There are two kinds of network security we'll talk about here. One kind is enforced as a background process not visible to users; the other is in your face:
Traffic-based security: Controls connections requested by a network application, such as a Web browser or an FTP download
User-based security: Controls admission of individuals to systems in order to start applications once inside, usually by user name and password
One kind of traffic-based security is the use of firewalls to protect autonomous systems by screening traffic from untrusted hosts. Another kind of traffic-based security is router access lists, used to restrict traffic and resources within an autonomous system. User-based security is concerned with people, not hosts. This is the kind of security with which we're all familiar: login-based security that asks you for a user name and password.
The two types complement one another, yet operate at different levels. Traffic-based security goes into action when you click a button in a Web browser, enter a command into an FTP screen, or use some other application command to generate network traffic. User-based security, on the other hand, asserts itself when an individual tries to log into a network, device, or service offered on a device.
Traffic-based security is implemented in a Cisco internetwork by using firewalls or router access lists. This style of security, covered in Chapter 7, focuses mainly on source and destination IP addresses, application port numbers, and other packet-level information that can be used to restrict and control network connections.
Until recently, firewalls have focused strictly on guarding against intruders from outside the autonomous system. However, they're now coming into use in more sophisticated shops to restrict access to sensitive assets from the inside. Access lists have been the traditional tool used to enforce intramural security.
Routers can be configured to enforce security in much the same way firewalls do. All routers can be configured with access lists, and they can be used to control what traffic may come and go through the router's network interfaces. What exactly an access list does is left to how it's configured by the network administrator.
Access lists can be used to improve network performance by isolating traffic in its home area, but more commonly, access lists are used to "screen" traffic and to perform rudimentary firewall-like restrictions on network traffic.
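To make the "top to bottom, first match wins, implicit deny at the end" behaviour of an access list concrete, here is an added example (my code, not Cisco's and not from this book) of a small Python evaluator for extended access-list entries written in Cisco's syntax. The ACL lines, addresses and packets are constructed for the demonstration. It handles any, host, wildcard masks, eq ports and the established keyword; as the last packet shows, established matches on TCP flag bits alone, so a forged ACK-only packet gets through it.

```python
"""Cisco-style extended ACL evaluation (added example, not Cisco code):
entries are checked top to bottom, the first match decides, and a packet
that matches nothing hits the implicit "deny ip any any" at the end."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK flag
    rst: bool = False     # TCP RST flag


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq N' qualifier."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one 'access-list <n> permit|deny <proto> <src> [eq N] <dst> [eq N] [established]' line."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in t[i:]}


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace["src"]) or not wildcard_match(pkt.dst, *ace["dst"]):
        return False
    if ace["sport"] is not None and pkt.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    # 'established' looks only at the ACK/RST bits; it keeps no connection state
    if ace["established"] and not (pkt.ack or pkt.rst):
        return False
    return True


def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt under acl (a list of parsed ACEs)."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"   # implicit deny any at the end of every IOS access list


# Constructed sample ACL: 10.1.1.0/24 is the inside network, 192.0.2.0/24 the outside.
ACL_101 = [parse_ace(line) for line in """
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp any 10.1.1.0 0.0.0.255 established
access-list 101 permit udp host 10.1.1.5 host 192.0.2.53 eq 53
access-list 101 deny ip any any
""".split("\n") if line.strip()]

if __name__ == "__main__":
    web = Packet("tcp", "10.1.1.7", "192.0.2.10", 40000, 80)
    reply = Packet("tcp", "192.0.2.10", "10.1.1.7", 80, 40000, ack=True)
    spoofed = Packet("tcp", "203.0.113.9", "10.1.1.7", 1234, 22, ack=True)
    for p in (web, reply, spoofed):
        print(evaluate(ACL_101, p), p)
```

The forged packet from 203.0.113.9 to port 22 is permitted because the second entry only asks whether ACK or RST is set. That is the rudimentary part of "rudimentary firewall-like restrictions": an access list has no memory of which connections were actually opened.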
Packet-filtering firewalls are basically beefed-up routers that screen traffic according to strict traffic management rules, and most add tactics beyond simple filtering to enhance security: address translation to hide internal network topology from outsiders; application layer inspection to make sure only permitted services are being run; even high/low counters that watch for any precipitous spikes in certain types of packets to ward off denial-of-service (DoS) attacks, such as SYN floods and related attacks that exhaust a host's TCP connection table (for example, by leaving connections parked in the FIN_WAIT states).
Firewalls intentionally create a bottleneck at the autonomous system's perimeter. As traffic passes through, the firewall inspects packets as they come and go through the networks attached to its interfaces.
Firewalls read source and destination host addresses and port numbers (for example, port 80 for HTTP) and establish a context for each permitted connection. That context is a session: once the firewall has permitted the first packet of a connection, it records the address pair and port numbers, and later packets claiming to belong to that connection are accepted only if they match a recorded session. For example, if a user tries to connect to a Web server to download a file, the firewall checks the user's source IP address and the application service requested before permitting the packets to pass. If the traffic is permitted, the user is allowed to connect to the Web server; if not, the traffic is denied and the connection is never established.
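The session context described above, as an added example that is not part of the original text or any vendor's firewall code: a minimal stateful packet filter in Python. It opens a session only for an outbound SYN from the inside network to a permitted port and then admits later packets only if they belong to a live session, expiring sessions that go idle or that have been closed. The inside network, allowed ports and packet sequence are constructed for the demonstration; a real firewall also tracks sequence numbers and more protocol states than this.

```python
"""Stateful inspection (added example, not the book's or any vendor's code):
a session is created only for an outbound SYN from the inside network to a
permitted service, and every other packet is admitted only if it belongs
to a live session. Unlike a plain access list, which can at most look at
TCP flag bits, the firewall keeps a table of the connections it permitted."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFirewall:
    def __init__(self, inside_net, allowed_dports, idle_timeout=300, close_timeout=10):
        self.inside = ipaddress.ip_network(inside_net)
        self.allowed = set(allowed_dports)
        self.idle_timeout = idle_timeout      # seconds a silent session stays open
        self.close_timeout = close_timeout    # grace period after a FIN is seen
        # (client, client port, server, server port) -> [last seen, closing?]
        self.sessions = {}

    def _inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def _expire(self, now):
        for key, (seen, closing) in list(self.sessions.items()):
            if now - seen > (self.close_timeout if closing else self.idle_timeout):
                del self.sessions[key]

    def _find(self, pkt):
        """Look the packet up in either direction of a recorded session."""
        for key in ((pkt.src, pkt.sport, pkt.dst, pkt.dport),
                    (pkt.dst, pkt.dport, pkt.src, pkt.sport)):
            if key in self.sessions:
                return key
        return None

    def process(self, pkt, now):
        """Return 'permit' or 'deny' for pkt arriving at time now (seconds)."""
        self._expire(now)
        key = self._find(pkt)
        if key is not None:
            if pkt.rst:
                del self.sessions[key]            # a reset ends the session at once
            else:
                entry = self.sessions[key]
                entry[0] = now
                entry[1] = entry[1] or pkt.fin    # a FIN starts the closing grace period
            return "permit"
        # No session: only an inside host opening a permitted service gets one
        if (pkt.syn and not pkt.ack and self._inside(pkt.src)
                and not self._inside(pkt.dst) and pkt.dport in self.allowed):
            self.sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = [now, False]
            return "permit"
        return "deny"


def demo():
    """Run a constructed packet sequence and return the firewall's decisions."""
    fw = StatefulFirewall("10.1.1.0/24", allowed_dports={80, 443})
    steps = [
        (Packet("10.1.1.7", "192.0.2.10", 40000, 80, syn=True), 0),           # outbound SYN to web
        (Packet("192.0.2.10", "10.1.1.7", 80, 40000, syn=True, ack=True), 1),  # SYN/ACK back
        (Packet("203.0.113.9", "10.1.1.7", 1234, 22, ack=True), 2),            # forged ACK to ssh
        (Packet("203.0.113.9", "10.1.1.7", 1234, 80, syn=True), 2),            # inbound SYN to inside
        (Packet("10.1.1.7", "192.0.2.10", 40001, 25, syn=True), 3),            # outbound to unlisted port
        (Packet("192.0.2.10", "10.1.1.7", 80, 40000, ack=True), 400),          # reply after idle timeout
    ]
    return [fw.process(pkt, now) for pkt, now in steps]


if __name__ == "__main__":
    print(demo())
```

The forged ACK-only packet to port 22 is denied here because no session for that address and port pair was ever opened from the inside, which is exactly the case a flag-bit check in an access list lets through.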
Think of traffic-based security as being like those "easy pass" automated tollbooths on major toll roads. Vehicles are funneled through a gateway where a laser reads each electronic ID, barely slowing the flow of traffic. Once allowed to pass, nothing has been done to inspect what might have been in the trunk of that car.
User-based security evokes a different picture: this one of a gate with a humorless security guard standing at the post. The guard demands to know who you are and challenges you to prove your identity. If you qualify, you get to go in. More sophisticated user-based security systems also have the guard ask what you intend to do once inside and issue you a coded visitor's badge, giving you access to some areas, but not others.
Thus, user-based security is employed where a person must log into a host, and the security comes in the form of a challenge for your user name and password. In internetworking, this kind of security is used as much to keep bad guys from entering network devices such as routers or switches, as it is to restrict access to payload devices, such as servers.
Unlike firewalls, however, user-based security is nearly as concerned with insiders as outsiders. That security guard at the gate has colleagues on the inside to make sure nobody goes into the wrong area. You know the routine: there are employee badges and there are visitor badges, but the employee badges let you go more places.
Login/password authentication is generally required on every network device and all servers. Because user-based security mechanisms are software, not hardware, they can be deployed at will within an internetwork with little impact on performance or budget. The trade-off is how much inconvenience you're willing to put network users through, having to log in to gain access to various services. User-based security has four major applications:
To grant remote employees access to the enterprise internetwork
To grant onsite employees access to protected hosts and services within the internetwork
To let network administrators log into network devices
To let ISPs grant subscribers access to their portals
Because a lot of user-based security involves remote dial-in connections, WAN technologies play an important role. The two most important pieces of authenticating WAN connections are access servers and dial-in protocols.
Entering an internetwork through a dial-in connection is almost always done through an access server. The access server is a dedicated device that fields phone calls from remote individuals trying to establish a connection to a network. Access servers are also called network access servers or communication servers. Their key attribute is to behave like a full-fledged IP host on one side, but like a modem on the other side. Figure 6-2 depicts the role access servers play in dial-in connections.
Figure 6-2: Access servers are dedicated to supporting remote dial-in connections
When you connect to an internetwork's host from the enterprise campus, you usually do so over a dedicated twisted-pair cable that is connected to a hub or a switch. To make that same connection from afar, you usually do so over a normal telephone line through an access server, a device that answers the phone call and establishes a network connection. Besides making connections for remote dial-in users, access servers can also be used to connect remote routers.
User-Based Security for Local Connectivity

When you turn on your PC and log in at work, you're not dealing with TACACS+ or RADIUS. The user name and password prompts are coming from your local server. Most LAN servers run Windows 2000/2003, Linux, UNIX, or Novell platforms. They have security subsystems and user databases of their own to authenticate and authorize users. RADIUS isn't used because, among other things, it's a protocol for authenticating dial-in and other network-access sessions, not desktop logins. TACACS+ isn't used because it controls entry into the Cisco network devices themselves (routers, switches, and access servers) in addition to providing dial-in security much like RADIUS.
In this chapter, discussions of local or "in-network" connections refer to network administrators logging into IOS to work on a Cisco network device.
User-Based Security for Remote Connectivity

Small office and home office users may connect to their enterprise internetworks through an access server, making it perhaps the most basic device in any wide area network. Low-end access servers are inconspicuous desktop devices resembling a PC without a monitor. When you dial into your ISP to get into the Internet from home, the call is also answered by an access server. As you might imagine, an ISP's computer room is jammed with rack-mounted high-density access servers to handle connections made from thousands of subscribers. (As a reminder, high density means many ports per device.)
Access servers are intelligent devices that handle other tasks in addition to making a line connection. They provide special services to accommodate configurations frequently encountered in enterprise internetworks:
Routing service: Run by access servers called access routers, this makes it seem as if the dial-in user is sitting directly on the campus network. The key feature of access routers is dial-on-demand routing (DDR), which makes it possible to route traffic from a remote LAN to the main network over low-cost, dial-up phone lines.
Terminal service: Many WAN connections still use terminal protocols. For that reason, most access servers support terminal protocols such as IBM's TN3270, UNIX rlogin, or Digital Equipment's Local-Area Transport (LAT). A PC could run terminal emulation software to make such a connection. Note that these protocols carry the login credentials and the whole session in cleartext, so anyone who can capture the line can read them.
Protocol translation: A remote user may be running one virtual terminal protocol and need to connect to a system running another. Most access servers still support protocol translation.
As computing infrastructure improves, terminal service and protocol translation are declining in use. In contrast, access routers are increasing in popularity as small offices build LANs of their own and turn to DDR for convenience and savings.
As you've learned by now, there's a protocol for just about every major internetworking task. Making dial-in network connections work properly presents special problems, because most telephone company infrastructure was designed to handle voice, not high-speed data. Dial-in protocols exist to handle the point-to-point dial-in connections over normal telephone lines:
PPP: Point-to-Point Protocol is the de facto standard for remote dial-in connections to IP networks; virtually all dial-in connections to the Internet use PPP. Most PPP connections are over asynchronous lines, but a growing number are made over ISDN in areas where it's available.
SLIP: Serial Line Internet Protocol is also used to make point-to-point dial-in connections to IP networks from remote sites. SLIP is the predecessor to PPP, but is still in use in some quarters. You may also encounter a SLIP variant called CSLIP, Compressed Serial Line Internet Protocol.
ARAP: AppleTalk Remote Access Protocol is Apple's tool for dial-in connectivity to remote AppleTalk networks.
In the old days, to make a remote connection, you dialed into a PBX or terminal server to connect to a mainframe or minicomputer as a dumb terminal. With the rise of internetworking, network-attached terminal servers took over the job of taking dial-in calls. As demand for remote computing grew, simple terminal connections were replaced by those made using the SLIP protocol. By that point, many desktops had PCs instead of terminals, but they emulated terminals in order to make dial-in connections. The boom in demand for Internet connectivity drove the market to replace SLIP with PPP, a protocol even more capable of computer-to-computer communications over phone lines. PPP brought better error detection, compression, and authentication support (PAP, which sends the password in the clear, and CHAP, a challenge/response exchange in which the password itself never crosses the line). It also allowed for multilink connectivity; double your throughput, anyone? For our purposes, we'll assume PPP as the dial-in protocol unless otherwise noted.
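PPP's authentication support comes from two protocols this chapter does not spell out: PAP (RFC 1334), which sends the user name and password in the clear, and CHAP (RFC 1994), in which the access server sends a random challenge and the peer answers with an MD5 digest over the identifier, the shared secret and the challenge. As an added example (my code, not the book's and not any PPP implementation's), the following Python builds both packet formats and runs a CHAP exchange between an access server and a dial-in peer; the device name, user name and secrets are made up.

```python
"""PPP authentication (added example, not the book's code): PAP (RFC 1334)
carries the password in the clear, CHAP (RFC 1994) proves knowledge of the
shared secret with a challenge/response so the secret never crosses the line.
Names and secrets below are made up."""
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4
PAP_AUTH_REQUEST = 1


def pap_request(ident, peer_id, password):
    """PAP Authenticate-Request: Code, Identifier, Length, Peer-ID, Password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def chap_packet(code, ident, value, name):
    """CHAP Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def chap_result(code, ident, message=b""):
    """CHAP Success/Failure: Code, Identifier, Length, Message."""
    return struct.pack("!BBH", code, ident, 4 + len(message)) + message


def parse_chap(packet):
    """Return (code, identifier, value, name-or-message) for any CHAP packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code in (CHAP_SUCCESS, CHAP_FAILURE):
        return code, ident, b"", packet[4:length]
    size = packet[4]
    return code, ident, packet[5:5 + size], packet[5 + size:length]


def chap_digest(ident, secret, challenge):
    # RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge Value.
    # MD5 is what the RFC specifies, not a recommendation for new designs.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """The access server side: issues challenges and verifies responses."""

    def __init__(self, name, secrets):
        self.name = name
        self.secrets = secrets          # peer name -> shared secret
        self.ident = 0
        self.outstanding = {}           # identifier -> challenge value still unanswered

    def challenge(self):
        self.ident = (self.ident + 1) & 0xFF
        value = os.urandom(16)          # fresh random value, so a captured reply is useless later
        self.outstanding[self.ident] = value
        return chap_packet(CHAP_CHALLENGE, self.ident, value, self.name)

    def check(self, response):
        """Return (accepted, Success-or-Failure packet)."""
        code, ident, value, name = parse_chap(response)
        challenge = self.outstanding.pop(ident, None)   # each challenge is answered once
        secret = self.secrets.get(name)
        ok = (code == CHAP_RESPONSE and challenge is not None and secret is not None
              and hmac.compare_digest(value, chap_digest(ident, secret, challenge)))
        return ok, chap_result(CHAP_SUCCESS if ok else CHAP_FAILURE, ident)


class Peer:
    """The dial-in side: answers a challenge with the shared secret."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, challenge_packet):
        code, ident, value, _ = parse_chap(challenge_packet)
        if code != CHAP_CHALLENGE:
            raise ValueError("expected a CHAP Challenge")
        return chap_packet(CHAP_RESPONSE, ident, chap_digest(ident, self.secret, value), self.name)


def chap_exchange(auth, peer):
    """Run one Challenge/Response round; return (accepted, challenge, response)."""
    challenge = auth.challenge()
    response = peer.respond(challenge)
    ok, _ = auth.check(response)
    return ok, challenge, response


if __name__ == "__main__":
    nas = Authenticator(b"nas1", {b"alice": b"s3cret"})
    ok, ch, resp = chap_exchange(nas, Peer(b"alice", b"s3cret"))
    print("CHAP accepted:", ok, "| secret on the wire:", b"s3cret" in ch + resp)
    print("PAP secret on the wire:", b"s3cret" in pap_request(1, b"alice", b"s3cret"))
```

Two points the exchange makes visible: the shared secret appears in neither CHAP packet, while the PAP request carries it verbatim; and because the authenticator discards each challenge once it has been answered, replaying a captured response fails even though it was once valid.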