The task of securing a corporate or organizational network with multiple routers, switches, servers, workstations, and other more exotic hosts is not easy to accomplish. Before you get down to security issues, you should gain an intimate understanding of your network operation on a more general level. This involves gaining a detailed understanding of all routed and routing protocols running through the network and comprehending the role and function of all networking devices deployed.
Unlike many other books on network security, this book does not dwell on networking and security basics, including the Open System Interconnection (OSI) model and its mapping to Transmission Control Protocol/Internet Protocol (TCP/IP), the CIA (Confidentiality, Integrity, Availability) Triad, and writing security policies. This is a book on hacking (in all meanings of this battered word) Cisco devices and Cisco-centered networks. We expect the reader to be familiar with networking and information security foundations, and we hope to provide undiluted, detailed, hands-on information that reflects the book's title.
A professional, skilled attacker looks at a target network as a whole entity. He or she would not miss an opportunity to break into any networked device, where possible, to use it for further exploitation of the doomed network. This is similar to getting a user account on a UNIX-like system, in that it is much easier to attain root after you have gained local access.
As a person responsible for the security of your network, you should assess and secure the complete network infrastructure without missing any details. To provide proper defense in depth, the safeguards you roll out must span all seven layers of the OSI model, while taking into consideration the security of every single host deployed. Fortunately, available Cisco network security solutions cover every networking aspect one can imagine and range from backbone Multiprotocol Label Switching virtual private networks (MPLS VPNs) to endpoint software security guards for users' desktops and laptops. Unfortunately, only a few system administrators, network integrators and architects, and even IT security consultants are aware of the scope and power of these solutions.
In addition, to use many of the Cisco network safeguards efficiently and with decent return on investment (ROI), it is necessary that you ensure their proper positioning on the network they are supposed to protect. This means implementing network security from the earliest design stages, as adding even the most powerful and expensive of Cisco safeguards after the network enters the production stage can be a useless and futile exercise as well as a great waste of resources. Nevertheless, a typical Cisco Certified Design Professional (CCDP) study guide would not even include security in the list of internetwork design goals or place it as an element of the first internetwork design step. From our perspective, this is a fatal mistake.
In this chapter, we try to correct this and other potential Cisco internetwork design errors by providing a security-oriented approach to Cisco-recommended network design models and layers. Chapter 2 continues the theme by providing an overview of various Cisco safeguards residing on all layers of hierarchical networks. From the attacker's perspective, both chapters demonstrate the points at which the attack can be stopped, suspicious activity logged, and an incident response procedure initiated. The message to attackers is clear: if a Cisco-based network is designed and maintained properly and with security in mind, they had better stay away from it or suffer the consequences.