The time has come to summarize the network design models and Cisco security elements discussed in this and the previous chapter. This sets the battlefield on which the action described in the chapters to follow will take place, positioning its rivers, hills, redoubts, and entrenchments. Figure 2-2 represents various Cisco security devices spread along three layers of the campus network. Of course, there could be more layers, but even those few shown will provide enough food for thought for both defender and attacker alike. For the defender, though, there are things that make life somewhat easier. One example is the multiple device management applications produced by Cisco to simplify the complex task of configuring, updating, and monitoring devices with very different command syntaxes, including but not limited to the following:
Cisco 700 CLI
UNIX shell (Linux and Solaris-based Cisco appliances)
CMD.EXE (Windows-based server applications)
snmpget , snmpset, and other Net-SNMP utilities
Cisco management applications cover all aspects of Cisco network and network security management, and nearly all of them can be integrated with the CiscoWorks suite. CiscoWorks Security Information Management Solution (SIMS) is probably the most complete Cisco security management application, covering collection, analysis, and correlation of security events across the whole enterprise network. To configure security on multiple Cisco routers simultaneously, the Cisco Router and Security Device Manager (SDM) supports Cisco 830, 1700, 2600XM, 2691, 3600, 3700, 7204VXR, 7206VXR, and 7301 routers. For security-specific Cisco appliances, the Cisco PIX Device Manager, CiscoWorks VPN/Security Management Solution, and Cisco IP Solution Center are available. Finally, a suite of Cisco CNS products, the so-called intelligent agents, is available for automated network maintenance and monitoring. These include Cisco CNS Access Registrar, a RADIUS-compliant access policy server for ISP AAA services supporting all types of user access. Cisco CNS intelligent agents can be run on Solaris, Linux, and HP-UX workstations or on a specialized appliance, the Cisco CNS 2100 Series Intelligence Engine shown in Figure 2-2. The Cisco 1102 VLAN Policy Server can also be deployed at the access layer to manage VLANs and run the Cisco User Registration Tool (URT), described previously.
All these solutions and appliances combined make up what Cisco calls a self-defending network strategy. Ideally, self-defending networks should be able to identify attacks, react appropriately to their severity level, isolate hacked hosts, and reconfigure the network resources to block the attack (for example, shunning).
While the vendors may strive to achieve nearly automated management of the network (security management included), it can never be 100 percent automatic. Do not assume that the appliances will do all the work for you. More security appliances and applications means that more security knowledge and skills are needed, not less. Also, the fact that CiscoWorks and company provide a user-friendly point-and-click interface does not mean that you shouldn't know the CLIs listed earlier. These applications are developed out of necessity to manage massive networks that cannot be maintained otherwise, taking both the number and the workload of system administrators into account. They are not written to allow you to spend a whole day at Slashdot, even though it may not be such a bad idea, after all. Management GUIs do not cover many capabilities of the appliances they manage, nor are they bug- and communication-fault-free and always available. Besides, skilled hackers know well the command interfaces of the devices they target, so don't fall behind!
Another important weapon in the defender's arsenal is not an appliance or software bundle, but a collection of security white papers called "Cisco SAFE blueprints." At the moment of writing, 13 are available:
"Combating Slammer Worms"
"SAFE Blueprint for Small, Midsize, and Remote-User Networks"
"SAFE Layer 2 Security In-depth Version 2"
"SAFE Nimda Attack Mitigation"
"SAFE SQL Slammer Worm Attack Mitigation"
"SAFE: IP Telephony Security in Depth"
"SAFE: A Security Blueprint for Enterprise Networks"
"SAFE: Best Practices for Securing Routing Protocols"
"SAFE: Code-Red Attack Mitigation"
"SAFE: IDS Deployment, Tuning, and Logging in Depth"
"SAFE: VPN IPSec Virtual Private Networks in Depth"
"SAFE: Wireless LAN Security in Depth-version 2"
"SAFE: Worm Mitigation"
These white papers are down-to-earth, practical, and detailed; include working examples of device configuration files; and are usually written by Cisco Certified Internetwork Experts (CCIEs). They make excellent bedtime reading. Besides, if you ever plan to take Cisco Certified Security Professional (CCSP) exams, you'll find out that many questions are about or directly based on the SAFE blueprints. Throughout this book, we will frequently refer to these documents when outlining countermeasures against the various attacks discussed.
Taking everything described above into consideration, what can an attacker do to circumvent all these safeguards and succeed?
First of all, as you know, we do not live in an ideal world. Humans are, and always will be, the weakest link. Having top-notch security equipment misconfigured, with default or bad passwords or SNMP communities set, is not that uncommon. As a matter of fact, in such cases it is better not to have that PIX or VPN concentrator at all, since either device's presence will create a false sense of security for the network owners. Also, network security is a continuous process. The "If it works, don't fix it" approach just doesn't apply in the information security field. If that IDS signature database is not updated in time, an attacker will slip in undetected. After the attack succeeds and the cracker preserves remote access, patching and updates become pretty useless ventures. This is common sense that applies to any network setup, Cisco-based networks included.
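As an added example (not from the book), the following script audits a Cisco IOS configuration for the weaknesses named above: default SNMP communities, a cleartext enable password, and cleartext (telnet) management access. Both configuration fragments are constructed for this example, the default-community list is an assumption, and the enable secret hash is a placeholder.

```python
import re

# Constructed weak IOS config fragment (not captured from any real device).
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
"""

# Constructed hardened counterpart; the secret hash is a placeholder, not a real hash.
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 5 $1$PLACEHOLDER
snmp-server group MGMT v3 priv
line vty 0 4
 transport input ssh
"""

# Community strings commonly left at their defaults (assumed list for this audit).
DEFAULT_COMMUNITIES = {"public", "private", "cisco"}


def audit_ios_config(config):
    """Return a list of (severity, finding) tuples for the config text."""
    lines = [l.rstrip() for l in config.splitlines()]
    has_secret = any(l.startswith("enable secret") for l in lines)
    findings = []
    for line in lines:
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)\b", line, re.I)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            mode = m.group(2).upper()  # RW with a default community is the worse case
            findings.append(("high" if mode == "RW" else "medium",
                             f"default SNMP community '{m.group(1)}' with {mode} access"))
        if line.startswith("enable password") and not has_secret:
            findings.append(("high", "enable password set without an enable secret (hashed)"))
        if re.match(r"\s*transport input\b.*\btelnet\b", line):
            findings.append(("medium", "vty line accepts telnet; management traffic is cleartext"))
    if not any(l.startswith("service password-encryption") for l in lines):
        findings.append(("low", "service password-encryption not enabled"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_ios_config(WEAK_CONFIG):
        print(f"[{severity}] {finding}")
```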
Second, the security safeguards themselves can also fall prey to an attack. If someone wants to break into a bank, she will take care of the alarm system first. We don't know whether the software run by Cisco security appliances and management consoles was thoroughly audited OpenBSD-style for security flaws (and OpenBSD itself is not flawless). Since in the majority of cases we are dealing with closed source software, only its developers possess such knowledge. Many of the Cisco security management applications run on the Windows platform, famous for its malware issues and other security problems. A variety of Cisco security appliances use mainstream operating systems such as Red Hat Linux and Solaris, with multiple security flaws known. And as we show later in the book, proprietary closed source systems such as Cisco IOS can also be successfully exploited, with administrator privileges gained. An even easier avenue of exploitation is attacking not the application or device itself, but the traffic it generates. In particular, this applies to the appliance management traffic (for example, SNMP). Things that ease the work for system administrators can also make it easier for crackers. Another good example is syslog and other logging traffic types. If a PIX firewall detects the attack and sends a syslog message, but that message is intercepted on the fly and modified with netsed, an attack may well go unmentioned. Make sure that all management and logging traffic on the network is well protected using some form of VPN.
Third, you can get far with IP spoofing. If you are already on the network, spoofing your IP as one of the legitimate hosts, Cisco security appliances included, can produce a lot of confusion when it comes to attack detection. For an outside attacker, IP spoofing can be used to abuse the self-defense features of the network and cause DoS by forcing network security appliances to shun legitimate IP ranges. Another way to sneak in is by hijacking legitimate established sessions and appending malicious traffic to them. Finally, an attacker can attempt to isolate security appliances such as the IDS sensors via a variety of Layer 2 and routing protocol attacks. Describing all these methodologies and more is the aim of the remaining chapters of this book.