Cisco CCNP
Managing Cisco Network Security
Establishing A Network Security Policy
Evaluating Network Security Threats
A security threat can be as simple as snooping your
network’s normal operation or as complex as taking control of your entire
network. It is important then to be familiar with the three basic
categories of network security threats.
Basic Categories of Security Threats
- Unauthorized Access – Unauthorized access is when an unauthorized
  individual gains access to the network or any network resource, with the
  possibility of taking that resource or tampering with it.
- Impersonation – Impersonation is the process of identifying yourself as a
  different individual by using the same credentials that particular
  individual uses. There are several ways that this is done. One of the more
  common ways is by eavesdropping on your network and capturing usernames and
  passwords when these are exchanged via unsecured means. Sniffer programs,
  as they are commonly referred to, are small software packages that enable
  someone to snoop on current network conversations and extract users’
  credentials.
- Denial of Service – Denial of Service is an attack on your network by a
  malicious individual in order to interfere with your network’s normal
  operation. This is a common type of attack that has gained notoriety due to
  the growth of the Internet.
Motivations of Network Security Threats
It is important to understand the different motivations that some
individuals may have in posing a security threat to your network. It is a
common perception that network security attacks are perpetrated from your
external network, which is the Internet. Therefore, the firewall is an
important piece in protecting your network against such attacks. Here are
some of the more basic motivations for launching an attack on your network.
- Greed – The intruder’s purpose is to take control or possession of a
  network resource, such as corporate data, so that he/she may sell it for
  money.
- Notoriety – The intruder attempts to break into networks that are said to
  be secure, proving his skill to gain respect from his peers.
- Revenge – The intruder has been fired or laid off and is looking for some
  type of reprisal. The most common occurrence of this is the damaging of
  important corporate data.
Outlining A Network Security Policy
- Define physical security controls – Physical security controls pertain to
  the physical infrastructure that your network is built on. This includes
  the various physical components that comprise your network, such as
  servers, routers, switches and cabling. Ensuring the security of these
  components should be the foundation of your network security policy.
  Imagine having the strictest password policy but having your wiring closet
  open to anyone in the vicinity.
- Define logical security controls – Logical security controls provide
  boundaries between your network segments. This is done by filtering
  traffic as it passes from one segment of your network to the next. The two
  main logical boundaries used are:
  - Subnet Boundaries
  - VLAN Boundaries
- Ensure data and system integrity – Data that passes to and from your
  network needs to be identified as valid traffic. Valid traffic can further
  be described as expected network traffic: supported traffic, unspoofed
  traffic and traffic in which the data has not been altered. This is the
  main reason why firewalls are implemented. A firewall ensures the validity
  and integrity of your data as it enters and leaves your network.
- Develop policies and procedures for the staff that is responsible for the
  network – Specific guidelines should be in place for the staff responsible
  for the maintenance of the network infrastructure. These policies should be
  balanced between securing your network and allowing the staff to carry out
  their responsibilities in an efficient manner. These policies may include
  the following:
  - Backups – One of the most important tasks in network management is being
    able to back up the data that is stored in the network. Policies and
    procedures should be in place to give the staff responsible for the
    backups the steps for securing those backups.
  - Equipment Certification – Network equipment that is introduced into the
    network should adhere to specific security requirements.
  - Audit Trails – Keeping a log of what goes on in your network greatly
    enhances your ability to determine whether there is any suspicious
    activity going on in your network environment.
- Develop appropriate security awareness training – Training should be
  provided to all staff in order for them to be informed of the various
  security measures that your network employs. It is very important that the
  staff is made aware of the many problems that may arise due to
  security-related issues.
Securing The Dialup Connection
Dialup connections to your corporate network are usually composed of
several dial-in infrastructures. These could be direct dial-in connections
from mobile users and telecommuters. There is also the virtual dial-in of
remote branches via the Internet through a corporate Virtual Private Network
(VPN). Therefore, it is recommended that you secure these dial-in access
points with a firewall device that implements some kind of intrusion
detection and auditing function. Regardless of how dial-in access is
provided to the corporate network, the main security concerns lie in the
following areas:
- Identifying the caller
- Identifying the location of the caller
- Identifying the destination of the caller
- Logging of accessed applications and data
- Logging of the duration of the connection
- Guaranteeing authenticated communication
- Guaranteeing private communication
Configuring the Network Access Server for AAA Security
Access control is the process of controlling who is allowed access to the
network and what services they are allowed to use. Authentication,
Authorization and Accounting (AAA) network security services provide the
principal structure through which you set up access control on your router
or network access server. AAA offers the following benefits.
AAA is designed to enable you to configure the type of authentication and
authorization you would use on a per-line (per-user) or per-service basis.
You define the type of authentication and authorization you want by creating
method lists, then apply those method lists to specific services or
interfaces. Method lists are lists defining the authentication methods to be
used, in order, to authenticate a dial-in user. These lists enable you to
assign one or more security protocols to be used for authentication, thus
creating a backup system for authentication to be used in case the initial
method fails. AAA is comprised of three independent security functions.
Authentication
Authentication is the process of identifying users, including their login
and password dialog scripts, challenge and response, messaging support and
encryption.
Authorization
Authorization provides the process of determining what a remote user is
authorized to access in the network, such as network resources or services.
AAA authorization works by putting together a set of attributes that
identify what a user is authorized to perform. These attributes are compared
with the information contained in a database for a given user. The result is
returned to AAA to determine the user’s actual capabilities and
restrictions. This database can be local on the access server or remote on a
TACACS+ or RADIUS server.
Accounting
Accounting is the process of tracking the different types of services that
remotely connected users are accessing. Activities are logged to either a
RADIUS or TACACS+ security server in the form of accounting records. This
data can then be analyzed for client billing, auditing or network
management.
Overview of Basic AAA Configuration Process
- Enable AAA by issuing this command in global configuration mode:
  aaa new-model
- If you are using separate security servers, configure the security
  protocol parameters, such as RADIUS, TACACS+ or Kerberos.
- Define the method lists for authentication by issuing this command:
  aaa authentication
For example, if you would like to specify RADIUS as the default method for
logging in, the command would be:
aaa authentication login default radius
To log in using the local username database on the router, the command would
be:
aaa authentication login default local
To log in using PPP and specify the local username database, the command
would be:
aaa authentication ppp default local
This example would allow authentication to succeed even if the TACACS+
server returns an error:
aaa authentication ppp default tacacs+ none
This example applies the method list to interface serial 0:
interface serial 0
ppp authentication chap pap default
Method lists for authorization are defined with the aaa authorization
command. This example allows authorization on the network via TACACS+:
aaa authorization network tacacs+
This example specifies TACACS+ as the method for user authorization when
trying to establish a reverse Telnet session:
aaa authorization reverse-access tacacs+
Accounting is configured with the aaa accounting command. In the following
example, RADIUS-style accounting is used to track all uses of EXEC commands
and network services, such as PPP, SLIP and ARAP:
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
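How a method list falls back from one method to the next, as an added example that is not part of these notes: this Python model walks lists such as the tacacs+ none list above. It assumes the Cisco IOS rule that the next method is consulted only when the previous one returns an error (for example, the security server did not answer), not when it rejects the credentials; the TACACS+ and local user databases are constructed, and the tacacs+ local list is an assumed variant.

```python
"""Model of how a Cisco AAA method list is walked (added example, not Cisco
code). The rule modelled: the next method is consulted only when the
current one returns ERROR (for example the security server did not answer);
PASS and FAIL are final. The user databases below are constructed."""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (server down, timeout)


# Constructed databases: one held by the TACACS+ server, one local on the NAS.
TACACS_USERS = {"alice": "s3cret"}
LOCAL_USERS = {"admin": "console-only"}


def build_methods(tacacs_reachable):
    """Return the method table for a given state of the TACACS+ server."""

    def tacacs(user, password):
        if not tacacs_reachable:
            return Result.ERROR
        return Result.PASS if TACACS_USERS.get(user) == password else Result.FAIL

    def local(user, password):
        return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL

    def none(user, password):
        return Result.PASS  # 'none' performs no authentication at all

    return {"tacacs+": tacacs, "local": local, "none": none}


def authenticate(method_list, user, password, tacacs_reachable=True):
    """Walk a method list such as ["tacacs+", "none"]; True means access granted.

    Only ERROR moves on to the next method. If every method errors, the
    attempt is denied."""
    methods = build_methods(tacacs_reachable)
    for name in method_list:
        result = methods[name](user, password)
        if result is Result.PASS:
            return True
        if result is Result.FAIL:
            return False
    return False


if __name__ == "__main__":
    # aaa authentication ppp default tacacs+ none, server unreachable:
    # the 'none' method is reached and an unknown user is let in.
    print(authenticate(["tacacs+", "none"], "mallory", "guess", tacacs_reachable=False))
    # The same list with the server up: FAIL is final, 'none' is never consulted.
    print(authenticate(["tacacs+", "none"], "alice", "guess", tacacs_reachable=True))
    # An assumed variant, tacacs+ local: the fallback is the local database.
    print(authenticate(["tacacs+", "local"], "admin", "console-only", tacacs_reachable=False))
```

The first call shows the cost of the none method: when the server is down, every caller is admitted, so audit the reachability of the security server as carefully as its contents.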
Securing The Internet Connection
The most common solution to securing your Internet connection is setting up
a firewall. A firewall is a network device that is placed between your
trusted network and untrusted networks, the most common of which is the
Internet. It is also possible to set up a firewall within the boundaries of
your internal network so as to prevent unauthorized access to certain areas
of your network that are highly sensitive, such as payroll files or
engineering data. Today, there are three classifications of firewalls:
- Packet Filtering – This type of firewall depends exclusively on the UDP,
  ICMP, TCP and IP headers of individual packets to deny or permit traffic.
  The packet filter examines the combination of inbound or outbound traffic
  direction, IP source and destination address and TCP or UDP source and
  destination port numbers.
- Circuit filtering – This type of firewall controls access by observing
  state information and recreating the flow of data that the traffic is
  associated with.
- Application gateway – This type of firewall processes messages that are
  specific to a particular IP application. This type of firewall is probably
  the most secure; however, it is also the most resource-intensive type to
  deploy.
Cisco IOS Firewall
The Cisco IOS firewall feature set is a security-specific option for the
Cisco IOS software. It enhances the built-in security capabilities of the
Cisco IOS and adds the full functionality of a firewall. The Cisco IOS
firewall feature set is comprised of several different feature modules. The
three basic feature sets we cover are:
- Context-Based Access Control – This feature module provides the
  functionality of an advanced traffic filter and is an essential part of
  your IOS firewall. CBAC provides these functions for your firewall:
  - Traffic Filtering – Filters TCP and UDP packets based on information
    that is obtained through the application-layer protocol session. The
    firewall can inspect traffic originating from either side of the
    firewall and can then determine which traffic is allowed access into or
    out of the network.
  - Alert and Audit Trails – CBAC produces real-time alerts and audit logs
    based on events that are observed by the firewall. This enhanced log
    keeps track of all network transactions, such as source and destination
    hosts, ports used and total number of bytes transferred.
  - Traffic Inspection – Inspection of inbound and outbound traffic produces
    state information. This state information allows the firewall to create
    temporary openings to allow return traffic for the permissible session.
- Intrusion Detection System – This feature set is designed for mid-range
  and high-end router platforms with firewall support. It is best suited for
  any router deployed around your network perimeter, most commonly on your
  Internet connections. This feature set identifies the most common attacks
  by matching the signature in the pattern of attacks that are launched
  against your network. When the intrusion detection system identifies a
  pattern of attack that matches a signature in the system’s database, it
  responds before network security can be compromised, and the event is then
  logged. These responses are configured by the administrator and can be one
  of the following:
  - Send an alarm – this can be sent to either a syslog server or a
    centralized management system such as NetRanger
  - Drop the packet
  - Reset the TCP connection
- IOS Firewall Authentication Proxy – This feature set allows network
  administrators to apply specific security policies on a per-user basis. In
  earlier versions, security policies were generally applied across multiple
  users. This feature can only be active when there is traffic from the
  authenticated user.
Configuring the PIX Firewall
PIX Firewall Basics
The PIX firewall is a complete hardware and software security solution. The
PIX IOS runs on proprietary PIX hardware. In most respects, the basic
concept behind the PIX firewall is to allow everything from the internal
network to go outbound and to allow only the return connections from the
outside interface to the inside interface. The handling of connections from
an inside interface to an outside interface is different from connections
that are from the outside interface to the inside interface. Here are the
basic steps in configuring a PIX firewall:
- The first step in configuring a PIX firewall is naming the different
  interfaces. On new installations, the PIX firewall provides default names
  for each interface. To view these default interface names, use the show
  nameif command. However, it would be ideal to rename these interfaces
  according to your network conventions or specifications. The command to
  name the interface is nameif. The syntax of this command is as follows:
  nameif hardware_id interface security_level
  hardware_id – this is the hardware name for the network interface card you
  are naming. An example of this would be ethernet0 (if you are using
  Ethernet interfaces).
  interface – this is where you would name that interface if you want to use
  a different name than the default one. Examples of this would be dmz or
  perimeter. You can specify up to 48 characters for this field; however, if
  you use a long name, you would need to reenter that name every time.
  security_level – You can choose any security level value between 1 and 99
  for any perimeter interface so long as it is not the same as the inside or
  outside interface. If this is an initial PIX configuration, the default
  security level starts at security10 for the first perimeter interface.
  An example of the nameif command is:
  nameif ethernet0 inside 10
- The second step in configuring a PIX firewall is assigning IP addresses to
  each interface on your PIX firewall. If you have any unused interface on
  your PIX firewall, the PIX-assigned IP address for that interface is
  127.0.0.1 with a subnet mask of 255.255.255.255. This does not allow any
  traffic to pass through this interface. The format for the ip address
  command is as follows:
  ip address inside ip_address network_mask
  ip address outside ip_address network_mask
  ip_address – the IP address you specify for that interface. This IP
  address must be unique.
  network_mask – The network mask of the IP address assigned. If you are
  using a subnet mask, use it in this field.
  An example of the ip address command is:
  ip address inside 10.10.10.1 255.255.255.0
- The third step is to set the speed of each interface and enable it with
  the interface command. The format for this command is as follows:
  interface hardware_id hardware_speed [shutdown]
  hardware_id – You can use either ethernetn (n being the interface number)
  for Ethernet interfaces or token for Token Ring, depending on how it was
  specified in the nameif command.
  hardware_speed – If the interface used is Token Ring, use either 4mbps or
  16mbps depending on the speed of the Token Ring card. If the interface is
  Ethernet, depending on the network interface card used in the PIX
  firewall, you can use auto (sets Ethernet speed automatically), 10baset
  (10 Mbps half duplex), 10full (10 Mbps full duplex), 100basetx (100 Mbps
  half duplex), 100full (100 Mbps full duplex) and aui (10 Mbps half duplex
  on an AUI cable interface).
  shutdown – This is used to disable the use of this interface. If this is
  an initial configuration, the shutdown option is on by default. To enable
  an interface, you would need to enter the command without the shutdown
  option.
  An example of the interface command is:
  interface ethernet0 auto
Configuring Access Through the PIX Firewall
Now that we have configured the different components of the PIX firewall,
we need to allow users to connect through the PIX firewall. As we have
identified each interface with a security level, we need to define the
guidelines allowing connections coming from a higher security level
interface to a lower security level interface and vice versa. The commands
that are used to allow this are nat and global.
- To allow inside users to connect to any lower security level interface,
  use the nat (inside) 1 0 0 command. The “1” after the interface (inside)
  is the NAT ID. Instead of using 0 0, which allows all hosts to start a
  connection, you can specify a host or a network address and mask. For
  example, to allow only the 10.10.10.5 host to start a connection, you can
  specify this command:
  nat (inside) 1 10.10.10.5 255.255.255.255
- Adding a global command for each lower security level interface allows
  users to have access to, for example, the outside interface or the dmz
  interface. The global command creates a pool of addresses that translated
  connections can pass through. Remember to have enough global addresses to
  accommodate the number of users that are accessing the lower security
  level interface. An example of this is:
  global (dmz1) 1 10.10.10.20-10.10.10.50 netmask 255.255.255.0
- The next step is to set up a default route that points to the outside
  router. You can use the show route command to view the route that you
  just configured. If there is an existing route already configured, use the
  no route command to remove it. For example, if the outside router’s
  address is 64.18.5.10, you would issue this command:
  route outside 0 0 64.18.5.10 1
  This command defines that the default router is on the outside interface.
  The default route is defined by the 0 0 right before the IP address,
  which is translated as 0.0.0.0 netmask 0.0.0.0. The 1 at the end of the
  command states that this is the next-hop router.
  The following access lists permit ICMP so that connectivity can be tested
  with ping:
  access-list ping_in permit icmp any any
  access-list ping_out permit icmp any any
  access-group ping_in interface inside
- The final steps are to save the configuration by issuing the write memory
  command, check the configuration by using the write terminal command and
  finally test the network connectivity. Pinging the different interfaces of
  the firewall and getting a response would be a good start in verifying
  network connectivity. Here are some of the commands you would use to check
  the configuration of the PIX firewall:
  show ip address – to verify the IP address of each interface
  show nat – to verify network address translation
  show route – to verify the default route
  show global – to show the range of global addresses
If you happen to need a host on the outside interface to gain access to a
host on the inside interface, the conduit command is used. An example of
this is when you want anyone from the outside interface to access your web
server in the dmz. The resulting commands would be:
static (dmz, outside) 64.18.1.50 10.10.10.50 netmask 255.255.255.255
conduit permit tcp host 64.18.1.50 eq www any
The first line defines that, from the dmz, host 10.10.10.50 is mapped for
access through the outside interface as 64.18.1.50. The second line then
defines that any user from the outside can access 64.18.1.50 via port 80.
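The connection rules just described (higher-to-lower traffic through nat and global, lower-to-higher only through a static plus a conduit, and return traffic only for an established connection), as an added Python model that is not Cisco code or part of these notes. It assumes three interfaces with security levels inside=100, dmz=50 and outside=0, ignores address translation of the return packets, and populates the model with the nat, static and conduit entries quoted above; the outside hosts are constructed.

```python
"""Model of the PIX connection rules described above (added example, not
Cisco code). Assumed for the example: three interfaces with security levels
inside=100, dmz=50, outside=0; the nat, global, static and conduit entries
mirror the commands quoted in the text."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PixModel:
    security: dict                                  # interface name -> level
    nat: list = field(default_factory=list)         # (interface, network) pairs
    global_pools: set = field(default_factory=set)  # interfaces with a global pool
    statics: list = field(default_factory=list)     # (local_if, global_if, global_ip, local_ip)
    conduits: list = field(default_factory=list)    # (proto, global_ip, port)
    conns: set = field(default_factory=set)         # established connections

    def nat_covers(self, if_name, src_ip):
        """True if a nat entry on if_name includes src_ip (0 0 is 0.0.0.0/0)."""
        addr = ipaddress.ip_address(src_ip)
        return any(n_if == if_name and addr in ipaddress.ip_network(net)
                   for n_if, net in self.nat)

    def new_connection(self, src_if, src_ip, dst_if, dst_ip, proto, dport):
        """Decide whether a new connection may start; returns (allowed, reason)."""
        if self.security[src_if] > self.security[dst_if]:
            # Higher to lower security: needs nat on the source interface and
            # a global pool on the exit interface.
            if not self.nat_covers(src_if, src_ip):
                return False, "no nat entry covers the source on " + src_if
            if dst_if not in self.global_pools:
                return False, "no global pool on " + dst_if
            self.conns.add((src_if, src_ip, dst_if, dst_ip, proto, dport))
            return True, "outbound via nat/global"
        # Lower to higher security: only through a static translation that
        # maps the destination, and only for ports a conduit permits.
        for local_if, global_if, global_ip, local_ip in self.statics:
            if (global_if, local_if, global_ip) != (src_if, dst_if, dst_ip):
                continue
            if (proto, global_ip, dport) in self.conduits:
                self.conns.add((src_if, src_ip, dst_if, local_ip, proto, dport))
                return True, f"static {global_ip}->{local_ip} plus conduit"
            return False, "static exists but no conduit permits this port"
        return False, "no static translation for " + dst_ip

    def return_traffic_allowed(self, src_if, src_ip, dst_if, dst_ip, proto, sport):
        """Traffic back towards the initiator passes only for an established
        connection (the initiator's source port is ignored in this model)."""
        return (dst_if, dst_ip, src_if, src_ip, proto, sport) in self.conns


def build_example():
    """PIX populated with the commands from the text (addresses from the text)."""
    pix = PixModel(security={"inside": 100, "dmz": 50, "outside": 0})
    pix.nat.append(("inside", "10.10.10.5/32"))      # nat (inside) 1 10.10.10.5 255.255.255.255
    pix.global_pools.update({"outside", "dmz"})      # global (...) 1 <pool> on each lower interface
    pix.statics.append(("dmz", "outside", "64.18.1.50", "10.10.10.50"))  # static (dmz,outside) ...
    pix.conduits.append(("tcp", "64.18.1.50", 80))   # conduit permit tcp host 64.18.1.50 eq www any
    return pix


if __name__ == "__main__":
    pix = build_example()
    print(pix.new_connection("inside", "10.10.10.5", "outside", "198.51.100.7", "tcp", 443))
    print(pix.new_connection("inside", "10.10.10.6", "outside", "198.51.100.7", "tcp", 443))
    print(pix.new_connection("outside", "203.0.113.9", "dmz", "64.18.1.50", "tcp", 80))
    print(pix.new_connection("outside", "203.0.113.9", "dmz", "64.18.1.50", "tcp", 22))
    print(pix.return_traffic_allowed("outside", "198.51.100.7", "inside", "10.10.10.5", "tcp", 443))
```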
Configuring Advanced Features
- Failover – Failover allows you to add a secondary PIX firewall unit that
  takes over when the primary unit fails. These units are connected by
  special RS-232 serial cables that transmit special “hello” failover
  messages to each other every 15 seconds. When a failure of the primary
  unit is detected, the secondary unit assumes the IP address and the MAC
  address of the failed unit. The secondary unit then acquires the
  configuration of the primary unit and is now able to function as the
  firewall. To enable failover between two PIX firewall units, they would
  need to be configured exactly the same. When a failover cable is connected
  between the two units, you need to explicitly enable failover by issuing
  the failover command. In addition, if any configuration change is made on
  the primary unit, you need to issue the write standby command in order for
  the changes to be replicated to the standby unit.
- PPTP Virtual Private Network – In version 5.1, Microsoft’s PPTP is
  supported. PPTP (Point-to-Point Tunneling Protocol) is a layer 2 tunneling
  protocol that allows a remote client to establish secure communication
  through a public IP network such as the Internet. The vpdn command enables
  the PPTP feature for inbound connections between the PIX firewall and a
  Windows client. An example of the use of this command is as follows:
  vpdn enable outside
- ActiveX Blocking – ActiveX controls are components that are inserted in a
  web page or application and can contain several different forms that can
  gather or display information. This can create many potential security
  problems, as these can be invoked to attack network services or take over
  a workstation. The PIX firewall ActiveX feature blocks these controls from
  the web page itself.
- SNMP – The PIX firewall can be configured to send SNMP traps to an SNMP
  server so that it can be monitored remotely. The command to enable this
  advanced feature is snmp-server host.
- Websense URL Filtering – If you use a Websense server, the PIX firewall
  can be configured to allow it to do URL filtering. The command issued on
  the PIX firewall to point itself to a Websense server is as follows:
  url-server (inside) host 10.10.10.1 timeout 15
Encryption Technology
Basic Cryptography
Cryptography is defined as the science of reading or writing coded messages.
It is the foundation of the mechanics of enabling authentication, integrity
and confidentiality. The process of cryptography is known as encryption. An
encrypted message is a message that has undergone a mathematical or
algorithmic process in order for it to be converted to cipher text. When the
intended recipient gets the cipher text, he then proceeds to decrypt the
message by applying the same algorithmic process to it as the sender. This
allows him to get back the decrypted message. There are three types of
cryptographic functions that enable authentication, integrity and
confidentiality:
- Symmetric encryption – This type of encryption is often known as secret
  key encryption. This is where a common key and the same algorithmic
  process are used to encrypt and decrypt a message.
- Asymmetric encryption – This type of encryption is often known as public
  key encryption. Public key encryption uses two different but related keys
  in order to do the algorithmic process on the message. When a message is
  encrypted, both a public key and a private key are needed. For example,
  Joe would like to send Mary an encrypted message. First, he encrypts the
  message using both his public and private key. He then sends Mary both the
  encrypted message and his public key. Mary then uses Joe’s public key to
  decrypt the message.
- Hash functions – A hash function takes a message and then outputs a
  fixed code for it. The code has to meet specific properties to be
  effective. These properties are consistency, randomness, uniqueness and it
  must be one way. One-way hashes verify the integrity of a message by
  making sure that the message has not been tampered with in transit.
Overview of IKE & IPSEC
- IPSEC – IPSEC stands for IP Security. IPSEC is a framework of open
  standards for guaranteeing secure private communications over the
  Internet. IPSEC uses encryption technology to offer data integrity,
  confidentiality and authenticity between participating peers in a private
  network. Cisco provides full Encapsulating Security Payload (ESP) and
  Authentication Header (AH) support. IPSEC provides IP network layer
  encryption and authentication, thus providing an end-to-end security
  solution in your network architecture. This encryption method allows
  encrypted packets to look the same as regular packets; these packets are
  routed normally through any IP network, such as the Internet. This is done
  without any changes to the intermediate networking devices. The only
  devices that are aware of such encryption are the end points of the
  communication. IPSEC employs several different technologies to provide a
  complete system of confidentiality, integrity and authenticity. These
  technologies are:
  - Diffie-Hellman key exchange – This is used for obtaining key material
    between peers on a public network.
  - Public key cryptography – This is used for signing the Diffie-Hellman
    exchanges. This guarantees the identities of the two parties.
  - Bulk key encryption – This is for encrypting the data.
  - Keyed Hash Algorithms – These, combined with traditional hash
    algorithms, provide packet authentication.
  - Digital Certificates – Items signed by a certificate authority to act as
    digital identification cards.
- IKE – IKE stands for Internet Key Exchange. IKE was formerly known as the
  Internet Security Association Key Management Protocol or ISAKMP. IKE
  offers security association management. IKE authenticates each peer in an
  IPSEC communication, negotiates security policy and handles the exchange
  of session keys. IKE is a key management protocol standard that is used in
  conjunction with IPSEC. IPSEC can be configured without IKE; however, IKE
  enhances IPSEC with its additional features. IKE automatically negotiates
  IPSEC security associations and enables IPSEC secure communications
  without manual configuration. IKE provides these benefits:
  - Eliminates the need to manually configure the different security
    parameters of IPSEC in the crypto maps at both peers.
  - Allows you to configure a lifetime for the IPSEC security association.
  - Allows encryption keys to change during IPSEC sessions.
  - Allows IPSEC to offer anti-replay services.
  - Permits Certificate Authority support for a manageable and scalable
    IPSEC implementation.
  - Allows dynamic authentication of peers.
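Two of the building blocks listed above, the Diffie-Hellman key exchange and the keyed hash that authenticates a packet, carried out in Python as an added example that is not part of these notes or of any Cisco software. It uses the 1024-bit MODP group that IKE calls group 2 (the prime from RFC 2409, transcribed here), derives the packet-authentication key with a plain SHA-1 of the shared secret instead of IKE's full SKEYID derivation, and uses HMAC-SHA1 as in the esp-sha-hmac transform; the payload is constructed. It also covers the one-way hash integrity check from the Hash functions item.

```python
"""Added example: Diffie-Hellman over IKE group 2 to obtain key material,
then a keyed hash (HMAC-SHA1) that authenticates a packet. Not Cisco code.
The key derivation is simplified (SHA-1 of the shared secret, not IKE's
SKEYID derivation) and the packet payload is constructed."""
import hashlib
import hmac
import secrets

# IKE group 2 parameters: generator 2 and the 1024-bit prime from RFC 2409.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
TAG_LEN = 20  # SHA-1 output length in bytes


def dh_keypair():
    """Pick a random private exponent and compute the public value g^x mod p."""
    x = secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P)


def dh_shared_key(own_private, peer_public):
    """Derive a 20-byte authentication key from the shared secret.

    The peer's public value is range-checked first; 0, 1 and p-1 would force
    a predictable shared secret regardless of our private exponent."""
    if not 1 < peer_public < GROUP2_P - 1:
        raise ValueError("peer public value out of range")
    secret = pow(peer_public, own_private, GROUP2_P)
    return hashlib.sha1(secret.to_bytes(128, "big")).digest()


def authenticate_packet(key, payload):
    """Append an HMAC-SHA1 tag to the payload (keyed hash for packet auth)."""
    return payload + hmac.new(key, payload, hashlib.sha1).digest()


def verify_packet(key, packet):
    """Recompute the keyed hash in constant time; return the payload or None."""
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if len(tag) != TAG_LEN:
        return None
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    return payload if hmac.compare_digest(expected, tag) else None


def demo():
    """Round trip between two peers; returns (keys_match, tampering_detected)."""
    a_priv, a_pub = dh_keypair()        # peer A keeps a_priv, sends a_pub
    b_priv, b_pub = dh_keypair()        # peer B keeps b_priv, sends b_pub
    key_a = dh_shared_key(a_priv, b_pub)
    key_b = dh_shared_key(b_priv, a_pub)
    packet = authenticate_packet(key_a, b"constructed payload: route update")
    tampered = packet[:5] + bytes([packet[5] ^ 0x01]) + packet[6:]  # flip one bit
    return (key_a == key_b,
            verify_packet(key_b, packet) is not None
            and verify_packet(key_b, tampered) is None)


if __name__ == "__main__":
    print(demo())
```

Without the public-key signing of the exchange that the list also mentions, an on-path party could substitute its own public values, so the keyed hash alone authenticates packets only between peers whose exchange was itself authenticated.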
Configuring IPSEC with IKE
access-list 102 permit ip 10.10.0.0 255.255.0.0 64.18.1.1 255.255.255.0
crypto ipsec transform-set testset1 esp-des esp-sha-hmac
crypto ipsec transform-set testset2 ah-sha-hmac esp-3des esp-sha-hmac
crypto map testmap1 10 ipsec-isakmp
crypto map testmap1 10 match address 102
crypto map testmap1 10 set peer 209.223.140.2
crypto map testmap1 10 set transform-set testset1 testset2
Configuring IKE
- The first step is to enable the debug crypto isakmp command to capture
  important IKE-related messages that are only displayed when this command
  is enabled.
- Enable IKE on the interface on which the IPSEC traffic will be evaluated,
  and define an IKE policy. For example:
  isakmp enable outside
  isakmp policy 21 encryption des
  isakmp policy 21 hash md5
  isakmp policy 21 authentication rsa-sig
  isakmp policy 21 group 2
  isakmp policy 21 lifetime 4000