
Chapter 5

Overview of Security Technologies

“We can’t help everyone, but everyone can help someone.” —Ronald Reagan

This chapter discusses the use of technologies that have evolved to support and enhance network security. Many of these technologies are used today without the user understanding when or where they operate. After reading this chapter, you will understand the benefits of these technologies, where they operate, and some of the operational risks associated with them. By the end of this chapter, you should know and be able to explain the following:

■ How you can employ packet filtering to reduce threats to a network

■ What stateful packet inspection is, and why it is important for firewalls to use this technique

■ The role and placement of a proxy technology within a secure network

■ Network Address Translation (NAT) and how you can use it to allow the Internet to continue to grow in IPv4

■ How Public Key Infrastructure (PKI) has the potential to protect the flow of information in a global manner

Answering these key questions and understanding the concepts behind them will enable you to understand the overall characteristics and importance of the security technologies covered in this chapter. By the time you finish this book, you will have a solid appreciation for network security, its issues, how it works, and why it is important.

So far, this book has painted in broad strokes the steps an attacker could possibly take to gain access to sensitive resources. The first step in protecting these assets is the global security policy created by combining the many aspects discussed in Chapter 2, “Security Policies.” This chapter introduces some of the more broadly used security technologies. Each of these technologies contains a concept or specific role that increases the security of your network when designed and implemented in a layered design.

128 Network Security First-Step

Security First Design Concepts

Network security can be a hydra (many-headed beast) with regard to potential attacks and threats against the network. The resources and opinions on this subject are incredible, and opinions vary greatly depending on whom you ask. For example, in 2004 when I wrote the first edition of this book, a simple Google search on “designing a secure network” returned almost half a million results. In 2012, that same search string returns more than five and a quarter million hits. It is no wonder that conflicting security concepts bombard people, causing a great deal of confusion. To be honest, if you were to look up network security books, any bookstore also reveals almost as many!

The point is that experts in each area of network design have written so much on designing secure network architecture that to try to do the subject justice here is beyond the scope of this book. Books and websites deal with every aspect of network security, server security, application security, and so forth. We endeavor to provide you with a strong foundation upon which to build the security knowledge required for your role or network.

This book illustrates good network security design principles to build the strongest possible foundation. However, it covers some important design concepts of which you must be aware:

■ Layered security: A network that implements layered security truly understands that a single point of defense is doomed to eventual failure. Thus, as Figure 5-1 demonstrates, consistently implementing security throughout a network at as many points as possible is considered good design. This concept of layering a network’s security is the single-most important design concept in this chapter and is often referred to as Defense in Depth.

■ Controlling access: The network is ultimately your responsibility and, as a result, you determine what is allowed into and on your network. One highly recommended practice is to make access decisions with the mindset of “block everything, and allow only what is needed to conduct business.” This has also been referred to as the Policy of Least Privilege (POLP). This is the default action of Cisco firewalls and access control lists (ACL).

■ Role-specific security (Role Based Access Control [RBAC]): When deciding upon access and privilege (that is, trust), one of the most useful templates to use is based on a user’s role within the organization. For example, a web developer would clearly need access to the organization’s website, whereas an administrative assistant would not.

■ User awareness: Stories abound about users writing down passwords, changing them five times in a row, and then using their original password again. It is not that users are intentionally bypassing security; they do not understand the purpose of the security and may have become complacent. Okay; let’s be honest; some users definitely try to bypass security, but more on that later! Thus, user awareness through training and visibility is essential to get users to understand the importance of security. One great idea for getting users to attend training and learn why it is important is to serve ice cream with all the trimmings. This method appeals to a basic human love of sweets, but it is also effective and fun; you will become a popular person! It is crucial to have your users truly aware of security and supportive of security policies; making security training a pleasant experience can help make that happen.

Figure 5-1 Layered Security Points (Defense in Depth) [figure: “Implement Security at Every Layer”; the path Internet, Router, Firewall, Router, LAN Switch, Users and Servers, with a security point at each device]

■ Monitoring: Perhaps one of the most forgotten aspects of security is monitoring. Many organizations believe that it is enough simply to have security. They forget that monitoring their systems to ensure that they remain secure and are not subject to attack is also crucial. The truth is, security devices report every little thing, and it’s hard to do an effective job if you’re not listening and monitoring what they are saying. One of the ways to achieve this is to “tune” the device; another is to have every device on the network report to a central device that you tune and monitor. It is much easier to monitor one device than ten. Cisco has an effective product for this, referred to as Cisco Security Manager. More information on the Cisco Security Manager is available at www.cisco.com/en/US/products/ps6498/index.html. Chapter 11, “Intrusion Detection and Honeypots,” discusses the methods used to monitor for attacks: intrusion detection systems (IDS). A strongly recommended practice is to include provisions for IDS when designing a network’s security solution in wired or wireless networks.

■ Keep systems patched: Patching or updating systems is a fundamental task that is often forgotten by system administrators with their busy schedules. Fortunately, many newer operating systems can remind you when new updates are available. For example, I use an Apple Mac Book Pro running OS X (aka Snow Leopard); within this operating system is a built-in functionality that automatically checks for updates, as shown in Figure 5-2.

The only downside in this example is that I do not yet have an Apple iPod, which would require this update. Regardless, you can understand the point: Always make the time to check for patches for your systems because hackers are always pushing to find and exploit. For Windows users, Microsoft has also included this automatic update functionality in newer versions of its operating systems. The trouble is that Microsoft set the auto updates to occur at 3 a.m. by default. This is great if you leave your computer on 7x24, but if you’re like most people, you shut it off when done using it. The moral to this story is that auto updates are good, but be proactive to ensure that they are happening, and at the right time! Patches must also be tested before being inserted into production networks, and not all systems are as patch friendly as others. You need to understand where your patches are coming from (in some cases they are hashed) so that you can be sure they are not malicious code masquerading as a patch to one or more of your critical systems. Apple handles updates in a more elegant manner, as shown in Figure 5-2.

Figure 5-2 MAC OS X Automatic Update Functionality

■ Incident Response Teams: Security concerns will inevitably be brought to you in some form or another. Perhaps your systems have become the target of an attack or you have detected that the compromise and damage has already been done. This aspect of design deals with how an organization responds to an attack and deals with whatever situation it experiences. It is best to include and consider incident response teams and the process of responding in practice rather than when you are under pressure and the situation is extreme. So, design it now; the benefits come later. Practice makes perfect, and dry runs can help point out a plan’s flaws that do not seem evident at the time the plan and policy are written.

These first-step security design considerations will enable you to understand how to begin securing any network. The next section begins to discuss the specifics of how you can use security technologies and their roles in protecting a network.

Packet Filtering via ACLs

As you probably already know, all information that flows across the Internet uses TCP/IP and, in turn, this information is sent in small pieces known as packets. In the early days of the Internet, filtering based on packets was common and, in many cases, routers in many networks still use packet filtering. Packet filters are often used as a first defense in combination with other firewall technologies. Today, their most common implementation is seen in the ACLs of routers at the perimeters of networks.

Packet filtering is one of the oldest and most common types of packet inspection technologies available. It begins by inspecting a packet’s contents and applying rules to determine whether a packet should be dropped or allowed. Although many characteristics are possible within a TCP/IP packet’s header (that is, protocol, port, and so on), this discussion refers to filtering based on the source or destination IP address, as shown in Figure 5-3.

The two main types of ACLs are standard ACLs, which filter based on IP address, and extended ACLs, which look further into a packet header, if so configured.

Figure 5-3 Packet Filtering at Layer 3 of the TCP/IP Model [figure: the five layers 5 Application, 4 Transport Control Protocol (TCP)/User Datagram Protocol (UDP), 3 Internet Protocol (IP), 2 Data Link, 1 Physical; incoming traffic is filtered at Layer 3 based on specified rules, including source and destination IP address; disallowed traffic is dropped and allowed traffic passes as outgoing traffic]

Note Standard ACLs are source address–based and extended ACLs are source-based and destination-based and have more capabilities, such as specifying port or protocol. The following ACL styles for IP are supported:

■ Standard IP ACLs: Use source addresses for matching operations

■ Extended IP ACLs (control plane only): Use source and destination addresses for matching operations and optional protocol type and port numbers for finer granularity of control

■ Named ACLs: Use source addresses for matching operations

Refer to the following URL for more information about configuring ACLs and Cisco devices (Cisco.com account required): www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#types

Packet filters inspect each packet individually, examining source and destination IP address and ports as defined in the filter. Only the beginning of each packet header is examined; for this reason, they can quickly decide packet flow because the packet is read only enough to determine whether it is a match. The characteristics of each of these inspection points determine whether the given packet should be allowed or denied. The use of ACLs is how packet filtering is conducted on Cisco devices; they are one of the focal points of this section.

Because every packet of every connection is checked against the access control rules, larger, complex packet-filtering rule bases could decrease performance of the device upon which they are applied. In addition, because packet filters can check only low-level attributes, they are not secure against malicious code hiding in the other layers.

ACLs are one of the most confusing topics for many people. As the following section shows, ACLs become much easier to understand when superimposed over a good analogy drawn from real life.

Grocery List Analogy

This analogy, based on going grocery shopping, is just one way to introduce and explain the concepts behind packet filtering via ACLs. Keep certain key principles in mind as you follow the analogy. Table 5-1 begins the analogy by comparing packet filtering via ACLs with creating a grocery list.

Table 5-1 Access List/Grocery List Analogy Overview

ACL Characteristics      Grocery List Analogies
ACLs are effective       Following a grocery list is efficient and saves money.
Top-down processing      The order of the items on the list is important.
Place denies first       There are items not on the list, so do not buy them.
Always have a permit     A list must always include things that are permitted.
Implicit deny all        You can buy only what is on the list.

In planning a turkey dinner, my wife and I discovered that we needed some things to finish cooking; we decided to make a list. This way, I would not forget what we needed when I went to the store. We knew that we had the following things, so they are not going on the grocery list:

■ Turkey

■ Stuffing

■ Bread

■ Cheese

In other words, I cannot buy these ingredients because my wife says that we do not need them. When I make a list of the things I am allowed to buy, my list is rather broad. I am happy with the list; it will do the job, so I am ready to head to the grocery store to get the following items:

■ Milk

■ Pie

■ Potatoes

■ Gravy

■ **Buy nothing else**

This list is broad because there are many types of milk and many types of pies and because of how the list is written, I can buy any sort of pie I want because they are all allowed. She just might be in trouble because I happen to enjoy mincemeat pies and she does not! Because we need these ingredients, I can buy them. This broad grocery list analogy can relate directly to a standard ACL when expressed as follows:

[standard acl] Regular Grocery List
[deny] Turkey
[deny] Stuffing
[deny] Bread
[deny] Cheese
[permit] Milk
[permit] Pie
[permit] Potatoes
[permit] Gravy
[implicit deny all else] **Buy nothing else - end**

Notice the last line; my wife imposes this restriction on me because I have a great deal of affection for chocolate ice cream and on-sale items. Now, she does not need to actually say the words to me because I implicitly understand that I am not allowed to buy anything else.

I decide to show my list to my wife to make sure I did not miss anything. She reviews the list and decides I need more specific instructions because it is important to buy the right “kind” of groceries. She begins writing on my list:

[extended acl] Extended Grocery List (that is, wife’s version)
[deny] Turkey
[deny] Stuffing
[deny] Bread
[deny] Cheese
[permit] Milk – 2% White
[permit] Pie – Mrs. Smith’s Pumpkin
[deny] Potatoes – Red because a guest is allergic to this type
[permit] Potatoes – Any potatoes other than red is okay
[permit] Gravy – White Country
[implicit deny all] **Buy nothing else - end**

This type of list allows for a more granular level of filtering or, in my case, a more rewarding return home with the ingredients I was permitted to buy. Did you notice the difference between the two lists? The first list was rather broad and not specific at all, whereas the second list was extremely specific and told me not only exactly what not to buy, but more specifically what I was permitted to buy. Ultimately, the implicit understanding is that everything else is denied. You probably relate to the challenges of shopping when you are married and are also wondering how this relates to ACLs and packet filtering.

Packets have identifiable characteristics that access lists use to classify them and take an action—either permit or deny. Consider Example 5-1, which shows what a standard access list based on my analogy might look like.

Example 5-1 Analogy as a Standard Access List

access-list 10 deny any turkey
access-list 10 deny any stuffing
access-list 10 deny any bread
access-list 10 deny any cheese
access-list 10 permit any milk
access-list 10 permit any pie
access-list 10 permit any potatoes
access-list 10 permit any gravy

The standard access list in a Cisco device is primarily used to filter packets based on IP addresses. In addition, a standard access list is identified by its number; specifically, standard lists use 1–99 and 1300–1399 as identification numbers. If you were to take this example a technical level deeper and use IP addresses and subnets, it would look like Example 5-2 in a Cisco device’s configuration.

Example 5-2 Standard Access List Filtering Packets

! A standard ACL matches on the source address only. The wildcard mask 0.0.0.255
! is the inverse of the subnet mask, so each line covers one /24 subnet.
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.20.0 0.0.0.255
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 10 permit 192.168.40.0 0.0.0.255

You are probably wondering what happened to the deny statements. With Cisco ACLs, there is that implicit deny everything else at the end, which you do not “see” in the configuration. Thus, you do not have to enter the deny statements. You could take the standard ACL and expand it to be even more specific by using an extended ACL; this is what my wife did when she gave me more specific instructions.
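To make the top-down, first-match and implicit-deny behavior concrete, here is a small ACL evaluator in Python. It is an added example, not code from the book or from Cisco: it parses the standard-ACL syntax of Example 5-2 (IOS form, with wildcard masks) and a constructed extended ACL 101 for the perimeter router, evaluates packets against them, and reports entries that an earlier entry shadows. That goes a step beyond the chapter by covering extended ACLs and the rule-overlap audit mentioned later under stateful inspection. The web server address 192.168.10.5, the ACL number 101 and every packet address are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"           # "ip" means any IP protocol; else "tcp", "udp", "icmp"
    dport: Optional[int] = None

@dataclass
class Ace:                      # one access control entry, i.e. one line of the ACL
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: Optional[int]

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 covers a /24, 0.0.0.0 one host."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2

def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line}")
    number = int(t[1])
    if 1 <= number <= 99 or 1300 <= number <= 1399:   # standard ACL: source address only
        src, _ = _parse_addr(t, 3)
        return Ace(t[2], src, ANY, "ip", None)
    proto = t[3]                                       # extended ACL: protocol, src, dst, port
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[2], src, dst, proto, dport)

def parse_acl(text: str) -> List[Ace]:
    lines = [l.strip() for l in text.strip().splitlines()]
    return [parse_ace(l) for l in lines if l and not l.startswith("!")]

def matches(ace: Ace, pkt: Packet) -> bool:
    return (ipaddress.IPv4Address(pkt.src) in ace.src
            and ipaddress.IPv4Address(pkt.dst) in ace.dst
            and ace.proto in ("ip", pkt.proto)
            and (ace.dport is None or ace.dport == pkt.dport))

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; a packet matching no entry hits the implicit deny (line None)."""
    for n, ace in enumerate(acl, start=1):
        if matches(ace, pkt):
            return ace.action, n
    return "deny", None

def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Line numbers that can never match because an earlier entry already covers them."""
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and earlier.proto in ("ip", later.proto)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(j + 1)
                break
    return shadowed

# Example 5-2 from the chapter, in IOS syntax
STANDARD_ACL = parse_acl("""
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.20.0 0.0.0.255
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 10 permit 192.168.40.0 0.0.0.255
""")

# Constructed inbound perimeter ACL: denies first (packets from the Internet claiming a
# private source address, the RFC 2827 ingress-filtering idea), then one narrow permit.
PERIMETER_ACL = parse_acl("""
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp any host 192.168.10.5 eq 80
""")

if __name__ == "__main__":
    for pkt in (Packet("10.1.1.1", "192.168.10.5", "tcp", 80),
                Packet("203.0.113.9", "192.168.10.5", "tcp", 80),
                Packet("203.0.113.9", "192.168.10.5", "tcp", 22)):
        print(pkt, "->", evaluate(PERIMETER_ACL, pkt))
```

The order of entries matters exactly as in the grocery list: the spoofed packet is caught by line 1 before the permit is ever consulted, and a packet that no line mentions (port 22 here) falls through to the implicit deny. `shadowed_entries` catches the opposite mistake, a broad `permit any` placed before a specific `deny`.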

Because they are designed to identify packets, ACLs fulfill many roles in the world of networking. After a packet is identified, it can be acted upon in some manner. This action might include sending it after a more important packet, or perhaps filtering the packet. Figure 5-4 shows the placement of an ACL to filter packets.

If you consider the analogy of the entrance to my local grocery store to where the packets are entering the router, you can understand that nothing is getting in without permission!

Figure 5-4 Placement of Packet Filters [figure: Internet, Router, Firewall, LAN Switch, Users and Servers; packets enter at the router, where the inbound packet filters are placed at the closest point of entry to the network]

A secure router at the edge or perimeter of your network might be your first step/layer in a strong defense-in-depth methodology.

Limitations of Packet Filtering

It is time to talk about the drawbacks of using packet filtering. Certainly, you can stop many things with their use. Consider that you have a web server in a DMZ; all web/HTTP traffic must be able to reach this server. This server happens to run Microsoft’s IIS web server software, and an attacker decides to directly attack the web server using web/HTTP traffic. Because the attack targets vulnerabilities in IIS, the packets are allowed. So, although packet filtering is not enough security (on its own), it most certainly is another technique that will increase the depth of your network’s security by creating another layer of protection.

Note You can find additional ACL information and techniques at the following Cisco.com URL (Cisco.com account required). The article is titled “Protecting Your Core: Infrastructure Protection Access Control Lists”: www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

The next section takes packet filtering a step further by discussing stateful packet inspection.

Stateful Packet Inspection

This section discusses the more advanced technique of packet inspection: Stateful Packet Inspection (SPI). To understand how SPI operates, you must briefly review the TCP/IP model.

Note Many people are confused about the relationship between the OSI reference model and the TCP/IP model—simply put, OSI is a reference model for developers, whereas, in education and in practice, the TCP/IP model describes how the protocols actually function. Therefore, you must use the TCP/IP model when inspecting packets.

Figure 5-5 shows the five layers of the TCP/IP model. The stateful inspection component is concerned with how TCP (Layer 4—transport) makes connections. Tracking the state of the TCP connection is done via Layer 4 of the TCP/IP model.

In most cases, SPI occurs in a firewall, which sits behind the secure router that connects your network to the Internet. If you have implemented packet filtering with ACLs on the router as your first line of defense (and you should), the next line/layer of defense will be SPI at the firewall, as shown in Figure 5-6.

Figure 5-5 TCP/IP Model [figure: the five layers 5 Application, 4 TCP/UDP, 3 Internet Protocol (IP), 2 Data Link, 1 Physical; traffic is filtered based on specified session rules, such as when a session is initiated by a recognized computer; unknown traffic is allowed only up to Layer 4 of the network stack; disallowed incoming traffic is dropped and allowed traffic passes as outgoing traffic]

Note There is an Internet standard known as RFC 2827, which can guide you through the process of creating your first line of defense. This RFC is titled “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing.”

This placement and added security enables the defense in depth to be layered at yet another level, with the goal of completely securing the network via multiple layers of protection.

SPI is usually implemented in a firewall, so the TCP/IP connections can be inspected more closely. Thus, this technology is considered connection-aware in that SPI monitors and understands that a connection between two computers usually consists of many packets that flow back and forth between the computers. This connection-aware functionality happens because the firewall is tracking every connection that comes into it and out of it to track the state of the connection. Yes, this connection was opened by one of my internal users (permit) or no, it was not opened (deny).

Figure 5-6 Placement of Stateful Packet Inspection [figure: Internet, Router (inbound packet filters), Firewall (stateful packet inspection), LAN Switch, Users and Servers; packets pass the router’s filters first and the firewall’s inspection second]

Stateful inspection of packets occurs during the first packets used to create this connection. As the connection is inspected, an entry is created in a table. Then, as future packets are received, they are verified against entries in this table to see whether they belong to an existing and recorded connection. If the packets pass this verification phase, they are allowed to pass. At a high level, that is how SPI occurs. The following section examines this process in more detail.

Detailed Packet Flow Using SPI

Because this book strives to always present best practices regarding network security and the associated technologies, this more detailed discussion is based on the assumption that the external router is in place and that it is configured to prescreen connection attempts into the network by using packet filtering. Therefore, picking up the packet as it passes through the router and its packet filtering, the next step is the packet arriving at the firewall:

1. When a packet arrives at the firewall, a decision must be made to determine whether the packet should be allowed (forwarded) to the internal network.

2. The device performing the stateful packet inspection takes each arriving packet and inspects its headers to determine whether they match the set of rules that control what kind of packets are allowed.

3. When inspecting the packet’s headers, the inspection includes the packet’s source and destination addresses, its protocol type (TCP, UDP, ICMP, and so forth), its source and destination ports, flags set on the packet (SYN, ACK, FIN, RST, and so on), or other such basic header information. Incoming packets are inspected until enough information has been gathered from the packets received (using information such as TCP sequence numbers) to determine the connection’s “state.”

4. This inspection data is compared against the rule set that has determined what should be allowed and what should be denied. For example, all HTTP traffic only might be allowed to a web server, whereas other traffic should be denied trying to access the web server. This is a common rule wherein only a certain type of traffic should be allowed to only a certain server.

5. Depending on the connection status, this inspection information is then compared to a stateful table that would have entries for each TCP/IP connection the device has enabled. For example, most devices enable everyone from inside the network to access anything they want outside the network, and that connection would have formed an entry in the state table. Rather than enabling all packets that meet the rule set’s requirements to pass, only those packets that are part of a valid, established connection are permitted.

6. Ultimately, packets are either permitted or denied depending on these inspection steps. Because these rules/tables are consulted only once, complex inspection rules do not greatly impact performance.

7. All permitted and denied access should be logged to a secure syslog server that has accurate NTP sync. These logs can be fed into a security information management system for further analysis and reporting. In Cisco Security Manager (CSM), rules can be audited and hit counts analyzed to make sure that rule usage is being monitored, templates are followed, and there is no rule overlap or mistakes in existing rules.

SPI rules are not as easy to create as packet-filtering rules because of the added level of complexity. However, they are certainly worth the money and effort because they add an additional level of security to your network. They are also fast and can handle large amounts of network traffic. If the metrics recorded for the connection do not match the entry in the connection database, the connection is dropped.
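The seven steps above describe a state table keyed on connection identity. The following Python models that table for TCP; it is an added illustration, not code from the book or from any firewall vendor. An inside host may open a connection to anything outside (step 5’s common policy), only the constructed DMZ web server 10.0.0.5 on port 80 may be opened from outside, return packets are permitted only when a matching entry exists, a FIN or RST removes the entry, every decision is logged as step 7 asks, and UDP and ICMP are refused at this layer because they carry no state to track (the chapter’s advice is to leave them to packet filtering). All addresses and ports are constructed, and the state handling is deliberately simplified (one FIN tears the entry down, no timeouts, no sequence-number checks).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}, {"FIN", "ACK"}

class StatefulFirewall:
    def __init__(self, inside: str, inbound_services: set):
        self.inside = ipaddress.ip_network(inside)    # the protected network
        self.inbound_services = inbound_services      # (server, port) pairs outsiders may open
        self.table: Dict[Tuple, str] = {}             # connection 5-tuple -> state
        self.log: List[str] = []                      # what a syslog server would receive

    @staticmethod
    def _key(p: Packet) -> Tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _decide(self, action: str, p: Packet, reason: str) -> str:
        self.log.append(f"{action.upper()} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} ({reason})")
        return action

    def process(self, p: Packet) -> str:
        """Return "permit" or "deny" for one packet, updating the state table on the way."""
        if p.proto != "tcp":
            # ICMP and UDP carry no connection state, so SPI cannot vouch for them;
            # the chapter's advice is to subject them to stateless packet filtering instead.
            return self._decide("deny", p, "no connection state to track; use a packet filter")
        fwd, rev = self._key(p), self._reverse_key(p)
        tracked = fwd if fwd in self.table else rev if rev in self.table else None
        if tracked is not None:
            if p.flags & {"FIN", "RST"}:
                del self.table[tracked]               # simplified: one FIN or RST tears it down
                return self._decide("permit", p, "connection closing; state entry removed")
            if tracked == rev and {"SYN", "ACK"} <= p.flags:
                self.table[tracked] = "ESTABLISHED"   # the reply to our SYN completes the handshake
            return self._decide("permit", p, f"matches state table entry ({self.table[tracked]})")
        # No entry: only a bare SYN may create one, and only if a rule allows the initiator
        if p.flags != frozenset({"SYN"}):
            return self._decide("deny", p, "not part of an established connection")
        if ipaddress.ip_address(p.src) in self.inside:
            self.table[fwd] = "SYN_SENT"
            return self._decide("permit", p, "inside host may initiate; state entry created")
        if (p.dst, p.dport) in self.inbound_services:
            self.table[fwd] = "SYN_SENT"
            return self._decide("permit", p, "rule permits inbound to this service; state entry created")
        return self._decide("deny", p, "unsolicited inbound connection attempt")

def demo() -> Tuple[StatefulFirewall, List[str]]:
    # Constructed traffic: the protected LAN is 10.0.0.0/24, 10.0.0.5 is the DMZ web server,
    # 203.0.113.10 and 198.51.100.7 are outside hosts from the documentation address ranges.
    fw = StatefulFirewall("10.0.0.0/24", {("10.0.0.5", 80)})
    S, SA, A, FA = (frozenset({"SYN"}), frozenset({"SYN", "ACK"}),
                    frozenset({"ACK"}), frozenset({"FIN", "ACK"}))
    flow = [
        Packet("tcp", "10.0.0.2", 40000, "203.0.113.10", 80, S),    # inside user opens a web session
        Packet("tcp", "203.0.113.10", 80, "10.0.0.2", 40000, SA),   # server replies: matches the entry
        Packet("tcp", "203.0.113.10", 80, "10.0.0.2", 40000, A),    # more of the same connection
        Packet("tcp", "198.51.100.7", 5555, "10.0.0.2", 40000, A),  # stray ACK with no entry: denied
        Packet("tcp", "198.51.100.7", 5555, "10.0.0.2", 3389, S),   # unsolicited SYN to a user PC: denied
        Packet("tcp", "198.51.100.7", 5555, "10.0.0.5", 80, S),     # SYN to the web server: rule permits
        Packet("udp", "198.51.100.7", 53, "10.0.0.2", 53000),       # UDP: no state, left to packet filters
        Packet("tcp", "10.0.0.2", 40000, "203.0.113.10", 80, FA),   # inside user closes the session
    ]
    return fw, [fw.process(p) for p in flow]

if __name__ == "__main__":
    fw, verdicts = demo()
    print("\n".join(fw.log))
```

Note the fourth packet: it has every header field a stateless filter might permit, but because no entry in the table matches it, the stateful device drops it, which is exactly the difference between steps 4 and 5 above.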

Note Usually, firewalls are the devices of choice for performing stateful packet inspection; however, routers can also be used in this role. However, this is not advised because mixing network devices’ roles alters the functions they were designed to perform. Some might argue that you can successfully combine roles and devices; perhaps this might be appropriate in the distant future—for today and for the networks I am responsible for securing, I advise against it.

Limitations of Stateful Packet Inspection

Although SPI devices have improved scalability and benefits over packet filtering, they are not the ultimate point of protection for your network; again they are but a layer in a layered defense. Consider the following two major disadvantages of stateful packet inspection:

■ No application-level inspection: SPI cannot look at a packet any higher than Layer 4 of the OSI reference model. In practice, this is how attacks can succeed against servers that are accessible in some manner and protected by firewalls performing stateful packet inspection. Keep in mind that many attacks today are focused on Layer 4 and higher.

■ No connection state for every TCP/IP protocol: Certain protocols within TCP/IP have no method of tracking the state of their connection between computers. Specifically, ICMP and UDP have no connection state; thus, in the layered defense model, these protocols should be subjected to packet filtering because they have no connection state to track.

This section discussed the capability of security devices, such as firewalls, to track the state and thereby the validity of a connection to determine whether it should be allowed into the protected area of your network. The next section focuses on the various means of further ensuring the validity of packets entering your network by using additional security to inspect them at Layer 5 (application) of the TCP/IP model, which corresponds to Layer 7 of the OSI model.

Network Address Translation (NAT)

The Internet has grown larger than anyone ever imagined. Although its exact size is unknown, the current estimate is that there are approximately 100 million hosts and more than 350 million users actively on the Internet. This is more than the entire population of the United States. The Internet is effectively doubling in size each year.

When IPv4 addressing first appeared, everyone thought there were plenty of addresses to cover any need. Theoretically, you could have 4,294,967,296 unique public addresses (2^32). The actual number of available public addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way the addresses have been separated by the Internet Engineering Task Force (IETF) into classes (A, B, C) and the need to set aside some of the addresses for multicasting, testing, or other specific uses (Class D).

Note In addition to arranging groups of IPv4 addresses into classes, you might be wondering what happened to the millions of public IPv4 addresses that I said were no longer available. To ensure that every network in need of private IP addresses can have them, the Internet Engineering Task Force (IETF) has set aside a large range of addresses for internal network routing by means of Network Address Translation (NAT). Many of these addresses are referred to as private IP addresses; these addresses are not accessible on the public Internet, thus the word private. Private addresses are to be used within any organization that needs them and never used (routed) on the Internet. The addresses used (routed) on the Internet are referred to as public IP addresses.

With the explosion of the Internet and the ever-increasing need for IP addresses in home networks and business networks, the number of available IPv4 addresses is simply insufficient. The obvious solution is to redesign the IP addressing scheme to allow for more possible addresses. This is being developed in a solution known as IPv6, but it will take many years to implement because it requires the modification of the Internet’s entire infrastructure. As a result, the process of converting from IPv4 to IPv6 has been slow and will likely continue slowly as NAT further extends the life of IPv4. Because of the massive number of addresses that IPv6 provides, NAT was not built into IPv6 initially. RFC 6052 is the most recent update for IPv6.

NAT enables organizations to resolve the problem of IP address depletion when they have existing networks and need to access the Internet. Sites that do not yet possess NIC-registered IP addresses must acquire them from the Internet Assigned Numbers Authority (IANA) and American Registry for Internet Numbers (ARIN), who delight in causing bureaucratic delay. Many sites do not pass ARIN’s bureaucratic detailed examination or justification process and are denied public IP addresses; therefore, NAT is the solution for most organizations.

Note The IANA has reserved the following three blocks of the IP address space for private networks:

■ 10.0.0.0–10.255.255.255 (10/8 prefix)

■ 172.16.0.0–172.31.255.255 (172.16/12 prefix)

■ 192.168.0.0–192.168.255.255 (192.168/16 prefix)

NAT enables companies to use public IP addresses on the outside of the network (that is, on those devices that connect directly to the public Internet). However, as discussed, there probably will not be enough public IP addresses for every network printer, PC, server, switch, router, wireless device, and so forth to be assigned a public IP address.

These devices need an IP address to connect with TCP/IP, so we use private IP addresses on the internal network. The use of private IP addresses inside our network provides for all devices to now communicate using TCP/IP, which was the goal. However, you must activate NAT because the private IP addresses are not allowed out onto the Internet.

NAT is deployed and implemented on a device (firewall, router, or computer) that sits between an internal network using private IP addresses and the Internet, which uses public IP addresses. The device performing the address translation from private to public is usually a firewall and, to a lesser extent, a router. The device performing NAT usually sits with one part connected to the internal network and another part connected to the Internet (or some external network). Figure 5-7 shows the placement of NAT as part of a layered defense-in-depth architecture.

[Figure 5-7 Placement of NAT in a Network: packets from the Internet pass through the router (inbound packet filters) and the firewall (stateful packet inspection and Network Address Translation) to the LAN switch serving the users and servers.]


How NAT also provides an additional level of security to your network is discussed later in the section “Increasing Network Security.” NAT has many forms and can work in several ways:

■ Static NAT: Provides for mapping a private IP address to a public IP address on a one-to-one basis. This is particularly useful when a device needs to be accessible from outside the network; for example, if your web server has an internal IP address of 10.0.0.1 and it needs to be accessible from the Internet—it is your web server, after all! NAT must be statically configured so that a single public IP address is always translated to 10.0.0.1, enabling outside users to reach it. The use of static NAT is quite common for devices such as web servers, which must always be accessible from the Internet.

■ Dynamic NAT: Provides for mapping a private IP address to a public IP address from a group of registered IP addresses. In this type of NAT, there is a one-to-one relationship in the mapping from private to public. For example, if your PC is assigned an internal IP address of 10.0.0.2 and your co-worker is assigned 10.0.0.3, each of you would be assigned a public IP address at the firewall via NAT as your traffic went to the Internet. Dynamic NAT is helpful, but it might not be the right solution in many cases. For example, what if your other co-worker wanted to access the Internet and the firewall was out of available public IP addresses? He would be denied. This could introduce a serious problem; therefore, NAT overloading was developed.

■ NAT Overloading (aka PAT): A form of dynamic NAT that provides for the dynamic translation of multiple private IP addresses to a single public IP address by using different TCP ports. This is also known as Port Address Translation (PAT) or single address NAT. Its many names are not important, but how it functions is crucial. With 65,535 TCP ports possible per single IP address, NAT overloading is an effective means of providing Internet access to many users who have been assigned private IP addresses. This type of NAT is the most commonly used because it serves large numbers of users at once.

Increasing Network Security

Solving the IPv4 address depletion and waste problems was the leading reason for the development of NAT, which also provides for yet another layer of security to protect your network. In general, using NAT makes it slightly more difficult for an attacker to do the following:

■ Discover and map the target’s network topology and determine connectivity

■ Identify the number of systems running on a network

■ Identify the type of machines and the operating systems they run

■ Implement denial-of-service (DoS) attacks such as SYN (synchronize/start) flooding, port and service scans, packet injection, enumeration, and escalation of privilege on your network


NAT’s Limitations

It is clear that the introduction of NAT to the realm of networking and the Internet has solved or at least extended the IP address depletion problem. Many people have asked whether networks will ever evolve to IPv6 now that NAT works so well. The question is not actually if, but when will this conversion take place. For example, the Asia/Pacific region of the world is leading the implementation of IPv6 with many networks already using it.

As connectivity and convergence increase, the need for additional IP addresses will grow and expand. We will therefore make the change to IPv6 eventually; NAT has simply delayed the inevitable. NAT is useful and has brought advantages; however, it does have some limitations:

■ Issues with UDP: NAT tracks and controls connections based on state and, as discussed earlier in this chapter, UDP has no inherent mechanism to determine state because it is connectionless as a protocol. Thus, NAT has no way of knowing whether a packet is part of an ongoing conversation or an isolated transmission. NAT devices then need to guess at how long a conversation involving UDP should remain open after the last packet; this is known as the idle time. Cisco firewalls provide the functionality to set idle time on UDP sessions to limit such cases.

■ Sensitive protocols: Some protocols hide, alter, or otherwise obscure aspects of the packets that NAT requires to properly perform the translation. For example, IPsec VPN, Kerberos, X-Window, remote shell, and Session Initiation Protocol (SIP) can have trouble operating through a NAT device. This trouble arises because these applications embed IP addresses inside the packets, where the translation does not reach them. Cisco firewalls have special “inspect” for different protocols, such as Skinny for telephony, that enable these applications to work when the inspect command is activated.

■ Interferes with encryption and authentication systems: Many data encryption systems attempt to ensure the integrity of packets by ensuring that packets were not tampered with in transit. By its design, NAT tampers with packets, thus causing encryption and authentication technologies to not work well with NAT (by default). This is commonly seen with IPsec VPNs when a VPN device expects unaltered packets but the user is behind a firewall performing NAT. This means my VPN packets leave my computer and get NAT’d to be sent off onto the Internet, and <boom> the VPN breaks.

■ Complicated logging: When devices log through a NAT device, correlating the logs requires understanding the translations that NAT performed. Correlating system logs with the NAT system can thus become highly complicated and tedious when you need to understand which internal systems were actually involved.

■ One size fits all: If your organization is using PAT, and one person in the company authenticates to a protected resource outside your company, it’s possible that the rest of your organization now has access to that resource as well. Remember that if you use PAT, you’re using only one IP address that has been multiplexed using port numbers. The protected resource that requires authentication sees all conversations from your company as coming from the same IP address.

As NAT has matured, ways of addressing many of these limitations have been found, allowing them to work seamlessly; the VPN’s requirement for a special exemption from the packet-checking process of IPsec is one example. The final point to reinforce is that NAT is useful in many regards, from enabling an entire company to access the Internet to providing an additional layer of security. If you go back to the network referenced in figures throughout this chapter, you can see that including NAT adds another layer of protection (refer to Figure 5-7).
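The three NAT forms listed earlier (static, dynamic, and overloading/PAT) and two of the limitations above (UDP idle time and log correlation) can be seen in one small translation table. The following Python is an added example, not code from the book or from any vendor; the inside addresses are RFC 1918 samples and the public addresses are constructed from the 203.0.113.0/24 documentation range.

```python
"""Added example (not the book's code): a small NAT translation table.

It models the three NAT forms the chapter lists (static, dynamic pool, and
overloading/PAT) and two of the limitations: UDP idle-time expiry and
correlating an outside address back to the inside host.  Inside addresses
are RFC 1918 samples; the public addresses are constructed from the
203.0.113.0/24 documentation range.
"""
import ipaddress
import itertools

PRIVATE_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the three IANA-reserved private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


class NatDevice:
    """Translation state kept by the firewall or router performing NAT."""

    def __init__(self, static=None, pool=(), pat_address=None, udp_idle=30):
        self.static = dict(static or {})        # private -> public, one-to-one, permanent
        self.pool = list(pool)                  # free public addresses for dynamic NAT
        self.dynamic = {}                       # private -> public leased from the pool
        self.pat_address = pat_address          # the single shared address for PAT
        self.pat_ports = itertools.count(1024)  # next outside port to hand out
        self.pat_table = {}                     # (private, port, proto) -> (public, port)
        self.last_seen = {}                     # PAT key -> time of last packet
        self.udp_idle = udp_idle                # seconds before a silent UDP flow is dropped

    def translate(self, src, sport, proto="tcp", now=0):
        """Return (public_ip, public_port) for an outbound packet, or None if denied."""
        if not is_private(src):
            return (src, sport)                 # already public: nothing to translate
        if src in self.static:
            return (self.static[src], sport)
        if src in self.dynamic:
            return (self.dynamic[src], sport)
        if self.pool:                           # dynamic NAT: lease the next free address
            self.dynamic[src] = self.pool.pop(0)
            return (self.dynamic[src], sport)
        if self.pat_address is None:
            return None                         # pool exhausted and no PAT: the user is denied
        self.expire_udp(now)
        key = (src, sport, proto)
        if key not in self.pat_table:           # PAT: multiplex on a fresh outside port
            self.pat_table[key] = (self.pat_address, next(self.pat_ports))
        self.last_seen[key] = now
        return self.pat_table[key]

    def expire_udp(self, now):
        """NAT never sees a UDP 'close', so it guesses: drop flows idle past udp_idle."""
        for key in list(self.pat_table):
            if key[2] == "udp" and now - self.last_seen[key] > self.udp_idle:
                del self.pat_table[key]
                del self.last_seen[key]

    def correlate(self, public_ip, public_port, proto="tcp"):
        """Map the address an outside server logged back to the inside host and port."""
        for key, out in self.pat_table.items():
            if out == (public_ip, public_port) and key[2] == proto:
                return key[0], key[1]
        for priv, pub in {**self.static, **self.dynamic}.items():
            if pub == public_ip:
                return priv, public_port
        return None


def demo():
    """Walk through the cases described in the chapter; returns the results for checking."""
    nat = NatDevice(static={"10.0.0.1": "203.0.113.10"},
                    pool=["203.0.113.11"], pat_address="203.0.113.12", udp_idle=30)
    web = nat.translate("10.0.0.1", 80)                     # static: always the same public IP
    pc_a = nat.translate("10.0.0.2", 40000)                 # dynamic: leases the only pool address
    pc_b = nat.translate("10.0.0.3", 40001)                 # pool exhausted: falls back to PAT
    pc_c = nat.translate("10.0.0.4", 40001)                 # same inside port, new outside port
    dns1 = nat.translate("10.0.0.5", 5353, "udp", now=0)
    dns2 = nat.translate("10.0.0.5", 5353, "udp", now=100)  # idle > 30 s: a fresh mapping
    return web, pc_a, pc_b, pc_c, dns1, dns2, nat
```

Two things in `demo()` are worth noticing. The second UDP packet from 10.0.0.5 gets a new outside port because the device could only guess, from idle time, that the first conversation had ended; and `correlate()` is the lookup an analyst has to do by hand when an outside server's log shows only 203.0.113.12 and a port. Dynamic leases are never released here; a real device ages them out as well.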

The following section looks at how security can be further deepened through tools and technologies that look deeper into a TCP packet.

Proxies and Application-Level Protection

Stateful packet inspection firewalls are enhanced versions of basic firewalls that just do packet filtering. The devices discussed here provide additional enhancements by analyzing the packets at the application layer. As you can see, we started with simple packet filters, added more advanced stateful packet inspection, and now we look even deeper into the packet at the application data contained within the packet.

You can use several types or technologies to provide application layer protection, and they are known by many different names. Although each technology operates slightly differently, their goal is the same: to increase the security of your network.

Application-level firewalls provide the most secure type of data connections because they can examine every layer in the TCP/IP model of the communication process. To achieve this level of protection, these firewalls—also known as proxies—actually mediate and control connections by intercepting and inspecting every connection. If the proxy determines that the connection is allowed, it opens a second connection to the server from itself on behalf of the original host, as shown in Figure 5-8. This sort of functionality is commonly seen when users surf the Internet; their computers talk to a proxy that, in turn, talks to servers on the Internet on their behalf.

[Figure 5-8 Placement and Packet Flow of a Proxy: user PCs and servers on the LAN switch talk to the proxy servers, which in turn open the second connection through the firewall and router to the Internet.]


The data portion of each packet must be stripped off, examined, rebuilt, and sent again on the second connection. As shown in the list and in the following sections, different types of firewalls can be used to accomplish this:

■ Standard proxy firewalls: A proxy firewall does not route packets; it simply forwards them, and it operates at the application layer of the TCP/IP model. Functionally, a proxy firewall receives packets from one interface, inspects the packets according to the defined rule set (perhaps access to porn is blocked), and passes the packets out to the firewall if the request is permitted (checking the weather). A connection is never made from the outside to the inside by PCs; as far as the PCs inside the firewall know, all their information comes from the proxy firewall.

■ Dynamic proxy firewalls: Originally developed from the concepts described for standard proxy firewalls, a dynamic proxy firewall was designed to take the benefits of standard proxies and add the benefits of packet filtering. A dynamic proxy firewall performs a complete inspection of the packet; when a connection is first made and, after it is approved, the faster and weaker packet filtering mechanism handles all additional packets. To summarize, connections are first inspected at the application layer and then at the network layer.

Because these proxy firewalls have full visibility into the application layer of the TCP/IP model, they can look for more specific pieces of data than any other type of technology discussed thus far. For example, they can tell the difference between an email and Java data contained within a packet, as shown in Figure 5-9.

As the packet is inspected upon being received by the proxy server in Figure 5-9, all aspects of the TCP/IP header information are removed from the actual data and just the data is inspected. The information gathered by this inspection would then be compared against the proxy server rules, and the packet would then either be denied or permitted based on this comparison. If the packet were deemed as something that should be permitted, the proxy firewall stores the connection information from the headers, rewrites the headers, and retransmits the packet accordingly. If the packet were denied, it would be thrown in the bit bucket. Often, the proxy gives users a web page stating why the website they were trying to go to is not allowed; for example, a reference to the Acceptable Usage Policy (AUP).

[Figure 5-9 Proxy Packet Inspection: the five-layer stack (5 Application, 4 TCP/UDP, 3 Internet Protocol (IP), 2 Data Link, 1 Physical); incoming traffic is filtered at the application layer based on specified application rules (WWW), with disallowed traffic dropped and allowed traffic passed on as outgoing traffic.]

Note Have you ever heard the phrase bit bucket? It is a lighthearted way of saying trash or garbage can. When saying that a packet is thrown in the bit bucket, this actually means that the router, firewall, or proxy has chosen to discard the packet; because all data is ultimately only bits (1s and 0s), this is proof that nerds have a sense of humor.

Limitations of Proxies

Hopefully by now you have realized that implementing any technology and especially security has limitations or drawbacks that you must consider. The folks that sell and market these devices would be thrilled if you believe that their new security gizmo is perfect for solving all your problems. Reality is frequently not the rosy picture they would like you to believe, and proxy firewalls are no different. Following are some of the limitations of proxy firewalls:

■ Reduced performance: This thorough examination and handling of packets means that proxy firewalls are more secure but generally slower than normal packet processing. The reduced performance results from subjecting essentially every part of every packet to this level of inspection.

■ Not always current: As new protocols and applications are developed, proxy servers must be expanded to recognize what is acceptable. This expansion means that, to stay current, new software must be developed and tested; this takes time and results in a security device that might not always be current.

From a security standpoint, the most secure firewall is a standard proxy firewall that inspects all traffic on an application layer. However, that is not always the most practical solution in many of today’s networks. Careful planning and understanding of the required network security and the traffic therein is important for developing a strong security solution. For example, a landscaping company has different security needs than a company that builds electronic components for the military. You should be aware of your application-level traffic through baselines and apply only the necessary security controls applicable to your baselined traffic until things evolve.

Of the two types of firewalls discussed—stateful and proxy—it is crucial that you use at least one of them as part of your layered approach to network security and defense in depth. Add to them the presence of packet filtering on your edge router and a firewall device that also uses NAT, and you will have developed the beginning of a layered defense. The following section examines how you can also use content filters to protect your network and its users.

Content Filters

Content filtering is a subject so vast that its implications and possible solutions have spawned entire businesses dedicated to providing the right solution for you, regardless of whether you are a home user or a large business. Everyone seems to be faced with the need to filter some sort of content at every aspect of how they connect. Consider some of the challenges that have recently emerged in politics and the media:

■ Public libraries and pornography: For some reason, there is a group of people who think people have the right to surf pornography on computers that tax dollars pay for. Making this issue worse is that they do this in the middle of libraries—the same place where children go to read. Content filters could be used in libraries to disallow access to this type of content. Businesses also use content filters to block users’ attempts to reach such sites on the Internet.

Unfortunately, the problem is not only about pornographic websites—there are also those sites dedicated to drug use, criminal activity, terrorism, violence, threats to the safety of children, and hate speech.

■ Spam: If you have email, you have spam—of that there can be no doubt. All types of businesses are fighting back against spam, and it has always been a fight to detect and stop spam. Every time a solution is discovered, spammers get more creative and do something different. For example, many people spell out their email addresses now— tom dot thomas at netcerts dot com—in hopes of fooling the programs that search for email addresses. It might for a little while, but it will not last long. In the arena of spam prevention, content filters can identify those annoying ads for low mortgage rates. They are so silly; who would want to get a mortgage with a company that had to spam to get your business? Trust me, you have not lost money in Nigeria either that was found by some mysterious individual who is emailing you; if any of these things were true, you would not be contacted via email. But you knew this; if only the gullible people who didn’t would buy this book!

■ Viruses and Trojan horses (malicious code): Many of the ways viruses are spread follow the growth patterns of the Internet. Virtually everyone who connects to the Internet has email—thus sending a malicious attachment in an email has become commonplace. Content filters would examine the content of such attachments and filter them before any damage was done.

■ Malicious web pages: Attackers can now code into web pages ways to learn more about you when you visit those pages, and they can do this in many ways. Content filters would examine the actual HTML code that makes the website and filter it as needed. This happens more frequently than you imagine, even when users did nothing wrong and went nowhere they shouldn’t: a normal website can be hacked and bogus content put in place, with the end result that every visitor gets infected.


■ Increased organization success: You might wonder how content filtering can increase a corporation’s overall success. Companies and government agencies can face significant risk because of their employees’ behavior. Consider the implications to any organization if an employee were to access offensive or illegal material via that organization’s network. For example, employees visiting websites with offensive content can create a hostile work environment and negatively affect morale or productivity, which might lead to potentially costly legal fees and the resulting bad press. Do you recall the concept of downstream liability discussed in Chapter 1, “There Be Hackers Here”? If an employee were to access child pornography, the organization could be held liable, have assets (the network) seized, and suffer additional negative publicity.

Internet access has become critical to businesses, and the rewards to many organizations can be high. However, issues arise where employees have unmanaged access to the Internet, as just discussed. None of the technologies discussed thus far address the potential security risks just listed. You might be correctly thinking that not all these risks are applicable to your organization, and that might be true. The goal of this chapter is to discuss the technology surrounding content filtering, which could clearly be applied to many different problems, depending on your need. Benefits of content filtering include the following:

■ Reduce the legal liability by not letting your organization’s resources be used in a compromising manner or through the inadvertent disclosure of confidential information.

■ Optimize employee productivity; who wants to pay people’s salaries while they are surfing the Internet for pleasure?

■ Improve reporting on employee Internet usage. This is critical because you might feel protected or safe. There is no way to know for sure unless you also watch what hap- pens on your network.

■ Enforce company Internet access policies that would be documented in the Acceptable Use Security Policy, as discussed in Chapter 2:

■ Disallow the accessing of illegal or offensive material.

■ Prevent the downloading of unauthorized software.

■ Sorry, no holiday shopping during work hours.

You can filter the content of packets in a variety of ways as they flow through your network. Entire companies and many products provide every type of filtering service for you, from spam to content. To do them justice by explaining them all is beyond the scope of this chapter. There are some common fundamental similarities, regardless of the product selected.


Note Your organization’s Acceptable Use Policy should inform employees about what is expected from them as users of corporate resources, and the content monitoring or filtering monitors and reports on compliance.

The key to content filtering solutions is the ability to monitor and filter content from the Internet, chat rooms, instant messaging, email, email attachments, Word, PowerPoint, PDFs, and from web browsers. There are several ways to filter traffic, which can be classified into two main categories:

■ Client-based filtering: This filtering solution involves loading software onto individual PCs that check content and filter it according to a defined set of rules. In the case of home users, this is the most common type of solution and usually comes in the form of a subscription to a server that contains updates.

■ Server-based filtering: In this filtering solution, individual client PCs do not require specialized software to be loaded because everything is loaded and controlled by a server that the client PCs in turn access. This type of filtering is commonly used for email spam and virus detection; all email comes into a central server, which is the most logical place to filter it.

For content filtering, a device such as a proxy server, content engine, or WAN optimization device forces all web traffic through it so that user requests to view web pages can be inspected to determine whether each request should be permitted or denied. Content filtering is accomplished using a library or database of terminology, words, and phrases as the set of rules defining what is not allowed.

In many cases, requests are handled separately from the replies; for example, some attempts to access a website can be classified via the database or library as soon as the client makes the request (such as www.showmeporno.com), whereas other requests require the filtering device to analyze the content of the returned web page before making a filtering decision.

This approach to filtering web browsing is very similar to how spam and virus filtering is accomplished. Ultimately, a database contains ways of identifying what should be filtered and what should not. As traffic enters the network, it is verified against this database. For example, many products and tools can be used at the server level to identify and stop spam. Nothing is ever 100 percent accurate, so many email clients also have some sort of built-in way for users to further identify spam email.


Limitations of Content Filtering

Content filtering can play a large role in protecting your network and ensuring the proper use of network resources. However, it does have some disadvantages that, if you are aware of them, allow for the filtering to operate better:

■ An estimated 3 to 5 million websites are introduced to the Internet as new or renamed every week. This makes the tracking of good or bad sites extremely difficult to do and requires dedicated service to ensure that your filters are always up to date.

■ Content is always changing; in addition to new websites, new ways to spam, new viruses, and other threats make it difficult to keep on top of the changes.

■ Nothing is perfect, so you can expect to see false positives to a certain degree. Therefore, retaining some sort of control of the system is important, and blind reliance on outside classifications is probably not a good idea—for example, www.msexchange.com being seen by content or URL filters as “m sexchange” rather than “ms exchange.”

■ In the higher education environment, a balance between security and academic freedom must often be struck. The RIAA also comes into play here from a compliance-related perspective on downloading and sharing protected music through open programs riddled with security threats.
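The term-database matching described in the previous section, and the www.msexchange.com false positive noted in the list above, can both be seen in a few lines of code. The following Python is an added example, not code from the book or from any filtering product; the term list, the host block list, and the local allow list it uses are constructed.

```python
"""Added example (not the book's code): the term-database part of a content filter.

It shows two ways to check a URL or page text against a database of
disallowed terms.  The naive substring matcher reproduces the false positive
the chapter mentions (www.msexchange.com read as "m sexchange"); the
whole-token matcher avoids it but, on its own, would miss a host like
www.showmeporno.com, so the final decision combines a local allow list, a
host block list, and a threshold on page-content hits.  All lists are
constructed.
"""
import re
from urllib.parse import urlsplit

DISALLOWED_TERMS = {"sex", "porno", "warez"}     # constructed term database
BLOCKED_HOSTS = {"www.showmeporno.com"}          # constructed host classifications
LOCAL_ALLOW = {"www.msexchange.com"}             # your own override of outside classifications


def naive_match(text: str):
    """Substring match: fires on 'msexchange' because it contains 'sex'."""
    low = text.lower()
    return sorted(t for t in DISALLOWED_TERMS if t in low)


def tokenize(text: str):
    """Split on anything that is not a letter or digit, so 'msexchange' stays one token."""
    return re.findall(r"[a-z0-9]+", text.lower())


def token_match(text: str):
    """Whole-token match: no hit on 'msexchange', but also none on 'showmeporno'."""
    return sorted(DISALLOWED_TERMS.intersection(tokenize(text)))


def classify(url: str, page_text: str = "", threshold: int = 2) -> str:
    """Decide allow/block for a request: host first, then the fetched page content."""
    host = (urlsplit(url).hostname or "").lower()
    if host in LOCAL_ALLOW:
        return "allow"                 # local knowledge overrides the outside database
    if host in BLOCKED_HOSTS:
        return "block"                 # classified at request time, before any content is fetched
    hits = [tok for tok in tokenize(page_text) if tok in DISALLOWED_TERMS]
    # One hit (a medical page mentioning 'sex') is not enough; require repeated hits.
    return "block" if len(hits) >= threshold else "allow"
```

The allow list is the "retain some control of the system" advice from the list above in code form: the outside classification is consulted, but your own decisions win. The threshold is a tunable, and every false positive you see in practice should move either the allow list or the threshold rather than be accepted as the cost of filtering.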

Content filtering is probably in use in your network in some form or another. The extent of its implementation varies widely depending on the size and sensitivity of your business. The following section looks at ways to completely secure your network: PKI.

Public Key Infrastructure

Have you ever bought anything online or otherwise engaged in some sort of electronic commerce on the Internet? Most likely, you saw the little lock in the corner of your browser window that told you that this was a secure transaction. With what you have learned so far in this book, do you honestly believe that?

The little key or lock in your browser means that you are on a website (server) that uses a Secure Socket Layer (SSL) certificate, so you can rest assured that they are who they say they are. Go ahead—buy and enter your credit card number!

Note The little lock means that an SSL connection has been engaged. Anyone can cause a secure connection to take place, so be careful even when you see a little lock.

Have you ever noticed that, while you are conducting e-commerce, the http://.... changes to https://...? The presence of the “s” means that you are using HTTP over SSL to communicate back and forth.


Ultimately, what is actually occurring is that your web browser is taking in the SSL certificate, contacting whoever certified it to ensure its validity, and then proceeding to communicate in a secure mode with the server so that you can complete your transaction in complete security. Do you still believe that this is a good system?

Did I mention that this SSL certificate session is 40 bits in length? Certain aspects of the certificate that reside on the server are 1024 bits. Compare this 40-bit length to an IP address, which is 32 bits in length or 3DES encryption at 128 bits. You should never feel 100 percent secure when conducting e-commerce at this stage in the Internet’s evolution because the security is not there yet. As the use of e-commerce continues to rise, the level of fraud is increasing even more. This includes forging certificates that may use valid certificates from the “lock” perspective that encourages man-in-the-middle attacks. This trend is taking a toll on the growth and confidence in e-commerce and online transactions of all kinds. Of course, none of this is ever talked about in polite sales and marketing circles. Not to fret—an advance in securing e-commerce is coming in the form of PKI.

Public Key Infrastructure (PKI) is an evolving technology that will eventually become standard. The goal of PKI is to provide a foundation for a system that supports a variety of security services, such as data integrity, data confidentiality, and nonrepudiation; thus preventing destruction, alteration, and disclosure. PKI can provide this through a combination of hardware, software, procedures, and policies so that users can communicate and exchange information securely, regardless of location.

This system involves the verification and authentication of each side of a transaction over a network. Consider for a moment the impact that online credit-card fraud has on people and businesses. At this time, everyone is losing when fraud occurs—the people because they had their credit card or identity stolen, and the businesses because they are trying to provide a service while remaining profitable.

PKI provides for authentication through the use of advanced digital certificates and certification authorities and subordinate certification authorities to verify and authenticate the validity of each side of a transaction. This transaction could be something as sensitive as an online Internet purchase or as straightforward as exchanging sensitive information via email. PKI is going to be the next step in the evolution and enablement of secure communication and e-commerce.

You can find additional PKI resources online at the following locations:

www.pki-page.org/

www.pkiforum.org/

PKI’s Limitations

In researching PKI, I began to think this was a great next step in security—even more so when my identity was stolen—see, no one is safe or perfect! Of course, I did the right thing and called the police; I was amazed at the lack of concern shown by our law-enforcement agencies. The ease with which people dismissed the crime was amazing, not to mention that businesses felt it was just a risk whose loss they had to absorb. Trust me, preventing loss is where you should spend your time! Certainly then, PKI would be a good step; however, there are some serious challenges in its future:

■ E-commerce is working and flourishing on the Internet, regardless of the occasional risks involved.

■ Serious laws in states like Utah and Washington are on the books, saying that if someone were to crack your key or illegally use it, you are still responsible for the debt they created. Having seen the bills created by the theft of my wife’s identity, this is extremely worrisome to me if I am ever forced to use PKI!

■ Security is today, and it is likely to continue to be under PKI, the responsibility of the certificate holder. Thus, you must trust that they have taken all the necessary precautions without exposing new vulnerabilities. PKI is coming; however, there are still some questions in my mind about it.

■ PKI does not support a single login infrastructure (single sign on), so users will need to log in and authenticate multiple times to access different resources; this is a recipe for disaster. Users will find ways to “simplify” (that is, defeat) the security PKI provides, and mistakes will happen.

So, is a technology such as PKI good or bad? That is difficult to say because PKI is not mature enough to be fully vetted. However, PKI does provide for increased security that could help in many areas. The verdict on PKI is still up in the air and is subject to the whims of the PKI vendors and how they listen and evolve their products. Of course, organizations then have to choose to spend money on PKI to correctly implement it; PKI’s adoption will take some time. The following section looks at some methods currently available for authenticating access to the network.

Reputation-Based Security

Internet users are under attack, and an increasingly common characteristic of malware is the presence of a URL that a user must visit as part of the attack. Organized criminals methodically and invisibly exploit vulnerabilities in websites and browsers to infect computers, stealing valuable information (login credentials, credit card numbers, and intellectual property), and turning both corporate and consumer networks into unwilling participants in propagating spam and malware. Simply allowing a user to visit their favorite website, or clicking a link from their top ten search results, is all it takes for the malware infection process to unknowingly begin.

For most malware creators, recognition for creating a clever piece of malware is no longer the point. With a thriving, maturing malware economy in place, it’s more valuable to create malicious code that generates revenues for online criminal networks—for example, through click-fraud, massive spam campaigns, or identity and data theft.

To be successful, the malware must be both easy to distribute to as many victims as possible and difficult to detect. That makes the Internet an attractive malware delivery mechanism. Originally, malware was delivered directly through email, but the visibility of large attachments and the store-and-forward nature of email made it relatively simple to stop. The near-real-time nature of Internet websites, with threats hidden directly in the content, makes malware exponentially more difficult to stop.

The growing significance of the Web as a threat delivery mechanism is shown by the fact that more than 80 percent of spam messages include URLs, which can direct a user to a web server where malware is located. That percentage is even higher for malicious emails, such as phishing campaigns. These URLs are intended to lure readers to websites that engage them in questionable transactions or download malware onto their computers.

Typically, both the spam messages and the malicious websites the messages refer to use a combination of social engineering and software vulnerabilities to compromise users. Malicious websites, specifically created to distribute malware, are not the only sites compromising users. Hackers are now frequently distributing malware through legitimate websites that have been compromised, taking advantage of security flaws in web applications.

More often, malware writers are targeting legitimate, trusted websites as the starting point for malware distribution. Both BusinessWeek.com and MSNBCsports.com had portions of their websites used for distributing malware. Although no threat is present on these websites today, users became infected simply by visiting trusted sites. Knowing these websites are trusted by millions of users makes them easy targets for malware writers.

As Figure 5-10 shows, the attacker’s traffic mixes with that of trusted visitors. If the attackers gain control of the site, they often insert attacks aimed at those trusted users.

Figure 5-10 Criminals Compromise Legitimate Websites to Infect Unsuspecting Users (figure: visitors sending HTTP GET / requests to www.ihaveagoodreputation.com, www.ihaveabaddreputation.com, and www.ihaveaneutralreputation.com, with a malicious host serving content behind the trusted www.ihaveagoodreputation.com)

Reactive Filtering Can’t Keep Up

Traditional methods of protection are usually not fast, accurate, or comprehensive enough to assess and protect users from these new, dynamic web-based threats, which are growing in record numbers.

IP blacklists and URL-filtering solutions typically cover only a small percentage of all URLs and IP addresses—and only the known bad ones. They are also normally binary, offering only “block/malicious” or “allow/safe” options for the URLs and IP addresses they do cover, instead of providing detailed, granular information about any possibly suspicious URL, IP address, or object—even those that haven’t been known offenders before.

Even with security categories enabled, these URL-filtering solutions can’t help when a legitimate, normally trustworthy website has been turned into a redirection hub for malware distribution. The website’s URL is trusted and not on any blacklist. Consequently, acceptable-use policies designed to protect a network by preventing access to certain sites can’t prevent users from getting infected on acceptable websites. Because traditional URL-filtering technologies are concerned only with the initial domain request, they don’t examine the additional objects needed to load the web page correctly or their origins, and thus don’t observe the malicious redirection. When a web page has an average of 150 objects, traditional URL-filtering technologies simply can’t keep up. This was the case on September 13, 2009, for visitors to NYTimes.com, a trusted source often categorized by URL filtering lists as “news.” A seemingly legitimate advertisement (inserted via a single object on the site—when there are so many objects linked to each web page) began presenting a pop-up, alerting visitors that a virus had infected their system. Victims were then redirected to a malware site that offered legitimate-looking antivirus software, which was actually a malicious Trojan.

The sophistication, innovation, rapid pace, and dynamic nature of these attacks often render traditional defenses useless. URL filtering and IP blacklisting are reactive and cannot adequately assess new or previously uncompromised sites in a timely fashion, whereas signature-based scanning solutions have trouble keeping up with the constant mutation of malware. Protecting users from today’s web-based threats requires a layered, holistic, and integrated approach that uses multiple advanced methodologies to assess each threat and type of network traffic. The solution to this new threat asks a simple but powerful question:

“What is the reputation of this URL?”

When assessing the trustworthiness of a URL, a great deal can be determined by analyzing data that is hard to forge, such as how long the domain has been registered, in what country the website is hosted, whether the domain is owned by a Fortune 500 company, whether the web server is using a dynamic IP address, and more.

For example, phishing site creators can spoof the content of their websites to perfectly replicate legitimate banking and e-commerce sites. Phishing sites cannot, however, spoof the URL on which they are located. The reputation of the URL assigns a reliability score to the vast majority of URLs and can therefore protect users. Analyzing data, even the most difficult to manipulate elements, can reveal much about the trustworthiness of a URL. Data analysis can determine how long a domain has been registered, whether it was registered by machine or manually, who owns it, whether it is associated with an IP address that has previously been associated with a web-based threat, whether the IP address is dynamic or static, what country the website is hosted in, and more. By gathering this information and assigning a score to each category, an overall score is calculated when a user attempts to access a URL, and access is either permitted or denied. As shown in Figure 5-11, sophisticated algorithms analyze and correlate threats with more than 200 different web traffic- and network-related parameters (Cisco products only) to accurately evaluate a web object’s malware risk. Using this data, a dynamic score ranging from +10 to –10 is generated for web reputation. The same technology in senderbase.org, now sensorbase, has been adapted to intrusion prevention system (IPS) technologies, but the scoring assumes the attack is malicious and is –1 to –10 as an additional anomaly detection over and above traditional methods.

Cisco Web Reputation Solution

Cisco Web Reputation Filters are the world’s premier reputation system, in part because of the Cisco acquisition of Ironport. Powered by the Cisco Security Intelligence Operations and the Sensor Base network, Cisco Web Reputation Filters have visibility into more than 100,000 global networks—including Cisco IPS, with more than 30 percent of the world’s email and real-time traffic insights from customer participation. Cisco built the Sensor Base reputation database from more than 800,000 sensors deployed by customers globally. Each sensor now has the capability to anonymously contribute what it is detecting directly to Cisco Sensor Base.

Figure 5-11 URL Reputation Examples (figure: a reputation axis from –10 through –5, 0, and +5 to +10, with the default policies Block, Scan, and Allow applied along it; example categories from worst to best are dedicated or hijacked sites persistently distributing keyloggers, rootkits, and other malware (almost guaranteed malicious); phishing sites, bots, and drive-by installers (extremely likely to be malicious); aggressive ad syndication and user tracking networks; sites suspected to be malicious but not confirmed; sites with some history of responsible behavior or third-party validation; well managed, responsible content syndication networks and user-generated content; and sites with a long history of responsible behavior that have significant volume and are widely accessed)

Unlike traditional URL-filtering solutions, Cisco Web Reputation Filters examine every request made by the browser. Instead of just looking at the initial HTML request, they also analyze all subsequent data requests, considering each element on a web page and its origins—including live data (such as JavaScript, ads, and widgets), which might be fed from different domains. This enables Cisco Web Reputation Filters to give users a much more precise and accurate assessment and block web content in a far more fine-grained way than URL-filtering and IP-blacklisting solutions.
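The following Python script is an added illustration, not code from the book or Cisco’s algorithm, of the two ideas just described: hard-to-forge host facts are combined into a score clamped to –10..+10 that selects a Block/Scan/Allow policy, and every object a page loads is scored, not just the initial request, so a trusted page that embeds one object from a bad host is caught. The weights, policy cut-offs, and host records are constructed assumptions; the hostnames come from Figure 5-10.

```python
"""Toy web-reputation scorer (added illustration, not Cisco's code).

Hard-to-forge facts about a URL's host each add to or subtract from a score
clamped to -10..+10; the score selects a default policy (Block / Scan / Allow);
and every object a page pulls in is scored, not only the initial request.
All weights, thresholds, and host records below are constructed assumptions.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed policy bands on the -10..+10 axis (real cut-offs are configurable).
BLOCK_AT_OR_BELOW = -6.0
ALLOW_AT_OR_ABOVE = 3.0


@dataclass(frozen=True)
class HostFacts:
    """Attributes that are hard for an attacker to forge about a host."""
    domain_age_days: int
    dynamic_ip: bool             # web server sits on a dynamic IP address
    ip_seen_in_threats: bool     # IP previously associated with a web-based threat
    machine_registered: bool     # domain registered by a script, not manually
    fortune_500_owner: bool
    third_party_validated: bool  # some history of responsible behavior


def score_host(facts: HostFacts) -> float:
    """Combine the facts into a reputation score between -10 and +10."""
    score = 0.0
    # Hypothetical weights: negative evidence weighs more than positive evidence,
    # so one confirmed bad signal outweighs several weak good ones.
    if facts.domain_age_days < 30:
        score -= 4.0
    elif facts.domain_age_days > 3 * 365:
        score += 3.0
    if facts.dynamic_ip:
        score -= 3.0
    if facts.ip_seen_in_threats:
        score -= 5.0
    if facts.machine_registered:
        score -= 2.0
    if facts.fortune_500_owner:
        score += 4.0
    if facts.third_party_validated:
        score += 2.0
    return max(-10.0, min(10.0, score))


def policy_for(score: float) -> str:
    """Map a score onto the default policy bands of Figure 5-11."""
    if score <= BLOCK_AT_OR_BELOW:
        return "block"
    if score >= ALLOW_AT_OR_ABOVE:
        return "allow"
    return "scan"


def assess_page(page_url: str, object_urls: list[str],
                facts_db: dict[str, HostFacts]) -> tuple[str, dict[str, float]]:
    """Score the page and every object it loads; the worst score decides.

    Unknown hosts get a neutral 0, which lands in the Scan band rather than
    being silently allowed.
    """
    scores: dict[str, float] = {}
    for url in [page_url, *object_urls]:
        host = urlparse(url).hostname or ""
        facts = facts_db.get(host)
        scores[host] = score_host(facts) if facts else 0.0
    return policy_for(min(scores.values())), scores


# Constructed sample host records, using the hostnames from Figure 5-10.
FACTS_DB = {
    "www.ihaveagoodreputation.com": HostFacts(4000, False, False, False, True, True),
    "www.ihaveaneutralreputation.com": HostFacts(200, False, False, False, False, False),
    "www.ihaveabaddreputation.com": HostFacts(5, True, True, True, False, False),
}


def trusted_page_with_bad_ad() -> tuple[str, dict[str, float]]:
    """A trusted site whose page embeds one ad object served from a bad host."""
    return assess_page(
        "https://www.ihaveagoodreputation.com/news",
        [
            "https://www.ihaveagoodreputation.com/app.js",
            "https://www.ihaveaneutralreputation.com/widget.js",
            "https://www.ihaveabaddreputation.com/ad.js",  # the redirection hub
        ],
        FACTS_DB,
    )


if __name__ == "__main__":
    verdict, per_host = trusted_page_with_bad_ad()
    for host, s in per_host.items():
        print(f"{host:36} {s:+5.1f} {policy_for(s)}")
    print("page verdict:", verdict)
```

Scoring the initial request alone would return "allow" here; it is the per-object pass that turns the verdict into "block".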

AAA Technologies

Today, we live in a world in which almost everything must be protected from misuse and nothing is free. It does not matter whether you are a system administrator, manager, student, or a network engineer. If you access services via a network, you always need three things:

■ Authentication

■ Authorization

■ Accounting

These components are collectively known as AAA (commonly referred to as triple A). As discussed in the following sections, each of these components plays an important role.

Authentication

Authentication ensures that the network’s users are who they claim to be. This is important because you do not want these people accessing the network if they are not supposed to. Usually a shared secret or a trusted third-party software application provides authentication.

Authentication enables the network administrators to identify who can connect to a network device or the Internet by including the user’s username and password. Normally, when a user connects to a router remotely via Telnet, the user must supply only a password to gain access to the router. This is functional but not secure because, if the router is connected to the Internet, an attacker could try again and again to connect, and you might never know that this was occurring. All the attacker would need to do is guess a single password to access your router. How hard could that be when he has all the time in the world?

When someone logs on to one of your network devices and makes a change, how do you know who the person is and what she has done? With AAA authentication, whenever a user logs on, the user must enter a username and password pair (which the network administrator assigned). The following code snippet shows an example of a remote user accessing a Cisco router with AAA configured to request a username:

User Access Verification

Username: tom_thomas

Password: xxxxxxxx

MyNetworkDevice>


As shown in the preceding example, the user must enter a valid username and password to gain access to the router. Typically, a database that contains the valid usernames resides locally on the device or on a remote security server such as Cisco Access Control Server (ACS).

Authorization

After the user is authenticated, there must be a way to ensure that the user is authorized to do the things he requests. For example, if you are a normal user, you do not have the permissions to access all the files in a file system.

Authorization enables administrators to control the level of access users have after they successfully gain access to the router. Cisco IOS Software enables certain access levels (called privilege levels) that control which IOS commands the user can issue. For example, a user with a 0 privilege level cannot issue any IOS commands. A user with a privilege level of 15 can perform all valid IOS commands. The local or remote security server can grant access levels.

You can display your privilege level on a Cisco router with the show privilege command, as shown in the following command line:

MyNetworkDevice# show privilege

Current privilege level is 15

MyNetworkDevice#

Authorization can also dictate the types of protocol activity in which the user can engage, such as allowing a user to invoke only FTP, Telnet, SSH, or HTTP traffic. The higher the privilege, the more capabilities a user has with the IOS command set.

Accounting

Accounting occurs after the authentication and authorization steps have been completed. Accounting enables administrators to collect information about users and the actions that they take when connected to network devices. The information gathered through accounting can provide network forensic evidence of tampering or hacking because you have a road map of the user’s times/dates and activities. Specifically, administrators can track which user logged in to which router or switch, which IOS commands a user issued, and how many bytes were transferred during a user’s session. For example, accounting enables administrators to monitor the routers that have had their configurations changed. A router or a remote security server can collect accounting information.

Note If you use wireless in an airport, for example, to access the Internet, you use a form of AAA when you authenticate and receive authorization into the service provider’s network. Accounting is the process in which the network service provider collects network usage information for billing relating to how long you were connected, capacity planning, and other purposes. This is important for the service provider—there is no such thing as a free lunch.

After AAA is configured, you can use external security servers to run external security protocols—such as RADIUS or TACACS—that will stop unauthorized access to your network. Both RADIUS and TACACS can be implemented on Cisco network devices and are reviewed in the upcoming sections.

Note You must use AAA if you intend to use RADIUS or TACACS security server protocols. As AAA collects the information, it sends it to the security servers to determine each of the characteristics associated with AAA.

Remote Authentication Dial-In User Service (RADIUS)

RADIUS is a client/server-based system that secures a Cisco network against intruders. RADIUS is a protocol implemented in Cisco IOS Software that sends authentication requests to a RADIUS server. A RADIUS server is a device that has the RADIUS daemon or application installed. RADIUS must be used with AAA to enable the authentication, authorization, and accounting of remote users. When a RADIUS server authenticates a user, the following events occur:

1. The remote user is prompted for a username and password.

2. The username and password are encrypted and sent across the data network.

3. The RADIUS server accepts or rejects a username and password pair. In some instances, a user might be asked to enter more information. (This is called a challenge response.) For example, if a user’s password has expired, a RADIUS server prompts the user for a new password.

Note Traffic between the Network Access Server (NAS) and RADIUS is not encrypted— as opposed to TACACS, which does encrypt authentication message traffic.

Note A RADIUS server is usually software that runs on various platforms, including Microsoft NT servers or a UNIX host. RADIUS can authenticate router users, authenticate vendors, and even validate IP routes.

The following steps are required to enable RADIUS on a Cisco router:

Step 1. Use the aaa new-model command. AAA must be used with RADIUS.

Step 2. Specify the RADIUS server with the radius-server host command, as shown in Example 5-3.


Step 3. Specify the password used between the router and the RADIUS server.

Note Of course, you must also ensure that you have entered users and passwords into the RADIUS server before activating RADIUS.

Example 5-3 displays the required configuration for a Cisco router to authenticate users from the RADIUS server with the host address 10.99.34.50.

Example 5-3 RADIUS Configuration

radius-server host 10.99.34.50
radius-server key <password>

Let’s move on to TACACS, which is an alternative protocol to RADIUS that also works with AAA.

Terminal Access Controller Access Control System (TACACS)

Cisco IOS supports three versions of TACACS: TACACS, extended TACACS, and TACACS+. All three methods authenticate users and deny access to users who do not have a valid username and password.

The first version of TACACS provides simple password verification and authentication. Accounting is limited in that only requests and denials are listed. Next, extended TACACS replaced the first version of TACACS. TACACS+, also referred to as TACACS plus, provides detailed accounting and must be used with AAA (in other words, the aaa new-model command must be enabled). TACACS+ (yes, the plus sign is important) supersedes the earlier releases of TACACS. In general, TACACS provides a centralized security system that validates users from any remote location. Typically, TACACS runs on a Windows Server or UNIX operating system. When a TACACS server authenticates a user, the following events occur:

1. The remote user is prompted for a username and password.

2. The username and password are sent across the data network and authenticated.

3. The TACACS server accepts or rejects the username and password pair. The user might be asked to enter additional information (called a challenge response).

For example, a challenge response might appear when an error occurs during authentication. TACACS+ requires AAA, but TACACS and extended TACACS do not use AAA.

The configuration tasks required to enable TACACS+ on a Cisco router are as follows:

Step 1. Use the aaa new-model command. AAA must be used with TACACS+.

Step 2. Specify the TACACS+ server with the tacacs-server host command.


Step 3. Specify the authentication key used between the router and the TACACS+ server.

Step 4. Because TACACS+ must be used with AAA, you must specify TACACS+ authentication, authorization, and accounting.

Example 5-4 displays the required configuration for a Cisco router to authenticate users from the TACACS+ server with the host address 10.99.34.50.

Example 5-4 TACACS Configuration

aaa new-model
aaa authentication enable default tacacs+
! Sets the router to use the TACACS+ server to authenticate the enable password
aaa authorization exec tacacs+
! Sets TACACS+ to authorize exec commands on the local router
aaa accounting exec start-stop tacacs+
! Accounting information is gathered for exec commands
tacacs-server host 10.99.34.50
tacacs-server key <password>

Example 5-4 is a basic TACACS+ configuration; you can set other configuration options to enable complex AAA commands.

Caution If you enable AAA on a router, you could get locked out if you are not careful. If you fat-finger any commands and exit out of your configuration, you might not be able to re-enter; make sure you are certain of your work before disconnecting.

TACACS+ Versus RADIUS

Comparing the two server protocols, RADIUS and TACACS+, shows that both require AAA to be enabled on a Cisco router (unless you use the older versions of TACACS+, namely TACACS and extended TACACS). RADIUS and TACACS+ both require a username and password pair to obtain access. The difference between the two protocols is in the protocol itself and the fact that TACACS+ is a centralized validation service, whereas RADIUS is based on client/server technologies.


Two-Factor Authentication/Multifactor Authentication

As we have shown when reviewing RADIUS and TACACS, they are a means to securely authenticate to access a secure device. Those authentication methods relied on the user knowing a secret codeword or password, typically things the user knows. Although they are efficient, they are single layers in the defense of your network; additional layers, for defense in depth, are provided by using two-factor authentication. Two-factor authentication is when there are two independent and separate methods of authentication that the user must pass to gain access. Usually one of the two methods is something the user has that must be applied as part of the authentication process. You might think that this is a new concept, but you have likely been engaging in two-factor authentication for quite a while without realizing it. Accessing an ATM or paying with a bank card is two-factor authentication: the first authentication is “having the card,” and the second authentication is “knowing the PIN.”

Perhaps you have access with a token card that is synced to generate a unique code that when applied together enables you to gain access to your company’s network via a VPN. Two-factor authentication is becoming more and more common these days; your kids are likely using it if they play the online game World of Warcraft. As shown in Figure 5-12, you gain access to the game by “knowing” your username/password and “having” your token to generate an authentication code.

Figure 5-12 Warcraft Authenticator Code Is Two-Factor Authentication


IEEE 802.1x: Network Access Control (NAC)

Organizations continue to embrace mobility for their users by expanding wireless LANs (WLAN) for PCs and a whole range of mobile devices. Wireless networks are attractive because they are much easier to deploy and use than wired networks and cheaper, making them a better solution in many offices. However, security is a big concern because the open nature of wireless LANs brings a whole slew of concerns about user and corporate data being pulled from the air. Also increasing is the concern for the security of wireless networks with all sorts of new threats emerging, as discussed, and the bleed to wired networks. Organizations require security mechanisms that ensure that when credentials are transmitted, they remain secure and enable organizations to ensure that users trying to connect are whom they claim to be.

Enter 802.1X, a standard for port-based network access control, developed by the Institute of Electrical and Electronics Engineers (IEEE). 802.1X was originally designed for use in wired networks but was adapted to address WLAN security concerns because of its robust, extensible security framework and powerful authentication and data privacy capabilities. The 802.1X standard also defines the encapsulation methodologies for the transport of EAP over PPP or Ethernet. The 802.1X standard delivers powerful authentication and security, enabling you to enforce port-based network access control when devices attempt to access the network. The 802.1X standard has three main components:

■ Supplicant: Software that resides on the user’s machine or device and is used to request access to a wired or wireless network

■ Authenticator: Devices, such as switches or wireless access points, that sit between the supplicant and the authentication server

■ Authentication server: A server that receives authentication messages which in turn takes the request and validates against a back-end data store such as Active Directory, eDirectory, or LDAP

802.1x has become popular in wireless and wired networks in large part because its operation is secure and straightforward. When attempting to access an 802.1X-enabled network, instead of the user or device simply being granted Layer 3 access, it is challenged for its identity. If the user’s device is not configured for use in an 802.1X-based network, that is, it does not have a running supplicant, it will be denied network access. If the user’s device is configured with an operational supplicant, it will respond to the challenge for its identity and start the 802.1X authentication process. The supplicant passes network credentials (user and/or device identification information) to the authenticator, which verifies the connection to the network and passes the identification information on to the authentication server to determine access. Figure 5-13 demonstrates how 802.1X would work in a wireless network.

Figure 5-13 802.1x Authentication Process Flow (figure: the supplicant passes its credentials securely over EAPoL to the authenticator, a wireless access point, which carries EAP in RADIUS to the authentication server, which validates the user credentials)

In a wired network, switches can use IEEE 802.1X to perform user authentication, rather than the types of device authentication performed by many of the other features described in this section. User authentication requires the user to supply a username and password, verified by a RADIUS server, before the switch can enable the switch port for normal user traffic. Requiring a username and password prevents the attacker from simply using someone else’s PC to attack the network without first breaking the 802.1X authentication username and password.

Cisco has a comprehensive identity management solution based on 802.1X called TrustSec. TrustSec is an integrated solution that uses Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources. These products include the following:

■ Cisco Catalyst family of switches

■ Wireless LAN access points and controllers

■ Cisco Secure ACS

■ Cisco Secure Services Client

Additional and optional components include X.509 public key infrastructure (PKI) certificate architecture. You can find detailed TrustSec information including configuration and deployment guidelines at www.cisco.com/go/trustsec.

Information on how the TrustSec and 802.1x solution is integrated into Cisco NAC is covered in the following section.

Network Admission Control

Network Admission Control (NAC) is a multipart solution that validates the security posture of an endpoint system before entering the network. With NAC, you can also define what resources the endpoint has access to, based on the results of its security posture. NAC is a key part of the Cisco Self-Defending Network Initiative (SDNI). The SDNI mission is to dramatically improve the capability of the network to identify, prevent, and adapt to threats.

NAC Appliance or Cisco Clean Access (CCA) enables an organization to enforce security policies by blocking, quarantining, and performing remediation of noncompliant systems. Remediation occurs at the discretion of the administrator. The policies and requirements enforced by the Cisco NAC Appliance include checks for latest antivirus software, operating system (OS) patches, and security patches. The Cisco NAC Appliance can also perform vulnerability scanning on the end-user machine in addition to role-based authentication on users attempting to connect to the network. The NAC Appliance solution can restrict what resources these users can access, based on their role. All these policies and configurations are done in the Clean Access Manager (CAM). The Cisco NAC Appliance has three major components:

■ Clean Access Server (CAS): Acts as a network control device

■ Clean Access Manager (CAM): Manages one or more servers

■ Clean Access Agent (optional): Serves as an endpoint lightweight client for device-based registry scans in unmanaged environments

Cisco TrustSec

The traditional network and physical perimeter is no longer the only border where information must be defended. Collaboration, IT consumerization, mobility, and new computing technologies are increasing productivity while presenting new security requirements. There is greater pressure on IT to meet the demands of a dynamic workforce—both in terms of service delivery and security challenges. New solutions are needed to protect borderless networks and to help further improve business efficiencies in the mean time. Cisco TrustSec is such a solution.

Solution Overview

Cisco TrustSec enables organizations to secure their networks and services through identity-based access control to anyone, anywhere, anytime. The solution also offers data integrity and confidentiality services, policy-based governance, and centralized monitoring, troubleshooting, and reporting services. TrustSec can be combined with personalized, professional service offerings to simplify solution deployment and management, and is a foundational security component to Cisco Borderless Networks.

The Cisco TrustSec solution offers the following benefits to customers:

■ Compliance support: Expands real-time access visibility and audit trails across an increasingly complex network to address mandated monitoring, auditing, and reporting requirements

■ Strengthened security: Extends security across the borderless network by enforcing consistent security policy, ensuring endpoint health, and delivering a secure network fabric

■ Increased efficiency: Reduces IT overhead through centralized identity services, integrated policy enforcement, a consistent user experience, and dynamic assignment of user and device access

The core Cisco TrustSec functional areas follow:

■ Identity-aware user and device access: Dynamically provides role-based access. Noncompliant devices can be quarantined, remediated, or denied access.


■ Guest user access and lifecycle management: Sponsored guests receive restricted access to specific resources (Internet, printers, and so on) through a customized web portal. Internal network access is blocked and activity is tracked and reported.

■ Nonuser device discovery: Nonuser devices (printers, cameras, phones, and so on) are centrally discovered. Access is provided based on policy, and device behavior is monitored and audited to prevent spoofing.

■ Data integrity and confidentiality: Data paths can be encrypted via MACsec, from the endpoint client to the network core, while allowing critical tools (firewalls, IPSs, content inspection, QoS, and so on) to retain visibility into data streams.

■ Monitoring, management, and troubleshooting: Centralized, policy-based corporate governance and compliance includes centralized monitoring and tracking of users and devices to maintain policy compliance. Provides sophisticated troubleshooting, detailed auditing, and historical and real-time reporting.

■ Professional services: TrustSec services provide policy review, analysis, and design expertise to prepare a network to deploy a TrustSec solution.

Figure 5-14 illustrates the mechanics of how Cisco TrustSec works.

Network users are authenticated with flexible authentication mechanisms to support different device types, operating systems, and access methods.

Figure 5-14 How Cisco TrustSec Works (figure: identity information such as group, posture, location, device type, and access type, plus other conditions such as time and date, feed the authorization step that controls access, with outcomes ranging from deny access and quarantine through guest/Internet and limited access to broad access; sample entries show a full-time employee in marketing on a wireline connection, an agentless security camera identified by MAC address, a guest on wireless, and a contractor on remote access)

Cisco Identity Services Engine

Traditional corporate network boundaries and siloed services are a thing of the past. Today’s networks must accommodate an ever-growing array of consumer IT devices while providing user-centric policy and enabling global collaboration. The Cisco TrustSec architecture addresses this shift by using identity-based access policies to tell you who and what is connecting to your network, allowing IT to enable appropriate services without sacrificing control.

The first release of ISE focuses on the pervasive service enablement of TrustSec for Borderless Networks. Cisco Identity Services Engine (ISE) delivers all the necessary services required by enterprise networks (AAA, profiling, posture, and guest management) in a single appliance platform. In the future, the same ISE platform can be used to propagate consistent service policies throughout the borderless network, from any endpoint to the video delivery optimization, branch service personalization, and data center server and service agility.

As part of the Cisco TrustSec solution and the Cisco SecureX architecture for Borderless Networks, the Cisco ISE provides a centralized policy engine for business-relevant policy definition and enforcement. ISE complements global contextual information offered by Cisco Security Intelligence Operations (SIO) with localized context awareness for effec- tive access policy enforcement.

■ Security: Secures your network by providing real-time visibility into and control over all users and devices on your network.

■ Compliance: Enables effective corporate governance by creating consistent policy across an infrastructure.

■ Efficiency: Helps increase IT and network staff productivity by automating traditionally labor-intensive tasks and streamlining service delivery.

■ Business-relevant policies: Enables centralized, coordinated policy creation and consistent policy enforcement across the entire corporate infrastructure, from head office to branch office.

■ Systemwide operational visibility: Discovers, assesses, and monitors users and endpoints and employs advanced troubleshooting capabilities to give IT teams complete visibility into who and what is on the corporate network.

■ Context-aware enforcement: Gathers information from users, devices, infrastructure, and network services to enable organizations to enforce context-based business policies across the network. Cisco ISE acts as the “single source of truth” for contextually rich identity attributes, including connection status, user and device identity, location, time, and endpoint health.

■ Flexible services architecture: Combines AAA, posture, profiling, and guest management capabilities into a single appliance platform. Cisco ISE can be deployed across the enterprise infrastructure, applying the appropriate services supporting 802.1x wired, wireless, and VPN networks. Figure 5-15 demonstrates these aspects of ISE.
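The context-aware authorization that Figure 5-14 depicts, as an added Python sketch that is not from the book and not Cisco ISE code: identity attributes (user, group) and other conditions (posture, time, location, device type, access type) are matched against an ordered policy whose first hit selects one of the figure's outcomes, and a session that matches nothing falls through to an implicit deny. The rules, the session rows, and the outcomes assigned to them are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import time

# Authorization outcomes named in Figure 5-14.
DENY, QUARANTINE, GUEST_INTERNET, LIMITED, BROAD = (
    "Deny Access", "Quarantine", "Guest/Internet", "Limited Access", "Broad Access")

@dataclass
class Session:  # context the policy engine sees for one connection attempt
    user: str
    group: str                   # Full-Time Employee, Contractor, Guest, ...
    device_type: str             # e.g. Laptop, Agentless Asset
    access_type: str             # Wireline, Wireless, Remote Access
    at: time                     # time of day of the request
    posture_ok: "bool | None" = None   # None: no agent, so posture is unknown
    location: str = "Campus"

# Ordered first-match policy (hypothetical): (name, predicate, outcome). Anything
# unmatched falls through to the implicit deny, just as with a packet filter.
POLICY = [
    ("non-compliant endpoint", lambda s: s.posture_ok is False, QUARANTINE),
    ("guest group", lambda s: s.group == "Guest", GUEST_INTERNET),
    ("agentless asset profiled by MAC",
     lambda s: s.posture_ok is None and s.device_type == "Agentless Asset", LIMITED),
    ("contractor remote access 08:00-18:00", lambda s: s.group == "Contractor"
     and s.access_type == "Remote Access" and time(8) <= s.at <= time(18), LIMITED),
    ("compliant employee on campus", lambda s: s.group == "Full-Time Employee"
     and s.posture_ok is True and s.location == "Campus", BROAD),
]

def authorize(session: Session, policy=POLICY) -> tuple[str, str]:
    """Return (outcome, matched rule name); no match means the implicit deny."""
    for name, matches, result in policy:
        if matches(session):
            return result, name
    return DENY, "implicit deny"

# Constructed sessions modelled on the rows of Figure 5-14, plus two failure cases.
EXAMPLES = [
    Session("Vicky Sanchez", "Full-Time Employee", "Laptop", "Wireline", time(15), True),
    Session("Security Camera", "Asset", "Agentless Asset", "Wireline", time(12)),
    Session("Frank Lee", "Guest", "Laptop", "Wireless", time(9)),
    Session("Francis Didier", "Contractor", "Laptop", "Remote Access", time(18), True),
    Session("Vicky Sanchez", "Full-Time Employee", "Laptop", "Wireline", time(15), False),
    Session("Francis Didier", "Contractor", "Laptop", "Remote Access", time(22), True),
]

def decide_all() -> list[tuple[str, str]]:
    return [(s.user, authorize(s)[0]) for s in EXAMPLES]
```

Note that a failed posture check sends even a full-time employee to Quarantine because that rule is evaluated first; rule order is part of the policy.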


Cisco ISE is part of an infrastructure-based Cisco TrustSec deployment that uses Cisco network devices to extend access enforcement throughout a network. Additional deployment components include the Cisco NAC Agent and Cisco AnyConnect (or an 802.1x supplicant) on the endpoint; Cisco Catalyst switches and Cisco wireless LAN controllers acting as policy enforcement points for the LAN; and Cisco Adaptive Security Appliances for secure remote access. Cisco ISE also integrates with directory services such as Microsoft Active Directory and Sun ONE Directory Server as policy information points.

Putting Cisco TrustSec and ISE together is a layered solution, as shown in Figure 5-16.

[Figure 5-15 ISE-Based TrustSec LAN Deployment. The figure shows users and endpoints (a network-attached device, guest users, and IP phones running the NAC Agent and AnyConnect 3.0 or an 802.1X supplicant) connecting over 802.1X to Cisco Catalyst switches and a WLC in the campus network; Cisco Catalyst and Cisco Nexus 7000 switches in front of the protected resources; and the Identity Services Engine appliance or virtual machine consulting a directory service.]

[Figure 5-16 ISE and TrustSec. The figure layers Cisco TrustSec Policy-Governed Networks on a Policy Enablement Platform (Cisco Identity Services Engine handling guests and unknown devices, with Full Policy Management) and Policy-Enabled Services (policy based on business objects, with Internet, Quarantine, and Initial Target outcomes), driving toward business-relevant policies, context awareness, and visibility and control.]


Chapter Summary

This chapter began with a discussion of the importance of a layered network security design. This layering of security provides a deeper level of protection for your network. You must avoid what I call “the orange syndrome,” as in the fruit, in which only a single layer of protection exists before you get to the good stuff. You do not want attackers to defeat a single security layer and get to the good stuff in your network.

This chapter looked at many technologies that you can use to provide a layered approach to security:

■ Packet filtering via ACLs

■ Stateful packet inspection

■ Network Address Translation

■ Proxies and application-level protection

■ Content filters

■ Public key infrastructure

■ AAA technologies

Separately, each of these technologies is just a single layer of protection, but combined, they provide you with several layers of protection and keep the good stuff safe.

Chapter Review Questions

The following questions assist in reinforcing the concepts covered in this chapter.

1. What are the six security design concepts you should consider when looking at the security technologies for securing your network?

2. What rule is always implicitly present at the end of every packet filter?

3. When a device performs stateful packet inspection, what characteristics in a packet’s header are inspected, and why are they important?

4. What are some limitations of stateful packet inspection?

5. Define the differences between public and private IP addresses.

6. Compare and contrast the three different versions of NAT, and identify which of them is the most commonly used.

7. What are the two types of proxy firewalls?

8. Why is content filtering so important to networking?

9. What is the potential value of PKI to securing a network and e-commerce?

10. AAA provides security for what aspect of a network?

11. Search the Internet and find three potential vendors that can offer an effective RADIUS solution. Describe what features about each are beneficial.