CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources] - text version

    SAFE Design Philosophy


    This chapter focuses on the design philosophy behind the SAFE blueprints. The heart of SAFE is the inclusion of security throughout the network and within the end systems themselves. To that end, the original SAFE Enterprise document defined several design objectives that together meet this criterion; those objectives are SAFE's design philosophy.

    The embodiment of this design philosophy can be summed up in the seven design objectives SAFE is based upon:

    • Security and attack mitigation based on policy

    • Security implementation throughout the infrastructure

    • Secure management and reporting

    • Authentication and authorization of users and administrators to critical network resources

    • Intrusion detection for critical resources and subnets

    • Support for emerging networked applications

    • Cost-effective deployment


    Each of these design objectives is described, in turn, in more depth in the sections that follow.

    Security and Attack Mitigation Based on Policy


    At the heart of any network security effort is the policy. The network security policy drives the decisions that determine whether an action or an event is considered a threat. A good security policy gives the network administrators or security personnel both the authority and the criteria to deploy security systems and software throughout the infrastructure, including intrusion detection systems (IDSs), antivirus software, and other technologies that mitigate existing and potential threats. The focus is on the security of the network and of the data that resides on the servers in the network.

    The security policy also defines how attack mitigation will occur. This can be through shunning or blocking by firewalls and routers of attacks that arrive from the Internet or originate on the internal network, or through the use of TCP resets. If a Cisco IDS sensor identifies an attack on a LAN, it can terminate the offending TCP connection by sending TCP reset packets to both ends of the connection, immediately closing the session between the source and target systems. Two limits apply in practice: a reset works only against TCP (not UDP or ICMP), and it races the attack traffic, so a single-packet exploit may already have reached the target before the reset arrives. Shunning with an ACL is the longer-lived response.
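    As an added illustration (example code written for this edition, not Cisco IDS code or anything from the SAFE documents), the following Python builds the pair of TCP reset segments a sensor would inject after observing an offending segment. It is self-contained: it constructs a sample IPv4/TCP packet itself, computes the checksums, and shows which sequence and acknowledgment numbers the two resets must carry for the receivers to accept them. The addresses, ports, and request payload are constructed for the demonstration; a real sensor would hand the packets to a raw socket or its own sniffing interface, which is omitted here.

```python
import socket
import struct

# TCP flag bits (RFC 793).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum. Run over data that already holds a
    correct checksum it returns 0, which is how tcp_checksum_ok verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_packet(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Minimal IPv4 + TCP packet (no options) with both checksums filled in."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 8192, 0, 0) + payload
    csum = _checksum(_pseudo_header(src_ip, dst_ip, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(pkt: bytes) -> dict:
    """Extract the fields a sensor needs from an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "payload": tcp[(off_flags >> 12) * 4:]}


def tcp_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return _checksum(_pseudo_header(src, dst, len(tcp)) + tcp) == 0


def reset_pair(observed: bytes):
    """Forge the two RSTs a sensor injects after seeing an offending segment.

    Toward the server we impersonate the client, so SEQ must be what the server
    expects next: the observed SEQ plus the bytes that segment consumed
    (payload length, plus one each for SYN and FIN). Toward the client we
    impersonate the server, so SEQ is the observed ACK. A RST whose SEQ falls
    outside the receiver's window is dropped (RFC 5961 stacks answer it with a
    challenge ACK), so getting these numbers right is what makes the reset
    land; it still works only for TCP and only if it arrives before the
    attack has finished.
    """
    f = parse_packet(observed)
    consumed = len(f["payload"]) + bool(f["flags"] & SYN) + bool(f["flags"] & FIN)
    next_client_seq = (f["seq"] + consumed) & 0xFFFFFFFF
    to_server = build_packet(f["src"], f["dst"], f["sport"], f["dport"],
                             next_client_seq, f["ack"], RST | ACK)
    to_client = build_packet(f["dst"], f["src"], f["dport"], f["sport"],
                             f["ack"], next_client_seq, RST | ACK)
    return to_server, to_client


# Constructed sample: a client request that the policy says to terminate.
ATTACK_PAYLOAD = b"GET /../../../etc/passwd HTTP/1.0\r\n\r\n"
ATTACK = build_packet("10.1.1.5", "10.1.2.20", 40000, 80, seq=1000, ack=5000,
                      flags=PSH | ACK, payload=ATTACK_PAYLOAD)

if __name__ == "__main__":
    for name, pkt in zip(("to server", "to client"), reset_pair(ATTACK)):
        f = parse_packet(pkt)
        print(f"{name}: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"seq={f['seq']} ack={f['ack']} rst={bool(f['flags'] & RST)}")
```

    The sensor never needs the connection's full state: everything it requires to forge plausible resets is in the one segment it matched, which is also why an attacker who keeps the exploit in a single segment can beat the reset to the target.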

    A security policy is a set of rules that defines the security goals of the organization. The policy is typically a high-level document that provides the authority for the network administration staff to enforce the rules governing the network. A formal definition of a security policy is provided by RFC 2196: "A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide. (Fraser, Barbara, RFC 2196, p. 6.)"

    The security policy defines the procedures to use and the suggested guidelines for security personnel and network administrators. Without this concept of basing security and attack mitigation on a policy, the overall effort of securing a network becomes a haphazard patchwork of initiatives that are more likely to leave the network vulnerable to attack.

    Security Implementation Throughout the Infrastructure


    The SAFE blueprint calls for security to be implemented throughout the network, from the edge router all the way down to the end system. Security is implemented through a "defense-in-depth" approach: if an attacker bypasses one layer, he still faces other layers before he reaches critical network resources. This layered defense maximizes the security around critical resources such as servers, databases, and applications while minimizing the impact on network functionality and usability.

    Secure Management and Reporting


    All management of network devices and end systems is conducted in a secure manner. Ideally, network devices are managed through an out-of-band (OOB) network: a network completely separate from the one that carries normal enterprise traffic, on which the management interfaces of the devices (and, through terminal servers, their console ports) reside. If an OOB network cannot be built or used for management, the next best solution is to encrypt the traffic between the network devices and the management system by using management protocols that provide encryption, such as HTTPS (SSL/TLS), Simple Network Management Protocol version 3 (SNMPv3) with both authentication and privacy enabled, and Secure Shell (SSH) version 2. Cleartext protocols such as Telnet, HTTP, and SNMPv1/v2c expose credentials and device configuration to anyone who can observe the management traffic. An OOB network also needs its own access control, because anyone who reaches it reaches every device on it.
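    The following Python is an added example, not from the book or from Cisco: a small audit of an IOS-style device configuration against the management requirements above. The two configuration fragments are constructed for the illustration (the hostname, ACL name, SNMP group and user names, and keys are invented), and the checker understands only the handful of commands it looks for, so it is a starting point for a configuration lint rather than a complete one.

```python
import re

# Constructed configuration fragments in Cisco IOS style. They are
# illustrative, not taken from the book or from any real device.
WEAK_CONFIG = """\
hostname edge-rtr
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password cisco
 login
 transport input telnet
"""

HARDENED_CONFIG = """\
hostname edge-rtr
no ip http server
ip http secure-server
ip ssh version 2
snmp-server group NMS-GROUP v3 priv
snmp-server user nms-poller NMS-GROUP v3 auth sha Str0ngAuthKey priv aes 128 Str0ngPrivKey
ip access-list standard MGMT-HOSTS
 permit 10.200.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
"""


def parse_blocks(config):
    """Split an IOS-style config into (top-level line, [indented sub-lines])."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_management(config):
    """Return the findings that violate 'secure management and reporting'."""
    findings = []
    blocks = parse_blocks(config)
    top = [line for line, _ in blocks]

    # Remote CLI: SSH version 2 only, and only from management hosts.
    if "ip ssh version 2" not in top:
        findings.append("SSH version 2 not enforced (ip ssh version 2 missing)")
    for line, subs in blocks:
        if not line.startswith("line vty"):
            continue
        transport = next((s for s in subs if s.startswith("transport input")), None)
        if transport != "transport input ssh":
            findings.append(f"{line}: cleartext CLI access possible "
                            f"({transport or 'transport input not restricted to ssh'})")
        if not any(s.startswith("access-class") for s in subs):
            findings.append(f"{line}: no access-class limiting management sources")

    # SNMP: community strings mean v1/v2c, which authenticate and carry data in the clear.
    for line in top:
        if line.startswith("snmp-server community"):
            findings.append(f"SNMPv1/v2c community configured: {line}")
        m = re.match(r"snmp-server group \S+ v3 (\w+)", line)
        if m and m.group(1) != "priv":
            findings.append(f"SNMPv3 group without privacy (encryption): {line}")

    # Web management: plain HTTP sends the login in the clear.
    if "ip http server" in top:
        findings.append("plain-HTTP management enabled (ip http server)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_management(cfg) or ['no findings']}")
```

    The hardened fragment shows the shape of the corrected configuration: SSHv2 on the vty lines with an access-class naming the management subnet, SNMPv3 with a priv group, and HTTPS in place of HTTP. Run against a real configuration dump, the checker is only as good as the command list it knows, so extend it deliberately rather than trusting an empty result.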

    Authentication and Authorization for Access to Critical Resources


    There are two primary components of access control: authentication and authorization. Authentication is the process by which a user or a device proves the validity of its claimed identity to an authoritative source. This source can be the login process on a host, the access device of a network, an application such as a database or web server, or one of a wide range of other systems on a network. Authorization is the process by which the system decides whether an already-authenticated user has sufficient permission to execute a command or a process on a system or network device.

    Critical network resources such as routers, firewalls, switches, IDSs, and applications all require authentication before access is granted. Authentication ensures that the user or administrator has the necessary credentials to access a device or system. Additional authorization is required to perform various actions on network devices and servers.

    Users and administrators must authenticate before they are granted access to a device or a server. Authentication can be in the form of a single-factor system, such as a password, or a two-factor system, which combines something the user knows (a password or PIN) with something the user has (a smart card, a hardware token, or a private key held on a device).

    Authorization ensures that the user or administrator has sufficient privileges to execute a command or a process. Because each authorized action is tied to an authenticated identity, authorization also enables you to determine who is accountable for any particular action and to define more clearly the roles of users and administrators.
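    As an added example (not the book's code and not any Cisco feature), the following Python keeps the two decisions separate: a two-factor authentication step (salted password hash plus an RFC 6238 time-based one-time password) and a distinct authorization step that checks a privilege level against a per-command policy table and writes an audit record for accountability. The user store, passwords, privilege levels, and command table are constructed for the illustration; the TOTP seed for the first user is the RFC 6238 test-vector seed so its output can be checked against the RFC, and a real deployment would use a random per-user seed.

```python
import hashlib
import hmac
import struct
import time


def _hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the stored value is never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store. Privilege levels follow the IOS convention of
# 1 (user EXEC) and 15 (full administrative access). The TOTP seed for
# "netops" is the RFC 6238 test-vector seed; a real seed is random and per user.
USERS = {
    "netops":   {"salt": b"salt-netops-01",   "totp_seed": b"12345678901234567890", "privilege": 15},
    "helpdesk": {"salt": b"salt-helpdesk-01", "totp_seed": b"helpdesk-seed-0123456", "privilege": 1},
}
for _name, _password in (("netops", "correct horse battery"), ("helpdesk", "tr0ub4dor&3")):
    USERS[_name]["pw_hash"] = _hash_password(_password, USERS[_name]["salt"])

# Minimum privilege level each command needs (constructed policy table).
COMMAND_PRIVILEGE = {
    "show ip route": 1,
    "show running-config": 15,
    "configure terminal": 15,
    "reload": 15,
}
AUDIT_LOG = []


def totp(seed, now, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, RFC 4226 truncation."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def authenticate(username, password, otp, now=None):
    """Two-factor authentication: something known (password) plus something
    held (the device holding the TOTP seed). Both factors are always
    evaluated and compared in constant time so failures look alike."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        _hash_password(password, b"dummy-salt-for-unknown-user")  # keep timing uniform
        return False
    pw_ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
    # Accept the current step and the previous one to tolerate small clock skew.
    otp_ok = any(hmac.compare_digest(totp(user["totp_seed"], now - step_back), otp)
                 for step_back in (0, 30))
    return pw_ok and otp_ok


def authorize(username, command):
    """Authorization is a separate decision made after identity is proven:
    does this identity's privilege level cover this command? Every decision
    is logged so the action is attributable to a person."""
    required = COMMAND_PRIVILEGE.get(command, 15)  # unknown commands need full privilege
    user = USERS.get(username)
    allowed = user is not None and user["privilege"] >= required
    AUDIT_LOG.append({"user": username, "command": command, "allowed": allowed})
    return allowed


def run_command(username, password, otp, command, now=None):
    """Gate a command behind both steps; returns 'ok', 'denied:authn' or 'denied:authz'."""
    if not authenticate(username, password, otp, now):
        return "denied:authn"
    if not authorize(username, command):
        return "denied:authz"
    return "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    code = totp(USERS["netops"]["totp_seed"], now)
    print(run_command("netops", "correct horse battery", code, "configure terminal", now))
    code = totp(USERS["helpdesk"]["totp_seed"], now)
    print(run_command("helpdesk", "tr0ub4dor&3", code, "configure terminal", now))
    print(AUDIT_LOG)
```

    The helpdesk user authenticates successfully but is refused "configure terminal" at the authorization step, and the refusal is in the audit log under that user's name; that is the accountability the objective asks for. On real network devices this split is what a TACACS+ or RADIUS server provides, with the device consulting it for each command.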

    Intrusion Detection for Critical Resources and Subnets


    Intrusion detection has emerged as one of the critical technologies necessary to properly secure a network. The following are the two general categories of IDSs, which are discussed in the next sections:

    • Host-based IDS (HIDS)

    • Network IDS (NIDS)


    Host-Based IDS

    A host-based IDS (HIDS), or host-based IPS (HIPS) when it can also block the action it detects, is software that is installed and runs on end systems such as servers, desktops, and laptops. The function of a HIDS is to provide a last line of defense if the NIDS misses an attack, which can occur if the NIDS's signature database is out of date, if the traffic is encrypted end to end so the NIDS cannot inspect it, or if the attacker employs an evasion technique (fragmentation, encoding, or session splicing, for example) to hide the attack from the NIDS. HIDSs monitor the host itself and attempt to detect illegal actions, such as the replacement of a critical file, the modification of system binaries, or an attempt to execute code from a region of memory that should hold only data. As such, HIDSs have quickly become an important part of the success of IDSs in general.

    Network IDS

    A NIDS works by monitoring network traffic for patterns of attack. When the NIDS detects an attack, it may simply raise an alarm on a management console, block the source by inserting a new rule (a shun) into a router's or firewall's access control list (ACL), or take some other action to terminate the connection, such as the TCP reset described earlier in this chapter.

    The function of the NIDS is broken into two main categories:

    • Misuse detection (also known as a signature-based IDS)

    • Anomaly detection


    A signature-based IDS identifies attacks by comparing network traffic to a database of signatures of the exploits used to attack systems; it can detect only attacks for which it has a signature, so the database must be kept current. An anomaly-based IDS uses profiles of network traffic to determine what is considered "normal"; anything that falls outside that profile is considered anomalous and indicative of a potential attack. Anomaly detection can catch attacks that have no signature, but it depends on a baseline learned from traffic that was genuinely clean, and it raises more false positives. Most NIDSs deployed in networks today are hybrid systems combining aspects of misuse detection and anomaly detection.
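    The following Python is an added example, not code from the book or from any Cisco sensor: a miniature hybrid NIDS that runs signature matching over packet payloads, learns a per-source port-count profile from a baseline window to flag scans as anomalies, and applies a policy table to choose between raising an alarm and generating a shun ACL entry. The signatures, traffic records, and addresses are constructed for the illustration, and the anomaly model is deliberately simple (distinct destination ports per source); real sensors profile many more features.

```python
import re
import statistics
from collections import defaultdict

# Misuse (signature) rules: name, pattern over the payload, severity.
SIGNATURES = [
    ("http-dir-traversal", re.compile(rb"(\.\./){2,}"), "high"),
    ("sql-tautology", re.compile(rb"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE), "high"),
    ("unix-shell-reference", re.compile(rb"/bin/(?:sh|bash)\b"), "medium"),
]

# Policy-driven response: alarm only, or alarm plus a shun ACL for the router.
RESPONSE_BY_SEVERITY = {"high": "shun", "medium": "alarm", "anomaly": "alarm"}


def signature_scan(pkt):
    """Misuse detection: does the payload contain a known exploit pattern?"""
    for name, pattern, severity in SIGNATURES:
        if pattern.search(pkt["payload"]):
            return {"type": "signature", "name": name, "severity": severity, "src": pkt["src"]}
    return None


class PortScanProfile:
    """Anomaly detection: learn how many distinct destination ports a source
    normally touches in a window, then flag sources far above that baseline.
    The baseline must come from traffic you trust to be clean; an attacker
    present during learning teaches the sensor that scanning is normal."""

    def __init__(self, sigmas=3.0):
        self.sigmas = sigmas
        self.threshold = None

    @staticmethod
    def _distinct_ports(packets):
        ports = defaultdict(set)
        for p in packets:
            ports[p["src"]].add(p["dport"])
        return {src: len(s) for src, s in ports.items()}

    def learn(self, packets):
        counts = list(self._distinct_ports(packets).values())
        self.threshold = statistics.mean(counts) + self.sigmas * statistics.pstdev(counts)

    def detect(self, packets):
        return [{"type": "anomaly", "name": "port-scan", "severity": "anomaly",
                 "src": src, "distinct_ports": n}
                for src, n in self._distinct_ports(packets).items() if n > self.threshold]


def shun_acl(src):
    """ACL entry a sensor pushes to a perimeter router to block a source."""
    return f"access-list 101 deny ip host {src} any"


def analyze(baseline, observed):
    """Hybrid NIDS pass: signatures on every packet, anomaly check per window,
    then the policy table decides the response for each alert."""
    profile = PortScanProfile()
    profile.learn(baseline)
    alerts = [a for a in map(signature_scan, observed) if a] + profile.detect(observed)
    for alert in alerts:
        alert["action"] = RESPONSE_BY_SEVERITY[alert["severity"]]
        if alert["action"] == "shun":
            alert["acl"] = shun_acl(alert["src"])
    return alerts


def _pkt(src, dst, dport, payload=b""):
    return {"src": src, "dst": dst, "dport": dport, "payload": payload}


# Constructed traffic. BASELINE is a quiet window used to learn the profile;
# OBSERVED mixes normal requests with a traversal attempt, an injection
# attempt, and a port sweep from one host.
BASELINE = [
    _pkt("10.1.1.9", "10.1.2.20", 80), _pkt("10.1.1.9", "10.1.2.21", 443),
    _pkt("10.1.1.10", "10.1.2.20", 80), _pkt("10.1.1.11", "10.1.2.25", 25),
    _pkt("10.1.1.11", "10.1.2.20", 80), _pkt("10.1.1.11", "10.1.2.30", 53),
    _pkt("10.1.1.12", "10.1.2.20", 80),
]
OBSERVED = [
    _pkt("10.1.1.9", "10.1.2.20", 80, b"GET /index.html HTTP/1.1\r\n"),
    _pkt("10.1.1.5", "10.1.2.20", 80, b"GET /../../../etc/passwd HTTP/1.0\r\n"),
    _pkt("10.1.1.6", "10.1.2.20", 80, b"POST /login user=admin' OR '1'='1&pw=x"),
] + [_pkt("192.0.2.77", "10.1.2.20", port) for port in range(1, 41)]

if __name__ == "__main__":
    for alert in analyze(BASELINE, OBSERVED):
        print(alert)
```

    The two detection styles fail differently: the traversal and injection attempts are caught only because a matching signature exists, while the sweep from 192.0.2.77 is caught only because it departs from the learned profile. The policy table, not the detector, decides that signature hits are shunned and anomalies merely alarmed, which is the "attack mitigation based on policy" objective in miniature.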

    Deployment is critical to maximizing the success of an IDS. It is insufficient to place an IDS device in the middle of a network and expect that it will be able to identify and respond to all possible attacks. As networks have grown tremendously over the past few years, the amount of traffic traversing the network wire has also increased. Consequently, the IDS needs to be properly placed at strategic locations throughout the network to maximize its effectiveness and flexibility in protecting critical network resources.

    Consider the network shown in Figure 2-1. The NIDSs are placed at intranet junction points such as the remote access systems and the extranet connections to business partners. Additionally, HIDSs have been deployed on critical servers throughout the network. The HIDS is a failsafe device should an attack go undetected by the NIDS. A HIDS is also used where a NIDS may be inappropriate because of, for example, an insufficient number of devices on the network, a low threat level, or a prohibitive cost factor.

    Figure 2-1. Intrusion Detection for Critical Resources


    Support for Emerging Networked Applications


    Technology evolves through the need for newer, better, and faster applications. These applications are more dependent than ever on the network for their proper use and operation. In the past, applications were monolithic in nature and relied on the fact that users accessed the application from within the same system the application was installed on. Today's distributed applications require a secure network to ensure secure communication between the application and the user. SAFE accommodates these emerging applications through the flexibility of the design. The deployment of new applications does not require a significant re-engineering of the network security state; rather, minor modifications can be made to provide access to these applications. This flexibility also helps to ensure that the overall security state of the network is maintained if a vulnerability in the application is discovered.

    Cost-Effective Deployment


    While security is an integral component of today's network architecture, it must be deployed and integrated in a cost-effective manner. The high price of equipment and implementation can become an impediment. The blueprint "SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks" integrates security functionality into existing network devices, lowering the cost of security deployment. As in any architecture, the choice between a network device's integrated functionality and a specialized appliance must be made on the particular needs of the network design. Using the firewall feature set on a router rather than a dedicated firewall appliance, or the intrusion detection capabilities in a router rather than a dedicated IDS appliance, can yield substantial cost savings. This does not mean that integrated functionality is appropriate wherever a specialized appliance is called for: some situations require the depth of functionality, or the performance, that only a specialized appliance provides.
