CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources] (text version)

  • Understanding SAFE Axioms


    The SAFE axioms are outlined in the white papers available on the Cisco Systems SAFE website ("SAFE: A Security Blueprint for Enterprise Networks" and "SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks"). These axioms also apply to the white papers discussing WLANs and IP telephony. However, those two white papers also introduce additional axioms that are unique to the technologies they discuss; those axioms are described later.

    • Routers are targets.

    • Switches are targets.

    • Networks are targets.

    • Hosts are targets.

    • Applications are targets.


    Routers Are Targets


    Three functions of routers are discussed in this section. First, routers announce network addresses through routing protocols. Second, routers filter network traffic. Third, routers connect one network to another, a function that has made them an increasingly popular target for intruders. Because they are so often targets, hardening them is critical. Router security postures can be improved by implementing the following best practices:

    • Lock down Telnet access to routers
      This can be accomplished through the following means:

      - Restrict the protocols that are used to connect to the router for administration.

      - Use access control lists (ACLs) to restrict which IP addresses can connect to the router.

      - Require a password for login.

      - Ensure that sessions time out when they are no longer being used.

      - Consider SSH or HTTPS as options that are more secure than Telnet.

    • Lock down SNMP access to routers
      This can be accomplished through the following means:

      - Use SNMP version 2 at a minimum.

      - Choose community string names with the same care as passwords.

      - Require authentication.

      - Restrict the IP addresses that can connect to the SNMP port on the router.

    • Use TACACS+ to control access to the router
      Using an authentication, authorization, and accounting (AAA) system allows for the collection of information about user logins, user logouts, HTTP accesses, privilege-level changes, commands executed, and similar events. AAA log entries are sent to authentication servers by using the TACACS+ or RADIUS protocol and are recorded locally by those servers, typically in disk files. TACACS+ passwords are not transmitted in clear text, so the threat of password sniffing to steal passwords is mitigated.

    • Turn off unneeded services
      This includes the TCP and UDP small services (chargen, discard, and echo) and the finger service. If the Network Time Protocol (NTP) is not needed, consider disabling it. If the Cisco Discovery Protocol (CDP) is not required for network management, disable it as well.

    • For routing protocols, consider using an authentication method to ensure that the routing updates are valid
      Use message digest authentication instead of plaintext password authentication.


    For a more complete document on improving the security of Cisco routers, refer to this website: http://www.cisco.com/warp/public/707/21l.
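The checklist above maps almost one-to-one onto lines in an IOS running configuration, so the quickest way to see whether a router follows it is to audit the configuration text. The following is an added example, not code from the book or from Cisco: a small Python audit that reads an IOS-style configuration and reports each practice from the list that is not followed (small servers and finger, CDP, VTY transport, access-class and exec-timeout, SNMP community naming and ACL binding, AAA with TACACS+, and message-digest authentication for OSPF). Both configurations embedded in it are constructed samples; the addresses, the ACL number, the interface name and the `*-PLACEHOLDER` secrets are assumed values.

```python
import re

# Added example (not from the book or from Cisco): audit an IOS-style running config against the
# router practices listed above. Both sample configs are constructed; the addresses, ACL number,
# interface name and the *-PLACEHOLDER secrets are assumed values.

def parse_sections(config):
    """Split IOS-style text into {'': [global lines], 'line vty 0 4': [...], 'router ospf 1': [...]}."""
    sections, current = {"": []}, ""
    for raw in config.splitlines():
        if raw.strip() and not raw.lstrip().startswith("!"):    # skip blanks and '!' comments
            if raw[0] == " ":                                     # indented: child of the open block
                sections[current].append(raw.strip())
            else:                                                 # top level: open a new block
                current = raw.strip()
                sections.setdefault(current, [])
                sections[""].append(current)
    return sections

def audit_router(config):
    """Return one finding per practice from the text that the config does not follow."""
    s, f = parse_sections(config), []
    g = s[""]
    if "service tcp-small-servers" in g or "service udp-small-servers" in g:
        f.append("TCP/UDP small servers (echo, chargen, discard) enabled")
    if "ip finger" in g or "service finger" in g:
        f.append("finger service enabled")
    if "no cdp run" not in g:
        f.append("CDP running globally (disable it if not needed for management)")
    if "aaa new-model" not in g or not any(l.startswith(("tacacs-server host", "tacacs server")) for l in g):
        f.append("AAA with TACACS+ not configured (no central login/command accounting)")
    for hdr, lines in s.items():
        if hdr.startswith("line vty"):
            if "transport input ssh" not in lines:
                f.append(f"{hdr}: Telnet allowed (use 'transport input ssh')")
            if not any(l.startswith("access-class") for l in lines):
                f.append(f"{hdr}: no access-class limiting management source addresses")
            timeout = [l.split()[1:] for l in lines if l.startswith("exec-timeout")]
            if not timeout or timeout[0] == ["0", "0"]:
                f.append(f"{hdr}: idle sessions never time out")
        if hdr.startswith("router ospf") and not any(
                l.startswith("area") and l.endswith("authentication message-digest") for l in lines):
            f.append(f"{hdr}: routing updates not authenticated with message digest")
    for l in g:
        m = re.match(r"snmp-server community (\S+) R[OW]\b(.*)", l)
        if m and m.group(1).lower() in ("public", "private"):
            f.append(f"SNMP community '{m.group(1)}' is a well-known default name")
        if m and not m.group(2).strip():
            f.append(f"SNMP community '{m.group(1)}' not restricted to an access list")
    return f

WEAK_ROUTER = """\
service tcp-small-servers
ip finger
snmp-server community public RO
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
"""

HARDENED_ROUTER = """\
no service tcp-small-servers
no service udp-small-servers
no ip finger
no cdp run
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 10.1.1.5 key TACACS-KEY-PLACEHOLDER
access-list 10 remark management stations only
access-list 10 permit 10.1.1.0 0.0.0.255
snmp-server community N3tM0n-PLACEHOLDER RO 10
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 OSPF-KEY-PLACEHOLDER
router ospf 1
 area 0 authentication message-digest
 network 10.0.0.0 0.255.255.255 area 0
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_ROUTER), ("hardened", HARDENED_ROUTER)):
        print(f"{name}: {len(audit_router(cfg))} finding(s)")
        for finding in audit_router(cfg):
            print("  -", finding)
```

The audit deliberately flags only what the text calls out; a real assessment would also check the login method on the VTY lines and the SNMP version in use, which the script treats as out of scope. The hardened sample is a minimal illustration of the same list, not a complete production configuration.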

    Switches Are Targets


    Like their router counterparts, switches are increasingly coming under attack by intruders. These attacks target both OSI Layer 2 and Layer 3 switches. Many of the attacks on switches are unique to the function that they perform in a network. These attacks include VLAN hopping, in which an attacker in one VLAN gains access to a host in another VLAN that is not normally accessible from the attacker's VLAN, and MAC address spoofing. The common best practices for routers, which were listed previously, also apply to switches, as do the following switch-specific best practices:

    • Always use a dedicated VLAN ID for all trunk ports
      This prevents VLAN-hopping attacks.

    • Avoid using VLAN 1 for management
      VLAN 1 is the native VLAN on all Cisco switches. Any switch ports that are not assigned to a unique VLAN are automatically assigned to VLAN 1.

    • Set all user ports to nontrunking mode
      Along with using a dedicated VLAN ID for all trunk ports, this setting is necessary to prevent VLAN-hopping attacks.

    • Deploy port security for user ports
      When possible, configure each port to associate a limited number of MAC addresses (approximately two to three). This deployment mitigates MAC flooding and other network attacks.

    • Have a plan for the ARP security issues in your network
      Enable Spanning Tree Protocol attack mitigation (BPDU Guard, Root Guard). This helps mitigate the possibility of an attacker spoofing a root bridge in the network topology and successfully executing a man-in-the-middle attack.

    • Enable Spanning Tree Protocol attack mitigation
      This is accomplished through BPDU Guard and Root Guard.

    • Use private VLANs
      When appropriate, this allows for the further division of Layer 2 networks.

    • Use CDP only where appropriate
      CDP is a proprietary protocol that aids in managing Cisco devices. However, the information available in CDP can provide an attacker with desired information. Limiting the use of CDP to areas of the network that are considered sufficiently secure is considered a best practice.

    • Disable all unused ports and put them in an unused VLAN
      This prevents network intruders from plugging into unused ports and communicating with the rest of the network.

    • Use VTP passwords
      VLAN Trunking Protocol (VTP) is used to propagate VLAN configuration information from a server switch to client switches. Requiring VTP authentication in VTP advertisements reduces the likelihood that the VTP advertisements are spoofed by an attacker.

    • Use Layer 2 port authentication such as 802.1x
      802.1x provides for the authentication of clients that attempt to connect to a network.


    For more information on improving the security of Layer 2 switches, refer to the "SAFE Enterprise Layer 2 Addendum" Application Note on Cisco.com.
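The port-security item above is the one switch practice whose effect is easiest to show in code: a switch learns source MAC addresses per port, and a flooding tool exhausts the address table by sending frames with thousands of forged sources. The following is an added example, not from the book: a toy learning switch in Python that enforces a per-port limit on secure MAC addresses, with the two violation behaviours a practitioner would expect (drop-and-count, or disable the port), and a comparison of the address-table size with and without the limit. Port names, MAC addresses and the flood itself are constructed.

```python
from collections import defaultdict

# Added example (not from the book): a toy learning switch with per-port MAC limits, showing why
# the text's "two to three addresses per user port" bounds the damage of MAC flooding.
# Port names, MAC addresses and the flood are constructed.

class PortSecuritySwitch:
    def __init__(self, maximum=2, violation="restrict"):
        self.maximum = maximum             # secure MACs allowed per port (assumed default of 2)
        self.violation = violation         # 'restrict' drops and counts; 'shutdown' err-disables the port
        self.secure = defaultdict(set)     # port -> learned source MAC addresses
        self.violations = defaultdict(int)
        self.err_disabled = set()

    def frame(self, port, src_mac):
        """Process one ingress frame; return 'forward', 'drop' or 'err-disabled'."""
        if port in self.err_disabled:
            return "err-disabled"
        if src_mac in self.secure[port]:
            return "forward"
        if len(self.secure[port]) < self.maximum:
            self.secure[port].add(src_mac)        # learn a new address while under the limit
            return "forward"
        self.violations[port] += 1                 # over the limit: port-security violation
        if self.violation == "shutdown":
            self.err_disabled.add(port)
            return "err-disabled"
        return "drop"

    def cam_size(self):
        """Total number of learned addresses, i.e. the memory a flood is trying to exhaust."""
        return sum(len(macs) for macs in self.secure.values())

def flood(sw, port, count):
    """Simulate a flooding tool sending `count` frames with distinct forged source MACs on one port."""
    results = [sw.frame(port, f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}") for i in range(count)]
    return {r: results.count(r) for r in set(results)}

def demo():
    """Same flood against an unlimited port and a port limited to two addresses."""
    unprotected = PortSecuritySwitch(maximum=10**6)     # effectively no limit: table fills up
    protected = PortSecuritySwitch(maximum=2)
    flood(unprotected, "Gi1/0/7", 5000)
    outcome = flood(protected, "Gi1/0/7", 5000)
    return unprotected.cam_size(), protected.cam_size(), outcome

if __name__ == "__main__":
    unlimited, limited, outcome = demo()
    print(f"addresses learned without port security: {unlimited}, with maximum 2: {limited}")
    print("frames by outcome on the protected port:", outcome)
```

With `violation="restrict"` the port stays up and the violation counter gives the administrator something to alarm on; with `violation="shutdown"` a single excess address takes the port out of service, which is the safer default for user ports but needs a procedure to re-enable them.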

    Hosts Are Targets


    Hosts are the most frequently targeted aspects of a network. They represent the most visible target to an attacker and the biggest security problem for an administrator. Attackers see hosts as the most valuable target because of the applications that are run on them, the data that is stored on them, and the fact that they can be used as launch points to other destinations. Because hosts are highly visible and consist of numerous different combinations of hardware platforms, operating systems, and applications (each with its own set of patches and updates), hosts represent the lowest-hanging fruit on a network and are the target of choice for an attacker.

    Hosts, therefore, represent the most successfully attacked elements on a network. For example, consider a typical web server on an enterprise network. The web server application may be from one vendor, the operating system from another, and the hardware from a third. Additionally, the web server may be running some freely available CGI programs or a commercial application that interfaces with the web server, such as a SQL database. All of these various components of the host may contain multiple vulnerabilities, some more severe than others. This is not to say that using operating system software and application software from one manufacturer is more secure; in some cases, quite the contrary has proven to be true. However, the lesson is that the more complex a system is, the greater the possibility of a failure.

    When securing hosts, pay considerable attention to the system components. Keep systems up to date with the latest patch revision levels. Be sure to test the updates on test systems before you apply the patches to systems in a production environment. Patches can create unexpected conflicts between software components and result in a DoS by preventing the application or system from properly operating.

    In addition, when securing hosts, turn off any "unnecessary services," that is, services that are not required for the proper functioning and management of the system. For example, many UNIX systems come with "small" services turned on by default, which include echo, chargen, and discard. These services represent a potential target of a DoS attack. If the host is not an FTP server, disable the FTP service and, if possible, remove the FTP software package.

    Other potential avenues of attack are the use of default accounts and poor user passwords. Accounts on production systems should be limited to only those users who need to access the system for management purposes or to effect maintenance on the software.

    The key to successfully improving the security of a system is to lower the number of possible avenues of attack to a minimum. Additionally, you should consider the use of host-based intrusion prevention software on critical systems, to further improve the security posture of the system. Improving the overall security posture of the system does not necessarily mean that the system will become impenetrable; it will, however, certainly make an attack much harder.

    Networks Are Targets


    Network attacks are the most difficult to defend against because they typically take advantage of an intrinsic property of the network itself. This category of attacks includes Layer 2 attacks, distributed denial of service (DDoS) attacks, and network sniffers.

    The Layer 2 attacks can be mitigated through the use of the best practices previously listed in the sections "Routers Are Targets" and "Switches Are Targets." The impact of sniffing can be mitigated through the implementation of a switched network and through the use of the same set of best practices.

    DDoS attacks are much more difficult to protect against, however. Typically, the goal of a DDoS attack is to shut down an entire network rather than one particular host. The primary method of a DDoS network attack is to consume all of the bandwidth going to and from the network. A side effect of a DDoS attack might be that a target system on the network crashes.

    Cooperation between the end customer and its ISP is the only effective way to mitigate many of the effects of a DDoS attack. The ISP can provide rate limitations on the outbound interface of the router that is providing the ISP link to the customer so that undesired traffic can be dropped when it exceeds a prespecified amount of the total bandwidth in the link.

    Common forms of DDoS attacks include ICMP floods, TCP SYN floods, and UDP floods. One defense that administrators can devise to protect their systems is to follow filtering guidelines as specified in RFC 1918 and RFC 2827. RFC 1918 specifies the network address ranges that are reserved for private use, and RFC 2827 describes egress filtering for networks. When implemented on the ISP side of a WAN link, filtering helps prevent packets with source addresses within the ranges covered in RFC 1918, as well as other spoofed traffic, from reaching the customer end of the uplink. At the customer end, following the filtering guidelines discussed in these two RFCs helps prevent attackers from launching DDoS attacks using spoofed IP addresses by blocking them at the customer edge router. Although this strategy does not prevent DDoS attacks from happening, it does prevent the attacker from masking the source address of the attacking hosts.
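The RFC 1918 and RFC 2827 filtering described above reduces to two rules at the customer edge: nothing leaves unless its source is in the customer's own prefix, and nothing enters with a private source or with the customer's own prefix as its source. The following is an added example, not from the book or from Cisco: a Python decision function for those two rules, run over a handful of constructed packets, plus a generator for the equivalent IOS extended access lists. The customer prefix and all addresses come from documentation address space and are assumed values; the ACL names are assumed as well.

```python
import ipaddress

# Added example (not from the book): the RFC 1918 / RFC 2827 filtering the text describes, as a
# decision function for the customer edge plus the equivalent IOS access lists.
# CUSTOMER_PREFIX and the sample packets are constructed from documentation address space.
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")          # assumed public allocation
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def edge_filter(direction, src, dst):
    """Return (action, reason) for a packet on the ISP link.
    direction is 'in' (ISP toward customer) or 'out' (customer toward ISP)."""
    s = ipaddress.ip_address(src)
    if direction == "out":
        # RFC 2827 egress filtering: only our own prefix may leave, so an internal host taking
        # part in a DDoS cannot mask its source address (the attack still happens, but unmasked).
        if s not in CUSTOMER_PREFIX:
            return "deny", "egress: source not in customer prefix (RFC 2827)"
        return "permit", ""
    if direction == "in":
        # Ingress: private ranges never legitimately arrive from the Internet, and neither
        # does our own prefix, so both are treated as spoofed.
        if any(s in n for n in RFC1918):
            return "deny", "ingress: RFC 1918 source address"
        if s in CUSTOMER_PREFIX:
            return "deny", "ingress: our own prefix used as a source from outside"
        return "permit", ""
    raise ValueError(f"unknown direction {direction!r}")

def ios_acl_text():
    """The same policy as IOS extended ACLs (wildcard masks derived from the networks)."""
    wc = lambda n: f"{n.network_address} {n.hostmask}"
    lines = ["ip access-list extended ISP-IN"]
    lines += [f" deny ip {wc(n)} any log" for n in RFC1918 + [CUSTOMER_PREFIX]]
    lines += [" permit ip any any",
              "ip access-list extended ISP-OUT",
              f" permit ip {wc(CUSTOMER_PREFIX)} any",
              " deny ip any any log"]
    return "\n".join(lines)

SAMPLE_PACKETS = [  # (direction, src, dst), constructed
    ("in",  "198.51.100.7", "203.0.113.10"),   # ordinary inbound request
    ("in",  "10.4.4.4",     "203.0.113.10"),   # private source from the Internet: spoofed
    ("in",  "203.0.113.99", "203.0.113.10"),   # our prefix arriving from outside: spoofed
    ("out", "203.0.113.10", "198.51.100.7"),   # ordinary reply
    ("out", "192.0.2.55",   "198.51.100.7"),   # forged source from a compromised inside host
    ("out", "192.168.1.5",  "198.51.100.7"),   # leaked private address
]

def run(packets=SAMPLE_PACKETS):
    return [edge_filter(*p) for p in packets]

def dropped(packets=SAMPLE_PACKETS):
    return sum(1 for action, _ in run(packets) if action == "deny")

if __name__ == "__main__":
    for p, (action, why) in zip(SAMPLE_PACKETS, run()):
        print(f"{p[0]:>3} {p[1]:>14} -> {p[2]:<14} {action:<6} {why}")
    print(ios_acl_text())
```

The generated `ISP-IN` list would be applied inbound and `ISP-OUT` outbound on the customer-side interface of the ISP link; the `log` keyword on the deny entries is what makes the spoofing attempts visible in syslog rather than silently dropped.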

    NOTE

    Consider the following example to understand the impact that a DDoS attack can have on a network. A typical enterprise organization has a DS1 (1.544 Mbps) link to its ISP. This provides access not only for the enterprise to the Internet but also for the enterprise's customers to the corporate web server and to the FTP server for downloading patches.

    An attacker with 100 systems under his control begins a DDoS attack against the enterprise web server. Assume that each system under his control sits on a variety of DSL and ISDN links so that the average bandwidth for these 100 systems is 256 kbps. If all 100 of the systems are used in a coordinated attack against the web server and each fills up its link to the Internet with traffic, the total aggregate traffic generated is 25.6 Mbps:

    100 systems * 256 kbps/system (avg) = 25.6 Mbps

    This is easily 16 times greater than the size of the target enterprise's link to the Internet. Even if only half of the systems were able to flood at their full link capacity, the Internet link for the enterprise would still be

    50 systems * 256 kbps/system + 50 systems * 128 kbps/system = 19.2 Mbps

    Applications Are Targets


    Applications are also targets because, like host operating systems, they are susceptible to coding errors. The extent of the damage caused by application coding errors can vary from a minor "HTTP 404 File Not Found" error to something considerably worse such as a buffer overflow that provides direct interactive access to a host. Applications need to be kept up to date as much as possible. Furthermore, public domain applications and custom-developed applications should be audited to ensure that potential vulnerabilities are not introduced to the system with the installation of the software. These audits should consider the following factors:

    • Analysis of the calls that the application makes to other applications and to the operating system itself

    • The application privilege level

    • The level of trust the application has for the surrounding systems

    • The method of transport the application uses to transmit data across the network


    This level of auditing is necessary to resolve potentially known vulnerabilities that would reduce the security posture of the system and the network as a whole.

    Intrusion Detection Systems

    Intrusion detection systems (IDSs) fall into two primary categories: network IDSs (NIDSs) and host-based IDSs (HIDSs). NIDSs provide an overall view of activity on a network and the capability to alert upon discovery of an attack. HIDSs excel at providing after-the-fact analysis of an attack on a host, and, with newer host-based intrusion prevention systems (IPSs), they are able to prevent an attack from succeeding by intercepting OS and application calls on the host.

    All IDSs require some level of adjustment, or tuning, to eliminate false positives. False positives are alarms that are triggered by activity that is benign in nature. Once the IDS has been tuned appropriately, additional mitigation techniques can then be implemented. There are two primary mitigation techniques in the Cisco IDS offerings:

    • Shunning

    • TCP resets


    Shunning uses ACLs on routers and firewalls to block offending traffic from a source IP address. You must take great care when applying this technique because a skilled attacker may use spoofed packets in the attack to cause the IDS to add filters to the router or firewall that block legitimate traffic. To reduce this problem, it is recommended that you use shunning only against TCP traffic, because it is more difficult to spoof than UDP traffic. Additionally, use short shun times, just long enough to provide the network administrator with sufficient time to determine a more permanent course of action. Shunning is recommended on the internal network, however, for several reasons, including the assumption that effective RFC 2827 filtering is being used on the internal network and the fact that internal networks tend not to have the same level of stateful filtering as edge connections.

    The second mitigation technique, TCP resets, is available only against TCP-based connections and provides for the termination of the attack by sending TCP reset packets to both the attacking and the attacked hosts. Switched environments pose some additional challenges to TCP reset, but these can be overcome by using a Switched Port Analyzer (SPAN) or mirror port.
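The two caveats on shunning above, act only on TCP alarms and keep shun entries short, are easy to get wrong in an automated response, so it is worth seeing them as explicit logic. The following is an added example, not from the book or from the Cisco IDS software: a Python decision helper that picks between a shun, a TCP reset and log-only handling for an IDS alarm, and a table of shun entries that expire on their own. The severity threshold that selects a reset rather than a shun, the 300-second window, the alarm records and their signature names are all assumptions.

```python
from dataclasses import dataclass, field

# Added example (not from the book): a decision helper for the two Cisco IDS responses described,
# shunning and TCP resets, applying the text's caveats: act only on TCP alarms, and keep shun
# entries short-lived. The severity threshold that picks a reset over a shun is an assumption,
# as are the alarm records and the 300-second window.

SHUN_SECONDS = 300   # assumed "short shun time": enough for an operator to decide a permanent action

@dataclass
class ShunTable:
    """Temporary block entries that would be pushed as ACLs to a router or firewall."""
    ttl: int = SHUN_SECONDS
    entries: dict = field(default_factory=dict)      # source IP -> expiry (seconds on a monotonic clock)

    def expire(self, now):
        for ip in [ip for ip, t in self.entries.items() if t <= now]:
            del self.entries[ip]

    def active(self, now):
        self.expire(now)
        return sorted(self.entries)

    def consider(self, alarm, now):
        """Return 'shun', 'tcp-reset' or 'log-only' for an alarm {proto, src, sig, severity}."""
        self.expire(now)
        if alarm["proto"] != "tcp":
            # UDP/ICMP sources are easy to forge; an automatic filter could block a legitimate
            # party the attacker chose, so these only go to the log for a human to review.
            return "log-only"
        if alarm["severity"] < 4:                 # assumed threshold: low severity, just end the session
            return "tcp-reset"                    # resets go to both ends; no ACL change anywhere
        self.entries[alarm["src"]] = now + self.ttl
        return "shun"

SAMPLE_ALARMS = [   # (seconds since start, alarm), constructed
    (0,   {"proto": "tcp", "src": "198.51.100.9",  "sig": "web-exploit-attempt",  "severity": 5}),
    (10,  {"proto": "udp", "src": "203.0.113.5",   "sig": "snmp-community-sweep", "severity": 5}),
    (20,  {"proto": "tcp", "src": "198.51.100.44", "sig": "port-sweep",           "severity": 2}),
    (400, {"proto": "tcp", "src": "198.51.100.9",  "sig": "web-exploit-attempt",  "severity": 5}),
]

def replay(alarms=SAMPLE_ALARMS, ttl=SHUN_SECONDS):
    """Run the alarms through a fresh table; return the decisions and the resulting table."""
    table, decisions = ShunTable(ttl), []
    for t, a in alarms:
        decisions.append((t, a["src"], table.consider(a, t)))
    return decisions, table

if __name__ == "__main__":
    decisions, table = replay()
    for t, src, action in decisions:
        print(f"t={t:>4}s {src:>15} -> {action}")
    print("active shuns at t=500s:", table.active(500))
```

Note that the repeat alarm at 400 seconds re-shuns the same source after its first entry has expired; the short window means a persistent source keeps reappearing in the log, which is the signal that an administrator should turn the temporary shun into a permanent filter.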

    Secure Management and Reporting

    Reporting is a design fundamental that addresses the requirement to log suspicious network activity. Additionally, it is also very important to actually read the log entries or summarize them if possible. Without log review, it is not possible to develop a complete picture of a potential security event.

    Another item addressed by this topic includes management of the various network devices in the blueprint. Unlike the SAFE Enterprise blueprint, which utilizes an out-of-band network management method whereby all management traffic traverses a network infrastructure that is separate and distinct from the production network, the SAFE SMR blueprint utilizes an in-band network management scheme. To ensure the confidentiality and integrity of the management traffic, in-band management schemes require the use of encrypted protocols such as SSH, SSL, and IPSec where possible.

    For management of devices outside of a firewall, there are several considerations to take into account:

    • What management protocol does the device support?

    • Should the management channel be active at all times?

    • Is this management channel necessary?


    Answering these three questions provides sufficient analysis in weighing the risks of management traffic outside of the firewall.

    Syslog is the most common, supported method of reporting events on network devices. Synchronizing the time on network devices through the use of NTP further enhances the capability to correlate events from multiple devices.

    Change management also represents a vital link in an overall comprehensive security policy. It is important that any changes done to network infrastructure devices be recorded and that known, good configurations be archived through the use of FTP or TFTP.
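The three practices above, syslog reporting, NTP synchronisation and recorded configuration changes, come together when the log entries are actually read. The following is an added example, not from the book: a Python parser for constructed IOS-style syslog lines that pulls out high-severity events, records who changed a device configuration and from where (the `%SYS-5-CONFIG_I` message), flags devices whose clocks are not NTP-synchronised, and correlates events from different devices that fall within a few seconds of each other. The line shape is assumed to be `<pri>seq: hostname: timestamp: %FACILITY-SEV-MNEMONIC: text`, and the parser relies on the IOS convention of prefixing the timestamp with `*` when the clock is not authoritative and with `.` when NTP synchronisation has been lost. Hostnames, addresses and message contents are constructed.

```python
import re
from datetime import datetime

# Added example (not from the book): parse constructed IOS-style syslog lines and use them for the
# two things the text asks for, correlating events across devices and recording configuration
# changes. Line shape assumed: "<pri>seq: hostname: [*|.]timestamp: %FACILITY-SEV-MNEMONIC: text",
# where IOS marks a timestamp with '*' when the clock is not authoritative (no NTP sync) and with
# '.' when NTP sync has been lost. Hostnames, addresses and messages are constructed.
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<seq>\d+): (?P<host>[\w.-]+): (?P<flag>[*.]?)"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+): (?P<msg>.*)$")

SAMPLE_LOG = """\
<189>101: edge-rtr: Jan  5 12:00:00.120: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.7)
<187>102: core-sw1: Jan  5 12:03:10.450: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/48, changed state to down
<189>103: edge-rtr: Jan  5 12:03:11.010: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
<190>104: edge-rtr: Jan  5 12:20:05.000: %SEC-6-IPACCESSLOGP: list ISP-IN denied tcp 10.4.4.4(4444) -> 203.0.113.10(80), 1 packet
<189>105: lab-sw2: *Mar  1 00:02:17.000: %SYS-5-CONFIG_I: Configured from console by console
<189>106: core-sw1: Jan  5 12:41:00.000: %SYS-5-CONFIG_I: Configured from console by svc-backup on vty1 (10.1.1.9)
"""

def parse(log=SAMPLE_LOG):
    """Return a list of event dicts; lines that do not match the format are skipped, not guessed at."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S.%f")   # year-less; fine for deltas
        e["sev"] = int(e["sev"])
        e["sync"] = {"": "ok", "*": "unauthoritative", ".": "lost"}[e["flag"]]
        events.append(e)
    return events

def unsynced_hosts(events):
    """Devices whose timestamps cannot be trusted for correlation until NTP is fixed."""
    return sorted({e["host"] for e in events if e["sync"] != "ok"})

def high_severity(events, max_sev=3):
    """Events at severity 'error' (3) or worse: the ones to read first."""
    return [(e["host"], f'{e["fac"]}-{e["sev"]}-{e["mn"]}') for e in events if e["sev"] <= max_sev]

def config_changes(events):
    """Change management: who changed a device configuration, and from where."""
    out = []
    for e in events:
        if e["fac"] == "SYS" and e["mn"] == "CONFIG_I":
            m = re.search(r"by (\S+)(?: on (\S+))?(?: \((\S+)\))?", e["msg"])
            out.append((e["host"], m.group(1), m.group(3) or "console"))
    return out

def correlate(events, window=5.0):
    """Cluster events from different devices within `window` seconds; only NTP-synced clocks count."""
    events = sorted((e for e in events if e["sync"] == "ok"), key=lambda e: e["time"])
    groups, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and (events[j + 1]["time"] - events[i]["time"]).total_seconds() <= window:
            j += 1
        if len({e["host"] for e in events[i:j + 1]}) > 1:
            groups.append([(e["host"], f'{e["fac"]}-{e["sev"]}-{e["mn"]}') for e in events[i:j + 1]])
        i = j + 1
    return groups

if __name__ == "__main__":
    ev = parse()
    print("severity <= 3:", high_severity(ev))
    print("config changes:", config_changes(ev))
    print("clock not synced:", unsynced_hosts(ev))
    print("correlated:", correlate(ev))
```

In the sample, the switch's link-down and the router's OSPF adjacency loss land in one cluster only because both devices stamp their messages from NTP-synchronised clocks; the `lab-sw2` entry, whose clock is still at the IOS default of 1 March, is excluded from correlation and reported separately so that its NTP configuration gets fixed.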

