End-to-End Network Security: Defense-in-Depth

• Copyright 2008
• Dimensions: 7-3/8" x 9-1/8"
• Pages: 480
• Edition: 1st

• Book
• ISBN-10: 1-58705-332-2
• ISBN-13: 978-1-58705-332-0

End-to-End Network Security

Defense-in-Depth

Best practices for assessing and improving network defenses and responding to security incidents

Omar Santos

Information security practices have evolved from Internet perimeter protection to an in-depth defense model in which multiple countermeasures are layered throughout the infrastructure to address vulnerabilities and attacks. This is necessary due to increased attack frequency, diverse attack sophistication, and the rapid nature of attack velocity—all blurring the boundaries between the network and perimeter.

End-to-End Network Security is designed to counter the new generation of complex threats. Adopting this robust security strategy defends against highly sophisticated attacks that can occur at multiple locations in your network. The ultimate goal is to deploy a set of security capabilities that together create an intelligent, self-defending network that identifies attacks as they occur, generates alerts as appropriate, and then automatically responds.

End-to-End Network Security provides you with a comprehensive look at the mechanisms to counter threats to each part of your network. The book starts with a review of network security technologies then covers the six-step methodology for incident response and best practices from proactive security frameworks. Later chapters cover wireless network security, IP telephony security, data center security, and IPv6 security. Finally, several case studies representing small, medium, and large enterprises provide detailed example configurations and implementation strategies of best practices learned in earlier chapters.

Adopting the techniques and strategies outlined in this book enables you to prevent day-zero attacks, improve your overall security posture, build strong policies, and deploy intelligent, self-defending networks.

“Within these pages, you will find many practical tools, both process related and technology related, that you can draw on to improve your risk mitigation strategies.”

—Bruce Murphy, Vice President, World Wide Security Practices, Cisco

Omar Santos is a senior network security engineer at Cisco®. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. Prior to his current role, he was a technical leader within the World Wide Security Practice and the Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.

• Guard your network with firewalls, VPNs, and intrusion prevention systems
• Control network access with AAA
• Enforce security policies with Cisco Network Admission Control (NAC)
• Learn how to perform risk and threat analysis
• Harden your network infrastructure, security policies, and procedures against security threats
• Identify and classify security threats
• Trace back attacks to their source
• Learn how to best react to security incidents
• Maintain visibility and control over your network with the SAVE framework
• Apply Defense-in-Depth principles to wireless networks, IP telephony networks, data centers, and IPv6 networks

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Networking: Security

Covers: Network security and incident response

Online Sample Chapter

Identifying and Classifying Network Security Threats

Downloadable Sample Chapter

Download Chapter 3: Identifying and Classifying Security Threats

Table of Contents

Foreword xix

Introduction xx

Part I

Introduction to Network Security Solutions 3

Chapter 1

Overview of Network Security Technologies 5

Firewalls 5

Network Firewalls 6

Network Address Translation (NAT) 7

Stateful Firewalls 9

Deep Packet Inspection 10

Demilitarized Zones 10

Personal Firewalls 11

Virtual Private Networks (VPN) 12

Technical Overview of IPsec 14

Phase 1 14

Phase 2 16

SSL VPNs 18

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) 19

Pattern Matching 20

Protocol Analysis 21

Heuristic-Based Analysis 21

Anomaly-Based Analysis 21

Anomaly Detection Systems 22

Authentication, Authorization, and Accounting (AAA) and Identity Management 23

RADIUS 23

TACACS+ 25

Identity Management Concepts 26

Network Admission Control 27

NAC Appliance 27

NAC Framework 33

Routing Mechanisms as Security Tools 36

Summary 39

 

Part II

Security Lifestyle: Frameworks and Methodologies 41

Chapter 2

Preparation Phase 43

Risk Analysis 43

Threat Modeling 44

Penetration Testing 46

Social Engineering 49

Security Intelligence 50

Common Vulnerability Scoring System 50

Base Metrics 51

Temporal Metrics 51

Environmental Metrics 52

Creating a Computer Security Incident Response Team (CSIRT) 52

Who Should Be Part of the CSIRT? 53

Incident Response Collaborative Teams 54

Tasks and Responsibilities of the CSIRT 54

Building Strong Security Policies 54

Infrastructure Protection 57

Strong Device Access Control 59

SSH Versus Telnet 59

Local Password Management 61

Configuring Authentication Banners 62

Interactive Access Control 62

Role-Based Command-Line Interface (CLI) Access in Cisco IOS 64

Controlling SNMP Access 66

Securing Routing Protocols 66

Configuring Static Routing Peers 68

Authentication 68

Route Filtering 69

Time-to-Live (TTL) Security Check 70

Disabling Unnecessary Services on Network Components 70

Cisco Discovery Protocol (CDP) 71

Finger 72

Directed Broadcast 72

Maintenance Operations Protocol (MOP) 72

BOOTP Server 73

ICMP Redirects 73

IP Source Routing 73

Packet Assembler/Disassembler (PAD) 73

Proxy Address Resolution Protocol (ARP) 73

IDENT 74

TCP and User Datagram Protocol (UDP) Small Servers 74

IP Version 6 (IPv6) 75

Locking Down Unused Ports on Network Access Devices 75

Control Resource Exhaustion 75

Resource Thresholding Notification 76

CPU Protection 77

Receive Access Control Lists (rACLs) 78

Control Plane Policing (CoPP) 80

Scheduler Allocate/Interval 81

Policy Enforcement 81

Infrastructure Protection Access Control Lists (iACLs) 82

Unicast Reverse Path Forwarding (Unicast RPF) 83

Automated Security Tools Within Cisco IOS 84

Cisco IOS AutoSecure 84

Cisco Secure Device Manager (SDM) 88

Telemetry 89

Endpoint Security 90

Patch Management 90

Cisco Security Agent (CSA) 92

Network Admission Control 94

Phased Approach 94

Administrative Tasks 96

Staff and Support 96

Summary 97

Chapter 3

Identifying and Classifying Security Threats 99

Network Visibility 101

Telemetry and Anomaly Detection 108

NetFlow 108

Enabling NetFlow 111

Collecting NetFlow Statistics from the CLI 112

SYSLOG 115

Enabling Logging (SYSLOG) on Cisco IOS Routers and Switches 115

Enabling Logging Cisco Catalyst Switches Running CATOS 117

Enabling Logging on Cisco ASA and Cisco PIX Security Appliances 117

SNMP 118

Enabling SNMP on Cisco IOS Devices 119

Enabling SNMP on Cisco ASA and Cisco PIX Security Appliances 121

Cisco Security Monitoring, Analysis and Response System (CS-MARS) 121

Cisco Network Analysis Module (NAM) 125

Open Source Monitoring Tools 126

Cisco Traffic Anomaly Detectors and Cisco Guard DDoS Mitigation

Appliances 127

Intrusion Detection and Intrusion Prevention Systems (IDS/IPS) 131

The Importance of Signatures Updates 131

The Importance of Tuning 133

Anomaly Detection Within Cisco IPS Devices 137

Summary 139

Chapter 4

Traceback 141

Traceback in the Service Provider Environment 142

Traceback in the Enterprise 147

Summary 151

Chapter 5

Reacting to Security Incidents 153

Adequate Incident-Handling Policies and Procedures 153

Laws and Computer Crimes 155

Security Incident Mitigation Tools 156

Access Control Lists (ACL) 157

Private VLANs 158

Remotely Triggered Black Hole Routing 158

Forensics 160

Log Files 161

Linux Forensics Tools 162

Windows Forensics 164

Summary 165

Chapter 6

Postmortem and Improvement 167

Collected Incident Data 167

Root-Cause Analysis and Lessons Learned 171

Building an Action Plan 173

Summary 174

Chapter 7

Proactive Security Framework 177

SAVE Versus ITU-T X.805 178

Identity and Trust 183

AAA 183

Cisco Guard Active Verification 185

DHCP Snooping 186

IP Source Guard 187

Digital Certificates and PKI 188

IKE 188

Network Admission Control (NAC) 188

Routing Protocol Authentication 189

Strict Unicast RPF 189

Visibility 189

Anomaly Detection 190

IDS/IPS 190

Cisco Network Analysis Module (NAM) 191

Layer 2 and Layer 3 Information (CDP, Routing Tables, CEF Tables) 191

Correlation 192

CS-MARS 193

Arbor Peakflow SP and Peakflow X 193

Cisco Security Agent Management Console (CSA-MC) Basic

Event Correlation 193

Instrumentation and Management 193

Cisco Security Manager 195

Configuration Logger and Configuration Rollback 195

Embedded Device Managers 195

Cisco IOS XR XML Interface 196

SNMP and RMON 196

Syslog 196

Isolation and Virtualization 196

Cisco IOS Role-Based CLI Access (CLI Views) 197

Anomaly Detection Zones 198

Network Device Virtualization 198

Segmentation with VLANs 199

Segmentation with Firewalls 200

Segmentation with VRF/VRF-Lite 200

Policy Enforcement 202

Visualization Techniques 203

Summary 207

 

Part III

Defense-In-Depth Applied 209

Chapter 8

Wireless Security 211

Overview of Cisco Unified Wireless Network Architecture 212

Authentication and Authorization of Wireless Users 216

WEP 216

WPA 218

802.1x on Wireless Networks 219

EAP with MD5 221

Cisco LEAP 222

EAP-TLS 223

PEAP 223

EAP Tunneled TLS Authentication Protocol (EAP-TTLS) 224

EAP-FAST 224

EAP-GTC 225

Configuring 802.1x with EAP-FAST in the Cisco Unified Wireless Solution 226

Configuring the WLC 226

Configuring the Cisco Secure ACS Server for 802.1x and EAP-FAST 229

Configuring the CSSC 233

Lightweight Access Point Protocol (LWAPP) 236

Wireless Intrusion Prevention System Integration 239

Configuring IDS/IPS Sensors in the WLC 241

Uploading and Configuring IDS/IPS Signatures 242

Management Frame Protection (MFP) 243

Precise Location Tracking 244

Network Admission Control (NAC) in Wireless Networks 245

NAC Appliance Configuration 246

WLC Configuration 255

Summary 259

Chapter 9

IP Telephony Security 261

Protecting the IP Telephony Infrastructure 262

Access Layer 266

Distribution Layer 273

Core 275

Securing the IP Telephony Applications 275

Protecting Cisco Unified CallManager 276

Protecting Cisco Unified Communications Manager Express (CME) 277

Protecting Cisco Unity 281

Protecting Cisco Unity Express 287

Protecting Cisco Personal Assistant 289

Hardening the Cisco Personal Assistant Operating Environment 289

Cisco Personal Assistant Server Security Policies 291

Protecting Against Eavesdropping Attacks 293

Summary 295

Chapter 10

Data Center Security 297

Protecting the Data Center Against Denial of Service (DoS) Attacks and Worms 297

SYN Cookies in Firewalls and Load Balancers 297

Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) 300

Cisco NetFlow in the Data Center 301

Cisco Guard 302

Data Center Infrastructure Protection 302

Data Center Segmentation and Tiered Access Control 303

Segmenting the Data Center with the Cisco FWSM 306

Cisco FWSM Modes of Operation and Design Considerations 306

Configuring the Cisco Catalyst Switch 309

Creating Security Contexts in the Cisco FWSM 310

Configuring the Interfaces on Each Security Context 312

Configuring Network Address Translation 313

Controlling Access with ACLs 317

Virtual Fragment Reassembly 322

Deploying Network Intrusion Detection and Prevention Systems 322

Sending Selective Traffic to the IDS/IPS Devices 322

Monitoring and Tuning 325

Deploying the Cisco Security Agent (CSA) in the Data Center 325

CSA Architecture 325

Configuring Agent Kits 326

Phased Deployment 326

Summary 327

Chapter 11

IPv6 Security 329

Reconnaissance 330

Filtering in IPv6 331

Filtering Access Control Lists (ACL) 331

ICMP Filtering 332

Extension Headers in IPv6 332

Spoofing 333

Header Manipulation and Fragmentation 333

Broadcast Amplification or Smurf Attacks 334

IPv6 Routing Security 334

IPsec and IPv6 335

Summary 336

Part IV

Case Studies 339

Chapter 12

Case Studies 341

Case Study of a Small Business 341

Raleigh Office Cisco ASA Configuration 343

Configuring IP Addressing and Routing 343

Configuring PAT on the Cisco ASA 347

Configuring Static NAT for the DMZ Servers 349

Configuring Identity NAT for Inside Users 351

Controlling Access 352

Cisco ASA Antispoofing Configuration 353

Blocking Instant Messaging 354

Atlanta Office Cisco IOS Configuration 360

Locking Down the Cisco IOS Router 360

Configuring Basic Network Address Translation (NAT) 376

Configuring Site-to-Site VPN 377

Case Study of a Medium-Sized Enterprise 389

Protecting the Internet Edge Routers 391

Configuring the AIP-SSM on the Cisco ASA 391

Configuring Active-Standby Failover on the Cisco ASA 394

Configuring AAA on the Infrastructure Devices 400

Case Study of a Large Enterprise 401

Creating a New Computer Security Incident Response Team (CSIRT) 403

Creating New Security Policies 404

Physical Security Policy 404

Perimeter Security Policy 404

Device Security Policy 405

Remote Access VPN Policy 405

Patch Management Policy 406

Change Management Policy 406

Internet Usage Policy 406

Deploying IPsec Remote Access VPN 406

Configuring IPsec Remote Access VPN 408

Configuring Load-Balancing 415

Reacting to a Security Incident 418

Identifying, Classifying, and Tracking the Security Incident or Attack 419

Reacting to the Incident 419

Postmortem 419

Summary 420

Index

422

Foreword

Download the Foreword

Index

Download the Index

Introduction

Download the Introduction

Submit Errata