Network Security Design
This chapter will cover the following topics:
Network designers will often be faced with the situation in which security might be the number one priority for the customer, even above the cost factor. You learn far more in our Cisco CyberOps Associate certification course.
Network Attacks and Countermeasures
From a network design standpoint, security is part of enterprise risk management within the overall business policy mechanisms. Every company must determine the acceptable levels of risk and vulnerabilities based on the value of the corporate assets. Enterprises should also define risk probability and a reasonable expectation of quantifiable loss if a security compromise does occur.
This aspect of risk management is called risk assessment, which is the driving force behind an organization’s written security policies. Network designers will play a key role in developing these security policies, although not in the security implementation phase (this will be the role of another team).
When a network designer is in the process of attack recognition and identifying countermeasures for that specific attack, the designer should consider and plan for the worst situations because modern networks are large, and they can be susceptible to many security threats. The applications and systems in organizations are often very complex and this makes them difficult to analyze, especially when the company uses web applications and services.
Figure 8.1 – High-Level Security Components
The network designer should be able to guarantee to the customer the following important system characteristics (as illustrated above in Figure 8.1):
These three attributes are the core of the enterprise security policy. Confidentiality assures that only authorized individual users, applications, or services can access sensitive data. Integrity implies data will not be changed by unauthorized users or services. Availability of the systems and data should ensure uninterrupted access to computing resources.
Threats to Confidentiality, Integrity, and Availability
A network designer must understand the real threats to the network infrastructure before offering security consultancy services (e.g., risk assessment or business impact analysis). The different categories of threats to confidentiality, integrity, and availability include the following:
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Spoofing (masquerading)
- Telnet attacks
- Password cracking programs
- Trojans and worms
These threats must be analyzed in the context of the campus design modules they affect and the exact system components they target.
Denial of Service Attacks
The main purpose of a Denial of Service (DoS) attack is to make a machine or a network resource unavailable to its intended users. In this particular type of attack, the attacker does not try to get access to a resource; rather, the attacker tries to induce a loss of access to different users or services. The resources can include the following:
- The entire enterprise network
- The CPU of a network device or server
- The memory of a network device or server
- The disk of a network device or server
A DoS attack results in the resource being overloaded (e.g., disk space, bandwidth, memory, buffer overflow, or queue overflow), and this will cause the resource to become unavailable for usage. This can vary from blocking access to a particular resource to actually crashing a network device or server. There are many types of DoS attacks, such as ICMP attacks or TCP flooding.
An advanced form of DoS attack is the Distributed Denial of Service (DDoS) attack, which works by manipulating a large number of systems to launch an attack on a target over the Internet or over an enterprise network. In order to manage a DDoS attack, hackers usually break into weakly secured hosts (e.g., using common security holes in the operating systems or applications used) and compromise the systems by installing malicious code in order to have full access to the victims’ resources. After many systems are compromised, they can be used to launch a massive simultaneous attack on a target that will be overwhelmed with a very large number of illegitimate requests. This scenario is illustrated in Figure 8.2 below:
Figure 8.2 – DoS versus DDoS Attacks
Note: The process of sending illegitimate requests by the attacker to a network resource is also called flooding.
Spoofing (or masquerading) attacks occur when a single host or entity falsely assumes (spoofs) the identity of another host. A common spoofing attack is called the Man in the Middle (MITM) attack, and it works by convincing two different hosts (the sender and the receiver) that the computer in the middle is actually the other host. This is accomplished by using DNS spoofing, in which a hacker compromises a DNS server and explicitly changes the name resolution entries. Figure 8.3 below illustrates this type of attack:
Figure 8.3 – Man in the Middle Attack
Another type of masquerading attack is ARP spoofing, in which the ARP cache is altered and thus the L2 to L3 address mapping entries are changed in order to redirect the traffic through the attacker’s machine. This type of attack is usually targeted within a LAN.
Programs such as Telnet or File Transfer Protocol (FTP) work based on user-based authentication, in which the credentials are sent in clear text (unencrypted) over the wire. These credentials can be captured by attackers using network monitoring tools and they can be used to gain unauthorized access to network devices.
Other related threats in this area are generated by using old unsecured protocols such as rlogin, rcp, or rsh that allow access to different systems. These unsecured protocols should not be used; they should be replaced by protocols such as Secure Shell (SSH) or SSH File Transfer Protocol (SFTP).
Password Cracking Programs
Password cracking software is very easy to find nowadays, and it can be used to compromise password security in different applications or services. The programs work by revealing the password that has been previously encrypted with weak encryption algorithms (e.g., Data encryption Standard – DES).
A way to prevent password cracking from happening is to enforce the company’s security policy as follows:
- Use strong encrypting algorithms (e.g., Advanced Encryption Standard – AES)
- Choose complex passwords (a combination of letters, numbers, and special characters)
- Periodically change the password
A virus is a generic term for any type of program that attaches to individual files on a target system. Once the virus appends its original code to a victim’s file, the victim is infected and the file is changed, and it can infect other files through a process called replication.
The replication process can spread across hard disks and infect the entire operating system. Once a virus is linked to an executable file, it infects other files every time the host file is executed. The following are three major types of viruses based on their location in the system:
- MBR (Master Boot Sector) viruses
- Boot sector viruses
- File viruses
MBR and boot sector viruses affect the boot sector on the physical disk, rendering the operating system unable to boot. File viruses represent the most common type of viruses and they affect different types of files.
Another way to categorize viruses is based on their behavior, such as the following viruses:
- Stealth viruses
- Polymorphic viruses
Stealth viruses use different techniques to hide the fact that a change to the disk drive was made. Polymorphic viruses are difficult to identify because they can mutate (i.e., change their size) and avoid detection by special software. When using virus detection programs, the recommendation is to ensure they are updated as often as possible so they are capable of scanning for new forms of viruses.
Trojans and Worms
Trojan programs consist of unauthorized code that is contained in legitimate programs and perform functions that are hidden to the user. Worms are other illegitimate pieces of software that can be attached to e-mails, and once they are executed, they can propagate themselves within the file system and perform unauthorized functions, such as redirecting user traffic to certain websites.
Network Device Vulnerabilities
An important vulnerable area in the network infrastructure, considering the attacks presented above, is comprised of network devices. The targeted devices can be part of any network module and layer, including Access Layer devices, Distribution Layer devices, or Core Layer equipment. Since network devices such as routers, switches, or other appliances provide embedded security features, you need to ensure that they are secured from intruders.
The first thing you should control is physical access. Critical equipment should be placed in locked rooms that can be accessed only by authorized users, preferable via multiple authentication factors. You also should ensure that the network administrators follow security guidelines in order to avoid human errors, and harden network devices as you would harden hosts or servers by applying the following techniques:
- Enabling only the necessary services
- Using authenticated routing protocols
- Using one-time password configurations
- Providing management access to the device only through secured protocols, such as SSH
- Ensuring that the device operating system is always patched and updated in order to be protected against the latest known vulnerabilities
Network Infrastructure Vulnerabilities
Network infrastructure vulnerabilities are present at every level in the enterprise architecture model, and the attacks aimed to exploit these vulnerabilities can be categorized as follows:
- Reconnaissance attacks
- DoS and DDoS attacks
- Traffic attacks
Reconnaissance is a military term that implies scoping the targets before initiating the actual attack. The reconnaissance attack is aimed at the perimeter defense of the network, including the WAN network or edge modules. This includes activities such as scanning the topology using the following techniques:
- ICMP scanning
- SNMP scanning
- TCP/UDP port scanning
- Application scanning
The scanning procedure uses simple tools, such as Ping or Telnet, but it can also involve using complex tools that scan the network perimeter for vulnerabilities. The reconnaissance attack’s purpose is to find network weaknesses and then apply the most efficient type of attack.
As a countermeasure to these reconnaissance attacks, you can use network access control, including hardware and software firewall products, and you can harden the devices to make sure that only specific ports, specific connections, and specific services are used.
DoS and DDoS attacks are meant to compromise the connectivity and availability to or from the network and can be categorized into the following types:
- Flooding the network with poisoned packets
- Spoofing network traffic
- Exploiting application bugs
Countermeasures that help protect against DoS attacks mainly include using firewall products and ensuring that the network operating systems are updated regularly to include the latest patches. Cisco has a very useful feature in its IOS and firewall products called TCP Intercept, which can be used to prevent SYN flooding attacks that are used against websites, e-mail servers, or other services. This works by intercepting and validating TCP connection requests before they arrive at the server. You can also use QoS mechanisms to filter certain types of traffic.
Because DoS attacks affect the performance of network devices and servers, many large organizations oversize their resources in order to have additional bandwidth, backup connections, and redundancy. In doing so, when DoS attacks do occur, they can compensate the negative effects without critically affecting internal services. The downside of this approach is the cost factor.
Applications and individual host machines are often the ultimate target of the attacker or the malicious user. Generally, the attacker wants to get permissions in order to read sensitive data, write changes to the hard drive, or compromise data confidentiality and integrity.
Attackers try to exploit bugs in the operating system (for servers, hosts, and network devices of the OS) and abuse vulnerabilities in various applications in order to get access to the system. Some applications are very vulnerable because they were not properly tested and were launched without advanced security features in mind.
After getting basic access to a system, attackers will use a tactic called privilege escalation that will provide them system administrator privileges by exploiting vulnerabilities in certain programs and machines. Once they get administrator access, they can either attack the entire system or read/write sensitive and valuable information.
Countermeasures against application and host vulnerabilities include using secure and tested programs and applications. This can be enforced by digitally signing applications to ensure that you use quality components from different vendors. Hosts can be hardened using a variety of techniques to ensure that the machine is locked down and only the appropriate services and applications are used. Firewall and virus detection techniques should also be used and updated often.
Another useful countermeasure is minimizing exposure to outside networks, including the Internet, even though many attacks can come from inside the organization. As organizations get larger, increased attention must be given to the human factor and to inside threats. Network administrators, network designers, and end-users should be carefully trained to use the security policies implemented in the company.
Security Policy Mechanisms
The Cisco network designer may or may not have a role in creating the corporate security policy. Every organization, regardless of size, should have some form of written security policy and procedures, along with a plan for enforcing that policy and a disaster and recovery plan.
Figure 8.4 – Cisco Security Policy Methodology
When initially developing a security policy, Cisco recommends a methodology that is comprised of the following five steps (illustrated in Figure 8.4 above):
- Risk assessment
- Determine and develop the policy
- Implement the policy
- Monitor and test security
- Re-assess and re-evaluate
Risk assessment involves determining what the network threats are, making sure the entire network is documented, and identifying the current vulnerabilities and the countermeasures that are already in place. The second step is determining and developing a security policy. The policy should be based on a wide variety of documents, depending on the organization. The policy should also take into account the company’s strategy, the decision-makers of the company, their obligation to the company, the value of the company’s assets, and prioritization of the security rules.
After the policy is developed, it should be implemented from a hardware and software standpoint. This involves putting into place all the mechanisms involved in the Cisco SAFE blueprint (this will be covered in detail later in this chapter) and applying these to the campus infrastructure modules and submodules. The next step is to monitor and test the security plan, and, finally, to re-evaluate it in order to make changes that will improve the policy.
This methodology closely relates to the PPDIOO design methodology presented earlier. The security policy documentation can be different for each organization and can be based on different international standards. Some common written documents include the following:
- Organizational security policy
- Acceptable use policy
- Access control policy
- Incident handling
- Disaster recovery plan
- Personnel policies and procedures
The organizational security policy is a general document that is signed by the management of the organization and contains high-level considerations, such as its objectives, the scope of the security policy, risk management aspects, the company’s security principles, planning processes (including information classification), and encryption types used in the company.
The acceptable use policy and the personnel policies and procedures detail the way in which individual users and administrators use their access privileges. The access control policy involves password and documentation control policies, and incident handling describes the way a possible threat is handled in order to mitigate a breach in the organization’s security. The disaster recovery plan is another document that should be included in the organizational security policies, and it should detail the procedures that will be followed in case of a total disaster, including applying backup scenarios.
When documenting the security policy, the components may be divided into the major security mechanisms that will be applied in the organization, including the following:
- Physical security
- Data integrity
- Management and reporting
Physical security is often ignored when documenting the security policy. This involves physically securing the data center and the wiring closets; restricting access to network devices, LAN cabling, and the WAN/PSTN connection points; and securing access to endpoint devices such as workstations and printers.
Authentication ensures that the individual users who are actually accessing particular devices on the network are authorized to do so. Authentication is used to determine the identity of the subject and authorization is used to limit access to network devices based on their identity. Confidentiality and data integrity define encryption mechanisms to be used, such as IPSec, digital signatures, or physical biometric user access. Management and reporting involve auditing the network from a security standpoint, logging information, and auditing the actions of users and administrators. This can be supported by the use of Host Intrusion Detection Systems (HIDSs) to ensure that network servers can detect and protect themselves against attacks.
Cisco SAFE Blueprint
The Cisco SAFE (Security Architecture for Enterprise) blueprint provides to network and security designers guidelines for implementing security mechanisms for the Cisco campus design. The SAFE blueprint follows the Enterprise Composite Network Modular approach presented throughout this entire manual. All of the SAFE strategies are applied to each module and component of the enterprise architecture model’s design.
In addition, a strategy called Defense in Depth is used so that if one of the security systems in a module or component fails, the overall network infrastructure will not be compromised.
Note: The complete SAFE blueprint documentation can be found at www.cisco.com/go/safe.
From a network design standpoint, the SAFE blueprint is a security architecture that covers the following aspects:
- Attack mitigation policy
- Enterprise-wide deployment
- Secure reporting and management
- Authentication and authorization
- Ongoing support for emerging technology
The policy for attack mitigation ensures that possible attacks and threats to the organization can be identified and defines the countermeasures that will be used against those attacks. The SAFE blueprint is usually applied in an enterprise-wide deployment, not just to an isolated component. It also provides methods and mechanisms for ensuring that the reporting, management, and auditing are accomplished in a secure fashion. It includes secure authentication and authorization, with strong encryption and digital signing techniques, including Public Key Infrastructure (PKI). It also includes Intrusion Detection Services (IDSs) for critical resources and networks. The SAFE blueprint provides ongoing support from Cisco for all of the emerging technologies it provides.
Securing the Internet Connectivity Block
The SAFE blueprint allows you to apply a systematic approach to security from a modular standpoint. Risk at the Internet connectivity block would include the following (illustrated in Figure 8.5 below):
- Reconnaissance tools
- Port scanning tools
- IP mapping tools
- Mail relay (using SMTP servers to relay spam to other areas of the Internet)
- Malware, including malicious code, viruses, Trojan horses, and worms
Figure 8.5 – Internet Connectivity Block
In order to secure the Internet connectivity block, the SAFE blueprint recommends the use of firewalls, router access lists, and network IDS to mitigate the risks presented above. You should also consider hardening the network devices and servers in that particular block. You can also build DMZ networks to isolate specific devices from the network infrastructure, or you can use HIDS, QoS mechanisms, or application filters to prevent the introduction of malicious code or malware into the network.
Securing the E-commerce Block
For many organizations, the e-commerce block may get its Internet connectivity through the Internet connectivity block or it may have its own connections to an ISP. Regardless of this aspect, the risks and guidelines for the e-commerce block are very similar to the Internet connectivity block recommendations.
According to the SAFE blueprint, in this block (Figure 8.6), you should protect high-profile e-commerce servers, as this is where you will also encounter the defacing of web services technique (i.e., attackers hijacking web pages and adding their own code). The e-commerce block is also vulnerable to DoS and DDoS attacks.
Figure 8.6 – E-commerce Block
Countermeasures in the e-commerce block involve using access lists, filtering, and firewalls that protect the database, applications, or transaction servers. The servers should be hardened by using only the necessary applications and ports. Ensure that the e-commerce applications are secure by frequently updating and patching them. Cisco IDS should also be used, and the e-commerce block should be placed into a dedicated DMZ zone to isolate it from other blocks of the network.
Securing the Remote Access Block
The VPN and remote access block (Figure 8.7) is often connected through the Internet connectivity block to various ISPs, so you should use common techniques for securing it. However, because you will be using VPN technologies, some unique security mechanisms can be implemented.
Because remote access and VPN networks often use the public Internet or the PSTN as their carrier, you should be aware of possible spoofing (or masquerading) techniques that will allow an attacker to impersonate a legitimate client and get remote access or VPN access through the enterprise network. The network becomes vulnerable to spoofing if the attacker is able to steal credentials or to guess an authentication key. Another issue is compromising data confidentiality and integrity, which can happen both from the central remote access block and from the branch/remote offices, meaning the other side of the connection should be properly secured as well.
Figure 8.7 – Remote Access Block
In order to secure the remote access block, you should carefully implement VPN technologies using dedicated equipment (e.g., Cisco ASAs), which includes advanced security mechanisms. You can use the IPSec protocol to assure proper authentication, authorization, and encryption, and IDS and firewall equipment can be used as well.
Securing the WAN Block
In order to secure the WAN block (Figure 8.8) according to the SAFE blueprint, VPN techniques are used to ensure point-to-point secure connections. You should also use strong cryptography methods, such as 3DES or AES, to protect the confidentiality and integrity of the data packets. In addition, use authentication with all the WAN peers and harden the WAN routers to ensure that only the necessary protocols and ports are used. Additional security measures include using filtering techniques based on Cisco access lists on network devices.
Figure 8.8 – WAN Block
Securing the Network Management Submodule
The network management submodule (Figure 8.9) is especially vulnerable to inside attacks. The written security policy should describe the procedures that apply to this submodule, and a best practice is using Authentication, Authorization, and Accounting (AAA) services. AAA services are usually based on RADIUS or TACACS+ servers that will provide authentication.
Figure 8.9 – Network Management Submodule
Other possible problems might involve administrator impersonation for individuals who might want to get administrative-level privileges that will provide them access to all the other blocks in the enterprise campus module. In order to mitigate these threats, you should use strong encryption techniques and SSH, instead of Telnet, for remote administration. You should also harden the servers and network management workstations using HIDS, and use secure management protocols such as SNMPv3. Multiple-factor authentication (i.e., something the user knows, such as a password, and something a user has, such as a token) can be used to ensure that only authorized users have access to the network management system. A capable logging system (e.g., Syslog) should also be put into place in order to gather activity logs for every user who makes modifications to the system.
Note: Special attention must be given to the network management submodule security features because this is the central point of management for all network devices, including security devices that protect other modules (e.g., firewalls or IDS). If an attacker compromises the network management submodule, the attacker can disable the security features in other blocks of the campus infrastructure, making them vulnerable to basic attacks.
Securing the Server Farm Block
In the server farm block (Figure 8.10), the main goal is to protect the servers using strong and secure operating systems and applications. The servers should be periodically verified to ensure that they have all the proper updates and patches, as well as hardened.
Figure 8.10 – Server Farm Block
The server farm block can include firewall policies that will assure proper access control, as well as switch ACLs that will allow only certain traffic to flow at the Data Link Layer. IDS should also be used in this block to ensure secure connectivity to other campus blocks.
Securing the Access Layer Block
The Access Layer block (Figure 8.11) is the place where the end hosts and lower-end access switches are located. In order to secure them, you should use HIDS technologies, in addition to the standard hardening techniques, which will allow only the necessary applications, services, and ports to run.
Figure 8.11 –Access Layer Block
If the Access Layer block also includes complex IP Telephony integration, special measures must be taken to secure the VoIP infrastructure. The same principle applies to wireless networking because these technologies have many particularities from a vulnerability standpoint.
A network designer’s main responsibility includes defining the network and security architecture; the designer should not be concerned with the actual implementation of security mechanisms and deployment of security solutions. From a design standpoint, the network designer should focus on security management concepts, and the CCDA candidate must understand the reasons for network security, including the systematic approaches to manage security.
Cisco invented the concept of the Self-Defending Network, which describes the network infrastructure and the services used in order for the network to respond to attacks while maintaining availability and reliability. Networks should be able to absorb attacks and remain operational without affecting organizational productivity.
Security Threats and Risks
Efficient security mechanisms must address organizational threats and mitigate risks successfully. One characteristic of successful security is being transparent to the end-user. The security manager should maintain a balance between strict security policies and productivity and collaboration. If the security rules are too tight, the users’ experience may be affected and the employees might not be able to fulfill their tasks easily. On the other hand, if the security rules are too permissive, the users’ experience may be improved but the network is more vulnerable.
The network designer should create a secure environment for the organization by preventing attacks, while ensuring that the security features have as little effect on end-user productivity as possible.
A network security implementation must mitigate multiple factors and accomplish the following:
- Block outside malicious users from getting access to the network
- Allow only system, hardware, and application access to authorized users
- Prevent attacks from being sourced internally
- Support different levels of user access using an access control policy
- Safeguard the data from being changed, modified, or stolen
As detailed previously, network threats can be categorized into the following types:
- Unauthorized access
- Denial of Service (DoS)
Reconnaissance is the precursor to a more structured and advanced threat. Many worms, viruses, and Trojan horse attacks usually follow some type of reconnaissance attack. Reconnaissance can also be accomplished through social engineering techniques, for example, gathering information using the human factor. There are several tools that can be used for reconnaissance, including port scanning tools and packet sniffers. The goal is to gather as much information as possible about the target host and network. The information gathered in the reconnaissance phase is used to plan and select the most appropriate attack technique before initiating the attack.
Unauthorized access might relate to operating systems, physical access, or any service that allows for privilege escalation in a system. The final goal is reading or modifying confidential data. DoS attacks overwhelm the resources of different servers or systems in order to prevent them from answering legitimate users’ requests. The affected resources can include memory, CPU, bandwidth, or any other resource that can bring down (i.e., crash) the server or the service. A DoS attack denies service using well-known protocols, such as ICMP, ARP, or TCP, but attackers can also perform a more structured and distributed DoS attack by using several systems to overwhelm an entire network (i.e., sending a very large number of invalid flows).
Vulnerabilities are measurements of the probability of being negatively influenced by a threat (e.g., reconnaissance attack, unauthorized access, or DoS attack). Vulnerabilities are often measured as a function of risk that might include the following:
- Risk to the confidentiality of data
- Risk to the integrity of data
- Risk to the authenticity of systems and users
- Risk to the availability of networking devices
The level of security risks (i.e., vulnerability to threats) must be assessed in order to protect network resources, procedures, and policies. System availability involves uninterrupted access to network-enabled devices and computing resources in order to minimize business disruptions and productivity loss. Data integrity involves making sure data not only is seen by authorized users but also is not modified in transit (i.e., data that leaves the sender node must be identical to the data that enters the receiver node). Data confidentiality should ensure that only legitimate users see sensitive information. Confidentiality is used to prevent data theft and damage to the organization.
The risk assessment process involves identifying all possible targets within the organization and placing a quantitative value on them based on their importance in the business process. Targets include the following:
- Any kind of network infrastructure device (switches, routers, security appliances, wireless access points, and wireless controllers )
- Network services (DNS, ICMP, and DHCP)
- Endpoint devices, especially management stations that perform in-band or out-of-band management
- Network bandwidth, which can be overwhelmed by DoS attacks
Network Security System Lifecycle
Security is one of the main responsibilities of a network design professional, and this includes a solid knowledge of organizational security policies and procedures.
The security policy is a key element in securing network services, offering the necessary level of security, and enhancing network availability, confidentiality, integrity, and authenticity.
Figure 8.12 – Network Security System Lifecycle
The security policy is a small part of a larger network security system lifecycle, as illustrated in Figure 8.12 above, that is driven by an assessment of the business’s needs and comprehensive risk analysis. Risk assessment may also need to be performed, using penetration testing and vulnerability scanning tools.
The security policy contains written documents that include the following:
- Acceptable use policies
- Architectures and infrastructure elements used (e.g., IPSec or 802.1x)
- Granular areas of security policy, such as Internet use policy or access control policy
The written security policy leads to a security system that can include the following elements:
- Cisco ASA devices
- IDSs and IPSs
- 1x port-based authentication
- Device hardening
- Virtual private networking
These system elements are chosen based on a set of guidelines and best practices. The entire process leads to defining the organizational security operations, which involves the actual integration and deployment of the incident response procedures, the monitoring process, compliance with different standards, and implementation of security services (e.g., IPS, proxy authentication, and zone-based firewalls). The diagram presented above is an iterative process, and once the security operations are put into place, the process can step back and the business’s needs can be reassessed, leading to changes being made to the security policy. The network security system lifecycle is an ongoing framework that requires all of its components to be revised and updated periodically.
Security Policy and Procedures
The security policy is the main component of the network security system lifecycle, defined by RFC 2196 as a formal statement of the rules and guidelines that must be followed by the organization’s users, contractors, and temporary employees, and anybody who has access to the company’s data and informational assets. This general framework for organizational security implementation contains the different areas of the organization documented in a modular approach.
One way of approaching security policing is by examining the modular network design of the organization and developing a separate policy for each different module or a single policy that includes all the modules. The modular approach is also recommended when performing risk and threat assessments.
The security policy also creates a security baseline that allows future gap analysis to be performed in order to detect new vulnerabilities and countermeasures. The most important aspects covered by the written security policy and procedures are as follows:
- Identifying the company’s assets
- Determining how the organization’s assets are used
- Defining communication roles and responsibilities
- Describing existing tools and processes
- Defining the security incident handling process
A steering committee will review and eventually publish the security policy after all the component documents are finalized.
Cisco presents a four-step process that defines the security policy methodology that is part of the network security system lifecycle, as illustrated in Figure 8.13 below:
Figure 8.13 – Security Policy Methodology
The first step is to identify and classify the organization’s assets and assign them a quantitative value based on the impact of their loss. The next step is determining the threats to those assets, because threats only matter if they can affect specific assets within the company. One company may assign a higher priority to physical security than to other security aspects, such as protecting against reconnaissance attacks.
Next, a risk and vulnerability assessment is performed to determine the probability of the occurrence of threats. The next step is performed after the security policy is published, and it involves implementing cost-effective mitigation in order to protect the organization. This defines the actual tools, techniques, and applications used to mitigate the threats to which the company is vulnerable. The last step, which is often skipped by many organizations, involves periodically reviewing and documenting the developed security policy.
Many organizations have templates for developing the security policy and some of the common components are as follows:
- The acceptable use policy: This general end-user document defines the roles, responsibilities, and allowed processes, software, and hardware equipment. For example, certain file sharing applications or instant messaging programs can be forbidden.
- Network access control policy: This policy contains general access control principles and can relate to things such as password requirements, password storage, or data classification.
- Security management policy: This policy summarizes the organizational security mechanisms and defines ways to manage the security infrastructure with necessary tools (e.g., CiscoWorks or Cisco NAC).
- Incident handling policy: This document should describe the policies and procedures by which security incidents are handled. It can even include emergency-type scenarios such as Disaster Recovery plans or Business Continuity procedures.
- VPN policy: This dedicated policy covers the virtual private networking technologies used and the various security aspects that concern them. Different policies may be applied for teleworkers, remote access users, or site-to-site VPN users.
- Physical security policy: This involves physical security aspects such as access control (badges, biometrics, and facility security).
- Training and awareness: Ongoing training and awareness campaigns must sustain the organizational security policy, and this is especially applicable to new employees.
The following are the two driving factors behind the security policy:
- The business’s needs and goals
- Risk assessment
Network security requires a comprehensive risk management and risk assessment approach that will help lower the risks to acceptable levels for the organization. These acceptability levels will vary from organization to organization. The risk assessment process leads to the implementation of components included in the security policy. Risk assessment will also be accompanied by the cost-benefit analysis, which will analyze the financial implications of the mitigation (i.e., control) that will be put into place to protect specific assets. For example, money should not be spent protecting certain assets against threats that are not likely to occur.
The risk assessment process involves the following components:
These three components should explain what assets should be secured, their monetary value, and the actual loss that would result if one of those resources were to be affected. The severity and the probability aspects refer to the probability and impact of a certain attack on the organization. The control aspect defines how the policy will be used to control and minimize the risks.
The three components form a risk index (RI), which uses the following formula:
RI = (severity factor * probability factor) / control factor
- The severity factor represents the quantitative loss of a compromised asset.
- The probability factor is a mathematical value of the risk actually occurring.
- The control factor is the ability to control and manage that risk.
For example, the severity factor may have a range of 1 to 5, the probability factor may have a range of 1 to 3, and the control factor may have the same range. Looking at a particular example, if the severity factor for a DoS attack on an e-mail server lasting two hours has a value of 3, the probability factor has a value of 2, and the control factor has a value of 1, then the calculated RI has a value of 6. This calculation should be applied to different areas of the network and should take into account different types of threats.
Risk assessment is an ongoing process that will experience continuous change due to new technologies emerging. The security policy must be updated in order to reflect these infrastructure changes. The following four steps to the risk assessment security lifecycle are illustrated in Figure 8.14 below:
Figure 8.14 – Risk Assessment Security Lifecycle
Securing implies using authentication and identification techniques, ACLs, packet inspection, firewall techniques, IDS and IPS technologies, VPNs, or encryption. The next step is monitoring the processes using Simple Network Management Protocol (SNMP) and Security Device Event Exchange (SDEE). Ongoing vulnerability testing should be provided, along with penetration testing and security auditing, in order to ensure the functionality of each process. The last step is an iterative process that helps improve different areas. Improving is based on data analysis, reports, summaries, and intelligent network design.
Trust and Identity Management
Trust and identity management is another key part of the Cisco Self-Defending Network initiative, and it is a critical aspect for developing secure network systems. Trust and identity management states who can access the network, what systems can access the network, when and where the network can be accessed, and how the access can occur. It also attempts to isolate infected machines and keep them off the network by enforcing access control, by which they are forced to update their signature databases and their applications.
Trust and identity management includes the following components:
- Access control
Trust is the relationship between two or more network entities, for example, a workstation and a firewall appliance. The trust concept will determine security policy decisions. If a trust relationship exists, communication is allowed between the entities. The trust relationship and the level of privilege can be affected by different postures (e.g., an outdated virus signature database or an unpatched system). Devices can be grouped into domains of trust that can have different levels of segmentation.
The identity aspect determines who accesses the network, including users, devices, or other organizations. The authentication of identity is based on the following attributes that make the connection to access control:
- Something that the subject knows (password or PIN)
- Something that the subject has (token or smartcard)
- Something that the subject is (biometrics, such as fingerprint, voice, or facial recognition)
The domains of trust can be implemented with Microsoft Active Directory implementation and they can be based on the Cisco design methodology. In large organizations and across the Internet, certificates play an important role in proving the user’s identity and the right to access information and services.
Access controls in enterprise organizations typically rely on AAA services. AAA solutions can use an intermediate authenticator device (e.g., a router, switch, or firewall) that can leverage some back-end services, such as Cisco Access Control Server (ACS) or various RADIUS or TACACS+ servers. Authentication establishes user or system identity and access to network resources, while authorization services define what users can access. The accounting part provides an audit trail that can be used for billing services (e.g., recording the duration of a user connection to a particular service). Most of the modern Cisco devices can act as authenticators and can pass user authentication requests to RADIUS/TACACS+ servers.
Secure connectivity is another component of the Cisco Self-Defending Network that works closely with the trust and identity management concepts described above. This implies using secure technologies to connect endpoints. Examples include the following:
- Using IPSec inside the organization and over the insecure Internet
- Using SSH to replace insecure technologies, such as Telnet, for console access
- Using SSL/TLS (HTTPS) secure connectivity in web browsers
- Using solutions from service providers, such as Multi-Protocol Label Switching Virtual Private Networks (MPLS VPNs)
The primary goal of trust and identity services when combined with secure connectivity is infrastructure protection. This can be accomplished, from a Cisco standpoint, using a wide variety of integrated hardware security features, such as the following:
- Cisco ASA devices, including the 5500 family (ASA 5510, 5520, 5540, and so on)
- Routers using IOS security feature sets that include basic firewalls, zone-based firewalls, IPS functionality, IPSec VPNs, Dynamic Multipoint VPNs (DMVPNs), or SSL VPNs for web-based clients
- Cisco Catalyst switches with firewall, IDS, or VPN modules and other Layer 2 security features (e.g., 802.1x port-based authentication). The Cisco Catalyst 6500 series switch is a modular switch offering support for a wide variety of service modules that can help enhance network security. Examples of these modules include Cisco Firewall Services Module (FWSM), Cisco Intrusion Detection System Services Module (IDSM-2), and the Cisco SSL Services Module.
Note: 802.1x is also known as Identity Based Network Services (IBNS) in the Cisco world.
Threat Defense Best Practices
Some of the best practices for protecting the network infrastructure through trust and identity include the following:
- Using AAA services with the Cisco ACS server or other RADIUS/TACACS+ servers
- Using 802.1x
- Logging using Syslog and SDEE (the protocol used by Cisco IDS/IPS sensors to send information to the management stations) to create comprehensive reports
- Using SSH instead of Telnet to avoid any management traffic crossing the network in clear text
- Using secure versions of management protocols, such as SNMPv3 (it authenticates the client and the server), NTPv3, and SFTP
- Harden all network devices by making sure unnecessary services are disabled
- Using authentication between devices that are running dynamic routing protocols
- Using the Cisco one-step lockdown feature on network devices to harden them
- Using ACLs to restrict management access, allowing only certain hosts to access the network devices
- Using IPSec as an internal (encrypting management or other sensitive traffic) or external (VPN) solution
- Using Cisco Network Admission Control ( NAC ) solution, which ensures that network clients and servers are patched and updated in an automated and centralized fashion, with the newest anti-virus, anti-spam, and anti-spyware mitigation tools
An enterprise network design must include security measures to mitigate network attacks. Fortunately, with the modularity of the Cisco enterprise architecture model, you can address security concerns on a module-by-module basis.
Organizational requirements and potential threats determine the scope of a security design. At its essence, network security measures should not only defend against attacks and guard against unauthorized access but also prevent data theft and comply with security legislation, industry standards, and company policy.
Consider the following threats and risks facing today’s enterprise networks:
- Reconnaissance: This type of attack gathers information about the target of an attack using different tools, such as port-scanning software.
- Gaining system access: Attackers often attempt to gain access to the system after they gather information about their target. The most common approaches include social engineering or exploiting known system vulnerabilities.
- Denial of Service (DoS) attacks: A DoS attack can flood a system with traffic, thereby consuming the system’s processor and bandwidth.
- Data confidentiality: Companies should ensure that sensitive data on their systems is protected against theft.
- Data integrity: In addition to stealing data, attackers could also modify sensitive data.
- Data availability: A DoS attack could make a system crash, so security measures should be used to maintain system and data availability.
When designing a network security solution, realize that although hosts are the primary targets of an attack, other potential network targets also need protection. Other potential attack targets include routers, switches, DHCP/DNS servers, user PCs, IP phones, and IDS/IPS devices, in addition to the bandwidth available in the network infrastructure.
To guide security design decisions and provide guidelines for future security enforcement, organizations must formulate a security policy. A security policy is a documented set of rules that specify how users are allowed (or are not allowed) to access an organization’s technology and data.
Other considerations in a security design include the following:
- Business’s needs
- Risk analysis
- Industry best practices
- Security operations
In addition to a security policy, organizations might need to prepare the following documents to address specific risk categories:
- Network access control policy
- Acceptable use policy
- Security management policy
- Incident handling policy
An organization’s security policy is a continually evolving document that changes in response to technology and organizational requirements. Network designers use the following four steps to secure the network continually:
Security must be fully integrated into a network to combat data theft; as a result, Cisco has defined the concept of the Self-Defending Network to leverage the security abilities of network components in order to protect the network from both internal and external threats. Network security integration consists of the following components:
- Trust and identity management, including trust, identity, and access control
- Threat defense, including physical security, infrastructure protection, and threat detection and mitigation
- Secure connectivity, including privacy and data integrity
The Cisco Self-Defending Network is based on an underlying secure network platform (e.g., Cisco routers, Cisco Catalyst switches, and Cisco Adaptive Security Appliances). Layered on top of the network platform are advanced security technologies and services. The use of these technologies is then governed by security policies and security management applications. These security management applications are used by network administrators to monitor and control the network.
Network managers and administrators must be intimately familiar with the security policies and predefined procedures when responding to a security breach. A thorough understanding of these policies can help provide an efficient incident response.
To secure a network, security solutions should be integrated into all parts of the network, using the following network elements:
- Cisco IOS router
- Adaptive Security Appliance (ASA)
- Intrusion Prevention System (IPS)
- Cisco Catalyst Service Modules
The Cisco Self-Defending Network allows network designers to specify security features throughout the network. Typical security solutions for the enterprise network modules include the following techniques:
- Identity and access control
- Threat detection and mitigation
- Infrastructure protection
- Security management