End-to-End Network Security
Defense-in-Depth
Best practices for assessing and improving network defenses and responding to security incidents
Omar Santos
Information security practice has moved from protecting the Internet perimeter to a defense-in-depth model in which multiple countermeasures are layered throughout the infrastructure to address vulnerabilities and attacks. The change is driven by the increased frequency, sophistication, and speed of attacks, which together blur the boundary between the network and its perimeter.
End-to-End Network Security is designed to counter the new generation of complex threats. Adopting this robust security strategy defends against highly sophisticated attacks that can occur at multiple locations in your network. The ultimate goal is to deploy a set of security capabilities that together create an intelligent, self-defending network that identifies attacks as they occur, generates alerts as appropriate, and then automatically responds.
End-to-End Network Security provides a comprehensive look at the mechanisms available to counter threats to each part of your network. The book starts with a review of network security technologies, then covers a six-step methodology for incident response and best practices drawn from proactive security frameworks. Later chapters cover wireless network security, IP telephony security, data center security, and IPv6 security. Finally, case studies representing small, medium, and large enterprises provide detailed example configurations and implementation strategies for the best practices introduced in earlier chapters.
Adopting the techniques and strategies outlined in this book helps you defend against zero-day attacks, improve your overall security posture, build strong policies, and deploy intelligent, self-defending networks.
“Within these pages, you will find many practical tools, both process related and technology related, that you can draw on to improve your risk mitigation strategies.”
—Bruce Murphy, Vice President, World Wide Security Practices, Cisco
Omar Santos is a senior network security engineer at Cisco®. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. Prior to his current role, he was a technical leader within the World Wide Security Practice and the Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Category: Networking: Security
Covers: Network security and incident response
Sample chapter available for download: Chapter 3, Identifying and Classifying Security Threats
Table of Contents

Foreword
Introduction

Part I: Introduction to Network Security Solutions

Chapter 1: Overview of Network Security Technologies
  Firewalls
    Network Firewalls
    Network Address Translation (NAT)
    Stateful Firewalls
    Deep Packet Inspection
    Demilitarized Zones
    Personal Firewalls
  Virtual Private Networks (VPN)
    Technical Overview of IPsec
      Phase 1
      Phase 2
    SSL VPNs
  Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
    Pattern Matching
    Protocol Analysis
    Heuristic-Based Analysis
    Anomaly-Based Analysis
  Anomaly Detection Systems
  Authentication, Authorization, and Accounting (AAA) and Identity Management
    RADIUS
    TACACS+
    Identity Management Concepts
  Network Admission Control
    NAC Appliance
    NAC Framework
  Routing Mechanisms as Security Tools
  Summary

Part II: Security Lifestyle: Frameworks and Methodologies

Chapter 2: Preparation Phase
  Risk Analysis
    Threat Modeling
    Penetration Testing
    Social Engineering
  Security Intelligence
    Common Vulnerability Scoring System
      Base Metrics
      Temporal Metrics
      Environmental Metrics
  Creating a Computer Security Incident Response Team (CSIRT)
    Who Should Be Part of the CSIRT?
    Incident Response Collaborative Teams
    Tasks and Responsibilities of the CSIRT
  Building Strong Security Policies
  Infrastructure Protection
    Strong Device Access Control
      SSH Versus Telnet
      Local Password Management
      Configuring Authentication Banners
      Interactive Access Control
      Role-Based Command-Line Interface (CLI) Access in Cisco IOS
      Controlling SNMP Access
    Securing Routing Protocols
      Configuring Static Routing Peers
      Authentication
      Route Filtering
      Time-to-Live (TTL) Security Check
    Disabling Unnecessary Services on Network Components
      Cisco Discovery Protocol (CDP)
      Finger
      Directed Broadcast
      Maintenance Operations Protocol (MOP)
      BOOTP Server
      ICMP Redirects
      IP Source Routing
      Packet Assembler/Disassembler (PAD)
      Proxy Address Resolution Protocol (ARP)
      IDENT
      TCP and User Datagram Protocol (UDP) Small Servers
      IP Version 6 (IPv6)
    Locking Down Unused Ports on Network Access Devices
    Control Resource Exhaustion
      Resource Thresholding Notification
      CPU Protection
        Receive Access Control Lists (rACLs)
        Control Plane Policing (CoPP)
        Scheduler Allocate/Interval
    Policy Enforcement
      Infrastructure Protection Access Control Lists (iACLs)
      Unicast Reverse Path Forwarding (Unicast RPF)
    Automated Security Tools Within Cisco IOS
      Cisco IOS AutoSecure
      Cisco Secure Device Manager (SDM)
    Telemetry
  Endpoint Security
    Patch Management
    Cisco Security Agent (CSA)
  Network Admission Control
    Phased Approach
    Administrative Tasks
    Staff and Support
  Summary

Chapter 3: Identifying and Classifying Security Threats
  Network Visibility
  Telemetry and Anomaly Detection
    NetFlow
      Enabling NetFlow
      Collecting NetFlow Statistics from the CLI
    SYSLOG
      Enabling Logging (SYSLOG) on Cisco IOS Routers and Switches
      Enabling Logging on Cisco Catalyst Switches Running CatOS
      Enabling Logging on Cisco ASA and Cisco PIX Security Appliances
    SNMP
      Enabling SNMP on Cisco IOS Devices
      Enabling SNMP on Cisco ASA and Cisco PIX Security Appliances
    Cisco Security Monitoring, Analysis and Response System (CS-MARS)
    Cisco Network Analysis Module (NAM)
    Open Source Monitoring Tools
    Cisco Traffic Anomaly Detectors and Cisco Guard DDoS Mitigation Appliances
  Intrusion Detection and Intrusion Prevention Systems (IDS/IPS)
    The Importance of Signature Updates
    The Importance of Tuning
    Anomaly Detection Within Cisco IPS Devices
  Summary

Chapter 4: Traceback
  Traceback in the Service Provider Environment
  Traceback in the Enterprise
  Summary

Chapter 5: Reacting to Security Incidents
  Adequate Incident-Handling Policies and Procedures
  Laws and Computer Crimes
  Security Incident Mitigation Tools
    Access Control Lists (ACL)
    Private VLANs
    Remotely Triggered Black Hole Routing
  Forensics
    Log Files
    Linux Forensics Tools
    Windows Forensics
  Summary

Chapter 6: Postmortem and Improvement
  Collected Incident Data
  Root-Cause Analysis and Lessons Learned
  Building an Action Plan
  Summary

Chapter 7: Proactive Security Framework
  SAVE Versus ITU-T X.805
  Identity and Trust
    AAA
    Cisco Guard Active Verification
    DHCP Snooping
    IP Source Guard
    Digital Certificates and PKI
    IKE
    Network Admission Control (NAC)
    Routing Protocol Authentication
    Strict Unicast RPF
  Visibility
    Anomaly Detection
    IDS/IPS
    Cisco Network Analysis Module (NAM)
    Layer 2 and Layer 3 Information (CDP, Routing Tables, CEF Tables)
  Correlation
    CS-MARS
    Arbor Peakflow SP and Peakflow X
    Cisco Security Agent Management Console (CSA-MC) Basic Event Correlation
  Instrumentation and Management
    Cisco Security Manager
    Configuration Logger and Configuration Rollback
    Embedded Device Managers
    Cisco IOS XR XML Interface
    SNMP and RMON
    Syslog
  Isolation and Virtualization
    Cisco IOS Role-Based CLI Access (CLI Views)
    Anomaly Detection Zones
    Network Device Virtualization
    Segmentation with VLANs
    Segmentation with Firewalls
    Segmentation with VRF/VRF-Lite
  Policy Enforcement
  Visualization Techniques
  Summary

Part III: Defense-in-Depth Applied

Chapter 8: Wireless Security
  Overview of Cisco Unified Wireless Network Architecture
  Authentication and Authorization of Wireless Users
    WEP
    WPA
    802.1x on Wireless Networks
      EAP with MD5
      Cisco LEAP
      EAP-TLS
      PEAP
      EAP Tunneled TLS Authentication Protocol (EAP-TTLS)
      EAP-FAST
      EAP-GTC
    Configuring 802.1x with EAP-FAST in the Cisco Unified Wireless Solution
      Configuring the WLC
      Configuring the Cisco Secure ACS Server for 802.1x and EAP-FAST
      Configuring the CSSC
  Lightweight Access Point Protocol (LWAPP)
  Wireless Intrusion Prevention System Integration
    Configuring IDS/IPS Sensors in the WLC
    Uploading and Configuring IDS/IPS Signatures
  Management Frame Protection (MFP)
  Precise Location Tracking
  Network Admission Control (NAC) in Wireless Networks
    NAC Appliance Configuration
    WLC Configuration
  Summary

Chapter 9: IP Telephony Security
  Protecting the IP Telephony Infrastructure
    Access Layer
    Distribution Layer
    Core
  Securing the IP Telephony Applications
    Protecting Cisco Unified CallManager
    Protecting Cisco Unified Communications Manager Express (CME)
    Protecting Cisco Unity
    Protecting Cisco Unity Express
    Protecting Cisco Personal Assistant
      Hardening the Cisco Personal Assistant Operating Environment
      Cisco Personal Assistant Server Security Policies
  Protecting Against Eavesdropping Attacks
  Summary

Chapter 10: Data Center Security
  Protecting the Data Center Against Denial of Service (DoS) Attacks and Worms
    SYN Cookies in Firewalls and Load Balancers
    Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS)
    Cisco NetFlow in the Data Center
    Cisco Guard
  Data Center Infrastructure Protection
  Data Center Segmentation and Tiered Access Control
    Segmenting the Data Center with the Cisco FWSM
      Cisco FWSM Modes of Operation and Design Considerations
      Configuring the Cisco Catalyst Switch
      Creating Security Contexts in the Cisco FWSM
      Configuring the Interfaces on Each Security Context
      Configuring Network Address Translation
      Controlling Access with ACLs
      Virtual Fragment Reassembly
  Deploying Network Intrusion Detection and Prevention Systems
    Sending Selective Traffic to the IDS/IPS Devices
    Monitoring and Tuning
  Deploying the Cisco Security Agent (CSA) in the Data Center
    CSA Architecture
    Configuring Agent Kits
    Phased Deployment
  Summary

Chapter 11: IPv6 Security
  Reconnaissance
  Filtering in IPv6
    Filtering Access Control Lists (ACL)
    ICMP Filtering
    Extension Headers in IPv6
  Spoofing
  Header Manipulation and Fragmentation
  Broadcast Amplification or Smurf Attacks
  IPv6 Routing Security
  IPsec and IPv6
  Summary

Part IV: Case Studies

Chapter 12: Case Studies
  Case Study of a Small Business
    Raleigh Office Cisco ASA Configuration
      Configuring IP Addressing and Routing
      Configuring PAT on the Cisco ASA
      Configuring Static NAT for the DMZ Servers
      Configuring Identity NAT for Inside Users
      Controlling Access
      Cisco ASA Antispoofing Configuration
      Blocking Instant Messaging
    Atlanta Office Cisco IOS Configuration
      Locking Down the Cisco IOS Router
      Configuring Basic Network Address Translation (NAT)
      Configuring Site-to-Site VPN
  Case Study of a Medium-Sized Enterprise
    Protecting the Internet Edge Routers
    Configuring the AIP-SSM on the Cisco ASA
    Configuring Active-Standby Failover on the Cisco ASA
    Configuring AAA on the Infrastructure Devices
  Case Study of a Large Enterprise
    Creating a New Computer Security Incident Response Team (CSIRT)
    Creating New Security Policies
      Physical Security Policy
      Perimeter Security Policy
      Device Security Policy
      Remote Access VPN Policy
      Patch Management Policy
      Change Management Policy
      Internet Usage Policy
    Deploying IPsec Remote Access VPN
      Configuring IPsec Remote Access VPN
      Configuring Load Balancing
    Reacting to a Security Incident
      Identifying, Classifying, and Tracking the Security Incident or Attack
      Reacting to the Incident
      Postmortem
  Summary

Index