Designing Network Security (Cisco Press), part 4 (ppsx)


Some implementation details are given as examples of how to carry out part of the policy. Most of the implementation details are found in Chapters 8, 9, and 10, which detail specific features and considerations.

Note: Incident response handling is also part of the planning and implementation phase but, because of its importance and breadth, it is detailed separately in Chapter 7, "Incident Handling."

Physical Security Controls

Physical security controls are those controls pertaining to the physical infrastructure, physical device security, and physical access. Do you expect intruders to tap into your infrastructure to eavesdrop on transmitted data? How easy or difficult is it for intruders to gain physical access to the important network infrastructure devices?

If the corporate network has not yet been created at an existing site, you should consider the physical security controls available in its planning phase. For existing networks, if a security policy is being created or modified to accommodate changing environments, it might be necessary to change the physical infrastructure or the locations of some critical pieces of equipment to make the security policy easier to implement. After you have incorporated the physical security controls into the policy, as the corporation grows and new sites are added, you should consider the network physical security controls as each site is constructed.

Physical Network Infrastructure

The physical network infrastructure encompasses both the selection of the appropriate media type and the path of the physical cabling (the network topography). You want to ensure that no intruder is able to eavesdrop on the data traversing the network and that all critical systems have a high degree of availability.

Physical Media Selection

From a security point of view, the type of cable chosen for various parts of the network can depend on the sensitivity of the information traveling over that cable.
The three most common cable types used in networking infrastructures are twisted pair, coax, and optical fiber. Optical fiber is most often used in high-bandwidth and long-haul environments. Unlike either twisted pair or coax, optical fiber does not radiate any energy and, therefore, provides a very high degree of security against eavesdropping. Optical fiber is also much more difficult to tap into than either twisted pair or coax cable.

Wire taps can sometimes be detected by using tools to measure the physical attenuation of a cable. Typically, a time domain reflectometer (TDR) is used to check coax cable, and an optical time domain reflectometer (OTDR) is used for optical fiber cable. These devices are used mainly to measure signal attenuation and the length of an installed cable base; sometimes, however, they can also detect illegal wire taps.

Let's take a look at how you can detect taps in fiber optic cable using an OTDR. One of the things an eavesdropper needs when tapping into an optical cable is an optical splitter. The insertion of an optical splitter into an optical cable allows the tap to be made, but it also affects the signal level in the media. This level can be measured. If a benchmark optical signal level is observed at several points along the topology of an optical media network, any conventional optical tap inserted into the network should be observable.

Figure 6-1 shows an initial OTDR fiber optic cable trace between two buildings. Figure 6-2 shows the fiber optic trace taken after an optical splitter was inserted into the length of the fiber cable.

Figure 6-1: A Baseline OTDR Measurement

Design and Implementation of the Corporate Security Policy http://wwwin.cisco.com/cpress/cc/td/cpress/internl/dns/ch06.htm (3 of 28) [02/02/2001 17.32.47]
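The baseline-then-compare procedure described above can be automated once the OTDR's event table (distance and loss of each reflective or attenuation event) has been exported. The following is an added example written for this page, not code from the book or from Cisco: it compares a stored baseline event table with a later trace of the same fiber and flags events that were not there before or whose loss has grown. The two event tables are constructed sample data (a launch connector, one splice, a far-end connector, and a new 3.4 dB event where a 50/50 splitter was assumed to be inserted); the tolerances are assumptions to be tuned to your plant. As the book's note warns, a carefully placed tap can stay below these thresholds, so treat a clean comparison as confidence in the plant, not proof of its integrity.

```python
# Added example (not from the book): compare a baseline OTDR event table against a
# later trace of the same fiber and flag loss events that were not there before.
# A conventional optical splitter shows up as a new, fairly large loss event.
# Both event tables below are constructed sample data, not real measurements.
from dataclasses import dataclass


@dataclass(frozen=True)
class OtdrEvent:
    distance_m: float  # distance from the launch end of the fiber
    loss_db: float     # insertion loss attributed to this event


def find_suspicious_events(baseline, current,
                           position_tolerance_m=5.0,   # assumed: OTDR distance jitter
                           loss_tolerance_db=0.3):     # assumed: normal splice/connector drift
    """Return (event, reason) pairs for events in `current` that either have no
    baseline counterpart within position_tolerance_m ("new event") or whose loss
    grew by more than loss_tolerance_db compared with the baseline event."""
    findings = []
    for ev in current:
        match = next((b for b in baseline
                      if abs(b.distance_m - ev.distance_m) <= position_tolerance_m),
                     None)
        if match is None:
            findings.append((ev, "new event"))
        elif ev.loss_db - match.loss_db > loss_tolerance_db:
            findings.append((ev, "loss increased by %.2f dB" % (ev.loss_db - match.loss_db)))
    return findings


def total_loss_db(events):
    """End-to-end loss implied by the event table (sum of the event losses)."""
    return round(sum(e.loss_db for e in events), 2)


# Constructed baseline: launch connector, one fusion splice, far-end connector.
BASELINE = [
    OtdrEvent(0.0, 0.50),
    OtdrEvent(820.0, 0.10),
    OtdrEvent(1900.0, 0.50),
]

# Constructed later trace: the splice drifted 0.10 -> 0.15 dB (within tolerance)
# and a new ~3.4 dB event appeared at 1240 m, consistent with a 50/50 tap
# splitter (3 dB split plus excess loss).
CURRENT = [
    OtdrEvent(0.0, 0.50),
    OtdrEvent(821.0, 0.15),
    OtdrEvent(1240.0, 3.40),
    OtdrEvent(1900.0, 0.50),
]


if __name__ == "__main__":
    for ev, reason in find_suspicious_events(BASELINE, CURRENT):
        print("%.0f m: %.2f dB (%s)" % (ev.distance_m, ev.loss_db, reason))
    print("baseline loss %.2f dB, current loss %.2f dB"
          % (total_loss_db(BASELINE), total_loss_db(CURRENT)))
```

Run against the constructed data, only the 1240 m event is reported, and the end-to-end loss rises from 1.10 dB to 4.55 dB; the splice drift stays silent because it is inside the tolerance. Keep the baseline table with the cable plant records and re-run the comparison on the periodic verification schedule the book recommends.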
Figure 6-2: The OTDR Measurement After the Fiber Optic Splitter Is Inserted

Although these types of traces can be an indication that an illegal tap might be in place, they are most useful in detecting cable degradation problems.

Note: An expert can insert a tap in a way that isn't easily detectable by a TDR or OTDR. However, it is good practice to take an initial baseline signal level of the physical cable infrastructure and periodically verify the integrity of the physical cable plant. Even if it doesn't detect unauthorized media taps, the measurement will give you some confidence in the integrity of the cable infrastructure.

When choosing the transmission media to install for various segments of the network infrastructure, it is important to ensure that eavesdropping on the physical wire becomes proportionally more difficult as the data on that wire becomes more sensitive. In addition, if it is important that the transmission media be secure, the entire data path must be secure (see Figure 6-3).

Figure 6-3: An Example of Consistent Transmission Media Use

Figure 6-3 shows a large medical facility with two buildings connected by an FDDI ring. Because the server holding the patient records is located in the administrative building, and the doctor retrieving the information is located in the hospital building, both the backbone segment and the LAN segments of the network use optical fiber. It is very difficult for someone to gain access to patient information by tapping into optical fiber.

Note: Although it is useful to keep the possibility of tapping in mind, in today's typical corporate network there is very little need for an "unauthorized" tap. Why bother with all the cloak-and-dagger stuff when there are all these PCs and workstations already attached to the network?
All the thief has to do is run a program on any authorized workstation or PC to put its network controller into promiscuous mode; then the thief can "sniff" the network at his or her leisure. Several shareware programs can do this now; they are available for Windows, Linux, Solaris, and others. There is no need for a thief to set up a dedicated sniffer on the network anymore. Because there is no way to prevent anyone from running such a program on a Macintosh or a PC running Windows 95/98, there isn't much point in worrying about restricting the ability to sniff. Even a policy stating that anyone caught sniffing the corporate network will be fired probably won't be very helpful, because sniffing is very hard to detect. The question is therefore reversed: what you now ask is, "How do we prevent people who are sniffing the network from reading the contents of the packets they've sniffed?" The answer is obviously some form of encryption.

Network Topography

The physical path of the media, also known as the network topography, is a concern for the availability of the network and its attached devices. It touches on both the reliability and the security of the infrastructure. It is important to have a structured cabling system that minimizes the risk of downtime. Imagine a large campus environment with multiple buildings. If the topography of the backbone network infrastructure is not a true starred network with common conduits at the base of the star, a construction worker with a backhoe could bring down large portions of the network (see Figure 6-4). However, if alternative physical paths are made available (that is, if you create a true starred network), only small portions of the network might become inaccessible if a physical cable fails (see Figure 6-5).
Figure 6-4: A Sample Physical Topography

Figure 6-5: A True Starred Physical Topography

The cable infrastructure should also be well secured to prevent access to any part of it. If cables installed between buildings are buried underground, they must be buried a minimum of 40 inches, although local regulations might dictate other guidelines. Sometimes, cables can be encased in concrete to provide maximum protection. The International Telecommunication Union has a number of recommendations (the Series L Recommendations) that cover the construction, installation, and protection of cable plants. These guidelines can be found at http://info.itu.ch/itudoc/itu-t/rec/l.html.

Physical Device Security

Physical device security is sometimes understated. Intruders with enough incentive will think of anything to get at what they want. Physical device security includes identifying the location of the devices, limiting physical access, and having appropriate environmental safeguards in place.

Physical Location

The location of critical network resources is extremely important. All network infrastructure equipment should be physically located in restricted access areas to eliminate the possibility of unauthorized access by physical proximity. Facility issues can be a horrific nightmare, but when it comes to creating space for wiring closets that house critical infrastructure equipment, such as switches, firewalls, modems, and routers, it is imperative that you fight for whatever autonomous space there is. Don't overlook any aspect of the physical facility. Having a secure lock on a wiring closet does not provide much protection if you can go through the ceiling panels to get into the room.
The infrastructure equipment includes more than just the networks and the routers, firewalls, switches, and network access servers that interconnect the networks. Infrastructure equipment also includes the servers that provide the various network services:

● Network management (SNMP)
● Domain Name Service (DNS)
● Network time (NTP)
● Network File System (NFS)
● HyperText Transfer Protocol (HTTP)
● User authentication and authorization (TACACS+, RADIUS, Kerberos)
● Network audit and intrusion detection

Most of these servers can be segmented into a common area to make access control measures easier to apply. However, you must also be sure that adequate redundancy needs are met to ensure the availability of these critical services.

Note: Whenever possible, incorporate security controls for cases in which physical access might be compromised. For example, protect console access using authentication mechanisms, and use screen savers with authentication mechanisms for critical servers.

Here is another area of concern that is sometimes overlooked. When printing confidential configuration files or faxing configurations, there is the possibility that the printouts from printers or fax machines might fall into the wrong hands. You might want to make it a requirement to put all sensitive printers and fax machines on a LAN segment that is physically located in a room with controlled access. You must also have a way to dispose of the printouts and documents securely; shredding is not out of the question.

Physical Access

Who has access to the wiring closets and restricted locations? The physical access requirements of controlled areas are determined largely by the results of the risk analysis or a physical security survey.
It is good practice to restrict physical access to wiring closets and locations of critical network infrastructure equipment. Access to these areas should not be permitted unless the person is specifically authorized or requires access to perform his or her job.

Note: The following is a true story. Although it might represent a rare occurrence, it is best to avoid any such instances if possible. A network connection was down, and some resources were unavailable. After some time spent analyzing possible problems, the equipment closet was inspected. It turned out that the cable connecting the LAN to the router had been disconnected. A maintenance worker had been working in another part of the closet, found the wire to be in the way, and disconnected it. When his work was finished, he forgot to reconnect it. A more devious example is that of a competitor posing as a maintenance worker and gaining access to confidential information.

Part of the physical security policy should be to require contract maintenance personnel, or others who are not authorized for unrestricted access but who must be in the controlled area, to be escorted by an authorized person or to sign in before entering the controlled area. To ensure an enforceable physical security policy, it is essential that people's work areas mesh well with access restrictions. If these conditions are not met, well-meaning employees will find ways to circumvent your physical security (for example, they will jam doors open rather than lock and unlock them 15 times per hour).

If your facility provides temporary network access for visitors to connect back to their home networks (for example, to read e-mail), plan the service carefully. Define precisely where you will provide it so that you can ensure the necessary physical access security. A typical example is at large industry meetings; if these meetings are hosted at a corporate facility, the host corporation usually has a network for guests.
This network should reside in a single area, and access should be given only to conference attendees.

Environmental Safeguards

Adequate environmental safeguards must be installed and implemented to protect critical networked resources. The sensitivity or criticality of the system determines whether security is "adequate." The more critical a system, the more safeguards must be put in place to ensure that the resource is available at all costs. At a minimum, you should consider the following environmental safeguards:

● Fire prevention, detection, suppression, and protection
● Water hazard prevention, detection, and correction
● Electric power supply protection
● Temperature control
● Humidity control
● Natural disaster protection from earthquakes, lightning, windstorms, and so on
● Protection from excessive magnetic fields
● Good housekeeping procedures for protection against dust and dirt

The last item might seem a little extreme, but anyone who has worked with fiber optic equipment knows that it has been prone to network degradation and downtime caused by dust particles, and will recognize the usefulness of this seemingly inane point.

The following lists identify a sample physical security control policy for a university.

Construction and Location of Premises:
● All university buildings must have network closets built in accordance with relevant fire and safety standards.
● All network closets must be protected from potential sources of man-made or natural hazards, such as floods, earthquakes, and lightning.

Maintenance of Equipment:
● All network infrastructure equipment must be connected to backup power supplies.
● All network infrastructure equipment must be in locked cabinets with keys that only maintenance staff can access.
Physical Access:
● Access to network closets and equipment racks is authorized only for people in the network infrastructure operations group.
● Other personnel may access network closets only in the company of a member of the network infrastructure operations group.
● Surveillance cameras must be installed in all network closets.
● In the event of personnel changes, the locks to the network closets must be changed.

Logical Security Controls

Logical security controls create boundaries between network segments. As such, they control the flow of traffic between different cable segments. When traffic is logically filtered between networks, logical access controls provide security. The example in Figure 6-6 shows three university buildings, each connected by a router. The administration building has a LAN that allows only specific IP addresses from the engineering building (144.254.3.3 and 144.254.3.4) and the liberal arts building (144.254.7.3 and 144.254.7.4) to access the LAN. These addresses are permitted access because they are known to belong to hosts in the faculty room, to which only faculty members have access.

Figure 6-6: Security Through Logical Access Controls

Note: Although traffic filtering provides some measure of security, it is easy to spoof IP addresses. Filtering should be used in conjunction with other security measures.

Because logical boundaries are not as secure as physical boundaries, you must fully understand the path the data is taking from one point to another. Although logical boundaries usually exist between separate subnets, routing policies and virtual local-area networks (VLANs) can obscure the logical traffic flow.

Tip: The only way to detect unauthorized traffic on the network is through the use of a packet analyzer or an intrusion detection system.
It is prudent to place intrusion detection systems at critical network access points.

Subnet Boundaries

A characterization is sometimes made that traffic on different subnets is secure because the traffic is constrained to a single subnet domain. The thinking is that there is a logical separation between the different groups of addresses that make up the different network access domains. You can provide filters to permit or deny traffic based on subnet addresses. However, as was pointed out in the preceding section, IP addresses are easy to spoof; other security measures should always be used in conjunction with filtering mechanisms. (Readers not familiar with IP addressing and subnetting can refer to the following sidebar.)

IP Addressing

An IP address is a 32-bit address represented in dotted decimal notation of the form X.Y.Z.K (for example, 6.0.0.6). The following chart lists how the IP address space is divided by function.

Address Range                  Functionality
1.0.0.0-223.255.255.255        IP unicast address
224.0.0.0-239.255.255.255      IP multicast address
240.0.0.0-255.255.255.254      Reserved for future use
0.0.0.0                        An unknown IP address
255.255.255.255                Local segment broadcast

The IP unicast addresses are divided into three classes:

Class   Address Range               Number of Networks   Approximate Number of Hosts Per Single Network
A       1.0.0.0-126.255.255.255     126                  16 million
B       128.0.0.0-191.255.255.255   16,384               65,000
C       192.0.0.0-223.255.255.255   2,097,152            254

The 32-bit IP address contains a network portion and a host portion, as shown in Figure 6-7.

Figure 6-7: A Bitmap of Class A, Class B, and Class C Addresses

A network mask is used to separate the network information from the host information. The mask is represented in binary notation as a series of contiguous 1s followed by a series of contiguous 0s.
The network masks of class A, class B, and class C networks in binary and dotted decimal format are shown in Figure 6-8.

Figure 6-8: An Example of Natural Network Masks

A subnet is a subset of a class A, class B, or class C network. Subnets are created by extending the network portion of the address further into the host portion. The use of subnets increases the number of subnetworks and reduces the number of hosts on each subnetwork. The following chart shows, for the class C network 192.150.42.0, the possible ways you can create subnetworks with contiguous subnet masks:

Bits in Subnet Mask   Dotted Decimal Format   Number of Networks   Number of Hosts in Each Network
0                     255.255.255.0           1                    254
1                     255.255.255.128         2                    126
2                     255.255.255.192         4                    62
3                     255.255.255.224         8                    30
4                     255.255.255.240         16                   14
5                     255.255.255.248         32                   6
6                     255.255.255.252         64                   2

Let's take the specific example of a 3-bit subnet mask used on the 192.150.42.0 network.
This network yields eight separate subnetworks with 30 hosts on each network, as listed here:

Subnet   Network Address   Broadcast Address   Host Address Range
0        192.150.42.0      192.150.42.31       192.150.42.1-192.150.42.30
1        192.150.42.32     192.150.42.63       192.150.42.33-192.150.42.62
2        192.150.42.64     192.150.42.95       192.150.42.65-192.150.42.94
3        192.150.42.96     192.150.42.127      192.150.42.97-192.150.42.126
4        192.150.42.128    192.150.42.159      192.150.42.129-192.150.42.158
5        192.150.42.160    192.150.42.191      192.150.42.161-192.150.42.190
6        192.150.42.192    192.150.42.223      192.150.42.193-192.150.42.222
7        192.150.42.224    192.150.42.255      192.150.42.225-192.150.42.254

Subnetting gives the network administrator several benefits: it provides extra flexibility, makes network address utilization more efficient, and contains broadcast traffic, because a broadcast does not cross a router. Because subnets are under local administration, the outside world sees an organization as a single network and has no detailed knowledge of the organization's internal structure. Internally, however, each subnet constitutes a separate LAN, possibly on a separate physical cable segment (see Figure 6-9).

Figure 6-9: An Example of Subnet Boundaries

The logical infrastructure of any network depends largely on how networks are logically separated into groups using subnets and how traffic is controlled between these subnets. Routing (also known as Layer-3 switching) is how traffic is controlled between subnets. Where routing information is distributed and accepted plays a large role in how you gain access to data on various networks. VLANs can also modify traditional subnet physical boundaries.
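The subnet arithmetic in the two tables above and the address-based filtering described under Logical Security Controls (Figure 6-6) are both mechanical enough to put in code. The following is an added example for this page, not code from the book or from Cisco, using Python's standard ipaddress module: it derives the classful designation and natural mask of an address, generates the network, broadcast and host range of every subnet for a given number of subnet bits (the 3-bit case on 192.150.42.0 reproduces the table), and evaluates a first-match permit/deny list with an implicit deny, the way a router access list behaves. It goes one step beyond the page's filter by adding an ingress plausibility check (a source address must belong to a prefix that actually lives behind the interface it arrived on), which is one of the "other security measures" the note asks for against spoofed sources; it does not help against a spoofer on the same LAN as the address being impersonated. The administration LAN prefix 144.254.1.0/24, the building LAN prefixes 144.254.3.0/24 and 144.254.7.0/24, and the interface names are assumptions; the page gives only the four faculty host addresses.

```python
# Added example (not from the book): subnet tables and first-match address
# filtering with the standard ipaddress module. Prefixes other than the four
# faculty hosts from Figure 6-6 are assumptions, not taken from the page.
import ipaddress


def address_class(ip):
    """Classful designation and natural mask of a unicast address, by first octet.
    Returns (None, None) for 0.0.0.0, loopback, multicast and reserved space."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if 1 <= first <= 126:
        return "A", "255.0.0.0"
    if 128 <= first <= 191:
        return "B", "255.255.0.0"
    if 192 <= first <= 223:
        return "C", "255.255.255.0"
    return None, None


def subnet_table(network, subnet_bits):
    """Rows (index, network, broadcast, first host, last host) for `network`
    split with `subnet_bits` extra mask bits, e.g. ("192.150.42.0/24", 3)."""
    net = ipaddress.IPv4Network(network)
    rows = []
    for i, sub in enumerate(net.subnets(prefixlen_diff=subnet_bits)):
        hosts = list(sub.hosts())  # excludes network and broadcast addresses
        rows.append((i, str(sub.network_address), str(sub.broadcast_address),
                     str(hosts[0]), str(hosts[-1])))
    return rows


# Figure 6-6 policy: only the four faculty-room hosts may reach the
# administration LAN. The destination prefix is an assumption.
FACULTY_HOSTS = ["144.254.3.3/32", "144.254.3.4/32",
                 "144.254.7.3/32", "144.254.7.4/32"]
ADMIN_LAN = "144.254.1.0/24"  # assumed administration building LAN

# Access list entries: (action, source prefix, destination prefix).
ACL = [("permit", src, ADMIN_LAN) for src in FACULTY_HOSTS]

# Assumed: which source prefixes legitimately live behind each router interface.
INTERFACE_PREFIXES = {
    "engineering": ["144.254.3.0/24"],
    "liberal_arts": ["144.254.7.0/24"],
}


def acl_decision(acl, src_ip, dst_ip):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in ipaddress.IPv4Network(src_net) and dst in ipaddress.IPv4Network(dst_net):
            return action
    return "deny"


def plausible_source(interface, src_ip):
    """Ingress check: the source must belong to a prefix behind `interface`."""
    src = ipaddress.IPv4Address(src_ip)
    return any(src in ipaddress.IPv4Network(p) for p in INTERFACE_PREFIXES[interface])


def filter_packet(interface, src_ip, dst_ip):
    """Ingress plausibility first, then the access list."""
    if not plausible_source(interface, src_ip):
        return "deny (spoofed source)"
    return acl_decision(ACL, src_ip, dst_ip)


if __name__ == "__main__":
    for row in subnet_table("192.150.42.0/24", 3):
        print("%d  %-15s %-15s %s-%s" % row)
    print(address_class("144.254.3.3"))
    print(filter_packet("engineering", "144.254.3.3", "144.254.1.10"))
    print(filter_packet("liberal_arts", "144.254.3.3", "144.254.1.10"))
```

The last call shows the point of the ingress check: a packet claiming engineering-building source 144.254.3.3 but arriving from the liberal arts interface is dropped before the permit list is consulted, even though the address itself is on the allow list.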
Routing Boundaries

Routing involves two basic activities:

● Determining optimal routing paths
● Transporting packets through an internetwork

The latter activity is typically referred to as Layer-3 switching. Switching is relatively straightforward: it involves looking up the destination address in a table that specifies where to send the packet. The table is created as a result of determining the optimal path to a given destination. If the table entry for a given destination is not there, the optimal path must be computed. The computation of the optimal path depends on the routing protocol used and can be a very complex process.

Note: Routing fundamentals are beyond the scope of this book. Read Internet Routing Architectures, published by Cisco Press/MTP, for a more detailed discussion on routing.

[...]

... 255.255.255.248. This corporation allows free access to all corporate campus servers but allows only the branch office network 192.150.42.32 to access the Internet through the campus network. The policy can be implemented as follows:
● Allow all 144.254.0.0 routes to be announced everywhere.
● Announce all 192.150.42.0 networks to the main campus.
● Announce the 192.150.42.32 network to the Internet.
● Suppress ...

... inside trusted network. Outbound traffic comes from inside the trusted network to an outside untrusted network (see Figure 6-12).

Figure 6-12: Traffic Direction

Traffic Origin: Whether traffic was initiated from the inside (trusted) network or the ...

... (commonly used by intruders)
TCP 111    SunRPC
UDP 111    SunRPC
TCP 2049   NFS
UDP 2049   NFS
TCP 512    BSD UNIX r-command
TCP 513    BSD UNIX r-command
TCP 514    BSD UNIX r-command
TCP 515    lpd
TCP 540    uucpd
TCP 2000   OpenWindows
UDP 2000   OpenWindows
TCP 6000+  X Windows
...

... and what steps should be taken to prevent a similar incident from occurring again.

Incident Handling http://wwwin.cisco.com/cpress/cc/td/cpress/internl/dns/ch07.htm. Posted: Wed Jun 14 11:34:28 PDT 2000. Copyright 1989-2000 Cisco Systems Inc.

... corporate network is divided into three distinct components:
● Corporate campus network
● Internet access
● Dial-in access
The campus network has a class B address of 144.254.0.0, which is subnetted into 256 distinct networks using an 8-bit subnet mask of 255.255.255.0. The Internet access is provided by an unnumbered interface. The dial-in access is provided by a subnetted class C address of 192.150.42.0 ...

... the university security policy. Personnel Security Controls:
● Key positions must be identified, and potential successors should always be identified.
● Recruiting employees for positions in the implementation and operation of the network infrastructure ...
● ... employees with adequate training to educate them about the many problems and ramifications of security-related issues. (continues)

Posted: Wed Jun 14 11:36:48 PDT 2000. Copyright 1989-2000 Cisco Systems Inc.

Incident Handling. Table of Contents: Incident Handling; Building an Incident Response Team; Establishing ...

... you provide for a better analysis of a particular service or protocol, and you can design a security mechanism suited to the security level of the site.

Note: Security complexity can grow exponentially with the number of services provided. Evaluate all ...

... an outside host, you must have control over the entire network path to that host, not just a single access point. Any internetworking product can make spoofing attacks more difficult by making it harder for the attacker to guess which nodes it's profitable ...

... of computer security incidents that have gone on for long periods of time before a site has noticed the incident. In such cases, backups of the affected systems are also tainted.
● Periodically verify the correctness and completeness of your backups ...

Posted: 14/08/2014, 14:20

Contents

  • cisco.com

    • Incident Handling

    • Securing the Corporate Network Infrastructure
