CCSP: Securing Cisco Network Devices (SND) Quick Reference Sheets

Network Security Overview

This section presents an overview of network security concepts, including common threats, attack types, and mitigation techniques. It also includes an overview of the Cisco security portfolio.

Please note that there is some overlap of content in the Cisco CCSP certification courses and corresponding exams. We chose to make each section of this book stand on its own, and we covered the material for each exam independently, so that you can focus on each exam without the need to reference a common topic from a different exam's section. Because of this, you might notice redundant coverage of topics in certain sections of this book.

The Need for Network Security

Networked systems must be designed and implemented with security in mind because most contemporary systems are interlinked or "open", in contrast to a previous time when systems were "closed" islands. This interlinking, often demanded by business processes and information exchange, increases a system's vulnerability, risk of attack, and exploitation by threats.

Comprehensive network security safeguards are needed because attacking systems has become easier for two reasons:
• Software development tools and easy-to-use operating systems provide attackers with a basis to develop attack tools.
• The Internet allows attackers not only to distribute attack tools and related attack techniques but also to gain the connectivity required for the attack.

In addition, the following three major dynamics have converged to further increase the need for network security in any successful organization:
• New or pending regulations in the United States, the European Union, and elsewhere mandating better protection of company-sensitive and personal information.
• Increasing terrorist and criminal activity directed at communication infrastructures and at private and government networks and computer systems.
• An increasing number of perpetrators conducting cyber attacks and hacking with greater ease as worldwide use of Internet technology and connectivity increases.

Network Security Challenges

The primary challenge of implementing network security is to strike the right balance between providing convenient access to systems and information as required to conduct business and the need to protect those same systems and information from attacks and inappropriate access. The emergence of the Internet and e-business has made this challenge more difficult. E-business demands stronger relationships with suppliers, partners, and customers, and often requires companies to provide access to their systems and critical information over the Internet.

Security within the system is important for the following reasons:
• Digital data exchange among organizations is crucial to an economy. These processes must be protected.
• Private data often travels via insecure networks, and precautions must be taken to prevent it from being corrupted or changed.
• Government regulations often dictate standards for information assurance compliance, especially in publicly held organizations.

Network Security Policy

To be effective, network security must be a continuous process and must be built around a security policy. The policy, which is an overall strategic vision, is defined first, and the tactical processes and procedures to support that policy are designed around it. RFC 2196, the Site Security Handbook, describes a security policy as "…a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide."

A security policy is necessary because it:
• Creates a baseline of the current security posture and implementation
• Clearly defines what behaviors are allowed and what behaviors are not
• Helps determine necessary tools and procedures
• Helps define roles and responsibilities
• Informs users of their roles and responsibilities
• States the consequences of misuse
• Enables global security implementation and enforcement
• Defines how to handle security incidents
• Defines assets and how to use them
• Provides a process for continuing review

Security policies can be as simple as one document, or they might consist of many documents that describe every aspect of security. The organization's needs, in addition to any regulations to which the organization must adhere, drive the level of detail. A comprehensive security policy should describe some of the following concepts in writing:
• Statement of authority and scope
• Acceptable-use policy
• Identification and authentication policy
• Internet use policy
• Campus-access policy
• Remote-access policy
• Incident handling procedure

Network Security Process

A continuous security process is most effective because it promotes the retesting and reapplying of updated security measures on a continuous basis, as illustrated in the following figure.

[Figure: Cisco Security Wheel. The four phases Secure, Monitor, Test, and Improve are arranged in a cycle around the Security Policy.]

The Cisco Security Wheel provides a four-step process to promote and maintain network security:
Step 1. Secure—Implement security safeguards, such as firewalls, identification and authentication systems, and encryption, with the intent of preventing unauthorized access to network systems.
Step 2. Monitor—Continuously monitor the network for security policy violations.
Step 3. Test—Evaluate the effectiveness of the in-place security safeguards by performing tests, such as periodic system vulnerability analysis and application and operating system hardening review.
Step 4. Improve—Improve overall security by collecting and analyzing information from the monitoring and testing phases to make judgments on ways to make security more effective.

Primary Types of Threats

There are four ways to categorize threats to network security:
• Unstructured threats—Threats primarily from inexperienced individuals using hacking tools available on the Internet (script kiddies).
• Structured threats—Threats from hackers who are more motivated and technically competent. They usually understand network system designs and vulnerabilities, and they can create hacking scripts to penetrate network systems.
• External threats—Threats from individuals or organizations working outside your company who do not have authorized access to your computer systems or network. They work their way into a network mainly from the Internet or dialup access servers.
• Internal threats—Threats from individuals with authorized access to the network, with an account on a server or physical access to the wire (typically disgruntled current or former employees or contractors).

Mitigating Network Attacks

The following sections discuss expected attacks on networks and related mitigation techniques.

Physical and Environmental Threats

A common threat to network security is improper installation of network security devices or software applications. Default installation of many hardware devices or software applications can result in substandard security, with such shortcomings as easily guessed or even blank default passwords, unnecessary running services, or disabled desirable services.

Devices are generally categorized into the following two groups:
• Low-risk devices—Typically low-end or small office/home office (SOHO) devices implemented in remote locations or branch offices, with minimal impact on the corporate network.
• High-risk (mission-critical) devices—Devices used in larger offices, hub locations, or corporate headquarters locations, with the potential to impact a large portion of the network and user base.

Consider the following common threats when installing physical devices:
• Hardware threats—Threat of intentional or unintentional physical damage to devices, such as routers, firewalls, and switches.
• Environmental threats—Include threats of temperature and humidity conditions that can damage hardware devices.
• Electrical threats—Include threats such as voltage spikes, insufficient voltage (brownouts), power loss (blackouts), or unconditioned power.
• Maintenance threats—Improper practices that can result in outages, for example mislabeled devices, improper handling, or static electricity.

Use the following techniques to mitigate hardware threats:
• Limit physical access to authorized personnel only.
• Maintain an audit trail for access to the equipment, preferably using electronic access control.
• Implement a surveillance system such as cameras or CCTV.

Use the following techniques to mitigate environmental threats:
• Include temperature and humidity control measures.
• Maintain positive air flow.
• Implement remote temperature and humidity monitoring and alarm systems.
• Limit electrostatic and magnetic interference.

Use the following techniques to mitigate electrical threats:
• Install Uninterruptible Power Supplies (UPS).
• Install generators for the mission-critical systems.
• Implement routine UPS and generator testing and maintenance.
• Use redundant power supplies on critical devices.
• Use filtered power when possible.
• Monitor power supply conditions.

Finally, to mitigate maintenance-related threats, use the following techniques:
• Clearly label devices and cabling.
• Use cable runs or raceways for rack-to-ceiling or rack-to-rack connections.
• Use proper electrostatic discharge procedures.
• Log out of administrative interfaces when they are no longer necessary.
• Do not rely on physical security alone (no room is completely secure). If a breach of physical security occurs and other security measures are not in place, an intruder can simply connect a terminal to the console port of a Cisco router or switch.

Reconnaissance Attacks

Reconnaissance is an attempt to discover and map systems, services, vulnerabilities, and publicly available information about target systems, often as a prelude to more sophisticated attacks. Reconnaissance methods include:
• Internet information queries—Data collection about the organization from public sources, such as newspapers, business registries, public web servers, tools such as WHOIS, DNS records, and ARIN and RIPE records.
• Port scans and ping sweeps—Used to identify online hosts, their services, their operating systems, and some of their vulnerabilities. Mitigation includes controlling the visibility of hosts and services from untrusted networks by measures such as filtering Internet Control Message Protocol (ICMP) echo and echo-reply traffic at the network edge and deploying network-based or host-based intrusion prevention systems.
• Packet sniffers—After hosts are compromised, rogue software can force their network cards into promiscuous mode, and the hosts can become packet sniffers for further reconnaissance. The sniffing host can potentially collect network data such as passwords and data on the wire, and an attacker can retrieve this information for use in other attacks. Mitigation techniques include:
— Use of strong authentication and One Time Passwords (OTP)
— Switched infrastructures to prevent sniffing
— Use of Host Intrusion Prevention Systems (HIPS) to detect disallowed host activities
— Cryptography for data privacy

Access Attacks

Access attacks attempt to exploit weaknesses in applications so that an intruder can gain unauthorized access. They include:
• Password attacks—An attempt to gain account access by obtaining its password using the following techniques:
— Online and offline brute-force repeated logon attempts. Mitigated with strong passwords, OTP systems, automatic account disabling after "X" failed attempts, limits on password reuse, and periodic password testing to ensure policy compliance.
— Packet sniffing collection of passwords off the medium. Mitigated with encryption, switching, and HIPS.
— Internet Protocol (IP) and Media Access Control (MAC) spoofing to appear as a trusted system, so that users unknowingly send their passwords to attackers. Mitigated by device authentication.
— Trojan horse software that collects password information and then sends this information to attackers. Mitigated by use of host and network Intrusion Prevention Systems (IPS).
• Trust exploitation—An attacker takes advantage of the fact that other hosts will trust one host that has been compromised, potentially allowing unauthorized access. To mitigate trust exploitation attacks, create tight constraints on trust levels within a network and disallow Internet hosts complete access to internal hosts through the firewall. Limit trusts for systems outside of the firewall to specific protocols, and grant them based on something other than an IP address when possible.
• Port redirection—A trust exploitation attack whereby an attacker that does not have direct access to an end target uses an intermediate host (that the end target trusts) as a launching point. The attacker compromises the intermediate host and from this point attacks the end target. Mitigation techniques include:
— Use of HIPS to detect suspicious events
— Implementation of a network-specific trust model with more granular firewall filtering
• Man-in-the-middle—An attacker sits in between two-way client and server communication to intercept it. Use of effective encryption protocols (IPSec and SSL, for example) mitigates this exposure. The following are man-in-the-middle attack examples:
— Stealing or analyzing the information contained in packet payloads
— Altering or introducing new packet data as it flows between the legitimate hosts
— Hijacking the client's session, so that the attacker can pose as the client and gain trusted access
— Creating Denial of Service (DoS) conditions by interrupting packet flow
• Unauthorized access—Internal or external attacks by people attempting access to systems or applications to which they do not have access. The following are examples of these attacks:
— Unauthorized system access—Intruders gain access to a host to which they do not have access. Mitigate by use of OTP systems, advanced authentication, and reduction of attack vectors by using stringent firewall filters to reduce attack opportunity. Warning banners alert unauthorized persons that their activities are prohibited and might be logged.
— Unauthorized data manipulation by an authorized user—Users read, write, copy, or move files that are not intended to be accessible to them. Mitigate by use of stringent OS trust model controls to monitor privilege escalation and HIPS.
— Unauthorized privilege escalation—Legitimate users with a lower level of access privileges, or intruders who gain lower-privileged access, get information or process procedures without authorization at their current level of access. Mitigate by use of stringent OS trust model controls to control privilege escalation and HIPS.

IP Spoofing Attacks

IP spoofing occurs when an attacker attempts to impersonate a trusted IP address so that the target accepts communications from the attacker. IP spoofing mitigation techniques include:
• Use of RFC 2827 filtering on routers and firewalls, as follows:
— Traffic entering your network should be destined only for IP addresses you control.
— Traffic leaving your network should be sourced only with IP addresses you control.
— Traffic leaving your Internet Service Provider's (ISP) network intended for your network should be destined only for IP addresses you control. Your ISP must implement these filters because they own this equipment.
• Access control configuration—Prevents traffic entering your network with source addresses that should reside on the internal network. Block all IP addresses reserved for private or other special uses, such as RFC 1918 private addresses and other "bogon" addresses.
• Encryption—Prevents compromising of source and destination hosts.
• Additional authentication—IP spoofing attacks rely on IP address-based identification and authentication of hosts. By deploying another authentication method (other than the IP address), IP spoofing attacks become irrelevant.

DoS Attacks

DoS is the act of barraging a network or host with more connection requests or data than it usually handles, for the purpose of permanently or temporarily denying access to systems, services, or applications. DoS and Distributed DoS (DDoS) focus on disabling or drastically slowing IT services by overwhelming them with requests from one or many distributed attackers. DoS attacks most often target services already allowed by the firewall, such as HTTP, SMTP, and FTP. DoS can shut down a network by consuming all available bandwidth.

DoS mitigation techniques include:
• Use of RFC 1918 and RFC 2827 filtering
• Use of Quality of Service (QoS) rate limiting to control data flow
• Use of anti-DoS features on firewalls and routers to limit half-open Transmission Control Protocol (TCP) connections
• Use of advanced authentication to prevent invalid host-to-host trusts

Worms, Viruses, Trojan Horses, Phishing, and Spam Attacks

Malicious code usually targets workstations and servers to subvert their operation. Malicious code types include:
• Worms—Malicious code that installs a payload onto a host using an available exploit vector and attempts to replicate to other hosts through some propagation mechanism. After installation of the payload, privilege escalation often occurs.
• Viruses—Malicious code attached to another program (such as email) that attempts some undesirable function on the host (such as reformatting the hard drive) after the user runs the rogue program.
• Trojans—Malicious code that appears to be legitimate and benign but is a vector for an internal or external attack.
• Phishing—An attempt to deceive users into revealing private information to an attacker.
• Spam—Multiple unwanted emailed offers that flood inboxes.

Virus and Trojan horse mitigation techniques include:
• Using HIPS software
• Acquiring effective and up-to-date host antivirus software
• Performing effective maintenance of operating system and application patches
• Staying up to date with the latest developments in attacks of this type and new mitigation methodologies

Mitigate the effect of worms through the following steps:
Step 1. Contain with defense-in-depth techniques at major network junctions.
Step 2. Inoculate systems with antivirus updates.
Step 3. Quarantine infected machines.
Step 4. Treat infected machines with appropriate fixes.

Incident response methodologies are subdivided into the following six major categories, based on the Network Service Provider Security (NSP-SEC) incident response methodology:
• Preparation—Acquire the resources to respond
• Identification—Identify the worm
• Classification—Classify the type of worm
• Traceback—Trace the worm back to its origin
• Reaction—Isolate and repair the affected systems
• Postmortem—Document and analyze the process used, for the future

Application Layer Attacks

Application-layer attacks have the following general characteristics:
• They are designed to exploit intrinsic security flaws and known weaknesses in protocols and services such as sendmail, HTTP, and FTP.
• They use standard ports that are commonly allowed through a firewall, such as TCP port 80 or TCP port 25.
• They are difficult to eliminate because new vulnerabilities are often discovered.

Stateful firewalls generally do not stop these attacks because these devices are not designed to perform deep packet inspection. Proxy firewall functions, such as PIX application inspection (formerly "fixups"), Cisco IPS, and Cisco Adaptive Security Appliances (ASA), are designed for deeper application inspection and control. Mitigation techniques include:
• Implementing application inspection within the firewall device
• Implementing HIPS to monitor the OS and specific applications for illegal or suspicious calls
• Implementing network IPS to monitor network communications for known attacks and activity outside of the normal baseline
• Keeping the host OS and applications patched
• Logging events, parsing events, and performing analysis
• Subscribing to mailing lists that alert you to new vulnerabilities in a timely manner

Management Protocols and Vulnerabilities

Management protocols such as Simple Network Management Protocol (SNMP), syslog, Trivial File Transfer Protocol (TFTP), and Network Time Protocol (NTP) have been around for a number of years and were originally designed with little or no security considerations. Most of these protocols have been upgraded to newer versions that provide improved security measures. For example, the newer SNMP version provides authentication and encryption of communications.

Mitigation techniques include:
• Using secure protocols, such as Secure Shell (SSH) or Secure Sockets Layer (SSL), when connecting to devices over the network, and avoiding clear-text protocols, such as telnet or HTTP.
• Using Access Control Lists (ACLs) to limit administrative access to network devices.
• Using RFC 3704 filtering at the perimeter to prevent outside attackers from accessing devices by spoofing the address of (legitimate) management hosts.
• SNMP recommendations:
— Configure SNMP with read-only (ro) community strings
— Limit access to management hosts on the managed devices
— Use the SNMP version that provides authentication and encryption, or higher
• Syslog recommendations:
— Encrypt syslog traffic using IPSec
— Implement RFC 2827 filtering
— Set up ACLs on the firewall to limit access to the servers
• TFTP recommendations:
— Encrypt TFTP traffic using IPSec
• NTP recommendations:
— Implement an internal master clock when possible
— Use the NTP version that supports authentication, or higher
— Use ACLs to control access to specific NTP servers
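As an added example (not code from the reference sheets or from Cisco), the following Python script turns the filtering recommendations of the Reconnaissance, IP Spoofing, DoS, and Management Protocols sections above into one small, testable policy: RFC 2827 ingress and egress checks, RFC 1918 and bogon source blocking, ICMP echo filtering at the edge, and a management-plane access list that accepts SSH, SNMP, NTP, and syslog only from designated management hosts and refuses clear-text protocols such as telnet. The site prefix, device address, management hosts, and sample packets are constructed assumptions drawn from the RFC 5737 documentation ranges, not addresses from any real network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): the prefix this site controls, the
# managed device's own address, and the hosts allowed to manage it.
OUR_PREFIXES = [ip_network("203.0.113.0/24")]
DEVICE_ADDRESS = ip_address("203.0.113.1")
MANAGEMENT_HOSTS = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}

# RFC 1918 space plus other reserved ranges ("bogons") that should never be
# seen as a source address on traffic arriving from the Internet.
BOGON_PREFIXES = [ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",      # this-net, loopback, link-local
    "224.0.0.0/4", "240.0.0.0/4",                      # multicast, reserved
)]

# Management services the device accepts. Telnet (tcp/23) and plain HTTP
# (tcp/80) are deliberately absent, so clear-text management is refused.
MANAGEMENT_SERVICES = {("tcp", 22): "ssh", ("udp", 161): "snmp",
                       ("udp", 123): "ntp", ("udp", 514): "syslog"}

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port for tcp/udp
    icmp_type: int = -1   # ICMP type for icmp packets


def _in_any(addr: str, prefixes) -> bool:
    a = ip_address(addr)
    return any(a in p for p in prefixes)


def filter_edge(pkt: Packet, direction: str) -> str:
    """Perimeter rules; direction is 'in' (from the Internet) or 'out'.
    Returns 'permit' or a 'drop: <reason>' string."""
    if direction == "out":
        # RFC 2827 egress: leaving traffic must carry a source we control
        if not _in_any(pkt.src, OUR_PREFIXES):
            return "drop: egress source not in our prefixes (RFC 2827)"
        return "permit"
    # RFC 2827 ingress: entering traffic must be destined to addresses we control
    if not _in_any(pkt.dst, OUR_PREFIXES):
        return "drop: ingress destination not in our prefixes (RFC 2827)"
    # Anti-spoofing (RFC 2827/3704): our own addresses never arrive from outside,
    # so an outsider cannot pose as a legitimate management host
    if _in_any(pkt.src, OUR_PREFIXES):
        return "drop: spoofed internal source address"
    if _in_any(pkt.src, BOGON_PREFIXES):
        return "drop: RFC 1918 or bogon source address"
    # Reconnaissance mitigation: no ICMP echo / echo-reply across the edge
    if pkt.proto == "icmp" and pkt.icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "drop: ICMP echo filtered at the network edge"
    return "permit"


def filter_device_access(pkt: Packet) -> str:
    """Management-plane ACL on the device itself: only management hosts may
    reach SSH/SNMP/NTP/syslog, and any other service is refused."""
    if ip_address(pkt.dst) != DEVICE_ADDRESS:
        return "permit"  # transit traffic, not addressed to the device
    service = MANAGEMENT_SERVICES.get((pkt.proto, pkt.dport))
    if service is None:
        return f"drop: {pkt.proto}/{pkt.dport} is not an allowed management service"
    if ip_address(pkt.src) not in MANAGEMENT_HOSTS:
        return f"drop: {service} from non-management host {pkt.src}"
    return "permit"


def evaluate(pkt: Packet, direction: str) -> str:
    """Edge filter first (for 'in'/'out'), then the device's own access control.
    direction 'internal' means traffic that never crosses the perimeter."""
    if direction in ("in", "out"):
        verdict = filter_edge(pkt, direction)
        if verdict != "permit":
            return verdict
    return filter_device_access(pkt)


if __name__ == "__main__":
    # Constructed sample traffic (assumption) exercising each rule
    samples = [
        (Packet("198.51.100.7", "203.0.113.80", "tcp", 443), "in"),
        (Packet("203.0.113.5", "203.0.113.80", "tcp", 443), "in"),
        (Packet("10.1.1.1", "203.0.113.80", "tcp", 443), "in"),
        (Packet("198.51.100.7", "203.0.113.80", "icmp", icmp_type=8), "in"),
        (Packet("192.0.2.9", "198.51.100.1", "tcp", 80), "out"),
        (Packet("198.51.100.7", "203.0.113.1", "tcp", 22), "in"),
        (Packet("203.0.113.50", "203.0.113.1", "udp", 161), "internal"),
        (Packet("203.0.113.10", "203.0.113.1", "udp", 161), "internal"),
        (Packet("203.0.113.10", "203.0.113.1", "tcp", 23), "internal"),
    ]
    for pkt, direction in samples:
        print(f"{direction:8} {pkt.src:>14} -> {pkt.dst:<14} {pkt.proto}/{pkt.dport}: {evaluate(pkt, direction)}")
```

The script models the decision logic only; on a Cisco router the edge rules would be expressed as interface ACLs, and the management-plane rules as an `access-class` on the vty lines and an ACL bound to the SNMP community string, with the same policy behind them.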