Cisco SAFE: A Security Blueprint for Enterprise Networks
Özay UYANIK, Cisco Systems TURKEY
© 2001, Cisco Systems, Inc. All rights reserved. (Slide deck "vbieri_cisco_router_security", 51 slides.)

Page 2: The Internet is Changing… Everything

Vote, Bank, Medicate, Travel, Purchase

Page 3: The Security Dilemma: Expanded Access, Heightened Security Risks

Diagram: Internet business value rises as a company moves from plain Internet access to a corporate intranet to a full Internet presence. The e-business applications that drive this (Customer Care, E-Learning, Supply Chain Management, E-Commerce, Workforce Optimization) bring an explosion in e-business, and the security risk grows with the access they require.

Page 4: Threats Driving Security Awareness

Threats: Information Theft, Virus Attacks, Data Interception, Unprotected Assets, Denial of Service, Unauthorized Entry

Headlines cited on the slide:
• "Worm Blaster Strikes Worldwide" (CNN)
• "AOL Boosts Email Security After Attack" (C/NET)
• "Several Web Sites Attacked Following Assault on Yahoo!" (New York Times)

Page 5: Critical e-Business Solutions

Customer Care, E-Learning, Supply Chain Management, E-Commerce and Workforce Optimization, all delivered over the Internet.

An intelligent and secure network infrastructure is required for e-business.

Page 6: Are You Secure?

Vulnerability figures as given on the slide (no source is cited):
• External exploitation: 75% vulnerable; 95+% vulnerable externally once secondary exploitation (using a first compromised host to reach others) is included
• Internal exploitation: 100% vulnerable
• Dial-in exploitation: 65+% vulnerable

Page 7: 100% Security

"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it…."

Gene Spafford, Director, Computer Operations, Audit, and Security Technology (COAST), Purdue University

Page 8: Cisco SAFE

Cisco SAFE is a flexible framework that empowers companies to securely take advantage of the Internet economy.

Page 9: Key Components of a SAFE Module

• Security Management
• Identity
• Perimeter Security
• Security Monitoring
• Secure Connectivity

Page 10: Security Is…

Physical-security analogy on the slide: a Security Office, Traditional Locks, a Guard, a Security Camera and a Card Key, set beside their network counterparts: Security Manager, Firewall, Intrusion Detection (sensors plus an IDS Manager) and Authentication Server.

Page 11: SAFE Enterprise Network Design Guide

Three areas, each built from modules:
• Enterprise Campus: User Access, Building Distribution, Core, Server, Management, Edge Distribution
• Enterprise Edge: Corporate Internet, VPN & Remote Access, WAN, E-Commerce modules
• ISP Edge: ISP A, ISP B, PSTN, Frame/ATM modules

Cisco SAFE architecture goals: Security, Resilience, Performance, Scalability, QoS Awareness

Page 12: Enterprise SAFE Network

Same layout as page 11 (ISP Edge, Enterprise Edge, Enterprise Campus), overlaid with the SAFE axioms:
• Routers are targets
• Switches are targets
• Hosts are targets
• Networks are targets
• Applications are targets
• Secure management and reporting are required

Page 13: Routers are Targets

• Potentially a hacker's best friend: a compromised router can observe, redirect or drop every packet that crosses it
• Protection should include:
  - constraining telnet (and any other management) access to known source addresses
  - SNMP read-only, bound to an access list
  - administrative access authenticated through TACACS+ (AAA)
  - NTP authentication
  - turning off unneeded services
  - logging unauthorized access attempts
  - authentication of routing updates
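As an added example (not part of the Cisco SAFE deck), the checklist above can be turned into a quick audit of a running-config. Each item becomes a regular-expression test over the configuration text; the two sample configurations are constructed for this example (the 192.168.253.x addresses follow the deck's management address space, the key strings are placeholders), and the checks cover only the items the slide names, not a full hardening audit.

```python
"""Audit an IOS running-config against the router-hardening items listed above.

Added example, not part of the Cisco SAFE deck. Each check is a regular
expression over the configuration text; both sample configurations are
constructed for this example (192.168.253.x follows the deck's management
address space, PLACEHOLDER stands in for real keys).
"""
import re


def _has(pattern):
    """Check passes when `pattern` occurs somewhere in the config."""
    return lambda cfg: re.search(pattern, cfg, re.MULTILINE) is not None


def _lacks(pattern):
    """Check passes when `pattern` occurs nowhere in the config."""
    return lambda cfg: re.search(pattern, cfg, re.MULTILINE) is None


def _snmp_read_only_with_acl(cfg):
    """Every SNMP community must be read-only and bound to an access list."""
    lines = re.findall(r"^snmp-server community .*$", cfg, re.MULTILINE)
    return all(re.fullmatch(r"snmp-server community \S+ RO \d+", l.strip()) for l in lines)


# (name, hardening item from the slide, predicate), in the slide's order
CHECKS = [
    ("vty_access_class", "constrain telnet/SSH access",
     _has(r"^line vty[^\n]*\n(?:[ \t]+[^\n]*\n)*?[ \t]+access-class \d+ in")),
    ("snmp_read_only", "SNMP read-only, bound to an ACL",
     lambda cfg: _lacks(r"^snmp-server community \S+ RW")(cfg) and _snmp_read_only_with_acl(cfg)),
    ("tacacs_admin_access", "administrative access with TACACS+",
     _has(r"^aaa authentication login \S+ group tacacs\+")),
    ("ntp_authentication", "NTP authentication",
     lambda cfg: _has(r"^ntp authenticate\s*$")(cfg) and _has(r"^ntp trusted-key \d+")(cfg)),
    ("unneeded_services_off", "turn off unneeded services",
     lambda cfg: _lacks(r"^ip http server\s*$")(cfg) and _lacks(r"^ip source-route\s*$")(cfg)),
    ("log_unauthorized_access", "log unauthorized access attempts",
     lambda cfg: _has(r"^logging \d+\.\d+\.\d+\.\d+")(cfg)
     and _has(r"^access-list \d+ deny\s+.*\blog\s*$")(cfg)),
    ("routing_update_auth", "authenticate routing updates",
     _has(r"^\s*(ip ospf message-digest-key \d+ md5|area \d+ authentication message-digest|"
          r"ip rip authentication mode|neighbor \S+ password|key chain )")),
]

# Constructed: the kind of config the slide warns about
WEAK_CONFIG = """\
hostname edge-rtr
ip http server
ip source-route
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password cisco
 transport input telnet
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
"""

# Constructed: the same router with every item on the slide applied
HARDENED_CONFIG = """\
hostname edge-rtr
no ip http server
no ip source-route
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.168.253.54 key PLACEHOLDER
ntp authenticate
ntp authentication-key 1 md5 PLACEHOLDER
ntp trusted-key 1
logging 192.168.253.56
access-list 10 permit 192.168.253.0 0.0.0.255
access-list 10 deny any log
snmp-server community Txo~QbW3XM RO 98
access-list 98 permit host 192.168.253.51
interface Serial0
 ip ospf message-digest-key 1 md5 PLACEHOLDER
router ospf 1
 area 0 authentication message-digest
 network 10.0.0.0 0.255.255.255 area 0
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
"""


def audit(cfg):
    """Return {check name: passed} for one configuration text."""
    return {name: bool(pred(cfg)) for name, _item, pred in CHECKS}


def failures(cfg):
    """Names of the hardening items the configuration does not satisfy."""
    return [name for name, passed in audit(cfg).items() if not passed]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: failed checks -> {failures(cfg) or 'none'}")
```

Run it against a `show running-config` capture; the weak sample fails every check, the hardened one passes. The `deny ... log` test on the vty access list is what produces the "unauthorized access attempt" log lines the slide asks for.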

Page 14: Switches are Targets

• Protection needs are similar to routers
• VLANs add exposure of their own:
  - remove user ports from auto-trunking (a user port that negotiates a trunk can reach every VLAN)
  - use a dedicated VLAN that carries no user ports as the native VLAN on trunk ports
  - set unused ports to a non-routed VLAN
  - do not depend on VLAN separation as a security boundary
  - use Private VLANs

Page 15: ARP Spoof Mitigation: Private VLANs

Diagram: one primary VLAN (only one subnet!) containing promiscuous ports, community VLAN 'A', community VLAN 'B' and an isolated VLAN; the crossed-out links are the host-to-host paths that PVLANs block.

• PVLANs isolate traffic into specific communities to create distinct "networks" within a normal VLAN: isolated ports reach only the promiscuous ports (typically the default gateway), community ports reach the promiscuous ports and the other members of their own community, promiscuous ports reach everything
• Note: most inter-host communication is disabled with PVLANs turned on, which is what prevents a host from answering ARP requests on behalf of a neighbour on the same subnet

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_1/conf_gd/vlans.htm#xtocid854519

Page 16: Networks are Targets

• DDoS attacks (ICMP floods, TCP SYN floods, UDP floods) cannot be stopped by the victim network alone; the upstream provider has to filter or rate-limit as well
• Packets with RFC 1918 or your own local addresses as source should only ever originate locally; drop them when they arrive from outside
• IP address spoofing can be mitigated by filtering out packets whose source address was not assigned to the network they arrive from (RFC 2827 ingress filtering)

Page 17: RFC 2267 Filtering (RFC 2267 has since been replaced by RFC 2827 / BCP 38)

Topology: ISP network, Serial n, Customer network 142.142.0.0/16

Ingress to the Internet, applied on the ISP's customer-facing interface. Ingress packets must be from customer addresses:

  interface Serial n
   ip access-group 101 in
  !
  access-list 101 permit ip 142.142.0.0 0.0.255.255 any
  access-list 101 deny ip any any

Egress from the Internet, applied on the interface facing the Internet. Packets arriving from the Internet cannot legitimately carry a customer source address (ACL 120), and packets leaving must carry one (ACL 130), so both directions are checked:

  interface Serial n
   ip access-group 120 in
   ip access-group 130 out
  !
  access-list 120 deny ip 142.142.0.0 0.0.255.255 any
  access-list 120 permit ip any any
  !
  access-list 130 permit ip 142.142.0.0 0.0.255.255 any
  access-list 130 deny ip any any

Page 18: RFC 1918 Filtering

Topology: ISP network, Serial n, Customer network

Ingress to the Internet, applied on the ISP's customer-facing interface. Private (RFC 1918) source addresses must never leave the customer network:

  interface Serial n
   ip access-group 101 in
  !
  access-list 101 deny ip 10.0.0.0 0.255.255.255 any
  access-list 101 deny ip 192.168.0.0 0.0.255.255 any
  access-list 101 deny ip 172.16.0.0 0.15.255.255 any
  access-list 101 permit ip any any

The wildcard 0.15.255.255 covers 172.16.0.0 through 172.31.255.255, the whole 172.16.0.0/12 block.
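The access lists on pages 17 and 18 rely on the same wildcard-mask matching, so one added example covers both (this is not code from the Cisco SAFE deck). It implements a minimal matcher for the IOS access-list syntax used on the slides and runs constructed packets through the customer-edge, RFC 2827 and RFC 1918 filters; the packet addresses are made up, only the 142.142.0.0/16 customer prefix comes from the slides.

```python
"""Evaluate the RFC 2827 (page 17) and RFC 1918 (page 18) access lists against sample packets.

Added example, not part of the Cisco SAFE deck: a minimal matcher for the
IOS access-list syntax used on the slides (permit/deny, the `ip` protocol
keyword, address plus wildcard mask, `any`, `host`), with IOS's first-match
and implicit-deny semantics. The packet addresses below are constructed;
142.142.0.0/16 is the customer prefix from the slides.
"""
import ipaddress
from dataclasses import dataclass

ANY = (0, 0xFFFFFFFF)  # address 0 with an all-ones wildcard matches everything


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens):
    """Consume one IOS address spec from the token list; return (address, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return _to_int(tokens.pop(0)), 0
    return _to_int(tok), _to_int(tokens.pop(0))


@dataclass
class Entry:
    action: str   # "permit" or "deny"
    src: tuple    # (address, wildcard): wildcard 1-bits are "don't care"
    dst: tuple


def _matches(spec, addr):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def parse_acl(text, number):
    """Return the entries of access list `number` from a config text, in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", str(number)]:
            continue
        action, rest = tokens[2], tokens[3:]
        if rest[0] == "ip":                       # extended ACL protocol keyword
            rest.pop(0)
        src = _parse_addr(rest)
        dst = _parse_addr(rest) if rest else ANY  # standard ACL: any destination
        entries.append(Entry(action, src, dst))
    return entries


def evaluate(entries, src, dst):
    """First matching entry decides; IOS appends an implicit deny."""
    s, d = _to_int(src), _to_int(dst)
    for e in entries:
        if _matches(e.src, s) and _matches(e.dst, d):
            return e.action
    return "deny"


# Access lists as they appear on pages 17 and 18
CUSTOMER_EDGE = """\
access-list 120 deny ip 142.142.0.0 0.0.255.255 any
access-list 120 permit ip any any
access-list 130 permit ip 142.142.0.0 0.0.255.255 any
access-list 130 deny ip any any
"""
ISP_RFC2827 = """\
access-list 101 permit ip 142.142.0.0 0.0.255.255 any
access-list 101 deny ip any any
"""
ISP_RFC1918 = """\
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
"""


def spoof_checks():
    """Run constructed packets (src, dst) through each filter; return {label: action}."""
    inbound = parse_acl(CUSTOMER_EDGE, 120)    # 'in' on the Internet-facing interface
    outbound = parse_acl(CUSTOMER_EDGE, 130)   # 'out' on the same interface
    isp_2827 = parse_acl(ISP_RFC2827, 101)
    isp_1918 = parse_acl(ISP_RFC1918, 101)
    return {
        # Internet host forging a customer source address is dropped on the way in
        "inbound_spoofed_customer_src": evaluate(inbound, "142.142.7.7", "142.142.42.1"),
        "inbound_legit": evaluate(inbound, "198.51.100.9", "142.142.42.1"),
        # A customer host forging an outside source address cannot leave
        "outbound_spoofed_src": evaluate(outbound, "203.0.113.5", "198.51.100.9"),
        "outbound_legit": evaluate(outbound, "142.142.10.20", "198.51.100.9"),
        # ISP side: only the customer's prefix may enter the Internet from this link
        "isp_2827_customer": evaluate(isp_2827, "142.142.10.20", "198.51.100.9"),
        "isp_2827_other": evaluate(isp_2827, "203.0.113.5", "198.51.100.9"),
        # RFC 1918 sources are dropped; 172.31.x falls inside 172.16.0.0/12
        "isp_1918_private": evaluate(isp_1918, "172.31.200.1", "198.51.100.9"),
        "isp_1918_public": evaluate(isp_1918, "142.142.10.20", "198.51.100.9"),
    }


if __name__ == "__main__":
    for label, action in spoof_checks().items():
        print(f"{label:30} {action}")
```

The matcher deliberately keeps IOS's inverted-mask convention (1 bits in the wildcard are ignored) rather than converting to prefix lengths, so a wildcard such as 0.15.255.255 is evaluated exactly as the router does it.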

Page 19: Hosts are Targets

• High visibility makes them easy targets
• Ensure that the various host components are compatible and at the latest version:
  - hardware platform/devices
  - operating system and updates
  - standard applications and patches
  - shareware scripts

Page 20: Applications are Targets

• The complexity of applications leaves them open to vulnerabilities introduced by human error
• Host- and network-based IDS focus on recognizing attack signatures and taking action:
  - shunning/blocking
  - alarm/warning
  - simply logging

Page 21: Secure Management and Reporting

• Logging levels
• NTP (consistent timestamps across devices, so logs can be correlated)
• Out-of-band management
• IPsec, SSH or SSL for in-band management traffic
• SNMP
• Change management

Page 22: Cisco SAFE Enterprise Network Design Modules

• Enterprise Campus: Building, Building Distribution, Management, Server, Core, Edge Distribution
• Enterprise Edge: E-Commerce, Corporate Internet, VPN and Remote Access, WAN
• SP Edge: ISP A, ISP B, PSTN, Frame/ATM

Page 23: Campus Network Section

- Management Module
- Building Access and Distribution
- Core and Server Modules
- Edge Distribution Module

Page 24: Management Module

• Out-of-band management
  - separate physical networks
  - separate address space (192.168.25x.xxx on the slide)
  - use IPsec if physical separation is not possible
• Firewall between the management subnet and the managed-device subnets

Page 25: Management Module (cont'd)

• Isolate managed ports to minimize the impact of a compromised device
• NIDS and HIDS on the management subnet
• One-time passwords for authentication of administrators
• SNMP read-only, with the community bound to an access list that permits only the management station:

  snmp-server community Txo~QbW3XM RO 98
  access-list 98 permit host 192.168.253.51

  SNMPv1/v2c send the community string in the clear, so the access list, not the string alone, is what limits who can query the device.

Page 26: Attack Mitigation Roles for Management Module

Components: OTP Server, Access Control Server, Network Monitoring, IDS Director, Syslog 1 and Syslog 2, System Admin host, IOS terminal server, switch, out-of-band network to all device console ports, management routers eIOS-91 and eIOS-21.

Mitigation roles:
• Host IDS for local attack
• Two-factor authentication (OTP server)
• AAA services (access control server)
• Read-only SNMP
• SSH where possible
• Config and content management
• Out-of-band config management via the console ports
• Encrypted in-band network management
• Network log data (syslog)
• Comprehensive Layer 4-7 analysis
• Stateful packet filtering and IPsec termination for management
• Private VLANs

Page 27: Campus Network Section (cont'd): Building Access and Distribution

Page 28: Enterprise Campus Detail

Diagram of the campus modules and their components:
• Management Module: OTP Server, Access Control Server, Network Monitoring, IDS Director, Syslog 1, Syslog 2, System Admin, Term Server (IOS)
• Building Module (Users) and Building Distribution Module
• Core Module
• Server Module: Corporate Server, Internal Email, Dept. Server, Cisco Call Manager
• Edge Distribution Module, with links to the eCommerce, Corporate Internet, VPN/Remote Access and WAN modules

Page 29: Attack Mitigation Roles for Building and Distribution Modules

• Building Distribution (toward the Core Module): inter-subnet filtering, RFC 2827 filtering
• Building (access) Module: host virus scanning, VLANs

Page 30: Campus Network Section (cont'd): Core and Server Modules

Page 31: Attack Mitigation Roles for Core and Server Modules

Servers shown: Internal Email, Dept. Server, Call Manager; the Core Module links the Edge Distribution and Building Distribution modules.
• Host IDS for local attack (on the servers)
• NIDS for server attacks
• Private VLANs for server connections
• RFC 2827 filtering

Page 32: Campus Network Section (cont'd): Edge Distribution Module

Page 33: Attack Mitigation Roles for Edge Distribution Module

The Edge Distribution Module connects the Core Module to the eCommerce, Corporate Internet, VPN/Remote Access and WAN modules.
• Layer 3 access control
• RFC 2827 filtering

Page 34: Edge Network Section

- Corporate Internet Module
- Remote Access and VPN Module
- WAN Module
- E-Commerce Module
- ISP Filtering

Page 35: Enterprise Edge: Detail

Diagram: eCommerce Module and Corporate Internet Module, connected inward to the Edge Distribution Module and outward to the ISP A and ISP B modules; the Corporate Internet Module also links to the VPN/Remote Access Module.

Page 36: Attack Mitigation Roles for Corporate Internet Module

Connects to ISP A, to the Edge Distribution Module and to the VPN/Remote Access Module. Roles shown, from the ISP inward:
• Spoof mitigation, basic filtering
• Spoof mitigation, (D)DoS rate-limiting
• Broad Layer 4-7 analysis
• Stateful packet filtering, basic Layer 7 filtering, host DoS mitigation
• Focused Layer 4-7 analysis (on the public-services and inside segments)
• Host IDS local attack mitigation
• SMTP content inspection
• Inspect outbound traffic for unauthorized URLs

Page 37: Edge Network Section (cont'd): Remote Access and VPN Module

Page 38: VPN/Remote Access: Detail

Diagram: VPN/Remote Access Module (connected to the Edge Distribution Module and to the Corporate Internet Module), WAN Module with Frame/ATM Module (FR/ATM), and PSTN Module (PSTN).

Page 39: Attack Mitigation Roles for Remote Access VPN Module

Connects to the Edge Distribution Module and, via the Corporate Internet Module, to the Internet.
• Authenticate remote site, terminate IPsec (site-to-site VPN)
• Authenticate users, terminate IPsec (remote-access VPN)
• Authenticate users, terminate analog dial (PSTN)
• Allow only IPsec traffic in from the Internet via the Corporate Internet Module
• Stateful packet filtering, basic Layer 7 filtering
• Focused Layer 4-7 analysis and broad Layer 4-7 analysis

Page 40: Edge Network Section (cont'd): WAN Module

Page 41: Enterprise Edge: Detail (same diagram as page 38: VPN/Remote Access, WAN, PSTN and Frame/ATM modules)

Page 42: Classic WAN Module: Detail and Attack Mitigation

The classic WAN (Frame Relay/ATM, routers eIOS-61 and eIOS-62, connected to the Edge Distribution Module) is not often addressed in a security context. Man-in-the-middle attacks can be mitigated by several IOS features:
- Layer 3 access control
- IPsec encryption (optional)

Page 43: Edge Network Section (cont'd): E-Commerce Module

Page 44: Enterprise Edge: Detail (same diagram as page 35: eCommerce, Corporate Internet, ISP A and ISP B modules)

Page 45: E-Commerce Traffic Flow

Incoming requests arrive from the ISP Module, pass through the E-Commerce Module tiers (Web servers, Application servers, Database) and reach the Edge Distribution Module. Successive filtering points apply Layer 1-3, Layer 4 and Layer 5-7 controls between the tiers.

Page 46: Attack Mitigation Roles for E-Commerce Module

Roles shown, from the ISP side toward the Edge Distribution Module:
• Spoof mitigation, (D)DoS rate limiting, Layer 4 filtering
• Stateful packet filtering, basic Layer 7 filtering, host DoS mitigation
• Broad Layer 4-7 analysis, wire-speed access control
• Focused Layer 4-7 analysis (on each server segment)
• Host IDS for local attack mitigation

Page 47: Edge Network Section (cont'd): ISP Filtering

Page 48: Service Provider Filtering

• Best in e-commerce environments
• DDoS mitigation
• Bandwidth optimization: attack traffic is dropped before it consumes the customer's access link
• RFC 1918 and RFC 2827 filtering

Diagram: an Attacker and a DDoS Agent on the Internet; behind the provider's filter sit the customer's Public Services, Internal Services and Internal Users.
• Source Attacker, destination Public Services, port 23 (Telnet): blocked
• Source DDoS Agent, destination Public Services, UDP flood: blocked
• Traffic to Public Services on ports 80 and 443: permitted

Page 49: CAR Rate Limiting

Committed Access Rate syntax: rate-limit {input|output} access-group <acl> <bps> <normal-burst-bytes> <extended-burst-bytes> conform-action <action> exceed-action <action>. Packets permitted by the access list are measured against the rate; packets denied by it are not dropped, they simply bypass this rate-limit statement.

Limit outbound ping to 8 Kbps:

  interface xy
   rate-limit output access-group 102 8000 8000 8000 conform-action transmit exceed-action drop
  !
  access-list 102 permit icmp any any echo
  access-list 102 permit icmp any any echo-reply

Limit inbound TCP SYN packets to 256 Kbps:

  interface xy
   rate-limit input access-group 103 256000 8000 8000 conform-action transmit exceed-action drop
  !
  access-list 103 deny tcp any host 142.142.42.1 established
  access-list 103 permit tcp any host 142.142.42.1

In access list 103 the deny of established segments (ACK or RST set) excludes ongoing connections from the limit, so only connection-opening SYNs to 142.142.42.1 are rate-limited.
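As an added example (not code from the Cisco SAFE deck), the two policies above can be simulated with a token bucket to see what the burst parameters actually do. The model assumes `rate-limit <bps> <normal> <extended>` behaves as a bucket of `normal` bytes refilled at bps/8 bytes per second, and leaves out CAR's extended-burst borrowing, which does not apply when extended equals normal as on the slide; the two floods are constructed traffic, already selected by the slide's access lists.

```python
"""Simulate the two CAR policies above with a token bucket.

Added example, not part of the Cisco SAFE deck. `rate-limit <bps> <normal> <extended>`
is modelled as a bucket of `normal` bytes refilled at bps/8 bytes per second; a packet
conforms when the bucket holds at least its size, otherwise it exceeds and is dropped.
CAR's extended-burst borrowing is not modelled: the slide sets extended == normal,
and with equal values CAR does no borrowing, so this simple bucket reproduces that case.
Time is kept in integer milliseconds and tokens as exact fractions so the counts are
deterministic. The floods below are constructed traffic; the slide's access lists are
assumed to have already selected these packets for each policy.
"""
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class CarPolicy:
    bps: int             # committed rate in bits per second
    normal_burst: int    # bucket depth in bytes
    extended_burst: int  # must equal normal_burst in this model
    tokens: Fraction = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self):
        if self.extended_burst != self.normal_burst:
            raise ValueError("extended-burst borrowing not modelled; use extended == normal")
        self.tokens = Fraction(self.normal_burst)   # bucket starts full

    def offer(self, t_ms, size):
        """Offer a packet of `size` bytes at time t_ms; return 'transmit' or 'drop'."""
        refill = Fraction((t_ms - self.last_ms) * self.bps, 8000)  # bytes accrued since last packet
        self.tokens = min(Fraction(self.normal_burst), self.tokens + refill)
        self.last_ms = t_ms
        if self.tokens >= size:
            self.tokens -= size      # conform-action transmit
            return "transmit"
        return "drop"                # exceed-action drop: no tokens consumed


def apply(policy, packets):
    """Offer every (t_ms, size) packet in order; return (transmitted, dropped) counts."""
    transmitted = dropped = 0
    for t_ms, size in packets:
        if policy.offer(t_ms, size) == "transmit":
            transmitted += 1
        else:
            dropped += 1
    return transmitted, dropped


# Constructed traffic: one packet per millisecond for one second
PING_FLOOD = [(ms, 100) for ms in range(1000)]        # 100-byte echoes = 800 kbps offered
SYN_FLOOD = [(ms, 64) for ms in range(1000)]          # 64-byte SYNs   = 512 kbps offered
NORMAL_PINGS = [(i * 100, 100) for i in range(100)]   # 10 pings/s = 8 kbps, exactly the limit


def ping_limit(packets=PING_FLOOD):
    """The slide's first policy: rate-limit ... 8000 8000 8000."""
    return apply(CarPolicy(8000, 8000, 8000), packets)


def syn_limit(packets=SYN_FLOOD):
    """The slide's second policy: rate-limit ... 256000 8000 8000."""
    return apply(CarPolicy(256000, 8000, 8000), packets)


if __name__ == "__main__":
    print("ping flood   (transmitted, dropped):", ping_limit())
    print("syn flood    (transmitted, dropped):", syn_limit())
    print("normal pings (transmitted, dropped):", ping_limit(NORMAL_PINGS))
```

The 8000-byte normal burst lets the first 80 packets of the ping flood through untouched before the bucket empties; after that the bucket refills at 1000 bytes per second, so one 100-byte echo passes every 100 ms and the sustained output settles at the configured 8 Kbps. A stream that stays at or below the rate is never touched.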

Page 50: Cisco SAFE Ecosystem: Security & VPN Associates

Partner categories: Identity, Application Security, Security Management & Monitoring, Secure Connectivity, Perimeter Security

Cisco.com/go/securityassociate

Page 51: For more information…

Cisco.com/go/security
Cisco.com/go/SAFE