8/7/2019 Principles of Secure Network Design_020-BC[1]
1/15
Principles of Secure Network Design and Security Awareness
Submitted by: Bill Chadwick
Technical Education Specialist
CCNA, CCNP, CCDA, CCDP, CCSP, CCSI
Content Consulting, Learning@Cisco
Cisco Systems, Inc.
July 15, 2008
File under CCNA-Security (IINS)
Principles of Secure Network Design
This topic describes the system-level security principles that you should consider throughout
the lifecycle of a secure network.
Business goals and risk analysis drive the need for network security. Regardless of the security
implications, business needs must come first. If your business cannot function because of security concerns, you have a problem. The security system design must accommodate the
goals of the business, not hinder them. Risk analysis includes two key elements:
What does the cost-benefit analysis of your security system tell you?
How will the latest attack techniques play out in your network environment?
The following are the key factors you should consider when designing a secure network:
Business needs: What does your organization want to do with the network?
Risk analysis: What is the risk and cost balance?
Security policy: What are the policies, standards, and guidelines that you need to address
business needs and risks?
Industry best practices: What are the reliable, well-understood, and recommended
security best practices?
Security operations: These operations include incident response, monitoring,
maintenance, and auditing the system for compliance.
2008 Cisco Systems, Inc. All rights reserved.
Secure Network Design Factors
Many factors affect the design of a secure network:
Business needs
Risk analysis
Security policy
Industry best practices
Security operations
[Figure: the security system at the center, surrounded by its five design factors: Business Needs, Risk Analysis, Security Policy (policies, guidelines, standards), Industry Best Practices, and Security Operations (incident response, monitoring, maintenance, and compliance auditing).]
Realistic Assumptions
A lot of security is broken because of unfounded assumptions about users, attackers, and technology.
Assumptions must be set properly and always questioned to ensure their validity:
Expect that anything might fail (identify fail-open elements).
Identify all possible attack paths.
Realistically evaluate availability of exploitation tools.
Account for technology advances.
Assume users will not use systems properly.
Double-check your assumptions with others.
Historically, a huge percentage of security mechanisms are broken, misconfigured, or bypassed
because the designer or implementer made unfounded assumptions about how and where the
system would be used; for example, wrong assumptions were made about the users of the system,
the attackers and threats, and the technology used to build the system.
A wrong assumption ends up being used as a bad axiom in all further design work; it might
influence one design decision, and then propagate to other decisions that might depend on it.
Wrong decisions are especially dangerous in the early stages of secure system design, when
threats are modeled and risks are assessed. It is often easy to correct or enhance an
implementation aspect of a system; however, design errors are either extremely hard or
impossible to correct without substantial investments in time and technology.
The following is a summary of recommendations you should follow to avoid making wrong
assumptions:
First, expect that any aspect of a system might fail, and evaluate how this failure affects the
security of a system. It is possible for every single element of a system to fail; only the
probability of failure might be different for different elements. When designing a system,
perform what-if analysis for failures of every element, assess the probability of failure,
and analyze all possible consequences of an element failure, taking into account consequent
cascading failures of other elements. As a part of the "anything can fail" mindset, identify any
elements that fail open. Fail-open occurs when a failure results in a complete bypass of the
security function of the element. Ideally, any security element should be fail-safe; if the
element fails, it should default to a secure state, such as blocking all traffic across it.
Try to identify all attack possibilities. The attack tree method is one successful method of
top-down analysis of possible system failures, which involves evaluating the simplicity and
probability of every attack.
Realistically evaluate the probability of exploitation. An often-encountered philosophy is
"if there is no exploit code available for a particular vulnerability, no one will be able to
exploit it." This philosophy is true only for script-kiddie attacks, and a sounder stance must
be taken, such as "if a vulnerability exists, any skilled and focused attacker will easily write
a tool to exploit it." The focus should be on the resources that are needed to create an attack
tool, not on the obscurity of the vulnerability.
Always account for technological advances if an attack is currently unlikely because the
attacker needs many resources. As computer power increases, the probability of attacks
might increase with an alarming rate. Many systems have been compromised because of
unrealistic assumptions about how much computing power was necessary to mount successful
attacks; the recommended lengths of cryptographic keys are a prime example.
Assume that people will make mistakes, for example, end users might use a system
improperly, compromising its security unintentionally. Likewise, attackers will not use
common and well-established techniques to compromise a system; they might hammer the
system with seemingly random attacks, looking for possible information on how the system
behaves under unexpected conditions.
Lastly, always check your assumptions with other people, who might have a fresh
perspective on potential threats and their probability. The more people that question your
assumptions, the more likely you can identify a bad assumption.
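A small attack-tree evaluator, added here as an example and not part of the course text, that carries out the analysis the recommendations above describe: it enumerates every path to an attacker's goal, picks the cheapest one, combines the step probabilities, and re-evaluates the tree when one control is assumed to fail open. The tree, its step names, cost figures and probabilities are constructed for illustration.

```python
"""Attack-tree evaluation for the 'expect anything to fail' and 'identify all
attack paths' recommendations. Added example, not part of the course text;
the tree, costs and probabilities are constructed for illustration."""
import copy
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "leaf"        # "leaf", "or" (any child suffices) or "and" (all children needed)
    cost: float = 0.0         # attacker resources the step needs (leaf only), arbitrary units
    prob: float = 0.0         # chance the step succeeds when attempted (leaf only)
    children: List["Node"] = field(default_factory=list)


def all_paths(node: Node) -> List[Tuple[float, List[str]]]:
    """Every combination of leaf steps that reaches `node`, with its total cost."""
    if node.kind == "leaf":
        return [(node.cost, [node.name])]
    child_paths = [all_paths(c) for c in node.children]
    if node.kind == "or":
        return [p for paths in child_paths for p in paths]
    # AND node: one path per child, costs add up
    combos: List[Tuple[float, List[str]]] = [(0.0, [])]
    for paths in child_paths:
        combos = [(c + pc, steps + ps) for c, steps in combos for pc, ps in paths]
    return combos


def cheapest_path(node: Node) -> Tuple[float, List[str]]:
    """The path needing the fewest resources: the one to assume a focused attacker takes."""
    return min(all_paths(node), key=lambda p: p[0])


def success_probability(node: Node) -> float:
    """OR: at least one child succeeds; AND: all children succeed (steps assumed independent)."""
    if node.kind == "leaf":
        return node.prob
    probs = [success_probability(c) for c in node.children]
    result = 1.0
    if node.kind == "or":
        for p in probs:
            result *= 1.0 - p
        return 1.0 - result
    for p in probs:
        result *= p
    return result


def assume_failed_open(tree: Node, control_step: str) -> Node:
    """What-if analysis: the control guarding `control_step` fails open, so the
    step now costs the attacker nothing and always succeeds. The input tree is untouched."""
    tree = copy.deepcopy(tree)
    stack, found = [tree], False
    while stack:
        n = stack.pop()
        if n.kind == "leaf" and n.name == control_step:
            n.cost, n.prob, found = 0.0, 1.0, True
        stack.extend(n.children)
    if not found:
        raise KeyError(control_step)
    return tree


def sample_tree() -> Node:
    """Constructed tree for the web-server example: the goal is reading an internal database."""
    return Node("Read the internal database", "or", children=[
        Node("Via the exposed web server", "and", children=[
            Node("Compromise the web server program", cost=5, prob=0.4),
            Node("Open a connection from the web server to the database", cost=2, prob=0.7),
        ]),
        Node("Via stolen administrator credentials", "and", children=[
            Node("Phish an administrator password", cost=2, prob=0.3),
            Node("Defeat the second authentication factor", cost=8, prob=0.1),
        ]),
        Node("Obtain an unencrypted backup tape", cost=6, prob=0.2),
    ])


if __name__ == "__main__":
    tree = sample_tree()
    print("cheapest path:", cheapest_path(tree))
    print("P(goal):", round(success_probability(tree), 4))
    # The firewall rule that blocks server-sourced connections fails open:
    failed = assume_failed_open(tree, "Open a connection from the web server to the database")
    print("cheapest path if the firewall fails open:", cheapest_path(failed))
    print("P(goal) then:", round(success_probability(failed), 4))
```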
Realistic Assumptions Example
DVD protection assumed that DVD players would be tamper
resistant and the built-in keys would not be disclosed.
Software players were quickly reverse engineered to reveal the CSS algorithm and decryption keys.
US analog cellular assumed that scanners were too expensive for an individual attacker, therefore no encryption was provided.
This was quickly proven wrong.
U.S. digital cellular assumed that digital scanners were too expensive for an individual attacker, therefore no encryption was provided.
This was also proven wrong.
Three examples of wrong assumptions come from areas not directly related to network security.
The encryption of DVD movies, which uses a weak algorithm called Content Scrambling
System (CSS), is an example of bad assumptions made about the scope of system use. The
original assumption was that DVD discs would be played only on hardware players, where the
decryption keys could be stored in a tamper-resistant chip inside the player, making it
extremely hard for even skilled attackers to compromise the DVD discs. However, when
software DVD players appeared, the DVD discs were quickly reverse engineered, because
making software tamper resistant is next to impossible against a determined attacker. The keys
were recovered from one of the well-known players, and an algorithm was published on the
Internet, together with the keys.
The response strategy of the DVD industry was to try to ban the publishing of the CSS
algorithm and keys, but the decision of the court that the CSS algorithm source code was
essentially free speech stopped much of their efforts.
Another example of a wrong or poor assumption was the lack of encryption of US cellular
traffic. When cellular phones were first introduced, the assumption was that scanners, which
could intercept cellular traffic, were too expensive to mount any large-scale attacks against call
confidentiality in cellular networks. In a couple of years, the price of these scanners dropped to
the point that the scanners were available to virtually anyone. Thus, bad assumptions compromised the protection policy of the cellular network.
The next-generation U.S. cellular service uses digital transmission, but the same assumption
was made, that digital scanners are too expensive. As technology advances, the same story has
unfolded for the digital transmissions.
Least Privilege Concept
A subject should have the minimal necessary privileges to
perform a task.
This applies to users, programs, hosts, and so on.
This is perhaps the most important concept in a secure system design.
This concept enhances simplicity because it narrows down the window of vulnerability.
It limits possible unwanted interaction of system components.
This concept is often not followed because it can make a system cumbersome to use.
The least privilege concept is a philosophy in which each subject, user, program, host, and so
on, should have only the minimum necessary privileges to perform a certain task.
The rationale behind the concept is that having too many privileges for a task can result in
doing more damage than would otherwise be possible, whether the damage is intentional or
unintentional. Using least privilege always narrows down the window of vulnerability,
because it reduces the number of possible side effects of a task. Least privilege also simplifies a
system when you analyze it for possible flaws, because if you allow only a very limited set
of prescribed actions and system states, the potential for unwanted interactions within a system
is limited.
In practice, the least privilege concept is often not followed, because a person or process must
perform multiple tasks that require different privileges. Because the configuration of privileges
in such an environment is often cumbersome, a person or process is given high (or even worse,
the highest possible) privileges, which automatically enables them to perform a variety of tasks,
including the tasks originally required. This configuration of privileges opens up a system to
additional threats and interactions, which might not be expected.
Least Privilege Example
Inside and outside users only need access to the web server program on the exposed host.
The web server does not need to open any connections to the inside or outside.
The firewall enforces those minimal permissions.
[Figure: a web server on a firewall between the Internet and the inside network. The firewall permits HTTP only from each side to the web server and denies all other traffic.]
The figure shows an example of proper least-privilege enforcement. A web server is located
inside a firewall system, and must be accessed by inside and outside users. No other access to
the system is necessary, and the system does not need to open any connections itself; it is a
simple static web server.
In the example, the firewall is configured to permit only HTTP connectivity to the server, from
both the inside interface and the outside interface. The firewall denies all other connections to the
server because they are not necessary. Also, the firewall prevents the web server from sourcing
any connections because they are not required. An attacker who compromised the web
server would be isolated on it, because no connectivity is allowed from the web server.
In such a situation, many organizations would permit all access to the web server from the
inside. This level of access opens up the server for insider attacks, or enables an attacker, who
managed to enter the protected network, to also attack any service running on the web server.
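The firewall policy of this example, modelled as a small stateful packet filter; this is added example code, not Cisco's, and the addresses, ports and traffic are constructed. It shows why "deny all" plus "no server-sourced connections" still lets HTTP replies through: a reply matches an established client flow, while a connection the server opens matches no rule.

```python
"""The least-privilege firewall policy from the web-server example as a tiny
stateful packet filter. Added example, not from the course; addresses and
packets are constructed (TEST-NET and private ranges)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

WEB_SERVER = "192.0.2.10"   # constructed address of the exposed host
HTTP_PORT = 80


@dataclass(frozen=True)
class Packet:
    zone: str      # interface the packet arrived on: "inside", "outside" or "dmz" (server side)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool      # True for a segment that opens a new TCP connection


class LeastPrivilegeFirewall:
    """Permit HTTP to the server from inside and outside; deny everything else,
    including any connection the server tries to open itself."""

    def __init__(self, server: str = WEB_SERVER, port: int = HTTP_PORT) -> None:
        self.server, self.port = server, port
        # Established flows, keyed as (client, client port); all are to server:port.
        self.flows: Set[Tuple[str, int]] = set()

    def filter(self, p: Packet) -> str:
        to_server = p.dst == self.server and p.dport == self.port
        from_server = p.src == self.server and p.sport == self.port and p.zone == "dmz"
        # Rule 1: a new HTTP connection to the server from either side is permitted.
        if p.syn and to_server and p.zone in ("inside", "outside"):
            self.flows.add((p.src, p.sport))
            return "permit"
        # Rule 2: further client segments on an established HTTP flow.
        if not p.syn and to_server and (p.src, p.sport) in self.flows:
            return "permit"
        # Rule 3: the server's replies on an established flow. This is return
        # traffic; a SYN from the server never matches, so it cannot source connections.
        if not p.syn and from_server and (p.dst, p.dport) in self.flows:
            return "permit"
        # Rule 4: deny all, which covers every other service on the server and
        # every connection attempt originating from it.
        return "deny"


def run_scenario() -> List[str]:
    """Constructed traffic: verdicts in order, showing what the policy permits and denies."""
    fw = LeastPrivilegeFirewall()
    packets = [
        Packet("outside", "203.0.113.7", 40001, WEB_SERVER, 80, syn=True),   # outside user opens HTTP
        Packet("dmz", WEB_SERVER, 80, "203.0.113.7", 40001, syn=False),      # server replies
        Packet("outside", "203.0.113.7", 40001, WEB_SERVER, 80, syn=False),  # client continues
        Packet("inside", "10.1.1.20", 50002, WEB_SERVER, 80, syn=True),      # inside user opens HTTP
        Packet("inside", "10.1.1.20", 50003, WEB_SERVER, 22, syn=True),      # SSH to server: not needed
        Packet("dmz", WEB_SERVER, 33000, "10.1.1.5", 445, syn=True),         # server reaching inside host
        Packet("dmz", WEB_SERVER, 33001, "198.51.100.9", 443, syn=True),     # server calling out to the Internet
        Packet("dmz", WEB_SERVER, 80, "198.51.100.9", 4444, syn=False),      # "reply" to a flow that never existed
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```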
You can see another example of least privilege enforcement by looking at the web server host
itself. The host runs an exposed web server program, which is expected to be attacked by
external crackers. Therefore, the web server program must be protected, and at the same time,
other processes and data on the host must be protected from the attacker, who can potentially
compromise the web server program. To protect the rest of the operating system, you can use
several well-known techniques, all of which implement the least privilege concept:
Run the web server program under a special username, which has minimal rights in the host
operating system (it can listen on port 80 and it can access its data on disk).
Set the file permissions in such a way that the web server program can access only its
executable code (which is not owned by it, so it cannot be changed by it), and the
documents it is serving (HTML, multimedia files).
Configure the operating system to limit the web server program to a part of the file
system, disallowing it access to any other directories, for example, using the UNIX chroot
system call.
Design and Implementation Simplicity
Complexity makes parts of the system interact in unpredictable ways.
The system can be hard or impossible to analyze.
Complexity is often considered the biggest enemy of security design.
You should make design and implementation simple and straightforward.
You should use multiple simple security features instead of one complex one, as long as they are comparable in protection strength.
Make sure that the user of the system understands it well
enough to use it properly.
Complexity is one of the biggest enemies of security. Complexity makes it hard for the
designer or implementer to predict how parts of the system will interact, and makes the system
hard or impossible to analyze from the security perspective. Simplicity of design and
implementation should therefore be one of the main goals of the designer.
When you must implement a security mechanism, it is always recommended to use the simplest
possible solution, which still provides an adequate level of security. When you need to put in
place a very complex mechanism, consider replacing it with multiple simpler, and easier to
verify mechanisms, as long as the resulting protection strength is comparable to the original
idea.
Also, simplicity is beneficial for the end users of the system. If the end user does not
understand the system adequately, the system can be compromised through unintentional
misuse. It is important to note that end users do not need to be aware of the internal workings of
the system, but the usage instructions should be simple and concise, as far as security is
concerned.
Simplicity Example
Simplicity in protection policy makes it easier to implement.
End-user responsibilities: All end users will participate in risk mitigation by
enforcing discretionary access control on file system objects in such a way as to prevent
external subjects from violating the integrity of the properties or contents of an object.
vs.
End-user responsibilities: When changing file permissions, ensure that only Cisco employees
will have write access to that file.
You can find an example of design and implementation simplicity in the formulation of a user
security policy. The example shows two ways to formulate a security policy, which is enforced
by the end user. An overly technical, confusing formulation alienates users, while a simple and
concise formulation enables the user to easily comprehend the required procedures and
understand why such protection must be put in place.
Note: In short, simplicity in design often makes the implementation of security simpler.
You can also achieve simplicity by intentionally removing functionality from existing systems.
This concept introduces the well-known practice of disabling all unnecessary services that a
system offers. Disabling these services removes many potential attack possibilities; you could
identify this as the enforcement of least privilege (running only the minimal necessary set of
services), and it makes the system easier to analyze. The figure shows a Cisco IOS router that
has been hardened by disabling unnecessary features.
Another way to simplify security is to help simplify end user functions. For example, if e-mail
needs to be encrypted when it goes to external business partners, a solution that would be the
simplest for end users is to take the end users out of the equation and use technology to perform
automated encryption of the e-mail. A mail gateway can be configured to automatically encrypt
all outgoing mail.
Security Awareness
This topic describes how training and other awareness techniques can help you increase the
effectiveness of a security policy.
The three pillars of a successful security awareness program are:
Awareness
Education
Training
An effective security awareness and training program requires:
Proper planning
Proper implementation
Maintenance
Periodic evaluation
Security Awareness
Technical, administrative, and physical controls can all be defeated without the participation of
the end user community. In order to get accountants and secretaries to think about information
security you must attempt to regularly remind staff members about security. The technical staff
also needs regular reminders because their jobs tend to emphasize performance rather than
secure performance. Therefore, leadership must develop a nonintrusive program that keeps
everyone aware of security and how to work together to maintain the security of their data. The
three key components that are used to implement this type of program are awareness, training,
and education.
An effective computer security awareness and training program requires proper planning,
implementation, maintenance, and periodic evaluation. In general, a computer security
awareness and training program should encompass the following seven steps:
Identify program scope, goals, and objectives: The scope of the program should provide
training to all types of people who interact with IT systems. Because users need training
that relates directly to their use of particular systems, you need to supplement a large
organization-wide program by more system-specific programs.
Identify training staff: It is important that trainers have sufficient knowledge of computer
security issues, principles, and techniques. It is also vital that they know how to
communicate information and ideas effectively.
Identify target audiences: Not everyone needs the same degree or type of computer
security information to do their jobs. A computer security awareness and training program
that distinguishes between groups of people, presents only the information that is needed by
the particular audience, and omits irrelevant information will have the best results.
Motivate management and employees: To successfully implement an awareness and
training program, it is important to gain the support of management and employees.
Consider using motivational techniques to show management and employees how their
participation in a computer security and awareness program will benefit the organization.
Administer the program: Several important considerations for administering the program
include visibility, selection of appropriate training methods, topics, materials, and
presentation techniques.
Maintain the program: You should make an effort to keep abreast of changes in computer
technology and security requirements. A training program that meets the needs of an
organization today may become ineffective when the organization starts to use a new
application or changes its environment, such as by connecting to the Internet.
Evaluate the program: An evaluation should attempt to ascertain how much information
is retained, to what extent computer security procedures are being followed, and the general
attitudes toward computer security.
Awareness
Often an overlooked part of the security practitioner's job
Can be overdone; moderation is a good thing with awareness
Examples of things that increase awareness:
Lectures, videos, and computer-based training
Posters, newsletter articles, and bulletins
Awards for good security practices
Reminders such as login banners, mouse pads, coffee cups, and notepads
A successful IT security program consists of: 1) developing IT security policy that reflects
business needs tempered by known risks; 2) informing users of their IT security
responsibilities, as documented in agency security policy and procedures; and 3) establishing
processes for monitoring and reviewing the program.
You should focus security awareness and training on the entire user population of the
organization. Management should set the example for proper IT security behavior within an
organization. An awareness program should begin with an effort that you can deploy and
implement in various ways and is aimed at all levels of the organization including senior and
executive managers. The effectiveness of this effort usually determines the effectiveness of the
awareness and training program and how successful the IT security program will be.
An awareness and training program is crucial because it is the vehicle for disseminating
information that users, including managers, need in order to do their jobs. An IT security
program is the vehicle that you use to communicate security requirements across the enterprise.
An effective IT security awareness and training program explains proper rules of behavior for
the use of the IT systems and information of a company. The program communicates IT
security policies and procedures that must be followed. This program must precede and lay the
foundation for any sanctions that your company will impose due to noncompliance. You should
first inform the users of the expectations. You must derive accountability from a fully informed,
well-trained, and aware workforce.
Security awareness efforts are designed to change behavior or reinforce good security practices.
Awareness is defined in NIST Special Publication 800-16 as follows: Awareness is not
training. The purpose of awareness presentations is simply to focus attention on security.
Awareness presentations are intended to allow individuals to recognize IT security concerns
and respond accordingly. In awareness activities, the learner is the recipient of information,
whereas the learner in a training environment has a more active role. Awareness relies on
reaching broad audiences with attractive packaging techniques. Training is more formal,
having a goal of building knowledge and skills to facilitate the job performance.
An example of a topic for an awareness session (or awareness material to be distributed) is
virus protection. You can briefly address the subject by describing what a virus is, what can
happen if a virus infects a user system, what the user should do to protect the system, and what
the user should do if they discover a virus.
Education and Training
Security training for end users
Awareness training for groups with sensitive positions
Technical security training for the IT staff
Advanced INFOSEC training for the security practitioners
Specialized training for senior management
Training strives to produce relevant and needed security skills and competencies by
practitioners of functional specialties other than IT security, for example, management, systems
design and development, acquisition, and auditing. The most significant difference between
training and awareness is that training tries to teach skills, which allow a person to perform a
specific function, while awareness focuses the attention of an individual on an issue or set
of issues. The skills that users acquire during training build upon the awareness foundation, in
particular, upon the security basics and literacy material. A training curriculum does not
necessarily lead to a formal degree from an institution of higher learning; however, a training
course may contain much of the same material found in a course that a college or university
includes in a certificate or degree program.
An example of training is an IT security course for system administrators, which should address
in detail the management controls, operational controls, and technical controls that should be
implemented. Management controls include policy, IT security program management, risk
management, and life-cycle security. Operational controls include personnel and user issues,
contingency planning, incident handling, awareness and training, computer support and
operations, and physical and environmental security issues. Technical controls include
identification and authentication, logical access controls, audit trails, and cryptography.
Education integrates all of the security skills and competencies of the various functional
specialties into a common body of knowledge, adds a multidisciplinary study of concepts,
issues, and principles (technological and social), and strives to produce IT security specialists
and professionals capable of vision and proactive response.
An example of education is a degree program at a college or university. Some people take a
course or several courses to develop or enhance their skills in a particular discipline. This is
training as opposed to education. Many colleges and universities offer certificate programs,
wherein a student may take two, six, or eight classes, for example, in a related discipline, and
be awarded a certificate upon completion. Often, these certificate programs are conducted as a
joint effort between schools and software or hardware vendors. These programs are more
characteristic of training than education. Those responsible for security training must assess
both types of programs and decide which one better addresses their identified needs.
Results of Security Awareness
Measurably reduces unauthorized actions by insiders
Increases the effectiveness of existing controls
Helps fight waste, fraud, and abuse of information systems resources
A successfully implemented training and awareness program, in conjunction with a good
security operations practice, should result in many benefits to an organization. The technical
staff should be better at implementing the technical controls. End users, executives, and
everyone else should also do a better job of implementing the remaining administrative and
physical controls. The resulting more thorough implementation of a well-designed set of
controls is guaranteed to increase security.
Summary
Complexity can be identified as one of the biggest enemies of security.
An effective computer security awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation.