vbieri_cisco_router_security © 2001, Cisco Systems, Inc. All rights reserved.
Cisco SAFE: A Security Blueprint for Enterprise Networks (slide transcript)
Posted 18-Dec-2015, category: Documents
Slide 1 - Cisco SAFE: A Security Blueprint for Enterprise Networks
Özay UYANIK, Cisco Systems Turkey

Slide 2 - The Internet is Changing... Everything
Vote, Bank, Medicate, Travel, Purchase

Slide 3 - The Security Dilemma: Expanded Access, Heightened Security Risks
Diagram axes: Internet Access, Corporate Intranet, Internet Presence against Internet Business Value
E-business drivers: Customer Care, E-Learning, Supply Chain Management, E-Commerce, Workforce Optimization
Explosion in E-Business!!

Slide 4 - Threats Driving Security Awareness
Information Theft, Virus Attacks, Data Interception, Unprotected Assets, Denial of Service, Unauthorized Entry
Headlines: "Worm Blaster Strikes Worldwide" (CNN); "AOL Boosts Email Security After Attack" (C/NET); "Several Web Sites Attacked Following Assault on Yahoo!" (New York Times)

Slide 5 - Critical e-Business Solutions
Customer Care, E-Learning, Supply Chain Management, E-Commerce, Workforce Optimization, all delivered over the Internet
An Intelligent and Secure Network Infrastructure is Required for E-Business!!

Slide 6 - Are You Secure?
• External exploitation: 75% vulnerable; 95+% vulnerable externally with secondary exploitation
• Internal exploitation: 100% vulnerable
• Dial-in exploitation: 65+% vulnerable

Slide 7 - 100% Security
"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it...."
Gene Spafford, Director, Computer Operations, Audit, and Security Technology (COAST), Purdue University

Slide 8 - Cisco SAFE
Cisco SAFE is a flexible framework that empowers companies to securely take advantage of the Internet Economy.

Slide 9 - Key Components of a SAFE Module
• Security Management
• Identity
• Perimeter Security
• Security Monitoring
• Secure Connectivity

Slide 10 - Security Is...
Physical analogy: Security Office, Traditional Locks, Guard, Security Camera, Card Key
Network counterparts: Security Manager, IDS Manager, Firewall, Intrusion Detection, Authentication Server

Slide 11 - SAFE Enterprise Network Design Guide
Cisco SAFE Architecture Goals:
• Security
• Resilience
• Performance
• Scalability
• QoS Awareness
Diagram: Enterprise Campus (User Access, Distribution, Core, Management, Server), Enterprise Edge (Corporate Internet, VPN & Remote Access, E-Commerce and WAN modules) and ISP Edge (ISP A, ISP B, PSTN and Frame/ATM modules)

Slide 12 - Enterprise SAFE Network
SAFE Axioms:
• Routers are targets
• Switches are targets
• Hosts are targets
• Networks are targets
• Applications are targets
• Secure management & reporting are required
Diagram: ISP Edge (ISP Module), Enterprise Edge (E-Commerce, VPN & Remote Access and PSTN modules), Enterprise Campus (User Access, Distribution, Core, Management, Server)

Slide 13 - Routers are Targets
• Potentially a hacker's best friend
• Protection should include:
- constraining telnet access
- SNMP read-only
- administrative access with TACACS+
- NTP authentication
- turning off unneeded services
- logging unauthorized access attempts
- authentication of routing updates

Slide 14 - Switches are Targets
• Protection needs are similar to routers
• VLANs are an added vulnerability:
- remove user ports from auto-trunking
- use non-user VLANs for trunk ports
- set unused ports to a non-routed VLAN
- do not depend on VLAN separation
- Private VLANs

Slide 15 - ARP Spoof Mitigation: Private VLANs
• PVLANs isolate traffic in specific communities to create distinct "networks" within a normal VLAN
• Note: Most inter-host communication is disabled with PVLANs turned on
Diagram: one Primary VLAN (only one subnet!) containing two Promiscuous Ports, Community 'A' and Community 'B' (each on its own Community VLAN) and Isolated Ports on the Isolated VLAN; the x marks show blocked host-to-host paths
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_1/conf_gd/vlans.htm#xtocid854519
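To make the slide's forwarding rules concrete, here is an added example (not from the slide or Cisco) that models who can talk to whom inside one private VLAN. The three port roles follow the diagram (promiscuous, community 'A'/'B', isolated); the port names, the sample port set and the function names are constructed. It also reports which ports would receive a gratuitous ARP from a given port, which is the slide's point about ARP spoof mitigation: the reach of a spoofing host shrinks to what the PVLAN allows.

```python
"""Private VLAN (PVLAN) forwarding rules as a small model. Added example,
not from the slide or Cisco: port roles follow the slide's diagram
(promiscuous, community 'A' / 'B', isolated); port names are constructed."""
from dataclasses import dataclass
from typing import Optional

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"


@dataclass(frozen=True)
class Port:
    name: str
    role: str
    community: Optional[str] = None  # only meaningful for COMMUNITY ports


def can_forward(src: Port, dst: Port) -> bool:
    """Layer-2 reachability inside one primary VLAN (one IP subnet)."""
    if src == dst:
        return False
    # A promiscuous port (typically the gateway/router port) reaches everything.
    if PROMISCUOUS in (src.role, dst.role):
        return True
    # Community ports reach only members of their own community.
    if src.role == COMMUNITY and dst.role == COMMUNITY:
        return src.community == dst.community
    # Any other pair involves an isolated port and is blocked.
    return False


def blocked_pairs(ports):
    """Ordered (src, dst) pairs that the PVLAN prevents from talking directly."""
    return sorted((a.name, b.name) for a in ports for b in ports
                  if a != b and not can_forward(a, b))


def arp_spoof_reach(ports, spoofer: Port):
    """Ports that would see a gratuitous ARP sent by `spoofer`: with PVLANs this
    collapses to the set can_forward allows, not the whole subnet."""
    return sorted(p.name for p in ports if p != spoofer and can_forward(spoofer, p))


# Constructed port set mirroring the slide: two promiscuous (gateway) ports,
# two communities and a pair of isolated ports, all in one subnet.
SAMPLE_PORTS = [
    Port("gw1", PROMISCUOUS), Port("gw2", PROMISCUOUS),
    Port("a1", COMMUNITY, "A"), Port("a2", COMMUNITY, "A"),
    Port("b1", COMMUNITY, "B"),
    Port("i1", ISOLATED), Port("i2", ISOLATED),
]

if __name__ == "__main__":
    print(len(blocked_pairs(SAMPLE_PORTS)), "of", len(SAMPLE_PORTS) * (len(SAMPLE_PORTS) - 1),
          "ordered pairs are blocked")
    print("i1 gratuitous ARP reaches:", arp_spoof_reach(SAMPLE_PORTS, SAMPLE_PORTS[5]))
```

With the seven constructed ports, 18 of the 42 ordered pairs are blocked, and an isolated host's ARP reaches only the two promiscuous ports; the slide's "most inter-host communication is disabled" is exactly this property.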

Slide 16 - Networks are Targets
• DDoS attacks (ICMP flood, TCP SYN flood, UDP floods) cannot be stopped by the victim network alone
• RFC 1918 addresses or local addresses should originate locally
• IP address spoofing can be mitigated by filtering non-registered addresses

Slide 17 - RFC 2267 Filtering
Diagram: ISP Network - Serial link - Customer Network 142.142.0.0/16

Ingress to Internet (ISP side of the link)
• Ingress packets must be from customer addresses

    interface Serial n
     ip access-group 101 in
    !
    access-list 101 permit ip 142.142.0.0 0.0.255.255 any
    access-list 101 deny ip any any

Egress from Internet (customer side of the link)
• Egress packets cannot be from and to customer
• Ensure ingress packets are valid

    interface Serial n
     ip access-group 120 in
     ip access-group 130 out
    !
    access-list 120 deny ip 142.142.0.0 0.0.255.255 any
    access-list 120 permit ip any any
    !
    access-list 130 permit ip 142.142.0.0 0.0.255.255 any
    access-list 130 deny ip any any

Slide 18 - RFC 1918 Filtering
Diagram: ISP Network - Serial link - Customer Network; Ingress to Internet

    interface Serial n
     ip access-group 101 in
    !
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 permit ip any any
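The two slides above share one mechanism: an IOS extended access list with wildcard masks, evaluated first match wins, with an implicit deny at the end. The following added example (not Cisco code) implements that evaluation for the protocol, source and destination fields used on the slides and runs the slides' own access-list lines against constructed packets, so the effect of each filter (customer-sourced traffic passes, spoofed and RFC 1918 sources are dropped) can be checked offline. Scenario names, packet addresses and function names are constructed.

```python
"""Evaluator for the IOS numbered extended ACLs on the RFC 2827 / RFC 1918
slides. Added example, not Cisco code: models first-match semantics, the
implicit deny at the end of every ACL, and the IOS wildcard mask (a 1 bit
means "don't care"). The ACL text is the slides' own; packets are constructed."""
import ipaddress
from typing import List, NamedTuple


class Entry(NamedTuple):
    action: str  # "permit" or "deny"
    proto: str   # "ip", "tcp", "udp", "icmp", ...
    src: str     # "any" | "host A" | "A WILDCARD"
    dst: str


def _take_addr(tok, i):
    """Consume one address spec starting at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return "host " + tok[i + 1], i + 2
    return tok[i] + " " + tok[i + 1], i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N action proto src dst [...]' lines; other lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, i = _take_addr(tok, 4)
        dst, _ = _take_addr(tok, i)  # trailing qualifiers such as 'established' are not modelled
        entries.append(Entry(action, proto, src, dst))
    return entries


def _match(spec: str, addr: ipaddress.IPv4Address) -> bool:
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.IPv4Address(parts[1]) == addr
    base = int(ipaddress.IPv4Address(parts[0]))
    care = ~int(ipaddress.IPv4Address(parts[1])) & 0xFFFFFFFF  # invert the wildcard
    return (int(addr) & care) == (base & care)


def evaluate(entries: List[Entry], proto: str, src: str, dst: str) -> str:
    """First matching entry decides; no match means the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto in ("ip", proto) and _match(e.src, s) and _match(e.dst, d):
            return e.action
    return "deny"


# ACL text transcribed from the slides.
ISP_INGRESS_101 = """
access-list 101 permit ip 142.142.0.0 0.0.255.255 any
access-list 101 deny ip any any
"""
CUSTOMER_IN_120 = """
access-list 120 deny ip 142.142.0.0 0.0.255.255 any
access-list 120 permit ip any any
"""
RFC1918_101 = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
"""


def check_spoof_scenarios():
    """Constructed packets run through the slides' filters; returns scenario -> decision."""
    isp, cust, bogon = parse_acl(ISP_INGRESS_101), parse_acl(CUSTOMER_IN_120), parse_acl(RFC1918_101)
    return {
        "customer_src_leaving_customer": evaluate(isp, "tcp", "142.142.7.9", "198.51.100.1"),
        "spoofed_src_leaving_customer": evaluate(isp, "tcp", "203.0.113.5", "198.51.100.1"),
        "internet_pkt_claiming_customer_src": evaluate(cust, "tcp", "142.142.1.1", "142.142.9.9"),
        "rfc1918_src_from_internet": evaluate(bogon, "udp", "172.20.1.1", "142.142.9.9"),
        "public_src_from_internet": evaluate(bogon, "udp", "172.32.0.1", "142.142.9.9"),
    }


if __name__ == "__main__":
    for name, decision in check_spoof_scenarios().items():
        print(f"{name:36s} {decision}")
```

The 172.16.0.0 0.15.255.255 entry is the one worth stepping through: the wildcard covers 172.16.0.0 through 172.31.255.255, so 172.20.1.1 is denied while 172.32.0.1 falls through to the final permit.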

Slide 19 - Hosts are Targets
• High visibility makes them an easy target
• Ensure that the various host components are compatible and at the latest version:
- hardware platform/devices
- operating system and updates
- standard applications and patches
- shareware scripts

Slide 20 - Applications are Targets
• Complexity of applications makes them open to human error vulnerabilities
• Host and network based IDS focus on recognizing attack signatures and taking action:
- shunning/blocking
- alarm/warning
- simply logging

Slide 21 - Secure Management and Reporting
• Logging levels
• NTP
• Out-of-band management
• IPsec, SSH or SSL
• SNMP
• Change management

Slide 22 - Cisco SAFE Enterprise Network Design Modules
Enterprise Campus: Building, Building Distribution, Management, Server, Core, Edge Distribution
Enterprise Edge: E-Commerce, Corporate Internet, VPN and Remote Access, WAN
SP Edge: ISP A, ISP B, PSTN, Frame/ATM

Slide 23 - Campus Network Section
- Management Module
- Building Access and Distribution
- Core and Server Modules
- Edge Distribution Module

Slide 24 - Management Module
• Out-of-band management
- separate physical networks
- separate address space (192.168.25x.xxx)
- use IPSec if physical separation is not possible
• Firewall between management subnet and managed-device subnet

Slide 25 - Management Module (cont'd)
• Isolate managed ports to minimize impact of a compromised device
• NIDS and HIDS on the management subnet
• One-time passwords for authentication of administrators
• SNMP read-only:

    snmp-server community Txo~QbW3XM RO 98
    access-list 98 permit host 192.168.253.51

Slide 26 - Attack Mitigation Roles for Management Module
Diagram components: OTP Server, Access Control Server, Network Monitoring, IDS Director, Syslog 1, Syslog 2, System Admin, X6 Term Server (IOS), X6 Switch, routers eIOS-91 and eIOS-21; Out-of-Band Network Management with OOB Config Management to all device console ports; Encrypted In-Band Network Management
Mitigation roles:
• Host IDS for local attack
• Two-factor authentication
• AAA services
• Read-only SNMP
• SSH where possible
• Config and content management
• Network log data
• Comprehensive Layer 4-7 analysis
• Stateful packet filtering
• IPSec termination for management
• Private VLANs

Slide 27 - Campus Network Section (section divider; same agenda as Slide 23: Management Module, Building Access and Distribution, Core and Server Modules, Edge Distribution Module)

Slide 28 - Enterprise Campus Detail
Management Module: OTP Server, Access Control Server, Network Monitoring, IDS Director, Syslog 1, Syslog 2, System Admin, Term Server (IOS)
Building Module (Users), Building Distribution Module, Core Module
Server Module: Corporate Server, Cisco Call Manager, Internal Email, Dept. Server
Edge Distribution Module: to eCommerce Module, to Corporate Internet Module, to VPN/Remote Access Module, to WAN Module

Slide 29 - Attack Mitigation Roles for Building and Distribution Modules
Link: to Core Module
• Inter-subnet filtering
• RFC 2827 filtering
• Host virus scanning
• VLANs

Slide 30 - Campus Network Section (section divider; same agenda as Slide 23)

Slide 31 - Attack Mitigation Roles for Core and Server Modules
Server Module hosts: Internal Email, Dept. Server, Call Manager; links to Edge Distribution Module and Building Distribution Module
• Host IDS for local attack
• NIDS for server attacks
• Private VLANs for server connections
• RFC 2827 filtering

Slide 32 - Campus Network Section (section divider; same agenda as Slide 23)

Slide 33 - Attack Mitigation Roles for Edge Distribution Module
Links: to eCommerce Module, to Corporate Internet Module, to VPN/Remote Access Module, to WAN Module, to Core Module
• Layer 3 access control
• RFC 2827 filtering

Slide 34 - Edge Network Section
- Corporate Internet Module
- Remote Access and VPN Module
- WAN Module
- E-Commerce Module
- ISP Filtering

Slide 35 - Enterprise Edge - Detail
eCommerce Module, Corporate Internet Module, ISP A Module (ISP A), ISP B Module (ISP B); links to Edge Distribution Module and to VPN/Remote Access Module

Slide 36 - Attack Mitigation Roles for Corporate Internet Module
Links: to Edge Distribution, to VPN/Remote Access, to ISP A
• Broad Layer 4-7 analysis
• Focused Layer 4-7 analysis
• Host IDS local attack mitigation
• SMTP content inspection
• Spoof mitigation
• Basic filtering
• (D)DoS rate-limiting
• Inspect outbound traffic for unauthorized URLs
• Stateful packet filtering
• Basic Layer 7 filtering
• Host DoS mitigation

Slide 37 - Edge Network Section (section divider; same agenda as Slide 34)

Slide 38 - VPN/Remote Access - Detail
VPN/Remote Access Module, WAN Module, PSTN Module (PSTN), Frame/ATM Module (FR/ATM); links to Edge Distribution Module and to Corporate Internet Module

Slide 39 - Attack Mitigation Roles for Remote Access VPN Module
Links: PSTN, to Edge Distribution Module, to Internet via the Corporate Internet Module
• Authenticate remote site, terminate IPSec
• Authenticate users, terminate IPSec
• Authenticate users, terminate analog dial
• Allow only IPSec traffic
• Focused Layer 4-7 analysis
• Broad Layer 4-7 analysis
• Stateful packet filtering, basic Layer 7 filtering

Slide 40 - Edge Network Section (section divider; same agenda as Slide 34)

Slide 41 - Enterprise Edge - Detail
VPN/Remote Access Module, WAN Module, PSTN Module (PSTN), Frame/ATM Module (FR/ATM); links to Edge Distribution Module and to Corporate Internet Module

Slide 42 - Classic WAN Module: Detail and Attack Mitigation
The classic WAN is not often addressed in a security context. Man-in-the-middle attacks can be mitigated by several IOS features:
- Layer 3 access control
- IPSec encryption (optional)
Diagram: FR/ATM - routers eIOS-61 and eIOS-62 (Layer 3 Access Control) - to Edge Distribution Module

Slide 43 - Edge Network Section (section divider; same agenda as Slide 34)

Slide 44 - Enterprise Edge - Detail
eCommerce Module, Corporate Internet Module, ISP A Module (ISP A), ISP B Module (ISP B); links to Edge Distribution Module and to VPN/Remote Access Module

Slide 45 - E-Commerce Traffic Flow
Incoming requests arrive from the ISP Module, traverse the E-Commerce Module tiers (Web, Apps, DB) and reach the Edge Distribution Module; the filtering points in the diagram are labelled L1-3, L4 and L5-7

Slide 46 - Attack Mitigation Roles for E-Commerce Module
Link: to Edge Distribution
• Stateful packet filtering, basic Layer 7 filtering
• Host DoS mitigation
• Focused Layer 4-7 analysis
• Broad Layer 4-7 analysis
• Wire speed access control
• Spoof mitigation, (D)DoS rate limiting
• Layer 4 filtering
• Host IDS for local attack mitigation

Slide 47 - Edge Network Section (section divider; same agenda as Slide 34)

Slide 48 - Service Provider Filtering
• Best in e-commerce environments
• DDoS mitigation
• Bandwidth optimization
• RFC 1918, 2827
Diagram: Attacker and DDoS Agent on the Internet side; Customer side with Public Services, Internal Services and Internal Users
- ok: ports 80 and 443 to Public Services
- x: Source DDoS Agent, Destination Public Services, UDP flood
- x: Source Attacker, Destination Public Services, port 23 (Telnet)

Slide 49 - CAR Rate Limiting
Limit outbound ping to 8 Kbps:

    interface xy
     rate-limit output access-group 102 8000 8000 8000 conform-action transmit exceed-action drop
    !
    access-list 102 permit icmp any any echo
    access-list 102 permit icmp any any echo-reply

Limit inbound TCP SYN packets to 256 Kbps:

    interface xy
     rate-limit input access-group 103 256000 8000 8000 conform-action transmit exceed-action drop
    !
    access-list 103 deny tcp any host 142.142.42.1 established
    access-list 103 permit tcp any host 142.142.42.1
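The rate-limit arguments are a rate in bits per second followed by a normal burst and an extended burst in bytes; when the two burst values are equal, as on the slide, CAR behaves as a plain token bucket. The following added example (not IOS code) models that bucket exactly and runs the slide's two policies against constructed traffic, so the share of a flood that the exceed-action drops can be predicted. Note that in access-list 103 the `deny ... established` entry does not drop anything: in a rate-limit access-group a deny means "this packet is not subject to this policy", so only packets without the ACK bit, that is, new SYNs, are policed. Class and function names are constructed.

```python
"""Token-bucket model of the CAR policies on the slide. Added example, not
IOS code: rate in bits/s, normal burst in bytes; with extended burst equal
to normal burst (as on the slide) CAR is a plain token bucket, which is what
is modelled. Traffic streams are constructed."""
from fractions import Fraction


class CarPolicer:
    """One 'rate-limit' statement: tokens are bytes, refilled at rate_bps/8 per second."""

    def __init__(self, rate_bps: int, normal_burst_bytes: int):
        self.rate_bps = rate_bps
        self.capacity = normal_burst_bytes
        self.tokens = Fraction(normal_burst_bytes)  # exact arithmetic, no float drift
        self.last_us = 0

    def offer(self, t_us: int, size_bytes: int) -> str:
        """CAR action for a packet of size_bytes arriving at t_us microseconds."""
        refill = Fraction((t_us - self.last_us) * self.rate_bps, 8 * 1_000_000)
        self.tokens = min(Fraction(self.capacity), self.tokens + refill)
        self.last_us = t_us
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "transmit"  # conform-action
        return "drop"          # exceed-action


def police(rate_bps, burst_bytes, packets):
    """packets: iterable of (t_us, size_bytes) in arrival order. Returns (transmitted, dropped)."""
    policer = CarPolicer(rate_bps, burst_bytes)
    sent = dropped = 0
    for t_us, size in packets:
        if policer.offer(t_us, size) == "transmit":
            sent += 1
        else:
            dropped += 1
    return sent, dropped


def constant_stream(pps: int, size_bytes: int, seconds: int):
    """Constructed stream: `pps` packets per second of `size_bytes`, evenly spaced."""
    step = 1_000_000 // pps
    return [(i * step, size_bytes) for i in range(pps * seconds)]


# Slide policy 1: outbound ping limited to 8 Kbps (8000 bps, 8000-byte burst).
def ping_flood_result():
    # 100-byte echo requests at 100 pps = 80 Kbps, ten times the limit, for 1 s
    return police(8000, 8000, constant_stream(100, 100, 1))


def ping_normal_result():
    # 100-byte echo every 200 ms = 4 Kbps, under the limit
    return police(8000, 8000, constant_stream(5, 100, 1))


# Slide policy 2: inbound TCP SYN packets limited to 256 Kbps.
def syn_flood_result():
    # 60-byte SYNs at 2000 pps = 960 Kbps for 1 s
    return police(256000, 8000, constant_stream(2000, 60, 1))


if __name__ == "__main__":
    print("ping flood  (sent, dropped):", ping_flood_result())
    print("ping normal (sent, dropped):", ping_normal_result())
    print("SYN flood   (sent, dropped):", syn_flood_result())
```

The arithmetic behind the results is visible in the model: the 8000-byte burst lets the first 80 or so 100-byte pings through, after which only 1000 bytes/s (8 Kbps) of echo traffic is forwarded; the SYN policy admits the burst plus 32000 bytes/s, roughly 530 sixty-byte SYNs per second, and drops the remainder of a 2000 pps flood.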

Slide 50 - Cisco SAFE Ecosystem: Security & VPN Associates
Identity, Application Security, Security Management & Monitoring, Secure Connectivity, Perimeter Security
Cisco.com/go/securityassociate

Slide 51 - For more information ...
Cisco.com/go/security
Cisco.com/go/SAFE
Policy