English Pages 463 Year 2001
Cisco Secure Internet Security Solutions
By Andrew G. Mason, Mark J. Newcomb
Publisher: Cisco Press
Pub Date: May 30, 2001
ISBN: 1-58705-016-1
Pages: 528
Table of Contents • Index
Must-have security strategies using Cisco's complete solution to network security.

• The only book to cover interoperability among the Cisco Secure product family to provide the holistic approach to Internet security
• The first book to provide Cisco proactive solutions to common Internet threats
• A source of industry-ready pre-built configurations for the Cisco Secure product range

Cisco Systems strives to help customers build secure internetworks through network design featuring its Cisco Secure product family. Cisco Secure Internet Security Solutions covers the basics of Internet security, and then concentrates on each member of the Cisco Secure product family, providing a rich explanation with examples of the preferred configurations required for securing Internet connections. The Cisco Secure PIX Firewall is covered in depth from an architectural point of view, and a reference of the PIX commands explains their use in the real world. Although Cisco Secure Internet Security Solutions is primarily concerned with Internet security, the information inside is also applicable to many general network security scenarios.
Copyright
Copyright © 2001 Cisco Press. Cisco Press logo is a trademark of Cisco Systems, Inc.
Published by: Cisco Press, 201 West 103rd Street, Indianapolis, IN 46290 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
Library of Congress Cataloging-in-Publication Number: 00-105222

Warning and Disclaimer
This book is designed to provide information about Cisco Secure. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at [email protected]. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.
Credits
Publisher: John Wait
Editor-in-Chief: John Kane
Cisco Systems Program Manager: Bob Anstey
Managing Editor: Patrick Kanouse
Development Editor: Andrew Cupp
Project Editor: Marc Fowler
Copy Editor: Ginny Kaczmarek
Technical Editors: Sean Convery, Masamichi Kaneko, Duane Dicapite, Joel McFarland, Steve Gifkins, Brian Melzer, Per Hagen, Ruben Rios, Jeff Hillendahl, Joe Sirrianni, Tom Hua, John Tiso
Team Coordinator: Tammi Ross
Book Designer: Gina Rexrode
Cover Designer: Louisa Klucznik
Production Team: Argosy
Indexer: Larry D. Sweazy

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.com
Dedications
I would like to dedicate this book to my beautiful wife, Helen. Once again she had to put up with me coming home from work during the summer months and disappearing straight into my study to research and write this book. I thank her for being so patient and understanding, and giving me the space to write this book. I would also like to thank my wonderful daughter, Rosie, as she keeps me smiling throughout the day.
—Andrew Mason

This work is dedicated to my lovely wife, Jacqueline, without whose help I could never have accomplished as much as I have.
—Mark Newcomb
About the Authors
Andrew G. Mason, CCIE #7144, CCNP Security, and CCDP, is the CEO of CCStudy.com Limited (www.ccstudy.com), a United Kingdom-based Cisco Premier Partner specializing in Cisco consulting for numerous United Kingdom-based companies. The CCStudy.com web site is a fast-growing online Cisco community for all of the Cisco Career Certifications. Andrew has 10 years of experience in the network industry and currently is consulting for Energis-Squared, the largest ISP in the United Kingdom. He is involved daily in the design and implementation of complex secure hosted solutions, using products from the Cisco Secure product range.

Mark J. Newcomb, CCNP Security and CCDP, is a senior consulting network engineer for Aurora Consulting Group (www.auroracg.com), a Cisco Premier Partner located in Spokane, Washington, USA. Mark provides network design, security, and implementation services for clients throughout the Pacific Northwest. Mark has more than 20 years of experience in the microcomputer industry. His current projects include designing secure communication systems for wireless devices and providing comprehensive security services to the banking industry.

About the Technical Reviewers
Sean Convery is a network architect in Cisco's VPN and Security business unit. He has been at Cisco for three years. Prior to that he held positions in both IT and security consulting during his six years in the network security industry.

Steve Gifkins is a CCIE and CCSI of four and five years, respectively. He is based in the United Kingdom, where he runs his own independent Cisco-only consulting and training business. He is married with no children, and his hobbies include anything to do with outdoor life. Having retired with a knee injury from playing active sports such as squash, rugby, and soccer, he has taken up new hobbies in horse eventing and show jumping. In addition, he enjoys skiing and hill scrambling.

Brian Melzer, CCIE #3981, is an Internetwork Solutions Engineer for ThruPoint, Inc., out of their Raleigh, North Carolina, USA office. He has worked as a consultant for ThruPoint since September of 2000. ThruPoint is a global networking services firm and one of the few companies selected as a Cisco Systems Strategic Partner. Before working for ThruPoint, he spent five years working for AT&T Solutions on design and management of outsourcing deals involving Fortune 500 clients. As a member of the Wolfpack, Brian received his undergraduate degree in electrical engineering and his master's degree in management at North Carolina State University.

John Tiso, CCIE #5162, is one of the chief technologists of NIS, a Cisco Systems Silver Partner. He has a bachelor's degree from Adelphi University, Garden City, New York. John also holds the CCDP certification, the Cisco Security specialization, the Cisco Voice Access specialization, and Sun Microsystems, Microsoft, and Novell certifications. John can be reached by e-mail at johnt@jtiso.com.
Acknowledgments
I would like to thank Mark Newcomb for working on this book with me. We live at different ends of the world and have only met once, but still have built a long-lasting friendship. My thanks also go out to John Kane, Andrew Cupp, and the rest of the Cisco Press team for pulling all of this together and providing an editorial service that is second to none. The technical reviewers, John Tiso, Brian Melzer, and Steve Gifkins, helped us both a lot with the technical direction of the text; thanks to you all. I would like to thank Sean Convery and Bernie Trudel for allowing us to include their excellent white paper as an invaluable reference in this book. Finally, I would like to thank Sean Convery, Duane Dicapite, Per Hagen, Jeff Hillendahl, Tom Hua, Masamichi Kaneko, Joel McFarland, Ruben Rios, and Joe Sirrianni. This group of Cisco employees provided helpful feedback that immensely improved the quality of this book.
—Andrew Mason

As with all works of any consequence, this book was not simply the work of two authors. There were a great number of individuals behind the scenes that made this work a reality. I would like to list a few. I want to acknowledge the technical reviewers, Steve Gifkins, Brian Melzer, and John Tiso, all superior engineers. These three individuals showed us where we did not cover enough material, showed us where we were unclear, and provided a large number of suggestions that added to the quality of this work. Their efforts are truly appreciated. I thank Andrew Cupp and John Kane at Cisco Press for their ceaseless pursuit of the best possible work. They, along with many others at Cisco Press, have provided us with everything necessary to successfully complete this book. I would also like to express my gratitude to Sean Convery and Bernie Trudel for letting us use their Cisco SAFE white paper as a reference in this book. I want to thank Sean Convery, Duane Dicapite, Per Hagen, Jeff Hillendahl, Tom Hua, Masamichi Kaneko, Joel McFarland, Ruben Rios, and Joe Sirrianni, all from Cisco, for their time and very helpful suggestions. Finally, I want to thank Andrew Mason for all of his work on this book. Even though we live on opposite sides of the world, I consider him one of my best friends.
—Mark Newcomb
Introduction
The Internet is a core business driver for many large corporations. Along with the expanded business, however, come security issues. Recent news headlines often feature articles about large e-commerce sites getting hacked, with potentially disastrous results. Cisco Systems strives to help customers build secure internetworks through network design that features its Cisco Secure product family. At present, no available publication deals with Internet security from a Cisco perspective, using the Cisco Secure product family. This book covers the basics of Internet security and then concentrates on each member of the Cisco Secure product family, providing a rich explanation with examples of the preferred configurations required for securing Internet connections.
The book starts by explaining the threats posed by the Internet and progresses to a complete working explanation of the Cisco Secure product family. The individual components of the Cisco Secure product family are discussed in detail, with advice given about how to configure each individual component to meet the requirements of the situation. The Cisco Secure PIX Firewall is covered in-depth, from presenting an architectural point of view to providing a reference of the common PIX commands and their use in the real world. Although the book is concerned with Internet security, it is also viable for use in general network security scenarios.
Audience
Cisco Secure Internet Security Solutions is for network engineers and network designers. The primary audience is network engineers and network designers responsible for the corporate Internet connection or the installation of Cisco Secure products. The secondary audience is other networking staff members that have an interest in security or Cisco Secure products in relation to their specific corporate environment. Also, CCIE and CCDP/CCNP candidates will take interest in the title to improve their Internet security skills. The book should be read and used by an intermediate to advanced reader. Because of the unique content, industry experts could reference this book.
Audience Prerequisites
The content in this book assumes that the reader is familiar with general networking concepts and terminology. This includes a thorough understanding of the network protocol TCP/IP, and a familiarity with the topics covered in the Cisco Press books Internetworking Technologies Handbook and IP Routing Fundamentals.
What Is Covered
The book is organized into 11 chapters and one appendix:

• Chapter 1, "Internet Security" — This chapter provides a historical overview of the Internet and the growing number of risks that are associated with it.
• Chapter 2, "Basic Cisco Router Security" — This chapter looks at Cisco routers and the related security threats and vulnerabilities from an Internet point of view. Sample configurations and tips are provided for implementation on your corporate Internet routers.
• Chapter 3, "Overview of the Cisco Security Solution and the Cisco Secure Product Family" — This chapter provides an overview of the Cisco Security Solution and the Cisco Secure product range. The following six chapters look at each device in more detail.
• Chapter 4, "Cisco Secure PIX Firewall" — This chapter covers the Cisco Secure PIX Firewall. A technical overview of the PIX is provided, along with a configuration guide and sample configurations based against a case study.
• Chapter 5, "Cisco IOS Firewall" — This chapter looks at the Cisco IOS Firewall. Sample configurations are provided, and the major technologies are explained.
• Chapter 6, "Intrusion Detection Systems" — This chapter looks at one of the latest and most emergent security technologies, intrusion detection. It gives a brief explanation of the various types of intrusion detection systems, and then provides configurations for both a Cisco router and a Cisco Secure PIX Firewall based on perimeter intrusion detection.
• Chapter 7, "Cisco Secure Scanner" — This chapter covers the Cisco Secure Scanner. A brief explanation of network scanning and its uses, good and bad, is provided before looking in depth at the offering from Cisco, the Cisco Secure Scanner.
• Chapter 8, "Cisco Secure Policy Manager (CSPM)" — This chapter covers the Cisco Secure Policy Manager. The CSPM provides a centralized management platform for an enterprise network that incorporates Cisco routers running the Cisco IOS Firewall and Cisco Secure PIX Firewalls. This chapter provides a sample installation and configuration of CSPM.
• Chapter 9, "Cisco Secure Access Control Server (ACS)" — This chapter looks at the Cisco Secure Access Control Server and its uses within an internetwork. Configuration guidelines are provided for both the network access server (NAS) and the Cisco Secure ACS server component.
• Chapter 10, "Securing the Corporate Network" — This chapter looks at a common corporate network and identifies the risks associated with external connections. Numerous tips and configuration solutions are provided to overcome the associated risks.
• Chapter 11, "Providing Secure Access to Internet Services" — This chapter focuses on Internet services and the protection that can be offered to them. The chapter is written with servers hosted either at an ISP or on the corporate DMZ in mind. Each Internet service is looked at individually, and potential vulnerabilities and remedies are proposed.
• Appendix A, "Cisco SAFE: A Security Blueprint for Enterprise Networks" — The principal goal of SAFE, Cisco's secure blueprint for enterprise networks, is to provide best practice information to interested parties on designing and implementing secure networks. SAFE serves as a guide to network designers considering the security requirements of their networks. SAFE takes a defense-in-depth approach to network security design. This type of design focuses on the expected threats and their methods of mitigation, rather than on "put the firewall here, put the intrusion detection system there" instructions. This strategy results in a layered approach to security, where the failure of one security system is not likely to lead to the compromise of network resources. SAFE is based on Cisco products and those of its partners.
Command Syntax Conventions
Command syntax in this book conforms to the following conventions:

• Commands, keywords, and actual values for arguments are bold.
• Arguments (which need to be supplied with an actual value) are italic.
• Optional keywords or arguments (or a choice of optional keywords or arguments) are in brackets, [ ].
• Choice of mandatory keywords or arguments is in braces, { }.

NOTE
Note that these conventions are for syntax only. Actual configurations and examples do not follow these conventions.
Device Icons Used in the Figures
Figure I-1 contains a key of the most important device icons used in the figures in this book.

Figure I-1. Device Icon Key
Part I: Internet Security Fundamentals
Chapter 1 Internet Security
Chapter 2 Basic Cisco Router Security
Chapter 1. Internet Security
This chapter contains the following sections:

• Internet Threats
• Network Services
• Security in the TCP/IP Suite
• Denial of Service (DoS) Attacks
• Creating a Corporate Security Policy
• Summary
• Frequently Asked Questions
• Glossary
This chapter introduces some of the basics of network security. It starts with a brief description of some of the most common forms of attacks. Next, the chapter describes the characteristics of several types of network devices. The Cisco Secure products are specifically designed to prevent attacks from affecting your network. Cisco Secure provides protection from unauthorized access, denial of service (DoS) attacks, man-in-the-middle attacks, and many other common methods used either to deny service or to obtain unauthorized information. The Cisco Secure products rely on a number of configuration techniques, hardware solutions, and technologies, including the Adaptive Security Algorithm (ASA) that the PIX Firewall uses to track connections. These provide the best security available to the network administrator today. As technologies evolve, Cisco continuously refines its hardware and software solutions to remain on the cutting edge of network security. This book explores the methods of protecting the network that are available through use of the Cisco Secure solutions. To set the foundations necessary for preventing attacks, the first chapter covers the format of several protocols, including Transmission Control Protocol (TCP), Internet Protocol (IP), Address Resolution Protocol (ARP), and User Datagram Protocol (UDP). The more common forms of DoS attacks are then examined. Specific techniques for dealing with DoS attacks are provided in later chapters. This chapter concludes by examining the need for and use of a corporate security policy.
Internet Threats
The Internet is a collection of privately and publicly owned hosts. Virtually anyone owning a computer is able to get onto the Internet. There are hundreds of thousands of individuals on the Internet at any given time. Although most of these individuals have no ill intentions, there are a number who, for one reason or another, choose to try and penetrate or disrupt services on corporate networks. Sometimes networks are attacked by a technique where an innocent third party is used to launch the attack. For example, an individual whose system has been infected by a worm inadvertently passes along this worm to all known e-mail contacts. This book is designed to show the administrator how to design networks that are resistant to attack. There are a number of ways that the data on a corporate network can be compromised. Among them are the following:
• Packet sniffing — In this method, the attacker uses a packet sniffer to capture and analyze the data traveling between two sites for sensitive information. One example is to use a packet sniffer to discover username and password combinations; protocols such as Telnet, FTP, and POP3 send them in clear text.
• IP address spoofing — In this method, an attacker forges the source IP address of packets to pretend to be a trusted user or trusted computer. Because replies go to the forged address, spoofing is most useful to an attacker in one-way attacks such as floods, or against services that trust the source address alone.
• Port scans — This method determines which ports on a host, router, or firewall are open and listening, and therefore which services are reachable. After the attacker discovers the exposed services, attacks are concentrated on the applications that use those ports. Port scans can be launched against firewalls, routers, or individual computers.
• DoS attack — The attacker attempts to block valid users from accessing a resource or gateway. This blockage is achieved by sending traffic that causes an exhaustion of resources.
• Application layer attack — This method attempts to exploit weaknesses in server software to obtain the privileges of the account that runs an application, or to limit use of the system through a DoS attack.
• Trojan horse — In this method, the user is made to run a malicious piece of software. The Trojan horse attack uses an apparently safe application or data packet to transport destructive data to the recipient. After the destructive data has reached its destination, the program or script launches, causing damage. Trojan horse attacks can exploit technologies such as HTML, Web browser functionality, and the Hypertext Transfer Protocol (HTTP). These attacks include Java applets and ActiveX controls to transport programs across a network or load them on user Web browsers.
Network Services
At this point, it is important for you to understand some security services available on networks. Each of these services is fully discussed later in this book. The following services are discussed within this chapter in a general manner. There is overlap among these services; for example, basic authentication services are included on all Cisco routers. Therefore, this section should be referred to only for general guidelines.
Router Services
Routers have two general ways of providing security services on a network. The first is through routing. If, for example, the administrator does not want any user to be able to send to or receive from a given network, the administrator can simply set a static route for that network to the null interface. The administrator can also use policy routing (route maps) to send certain protocols or individual ports to the null interface or to a nonexistent network.

Although this is a rudimentary way to protect a network, it is still effective in limited circumstances. The problem with relying on this technique is that it does not scale well in large installations; it is static, it discards packets by destination only, and it can be overcome by a persistent attacker. Most network administrators need more granularity in their security settings than simply to allow or disallow traffic to a network. When more flexibility is needed, administrators rely on the second way that routers can provide security services on a network: access lists. Four main types of access lists are used on Cisco equipment:

• Standard
• Extended
• Reflexive
• Context-based Access Control (CBAC)

Standard access lists allow or deny packets based only on the source address of the packet. Extended access lists are more flexible, allowing filtering based on source and destination address, in addition to protocol, ports used, and, for TCP, whether the packet appears to belong to an already established connection (the established keyword matches segments with the ACK or RST bit set). Reflexive access lists change dynamically in response to outgoing requests for data. As a local host establishes a connection by requesting data, a temporary entry is added to the access list evaluated on the inbound interface to allow the returning packets through. Once the session is closed or times out, returning packets are again denied. Context-based Access Control (CBAC) goes one step further for a limited set of application protocols: it inspects the application conversation (FTP, for example) and opens and closes the ports that the particular application negotiates, based on its needs.
Figure 1-1 gives an example of basic router services. Each of these types of access lists will be thoroughly explored throughout this book.

Figure 1-1. Basic Router Services
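The router services described above, as an added example that is not part of the book: a Cisco IOS configuration fragment for a corporate Internet router showing a null route, a standard access list, an extended access list that does anti-spoofing ingress filtering (this also addresses the IP address spoofing threat listed earlier in the chapter), the established keyword and its weakness, a reflexive access list, and CBAC as the alternative. The interface names, the list names, the internal block 203.0.113.0/24 (assumed here to be publicly routable, so no NAT is involved) and the ISP link 198.51.100.0/30 are all assumptions made for this example.

```cisco
! --- Routing as a control: send everything for 192.0.2.0/24 to the bit bucket.
ip route 192.0.2.0 255.255.255.0 Null0
!
! --- Standard access list (source address only). Used here to restrict
!     who may open a Telnet session to the router itself.
access-list 10 permit 203.0.113.0 0.0.0.255
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
!
! --- Extended access list, applied inbound on the Internet link.
ip access-list extended OUTSIDE-IN
 ! Anti-spoofing (RFC 2827): a packet arriving from the Internet can never
 ! legitimately carry one of our own addresses, a private (RFC 1918)
 ! address, or a loopback address as its source.
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 ! Services we publish (assumed web and mail server 203.0.113.10).
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.10 eq smtp
 ! Temporary entries created by the reflexive list below are checked here.
 evaluate RETURN-TRAFFIC
 ! The older approach, shown only for comparison: 'established' matches any
 ! TCP segment with the ACK or RST bit set. It keeps no state, it cannot
 ! describe UDP replies (DNS, for instance), and an attacker passes it by
 ! setting ACK on a probe. It is left commented out because 'evaluate' above
 ! already covers legitimate return traffic.
 ! permit tcp any 203.0.113.0 0.0.0.255 established
 deny   ip any any log
!
! --- Reflexive access list: each outbound session creates a mirror-image
!     entry in RETURN-TRAFFIC, removed when the TCP session closes or the
!     timeout (seconds) expires. Applied outbound on the same interface.
ip access-list extended INSIDE-OUT
 permit tcp  203.0.113.0 0.0.0.255 any reflect RETURN-TRAFFIC timeout 300
 permit udp  203.0.113.0 0.0.0.255 any reflect RETURN-TRAFFIC timeout 60
 permit icmp 203.0.113.0 0.0.0.255 any reflect RETURN-TRAFFIC timeout 30
 ! Egress filtering: nothing with a foreign source address leaves our
 ! network, so our hosts cannot be used to launch spoofed floods.
 deny   ip any any log
!
interface Serial0
 description Link to ISP
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip access-group INSIDE-OUT out
!
! --- CBAC (IOS Firewall feature set) replaces the reflect/evaluate pair
!     with application-aware inspection: it understands, for instance, the
!     data connection that FTP negotiates on its control channel. To use it
!     instead, remove the 'reflect' keywords and the 'evaluate' line and add:
! ip inspect name FW tcp
! ip inspect name FW udp
! ip inspect name FW ftp
! interface Serial0
!  ip inspect FW out
```

Check the dynamic entries with show access-lists RETURN-TRAFFIC while a session from inside is open; the entry disappears when the session ends. The log keyword on the final deny lines is useful while tuning the lists, but on a busy Internet link it costs CPU, so rate-limit logging or drop it once the policy is settled.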
Firewall Services
Firewall services tend to be more sophisticated than routing services. One example of this is the granularity of packet filtering on a firewall compared with a router without the firewall feature set. On a router, it is not unusual to use the keyword established in extended access lists; this keyword is only useful when working with connection-oriented protocols. The keyword established does not allow for protocols such as UDP, where there is no connection. Additionally, the keyword established merely checks that the packet is formatted to look like part of an established connection (that the TCP ACK or RST flag is set); the router keeps no record of whether a connection was actually opened, so an attacker passes the check simply by setting the ACK bit on a probe packet. The Cisco Private Internet Exchange (PIX) Firewall, on the other hand, actually checks to make sure that data from a host has gone outbound before allowing data inbound. The Cisco PIX Firewall, which is discussed in Chapter 4, "Cisco Secure PIX Firewall," filters both connection-oriented and connectionless protocols based on whether a host inside has requested data. This is only one example of many where the granularity of a firewall exceeds that available on a router.
Figure 1-2 gives an example of firewall services.

Figure 1-2. Firewall Services
Authentication and Authorization Services Aut hent icat ion re fer s t o t he pr ocess of ensur ing t hat a claim ed ident it y of a dev ice or end user is v alid. Aut hor izat ion r efer s t o t he act of allow ing or disallow ing access t o cer t ain ar eas of t he net w or k based on t he user , syst em , or pr ogr am . Bot h ser vices can be pr ovided t hr ough eit her a Rem ot e Access Dial-I n User Service ( RADI US) or a Term inal Access Cont roller Access Cont r ol Syst em ( TACACS) ser ver . Encr ypt ion is also available for aut hent icat ion and can r un on a fir ew all or a r out er .
Figure 1 - 3
show s an exam ple of aut ho r izat ion ser v ices im plem ent ed on
a net w ork. Figur e 1 - 3 . Au t h or iza t ion Se r vice s
18
Network Address Translation (NAT) Services Many corporat e net works ch oose t o hide t heir local-area net work addresses from all out side users. Net work Address Translat ion ( NAT) changes t he local Layer 3 I P net work addresses, generally called privat e addresses, t o w hat ar e gener ally called global or public addr esses. This t r anslat ion can occur at a r out er or on a fir ew all. Ther e ar e bot h secur it y and pr act ical advant ages t o using NAT. The secur it y advant age is t hat at t acks cannot be m ade dir ect ly t o t he end device, because t he NAT device m ust t r anslat e each packet befor e for w arding t hat pack et t o or fr om t he end dev ice. The pr act ical adv ant age is t hat NAT is easily done at bot h fir ew alls and r out er s, allow ing t he cor por at ion t o use a lar ge num ber of public I P addr esses w it hout being for ced t o pur chase m or e t han a handful of pr ivat e I P addresses. NAT is defined by RFC 1631.
Figure 1 - 4
show s an exam ple of a net w or k em ploying NAT. Figur e 1 - 4 . N AT Se r vice s
Encryption and Decryption Services Encr y pt ion is t he act of changing t he cont ent of dat a in a w ay t hat pr ev ent s r ecognit ion of t hat dat a w it hout r ev er sing t he encr y pt ion pr ocess. The r ev er sing of t he encr y pt ion pr ocess is called decr y pt ion. Encr y pt ion and decr y pt ion ser v ices can be accom plished on end dev ices, r out er s, and fir ew alls. A Vir t ual Pr ivat e Net w or k ( VPN) is cr eat ed w hen an encr ypt ed connect ion is est ablished t hrough a public packet net w ork. A VPN can be est ablished bet w een t w o host s at different locat ions, bet ween t w o net w or ks of t he sam e com pany, or bet w een t he net w or ks of t w o different com panies.
Figure 1 - 5
show s how encr ypt ion ser vices can secur e dat a t hr ough t he
I nt er net .
19
Figur e 1 - 5 . En cr ypt ion Se r vice s
Proxy Services A pr ox y is an int er m ediar y. I n net w or king, it is a device t hat sit s bet w een a local host and rem ot e host s. Act ing as an int ercept device, t he proxy server accept s request s from t he rem ot e sit e a s if t he pr ox y ser v er w er e in fact t he local host . The pr ox y t hen sends it s ow n request t o t he local host . The local host answ ers t he proxy server, w hich t hen responds t o t he rem ot e sit e's request . A proxy server isolat es t he local host from all request s m ade from r em ot e sit es. Unless t he r em ot e sit e is able t o bypass t he pr oxy ser ver , t he local host s w ill never be subj ect t o direct at t ack.
Figure 1 - 6
show s pr oxy ser vices in use on a net w or k.
20
Figur e 1 - 6 . Pr ox y Se r vice s
Now t hat y ou hav e look ed at som e of t he basic secur it y ser v ices av ailable on net w or k s, y ou can m ov e on t o t he nex t sect ion t o see how TCP/ I P per t ains t o secur it y issues.
Security in the TCP/IP Suite
To understand security issues regarding the TCP/IP protocol suite, you first need to understand how TCP/IP works. This section will explore how TCP/IP works before going on to explore how the protocol suite can be used in attacks against a network.
Overview of TCP/IP
TCP/IP was originally developed by the U.S. Defense Advanced Research Projects Agency (DARPA) to interconnect Department of Defense (DoD) computers. The objective of the DARPA project was to build a robust communications protocol able to recover automatically from any node or communications failure. This reliability and recovery from node failure, which was necessitated by the fact that communications needed to be maintained under battlefield conditions, spawned the creation of the Internet. TCP/IP is the predominant routed protocol suite used within the Internet. Virtually all of the major software and hardware manufacturers offer support for the full TCP/IP protocol suite.
TCP and IP in the Open System Interconnection (OSI) Model
The Open System Interconnection (OSI) model consists of seven layers. Each of these seven layers interacts and communicates with the layers directly above and directly below it. In contrast, TCP/IP was built around a four-layer model, well before the advent of the OSI reference model. This four-layer model is referred to as the DoD or DARPA model. The functionality of the DoD model can be mapped closely to the functionality of the OSI reference model, as shown in Figure 1-7.
Figure 1-7. The Seven-Layer OSI Model and the Four-Layer DoD Model
The following list of the DoD layers further explains their mapping to the OSI model:
• Application/process layer— The DoD application/process layer defines the upper layer functionality included within the application, presentation, and session layers of the OSI model. Support is provided for application communications, code formatting, session establishment, and maintenance functions between applications.
• Host-to-host layer— The DoD host-to-host layer maps directly to the transport layer of the OSI model. The transport layer defines connectionless and connection-oriented transport functionality. Host-to-host is the DoD layer where TCP resides. The transport layer is the OSI layer where TCP resides.
• Internet layer— The DoD Internet layer maps directly to the network layer of the OSI model. The network layer defines internetworking functionality for routing protocols. This layer is responsible for the routing of packets between hosts and networks. The Internet layer is where IP resides in the DoD model. The network layer is the OSI layer where IP resides.
• Network layer— The DoD network interface layer maps to the data link and physical layers of the OSI model. Data link properties, media access methods, and physical connections are defined at this layer. Please note the very different functions of the DoD network layer (listed in this bullet) and the OSI network layer (called the Internet layer in the DoD model).
The authors will refer to TCP/IP in relation to the OSI model for the remainder of this book because this is the industry standard.
Within the TCP/IP suite, there are several different protocols in addition to IP and TCP. Figure 1-8 shows where each of these protocols sits in relation to the OSI model.
Figure 1-8. The Seven-Layer OSI Model and TCP/IP
Internet Protocol (IP)
IP, the network layer datagram service of the TCP/IP suite, is used by all other protocols in the TCP/IP suite except the Address Resolution Protocol (ARP) and the Reverse Address Resolution Protocol (RARP) to transfer packets from host to host over an internetwork. This function isn't supported by any other protocols contained within the TCP/IP suite. The other main feature of IP, congestion control, is found on nearly every layer of the OSI model. IP performs basic congestion control that is very primitive in comparison with that offered by TCP. Routing is described as the delivery of packets or datagrams from the source node to the destination node across multiple intermediate networks. When hosts reside on the same physical network, packets can be delivered using the routing services provided within their own IP modules. When hosts are located on separate connected networks, the delivery is made through routers that connect the networks. IP is controlled by RFC 791, which defines the set of rules for communicating across the internetwork. Addressing and control information that allows the IP packets to be routed to their intended destination over the internetwork is included. The two primary rules defined by RFC 791 relate to
• A connectionless, best-effort packet delivery service routing across an internetwork.
• Provisioning for fragmentation and reassembly of packets to support data links with differing maximum transmission unit (MTU) sizes. This is basic congestion control.
IP provides a connectionless, best-effort packet delivery system. From a logical point of view, this service has three characteristics that are important for understanding the behavior of IP routing. These three characteristics are as follows:
• Connectionless protocol— IP is classified as a connectionless protocol. Each packet is delivered independently of all other packets. The packets might be sent along different routes and might arrive at their destination out of sequence. No acknowledgements are sent or received to indicate that the IP packets were received by the intended destination.
• Unreliable delivery— Because IP is a connectionless protocol, it is also classified as an unreliable protocol. IP cannot guarantee that any packet transmitted will be received by the host intact or in the original sequence in which it was sent. IP has no provision for notification that a packet is dropped en route to the destination.
• Best-effort delivery— IP uses its best effort to deliver the packets to their intended destination. IP only discards a packet when it is forced to do so because of hardware issues, such as resource allocation problems, or errors caused at the physical layer. If an error occurs while a packet is being sent, IP attempts to retransmit the packet.
IP packets or datagrams consist of the IP header and the data. The data is received from the upper layer protocols such as TCP or UDP, and encapsulated into the IP packet. The IP header is created by IP and is used by IP on intermediary systems to route the packet to its final destination. The IP header contains information to enable IP to route the packet independent of any other process.
IP Header Datagram Format
Figure 1-9 shows the format of an IP datagram header. The IP datagram header contains a number of items that are interesting to the administrator who is concerned with security issues. Throughout this book, you'll see references to datagrams with various attributes, such as a fragmented IP datagram. This section explains how these packets are formed and the relevance of a field's settings.
Figure 1-9. IP Header Datagram Format
A list of the fields in Figure 1-9 and their functions follows:
• Version— The version field is 4 bits and represents the IP version for this packet. Most systems use IP version 4. In the future, most systems will use IP version 6 (IPv6) or IP: The Next Generation (IPng).
• IP Header Length (IHL)— The IHL field defines the length of the IP header. The options field that is discussed later in this list is optional and can affect the length of the header. The IHL field occupies 4 bits of the IP header.
• Type of service (ToS)— The ToS field occupies 8 bits of the IP header. This field specifies how both hosts and intermediate devices should handle the packet. This field can also be broken down further into subfields. These subfields contain information on precedence, delay, throughput, reliability, cost, and MBZ.
• Total length— The total length field occupies 16 bits in the IP header. This field contains 16 bits specifying the total length of the IP packet up to 65,535 bytes.
• Identification— The identification field occupies 16 bits in the IP header. This field, used in conjunction with the flag and offset fields, is used in the packet fragmentation and reassembly process. A packet needs to be fragmented, or broken down, when the original packet size is larger than the MTU at the receiving node or any router along the route. IP breaks the original packet into smaller packets that are within the MTU limitations. Each fragmented packet is a true IP packet and contains both an IP header and IP data. A unique number is entered into the 16-bit identification field. If the packet is fragmented, the original IP header is copied into each of the new fragmented packets. The receiving host uses the identification field when reassembling the packet into its original form.
• Flags— The flags field occupies 3 bits of the IP header. Its only purpose is in fragmentation. Each bit is interpreted independently as follows:
 - Bit 0— Bit 0 is reserved and not used.
 - Bit 1— Bit 1 is the Don't Fragment or DF bit. When this bit is cleared (value of 0), it is an indicator that the packet can be fragmented. When the bit is set (value of 1), it indicates that the packet cannot be fragmented.
 - Bit 2— Bit 2 is the More Fragments or MF bit. When this bit is cleared (value of 0), it indicates that this is the last fragment of the packet. When the bit is set (value of 1), it indicates that more fragments are to follow.
• Fragment offset— The fragment offset field occupies 13 bits of the IP header. This field identifies the offset of this portion of the original packet before it was fragmented.
• Time To Live (TTL)— The TTL field occupies 8 bits of the IP header. This field specifies how long the packet can exist before being dropped or copied to the bit bucket by an intermediate router. When a router receives a packet, it decrements the TTL value by 1. If this value is 0, the router discards the packet by copying it to the bit bucket; otherwise it forwards the packet to the next hop router or to the destination network if the destination network is directly connected. This method ensures that an IP packet will eventually be dropped if there is a routing loop somewhere in the network.
• Protocol— The protocol field occupies 8 bits of the IP header. This field is used to identify the upper layer protocol that should receive the data contained in the packet. The 8-bit field facilitates 255 different protocols that are represented as numeric values. Table 1-1 lists the protocol assignments for IP.
Table 1-1. IP Protocol Numbers
Value     Keyword        Protocol
0         HOPOPT         Hop-by-hop option (IP version 6)
1         ICMP           Internet Control Message Protocol
2         IGMP           Internet Group Management Protocol
3         GGP            Gateway-to-Gateway Protocol
4         IP             IP in IP Encapsulation
5         ST             Stream
6         TCP            Transmission Control Protocol
7         CBT            CBT
8         EGP            Exterior Gateway Protocol
9         IGP            Interior Gateway Protocol
10        BBN-RCCMON     BBN RCC Monitoring Protocol
11        NVP-II         Network Voice Protocol version II
12        PUP            PUP
13        ARGUS          ARGUS
14        EMCON          EMCON
15        XNET           Cross Net Debugger
16        CHAOS          CHAOS
17        UDP            User Datagram Protocol
18        MUX            Multiplexing
19        DCN-MEAS       DCN Measuring Subsystems Protocol
20        HMP            Host Monitoring Protocol
21        PRM            Packet Radio Measurement
22        XNS-IDP        Xerox NS IDP
23        TRUNK-1        Trunk-1
24        TRUNK-2        Trunk-2
25        LEAF-1         Leaf-1
26        LEAF-2         Leaf-2
27        RDP            Reliable Data Protocol
28        IRTP           Internet Reliable Transaction Protocol
29        ISO-TP4        ISO Transport Protocol (Class 4)
30        NETBLT         Bulk Data Transfer Protocol
31        MFE-NSP        MFE Network Services Protocol
32        MERIT-INP      Merit Inter-Nodal Protocol
33        SEP            Sequential Exchange Protocol
34        3PC            Third Party Connection Protocol
35        IDRP           Inter-Domain Routing Protocol
36        XTP            XTP
37        DDP            Datagram Delivery Protocol
38        IDPR-CMTP      Inter-Domain Routing Protocol Control Message Transport Protocol
39        TP++           TP++ Transport Protocol
40        IL             IL Transport Protocol
41        IPv6           Internet Protocol version 6
42        SDRP           Source Demand Routing Protocol
43        IPv6-ROUTE     Routing Header (IP version 6)
44        IPv6-FRAG      Fragment Header (IP version 6)
45        IDRP           Inter-Domain Routing Protocol
46        RSVP           Reservation Protocol
47        GRE            General Routing Encapsulation Protocol
48        MHRP           Mobile Host Routing Protocol
49        BNA            BNA
50        ESP            Encapsulation Security Payload
51        AH             Authentication Header (IP version 6)
52        I-NLSP         Integrated Net Layer Security Protocol
53        SWIPE          Encrypted IP
54        NARP           NBMA Address Resolution Protocol
55        MOBILE         IP Mobility
56        TLSP           Transport Layer Security Protocol (Kryptonet Key Management)
57        SKIP           Skip
58        IPv6-ICMP      Internet Control Message Protocol (IP version 6)
59        IPv6-NoNxt     No Next Header (IP version 6)
60        IPv6-Opts      Destination Options (IP version 6)
61        HOST           Local Host
62        CFTP           CFTP
63        NETWORK        Local Network
64        SAT-EXPAK      SATNET and Backroom EXPAK
65        KRYPTOLAN      Kryptolan
66        RVD            MIT Remote Virtual Disk Protocol
67        IPPC           Internet Pluribus Packet Core
68        FILE           Distributed File System
69        SAT-MON        SATNET Monitoring
70        VISA           VISA
71        IPCU           Internet Packet Core Utility
72        CPNX           Computer Protocol Network Executive
73        CPHB           Computer Protocol Heart-Beat
74        WSN            Wang Span Network
75        PVP            Packet Video Protocol
76        BR-SAT-MON     Backroom SATNET Monitor
77        SUN-ND         SUN-ND Protocol
78        WB-MON         Wideband Monitor
79        WB-EXPAK       Wideband EXPAK
80        ISO-IP         ISO Internet Protocol
81        VMTP           VMTP
82        SECURE-VMTP    Secure VMTP
83        VINES          Banyan Vines
84        TTP            TTP
85        NSFNET-IGP     NSFNET Interior Gateway Protocol
86        DGP            Dissimilar Gateway Protocol
87        TCF            TCF
88        EIGRP          Enhanced Interior Gateway Routing Protocol
89        OSPFIGP        OSPF Interior Gateway Protocol
90        SPRITE-RPC     Sprite Remote Procedure Call
91        LARP           Locus Address Resolution Protocol
92        MTP            Multicast Transport Protocol
93        AX.25          AX.25 Frames
94        IPIP           IP in IP Encapsulation
95        MICP           Mobile Internetworking Control Protocol
96        SCC-SP         Semaphore Communications Security Protocol
97        ETHER-IP       Ethernet in IP Encapsulation
98        ENCAP          Encapsulation Header
99        ENCRYPT        Private Encryption Schemes
100       GMTP           GMTP
101       IFMP           Ipsilon Flow Management Protocol
102       PNNI           PNNI over IP
103       PIM            Protocol Independent Multicast
104       ARIS           ARIS
105       SCPS           SCPS
106       QNX            QNX
107       AN             Active Networks
108       IPPCP          IP Payload Compression Protocol
109       SNP            Sitara Network Protocol
110       COMPAQPEER     Compaq Peer-to-Peer Protocol
111       IPXIP          IPX in IP Encapsulation
112       VRRP           Virtual Router Redundancy Protocol
113       PGM            PGM Reliable Transport Protocol
114       NOHOP          Zero Hop Protocols
115       L2TP           Layer 2 Transport Protocol
116       DDX            D-II Data Exchange
117–254   UNASSIGNED     Unassigned
255       RESERVED       Reserved
• Header checksum— The header checksum field occupies 16 bits of the IP header. This field is calculated as a checksum for the IP header only.
• Source address— The source address occupies 32 bits of the IP header. Under normal circumstances, this is the actual 32-bit IP address of the source node.
• Destination address— The destination address occupies 32 bits of the IP header. Under normal circumstances, this is the actual 32-bit IP address of the destination node.
• Options— The options field is an optional field following the destination address. If present, it contains the security, timestamp, and special routing subfields:
 - Security— The security subfield specifies the security level and distribution restrictions.
 - Timestamps— The timestamps subfield contains a 32-bit value. This value is normally set to the number of milliseconds since midnight universal time.
 - Special routing— The special routing subfield specifies either host-discovered paths or the specific path that the datagram should travel.
• Padding— The padding field always contains zeros. This field is used to round the length of the IP header until it contains an exact multiple of 32 bits.
Address Resolution Protocol (ARP)
The Address Resolution Protocol (ARP) is defined by RFC 1122. ARP creates an interface between the data link layer and the network layer of the OSI model. The primary function of ARP is to resolve IP addresses to network layer addresses, such as a Media Access Control (MAC) address. Routers and hosts both use ARP to resolve IP addresses to MAC addresses. All network communications eventually take place over the network layer of the OSI model, and a network layer address such as a MAC address is required for this to take place. The MAC address corresponding to the IP address can be either statically entered prior to communications by entering a static ARP entry, or dynamically learned by ARP. To learn a MAC address dynamically, ARP sends out a broadcast frame requesting the MAC address of a host with a specified IP address. All hosts on the segment receive the broadcast, but only the host with the specified IP address responds with its MAC address. At this point, Layer 3 communication can begin. Reverse ARP (RARP), which is used to translate a MAC address to an IP address, uses the same header format as ARP. The header of an ARP packet differs depending on the underlying networking technology in use. The header fields of an ARP packet contain values specifying the lengths of the successive fields. A list of fields follows:
• Hardware type— Indicates the type of hardware in use.
• Protocol type— Indicates the network level protocol.
• Hardware address length— Indicates the length of the hardware address in bytes.
• Protocol address space— Indicates the length of the protocol address in bytes.
• Operation code— Indicates the operation for this packet: ARP request, ARP response, RARP request, or RARP response.
• Sender's hardware address— Indicates the hardware address of the sender.
• Sender's protocol address— Indicates the network layer address of the sender.
• Target hardware address— With a RARP request, this contains the destination hardware address. With a RARP response, this carries both the destination's hardware and network layer addresses.
• Target protocol address— With an ARP request, this carries the destination's network layer address. With an ARP response, this carries both the destination's hardware and network layer addresses.
Internet Control Message Protocol (ICMP)
ICMP messages are encapsulated within IP packets. Using a connectionless, unreliable transfer mechanism, ICMP is used to report errors within a network. Usually, only higher-level protocols are encapsulated within another protocol. However, ICMP is an integral part of the IP protocol suite that still is encapsulated within the data portion of an IP packet. RFCs 792 and 1700 define ICMP. Even though ICMP message formats vary based on which service is requested, all ICMP messages have the first three fields in common. These fields are type, code, and checksum. Code is a single-byte field whose purpose is to explain the type field further. The ICMP checksum is a 2-byte field that uses the same algorithm as the IP checksum field. However, the ICMP checksum only pertains to the ICMP portion of the IP message, not to the whole IP packet. All ICMP messages that report errors also carry the header and the first 8 bytes of the datagram that caused the error. Because the most critical information of a higher-level protocol using IP is carried within these first 8 bytes, this helps with detecting what caused the error. The formats of echo request, echo reply, and destination unreachable messages are shown in Figure 1-10. Remember that this ICMP message is embedded within the data portion of an IP packet, which is in turn encapsulated within another protocol, such as Ethernet.
Figure 1-10. ICMP Message Formats
The main use of ICMP is to provide a reporting function that identifies error conditions on network devices. Routers usually generate ICMP messages as they receive and route the IP packet. These ICMP messages contain three fields at the beginning of the packet:
• Type field— The type field is an 8-bit field that identifies the message. These type field values are displayed in Table 1-2.
Table 1-2. ICMP Type Field Values
Type Value   Message Type
0            Echo Reply
1            Unassigned
2            Unassigned
3            Destination Unreachable
4            Source Quench
5            Redirect
6            Alternate Host Address
7            Unassigned
8            Echo Request
9            Router Advertisement
10           Router Selection
11           Time Exceeded
12           Parameter Problem
13           Timestamp Request
14           Timestamp Reply
15           Obsolete (Information Request)
16           Obsolete (Information Reply)
17           Address Mask Request
18           Address Mask Reply
19–29        Reserved
30           Traceroute
31           Datagram Conversion Error
32           Mobile Host Redirect
33           IPv6 Where Are You?
34           IPv6 Here I Am
35           Mobile Registration Request
36           Mobile Registration Reply
37–255       Reserved
• Code field— The code field is an 8-bit field that provides further information about the ICMP message.
• Checksum field— The checksum field is a 16-bit field that is used to verify the integrity of the whole ICMP message.
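The layering described in the IP header and ICMP sections can be checked in code. This added example, not from the book, constructs an IPv4 datagram carrying an ICMP Destination Unreachable message, verifies the IP header checksum over the header only and the ICMP checksum over the ICMP portion only, and pulls the source and destination ports out of the quoted original header and its first 8 bytes; all addresses and ports are constructed sample values.

```python
"""Parse an ICMP Destination Unreachable message carried inside an IPv4 datagram.

Added illustration, not code from the book.  It walks the layering the text
describes: the outer IP header (checksum over the header only), the ICMP
header (checksum over the ICMP portion only), and the copy of the original IP
header plus the first 8 bytes of the offending datagram that error messages
carry.  The sample packet is constructed here with struct.pack.
"""
import struct
from typing import Any, Dict


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by both the IP and ICMP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(buf: bytes) -> Dict[str, Any]:
    """Decode the fixed IPv4 header fields of Figure 1-9 and verify its checksum."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4                       # IHL is in 32-bit words
    return {
        "version": ver_ihl >> 4,
        "ihl_bytes": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),              # bit 1 of the 3-bit flags field
        "mf": bool(flags_frag & 0x2000),              # bit 2, More Fragments
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # 13 bits, in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        # The checksum covers the header only; a valid header sums to zero.
        "checksum_ok": internet_checksum(buf[:ihl]) == 0,
    }


def parse_icmp_error(ip_packet: bytes) -> Dict[str, Any]:
    """Parse IP + ICMP, then the embedded original header and first 8 bytes."""
    outer = parse_ipv4_header(ip_packet)
    icmp = ip_packet[outer["ihl_bytes"]:outer["total_length"]]
    icmp_type, code, _icmp_csum = struct.unpack("!BBH", icmp[:4])
    result = {
        "outer": outer,
        "type": icmp_type,
        "code": code,
        # The ICMP checksum pertains to the ICMP portion only, not the IP header.
        "icmp_checksum_ok": internet_checksum(icmp) == 0,
    }
    if icmp_type == 3:   # Destination Unreachable (Table 1-2)
        inner = parse_ipv4_header(icmp[8:])           # 4-byte header + 4 unused bytes
        start = 8 + inner["ihl_bytes"]
        first8 = icmp[start:start + 8]
        # For TCP and UDP those 8 bytes begin with the source and destination
        # ports, which is what identifies the flow that caused the error.
        sport, dport = struct.unpack("!HH", first8[:4])
        result.update(inner=inner, original_sport=sport, original_dport=dport)
    return result


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234, df: bool = True) -> bytes:
    """Construct a 20-byte IPv4 header with a valid checksum (for the sample)."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


# Constructed sample: host 10.1.1.5 sent a UDP datagram (protocol 17) from port
# 40000 to 192.0.2.10 port 53; router 192.0.2.1 answers with ICMP type 3, code 3
# (port unreachable), quoting the original header and its first 8 bytes.
ORIGINAL_HEADER = build_ipv4_header("10.1.1.5", "192.0.2.10", 17, 8 + 32, ttl=63)
ORIGINAL_FIRST8 = struct.pack("!HHHH", 40000, 53, 8 + 32, 0)      # UDP header
ICMP_BODY = struct.pack("!BBHI", 3, 3, 0, 0) + ORIGINAL_HEADER + ORIGINAL_FIRST8
ICMP_BODY = ICMP_BODY[:2] + struct.pack("!H", internet_checksum(ICMP_BODY)) + ICMP_BODY[4:]
SAMPLE_PACKET = build_ipv4_header("192.0.2.1", "10.1.1.5", 1, len(ICMP_BODY)) + ICMP_BODY

if __name__ == "__main__":
    msg = parse_icmp_error(SAMPLE_PACKET)
    print(f"ICMP type {msg['type']} code {msg['code']} from {msg['outer']['src']}; "
          f"IP checksum ok={msg['outer']['checksum_ok']}, "
          f"ICMP checksum ok={msg['icmp_checksum_ok']}")
    print(f"original datagram {msg['inner']['src']}:{msg['original_sport']} -> "
          f"{msg['inner']['dst']}:{msg['original_dport']} "
          f"protocol {msg['inner']['protocol']}")
```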
Transmission Control Protocol (TCP)
TCP, defined in RFC 761, operates at the transport layer of the OSI model. TCP encapsulates IP and provides a connection-oriented and reliable transport protocol. Services using TCP include Hypertext Transfer Protocol (HTTP), Simple Mail Transport Protocol (SMTP), Post Office Protocol 3 (POP3), and File Transfer Protocol (FTP). The fields in the TCP header are shown in Figure 1-11.
Figure 1-11. TCP Header Format
An explanation of each of the fields in the TCP header follows:
• Source port— The source port is 16 bits and contains the value of the source port where data originates. Because both UDP and TCP use ports, a list of valid source ports is included within the UDP section.
• Destination port— The destination port is 16 bits and contains the value of the port to which data is sent.
• Sequence number— The sequence number is 32 bits. The value of this field is the sequence number of the first data octet within this segment when the SYN bit is not set. When the SYN bit is set, the value of this field is the Initial Sequence Number (ISN), and the first data offset is set to ISN + 1.
• Acknowledgement number— The acknowledgement number is 32 bits long. Once a connection is established, this field always contains a value equal to the next sequence number expected by the receiver. A connection is assumed to be established if the ACK bit is set.
• Data offset— The data offset field is 4 bits in length and specifies the number of 32-bit words within the TCP header, thereby specifying where the data begins.
• Reserved— This unused field is 6 bits in length and is set to 0.
• Flags (control bits)— The flags field is also known as the control bits field. This field is 6 bits in length and contains the following subfields, each a length of 1 bit:
 - URG— Urgent pointer field significant
 - ACK— Acknowledge field significant
 - PSH— Push function
 - RST— Reset connection request
 - SYN— Synchronize sequence numbers
 - FIN— Connection finished
• Window size— The 16-bit window size field contains the number of data octets that the sender is willing to receive.
• Checksum— The 16-bit checksum field contains the data calculated during the cyclic redundancy check (CRC). This checksum is used for checking the data integrity for the TCP packet, including the source address, destination address, protocol, options, and TCP length.
• Urgent pointer— The 16-bit urgent pointer field is used in conjunction with the URG control bit. If the URG control bit is set, the urgent pointer field contains the sequence number of the octet following the urgent data.
• Options— The options field is variable in length, aligning to an equal multiple of 8 bits. An option within this field begins on an 8-bit boundary. The option field can be formatted as a single octet. An alternative format is the combination of an option followed by an octet describing the option length and the option data octets.
• Maximum segment size— The optional 16-bit maximum segment size field is only used on packets with the SYN control bit set. This field contains the maximum receive segment size of the sender.
• Padding— The variable-length padding field is used to ensure that the TCP header ends on a 32-bit boundary. This field always contains zeros.
User Datagram Protocol (UDP)

UDP is defined in RFC 768 and operates at the transport layer of the OSI model. UDP is a simple packet-oriented transport layer protocol that is connectionless and therefore unreliable. The UDP datagram resides within the data portion of an IP packet. UDP packets are sent with no sequencing or flow control, so there is no guarantee that they will reach their intended destination. The receiving host compares the UDP header checksum, and if a problem is detected, the packet is dropped without reporting the error back to the sending host. This is a very fast transport protocol because no acknowledgements or advanced sequencing are carried out at the transport layer. Upper layer protocols can enforce their own error detection and recovery to utilize the speed of UDP. UDP is typically used when the data is not essential, such as in video or voice streaming of live content over the Internet. The Trivial File Transfer Protocol (TFTP) that is used to upgrade software images on Cisco routers and switches is also based on UDP. A breakdown of the UDP header fields is shown in Figure 1-12.

Figure 1-12. UDP Header Format
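The text states that a receiving host compares the UDP header checksum and silently drops a datagram that fails it. The following Python code is an added example, not from the book, of that check: it computes the RFC 768 checksum over the IPv4 pseudo-header, the UDP header and the payload, and hands back the payload only when the stored checksum verifies. The addresses, ports and the TFTP-style payload are constructed sample values.

```python
"""Build and verify a UDP datagram the way a receiving host does: recompute
the checksum over the IPv4 pseudo-header, UDP header and payload, and drop
the datagram silently on mismatch."""
import struct

UDP_PROTOCOL = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                     # odd length: pad with a zero octet
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """Checksum over the pseudo-header (source, destination, zero, protocol,
    UDP length) and the segment with its own checksum field taken as zero.
    RFC 768 transmits 0xFFFF instead of a computed 0, since 0 means
    'no checksum present'."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTOCOL, len(udp_segment))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = 0xFFFF - ones_complement_sum(pseudo + zeroed)
    return csum if csum != 0 else 0xFFFF


def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Sender side: header (source port, destination port, length, checksum)."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def receive_udp(src_ip, dst_ip, udp_segment):
    """Receiver side: return the payload if the datagram verifies, else None.
    Nothing is reported back to the sender, matching the text."""
    if len(udp_segment) < 8:
        return None
    sport, dport, length, csum = struct.unpack("!HHHH", udp_segment[:8])
    if length != len(udp_segment):
        return None
    if csum != 0 and udp_checksum(src_ip, dst_ip, udp_segment) != csum:
        return None
    return udp_segment[8:]


# Constructed sample values: a TFTP read request (opcode 1, filename, mode)
# from 10.1.1.30 to a TFTP server at 10.1.1.1. The filename is made up.
SRC = bytes([10, 1, 1, 30])
DST = bytes([10, 1, 1, 1])
TFTP_PORT = 69
SAMPLE_PAYLOAD = b"\x00\x01" + b"router-image.bin\x00" + b"octet\x00"
SAMPLE_DATAGRAM = build_udp(SRC, DST, 40000, TFTP_PORT, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(receive_udp(SRC, DST, SAMPLE_DATAGRAM))
```

Note that the pseudo-header ties the checksum to the IP addresses, so a datagram whose source address is rewritten in transit fails the check, while a datagram sent with a zero checksum field is accepted without any verification at all.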
Denial of Service (DoS) Attacks

A DoS attack is designed to overwhelm the victim's network to the point that the victim cannot use the network for legitimate business purposes. A Distributed DoS (DDoS) is simply a DoS that is launched simultaneously from more than one source. Sometimes these attacks are used in an attempt to confuse the equipment to a point where unauthorized access is able to penetrate inside the network. At other times, the attacks are launched merely because the perpetrator wishes to bring down the victim's network connections. In either case, there are some common methods used in DoS attacks that are explored in this chapter, in addition to ways to avoid becoming a victim of these attacks.
SYN Flood Attacks

To understand how a SYN flood attack can occur, you must first understand how a connection is established. When a host wishes to establish a connection, a TCP packet with the SYN bit set is sent to the remote host. The remote host looks at the port within this TCP packet. If the port corresponds to a service that is running, the remote host replies with another SYN packet. The initiating host then sends an ACK packet that starts the data transfer stage of the communications. Because there is no guarantee of how quickly the ACK packet will be received by the remote host, a partially opened connection, also called a half-open connection, is maintained by the remote host. Maintaining half-open connections uses CPU cycles and memory and exposes the remote host to an inherent vulnerability from SYN flood attacks.

In a SYN flood attack, the perpetrator repeatedly causes the remote host to maintain half-open connections. As the number of half-open connections increases, more memory and CPU cycles are used in an attempt to maintain these connections. Unless measures are taken to limit the time that each half-open connection is maintained or the total number of half-open connections permitted, eventually the remote host will spend all of its resources trying to maintain these connections. SYN flood attacks can be further understood through an explanation of the LAND.c attack.
LAND.c Attacks

One form of SYN flood attack is known as the LAND.c attack. Originally written in the C programming language, this form of attack can be devastating to unprotected systems. However, filtering spoofed addresses as discussed in Chapter 2, "Basic Cisco Router Security," will prevent this type of attack from being successful. In the LAND.c attack, a perpetrator repeatedly sends TCP SYN packets to a known address. In the example shown in Figure 1-13, the perpetrator is launching an attack on a Web server. In this example, the SYN packets would have both the source and destination address set to 10.1.1.30, which is the address of the machine under attack.

Figure 1-13. LAND.c Attack

Within the TCP packet, the perpetrator sets a port number. Any port number associated with a running service could be used. Because the attacked machine's main function is to service Web pages, the perpetrator is likely to set the port number to 80, which is used for Web services. The attacked machine receives the SYN packet and checks the port requested. If the port requested is currently running a service, the attacked machine replies with another SYN packet to the "requesting host," attempting to complete the connection. In this case, the requesting host, as defined by the source address of the IP packet, is the same as the destination host. Therefore, the attacked host tries to establish a connection with itself. While waiting for a response that will never come, the attacked host holds open a connection until a timeout period has passed. This timeout period varies, depending on the operating system of the attacked host. The host soon becomes overwhelmed by the repeated opening of connections to itself and ceases to function because of exhaustion of resources.
Ping Attacks

A ping attack occurs when a perpetrator attempts to overwhelm the victim's equipment through the use of ICMP Echo Request packets. As with most DoS attacks, ping attacks attempt to use CPU cycles and memory to prevent legitimate use of equipment. Although a number of ping attacks have been launched successfully, such as the ping of death and the smurf attacks, simple configuration changes can prevent attacks from adversely affecting your network. Chapter 2 shows how to configure Cisco routers to prevent becoming vulnerable to these forms of attack. Following is an explanation of a smurf attack.

Smurf Attack

A smurf attack is when an attacker sends an ICMP Echo Request to a network address of an unsuspecting amplifier, rather than a specific host. The attacker enters the IP address of the targeted server as the ICMP echo source address. Every host on the amplifier network responds and sends an ICMP Echo Reply to the source address of the ICMP echo packet. This address is that of the server that the attacker wanted to attack. Because the amplifier network has many hosts, they each respond to the ICMP Echo Request, amplifying the number of ICMP Echo Replies received by the victim's host. In this case, the attacker uses another's resources and network to attack the victim. This attack works by simply consuming bandwidth to the victim. Once this bandwidth is consumed, all access to the server from other public hosts will slowly grind to a halt.
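Both the LAND.c and the smurf descriptions above come down to packets a border filter can recognize without keeping any state: a source address equal to the destination, a source that claims to belong to the inside network while arriving on the outside interface (the spoofed-address filtering Chapter 2 refers to), and an ICMP Echo Request aimed at a network or broadcast address rather than a host. The Python code below is an added example, not from the book and not how IOS implements these filters, that applies those three checks to constructed sample packets. The 10.1.1.0/24 inside network, the interface names and the outside addresses are assumptions chosen for the example.

```python
"""Stateless sanity checks a border filter can apply to inbound packets:
LAND.c (source == destination), inside source on the outside interface
(spoofing), and ICMP Echo Request to a network/broadcast address (smurf
amplification). Sample packets are constructed, not captured."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ICMP, TCP = 1, 6
ECHO_REQUEST = 8

# Assumption for the example: our own address space behind the router.
INSIDE_NETS = [ip_network("10.1.1.0/24")]


@dataclass
class Packet:
    iface: str            # "outside" or "inside": interface the packet arrived on
    proto: int            # IP protocol number
    src: str
    dst: str
    icmp_type: int = -1   # only meaningful when proto == ICMP


def check_packet(pkt: Packet) -> list:
    """Return the names of the checks the packet violates; [] means clean."""
    findings = []
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # LAND.c signature: the host would be asked to connect to itself.
    if src == dst:
        findings.append("land: source equals destination")
    # Anti-spoofing: nothing legitimately arrives from outside claiming an
    # inside source address.
    if pkt.iface == "outside" and any(src in n for n in INSIDE_NETS):
        findings.append("spoof: inside source address on outside interface")
    # Smurf amplification: echo requests to the network or broadcast address
    # would make every host on the segment reply to the (spoofed) source.
    if pkt.proto == ICMP and pkt.icmp_type == ECHO_REQUEST:
        for n in INSIDE_NETS:
            if dst in (n.network_address, n.broadcast_address):
                findings.append("smurf: echo request to network/broadcast address")
                break
    return findings


def filter_packets(packets):
    """Split packets into (forwarded, dropped); dropped carries the findings."""
    forwarded, dropped = [], []
    for p in packets:
        findings = check_packet(p)
        if findings:
            dropped.append((p, findings))
        else:
            forwarded.append(p)
    return forwarded, dropped


# Constructed sample traffic arriving at the router.
SAMPLE_PACKETS = [
    Packet("outside", TCP, "10.1.1.30", "10.1.1.30"),               # LAND.c pattern
    Packet("outside", ICMP, "192.0.2.7", "10.1.1.255", icmp_type=8), # smurf pattern
    Packet("outside", TCP, "10.1.1.5", "10.1.1.30"),                # spoofed inside source
    Packet("outside", TCP, "198.51.100.9", "10.1.1.30"),            # ordinary Web client
    Packet("inside", ICMP, "10.1.1.5", "10.1.1.30", icmp_type=8),   # ordinary inside ping
]

if __name__ == "__main__":
    forwarded, dropped = filter_packets(SAMPLE_PACKETS)
    for pkt, why in dropped:
        print("drop", pkt.src, "->", pkt.dst, why)
    print(len(forwarded), "forwarded")
```

The LAND.c packet trips two checks at once, which is the point the text makes: an anti-spoofing filter on the outside interface already stops it, because a packet from the outside can never legitimately carry an inside source address.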
Creating a Corporate Security Policy

A corporate security policy is a necessary piece of any network design effort. Security is as important to a network design as bandwidth requirements and choosing the network protocol. Failing to consider security during the design stage leads to situations where extra efforts must be taken to ensure safety. Security measures incorporated within the design are much easier to implement, generally less expensive, and usually more robust.

The corporate security policy is a formal statement that specifies a set of rules that users must follow when gaining access to corporate assets. You need to differentiate the security policy from the technical design of the security features. For example, a proper security policy does not state that a PIX 515 Firewall will be used on Internet connections. Instead, a well-formed security policy states that a firewall will be used on Internet connections and that this firewall will have certain minimum capabilities. The network security administrator chooses the best equipment and configurations to accomplish the goals, using the policy as a guide. For a security policy to succeed, some general guidelines must be followed:

• Management must support the policy.
• The policy must be technically feasible.
• The policy must be implemented globally throughout the company.
• The policy must clearly define responsibilities for users, administrators, and management.
• The policy must be flexible enough to adapt to changing technologies and company goals.
• The policy must be understandable.
• The policy must be widely distributed.
• The policy must be enforceable.
• The policy must provide sanctions for users violating the policies.
• The policy must contain a response plan for when security breaches are exposed.
Once a security policy is implemented, the company will see a number of benefits. Some of these benefits include:

• A framework from which all security efforts are built.
• Lessened uncertainty about whether an action is permissible.
• A basis for punitive action to be taken in cases of unacceptable network usage.
• A comprehensive system for auditing security efforts.
As defined in "The Site Security Handbook" (RFC 2196), a security policy does not dictate how a business runs. Rather, the business needs dictate the security policy. The policy does not dictate the exact equipment or configuration to be used; instead, it gives guidance to the administrator.

Summary

This chapter introduced some of the basics of network security. Starting with a brief description of some of the most common forms of attacks, it quickly moved on to a description of common network devices. Security provided by the TCP/IP protocol set was discussed, delving into the format of the more common protocols. Understanding the format and use of each of the fields within a protocol is necessary for the administrator to thwart attacks successfully. The chapter examined a few of the more common forms of DoS attacks. Specific examples of how to deal with each of these types of attacks will be shown in later chapters. In this book, the focus of how to deal with and prevent attacks is on solutions provided by Cisco Secure. Finally, the chapter covered the need for and requirements of a corporate security policy. The remaining chapters of this book will build on the foundations within this chapter.
Frequently Asked Questions

Question: Why do I really need a written security policy? Why can't I just secure my network?

Answer: Although this may seem reasonable for a smaller network, failing to implement a written security policy has many ramifications. First, the policy defines the goals and parameters around which the configurations are designed. Failing to write down the policy is similar to implementing a network before designing the network. Second, as networks and technologies grow in complexity, you need a base reference to look back on in order to compare where you are to where you wish to be. The written security policy provides you with this information. Finally, as network administrators are replaced or added to the workforce, the written policy gives new administrators guidance about how equipment should be configured. Having a single document to rely on allows new administrators to avoid guessing about what should be allowed and what should be denied.

Question: How secure should I make my network? Isn't there a point at which the network becomes unusable?

Answer: The security on a network must fit the corporation. A suit that is too tight is not comfortable; neither is one that is too loose. If the security is too tight, users will constantly complain. If the security is too loose, the network runs the danger of being hacked or exposed to a DoS attack. The task of the administrator is to find the middle ground that follows the policy, protects the network, and does not cause the users to complain. Again, this is where a well-defined written security policy comes in.

Question: My office network doesn't have any critical data. Do I still need to protect it?

Answer: Yes. Even if your own network does not have critical data, which is doubtful, there is another reason to protect the network. Failing to protect your own network might leave you in a position where your network is used to launch attacks on other networks. Protecting your own network prevents attackers from using it to launch attacks against others. Also, even if your data is not critical, your operation probably is, and a DoS attack will still be devastating.
Glossary

ASA (Adaptive Security Algorithm)— A Cisco proprietary methodology of ensuring security.

CBAC (Context-based Access Control)— A Cisco proprietary method of allowing returning traffic through a router only after packets requesting that session have traveled out the same interface.

DoS (denial of service)— A form of attack that attempts to deny the availability of a network or host, usually by overwhelming that network or host with requests.

NAT (Network Address Translation)— NAT is the process where the source or destination address of IP packets is changed as these packets traverse a router or firewall. NAT allows a network using private IP addresses to connect to the Internet using public IP addresses.

RADIUS (Remote Access Dial-In User Service)— A protocol used to authenticate users on a network.

TACACS (Terminal Access Controller Access Control System)— A protocol used to authenticate users on a network. Also provides authorization and accounting facilities.
Chapter 2. Basic Cisco Router Security

This chapter contains the following sections:

• Basic Management Security
• Access Lists
• Password Management
• Physical Security
• Out-of-Band Management Security
• Cisco Discovery Protocol (CDP)
• HTTP Configuration Services
• Simple Network Management Protocol (SNMP)
• Network Time Protocol (NTP)
• Banners
• Recommended Minimum IOS Security Settings
• TCP Intercept
• Summary
The first question any administrator should ask about a service is whether it is necessary to run that service in the present environment. If a service is not required, it should be disabled. Running a service that provides no functionality only burns up CPU cycles and exposes the network to potential attacks. If a service is required on the interior of the network, the administrator should make efforts to prevent that service from being seen from the exterior. Likewise, if a service is required on the exterior of the network, the administrator should attempt to limit the scope of the service to only the exterior portions.

Throughout this chapter, you will find several examples of services that pose potential risks of security breaches. Some of these services might be disabled by default, depending on the version of IOS being used. In these cases, the administrator is still urged to turn off the service specifically. The reason for this is to ensure that the administrator does not rely on his or her memory regarding which services are off by default on which versions of the IOS. Taking the time to turn off questionable services specifically will also make certain that the service is off even if the default changes.

As hackers, crackers, and script kiddies try new and inventive ways to break into your network, new threats will continue to emerge. One of the best ways to stay ahead of security threats is to keep current on the IOS version used on routers. Major security threats are consistently eliminated through new IOS versions. However, this does not relieve the administrator of the responsibility of using common sense and basic configurations that are sound.

This chapter provides the basic configuration changes necessary to prevent your network from becoming susceptible to common attacks. Throughout this chapter, you will be reminded that you should never intentionally divulge information regarding your network. The reason for this warning is that any information received by someone trying to breach security can and will be used against you. You should never intentionally divulge any information that does not need to be shared. Remember that the topic is security; in the realm of security, there is no such concept as being too careful.

This chapter is designed to teach the basic configurations necessary to begin securing your network. Advanced topics such as Terminal Access Controller Access Control System (TACACS), TACACS+, and Remote Access Dial-In User Service (RADIUS) authentication are explored in Chapter 10, "Securing the Corporate Network." This chapter is limited in scope to the rudimentary commands.
Basic Management Security

Before delving into specifics regarding how routers should be configured to help avoid attacks, the differences between internal and external devices must be explored. For purposes of this chapter, the authors use the word external as in external interface, meaning that the interface is directly connected to an untrusted entity. This can be the Internet, another company, or even a subsidiary of your own company. An internal interface is one that connects directly to a fully trusted network. Many factors determine whether an entity is trusted. If there is doubt that the connected entity can be trusted, the authors recommend that the administrator not trust that entity.

The initial reaction of many administrators will be to question why a wholly owned subsidiary should not be trusted. Consider the following example: Company A has a connection to the Internet. The administrator has done everything reasonable to ensure that the network is safe. Company B is a wholly owned subsidiary that has its own connection to the Internet. The administrators of these companies have sent a few e-mails to each other and talked on the phone a number of times to establish connection procedures and procedures for maintaining connections. However, Company A's administrator has no authority, either explicit or implied, over Company B's administrator. Upper management has decided that all subsidiaries will be entirely responsible for their own networks. If Company B's administrator is not careful, Company A may become a target of attack through Company B's network. Figure 2-1 illustrates this scenario.

Figure 2-1. Company A Is Exposed Through Company B

This situation becomes more complicated when a company acquires several hundred subsidiaries. In a multinational company, one cannot possibly assume that each of the subsidiaries will always observe good security practices. Therefore, administrators should assume that any subsidiary of which they do not directly have control is easily breached. Likewise, the subsidiaries should assume that the main office is easily breached. Unless the administrator at the subsidiary personally knows all of the security steps taken within the main office, security should be implemented. Additionally, even if all offices provide adequate security, the only drawback to increased security will be a slight increase in latency and additional CPU requirements on the interface routers, both of which are very reasonable trade-offs for increased security. In any case, a connection to another company that is not owned by your own company should be treated as a possible threat and considered an external interface. The reasoning behind this is the same as that for a subsidiary. Unless the administrator is able to constantly verify the security on any connection, it must be assumed to be a threat.
Now that the basic differences between internal and external connections have been explored, the chapter will move on to cover some specific settings on routers to discourage the most common forms of attack.
Access Lists

Access lists are created to deny certain packets the ability to traverse a router interface. By default, a router will allow all packets to travel through an interface. The router may not know where to forward a particular packet but will still allow that packet to cross the interface. An access list is a list of packets that is consulted before allowing or disallowing a packet to travel forward toward its ultimate destination. Although this text assumes that you have at least an understanding of access lists, this section contains a brief review of the basic forms of IP access lists before moving on to the more complex reflexive and context-based access lists. The examples within this chapter will focus on IP access lists. A wide variety of protocols are available, all of which might have access lists applied to restrict access. A listing of the available access list numbers and their associated protocols can be found in Table 2-1.

Table 2-1. Access List Numbers and Associated Protocols

List Range   Protocol      Notes
1–99         IP            Standard IP access list
1–100        Vines         Standard Vines access list
100–199      IP            Extended IP access list
101–200      Vines         Extended Vines access list
200–299      Type Code     Ethernet Type Code, transparent bridging Type Code, or source-route bridging Type Code access list
201–300      Vines         Simple Vines access list
300–399      DECnet        DECnet and Extended DECnet access list
400–499      XNS           XNS access list
500–599      XNS           Extended XNS access list
600–699      AppleTalk     AppleTalk access list
700–799      Vendor Code   Source-route bridging Vendor Code access list
800–899      IPX           Standard IPX access list
900–999      IPX           Extended IPX access list
1000–1099    IPX           IPX Service Access Protocol[1] access list

[1] SAP = Service Access Protocol
Any interface on a router may have up to two access lists assigned: one will control inbound traffic, and the other will control outbound traffic. All access lists, regardless of protocol or interface, operate based on six principles:

• Access lists usually deny that which is not specifically permitted, because traffic is generally allowed by default.
• Access lists control traffic in one direction (inbound or outbound) on an interface.
• Every packet traversing the interface is examined against an applied access list in the direction of that packet.
• Packets are compared to the access list starting at the top of the access list and continuing until a match is found. The implied deny statement at the end of an access list is considered a match.
• Outbound packets are routed to the appropriate interface before the access list is applied.
• Inbound packets are compared to the access list and, if permitted, are routed to the appropriate interface.
• Any interface may have a maximum of one access list applied to the inbound traffic and a maximum of one access list applied to the outbound traffic.
Access lists are made in one of several forms; the most common are standard and extended. Because standard access lists are simpler by nature, they will be examined first.

Standard Access Lists

Standard access lists deny or permit packets traversing a router interface based solely on the source address of the packet. Numbered 1 through 99 for IP, standard access lists must be defined before they can be used. Figure 2-2 shows that a router, by default, allows all traffic through to the intended destination.

Figure 2-2. By Default, a Router Allows All Traffic Through

Applying an access list, however, will change this behavior. When an access list is applied, a router acts as a firewall. The function of a firewall is to restrict traffic traveling through itself. As shown in Figure 2-3, adding an access list changes the behavior of the router. When an access list is applied, only traffic that has specifically been allowed will be able to travel through the router. In the example shown in Figure 2-3, traffic from the 10.2.2.0/24 network is allowed to traverse the router. Because no other traffic has been allowed, traffic originating from the host 10.1.1.1 will not be allowed through.

Figure 2-3. Access List Limits Which Packets Travel Through a Router
The syntax for creating a standard IP access list is as follows:

access-list access-list-number {deny | permit} source [source-wildcard]

With this syntax, access-list-number is any number from 1 through 99 that defines the access list number. The parameter permit or deny specifies whether to allow or disallow the packets. The parameter source is the IP address of the host sending the packets to be denied, and source-wildcard is the wildcard mask for the host or hosts sending the packets. The logical flow for a standard access list is shown in Figure 2-4. Notice that if the source address is either not found or found but not permitted, the packet is denied.

Figure 2-4. Logical Flow of Standard Access List
An example of a standard access list follows. Although this access list will reveal some inconsistencies, it is useful for the purposes of discussion. Each line of this access list will be discussed. For the purposes of this discussion, each line is labeled with a line number:

1) access-list 3 permit 172.30.1.0 0.0.0.255
2) access-list 3 permit 10.1.1.0 0.0.15.255
3) access-list 3 deny 10.1.1.2 0.0.0.0
4) access-list 3 permit 192.168.10.0 0.0.0.7
5) access-list 3 deny 172.31.1.0 0.0.0.255
6) access-list 3 deny any

Line 1 accomplishes a number of objectives. The keyword access-list is used to define that this line is used to specify an access list. The number 3 assigns the following permit or deny statement to access list number 3. The word permit tells the router to allow the following combination of IP address and mask through the interface. Using the keyword deny would tell the router to deny the packets. Notice that all of the lines have an IP network address and what looks like a reversed subnet mask. The reversed subnet mask is called a wildcard mask and works very much like a subnet mask, only in reverse. In line 1, 172.30.1.0 0.0.0.255 describes the source address of packets to permit through the interface. This means that all packets with the source address of 172.30.1.0 through 172.30.1.255 will be permitted through an interface with this access list applied.

Line 2 looks similar to line 1 and allows all packets between 10.1.0.0 and 10.1.15.255 through an interface to which this access list is applied. At this point, you might be questioning exactly how that conclusion was reached. This is explained in the following sidebar, "Wildcard Masks."

Wildcard Masks

In a wildcard mask, zeros indicate that the bit is significant, while a one means that the bit is not significant for purposes of comparison. Therefore, all ones in an octet of a wildcard mask, expressed as 255, means that this octet is not significant for comparisons. If you convert the wildcard mask shown in line 2 to binary, you will receive the following:

0.0.15.255 = 00000000.00000000.00000111.11111111

There is an easy way to calculate the networks allowed or denied by wildcard masks. In this method, the wildcard mask is converted to the equivalent subnet mask, which is then applied to the address. To use this method, simply subtract the wildcard mask from 255.255.255.255. The following is an example of converting a wildcard mask to a subnet mask:

255.255.255.255 = 11111111.11111111.11111111.11111111
0.0.15.255 = 00000000.00000000.00000111.11111111
255.255.255.255 – 0.0.15.255 = 255.255.240.0
255.255.240.0 = 11111111.11111111.11111000.00000000

In the preceding, the subnet mask that is comparable to the wildcard mask is 255.255.240.0. When you apply this subnet mask to the IP address of 10.1.1.0, you calculate the network range of 10.1.0.0 through 10.1.15.255.

Line 3 is incorrect. Because an access list is read from the top to the bottom, any packet meeting this deny would have already been permitted by line 2. To correct this problem, line 3 should have been entered before line 2.

Line 4 is simply another permit statement that allows packets with a source IP address from 192.168.10.0 through 192.168.10.7 to traverse the interface. The following shows a recalculation just to be sure this is correct:

255.255.255.255 = 11111111.11111111.11111111.11111111
0.0.0.7 = 00000000.00000000.00000000.00000111
255.255.255.255 – 0.0.0.7 = 255.255.255.248
255.255.255.248 = 11111111.11111111.11111111.11111000

The subnet mask of 255.255.255.248 applied to the IP address of 192.168.10.0 provides for a range of 192.168.10.0 through 192.168.10.7.

Line 5 will deny packets with the source address of 172.31.1.0 through 172.31.1.255.

Finally, line 6 includes a technically unnecessary deny statement that will deny all sources. This is unnecessary because it is implied on an access list. However, the author recommends that it is specifically stated for clarity. Since consistency promotes understanding, the author usually adds a specific deny any to every access list. This is also an important point when working with reflexive access lists. Additionally, when using extended access lists, it is possible to log matches. Logging of access lists will be explored in the later section, "Extended Access Lists."
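To make the top-to-bottom, first-match evaluation and the wildcard arithmetic concrete, the following Python code is an added example (not IOS code and not from the book). It parses the six-line access list above, converts wildcard masks to subnet masks and address ranges exactly as the sidebar does, evaluates a source address against the list with the implicit deny at the end, and reports lines that can never match because an earlier line already covers every address they name, which is the problem with line 3. Parsing is limited to the access-list form shown on this page.

```python
"""Evaluate a standard IP access list the way a router does (top to bottom,
first match wins, implicit deny at the end), convert wildcard masks, and
find lines shadowed by earlier lines."""
from ipaddress import IPv4Address

# The six-line access list from the text (same content, without the labels).
ACL_3 = """
access-list 3 permit 172.30.1.0 0.0.0.255
access-list 3 permit 10.1.1.0 0.0.15.255
access-list 3 deny 10.1.1.2 0.0.0.0
access-list 3 permit 192.168.10.0 0.0.0.7
access-list 3 deny 172.31.1.0 0.0.0.255
access-list 3 deny any
"""


def ip_to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def int_to_ip(value: int) -> str:
    return str(IPv4Address(value))


def wildcard_to_subnet_mask(wildcard: str) -> str:
    """Sidebar method: 255.255.255.255 minus the wildcard (0.0.15.255 -> 255.255.240.0)."""
    return int_to_ip(0xFFFFFFFF - ip_to_int(wildcard))


def address_range(addr: str, wildcard: str) -> tuple:
    """First and last source address a source/wildcard pair matches."""
    a, w = ip_to_int(addr), ip_to_int(wildcard)
    return int_to_ip(a & ~w & 0xFFFFFFFF), int_to_ip(a | w)


def parse_acl(text: str) -> list:
    """Return (number, action, source, wildcard) tuples with addresses as ints.
    Only the 'access-list N permit|deny source [wildcard]' form is handled."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError("unsupported line: " + line)
        if tok[3] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        else:
            addr = tok[3]
            wild = tok[4] if len(tok) > 4 else "0.0.0.0"  # no wildcard = exact host
        rules.append((int(tok[1]), tok[2], ip_to_int(addr), ip_to_int(wild)))
    return rules


def matches(rule: tuple, src: str) -> bool:
    """Bits set in the wildcard are ignored; the rest must equal the rule's source."""
    _, _, addr, wild = rule
    return (ip_to_int(src) & ~wild) == (addr & ~wild)


def evaluate(rules: list, src: str) -> tuple:
    """Return (action, line number) of the first matching line, or
    ('deny', None) for the implicit deny at the end of the list."""
    for line_no, rule in enumerate(rules, 1):
        if matches(rule, src):
            return rule[1], line_no
    return "deny", None


def shadowed_lines(rules: list) -> list:
    """(later, earlier) pairs where every address the later line covers is
    already covered by the earlier line, so the later line can never match."""
    out = []
    for j in range(1, len(rules)):
        aj, wj = rules[j][2], rules[j][3]
        for i in range(j):
            ai, wi = rules[i][2], rules[i][3]
            if wj & ~wi == 0 and (aj & ~wi) == (ai & ~wi):
                out.append((j + 1, i + 1))
                break
    return out


if __name__ == "__main__":
    rules = parse_acl(ACL_3)
    for src in ("10.1.1.2", "172.31.1.5", "192.168.10.8"):
        print(src, evaluate(rules, src))
    print("shadowed:", shadowed_lines(rules))   # [(3, 2)]
```

Running the list against 10.1.1.2 returns a permit from line 2, never reaching the deny on line 3, which is what the text means by line 3 being incorrect; the shadow check reports that pair directly, and the same check is a useful review step for any long access list before it is applied.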
Apply in g Acce ss List s Once an access list is cr eat ed, it m ust be applied t o an int er face. To apply an access list t o an int er face, use t he ip a ccess- gr ou p or ip a ccess- cla ss com m an d. Th e ip a ccess- cla ss com m and is used on vir t ual t er m inal int er faces, w hile t he ip a ccess- gr ou p com m and is used on all ot her int er faces. The access list is applied t o eit her t he inbound or out bound pack et s of t he int er face. The keyw or ds in and out det er m ine w het her t he access list is t o be applied on t he int er face t o deny inbound or out bound pack et s. The follow ing is t he com m and for apply ing access list num ber 3 t o an int erface t o deny inbound packet s. Not e t hat you m ust first be in configur at ion m ode and w it hin t he int er face configur at ion t o apply an access list .
50
ip access-group 3 in The access list could alt er nat iv ely be applied t o t he int er face t o deny out bound pack et s w it h t he follow ing:
ip access-group 3 out To apply an inbound access list t o a v ir t ual t erm inal, t he follow ing com m and is used. The only differ ence in apply ing an access list bet w een a v ir t ual t er m inal and any ot her t er m inal is t hat t he vir t ual t er m inal uses a cce ss- cla ss inst ead of a cce ss- gr ou p. Again, t he user m ust fir st be in configurat io n m ode on t hat par t icular int er face befor e apply ing an access list .
ip access-class 3 in

Any interface can have a single access list inbound and another single access list outbound. Only one access list should be applied in any given direction. In other words, one and only one access list should be applied inbound on an interface, and one and only one access list should be applied outbound on an interface. If an interface is using subinterfaces, such as on a serial interface connecting in a point-to-point method to remote sites, each subinterface is considered a separate interface. Each subinterface can have separate access lists. In this case, however, the root interface cannot have a separate access list.
Figure 2-5 shows acceptable settings for access lists on interfaces with and without subinterfaces.

Figure 2-5. Access Lists Applied to Interfaces
Extended Access Lists

Standard access lists are limited because they make no distinctions between the ports being used. A standard access list will allow or deny packets based solely on the source IP address and is able to log only those packets that have not passed through the access list. Extended access lists overcome these limitations and form the basis for context-based and reflexive access lists, which are discussed in Chapter 5, "Cisco IOS Firewall." As with a standard access list, that which is not specifically permitted is denied. Because extended access lists can look at the source address, the destination address, and ports, any one item might cause a packet to be refused traversing the router. Extreme care should be taken when working on extended access lists to ensure that exactly those packets that should be traversing the router, and only those, do, in fact, traverse the router. The following example is an extended access list with one of the simple forms available. In the example, a number of differing services are allowed to travel through the interface. A number of protocols are also prevented. Study the following list before moving on to the detailed discussion:
1) access-list 101 permit tcp any host 10.1.1.2 established log
2) access-list 101 permit tcp any host 172.30.1.3 eq www log
3) access-list 101 deny tcp any host 172.30.1.4 eq ftp log
4) access-list 101 permit tcp any host 172.30.1.4 log
5) access-list 101 deny ip any any
In the preceding example, line 1 allows access through the TCP protocol to host 10.1.1.2, if a connection has already been established from 10.1.1.2 to that remote host. This line will not permit any packets to traverse the interface unless the session was initiated from the inside of the corporate network. Line 2 allows any host to connect to 172.30.1.3 for WWW services (HTTP). All other types of connection to this host will be denied because of the implied (and in this case specified) deny ip any any at the end of the access list. Line 3 denies access to host 172.30.1.4 if the remote host is trying to connect using FTP services. Line 4 allows all other types of connections to 172.30.1.4. Notice that each of these lines has the word log added at the end of the line. This causes the router to log all attempts at connection. A standard access list using the log option will only log those packets that have been denied.
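To see how the matching rules described above (wildcard masks, first match wins, the implicit deny, and the established keyword) decide the fate of a packet, the following added example evaluates sample packets against the chapter's list 101 and a standard list built with the 0.0.0.7 wildcard. It is not code from the book; the packets, the Packet class and the list numbered 5 are constructed for illustration.

```python
"""IOS-style access list evaluator (added example; not code from the book).

Implements the rules the chapter describes: wildcard masks, first match wins,
the implicit deny at the end, and `established`, which matches only TCP segments
carrying ACK or RST (replies to a session started from the inside).
"""
import ipaddress
from dataclasses import dataclass

# Service names the chapter's lists use after `eq`.
SERVICE_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25}


@dataclass
class Packet:            # constructed for this example
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False    # True when ACK or RST is set (established session)


def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _take_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD | A.B.C.D."""
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return "host " + tokens.pop(0)
    if tokens and _is_ipv4(tokens[0]):      # address followed by a wildcard mask
        return tok + " " + tokens.pop(0)
    return "host " + tok                    # bare address in a standard list


def _match_addr(spec, addr):
    if spec == "any":
        return True
    first, second = spec.split()
    if first == "host":
        return ipaddress.IPv4Address(second) == ipaddress.IPv4Address(addr)
    base, wild = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(second))
    # A 1 bit in the wildcard is "don't care"; every 0 bit must match the base.
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF) == 0


def parse_entry(line):
    """Parse one `access-list N ...` line into a dict of match criteria."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                          # drop keyword and list number
    entry = {"action": tokens.pop(0)}
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):    # extended list
        entry["proto"] = tokens.pop(0)
        entry["src"] = _take_addr(tokens)
        entry["dst"] = _take_addr(tokens)
    else:                                            # standard list: source only
        entry["proto"], entry["src"], entry["dst"] = "ip", _take_addr(tokens), "any"
    while tokens:
        tok = tokens.pop(0)
        if tok == "eq":
            port = tokens.pop(0)
            entry["dport"] = SERVICE_PORTS.get(port) or int(port)
        elif tok == "established":
            entry["established"] = True
        elif tok == "log":
            entry["log"] = True
    return entry


def _matches(entry, pkt):
    if entry["proto"] != "ip" and entry["proto"] != pkt.proto:
        return False
    if not (_match_addr(entry["src"], pkt.src) and _match_addr(entry["dst"], pkt.dst)):
        return False
    if "dport" in entry and entry["dport"] != pkt.dport:
        return False
    if entry.get("established") and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(acl_lines, pkt):
    """Return (action, line_number); line_number is None when the implicit deny fires."""
    for number, line in enumerate(acl_lines, 1):
        entry = parse_entry(line)
        if _matches(entry, pkt):
            return entry["action"], number
    return "deny", None


# The chapter's extended list 101 (final entry written as `deny ip any any`).
ACL_101 = [
    "access-list 101 permit tcp any host 10.1.1.2 established log",
    "access-list 101 permit tcp any host 172.30.1.3 eq www log",
    "access-list 101 deny tcp any host 172.30.1.4 eq ftp log",
    "access-list 101 permit tcp any host 172.30.1.4 log",
    "access-list 101 deny ip any any",
]

# Constructed standard list using the 0.0.0.7 wildcard the chapter works through.
ACL_5 = [
    "access-list 5 deny 192.168.10.0 0.0.0.7",
    "access-list 5 deny 172.31.1.0 0.0.0.255",
    "access-list 5 permit any",
]

if __name__ == "__main__":
    # 192.0.2.x is a documentation range standing in for an outside host.
    print(evaluate(ACL_101, Packet("tcp", "192.0.2.9", "10.1.1.2", 80)))            # deny, line 5
    print(evaluate(ACL_101, Packet("tcp", "192.0.2.9", "10.1.1.2", 80, ack=True)))  # permit, line 1
    print(evaluate(ACL_5, Packet("tcp", "192.168.10.7", "10.0.0.1", 22)))            # deny, line 1
```

Dropping the last entry of ACL_101 changes nothing for the sample packets except that the returned line number becomes None, which is the implicit deny the text describes.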
Named Access Lists

Named access lists, first introduced in IOS Version 11.0, allow the administrator to use a character string instead of an access list number. One benefit is that the limitations of 99 standard access lists (1–99) and 100 extended access lists (100–199) no longer apply. The administrator can also name an access list something meaningful. For example, an access list named "from-internet" could be created to limit access into the corporate network from the Internet. Naming access lists in a meaningful way tends to make troubleshooting easier. Another advantage to named access lists is that entries can be removed. However, new entries are still added to the bottom of the access list, which is usually not what is intended. Reflexive access lists, discussed in Chapter 5, require a named access list, and access lists dealing with packet filters and route filters cannot use named access lists. A standard and an extended access list cannot both have the same name.
Password Management

Passwords are the primary defense against unauthorized access to networking equipment. The best way to prevent unauthorized access is to use either a TACACS+ or a RADIUS authentication server. Even if you are unable to use these services, some basic configuration issues should be addressed concerning password management. The first issue to be addressed is choosing passwords. No matter what type of encryption is used, some general rules should be followed. When a password is being chosen, the following list will help the administrator in determining the appropriateness and the treatment of passwords:
• Passwords should not reflect the company name.
• Passwords should not reflect the business of the company.
• Passwords should not reflect the equipment where they are used.
• Passwords should not be decipherable based on any other configuration parameter. This includes model number and network address.
• Passwords should not be any word that appears in a standard dictionary.
• Passwords should be unique.
• Passwords should not be sequential.
• Passwords should include both uppercase and lowercase characters and nonalphabetic characters if possible.
• Passwords should be as long as reasonably possible.
• Passwords should be changed on an irregular basis.
• Any list containing passwords should be closely guarded.
• Critical passwords should be changed whenever any person with that level of access leaves the company. This holds especially true if a contractor is involved or if a person was terminated involuntarily.
• As few people as possible should have access to passwords, but critical passwords should always be known by more than one person. This is an exception to the generally accepted rule that passwords should not be shared.
• Nontechnical managers generally do not and should not know system passwords. Knowing a password without knowing how to effectively configure equipment serves no legitimate purpose.
• Passwords should not be distributed over the Internet.
Although some of the preceding guidelines might seem overly restrictive, they are designed to reduce the severity of a security breach, as well as to prevent breaches from happening. For example, the author has seen companies that set router passwords based on the serial IP address. If a single router was penetrated, the password scheme would quickly become apparent. When you don't use a common password scheme, someone trying to break into your network will need to start over with every device. The next sections examine how passwords are set with the enable password and enable secret commands. Then the chapter moves on to console passwords and AAA (authentication, authorization, and accounting) password management.
The enable password Command

The enable password command is an old command that is not considered secure and therefore should not be used. When enable password is combined with the service password-encryption command, the IOS encrypts the entered password using the Vigenere algorithms. These were never intended to prevent any but the most casual observer from gaining access. Any dedicated or fairly knowledgeable person can easily break this algorithm. A number of programs are also available on the Internet that allow you to break a password that is entered using the enable password command. The enable password command can be disabled with the use of the following global configuration command:
no enable password

The enable secret Command

Using the enable secret command in conjunction with the service password-encryption command provides a decent level of decryption resistance. In this case, MD5 hashing is used to encrypt the password. Although there have been no known cases of MD5 hashing being decrypted as of the time of this writing, there are other ways in which an enable secret password can be broken. The easiest way to break an enable secret password is by using a brute-strength dictionary attack, where a list of words is compiled (the dictionary) and then each word is used as the password sequentially. Dictionary attacks are the reason for the guideline against using any word that appears in a dictionary. The enable secret command allows the administrator to specify up to 16 privilege levels through the use of numbers 0 through 15. If no level is specified, level 15 is assumed. This command, combined with the privilege level command, allows the administrator to give some administrators access to specified commands while denying access to others. The full syntax of the enable secret command is
enable secret [level level] {password | encryption-type encrypted-password}
The following example shows how to enable a secret password at level 7 using "9%ad100gbellisnon" for the password. The second line starts service password-encryption.
RouterA(config)#enable secret level 7 9%ad100gbellisnon
RouterA(config)#service password-encryption

The optional encryption-type and encrypted-password are used when copying previously encrypted passwords from other router configurations. Currently, the only encryption type available is MD5, which is specified with the number 5. This allows the administrator to copy configurations with an enable secret password across multiple routers. Although having the same password on multiple routers should usually be avoided, there are some circumstances, such as during initial deployment, where it is acceptable. The command service password-encryption is used in the preceding example to ensure that all passwords in the configuration are shown encrypted. Before this command is entered, all passwords other than the enable secret password are shown exactly as they are entered. When the service password-encryption command is used, all passwords within the configuration are encrypted. This prevents revealing the password when distributing printed copies of the configuration.
Physical Security

Physical security should always come first in the mind of the security administrator. If you cannot guarantee physical security, you cannot guarantee any security. This is especially true where the console and auxiliary ports of a router are concerned. Anyone with physical access to a Cisco router and who possesses a PC, the proper cable, and the required knowledge can break into your router. Using the password recovery techniques that are widely published by Cisco will allow someone to gain total control of the router. If you set all of your router passwords to be the same or used a logically based scheme for router passwords, your entire network is now open to the will of the intruder. Physical security deals with restricting physical access to equipment. Locking equipment-room doors, requiring employee badges, and moving routers to their own secure room is the basis for physical security. Although you cannot prevent people who are authorized to enter the room with the router from rebooting and changing the password, you can limit what they are able to accomplish by merely connecting into the console port or by using Telnet to access the router. One good method of preventing casual hackers from gaining access to the console port is to physically disconnect the console port from the router's motherboard. This requires the router case to be opened. This is really the equivalent of hiding a door key under the door mat; it will not stop any but the most casual hacker. Anyone opening the case to the router will quickly see that the console port is disconnected. However, this method is better than not securing the console port in any way. Chapter 9, "Cisco Secure Access Control Server (ACS)," deals with how to use AAA to ensure that console port access is truly secure. Another method is to change the connection properties to an unusual value. This will require someone who is casually trying to connect to the console port to set something other than the defaults. At this point, it becomes a guessing game for the hacker. Although neither of these methods is foolproof, they do provide some additional security. The only true method of preventing someone from accessing the router through the console port is to physically lock the router in a room where no unauthorized personnel have access.
Controlling Line Access

Line access can easily be controlled on a Cisco router. Lines, consisting of console ports, auxiliary ports, and Telnet ports, all have the ability to limit the users who can gain access. Adding an access list to the vty (Telnet) ports is relatively easy. First, a standard access list (numbered 1–99) is defined as follows:
access-list 8 permit 172.30.1.45
access-list 8 permit 10.1.1.53
access-list 8 deny any

This access list allows only hosts with one of two IP addresses to Telnet into the router. After creating the access list above, you still need to apply that access list to an interface. Applying an access list to a line uses the access-class command instead of the access-group command that is commonly used at the interface level. When applying the access list to the Telnet ports, use the following commands:
line vty 0 4
access-class 8 in

An access list can also be applied to one of the lines to limit where a connected user can Telnet. Using a standard access list and applying it to the outbound interface will limit Telnet sessions. An example follows:
access-list 9 permit 172.30.1.45
access-list 9 permit 10.1.1.53
access-list 9 deny any
line vty 0 4
access-class 9 out

In this case, the user can Telnet to only one of the two listed IP addresses. This might seem like a useless command set at first, because an administrator can simply remove this access list. However, depending on which level of authentication the administrator logged on with, he or she might not have the ability to configure the router. In the earlier section regarding the enable secret command, you learned that a privilege level could have an associated password. Every secret level can have its own password, and the administrator has the ability to limit functionality of each level. The privilege exec command is used to do this. Assume that you want to limit a new junior administrator to be able to use only the show commands. This can be accomplished with the following lines:
enable secret level 6 110%gdfsfej
privilege exec level 6 show

In the preceding example, logging on with the level 6 password allows the user to access only the show commands. Limiting which administrators know passwords allows you to control how much access the administrators have. Unfortunately, because the console and auxiliary ports are directly connected to the router, it is impossible to add an access list to these interfaces. Other configuration options are available, such as TACACS+ and RADIUS authentication. Both of these techniques are covered in Chapter 9. However, limiting the ability to administer the router through the use of enable levels, as shown in this section, helps to control the amount of damage an inexperienced administrator can cause. On all of the line interfaces, you should specifically set a timeout parameter. If there is no activity on the line for a period of time, which is specified in minutes and seconds, the connection will automatically disconnect. This makes it harder for a terminal that has been left unlocked to become a security breach. You can set a timeout parameter for 5 minutes and 0 seconds with the following command:
exec-timeout 5 0
Out-of-Band Management Security

Out-of-band security can pose unique problems for the administrator. By definition, out-of-band access bypasses all of the security measures that are put into place throughout the network. Out-of-band management is the ability to configure a piece of equipment by a means other than the transmission media used for transferring data. For example, if a remote site used Frame Relay for connectivity, using an ISDN dial-up or modem connection for management purposes is considered out-of-band. The easiest way to avoid all out-of-band security issues is simply not to allow any out-of-band access. In most cases, however, there are legitimate reasons to allow such access. The primary reason is to enable troubleshooting and repairs from a remote location when the primary link fails. When using out-of-band connections, be especially aware that there is usually only a single line of defense between the outside world and the interior of your network. Because out-of-band management usually bypasses firewalls, perimeter routers, and other security measures, extra precautions must be employed to ensure that the out-of-band management connections do not present a new opportunity for security breaches. If at all possible, combine all available methods of access limitation, logging, and authentication on out-of-band access points. Out-of-band telephone numbers should be guarded in a similar fashion as passwords. If it is possible to limit access to predefined telephone numbers and to use a callback method of authentication, you should do so. One possible way of remotely managing equipment combines out-of-band management with existing equipment. For instance, assume that administrators need to access equipment on the local network from their homes. In this case, using an existing access server to connect to the local network and then using Telnet to connect to the equipment in question combines both in-band and out-of-band management. The advantage of this method is that the entry points to the network are concentrated, presenting a smaller opportunity for security breaches, and that the strongest security methods including callback and AAA services may be applied at this entry point. When feasible, using a combination of services as described in this paragraph increases security and lessens the routine maintenance required. See the section "Physical Security" earlier in this chapter for specifics on configuring access lists and other security methods so that interfaces can be set in the most secure manner.
Cisco Discovery Protocol (CDP)

Cisco Discovery Protocol (CDP) uses Layer 2 inquiries to find information about neighboring devices. CDP, enabled by default on IOS versions 11 and later, is extremely useful for both managing and troubleshooting devices. However, CDP has an inherent flaw: it will answer any device that sends the proper request. Because CDP information contains such items as the IOS version number, the name of the device, the network address of the device, and how that device is connected, the administrator should limit on which interfaces CDP packets are answered and sent. If CDP is not being used internally on the network, it can be disabled with the following global command:
no cdp run

If CDP is required on the interior of the network, the administrator should still disable CDP on all external interfaces. To disable CDP on any given interface, enter the following interface command:
no cdp enable
Hypertext Transfer Protocol (HTTP) Configuration Services

Many Cisco devices allow the use of a Web browser for configuration and monitoring. Although this method of configuration might be convenient, especially for the new administrator, special considerations are required to ensure security. HTTP services are also used on the Cisco 1003, 1004, and 1005 routers for use with the Cisco IOS ClickStart software. Access lists must be used on perimeter routers to limit who can access a router from outside of the local network. If HTTP services are used, you need to adjust access lists to allow only specific IP addresses access to routers through WWW services. HTTP services are turned on with the ip http server command. Use the no form of the command to disable this service. HTTP services run by default on TCP port 80; this can be changed to virtually any port required. It is recommended that you change the default port. Changing from the default port of 80 requires a hacker to know which port is in use before being able to exploit any possible security holes. Control over who accesses the HTTP services is managed by a standard access list, as well as by the ip http access-class command. Note that unlike other access-class commands, the ip http access-class command is entered in the global configuration mode. Additional security can be achieved through AAA authentication, which is covered in Chapter 10. If AAA authentication is not used, the enable password is used for logging onto the router. The following is an example of setting HTTP services on a router, creating and applying an access list, and adding AAA authentication. Note that all commands are entered in the global configuration mode. Also note that the use of an exclamation mark (!) at the beginning of a line indicates that the line is a comment.
ip http server
!Starts HTTP services on the router.
!Services can be stopped with the no ip http server command.
ip http port 10120
!This changes the port used for management from port 80 to port 10120.
!Port 10120 was an arbitrary number chosen because it is not commonly used.
!To change the port back to 80, use the no ip http port command.
access-list 91 permit host 10.1.1.50
!Allow host 10.1.1.50 access.
access-list 91 permit host 10.1.1.52
!Allow host 10.1.1.52 access.
access-list 91 deny any
!Deny all others. This line is included for clarity.
!All access lists have an implied deny all at the end.
ip http access-class 91
!Apply access list 91 to HTTP services.
ip http authentication aaa tacacs
!Use TACACS for authentication.
Simple Network Management Protocol (SNMP)

Simple Network Management Protocol (SNMP) is used by a variety of programs involved with network management. The beauty of SNMP is intertwined with its dangers. Because SNMP is designed to allow an administrator to monitor and configure devices remotely, SNMP can also be used in attempts to penetrate the corporate network. This section explores how to minimize vulnerability while using SNMP. A few simple configuration changes, as well as a few logical choices that should be made by the administrator, can greatly reduce the risks involved with SNMP. Both logical choices and configuration considerations are covered in this section. The first consideration an administrator should make regarding SNMP is to turn it off. If SNMP is not being used, running it only takes away from available bandwidth, needlessly burns CPU cycles, and exposes the network to unnecessary vulnerabilities. Before using SNMP in read/write mode, rethink the requirement to do so. Running SNMP in read/write mode with just a few minor configuration errors can leave the whole of your network susceptible to attacks. A great number of tools can scan any network over SNMP. These can map out your entire network if SNMP has a hole left open. In late February of 2001, Cisco released information that there are also security issues with SNMP even when using only the read mode. Due to a defect within the Cisco IOS versions 11.0 and 12.0, SNMP is vulnerable to certain denial of service attacks designed to confuse products such as CiscoWorks. In order to fix these potential security problems, an IOS upgrade must be accomplished.
If you have not upgraded your IOS since this time, it is strongly recommended that you read the information at the following two URLs to see if your specific equipment is affected:
www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml
www.cisco.com/warp/public/707/ios-snmp-community-vulns-pub.shtml

SNMP is available in versions 1, 2, and 3. There are some major differences between versions. First, version 1 sends passwords in clear-text format, and version 2 allows password encryption using the MD5 encryption algorithms. Second, although virtually all management programs can use SNMP version 1, the choice is limited when using SNMP version 2. One of the original goals of version 2 was to provide commercial-grade security through authentication, privacy, and authorization. Version 2 failed to accomplish these goals because version 2c, while having the endorsement of the Internet Engineering Task Force (IETF), failed to implement these security measures. Versions 2u and 2* implemented security but failed to gain acceptance from the IETF. Version 3, available on the standard Cisco IOS since release 12.0(3)T, uses MD5, Secure Hash Algorithm (SHA), and keyed algorithms to protect against data modification and masquerade attacks. Version 3 can optionally use Data Encryption Standard (DES) in the cipher block chaining mode when security is required. From a security viewpoint, the passing of clear-text passwords should become a primary concern, especially because most SNMP applications send passwords repeatedly during normal operations. If your management software and equipment is compatible with version 2, there is no reason to run version 1. Assuming that the network in question is using only SNMP version 2, the administrator can ensure encryption by using the following command:
snmp-server enable traps snmp authentication md5

This command replaces the older and no longer valid command:
snmp-server trap-authentication

Unless you are purposely using SNMP version 1, the following command must be avoided at all costs:
snmp-server community name

This command not only sets the community name, but also enables SNMP version 1 instead of version 2. If version 1 is running, pay close attention to the name of the community. Because the community name is passed in clear text, this name should give no indication of either the company name or the type of company associated with the name. For example, assume that the company in question is Cisco Systems. Using the word "cisco" in any part of the community name might alert hackers that they have gained access to Cisco Systems. Using a community name "routers" might also give hackers unnecessary information. When using SNMP version 1, Cisco suggests that all equipment use differing community names. Although this might seem like an unreasonable restriction in a large network, using multiple community names will reduce the number of routers that are vulnerable because of the revealing of a single community name. If it is not possible to assign a different community name for all devices, find a balance between using a single community name and using a differing name on each piece of equipment. Finally, avoid using the names "public" or "private," because they are so commonly used. Most networks have a few select management stations from which SNMP messages can legitimately originate. When using version 1 and the community name command, it is recommended that the optional access list number be included. This allows the administrator to control which stations have access, through a standard access list (numbered 1–99) applied to the SNMP services as if SNMP were an inbound router port.
Access control lists (ACLs) should be placed close to the edge of your network, preventing outside parties from probing your network over SNMP. Additionally, if the CPU cycles are available on interior routers, it might be worth the effort to add ACLs on certain routers in the interior of the network. This allows for the limitation of breaches, if they do occur. If you are using SNMP in read-only mode, you need to ensure that it is set up with appropriate access controls. An example of proper protection follows:
access-list 7 permit 172.30.1.45
access-list 7 permit 10.1.1.53
snmp-server community 85tres76n RO 7
snmp-server trap-source Loopback0
snmp-server trap-authentication
snmp-server enable traps config
snmp-server enable traps envmon
snmp-server contact Joe Admin [[email protected]]
snmp-server location main server room router 8
snmp-server enable traps bgp
snmp-server enable traps frame-relay
snmp-server host 172.30.1.45 85tres76n
snmp-server host 10.1.1.53 85tres76n
snmp-server tftp-server-list 7
The preceding example uses ACL 7 and allows SNMP messages from only two IP addresses to be accepted. Because there are only two possible SNMP servers (172.30.1.45 and 10.1.1.53), these are the only IP addresses where SNMP is allowed to respond. SNMP messages from all other IP addresses would be implicitly denied. Because the community string is not encrypted, care is taken to use "85tres76n," which has no known relation to the company or the services that the company offers. Once a community string is known outside of the organization, a point of possible attack is created. Unless SNMP is set up to pass community-name authentication failure traps, and the SNMP management device is configured to react to the authentication failure trap, the community name is easily discovered. Keep in mind that accepting SNMP from only known good IP addresses does not necessarily guarantee security because of IP address spoofing. Unless serious antispoofing measures are in place, you cannot rely on IP addresses as the primary means of security on any system. With all security configurations, the objective of the administrator should be to build many obstacles to unauthorized personnel while providing seamless operation to authorized users. Notice that even the e-mail address of the administrator is not a company e-mail address. This is done in case the SNMP does become violated. If the SNMP system is violated, this information could give clues about the company name to the violator. The snmp-server host configuration shown in the preceding example lists the hosts to which SNMP information can be sent. If a means of collecting SNMP traps is not available, don't configure snmp-server hosts. When using an SNMP server host, make sure that this host is configured to receive and respond to SNMP traps. Read/write community strings should not be used on networks in order to limit the risk of SNMP sets being used by unauthorized parties.
Network Time Protocol (NTP)

The Network Time Protocol (NTP) allows for time synchronization of equipment on the network. As commonly used, one router is set as the master to which other devices look for the current time. If the current time is different from the time received from the master time device, the time is adjusted accordingly. The master device also looks at a known time source. This time source may be a local device, a radio device connected locally, or a publicly available device on the Internet. Cisco's implementation of NTP allows for the delay that the packet carrying the current time experiences while crossing the Internet.

By having all the devices synchronized to one clock, understanding an outage on a network is easier. By examining logs that have been time-stamped by one common time, the order in which events occurred can be determined, and the outage thus isolated to the proper culprit.

A device that uses radio to get the current time is the safest from a network security perspective. This is illustrated in Figure 2-6. Using this method, no NTP services are expected or accepted over the Internet.

Figure 2-6. Using NTP Through a Radio Device
If the router gets NTP times from an Internet source, as shown in Figure 2-7, you need to open up your network to the Internet for this protocol. This is an accepted method because NTP does not usually pose a large threat to most networks. However, some precautions should be taken.

Figure 2-7. Using NTP Through a Network Device

When you are using NTP services, use MD5 hashing to authenticate the issuer of the NTP packets. When you are not using NTP, specifically turn NTP off with the following interface command:

no ntp enable

You should recommend that a single router be used to obtain the current time and that internal routers look to this master for the time. This not only is the way in which NTP was designed to be used, but also exposes only a single router to any threat through NTP.
Banners

Cisco routers have two different types of banners: login and EXEC. Both of these banners should be enabled with a stern warning that all access attempts are logged, and unauthorized attempts to penetrate the system will be prosecuted to the fullest extent of the law. Placing a warning about logging all attempts at access is the equivalent of placing a home security system placard on your front lawn. Even if you do not log access, it might discourage some attempts. The name of the company, the IP address, or any other information that unnecessarily reveals information about your system should not be included on the banner. A sample banner is as follows:

This equipment is privately owned. All access to this equipment is logged. Disconnect immediately if you are not an authorized user. Violators will be prosecuted to the fullest extent of the law. Contact [email protected]

As with most other security settings, this banner has purposefully avoided giving any information, including using an e-mail address that will disclose no more information than absolutely necessary.
Recommended Minimum IOS Security Settings

This section deals with the basic minimum configurations that all enterprises should employ on their routers. Although some of the commands explained in this section are disabled by default, the administrator is urged to specifically deny those services and routes that are not needed. The following topics are covered:

• Denying RFC 1918 routes
• UDP and TCP servers
• Finger service
• IP unreachables
• ICMP Redirect messages
• Directed broadcasts
• Proxy Address Resolution Protocol (ARP)
• IP unicast reverse-path verification (IP Verify)
• IP source routing
Denying RFC 1918 Routes

All border routers within a company that is concerned with security should have some specific routes denied. RFC 1918 defines the ranges of IP addresses available for use on the Internet, as well as those considered private. A private IP address should not be used on the Internet. The source or destination addresses of all packets on the Internet should not be within these private ranges. Common attack methods rely on private addresses to hide the true source of the attack. This section shows a typical method of blocking access from these forms of attack. With the exception of Network Address Translation (NAT), no one from the Internet or from within your own network should be sending packets from any of the addresses in the following list. The following is a sample ACL that will be applied to routing updates to prohibit the private address spaces as defined by RFC 1918:

access-list 191 deny ip host 0.0.0.0 any
!This prevents packets with a source address of 0.0.0.0
!from traversing the network
access-list 191 deny ip any host 0.0.0.0
access-list 191 deny ip 10.0.0.0 0.255.255.255 any
!10.0.0.0 through 10.255.255.255 is a non-routable address range
!and should not traverse the network from the Internet.
access-list 191 deny ip 127.0.0.0 0.255.255.255 any
!127.0.0.0 through 127.255.255.255 addresses are used for loopback testing
!and should never traverse the Internet.
access-list 191 deny ip 169.254.0.0 0.0.255.255 any
!169.254.0.0 is reserved by Microsoft as the address given to a host
!unsuccessfully attempting to use DHCP services.
access-list 191 deny ip 172.16.0.0 0.15.255.255 any
!172.16.0.0 through 172.31.255.255 are non-routable addresses.
access-list 191 deny ip 192.168.0.0 0.0.255.255 any
!192.168.0.0 through 192.168.255.255 are non-routable addresses
!and should never be traveling over the Internet.
access-list 191 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
!224.0.0.0 through 255.255.255.255 as a source address is invalid
!because these are reserved for multicast broadcasts.
!Here, you are stopping these packets from traversing the network if the
!destination is a multicast and the source is a multicast.
!A correctly formed multicast packet will have a valid source address
!with a multicast destination address between 224.0.0.0 and 255.255.255.255.
access-list 191 deny ip any 255.255.255.0 0.0.0.255
!Packets should not be sent to the 255.255.255.0 network,
!because this is a reserved network.
access-list 191 permit ip any any
!You need to allow traffic that is not specifically blocked
!through the router.
!access-list 191 deny ip any any
!The deny any any line is shown (commented out) for clarity.
!This line is implied by all access lists.
!Any packets that are not specifically allowed are denied.

This access list should be applied to both the inbound and outbound interfaces of border routers. If you are running NAT services, some of these entries will not necessarily apply. For example, if you are using the 10.0.0.0 network inside your organization, you will need to allow this network to travel to the device providing NAT services. Additionally, on the inbound interface of all border routers, the internal network addresses should be specifically denied. The preceding list is a minimum list that is designed to prevent commonly spoofed IP addresses from being allowed to traverse your network. If other routes are known to be invalid, they should also be prohibited.

Besides specifically preventing packets with a source address matching your internal network from entering through the Internet, administrators should consider ways in which they can prohibit unauthorized external network addresses from traversing to the outside of the network. This will help prevent someone from using the network to launch an attack on a third party. As with all access lists, these might cause excessive CPU usage on routers. However, the additional CPU usage is usually justified by the added security provided by the access lists. If your router is unable to function effectively with the preceding access lists, chances are that the router is already overworked and should be upgraded.
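To see how IOS evaluates this list, here is an added Python simulation (not from the book) of first-match wildcard-mask evaluation run against access list 191 as written above, plus the extra inbound deny for the internal network that the text recommends; the internal prefix 203.0.113.0/24 and the test addresses are constructed values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One entry of an IOS numbered extended IP access list (protocol ip only)."""
    action: str       # "permit" or "deny"
    src: int          # source base address as an integer
    src_wild: int     # source wildcard mask: bits set to 1 are "don't care"
    dst: int
    dst_wild: int


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _addr(tokens[1]), 0, tokens[2:]
    return _addr(tokens[0]), _addr(tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' into an Ace."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    src, src_wild, rest = _take_address(tokens[4:])
    dst, dst_wild, rest = _take_address(rest)
    return Ace(tokens[2], src, src_wild, dst, dst_wild)


def parse_acl(config_text):
    """Parse the non-comment lines of an ACL configuration, preserving order."""
    return [parse_ace(l) for l in config_text.strip().splitlines() if not l.startswith("!")]


def wildcard_match(addr, base, wild):
    """IOS wildcard semantics: every bit cleared in the wildcard must equal the base."""
    return (addr | wild) == (base | wild)


def evaluate(acl, src_text, dst_text):
    """Return (action, entry index) of the first match; ("deny", None) is the implicit deny."""
    src, dst = _addr(src_text), _addr(dst_text)
    for index, ace in enumerate(acl):
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action, index
    return "deny", None


# The chapter's access list 191 with its comments stripped.
ACL_191_TEXT = """
access-list 191 deny ip host 0.0.0.0 any
access-list 191 deny ip any host 0.0.0.0
access-list 191 deny ip 10.0.0.0 0.255.255.255 any
access-list 191 deny ip 127.0.0.0 0.255.255.255 any
access-list 191 deny ip 169.254.0.0 0.0.255.255 any
access-list 191 deny ip 172.16.0.0 0.15.255.255 any
access-list 191 deny ip 192.168.0.0 0.0.255.255 any
access-list 191 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 191 deny ip any 255.255.255.0 0.0.0.255
access-list 191 permit ip any any
"""
ACL_191 = parse_acl(ACL_191_TEXT)


def border_inbound_acl(internal_prefix):
    """The chapter's advice for the inbound side of a border router: also deny packets
    whose source claims to be the internal network (the prefix is a constructed example).
    The new deny is placed ahead of the final permit so that it is reached first."""
    net = ipaddress.IPv4Network(internal_prefix)
    line = f"access-list 191 deny ip {net.network_address} {net.hostmask} any"
    return ACL_191[:-1] + [parse_ace(line)] + ACL_191[-1:]


def check(acl, packets):
    """Evaluate a batch of (src, dst) pairs and return the resulting actions in order."""
    return [evaluate(acl, s, d)[0] for s, d in packets]


if __name__ == "__main__":
    samples = [("10.1.2.3", "203.0.113.5"), ("172.32.0.1", "198.51.100.2"),
               ("198.51.100.9", "239.1.1.1"), ("239.1.1.1", "239.1.1.1")]
    for packet, action in zip(samples, check(ACL_191, samples)):
        print(packet, "->", action)
```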
User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) Servers

The User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) servers are generally those with port numbers below 10. These typically include echo ports and discard ports. Echo ports replay the packet (echo) out of the port received. Discard throws away the packet. Because either throwing away or echoing packets consumes CPU cycles, they are commonly used in denial of service (DoS) attacks. When too many packets requesting echoes overload a router, for example, the router must delay other processes. This delay can cause problems, such as an inability to process routing updates. Therefore, both of these should be disabled unless there is a specific reason to run them. This is especially important on the router directly connected to the Internet. These can be disabled as follows:

no service udp-small-servers
no service tcp-small-servers

Finger Service

The finger service can be used to resolve usernames on remote systems. Specifically, finger was designed to show active users on a system. Although the prevalence of finger has been reduced in the last few years, several administrators still allow finger requests to traverse their networks. Because of the many known ways that finger can be abused, no router should ever run finger unless there is a very specific reason to do so. An administrator can (and should) stop finger services with the following command:

no service finger

IP Unreachables

By default, when a router receives a nonbroadcast packet with an unrecognized protocol whose destination address belongs to that router, it will send an Internet Control Message Protocol (ICMP) Protocol Unreachable message back toward the source. A router will also send back an ICMP Host Unreachable message if it receives a packet whose destination address is not known. This is illustrated in Figure 2-8.

Figure 2-8. ICMP Host Unreachable

Although this behavior might seem reasonable, it also opens the router to vulnerability from ICMP DoS attacks. If a router spends all of its time responding to ICMP messages, something else is not being processed. Additionally, disabling ICMP unreachables might help out the innocent victim of a DoS attack. A DoS attack can occur in many ways. Here is just one scenario: When sending an ICMP echo request, the perpetrator changes the originating IP address on the packet to a legitimate IP address of the victim. The perpetrator sends numerous ICMP requests to the network broadcast address of the bystander. The bystander, who is unaware of what is occurring, responds to these ICMP requests. The response is sent to the IP address within the original request. If the source address is valid, some router will start receiving these responses. Take a moment to look at Figure 2-9.

Figure 2-9. ICMP Redirect Affects Both Bystander and Victim

In this case, the ICMP requests were sent to the broadcast network address on the bystander's network. Each host on the network received the request and responded. This means that the bystander amplified the effectiveness of the requests by the number of hosts responding. Very quickly, the bystander's available bandwidth will be used by ICMP messages. The victim's bandwidth will also be used by these ICMP messages. In effect, both the victim and the bystander lose all effective communication capabilities. It becomes very hard to tell exactly who the intended victim is in this case. If the perpetrator sends out requests to more than one bystander at a time, the effect can be devastating to the victim. It is recommended that all external interfaces be configured not to respond in this manner. Preventing a router from sending out ICMP Host and Protocol Unreachable messages is easily accomplished with the following interface command:

no ip unreachables

ICMP Redirect Messages

Under certain circumstances, routes might not be optimal. Although most of these cases can be prevented by proper configuration, it is usually prudent for the administrator to ensure that routers do not send packets out the same interface over which they have been received. When a packet is sent back out the interface on which it was received, an ICMP Redirect message is also sent. This is illustrated in Figure 2-10.

Figure 2-10. ICMP Redirect DoS Attack

The ICMP Redirect message tells the sender of the original packet to remove the route and substitute a specified device that has a more direct route. This feature is enabled by default, but it becomes disabled when the Hot Standby Router Protocol (HSRP) is in use on the particular interface. Because you should be concerned about any ICMP messages leaving your network, you should manually disable this feature. Instead of using your bandwidth to inform other, usually unknown routers where a network exists, you should reserve your bandwidth for your own purposes. This is especially important on external interfaces where large amounts of these ICMP messages might be a form of DoS attack. Figure 2-10 gives an example of how ICMP Redirect works. To manually disable this behavior, use the following interface command:

no ip redirects

Directed Broadcasts

It is possible within the IP protocols to send a directed broadcast, which is when a packet that is received contains a request to translate the broadcast packet to another interface on the device, usually the LAN interface. If this is left enabled, the LAN might experience excessive broadcasts from a DoS attack. The default on IOS 12.0 and later is to have directed broadcasts disabled. However, the administrator should still specifically disable it with the following command:

no ip directed-broadcast

Proxy Address Resolution Protocol (ARP)

Proxy Address Resolution Protocol (ARP) is a system where one device answers an ARP request destined for another device if that MAC address is known. When a proxy ARP device sees an ARP request for a device on a different known Layer 3 network, the proxy ARP device will reply to the ARP and forward the request to the remote LAN segment. This is usually done so that ARP requests will not have to travel over a relatively slow link. The problem with using proxy ARP is that it can expose the network to potential security problems. One way of exploiting the security hole caused by proxy ARP is to launch a DoS attack that uses bandwidth and router resources responding to repeated ARP requests. Figure 2-11 illustrates this attack.

Figure 2-11. Proxy ARP DoS Attack

Proxy ARP can be disabled with the global command:

no ip proxy-arp

IP Verify

The ip verify unicast reverse-path command is useful in preventing address-spoofing attacks on systems running Cisco Express Forwarding (CEF) and IOS version 12.0 and higher. While running CEF with this interface-level command, all packets are evaluated for the source address. If the source IP address does not have a CEF route in the table corresponding to the interface on which the packet was received, that packet is dropped. The result of this configuration is that attacks depending on address spoofing and received on an interface other than the expected interface are automatically dropped. Because most IP spoofing packets do not come over the expected interface (or subinterface), another layer of protection is added. CEF must be turned on for the router. However, there is no requirement that CEF must be turned on for the specific interface or subinterface where the filtering is used. The following will start packet filtering on an interface:
ip verify unicast reverse-path

IP Source Routing

The Cisco IOS is designed to examine the options within the header of every IP packet. According to RFC 791, these options can include Loose Source Route, Record Route, or Time Stamp. When the IOS receives a packet with one of these options enabled, it responds appropriately. If the packet contains an invalid option, the router sends an ICMP parameter problem message to the source and discards the packet. If the packet contains the source route option, it is interpreted to mean that the packet is requesting a specific route through the network. Although the default is to use source routing, ISPs usually do not want the customer deciding how to route through the network. Also, IP source routing has a number of known security problems. The main security problem is that a remote entity controls where data travels, meaning that it is possible for data to travel through a hacker's network before going on to its ultimate destination. The hacker is able to record all data intended for another network. Figure 2-12 shows an example.

Figure 2-12. IP Source Routing Vulnerability

IP source routing can be disabled with the following command:

no ip source-route
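Returning to the IP Verify section above, the following added Python (example code, not from the book or Cisco's implementation) simulates the strict reverse-path check it describes against a constructed forwarding table; the interface names, the prefixes and the allow_default switch are assumptions of the simulation.

```python
import ipaddress

# Constructed FIB for a border router (example values, not from the chapter):
# prefix -> interface through which that prefix is reached.
FIB = {
    "0.0.0.0/0": "Serial0",        # default route toward the ISP / Internet
    "10.0.0.0/8": "Ethernet0",     # internal network
    "172.30.1.0/24": "Ethernet1",  # management LAN
}


def cef_lookup(fib, address):
    """Longest-prefix match, the lookup CEF performs on an address.
    Returns (network, interface), or (None, None) when no route exists."""
    ip = ipaddress.IPv4Address(address)
    best_net, best_iface = None, None
    for prefix, iface in fib.items():
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_net, best_iface


def verify_unicast_reverse_path(fib, ingress, source, allow_default=True):
    """Strict reverse-path check as the chapter describes it: the packet passes only
    when the route back to its source points out the interface it arrived on.
    allow_default is an assumption of this simulation: whether a default route
    satisfies the check depends on the IOS version and command form."""
    net, via = cef_lookup(fib, source)
    if net is None or (net.prefixlen == 0 and not allow_default):
        return False          # no usable reverse path: drop
    return via == ingress     # drop unless it arrived on the expected interface


def filter_packets(fib, packets):
    """Apply the check to (ingress, src, dst) tuples; return the sources that were dropped."""
    return [src for ingress, src, _dst in packets
            if not verify_unicast_reverse_path(fib, ingress, src)]


if __name__ == "__main__":
    # A packet claiming an internal source but arriving from the Internet is dropped;
    # a genuine Internet source is forwarded.
    print(filter_packets(FIB, [("Serial0", "10.1.1.5", "203.0.113.1"),
                               ("Serial0", "198.51.100.7", "203.0.113.1")]))
```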
TCP Intercept

TCP Intercept tracks, intercepts, and validates TCP connection requests. This shields the local host from being contacted directly by a nontrusted network or host. Therefore, any DoS attacks attempted on the host are actually carried out against the router, which will be prepared to survive such attacks. TCP Intercept uses fast switching, except on the RS/RP/SSP-based Cisco 7000 series, which only uses process switching.

TCP Intercept operates in one of two modes, monitor mode and intercept mode. Monitor mode allows connections directly to the local host while monitoring the status of these connections. The router, because of the number of open connections or timeout limitations, drops existing and partially opened connections as needed to protect the local host. Intercept mode is used to protect the local host from all direct contact with the remote host. The router, acting in a manner similar to that of a proxy server, responds to requests from the remote host. The router then establishes its own connection with the local host and merges the connections between the two hosts. Figure 2-13 shows a router acting in intercept mode.

Figure 2-13. IP TCP Intercept

Exceeding preset thresholds in either mode causes aggressive behavior mode to start. Dropping back below another set of thresholds causes the router to move back to normal. During aggressive behavior mode, new connection attempts force a drop of an existing partial connection. Additionally, the retransmission and watch timeouts are cut in half. TCP Intercept is relatively easy to configure by a five-step process:

Step 1. Create an intercept access list.
Step 2. Enable TCP Intercept.
Step 3. Set intercept mode.
Step 4. Set thresholds.
Step 5. Set drop mode.

The following example configuration shows how to accomplish all of these tasks and gives comments on parameters available:

!Create an extended access list.
!TCP Intercept access lists must be extended access lists (101–199).
!An extended entry names the protocol and uses wildcard masks.
access-list 101 permit tcp host 172.30.1.15 host 10.1.1.1
!Allow access from the single host at 172.30.1.15 to the single host at 10.1.1.1.
access-list 101 permit tcp 172.30.2.0 0.0.0.255 host 10.1.1.2
!Allow any host on the 172.30.2.0 network to get to host 10.1.1.2.
!
!Enable TCP Intercept.
ip tcp intercept list 101
!Starts TCP Intercept for the hosts listed as permitted in access list 101.
!
!Set the intercept mode.
ip tcp intercept mode intercept
!Sets the mode to intercept. The other possible mode is watch.
!
!Set the thresholds.
ip tcp intercept connection-timeout 3600
!Connections will be reset after 3600 seconds (1 hour) of no activity.
!The default is 86400 seconds (24 hours).
!
ip tcp intercept finrst-timeout 3
!Sets the time in seconds (3) after receiving a reset or FIN that the connection
!remains managed. The minimum is 1 second. The default is 5 seconds.
!
ip tcp intercept max-incomplete high 900
!Sets the maximum number of half-open connections (900) before the router goes
!into aggressive behavior mode. The default is 1100. The maximum is 2147483647.
!The minimum is 1.
!
ip tcp intercept max-incomplete low 700
!Sets the number of half-open connections (700) below which the router leaves
!aggressive behavior mode. The default is 900. The maximum is 2147483647.
!The minimum is 1.
!
ip tcp intercept one-minute high 800
!Sets the maximum number of connection requests (800) that may be received in a
!one-minute period before the router goes into aggressive behavior mode.
!The default is 1100. The maximum is 2147483647. The minimum is 1.
!
ip tcp intercept one-minute low 600
!Sets the number of connection requests (600) that may be received in a
!one-minute period below which the router leaves aggressive behavior mode.
!The default is 900. The maximum is 2147483647. The minimum is 1.
!
ip tcp intercept watch-timeout 20
!Sets the time in seconds (20) for a partially opened connection to complete
!the connection sequence before sending a reset command to the local host.
!
!Set the drop mode.
ip tcp intercept drop-mode random
!Sets the drop mode (random) to randomly choose which half-open connection
!to drop while in aggressive behavior mode. The default (oldest) will drop the
!oldest partial connection first.
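The aggressive-mode hysteresis these thresholds define can be traced with the following added Python model (not from the book or Cisco's implementation); it uses the thresholds from the configuration above, a constructed SYN burst, and simplifies IOS behaviour to one half-open drop per new SYN and a halved watch timeout while aggressive.

```python
import random
from dataclasses import dataclass, field


@dataclass
class InterceptConfig:
    """Thresholds taken from the chapter's example configuration."""
    max_incomplete_high: int = 900
    max_incomplete_low: int = 700
    one_minute_high: int = 800
    one_minute_low: int = 600
    watch_timeout: int = 20
    drop_mode: str = "random"   # or "oldest" (the IOS default)


@dataclass
class TcpIntercept:
    """Simplified model of the router's half-open connection accounting."""
    cfg: InterceptConfig
    rng: random.Random = field(default_factory=lambda: random.Random(7))
    half_open: list = field(default_factory=list)   # connection ids, oldest first
    minute_requests: int = 0                          # SYNs seen in the current minute
    aggressive: bool = False
    dropped: list = field(default_factory=list)

    def _update_mode(self):
        incomplete = len(self.half_open)
        if not self.aggressive and (incomplete > self.cfg.max_incomplete_high
                                    or self.minute_requests > self.cfg.one_minute_high):
            self.aggressive = True          # a high threshold was exceeded
        elif self.aggressive and (incomplete < self.cfg.max_incomplete_low
                                  and self.minute_requests < self.cfg.one_minute_low):
            self.aggressive = False         # back below both low thresholds

    def syn(self, conn_id):
        """A new connection request (SYN) arrives at the router."""
        self.minute_requests += 1
        self._update_mode()
        if self.aggressive and self.half_open:
            # In aggressive mode every new SYN forces one half-open connection out.
            idx = self.rng.randrange(len(self.half_open)) if self.cfg.drop_mode == "random" else 0
            self.dropped.append(self.half_open.pop(idx))
        self.half_open.append(conn_id)

    def complete(self, conn_id):
        """The three-way handshake finished; the connection is no longer half-open."""
        self.half_open.remove(conn_id)
        self._update_mode()

    def new_minute(self):
        """Start of a new one-minute window for the one-minute thresholds."""
        self.minute_requests = 0
        self._update_mode()

    def effective_watch_timeout(self):
        """The watch timeout is cut in half while in aggressive behavior mode."""
        return self.cfg.watch_timeout / 2 if self.aggressive else self.cfg.watch_timeout


def run_scenario(burst=850, completed=150, drop_mode="random"):
    """Constructed scenario: a burst of SYNs that never complete, then a new minute,
    then some handshakes completing. Returns the observable state at each stage."""
    ti = TcpIntercept(InterceptConfig(drop_mode=drop_mode))
    for i in range(burst):
        ti.syn(i)
    result = {
        "entered_aggressive": ti.aggressive,
        "half_open_after_burst": len(ti.half_open),
        "dropped_during_burst": len(ti.dropped),
        "watch_timeout_in_aggressive": ti.effective_watch_timeout(),
    }
    ti.new_minute()
    result["still_aggressive_after_new_minute"] = ti.aggressive
    for cid in list(ti.half_open)[:completed]:
        ti.complete(cid)
    result["final_aggressive"] = ti.aggressive
    result["final_half_open"] = len(ti.half_open)
    result["final_watch_timeout"] = ti.effective_watch_timeout()
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```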
Summary

This chapter explores the basic configurations and practices that will help prevent the most obvious forms of attack from affecting your network. There are some very specific commands that most, if not all, administrators should employ, at least on their external routers. No book can possibly tell you exactly how your routers should be configured. If there were, we would all be out of jobs. Every network is different and requires configurations that reflect the organization's unique goals and needs. Use this chapter as a guideline for the options available while setting up your routers. Some of the items discussed should be set on every router, no matter what the circumstances of your particular network. The configuration of other items will depend on the individual variations within networks and what you are trying to accomplish. Knowing the options that are available and how they operate can help administrators protect their networks from most intrusions.

A recurring theme is presented in this chapter that should be carefully considered while configuring routers: If a service is not needed, it should not be run. If a service is needed only on the internal network, do not run it on the external network. This is especially true of ICMP services. Restricting how ICMP messages are handled might protect not only your own network, but also some other administrator's network.

To give a concise overview of the salient configurations explored in this chapter, the following sections show sample configurations that incorporate all of the suggested settings. Remember that some of these commands might not be viable on your routers because of internally used IP addresses and special circumstances within your network. However, they will still serve as a guideline for your configurations. Review the following configurations before moving on to Chapter 3, "Overview of the Cisco Security Solution and the Cisco Secure Product Family."
Global Commands

no enable password
!prevents the older non-secure enable password from being used
enable secret level 7 9%ad100gbellisnon
!uses a secret password that follows the rules for passwords
service password-encryption
!encrypts the passwords
no cdp enable
!prevents CDP from sending information
access-list 7 permit 172.30.1.45
access-list 7 permit 10.1.1.53
!sets up access list 7 for use with SNMP
access-list 8 permit 172.30.1.45
access-list 8 permit 10.1.1.53
access-list 8 deny any
!sets up access list 8 for use with telnet on vty 0 through 4
snmp-server community 85tres76n RO 7
!sets the version 1 community name (use version 2 if possible)
snmp-server trap-source Loopback0
snmp-server trap-authentication
snmp-server enable traps config
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps frame-relay
!sets the SNMP traps
snmp-server contact Joe Admin [[email protected]]
snmp-server location main server room router 8
!sets the contact information following the password rules
snmp-server host 172.30.1.45 85tres76n
snmp-server host 10.1.1.53 85tres76n
!sets what servers may request SNMP information
snmp-server tftp-server-list 7
!sets a valid SNMP TFTP server
no ntp enable
!stops unneeded NTP services
no service finger
!stops finger service
no service pad
!old command dealing with x.25
no service udp-small-servers
no service tcp-small-servers
!stops the small server services
no ip directed-broadcast
!stops directed broadcasts
no ip proxy-arp
!prevents answering ARP requests in proxy mode for another device
no ip source-route
!prevents outside entities from directing the routes a packet takes

Interface Commands

!apply to both inside and outside interfaces
no ip redirects
!do not send packets out the same interface they came in on
no ip unreachables
!do not respond with host unreachable messages
access-list 191 deny ip host 0.0.0.0 any
access-list 191 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 191 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 191 deny ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 191 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 191 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 191 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 191 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 191 deny ip any 255.255.255.128 0.0.0.127
access-list 191 permit ip any any
!do not route to any of the private networks

vty Commands

line vty 0 4
access-class 8 in
!sets access list 8 to limit Telnet access
exec-timeout 5 0
!automatically times out the Telnet connection after 5 minutes of no activity
Part II: Cisco Secure Product Family

Chapter 3 Overview of the Cisco Security Solution and the Cisco Secure Product Family
Chapter 4 Cisco Secure PIX Firewall
Chapter 5 Cisco Secure Integrated Software
Chapter 6 Intrusion Detection Systems
Chapter 7 Cisco Secure Scanner
Chapter 8 Cisco Secure Policy Manager (CSPM)
Chapter 9 Cisco Secure Access Control Server (ACS)
Chapter 3. Overview of the Cisco Security Solution and the Cisco Secure Product Family

This chapter contains the following sections:

• Cisco Security Solution
• Cisco Secure Product Family
• Summary
• Frequently Asked Questions
• Glossary
• Bibliography
• URLs

The only system that is truly secure is one that is switched off and unplugged, locked in a titanium-lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it….
—Gene Spafford, Purdue University

This statement is true. No matter what system you implement, you will never have a truly secure system. The best that network professionals can do is to implement a solution that is as secure as current technologies allow and then redesign when hackers find a new vulnerability. This method of prevention has been around since the first misuse of the Internet.

This chapter provides an explanation of the Cisco Security Solution and an overview of the Cisco Secure product range. The Security Solution is designed to ease the implementation of your security policy and introduce you to the idea of security as an ever-evolving requirement that needs constant monitoring and redesign. Contained within this chapter is a brief overview of the functionality and role of each product in the Cisco Secure family. This overview can be used as a quick reference when designing the security approach for a Cisco network. As with any tool, a complete understanding of the tool's full capabilities, as well as any implementation issues, is of supreme importance in order to help you make a qualified design recommendation. Internet security is a very complicated field of study that requires constantly keeping one step ahead of prospective attackers. New security threats and loopholes appear all the time, and unscrupulous people capitalize on them. The Internet security designer faces a very tough task: to design the security around ever-changing criteria.

The Cisco Secure product range is covered in great detail in Chapters 4 through 9.
Cisco Security Solution

The Cisco Security Solution comprises five key elements. These elements enable a consistent approach to be administered that prevents unauthorized entry and protects valuable data and network resources from corruption and intrusion. The key elements of the Cisco Security Solution are

• Identity
• Perimeter security
• Secure connectivity
• Security monitoring
• Security management

For more information on the Cisco Security Solution, see www.cisco.com/warp/public/cc/so/neso/sqso/index.shtml.
Identity The fir st elem ent of t he Cisco Secur it y Solut ion is ident it y . This elem ent is concer ned w it h t he unique and posit ive ident ificat ion of net w or k user s, applicat ion ser vices, and r esour ces. You w ant t o ensure t hat any ent it y accessing your net w ork, w het her it is a rem ot e user or soft w are agent , is aut hor ized t o do so. St andar d t echnologies t hat enable ident ificat ion include aut hent icat ion pr ot ocols such as Rem ot e Access Dial-I n User Ser v ice ( RADI US) , Term inal Access Cont roller Access Cont rol Syst em Plus ( TACACS+ ) , and Kerberos. New ident ificat ion t echnologies include digit al cert ificat es, sm art cards, and direct ory services. I dent it y t hr ough aut hent icat ion has t o t ak e place at t he net w or k boundar y befor e t he user or service has access t o t he secured net w ork. This prot ect s t he inside net w ork from unaut hent icat ed user s or ser v ices. The Cisco Secur e pr oduct t hat pr ovides t he secur it y funct ion at t he ident it y level is Cisco Secure Access Cont ro l Server ( ACS) . This product provides aut hent icat ion, aut horizat ion, and account ing ( AAA) of all users t rying t o access t he secured net w ork.
Perimeter Security

Perimeter security provides the means to secure access to critical network applications, data, and services so that only authenticated and authorized users and information can pass through the network. As the name indicates, this level of security is applied at the perimeter of the network, which can be thought of as the point of entry that untrustworthy connections would take. This could be the point between the corporate network and the ISP network or the point between the corporate network and the Public Switched Telephone Network (PSTN). An example of a perimeter is displayed in Figure 3-1. It can also be a point between two organizations within the corporation (such as the marketing and engineering departments).

Figure 3-1. Network Perimeter

Security control is provided at the perimeter by access-limiting devices, commonly classified as firewalls. These devices can be Cisco routers with traffic-limiting access lists and basic firewall features or dedicated firewall solutions such as a Cisco Secure PIX (Private Internet Exchange) Firewall. Other tools that assist at the perimeter security level are virus scanners and content filters. Security at the network perimeter is discussed in detail in Chapter 10, "Securing the Corporate Network."
Secure Connectivity

When highly sensitive information is traversing your corporate network, it is very important to protect it from potential eavesdropping or sniffing of the network. You can achieve secure connectivity in three ways:

• The traffic can be isolated from the rest of the network by employing a tunneling protocol, such as generic routing encapsulation (GRE) or Layer 2 Tunneling Protocol (L2TP). Note that neither protocol encrypts the traffic by itself; tunneling only separates it from the other traffic on the path.

• A simple way to increase data privacy is to deploy Layer 2 switches to every client and server on the network. By design, a switch forwards unicasts only to the port on which the destination resides; only broadcast traffic (and unicasts to addresses the switch has not yet learned) is flooded out on every port. Therefore, a network sniffer plugged into a switch does not automatically receive traffic that is not destined for the sniffer itself. This raises the bar against casual sniffing but is not a substitute for encryption, because an attacker on the same segment can still try to trick the switch into flooding or redirecting traffic.

• If a more secure method is required, a VPN technology, such as Internet Protocol Security (IPSec), can be used to encrypt the data and to authenticate its origin and integrity.

Secure connectivity is discussed in detail in Chapter 10.
Security Monitoring

Security monitoring, like network management, is a dynamic, ever-changing process. Once you have designed and implemented a security solution, it has to be measured. One way of measuring the integrity of your solution is with a network scanner, which scans every live IP address on your network and checks the results against well-known vulnerabilities. A full report is then created, and actions can be taken to remedy any shortcomings in the design or implementation. It's important to make the changes and then scan the network again to ensure that the changes have been effective and that their implementation hasn't introduced any further security vulnerabilities. The security vulnerability database of every leading network scanner is updated periodically, so that most newly discovered vulnerabilities are added to the database and a scan checks for the latest vulnerabilities. Bear in mind that a scanner can only find what is in its database; an up-to-date database is a precondition for a useful scan, not a guarantee of coverage. Cisco Secure Scanner is a full network-scanning utility that can be used for regular security monitoring purposes.

In addition to network scanning, the other aspect of security monitoring is intrusion detection. Intrusion detection systems monitor the network and respond to potential threats in real time. Shunning is a term widely used in intrusion detection and describes the capability of the intrusion detection system to actively reject all packets from a specific source if the system suspects sinister activity. As with the security scanner, an intrusion detection system operates by checking network traffic against a database of known attack signatures. Both the IP header and the payload are checked against these known threats.

Cisco Secure Intrusion Detection System (IDS) is an intrusion detection system that can be used for real-time network security.
Security Management

Today's networks are constantly growing in size; with this growth comes the need for centralized security management. There are various security management tools available, one of which is the Cisco Secure Policy Manager. This tool enables the administrator to centrally administer the security policy and distribute policy changes to a number of Cisco PIX and Cisco IOS Firewall devices by automated command-line configurations, without detailed command-line interface (CLI) knowledge. Cisco Secure Policy Manager is explained in great depth in Chapter 8, "Cisco Secure Policy Manager."
Cisco Secure Product Family

To complement Cisco's leading presence in the internetworking device market, Cisco's range of security products has been built and recently amalgamated under the Cisco Secure product family title. These products provide various security functions and features to enhance the service provided by the current range of routers and switches. Every product in the Cisco Secure product family has its place in the Cisco Security Solution as outlined previously and in Appendix A, "Cisco SAFE: A Security Blueprint for Enterprise Networks," confirming Cisco's stance and commitment to the preservation of network security. This section provides a brief overview of the product range and explains the main features of each product. The following products make up the Cisco Secure product family:
• Cisco Secure PIX Firewall
• Cisco IOS Firewall
• Cisco Secure Intrusion Detection System
• Cisco Secure Scanner
• Cisco Secure Policy Manager
• Cisco Secure Access Control Server
Cisco Secure PIX Firewall

The Cisco Secure PIX Firewall is the dedicated hardware firewall in the Cisco Secure product family. The PIX Firewall is the industry leader in both market share and performance within the firewall market. The Cisco PIX Firewall is built around a non-UNIX, secure, real-time, embedded operating system, which leads to excellent performance without compromising security. This high level of performance is the result of the hardware architecture of the PIX Firewall, compared with operating system-based firewalls.

The Cisco PIX Firewall implements the Internet Engineering Task Force (IETF) IPSec standard for secure private communications over the Internet or any IP network. This makes the Cisco Secure PIX Firewall an excellent and logical choice to terminate IPSec Virtual Private Network (VPN) traffic from IPSec-compliant network equipment. The PIX 500 series currently comprises the following models:

• PIX 506— The PIX 506 is the entry-level firewall designed for high-end small office, home office (SOHO) installations. The throughput has been measured at 10 Mbps and reflects the market at which the product is aimed.

• PIX 515— The PIX 515 is the midrange firewall designed for the small or medium business and remote office deployments. It occupies only one rack unit and offers a throughput of up to 120 Mbps with a maximum of 125,000 concurrent sessions. The default configuration is two Fast Ethernet ports, and it is currently upgradable by two onboard PCI slots.

• PIX 520— The PIX 520 is the high-end firewall designed for enterprise and service provider use. The unit occupies three rack units and offers a throughput of up to 370 Mbps with a maximum of 250,000 concurrent sessions. The default configuration consists of two Fast Ethernet ports, and it is currently upgradable by four onboard PCI slots. The end-of-life date of 23 June 2001 has been announced for the PIX 520. The replacement for the PIX 520 is the PIX 525.

• PIX 525— The PIX 525 is intended for enterprise and service provider use. It has a throughput of 370 Mbps with the ability to handle as many as 280,000 simultaneous sessions. The 600 MHz CPU of the PIX 525 can deliver an additional 25–30% capacity for firewalling services.

• PIX 535— The Cisco Secure PIX 535 is the latest and largest addition to the PIX 500 series. Intended for enterprise and service provider use, it has a throughput of 1.0 Gbps with the ability to handle up to 500,000 concurrent connections. Supporting both site-to-site and remote access VPN applications via 56-bit DES or 168-bit 3DES, the integrated VPN functionality of the PIX 535 can be supplemented with a VPN Accelerator card to deliver 100 Mbps throughput and 2,000 IPSec tunnels.

There is also a dedicated PIX Firewall VPN Accelerator Card (VAC) that can be used in the PIX 515, 520, 525, and 535 units. This card performs hardware acceleration of VPN traffic encryption/decryption, providing 100 Mbps IPSec throughput using 168-bit 3DES. Of the two VPN ciphers mentioned, only 3DES should be relied on for confidentiality; 56-bit DES is within reach of brute-force key search and should be used only where the peer supports nothing stronger.

The PIX Firewall is configured using a command-line editor. The commands are similar to those used in the standard Cisco IOS, but they differ in places, particularly in the way inbound and outbound traffic is permitted. Further information on the Cisco Secure PIX Firewall can be found at www.cisco.com/go/pix.
Cisco IOS Firewall

The Cisco IOS Firewall is an IOS-based software upgrade for a specific range of compatible Cisco routers. The Cisco IOS Firewall provides an extensive set of new CLI commands that integrate firewall and intrusion detection functionality into the IOS of the router. These added security features enhance the existing Cisco IOS security capabilities, such as authentication and encryption. They also add new capabilities, such as defense against network attacks; per-user authentication and authorization; real-time alerts; and stateful, application-based filtering. VPN support is provided with the Cisco IOS Firewall utilizing the IETF IPSec standard as well as other IOS-based technologies such as L2TP tunneling. Cisco IOS Firewall also adds limited intrusion detection capabilities. Traffic is compared to 59 default intrusion detection signatures, and output can be directed to the Cisco Secure IDS Director.

Although performance of the Cisco IOS Firewall will never compete with that of the Cisco PIX Firewall, Cisco IOS Firewall still has a place in the portfolio of most modern organizations. There might be times when the full power and associated cost of a PIX Firewall is not required because of the low throughput or an operational requirement. For example, a SOHO worker with a 64-kbps ISDN Internet connection is not going to be concerned about the reduction in throughput offered by using the Cisco IOS Firewall instead of the PIX Firewall.

The features available with Cisco IOS Firewall are configurable using the Cisco ConfigMaker software. This eases the administrative burden placed on the network professional, because a full understanding of the CLI commands is not required to configure the security features and deploy the configurations throughout the required devices. More information on ConfigMaker can be found at www.cisco.com/go/configmaker.

Further information on the Cisco IOS Firewall can be found at www.cisco.com/go/firewall.
Cisco Secure Intrusion Detection System (IDS)

Intrusion detection is key in the overall security policy of an organization. Intrusion detection can be defined as detecting, reporting, and terminating unauthorized activity on the network. The Cisco Secure Intrusion Detection System (IDS) (formerly NetRanger) is the dynamic security component of Cisco's end-to-end security product line. IDS is a real-time intrusion detection system designed for enterprise and service provider deployment. IDS detects, reports, and terminates unauthorized activity throughout the network. Cisco Secure IDS consists of three major components:

• The Intrusion Detection Sensor
• The Intrusion Detection Director
• The Intrusion Detection Post Office
Intrusion Detection Sensor

The Intrusion Detection Sensor is a network "plug-and-play" device that interprets IP traffic into meaningful security events. These events are passed to the Intrusion Detection Director for analysis and any required further action. The main features of the Intrusion Detection Sensor are

• Network sensing— The sensor captures packets on one of its interfaces, reassembles the packets, and compares the data received against a rule set that contains signatures of the common network intrusions. Both the packet header and packet data are examined against the rule set to catch the varying types of attacks.

• Attack response— If the sensor identifies an attack, the sensor will respond to the attack in the following user-configurable ways:

- Generate an alarm— The sensor generates an alarm and notifies the Intrusion Detection Director immediately.

- Generate IP session logs— A session log is sent to the configurable log type and location. This session log contains detailed information about the attack and records the time of day along with any captured IP address information.

- Reset TCP connections after an attack begins— The sensor can terminate individual TCP connections if it senses that they have been involved in an actual or attempted attack. All other connections go on as usual.

- Shun the attack— The term shunning describes the sensor's ability to automatically reconfigure an access control list on a router if the sensor detects suspicious activity. To implement shunning, the sensor changes the access control list on the device to block the attacker at the perimeter entry point to the network. Because the blocked address is taken from the offending packets, shunning should be enabled with care: an attacker who forges the source address of a business partner or an upstream router could provoke the sensor into blocking legitimate traffic, so shun entries should be bounded in time and never applied to addresses the network depends on.

• Device management— If the sensor detects suspicious activity, it has the ability to dynamically reconfigure a networking device's access control lists to shun the source of an attack in real time.
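To make the sensing-and-response loop concrete, here is an added illustration in Python; it is not Cisco Secure IDS code and does not use Cisco's signature set. It reads a constructed sample of packet records, checks header fields and then payload against a handful of constructed signatures (hypothetical IDs and patterns), and for a signature whose action is "shun" records the source with an expiry time and renders the access-list lines a sensor would push to a router. The ACL number and the timeout are assumptions for the example; the expiry is the point worth noticing, since a shun that never ages out turns a transient alarm into a permanent block.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    """One captured packet, reduced to the fields a signature can test."""
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    flags: str        # TCP flag letters, e.g. "S" or "PA"; "" for UDP
    payload: bytes


@dataclass
class Signature:
    """Header constraints (None = don't care) plus an optional payload pattern."""
    sig_id: int
    name: str
    proto: str
    dport: Optional[int]
    flags: Optional[str]
    payload_re: Optional[re.Pattern]
    action: str       # "alarm" or "shun"


def matches(sig: Signature, pkt: Packet) -> bool:
    """Header fields are tested first (cheap); the payload regex runs last."""
    if sig.proto != pkt.proto:
        return False
    if sig.dport is not None and sig.dport != pkt.dport:
        return False
    if sig.flags is not None and sig.flags != pkt.flags:
        return False
    if sig.payload_re is not None and not sig.payload_re.search(pkt.payload):
        return False
    return True


class ShunList:
    """Shunned sources with an expiry, rendered as the router ACL a sensor
    would install.  ACL number and timeout are assumptions for the example."""

    def __init__(self, acl_number: int = 199, ttl_seconds: int = 900) -> None:
        self.acl_number = acl_number
        self.ttl = ttl_seconds
        self._expires: Dict[str, int] = {}

    def shun(self, src: str, now: int) -> None:
        self._expires[src] = now + self.ttl   # re-shunning extends the block

    def active(self, now: int) -> List[str]:
        # Drop expired entries so a transient alarm does not block forever.
        self._expires = {s: t for s, t in self._expires.items() if t > now}
        return sorted(self._expires)

    def render_acl(self, now: int) -> List[str]:
        lines = [f"access-list {self.acl_number} deny ip host {src} any"
                 for src in self.active(now)]
        lines.append(f"access-list {self.acl_number} permit ip any any")
        return lines


def run_sensor(packets: List[Packet], signatures: List[Signature],
               shuns: ShunList, now: int) -> List[Tuple[int, str, str]]:
    """Returns (signature id, source, action) for every match; shuns as needed."""
    alarms = []
    for pkt in packets:
        for sig in signatures:
            if matches(sig, pkt):
                alarms.append((sig.sig_id, pkt.src, sig.action))
                if sig.action == "shun":
                    shuns.shun(pkt.src, now)
    return alarms


# Constructed signatures: hypothetical IDs and patterns, not Cisco's rule set.
SIGNATURES = [
    Signature(1001, "telnet SYN from outside", "tcp", 23, "S", None, "alarm"),
    Signature(2001, "SMTP VRFY probe", "tcp", 25, None,
              re.compile(rb"(?i)^VRFY "), "alarm"),
    Signature(3001, "web directory traversal", "tcp", 80, None,
              re.compile(rb"\.\./\.\./"), "shun"),
]

# Constructed traffic sample (addresses are examples only).
PACKETS = [
    Packet("10.9.9.9", "212.1.1.10", "tcp", 80, "PA",
           b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("10.8.8.8", "212.1.1.20", "tcp", 25, "PA", b"VRFY root\r\n"),
    Packet("10.7.7.7", "212.1.1.30", "tcp", 23, "S", b""),
    Packet("10.6.6.6", "212.1.1.10", "tcp", 80, "PA",
           b"GET /index.html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    shun_list = ShunList()
    for alarm in run_sensor(PACKETS, SIGNATURES, shun_list, now=1000):
        print("alarm", alarm)
    print("\n".join(shun_list.render_acl(now=1000)))
```

Running the block raises three alarms and shuns 10.9.9.9 only; rendering the ACL 900 seconds later yields just the trailing permit, which is the ageing-out behaviour a real deployment should insist on.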
Intrusion Detection Director

The Intrusion Detection Director is the software application that monitors and controls the behavior of the sensors. There is usually only one Intrusion Detection Director on any given network, and all sensors direct their alarms and notifications to it. The Intrusion Detection Director software currently supports only the Solaris platform. The main functions of the Intrusion Detection Director are

• Initial configuration of the Intrusion Detection Sensor— Once the sensor has been configured on its own, the director completes the configuration of the sensor and starts receiving alarms and notifications from it.

• Intrusion Detection Sensor monitoring— The sensors send real-time security information to the director, and the director is responsible for collating and representing this data graphically on the director console.

• Intrusion Detection Sensor management— The director can remotely manage the configuration of services on a sensor. This enables you to use the built-in embedded signatures or to create your own signatures to match the needs of your network.

• Collection of the Intrusion Detection Sensor data— Every sensor sends its data to the director. The Intrusion Detection Director ships with drivers for Oracle and Remedy, enabling the administrator to write the data to an external data source for storage.

• Analysis of the Intrusion Detection Sensor data— The Intrusion Detection Director software has a built-in set of SQL-compliant queries that can be run against data collected from the sensors. Many third-party tools can be integrated into the Intrusion Detection Director to provide more detailed analysis of the data presented.

• Network Security Database— The Network Security Database (NSDB) is an HTML-based encyclopedia of network security information. This information includes the current vulnerabilities, their associated exploits, and preventive measures you can take to avoid them. This database is upgradable with a download from Cisco Connection Online (CCO), www.cisco.com, for customers with a maintenance agreement with Cisco. User-defined notes can be added to each vulnerability.

• Support for user-defined actions— The Intrusion Detection Director can be programmed with user-defined actions. This can be as simple as sending specific people an e-mail if a certain condition is met or as complex as running a UNIX script to lock down a specific service.

Intrusion Detection Post Office

The IDS Post Office is the communications backbone that allows Cisco Secure IDS services and hosts to communicate with each other. All communications between the Intrusion Detection Sensor and Director use a proprietary connection-based protocol that can switch between alternate routes to maintain point-to-point connections. Further information on the Cisco Secure Intrusion Detection System can be found at www.cisco.com/go/netranger.
Cisco Secure Scanner

The Cisco Secure Scanner (formerly Cisco NetSonar) is a software application that offers a complete suite of network scanning tools designed to run on either Windows NT or Solaris. Network scanning is the process in which a specific host is configured as a scanner and it scans all or just configurable parts (depending on the scanner) of the network for known security threats. The design and operation of the scanner makes it a valuable asset to have in your quest for Internet security. The Cisco Secure Scanner follows a four-step process to identify any possible network vulnerabilities:

Step 1. Gather information. The user instructs the scanner to scan a network or various networks based on provided IP address details. The scanner identifies all active devices.

Step 2. Identify potential vulnerabilities. The detailed information that is obtained from the active devices is compared against well-known security threats appertaining to the specific host type and version number.

Step 3. Confirm selected vulnerabilities. The scanner can take action to confirm vulnerabilities by using active probing techniques that are designed not to damage the network.

Step 4. Generate reports and graphs. Once all of the information has been gathered and potential vulnerabilities have been identified, full reports can be created. These reports can be geared toward specific organizational roles, ranging from the system administrators to senior management.

The Cisco Secure Scanner identifies information about the network hosts for a given network. For example, you might scan your public IP address allocation of 212.1.1.0/24. The scanner identifies which IP addresses are live and also extracts the operating system, version number, domain name, and IP settings for all hosts, including internetworking devices such as routers, switches, and remote access servers. Key Internet servers such as Web, FTP, and SMTP servers are also identified. Once this information has been obtained, the list of hosts is compared against common vulnerabilities. These vulnerabilities are in the following categories:
• TCP/IP
• UNIX
• Windows NT
• Web servers (HTTP, HTTPS)
• Mail servers (SMTP, POP3, IMAP4)
• FTP servers
• Firewalls
• Routers
• Switches

This vulnerability information is collated from the Network Security Database (NSDB). The NSDB contains the current well-known security vulnerabilities grouped by operating system. The Cisco Countermeasures Research Team (C-CRT) frequently updates the database, and the updated database is posted on Cisco Connection Online (CCO). Customers with maintenance contracts can download the latest database to update the scanning host with the most recent revision. Figure 3-2 shows the scanner performing a scan for a given network.

Figure 3-2. Cisco Secure Scanner
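The four-step workflow above, carried through in Python as an added example; this is not Cisco Secure Scanner or NSDB code. The host inventory stands in for the output of step 1, the vulnerability records are constructed with hypothetical IDs, step 2 matches on product and version range rather than on an exact string, step 3 runs a non-destructive confirmation check where one is defined, and step 4 renders either an executive summary or a technical listing. The structure generalizes beyond the three records shown: any record with a product and a version range is matched the same way.

```python
from typing import Callable, Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.0.7' -> (2, 0, 7), so that versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


# Step 1 result: constructed inventory, as a scanner would build it from
# live hosts and their banners.  Addresses and versions are examples only.
INVENTORY = [
    {"ip": "212.1.1.1", "type": "router", "product": "ios",
     "version": "11.2.8", "services": ["telnet", "snmp"]},
    {"ip": "212.1.1.10", "type": "unix", "product": "sendmail",
     "version": "8.9.3", "services": ["smtp"]},
    {"ip": "212.1.1.20", "type": "windows_nt", "product": "iis",
     "version": "4.0", "services": ["http"]},
    {"ip": "212.1.1.30", "type": "unix", "product": "sendmail",
     "version": "8.12.0", "services": ["smtp"]},
]

# Constructed vulnerability records with hypothetical IDs (not NSDB entries).
# A record applies when the product matches and version is in [min, max).
NSDB_LIKE = [
    {"id": "C-1", "category": "Routers", "product": "ios", "min": "11.0",
     "max": "11.3", "severity": "high",
     "title": "Old IOS train with known remote issues", "confirm": None},
    {"id": "C-2", "category": "Mail servers", "product": "sendmail",
     "min": "8.0", "max": "8.10", "severity": "high",
     "title": "Sendmail version with published exploits",
     "confirm": "smtp_banner"},
    {"id": "C-3", "category": "Web servers", "product": "iis", "min": "4.0",
     "max": "5.0", "severity": "medium",
     "title": "IIS 4.0 default sample scripts", "confirm": None},
]


def identify(inventory: List[dict], db: List[dict]) -> List[dict]:
    """Step 2: match each host against the records for its product/version."""
    findings = []
    for host in inventory:
        ver = parse_version(host["version"])
        for rec in db:
            if rec["product"] != host["product"]:
                continue
            if parse_version(rec["min"]) <= ver < parse_version(rec["max"]):
                findings.append({"ip": host["ip"], "type": host["type"],
                                 **rec, "status": "potential"})
    return findings


# Step 3: non-destructive confirmation checks keyed by name.  A real scanner
# would probe the host; here the check only consults the inventory.
def smtp_banner(host: dict) -> bool:
    return "smtp" in host["services"]


CONFIRM: Dict[str, Callable[[dict], bool]] = {"smtp_banner": smtp_banner}


def confirm(findings: List[dict], inventory: List[dict]) -> List[dict]:
    by_ip = {h["ip"]: h for h in inventory}
    for f in findings:
        check = CONFIRM.get(f["confirm"] or "")
        if check is None:
            continue          # no safe check defined: stays "potential"
        f["status"] = "confirmed" if check(by_ip[f["ip"]]) else "not confirmed"
    return findings


def report(findings: List[dict], audience: str) -> List[str]:
    """Step 4: executive view counts by severity; technical view lists hosts."""
    if audience == "executive":
        counts: Dict[str, int] = {}
        for f in findings:
            if f["status"] != "not confirmed":
                counts[f["severity"]] = counts.get(f["severity"], 0) + 1
        return [f"{sev}: {n}" for sev, n in sorted(counts.items())]
    return [f"{f['ip']} [{f['category']}] {f['id']} {f['title']} ({f['status']})"
            for f in sorted(findings, key=lambda f: f["ip"])]


def run_scan(inventory=INVENTORY, db=NSDB_LIKE) -> List[dict]:
    return confirm(identify(inventory, db), inventory)


if __name__ == "__main__":
    results = run_scan()
    print("\n".join(report(results, "executive")))
    print("\n".join(report(results, "technical")))
```

The second sendmail host (8.12.0) falls outside the record's version range and produces no finding, which is the behaviour a version-aware scanner must get right; a scanner that matched on product name alone would report it as vulnerable.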
Once the data has been collated and any vulnerability identified, the application allows you to create numerous charts and reports within three report formats. The reports are configurable for an Executive Report, Brief Technical Report, and Full Technical Report. Figure 3-3 shows a sample Executive Summary from a Full Technical Report.

Figure 3-3. Cisco Secure Scanner Reporting
The Cisco Secure Scanner is a key component in the Cisco Security Solution. The product falls into the security monitoring category discussed in the previous "Security Monitoring" section, and it is a key element of the constant review of Internet security. As a network designer, you might feel that you have protected your network against all current Internet security threats. This may be true, but the constant update and renewal of the NSDB may introduce new threats that you have not considered or vulnerabilities that were not exploited before. This constant evolution makes Internet security a constant task and the security scanner an invaluable tool for the modern network engineer. Further information on the Cisco Secure Scanner can be found at www.cisco.com/go/netsonar.
Cisco Secure Policy Manager

Cisco Secure Policy Manager (formerly Cisco Security Manager) is a very powerful security policy management application designed around the integration of Cisco Secure PIX Firewalls, IPSec VPN-capable routers, and routers running the Cisco IOS Firewall feature set. Currently, Cisco Secure Policy Manager is available only on the Windows NT platform. The Policy Manager provides a tool that enables the security administrator to define, enforce, and audit security policies. The administrator is able to formulate complex security policies based on organizational needs. These policies are then converted to detailed configurations by the Policy Manager and distributed to the specific security devices in the network. The main features of Cisco Secure Policy Manager are

• Cisco firewall management— Cisco Secure Policy Manager empowers the user to define complex security policies and then distribute these to several hundred PIX Firewalls or routers running the Cisco IOS Firewall. Full management capabilities are available for the firewalls.

• Cisco VPN router management— IPSec-based VPNs can be easily configured by using the simple GUI. As with the firewall management, this VPN configuration can be distributed to several hundred PIX Firewalls or routers running the Cisco IOS Firewall.

• Security policy management— The GUI enables the creation of network-wide security policies. These security policies can be managed from a single point and delivered to several hundred firewall devices without requiring extensive device knowledge and dependency on the command-line interface.

• Intelligent network management— The defined security policies are translated into the appropriate device commands to create the required device configuration. The device configuration is then securely distributed throughout the network, eliminating the need for device-by-device management.

• Notification and reporting system— Cisco Secure Policy Manager provides a basic set of tools to monitor, alert, and report activity on the Cisco Secure devices. This provides the security administrator with reporting information that can be used to ascertain the current state of the security policy as well as a notification system to report various conditions. Along with the built-in notification and reporting tools, the product also implements and integrates with leading third-party monitoring, billing, and reporting systems.

Figure 3-4 shows the main configuration screen of the Cisco Secure Policy Manager.

Figure 3-4. Cisco Secure Policy Manager
The following devices and software revisions are supported by Cisco Secure Policy Manager:

• Cisco Secure PIX Firewall - PIX OS 4.2.4, 4.2.5, 4.4.x, 5.1.x, 5.2.x, 5.3.x
• Cisco 1720 Series running Cisco IOS Firewall
• Cisco 2600 Series running Cisco IOS Firewall
• Cisco 3600 Series running Cisco IOS Firewall
• Cisco 7100 Series running Cisco IOS Firewall
• Cisco 7200 Series running Cisco IOS Firewall

NOTE

Though not documented at the time this book was written, Cisco Secure Policy Manager can be expected to support the Cisco PIX 525.

Further information on the Cisco Secure Policy Manager can be found at www.cisco.com/go/policymanager.
Cisco Secure Access Control Server (ACS)

Cisco Secure Access Control Server (ACS) (formerly known as Cisco Secure) is a complete network control solution built around the authentication, authorization, and accounting (AAA) standards. Currently, Cisco Secure ACS is available on Windows NT and Solaris platforms. Both versions have similar features and operate using industry-standard protocols. AAA functions are available on most Cisco devices, including routers and the Cisco Secure PIX Firewall. The two main AAA protocols used are RADIUS and TACACS+. Figure 3-5 shows the main configuration screen of Cisco Secure ACS for Windows NT.

Figure 3-5. Cisco Secure ACS
Authentication

Authentication is the determination of a user's identity and the verification of the user's information, similar to the username and password pair utilized by most common network operating systems. Cisco Secure ACS provides a secure authentication method for dealing with access to your corporate network. This access might include remote users logging in over a VPN or the corporate RAS system, or network administrators gaining access to internetworking devices such as routers or switches. Authentication can be enabled against numerous data sources; for example, with the Windows NT version of Cisco Secure ACS, you can enable authentication against the Windows NT User Domain. All leading crypto card manufacturers are also supported.

Authorization

With authorization, you can specify what users can do once they are authenticated. You create user profile policies on the ACS server that are enforced when the user logs in. This is useful for allowing specific groups of users access to specific areas on the network. For example, you can restrict access to the Internet for all users unless they are in the Internet Access user group on the ACS server.

Accounting

Accounting can be defined as recording what a user is doing once authenticated. This is extremely useful to implement on the internetworking devices within your operation. Unplanned changes to the configuration of a mission-critical router are common in every organization. These changes disrupt service, cause network downtime, and cost the company money. When it comes to identifying the culprit, you can expect that nobody will own up to making the changes. With the accounting features of Cisco Secure ACS, you can log every single command that a user enters on a supporting device to either a comma-separated value (CSV) file or a syslog server. This information is held along with the logged-in username and the date and time. Because the record is kept off the device, on the ACS or syslog server, it is still available after the device has been reloaded or its configuration replaced. This preventive system is excellent for stopping budding CCIE engineers from tweaking various configuration settings without really knowing or understanding the ramifications. Further information on the Cisco Secure ACS can be found at www.cisco.com/go/ciscosecure.
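The following Python is an added example of how such command accounting records can be audited once they have been collected; it is not Cisco Secure ACS code. The CSV layout (date, time, username, group, device address, command) is a simplified, hypothetical one rather than the ACS export format, and the records, the maintenance window and the group allowed to make changes are constructed for the example. It reconstructs configuration sessions from the command sequence per user and device, and flags changes made by a group not authorized to change configurations or made outside the window.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed accounting export.  Real ACS exports carry more columns and
# different header names; this layout is an assumption for the example.
ACCOUNTING_CSV = """date,time,user,group,nas,cmd
2001-05-10,09:02:11,alice,NetAdmins,10.1.1.1,show running-config
2001-05-10,09:03:40,bob,Helpdesk,10.1.1.1,configure terminal
2001-05-10,09:03:52,bob,Helpdesk,10.1.1.1,interface Serial0
2001-05-10,09:04:01,bob,Helpdesk,10.1.1.1,shutdown
2001-05-10,09:04:09,bob,Helpdesk,10.1.1.1,end
2001-05-10,21:15:30,alice,NetAdmins,10.1.1.2,configure terminal
2001-05-10,21:15:44,alice,NetAdmins,10.1.1.2,no access-list 101
2001-05-10,21:16:02,alice,NetAdmins,10.1.1.2,end
2001-05-11,08:30:00,carol,NetAdmins,10.1.1.1,show interfaces
"""

CHANGE_WINDOW = ("18:00:00", "23:59:59")   # assumed maintenance window
CHANGE_GROUPS = {"NetAdmins"}              # assumed groups allowed to change configs


def parse_records(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def config_changes(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Track configuration mode per (user, device) and keep the commands
    entered between 'configure ...' and 'end'/'exit': those change the device.
    'show' commands entered outside configuration mode are not changes."""
    in_config = defaultdict(bool)
    changes = []
    for r in records:
        key = (r["user"], r["nas"])
        cmd = r["cmd"].strip()
        if cmd.startswith("configure"):
            in_config[key] = True
            continue
        if cmd in ("end", "exit") and in_config[key]:
            in_config[key] = False
            continue
        if in_config[key]:
            changes.append(r)
    return changes


def flag(changes: List[Dict[str, str]]) -> List[Tuple[Dict[str, str], str]]:
    """A change is flagged when made by a user outside the change groups or
    outside the maintenance window; returns (record, reason) pairs."""
    flagged = []
    for r in changes:
        reasons = []
        if r["group"] not in CHANGE_GROUPS:
            reasons.append("group not authorized for changes")
        # HH:MM:SS strings compare correctly as text
        if not (CHANGE_WINDOW[0] <= r["time"] <= CHANGE_WINDOW[1]):
            reasons.append("outside change window")
        if reasons:
            flagged.append((r, "; ".join(reasons)))
    return flagged


def summarize(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Per-user count of configuration-changing commands."""
    counts: Dict[str, int] = defaultdict(int)
    for r in config_changes(records):
        counts[r["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_records(ACCOUNTING_CSV)
    for r, why in flag(config_changes(recs)):
        print(f"{r['date']} {r['time']} {r['user']}@{r['nas']}: {r['cmd']}  <- {why}")
    print(summarize(recs))
```

On the sample, bob's two commands on 10.1.1.1 are flagged on both counts while alice's access-list change inside the window is not; the point of the session reconstruction is that `shutdown` only counts as a change because it was entered after `configure terminal`, so a command-name blacklist alone would not do.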
Summary

This chapter has provided an overview of the Cisco Security Solution and has introduced you to the Cisco Secure product family. As you can see, each product in the family fits into a specific role in the Cisco Security Solution. Security is more than just implementing a PIX Firewall or occasionally scanning your network with the Cisco Secure Scanner. It should be clear in your mind that the correct security approach is one that looks at all angles of security, as outlined in the Cisco Security Solution. Multiple products are required to facilitate this, and an intrinsically sound security policy that is implemented and understood by all is key to the success of your endeavors.
Frequently Asked Questions
Question: What Cisco product provides intrusion detection capabilities?

Answer: The dedicated intrusion detection solution from Cisco Systems is the Cisco Secure IDS. Keep in mind that Cisco IOS Firewall also has intrusion detection features built in.

Question: Is it necessary to perform security scanning on your network?

Answer: Yes, security scanning with a product such as the Cisco Secure Scanner is an excellent way to measure the security of your network. Every network that is designed must have a benchmark to measure itself against concerning the security safeguards that have been implemented. A security scanner uses the same techniques that common hackers employ to test the vulnerability of the network. It is better for you to discover the vulnerability rather than for a potential attacker to do so.
Glossary
AAA (authentication, authorization, accounting) — Often pronounced "triple a."
ACS (Access Control Server) — The Cisco Secure ACS is an integrated RADIUS and TACACS+ server for authentication, authorization, and accounting.
CCO (Cisco Connection Online) — The Cisco Systems home page on the Internet. Located at http://www.cisco.com.
IDS (Intrusion Detection System) — Scans the network in real time to intercept attempted breaches of security.
ISP (Internet service provider) — A service provider that provides a connection to the public Internet.
IPSec (Internet Protocol Security) — A standards-based method of providing privacy, integrity, and authenticity to information transferred across IP networks.
NSDB (Network Security Database) — The security database of known security vulnerabilities, their exploits, and associated remedies. Used by security scanners and intrusion detection systems.
PIX (Private Internet Exchange) — The Cisco range of leading hardware-based firewalls.
RADIUS (Remote Access Dial-In User Service) — A protocol used to authenticate users on a network.
TACACS+ (Terminal Access Controller Access Control System Plus) — A protocol used to authenticate users on a network. Also provides authorization and accounting facilities.
VPN (Virtual Private Network) — A secure connection over an unsecured medium. The connection is secured by the use of tunneling protocols and encryption.
Bibliography
Designing Network Security by Merike Kaeo, Cisco Press 1999. (ISBN 1-57870-043-4)
URLs
Cisco Connection Online: www.cisco.com
Cisco Secure home page: www.cisco.com/warp/public/44/jump/secure.shtml
Security products and technologies: www.cisco.com/warp/public/cc/cisco/mkt/security/
Cisco Secure ACS: www.cisco.com/warp/public/cc/cisco/mkt/access/secure/
Cisco IOS Firewall: www.cisco.com/warp/public/cc/cisco/mkt/security/iosfw/
Cisco Secure IDS: www.cisco.com/warp/public/cc/cisco/mkt/security/nranger/
Cisco Secure PIX Firewall: www.cisco.com/go/pix
Cisco Secure Policy Manager: www.cisco.com/warp/public/cc/pd/sqsw/sqppmn/index.shtml
Cisco Secure Scanner: www.cisco.com/warp/public/cc/pd/sqsw/nesn/index.shtml
96
Chapter 4. Cisco Secure PIX Firewall
This chapter contains the following sections:
• PIX Models
• PIX Features
• PIX Configuration
• VPN with Point-to-Point Tunneling Protocol (PPTP)
• VPN with IPSec and Manual Keys
• VPN with Preshared Keys
• Obtaining Certificate Authorities (CAs)
• PIX-to-PIX Configuration
• Summary
This chapter focuses on the Cisco Secure Private Internet Exchange (PIX) Firewall. The strength of the security features within the PIX lies in the fact that it was designed solely as a firewall. Although a PIX Firewall will do a limited amount of routing, the real purposes of the PIX are to deny unrequested outside traffic from your LAN and to form secure Virtual Private Networks (VPNs) between remote locations. A router requires a great deal of configuration to act effectively as a firewall. The PIX, however, only requires six commands before it can be placed into service. The PIX is easy to configure and generally requires no routine maintenance once configured.

The larger a sphere is, the larger the surface area of that sphere. If you analogize the security concerns of an operating system to a sphere, you soon realize that the larger the operating system, the larger the "surface area" that must be defended. A router with a much larger operating system must be carefully configured to stop intruders, prevent denial of service (DoS) attacks, and secure the LAN. The PIX operating system, originally designed as a Network Address Translation (NAT) device, is not a general-purpose operating system and operates in real time, unlike both Windows NT and UNIX. Therefore, the PIX has a very small operating system that presents fewer opportunities for a security breach. The smaller the operating system, the less chance that an area has been overlooked in the development process. The PIX does not experience any of the many security holes present within either UNIX or Windows NT. The operating system is proprietary, and its inner workings are not published for use outside of Cisco Systems. The general networking public does not have access to the source code for the PIX, and therefore, the opportunities for exploiting a possible vulnerability are limited. The inner workings of the PIX Firewall are so secret that the authors of this book were not able to gain access to them.
Several advantages to using the PIX over a router or a UNIX, Linux, or Windows NT-based firewall exist. The benefits of using a PIX include the following:
• PIX's Adaptive Security Algorithm (ASA), combined with cut-through proxy, allows the PIX to deliver outstanding performance
• Up to 500,000 connections simultaneously
• Throughput speeds up to 1000 Mbps
• Failover capabilities on most models
• An integrated appliance
• IPSec VPN support
• NAT and Port Address Translation (PAT) fully supported
• Low packet delay
• Low cost of ownership due to no OS maintenance
• Integrated Intrusion Detection System (IDS)
• High reliability, no hard disk, Mean Time Between Failure greater than 60,000 hours
• Common criteria EAL 2 certification
PIX Models
The PIX Firewall comes in four main models, with an additional model that's being phased out. Ranging in size from models designed for the home or small office through enterprise level firewalls, the PIX models allow for virtually any size of organization to be protected. The models are as follows:
• PIX 506
• PIX 515
• PIX 520/525
• PIX 535
The features of each model follow.
PIX 506
The PIX 506 is the smallest of the PIX Firewalls available. Currently list-priced at less than U.S. $2000, the 506 is designed for firewall protection of the home or small business office. The 506 is approximately one-half the width of the rest of the PIX models. The capabilities and hardware features of the 506 are as follows:
• 10 Mbps throughput
• 7 Mbps throughput for Triple Data Encryption Standard (3DES) connections
• Up to ten simultaneous IPSec Security Associations (SAs)
• 200 MHz Pentium MMX processor
• 32 MB SDRAM
• 8 MB Flash memory
• Two integrated 10/100 ports
A picture of the PIX 506 is shown in Figure 4-1.
Figure 4-1. PIX 506
PIX 515
The PIX 515 is designed for larger offices than those of the 506. There are three main advantages of the 515 over the 506. The first advantage is the ability to create demilitarized zones (DMZs) through the use of an additional network interface. The second advantage is the throughput speed and number of simultaneous connections supported. The third advantage is the ability to support a failover device that will assume the duties of the primary PIX should there be a failure. The PIX 515 comes in two models, the 515 Restricted (515-r) and the 515 Unrestricted (515-ur). The characteristics of these two models follow.
PIX 515-r:
• No failover devices supported.
• A single DMZ can be used.
• Ethernet must be the LAN protocol.
• Maximum of three interfaces may be used.
• 32 MB RAM.
PIX 515-ur:
• Failover devices are supported.
• Two DMZs may be implemented.
• Ethernet must be the LAN protocol.
• Maximum of six interfaces may be used.
• 64 MB RAM.
These two models are essentially the same hardware with different memory and software. It is possible to purchase a 515-r and upgrade it to a 515-ur by adding more memory and updating the operating system. The net cost to the user is very close to the purchase price of a 515-ur. The capabilities and hardware features of the 515 follow:
• Rack mountable
• Up to 100,000 simultaneous connections
• Up to 170 Mbps throughput
• Up to four interfaces
• Up to 64 MB SDRAM
• 16 MB Flash memory
• 200 MHz Pentium MMX processor
A picture of the PIX 515 is shown in Figure 4-2.
Figure 4-2. PIX 515
PIX 520/525
The PIX 520, sometimes called the classic PIX, is in the process of being phased out in favor of the newer design of the model 525. Both of these firewalls have the same underlying hardware. The PIX 525 is designed for a large organization and has the following capabilities and hardware features:
• Rack mountable
• More than 256,000 simultaneous connections
• Six to eight integrated Ethernet cards
• Up to four Token Ring cards
• Up to four FDDI or four Gigabit Ethernet cards
• More than 240 Mbps throughput
• Up to 256 MB RAM
A picture of the PIX 525 is shown in Figure 4-3.
Figure 4-3. PIX 525
PIX 535
The PIX 535 is designed for large enterprise and Internet service provider (ISP) environments where an extreme amount of traffic must be secured. This is presently the largest PIX Firewall available and has the following capabilities and hardware features:
• Rack mountable
• More than 500,000 simultaneous connections
• Six to eight integrated Ethernet cards
• Up to four Token Ring cards
• Up to four FDDI or eight Gigabit Ethernet cards
• More than 1,000 Mbps throughput
• 512 to 1024 MB RAM
A picture of the PIX 535 is shown in Figure 4-4.
Figure 4-4. PIX 535
PIX Features
The PIX Firewalls, regardless of model number, all provide the same security features. The PIX is a stateful firewall that delivers full protection to the corporate network by completely concealing the nature of the internal network to those outside. The main operating features of the PIX follow:
• Sequence random numbering — IP spoofing generally relies on the ability to guess a sequence number. The PIX randomizes the IP sequence numbers for each session. This makes IP spoofing much more difficult to accomplish.
• Stateful filtering — This is a secure method of analyzing data packets that is also known as the Adaptive Security Algorithm (ASA). When data traverses from the trusted interface on the PIX to a less trusted interface, information about this packet is entered into a table. When the PIX receives a data packet with the SYN bit set, the PIX checks the table to see if, in fact, the destination host has previously sent data out to the responding host. If the table does not contain an entry showing that the local host has requested data, the packet is dropped. This technique virtually eliminates all SYN-based DoS attacks.
• Network Address Translation (NAT) — NAT is the process of changing the source IP address on all packets sent out by a host and changing the destination IP address of all incoming packets for that host. This prevents hosts outside of the LAN from knowing the true IP address of a local host. NAT uses a pool of IP addresses for all local hosts. The IP address a local host will receive changes as addresses are used and returned to the pool.
• Port Address Translation (PAT) — PAT is similar to NAT except that all local hosts receive the same IP address. Using different ports for each session differentiates local host sessions. The IP address of the local host is still changed using PAT, but the ports associated with the session are also changed. Both PAT and NAT can be used concurrently on a PIX Firewall.
• Embedded operating system — A UNIX, Linux, or Windows NT machine can be used as a proxy server. However, the throughput of such a machine is slower by design than that available through the PIX. A proxy server receives an Ethernet packet, strips off the header, extracts the IP packet, and then moves that packet up through the OSI model until it reaches the application layer (Layer 7), where the proxy server software changes the address. The new IP packet is rebuilt and sent down to Layer 1 of the OSI model, where it is transmitted. This uses a large number of CPU cycles and introduces delay. Because the PIX is a proprietary system, the OSI model constraints can be bypassed and made to allow cut-through proxy to operate.
• Cut-through proxy and ASA — The combination of cut-through proxy and ASA allows the PIX to process more than 500,000 connections simultaneously with virtually no packet delay. Cut-through proxy is the process where the first packet in a session is checked as in any proxy server, but all subsequent packets are passed through. This technique allows the PIX to transfer packets extremely efficiently.
• DNS guard — By default, all outgoing DNS requests are allowed. Only the first response is allowed to enter the LAN.
• Mail guard — Only RFC 821-specific commands are allowed to a Simple Mail Transfer Protocol (SMTP) server on an inside interface. These commands are HELLO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. The PIX responds with an OK to all other mail requests to confuse attackers. This is configured with the fixup command.
• Flood defender — This limits the total number of connections and the number of half-open connections. User Datagram Protocol (UDP) response packets that either have not been requested or arrive after a timeout period are also dropped.
• ICMP deny — By default, all Internet Control Message Protocol (ICMP) traffic does not get sent over the inside interface. The administrator must specifically allow ICMP traffic to enter if needed.
• IP Frag Guard — This limits the number of IP full-fragment packets per second per internal host to 100. This prevents DoS attacks such as LAND.c and teardrop. Additionally, this ensures that all responsive IP packets are let through only after an initial IP packet requesting the response has traversed the PIX.
• Flood guard — This feature is designed to prevent DoS attacks that continuously request an authentication of a user. The repetitive requests for authentication in this type of DoS attack are designed to use memory resources on a network device. The PIX relies on a subroutine that uses its own section of memory. When an excessive number of authentication requests are received, the PIX starts dropping these requests and reclaiming memory, thus defeating this form of attack.
• Automatic Telnet denial — By default, the PIX Firewall will not respond to any Telnet request except through the console port. When enabling Telnet, set it to allow only those connections that are actually necessary.
• Dynamic Host Configuration Protocol (DHCP) client and server support — The PIX can rely on a DHCP server to gain an IP address for an interface. As a DHCP server, the PIX provides IP addresses for hosts attached to one of the interfaces.
• Secure Shell (SSH) support — The PIX supports the SSH remote shell functionality available in SSH version 1. SSH is an application that runs on top of a connection-oriented Layer 3 protocol such as TCP. SSH provides encryption and authentication services for Telnet sessions. Support for SSH requires third-party software, which may be obtained at the following sites:
  - Windows client: hp.vector.co.jp/authors/VA002416/teraterm.html
  - Linux, Solaris, OpenBSD, AIX, IRIX, HP/UX, FreeBSD, and NetBSD client: www.openssh.com
  - Macintosh client: www.lyastor.liu.se/~jonasw/freeware/niftyssh
• Intrusion Detection System (IDS) — The PIX integrates the same IDS features that are available on routers through the Cisco Secure IOS. The IDS detects 53 specific types of intrusion. See Chapter 6, "Intrusion Detection Systems," for more details on IDS.
• TCP intercept — The PIX can act like a TCP intercept device, isolating protected hosts from direct contact through TCP connections. TCP intercept is discussed in Chapter 2, "Basic Cisco Router Security."
PIX Configuration
This section explores how to configure a PIX Firewall for a number of different scenarios. This section defines terms and gives explanations of how different scenarios require different hardware and software configurations. The basic PIX configuration is extremely simple. By default, this configuration allows outgoing packets and responsive packets into the LAN. This configuration also denies all ICMP packets traversing the PIX from the outside to the inside, even when such a packet is in response to a ping issued from the inside. Like any other Cisco IOS, the Cisco PIX has a command-line interface (CLI). There is a user mode and an enable mode. For the moment, you will configure the PIX by connecting the console port on the PIX to a serial port on a computer using the cable you received with the PIX Firewall. Some of the commands will be familiar and some will be new. Each scenario in this section builds on the previous scenario. If by issuing a show config command you see a number of items not shown on a particular configuration, do not panic. The PIX enters a number of defaults into the configuration when booting. These defaults can be changed. This chapter will deal with the most frequently used commands first. If you simply cannot wait to see what a command does, look in the index and jump ahead to the section concerning that command.
Basic Configuration
The basic configuration for the PIX is illustrated in Figure 4-5. In this scenario, the PIX is used to protect a single LAN from the Internet. Notice in Figure 4-5 that the perimeter router and the connection between the perimeter router and the outside interface of the PIX are unprotected. The perimeter router should be hardened against attacks—especially DoS attacks—because it is not protected by the PIX Firewall. Chapter 10, "Securing the Corporate Network," deals with securing a perimeter router. Any device that is outside of the PIX Firewall cannot be protected by the PIX. If possible, only the perimeter router should reside on the unprotected side of the network. Take a few minutes to study Figure 4-5, which you can use to define terms such as inside, outside, protected, and unprotected.
Figure 4-5. Basic PIX Configuration Sample Network
As shown in Figure 4-5, there is an inside and an outside interface on the PIX. The outside interface is less trusted than the inside interface. The inside interface has a security level of 100. The outside interface has a security level of 0. The security level is what determines whether packets originating from a particular interface are trusted by another interface. The higher the security level, the more an interface is trusted. This premise becomes more important as you build systems with multiple DMZs. When packets are trusted, they are allowed through an interface by default. When packets are not trusted, they are not allowed through by default.

For the basic configuration, you only need to add a few commands. This section takes much longer to read than it will actually take to configure the PIX. Start up the PIX Firewall and connect the inside interface into your local network. Connect the outside interface to the inside interface of your perimeter router. Do not connect these through the same switch or hub that runs your local network. The only path from the perimeter router to your LAN must travel through the PIX Firewall. Companies with multiple paths to the Internet should employ a PIX Firewall between each perimeter router and the LAN. After showing you how to configure the PIX, the chapter explains what has been done. Using Telnet, enter the following commands. The lines are separated for clarity.

enable password enablepass encrypted
passwd password encrypted
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 10baset
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.1.254 255.255.255.0
global (outside) 1 192.168.1.100 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
route inside 10.1.1.0 255.255.255.0 10.1.1.1 1
arp timeout 7200
write mem

At this point, you have your basic configuration set. The next sections walk through each line that you entered and explain the significance of the commands.
password Commands
The first two lines set up your passwords. The first password line was set with the enable password command to enablepass. This was entered with the optional keyword encrypted. Using encrypted ensures that the password will not be revealed if you print out a copy of your configuration. The second line configures your Telnet password to password. The same rules that apply to router passwords apply to PIX passwords. For example, the enable password controls access to the enable commands.
nameif Command
The nameif command is used to label your interfaces and set the security levels for each of your interfaces. The first line sets the Ethernet 0 interface to be called outside and to have a security level of zero. The next line labels the Ethernet 1 interface as inside with a security level of 100. In other words, Ethernet 0 is from now on called outside instead of Ethernet 0 and is completely untrusted because it has a security level of zero. Ethernet 1 is now called inside and is completely trusted. These are both the defaults and are necessary to the configuration. Ethernet 0 is always outside and Ethernet 1 is always inside. outside always has a security level of zero, and inside always has a security level of 100. Except for the inside and outside interfaces, an interface may be named anything you desire and will have a security level somewhere between 0 and 100. Remember that the higher a security level, the more it is trusted. This is important because the default behavior of the PIX Firewall is relative to the security levels associated with the interfaces in question. Every interface has a higher security level than the outside interface. Therefore, by default, packets from any interface can travel through the outside interface. Conversely, no packets from the outside interface by default can travel to any other interface.

Suppose that your PIX had two additional interfaces, Ethernet 2 and Ethernet 3. You enter the following two lines:

nameif ethernet2 joe security16
nameif ethernet3 nancy security45

The joe interface (Ethernet 2) has a security level of 16 and the nancy interface (Ethernet 3) has a security level of 45. This is feasible because you can assign any security level to an interface and can call the interface anything you choose. In this scenario, packets from nancy could travel through the joe interface without any special configurations. Packets originating at joe cannot by default travel through the nancy interface because the nancy interface has a higher security level. The advanced configurations later in this chapter expand on this concept and use more realistic names for the interfaces.
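The security-level rule described above, as an added Python example (not code from the book): it parses nameif lines, checks the fixed rules for ethernet0/outside and ethernet1/inside, and works out which interface pairs pass traffic by default, using the joe and nancy interfaces from the scenario above as constructed input. Treating equal security levels as not allowed is this example's reading of the rule.

```python
import re

# The chapter's nameif lines plus its hypothetical joe/nancy interfaces,
# assembled here as constructed input for the example.
NAMEIF_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 joe security16
nameif ethernet3 nancy security45
"""

NAMEIF_RE = re.compile(r"^nameif\s+(\S+)\s+(\S+)\s+security(\d{1,3})$")


def parse_nameif(config_text):
    """Return {interface_name: (hardware_id, security_level)} from nameif lines.
    Blank lines are ignored; any other non-nameif line is an error."""
    interfaces = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NAMEIF_RE.match(line)
        if not m:
            raise ValueError(f"not a nameif line: {line!r}")
        hw, name, level = m.group(1), m.group(2), int(m.group(3))
        if level > 100:
            raise ValueError(f"security level out of range on {name}: {level}")
        interfaces[name] = (hw, level)
    return interfaces


def check_fixed_interfaces(interfaces):
    """Apply the chapter's fixed rules: ethernet0 is always outside at
    security level 0 and ethernet1 is always inside at security level 100.
    Returns a list of problems, empty when the configuration is consistent."""
    problems = []
    if interfaces.get("outside") != ("ethernet0", 0):
        problems.append("outside must be ethernet0 with security0")
    if interfaces.get("inside") != ("ethernet1", 100):
        problems.append("inside must be ethernet1 with security100")
    return problems


def default_allowed(interfaces, src, dst):
    """True when packets originating on interface src may pass out through
    interface dst with no further configuration: src must have a strictly
    higher security level than dst (the strict comparison is this example's
    assumption; the chapter only describes the higher-to-lower case)."""
    return interfaces[src][1] > interfaces[dst][1]


def default_flow_table(interfaces):
    """Every (src, dst) pair allowed by default, ordered from the most to the
    least trusted source interface."""
    names = sorted(interfaces, key=lambda n: -interfaces[n][1])
    return [(s, d) for s in names for d in names
            if s != d and default_allowed(interfaces, s, d)]


if __name__ == "__main__":
    ifs = parse_nameif(NAMEIF_CONFIG)
    for problem in check_fixed_interfaces(ifs):
        print("problem:", problem)
    for src, dst in default_flow_table(ifs):
        print(f"{src} (security{ifs[src][1]}) -> {dst} (security{ifs[dst][1]}) "
              "allowed by default")
```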
interface Command
The lines starting with interface accomplish two tasks. The first task is to set the speed and type of the interface. If you set interface Ethernet 0 to 100BaseT, you would use the following line:

interface Ethernet0 100baset

Alternatively, if you want to set the first Token Ring interface at 16 Mbps, you would enter:

interface tokenring0 16

The second accomplishment of this line is to turn up the interface. This is the equivalent of issuing a no shut command on a router. The interface command is also the exception to the rule that you can use inside or outside instead of Ethernet0. The actual hardware identification must be used with the interface command.
Assigning IP Addresses
The next two lines assign an IP address and subnet mask to the inside and outside interfaces. The words inside and outside are used because that is what you have named with the nameif command. Substitute whatever name you have given to this particular interface. The IP addresses on each interface must reside on different subnets. The full ip address command follows:

ip address interface_name ip_address subnet_mask
global Command
One of the strengths of the PIX Firewall is its ability to support NAT and PAT. The global command, in conjunction with the nat command, is used to assign the IP addresses that packets receive as they cross the interface. The global command defines a pool of global addresses. This pool provides an IP address for each outbound connection and for inbound connections resulting from these outbound connections. Whether NAT or PAT is used depends on how the global command is used. If you are connecting to the Internet, the global addresses should be registered. Nonroutable IP addresses are used here for illustrative purposes only. Using routable IP addresses becomes a vital consideration when using VPNs that terminate on the PIX Firewall, because without a routable IP address the VPN will never travel over the Internet. The syntax for the global command follows:

global [(interface_name)] nat_id global_ip[-global_ip] [netmask global_netmask]

The interface_name is the name assigned with the nameif command. The nat_id is an integer. The nat_id must match the number used in the nat command. Although almost any number can be used (as long as the number is consistent between the global and nat commands), the number 0 is reserved for special cases. The use of 0 is covered in the section "nat Command." The global_ip can take one of two forms. The form chosen determines whether NAT or PAT is used. If PAT is to be used, enter a single IP address. All packets from all hosts will receive this address as they cross the interface. If NAT is to be used, enter an address range for the IP addresses to be seen from the outside. For example, if you wish to use the single address of 192.10.10.1, you would enter the following:

global (outside) 1 192.10.10.1 255.255.255.0

If, on the other hand, you wish to use NAT and use a whole Class C subnet, you would enter the following:

global (outside) 1 192.10.10.1-192.10.10.254 255.255.255.0

You could also use more than a Class C network by adjusting the IP addresses entered and the subnet mask. The following example uses a 23-bit subnet mask and allows you to use all IP addresses between 192.10.10.1 and 192.10.11.254. When an address range overlaps subnets, the broadcast and network addresses are not used by the global command.

global (outside) 1 192.10.10.1-192.10.11.254 255.255.254.0

When you want to use PAT, you use a single address instead of a range. PAT supports up to 65,535 concurrent translations. There are some limitations in the use of PAT. For example, PAT cannot be used with H.323 and multimedia applications. These types of applications expect to be able to assign certain ports within the application. PAT also does not work in conjunction with the established command. Because the ports are changed when using PAT, these applications fail. As in the basic configuration, the following line sets a single IP address:

global (outside) 1 192.168.1.100 255.255.255.0

The use of the global command requires reverse DNS PTR entries to ensure that external network addresses are accessible through the PIX Firewall. Without these PTR entries, you will see slow or intermittent Internet connectivity and File Transfer Protocol (FTP) requests consistently failing. DNS servers on a higher security level needing updates from a name server on an outside interface must use the static command, which will be explained in the "Realistic Configuration" section. The subnet mask should match the subnet mask on the network segment. Use the ranges of IP addresses to limit the hosts used, not the subnet mask. In more advanced configurations later in this chapter, you will see how to use NAT and PAT together and how to use multiple global ranges.
nat Com m a n d Th e nat com m and is used in conj unct ion w it h t he global com m and. The nat com m and specifies from w hich int erface connect ions can originat e. The synt ax for t he nat com m and follow s:
nat [(interface_name)] nat_id local_ip [netmask [max_connections [em_limit]]] [norandomsequence]

The nat_id number must be the same on the nat and global command statements. Although you might have multiple global commands associated with an interface, only a single nat command can be used. Use the no form of the nat command to remove the nat entry, or rewrite the nat command with the same nat_id to overwrite the existing nat command. After issuing a nat command, you should enter the clear xlate command. This command clears all present NAT and PAT connections, which are then reestablished with the new parameters. This section will deal with using the number 0 for the nat_id after you have seen the other parameters within the nat command and the discussion on using the nat command with access lists.

The local_ip parameter can be set to a single IP address or to a whole network by adjusting the netmask parameter. The local_ip parameter specifies the internal network address to be translated. Using 0.0.0.0 allows all hosts to start outbound connections. Instead of using 0.0.0.0, you can abbreviate by using simply 0.

Use the netmask parameter as you would use any subnet mask. The exception is when you use 0.0.0.0 as the netmask. Using 0.0.0.0 means that you want to allow all hosts on the local network through. This can be abbreviated as simply 0. When allowing all hosts through, you can use 0 for both the local_ip and the netmask. Within the PIX, 0 can be substituted where the word any would be used on a Cisco router. The command line might look like any of the following lines, assuming that the local inside network is 10.1.1.0 with a Class C subnet mask:
nat (inside) 1 0 0 0 0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (inside) 1 0 255.255.255.0 0 0
nat (inside) 1 10.1.1.0 0 0 0
The max_connections parameter limits the number of concurrent TCP connections through an interface. Using 0 makes the number of connections limited only by the license agreement and software installed on the PIX Firewall. Embryonic connections are half-open TCP connections. The default of 0 does not limit the number of embryonic connections. On slower systems, entering a number for em_limit ensures that the system does not become overwhelmed trying to deal with embryonic connections.

The norandomsequence keyword is used to disable the default random sequencing of TCP packet numbers. Although usually not added to the nat command, this can be useful for debugging and in certain other circumstances. For example, if traffic must travel through two PIX Firewalls, the dual randomization of sequence numbers might cause the application to fail. In this case, adding the norandomsequence keyword to one of the PIX Firewalls should resolve the problem.

There are some special considerations for using the nat and global commands with a nat_id of 0. The first consideration is when using an access list to prevent NAT from occurring. For example, the following lines allow the hosts at IP addresses 10.1.1.54 and 10.1.1.113 to traverse the PIX without changing their IP addresses. All other addresses on the inside network receive translation services. The access list associated with a nat 0 command merely prevents NAT; it does not limit accessibility to the outside.
access-list prevent_nat tcp host 10.1.1.54
access-list prevent_nat tcp host 10.1.1.113
nat (inside) 0 access-list prevent_nat

The access list should not attempt to prevent specific ports, because this causes the addresses to become translated. The ASA remains in effect, watching packets and preventing unauthorized access. However, the addresses within the access list are available through the outer interface without translation.

The nat 0 command can also be used without an access list, as any other nat_id could be used. However, using a nat_id of 0 without an access list causes all hosts on the network specified with the netmask to avoid being translated by the NAT functionality of the PIX. Previous versions of the PIX software experienced an issue when using 0 as the nat_id. This issue was that using 0 would cause the PIX to use proxy Address Resolution Protocol (ARP) for all inside addresses. PIX IOS versions 5.0 and above disable this behavior. If no addresses are to be translated, the global command is not necessary. The following example shows how all inside addresses can be prevented from being translated:
nat (inside) 0 0 0 0 0
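The nat and global rules above (matching nat_id values, the bare 0 standing for 0.0.0.0, and a nat 0 without an access list exempting every host from translation) are easy to get wrong in a long configuration. The following Python script is an added example, not code from the book or from Cisco: it normalizes nat lines and reports the two mistakes the text warns about. The SAMPLE_CONFIG fragment is constructed for the example and is not one of the chapter's configurations.

```python
import ipaddress

# Constructed sample fragment (not from the book). It mixes the abbreviated "0"
# forms described above with a nat_id that has no matching global, and a
# nat 0 that has no access list.
SAMPLE_CONFIG = """\
global (outside) 1 192.168.1.50-192.168.1.253 255.255.255.0
global (outside) 1 192.168.1.254 255.255.255.0
nat (inside) 1 0 0 0 0
nat (inside) 1 10.1.1.0 0 0 0
nat (inside) 2 10.2.1.0 255.255.255.0 0 0
nat (dmz) 0 0 0 0 0
nat (inside) 0 access-list prevent_nat
"""


def expand_zero(token):
    """The PIX accepts a bare 0 wherever 0.0.0.0 is meant."""
    return "0.0.0.0" if token == "0" else token


def parse_nat(line):
    """Describe one nat statement with abbreviations expanded.

    Returns a dict with the interface, nat_id, the access list (if one
    selects the hosts), the covered hosts as an ip_network (or None when
    an access list is used) and whether every host behind the interface
    is covered.
    """
    parts = line.split()
    iface = parts[1].strip("()")
    nat_id = int(parts[2])
    if parts[3] == "access-list":
        return {"iface": iface, "id": nat_id, "acl": parts[4],
                "hosts": None, "all_hosts": False}
    local_ip = expand_zero(parts[3])
    netmask = expand_zero(parts[4]) if len(parts) > 4 else "255.255.255.255"
    # 0.0.0.0 as either the address or the mask means "every host",
    # the PIX equivalent of "any" on a router.
    all_hosts = local_ip == "0.0.0.0" or netmask == "0.0.0.0"
    if all_hosts:
        hosts = ipaddress.ip_network("0.0.0.0/0")
    else:
        hosts = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    return {"iface": iface, "id": nat_id, "acl": None,
            "hosts": hosts, "all_hosts": all_hosts}


def audit_nat_global(config):
    """Return a list of findings about nat/global pairing and nat 0 scope."""
    global_ids = set()
    nats = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("global "):
            global_ids.add(int(line.split()[2]))
        elif line.startswith("nat "):
            nats.append(parse_nat(line))

    findings = []
    for n in nats:
        if n["id"] == 0:
            # nat 0 needs no global; without an access list it exempts
            # every host in the stated range from translation.
            if n["acl"] is None and n["all_hosts"]:
                findings.append(f"nat ({n['iface']}) 0 without access-list: "
                                "all hosts bypass NAT")
        elif n["id"] not in global_ids:
            findings.append(f"nat ({n['iface']}) {n['id']} has no matching "
                            f"global with nat_id {n['id']}")
    return findings


if __name__ == "__main__":
    for finding in audit_nat_global(SAMPLE_CONFIG):
        print(finding)
```

Running the script against the sample prints one finding for the nat (dmz) 0 line and one for nat_id 2; the two forms of the nat (inside) 1 line normalize to the same "all hosts" meaning, which is the point the four equivalent lines above make.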
route Command

The route command is used by the PIX in the same manner that static routes and default routes are used on a router. The PIX has limited routing capabilities. It is necessary for you to specify routes. As in a router, the most specific route listed takes precedence. The syntax for the route command follows:
route interface_name ip_address netmask gateway_ip [metric]

The interface_name is any name previously defined by the nameif command. The ip_address is the address of the internal or external network. A default route can be set with either 0.0.0.0 or 0. The netmask is the subnet mask of the route. A default route can use either 0.0.0.0 or 0. The gateway_ip is the IP address of the next hop for the network to which you are adding a route. For example, if your inside interface supported multiple networks connected with a router whose interface is 10.1.1.20, your route statements might appear as follows:
route inside 10.1.2.0 255.255.255.0 10.1.1.20 2
route inside 10.1.8.0 255.255.255.0 10.1.1.20 2
route inside 10.2.13.0 255.255.255.0 10.1.1.20 2
route inside 10.11.7.0 255.255.255.0 10.1.1.20 2
Version 5.1 has been improved to specify automatically the IP address of a PIX Firewall interface in the route command. Once you enter the IP address for each interface, the PIX creates a route statement entry that is not deleted when you use the clear route command. If the route command uses the IP address from one of the PIX's own interfaces as the gateway IP address, the PIX uses ARP for the destination IP address in the packet instead of issuing an ARP for the gateway IP address.

The metric parameter is used to specify the number of hops to gateway_ip, not to the ultimate destination of the IP packet. A default of 1 is assumed if this parameter is not used. If duplicate routes are entered with different metrics for the same gateway, the PIX replaces the metric of the existing route with the new value.
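The statement that the most specific route takes precedence is the longest-prefix-match rule routers use. The following Python script is an added example, not code from the book or from Cisco: it parses route lines in the syntax given above (including the abbreviated "0 0" default route and the default metric of 1) and selects the route the PIX would use for a destination. The SAMPLE_ROUTES table is constructed for the example and is not one of the chapter's configurations.

```python
import ipaddress

# Constructed route table (not from the book). It contains a default route in
# the abbreviated "0 0" form, a /24 and an overlapping /16 so that the
# longest-prefix rule is visible.
SAMPLE_ROUTES = """\
route outside 0 0 192.168.1.2 1
route inside 10.1.1.0 255.255.255.0 172.30.1.1 1
route inside 10.1.2.0 255.255.255.0 10.1.1.20 2
route inside 10.1.0.0 255.255.0.0 172.30.1.1
"""


def parse_route(line):
    """Parse 'route interface_name ip_address netmask gateway_ip [metric]'."""
    parts = line.split()
    iface, dest, mask, gw = parts[1], parts[2], parts[3], parts[4]
    # The text states that a metric of 1 is assumed when it is omitted.
    metric = int(parts[5]) if len(parts) > 5 else 1
    # Either 0 or 0.0.0.0 may be written for the default route.
    dest = "0.0.0.0" if dest == "0" else dest
    mask = "0.0.0.0" if mask == "0" else mask
    return {"iface": iface,
            "net": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gw": gw,
            "metric": metric}


def parse_routes(config):
    return [parse_route(l) for l in config.splitlines() if l.startswith("route ")]


def lookup(routes, dst):
    """Return the most specific (longest prefix) route containing dst,
    or None when no route, not even a default, matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if ip in r["net"] and (best is None
                               or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dst in ("10.1.2.7", "10.1.9.1", "8.8.8.8"):
        r = lookup(table, dst)
        print(f"{dst} -> {r['iface']} via {r['gw']} ({r['net']}, metric {r['metric']})")
```

Note that 10.1.2.7 matches both the /16 and the /24 routes; the /24 wins because it is more specific, regardless of its higher metric, exactly as the text says.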
arp timeout Command

The arp timeout command is used to specify the time that an ARP entry remains in the ARP cache before it is flushed. The number shown is the time in seconds that an ARP entry remains in the cache. The default time is 14,400 seconds, or 4 hours. In the configuration, you change the default to 2 hours with the following:
arp timeout 7200
write Command

The write command works in the same way that the write command operates in a Cisco router. For those of you relatively new to Cisco equipment, this command has largely been replaced on routers with the copy command. The write command can take any of the following formats:
write net [[server_ip_address]:[filename]]
write erase
write floppy
write memory
write terminal
write standby
The write net command writes across a network to a Trivial File Transfer Protocol (TFTP) server with the filename specified. If no server IP address or filename is entered, the user is prompted. The write erase command clears the Flash memory configuration. The write floppy command writes the configuration to the floppy disk, if the PIX has a floppy. The write memory command stores the configuration in RAM memory. The write terminal command shows the current configuration on the terminal. The write standby command is used to write the configuration to the RAM memory of a failover or standby PIX.

At this point, you have completed a basic configuration. You are ready to move toward a more realistic situation, such as a network with a mail server and an FTP server.
Realistic Configuration

Although the basic configuration suffices to illustrate how simple it is to configure the PIX, there are a few more items that almost all systems need. Three examples are Web services, e-mail services, and FTP services. This configuration will show how access from the outside to the inside of the PIX can be allowed.

The default configuration for the PIX Firewall is to prevent all access from an interface with a lower security level through an interface with a higher security level. The configuration in this section shows how access can be allowed without losing security protection on the whole network subnet, or even on the hosts that you allow to be seen from the outside. Figure 4-6 shows the layout for this scenario. Note that the 192.168.1.0/24 network has been used on the interfaces between the PIX and the perimeter router. In real life, these should be routable IP addresses, because you need people on the Internet to be able to browse your Web server, download files from your FTP server, and send and receive from your e-mail server.

Figure 4-6. Realistic PIX Configuration
As shown in Figure 4-6, the interior router and the inside interface of the PIX are on a separate network. This is not mandatory. However, if there is a spare Ethernet interface on the interior router and plans to use a nat 0 command, using a spare interface on the inside router is advised, because the PIX will use ARP to a router for the address of each request. Repeated ARP requests can cause an excessive load on an overtaxed network. Connecting the PIX to a router's interface also ensures that all packets from and to the PIX are not delayed because of issues such as collisions and broadcast storms. Finally, the interior router can and should be configured with at least simple access lists to ensure that only authorized traffic is traversing the network. This might seem like too much trouble for some administrators. However, security should become a pervasive attitude throughout the network engineering staff. Having an extra layer of protection is never a waste of effort.

You now have three major design changes to make to your system. You must first allow WWW traffic to access the Web server, whose IP address is 10.1.1.30. This IP address needs to be statically translated to a routable address on the Internet. One of the easiest ways to keep track of static IP translations is to use the same last octet in both addresses. In the case of the Web server, you will use 30 as the last octet. The second change is to allow e-mail through to the mail server. The third change is to allow FTP traffic to the FTP server. All of these servers need a static translation because you cannot be guaranteed what host will be using a given outside IP address at any given time if you simply rely on the default NAT settings on the PIX and allow traffic into the LAN.

Issue a write erase command on the PIX. This erases the saved configuration. Turn the PIX power off and then back on to arrive at a clean state. Enter the following commands while in enable mode on the PIX. This section covers each change after the lines are entered. Again, the lines are separated for clarity.
enable password enablepass encrypted
passwd password encrypted

nameif ethernet0 outside security0
nameif ethernet1 inside security100

interface ethernet0 10baset
interface ethernet1 10baset

ip address outside 192.168.1.1 255.255.255.0
ip address inside 172.30.1.2 255.255.255.252

global (outside) 1 192.168.1.50-192.168.1.253 255.255.255.0
global (outside) 1 192.168.1.254 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0

static (inside, outside) 192.168.1.30 10.1.1.30 netmask 255.255.255.255 0 0
static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0
static (inside, outside) 192.168.1.49 10.1.1.49 netmask 255.255.255.255 0 0

conduit permit tcp host 192.168.1.30 eq http any
conduit permit tcp host 192.168.1.35 eq ftp any
conduit permit tcp host 192.168.1.49 eq smtp any

route outside 0 0 192.168.1.2 1
route inside 10.1.1.0 255.255.255.0 172.30.1.1 1

arp timeout 7200
write mem

There are only a few changes from the basic configuration. You first changed the inside IP address to reflect the separate network between the PIX and the interior router. The two global commands shown next assign both NAT and PAT to be used by the inside hosts. Because you used a range of IP addresses, the first global command allows for each host on the LAN to get a dynamically assigned global address, or NAT. Once all of the available global IP addresses are in use, any hosts attempting to connect to the outside will use PAT. The second global line is critical because it assigns one address for use with PAT. If a single address is not reserved for use by PAT, hosts will simply not be able to get through the PIX. The users will think that the Internet connection has been dropped, because they will receive no indication of a problem other than a lack of connection.
You might wonder why the range of IP addresses starts at 50 in the first global command. This allows servers to have static IP addresses. The number 50 was arbitrarily chosen. Whatever number is chosen, ensure that there are sufficient reserved IP addresses for all servers on the network. You could have also reserved a set of IP addresses on the upper end of the network. The inside and outside routes were also changed to reflect the network as shown in Figure 4-6.

You are now actually ready to allow users on the Internet to access your e-mail, FTP, and Web services. Setting up to allow e-mail to traverse the PIX requires a few new commands. This replaces the mailhost command in previous versions of the PIX. These commands are covered later in this section. Enter the following lines into the PIX configuration.
static (inside, outside) 192.168.1.49 10.1.1.49 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.1.49 eq smtp any

That is all that is required to allow SMTP packets to traverse the PIX to the server with the 10.1.1.49 IP address. Users outside the PIX will see this server as 192.168.1.49. Packets sent to 192.168.1.49 will have NAT applied to them and will be forwarded to 10.1.1.49. Only the SMTP commands HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT are allowed through the PIX. The response to all other SMTP commands is an OK packet from the PIX. You added two new commands here, the static and the conduit commands. Each of them will be examined before moving on to the FTP and Web servers.
static Command

The static command is actually a very simple command once you are familiar with it. The purpose of the static command is to apply NAT to a single host with a predefined IP address. The syntax is as follows:
static [(internal_interface, external_interface)] global_ip local_ip [netmask subnet_mask] [max_connections [em_limit]] [norandomsequence]

The internal_interface and external_interface are names defined by the nameif command. The global_ip is the IP address seen on the outside, after NAT has been applied. The local_ip is the IP address used on the local host before NAT is applied. The subnet_mask should always be 255.255.255.0 when applied to a single host. If a network is being assigned to a single address, use the subnet mask for the network. For example, if you want the whole 10.1.4.0 network to be translated using PAT to 192.168.1.4, you use the following line:
static (inside, outside) 192.168.1.4 10.1.4.0 netmask 255.255.255.0 0 0

In this case, you also need to associate an access list with the conduit command. This will be covered under a more advanced configuration entitled "Dual DMZ with AAA Authentication" later in this chapter.

The max_connections and em_limit (embryonic limit) work in the same manner as with the global command. Using the no form of the command removes the static command. Using a show static command displays all of the statically translated addresses.

The static command is simple if you remember the order in which interface names and IP addresses appear. The order is:
static (high, low) low high

In other words, the name of the interface with the higher security level is shown first within the parenthesis, followed by the name of the lower security level interface and a closing parenthesis. This is followed by the IP address as seen on the lower security interface, then the IP address as seen on the higher security level interface. The authors remember this with the phrase "high, low, low, high." When you start looking at PIX Firewalls using one or more DMZs, the principle will hold true. Because every interface must have a unique security level, one interface must be more trusted than the other. You will still place the name of the interface with the higher security level first, followed by the less trusted interface name inside the parenthesis. Outside the parenthesis, you will show the IP address as seen on the lower security level interface, followed by the IP address as seen on the higher security level interface. If you choose to use nat 0 to avoid translating the IP address, you still use "high, low, low, high," but the IP addresses are the same for the global and local IP. The following is an example for when you do not use NAT on the IP address:
static (inside, outside) 10.1.1.49 10.1.1.49 netmask 255.255.255.255 0 0
conduit Command

The conduit command is necessary to allow packets to travel from a lower security level to a higher security level. The PIX Firewall allows packets from a higher security level to travel to a lower security level. However, only packets in response to requests initiated on the higher security level interface can travel back through from a lower security level interface. The conduit command changes this behavior. By issuing a conduit command, you are opening a hole through the PIX to the host that is specified for certain protocols from specified hosts. The conduit command acts very much like adding a permit statement to an access list. The default behavior of the PIX is to act as if there were a deny all access list applied. Because you must allow e-mail to reach your server, you need to use the conduit command. The rule for access from a higher security level interface to a lower security level interface is to use the nat command. For access from a lower security level interface to a higher security level interface, use the static and conduit commands. As with any opening into the corporate network, this opening should be as narrow as possible. The following allows any host on the Internet to send mail to the host:

conduit permit tcp host 192.168.1.49 eq smtp any

If you wish to limit the originating IP address for e-mail, you could simply add an IP address and network mask to the end of the preceding line. You are allowed to have as many conduit statements as required. The following example allows SMTP traffic to enter the network from one of three networks, two with Class C subnets and the final one with a Class B subnet:
conduit permit tcp host 192.168.1.49 eq smtp 10.5.5.0 255.255.255.0
conduit permit tcp host 192.168.1.49 eq smtp 10.15.6.0 255.255.255.0
conduit permit tcp host 192.168.1.49 eq smtp 10.19.0.0 255.255.0.0

The combination of the static declaration and the conduit command can allow FTP traffic through your network. You have allowed FTP traffic to the FTP server with the following two lines:
static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.1.35 eq ftp any

It is possible to have multiple conduit commands associated with a single IP address. For example, the following lines allow SMTP, FTP, and HTTP services to gain access to a single server:
static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.1.35 eq ftp any
conduit permit tcp host 192.168.1.35 eq http any
conduit permit tcp host 192.168.1.35 eq smtp any

Notice that there is a single static statement for the host. Although some versions of the PIX IOS will allow you to enter multiple static commands for a single address, only the first static command is used. The PIX only allows the use of the host in the first static command. If you are using multiple conduit commands, you might deny some networks while allowing others. Alternatively, you might allow traffic from some networks, but not from others. In the following example, you deny FTP traffic from the 10.5.1.0/24 network, while allowing traffic from all other networks:
static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0
conduit deny tcp host 192.168.1.35 eq ftp 10.5.1.0 255.255.255.0
conduit permit tcp host 192.168.1.35 eq ftp any
Remote Site Configuration

At this point, you have a configuration that allows the main office to communicate through the Internet. You allowed access to the Web, FTP, and mail servers. What you do not have is access from the remote sites in Manchester and Seattle. The reason you do not have access is that the nat statement only applies to the Chicago LAN. You can easily add access to the Seattle and Manchester offices by adding the following lines:
nat (inside) 1 10.2.1.0 255.255.255.0 0 0
nat (inside) 1 10.3.1.0 255.255.255.0 0 0
route inside 10.2.1.0 255.255.255.0 172.30.1.1 1
route inside 10.3.1.0 255.255.255.0 172.30.1.1 1
The next configuration adds a DMZ and allows configuration of the PIX through something other than the console. The configuration also enables SNMP, a syslog server, and URL filtering.
Single DMZ Configuration

This configuration moves the FTP, Web, and e-mail servers to a DMZ. All traffic destined for these servers will not touch the LAN. When using a DMZ, it is critical that no connection between the LAN and the DMZ be maintained except through the PIX Firewall. Connecting the LAN to the DMZ in any way except through the firewall defeats the purpose of the DMZ. Figure 4-7 shows that a third interface has been added to the PIX. This interface will be used as a DMZ.

Figure 4-7. Single DMZ Configuration

The configuration will need a few changes from the previous one. Look through the following configuration. This section will discuss where changes have been made and the ramifications of those changes after the configuration. As before, the blank lines are for clarity.
hostname pixfirewall
enable password enablepass encrypted
passwd password encrypted

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 public security 50

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

ip address outside 192.168.1.1 255.255.255.0
ip address inside 172.30.1.2 255.255.255.252
ip address public 192.168.2.1 255.255.255.0

fixup protocol http 80
fixup protocol http 10120
fixup protocol http 10121
fixup protocol http 10122
fixup protocol http 10123
fixup protocol http 10124
fixup protocol http 10125
fixup protocol ftp 21
fixup protocol ftp 10126
fixup protocol ftp 10127

snmp-server community ourbigcompany
snmp-server location Seattle
snmp-server contact Mark Newcomb Andrew Mason
snmp-server host inside 10.1.1.74
snmp-server enable traps

logging on
logging host 10.1.1.50
logging trap 7
logging facility 20
no logging console

telnet 10.1.1.14 255.255.255.255
telnet 10.1.1.19 255.255.255.255
telnet 10.1.1.212 255.255.255.255

url-server (inside) host 10.1.1.51 timeout 30
url-server (inside) host 10.1.1.52
filter url http 0 0 0 0

global (outside) 1 192.168.1.50-192.168.1.253 255.255.255.0
global (outside) 1 192.168.1.254 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (inside) 1 10.2.1.0 255.255.255.0 0 0
nat (inside) 1 10.3.1.0 255.255.255.0 0 0
nat (public) 1 192.168.2.1 255.255.255.0 0 0

static (public, outside) 192.168.1.30 192.168.2.30
static (public, outside) 192.168.1.35 192.168.2.35
static (public, outside) 192.168.1.49 192.168.2.49

conduit permit tcp host 192.168.1.30 eq http any
conduit permit tcp host 192.168.1.35 eq ftp any
conduit permit tcp host 192.168.1.49 eq smtp any
conduit permit tcp any eq sqlnet host 192.168.1.30

route outside 0 0 192.168.1.2 1
route inside 10.1.1.0 255.255.255.0 172.30.1.1 1
route inside 10.2.1.0 255.255.255.0 172.30.1.1 1
route inside 10.3.1.0 255.255.255.0 172.30.1.1 1
route public 192.168.2.0 255.255.255.0 192.168.2.1

arp timeout 7200
clear xlate
write mem

The hostname command has been added as the first line in this configuration. This merely identifies the host when you Telnet in for configuration. You add a new interface, name it public, and assign a security level of 50 with the following line:
nameif ethernet2 public security 50

Because the security level of this interface is less than the inside and greater than the outside, some default behaviors come into play. By default, packets from the outside interface are not allowed into this network. Packets from the inside are, by default, allowed into this network. You also changed the speeds for all of the interfaces. You are now using the keyword auto with the interface command. This allows the interface to connect in whatever form is most appropriate, based on the equipment to which it is connected. You added an IP address for the new network card and a subnet mask for the network.
fixup Command

Several fixup commands were entered. Some fixup commands appear in the configuration by default; others are added as needed. The fixup protocol commands allow changing, enabling, and disabling the use of a service or protocol through the PIX Firewall. The ports specified for each service are listened to by the PIX Firewall. The fixup protocol command causes the ASA to work on port numbers other than the defaults. The following fixup protocol commands are enabled by default:
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
You added the following lines regarding the HTTP protocol:
fixup protocol http 10120
fixup protocol http 10121
fixup protocol http 10122
fixup protocol http 10123
fixup protocol http 10124
fixup protocol http 10125
These lines accomplish a very specific task. When HTTP traffic is seen by the PIX, it can now be on any of the previously listed ports. Before these lines were entered, the PIX would have seen what looked like HTTP traffic entering the PIX. Because the destination port was set to something other than the default of 80, that traffic would be denied. For example, if an outside user tried to connect to the Web server with the following URL, the user would be denied:

http://www.ourcompany.com:10121
The reason for the denial is that the :10121 at the end of the URL specifies that the connection should be made on port 10121, rather than on the default port of 80. The Web developers have specific reasons for wanting to allow users to connect to these ports. The configuration allows the users to connect with these ports, and you still maintain the same safeguards regarding HTTP traffic that are true for port 80.

Similarly, the developers have specific reasons for wanting to change the defaults. The developers decided that users requiring FTP access should be able to gain access through the default port of 21 or ports 10126 and 10127. You have no idea why they want to do this, nor do you really care. What you care about is that you can open these ports to FTP traffic, and only FTP traffic, without compromising the network security. To accomplish this, you add the following lines:
fixup protocol ftp 21
fixup protocol ftp 10126
fixup protocol ftp 10127

It should be noted that the fixup protocol command is global in nature. For example, when you told the PIX that port 10121 was part of the HTTP protocol, this applied to all interfaces. You cannot selectively cause port 10121 to be regarded as HTTP traffic on one interface, but not on another interface.

There might be times when it is necessary to disable one of the default fixup protocol commands. For example, your company might develop e-mail software and use the PIX to separate the test network from the corporate network. In this case, you might want to allow more commands than HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT to travel through the PIX. Using the no form of the fixup protocol command will disable the feature. An example of removing the Mailguard feature is as follows:
no fixup protocol smtp 25
SNMP Commands

You add SNMP to the PIX because you want to be informed when errors occur. You can browse the System and Interface groups of MIB-II. All SNMP values within the PIX Firewall are read-only (RO) and do not support browsing (SNMPget or SNMPwalk) of the Cisco syslog Management Information Base (MIB). Traps are sent to the SNMP server. In other words, SNMP can be used to monitor the PIX but not for configuring the PIX. The syntax for the commands is essentially the same as when working on a Cisco router. The following lines set the community string, the location, the contact, and the interface and IP address of the SNMP server. Because you have specified inside on the snmp-server host command, the PIX knows which interface to send SNMP traps out without the need for a specific route to this host.
snmp-server community ourbigcompany
snmp-server location Seattle
snmp-server contact Mark Newcomb Andrew Mason
snmp-server host inside 10.1.1.74
logging Commands

The following logging commands allow you to use a syslog server for recording events. These commands are similar to those used on a Cisco router. The logging on command is used to specify that logging will occur. The logging host command is what actually starts the logging process on the host at 10.1.1.50. The logging trap command sets the level of logging to be recorded, which is all events with a level of 7. Finally, the no logging console command is used to prevent the log messages from appearing on the console. For this to work, the PIX must know how to find the host at 10.1.1.50. Ensure that a route to this host exists.
logging on
logging host 10.1.1.50
logging trap 7
logging facility 20
no logging console
telnet Command

You added three lines to allow access to the PIX Firewall through Telnet in addition to the console port access. This is a major convenience and a major security risk. There are three reasons that we consider Telnet access a risk. The first is that Telnet limits access based on the IP address. It is very easy for a user to change the IP address on a computer, especially if the user is using an operating system such as Windows 95. This allows the possibility of a user gaining access where the user should not be able to gain access. The second concern regarding security is that, as hard as you may try to prevent it, you cannot always be sure that a user walking away from a desk will lock the terminal. Password-protected screensavers help minimize the issue, but they cannot completely resolve it. Because the PIX forms the corporation's major defense from outside intrusion, it is critical that access is limited as much as possible. The third concern regarding Telnet access is a misunderstanding on how it should be configured. This third issue is covered in this section, after examining the commands entered.
telnet 10.1.1.14 255.255.255.255
telnet 10.1.1.19 255.255.255.255
telnet 10.1.1.212 255.255.255.255

In the preceding lines, you specified a subnet mask of 32 bits for each of these IP addresses. Entering 255.255.255.255 is optional, because an IP address without a subnet mask is assumed to have a 32-bit mask associated with that address. The subnet mask used on the telnet command is the mask for those who should have access to the PIX, not the subnet mask for the network. Approximately 50 percent of the PIX Firewalls the authors of this book have examined have been incorrectly configured with the subnet mask of the LAN. In these cases, any user on the LAN can Telnet to the PIX Firewall. If one of these users is able to guess the password, the user can control the PIX. In the configuration section "Dual DMZ with AAA Authentication" later in this chapter, you will see how to use authentication, authorization, and accounting (AAA) services to ensure that unauthorized users cannot Telnet to the PIX Firewall.
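The LAN-mask mistake described above is easy to catch mechanically. The following script is an added example, not code from the book or from Cisco: it parses the telnet lines of a saved PIX configuration, treats a missing mask as 255.255.255.255 as the chapter states the PIX does, and reports every entry whose mask admits more than one host. The sample configuration is constructed for the example; its last line is the deliberately wrong LAN-mask entry.

```python
"""Audit the telnet lines of a PIX configuration for over-broad masks.

Added example (not from the book): the chapter warns that a telnet line
carrying the LAN's subnet mask lets every LAN host reach the PIX. This
script parses 'telnet ip [mask]' lines and reports any entry that admits
more than one host.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample configuration: the chapter's three host entries plus
# one deliberately wrong entry that uses the LAN mask instead of /32.
SAMPLE_CONFIG = """\
hostname pixfirewall
telnet 10.1.1.14 255.255.255.255
telnet 10.1.1.19 255.255.255.255
telnet 10.1.1.212
telnet 10.2.1.0 255.255.255.0
"""

HOST_MASK = "255.255.255.255"


def parse_telnet_lines(config: str) -> List[Tuple[str, str]]:
    """Return (ip, mask) pairs for every 'telnet ip [mask]' line.

    A missing mask is treated as 255.255.255.255, which is what the PIX
    assumes when no mask is given.
    """
    entries: List[Tuple[str, str]] = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "telnet":
            continue
        mask = parts[2] if len(parts) > 2 else HOST_MASK
        entries.append((parts[1], mask))
    return entries


def audit_telnet(config: str) -> List[Dict[str, object]]:
    """Flag telnet entries whose mask admits more than a single host."""
    findings: List[Dict[str, object]] = []
    for ip, mask in parse_telnet_lines(config):
        # strict=False so a host address with a short mask still parses;
        # the resulting network is the range the PIX would actually match.
        net = ipaddress.IPv4Network((ip, mask), strict=False)
        if net.prefixlen < 32:
            findings.append({
                "line": f"telnet {ip} {mask}",
                "network": str(net),
                "hosts_admitted": net.num_addresses,
            })
    return findings


if __name__ == "__main__":
    for f in audit_telnet(SAMPLE_CONFIG):
        print(f"over-broad telnet entry: {f['line']} admits "
              f"{f['hosts_admitted']} addresses ({f['network']})")
```

Run against a real configuration dump, an empty result is what you want; anything reported should be narrowed to the administrators' individual host addresses.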
URL Filtering

You added URL filtering for monitoring, reporting, and restricting URL access. Cisco Systems and Websense, Inc. have formed a partnership for joint marketing and coordination of technical information on a product called Websense, which is used to control the sites that users are allowed to access. For example, web sites classified as employment or violent can be blocked. Instructions on ordering Websense are included in the documentation of every PIX Firewall. The PIX Firewall configuration for enabling URL filtering is very simple. The following three lines show the configuration. The first line tells the PIX to allow or block URL access based on the information received from the Websense server on the inside interface at the 10.1.1.51 IP address. Should a response to a request not be received within the timeout parameter of 30 seconds shown on this line, the next Websense server will be queried. The default timeout is 5 seconds. The second line shows the failover Websense server, which is also the Web server on the public interface. The third line defines that all HTTP requests will be watched. Multiple filter commands can be combined to refine what is monitored. The full syntax of the filter command will be shown after the command lines.

url-server (inside) host 10.1.1.51 timeout 30
url-server (public) host 192.168.2.30
filter url http 0 0 0 0

The full syntax of the filter command is as follows:

filter [activex http url] | except local_ip local_mask foreign_ip foreign_mask [allow]

The definitions of the parameters can be found in Table 4-1.

Table 4-1. filter Command Parameters

Command       Description
activex       Blocks outbound ActiveX, Java applets, and other HTML object tags from outbound packets.
url           Filters URL data from moving through the PIX.
http          Filters HTTP URLs.
except        Creates an exception to a previously stated filter condition.
local_ip      The IP address before NAT (if any) is applied. Use 0 for all IP addresses.
local_mask    The subnet mask of the local IP. Use 0 if 0 is used for the IP address.
foreign_ip    The IP address of the lower security level host or network. Use 0 for all foreign IP addresses.
foreign_mask  The subnet mask of the foreign IP. Use 0 if the foreign IP is 0.
allow         When a server is unavailable, this lets outbound connections pass through the PIX without filtering.
Additional Single-DMZ Configuration Considerations

The remaining changes to this configuration involve commands that were previously examined in this chapter. You added a new nat statement with the interface set as public to allow for translation of the public DMZ to global addresses. This eliminates the chance that anyone from the outside will see any traffic on the inside network. You can use NAT on all of the public hosts and add them to the common global pool. The command used is as follows:

nat (public) 1 192.168.2.1 255.255.255.0 0 0

Next, you change the static NAT for the Web, FTP, and e-mail servers from the inside interface to the public interface. The new lines read:

static (public, outside) 192.168.1.30 192.168.2.30
static (public, outside) 192.168.1.35 192.168.2.35
static (public, outside) 192.168.1.49 192.168.2.49

If you were using the previous configuration, you would have needed to remove the old static translations using the no form of the static command. You also added a new conduit statement. This statement allows any Oracle database traffic from the Web server on the public interface to enter into your inside LAN. The PIX Firewall uses port 1521 for SQL*Net. This is also the default port used by Oracle for SQL*Net, despite the fact that this value does not agree with Internet Assigned Numbers Authority (IANA) port assignments. Because the Web server has a database running in the background, you need to allow traffic from this Web server to enter into the LAN and talk to the Oracle database servers. These tasks are accomplished with the following lines:

conduit permit tcp host 192.168.1.30 eq http any
conduit permit tcp host 192.168.1.35 eq ftp any
conduit permit tcp host 192.168.1.49 eq smtp any
conduit permit tcp any eq sqlnet host 192.168.1.30

You also added a few new route statements. You added routes for both the Seattle and Manchester networks as well as the public network. Finally, you made sure that the NAT changes would occur by issuing a clear xlate command and then writing the configuration.
Dual DMZ with AAA Authentication

This section introduces AAA authorization and creates two DMZs. Chapter 10 deals extensively with AAA. This section focuses on the PIX configuration aspects of AAA. This section also introduces a failover PIX and access lists into this configuration. Figure 4-8 shows how this network is configured. Notice that there are two PIX Firewalls, a primary and a failover. Should the primary PIX fail, the failover PIX takes over all of the duties of the primary PIX. You also have two DMZs, the public and the accounting DMZs. The accounting DMZ is used for clients on the Internet to access the accounting data for the services.

Figure 4-8. Dual DMZ Configuration

Although there is a failover cable that connects the serial ports on the firewalls, you also added a hub on the inside interfaces to allow connectivity between the firewalls and the interior router in order to save interfaces on the interior router. You did the same between the outside interfaces of the firewalls and the exterior router. Both PIX Firewalls must have connectivity to both DMZs for the failover PIX to operate correctly, should the primary fail. The configuration of the primary PIX follows. This section discusses the changes made to this configuration after the listing. The blank lines were added for clarity.
hostname pixfirewall
enable password enablepass encrypted
passwd password encrypted

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 public security 50
nameif ethernet3 accounting security 60

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto

ip address outside 192.168.1.1 255.255.255.0
ip address inside 172.30.1.2 255.255.255.248
ip address public 192.168.2.1 255.255.255.0
ip address accounting 10.200.200.1 255.255.255.0

fixup protocol http 80
fixup protocol http 10120
fixup protocol http 10121
fixup protocol http 10122
fixup protocol http 10123
fixup protocol http 10124
fixup protocol http 10125
fixup protocol ftp 21
fixup protocol ftp 10126
fixup protocol ftp 10127

failover active
failover link failover

no rip inside passive
no rip outside passive
no rip public passive
no rip accounting passive
no rip inside default
no rip outside default
no rip public default
no rip accounting default

pager lines 24

aaa-server TACACS+ (inside) host 10.1.1.41 thekey timeout 20
aaa authentication include any outbound 0 0 0 0 TACACS+
aaa authorization include any outbound 0 0 0 0 TACACS+
aaa accounting include any outbound 0 0 0 0 TACACS+
aaa authentication serial console TACACS+

snmp-server community ourbigcompany
snmp-server location Seattle
snmp-server contact Mark Newcomb Andrew Mason
snmp-server host inside 10.1.1.74
snmp-server enable traps

logging on
logging host 10.1.1.50
logging trap 7
logging facility 20
no logging console

outbound limit_acctg deny 10.200.200.0 255.255.255.0
outbound limit_acctg except 10.10.1.51
outbound limit_acctg permit 10.200.200.66
outbound limit_acctg permit 10.200.200.67
apply (accounting) limit_acctg outgoing_dest

access-list acct_pub permit host 10.200.200.52
access-list acct_pub deny 10.200.200.0 255.255.255.0
access-group acct_pub in interface public

telnet 10.1.1.14 255.255.255.255
telnet 10.1.1.19 255.255.255.255
telnet 10.1.1.212 255.255.255.255

url-server (inside) host 10.1.1.51 timeout 30
url-server (inside) host 10.1.1.52
filter url http 0 0 0 0

global (outside) 1 192.168.1.50-192.168.1.253 255.255.255.0
global (outside) 1 192.168.1.254 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (inside) 1 10.2.1.0 255.255.255.0 0 0
nat (inside) 1 10.3.1.0 255.255.255.0 0 0
nat (public) 1 192.168.2.1 255.255.255.0 0 0
nat (accounting) 0 0 0
static (public, outside) 192.168.1.30 192.168.2.30
static (public, outside) 192.168.1.35 192.168.2.35
static (public, outside) 192.168.1.49 192.168.2.49

conduit permit tcp host 192.168.1.30 eq http any
conduit permit tcp host 192.168.1.35 eq ftp any
conduit permit tcp host 192.168.1.49 eq smtp any
conduit permit tcp any eq sqlnet host 192.168.1.30

route outside 0 0 192.168.1.2 1
route inside 10.1.1.0 255.255.255.0 172.30.1.1 1
route inside 10.2.1.0 255.255.255.0 172.30.1.1 1
route inside 10.3.1.0 255.255.255.0 172.30.1.1 1
route public 192.168.2.0 255.255.255.0 192.168.2.1
route accounting 10.200.200.0 255.255.255.0 10.200.200.1 1

arp timeout 7200
mtu inside 1500
mtu outside 1500
mtu public 1500
mtu accounting 1500

clear xlate
write mem
write standby

The first change made to this configuration is the added nameif command for the accounting DMZ, assigning a security level of 60. The next change is that you enabled this interface with the interface command. You then assigned an IP address to the interface. Next, you configured the failover parameters.
failover Commands

The failover commands are relatively simple to use. Before discussing the commands, this section takes a few moments and discusses the requirements for a failover PIX, how the primary and secondary PIX are connected, and how the failover PIX is configured. When purchasing a PIX, consider purchasing a failover PIX at the same time. When both are purchased together, there is a significant price reduction on the failover unit. Because the PIX is generally used as the primary device protecting your network, it usually makes sense from both service and fiscal points of view to make this a redundant system.

For a PIX to failover to another PIX after failure, both firewalls must have identical hardware and identical software versions. There is a proprietary cable made specifically for connecting between PIX Firewalls. On the back of each PIX is a port labeled failover. The cable ends are labeled primary and secondary. Once the primary PIX is configured, turn the secondary PIX's power off. Connect the cable, and restore power to the secondary PIX. After a few seconds, the secondary PIX acquires a copy of the configuration on the primary PIX. Should the primary PIX fail, the secondary PIX starts establishing connections. However, any connections that exist when the primary PIX fails are dropped and need to be reestablished. After the secondary PIX is powered on with the failover cable connected, changes should only be made to the primary PIX. One limitation of the failover system on the PIX is the length of the failover cable. The length of the cable cannot be extended, and the cable is required to be used. Therefore, you cannot use a primary PIX in one physical location and the secondary PIX in another location.

The first command used is the failover active command. This command, like all commands, should only be entered on the primary PIX. This command establishes that failover is configured and that the present PIX is the primary PIX. Using the no form of this command forces the current PIX to become the secondary PIX. The second command shown is the failover link command. You have specified that the port used for the failover is the failover port. There is one more command used regarding failover. This command, write standby, is shown at the bottom of the configuration. The write standby command should be used after each time the configuration is changed. This causes the secondary PIX to receive a copy of the current configuration.
Understanding Failover

The failover features of the PIX are similar to those used with the Hot Standby Router Protocol (HSRP) in that the standby device remains inactive until the primary device fails. The standby device, on activation, assumes the IP and Media Access Control (MAC) address of the primary unit. Likewise, the previously active device assumes the IP and MAC addresses of the formerly standby device. Because network devices do not see any change in these addresses, no new ARP entries need to be made on the hosts using the PIX Firewall.

Starting with the PIX IOS 5.0 software release, stateful failovers are supported. Prior to this release, the PIX did not maintain a copy of the connection state in the standby unit. When the primary device failed, network traffic needed to reestablish previous connections. Stateful failovers overcome this issue by passing data about the state of connections between the primary and the standby devices within state update packets. A single packet traversing the PIX can establish a new connection state. Because each connection state changes on a per-packet basis, every packet received by the currently active device requires a state update packet to be relayed to the inactive device. Although this process works very well, there are some latency-sensitive applications that will time out before the failover process is completed. In these cases, a new session will need to be established. IP states are supported, as are TCP states, except those using HTTP. Almost no UDP state tables are transferred between the active and standby devices. Exceptions to this include dynamically opened ports used with multichannel protocols, such as H.323. Because DNS resolves use a single channel port, the state of DNS requests is not transferred between devices.

A dedicated LAN interface between the two PIX devices is required to achieve stateful failover. State update packets are transmitted asynchronously in the background from the active device to the standby device over the dedicated LAN interface. There are also a few configuration changes required when using stateful failover. These changes are covered in the section "Stateful Failover Configuration."

Several criteria are considered before a failover occurs. If the standby device detects that the active device is powered down, the standby device will take active control. If the failover cable is unplugged, a syslog entry is generated, but both devices maintain their present state. An exception to this is during the boot process. Should the failover cable be unplugged while the devices are booting, both devices will assume the same IP address, causing a conflict on your network. Even if you are configuring the PIX Firewalls for stateful failover using a dedicated LAN interface, the failover cable must be installed on both devices for failover to function properly. Failover hello packets are expected on each interface every 15 seconds. When the standby device does not receive a failover hello packet within 30 seconds, the interface runs a series of tests to establish the state of the active device. If these tests do not reveal that the active device is present, the standby device assumes the active role. A power failure on the active device is detected through the failover cable within 15 seconds. In this case, the standby device assumes the active role. A disconnected or damaged failover cable is detected within 15 seconds.
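The detection rules above combine two independent paths (per-interface hellos, and the failover cable) with different timers, which makes the takeover delay depend on how the active unit failed. The following simulation is an added example, not from the book or from Cisco: it models a standby unit's decision logic using only the figures the chapter gives (hellos every 15 seconds per interface, interface tests after 30 seconds without a hello, power loss seen through the cable within 15 seconds). The "cable reports power" signal and the boolean result of the interface tests are modelling assumptions standing in for what the real hardware does.

```python
"""Model of the PIX failover detection timers described in this section.

Added example, not from the book: a small simulation of the standby unit's
decision logic using the chapter's figures. The cable "power ok" signal
and the pass/fail outcome of the interface tests are modelling assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HELLO_INTERVAL = 15.0       # seconds between expected hello packets per interface
HELLO_TIMEOUT = 30.0        # no hello for this long: run the interface tests
CABLE_POWER_TIMEOUT = 15.0  # power loss on the active unit is seen via the cable within 15 s


@dataclass
class StandbyUnit:
    interfaces: List[str]
    last_hello: Dict[str, float] = field(default_factory=dict)
    last_cable_ok: float = 0.0
    role: str = "standby"
    log: List[str] = field(default_factory=list)

    def receive_hello(self, iface: str, now: float) -> None:
        self.last_hello[iface] = now

    def cable_reports_power(self, now: float) -> None:
        self.last_cable_ok = now

    def stale_interfaces(self, now: float) -> List[str]:
        """Interfaces that have gone HELLO_TIMEOUT seconds without a hello."""
        return [i for i in self.interfaces
                if now - self.last_hello.get(i, float("-inf")) >= HELLO_TIMEOUT]

    def evaluate(self, now: float, active_passes_tests: bool) -> str:
        """Decide whether to take the active role at time `now`."""
        if self.role == "active":
            return self.role
        # Cable path: power loss on the active unit is detected within 15 s.
        if now - self.last_cable_ok >= CABLE_POWER_TIMEOUT:
            self.log.append(f"t={now:.0f}: power loss seen on failover cable, taking over")
            self.role = "active"
            return self.role
        # Hello path: 30 s without a hello triggers the interface tests; only a
        # test result showing the active unit absent leads to a takeover.
        stale = self.stale_interfaces(now)
        if stale and not active_passes_tests:
            self.log.append(f"t={now:.0f}: no hello on {stale}, tests show active absent, taking over")
            self.role = "active"
        elif stale:
            self.log.append(f"t={now:.0f}: no hello on {stale}, tests show active present, staying standby")
        return self.role


def run_scenario(hello_stop_after: float, cable_stays_up: bool,
                 active_passes_tests: bool, horizon: float = 120.0) -> Tuple[str, Optional[float]]:
    """Step a standby unit through time in HELLO_INTERVAL ticks.

    Hellos (and, if the active unit lost power, the cable signal) stop after
    `hello_stop_after` seconds. Returns (final role, time of takeover or None).
    """
    unit = StandbyUnit(["outside", "inside"])
    takeover_at: Optional[float] = None
    t = 0.0
    while t <= horizon:
        if t <= hello_stop_after:
            for iface in unit.interfaces:
                unit.receive_hello(iface, t)
        if cable_stays_up or t <= hello_stop_after:
            unit.cable_reports_power(t)
        if unit.evaluate(t, active_passes_tests) == "active" and takeover_at is None:
            takeover_at = t
        t += HELLO_INTERVAL
    return unit.role, takeover_at


if __name__ == "__main__":
    print("healthy:", run_scenario(float("inf"), True, True))
    print("interface fault, active still powered:", run_scenario(30.0, True, False))
    print("active unit loses power:", run_scenario(30.0, False, False))
    print("hellos lost but tests find active present:", run_scenario(30.0, True, True))
```

The point the simulation makes visible is that a power failure is taken over in about 15 seconds via the cable, whereas a dead interface on a still-running active unit takes 30 seconds plus the interface tests, and if those tests still find the active unit the standby does nothing at all.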
Stateful Failover Configuration

Only a few commands need to be added to a configuration to enable stateful failover. The following is a partial configuration, showing the commands necessary to enable stateful failover. After the configuration, the commands are discussed.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security 60
ip address outside 192.168.1.1 255.255.255.0
ip address inside 172.30.1.1 255.255.255.0
ip address failover 10.200.200.1 255.255.255.0
failover active
failover ip address outside 192.168.1.2
failover ip address inside 172.30.1.2
failover ip address failover 10.200.200.2
failover link failover

Notice that the interfaces are named failover, and a security level is assigned to the interface with the nameif command. You could have named this interface anything, but for clarity, it is named failover here. This is the interface you will be using to transfer state update packets between the active and the standby devices. After assigning IP addresses and netmasks to each of the interfaces, you are ready to start on the failover commands. Start failover with the failover active command. Next, use the failover ip address command on all of the interfaces. When using the failover ip address command, you need to remember two things. First, every interface needs the failover ip address command entered for that interface. If an interface does not have an associated failover ip address command and the state of that interface is changed to down, failover will not occur. For example, if you did not add the failover ip address command for the outside interface and the cable connecting that interface broke, all data intended to travel through that interface will be lost. This defeats the purpose of having a failover device, because a failover device should allow all services to continue after the primary device has failed. Additionally, because both devices must have the same hardware installed, there is no reason not to enable failover to check all interfaces. The second item that you need to remember is that the failover ip address needs to be on the same subnet but with a different IP address than that to which the interface is set. The final configuration required is to assign a dedicated interface to failover. Using the failover link command with the interface name assigned by the nameif command, Ethernet2 has been assigned as the failover interface in this example.
rip Commands

You added commands to disable RIP on all interfaces. Notice that each interface has two lines associated with that interface: a no rip interface_name passive and a no rip interface_name default command. Each one of these commands accomplishes a different objective. The no rip interface_name passive command causes the PIX to stop listening to RIP updates. The no rip interface_name default command causes the PIX to stop broadcasting known routes through RIP. RIPv1 and RIPv2 are both available on the PIX through the rip command. Use the no form of the rip command to disable a portion of RIP. Use the show rip command to show the current RIP entries and the clear rip command to clear RIP tables. The full syntax of this command is:

rip interface_name default | passive [version [1 | 2]] [authentication [text | md5 key (key_id)]]

The parameters and keyword meanings are listed in Table 4-2.

Table 4-2. rip Command Parameters

Command         Description
interface_name  The interface to which this command should be applied.
default         Broadcasts a default route on the interface.
passive         Enables passive RIP (listening mode) and propagates the RIP tables based on these updates.
version         RIP version 1 or 2. Version 2 must be used if encryption is required.
authentication  Enables RIP version 2 authentication.
text            Sends RIP updates as clear text. This is not a recommended option.
md5             Sends RIP update packets using MD5 encryption. Version 2 only.
key             This is the key used to encrypt RIP updates for version 2.
key_id          The key identification value. Both sides must use the same key. Version 2 only.
pager lines Command

The pager lines command specifies how many lines are shown when a show config command is issued before a more prompt appears. Although this can be set to almost any value, 24 works well when using standard Telnet applications.
AAA Commands

You have enabled AAA using Terminal Access Controller Access Control System Plus (TACACS+) on your PIX for authenticating, authorizing, and accounting for users passing from the inside through the outside interface. You have also enabled TACACS+ authentication for those connecting to the PIX through the console. The first command you need to look at is the aaa-server command. The example sets the server to TACACS+ on the inside interface with the IP address of 10.1.1.41. You are using thekey as your TACACS+ key and have set a timeout of 20 seconds. This command is also responsible for starting AAA on the PIX. The full syntax of the aaa-server command follows:

aaa-server group_tag (interface_name) host server_ip key timeout seconds

The parameters and keywords, along with their descriptions, are displayed in Table 4-3.

Table 4-3. aaa-server Command Parameters

Command         Description
group_tag       TACACS+ or RADIUS.
interface_name  Name of the interface where the server resides.
host            Keyword designating that a single host IP address follows.
server_ip       The IP address of the server.
key             The alphanumeric key expected at the server.
timeout         Keyword designating that the parameter following is the number of seconds.
seconds         The wait time in seconds that the PIX will wait after sending a request without receiving a response before another request is sent. The default time is 5 seconds. Four requests will be sent before timing out.

After starting AAA, you authenticated, authorized, and accounted for any outbound traffic. For a full description of these three processes, see Chapter 10. For the moment, it will suffice to say that when users attempt to send data outside, first they will be checked to ensure that they are who they claim to be, then a check will determine whether they are allowed to send the data outside, and then a record will be made that the users sent the data. You accomplish these three tasks in this example with the following three lines:

aaa authentication include any outbound 0 0 0 0 TACACS+
aaa authorization include any outbound 0 0 0 0 TACACS+
aaa accounting include any outbound 0 0 0 0 TACACS+

The key here is the word outbound, which means packets traversing from the inside interface through the outside interface. The any in these lines refers to the type of accounting service; possible values are any, ftp, http, telnet, or protocol/port. The four zeros refer, in order, to the local address, the local mask, the foreign IP address, and the foreign mask. The final parameter determines which service should be used, RADIUS or TACACS+. It is possible to run both TACACS+ and RADIUS at the same time. To accomplish this, merely add another aaa-server command with the other service. The aaa authentication command has another form that allows you to authenticate connections for the serial port, the Telnet ports, and the enable mode. The full syntax of this command follows:

aaa authentication [serial | enable | telnet] console group_tag
outbound and apply Commands

Now that you have seen how AAA can limit outbound access through an interface, there is another way to control and limit access from a higher security level interface to a lower security level interface. This method uses PIX access lists configured with the outbound and apply commands. The first thing to remember about this type of PIX access list is that it operates in a totally different manner than a router's access list. If you are intimately familiar with router access lists, you might have a harder time accepting how PIX access lists work than those who are not so familiar with router access lists. The order of a router's access list is vitally important, because the first match will cause a rejection or acceptance. However, the PIX uses a best-fit mechanism for its access lists. This allows the administrator to deny whole ranges of IP addresses and then allow specific hosts through at a later date without having to rewrite the whole access list. The PIX access list is also neither a standard nor an extended access list, but rather a combination of the two forms. Where a router uses two commands, access-list and access-group (or access-class), to define and apply an access list, the PIX uses the outbound and apply commands to define and apply an access list. The full syntax of the outbound command follows:

outbound list_id permit | deny ip_address [netmask [java | port[-port]]] [protocol]

A description of the command parameters can be found in Table 4-4.

Table 4-4. outbound Command Parameters

Command     Description
list_id     This is an arbitrary name or number used to identify the access list. This is similar to a named access list on a router.
permit      Allows the access list to access the specified IP address and port.
deny        Denies access to the specified IP address and port.
except      Creates an exception to the previous outbound command. The IP address associated with an except statement changes depending on whether an outgoing_src or outgoing_dest parameter is used in the apply command. If the apply command uses outgoing_src, the IP address applies to the destination IP address. If the apply command uses an outgoing_dest, the IP address refers to the source IP address.
ip_address  The IP address associated with the outbound permit, outbound deny, or outbound except command.
netmask     The subnet mask associated with the IP address. Remember that this is a subnet mask, not a wildcard mask as used on routers. Where a router would have a wildcard mask of 0.0.0.255, the PIX would have a subnet mask of 255.255.255.0.
port        The port or range of ports associated with this command.
java        The keyword java is used to indicate port 80. When java is used with a deny, the PIX blocks Java applets from being downloaded from the IP address. By default, the PIX permits Java applets.
protocol    This limits access to one of the following protocols: UDP, TCP, or ICMP. TCP is assumed if no protocol is entered.

Now that you know how the command works, look at the effects of the commands. The first two lines of the configuration regarding access lists read:
outbound limit_acctg deny 10.200.200.0 255.255.255.0
outbound limit_acctg except 10.10.1.51

The first outbound command denies all packets from the Class C network at 10.1.1.0. When using the deny and permit forms of the outbound command, you are referring to the destination IP address. You could use the word permit in the example instead of deny, which would allow packets from these IP addresses.

The effects of the second line cannot be fully determined until you look at the apply command. However, you can still see that an exception to the previous deny command exists. This exception allows packets associated with the IP address of 10.10.1.51 through the PIX. Here the word associated is used instead of destination or source because whether you are concerned about the source or the destination IP address is actually determined by the apply command. If the apply command specifies a source IP address, the packets from the source used with the outbound command are permitted or denied. If the apply command specifies a destination address, then packets whose destination address matches the IP address used with the outbound command are denied or permitted. This is a two-step process that requires the administrator to ask two questions. First, look at the outbound command. Is this a permit or deny statement? Next, look at the apply command. Is the apply command concerned with the source or the destination address?

The next two lines are easy to understand. You permit access to the hosts at 10.200.200.66 and 10.200.200.67. At this point, you still do not have a definition as to whether the IP address associated with the except is a source or destination address. However, the apply command will resolve this outstanding issue. For review purposes, the two lines follow:
outbound limit_acctg permit 10.200.200.66
outbound limit_acctg permit 10.200.200.67

The apply statement is used to connect an access list with an interface and to define whether IP addresses specified with that access list are source or destination IP addresses. This example of the apply command follows:

apply (accounting) limit_acctg outgoing_dest

In this example, you applied an access list to the interface previously defined as accounting by the nameif command. The access list you connected is the one called limit_acctg. As with a router's access lists, only one access list can be applied in a given direction on any PIX interface. This apply command has applied the except command to source packets. The alternative would be to apply the except command to destination packets by using the outgoing_src parameter. The application of this command has a distinct effect on the access list. This effect is that the IP address specified by the except command is a source address.

For review purposes, look at Figure 4-9. Refer to Figure 4-9 while reviewing the following discussion about the command lines used.

Figure 4-9. PIX outbound Command Example

The following line prevents access to all of the 10.200.200.0/24 network from all hosts for all protocols. The PIX uses subnet masks, not wildcard masks.

outbound limit_acctg deny 10.200.200.0 255.255.255.0

The following line is an exception to the preceding line. Because the apply statement uses outgoing_src, the preceding denial of access to the 10.200.200.0 network does not apply to the host with the IP address of 10.10.1.51. Because the security level is higher on the network where this computer sits, this computer has access to the whole of the 10.200.200.0 network.
outbound limit_acctg except 10.10.1.51

The following line allows all hosts on all networks with a higher security level to have access to the host at 10.200.200.66.

outbound limit_acctg permit 10.200.200.66

The following line allows all hosts on all networks with a higher security level to have access to the host at 10.200.200.67.

outbound limit_acctg permit 10.200.200.67

The following line applies the access list called limit_acctg to the accounting interface and makes a definition for the except command, specifying that the IP addresses within the except command refer to a source address.

apply (accounting) limit_acctg outgoing_dest

It is important to remember that the order of the outbound statements is not a concern because the PIX uses a best-fit algorithm.
access-list and access-group Commands

There is another method of using access lists shown in this configuration. This method, heavily used in conjunction with crypto maps, will be explored further in the VPN sections later in this chapter. This section discusses the access-list and access-group commands as they relate to traffic other than encrypted traffic.

Access lists on a PIX Firewall use either of these commands to limit connections between interfaces. When used to limit connections from a lower security level interface to a higher security level interface, the access-list command can replace a conduit command. When used to limit connections from a higher security level interface to a lower security level interface, the access list can replace the outbound command. Whether you are using the access-list command from a higher to lower or a lower to higher interface changes how you use this command. The following are some rules to keep in mind when designing PIX access lists.

For access from a higher security level interface to a lower security interface, always permit access first and then deny access afterward. Outbound connections are permitted by default. Therefore, the access list is used to limit this default behavior. Only deny statements need to be added, unless a permit is needed to override a deny command. Because PIX access lists are best-fit, this is a legitimate technique. In the configuration, you first allowed access for a single host at 10.200.200.52. You then denied access from all of those hosts on the 10.200.200.0/24 network. Make sure that the netmask used on a PIX access list is really a subnet mask, and not the wildcard mask used on router access lists. This is shown in the configuration with the following two lines:
access-list acct_pub permit host 10.200.200.52
access-list acct_pub deny 10.200.200.0 255.255.255.0

When accessing from a lower to a higher security level, access is denied by default. Therefore, an access list would normally only contain permit statements. Again, you might have a situation where all except for a few hosts should be denied. In this case, you would use permit commands for the hosts to be let through the interface, along with a deny command for the specific hosts to be denied. The full syntax for a PIX access list follows:

access-list name [deny | permit] protocol src_addr src_mask operator port dest_addr dest_mask operator port

On the PIX Firewall, access lists are applied to an interface with the access-group command. In the command shown below, you apply the access list named acct_pub to the public interface.

access-group acct_pub in interface public

The access-group command always uses the keywords in interface before the interface name.

There are a few things to consider when working with PIX access lists. First, it is recommended that you do not use the access-list command with the conduit and outbound commands. Technically, these commands will work together; however, the way these commands interact causes debugging issues. The conduit and outbound commands operate with two interfaces, while the access-list command applies only to a single interface. If you choose to ignore this warning, remember that the access list is checked first. The conduit and outbound commands are checked after the access-list command. Second, the masks used in the PIX access lists and the outbound command are subnet masks, not wildcard masks.
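Both the outbound/apply example and the acct_pub access list above depend on two rules stated in the text: the PIX takes the most specific matching entry regardless of order, and masks are subnet masks rather than wildcard masks. The following Python model is added here and is not code from the book or from Cisco; it encodes those rules as the text describes them (the two outbound questions plus best-fit matching; ports, protocols and the java keyword are ignored, and treating an except entry as an override is this example's assumption) and runs the chapter's own limit_acctg and acct_pub entries through it. All function names are this example's own.

```python
"""Model of PIX best-fit matching for the chapter's outbound/apply and access-list examples.

Added illustration, not PIX code: most specific entry wins, outbound traffic is
permitted by default, and an except entry is keyed to the address that the apply
command does not select (an assumption drawn from the text's description).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def pix_network(addr: str, netmask: str = "255.255.255.255") -> ipaddress.IPv4Network:
    """Build a network from a PIX-style subnet mask, rejecting router wildcard masks."""
    mask = int(ipaddress.IPv4Address(netmask))
    inverted = ~mask & 0xFFFFFFFF
    # A subnet mask is a run of ones followed by zeros; 0.0.0.255 (a wildcard) is not.
    if inverted & (inverted + 1):
        raise ValueError(f"{netmask} is a wildcard mask, not a subnet mask")
    return ipaddress.IPv4Network(f"{addr}/{bin(mask).count('1')}", strict=False)


@dataclass
class Entry:
    action: str  # "permit", "deny" or "except"
    net: ipaddress.IPv4Network


def parse_outbound(lines: List[str]) -> Tuple[List[Entry], str]:
    """Parse 'outbound LIST ACTION IP [MASK]' lines and the 'apply (IF) LIST outgoing_*' line."""
    entries, direction = [], None
    for line in lines:
        parts = line.split()
        if parts[0] == "outbound":
            mask = parts[4] if len(parts) > 4 else "255.255.255.255"
            entries.append(Entry(parts[2], pix_network(parts[3], mask)))
        elif parts[0] == "apply":
            direction = parts[3]
    if direction not in ("outgoing_src", "outgoing_dest"):
        raise ValueError("an apply command with outgoing_src or outgoing_dest is required")
    return entries, direction


def parse_access_list(lines: List[str]) -> List[Entry]:
    """Parse the single-address form used in the chapter: 'host IP' or 'IP MASK'."""
    entries = []
    for line in lines:
        parts = line.split()
        if parts[3] == "host":
            entries.append(Entry(parts[2], pix_network(parts[4])))
        else:
            entries.append(Entry(parts[2], pix_network(parts[3], parts[4])))
    return entries


def best_fit(entries: List[Entry], addr: str) -> Optional[Entry]:
    """Return the matching permit/deny entry with the longest mask; entry order is irrelevant."""
    ip = ipaddress.IPv4Address(addr)
    candidates = [e for e in entries if e.action != "except" and ip in e.net]
    return max(candidates, key=lambda e: e.net.prefixlen, default=None)


def outbound_decision(entries: List[Entry], direction: str, src: str, dst: str) -> str:
    """Ask the text's two questions: permit or deny, and is apply about source or destination?"""
    # outgoing_dest: permit/deny entries match the destination and except matches the source;
    # outgoing_src is the mirror image.
    policy_addr, except_addr = (dst, src) if direction == "outgoing_dest" else (src, dst)
    if any(e.action == "except" and ipaddress.IPv4Address(except_addr) in e.net for e in entries):
        return "permit"
    match = best_fit(entries, policy_addr)
    return match.action if match else "permit"  # outbound connections are permitted by default


def acl_decision(entries: List[Entry], addr: str, default: str) -> str:
    """default is 'permit' for higher-to-lower traffic and 'deny' for lower-to-higher traffic."""
    match = best_fit(entries, addr)
    return match.action if match else default


# The limit_acctg and acct_pub entries from the chapter.
LIMIT_ACCTG = [
    "outbound limit_acctg deny 10.200.200.0 255.255.255.0",
    "outbound limit_acctg except 10.10.1.51",
    "outbound limit_acctg permit 10.200.200.66",
    "outbound limit_acctg permit 10.200.200.67",
    "apply (accounting) limit_acctg outgoing_dest",
]
ACCT_PUB = [
    "access-list acct_pub permit host 10.200.200.52",
    "access-list acct_pub deny 10.200.200.0 255.255.255.0",
]

if __name__ == "__main__":
    entries, direction = parse_outbound(LIMIT_ACCTG)
    for src, dst in [("10.10.1.20", "10.200.200.5"), ("10.10.1.20", "10.200.200.66"),
                     ("10.10.1.51", "10.200.200.5")]:
        print(f"{src} -> {dst}: {outbound_decision(entries, direction, src, dst)}")
    acl = parse_access_list(ACCT_PUB)
    for host in ("10.200.200.52", "10.200.200.53", "10.1.1.1"):
        print(f"{host} (higher to lower): {acl_decision(acl, host, 'permit')}")
```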
Additional Dual-DMZ Configuration Considerations

Notice that there is a nat 0 command associated with the accounting DMZ. A nat 0 command prevents any NAT or PAT from occurring. How could this be used to your advantage? Assuming that you do not use NAT and you assign nonroutable IP addresses to a DMZ, you can prevent anyone on the Internet from reaching this DMZ while still allowing the local LANs to reach the network. You can also provide additional protection when you are using routable IP addresses through the PIX. Whether or not you choose to use NAT on an interface does not really affect how that interface operates.

This concludes the configuration of the PIX Firewall, with the exception of VPNs. The remainder of this chapter covers VPNs, starting with Point-to-Point Tunneling Protocol (PPTP) and then moving on to IPSec VPNs.
VPN with Point-to-Point Tunneling Protocol (PPTP)

Starting with Version 5.1 of the PIX IOS, Cisco provides support for Microsoft PPTP VPN clients as an alternative to IPSec. Although PPTP is a less secure technology than IPSec, PPTP is easier to configure and maintain. PPTP also enjoys a great deal of support, especially from Microsoft clients. The PPTP is an OSI Layer 2 tunneling protocol that allows a remote client to communicate securely through the Internet. PPTP is described by RFC 2637. The PIX Firewall only supports inbound PPTP, and only a single interface can have PPTP enabled at any given time. PPTP through the PIX has been tested with Windows 95 using DUN 1.3, Windows 98, Windows NT 4.0 with SP6, and Windows 2000.

The PIX Firewall supports Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), using an external AAA server or the PIX local username and password database. Point-to-Point Protocol (PPP) with Combined Packet Protocol (CCP) negotiations with Microsoft Point-To-Point Encryption (MPPE) extensions using the RSA/RC4 algorithm and either 40- or 128-bit encryption is also supported. The compression features of MPPE are not currently supported.

To enable PPTP support, you first need to have the PIX configured to allow and deny packets in the normal fashion. The interfaces must be configured and the passwords set. After this is accomplished, you can add additional features. The sections regarding VPN in this chapter do not show all of the commands necessary to configure the PIX. Instead, this section concentrates on those commands that require configuration changes from previously shown examples or that are new commands.
Take a moment to look at Figure 4-10. Notice that the VPN tunnel is terminated on the outside interface of the PIX. Although you could terminate the VPN on the perimeter router, there are a few reasons why terminating at the PIX is preferred. The first reason is that the PIX is optimized for security operations, including VPN termination. The PIX is able to handle a much larger number of VPN terminations than most routers. The second reason is that if you terminate on the perimeter router, then only the perimeter router ensures security on the packets after the VPN tunnel has been decrypted. Because the PIX is considered the primary defense, it makes logical sense to keep packets encrypted all the way to the PIX, even if the perimeter router is running the PIX Firewall IOS.

Figure 4-10. PIX PPTP VPN
The sample configuration used throughout this chapter requires changes to enable PPTP. These are shown in the following configuration. This section examines each of the new commands, after the following new configuration:

ip local pool thelocalpool 10.1.1.50-10.1.1.75
vpdn enable outside
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local thelocalpool
vpdn group 1 client configuration dns 10.1.1.41
vpdn group 1 client configuration wins 10.1.1.9
vpdn group 1 client authentication local
vpdn username joe password joespassword
vpdn username mary password marryspassword
sysopt connection permit-pptp

ip local pool Command

An IP local pool is used with VPNs to reserve a range of IP addresses that will be assigned to hosts using VPNs. The addresses in this range must not be in use by any other hosts and should not be used in any other commands. Use the show form of the command to display all of the IP addresses within a pool. The command, reserving IP addresses of 10.1.1.50 through 10.1.1.75 and using the name thelocalpool, follows.

ip local pool thelocalpool 10.1.1.50-10.1.1.75

vpdn Command

The vpdn command takes many forms. The first line, the vpdn enable outside command, accomplishes two tasks. First, this enables virtual private dial-up network (VPDN) support on the PIX itself. Second, VPDN is enabled on the interface labeled outside by the nameif command. Multiple interfaces accepting PPTP traffic each require a separate vpdn enable interface command. Note that the PIX Firewall only accepts incoming PPTP traffic and cannot be used to initiate a PPTP tunnel.

The basic form of the command, vpdn group 1 accept dialin pptp, associates the VPDN group numbered 1 within other commands. Assuming that multiple PPTP tunnels are to be terminated on this interface, you might wish to set up some users on one tunnel and other users on a different tunnel. In this case, multiple tunnels allow you to accomplish such tasks
as assigning different WINS or DNS servers to individuals. The accept dialin pptp portion of this command tells the PIX that it should accept PPTP connections requested by outside entities.

The vpdn group 1 ppp authentication mschap command shown next ensures that the password authentication protocol used within VPDN group 1 is mschap. The other options available on this command are pap and chap.

NOTE

You must also ensure that any associated Windows devices needing to use a PPTP tunnel into your network are also configured correctly. Unless you have set a Microsoft Windows client to require encrypted passwords, the client will first use a clear-text PAP password. This attempt will fail because of your PIX configuration that requires encryption. The client will then attempt to connect using the same password in an encrypted form, which will be successful. Even though the connection is ultimately successful, the password has been sent in clear text and might have been revealed to hackers. Therefore, ensure that encrypted passwords are required on all Microsoft Windows clients used with tunneled connections.

The vpdn group 1 client configuration address local thelocalpool command is used to assign the IP address used by the client while the client is connected through the PPTP connection. Because you created a pool called thelocalpool and assigned the addresses of 10.1.1.50 through 10.1.1.75 to that pool, this command tells the client to look to that pool for one of these available addresses. Limiting the total number of available IP addresses in the pool in turn limits the total number of PPTP connections that can be used simultaneously.

The client configuration form of the vpdn command is used to assign WINS and DNS servers for use by the PPTP client while the client is connected into your system. Both of these commands can take either one or two IP addresses. The order that these IP addresses are entered within the command reflects the order of their use by Windows clients.

The vpdn group 1 client authentication local command tells the PIX to look to the local user database to check passwords. If you are using a AAA server for client authentication, you would need to set up the PIX to recognize the AAA server and the need to authenticate PPTP users with lines similar to the following:
aaa-server TACACS+ (inside) host 10.1.1.41 thekey timeout 20
vpdn group 1 client authentication aaa TACACS+

The vpdn username joe password joespassword command enters Joe as a user within the local database and assigns joespassword to Joe. This is the password whose hash result will be sent over the connection through the MS-CHAP authentication process. You have also enabled Mary as a user with a unique password. Once the system is configured to allow one user, allowing other users involves adding a username and password to the PIX configuration.
sysopt Command

The previous commands shown in this example have set up the PPTP tunnel and users. What has not been done is to allow the users access through the firewall. The sysopt connection permit-pptp command allows all authenticated PPTP clients to traverse the PIX interfaces.

The sysopt command is used to change the default security behavior of the PIX Firewall in a number of different ways. There are many forms of this command, each acting slightly differently. Table 4-5 contains a list of the sysopt commands and a description of each of their functions. Each of these commands also has an associated no form of the command, which is used to reverse the behavior associated with the command.
Table 4-5. sysopt Commands

sysopt connection enforcesubnet
    Prevents packets with a source address belonging to the destination subnet from traversing an interface. A packet arriving from the outside interface having an IP source address of an inside network is not allowed through the interface.
sysopt connection permit-ipsec
    Allows traffic from an established IPSec connection to bypass the normal checking of access lists, conduit commands, and access-group commands. In other words, if an IPSec tunnel has been established, this command means that the traffic will be allowed through the interface on which the tunnel was terminated.
sysopt connection permit-pptp
    Allows traffic from an established PPTP connection to bypass conduit and access-group commands and access lists.
sysopt connection tcpmss bytes
    Forces TCP proxy connections to have a maximum segment size equal to the number specified by the parameter bytes. The default for bytes is 1380.
sysopt connection timewait
    Forces TCP connections to stay in a shortened time-wait state of at least 15 seconds after a normal TCP session ends.
sysopt ipsec pl-compatible
    Enables IPSec packets to bypass both NAT and the ASA features. This also allows incoming IPSec tunnels to terminate on an inside interface. For a tunnel crossing the Internet to terminate on the inside interface, the inside interface must have a routable IP address.
sysopt nodnsalias outbound
    Denies outbound DNS A record replies.
sysopt noproxyarp interface_name
    Disables proxy ARPs on the interface specified by interface_name.
sysopt security fragguard
    Enables the IP Frag Guard feature, which is designed to prevent IP fragmentation attacks such as LAND.c and teardrop. This works by requiring responsive IP packets to be requested by an internal host before they are accepted and limits the number of IP packets to 100 per second for each internal host.
VPN with IPSec and Manual Keys

IOS versions of the PIX prior to 5.0 used a connection method involving the Private Link Encryption Card to connect between two PIX Firewalls. This method is no longer supported; IPSec is used as the alternative. If your system is still using Version 4 or earlier of the Cisco PIX IOS, it is time to upgrade.

In this configuration, you will use IPSec to connect two networks over the Internet. You will also use manual keys for this example. In this example, your main corporate office uses an internal IP address of 10.1.1.0 with a 24-bit subnet mask, while your branch office uses 10.1.2.0 with a 24-bit subnet mask. (As with any interface accessible from the Internet, the outside interface of the PIX must have a routable IP address.) Figure 4-11 shows a diagram of how these networks are connected.

Figure 4-11. VPN with IPSec
You need to configure both PIX Firewalls to enable a secure tunnel between them. The configurations that follow show only the items associated with setting up the IPSec tunnels. You will see both configurations and then a discussion of the ramifications of using the commands. Keep in mind that these are examples and, therefore, do not have routable IP addresses on the outside interfaces. In real life, the outside interfaces would need routable IP addresses; inside the corporate LANs, the IP addresses do not need to be routable. The corporate PIX configuration changes are as follows:
ip address outside 172.30.1.1 255.255.255.252
access-list 20 permit 10.1.2.0 255.255.255.0
crypto map mymap 10 ipsec-manual
crypto map mymap 10 set transform-set myset
crypto ipsec transform-set myset ah-md5-hmac esp-des
crypto map mymap 10 match address 20
crypto map mymap 10 set peer 172.30.1.2
crypto map mymap 10 set session-key inbound ah 400 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
crypto map mymap 10 set session-key outbound ah 300 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
crypto map mymap 10 set session-key inbound esp 400 cipher cccccccccccccccccccccccccccccccc
crypto map mymap 10 set session-key outbound esp 300 cipher dddddddddddddddddddddddddddddddd
crypto map mymap interface outside
sysopt connection permit-ipsec

The branch office PIX configuration changes are as follows:

ip address outside 172.30.1.2 255.255.255.252
access-list 20 permit 10.1.1.0 255.255.255.0
crypto map mymap 10 ipsec-manual
crypto map mymap 10 set transform-set myset
crypto ipsec transform-set myset ah-md5-hmac esp-des
crypto map mymap 10 match address 20
crypto map mymap 10 set peer 172.30.1.1
crypto map mymap 10 set session-key inbound ah 300 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
crypto map mymap 10 set session-key outbound ah 400 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
crypto map mymap 10 set session-key inbound esp 300 cipher dddddddddddddddddddddddddddddddd
crypto map mymap 10 set session-key outbound esp 400 cipher cccccccccccccccccccccccccccccccc
crypto map mymap interface outside
sysopt connection permit-ipsec

In this example, after assigning your outside IP addresses, you added an access list. Because you decided to use manual keys, this access list might contain only a single permit. If you used preshared keys, the access list could contain multiple permit statements. The access list is used to invoke your IPSec connection. When packets are sent to this address, your PIX establishes a connection with the peer, and all data traveling between the two is carried over your tunnel.
crypto map Commands

The crypto map command is used extensively with IPSec. This section examines the forms of this command in Table 4-6 before examining exactly what has to be configured in the examples. The crypto map command's first parameter is always the mapname. The mapname parameter is an arbitrary name assigned to distinguish one map from another. Table 4-6 assumes that crypto map mapname precedes the command. As with most commands, the no form of a command removes the configuration.
Table 4-6. crypto map mapname Parameters

client authentication aaa-server
    This is the name of a AAA server that authenticates the user during Internet Key Exchange (IKE) negotiations.
client configuration address initiate
    This forces the PIX to attempt to set the IP address for each peer.
client configuration address respond
    This forces the PIX to attempt to accept requests from any requesting peer.
interface interfacename
    This specifies the interface, as defined by the nameif command, that the PIX will use to identify peers. When IKE is enabled and a certificate authority (CA) is used to obtain certificates, this must be the interface specified within the CA certificate.
seq-num ipsec-isakmp | ipsec-manual [dynamic dynamic-map-name]
    The seq-num (sequence number) is the number assigned to the map entry. The seq-num is used in a number of forms of the crypto map command. ipsec-isakmp indicates that IKE is used to establish the security association (SA). ipsec-manual indicates that IKE should not be used. dynamic dynamic-map-name is an optional keyword and parameter. The keyword dynamic indicates that the present crypto map entry references a preexisting dynamic crypto map. The parameter dynamic-map-name is the name of the preexisting map.
seq-num match address acl_name
    Traffic destined for the IP addresses with a permit statement within the access list defined by acl_name will be encrypted.
seq-num set peer hostname | ipaddress
    This specifies the peer for this SA. A hostname might be specified if the names command has been used. Otherwise an IP address is used.
seq-num set pfs [group1 | group2]
    Specifies that IPSec will ask for Perfect Forward Secrecy (PFS). group1 and group2 are optionally used to specify whether a 768-bit Diffie-Hellman prime modulus group (group1) or a 1024-bit Diffie-Hellman prime modulus group (group2) will be used on new exchanges.
seq-num set session-key inbound | outbound ah spi hex-key-string
    This sets the session keys within a crypto map entry. Using the keyword inbound specifies that the following key-string is for inbound traffic. Specifying the keyword outbound specifies that the key-string is for outbound traffic. One peer's outbound key string must match the other peer's inbound key string and vice versa. The spi parameter is used to specify the Security Parameter Index (SPI). The SPI is an arbitrarily assigned number ranging from 256 to more than 4 billion (0xFFFFFFFF). The hex-key-string is an arbitrary hexadecimal session key. The length of this key is determined by the transform set in use. DES uses 16 digits, MD5 uses 32, and SHA uses 40 digits.
seq-num set session-key inbound | outbound esp spi cipher hex-key-string [authenticator hex-key-string]
    This is very similar to the previous command, except that it is used with encapsulating security payload (ESP) instead of authentication header (AH). The keyword esp specifies that the ESP protocol will be used. The keyword cipher indicates that the following hex-key-string is to be used with the ESP encryption transform. The optional authenticator string is used with the ESP authentication transform.
crypto ipsec Command

You have also seen the crypto ipsec command used within the configurations. There are two major forms of this command, the crypto ipsec transform-set and the crypto ipsec security-association lifetime forms. Both of these can be removed with the no form of the command. These commands are explained in Table 4-7.

Table 4-7. crypto ipsec Commands

crypto ipsec set security-association lifetime seconds seconds | kilobytes kilobytes
    If the keyword seconds is used, the seconds parameter specifies how many seconds an SA will remain active without renegotiation. The default is 28,800 seconds, which is 8 hours. If the keyword kilobytes is used, the kilobytes parameter specifies how many kilobytes of data can pass between peers before a renegotiation must occur. The default value is 4,608,000 KB, which is approximately 4.5 GB.
crypto ipsec transform-set transform-set-name
    This command defines the transform sets that can be used with the map entry. There can be up to a total of six transform-set-names used within a single line. The transform set attempts to establish an SA in the order that the sets are specified.
Now that you have seen the syntax and uses of the crypto map and crypto ipsec commands, look again at the sample configurations. You tell the PIX that your crypto map is named mymap with a map number of 10 and that IKE should not be used. This is done with the following line:

crypto map mymap 10 ipsec-manual

Next, you define the name of the transform with the following:

crypto map mymap 10 set transform-set myset

The transform set is defined with the following line:

crypto ipsec transform-set myset ah-md5-hmac esp-des

You previously created an access list 20 and permitted packets originating from the remote site's network. You then set the PIX to look at access list 20. If the packets are traveling to or from an address within this access list, they will be encrypted.

crypto map mymap 10 match address 20

Set the other end of the IPSec tunnel to terminate at 172.30.1.2, which is the outside interface of the branch office's PIX:

crypto map mymap 10 set peer 172.30.1.2

Set up the inbound and outbound session keys:

crypto map mymap 10 set session-key inbound ah 400 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
crypto map mymap 10 set session-key outbound ah 300 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
crypto map mymap 10 set session-key inbound esp 400 cipher cccccccccccccccccccccccccccccccc
crypto map mymap 10 set session-key outbound esp 300 cipher dddddddddddddddddddddddddddddddd

Associate the crypto map with the outside interface.

crypto map mymap interface outside

Finally, permit IPSec packets into the network with the sysopt command.

sysopt connection permit-ipsec

The branch office PIX configuration is almost identical. The following section points out where it differs.
The branch office PIX has a different outside IP address.

ip address outside 172.30.1.2 255.255.255.252

The access list must reflect the main office's IP addresses.

access-list 20 permit 10.1.1.0 255.255.255.0

The peer is the outside IP address of the main office's PIX.

crypto map mymap 10 set peer 172.30.1.1

The session keys for the branch office are configured in the opposite order of what is configured on the main office's PIX. The inbound key on one side of a connection must equal the outbound key on the opposite side of the connection. The inbound AH session key on the branch office is equal to the outbound AH session key on the main office's PIX, and it must match in order for the connection to be established. Likewise, the branch office's inbound ESP session key matches the main office's outbound ESP session key, and the branch office's outbound ESP session key matches the main office's inbound ESP session key:

crypto map mymap 10 set session-key inbound ah 300 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
crypto map mymap 10 set session-key outbound ah 400 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
crypto map mymap 10 set session-key inbound esp 300 cipher dddddddddddddddddddddddddddddddd
crypto map mymap 10 set session-key outbound esp 400 cipher cccccccccccccccccccccccccccccccc
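Getting the manual keys mirrored by hand is error prone, so the following Python check, added here and not code from the book or from Cisco, reads the relevant lines of both PIX configurations above and verifies the rules this section and Table 4-6 state: each inbound SPI and key must equal the peer's outbound SPI and key, SPIs lie in 256..0xFFFFFFFF, the two set peer addresses point at each other's outside interface, and key lengths match the transform set (DES 16, MD5 32, SHA 40 hex digits). Run against the chapter's own configurations it reports one thing the text does not: the ESP cipher keys are 32 hex digits, while Table 4-6 gives 16 for DES. All function names are this example's own.

```python
"""Cross-check a pair of PIX manual-key crypto map configurations.

Added illustration for the main/branch office example, not PIX or Cisco code.
"""
import re
from typing import List, Optional, Tuple

# Hex digits per manual session key, from Table 4-6: DES 16, MD5 32, SHA 40.
KEY_HEX_DIGITS = {"esp-des": 16, "ah-md5-hmac": 32, "esp-md5-hmac": 32,
                  "ah-sha-hmac": 40, "esp-sha-hmac": 40}
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF  # SPI range stated in Table 4-6

SESSION_KEY_RE = re.compile(
    r"^crypto map \S+ \d+ set session-key (inbound|outbound) (ah|esp) (\d+)"
    r"(?: cipher)? ([0-9a-fA-F]+)(?: authenticator ([0-9a-fA-F]+))?$")

KeyEntry = Tuple[int, str, Optional[str]]  # (spi, key, ESP authenticator key or None)


def parse_side(config: str) -> dict:
    """Pull the outside address, peer, transform set and session keys out of one PIX config."""
    side = {"outside": None, "peer": None, "transforms": [], "keys": {}}
    for line in (raw.strip() for raw in config.splitlines() if raw.strip()):
        parts = line.split()
        if line.startswith("ip address outside "):
            side["outside"] = parts[3]
        elif " set peer " in line:
            side["peer"] = parts[-1]
        elif line.startswith("crypto ipsec transform-set "):
            side["transforms"] = parts[4:]
        else:
            m = SESSION_KEY_RE.match(line)
            if m:
                direction, proto, spi, key, auth = m.groups()
                side["keys"][(direction, proto)] = (int(spi), key.lower(),
                                                    auth.lower() if auth else None)
    return side


def check_side(label: str, side: dict) -> List[str]:
    """SPI range and key-length checks for one PIX."""
    findings = []
    for (direction, proto), (spi, key, auth) in side["keys"].items():
        if not SPI_MIN <= spi <= SPI_MAX:
            findings.append(f"{label} {direction} {proto}: SPI {spi} outside {SPI_MIN}..{SPI_MAX}")
        # AH carries one authentication key; ESP carries a cipher key and an optional authenticator.
        if proto == "ah":
            pairs = [(t, key) for t in side["transforms"] if t.startswith("ah-")]
        else:
            pairs = [(t, key) for t in side["transforms"]
                     if t.startswith("esp-") and not t.endswith("-hmac")]
            if auth:
                pairs += [(t, auth) for t in side["transforms"]
                          if t.startswith("esp-") and t.endswith("-hmac")]
        for transform, hexkey in pairs:
            need = KEY_HEX_DIGITS.get(transform)
            if need and len(hexkey) != need:
                findings.append(f"{label} {direction} {proto}: {transform} needs {need} "
                                f"hex digits, key has {len(hexkey)}")
    return findings


def check_pair(main_cfg: str, branch_cfg: str) -> List[str]:
    """Return every mismatch between the two ends; an empty list means the keys line up."""
    main, branch = parse_side(main_cfg), parse_side(branch_cfg)
    findings = []
    if main["peer"] != branch["outside"] or branch["peer"] != main["outside"]:
        findings.append("set peer addresses do not point at each other's outside interface")
    for (direction, proto), entry in main["keys"].items():
        mirror = "outbound" if direction == "inbound" else "inbound"
        if branch["keys"].get((mirror, proto)) != entry:
            findings.append(f"main {direction} {proto} (SPI {entry[0]}) does not equal "
                            f"branch {mirror} {proto}")
    return findings + check_side("main", main) + check_side("branch", branch)


# The lines of the chapter's two configurations that the check reads.
MAIN_CFG = """
ip address outside 172.30.1.1 255.255.255.252
crypto ipsec transform-set myset ah-md5-hmac esp-des
crypto map mymap 10 set peer 172.30.1.2
crypto map mymap 10 set session-key inbound ah 400 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
crypto map mymap 10 set session-key outbound ah 300 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
crypto map mymap 10 set session-key inbound esp 400 cipher cccccccccccccccccccccccccccccccc
crypto map mymap 10 set session-key outbound esp 300 cipher dddddddddddddddddddddddddddddddd
"""
BRANCH_CFG = """
ip address outside 172.30.1.2 255.255.255.252
crypto ipsec transform-set myset ah-md5-hmac esp-des
crypto map mymap 10 set peer 172.30.1.1
crypto map mymap 10 set session-key inbound ah 300 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
crypto map mymap 10 set session-key outbound ah 400 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
crypto map mymap 10 set session-key inbound esp 300 cipher dddddddddddddddddddddddddddddddd
crypto map mymap 10 set session-key outbound esp 400 cipher cccccccccccccccccccccccccccccccc
"""

if __name__ == "__main__":
    for finding in check_pair(MAIN_CFG, BRANCH_CFG) or ["no mismatches"]:
        print(finding)
```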
VPN with Preshared Keys

Using preshared keys is easy, once you understand the concepts presented in the previous example. The difference between this configuration and the previous one is that you are now relying on the Internet Security Association and Key Management Protocol (ISAKMP) for exchanging keys. This section presents the configuration before exploring how it has changed. The main office's configuration is as follows:

hostname chicago
domain-name bigcompany.com
isakmp enable outside
isakmp policy 15 authentication pre-share
isakmp policy 15 encr 3des
isakmp key isakmpkey address 172.30.1.2
crypto ipsec transform-set strong esp-sha-hmac esp-3des
access-list myaccesslist permit ip 10.1.2.0 255.255.255.0
crypto map seattletraffic 29 ipsec-isakmp
crypto map seattletraffic 29 match address myaccesslist
crypto map seattletraffic 29 set transform-set strong
crypto map seattletraffic 29 set peer 172.30.1.2
crypto map seattletraffic interface outside
sysopt connection permit-ipsec

The branch PIX Firewall configuration looks like this:

hostname seattle
domain-name bigcompany.com
isakmp enable outside
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp key isakmpkey address 172.30.1.1
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list chicagolist permit ip 10.1.1.0 255.255.255.0
crypto map chicagotraffic 31 ipsec-isakmp
crypto map chicagotraffic 31 match address chicagolist
crypto map chicagotraffic 31 set transform-set strong
crypto map chicagotraffic 31 set peer 172.30.1.1
crypto map chicagotraffic interface outside
sysopt connection permit-ipsec

isakmp Commands

Before explaining the example, review Table 4-8 concerning the isakmp commands. The isakmp commands are very similar in syntax to the vpdn commands. As with most commands, using the no form of the command removes the configuration.
Table 4-8. isakmp Commands

isakmp client configuration address-pool local localpoolname
    Assigns a VPN client an address from within the addresses set aside by the ip local pool command.

isakmp enable interfacename
    Enables ISAKMP on the interface specified by the parameter interfacename.

isakmp identity address | hostname
    Identifies the system for IKE participation.

isakmp key keystring address peer-address
    The keystring specifies the preshared key. The peer-address specifies the IP address of the peer.

isakmp peer fqdn fqdn no-xauth no-config-mode
    The fqdn (fully qualified domain name) is the full DNS name of the peer. This is used to identify a peer that is a security gateway. The no-xauth option is used if you enabled the Xauth feature and you have an IPSec peer that is a gateway. The no-config-mode option is used if you enabled the IKE Mode Configuration feature and you have an IPSec peer that is a security gateway.

isakmp policy priority authentication pre-share | rsa-sig
    Sets the priority for the authentication and defines whether you are using preshared keys or RSA signatures.

isakmp policy priority group1 | group2
    group1 and group2 are optionally used to specify whether a 768-bit Diffie-Hellman prime modulus group (group1) or a 1024-bit Diffie-Hellman prime modulus group (group2) will be used on new exchanges.

isakmp policy priority hash md5 | sha
    Specifies MD5 or SHA as the hash algorithm to be used in the IKE policy.

isakmp policy priority lifetime seconds
    Specifies how many seconds each SA should exist before expiring.

Explanation of VPN with Preshared Keys

Going back to the configuration, you can see that it is really quite simple to enable preshared keys. The following section will walk you through the configuration and explain what has been configured. First, set the hostname. The fully qualified domain name (FQDN) is set with the domain-name command.
hostname chicago
domain-name bigcompany.com

Then enable ISAKMP on the outside interface and define that you use preshared keys and 3DES encryption:

isakmp enable outside
isakmp policy 15 authentication pre-share
isakmp policy 15 encr 3des

The ISAKMP key, whose value is isakmpkey, is set, along with the IP address of the outside interface of the peer. Then set the transform set to first use esp-sha-hmac and then esp-3des:

isakmp key isakmpkey address 172.30.1.2
crypto ipsec transform-set strong esp-sha-hmac esp-3des

Define an access list for use with the crypto map command, setting the permitted IP addresses to match the remote site's IP address:

access-list myaccesslist permit ip 10.1.2.0 255.255.255.0

Next, map the traffic to be encrypted, set the peer, and set the interface:

crypto map seattletraffic 29 ipsec-isakmp
crypto map seattletraffic 29 match address myaccesslist
crypto map seattletraffic 29 set transform-set strong
crypto map seattletraffic 29 set peer 172.30.1.2
crypto map seattletraffic interface outside

Finally, set the PIX to allow IPSec traffic through the interfaces:

sysopt connection permit-ipsec

The only real differences between the branch office and the main office configurations are that the peers are set to the other office's PIX outside interface, and the traffic to be encrypted is set to the other office's LAN.
Obtaining Certificate Authorities (CAs)

Retrieving certificate authorities (CAs) with the PIX Firewall uses almost exactly the same method as that used on routers. The following are the commands used to obtain a CA. Note that these commands might not show in a configuration. The administrator should avoid rebooting the PIX during this sequence. The steps are explained as they are shown. First, define your identity and the IP address of the interface to be used for the CA. Also configure the timeout of retries used to gain the certificate and the number of retries.

ca identity bigcompany.com 172.30.1.1
ca configure bigcompany.com ca 2 100

Generate the RSA key used for this certificate.

ca generate rsa key 512

Then get the public key and certificate.

ca authenticate bigcompany.com

Next, request the certificate, and finally, save the configuration.

ca enroll bigcompany.com enrollpassword
ca save all

At this point, you have saved your certificates to the flash memory and are able to use them. The configuration for using an existing CA is as follows:

domain-name bigcompany.com
isakmp enable outside
isakmp policy 8 authentication rsa-sig
ca identity example.com 172.30.1.1
ca generate rsa key 512
access-list 60 permit ip 10.1.2.0 255.255.255.0
crypto map chicagotraffic 20 ipsec-isakmp
crypto map chicagotraffic 20 match address 60
crypto map chicagotraffic 20 set transform-set strong
crypto map chicagotraffic 20 set peer 172.30.1.2
crypto map chicagotraffic interface outside
sysopt connection permit-ipsec
PIX-to-PIX Configuration

One advantage of using the PIX Firewall is that it has become a standard within the industry. As time passes, your business might acquire or become acquired by another company. To provide connectivity, you are faced with two choices: enabling VPNs over the Internet or using dedicated connections. Because one of the benefits of the PIX box is to allow secure VPNs, this section explores how to set up two PIX Firewalls between different locations through the Internet. In this scenario, shown in Figure 4-10, assume that both companies trust each other totally. This means that you will not filter any traffic between the sites, and all hosts on both sites will be able to see all hosts on the other site. The peers use ISAKMP in Phase 1 to negotiate an IPSec connection in Phase 2. As shown in Figure 4-12, the main office uses an internal IP address of 10.1.1.1/24 with an IP address of 172.30.1.1 on the outside interface. The branch office uses an internal IP address of 10.2.1.1/24 and an IP address of 172.30.2.1 on the outside interface. The following is the configuration for the PIX Firewall at the main office. After the configuration, you will see a discussion of the commands used.

Figure 4-12. PIX-to-PIX IPSec with ISAKMP Example
hostname mainofficepix
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 172.30.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (inside) 0 access-list 100
sysopt connection permit-ipsec
crypto ipsec transform-set maintransformset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.30.2.1
crypto map mymap 10 set transform-set maintransformset
crypto map mymap interface outside
isakmp enable outside
isakmp key mysharedkey address 172.30.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 768

All of the preceding commands have been discussed previously within this chapter. There are only a few new items that you need to watch carefully to ensure that this configuration will work. First, access list 100 must allow hosts from the branch office through the PIX Firewall. Limiting who is allowed through on the branch office network, or which hosts the branch office hosts are allowed to see, is controlled through this access list. For example, assume that everyone except the branch manager in the branch office is allowed to connect only to the hosts at 10.1.1.14, 10.1.1.15, and 10.1.1.200. The branch manager, whose IP address is 10.2.1.53, is allowed to access all hosts on the main office network. In this case, your access list would be as follows:
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.1.53 255.255.255.255
access-list 100 permit ip 10.1.1.14 255.255.255.255 10.2.1.0 255.255.255.0
access-list 100 permit ip 10.1.1.15 255.255.255.255 10.2.1.0 255.255.255.0
access-list 100 permit ip 10.1.1.200 255.255.255.255 10.2.1.0 255.255.255.0
Now take note of the use of the nat 0 command to prevent NAT from occurring. In some cases, you need to enable NAT because both sites are using the same nonroutable IP addresses. This is actually a common scenario. For example, without NAT enabled and both sites using the 10.1.1.0/24 network, neither PIX Firewall will know which network to respond to when a packet is received. Next, you set up the Phase 2 connection. Use the sysopt command with the permit-ipsec parameter to allow packets associated with this SA through the PIX Firewall. Set up the transform set for IPSec, assign a map to the access list, and set the interface for the crypto connection. You also use the crypto map command to set the peer for this connection. As always, the IP address of the peer should be the outside interface of the remote PIX Firewall. As with any ISAKMP key exchange, you need to ensure that the interface chosen is appropriate, that the key is exactly the same on both peers, and that the encryption and hash types are identical between peers.
PIX-to-PIX with Identical Internal IP Addresses

One of the issues raised by using a nonroutable IP address is the use of the IP address while another connected location is using that same address. This is a common issue when two companies connect to each other for the first time. Looking at Figure 4-13, notice that both the main and branch offices use the same internal IP address. In this situation, you will need to translate the addresses of both internal networks.

Figure 4-13. PIX-to-PIX with Identical Internal Network Addresses
On the PIX at the main office, you will use NAT to translate all data destined for the branch office to the 192.168.1.0/24 network. The branch office translates all data destined for the main office to use 192.168.2.0/24 addresses. Therefore, from the point of view of the main office, the branch office appears to use 192.168.2.0/24. From the point of view of the branch office, the main office appears to use 192.168.1.0/24 as its internal IP addresses. Each PIX Firewall needs to be configured in a similar manner. Figure 4-14 shows how each office sees the other.

Figure 4-14. PIX-to-PIX with Each Side Using NAT

The listing of this configuration follows. This is virtually the same configuration as the previous example, with a few minor changes. First, you have to implement a global pool for use with NAT for data traveling to the branch office. Second, you have to remove the lines associated with the nat 0 command for data traveling to the branch office. Third, you have to create a new access list called nattobranch, which is used by NAT to change the source address of the packets so that these packets appear to originate from the 192.168.1.0/24 network.
hostname mainofficepix
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 172.30.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 192.168.1.1-192.168.1.253
global (outside) 1 192.168.1.254
access-list nattobranch permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 1 access-list nattobranch
sysopt connection permit-ipsec
crypto ipsec transform-set maintransformset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address nattobranch
crypto map mymap 10 set peer 172.30.2.1
crypto map mymap 10 set transform-set maintransformset
crypto map mymap interface outside
isakmp enable outside
isakmp key mysharedkey address 172.30.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 768
Summary

This chapter has shown how to configure the PIX Firewall in many different ways. It started with the most basic form before moving to a more realistic configuration. This realistic configuration, allowing users through to specific services, should prove adequate for most companies that do not require the use of a DMZ. The chapter then moved on to explore using single and multiple DMZs, along with AAA services and other examples of connections possible with the PIX Firewall. These configurations provide examples that are applicable to larger organizations.
Chapter 5. Cisco IOS Firewall

This chapter contains the following sections:

• Access Lists
• Dynamic Access Lists
• Time-Based Access Lists
• Reflexive Access Lists
• Cisco IOS Firewall Features
• How Context-Based Access Control (CBAC) Works
• Configuring Context-Based Access Control (CBAC)
• Summary

Cisco IOS Firewall is an add-on component of the Cisco IOS that provides functionality similar to that found on the Cisco PIX. Designed to allow the administrator to leverage existing hardware, Cisco IOS Firewall allows the administrator to effectively secure the network without the added cost of a separate firewall. This chapter explores the features of Cisco IOS Firewall and discusses configuration choices associated with using this software. Before exploring Cisco IOS Firewall, this chapter will discuss advanced access lists to ensure that you have the solid foundation needed to work with Cisco IOS Firewall.
Access Lists

Chapter 2, "Basic Cisco Router Security," explored standard and extended access lists. This chapter explores more advanced forms of access lists. The act of creating and removing entries in access lists without administrator intervention is the basis for advanced access lists. Security on a network should be as tight as is reasonable at any given time. Advanced access lists, such as dynamic, reflexive, and Context-based Access Control (CBAC), all change the existing access lists to create openings in real time without changing any configurations. These openings are usually created in response to a request made from the inside (trusted side) of the corporate network. The newly created opening is closed after a period of time with no activity or when the session initiating the opening ends. Creating openings only when initiated from inside of the network and closing them when they are not needed limits the time when an outside entity can exploit these openings.
Dynamic Access Lists

Dynamic access lists permit dynamic entries to be made into standard or extended access lists by users after authentication. This authentication comes through the use of a Telnet session to the router initiated by the user. Once the user successfully initiates a Telnet session to the router, the Telnet session is ended by the router and a dynamic entry is added to the access list. The user can then use the newly created opening through the router. Using dynamic access lists requires that usernames and passwords are entered into the router, and that the access list has a statement reflecting the username that is mapped to a permission statement. There are four steps required to use a dynamic access list:
• The extended access list must be created.
• The access list must be assigned to an interface.
• The user must be authenticated through TACACS+, RADIUS, or through a username and password on the router.
• The user must be able to Telnet to the virtual terminal.
The following is an example of a dynamic access list. Note that the use of an exclamation mark (!) at the beginning of a line indicates that the line is a comment.

access-list 109 permit tcp any host 172.31.10.2 eq telnet
access-list 109 dynamic testdynamic timeout 10 permit ip any any
access-list 109 deny ip any any
!Set up the access list with a dynamic entry called "testdynamic."
!This is the same name as is used in the Telnet session.
!The timeout is set to 10 minutes.
!The dynamic list entry permits ip traffic from and to any host.
!As with any extended access list, you could allow only certain protocols or
!ports to be available through this access list entry.
interface serial 1
 ip address 172.30.1.1 255.255.255.0
 ip access-group 109 in
!Assigns the access list number 109 to the interface.
username testdynamic password iwanttotelnet
!This sets up the user with a password.
line vty 0 4
 login local
!Use the local login.
 autocommand access-enable host timeout 5
!This is the line that creates the dynamic entry when the user logs in.
 password mypassword
 rotary 1
!You need a way for the administrator to access the router.
!Using "rotary 1" says that admin Telnets should occur on port 3001.
!"rotary 2" would mean port 3002. And so on.

Three show access-list commands follow. The first one is from before the user Telnets to the router. The second one is from during the timeout period that the new opening exists. The last one is from after the opening has closed. Before the user Telnets to the router:
routera#show access-list
Extended IP access-list 109
permit tcp any host 172.31.10.2 eq telnet
dynamic testdynamic timeout 10 permit ip any any

During the timeout period:

routera#show access-list
Extended access-list 109
permit tcp any host 172.31.10.2 eq telnet
dynamic testdynamic timeout 10 permit ip any any
permit ip host 192.168.1.2 any idle-time 5 min.

After the opening has closed:

routera#show access-list
Extended IP access-list 109
permit tcp any host 172.31.10.2 eq telnet
dynamic testdynamic timeout 10 permit ip any any

In the preceding examples, the user at host 192.168.1.2 created the dynamic permit statement in the access list by Telnetting to the router. In response, the dynamic access list opened all traffic to that host from the outside. This opening will remain for as long as data is traveling to and from the local host. When activity ceases for the amount of time specified within the dynamic statement, 5 minutes in this example, packets destined for 192.168.1.2 will again be denied. Figure 5-1 shows how under normal circumstances access from the outside to the host at 192.168.1.2 is prevented.

Figure 5-1. Before User Authenticates with Router

Once the user at host 192.168.1.2 is authenticated by the router, a new entry opens in the router, allowing access to host 192.168.1.2. This is illustrated in Figure 5-2.
Figure 5-2. After User Authenticates with Router

This is not an ideal situation because you do not necessarily want all traffic to be able to enter; you only want the traffic that is directly related to the type of connection the user wishes to establish. Although you could limit the type of traffic available through this opening by adjusting the dynamic statement, this presupposes that you know exactly what type of traffic a user will want. CBAC was designed for this purpose and is covered later in this chapter, in the section "How Context-Based Access Control (CBAC) Works."
Time-Based Access Lists

Starting with IOS version 12.0, time-based access lists allow an administrator to base security policies on the time of day and day of the week. This is a powerful tool, which allows the administrator to enable policies such as limiting the download of Web-based music or the playing of games over the internal network to after normal business hours. The end result is that the system users can play music and games when network response times are not an issue. This can be important from a political viewpoint, because a lot of users think that the administrators and security administrators prevent them from having fun, even when it does not affect any company goal. Additional benefits can be realized by using time-based access lists in the areas of dial-on-demand routing, policy-based routing, and queuing. These are all beyond the scope of this book, but are still useful in the daily administration of a network. To establish time-based access lists, three steps are necessary:

Step 1. Accurate times must be established on all affected routers. Generally speaking, the easiest way to accomplish this is by using Network Time Protocol (NTP).
Step 2. Time ranges must be established. This is done by one of two methods. The first method is to use the periodic statement. The syntax for the periodic command is shown below:

periodic day-of-week hh:mm to day-of-week hh:mm

In the preceding command syntax, a number of substitutions are available for the day-of-week variable. The day-of-week can be any individual day; a selection of days separated by spaces; or the words daily to represent every day, weekday to represent Monday through Friday, or weekend to represent Saturday and Sunday. If the time to be specified traverses specific days, a second day-of-week is used after the to keyword. The hh:mm variable is the time entered in military time. The following two examples show how to use the periodic statement. The first example will set the time of the permissions for the time range named "firsttime" between 08:00 (8 a.m.) and 13:00 (1 p.m.) on Tuesday, Wednesday, and Thursday:

time-range firsttime
 periodic Tuesday Wednesday Thursday 08:00 to 13:00

The second example sets the time for the time range named "secondtime" of the permissions to be checked between 22:00 (10 p.m.) on Friday and 23:30 (11:30 p.m.) on Saturday:

time-range secondtime
 periodic friday 22:00 to saturday 23:30

Another method for setting a time range is to use the absolute command, which is used to assign specific hours and dates to a named time range. The following example assigns the time of 11:00 on January 1, 2001 through 14:00 on January 2, 2002 to the time range named "absolutetime."

time-range absolutetime
 absolute start 11:00 1 january 2001 end 14:00 2 january 2002

Step 3. Once a time range is defined, it can be used within an extended access list. The following is an example of using the "firsttime" time range to limit Telnet access. In this example, Telnet is only permitted between 08:00 and 13:00 on Tuesday, Wednesday, and Thursday:

access-list 110 permit tcp any any eq telnet time-range firsttime
access-list 110 deny ip any any

Time-based access lists allow the administrator to allow or deny traffic based on the current time. Another tool available to the administrator is a reflexive access list, which will be discussed next.
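Because a time range is evaluated by the router against its own clock (which is why Step 1 insists on NTP), it helps to be able to work out offline when a given range will be active before applying it. The following Python code is an added example, not from the book: it parses time-range definitions written the way IOS stores them and decides whether a named range is active at a given moment, including a periodic window that runs across midnight into the next day, which the secondtime range above relies on. It accepts both the book's weekday keyword and the weekdays spelling; the embedded definitions are the three ranges from this section.

```python
"""Evaluate Cisco IOS time-range definitions offline (added example, not the book's code)."""
import calendar
from datetime import datetime

DAY_INDEX = {name.lower(): i for i, name in enumerate(calendar.day_name)}       # monday = 0
DAY_GROUPS = {"daily": list(range(7)), "weekdays": list(range(5)),
              "weekday": list(range(5)), "weekend": [5, 6]}                      # both spellings accepted
MONTH_INDEX = {name.lower(): i for i, name in enumerate(calendar.month_name) if name}
MINUTES_PER_DAY, MINUTES_PER_WEEK = 24 * 60, 7 * 24 * 60


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def _parse_periodic(tokens):
    """periodic <day ...> hh:mm to [day] hh:mm"""
    to = tokens.index("to")
    days = []
    for day in tokens[:to - 1]:
        days.extend(DAY_GROUPS[day] if day in DAY_GROUPS else [DAY_INDEX[day]])
    tail = tokens[to + 1:]
    end_day = DAY_INDEX[tail[0]] if len(tail) == 2 else None   # window crosses into another day
    return {"days": days, "start": _minutes(tokens[to - 1]), "end_day": end_day, "end": _minutes(tail[-1])}


def _parse_absolute(tokens):
    """absolute [start hh:mm day month year] [end hh:mm day month year]"""
    bounds = {"start": None, "end": None}
    for i in range(0, len(tokens), 5):
        keyword, hhmm, day, month, year = tokens[i:i + 5]
        bounds[keyword] = datetime(int(year), MONTH_INDEX[month], int(day), *divmod(_minutes(hhmm), 60))
    return bounds


def parse_time_ranges(config):
    """Return {name: {"periodic": [...], "absolute": [...]}} for every time-range block in an IOS config."""
    ranges, current = {}, None
    for raw in config.splitlines():
        tokens = raw.strip().lower().split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] == "time-range":
            current = tokens[1]
            ranges.setdefault(current, {"periodic": [], "absolute": []})
        elif current and tokens[0] == "periodic":
            ranges[current]["periodic"].append(_parse_periodic(tokens[1:]))
        elif current and tokens[0] == "absolute":
            ranges[current]["absolute"].append(_parse_absolute(tokens[1:]))
        else:
            current = None   # any other command ends the time-range block


    return ranges


def _periodic_active(entry, when):
    weekday, now = when.weekday(), when.hour * 60 + when.minute
    if entry["end_day"] is None:                      # same-day window on each listed day
        return weekday in entry["days"] and entry["start"] <= now <= entry["end"]
    now_in_week = weekday * MINUTES_PER_DAY + now     # window spanning days, possibly past Sunday
    end = entry["end_day"] * MINUTES_PER_DAY + entry["end"]
    for start_day in entry["days"]:
        start = start_day * MINUTES_PER_DAY + entry["start"]
        stop = end + MINUTES_PER_WEEK if end < start else end
        if start <= now_in_week <= stop or start <= now_in_week + MINUTES_PER_WEEK <= stop:
            return True
    return False


def time_range_active(ranges, name, when):
    """True if the named range is active at 'when' (a datetime or an ISO 8601 string).

    IOS semantics: the absolute bounds must contain 'when', and if periodic entries exist
    at least one of them must match."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    entry = ranges[name]
    for bounds in entry["absolute"]:
        if (bounds["start"] and when < bounds["start"]) or (bounds["end"] and when > bounds["end"]):
            return False
    return not entry["periodic"] or any(_periodic_active(p, when) for p in entry["periodic"])


# The three ranges defined in the text, in the form they take in an IOS configuration.
SAMPLE_CONFIG = """
time-range firsttime
 periodic Tuesday Wednesday Thursday 08:00 to 13:00
time-range secondtime
 periodic friday 22:00 to saturday 23:30
time-range absolutetime
 absolute start 11:00 1 january 2001 end 14:00 2 january 2002
"""
RANGES = parse_time_ranges(SAMPLE_CONFIG)

if __name__ == "__main__":
    for name, stamp in [("firsttime", "2001-01-02T09:00"), ("secondtime", "2001-01-06T10:00"),
                        ("absolutetime", "2003-01-01T00:00")]:
        print(name, stamp, time_range_active(RANGES, name, stamp))
```

January 2, 2001 was a Tuesday, so the first check prints True; Saturday January 6 at 10:00 falls inside the Friday-to-Saturday window of secondtime; and 2003 is past the end of absolutetime. A range whose periodic window wraps past Sunday (for example sunday 22:00 to monday 06:00) is handled by the week-length shift in _periodic_active.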
Reflexive Access Lists

Reflexive access lists are a type of extended access list that allow two access lists to work together dynamically. When the outbound access list senses a connection to a remote site, the inbound access list is opened up to allow two-way communications to occur. Once this two-way session is completed, the inbound access list is again closed to the remote site. The characteristics of reflexive access lists are as follows:

• There are no implied deny any statements at the end of the reflexive access control list.
• A reflexive access list entry is always a permit entry.
• Named access lists are used in pairs and relate to each other while using reflexive access lists.
• The inbound interface access list is dynamically changed in relation to sessions initiated from the inside of the network. These dynamic changes are created and removed as sessions are initiated and closed from hosts on the internal network or after a specified time of inactivity. In the case of TCP, the FIN or RST bit is used. In UDP connections, or when a TCP session is not properly ended, the timeout is used.
• Reflexive access lists support TCP and UDP sessions.
• Reflexive access lists are built within extended access lists and are not applied directly to an interface.
• Reflexive access lists provide security greater than that experienced with extended access lists, especially in the area of spoofed addresses and certain DoS attacks.
• Reflexive access lists are a type of named access list that allows two access lists to work together dynamically, creating Layer 4 session-based filtering.

Reflexive access lists are similar to dynamic access lists, as both dynamically open pathways through the router based on the needs of a user at a given time. These pathways are closed once the initiating application has terminated. The advantage of reflexive access lists is that the user does not need to be authenticated on the router by initiating a Telnet session. This allows a transparent operation, where the user is not even aware that an access list is controlling availability. Additionally, reflexive access lists are much easier to use with mass-produced and system-based software because no additional steps are required to allow additional access. When setting up reflexive access lists, two access lists must be created: one for the inbound packets, and one for the outbound packets. The following is an example of two access lists without any reflexive properties. After the example, you will see these access lists with changes to incorporate reflexive properties.
interface Serial 0
 ip access-group inbound in
 ip access-group outbound out
ip access-list extended inbound
 permit ip 10.1.1.0 0.0.0.255 172.30.1.0 0.0.0.255
 deny ip any any
ip access-list extended outbound
 deny ip 172.30.1.18 0.0.0.0 10.1.1.0 0.0.0.255
 permit ip any any

In the preceding configuration, any IP packet destined for the 172.30.1.0/24 network with a source address on the 10.1.1.0/24 network is allowed into the router. All packets from inside the network are allowed out except for those originating from 172.30.1.18 and destined to the 10.1.1.0/24 network. The problem with this list becomes apparent when someone inside the corporate network wants to establish a connection to another network that is not on the access list. For example, if a user wants to establish a connection to the 10.10.10.0/24 network, the inbound access list will prevent the receipt of responses. Reflexive access lists were designed with this particular situation in mind. You can easily change the access lists to allow a connection initiated on the inside of the network to be available as needed. The following is an example of how the access lists change to allow this:

interface Serial 0
 ip access-group inbound in
 ip access-group outbound out
ip access-list extended inbound
 permit ip 10.1.1.0 0.0.0.255 172.30.1.0 0.0.0.255
 evaluate packetssent
 deny ip any any
ip access-list extended outbound
 deny ip 172.30.1.18 0.0.0.0 10.1.1.0 0.0.0.255
 permit tcp any any reflect packetssent timeout 90
 permit udp any any reflect packetssent timeout 60
 permit icmp any any reflect packetssent timeout 30
 permit ip any any

A total of four lines have been added to the configuration. The first line, evaluate packetssent, is applied on the inbound filter. The next three lines are applied to the outbound filter. When an outbound packet is seen on the interface, the outbound access list is checked. If the packet meets any of the criteria, it is allowed through. If no activity is present on the connection for the period in seconds specified by the timeout parameter, the reflexive access list entry will automatically be discontinued. The following paragraph contains a specific example to help you understand exactly what happens to the access lists. Assume that a user on host 172.30.1.18 initiates a Telnet connection to 10.10.10.10. The outbound access list sees the Telnet packets and mirrors them on the inbound filter to allow responses. In fact, the inbound filter dynamically changes to allow responses to travel through the interface in response to the connection initiated from 172.30.1.18. Using the show access-list command proves this. Three examples of the show access-list command follow, one before the connection is initiated, one while the connection session is running, and one after the connection has terminated. Notice that while the session is running, the "packetssent" reflexive access list is visible and contains a permit statement allowing Telnet traffic from the remote host with the appropriate port number. The inbound filter evaluates the inbound traffic against this temporary access list and permits the packets that match the criteria. Before the connection is initiated:
routera#show access-list Extended ip access list inbound permit ip 10.1.1.0 0.0.0.255 172.30.1.0 0.0.0.255 evaluate packetssent deny ip any any extended ip access list outbound deny ip host 172.30.1.18 10.1.1.0 0.0.0.255 permit tcp any any reflect packetssent timeout 90 permit udp any any reflect packetssent timeout 60 permit icmp any any reflect packetssent timeout 30 permit ip any any Dur ing t he connect ion session:
routera#show access-list Extended ip access list inbound permit ip 10.1.1.0 0.0.0.255 172.30.1.0 0.0.0.255 evaluate packetssent deny ip any any extended ip access list outbound deny ip host 172.30.1.18 10.1.1.0 0.0.0.255 permit tcp any any reflect packetssent timeout 90 permit udp any any reflect packetssent timeout 60 permit icmp any any reflect packetssent timeout 30 permit ip any any reflexive access list packetssent permit tcp host 10.10.10.10 eq telnet host 172.30.1.18 eq 1045 (15 matches) (time left 23 seconds) Aft er t he connect ion has t er m inat ed:
routera#show access-list Extended ip access list inbound permit ip 10.1.1.0 0.0.0.255 172.30.1.0 0.0.0.255 evaluate packetssent deny ip any any extended ip access list outbound deny ip host 172.30.1.18 10.1.1.0 0.0.0.255 permit tcp any any reflect packetssent timeout 90 permit udp any any reflect packetssent timeout 60
165
permit icmp any any reflect packetssent timeout 30 permit ip any any Figure 5 - 3
show s t he sequence of t he r eflexive access list exam ple.
Figur e 5 - 3 . Re fle ct ive Acce ss List s Ope n t he Rout e r in Re sponse t o Conne ct ions I nit ia t e d fr om I nside t he N e t w or k
As w it h all access list s, placem ent s of per m it and deny st at em ent s ar e cr ucial t o pr oper funct ioning. I f t he user chose t o Telnet t o a host on t he 10.1.1.0/ 24 net w ork, t he request w ould st ill hav e been denied, because t he deny st at em ent for t hat net w or k w ould hav e been evaluat ed befor e r eaching t he r eflexive access list st at em ent s. Alt hough a r eflex iv e access list is a v er y pow er ful and useful t ool, t her e ar e st ill som e lim it at ions. Reflexive access list s do not have t he abilit y t o handle m ult iple channel applicat ions. Cont ext -based Access Cont r ol ( CBAC) , w hich w ill be discussed lat er in t his chapt er in t he sect ion " How Cont ext- Based Access Cont rol ( CBAC) Works ," w as designed t o pr ov ide secur it y support for m ult iple channel applicat ions.
Null Route

An alternative to access lists is the null route command. This is actually a static route that directs packets to the null interface. The null interface, also known as the bit bucket, simply drops packets instead of forwarding them to the next hop. Using this command has a number of advantages. The first is that very few CPU cycles are required to implement this method. Unlike an access list, which can consume an unacceptable number of CPU cycles, using the null route command consumes no more cycles than any other static route. The next advantage is that a single entry can be used to control access to both inbound and outbound packets. The third advantage is that a null route can be redistributed, and therefore, a single entry can drop data destined for any given network as soon as that data attempts to traverse a router.

A drawback to using the null route command for security purposes is that using it does not prevent packets originating at the designated network from entering your company's network. However, responses destined to the designated network are dropped.

A null route is entered as a static route with the next-hop router entered as null. For example, if you wish to deny access to the 184.15.10.0/24 network, use the following:

ip route 184.15.10.0 255.255.255.0 null 0

This forwards all packets destined for the 184.15.10.0/24 network to the null bit bucket. In other words, the router throws away all packets destined for this network. Redistributing this static route allows all routers on the network to drop these packets. Look at Figure 5-4 to see an example of how a null route operates. After the null route is added to a single router and redistributed, all routers know to throw away packets destined for the 184.15.10.0/24 network. This method prevents wasting bandwidth within the network on packets that are ultimately destined to be dropped.

Figure 5-4. Null Route with Redistribution

In the Figure 5-4 example, if Host A tries to send information to the 184.15.10.0/24 network, the first router drops this packet. Likewise, if Host B tries to send data to the 184.15.10.0/24 network, the first router drops the packet.
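The null route for 184.15.10.0/24 with redistribution, written out as an added example rather than taken from the book. The OSPF process and area, the 172.30.1.0/24 LAN in the network statement, the Null0 hardening lines and the inbound access list on Serial 0 are assumptions; the access list addresses the drawback noted above, since the null route alone does not stop packets sourced from that network.

```cisco
! Added example, not the book's configuration. Static route to the bit
! bucket for the network used in the text.
ip route 184.15.10.0 255.255.255.0 Null0
!
! Assumption: without this, the router answers every dropped packet with
! an ICMP unreachable, spending CPU on a route that exists to save CPU.
interface Null0
 no ip unreachables
!
! Assumption: OSPF process 1 carries the LAN. Redistributing the static
! route lets every router in the area drop the traffic at first hop.
router ospf 1
 network 172.30.1.0 0.0.0.255 area 0
 redistribute static subnets
!
! The null route only covers traffic destined TO 184.15.10.0/24. Packets
! sourced FROM it still enter, so an inbound access list on the
! Internet-facing interface (Serial 0 assumed) closes that gap.
ip access-list extended from-internet
 deny   ip 184.15.10.0 0.0.0.255 any log
 permit ip any any
!
interface Serial 0
 ip access-group from-internet in
```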
Cisco IOS Firewall Features

Cisco IOS Firewall combines firewall features, routing services, and intrusion detection within a single router IOS. Formerly called the Cisco IOS Firewall Feature Set, Cisco IOS Firewall provides security and policy enforcement on a wide range of routers. Cisco IOS Firewall adds functionality to the existing Cisco IOS security capabilities. These enhancements include encryption, failover services, authentication, per-user authentication, real-time intrusion alerts, and application-based filtering through CBAC.

In Chapter 6, "Intrusion Detection Systems," Table 6-1 contains the Cisco IOS intrusion-detection signatures that are used in conjunction with CBAC. There are a total of 59 distinctive signatures recognized by Cisco IOS Firewall. These signatures are listed in the same numerical order as listed by their signature number in the NetRanger Network Security Database. These intrusion-detection signatures were chosen as representative of the most common network attacks and information-gathering scans not commonly found in an operational network. Included in Table 6-1 is an indication of the type of signature: Info or Attack, Atomic or Compound. Atomic signatures that show as Atomic* are allocated memory for session states by CBAC.
Port Application Mapping (PAM)

Port Application Mapping (PAM) gives the administrator the ability to customize TCP and UDP port numbers in relation to access lists. PAM allows support of services using ports different from the registered and well-known ports associated with an application. PAM creates a table of default port-to-application mapping information at the firewall router. This table is populated with system-defined maps when the IOS is booted. The administrator can modify this table to include host-specific and user-defined mappings. The PAM table works with CBAC-supported services to allow applications through the access list while still running on nonstandard ports. Without the use of PAM, CBAC is limited to inspecting traffic using only the standard application ports. CBAC uses the PAM table to identify a service or application. CBAC associates the nonstandard port numbers entered through PAM with specific protocols. The mappings serve as the default port mapping for traffic passing through the router.

System-Defined Port Mapping

When the system starts, the PAM table is created, and the system-defined variables are entered into the table. The PAM table contains entries comprising all the services supported by CBAC, which requires the system-defined mapping information to function properly. These system-defined mappings cannot be deleted or changed. It is possible, however, to override the system-defined entries for specific hosts using the PAM host-specific option. Table 5-1 lists the system-defined services, port mappings, and protocol descriptions.

Table 5-1. PAM System-Defined Services

| System-Defined Service | Port | Protocol |
|---|---|---|
| cuseeme | 7648 | CU-SeeMe |
| exec | 512 | Remote Process Execution |
| ftp | 21 | File Transfer Protocol control port |
| http | 80 | Hypertext Transfer Protocol |
| h323 | 1720 | H.323 protocol used by MS NetMeeting and Intel Video Phone |
| msrpc | 135 | Microsoft Remote Procedure Call |
| netshow | 1755 | Microsoft NetShow |
| real-audio-video | 7070 | RealAudio and RealVideo |
| smtp | 25 | Simple Mail Transport Protocol |
| sqlnet | 1521 | SQL*Net |
| streamworks | 1558 | StreamWorks Protocol |
| sunrpc | 111 | SUN Remote Procedure Call |
| tftp | 69 | Trivial File Transfer Protocol |
| vdolive | 7000 | VDOLive |
User-Defined Port Mapping

Using applications with nonstandard ports requires the addition of user-defined entries into the PAM table. Each instance of a nonstandard application is entered into the table. Applications can be enabled to use multiple ports or a range of ports by entering each port in succession. Entering a port number a second time with a new application overwrites the original entry. Attempting to enter an application using a system-defined port results in an error message and an unsuccessful mapping. Save mappings by writing the router configuration.

Host-Specific Port Mapping

User-defined entries can include host-specific mapping information, which establishes port mapping information for specific hosts or subnets. Host-specific port mapping overrides system-defined entries in the PAM table. It might be necessary to override the default port mapping information for a specific host or subnet. Using host-specific port mapping, the same port number can be used for different services on different hosts. For example, it is possible to assign port 6565 to Telnet on one host while assigning the same port (6565) to HTTP on another host. Host-specific port mapping also allows PAM to be applied to individual subnets. Similar to host-specific port mapping, you can assign port 6565 to Telnet on one network while assigning the same port (6565) to HTTP on another network.

Configuring PAM

The ip port-map command is used to configure PAM. The following example sets HTTP to ports 8000, 8001, 8002, and 8003. After this command is run, the keyword http in an access list relates not only to the default port 80, but also to ports 8000, 8001, 8002, and 8003. This example is entered in global configuration mode and applies globally:

ip port-map http port 8000
ip port-map http port 8001
ip port-map http port 8002
ip port-map http port 8003

If PAM is to be applied to only a specific access list, the entries are made with the additional keyword list and the access list number for the affected access list. The following example shows HTTP ports mapped to an access list 101. In this case, HTTP for access list 101 includes port 80 (the default), as well as port 8000:

access-list 101 permit tcp any any eq http
ip port-map http port 8000 list 101

In the following example, a specific host runs HTTP services on port 21, which is the system-defined port for FTP. Therefore, it requires a host-specific entry:

access-list 55 permit 172.30.1.2
!define the host that will have the default mapping changed
ip port-map http port 21 list 55
!map HTTP to port 21, replacing the default usage for port 21
How Context-Based Access Control (CBAC) Works

Context-based Access Control (CBAC) was designed for use with multiple-port protocols that are unable to be processed with reflexive access lists. Since standard and extended access lists work at the network (Layer 3) or transport (Layer 4) layers of the OSI model, their ability to work with some applications is limited. CBAC loosens these limitations by filtering packets based on the application (Layer 7) layer of the OSI model. Version 11.2 of the firewall feature set IOS includes CBAC for 1600 and 2500 series routers. IOS Version 12.0 expands the covered routers to include 1700, 2600, and 3600 series routers. The major additional features enabled through the use of CBAC are as follows:

• Application-layer filtering— CBAC filters TCP and UDP packets based on application-layer protocol session information. CBAC can be configured to inspect traffic for sessions that originate from either inside or outside of the corporate network. By watching not only Layers 3 and 4, but also Layer 7, CBAC learns the state of connection sessions and filters based upon that state. When a protocol, such as RPC or SQL*Net, requires negotiation of multiple channels, CBAC is still able to filter effectively where a standard or extended access list could not.

• IP packet fragmentation prevention and DoS defenses— CBAC can detect and prevent certain types of network attacks, such as SYN-flooding. SYN-flooding is a type of DoS attack where multiple SYN requests are sent to a router. The router holds these connections open until they time out or are completed. CBAC watches the packet sequence numbers for all connections and drops those that are of a suspicious origin. Suspicious packets are those outside of the expected range of sequence numbers. Additionally, CBAC detects and sends alert messages when an inordinately high number of new connections are seen.

• Administrative alerts and audit trails— CBAC creates audit trails and real-time alerts based on the events tracked by the firewall. Audit trails use syslog to track network transactions. The data included in this tracking contains source and destination address, source and destination port, and time stamps. Real-time alerts occur by sending syslog error messages to central management consoles.

• Support for the Cisco IOS Intrusion Detection System (IDS)— The Cisco IOS Firewall's Intrusion Detection System (Cisco IOS IDS) identifies a total of 59 of the most common attacks using the distinctive signatures of these attacks to detect patterns. CBAC has the ability to send data directly to a Cisco IDS component.
CBAC Operation

CBAC works in much the same manner as reflexive access lists. Both create temporary openings in access lists based on traffic traversing the external interface outbound from the router. These openings allow the returning traffic to enter the internal network back through the firewall. This traffic, normally blocked, is then allowed back through the router. In CBAC, only data from the same session that originally triggered the opening is allowed back through.

CBAC inspects traffic traveling through the router in order to discover and manage information about the state of TCP and UDP sessions. This information is used to create a temporary opening in access lists, allowing return traffic and additional data connections. These temporary access entries are never saved to NVRAM.

CBAC is limited in its ability to work with certain protocols. Not all protocols are supported, only those specified. If a protocol is not specified, no CBAC inspection will occur. As with all security methods, complete security cannot be guaranteed. CBAC excels in the detection and prevention of the most popular forms of attack. CBAC is usable only with IP protocol traffic, and only TCP and UDP packets are inspected. ICMP is not inspected with CBAC. Use standard or extended access lists instead of CBAC for ICMP. CBAC also ignores ICMP Unreachable messages.

Figure 5-5 shows an example of CBAC in action. When the user on the host initiates a connection to another host on the opposite side of the router, an opening is created on the outside of the router to allow the responding packets for this connection to travel through the router. Once this session has ended, this newly created opening will again be closed.

Figure 5-5. CBAC Creating a Temporary Opening Through the Firewall Router

The administrator must specify which protocols are to be inspected, as well as the interfaces and direction on which the inspection of these protocols occurs. Only the protocols specified will be inspected. The selected protocols will be inspected in both directions as they traverse the interface. The inspection of the control channel allows CBAC to detect and prevent certain types of application-based attacks. Packets are inspected by the access list first. CBAC then inspects and monitors the control channels of the connections. For example, when using FTP, CBAC parses the FTP commands and responses to those commands, but the actual data being transferred within the FTP program is not inspected. This is an important point, because only the control channels are monitored for state changes, not the data channels. Sequence numbers are tracked, and packets without the expected sequence number are dropped. CBAC has knowledge of application-specific commands and will detect and prevent some forms of attacks based on the nuances of applications. On detection of an attack, the DoS feature built into CBAC responds in one of three ways:

• Protect system resources
• Block packets from the source of the suspected attack
• Generate alert messages

This feature protects system resources by determining when to drop sessions that have not become fully established. Timeout values for network sessions are set in order to free up system resources by dropping sessions after the specified time. Threshold values for network sessions are set in order to prevent DoS attacks by controlling the number of half-open sessions. CBAC drops a session to reduce resource usage, and a reset message is sent to both the source and destination for that session. There are three thresholds used by CBAC in relation to DoS attacks:

• The total number of half-open sessions
• The number of half-open sessions per given amount of time
• The number of half-open TCP sessions per host

When a threshold is exceeded, CBAC acts in one of two ways:

• Sends a reset message to the source and destination of the oldest half-open session and drops the session.
• Blocks all SYN packets for the time specified with the threshold value. This is only used on TCP sessions.

To activate DoS prevention and detection, an inspection rule must be created and applied to an interface. This inspection rule needs to include the protocols you wish to monitor regarding DoS attacks. As packets traverse the interface, a state table is maintained. Returning traffic is compared to this table to ensure that the packet belongs to a current session. UDP is a connectionless service. Therefore, no session information is carried in UDP packets. CBAC uses a method of approximation to ensure reasonable care is used when allowing UDP packets through an interface. Each UDP packet is compared to previous UDP packets to see whether the source and destination addresses match, the port numbers match, and so on. Additionally, inbound UDP packets must be received after an outbound UDP packet within the time specified by the UDP idle timeout command.
Sequence of CBAC Events

CBAC follows a defined flow of events when dealing with packets. Figure 5-6 shows the logical flow for these events. Take a few moments to view this logical flowchart before moving through the supported protocols.

Figure 5-6. Sequence of CBAC Events

Protocol Sessions Supported by CBAC

CBAC can be configured to support the protocol sessions outlined in Table 5-2.

Table 5-2. Supported CBAC Session Protocols

| Protocol | Notes |
|---|---|
| TCP | Handles all types of TCP sessions |
| UDP | Handles all types of UDP sessions |
| CU-SeeMe | White Pine version only |
| FTP | CBAC does not allow third-party connections. Data channels must have the destination port in the range of 1024 to 65,535 only |
| H.323 | Microsoft NetMeeting and ProShare use H.323 |
| HTTP | Java blocking |
| Microsoft NetShow | |
| Java | Protects against unidentified, malicious Java applets |
| UNIX R commands | rsh, rexec, rlogin, and so on |
| RealAudio | |
| SUN RPC | SUN-compliant RPC; does not handle DCE RPC |
| Microsoft RPC | |
| SMTP | Any packet not on the following list is considered illegal: DATA, EHLO, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, VRFY |
| SQL*Net | |
| StreamWorks | |
| TFTP | |
| VDOLive | |

The term supported means that when a protocol is configured for CBAC, that protocol's traffic is inspected, state information is maintained, and packets are allowed back through the firewall only if they belong to a permissible session (with the exception of connectionless protocols, such as UDP).

Compatibility with Cisco Encryption Technology (CET) and IPSec

When three routers are connected, the middle router is using CBAC, and the outside routers are running encryption, the results might not be what you expect. The reason is that CBAC cannot accurately inspect payloads that have been encrypted. This should be an expected occurrence, because encryption is specifically designed to prevent any but the end routers from being able to decipher the data. This situation is presented in Figure 5-7.

Figure 5-7. Compatibility with CET

Additionally, configuring both CBAC and encryption on the same router causes CBAC to stop working with some protocols. CBAC will still work with single-channel TCP and UDP, with the exception of Java and SMTP. CBAC will not work with any multiple-channel protocols, except StreamWorks and CU-SeeMe. Therefore, when configuring both encryption and CBAC on the same router, configure Generic TCP, Generic UDP, CU-SeeMe, and StreamWorks as the only protocols.

CBAC is compatible with IPSec under limited circumstances. If the router running CBAC is the endpoint of an IPSec connection, there are no known compatibility issues. However, if the router running CBAC is not the endpoint of an IPSec connection, the same problem as with encryption occurs. For CBAC to run properly, the data within individual packets must be examined. Any time that this data is encrypted, CBAC will not work. Additionally, IPSec packets are not TCP or UDP packets, which are the only types of packets CBAC is able to process.
Configuring CBAC

This section discusses the configuration of CBAC. Several steps are required to make CBAC effectively secure the corporate network:

Step 1. Choose an interface.
Step 2. Configure IP access lists on the interface.
Step 3. Configure global timeouts and thresholds.
Step 4. Define inspection rules and apply the inspection rule to the interface.
Step 5. Configure logging and audit trail.

Each of these will be discussed in turn.

Choose an Interface

The first step of configuring CBAC poses the administrator with a dilemma: Should CBAC be configured on the inside or outside interface? Should a demilitarized zone (DMZ) be created? No matter what configuration is ultimately chosen, one direction should always be configured first. Only after this configuration is thoroughly tested should a second interface be added. The outside interface is the interface that connects to the Internet. An inside interface is an interface that connects directly to the corporate LAN. A DMZ is a network that is owned and controlled by a company and is not directly connected to either the Internet or the company LAN. The most common configuration is shown in Figure 5-8. In this configuration, CBAC is enabled on the external interface to prevent unauthorized access into the corporate network. In this configuration example, the only traffic allowed in from the Internet is in response to traffic initiated within the corporate network.

Figure 5-8. Protecting the Corporate Network with CBAC

Figure 5-9 shows a different and slightly more complex configuration. In this configuration you build a DMZ to allow some access from the Internet to services provided to the general public. Examples of these services could include DNS, Web, or FTP servers.

Figure 5-9. CBAC with a DMZ

When enabling CBAC as in the example in Figure 5-9, configure it on the internal Ethernet 0 interface. This method allows access to the DMZ from the Internet while still allowing access to the internal network in response to sessions initiated from within the corporate network. No matter which interface is chosen for CBAC configuration, some basics regarding applying access lists in relation to CBAC need to be discussed.

Configure IP Access Lists on the Interface

To maximize the benefits of CBAC, IP access lists need to be correctly configured. Some general rules should be followed when designing access lists for use with CBAC:

• Start with the basics. Make the initial access list as simple as possible and expand after it is thoroughly tested.

• Permit those protocols you wish CBAC to inspect to leave the network. For example, if TFTP traffic is prohibited from leaving the network, CBAC will never evaluate TFTP traffic.

• Deny returning CBAC traffic from entering through the router through an extended access list. This may sound wrong at first, but CBAC will create the temporary holes to allow data through in response to a valid request.

• Do not initially configure an access list preventing traffic from the internal side to the external side of the network. All traffic should flow freely out of the network until CBAC is fully functional. This is invaluable for troubleshooting purposes.

• Allow ICMP messages to flow freely in the initial configuration. ICMP traffic is not inspected by CBAC; therefore, entries are needed in the access list to permit return traffic for ICMP commands.

• Add an access list entry denying any network traffic from a source address matching an address on the protected network. This should really be done on all routers.

• An outbound access list on an external interface should permit traffic that you want to be inspected by CBAC. If traffic is not permitted, it will be dropped before getting to CBAC.

• The inbound IP access list at the external interface must deny traffic destined to be inspected by CBAC.

• The inbound IP access list at the internal interface must permit traffic destined for inspection by CBAC.

In essence, you need to allow CBAC to see the packets from the trusted side of the network. You also need to prevent returning packets and rely on CBAC to allow them to traverse the interface.
Configure Global Timeouts and Thresholds

CBAC uses timeouts and thresholds in conjunction in order to determine how long to manage state information for a session. Timeouts and thresholds are also used to determine when to drop sessions that are not fully established. Because timeouts and thresholds are so closely related, they are usually configured at the same time. These are global, so they apply to all CBAC configurations on the router. The easiest way to configure the timeouts and thresholds is simply to use the default values. In this case, no changes to the configuration are necessary. However, this section will still explore timeouts and thresholds in case optimizations are necessary based on your individual corporate needs. All of the thresholds and timeouts available for changing, as well as their default values and a short description of the effect when they are changed, are listed in Table 5-3.

Table 5-3. CBAC Timeouts and Thresholds

| Command | Default | Use |
|---|---|---|
| ip inspect dns-timeout seconds | 5 seconds | The length of time a DNS name lookup session remains active after no activity |
| ip inspect max-incomplete high number | 500 concurrent half-open sessions | The number of concurrent half-open sessions that causes the software to start deleting half-open sessions |
| ip inspect max-incomplete low number | 400 concurrent half-open sessions | The number of concurrent half-open sessions that causes the software to stop deleting half-open sessions |
| ip inspect one-minute high number | 500 half-open sessions per minute | The rate of new sessions at which CBAC starts deleting half-open sessions |
| ip inspect one-minute low number | 500 half-open sessions per minute | The rate of new sessions at which CBAC stops deleting half-open sessions |
| ip inspect tcp finwait-time seconds | 5 seconds | The length of time a TCP session stays active after the firewall detects a FIN-exchange |
| ip inspect tcp idle-time seconds | 3600 seconds (1 hour) | The length of time a TCP session stays active after no activity (the TCP idle timeout) |
| ip inspect tcp max-incomplete host number block-time minutes | 50 existing half-open TCP sessions; 0 minutes | The number of existing half-open TCP sessions with the same destination host address that causes CBAC to start dropping half-open sessions to the same destination host address |
| ip inspect tcp synwait-time seconds | 30 seconds | The length of time CBAC waits for a TCP session to reach the established state before dropping the session |

As with most commands, the timeout and threshold commands can be reset to the default by entering the no form of the command.
Define Inspection Rules Aft er t he t im eout s and t hr esholds ar e set , t he inspect ion r ules ar e defined. The inspect ion r ules delineat e w hich pack et s w ill be inspect ed by CBAC for a given int erface. Unless you are configur ing t w o separ at e int er faces bot h t o use CBAC, only a single inspect ion r ule is defined. The inspect ion r ules define w hich applicat ion -layer pr ot ocols r elying on I P w ill be inspect ed by CBAC. The inspect ion rules also include opt ions for audit t r ail m essages, aler t m essages, and packet fragm ent at ion. Tw o v ar iat ions of t he ip inspect nam e com m and ar e available for set t ing inspect ion of an applicat ion -layer pr ot ocol. The follow ing ar e t he t w o var iat ions:
ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

and

ip inspect name inspection-name rpc program-number number [wait-time minutes] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

The first instance of the command configures CBAC inspection for application-layer protocols, except for RPC and Java. The protocol keywords will be discussed in the next section. This command is repeated for each desired protocol, using the same inspection name each time. If more than one interface is using CBAC, this command is repeated for each protocol used with each interface, associating one name for each interface. The second variation is used to enable CBAC inspection for the RPC application-layer protocol. As with the first instance, this command is specified multiple times, once for each program number.
Table 5-4 contains a list of the keywords used for the protocol argument in the ip inspect name command.

Table 5-4. ip inspect name Command protocol Keywords

Keyword | Protocol
cuseeme | CU-SeeMe
h323 | H.323
netshow | Microsoft NetShow
rcmd | UNIX R commands (rlogin, rexec, rsh, and so on)
realaudio | RealAudio
rpc | RPC
sqlnet | SQL*Net
streamworks | StreamWorks
tftp | TFTP
vdolive | VDOLive
A note concerning Microsoft NetMeeting 2.0: NetMeeting is an H.323 application-layer protocol that operates slightly outside of the normally accepted mode. Specifically, NetMeeting uses an additional TCP channel that is not defined within the H.323 specifications. To use NetMeeting and CBAC effectively, TCP inspection must also be enabled.
Java Blocking

CBAC filters Java applets by relying on a list of sites designated as friendly. In this method, a Java applet from a friendly site is allowed through, while applets from all other sites are blocked. The ip inspect name command is used to block Java applets:
ip inspect name inspection-name http [java-list access-list] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

Use the same inspection-name as the other protocols checked by CBAC, unless you intend to use CBAC on more than one interface. CBAC does not detect or block Java applets that are encapsulated within another format. CBAC also does not detect or block Java applets loaded through HTTP on a nonstandard port or through the use of FTP, Gopher, or any other protocol where it cannot be determined that the Java applet is within the data.
Fragmentation Inspection

CBAC can be used to help protect against DoS attacks that use fragmented packets by maintaining an interfragment state table for IP packets. When a packet is received that has the fragment bit set, is not the first packet of a sequence of packets, and is not received in the proper order, CBAC will drop the packet. This can cause problems in situations where it would normally be acceptable to accept packets out of order. When the sending host fails to receive an acknowledgement that all packets were received, another set of packets is sent. This can affect performance severely. If it is acceptable to receive packets out of order, the default settings should be left as they are. If, however, receiving packets out of order is unacceptable, use the following form of the ip inspect name command:

ip inspect name inspection-name fragment [max number timeout seconds]
Generic TCP and UDP

Inspecting TCP and UDP packets is possible even if the application-layer protocol has not been configured for inspection. Doing this, however, means that CBAC does not recognize commands that are specific to the application. In this case, CBAC does not necessarily allow all packets of an application through the interface. This usually happens when the returning packets have a different port number than that associated with the packet previously sent out this interface. Because a defined application-layer protocol takes precedence over the TCP or UDP packet inspection, the more protocols that are defined, the less likely that this problem will be seen. When using TCP and UDP inspection, packets attempting to enter the network must match the corresponding packet that previously exited the network in the source and destination addresses and ports. Failure to match results in the packet being dropped. UDP packets must also be received within the time specified by the ip inspect udp idle-time command. TCP packets must have the proper sequence number before being allowed to enter the interface. Inspection of TCP and UDP packets is enabled with the following commands:

ip inspect name inspection-name tcp [timeout seconds]
ip inspect name inspection-name udp [timeout seconds]

The next step in the configuration process is to configure logging and the audit trail.
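To make the matching rule concrete, here is a Python model of the session table that generic tcp and udp inspection keeps; it is an added example, not code from the book or from Cisco IOS. Addresses, ports and the 30-second UDP idle-time are constructed for the walk-through (the TCP idle-time uses the 3600-second default from the threshold table), and the last scenario reproduces the "different port number" failure mode for active FTP.

```python
"""Model of the session table used by generic tcp/udp inspection.

Constructed teaching model, not Cisco code. Every packet that leaves the
interface records the tuple its reply must carry (addresses and ports
swapped). A packet entering the interface is admitted only if it is that
exact mirror and arrives before the entry idles out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    t: float     # arrival time, seconds


class InspectTable:
    def __init__(self, tcp_idle=3600, udp_idle=30):
        # tcp_idle: ip inspect tcp idle-time (3600 s default);
        # udp_idle: ip inspect udp idle-time (30 s assumed for this model)
        self.idle = {"tcp": tcp_idle, "udp": udp_idle}
        self.sessions = {}   # expected inbound 5-tuple -> last activity time

    @staticmethod
    def _mirror(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    @staticmethod
    def _tuple(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def outbound(self, pkt):
        """Packet leaving the interface: open (or refresh) the return hole."""
        self.sessions[self._mirror(pkt)] = pkt.t

    def inbound(self, pkt):
        """Packet entering the interface: admit only an unexpired exact match."""
        key = self._tuple(pkt)
        last = self.sessions.get(key)
        if last is None:
            return "dropped: no matching outbound session"
        if pkt.t - last > self.idle[pkt.proto]:
            del self.sessions[key]          # entry aged out; the hole is closed
            return f"dropped: {pkt.proto} idle-time exceeded"
        self.sessions[key] = pkt.t          # activity keeps the hole open
        return "allowed"


def demo():
    """Constructed traffic: inside host 172.30.1.10, outside hosts 192.0.2.x."""
    fw = InspectTable()
    results = {}
    # 1. HTTP: the reply mirrors the request exactly -> allowed
    fw.outbound(Packet("tcp", "172.30.1.10", 40000, "192.0.2.80", 80, 0))
    results["http_reply"] = fw.inbound(
        Packet("tcp", "192.0.2.80", 80, "172.30.1.10", 40000, 1))
    # 2. Unsolicited inbound connection attempt -> no session, dropped
    results["unsolicited"] = fw.inbound(
        Packet("tcp", "192.0.2.80", 80, "172.30.1.10", 40001, 2))
    # 3. DNS over UDP: the reply arrives after the UDP idle-time -> dropped
    fw.outbound(Packet("udp", "172.30.1.10", 5353, "192.0.2.53", 53, 0))
    results["late_dns"] = fw.inbound(
        Packet("udp", "192.0.2.53", 53, "172.30.1.10", 5353, 40))
    # 4. Active FTP: the server opens the data channel from port 20 to a new
    #    client port. Generic tcp inspection never parsed the PORT command,
    #    so this return flow "has a different port number" and is dropped;
    #    an ftp inspection rule would have opened the hole.
    fw.outbound(Packet("tcp", "172.30.1.10", 40010, "192.0.2.21", 21, 0))
    results["ftp_data"] = fw.inbound(
        Packet("tcp", "192.0.2.21", 20, "172.30.1.10", 40011, 3))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```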
Configure Logging and Audit Trail

Turning on logging and audit trails provides a record of all access through the firewall. Logging and audit trails are extremely simple to implement. The following is a small sample configuration that turns on both logging and audit trails:

service timestamps log datetime
!Adds the date and time to syslog and audit messages
logging 172.30.1.8
!Specifies that syslog messages are sent to 172.30.1.8
logging facility syslog
!Configures the syslog facility in which error messages are sent
!Valid options instead of syslog are: auth, cron, kern, local0-7, lpr, mail,
!news, sys9, sys10, sys11, sys12, sys13, sys14, daemon, user, and uucp.
logging trap 7
!Sets trap logging to level 7 (debugging), the most verbose level;
!level 6 is informational
ip inspect audit-trail
!Turns on CBAC audit trail messages

CBAC Configuration Example

In the configuration example at the end of this section, a company, Bigg Incorporated, has a connection to a parts distributor on the 10.1.1.0/24 network through interface Serial 0.1. It also has a connection to one of its branch offices through interface Serial 0.2. The branch office is running on network 172.31.1.0/24.
Figure 5-10 shows a logical view of these connections.

Figure 5-10. Connection to Branch Office and Distributor
Because Bigg Inc. has no control over the network practices at the parts distributor, it enabled CBAC security between its main site and the distributor. All information exchanges, with the exception of ICMP messages, are denied by default. When a connection is initiated from within the corporate network, the CBAC will evaluate and allow a connection to be made. In this configuration, Bigg Inc. set the CBAC to examine seven protocols and set the timeout on each to 30 seconds. Next, the company created an extended access list numbered 111. This access list, working in conjunction with CBAC, allows only ICMP messages through, unless the connection is initiated from within the network. Bigg Inc. has added a named access list to the inbound and outbound sides of the serial interface connected to the branch office. This access list, in conjunction with the reflect statement, prevents all traffic from going to the branch office, except when in response to a session initiated from within the branch. Bigg Inc. could have added this prevention within the extended access list. However, this configuration illustrates how you can use CBAC on one interface without interfering with any other interface.

Interface Serial 0.1, which connects to the distributor's office, is set up with an IP address, an access list, and a call to the CBAC to inspect outgoing packets. Bigg Inc. allows HTTP (Web server) access to the host at 10.1.1.34 for port 80 (the default) and ports 8001, 8002, 8003, and 8004. Interface Serial 0.2 is then set up with an IP address and a standard access list that limits packets to the 172.31.1.0/24 network. Finally, Bigg Inc. set up an Ethernet interface that connects to the local network and the static IP routes. The company could alternatively use a routing protocol instead of static routes. The following is the configuration:
ip port-map http port 8001
ip port-map http port 8002
ip port-map http port 8003
ip port-map http port 8004
!Sets HTTP to equal ports 8001, 8002, 8003 and 8004 in addition
!to the default port 80

ip inspect name test cuseeme timeout 30
ip inspect name test ftp timeout 30
ip inspect name test h323 timeout 30
ip inspect name test realaudio timeout 30
ip inspect name test rpc program-number 100000
ip inspect name test streamworks timeout 30
ip inspect name test vdolive timeout 30
time-range httptime
 periodic weekdays 08:00 to 17:00
!Set the httptime to occur between 08:00 and 17:00
!(8 a.m. till 5 p.m.) on weekdays
access-list 111 permit tcp any host 10.1.1.34 eq www time-range httptime
!Because they added a port map earlier, this allows the new ports
!to have http access as well as the default port. Additionally, they
!limit HTTP access to weekdays (mon-fri) at certain hours
access-list 111 deny tcp any any
access-list 111 deny udp any any
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any 172.30.1.0 0.0.0.255 time-exceeded
access-list 111 permit icmp any 172.30.1.0 0.0.0.255 packet-too-big
access-list 111 permit icmp any 172.30.1.0 0.0.0.255 traceroute
access-list 111 permit icmp any 172.30.1.0 0.0.0.255 unreachable
access-list 111 deny ip any any

ip access-list extended inbound
 evaluate packetssent
!The only packets allowed to enter are in response to connections
!initiated from within the corporate network
 deny ip any any
ip access-list extended outbound
 permit tcp any any reflect packetssent timeout 90
 permit udp any any reflect packetssent timeout 60
 permit icmp any any reflect packetssent timeout 30
 permit ip any any
interface s0.1
 ip address 192.168.1.1 255.255.255.252
 ip access-group 111 in
 ip inspect test out
interface s0.2
 ip address 192.168.1.5 255.255.255.252
 ip access-group inbound in
!Set the named access list "inbound" to packets entering the
!interface
 ip access-group outbound out
!Set the named access list "outbound" to packets leaving the
!interface for use with the reflect statement
interface e0
 ip address 10.1.1.1 255.255.255.0
ip route 172.30.1.0 255.255.255.0 192.168.1.2
ip route 172.31.2.0 255.255.255.0 192.168.1.6
Summary

The preceding configuration combines most of the issues discussed in this chapter. Chapter 6 will discuss how the Intrusion Detection System works as a standalone option, as well as in conjunction with CBAC. Review the preceding configuration example before moving on to Chapter 6.
Chapter 6. Intrusion Detection Systems

This chapter contains the following sections:

• Overview of Intrusion Detection
• Intrusion Detection Systems
• Cisco Secure Intrusion Detection System (CSIDS)
• Cisco IOS Firewall IDS
• Cisco Secure PIX Firewall IDS
• Cisco Intrusion Detection System (IDS) Configuration
• Summary
• Frequently Asked Questions
• Glossary
With the growth of the Internet, and the reliance of industry on it for revenue through business and e-commerce, come new challenges. A great deal of this book covers these new challenges and the risks associated with them. One area of network security that is becoming increasingly important is intrusion detection. You can spend tens of thousands of dollars implementing a corporate security policy that deploys technologically advanced hardware devices such as stateful firewalls and VPN terminators, but how can you actively monitor the data flow on your network to ensure that these devices are doing their jobs? One way to test the network integrity is to use a port scanner or vulnerability scanner from an outside interface to ascertain what is visible on the inside from the outside world. These devices are excellent tools, but they only inform network administrators of what they really should already know. A lot of attacks, especially denial of service (DoS) attacks, masquerade as legitimate session traffic. These attacks can bypass the common firewall technologies, because the firewall presumes that they are genuine users with genuine service requests. This is where intrusion detection plays a part in the total security solution. The intrusion detection system (IDS) passively listens to data on the network segment and matches the traffic pattern against known security signatures. Once this data is collected and interpreted, actions can be taken. This chapter provides a basic introduction to intrusion detection. This overview looks at the two basic types of intrusion detection systems, host-based systems and network-based systems.

The chapter then looks at the intrusion detection offerings from Cisco Systems that form part of the Cisco Secure product family. These offerings include the Cisco Secure Intrusion Detection System (CSIDS), the Cisco Secure PIX Firewall, and Cisco IOS Firewall. A sample configuration of the intrusion detection capabilities for both the PIX Firewall and the router running Cisco IOS Firewall is also provided.
Overview of Intrusion Detection

Intrusion detection works in a similar manner to virus protection software applications. The virus scanner scans files within a given operating system and tries to match the file against a database of known viruses. If the file is matched against the database, the software application interacts and takes action. This action can be to remove the virus from the file or to delete the file from the file system of the operating system. Intrusion detection works in a similar way. Instead of checking files for viruses, an intrusion detection system monitors the flow of network traffic and compares this flow to the database of security signatures that have been configured on the intrusion detection device. When a match is made, the intrusion detection system usually can alarm, drop the packet, or reset the connection. This provides an excellent security tool that can scan the traffic on the network in real time and take action against any suspect activity. Two main types of intrusion detection systems are commonly available and in use in today's networks:
• Host-based intrusion detection systems
• Network-based intrusion detection systems

Host-Based Intrusion Detection Systems

Host-based intrusion detection systems exist on the actual hosts or servers that they are protecting. They use resources on the host, such as disk space, RAM, and CPU time, and run as any other application would. The IDS application installed on the host is referred to as an agent. The agent collects data by analyzing the operating system, applications, and system audit trails and compares this data to a predefined set of rules. These rules indicate whether a security breach or intrusion has been attempted. Because the agents actually run on the host, they can be fine-tuned to detect operating system intrusion attempts and offer greater flexibility in this area than network-based intrusion detection systems. The host agents can usually be configured to report intrusion attempts locally by some client application or centrally to an enterprise monitoring system. Scalability always becomes an issue with host-based agents, as you must install an agent on each protected host.
Figure 6-1 displays the deployment of host-based intrusion detection systems.

Figure 6-1. Host-Based Intrusion Detection
Network-Based Intrusion Detection Systems

Network-based intrusion detection systems are physical devices that are connected to various network segments within the protected network. Network-based intrusion detection systems usually comprise two components that work together to provide the IDS service. These two components are an IDS sensor (Cisco's is the Intrusion Detection Sensor) and an IDS management platform (Cisco's is the Intrusion Detection Director). The IDS sensors are hardware devices that passively monitor and analyze the traffic flow within a network segment. The sensor monitors the traffic and compares the collected data to prebuilt IDS signatures, to build up a profile of activity on the network segment. One problem with the IDS sensors is their placement. They can only monitor traffic that their network connection sees. The network interface listens in promiscuous mode to process all network traffic, even that not destined for the sensor itself. The obvious problem is that a normal switch port creates a separate collision domain and a shared broadcast domain throughout the VLAN to which the switch port is connected. Therefore, the sensor only receives unicast traffic destined for the sensor itself and broadcast traffic on that VLAN. To get around this, you should connect the IDS sensor to what is called a Switched Port Analyzer (SPAN) port on the switch. SPAN ports can be configured on all of the Cisco Catalyst range of switches. A SPAN port can be configured to listen to all unicasts and broadcasts for specific VLANs on one port. This is ideal for the IDS sensor, as it can then passively monitor and analyze all unicast traffic on the network segment across multiple VLANs.
Figure 6-2 shows a network-based intrusion detection system.

Figure 6-2. Network-Based Intrusion Detection
The second component of the network-based intrusion detection system is the IDS management platform. The IDS sensor sends notification messages to the IDS management platform, which can be configured to interpret these results and take necessary action on them.
Intrusion Detection Systems

Now that you have a brief explanation of intrusion detection, the remainder of this chapter covers the current intrusion detection offerings from Cisco Systems. There are three main offerings from Cisco across differing platforms:

• Cisco Secure Intrusion Detection System (CSIDS)
• Cisco IOS Firewall IDS
• Cisco Secure PIX Firewall IDS
Cisco Secure Intrusion Detection System (CSIDS)

Most of this book focuses on ways to prevent outside unauthorized entities from connecting to your network. This section differs in that the focus is on how patterns of abuse are detected from both internal and external sources. After a pattern of abuse is noted, you can respond in real time to the threat. The phrase patterns of abuse is used because the Cisco Secure Intrusion Detection System (CSIDS) looks at the format and the amount of data traversing your network to determine the likelihood and severity of threats. The patterns within the data traversing the network are analyzed to determine whether an attack has been launched. This section covers the CSIDS. The CSIDS is differentiated from the Cisco IOS Firewall IDS and the Cisco Secure PIX Firewall IDS in that the CSIDS is designed to run both independently and in conjunction with the existing hardware on a network. Additionally, the abilities of the CSIDS to detect and respond to threats are much greater than those built into either the Cisco IOS Firewall or the Cisco Secure PIX Firewall. These additional abilities are available because routing or performing firewall functions is not the main purpose of the CSIDS. The main purpose of the CSIDS is to detect and respond to patterns of abuse in real time. A full explanation of the details of installation, maintenance, and configuration of the CSIDS is beyond the scope of this book. However, this section gives you the theory necessary to begin your investigations into the CSIDS. This section provides an overview of the most important features and issues involved with the CSIDS: the basics of Sensor deployment, Director deployment, signatures, alarms, and log files.
Intrusion detection monitors against three forms of attack:

• Reconnaissance attacks: A reconnaissance attack is where an attempt is made to discover and map services, vulnerabilities, and systems for purposes of later access or denial of service (DoS) attacks. As little information about your network should be revealed as possible, because excessive revelations might show possible weaknesses that have not yet been addressed. For example, an internal user might scan the ports on a server to prepare for breaking into that server for confidential information.

• Access attacks: An access attack occurs when users actively attempt to access services to which they do not have authority. For example, an internal user sitting at a desk and repeatedly trying to log into a server with another user's name and different passwords is considered an access attack.

• Denial of service (DoS) attacks: A DoS attack occurs when an attempt is made to prevent valid use of a network or system. Many examples of DoS attacks, including the ping of death attack, are discussed throughout this book.

The CSIDS is designed to monitor for these types of attack and to notify the appropriate personnel in the event of such an attack. Logs are built that detail the suspicious packets. The CSIDS can also respond by denying service to the perpetrators of all three forms of attack.
Cisco has chosen to implement a packet-based detection method to determine when an attack is in progress. This method relies on comparing the data within each packet with a "signature" that indicates a possible attack. There are some differences between the signatures used within the Cisco IOS software used on routers and those found on the Cisco IDS equipment. One difference is the number of signatures: although the Cisco IOS has implemented 59 signatures and the PIX Firewall has implemented 57 signatures, the CSIDS has a much larger number of signatures. Additionally, CSIDS allows a skilled administrator to create new signatures. This allows the protection of the network to evolve as new threats emerge. The CSIDS was formerly called NetRanger, and many of the existing URLs on the Cisco web site still refer to this product with the old name. Keep the old name in mind when searching the Cisco web site for specific information about the CSIDS.
Overview of the CSIDS Components

The CSIDS comprises three components: the Sensor, the Post Office Protocol, and the Director. Each has a unique function. This section provides an overview of the functions of each before the rest of the chapter goes on to delve into the specifics of each component.

CSIDS Sensor

The CSIDS Sensor is a high-performance hardware appliance used to detect intrusion attempts. In essence, this is a packet sniffer that analyzes all of the network traffic on a given network segment, comparing the packets to an attack signature database. When a packet with qualities matching a signature within the database is detected, the Sensor notifies the Director and logs alarm activities. The Sensor can be configured to reset a TCP connection automatically, block an offending IP address, or log the session. The Sensor reassembles fragmented IP packets as necessary to determine the full threat posed by the packets.

CSIDS Post Office Protocol

The Post Office Protocol is responsible for delivering messages between the Sensors and the Directors. This protocol, using a UDP format on port 4500, is considered reliable because it requires an acknowledgement of all data sent and resends data as necessary. The Post Office Protocol can be configured to send messages to up to 255 alternate Directors if the primary Director is unavailable. Directors are specified by IP address.
CSIDS Director

The Director can be considered the focal point of the CSIDS components, because this is where displays and logs about alarms are stored. The administrator uses the Director to manage and respond to alarms through a graphical user interface (GUI). The Director can also be configured to send e-mail or to execute a user script when an alarm is received. The Director also allows for management and configuration of remote Sensors through the configuration management utility. This feature is especially useful in cases where a large corporation with multiple locations has chosen to centralize its security efforts.
Unit Identification

Both Directors and Sensors are identified uniquely. There are three parts to this identification, two of which are assigned by the administrator. The three parts are

• Host ID
• Organizational ID
• Application Identifier

Host ID

The Host ID is set to any number greater than zero. For example, one Sensor might be assigned number 1, a Director is assigned 2, and another Sensor is assigned 3.

Organizational ID

The Organizational ID is any number greater than zero. This is commonly used to group devices together according to region or function. For example, all Sensors and Directors in South America could be assigned 2000, while all Sensors and Directors within North America are assigned 3000. This makes it easier for the administrator of a large system to know where a device is located. The Host and Organizational ID are combined by adding a period (.) between the Host and Organizational ID numbers. Examples of this are 3.2000 and 2.2000.

Alpha Identifiers

Associated with the Host and Organizational IDs are the Host Name and Organization Name, respectively. The names are joined together in the same manner as their numeric counterparts. These also allow for easier identification of devices. For example, Sensors might be labeled sensor1.southamerica and sensor2.southamerica, while Directors might be labeled director1.northamerica or director2.northamerica. Although there is no specific rule stating that any naming conventions should be used, labeling devices logically and consistently greatly eases both administration and training of new personnel.
Application Identifiers

The Application Identifier is a statistically unique number assigned by the software. This allows for a combination among the three parts of the Identifier that should always be unique. These identifiers are used to route all communications between devices. The Sensor, the Post Office Protocol, and the Director work together to form the CSIDS. The next sections delve deeper into a discussion of the hardware associated with the CSIDS Sensor, an explanation of the Post Office Protocol, and a discussion of the requirements for the CSIDS Director.
The CSIDS Sensor

The CSIDS Sensor comes in two basic models. The first model is a standalone rack-mountable version, and the second model is a Catalyst switch module, also called a blade, residing within the Catalyst 6000 series. With the standalone rack-mountable version, there is a floppy disk provided for software upgrades and password recovery. The front cover is also lockable. The standalone model number is based on the type of network interface used for monitoring. The CSIDS Sensor can be used on Ethernet, Fast Ethernet, Single or Dual FDDI, and Token Ring. There are a number of connections available on the back of the Sensor. There are connections on the back for power, in addition to a COM port, and a monitor and a keyboard, which are used for initial configuration. Connecting a cable to the COM port of a computer is done in the same manner as with a router that uses the COM port. Notice that there are two network interface ports on the rear of the Sensor. The built-in horizontal network port, called the Command NIC, is used for communications with routers and the Director. The vertically mounted Monitoring NIC port is used to monitor the network segment. Although a standard Ethernet connection could be used to monitor a network with a number of Fast Ethernet connections, such a configuration could easily cause the Ethernet link to become overused because of the large amount of traffic that is typically traversing such a network. Both NICs must be connected for the Sensor to operate properly. When connecting the Monitoring NIC to a switch, ensure that SPAN monitoring is enabled for that port within the switch.

Because a switch, by default, forwards packets only to the appropriate ports, failing to enable port monitoring on the switch will result in the Sensor being unable to see attacks that are not directed toward the Sensor itself. In the event that multiple VLANs are in use, the Sensor can monitor more than one VLAN, if the switch is properly configured with port monitoring on the desired VLANs through the Monitor NIC port. The second form of the CSIDS Sensor is available in the form of a blade module for the Catalyst line of switches. This version of the Sensor becomes an integral part of the switch. The advantage of using this form of the Sensor is that all data destined for the Sensor travels over the backplane of the switch. Assume for a moment that the network you wish to monitor uses a Cisco Catalyst 6509 with four sets of 48-port Fast Ethernet modules. There is a very real possibility that the amount of data traveling through this switch could exceed the capacity of the single Fast Ethernet connection of the Monitoring NIC on a standalone version. Having this data travel through the backplane of the switch on the blade version means that the maximum amount of data inspected is not limited by a Fast Ethernet connection (100 Mbps). The limitation while using the blade version comes from the processing speed of the Sensor itself, instead of the Ethernet connection. The configuration of the Sensor is virtually the same, whether the standalone or the blade version is used. Because a larger number of the standalone versions are used, the remainder of this section will focus on this form of the Sensor.
CSIDS Sensor Deployment

The CSIDS Sensor can be deployed in a number of ways. Because all networks vary, there can be no single method of deployment that fulfills the needs of all networks. This section will show the more common methods available and discuss the benefits and deficits of each. Some items to consider while planning a Sensor deployment include the size and complexity of the network, the amounts and types of data traveling over the segment, and the connections between this network and other trusted and untrusted networks. Decisions also need to be made to determine which parts of the network should be monitored. If the Sensor is placed on the outside of a firewall, that Sensor can be used to monitor attacks directed against the firewall from the outside. However, the Sensor will not be able to watch for threats originating on the inside of the firewall and directed only to machines inside the firewall. Conversely, placing the Sensor inside the firewall will not allow the Sensor to monitor any attacks originating from the Internet directed toward the firewall. As with most networking decisions, a balance must be found that suits the administrator's individual situation. The following sections cover some practical ways to deploy the CSIDS Sensor.
Simple CSIDS Deployment

Figure 6-3 shows a simple deployment where the Sensor monitors the interior of the network. The Director is also located on the interior network. The switch must be configured to send port-monitoring data to the Monitoring NIC. Notice that the area monitored is limited by the PIX Firewall.

Figure 6-3. CSIDS Sensor Monitoring the Local Network
CSIDS Monitoring Beyond the Firewall

Figure 6-4 shows an example of how the Sensor could be deployed for purposes of monitoring the data transferred from the perimeter router to the firewall. In this model, the Command NIC is connected inside the firewall, while the Monitoring NIC is connected outside the firewall. The Sensor sends information about possible attacks to the Director through the Command NIC. In this scenario, the administrator will be made aware both of when an attack on the firewall from the Internet occurs and of the form of the attack.

Figure 6-4. CSIDS Sensor Monitoring Beyond the Firewall

Because the PIX allows packets to travel from the inside to the outside interface by default, the Sensor is also able to communicate with the perimeter router. In the event that an attack is observed, the Sensor can be configured to add an access control list on the perimeter router to block the attack. Adding the access control list is referred to as shunning. For shunning to occur, Telnet services on the router must be enabled, the router must be added to the Sensor's management list, and an access control list must not be present on the interface in the same direction as the access list that will be applied by the CSIDS.
Monitoring Remote Sites

In some networks, there exists a need to monitor a network segment connected through a nonsecured medium. A remote site that has the capability of configuring a connection to the main office can use a Sensor on either the protected or the unprotected portion of the network. Figure 6-5 shows an example of a Sensor at a remote site that is configured to monitor the unprotected portion of the remote site's network. As in the case when a local site monitors the unprotected network, the Monitoring NIC is connected between the perimeter router and the PIX Firewall. The Command NIC is connected to the protected network with an IP address on that network.

Figure 6-5. CSIDS Sensor Monitoring the Remote Network

Notice that the remote site does not have a directly connected CSIDS Director. The requirement is that two-way UDP connectivity between the Command NIC and the Director should be maintained. As long as the firewalls on each side allow UDP connectivity, there are no requirements for the location of the Director. In Figure 6-5, the connection from the remote site is over an encrypted tunnel. This is critical to the security of your network. Although there is no requirement by the Sensor or the Director that the path between the two is secure, it would be foolish to transfer data about the current vulnerabilities through the Internet. In the case that the connection to the remote site is through a more secure method such as dedicated Frame Relay, it might not be necessary to encrypt the connection. However, if the connection is not encrypted, any user with access to intermediate routers might be able to watch traffic traveling between the Sensor and the Director.
Noncontrolling Deployment

Another configuration is possible, although it is not recommended. It is pointed out to show how a common mistake can be avoided. Looking at Figure 6-6, notice that the Monitoring NIC is connected to the unprotected network, but the Command NIC is used to build a separate network to the Director. In this case, the Command NIC and the Director have no access to the perimeter router, because the Sensor does not route between the interfaces and only sends commands out through the Command NIC. Should an attack be discovered, there is no path from the Command NIC to the perimeter router that can be used to adjust the access control list on the perimeter router to block the attack. This scenario only allows for passive monitoring and logging of the network, while denying the functionality of responding to attacks in a real-time manner. Therefore, this configuration is not recommended.

Figure 6-6. CSIDS Sensor Without Control Capability
CSIDS Sensor Guidelines

So far, this section has given an overview of the CSIDS Sensor hardware and different common deployments. As with most other network configurations, a lot of the decisions on how to deploy something are individual to the needs of the particular network. There are, however, a few guidelines that should be remembered when deploying Sensors.

• The Sensor must be able to communicate with the Director through the Command NIC, using the UDP protocol on port 4500.
• The communications between the Sensor and the Director can provide hackers with data about the vulnerability of your network. Therefore, these communications should be treated as any other vital data.
• The Sensor only monitors a single segment at a time.
• The Catalyst IDS Sensor module accepts data at backplane speeds, bypassing the limitations of an Ethernet, Token Ring, or FDDI connection.
The CSIDS Post Office Protocol

The Post Office Protocol is used for communications between the Sensor and the Director. Both the Director and the Sensor can send a Post Office Protocol message. There are six types of messages that can be sent between the Sensor and the Director.

• Heartbeat
• Error
• Redirect
• Alarm
• Command log
• IP log

Each of these is explored in turn in the following sections.
Heartbeat

The heartbeat is used by the Sensor to poll the primary Director, and by a Director to poll the Sensor. As with all communications, a reply is expected. In the event that heartbeat packets do not receive a response, the Sensor assumes that the primary Director has gone offline and initiates communications with the next secondary Director. The Director, failing to hear a Sensor, believes that a malfunction has occurred.

Error

An error message is sent in the event that a malfunction has occurred. This can be because of a hardware issue, loss of connectivity on the Monitoring NIC, or a problem within the operating system software.

Command

A command is used for configuration purposes. Commands can be used to change certain parameters, such as the level of alarms.

Alarm

An alarm is a message sent by the Sensor to the Director that an event of noticeable severity has been monitored. By default, there are five alarm levels, although the administrator can configure up to 255 levels.

Command Log

A command log is an entry made to record the commands issued between Sensors and Directors. All commands are recorded to the command log by default.

IP Log

An IP log message contains information concerning TCP sessions. This log is only written when a triggering event takes place. Once writing to an IP log initiates, the log continues to be written for a specified amount of time. Because IP is the only protocol supported at this time, there are no Internetwork Packet Exchange (IPX) or Systems Network Architecture (SNA) logs. These messages contain information such as the time, the source and destination IP addresses, and the associated ports.
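The heartbeat exchange and the Sensor's failover to a secondary Director, modelled as an added example (not the CSIDS product's own code). Both sides are shown: the Director answers heartbeats and records when each Sensor was last heard, and the Sensor moves to the next Director in its list once heartbeats go unanswered. The message dictionaries, the Director and Sensor class names, and the number of missed polls that triggers failover (max_missed) are assumptions; the chapter only states that a missing reply causes the switch and that the exchange runs over UDP port 4500.

```python
"""Model of the CSIDS Post Office Protocol heartbeat exchange and Director failover.
Added illustration; message layout and the failover threshold are assumptions."""
from typing import Dict, List, Optional

POST_OFFICE_UDP_PORT = 4500  # UDP port stated in the Sensor guidelines
MESSAGE_TYPES = ("heartbeat", "error", "redirect", "alarm", "command_log", "ip_log")


class Director:
    """Director side: answers heartbeats and tracks when each Sensor was last heard."""

    def __init__(self, name: str, online: bool = True) -> None:
        self.name = name
        self.online = online
        self.last_seen: Dict[str, int] = {}  # sensor name -> time of last message

    def receive(self, msg: dict, now: int) -> Optional[dict]:
        if not self.online:
            return None  # datagram is lost; the Sensor sees no reply
        if msg["type"] not in MESSAGE_TYPES:
            return {"type": "error", "director": self.name, "detail": "unknown message type"}
        self.last_seen[msg["sensor"]] = now
        if msg["type"] == "heartbeat":
            return {"type": "heartbeat", "director": self.name}
        return {"type": "ack", "director": self.name}

    def silent_sensors(self, now: int, max_age: int) -> List[str]:
        """Sensors not heard from within max_age seconds; the Director treats
        these as having malfunctioned."""
        return [s for s, t in self.last_seen.items() if now - t > max_age]


class Sensor:
    """Sensor side: polls the active Director and fails over down the list."""

    def __init__(self, name: str, directors: List[Director], max_missed: int = 3) -> None:
        self.name = name
        self.directors = directors  # primary first, then secondaries in order
        self.active = 0
        self.missed = 0
        self.max_missed = max_missed  # assumption: unanswered polls before failover
        self.log: List[str] = []

    def send(self, msg: dict, now: int) -> Optional[dict]:
        target = self.directors[self.active]
        # Every message carries the sending Sensor's name and the UDP port used.
        return target.receive(dict(msg, sensor=self.name, port=POST_OFFICE_UDP_PORT), now)

    def heartbeat(self, now: int) -> str:
        """Poll the active Director; returns the name of the Director in use afterwards."""
        reply = self.send({"type": "heartbeat"}, now)
        if reply is not None and reply["type"] == "heartbeat":
            self.missed = 0
        else:
            self.missed += 1
            # Only move on if a secondary Director remains in the list.
            if self.missed >= self.max_missed and self.active + 1 < len(self.directors):
                old = self.directors[self.active].name
                self.active += 1
                self.missed = 0
                self.log.append(
                    f"{now}: no heartbeat reply from {old}; "
                    f"switching to {self.directors[self.active].name}"
                )
        return self.directors[self.active].name


if __name__ == "__main__":
    primary, secondary = Director("dir-primary"), Director("dir-secondary")
    sensor = Sensor("sensor-1", [primary, secondary], max_missed=2)
    sensor.heartbeat(now=0)
    primary.online = False  # constructed outage of the primary Director
    for t in (10, 20, 30):
        print(t, sensor.heartbeat(now=t))
    print(sensor.log)
```

The Director-side check (silent_sensors) is the mirror image of the Sensor's failover: a Sensor that stops answering is reported as a malfunction rather than silently dropped from view.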
The CSIDS Director

The CSIDS Director is a software package designed to operate in conjunction with the CSIDS Sensors. The main function of the Director is to manage the configuration of the Sensors. Although it is possible to configure multiple Directors to manage a given Sensor simultaneously, this should be avoided for two reasons. First, it is extremely easy for multiple Directors to give conflicting commands to a Sensor. Second, security is increased if only a single Director manages any Sensor at any given time. This, however, does not imply that it is wrong for more than one Director to be used to manage a Sensor on a routine basis. As long as only one Director is managing at any time, it is perfectly reasonable to have more than one Director capable of managing a Sensor. For example, the structure of a company might dictate that from 0800 through 1600 GMT, Directors in the London office maintain Sensors. From 1600 through 2400 GMT, Directors in the Hong Kong office manage Sensors, and from 2400 through 0800, Directors in the San Francisco office manage Sensors. The CSIDS is perfectly capable of handling this scenario.

Director services are available in two forms: through the Cisco Secure Policy Manager and as a standalone server. Although the inner workings of these two forms of the Director vary, the basic available features are the same. The Cisco Secure Policy Manager is covered in Chapter 8, "Cisco Secure Policy Manager (CSPM)." The remainder of this section will deal with the standalone server version of the Director. Configuration on the standalone version is accomplished through the CSIDS Configuration Management Utility, also called nrConfigure. This utility allows multiple configurations to be saved for each Sensor and downloaded to the Sensor when appropriate. One scenario where this can be advantageous is when the security requirements for a network change on a regular basis. For example, if a remote site should never have any network traffic over a holiday weekend, the administrator can download a very restrictive configuration that runs a script to page the administrator when any traffic traverses the network. Another benefit of the ability to maintain numerous configurations is that the administrators can test each of them to find the one that works best with their particular network.
Server-Based Director Hardware Requirements

The standalone CSIDS Director is designed to run on SPARC or HP processor platforms. As with most hardware requirements, the following should be considered the absolute minimum required to run the CSIDS Director software. The minimum SPARC platform consists of the following:

• Solaris 2.51, 2.6, or 2.7 Operating System
• 50 MB CSIDS install partition
• 2 GB CSIDS log partition
• 110 MB HP OpenView partition
• 12 MB Java Runtime partition
• 96 MB RAM
• HP OpenView 4.11, 5.01, or 6.0 to display the CSIDS GUI
• A Java-compatible Web browser for displaying the Network Security Database (NSDB)

The minimum HP-UX platform consists of the following:

• HP-UX 10.20
• 50 MB CSIDS install partition
• 2 GB CSIDS log partition
• 65 MB HP OpenView partition
• 10 MB Java Runtime partition
• 96 MB RAM
• HP OpenView 4.11, 5.01, or 6.0 to display the CSIDS GUI
• A Java-compatible Web browser for displaying the NSDB

Before attempting to install the Director, several items should be checked for completeness. Among these items are

• HP OpenView completely installed and tested
• DNS configured and tested, if used
• UNIX hostname configured and tested
• Web browser configured and tested
• IP address, subnet mask, and default gateway configured and tested
• All devices with concurrent times and time zones [1]

[1] This is a critical item, because the times that activities occur will be recorded. All equipment, such as routers, the Director, and the Sensor, should have identical times. In cases where a network traverses multiple time zones, a single time zone, such as GMT, should be chosen for all equipment. Using NTP to synchronize times on the equipment is recommended.
Managed Devices Requirements

The CSIDS is capable of changing access control lists on a router to shun an attack. There are only a few requirements to allow a device to be managed.

• Telnet must be allowed.
• A vty password must be set.
• An enable password must be set.
Director Deployment

One Director can be configured to manage multiple Sensors. The actual number of Sensors that can be successfully managed by a single Director is based on a number of factors, including the memory and CPU speed of the Director and the amount of data sent to the Director by the Sensors. Directors can be configured in a hierarchical manner that allows messages to propagate up through the hierarchy. Using a hierarchical configuration allows personnel to monitor and respond to situations presented by locally placed Directors, while still allowing a centralized monitoring site to maintain an overview of the whole network. Alarms can be sent to the higher-level Directors through the locally administered Directors without broadcasting. As shown in the example in Figure 6-7, the Director in Western Europe reports to the Director in Eastern Europe, which in turn reports to the Director in the Eastern United States. The Directors in South America report to the Director in the Western United States, which in turn reports to the Director in the Eastern United States. The Director in Australia reports directly to the Director in the Eastern United States.

Figure 6-7. CSIDS Director Hierarchy
Signatures

A signature is a set of rules based on activity typically seen when an intrusion is attempted. This set of rules is matched to packets on the network. When a match is found, a unique response is generated. When a match occurs, a trigger is set that causes the Sensor to react by adjusting an access control list on a router, notifying the Director, or acting in another predefined manner. The CSIDS signatures are categorized according to the structure, implementation, and class of packets. A large number of signatures are included with the Sensor. The administrator can add to this list and change the characteristics of any signature.
Signature Structures

There are two types of signature structures: atomic and composite. A single packet triggers an atomic signature, while multiple packets trigger a composite signature. For example, an IP packet with identical source and destination addresses might be considered an atomic signature. An intruder sweeping through port ranges would trigger a composite signature.

Signature Implementation

There are also two types of signature implementations: context and content. A content implementation is triggered by data contained within the packet payload. A context implementation is triggered by the data contained within the packet header. For example, a packet containing data with the string "hack attack" would be a content implementation. An IP packet with a bad option can be considered a context implementation.
Signature Classes

There are four types of signature classes.

• Reconnaissance Class— A Reconnaissance Class signature triggers because of network activity that can be used to discover systems, services, and vulnerabilities on the network. Reconnaissance attacks include ping sweeps and port sweeps.
• Access Class— Access Class signatures trigger on activity that could lead to unauthorized system access, escalation of privileges, or data retrieval. Access Class attacks include phf (WWW), Back Orifice, and IP fragment attacks.
• DoS Class— A DoS Class signature is triggered when packets monitored could lead to the disabling of network equipment, systems, or services. DoS attacks include ping of death, half-open SYN attacks, and UDP bombs.
• Information Class— Information Class signatures trigger on packets that are normal within a network but still can be used maliciously. Information Class signatures are also triggered to enable the administrator to determine the validity and severity of an attack and to form a record for possible use in legal proceedings. Information Class signatures include TCP connection requests, UDP connections, and ICMP Echo Requests.
Signature Series

The CSIDS signatures are grouped in numbered series. There are seven series, each relating to signatures within the series level. The CSIDS signature series are shown in Table 6-1.

Table 6-1. IP Signature Series

Series Number | Type
1000 | IP Signatures
2000 | ICMP Signatures
3000 | TCP Signatures
4000 | UDP Signatures
6000 | Miscellaneous Signatures
8000 | String Match Signatures
10000 | Policy Violations
Signature Severity Levels

Each signature has an associated severity level that indicates the probability that the signature is an actual attack. The default severity levels for all signatures are preset, and the administrator can change the setting at any time. The five signature severity levels are shown in Table 6-2.

Table 6-2. IP Signature Severity Levels

Level | Name | Description | Probability of Attack | Immediate Threat
1 | Informational | Informational events are logged only on Sensors. Simply someone pinging a server can cause this. | Very low | No
2 | Abnormal | An abnormal event is one that does not normally occur on a network. This could be caused by an unknown protocol. | Low | No
3 | Marginal | The infrequent occurrence of the packets causing this trigger does not justify a higher severity level. The same packets in higher quantities could cause a higher severity level. An example could be an IP fragment attack. | Medium | Low
4 | Serious | The signature indicates an attack of a suspicious nature. The administrator should investigate further. An example could be a TCP port sweep. | High | Medium
5 | Critical | The attack signatures indicate that an attack of a severe nature is being launched. There is very little probability that the packets have a legitimate purpose. An example could be a ping of death attack. | Very high | High
Responding to Alarms

Now you have examined the hardware and software associated with the CSIDS. You have looked at signatures. This section explores what happens when a packet on the monitored network matches a signature. This section walks through a theoretical attack on an e-mail server to illustrate how the CSIDS is capable of reacting to an attack. Take a moment to review Figure 6-8. In this example, there is a Sensor monitoring the unprotected network between the perimeter router and the PIX Firewall. The Command NIC is connected to the local LAN, where the Director resides.

Figure 6-8. CSIDS Sensor Notices an Attack

As shown in Figure 6-8, a hacker on the Internet has decided to attempt a DoS attack against the internal e-mail server through the use of half-open TCP connections. Although the PIX Firewall is fully capable of resisting such an attack, the Sensor still notices the attack the moment it has been launched. The FloodGuard algorithm on the PIX Firewall will not start to drop half-open connections until the defined threshold has been exceeded. The Sensor sends a message to the Director stating that an attack is under way. Entries are made in the log showing the packets received. This example uses the ability of the CSIDS to deny packets from the attacker through the adjustment of an access control list on the serial interface of the perimeter router. The configuration of the signature definition for this type of attack specifies that a number of actions happen when this type of attack occurs. The first action is that e-mail is sent from the Director to the administrator stating that an attack is under way. The second action is that this type of attack notifies the administrator at the Director that a severe attack is under way. The third action is for the perimeter router's access control list on the serial interface to be changed by the Sensor to deny the IP address of the attacker. This is shown in Figure 6-9.

Figure 6-9. CSIDS Responds to the Attack

After the attack is stopped, the cleanup process begins. The PIX and the mail server automatically drop the half-open connections after a timeout period expires. Similarly, the Sensor removes the dynamically created access control list from the perimeter router after a specified amount of time.

The preceding example is meant to be purely illustrative in nature. Nearly all responses to signature detections, as well as the signatures themselves, are definable by the administrator. There is no requirement that any of the actions illustrated in the preceding example need to be taken. Instead of sending e-mail to the administrator, the signature definition could have easily had the Director run a script that defined actions to be taken. The administrator could have also chosen to allow all half-open connections from a particular host. The flexibility inherent within the CSIDS gives additional benefits to the administrator. One benefit that the CSIDS has over other IDSs is because of this flexibility. Many IDSs do not allow the administrator to bypass certain types of apparent attacks. No two networks have the same characteristics regarding protocol distribution, number of broadcasts, and so on. Unless a detection system allows the administrator to completely adjust the parameters used to detect an attack, that system quickly becomes unusable in a number of networks. For example, the authors were once asked to install another manufacturer's IDS on a stockbroker's network. This network was unusual, because broadcasts were the main form of data transfer. Broadcasts were used so that all workstations received updates whenever any workstation requested a real-time quote. The IDS chosen by management was unable to recognize that the high number of broadcasts was not an attack on the system, and therefore, it was never successfully deployed. The CSIDS does not suffer from these shortcomings. The CSIDS allows the administrator to ignore types of apparent attacks, ignore apparent attacks from individual or groups of hosts, and maintain multiple configurations that allow near-instantaneous changes to those signatures to which the Sensor will react. This flexibility allows the CSIDS to become a viable IDS for most networks.
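The shun lifecycle described in the "CSIDS Monitoring Beyond the Firewall" section and in the walkthrough above, as an added example (not the Sensor's own code): the three prerequisites the chapter lists for shunning are checked first, a deny entry for the attacker's address is added to the perimeter router's access list, and the entry lapses after a set time, after which the list is rebuilt without it. The named ACL CSIDS-SHUN, the interface name Serial0, the 900-second timer and the ShunList class are assumptions; the IOS commands shown are standard named extended ACL syntax, not taken from this chapter.

```python
"""Timed shun list modelling the CSIDS response to an attacker: a deny entry
for the source address is applied on the perimeter router and removed again
after a set interval. Added illustration; ACL name, interface and timer are assumed."""
from typing import Dict, List


class ShunList:
    def __init__(self, acl_name: str = "CSIDS-SHUN", interface: str = "Serial0",
                 duration: int = 900) -> None:
        self.acl_name = acl_name            # assumed name of the shun ACL
        self.interface = interface          # assumed perimeter serial interface
        self.duration = duration            # seconds a shun stays active (assumed)
        self._expiry: Dict[str, int] = {}   # attacker IP -> time the shun lapses

    @staticmethod
    def precheck(telnet_enabled: bool, in_management_list: bool,
                 inbound_acl_present: bool) -> List[str]:
        """The chapter's three prerequisites for shunning; returns those not met."""
        problems = []
        if not telnet_enabled:
            problems.append("Telnet service on the router is not enabled")
        if not in_management_list:
            problems.append("router is not in the Sensor's management list")
        if inbound_acl_present:
            problems.append("an access list is already applied inbound on the interface")
        return problems

    def shun(self, attacker_ip: str, now: int) -> bool:
        """Add a shun or refresh its timer; True when the address is newly shunned."""
        is_new = attacker_ip not in self._expiry
        self._expiry[attacker_ip] = now + self.duration
        return is_new

    def expire(self, now: int) -> List[str]:
        """Drop entries whose timer has run out; returns the addresses released."""
        gone = [ip for ip, t in self._expiry.items() if now >= t]
        for ip in gone:
            del self._expiry[ip]
        return gone

    def active(self, now: int) -> List[str]:
        self.expire(now)
        return sorted(self._expiry)

    def render_acl(self, now: int) -> List[str]:
        """IOS configuration that rebuilds the ACL to match the current shun list.
        The list is rebuilt wholesale so that every deny precedes the final permit."""
        lines = [f"no ip access-list extended {self.acl_name}",
                 f"ip access-list extended {self.acl_name}"]
        lines += [f" deny ip host {ip} any" for ip in self.active(now)]
        lines += [" permit ip any any", "exit",
                  f"interface {self.interface}",
                  f" ip access-group {self.acl_name} in"]
        return lines


if __name__ == "__main__":
    shuns = ShunList()
    print(shuns.precheck(telnet_enabled=True, in_management_list=True,
                         inbound_acl_present=False))
    shuns.shun("203.0.113.9", now=1000)   # constructed attacker address
    print("\n".join(shuns.render_acl(now=1500)))
    print(shuns.expire(now=2000))
```

Rebuilding the whole list on every change keeps the ordering correct on routers that cannot insert an entry ahead of an existing permit; the precheck mirrors the chapter's warning that an existing inbound ACL on the interface prevents the CSIDS from applying its own.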
Interpreting Logs

It is sometimes necessary to look at the actual log file to determine exactly what has occurred. This section explores how to interpret a log file. The CSIDS stores four levels of logging to a comma-delimited file. The active log is stored in the /usr/nr/var directory with a file name of YYYYMMDDHHMM. By default, when the active log has reached 300 KB, or the elapsed time since the log creation has exceeded 240 minutes, the file is archived under the same name in the /usr/nr/nav/new directory. The log file has a defined format and is easy to read. The following is a sample record from a log:

4,1034121,2001/04/08,14:04:01,11008,6,300,IN, OUT, 212,8543,51304,TCP/IP, 172.30.1.8,172.31.2.1,1015,25,0.0.0.0,hack attack,69576 ... AEBA0

The fields within the log file are described in Table 6-3.

Table 6-3. CSIDS Record Format

Value | Field Name | Description
4 | Record Type | The record type can have one of 4 values: 2 is an error, 3 is a command, 4 is either an alarm or an event, 5 is an IP log.
1034121 | Record Number | Record numbers start at 1,000,000 and increment by one with each record.
2001/04/08 | Date | This is the date in YYYY/MM/DD format.
14:04:01 | Time | This is the time in HH:MM:SS format.
11008 | Application ID | This is the Application ID of the process that generated the log record.
6 | Host ID | This is the Host ID of the Sensor that generated the log record.
300 | Organizational ID | This is the Organizational ID of the Sensor that generated the log record.
IN | Source | This is the source of the packet that triggered the alarm. The value can be either OUT (signifying that the source is outside of the monitored network) or IN (signifying that the source is within the monitored network).
OUT | Destination | This is the destination of the packet that triggered the alarm. The value can be either OUT (signifying that the destination is outside of the monitored network) or IN (signifying that the destination is within the monitored network).
212 | Alarm Level | By default, there are 5 alarm levels. Here, the maximum of 255 levels is specified. This alarm is level 212.
8543 | Signature ID | The signature ID is mapped to a signature name in the /usr/nr/etc/signatures files. Valid values range from 1000 through 10,000.
51304 | SubSignature ID | The SubSignature ID is usually used on a string match signature, customizable by the administrator. If the value of this field is zero, there is no subsignature. Subsignatures start with the value 51,304. In this example record, this subsignature is associated with the string "hack attack."
TCP/IP | Protocol | This indicates that the packet was in TCP/IP format.
172.30.1.8 | Source IP Address | This is the source IP address of the packet.
172.31.2.1 | Destination IP Address | This is the destination IP address of the packet.
1015 | Source Port | This is the source port of the packet.
25 | Destination Port | This is the destination port of the packet.
0.0.0.0 | External Data Source | This is the external IP address of the Sensor that detected the event. An IP address of 0.0.0.0 signifies that the Sensor that was specified by the Host and Organizational ID detected the event. A valid IP address is usually associated with a device, such as a router placing a syslog event because of an access list.
hack attack | Event Detail | This is an optional field. In this example, the string "hack attack" was used to trigger the logging event.
69576 ... AEBA0 | Context Data | This is an optional field. When populated, this field contains up to 512 bytes, showing the 256 bytes before and the 256 bytes after the string that triggered the event. This field allows the administrator to see most of the relevant portions of the packet.

Now that you have seen an overview of the major components of CSIDS, the next sections cover the Cisco IOS Firewall IDS and the Cisco PIX Firewall IDS.
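A parser for the comma-delimited record format of Table 6-3, added here as an example rather than taken from the CSIDS software. It types each field, applies the checks the table makes possible (record type, IN/OUT markers, signature ID range, the 0.0.0.0 convention for the external data source), maps the signature ID to its series from Table 6-1, and then runs a simple filter over a small log to pick out the outside addresses whose alarms reach a chosen level. The sample log embeds the chapter's own record followed by two constructed ones; the signature IDs 3001 and 2001 in those, the function names, and the rule that commas inside the context data are kept by splitting on at most nineteen commas are all assumptions.

```python
"""Parser and alarm filter for the CSIDS comma-delimited log format (Table 6-3).
Added illustration; field order follows the table, everything else is assumed."""
from datetime import datetime
from typing import Dict, List

FIELD_NAMES = [
    "record_type", "record_number", "date", "time", "application_id",
    "host_id", "org_id", "source", "destination", "alarm_level",
    "signature_id", "subsignature_id", "protocol", "source_ip",
    "destination_ip", "source_port", "destination_port",
    "external_data_source", "event_detail", "context_data",
]
INT_FIELDS = ("record_type", "record_number", "application_id", "host_id",
              "org_id", "alarm_level", "signature_id", "subsignature_id",
              "source_port", "destination_port")
RECORD_TYPES = {2: "error", 3: "command", 4: "alarm_or_event", 5: "ip_log"}
SIGNATURE_SERIES = {1000: "IP", 2000: "ICMP", 3000: "TCP", 4000: "UDP",
                    6000: "Miscellaneous", 8000: "String Match",
                    10000: "Policy Violations"}


def parse_record(line: str) -> Dict[str, object]:
    """Turn one log line into a typed dict; raises ValueError on a malformed record."""
    # Context data is the last field and may itself contain commas (assumption),
    # so split on at most 19 commas and leave the remainder intact.
    parts = [p.strip() for p in line.strip().split(",", 19)]
    if len(parts) < 18:
        raise ValueError(f"expected at least 18 fields, got {len(parts)}")
    rec: Dict[str, object] = dict(zip(FIELD_NAMES, parts))
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    rec.setdefault("event_detail", "")   # the two trailing fields are optional
    rec.setdefault("context_data", "")
    if rec["record_type"] not in RECORD_TYPES:
        raise ValueError(f"unknown record type {rec['record_type']}")
    for side in ("source", "destination"):
        if rec[side] not in ("IN", "OUT"):
            raise ValueError(f"{side} must be IN or OUT, got {rec[side]!r}")
    if not 1000 <= rec["signature_id"] <= 10000:
        raise ValueError(f"signature ID {rec['signature_id']} out of range")
    rec["record_kind"] = RECORD_TYPES[rec["record_type"]]
    rec["timestamp"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                         "%Y/%m/%d %H:%M:%S")
    rec["signature_series"] = SIGNATURE_SERIES.get(
        rec["signature_id"] // 1000 * 1000, "Unknown")
    rec["has_subsignature"] = rec["subsignature_id"] != 0
    # 0.0.0.0 means the Sensor named by Host/Org ID saw the event itself;
    # any other address points at an external device such as a router's syslog.
    rec["from_external_device"] = rec["external_data_source"] != "0.0.0.0"
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def shun_candidates(records: List[Dict[str, object]], min_level: int) -> List[str]:
    """Source addresses outside the monitored network whose alarm level
    reaches min_level, in first-seen order without duplicates."""
    seen: List[str] = []
    for r in records:
        if (r["record_type"] == 4 and r["source"] == "OUT"
                and r["alarm_level"] >= min_level and r["source_ip"] not in seen):
            seen.append(r["source_ip"])
    return seen


# Constructed sample log: the chapter's record, then two made-up records
# (a level-200 TCP alarm from outside and a level-1 informational ICMP event).
SAMPLE_LOG = """\
4,1034121,2001/04/08,14:04:01,11008,6,300,IN, OUT, 212,8543,51304,TCP/IP, 172.30.1.8,172.31.2.1,1015,25,0.0.0.0,hack attack,69576 ... AEBA0
4,1034122,2001/04/08,14:05:17,11008,6,300,OUT,IN,200,3001,0,TCP/IP,203.0.113.9,172.31.2.1,40211,25,0.0.0.0
4,1034123,2001/04/08,14:06:02,11008,6,300,OUT,IN,1,2001,0,TCP/IP,198.51.100.4,172.31.2.1,0,0,0.0.0.0
"""

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec["record_number"], rec["record_kind"], rec["signature_series"],
              rec["alarm_level"], rec["source_ip"], "->", rec["destination_ip"])
    print("shun candidates at level 100+:", shun_candidates(parse_log(SAMPLE_LOG), 100))
```

Validating the IN/OUT markers and the signature range at parse time means a truncated or hand-edited record fails loudly instead of producing a silently wrong alarm level or address downstream.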
Cisco IOS Firewall IDS

Intrusion detection has been available as part of the Cisco IOS Firewall from the 12.05(T) release. The IDS capabilities are only available on the midrange to high-end router platforms. These include the following platforms, with more scheduled for release in the near future:

• Cisco 1700
• Cisco 2600
• Cisco 3600
• Cisco 7100
• Cisco 7200

Once the router has the Cisco IOS Firewall IDS features installed and enabled, the router acts as an IDS sensor. The router passively monitors and analyzes all packet flow through the router and checks this data against the installed and configured IDS signatures. If suspect activity is detected, the router can be configured to

• Send an alarm to a management platform— In this instance, either a syslog server or the Cisco Secure IDS Director can be used to receive the alarm.
• Drop the packet— The packet is dropped from the router and not forwarded to its destination interface.
• Reset the TCP connection— The reset function will send a packet with the RST (Reset) flag set to both the source and destination. This will terminate the current session between the hosts.

The 59 default IDS signatures are available for use with the Cisco IOS Firewall IDS. These can be disabled on a signature-by-signature basis if the requirements do not fit the network design. The Cisco IOS Firewall IDS features can improve on perimeter security by adding additional perimeter visibility of network intrusion attempts. Network-based IDS systems listen to traffic passing on the network segment, whereas a router will receive and process all inbound and outbound traffic to and from a network. The Cisco IOS Firewall IDS complements an existing Cisco Secure IDS installation and can act as a perimeter-based sensor, reporting as the IDS Sensor does to the IDS Director. One drawback of using the Cisco IOS Firewall IDS is that it can reduce the performance of your router due to the heavy workload in running the IDS software.
Cisco Secure PIX Firewall IDS

Intrusion detection on the Cisco Secure PIX Firewall became available with the 5.2(1) release of the PIX operating system. This is available on all current PIX platforms. The configuration of IDS on the PIX is very limited compared with the configuration available on the Cisco Secure IDS and the Cisco IOS Firewall IDS. The PIX is always used as a network device to separate at least two networks and to provide adaptive security for the networks behind it. The IDS feature on the PIX Firewall enables administrators to enforce perimeter intrusion detection on a device that is already providing security services. Unlike the Cisco IOS Firewall IDS, the PIX IDS cannot send alarms to the Cisco Secure Policy Manager or the IDS Director, only to syslog. A lot of Internet sites employ PIX Firewalls to protect the hosted network that exists behind the PIX. Including IDS with a PIX Firewall allows security administrators to gather intrusion data and automatically act on any suspected vulnerabilities. Until now, this was only available using a network-based IDS sensor connected to the protected VLANs within the hosted solution. When suspect activity is identified, the Cisco PIX operates in a manner similar to the Cisco IOS Firewall IDS. It can either send an alarm, drop the connection, or reset the session. These are all explained in the "Cisco IOS Firewall IDS" section earlier in this chapter. The PIX, like the Cisco IOS Firewall, supports the 59 default IDS signatures. These signatures can be seen in Table 6-4. Included in Table 6-4 is an indication of the type of signature: Info or Attack, Atomic or Compound.

Atomic signatures that show as Atomic* are allocated memory for session states by CBAC.
Table 6-4. The 59 Default IDS Signatures

ID | Name | Trigger | Type
1000 | IP options-Bad Option List | Triggered by receipt of an IP datagram with the list of IP options in the header incomplete or malformed. | Info, Atomic
1001 | IP options-Record Packet Route | Triggered by receipt of an IP datagram with the Record Packet Route chosen. | Info, Atomic
1002 | IP options-Timestamp | Triggered by receipt of an IP datagram where the Timestamp option is chosen. | Info, Atomic
1003 | IP options-Provide s, c, h, tcc | Triggered by receipt of an IP datagram where the option list for the datagram includes option 2 (security options). | Info, Atomic
1004 | IP options-Loose Source Route | Triggered by receipt of an IP datagram where the option list for the datagram includes option 3 (loose source route). | Info, Atomic
1005 | IP options-SATNET ID | Triggered by receipt of an IP datagram where the option list for the datagram includes option 8 (SATNET stream identifier). | Info, Atomic
1006 | IP options-Strict Source Route | Triggered by receipt of an IP datagram in which the IP option list for the datagram includes the strict source routing option. | Info, Atomic
1100 | IP Fragment Attack | Triggered when any IP datagram is received with the more fragments flag set to 1 or if there is an offset indicated in the offset field. | Attack, Atomic
1101 | Unknown IP Protocol | Triggered when an IP datagram is received with the protocol field set to 101 or greater. These protocol types are undefined or reserved and should not be used. | Attack, Atomic
1102 | Impossible IP Packet | Triggered when an IP packet arrives with source equal to destination address. This signature will catch the so-called Land attack. | Attack, Atomic
2000 | ICMP Echo Reply | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP) and the type field in the ICMP header set to 0 (Echo Reply). | Info, Atomic
2001 | ICMP Host Unreachable | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP) and the type field in the ICMP header set to 3 (Host Unreachable). | Info, Atomic
2002 | ICMP Source Quench | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP) and the type field in the ICMP header set to 4 (Source Quench). | Info, Atomic
2003 | ICMP Redirect | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP) and the type field in the ICMP header set to 5 (Redirect). | Info, Atomic
2004 | ICMP Echo Request | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP) and the type field in the ICMP header set to 8 (Echo Request). | Info, Atomic
2005 | ICMP Time Exceeded for a Datagram | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP) and the type field in the ICMP header set to 11 (Time Exceeded for a Datagram). | Info, Atomic
2006 | ICMP Parameter Problem on Datagram | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP) and the type field in the ICMP header set to 12 (Parameter Problem on Datagram). | Info, Atomic
2007 | ICMP Timestamp Request | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP) and the type field in the ICMP header set to 13 (Timestamp Request). | Info, Atomic
2008 | ICMP Timestamp Reply | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP) and the type field in the ICMP header set to 14 (Timestamp Reply). | Info, Atomic
2009 | ICMP Information Request | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP) and the type field in the ICMP header set to 15 (Information Request). | Info, Atomic
2010 | ICMP Information Reply | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP) and the type field in the ICMP header set to 16 (ICMP Information Reply). | Info, Atomic
2011 | ICMP Address Mask Request | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP) and the type field in the ICMP header set to 17 (Address Mask Request). | Info, Atomic
2012 | ICMP Address Mask Reply | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP) and the type field in the ICMP header set to 18 (Address Mask Reply). | Info, Atomic
2150 | Fragmented ICMP Traffic | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP) and either the more fragments flag is set to 1 (ICMP) or there is an offset indicated in the offset field. | Attack, Atomic
2151 | Large ICMP Traffic | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP) and the IP length is greater than 1024. | Attack, Atomic
2154 | Ping of Death Attack | Triggered when an IP datagram is received with the protocol field in the header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset x 8) + (IP data length) > 65,535. In other words, the IP offset (which represents the starting position of this fragment in the original packet and is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet. | Attack, Atomic
3040 | TCP—no bits set in flags | Triggered when a TCP packet is received with no bits set in the flags field. | Attack, Atomic
3041 | TCP—SYN and FIN bits set | Triggered when a TCP packet is received with both the SYN and FIN bits set in the flag field. | Attack, Atomic
3042 | TCP—FIN bit with no ACK bit in flags | Triggered when a TCP packet is received with the FIN bit set but with no ACK bit set in the flags field. | Attack, Atomic
3050 | Half-open SYN Attack/SYN Flood | Triggered when multiple TCP sessions have been improperly initiated on any of several well-known service ports. Detection of this signature is currently limited to FTP, Telnet, HTTP, and e-mail servers (TCP ports 21, 23, 80, and 25, respectively). | Attack, Compound
3100 | Smail Attack | Triggered by the very common smail attack against SMTP-compliant e-mail servers (frequently Sendmail). | Attack, Compound
3101 | Sendmail Invalid Recipient | Triggered by any mail message with a pipe (|) symbol in the recipient field. | Attack, Compound
3102 | Sendmail Invalid Sender | Triggered by any mail message with a pipe (|) symbol in the From: field. | Attack, Compound
3103 | Sendmail Reconnaissance | Triggered when expn or vrfy commands are issued to the SMTP port. | Attack, Compound
3104 | Archaic Sendmail Attacks | Triggered when wiz or debug commands are issued to the SMTP port. | Attack, Compound
3105 | Sendmail Decode Alias | Triggered by any mail message with ": decode@" in the header. | Attack, Compound
3106 | Mail Spam | Counts number of Rcpt to: lines in a single mail message and alarms after a user-definable maximum has been exceeded (default is 250). | Attack, Compound
3107 | Majordomo Execute Attack | A bug in the Majordomo e-mail list program will allow remote users to execute arbitrary commands at the privilege level of the server. This triggers when a remote user issues a privileged level command. | Attack, Compound
3150 | FTP Remote Command Execution | Triggered when someone tries to execute the FTP SITE command. | Attack, Compound
3151 | FTP SYST Command Attempt | Triggered when someone tries to execute the FTP SYST command. | Info, Compound
3152 | FTP CWD ~root | Triggered when someone tries to execute the CWD ~root command. | Attack, Compound
3153 | FTP Improper Address Specified | Triggered if a port command is issued with an address that is not the same as the requesting host. | Attack, Atomic*
3154 | FTP Improper Port Specified | Triggered if a port command is issued with a data port specified that is less than 1024 or greater than 65,535. | Attack, Atomic*
4050 | UDP Bomb | Triggered when the UDP length specified is less than the IP length specified. | Attack, Atomic
4100 | TFTP Passwd File | Triggered by an attempt to access the passwd file (typically /etc/passwd) via TFTP. | Attack, Compound
6100 | RPC Port Registration | Triggered when attempts are made to register new RPC services on a target host. | Info, Atomic*
6101 | RPC Port Unregistration | Triggered when attempts are made to unregister existing RPC services on a target host. | Info, Atomic*
6102 | RPC Dump | Triggered when an RPC dump request is issued to a target host. | Info, Atomic*
6103 | Proxied RPC Request | Triggered when a proxied RPC request is sent to the portmapper of a target host. | Attack, Atomic*
6150 | ypserv Portmap Request | Triggered when a request is made to the portmapper for the YP server daemon (ypserv) port. | Info, Atomic*
6151 | ypbind Portmap Request | Triggered when a request is made to the portmapper for the YP bind daemon (ypbind) port. | Info, Atomic*
6152 | yppasswdd Portmap Request | Triggered when a request is made to the portmapper for the YP password daemon (yppasswdd) port. | Info, Atomic*
6153 | ypupdated Portmap Request | Triggered when a request is made to the portmapper for the YP update daemon (ypupdated) port. | Info, Atomic*
6154 | ypxfrd Portmap Request | Triggered when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port. | Info, Atomic*
6155 | mountd Portmap Request | Triggered when a request is made to the portmapper for the mount daemon (mountd) port. | Info, Atomic*
6175 | rexd Portmap Request | Triggered when a request is made to the portmapper for the remote execution daemon (rexd) port. | Info, Atomic*
6180 | rexd Attempt | Triggered when a call to the rexd program is made. The remote execution daemon is the server responsible for remote program execution. This may be indicative of an attempt to gain unauthorized access to system resources. | Info, Atomic*
6190 | statd Buffer Overflow | Triggered when a large statd request is sent. This could be an attempt to overflow a buffer and gain access to system resources. | Attack, Atomic*
8000 | FTP Retrieve Password File (SubSig ID: 2101) | Triggered by string passwd issued during an FTP session. May indicate someone attempting to retrieve the password file from a machine in order to crack it and gain unauthorized access to system resources. | Attack, Atomic*
Cisco IDS Configuration

This section looks at the configuration tasks required to configure Cisco intrusion detection on the Cisco router and Cisco PIX Firewall. It does not cover the configuration of the Cisco Secure IDS (NetRanger) Sensor or Director, as these are beyond the scope of this book. This section concentrates on intrusion detection from an Internet—and specifically, a hosted-solution—point of view. It starts by looking at the Cisco IOS Firewall IDS configuration that is located on a corporate router that provides Internet access to the organization. It then covers the Cisco Secure PIX Firewall IDS that is deployed to protect a corporate web site hosted at an ISP.

Cisco IOS Firewall IDS Configuration

Routers connect networks. The Internet connection point of nearly all companies is through some routing device. In this section, you will look at the configuration of the Cisco IOS Firewall IDS for a router that is acting as the Internet connection point for a large company. This company has other WAN links to other sites. All Internet-bound traffic is routed through the central site. The Internet connection is provided for Internet browsing and e-mail only. There are no Internet servers located at any corporate site. The router has been configured with Context-based Access Control (CBAC) to allow back through the firewall only what was originated from inside on the corporate network. Network Address Translation (NAT) has been used in an overload fashion. This is also known as Port Address Translation (PAT). Theoretically, from the outside, nothing on the inside should be visible. Because all Internet traffic comes through this connection onto the corporate network, the company has decided to configure intrusion detection on this router to provide a further layer of security against any external threats that exist. Figure 6-10 shows this simple network.

Figure 6-10. Corporate Internet Connection
To configure intrusion detection on the Cisco IOS Firewall, you have to ensure that you are using the correct IOS level. You must be using IOS 12.0(5)T or later with the Cisco IOS Firewall included. You are going to configure intrusion detection to use syslog logging and to protect the outside interface of the router. The following configuration lines are all entered in global configuration mode:

ip audit notify log
ip audit name ids info action alarm
ip audit name ids attack action alarm drop reset

The first line configures the IDS to use syslog logging. With the Cisco IOS Firewall IDS, you have the option of using syslog or the Cisco Secure Intrusion Detection Director. The second and third lines specify the IDS profile called ids. This profile is set to alarm for informational messages and alarm, drop, and reset sessions for attack messages. Once this IDS profile has been created, you have to apply it to an interface. Enter the following configuration line from the interface configuration mode for the interface to which you wish to apply the policy:

ip audit ids in

This command applies the IDS policy ids to the interface for inbound traffic. This is similar to the ip access-group command that applies access lists, either inbound or outbound, to interfaces. A few show commands can be used on the router to look at the configuration of IDS.

The show ip audit configuration Command

The show ip audit configuration command displays the global configuration settings for IDS on the router:

Router#show ip audit configuration
Event notification through syslog is enabled
Event notification through Net Director is disabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 250
PostOffice:HostID:0 OrgID:0 Msg dropped:0 :Curr Event Buf Size:0 Configured:100
Post Office is not enabled - No connections are active
Audit Rule Configuration
 Audit name ids
    info actions alarm
    attack actions alarm drop reset

You can see from the command output that this router is using syslog logging and not the NetRanger (Cisco Secure) Director.

The show ip audit interfaces Command

The show ip audit interfaces command displays interface-specific information about IDS for every interface that IDS is configured on:

Router#show ip audit interfaces
Interface Configuration
 Interface FastEthernet0/0
  Inbound IDS audit rule is ids
    info actions alarm
    attack actions alarm drop reset
  Outgoing IDS audit rule is not set

The output shows that the IDS profile ids is configured inbound on the FastEthernet0/0 interface on the router.

The show ip audit name Command

This command displays the IDS information for the specific IDS profile:

Router#show ip audit name ids
Audit name ids
    info actions alarm
    attack actions alarm drop reset

The output shows the configuration of the IDS profile called ids that was previously configured for this example. This concludes the simple configuration of the Cisco IOS Firewall IDS. As you can see, the configuration of IDS on the Cisco IOS Firewall is fairly straightforward. You have to ensure that the router is successfully logging to a syslog server. There are numerous syslog servers available for UNIX. For Windows platforms, there is an excellent syslog server available from www.ccstudy.com.
Cisco Secure PIX Firewall IDS Configuration

It is very common for hosted solutions that are located within an ISP to be behind a firewall. The firewall separates the hosted solution from the main ISP public network and provides NAT and stateful inspection of packets to protect the hosted network from various external attacks. This makes the firewall an ideal place to implement IDS.

IDS technologies operate by passively listening to traffic to ascertain whether the traffic is genuine or matches a known attack signature. This can be a problem in a shared network environment, because you do not want your IDS system to alert all of the time because of traffic destined for other networks. This can be true of a hosted solution from an ISP, because the public Ethernet connection that forms the outside interface of the PIX Firewall can be in the same broadcast domain as numerous other hosted networks. However, all ISPs should use switches to provide Ethernet connectivity. The switch ensures that only the required unicast traffic is delivered to each hosted network. The nature of the static NAT translations causes the outside switches to send unicast traffic for every host behind the firewall to the port where the outside interface of the firewall is physically connected. This removes potential false positives on the IDS from traffic that is directed toward other hosted networks. However, because the switch implements a single broadcast domain throughout the Layer 3 domain, you might still get false positives for broadcast-based attacks. This section looks at a very simple hosted Internet solution and the commands that are required to install IDS on the firewall. Figure 6-11 displays this simple network.

Figure 6-11. Simple Hosted Network
The configuration lines in this section configure IDS on the outside interface of the router. Remember that the outside interface is the Internet-facing interface. There is little use in this scenario to enable IDS on both the inside and outside interfaces. You can see from the network diagram in Figure 6-11 that this is a simple model, where the hosted firewall's outside interface is connected to the Internet, and the inside interface provides access to the protected network. In this simple network, there is a Web server, an e-mail server, and an FTP server. To enable IDS on the PIX Firewall, the software on the PIX must be release 5.2 or later. IDS configuration on the PIX is carried out with one command that has numerous variables associated with it. This command is ip audit. The important point to remember is that the alarm action with both the info and attack signatures uses the currently configured syslog server. This means that syslog has to be configured and working on an inside interface. Syslog is enabled with the logging commands. These commands are all entered in global configuration mode:

ip audit info action alarm
ip audit attack action alarm
ip audit name idsattack attack action alarm drop reset
ip audit name idsinfo info action alarm
ip audit interface outside idsinfo
ip audit interface outside idsattack

The first two lines are configured by default and apply to all interfaces. These alarm on info or attack signatures. The third and fourth lines of the configuration specify an IDS policy with the name of idsattack and idsinfo. The fifth and sixth lines apply these named IDS policies to the outside interface. A few show commands can be used on the PIX to look at the configuration of IDS.

The show ip audit info Command

The show ip audit info command displays the global info IDS policy on the firewall:

pixfirewall# show ip audit info
ip audit info action alarm

You can see from the output that the global info IDS policy is to alarm.

The show ip audit attack Command

The show ip audit attack command displays the global attack IDS policy on the firewall:

pixfirewall# show ip audit attack
ip audit attack action alarm

You can see from the output that the global attack IDS policy is to alarm.

The show ip audit interface Command

The show ip audit interface command displays the specific IDS policy that has been applied to an interface. From this example, the following is observed:

pixfirewall# show ip audit interface outside
ip audit interface outside idsinfo
ip audit interface outside idsattack

This shows that the named IDS policies idsinfo and idsattack have been applied to the outside interface of the PIX.

The show ip audit name Command

The show ip audit name command displays the IDS policy that has been specified in a named policy. From this example, you can observe that the IDS policy idsinfo is set just to alarm:

pixfirewall# show ip audit name idsinfo
ip audit name idsinfo info action alarm

The following shows that attack signatures are alarmed, dropped, and reset:

pixfirewall# show ip audit name idsattack
ip audit name idsattack attack action alarm drop reset
IDS Monitoring

Once intrusion detection has been configured, you can monitor the syslog information to identify any attempted security issues. The following log data are extracts from an actual Internet-facing PIX Firewall. You can see that the IDS on the PIX has intercepted quite a few items of suspicious activity:

%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.2 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.6 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.7 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.20 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.21 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.22 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.23 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.24 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.26 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.25 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.27 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.28 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.30 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.29 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.100 on interface outside

The preceding messages indicate that the IP address 24.15.59.98 is attempting a reconnaissance sweep against the IP addresses on the 194.73.134.0 network. This is classified as an attack, and because of the policy that is in place, these sessions would be logged, dropped, and reset. The following message could indicate that the IP address 137.39.5.35 is trying to overcome the packet-filtering security policy. This could indicate an attack:

%PIX-4-400011: IDS:2001 ICMP unreachable from 137.39.5.35 to 194.73.134.7 on interface outside

The following message indicates that a successful ICMP echo reply (ping) was sent from the IP address 64.225.249.26. This is an informational message:

%PIX-4-400010: IDS:2000 ICMP echo reply from 64.225.249.26 to 194.73.134.2 on interface outside

This concludes the simple configuration of the Cisco PIX IDS. As you can see, the configuration of IDS on the PIX is fairly straightforward. You have to ensure that the PIX is successfully logging to a syslog server. There are numerous syslog servers available for UNIX. For Windows platforms, there is an excellent syslog server available from www.ccstudy.com.
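Reading the syslog extracts by eye works for a dozen lines; on a busy PIX the same judgement (one source, many destinations, one signature) has to be made by a script on the syslog server. The following Python is an added example for this section, not code from the book or from Cisco: it parses the PIX IDS message shape shown above (%PIX-4-400010, 400011 and 400027 all read "IDS:<id> <text> from <src> to <dst> on interface <name>"), counts events per signature, and flags a source as sweeping when it fires one signature against several distinct destinations. The SAMPLE_LOG is constructed from the messages printed in this section plus one non-IDS line; the regex, class and function names, and the min_targets threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the IDS alarm lines the PIX writes to syslog, as shown in this section.
IDS_RE = re.compile(
    r"^%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): IDS:(?P<sig>\d+) (?P<desc>.+?) "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)$"
)

@dataclass(frozen=True)
class IdsEvent:
    severity: int   # syslog severity digit, 4 for the IDS alarms above
    msgid: str      # PIX message number, e.g. 400027
    sig: int        # Table 6-4 signature ID
    desc: str       # free text such as "TCP SYN+FIN flags"
    src: str
    dst: str
    iface: str

def parse_line(line: str) -> Optional[IdsEvent]:
    """Return an IdsEvent for a PIX IDS alarm, or None for any other syslog line."""
    m = IDS_RE.match(line.strip())
    if not m:
        return None
    return IdsEvent(int(m["sev"]), m["msgid"], int(m["sig"]), m["desc"],
                    m["src"], m["dst"], m["iface"])

def parse_log(text: str) -> List[IdsEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]

def count_by_signature(events: List[IdsEvent]) -> Dict[int, int]:
    return dict(Counter(ev.sig for ev in events))

def find_sweeps(events: List[IdsEvent], sig: int = 3041,
                min_targets: int = 5) -> Dict[str, List[str]]:
    """Sources that fired signature `sig` against at least `min_targets` distinct hosts."""
    targets = defaultdict(set)
    for ev in events:
        if ev.sig == sig:
            targets[ev.src].add(ev.dst)
    return {src: sorted(dsts, key=ipaddress.ip_address)
            for src, dsts in targets.items() if len(dsts) >= min_targets}

# Constructed from the messages shown in this section; the 999999 line is a
# made-up non-IDS record included to show that the parser skips it.
SAMPLE_LOG = """\
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.2 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.6 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.7 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.20 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.21 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.22 on interface outside
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 24.15.59.98 to 194.73.134.23 on interface outside
%PIX-6-999999: constructed non-IDS message that the parser must ignore
%PIX-4-400011: IDS:2001 ICMP unreachable from 137.39.5.35 to 194.73.134.7 on interface outside
%PIX-4-400010: IDS:2000 ICMP echo reply from 64.225.249.26 to 194.73.134.2 on interface outside
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(count_by_signature(events))
    for src, hosts in find_sweeps(events).items():
        print(f"{src} swept {len(hosts)} hosts with signature 3041: {hosts[0]} .. {hosts[-1]}")
```

Because the PIX policy in this section already drops and resets the 3041 sessions, the value of the script is in the summary: a sweep that touches fifteen addresses from one source is a single incident to record and follow up with the ISP, not fifteen separate alarms.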
Summary

This chapter provided an overview of intrusion detection. It started by providing an explanation of intrusion detection, its role in the total security solution, and the different forms that intrusion detection can assume within the network. The chapter then looked at the intrusion detection offerings available from Cisco Systems and provided a brief explanation of each of these and their associated features. It concluded by looking at some configuration examples for both the Cisco IOS Firewall IDS and the Cisco Secure PIX Firewall IDS.

Frequently Asked Questions

Question: What is intrusion detection?

Answer: Intrusion detection is the passive monitoring of the traffic flow on a network segment to detect any suspicious activity on the network. Once a problem is identified, an intrusion detection system can take action against the session to ensure that it is not maintained.

Question: I already have a firewall; why do I need intrusion detection as well?

Answer: A firewall is a device that can protect internal networks from external threats by providing address translation and stateful inspection of traffic flow. The firewall does not have the intelligence by default to know whether the packet flow through the firewall represents genuine traffic or an attempted attack that is hiding as a genuine service request. The inclusion of intrusion detection adds another layer of security and intelligence to ensure that the firewall only allows traffic through to the internal networks after screening.

Glossary

IDS (intrusion detection system)— Scans the network in real time to intercept attempted breaches of security.

ISP (Internet service provider)— A service provider that provides a connection to the public Internet.

NAT (Network Address Translation)— NAT is the translation of an IP address used within one network to a different IP address known within another network.

PIX (Private Internet Exchange)— The Cisco range of leading hardware-based firewalls.
Chapter 7. Cisco Secure Scanner This chapt er cont ains t he follow ing sect ions:
• • • • • • • Chapter 3 ,
Cisco Secure Scanner Feat ures Cisco Secure Scanner I nst allat ion Cisco Secure Scanner Configurat ion Summary Frequent ly Asked Quest ions Glossary URLs
" Over view of t he Cisco Secur it y Solut ion and t he Cisco Secur e Pr oduct Fam ily,"
covered t he Securit y Solut ion t hat has been devised by Cisco in order t o provide t ot al net w ork secur it y. This solut ion consist s of five key elem ent s:
•
I dent it y
•
Per im et er secur it y
•
Dat a pr ivacy
• •
Securit y m onit oring Policy m anagem ent
This chapt er delves deeper int o t he four t h key elem ent of t he Cisco Secur it y Solut ion: secur it y m onit or ing. Securit y m anagem ent , like net w ork m anagem ent , is a dynam ic, ever-changing process. Once you ha v e designed and im plem ent ed a secur it y solut ion, it has t o be m easur ed. One w ay of m easur ing t he int egr it y of y our solut ion is w it h a net w or k scanner , w hich w ill scan ev er y liv e I P addr ess on y our net w or k and check t he r esult s against w ell-known vulnerabilit ies. A full report is t hen creat ed, and act ions can be t aken t o rem edy any short com ings in t he design or im plem ent at ion. I t 's im por t ant t o m ake t he changes and t hen scan t he net w or k again t o ensur e t hat t he changes have been effect ive and t heir im plem entat ion hasn't caused any furt her securit y vulnerabilit ies. The securit y vulnerabilit y dat abase for all leading net work scanners is upgraded on a periodic basis, ensuring t hat every new vulnerabilit y t hat is discover ed is added t o t he dat abase. When you r un a net w or k scan, y ou can be sur e t hat y ou are scanning for t he lat est vulnerabilit ies. Cisco Secur e Scanner is a full, net w or k-scanning ut ilit y t hat can be used for r egular secur it y m onit or ing pur poses. This chapt er t ak es a look at t he Cisco Secur e Scanner . The chapt er st ar t s by pr oviding an explanat ion of t he pr ocesses and t heor y behind net w or k scanning, and it m oves on t o look at t he Cisco Secur e Scanner pr oduct and how it is used t o car r y out net w or k scanning.
Cisco Secure Scanner Features
The Cisco Secure Scanner (formerly Cisco NetSonar) is a software application that offers a complete suite of network scanning tools designed to run on either Windows NT or Solaris. Network scanning is the process in which a specific host is configured as a scanner and scans all or just configurable parts (depending on the scanner) of the network for known security threats. The design and operation of the scanner makes it a valuable asset to have in your quest for Internet security.
Cisco Secure Scanner follows a six-step process to identify any possible network vulnerabilities:
Step 1. Network mapping
Step 2. Data collection
Step 3. Data analysis
Step 4. Vulnerability confirmation
Step 5. Data presentation and navigation
Step 6. Reporting
Step 1: Network Mapping
Network mapping is the process that the Cisco Scanner uses to identify hosts. At this point, you have to provide a range of IP addresses that make up the network that you wish to scan. These addresses do not have to be your local network. They can be any remote IP address, as long as you have network layer access, that is, as long as you can run a successful network layer connectivity test such as ping. Cisco Secure Scanner allows you to enter either single IP addresses or a complete range of IP addresses. You also have the option to exclude IP addresses or ranges to further simplify your scan. Figure 7-1 shows you the network mapping configuration screen from the Cisco Secure Scanner.
Figure 7-1. Network Mapping Screen
You can see in Figure 7-1 that a session has been created for the IP address range 194.73.134.1 to 194.73.134.255. This is covered in the first configuration line. Note that the second and third configuration lines both have the Excluded Address check box selected. This means that the addresses specified thereafter are excluded from the address range. The second configuration line just excludes one address because IP Address Begin and IP Address End are the same. The third configuration line excludes the range of IP addresses 194.73.134.211 to 194.73.134.214. The addresses that will be included in the scan are shown in Table 7-1.
Table 7-1. IP Addresses Included in the Scan
IP Address Begin      IP Address End
194.73.134.1          194.73.134.199
194.73.134.201        194.73.134.210
194.73.134.215        194.73.134.255
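The address arithmetic behind Table 7-1, as an added example that is not code from the book or from the scanner: it applies the session's Excluded Address lines to the included range and counts the remaining hosts against the host license. The single excluded address, 194.73.134.200, is inferred from Table 7-1 rather than stated in the text.

```python
import ipaddress
from typing import List, Tuple

# Session lines as shown in Figure 7-1: (IP Address Begin, IP Address End, Excluded Address).
# The single excluded address .200 is inferred from Table 7-1; the text does not state it.
SESSION_LINES = [
    ("194.73.134.1", "194.73.134.255", False),
    ("194.73.134.200", "194.73.134.200", True),
    ("194.73.134.211", "194.73.134.214", True),
]

Range = Tuple[int, int]  # inclusive (begin, end) as integers


def _as_ints(begin: str, end: str) -> Range:
    """Convert a dotted-quad begin/end pair to an inclusive integer range."""
    lo, hi = int(ipaddress.ip_address(begin)), int(ipaddress.ip_address(end))
    if lo > hi:
        raise ValueError(f"IP Address Begin {begin} is after IP Address End {end}")
    return lo, hi


def included_ranges(lines) -> List[Tuple[str, str]]:
    """Apply every Excluded Address line to the included lines and return the
    remaining address ranges, sorted, as (begin, end) dotted-quad strings."""
    included: List[Range] = []
    excluded: List[Range] = []
    for begin, end, is_excluded in lines:
        (excluded if is_excluded else included).append(_as_ints(begin, end))

    for xlo, xhi in excluded:
        remaining: List[Range] = []
        for lo, hi in included:
            if xhi < lo or xlo > hi:          # exclusion does not touch this range
                remaining.append((lo, hi))
                continue
            if lo < xlo:                      # keep the part below the exclusion
                remaining.append((lo, xlo - 1))
            if xhi < hi:                      # keep the part above the exclusion
                remaining.append((xhi + 1, hi))
        included = remaining

    return [(str(ipaddress.ip_address(lo)), str(ipaddress.ip_address(hi)))
            for lo, hi in sorted(included)]


def host_count(lines) -> int:
    """Number of addresses the session will map (what the host license counts)."""
    return sum(int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(begin)) + 1
               for begin, end in included_ranges(lines))


def within_license(lines, licensed_hosts: int = 2500) -> bool:
    """True if the session fits the host license; the chapter uses the 2500-host license."""
    return host_count(lines) <= licensed_hosts


if __name__ == "__main__":
    print("IP Address Begin      IP Address End")
    for begin, end in included_ranges(SESSION_LINES):
        print(f"{begin:<22}{end}")
    print(f"{host_count(SESSION_LINES)} hosts, within license: {within_license(SESSION_LINES)}")
```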
Now there is a range of IP addresses that are going to make up the scan. There are two ways of selecting how the network map is devised. The first and standard method is to use the network tool ping. The second and optional method is to force the scan.
You have created your range of IP addresses for the scan, but are you really sure that all of those IP addresses are valid hosts? The default resolution to this is for the scanner to test every IP address for basic network connectivity. The simplest way to do this, and the one the scanner employs, is simply to send an Internet Control Message Protocol (ICMP) Echo Request to the configured IP addresses. This is commonly known as a ping. If the scanner receives an ICMP Echo Reply, it assumes that the IP address is a valid host and adds it to the network map. This process seems like a simple and constructive test for the scanner, preventing the waste of time and resources in scanning against a range of addresses that either do not exist or do not have powered-up network hosts configured to them. However, this is not always the case. Many firewalls, especially those used to protect Internet services, are configured to deny all ICMP traffic to protected interfaces, those where security policies are defined to protect resources that are resident on those interfaces from external networks. The simple Internet service displayed in Figure 7-2 shows this scenario.
Figure 7-2. Simple Web Service
You can see in Figure 7-2 that the Internet firewall blocks all TCP, UDP, and ICMP traffic destined for the internal network. Only HTTP port 80 traffic is allowed through the firewall. In this instance, a standard scan against 194.73.134.100 would fail, because the scanner software would send an ICMP Echo Request packet to the IP address 194.73.134.100 and no ICMP Echo Reply would be received. The scanner software would presume that there is no host associated with the IP address 194.73.134.100 and simply move on to the next IP address. Figure 7-3 slightly complicates Figure 7-2 by adding another interface to the firewall, the DMZ, and also an Internet mail server on the DMZ firewall interface.
Figure 7-3. Expanded Simple Web Service
There are now two basic firewall rules in the security policy: to restrict all traffic except TCP port 80 to the internal interface, and to allow all traffic to the DMZ interface. These two distinct rules will alter the way the network map is created. Cisco Secure Scanner has a feature where you can force a scan against an address. This is exactly the feature you need in this case because it circumvents the problem. When you force a scan, the IP address is probed without sending an ICMP echo. Figure 7-4 shows the correct session configuration to scan the networks shown in Figure 7-3.
Figure 7-4. Session Configuration
You can see that two ranges have been defined. The first range is for the Web server farm, 194.73.134.100 to 194.73.134.110. Note that the Force Scan checkbox is selected. This means that all of these hosts will be probed, regardless of whether they are active. The second range identifies the Internet mail server on 194.73.134.111. An ICMP Echo Request will be sent to this machine to ascertain whether or not the machine is running. Cisco Secure Scanner is licensed based on the number of hosts available to any one network. The version used here is the 2500 host license that allows you to scan up to 2500 hosts in one session.
Step 2: Data Collection
Once the network mapping stage is completed, and the scanner has a valid range of IP addresses that have either been verified with a successful ICMP echo or set to be forced at the network mapping stage, the scanning software gathers data from these hosts. Running a series of port scans against the valid hosts collects the data.
NOTE
A port scan can be defined as a way of identifying which services are running on a remote machine by testing connections to each port on the remote machine. Most network services have a well-known port, either TCP, UDP, or both, associated to them. These ports and associated services can be found in the Services text file located in the /etc directory on a UNIX box or in the C:\winnt\system32\drivers\etc folder on a Windows NT system.
The port scan will identify which services are running on the remote hosts. This information is added to the scanner's database for analysis. Cisco Secure Scanner provides a configurable set of options for data collection. Figure 7-5 shows the data capture configuration screen.
Figure 7-5. Data Capture Configuration
You can see in Figure 7-5 that there are five possible choices for the TCP data collection phase or port scan:
• None— This setting does not run a port scan for data collection; therefore, no data is recorded. The hosts are only checked against the scanner probes looking for well-known vulnerabilities.
• Low Ports— The ports 1 to 1024 are considered low ports, and most default network services operate here. For example, HTTP is TCP port 80, SMTP is TCP port 25, and Telnet is TCP port 23.
• Well-Known Ports— This setting selects ports that have well-known services associated to them. This includes all ports that can be found in the Services file.
• Low Plus Well-Known Ports— With this setting, all ports from 1 to 1024 are scanned, as well as well-known ports above 1024.
• All Ports— This scans all available ports from 1 to 65,535. This is a very time-consuming port scan, but it will guarantee that you scan the port you are looking for.
UDP is slightly more restrictive in what you can scan for, because UDP is classed as a connectionless service and therefore not as reliable as TCP. Even though UDP does have advantages over TCP, most network applications rely on the more robust TCP as their transport protocol. The UDP options are:
• None— This setting does not run a port scan for data collection; therefore, no data is recorded. The hosts are only checked against the scanner probes looking for well-known vulnerabilities.
• Well-Known Ports— This setting selects ports that have well-known services associated with them. This includes all ports that can be found in the Services file.
Once you have selected the required ports for both TCP and UDP, the port scan is ready to commence.
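How the TCP and UDP port-selection options above translate into concrete port sets, as an added example that is not the scanner's code: it parses a Services file in the /etc/services format the note mentions and builds each option's set from it. The Services excerpt is constructed for the example, and the option names follow the text.

```python
import re
from typing import Dict, Set

# Constructed excerpt in the /etc/services format ("name port/protocol [aliases] # comment");
# it is not copied from any real system file.
SAMPLE_SERVICES = """\
# Network services, Internet style (constructed sample)
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
smtp            25/tcp          mail
domain          53/tcp
domain          53/udp
finger          79/tcp
http            80/tcp          www www-http   # WorldWideWeb HTTP
snmp            161/udp
https           443/tcp
shell           514/tcp         cmd            # no passwords used
syslog          514/udp
ms-sql-s        1433/tcp
radius          1812/udp
"""

LOW_PORTS = range(1, 1025)       # "Low Ports": 1 to 1024
ALL_PORTS = range(1, 65536)      # "All Ports": 1 to 65,535

_ENTRY = re.compile(r"^\s*(\S+)\s+(\d+)/(tcp|udp)\b")


def parse_services(text: str) -> Dict[str, Set[int]]:
    """Return the well-known ports per protocol from Services-file text.
    Comments (after '#') and blank lines are ignored; aliases are not needed here."""
    ports: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        match = _ENTRY.match(line)
        if match:
            _name, port, proto = match.groups()
            ports[proto].add(int(port))
    return ports


def tcp_ports(option: str, well_known: Dict[str, Set[int]]) -> Set[int]:
    """Port set for each TCP data-collection option listed in the text."""
    if option == "None":
        return set()
    if option == "Low Ports":
        return set(LOW_PORTS)
    if option == "Well-Known Ports":
        return set(well_known["tcp"])
    if option == "Low Plus Well-Known Ports":
        return set(LOW_PORTS) | well_known["tcp"]
    if option == "All Ports":
        return set(ALL_PORTS)
    raise ValueError(f"unknown TCP option: {option}")


def udp_ports(option: str, well_known: Dict[str, Set[int]]) -> Set[int]:
    """Port set for the two UDP data-collection options."""
    if option == "None":
        return set()
    if option == "Well-Known Ports":
        return set(well_known["udp"])
    raise ValueError(f"unknown UDP option: {option}")


def missed_by_low_ports(well_known: Dict[str, Set[int]]) -> Set[int]:
    """Well-known TCP services above 1024 that a plain Low Ports scan would not touch;
    this is the gap the Low Plus Well-Known Ports option closes."""
    return well_known["tcp"] - set(LOW_PORTS)


if __name__ == "__main__":
    wk = parse_services(SAMPLE_SERVICES)
    for opt in ("None", "Low Ports", "Well-Known Ports", "Low Plus Well-Known Ports", "All Ports"):
        print(f"TCP {opt:<28} {len(tcp_ports(opt, wk)):>6} ports")
    print("UDP Well-Known Ports:", sorted(udp_ports("Well-Known Ports", wk)))
    print("TCP well-known above 1024:", sorted(missed_by_low_ports(wk)))
```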
Step 3: Data Analysis
At this stage, the network map is complete and the valid hosts have been scanned for the network services running on them. This data has been collected and is stored in the internal scanner database. The Cisco Secure Scanner now analyzes this stored information for the following:
• Network devices— All network devices within the network map are identified. The software can identify routers, switches, firewalls, network servers, printers, desktops, and workstations.
• Operating systems— The scanner uses proven methods to identify the operating system that is running on the host.
• Network services— All network services running on the specific hosts are analyzed. All hosts, unless protected by a firewall, have network services running, as these services provide access to the host from the required clients.
• Potential vulnerabilities— Through passive analysis, Cisco Secure Scanner identifies potential vulnerabilities based on the data that has already been collected at the data collection stage. These passive vulnerabilities include:
  - Known security vulnerabilities in operating systems such as Windows NT and Linux
  - Misconfigured network devices such as firewalls and routers
  - Service-based vulnerabilities for public services such as File Transfer Protocol (FTP) and Remote Shell (RSH)
  - Problems with the Sendmail UNIX application
  - System misconfiguration
  - Reconnaissance services, such as finger, that might be used by hackers
The analysis is carried out by comparing the data with the built-in rules base. This operates in a method similar to that of a virus detection application. The data is checked against the rules base, and any matches indicate a potential vulnerability. Once the vulnerabilities have been identified, the next step actively checks the hosts and confirms these vulnerabilities.
Step 4: Vulnerability Confirmation
Cisco Secure Scanner contains a very advanced vulnerability exploit engine that can be used to actively probe the network to confirm the presence of known vulnerabilities. These probes run against all hosts identified at the network mapping stage, as well as any other host where the decision has been made to carry out a forced scan. Cisco Secure Scanner has nine built-in active probe profiles:
• All Heavy— The All Heavy profile selects all of the active probes for both UNIX and Windows machines.
• All Light— The All Light profile selects the active probes that are considered to be common known problems for both UNIX and Windows machines. This probe profile is a lot less resource- and time-intensive than the All Heavy profile.
• All Severe— The All Severe profile selects the active probes that are considered to be severe known problems for both UNIX and Windows machines. This probe profile is a lot less resource- and time-intensive than the All Heavy profile.
• UNIX Heavy— The UNIX Heavy profile selects all of the active probes for UNIX machines.
• UNIX Light— The UNIX Light profile selects the active probes that are considered to be common known problems for UNIX machines. This probe profile is a lot less resource- and time-intensive than the All Heavy profile.
• UNIX Severe— The UNIX Severe profile selects the active probes that are considered to be severe known problems for UNIX machines. This probe profile is a lot less resource- and time-intensive than the All Heavy profile.
• Windows Heavy— The Windows Heavy profile selects all of the active probes for Windows machines.
• Windows Light— The Windows Light profile selects the active probes that are considered to be common known problems for Windows machines. This probe profile is a lot less resource- and time-intensive than the All Heavy profile.
• Windows Severe— The Windows Severe profile selects the active probes that are considered to be severe known problems for Windows machines. This probe profile is a lot less resource- and time-intensive than the All Heavy profile.
Each of these profiles contains a preconfigured selection of the active probes. In addition to the built-in probes, you can also create a customized probe by selecting an existing profile and then adding or removing individual probes.
NOTE
By default, the active probes are disabled. You have to enable the active probes and then choose your profile. The All Heavy profile is the default active probe profile.
Figure 7-6 shows the active probe configuration screen.
Figure 7-6. Active Probe Configuration
In Figure 7-6, you can see that active probes are enabled. This is indicated by the selection of the Enable active probes check box. Beneath this check box is the Active Probe Profile drop-down list. The figure provided is using the All Heavy profile.
NOTE
The nature of the active probes at the vulnerability confirmation stage makes them intrusive to the network on which the scan is run. This is important to understand, because active probes could raise alarms with any intrusion detection software that is configured on the network. Even though the probe is intrusive, no denial of service (DoS) type of probe that has destructive implications will be carried out.
After configuring the active probe profile, the scan is fully configured. Clicking the OK button as shown in Figure 7-6 will start the scan.
The scan will start by mapping the network, then it will collect and analyze the data. At this point, the data is ready for presentation and reporting.
Step 5: Data Presentation and Navigation
By now, the data has been collected and analyzed. To make the scan worthwhile, you can view the results of the network scan. Cisco Secure Scanner provides the most sophisticated reporting tools of any network scanner on the market. There are three presentation tools:
• Grid browser
• Charts
• Network Security Database (NSDB)
The following three sections look at each of these tools and provide samples of each.
Grid Browser
The grid browser is a spreadsheet that contains all of the data that has been collected and analyzed from the preceding four stages. Figure 7-7 shows the grid browser.
Figure 7-7. Grid Browser
The grid browser in Figure 7-7 has been configured to display the Service/Host relationship. The identified services are shown down the left side (y-axis), and the identified hosts that make up the network map are on the top (x-axis). The presence of a 1 in the grid indicates that the specified service was found on the specified host. From this example, you can see that the host 194.73.134.2 had the following services running:
• NT domain controller
• FTP
• Windows server service
• Windows workstation service
It is pretty easy to see that this machine is a Windows NT server running as a domain controller within a Windows NT domain. Overall, there are 42 prebuilt grid configurations that you can select to view your data. There are numerous controls that can change the way the data is viewed within each grid configuration. Figure 7-8 shows a different grid configuration.
Figure 7-8. An Alternate Grid Browser Configuration
The example in Figure 7-8 shows the OS/Host relationship with the totals turned on. You can quickly see that there were three unknown operating systems, four Windows operating systems, one Windows NT 4.0 operating system, and one Windows NT 5 (Windows 2000) operating system, giving a total of nine hosts in the scan. The grid data can be saved, creating an HTML report that is an exact replica of the grid that was viewed.
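The two grid configurations described for Figures 7-7 and 7-8, as an added example that is not the scanner's code: it builds the Service/Host grid of 1s and the OS/Host grid with totals from a result set. The nine-host result set is constructed to match the counts in Figure 7-8 and the services listed for 194.73.134.2; the other hosts' details are invented for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed result set for nine hosts: operating system and services found on each.
# It reproduces the counts of Figure 7-8 and the services listed for 194.73.134.2;
# everything else about these hosts is invented for the example.
RESULT_SET: Dict[str, dict] = {
    "194.73.134.1": {"os": "Unknown", "services": ["HTTP", "SMTP"]},
    "194.73.134.2": {"os": "Windows NT 4.0",
                     "services": ["NT domain controller", "FTP",
                                  "Windows server service", "Windows workstation service"]},
    "194.73.134.3": {"os": "Windows", "services": ["Windows workstation service"]},
    "194.73.134.4": {"os": "Windows", "services": ["Windows workstation service"]},
    "194.73.134.5": {"os": "Unknown", "services": []},
    "194.73.134.6": {"os": "Windows NT 5 (Windows 2000)",
                     "services": ["HTTP", "Windows server service"]},
    "194.73.134.7": {"os": "Windows", "services": ["Windows workstation service", "FTP"]},
    "194.73.134.8": {"os": "Unknown", "services": ["Telnet"]},
    "194.73.134.9": {"os": "Windows", "services": ["Windows server service"]},
}

Grid = Dict[str, Dict[str, int]]   # row label -> column label -> cell value


def _hosts_in_order(results: Dict[str, dict]) -> List[str]:
    """Column order of the grid: hosts sorted numerically, not as strings."""
    return sorted(results, key=lambda h: int(ipaddress.ip_address(h)))


def service_host_grid(results: Dict[str, dict]) -> Grid:
    """Service/Host relationship: rows are services, columns are hosts,
    and a 1 marks a service found on a host (Figure 7-7)."""
    hosts = _hosts_in_order(results)
    services = sorted({s for r in results.values() for s in r["services"]})
    return {svc: {h: int(svc in results[h]["services"]) for h in hosts} for svc in services}


def os_host_grid(results: Dict[str, dict], totals: bool = True) -> Grid:
    """OS/Host relationship; with totals on, each row gets a Total column and a
    Total row counts every host once (Figure 7-8)."""
    hosts = _hosts_in_order(results)
    systems = sorted({r["os"] for r in results.values()})
    grid: Grid = {os_name: {h: int(results[h]["os"] == os_name) for h in hosts}
                  for os_name in systems}
    if totals:
        for row in grid.values():
            row["Total"] = sum(row.values())
        grid["Total"] = {h: 1 for h in hosts}
        grid["Total"]["Total"] = len(hosts)
    return grid


def services_on(results: Dict[str, dict], host: str) -> List[str]:
    """Read a single host's column out of the Service/Host grid."""
    grid = service_host_grid(results)
    return [svc for svc, cells in grid.items() if cells.get(host) == 1]


def render(grid: Grid) -> str:
    """Plain-text rendering of a grid in the layout the grid browser uses."""
    columns = list(next(iter(grid.values())))
    width = max(len(r) for r in grid) + 2
    lines = [" " * width + "  ".join(f"{c:>15}" for c in columns)]
    for row, cells in grid.items():
        lines.append(f"{row:<{width}}" + "  ".join(f"{cells[c]:>15}" for c in columns))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(service_host_grid(RESULT_SET)))
    print()
    print(render(os_host_grid(RESULT_SET)))
```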
Charts
Besides viewing the data in the grid, you can also create charts from it. To do this, you first have to define the grid browser to display the data you want to chart. The Chart button on the toolbar becomes active when you select the data required for the chart from the grid browser. The following types of charts can be created:
• Area
• Line
• 3-D bar graph
• Pie chart
• 2.5-D column
• 3-D column
• 3-D horizontal row
• Stacked bar
• Stacked area
The charts provide a graphical representation of the grid data and can be used later at the reporting stage to add more clarity to printed and electronic reports.
Network Security Database (NSDB)
The NSDB is provided as an HTML-based resource that is installed when you install the Cisco Secure Scanner. The NSDB contains information regarding the known vulnerabilities, as well as other links to security resources on the Internet. Figure 7-9 shows the main screen of the NSDB.
Figure 7-9. NSDB
Figure 7-9 shows the main NSDB index page. You can see that this main index page displays the vulnerability index. The Warning icon is the severity level, and the title is the name of the actual vulnerability. Clicking any of the listed vulnerabilities will give you further information on that vulnerability. Figure 7-10 shows the information received after clicking the Default Dangerous Accounts vulnerability.
Figure 7-10. NSDB Default Dangerous Accounts Vulnerability
You can see in this example that the NSDB provides you with a description of the exploit along with the consequences and countermeasures that can be taken to correct the vulnerability. The NSDB is an excellent resource and can be used to gain a good overview of the current vulnerabilities. It can also be used as a source of information, providing many links to security resources available on the Internet.
Step 6: Reporting
Cisco Secure Scanner has a built-in reporting wizard that can be used to create various reports based on the collected and analyzed data. These reports add real value to the collected data and provide you with a professional-looking report that can be used to explain the findings of the scan both technically and nontechnically. Three main report types can be created:
• Executive Summary— The Executive Summary provides a brief executive-level report on the findings of the scan. The content is not very technical in nature and is geared toward senior nontechnical management.
• Brief Technical Report— The Brief Technical Report is a concise technical report without the Executive Summary and other explanatory sections. It presents a basic technical report of the findings and vulnerabilities, along with the required action to remedy the vulnerabilities.
• Full Technical Report— The Full Technical Report contains the Executive Summary and other explanatory sections, as well as the full technical aspects regarding the discovered vulnerabilities. This can be a lengthy document if the findings are copious, but in the author's opinion, this is the most useful of the three reports.
Figure 7-11 shows the result of a Full Technical Report.
Figure 7-11. Full Technical Report Showing Part of the Table of Contents
All of these reports can be customized using the wizard to add and remove content. Previously saved grid browsers and charts can also be incorporated within the report, further enhancing the quality of the report.
Cisco Secure Scanner Installation
Cisco Secure Scanner is available for both the Windows and Solaris platforms. Cisco Secure Scanner is provided on a CD-ROM, which has to be installed to your host's hard disk for the application to function. Cisco Secure Scanner will not operate from the CD-ROM drive. This chapter does not examine the full installation process. The process is fully documented on Cisco Connection Online (CCO) at www.cisco.com and also in the documentation provided with the Cisco Secure Scanner product.
Cisco Secure Scanner Configuration
Now that you have looked at the main features of the Cisco Secure Scanner, this section covers the configuration of the software with the goal of creating a session to check a sample network for security vulnerabilities. This configuration example is provided as a basic example, with steps you can emulate in your workplace to check your internal networks for security vulnerabilities. This section includes four steps to create the session and ultimately report on the collected data. These steps require using the features that were described previously in this chapter. The steps are as follows:
Step 1. Running Cisco Secure Scanner
Step 2. Creating a session to capture data
Step 3. Interpreting the collected data
Step 4. Reporting on the collected data
Step 1: Running Cisco Secure Scanner
Once you have successfully installed and licensed the Cisco Secure Scanner for your chosen platform, you have to start the scanning application. This example uses the Cisco Secure Scanner V2.0 for Windows NT. Figure 7-12 shows the network diagram that you are going to use for this exercise.
Figure 7-12. Sample Network Diagram
You can see in Figure 7-12 that this is a simple network that could represent a corporate Internet connection. The main connection to the Internet from the corporate network is through an Internet-facing firewall with four interfaces. Interface 1 is connected to the Internet, interface 2 is connected to the internal network, interface 3 is connected to DMZ1, and interface 4 is connected to DMZ2. Table 7-2 shows the simple security policy installed on the firewall.
Table 7-2. Simple Security Policy for the Example Network
Source    Destination         Service         Permit/Deny
Any       Web servers         TCP Port 80     Permit
Any       Web servers         TCP Port 443    Permit
Any       Web servers         ICMP            Permit
Any       Mail servers        TCP Port 25     Permit
Any       Mail servers        ICMP            Permit
Any       Internal network    ICMP            Deny
Step 2: Creating a Session to Capture Data
The first thing that you need to do is create a session to capture the required data. To do this, click the Create New Session command button that is located in the top left corner of the Cisco Secure Scanner application window. Once the session configuration screen is displayed, you need to configure a session that will enable a scan of the DMZ1, DMZ2, and internal networks. You might ask why you are scanning the internal network. This is to confirm that the firewall is blocking access to inbound services on the internal network. You know that ICMP is not allowed to the internal network, so you will have to force a scan of these addresses. For this exercise, the scanner will be run from the Internet. Figure 7-13 shows the required configuration settings for the IP addresses in the session.
Figure 7-13. Session Configuration Settings
In Figure 7-13, you can see three configuration lines for the session. The first line configures the session to scan the Web servers on DMZ1. The second line configures the session to scan the internal network, and the third line configures the session to scan the mail servers on DMZ2. Note that the Force Scan checkbox is checked on the second configuration line. Because ICMP is not permitted through the firewall for the internal interface, forcing a scan is the only way to scan the hosts on the internal network. If you leave this blank, no hosts on the internal interface would be added to the network map because the scanning software would presume that the hosts are down.
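Deriving the Force Scan setting of each session line in Figure 7-13 from the firewall policy in Table 7-2, as an added example that is not the scanner's code. The address ranges for the Web servers, internal network, and mail servers are placeholders from the 192.0.2.0/24 documentation range because Figure 7-12 is not reproduced here, and the policy is evaluated first-match with an implicit deny, which is an assumption about the firewall rather than something the chapter states.

```python
from typing import Dict, List, Tuple

# Table 7-2: (Source, Destination, Service, Permit/Deny), in the order listed.
POLICY: List[Tuple[str, str, str, str]] = [
    ("Any", "Web servers", "TCP Port 80", "Permit"),
    ("Any", "Web servers", "TCP Port 443", "Permit"),
    ("Any", "Web servers", "ICMP", "Permit"),
    ("Any", "Mail servers", "TCP Port 25", "Permit"),
    ("Any", "Mail servers", "ICMP", "Permit"),
    ("Any", "Internal network", "ICMP", "Deny"),
]

# Address groups for Figure 7-12, in the order of the session lines in Figure 7-13.
# Placeholder addresses from 192.0.2.0/24; the book's diagram is not reproduced here.
ADDRESS_GROUPS: Dict[str, Tuple[str, str]] = {
    "Web servers": ("192.0.2.10", "192.0.2.20"),         # DMZ1
    "Internal network": ("192.0.2.129", "192.0.2.254"),  # inside interface
    "Mail servers": ("192.0.2.30", "192.0.2.34"),        # DMZ2
}


def permits(policy, source: str, destination: str, service: str) -> bool:
    """First matching rule decides; no match means deny (assumed firewall semantics)."""
    for rule_src, rule_dst, rule_svc, action in policy:
        if rule_src in ("Any", source) and rule_dst == destination and rule_svc == service:
            return action == "Permit"
    return False


def needs_force_scan(policy, destination: str, scanner_location: str = "Internet") -> bool:
    """A group whose hosts cannot answer an ICMP Echo Request from the scanner's
    location would be left out of the network map, so its line must be forced."""
    return not permits(policy, scanner_location, destination, "ICMP")


def session_lines(groups, policy) -> List[Tuple[str, str, str, bool]]:
    """(group, IP Address Begin, IP Address End, Force Scan) for each session line."""
    return [(name, begin, end, needs_force_scan(policy, name))
            for name, (begin, end) in groups.items()]


def expected_open_services(policy, destination: str) -> List[str]:
    """Services the policy lets through to a group; anything else the scan finds
    open there means a firewall rule is not doing what Table 7-2 says."""
    return [svc for _src, dst, svc, action in policy
            if dst == destination and action == "Permit" and svc != "ICMP"]


if __name__ == "__main__":
    for name, begin, end, force in session_lines(ADDRESS_GROUPS, POLICY):
        print(f"{name:<18} {begin:<14} {end:<14} Force Scan: {force}")
    print("Internal network should show open:", expected_open_services(POLICY, "Internal network"))
```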
The next step is to configure the ports for the scan and the active probes. Click the Vulnerabilities tab to display these options. In this instance, you want to scan the well-known ports for both TCP and UDP. Do this by clicking the Well-Known Ports option for both TCP and UDP. You must then enable the active probes and select the Windows_Heavy profile, because you do not have any UNIX machines on the network. All of the active probes that correspond to known vulnerabilities on hosts running Windows as the operating system are then selected. Figure 7-14 shows the finished port and probe configuration.
Figure 7-14. Port and Probe Configuration Settings
You can see the settings explained in the previous paragraph in Figure 7-14. Well-Known Ports and the Windows Heavy probe profile are selected. The last tab on the session configuration screen is the Scheduling tab. Here you can set a schedule for the scan to run. The default is Immediately, but you have the option to choose a time of day and also the day and frequency of the scan. For this demonstration, you are going to configure the scan to run at 0700 every Monday. Figure 7-15 shows this configuration.
Figure 7-15. Scheduling Settings
Figure 7-15 shows that the scan is set to run every week on a Monday at 0700. As long as the host with the Cisco Secure Scanner application installed is running the software at this time, the scan will occur. If not, the scan will occur the next time the software is run.
NOTE
It is possible to run Cisco Secure Scanner as a Windows NT service. This means that the scans would run even though the application is not loaded. Refer to the product manual for instructions on how to do this.
Clicking OK at this point will make the scan session ready for the next Monday morning at 0700. At that time, the scan will start, and you will see the scan status screen as shown in Figure 7-16.
Figure 7-16. Scan Status Screen
Step 3: Interpreting the Collected Data Aft er t he scan has r un, y ou w ill be pr esent ed w it h a r esult set it em under t he nam e of t he session in t he m ain Cisco Secur e Scanner applicat ion w indow . This can be seen in Figure 7 - 17 . Figur e 7 - 1 7 . Sca n n e r Applica t ion W in dow
248
The session cr eat ed is called Sam ple Session and can be seen along w it h t he folder s cr eat ed by default : Chart s, Grids, and Report s. Not e t hat t here is not hing list ed under t he Chart s, Gr ids, or Repor t s folder s. At t his point , you have not cr eat ed any obj ect s t hat w ould nor m ally be placed under t hese folder s. You w ill now cr eat e a sam ple gr id and char t , leav ing t he r epor t t o St ep 4, " Report ing on t he Collect ed Dat a ," lat er in t his chapt er. To cr eat e a gr id and v iew it in a gr id br ow ser , r ight -click t he r esult set and select Vie w Gr id Dat a. You ar e t hen pr esent ed w it h t he gr id br ow ser . To configur e t he gr id br ow ser , r efer t o t he configurat ion set t ings described under t he " Cisco Secure Scanner Feat ures " sect ion at t he beginning of t his chapt er . Once you have com plet ed configur ing your gr id, save it by select ing t he Sa v e but t on on t he com m and bar . Aft er ent er ing t he nam e of t he gr id, it appear s as an obj ect below t he Grid folder on t he m ain configurat ion screen. To cr eat e a char t , y ou fir st hav e t o configur e a gr id t o display t he infor m at ion y ou r equir e on t he char t . When y ou highlight t his dat a, t he Char t Wizar d icon becom es act iv e. Click ing t his but t on enables t he chart w izard. To configure t he chart , refer t o t he configurat ion set t ings descr ibed under t he " Cisco Secure Scanner Feat ures " sect ion ear lier in t his chapt er . Once y ou hav e com plet ed configuring your chart , save it by select ing t he Sa ve but t on on t he com m and bar. Aft er ent er ing t he nam e of t he char t , it appear s as an obj ect below t he Char t folder on t he m ain configur at ion scr een. Aft er y ou hav e com plet ed t hese st eps, y ou w ill hav e a m ain applicat ion w indow t hat look s sim ilar t o t hat in Figure 7 - 1 8 . Figur e 7 - 1 8 . Sca nne r Applica t ion W in dow
You can see in
Figure 7 - 18
t hat along w it h t he r esult set , y ou now hav e Sam ple Gr id and Sam ple
Char t obj ect s under t he cor r esponding folder s.
249
The nex t st ep is t o cr eat e t he r epor t .
Step 4: Reporting on the Collected Data You now hav e r un a successful por t scan and pr obe of t he int ended host s. The nex t r equir em ent is t o pr oduce a Br ief Technical Repor t t o explain t he findings of t he scan. You should include t he Sam ple Grid and Sam ple Cha rt t hat you produced in t he previous sect ion. To cr eat e a new r epor t , you have t o r ight -click t he r esult set and select Cr e a t e a N e w Re por t . Fr om t he Repor t Select ion scr een, choose t he Br ie f Te chnica l Re por t opt ion. The m ain difference bet w een t he Brief a nd Full Technical Report s is t he Execut ive Sum m ary and t he ex planat or y t ex t . Because t his r epor t is of a t echnical nat ur e and t he scan is t o be r un every w eek, t here is no need for t he explanat ory t ext or Execut ive Sum m ary. Be sur e t o include in t he r epor t t he Sam ple Chart and Sam ple Grid t hat you previously cr eat ed. Once t he r epor t is cr eat ed, you w ill have a Repor t obj ect under t he Repor t folder . To open t he report , sim ply double -click t he report t it le t hat is locat ed w it hin t he Report folder. The report is HTML-based, so it w ill open in t he default inst alled I nt ernet brow ser.
Summary

This chapter provided an overview of the Cisco Secure Scanner. Network scanning is a very important part of the security policy for your organization; you may spend thousands of dollars on equipment and resources to protect your network. Network scanning provides an opportunity to test the effectiveness of these measures. Regular scanning of the network, especially after an updated NSDB containing new vulnerabilities is released, is important as an ongoing task to ensure that the network is secure from all threats.

The network scanner can be used not only in checking network security, but also in application testing to ensure that specific machines are listening for traffic on specific ports. This alternate use of the network scanner is one that the author has implemented numerous times.
Frequently Asked Questions
Question: I have heard the term port scan quite frequently. What exactly does it mean?

Answer: Port scanning is run by an application that is classified as a port scanner. Cisco Secure Scanner can be classified as a port scanner. A port scanner runs a series of network connectivity tests against a preconfigured range of IP addresses and ports. The result is called the port scan. The scan identifies what ports are open, that is, what network services are being run on each specific host.
Question: I cannot ping an internal Web server from the point where I will run the network scan. Can the Web server still be scanned?
Answer: Yes. You can set the scan to force specific addresses. This means that no network connectivity test, such as an ICMP echo, will be attempted. The object will automatically be added to the network map whether or not it is running and communicating on the network.
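The Summary describes using a scanner for application testing, and the first answer above describes a port scan as a series of TCP connectivity tests over a range of ports. The following Python is an added example, not code from the book or from the Cisco Secure Scanner: it runs that kind of connect test against a host you administer and compares what answers with the services the policy says should be listening, so that drift in either direction (an unexpected open port, or an expected service that has gone away) is reported. The localhost listener, the second port, and the expected-port set in demo() are constructed for the demonstration so it runs offline.

```python
"""Verify that a host you administer is listening only on the ports you expect.

Added example for this chapter; it is not code from the book or from the Cisco
Secure Scanner. The listener and ports used by demo() are constructed on
localhost so that the check runs without touching any other machine.
"""
import socket
from contextlib import closing


def scan_ports(host, ports, timeout=0.5):
    """TCP connect to each port; True means something accepted the connection."""
    observed = {}
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
            sock.settimeout(timeout)
            try:
                observed[port] = sock.connect_ex((host, port)) == 0
            except OSError:          # timeout or unreachable host counts as closed
                observed[port] = False
    return observed


def compare_with_policy(expected_open, observed):
    """Return (unexpected_open, expected_but_closed) relative to the service policy."""
    open_ports = {port for port, is_open in observed.items() if is_open}
    return sorted(open_ports - expected_open), sorted(expected_open - open_ports)


def demo():
    """Start one localhost listener, scan it plus a known-closed port, report drift."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as listener:
        listener.bind(("127.0.0.1", 0))      # ephemeral port chosen by the OS
        listener.listen(5)
        open_port = listener.getsockname()[1]
        # Reserve and release a second ephemeral port so it is known to be closed.
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as spare:
            spare.bind(("127.0.0.1", 0))
            closed_port = spare.getsockname()[1]
        observed = scan_ports("127.0.0.1", [open_port, closed_port])
        # Constructed policy: both ports are supposed to be serving, so the
        # closed one shows up as an expected service that is missing.
        drift = compare_with_policy({open_port, closed_port}, observed)
        return open_port, closed_port, observed, drift


if __name__ == "__main__":
    open_port, closed_port, observed, (unexpected, missing) = demo()
    print("observed:", observed)
    print("unexpected open:", unexpected, "expected but closed:", missing)
```

A connect test succeeds as soon as the kernel completes the handshake, which is why the listener above never has to call accept(); the same property means a scan can only tell you that a port is open, not which application owns it.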
Glossary

DoS (denial of service) — A specific type of network attack that overloads some aspect of a server's network communication to force the server to deny access to legitimate traffic.

PIX (Private Internet Exchange) — The Cisco range of leading hardware-based firewalls.

VPN (Virtual Private Network) — A secure connection over an unsecured medium. The connection is secured by the use of tunneling encryption and protocols.
URLs

Cisco Secure Scanner: www.cisco.com/go/netsonar/
Chapter 8. Cisco Secure Policy Manager (CSPM)

This chapter contains the following sections:

• Cisco Secure Policy Manager Features
• Cisco Secure Policy Manager Installation
• Configuration Example
• Summary
• Frequently Asked Questions
• Glossary
• URLs
As networks grow, so too does the administrative burden associated with the centralized control of the networking devices. One specific range of devices that requires stringent control is that group responsible for maintaining network integrity: the security devices. The security devices from Cisco include the Cisco Secure PIX Firewall and various Cisco routers running the Cisco IOS Firewall. By default, each of these security devices is a complete standalone entity that relies on editing the configuration with the command-line interface (CLI). As the network grows, a centralized, policy-based tool is required to keep control of network security, and a method of simplified administration and deployment becomes necessary. Cisco provides the Cisco Secure Policy Manager (CSPM) to carry out such a function.

This chapter covers CSPM by first explaining exactly what CSPM is and what it strives to achieve. Installation of CSPM will be covered right through to the specific configuration requirements essential for obtaining the most out of the product.
CSPM Features

CSPM (formerly Cisco Security Manager) is a powerful security policy management application that is designed around the integration of Cisco Secure PIX Firewalls, Internet Protocol Security (IPSec) VPN-capable routers, routers running the Cisco IOS Firewall feature set, and Intrusion Detection System (IDS) sensors. Currently, CSPM is available only on the Windows NT platform.

CSPM provides a tool that enables the security administrator to define, enforce, and audit security policies for distributed Cisco Secure PIX Firewalls, IPSec VPN-capable routers, and routers running the Cisco IOS Firewall feature set. The software enables the administrator to formulate complex security policies based on organizational needs. These policies are then converted to detailed configurations by the CSPM and distributed to the specific security devices in the network.

The main features of CSPM are as follows:
• Cisco firewall management — CSPM empowers the user to define complex security policies and then distribute these to several hundred PIX Firewalls or routers running the Cisco IOS Firewall. Full management capabilities are available for the firewalls.

• Cisco VPN router management — IPSec-based VPNs can be easily configured by using the simple graphical user interface (GUI). As with firewall management, this VPN configuration can be distributed to several hundred PIX Firewalls or routers running the Cisco IOS Firewall.

• Security policy management — The GUI enables the creation of network-wide security policies. These security policies can be managed from a single point and delivered to several hundred firewall devices without requiring extensive device knowledge and dependency on the CLI.

• Intelligent network management — The defined security policies are translated into the appropriate device commands to create the required device configuration. The device configuration is then securely distributed throughout the network, eliminating the need for device-by-device management.

• Notification and reporting system — CSPM provides a basic set of tools to monitor, alert, and report activity on the Cisco Secure devices. This provides the security administrator with both reporting information that can be used to ascertain the current state of the security policy and a notification system to report various conditions. Along with the built-in notification and reporting tools, the product also implements and integrates with leading third-party monitoring, billing, and reporting systems.
Figure 8-1 shows the main configuration screen of the CSPM.

Figure 8-1. CSPM
The following devices and software revisions are supported by CSPM:
• Cisco Secure PIX Firewall
  - PIX OS 4.2.4, 4.2.5, 4.4.x, 5.1.x, 5.2.1

• Cisco router/firewall and Cisco VPN gateway
  - IOS 12.0(5)T, XE
  - IOS 12.0(7)T
  - IOS 12.1(1)T, E, XC
  - IOS 12.1(2), T, (2)T, E, XH, (3)T, X1

• Cisco Secure Intrusion Detection System sensor
  - 2.2.0.x
  - 2.2.1.x
  - 2.5.0

• Cisco Secure Intrusion Detection System line card
  - Catalyst 6000 2.5 IDSM

NOTE

A Cisco router/firewall is a Cisco router running the firewall feature set. A Cisco VPN gateway is a Cisco router running the IPSec VPN feature set. These feature sets are part of the Cisco IOS Firewall and Cisco Secure Integrated VPN Software solutions for Cisco routers.
CSPM Installation

This section covers the installation requirements for CSPM. Before you install CSPM, you have to ensure that the installation system meets the hardware and software requirements. This section assumes that you are using version 2.2 of the CSPM. If you are using a different version, you should consult your documentation to ascertain the requirement differences.
Hardware Requirements

The target host for your CSPM system must meet the minimum hardware requirements to protect the integrity and functionality of the system that you install. However, you should always consider your network topology, the number of policy enforcement points you intend to manage, and your performance requirements for command distribution and monitoring when reviewing the minimum hardware requirements. For example, the Policy Server is a multithreaded application that would benefit from multiple CPUs and available memory on a single host. Enhancing the Policy Administrator host would not necessarily optimize the GUI performance. The minimum hardware requirements may be sufficient for a standalone or client-server system, but they are not optimal for a distributed system. To ensure optimal performance, you should install CSPM on hosts that exceed the minimum hardware requirements.
Minimum Hardware Requirements

The minimum hardware requirements to run the CSPM are as follows:

• 200 MHz Pentium processor
• 96 MB of RAM
• 2 GB free hard drive space
• One or more properly configured network adapter cards
• 1024 by 768 video adapter card capable of at least 64 K color
• CD-ROM drive (preferably Autorun-enabled)
• Modem (optional for pager notifications)
• Mouse
• SVGA color monitor
Software Requirements

You can install the CSPM feature sets on any host that meets the minimum hardware requirements and that also runs Windows NT 4.0. To install version 2.2, you must be using Microsoft Windows NT 4.0 with Service Pack 6a installed. CSPM will not install on any other Service Pack built on Windows NT 4.0 or on a system running Microsoft Windows 2000. The Policy Administrator feature set can also be installed on a host that runs Windows 95 or Windows 98.
Requisite Software

You cannot access the setup program unless the target host on which you are installing CSPM has the following requisite software properly installed:

• Service Pack 6a for Windows NT (to update files in the operating system)
• Microsoft Internet Explorer version 5 (for displaying system-generated reports)
• HTML Help 1.3 Update (for viewing online HTML-based help topics)

The Autostart utility automatically searches the target host for these requirements and lists the ones that you must install before proceeding with the setup program. You can install all three pieces of software from the Autostart panel.
Planning your Installation

Once you ascertain that you have met the hardware and software installation criteria, you can progress to planning the installation. Before you can plan the installation, you have to fully understand three topics related to CSPM:

• Policy enforcement points
• Feature sets
• Installation options
Policy Enforcement Points

A policy enforcement point is defined as a networking device that can alter the traffic flow from one network to another. Concerning the CSPM, a policy enforcement point can be any device that CSPM manages through the distribution of policies. These policy enforcement points can be dedicated firewalls, such as the Cisco Secure PIX Firewall, router firewalls, or VPN gateways. Router firewalls are Cisco routers that are running the Cisco IOS Firewall, and VPN gateways are Cisco routers that are running the Cisco IOS Firewall with the IPSec VPN feature set.

Only specific versions of the Cisco Secure PIX Firewall and Cisco IOS Firewall will work with CSPM and in different ways. One restriction is with the PIX Firewall. All versions of the PIX software prior to 5.1(x) require the managed interface to be available on the inside interface. With version 5.1(x) and later, you can manage the PIX Firewall from any available interface on the PIX. Table 8-1 shows the supported policy enforcement points and their interface dependencies.

Table 8-1. Supported Policy Enforcement Points and Interface Dependencies

Policy Enforcement Point     Supported Version                        Managed Interface Dependency
Cisco Secure PIX Firewall    4.2(4)                                   Inside
                             4.2(5)                                   Inside
                             4.4(x)                                   Inside
                             5.1(x)                                   None
                             5.2(x)                                   None
Cisco Router Firewall        IOS 12.0(5)T                             None
Cisco VPN gateway            IOS 12.0(5)XE                            None
                             IOS 12.0(7)T                             None
                             IOS 12.1(1)T, E, XC                      None
                             IOS 12.1(2), T, (2)T, E, XH, (3)T, X1    None
The installation of the policy enforcement points is not included in the system. Each policy enforcement point must be configured to facilitate management from the CSPM. These configurations are called the bootstrap settings. The bootstrap settings are very important for achieving communication between the policy server and the policy enforcement points. The bootstrap settings for each device are explained in detail in the section "Installation Procedures" later in this chapter.
Feature Sets

The CSPM system is composed of multiple subsystems. Each of these subsystems provides a specific functionality that makes up the whole CSPM product. A feature set is defined as a collection of these subsystems, which are offered at installation time as installable options. These also are related to the specific installation options that are discussed in Chapter 9, "Cisco Secure Access Control Server (ACS)." The options are dictated largely by the network topology and number and location of the policy enforcement points. The five feature sets are as follows:

• Policy Administrator
• Policy Server
• Policy Monitor
• Policy Proxy
• Policy Proxy-Monitor
Policy Administrator

The Policy Administrator feature set is the primary GUI for policy definition, enforcement, and auditing for your CSPM system.
Policy Server

The Policy Server feature set contains the database subsystem. This subsystem is the main data store for all of the system configuration data and audit records. Besides the database subsystem, the reporting and generation subsystems are also within the Policy Server feature set. The reporting subsystem is responsible for generating the on-demand and scheduled reports associated with CSPM. The generation subsystem compiles the global policy into a collection of intermediate policies that are applied to the specific policy enforcement points. The Policy Server feature set also includes the Policy Administrator, Policy Proxy, Policy Proxy-Monitor, and Policy Monitor feature sets.

NOTE

The Policy Server feature set always has to be the first feature set installed. The database key generated during this installation is required during installation of all other feature sets.
Policy Monitor

The Policy Monitor feature set contains the monitoring subsystem and a secondary database. The monitoring subsystem is responsible for collecting all of the audit records from the policy enforcement points and processing this data to generate notification alerts appertaining to specific conditions. The secondary database exchanges status and summary audit records with the primary database that is installed with the Policy Server feature set. The Policy Administrator feature set is installed when you install the Policy Monitor feature set.
Policy Proxy

The Policy Proxy feature set contains the proxy subsystem and another secondary database. The proxy subsystem maps and translates the intermediate policy into a device-specific rule set required by the managed policy enforcement points on your network. The secondary database maintains a local copy of the intermediate policies and stores the system events that are generated by the proxy subsystem. This data is then synchronized with the Policy Server on the Policy Server host. The Policy Administrator feature set is installed when you install the Policy Proxy feature set.
Policy Proxy-Monitor

The Policy Proxy-Monitor feature set basically combines the functionality of the proxy and monitoring subsystems. This allows you to have a distributed system with a reduced number of required hosts on which to run the feature sets. The Policy Administrator feature set is installed when you install the Policy Proxy-Monitor feature set.
Installation Options

There are four ways of installing the CSPM. The method you choose largely depends on your network topology and the number of devices to be managed. The four types of installation are:

• Standalone system
• Client-server system
• Distributed system
• Demo system
Standalone System

As you would expect, a standalone system installation is when the CSPM is installed on a single host. All of the CSPM functions are carried out on this single host. A standalone installation should be used in a small office environment. This would normally be located on one site with no policy enforcement points located at the remote end of a WAN link. The centralized location of the installation enforces centralized management of the security policy. Figure 8-2 shows a network topology where a standalone installation would suffice.

Figure 8-2. Sample Standalone Installation Network
As you can see in Figure 8-2, this is a small office with a small number of policy enforcement points. This topology is suited to the standalone installation and is scalable to the client-server installation as the network grows.
Client-Server System

The client-server installation is when you install the CSPM Policy Server feature set on one host and the Policy Administrator feature set on one or more different hosts in the network. The client-server architecture is followed in that the Policy Server is installed on a single host, the server, which can be administered from clients in various network locations. A client-server installation is normally required for larger networks than those served by standalone systems. One key point is the management of the security policy. Standalone systems are necessary when only centralized management and administration is required. When management is decentralized and numerous separate entities require localized administration, it is necessary to scale to the client-server model. This model also fits into a multioffice topology, where multiple policy enforcement points are located throughout the entire network. Figure 8-3 shows a network topology where a client-server installation is required.

Figure 8-3. Sample Client-Server Installation Network
You can see in the topology in Figure 8-3 that each site has its own policy enforcement point, and the remote offices each have their own policy administration host.
Distributed System

You should recall that the standalone system has all of the CSPM feature sets installed on one host, and the client-server system is theoretically the same, except that the Policy Administrator feature set can be installed on numerous hosts across the network. The distributed system expands the client-server model by allowing distribution of other CSPM feature sets to multiple hosts on the network. With this model, you have to install the Policy Server feature set on a single host, which acts as the main policy server. The other features such as the Policy Proxy, Policy Proxy-Monitor, and Policy Monitor can all be installed on any number of additional hosts. This system distributes the components and allows these hosts to assume responsibility for monitoring and proxy functionality for a portion of the enterprise network. Figure 8-4 shows a network topology where a distributed installation is required.

Figure 8-4. Sample Distributed Installation Network

As you can see, the network in Figure 8-4 is spread over three main offices. Each office is classed as a separate administrative entity because of the internal and external protected links. You can see that each site is connected by the company intranet, and each site has its own external links. Internet access is provided through the company headquarters. This model gives every site its own Policy Administrator host, as well as a Policy Proxy-Monitor host that holds the secondary database. This model allows 24/7 management of security services throughout the corporate network from multiple locations. The distributed installation also provides better performance of the CSPM system by off-loading critical functions to different servers. In offices that contain several policy enforcement points, dedicated Policy Monitor and Policy Proxy hosts are deployed.
Demo System

In addition to installing CSPM in a live environment, you can install it in demo mode. This will only install it on a single host; the full feature set and the Policy Administrator feature are installed with various demonstration files. Demo mode's main purpose is to allow you to make a demo installation to explore the Policy Administrator interface and features without having to install a live system. This mode can be used for appraising the system or to train staff in the correct use of the CSPM's many features.
Installation Procedures

Now that you have seen the installation procedures and components, this section will concentrate on the actual software installation and policy enforcement point configuration. Remember that each policy enforcement point requires specific settings to enable communication with CSPM and to allow CSPM to fully and dynamically manage the policy enforcement point. These settings are called the bootstrap settings.
Software Installation

CSPM is provided on a CD-ROM that has to be installed to your host's hard disk for the application to function. CSPM will not operate from the CD drive. This chapter will not examine the full installation process. The process is fully documented on Cisco Connection Online at www.cisco.com and also in the documentation provided with the CSPM product.
Policy Enforcement Point—Bootstrap Settings

For the CSPM to connect to and configure the policy enforcement points, some basic commands have to be added to the configuration of the policy enforcement points. These commands enable communication and allow CSPM to take over the management of the device to control it as a policy enforcement point.

NOTE

Note that once you have enabled a device to become a policy enforcement point by bootstrapping, you must never connect to the device using the CLI and make manual changes to the configuration. The devices must be either manually controlled or controlled by CSPM as a policy enforcement point. If you were to connect manually and add lines of configuration commands, the policy manager would remove these lines when it next synchronized the configuration.

There are different bootstrap settings required depending on whether the device is a PIX Firewall or a router with the Cisco IOS Firewall installed. Each is discussed separately in the following two sections.
Cisco Secure PIX Firewall Bootstrapping

You must connect to the PIX Firewall using a console cable to the console port and a terminal application. Once connected, follow these steps in order to configure the initial bootstrap settings:

Step 1. Enter global configuration mode from within privileged mode.

Step 2. Name each installed interface on the PIX Firewall. This is done by entering the following command:

    nameif hardware_id if_name security_level

The hardware_id should reflect what type of hardware the interface is. For example, the first Ethernet interface is ethernet0, the second Ethernet interface is ethernet1, and so on. For Token Ring, use token0 and increment the number for every interface.

The if_name relates to the naming and location of the interface:

- The interface installed in slot 0 must be named outside and the security level must be 0.
- The interface installed in slot 1 must be named inside and the security level must be 100.
- The interface installed in slot 2 must be named DMZ-slot:2 and the security level must be an unused level between 1 and 99.
- The interface installed in slot 3 must be named DMZ-slot:3 and the security level must be an unused level between 1 and 99.

The security_level is a value such as security0 or security100. The outside interface must be security0, and the inside interface must be security100. For any other interfaces, the value must be between 1 and 99.

Step 3. Configure the network addresses for the inside and outside interfaces. This is achieved with the command

    ip address int_name a.a.a.a m.m.m.m

int_name is either inside or outside, a.a.a.a is the IP address, and m.m.m.m is the subnet mask for that IP address. An example of this could be

    ip address inside 192.168.0.1 255.255.255.0

This will assign the IP address of 192.168.0.1 to the inside interface.
Step 4. Specify the default gateway for the PIX Firewall. This is the next hop on the outside interface that all external bound traffic is passed to for onward delivery. This is achieved with the command

    route outside 0 0 n.n.n.n 1

The address n.n.n.n is the IP address of the next hop router. For example, the following command would set the default route on the outside interface to be 212.1.157.1:

    route outside 0 0 212.1.157.1 1

Step 5. The next step is to configure Network Address Translation (NAT) on the firewall by entering two configuration commands, the nat and global commands. Enter the following commands:

    nat (inside) 1 0 0
    global (outside) 1 a.a.a.a-b.b.b.b

The first command just starts NAT translation for process number 1 on the inside interface. The second command allocates global IP addresses to the same NAT process (1). The address a.a.a.a is the starting global IP address, and the address b.b.b.b is the last global IP address. For example:

    nat (inside) 1 0 0
    global (outside) 1 194.73.134.1-194.73.134.254

These commands would set up NAT for process 1 and allocate the public IP addresses 194.73.134.1 to 194.73.134.254 to be used for address translation.

Step 6. You now want the Policy Proxy to be able to distribute commands to the PIX over Telnet. To do this, you must allow Telnet connections to the Policy Proxy host on an internal network. The command to do this is

    telnet a.a.a.a 255.255.255.255

The address a.a.a.a is the IP address of the Policy Proxy host and 255.255.255.255 is an example that specifies the Policy Proxy host.

NOTE

Don't forget that in a single installation and some client-server installations, the Policy Proxy host may be the same as the Policy Server host.
Step 7. If the Policy Proxy host is not located on the same broadcast domain/subnet as the inside interface, you have to enter a static route to the Policy Proxy host's network. You do this with the route command in a similar fashion as entering a static route on a Cisco router by IOS. If the Policy Proxy is on the 192.168.2.0/24 network and the inside interface is addressed 192.168.1.1/24, you need the following command:

    route inside 192.168.2.0 255.255.255.0 192.168.1.254 2

This presumes that the connected router between 192.168.1.0/24 and 192.168.2.0/24 is located at the IP address 192.168.1.254/24.

NOTE

If your PIX Firewall has more than two interfaces, you cannot specify a default inside route. A default inside route would be a route to 0.0.0.0 0.0.0.0.

Step 8. The final stage is to save your configuration to the flash memory of the PIX Firewall. This is achieved with the following command:

    write memory

This concludes the bootstrapping of the Cisco Secure PIX Firewall. The PIX Firewall is now ready to be managed by the CSPM.
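The eight PIX steps above form one procedure with several rules that are easy to get wrong by hand when many firewalls are being prepared. As an added example (not code from the book, and not part of CSPM or the PIX software), the Python below turns a short description of a firewall into the bootstrap command lines of Steps 2 to 8 and refuses input that breaks the rules the steps state: slot 0 must be outside with security0, slot 1 inside with security100, DMZ slots need an unused level between 1 and 99, the default gateway must sit on the outside network, an off-subnet Policy Proxy needs a static inside route through a next hop on the inside network, and a firewall with more than two interfaces may not be given a default inside route. The interface names, addresses, global pool, and Policy Proxy address in sample_pix() are constructed sample values.

```python
"""Generate the CSPM bootstrap commands for a Cisco Secure PIX Firewall.

Added example for this chapter; it is not code from the book or from Cisco.
The interface names, addresses and pool below are constructed sample values.
"""
import ipaddress

# Slot 0 is always outside/security0 and slot 1 inside/security100 (Step 2).
FIXED_SLOTS = {0: ("outside", 0), 1: ("inside", 100)}


def pix_bootstrap(interfaces, default_gateway, global_pool, proxy_host, proxy_gateway=None):
    """Return the bootstrap commands (Steps 2 to 8) as a list of CLI lines.

    interfaces      dicts with slot, hardware_id, and either address (slots 0 and 1,
                    as "a.a.a.a/prefix") or security (DMZ slots 2 and 3)
    default_gateway next hop on the outside interface (Step 4)
    global_pool     (first, last) global addresses for NAT process 1 (Step 5)
    proxy_host      Policy Proxy address with prefix, e.g. "192.168.2.10/24" (Step 6)
    proxy_gateway   inside next hop toward the proxy network when it is off-subnet (Step 7)
    """
    slots = sorted(i["slot"] for i in interfaces)
    if slots != list(range(len(slots))) or not 2 <= len(slots) <= 4:
        raise ValueError("need contiguous slots 0..3, with at least outside and inside")

    nameif, addresses, used_levels, nets = [], [], set(), {}
    for intf in sorted(interfaces, key=lambda i: i["slot"]):
        slot = intf["slot"]
        if slot in FIXED_SLOTS:
            name, level = FIXED_SLOTS[slot]
            addr = ipaddress.ip_interface(intf["address"])          # Step 3
            addresses.append(f"ip address {name} {addr.ip} {addr.netmask}")
            nets[name] = addr.network
        else:
            name, level = f"DMZ-slot:{slot}", intf.get("security")
            if level is None or not 1 <= level <= 99 or level in used_levels:
                raise ValueError(f"{name} needs an unused security level between 1 and 99")
        used_levels.add(level)
        nameif.append(f"nameif {intf['hardware_id']} {name} security{level}")

    gateway = ipaddress.ip_address(default_gateway)
    if gateway not in nets["outside"]:
        raise ValueError("default gateway must sit on the outside network")
    first, last = (ipaddress.ip_address(a) for a in global_pool)
    if first > last:
        raise ValueError("global pool must run from the lower to the higher address")

    lines = nameif + addresses
    lines.append(f"route outside 0 0 {gateway} 1")                 # Step 4
    lines.append("nat (inside) 1 0 0")                              # Step 5
    lines.append(f"global (outside) 1 {first}-{last}")
    proxy = ipaddress.ip_interface(proxy_host)
    lines.append(f"telnet {proxy.ip} 255.255.255.255")              # Step 6

    if proxy.ip not in nets["inside"]:                              # Step 7
        if proxy_gateway is None or ipaddress.ip_address(proxy_gateway) not in nets["inside"]:
            raise ValueError("off-subnet Policy Proxy needs a next hop on the inside network")
        if proxy.network.prefixlen == 0 and len(slots) > 2:
            raise ValueError("no default inside route on a PIX with more than two interfaces")
        net = proxy.network
        lines.append(f"route inside {net.network_address} {net.netmask} {proxy_gateway} 2")
    lines.append("write memory")                                    # Step 8
    return lines


def sample_pix():
    """Constructed three-interface firewall with the Policy Proxy one hop inside."""
    return pix_bootstrap(
        interfaces=[
            {"slot": 0, "hardware_id": "ethernet0", "address": "212.1.157.2/24"},
            {"slot": 1, "hardware_id": "ethernet1", "address": "192.168.1.1/24"},
            {"slot": 2, "hardware_id": "ethernet2", "security": 50},
        ],
        default_gateway="212.1.157.1",
        global_pool=("194.73.134.1", "194.73.134.254"),
        proxy_host="192.168.2.10/24",
        proxy_gateway="192.168.1.254",
    )


if __name__ == "__main__":
    print("\n".join(sample_pix()))
```

Generating the command lines from a checked description keeps the bootstrap of every PIX consistent before CSPM takes the device over, which matters because, as the note above says, the configuration must not be edited by hand afterwards.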
Cisco IOS Firewall Bootstrapping

You must connect to the router running the Cisco IOS Firewall using a console cable to the console port and a terminal application. Once connected, follow these steps to configure the initial bootstrap settings.

Step 1. Enter global configuration mode from within privileged mode.

Step 2. Specify the static default gateway for the router. This is the next hop to which all external bound traffic is passed for onward delivery. Do this with the command

    ip route 0.0.0.0 0.0.0.0 a.a.a.a

The address a.a.a.a is the IP address of the next hop router. For example, the following command would set the default route for the router to be 212.1.157.1:

    ip route 0.0.0.0 0.0.0.0 212.1.157.1
Step 3. If the Policy Proxy host is not located on the same broadcast domain/subnet as the inside interface, you have to enter a static route to the Policy Proxy host's network. You can do this with the ip route command. If the Policy Proxy is on the 192.168.2.0/24 network and the router's local interface is 192.168.1.1/24, you need the following command:

    ip route 192.168.2.0 255.255.255.0 192.168.1.254

This presumes that the connected router between 192.168.1.0/24 and 192.168.2.0/24 is located at the IP address 192.168.1.254/24.

Step 4. At this point, you are left with the decision of whether to configure NAT. If you do not want to configure NAT, skip to Step 9.

Step 5. The next step is to configure NAT on the router. This takes three steps. First, you must define a global pool of addresses. The next step is to create a standard access list to specify the inside/private addresses that you want to translate. Finally, you must apply the NAT pool to the inside interface on the router and specify the outside NAT interface.

Step 6. To configure the global pool of addresses, enter the following command:

    ip nat pool pool_name first_global_address last_global_address netmask subnet_mask

The pool_name is a name given to the NAT pool for applying to the required interface. The first_global_address and last_global_address explain themselves, as does the subnet_mask. An example of this command could be

    ip nat pool nat1 194.73.134.10 194.73.134.20 netmask 255.255.255.0

The preceding command would define a global NAT pool called nat1. The pool would include the global addresses from 194.73.134.10 to 194.73.134.20.

Step 7. The next NAT step is to create the standard access list. This access list is used to specify exactly which internal hosts will have their addresses translated by the NAT process on the inside interface. A standard access list takes a wildcard mask rather than a subnet mask, so a /24 network is written with 0.0.0.255. As an example, to allow all hosts on the 192.168.1.0 network access to the translation process, enter the following command:

    access-list 1 permit 192.168.1.0 0.0.0.255
267
ip nat inside source list 1 pool nat1 Th e 1 re lat es t o t he access list and nat1 relat es t o t he previously creat ed global NAT pool. Then configure t he out side int erface t o com plet e t he NAT t ranslat ion. This is configur ed by ent er ing t he com m and
ip nat outside St e p 9 . Now , m anually ent er t he I P addresses of all inst alled int er faces on y our r out er . To do t his, you m ust ent er t he int er face configur at ion m ode. For exam ple:
Router(config)# Router(config)#interface ethernet0 Router(config-if)# You know t hat you ar e in int er face configur at ion m ode w hen you see t he Rou t e r ( con fig- if ) # pr om pt . The com m and t o set t he I P addr ess is sim ply
ip address a.a.a.a m.m.m.m The addr ess a.a.a.a is t he I P addr ess and m .m .m .m is t he subnet m ask . St e p 1 0 . The final st age is t o sav e y our configur at ion t o t he flash m em or y of t he r out er . Do t his w it h t he follow ing com m and:
write memory This concludes t he boot st r apping of t he Cisco I OS Fir ew all-enabled r out er . The device is now r eady t o be m anaged by t he CSPM.
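The ten steps above collected into one console session, as an added example rather than the book's own configuration. It reuses the addresses from Steps 2, 3, 6, and 7; the interface names ethernet0 and serial0, the outside address 212.1.157.2, the enable secret placeholder, and the assumption that the ISP routes the 194.73.134.10-20 pool to this router are mine. The pool-to-list binding in Step 8 is a global command, so each interface still has to be marked with ip nat inside or ip nat outside before any translation takes place.

```cisco
! Added example: bootstrap of a Cisco IOS Firewall router before handing it to CSPM.
! Interface names, the outside address, and the secret placeholder are assumptions.
configure terminal
!
! An enable secret (MD5 hashed) must exist, because CSPM will ask for it when it
! discovers the device (Figure 8-11). Replace the placeholder before use.
enable secret <choose-a-strong-enable-secret>
!
! Step 2: default route towards the ISP next hop.
ip route 0.0.0.0 0.0.0.0 212.1.157.1
!
! Step 3: the Policy Proxy network 192.168.2.0/24 sits behind the internal router
! at 192.168.1.254, so CSPM traffic needs an explicit route.
ip route 192.168.2.0 255.255.255.0 192.168.1.254
!
! Steps 6 and 7: global pool, and the inside hosts eligible for translation.
! Standard access lists take a wildcard mask, hence 0.0.0.255 rather than 255.255.255.0.
ip nat pool nat1 194.73.134.10 194.73.134.20 netmask 255.255.255.0
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Step 8: bind access list 1 to pool nat1 (global command).
ip nat inside source list 1 pool nat1
!
! Step 9: address each interface. The NAT direction is set per interface; without
! "ip nat inside" / "ip nat outside" the binding above translates nothing.
interface ethernet0
 description Inside - management segment and path to the Policy Proxy
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface serial0
 description Outside - ISP link (assumed addressing)
 ip address 212.1.157.2 255.255.255.0
 ip nat outside
 no shutdown
!
end
!
! Step 10: commit the configuration so it survives a reload.
write memory
```

The routes and the NAT statements are entered before the interfaces are brought up so that nothing is forwarded through an interface that is not yet under the intended policy; on IOS releases of this era, write memory is an EXEC command, which is why the session leaves configuration mode with end before saving.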
Configuration Example

Now that you have seen an overview of the CSPM and the required basic installation requirements, this section will provide a simple configuration example. This example is based around a simple network with one Cisco Secure PIX Firewall and one Cisco router running the Cisco IOS Firewall. The PIX is version 5.1(2) and the Cisco IOS Firewall is 12.0(7)T. Both of these are supported by the CSPM as policy enforcement points. The network topology is shown in Figure 8-5.

Figure 8-5. Configuration Example Network Topology

You can see in the network in Figure 8-5 that there is one connection to the Internet by the Cisco Secure PIX Firewall. The clients reside on the 192.168.9.0 internal network, which is an RFC 1918-compliant private address. The external address and the outside PIX interface is on the 194.73.134.0/24 public network. The PIX has a default route set to 194.73.134.1 on the outside interface, which is provided by the Internet service provider and is out of your administrative control. Numerous other private network addresses exist between the client network and the Internet. All internal routing is already configured, so you need to be concerned only with the provision of the general Internet services (e-mail, Web, and DNS) through the PIX Firewall to the Internet.
Configure the Network Topology

After a successful installation, the first thing to do is to configure the network topology. Figure 8-6 shows the basic screen that is presented before any configuration has commenced. This has no policy definitions and no defined objects.

Figure 8-6. Basic CSPM Configuration Screen

As you can see in Figure 8-6, only the five branches exist in the left pane. The first configuration procedure in any CSPM installation is to configure the network topology. A frequently asked question is, "What devices do I have to define in the network topology?" The answer contains two parts: There are network objects that you must define in order for the Policy Manager software to function, and there are network objects that you must define in order for the enforced policies to provide the level of security required. You may not have to define every network device as part of the network topology for the security policy to be enforced. The network objects required by the policy manager software are

• Policy enforcement points— All policy enforcement points, such as the managed PIX Firewalls and the Cisco routers running the Cisco IOS Firewall, need to be defined in the network topology. CSPM will generate and deliver device-specific command sets to these policy enforcement points to implement the security policy.

• The default gateway used by each policy enforcement point— The policy enforcement point default gateway represents the downstream IP address to which a policy enforcement point delivers network packets for which it does not have a specific routing rule defined.

• All hosts running CSPM components— All hosts that are running CSPM components must be able to communicate with each other. CSPM looks after the configuration of this communication, but you must define these as objects in the network topology.

• All networks where policy enforcement points or CSPM hosts reside— Besides defining the policy enforcement points and CSPM hosts, you must define the networks that they reside on, if they have not already been defined.

In addition to these CSPM required network objects, you must remember to configure every network device, host, and network to which you wish to apply a security policy. In the example network topology in Figure 8-5, all clients reside on the 192.168.9.0/24 network. However, if no policy enforcement point or CSPM host resided on this network, the network would not be visible to CSPM and no hosts on the network would have access to the required basic Internet services. To enable access to hosts on this network, you would have to define either the individual hosts and the network or just the network as part of the network topology. Once this network is defined, you can apply a system policy to make it trusted for the required services.

When mapping your network, always start with the Internet and add the network objects from there. This is an outside-to-inside approach, where you start with the untrusted network and move to the trusted network. Now you are going to add the required network objects presented in the example network configuration in Figure 8-5.

The first step is to add the outermost connection, in this case, the PIX Firewall. The easiest way to do this with a supported policy enforcement point is to use the network Topology Wizard. The initial network Topology Wizard screen is shown in Figure 8-7.

Figure 8-7. Network Topology Wizard—Initial Screen

Select Next, and in the next screen, select the PIX Firewall object, as shown in Figure 8-8, and click Next once again to proceed to the next screen.

Figure 8-8. Network Topology Wizard—Add A Gateway Screen

In this screen, shown in Figure 8-9, enter the default gateway address of the PIX. This is usually the direct ISP-provided connection to the Internet.

Figure 8-9. Network Topology Wizard—Default Gateway Address Screen

In the next screen, select to automatically discover the interfaces, as shown in Figure 8-10.

Figure 8-10. Network Topology Wizard—Device Definition Option Screen

In the next screen, enter the IP address over which the CSPM host will configure the device, along with the enable password. The Policy Distribution Host should also be selected here. These steps are shown in Figure 8-11. When finished, click the Discover button.

Figure 8-11. Network Topology Wizard—Device Connection and Policy Distribution Host Screen

As you can see in Figure 8-12, the network Topology Wizard has identified the firewall and all of the interfaces within it.

Figure 8-12. Network Topology Wizard—Settings Screen

From the Topology Wizard screen shown in Figure 8-12, click Next until you reach the Distribution and Monitor Host Settings screen, as seen in Figure 8-13. Select the required host for both of these. Notice that the host is called CISCOTEST, but that there is a question mark by each name. You have yet to define the CSPM server as a network object.

Figure 8-13. Network Topology Wizard—Distribution and Monitor Host Settings Screen

After configuration, you are ready to proceed. Click Finish to end the wizard. Figure 8-14 shows the screen that is presented.

Figure 8-14. Network Topology Wizard—Final Screen
The PIX Firewall network object has been added to the left pane of the Policy Manager window, as shown in Figure 8-15.

Figure 8-15. Policy Manager Window

Figure 8-16 shows the Interfaces tab of the PIX Firewall network object. Note the correct network and IP addresses assigned to each interface. The PIX in question has four interfaces, and the two DMZ interfaces are disabled.

Figure 8-16. PIX Firewall Interface Screen

You will next have to manually configure NAT, which is configured on the Mapping tab of the PIX Firewall network object. Static translation is the same as the static command on the PIX, and address hiding is true NAT or Port Address Translation (PAT). Figure 8-17 shows the default empty Mapping tab screen.

Figure 8-17. PIX Firewall Mapping Screen

Figure 8-18 shows this screen after you add an address-hiding mapping rule. Here you are hiding the inside interface from the outside interface, using the address range of 194.73.134.205 to 194.73.134.208 with a subnet mask of 255.255.255.0.

Figure 8-18. Completed PIX Firewall Mapping Screen

This completes the installation and initial configuration of the PIX Firewall. You are now going to enter the Cisco 2620 IOS router that is running the Cisco IOS Firewall. This device is going to be managed by CSPM; however, in this demonstration it has no real use. Configure the IOS router by using the network Topology Wizard as you did for the PIX Firewall. Figure 8-19 shows the result of adding the IOS router to the network topology.

Figure 8-19. IOS Router as Part of the Network Topology

Next, add the CSPM server host to the network topology. This is pretty easy to do. Right-click the 192.168.1.0 network object and select New and then Host. Figure 8-20 shows this procedure.

Figure 8-20. Insert the CSPM Host

The CSPM administrator software is already aware of where it is running from, so the minute that you add the host to this network it presumes that this is the CSPM policy host. You are presented with a simple yes or no question. Clicking Yes will install this host as the CSPM server. This is shown in Figure 8-21.

Figure 8-21. Configuring the CSPM Host

Figure 8-22 shows the CSPM server added to the network topology. The host is available in the left pane.

Figure 8-22. Network Topology with the CSPM Host

The final configuration step is to add the 2514 router and the 192.168.9.0 network. Remember, it is the 192.168.9.0 network where the clients reside, so this must be added to the network topology. This router has an interface in the 192.168.1.0 network, so right-click the 192.168.1.0 network and select New, Gateway, Routers, IOS Router. This is shown in Figure 8-23.

Figure 8-23. Adding the 2514 IOS Router

Because this is a manual installation, you are presented with blank configuration tabs, which you have to complete. Notice that there is no Commands tab, because this device is not managed by the CSPM. This is shown in Figure 8-24.

Figure 8-24. IOS Router Configuration Screen

Click the Interfaces tab and configure the interfaces as addressed in the network topology diagram in Figure 8-5. The final result is shown in Figure 8-25.

Figure 8-25. Completed Interface Configuration for the 2514

The added router and the complete network topology can be clearly seen in Figure 8-26.

Figure 8-26. Completed Network Topology

This completes the configuration of the network topology. Notice that the whole network has not been defined in the CSPM network topology. You have only defined the parts of the network that contain policy enforcement points and CSPM hosts. The next step is to configure the security policy to enable your requirements to be implemented.
Configure the Security Policy

Once the network topology is configured, the next step is to configure the security policy. You are only concerned with the 192.168.9.0 network, so it is the only network or device for which you have to create a policy. Start by dragging the 192.168.9.0 network object into the Security Policy Enforcement branch that is located at the top of the screen. Figure 8-27 shows this network object added to the branch.

Figure 8-27. Security Policy Enforcement Branch

You can only assign policies to objects located within this branch. Right-click the object and select Policy, New, as shown in Figure 8-28.

Figure 8-28. Creating a New Policy

The blank policy with just the default If policy statement is displayed, as shown in Figure 8-29.

Figure 8-29. The Default New Policy Screen

You need to build a policy that will allow the standard e-mail, Web, and DNS services to be passed to the Internet perimeter. Use the built-in policy tools to create a policy, as shown in Figure 8-30.

Figure 8-30. Completed Policy Screen

This policy will allow the 192.168.9.0 network access to the e-mail, Web, and DNS services through the Internet perimeter. This completes the creation of the system policy for the demonstration network.
Generate and Publish the Device-Specific Command Sets

After all of this configuration, you have to generate the device-specific command sets and publish them to the required managed policy enforcement points as configured in the Policy Manager software. The first step is to save and update the policy. This is shown in Figure 8-31.

Figure 8-31. Saving and Updating the Policy

Saving and updating the policy generates the device-specific command sets that require distributing to the policy enforcement points. You can see in Figure 8-32 that the save and update operation completed successfully. If there are any inconsistencies with the distribution to the policy enforcement points, these would be displayed in Figure 8-32.

Figure 8-32. System Inconsistencies After the Save and Update

You are left with the task of deploying the device-specific command set to the appropriate devices. In this example, only the PIX Firewall command set will need updating. To do this, click the PIX Firewall object in the Network Topology section in the left pane. Select the Command tab, approve the command changes, and then click Approve Now in the bottom left corner to send the command changes to the device. Figure 8-33 shows this procedure.

Figure 8-33. Deploying the Device-Specific Commands

You can see the highlighted outbound commands that will allow the specified services. These were autogenerated after you created the security policy.
Summary

This chapter provided an overview of the CSPM, covering CSPM features, installation, and configuration. CSPM is a large product that is capable of much more than is described in this chapter; I could have written an entire book about CSPM. Refer to the CCO Web site for more detailed configuration and technical information about the CSPM product.

Frequently Asked Questions

Question: What devices do I have to define in the network topology?

Answer: This depends on what you are trying to achieve. As a basic rule of thumb, you need to define every device that you want to be administered by the CSPM. All policy enforcement points and CSPM hosts must be included.

Question: Can I use both CLI management and CSPM at the same time?

Answer: No. You can log in to the device with the CLI, but you must not commit any changes. CSPM will handle the configuration; any manual changes will interfere with the security policy configured and applied by the CSPM.

Glossary

AAA (authentication, authorization, accounting)— Often pronounced "triple a."

ACS (Access Control Server)— The Cisco Secure ACS is an integrated RADIUS and TACACS+ server for authentication, authorization, and accounting.

CCO (Cisco Connection Online)— The Cisco Systems home page on the Internet. Located at www.cisco.com.

CLI (command-line interface)— The UNIX-style command interface that is used to configure Cisco internetworking devices.

IDS (Intrusion Detection System)— Scans the network in real time to intercept attempted breaches of security.

ISP (Internet service provider)— A service provider that provides a connection to the public Internet.

IPSec (Internet Protocol Security)— A standards-based method of providing privacy, integrity, and authenticity to information transferred across IP networks.

NAS (network access server)— The connection point to the network for remote services, such as dial-in users over PPP.

NOS (network operating system)— The operating system of the network. This provides services to users such as file and print sharing. Common NOSs include Microsoft Windows NT and Novell NetWare.

PIX (Private Internet Exchange)— The Cisco range of leading hardware-based firewalls.

RADIUS (Remote Access Dial-In User Service)— A protocol used to authenticate users on a network.

TACACS+ (Terminal Access Controller Access Control System Plus)— A protocol used to authenticate users on a network. Also provides authorization and accounting facilities.

VPN (Virtual Private Network)— A secure connection over an unsecured medium. The connection is secured by the use of tunneling protocols and encryption.

URLs

Cisco Connection Online: www.cisco.com

CSPM: www.cisco.com/warp/public/cc/pd/sqsw/sqppmn/index.shtml
Chapter 9. Cisco Secure Access Control Server (ACS)

This chapter contains the following sections:

• Cisco Secure Access Control Server (ACS) Features
• Overview of Authentication, Authorization, and Accounting (AAA)
• RADIUS and TACACS+
• Cisco Secure ACS Installation
• Cisco Secure ACS Configuration
• Network Access Server Configuration
• Configuration Example
• Summary
• Frequently Asked Questions
• Glossary
• Bibliography
• URLs

This chapter covers the Cisco Secure Access Control Server (ACS). As networks and network security have evolved, so too have the methods of controlling access to these networks and their associated resources. Ten years ago, it was deemed suitable to use a static username and password pair to gain access to resources on the corporate network. As time progressed, these methods became stronger from a security standpoint with the introduction of aging passwords and one-time passwords. Eventually, security professionals initiated the use of token cards and token servers to issue one-time passwords.

From an Internet security viewpoint, you can consider two distinct areas of concern:

• Access to the network by dial-up or other remote services
• Access to the internetworking devices at the perimeter or on the internal network

To manage these concerns, Cisco released the Cisco Secure Server, which was later renamed the Cisco Secure Access Control Server (ACS). This is a complete access control server that supports the industry-standard Remote Access Dial-In User Service (RADIUS) protocol in addition to the Cisco proprietary Terminal Access Controller Access Control System Plus (TACACS+) protocol.

Cisco Secure ACS Features

Cisco Secure ACS supports the industry-standard RADIUS protocol and the Cisco proprietary TACACS, XTACACS, and TACACS+ protocols. Cisco Secure ACS helps to centralize access control and accounting for dial-in access servers and firewalls in addition to management of access to routers and switches. With Cisco Secure ACS, service providers can quickly administer accounts and globally change levels of service offerings for entire groups of users. Cisco Secure ACS supports Cisco network access servers (NASs) such as the Cisco 2509, 2511, 3620, 3640, AS5200, and AS5300, the Cisco PIX Firewall, and any third-party device that can be configured with the TACACS+ or the RADIUS protocol. Cisco Secure ACS uses the TACACS+ or RADIUS protocols to provide authentication, authorization, and accounting (AAA) services to ensure a secure environment.

Cisco Secure ACS can authenticate users against any of the following user databases:

• Windows NT (only in the NT version)
• UNIX Databases (only in the UNIX version)
• Cisco Secure ACS
• Token-card servers, including:
  - AXENT
  - CRYPTOCard
  - SafeWord
  - RSA
• Novell Directory Services (NDS)
• Microsoft Commercial Internet System Lightweight Directory Access Protocol (MCIS LDAP)
• Microsoft Open DataBase Connectivity (ODBC)

The NAS directs all dial-in user access requests to Cisco Secure ACS for authentication and authorization of privileges. Using either the RADIUS or TACACS+ protocol, the NAS sends authentication requests to Cisco Secure ACS, which verifies the username and password. Cisco Secure ACS then returns a success or failure response to the NAS, which permits or denies user access. When the user has been authenticated, Cisco Secure ACS sends a set of authorization attributes to the NAS, and the accounting functions take effect.

Currently, two versions of Cisco Secure ACS are available. They are differentiated by platform, and there are no major differences in how they operate. The platforms available are Windows NT 4.0/2000 and Solaris. The tight integration of Cisco Secure ACS with the Windows NT operating system enables companies to leverage the working knowledge and investment already made in building a Windows NT network. Existing Windows NT domain accounts can be used to provide a single login to both the network resources and the Windows NT domain.
Overview of Authentication, Authorization, and Accounting (AAA)

You might be familiar with the term AAA (pronounced "triple a"). This is a security framework that stands for authentication, authorization, and accounting. Basically, authentication is the actual permission to use the network, authorization is what you can do on the network, and accounting is what you did and how you did it. You have to be authenticated to be authorized or accounted.

Authentication

Authentication is the process of identification by the user to the ACS server. This can be carried out by a number of methods; the most frequently used is a username and password. The ACS server provides a means of authentication against various data sources, such as an Open DataBase Connectivity (ODBC) data source or the Windows NT domain. This way, you can authenticate against the existing Windows NT domain account to enforce a single login policy. Encryption can also be enabled depending on the authentication protocol and type, to further secure the login process. You have to be authenticated by the ACS before you can perform any authorization or accounting function.

One good use of authentication is to provide a single login to all internetworking devices on the network. By enabling AAA on the Cisco devices, you can force your network administrative staff to use a single login for every device they manage. This eases the administrative burden of creating local accounts and synchronizing passwords across these devices. When a new device is installed, you have only to enable AAA authentication, and all existing users will be able to access the device right away.

Another point to consider is that local usernames and passwords are by default stored in cleartext form in the device configuration. Anybody snooping over your shoulder or obtaining configuration dumps either from paper or from direct access to the TFTP server will quickly be able to learn the usernames and passwords on the device. If these passwords are the same on other devices, you have an instantly recognizable problem. You can encrypt the local usernames and passwords by using the service password-encryption command. However, there are numerous applications that can easily crack these passwords, as the algorithm used is not very strong. By implementing an AAA authentication service with the Cisco Secure ACS, you can ensure data integrity and security through advanced authentication methods and data encryption. Combine this with the accounting features, and you have a very robust authentication method for internetworking devices.

Authorization

Once you have successfully authenticated against the selected ACS data source, you can be authorized for specific network resources. Authorization is basically what a user can and cannot do on the network once he or she is authenticated. Authorization works by using a created set of attributes that describe what the user can and cannot do on the network. These attributes are compared to the information contained within the AAA database on the Cisco Secure ACS server, and a determination of the user's actual restrictions is made and delivered to the local network access server where the user is connected. These attributes are normally called attribute-value (AV) pairs.

Accounting

Accounting is a method of collecting and reporting usage data so that it can be employed for purposes such as auditing or billing. Data that can be collected might include the start and stop times of connection, executed commands, number of packets, and number of bytes. This service, once configured, reports usage statistics back to the ACS server. These statistics can be extracted to create detailed reports about the usage of the network.

One excellent and widely deployed use of accounting is in combination with AAA authentication for managing access to internetworking devices for network administrative staff. You have already seen how AAA authentication helps to centralize the account administration and improve security for staff who must log on to the command-line interface (CLI) of Cisco internetworking devices. Accounting provides extra leverage and accountability on top of the authentication. Once authenticated, the Cisco Secure ACS server keeps a detailed log of exactly what the authenticated user is doing on the device. This includes all EXEC and configuration commands issued by the user. The log contains numerous data fields, including the username, the date and time, and the actual command that was entered by the user. An example of the accounting log can be seen in Figure 9-1.

Figure 9-1. Example of an Accounting ACS Report
RADIUS and TACACS+ Th e Cisco Secure ACS support s t w o rem ot e access prot ocols, t he RADI US prot ocol and t he TACACS+ prot ocol. TACACS has t hree variat ions, all of w hich are support ed by Cisco I OS:
•
TACACS— TACACS is t he original prot ocol t hat Cisco developed in response t o RADI US. I t is incom pat ible w it h TACACS+ and has a lot of it s ow n com m ands t hat ar e support ed on Cisco I OS. I t provides passw ord checking, aut hent icat ion, and basic account ing funct ions.
•
Ex t e n de d TACACS ( X TACACS) — XTACACS is an ex t ension t o t he or iginal TACACS protoco l. This adds funct ionalit y t o t he TACACS prot ocol by int roducing feat ures such as m or e com plex aut hent icat ion and account ing m et hods.
•
TACACS+ — TACACS+ is t he m ost r ecent of t he TACACS pr ot ocols. This pr ot ocol is not com pat ible w it h TACACS or XTACACS. I t provides full AAA feat ur es t hr ough t he Cisco I OS AAA com m ands and t he use of a TACACS+ ser v er , such as t he Cisco Secur e ACS.
All t hr ee of t he abov e TACACS v er sions ar e suppor t ed by Cisco I OS, alt hough Cisco Secur e ACS only support s TACACS+ .
RADIUS

The RADIUS protocol was developed by Livingston Enterprises and operates as a protocol to offer authentication and accounting services. Several large access server vendors have implemented RADIUS, and it has gained support among a wide customer base, including Internet service providers (ISPs). RADIUS is considered to be a standard and open protocol. RADIUS is currently made up of the authentication service and the accounting service. Each of these two services is documented separately in its own RFC: the authentication service is explained in RFC 2058, and the accounting service is explained in RFC 2059.

RADIUS operates under the client/server model, where a network access server operates as the RADIUS client and a centralized software-based server operates as the RADIUS server. The RADIUS client sends authentication requests to the RADIUS server. The RADIUS server acts upon this request and forwards a reply to the RADIUS client. The RADIUS client then uses this reply to grant or deny access to the requesting host.

The RADIUS client can be any network access server that supports the RADIUS protocol. Cisco IOS from release 11.2 also supports RADIUS commands as part of its AAA model. This means that any Cisco router with IOS 11.2 or later can be used to authenticate inbound or outbound connections through RADIUS.

The RADIUS server component is a software application that is based around the RFC 2058 and RFC 2059 standards. Various vendors have released RADIUS servers, including Livingston and Merit. As previously discussed, Cisco Systems released the Cisco Secure ACS to act as a RADIUS server and to service the requests from RADIUS clients. The RADIUS server is usually a dedicated workstation or server with the required software installed.

RADIUS communicates using the User Datagram Protocol (UDP) as its transport protocol. All retransmissions and timeouts are handled by the RADIUS software on the client and server to provide the service not offered by the connectionless transport layer protocol.
TACACS+

TACACS+ is the latest revision of the TACACS access control protocol. The first release of TACACS was improved on by Cisco Systems and named Extended TACACS (XTACACS). TACACS+ was then released and is the current version, supported by both Cisco IOS and the Cisco Secure ACS. TACACS+ is a Cisco proprietary protocol and therefore is not classified as an industry standard. Other vendors' equipment generally will not support TACACS+; however, various companies are releasing TACACS+ server software to compete with the Cisco Secure ACS.

TACACS+ consists of three main services: the authentication service, the authorization service, and the accounting service. Each of these services is implemented independently of the others. This gives you the flexibility to combine other protocols with TACACS+.

TACACS+ operates under the client/server model, where a network access server operates as the TACACS+ client and a centralized software-based server operates as the TACACS+ server. The TACACS+ client sends authentication requests to the TACACS+ server. The TACACS+ server acts upon this request and forwards a reply to the TACACS+ client. The TACACS+ client then uses this reply to grant or deny access to the requesting host.

The TACACS+ client can be any network access server that supports the TACACS+ protocol. Cisco IOS from release 11.1 also supports TACACS+ commands as part of its AAA model. This means that any Cisco router with IOS 11.1 or later can be used to authenticate inbound or outbound connections through TACACS+.

The TACACS+ server component is a software application. Cisco Systems released the Cisco Secure ACS to act as a TACACS+ server and to service the requests from TACACS+ clients. The TACACS+ server is usually a dedicated workstation or server with the required software installed.

TACACS+ communicates using the Transmission Control Protocol (TCP) as its transport protocol. This connection-oriented protocol has the advantage of built-in error checking and retransmission functionality. The whole of the TACACS+ packet, apart from the TACACS+ header, is encrypted to provide security on the local segment against eavesdropping.
Differences Between RADIUS and TACACS+

There are quite a few distinct differences between RADIUS and TACACS+. These differences can be vital in deciding which protocol to implement. The main differences are shown in Table 9-1.

Table 9-1. Differences Between RADIUS and TACACS+

RADIUS | TACACS+
Uses UDP as the transport protocol | Uses TCP as the transport protocol
Encrypts only the password | Encrypts the entire body of the packet
Combines authentication and authorization | Uses the AAA architecture that separates authentication, authorization, and accounting
RFC-based industry standard | Cisco proprietary
No support for ARA, NetBIOS, NASI, or X.25 connections | Multiprotocol support
No authorization | Authorization is supported as part of the AAA architecture
Does not allow the control of commands that can be executed at the router CLI | Allows control of commands that can be executed at the router CLI by either user or group
RADIUS uses UDP as its transport layer protocol, whereas TACACS+ uses TCP. There are several advantages of TCP over UDP, but the main one is that TCP is a connection-oriented protocol and UDP is a connectionless protocol. This means that TCP has built-in mechanisms to protect against communication errors, and the protocol itself ensures delivery. With UDP, software at a higher layer has to be responsible for the safe delivery of the packets, which adds overhead to the application.

When a user attempts to authenticate through a RADIUS client, the RADIUS client sends an access-request packet to the RADIUS server. This packet contains the user's login credentials, such as the username and password pair. RADIUS only encrypts the password part of this packet and leaves the rest in clear text. This allows the username to be sniffed and could lead to a dictionary or brute-force attack. TACACS+ encrypts the entire access-request packet and only leaves the TACACS+ header unencrypted for debugging purposes.

RADIUS combines both authentication and authorization services within the access-accept packet. With TACACS+, you can separate the authentication and authorization services because each of the AAA services is independent. For example, you could authenticate using another protocol, such as Kerberos, and still use TACACS+ for authorization. This cannot be done using only RADIUS services.

TACACS+ supports a wide range of access protocols. RADIUS does not support the following protocols that TACACS+ does support:

• AppleTalk Remote Access (ARA) Protocol
• NetBIOS Frame Protocol Control Protocol
• Novell Asynchronous Services Interface (NASI)
• X.25 PAD connection

RADIUS does not allow you to control command access to the Cisco router CLI. With TACACS+, you can enable controls on a user or group level to specify exactly what commands a user or group can enter on a Cisco router with a supporting IOS version installed. This feature can be very useful for controlling the management of the internetworking devices within your organization. It can also be combined with AAA accounting to provide a robust, scalable solution to device management.
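As an added example that is not from the book, the following Python reconstructs the point made above about what each protocol leaves readable on the wire: the RADIUS User-Password hiding from RFC 2058 (only that attribute is hidden, while the User-Name attribute travels in clear text) and the TACACS+ MD5-pad body obfuscation that leaves only the 12-byte header readable. The shared key, Request Authenticator, session id, credentials and the simplified TACACS+ body are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values (not from the book): shared key, RADIUS Request
# Authenticator, TACACS+ session id and the credentials being submitted.
SHARED_KEY = b"acs-shared-key"
REQUEST_AUTHENTICATOR = bytes(range(16))
SESSION_ID = 0x1A2B3C4D
USERNAME = b"chriswhite"
PASSWORD = b"longer-than-sixteen-bytes"     # 25 bytes: exercises the chained chunks
RADIUS_ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 1, 2
TACACS_VERSION, TACACS_TYPE_AUTHEN = 0xC0, 1    # major version 0xC, minor version 0

def radius_hide_password(password, secret, authenticator):
    """RFC 2058 User-Password hiding: pad to 16-byte chunks, XOR each chunk with
    MD5(secret + previous hidden chunk), seeded by the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return bytes(out)

def radius_unhide_password(hidden, secret, authenticator):
    """Inverse of radius_hide_password (server side); trailing NULs are padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return bytes(out).rstrip(b"\x00")

def radius_access_request(identifier, username, password, secret, authenticator):
    """Access-Request: code, id, length, authenticator, then type/length/value attributes."""
    def attr(kind, value):
        return struct.pack("!BB", kind, len(value) + 2) + value
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, radius_hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def radius_attributes(packet):
    """Parse attributes without the shared secret: everything except
    User-Password comes back exactly as it travelled on the wire."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2:
            break                   # malformed attribute; stop rather than loop
        attrs[kind] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def tacacs_pad(session_id, key, version, seq_no, length):
    """TACACS+ keystream: MD5(session_id + key + version + seq_no [+ previous block])."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_obfuscate(body, session_id, key, seq_no, version=TACACS_VERSION):
    """XOR the body with the pad; applying it twice restores the body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def tacacs_packet(session_id, key, seq_no, body, packet_type=TACACS_TYPE_AUTHEN):
    """12-byte clear header (version, type, seq_no, flags, session_id, length),
    then the obfuscated body. flags=0 means the body is encrypted."""
    header = struct.pack("!BBBBII", TACACS_VERSION, packet_type, seq_no, 0,
                         session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, seq_no)

def tacacs_header(packet):
    """Only the header is readable without the key."""
    fields = struct.unpack("!BBBBII", packet[:12])
    names = ("version", "type", "seq_no", "flags", "session_id", "length")
    return dict(zip(names, fields))

def demo():
    """What someone sniffing the segment learns from each protocol's request."""
    req = radius_access_request(7, USERNAME, PASSWORD, SHARED_KEY, REQUEST_AUTHENTICATOR)
    seen = radius_attributes(req)
    body = USERNAME + b"\x00" + PASSWORD        # simplified, constructed authentication body
    pkt = tacacs_packet(SESSION_ID, SHARED_KEY, 1, body)
    return {
        "radius_username_in_clear": seen[ATTR_USER_NAME] == USERNAME,
        "radius_password_in_clear": PASSWORD in seen[ATTR_USER_PASSWORD],
        "tacacs_header_readable": tacacs_header(pkt)["session_id"] == SESSION_ID,
        "tacacs_username_in_clear": USERNAME in pkt[12:],
    }
```

Calling demo() returns a dictionary showing the RADIUS username readable and the password hidden, and the TACACS+ header readable with the username absent from the obfuscated body.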
Cisco Secure ACS Installation

Now that you have seen a brief overview of the Cisco Secure ACS, the role it serves in the internetwork, and the two main authentication protocols, RADIUS and TACACS+, it is time to proceed to the installation requirements for the actual Cisco Secure ACS server software. Two versions of the Cisco Secure ACS are in operation: Cisco Secure ACS for Windows NT and Cisco Secure ACS for UNIX. This section covers the installation requirements for both of these versions.
Windows NT and Windows 2000 Installation

The main advantage of the Windows NT version of Cisco Secure ACS is the tight integration with the Windows NT domain database. This allows users to log on using their existing Windows NT domain account to promote a single network login. The installation must be carried out on a Windows NT server (not a workstation), and the currently supported version is version 4.0. For system requirements and service packs, see the release notes at: www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt26/index.htm

Windows NT System Requirements

Cisco Secure ACS is supported on Microsoft Windows NT 4.0 Server. To install Cisco Secure ACS on the Windows NT platform, the NT server must meet the following minimum requirements:

• Pentium processor running at 200 MHz or better
• Microsoft Windows NT Server 4.0 operating system, English language version
• 64 MB of RAM required, 128 MB recommended
• At least 150 MB of free disk space
• Minimum of 256 colors at a resolution of 800 by 600 lines
• To have Cisco Secure ACS refer to the Grant Dial-in Permission to User feature, make sure this option is checked in the Windows NT User Manager for the applicable user accounts
• Make sure your NAS is running Cisco IOS Release 11.1 or higher (release 11.2 or higher for RADIUS) or you are using a third-party device that can be configured with TACACS+ or RADIUS
• Make sure dial-up clients can successfully dial in to your NAS
• Make sure the Windows NT server can ping the NAS
• One of the following browsers must be installed on the Windows NT server:
  - Microsoft Internet Explorer 3.02 or higher
  - Netscape Navigator 3.x or Communicator 4.x or higher
  - Java and JavaScript support must be enabled

Once these criteria have been met, you can install the Cisco Secure ACS software.
W indow s N T I n st a lla t ion Pr oce ss Cisco Secur e ACS is pr ov ided on a CD-ROM, w hich has t o be inst alled t o y our ser v er 's har d disk for t he applicat ion t o funct ion. Cisco Secur e ACS w ill not oper at e fr om t he CD dr iv e.
303
This chapt er does not exam ine t he full inst allat ion p r ocess. This is fully docum ent ed on Cisco Connect ion Online at
www.cisco.com / go/ ciscosecure
and also in t he docum ent at ion pr ov ided w it h t he
Cisco Secur e ACS pr oduct .
UNIX Installation

The UNIX version of Cisco Secure ACS is a robust application that provides AAA services against industry-standard databases such as SQL and Oracle. The UNIX version does not support authentication against a Windows NT domain.

UNIX System Requirements

The main requirement of the UNIX version is that it must run on Solaris. The Cisco Secure ACS (and its optional backup server) requires the following hardware and software:

• UltraSPARC or compatible workstation
  - To support Cisco Secure ACS without the licensed Distributed Session Manager option: Ultra 1 with a processor speed of 167 MHz or faster; minimum 200 MHz if the Oracle or Sybase RDBMS is installed on the same system
  - To support Cisco Secure ACS with the licensed Distributed Session Manager option: Ultra 1 or faster; Ultra 10 or faster if the Oracle or Sybase RDBMS is installed on the same system
• Minimum 256 MB of swap space; minimum 512 MB of swap space if the Oracle or Sybase RDBMS is installed on the same system
• 128 MB of RAM; 256 MB of RAM if the Oracle or Sybase RDBMS is installed on the same system
• Minimum 256 MB of free disk space (if you are using the supplied SQLAnywhere database); minimum 2 GB of disk space if the Oracle or Sybase RDBMS is installed on the same system
• CD-ROM drive
• Solaris 2.6, or Solaris 2.5.1 with patches; more information on Solaris 2.5.1 with patches can be found on CCO at the following URL: www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/instl23.htm#26679

UNIX Installation Process

Cisco Secure ACS is provided on a CD-ROM, which has to be installed to your server's hard disk for the application to function. Cisco Secure ACS will not operate from the CD drive. This chapter does not examine the full installation process. This is fully documented on Cisco Connection Online at www.cisco.com/go/ciscosecure and also in the documentation provided with the Cisco Secure ACS product.
Cisco Secure ACS Configuration

This section covers the configuration of Cisco Secure ACS, including information on the client configuration and the server configuration. In this section, the client is a Cisco router running IOS 12 and supporting both RADIUS and TACACS+. The server is a Windows NT server that authenticates against the Windows NT domain and also against a remote ODBC data source. The section shows the configuration of RADIUS and TACACS+ for authentication and accounting, both for EXEC and network connections.

This section starts by looking at the configuration options for the Cisco Secure ACS server. Nothing can be demonstrated with the ACS client until the ACS server is fully functional. Configuring an ACS client for authentication against a server that is not live can actually lock you out of the service. If you use this service to authenticate yourself for logging in to the router, you will not be able to log in. This section includes techniques to ensure that you can log in to the router at all times, even if the ACS server is offline for whatever reason.

As soon as you have successfully installed Cisco Secure ACS, you are ready to configure it.
Web-Based Configuration and the ACS Admin Site

Cisco Secure ACS is configured through a web-based application that is called ACS Admin. When you install Cisco Secure ACS, you also install a complete web server to which the ACS Admin site is bound. This web server only operates on port 2002, and it runs as a Windows NT service on the Windows NT version and as an application on the UNIX version. This service is called CSAdmin and can be stopped and started like any other Windows NT service.

An icon is created on the desktop and also on the Start menu for ACS Admin. Double-clicking this icon launches the ACS Admin web interface. If you are running the ACS Admin application from another machine, you have to enter the IP address of the machine followed by the port 2002. For example, if the ACS server was installed on 194.73.134.2, the URL would be http://194.73.134.2:2002. The colon indicates that the port number will follow. This connects to 194.73.134.2 on port 2002. Port 2002 is serviced by CSAdmin; therefore, the ACS Admin application is executed. Figure 9-2 shows the ACS Admin configuration screen that you get when you log in.

Figure 9-2. Cisco Secure ACS Admin Application

From here, you can see the main configuration options. These are represented as buttons down the left side of the screen. These configuration options include:

• User Setup
• Group Setup
• Network Configuration
• System Configuration
• Interface Configuration
• Administration Control
• External User Databases
• Reports and Activity
• Online Documentation

Sample configurations can also be seen from here. The sample configurations give you numerous scenarios and the required configuration for both the ACS server and the ACS client.

The following sections look at each of the configuration options listed.
User and Group Setup

The User and Group Setup configuration options can both be reached from the main ACS Admin page. The User Setup configuration option displays all users who have ever authenticated against the ACS server. For example, Figure 9-3 shows the details for the user chriswhite.

Figure 9-3. User Setup Screen

From this initial screen, you can see the user details for chriswhite. You can see that this user has been authenticated against the Windows NT database. This means that this user was first authenticated from an ACS client against the user's Windows NT username and password. You can change a number of other settings here, such as the advanced settings and the advanced TACACS+ settings. The advanced TACACS+ settings can be seen in Figure 9-4.

Figure 9-4. User Setup Screen—Advanced TACACS+ Settings

One other important point here is the group membership. Users can be members of groups and have the permissions and settings applied to the group instead of to each individual user. This eases the implementation of changes across groups of users. The groups can be either configured or mapped externally. As you can see in Figure 9-5, the user chriswhite is a member of groups that are mapped by an external authenticator. This means that the Windows NT groups that Chris is a member of are mapped to the Cisco Secure ACS groups. This is explained later in this chapter, in the section "External User Databases."

Figure 9-5. User Setup Screen—Group Settings

You can also add a new user from the User Setup screen. When you add a new user, by default you add it to the Cisco Secure internal database.

The Group Setup screen is similar to the User Setup screen, except that it deals with groups instead of users. From the main screen, you can view users in a group, edit settings, or rename the group. Figure 9-6 shows you the users in the default group.

Figure 9-6. Group Setup Screen—Users in a Group

In the right pane of the window, you can see the four users who are members of the Default Group. Clicking an individual user will take you to the User Setup screen for that user.
Network Configuration

The Network Configuration screen is where you configure the network information for the ACS server. From this screen, you enter the network access server information that will configure the ACS server to begin processing requests from that NAS. You can also add, remove, and edit AAA servers from the administrative console. Figure 9-7 shows the standard screen displayed for Network Configuration.

Figure 9-7. Network Configuration Screen

You can see from this screen that there are two network access servers and one AAA server. The two access servers are Access_PPP and Router2511. The AAA server is called mas001. Clicking any of these items will take you to the individual configuration screen for that item. To add a new NAS, click the Add Entry button below the Network Access Servers header. The following screen, shown in Figure 9-8, is the Add Access Server screen.

Figure 9-8. Network Configuration Screen—Adding a New NAS

To add a new access server, you have to enter the network access server hostname, IP address, and key. The key is a shared security key that has to be the same on both the ACS server and the ACS client. You can then choose the authentication method. This obviously has to match the authentication type implemented on the ACS client or NAS. If you have configured TACACS+ on the NAS, select the default, TACACS+, on the ACS server. The other options are the different flavors of RADIUS. There is RADIUS (CISCO) for use with Cisco devices, RADIUS (IETF) for use with standards-based (RFC 2058 and RFC 2059) devices, RADIUS (ASCEND) for Ascend internetworking devices, and RADIUS (RedCreek) for Red Creek internetworking devices. Clicking Submit configures the ACS server to start processing requests for AAA services for the newly configured network access server.

To add a new AAA server, click the Add Entry button below the AAA Servers header. The following screen, shown in Figure 9-9, is the Add AAA Server screen.

Figure 9-9. Network Configuration Screen—Adding a New AAA Server

To add a new AAA server, you have to enter the AAA server name, IP address, and key. You then specify whether the server is a RADIUS, TACACS+, or Cisco Secure ACS server. Even though Cisco Secure ACS is both a RADIUS and TACACS+ server, it is important to select the Cisco Secure ACS option if the new AAA server is running the Cisco Secure ACS server software.
System Configuration

The next configuration option is the System Configuration. This option leads to seven other configuration options that are all related to the configuration of the Cisco Secure ACS system. These options are:

• Service Control
• Logging
• Password Validation
• Cisco Secure Database Replication
• ACS Backup
• ACS Restore
• ACS Service Management

The System Configuration screen can be seen in Figure 9-10.

Figure 9-10. System Configuration Screen

Service Control

The Service Control option reports information and lets you stop and start the Windows NT services that relate to the Cisco Secure ACS server.

Logging

The Logging option lets you configure what events and targets you wish to log. These logs are stored on the ACS server in comma-separated value (.CSV) format.

Password Validation

The Password Validation option lets you force a minimum and maximum password length for the internal Cisco Secure ACS database. You can also specify further password options, such as deciding that the password and username cannot be the same.

Cisco Secure Database Replication

The Cisco Secure Database Replication option allows you to configure and schedule replication of the Cisco Secure ACS database to other installed Cisco Secure ACS servers. These servers have to be added under the Network Configuration option covered previously.

ACS Backup

The ACS Backup option allows you to back up the Cisco Secure ACS database, including the user, group, and configuration settings. This backup can be to a local or remote shared drive.

ACS Restore

The ACS Restore option performs a restore of the Cisco Secure ACS database, including the user, group, and configuration settings.

ACS Service Management

The ACS Service Management option allows you to specify system-monitoring and event-logging parameters. The system-monitoring option uses a dummy user to test authentication for a predetermined period. The event-logging option sets all events to be sent to the built-in Windows NT event log. These can also be configured to be e-mailed through an SMTP server to any valid e-mail account.
Interface Configuration

The Interface Configuration screen is where you can configure the Cisco Secure HTML interface. There are four further options within the interface configuration:

• User Data Configuration
• TACACS+ (Cisco IOS)
• RADIUS (Microsoft)
• RADIUS (Cisco VPN 3000)
• RADIUS (IETF)
• Advanced Options

Figure 9-11 shows these options on the Interface Configuration screen.

Figure 9-11. Interface Configuration Screen

User Data Configuration

In the User Data Configuration screen, you can enter up to five user-defined fields that will be displayed in the User Setup configuration option.

TACACS+ (Cisco IOS)

The TACACS+ (Cisco) option allows you to change the TACACS+ services that you want to appear as configurable items in the User Setup and Group Setup screens.

RADIUS (Microsoft)

The RADIUS (Microsoft) option allows you to change the RADIUS services specific to Microsoft protocols that you want to appear as configurable items in the User Setup and Group Setup windows.

RADIUS (Cisco VPN 3000)

This option allows you to enable the RADIUS Vendor-Specific Attribute (VSA) number 26 for the Cisco VPN 3000 concentrator.

RADIUS (IETF)

The RADIUS (IETF) option allows you to change the RADIUS services that you want to appear as configurable items in the User Setup and Group Setup screens.

Advanced Options

The advanced options are a set of options that are only enabled as configurable if set here. These options are displayed in Figure 9-12.

Figure 9-12. Interface Configuration Advanced Options Screen
Administration Control

The Administration Control screen is where you can generate and configure users that are classified as administrators of the Cisco Secure ACS system. When you create these administrative users, you can also specify to which groups and functions they have access. This allows you to create tiered levels of administrators. There are three other options available from this configuration page:

• Access Policy
• Session Policy
• Audit Policy

Figure 9-13 shows the main Administration Control screen.

Figure 9-13. Administration Control Screen

You can see from Figure 9-13 that this ACS server has two configured administrators, chris and test.

Access Policy

The Access Policy is used to restrict access to the administrative functions on the Cisco Secure ACS server. You can enter 10 ranges of IP addresses that can be either allowed or disallowed. The default setting is to let all IP addresses connect to the administrative console. This acts in a similar way to access lists on Cisco routers.

Session Policy

The Session Policy is concerned with the connected session. You can set the idle timeout for the session. This is set at 60 minutes by default, but it might be a good idea to lower this value to 10 minutes or even less. If somebody remains logged in and leaves the machine unattended, anybody with physical access to the machine can use the logged-in administrative rights on the ACS system. You can also set a login failure limit before the administrative account is locked out. This deters brute-force and dictionary attacks. Another important setting here is the Allow automatic local login setting. By default, this is checked, which means that anybody with sufficient privileges to log on locally to the server will be able to run the ACS Admin application without any further authentication. This is not very secure for obvious reasons, and it is a good idea to disable this and control access through administrative accounts for specific administrators.

Audit Policy

The Audit Policy sets the frequency of the audit log generation. The default setting is to create a new log for every day of the week. This can be changed to weekly, monthly, or when the log size reaches a specific value.
External User Databases

The External User Databases configuration screen is where you configure Cisco Secure ACS to authenticate users against external databases. You are presented with three options from the main page:

• Unknown User Policy
• Database Group Mappings
• Database Configuration

This screen is shown in Figure 9-14.

Figure 9-14. External User Databases Screen

Unknown User Policy

The unknown user policy instructs the ACS server what to do if the user is not found in the built-in ACS database. This is a very important function if you wish to use a different authentication database than the built-in Cisco Secure ACS database. The default setting is for the ACS to fail the authentication attempt. The only other setting is to use a configured external database. Figure 9-15 shows you the unknown user policy configuration screen.

Figure 9-15. External User Databases Screen—Unknown User Policy Configuration

You can see in Figure 9-15 that this ACS server is set to try the internal ACS database and, failing that, it attempts authentication against two external databases, a Windows NT domain and an ODBC source. The Windows NT domain database will be checked first, followed by the configured ODBC data source. Both the Windows NT domain database and the ODBC data source have to be configured in the Database Configuration screen, which is covered in the section "Database Configuration."

Database Group Mappings

The Database Group Mappings configuration screen allows you to map a preconfigured built-in group within the Cisco Secure ACS database to a group configured on the external database. For example, if you have a Windows NT group called Accounts, you can also have a Cisco Secure ACS group called Accounts and create a mapping between these two groups. Then all members of the Windows group Accounts will be made members of the ACS group Accounts. This group can be configured from the Group Setup configuration screen that was explained earlier in the section "User and Group Setup." Figure 9-16 shows some mappings between a Windows NT database and the Cisco Secure ACS database.

Figure 9-16. External User Databases Screen—Database Group Mappings

In Figure 9-16, you can clearly see the mappings in relation to the Windows NT database and the Cisco Secure ACS database.

Database Configuration

The External User Database Configuration screen is where you configure Cisco Secure ACS to use an external data source. Figure 9-17 shows the available options.

Figure 9-17. External User Databases Screen—Database Configuration

From the screen in Figure 9-17, you can see the external databases available from within Cisco Secure ACS. Each database has its own configuration settings associated with it.
Reports and Activity The Repor t s and Act ivit y configur at ion scr een is w her e you can view t he r epor t s cr eat ed by t he Cisco Secure ACS server soft w are. The prebuilt report s include:
•
TACACS+ Account ing
•
TACACS+ Adm inist ra t ion
•
RADI US Account ing
•
VoI P Account ing
•
Passed Aut hent icat ions
•
Failed At t em pt s
•
Logged-I n Users
•
Disabled Account s
•
ACS Back up and Rest or e
•
RDBMS Synchronizat ion
•
Dat abase Replicat ion
•
Adm inist rat ive Audit
•
ACS Service Monit oring
TACACS+ Accou n t in g
322
The TACACS+ Account ing r epor t pr ovides infor m at ion about t he TACACS+ account ing. This r epor t is gat her ed fr om infor m at ion sent fr om TACACS+ client s t hat ar e configur ed t o use TACACS+ for account ing. You can see a sam ple TACACS+ account ing report in Figure 9 - 18 . Figur e 9 - 1 8 . Re por t s a nd Act ivit y Scr e e n—TACACS+ Accou n t in g Re por t
You can see in
Figure 9 - 18
t hat com m ands have been execut ed at privilege level 15. The first
com m and t hat w as ent er ed w as w r it e m e m or y, and t he last com m and ent er ed w as also w r it e m e m or y.
TACACS+ Adm in ist r at ion The TACACS+ Adm inist r at ion r epor t cont ains det ails about t he com m ands t hat w er e execut ed against t he devices configur ed for TACACS+ account ing. This nor m ally r efer s t o Cisco r out er s t hat have been configur ed for TACACS+ account ing t o t r ack all com m ands ent er ed against t he r out er .
RAD I US Accou n t in g The RADI US Account ing report provides inform at ion about t he RADI US account ing. This report is gat hered from inform at ion sent from RADI US client s t hat are configured t o use RADI US for account ing. This r epor t is ver y sim ilar t o t he TACACS+ account ing r epor t .
VoIP Accounting
The VoIP Accounting report provides information about VoIP RADIUS accounting. This report is gathered from accounting information sent from RADIUS clients that are configured to use VoIP RADIUS for accounting.
Passed Authentications
This report lists successful authentications during the period covered by the report. By default, this report is disabled.
Failed Attempts
The Failed Attempts report is a list of failed authentication and authorization attempts. The reason for failure is also included, which can include expired accounts, disabled accounts, and exceeding the allowed authentication attempts count.
Logged-In Users
The Logged-In Users report displays a list of current users who are logged in to each network access server on the network. The data in the report contains the date, time, username, group, and IP address.
Disabled Accounts
The Disabled Accounts report is a list of accounts that have been disabled. These accounts might have been disabled manually or automatically by date expiration on the account. No .CSV file is created for this report, and it is only visible from the ACS Admin application.
ACS Backup and Restore
The ACS Backup and Restore report provides information about the ACS backup and restore operations. The date, time, and location of each operation are recorded, along with the username of the administrator who started the process.
RDBMS Synchronization
This report contains the times the RDBMS database was synchronized and the cause of the synchronization: manual or scheduled.
Database Replication
The Database Replication report contains the date and time that the ACS database was successfully replicated to the backup server. The cause of the replication, either manual or automatic, is also recorded.
Administrative Audit
The Administrative Audit report contains a list of the Cisco Secure ACS administrators who accessed the ACS system on the specified date. All actions that the administrator carried out are logged, along with the date and time of the action. This report is similar to the TACACS+ accounting feature on Cisco internetworking devices, where all administrator duties are monitored and logged.
ACS Service Monitoring
The ACS Service Monitoring report provides details about the monitored Cisco Secure ACS-related Windows NT services. This information can also be viewed in the Windows NT event log.
These reports are all stored in .CSV files in the \Program Files\Cisco Secure ACS v2.3\Logs directory on the ACS server. These raw .CSV files can be imported into leading database and spreadsheet applications for further analysis and recording over and above the reports generated by the Cisco Secure ACS server.
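The .CSV exports just described lend themselves to the same kind of review that the TACACS+ Accounting and Administration reports give you inside the ACS interface: which administrator ran privilege-level-15 commands, when, and whether any of those commands touched the AAA controls themselves. The following Python script is an added example and is not part of the book or of Cisco Secure ACS. The column names, the log rows, the user names and the watch list of commands are all constructed for the example; a real export carries its own header row, which csv.DictReader reads in the same way.

```python
"""Added example (not from the book): reviewing an exported ACS
accounting .CSV file offline. Column names and rows are constructed."""
import csv
import io
from collections import Counter

# Constructed sample of a TACACS+ command-accounting export: one row per
# command recorded by the NAS. The header names are assumed, not ACS's.
SAMPLE_CSV = """Date,Time,User-Name,Group-Name,NAS-IP-Address,priv-lvl,cmd
05/30/2001,08:12:03,netadmin,Default Group,192.168.0.9,15,write memory
05/30/2001,08:12:10,netadmin,Default Group,192.168.0.9,15,configure terminal
05/30/2001,08:13:41,netadmin,Default Group,192.168.0.9,15,interface Serial0
05/30/2001,08:14:02,helpdesk,Default Group,192.168.0.9,1,show ip route
05/30/2001,23:31:55,contractor,Default Group,192.168.0.9,15,no aaa new-model
05/30/2001,23:32:07,contractor,Default Group,192.168.0.9,15,write memory
"""

# Commands worth flagging because they weaken or remove the AAA and
# logging controls themselves (constructed watch list for this example).
WATCHED_PREFIXES = ("no aaa ", "no logging", "no tacacs-server", "no radius-server")


def load_rows(text: str):
    """Parse the export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def privileged_commands_by_user(rows):
    """Count privilege-level-15 commands per user name."""
    counts = Counter()
    for r in rows:
        if r["priv-lvl"] == "15":
            counts[r["User-Name"]] += 1
    return dict(counts)


def out_of_hours(rows, start_hour=22, end_hour=6):
    """Rows whose time falls in a night-time window (constructed: 22:00-06:00)."""
    hits = []
    for r in rows:
        hour = int(r["Time"].split(":")[0])
        if hour >= start_hour or hour < end_hour:
            hits.append((r["User-Name"], r["Time"], r["cmd"]))
    return hits


def watched_commands(rows):
    """Rows whose command starts with one of the watched prefixes."""
    return [(r["User-Name"], r["cmd"]) for r in rows
            if r["cmd"].startswith(WATCHED_PREFIXES)]


def review(text: str = SAMPLE_CSV) -> dict:
    """Run all three checks over an export and return the findings."""
    rows = load_rows(text)
    return {
        "priv15_by_user": privileged_commands_by_user(rows),
        "out_of_hours": out_of_hours(rows),
        "watched": watched_commands(rows),
    }


if __name__ == "__main__":
    for name, value in review().items():
        print(name, value)
```

Run against a real export, the only change needed is the header names in the three lookups; the time-window and watch-list checks are where a reviewer would most likely add site-specific rules.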
Online Documentation
As you would expect, the Online Documentation screen is a collection of the related documents for the Cisco Secure ACS server. These documents include the full documents for every feature supported on Cisco Secure ACS, in addition to sample configurations and example commands that are required to be entered on the network access servers. Updated documentation can always be found at the Cisco Connection Online web site at www.cisco.com.
Network Access Server Configuration
The previous section covered the basic configuration tasks required for the Cisco Secure ACS server. The ACS server acts as the authentication server, regardless of whether you use RADIUS or TACACS+ as the authentication protocol. The other required configuration task relates to the authentication client; again, this is regardless of whether you choose RADIUS or TACACS+ as the authentication protocol. The title given to these clients is usually network access servers. The NAS is usually an internetworking device capable of terminating many inbound connections. These can be dial-based connections over the PSTN or ISDN (BRI and PRI) or fixed, WAN-interconnect-based connections between corporate sites. AAA services can also be used on internetwork devices to ease the administrative burden of user-account creation and to provide a mechanism for recording the privileged-level commands that are run on the devices. The remainder of this section concentrates on configuring Cisco devices for AAA services to the Cisco Secure ACS server. The client is referred to as the NAS in this section.
AAA Configuration Overview
In this section, you will see how to configure AAA services for both TACACS+ and RADIUS. This section does not cover the older TACACS and XTACACS protocols; for configuration information about TACACS and XTACACS, refer to the IOS Network Security documentation on CCO for the relevant release of the IOS software you are using.
Before you start configuring the specific AAA services, some basic configuration commands are required to initialize AAA on the NAS and to provide the type and location of the authentication server. By default, the NAS will not be configured for TACACS+ and RADIUS, because it will be in the default TACACS and XTACACS state. The first command you always enter when you configure RADIUS or TACACS+ is
aaa new-model
This command enables the configuration of TACACS+ and RADIUS and disables access to many of the old TACACS and XTACACS commands. The next step is to configure the NAS with the required information about the TACACS+ and RADIUS servers. To enable TACACS+, the following two commands are required:
tacacs-server host ip-address
tacacs-server key key
The first command configures the location of the TACACS+ server. The IP address has to be the IP address of the TACACS+ server. The second command sets the shared key for the TACACS+ connection. This shared key has to be the same on both the TACACS+ client and the TACACS+ server. This key is used in the encryption of the entire packet between the client and the server. To enable RADIUS, the following two commands are required:
radius-server host ip-address
radius-server key key
The first command configures the location of the RADIUS server. The IP address has to be the IP address of the RADIUS server. The second command sets the shared key for the RADIUS connection. This shared key has to be the same on both the RADIUS client and the RADIUS server. This key is used in the encryption of the password within the packet between the client and the server. The following example enables AAA services, sets the TACACS+ server to 192.168.0.1, and sets the shared key to myKey:
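The difference between the two key statements above is worth seeing in code: TACACS+ runs the shared key through an MD5-based pad that covers the whole packet body, whereas RADIUS uses the key only to hide the User-Password attribute. The following Python module is an added example, not code from the book or from Cisco; it implements the publicly documented algorithms from RFC 8907 (TACACS+ body obfuscation) and RFC 2865 (RADIUS User-Password hiding). The session ID, user name, password and attribute layout are constructed for the example.

```python
"""Added example (not from the book): how the shared key is used by
TACACS+ (RFC 8907 body obfuscation) and by RADIUS (RFC 2865 User-Password
hiding). Every packet value here is constructed for illustration."""
import hashlib
import os


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Build the TACACS+ pseudo-pad: a chain of MD5 digests over the
    session id, the shared key, the version byte and the sequence number,
    each round also absorbing the previous digest."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, digest = b"", b""
    while len(pad) < length:
        digest = hashlib.md5(prefix + digest).digest()
        pad += digest
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the entire packet body with the pseudo-pad. XOR is its own
    inverse, so the same call deobfuscates a received body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes and
    XOR each block with MD5(secret + previous ciphertext block), seeded
    with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; strips the zero padding (a password
    that itself ends in NUL bytes would be ambiguous, as in the RFC)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def compare_exposure(username: bytes, password: bytes, key: bytes) -> dict:
    """Show what an observer of the wire sees with each protocol."""
    session_id = 0x12345678  # constructed
    # TACACS+: the whole body (user name, password, service) is covered.
    body = b"user=" + username + b";pass=" + password + b";service=shell"
    tac = tacacs_obfuscate(body, session_id, key)
    # RADIUS: only the User-Password value is hidden; User-Name and the
    # remaining attributes travel in clear text.
    authenticator = os.urandom(16)
    rad_user_name = username
    rad_password = radius_hide_password(password, key, authenticator)
    return {
        "tacacs_username_visible": username in tac,
        "tacacs_roundtrip_ok": tacacs_obfuscate(tac, session_id, key) == body,
        "radius_username_visible": rad_user_name == username,
        "radius_password_visible": password in rad_password,
        "radius_roundtrip_ok": radius_reveal_password(rad_password, key, authenticator) == password,
    }


if __name__ == "__main__":
    for k, v in compare_exposure(b"alice", b"s3cret!", b"myKey").items():
        print(k, v)
```

compare_exposure() makes the practical point behind the two key statements: with RADIUS the user name and every attribute other than the password are readable to anyone who can capture the exchange, and in both protocols the shared key is the only thing standing between a capture and the credentials, so it deserves the same handling as any other secret on the NAS and the ACS.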
NAS(config)#aaa new-model
NAS(config)#tacacs-server host 192.168.0.1
NAS(config)#tacacs-server key myKey
This is the basic configuration required to activate both RADIUS and TACACS+. There are other commands that can be used; details about these can be found in the IOS Security Documentation online within CCO. The remainder of this section looks at the specific AAA services and how to configure them.
Authentication Configuration
Authentication is required before both authorization and accounting can function. If the user is not authenticated, the user cannot be authorized or accounted. You can, however, just configure authentication and not authorization or accounting. Authentication performs adequately by itself and is not dependent on any other AAA service.
The first step in configuring authentication is to create a method list. The method list describes the authentication methods to be queried, in sequence, to authenticate the user. Method lists allow you to specify more than one source of authentication. This is useful in case one authentication source is not responding. For example, you could use TACACS+ first, then the local user database on the router. The syntax for specifying an authentication method list on the access server is:
aaa authentication service {default | list-name} method1 [method2] [method3] [method4]
Method 2 through Method 4 are optional and are just used to select another authentication method.
NOTE
Even though you can specify multiple authentication methods, the NAS only tries the next method if no response is received from the previous method. If authentication fails at any point, the authentication process stops and the user is denied.
For authentication, there are five specified values for service:
• arap— Configures authentication for AppleTalk Remote Access users
• nasi— Configures authentication for NetWare Asynchronous Services Interface users
• enable— Configures authentication for enable mode access to the device
• login— Configures authentication for character mode connections to the device
• ppp— Configures authentication for PPP connections to the device
You can have up to four authentication methods per method list. The method list uses the first configured method and only moves on to the next method if no response is received. There are 11 authentication methods in total. Again, this section concentrates on RADIUS and TACACS+. The 11 methods are:
• enable— Uses the enable password for authentication
• line— Uses the line password for authentication
• local— Uses the local database for authentication
• none— Uses no authentication
• tacacs+— Uses a TACACS+ server for authentication
• radius— Uses a RADIUS server for authentication
• krb5— Uses Kerberos 5 for authentication
• krb5-telnet— Uses Kerberos 5 for Telnet authentication
• auth-guest— Guest logins are allowed only if the user has already logged in to EXEC
• guest— Guest logins are allowed
• if-needed— Do not authenticate the user if the user has already been authenticated by other means
There are 5 services and 11 authentication methods. Not all authentication methods are permitted for every service. Table 9-2 shows the available services and the corresponding authentication methods.
Table 9-2. Authentication Methods
Service   enable  line  local  none  tacacs+  radius  krb5  krb5-telnet  auth-guest  guest  if-needed
arap      No      Yes   Yes    No    Yes      Yes     No    No           Yes         Yes    No
nasi      Yes     Yes   Yes    Yes   Yes      No      No    No           No          No     No
enable    Yes     Yes   No     Yes   Yes      Yes     No    No           No          No     No
login     Yes     Yes   Yes    Yes   Yes      Yes     Yes   Yes          No          No     No
ppp       No      No    Yes    Yes   Yes      Yes     Yes   No           No          No     Yes
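The NOTE above and Table 9-2 together define what a method list does: the table says which methods a service may name, and the NOTE says that the NAS moves to the next method only when the current one does not answer, so a definite failure is final. The following Python model is an added example, not code from the book or from IOS. It transcribes Table 9-2 as a permission check for a proposed aaa authentication line and walks a method list under the NOTE's rule; the outcome names PASS, FAIL and ERROR, the user names and the passwords are all constructed for the example.

```python
"""Added example (not from the book): a model of how IOS walks an
authentication method list, plus a check of a proposed list against
Table 9-2. Outcome names and the sample users are constructed."""
from typing import Callable, Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"   # ERROR = no response

# Table 9-2, transcribed: the methods permitted for each service.
ALLOWED_METHODS: Dict[str, set] = {
    "arap":   {"line", "local", "tacacs+", "radius", "auth-guest", "guest"},
    "nasi":   {"enable", "line", "local", "none", "tacacs+"},
    "enable": {"enable", "line", "none", "tacacs+", "radius"},
    "login":  {"enable", "line", "local", "none", "tacacs+", "radius",
               "krb5", "krb5-telnet"},
    "ppp":    {"local", "none", "tacacs+", "radius", "krb5", "if-needed"},
}

Source = Callable[[str, str], str]


def validate_method_list(service: str, methods: List[str]) -> List[str]:
    """Return the problems with a proposed 'aaa authentication' line."""
    if service not in ALLOWED_METHODS:
        return [f"unknown service {service!r}"]
    problems = []
    if not 1 <= len(methods) <= 4:
        problems.append("a method list takes between one and four methods")
    for m in methods:
        if m not in ALLOWED_METHODS[service]:
            problems.append(f"method {m!r} is not permitted for service {service!r}")
    return problems


def authenticate(methods: List[str], sources: Dict[str, Source],
                 user: str, pw: str) -> Tuple[str, Optional[str]]:
    """Walk the list: a method that gives no response (ERROR) hands over to
    the next one; PASS or FAIL ends the walk at once. Returns the result
    and the method that decided it (None if nobody answered)."""
    for m in methods:
        outcome = sources[m](user, pw)
        if outcome != ERROR:
            return outcome, m
    return FAIL, None   # every method silent: the user is denied


# Constructed sources: a TACACS+ server that knows only 'alice', and a
# local database holding only the emergency account 'admin'.
def make_tacacs(server_up: bool) -> Source:
    users = {"alice": "Wonder1and"}

    def query(user: str, pw: str) -> str:
        if not server_up:
            return ERROR          # e.g. the ACS is unreachable
        return PASS if users.get(user) == pw else FAIL
    return query


def local_db(user: str, pw: str) -> str:
    return PASS if (user, pw) == ("admin", "Em3rgency") else FAIL


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Outcomes for the list 'tacacs+ local' with the ACS up and down."""
    up = {"tacacs+": make_tacacs(True), "local": local_db}
    down = {"tacacs+": make_tacacs(False), "local": local_db}
    lst = ["tacacs+", "local"]
    return {
        "admin_while_up": authenticate(lst, up, "admin", "Em3rgency"),
        "admin_while_down": authenticate(lst, down, "admin", "Em3rgency"),
        "alice_while_up": authenticate(lst, up, "alice", "Wonder1and"),
        "alice_while_down": authenticate(lst, down, "alice", "Wonder1and"),
    }


if __name__ == "__main__":
    print(validate_method_list("ppp", ["enable", "local"]))
    for case, result in demo().items():
        print(case, result)
```

The demo() results show the practical consequence of the NOTE: with a tacacs+ local list, the emergency local account is reachable only while the ACS does not answer; while the ACS is up, a wrong password there is a final FAIL and the local database is never consulted. The same walk applies to authorization method lists, which the page describes with the same rule.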
One important point to remember is the method list name. This can be any string value other than default. The list name default is reserved and has the effect of applying the authentication method list to all interfaces for all valid connections without any further configuration. This might be what you want and is then an ideal solution, but there are many times when, for instance, you only want to use AAA for VTY authentication and not PPP authentication. The following line of configuration sets up a default method list:
NAS(config)#aaa authentication login default tacacs+ local
The preceding command enables login authentication for all interfaces against TACACS+ and, if no response is received from TACACS+, the local database stored on the device. If you decide that you want to specify a name for the method list, you have to apply it to the interfaces. For example, the following configuration creates a method list called "execaccess":
NAS(config)#aaa authentication login execaccess radius local
The preceding method list authenticates against RADIUS, and if no response is received from the RADIUS server, the local database stored on the device is checked. This method list is to provide login authentication against the VTY lines on the device. The following command from line configuration mode is required:
NAS(config-line)#login authentication execaccess
This command applies the method list execaccess to the VTY lines. More examples for authentication will be given at the end of this chapter. Also, there are numerous prebuilt configurations for AAA available at CCO.
Authorization Configuration
Once the user has been authenticated, you can apply authorization to that user. As with authentication, the first configuration step is to create a method list. The syntax is very similar, and the theory behind the method list is exactly the same as that for authentication. One difference is that you are not required to give the method list a name. The syntax for specifying an authorization method list on the access server is:
aaa authorization service [default | list-name] method1 [method2] [method3] [method4]
Method 2 through Method 4 are optional and are just used to select another authorization method.
NOTE
Even though you can specify multiple authorization methods, the NAS only tries the next method if no response is received from the previous method.
For authorization, there are five specified services:
• network— Authorization is checked for all network connections. This includes connections over PPP, SLIP, and ARAP.
• exec— This relates to whether the user can run an EXEC shell on the NAS.
• commands— All commands entered are checked to ensure that the user has authorization to use them. You have to specify the command enable level (1–15) after the command service type.
• config-commands— All configuration commands entered are checked to ensure that the user has authorization to use them.
• reverse-access— Authorization for reverse Telnet sessions.
As with authentication, you also have to specify methods in the method list. Up to four of these can be specified, and they are contacted in order. For authorization, there are four methods to carry out authorization:
• tacacs+— The NAS contacts a TACACS+ server, and the TACACS+ database is checked for matching attribute-value pairs.
• radius— The NAS contacts a RADIUS server, and the RADIUS database is checked to ascertain whether the user has the appropriate permissions.
• if-authenticated— This allows users to be authorized as long as they have been authenticated.
• local— The NAS consults the local database. Only very limited functions are supported.
So, to apply authorization against TACACS+ for all commands at exec level 4, the command is:
NAS(config)#aaa authorization commands 4 default tacacs+
The command to apply authorization to network connections if already authenticated is:
NAS(config)#aaa authorization network default if-authenticated
To add to this command, you could specify that all authenticated users should be authorized, and if they are not, they would be checked against RADIUS. This would be achieved by the following command:
NAS(config)#aaa authorization network default if-authenticated radius
By adding radius to the end of this command, you are telling the NAS to see if the user is authenticated and, if not, to contact the RADIUS server. More examples for authorization will be given at the end of this chapter. Also, there are numerous prebuilt configurations for AAA available at CCO.
Accounting Configuration
Accounting is the third AAA service. Accounting is configured in a similar way to both authentication and authorization. Method lists are created for accounting as they are for authentication and authorization. However, the method list for accounting takes on a different form than for authentication and authorization. The syntax for specifying an accounting method list on the access server is:
aaa accounting event-type {default | list-name} {start-stop | wait-start | stop-only | none} method1 [method2]
Method 2 is optional and is just used to select another accounting method.
NOTE
There are only two method types supported by accounting. These are RADIUS and TACACS+. Therefore, only two methods can be specified.
For accounting, there are nine specified event types:
• commands— Applies accounting for all EXEC mode commands
• connection— Applies accounting to all outbound connections from the NAS
• exec— Applies accounting for EXEC shells
• nested— Applies accounting to PPP sessions started from the EXEC process
• network— Applies accounting to network-based services such as PPP, SLIP, and ARAP
• send— Sends records to the accounting server
• suppress— Allows you to suppress the sending of accounting information for specific usernames
• system— Applies accounting to system events
• update— Enables accounting for update records
After you have specified the event type, you have to tell the NAS when to send the accounting records to the accounting server. There are four options:
• start-stop— As soon as the session begins, an accounting start record is sent to the accounting server. The NAS does not wait until the acknowledgement is received from the accounting server that the session has started. When the session stops, the stop record is sent to the accounting server along with the session statistics.
• wait-start— The start accounting record is not sent until an acknowledgement is received from the server that the session has started. When the session ends, the stop record is sent along with the session statistics.
• stop-only— The NAS only sends the stop accounting record and the session statistics. No start record is sent.
• none— All accounting activities are stopped. This is usually applied to an interface.
The only two methods available are radius and tacacs+. As an example, if you wanted to enable accounting for all network connections, including the start and stop records, accounted to the TACACS+ server, the command would be:
aaa accounting network default start-stop tacacs+
This sets up the default method list for network accounting to the TACACS+ server. Now that you have reviewed the three AAA services, the next section covers some sample configurations that can be used in your place of work. Also, there are numerous prebuilt configurations for AAA available at CCO.
Configuration Example
This section looks at some sample configurations of the NAS (client) and the ACS (server). Included are examples of authentication, authorization, and accounting—all three of the AAA services. These examples are based on a simple case study.
Scenario
You are the security administrator responsible for ensuring that the corporate security policy is enforced throughout the company. You recently installed two new services, a direct Internet connection and remote dial-in access for senior management so that they can dial into the office at night and on weekends. You are concerned about the threats these new connections pose to the security of the internal network. No other third-party links have ever existed, so this is the first external penetration of the network.
Technical Aspects
The network diagram is shown in Figure 9-19.
Figure 9-19. Example Network Diagram
You can see in Figure 9-19 that the network simply consists of a switched LAN, an internal router, and an Internet-connected router all located at one office. The internal router has eight asynchronous serial ports that provide remote access to the remote users over modems and PPP. An RFC 1918-compliant private address is used internally with NAT providing the public address over the leased-line 128-kbps Internet connection. Windows NT is currently used on the network as the network operating system (NOS).
Potential Risks
As the security administrator, your concerns are with the authentication of the remote access users and also with the authentication of administrators to the Cisco internetworking devices for command-line editing and monitoring.
Configuration
The first service to implement is authentication. For any of this to work, there must be an authentication server located on the network. You decide to install the Cisco Secure ACS on your network as shown in Figure 9-20. You give the ACS server an IP address of 192.168.0.10/24. You give the NAS an IP address of 192.168.0.9/24.
Figure 9-20. Example Network Diagram with the AAA server
All users currently have a Windows NT user account, so you decide to use the Windows NT domain database instead of the built-in Cisco Secure ACS database. You also decide not to use any group mappings, but to allow and disallow remote access by the Grant Dial-In Permission, which is already available within the Windows NT user profile from the User Manager for Domains application.
ACS Server Configuration
Before you can configure anything on the network access server, you must configure the ACS server to communicate with the NAS and to authenticate against the Windows NT domain database. This is explained in the following steps:
Step 1. You have to configure the ACS server to accept AAA requests from the NAS. To do this, you have to go to the Network Configuration screen and click Add Entry for the network access servers. Figure 9-21 shows you the resulting screen.
Figure 9-21. Network Configuration Screen
You can see in Figure 9-21 that the IP address, name, and key have been entered. The key entered is "secureconfig." This also has to be entered on the NAS. TACACS+ has been selected as the method of authentication. You should now click the Submit + Restart button to submit the addition and restart the AAA services on the Windows NT server.
Step 2. The next step is to enable authentication against the Windows NT domain database. This is a two-step process. The first step is to tell the ACS server to use NT. The second step is to set the unknown user policy to use the NT server for authentication. Both of these are done from within the External User Databases configuration screen. Click the External User Databases configuration icon, then click the Database Configuration link. Select Windows NT and check the box to allow access by the Grant Dial-in Permission. This is shown in Figure 9-22.
Figure 9-22. External User Databases
Return to the External User Databases configuration screen and select the Unknown User Policy link. You will now be presented with the screen shown in Figure 9-23.
Figure 9-23. Unknown User Policy
You can see in Figure 9-23 that you should select the second option button, which says not to fail the authentication attempt but to authenticate against the Windows NT data source. This is all that is required to perform simple AAA services.
NAS Configuration
As with the ACS server, certain configuration tasks have to be carried out on the NAS just to initiate communication with the ACS server. You are using TACACS+ for this example. The following commands have to be entered on the NAS:
NAS1(config)#aaa new-model
NAS1(config)#tacacs-server host 192.168.0.10
NAS1(config)#tacacs-server key secureconfig
These commands enable the new model for AAA on the NAS. The TACACS+ server is identified as IP address 192.168.0.10, and the shared key is set as "secureconfig." This matches the value entered into the ACS server and enables all traffic between the NAS and the ACS to be encrypted. The NAS is now configured to allow further AAA configuration.
Authentication Configuration
You are going to start the AAA services by configuring authentication on the NAS. You require authentication for both EXEC logins and PPP network connections. The easy way to achieve this is to create a method list named "default" for both login and PPP access. This is then applied to all lines and interfaces on the NAS. The following commands enable authentication:
NAS1(config)#aaa authentication login default tacacs+ local
NAS1(config)#aaa authentication ppp default tacacs+ local
These two commands enable authentication for login and PPP access to the NAS. Notice that two methods are defined, TACACS+ and local. Authentication uses TACACS+ first, but if no response is received, it then uses the local user information on the NAS. It is useful always to include both in case the ACS server is ever unavailable. This is more for administrative access to the CLI than for PPP access. Create some administrative users on the NAS that can be used in an emergency to gain access to the CLI. These two commands enable authentication for the NAS.
Authorization Configuration
With authentication configured, you now want to configure authorization to deny users access to the dial-in system between the hours of 22:00 and 06:00, and to ensure that each user can only have one active session at any one time. These two functions improve the security of the system and are both configurable as authorization commands.
This process involves creating the changes on the Cisco Secure ACS server and a simple one-line configuration on the NAS. On the ACS server, click the Group Setup configuration link. By default, all users are made members of the Default Users group. You want to apply these changes to every user, so choose to edit the settings for the default group. The first change is the time-of-day access for the users. Click the Set As Default Access Times check box and deny the times between 22:00 and 06:00. Figure 9-24 shows this completed task.
Figure 9-24. Time of Day Settings
You can see in Figure 9-24 that during the times between 22:00 and 06:00, access is denied. You then need to scroll down this page to the Max Sessions section. Here you have two options. You can apply a max session figure to the entire group or to users of this group. You need to apply this to the users of this group and select the default, one connection. Figure 9-25 shows this configuration.
Figure 9-25. Max User Connections
Now that you have configured the ACS server, you have to configure the NAS. To configure the NAS, enter this command:
NAS(config)#aaa authorization network default tacacs+
This command applies this method list to all lines and interfaces on the router. The network service type specifies that all network-based services such as PPP, SLIP, and ARAP will use the TACACS+ server for authorization.
Accounting Configuration
You wish to keep a record of all CLI access to the NAS to track administrator access and what commands are issued at EXEC level 15. No further configuration is required on the ACS server, and only one configuration line is required on the NAS to start this process:
NAS1(config)#aaa accounting commands 15 default start-stop tacacs+
The preceding command sets up accounting for level 15 commands. The default method list is used, so it is applied to all lines and interfaces. Only one method is configured. TACACS+ and RADIUS are supported, but RADIUS is not configured on the ACS server, so it makes sense to use just TACACS+ for accounting. This completes the simple case study configuration example. In it, you implemented authentication, authorization, and accounting both on the ACS server and the NAS.
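A configuration such as the one built up in this case study is easy to drift away from later, so it is worth being able to check a saved NAS configuration against the AAA settings you expect: AAA enabled, a TACACS+ server and key present, a login method list that uses the ACS with a local fallback (and a local user to fall back to), and accounting for privilege-15 commands. The following Python script is an added example and is not part of the book, IOS or ACS. The configuration text is constructed from the case-study commands plus a placeholder local user, and the list of checks is the example's own.

```python
"""Added example (not from the book): an offline check of an IOS
configuration for the AAA settings the case study expects. The sample
configuration and the check list are this example's own."""
from typing import Dict, List

# Constructed from the case-study commands; the username line is a
# placeholder standing in for the emergency local account the text asks for.
CASE_STUDY_CONFIG = """\
hostname NAS1
aaa new-model
aaa authentication login default tacacs+ local
aaa authentication ppp default tacacs+ local
aaa authorization network default tacacs+
aaa accounting commands 15 default start-stop tacacs+
username admin privilege 15 secret PLACEHOLDER-PASSWORD
tacacs-server host 192.168.0.10
tacacs-server key secureconfig
"""

RECORD_TYPES = ("start-stop", "wait-start", "stop-only", "none")


def parse_aaa_lines(config: str) -> List[Dict]:
    """Break every 'aaa authentication|authorization|accounting' line into
    its kind, service, optional privilege level, list name, optional
    accounting record type and method list."""
    found = []
    for line in config.splitlines():
        tokens = line.split()
        if (len(tokens) < 4 or tokens[0] != "aaa"
                or tokens[1] not in ("authentication", "authorization", "accounting")):
            continue
        kind, service, rest = tokens[1], tokens[2], tokens[3:]
        level = None
        if service == "commands" and rest and rest[0].isdigit():
            level = int(rest.pop(0))
        list_name = rest.pop(0)
        record = None
        if kind == "accounting" and rest and rest[0] in RECORD_TYPES:
            record = rest.pop(0)
        found.append({"kind": kind, "service": service, "level": level,
                      "list": list_name, "record": record, "methods": rest})
    return found


def audit(config: str = CASE_STUDY_CONFIG) -> List[str]:
    """Return the findings for a configuration; an empty list means it
    matches what the case study expects."""
    findings = []
    lines = {l.strip() for l in config.splitlines()}
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: TACACS+/RADIUS method lists cannot be used")
    if not any(l.startswith("tacacs-server host ") for l in lines):
        findings.append("no tacacs-server host configured")
    if not any(l.startswith("tacacs-server key ") for l in lines):
        findings.append("no tacacs-server key configured")

    entries = parse_aaa_lines(config)
    login_lists = [e for e in entries
                   if e["kind"] == "authentication" and e["service"] == "login"]
    if not login_lists:
        findings.append("no login authentication method list")
    for e in login_lists:
        if not {"tacacs+", "radius"} & set(e["methods"]):
            findings.append(f"login list {e['list']} does not use an AAA server")
        if "local" not in e["methods"]:
            findings.append(f"login list {e['list']} has no local fallback for an ACS outage")
        if "none" in e["methods"]:
            findings.append(f"login list {e['list']} includes 'none'")
    if (any("local" in e["methods"] for e in login_lists)
            and not any(l.startswith("username ") for l in lines)):
        findings.append("local fallback configured but no local username exists")
    if not any(e["kind"] == "accounting" and e["service"] == "commands"
               and e["level"] == 15 for e in entries):
        findings.append("no accounting for privilege-15 commands")
    return findings


if __name__ == "__main__":
    print(audit() or "configuration matches the case study")
```

The parser is deliberately token-based rather than a regular expression so that it reads the same way as the syntax lines given earlier in the chapter (service, optional level, list name, optional record type, then methods); a real deployment would run audit() over the output of show running-config.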
Summary
This chapter provided an overview of the Cisco Secure ACS. You looked at the ACS server components and configuration requirements, in addition to the commands that are supported by Cisco IOS and are required to be configured on the NAS for the AAA process to work. The services provided by AAA, especially authentication, are vital for the network security of your corporate network. It is important to plan the design of these services into your network. The late introduction of AAA services will be a lot harder to implement once the design and configuration for your network is complete.
Frequently Asked Questions
Question:
I am using multivendor network access servers for dial-up connectivity. Which authentication protocol is best?
Answer:
RADIUS is based on an open standard and is described in RFC 2058 and 2059. TACACS+ is a Cisco proprietary protocol that is not supported on all manufacturers' devices. If the devices support TACACS+, then use it. If not, use RADIUS.
Question:
What are the main differences between RADIUS and TACACS+?
Answer:
There are numerous differences between RADIUS and TACACS+. One main difference is that RADIUS is open source and TACACS+ is Cisco proprietary. TACACS+ generally has more features and is considered more secure.
Glossary
AAA (authentication, authorization, accounting)— Often pronounced "triple a."
ACS (Access Control Server)— The Cisco Secure ACS is an integrated RADIUS and TACACS+ server for authentication, authorization, and accounting.
CCO (Cisco Connection Online)— The Cisco Systems home page on the Internet. Located at www.cisco.com.
CLI (command-line interface)— The UNIX-style command interface that is used to configure Cisco internetworking devices.
NAS (network access server)— The connection point to the network for remote services such as dial-in users over PPP.
NOS (network operating system)— The operating system of the network. This provides users with services such as file and print sharing. Common NOSs include Microsoft Windows NT and Novell NetWare.
RADIUS (Remote Access Dial-In User Service)— A protocol used to authenticate users on a network.
TACACS+ (Terminal Access Controller Access Control System Plus)— A protocol used to authenticate users on a network. Also provides authorization and accounting facilities.
Bibliography
Designing Network Security by Merike Kaeo, Cisco Press 1999 (ISBN 1-57870-043-4)
URLs
Cisco Connection Online
www.cisco.com
Cisco Secure home page
www.cisco.com/warp/public/44/jump/secure.shtml
Security products and technologies
www.cisco.com/warp/public/cc/cisco/mkt/security/
Cisco Secure ACS
www.cisco.com/warp/public/cc/cisco/mkt/access/secure/
Sample Cisco Secure ACS and NAS configurations
www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt23/csnt23ug/ch2.htm
Part III: Internet Security Situations
Chapter 10 Securing the Corporate Network
Chapter 11 Providing Secure Access to Internet Services
Chapter 10. Securing the Corporate Network

This chapter contains the following sections:

• Dial-In Security
• Dial-In User Authentication, Authorization, and Accounting (AAA)
• AAA Authentication Setup with TACACS+ and RADIUS
• AAA Authorization Setup
• AAA Accounting Setup
• Using All AAA Services Simultaneously
• Virtual Private Networks (VPNs)
• Summary
Sometimes security has more to do with politics and human resources issues than with networking. The security administrator is constantly pulled between needing to maintain a reasonable level of security and allowing users the flexibility to get their work done. The administrator is faced with balancing these two often-opposing needs. How can a balance be achieved? Security policies should be looked at in the same manner as clothing. Clothing should not be so tight that it restricts movement, but it still needs to cover that which should not be revealed to the public. A suit that is too restrictive will soon be left in the closet, along with a suit that is too big in the shoulders. Like a suit, the art of building a security system must balance between being too loose and too tight. When thinking about securing the corporate network, keep in mind the three main ways someone can try to gain access to the corporate network:

• Through the Internet
• Through dial-in access
• Through Virtual Private Networks (VPNs)

Chapter 2, "Basic Cisco Router Security," and Chapter 5, "Cisco IOS Firewall," discussed methods of protecting your network from the Internet. Not covered in those chapters was how to protect your network from dial-in access and VPNs coming in through the Internet. The security needs of each of these access methods are discussed in this chapter.
Dial-In Security

The need to support dial-in users might prove to be the security administrator's largest challenge. This is especially true if users are allowed to dial in directly to their workstations or servers, bypassing all other security methods. Dial-in access can be through either the plain old telephone service (POTS) or through an ISDN connection. Because ISDN connections are expensive, there are generally fewer individuals who have an ISDN connection at their desk. However, the price of telephone connections is so low that it is reasonable for individuals to have dedicated connections at their desktop. The remainder of this section deals with connections using the POTS.

Within some organizations, there are groups and individuals that insist that the normal security precautions need to be bypassed because of special circumstances. Sometimes those insisting on bypassing the security precautions are developers, sometimes they are managers, and sometimes they are network engineers. In most cases, the arguments as to why the security must be bypassed seem logical on the surface. For example, the argument can be made that direct access of the hardware is required for debugging purposes. Another common argument is that a connection must be made for testing purposes without interference or delays imposed by security methods. This scenario can be differentiated from one where there is a central device on the network for dial-in access (such as a Cisco access server or a single Windows NT RAS server) by the fact that there are multiple entries into the network. A company with multiple dial-in connections is shown in Figure 10-1.

Figure 10-1. Multiple Dial-In Entry Point
Once the network starts to become open to remote access without proper authorization, it can be very difficult for the administrator to regain control. Although it is much easier to maintain control than to regain control, it is still possible to move from an unsecured dial-in network to a fully secured dial-in network. Assume for a moment that you are the newly hired administrator for a 600-host Windows NT network. You discover that there are approximately 50 users who connect a modem to their desktop PC and routinely call into the network through this connection for access to e-mail, network programs, and shared files. What, exactly, is the problem with this scenario? Several things can be improved in this scenario:

• If the phone lines can be eliminated through consolidation, recurring expenses in the form of unnecessary phone lines can be eliminated. Some phone systems require that modems use a dedicated line. In this case, a separate line must be purchased for use on each modem. Because all lines are not in use at exactly the same time, the company needs to purchase more lines than are ever used at one time. Building a modem pool allows the administrator to eliminate some of these lines. The authors of this book were faced with exactly this scenario and were able to remove a total of 24 dedicated lines by building a modem pool, saving the company a good deal of money over the first year.

• Allowing users to access their computers directly through an uncontrolled dial-up connection decentralizes security. It can become a nearly impossible task to ensure any semblance of security when individual users are setting up their own connections into the network. The user might set up the connection not to require a password or might make the password so obvious that it is useless. A single administrator would have an extremely difficult task of checking every single connection on a regular basis for configuration issues such as encryption and dial-back services.

• In this example, the company relies solely on the built-in security methods within the operating system of the desktop. Many operating systems were not built with security as a primary concern. Even those operating systems that claim to have strong security policies might be vulnerable, simply because they are well known. There are also usually no built-in methods within the operating system that allow the administrator to be notified if repeated attempts to break into the network occur.

• Unless the administrator has control over dial-in connections, the administrator is unable to limit the areas of the network that a dial-in user can access. Some companies might wish, for example, not to allow any confidential information to be accessed through a dial-in connection. With a large number of operating systems, a user dialing into a workstation has the same rights as that workstation. There might not be provisions made to differentiate the authority levels between a dial-in account and a local user. This means that there is no way to enforce the company's wish that sensitive information be available only through the local network.

For these reasons, the administrator is strongly urged to move toward a centralized dial-in point where appropriate controls can be used. The fact that all users enter at a single point simplifies all administrative efforts, including security. A diagram of a network using a single point of access through an access server and modem bank is shown in Figure 10-2.

Figure 10-2. Single Dial-In Entry Point
Dial-In User Authentication, Authorization, and Accounting (AAA)

This section deals with the authentication of users accessing dial-in services. Authentication can occur at either the user or the device level. The most commonly used protocols for a dial-in connection are the Point-to-Point Protocol (PPP) and the Serial Line Internet Protocol (SLIP). Both of these protocols require a minimum of a 1200 baud connection. Although using Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) for authentication is a viable option in smaller environments, the administrative overhead involved might become unmanageable in a larger environment. This is because each user should have a separate entry. A single entry can be made for multiple users, but this practice violates a basic rule that passwords should not be shared. Imagine the overhead involved in setting up and maintaining 100 users, especially if you are trying to enforce a policy that requires changing of passwords every 60 days. In addition to PAP and CHAP password authentication, TACACS+ or RADIUS authentication can also be used to perform AAA functions. Both of these build a database of users and passwords. Terminal Access Controller Access Control System Plus (TACACS+) and Remote Access Dial-In User Service (RADIUS) also have the added benefit of including authorization and accounting services.

NOTE

Some confusion within the industry surrounds the distinctions between the three areas of AAA: authentication, authorization, and accounting. This note is provided to clear up any residual uncertainty.

Authentication refers to the process of ensuring that the claimed identity of a device or end user is valid. An example is user Terry being authenticated through the use of a password.

Authorization refers to the act of allowing or disallowing access to certain areas of the network (programs, data, and so on) based on the user, system, or program. An example is user Terry being allowed to access payroll data as a member of the payroll department.

Accounting refers to tracking (and by implication, logging) the resources that are used by a given user or system. This allows a company to charge for the specific services used. An example is logging the time user Terry spends logged in through a dialed connection.

As an example, when Terry starts up the computer, there is a password prompt. If the password is the correct one, Terry is authenticated and can now use the computer.

Terry starts to open the payroll program, which resides on a network server. Before the program is opened, the authorization process occurs to ensure that Terry should have access to the program. If Terry is authorized to use the program, the process continues.

If Terry dials into the network, the accounting process would start recording facts about this access, such as the user and the date and time.
Now take a few minutes and explore a simple example configuration. In this example, AAA is enabled using the local security database, instead of either a TACACS+ or RADIUS server. This example will serve as a primer to the AAA methodology. The local database is stored within the router and does not require any outside entity to work properly. Look through this configuration and read the embedded comment lines, which are preceded by a (!). The commands shown here will be more fully explained throughout the chapter.

aaa new-model
!Get ready to use AAA security
aaa authentication login default local
!By default, use the local database for authentication of logins
aaa authentication arap default local
!By default, use the local database for authentication of ARAP
aaa authentication ppp default local
!By default, use the local database for authentication on PPP
aaa authorization exec default local
!Use the local database for authorization of EXEC commands
aaa authorization network default local
!Use the local database for authorization of network services
!The aaa authorization command is fully explained later in this
!chapter in the section, "AAA Authorization Setup."
!For the moment, it is sufficient to know that this command
!authorizes the user to run certain commands and certain programs.
!Using the username command is what actually builds the local security database.
!In this example, three users are being added
!to the local database: amason, mnewcomb, and jkane.
username amason privilege 7 password 7 Aeb98768
!Set Andrew Mason's EXEC privilege level to 7 and set Andrew Mason's password
username mnewcomb privilege 6 password 7 010102238746
!Set Mark Newcomb's EXEC privilege level to 6 and set Mark Newcomb's password
username jkane privilege 8 password 7 095E4F10140A1916
!Set John Kane's EXEC privilege level to 8 and set John Kane's password
privilege exec level 6 slip
privilege exec level 7 ppp
privilege exec level 8 arap
!This associates the execution of SLIP, PPP, and ARAP with privilege levels.
!Because John Kane has a privilege level of 8, he can use ARAP, PPP, or SLIP.
!Andrew can use both PPP and SLIP because he has a privilege level of 7.
!Mark can only use SLIP because he has a privilege level of 6.
!The higher the privilege level, from 0-15, the more rights a user has.
interface Group-Async1
ppp authentication chap default
!Use PPP authentication on this interface
group-range 1 16
!
line console 0
login authentication default
!Previously the default authentication method for
!logins was set to use the local database
line 1 16
arap authentication default
!Previously the default authentication method for
!ARAP was set to use the local database

This configuration relies solely on the local security database to authenticate and authorize users. This is one of the simplest configurations available, but it should suffice to give you some exposure to the AAA model. The AAA model will continue to be explored throughout this chapter. The next section will deal with authentication using TACACS+ and RADIUS servers.
AAA Authentication Setup with TACACS+ and RADIUS

To authenticate large numbers of users, you need to have a database that stores the usernames and passwords. This is where either TACACS+ or RADIUS servers come into play. On the router configuration, TACACS+ and RADIUS are not difficult to configure. They also allow for multiple forms of authentication, including:

• Digital certificates
• One-time passwords
• Changeable passwords
• Static passwords
• UNIX authentication using the /etc/password file
• NT database authentication

Three steps are required to make a router use AAA:

Step 1. Initial configuration
Step 2. Building a method list
Step 3. Linking the list to interfaces

Each of these will be discussed in turn.
Initial Configuration

You need to know a few new commands before using TACACS+ or RADIUS. These commands are used in global configuration mode. For TACACS+, the commands are as follows:

aaa new-model
tacacs-server host host-ip-address
tacacs-server key serverkey

The first command, aaa new-model, tells the router that you are using either TACACS+ or RADIUS for authentication. The next line tells the router the IP address of the TACACS+ server, where host-ip-address is the IP address of that server. The third line tells the router what password key is shared between the router and the server. Unlike passwords, which can be made to appear encrypted within configuration files, this password key always appears in plain text. It is important that the key is used on both the router and within the configuration file on the server. This ensures that the key is encrypted before being sent to the server. Unless both the TACACS+ server and one of the Ethernet ports on the router are located on an extremely secure network, it is possible for someone to gather keys through the use of a packet analyzer. Therefore, the authors recommend that the key is always entered in both places. There is little sense in not encrypting the key after going through the effort of configuring TACACS+ or RADIUS authentication.

RADIUS authentication also relies on three initial commands. The first command, aaa new-model, is the same as on a TACACS+ system. The next two commands differ only in the replacement of radius for tacacs:

aaa new-model
radius-server host host-ip-address
radius-server key serverkey

Building a Method List

Now that the initial configuration of authentication is completed, you need to determine in what order the authentication methods will be accomplished. You have some flexibility in the order chosen. For example, you can make the router check the TACACS+ server first and then the local entry on the router, or check the local first and then the TACACS+ server. A number of different authentication services also can be used.
Table 10-1 contains a list of the available services and a description of each.

Table 10-1. AAA Authentication Service Types

Service   Description
arap      Uses AppleTalk Remote Access Protocol
enable    Uses the enable mode list
login     Used for character mode connections
nasi      Uses NetWare Asynchronous Services Interface
ppp       Uses Point-to-Point Protocol

In addition to the service used, the order in which authentication is checked is also chosen. Up to four different authentication methods can be chosen. Multiple authentication methods are usually employed in case the authentication server is unreachable, but it can also be used to allow some individuals, such as the administrator, to completely bypass the server authentication process. Table 10-2 contains a list of valid authentication methods.

Table 10-2. AAA Authentication Methods

Method        Description
auth-guest    Allows a guest logon only if the user has already logged into the EXEC mode.
enable        Uses the enable password for authentication.
guest         Allows a guest logon.
if-needed     Authenticates only if the user has not already been authenticated.
krb5          Uses Kerberos 5 for authentication.
krb5-telnet   Uses Kerberos 5 for authentication on Telnet sessions. Note: This must be the first in the list.
line          Uses the line password for authentication.
local         Uses the local database for authentication.
none          No authentication is used.
radius        Uses RADIUS for authentication.
tacacs+       Uses TACACS+ for authentication.

Not all of the services can use all of the methods listed in Table 10-2. For example, the local method cannot use the enable service, and RADIUS cannot be used with NASI. A complete list of compatibilities can be found in Table 10-3.

Table 10-3. Authentication Services and Methods Compatibility

Method        arap   enable   login   nasi   ppp
auth-guest    Yes    No       No      No     No
enable        No     Yes      Yes     Yes    No
guest         Yes    No       No      No     No
if-needed     No     No       No      No     Yes
krb5          No     No       Yes     No     No
krb5-telnet   No     No       Yes     No     No
line          Yes    Yes      Yes     Yes    No
local         Yes    No       Yes     Yes    Yes
none          No     Yes      Yes     Yes    Yes
radius        Yes    Yes      Yes     No     Yes
tacacs+       Yes    Yes      Yes     Yes    Yes

The aaa authentication command is used to start authentication on the router. The general syntax of this command is
aaa authentication service-type {default | list-name} method1 [method2] [method3] [method4]

With this command, service-type is one of the services previously listed in Table 10-1, such as arap, login, ppp, and so on. The next parameter is either the keyword default or a list name. The list name can be virtually any word except the word default, and it is used to name the following list of authentication methods. The parameters method1, method2, method3, and method4 are used to specify the order in which authentication takes place. Use any of the methods listed in Table 10-2. At least one method must be used, with a maximum total of four methods specified. There are three exceptions to the syntax described above. These exceptions are:

aaa authentication local-override
aaa authentication password-prompt text-string
aaa authentication username-prompt text-string

The aaa authentication local-override command is used on an individual interface to force the IOS to check the local database before attempting any other form of authentication. The aaa authentication password-prompt text-string command is used to change the text that is displayed when a user is prompted for a password. The parameter text-string is the text that is displayed. The aaa authentication username-prompt text-string command changes the text that is displayed when a user is prompted for a username.

Now look at how these commands work. Assume that you want to make TACACS+ the default authentication method for PPP access. You would use the following command:

aaa authentication ppp default tacacs+

If you want to use TACACS+ as the default and also allow the local database to be used if the TACACS+ server does not respond, you would use the following command:

aaa authentication ppp branch-office-users tacacs+ local

Notice in this scenario that you have dropped the use of the word default and are now using branch-office-users instead. The parameter branch-office-users is an arbitrary name made up for this list. It is critical that the administrator understands that the local database is not used if any response is received from the TACACS+ server. In other words, the local database is only used if the TACACS+ server is not available. The local database is not consulted if the TACACS+ server rejects the request to log in.

To review, the following shows the new commands used in this configuration. For this example you will use TACACS+ to authenticate users logging into the router. If the TACACS+ server is not available, you will use the local database to authenticate. The set of global commands required follows:

aaa new-model
!Get ready to use AAA
tacacs-server host 172.30.1.50
!Set the server to look for the TACACS+ server at the IP address of 172.30.1.50
tacacs-server key mysecretkey
!Using the server key "mysecretkey" on both the router and
!within the configuration of the TACACS+ server forces
!encryption when the key is sent to the server
aaa authentication ppp branch-office-users tacacs+ local
!Set authentication for PPP to first use the TACACS+ server and
!then use the local database.
!The name of this list is "branch-office-users."

Now that the method list is built, you still need to link the list to an interface before authentication can take place.
Linking the List to Interfaces

Because the initial and method list configurations are done, you merely need to add the proper commands to the individual interfaces. In this example, you are going to use AAA authentication on S2, which is connected to the branch office.

interface serial 2
!This interface is connected via ISDN to the branch office
ppp authentication chap
!You have set the PPP authentication to use CHAP

Although this configuration works to authenticate the users with CHAP, it might not be the best configuration for your purposes. Instead, you could use the TACACS+ server for the initial authentication. You would then use CHAP if the user is not already authenticated. To do this, you change the last interface configuration line to read:

ppp authentication chap if-needed branch-office-users
!You have set the PPP authentication to use CHAP if the user has
!not already been authenticated by the TACACS+ server.

This gives a little more protection. To refine this a little more, in the following configuration the router first expects a CHAP password. If the received password fails, the router then accepts another password attempt, this time expecting a PAP password. Because PAP sends the password itself in clear text, the administrator should ensure that the chap keyword is used before the pap keyword. This causes the first connection attempt password hash to be encrypted, with a clear-text password being sent only if the CHAP connection attempt fails. Using the pap keyword first would cause the first attempt to be accomplished with a clear-text password, which is a less secure method.

ppp authentication chap pap if-needed branch-office-users
!You have set the PPP authentication to use CHAP if the user has
!not already been authenticated by the TACACS+ server.
!If CHAP is not available, you use PAP.

Finally, because you only need to verify users from the remote office coming into the main branch, you can specify that only those calling in are authenticated. As the router is now configured, both incoming and outgoing users are authenticated. Adding the keyword callin to the previous command authenticates only incoming calls:

ppp authentication chap pap if-needed branch-office-users callin
!You have set the PPP authentication to use CHAP if the user has
!not already been authenticated by the TACACS+ server.
!If CHAP is not available, you use PAP.
!This only applies to connections initiated from the outside of this interface.

The final configuration looks like this:

aaa new-model
tacacs-server host 172.30.1.50
tacacs-server key mysecretkey
aaa authentication ppp branch-office-users tacacs+ local
interface serial 2
ppp authentication chap pap if-needed branch-office-users callin

Fine-Tuning the Configuration

You now have a configuration where the remote PPP user authenticates through the TACACS+ server. However, there is a configuration issue here that is sure to become a problem sometime in the future. You have not really secured how you log into the router for administrative purposes. You need to be extremely careful when authenticating users to the console. If you rely solely on a TACACS+ or RADIUS server, you will be unable to log onto the router if there are problems in communication between the two. Therefore, you need to enable another method of accessing the console. This is very simple to do, but very important for troubleshooting purposes. First, set the default authentication for the login through the console and TTY to use TACACS+ or RADIUS. Then create a list that requires no authentication. Finally, associate this list with an interface. An example follows:

aaa authentication login default tacacs+
aaa authentication login administrative none
line con 0
login authentication administrative

The only security issue related to this configuration is that anyone who has physical access to the router can plug into the console and log in, bypassing the TACACS+ authentication. However, anyone with physical access to the router also has the ability to reset the router and bypass the current configuration anyway. As always, physical security is necessary on all equipment critical to your network.
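The rule that matters most in the method lists above is easy to get backwards: the router moves on to the next method only when the current one gives no answer, never when it rejects the user. The following added example (not from the book) models that walk in Python; the Router class, its two user databases and the TACACS+ reachability flag are constructed for the illustration, and "if-needed" is modelled as simply deferring to the next method for a user who has not yet authenticated.

```python
"""Walk a Cisco IOS AAA authentication method list the way the chapter
describes: the next method is consulted only when the current one gives no
answer (server unreachable), never when it rejects the credentials.

Added example, not from the book. The Router class, its user databases and
the TACACS+ reachability flag are all constructed for this illustration.
"""
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"   # ERROR = no answer, try next


@dataclass
class Router:
    local_users: dict                       # username -> password (local db)
    tacacs_users: dict                      # accounts held by the TACACS+ server
    tacacs_reachable: bool = True
    line_password: str = "linepass"
    method_lists: dict = field(default_factory=dict)   # (service, name) -> methods
    authenticated: set = field(default_factory=set)    # users who already passed

    def aaa_authentication(self, service, name, *methods):
        """Mirror of 'aaa authentication <service> {default | name} m1 [m2 m3 m4]'."""
        if not 1 <= len(methods) <= 4:
            raise ValueError("between one and four methods must be given")
        self.method_lists[(service, name)] = list(methods)

    def _try(self, method, user, password):
        """Outcome of a single method: PASS, FAIL, or ERROR (no decision)."""
        if method == "none":
            return PASS
        if method == "line":
            return PASS if password == self.line_password else FAIL
        if method == "local":
            return PASS if self.local_users.get(user) == password else FAIL
        if method == "tacacs+":
            if not self.tacacs_reachable:
                return ERROR          # silence from the server: fall through
            if self.tacacs_users.get(user) == password:
                return PASS
            return FAIL               # an explicit reject ends the walk
        if method == "if-needed":
            # Satisfied only for a user who already authenticated; otherwise
            # it expresses no opinion and the next method is consulted.
            return PASS if user in self.authenticated else ERROR
        raise ValueError(f"unsupported method {method!r}")

    def login(self, service, list_name, user, password):
        """Return (outcome, deciding method); unknown list names use default."""
        methods = self.method_lists.get((service, list_name))
        if methods is None:
            methods = self.method_lists.get((service, "default"))
        if methods is None:
            return FAIL, None
        for method in methods:
            outcome = self._try(method, user, password)
            if outcome == ERROR:
                continue              # only here does the next method matter
            if outcome == PASS:
                self.authenticated.add(user)
            return outcome, method
        return FAIL, None             # every method was unreachable


def branch_office_router():
    """Router set up like the chapter's example: tacacs+ then local for PPP,
    tacacs+ only for the default login list, and a 'none' list for the console."""
    r = Router(local_users={"admin": "adminpw"},
               tacacs_users={"remote1": "s3cret"})
    r.aaa_authentication("ppp", "branch-office-users", "tacacs+", "local")
    r.aaa_authentication("login", "default", "tacacs+")
    r.aaa_authentication("login", "administrative", "none")
    return r


if __name__ == "__main__":
    r = branch_office_router()
    print(r.login("ppp", "branch-office-users", "remote1", "s3cret"))
    print(r.login("ppp", "branch-office-users", "admin", "adminpw"))   # rejected, no fallback
    r.tacacs_reachable = False
    print(r.login("ppp", "branch-office-users", "admin", "adminpw"))   # now local is consulted
    print(r.login("login", "default", "admin", "adminpw"))              # locked out
    print(r.login("login", "administrative", "admin", "adminpw"))       # console still opens
```

With the server reachable the local account is refused even though its password is right; with the server down the same login succeeds through local, and the default login list (tacacs+ alone) fails outright, which is exactly why the console gets its own list.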
AAA Authorization Setup

Whereas authentication is concerned with ensuring that the device or end user is who it claims to be, authorization is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network. The command for enabling authorization follows:

aaa authorization service-type {default | list-name} method1 [method2] [method3] [method4]

With this command, service-type must be one of the service types listed in Table 10-4.

Table 10-4. AAA Authorization Service Types

Service Type       Description
commands {level}   Checks authorization for any EXEC command at the optionally specified level
exec               Checks authorization to run an EXEC shell
network            Checks authorization for network activities
reverse-access     Checks authorization for reverse Telnet

The next parameter is either the keyword default or a list name. The list name can be virtually any word except the word default, and it is used to name the following list of authorization methods. The parameters method1, method2, method3, and method4 are used to specify the order in which authorization takes place. At least one method must be used, with a maximum total of four methods specified. The possible values for the method are shown in Table 10-5.

Table 10-5. AAA Authorization Methods

Method              Description
if-authenticated    If the user is already authenticated, the user is allowed to access the service.
krb5-instance       This uses the instance defined with the kerberos instance map command.
local               The local database is consulted.
radius              The RADIUS server's database is consulted to see if the user has the appropriate rights.
tacacs+             The TACACS+ server's database is consulted to see if the user has the appropriate rights.

NOTE

When AAA authorization is not enabled, all users are allowed full access. Once authorization is started, the default changes to allow no access.

This means that the administrator must create a user with full access rights configured before authorization is enabled. Failure to do so will immediately lock the administrators out of their own system the moment the aaa authorization command is entered.

The only way to recover from this is to reboot the router. If this is a production router, rebooting might be unacceptable. Be sure that at least one user always has full rights.

Configuring AAA authorization is very similar to AAA authentication. Look at the following configuration. This configuration checks the authorization for users of the S2 interface when accessing network services such as PPP:

aaa new-model
!Set up for AAA
tacacs-server host 172.30.1.50
!The TACACS+ server is at 172.30.1.50
tacacs-server key mysecretkey
!Use the encrypted keys
aaa authorization network default tacacs+
!Start authorization for network services (aaa authorization is a global command)
interface serial 2
ppp authorization default
!Apply the default network authorization list to PPP on S2
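Several of the mistakes this chapter warns about (a method that Table 10-3 does not allow for the service, PAP tried before CHAP, a "none" list applied somewhere other than the console, and aaa authorization turned on before a full-rights user exists) are visible in the configuration text before it is ever loaded. The following added example (not from the book) audits an IOS configuration for them in Python; the sample configuration is constructed for the example and deliberately contains each problem, and "full rights" is taken to mean privilege 15.

```python
"""Static checks for the AAA pitfalls described in this chapter.

Added example, not from the book. It reads an IOS configuration as text and
reports (1) authentication methods not valid for a service (Table 10-3),
(2) 'ppp authentication' lists that try PAP before CHAP, (3) login lists
containing 'none' bound to a line other than the console, and (4) 'aaa
authorization' present with no local user holding full rights, which this
example takes to mean privilege 15. The sample configuration is constructed.
"""
import re

# Rows are methods, columns follow SERVICES (Table 10-3 of the chapter).
SERVICES = ["arap", "enable", "login", "nasi", "ppp"]
COMPAT = {
    "auth-guest":  "Y N N N N",
    "enable":      "N Y Y Y N",
    "guest":       "Y N N N N",
    "if-needed":   "N N N N Y",
    "krb5":        "N N Y N N",
    "krb5-telnet": "N N Y N N",
    "line":        "Y Y Y Y N",
    "local":       "Y N Y Y Y",
    "none":        "N Y Y Y Y",
    "radius":      "Y Y Y N Y",
    "tacacs+":     "Y Y Y Y Y",
}


def method_allowed(service, method):
    """True when Table 10-3 marks the (service, method) pair as 'Yes'."""
    row = COMPAT.get(method)
    if row is None or service not in SERVICES:
        return False
    return row.split()[SERVICES.index(service)] == "Y"


def audit(config_text, full_rights_level=15):
    """Return a list of (code, detail) findings for the configuration text."""
    findings = []
    lists = {}            # (service, list name) -> methods
    line_block = None     # the 'line ...' block currently being parsed
    line_bindings = []    # (line block, login list name)
    has_full_rights_user = False
    has_authorization = False

    for raw in config_text.splitlines():
        ln = raw.strip()
        if not ln or ln.startswith("!"):
            continue
        if ln.startswith("line "):
            line_block = ln[5:]
            continue
        if ln.startswith("interface "):
            line_block = None
            continue
        m = re.match(r"aaa authentication (\S+) (\S+) (.+)$", ln)
        if m:
            service, name, methods = m.group(1), m.group(2), m.group(3).split()
            lists[(service, name)] = methods
            for meth in methods:
                if not method_allowed(service, meth):
                    findings.append(("BAD_METHOD",
                                     f"'{meth}' is not valid for service '{service}' ({ln})"))
            continue
        m = re.match(r"ppp authentication (.+)$", ln)
        if m:
            words = m.group(1).split()
            if "pap" in words and "chap" in words and words.index("pap") < words.index("chap"):
                findings.append(("PAP_FIRST",
                                 f"PAP is tried before CHAP, so the first attempt is clear text ({ln})"))
            continue
        m = re.match(r"login authentication (\S+)$", ln)
        if m and line_block is not None:
            line_bindings.append((line_block, m.group(1)))
            continue
        m = re.match(r"username (\S+) privilege (\d+)", ln)
        if m and int(m.group(2)) >= full_rights_level:
            has_full_rights_user = True
            continue
        if ln.startswith("aaa authorization "):
            has_authorization = True

    for block, name in line_bindings:
        if "none" in lists.get(("login", name), []) and not block.startswith("con"):
            findings.append(("NONE_OFF_CONSOLE",
                             f"line {block} uses list '{name}', which contains 'none'"))
    if has_authorization and not has_full_rights_user:
        findings.append(("NO_FULL_RIGHTS_USER",
                         "aaa authorization is enabled but no local user has full rights"))
    return findings


# Constructed sample: each of the four problems appears exactly once.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 172.30.1.50
tacacs-server key mysecretkey
aaa authentication login default tacacs+
aaa authentication login administrative none
aaa authentication ppp branch-office-users tacacs+ login
aaa authorization network default tacacs+
username amason privilege 7 password 7 Aeb98768
line con 0
 login authentication administrative
line vty 0 4
 login authentication administrative
interface serial 2
 ppp authentication pap chap if-needed branch-office-users callin
"""

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```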
AAA Accounting Setup Som et im es a cor por at ion w ishes t o keep t r ack of w hich r esour ces individuals or gr oups use. Ex am ples of t his include w hen t he I S depar t m ent char ges ot her depar t m ent s for access, or one com pany provides int ernal support t o anot her com pany. For w hat ever reason you choose, AAA account ing giv es t he abilit y t o t r ack usage, such as dial-in access; t he abilit y t o log t he dat a gat her ed t o a dat abase; and t he abilit y t o pr oduce r e por t s on t he dat a gat her ed. Alt hough account ing is gener ally consider ed a net w or k m anagem ent or financial m anagem ent issue, it is look ed at br iefly her e because it is so closely link ed w it h secur it y . One secur it y issue t hat account ing can addr ess is cr eat ing a list of user s and t he t im e of day t hey choose t o dial int o t he sy st em . I f, for ex am ple, t he adm inist r at or k now s t hat a w or k er logs ont o t he syst em in t he m iddle of t he night , t his infor m at ion can be used t o fur t her invest igat e t he purpose of t he login . Anot her r eason t o im plem ent account ing is t o cr eat e a list of changes occur r ing on t he net w or k , w ho m ade t he changes, and t he ex act nat ur e of t he changes. Know ing t his infor m at ion helps in t he t r oubleshoot ing pr ocess if t he changes cause unexpect ed r esult s. AAA account ing is st ar t ed w it h t he a a a a ccou n t in g com m and. Not e t hat AAA account ing is cur r ent ly suppor t ed only on TACACS+ and RADI US ser v er s. The full sy nt ax of t he a a a a ccount ing com m and follow s:
aaa accounting event-type {default | list-name} {start-stop | wait-start | stop-only | none} method1 [method2]

event-type can be one of the event types shown in Table 10-6.
Table 10-6. AAA Accounting Event Types

Event Type      Description
commands level  Applies to all commands at the specified privilege level
connection      Applies to all outbound connections from the router, including Telnet, LAT, PAD, and so on
exec            Runs accounting for user EXEC (shell) sessions
network         Runs accounting for all network-related service requests, such as PPP and ARAP
system          Runs accounting for system-level events that are not associated with a user, for example a reload
As with AAA authentication, either the keyword default or a list name is used. Next, the trigger is entered. The trigger specifies when accounting records are sent to the server. The possible triggers and their meanings are shown in Table 10-7.
Table 10-7. AAA Accounting Triggers

Trigger      Description
start-stop   A start record is sent as soon as the session begins, without waiting for the server to acknowledge it, and a stop record (which includes the session statistics) is sent when the session ends.
wait-start   The start record is sent, and the session is allowed to begin, only after the accounting server acknowledges it. This is in contrast to start-stop. A stop record (which includes the session statistics) is sent when the session ends.
stop-only    A record is sent only when the session ends. This single record includes the session statistics.
none         Disables accounting for this list; no records are sent.

The parameters method1 and method2 have only two possible values: tacacs+ and radius. Using tacacs+ sends the records to a TACACS+ server, while radius sends them to a RADIUS server. If auditability matters more than availability, wait-start is the choice: with start-stop, a session can proceed even when the accounting server is unreachable, so the record of it may never exist. An example of using AAA accounting follows:
aaa new-model
!Enable AAA
tacacs-server host 172.30.1.50
!The TACACS+ server is at 172.30.1.50
tacacs-server key mysecretkey
!Shared secret that protects traffic between the router and the TACACS+ server
aaa accounting exec default start-stop tacacs+
!Send a start record when an EXEC (shell) session opens and a stop record,
!with the session statistics, when it ends
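The accounting records that this configuration produces are only useful if someone looks at them. The following Python script is an added example, not from the book: it parses a constructed, simplified EXEC accounting log (the field layout is assumed, since real TACACS+ server products write their own formats), flags start records that fall outside an assumed business-hours window, and pairs start and stop records by task_id to compute session durations. The last point shows why start-stop matters: with stop-only, a session that is still open leaves no record at all.

```python
"""Review TACACS+ EXEC accounting records for off-hours logins and session length.

Added example, not from the book. The log format below is a constructed,
simplified one; real TACACS+ server products write their own formats.
"""
from datetime import datetime

# Constructed sample log. Fields: date time nas-address user port event attributes...
SAMPLE_LOG = """\
2001-03-12 08:55:10 172.30.2.2 alice tty2 start task_id=101
2001-03-12 09:40:33 172.30.2.2 alice tty2 stop task_id=101 elapsed_time=2723
2001-03-12 02:13:47 172.30.2.2 bob tty3 start task_id=102
2001-03-12 02:15:01 172.30.2.2 bob tty3 stop task_id=102 elapsed_time=74
2001-03-12 17:02:00 172.30.2.2 carol tty4 start task_id=103
"""

BUSINESS_HOURS = (7, 19)  # logins between 07:00 and 18:59 are "normal" (assumption)


def parse_records(text):
    """Turn each log line into a dict; key=value attributes are kept as strings."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        rec = {
            "time": datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S"),
            "nas": fields[2],
            "user": fields[3],
            "port": fields[4],
            "event": fields[5],
        }
        for attr in fields[6:]:
            key, value = attr.split("=", 1)
            rec[key] = value
        records.append(rec)
    return records


def off_hours_logins(records, hours=BUSINESS_HOURS):
    """Start records whose hour of day falls outside the business-hours window."""
    first, last = hours
    return [r for r in records if r["event"] == "start" and not first <= r["time"].hour < last]


def session_durations(records):
    """Pair start and stop records by task_id.

    Returns (closed, still_open): closed maps task_id to user and duration in
    seconds; still_open holds sessions with a start but no stop yet. With
    stop-only accounting the open ones would not appear in the log at all.
    """
    pending = {}
    closed = {}
    for r in records:
        task = r["task_id"]
        if r["event"] == "start":
            pending[task] = r
        elif r["event"] == "stop" and task in pending:
            start = pending.pop(task)
            closed[task] = {
                "user": start["user"],
                "seconds": int((r["time"] - start["time"]).total_seconds()),
            }
    still_open = {task: {"user": r["user"], "since": r["time"]} for task, r in pending.items()}
    return closed, still_open


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for r in off_hours_logins(recs):
        print(f"off-hours login: {r['user']} on {r['port']} at {r['time']}")
    closed, still_open = session_durations(recs)
    for task, s in closed.items():
        print(f"task {task}: {s['user']} {s['seconds']}s")
    for task, s in still_open.items():
        print(f"task {task}: {s['user']} still open since {s['since']}")
```

Run against the sample, the script reports bob's 02:13 login as off-hours and carol's session as still open; the two closed sessions agree with the elapsed_time attribute the stop records carry, which is the cross-check to make on real logs.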
Using All AAA Services Simultaneously

It is possible, and often desirable, to run authentication, authorization, and accounting simultaneously on a router. This is easier than it sounds. The following configuration combines all three parts of AAA using the examples from the previous sections; all that is needed is to enter the appropriate configuration lines together. Some commands, such as aaa new-model, need only be entered once. One caveat: the administrative list uses the method none, which means anyone with physical access to the console gets in without a password. It is a safeguard against being locked out when the TACACS+ server is unreachable, and it is acceptable only if the console port is physically secured:
aaa new-model
!Enable AAA
tacacs-server host 172.30.1.50
!The TACACS+ server is at 172.30.1.50
tacacs-server key mysecretkey
!Shared secret that protects traffic between the router and the TACACS+ server
aaa authentication login default tacacs+
!Set the default login authentication to TACACS+
aaa authentication ppp branch-office-users tacacs+ local
!PPP users are authenticated by TACACS+ if the server is reachable,
!otherwise by the local username database
aaa authentication login administrative none
!Used to ensure the administrator can always get in on the console
aaa authorization network default tacacs+
!Authorize network service requests (such as PPP) against TACACS+
aaa accounting exec default start-stop tacacs+
!Send start and stop records for every EXEC (shell) session
interface serial 2
!Go to the interface
 ppp authentication chap pap if-needed branch-office-users callin
 !Enable CHAP (falling back to PAP) for dial-in callers on S2,
 !using the branch-office-users method list
line con 0
 login authentication administrative
 !Make sure the administrator can always get into the console
Virtual Private Networks (VPNs)

The huge increase in the number of VPN clients and of companies wanting to use VPNs requires administrators to understand the special security considerations that apply to them. Because most VPNs run over a connection to the Internet, any security gap is exposed to every attacker on the Internet, not only to those with access to a private circuit. VPNs are built with tunneling protocols, which carry one protocol encapsulated within another. Examples of tunneling protocols used in VPNs are Generic Routing Encapsulation (GRE), Layer 2 Tunneling Protocol (L2TP), the IPSec Encapsulating Security Payload (ESP), Cisco Encryption Technology (CET), and Layer 2 Forwarding (L2F). This section covers some of the more commonly used tunneling protocols.
A tunneling protocol by itself offers little protection. Because a tunnel can normally be entered only from one of its endpoints, some administrators consider an unencrypted tunnel safe. It is not. GRE and L2TP provide no confidentiality, integrity, or peer authentication: anyone on the path between the endpoints can read the encapsulated traffic and, because the tunnel header is trivial to forge, can inject packets into the tunnel by spoofing the endpoint addresses or act as a "man in the middle" between them. Only encryption with integrity protection and authenticated peers, which is what IPSec adds, makes a tunnel secure. Because most tunnels can carry encrypted traffic, there is no reason other than router overhead not to encrypt the traffic running through the tunnel. If the performance of your routers is adversely affected by the combination of encryption and tunneling, add hardware encryption or upgrade the routers rather than drop the encryption. Before discussing how to set up an encrypted tunnel, this section includes a quick overview of some of the types of tunnels and encryption available on Cisco equipment.
L2F

The Layer 2 Forwarding (L2F) protocol is a Cisco proprietary protocol developed to support Virtual Private Dial-up Network (VPDN) connections. While still supported for various other functions, L2F has largely been replaced by L2TP.

L2TP

Layer 2 Tunneling Protocol (L2TP) builds on the best features of both L2F and PPTP. Because it tunnels PPP frames, L2TP can carry both IP and non-IP protocols; it is used mainly for dial-up connections. Like L2F, it provides no encryption of its own and is usually combined with IPSec when confidentiality is required.

Generic Routing Encapsulation (GRE) Tunneling

Generic routing encapsulation (GRE) tunnels build a path across the public Internet by wrapping each packet in a GRE header and a new IP header addressed to the far tunnel endpoint, so that the intervening routers deliver it there regardless of the original destination. GRE tunneling is also commonly used to carry non-IP traffic, and routing protocol multicasts that plain IPSec cannot carry, over an IP network by encapsulating it within IP.
Encryption

Cisco supports both IPSec and Cisco Encryption Technology (CET) for encrypting data within GRE tunnels. IPSec is an open standard that negotiates its algorithms; on Cisco IOS of this period that means 56-bit DES and 168-bit Triple DES, with stronger ciphers added in later releases. Supported on platforms such as Windows and UNIX, IPSec uses the Internet Key Exchange (IKE) for key management, with peers authenticating each other by pre-shared keys or by digital certificates. CET is a Cisco standard that supports 40-bit and 56-bit encryption algorithms, and it can be used only between two Cisco routers. Administrators need to be aware that, with the exception of the acceleration card within the 7200 and 7500 series routers, CET will be discontinued with the next major release after IOS version 12.1. If you are currently deploying CET, you should convert your configurations before a new IOS version forces you to. Cisco recommends IPSec with IKE instead of CET for encryption within the tunnel. See the article at this URL for more details about the CET end-of-life announcement: www.cisco.com/warp/public/cc/general/bulletin/security/1118_pp.htm
IPSec Configuration

The following configurations show how a main office router and a branch router can be set up to accept a VPN connection using IPSec encryption. The new commands are explained after the configurations. The following is the main office router configuration:

crypto isakmp policy 10
 authentication pre-share
!IKE phase 1: authenticate the peer with a pre-shared key
crypto isakmp key mysecretkey address 172.30.2.2
!The pre-shared key for the branch router; it must be identical on both sides
crypto ipsec transform-set mytransformset esp-des esp-sha-hmac
!The protection offered to the peer: ESP with DES encryption and SHA-1 integrity
access-list 101 permit ip any any
!Traffic matching this list is encrypted
crypto map branchoffice 10 ipsec-isakmp
 match address 101
 set transform-set mytransformset
 set peer 172.30.2.2
interface Serial0
 ip address 172.30.2.1 255.255.255.0
 crypto map branchoffice

The following is the branch router configuration:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key mysecretkey address 172.30.2.1
crypto ipsec transform-set mytransformset esp-des esp-sha-hmac
access-list 101 permit ip any any
crypto map branchoffice 10 ipsec-isakmp
 match address 101
 set transform-set mytransformset
 set peer 172.30.2.1
interface Serial0
 ip address 172.30.2.2 255.255.255.0
 crypto map branchoffice

The crypto isakmp lines configure IKE, which must succeed before any IPSec security association can be built: the policy states how the peers authenticate each other (here a pre-shared key), and the key is bound to the peer's address. The crypto ipsec transform-set line defines the combination of IPSec protocol and algorithms, named mytransformset, that this router is willing to use. The crypto map branchoffice 10 ipsec-isakmp line defines a map named branchoffice and assigns the sequence number 10 to this entry. The ipsec-isakmp keyword specifies that IKE is used to establish IPSec security associations for the traffic matched by the entry. The match address command specifies that extended access list 101 determines which traffic is encrypted; a named access list can also be used. Note that permit ip any any is acceptable on a point-to-point serial link that carries nothing else, but on a shared interface it would try to encrypt everything, including traffic to hosts that have no IPSec relationship with this router.
The set transform-set command names the transform set, mytransformset, to offer the peer. The name itself is local to the router and is never sent; what must agree is the content. If the peer offers a transform set with the same protocol and algorithms, the security association is established and encryption and decryption take place. If no offered transform matches, the negotiation fails and traffic matching the crypto access list is dropped rather than sent in the clear. The set peer command sets the IP address of the remote router's tunnel endpoint; the peer must be configured with this router's address in the same way. Within the interface, the crypto map command associates this interface with the globally defined map branchoffice.

This was a very simple example. Next, look at an example that is closer to real life. Take extra time to read all of the embedded comments within this configuration. The router shown is the branch router from the previous example (serial address 172.30.2.2). It is assumed here that 172.30.1.0/24 is the branch LAN and 172.20.3.0/24 is the main office LAN; the router encrypts only Telnet between the two and lets other traffic cross in the clear. The ISAKMP policy and pre-shared key from the previous example are still required and are omitted for brevity:
access-list 199 permit udp any eq 500 any eq 500
access-list 199 permit 50 any any
access-list 199 permit 51 any any
!These entries are necessary because IKE (UDP 500), ESP (protocol 50)
!and AH (protocol 51) must be able to reach the router
access-list 199 permit tcp 172.20.3.0 0.0.0.255 172.30.1.0 0.0.0.255 eq 23
access-list 199 permit tcp 172.20.3.0 0.0.0.255 eq 23 172.30.1.0 0.0.0.255
!The inbound access list is also applied to the decrypted packets, so the
!Telnet traffic itself must be permitted here, not only the IPSec packets
access-list 150 permit 50 any any
access-list 150 permit 51 any any
access-list 150 permit udp any eq 500 any eq 500
access-list 150 permit tcp 172.30.1.0 0.0.0.255 172.20.3.0 0.0.0.255 eq 23
access-list 150 permit tcp 172.30.1.0 0.0.0.255 eq 23 172.20.3.0 0.0.0.255
!Because you will have two access lists (one inbound and one outbound)
!on the serial interface, you need to allow IKE and IPSec traffic in both
!directions. The outbound list is applied to the packet before it is
!encrypted, so the cleartext Telnet flows must be permitted here too
access-list 101 permit tcp 172.30.1.0 0.0.0.255 172.20.3.0 0.0.0.255 eq 23
access-list 101 permit tcp 172.30.1.0 0.0.0.255 eq 23 172.20.3.0 0.0.0.255
!Why use another access list? You want to encrypt all Telnet (port 23)
!traffic between the branch LAN and the main office LAN, whichever side
!opened the session, and nothing else. Access list 101 is the crypto
!access list referenced in the crypto map below. The main office router
!must carry the mirror image of this list, with source and destination swapped
crypto ipsec transform-set encryp-auth esp-des esp-sha-hmac
crypto ipsec transform-set auth-only ah-sha-hmac
!Define the IPSec protection types available: ESP with DES encryption and
!SHA-1 integrity, or AH integrity without encryption
crypto map branchoffice 10 ipsec-isakmp
 match address 101
 !Remember that you are watching for the number 101? This refers to access
 !list 101, which determines what traffic is encrypted
 set transform-set encryp-auth
 !Offer the encrypting transform set; auth-only would protect integrity
 !but leave the Telnet passwords readable on the wire
 set peer 172.30.2.1
interface Serial0
 ip address 172.30.2.2 255.255.255.0
 crypto map branchoffice
 ip access-group 199 in
 !You need to allow IKE and IPSec traffic through
 ip access-group 150 out
 !You need the traffic to flow both ways
Summary

This chapter discussed how dial-in users can be authenticated using the local database. As an example, the chapter included a basic AAA configuration. Next, the chapter took an in-depth look at the AAA authentication process using a TACACS+ server. Finally, the chapter explored how IPSec can be used to secure VPNs coming into the network through the Internet. The next chapter, "Providing Secure Access to Internet Services," covers the requirements of securing the corporate network while still allowing access to Web servers.
Chapter 11. Providing Secure Access to Internet Services

This chapter contains the following sections:

• Internet Services
• Common Internet Security Threats
• Internet Service Security Example
• Web Servers
• File Transfer Protocol (FTP) Servers
• Internet e-Mail Servers (SMTP/POP3/IMAP4)
• Domain Name System (DNS) Servers
• Back-End Servers
• Summary
• Frequently Asked Questions
• Glossary
The Internet is growing at a phenomenal rate. It is estimated that several thousand web sites are added to the Internet daily. Never before has industry had such an aggressive medium to exploit. With this growth, it has become standard for the traditional retail store to gain a presence on the Internet. Initially, this presence was nothing more than a static Web page that acted purely as an online advertisement for the store. This progressed to an online source that presented information about the goods and services offered by the store. Soon e-commerce came along, and the store started actively trading on the Internet. The Internet has no geographical limits, so the retail store suddenly had a global market with unlimited potential at its disposal.

With this massive growth, and the dependence on the technology supporting it, comes a new set of hazards. E-commerce brings unique risks, because financial data is being transferred over the Internet. This attracts a breed of cyber-criminals: skilled network attackers who use tried and tested techniques to infiltrate corporate systems for their own financial gain, or to cause a denial of service (DoS) to the corporate site, costing the corporation money in lost revenue.

This chapter covers common Internet services and the attacks that are launched against them. It starts by looking at some common security attacks that can be made over the Internet, concentrating on network intrusion and DoS attacks. Finally, the chapter moves on to look at each individual Internet service: Web servers, File Transfer Protocol (FTP) servers, Internet e-mail servers, and Domain Name System (DNS) servers. The common threats to each service, and the preventive security strategies that can be applied to them, are identified in this chapter. This chapter provides only an overview of Internet service threats and preventive measures. Whole books have been written on the subject, such as:
Web Security and Commerce. O'Reilly Nutshell, 1997.
E-Commerce Security: Weak Links, Best Defenses. John Wiley and Sons, 1998.
Web Security: A Step-by-Step Reference Guide. Addison-Wesley, 1998.
Practical Unix and Internet Security. O'Reilly, 1996.
Internet Services

This chapter covers the common Internet services that most companies provide for public access. These services make up the Internet presence of the company. They might interact with each other to provide the service to the public, and this interaction itself might raise security risks that the devices on their own do not have.

TCP/IP uses what is called a port as a connection endpoint. The port is what TCP and UDP use to differentiate among the services running on a host. All Internet services use ports; some use User Datagram Protocol (UDP), but most use TCP. The following is a list of the common Internet services that most corporate businesses employ as part of their public Internet offering. These technologies can be used on intranets, extranets, and other private networks, as well as the public Internet:

• Web servers— Web servers provide access to the web sites of the business.
• FTP servers— FTP servers provide a source of downloadable files from the web site and also act as a medium for transferring files to and from the other servers.
• Internet e-mail servers— Internet e-mail servers are responsible for message delivery and routing of the corporate Internet-bound e-mail.
• DNS servers— DNS servers hold the domain and IP information for the corporate domain.
• Back-end servers— Back-end servers can fall into one of many categories, including database servers, security authentication servers, and application servers. Back-end servers are not usually public-facing; that is, they do not usually have a publicly accessible IP address.
This chapter covers each individual service, gives a brief overview of the service, explains the specific threats posed to it, and provides solutions to these threats. The solutions are implemented with products from the Cisco Secure product range. Before covering the individual services, the chapter looks at aspects of Internet security in relation to the web site as a whole. To do this, the chapter includes a sample Internet service that is running under Mydomain.com. This Internet service includes Web servers, FTP servers, e-mail servers, DNS servers, and back-end servers.
You will see how to assess the security of the site in relation to the common attacks that are made on public Internet services. After looking at the threats, you will see how each of them affects each individual service.

The next section starts by looking at the common Internet security threats before going on to outline the sample Internet service.
Common Internet Security Threats

Throughout the short history of the Internet, attacks on the public servers of large corporations have been prevalent. The motive is usually financial gain for the perpetrator, financial loss for the victim, or a sense of personal achievement and increased status for the perpetrator within the hacking community. These attacks can be categorized by type. Most Internet attacks fall into one of the categories covered here; however, just as the Internet evolves, new categories and new attacks evolve all the time. Broadly, the attacks fall into two general categories: they try either to gain unauthorized access to the network or to deny service to it. The two can intermingle, such that a network intrusion leads to a denial of service. Throughout this chapter, the following separate attacks are covered:

• Network intrusion
• Denial of service
Network Intrusion

Network intrusion is when unauthorized access is gained to a computer system or computer network. This can be achieved in many ways. The following are the two main types of network intrusion with which this book is concerned:

• Unauthorized access
• Eavesdropping
Unauthorized Access

Unauthorized access generally refers to gaining access to a network by using valid username and password pairs. These passwords can be obtained by the following methods:

• Social engineering— Social engineering is where the attacker persuades someone with legitimate access to release information, such as username and password pairs. A common social engineering attack is someone telephoning a network user, pretending to be from the company's network help desk, and asking for the user's username and password. These attacks are very hard to overcome by technical means; the only real defense is staff training and fostering a security-conscious office culture, backed by a rule that the help desk never asks for passwords.

• Dictionary attack— A dictionary attack is a password-guessing attack. The attacker runs a piece of software that tries numerous passwords against the system. The attack gets its name from the fact that the method usually employs a dictionary file containing thousands of common and not-so-common words; each word in turn is tried in an authentication attempt. It is distinct from an exhaustive brute-force attack, which tries every possible combination of characters. Security policy should stipulate the maximum number of wrong passwords that can be entered before the account is locked; this feature is implemented in most mainstream network operating systems today. Be aware that lockout is itself a denial-of-service lever: an attacker who can guess usernames can lock every account, so a temporary lockout or an increasing delay between attempts is usually preferable to a permanent one. The other way to defeat the majority of these attacks is to make all passwords a random, mixed-case set of alphanumeric characters. For example, the password "dfgWJdHu75G4fo" would be far harder for a dictionary attack to break than the password "miamidolphins."

• Exploitation of services— In addition to password attacks, which encompass the previous two methods, there is exploitation of the network services themselves. For example, bugs in the UNIX sendmail service allowed a user to send a series of commands to the service that gained the user administrative access to the host machine. Be sure to keep abreast of the latest security vulnerabilities and ensure that all network services have the latest security patches.
Eavesdropping

Eavesdropping is where an attacker uses a network analyzer or sniffer to listen to and decode the frames on the network medium. This type of attack requires a physical or logical position on the path of the traffic, so it has to be done either at the same location as the network, on a shared segment the attacker has already compromised, or at the office of a service provider to that network. The traffic that the attacker can capture is limited by the attacker's location. For example, if the sniff or trace is run on the corporate LAN, the attacker probably will not see WAN routing traffic, because that traffic is not local to the LAN. A common use of sniffing is to obtain the username and password pairs of users or network services, which is why protocols that carry credentials in the clear, such as Telnet, FTP, and POP3, are such a liability. Sniffing can also lead to session replay attacks and session hijacking:

• Session replay attacks— With most network analyzers available today, you can capture the data into a buffer, and this buffer can then be replayed onto the network. An attacker can capture a user logging into a system and running commands. By replaying the captured session, the attacker can recreate the initial user's actions for personal benefit. A common method is for the attacker to rewrite the source IP address of the captured packets so that the replayed session appears to originate from the attacker's own host. Encryption alone does not prevent replay: an encrypted login exchange can be replayed just as well as a cleartext one unless the protocol includes freshness, such as nonces, sequence numbers, or timestamps, as IPSec's anti-replay window and challenge-based authentication do.

• Session hijacking— Session hijacking is where the attacker inserts falsified IP packets after the initial session has been established, with the correct addresses and TCP sequence numbers so that they are accepted as part of the session. This can alter the flow of the session and establish communication with a different network host than the one with which the session was originally established.
Denial of Service (DoS)

The term denial of service has been heard a lot in the Internet community recently. This is partly because of frequent DoS attacks that have been carried out against leading e-commerce vendors, such as eBay.com and Amazon.com.

A DoS attack is the saturation of network resources, targeted against a single host or range of hosts, with the intent of stopping that host from serving further network requests. It has the same effect as a server that is under too much load and cannot deal with the concentration of requests for its services. The problem with DoS attacks is that most of them appear to be genuine requests for service; they just arrive in rather large numbers, large enough to make the server fall over. Numerous DoS attacks exist, and new ones are found almost weekly. Information published by white hat hackers (hackers benevolently researching security issues) is being misused by black hat hackers (malevolent hackers) and script kiddies in the form of DoS attacks against Internet hosts.

Attackers can run a DoS attack from anywhere. They target a public service, they protect and hide their identity, and they can run the attack over a dial-up connection from anywhere in the world. Many DoS attacks are very simple to run, which has led to the increase in what are called script kiddies. A script kiddie is someone with limited knowledge who runs a prebuilt DoS script to attack an Internet host. The authors have even seen UNIX GUI-based applications that package numerous DoS attacks and make it extremely easy to use them against an unsuspecting host. This section looks at some common and more famous DoS attacks. There are literally hundreds in existence now.
• TCP SYN flooding attack— The TCP SYN flood attack exploits the three-way handshake connection mechanism of TCP/IP. Normally, a client initiates a TCP session by sending a TCP SYN packet to the server; the server responds with a TCP SYN/ACK; and the client completes the handshake by sending an ACK back to the server, at which point the session is established. In a TCP SYN attack, the attacker's machine never sends the final ACK for the SYN/ACK returned by the server, typically because the SYNs carry spoofed source addresses that do not answer. This leaves the server waiting for the response and for the session to start. This is called a half-open session, and each half-open session occupies an entry in the server's connection table. The attacker floods the server with thousands of these session initiation packets, causing the server eventually to run out of table space, thus denying service to any other inbound connections.
• Smurf attack— A smurf attack is when an attacker sends an ICMP Echo Request to a network broadcast address rather than to a specific host. The important point is that the attacker enters the IP address of the targeted server as the ICMP Echo Request source address. This has the effect of every host on that network responding and sending an ICMP Echo Reply to the attacker-supplied source address, which is the address of the server that the attacker wants to attack. The attacker thereby uses somebody else's resources and network to attack the victim, with the traffic amplified by the number of hosts that answer the broadcast. This attack works by simply consuming the bandwidth to the victim; once that bandwidth is consumed, all access to the server from other public hosts slowly grinds to a halt. The third party whose network is amplifying the attack is also affected, because the replies consume its outbound bandwidth. The defense on the amplifying side is to refuse to forward directed broadcasts (no ip directed-broadcast on Cisco router interfaces); the victim cannot stop the replies from arriving. Figure 11-1 depicts a smurf attack.

Figure 11-1. Smurf Attack
• Ping of death— The ping of death is a famous DoS attack that uses the ICMP Echo Request and Echo Reply (ping) to crash a remote system. It is classified as an elegant one-packet kill. The attack works by sending an ICMP Echo Request whose reassembled size exceeds the 65,535-byte maximum of an IP datagram; the packet is fragmented before sending, and the receiving host, which is also the victim, reconstructs it. Because the reassembled packet is larger than the maximum allowed, it overflows the buffer set aside for reassembly, which can cause system crashes, reboots, and kernel dumps, rendering the system unusable. This attack, although it still exists, is well protected against by all recent operating systems.
• Teardrop— The teardrop attack is a classic DoS attack that normally causes memory problems on the server being attacked. Teardrop attacks use fragmentation and malformed packets, specifically fragments whose offsets overlap and whose lengths do not add up, to cause the victim host to miscalculate during reassembly and perform illegal memory operations. These illegal memory operations can corrupt other applications running on the server and result in crashing it. Because this is a fragmentation attack, it can bypass some traditional intrusion detection systems (IDSs) that do not reassemble fragments before inspecting them.

• Land— The land attack is where the attacker sends a spoofed packet to a server with the same source IP address and port as the destination IP address and port. For example, if the server had an IP address of 192.168.0.1, both the source and destination IP addresses of the packet would be 192.168.0.1. The port is identified as open by a network scan that the attacker runs before sending the packet. The result is that the server, if susceptible, will crash or hang. This attack is also known as the LAND.c attack; the .c refers to the C source code in which it was published. A packet whose source is your own address can never legitimately arrive from the outside, so anti-spoofing filters on the border router stop it.
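The four attacks above each leave a recognizable trace in packet records. The following Python script is an added example, not from the book: it runs over a constructed set of packet records (the fields, the SYN threshold and the local network list are assumptions, not captured data) and flags half-open TCP connections per target for SYN floods, packets whose source equals their destination for land, echo requests addressed to one of your own directed-broadcast addresses for smurf amplification, and datagrams whose reassembled length exceeds the IP maximum for ping of death.

```python
"""Flag the DoS signatures described above in a set of packet records.

Added example, not from the book. RECORDS is constructed, not captured; the
SYN threshold and the local network list are assumptions.
"""
from collections import defaultdict
import ipaddress

# Record layout: (proto, src, sport, dst, dport, tcp_flags, icmp_type, ip_total_len)
# tcp_flags is "S", "SA" or "A" for TCP and None otherwise; icmp_type is None for non-ICMP.
RECORDS = [
    # A legitimate, completed three-way handshake to the web server.
    ("tcp", "10.1.1.5", 40001, "194.73.134.11", 80, "S", None, 60),
    ("tcp", "194.73.134.11", 80, "10.1.1.5", 40001, "SA", None, 60),
    ("tcp", "10.1.1.5", 40001, "194.73.134.11", 80, "A", None, 52),
]
# SYN flood: sixty SYNs from spoofed sources that never complete the handshake.
RECORDS += [("tcp", f"203.0.113.{i}", 1024 + i, "194.73.134.11", 80, "S", None, 60)
            for i in range(1, 61)]
# Land: source address and port equal the destination address and port.
RECORDS.append(("tcp", "194.73.134.12", 139, "194.73.134.12", 139, "S", None, 60))
# Smurf: echo request to a directed-broadcast address, victim's address as source.
RECORDS.append(("icmp", "194.73.134.13", None, "192.0.2.255", None, None, 8, 84))
# Ping of death: reassembled datagram larger than IP allows.
RECORDS.append(("icmp", "198.51.100.7", None, "194.73.134.14", None, None, 8, 65536))

SYN_THRESHOLD = 50                                   # half-open connections per target
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # networks whose broadcasts we would forward
IP_MAX_LEN = 65535                                   # largest legal IP datagram


def half_open_by_target(records):
    """Count SYNs per (dst, dport) that were not followed by the client's ACK."""
    pending = set()
    for proto, src, sport, dst, dport, flags, _, _ in records:
        if proto != "tcp":
            continue
        if flags == "S":
            pending.add((src, sport, dst, dport))
        elif flags == "A":
            pending.discard((src, sport, dst, dport))
    counts = defaultdict(int)
    for _, _, dst, dport in pending:
        counts[(dst, dport)] += 1
    return dict(counts)


def syn_flood_targets(records, threshold=SYN_THRESHOLD):
    """Targets whose half-open count reached the threshold."""
    return sorted(t for t, n in half_open_by_target(records).items() if n >= threshold)


def land_packets(records):
    """TCP packets whose source equals their destination; never legitimate."""
    return [r for r in records if r[0] == "tcp" and (r[1], r[2]) == (r[3], r[4])]


def smurf_victims(records, local_nets=LOCAL_NETS):
    """Sources of echo requests aimed at one of our broadcast addresses."""
    broadcasts = {str(n.broadcast_address) for n in local_nets}
    return sorted({r[1] for r in records if r[0] == "icmp" and r[6] == 8 and r[3] in broadcasts})


def oversized_datagrams(records, limit=IP_MAX_LEN):
    """Datagrams whose reassembled length exceeds the IP maximum."""
    return [r for r in records if r[7] > limit]


if __name__ == "__main__":
    print("SYN flood targets:", syn_flood_targets(RECORDS))
    print("land packets:", [(r[1], r[2]) for r in land_packets(RECORDS)])
    print("smurf victims:", smurf_victims(RECORDS))
    print("ping of death from:", [r[1] for r in oversized_datagrams(RECORDS)])
```

The smurf check is written from the amplifier's point of view, which is where it can be acted on: the address it reports is the victim, and the fix is to stop forwarding directed broadcasts. The SYN check counts a connection as half-open until the client's own ACK arrives, so the completed handshake at the top of RECORDS is not counted.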
The preceding list represents only a small percentage of the network intrusions and DoS attacks that exist. White hat hackers who aim to educate security administrators about the new threats and vulnerabilities that emerge almost daily provide helpful web sites, among them www.securityfocus.com and www.rootshell.com. These sites should be checked frequently to keep network security up-to-date and as secure as possible.
Internet Service Security Example

This example presents the fictitious simple Internet service of Mydomain.com, a new dot-com startup selling CDs and videos online. Mydomain.com employs the full range of servers covered throughout this chapter, including Web servers, FTP servers, Internet e-mail servers, DNS servers, and back-end servers.

This example includes before and after designs. The before design uses a standard public-facing model, and the after design implements security elements based around a Cisco Secure PIX Firewall. The example identifies the common attacks that can be carried out and the way that the proposed secure solution deals with them.

The network is hosted at an Internet service provider (ISP) and is connected straight into a hosting switch. The ISP provides no upstream security for hosted solutions; security is the responsibility of the individual clients. The network diagram can be seen in Figure 11-2.

Figure 11-2. Mydomain.com Network Diagram
You can see in the network diagram in Figure 11-2 that the Mydomain.com solution consists of four servers. The Web and FTP services exist on the same server. Mydomain.com has been allocated 10 addresses in the 194.73.134.0/24 network, which is registered to the ISP and is used for hosting solutions. The addresses allocated are 194.73.134.11 to 194.73.134.20, all with a /24 mask. This is a very common simple configuration for Web hosting from an ISP.
Initial Problems and Threats in the Internet Service Security Example

This solution is not ideal from a security point of view. As a general rule of thumb, the authors would never place an unprotected host on the public Internet. This solution places all four servers on the public Internet with public IP addresses. The IP address allocation is not within its own Layer 3 domain (VLAN/subnet); therefore, the servers are on the same broadcast domain as all of the other traffic within the 194.73.134.0/24 network, including other customers' hosts. The following threats have been identified with this solution:

• Network threats— Because the servers are located directly on the public Internet, no security device protects them from a plethora of network threats, including network intrusion attempts and DoS attacks. Without security devices protecting the solution, you are relying on the configuration of the actual server as the first and only line of defense.

• Operating system vulnerabilities— Every operating system has known vulnerabilities. You have only to check the content of any security-focused web site to see the number of vulnerabilities that exist in every operating system. By placing these servers on the public Internet, you are making any security flaw in the operating system available for exploitation by potential hackers.
372
•
Applica t ion vulne r a bilit ie s— Besides oper at ing syst em vulner abilit ies, t her e ar e applicat ion vulnerabilit ies. These vulnerabilit ies appert ain t o t he applicat ions running on t he ser ver s. Micr osoft 's I nt er net I nfor m at ion Ser ver ( I I S) is t he st andar d Web serve r of choice for Window s NT and Window s 2000 servers. This applicat ion has num er ous w ell-know n vulner abilit ies, and new pat ches ar e r eleased fr equent ly t o pr ot ect against r ecent ly found vulner abilit ies.
•
Se r v e r - to- se r ve r com m u n ica t ion— When t he Web ser v er co m m unicat es w it h t he dat abase ser v er , t his is classified as ser v er-to-server com m unicat ion. This t raffic should nev er go acr oss a public net w or k . I n t he design in Figure 11- 2 , t his t raffic is going acr oss t he public net w or k. Ot her m achines t hat ar e not a par t of t he Mydom ain.com net w or k and w it hin t he sam e Lay er 3 dom ain could easily capt ure t his com m unicat ion. This r aises secur it y issues.
•
Acce ss t o ba ck - e n d se r ve r s— Why m ak e a ser v er publicly accessible if only ser v ert o-ser ver com m unicat ion is going t o exist ? Most back-end ser v er s ar e not r equir ed t o be accessed by out side host s, because t hey m ight need only t o com m unicat e t o ot her servers t hat are request ing t heir resources. The My dom ain.com ser v ice uses a Web ser v er and a dat abase ser v er . The dat abase ser v er st or es t he st ock det ails and is accessed by a Web page on t he Web ser v er . The public client is never required t o access t he server direct ly. I n m aking it publicly accessible, y ou ar e also m ak ing ev er y v ulner abilit y on t he ser v er accessible.
Alt hough t here are obviously num erous t hreat s t o t his solut ion, it is shocking t o learn how m any host ed solut ions w it hin t he I SP env ir onm ent ar e inst alled in t his w ay . I n secur it y , t her e m ust alw ays be a m ot ive for at t ack. Wit h low -risk and low -exposure sit es, t his m ot ive m ight be so low as not t o cat ch a hack er 's at t ent ion .
Proposed Changes to the Internet Service Security Example

The most important change to implement in this solution is to place some sort of a firewall device in front of it. The term firewall can be defined as a device that simply protects internal networks from external threats. These devices normally carry out some sort of routing to route traffic from one interface to another and to perform packet or stateful inspection of traffic.

NOTE

Stateful inspection is a very important feature to have within a firewall. Early firewalls only implemented packet filtering. Stateful inspection and filtering maintain connection state information and allow policy decisions to be based on this state. Packet filtering just filters every packet, regardless of the existence of a current connection, session, or state.
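To make the note's distinction concrete, here is an added Python model, written for this edition and not taken from the book or from any Cisco product, of the two approaches. The stateless filter judges each packet on its own header fields and must hold the reverse direction open ("source port 80 from anywhere") so that replies to inside Web requests can return; the stateful filter records connections opened from the inside and admits only packets that reverse one of them. The inside and outside addresses, ports and rule set are constructed for the illustration, and NAT is left out of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Stateless packet-filter rules, judged per packet on header fields alone.
# Each rule: (direction, source port or None, destination port or None, permit?).
# To let replies to inside-initiated Web connections back in, a stateless filter
# has to hold the reverse direction open permanently ("source port 80 from
# anywhere, to any inside port"), which is the hole compare_filters() exposes.
STATELESS_RULES = [
    ("out", None, 80, True),   # inside hosts may open connections to TCP/80
    ("in", 80, None, True),    # replies from any Web server are let back in
]


def stateless_decide(direction, pkt):
    """First matching rule wins; no matching rule means implicit deny."""
    for rule_dir, sport, dport, permit in STATELESS_RULES:
        if rule_dir != direction:
            continue
        if sport is not None and pkt.src_port != sport:
            continue
        if dport is not None and pkt.dst_port != dport:
            continue
        return permit
    return False


class StatefulFilter:
    """Tracks connections opened from the inside and admits only their replies."""

    def __init__(self):
        # (src_ip, src_port, dst_ip, dst_port) of every connection seen leaving
        self.connections = set()

    def decide(self, direction, pkt):
        if direction == "out":
            if pkt.dst_port == 80:
                self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return True
            return False
        # Inbound: permitted only if it is the reverse of a tracked connection.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reverse in self.connections


def compare_filters():
    """Run three constructed packets through both filters: (stateless, stateful) verdicts."""
    request = Packet("192.168.0.50", 40000, "203.0.113.7", 80)   # inside host -> Web server
    reply = Packet("203.0.113.7", 80, "192.168.0.50", 40000)     # genuine reply
    forged = Packet("198.51.100.9", 80, "192.168.0.50", 139)     # unsolicited, source port 80
    sf = StatefulFilter()
    return {
        "request": (stateless_decide("out", request), sf.decide("out", request)),
        "reply": (stateless_decide("in", reply), sf.decide("in", reply)),
        "forged": (stateless_decide("in", forged), sf.decide("in", forged)),
    }


if __name__ == "__main__":
    for name, (stateless, stateful) in compare_filters().items():
        print(f"{name:8s} stateless={'permit' if stateless else 'deny':6s} "
              f"stateful={'permit' if stateful else 'deny'}")
```

The forged packet is the case that matters: the stateless filter permits it because its source port happens to be 80, while the stateful filter denies it because no inside host ever opened that connection.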
Now see what happens if you decide to implement a Cisco Secure PIX Firewall to protect the solution. You only need two interfaces—one internal and one external. The proposed network diagram can be seen in Figure 11-3.

Figure 11-3. Proposed Change to the Mydomain.com Network
You can see from the network diagram in Figure 11-3 that there is now a Cisco Secure PIX Firewall between the hosted switch and the Mydomain.com network. This PIX Firewall also carries out Network Address Translation (NAT) for the Mydomain.com network. The use of NAT means that the Mydomain.com network can now use RFC 1918-compliant private addressing. In this case, Mydomain.com has opted for the 192.168.0.0/24 network. This address space is not routed on the public Internet and can protect the identity and addressing of the Mydomain.com network.

NAT is a method where public IP addresses get translated into private IP addresses for address-hiding purposes. You can create a private network behind a NAT device, such as a router or a firewall, and create static translations between these private addresses and public addresses. This hides the private addresses of the network from the public Internet and provides a method where the private servers can communicate with each other over the private addresses. There are two types of NAT. These are one-to-one NAT and one-to-many NAT. One-to-many NAT is also known as Port Address Translation (PAT).

Access to the specific servers from the public Internet is permitted through what are called static translations. The PIX Firewall maintains static translations between the public and private addresses. These are manually configured on the PIX Firewall—one per translation. Because the database server is only involved in communication with the Web server, there is no need to provide a static translation for this server.

The static translations for this solution are displayed in Table 11-1.

Table 11-1. Static Translations

Public IP Address    Private IP Address
194.73.134.10        192.168.0.10
194.73.134.11        192.168.0.11
194.73.134.12        192.168.0.12

In this case, a public client accessing www.mydomain.com receives the IP address of 194.73.134.10. The PIX Firewall intercepts this packet on the hosted switch, because the outside interface replies to Address Resolution Protocol (ARP) requests for its own interface and every other statically configured address. The PIX then redirects the packet to 192.168.0.10. This would be totally transparent to the public client.

You can further restrict access by configuring access lists on the PIX Firewall. On the PIX Firewall, these access lists are called conduits. You can allow specific traffic to specific servers and deny everything else. The PIX conduit command works in a similar way to the Router IOS access-list command. These conduits make up the basic firewall security policy for the solution.
Table 11-2 shows the basic firewall security policy.

Table 11-2. Sample Firewall Security Policy

Source IP Address    Destination IP Address    Service    Permit/Deny
Any                  194.73.134.10             WWW        Permit
Any                  194.73.134.10             FTP        Permit
Any                  194.73.134.11             SMTP       Permit
Any                  194.73.134.11             POP3       Permit
Any                  194.73.134.12             Domain     Permit
195.92.1.250         Any                       Ping       Permit

This policy allows only specific services to specific hosts. One point to mention is the last line in the policy in Table 11-2. This line allows Internet Control Message Protocol (ICMP) ping access from the address 195.92.1.250 to any host within the Mydomain.com hosted network. The address 195.92.1.250 is the egress point from the Mydomain.com offices, which are in a different physical location than the hosted network. This is so that the network staff at the office can ping the solution for monitoring purposes.

The configuration of the PIX Firewall is as follows:
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 194.73.134.19 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
static (inside,outside) 194.73.134.10 192.168.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 194.73.134.11 192.168.0.11 netmask 255.255.255.255 0 0
static (inside,outside) 194.73.134.12 192.168.0.12 netmask 255.255.255.255 0 0
conduit permit tcp host 194.73.134.10 eq www any
conduit permit tcp host 194.73.134.10 eq ftp any
conduit permit tcp host 194.73.134.11 eq smtp any
conduit permit tcp host 194.73.134.11 eq pop3 any
conduit permit tcp host 194.73.134.12 eq domain any
conduit permit udp host 194.73.134.12 eq domain any
conduit permit icmp any host 195.92.1.250
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity hostname
telnet timeout 5
terminal width 80
Cryptochecksum:5884cc517ea6d0954099b857a8572c0c
If you are unsure about any of the configuration commands, refer to Chapter 4, "Cisco Secure PIX Firewall," or visit the Cisco Secure PIX web site at www.cisco.com/go/pix.
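The following added example (Python written for this section, not part of the book or of PIX software) models how the static and conduit lines above are applied to an inbound packet: the destination must first have a static translation, then the conduits are searched for a match on protocol, translated (global) address, port and outside (foreign) host, with an implicit deny when nothing matches. The first-match search order, the 203.0.113.5 stand-in for an arbitrary Internet host and the unmapped 194.73.134.13 address are assumptions of the model, not PIX behaviour documented on this page. The last case also illustrates the back-end server point made later in the chapter: with no static translation there is nothing for a conduit to permit.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names the PIX "eq" operator accepts, as far as this model needs.
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "smtp": 25, "pop3": 110, "domain": 53}

# The static and conduit lines from the example configuration, copied here so
# the model runs stand-alone.
EXAMPLE_CONFIG = """
static (inside,outside) 194.73.134.10 192.168.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 194.73.134.11 192.168.0.11 netmask 255.255.255.255 0 0
static (inside,outside) 194.73.134.12 192.168.0.12 netmask 255.255.255.255 0 0
conduit permit tcp host 194.73.134.10 eq www any
conduit permit tcp host 194.73.134.10 eq ftp any
conduit permit tcp host 194.73.134.11 eq smtp any
conduit permit tcp host 194.73.134.11 eq pop3 any
conduit permit tcp host 194.73.134.12 eq domain any
conduit permit udp host 194.73.134.12 eq domain any
conduit permit icmp any host 195.92.1.250
"""


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str                    # outside (foreign) host
    dst: str                    # public (global) address being contacted
    dport: Optional[int] = None


def _addr_spec(tokens, i):
    """Parse 'any' | 'host A' | 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return ({global: local} statics, [(action, proto, global_net, port, foreign_net)])."""
    statics, conduits = {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "static":
            statics[t[2]] = t[3]            # static (in,out) GLOBAL LOCAL netmask ...
        elif t[0] == "conduit":
            action, proto = t[1], t[2]
            global_net, i = _addr_spec(t, 3)
            port = None
            if i < len(t) and t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
                i += 2
            foreign_net, _ = _addr_spec(t, i)
            conduits.append((action, proto, global_net, port, foreign_net))
    return statics, conduits


def evaluate_inbound(statics, conduits, pkt):
    """Decide an outside->inside packet: ('permit'|'deny'|'no-translation', inside address)."""
    inside = statics.get(pkt.dst)
    if inside is None:
        return "no-translation", None       # no static maps this public address inward
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, global_net, port, foreign_net in conduits:  # first match wins (model assumption)
        if proto not in ("ip", pkt.proto):
            continue
        if dst not in global_net or src not in foreign_net:
            continue
        if port is not None and port != pkt.dport:
            continue
        return action, inside
    return "deny", inside                   # no conduit matched: implicit deny


def evaluate_example():
    """Run constructed packets through the example policy (203.0.113.5 stands for any Internet host)."""
    statics, conduits = parse_config(EXAMPLE_CONFIG)
    cases = {
        "web from internet": Packet("tcp", "203.0.113.5", "194.73.134.10", 80),
        "smtp to web server": Packet("tcp", "203.0.113.5", "194.73.134.10", 25),
        "dns udp from internet": Packet("udp", "203.0.113.5", "194.73.134.12", 53),
        "ping from office": Packet("icmp", "195.92.1.250", "194.73.134.11"),
        "ping from internet": Packet("icmp", "203.0.113.5", "194.73.134.11"),
        "sql to unmapped address": Packet("tcp", "203.0.113.5", "194.73.134.13", 1433),
    }
    return {name: evaluate_inbound(statics, conduits, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (verdict, inside) in evaluate_example().items():
        print(f"{name:26s} {verdict:15s} {inside or '-'}")
```

Reading the verdicts against Table 11-2 is a useful check of the configuration: every row of the table corresponds to a permit, the office ping is the only ICMP that gets through, and an address with no static is unreachable regardless of what conduits say.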
Revised Problems and Threats in the Internet Service Security Example

With the introduction of the firewall between the public Internet and the Mydomain.com network, most of the network threats have been addressed. The following is a revision of the original list from the section "Initial Problems and Threats in the Internet Service Security Example," now that the firewall has been added.

• Network threats— The servers are now located behind the firewall; therefore, they are not directly connected to the public Internet. Certain DoS attacks might still be possible, and the implementation of IDS technology will further protect the network. Ping access has been disallowed to all public addresses with the exception of the Mydomain.com offices. This is identified with the conduit permit icmp any host 195.92.1.250 command. This means that Internet clients are not able to ping the machines to check for their existence. Attackers running port scans have to force the port scan to check the addresses because the firewall blocks all ICMP Echo Request packets.

• Operating system vulnerabilities— The servers are not on the public Internet, and access has been restricted to the specific ports on the specific servers. This means that any port-specific operating system vulnerability should now be protected.

• Application vulnerabilities— Application vulnerabilities might still exist. This is because the application vulnerability might be related to the specific port that is allowed through the firewall. For example, Microsoft's IIS is a TCP port 80 service. There have been vulnerabilities in the past related to certain URLs causing crashes on the server. These URLs would come over the allowed TCP port 80. The only way to keep up with application vulnerabilities is to ensure that the applications are kept up-to-date with the latest service packs and fixes, which are available from the application vendors' web sites.

• Server-to-server communication— All server-to-server communication is now over the private 192.168.0.0/24 network. No broadcasts or multicasts are propagated by the firewall. This alleviates the security threat.

• Access to back-end servers— The back-end server is no longer publicly accessible. The back-end server does not have a static translation associated with it, so communication can only occur with the back-end server from the Mydomain.com network. This removes the security threat to the back-end servers.

In this example, you have seen a very basic Web installation, identified the security threats posed to this network, and implemented a proposed solution. It is very easy to reduce 95 percent of all threats from the Internet and very hard to protect against the remaining 5 percent. By simply implementing a firewall, you can reduce many risks associated with Internet security.

The remaining sections in this chapter cover the individual Internet services and the threats posed to these specific services.
Web Servers

The World Wide Web is the technology that is responsible for the massive growth of the Internet today. The World Wide Web was born in 1990, when Tim Berners-Lee developed the first browser application and launched the internal World Wide Web within the European Laboratory for Particle Physics, or CERN, headquarters. At that time, the Web was only available to those who had access to the CERN system. The next major point of mention is in 1993, when the National Center for Supercomputing Applications (NCSA) released the Mosaic browser. This gave users the ability to view graphics and text at the same time over the Web. In the same year, the New York Times announced the appearance of the World Wide Web, and the White House went online at www.whitehouse.gov.

The next seven years saw massive growth for the World Wide Web, with around 7000 new web sites being added daily. The largest growth sector of the Internet is still the World Wide Web.

The World Wide Web is made up of numerous Web servers that are located all over the world on a common network, the Internet. These servers all run the Hypertext Transfer Protocol (HTTP) service. HTTP is an application layer protocol that uses TCP as the transport protocol and maps to port 80. Besides HTTP, there is the Secure Hypertext Transfer Protocol (HTTPS). HTTPS uses client-to-server encryption to secure the normally clear text transmission of data between the HTTP client and the HTTP server.
Threats Posed to Web Servers

Web servers are the most common targets for attacks within a corporate web site. Web servers host the HTTP service and deliver the HTML pages to Internet clients browsing them. The very nature of this client/server relationship makes the Web server a target for abuse. The server is addressable on a specific IP address and a specific port.

The majority of DoS attacks are aimed at Web servers. The Web server is the main component that brings all of the other components together, and disruption of this server affects the overall Internet service.

Besides the DoS attacks, there are application-related vulnerabilities. The most common Web server application that is used on Windows NT is Microsoft's IIS, and the most common UNIX Web server is Apache. Both of these servers are under constant scrutiny from the Internet community, and vulnerabilities are found quite frequently.

Solutions to the Threats to Web Servers

In theory, the Internet service that runs on TCP port 80 is intrinsically secure and does not really require protection. However, it is the Web server itself and the network operating system that cause the security concerns. Any service other than the HTTP service running on the server increases the risk associated with the server.

The best way to protect against this, as with most other services, is to deploy a firewall that is situated between the public Internet and the Web server. The Web server can then be on a private network, and Network Address Translation can provide the added security of hiding the real IP address of the Web server. The firewall should be further configured only to allow access to the Web server on the required ports. These are usually port 80 for general HTTP traffic and port 443 if the web site is using HTTPS and HTTP.

To protect against application vulnerabilities, it is important to ensure that the Web server applications are kept up with the latest service and security patches. These are provided on the vendors' web sites. Information about vulnerabilities can be obtained from white hat hacker web sites, such as www.rootshell.com, and various e-mail lists.
Configuration Recommendations for Web Servers

Using the Cisco Secure PIX Firewall, the following commands allow public Web traffic to the Web server with an internal address of 192.168.0.10/24 and provide static translation to the public address of 194.73.134.10/24. This is based on Figure 11-3:

static (inside,outside) 194.73.134.10 192.168.0.10 netmask 255.255.255.255 0 0
conduit permit tcp host 194.73.134.10 eq www any
File Transfer Protocol (FTP) Servers

The File Transfer Protocol (FTP) is an application layer protocol that provides file-sharing capabilities between hosts. FTP was formally announced as part of the TCP/IP protocol suite in 1971. RFC 172 covers the design and implementation of FTP. There are actually two ports associated with FTP: TCP 20 and 21. FTP creates a virtual connection over TCP port 21 for control information, and then it creates a separate TCP connection on port 20 for data transfers.

FTP is a very common application protocol that is used widely on the Internet to transfer files. Most public Web servers also provide some FTP functionality for public users to download files. For example, Cisco Systems has a corporate web site that is located at www.cisco.com. This serves the corporate web site. In addition, Cisco has an FTP server that can be accessed at ftp.cisco.com. This service is provided for downloading files from the Cisco web site. Registered users or users with support agreements can download IOS images and required software updates.

Many companies do not run their own Web servers in-house. They look to an ISP to provide Web space on a shared server or opt for a dedicated, colocated server. In doing this, they gain the benefit of the ISP's network and Internet connection. The ISP offers this as a service and usually provides fault-tolerant, secure access to the Internet services behind multitiered firewalls. In this situation, especially with shared Web space, most ISPs offer FTP services to their clients for uploading the required files to the Web server. Consequently, most web sites have an FTP service running that has direct access to the directory that contains the actual client web site HTML files.

FTP, by design, is a faster method of transferring files across the Internet than HTTP. Most sites offer either HTTP or FTP file download, but normally FTP download is the faster of the two.
Threats Posed to FTP Servers

The major concern with FTP is that the built-in authentication system uses a username and password pair that is transmitted in clear text to the FTP server. This causes obvious concerns when the remote FTP server is accessed across a public, untrusted network. If the FTP username and password are intercepted, the attacker has the same access to your files and directories as you have, leading to disastrous results.

As with any other server, FTP servers are susceptible to DoS attacks. These attacks can render the server unusable to the Internet public.

Solutions to the Threats to FTP Servers

FTP access for downloading files from a Web server is normally pretty safe and anonymous; access can be allowed for this purpose. The problems arise when you start to use FTP to upload files that make up the company web site or similar services. This access has to be protected against intrusion, because the files being uploaded make up the corporate web site and must be kept secure. A good idea in this instance is either to run the management FTP access on a different port or to use a different server completely for public FTP access.

A firewall should be placed between the FTP server and the public Internet. This firewall will protect against some network-based DoS attacks. It should be configured so that management FTP access is permitted from as few hosts as possible.
Configuration Recommendations for FTP Servers

Using the Cisco Secure PIX Firewall, the following commands allow public FTP traffic to the FTP server with an internal address of 192.168.0.10/24 and provide static translation to the public address of 194.73.134.10/24. This is based on Figure 11-3:

static (inside,outside) 194.73.134.10 192.168.0.10 netmask 255.255.255.255 0 0
conduit permit tcp host 194.73.134.10 eq ftp any

Although this configuration is sufficient for public FTP read access, it probably is not good enough for management FTP access—that is, FTP access to manage the configuration or files on the FTP server. This requires a change to the preceding configuration so that it is management FTP access only. There are two hosts at the Mydomain.com main office from which management FTP will be performed. The public addresses of these two hosts are 195.195.195.1 and 195.195.195.2. Observe the changes to the configuration:

static (inside,outside) 194.73.134.10 192.168.0.10 netmask 255.255.255.255 0 0
conduit permit tcp host 194.73.134.10 eq ftp host 195.195.195.1
conduit permit tcp host 194.73.134.10 eq ftp host 195.195.195.2

Note that now the hosts 195.195.195.1 and 195.195.195.2 are specifically allowed FTP access to the server 194.73.134.10. All public FTP access to this server will now be denied.
Internet e-Mail Servers (SMTP/POP3/IMAP4)

Besides the World Wide Web, the other major factor in the growth of the Internet has been electronic mail. E-mail allows users to send messages instantly to worldwide recipients without cost or delay. This has had a huge impact on business; almost every business worker has an e-mail address.

As computer networks grew in the early '90s, corporate e-mail became very common within companies. No longer did you have to print out memorandums and place them in the required physical mailboxes or pigeonholes. You could type a short memo and send it directly from your e-mail client to the intended recipients. The use of e-mail distribution lists allowed users to send one e-mail to multiple recipients, further improving the value of e-mail.

With the advent and growth of the Internet, more and more corporations connected their internal e-mail systems to the Internet and provided internal users with Internet e-mail addresses. This opened up the world for internal e-mail users, as they could now send a message to anyone who had a valid Internet address directly from their usual e-mail client installed on their workstation.

Internet e-mail systems use a combination of three application layer protocols that belong to the TCP/IP suite. These protocols are SMTP, POP3, and IMAP4, and they operate over TCP ports 25, 110, and 143, respectively.

• Simple Mail Transfer Protocol (SMTP)— SMTP is an application layer protocol that operates over TCP port 25. SMTP is defined in RFC 821 and was originally modeled on FTP. SMTP transfers e-mail messages between systems and provides notification regarding incoming e-mail.

• Post Office Protocol version 3 (POP3)— POP3 is an application layer protocol that operates over TCP port 110. POP3 is defined in RFC 1939 and is a protocol that allows workstations to access a mail drop dynamically on a server host. The typical use of POP3 is on the e-mail client, where the client retrieves messages that the e-mail server is holding for it.

• Internet Message Access Protocol revision 4 (IMAP4)— IMAP4 is an application layer protocol that operates over TCP port 143. IMAP4 is defined in RFC 2060 and is a protocol that allows an e-mail client to access and manipulate e-mail messages that are stored on a server. IMAP4 adds a lot more functionality compared with POP3 and is the latest e-mail protocol to be devised. With IMAP4, you can manipulate and control remote e-mail accounts similar to the way you can with local mailboxes in Microsoft Exchange or a similar corporate e-mail client.

E-mail will continue to add to the growth of the Internet. New media-rich improvements to e-mail are occurring all the time. These improvements further enhance the benefit of e-mail, both to corporate and to home users.
Threats Posed to Internet e-Mail Servers

Internet e-mail systems can be attacked to deny service, or they can be misused if they are incorrectly configured. One common misuse of Internet e-mail systems is spam. Spam is unsolicited bulk e-mail; the people who send it are known as spammers. Spammers usually send bulk e-mails about get-rich-quick schemes or advertising pornographic web sites. Spam is enabled if the e-mail server is running as an open relay. Various Internet groups, such as the Open Relay Behavior-modification System (ORBS, www.orbs.org), have emerged to crack down on server administrators who are running open relays, either intentionally or unintentionally. Spam results in the e-mail servers becoming heavily loaded while sending out e-mails to sometimes thousands of recipients; this increases the load on the server and utilizes bandwidth to the server.

Internet e-mail servers, as any other server, can be subject to the common DoS attacks. These attacks render the server unusable to the general public.

There are also application vulnerabilities relating to Internet e-mail servers. The common Microsoft Windows-based e-mail system is Microsoft Exchange, and the common UNIX-based e-mail system is Sendmail. Both of these applications have vulnerabilities associated with them. Recently, there has been a vulnerability with Microsoft IIS 4.0 where you could run a command such as CMD.EXE remotely over the Internet. A very simple FORMAT C: could then be carried out to format a drive on the server. Microsoft has recently fixed this with a service pack.
Solutions to the Threats to Internet e-Mail Servers

The provision of a firewall between the Internet e-mail server and the public network is the easiest way to reduce the threats to the Internet e-mail server. The firewall should be configured to restrict access to the specific ports used for e-mail communication—in this case, SMTP and POP3.

The operating system and e-mail application that are running on the server should both have the latest service and security patches. This ensures that any known vulnerabilities that exist within the operating system and application are protected.

The e-mail service should be configured to disallow spam. There are various documents on how to do this, based on the e-mail server that you are running. Further information can be found at www.orbs.org.
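As an added example (Python written for this edition, not the book's own material), here is the relay decision a mail server makes on each RCPT TO command, first as the open relay the text warns about and then restricted to mail addressed to the hosted domain or mail submitted from trusted clients, together with a self-check in the spirit of an ORBS probe. The domain list, the 192.168.0.0/24 trusted network, the 203.0.113.9 client and the example.net recipient are constructed values, not taken from the book.

```python
import ipaddress

# Constructed policy for the Mydomain.com mail server: the domains it accepts
# mail for, and the client networks allowed to send outbound mail through it.
LOCAL_DOMAINS = {"mydomain.com"}
TRUSTED_CLIENTS = [ipaddress.ip_network("192.168.0.0/24")]


def relay_decision(client_ip, recipient, open_relay=False):
    """Decide an SMTP RCPT TO: 'accept' or 'reject'.

    open_relay=True models the misconfiguration described in the text: the
    server forwards mail from anyone to anywhere, which is what spammers use.
    """
    if open_relay:
        return "accept"
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "accept"                 # inbound mail for a domain we host
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_CLIENTS):
        return "accept"                 # outbound mail from our own users
    return "reject"                     # third-party relay attempt: refuse


def handle_rcpt(command, client_ip, open_relay=False):
    """Turn one 'RCPT TO:<addr>' command into the reply the server would send."""
    address = command.split(":", 1)[1].strip().strip("<>")
    if relay_decision(client_ip, address, open_relay) == "accept":
        return "250 OK"
    return "554 Relay access denied"


def run_session(client_ip, commands, open_relay=False):
    """Replies for a constructed list of RCPT TO commands from one client."""
    return [handle_rcpt(c, client_ip, open_relay) for c in commands]


def is_open_relay(open_relay=False):
    """Self-check in the style of an ORBS probe: would a stranger's mail to a
    stranger be accepted? (203.0.113.9 and example.net are constructed values.)"""
    return relay_decision("203.0.113.9", "someone@example.net", open_relay) == "accept"


if __name__ == "__main__":
    session = ["RCPT TO:<andrew@mydomain.com>", "RCPT TO:<victim@example.net>"]
    print("stranger, correct config:", run_session("203.0.113.9", session))
    print("stranger, open relay:    ", run_session("203.0.113.9", session, open_relay=True))
    print("open relay?", is_open_relay(False), is_open_relay(True))
```

The decision that matters is the last one in relay_decision: a recipient outside the hosted domains, from a client outside the trusted networks, is refused. An open relay differs from a correctly configured server only in skipping that test, which is why a single probe from outside is enough to detect it.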
Configuration Recommendations for Internet e-Mail Servers

Using the Cisco Secure PIX Firewall, the following commands allow SMTP and POP3 traffic to the Internet e-mail server with an internal address of 192.168.0.11/24 and provide static translation to the public address of 194.73.134.11/24. This is based on Figure 11-3:

static (inside,outside) 194.73.134.11 192.168.0.11 netmask 255.255.255.255 0 0
conduit permit tcp host 194.73.134.11 eq smtp any
conduit permit tcp host 194.73.134.11 eq pop3 any
Domain Name System (DNS) Servers

The Domain Name System (DNS) is a distributed database of IP address-to-name translations. When you type in a web site address or URL such as www.cisco.com, the first thing that happens is that this easy-to-use name gets converted into an IP address. The server is known on the network by its IP address, not by its name. It is easier for users to remember www.cisco.com than 192.168.10.12. This is the main reason that DNS was implemented, but there are other benefits of using a name-resolution service.

One of these is round-robin load balancing, where one domain name can be translated to more than one IP address. For example, you could register www.mydomain.com to 192.168.0.1 and 192.168.0.2. Both of these could be Web servers serving the Mydomain.com web site. Users accessing www.mydomain.com from their Web browsers would get either of the Web servers in a round-robin fashion. This provides load balancing and a simple form of fault tolerance.

Another use of DNS is in e-mail. You can set what is called a mail exchange (MX) record for any particular domain. SMTP, when sending e-mail between e-mail servers, first does a DNS lookup for the destination domain. For example, if a user sends an e-mail to andrew@mydomain.com, the user's SMTP server tries to resolve the domain name mydomain.com and locate the MX record for that domain. The MX record points by IP address to a server or group of servers that serve Internet e-mail for the domain. The user's SMTP server then sends the message to the IP address represented by the mydomain.com MX record.

DNS is described in RFC 1035 and RFC 1706.
Threats Posed to DNS Servers DNS oper at es over por t 53, using bot h UDP and TCP as t he t r anspor t layer pr ot ocol. Client nam e r equest s ar e car r ied out over UDP por t 53, and dom ain zone t r ansfer s ar e car r ied out over TCP por t 53. Zone t r ansfer s occur bet w een t he pr im ar y and secondar y DNS ser ver s. Updat es ar e car r ied out on t he pr im ar y ser ver , and t hese changes get r eplicat ed dow n t o t he secondar y ser v er s. The obv ious t hr eat s t hat apper t ain t o DNS ser ver s ar e DoS at t acks and net w or k int r usion. I nt er net client s r equir e DNS ser v er s t o r esolv e t he dom ain nam e t o t he I P addr ess of t he ser ver t hey ar e t r ying t o connect t o. At t acker s can eit her use a DoS at t ack against t he ser ver t o deny access fr om ot her DNS ser ver s and client s, or t hey can infilt r at e t he ser ver and change t he DNS infor m at ion. For exam ple, w w w .m ydom ain.com could have a DNS ent ry of 194.73.134.10; an at t acker could change t his t o 195.195.195.195, w hich point s t o a differ ent w eb sit e, t hus r edir ect ing all t r affic aw ay fr om t he My dom ain.com w eb sit e. Because of t he w ay DNS w or k s and get s cached all ov er t he I nt er net , t he at t ack w ould hav e t o be v er y pr olonged—m or e t han 48 hour s at least —befor e any r eal effect w ould be not iced.
Solutions to the Threats to DNS Servers
The easiest way to protect a DNS server is to place it behind a firewall device and limit access to only TCP and UDP port 53. This allows the DNS service to function correctly and disallows any other access to the operating system or port-advertising applications running on the server.
Configuration Recommendations for DNS Servers
Using the Cisco Secure PIX Firewall, the following commands allow DNS traffic to the DNS server with an internal address of 192.168.0.12/24 and provide static translation to the public address of 194.73.134.12/24. This is based on Figure 11-3:

static (inside,outside) 194.73.134.12 192.168.0.12 netmask 255.255.255.255 0 0
conduit permit tcp host 194.73.134.12 eq domain any
conduit permit udp host 194.73.134.12 eq domain any
Back-End Servers
A back-end server can be thought of as a server that is required for the Internet service to operate, but does not need to be public-facing or have a publicly accessible IP address. An example of this is a database server and is shown in Figure 11-3. These servers have to be able to communicate with the public-facing servers to fulfill the requests sent to them. In Figure 11-3, you can see that the Web server for Mydomain.com is serving Web files for www.mydomain.com. The Web server runs a stock lookup database that is linked to a back-end SQL database running on a server in the same Layer 3 domain as the Web server. NAT is used to statically translate the Web server's private IP address of 192.168.1.10 to the public IP address of 194.73.134.10. Therefore, Internet hosts access www.mydomain.com and DNS resolves this to 194.73.134.10. The Mydomain.com firewall handles this request and statically translates it inbound to 192.168.1.10. The SQL server has a private IP address of 192.168.1.20. There is no static translation for this server, so in theory, it cannot be accessed from the outside. Back-end servers can be any combination of the following:
• Database servers
• E-commerce servers
• Content servers
• Application servers
• Authentication servers
• Communications servers
There are numerous other servers that could fall into the category of back-end servers.
Threats Posed to Back-End Servers
Back-end servers should not be accessible to the public Internet unless required. If a back-end server is connected to the public Internet, it opens up all of the vulnerabilities associated with the operating system and also with the application.
Solutions to the Threats to Back-End Servers
The easiest way to remove the threats associated with back-end servers is to place them on a private network behind a firewall and not to provide a static translation between the private address and public address.
If the back-end server does need to be publicly visible, it should be placed behind a firewall and access should only be allowed to the specific ports that are required. This restricts the risks associated with allowing the back-end server to be accessed over the Internet. In addition, the latest service and security patches should be applied to the application to ensure that there are no backdoor vulnerabilities that can be exposed.
Summary
This chapter provided an overview of the common Internet services and the everyday threats these services are under when placed on the public Internet. The chapter looked at the main network intrusion methods and DoS attacks before presenting a basic example of a hosted network solution. This solution outlined the need for at least a firewall and NAT between the public Internet and the servers that make up the corporate Internet site. Finally, the chapter looked at each individual major Internet service, identified the threats, and outlined simple solutions to overcome these threats.
Frequently Asked Questions
Question: What exactly is a DoS attack?
Answer: DoS stands for denial of service. A DoS attack is a network-based attack on a server or group of servers that causes the server to deny service to other network requests. This denial can be caused by overloading the network or the physical resources on the server.
Question: What is NAT?
Answer: NAT stands for Network Address Translation. It is a method where public IP addresses get translated into private IP addresses for address-hiding purposes. You can create a private network behind a NAT device, such as a router or a firewall, and create static translations between these private addresses and public addresses. This hides the private addresses of the network from the public Internet and provides a method where the private servers can communicate with each other over the private addresses. There are two types of NAT. These are one-to-one NAT and one-to-many NAT. One-to-many NAT is also known as Port Address Translation (PAT).
Glossary
IDS (Intrusion Detection System)—Scans the network in real time to intercept attempted breaches of security.
ISP (Internet service provider)—A service provider that provides a connection to the public Internet.
NAT (Network Address Translation)—NAT is the translation of an IP address used within one network to a different IP address known within another network.
PIX (Private Internet Exchange)—The Cisco range of leading hardware-based firewalls.
Part IV: Appendix
Appendix A Cisco SAFE: A Security Blueprint for Enterprise Networks
Appendix A. Cisco SAFE: A Security Blueprint for Enterprise Networks
This appendix was originally published as a white paper and is reproduced here by permission of the authors and Cisco Systems. The format of this appendix has been modified slightly so that it can conform to this book's design.
Authors of This Appendix
Sean Convery (CCIE #4232) and Bernie Trudel (CCIE #1884) are the authors of this appendix, which was originally published as a white paper. Sean is the lead architect for the reference implementation of this architecture at Cisco's headquarters in San Jose, California. Sean and Bernie are both members of the VPN and Security Architecture Technical Marketing team in Cisco's Enterprise Line of Business.
Abstract
The principal goal of SAFE, Cisco's secure blueprint for enterprise networks, is to provide best-practice information to interested parties on designing and implementing secure networks. SAFE serves as a guide to network designers considering the security requirements of their networks. SAFE takes a defense-in-depth approach to network security design. This type of design focuses on the expected threats and their methods of mitigation, rather than on "put the firewall here, put the intrusion detection system there" instructions. This strategy results in a layered approach to security, where the failure of one security system is not likely to lead to the compromise of network resources. SAFE is based on Cisco products and those of its partners.
This document begins with an overview of the architecture, then details the specific modules that make up the actual network design. The first three sections of each module describe the traffic flows, key devices, and expected threats with basic mitigation diagrams. Detailed technical analysis of the design follows, along with more detailed threat mitigation techniques and migration strategies. The section "Annex A: Validation Lab" details the validation lab for SAFE and includes configuration snapshots. The section "Annex B: Network Security Primer" is a primer on network security. Readers who are unfamiliar with basic network security concepts are encouraged to read this section before the rest of the document. "Annex C: Architecture Taxonomy" contains glossary definitions of the technical terms used in this document.
This document focuses heavily on threats encountered in enterprise environments. Network designers who understand these threats can better decide where and how to deploy mitigation technologies. Without a full understanding of the threats involved in network security, deployments tend to be incorrectly configured, are too focused on security devices, or lack threat response options. By taking the threat-mitigation approach, this document should provide network designers with information for making sound network security choices.
Audience
Though this document is technical in nature, it can be read at different levels of detail, depending on the reader. A network manager, for example, can read the introductory sections in each area to obtain a good overview of network security design strategies and considerations. A network engineer or designer can read this document in its entirety and gain design information and threat analysis details, which are supported by configuration snapshots for the devices involved.
Caveats
This document presumes that you already have a security policy in place. Cisco Systems does not recommend deploying security technologies without an associated policy. This document directly addresses the needs of large enterprise customers. Although most of the principles discussed here also apply directly to small and medium businesses and even to home offices, they do so on a different scale. A detailed analysis of these business types is outside the scope of this document. However, in order to address the issue of smaller-scale networks in a limited manner, the "Alternatives" and "Enterprise Options" sections outline devices that you can eliminate if you want to reduce the cost of the architecture.
Following the guidelines in this document does not guarantee a secure environment, or that you will prevent all intrusions. True absolute security can only be achieved by disconnecting a system from the network, encasing it in concrete, and putting it in the bottom floor of Fort Knox. Your data will be very safe, though inaccessible. However, you can achieve reasonable security by establishing a good security policy, following the guidelines in this document, staying up-to-date on the latest developments in the hacker and security communities, and maintaining and monitoring all systems with sound system-administration practices. This includes awareness of application security issues that are not comprehensively addressed in this paper.
Though virtual private networks (VPNs) are included in this architecture, they are not described in great detail. Information such as scaling details, resilience strategies, and other topics related to VPNs are not included. Like VPNs, identity strategies (including certificate authorities [CAs]) are not discussed at any level of detail in this paper. Similarly, CAs require a level of focus that this document could not provide and still adequately address all the other relevant areas of network security. Also, because most enterprise networks have yet to deploy fully functional CA environments, it is important to discuss how to deploy networks securely without them. Finally, certain advanced networked applications and technologies (such as content networking, caching, and server load balancing) are not included in this document. Although their use within SAFE is to be expected, this paper does not cover their specific security needs.
SAFE uses the products of Cisco Systems and its partners. However, this document does not specifically refer to products by name. Components are referred to by functional purpose, rather than model number or name. During the validation of SAFE, real products were configured in the exact network implementation described in this document. Specific configuration snapshots from the lab are included in Annex A.
Throughout this document, the term hacker denotes an individual who attempts to gain unauthorized access to network resources with malicious intent. Although the term cracker is generally regarded as the more accurate word for this type of individual, hacker is used here for readability.
Architecture Overview
This section covers an architectural overview of SAFE.
Design Fundamentals
SAFE emulates as closely as possible the functional requirements of today's enterprise networks. Implementation decisions vary depending on the network functionality required. However, the following design objectives, listed in order of priority, guide the decision-making process.
• Security and attack mitigation based on policy
• Security implementation throughout the infrastructure (not just on specialized security devices)
• Secure management and reporting
• Authentication and authorization of users and administrators to critical network resources
• Intrusion detection for critical resources and subnets
• Support for emerging networked applications
First and foremost, SAFE is a security architecture. It must prevent most attacks from successfully affecting valuable network resources. The attacks that succeed in penetrating the first line of defense or originate from inside the network must be accurately detected and quickly contained to minimize their effect on the rest of the network. However, while being secure, the network must continue to provide critical services that users expect. Proper network security and good network functionality can be provided at the same time. The SAFE architecture is not a revolutionary way of designing networks, but is merely a blueprint for making networks secure.
SAFE is also resilient and scalable. Resilience in networks includes physical redundancy to protect against a device failure, whether it is by misconfiguration, physical failure, or network attack. Although simpler designs are possible, particularly if a network's performance needs are not great, this document uses a complex design as an example because designing security in a complex environment is more involved than in simpler environments. Options to limit the complexity of the design are discussed throughout this document.
At many points in the network design process, you need to choose between using integrated functionality in a network device and using a specialized functional appliance. The integrated functionality is often attractive because you can implement it on existing equipment, or because the features can interoperate with the rest of the device to provide a better functional solution. Appliances are often used when the depth of functionality required is very advanced or when performance needs require using specialized hardware. Make your decisions based on the capacity and functionality of the appliance rather than the integration advantage of the device. For example, sometimes you can choose an integrated higher-capacity Cisco IOS router with IOS firewall software, as opposed to a smaller IOS router with a separate firewall. Throughout this architecture, both types of systems are used. Most critical security functions migrate to dedicated appliances because of the performance requirements of large enterprise networks.
Module Concept
Although most enterprise networks evolve with the growing IT requirements of the enterprise, the SAFE architecture uses a green-field modular approach. A modular approach has two main advantages. First, it allows the architecture to address the security relationship among the various functional blocks of the network. Second, it permits designers to evaluate and implement security on a module-by-module basis, instead of attempting the complete architecture in a single phase. Figure A-1 illustrates the first layer of modularity in SAFE. Each block represents a functional area. The Internet service provider (ISP) module is not implemented by the enterprise, but it is included to the extent that specific security features should be requested of an ISP to mitigate against certain attacks.

Figure A-1. Enterprise Composite Module
The second layer of modularity, which is illustrated in Figure A-2, represents a view of the modules within each functional area. These modules perform specific roles in the network and have specific security requirements, but their sizes are not meant to reflect their scale in a real network. For example, the building module, which represents the end-user devices, might include 80 percent of the network devices. The security design of each module is described separately but is validated as part of the complete enterprise design.

Figure A-2. Enterprise SAFE Block Diagram
Although it is true that most existing enterprise networks cannot be easily dissected into clear-cut modules, this approach provides a guide for implementing different security functions throughout the network. The authors do not expect network engineers to design their networks to be identical to the SAFE implementation, but rather to use a combination of the modules described and integrate them into the existing network.
SAFE Axioms
This section covers the SAFE axioms:
• Routers Are Targets
• Switches Are Targets
• Hosts Are Targets
• Networks Are Targets
• Applications Are Targets
• Secure Management and Reporting
Routers Are Targets
Routers control access from every network to every network. They advertise networks and filter who can use them, and they are potentially a hacker's best friend. Router security is a critical element in any security deployment. By their nature, routers provide access, and therefore, you should secure them to reduce the likelihood that they are directly compromised. You can refer to other documents that have been written about router security. These documents provide more detail on the following subjects:
• Locking down Telnet access to a router
• Locking down Simple Network Management Protocol (SNMP) access to a router
• Controlling access to a router through the use of Terminal Access Controller Access Control System Plus (TACACS+)
• Turning off unneeded services
• Logging at appropriate levels
• Authentication of routing updates
The most current document on router security is available at the following URL: www.cisco.com/warp/customer/707/21.html.
Switches Are Targets
Like routers, switches (both Layer 2 and Layer 3) have their own set of security considerations. Unlike routers, not as much public information is available about the security risks in switches and what can be done to mitigate those risks. Most of the security techniques detailed in the preceding section, "Routers Are Targets," apply to switches. In addition, you should take the following precautions:
• Ports without any need to trunk should have any trunk settings set to off, as opposed to auto. This prevents a host from becoming a trunk port and receiving all traffic that would normally reside on a trunk port.
• Make sure that trunk ports use a virtual LAN (VLAN) number not used anywhere else in the switch. This prevents packets tagged with the same VLAN as the trunk port from reaching another VLAN without crossing a Layer 3 device. For more information, refer to the following URL: www.sans.org/newlook/resources/IDFAQ/vlan.htm.
• Set all unused ports on a switch to a VLAN that has no Layer 3 connectivity. Better yet, disable any port that is not needed. This prevents hackers from plugging into unused ports and communicating with the rest of the network.
• Avoid using VLANs as the sole method of securing access between two subnets. The capability for human error, combined with the understanding that VLANs and VLAN tagging protocols were not designed with security in mind, makes their use in sensitive environments inadvisable. When VLANs are needed in security deployments, be sure to pay close attention to the configurations and guidelines mentioned above.
Within an existing VLAN, private VLANs provide some added security to specific network applications. Private VLANs work by limiting which ports within a VLAN can communicate with other ports in the same VLAN. Isolated ports within a VLAN can communicate only with promiscuous ports. Community ports can communicate only with other members of the same community and promiscuous ports. Promiscuous ports can communicate with any port. This is an effective way to mitigate the effects of a single compromised host. Consider a standard public services segment with a Web, File Transfer Protocol (FTP), and Domain Name System (DNS) server. If the DNS server is compromised, a hacker can pursue the other two hosts without passing back through the firewall. If private VLANs are deployed, once one system is compromised, it cannot communicate with the other systems. The only targets a hacker can pursue are hosts on the other side of the firewall.
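The three private-VLAN port roles can be checked against the public services segment just described with a small reachability model. The following Python is an added example written for this edition; it is not part of the SAFE paper or of any Cisco product. The port names and the placement of the firewall's inside interface on a promiscuous port are assumptions made for the illustration, and the model is Layer 2 only (it ignores what a Layer 3 device on the promiscuous port might forward back in).

```python
from enum import Enum


class PortType(Enum):
    """The three private-VLAN port roles described in the text."""
    PROMISCUOUS = "promiscuous"
    ISOLATED = "isolated"
    COMMUNITY = "community"


class Port:
    def __init__(self, name, ptype, community=None):
        # Community ports must name their community; isolated/promiscuous ports have none.
        if ptype is PortType.COMMUNITY and community is None:
            raise ValueError("community ports need a community id")
        self.name = name
        self.ptype = ptype
        self.community = community


def can_talk(a, b):
    """Return True if port a may exchange Layer 2 frames with port b in the same private VLAN."""
    if a is b:
        return True
    # Promiscuous ports can communicate with any port, and any port can reach them.
    if a.ptype is PortType.PROMISCUOUS or b.ptype is PortType.PROMISCUOUS:
        return True
    # Community ports talk only to members of the same community (and promiscuous ports, above).
    if a.ptype is PortType.COMMUNITY and b.ptype is PortType.COMMUNITY:
        return a.community == b.community
    # Anything involving an isolated port (or two different communities) is blocked.
    return False


def reachable_from(src, ports):
    """Names of the ports a compromised host on src could still reach inside the VLAN."""
    return sorted(p.name for p in ports if p is not src and can_talk(src, p))


def public_services_segment():
    """Constructed example of the segment in the text: Web, FTP and DNS on isolated ports,
    the firewall's inside interface on the promiscuous port (assumption)."""
    return {
        "firewall": Port("firewall", PortType.PROMISCUOUS),
        "web": Port("web", PortType.ISOLATED),
        "ftp": Port("ftp", PortType.ISOLATED),
        "dns": Port("dns", PortType.ISOLATED),
    }


if __name__ == "__main__":
    seg = public_services_segment()
    # A compromised DNS server can reach only the firewall, not the Web or FTP hosts.
    print("compromised dns can reach:", reachable_from(seg["dns"], seg.values()))
```

Running the block prints ['firewall'] for the compromised DNS server, which is the text's point: the only remaining targets are on the far side of the firewall. Community ports can be modelled the same way, for instance an application tier that must talk among itself but not to the database tier.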
Hosts Are Targets
A host is the most likely target during an attack and presents some of the most difficult challenges from a security perspective. There are numerous hardware platforms, operating systems, and applications, all of which have updates, patches, and fixes available at different times. Because hosts provide the application services to other hosts that request them, they are extremely visible within the network. For example, many people have visited www.whitehouse.gov, which is a host, but few have attempted to access s2-0.whitehouseisp.net, which is a router. Because of this visibility, hosts are the most frequently attacked devices in any network intrusion attempt. In part because of the security challenges mentioned above, hosts are also the most successfully compromised devices. For example, a given Web server on the Internet might run a hardware platform from one vendor, a network card from another, an operating system from still another vendor, and a Web server that is either open source or from yet another vendor. Additionally, the same Web server might run applications that are freely distributed over the Internet, and it might communicate with a database server that starts the variations all over again. That is not to say that the security vulnerabilities are specifically caused by the multisource nature of hosts, but rather that as the complexity of a system increases, so does the likelihood of a failure. To secure hosts, pay careful attention to each of the components within the systems. Keep any systems up-to-date with the latest patches, fixes, and so forth. In particular, pay attention to how these patches affect the operation of other system components. Evaluate all updates on test systems before you implement them in a production environment. Failure to do so might result in the patch itself causing a denial of service (DoS).
Networks Are Targets
The worst attack is one that you cannot stop. When performed properly, distributed denial of service (DDoS) is just such an attack. As outlined in Annex B, DDoS works by causing tens or hundreds of machines to send spurious data simultaneously to an IP address. The goal of such an attack is generally not to shut down a particular host, but rather to make the entire network unresponsive. For example, consider an organization with a DS3 (45 Mbps) connection to the Internet that provides e-commerce services to its web site users. Such a site is very security conscious and has intrusion detection, firewalls, logging, and active monitoring. Unfortunately, all of these security devices do not help when a hacker launches a successful DDoS attack. Consider 100 devices around the world, each with DS1 (1.5 Mbps) connections to the Internet. If these systems are told remotely to flood the serial interface of the e-commerce organization's Internet router, they can easily flood the DS3 with erroneous data. Even if each host is only able to generate 1 Mbps of traffic (lab tests indicate that a stock UNIX workstation can easily generate 50 Mbps with a popular DDoS tool), that amount is still more than twice the amount of traffic that the e-commerce site can handle. As a result, legitimate Web requests are lost, and the site appears to be down for most users. The local firewall drops all of the erroneous data, but by then, the damage is done. The traffic has crossed the WAN connection and filled up the link.
Only through cooperation with its ISP can this fictitious e-commerce company hope to thwart such an attack. An ISP can configure rate limiting on the outbound interface to the company's site. This rate limiting can drop most undesired traffic when it exceeds a prespecified amount of the available bandwidth. The key is to flag traffic correctly as undesired. Common forms of DDoS attacks are ICMP floods, TCP SYN floods, or UDP floods. In an e-commerce environment, this type of traffic is fairly easy to categorize. Only when limiting a TCP SYN attack on port 80 (Hypertext Transfer Protocol [HTTP]) does an administrator run the risk of locking out legitimate users during an attack. Even then, it is better to lock out new legitimate users temporarily and retain routing and management connections than to have the router overrun and lose all connectivity. More sophisticated attacks use port 80 traffic with the ACK bit set so that the traffic appears to be legitimate Web transactions. It is unlikely that an administrator could properly categorize such an attack, because acknowledged TCP communications are exactly the sort that you want to allow into your network.
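The rate-limiting approach the ISP would apply can be illustrated with per-class token buckets. The following Python is an added example for this edition, not configuration from the SAFE lab or from any ISP: the DS3 figure comes from the text, but the class definitions, the share of the link granted to each class, and the constructed traffic are assumptions. It also shows the caveat the text raises: established (ACK) port 80 traffic is left unlimited because it cannot be told apart from real Web transactions, so a flood built from it passes through untouched.

```python
from collections import defaultdict

DS3_BPS = 45_000_000  # the organization's DS3 link from the text

# Constructed policy (assumption): how much of the DS3 each traffic class may consume
# on the ISP's outbound interface before the excess is dropped.
CLASS_LIMITS_BPS = {
    "icmp": DS3_BPS // 100,    # 1%: ICMP is never needed at volume
    "udp": DS3_BPS // 20,      # 5%: room for DNS and similar, but UDP floods are common
    "tcp_syn": DS3_BPS // 10,  # 10%: connection setup; a SYN flood beyond this is dropped
    "tcp_other": DS3_BPS,      # established/ACK traffic looks legitimate and is not limited here
}


def classify(pkt):
    """Map a constructed packet (dict with proto and TCP flags) to a rate-limit class."""
    if pkt["proto"] == "icmp":
        return "icmp"
    if pkt["proto"] == "udp":
        return "udp"
    if pkt["proto"] == "tcp":
        return "tcp_syn" if pkt.get("syn") and not pkt.get("ack") else "tcp_other"
    return "tcp_other"  # assumption: anything else is not limited


class TokenBucket:
    """Token bucket in bytes: refills at rate_bps/8 bytes per second, burst of one second."""

    def __init__(self, rate_bps, now=0.0):
        self.rate = rate_bps / 8.0
        self.capacity = self.rate
        self.tokens = self.capacity
        self.last = now

    def allow(self, nbytes, now):
        # Refill for the elapsed time, capped at the burst size, then try to spend.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


def rate_limit(packets, limits=CLASS_LIMITS_BPS):
    """Run packets through per-class buckets; return bytes forwarded and dropped per class."""
    buckets = {cls: TokenBucket(bps) for cls, bps in limits.items()}
    stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0})
    for pkt in sorted(packets, key=lambda p: p["t"]):
        cls = classify(pkt)
        verdict = "forwarded" if buckets[cls].allow(pkt["len"], pkt["t"]) else "dropped"
        stats[cls][verdict] += pkt["len"]
    return dict(stats)


def flood(proto, n, size, duration, **flags):
    """Constructed traffic: n packets of size bytes spread evenly over duration seconds."""
    return [dict(t=i * duration / n, proto=proto, len=size, **flags) for i in range(n)]


if __name__ == "__main__":
    # 100 hosts x 1 Mbps of ICMP for one second, as in the text's scenario (~12.5 MB).
    print("icmp flood:", rate_limit(flood("icmp", 8333, 1500, 1.0)))
    # A 10 Mbps stream of acknowledged port 80 traffic passes untouched.
    print("ack traffic:", rate_limit(flood("tcp", 1000, 1250, 1.0, ack=True)))
```

In the ICMP case the bucket lets through roughly one second's worth of the 1 percent allowance and drops the rest before it reaches the DS3; in the ACK case nothing is dropped, which is exactly why the text says such an attack cannot be categorized by rate limiting alone.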
One approach to limiting this sort of attack is to follow the guidelines outlined in RFC 1918 and RFC 2827. RFC 1918 specifies the networks that are reserved for private use and should never be seen across the public Internet. RFC 2827 filtering is discussed in the "IP Spoofing" section of Annex B. For inbound traffic on a router that is connected to the Internet, you could employ RFC 1918 and RFC 2827 filtering to prevent unauthorized traffic from reaching the corporate network. When implemented at the ISP, this filtering prevents DDoS attack packets that use these addresses as sources from traversing the WAN link, potentially saving bandwidth during the attack. Collectively, if ISPs worldwide were to implement the guidelines in RFC 2827, source address spoofing would be greatly diminished. Although this strategy does not directly prevent DDoS attacks, it does prevent such attacks from masking their source, which makes traceback to the attacking networks much easier.
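The two filters can be expressed as a source-address classifier. The following Python is an added example for this edition and not a SAFE lab snapshot; it goes slightly beyond the paragraph by covering both directions: the enterprise's inbound check (RFC 1918 sources, plus packets that claim to come from the enterprise's own public block, which is the RFC 2827 test seen from the customer edge) and the ISP's outbound check on the customer-facing interface (only the customer's own prefix may appear as a source). The 194.73.134.0/24 block is borrowed from this book's earlier examples; the sample packets are constructed.

```python
import ipaddress

# RFC 1918 private networks: must never appear as a source on the public Internet.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed example (assumption): the enterprise's own public address block.
ENTERPRISE_NET = ipaddress.ip_network("194.73.134.0/24")


def classify_inbound_source(src_ip, enterprise_net=ENTERPRISE_NET):
    """Classify the source of a packet arriving at the enterprise edge from the Internet.

    Returns one of:
      "rfc1918" - private source that should never cross the public Internet
      "rfc2827" - claims to be one of our own addresses, yet arrived from outside: spoofed
      "bogon"   - loopback, multicast, link-local or unspecified source; cannot be legitimate
      "permit"  - nothing in RFC 1918 / RFC 2827 filtering objects to it
    """
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in RFC1918_NETS):
        return "rfc1918"
    if ip in enterprise_net:
        return "rfc2827"
    if ip.is_loopback or ip.is_multicast or ip.is_link_local or ip.is_unspecified:
        return "bogon"
    return "permit"


def classify_outbound_source(src_ip, enterprise_net=ENTERPRISE_NET):
    """RFC 2827 as the ISP applies it on the customer-facing interface: only the customer's
    assigned prefix may be a source, so DDoS packets with forged sources never leave the site."""
    return "permit" if ipaddress.ip_address(src_ip) in enterprise_net else "rfc2827"


def filter_inbound(packets, enterprise_net=ENTERPRISE_NET):
    """Apply the inbound filter to (src, dst) tuples; return (permitted, dropped_by_reason)."""
    permitted, dropped = [], {}
    for src, dst in packets:
        verdict = classify_inbound_source(src, enterprise_net)
        if verdict == "permit":
            permitted.append((src, dst))
        else:
            dropped.setdefault(verdict, []).append(src)
    return permitted, dropped


# Constructed sample of traffic arriving on the Internet-facing interface.
SAMPLE_PACKETS = [
    ("203.0.113.7", "194.73.134.10"),    # ordinary Internet client
    ("10.1.2.3", "194.73.134.10"),       # RFC 1918 source: drop
    ("194.73.134.77", "194.73.134.10"),  # claims to be our own host, came from outside: drop
    ("127.0.0.1", "194.73.134.12"),      # loopback source: drop
    ("198.51.100.9", "194.73.134.12"),   # ordinary Internet client
]

if __name__ == "__main__":
    permitted, dropped = filter_inbound(SAMPLE_PACKETS)
    print("permitted:", permitted)
    print("dropped:", dropped)
```

The same classifier is what an access list at the ISP or on the edge router encodes; doing it in code makes it easy to test the policy against captured source addresses before deploying the list.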
Applications Are Targets
Applications are coded by human beings (mostly) and as such, are subject to numerous errors. These errors can be benign, for example, an error that causes your document to print incorrectly, or malignant, for example, an error that makes the credit card numbers on your database server available over anonymous FTP. It is the malignant problems, in addition to other more general security vulnerabilities, that intrusion detection systems (IDSs) aim to detect. Intrusion detection acts like an alarm system in the physical world. When an IDS detects something that it considers an attack, it can either take corrective action itself or notify a management system for actions by the administrator. Some systems are more or less equipped to respond and prevent such an attack. Host-based intrusion detection can work by intercepting OS and application calls on an individual host. It can also operate by after-the-fact analysis of local log files. The former approach allows better attack prevention, while the latter approach dictates a more passive attack-response role. Because of the specificity of its role, host-based IDS (HIDS) is often better at preventing specific attacks than network IDS (NIDS), which usually only issues an alert on discovery of an attack. However, the HIDS specificity causes a loss of perspective to the overall network. This is where NIDS excels. Cisco recommends a combination of the two systems—HIDS on critical hosts and NIDS looking over the whole network—for complete intrusion detection.
Once deployed, you must tune an IDS implementation to increase its effectiveness and remove false positives. False positives are defined as alarms caused by legitimate traffic or activity. False negatives are attacks that the IDS system fails to see. Once the IDS is tuned, you can configure it more specifically to its threat mitigation role. As mentioned above, you should configure HIDS to stop most valid threats at the host level, because HIDS is well prepared to determine that certain activity is indeed a threat. When deciding on mitigation roles for NIDS, there are two primary options. The first option, and potentially the most damaging if improperly deployed, is to "shun" traffic by the addition of access-control filters on routers.
When a NIDS detects an attack from a particular host over a particular protocol, it can block that host from coming into the network for a predetermined amount of time. Although on the surface this might seem like a great aid to a security administrator, in reality it must be very carefully implemented, if at all. The first problem is spoofed addresses. If traffic that matches an attack is seen by the NIDS, and that particular alarm triggers a shun response, the NIDS will deploy the access list to the device. However, if the attack that caused the alarm used a spoofed address, the NIDS has now locked out an address that never initiated an attack. If the IP address that the hacker used happens to be the IP address of a major ISP's outbound HTTP proxy server, a huge number of users could be locked out. This by itself could be an interesting DoS threat in the hands of a creative hacker. To mitigate the risks of shunning, you should generally use it only on TCP traffic, which is much more difficult to successfully spoof than UDP. Use it only in cases where the threat is real and the chance of the attack being a false positive is very low. However, in the interior of a network, many more options exist. With effectively deployed RFC 2827 filtering, spoofed traffic should be very limited. Also, because customers are not generally on the internal network, you can take a more restrictive stance against internally originated attack attempts. Another reason for this is that internal networks do not often have the same level of stateful filtering that edge connections possess. As such, IDS needs to be more heavily relied on than in the external environment.

The second option for NIDS threat mitigation is the use of TCP resets. As the name implies, TCP resets operate only on TCP traffic and terminate an active attack by sending TCP reset messages to the attacking and attacked host. Because TCP traffic is more difficult to spoof, you should consider using TCP resets more often than shunning. From a performance standpoint, NIDS observes packets on the wire. If packets are sent faster than the NIDS can process them, there is no degradation to the network, because the NIDS does not sit directly in the flow of data. However, the NIDS will lose effectiveness and packets could be missed, causing both false negatives and false positives. Be sure to avoid exceeding the capabilities of IDS so that you can get its benefits. From a routing standpoint, IDS, like many state-aware engines, does not operate properly in an asymmetrically routed environment. Packets sent out from one set of routers and switches and returning through another will cause the IDS systems to see only half of the traffic, causing false positives and false negatives.
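The shun-versus-reset reasoning above can be written down as a response policy: shun only TCP alarms whose false-positive likelihood is low, fall back to a TCP reset for TCP alarms that do not meet the shun bar, and never shun an address whose loss would lock out a whole user population. The following is an added example written for this edition, not code from the book or from any Cisco product; the Alarm fields, the confidence thresholds, the never-shun list, the edge/interior sensor labels and the sample alarms are all constructed for illustration.

```python
"""Response policy for NIDS alarms: alert only, TCP reset, or shun.

Added example. The Alarm fields, thresholds, prefixes and sample alarms are
constructed; nothing here is a Cisco API or configuration."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Alarm:
    signature: str
    protocol: str      # "tcp" or "udp"
    src: str
    dst: str
    confidence: float  # 0..1, how unlikely the alarm is to be a false positive (assumed field)
    sensor: str        # "edge" or "interior" (assumed placement label)


# Addresses whose loss would affect many users (the ISP proxy case from the text).
# Shunning these is a self-inflicted DoS. Constructed sample, documentation prefix.
NEVER_SHUN = [ip_network("198.51.100.0/24")]

# Internal prefixes. An interior sensor that sees a source outside these has seen
# spoofed traffic that RFC 2827 filtering should have dropped; blocking the
# forged address protects nothing. Constructed sample.
INTERNAL_PREFIXES = [ip_network("10.0.0.0/8")]

SHUN_CONFIDENCE_EDGE = 0.95      # shun only when a false positive is very unlikely
SHUN_CONFIDENCE_INTERIOR = 0.80  # a more restrictive stance is acceptable inside
RESET_CONFIDENCE = 0.50          # below this, only alert: a reset also cuts legitimate sessions


def in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


def choose_response(alarm):
    """Return 'alert', 'tcp-reset' or 'shun' for one alarm."""
    # UDP is trivially spoofed, so neither shunning nor resets are safe or possible.
    if alarm.protocol != "tcp":
        return "alert"
    # Interior sensor, non-internal source: the address is forged, do not shun it.
    if alarm.sensor == "interior" and not in_any(alarm.src, INTERNAL_PREFIXES):
        return "alert"
    if alarm.confidence < RESET_CONFIDENCE:
        return "alert"
    # Shared infrastructure is never shunned, but a reset still ends the active session.
    if in_any(alarm.src, NEVER_SHUN):
        return "tcp-reset"
    threshold = SHUN_CONFIDENCE_EDGE if alarm.sensor == "edge" else SHUN_CONFIDENCE_INTERIOR
    return "shun" if alarm.confidence >= threshold else "tcp-reset"


def plan_responses(alarms):
    """Map 'signature@source' to the chosen response for a batch of alarms."""
    return {f"{a.signature}@{a.src}": choose_response(a) for a in alarms}


SAMPLE_ALARMS = [  # constructed
    Alarm("udp-flood", "udp", "203.0.113.7", "10.1.1.10", 0.99, "edge"),
    Alarm("web-exploit", "tcp", "203.0.113.8", "10.1.1.20", 0.99, "edge"),
    Alarm("web-exploit", "tcp", "198.51.100.5", "10.1.1.20", 0.99, "edge"),
    Alarm("port-scan", "tcp", "203.0.113.9", "10.1.1.20", 0.60, "edge"),
    Alarm("smb-exploit", "tcp", "10.2.3.4", "10.1.1.30", 0.85, "interior"),
    Alarm("smb-exploit", "tcp", "192.0.2.9", "10.1.1.30", 0.85, "interior"),
]

if __name__ == "__main__":
    for key, action in plan_responses(SAMPLE_ALARMS).items():
        print(f"{key:28s} -> {action}")
```

The ordering of the checks is the point: protocol and spoof plausibility are decided before confidence, so a high-confidence alarm on a forged or shared address can never push an access list. Thresholds would be tuned per deployment after the false-positive review the text describes.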
Secure Management and Reporting

"If you're going to log it, read it." It is such a simple proposition that almost everyone familiar with network security has said it at least once. Yet logging and reading information from more than 100 devices can prove to be a challenging proposition. Which logs are most important? How do I separate important messages from mere notifications? How do I ensure that logs are not tampered with in transit? How do I ensure my time stamps match each other when multiple devices report the same alarm? What information is needed if log data is required for a criminal investigation? How do I deal with the volume of messages that can be generated by a large network? You must address all of these questions when considering managing log files effectively. From a management standpoint, a different set of questions needs to be asked: How do I securely manage a device? How can I push content out to public servers and ensure that it is not tampered with in transit? How can I track changes on devices to troubleshoot when attacks or network failures occur?

From an architectural point of view, providing out-of-band (OOB) management of network systems is the best first step in any management and reporting strategy. OOB, as its name implies, refers to a network on which no production traffic resides. Devices should have a direct local connection to such a network where possible, and where impossible because of geographic or system-related issues, the device should connect by a private encrypted tunnel over the production network. Such a tunnel should be preconfigured to communicate only across the specific ports required for management and reporting.
The tunnel should also be locked down so that only appropriate hosts can initiate and terminate tunnels. Be sure that the OOB network itself does not create security issues. See the "Management Module" section of this document for more details.

After implementing an OOB management network, dealing with logging and reporting becomes more straightforward. Most networking devices can send syslog data, which can be invaluable when troubleshooting network problems or security threats. Send this data to one or more syslog analysis hosts on the management network. Depending on the device involved, you can choose various logging levels to ensure that the correct amount of data is sent to the logging devices. You also need to flag device log data within the analysis software to permit granular viewing and reporting. For example, during an attack, the log data provided by Layer 2 switches might not be as interesting as the data provided by the IDS. Specialized applications, such as IDS, often use their own logging protocols to transmit alarm information. Usually this data should be logged to separate management hosts that are better equipped to deal with attack alarms. When combined, alarm data from many different sources can provide information about the overall health of the network.

To ensure that log messages are time synchronized to one another, clocks on hosts and network devices must be in sync. For devices that support it, Network Time Protocol (NTP) provides a way to ensure that accurate time is kept on all devices. When dealing with attacks, seconds matter because it is important to identify the order in which a specified attack took place.

From a management standpoint, which for the purposes of this document refers to any function performed on a device by an administrator other than logging and reporting, there are other issues and solutions. As with logging and reporting, the OOB network allows the transport of information to remain in a controlled environment where it is not subject to tampering. Still, when secure configuration is possible, such as through the use of Secure Socket Layer (SSL) or Secure Shell (SSH), it should be preferred. SNMP should be treated with the utmost care because the underlying protocol has its own set of security vulnerabilities. Consider providing read-only access to devices over SNMP and treat the SNMP community string with the same care that you might treat a root password on a critical UNIX host.

Configuration change management is another issue related to secure management. When a network is under attack, it is important to know the state of critical network devices and when the last known modifications took place. Creating a plan for change management should be a part of your comprehensive security policy, but at a minimum, you should record changes using authentication systems on the devices and archive configurations by FTP or Trivial File Transfer Protocol (TFTP).
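Two of the questions raised above, separating important messages from notifications and making sure time stamps from different devices agree, can be checked mechanically once syslog is aggregated on the management network. The following is an added example written for this edition, not code from the book or from any Cisco product: it parses BSD-style syslog lines, decodes the facility and severity from the priority field, keeps messages at or above a chosen severity in time order, and flags devices whose reports of the same flow are far enough apart in time to suggest clocks that are not NTP-synchronized. The sample lines, the NIDS message format, the flow-matching regular expression and the assumed year are constructed.

```python
"""Aggregate syslog from several devices: severity filtering, ordering, clock-skew hints.

Added example. Sample lines, the NIDS alarm format and the flow regex are constructed."""

import re
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$")
# BSD syslog timestamps carry no year; one is assumed here so events can be ordered.
ASSUMED_YEAR = 2001
# Flow notation "src(port) -> dst(port)" as used in the constructed sample messages.
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\)")
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(line):
    """Decode one line into host, time, facility, severity and message; None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # facility 0..23, severity 0..7 -> PRI 0..191
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"host": m.group("host"), "time": ts,
            "facility": pri // 8, "severity": pri % 8,
            "severity_name": SEVERITY_NAMES[pri % 8], "msg": m.group("msg")}


def select(events, max_severity):
    """Keep events at severity <= max_severity (lower is more urgent), oldest first."""
    return sorted((e for e in events if e["severity"] <= max_severity),
                  key=lambda e: e["time"])


def clock_skew_suspects(events, tolerance=timedelta(seconds=5)):
    """Pairs of devices that reported the same flow more than `tolerance` apart.

    Two devices on the path of one connection should stamp it within seconds of
    each other; a larger gap points at a device whose clock is not NTP-synced."""
    by_flow = {}
    for e in events:
        m = FLOW_RE.search(e["msg"])
        if m:
            by_flow.setdefault(m.groups(), []).append(e)
    suspects = []
    for flow, group in by_flow.items():
        for i in range(len(group)):
            for j in range(i + 1, len(group)):
                a, b = group[i], group[j]
                if a["host"] != b["host"] and abs(a["time"] - b["time"]) > tolerance:
                    suspects.append((a["host"], b["host"], flow[0], flow[2]))
    return suspects


def analyze(lines, max_severity=5):
    """Parse, drop malformed lines, and return (selected events, skew suspects)."""
    events = [e for e in map(parse_syslog, lines) if e]
    return select(events, max_severity), clock_skew_suspects(events)


SAMPLE_LINES = [  # constructed; hosts and addresses are illustrative
    "<190>Jan 12 10:00:01 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.2.3.4(4421) -> 10.1.1.20(22), 1 packet",
    "<187>Jan 12 10:00:03 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down",
    "<189>Jan 12 10:00:04 fw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.9.2)",
    "<186>Jan 12 10:02:31 nids1 ALARM sig=3050 tcp 10.2.3.4(4421) -> 10.1.1.20(22) half-open scan",
    "<191>Jan 12 10:00:05 sw2 debug: spanning-tree recalculation",
    "garbage line that is not syslog",
]

if __name__ == "__main__":
    selected, skew = analyze(SAMPLE_LINES)
    for e in selected:
        print(e["time"], e["host"], e["severity_name"], e["msg"][:60])
    for a, b, src, dst in skew:
        print(f"clock skew suspected between {a} and {b} for {src} -> {dst}")
```

With the sample input the informational access-list hit and the debug message are dropped at severity threshold 5 (notice), the remaining events are ordered, and the firewall and NIDS are flagged because their reports of the same flow differ by two and a half minutes.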
Enterprise Module

The enterprise comprises two functional areas: the campus and the edge. These two areas are further divided into modules that define the various functions of each area in detail. Following the detailed discussion of the modules in the "Enterprise Campus" and "Enterprise Edge" sections, the "Enterprise Options" section of this document describes various options for the design.
Expected Threats

From a threat perspective, the enterprise network is like most networks connected to the Internet. There are internal users who need access out and external users who need access in. There are several common threats that can generate the initial compromise that a hacker needs to penetrate the network further with secondary exploits. First is the threat from internal users. Though statistics vary on the percentage, it is an established fact that the majority of all attacks come from the internal network. Disgruntled employees, corporate spies, visiting guests, and inadvertently bumbling users are all potential sources of such attacks. When designing security, it is important to be aware of the potential for internal threats. Second is the threat to the publicly addressable hosts that are connected to the Internet. These systems are likely to be attacked with application layer vulnerabilities and DoS attacks. The final threat is that a hacker might try to determine your data phone numbers by using a war-dialer and try to gain access to the network. War-dialers are software or hardware that are designed to dial many phone numbers and determine the type of system on the other end of the connection. Personal systems with remote-control software installed by the user are the most vulnerable, because they typically are not very secure. Because these devices are behind the firewall, once hackers have access over the host they dialed into, they can impersonate users on the network. For a complete discussion of threat details, refer to Annex B.
Enterprise Campus

Figure A-3 shows a detailed analysis of all of the modules contained within the enterprise campus.

Figure A-3. Enterprise Campus Detail
Management Module

The primary goal of the management module (see Figure A-4) is to facilitate the secure management of all devices and hosts within the enterprise SAFE architecture. Logging and reporting information flows from the devices to the management hosts, while content, configurations, and new software flow to the devices from the management hosts.

Figure A-4. Management Traffic Flow
Key Devices

The key devices (see Figure A-5) are as follows:

Figure A-5. Management Module: Detail

• SNMP management host— Provides SNMP management for devices
• NIDS host— Provides alarm aggregation for all NIDS devices in the network
• Syslog hosts— Aggregates log information for firewall and NIDS hosts
• Access control server— Delivers one-time, two-factor authentication services to the network devices
• One-time password (OTP) server— Authorizes one-time password information relayed from the access control server
• System admin host— Provides configuration, software, and content changes on devices
• NIDS appliance— Provides Layer 4 to Layer 7 monitoring of key network segments in the module
• Cisco IOS firewall— Allows granular control for traffic flows between the management hosts and the managed devices
• Layer 2 switch (with private VLAN support)— Ensures data from managed devices can only cross directly to the IOS firewall
Threats Mitigated

The threats mitigated (see Figure A-6) are as follows:

Figure A-6. Attack Mitigation Roles for Management Module

• Unauthorized access— Filtering at the IOS firewall stops most unauthorized traffic in both directions.
• Man-in-the-middle attacks— Management data is crossing a private network, making man-in-the-middle attacks difficult.
• Network reconnaissance— Because all management traffic crosses this network, it does not cross the production network where it could be intercepted.
• Password attacks— The access control server allows for strong two-factor authentication at each device.
• IP spoofing— Spoofed traffic is stopped in both directions at the IOS firewall.
• Packet sniffers— A switched infrastructure limits the effectiveness of sniffing.
• Trust exploitation— Private VLANs prevent a compromised device from masquerading as a management host.
Design Guidelines

As can be seen in Figure A-6, the SAFE enterprise management network has two network segments that are separated by an IOS router, which acts as a firewall and a VPN termination device. The segment outside the firewall connects to all of the devices that require management. The segment inside the firewall contains the management hosts themselves and the IOS routers that act as terminal servers. The remaining interface connects to the production network, but only for IPSec-protected management traffic from predetermined hosts. This allows for management of a Cisco device that did not physically have enough interfaces to support the normal management connection. The IOS firewall is configured to allow syslog information into the management segment, in addition to Telnet, SSH, and SNMP if these are first initiated by the inside network.

Both management subnets operate under an address space that is completely separate from the rest of the production network. This ensures that the management network will not be advertised by any routing protocols. This also enables the production network devices to block any traffic from the management subnets that appear on the production network links.

The management module provides configuration management for nearly all devices in the network through the use of two primary technologies: Cisco IOS routers acting as terminal servers and a dedicated management network segment. The routers provide a reverse Telnet function to the console ports on the Cisco devices throughout the enterprise. More extensive management features (software changes, content updates, log and alarm aggregation, and SNMP management) are provided through the dedicated management network segment. The few other unmanaged devices and hosts are managed through IPSec tunnels that originate from the management router.

Because the management network has administrative access to nearly every area of the network, it can be a very attractive target to hackers. The management module has been built with several technologies designed to mitigate those risks. The first primary threat is a hacker attempting to gain access to the management network itself. This threat can only be mitigated through the effective deployment of security features in the remaining modules in the enterprise. All of the remaining threats assume that the primary line of defense has been breached. To mitigate the threat of a compromised device, access control is implemented at the firewall and at every other possible device to prevent exploitation of the management channel. A compromised device cannot even communicate with other hosts on the same subnet, because private VLANs on the management segment switches force all traffic from the managed devices directly to the IOS firewall where filtering takes place. Password sniffing reveals only useless information because of the OTP environment. HIDS and NIDS are also implemented on the management subnet and are configured in a very restrictive stance. Because the types of traffic on this network should be very limited, any signature match on this segment should be met with an immediate response.

SNMP management has its own set of security needs. Keeping SNMP traffic on the management segment allows it to traverse an isolated segment when pulling management information from devices. With SAFE, SNMP management only pulls information from devices, rather than being allowed to push changes. To ensure this, each device is configured with a read-only string.

Proper aggregation and analysis of the syslog information is critical to the proper management of a network. From a security perspective, syslog provides important information regarding security violations and configuration changes. Depending on the device in question, different levels of syslog information might be required. Having full logging with all messages sent might provide too much information for an individual or syslog analysis algorithm to sort. Logging for the sake of logging does not improve security.
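The IOS firewall rule described in these guidelines (syslog admitted from the managed devices without solicitation; Telnet, SSH and SNMP admitted only when the management segment opened the conversation) is a stateful policy, and the following added example models it as one so the behaviour can be checked against sample traffic. This is example code written for this edition, not IOS configuration and not Cisco code; the 10.99.x.x segment addresses, the idle timeout and the sample packets are constructed.

```python
"""Stateful model of the management-module firewall rule.

Added example. Segment prefixes, the syslog host address, the idle timeout and
the sample packets are constructed; this is not IOS configuration."""

from dataclasses import dataclass

MGMT_NET = "10.99.1."     # inside: management hosts (constructed)
DEVICE_NET = "10.99.2."   # outside: managed devices (constructed)
SYSLOG_HOST = "10.99.1.50"
# Management protocols the inside may initiate toward managed devices.
ALLOWED_OUTBOUND = {("tcp", 23), ("tcp", 22), ("udp", 161)}  # Telnet, SSH, SNMP get
SESSION_TTL = 3           # idle ticks before a session entry expires (assumed)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    tick: int = 0         # logical clock used for session aging


class ManagementFirewall:
    def __init__(self):
        # (proto, inside_ip, inside_port, device_ip, device_port) -> last seen tick
        self.sessions = {}

    def _expire(self, now):
        self.sessions = {k: t for k, t in self.sessions.items() if now - t <= SESSION_TTL}

    def filter(self, pkt):
        """Return 'permit' or 'deny' for one packet, updating the session table."""
        self._expire(pkt.tick)
        from_inside = pkt.src.startswith(MGMT_NET) and pkt.dst.startswith(DEVICE_NET)
        from_outside = pkt.src.startswith(DEVICE_NET) and pkt.dst.startswith(MGMT_NET)
        if from_inside:
            if (pkt.proto, pkt.dport) in ALLOWED_OUTBOUND:
                self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.tick
                return "permit"
            return "deny"
        if from_outside:
            # The one unsolicited inbound flow the text allows: syslog to the syslog host.
            if pkt.proto == "udp" and pkt.dst == SYSLOG_HOST and pkt.dport == 514:
                return "permit"
            # Otherwise the packet must answer a conversation the inside started.
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.sessions:
                self.sessions[key] = pkt.tick
                return "permit"
            return "deny"
        return "deny"     # anything not between the two management segments


def run(packets):
    """Feed packets through one firewall instance and collect the verdicts."""
    fw = ManagementFirewall()
    return [fw.filter(p) for p in packets]


SAMPLE = [  # constructed traffic, in arrival order
    Packet("udp", "10.99.2.7", 514, SYSLOG_HOST, 514, 0),    # syslog from a device: permit
    Packet("tcp", "10.99.2.7", 40000, "10.99.1.10", 22, 1),  # device opens SSH inward: deny
    Packet("tcp", "10.99.1.10", 51000, "10.99.2.7", 22, 2),  # admin host opens SSH: permit
    Packet("tcp", "10.99.2.7", 22, "10.99.1.10", 51000, 3),  # SSH reply to that session: permit
    Packet("udp", "10.99.1.20", 52000, "10.99.2.7", 161, 4), # SNMP get from inside: permit
    Packet("udp", "10.99.2.7", 161, "10.99.1.20", 52000, 5), # SNMP response: permit
    Packet("tcp", "10.99.2.7", 22, "10.99.1.10", 51000, 9),  # same SSH tuple after idle expiry: deny
    Packet("udp", "10.99.2.7", 162, SYSLOG_HOST, 162, 10),   # SNMP trap, not in the policy: deny
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
```

The second sample packet is the case the design is built around: a compromised managed device trying to open a management protocol toward the inside is refused because no inside-initiated session exists for it, while the genuine reply two packets later is admitted.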
For the SAFE validation lab, all configurations were done using standalone management applications and the command-line interface (CLI). Nothing in SAFE, however, precludes using policy management systems for configuration. Establishing this management module makes deployments of such technology completely viable. CLI and standalone management applications were chosen because the majority of current network deployments use this configuration method.
Alternatives

Complete OOB management is not always possible, because some devices might not support it or there might be geographic differences that dictate in-band management. When in-band management is required, more emphasis needs to be placed on securing the transport of the management protocols. This can be through the use of IPSec, SSH, SSL, or any other encrypted and authenticated transport that allows management information to traverse it. When management happens on the same interface that a device uses for user data, importance needs to be placed on passwords, community strings, cryptographic keys, and the access lists that control communications to the management services.
Future Near-Term Architecture Goals

The current reporting and alarming implementation is split across multiple hosts. Some hosts have intelligence for analyzing firewall and IDS data, while others are better suited to analyze router and switch data. In the future, all data will aggregate to the same set of redundant hosts so that event correlation between all of the devices can occur.
Core Module

The core module (see Figure A-7) in the SAFE architecture is nearly identical to the core module of any other network architecture. It merely routes and switches traffic as fast as possible from one network to another.

Figure A-7. Core Module: Detail
Key Devices

Layer 3 switches route and switch production network data from one module to another.
Threats Mitigated

Packet sniffers are the threats mitigated. A switched infrastructure limits the effectiveness of sniffing.
Design Guidelines

Standard implementation guidelines were followed in accordance with the core, distribution, and access layer deployments commonly seen in well-designed Cisco-based networks. Though no unique requirements are defined by the SAFE architecture for the core of enterprise networks, the core switches follow the switch security axiom in the "Switches Are Targets" section to ensure that they are well protected against direct attacks.
Building Distribution Module

The goal of the building distribution module (see Figure A-8) is to provide distribution layer services to the building switches; these include routing, quality of service (QoS), and access control. Requests for data flow into these switches and onto the core, and responses follow the identical path in reverse.

Figure A-8. Building Distribution Module: Detail
Key Devices

Layer 3 switches aggregate Layer 2 switches in the building module and provide advanced services.
Threats Mitigated

The threats mitigated (see Figure A-9) are as follows:

Figure A-9. Attack Mitigation Roles for Building Distribution Module

• Unauthorized access— Attacks against server module resources are limited by Layer 3 filtering of specific subnets.
• IP spoofing— RFC 2827 filtering stops most spoofing attempts.
• Packet sniffers— A switched infrastructure limits the effectiveness of sniffing.
Design Guidelines

In addition to standard network design fundamentals, the optimizations described in the "Switches Are Targets" section were implemented to provide added security within the enterprise user community. Intrusion detection is not implemented at the building distribution module because it is implemented in the modules that contain the resources likely to be attacked for their content (server, remote access, Internet, and so forth). The building distribution module provides the first line of defense and prevention against internally originated attacks. It can mitigate the chance of a department accessing confidential information on another department's server through the use of access control. For example, a network that contains marketing and research and development (R&D) might segment off the R&D server to a specific VLAN and filter access to it, ensuring that only R&D staff have access to it. For performance reasons, it is important that this access control is implemented on a hardware platform that can deliver filtered traffic at near wire rates. This generally dictates the use of Layer 3 switching as opposed to more traditional dedicated routing devices. This same access control can also prevent local source-address spoofing by the use of RFC 2827 filtering. Finally, subnet isolation is used to route Voice over IP (VoIP) traffic to the call manager and any associated gateways. This prevents VoIP traffic from crossing the same segments that all other data traffic crosses, reducing the likelihood of sniffing voice communications and allowing a smoother implementation of QoS.
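The two Layer 3 controls this module applies to traffic from the access VLANs, RFC 2827 source-address checking and subnet-based access control such as the marketing/R&D example above, compose in a specific order, and the following added example makes that order explicit: a packet's source must belong to the prefix assigned to the VLAN it arrived on before any access-control decision is made, so a host on the marketing VLAN cannot reach the R&D servers by forging an R&D source address. It also separates the voice VLAN, which may only reach the call manager. This is example code written for this edition, not the book's or Cisco's; the VLAN numbers, prefixes, permitted pairs and sample packets are constructed.

```python
"""RFC 2827 ingress check followed by inter-VLAN access control.

Added example. VLAN ids, prefixes, the permitted pairs and the sample packets
are constructed; this models a policy, not a particular switch configuration."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# VLAN -> the only prefix that may legitimately be sourced from it. Constructed.
VLAN_PREFIXES = {
    10: ip_network("10.10.0.0/24"),   # marketing users
    20: ip_network("10.20.0.0/24"),   # R&D users
    30: ip_network("10.30.0.0/24"),   # voice (IP phones)
}
RND_SERVERS = ip_network("10.100.0.0/24")   # R&D server VLAN (constructed)
CALL_MANAGER = ip_network("10.200.0.0/24")  # call manager and voice gateways (constructed)
SHARED = [ip_network("10.110.0.0/24")]      # servers every data VLAN may reach (constructed)

# (ingress VLAN, destination prefix) pairs that are explicitly permitted.
PERMITTED = {
    (20, RND_SERVERS),    # only R&D users reach R&D servers
    (30, CALL_MANAGER),   # only phones reach the call manager
}
VOICE_VLAN = 30


@dataclass(frozen=True)
class Packet:
    ingress_vlan: int
    src: str
    dst: str


def rfc2827_check(pkt):
    """True if the source address belongs to the prefix assigned to the ingress VLAN."""
    prefix = VLAN_PREFIXES.get(pkt.ingress_vlan)
    return prefix is not None and ip_address(pkt.src) in prefix


def acl_check(pkt):
    """True if the ingress VLAN may reach the destination subnet."""
    dst = ip_address(pkt.dst)
    # Data VLANs share the corporate servers; the voice VLAN is kept apart from them.
    if pkt.ingress_vlan != VOICE_VLAN and any(dst in net for net in SHARED):
        return True
    return any(pkt.ingress_vlan == vlan and dst in net for vlan, net in PERMITTED)


def forward_decision(pkt):
    """Return 'drop-spoofed', 'deny-acl' or 'permit'.

    The anti-spoof check runs first, so a forged source address never reaches
    the access-control stage where it might have matched a permit."""
    if not rfc2827_check(pkt):
        return "drop-spoofed"
    if not acl_check(pkt):
        return "deny-acl"
    return "permit"


def decide_all(packets):
    return [forward_decision(p) for p in packets]


SAMPLE_PACKETS = [  # constructed
    Packet(20, "10.20.0.5", "10.100.0.10"),   # R&D user -> R&D server: permit
    Packet(10, "10.10.0.5", "10.100.0.10"),   # marketing user -> R&D server: deny-acl
    Packet(10, "10.20.0.5", "10.100.0.10"),   # marketing VLAN forging an R&D source: drop-spoofed
    Packet(10, "10.10.0.5", "10.110.0.3"),    # marketing user -> shared server: permit
    Packet(30, "10.30.0.9", "10.200.0.1"),    # phone -> call manager: permit
    Packet(30, "10.30.0.9", "10.110.0.3"),    # phone -> data server: deny-acl
    Packet(99, "10.10.0.5", "10.110.0.3"),    # unknown VLAN: drop-spoofed
]

if __name__ == "__main__":
    for p, d in zip(SAMPLE_PACKETS, decide_all(SAMPLE_PACKETS)):
        print(f"vlan {p.ingress_vlan:3d} {p.src:>12s} -> {p.dst:<12s} {d}")
```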
Alternatives

Depending on the size and performance requirements of the network, the distribution layer can be combined with the core layer to reduce the number of devices required in the environment.
Building Access Module

SAFE defines the building access module as the extensive network portion that contains end-user workstations, phones, and their associated Layer 2 access points. Its primary goal is to provide services to end users.
Key Devices

The key devices (see Figure A-10) are as follows:

Figure A-10. Building Access Module: Detail

• Layer 2 switch— Provides Layer 2 services to phones and user workstations
• IP phone— Provides IP telephony services to users on the network
• User workstation— Provides data services to authorized users on the network
Threats Mitigated

The threats mitigated (see Figure A-11) are as follows:

Figure A-11. Attack Mitigation Roles for Building Access Module

• Packet sniffers— A switched infrastructure and default VLAN services limit the effectiveness of sniffing.
• Virus and Trojan horse applications— Host-based virus scanning prevents most viruses and many Trojan horses.
Design Guidelines

Because user devices are generally the largest single element of the network, implementing security in a concise and effective manner is challenging. From a security perspective, the building distribution module, rather than anything in the building module, provides most of the access control that is enforced at the end-user level. This is because the Layer 2 switch that the workstations and phones connect to has no capability for Layer 3 access control. In addition to the network security guidelines described in the switch security axiom, host-based virus scanning is implemented at the workstation level.
Server Module

The server module's primary goal is to provide application services to end users and devices. Traffic flow on the server module is inspected by onboard intrusion detection within the Layer 3 switches.
Key Devices

The key devices (see Figure A-12) are as follows:

Figure A-12. Server Module: Detail

• Layer 3 switch— Provides Layer 3 services to the servers and inspects data crossing the server module with NIDS
• Call Manager— Performs call-routing functions for IP telephony devices in the enterprise
• Corporate and department servers— Deliver file, print, and DNS services to workstations in the building module
• E-mail server— Provides Simple Mail Transfer Protocol (SMTP) and Post Office Protocol version 3 (POP3) services to internal users
Threats Mitigated

The threats mitigated (see Figure A-13) are as follows:

Figure A-13. Attack Mitigation Roles for Server Module

• Unauthorized access— Mitigated through the use of host-based intrusion detection and access control.
• Application layer attacks— Operating systems, devices, and applications are kept up-to-date with the latest security fixes and are protected by HIDS.
• IP spoofing— RFC 2827 filtering prevents source address spoofing.
• Packet sniffers— A switched infrastructure limits the effectiveness of sniffing.
• Trust exploitation— Trust arrangements are very explicit; private VLANs prevent hosts on the same subnet from communicating unless necessary.
• Port redirection— HIDS prevents port redirection agents from being installed.
Design Guidelines

The server module is often overlooked from a security perspective. When examining the levels of access that most employees have to the servers to which they attach, the servers can often become the primary goal of internally originated attacks. Simply relying on effective passwords does not provide for a comprehensive attack mitigation strategy. Using HIDS and NIDS, private VLANs, access control, and good system administration practices (such as keeping systems up-to-date with the latest patches) provides a much more comprehensive response to attacks. Because the NIDS is limited in the amount of traffic it can analyze, it is important to send only attack-sensitive traffic to it. This varies from network to network, but should include SMTP, Telnet, FTP, and WWW. The switch-based NIDS was chosen because of its ability to look only at interesting traffic across all VLANs as defined by the security policy. Once properly tuned, this IDS can be set up in a restrictive manner, because required traffic streams should be well known.
Alternatives

Like the building distribution module, the server module can be combined with the core module if performance needs do not dictate separation. For very sensitive high-performance server environments, the NIDS capability in the Layer 3 switch can be scaled by installing more than one NIDS blade and directing policy-matched traffic to specific blades.
Edge Distribution Module

The edge distribution module's goal is to aggregate the connectivity from the various elements at the edge. Traffic is filtered and routed from the edge modules and routed into the core.
Key Devices

Layer 3 switches (see Figure A-14) aggregate edge connectivity and provide advanced services.

Figure A-14. Edge Distribution Module: Detail
Threats Mitigated

The threats mitigated (see Figure A-15) are as follows:

Figure A-15. Attack Mitigation Roles for Edge Distribution Module

• Unauthorized access— Filtering provides granular control over specific edge subnets and their ability to reach areas within the campus.
• IP spoofing— RFC 2827 filtering limits locally initiated spoof attacks.
• Network reconnaissance— Filtering limits nonessential traffic from entering the campus, limiting a hacker's ability to perform network reconnaissance.
• Packet sniffers— A switched infrastructure limits the effectiveness of sniffing.
Design Guidelines

The edge distribution module is similar in some respects to the building distribution module in terms of overall function. Both modules employ access control to filter traffic, although the edge distribution module can rely somewhat on the entire edge functional area to perform additional security functions. Both modules use Layer 3 switching to achieve high performance, but the edge distribution module can add additional security functions because the performance requirements are not as great. The edge distribution module provides the last line of defense for all traffic destined to the campus module from the edge module. This includes mitigation of spoofed packets, erroneous routing updates, and provisions for network layer access control.
Alternatives

Like the server and building distribution modules, the edge distribution module can be combined with the core module if performance requirements are not as stringent as the SAFE reference implementation. NIDS is not present in this module, but it could be placed here through the use of IDS line cards in the Layer 3 switches. It would then reduce the need for NIDS appliances at the exit from the critical edge modules as they connect to the campus. However, performance reasons may dictate, as they did in SAFE's reference design, that dedicated intrusion detection be placed in the various edge modules, as opposed to using the edge distribution module.
Enterprise Edge
Figures A-16 and A-17 show a detailed analysis of all of the modules contained within the enterprise edge.
Figure A-16. Enterprise Edge Detail—Part I
Figure A-17. Enterprise Edge Detail—Part II
Corporate Internet Module
The corporate Internet module (see Figure A-18) provides internal users with connectivity to Internet services and Internet users access to information on public servers. Traffic also flows from this module to the VPN and remote-access module, where VPN termination takes place. This module is not designed to serve e-commerce applications. Refer to the "E-Commerce Module" section later in this document for more details on providing Internet commerce.
Figure A-18. Corporate Internet Traffic Flow
Key Devices
The key devices (see Figure A-19) are as follows:
Figure A-19. Corporate Internet Module: Detail
• SMTP server— Acts as a relay between the Internet and the Internet mail servers; inspects content
• DNS server— Serves as authoritative external DNS server for the enterprise; relays internal requests to the Internet
• FTP/HTTP server— Provides public information about the organization
• Firewall— Provides network level protection of resources and stateful filtering of traffic
• NIDS appliance— Provides Layer 4 to Layer 7 monitoring of key network segments in the module
• URL filtering server— Filters unauthorized URL requests from the enterprise
Threats Mitigated
The threats mitigated (see Figure A-20) are as follows:
Figure A-20. Attack Mitigation Roles for Corporate Internet Module
• Unauthorized access— Mitigated through filtering at the ISP, edge router, and corporate firewall
• Application layer attacks— Mitigated through IDS at the host and network levels
• Virus and Trojan horse— Mitigated through e-mail content filtering and HIDS
• Password attacks— Limited services available to brute force; OS and IDS can detect the threat
• DoS— Committed access rate (CAR) at ISP edge and TCP setup controls at firewall
• IP spoofing— RFC 2827 and RFC 1918 filtering at ISP edge and enterprise edge router
• Packet sniffers— Switched infrastructure and HIDS limits exposure
• Network reconnaissance— IDS detects reconnaissance; protocols filtered to limit effectiveness
• Trust exploitation— Restrictive trust model and private VLANs limit trust-based attacks
• Port redirection— Restrictive filtering and HIDS limit attack
Design Guidelines
The heart of the module is a pair of resilient firewalls, which provide protection for the Internet public services and internal users. Stateful inspection examines traffic in all directions, ensuring only legitimate traffic crosses the firewall. Aside from the Layer 2 and Layer 3 resilience built into the module and the stateful failover capability of the firewall, all other design considerations center around security and attack mitigation. Starting at the customer-edge router in the ISP, the egress out of the ISP rate limits nonessential traffic that exceeds prespecified thresholds to mitigate against DDoS or DoS attacks. Also at the egress of the ISP router, RFC 1918 and RFC 2827 filtering mitigate against source-address spoofing of local networks and private address ranges.
At the ingress of the first router on the enterprise network, basic filtering limits the traffic to the expected traffic (addresses and IP services), providing a coarse filter for the most basic attacks. RFC 1918 and RFC 2827 filtering is also provided here as a verification of the ISP's filtering. In addition, because of the enormous security threat that fragmented packets create, the router is configured to drop most fragmented packets that should not generally be seen for standard traffic types on the Internet. Any legitimate traffic lost because of this filtering is considered acceptable when compared to the risk of allowing such traffic. Finally, any IPSec traffic destined for the VPN and remote-access module is routed appropriately. Filtering on the interface that is connected to the VPN module is configured to allow only IPSec traffic to cross, and only when originated from and sent to authorized peers. With remote-access VPNs, you generally do not know the IP address of the system coming in, so filtering can be specific only to the head-end peers with which the remote users are communicating.
The NIDS appliance at the public side of the firewall monitors for attacks based on Layer 4 to Layer 7 analysis and comparisons against known signatures. Because the ISP and enterprise edge router filter certain address ranges and ports, the NIDS appliance can focus on some of the more complex attacks. Still, this NIDS should have alarms set to a lower level than appliances on the inside of the firewall, because alarms seen here do not represent actual breaches, but merely attempts.
The firewall provides connection state enforcement and detailed filtering for sessions initiated through it. Publicly addressable servers have some protection against TCP SYN floods through the use of half-open connection limits on the firewall. From a filtering standpoint, in addition to limiting traffic on the public services segment to relevant addresses and ports, filtering in the opposite direction also takes place. If an attack compromises one of the public servers (by circumventing the firewall, HIDS, and NIDS), that server should not be able to attack the network further. To mitigate against this type of attack, specific filtering prevents any unauthorized requests from being generated by the public servers to any other location. As an example, the Web server should be filtered so that it cannot originate requests of its own, but merely respond to requests from clients. This helps prevent a hacker from downloading additional utilities to the compromised box after the initial attack. It also helps stop unwanted sessions from being triggered by the hacker during the primary attack. An example of such an attack is one that generates an xterm from the Web server through the firewall to the hacker's machine. In addition, private VLANs prevent a compromised public server from attacking other servers on the same segment. This traffic is not even detected by the firewall, which is why private VLANs are critical.
Traffic on the content inspection segment is limited to URL filtering requests from the firewall to the URL filtering device. In addition, authenticated requests are allowed from the enterprise URL filtering device out to a master server for database updates. The URL filtering device inspects outbound traffic for unauthorized WWW requests. It communicates directly with the firewall and approves or rejects URL requests sent to its URL inspection engine by the firewall. Its decision is based on a policy managed by the enterprise using classification information of the WWW provided by a third-party service. URL inspection is preferred over standard access filtering because IP addresses often change for unauthorized web sites, and such filters can grow to be very large. HIDS software on this server protects against possible attacks that somehow circumvent the firewall.
The public services segment includes an NIDS appliance to detect attacks on ports that the firewall is configured to permit. These most often are application layer attacks against a specific service or password attacks against a protected service. You need to set this NIDS in a more restrictive stance than the NIDS on the outside of the firewall because signatures matched here have successfully passed through the firewall. Each of the servers has host intrusion detection software on it to monitor against any rogue activity at the OS level, in addition to activity in common server applications (HTTP, FTP, SMTP, and so forth). The DNS host should be locked down to respond only to desired commands and to eliminate any unnecessary responses that might assist hackers in network reconnaissance. This includes preventing zone transfers from anywhere but the internal DNS servers. The SMTP server includes mail-content inspection services to mitigate against virus and Trojan-type attacks generated against the internal network that are usually introduced through the mail system. The firewall itself filters SMTP messages at Layer 7 to allow only necessary commands to the mail server.
The NIDS appliance on the inside interface of the firewall provides a final analysis of attacks. Very few attacks should be detected on this segment, because only responses to initiated requests and a few select ports from the public services segment are allowed to the inside. Only sophisticated attacks should be seen on this segment, because they generally mean a system on the public services segment has been compromised and the hacker is attempting to leverage this foothold to attack the internal network. For example, if the public SMTP server is compromised, a hacker might try to attack the internal mail server over TCP port 25, which is permitted to allow mail transfer between the two hosts. If attacks are seen on this segment, the responses to those attacks should be more severe than those on other segments because they probably indicate that a compromise has already occurred. The use of TCP resets to thwart, for example, the SMTP attack mentioned above should be seriously considered.
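The basic filtering the design guidelines place on the enterprise edge router (RFC 1918 and RFC 2827 source checks, dropping of non-initial fragments, an allow-list of expected public services, and IPsec passed only to the VPN head-ends) can be modelled as an ordered packet filter. This is an added example, not configuration from the SAFE paper or the book; the prefix 203.0.113.0/24, the host addresses, the VPN head-end addresses and the port lists are constructed for illustration.

```python
"""Model of the basic ingress/egress filtering on the corporate Internet
module's edge router (added example, not the SAFE paper's configuration).
All addresses below are constructed documentation-range values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed enterprise public prefix and the hosts the Internet may reach.
ENTERPRISE_PREFIX = ip_network("203.0.113.0/24")
PUBLIC_SERVICES = {
    "203.0.113.10": {("tcp", 25)},                             # SMTP relay
    "203.0.113.11": {("udp", 53), ("tcp", 53)},                # external DNS
    "203.0.113.12": {("tcp", 21), ("tcp", 80), ("tcp", 443)},  # FTP/HTTP
}
VPN_HEADENDS = {"203.0.113.20", "203.0.113.21"}  # concentrator / VPN routers
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IKE_PORT = 500   # IKE is carried over UDP 500; ESP is IP protocol 50


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "esp"
    dport: int = 0         # transport destination port (0 for ESP)
    tcp_ack: bool = False  # ACK set: reply to a session opened from inside
    frag_offset: int = 0   # non-zero on a non-initial fragment


def check_inbound(pkt: Packet) -> tuple:
    """Verdict (action, reason) for a packet arriving from the ISP, in the
    order an IOS access list would evaluate the equivalent entries."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # RFC 1918: private source addresses never legitimately arrive from outside.
    if any(src in net for net in RFC1918):
        return "drop", "RFC 1918 source"
    # RFC 2827 verification: an outside packet must not claim our own prefix.
    if src in ENTERPRISE_PREFIX:
        return "drop", "RFC 2827: outside packet claims enterprise source"
    # Fragments that should not appear for standard Internet traffic are dropped.
    if pkt.frag_offset:
        return "drop", "non-initial fragment"
    if dst not in ENTERPRISE_PREFIX:
        return "drop", "destination is not ours"
    # IPsec (IKE/ESP) crosses only when addressed to an authorized head-end;
    # the remote user's own address is unknown, so only the head-end is checked.
    if pkt.proto == "esp" or (pkt.proto == "udp" and pkt.dport == IKE_PORT):
        if pkt.dst in VPN_HEADENDS:
            return "permit", "IPsec to VPN module"
        return "drop", "IPsec to a non-head-end address"
    # Replies to sessions opened from inside (what the IOS 'established'
    # keyword matches); the firewall behind this router does the stateful work.
    if pkt.proto == "tcp" and pkt.tcp_ack:
        return "permit", "established session"
    # Everything else must be an expected service on a public server.
    if (pkt.proto, pkt.dport) in PUBLIC_SERVICES.get(pkt.dst, set()):
        return "permit", "expected public service"
    return "drop", "not an expected service"


def check_outbound(pkt: Packet) -> tuple:
    """RFC 2827 egress filter: locally originated packets must carry a source
    address from the enterprise prefix, so a compromised inside host cannot
    send spoofed traffic toward the Internet."""
    if ip_address(pkt.src) not in ENTERPRISE_PREFIX:
        return "drop", "RFC 2827: egress source not in enterprise prefix"
    return "permit", "egress"


def filter_batch(packets, direction="inbound") -> list:
    """Run a list of packets through one direction and return the actions."""
    check = check_inbound if direction == "inbound" else check_outbound
    return [check(p)[0] for p in packets]
```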
Alternatives
There are several alternative designs for this module. For example, depending on your attitude toward attack awareness, the NIDS appliances might not be required in front of the firewall. In fact, without basic filtering on the access router, this type of monitoring is not recommended. With the appropriate basic filters, which exist in this design, the IDS outside the firewall can provide important alarm information that would otherwise be dropped by the firewall. Because the amount of alarms generated on this segment is probably large, alarms generated here should have a lower severity than alarms generated behind a firewall. Also, consider logging alarms from this segment to a separate management station to ensure that legitimate alarms from other segments get the appropriate attention. With the visibility that NIDS outside the firewall provides, evaluation of the attack types your organization is attracting can be better seen. In addition, evaluation of the effectiveness of ISP and enterprise edge filters can be performed.
Another possible alternative to the proposed design is the elimination of the router between the firewall and the edge distribution module. Though its functions can be integrated into the edge distribution module, the functional separation between modules would be lost, because the edge distribution switches would need to be aware of the entire topology of the corporate Internet module to ensure proper routing. In addition, this limits your ability to deploy this architecture in a modular fashion. If an enterprise's current core is Layer 2, for example, the routing provided in the corporate Internet module would be required.
Near-Term Architecture Goals
Developing Cisco firewall technology that can communicate directly with other content inspection devices is needed (for example, network-based virus scanning). Currently, URL filtering is the only supported content filtering function that is directly integrated with Cisco firewall technology. Nonintegrated products rely on users operating in a proxy mode that does not properly scale.
VPN and Remote-Access Module
As the name implies, the primary objective of the VPN and remote-access module (see Figure A-21) is threefold: terminate the VPN traffic from remote users, provide a hub for terminating VPN traffic from remote sites, and terminate traditional dial-in users. All of the traffic forwarded to the edge distribution is from remote corporate users that are authenticated in some fashion before being allowed through the firewall.
Figure A-21. Remote-Access VPN Module Traffic Flow
Key Devices
The key devices (see Figure A-22) are as follows:
Figure A-22. Remote-Access VPN Module: Detail
• VPN concentrator— Authenticates individual remote users using Extended Authentication (Xauth) and terminates their IPSec tunnels
• VPN router— Authenticates trusted remote sites and provides connectivity using generic routing encapsulation (GRE) or IPSec tunnels
• Dial-in server— Authenticates individual remote users using TACACS+ and terminates their analog connections
• Firewall— Provides differentiated security for the three different types of remote access
• NIDS appliance— Provides Layer 4 to Layer 7 monitoring of key network segments in the module
Threats Mitigated
The threats mitigated (see Figure A-23) are as follows:
Figure A-23. Attack Mitigation Roles for Remote-Access VPN Module
• Network topology discovery— Only Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) are allowed into this segment from the Internet.
• Password attack— OTP authentication reduces the likelihood of a successful password attack.
• Unauthorized access— Firewall services after packet decryption prevent traffic on unauthorized ports.
• Man-in-the-middle— Mitigated through encrypted remote traffic.
• Packet sniffers— A switched infrastructure limits the effectiveness of sniffing.
Design Guidelines
Resilience aside, the core requirement of this module is to have three separate external user services authenticate and terminate. Because the traffic comes from different sources outside of the enterprise network, the decision was made in the SAFE architecture to provide a separate interface on the firewall for each of these three services. The design considerations for each of these services are addressed below.
Remote-Access VPN
The VPN traffic is forwarded from the corporate Internet module access routers, where it is first filtered at the egress point to the specific IP addresses and protocols that are part of the VPN services. Today's remote-access VPNs can use several different tunneling and security protocols. Although IPSec is the tunneling protocol of choice, many organizations choose Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) because they are natively supported by popular desktop operating systems. In SAFE, IPSec was chosen because the clients require minimal configuration and at the same time provide good security. The remote-access VPN traffic is addressed to one specific public address using the IKE (UDP 500) protocol. Because the IKE connection is not completed until the correct authentication information is provided, this provides a level of deterrence for the potential hacker. As part of the extensions (draft RFCs) of IKE, XAUTH provides an additional user authentication mechanism before the remote user is assigned any IP parameters. The VPN concentrator is "connected" to the access control server on the management subnet by its management interface. Strong passwords are provided by the OTP server. Once authenticated, the remote user is provided with access by receiving IP parameters using another extension of IKE, MODCFG. Besides an IP address and the location of name servers (DNS and WINS), MODCFG provides authorization services to control the access of the remote user. For example in SAFE, users are prevented from enabling split tunneling, thereby forcing the user to access the Internet via the corporate connection. The IPSec parameters that are being used are Triple DES (3DES) for encryption and SHA-HMAC for data integrity. The hardware encryption modules in the VPN concentrator allow scalable remote-access VPN services to be deployed to thousands of remote users. Following termination of the VPN tunnel, traffic is sent through a firewall to ensure that VPN users are appropriately filtered. Secure management of this service is achieved by pushing all IPSec and security parameters to the remote users from the central site. Additionally, connections to all management functions are on a dedicated management interface.
Dial-In Access Users
The traditional dial-in users are terminated on one of the two access routers with built-in modems. Once the Layer 1 connection is established between the user and the server, three-way Challenge Handshake Authentication Protocol (CHAP) is used to authenticate the user. As in the remote-access VPN service, the authentication, authorization, and accounting (AAA) and OTP servers are used to authenticate and provide passwords. Once authenticated, the users are provided with IP addresses from an IP pool through Point-to-Point Protocol (PPP).
Site-to-Site VPN
The VPN traffic associated with site-to-site connections consists of GRE tunnels protected by an IPSec protocol in transport mode using ESP. As in the remote-access case, the traffic that is forwarded from the corporate Internet module can be limited to the specific destination addresses on the two VPN routers and the source addresses expected from the remote sites. The ESP protocol (IP 50) and the IKE protocol are the only two expected on this link. GRE is used to provide a full-service routed link that will carry multiprotocol, routing protocol, and multicast traffic. Because routing protocols (Enhanced Interior Gateway Routing Protocol [EIGRP] is used between remote sites) can detect link failure, the GRE tunnel provides a resilience mechanism for the remote sites if they build two GRE connections, one to each of the central VPN routers. As in remote-access VPN, 3DES and SHA-HMAC are used for IKE and IPSec parameters to provide the maximum security with little effect on performance. IPSec hardware accelerators are used in the VPN routers.
Rest of the Module
The traffic from the three services is aggregated by the firewall onto one private interface before being sent to the edge distribution module by a pair of routers. The firewall must be configured with the right type of constraining access control to allow only the appropriate traffic through to the inside interface of the firewall from each of the services. A pair of NIDS appliances are positioned at the public side of the module to detect any network reconnaissance activity targeted at the VPN termination devices. On this segment, only IPSec (IKE/ESP) traffic should be seen. Because the NIDS cannot see inside the IPSec packets, any alarm on this network indicates a failure or compromise of the surrounding devices. As such, these alarms should be set to high severity levels. A second pair of NIDS appliances are positioned after the firewall to detect any attacks that make it through the rest of the module. This NIDS device also has a restrictive policy in place. All users crossing this segment should be bound to or coming from a remote location, so any shunning or TCP resets will affect only those users.
Alternatives
In VPN and authentication technology, there are many alternatives available, depending on the requirements of the network. These alternatives are listed below for reference, but the details are not addressed in this document.
• Smart card or biometric authentication
• L2TP or PPTP remote-access VPN tunnels
• Certificate authorities (CAs)
• IKE keep-alive resilience mechanism
• Multiprotocol Label Switching (MPLS) VPNs
WAN Module
Rather than being all-inclusive of potential WAN designs, this module shows resilience and security for WAN termination. Using Frame Relay encapsulation, traffic is routed between remote sites and the central site.
Key Devices
The IOS router, using routing, access-control, and QoS mechanisms, is the key device (see Figure A-24).
Figure A-24. WAN Module: Detail
Threats Mitigated
The threats mitigated (see Figure A-25) are as follows:
Figure A-25. Attack Mitigation Roles for WAN Module
• IP spoofing— Mitigated through Layer 3 filtering.
• Unauthorized access— Simple access control on the router can limit the types of protocols to which branches have access.
Design Guidelines
The resilience is provided by the dual connection from the service provider, through the routers, and to the edge distribution module. Security is provided by using IOS security features. Input access lists are used to block all unwanted traffic from the remote branch.
Alternatives
Some organizations that are very concerned about information privacy encrypt highly confidential traffic on their WAN links. Similar to site-to-site VPNs, you can use IPSec to achieve this information privacy.
E-Commerce Module
Because e-commerce is the primary objective of this module (see Figure A-26), the balance between access and security must be carefully weighed. Splitting the e-commerce transaction into three components allows the architecture to provide various levels of security without impeding access.
Figure A-26. E-Commerce Traffic Flow
Key Devices
The key devices (see Figure A-27) are as follows:
Figure A-27. E-Commerce Module: Detail
• Web server— Acts as the primary user interface for the navigation of the e-commerce store
• Application server— Is the platform for the various applications required by the Web server
• Database server— Is the critical information that is the heart of the e-commerce business implementation
• Firewall— Governs communication between the various levels of security and trust in the system
• NIDS appliance— Provides monitoring of key network segments in the module
• Layer 3 switch with IDS module— Is the scalable e-commerce input device with integrated security monitoring
Threats Mitigated
The threats mitigated (see Figure A-28) are as follows:
Figure A-28. Attack Mitigation Roles for E-Commerce Module
• Unauthorized access— Stateful firewalls and access control lists (ACLs) limit exposure to specific protocols.
• Application layer attacks— Attacks are mitigated through the use of IDS.
• DoS— ISP filtering and rate limiting reduce DDoS or DoS potential.
• IP spoofing— RFC 2827 and RFC 1918 prevent locally originated spoofed packets and limit remote spoof attempts.
• Packet sniffers— A switched infrastructure and HIDS limit the effectiveness of sniffing.
• Network reconnaissance— Ports are limited to only what is necessary; ICMP is restricted.
• Trust exploitation— Firewalls ensure that communication flows only in the proper direction on the proper service.
• Port redirection— HIDS and firewall filtering limit exposure to these attacks.
Design Implementation Description
The heart of the module is two pairs of resilient firewalls that provide protection for the three levels of servers: Web, application, and database. Some added protection is provided by the ISP edge routers at the ISP and the enterprise. The design is best understood by considering the traffic flow sequence and direction for a typical e-commerce transaction. The e-commerce customer initiates an HTTP connection to the Web server after receiving the IP address from a DNS server hosted at the ISP network. The DNS is hosted on a different network to reduce the amount of protocols required by the e-commerce application. The first set of firewalls must be configured to allow this protocol through to that particular address. The return traffic for this connection is allowed back, but there is no need for any communication initiated by the Web server back out to the Internet. The firewall should block this path to limit the options of hackers if they get control of one of the Web servers. As the user navigates the web site, certain link selections cause the Web server to initiate a request to the application server on the inside interface. This connection must be permitted by the first firewall, as well as the associated return traffic. As in the case with the Web server, there is no reason for the application server to initiate a connection to the Web server or even out to the Internet. Likewise, the user's entire session runs over HTTP and SSL with no ability to communicate directly with the application server or the database server. At one point, the user might want to perform a transaction. The Web server should protect this transaction, and the SSL protocol will be required from the Internet to the Web server.
At the same time, the application server might want to query or pass information on to the database server. These are typically Structured Query Language (SQL) queries that are initiated by the application server to the database server, and not vice versa. These queries run through the second firewall to the database server. Depending on the specific applications in use, the database server might need to communicate with back-end systems located in the server module of the enterprise. In summary, the firewalls must allow only three specific communication paths, each with its own protocol, and block all other communication, unless it is the return path packets that are associated with the three original paths. The servers themselves must be fully protected, especially the Web server, which is a publicly addressable host. The operating system and Web server application must be patched to the latest versions and monitored by the host intrusion detection software. This should mitigate against most application layer primary and secondary attacks, such as port redirection and root kits. The other servers should have similar security in case the first server or firewall is compromised.
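The three-path policy summarised above (Internet to Web over HTTP/SSL, Web to application server, application server to database over SQL, with only the matching return traffic allowed back) can be checked against a connection-tracking model. This is an added example, not the SAFE paper's firewall configuration; the server addresses and the application and SQL listener ports are constructed for illustration.

```python
"""Stateful model of the e-commerce module's firewall policy: only three
initiator paths are permitted, and anything else passes only as the return
half of a flow one of those paths already opened. Added example, not the
SAFE paper's configuration; addresses and ports are constructed."""

# Constructed addresses for the three server tiers.
WEB_SERVERS = {"203.0.113.10", "203.0.113.11"}   # publicly addressable hosts
APP_SERVERS = {"10.20.1.10"}
DB_SERVERS = {"10.20.2.10"}

# Initiator rules: (source zone, destination zone) -> permitted TCP ports.
# Pairs not listed (Web -> Internet, App -> Web, Internet -> App, DB -> App,
# Web -> DB, ...) can never open a connection.
PATHS = {
    ("internet", "web"): {80, 443},   # customer HTTP; SSL for the transaction
    ("web", "app"): {8080},           # constructed application listener
    ("app", "db"): {1433},            # constructed SQL listener
}


def zone_of(addr: str) -> str:
    """Map an address to the trust zone the firewall pair places it in."""
    if addr in WEB_SERVERS:
        return "web"
    if addr in APP_SERVERS:
        return "app"
    if addr in DB_SERVERS:
        return "db"
    return "internet"


class EcommerceFirewall:
    """Connection-tracking TCP filter: a SYN may open a flow only along one
    of the three paths; any other segment must belong to an open flow."""

    def __init__(self):
        self.flows = set()   # (src, sport, dst, dport) of permitted flows

    def filter(self, src, sport, dst, dport, syn=False) -> str:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if not syn:
            # Mid-stream or reply segment: permitted in either direction of
            # an open flow, denied otherwise (no open flow, no return path).
            return "permit" if fwd in self.flows or rev in self.flows else "deny"
        if dport in PATHS.get((zone_of(src), zone_of(dst)), set()):
            self.flows.add(fwd)
            return "permit"
        return "deny"


def typical_transaction(fw: EcommerceFirewall) -> list:
    """Verdicts for the legitimate sequence: customer -> Web over SSL,
    Web -> App, App -> DB query, then each reply back down the chain."""
    steps = [
        ("198.51.100.7", 40001, "203.0.113.10", 443, True),    # customer SYN
        ("203.0.113.10", 50001, "10.20.1.10", 8080, True),     # Web -> App
        ("10.20.1.10", 60001, "10.20.2.10", 1433, True),       # App -> DB
        ("10.20.2.10", 1433, "10.20.1.10", 60001, False),      # DB reply
        ("10.20.1.10", 8080, "203.0.113.10", 50001, False),    # App reply
        ("203.0.113.10", 443, "198.51.100.7", 40001, False),   # Web reply
    ]
    return [fw.filter(*s) for s in steps]


def blocked_attempts(fw: EcommerceFirewall) -> list:
    """Verdicts the policy must return for connections the design forbids:
    a Web server opening a session to the Internet, a Web server reaching
    the database directly, and a segment with no open flow behind it."""
    attempts = [
        ("203.0.113.10", 50002, "198.51.100.7", 80, True),     # Web -> Internet
        ("203.0.113.10", 50003, "10.20.2.10", 1433, True),     # Web -> DB
        ("203.0.113.10", 8080, "10.20.1.10", 50004, False),    # stray non-SYN
    ]
    return [fw.filter(*a) for a in attempts]
```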
Beyond the Firewall
The e-commerce firewalls are initially protected by the customer edge router at the ISP. At the router egress point, toward the enterprise, the ISP can limit the traffic to the small number of protocols required for e-commerce with a destination address of the Web servers only. Routing protocol updates (generally Border Gateway Protocol [BGP]) are required by the edge routers, and all other traffic should be blocked. The ISP should implement rate limiting, as specified in the "SAFE Axioms" section, to mitigate DDoS or DoS attacks. In addition, filtering according to RFC 1918 and RFC 2827 should be implemented by the ISP. On the enterprise premises, the initial router serves only as an interface to the ISP. The Layer 3 switch does all the network processing because it has features off-loaded to hardware processors. The Layer 3 switches participate in the full BGP routing decision to decide which ISP has the better route to the particular user. The Layer 3 switches also provide verification filtering in keeping with the ISP filtering described above; this provides overlapping security. The Layer 3 switches also provide built-in IDS monitoring. If the connection to the Internet exceeds the capacity of the IDS line card, you might need to look only at inbound Web requests from the Internet on the IDS line card. Although this will miss some HTTP alarm signatures (approximately 10 percent), it is better than looking at the entire stream in both directions, where many misses would occur. The other NIDS appliances behind the various interfaces of the firewall monitor the segments for any attacks that might have penetrated the first line of defense. For example, if the Web server is out of date, hackers could compromise it over an application layer attack, assuming they were able to circumvent the HIDS.
As in the corporate Internet module, the false positives must be removed so that all true attack detections are treated with the correct level of priority. In fact, because only certain types of traffic exist on certain segments, you can tune NIDS very tightly. From an application standpoint, the communications paths between the various layers (web, apps, dbase) should be encrypted, transactional, and highly authenticated. For example, if the apps server was to get data from the database over some type of scripted interactive session (SSH, FTP, Telnet, and so forth), a hacker could leverage that interactive session to initiate an application layer attack. By employing secure communications, you can limit potential threats. The Layer 2 switches that support the various firewall segments provide the ability to implement private VLANs, thereby implementing a trust model that matches the desired traffic communication on a particular segment and eliminates all others. For example, there is usually no reason for one Web server to communicate with another Web server. The management of the entire module is done completely out of band, as in the rest of the architecture.
Alternatives

The principal alternative to this deployment is colocating the entire system at an ISP. Though the design remains the same, there are two primary differences. The first is that bandwidth is generally larger to the ISP and uses a LAN connection. Though not recommended, this potentially eliminates the need for the edge routers in the proposed design. The additional bandwidth also creates different requirements for DDoS or DoS mitigation. The second is the connection back to the enterprise, which needs to be managed in a different way. Alternatives include encryption and private lines. Using these technologies creates additional security considerations, depending on the location of the connections and their intended use. There are several variations on the primary design for this module. Aside from listing the alternatives, further discussion is beyond the scope of this appendix.
• The use of additional firewalls is one alternative. Sample communications would be edge routing to firewall to Web server to firewall to applications server to firewall to database server. This allows each firewall to control communications for only one primary system.
• Load-balancing and caching technologies are not specifically discussed in this appendix, but they can be overlaid onto this architecture without major modifications. A future paper will address these needs.
• For very high security requirements, the use of multiple firewall types may be considered. Note that this creates additional management overhead in duplicating policy on disparate systems. The goal of these designs is to prevent a vulnerability in one firewall from circumventing the security of the entire system. These types of designs tend to be very firewall-centric and do not adequately take advantage of IDS and other security technologies to mitigate the risk of a single firewall vulnerability.
Enterprise Options

The design process is often a series of trade-offs. This short subsection of the document highlights some of the high-level options that a network designer could implement if faced with tighter budget constraints. Some of these trade-offs are done at the module level, while others are done at the component level.

One option is to collapse the distribution modules into the core module. This reduces the number of Layer 3 switches by 50 percent. The cost savings would be traded off against performance requirements in the core of the network and flexibility to implement all the distribution security filtering.

A second option is to merge the functionality of the VPN and remote-access module with the corporate Internet module. Their structure is very similar, with a pair of firewalls at the heart of the module surrounded by NIDS appliances. This may be possible without loss of functionality if the performance of the components matches the combined traffic requirements of the modules, and if the firewall has enough interfaces to accommodate the different services. Keep in mind that as functions are aggregated to single devices, the potential for human error increases. Some organizations go even further and include the e-commerce functions in the corporate Internet/VPN module. The authors feel that the risk of doing this far outweighs any cost savings unless the e-commerce needs are minimal. Separation of the e-commerce traffic from general Internet traffic allows the e-commerce bandwidth to be better optimized by allowing the ISP to place more restrictive filtering and rate-limiting technology to mitigate against DDoS attacks.

A third option is to eliminate some of the NIDS appliances. Depending on your operational threat response strategy, you might need fewer NIDS appliances. The number of appliances is also affected by the amount of HIDS deployed, because this might reduce the need for NIDS in certain locations. This is discussed, where appropriate, in the specific modules.

Clearly, network design is not an exact science. Choices must always be made depending on the specific requirements facing the designer. The authors are not proposing that any designer would implement this architecture verbatim, but are encouraging designers to make educated choices about network security grounded in this proven implementation.
Migration Strategies

SAFE is a guide for implementing security on the enterprise network. It is not meant to serve as a security policy for any enterprise networks, nor is it meant to serve as the all-encompassing design to provide full security for all existing networks. Rather, SAFE is a template that enables network designers to consider how they design and implement their enterprise networks to meet their security requirements.

Establishing a security policy should be the first activity in migrating the network to a secure infrastructure. Basic recommendations for a security policy can be found at the end of the document in Annex B. After the policy is established, the network designer should consider the security axioms described in the first section of this document and see how they provide more detail to map the policy on the existing network infrastructure.

There is enough flexibility in the architecture and detail of the design considerations to enable the SAFE architecture elements to be adapted to most enterprise networks. For example, in the VPN and remote-access module, the various flows of traffic from public networks are each given a separate pair of terminating devices and a separate interface on the firewall. The VPN traffic could be combined in one pair of devices, if the load requirements permitted it and the security policy was the same for both types of traffic. On another network, the traditional dial-in and remote-access VPN users might be allowed directly into the network because the security policy puts enough trust in the authentication mechanisms that permit the connection to the network in the first place.

SAFE allows the designer to address the security requirements of each network function almost independently of each other. Each module is generally self-contained and assumes that any interconnected module is only at a basic security level. This allows network designers to use a phased approach to securing the enterprise network. They can address securing the most critical network functions as determined by the policy without redesigning the entire network. The exception to this is the management module. During the initial SAFE implementation, the management module should be implemented in parallel with the first module. As the rest of the network is migrated, the management module can be connected to the remaining locations.

This first version of the SAFE architecture is meant to address the security implementation of a generic enterprise network. The authors know that there are many areas that need further detailed research, exploration, and improvement. Some of these areas include, but are not limited to, the following:
• In-depth security management analysis and implementation
• Specialized design information for smaller networks
• In-depth identity, directory services, AAA technologies, and CA analysis and implementation
• Scaled versions of VPN head-end and WAN design
Annex A: Validation Lab

A reference SAFE implementation exists to validate the functionality described in this document. This annex details the configurations of the specific devices within each module in addition to the overall guidelines for general device configuration. The following are configuration snapshots from the live devices in the lab. The authors do not recommend applying these configurations directly to a production network.

Overall Guidelines

The configurations presented here correspond in part to the "SAFE Axioms" section presented earlier in this document.

Routers

Here are the basic configuration options present on nearly all routers in the SAFE lab:
! turn off unnecessary services
!
no ip domain-lookup
no cdp run
no ip http server
no ip source-route
no service finger
no ip bootp server
no service udp-small-s
no service tcp-small-s
!
!turn on logging and snmp
!
service timestamp log datetime localtime
logging 192.168.253.56
logging 192.168.253.51
snmp-server community Txo~QbW3XM ro 98
!
!set passwords and access restrictions
!
service password-encryption
enable secret %Z
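A configuration snapshot like the one above is only useful as a baseline if it is checked against what the routers actually run. The following Python script is an added example, not from the book or the SAFE lab: it treats the Annex A options as a required list, accepts the abbreviated keyword forms IOS stores (such as udp-small-s for udp-small-servers), and additionally flags read-write or well-known SNMP community strings, a community with no access list, and an enable password used in place of enable secret. The two configurations inside it are constructed samples; the community string, secret and password in them are placeholders.

```python
"""Audit an IOS configuration text against the SAFE lab router baseline
(added example; REQUIRED is taken from the Annex A snapshot)."""
import re

# Unnecessary services off, timestamps and password encryption on.
REQUIRED = [
    "no ip domain-lookup",
    "no cdp run",
    "no ip http server",
    "no ip source-route",
    "no service finger",
    "no ip bootp server",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "service timestamps log datetime localtime",
    "service password-encryption",
]
WEAK_COMMUNITIES = {"public", "private"}


def _matches(line, canonical):
    """IOS accepts and may store abbreviated keywords ('udp-small-s'), so a
    config line matches when each of its words is a prefix of the canonical word."""
    lw, cw = line.split(), canonical.split()
    return len(lw) == len(cw) and all(c.startswith(w) for w, c in zip(lw, cw))


def audit_config(config_text):
    """Return a list of findings; an empty list means the baseline is met."""
    lines = [ln.strip() for ln in config_text.splitlines()
             if ln.strip() and not ln.strip().startswith("!")]
    findings = []
    for canonical in REQUIRED:
        if not any(_matches(ln, canonical) for ln in lines):
            findings.append(f"missing: {canonical}")
    # At least one syslog host (the lab sends to two).
    if not any(re.fullmatch(r"logging \d+\.\d+\.\d+\.\d+", ln) for ln in lines):
        findings.append("missing: logging <syslog-host>")
    # SNMP: read-only, non-default community, restricted by an access list.
    for ln in lines:
        m = re.fullmatch(r"snmp-server community (\S+) (ro|rw)(?: (\d+))?", ln)
        if not m:
            continue
        community, mode, acl = m.groups()
        if mode == "rw":
            findings.append(f"snmp: read-write community '{community}'")
        if community.lower() in WEAK_COMMUNITIES:
            findings.append(f"snmp: well-known community '{community}'")
        if acl is None:
            findings.append(f"snmp: community '{community}' has no access-list")
    # Privileged access: hashed 'enable secret', never 'enable password'.
    if not any(ln.startswith("enable secret ") for ln in lines):
        findings.append("missing: enable secret")
    if any(ln.startswith("enable password ") for ln in lines):
        findings.append("weak: enable password present (reversible or cleartext)")
    return findings


# Constructed sample: the Annex A baseline with placeholder secrets.
BASELINE_OK = """\
no ip domain-lookup
no cdp run
no ip http server
no ip source-route
no service finger
no ip bootp server
no service udp-small-s
no service tcp-small-s
service timestamp log datetime localtime
logging 192.168.253.56
logging 192.168.253.51
snmp-server community PLACEHOLDER-COMMUNITY ro 98
service password-encryption
enable secret 5 PLACEHOLDER-HASH
"""

# Constructed sample of a router left close to its defaults.
WEAK_CONFIG = """\
service timestamps log datetime localtime
snmp-server community public rw
enable password PLACEHOLDER-PASSWORD
"""

if __name__ == "__main__":
    for name, cfg in (("baseline", BASELINE_OK), ("weak", WEAK_CONFIG)):
        print(f"{name}: {audit_config(cfg) or ['OK']}")
```

The check is intentionally a whitelist of literal commands rather than a parser of IOS semantics, which is enough for a snapshot like the one above but will not notice a service that is disabled by default and therefore absent from the running configuration; feed it the output of show running-config and review the findings rather than treating an empty list as proof.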