
Cisco Security Solution

• Cisco Secure Product Family

• Summary

• Frequently Asked Questions

• Glossary

• Bibliography

• URLs

The only system that is truly secure is one that is switched off and unplugged, locked in a titanium-lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it….

—Gene Spafford, Purdue University

This statement is true. No matter what system you implement, you will never have a truly secure system. The best that network professionals can do is to implement a solution that is as secure as current technologies allow and then redesign when hackers find a new vulnerability. This method of prevention has been around since the first misuse of the Internet.

This chapter provides an explanation of the Cisco Security Solution and an overview of the Cisco Secure product range. The Security Solution is designed to ease the implementation of your security policy and introduce you to the idea of security as an ever-evolving requirement that needs constant monitoring and redesign.

Contained within this chapter is a brief overview of the functionality and role of each product in the Cisco Secure family. This overview can be used as a quick reference when designing the security approach for a Cisco network. As with any tool, a complete understanding of the tool's full capabilities, as well as any implementation issues, is of supreme importance in order to help you make a qualified design recommendation. Internet security is a very complicated field of study that requires constantly keeping one step ahead of prospective attackers. New security threats and loopholes appear all the time, and unscrupulous people capitalize on them. The Internet security designer faces a very tough task: to design the security around ever-changing criteria.

The Cisco Secure product range is covered in great detail in Chapters 4 through 9.

The Cisco Security Solution comprises five key elements. These elements enable a consistent approach to be administered that prevents unauthorized entry and protects valuable data and network resources from corruption and intrusion.

The key elements of the Cisco Security Solution are

• Identity

• Perimeter security

• Secure connectivity

• Security monitoring

• Security management

For more information on the Cisco Security Solution, see www.cisco.com/warp/public/cc/so/neso/sqso/index.shtml.

Identity

The first element of the Cisco Security Solution is identity. This element is concerned with the unique and positive identification of network users, application services, and resources. You want to ensure that any entity accessing your network, whether it is a remote user or software agent, is authorized to do so. Standard technologies that enable identification include authentication protocols such as Remote Access Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), and Kerberos. New identification technologies include digital certificates, smart cards, and directory services.

Identity through authentication has to take place at the network boundary before the user or service has access to the secured network. This protects the inside network from unauthenticated users or services.

The Cisco Secure product that provides the security function at the identity level is Cisco Secure Access Control Server (ACS). This product provides authentication, authorization, and accounting (AAA) of all users trying to access the secured network.

Perimeter Security

Perimeter security provides the means to secure access to critical network applications, data, and services so that only authenticated and authorized users and information can pass through the network. As the name indicates, this level of security is applied at the perimeter of the network, which can be thought of as the point of entry that untrustworthy connections would take. This could be the point between the corporate network and the ISP network or the point between the corporate network and the Public Switched Telephone Network (PSTN). An example of a perimeter is displayed in Figure 3-1. It can also be a point between two

Figure 3-1. Network Perimeter

Security control is provided at the perimeter by access-limiting devices, commonly classified as firewalls. These devices can be Cisco routers with traffic-limiting access lists and basic firewall features or dedicated firewall solutions such as a Cisco Secure PIX (Private Internet Exchange) Firewall.

Other tools that assist at the perimeter security level are virus scanners and content filters. Security at the network perimeter is discussed in detail in Chapter 10, "Securing the Corporate Network."

Secure Connectivity

When highly sensitive information is traversing your corporate network, it is very important to protect it from potential eavesdropping or sniffing of the network. You can achieve secure connectivity in three ways:

• The traffic can be isolated from the rest of the network by employing a tunneling protocol, such as generic route encapsulation (GRE) or Layer 2 Tunneling Protocol (L2TP).

• A simple way to increase data privacy is to implement Layer 2 switches to every client and server on the network. By design, a switch will only forward unicasts to the port on which the destination resides. Only broadcast traffic is flooded out on every port. Therefore, a network sniffer plugged into a switch would not automatically receive traffic that was not destined for the sniffer itself.

• If a more secure method is required, a VPN technology, such as Internet Protocol Security (IPSec), can be used to encrypt the data against a 128-bit digital signature. Secure connectivity is discussed in detail in Chapter 10.

Security Monitoring

Security management, like network management, is a dynamic, ever-changing process. Once you have designed and implemented a security solution, it has to be measured. One way of measuring the integrity of your solution is with a network scanner, which will scan every live IP address on your network and check the results against well-known vulnerabilities. A full report is then created, and actions can be taken to remedy any shortcomings in the design or implementation. It's important to make the changes and then scan the network again to ensure that the changes have been effective and their implementation hasn't caused any further security vulnerabilities. The security vulnerability database for all leading network scanners is upgradable on a periodic basis, ensuring that most new vulnerabilities that are discovered are added to the database. When you run a network scan, you can be sure that you are scanning for the latest vulnerabilities. Cisco Secure Scanner is a full, network-scanning utility that can be used for regular security monitoring purposes.
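The scan-then-rescan cycle described above, as an added example that is not part of the original chapter and does not use Cisco Secure Scanner's real report format: two constructed, simplified CSV reports (before and after a change window) are compared to confirm that the planned fixes took effect and that the change introduced no new findings.

```python
# Added example, not Cisco Secure Scanner output: a before/after scan comparison.
import csv
import io
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str]   # (host, port, vulnerability id)

# Constructed reports in a simplified CSV format; hosts and vuln ids are illustrative.
BEFORE_REPORT = """host,port,vuln_id,severity
192.0.2.10,23,TELNET-CLEARTEXT,high
192.0.2.10,80,HTTP-DIR-LISTING,medium
192.0.2.20,21,FTP-ANON-LOGIN,high
"""
AFTER_REPORT = """host,port,vuln_id,severity
192.0.2.10,22,SSH-WEAK-CIPHER,medium
192.0.2.10,80,HTTP-DIR-LISTING,medium
192.0.2.20,21,FTP-ANON-LOGIN,high
"""
# Findings the change window was meant to remove (telnet off, anonymous FTP off).
PLANNED_FIXES = [("192.0.2.10", 23, "TELNET-CLEARTEXT"), ("192.0.2.20", 21, "FTP-ANON-LOGIN")]

def parse_report(text: str) -> Dict[Finding, str]:
    """Map each (host, port, vuln_id) finding to its reported severity."""
    return {(r["host"], int(r["port"]), r["vuln_id"]): r["severity"]
            for r in csv.DictReader(io.StringIO(text))}

def verify_remediation(before: str, after: str, planned: List[Finding]) -> Dict[str, List[Finding]]:
    """Classify the rescan: planned fixes that took effect, planned fixes still present,
    and regressions (findings absent before the change but present now)."""
    b, a = parse_report(before), parse_report(after)
    return {
        "effective": sorted(f for f in planned if f in b and f not in a),
        "not_fixed": sorted(f for f in planned if f in a),
        "regressions": sorted(set(a) - set(b)),
    }

def rescan_passes(before: str, after: str, planned: List[Finding]) -> bool:
    """Accept the change only when every planned fix held and nothing new appeared."""
    r = verify_remediation(before, after, planned)
    return not r["not_fixed"] and not r["regressions"]
```

In the constructed data the telnet fix held, anonymous FTP was not actually disabled, and the new SSH service came up with a weak cipher, so the rescan fails and the design goes back for another round.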

In addition to network scanning, the other aspect of security monitoring is intrusion detection. Intrusion detection systems monitor the network and respond to potential threats in real time.

Shunning is a term widely used in intrusion detection and describes the capability of the intrusion detection system to actively reject all packets from a specific source if the system suspects sinister activity. As with the security scanner, an intrusion detection system operates by checking internal network traffic against a database of known vulnerabilities. Both the IP header and the payload are checked against these known threats.

Cisco Secure Intrusion Detection System (IDS) is an intrusion detection system that can be used for real-time network security.
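The signature check and shunning behaviour described above, as an added toy example that is not Cisco Secure IDS code: each constructed packet is checked against a small signature database on both header fields (protocol, port, payload size) and payload content, and a source that accumulates a constructed threshold of two alerts is shunned, so its later packets are rejected without inspection.

```python
# Added example, not Cisco Secure IDS code: toy signature matching with shunning.
import re
from dataclasses import dataclass
from typing import Optional
@dataclass
class Packet:
    src: str        # source address from the IP header
    proto: str      # "tcp", "udp" or "icmp"
    dport: int
    payload: bytes

@dataclass
class Signature:
    sig_id: int
    proto: Optional[str] = None          # header criteria; None means "any"
    dport: Optional[int] = None
    max_payload: Optional[int] = None    # alert when the payload exceeds this size
    payload_re: Optional[bytes] = None   # payload criteria
    def matches(self, pkt: Packet) -> bool:
        return all([self.proto is None or pkt.proto == self.proto,
                    self.dport is None or pkt.dport == self.dport,
                    self.max_payload is None or len(pkt.payload) > self.max_payload,
                    self.payload_re is None or re.search(self.payload_re, pkt.payload)])
# Constructed signature database: 1001 is header-only, 2001 also inspects the payload.
SIGNATURES = [Signature(1001, proto="icmp", max_payload=1024),
              Signature(2001, proto="tcp", dport=80, payload_re=rb"\.\./")]

class Sensor:
    """After `threshold` alerts a source is shunned: its later packets are rejected unchecked."""
    def __init__(self, signatures, threshold=2):
        self.signatures, self.threshold = signatures, threshold
        self.alerts, self.hits, self.shunned = [], {}, set()
    def inspect(self, pkt: Packet) -> str:
        if pkt.src in self.shunned:
            return "rejected"
        matched = [s for s in self.signatures if s.matches(pkt)]
        self.alerts.extend((pkt.src, s.sig_id) for s in matched)
        if matched:
            self.hits[pkt.src] = self.hits.get(pkt.src, 0) + len(matched)
            if self.hits[pkt.src] >= self.threshold:
                self.shunned.add(pkt.src)
        return "alert" if matched else "pass"
# Constructed stream: 203.0.113.5 trips both signatures, so its fourth packet is rejected.
SAMPLE = [Packet("203.0.113.5", "tcp", 80, b"GET /index.html HTTP/1.0\r\n"),
          Packet("203.0.113.5", "tcp", 80, b"GET /../../private HTTP/1.0\r\n"),
          Packet("203.0.113.5", "icmp", 0, b"A" * 2000),
          Packet("203.0.113.5", "tcp", 80, b"GET /index.html HTTP/1.0\r\n")]
def run_sample(stream=SAMPLE):
    sensor = Sensor(SIGNATURES)
    verdicts = [sensor.inspect(p) for p in stream]
    return verdicts, sensor.alerts, sorted(sensor.shunned)
```

A real sensor would also age shun entries out and whitelist infrastructure addresses, since a spoofed source can otherwise get a legitimate host shunned.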

Security Management

Today's networks are constantly growing in size; with this growth comes the need for centralized security management. There are various security management tools available, one of which is the Cisco Secure Policy Manager. This tool enables the administrator to centrally administer the security policy and distribute policy changes to a number of Cisco PIX and Cisco IOS Firewall devices by automated command-line configurations without detailed command-line interface (CLI) knowledge.

Cisco Secure Policy Manager is explained in great depth in Chapter 8, "Cisco Secure Policy Manager."

Cisco Secure Product Family

To complement Cisco's leading presence in the internetworking device market, Cisco's range of security products has been built and recently amalgamated under the Cisco Secure product family title.

These products provide various security functions and features to enhance the service provided by the current range of routers and switches. Every product in the Cisco Secure product family has its place in the Cisco Security Solution as outlined previously and in Appendix A, "Cisco SAFE: A Security Blueprint for Enterprise Networks," confirming Cisco's stance and commitment to the preservation of network security.

This section provides a brief overview of the product range and explains the main features of each product.

The following products make up the Cisco Secure product family:

• Cisco Secure PIX Firewall

• Cisco IOS Firewall

• Cisco Secure Intrusion Detection System

• Cisco Secure Scanner

• Cisco Secure Policy Manager

• Cisco Secure Access Control System

Cisco Secure PIX Firewall

The Cisco Secure PIX Firewall is the dedicated hardware firewall in the Cisco Secure product family. The PIX Firewall is the industry leader in both market share and performance within the firewall market.

The Cisco PIX Firewall is built around a non-UNIX, secure, real-time, embedded operating system, which leads to excellent performance without compromising security. This high level of performance is the result of the hardware architecture of the PIX Firewall, compared with operating system-based firewalls.

The Cisco PIX Firewall encompasses the Internet Engineering Task Force (IETF) IPSec standard for secure private communications over the Internet or any IP network. This makes the Cisco Secure PIX Firewall an excellent and logical choice to terminate IPSec Virtual Private Network (VPN) traffic from IPSec-compliant network equipment.

Currently, there are four versions of the PIX Firewall:

• PIX 506— The PIX 506 is the entry-level firewall designed for high-end small office, home office (SOHO) installations. The throughput has been measured at 10 Mbps and reflects the market at which the product is aimed.

• PIX 515— The PIX 515 is the midrange firewall designed for the small or medium business and remote office deployments. It occupies only one rack unit and offers a throughput of up to 120 Mbps with a maximum of 125,000 concurrent sessions. The default configuration is two Fast Ethernet ports, and it is currently upgradable by two onboard PCI slots.

• PIX 520— The PIX 520 is the high-end firewall designed for enterprise and service provider use. The unit occupies three rack units and offers a throughput of up to 370 Mbps with a maximum of 250,000 concurrent sessions. The default configuration consists of two Fast Ethernet ports, and it is currently upgradable by four onboard PCI slots. The end-of-life date of 23 June 2001 has been announced for the PIX 520. The replacement for the PIX 520 is the PIX 525.

• PIX 525— The PIX 525 is intended for enterprise and service provider use. It has a throughput of 370 Mbps with the ability to handle as many as 280,000 simultaneous sessions. The 600 MHz CPU of the PIX 525 can enable it to deliver an additional 25–30% increase in capacity for firewalling services.

• PIX 535— The Cisco Secure PIX 535 is the latest and largest addition to the PIX 500 series. Intended for enterprise and service provider use, it has a throughput of 1.0 Gbps with the ability to handle up to 500,000 concurrent connections. Supporting both site-to-site and remote access VPN applications via 56-bit DES or 168-bit 3DES, the integrated VPN functionality of the PIX 535 can be supplemented with a VPN Accelerator card to deliver 100 Mbps throughput and 2,000 IPSec tunnels.

There is also a dedicated PIX Firewall VPN Accelerator Card (VAC) that can be used in the PIX 515, 520, 525, and 535 units. This card performs hardware acceleration of VPN traffic encryption/decryption, providing 100 Mbps IPSec throughput using 168-bit 3DES.

The PIX Firewall is configured using a command-line editor. The commands are similar to those used in the standard Cisco IOS, but they vary in whether they permit inbound and outbound traffic.

Further information on the Cisco Secure PIX Firewall can be found at www.cisco.com/go/pix.

Cisco IOS Firewall

The Cisco IOS Firewall is an IOS-based software upgrade for a specific range of compatible Cisco routers.

The Cisco IOS Firewall provides an extensive set of new CLI commands that integrate firewall and intrusion detection functionality into the IOS of the router. These added security features enhance the existing Cisco IOS security capabilities, such as authentication and encryption. These added security features also add new capabilities, such as defense against network attacks; per-user authentication and authorization; real-time alerts; and stateful, application-based filtering.

VPN support is provided with the Cisco IOS Firewall utilizing the IETF IPSec standard as well as other IOS-based technologies such as L2TP tunneling.

Cisco IOS Firewall also adds limited intrusion detection capabilities. Traffic is compared to 59 default intrusion detection signatures, and output can be directed to the Cisco Secure IDS Director.

Although performance of the Cisco IOS Firewall will never compete with that of the Cisco PIX Firewall, Cisco IOS Firewall still has a place in the portfolio of most modern organizations. There might be times when the full power and associated cost of a PIX Firewall is not required because of the low throughput or an operational requirement. For example, a SOHO worker with a 64-kbps ISDN Internet connection is not going to be concerned about the reduction in throughput offered by using the Cisco IOS Firewall instead of the PIX Firewall.

The features available with Cisco IOS Firewall are configurable using the Cisco ConfigMaker software. This eases the administrative burden placed on the network professional, because a full understanding of the CLI commands is not required to configure the security features and deploy the configurations throughout the required devices.

More information on ConfigMaker can be found at www.cisco.com/go/configmaker.

Further information on the Cisco IOS Firewall can be found at www.cisco.com/go/firewall.

Cisco Secure Intrusion Detection System (IDS)

Intrusion detection is key in the overall security policy of an organization. Intrusion detection can be defined as detecting, reporting, and terminating unauthorized activity on the network. The Cisco Secure Intrusion Detection System (IDS) (formerly NetRanger) is the dynamic security component of Cisco's end-to-end security product line. IDS is a real-time intrusion detection system designed for enterprise and service provider deployment. IDS detects, reports, and terminates unauthorized activity throughout the network.

Cisco Secure IDS consists of three major components:

• The Intrusion Detection Sensor

• The Intrusion Detection Director

• The Intrusion Detection Post Office