Many modern security threats rapidly propagate across the Internet and internal networks. As a result, security components need to be able to respond rapidly to emerging threats. To combat these threats, Cisco offers the Cisco Self-Defending Network, which is its vision for using the network to recognize threats and then prevent and adapt to them. This section describes the implementation of the Cisco Self-Defending Network approach, which leverages Cisco products and solutions.
Evolving Security Threats
As computing resources have evolved over the past couple of decades, security threats have kept pace. For example, in the 1980s, boot viruses presented a threat to computer systems. However, such viruses took weeks to propagate throughout an individual network. During the 1990s, more-advanced viruses, denial-of-service (DoS) attacks, and other hacking attacks evolved. These attacks could impact multiple networks and propagate in a matter of days.
Modern networks face threats such as blended threats, which combine worm, virus, and Trojan horse characteristics. Such advanced threats can spread throughout regional networks in a matter of minutes. Future threats are anticipated to spread globally within just a few seconds.
One of the challenges of protecting against these evolving threats is the ambiguity of network boundaries. For example, consider the following:
■ Port 80 traditionally is thought of as the port used for web traffic. Because it is often an open conduit entering “secured” networks, attackers can attempt to send malicious traffic in the form of port 80 payloads.
■ Because traffic is often sent in an encrypted format (for example, using Secure Sockets Layer [SSL] or Transport Layer Security [TLS]), malicious traffic can escape recognition by devices that inspect packet payloads (for example, Intrusion Prevention System [IPS] or Intrusion Detection System [IDS] appliances) unless the traffic is decrypted before it reaches the inspection point.
■ Clients often have multiple network connections (for example, a wireless laptop connected to a corporate wireless access point and also acting as a peer in a wireless ad-hoc network). Therefore, those clients might act as conduits for malicious users to access a “secured” network.
Constructing a Cisco Self-Defending Network
When a Cisco Self-Defending Network is constructed, consideration is given to how the individual security products work together. As a result, a Cisco Self-Defending Network integrates a collection of security solutions to identify threats, prevent those threats, and adapt to emerging threats.
Figure 2-4 highlights the three core characteristics of a Cisco Self-Defending Network, which are described in Table 2-7.
Figure 2-4 Cisco Self-Defending Network Core Characteristics
Table 2-7 Cisco Self-Defending Network Core Characteristics
Characteristic: Description
Integrated: Security is built in to the network, as opposed to being added to an existing network.
Collaborative: IT personnel focusing on security collaborate with IT personnel focusing on network operations.
Adaptive: Security solutions can adapt to evolving threats.
Cisco Self-Defending Networks can be more cost-effective, as compared to merely implementing a series of standalone solutions (also known as point solutions). This is because a complementary infrastructure simplifies management and administrative tasks. Similarly, equipment upgrade cycles can be better coordinated. Construction of a Cisco Self-Defending Network begins with a network platform that has integrated security. Then, strategic security features such as the following are layered on top of the already secure foundation:
■ Threat control: Strategies to contain and control threats include the following:
—Endpoint threat control defends endpoints against threats, typically sourced from the Internet, such as viruses and spyware.
—Infrastructure threat control protects servers and shared applications from internal and external threats.
—E-mail threat control blocks security threats sourced from e-mail, such as malicious attachments.
■ Confidential and authenticated communication: Technologies such as IPsec and SSL VPNs can provide confidential and authenticated communications channels. Specifically, the Cisco Secure Communications solution offers a set of products that can be categorized into one of two broad categories:
—Remote-access communications security secures transmission to an organization’s network and applications via a secure tunnel formed across the Internet on an as-needed basis.
—Site-to-site communications security secures transmission between an organization’s primary site and other sites (for example, home offices or business partners) via an Internet-based WAN infrastructure.
■ Management solutions: Products that provide system-wide control of policies and configuration offer a variety of benefits:
—Efficiency of rolling out a new policy to multiple devices while maintaining consistency of the configuration
—Comprehensive view of a network’s end-to-end security status
—Quick response to attacks
—Improved congruity with an organizational security policy
Figure 2-5 shows the hierarchical structure of a Cisco Self-Defending Network.
Figure 2-5 Cisco Self-Defending Network Hierarchical Structure (layers: Secure Network Platform, Threat Containment, Protected Communications, Management)
Cisco Security Management Suite
As an organization’s network begins to grow, end-to-end security management becomes a more daunting task. Fortunately, Cisco offers a suite of security management tools, the main components of which are Cisco Security Manager and Cisco Security Monitoring, Analysis, and Response System (MARS).
Cisco Security Manager
The Cisco Security Manager application can be used to configure security features on a wide variety of Cisco security products. From a scalability perspective, Cisco Security Manager can be useful on smaller networks (for example, networks with fewer than ten devices), and it can also help more efficiently manage networks containing thousands of devices. As a few examples, the Cisco Security Manager application offers these features:
■ Provisioning security on a variety of Cisco platforms, including Cisco IOS-based routers, Cisco ASA 5500 series security appliances, Cisco PIX 500 series security appliances, Cisco IPS 4200 sensors, and the Advanced Inspection and Prevention Security Services Module (AIP-SSM), the IPS module available for the Cisco ASA 5500 series platform
■ Performing configuration tasks via a graphical interface
■ Applying a centralized policy, which maintains consistency throughout a network and can be inherited by newly installed devices
■ Interoperates with Cisco Secure Access Control Server (ACS) to provide different sets of permissions to different users
Cisco Security MARS
The Cisco Security MARS product offers security monitoring for security devices and applications. In addition to Cisco devices and applications, Cisco Security MARS can monitor many third-party devices and applications. As a few examples, Cisco Security MARS performs these functions:
■ It collects events from multiple devices in the network and correlates them, so that a single event is judged in the context of what other devices saw, thereby reducing the number of false positives.
■ It identifies appropriate mitigation strategies for specific security challenges.
■ It uses Cisco NetFlow technology to more readily identify network anomalies.
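To make the event-correlation point concrete, here is an added example of the kind of cross-device correlation the section attributes to Cisco Security MARS. This is not MARS code: the normalized log format, the device names (ips-1, fw-1, netflow-1), the five-minute window and the severity thresholds are assumptions made for illustration, and the event lines are constructed. It shows why correlation lowers false positives: an IPS alert that no other device corroborates stays low severity, while the same alert backed by firewall denies and a flow record against several targets is promoted.

```python
"""Multi-device event correlation of the kind the section attributes to
Cisco Security MARS. Added example, not MARS code: the log format, device
names and severity thresholds are assumptions, and the events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed events from an IPS sensor, a firewall and a NetFlow collector,
# normalized to one line shape: "<iso-timestamp> <device> <kind> ... src=.. dst=..".
SAMPLE_EVENTS = [
    "2008-03-10T10:00:01 ips-1 ALERT sig=web-probe src=198.51.100.7 dst=10.1.1.5",
    "2008-03-10T10:00:03 fw-1 DENY tcp src=198.51.100.7 dst=10.1.1.5 dport=80",
    "2008-03-10T10:00:04 fw-1 DENY tcp src=198.51.100.7 dst=10.1.1.6 dport=80",
    "2008-03-10T10:00:05 fw-1 DENY tcp src=198.51.100.7 dst=10.1.1.7 dport=80",
    "2008-03-10T10:00:06 fw-1 DENY tcp src=198.51.100.7 dst=10.1.1.8 dport=80",
    "2008-03-10T10:00:09 netflow-1 FLOW src=198.51.100.7 dst=10.1.1.9 dport=80 bytes=120",
    # A single IPS alert with nothing corroborating it from any other device.
    "2008-03-10T10:02:30 ips-1 ALERT sig=web-probe src=203.0.113.44 dst=10.1.1.5",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<kind>ALERT|DENY|FLOW) .*?src=(?P<src>\S+) dst=(?P<dst>\S+)"
)


def parse_event(line):
    """Return a dict for one normalized event line, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def correlate(lines, window=timedelta(minutes=5)):
    """Open one incident per source address that triggered an IPS alert, then
    rate it by what other devices saw from that source inside the window.
    An alert nobody else corroborates stays 'low' (a likely false positive);
    a second device plus fan-out across several targets becomes 'high'.
    The thresholds are this example's assumption, not a MARS rule."""
    by_src = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        if event:
            by_src[event["src"]].append(event)

    incidents = {}
    for src, events in by_src.items():
        alerts = [e for e in events if e["kind"] == "ALERT"]
        if not alerts:
            continue  # firewall denies or flows alone do not open an incident
        anchor = min(e["ts"] for e in alerts)
        related = [e for e in events if abs(e["ts"] - anchor) <= window]
        devices = {e["dev"] for e in related}
        targets = {e["dst"] for e in related}
        if len(devices) >= 2 and len(targets) >= 3:
            severity = "high"
        elif len(devices) >= 2:
            severity = "medium"
        else:
            severity = "low"
        incidents[src] = {
            "severity": severity,
            "devices": sorted(devices),
            "targets": len(targets),
            "events": len(related),
        }
    return incidents


if __name__ == "__main__":
    for src, info in correlate(SAMPLE_EVENTS).items():
        print(src, info)
```

Running the block reports 198.51.100.7 as a high-severity incident seen by three devices against five targets, and 203.0.113.44 as a low-severity, single-event incident that an analyst can deprioritize.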
Cisco Integrated Security Products
A Cisco Self-Defending Network relies on a collection of complementary security solutions. Table 2-8 identifies some of the products available in the Cisco product line that could contribute to a Cisco Self-Defending Network.
NOTE The following URL offers a flash-based introduction to Cisco Security Manager: http://www.cisco.com/cdc_content_elements/flash/sec_manager/index.html
NOTE The following URL offers a flash-based introduction to Cisco Security MARS: http://www.cisco.com/cdc_content_elements/flash/security_mars/demo.htm
Table 2-8 Examples of Cisco Security Products
Product: Description
Cisco IOS router: Many Cisco IOS routers can be configured with Intrusion Prevention System (IPS), virtual private network (VPN), and firewall features.
Cisco ASA 5500 series security appliance: The Cisco ASA 5500 series of Adaptive Security Appliances offers a wide variety of security solutions, such as firewall, IPS, VPN, antispyware, antivirus, and antiphishing. Figure 2-6 shows a collection of Cisco ASA 5500 series security appliances.
Cisco PIX 500 series security appliance: The Cisco PIX 500 series of security appliances offers firewall and VPN-termination features. As an example, Figure 2-7 shows a Cisco PIX 535 security appliance.
Cisco 4200 series IPS appliances: The Cisco 4200 series of IPS appliances can analyze traffic inline. If this inline analysis identifies traffic believed to be malicious, the IPS appliance can perform such operations as dropping the traffic, sending an alert, and instructing another network device (such as a Cisco PIX security appliance) to block connections from the offending host. Figure 2-8 shows a selection of Cisco 4200 series IPS appliances.
Cisco Security Agent (CSA): Cisco Security Agent (CSA) is an application that provides IPS services on a host. Therefore, CSA is called a Host-based Intrusion Prevention System (HIPS) application.
Cisco Secure Access Control Server (ACS): The Cisco Secure Access Control Server (ACS) application can provide an authentication, authorization, and accounting (AAA) function, thus allowing different sets of permissions to be applied to different users.
Cisco Catalyst 6500 series switch and Cisco 7600 series router modules: Cisco Catalyst 6500 series switches and Cisco 7600 series routers use a modular chassis with multiple interchangeable modules. Some of these modules provide security features to the chassis. For example, you could insert a Firewall Services Module (FWSM) into a chassis to provide firewall services between various VLANs defined on a Cisco Catalyst 6500 series switch.
Cisco Router and Security Device Manager (SDM): Cisco SDM provides a graphical interface for configuring a variety of security features (for example, IPS, IPsec site-to-site VPN, and firewall features), in addition to multiple router configuration features. Figure 2-9 shows the home screen of the SDM application.
Figure 2-6 Cisco ASA 5500 Series Security Appliances
Figure 2-7 Cisco PIX 535 Security Appliance
Exam Preparation Tasks
Review All the Key Topics
Review the most important topics from this chapter, denoted with the Key Topic icon. Table 2-9 lists these key topics and the page where each is found.
Table 2-9 Key Topics for Chapter 2
Key Topic Element: Description (Page Number)
List: The five phases of SDLC (49)
List: SDLC's initiation phase procedures (49)
List: SDLC's acquisition and development phase procedures (49)
List: SDLC's implementation phase procedures (50)
List: SDLC's operations and maintenance phase procedures (50)
List: SDLC's disposition phase procedures (51)
Table 2-2: Operations security recommendations (51-52)
List: Three phases of recovery (55)
Table 2-3: Disruption categories (56)
Table 2-4: Backup sites (56)
List: Detailed documents included in a security policy (59)
Table 2-5: Annualized loss expectancy factors (61)
List: Components of risk mitigation (62)
Table 2-6: Components of a security awareness program (65)
Table 2-7: Cisco Self-Defending Network core characteristics (67)
Complete the Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD) or at least the section for this chapter, and complete the tables and lists from memory. Appendix E, “Memory Tables Answer Key,” also on the CD, includes completed tables and lists so that you can check your work.
Definition of Key Terms
Define the following key terms from this chapter, and check your answers in the glossary: System Development Life Cycle (SDLC), disaster recovery plan, nondisaster, disaster, catastrophe, hot site, warm site, cold site, security policy, threat identification, risk analysis, awareness, training, education, Cisco Self-Defending Network, Cisco Security Manager, Cisco Security MARS
Chapter 3
Defending the Perimeter
This chapter covers the following topics:
■ ISR overview and providing secure administrative access: This section describes methods of securely accessing a router prompt for purposes of administration. Additionally, this section provides an overview of the Cisco Integrated Services Router (ISR) line of routers.
■ Cisco Security Device Manager overview: This section examines the Cisco Security Device Manager (SDM) interface. The graphical interface provided by SDM allows administrators to configure a variety of router features using a collection of wizards and other configuration aids, which use best-practice recommendations from the Cisco Technical Assistance Center (TAC).
In addition to Cisco firewall, virtual private network (VPN), and intrusion prevention system (IPS) appliances that can sit at the perimeter of a network, Cisco IOS routers offer perimeter-based security. For example, the Cisco Integrated Services Routers (ISR) can be equipped to provide high-performance security features, including firewall, VPN termination, and IPS features, in addition to other services such as voice and quality-of-service (QoS) services. This chapter introduces various ISR models.
Because perimeter routers can be attractive targets for attack, they should be configured to secure administrative access. Therefore, this chapter also discusses specific approaches to “harden” administrative access to ISRs.
Configuring advanced ISR router features can be a complex process. Fortunately, many modern Cisco routers can be configured using the graphical Cisco Security Device Manager (SDM) interface. SDM contains multiple wizard-like configuration utilities, which are introduced in this chapter.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you determine your level of knowledge of this chapter’s topics before you begin. Table 3-1 details the major topics discussed in this chapter and their corresponding quiz questions.
Table 3-1 "Do I Know This Already?" Section-to-Question Mapping
Foundation Topics Section: Questions
ISR Overview and Providing Secure Administrative Access: 1 to 10
Cisco Security Device Manager Overview: 11 to 13
1. Which of the following are considered IOS security features? (Choose four.)
a. Stateful firewall
b. MARS
c. IPS
d. VRF-aware firewall
e. VPN
f. ACS
2. Some ISRs include a USB port, into which a flash drive can connect. What are three common uses for the flash drive? (Choose three.)
a. Storing configuration files
b. Storing a digital certificate
c. Storing a copy of the IOS image
d. Storing a username/password database
3. The enable secret password appears as an MD5 hash in a router's configuration file, whereas the enable password is stored in clear text (or only reversibly obfuscated as a type 7 string, if the password-encryption service is enabled). Why does Cisco still support the use of both enable secret and enable passwords in a router's configuration?
a. Because the enable secret password is a hash, it cannot be decrypted. Therefore, the enable password is used to match the password that was entered, and the enable secret is used to verify that the enable password has not been modified since the hash was generated.
b. The enable password is used for IKE Phase I, whereas the enable secret password is used for IKE Phase II.
c. The enable password is considered to be a router’s public key, whereas the enable secret password is considered to be a router’s private key.
d. The enable password is present for backward compatibility.
4. What is an IOS router's default response to multiple failed login attempts after the security authentication failure rate command has been issued?
a. The login process is suspended for 10 seconds after 15 unsuccessful login attempts.
b. The login process is suspended for 15 seconds after 10 unsuccessful login attempts.
c. The login process is suspended for 30 seconds after 10 unsuccessful login attempts.
d. The login process is suspended for 10 seconds after 30 unsuccessful login attempts.
5. What line configuration mode command would you enter to prevent a line (such as a console, aux, or vty line) connection from timing out because of inactivity?
a. no service timeout
b. timeout-line none
c. exec-timeout 0 0
d. service timeout default
6. An IOS router's privileged mode, which you can access by entering the enable command followed by the appropriate password, has which privilege level?
a. 0
b. 1
c. 15
d. 16
7. How is a CLI view different from a privilege level?
a. A CLI view supports only commands configured for that specific view, whereas a privilege level supports commands available to that level and all the lower levels.
b. A CLI view can function without a AAA configuration, whereas a privilege level requires AAA to be configured.
c. A CLI view supports only monitoring commands, whereas a privilege level allows a user to make changes to an IOS configuration.
d. A CLI view and a privilege level perform the same function. However, a CLI view is used on a Catalyst switch, whereas a privilege level is used on an IOS router.
8. To protect a router’s image and configuration against an attacker’s attempt to erase those files, the Cisco IOS Resilient Configuration feature keeps a secure copy of these files. What are these files called?
a. The bootset
b. The configset
c. The backupset
d. The backup-config
9. When you configure Cisco IOS login enhancements for virtual connections, what is the “quiet period”?
a. The period of time between successive login attempts
b. A period of time when no one is attempting to log in
c. The period of time in which virtual login attempts are blocked, following repeated failed login attempts
d. The period of time in which virtual logins are blocked as security services fully initialize
10. In the banner motd # command, what does # represent?
a. A single text character that will appear as the message of the day
b. A delimiter indicating the beginning and end of a message of the day
c. A reference to a system variable that contains a message of the day
d. The enable mode prompt from where the message of the day will be entered into the IOS configuration
11. What Cisco IOS feature provides a graphical user interface (GUI) for configuring a wide variety of features on an IOS router and also provides multiple “smart wizards” and configuration tutorials?
a. QPM
b. SAA
c. SMS
d. SDM
12. What are two options for running Cisco SDM? (Choose two.)
a. Running SDM from a router's flash
b. Running SDM from the Cisco web portal
c. Running SDM from within CiscoWorks
d. Running SDM from a PC
13. Which of the following are valid SDM configuration wizards? (Choose three.)
a. Security Audit
b. VPN
c. ACS
d. NAT
e. STP
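Several of the questions above (enable secret versus enable password, exec-timeout, the login quiet period, banners) describe settings that can be checked mechanically in a router's running configuration. The following is an added example, not from the book: a small audit script that flags those weaknesses in an IOS configuration and shows why the enable password matters by reversing a type 7 string. The two configurations are constructed, the pass/fail rules are this example's own baseline rather than a Cisco-published one, and the enable secret hash values in them are illustrative. The type 7 key and the sample string 0822455D0A16 (which decodes to cisco) are the widely published ones for IOS.

```python
"""Audit of the administrative-access settings the quiz asks about: enable
secret versus enable password, the reversibility of type 7 strings, idle
timeouts, telnet on vty lines, login blocking and banners. Added example,
not from the book; the configurations are constructed and the rules are
this example's own baseline."""
import re

# The fixed key that IOS "service password-encryption" (type 7) XORs against.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Recover a type 7 string: two decimal digits give the starting offset into
    TYPE7_KEY, then each hex byte is XORed with the next key byte."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return clear.decode("ascii")


# Constructed weak configuration: every rule below fires on it.
# The enable secret value is illustrative only.
WEAK_CONFIG = """\
hostname R1
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 0822455D0A16
username admin privilege 15 password 0 letmein
line con 0
 exec-timeout 0 0
line vty 0 4
 login local
 transport input telnet ssh
"""

# Constructed hardened configuration: the same router with the findings fixed.
HARDENED_CONFIG = """\
service password-encryption
hostname R1
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
login block-for 120 attempts 3 within 60
banner motd ^Authorized access only^
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
"""

# Settings that must appear somewhere in the config: (regex, code, explanation).
REQUIRED = (
    (r"^service password-encryption", "NO_PASSWORD_ENCRYPTION", "clear-text passwords in running-config"),
    (r"^login block-for", "NO_LOGIN_BLOCK", "no quiet period after repeated failed logins"),
    (r"^banner (motd|login)", "NO_BANNER", "no warning banner presented at login"),
)


def audit_config(config: str):
    """Return a list of (code, detail) findings for one IOS configuration."""
    findings = []
    context = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            context = line  # remember which line (con/aux/vty) we are under
        m = re.match(r"enable password (?:(\d) )?(\S+)$", line)
        if m:
            kind, value = m.groups()
            clear = decode_type7(value) if kind == "7" else value
            findings.append(("ENABLE_PASSWORD", f"enable password recoverable as {clear!r}"))
        m = re.match(r"username (\S+) .*?\bpassword (?:(\d) )?(\S+)$", line)
        if m:
            user, kind, value = m.groups()
            clear = decode_type7(value) if kind == "7" else value
            findings.append(("USERNAME_PASSWORD", f"user {user} uses 'password' not 'secret': {clear!r}"))
        if line in ("exec-timeout 0 0", "no exec-timeout"):
            findings.append(("EXEC_TIMEOUT_DISABLED", f"{context}: idle sessions never time out"))
        if line.startswith("transport input") and "telnet" in line.split():
            findings.append(("TELNET_ENABLED", f"{context}: clear-text telnet accepted"))
    for pattern, code, why in REQUIRED:
        if not re.search(pattern, config, re.MULTILINE):
            findings.append((code, why))
    return findings


if __name__ == "__main__":
    for code, detail in audit_config(WEAK_CONFIG):
        print(f"{code}: {detail}")
    print("hardened findings:", audit_config(HARDENED_CONFIG))
```

On the weak configuration the script reports seven findings, including the enable password recovered as cisco; the same rules return nothing for the hardened configuration. Note that when both enable secret and enable password are configured the secret takes precedence for login, but the type 7 string still leaks a credential that is often reused elsewhere, which is why the audit treats its presence as a finding.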