
Firewall Deployment

You have selected a firewall product—now the big question is how it should be placed within your network environment. While there are many different opinions on this topic, the most common deployment is shown in Figure 5.14.

Figure 5.14: Where to place your firewall

In this design, the firewall sits between the Internet connection and every internal system, and the protection extends to remote sites that reach the organization over the WAN link. Every system that must accept connections from the Internet (the Web server and the mail relay, for example) is isolated on its own subnet hanging off a third firewall interface. This subnet is referred to as a DMZ, or demilitarized zone, because it can never be treated as fully trusted: you are deliberately allowing inbound connections to the hosts on it, so the firewall protects them only as far as the published services allow.

Using a DMZ provides additional protection from attack. Because some inbound services are open to these hosts, an attacker may be able to gain high-level access to one of them. If that happens, the damage is contained, because the DMZ hosts are isolated from the rest of the network: the firewall should permit no sessions that originate in the DMZ and terminate on the internal network, so a compromised Web server or mail relay cannot be used as a stepping stone to internal systems.

Additional network cards can be added to the firewall in order to control other types of remote access. For example, if the company has WAN links to business partners that are not officially part of the organization, another subnet can be created from an additional NIC in the firewall. All routers connecting to these remote business partners are then placed on this subnet, and the firewall controls traffic between the partner sites and the internal network.

Additionally, you can use the static packet filtering capability of your border router to increase security even further. This provides a multilayered perimeter: if an exploit is found in one of your security devices, the second device may still block the traffic the first one would have let through. Configure the two filters independently rather than copying one rule set to the other, so that a single mistake is not duplicated on both layers.

There are many variations of this basic design. For example, you could add an additional type of firewall to the configuration you saw in Figure 5.14 in order to enhance security even more. For instance, if the firewall in the figure is a dynamic packet filter, you could place a proxy firewall behind it in order to better secure your Internet connection.

Tip Just remember that it is always a good idea to place your firewall between the Internet and the assets you wish to protect, so that all communication sessions must pass through the firewall. While this may sound like an extremely basic idea, you might be surprised—if not shocked—at the way some organizations attempt to deploy a firewall.

Chapter 6: Configuring Cisco Router Security

Features

Service Provider. Since a router is required equipment for a dedicated WAN connection, knowing how to configure Cisco security features can also be useful for controlling traffic between business partners.

Cisco Routers

Cisco is arguably the number-one supplier of hardware routers. It has a diverse product line, which means it has a router to suit almost every configuration requirement. Whether you are using an analog dial-up, ISDN, leased line, Frame Relay, T1, or even a T3 circuit to connect to your ISP, Cisco has a number of products that can fit your needs.

A distinguishing feature of the Cisco router line is that, as of IOS 11.3, reflexive filtering (reflexive access lists) is supported. Reflexive filtering allows a Cisco router to maintain connection session state: when an outbound packet is permitted, the router records the session and temporarily permits only the matching return traffic, removing the entry when the session ends or sits idle past a timeout. This means that while most routers support only static filtering, a Cisco router running IOS 11.3 or higher is capable of performing dynamic packet filtering. This is extremely beneficial for the small shop that does not require a full-featured firewall, or for use on perimeters where a full-featured firewall is not cost effective (such as a WAN link to a business partner or a so-called “Chinese firewall”). Keep in mind that a reflexive entry only covers the session the router saw start; a protocol that opens a second connection in the reverse direction, such as active-mode FTP, needs a separate static rule or a true application-aware firewall. This feature set can even be combined with an additional firewall solution to strengthen a perimeter even further. Cisco routers running the newer IOS 12.1 can also filter based on time of day (time-based access lists) and on application context (context-based access control, part of the Cisco IOS Firewall feature set), further extending their usefulness as security devices.
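The following Python simulation is an added example, not code from the book or from any Cisco product, and it uses Python rather than IOS syntax so that the logic can be run and inspected. It serves two passages at once: the three-legged design of Figure 5.14 (internal network, DMZ, Internet, with the DMZ never allowed to initiate sessions inward) and the reflexive filtering described above (a permitted new session records its reply 5-tuple, only that return traffic is let back in, and the entry expires when idle). All addresses, the published services, the 300-second idle timeout and the packets in demo() are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example: RFC 1918 space inside,
# RFC 5737 documentation ranges for the DMZ and the Internet side.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")
WEB_SERVER = "192.0.2.10"
MAIL_RELAY = "192.0.2.25"

# The only services the Internet may reach unsolicited: (proto, dst, dport).
PUBLISHED = {("tcp", WEB_SERVER, 80), ("tcp", MAIL_RELAY, 25)}
REFLEX_TIMEOUT = 300  # seconds a reflexive entry may sit idle before it is dropped

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse(self):
        """5-tuple that replies to this packet will carry."""
        return (self.proto, self.dst, self.dport, self.src, self.sport)

def zone(addr: str) -> str:
    a = ipaddress.ip_address(addr)
    if a in INTERNAL:
        return "internal"
    if a in DMZ:
        return "dmz"
    return "internet"

def static_policy(p: Packet) -> bool:
    """Stateless rules, applied only to packets that start a new session."""
    src, dst = zone(p.src), zone(p.dst)
    if src == "internal":
        return True  # inside hosts may open sessions to the DMZ or the Internet
    if src == "internet" and dst == "dmz":
        return (p.proto, p.dst, p.dport) in PUBLISHED
    if src == "dmz" and dst == "internet":
        # only the relay may originate outbound SMTP; nothing else leaves the DMZ
        return p.src == MAIL_RELAY and p.proto == "tcp" and p.dport == 25
    # dmz -> internal and internet -> internal are never permitted unsolicited;
    # this is what stops a compromised DMZ host from pivoting inward
    return False

class ReflexiveFirewall:
    def __init__(self):
        self.state = {}  # reply 5-tuple -> expiry timestamp

    def process(self, p: Packet, now: float) -> str:
        # 1. Return half of a session already permitted? (the 'evaluate' step)
        expiry = self.state.get(p.key())
        if expiry is not None:
            if now < expiry:
                self.state[p.key()] = now + REFLEX_TIMEOUT  # refresh idle timer
                return "permit (reflexive)"
            del self.state[p.key()]  # stale entry: fall through to static rules
        # 2. New session: apply the static policy
        if not static_policy(p):
            return "deny"
        # 3. Permitted session: record the reply tuple (the 'reflect' step)
        self.state[p.reverse()] = now + REFLEX_TIMEOUT
        return "permit (static)"

def demo():
    """Run a fixed sequence of constructed packets through the policy."""
    fw = ReflexiveFirewall()
    client_out = Packet("tcp", "10.1.1.20", 40000, "198.51.100.7", 80)
    reply = Packet("tcp", "198.51.100.7", 80, "10.1.1.20", 40000)
    probe = Packet("tcp", "198.51.100.7", 80, "10.1.1.20", 40001)
    to_web = Packet("tcp", "198.51.100.7", 51000, WEB_SERVER, 80)
    to_ssh = Packet("tcp", "198.51.100.7", 51001, WEB_SERVER, 22)
    pivot = Packet("tcp", WEB_SERVER, 3333, "10.1.1.5", 445)
    return [
        fw.process(client_out, 0),  # permit (static): inside opens a web session
        fw.process(reply, 10),      # permit (reflexive): matching return traffic
        fw.process(probe, 10),      # deny: same server, but no such session
        fw.process(reply, 400),     # deny: idle longer than REFLEX_TIMEOUT
        fw.process(to_web, 400),    # permit (static): published DMZ service
        fw.process(to_ssh, 400),    # deny: unpublished port on the DMZ host
        fw.process(pivot, 400),     # deny: DMZ host may not reach the inside
    ]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The order of the three checks in process() is the whole design: state is consulted before the static rules, so return traffic never needs a standing "permit established" hole, and nothing the Internet or the DMZ sends unsolicited toward the inside ever reaches a permit. The expiry on the probe at time 400 also shows why the idle timeout matters; an entry that never aged out would leave a permanent opening for anyone who later controls the far-end address and port.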

When selecting a router for Internet connectivity, most organizations have traditionally gone with a Cisco 2500 series router. However, because the 2500 series routers are not very expandable, companies with newer implementations have started to purchase the 2600 series that is modular, expandable, and has compatible interfaces with other Cisco router families. In addition, businesses have begun to incorporate newer technologies into their networks such as Fast Ethernet (100Mbps), Gigabit Ethernet (1000Mbps), VLANs (Virtual LANs), VPNs, digital telephony, and streaming multimedia. This demand has dramatically increased the variety of router offerings—even from a single vendor.

A summary of the more popular models of the 2500 and 2600 series product lines is shown in Table 6.1. Remember that earlier Cisco models typically used an Attachment Unit Interface (AUI) connection for Ethernet segments, so you may need to purchase a transceiver as well.

Note A transceiver converts between the 15-pin DB15 connector used by an AUI port and the female RJ45 jack used in a twisted-pair environment.

Table 6.1: Popular Models of the Cisco 2500 and 2600 Series

Cisco Model Number   Included Ports                                                          Speed

2503                 1 Ethernet, 1 BRI, 2 serial                                             128K ISDN, 10 Mbps

2520                 1 Ethernet (AUI), 1 Ethernet (RJ45), 1 BRI, 1 serial                    128K ISDN, 10 Mbps

2610                 1 Ethernet (RJ45), 1 Network Module slot, 2 WAN Interface Card slots,   Port specific (maximum = 100 Mbps)
                     1 Advanced Integration Module (AIM) slot

2611                 2 Ethernet (RJ45), 1 Network Module slot, 2 WAN Interface Card slots,   Port specific (maximum = 100 Mbps)
                     1 AIM slot

Where to Begin

Cisco routers are extremely flexible devices. The number of configurable options can be downright daunting. For example, the online “Cisco IOS Software Command Summary” for IOS 12.1 (the latest major OS release) is hundreds of pages long. Keep in mind this is a “summary,” not a fully detailed manual—not exactly something you can toss in your shirt pocket!

A full description of how to configure a Cisco router is beyond the scope of this book. This section will simply focus on how to implement your security policies using this device. We will therefore assume the following:

• IOS 12.0 or higher has been loaded on the router.

• The router is powered up and physically connected to your LAN and WAN.

• Both interfaces have a valid IP address and subnet mask.

• You can ping the router at the other end of the WAN link, located at your ISP.

• You are reasonably familiar with the Cisco command interface.

Once these requirements have been met, you are ready to start locking down your perimeter.

Basic Security Tips

The place to start in securing your perimeter is to ensure that the router itself does not become compromised. The router will be of little use in controlling traffic across your borders if Woolly Attacker can change the configuration. A Cisco router offers two main levels of access:

• User EXEC mode

• Privileged EXEC mode

User EXEC Mode

User EXEC mode is the first mode of operation you reach when connecting to a Cisco router. If you are running a direct console session, you are placed in user EXEC mode automatically. If you are connecting to the router via a telnet session, you are first prompted for a terminal password.

Note A Cisco router will deny all telnet session attempts if a terminal password has not been set.

A Cisco router changes the terminal prompt, depending on which mode of operation you are currently using. The prompt always starts with the name of the router and ends with some special sequence to let you know where you are. Table 6.2 lists some of the more common prompts.

Don’t worry about the meaning of the other prompts for now. We will cover them in the next section.

Table 6.2: Cisco Command Prompts

Prompt Appearance     Description

router>               User EXEC mode

router#               Privileged EXEC mode

router(config)#       Global configuration mode

router(config-if)#    Interface configuration mode

While in user EXEC mode, a user is allowed to check connectivity and look at statistics, but not to make any configuration changes to the device. This helps to limit the damage an attacker can do if your terminal password is compromised or if the attacker gains physical access to the device. Keep in mind, though, that anyone who can reach the console port and power-cycle the router can use Cisco's password-recovery procedure to reset the enable password, so the router itself must still be physically secured.

Privileged EXEC Mode

kahuna. At this level of access, a user is free to change or even delete any configuration parameter. You enter privileged mode by entering the command

enable

Password: privilege_password

Because you use the command enable to gain privileged access, this mode is sometimes referred to as enable mode. In the past, the command used to set the enable password was as follows:

enable password new_password

However, Cisco now recommends the following command, which stores the password as a one-way hash rather than in a reversible form:

enable secret new_password

The difference matters. An enable password is kept in the configuration in clear text or, if service password-encryption is turned on, in the type 7 format, which is a fixed-key encoding that anyone holding a copy of the configuration can reverse. An enable secret is stored as a salted MD5 hash (type 5) that cannot be turned back into the password. If both are configured, the enable secret is the one the router checks.

You can actually specify up to 16 different levels (0–15) of privileged access, each with its own password. In this case, the password a user enters when accessing privileged mode determines the level of privileged access the user receives; by default, level 1 is user EXEC mode and level 15 is full privileged EXEC mode. This is useful if you need to give an administrator access to some privileged commands but not all of them (the commands permitted at each level are assigned with the privilege command). To set a password for a specific privilege level, enter the command

enable secret level n new_password

where n is replaced by a value between 0 and 15; a user then reaches that level with the command enable n. The lower the value, the lower the level of privileged access.
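As an added example (not code from the book or from Cisco), here is a small Python audit of how the passwords in a saved router configuration are stored, covering both the enable password versus enable secret choice discussed above and the terminal (line) password that guards telnet access. It assumes the widely documented type 7 scheme: the first two characters are a decimal offset into a fixed key, and every following hex byte is the password byte XORed with the next key byte. The configuration text is constructed for the example; the type 7 strings are the well-known encodings of the word cisco, and the type 5 hashes are placeholders shaped like md5crypt output, not real hashes of anything.

```python
import re

# The fixed key IOS XORs against when it writes a type 7 string.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: the first two decimal digits are an offset into
    the key, and each following hex byte is XORed with successive key bytes."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")

def encode_type7(plain: str, seed: int = 8) -> str:
    """Produce a type 7 string: the same XOR run the other way, which is the point."""
    raw = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(plain.encode("ascii")))
    return f"{seed:02d}{raw.hex().upper()}"

# enable password|secret [level N] [type] value   (top-level command)
ENABLE_RE = re.compile(r"^enable\s+(password|secret)(?:\s+level\s+(\d+))?\s+(?:(\d)\s+)?(\S+)$")
# password [type] value inside a 'line con/vty' block (IOS indents these)
LINE_PW_RE = re.compile(r"^\s+password\s+(?:(\d)\s+)?(\S+)$")

def audit(config: str):
    """Return (location, verdict, detail) for every password-bearing line."""
    findings = []
    for line in config.splitlines():
        line = line.rstrip()
        m = ENABLE_RE.match(line)
        if m:
            kind, level, ptype, value = m.groups()
            where = f"enable {kind} level {level or 15}"
        else:
            m = LINE_PW_RE.match(line)
            if not m:
                continue
            kind, ptype, value = "password", m.group(1), m.group(2)
            where = "line password"
        if kind == "secret":
            findings.append((where, "ok", f"one-way hash (type {ptype})"))
        elif ptype == "7":
            findings.append((where, "weak", f"type 7 is reversible; plaintext is {decode_type7(value)!r}"))
        else:
            findings.append((where, "weak", "stored in clear text"))
    return findings

# Constructed configuration excerpt (see the lead-in for what the values are).
CONFIG = """\
hostname border-rtr
service password-encryption
enable password 7 0822455D0A16
enable secret level 10 5 $1$abcd$wLKtV9ROPw7FKxgYcO0Sm1
enable secret 5 $1$mERr$7kE.tQ6fy3xhA1k.m.P4W/
line vty 0 4
 password 7 104D000A0618
 login
"""

if __name__ == "__main__":
    for where, verdict, detail in audit(CONFIG):
        print(f"{verdict:4}  {where:24}  {detail}")
```

Run against a real configuration (show running-config, pasted into CONFIG), the weak findings are the ones to fix: replace every enable password with an enable secret, and treat any type 7 line password as already known to anyone who has ever seen a backup of the configuration, since the decoder above needs nothing but the string itself.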