
Securing an Enterprise Network

In document CCDP ARCH Quick Reference (Page 60-69)

With today’s mission-critical network services, such as e-commerce, network security has become a major design consideration. This chapter discusses Cisco recommendations for securing an enterprise network. Specifically, this chapter discusses firewall, network admission control, intrusion detection, and intrusion prevention services.

Firewalls

Firewalls contain a list of rules that control what traffic can enter or exit a network segment. These rules can be based on, for example, user access rights or specific applications. Cisco firewalls use one of two basic modes of operation:

• Routed mode: The traditional mode of operation, where the firewall acts as a Layer 3 device

• Transparent mode: A newer mode of operation, where the firewall acts as a Layer 2 device, with each interface residing on the same subnet but on different VLANs

Cisco IOS Software has a firewall feature set available, through which a router can act as a firewall. However, for large-scale deployments dedicated appliances are often preferred. Examples of these dedicated appliances include the following:

• PIX: Cisco's traditional firewall, which allows traffic from a higher-security interface (for example, the “inside” network) to a lower-security interface (for example, the “outside” network)

• ASA: Cisco Adaptive Security Appliance, which offers other services (for example, virtual private network [VPN] and intrusion prevention) in addition to firewall services

• FWSM: Cisco Firewall Services Module for the Catalyst 6500 series switch, which, unlike the PIX and ASA, does not permit any traffic flow between interfaces unless configured to do so (with the exception of Address Resolution Protocol [ARP] traffic)

Modern Cisco firewalls can contain contexts, which act as virtual firewalls within a single physical firewall. VLANs are then associated with a context. Virtual firewalls can often benefit service providers, who can have a single physical device that provides unique firewalling services for multiple subscribers. However, from a design perspective, keep in mind that if one context is attacked, the other contexts on the physical firewall device could be impacted, too.

© 2008 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 98 for more details.

CCDP ARCH Quick Reference

CCDP ARCH Quick Reference By Kevin Wallace, Michael Watkins ISBN: 9781587054990 Publisher: Cisco Press

Prepared for Kevin Kem, Safari ID: [email protected] Licensed by Kevin Kem

Print Publication Date: 2007/10/26 User number: 1023945 Copyright 2007, Safari Books Online, LLC.

This PDF is exclusively for your use in accordance with the Safari Terms of Service. No part of it may be reproduced or transmitted in any form by any means without the prior written permission for reprints and excerpts from the publisher. Redistribution or other use that violates the fair use privilege under U.S. copyright laws (see 17 USC107) or that otherwise violates the Safari Terms of Service is strictly prohibited.

The preferred redundancy design for firewalls is called active/active. The active/active topology leverages the context feature. Specifically, contexts are placed into failover groups, with one context acting as the active context for the failover group and the other context acting as the standby context for the failover group.

For example, consider Firewall-1 and Firewall-2 shown in Figure 8-1. Firewall-1 contains the contexts CTX-1 and CTX-2. Firewall-2 contains the contexts CTX-3 and CTX-4. Both CTX-1 and CTX-3 belong to the same failover group, GROUP-1. Similarly, CTX-2 and CTX-4 belong to a common failover group, GROUP-2. CTX-1 is active for GROUP-1, and CTX-4 is active for GROUP-2. In this scenario, both Firewall-1 and Firewall-2 are actively passing traffic, while being ready to take over for the other firewall in the event of a failure.
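The failover-group behaviour just described, as an added example that is not Cisco code or configuration: a small Python model of the Figure 8-1 topology. The firewall, context and group names come from the text; the FailoverPair class, the idea of a preferred (primary) firewall per group, and the failure simulation are assumptions made for illustration.

```python
"""Active/active firewall failover modelled with contexts and failover groups.

Added example for the Figure 8-1 scenario; not Cisco code. FailoverPair, the
"preferred" firewall per group and fail()/recover() are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Context:
    name: str
    firewall: str   # physical firewall that hosts this context
    group: str      # failover group the context belongs to


@dataclass
class FailoverPair:
    """Two physical firewalls whose contexts are paired through failover groups."""
    firewalls: Tuple[str, str]
    contexts: List[Context]
    preferred: Dict[str, str]   # firewall that is active for each group while healthy
    failed: Set[str] = field(default_factory=set)

    def members(self, group: str) -> List[Context]:
        return [c for c in self.contexts if c.group == group]

    def active_firewall(self, group: str) -> Optional[str]:
        """Physical firewall currently passing traffic for a failover group."""
        hosts = [c.firewall for c in self.members(group)]
        pref = self.preferred[group]
        if pref in hosts and pref not in self.failed:
            return pref
        for fw in hosts:          # failover: any healthy peer hosting a member context
            if fw not in self.failed:
                return fw
        return None               # no member context left; the group is down

    def active_context(self, group: str) -> Optional[str]:
        fw = self.active_firewall(group)
        for c in self.members(group):
            if c.firewall == fw:
                return c.name
        return None

    def fail(self, firewall: str) -> None:
        self.failed.add(firewall)

    def recover(self, firewall: str) -> None:
        self.failed.discard(firewall)

    def load_is_shared(self) -> bool:
        """True when every healthy firewall is active for at least one group (active/active)."""
        active = {self.active_firewall(g) for g in self.preferred}
        healthy = {fw for fw in self.firewalls if fw not in self.failed}
        return healthy <= active


def figure_8_1() -> FailoverPair:
    """Topology from the text: CTX-1/CTX-3 form GROUP-1, CTX-2/CTX-4 form GROUP-2."""
    return FailoverPair(
        firewalls=("Firewall-1", "Firewall-2"),
        contexts=[
            Context("CTX-1", "Firewall-1", "GROUP-1"),
            Context("CTX-2", "Firewall-1", "GROUP-2"),
            Context("CTX-3", "Firewall-2", "GROUP-1"),
            Context("CTX-4", "Firewall-2", "GROUP-2"),
        ],
        preferred={"GROUP-1": "Firewall-1", "GROUP-2": "Firewall-2"},
    )


if __name__ == "__main__":
    pair = figure_8_1()
    for g in ("GROUP-1", "GROUP-2"):
        print(g, "active on", pair.active_firewall(g), "via", pair.active_context(g))
    pair.fail("Firewall-1")
    for g in ("GROUP-1", "GROUP-2"):
        print("after Firewall-1 failure:", g, "active on", pair.active_firewall(g))
```

Before the failure each firewall is active for one group, which is what makes the design active/active rather than active/standby; after Firewall-1 fails, Firewall-2 carries both groups through CTX-3 and CTX-4. The model does not capture the caveat from the text that contexts on one physical device still share its fate.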

[Figure 8-1 (diagram not reproduced): Firewall-1 and Firewall-2 in the active/active design, each firewall hosting one active and one standby context]

Asymmetric routing is a feature supported by the previously mentioned FWSMs. With asymmetric routing, return traffic for a session can enter via a different interface than the interface from which the traffic exited the FWSM. This asymmetric routing feature can function in both a failover and a nonfailover configuration, and works when the firewall is operating in either routed or transparent mode.


Multiple FWSMs (as many as four) can be combined in a single Catalyst 6500 series switch chassis to provide enhanced throughput, using an active/active configuration. The two methods of load balancing among the FWSMs are as follows:

• Traffic engineering (for example, policy-based routing)

• Routing (for example, Equal Cost Multipath [ECMP] routing)

Another way for a Catalyst switch to provide security is through the use of private VLANs (PVLAN). These PVLANs can provide privacy between groups of Layer 2 ports on a Catalyst switch. A PVLAN domain has a single primary VLAN. In addition, the PVLAN domain contains secondary VLANs that provide isolation between ports in a PVLAN domain.

Cisco Catalyst switches support two categories of secondary VLANs:

• Isolated VLANs: Ports belonging to an isolated VLAN lack Layer 2 connectivity between one another.

• Community VLANs: Ports belonging to a community VLAN can communicate with one another, but not with ports in other community VLANs.

PVLAN ports fall into one of three categories:

• Promiscuous: Promiscuous ports are typically used to communicate with network devices (for example, routers or backup servers), and these ports can communicate with all other PVLAN ports.

• Isolated: Isolated ports can only communicate with a promiscuous port.

• Community: Community ports can communicate with other ports in their community and also with promiscuous ports.
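The three PVLAN port roles and two secondary-VLAN types above, as an added example that is not Cisco code: a Python reachability check that a designer can run over a port plan to confirm which ports can reach each other at Layer 2, plus a check for community pairs the design did not intend. The port names, VLAN numbers and the PvlanPort class are constructed for this illustration.

```python
"""Private VLAN Layer 2 reachability check.

Added example, not Cisco code. It encodes the promiscuous / isolated / community
rules from the text; PvlanPort, the port names and VLAN numbers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str                        # "promiscuous", "isolated" or "community"
    primary: int                     # primary VLAN of the PVLAN domain
    secondary: Optional[int] = None  # isolated or community VLAN; None for promiscuous


def can_communicate(a: PvlanPort, b: PvlanPort) -> bool:
    """Layer 2 reachability between two ports under PVLAN rules."""
    if a.primary != b.primary:
        return False  # different PVLAN domains never share a Layer 2 path
    if a.role == "promiscuous" or b.role == "promiscuous":
        return True   # promiscuous ports reach every port in the domain
    if a.role == "isolated" or b.role == "isolated":
        return False  # isolated ports reach only promiscuous ports
    return a.secondary == b.secondary  # both community: same community VLAN required


def reachability_matrix(ports: List[PvlanPort]) -> Dict[str, Dict[str, bool]]:
    """port name -> {port name -> reachable}; a port trivially reaches itself."""
    return {p.name: {q.name: (p is q or can_communicate(p, q)) for q in ports} for p in ports}


def unexpected_paths(ports: List[PvlanPort], allowed_pairs) -> List[Tuple[str, str]]:
    """Design check: host-port pairs that can talk but are not on the intended allow-list.

    allowed_pairs holds unordered pairs of port names the design intends to
    communicate; promiscuous ports are expected to reach everything and are skipped.
    """
    allowed = {frozenset(pair) for pair in allowed_pairs}
    found = []
    for i, p in enumerate(ports):
        for q in ports[i + 1:]:
            if "promiscuous" in (p.role, q.role):
                continue
            if can_communicate(p, q) and frozenset((p.name, q.name)) not in allowed:
                found.append((p.name, q.name))
    return found


# Constructed port plan: one PVLAN domain with primary VLAN 100, isolated VLAN 101,
# and community VLANs 102 (web tier) and 103 (app tier).
PORTS = [
    PvlanPort("Gi1/0/1", "promiscuous", 100),       # uplink to the default gateway
    PvlanPort("Gi1/0/2", "isolated", 100, 101),
    PvlanPort("Gi1/0/3", "isolated", 100, 101),
    PvlanPort("Gi1/0/4", "community", 100, 102),
    PvlanPort("Gi1/0/5", "community", 100, 102),
    PvlanPort("Gi1/0/6", "community", 100, 103),
]
PORT_BY_NAME = {p.name: p for p in PORTS}


if __name__ == "__main__":
    for src, row in reachability_matrix(PORTS).items():
        print(src, [dst for dst, ok in row.items() if ok and dst != src])
    print("unplanned paths:", unexpected_paths(PORTS, [("Gi1/0/4", "Gi1/0/5")]))
```

Two isolated ports in the same isolated VLAN still cannot reach each other, which is the point of the isolated type; the only way for them to talk is through the promiscuous port and the router behind it, where a Layer 3 policy can be applied.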

The Cisco IOS Firewall feature set now offers the zone-based policy firewall (ZPF) feature. With ZPF, firewall interfaces are assigned to zones, and firewall policies are applied to traffic moving between zones, rather than traffic moving between interfaces. As an example, consider Figure 8-2, which shows a router running the Cisco IOS Firewall feature set.

The router’s three interfaces are each assigned to a unique zone (that is, zones for the inside network, the demilitarized zone [DMZ] network, and the outside network).
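The zone-based idea described above (interfaces belong to zones, policy is applied between zones), as an added example that is not Cisco IOS configuration: a Python decision model for the Figure 8-2 zones INSIDE, DMZ and OUTSIDE. The interface names, the zone-pair rules, and the Flow/ZoneRule/Zpf names are assumptions made for illustration; the defaults encoded in decide() (same-zone traffic passes, traffic between zones is dropped unless a zone-pair policy matches, and an interface with no zone cannot exchange traffic with a zoned one) follow the IOS zone-based firewall behaviour as the author of this example understands it.

```python
"""Zone-based policy firewall (ZPF) decision model.

Added example, not Cisco IOS configuration. Interface names, zone-pair rules and
the Flow/ZoneRule/Zpf classes are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    in_iface: str
    out_iface: str
    proto: str     # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class ZoneRule:
    action: str                   # "inspect" (permit and track the session), "pass" or "drop"
    protos: Tuple[str, ...] = ()  # empty = match any protocol
    ports: Tuple[int, ...] = ()   # empty = match any destination port


class Zpf:
    def __init__(self) -> None:
        self.zone_of: Dict[str, str] = {}                      # interface -> zone
        self.policy: Dict[Tuple[str, str], List[ZoneRule]] = {}  # (src zone, dst zone) -> rules

    def assign(self, iface: str, zone: str) -> None:
        self.zone_of[iface] = zone

    def zone_pair(self, src: str, dst: str, rules: List[ZoneRule]) -> None:
        self.policy[(src, dst)] = rules

    def decide(self, f: Flow) -> str:
        src = self.zone_of.get(f.in_iface)
        dst = self.zone_of.get(f.out_iface)
        if src is None or dst is None:
            return "drop"        # zoned and non-zoned interfaces do not exchange traffic
        if src == dst:
            return "pass"        # traffic within one zone is not subject to zone policy
        for rule in self.policy.get((src, dst), []):   # first matching class wins
            if (not rule.protos or f.proto in rule.protos) and (not rule.ports or f.dport in rule.ports):
                return rule.action
        return "drop"            # no zone pair or no matching class: implicit drop


def figure_8_2() -> Zpf:
    """Router with one interface per zone; interface names are assumed."""
    z = Zpf()
    z.assign("Gi0/0", "INSIDE")
    z.assign("Gi0/1", "DMZ")
    z.assign("Gi0/2", "OUTSIDE")
    # inside users may initiate sessions anywhere; inspection tracks them statefully
    z.zone_pair("INSIDE", "OUTSIDE", [ZoneRule("inspect")])
    z.zone_pair("INSIDE", "DMZ", [ZoneRule("inspect")])
    # the outside may initiate only web sessions to the DMZ
    z.zone_pair("OUTSIDE", "DMZ", [ZoneRule("inspect", ("tcp",), (80, 443))])
    # no OUTSIDE->INSIDE or DMZ->INSIDE pair is defined, so those directions drop
    return z


if __name__ == "__main__":
    z = figure_8_2()
    for flow in (Flow("Gi0/0", "Gi0/2", "tcp", 443), Flow("Gi0/2", "Gi0/1", "tcp", 80),
                 Flow("Gi0/2", "Gi0/1", "tcp", 22), Flow("Gi0/1", "Gi0/0", "tcp", 445)):
        print(flow, "->", z.decide(flow))
```

The model evaluates only session-initiating packets; return traffic for an "inspect" decision is admitted by the session state the inspection creates, which a design review can treat as implied by the zone pair that opened the session. The value of the zone abstraction shows when a fourth interface is added to INSIDE: it inherits every INSIDE policy with no per-interface rule changes.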

FIGURE 8-2 Zone-Based Policy Firewall Example (diagram not reproduced: a router with the IOS Firewall feature set, with one interface in each of the INSIDE, DMZ, and OUTSIDE zones)

NAC Design Considerations

Network admission control (NAC) is a collection of technologies that can be used to enhance network security services. Specifically, NAC can perform posture validation, which ensures that only permitted devices can communicate on the network.

Identity-based networking services (IBNS) can be used with NAC technologies to identify and authenticate a user (or other network device), and make sure the user or network device has appropriate access to network resources.


Cisco combines multiple admission control and policy enforcement mechanisms into a device called a NAC Appliance.

Specifically, the NAC Appliance is composed of the following four elements:

• Cisco NAC Appliance Manager (Cisco NAM): Acts as a NAC Appliance administration server for defining policies

• Cisco NAC Appliance Server (Cisco NAS): Acts as a policy enforcement server between the trusted and untrusted networks

• Cisco NAC Appliance Agent (Cisco NAA): Acts as an optional agent for Windows-based clients

• NAC Appliance Policy Updates: Checks the status of updates applied to operating systems, antivirus signatures, and other client software

When designing a NAS deployment, consider the following variables:

• Virtual gateway or real gateway: Defines the NAS as a Layer 2 or Layer 3 device

• In-band or out-of-band operating mode: Defines how traffic flows through the NAS

• Layer 2 or Layer 3 client access mode: Defines user device adjacency (that is, Layer 2 or Layer 3) to the NAS

• Central or edge physical deployment: Defines whether the NAS device is physically inline with the data flow

Cisco recommends that NAC Appliance deployments be designed with full redundancy. Among the supported NAC Appliance designs are the following:

• Layer 2 in-band: The most popular type of NAC Appliance deployment, where the NAS is logically, but not physically, inline with the client data, as depicted in Figure 8-3

• Layer 2 out-of-band: Similar to the Layer 2 in-band design, with the exception of a trunk (carrying traffic from the posture assessment and the network access VLANs) being used between the access and distribution switches


• Layer 3 in-band: Securely manages traffic for VPN concentrators or from remote sites, where the client is not Layer 2 adjacent to the NAS

• Layer 3 out-of-band: Allows the NAS to be centrally deployed out-of-band in the core or distribution layers

The Cisco NAC Framework leverages both Cisco technologies and third-party security solutions to analyze the posture of a host, preventing unauthorized network access. The three major components of the Cisco NAC posture validation process are as follows:

• Subjects: Subjects are endpoints that access a network on which network admission control is being used.

• Enforcement devices: Enforcement devices are network devices (for example, routers, VPN gateways, Catalyst switches, and wireless access points) that NAC polices.

• Decision and remediation devices: Decision and remediation devices (for example, AAA [authentication, authorization, and accounting] servers, directory servers, posture validation servers [PVS], remediation servers, and audit servers) work together to provide the features of a NAC architecture.

[Figure 8-3 (diagram not reproduced): Layer 2 in-band NAC Appliance deployment; labels shown in the figure: VLAN 20 - NAS Management VLAN, VLAN 30 - NAM Management VLAN, VLAN 10, 20]
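The posture validation that the NAC Appliance and NAC Framework sections describe (checks on operating-system updates, antivirus signatures and other client software, with the result deciding whether the host lands on the network access VLAN or stays on the posture assessment VLAN), as an added example that is not Cisco NAC Appliance code: a Python decision function a posture validation server would apply. The policy thresholds, the VLAN numbers, the sample hosts and the Posture/Policy/decide_admission names are constructed assumptions.

```python
"""Posture-validation decision for a NAC deployment.

Added example, not Cisco NAC Appliance code. Thresholds, VLAN numbers, sample
hosts and the Posture/Policy/decide_admission names are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

ACCESS_VLAN = 10       # network access (production) VLAN, assumed
ASSESSMENT_VLAN = 20   # posture assessment / remediation VLAN, assumed


@dataclass
class Posture:
    host: str
    agent_present: bool                 # NAC agent installed (optional on Windows clients per the text)
    os_patch_level: int                 # assumed monotonically increasing patch baseline
    av_signature_date: date             # date of the antivirus signature set on the host
    installed_software: Tuple[str, ...]  # other client software reported by the agent


@dataclass
class Policy:
    min_patch_level: int
    max_signature_age: timedelta
    mandatory_software: Tuple[str, ...]


def failed_checks(p: Posture, policy: Policy, today: date) -> List[str]:
    """Return the posture requirements the host does not meet (empty = compliant)."""
    failures = []
    if not p.agent_present:
        failures.append("agent missing")           # nothing to assess without the agent
    if p.os_patch_level < policy.min_patch_level:
        failures.append(f"os patch level {p.os_patch_level} < {policy.min_patch_level}")
    if today - p.av_signature_date > policy.max_signature_age:
        failures.append("antivirus signatures stale")
    for sw in policy.mandatory_software:
        if sw not in p.installed_software:
            failures.append(f"{sw} not installed")
    return failures


def decide_admission(p: Posture, policy: Policy, today: date) -> Tuple[str, int, List[str]]:
    """Map a posture result to (decision, VLAN, reasons).

    Compliant hosts move to the access VLAN. Non-compliant hosts, and hosts that
    cannot be assessed, stay on the assessment VLAN, where only remediation
    servers are reachable, until a later check passes.
    """
    failures = failed_checks(p, policy, today)
    if not failures:
        return ("permit", ACCESS_VLAN, [])
    return ("quarantine", ASSESSMENT_VLAN, failures)


# Constructed policy, reference date and host reports.
POLICY = Policy(min_patch_level=42, max_signature_age=timedelta(days=7), mandatory_software=("host-ips",))
TODAY = date(2008, 1, 15)
HOSTS = [
    Posture("pc-01", True, 43, date(2008, 1, 14), ("host-ips",)),   # compliant
    Posture("pc-02", True, 40, date(2008, 1, 1), ("host-ips",)),    # unpatched, stale signatures
    Posture("pc-03", False, 43, date(2008, 1, 14), ()),             # no agent, no host IPS
]


if __name__ == "__main__":
    for h in HOSTS:
        decision, vlan, reasons = decide_admission(h, POLICY, TODAY)
        print(f"{h.host}: {decision} on VLAN {vlan} {reasons}")
```

The VLAN returned is what an out-of-band design would push to the access switch port after assessment; in an in-band design the same decision instead selects which traffic the NAS forwards. Listing every failed check, rather than stopping at the first, is what lets a remediation server tell the user all that must be fixed in one pass.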

Cisco offers four security applications for client devices:

• Cisco NAC Appliance Agent (NAA): An optional component of the Cisco Clean Access feature, which provides Registry scans

• Cisco Security Agent (CSA): A host intrusion prevention system (HIPS) application that integrates with the Cisco NAC Framework and Monitoring, Analysis, and Response System (MARS)

• Cisco Secure Services Client: Uses IEEE 802.1X to provide a single authentication framework for multiple device types

• Cisco Trust Agent: An integral component of the NAC framework that allows NAC to check the state of security or management software

IDS and IPS Design Considerations

Cisco Self-Defending Network technology leverages the features of intrusion detection systems (IDS) and intrusion prevention systems (IPS). Both IDS and IPS can help defend a network against malicious traffic such as worms, network viruses, and denial-of-service (DoS) attacks.

Intrusion detection systems do not reside in the data path. Instead, they receive a copy of the data for analysis. As a result, an IDS cannot protect against certain types of attacks. For example, atomic attacks can consist of a single packet, and by the time the IDS detects the attack (based on a copy of the attack packet), the attack has already been carried out.

Intrusion prevention systems, conversely, do reside in the data path. Therefore, an IPS might be able to defeat an attack that an IDS would not be able to defeat.


Both IDS and IPS solutions consist of two major components:

• Sensors: Sensors collect and analyze traffic patterns, looking for attack signatures. These sensors can be a dedicated network appliance or software that runs on a host (for example, Cisco Security Agent).

• Security management and monitoring infrastructure: Cisco uses a collection of management and monitoring solutions to carry out the functions of IDS and IPS, including the following:

  • Cisco Security Manager: Used to configure Cisco firewalls, VPNs, and IPS devices for security features, in addition to performing high-level monitoring functions

  • Cisco Security Monitoring, Analysis, and Reporting System (MARS): Monitors both security devices in the network and host applications

  • Cisco Intrusion Prevention System Device Manager (IDM): A Java application used to configure and manage IPS sensors

  • IDS Event Viewer: A Java-based application used to view and manage alarms for as many as five sensors

A designer can select from multiple options for placing an IPS sensor in an enterprise network, as illustrated in Figure 8-4.

• Two Layer 2 devices (no trunk): The IPS sensor is positioned between two Layer 2 devices and connects to those two devices via access ports on those devices.

• Two Layer 3 devices: Typically used in Internet, campus, and server farm designs, this model places the IPS sensor between two Layer 3 devices, such as routers or firewalls.

• Two VLANs on the same switch: The IPS sensor bridges two VLANs together on the same switch, such that the traffic arrives from the switch on one VLAN, and the IPS sensor sends the traffic back to the switch on a separate VLAN.

• Two Layer 2 devices (trunked): The IPS sensor is positioned between two Layer 2 devices (for example, Cisco Catalyst switches), and attaches to those devices via IEEE 802.1Q trunks.

FIGURE 8-4 Positioning an IPS Appliance in an Enterprise Network (diagram not reproduced; panels: Two Layer 2 Devices (No Trunk); Two Layer 3 Devices; Two Layer 2 Devices (Trunked), connected by an IEEE 802.1Q Trunk; Two VLANs on the Same Switch, bridging VLAN A and VLAN B)
