Importance of Security

The Internet has become the largest public data network, enabling both personal and business communication worldwide. The volume of traffic moving over the Internet and over corporate networks grows every day. More and more communication takes place by e-mail; mobile workers, telecommuters, and branch offices use the Internet to connect remotely to their corporate networks; and commercial transactions completed over the Web now account for a large share of corporate revenue. While the Internet has transformed the way we do business, this vast network and its associated technologies have also exposed corporations to a growing number of security threats against which they must protect themselves.

Attacks are arguably more serious when inflicted on businesses that store sensitive data, such as personal medical or financial records, but the consequences for any organization range from mildly inconvenient to completely debilitating: important data can be lost, privacy can be violated, and hours or even days of network downtime can follow. Despite these risks, the Internet can be one of the safest means of conducting business. Giving credit card details to a telemarketer over the phone or to a waiter in a restaurant can be riskier than submitting them to a Web site, because electronic commerce transactions are usually protected by security technology, whereas waiters and telemarketers are not always monitored or trustworthy.

Yet the fear of security problems can be as harmful to a business as an actual breach. General fear and suspicion of computers still exists, and with it comes a distrust of the Internet. This distrust can limit the business opportunities of companies, especially those that are completely Web based. Companies must therefore enact security policies and institute safeguards that are not only effective but are also perceived as effective, and they must be able to communicate to customers how they intend to protect them.

Beyond their customers, corporations must protect their employees and partners from security breaches. The Internet, intranets, and extranets enable fast and effective communication between employees and partners, but a network attack impedes that efficiency directly: it may cause several hours of downtime for employees, and networks may have to be taken down so that damage can be repaired or data restored. Lost time and lost data hurt both employee productivity and morale.

Legislation is another force driving the need for network security. Governments recognize both the importance of the Internet and the fact that substantial portions of the world's economic output depend on it. They also recognize that opening the world's economic infrastructure to abuse by criminals could cause major economic damage, and national governments are therefore enacting laws to regulate the flow of electronic information. To accommodate these regulations, the computer industry has developed a portfolio of security standards that help organizations secure their data and demonstrate that it is secure. A business without a demonstrable security policy protecting its data risks being found in breach of such regulations and standards, with the penalties that follow.

Computer security

A. What is computer security?

Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help you stop unauthorized users (also known as "intruders") from accessing any part of your computer system. Detection helps you determine whether someone attempted to break into your system, whether they succeeded, and what they may have done.

B. Why should I care about computer security?

We use computers for everything from banking and investing to shopping and communicating with others through e-mail or chat programs. Although you may not consider your communications "top secret," you probably do not want strangers reading your e-mail, using your computer to attack other systems, sending forged e-mail from your computer, or examining personal information stored on your computer (such as financial statements).

C. Who would want to break into my computer at home?

Intruders (also referred to as hackers, attackers, or crackers) may not care about your identity. Often they want to gain control of your computer so they can use it to launch attacks on other computer systems. Controlling your computer lets them hide their true location while they attack, often against high-profile systems such as government or financial systems. Even if your computer is connected to the Internet only to play the latest games or to send e-mail to friends and family, it may be a target. Intruders may be able to watch everything you do on the computer, or damage it by reformatting your hard drive or changing your data.

D. How easy is it to break into my computer?

Unfortunately, intruders are always discovering new vulnerabilities (informally called "holes") to exploit in computer software. The complexity of software makes it increasingly difficult to test the security of computer systems thoroughly. When holes are discovered, vendors usually develop patches to address them; however, it is up to you, the user, to obtain and install the patches, or to configure the software so that it operates more securely. Most of the incident reports of computer break-ins received at the CERT/CC could have been prevented if system administrators and users had kept their computers up to date with patches and security fixes. Also, some software applications have default settings that allow other users to access your computer unless you change the settings to be more secure. Examples include chat programs that let outsiders execute commands on your computer, and Web browsers that could allow someone to place harmful programs on your computer that run when you click on them.

Firewall Manager

When you administer a large network, you will have one or more firewalls on the border of your network, connecting either to the Internet or to a customer's company with which you need to communicate. These firewalls play an important role in protecting against intruders from outside your network, so it is critical that you manage them effectively and efficiently. Cisco developed PIX Firewall Manager for its PIX Firewall product range to do just this: the rules for accessing your network are defined at a central point and distributed to multiple firewalls on the border of your network.

PIX Firewall Manager Overview

When one or more PIX Firewalls protect the resources inside your network against intrusion from outside, you can use PIX Firewall Manager to administer and manage the security policy of those devices from any host with a graphical user interface (GUI). The most basic use of PIX Firewall Manager is to add, remove, and change the security policy and rules governing all communication between your network and the outside world. PIX Firewall Manager, or PFM, can be installed on a Microsoft Windows NT Server or Workstation and includes two components: the Management Server, which relays requests and responses to and from the firewalls, and the Management Client, the GUI through which you connect to the server.

All of Cisco's equipment can also be managed via a Telnet connection to the device, using an ordinary Telnet client. This interface, or configuration mode, is called the Command Line Interface (CLI), and you use device-specific commands to add, remove, and change the configuration file. The CLI may sometimes be required for commands not available in the PIX Firewall Manager software; PFM exposes the most commonly used configuration and settings of the PIX Firewall. Note that Telnet carries credentials and configuration across the network in cleartext, so access to a firewall's management interfaces should itself be restricted to trusted administrative hosts.

When you use PFM to manage the PIX Firewalls on your network, you can connect to the Management Client from anywhere on your network, and the Management Server relays your requests and the responses to and from any PIX Firewall, giving you one central point from which to manage all PIX Firewall policies. Conversely, if you manage and configure your PIX Firewalls through the CLI, you must connect to the specific IP address of each firewall to alter its configuration. This becomes very time-consuming when your network security policy changes and the change must be implemented on every PIX Firewall in your administrative domain. Likewise, when you use alarms to notify you of a possible intrusion, PFM can serve as the central point for all notifications configured on all the PIX Firewalls on the network; setting the alerts centrally through PFM takes a fraction of the time that configuring each firewall through the CLI would.

Security Policy Management

Cisco Secure Policy Manager (CSPM) is a centralized, policy-based management solution for Cisco security devices on your network. You can use CSPM to deploy a company security policy throughout your network. It uses a simple process for implementing network-wide policies: policy definition, enforcement, and auditing.

Security Policy Definition

Using CSPM, you can create high-level security policies based on the company's security objectives. You create security policy abstracts that define access, and the associated level of security, to specific network devices. By adjusting the parameters of an abstract for the type of network service or application and for the source and destination addresses, you control network traffic across your enterprise network. To simplify policy creation, abstracts can be generated for a collection of services, reducing the number of policies you need. When you first install the CSPM software on your server, predefined abstract bundles are ready for use in your security policies. CSPM also provides grouping constructs for supported devices and hosts that allow you to reference multiple networks or hosts in a single policy, and you can use CSPM to define NAT policies on the PIX Firewall or router at the boundary of your network.

Security Policy Enforcement

After you have defined the security policy, you deploy it to the specific Cisco security devices on your network. You can create a network topology and identify where the policy should be enforced by dragging and dropping the security policies onto the target network segments. CSPM translates the policy into device commands and deploys it to the necessary PIX Firewalls and VPN routers on the specified network segment, so you do not need to use the time-consuming CLI to configure each device for the new policy. Depending on your preferences and needs, you can deploy the policy automatically or manually. The communication between the CSPM host and the managed devices is protected, giving a flexible, robust, and secure mechanism for distributing configurations and enforcing policies consistently across the network, where you can easily verify and modify them as required. At any time you can use the consistency check feature to verify policy integrity and enforcement status, or configure a notification to be sent if an error occurs during policy enforcement.

Standard and Extended Access Lists

These are the simplest access lists that can be installed, and they are often sufficient for implementing many security policies. Standard access lists filter packets based only on the source IP address in the packet. For example, a standard access list could deny all incoming traffic on the router except traffic from a specific source IP address. The source address specified in a standard access list can represent a host or a network.

An extended access list allows finer control when defining filtering rules: a rule can be based on the source address, destination address, protocol type (for example, TCP or UDP), source and destination port numbers, and various other fields in the IP and TCP headers. A commonly used parameter is established, which matches all TCP packets that have the ACK or RST flag bit set. Since the ACK flag is set on every packet of a TCP session after the initial SYN, this parameter is used to admit the return half of connections that inside hosts opened. Note, however, that the router only inspects the flag bits the sender chose to set; it does not verify that a session actually exists.

The drawback of standard and extended access lists is that they do not understand the state of a connection: every packet received is checked individually, without considering whether it is part of an existing connection between two hosts. To allow TCP traffic, the access list must therefore be configured to allow the return traffic back through the router. To allow UDP traffic, an extended access list must simply allow UDP traffic through, with no way to restrict the direction in which a session may be initiated. Although this filtering technique is suitable in many cases, it does not protect against forged TCP packets, which are commonly used to probe networks: a packet with only ACK set passes an established rule even though no session exists. It also offers no facility to effectively filter UDP sessions, protocols that embed IP addresses within the protocol (RPC, SQL*Net, H.323, and so on), or FTP in non-passive mode.

Reflexive Access Lists

Using extended access lists, one can install an access list that permits allowed traffic out through the router, but a second access list is also required to allow the return traffic back in. This is a problem because it leaves permanent openings in the access lists. This is where reflexive lists can help. Using reflexive access lists, one installs an access list that permits allowed traffic out through the router; once traffic is initiated and allowed through by that list, a reflexive entry is automatically installed in the router that allows the corresponding return traffic through. Reflexive access lists thus automatically create and delete temporary access list entries that allow the traffic associated with an IP session, which offers stronger control over what traffic is allowed into a network. Reflexive access lists are a feature added to an extended access list and can only be defined using extended named IP access lists. Their shortcoming, like that of extended access lists, is that they cannot be used with protocols that embed IP addresses within the protocol (RPC, SQL*Net, H.323, and so on) or with FTP in non-passive mode.

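The following is an added example, not part of the original chapter and not Cisco IOS configuration: a small Python model of the two filtering models described in the last two sections. It evaluates a stateless extended list carrying an established entry and a reflexive filter against the same three constructed inbound packets (a genuine reply, a new connection attempt, and a forged packet with only ACK set), so that the weakness of established and the effect of the temporary reflexive entries can be seen side by side. All addresses, ports and packets are constructed for the demonstration.

```python
"""Stateless extended access-list filtering versus a reflexive (stateful) list.

Added example: a small model of the matching semantics the text describes,
not Cisco IOS configuration. Every address, port and packet below is
constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set, Tuple

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    flags: int = 0    # TCP flags; ignored for UDP


@dataclass
class Ace:
    """One extended access-list entry (an access control entry)."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (any IP protocol)
    src: str = "0.0.0.0/0"        # CIDR; "any" is 0.0.0.0/0
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches every destination port
    established: bool = False     # match only TCP packets with ACK or RST set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if IPv4Address(p.src) not in IPv4Network(self.src):
            return False
        if IPv4Address(p.dst) not in IPv4Network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.flags & (ACK | RST)):
            return False
        return True


def extended_acl(entries: List[Ace], p: Packet) -> str:
    """Evaluate each packet on its own: the first matching entry wins, and an
    implicit 'deny ip any any' ends every list."""
    for ace in entries:
        if ace.matches(p):
            return ace.action
    return "deny"


class ReflexiveFilter:
    """Outbound permits create temporary inbound entries keyed on the
    reversed 5-tuple; inbound packets must match one or are denied."""

    def __init__(self, outbound: List[Ace]) -> None:
        self.outbound = outbound
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def outbound_packet(self, p: Packet) -> str:
        verdict = extended_acl(self.outbound, p)
        if verdict == "permit":
            # Temporary entry describing the return traffic of this session.
            self.sessions.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return verdict

    def inbound_packet(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        return "permit" if key in self.sessions else "deny"


INSIDE = "192.0.2.0/24"  # constructed internal network

# Inbound list on the border router: admit replies, block new connections.
INBOUND = [Ace("permit", "tcp", "0.0.0.0/0", INSIDE, established=True)]


def demo() -> Dict[str, Dict[str, str]]:
    """Verdicts for a real reply, a new inbound connection attempt, and a
    forged packet with only ACK set (an ACK scan), under both models."""
    reply = Packet("198.51.100.7", "192.0.2.10", "tcp", 80, 40001, ACK)
    new_conn = Packet("198.51.100.7", "192.0.2.10", "tcp", 5555, 22, SYN)
    forged = Packet("198.51.100.7", "192.0.2.10", "tcp", 5555, 22, ACK)
    probes = {"reply": reply, "new_conn": new_conn, "forged_ack": forged}

    stateless = {name: extended_acl(INBOUND, p) for name, p in probes.items()}

    rf = ReflexiveFilter([Ace("permit", "tcp", INSIDE, "0.0.0.0/0")])
    # The inside host opens the session first; only its return traffic is let in.
    rf.outbound_packet(Packet("192.0.2.10", "198.51.100.7", "tcp", 40001, 80, SYN))
    reflexive = {name: rf.inbound_packet(p) for name, p in probes.items()}
    return {"stateless": stateless, "reflexive": reflexive}


if __name__ == "__main__":
    for model, verdicts in demo().items():
        print(model, verdicts)
```

Running it shows the stateless list permitting the forged ACK packet (it satisfies established just as the genuine reply does) while the reflexive filter denies it, because no outbound session created an entry for that 5-tuple. The model deliberately omits timeouts on the temporary entries and any understanding of payloads, which is why it would be just as blind as the real feature to FTP in active mode.
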
Context-based Access Control

Compared to the other types of access lists, Context-based Access Control (CBAC) goes one step further and examines the application-layer protocol information in order to learn the state of the connection. This information is used to provide greater control over what traffic should be allowed or denied. By examining the application-layer protocol, CBAC can effectively filter traffic from protocols like RPC, SQL*Net, H.323, and FTP. However, since every application protocol is different, CBAC must explicitly support each protocol it inspects. CBAC also offers protection against certain types of network attacks, for example by limiting the number of half-open TCP sessions during a SYN flood. These topics are covered in more detail in Chapter 2, "Traffic Filtering on Cisco IOS."

Network Address Translation (NAT)

The Internet is comprised of an ever-growing number of hosts. In the "ideal" Internet, each of those hosts has a unique and globally routable IP address. In real-world deployments, however, IPv4 addresses have become a scarce resource: the majority of today's IPv4 networks require more addresses than ISPs make available. ISPs in turn receive their allocations from the Regional Internet Registries, which are responsible for IP address allocation throughout the world. With the ongoing deployment of IPv6 on the Internet, this shortage will eventually become a thing of the past.

Private Addresses

To get around the address shortage, a site can use addresses from a private space for its internal IP networks. Private addresses are part of the reserved ranges defined in RFC 1918, "Address Allocation for Private Internets": 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. A site using private addresses can allocate as many IP networks as it requires, and normal IP connectivity between those internal networks can be achieved without any special configuration. Such a site forms a private addressing realm: all nodes within the site have full IP connectivity, but that connectivity is restricted to the site. The Internet is part of the public addressing realm, so hosts within a site using private IP addresses cannot communicate directly with hosts on the Internet, because the site's addresses are not valid on the Internet and are not routed there.

Network Address Translation

Network Address Translation (NAT) is a mechanism that allows a site using a private addressing realm to achieve connectivity with another realm, such as the Internet. NAT is usually implemented in a router or a firewall at the boundary of the two networks or realms. When a packet leaves the internal network, the NAT device rewrites the source address of the packet so that the new source address is valid in the network the packet is forwarded on. A packet flowing in the other direction, towards the internal network, is modified by the NAT device as well, this time by rewriting the destination address. Depending on the type of network address translation, the source and destination port numbers may also be modified. NAT functions fall into two categories: static NAT and dynamic NAT. In static NAT there is a predetermined, one-to-one mapping between an internal IP address and an outside IP address. In dynamic NAT the mapping is created on demand, and many internal addresses can share a smaller set of outside addresses. Cisco IOS and the PIX Firewall can be configured to offer both types of NAT.

Static NAT

In this configuration, an internal host can be reached from outside at its external IP address. The NAT device is preconfigured with the address translation table, so an internal host is always assigned the same external IP address whenever it communicates with an external host. The NAT device rewrites the source address of outgoing packets and the destination address of incoming packets. Since the mapping between internal and external addresses is fixed and one-to-one, this type of NAT requires one external IP address for each internal host that needs static NAT. Static NAT can be a useful tool when renumbering the IP addresses of servers: during the transition, a static NAT entry lets a server be reached at both its new and its deprecated IP address.

Traditional or Outbound NAT

Whenever an internal host initiates a communication with an external host, the NAT device allocates an external IP address for that host from its pool. The NAT rewrites the source address of the outgoing packets and the destination address of the incoming packets. This type of NAT limits the number of internal hosts that can access external networks simultaneously: if 10 external (public) addresses are available and configured in the NAT, only 10 internal hosts can communicate with the external (public) network at the same time.

Network Address Port Translation (NAPT or PAT)

Network Address Port Translation (NAPT) is referred to as Port Address Translation (PAT) in Cisco documentation. In this configuration, many internal hosts share the same external IP address. Whenever an internal host initiates a communication with an external host, the NAPT device rewrites both the source address and the source port number of the outgoing packets, and it uses the rewritten port to map replies back to the right internal host. In this way the outgoing communications of many hosts are multiplexed through the same external source IP address, making efficient use of external addresses.

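As an added example (not from the original chapter, and not Cisco IOS or PIX code), the following Python model implements the three translation modes described in the Static NAT, Traditional NAT, and NAPT sections as a single translation table. It shows an inbound packet reaching a statically mapped host without prior traffic, a two-address dynamic pool refusing the third simultaneous host, and PAT rewriting the source port so that three hosts using the same source port can share one outside address and still receive their own replies. Inside hosts use RFC 1918 space and the outside addresses are from the documentation range; all of them are constructed.

```python
"""Static NAT, dynamic (pool) NAT and NAPT/PAT modelled as a translation table.

Added example of the three translation modes the text describes; it is not
Cisco IOS or PIX code. Inside hosts use RFC 1918 space and the outside
addresses come from the documentation range, all constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self, static: Dict[str, str], pool: List[str],
                 pat_address: Optional[str] = None) -> None:
        self.static = dict(static)                         # inside -> outside, fixed
        self.static_rev = {v: k for k, v in static.items()}
        self.pool = list(pool)                             # free dynamic addresses
        self.dynamic: Dict[str, str] = {}                  # inside -> outside, on demand
        self.pat_address = pat_address
        self.pat: Dict[Tuple[str, int], int] = {}          # (inside, sport) -> outside port
        self.pat_rev: Dict[int, Tuple[str, int]] = {}
        self.next_port = 1024

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite the source; None means no translation is available and the
        packet is dropped (the host-count limit of traditional NAT)."""
        if p.src in self.static:
            return Packet(self.static[p.src], p.sport, p.dst, p.dport)
        if p.src in self.dynamic:
            return Packet(self.dynamic[p.src], p.sport, p.dst, p.dport)
        if self.pool:
            self.dynamic[p.src] = self.pool.pop(0)
            return Packet(self.dynamic[p.src], p.sport, p.dst, p.dport)
        if self.pat_address is not None:
            key = (p.src, p.sport)
            if key not in self.pat:                        # allocate a fresh outside port
                self.pat[key] = self.next_port
                self.pat_rev[self.next_port] = key
                self.next_port += 1
            return Packet(self.pat_address, self.pat[key], p.dst, p.dport)
        return None

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite the destination back to the inside host (and port, for PAT)."""
        if p.dst in self.static_rev:                       # reachable without prior traffic
            return Packet(p.src, p.sport, self.static_rev[p.dst], p.dport)
        for inside, outside in self.dynamic.items():
            if outside == p.dst:
                return Packet(p.src, p.sport, inside, p.dport)
        if p.dst == self.pat_address and p.dport in self.pat_rev:
            inside, sport = self.pat_rev[p.dport]
            return Packet(p.src, p.sport, inside, sport)
        return None  # no matching state: unsolicited traffic has nowhere to go


SERVER = "198.51.100.5"  # constructed external peer


def demo() -> Dict[str, object]:
    results: Dict[str, object] = {}

    # 1. Static NAT: 10.1.1.10 is always 203.0.113.10 and can be reached from outside.
    nat = Nat(static={"10.1.1.10": "203.0.113.10"}, pool=[])
    out = nat.outbound(Packet("10.1.1.10", 443, SERVER, 50000))
    back = nat.inbound(Packet(SERVER, 50000, "203.0.113.10", 443))
    results["static"] = (out.src, back.dst)

    # 2. Dynamic NAT with a two-address pool: the third host cannot get out.
    nat = Nat(static={}, pool=["203.0.113.20", "203.0.113.21"])
    outs = [nat.outbound(Packet(f"10.1.1.{i}", 40000, SERVER, 80)) for i in (1, 2, 3)]
    results["dynamic"] = [o.src if o else None for o in outs]

    # 3. NAPT/PAT: three hosts using the same source port share one address
    #    and are told apart by the rewritten source port on the way back.
    nat = Nat(static={}, pool=[], pat_address="203.0.113.30")
    outs = [nat.outbound(Packet(f"10.1.1.{i}", 40000, SERVER, 80)) for i in (1, 2, 3)]
    reply = nat.inbound(Packet(SERVER, 80, "203.0.113.30", outs[1].sport))
    results["pat"] = ([o.sport for o in outs], reply.dst, reply.dport)
    return results


if __name__ == "__main__":
    for mode, value in demo().items():
        print(mode, value)
```

The inbound path is where the security-relevant behaviour lives: without a static entry or existing translation state the device has no inside destination to rewrite to, so unsolicited traffic is dropped, and the PAT table is what lets the replies for the three hosts be demultiplexed from one outside address. Real devices also age translations out and guard the table size, which this model leaves out.
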
Considerations

There are advantages and drawbacks to consider when implementing NAT. A NAT device is stateful: it maintains the state of every connection that requires address translation. This property can be a weakness, since the NAT device becomes a single point of failure and its translation table is a finite resource. Some application protocols that embed IP addresses inside the application data will not work with NAT unless the NAT specifically supports that protocol and rewrites the embedded addresses. NAT often complicates network debugging, for example because log records may contain translated rather than original addresses. Access control based on the source IP address also breaks when a NAT is used, especially with NAPT, because many hosts share the same source IP address assigned by the NAPT device. Note also that IPsec does not pass through NAT on its own: AH fails because the address rewrite invalidates its integrity check, and ESP requires UDP encapsulation (IPsec NAT-Traversal) to cross a NAPT device. These topics are covered in more detail in Chapter 3, "Network Address Translation (NAT)."
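
The Context-based Access Control section and the Considerations above both single out protocols that embed IP addresses in their payload, with FTP in non-passive mode as the common example. The following added Python example (not from the original chapter, and not Cisco IOS or PIX code) makes that concrete: it parses the PORT command an FTP client sends on the control channel, derives the data connection the server will open back (the temporary entry an application-aware inspector such as CBAC must create), and shows the payload rewrite a NAT device has to perform because the client announced a private address. The client, server and NAT addresses and the control-channel line are constructed.

```python
"""Why FTP in active (non-passive) mode defeats stateless filters and plain NAT.

Added example, not Cisco IOS or PIX code: it parses the PORT command an FTP
client sends on the control channel, derives the data connection the server
will open back (the pinhole a CBAC-style inspector creates), and shows the
payload fix-up a NAT device must perform. Addresses and the command line
are constructed.
"""
import re
from typing import Dict, Tuple

PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")

Pinhole = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport


def parse_port(line: str) -> Tuple[str, int]:
    """PORT h1,h2,h3,h4,p1,p2 -> (address, p1 * 256 + p2), as in RFC 959."""
    m = PORT_RE.match(line)
    if m is None:
        raise ValueError("not a PORT command")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def format_port(address: str, port: int) -> str:
    """Inverse of parse_port: build the PORT command for address:port."""
    fields = address.split(".") + [str(port // 256), str(port % 256)]
    return "PORT " + ",".join(fields) + "\r\n"


def cbac_pinhole(server: str, line: str) -> Pinhole:
    """Temporary inbound entry an application-aware inspector opens after
    reading PORT: the server connects from TCP 20 to the announced endpoint.
    A stateless list cannot do this, because the endpoint is only known from
    the payload of a different connection (the control channel)."""
    client_addr, client_port = parse_port(line)
    return ("tcp", server, 20, client_addr, client_port)


def nat_fixup(line: str, inside: str, outside: str,
              port_map: Dict[int, int]) -> str:
    """Rewrite the embedded address the way a NAT application gateway must:
    the client wrote its private address into the payload, and the server
    cannot route a connection back to it. port_map gives the outside port the
    NAT reserved for the inside data port."""
    addr, port = parse_port(line)
    if addr != inside:
        return line  # nothing of ours is embedded
    return format_port(outside, port_map.get(port, port))


def demo() -> Dict[str, object]:
    client_inside, client_outside = "10.1.1.25", "203.0.113.30"
    server = "198.51.100.21"
    sent = format_port(client_inside, 40500)          # what the client actually emits
    naive = cbac_pinhole(server, sent)                # points at an RFC 1918 address
    fixed = nat_fixup(sent, client_inside, client_outside, {40500: 1100})
    translated = cbac_pinhole(server, fixed)          # now reaches the NAT's outside address
    return {"sent": sent, "pinhole": naive, "fixed": fixed,
            "pinhole_after_fixup": translated}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, repr(value))
```

The first pinhole is useless on the Internet because its destination is a private address; only after the NAT rewrites the payload (and reserves the matching outside port) does the server's data connection have somewhere routable to go. Passive mode avoids the problem for a client behind NAT because the server announces its own, public, address in the 227 reply instead; the same inspection is still needed if the server sits behind a NAT.
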