Importance of Security
The Internet has undoubtedly become the largest public data network, enabling and facilitating both personal and business communications worldwide. The volume of traffic moving over the Internet, as well as corporate networks, is expanding exponentially every day. More and more communication is taking place via e-mail; mobile workers, telecommuters, and branch offices are using the Internet to remotely connect to their corporate networks; and commercial transactions completed over the Internet, via the World Wide Web, now account for large portions of corporate revenue. While the Internet has transformed and greatly improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats from which corporations must protect themselves. Although network attacks are presumably more serious when they are inflicted upon businesses that store sensitive data, such as personal medical or financial records, the consequences of attacks on any entity range from mildly inconvenient to completely debilitating—important data can be lost, privacy can be violated, and several hours, or even days, of network downtime can ensue. Despite the costly risks of potential security breaches, the Internet can be one of the safest means by which to conduct business. For example, giving credit card information to a telemarketer over the phone or a waiter in a restaurant can be more risky than submitting the information via a Web site, because electronic commerce transactions are usually protected by security technology. Waiters and telemarketers are not always monitored or trustworthy. Yet the fear of security problems can be just as harmful to businesses as actual security breaches. General fear and suspicion of computers still exists and with that comes a distrust of the Internet. This distrust can limit the business opportunities for companies, especially those that are completely Web based. 
Thus, companies must enact security policies and instate safeguards that not only are effective, but are also perceived as effective. Organizations must be able to adequately communicate how they plan to protect their customers. In addition to protecting their customers, corporations must protect their employees and partners from security breaches. The Internet, intranets, and extranets enable fast and effective communication between employees and partners. However, such communication and efficiency can of course be impeded by the effects of a network attack. An attack may directly cause several hours of downtime for employees, and networks must be taken down in order for damage to be repaired or data to be restored. Clearly, loss of precious time and data can greatly impact employee efficiency and morale. Legislation is another force that drives the need for network security. Governments recognize both the importance of the Internet and the fact that substantial portions of the world’s economic output are dependent on it. However, they also recognize that opening up the world’s economic infrastructure to abuse by criminals could cause major economic damage. National governments are therefore developing laws intended to regulate the vast flow of electronic information. Furthermore, to accommodate the regulations enacted by governments, the computer industry has developed a portfolio of security standards to help to secure data and to prove that it is secure. Businesses that do not have demonstrable security policies to protect their data will be in breach of these standards and penalized accordingly.
Computer security
A. What is computer security?
Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help you to stop unauthorized users (also known as "intruders") from accessing any part of your computer system. Detection helps you to determine whether or not someone attempted to break into your system, if they were successful, and what they may have done.
B. Why should I care about computer security?
We use computers for everything from banking and investing to shopping and communicating with others through email or chat programs. Although you may not consider your communications "top secret," you probably do not want strangers reading your email, using your computer to attack other systems, sending forged email from your computer, or examining personal information stored on your computer (such as financial statements).
C. Who would want to break into my computer at home?
Intruders (also referred to as hackers, attackers, or crackers) may not care about your identity. Often they want to gain control of your computer so they can use it to launch attacks on other computer systems. Having control of your computer gives them the ability to hide their true location as they launch attacks, often against high-profile computer systems such as government or financial systems. Even if you have a computer connected to the Internet only to play the latest games or to send email to friends and family, your computer may be a target. Intruders may be able to watch all your actions on the computer, or cause damage to your computer by reformatting your hard drive or changing your data.
D. How easy is it to break into my computer?
Unfortunately, intruders are always discovering new vulnerabilities (informally called "holes") to exploit in computer software. The complexity of software makes it increasingly difficult to thoroughly test the security of computer systems. When holes are discovered, computer vendors will usually develop patches to address the problem(s). However, it is up to you, the user, to obtain and install the patches, or correctly configure the software to operate more securely. Most of the incident reports of computer break-ins received at the CERT/CC could have been prevented if system administrators and users kept their computers up-to-date with patches and security fixes. Also, some software applications have default settings that allow other users to access your computer unless you change the settings to be more secure. Examples include chat programs that let outsiders execute commands on your computer or web browsers that could allow someone to place harmful programs on your computer that run when you click on them.
Firewall Manager
When you need to administer a large network, you will have one or more firewalls on the border of your network, connecting either to the Internet or to a customer's company with whom you need to communicate. The firewalls installed on your network will play an important role in protecting against intruders from outside your network. It is critical that you manage them effectively and efficiently. Cisco has developed PIX Firewall Manager for its PIX Firewall product range to do just this. The rules for accessing your network are defined at a central point and can be distributed to multiple firewalls on the border of your network.
PIX Firewall Manager Overview
When you have one or more PIX Firewalls installed on your network, protecting the resources inside your network against potential intrusion from outside, you can use PIX Firewall Manager to administer and manage the PIX Firewall device security policy. PIX Firewall Manager can manage one or more PIX Firewalls from any host with a Graphical User Interface (GUI). The most basic use of PIX Firewall Manager is to add, remove, and change the security policy and rules for all communication between your network and the outside world. PIX Firewall Manager, or PFM, can be installed on a Microsoft Windows NT Server or Workstation and includes two components:
All of Cisco's equipment can be managed via a Telnet connection to the device, using a normal Telnet client. This interface, or configuration mode, is called a Command Line Interface (CLI), and you can use commands specific to the device to add, remove, and change the configuration file. The CLI may sometimes be required to access commands not available in the PIX Firewall Manager software.
Overall, PFM covers the most commonly used configuration and settings on the PIX Firewall. When you use PFM to manage PIX Firewalls on your network, you will be able to connect to the Management Client from anywhere on your network. With this connection, you will use the Management Server to relay requests and responses to and from any PIX Firewall on your network. This means that you always have one central point to manage all PIX Firewall policies. Conversely, if you use the CLI to manage and configure your PIX Firewalls, you will always connect to the specific IP address of the PIX Firewall to alter the configuration. This could become very time-consuming if your network security policy changes and you need to implement this change on all the PIX Firewalls in your administrative domain and your network. When you are using alarms to notify you when a possible intrusion occurs, PFM can be used as a central point for all notifications configured in all the PIX Firewalls on the network. If you need to implement this kind of policy, setting the specific alerts with PFM takes less than half the time it would with the CLI.
Security Policy Management
CSPM is a centralized, policy-based management solution for Cisco security devices on your network. You can use CSPM to deploy a company security policy throughout your network. It uses a simple management process for implementing network-wide policies through policy definition, enforcement, and auditing.
Security Policy Definition
Using CSPM, you can create high-level security policies based on the company's security objectives. You can create security policy abstracts that define access and the associated level of security for specific network devices. By adjusting the parameters for the type of network service or application and the source and destination address of the abstracts, you can control network traffic across your enterprise network. To simplify the creation of the policies on your network, the policy abstracts can be generated for a collection of services to reduce the number of policies created. When you first install the CSPM software on your server, there will be predefined abstract bundles ready for use in your security policies. CSPM also provides grouping constructs for supported devices and hosts that allow you to reference multiple networks or hosts in a single policy. You can also use CSPM to easily define NAT policies on the PIX Firewall or router at the boundary of your network.
Security Policy Enforcement
After you have defined the security policy, you deploy it to the specific Cisco security devices on your network. You can easily create a network topology and identify where the policy should be enforced, using a drag-and-drop method to apply the security policies to the target network segments. CSPM translates the policy into device commands and deploys it to the necessary PIX Firewalls and VPN routers on the specified network section, so you do not need to use the time-consuming CLI to configure each router for the newly deployed security policy. Depending on your preferences and needs, you can deploy the policy to the network automatically or manually. The communication between the CSPM host and the managed devices is secured as it crosses the network, providing a flexible, robust, and secure mechanism to distribute the configurations and enforce the policies. This allows consistent and proper policy enforcement on your network that you can easily verify and modify as required. At any time, you can use the consistency check feature to verify network policy integrity and enforcement status, or you can configure a notification if an error occurs during policy enforcement.
Standard and Extended Access Lists
These are the simplest access lists that can be installed, and they are often sufficient for implementing many security policies. Standard access lists can be used to filter packets based on the source IP address in the packet. For example, one could define a standard access list that denies all incoming traffic on the router except traffic from a specific source IP address. The source address specified in the standard access list can be configured to represent a host or a network. An extended access list allows better control when defining filtering rules: one can create a filtering rule based on the source address, destination address, type of protocol (for example, TCP or UDP), source and destination port numbers, and various other fields in the IP and TCP headers. A commonly used parameter is established, which matches all TCP packets that have the ACK or RST flag bit set; the ACK flag indicates that the packet is part of an open TCP session. The drawback of standard and extended access lists is that they do not track the state of a connection: every packet received is checked individually, without considering whether it is part of an existing connection between two hosts. To allow TCP traffic, this means that one must configure the access list to allow return connections through the router. To allow UDP traffic, an extended access list must simply allow UDP traffic through, with no way to restrict from which direction the session initialization is permitted. Although this filtering technique is suitable in many cases, it does not protect against forged TCP packets (commonly used to probe networks). It also does not offer any facility to effectively filter UDP sessions, nor protocols that embed IP addresses within the protocol (RPC, SQL*Net, H.323, and so on), nor FTP in non-passive mode.
Reflexive Access Lists
Using extended access lists, one can install an access list that permits allowed traffic through the router, but an access list is also required to allow the return traffic through. This can be a problem since it leaves permanent openings in the access lists. This is where reflexive lists can help. Using reflexive access lists, one can install an access list that permits allowed traffic through the router; once traffic is initiated and allowed through by that access list, a reflexive entry is automatically installed in the router that allows the return traffic through. Reflexive access lists automatically create and delete temporary access list entries that allow traffic associated with an IP session. This offers stronger control over what traffic is allowed into a network. Reflexive access lists are a feature added to an extended access list and can only be defined using extended named IP access lists. One shortcoming of reflexive access lists, shared with extended access lists, is that they cannot be used with protocols that embed IP addresses within the protocol (RPC, SQL*Net, H.323, and so on) or FTP in non-passive mode.
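The standard, extended (with established) and reflexive access lists described in the two sections above, as an added Cisco IOS configuration example that is not part of the original page. The inside network 192.0.2.0/24, the web server 192.0.2.10, the admin host 192.0.2.50 and the uplink interface Serial0/0 are assumed; the stateless list is shown first with the weakness the text notes, then the reflexive pair that replaces it.

```cisco
! Added example (not from the page). Assumed: inside LAN 192.0.2.0/24, web
! server 192.0.2.10, admin workstation 192.0.2.50, Internet uplink Serial0/0.
!
! 1) Standard ACL: matches on source address only. Used here to restrict
!    which host may open a management session to the router itself.
access-list 10 permit host 192.0.2.50
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
!
! 2) Extended ACL with "established" (the weak, stateless form). The first
!    line admits ANY inbound TCP segment carrying ACK or RST, so a forged ACK
!    probe from outside passes even though no inside host opened a session.
!    The UDP line has to stay open regardless of who started the exchange,
!    because nothing here tracks direction.
ip access-list extended OUTSIDE-IN-STATELESS
 permit tcp any 192.0.2.0 0.0.0.255 established
 permit udp any eq 53 192.0.2.0 0.0.0.255
 permit tcp any host 192.0.2.10 eq 80
 deny   ip any any log
!
! 3) Reflexive ACL (named extended lists only). Each outbound packet that
!    matches a "reflect" entry creates a temporary mirror entry in the named
!    reflexive list; "evaluate" on the inbound list consults those entries,
!    so only replies to sessions started from inside are admitted, and the
!    entries expire when idle. The forged ACK probe above now falls through
!    to the final deny and is logged.
ip access-list extended INSIDE-OUT
 permit tcp 192.0.2.0 0.0.0.255 any reflect TCP-REFLECT timeout 300
 permit udp 192.0.2.0 0.0.0.255 any reflect UDP-REFLECT timeout 60
 permit ip  192.0.2.0 0.0.0.255 any
!
ip access-list extended OUTSIDE-IN
 evaluate TCP-REFLECT
 evaluate UDP-REFLECT
 permit tcp any host 192.0.2.10 eq 80
 deny   ip any any log
!
! Both lists go on the external interface: the outbound one builds the
! temporary entries, the inbound one checks them.
interface Serial0/0
 ip access-group INSIDE-OUT out
 ip access-group OUTSIDE-IN in
!
! Checks: "show ip access-lists" lists the temporary TCP-REFLECT/UDP-REFLECT
! entries (with time left) while a session is open; "show logging" shows the
! denied, logged packets.
```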
Context-based Access Control
Compared to the other types of access lists, Context-based Access Control (CBAC) goes one step further and examines the application-layer protocol information in order to learn the state of the connection. This information is used to provide greater control over what traffic should be allowed or denied. By examining the application-layer protocol, CBAC can effectively filter traffic from protocols like RPC, SQL*Net, H.323 and FTP. However, since every application protocol is different, CBAC must explicitly support that protocol. CBAC also offers protection against certain types of network attacks. These topics are covered in more detail in Chapter 2, “Traffic Filtering on Cisco IOS.”
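CBAC's per-protocol inspection and its half-open-session limits, as an added Cisco IOS example that is not from the original page. The uplink Serial0/0, the web server 192.0.2.10 and the inbound list name INTERNET-IN are assumed.

```cisco
! Added example (not from the page). Assumed: Internet uplink Serial0/0 with
! an inbound ACL INTERNET-IN that permits only the published web server.
!
! Every protocol CBAC should understand is listed explicitly. "tcp" and "udp"
! give generic stateful return-traffic handling; the named entries add parsing
! of the application payload, so the addresses and ports embedded in FTP,
! H.323, SQL*Net and RPC exchanges are opened only as actually negotiated.
! A protocol not listed here gets at most the generic treatment.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT ftp
ip inspect name FW-INSPECT h323
ip inspect name FW-INSPECT sqlnet
ip inspect name FW-INSPECT rpc program-number 100003
!
! Attack protection: thresholds on half-open (embryonic) TCP sessions, which
! is how CBAC dampens SYN-flood style resource exhaustion, plus an audit trail
! of every inspected session for the logging host.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp synwait-time 20
ip inspect audit-trail
!
! Inspect traffic leaving toward the Internet; CBAC then inserts temporary
! entries ahead of INTERNET-IN for the returning packets of each session.
ip access-list extended INTERNET-IN
 permit tcp any host 192.0.2.10 eq 80
 deny   ip any any log
interface Serial0/0
 ip inspect FW-INSPECT out
 ip access-group INTERNET-IN in
!
! Check: "show ip inspect sessions" lists the sessions CBAC is tracking, and
! "show ip inspect config" confirms which protocols are actually inspected.
```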
Network Address Translation (NAT)
The Internet comprises an ever-growing number of hosts, each of which has a unique and globally routable IP address. This is the "ideal" Internet. However, in real-world deployments, IPv4 addresses have become a scarce resource. The majority of today's IPv4 network deployments require more addresses than are made available by ISPs. ISPs are in turn overseen by the Regional Internet Registries, which are responsible for IP address allocation throughout the world. With the ongoing IPv6 deployment on the Internet, this issue will eventually become a thing of the past.
Private Addresses
To get around the address shortage, a site can use addresses from a private space for its internal IP networks. Private addresses are part of a reserved network range defined in the document RFC 1918, "Address Allocation for Private Internets", found at the following link:
A site using private addresses can allocate as many IP networks as required, and normal IP connectivity between those internal networks can be achieved without any special configuration. Such a site has a private addressing realm: all nodes within the site have full IP connectivity, but that connectivity is restricted to the site. The Internet is part of the public addressing realm. Hosts within a site using private IP addresses therefore cannot communicate directly with hosts on the Internet, since the site's addresses are not valid IP addresses on the Internet; they are non-routable.
Network Address Translation
Network Address Translation (NAT) is a mechanism that allows a site using a private addressing realm to achieve connectivity with another realm, such as the Internet. (The Internet is part of the public addressing realm.) NAT is usually implemented in a router or a firewall at the boundary of the two networks or realms. When a packet leaves the internal network, the NAT device modifies the source address of the packet so that the new source address is a valid address in the network it is forwarded on. A packet flowing in the other direction, towards the internal network, is modified by the NAT device as well, this time by changing the destination address. Depending on the type of network address translation, the source and destination port numbers can also be modified. We can categorize NAT functions into static NAT and dynamic NAT. In static NAT, there is a predetermined, one-to-one mapping between an internal IP address and an outside IP address. In dynamic NAT, the IP address mapping is done on demand (dynamically), and there can be a one-to-many mapping on the IP address. Cisco IOS and PIX can be configured to offer these types of NAT functions.
Static NAT
In this type of configuration, an internal host can be reached externally from its external IP address. Whenever an internal host initiates a communication with an external host, the NAT device allocates an external IP address for that host. The NAT is preconfigured with the address translation table such that an internal host will always be assigned the same external IP address. The NAT modifies the source address for the outgoing packets and the destination address for the incoming packets. Since there is a fixed one-to-one mapping between internal addresses and external addresses, this type of NAT configuration requires one external IP address for each internal host that requires static NAT. Static NAT can be a useful tool when renumbering the IP address of servers: a static NAT can be configured so that during a transition, a server can be reached from both its new and its deprecated IP address.
Traditional or Outbound NAT
Whenever an internal host initiates a communication with an external host, the NAT device allocates an external IP address for that host. The NAT modifies the source address for the outgoing packets and the destination address for the incoming packets. This type of NAT has a limit on the number of internal hosts that can simultaneously access the external networks. For example, if 10 external (public) addresses are available and configured in the NAT, there will be a limit of 10 internal hosts that can simultaneously communicate with the external (public) network.
Network Address Port Translation (NAPT or PAT)
Network Address Port Translation (NAPT) is referred to as Port Address Translation (PAT) in Cisco documentation. In this configuration, a number of internal hosts can use the same external IP address. Whenever an internal host initiates a communication with an external host, the NAPT device modifies the source address and source port number for the outgoing packets. In doing so, the outgoing communications can be multiplexed through the same external source IP address. By allocating multiple internal hosts to the same external IP address, this type of NAT makes efficient use of external IP addresses.
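The three NAT forms described above (static, traditional/outbound with a pool, and NAPT/PAT), as an added Cisco IOS configuration example that is not from the original page. The interface names, the RFC 1918 inside network 10.1.1.0/24 and the public block 203.0.113.0/29 are assumed.

```cisco
! Added example (not from the page). Assumed: inside LAN 10.1.1.0/24 (RFC 1918
! space) on FastEthernet0/0, public block 203.0.113.0/29 on Serial0/0.
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface Serial0/0
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
!
! 1) Static NAT: fixed one-to-one mapping. The server is reachable from outside
!    at 203.0.113.2 and keeps that address while it is renumbered internally,
!    which is the transition case the text describes.
ip nat inside source static 10.1.1.10 203.0.113.2
!
! 2) Traditional (outbound, dynamic) NAT: inside hosts matching list 10 borrow
!    an address from the pool for the life of the translation. With two pool
!    addresses, a third inside host is blocked until one translation ages out,
!    which is the concurrency limit the text notes.
access-list 10 permit 10.1.1.0 0.0.0.255
ip nat pool PUBLIC 203.0.113.3 203.0.113.4 netmask 255.255.255.248
ip nat inside source list 10 pool PUBLIC
!
! 3) NAPT/PAT: "overload" multiplexes every host in list 10 behind the uplink
!    address by rewriting the source port as well, so the pool limit goes away.
!    Use this line INSTEAD of the pool line above; both would claim list 10.
! ip nat inside source list 10 interface Serial0/0 overload
!
! Idle translations are removed after these timeouts (seconds), so a stale
! mapping cannot be reused indefinitely.
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 300
!
! Checks: "show ip nat translations" shows the active mappings (with the
! rewritten port under PAT); "show ip nat statistics" shows pool exhaustion
! as "misses" and confirms the inside/outside interface roles.
```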
Considerations
There are advantages and drawbacks to consider when implementing NAT. A NAT device is stateful: it maintains the state of every connection that requires address translation. This property can be a weakness, since the NAT device becomes a single point of failure. Some application protocols that embed IP addresses inside the application data will not work with NAT unless that protocol is specifically supported by the NAT. NAT often increases the complexity of network debugging tasks, for example when log records contain translated addresses. Also, access control based on the source IP address breaks when a NAT is used. This is especially true when NAPT is used, because many hosts will share the same source IP address assigned by the NAPT device. Note also that IPSec cannot be used through NAT. These topics are covered in more detail in Chapter 3, "Network Address Translation (NAT)."