End-to-End Network Security: Defense-in-Depth
About the Book

End-to-End Network Security: Defense-in-Depth
Best practices for assessing and improving network defenses and responding to security incidents
Omar Santos

Information security practices have evolved from Internet perimeter protection to a defense-in-depth model in which multiple countermeasures are layered throughout the infrastructure to address vulnerabilities and attacks. This is necessary because of increased attack frequency, more diverse attack sophistication, and the speed at which attacks propagate, all of which blur the boundary between the network and the perimeter.

End-to-End Network Security is designed to counter the new generation of complex threats. Adopting this security strategy defends against sophisticated attacks that can occur at multiple locations in your network. The ultimate goal is to deploy a set of security capabilities that together create an intelligent, self-defending network that identifies attacks as they occur, generates alerts as appropriate, and then automatically responds.

End-to-End Network Security provides a comprehensive look at the mechanisms available to counter threats to each part of your network. The book starts with a review of network security technologies, then covers the six-step methodology for incident response and best practices from proactive security frameworks. Later chapters cover wireless network security, IP telephony security, data center security, and IPv6 security. Finally, several case studies representing small, medium, and large enterprises provide detailed example configurations and implementation strategies for the best practices learned in earlier chapters.

Adopting the techniques and strategies outlined in this book enables you to defend against day-zero attacks, improve your overall security posture, build strong policies, and deploy intelligent, self-defending networks.
“Within these pages, you will find many practical tools, both process related and technology related, that you can draw on to improve your risk mitigation strategies.”
—Bruce Murphy, Vice President, World Wide Security Practices, Cisco

Omar Santos is a senior network security engineer at Cisco®. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. Prior to his current role, he was a technical leader within the World Wide Security Practice and the Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.

What you will learn:
  • Guard your network with firewalls, VPNs, and intrusion prevention systems
  • Control network access with AAA
  • Enforce security policies with Cisco Network Admission Control (NAC)
  • Perform risk and threat analysis
  • Harden your network infrastructure, security policies, and procedures against security threats
  • Identify and classify security threats
  • Trace attacks back to their source
  • React effectively to security incidents
  • Maintain visibility and control over your network with the SAVE framework
  • Apply defense-in-depth principles to wireless networks, IP telephony networks, data centers, and IPv6 networks

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Networking: Security
Covers: Network security and incident response

Table of Contents:

Foreword
Introduction

Part I: Introduction to Network Security Solutions

Chapter 1: Overview of Network Security Technologies
  • Firewalls: Network Firewalls; Network Address Translation (NAT); Stateful Firewalls; Deep Packet Inspection; Demilitarized Zones; Personal Firewalls
  • Virtual Private Networks (VPN): Technical Overview of IPsec (Phase 1, Phase 2); SSL VPNs
  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): Pattern Matching; Protocol Analysis; Heuristic-Based Analysis; Anomaly-Based Analysis; Anomaly Detection Systems
  • Authentication, Authorization, and Accounting (AAA) and Identity Management: RADIUS; TACACS+; Identity Management Concepts
  • Network Admission Control: NAC Appliance; NAC Framework
  • Routing Mechanisms as Security Tools
  • Summary

Part II: Security Lifestyle: Frameworks and Methodologies

Chapter 2: Preparation Phase
  • Risk Analysis; Threat Modeling; Penetration Testing; Social Engineering
  • Security Intelligence: Common Vulnerability Scoring System (Base Metrics, Temporal Metrics, Environmental Metrics)
  • Creating a Computer Security Incident Response Team (CSIRT): Who Should Be Part of the CSIRT?; Incident Response Collaborative Teams; Tasks and Responsibilities of the CSIRT
  • Building Strong Security Policies
  • Infrastructure Protection:
    • Strong Device Access Control: SSH Versus Telnet; Local Password Management; Configuring Authentication Banners; Interactive Access Control; Role-Based Command-Line Interface (CLI) Access in Cisco IOS; Controlling SNMP Access
    • Securing Routing Protocols: Configuring Static Routing Peers; Authentication; Route Filtering; Time-to-Live (TTL) Security Check
    • Disabling Unnecessary Services on Network Components: Cisco Discovery Protocol (CDP); Finger; Directed Broadcast; Maintenance Operations Protocol (MOP); BOOTP Server; ICMP Redirects; IP Source Routing; Packet Assembler/Disassembler (PAD); Proxy Address Resolution Protocol (ARP); IDENT; TCP and User Datagram Protocol (UDP) Small Servers; IP Version 6 (IPv6)
    • Locking Down Unused Ports on Network Access Devices
    • Control Resource Exhaustion: Resource Thresholding Notification; CPU Protection; Receive Access Control Lists (rACLs); Control Plane Policing (CoPP); Scheduler Allocate/Interval
    • Policy Enforcement: Infrastructure Protection Access Control Lists (iACLs); Unicast Reverse Path Forwarding (Unicast RPF)
    • Automated Security Tools Within Cisco IOS: Cisco IOS AutoSecure; Cisco Secure Device Manager (SDM)
    • Telemetry
  • Endpoint Security: Patch Management; Cisco Security Agent (CSA); Network Admission Control
  • Phased Approach
  • Administrative Tasks: Staff and Support
  • Summary

Chapter 3: Identifying and Classifying Security Threats
  • Network Visibility
  • Telemetry and Anomaly Detection:
    • NetFlow: Enabling NetFlow; Collecting NetFlow Statistics from the CLI
    • SYSLOG: Enabling Logging (SYSLOG) on Cisco IOS Routers and Switches; Enabling Logging on Cisco Catalyst Switches Running CatOS; Enabling Logging on Cisco ASA and Cisco PIX Security Appliances
    • SNMP: Enabling SNMP on Cisco IOS Devices; Enabling SNMP on Cisco ASA and Cisco PIX Security Appliances
    • Cisco Security Monitoring, Analysis and Response System (CS-MARS)
    • Cisco Network Analysis Module (NAM)
    • Open Source Monitoring Tools
    • Cisco Traffic Anomaly Detectors and Cisco Guard DDoS Mitigation Appliances
  • Intrusion Detection and Intrusion Prevention Systems (IDS/IPS): The Importance of Signature Updates; The Importance of Tuning; Anomaly Detection Within Cisco IPS Devices
  • Summary

Chapter 4: Traceback
  • Traceback in the Service Provider Environment
  • Traceback in the Enterprise
  • Summary

Chapter 5: Reacting to Security Incidents
  • Adequate Incident-Handling Policies and Procedures
  • Laws and Computer Crimes
  • Security Incident Mitigation Tools: Access Control Lists (ACL); Private VLANs; Remotely Triggered Black Hole Routing
  • Forensics: Log Files; Linux Forensics Tools; Windows Forensics
  • Summary

Chapter 6: Postmortem and Improvement
  • Collected Incident Data
  • Root-Cause Analysis and Lessons Learned
  • Building an Action Plan
  • Summary

Chapter 7: Proactive Security Framework
  • SAVE Versus ITU-T X.805
  • Identity and Trust: AAA; Cisco Guard Active Verification; DHCP Snooping; IP Source Guard; Digital Certificates and PKI; IKE; Network Admission Control (NAC); Routing Protocol Authentication; Strict Unicast RPF
  • Visibility: Anomaly Detection; IDS/IPS; Cisco Network Analysis Module (NAM); Layer 2 and Layer 3 Information (CDP, Routing Tables, CEF Tables)
  • Correlation: CS-MARS; Arbor Peakflow SP and Peakflow X; Cisco Security Agent Management Console (CSA-MC) Basic Event Correlation
  • Instrumentation and Management: Cisco Security Manager; Configuration Logger and Configuration Rollback; Embedded Device Managers; Cisco IOS XR XML Interface; SNMP and RMON; Syslog
  • Isolation and Virtualization: Cisco IOS Role-Based CLI Access (CLI Views); Anomaly Detection Zones; Network Device Virtualization; Segmentation with VLANs; Segmentation with Firewalls; Segmentation with VRF/VRF-Lite
  • Policy Enforcement
  • Visualization Techniques
  • Summary

Part III: Defense-in-Depth Applied

Chapter 8: Wireless Security
  • Overview of Cisco Unified Wireless Network Architecture
  • Authentication and Authorization of Wireless Users: WEP; WPA; 802.1x on Wireless Networks (EAP with MD5, Cisco LEAP, EAP-TLS, PEAP, EAP Tunneled TLS Authentication Protocol (EAP-TTLS), EAP-FAST, EAP-GTC)
  • Configuring 802.1x with EAP-FAST in the Cisco Unified Wireless Solution: Configuring the WLC; Configuring the Cisco Secure ACS Server for 802.1x and EAP-FAST; Configuring the CSSC
  • Lightweight Access Point Protocol (LWAPP)
  • Wireless Intrusion Prevention System Integration: Configuring IDS/IPS Sensors in the WLC; Uploading and Configuring IDS/IPS Signatures
  • Management Frame Protection (MFP)
  • Precise Location Tracking
  • Network Admission Control (NAC) in Wireless Networks: NAC Appliance Configuration; WLC Configuration
  • Summary

Chapter 9: IP Telephony Security
  • Protecting the IP Telephony Infrastructure: Access Layer; Distribution Layer; Core
  • Securing the IP Telephony Applications: Protecting Cisco Unified CallManager; Protecting Cisco Unified Communications Manager Express (CME); Protecting Cisco Unity; Protecting Cisco Unity Express; Protecting Cisco Personal Assistant (Hardening the Cisco Personal Assistant Operating Environment, Cisco Personal Assistant Server Security Policies)
  • Protecting Against Eavesdropping Attacks
  • Summary

Chapter 10: Data Center Security
  • Protecting the Data Center Against Denial of Service (DoS) Attacks and Worms: SYN Cookies in Firewalls and Load Balancers; Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS); Cisco NetFlow in the Data Center; Cisco Guard
  • Data Center Infrastructure Protection
  • Data Center Segmentation and Tiered Access Control: Segmenting the Data Center with the Cisco FWSM; Cisco FWSM Modes of Operation and Design Considerations; Configuring the Cisco Catalyst Switch; Creating Security Contexts in the Cisco FWSM; Configuring the Interfaces on Each Security Context; Configuring Network Address Translation; Controlling Access with ACLs; Virtual Fragment Reassembly
  • Deploying Network Intrusion Detection and Prevention Systems: Sending Selective Traffic to the IDS/IPS Devices; Monitoring and Tuning
  • Deploying the Cisco Security Agent (CSA) in the Data Center: CSA Architecture; Configuring Agent Kits; Phased Deployment
  • Summary

Chapter 11: IPv6 Security
  • Reconnaissance
  • Filtering in IPv6: Filtering Access Control Lists (ACL); ICMP Filtering; Extension Headers in IPv6
  • Spoofing
  • Header Manipulation and Fragmentation
  • Broadcast Amplification or Smurf Attacks
  • IPv6 Routing Security
  • IPsec and IPv6
  • Summary

Part IV: Case Studies

Chapter 12: Case Studies
  • Case Study of a Small Business:
    • Raleigh Office Cisco ASA Configuration: Configuring IP Addressing and Routing; Configuring PAT on the Cisco ASA; Configuring Static NAT for the DMZ Servers; Configuring Identity NAT for Inside Users; Controlling Access; Cisco ASA Antispoofing Configuration; Blocking Instant Messaging
    • Atlanta Office Cisco IOS Configuration: Locking Down the Cisco IOS Router; Configuring Basic Network Address Translation (NAT); Configuring Site-to-Site VPN
  • Case Study of a Medium-Sized Enterprise: Protecting the Internet Edge Routers; Configuring the AIP-SSM on the Cisco ASA; Configuring Active-Standby Failover on the Cisco ASA; Configuring AAA on the Infrastructure Devices
  • Case Study of a Large Enterprise:
    • Creating a New Computer Security Incident Response Team (CSIRT)
    • Creating New Security Policies: Physical Security Policy; Perimeter Security Policy; Device Security Policy; Remote Access VPN Policy; Patch Management Policy; Change Management Policy; Internet Usage Policy
    • Deploying IPsec Remote Access VPN: Configuring IPsec Remote Access VPN; Configuring Load-Balancing
    • Reacting to a Security Incident: Identifying, Classifying, and Tracking the Security Incident or Attack; Reacting to the Incident; Postmortem
  • Summary

Index

About the Author:
Omar Santos is a senior network security engineer and Incident Manager within the Product Security Incident Response Team (PSIRT) at Cisco. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and the U.S. Department of Defense (DoD). He is also the author of many Cisco online technical documents and configuration guidelines. Before his current role, Omar was a technical leader within the World Wide Security Practice and the Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations. He is an active member of InfraGard, a cooperative undertaking between the Federal Bureau of Investigation and an association of businesses, academic institutions, state and local law enforcement agencies, and other participants, dedicated to increasing the security of the critical infrastructures of the United States of America. Omar has also delivered numerous technical presentations to Cisco customers and partners, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of the Cisco Press books Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting and Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance.


Product Details
  • ISBN-13: 9780132796804
  • ISBN-10: 0132796805
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Cisco Press
  • Language: English
  • Subtitle: Defense-in-Depth
  • Publisher Date: 24 Aug 2007
  • Binding: Digital download
  • Number of Pages: 480

