- CCIE Security Written Exam Blueprint
- General Networking Topics
- “Do I Know This Already?” Quiz
- Foundation Topics
- Networking Basics—The OSI Reference Model
- Ethernet Overview
- Internet Protocol
- Variable-Length Subnet Masks
- Classless Interdomain Routing
- Transmission Control Protocol
- TCP Services
- Routing Protocols
- ISDN
- IP Multicast
- Asynchronous Communications and Access Devices
- Foundation Summary
- Requirements for FastEther Channel
- Scenario
- Scenario 2-1: Routing IP on Cisco Routers
- Scenario Answers
- Scenario 2-1 Answers: Routing IP on Cisco Routers
- Application Protocols
- “Do I Know This Already?” Quiz
- Foundation Topics
- Domain Name System
- Trivial File Transfer Protocol
- File Transfer Protocol
- Hypertext Transfer Protocol
- Secure Socket Layer
- Simple Network Management Protocol
- Simple Mail Transfer Protocol
- Network Time Protocol
- Secure Shell
- Foundation Summary
- Scenario
- Scenario Answers
- Scenario 3-1 Solutions
- “Do I Know This Already?” Quiz
- Foundation Topics
- Cisco Hardware
- show and debug Commands
- Password Recovery
- Basic Security on Cisco Routers
- IP Access Lists
- Foundation Summary
- Scenario
- Scenario Answers
- Security Protocols
- “Do I Know This Already?” Quiz
- Foundation Topics
- Authentication, Authorization, and Accounting (AAA)
- Remote Authentication Dial-In User Service (RADIUS)
- Kerberos
- Virtual Private Dial-Up Networks (VPDN)
- Encryption Technology Overview
- Internet Key Exchange (IKE)
- Foundation Summary
- Scenario
- Scenario 5-1: Configuring Cisco Routers for IPSec
- Scenario Answers
- Scenario 5-1 Solutions
- “Do I Know This Already?” Quiz
- Foundation Topics
- UNIX
- Microsoft NT Systems
- Common Windows DOS Commands
- Cisco Secure for Windows and UNIX
- Cisco Secure Policy Manager
- Cisco Secure Intrusion Detection System and Cisco Secure Scanner
- Cisco Security Wheel
- Foundation Summary
- Scenarios
- Scenario 6-1: NT File Permissions
- Scenario 6-2: UNIX File Permissions
- Scenario Answers
- Scenario 6-1 Solution
- Scenario 6-2 Solution
- Security Technologies
- “Do I Know This Already?” Quiz
- Foundation Topics
- Advanced Security Concepts
- Cisco Private Internet Exchange (PIX)
- Cisco IOS Firewall Security Feature Set
- Public Key Infrastructure
- Virtual Private Networks
- Foundation Summary
- Scenario
- Scenario Answer
- Scenario 7-1 Solution
- “Do I Know This Already?” Quiz
- Foundation Topics
- Network Security Policies
- Standards Bodies and Incident Response Teams
- Vulnerabilities, Attacks, and Common Exploits
- Intrusion Detection System
- Protecting Cisco IOS from Intrusion
- Foundation Summary
- Scenario
- Scenario 8-1: Defining IOS Commands to View DoS Attacks in Real Time
- Scenario Answer
- Scenario 8-1 Solution
Foundation Topics
Network Security Policies
IP networks are susceptible to intrusion by a number of different methods. Through the campus, by dialup, and through the Internet, an intruder can view IP data and attack vulnerable network devices.
IP networks must provide network security for the following reasons:
•Inherent technology weaknesses—All network devices and operating systems have inherent vulnerabilities.
•Configuration weaknesses—Common configuration mistakes can be exploited to open up weaknesses.
•Network policy—The lack of a network policy can lead to vulnerabilities, such as password security.
•Outside/inside intruders—Internal and external people always want to exploit network resources and retrieve sensitive data.
Every IP network architecture should be based on a sound security policy designed to address all these weaknesses and threats. Every network should have a sound security policy before allowing remote access, for example. Network vulnerabilities must be constantly monitored, found, and addressed because they define points in the network that are potential security weak points (or loopholes) that can be exploited by intruders or hackers.
Technologies, such as TCP/IP, which is an open and defined standard, allow intruders to devise programs to send IP packets looking for responses and act on them. Countermeasures can be designed and deployed to secure and protect a network.
Intruders are typically individuals who have a broad skill set. Intruders can be skilled in coding programs in Java, UNIX, DOS, C, and C++. Their knowledge of TCP/IP can be exceptional, and they can be very experienced when using the Internet and searching for security loopholes. Sometimes, the biggest security threat comes from within an organization from disgruntled former employees, in particular, who would have access to usernames and passwords.
An intruder’s motivation can be based on a number of reasons that make any network a possible target:
•Cash profit
•Revenge
•Vandalism
•Cyber terrorism
•Challenge to gain prestige or notoriety
•Curiosity, to gain experience, or to learn the tools of trade
366 Chapter 8: Network Security Policies, Vulnerabilities, and Protection
Countermeasures against attacks on vulnerabilities ensure that a policy, procedure, or specific technology is implemented so that networks are not exploited.
The ever-changing nature of attacks is another major challenge facing network administrators. Intruders today are well organized and trained, and Internet sites are easy targets and offer low risk to intruders. The tools used by intruders (see the section, “Vulnerabilities, Attacks, and Common Exploits,” in this chapter) are increasingly sophisticated, easy to use, and designed for large-scale attacks.
Now that you are aware of some of the reasons a network must have a sound security policy and the reason intruders (hackers) want to exploit a poorly designed network, consider some of the standards bodies that are designed to help network administrators.
Standards Bodies and Incident Response Teams
A number of standards bodies today help a network administrator design a sound security policy. The two main entities that are helpful are the Computer Emergency Response Team Coordination Center (CERT/CC) and the various newsgroups that enable you to share valuable security information with other network administrators.
The CERT/CC is a U.S. federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the infamous worm incident (a virus developed to halt IP networks), which brought 10 percent of Internet systems to a halt in November 1988, the CERT/CC has helped to establish incident handling practices that have been adopted by more than 200 response teams around the world.
CERT/CC works with the Internet community to facilitate responses to incidents involving the Internet and the hosts that are attacked. CERT/CC is designed to take proactive steps to ensure that future attacks and vulnerabilities are communicated to the entire Internet community.
CERT/CC also conducts research aimed at improving the security of existing systems.
CERT/CC also helped technology managers with Y2K compliance and various other well-known viruses, such as the Melissa virus. CERT/CC does not focus on the intruders themselves, or on the arrest of individuals responsible for causing havoc; rather, it ensures that vulnerabilities and loopholes are closed as soon as possible. CERT/CC does not maintain any security standards (these are left for RFCs); also, it does not provide any protocols to help network administrators.
CERT/CC has a number of relationships with other organizations, such as law enforcement, Internet security experts, and the general public, so that any information gathered by the teams involved in stifling attacks is communicated.
Examples of intruders actually overcoming network security include the famous Barclay Bank attack in July 2001, where the company’s home page was defaced. The New York Times website was altered in September 1998. In February 2000, Yahoo also came under attack. In response to attacks like these and the increased concern brought about by them, Cisco Systems decided to release a new CCIE Security certification.
Cisco Systems also provides a website (for the Cisco Product Security Incident Response Team) where customers can report any security concerns regarding flaws in Cisco IOS products:
www.cisco.com/warp/public/707/sec_incident_response.shtml
You can also e-mail the Cisco Product Security Incident Response Team directly for emergency issues at securityalert@cisco.com, and for nonemergencies at psirt@cisco.com.
NOTE
Social engineering is a widely used term that refers to the act of tricking or coercing employees into providing information, such as usernames or mail user identifications and even passwords. First-level phone support personnel are individuals typically called by intruders pretending to work for the company to gain valuable information.
In 1998, CERT/CC handled 4942 incidents involving intruders. In 2001, CERT/CC handled over 52,000 incidents, resulting in 2437 incident reports.
If you have never heard of CERT/CC, now is the time to read more and ensure that you are alerted to vulnerabilities. For more details on CERT/CC, visit www.cert.org. CERT/CC claims that over 95 percent of intrusions can be stopped with countermeasures in place and monitoring tools.
Incident Response Teams
Incident response teams are too often set up only after an incident or intrusion occurs. However, sound security administration should already have teams set up to monitor and maintain network security.
Incident response teams do the following:
•Verify the incident.
•Determine the magnitude of the incident (hosts affected and how many).
•Assess the damage (for example, determine if public servers have been modified).
•Gather and protect the evidence.
After this data has been collected, the incident response team determines whether there is enough trace data to track the intruders. The actual data you discover might be only a small part of the entire puzzle. For example, initially, you might have only a log file or notice that a log file size increased or decreased during the incident.
The data should be sent to upper management, to the operations groups within an organization, to all affected sites, and to organizations such as CERT/CC or the press. Organizations like Cisco are typically not going to release a statement to the press detailing any attacks.
After the information flows to all parts of an organization, the incident response team restores programs and data from the vendor-supplied media and backup device storage media. The data restored needs to be securely configured (such as routers; see the example in the section, “Protecting Cisco IOS from Intrusion” later in this chapter), including installing all relevant patches for all application-based programs.
Finally, the incident response team prepares a report and provides that information to the law enforcement organization if prosecution is required.
Internet Newsgroups
Another important body for both network administrators and intruders themselves is Internet newsgroups. Newsgroups are mailing list type forums where individuals can share ideas and past incidents to keep current with the latest security concerns and protection policies. As a network administrator, you must be aware of both standards and what intruders are discussing.
For example, CERT/CC recommends the following newsgroups:
•alt.security—Lists computer security issues as well as other security issues, such as car locks and alarm systems
•comp.risks—Moderated forum on the risks to the public in computers and related systems
•comp.security.announce—Computer security announcements, including new CERT advisories, summaries, and vendor-initiated bulletins
•comp.security.misc—A variety of issues related to computer and network security
•comp.security.unix—Security information related to the UNIX operating system
•comp.virus—Computer viruses and related topics
NOTE
The following sites also contain a great wealth of information. Although not security specific, they can help you identify the mechanism used to infiltrate technologies such as TCP/IP:
•Internet Domain Survey (www.isc.org/ds/)—Includes Host Count History and pointers to other sources of Internet trend and growth information
•Internet Engineering Task Force (IETF) (www.ietf.org/)—Offers technical papers, best practices, standards, and more
•Internet Society (ISOC) (www.isoc.org/internet/)—Provides an overview of the Internet, including its history and how it works