CCIE Self Study CCIE Security Exam Certification Guide - Cisco press.pdf
Network Security Policies 365

Foundation Topics

Network Security Policies

IP networks are susceptible to intruders using a number of different methods. Through the campus, by dialup, and through the Internet, an intruder can view IP data and attack vulnerable network devices.

IP networks must provide network security for the following reasons:

Inherent technology weaknesses—All network devices and operating systems have inherent vulnerabilities.

Configuration weaknesses—Common configuration mistakes can be exploited to open up weaknesses.

Network policy—The lack of a network policy can lead to vulnerabilities, such as password security.

Outside/inside intruders—Internal and external people always want to exploit network resources and retrieve sensitive data.

Every IP network architecture should be based on a sound security policy designed to address all these weaknesses and threats. Every network should have a sound security policy before allowing remote access, for example. Network vulnerabilities must be constantly monitored, found, and addressed because they define points in the network that are potential security weak points (or loopholes) that can be exploited by intruders or hackers.

Technologies, such as TCP/IP, which is an open and defined standard, allow intruders to devise programs to send IP packets looking for responses and act on them. Countermeasures can be designed and deployed to secure and protect a network.

Intruders are typically individuals who have a broad skill set. Intruders can be skilled in coding programs in Java, UNIX, DOS, C, and C++. Their knowledge of TCP/IP can be exceptional, and they can be very experienced when using the Internet and searching for security loopholes. Sometimes, the biggest security threat comes from within an organization from disgruntled former employees, in particular, who would have access to usernames and passwords.

An intruder’s motivation can be based on a number of reasons that make any network a possible target:

Cash profit



Cyber terrorism

Challenge to gain prestige or notoriety

Curiosity, to gain experience, or to learn the tools of trade

366 Chapter 8: Network Security Policies, Vulnerabilities, and Protection

Countermeasures against vulnerability attacks ensure that a policy, procedure, or specific technology is implemented so that networks are not exploited.

The ever-changing nature of attacks is another major challenge facing network administrators. Intruders today are well organized and trained, and Internet sites are easy targets and offer low risk to intruders. The tools used by intruders (see the section, “Vulnerabilities, Attacks, and Common Exploits,” in this chapter) are increasingly sophisticated, easy to use, and designed for large-scale attacks.

Now that you are aware of some of the reasons a network must have a sound security policy and the reason intruders (hackers) want to exploit a poorly designed network, consider some of the standards bodies that are designed to help network administrators.

Standards Bodies and Incident Response Teams

A number of standards bodies today help a network administrator design a sound security policy. The two main entities that are helpful are the Computer Emergency Response Team Coordination Center (CERT/CC) and the various newsgroups that enable you to share valuable security information with other network administrators.

The CERT/CC is a U.S. federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the infamous worm incident (a virus developed to halt IP networks), which brought 10 percent of Internet systems to a halt in November 1988, the CERT/CC has helped to establish incident handling practices that have been adopted by more than 200 response teams around the world.

CERT/CC works with the Internet community to facilitate responses to incidents involving the Internet and the hosts that are attacked. CERT/CC is designed to take proactive steps to ensure that future attacks and vulnerabilities are communicated to the entire Internet community.

CERT/CC also conducts research aimed at improving the security of existing systems.

CERT/CC also helped technology managers with Y2K compliance and various other well-known viruses, such as the Melissa virus. CERT/CC does not focus on the intruders themselves, or on the arrest of individuals responsible for causing havoc; rather, it ensures that vulnerabilities and loopholes are closed as soon as possible. CERT/CC does not maintain any security standards (these are left for RFCs); also, it does not provide any protocols to help network administrators.

CERT/CC has a number of relationships with other organizations, such as law enforcement, Internet security experts, and the general public, so that any information gathered by the teams involved in stifling attacks is communicated.

Examples of intruders actually overcoming network security include the famous Barclay Bank attack in July 2001, where the company’s home page was defaced. The New York Times website was altered in September 1998. In February 2000, Yahoo also came under attack. In response to attacks like these and the increased concern brought about by them, Cisco Systems decided to release a new CCIE Security certification.

Cisco Systems also provides a website (for the Cisco Product Security Incident Response Team) where customers can report any security concerns regarding flaws in Cisco IOS

You can also e-mail the Cisco Product Security Incident Response Team directly for emergency issues at securityalert@cisco.com, and for nonemergencies at psirt@cisco.com.

Social engineering is a widely used term that refers to the act of tricking or coercing employees into providing information, such as usernames or mail user identifications and even passwords. First-level phone support personnel are individuals typically called by intruders pretending to work for the company to gain valuable information.

In 1998, CERT/CC handled 4942 incidents involving intruders. In 2001, CERT/CC handled over 52,000 incidents resulting in 2437 incident reports.

If you have never heard of CERT/CC, now is the time to read more and ensure that you are alerted to vulnerabilities. For more details on CERT/CC, visit www.cert.org. CERT/CC claims that over 95 percent of intrusions can be stopped with countermeasures in place and monitoring

Incident Response Teams

Incident response teams are too often set up only after an incident or intrusion occurs. However, sound security administration should already have teams set up to monitor and maintain network security.

Incident response teams do the following:

Verify the incident.

Determine the magnitude of the incident (hosts affected and how many).

Assess the damage (for example, determine if public servers have been modified).

Gather and protect the evidence.

After this data has been collected, the incident response team determines whether there is enough trace data to track the intruders. The actual data you discover might be only a small part of the entire puzzle. For example, initially, you might have only a log file or notice that a log file size increased or decreased during the incident.
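The four steps above, worked through on constructed sample data as an added example (not code from the book): the script verifies which files on two public servers changed against a pre-incident baseline, reports the hosts affected, and seals the gathered evidence with a hash so later tampering with the record is detectable. Hostnames, paths and file contents are made up.

```python
import hashlib
import json

# Constructed sample data (not from the book): file contents on two public web
# servers, recorded in a pre-incident baseline and again after the intrusion.
BASELINE = {
    "web01:/var/www/index.html": b"<html>Welcome</html>",
    "web01:/var/log/httpd/access.log": b"GET / 200\nGET /about 200\n",
    "web02:/var/www/index.html": b"<html>Welcome</html>",
}
CURRENT = {
    "web01:/var/www/index.html": b"<html>Defaced</html>",  # home page altered
    "web01:/var/log/httpd/access.log": b"GET / 200\n",     # log file shrank
    "web02:/var/www/index.html": b"<html>Welcome</html>",  # untouched
}

def fingerprint(data: bytes) -> tuple[int, str]:
    """Size and SHA-256 of a file's contents; both are kept as trace data."""
    return len(data), hashlib.sha256(data).hexdigest()

def compare(baseline: dict, current: dict) -> list[dict]:
    """Verify the incident: list files modified, removed or added since the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        host, _, path = key.partition(":")
        if key not in current:
            findings.append({"host": host, "path": path, "change": "missing"})
        elif key not in baseline:
            findings.append({"host": host, "path": path, "change": "new"})
        else:
            old_size, old_hash = fingerprint(baseline[key])
            new_size, new_hash = fingerprint(current[key])
            if old_hash != new_hash:  # content changed; sizes show growth or truncation
                findings.append({"host": host, "path": path, "change": "modified",
                                 "old_size": old_size, "new_size": new_size})
    return findings

def affected_hosts(findings: list[dict]) -> set[str]:
    """Determine the magnitude: which hosts, and how many, were touched."""
    return {f["host"] for f in findings}

def evidence_record(current: dict, findings: list[dict]) -> dict:
    """Gather and protect the evidence: hash each file and seal the whole record."""
    files = {k: dict(zip(("size", "sha256"), fingerprint(v))) for k, v in current.items()}
    body = json.dumps({"files": files, "findings": findings}, sort_keys=True)
    return {"record": body, "seal": hashlib.sha256(body.encode()).hexdigest()}

def seal_is_intact(record: dict) -> bool:
    """Re-hash the stored record; any later edit to it breaks the seal."""
    return hashlib.sha256(record["record"].encode()).hexdigest() == record["seal"]
```

In a real run the two dictionaries would be built by walking the servers' filesystems, with the baseline taken while the systems were known good.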

The data should be sent to upper management, to the operations groups within an organization, to all affected sites, and to organizations such as CERT/CC or the press. Organizations like Cisco are typically not going to release a statement to the press detailing any attacks.

After the information flows to all parts of an organization, the incident response team restores programs and data from the vendor-supplied media and backup device storage media. The data restored needs to be securely configured (such as routers; see the example in the section, “Protecting Cisco IOS from Intrusion” later in this chapter), including installing all relevant patches for all application-based programs.

Finally, the incident response team prepares a report and provides that information to the law enforcement organization if prosecution is required.

Internet Newsgroups

Another important body for both network administrators and intruders themselves is Internet newsgroups. Newsgroups are mailing-list-type forums where individuals can share ideas and past incidents to keep current with the latest security concerns and protection policies. As a network administrator, you must be aware of both standards and what intruders are discussing.

For example, CERT/CC recommends the following newsgroups:

alt.security—Lists computer security issues as well as other security issues, such as car locks and alarm systems

comp.risks—Moderated forum on the risks to the public in computers and related systems

comp.security.announce—Computer security announcements, including new CERT advisories, summaries, and vendor-initiated bulletins

comp.security.misc—A variety of issues related to computer and network security

comp.security.unix—Security information related to the UNIX operating system

comp.virus—Computer viruses and related topics


The following sites also contain a great wealth of information. Although not security specific,


they can help you identify the mechanism used to infiltrate technologies such as TCP/IP:

Internet Domain Survey (www.isc.org/ds/)—Includes Host Count History and pointers to other sources of Internet trend and growth information

Internet Engineering Task Force (IETF) (www.ietf.org/)—Offers technical papers, best practices, standards, and more

Internet Society (ISOC) (www.isoc.org/internet/)—Provides an overview of the Internet, including its history and how it works
