Cisco Security Setup & Configuration: Part 3 – Network & Host-Based IPS 1-800-COURSES www.globalknowledge.com Expert Reference Series of White Papers Introduction This paper is the third in a three-part series of white papers, each of which focuses on a functional area of securing your network. So far, we have a perimeter router secured and configured with interface Access Control Lists (ACLs). We also have a firewall using stateful inspection and switches in between controlling our ports for secure end station connectivity. This all sounds very impressive and complete, but is it? Of course not, or this white paper series would be complete. The problem is that routers, firewalls, and switch- es aren’t always enough. There are still attacks out there that travel over valid client requests and responses. These attacks would be permitted by our perimeter ACLs and stateful firewalls. Or perhaps a worm infects an end station and tries to propagate throughout our network. Maybe even some of our own end-users decide to chew up all of our bandwidth downloading Spider Man II using Bit Torrent. In all of these situations static ACLs, or even stateful firewalls would not be enough. That is where we install, configure, and use Network- and Host-based Intrusion Prevention Systems (IPS). IPS/HIPS IPS/HIPS provide for an increased level of protection not available from a static access list or stateful firewall inspection. IPS and HIPS offer security by sensing abnormalities in traffic communications or protocol, and packet behaviors that are known to have malicious objectives. Here are some recommendations for installing and hardening your IPS sensors: Allowing for a sufficient discovery period prior to sensor installation is a key item often overlooked. Many envi- ronments simply try to rack and stack a sensor, give it a quick IP address, and let it do its thing. Then they wonder why there is a high level of false positives, an interruption to network communication, or an unman- ageable amount of log information. To properly configure and optimize your IPS sensor, I suggest a minimum of two weeks (ideally a month) of network discovery and communications analysis. Options available to help you discover network applications would be client/end-user questioning, packet sniffer, and Network-Based Application Recognition (NBAR). The information gained from your investigation period can be used to fine-tune your sensor to your environment. Secure sensor management is just as important as securely managing your switch, router and firew all. Here we not only need to ensure secure access to the sensors configuration but also to the sensor’s log information. We have a simple saying: “If you’re going to log it, you must read it.” This means dedicating a management sta- tion to retrieve, store, and read your sensor log files. On this station, install IPS Device Manager (IDM) and IPS Event Viewer (IEV). When installing and configuring these applications , be sure to use secure management pro- Isaac A. Valdez, Global Knowledge Instructor, CCSI, CCSP, CCNP, CCDP Cisco Security Setup & Configuration: Part 3 – Network & Host-Based IPS Copyright ©2006 Global Knowledge T raining LLC. All rights reserved. Page 2 t ocol alternatives, such as https over http, and to define the exact management station addresses allowed to manage the sensor. For example, use IDM via Configuration/Sensor Setup/Allowed Hosts/Add to define the exact management subnet allowed to manage the sensor. Having a lab environment to test your configuration changes and upgrade is crucial. For that reason, an addi- tional sensor that is not a part of your production network is suggested. This allows you to test operating sys- tem and signature upgrades, signature tuning, and creation before rolling these changes out to your produc- tion network. Once your tests prove to be safe for your production network, you should roll these changes out to non-critical parts of your corporate environment first before finally making these tested changes on high- profile devices. As you make changes to the installed signatures, document the changes in as much detail as possible. This allows you to verify that new signature updates have not overwritten your custom settings and will help you troubleshoot your configuration in the event of a problem. Integrated Platform While our focus has been largely on specialized equipment offering a specific service, there are devices avail- able from Cisco Systems that integrate all of these services into a single affordable platform. Integrated Services Routers (ISRs) ISRs are the new 1800, 2800, and 3800 series routers, which have the ability to integrate routing, security, voice, and wireless into a single chassis . From a security standpoint, they support hardware co-processor cards to off-load the tunneling, authentication, and encryption services of a VPN. These models also support a subset of IPS features that include over 700 IPS signatures and the ability to create signatures specific to your envi- ronment. Adaptive Security Appliances (ASAs) ASAs are the next generation firewalls available from Cisco Systems. It is important to understand that the ASAs are not designed as a replacement to the existing Packet Internet Exchange (PIX) product line; instead, they fit nicely to fill in k ey areas where a PIX may be too much or not enough for the current environment. As of the writing of this document, there are 3 ASA models available: the ASA 5510, 5520, and 5540. Available in all 3 models are the IPS, Content Security Service, and 4-port Gig module. The IPS module (AIP-SSM) pro- vides a full-features network based IPS that can be configured and monitored just as an external sensor. The Content Security module (CSC-SSM) provides a full suite of Anti-X features, including anti-Virus, Phishing, SPAM, Trojan, and Malware, plus URL filtering. These modules, once inserted into the expansion bay of the new ASAs, provide high-level security services in a consolidated chassis via a single command set, all at an afford- able price when compared to purchasing individual security appliances . Enterprise 6500 and 7600 Series Devices These combine high performance, high port density, and advanced features into a single module-based chassis. From a security standpoint, the operating system natively supports all security features mentioned in the “Switch Security” section of this white paper . Now we add to these features a suite of service modules that include a F irew all Services Module (FWSM), Intrusion Prevention Services Modules (IPSM), and VPN Service Module (VPNSM). These service modules integrate advanced security features with high backplane speeds to offer enterprise-class security services. Copyright ©2006 Global Knowledge T raining LLC. All rights reserved. Page 3 Management Protocols Now that your network is installed and configured to provide all of the services needed, per your corporate security policy, how do you manage it? Many environments are perfectly content with managing their network by the easiest and quickest means available. This is a BIG mistake! Many management applications, such as remote shell (rsh) or telnet, send all details between the management station and managed device in plain text. This allows anyone who is in the same VLAN (either manually configured or through a compromised con- nection) to view all of your commands and parameters with a simple protocol analyzer. Sure, switches help to minimize the traffic an end port receives, and you can implement usernames and passwords to access your device, but keep in mind that all communications still crosses the wire in plain text. For this reason, you should use secure and efficient management protocols to connect to your enterprise devices. Let’s review some management protocol alternatives and methods for securely managing your devices: Secure versus Non-Secure Versions: ftp over tftp tftp does not use credentials before accepting file requests or sending file responses. Using ftp at least allows you to require credentials before files are transferred. scp over ftp When possible the secure copy protocol (scp) should be used even over ftp. While ftp allows for the checking of credentials by way of authentication, all information exchanged (credentials and files) are sent across the network in plain text. For that reason, scp is suggested for use over ftp when supported by the operating system or appliance. ssh over telnet Just as in tftp and ftp, telnet communicates all information in the clear. To make mat- ters worse, by default, telnet will send only one character per packet. This means that not only is there is an incredible amount of padding in each packet, but all of your sensitive information is sent in plain text for others to see. This is the driving force behind using secure shell (ssh) as a secure management alternative for managing all network devices . When we say ‘all’, we mean all; ssh can be configured on any oper- ating system where supported. This means router, switches, firewalls, and even servers. To find out more, visit www.openssh.org. https over http Http is another popular protocol that sends all information in plain text. Even though this protocol supports authentication, all communications are still sent in the clear. By using https, you first perform authentication with the end device and then encrypt all communications to follow. Authenticated NTP In many environments, time is paramount. Time can be used for timed access restric- tions, daily authentication and access, digital certificates, building access, and trou- bleshooting by way of internal and system log files. If time is compromised, many systems can be at risk. As a result, using authenticated ntp peers is highly recom- mended. Many environments will purchase and configure internal ntp appliances just to ensure a high degree of security and control. Copyright ©2006 Global Knowledge T raining LLC. All rights reserved. Page 4 s nmp version 3 The Simple Network Management Protocol (SNMP) has been around for almost 20 years and, even though it provides a great method of network discovery and config- uration, it has done so in a very insecure manner. That is, until version 3. Ver. 1: Provides for no authentication or protection (encryption) of information transferred. All a management station needs is the assigned community strings for your Read Only and Read Write device attributes. Ver. 2: Provide for hashed authentication, but still transfers your device attributes in plain text. Ver. 3: Provides the ability to authenticate the requesting management station using a hashed pass phrase and protect the information transferred (privacy) using DES, 3DES, and AES encryption algorithms. T he main stumbling block for migrating to SNMP version 3 is the investment of upgrading. Each operating system(s) and application(s) must support this new version. You must configure all of your managed devices and train your administrators to use these new features . All of this tak es time and money . Many environments may not have such resources or be able to prioritize such a need at the moment. One-Time Passwords In any system where user credentials (username and password) are required, the leaking of these credentials is always a weak point. One way to minimize your expo- sure would be to change user credentials on a set schedule , every 30 days as an example. Still, the user credentials could be compromised within this time period, rendering everything insecure again until the next change schedule. A final solution to this problem would be the use of One-Time Passwords (OTP). There are three components to the OTP authentication system: a user with a unique key fob (e.g., token card), an authenticating device (e.g., router), and authentication server (e.g., RSA token server). The key fob held by the user is registered to the user on the authentication server by a unique serial number. This key fob generates a unique value at a set interval (e.g., every 60 sec.). User credentials are required before the user can connect to and communicate through the perimeter router . At the time of connection, when the user is prompted by the router for authentication credentials, the user enters username, pin, and unique value found on the key fob. Here you have the user entering credentials made up of something they know (user- name and pin) plus a v alue unique to them (random number) by w ay of the k ey fob . Now , if their authentication credentials are compromised, those v alues will only be valid until the fob generates a new random value, which is less than 60 seconds. You’d better hurry! Copyright ©2006 Global Knowledge T raining LLC. All rights reserved. Page 5 Suggested Hardening Now that you have configured secure alternatives for device management and enabled secure authentication with OTPs, you may want to harden the managed device even more by defining the permissible management addresses. Router management security, covered in the “Router Hardening” section of this series, suggested the use of the “access-class” command to define permissible source addresses for telnet or ssh sessions. Configure a standard ACL to permit the source addresses of the desired management stations, and then apply this ACL in “line vty” mode using the “access-class” command. Now, the only management stations allowed to ssh into the router will be those permitted by the standard ACL. These same concepts hold true on the Firewall, IPS Sensor, and VPN Concentrator. You just configure these per- mitted addresses in different ways using different management utilities. • On the PIX/ASA firewall, you would use the “telnet,” “ssh,” and “http” commands to define the permis- sible addresses and ingress interface for such management traffic types. • On the IPS Sensor, you would use IPS Device Manager (IDM) and navigate to Configuration/Sensor Setup/Allowed Hosts/Add to define the exact management subnet allowed to manage the sensor. • Finally, the VPN Concentrator is secured through the Administration/Access Rights/Access Control List options found within the web management interface. Additionally, on the router, you may want to utilize the “source-interface” command for telnet, ssh, syslog, ntp, and tftp, to name a few. You point the source-interface command to the routers “loopback” interface. This command defines the source interface address (now loopback) from where all of the above-listed protocol communications will source their pack ets . Now you can create perimeter ACL entries to permit only those pro- tocols when coming from those addresses, the addresses applied to the router(s) loopback interface. The end result is to allow only management protocol communications to and from your infrastructure equipment and IT subnet. Approach to Device Management (In-Band versus Out-of-Band) In-Band uses the same network to carry user traffic and management traffic alike. Out-of-Band (OOB) creates a separate network dedicated to carrying only management communications. When using the above-listed protocols (telnet or ssh, http or https) to manage your network, it is important to understand that these packets could be crossing the same subnets with your user’s traffic. Again, if insecure protocols are used (telnet, http), end users could capture your management credentials and even device con- figurations. Additionally, by using the very network that carries user traffic to manage your devices’ “In-Band Management, ” you run the risk of loosing connectivity to your devices when the network experiences a failure . For that reason, the OOB alternative is available. OOB network management uses a completely separate infrastructure to carry your management traffic. Specifically, there are two types to review: Copyright ©2006 Global Knowledge T raining LLC. All rights reserved. Page 6 • First, you have an OOB management option that uses Console Servers. These are devices that connect to the console ports of your networking equipment and provide physical access to the appliance even over long distances. The console server could be a true console server from a dedicated manufacturer, such as Cyclades, or an asynchronous module installed into your 2600 series router, for example. From the com- fort of your desktop, you would ssh (of course) to the console server. There, you chose the end device you want to manage, either through a web interface or simple command line. Figure 8 shows a sample topology using a Cisco 2511 as your console server. The benefit of this approach is direct, constant access to the end device, even in the event of a network failure. As long as you can access the console server (via modem, if needed), you can access the end device. Now, you can manage your router, even if routing fails or manage your switch before the needed VLANs have even been created. This approach truly offers constant access. Of course, there is a problem, which is why we’re reviewing two options. Since all communications from the console server to the end device are character-based (no IP communication is used), you do not have the ability to run IP-based applications , such as syslog, snmp , ntp, and the like. That is where the second solution would be useful. • Secondly, you have an OOB approach that still uses a separate physical infrastructure, but this time the infrastructure is created by a separate VLAN. This VLAN is dedicated to pass only IP-based management communications, such as syslog, snmp, ntp, http, and others, as needed. This VLAN must exist throughout your campus network. As what is known as an end-to-end VLAN , which is not without its own consider - ations (we will have to save this for another white paper). T his means a dedicated end-to-end VLAN on all switches, interface, or sub-interface on all routers, firewalls, and the external interface of your VPN Concentrator. Now, you can use your standard IP-based management applications, as you have direct IP access to each device. This approach is not without its issues as well; you may still loose connectivity , if routing or IP communi- cation is interrupted. You will also never have full access to the device by way of tracking the boot Copyright ©2006 Global Knowledge T raining LLC. All rights reserved. Page 7 p rocess or entering “monitor” mode (they require direct connectivity to the console port). Nevertheless, this approach still offers great value by way of logging, remote access, and device tracking/status, and configuration management. • Each approach has its own benefits and considerations, which is why a common solution for enterprise networks is to use a combination of the two. Many environments will dedicate a VLAN and needed interfaces for dedicated IP-based management applications. Additionally, a console server will be installed and connected to the console port of each device to provide access in times of network out- ages or misconfiguration. Change Management/Control A final, but equally important, aspect of network security is change management and control. Once your sys- tems are configured and operating properly, it is important to control access to their configurations and track all changes made. This level of monitoring offers insight and control into the changes made to the devices that make up your network infrastructure. Document! Document! Document! If you’re the average network engineer, you do not like to be tied down to your desk typing away for hours at a time just to create a document explaining all the things you already know! The key here is not to document all network details for your benefit but for the benefit of your teammates, fill-ins , and management. Detailed network documentation is invaluable for many reasons. It is invaluable to the new hire when learning about your network, the poor guy who has to troubleshoot a networking problem at 3 A . M ., or the lucky person who get to replace you while you’re attending new security training classes . Bottom line, documentation is a critical part to network operation, learning, troubleshooting and, yes, security. Get used to it—make documenting your network a continuous function and part of your job description. • While documenting your network, strongly consider saving your documents in industry standard formats such as .pdf or .html for your documents and .png for your diagrams. Then store these documents (both electronically and physically) in a central location. An IT server that is part of the corporate backup rota - tion would be ideal for the electronic formats, while a simple 3-ring binder locked in a team lead’s desk would be a good place for the physical copy. I suggest time stamping each version and print out to keep track of which document is most up-to-date. • Update this documentation on a regular basis. Make this part of your work-cycle and job description to ensure your documentation is as accurate as possible. There are few things worse than trying to trou- bleshoot a network problem and searching for a network diagram only to find an hour later that this diagram is six months old. • A sound approach to ensuring that you have enough time to document your network is to add 15 – 20% to your project time just for documentation. Once the project is approved, you automatically have extra time just for documentation. IT Support and Repair Ticketing System Many in-house support departments use a ticketing and repair system. This allows them to centralize all sys- tems-related issues reported by end users and track the progress repairing those systems. Such a process is Copyright ©2006 Global Knowledge T raining LLC. All rights reserved. Page 8 i deal for any size environment; all you need to do is pick a solution to match the size of your company. Your solution could range from a simple email address to report and track issues all the way to a custom relational database stored on a central server. The most important feature of your tracking system should be the ability to search previous repair tickets. Too often, engineers will spend time helping a user or troubleshooting a sys- tem that is experiencing the same problem Bob fixed just last week. Such a system benefits everyone in your IT department. Management benefits by having a system to meter the progress or workload of their engineers to monitor work load, hiring, or pay increases. Engineers benefit not only by the searching option, but also in justifying requests for additional resources such as hardware, soft- ware, engineers, and, yes, even salary (that’s a resource too). Key features to look for in such a system would be a standard scalable database format. Pick a system where your database can grow by simply adding more resources to the supporting server (hard drive, RAM, controllers) or by choosing a database format that can be easily exported and imported into a more advanced structure. For example, start with an Access database on a shared workstation and later grow into a relational database stored on an SQL server . Additionally, you want your solution to offer extensive, even customizable, fields to maintain system and user information. Lastly, this solution should offer rich search and reporting capabilities. System Flow Charts (Failure, Upgrade, and Replacement) These can also be categorized under documentation. Here, you would create a flow chart outlining each “process” under the control of the IT department. This could be as simple as creating a new user account in your Directory, troubleshooting your switched network, or even replacing a failed system. These flow charts are designed to help document your network, teach a new hire, guide an engineer through a troubleshooting process, or even get you through a security audit. As with your documentation, store these flow charts in a physically and logically central location for easy access. Have a regular process in place to update these flow charts as your network grows and use these charts as you experience problems. The more you use these charts, the more they can be refined into a very useful troubleshooting and training tools . Configuration File Storage, Backup, and Retrieval These are k ey components to change management and control. If you do not have a sound backup process for your configurations, then retrieving the needed file, in the event of a failure, could be almost impossible. Without a reliable storage for your configuration files , the change control process just falls apart. Two key components are needed here: a proven application to identify changes made and offer the ability to roll-back to a previous configuration as needed; and a safe , secure , and archived location for your configura- tion files. A simple suggestion would be to have an FTP/TFTP/SCP daemon running on an IT department server and to add that server to your corporate back rotation. A weekly full backup with daily differential backup should be more than enough for this server and will help save time and space. Conclusion T his concludes our three-part series on Cisco Security for Setup and Configuration. We discussed many security topics covering the entire spectrum of options for securing your network as a whole. As you can imagine, we did not review ALL possible security options, features, or applications. There is always room for extra security or maybe you’re in an environment where a feature just won’t work. Either way, this is why security is a dynamic process that will change with your organization. Copyright ©2006 Global Knowledge T raining LLC. All rights reserved. Page 9 A s with any project, you must start with a set of objectives in mind. From those objectives, you create a set of requirements to guide your progress to completion. In network security, your objectives and requirements are laid out in your Corporate Security Policy, which defines what you need and how you would like to secure your network. Create your security policy by using the very regulations and requirements that govern your business communications (HIPPA, SOx, VISA, FBI, etc.) Be sure to refer to your security policy often to ensure that cur- rent and future systems are installed correctly. Once you are ready to install any new system, be sure to manage your installation using the 4-step Security Lifecycle: Secure, Monitor, Test, and Improve. This is a continuous process that followed through to completion, loops back on itself in a constant cycle of protection. Focus on hardening a device during the installation and configuration of each new service. When securing your network, it is important to implement security at every layer as available by your network- ing device. Start your security configuration where the network starts – at the physical layer. Leverage each device’s built-in services. For example, use switch security features to control layer 1 & 2 and routers abilities at layer 3 and 4. Once basic network security is configured, you can add in advanced services offered by your firewall in the form of stateful and deep packet inspection, IDS/IPS for deep packet inspection, and protocol anomaly detection and finally on the end stations you can use HIPS. Once a network is installed, configured, and operational, many organizations begin to think about how to manage their equipment. This is a common mistake. Secure network management should be a consideration all along. To create a network conducive to secure management, management should be an objective from the beginning of your design process . Whenever you address management of your network, be sure to do so in as secure a manner as possible. Be sure to use secure protocols over insecure alternatives. Thoroughly document your network configuration and related systems. Track all changes made to your configuration, as well as each process and procedure for maintaining your environment. The most important aspect to network documenta- tion is keeping your documentation up-to-date and in a secure, centrally accessible location. Remember! Security is a constantly growing and evolving protective shield over your network. As your busi- ness needs change, your network will change, and so to will your methods of protecting it. Learn More Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses: SND (Securing Cisco ® Network Devices) SNRS (Securing Networks with Cisco ® Routers and Switches) SNPA (Securing Networks with PIX and ASA) CSVPN (Cisco ® Secure Virtual Private Networks) SNPA/CSVPN Mini Camp F or more information or to register , visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand k ey concepts and how to apply them to your specific work situation. Choose from our more than 700 courses , delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs. Copyright ©2006 Global Knowledge T raining LLC. All rights reserved. Page 10 [...]... download tools for testing your security configuration, and to learn more about network security from certified security instructors Good luck and have fun! Web sites for creating a security policy http://www.computersecuritynow.com http://www.sans.org/resources/policies/#primer http:/ /security. berkeley.edu/pols.html Web site guidelines for network design http://www .cisco. com/safe Web site tools for... and Cisco Systems His consulting and training experience ranges from Novell NetWare & GroupWise, Microsoft Windows NT, Windows 2000 and Windows 20 03, Cisco Routing, Switching, LAN/WAN, Wireless and Security, plus a list of Enterprise applications for Messaging, Front and Back Office, Management and Remote Access In the Cisco certification track, Isaac teaches a total of 15 courses toward the CCNA, CCDA,... experience in hardware design, network design, network administration, and certification training Fresh out of college, he was hired as an in-house hardware technician where he learned the ins and outs of hardware troubleshooting and repair After a few years in hardware, Isaac made his move to Network Administration for the big players at the time: Novell, Microsoft, and Cisco Systems His consulting... for network design http://www .cisco. com/safe Web site tools for vulnerability testing: http://s-t-d.org http://www.nessus.org/ http://www.ethereal.com/ Book Penetration Testing and Network Defense, Cisco Press, ISBN 15870520 83 Copyright ©2006 Global Knowledge Training LLC All rights reserved Page 11 . Cisco Security Setup & Configuration: Part 3 – Network & Host-Based IPS 1-800-COURSES www.globalknowledge.com. Knowledge Instructor, CCSI, CCSP, CCNP, CCDP Cisco Security Setup & Configuration: Part 3 – Network & Host-Based IPS Copyright ©2006 Global Knowledge T