Document: Cisco Security Setup & Configuration: Part 1 – a Layered Approach (PDF)

Expert Reference Series of White Papers
Cisco Security Setup & Configuration: Part 1 – a Layered Approach
Isaac A. Valdez, Global Knowledge Instructor, CCSI, CCSP, CCNP, CCDP
1-800-COURSES www.globalknowledge.com

Introduction

This paper is the first in a three-part series of white papers, each of which focuses on a functional area of securing your network. The three papers work together to create a complete picture of how to configure your network appliances for complete corporate security. The series discusses a starting point for network security, suggested technology types, ideal points for securing your network using a layered approach, and secure ways to manage your new or existing network. This first paper introduces concepts to get started on network security and begins the process of securing your network at the switch level.

Security Policy: Start at the Beginning

Security is one of the fastest growing branches within the networking industry, and current trends point to a steady increase in growth over the years to come. This is largely due to the integration of so many critical data types over a single network and the increased realization by companies of just how vulnerable their networks can be. With security becoming such a focal point of networks, it is increasingly important to understand how to integrate security into a network.

As with any new project, you must start with some direction. I'm sure you have heard the adage, "If you fail to plan, then you plan to fail." This is never more true than when planning network security. Create your security policy to serve as a starting point and future road map for securing your corporation. A security policy, originally defined in request for comment (RFC) 2196 and now updated in RFC 3704, contains the whys, whats, and hows of securing your corporate environment.

Copyright ©2006 Global Knowledge Training LLC. All rights reserved.

Why have a security policy?
• To create a baseline of your current security configuration
• To define allowed and not-allowed behaviors
• To help determine necessary tools and procedures
• To help define roles and responsibilities
• To state the consequences of misuse
• To define how to handle security incidents (social & technical)
• To provide a process for continuing review

What should be in a security policy?
• Statement of authority and scope
• Identification and authentication policy
• Internet use policy
• Campus access policy
• Remote access policy
• Incident handling procedure

How would I create a security policy?
• Use the very documents that govern your day-to-day business operation, for example your physical site security regulations or corporate acceptable use policy.
• Use standards such as SOX, HIPAA, VISA, International Standards Organization (ISO) 27001, etc.
• Reference web sites for assistance: www.computersecuritynow.com, www.sans.org/resources/policies/#primer, security.berkeley.edu/pols.html

Keep in mind that your security policy is a document that defines how you will secure your corporation, corporate resources, and corporate users. As your business grows, or corporate direction changes, this document will also grow and change.

Security Lifecycle: an Understanding and Review

Take a controlled, metered approach when installing any desktop/network operating system, application, or appliance. By taking a metered approach, you ensure consistent installation and hardening of each system. The following recommendations for a secure installation come directly from Cisco Systems.

Step #1: Secure Install
Install each new operating system, application, and appliance in as secure a manner as possible. This may require you to review the documentation as completely as possible, which I know we all have time to do. Also, consider staying away from default installations or installation wizards, as they often create the simplest of configurations, which are not always the most secure.

Step #2: Monitor
Once the new system has been installed, take the time to review the installation logs, operational logs, and behavior to make sure the system is operating as securely as possible.

Step #3: Test
Perform regularly scheduled tests of your new system. Such tests should be performed by both internal and external parties. You may choose to perform quarterly or bi-annual internal tests and annual audits by an external entity. Of course, no system is perfect, so expect to have areas for improvement discovered as a result of these tests. These areas of improvement lead us to the final step in the security lifecycle.

Step #4: Improve
From the items found in the testing process of step #3, make improvements in as secure a manner as possible. Again, look to the product documentation and try to avoid any cookie-cutter fixes. Remember that this process is called a lifecycle. Once you improve upon a system, you should do so in a secure manner by performing a secure installation (step #1); then monitor all changes made and new behaviors that result from your changes (step #2); perform either internal or external tests (step #3) of these improvements to be sure that they still meet the requirements of your security policy; and, finally, improve (step #4) any areas as needed. This lifecycle, as well as security as a whole, is a continuous process that will evolve and grow with your network. As your network changes, so will your security policy and the means by which you install, monitor, test, and improve each new system.

Device Roles & Definitions

Let's start with a simple review of six key network security components. We will define each device and make suggestions on its placement and use.

Router: A junction between two networks to transfer data packets between them. Ex. Cisco 1841, 3845, 7206. Sample uses: Perimeter security via Access Control Lists (ACLs), Committed Access Rate (CAR), routing protocol security and protocol tunneling.
Switch: A layer 2, sometimes multilayer, networking device that provides physical connectivity to end stations and redirects a frame between physical ports on that same switch. Ex. Cisco Catalyst 3750, 4506, 6513. Sample uses: Physical port security to control a device's initial access to the network.

Firewall: A piece of hardware and/or software that exists to prevent specific communications forbidden by the security policy. Ex. Cisco PIX 525, ASA 5540. Sample uses: Stateful inspection, Virtual Private Network (VPN) tunnel termination, advanced protocol handling, deep packet inspection and Network Address Translation (NATting).

VPN Concentrator: A security device used to connect (terminate) VPN sessions from Remote Access, Web Clients, and Site-to-Site locations. Ex. Cisco 3015, 3030, 3060. Sample uses: High-volume termination of Remote Access and Clientless VPN sessions, offering extensive control over the VPN sessions of the connecting device.

Intrusion Detection or Prevention System (IDS/IPS) Sensor: A device that generally detects unwanted manipulations to communication systems (individual and streams of packets) and is required to detect all types of malicious network traffic. Ex. NM-CIDS, 4240, 4250XL. Sample uses: As a device that inspects traffic/communications on all critical entry and exit points to a corporate network.

Host-based Intrusion Prevention System (HIPS): An agent (CSA) installed on host stations that provides security against malicious activity between applications on the host and communications from the host. Used to enforce a company's security policy at the end-station level. Ex. Cisco Security Agent. Sample uses: Install on critical end-stations and servers to protect them from access to local or network resources that does not follow the security policy.

Device Use and Placement

Now that we've completed a cursory review and defined the more common security devices, we will explore sample topology types and device placement.

2-Leg Security, Single-Perimeter Device

The figure shows a single-perimeter device controlling access to a corporate network. This security device may be a router with firewall capabilities or a true firewall. Such a topology is ideal for remote offices or small branch sites. It offers a low-cost approach to security, but it also significantly limits an administrator's security options.

Note: Keep in mind that all security services are offered by this single perimeter device. Even though this is a very affordable approach, it is also very limiting. It is like using a screwdriver for all home repairs: it may work most of the time, but you'll just tear things up on those finer jobs.

Perimeter Router with Internal Firewall

The figure shows a dual-layered approach to securing your external connection. This approach is ideal for medium-to-large enterprise networks because you can leverage the services of each device to provide a more complete security configuration. The router, for example, could be used for ACL filtering, protocol tunneling, high-level routing and peer routing authentication. The firewall can be used for deep packet inspection, NATting and stateful inspection. For added security, you can add a third interface off of your firewall device to serve as a Demilitarized Zone (DMZ) for external access to secure services. An example is clients who need to access your corporate web site for order processing.

Note: This offers a significant increase in security options and flexibility at a negligible increase in price.

Firewall Sandwich

The figure illustrates a very flexible topology that has two routers protecting either side of a firewall device. This approach is ideal for large-to-enterprise-size corporate networks. The interaction between the perimeter router and internal router offers protection from both externally and internally originating attacks. The outer routers off-load functions from the firewall device, which allows each device to process and secure even more traffic. Again, you can leverage the abilities of each device to offer a complete security configuration.

Note: This topology brings additional costs in hardware and complexity to the administrator, but the security benefits and options are among the highest available from any configuration.

Dual-Layered

The figure shows a configuration where there are two layers of firewall devices protected by a perimeter router. This approach offers the highest level of security as well as a high degree of configuration difficulty. Such a topology would be ideal for environments where different departments (IT and Special Projects) control security for different portions of the network. However, you must have a high degree of communication between these departments for traffic that is to pass through both levels of security devices. For added security, you could even incorporate different vendors at each layer.

Note: This approach does bring the highest level of cost and complexity, but it offers, in return, the greatest level of secure flexibility.

VPN Concentrator

The figure illustrates a topology where a VPN Concentrator has been integrated to offer high-level Remote Access tunnel termination. The figure shows a VPN Concentrator that is NOT in parallel but, instead, terminates into a firewall device.

Caution: So as not to contradict anyone or any other publication that may have come before this one, I will simply say that I do not place a VPN Concentrator in parallel with any other device offering security services. Technically put, a VPN Concentrator does not offer stateful inspection, deep packet inspection or network-based IDS/IPS functionality. As a result, the VPN Concentrator should not be placed in parallel and used to bypass any of those services.

This topology has the following benefits: it offers filterable control of the Internet Protocol Security (IPSec) protected traffic at the perimeter router, stateful firewalling of the post-IPSec-protected traffic as the client data passes through the firewall, and conservation of firewall interfaces by using only a single firewall interface to offer security services. If you wanted to increase the level of security offered, you could connect both VPN Concentrator interfaces (public and private) to separate interfaces on the firewall. Again, this approach offers increased security but will require additional firewall interfaces which, depending on the number of interfaces and operating system currently in use, may require additional funds in the form of a licensing upgrade.

Note: Again, it is NOT recommended to place a VPN Concentrator in parallel with your network's firewall device (router or firewall). Although a concentrator can perform some security services, it does not offer stateful inspection, deep packet inspection, or IDS/IPS functionality.

IDS/IPS Sensors

Incorporating an external sensor, as shown in Figure 6, is ideal for medium-to-large corporate environments. Sensor placement is one of the first and most important questions to answer during network design. It is recommended that you sense all entry/exit points to your network, as well as subnets containing critical corporate resources, such as server farms. The number of sensors used is determined by the number of points sensed, and whether you choose IDS or Intrusion Prevention (IPS). For IDS/IPS functionality at a small to medium-size remote office, consider using the integrated IDS/IPS services of your router and firewall operating system, or a network module that can be installed in your routers (NM-CIDS in the 2611XM and above) and firewall (AIP-SSM in the ASA 5500 series). The installed modules perform and are configured just as a true external sensor. The topology will change considerably, based on the use of IDS versus IPS.

Note: The term "firewall device" was used instead of "firewall" simply to illustrate how a router with the proper software can be used as a firewall just the same as a dedicated firewall.

Device Hardening: Taking a Layered Approach

When it comes to securing your network, taking a layered approach offers the most comprehensive level of security. This approach uses the Open Systems Interconnection Reference Model (OSI) as guidance and simply incorporates security at as many layers of the network as possible. Just as the Physical and Data Link layers start the OSI Model, so should you protect your network using Physical and Data Link technologies. For that, there is no better device to offer initial protection to your network than a LAN switch.

Switch

A LAN switch is typically a user's first point of connectivity to your corporate network. As a result, it should be the first point of security for your network. Incorporate the following methods of network security, as they are available on your model of switch:

Disable unused ports. These would be all ports that are not run to a location within your organization, or are leading to offices and cubicles that are not currently used. Here is sample syntax for disabling a range of access ports:

    AccSw01#conf t
    AccSw01(config)#int range fast0/13 - 20
    AccSw01(config-if-range)#shutdown

Set the port type. This means setting a port to be either an access or a trunk port. By default, switch ports dynamically negotiate with their connected peer to become either an access or trunk port. This could lead to access-layer attacks by rogue connected switches negotiating a trunk connection with your corporate network, after which all traffic travels down the newly established trunk to the rogue switch:

    AccSw01(config-if-range)#int range fast0/1 - 20
    AccSw01(config-if-range)#switchport mode access

Use physical device authentication. This can ensure only controlled stations will communicate on your corporate network, and can be performed using IEEE's 802.1X. This standard, which was originally defined for the LAN, can also be used on wireless access points to authenticate wireless clients before they connect to an access point. Here is a sample of how to configure the switch to be an 802.1X authenticator using RADIUS as the authentication protocol:

    AccSw01(config)#aaa new-model
    AccSw01(config)#radius-server host 10.1.1.1
    AccSw01(config)#radius-server key RADk3y01
    AccSw01(config)#aaa authentication dot1x default group radius
    AccSw01(config)#int range f0/1 - 20
    AccSw01(config-if-range)#dot1x port-control auto

Enable port security. This is a great way to define how many and exactly which devices can connect to your switch ports. It is ideal for preventing the connection of unauthorized hubs, switches, and access points throughout your network. Here, we enable port security and define the number of MAC addresses permitted on each port (the "switchport port-security" line activates the feature on the port; the "maximum" and "violation" settings have no effect until it is enabled):

    AccSw01(config)#int range fast0/1 - 20
    AccSw01(config-if-range)#switchport port-security
    AccSw01(config-if-range)#switchport port-security maximum
    AccSw01(config-if-range)#switchport port-security violation restrict

Secure Spanning Tree Protocol (STP). This is an often overlooked point of control in a LAN environment. Keep in mind two key points about STP: STP operates automatically, converges on its own, and will re-converge each time a new switch is connected; and the direction of all traffic that flows throughout your layer 2 network is determined by STP. This means that a compromised STP configuration can be used to create a Denial of Service (DoS) by way of constant convergence and can cause slow performance by directing traffic through less-than-optimal points in your network. In English, an attacker can configure your STP network so a wiring closet switch acts as the root bridge. Now all traffic for your layer 2 network (VLANs) will pass through this access-layer, low-bandwidth edge device.

The figure illustrates a collection of switches commonly seen in an enterprise campus. Each wiring closet access switch is connected redundantly to each building's distribution switch. Notice how the distribution switches are the logical center of this building's network. Here, we configure the logical center of our layer 2 network to be the STP root, but only for the VLANs configured and operating on this switch:

    AccSw01(config)#spanning-tree vlan 1,10,20-25 root ?
      primary    Configure this switch as primary root for this spanning tree
      secondary  Configure switch as secondary root
    AccSw01(config)#spanning-tree vlan 1,10,20-25 root primary

Next, we disable STP on our access interfaces (int f0/1 – 20) and ensure there are no STP-configured devices (switches) connected to them. These are interfaces that lead to end stations and interfaces that should not communicate in your STP network:

    AccSw01(config)#int range f0/1 - 20
    AccSw01(config-if-range)#spanning-tree portfast
    AccSw01(config-if-range)#spanning-tree bpdufilter enable

Continue by ensuring there are no other switches claiming to be the root of the STP network (int f0/21 – 24):

    AccSw01(config-if-range)#int range f0/21 - 24
    AccSw01(config-if-range)#spanning-tree guard root

Just as we configured our user ports to be access ports, ensuring that only end-stations will connect, we will configure our infrastructure ports as trunk ports. This is ideally configured on a switch-to-switch connection. By default, these ports will dynamically negotiate to this state, but this process takes time and may not always work. To ensure our desired settings are used and agreed upon as quickly as possible, we will set (hard code) these ports as trunks. On switch models that also support ISL, the encapsulation must be set before the port mode, because IOS rejects "switchport mode trunk" while the encapsulation is still "auto":

    AccSw01(config-if-range)#switchport trunk encapsulation dot1q
    AccSw01(config-if-range)#switchport mode trunk
    AccSw01(config-if-range)#switchport trunk allowed vlan 1,10,20-25

Notice how the last command also defines the VLANs we want to allow across the trunk. This process is known as manual pruning and is an added security feature available on your trunk links.

Finally, we will configure our VLAN Trunking Protocol (VTP) options. VTP is a management protocol designed to ensure consistent VLAN creation across multiple switches in the same layer 2 VTP domain. While this protocol works well, it can also be used to compromise the security of your network, either by deleting needed/used VLANs or by creating VLANs that are not under corporate administrative control. Here, we start by defining a VTP domain name, setting the source interface for all VTP updates, and creating a unique password for all VTP updates:

    AccSw01(config)#vtp mode server
    AccSw01(config)#vtp domain VTPDom01
    AccSw01(config)#vtp interface loopback0
    AccSw01(config)#vtp password VTPp@55w0rd

Note: Even though the "vtp mode server" command is included, it is not necessary. All switches are in VTP server mode by default.

As you can see, there are several options available for switch security. Each of these allows you to integrate security as close to the end device as possible.

Summary

As with any project, you must start with a set of objectives in mind. From those objectives, you create a set of requirements to guide your progress to completion. In network security, your objectives and requirements are laid out in your Corporate Security Policy. This security policy defines what you need and how you would like to secure your network. Create your security policy by using the very regulations and requirements that govern your business communications (e.g., HIPAA, SOX, VISA, FBI, etc.).
Be sure to refer to your security policy often to ensure that current and future systems are installed correctly. Once you are ready to install any new system, be sure to manage the installation using the 4-step Security Lifecycle: Secure, Monitor, Test, and Improve. This is a continuous process that, once followed through to completion, loops back on itself in a constant cycle of protection. Focus on hardening a device during the installation and configuration of each new service.

When securing your network, it is important to implement security at every layer possible and available on your networking device. Start your security configuration where the network starts: at the physical layer. Leverage devices' built-in services; for example, use switch security features to control access at layer 2. The examples covered here center around setting the port types (access versus trunk), configuring your STP configuration and protecting switches from rogue STP updates, and controlling VLAN update information by defining secure VTP parameters. In the second installment of this series, you will learn the suggested steps for hardening your routers, firewalls, and VPN Concentrators.

Learn More

Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:
• SND (Securing Cisco® Network Devices)
• SNRS (Securing Networks with Cisco® Routers and Switches)
• SNPA (Securing Networks with PIX and ASA)
• CSVPN (Cisco® Secure Virtual Private Networks)
• SNPA/CSVPN Mini Camp

For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation.
Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.

About the Author

Isaac A. Valdez is President and Owner of IV Consulting Services, Inc., a contract consulting and training firm based in Tampa, Florida. In addition to a B.S. in Computer Engineering, Isaac has 15 years of experience in hardware design, network design, network administration, and certification training. Fresh out of college, he was hired as an in-house hardware technician where he learned the ins and outs of hardware troubleshooting and repair. After a few years in hardware, Isaac made his move to Network Administration for the big players at the time: Novell, Microsoft, and Cisco Systems. His consulting and training experience ranges from Novell NetWare & GroupWise, Microsoft Windows NT, Windows 2000 and Windows 2003, Cisco Routing, Switching, LAN/WAN, Wireless and Security, plus a list of Enterprise applications for Messaging, Front and Back Office, Management and Remote Access. In the Cisco certification track, Isaac teaches a total of 15 courses toward the CCNA, CCDA, CCNP, CCDP, CCIP and CCSP certifications. These courses include INTRO, ICND, ARCH, DESGN, BSCI, BCMSN, BCRAN, CIT, BGP, QoS, SND, SNRS, SNPA, CSVPN and CSIDS. Now that all that boring technical stuff is over, Isaac really prides himself on being a very curious individual. When he's done with work (and even instead of work at times), he likes to get away from the keyboard and books to enjoy the finer things in life. Balance is key! If you have any questions feel free to contact him at ivaldez@ivconsulting.com.
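The following Python script is an added example and is not part of the Global Knowledge paper. It turns the switch-hardening checklist from the Device Hardening section into an audit of a Cisco IOS running-config: spare ports shut down, port mode fixed to access or trunk, port security enabled with a violation mode, 802.1X enforced, PortFast and BPDU filter on end-station ports, manual VLAN pruning and root guard on trunks, and AAA/RADIUS plus a VTP domain configured globally. The parser, the check tables, the finding messages and the sample running-config are all constructed for this example; the "maximum 1" count in the sample is an assumption, since the paper's own port-security example shows no count. The VTP password is deliberately not checked here: on Catalyst switches it is not displayed in the running-config, so it has to be verified separately with "show vtp password".

```python
"""Audit a Cisco IOS running-config against the switch-hardening checklist.

Added example (not from the Global Knowledge paper). The parser, the check
tables and the sample running-config below are constructed for illustration.
"""

# Constructed sample running-config: a hardened user port (Fa0/1), a user port
# left at defaults (Fa0/2), a disabled spare port (Fa0/13) and an uplink (Fa0/21).
# The "maximum 1" count is an assumption; the paper's example shows no number.
SAMPLE_CONFIG = """\
hostname AccSw01
aaa new-model
radius-server host 10.1.1.1
aaa authentication dot1x default group radius
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 dot1x port-control auto
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/2
 description user port left at factory defaults
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
end
"""

# (command text, exact match required?, finding reported when it is absent)
# Exact match is needed for the bare "switchport port-security" enable line,
# because "switchport port-security maximum 1" alone does not enable the feature.
GLOBAL_CHECKS = [
    ("aaa new-model", True, "AAA not enabled"),
    ("radius-server host", False, "no RADIUS server defined"),
    ("aaa authentication dot1x default group radius", True, "802.1X not bound to RADIUS"),
    ("vtp domain", False, "VTP domain not set"),
]
ACCESS_CHECKS = [
    ("switchport port-security", True, "port security not enabled"),
    ("switchport port-security violation", False, "port-security violation mode not set"),
    ("dot1x port-control auto", True, "802.1X not enforced on port"),
    ("spanning-tree portfast", True, "PortFast not set on end-station port"),
    ("spanning-tree bpdufilter enable", True, "BPDU filter not enabled"),
]
TRUNK_CHECKS = [
    ("switchport trunk allowed vlan", False, "all VLANs allowed on trunk (no manual pruning)"),
    ("spanning-tree guard root", True, "root guard not enabled on trunk"),
]


def parse_config(config_text):
    """Split a running-config into global lines and {interface name: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None                  # "!" or a global command ends the block
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def has_line(lines, text, exact):
    """True if the command is present, verbatim or as a prefix followed by arguments."""
    if exact:
        return text in lines
    return any(l == text or l.startswith(text + " ") for l in lines)


def audit_interface(name, lines):
    """Return findings for one interface, applying the checks for its role."""
    if "shutdown" in lines:
        return []                           # disabled spare port: nothing to check
    if "switchport mode access" in lines:
        checks = ACCESS_CHECKS
    elif "switchport mode trunk" in lines:
        checks = TRUNK_CHECKS
    else:
        return [f"{name}: port mode not fixed (dynamic trunk negotiation possible)"]
    return [f"{name}: {msg}" for text, exact, msg in checks if not has_line(lines, text, exact)]


def audit(config_text):
    """Return a list of 'scope: finding' strings; an empty list means fully compliant."""
    global_lines, interfaces = parse_config(config_text)
    findings = [f"global: {msg}" for text, exact, msg in GLOBAL_CHECKS
                if not has_line(global_lines, text, exact)]
    for name, lines in interfaces.items():
        findings.extend(audit_interface(name, lines))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the audit reports the missing VTP domain, the user port left at defaults (so DTP negotiation is still possible), and the uplink that carries every VLAN with no root guard; the hardened port and the shut-down spare port produce no findings. To use it on a real switch, paste the output of "show running-config" into a file and pass its contents to audit(); the per-role check tables are the place to add any further settings your security policy requires.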

Posted: 10/12/2013, 14:15
