Document: Data Center: Securing Server Farms (ppt)


Document information

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100

Data Center: Securing Server Farms
March, 2003

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Data Center: Securing Server Farms
Copyright © 2004 Cisco Systems, Inc. All rights reserved.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. 
CONTENTS

Preface i
  Document Organization i
  Document Conventions ii

CHAPTER 1 Securing Intranet Server Farms: Overview 1-1
  Data Center Security 1-1
  The Need for Intranet Security 1-2
  Security Technologies 1-3
  Data Center Security Topologies 1-3
  Deploying Layer 2 Security in Server Farms 1-3
  Deploying Private VLANs in the Data Center 1-4
  Security Considerations in the Intranet Data Center 1-5
  Deploying Network-Based Intrusion Detection 1-6
  Deploying Host-Based Intrusion Detection 1-7
  Data Center Networking Architecture 1-8
  Network Infrastructure 1-9
  Cisco Storage Networking 1-9
  Application Optimization 1-10
  Business Continuance Networking 1-10

CHAPTER 2 Data Center Security Topologies 2-1
  Topologies 2-1
  Packet Filtering: Aggregation Layer 2-3
  ACLs 2-3
  Appliance Firewalls 2-4
  Integrated Firewalls 2-6
  Packet Filtering: Access Layer 2-7
  Security for Multi-Tier Server Farms 2-8
  Intrusion Detection Sensors 2-10
  Network IDS: Access Layer 2-11
  Host IDS 2-12

CHAPTER 3 Deploying Layer 2 Security in Server Farms 3-1
  Overview 3-1
  Design Details 3-2
  Problem Description - MAC Flooding 3-2
  Solutions 3-3
  Problem Description - ARP Spoofing 3-5
  Solutions 3-6
  Problem Description - PVLAN Vulnerabilities 3-9
  Solution 3-10
  Problem Description - VLAN Hopping 3-11
  Solutions 3-12
  Problem Description - Spanning Tree Vulnerabilities 3-13
  Solutions 3-14

CHAPTER 4 Deploying Private VLANS in the Data Center 4-1
  PVLAN Overview 4-1
  PVLANs in the Data Center 4-1
  Private VLANs and Content Switching 4-3
  CSS Deployments 4-4
  Solutions 4-7
  CSM Deployments 4-10
  Solution 4-11

CHAPTER 5 Security Considerations for the Intranet Data Center 5-1
  Intranet Data Center Overview 5-1
  Distributed Intranet Data Centers 5-4
  Route Health Injection 5-6
  Integrating Security 5-7
  Unauthorized Access 5-8
  Denial of Service Attacks 5-8
  Network Reconnaissance/Viruses/Worms 5-9
  IP Spoofing 5-9
  Layer 2 Attack Mitigation 5-9
  Solution Design Details 5-10
  FWSM Logical Placement 5-12
  Benefits 5-12
  Aggregation Switch Traffic Flow 5-13
  Configuration Details 5-14
  Redundancy and Failover 5-18
  FWSM Failure Scenario 5-21
  Caveats 5-22
  Summary 5-23

CHAPTER 6 Deploying Network-Based Intrusion Detection 6-1
  Overview 6-1
  The Need for Intrusion Detection Systems 6-2
  Solution Topology 6-2
  Cisco IDS 6-4
  Methods of Network Attack 6-5
  Types of Attacks 6-5
  Buffer Overflows 6-5
  Worms 6-6
  Trojans 6-6
  CGI-Scripts 6-6
  Protocol Specific Attacks 6-7
  Traffic Flooding 6-7
  IDS Evasion Techniques 6-7
  Fragmentation 6-7
  Flooding 6-8
  Obfuscation 6-8
  Encryption 6-9
  Asymmetric Routing 6-9
  Cisco IDS Attack Mitigation Techniques 6-9
  Signature Analysis 6-9
  Simple Pattern Matching 6-10
  Session-Aware Pattern Matching 6-10
  Context-Based Signatures 6-10
  Protocol Decode-Based 6-10
  Heuristic Analysis 6-11
  Traffic Anomaly Analysis 6-11
  IDS Software Configuration 6-12
  Network Sensor 6-12
  Traffic Capture 6-13
  SPAN (Switched Port Analyzer) 6-13
  VACL (VLAN Access Control Lists) 6-14
  RSPAN (Remote Switched Port Analyzer) with VACL 6-15
  MLS IP IDS 6-16
  Management 6-16
  IEV 6-17
  Enterprise Class Solutions 6-18
  VMS 6-18
  CTR 6-20
  Tuning Sensors 6-21
  Cisco Product Matrix 6-22
  Conclusion 6-23

CHAPTER 7 Deploying Host-Based Intrusion Detection 7-1
  Overview 7-1
  Benefits of Endpoint Security in the Enterprise Data Center 7-2
  Solution Topology 7-3
  Required Components 7-4
  Server Agent for Windows 7-4
  Server Agent for Solaris 7-4
  Desktop Agent 7-4
  CiscoWorks VMS with Management Center for Cisco Security Agents 7-5
  Design Details 7-5
  Design Goals 7-5
  Design Recommendation 7-6
  Manageability 7-7
  Implementation Details 7-8
  Basic Implementation Steps 7-8
  Infrastructure Description 7-9
  High Availability 7-11
  Scalability and Performance 7-12
  Limitations and Restrictions 7-13
  Conclusion 7-13
  Additional References 7-13

INDEX i

Preface

This Solution Reference Network Design (SRND) provides design and implementation recommendations for deploying security services in the data center. This document discusses security topologies that include both appliance and integrated devices. This publication provides solution guidelines for enterprises implementing Data Centers with Cisco devices.

The intended audiences for this design guide include network architects, network managers, and others concerned with the implementation of secure Data Center solutions, including:
• Cisco sales and support engineers
• Cisco partners
• Cisco customers

Document Organization

This document contains the following chapters:

Chapter 1, “Securing Intranet Server Farms: Overview” - Provides an overview of the data center with special emphasis on security in the data center.
Chapter 2, “Data Center Security Topologies” - Provides an overview of security topologies.
Chapter 3, “Deploying Layer 2 Security in Server Farms” - Provides design recommendations for deploying Layer 2 security in the server farm.
Chapter 4, “Deploying Private VLANS in the Data Center” - Provides design recommendations for deploying Private VLANs in the data center.
Chapter 5, “Security Considerations for the Intranet Data Center” - Provides design recommendations for implementing security for intranet server farms.
Chapter 6, “Deploying Network-Based Intrusion Detection” - Describes the benefits of deploying network intrusion detection in the data center and addresses mitigation techniques, deployment models, and the management of the infrastructure.
Chapter 7, “Deploying Host-Based Intrusion Detection” - Describes the need for employing host-based intrusion prevention in the data center and addresses the design, deployment, and management of this infrastructure.
Document Conventions

This guide uses the following conventions to convey instructions and information:

Convention              Description
boldface font           Commands and keywords.
italic font             Variables for which you supply values.
[ ]                     Keywords or arguments that appear within square brackets are optional.
{x | y | z}             A choice of required keywords appears in braces separated by vertical bars. You must select one.
screen font             Examples of information displayed on the screen.
boldface screen font    Examples of information you must enter.
< >                     Nonprinting characters, for example passwords, appear in angle brackets.
[ ]                     Default responses to system prompts appear in square brackets.

CHAPTER 1 Securing Intranet Server Farms: Overview

This chapter describes the importance of securing intranet server farms and introduces the different topics described in the other chapters in the Securing Intranet Server Farms SRND. It includes the following sections:
• Data Center Security Topologies, page 1-3
• Deploying Layer 2 Security in Server Farms, page 1-3
• Deploying Private VLANs in the Data Center, page 1-4
• Security Considerations in the Intranet Data Center, page 1-5
• Deploying Network-Based Intrusion Detection, page 1-6
• Deploying Host-Based Intrusion Detection, page 1-7
• Data Center Networking Architecture, page 1-8

Data Center Security

Data center security is based on an effective security policy that accurately defines access and connection requirements within your data center. Once you have a good security policy, you can use many state-of-the-art Cisco technologies and products to protect your data center resources from internal and external threats and to ensure data privacy and integrity.
Cisco delivers a powerful set of network security technologies, shown in Figure 1-1, that can be deployed as standalone appliances or as modules for the Cisco Catalyst 6500 Series. These solutions include the following categories of products and technologies:
• Access controls
• Firewalls
• Extranet VPN termination
• Network and host-based intrusion detection and prevention systems (network and host IDS)

To understand how these technologies are integrated into the other solution areas within the Data Center Networking Architecture, refer to the “Data Center Networking Architecture” section on page 1-8, or see the following website: http://www.cisco.com/en/US/netsol/ns340/ns394/ns224/networking_solutions_packages_list.html Alternatively, at www.cisco.com, just enter “go/datacenter.”

Figure 1-1 Data Center Security and Data Center Networking

The Need for Intranet Security

In addition to protecting the perimeter of the data center against external threats, you must also protect the boundaries between functional and administrative regions within the data center. Too often, security within the intranet data center is inadequate, even though the data center hosts vital applications and systems related to payroll, HR, manufacturing, marketing, and R&D. Unfortunately, robust security is often only deployed at the Internet edge to defend against external threats. In several recent third-party network security surveys, IT managers stated that 40-60% of the attacks and security breaches affecting their networks came from users and devices inside the network. They estimated the loss of confidential and proprietary information from these internal attacks to have cost their organizations an average of six million dollars per year.
Such internal threats can originate from many sources:
• Devices compromised by outside attackers
• Outside attackers who have compromised upstream security devices
• Disgruntled current and former employees
• Accidental employee actions

To protect your vital data center resources from internal threats, you can apply many of the same technologies and strategies that work so well in defending the Internet edge. However, the security policies that you develop for your intranet will be different, and the topologies and configuration required to support those policies may also differ. When designing topologies that integrate firewall and IDS devices into the data center network, you can either use standalone appliances or service modules integrated into the Catalyst 6500 chassis. You can integrate appliance-based products with a variety of platforms, while Catalyst 6500-based service modules help improve performance and reduce administrative overhead through collapsed network topologies.

[Figure 1-1 labels: Storage Network (NAS, RAID, Tape, Cisco MDS 9500, FC SAN); IP Network Infrastructure (Layer 2/3); Multi-Tier Applications (Web Servers, Application Servers, DB Servers, Main Frame); IP Communications; Operations; Application Optimization (SSL, Content Switch, Cache); Security (IDS, Firewall)]

[...]

Data Center Networking Architecture

The Data Center Networking architecture includes a suite of advanced solutions in the following areas:
• Data center IP network infrastructure
• Storage networking
• Application optimization
• Data center security
• Business continuance ...
... Detection.”

Figure 1-4 Enterprise Data Center - Network Vulnerability Points [figure labels: Internet; PSTN; Partners; WAN (SP1, SP2); VPN; Remote Office; Internet Edge; Internet Gateway; DMZ; Private WAN; Internet Server Farm; Campus Core; Corporate Infrastructure; Extranet Data Center; Intranet Data Center]

... of applying operating system patches
• Protect proprietary or confidential company data
• Maintain service level agreements (SLA)

The CSA architecture allows authorized personnel to update server software or to patch operating systems on a predetermined schedule, which ...

... these issues and provides guidance and recommendations for implementation.

Security Considerations in the Intranet Data Center

The security policies and deployments for the intranet data center act as a second layer of security against external users and ...

CHAPTER 2 Data Center Security Topologies

... and systems.

Figure 2-1 Enterprise Network and Intranet Data Center [figure labels: Internet; PSTN; Partners; WAN (SP1, SP2); VPN; Remote Office; Internet Edge; Internet Gateway; DMZ; Private WAN; Internet Server Farm; Campus Core; Corporate Infrastructure; Extranet Data Center; Intranet Data Center]

The intranet data center ...
... community VLANs. Servers placed in isolated VLANs cannot communicate with any other servers in the server farm. Servers placed in community VLANs can only communicate with other servers also residing in the community VLAN.

PVLANs Limit Server Communication [figure labels: Primary VLAN 10; Primary VLAN 15; 20 Isolated; 30 Community] ...

... • Buffer overflows

CHAPTER 3 Deploying Layer 2 Security in Server Farms

Data center security generally has two stages: securing the physical perimeter and securing the network perimeter. Physical security keeps out any unauthorized individuals, while firewalls, intrusion detection devices, and security features deployed at the data center edge deny ...

... Figure 3-1 shows these data center layers.

Design Details

Figure 3-1 Data Center Design with Layer 2 and Layer 3 Aspects [figure labels: Campus core or Internet edge; Layer 3; Aggregation layer; Layer 2; Access layer (Front-end); Attacker: direct attachment or compromised device]

In the server farm, many servers often reside ...

... multi-tier server farm with the FWSM.

Figure 2-9 FWSM Providing Security for the Multi-Tier Server Farm [figure labels: Campus Core; FWSM with Multi-Firewall Virtualization; Web Tier; Application Tier; Database Tier]

Intrusion Detection Sensors

Network IDS: Aggregation Layer

Network IDS devices should be deployed at the data ...
... before it is able to compromise any servers or devices. Figure 2-10 provides an overview of network IDS deployment in the data center.

Figure 2-10 Network IDS in the Data Center [figure labels: Campus Core; Aggregation Layer; Data Center Aggregation Switches; Network IDS Monitoring Synchronous Traffic Flows; Outbound Traffic]
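The private VLAN rules quoted in the Chapter 2 excerpt above (isolated servers reach nothing but the promiscuous port where the gateway or firewall attaches; community servers also reach each other) are easy to get wrong when a server lands in the wrong secondary VLAN. The following is an added example, not code from this SRND or from Cisco: a Python model of those forwarding rules that checks a server placement against the intended communication policy and emits the matching Catalyst IOS private-vlan configuration. The host names, interface names and policy are assumptions; VLAN 10 (primary), 20 (isolated) and 30 (community) follow the figure labels on the page.

```python
"""Private VLAN (PVLAN) reachability check and matching Catalyst configuration.

Added example, not code from the Cisco SRND. It encodes the Layer 2 forwarding
rules the Chapter 2 excerpt gives for isolated and community VLANs, checks a
server placement against an intended communication policy, and emits the
Catalyst IOS private-vlan configuration for that placement. Interface names,
host names and the policy are assumptions; VLAN numbers (primary 10,
isolated 20, community 30) follow the figure labels on the page.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Port:
    name: str                        # host attached to the port (assumed)
    interface: str                   # switch interface (assumed)
    role: str                        # "promiscuous", "isolated" or "community"
    primary: int                     # primary VLAN the port belongs to
    secondary: Optional[int] = None  # isolated or community VLAN id; None for promiscuous


def can_forward(src: Port, dst: Port) -> bool:
    """Return True if a frame received on src may be delivered out of dst."""
    if src.primary != dst.primary:
        return False                       # separate primary VLANs: no Layer 2 path at all
    if "promiscuous" in (src.role, dst.role):
        return True                        # promiscuous port (default gateway / firewall) reaches every host
    if "isolated" in (src.role, dst.role):
        return False                       # isolated hosts talk only to the promiscuous port
    return src.secondary == dst.secondary  # community hosts: same community VLAN only


def reachable_pairs(ports: Iterable[Port]) -> set:
    """Ordered (src, dst) host pairs that have a Layer 2 path between them."""
    ports = list(ports)
    return {(a.name, b.name) for a in ports for b in ports
            if a is not b and can_forward(a, b)}


def policy_violations(ports: Iterable[Port], allowed: set) -> list:
    """Host pairs that can reach each other although the intended policy forbids it."""
    return sorted(reachable_pairs(ports) - allowed)


def ios_config(ports: Iterable[Port]) -> list:
    """Catalyst IOS lines that implement the port roles above."""
    ports = list(ports)
    lines = []
    for pri in sorted({p.primary for p in ports}):
        members = [p for p in ports if p.primary == pri]
        secs = sorted({p.secondary for p in members if p.secondary is not None})
        for sec in secs:
            kind = next(p.role for p in members if p.secondary == sec)  # isolated or community
            lines += [f"vlan {sec}", f" private-vlan {kind}"]
        sec_list = ",".join(str(s) for s in secs)
        lines += [f"vlan {pri}", " private-vlan primary", f" private-vlan association {sec_list}"]
        for p in members:
            lines.append(f"interface {p.interface}")
            if p.role == "promiscuous":
                lines += [" switchport mode private-vlan promiscuous",
                          f" switchport private-vlan mapping {pri} {sec_list}"]
            else:
                lines += [" switchport mode private-vlan host",
                          f" switchport private-vlan host-association {pri} {p.secondary}"]
    return lines


# Constructed server farm: one promiscuous gateway port, two web servers that
# must talk to each other, and two servers that must be isolated from everything
# except the gateway.
FARM = [
    Port("gw", "GigabitEthernet1/1", "promiscuous", 10),
    Port("web1", "GigabitEthernet2/1", "community", 10, 30),
    Port("web2", "GigabitEthernet2/2", "community", 10, 30),
    Port("db1", "GigabitEthernet2/3", "isolated", 10, 20),
    Port("mail", "GigabitEthernet2/4", "isolated", 10, 20),
]

# Intended policy: every host may talk to the gateway, and the web servers to each other.
ALLOWED = ({(h, "gw") for h in ("web1", "web2", "db1", "mail")}
           | {("gw", h) for h in ("web1", "web2", "db1", "mail")}
           | {("web1", "web2"), ("web2", "web1")})

# The same farm with db1 mistakenly placed in the web servers' community VLAN.
MISPLACED = [Port("db1", "GigabitEthernet2/3", "community", 10, 30) if p.name == "db1" else p
             for p in FARM]

if __name__ == "__main__":
    print("violations (correct placement):", policy_violations(FARM, ALLOWED))
    print("violations (db1 misplaced):   ", policy_violations(MISPLACED, ALLOWED))
    print("\n".join(ios_config(FARM)))
```

With the correct placement the check reports no unexpected paths; moving db1 into community VLAN 30 produces four (db1 to and from each web server), which is exactly the kind of silent policy gap a PVLAN deployment review should catch before the firewall or content switch is attached to the promiscuous port.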

Posted: 21/12/2013, 06:16
