405_clonvick_rev4.ppt
TRANSCRIPT
405NW’98 1© 1998, Cisco Systems, Inc.
Designing Secure Enterprise Network
405NW’98
Infrastructure Security
The Security Wheel
1. Corporate Security Policy
2. Secure
3. Monitor
4. Audit/Test
5. Manage & Improve
Procedures and Operations
Rules
Periodic Review
Delegation of Authority
Training
Lesson 1
Goals of the Session
• Define what to protectDefine what to protect— anything that could cause problems if it were to stop or malfunction
• Decide how to protect itDecide how to protect it—good enough vs. absolute protection
• Think about the cost of protection vs. Think about the cost of protection vs. the cost of loss or corruptionthe cost of loss or corruption
405NW’98 7© 1998, Cisco Systems, Inc.
Agenda
I. Introduction
II. Router/Switch Self-Protection
III. Resource Protection
IV. Perimeter Protection
V. Sustaining Network Security
VI. Security Sustainment Validation
VII. Conclusions
II. Router/Switch Self-Protection
• Threats
• Avoidance Measures
Intruder Attack Points
• The administrative interfaces
  Console
  Telnet
  SNMP
• Overload the data interface
• Overload the processor
The Administrative Interface
• Password Protection
• Password Encryption
Router>
Banners
• Select an appropriate login banner that tells who is allowed into the system
Welcome.
Password:
Native Passwords
line console 0
 login
 password one4all
 exec-timeout 1 30

User Access Verification
Password: <one4all>
router>

The native passwords can be viewed by anyone logging in with the enable password
Service Password-Encryption (7)
• Encrypts all passwords in the Cisco IOS™ configuration with Cisco-defined encryption type “7”
• Use “enable password 7 <password>” for cut/paste operations
• Cisco proprietary encryption method
Service Password-Encryption
hostname Router
!
enable password one4all
!

service password-encryption
!
hostname Router
!
enable password 7 15181E00F
Enable Secret (5)
• Uses MD5 to produce a one-way hash
• Cannot be decrypted
• Use “enable secret 5 <password>” to cut/paste another “enable secret” password
Enable Secret 5
!
hostname Router
!
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1

hostname Router
!
enable password 1forAll
Password of Caution
• Even passwords that are encrypted in the configuration are not encrypted on the wire as an administrator logs into the router
Use Good Passwords
• Do not use passwords that can be easily guessed
Hmm… how about “Pancho”?
Authentication Mechanisms
• Local Password
• Kerberos
• TACACS+
• RADIUS
• One-time Passwords
Cisco IOS TACACS+ Authentication
version 11.2
!
service password-encryption
!
hostname Router
!
aaa new-model
aaa authentication login ruth tacacs+ enable
aaa authentication login sarah tacacs+ local
enable secret 5 $1$hM3l$.s/DgJ4TeKdDk…
!
username john password 7 030E4E050D5C
username bill password 7 0430F1E060A51
!
service password-encryption: encrypts passwords with encryption (7)
aaa authentication login ruth: define list “ruth” to use TACACS+ then the enable password
aaa authentication login sarah: define list “sarah” to use TACACS+ then the local user and password
enable secret: “enable secret” overrides the (7) encryption
username: define local users
Cisco IOS TACACS+ Authentication
tacacs-server host 10.1.1.2
tacacs-server key <key>
!
line con 0
 login authentication ruth
line aux 0
 login authentication ruth
line vty 0 4
 login authentication sarah
 length 29
 width 92
!
end
tacacs-server host: defines the IP address of the TACACS+ server
tacacs-server key: defines the “encryption” key for communicating with the TACACS+ server
line con 0, line aux 0: use the authentication mechanisms listed in “ruth” (TACACS+ then enable password)
line vty 0 4: use the authentication mechanisms listed in “sarah” (TACACS+ then a local user/password)
PIX TACACS+ Authentication
PIX Version 4.2(2)
enable password BjeuCKspwqCc94Ss encrypted
password nU3DFZzS7jF1jYc5 encrypted
tacacs-server host 10.1.1.2 <key>
aaa authentication telnet outbound 0 0 0 0 tacacs+
aaa authentication ftp outbound 0 0 0 0 tacacs+
aaa authentication http outbound 0 0 0 0 tacacs+
no snmp-server location
no snmp-server contact
snmp-server community notpublic
no snmp-server enable traps
telnet 10.1.1.2 255.255.255.255
...
Cryptochecksum:a21af67f58849f078a515b177df4228
: end
[OK]
enable password: enable password
password: Telnet password
tacacs-server host: defines the IP address of the TACACS+ server and the key
aaa authentication: defines the services that require authentication
telnet: defines the device that can Telnet into the PIX
Encrypted Telnet Sessions
• Kerberos v5
• Strong Authentication within the session
• Relies heavily upon DNS and NTP
One-Time Passwords
• May be used with TACACS+ or RADIUS
• The same “password” will never be reused by an authorized administrator
• Key Cards—CryptoCard token server included with CiscoSecure
• Support for Security Dynamics and Secure Computing token servers in Cisco Secure
Restrict Telnet Access
access-list 12 permit 172.17.55.0 0.0.0.255
line vty 0 4
access-class 12 in
SNMP Access Control
access-list 13 permit 192.85.55.12
access-list 13 permit 192.85.55.19
snmp-server community notpublic RO 13
RO: Read Only; RW: Read + Write
Switch Access Security
Console> set ip permit 172.100.101.102
Console> set ip permit 172.160.161.0 255.255.192.0
Console> set ip permit enable
Console> show ip permit
IP permit list feature enabled.
Permit List       Mask
----------------  ---------------
172.100.101.102
172.160.161.0     255.255.192.0
Denied IP Address  Last Accessed Time  Type
-----------------  ------------------  ------
172.100.101.104    01/20/97,07:45:20   SNMP
172.187.206.222    01/21/97,14:23:05   Telnet
Console>
SNMP
• Version one sends cleartext community strings and has no policy reference
• Version two addresses some of the known security weaknesses of SNMP version one
• Version three is being worked on
Identification Protocol
• The Identification Protocol (Auth) can be enabled for sessions to the router
Telnet Host (D=23, S=4909)
Auth: who’s using (D=23, S=4909)?
Auth: (D=23, S=4909) is Chris
Telnet (D=23, S=4909) proceed
RFC 1413: Identification Protocol
“The information returned by this protocol is at most as trustworthy as the host providing it...”
Resource Deprivation Attacks
version 11.2
!
no service udp-small-servers
no service tcp-small-servers
!
• Echo (7)
• Discard (9)
• Daytime (13)
• Chargen (19)
These are disabled by default in IOS 11.3
Resource Deprivation Attacks
• Finger (tcp/79)
version 11.2
!
no service finger
no service udp-small-servers
no service tcp-small-servers
!
ARP Control
!
arp 172.1.1.99 00e0.a08c.70c2 arpa
!
interface ethernet 0/0
 ip address 172.1.1.100 255.255.0.0
!
Figure: two hosts on Ethernet 0/0 both claim 172.1.1.99, one with MAC 00e0.a08c.70c2 (the static ARP entry) and one with 00e0.a013.0070.
Switch Port Security
Console> set port security 3/1 enable 01-02-03-04-05-06
Console> set port security 3/2 enable
Console>
Console> show port 3
Port  Status   Vlan  Level   Duplex  Speed  Type
----  -------  ----  ------  ------  -----  ------------
3/1   connect  1     normal  half    10     10 BASE-T
3/2   connect  1     normal  half    10     10 BASE-T

Port  Security  Secure-Src-Addr    Last-Src-Addr      Shutdown
----  --------  -----------------  -----------------  --------
3/1   enabled   01-02-03-04-05-06  01-02-03-04-05-06  No
3/2   enabled   05-06-07-08-09-10  10-11-12-13-14-15  Yes
Console>
Administrator Authorization Levels
• Sixteen administrative levels that can be used to delegate authority
• Cisco IOS commands can be associated with a level
Router# show priv
Current privilege level is 15
Router# disable
Router>enable 9
Password:
Router# show priv
Current privilege level is 9
Router#
privilege exec level 9 show
enable secret level 9 <AllinOne>
enable secret 5 <OneinAll>
Audit Trail—Cisco IOS Syslog
unix% tail cisco.log
Feb 17 21:48:26 [10.1.1.101.9.132] 31: *Mar 2 11:51:55 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)
unix% date
Tue Feb 17 21:49:53 CST 1998
unix%

Router>sho clock
*11:53:44.764 CST Tue Mar 2 1993
Router>

version 11.2
service timestamps log datetime localtime show-timezone
!
logging 10.1.1.2
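Added example, my own code rather than the slide's: a Python parser for cisco.log lines in the format shown above that pulls out the sending device, sequence number, severity and mnemonic, and compares the syslog server's receive time with the router's own timestamp. The leading asterisk is the mark IOS puts on a timestamp when its clock has not been set authoritatively, the same mark the sho clock output above carries with its 1993 date. The first log line is the slide's, the second is constructed, and the server year comes from the slide's date output.

```python
import re
from datetime import datetime

# Constructed sample: the slide's own line plus one from a router whose clock is in sync.
LOG_LINES = [
    "Feb 17 21:48:26 [10.1.1.101.9.132] 31: *Mar 2 11:51:55 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)",
    "Feb 17 21:50:02 [10.1.1.101.9.132] 32: Feb 17 21:50:01 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)",
]
SERVER_YEAR = 1998  # from the slide's "unix% date": Tue Feb 17 21:49:53 CST 1998

# receive time, [source address...], sequence: [*]device time zone: %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?P<recv>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<src>\d+\.\d+\.\d+\.\d+)[.\d]*\] "
    r"(?P<seq>\d+): (?P<unsync>\*?)(?P<dev>\w{3} +\d+ \d\d:\d\d:\d\d) \w+: "
    r"%(?P<fac>\w+)-(?P<sev>\d)-(?P<mnem>\w+): (?P<text>.*)$"
)

def _stamp(text, year):
    """Syslog timestamps carry no year; borrow the server's so both sides are comparable."""
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")

def parse_line(line, year=SERVER_YEAR, max_skew_s=300):
    """Return the fields of one line, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    recv, dev = _stamp(m["recv"], year), _stamp(m["dev"], year)
    skew = abs((dev - recv).total_seconds())
    unsynced = m["unsync"] == "*"
    return {
        "device": m["src"], "seq": int(m["seq"]), "severity": int(m["sev"]),
        "mnemonic": f"{m['fac']}-{m['sev']}-{m['mnem']}", "text": m["text"],
        "clock_unsynced": unsynced, "skew_seconds": skew,
        # a timestamp that cannot be trusted makes the audit trail hard to correlate
        "clock_suspect": unsynced or skew > max_skew_s,
    }

def config_changes(lines):
    """Who configured which device: (device, by whom, whether its clock is suspect)."""
    out = []
    for line in lines:
        r = parse_line(line)
        if r and r["mnemonic"].endswith("CONFIG_I"):
            who = re.search(r"by (\S+ \([\d.]+\))", r["text"])
            out.append((r["device"], who.group(1) if who else "?", r["clock_suspect"]))
    return out
```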
Audit Trail—PIX Syslog
unix% tail pix.log
Feb 20 07:46:25 [10.1.1.1.2.2] Begin configuration: reading from terminal
Feb 20 07:46:29 [10.1.1.1.2.2] 111005 End configuration: OK
Feb 20 07:46:32 [10.1.1.1.2.2] 111001 Begin configuration: writing to memory
Feb 20 07:46:32 [10.1.1.1.2.2] 111004 End configuration: OK
unix%

PIX Version 4.2(2)
…
names
logging console informational
logging monitor informational
logging buffered informational
logging trap informational
logging facility 20
logging host inside 10.1.1.2
Use a tool to analyze your logs and generate reports
III. Resource Protection
• Individual Resources
• Threats
• Avoidance measures
Spoofing
interface Serial 1
 ip address 172.26.139.2 255.255.255.252
 ip access-group 111 in
 no ip directed-broadcast
!
interface ethernet 0/0
 ip address 10.1.1.100 255.255.0.0
 no ip directed-broadcast
!
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
access-list 111 permit ip any any
Figure: a packet IP (D=10.1.1.2 S=10.1.1.1) arrives on Serial 1 from the outside (172.16.42.84) claiming an inside source address; access-list 111 drops it before it reaches 10.1.1.2.
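Added example, my own code and not the slide's: a small Python evaluator for extended access lists with Cisco wildcard masks and first-match, implicit-deny semantics. It parses the anti-spoofing list above and checks the diagram's packet, source 10.1.1.1 arriving on the outside interface, against it; the e-mail server list from the later Cisco IOS with an Access List slide parses with it as well. The port-name table is a constructed subset.

```python
import ipaddress

# Constructed copy of the anti-spoofing list from the slide (applied inbound on Serial 1).
ACL_111 = """\
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
access-list 111 permit ip any any
"""
PORTS = {"smtp": 25, "telnet": 23}   # the names used on these slides; IOS knows many more

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens, i):
    """One address spec: any | host A | A wildcard. Returns ((net, mask), next index).
    A wildcard bit of 1 means 'don't care', so the match mask is its complement."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0xFFFFFFFF), i + 2
    return (_ip(tokens[i]), ~_ip(tokens[i + 1]) & 0xFFFFFFFF), i + 2

def parse_acl(text):
    """Parse 'access-list N permit|deny proto src dst [eq port]' lines, keeping their order."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORTS.get(t[i + 1]) or int(t[i + 1])
        entries.append((int(t[1]), t[2], t[3], src, dst, dport))
    return entries

def _matches(addr, spec):
    net, mask = spec
    return (addr & mask) == (net & mask)

def evaluate(entries, number, proto, src, dst, dport=None):
    """First matching entry wins; a list that matches nothing ends in an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for n, action, p, sspec, dspec, port in entries:
        if n != number or p not in ("ip", proto):
            continue
        if _matches(s, sspec) and _matches(d, dspec) and port in (None, dport):
            return action
    return "deny"
```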
ICMP Filtering
Summary of Message Types (ICMP codes are not shown)
  0  Echo Reply
  3  Destination Unreachable
  4  Source Quench
  5  Redirect
  8  Echo
 11  Time Exceeded
 12  Parameter Problem
 13  Timestamp
 14  Timestamp Reply
 15  Information Request
 16  Information Reply
no ip redirects (IOS will not send or accept)
no ip unreachables (IOS will not send)
Extended Access List: access-list 101 permit icmp any any <type> <code>
RFC 792: INTERNET CONTROL MESSAGE PROTOCOL
Source Routing
RFC 791: Internet Protocol
Figure: a host outside the private network 10.16.0.0 announces “I’m 10.16.99.99, and here’s the route back to me”, supplying its own source route.
interface Serial 1
 ip address 172.16.139.2 255.255.255.252
 ip access-group 111 in
no ip source-route
!
access-list 111 permit ip 10.16.0.0 0.0.255.255 any
Example Scenario
Protect the email server
SMTP Host
Cisco IOS with an Access List
Figure: the SMTP host 172.16.1.1 is on e0/0; the outside network is on e0/1.
interface ethernet 0/0
 ip address 172.16.1.100 255.255.0.0
!
interface ethernet 0/1
 ip address 172.17.1.100 255.255.0.0
 ip access-group 111 in
 no ip unreachables
 no ip redirects
!
access-list 111 permit tcp any host 172.16.1.1 eq smtp
access-list 111 permit tcp any host 172.16.1.1 established
access-list 111 permit icmp any host 172.16.1.1
Cisco PIX
Figure: PIX between inside and outside.
PIX Version 4.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname mypix
...
fixup protocol smtp 25
...
interface ethernet0 auto
interface ethernet1 auto
ip address inside 10.1.1.101 255.255.0.0
ip address outside 172.17.1.100 255.255.0.0
static (inside,outside) 171.68.41.7 10.1.1.2 netmask 255.255.255.255 0 0
conduit permit tcp host 171.68.41.7 eq smtp any
Cisco IOS Firewall Feature Set
Figure: inside network on e0, outside link on s0.
logging 172.16.27.131
ip inspect audit-trail
ip inspect dns-timeout 10
ip inspect tcp idle-time 60
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tcp timeout 3600
!
interface Ethernet 0
 ip address 172.16.1.100 255.255.0.0
 ip inspect myfw in
!
interface Serial 0
 ip address 172.19.139.1 255.255.255.248
 ip access-group 111 in
 ip inspect myfw in
!
access-list 111 permit tcp any host 172.16.1.1 eq smtp
! Add anti-spoofing here as well..
Intranet Protection Costs
• Versus:
  Loss
  Corruption
  Ease of Use
IV. Perimeter Protection
Firewall Protection
• Use access control lists on the screening router to control traffic
• Isolate each server from traffic with a switch
Figure: DNS, WWW and mail servers in the demilitarized zone (DMZ) facing the Internet.
Syn Attack
TCP syn (D=172.18.1.2 S=1.1.1.1)
TCP syn (D=172.18.1.2 S=1.1.1.2)
TCP syn (D=172.18.1.2 S=1.1.1.3)
TCP syn (D=172.18.1.2 S=1.1.1.4)
TCP syn (D=172.18.1.2 S=1.1.1.5)
TCP syn (D=172.18.1.2 S=2.1.1.1)
TCP syn (D=172.18.1.2 S=2.1.1.2)
Target: 172.18.1.2
Cisco IOS Syn Attack Defense
Figure: the router sits between the three-way handshake on the outside (TCP syn, TCP syn/ack, TCP ack) and the three-way handshake on the inside (TCP syn, TCP syn/ack, TCP ack).
• How many session requests in the last one minute?
• How many incomplete sessions are there?
!
ip tcp intercept <access-list number>
!
Cisco IOS Syn Attack Defense
• How many session requests in the last one minute?
• How many incomplete sessions are there?
• How long do I wait for the final ack?
Figure: three-way handshake (TCP syn, TCP syn/ack, TCP ack).
ip tcp intercept <access-list-number>
ip tcp intercept mode watch
PIX—Syn Attack Defense
Figure: PIX between inside and outside.
PIX Version 4.2(2)
static (inside,outside) 171.68.41.7 10.1.1.2 netmask 255.255.255.255 0 0 [max_conns [em_limit]]
conduit permit tcp host 171.68.41.7 eq smtp any
max_conns: the maximum number of TCP connections allowed
em_limit: the embryonic connection limit
Cisco IOS Firewall Feature Set Syn Attack Defense
Figure: three-way handshake (TCP syn, TCP syn/ack, TCP ack).
• How many session requests in the last one minute?
• How many incomplete sessions are there?
• How long do I wait for the final ack?
ip inspect tcp synwait-time [seconds]
ip inspect tcp finwait-time [seconds]
ip inspect tcp idle-time [seconds]
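Added example, a model of my own and not the IOS implementation: the three questions the last three slides pose, tracked in Python over the SYNs from the Syn Attack diagram. The thresholds (five incomplete sessions, 100 requests a minute, a 30-second wait for the final ack) are illustrative; whether the model stays in watch mode or becomes aggressive depends on them.

```python
from collections import deque

# Constructed from the Syn Attack diagram: seven SYNs to 172.18.1.2 that are never completed.
TARGET = "172.18.1.2"
ATTACK_SYNS = [("1.1.1.1", 1), ("1.1.1.2", 2), ("1.1.1.3", 3), ("1.1.1.4", 4),
               ("1.1.1.5", 5), ("2.1.1.1", 6), ("2.1.1.2", 7)]   # (source, seconds)

class HalfOpenTracker:
    """Answers the three questions on the slides. A simplified model, not the IOS code."""

    def __init__(self, synwait=30, max_incomplete=5, max_per_minute=100):
        self.synwait = synwait                # how long to wait for the final ack
        self.max_incomplete = max_incomplete  # tolerated half-open sessions
        self.max_per_minute = max_per_minute  # tolerated session requests per minute
        self.pending = {}        # (src, dst) -> time the syn was seen, until the ack arrives
        self.requests = deque()  # times of every syn seen, for the one-minute window
        self.dropped = []        # half-open sessions given up on after synwait expired

    def expire(self, now):
        """Age out the one-minute window and reset sessions that never sent the final ack."""
        while self.requests and now - self.requests[0] > 60:
            self.requests.popleft()
        for key, seen in list(self.pending.items()):
            if now - seen > self.synwait:
                self.dropped.append(key)
                del self.pending[key]

    def syn(self, src, dst, now):
        self.expire(now)
        self.requests.append(now)
        self.pending[(src, dst)] = now

    def ack(self, src, dst, now):
        """Final ack of the handshake; True if it completed a session we were waiting on."""
        self.expire(now)
        return self.pending.pop((src, dst), None) is not None

    def requests_last_minute(self, now):
        self.expire(now)
        return len(self.requests)

    def incomplete(self):
        return len(self.pending)

    def aggressive(self, now):
        """Watch mode stays passive until either threshold is crossed."""
        return (self.incomplete() > self.max_incomplete
                or self.requests_last_minute(now) > self.max_per_minute)
```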
Extranet Options
Figure: the EDI translator and purchasing system on the campus backbone reach partners through a gateway over private links, a VAN, the Internet, or virtual private networking.
Electronic Commerce
Figure: the Internet reaches a gateway router and a demilitarized zone (DMZ) holding the web server and secure commerce servers; a firewall separates the DMZ from the intranet and the enterprise servers.
VPN Security Requirements
• Encryption for authentication, confidentiality and integrity, or
• Physical line separation via private lines or frame relay
Virtual Private Dial Network
The Internet
• Layer 2 Forwarding
• Layer 2 Tunnel Protocol
VPDN Entrance to the Enterprise
Figure: Internet, screening router, demilitarized zone (DMZ) with the home gateway, firewall, intranet.
Dial Access Protection
• Where to place the NAS?
Figure: DNS, WWW and mail servers behind the screening router.
V. Sustaining Network Security
• 24 by 7
Dynamic Routing Protocols
Path Redundancy to Route Around Failures
Keyed Hashing for Authentication and Integrity
Figure: the message and the “secret key” go into the hash function together; the digest (e.g. 983lna9458hk7436gq) is the signature.
• Secret key and message are hashed together
• Recomputation of digest verifies that the message originated with the peer and that the message was not altered in transit
Route Update Authentication and Integrity
Figure: assemble the packet with the key (IP HDR | Key | Route Update Data) and run it through the hash function to get the signature; reassemble the packet with the signature (IP HDR | Route Update Data | Signature) and send it to the wire.
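Added example, mine rather than the slides': the keyed-hash construction of the two slides above in Python, with the key hashed together with the route update data on the sending side and recomputed on the receiving side. The key and route data are constructed; MD5 over data plus key follows the keyed-MD5 routing authentication of the slides' era, where a modern implementation would use an HMAC (hmac.new) instead.

```python
import hashlib
import hmac

# Constructed sample: the shared secret and a route update, shown as text for readability.
SHARED_KEY = b"s3cr3t-key"
ROUTE_UPDATE = b"10.1.0.0/255.255.0.0 metric 2;10.2.0.0/255.255.0.0 metric 3"
IP_HDR = b"IPHDR:"                         # stand-in for the IP header; the hash does not cover it
DIGEST_LEN = hashlib.md5().digest_size     # 16 bytes

def sign(route_data, key):
    """Sender: secret key and route data hashed together; the digest is the 'signature'."""
    return hashlib.md5(route_data + key).digest()

def build_packet(route_data, key):
    """Assemble the packet with the key, then put the signature (never the key) on the wire."""
    return IP_HDR + route_data + sign(route_data, key)

def verify_packet(packet, key):
    """Receiver: split off the fixed-length signature, recompute it with its own copy
    of the key and compare in constant time. Returns (ok, route_data)."""
    route_data, sig = packet[len(IP_HDR):-DIGEST_LEN], packet[-DIGEST_LEN:]
    ok = hmac.compare_digest(sig, sign(route_data, key))
    return ok, route_data
```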
Route Filtering
Router# sho ip proto
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 12 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is 1
  Redistributing: rip

router rip
 network 10.0.0.0
 distribute-list 1 in
!
access-list 1 deny 0.0.0.0
access-list 1 permit 10.0.0.0 0.255.255.255
Secure Vital Services
• Network Time Protocol Sources
• Domain Name Servers
• Certificate Authority
Multi-Level Security: TCSEC, ITSEC and CC
• Not really needed in Enterprise Networks
• Difficult to implement (unless you’re the military)
Session Protection through Encryption
Figure: encryption at the application, network or link layer: application to application, end to end, end to intermediate, intermediate to intermediate, or link to link.
Session Protection through Network Layer Encryption
Figure: cleartext is encrypted with DES under a shared secret key, crosses the Internet as ciphertext, and is decrypted with the same shared secret key back to cleartext.
IPSec: the IETF working group defining IP Security
NetRanger
• Sensors watch for attacks or problems
• NetRanger stops active attacks
Figure: a NetRanger Director managing several sensors.
NetSonar Vulnerability Scanning
• Network mapping
  Identify live hosts
  Identify services on hosts
• Vulnerability scanning
  Analyze discovery data for potential vulnerabilities
  Confirm vulnerabilities on targeted hosts
VI. Security Sustainment Validation
What steps can you take to make sure that your network will continue to be secure?
Modeling Tools
• NetSys Modeling can verify the access controls in your network
Validating Your Policy through Network Management Systems
• What to monitor?
• What to measure?
Figure: a management station overseeing the access, workgroup and core layers.
Track and report trends that show how you are achieving your security goals
VII. Conclusions
For the want of a nail, the shoe was lost.
For the want of a shoe, the horse was lost.
For the want of a horse, the rider was lost.
For the want of a rider, the battle was lost.
For the want of a battle, the Kingdom was lost.
And all for the want of a horse shoe nail.