securing places in the network - cisco...5/10/2008 cisco systems 3 places in the network the...
TRANSCRIPT
Nadhem J. Al-FardanConsulting System EngineerCisco Systems - Saudi Arabia
Securing Placesin the Network
5/10/2008 Cisco Systems 1
AGENDA
• What are the “Places in the Network” ?• Place I - The Campus• Place II - The Data Center• Securing Services - Unified Communications (UC)
The Agenda for the next 45 Minutes !
5/10/2008 Cisco Systems 2
5/10/2008 Cisco Systems 3
Places in the Network
The Objective is to build best practices inarchitecting your network.
Campus
Internet
Data Center
WANBuilding BestPractices
Today’s session will look on how to secure some ofthese locations
Applications and Services
5/10/2008 Cisco Systems 4
Place IThe Campus
Campus Security - Best Practices Catalyst Integrated Security Feature Set!
Dynamic Port Security, DHCPSnooping, Dynamic ARP Inspection, IPSource Guard
Use SSH to access devices instead of Telnet Enable AAA and roles based access control
(RADIUS/TACACS+) for the CLI on all devices Enable SYSLOG to a server. Collect and
archive logs When using SNMP use SNMPv3 Disable unused services:
no service tcp-small-serversno service udp-small-servers
Use FTP or SFTP (SSH FTP) to move images andconfigurations around – avoid TFTP when possible
Install VTY access-lists to limit which addresses canaccess management and CLI services
Enable control plane protocol authenticationwhere it is available (EIGRP, OSPF, BGP,HSRP, VTP, etc.)
Apply basic protections offered by implementingRFC2827 filtering on external edge inbound interfaces
WAN Internet
End-to-End Security
SiSi SiSi SiSi SiSi SiSi SiSi
SiSiSiSi
SiSiSiSi
SiSi SiSiSiSiSiSi
IPmc Sources
5/10/2008 Cisco Systems 6
BPDU Guard
Problem:Multiple Windows XPmachines can create aloop in the wired VLANvia the WLAN
Solution:BPDU Guard configuredon all end station switchports will prevent loopfrom forming
Win XPBridgingEnabled
Win XPBridgingEnabled
BPDU GuardDisables Port
STP LoopFormed
BPDUGenerated
Prevent Loops via WLAN (Windows XP Bridging)
5/10/2008 Cisco Systems 7
Problem: Prevalence of Rogue APs
The majority of WLAN deployments areunauthorized by well intended employees(rogue APs)—many are insecure
A daily drive to work taken within the car atnormal speeds with a PDA running afreeware application (mix of residencesand enterprises)
Insecure enterprise rogueAP’s are a result of:
Well intentioned staff install dueto absence of sanctioned WLANdeploymentAn infrastructure that is not“wireless ready” to protectagainst rogue AP’s
59 APs Found
InsecureAPs
War Chalking
5/10/2008 Cisco Systems 8
Basic 802.1x Access Control
Authorized AP
Rogue AP
D on AuthorizedWLAN AP Ports
802.1x Enabled on“user” Facing
PortsAuthorized
User
Who Are You?
I Am Joe Cisco
Who Are You?
CatOS Configuration Exampleset dot1x system-auth-control enableset dot1x guest-vlan 250set radius server 10.1.125.1 auth-port1812 primaryset radius key cisco123set port dot1x 3/1-48 port-control auto
Cisco IOS Configuration Exampleradius-server host 10.1.125.1radius-server key cisco123aaa new-modelaaa authentication dot1x default groupradiusaaa authorization default group radiusaaa authorization config-commandsdot1x system-auth-control
Cisco IOS Per-Port configurationint range fa3/1 - 48dot1x port-control auto
Disabled
No802.1xHere
Controlling When and Where APs Are Connected
5/10/2008 Cisco Systems 9
Port Security Limits MAC Flooding Attackand Locks down Port and Sends anSNMP Trap
00:0e:00:aa:aa:aa00:0e:00:bb:bb:bb
“Script Kiddie” Hacking ToolsEnable Attackers Flood Switch CAMTables with Bogus Macs; Turningthe VLAN into a “Hub”and Eliminating Privacy
Switch CAM Table Limit Is FiniteNumber of Mac Addresses
Only 3 MACAddressesAllowed on
the Port:Shutdown250,000
Bogus MACsper Second
PROBLEM:SOLUTION:
switchport port-security switchport port-security maximum 3 switchport port-security violation restrict switchport port-security aging time 2 switchport port-security aging type inactivity
Cutting off MAC-Based Attacks
Securing Layer 2 from SurveillanceAttacks
5/10/2008 Cisco Systems 10
DHCP Snooping
DHCP requests (discover) and responses (offer) tracked Rate-limit requests on trusted interfaces; limits DOS attacks on DHCP server Deny responses (offers) on non trusted interfaces; stop malicious or errant DHCP
server
DHCPServer
1000s of DHCPRequests toOverrun the
DHCP Server
1
2
DHCPRequestBogus
DHCP
Response
Protection Against Rogue/Malicious DHCP Server
5/10/2008 Cisco Systems 11
Securing Layer 2 fromSurveillance Attacks
Dynamic ARP inspection protectsagainst ARP poisoning (ettercap,dsnif, arpspoof)
Uses the DHCP snooping bindingtable
Tracks MAC to IP fromDHCP transactions
Rate-limits ARP requests from clientports; stop port scanning
Drop BOGUS gratuitous ARPs; stopARP poisoning/MIM attacks
SiSi
Gateway = 10.1.1.1MAC=A
Attacker = 10.1.1.25MAC=B
Victim = 10.1.1.50MAC=C
Gratuitous ARP10.1.1.1=MAC_B
Gratuitous ARP10.1.1.50=MAC_B
Protection Against ARP Poisoning
5/10/2008 Cisco Systems 12
IP Source Guard
IP source guard protects againstspoofed IP addresses
Uses the DHCPsnooping binding table
Tracks IP address toport associations
Dynamically programsport ACL to drop traffic notoriginating from IP addressassigned via DHCP
SiSi
Gateway = 10.1.1.1MAC=A
Attacker = 10.1.1.25 Victim = 10.1.1.50
Hey, I’m 10.1.1.50 !
Protection Against Spoofed IP Addresses
5/10/2008 Cisco Systems 13
Catalyst Integrated Security Features
Port security prevents MAC floodingattacks
DHCP snooping prevents clientattack on the switch and server
Dynamic ARP Inspection addssecurity to ARP using DHCPsnooping table
IP source guard adds securityto IP source address usingDHCP snooping table
ip dhcp snoopingip dhcp snooping vlan 2-10
ip arp inspection vlan 2-10!
interface fa3/1switchport port-security
switchport port-security max 3switchport port-security violationrestrict
switchport port-security aging time 2
switchport port-security aging typeinactivity
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
ip verify source vlan dhcp-snooping
!
Interface gigabit1/1
ip dhcp snooping trust
ip arp inspection trust
IP Source Guard
Dynamic ARP Inspection
DHCP Snooping
Port Security
Summary Cisco IOS
5/10/2008 Cisco Systems 14
Place IIThe Data Center
5/10/2008 Cisco Systems 15
BusinessContinuity
• Effective crisismanagement
• Protected dataredundancy
• Improvedglobal accessto core criticalservices anddata
Secure Data Center
ComplianceIssues
• SOX• PCI• HIPAA• Gramm-Leach-
Bliley Act(GLBA
• Load sharingandacceleration
• Applicationprotection
• SSL Offloadand loadbalancing
• e-Mail spamprevention
• PerimeterProtection
• EncryptionServices
• Virtualizeddatainspectionservices
• XML Security
ServiceResilience
DataProtection
5/10/2008 Cisco Systems 16
Features of a typicaldata center design
Maximum protectionat the application anddata layers
Higher level ofprotection from DDoSand malicious traffic
Three Tiers of Data Center Security
1 2 3
5/10/2008 Cisco Systems 17
Data Center Security - In a Nutshell
Security considerations for Data Center must address Business Continuity Regulatory Compliance Mitigating risk to service availability, service integrity and service
confidentiality Secure Data Center Designs leverage breadth and depth of defense
NETWORK-WIDE not PRODUCT NARROW Services Layer design critical to delivery of Virtualized and High-touch security
services Differentiate technologies based on customer requirements and placement within
the Data Center Deliver Secure Data Center designs based:
Scalable network Agile services Highly Available Validated approach
5/10/2008 Cisco Systems 18
Anomaly Guard Module (AGM)
Maximized Security
Wide Area Application Services Appliance (WAAS)
Integrated Network Services
Application Servers /Integrated Server Fabric
SFS GatewayBlade Servers / Infiniband
Fiber Channel Storage
Tape Data Storage
Multi-LayerFabric Switch (MDS)
Data Replication Services
Storage Virtualization
Fabric Assisted Applications
Application Velocity System (AVS)
Firewall Services Module
Catalyst 6500 Switch
SSL Offload with SSL Service Module
Intrusion Detection Services (IDSM)
Application Control Engine (ACE)
Anomaly Detector Module (ADM)
CSA Protected Servers
Integrated Storage Fabric
Virtual Fabrics (VSAN)
CSA-MC
Management
Offsite Recovery
Tape Data Storage
Multi-LayerFabric Switch (MDS)
Fiber Channel Storage
Network Compliance Manager
CS-MARS
ISP DDoS Protection
IronPort C-Series
DC
ASA w / Web VPN
XML Firewall
5/10/2008 Cisco Systems 19
Secure Data Center
ASA
ACS
MARS
WAAS
Web Servers
ACE
CSA
CSACSA
ApplicationServers
DatabaseServers
ACEWAF
CSA
CSA
MDS w/SME
Tier 1/2/3 Storage
Tape/Off-site Backup
ACEWAF
CSMCSA-MCCW-LMN
Data Center Edge• Firewall & IPS• DOS Protection• App Protocol Inspection• Web Services Security• VPN termination• Email & Web Access
control
Cat6KFWSM
Web Access• Web Security• Application Security• Application Isolation• Content Inspection• SSL
Encryption/Offload• Server Hardening
Apps andDatabase
• XML, SOAP, AJAXSecurity
• XDoS Prevention• App to App Security• Server Hardening
Storage• Data Encryption
•In Motion•At Rest
• Stored DataAccess Control
• Segmentation
Mgmt• Tiered Access• Monitoring &
Analysis• Role-Based
Access• AAA Access
Control
IronPort E-Mail Security
ACEWAF
IronPort Web Security
IronPort Web Security
CSAWAF
5/10/2008 Cisco Systems 20
The Effect of Application Attacks
Web Application Threats Cross-site scripting SQL injection Command injection Cookie and session poisoning Parameter and form tampering Buffer overflow Directory traversal and forceful
browsing Cryptographic interception Cookie snooping Authentication hijacking Error-message interception Attack obfuscation Application platform exploits DMZ protocol exploits Security management attacks Day-zero attacks
• Theft of customer data• Access to unpublished pages• Unauthorized application
access• Password theft• Modification of data• Disruption of service• Website defacement• Recovery and cleanup
5/10/2008 Cisco Systems 21
Endpoint Security for Servers
Defends endpoints against sophisticated DAY ZERO attacks
Enhances the Cisco Self Defending Network
Antivirus
Antispyware
Firewall
IntrusionPrevention
ThreatVisibility
Device C
ontrolA
pplic
atio
n C
ontr
ol
Anti Botnet
5/10/2008 Cisco Systems 22
Securing the LayersDefense in Depth - Best Practices
Secure Management-Plane-Secure communications to
Nodes-Ensure CLI Access available at
all times Secure Control-Plane
-Shield network from direct attackand from collateral damage
Secure Data-Plane-Block malicious packets at the
Edge of the network Services-Plane
-Managed Security Services-Application Security-Virtualization
• CORE/AGGREGATION-Secure Bandwidth resources-Segmentation (VLAN, PVLAN, VRF)
• ACCESS-Secure Server to Server traffic-Traffic Marking and Policing-L2 Edge Filtering
• SANs-Secure Access to storage resources-Segmentation (VSANS)
5/10/2008 Cisco Systems 23
Securing ServicesUnified
Communications
5/10/2008 Cisco Systems 24
PSTN
WAN
Secure Servers andApplications
A A
SecureInfrastructure &
Connectivity
Secure Endpoints
Jeddah Riyadh
Secure Unified Communications
5/10/2008 Cisco Systems 25
Network as the Platform
Building A Secure UC SystemProtecting all elements of the UC system
InfrastructureSecure connectivityand transport
EndpointsAuthenticated IP phones, softclients and other devices
ApplicationsAuto-attendant, Messaging,and Customer Care
Call ControlSecure Protocols for CallManagement Features
UnifiedCommunications
5/10/2008 Cisco Systems 26
Secure UC Threats and Risks Examples
EavesdroppingListening/Recording to audio or video conversationsRisk: Loss of Privacy (Regulatory Issues, Reputation)
Denial of Service (Internal)Loss of serviceRisk: Loss of Productivity, Safety and Security impact (#999)
Compromised System IntegrityHacker control of applications or call control infrastructureRisk: Financial (Toll Fraud), Data Theft, Regulatory Issues (Loss ofPrivacy)
Compromised UC Clients (e.g. Softphones)Hacker control of platforms that are UC ClientsRisk: Financial (Toll Fraud), Data Theft ( egg Customer Information - IPCCAgent Desktop)
5/10/2008 Cisco Systems 27
Best Practice for Secure UnifiedCommunications
Intrusion prevention servicesCisco Patches
Managed CSAClasses of restriction(Toll Fraud prevention)
Advanced O/S HardeningDHCP SnoopingSigned Firmware and Configs
Encrypted Config FilesDynamic Port SecuritySmart Ports (Auto QoS)
TLS/SRTP to applications(Unity)IP Source GuardDisable Gratuitous ARP
IPSec/TLS & SRTP toGatewaysDynamic ARP InspectionApproved Antivirus
TLS / SRTP to PhonesLimit MAC Address LearningStandalone Cisco SecurityAgent (CSA)
NAC / 802.1XRate LimitingSeparate voice/data VLANS
Firewall with advancedapplication inspection (andencrypted VoIP support)
Firewalls with statefulinspectionBasic Layer 3 ACL's
AdvancedIntermediateBase
5/10/2008 Cisco Systems 28
Secure UC Campus
PSTN
VSEC Router(IOS Firewall + Voice Gateway)
Campus Security Features
PhoneSecurityFeatures
Soft Phonewith
CSA/NACAgent
NACAppliance
Applications(VMail, IPCC, MP…) with
Cisco Security Agent
Cisco ASA with IPS(TLS Proxy/Phone Proxy)
VoIP SP
CUCM Cluster's with Cisco Security Agent
Secure SIP Trunk Demarcation
5/10/2008 Cisco Systems 29
Secure UC Branch
IP WAN
Cisco Integrated Services Router
Cisco IOS Firewall/IPSwith WAAS
PSTN
Voice Gateway,CCME/SRST and
CUE
5/10/2008 Cisco Systems 30
ASA for Secure Unified CommunicationsProtecting the Telephony Infrastructure andenabling UC Services
Internet
WAN
Cisco IOS VPNRouter
Cisco SecurityAgent (CSA)
Cisco ASAwith VPN
Cisco ASAwith IPS and
VPN
Firewall Features:
Ensure SIP, SCCP, H.323, MGCPrequests conform to standards
Prevent inappropriate SIP Methods frombeing sent to Communication Manager
Network Rate Limit SIP Requests Policy enforcement of calls (white list,
blacklist, caller/called party, SIP URI)
Dynamic port opening for Ciscoapplications
Enable only “registered phones” tomake calls
Enable inspection of encryptedphone calls
5/10/2008 Cisco Systems 31
Links to Resources
Cisco Security Centerhttp://www.cisco.com/security
Open Web Application Security Project (OWASP)http://www.owasp.org
SANS Institutehttp://www.sans.org
5/10/2008 Cisco Systems 32