Securing Places in the Network
Nadhem J. Al-Fardan
Consulting System Engineer
Cisco Systems - Saudi Arabia
5/10/2008

AGENDA
The agenda for the next 45 minutes:
• What are the "Places in the Network"?
• Place I - The Campus
• Place II - The Data Center
• Securing Services - Unified Communications (UC)
Places in the Network
The objective is to build best practices for architecting your network. Today's session looks at how to secure some of these locations: the Campus, the WAN, the Data Center, the Internet edge, and the Applications and Services they host.
Place I - The Campus
Campus Security - Best Practices
• Catalyst Integrated Security Feature Set: Dynamic Port Security, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
• End-to-end security across the campus, WAN and Internet edge (the diagram shows the access, distribution and core switches with the Internet, WAN and IP multicast sources attached)
• Use SSH to access devices instead of Telnet
• Enable AAA and role-based access control (RADIUS/TACACS+) for the CLI on all devices
• Enable SYSLOG to a server; collect and archive the logs
• When using SNMP, use SNMPv3
• Disable unused services:
  no service tcp-small-servers
  no service udp-small-servers
• Use FTP or SFTP (SSH FTP) to move images and configurations around; avoid TFTP when possible
• Install VTY access-lists to limit which addresses can access management and CLI services
• Enable control plane protocol authentication where it is available (EIGRP, OSPF, BGP, HSRP, VTP, etc.)
• Apply the basic protections offered by RFC 2827 filtering on external edge inbound interfaces
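As an added illustration (not from the slides), a small Python audit that checks an IOS running-config text for several of the management-plane practices listed above: AAA enabled, a remote syslog server, no SNMPv1/v2c communities, small servers disabled, SSH-only VTY lines and a VTY access-class. The sample configuration is constructed.

```python
import re

# Constructed running-config fragment (not from the slides) showing several of
# the weaknesses the best-practice list above warns about.
SAMPLE_CONFIG = """\
hostname campus-access-1
service tcp-small-servers
snmp-server community public RO
logging buffered 16384
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
"""

def vty_stanzas(lines):
    """Yield the indented body of each 'line vty ...' stanza as a list of stripped lines."""
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            body, i = [], i + 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield body
        else:
            i += 1

def audit_ios_config(text):
    """Return findings against the management-plane best practices on this slide."""
    lines = text.splitlines()
    findings = []
    if "aaa new-model" not in lines:
        findings.append("AAA not enabled ('aaa new-model' missing)")
    if not any(re.match(r"logging (host )?\d", l) for l in lines):
        findings.append("no remote syslog server ('logging host <ip>' missing)")
    if any(l.startswith("snmp-server community") for l in lines):
        findings.append("SNMPv1/v2c community configured; use SNMPv3 instead")
    if any(re.fullmatch(r"service (tcp|udp)-small-servers", l) for l in lines):
        findings.append("small servers enabled; add 'no service tcp/udp-small-servers'")
    for body in vty_stanzas(lines):  # each VTY stanza is checked on its own
        if "transport input ssh" not in body:
            findings.append("VTY not restricted to SSH ('transport input ssh' missing)")
        if not any(l.startswith("access-class") for l in body):
            findings.append("VTY has no access-class limiting management sources")
    return findings
```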
BPDU Guard
Prevent Loops via WLAN (Windows XP Bridging)
Problem: multiple Windows XP machines with bridging enabled can create a loop in the wired VLAN via the WLAN; an STP loop is formed.
Solution: BPDU Guard configured on all end-station switch ports will prevent the loop from forming. When a bridging host generates a BPDU, BPDU Guard disables the port.
Problem: Prevalence of Rogue APs
• The majority of WLAN deployments are unauthorized, set up by well-intended employees (rogue APs); many are insecure
• A daily drive to work, taken in the car at normal speeds with a PDA running a freeware application (a mix of residences and enterprises): 59 APs found, some already war-chalked
• Insecure enterprise rogue APs are a result of:
  - Well-intentioned staff installing them due to the absence of a sanctioned WLAN deployment
  - An infrastructure that is not "wireless ready" to protect against rogue APs
Basic 802.1x Access Control
Controlling When and Where APs Are Connected
Diagram: 802.1x is enabled on "user"-facing ports. The switch asks "Who are you?"; an authorized user ("I am Joe Cisco") is admitted, while a rogue AP that cannot answer has its port disabled ("No 802.1x here"). 802.1x is disabled on the ports of authorized WLAN APs.

CatOS Configuration Example
set dot1x system-auth-control enable
set dot1x guest-vlan 250
set radius server 10.1.125.1 auth-port 1812 primary
set radius key cisco123
set port dot1x 3/1-48 port-control auto

Cisco IOS Configuration Example
! RADIUS server used for 802.1x authentication (sample key from the slide)
radius-server host 10.1.125.1
radius-server key cisco123
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization config-commands
! turn 802.1x on globally
dot1x system-auth-control

Cisco IOS Per-Port Configuration
! apply to the user-facing access ports
interface range FastEthernet3/1 - 48
 dot1x port-control auto
Securing Layer 2 from Surveillance Attacks
Cutting off MAC-Based Attacks
PROBLEM: "script kiddie" hacking tools enable attackers to flood switch CAM tables with bogus MACs (250,000 bogus MACs per second). A switch CAM table holds a finite number of MAC addresses, so once it is full the VLAN turns into a "hub", eliminating privacy.
SOLUTION: port security limits the MAC flooding attack, locks down the port and sends an SNMP trap. In the diagram only 3 MAC addresses (e.g. 00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb) are allowed on the port and the flooding port is shut down.
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
DHCP Snooping
Protection Against Rogue/Malicious DHCP Server
Diagram: (1) a client sends 1000s of DHCP requests to overrun the DHCP server; (2) a rogue host sends bogus DHCP responses to other clients.
• DHCP requests (discover) and responses (offer) are tracked
• Rate-limit requests on trusted interfaces; this limits DoS attacks on the DHCP server
• Deny responses (offers) on non-trusted interfaces; this stops a malicious or errant DHCP server
Securing Layer 2 from Surveillance Attacks
Protection Against ARP Poisoning
• Dynamic ARP Inspection protects against ARP poisoning (ettercap, dsniff, arpspoof)
• Uses the DHCP snooping binding table, which tracks MAC-to-IP mappings from DHCP transactions
• Rate-limits ARP requests from client ports; this stops port scanning
• Drops BOGUS gratuitous ARPs; this stops ARP poisoning and man-in-the-middle attacks
Diagram: gateway = 10.1.1.1 (MAC A), victim = 10.1.1.50 (MAC C), attacker = 10.1.1.25 (MAC B). The attacker sends gratuitous ARPs claiming "10.1.1.50 = MAC_B" to the gateway and "10.1.1.1 = MAC_B" to the victim; neither matches the binding table, so the switch drops them.
IP Source Guard
Protection Against Spoofed IP Addresses
• IP Source Guard protects against spoofed IP addresses
• Uses the DHCP snooping binding table, which tracks IP address to port associations
• Dynamically programs a port ACL to drop traffic not originating from the IP address assigned via DHCP
Diagram: gateway = 10.1.1.1 (MAC A), victim = 10.1.1.50, attacker = 10.1.1.25. The attacker's "Hey, I'm 10.1.1.50!" traffic does not match the binding on its port and is dropped.
Catalyst Integrated Security Features
Summary - Cisco IOS
• Port Security prevents MAC flooding attacks
• DHCP Snooping prevents client attacks on the switch and the DHCP server
• Dynamic ARP Inspection adds security to ARP using the DHCP snooping table
• IP Source Guard adds security to the IP source address using the DHCP snooping table

! enable DHCP snooping and DAI on the client VLANs
ip dhcp snooping
ip dhcp snooping vlan 2-10
ip arp inspection vlan 2-10
!
! client-facing access port: all four features, untrusted
interface FastEthernet3/1
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
 ip verify source vlan dhcp-snooping
!
! uplink towards the DHCP server and gateway: trusted
interface GigabitEthernet1/1
 ip dhcp snooping trust
 ip arp inspection trust
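An added illustration, not Cisco code: a toy Python model of what the four features in this summary enforce, replayed on the addresses used in the preceding slides (gateway 10.1.1.1/MAC A behind the trusted uplink, victim 10.1.1.50/MAC C, attacker 10.1.1.25/MAC B; the port names fa3/2, fa3/3 and gi1/1 are constructed).

```python
class CatalystSecurityModel:
    """Toy model of port security, DHCP snooping, DAI and IP Source Guard (added illustration, not Cisco code)."""

    def __init__(self, trusted_ports, max_macs=3):
        self.trusted = set(trusted_ports)  # uplinks: may send DHCP replies, exempt from DAI/ISG
        self.max_macs = max_macs           # 'switchport port-security maximum 3'
        self.cam = {}                      # port -> secure MACs learned on it
        self.bindings = {}                 # port -> (ip, mac), learned from DHCP ACKs

    def learn_mac(self, port, mac):
        """Port security: cap learned MACs so CAM flooding cannot turn the VLAN into a hub."""
        macs = self.cam.setdefault(port, set())
        if mac in macs or len(macs) < self.max_macs:
            macs.add(mac)
            return "learned"
        return "drop: port-security violation (restrict: drop, count, SNMP trap)"

    def dhcp_reply(self, ingress_port, kind, client_port, ip, mac):
        """DHCP snooping: OFFER/ACK only from trusted ports; an ACK records the client binding."""
        if ingress_port not in self.trusted:
            return f"drop: DHCP {kind} from untrusted {ingress_port}"
        if kind == "ack":
            self.bindings[client_port] = (ip, mac)
        return "forward"

    def arp(self, port, sender_ip, sender_mac):
        """DAI: ARP from an untrusted port must match that port's snooping binding."""
        if port in self.trusted or self.bindings.get(port) == (sender_ip, sender_mac):
            return "forward"
        return f"drop: bogus ARP {sender_ip}={sender_mac} on {port}"

    def ip_packet(self, port, src_ip):
        """IP Source Guard: source IP on an untrusted port must be the DHCP-assigned one."""
        if port in self.trusted or self.bindings.get(port, (None,))[0] == src_ip:
            return "forward"
        return f"drop: spoofed source {src_ip} on {port}"

def demo():
    """Slide scenario: gateway behind trusted gi1/1, victim 10.1.1.50/MAC C on fa3/2,
    attacker 10.1.1.25/MAC B on fa3/3 (port names are constructed)."""
    sw = CatalystSecurityModel(trusted_ports={"gi1/1"})
    flood = [sw.learn_mac("fa3/3", f"00:0e:00:{n:02x}:{n:02x}:{n:02x}") for n in range(5)]
    for port, ip, mac in (("fa3/2", "10.1.1.50", "C"), ("fa3/3", "10.1.1.25", "B")):
        sw.dhcp_reply("gi1/1", "ack", port, ip, mac)
    return {
        "flood": flood,                                      # 3 learned, then 2 drops
        "rogue_dhcp": sw.dhcp_reply("fa3/3", "offer", "fa3/2", "10.1.1.99", "C"),
        "arp_as_gateway": sw.arp("fa3/3", "10.1.1.1", "B"),  # gratuitous ARP 10.1.1.1=MAC_B
        "arp_as_victim": sw.arp("fa3/3", "10.1.1.50", "B"),  # gratuitous ARP 10.1.1.50=MAC_B
        "arp_honest": sw.arp("fa3/3", "10.1.1.25", "B"),
        "ip_spoof": sw.ip_packet("fa3/3", "10.1.1.50"),      # "Hey, I'm 10.1.1.50!"
        "ip_honest": sw.ip_packet("fa3/2", "10.1.1.50"),
    }
```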
Place II - The Data Center
Secure Data Center
Data Protection
• Perimeter protection
• Encryption services
• Virtualized data inspection services
• XML security
Compliance Issues
• SOX
• PCI
• HIPAA
• Gramm-Leach-Bliley Act (GLBA)
Business Continuity
• Effective crisis management
• Protected data redundancy
• Improved global access to core critical services and data
Service Resilience
• Load sharing and acceleration
• Application protection
• SSL offload and load balancing
• E-mail spam prevention
Three Tiers of Data Center Security
1. Features of a typical data center design
2. Higher level of protection from DDoS and malicious traffic
3. Maximum protection at the application and data layers
Data Center Security - In a Nutshell
• Security considerations for the Data Center must address:
  - Business continuity
  - Regulatory compliance
  - Mitigating risk to service availability, service integrity and service confidentiality
• Secure Data Center designs leverage breadth and depth of defense: NETWORK-WIDE, not PRODUCT-NARROW
• The services layer design is critical to the delivery of virtualized and high-touch security services
• Differentiate technologies based on customer requirements and placement within the Data Center
• Deliver Secure Data Center designs based on:
  - A scalable network
  - Agile services
  - High availability
  - A validated approach
DC Maximized Security (diagram)
Integrated network services: Catalyst 6500 switch with Firewall Services Module, Intrusion Detection Services (IDSM), Anomaly Detector Module (ADM), Anomaly Guard Module (AGM), SSL offload with SSL Service Module, Application Control Engine (ACE), Application Velocity System (AVS), Wide Area Application Services appliance (WAAS), ISP DDoS protection, ASA with Web VPN, IronPort C-Series, XML Firewall.
Servers: application servers / integrated server fabric, blade servers / InfiniBand with SFS Gateway, CSA-protected servers, fabric-assisted applications.
Integrated storage fabric: Multi-Layer Fabric Switch (MDS), Virtual Fabrics (VSAN), storage virtualization, data replication services, Fibre Channel storage, tape data storage, offsite recovery.
Management: CSA-MC, CS-MARS, Network Compliance Manager.
Secure Data Center
Data Center Edge
• Firewall & IPS
• DoS protection
• Application protocol inspection
• Web services security
• VPN termination
• Email & web access control
Web Access
• Web security
• Application security
• Application isolation
• Content inspection
• SSL encryption/offload
• Server hardening
Apps and Database
• XML, SOAP, AJAX security
• XDoS prevention
• App-to-app security
• Server hardening
Storage
• Data encryption: in motion, at rest
• Stored data access control
• Segmentation
• Tiered access
Mgmt
• Monitoring & analysis
• Role-based access
• AAA access control
Products shown in the diagram: ASA, Cat6K FWSM, IronPort E-Mail Security, IronPort Web Security, ACE, ACE WAF, WAAS, CSA on web, application and database servers, MDS w/SME in front of Tier 1/2/3 storage and tape/off-site backup, and ACS, CSM, CSA-MC, CW-LMN and MARS for management.
The Effect of Application Attacks
Web Application Threats
• Cross-site scripting
• SQL injection
• Command injection
• Cookie and session poisoning
• Parameter and form tampering
• Buffer overflow
• Directory traversal and forceful browsing
• Cryptographic interception
• Cookie snooping
• Authentication hijacking
• Error-message interception
• Attack obfuscation
• Application platform exploits
• DMZ protocol exploits
• Security management attacks
• Day-zero attacks
Effects
• Theft of customer data
• Access to unpublished pages
• Unauthorized application access
• Password theft
• Modification of data
• Disruption of service
• Website defacement
• Recovery and cleanup
Endpoint Security for Servers
• Intrusion prevention
• Antivirus
• Antispyware
• Anti-botnet
• Firewall
• Device control
• Application control
• Threat visibility
Defends endpoints against sophisticated day-zero attacks
Enhances the Cisco Self-Defending Network
Securing the Layers
Defense in Depth - Best Practices
• Secure Management-Plane
  - Secure communications to nodes
  - Ensure CLI access is available at all times
• Secure Control-Plane
  - Shield the network from direct attack and from collateral damage
• Secure Data-Plane
  - Block malicious packets at the edge of the network
• Services-Plane
  - Managed security services
• CORE/AGGREGATION
  - Secure bandwidth resources
  - Segmentation (VLAN, PVLAN, VRF)
• ACCESS
  - Secure server-to-server traffic
  - Traffic marking and policing
  - L2 edge filtering
• SANs
  - Secure access to storage resources
  - Segmentation (VSANs)
  - Application security
  - Virtualization
Securing Services - Unified Communications
Secure Unified Communications (diagram)
Two sites, Riyadh and Jeddah, connected over the WAN and the PSTN, with three areas to secure: secure servers and applications, secure infrastructure & connectivity, and secure endpoints.
Building a Secure UC System
Protecting all elements of the UC system, with the network as the platform:
• Endpoints: authenticated IP phones, soft clients and other devices
• Infrastructure: secure connectivity and transport
• Call Control: secure protocols for call management features
• Applications: auto-attendant, messaging, and customer care
Secure UC Threats and Risks - Examples
• Eavesdropping: listening to or recording audio or video conversations
  Risk: loss of privacy (regulatory issues, reputation)
• Denial of Service (internal): loss of service
  Risk: loss of productivity, safety and security impact (#999)
• Compromised system integrity: hacker control of applications or call control infrastructure
  Risk: financial (toll fraud), data theft, regulatory issues (loss of privacy)
• Compromised UC clients (e.g. softphones): hacker control of platforms that are UC clients
  Risk: financial (toll fraud), data theft (e.g. customer information on the IPCC Agent Desktop)
Best Practice for Secure Unified Communications
Base
• Basic Layer 3 ACLs
• Separate voice/data VLANs
• Standalone Cisco Security Agent (CSA)
• Approved antivirus
• Disable gratuitous ARP
• Smart Ports (Auto QoS)
• Signed firmware and configs
• Classes of restriction (toll fraud prevention)
• Cisco patches
Intermediate
• Firewalls with stateful inspection
• Rate limiting
• Limit MAC address learning
• Dynamic ARP Inspection
• IP Source Guard
• Dynamic Port Security
• DHCP Snooping
• Managed CSA
Advanced
• Firewall with advanced application inspection (and encrypted VoIP support)
• NAC / 802.1X
• TLS / SRTP to phones
• IPsec/TLS & SRTP to gateways
• TLS/SRTP to applications (Unity)
• Encrypted config files
• Advanced O/S hardening
• Intrusion prevention services
Secure UC Campus (diagram)
• CUCM clusters with Cisco Security Agent
• Applications (VMail, IPCC, MP...) with Cisco Security Agent
• Secure SIP trunk demarcation to the VoIP SP: Cisco ASA with IPS (TLS Proxy/Phone Proxy)
• Campus security features and phone security features
• NAC Appliance; soft phone with CSA/NAC Agent
• PSTN access via a VSEC router (IOS Firewall + voice gateway)
Secure UC Branch (diagram)
• Cisco Integrated Services Router connected to the IP WAN and the PSTN
• Voice gateway, CCME/SRST and CUE
• Cisco IOS Firewall/IPS with WAAS
ASA for Secure Unified Communications
Protecting the Telephony Infrastructure and Enabling UC Services
Firewall features:
• Ensure SIP, SCCP, H.323 and MGCP requests conform to standards
• Prevent inappropriate SIP methods from being sent to Communications Manager
• Network rate limit SIP requests
• Dynamic port opening for Cisco applications
• Enable only "registered phones" to make calls
• Policy enforcement of calls (white list, blacklist, caller/called party, SIP URI)
• Enable inspection of encrypted phone calls
Diagram: Cisco ASA with IPS and VPN at the campus edge facing the WAN and Internet, a Cisco IOS VPN router and a Cisco ASA with VPN at the remote sites, and Cisco Security Agent (CSA) on the call control servers.
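An added illustration, not ASA code: a toy Python policy that applies the checks this slide lists to SIP requests at a trunk demarcation: permitted methods, calls only from registered phones, a called-party blacklist and a per-source rate limit. The SIP URIs, addresses and the rate-limit value are constructed.

```python
import re
from collections import defaultdict

ALLOWED_METHODS = {"REGISTER", "INVITE", "ACK", "BYE", "CANCEL", "OPTIONS"}
RATE_LIMIT = 3  # max requests per source per window (constructed, illustrative)

class SipPolicy:
    """Toy SIP trunk policy in the spirit of the ASA features above: method
    filtering, registered-phone check, called-party blacklist and per-source
    rate limiting. Added illustration, not ASA code."""

    def __init__(self, registered, blacklist=()):
        self.registered = set(registered)  # phones that completed REGISTER
        self.blacklist = set(blacklist)    # blocked called-party URIs
        self.counts = defaultdict(int)     # source address -> requests this window

    @staticmethod
    def parse(msg):
        """Return (method, from_uri, to_uri) from a SIP request, or None if malformed."""
        m = re.match(r"([A-Z]+) sip:\S+ SIP/2\.0\r?\n", msg)
        frm = re.search(r"^From:.*?<(sip:[^>]+)>", msg, re.M)
        to = re.search(r"^To:.*?<(sip:[^>]+)>", msg, re.M)
        if not (m and frm and to):
            return None
        return m.group(1), frm.group(1), to.group(1)

    def check(self, src, msg):
        """Decide 'allow' or 'drop: <reason>' for one request from source address src."""
        self.counts[src] += 1
        if self.counts[src] > RATE_LIMIT:
            return "drop: rate limit exceeded"
        parsed = self.parse(msg)
        if parsed is None:
            return "drop: malformed request"
        method, frm, to = parsed
        if method not in ALLOWED_METHODS:
            return f"drop: method {method} not permitted"
        if method == "INVITE" and frm not in self.registered:
            return "drop: caller is not a registered phone"
        if to in self.blacklist:
            return f"drop: called party {to} blacklisted"
        return "allow"

def sip(method, frm, to):
    """Build a minimal constructed SIP request for testing the policy."""
    return (f"{method} {to} SIP/2.0\r\nVia: SIP/2.0/TLS 10.1.1.50:5061\r\n"
            f"From: <{frm}>;tag=1\r\nTo: <{to}>\r\nCall-ID: c1\r\nCSeq: 1 {method}\r\n\r\n")
```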
Links to Resources
• Cisco Security Center: http://www.cisco.com/security
• Open Web Application Security Project (OWASP): http://www.owasp.org
• SANS Institute: http://www.sans.org