10.1 Key Terms
Cisco SIO = Security Intelligence Operations. Early warning intelligence,
threat and vulnerability analysis, and proven Cisco mitigation solutions to
help protect networks.

ASA = Adaptive Security Appliance firewall, such as the ASA 5510 Firewall.

stateful filtering = More than just a simple packet filter check, stateful
inspection can determine whether a network flow exists and can look at
information up to the application layer. A stateful filtering firewall
dynamically allows the return traffic back to the user from the server they
were accessing on the other side of the firewall. This is implemented in the
ASA firewall and in the Zone-Based Firewall feature on an IOS router.
10.2 Things to Remember
10.2.1 Security Features on Cisco Switches

Feature > Description

Port security > Limits the number of MAC addresses that a port can learn.
This protects against a content-addressable memory (CAM) table (also known as
the MAC table) overflow. An attacker may attempt to flood bogus source MAC
addresses in an attempt to consume all the memory in the table, which would
cause the switch to forward unicast frames out all ports in the same VLAN. By
launching this attack, the attacker is hoping to see all frames on the VLAN
and perform eavesdropping reconnaissance against the network.

DHCP snooping > An attacker who attempts to place a rogue DHCP server on the
network could potentially hand out incorrect Dynamic Host Configuration
Protocol (DHCP) information, including the default gateway for the clients to
use, which could cause a man-in-the-middle attack and allow eavesdropping by
the attacker. DHCP snooping only allows server responses from specifically
trusted ports that lead to your authorized DHCP servers. It also protects the
DHCP server by rate-limiting how many DHCP requests can be sent per interval,
which is useful if an attacker somewhere is requesting thousands of IP
addresses in an attempt to consume the entire pool on the DHCP server.

Dynamic Address Resolution Protocol (ARP) inspection > Using the information
from DHCP snooping, or from manually configured bindings, a switch can confirm
that your traffic includes accurate MAC address information in ARP
communications, to protect against an attacker trying to perform Layer 2
spoofing.

IP source guard > This can be used to verify that the client on a given port
is not doing Layer 3 spoofing (IP address spoofing).

Root guard, BPDU guard, BPDU filtering > These features enable you to control
your spanning-tree topology, including resisting a rogue switch's attempt to
become root of the spanning tree.

Storm control > This feature allows the switch to begin clamping down on
traffic at configurable levels. For example, broadcast storm control could
tell the switch to stop forwarding broadcast traffic (or limit it) if
broadcasts ever reach more than 50 percent utilization (for example) of the
switch capacity.

Additional modules > Modules are supported on various networking devices and
add functionality to that device. Examples include IPS modules, VPN modules,
firewall modules, anti-malware modules, and so on. You can expand security
services on many network devices, such as routers and switches, and even add
to the functionality of firewalls.
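The switch features in the table above, as one IOS configuration on a single access switch. This is an added example, not configuration from the original notes; the interface numbers, VLAN 10, the MAC limit and the rate and storm thresholds are assumptions.

```text
! Constructed example: assumes user ports Gi0/1-0/20, a downstream switch on
! Gi0/21 and the uplink toward the authorized DHCP server on Gi0/24, all in VLAN 10.
!
! DHCP snooping builds the IP/MAC binding table; only trusted ports may answer.
ip dhcp snooping
ip dhcp snooping vlan 10
! Dynamic ARP inspection validates ARP replies against that binding table.
ip arp inspection vlan 10
!
interface range GigabitEthernet0/1 - 20
 description User access ports (untrusted)
 switchport mode access
 switchport access vlan 10
 ! Port security: at most two learned MACs; "restrict" drops and logs extra
 ! sources instead of err-disabling the port, so a flood cannot knock a user off.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! Cap DHCP requests per second from this port (DHCP pool exhaustion).
 ip dhcp snooping limit rate 15
 ! IP source guard: only traffic matching the port's binding entry is forwarded.
 ip verify source
 ! Access ports never legitimately send BPDUs; err-disable the port if one arrives.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Storm control: throttle broadcasts above 50 percent of port bandwidth.
 storm-control broadcast level 50
!
interface GigabitEthernet0/21
 description Downstream switch: may send BPDUs but must never become root
 spanning-tree guard root
!
interface GigabitEthernet0/24
 description Uplink toward the authorized DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verification:
!  show port-security interface GigabitEthernet0/1
!  show ip dhcp snooping binding
!  show ip arp inspection vlan 10
!  show spanning-tree inconsistentports
```

Root guard belongs on ports facing switches that may never become root, not on the port toward the real root, or the switch will block its own path to the root bridge.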
10.2.2 Security Features of IOS Routers

Feature > Description

Reflexive access lists > This is mostly of historical interest, but it was one
of the early attempts on Cisco IOS to perform stateful filtering. The concept
is to not allow any traffic in from the outside world if it is initiated from
the outside. If a user on the inside of your network sends traffic out to a
server on the outside network, the reflexive access list looks at that flow of
traffic, creates an access control entry (ACE) that is the mirror image
(swapping the source and destination IP addresses and ports), and dynamically
applies it so that the return traffic from the server is allowed. Reflexive
access lists are not used much anymore.

Context-based access control (CBAC) > This was the evolution of the IOS router
to support stateful filtering without creating reflexive access lists. This
used to be called the IOS Firewall, because CBAC was the primary feature of
the IOS Firewall feature set.

Zone-Based Firewall > This replaced CBAC and is the current recommended way
to implement stateful filtering on IOS routers. Zone-Based Firewalls use class
maps to identify traffic, policy maps to specify actions to take on that
traffic, and a service policy set of commands to put the policy in place.
Among other things, a Zone-Based Firewall can do application layer inspection
and URL filtering and has other security-related features.

Packet-filtering ACLs > Using standard and extended ACLs, you can implement
your policy of what traffic is allowed or denied through the interfaces of
the router.

AAA > AAA stands for authentication, authorization, and accounting. The IOS
router has extensive support for each of these features and can work with
external servers relevant to these features if desired.

VPNs > IOS supports remote-access VPNs using Secure Sockets Layer (SSL) or
IPsec. It also supports VPNs in a site-to-site configuration when using IPsec.
(SSL is not generally used for site-to-site VPNs.)

IPS > The IOS router can implement an intrusion prevention system (IPS) in
software or by using a hardware module in an available option slot. With an
IPS function on the router, you add IPS protection to the routing function the
router already provides.

Routing protocol authentication > This provides security that prevents an
unauthorized router from being trusted or believed as it sends routing updates
in an attempt to influence or learn the routing information from another
router.

Control plane protection and control plane policing > These enable you to set
thresholds and limits for traffic that is directed to the router. In an
attempt to overwhelm the router, an attacker might send thousands of packets
directly to the router, which by default would have to be processed by the
router itself (as opposed to being forwarded somewhere else, as in the case
of a transit packet). The protection and policing set limits on these packets
so that router CPU is preserved.

Secure management protocols > Secure Shell (SSH) and SSL are supported for
managing the router.
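The three Zone-Based Firewall building blocks named in the table above (class map, policy map, service policy), as one IOS configuration. This is an added example, not configuration from the original notes; the zone, class-map and policy-map names and the interfaces are assumptions.

```text
! Constructed example: assumes the LAN is on Gi0/0 and the Internet on Gi0/1.
!
! Step 1: the class map identifies the traffic to be handled.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
!
! Step 2: the policy map specifies the action. "inspect" creates the stateful
! session entry so that the server's return traffic is allowed back, which is
! what CBAC did without any mirror-image reflexive ACE. Anything else is dropped.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Step 3: zones, a zone pair, and the service policy that puts the policy in place.
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE
!
! No OUTSIDE-to-INSIDE zone pair exists, so unsolicited inbound traffic is
! dropped by default; only replies to sessions created by "inspect" return.
! Verify with: show policy-map type inspect zone-pair IN-TO-OUT sessions
```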
10.2.3 Security Features of ASA Firewalls

Feature > Description

Stateful filtering > This allows the ASA to remember the state of a
connection (for example, a client going out to a web server) and dynamically
allow the return traffic back to the client. The firewall can be implemented
as a Layer 2 or Layer 3 device and in either case can analyze traffic all the
way up to the application layer.

Modular Policy Framework (MPF) > Used by the ASA (via class maps, policy maps,
and service policy rules) to perform simple protocol and application layer
inspection and policy enforcement.

URL filtering > Working with statically configured URLs or with a third-party
system, the ASA can control which URLs are allowed to be accessed by users
through this firewall.

Packet-filtering ACLs > Using standard and extended ACLs, you can implement
your policy of what traffic is allowed or denied through the interfaces of
the ASA.

AAA > AAA stands for authentication, authorization, and accounting. The ASA
has extensive support for each of these features and can work with external
servers related to these features (such as an Access Control Server [ACS]).

VPNs > The ASA supports remote-access VPNs using SSL or IPsec. It also
supports VPNs in a site-to-site configuration when using IPsec. (SSL is not
generally used for site-to-site VPNs.)

IPS > The ASA can implement an IPS by adding a hardware module to an
available option slot on the ASA.

Routing protocol authentication > This provides security that prevents a
rogue router from being trusted or believed as it sends routing updates in an
attempt to influence or learn the routing information from another router.

Secure management protocols > SSH and SSL are supported for managing the ASA.
10.2.4 Other Appliances and Services Used to Implement a Security Policy

Device or System > Explanation

IPS > An IPS analyzes network traffic, can report on traffic that it deems
malicious or harmful, and can take countermeasures against the offending
traffic. This can be implemented as an appliance, as a blade in a 6500
switch, or as a module in an ASA or IOS router. The primary method for
identifying problem traffic is signature matching.

Cisco Security Manager (CSM) > This is an enterprise-level configuration tool
that you can use to manage most security devices.

Cisco Security Intelligence Operations (SIO) Service > The SIO researches and
analyzes threats and provides real-time updates and best practices related to
these threats. It can dynamically deliver the latest breaking news right when
it happens. There is also an application for smart phones. You can learn more
at http://www.cisco.com/go/sio.