CCSP Complete Study Guide (642-501, 642-511, 642-521, 642-531, 642-541)

Hardcover
Author: Bryant Tow

ISBN-10: 0782144225

ISBN-13: 9780782144222

Category: Cisco Certification

The Most Comprehensive and Current CCSP Self-Study Solution on the Market!

Here's the comprehensive and economical self-study solution that will provide you with the knowledge and skills needed to approach the CCSP exams with confidence. This Study Guide was developed to meet the exacting requirements of today's certification candidates. In addition to the consistent and accessible instructional approach that has earned Sybex the reputation as the leading publisher for certification study...

To ensure adequate support for their security products and services, Cisco released a professional-level certification, Cisco Certified Security Professional (CCSP). This single volume, from the leader in certification, provides complete and up-to-date coverage of all five exams required for the CCSP certification: 640-501, 640-511, 640-521, 640-531, 640-541. Not only is it handy to have all the necessary study information compiled in one guide, it is also the most economical self-study solution. The companion CD includes an advanced testing engine containing chapter review questions and ten bonus exams, flashcards for PCs, Pocket PCs, and Palm devices, and the entire book in PDF.

CCSP Complete Study Guide

By Todd Lammle
John Wiley & Sons
ISBN: 0-7821-4422-5

Chapter One

Introduction to Network Security

THE FOLLOWING SECUR EXAM TOPICS ARE COVERED IN THIS CHAPTER:

* Introduction to network security
* Creating a security policy
* Reasons for creating a security policy
* Security issues
* Security threats

In a perfect world, network security would be as simple as installing some cool hardware or software onto your network, and voila! Your network is now Fort Knox. In the real world, you do this and then brace yourself so you don't make too much of a scene when the inevitable corporate security breach occurs. Frustrated, you say to yourself, "I really thought I took the necessary precautions -- I did everything I could!" This chapter will help you understand that there's more to network security than technology. Real network security requires understanding the inherent people and corporate policy issues as well.

News and stories about Internet identity theft, hackers jacking sensitive corporate information, and new viruses vaporizing hard drives left and right are definitely the hot topics du jour. Countless shadowy Internet users are spreading havoc from their computers, and it's really difficult -- sometimes impossible -- to track them down. So how do you protect yourself? Well, to begin addressing this problem, let's take a look at what Cisco says are the three main security issues that a corporate network faces today:

* Security is not just a technology problem. Administrators and users are the cause of many corporate security problems.
* Vast quantities of security technologies exist. Too many network administrators buy technology from a random advertisement they happen to read in a networking magazine. But simply throwing money at your security problems usually isn't the best solution. Predictably, many vendors would absolutely love it if they could succeed in making you believe otherwise!
* Many organizations lack a single, well-defined network-wide security policy. Some corporations don't even have a security policy -- no lie! Or worse, even if they do, each department has created its own security policy independently of the others. This is highly ineffective because it creates a myriad of security holes, leaving the network wide open to attacks in a number of places.

Anyone reading this book should be concerned with network security and interested in how a network can become truly secure using proper network policy. An effective network security policy involves a strategic combination of both hardware implementation and the proper corporate handling of information. This chapter will discuss the reasons for creating a corporate security policy. Understanding these reasons will provide you with a solid grasp of the Cisco SECUR exam objectives.

Let's move on to discuss the specific types of threats to which your network may be vulnerable.

Types of Network Security Threats

Sadly, human nature has a nasty side. And unfortunately, its lust for power, money, and revenge is sometimes aimed straight at your data. Although most of us aren't twisted, depraved, and ethically challenged, our fellow humans can and often do present serious threats to our network data. You must realize that you need to protect it. And you can -- but before you begin to secure your data, you must understand the different types of threats looming out there, just waiting for the opportunity to strike. Four primary threats to network security define the type of attacker you could be dealing with some day:

Unstructured threats: Unstructured threats typically originate from curious people who have downloaded information from the Internet and want to feel the sense of power this provides them. Sure, some of these folks -- commonly referred to as Script Kiddies -- can be pretty nasty, but most of them are just doing it for the rush and for bragging rights. They're untalented, inexperienced hackers, and they're motivated by the thrill of seeing what they can do.

Structured threats: Hackers who create structured threats are much more sophisticated than Script Kiddies. They're technically competent and calculating in their work, they usually understand network system design, and they're well versed in how to exploit routing and network vulnerabilities. They can and often do create hacking scripts that allow them to penetrate deep into a network's systems at will. They tend to be repeat offenders. Both structured and unstructured threats typically come from the Internet.

External threats: External threats typically come from people on the Internet or from someone who has found a hole in your network from the outside. These serious threats have become ubiquitous in the last six to seven years, during which time most companies began to show their presence on the Internet. External threats generally make their insidious way into your network via the Internet or via a dial-up server, where they try to gain access to your computer systems or network.

Internal threats: Internal threats come from users on your network, typically employees. These are probably the scariest of all threats because they're extremely tough to both catch and stop. And because these hackers are authorized to be on the network, they can do serious damage in less time because they're already in and they know their way around.

Plus, the profile of an internal threat is that of the disgruntled, angry, vengeful former or current employee, or even a contractor who wants nothing more than to cause real pain and suffering. Although most users know this type of activity is illegal, some users also know it's fairly easy to cause a lot of damage -- fast -- and that they have a shake at getting away with it. That can be a huge, irresistible temptation to those with the right modus operandi or the wrong temperament.

Types of Security Weaknesses

This is probably the most important section in this chapter, because it defines what security weaknesses are and how to understand inherent weaknesses in hardware, software, and people. Generally, there are three types of security weaknesses in any network implementation:

* Technology weaknesses
* Configuration weaknesses
* Policy weaknesses

Technology Weaknesses

Cisco defines a technology weakness as a protocol, operating system, or hardware weakness. By default, protocols, operating systems, and hardware typically aren't secure. Understanding their weaknesses can help you secure your network before you're attacked.

Technology weakness refers to the inadequacies of electronic systems, whether hardware or software. These weaknesses create a challenge for IT staff because most hardware and software used in a company were already installed when they started their job.

Let's break this category into three specific areas:

TCP/IP weaknesses: TCP/IP has intrinsic security weaknesses because it was designed as an open standard to facilitate network communication. The fact that TCP/IP is an open standard is the main reason for its vast popularity, but the open-standard nature of TCP/IP is also a reason why network attacks happen so easily and often -- many people are familiar with how TCP/IP works.

For example, the original Unix sendmail daemon allows access to the Unix root, which, in turn, allows access to the entire Unix system. By viewing the sendmail information, a hacker can lock, load, and launch attacks on vulnerabilities specific to the operating system version. (Special torture!)

Yes, TCP/IP has operating system weaknesses that need to be addressed, but what's worse is that TCP/IP has also created network equipment weaknesses such as password protection, lack of required authentication, its routing protocols (which advertise your entire network), and firewall holes.

Cisco likes to pick on two protocols in the TCP/IP stack as being inherently insecure: Simple Mail Transfer Protocol (SMTP) and Simple Network Management Protocol (SNMP). IP spoofing (masquerade attack), man-in-the-middle, and session replaying are specific examples of TCP/IP weaknesses.

Operating system weaknesses: Every operating system has weaknesses, but Microsoft Windows' weaknesses get top billing because most people use some version of Windows. To be fair, Unix and Linux have considerably fewer operating system weaknesses than Windows does, but they still have security issues that must be dealt with if you're running them on your network. It all comes down to a specific network's needs.

Network equipment weaknesses: All network equipment, such as servers, routers, switches, and so on, has inherent security weakness. But being armed with a well-defined policy for the configuration and installation of network equipment can help tremendously in reducing the effects of network equipment weaknesses.

It's recommended that the following policies be in place before any piece of network equipment is configured and installed: passwords, authentication, routing protocols, and firewalls.

Configuration Weaknesses

Here's where human error comes into the fray: It's the administrator who creates configuration weaknesses. You'd be surprised how often a network administrator either leaves equipment at a default setting or fails to secure the network administrator accounts. Some common "come hither and hack me" scenarios exposing your everyday corporate network include configuration flaws such as unsecured user accounts, system accounts with easily guessed passwords, misconfigured Internet services, unsecured default settings in products, and misconfigured network equipment.

Unsecured User Accounts

Using default administrator accounts with no passwords and God-like control over the network is definitely asking for trouble. Just don't do it! If you're running Microsoft Windows NT, make sure you rename the administrator account. Doing so ensures that any intruders will at least have a slightly harder time finding and breaking into your operating system.

Put some serious thought into which users are granted which rights and privileges, because if you don't, and you instead give away rights indiscriminately, chaos will ensue. Take the time to establish the rights each user really needs, and don't give them any more rights than are required to do their job.

Did you know that usernames and passwords are generally transmitted insecurely across the network? Ever hear of the Reconnaissance intruder -- you know, the guy or gal who likes to imagine that they're in the Internet Special Forces and their job is to find your network weakness and exploit it? (Funny how these people always think they're performing a public service when they steal your data and that you were so lucky it was only them who broke in and not some really bad person. They actually believe that they've helped you, because now you'll fix the weakness before a bad guy breaks in.) Clear passwords are the kind of cool stuff these snoopers spy for so they can use the information to gain access to your network later. As an administrator, be sure you define password policies that will help secure your network.

System Accounts with Easily Guessed Passwords

Another way to invite trouble is to assign system account passwords that are easy to guess. To avoid this blunder, the administrator needs to set up policies on your servers that won't allow certain kinds of passwords and that make sure each password has an expiration date.

Explicitly define a corporate policy for all users that makes it crystal clear that they can't use their name, their significant other's name, their child's name, their birth date, or any other excruciatingly obvious password -- even if they add something to it. It's also a great idea to have them mix lowercase and uppercase letters, numbers, and special characters into their passwords. Doing so helps defend your network against brute-force attacks that use dictionary files to guess passwords.

Misconfigured Internet Services

I know it's hard to believe, but some companies still use routable IP addresses on their network to address their hosts and servers. With the Network Address Translation (NAT) and Port Address Translation (PAT) services that are available now, there is absolutely no reason to use real IP addresses.

But you can use private IP addresses. These allow corporations -- and even single homes -- to use an IP address range that's blocked on the Internet. Doing so provides some security for corporations, whose real IP addresses on the border router allow routing from the Internet.

This isn't a magical cure, though. Ports need to be open on the router connecting the router interface to the Internet in order to allow users access to and from the Internet. This is the very hole in a firewall that attackers can and do exploit.

Don't get me wrong: By putting up a firewall -- the Cisco Secure Private Internet Exchange (PIX) Firewall is one of the best -- you can provide good security for your network by using conduits (which are basically secure connections) to open ports from the Internet to your servers. Is this bulletproof security? No, that doesn't exist; but the PIX box is good -- really good.

Another potential source of trouble and exposure is that some network administrators enable Java and JavaScript in their web browsers. Doing this makes it possible for hackers to attack you with hostile Java applets.

Unsecured Default Settings in Products

Tangling things further is the fact that many hardware products either ship with no password at all or make the password available so that the administrator can easily configure the device. On one hand, this really does make life easier -- some devices are meant to be plug-and-play. For example, Cisco switches are plug-and-play because Cisco wants you to be able to replace your hubs and instantly make your network better. (And it works, too.) But you definitely need to put a password on that switch, or an attacker could easily break in.

Cisco gave this issue some thought and is a step ahead in solving the problem. Cisco routers and switches won't allow Telnet sessions into them without some type of login configuration on the device. But this cool feature does nothing to guard against other types of break-in attempts, such as what the "Internet Special Forces" are trying to "protect" you from.

This is one reason why it's a good idea to establish a configuration security policy on each device before any new equipment is installed on your network.

Misconfigured Network Equipment

Misconfigured network equipment is another exploitable flaw. Weak passwords, no security policy, and unsecured user accounts can all be part of misconfigured network equipment policies.

Hardware and the protocols that run on it can also create security holes in your network. If you don't have a policy that describes the hardware and the protocols that run on each piece of equipment, hackers could be breaking in without your being aware that you've been attacked until it's too late.

Here's a huge problem: If you use SNMP default settings, tons of information about your network can be deciphered simply and quickly. So, make sure you either disable SNMP or change the default SNMP community strings. These strings are basically passwords for gathering SNMP data.

Policy Weaknesses

You know by now that your corporate network security policy describes how and where security will be implemented within your network. And you understand that your policy should include information about how those configuration policies will be or have been initiated -- right?

Let's take a moment to clarify solid security policy by identifying the characteristics that contaminate bad policies.

(Continues...)

Excerpted from CCSP Complete Study Guide by Todd Lammle Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
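
The excerpt's advice to disable SNMP or change the default community strings can be checked mechanically against a saved device configuration. The following Python audit is an added example, not code from the book or from Cisco: the sample configuration, rule names and helper functions are constructed for illustration, "public" and "private" are assumed as the conventional default strings, and the read-write and missing-ACL checks go beyond what the excerpt states.

```python
import re

# Constructed sample configuration for illustration (not from the book).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server community n0c-R3ad-7q RO 10
no snmp-server community oldstring
access-list 10 permit 192.0.2.10
"""

# Community strings conventionally shipped as defaults (assumption, see lead-in).
DEFAULT_COMMUNITIES = {"public", "private"}

# IOS-style syntax: snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)(.*)$", re.IGNORECASE)


def parse_community(line):
    """Return (community, access, acl) for a community line, else None."""
    m = COMMUNITY_RE.match(line)
    if not m:
        return None  # also skips "no snmp-server community ..." removals
    community, tokens = m.group(1), m.group(2).split()
    access, acl, i = "ro", None, 0  # access treated as read-only when omitted
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok == "view":          # "view <name>" takes one argument; skip both
            i += 2
            continue
        if tok in ("ro", "rw"):
            access = tok
        else:                      # any remaining token is the restricting ACL
            acl = tokens[i]
        i += 1
    return community, access, acl


def audit_snmp(config_text):
    """Return (line_no, rule) findings; the community string is never echoed."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        parsed = parse_community(line)
        if parsed is None:
            continue
        community, access, acl = parsed
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((line_no, "default-community"))
        if access == "rw":
            findings.append((line_no, "read-write"))
        if acl is None:
            findings.append((line_no, "no-acl"))
    return findings


if __name__ == "__main__":
    for line_no, rule in audit_snmp(SAMPLE_CONFIG):
        print(f"line {line_no}: {rule}")
```

A configuration with no `snmp-server community` lines produces no findings, which matches the excerpt's first option of disabling SNMP.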

Pt. I: Securing Cisco IOS networks (SECUR)
Ch. 1: Introduction to network security
Ch. 2: Introduction to AAA security
Ch. 3: Configuring Cisco secure ACS and TACACS+
Ch. 4: Cisco perimeter router problems and solutions
Ch. 5: Context-based access control configuration
Ch. 6: Cisco IOS firewall authentication and intrusion detection
Ch. 7: Understanding Cisco IOS IPSec support
Ch. 8: Cisco IOS IPSec pre-shared keys and certificate authority support
Ch. 9: Cisco IOS remote access using Cisco easy VPN

Pt. II: Cisco secure PIX firewall advanced
Ch. 10: PIX firewall basics
Ch. 11: PIX firewall configuration
Ch. 12: ACLs, filtering, object grouping, and AAA
Ch. 13: Advanced protocol handling, attack guards, and intrusion detection
Ch. 14: Firewall failover and PDM
Ch. 15: VPNs and the PIX firewall

Pt. III: Cisco secure virtual private networks
Ch. 16: Introduction to virtual private networks
Ch. 17: Introduction to Cisco VPN devices
Ch. 18: Configuring the VPN concentrator
Ch. 19: Managing the VPN concentrator

Pt. IV: Cisco secure intrusion detection systems
Ch. 20: Introduction to intrusion detection and protection
Ch. 21: Installing Cisco secure IDS sensors and IDSMs
Ch. 22: Configuring the network to support Cisco secure IDS sensors
Ch. 23: Configuring Cisco secure IDS sensors using the IDS device manager
Ch. 24: Configuring signatures and using the IDS event viewer
Ch. 25: Enterprise Cisco secure IDS management
Ch. 26: Enterprise Cisco secure IDS monitoring

Pt. V: Cisco SAFE implementation
Ch. 27: Security fundamentals
Ch. 28: The Cisco security portfolio
Ch. 29: SAFE small and medium network designs
Ch. 30: SAFE remote access network design

From Barnes & Noble

The Barnes & Noble Review

It’s no longer enough to “know Cisco” -- you need a deep understanding of securing Cisco networks. The best way to demonstrate that knowledge is to earn your CCSP. Now one information-packed book preps you for all five CCSP exams: Sybex’s CCSP Complete Study Guide.

These 1,200-plus pages offer comprehensive and up-to-date security reviews covering IOS, VPNs, PIX Firewalls, intrusion detection, and Cisco’s latest SAFE security blueprint. You’ll find concise and readable coverage of everything from basic “AAA” security concepts to fighting rerouting attacks, configuring firewall signatures to implementing SAFE remote access network designs. And, of course, there’s a cornucopia of study help, including pre-assessment tests, six bonus exams on CD-ROM, and 500 multiplatform electronic flashcard questions.

Bill Camarda, from the June 2005 Read Only