CCSP: Securing Cisco IOS Networks Study Guide (642-501)

Paperback
from $0.00

Author: Todd Lammle

ISBN-10: 0782142311

ISBN-13: 9780782142310

Category: Cisco Certification

Here's the book you need to prepare for Exam 642-501, Securing Cisco IOS Networks (SECUR). This Study Guide provides:

* In-depth coverage of every SECUR exam objective
* Practical information on Cisco security solutions
* Hundreds of challenging practice questions, in the book and on the CD
* Leading-edge exam preparation software, including a testing engine and electronic flashcards

Authoritative coverage of all exam objectives, including:

* Basic Cisco Router Security
* Advanced AAA...


Cisco is moving aggressively into the network security arena by unveiling a lineup of a dozen new security products and services, and a new professional-level certification for them, Cisco Certified Security Professional (CCSP). The Securing Cisco IOS Networks (SECUR) exam (#642-501) is the first, and most critical, in a series of five exams required to achieve CCSP status. Sybex, the leader in Cisco certification study guides and winner of the CertCities.com 2002 Readers' Choice Award for Best Study Guides, is offering this essential study guide to the SECUR exam (#642-501). Written for everyone pursuing a career as a Cisco security professional, this guide is packed with real-world scenarios and exam essentials that take you beyond the basics and reinforce key subject areas. The accompanying CD includes hundreds of challenging review questions, electronic flashcards, and a searchable electronic version of the entire book.

CCSP: Securing Cisco IOS Networks Study Guide
By Todd Lammle
John Wiley & Sons
ISBN: 0-7821-4231-1

Chapter One
Introduction to Network Security

THE FOLLOWING SECUR EXAM TOPICS ARE COVERED IN THIS CHAPTER:

* Introduction to network security
* Creating a security policy
* Reasons for creating a security policy
* Security issues
* Security threats

In a perfect world, network security would be as simple as merely installing some cool hardware or software onto your network and voila! Your network is now Fort Knox. In the real world, you do this and then brace yourself so you don't make too much of a scene when the inevitable corporate security breach occurs. Frustrated, you say to yourself, "I really thought I had taken the necessary precautions; I've done everything I could have!" This chapter will help you understand that there's more to network security than technology. Real network security requires understanding the inherent people and corporate policy issues as well.

News and stories about Internet identity theft, hackers jacking sensitive corporate information, or some new virus vaporizing hard drives left and right are definitely the hot topics du jour. Countless shadowy Internet users are spreading havoc from their computers, and it's really difficult, sometimes impossible, to track them down. So how do you protect yourself? Well, to begin addressing this problem, let's take a look at what Cisco says are the three main security issues that face a corporate network today:

* Security is not just a technology problem. Administrators and users are the cause of many of the security problems that corporations face today.
* Vast quantities of security technologies exist. Too many network administrators buy technology from a random advertisement they happen to read in a networking magazine. But simply throwing money at your security problems isn't usually the best solution. Predictably, many vendors would absolutely love it if they could succeed in making you believe otherwise!
* Many organizations lack a single, well-defined network-wide security policy. Some corporations don't even have a security policy, no lie! Or worse, even if they do, each department has created its own security policy independently of the others. This is highly ineffective because it creates a myriad of security holes, leaving the network wide open to attacks in a number of places.

Anyone reading this book should be concerned with network security and interested in how a network can become truly secure using proper network policy. An effective network security policy involves a strategic combination of both hardware implementation and the proper corporate handling of information. This chapter will discuss the reasons for creating a corporate security policy. Understanding them will provide you with a solid grasp of the Cisco SECUR exam objectives.

Let's move on to discuss the specific types of threats your network may be vulnerable to.

Types of Network Security Threats

Sadly, human nature does have a nasty side. And unfortunately, its lust for power, money, and revenge is sometimes aimed straight at your data. Though most of us aren't twisted, depraved, and ethically challenged, it's our fellow humans who can and often do present serious threats to our network data. You simply must realize that you need to protect it. And you can, but before you actually begin to secure your data, you must understand the different types of threats looming out there, just waiting for the opportunity to strike. There are four primary threats to network security that define the type of attacker you could be dealing with some day:

Unstructured threats
Unstructured threats typically originate from curious people who have downloaded information from the Internet and want to feel the sense of power this provides them. Sure, some of these folks, commonly referred to as Script Kiddies, can be pretty nasty, but most of them are just doing it for the rush and for bragging rights. They're untalented, inexperienced hackers, and they're really just motivated by the thrill of seeing what they can do.

Structured threats
Hackers who create structured threats are much more sophisticated than Script Kiddies. They are technically competent and calculating in their work, they usually understand network system design, and they are well versed in how to exploit routing and network vulnerabilities. They can and often do create hacking scripts that allow them to penetrate deep into a network's systems at will. They tend to be repeat offenders. Both structured and unstructured threats typically come from the Internet.

External threats
External threats typically come from people on the Internet or from someone who has found a hole in your network from the outside. These serious threats have become ubiquitous in the last six to seven years, during which time most companies began to show their presence on the Internet. External threats generally make their insidious way into your network via the Internet or via a dial-up server, where they try to gain access to your computer systems or network.

Internal threats
Internal threats come from users on your network, typically employees. These are probably the scariest of all threats because they're extremely tough to both catch and stop. And because these hackers are authorized to be on the network, they can do some serious damage in less time because they're already in and they know their way around. Plus, the profile of an internal threat is that of the disgruntled, angry, and vengeful former or current employee, or even a contractor who wants nothing more than to cause some real pain and suffering! Although most users know this type of activity is illegal, some users also know it's fairly easy to cause a lot of damage fast, and that they have a shot at getting away with it. That can be a huge, irresistible temptation to those with the right modus operandi or the wrong temperament!

Types of Security Weaknesses

This is probably the most important section in this chapter because it defines what security weaknesses are and how to understand inherent weaknesses in hardware, software, and people. Generally, there are three types of security weaknesses in any network implementation:

* Technology weaknesses
* Configuration weaknesses
* Policy weaknesses

Technology Weaknesses

Cisco defines technology weaknesses as a protocol, operating system, or hardware weakness. By default, protocols, operating systems, and hardware are typically not secure. Understanding their weaknesses can help you secure your network before you are attacked.

Technology weakness refers to the inadequacies of electronic systems, whether hardware or software. Technology weaknesses create a challenge for IT people because most hardware and software used in a company were already installed when they started their job.

Let's break down this category into three specific areas.

TCP/IP Weaknesses

TCP/IP has intrinsic security weaknesses because it was designed as an open standard to facilitate network communication. The fact that TCP/IP is an open standard is the main reason for its vast popularity, but the open standard nature of TCP/IP is also a reason why network attacks happen so easily and often: many people are familiar with how TCP/IP works.

For example, the original Unix sendmail daemon allows access to the Unix root, which, in turn, allows access to the entire Unix system! By simply viewing the sendmail information, a hacker can lock, load, and launch attacks on vulnerabilities specific to the operating system version. Special torture!

Yes, TCP/IP has operating system weaknesses that truly need to be addressed, but what's worse is that TCP/IP has also created network equipment weaknesses such as password protection, lack of required authentication, its routing protocols (which advertise your entire network), and firewall holes.

The two protocols that Cisco likes to pick on in the TCP/IP stack as inherently insecure are Simple Mail Transfer Protocol (SMTP) and Simple Network Management Protocol (SNMP). IP spoofing (masquerade attack), man-in-the-middle, and session replaying are specific examples of TCP/IP weaknesses.

Operating System Weaknesses

While every operating system has weaknesses, Microsoft Windows' weaknesses get top billing because most people use some version of Windows. To be fair, Unix and Linux have considerably fewer operating system weaknesses than Windows does, but they still have security issues that must be dealt with if you're running them on your network. It all comes down to a specific network's needs.

Network Equipment Weaknesses

All network equipment, such as servers, routers, switches, and so on, has some inherent security weakness. But being armed with a well-defined policy for the configuration and installation of network equipment can help tremendously in reducing the effects of network equipment weaknesses.

It is recommended that the following policies be in place before any piece of network equipment is configured and installed: passwords, authentication, routing protocols, and firewalls.

Configuration Weaknesses

Here's where human error comes into the fray: it's the administrator who creates configuration weaknesses. You'd be surprised how often a network administrator either leaves equipment at a default setting or fails to secure the network administrator accounts. Some common "come hither and hack me" scenarios exposing your everyday corporate network include configuration flaws such as unsecured user accounts, system accounts with easily guessed passwords, misconfigured Internet services, unsecured default settings in products, and misconfigured network equipment.

Unsecured User Accounts

Using default administrator accounts with no passwords and "God-like" control over the network is definitely asking for trouble. Just don't do that! If you're running Microsoft Windows NT, make sure you rename the administrator account. Doing this ensures that any intruders will at least have a slightly harder time finding and breaking into your operating system.

Put some serious thought into which users are granted which rights and privileges, because if you don't and you instead give rights away indiscriminately, chaos will ensue. Take the time to establish the rights each user really needs, and don't give them any more rights than what they really need to do their job!

Did you know that usernames and passwords are generally transmitted insecurely across the network? Ever hear of the Reconnaissance intruder? You know, the guy or gal who likes to think they are in the "Internet Special Forces" and their job is to find your network weakness and exploit it? Funny how these people always think they are performing a public service when they steal your data and that you were just so lucky that it was only them who broke in and not some really bad person. They actually believe that they have helped you because now you will fix "the weakness" before a "bad guy" really breaks in. Right. Anyway, these clear passwords are the kind of cool stuff that these snoopers spy for so they can use the information to gain access to your network later. As an administrator, make sure to define password policies that will help you secure your network.

System Accounts with Easily Guessed Passwords

Another way to invite trouble is to assign system account passwords that are easy to guess. To avoid this blunder, the administrator needs to set up policies on your servers that won't allow certain kinds of passwords and that make sure each password has an expiration date.

Explicitly define a corporate policy for all users that makes it crystal clear that they can't use their name, their significant other's name, their child's name, their birth date, or any other excruciatingly obvious passwords, even if they add something to it! It's also a really great idea to have them mix lowercase and uppercase letters, numbers, and special characters into their passwords. This helps defend your network against brute-force attacks that use dictionary files to guess passwords.

Misconfigured Internet Services

I know it's hard to believe, but some companies really do still use actual routable IP addresses on their network to address their hosts and servers. With the Network Address Translation (NAT) and Port Address Translation (PAT) services that are available now, there is absolutely no reason to use real IP addresses.

But you can use private IP addresses. These allow corporations, and even single homes, to use an IP address range that's blocked on the Internet. This provides some security for corporations, whose real IP addresses on the border router allow routing from the Internet.

This isn't a magical cure though. Ports need to be open on the router connecting the router interface to the Internet in order to allow users access to and from the Internet. This is the very hole in a firewall that attackers can and do exploit.

Don't get me wrong. By putting up a firewall (the Cisco Secure Private Internet eXchange (PIX) Firewall is one of the best) you can provide good security for your network by using conduits, which are basically secure connections, to open ports from the Internet to your servers. Is this bulletproof security? No, that doesn't exist, but the PIX box is good, really good!

Another potential source of trouble and exposure is that some network administrators enable Java and JavaScript in their web browsers. Doing this makes it possible for hackers to attack you with hostile Java applets.

Unsecured Default Settings in Products

Tangling things further is the fact that many hardware products ship with either no password at all or they make the password available so that the administrator can easily configure the device. On one hand, this really does make life easier; some devices are meant to be plug-and-play. For example, Cisco switches are plug-and-play because Cisco wants you to be able to just replace your hubs and instantly make your network better. And it really works, too! But you definitely need to put a password on that switch or an attacker could easily break in.

Cisco actually gave this some thought and is a step ahead in solving this problem. Cisco routers and switches won't allow Telnet sessions into them without some type of login configuration on the device. But this cool feature does nothing to guard against other types of break-in attempts, such as what the "Internet Special Forces" are trying to "protect" you from.

This is one reason why it's such a good idea to establish a configuration security policy on each device before any new equipment is installed on your network.

Misconfigured Network Equipment

Misconfigured network equipment is another exploitable flaw: weak passwords, no security policy, and unsecured user accounts can all be part of misconfigured network equipment policies.

Hardware and the protocols that run on it can also create security holes in your network. If you don't have a policy that describes the hardware and the protocols that run on each piece of equipment, hackers could be breaking in without your ever being aware that you've been attacked until it's too late.

Here's a huge problem: If you use SNMP default settings, tons of information about your network can be deciphered simply and quickly. So make sure you either disable SNMP or change the default SNMP community strings. These strings are basically passwords for gathering SNMP data.

Policy Weaknesses

You know by now that your corporate network security policy describes how and where security will be implemented within your network. And you understand that your policy should include information on how those configuration policies will be or have been initiated, right?

Let's take a moment to really clarify solid security policy by identifying the characteristics that contaminate bad policies.

Absence of a Written Security Policy

If a network administrator, or anyone else around, doesn't understand what's expected of them from the start, they'll just make things up as they go along. This is a very bad idea, and it's a good way to create the kind of chaos that will leave your network wide open to bad guys. Start your written security policy by first describing users, passwords, and Internet access. Then describe your network's hardware configuration, including all devices (PCs, servers, routers, and switches) and the security that's required to protect them.

(Continues...)

Excerpted from CCSP: Securing Cisco IOS Networks Study Guide by Todd Lammle. Excerpted by permission. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher. Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
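The chapter's "Configuration Weaknesses" material names concrete things an auditor can check for in a device configuration: default SNMP community strings, lines that accept sessions without a login, credentials stored in cleartext, and passwords built from a user's name or birth date "even if they add something to it". The script below is an added example, not code from the book or from Cisco: it walks a constructed Cisco IOS running-config and reports each of those weaknesses, applying the chapter's password rules (mixed case, digits, special characters, no personal words as substrings) to every cleartext password it finds. The config text, the user names and the PERSONAL_WORDS table are all made up for the example; the regular expressions assume the common IOS forms `enable password [type] PW`, `username NAME ... password [type] PW`, `snmp-server community STRING ...` and `line vty A B` blocks with indented sub-commands.

```python
"""Audit a Cisco IOS configuration for the configuration weaknesses the
chapter describes: default SNMP community strings, VTY lines that accept
sessions without login, passwords stored reversibly, and passwords that
break the chapter's password rules.  Added example; the config is constructed."""
import re
from dataclasses import dataclass

# Constructed sample running-config of a router left close to its defaults.
SAMPLE_CONFIG = """\
hostname border-rtr
enable password cisco
username admin privilege 15 password 0 Admin2003!
username jsmith password 0 smith1975
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password 0 cisco
 login
line vty 5 15
 no login
 transport input telnet
"""

# Community strings that ship as defaults on many devices; the chapter says
# to change them or disable SNMP altogether.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed HR-style data: words a user must not build a password from
# (the chapter forbids names, family names and birth dates, even with a suffix).
PERSONAL_WORDS = {"jsmith": ["Smith", "1975"]}

USERNAME_RE = re.compile(r"^username (\S+).* password (?:(\d) )?(\S+)$")
ENABLE_RE = re.compile(r"^enable password (?:(\d) )?(\S+)$")
LINE_PW_RE = re.compile(r"^ password (?:(\d) )?(\S+)$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)")


@dataclass
class Finding:
    line_no: int   # 1-based line in the config text
    subject: str   # what the finding is about: "enable", "user X", "snmp", "line vty 0 4"
    message: str


def password_policy_violations(password, forbidden_words=()):
    """Reasons a cleartext password fails the chapter's rules: mix of lower,
    upper, digit and special characters, and no forbidden word as a substring."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        reasons.append("missing " + ", ".join(missing))
    for word in forbidden_words:
        # substring match catches "smith1975", not just "smith"
        if len(word) >= 3 and word.lower() in password.lower():
            reasons.append(f"contains forbidden word {word!r}")
    return reasons


def _credential_findings(line_no, subject, pw_type, password, forbidden):
    """Findings for one stored credential: reversible storage first, then policy."""
    out = []
    if pw_type in (None, "0"):
        out.append(Finding(line_no, subject, "password stored in cleartext (type 0)"))
    elif pw_type == "7":
        out.append(Finding(line_no, subject, "type 7 password is trivially reversible"))
        return out  # the cleartext value is not in the config, so policy cannot be judged
    violations = password_policy_violations(password, forbidden)
    if violations:
        out.append(Finding(line_no, subject, "weak password: " + "; ".join(violations)))
    return out


def audit_config(config_text, personal_words=None):
    """Walk the config once and return every finding, in config order."""
    personal_words = personal_words or {}
    findings = []
    lines = config_text.splitlines()
    # An enable secret takes precedence over enable password, so only flag
    # the reversible enable password when no secret exists.
    has_enable_secret = any(l.startswith("enable secret") for l in lines)
    block = None  # name of the current 'line ...' block, e.g. "vty 5 15"
    for no, line in enumerate(lines, start=1):
        if not line.startswith(" "):
            block = line[5:] if line.startswith("line ") else None
        if (m := ENABLE_RE.match(line)) and not has_enable_secret:
            findings += _credential_findings(no, "enable", m.group(1), m.group(2), ())
        elif (m := USERNAME_RE.match(line)):
            user = m.group(1)
            forbidden = [user] + personal_words.get(user, [])
            findings += _credential_findings(no, f"user {user}", m.group(2), m.group(3), forbidden)
        elif (m := SNMP_RE.match(line)):
            if m.group(1).lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding(no, "snmp", f"default community string {m.group(1)!r} still enabled"))
        elif block is not None:
            if line.strip() == "no login":
                findings.append(Finding(no, f"line {block}", "accepts sessions without any login"))
            elif (m := LINE_PW_RE.match(line)):
                findings += _credential_findings(no, f"line {block}", m.group(1), m.group(2), ())
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG, PERSONAL_WORDS):
        print(f"line {f.line_no:>2} [{f.subject}] {f.message}")
```

Run against the constructed config this reports eleven findings: both default community strings, the `no login` VTY range, and a cleartext-storage finding plus a policy finding for each of the four stored passwords (the enable password, the two user accounts, and the VTY line password). Note that `admin`'s password passes the character-mix rule and still fails, because it contains the account name, which is exactly the "even if they add something to it" case the chapter warns about. Type 7 passwords are flagged as reversible but not policy-checked, since their cleartext is not in the file; the script needs Python 3.8 or later for the walrus operator.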

Introduction
Assessment Test
Chapter 1: Introduction to Network Security
Chapter 2: Introduction to AAA Security
Chapter 3: Configuring CiscoSecure ACS and TACACS+
Chapter 4: Cisco Perimeter Router Problems and Solutions
Chapter 5: Context-Based Access Control Configuration
Chapter 6: Cisco IOS Firewall Authentication and Intrusion Detection
Chapter 7: Understanding Cisco IOS IPSec Support
Chapter 8: Cisco IOS IPSec Pre-Shared Keys and Certificate Authority Support
Chapter 9: Cisco IOS Remote Access Using Cisco Easy VPN
Appendix A: Introduction to the PIX Firewall
Glossary
Index