
Cisco Security Setup & Configuration: Part 1, a Layered Approach

Expert Reference Series of White Papers
1-800-COURSES www.globalknowledge.com


Introduction

This paper is the first in a three-part series of white papers, each of which focuses on a functional area of securing your network. The three papers work together to create a complete picture of how to configure your network appliances for complete corporate security. It will discuss a starting point for network security, suggested technology types, ideal points for securing your network using a layered approach, and secure ways to manage your new or existing network.

This first paper in the series introduces concepts to get started on network security and begins the process of securing your network at the switch level.

Security Policy: Start at the Beginning

Security is one of the fastest growing branches within the networking industry, and current trends point to a steady increase in growth over the years to come. This is largely due to the integration of so many critical data types over a single network and the increased realization by companies of just how vulnerable their networks can be. With security becoming such a focal point of networks, it is increasingly important to understand how to integrate security into a network.

As with any new project, you must start with some direction. I'm sure you have heard the adage, "If you fail to plan, then you plan to fail." This is never more true than when planning network security. Create your security policy to serve as a starting point and future road map for securing your corporation.

A security policy, originally defined in Request for Comments (RFC) 2196 and now updated in RFC 3704, contains the whys, whats, and hows of securing your corporate environment.

Isaac A. Valdez, Global Knowledge Instructor, CCSI, CCSP, CCNP, CCDP


    Copyright 2006 Global Knowledge Training LLC. All rights reserved. Page 2


Keep in mind that your security policy is a document that defines how you will secure your corporation, corporate resources, and corporate users. As your business grows, or corporate direction changes, this document will also grow and change.

Security Lifecycle: an Understanding and Review

Take a controlled, metered approach when installing any desktop/network operating system, application, or appliance. By taking a metered approach, you ensure consistent installation and hardening of each system. The following recommendations for a secure installation come directly from Cisco Systems.

Step #1: Secure Install

Install each new operating system, application, and appliance in as secure a manner as possible. This may require you to review the documentation as completely as possible, which I know we all have time to do. Also, consider staying away from default installations or installation wizards, as they often create the most simple of configurations, which are not always the most secure.

Step #2: Monitor

Once the new system has been installed, take the time to review the installation logs, operational logs, and behavior to make sure the system is operating as securely as possible.


Why have a security policy?
- To create a baseline of your current security configuration.
- To define allowed and not-allowed behaviors.
- To help determine necessary tools and procedures.
- To help define roles and responsibilities.
- To state the consequences of misuse.
- To define how to handle security incidents (social & technical).
- To provide a process for continuing review.

What should be in a security policy?
- Statement of authority and scope.
- Identification and authentication policy.
- Internet use policy.
- Campus access policy.
- Remote access policy.
- Incident handling procedure.

How would I create a security policy?
- Use the very documents that govern your day-to-day business operation. For example, your physical site security regulations or corporate acceptable use policy.
- Use standards such as SOX, HIPAA, VISA, International Standards Organization (ISO) 27001, etc.
- Reference web sites for assistance: www.computersecuritynow.com, www.sans.org/resources/policies/#primer, security.berkeley.edu/pols.html


Step #3: Test

Perform regularly scheduled tests of your new system. Such tests should be performed by both internal and external parties. You may choose to perform quarterly or bi-annual internal tests and annual audits by an external entity. Of course, no system is perfect, so expect to have areas for improvement discovered as a result of these tests. These areas of improvement lead us to the final step in the security lifecycle.

Step #4: Improve

From the items found in the testing process of step #3, make improvements in as secure a manner as possible. Again, look to the product documentation and try to avoid any cookie-cutter fixes.

Remember that this process is called a lifecycle. Once you improve upon a system, you should do so in a secure manner by performing a secure installation (step #1); then monitor all changes made and new behaviors that result from your changes (step #2); perform either internal or external tests (step #3) of these improvements to be sure that they still meet the requirements of your security policy; and, finally, improve (step #4) any areas as needed.

This lifecycle, as well as security as a whole, is a continuous process that will evolve and grow with your network. As your network changes, so will your security policy and the means by which you install, monitor, test, and improve each new system.

Device Roles & Definitions

Let's start with a simple review of six key network security components. We will define each device and make suggestions on its placement and use.

Router: A junction between two networks to transfer data packets between them.
Sample uses: Perimeter security via Access Control Lists (ACLs), Committed Access Rate (CAR), routing protocol security, and protocol tunneling.

Switch: A layer 2, sometimes multilayer, networking device that provides physical connectivity to end stations and redirects a frame between physical ports on that same switch.
Sample uses: Physical port security to control a device's initial access to the network.

Firewall: A piece of hardware and/or software that exists to prevent specific communications forbidden by the security policy.
Sample uses: Stateful inspection, Virtual Private Network (VPN) tunnel termination, advanced protocol handling, deep packet inspection, and Network Address Translation (NATting).


Example platforms: Router: Cisco 1841, 3845, 7206. Switch: Cisco Catalyst 3750, 4506, 6513. Firewall: Cisco PIX 525, ASA 5540.


VPN Concentrator: A security device used to connect (terminate) VPN sessions from Remote Access, Web Clients, and Site-to-Site locations.
Sample uses: High-volume termination of Remote Access and Clientless VPN sessions. Offering extensive control over the VPN sessions of the connecting device.

Intrusion Detection or Prevention System (IDS/IPS) Sensor: A device that generally detects unwanted manipulations to communication systems (individual and streams of packets) and is required to detect all types of malicious network traffic.
Sample uses: As a device that inspects traffic/communications on all critical entry and exit points to a corporate network.

Host-based Intrusion Prevention System (HIPS): An agent (Cisco Security Agent, CSA) installed on host stations that provides security against malicious activity between applications on the host and communications from the host. Used to enforce a company's security policy at the end-station level.
Sample uses: Install on critical end-stations and servers to protect them from access to local or network resources that do not follow the security policy.

Device Use and Placement

Now that we've completed a cursory review and defined the more common security devices, we will explore sample topology types and device placement.

2-Leg Security, Single-Perimeter Device

Figure 1 shows a single-perimeter device controlling access to a corporate network. This security device may be a router with firewall capabilities or a true firewall. Such a topology is ideal for remote offices or small branch sites. It offers a low-cost approach to security, but it also significantly limits an administrator's security options.


Example platforms: VPN Concentrator: Cisco 3015, 3030, 3060. IDS/IPS Sensor: NM-CIDS, 4240, 4250XL. HIPS: Cisco Security Agent.


Note: Keep in mind that all security services are offered by this single perimeter device. Even though this is a very affordable approach, it is also very limiting. It is like using a screwdriver for all home repairs: it may work most of the time, but you'll just tear things up on those finer jobs.

Perimeter Router with Internal Firewall

Figure 2 shows a dual-layered approach to securing your external connection. This approach is ideal for medium-to-large enterprise networks because you can leverage the services of each device to provide a more complete security configuration.

The router, for example, could be used for ACL filtering, protocol tunneling, high-level routing, and peer routing authentication. The firewall can be used for deep packet inspection, NATting, and stateful inspection.

For added security, you can add a third interface off of your firewall device to serve as a Demilitarized Zone (DMZ) for external access to secure services. An example is clients who need to access your corporate web site for order processing.

Note: This offers a significant increase in security options and flexibility at a negligible increase in price.



Firewall Sandwich

Figure 3 illustrates a very flexible topology that has two routers protecting either side of a firewall device. This approach is ideal for large-to-enterprise-size corporate networks. The interaction between the perimeter router and internal router offers protection from both externally and internally originating attacks. The outer routers off-load functions from the firewall device, which allows each device to process and secure even more traffic.

Again, you can leverage the abilities of each device to offer a complete security configuration.

Note: This topology brings additional costs in hardware and complexity to the administrator, but the security benefits and options are among the highest available from any configuration.

Dual-Layered

Figure 4 shows a configuration where there are two layers of firewall devices protected by a perimeter router. This approach offers the highest level of security as well as a high degree of configuration difficulty. Such a topology would be ideal for environments where different departments (IT and Special Projects) control security for different portions of the network. However, you must have a high degree of communication between these departments for traffic that is to pass through both levels of security devices. For added security, you could even incorporate different vendors at each layer.



Note: This approach does bring the highest level of cost and complexity, but it offers, in return, the greatest level of secure flexibility.

VPN Concentrator

Figure 5 illustrates a topology where a VPN Concentrator has been integrated to offer high-level Remote Access tunnel termination. The figure shows a VPN Concentrator that is NOT in parallel but, instead, terminates into a firewall device.

Caution: So as not to contradict anyone or any other publication that may have come before this one, I will simply say that I do not place a VPN Concentrator in parallel with any other device offering security services. Technically put, a VPN Concentrator does not offer stateful inspection, deep packet inspection, or network-based IDS/IPS functionality. As a result, the VPN Concentrator should not be placed in parallel and used to bypass any of those services.

This topology has the following benefits: it offers filterable control of the Internet Protocol Security (IPSec) protected traffic at the perimeter router, stateful firewalling of the post-IPSec-protected traffic as the client data passes through the firewall, and conservation of firewall interfaces by using only a single firewall interface to offer security services. If you wanted to increase the level of security offered, you could connect both VPN Concentrator interfaces (public and private) to separate interfaces on the firewall. Again, this approach offers increased security but will require additional firewall interfaces which, depending on the number of interfaces and operating system currently in use, may require additional funds in the form of a licensing upgrade.

Note: Again, it is NOT recommended to place a VPN Concentrator in parallel with your network's firewall device (router or firewall). Although a concentrator can perform some security services, it does not offer stateful inspection, deep packet inspection, or IDS/IPS functionality.

IDS/IPS Sensors

Incorporating an external sensor, as shown in Figure 6, is ideal for medium-to-large corporate environments. Sensor placement is one of the first and most important questions to answer during network design. It is recommended that you sense all entry/exit points to your network, as well as subnets containing critical corporate resources, such as server farms. The number of sensors used is determined by the number of points sensed, and whether you choose IDS or Intrusion Prevention (IPS).

For IDS/IPS functionality at a small to medium-size remote office, consider using the integrated IDS/IPS services of your router and firewall operating system or a network module that can be installed in your routers (NM-CIDS in the 2611XM and above) and firewall (AIP-SSM in the ASA 5500 series). The installed modules perform and are configured just as a true external sensor.

The topology will change considerably, based on the use of IDS versus IPS.

Note: The term "firewall device" was used instead of "firewall" simply to illustrate how a router with the proper software can be used as a firewall just the same as a dedicated firewall.

Device Hardening: Taking a Layered Approach

When it comes to securing your network, taking a layered approach offers the most comprehensive level of security. This approach uses the Open Systems Interconnection (OSI) Reference Model as guidance and simply incorporates security at as many layers of the network as possible. Just as the Physical and Data Link layers start the OSI Model, so should you protect your network using Physical and Data Link technologies. For that, there is no better device to offer initial protection to your network than a LAN switch.

Switch

A LAN switch is typically a user's first point of connectivity to your corporate network. As a result, it should be the first point of security for your network. Incorporate the following methods of network security, as they are available on your model of switch:



Disable unused ports

These would be all ports that are not run to a location within your organization, or are leading to offices and cubicles that are not currently used. Here is sample syntax for disabling a range of access ports:

    AccSw01#conf t
    AccSw01(config)#int range fast0/13 - 20
    AccSw01(config-if-range)#shutdown

Set the port type

This would be either setting a port to be an access or trunk port. By default, switch ports dynamically negotiate with their connected peer to become either an access or trunk port. This could lead to access layer attacks by a rogue switch negotiating a trunk connection with your corporate network, after which all traffic travels down the newly established trunk to the rogue switch:

    AccSw01(config-if-range)#int range fast0/1 - 20
    AccSw01(config-if-range)#switchport mode access

Use physical device authentication

This can ensure only controlled stations will communicate on your corporate network, and can be performed using IEEE 802.1X. This standard, which was originally defined for the LAN, can also be used on wireless access points to authenticate wireless clients before they connect to an access point. Here is a sample of how to configure the switch to be an 802.1X authenticator using RADIUS as the authentication protocol:

    AccSw01(config)#aaa new-model
    AccSw01(config)#radius-server host 10.1.1.1
    AccSw01(config)#radius-server key RADk3y01
    AccSw01(config)#aaa authentication dot1x default group radius
    ! Added here: Catalyst IOS also needs 802.1X enabled globally, or the
    ! per-port setting below has no effect
    AccSw01(config)#dot1x system-auth-control
    AccSw01(config)#int range f0/1 - 20
    AccSw01(config-if-range)#dot1x port-control auto

Enable port security

This is a great way to define how many and exactly which devices can connect to your switch ports. This is ideal to prevent the connection of unauthorized hubs, switches, and access points throughout your network. Here, we enable port security and define the number of MAC addresses permitted on each port:

    AccSw01(config)#int range fast0/1 - 20
    ! Added here: the feature is enabled by this command alone; the maximum and
    ! violation settings below take effect only once it is on (the ports must
    ! already be access ports, as configured above)
    AccSw01(config-if-range)#switchport port-security
    AccSw01(config-if-range)#switchport port-security maximum 1
    AccSw01(config-if-range)#switchport port-security violation restrict

Secure Spanning Tree Protocol (STP)

This is an often overlooked point of control in a LAN environment. Keep in mind two key points about STP: STP operates automatically, converges on its own, and will re-converge each time a new switch is connected; and the direction of all traffic that flows throughout your layer 2 network is determined by STP. This means that a compromised STP configuration can be used to create a Denial of Service (DoS) by way of constant convergence, and can cause slow performance by directing traffic through less-than-optimal points in your network.



In plain English, an attacker can reconfigure your STP network so that a wiring closet switch acts as the root bridge. Now all traffic for your layer 2 network (VLANs) will pass through this access layer, low-bandwidth edge device.

Figure 7 illustrates a collection of switches commonly seen in an enterprise campus. Each wiring closet access switch is connected redundantly to each building's distribution switch. Notice how the distribution switches are the logical center of this building's network.

Here, we configure the logical center of our layer 2 network to be the STP root, but only for the VLANs configured and operating on this switch:

    AccSw01(config)#spanning-tree vlan 1,10,20-25 root ?
      primary    Configure this switch as primary root for this spanning tree
      secondary  Configure switch as secondary root
    AccSw01(config)#spanning-tree vlan 1,10,20-25 root primary

Next, we disable STP and ensure there are no STP-configured devices (switches) connected to our access interfaces (int f0/1 - 20). These are interfaces that lead to end stations and interfaces that should not communicate in your STP network:

    AccSw01(config)#int range f0/1 - 20
    AccSw01(config-if-range)#spanning-tree portfast
    ! Note: bpdufilter silently drops BPDUs on the port. The alternative,
    ! spanning-tree bpduguard enable, err-disables the port when a BPDU arrives,
    ! so a rogue switch is logged and cut off rather than merely ignored
    AccSw01(config-if-range)#spanning-tree bpdufilter enable

Continue by ensuring there are no other switches claiming to be the root of the STP network (int f0/21 - 24):

    ! Root guard belongs on the root bridge's ports facing other switches; on a
    ! non-root switch's uplinks it would block the legitimate root's BPDUs
    AccSw01(config-if-range)#int range f0/21 - 24
    AccSw01(config-if-range)#spanning-tree guard root

Just as we configured our user ports to be access ports, ensuring that only end-stations will connect, we will configure our infrastructure ports as trunk ports. This is ideally configured on a switch-to-switch connection. By default, these ports will dynamically negotiate to this state, but this process takes time and may not always work. To ensure our desired settings are used and agreed upon as quickly as possible, we will set (hard code) these ports as trunks:

    ! Encapsulation is set first: on platforms that also support ISL, "switchport
    ! mode trunk" is rejected while the encapsulation is still "negotiate"
    AccSw01(config-if-range)#switchport trunk encapsulation dot1q
    AccSw01(config-if-range)#switchport mode trunk
    ! Optional: switchport nonegotiate stops the port from sending DTP frames
    AccSw01(config-if-range)#switchport trunk allowed vlan 1,10,20-25

Notice how the last command also defines the VLANs we want to allow across the trunk. This process is known as manual pruning and is an added security feature available on your trunk links.

Finally, we will configure our VLAN Trunking Protocol (VTP) options. VTP is a management protocol designed to ensure consistent VLAN creation across multiple switches in the same layer 2 VTP domain. While this protocol works well, it can also be used to compromise the security of your network, either by deleting needed/used VLANs or by creating VLANs that are not under corporate administrative control. Here, we start by defining a VTP domain name, setting the source interface for all VTP updates, and creating a unique password for all VTP updates:

    AccSw01(config)#vtp mode server
    AccSw01(config)#vtp domain VTPDom01
    AccSw01(config)#vtp interface loopback0
    ! An access switch that never originates VLAN changes can instead run
    ! vtp mode transparent, so a server with a higher revision number
    ! cannot overwrite its VLAN database
    AccSw01(config)#vtp password VTPp@55w0rd

Note: Even though the "vtp mode server" command is included, this command is not necessary. All switches are in VTP server mode by default.

As you can see, there are several options available for switch security. Each of these allows you to integrate security as close to the end device as possible.
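Each hardening step above is only a few CLI lines, and the check a practitioner wants afterwards is whether every port actually received them. The following Python script, written for this page (it is not Cisco's or the paper's code), parses a constructed running-config excerpt and reports which of the paper's controls are missing per port role; it accepts either bpduguard or the bpdufilter shown above on user ports, and the FastEthernet0/1-20 access and 0/21-24 uplink ranges are assumptions taken from the paper's examples.

```python
"""Audit a Catalyst IOS running-config for the switch hardening controls this
paper walks through.  Written for this page, not Cisco's or the paper's code."""
from collections import defaultdict

# Constructed sample: f0/1 hardened as in the paper, f0/2 at defaults,
# f0/13 an unused port that was shut down, f0/21 and f0/22 uplinks.
SAMPLE_CONFIG = """\
aaa new-model
dot1x system-auth-control
vtp password VTPp@55w0rd
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet0/2
!
interface FastEthernet0/13
 shutdown
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20-25
 spanning-tree guard root
interface FastEthernet0/22
 switchport mode trunk
"""

def parse_config(text):
    global_cmds, interfaces, current = [], defaultdict(list), None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None                 # '!' closes an interface stanza
        elif line.startswith("interface "):
            current = line.split()[1]
            interfaces[current]            # register even an empty stanza
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, dict(interfaces)

# A form ending in a space takes arguments and matches as a prefix; any other
# form must match a whole line, so 'switchport port-security maximum 1' by
# itself does not count as enabling port security.  Either BPDU control passes.
BPDU_PROTECT = ("spanning-tree bpduguard enable", "spanning-tree bpdufilter enable")
ACCESS_CONTROLS = ["switchport mode access", "switchport port-security",
                   "spanning-tree portfast", BPDU_PROTECT]
TRUNK_CONTROLS = ["switchport mode trunk", "switchport trunk allowed vlan ",
                  "spanning-tree guard root"]
GLOBAL_CONTROLS = ["aaa new-model", "dot1x system-auth-control", "vtp password "]

def has(cmds, control):
    forms = control if isinstance(control, tuple) else (control,)
    return any(c == f or (f.endswith(" ") and c.startswith(f))
               for c in cmds for f in forms)
label = lambda c: (" or ".join(c) if isinstance(c, tuple) else c).strip()

def audit(text, access_ports, trunk_ports):
    """Return {'global' or interface name: [missing controls]} for each gap."""
    global_cmds, interfaces = parse_config(text)
    findings = {}
    gaps = [label(c) for c in GLOBAL_CONTROLS if not has(global_cmds, c)]
    if gaps:
        findings["global"] = gaps
    for name, cmds in interfaces.items():
        if "shutdown" in cmds:             # a disabled unused port is fine
            continue
        expected = (ACCESS_CONTROLS if name in access_ports else
                    TRUNK_CONTROLS if name in trunk_ports else [])
        gaps = [label(c) for c in expected if not has(cmds, c)]
        if gaps:
            findings[name] = gaps
    return findings

ACCESS = {f"FastEthernet0/{n}" for n in range(1, 21)}
TRUNKS = {f"FastEthernet0/{n}" for n in range(21, 25)}
```

audit(SAMPLE_CONFIG, ACCESS, TRUNKS) reports FastEthernet0/2 missing every access-port control and FastEthernet0/22 missing VLAN pruning and root guard, while f0/1, the shut-down f0/13 and f0/21 are clean.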

Summary

As with any project, you must start with a set of objectives in mind. From those objectives, you create a set of requirements to guide your progress to completion. In network security, your objectives and requirements are laid out in your Corporate Security Policy. This security policy defines what you need and how you would like to secure your network. Create your security policy by using the very regulations and requirements that govern your business communications (e.g., HIPAA, SOX, VISA, FBI, etc.). Be sure to refer to your security policy often to ensure that current and future systems are installed correctly.

Once you are ready to install any new system, be sure to manage the installation using the 4-step Security Lifecycle: Secure, Monitor, Test, and Improve. This is a continuous process that, once followed through to completion, loops back on itself in a constant cycle of protection. Focus on hardening a device during the installation and configuration of each new service.

When securing your network, it is important to implement security at every layer possible and available on your networking device. Start your security configuration where the network starts: at the physical layer. Leverage devices' built-in services. For example, use switch security features to control layers 1 & 2. The examples covered here center around setting the port types (access versus trunk), configuring your STP configuration and protecting switches from rogue STP updates, and controlling VLAN update information by defining secure VTP parameters.

In the second installment of this series, you will learn the suggested steps for hardening your routers, firewalls, and VPN Concentrators.

Learn More

Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:
SND (Securing Cisco Network Devices)
SNRS (Securing Networks with Cisco Routers and Switches)
SNPA (Securing Networks with PIX and ASA)
CSVPN (Cisco Secure Virtual Private Networks)
SNPA/CSVPN Mini Camp

For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative.

Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.

About the Author

Isaac A. Valdez is President and Owner of IV Consulting Services, Inc., a contract consulting and training firm based in Tampa, Florida.

In addition to a B.S. in Computer Engineering, Isaac has 15 years of experience in hardware design, network design, network administration, and certification training. Fresh out of college, he was hired as an in-house hardware technician where he learned the ins and outs of hardware troubleshooting and repair. After a few years in hardware, Isaac made his move to Network Administration for the big players at the time: Novell, Microsoft, and Cisco Systems.

His consulting and training experience ranges from Novell NetWare & GroupWise, Microsoft Windows NT, Windows 2000 and Windows 2003, Cisco Routing, Switching, LAN/WAN, Wireless and Security, plus a list of Enterprise applications for Messaging, Front and Back Office, Management and Remote Access.

In the Cisco certification track, Isaac teaches a total of 15 courses toward the CCNA, CCDA, CCNP, CCDP, CCIP and CCSP certifications. These courses include INTRO, ICND, ARCH, DESGN, BSCI, BCMSN, BCRAN, CIT, BGP, QoS, SND, SNRS, SNPA, CSVPN and CSIDS.

Now that all that boring technical stuff is over, Isaac really prides himself on being a very curious individual. When he's done with work (and even instead of work at times), he likes to get away from the keyboard and books to enjoy the finer things in life. Balance is key! If you have any questions feel free to contact him at [email protected].
