
CCSP Quick Reference Sheets SND SNRS SNPA IPS CSVPN


CCSP: Securing Cisco Network Devices (SND) Quick Reference Sheets
Network Security Overview
This section presents an overview of network security concepts, including common threats, attack
types, and mitigation techniques. It also includes an overview of the Cisco security portfolio.
Please note that there is some overlap of content in the Cisco CCSP certification courses and corresponding exams. We chose to make each section of this book stand on its own, and we covered the material for each exam independently, so that you can focus on each exam without the need to reference a common topic from a different exam's section. Because of this, you might notice redundant coverage of topics in certain sections of this book.
The Need for Network Security
Networked systems must be designed and implemented with security in mind because most
contemporary systems are interlinked or “open” in contrast to a previous time when systems
were “closed” islands. This interlinking, often demanded by business processes and information exchange, increases a system’s vulnerability, risk of attack, and exploitation by threats.
Comprehensive network security safeguards are needed because attacking systems has
become easier for two reasons:
• Software development tools and easy-to-use operating systems provide attackers with a
basis to develop attack tools.
• The Internet allows attackers to not only distribute attack tools and related attack techniques but also gain the necessary connectivity required for the attack.


In addition, the following three major dynamics have converged to further increase the need
for network security in any successful organization:
• New or pending regulations in the United States, European Union, and elsewhere mandating better protection of company-sensitive and personal information
• Increasing terrorist and criminal activity directed at communication infrastructures and
private and government networks and computer systems
• Increasing number of perpetrators conducting cyber attacks and hacking with greater ease
as worldwide use of Internet technology and connectivity increases.
Network Security Challenges
The primary challenge of implementing network security is to strike the right balance between providing convenient access to systems and information as required to conduct business and the need to protect those same systems and information from attacks and inappropriate access.
The emergence of the Internet and e-business has made this challenge more difficult. E-business
demands stronger relationships with suppliers, partners, and customers, and often requires companies to provide access to their systems and critical information over the Internet.
Security within the system is important for the following reasons:
• Digital data exchange among organizations is crucial to an economy. These processes
must be protected.
• Private data often travels via insecure networks, and precautions must be taken to prevent
it from being corrupted or changed.
• Government regulations often dictate standards for information assurance compliance,
especially in publicly held organizations.
Network Security Policy
To be effective, network security must be a continuous process and must be built around a
security policy. The policy, which is an overall strategic vision, is defined first and the tactical
processes and procedures to support that policy are designed around it. RFC 2196, the Site Security Handbook, describes a security policy as “…a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
A security policy is necessary because it:
• Creates a baseline of current security posture and implementation
• Clearly defines what behaviors are allowed and what behaviors are not
• Helps determine necessary tools and procedures
• Helps define roles and responsibilities
• Informs users of their roles and responsibilities
• States the consequences of misuse
• Enables global security implementation and enforcement
• Defines how to handle security incidents
• Defines assets and how to use them
• Provides a process for continuing review

Security policies can be as simple as one document or they might consist of many documents
that describe every aspect of security. The organization’s needs, in addition to any regulations
to which the organization must adhere, drive the level of detail. A comprehensive security policy should describe some of the following concepts in writing:
• Statement of authority and scope
• Acceptable-use policy
• Identification and authentication policy
• Internet use policy
• Campus-access policy
• Remote-access policy
• Incident handling procedure
Network Security Process
A continuous security process is most effective because it promotes the retesting and reapplying of updated security measures on a continuous basis as illustrated in the following figure.

Figure: Cisco Security Wheel. The four phases Secure, Monitor, Test, and Improve form a continuous cycle around the Security Policy at the center.

The Cisco Security Wheel provides a four-step process to promote and maintain network
security:
Step 1 Secure—Implement security safeguards, such as firewalls, identification and authentication systems, and encryption with the intent to prevent unauthorized access to network systems.
Step 2 Monitor—Continuously monitor the network for security policy violations.
Step 3 Test—Evaluate the effectiveness of the in-place security safeguards by performing tests, such as periodic system vulnerability analysis and application and operating system hardening review.
Step 4 Improve—Improve overall security by collecting and analyzing information from the monitoring and testing phases to make judgments on ways to make security more effective.

Primary Types of Threats
There are four ways to categorize threats to network security:
• Unstructured threats—Threats primarily from inexperienced individuals using hacking tools available on the Internet (script kiddies).
• Structured threats—Threats from hackers who are more motivated and technically competent. They usually understand network system designs and vulnerabilities, and they can
create hacking scripts to penetrate network systems.
• External threats—Threats from individuals or organizations working outside your company who do not have authorized access to your computer systems or network. They work
their way into a network mainly from the Internet or dialup access servers.
• Internal threats—Threats from individuals with authorized access to the network with
an account on a server or physical access to the wire (typically disgruntled current or
former employees or contractors).
Mitigating Network Attacks
The following sections discuss expected attacks to networks and related mitigation techniques.
Physical and Environmental Threats
A common threat to network security is improper installation of network security devices or
software applications. Default installation of many hardware devices or software applications
can result in substandard security with such shortcomings as easily guessed or even blank
default passwords, unnecessary running services, or disabled desirable services.
Devices are generally categorized into the following two groups:
• Low-risk devices—Typically low-end or small office/home office (SOHO) devices
implemented in remote locations or branch offices with minimal impact on the corporate
network.
• High-risk (mission critical) devices—Devices used in larger offices, hub locations, or
corporate headquarter locations with the potential to impact a large portion of the network
and user base.
Consider the following common threats when installing physical devices:
• Hardware threats—Threat of intentional or unintentional physical damage to devices,
such as routers, firewalls, and switches.

• Environmental threats—Include threats of temperature and humidity conditions that
can damage hardware devices.
• Electrical threats—Include threats, such as voltage spikes, insufficient voltage (brown
outs), power loss (black outs), or unconditioned power.
• Maintenance threats—Improper practices that can result in outages, for example, mislabeled devices, improper handling, or static electricity.
Use the following techniques to mitigate hardware threats:
• Limit physical access to authorized personnel only.
• Maintain an audit trail for access to the equipment, preferably using electronic access
control.
• Implement a surveillance system such as cameras or CCTV.
Use the following techniques to mitigate environmental threats:
• Include temperature and humidity control measures.
• Maintain positive air flow.
• Implement remote temperature and humidity monitoring and alarm systems.
• Limit electrostatic and magnetic interferences.
Use the following techniques to mitigate electrical threats:
• Install Uninterruptible Power Supplies (UPS).
• Install generators for the mission-critical systems.
• Implement routine UPS and generator testing and maintenance.
• Use redundant power supplies on critical devices.
• Use filtered power when possible.
• Monitor power supply conditions.
Finally, to mitigate maintenance-related threats, use the following techniques:
• Clearly label devices and cabling.
• Use cable runs or raceways for rack-to-ceiling or rack-to-rack connections.
• Use proper electrostatic discharge procedures.
• Log out of administrative interfaces when it is no longer necessary.
• Do not rely on physical security alone (no room is completely secure). If a breach of physical security occurs and other security measures are not in place, an intruder can simply connect a terminal to the console port of a Cisco router or switch.
Reconnaissance Attacks
Reconnaissance is an attempt to discover and map systems, services, vulnerabilities, and publicly
available information about target systems often as a prelude to more sophisticated attacks.


Reconnaissance methods include:
• Internet Information queries—Data collection about the organization from public
sources, such as newspapers, business registries, public web servers, tools such as
WHOIS, DNS records, and ARIN and RIPE records.
• Port scans and ping sweeps—Used to identify online hosts, their services, their operating systems, and some of their vulnerabilities. Mitigation includes controlling the visibility of hosts and services from untrusted networks by measures, such as filtering Internet
Control Message Protocol (ICMP) echo and echo-reply traffic at the network edge and
deploying network-based or host-based intrusion prevention systems.
• Packet sniffers—After hosts are compromised, rogue software can force their network cards into promiscuous mode, and the hosts become packet sniffers for further reconnaissance. The sniffing host can collect network data such as passwords and other data on the wire, and an attacker can retrieve this information for use in other attacks. Mitigation techniques include:
— Use of strong authentication and One Time Passwords (OTP)
— Switched infrastructures to prevent sniffing
— Use of Host Intrusion Prevention Systems (HIPS) to detect disallowed host activities
— Cryptography for data privacy
Access Attacks
Access attacks attempt to exploit weaknesses in applications, so that an intruder can gain
unauthorized access. They include:
• Password attacks—An attempt to gain account access by obtaining its password using
the following techniques:
— Online and offline brute-force repeated logon attempts. Mitigated with strong passwords, OTP systems, automatic account disabling after “X” failed attempts, limits on password reuse, and periodic password testing to ensure policy compliance.
— Packet sniffing collection of passwords off the medium. Mitigated with encryption, switching, and HIPS.
— Internet Protocol (IP) and Media Access Control (MAC) spoofing to appear as a
trusted system, so that users unknowingly send their passwords to attackers. Mitigated
by device authentication.
— Trojan horse software that collects password information and then sends it to attackers. Mitigated by use of host and network Intrusion Prevention Systems (IPS).
• Trust exploitation—An attacker takes advantage of the fact that other hosts will trust one host that has been compromised, potentially allowing unauthorized access. To mitigate trust exploitation attacks, create tight constraints on trust levels within a network and disallow Internet hosts complete access to internal hosts through the firewall. Limit trusts for systems outside of the firewall to specific protocols and grant them based on something other than an IP address when possible.
• Port redirection—A trust exploitation attack whereby an attacker that does not have
direct access to an end target uses an intermediate host (that the end target trusts) as a
launching point. The attacker compromises the intermediate host and from this point
attacks the end target. Mitigation techniques include:
— Use of HIPS to detect suspicious events
— Implementation of a network-specific trust model with more granular firewall filtering
• Man-in-the-middle—An attacker sits in between two-way client and server communication to intercept it. Use of effective encryption protocols (IPSec and SSL, for example)
mitigates this exposure. The following are man-in-the-middle attack examples:
— Stealing or analyzing the information contained in packet payloads
— Altering or introducing new packet data as it flows between the legitimate hosts
— Hijacking the client’s session, so that the attacker can pose as the client and gain trusted access
— Creating Denial of Service (DoS) conditions by interrupting packet flow
• Unauthorized access—Internal or external attacks by people attempting to access systems or applications to which they do not have access. The following are examples of these attacks:
— Unauthorized system access—Intruders gain access to a host to which they do not have access. Mitigate by use of OTP systems, advanced authentication, and reduction of attack vectors through stringent firewall filters. Warning banners alert unauthorized persons that their activities are prohibited and might be logged.
— Unauthorized data manipulation by an authorized user—Users read, write, copy,
or move files that are not intended to be accessible to them. Mitigate by use of stringent OS trust model controls to monitor privilege escalation and HIPS.
— Unauthorized privilege escalation—Legitimate users with a lower level of access privileges, or intruders who gain lower-privileged access, obtain information or run procedures that their current level of access does not authorize. Mitigate by use of stringent OS trust model controls to control privilege escalation and HIPS.
IP Spoofing Attacks
IP spoofing occurs when an attacker attempts to impersonate a trusted IP address, so that the
target accepts communications from the attacker.
IP spoofing mitigation techniques include:
• Use of RFC 2827 filtering on routers and firewalls as follows:
— Traffic entering your network should be destined only for IP addresses you control.
— Traffic leaving your network should be sourced only with IP addresses you control.
— Traffic leaving your Internet Service Provider’s (ISP) network intended for your network should be destined only for IP addresses you control. Your ISP must implement these filters because it owns this equipment.
• Access control configuration—Prevents traffic entering your network with source addresses that should reside on the internal network. Block all IP addresses reserved for private or other special uses, such as RFC 1918 private addresses and other “bogon” addresses.
• Encryption—Prevents compromise of the communication between source and destination hosts.
• Additional authentication—IP spoofing attacks rely on IP address-based identification and authentication of hosts. When another authentication method (not based on IP address) is deployed, IP spoofing attacks become irrelevant.
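The RFC 2827 and bogon filtering above, written out as a Cisco IOS configuration for a customer edge router; this is an added example and not from the original sheets. It assumes the organization's public block is 192.0.2.0/24, its internal addressing is 10.0.0.0/8, Serial0/0 faces the ISP, and GigabitEthernet0/1 faces the inside; the ISP-side filter the text mentions is not shown.

```cisco
! Added example (assumed addressing): public block 192.0.2.0/24, internal 10.0.0.0/8.
! Serial0/0 connects to the ISP, GigabitEthernet0/1 to the internal network.
!
! Ingress filter (RFC 2827 plus RFC 1918/bogon blocking): packets arriving from the
! Internet may not carry a source address that belongs inside, and may be destined
! only for addresses we control.
ip access-list extended FROM-INTERNET
 remark Drop packets that spoof our own public block as their source
 deny   ip 192.0.2.0 0.0.0.255 any
 remark Drop RFC 1918 private and other bogon source addresses
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 remark Accept only traffic destined for addresses we control; log everything else
 permit ip any 192.0.2.0 0.0.0.255
 deny   ip any any log
!
! Egress filter (RFC 2827): packets leaving must be sourced only from our public block.
! If NAT runs on this router, the outbound ACL sees post-translation addresses.
ip access-list extended TO-INTERNET
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Link to ISP (assumed addressing)
 ip address 203.0.113.2 255.255.255.252
 ip access-group FROM-INTERNET in
 ip access-group TO-INTERNET out
!
interface GigabitEthernet0/1
 description Internal network
 ip address 10.1.0.1 255.255.0.0
 ! Strict unicast RPF (RFC 3704): drop inside packets whose source is not routed
 ! back through this interface, a second check against spoofed internal sources
 ip verify unicast source reachable-via rx
!
! Send the logged ACL denies to the syslog collector so spoofing attempts are visible
logging host 10.1.1.20
```

Strict uRPF is placed on the inside interface rather than the ISP link because a default route toward the ISP would otherwise cause strict-mode checks to drop legitimate Internet traffic.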
DoS Attacks
DoS is the act of barraging a network or host with more connection requests or data than it normally handles, for the purpose of permanently or temporarily denying access to systems, services, or applications. DoS and Distributed DoS (DDoS) focus on disabling or drastically slowing IT services by overwhelming them with requests from one or many distributed attackers. DoS attacks most often target services already allowed by the firewall, such as HTTP, SMTP, and FTP. DoS can shut down a network by consuming all available bandwidth.
DoS mitigation techniques include:
• Use of RFC 1918 and RFC 2827 filtering
• Use of Quality of Service (QoS) rate limiting to control data flow
• Use of anti-DoS features on firewalls and routers to limit half-open Transmission Control Protocol (TCP) connections
• Use of advanced authentication to prevent invalid host-to-host trusts
Worms, Viruses, Trojan Horses, Phishing, and Spam Attacks
Malicious code usually targets workstations and servers to subvert their operation. Malicious
code types include:
• Worms—Malicious code that installs a payload onto a host using an available exploit
vector and attempts to replicate to other hosts through some propagation mechanism.
After installation of the payload, privilege escalation often occurs.
• Viruses—Malicious code attached to another program (delivered, for example, by email) that attempts some undesirable function on the host (such as reformatting the hard drive) after the user runs the rogue program.
• Trojans—Malicious code that appears to be legitimate and benign but is a vector for an internal or external attack.
• Phishing—An attempt to deceive users into revealing private information to an attacker.
• Spam—Multiple unwanted emailed offers that flood inboxes.


Virus and Trojan horse mitigation techniques include:
• Using HIPS software.
• Acquiring effective and up-to-date host antivirus software.
• Performing effective maintenance of operating system and application patches.
• Staying up-to-date with the latest developments in attacks of this type and new mitigation
methodologies.
Mitigate the effect of worms through the following steps:
Step 1 Contain with defense-in-depth techniques at major network junctions.
Step 2 Inoculate systems with antivirus updates.
Step 3 Quarantine infected machines.
Step 4 Treat infected machines with appropriate fixes.

Incident response methodologies are subdivided into the following six major categories based
on the Network Service Provider Security (NSP-SEC) incident response methodology:
• Preparation—Acquire the resources to respond.
• Identification—Identify the worm.
• Classification—Classify the type of worm.
• Traceback—Trace the worm back to its origin.
• Reaction—Isolate and repair the affected systems.
• Postmortem—Document and analyze the process used for the future.
Application Layer Attacks
Application-layer attacks have the following general characteristics:
• They are designed to exploit intrinsic security flaws and known weaknesses in protocols,
such as sendmail, HTTP, and FTP.
• They use standard ports that are commonly allowed through a firewall, such as TCP port
80 or TCP port 25.
• They are difficult to eliminate because new vulnerabilities are often discovered.
Stateful firewalls generally do not stop these attacks because these devices are not designed to
perform deep packet inspection. Proxy firewall functions, such as PIX application inspection (formerly “fixups”), Cisco IPS, and Cisco Adaptive Security Appliances (ASA), are designed for deeper application inspection and control.
Mitigation techniques include:
• Implementing application inspection within the firewall device.
• Implementing HIPS to monitor OS and specific applications for illegal or suspicious calls.
• Implementing network IPS to monitor network communications for known attacks and activity outside of normal baseline.
• Keeping the host OS and applications patched.
• Logging events, parsing events, and performing analysis.
• Subscribing to mailing lists that alert you to new vulnerabilities in a timely manner.
Management Protocols and Vulnerabilities
Management protocols such as Simple Network Management Protocol (SNMP), syslog, Trivial File Transfer Protocol (TFTP), and Network Time Protocol (NTP) have been around for a
number of years and were originally designed with little or no security considerations. Most of
these protocols have been upgraded to newer versions that provide improved security measures. For example, SNMP Version 3 provides authentication and encryption of communications.
Mitigation techniques include:
• Using secure protocols, such as Secure Shell (SSH) or Secure Sockets Layer (SSL), when connecting to devices over the network, and avoiding clear-text protocols, such as Telnet or HTTP.
• Using Access Control Lists (ACLs) to limit administrative access to network devices.
• Using RFC 3704 filtering at the perimeter to prevent outside attackers from accessing
devices by spoofing the address of (legitimate) management hosts.
• SNMP recommendations:
— Configure SNMP with read-only (ro) community strings.
— Limit access to management hosts on the managed devices.
— Use SNMP version 3 or higher (authentication and encryption).
• Syslog recommendations:
— Encrypt syslog traffic using IPSec.
— Implement RFC 2827 filtering.
— Set up ACLs on the firewall to limit access to the servers.
• TFTP recommendations:
— Encrypt TFTP traffic using IPSec.
• NTP recommendations:
— Implement an internal master clock when possible.
— Use NTP version 3 or higher (authentication).
— Use ACLs to control access to specific NTP servers.
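The SSH, ACL, SNMP, syslog, and NTP recommendations above, combined into one Cisco IOS management-plane configuration; this is an added example, not from the original sheets. The 10.1.1.0/24 management subnet, the host addresses, the hostname and domain, and every string ending in "-Placeholder" are assumed values to be replaced.

```cisco
! Added example (assumed values): management hosts in 10.1.1.0/24, SNMPv3 manager
! 10.1.1.5, internal NTP master 10.1.1.10, syslog collector 10.1.1.20.
hostname edge-rtr
ip domain-name example.com
!
! One management-host ACL, reused to restrict SSH, HTTPS, SNMP, and NTP clients
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny   any log
!
! SSH version 2 only; the RSA key must exist before SSH can be enabled
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
username netadmin privilege 15 secret Admin-Placeholder
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
!
! No clear-text HTTP management; HTTPS only, and only from management hosts
no ip http server
ip http secure-server
ip http access-class 10
!
! SNMP: remove default communities, keep only a read-only community bound to the
! management ACL, and use SNMPv3 with authentication and encryption for the manager
no snmp-server community public
no snmp-server community private
snmp-server community RoMonitor-Placeholder RO 10
snmp-server group MGMT-V3 v3 priv
snmp-server user nms MGMT-V3 v3 auth sha AuthPass-Placeholder priv aes 128 PrivPass-Placeholder
snmp-server host 10.1.1.5 version 3 priv nms
!
! Syslog to the collector (the IPSec protection of this path that the text recommends
! is configured separately and not shown here)
logging host 10.1.1.20
logging trap informational
!
! NTP with authentication; only the internal master clock may serve time to this router,
! and only management hosts may query it
ntp authenticate
ntp authentication-key 1 md5 NtpKey-Placeholder
ntp trusted-key 1
ntp server 10.1.1.10 key 1
access-list 20 permit host 10.1.1.10
access-list 20 deny   any
ntp access-group peer 20
ntp access-group serve-only 10
```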

Determining Network Vulnerabilities
An important aspect of securing any network is proper assessment to determine existing vulnerabilities. Use the following tools and techniques to evaluate the network and discover security vulnerabilities:
• Netcat—A networking utility that reads and writes data across network connections using the TCP/IP protocol. Netcat is a network debugging and exploration tool that can create many kinds of connections, which makes it useful for evaluating network security.
• Blue’s Port Scan—A port-scanning tool (can scan 300 ports per second).
• Ethereal—An open-source, packet-capturing application that runs on most popular computing platforms, such as UNIX, Linux, and Windows. Ethereal is a full-featured protocol
analyzer and includes remote capturing capabilities.
• Microsoft Baseline Security Analyzer (MBSA)—MBSA is a free Microsoft-supplied
security assessment tool for Windows clients. This tool scans Windows systems and discovers missing patches. It also functions as a best-practices vulnerability assessment tool
by highlighting any setting on the scanned system that is not in compliance with best
security practices as recommended by Microsoft.
Introducing the Cisco Security Portfolio
Cisco provides an extensive portfolio of security appliances, management platforms, and software applications designed for securing small and large networks alike.
The following sections describe Cisco security products based on different security-need
categories.
Perimeter Security Products
Cisco perimeter security products include:
• Cisco PIX 500 Series Security Appliance Series—Security appliances designed for
small and large networks (SOHO to ISP).
• Cisco ASA 5500 Series Security Appliance Series—Expandable security devices combining the functionality of PIX 500 Series security appliances, Cisco Virtual Private Network (VPN) 3000 Concentrators, and Cisco 4200 Series IPS devices.
• Cisco Firewall Services Module (FWSM)—Firewall module designed for the Catalyst 6500 Series switch and Cisco 7600 Series router.
• VPN Acceleration Card Plus (VAC+)—High performance, hardware-based encryption
with support for AES and 3DES encryptions standards.
• Cisco IOS Firewall—Integrated firewall and intrusion detection functionality on a wide
range of Cisco IOS software-based routers. Specific highlights include:
— Stateful Cisco IOS Firewall Inspection
— Intrusion detection
— Firewall voice traversal
— ICMP inspection
— Authentication proxy
— Destination URL policy management
— Per-user firewalls
— Cisco IOS router and firewall provisioning
— DoS detection and prevention
— Dynamic port mapping
— Java applet blocking
— VPNs, IPSec encryption, and QoS Support
— Real-time alerts
— Audit trail
— Integration with Cisco IOS software
— Basic and advanced traffic filtering
— Policy-based multi-interface support
— Network address translation
— Time-based access lists
— Peer router authentication
Virtual Private Network Solutions
VPNs provide secure, reliable, encrypted connectivity over a shared public network infrastructure such as the Internet. This shared infrastructure allows connectivity at a lower cost than
that provided by existing dedicated private networks.
There are three basic VPN scenarios:
• Intranet VPN—Used to link corporate headquarters to remote offices, offering a lowercost alternative to traditional WANs.
• Extranet VPN—Used to securely link network resources with third-party vendors and business partners over the public network.
• Remote-access VPN—Used to securely connect telecommuters and mobile users to corporate networks over the public network.
Cisco provides VPN functionality on the following products:
• Cisco VPN 3000 Series Concentrators:
— Have models available for small businesses (100 connections) up to large enterprises
(10,000 connections).
— Are scalable and resilient.
— Provide unlimited Cisco VPN Client licensing.
— Support several access methods including WebVPN (SSL VPN), Cisco VPN Client
(IPSec VPN), Microsoft-embedded clients (PPTP and L2TP), and Nokia Symbian
Client for wireless phones and PDAs.

— Include integrated Web-based management for configuration and monitoring.
— Support Cisco Network Admission Control (NAC).
• Cisco PIX 500 Series and ASA 5500 Series Security Appliances:
— Provide combined firewall and VPN functionality.
— Support several access methods, including WebVPN (SSL VPN, available on ASA
5500 Series only), Cisco VPN Client (IPSec VPN), Microsoft-embedded clients
(L2TP only), and Nokia Symbian Client for wireless phones and PDAs.
• Cisco VPN-enabled IOS routers:
— Operate at site-to-site VPNs.
— Offer scalability, network resiliency, bandwidth optimization and QoS, and deployment flexibility.
— Include the Cisco 800 Series, 900 Series, 1700 Series, 2600 Series, 2700 Series, 3600 Series, 3700 Series, and 7000 Series routers.
— Use the VPN Accelerator Module 2 (VAM2) to enhance VPN performance in the
Cisco 7000 series routers.
— Include built-in hardware-based VPN acceleration with the Cisco 1800 Series, 2800
Series, and 3800 Series Integrated Services Routers (ISR).
• Cisco VPN Hardware and Software Clients:
— Include Cisco VPN Software Client version 4.x, Cisco VPN 3002 Hardware Client,
several models of Cisco IOS routers, and Cisco PIX 501 and 506 security appliances.
— Incorporate a centralized push policy technology foundation.
— Work with all Cisco VPN concentrators, Cisco IOS routers, and PIX security appliances.
— Work with non-Windows operating systems (Linux, Mac, and Solaris).
The following table provides an overview of Cisco VPN product positioning by network size and intended use.

Network Size                          | Remote Access                                          | Site-to-Site                                                                    | Firewall-Based
--------------------------------------|--------------------------------------------------------|---------------------------------------------------------------------------------|---------------------------------------------------------
Large Enterprise and Service Provider | Cisco VPN 3060 and VPN 3080 Concentrators              | Cisco 7200 Series router, Cisco 3800 Series ISRs and higher                     | Cisco PIX 525, PIX 535, and ASA 5540 security appliances
Medium Enterprise                     | Cisco VPN 3030 Concentrator                            | Cisco 3600 Series and 7100 Series router, Cisco 2800 Series and 3800 Series ISRs | Cisco PIX 515 and ASA 5520 security appliances
Small Business or Branch Office       | Cisco VPN 3005, VPN 3015, and VPN 3020 Concentrators   | Cisco 3600 Series, 2600 Series, and 1700 Series routers, Cisco 1800 Series ISRs | Cisco PIX 506, PIX 515, and ASA 5520 security appliances
SOHO Market                           | Cisco VPN Software Client and VPN 3002 Hardware Client | Cisco 800 Series and 900 Series routers                                         | Cisco PIX 501 and PIX 506 security appliances


IPS Solutions
The Cisco IPS is a network-based intrusion prevention system that detects unauthorized activity and can analyze traffic in real time while an attack is under way. Cisco IPS sensors can tap into data from outside the forwarding path and function as traditional Intrusion Detection System (IDS) devices, sending alarms to a management console and controlling other systems, such as routers, to terminate the unauthorized sessions. With IPS software version 5.0 or higher, Cisco IPS devices can also operate “inline,” terminating unauthorized sessions by dropping the attack packets themselves rather than relying on other blocking devices, such as firewalls or routers.
The Cisco IPS sensor portfolio consists of the following:
• Cisco IDS/IPS 4200 Series appliances
• Cisco Catalyst 6500 Intrusion Detection System Module (IDSM2)
• Network Module-Cisco IDS (NM-CIDS) modules designed for Cisco 2600XM Series,
Cisco 2691, Cisco 3660, and Cisco 3700 Series IOS routers
• Advanced Intrusion and Prevention Security Services Module (AIP-SSM) for Cisco ASA
5500 Series security appliances
In addition to the listed sensors, Cisco IOS routers, PIX 500 Series, and ASA 5500 Series
security appliances include basic IPS capabilities. These capabilities were significantly
improved in Security Appliance Software version 7.0 and Cisco IOS Software Release
12.3(8)T; however, compared to the Cisco full-featured IPS sensors, these platforms still
detect a more limited subset of attacks.
Cisco IOS IPS is an inline, deep-packet inspection-based solution and offers the following features and benefits:
• New enhancements that provide broadly deployed worm and threat mitigation services
• A design that loads and enables IPS signatures in the same manner as Cisco IDS sensor appliances
• Support for 700+ of the same signatures supported by Cisco IPS sensor platforms
• Custom signatures to mitigate new threats
• An ideal solution for remote branch office applications
• Support for Trend Micro antivirus signatures
HIPS Solutions
In addition to network-based IPS solutions, Cisco provides HIPS solutions for threat mitigation throughout the network.
• HIPS audits host log files, host file systems, and resources.
• An advantage of HIPS is that it can monitor operating system processes and protect critical system resources and files.
• Cisco HIPS combines behavioral analysis and signature filters.

• HIPS combines the features of antivirus, network firewalls, and host-based application
firewalls.
• HIPS can be implemented on critical systems anywhere on the network (not just the
perimeter).
Cisco provides the Cisco Security Agent (CSA) as its HIPS solution. CSA includes the following components:
• Management Center for Cisco Security Agent (CSA MC)—CSA MC provides centralized management of CSA agents. The CSA MC can maintain a log of security violations and send alerts through e-mail or via a pager.
• CSA Agents—CSA agents are installed on the host systems to continually monitor local
system activity and analyze the operations of that system. When necessary, CSA agents
block attempted malicious activity. They also poll the CSA MC at configured intervals
and download policy updates as appropriate.
• Administrative workstation—An administrative workstation connects securely to the CSA MC using an SSL-enabled web interface and is used to configure CSA settings on CSA MC.
Identity Solutions: Cisco Secure ACS
Cisco Secure Access Control Server (ACS) provides Authentication, Authorization, and
Accounting (AAA) services.
Some of the services provided by Cisco ACS include:
• RADIUS services
• TACACS+ services
• Web-based Graphical User Interface (GUI) administration interface
• Scalable data replication for redundant ACS implementations
• Full accounting and user reporting
• Support for Active Directory, Windows NT Domains, LDAP, Novell NDS, and ODBC external databases
Network Admission Control
The Cisco NAC is a multivendor framework designed to prevent noncompliant endpoint
devices from accessing the network.
NAC currently provides support for endpoints running Windows NT, 2000, and XP operating systems. The compliance level of endpoints is assessed based on OS patch levels and antivirus status. Noncompliant endpoints can be:
• Permitted access
• Denied access
• Restricted
• Quarantined
NAC architecture consists of the following components:
• Endpoint Security Software—Antivirus client, CSA, Personal Firewall, and the Cisco
Trust Agent
• Network Access Devices—Network devices (routers, switches, wireless access points, and security appliances) that enforce admission control policy
• Policy Server—Cisco ACS and third-party policy servers, such as an antivirus policy
server responsible for evaluating the endpoint security information
• Management System—CiscoWorks VMS and CiscoWorks Security Information Manager Solution (CiscoWorks SIMS) or appropriate third-party management systems used
to configure Cisco NAC elements and provide monitoring and reporting operational tools
Security Management Solutions: Security Management Center
The CiscoWorks VMS management platform provides centralized configuration, management, and monitoring capabilities to simplify implementation of various components of the
Cisco security portfolio. The platform’s web-based tools provide the following simplified
solutions for configuring, monitoring, and troubleshooting:
• VPNs
• Firewalls
• Network-based IPS devices
• HIPS
• Routers
CiscoWorks VMS includes the following applications:
• Firewall Management Center—Enables the large-scale deployment of Cisco firewalls.
• Network-based IPS and router-based IPS Management Center—Allows large-scale deployment and management of sensors and router-based IPS using group profiles.
• Host IPS Management Center—Scalable to thousands of endpoints per manager, supports large-scale deployments.
• VPN Router Management Center—Facilitates setup and maintenance of large-scale
deployment of VPN-enabled routers, Cisco IOS firewalls, and Cisco Catalyst 6000 IPSec
VPN Service Modules.
• Security Monitor—Provides comprehensive view of security-related logging, and provides event correlation for improved detection of threats.
• Performance Monitor—Provides monitoring and troubleshooting services.
• VPN Monitor—Allows management of remote-access or site-to-site VPNs.
• Operational Management—Provides network inventory, reports on hardware and software changes, and manages software updates on multiple devices.
Building Cisco Self-Defending Networks
The Cisco Self-Defending Network strategy consists of three main components aimed at
reducing exposure to security risks inherent in many networks by deploying three categories
of overlapping and complementary security solutions:
• Secure connectivity—This pillar provides secure and scalable network connectivity,
incorporating multiple types of traffic.
• Threat defense—This pillar prevents and responds to network attacks and threats using
network services.
• Trust and identity—This pillar intelligently protects endpoints using technologies, such
as NAC, identity services, and 802.1X.
The following three phases explain the development of self-defending networks:
• Phase 1: Integrated Security—This phase aims to distribute security technologies
throughout every segment of the network to enable every network element as a point of
defense. Products and technologies used in Phase 1 include firewall, intrusion prevention,
and secured connectivity.
• Phase 2: Collaborative Security Systems—Phase 2 introduces the NAC industry initiative and aims to enable the security technologies throughout the network to operate as a
coordinated system to defeat attacks. Products and technologies used in Phase 2 include
NAC, Network Foundation Protection (NFP), Voice Over IP (VoIP), wireless, and service
virtualization.
• Phase 3: Adaptive Threat Defense—This phase aims at deploying innovative threat defense technologies throughout the “integrated security” fabric of the network. Products and technologies used in Phase 3 include application inspection and control; real-time worm, virus, and spyware prevention; and Peer-to-Peer (P2P) and Instant Messaging (IM) controls.
Adaptive Threat Defense
Adaptive Threat Defense (ATD) is the primary goal of self-defending networks. ATD building
blocks include the following:

• Firewall services—These services provide access control and traffic inspection.
• IPS and network antivirus (AV) services—These services provide application intelligence with deep packet inspection.
• Network intelligence—This service includes network security services, such as segmentation through Virtual LANs (VLANs), identity for user knowledge, QoS for controlling
use of bandwidth, routing for topological awareness, switch root, and NetFlow for global
traffic visibility. “Virtualization,” or “virtualized fabric” is the virtualization of services
for cost-effective deployment.
ATD enables the following services on the network:
• Application security—This service provides granular application inspection in firewalls
and IDS and IPS appliances and allows enforcement of application-use policies, such as
those controlling IM usage. Application security services allow control of web traffic and
guard against applications that abuse port 80 (for example, IM and P2P), and provide protection for web services (for example, XML applications).
• Anti-X defenses—A new class of services that provide broad attack mitigation capabilities, such as malware protection, AV, message security (antispam, antiphishing), anti-DDoS, and antiworm. Deployment of anti-X defenses can occur throughout the network to
effectively stop attacks as far from their intended destination and the core of the network
as possible.
• Network containment and control—These services provide network intelligence and
virtualization of security technologies to layer auditing, control, and correlation capabilities to control and protect any networked element.
The following table provides a summary of recently announced Cisco products and technologies that support ATD (please check Cisco.com for an up-to-date listing):

Products | Application Security | Anti-X | Containment and Control
Security Appliance 7.0 Software | Application inspection and control for firewalls and VoIP security | | Virtual firewall, QoS, transparent firewall, and IPv6 support
IPS 5.0 | Multivector threat identification | Malware, virus, and worm mitigation | Accurate prevention technologies for inline IPS
VPN 3000 Concentrator 4.7 | SSL VPN Tunnel Client and fully clientless Citrix | Cisco Secure Desktop | Cisco NAC
Cisco IOS Software Release 12.3(14)T | Application inspection and control for Cisco IOS firewalls | Enhanced in-line IPS | NFP, virtual firewall, and IPSec virtual interface
Cisco Security Agent 4.5 | | Spyware mitigation and system inventory auditing | Context-based policies
Catalyst DDoS Modules | | Guard and Traffic Anomaly Detector |
Cisco Secure MARS | | | Event correlation for proactive response
Cisco Security Auditor | | | Network-wide security policy auditing
Cisco 800 Series and 900 Series routers | | |

The following sections discuss several of the products and technologies listed in the previous table.
Cisco PIX Security Appliance Software Version 7.0
Cisco PIX Security Appliance Software Version 7.0 provides advanced firewall and deep
inspection services to improve overall security. Highlights of the new features include:
• Web security:
— Prevents web-based attacks and port 80 misuse with advanced HTTP firewall services.
— Controls P2P actions to protect network capacity.
— Polices IM usage to ensure compliance with company policies and prevent covert
transmissions of sensitive information.
• Voice security:
— Secures next-generation converged networks.
— Controls VoIP security with improved H.323, Session Initiation Protocol (SIP),
Media Gateway Control Protocol (MGCP), Real-Time Streaming Protocol (RTSP),
and fragmentation/segmentation support.
— Supports Global System for Mobile Communications (GSM) wireless networks with a General Packet Radio Service (GPRS) inspection engine and GPRS Tunneling Protocol (GTP).
• Advanced application and protocol security provides protocol conformance, state tracking, and security checks for over 30 protocols.
• Flexible policy control provides a policy framework for granular control of user-to-user
and user-to-application network communications.

• Scalable security services (security contexts).
• Easy-to-deploy firewall services (transparent firewall capabilities).
• Improved network and device resiliency:
— Active/active and active/passive failover for enhanced high-availability.
— Zero-downtime software upgrades.
• Intelligent network integration:
— QoS traffic prioritization.
— IPv6 support for hybrid IPv4 and IPv6 network environments.
— PIM sparse mode multicast support.
Cisco DDoS Modules
Cisco DDoS modules are available for the Catalyst 6500 Series switch and 7600 Series router
and are designed to provide detection and automatic defense against DDoS attacks. Feature
highlights include:
• Anomaly Guard—This feature performs attack analysis and mitigation services. The anomaly guard, or “Guard,” uses a special traffic diversion technique that scrubs identified DDoS traffic while allowing legitimate traffic to continue unaffected. The Guard provides multiple layers of defense including dynamic filters and active antispoofing.
• Traffic Anomaly Detector—This feature passively monitors traffic and can generate alarms or activate the anomaly guard feature for automated threat mitigation.
Cisco Secure Monitoring, Analysis and Response System
Cisco Secure Monitoring, Analysis and Response System (CS-MARS) is an appliance-based
solution designed to allow organizations to better identify, manage, and counter security
threats. CS-MARS aims to address specific security issues and challenges such as:
• Security and network information overload
• Poor attack and fault identification, prioritization, and response
• Increased attack sophistication, velocity, and remediation costs
• Compliance and audit requirements
• Security staff and budget constraints
CS-MARS helps businesses meet these challenges by:
• Integrating network intelligence to modernize correlation of network anomalies and security events
• Visualizing validated incidents and automating investigation
• Mitigating attacks by fully leveraging network and security infrastructure
• Monitoring systems, network, and security operations to aid in regulatory compliance
• Delivering a scalable appliance to simplify use and deployment scenarios and lower Total
Cost of Ownership (TCO)
CS-MARS features and benefits include:
• Capability to accurately identify, correlate, visualize, prioritize, investigate, and report
incidents and mitigate attacks in progress
• Appliance-based architecture, offering turn-key installation and an easy-to-use interface
covering a wide spectrum of security devices
• Capability to collect events from firewalls, VPN concentrators, network- and host-based
intrusion prevention systems, and system logs, and to correlate event information with
vulnerability assessment and NetFlow data to detect anomalies
• Capability to extend the Cisco Self-Defending Network initiative by identifying and mitigating threats in the network
Cisco Security Auditor
Cisco Security Auditor provides crucial network and security compliance auditing services.
Cisco Security Auditor operational highlights include:
• Examining multiple router, switch, security appliance, and VPN Concentrator configurations against available best-practices checklists, such as the NSA-, CIS-, SAFE-, and
TAC-approved configurations
• Benchmarking and scoring lists of policies against published best practices
• Generating audit reports linking to security vulnerabilities found
• Providing recommendations to fix discovered vulnerabilities and deviations from best practices
Securing the Network Infrastructure with Cisco IOS Software Security Features
Cisco IOS software provides features designed to increase the security of Cisco routers and switches, and consequently the networks in which they are deployed. The Cisco SAFE axioms, Routers Are Targets and Switches Are Targets, highlight the importance of router and switch security to the overall security and health of any network.
Cisco IOS software provides the following services and features to better protect routers and
switches:
• AutoSecure—Provides a single command lock-down of IOS devices according to published NSA standards. Disables nonessential system processes and services to eliminate
potential security threats.
• Control-Plane Policing (CoPP)—Some DoS attacks target a router’s control and management plane, resulting in excessive CPU utilization and degradation or interruption of network connectivity. CoPP throttles the amount of traffic forwarded to the route processor of a router to prevent excessive CPU utilization on the router and avert the network connectivity issues that can result. CoPP uses the Modular Quality of Service Command-Line Interface (MQC).
• Silent mode—This feature reduces a hacker’s ability to scan and attack an IOS device by
stopping the router from generating certain informational packets such as ICMP messages and SNMP traps that the router usually generates. Because hackers rely on system
messages to conduct reconnaissance, use of the silent mode feature reduces the ability of
hackers to perform effective reconnaissance.
• Scavenger-Class QoS—Scavenger-class traffic is based on an Internet2 draft outlining a
Less Than Best Effort (LBE) service. IOS routers can permit Scavenger traffic (for example, traffic generated by applications such as KaZaA, Napster, and other nonbusiness or
gaming applications) as long as the service of more important traffic classes is adequate.
If congestion occurs, the scavenger class is the first dropped. This feature ensures that
management traffic gets through to the router and allows administrators to implement
appropriate ACLs or other mitigation measures to effectively deal with in-progress network attacks.
Self-Defending Network Endpoint Security Solutions
An important aspect of the Self-Defending Network initiative is distribution of security technologies throughout the network to enable every network element as a point of defense. Cisco endpoint security solutions provide distributed threat mitigation and include the following products:
• Cisco Secure Desktop—The Cisco Secure Desktop software is an integrated endpoint
security client used with the WebVPN feature on the Cisco VPN 3000 Concentrator
Series.
• Cisco Clean Access (CCA)—CCA provides similar functionality to the more robust and
scalable NAC, but its design is for the small-medium business market where a turnkey
solution is preferred. Similar to NAC, it enforces endpoint policy compliance and enables
organizations to provide access to endpoints that have been judged as “clean.” CCA can
direct noncompliant endpoints to a quarantine role with access only to resources required
to achieve policy compliance, such as AV upgrades and OS patches.

Securing the Perimeter
This section provides a review of the concepts, features, and procedures for securing Cisco
layer 2 and layer 3 equipment.
Securing Administrative Access to Cisco Routers
Access to routers can occur through serial console and aux ports or via a network interface
using Telnet, SSH, a web browser (HTTP or the more secure HTTPS), SNMP, and the Cisco
Security Device Manager (SDM).
Command-line modes for IOS-based routers and switches are:
• ROM Monitor—The reduced functionality IOS mode to which a device boots if the system IOS image is missing or corrupt.
• User EXEC mode—The default IOS shell with limited command access.
• Privileged EXEC mode—Commonly referred to as enable mode, this shell can allow
access to all IOS commands.
• Configuration modes:
— Global configuration—Allows global configuration settings
— Interface configuration—Allows configuration settings for individual interfaces
— Line configuration—Allows configuration settings for virtual terminal line (vty), console, and aux ports
Locally stored passwords, and in some cases usernames and passwords, are the first lines of
defense in protecting a router from unauthorized access via these access methods. In more
sophisticated setups, AAA authentication servers centrally store the credentials of users in lieu
of local username and password storage.
Password complexity should meet or exceed an organization’s quality standard. Cisco suggests nondictionary passwords of at least 10 characters. Cisco routers have the following
password-creation bounds:
Password and Logon-Related Commands | Command Explanation
rtr8(config-line)#exec-timeout 4 30 | Terminates idle vty sessions after 4 minutes and 30 seconds.
rtr8(config-line)#line aux 0 | Enters aux line configuration.
rtr8(config-line)#login | Allows login to the aux line. Also requires a password to be set.
rtr8(config-line)#password al!T3ab3rRy! | Sets the password for logging onto the aux port to al!T3ab3rRy!.
rtr8(config-line)#no exec | Prevents authenticated users from getting a user EXEC shell after logging on.
rtr8(config-line)#exit | Exits line configuration mode.
rtr8(config)#no service password-recovery | Disables the capability to enter ROM monitor mode, which is typically done for password recovery operations.
rtr8(config)#service password-encryption | Encrypts passwords within the configuration. password 7 refers to Vigenere cipher encrypted passwords, which are considered cryptographically weak. password 5 refers to MD5 encrypted passwords, which are considered stronger than Vigenere.
rtr8(config)#username hqadmin secret 0 This1sThePa55word | Adds an entry to the local security database. Defines the username hqadmin and a secret password that is encrypted in the configuration with MD5.
rtr8(config)#username hqadmin privilege 15 | Assigns privilege level 15 to the hqadmin user. There are 16 levels of access (0–15, from most to least restrictive respectively) that grant users system privileges. Custom privilege levels that define permitted commands can be created and tied to a logon account. Default levels are 1 (EXEC) and 15 (privileged EXEC).
rtr8(config)#security authentication failure rate 12 log | Configures the number of allowable unsuccessful login attempts before a 15-second delay is introduced. Logs the authentication failure to syslog.
rtr8(config)#banner motd % | Defines a system banner and a delimiting character (%). Other banner types: exec, incoming, login, slip-ppp. Craft banners to meet an organization’s legal requirements. Always use banners to warn those about to log on that they must have authorization and that unauthorized use is prohibited.
Notice: Unauthorized access to this system is prohibited!! % | Sample banner text with second delimiting character (%) to denote the banner end.
rtr8(config)# | Return to configuration mode command line.
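As an added example (not from the reference sheets), the following Python script audits the text of an IOS configuration for the settings in the table above: service password-encryption, secret instead of type 7 or cleartext passwords, login and exec-timeout on each line, a failure-rate lockout, and a banner. Both sample configurations, the MD5 hash, and the type 7 strings in them are constructed placeholders.

```python
"""Audit a Cisco IOS configuration against the hardening commands above. Added
example, not from the reference sheets; configs and hashes are constructed."""

WEAK_CONFIG = """\
username hqadmin privilege 15 secret 5 $1$CONSTRUCTED$placeholderhash
username backup password 7 0123456789ABCDEF
line con 0
 login
 password c0ns0le
line aux 0
 no exec
 login
 password 7 FEDCBA9876543210
line vty 0 4
 exec-timeout 0 0
 login local
"""

HARDENED_CONFIG = """\
service password-encryption
security authentication failure rate 12 log
username hqadmin privilege 15 secret 5 $1$CONSTRUCTED$placeholderhash
banner motd %
Notice: Unauthorized access to this system is prohibited!! %
line con 0
 exec-timeout 4 30
 login local
line vty 0 4
 exec-timeout 4 30
 login local
 transport input ssh
"""

def parse_line_blocks(config):
    """Return {"con 0": [subcommands], ...} for every 'line ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None   # any top-level command ends the block
    return blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings, top = [], config.splitlines()
    if "service password-encryption" not in top:
        findings.append("service password-encryption is not enabled")
    for cmd in top:
        if cmd.startswith("username ") and " secret " not in cmd:   # type 7 or cleartext
            findings.append(f"username {cmd.split()[1]}: password not stored with secret (MD5)")
    if not any(c.startswith("banner motd") for c in top):
        findings.append("no banner motd configured")
    if not any(c.startswith("security authentication failure rate") for c in top):
        findings.append("no authentication failure rate lockout configured")
    for name, cmds in parse_line_blocks(config).items():
        if not any(c.startswith("login") for c in cmds):
            findings.append(f"line {name}: login is not required")
        timeouts = [c.split()[1:] for c in cmds if c.startswith("exec-timeout")]
        if not timeouts:
            findings.append(f"line {name}: no explicit exec-timeout (IOS default of 10 minutes)")
        elif all(v == "0" for v in timeouts[0]):   # 'exec-timeout 0' or '0 0' disables the timer
            findings.append(f"line {name}: exec-timeout disabled, idle sessions never expire")
        for c in cmds:
            if c.startswith("password "):   # type 7 is Vigenere, anything else is cleartext
                kind = "type 7 (Vigenere)" if c.startswith("password 7 ") else "cleartext"
                findings.append(f"line {name}: {kind} line password; prefer login local")
    return findings
```

Running audit(WEAK_CONFIG) reports nine findings, while the hardened configuration passes every check.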
Configuring AAA for Cisco Routers
AAA (“triple A”) is a set of security services used by administrators requiring remote administrative access to network devices (TTY, vty, AUX, and console ports and HTTP-based
access) and user verification to network resources (802.1X wired and wireless network access,
dialup, VPN access). AAA defines who can access the system, the authorization users have
after the system has approved their logon, and an auditable accounting trail of their activities
while they were connected.
The AAA acronym stands for:
• Authentication—Who are you? Prove your identity.
• Authorization—With what resources are you allowed to interact?
• Accounting—When logged in, what did you do?
AAA implementation on networking devices occurs in three ways:
• A self-contained AAA local security database containing usernames and passwords
directly on the device (see the following figure). Targeted for networks with a small number of users.
(Figure: Router with Local AAA Database)
• A Cisco Secure Access Control Server (ACS) server. An external AAA server installed onto a Windows server system that scales well.
• Cisco Secure ACS Solutions Engine. A dedicated external AAA server platform that scales as illustrated in the following figure.