Cisco Security Setup & Configuration: Part 1 – a Layered Approach
1-800-COURSES
www.globalknowledge.com
Expert Reference Series of White Papers
Introduction
This paper is the first in a three-part series of white papers, each of which focuses on a functional area of securing your network. The three papers work together to create a complete picture of how to configure your network appliances for complete corporate security. The series will discuss a starting point for network security, suggested technology types, ideal points for securing your network using a layered approach, and secure ways to manage your new or existing network.
This first paper in the series introduces concepts to get started on network security and begin the process of
securing your network at the switch level.
Security Policy: Start at the Beginning
Security is one of the fastest growing branches within the networking industry, and current trends point to a steady increase in growth over the years to come. This is largely due to the integration of so many critical data types over a single network and the increased realization by companies as to just how vulnerable their networks can be. With security becoming such a focal point of networks, it is increasingly important to understand how to integrate security into a network.
As with any new project, you must start with some direction. I’m sure you have heard the adage, “If you fail to
plan, then you plan to fail.” This is never more true than when planning network security. Create your security
policy to serve as a starting point and future road map for securing your corporation.
A security policy, originally defined in request for comment (RFC) 2196 and now updated in RFC 3704, contains the whys, whats, and hows of securing your corporate environment.
Isaac A. Valdez, Global Knowledge Instructor, CCSI, CCSP, CCNP, CCDP
Copyright ©2006 Global Knowledge Training LLC. All rights reserved.
Keep in mind that your security policy is a document that defines how you will secure your corporation, corporate resources, and corporate users. As your business grows, or corporate direction changes, this document will also grow and change.

Why have a security policy?
• To create a baseline of your current security configuration.
• To define allowed and not-allowed behaviors.
• To help determine necessary tools and procedures.
• To help define roles and responsibilities.
• To state the consequences of misuse.
• To define how to handle security incidents (social & technical).
• To provide a process for continuing review.

What should be in a security policy?
• Statement of authority and scope.
• Identification and authentication policy.
• Internet use policy.
• Campus access policy.
• Remote access policy.
• Incident handling procedure.

How would I create a security policy?
• Use the very documents that govern your day-to-day business operation. For example, your physical site security regulations or corporate acceptable use policy.
• Use standards such as SOX, HIPAA, VISA, International Standards Organization (ISO) 27001, etc.
• Reference web sites for assistance:
  • www.computersecuritynow.com
  • www.sans.org/resources/policies/#primer
  • security.berkeley.edu/pols.html

Security Lifecycle: an Understanding and Review
Take a controlled, metered approach when installing any desktop/network operating system, application, or appliance. By taking a metered approach, you ensure consistent installation and hardening of each system. The following recommendations for a secure installation come directly from Cisco Systems.

Step #1: Secure Install
Install each new operating system, application, and appliance in as secure a manner as possible. This may require you to review the documentation as completely as possible, which I know we all have time to do. Also, consider staying away from default installations or installation wizards, as they often create the simplest of configurations, which are not always the most secure.

Step #2: Monitor
Once the new system has been installed, take the time to review the installation logs, operational logs, and behavior to make sure the system is operating as securely as possible.

Step #3: Test
Perform regularly scheduled tests of your new system. Such tests should be performed by both internal and external parties. You may choose to perform quarterly or bi-annual internal tests and annual audits by an external entity. Of course, no system is perfect, so expect to have areas for improvement discovered as a result of these tests. These areas of improvement lead us to the final step in the security lifecycle.
Step #4: Improve
From the items found in the testing process of step #3, make improvements in as secure a manner as possible.
Again, look to the product documentation and try to avoid any cookie cutter fixes.
Remember that this process is called a lifecycle. Once you improve upon a system, you should do so in a secure manner by performing a secure installation (step #1); then monitor all changes made and new behaviors that result from your changes (step #2); perform either internal or external tests (step #3) of these improvements to be sure that they still meet the requirements of your security policy; and, finally, improve (step #4) any areas as needed.
This lifecycle, as well as security as a whole, is a continuous process that will evolve and grow with your network. As your network changes, so will your security policy and the means by which you install, monitor, test, and improve each new system.
Device Roles & Definitions
Let’s start with a simple review of six key network security components. We will define each device and make suggestions on its placement and use.

Router: A junction between two networks that transfers data packets between them. (Ex. Cisco 1841, 3845, 7206)
Sample uses: Perimeter security via Access Control Lists (ACLs), Committed Access Rate (CAR), routing protocol security, and protocol tunneling.

Switch: A layer 2, sometimes multilayer, networking device that provides physical connectivity to end stations and redirects a frame between physical ports on that same switch. (Ex. Cisco Catalyst 3750, 4506, 6513)
Sample uses: Physical port security to control a device’s initial access to the network.

Firewall: A piece of hardware and/or software that exists to prevent specific communications forbidden by the security policy. (Ex. Cisco PIX 525, ASA 5540)
Sample uses: Stateful inspection, Virtual Private Network (VPN) tunnel termination, advanced protocol handling, deep packet inspection, and Network Address Translation (NAT).

VPN Concentrator: A security device used to connect (terminate) VPN sessions from Remote Access, Web Clients, and Site-to-Site locations. (Ex. Cisco 3015, 3030, 3060)
Sample uses: High-volume termination of Remote Access and Clientless VPN sessions, offering extensive control over the VPN sessions of the connecting device.

Intrusion Detection or Prevention System (IDS/IPS) Sensor: A device that generally detects unwanted manipulations to communication systems (individual packets and streams of packets) and is required to detect all types of malicious network traffic. (Ex. NM-CIDS, 4240, 4250XL)
Sample uses: As a device that inspects traffic/communications on all critical entry and exit points to a corporate network.

Host-based Intrusion Prevention System (HIPS): An agent (Cisco Security Agent, CSA) installed on host stations that provides security against malicious activity between applications on the host and communications from the host. Used to enforce a company’s security policy at the end-station level. (Ex. Cisco Security Agent)
Sample uses: Install on critical end-stations and servers to protect them from access to local or network resources that do not follow the security policy.

Device Use and Placement
Now that we’ve completed a cursory review and defined the more common security devices, we will explore sample topology types and device placement.

2-Leg Security, Single-Perimeter Device
Figure 1 shows a single-perimeter device controlling access to a corporate network. This security device may be a router with firewall capabilities or a true firewall. Such a topology is ideal for remote offices or small branch sites. It offers a low-cost approach to security, but it also significantly limits an administrator’s security options.
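The following Cisco IOS configuration is an added example, not taken from the white paper or from Cisco documentation; it shows what the router "sample uses" above (an inbound ACL plus a CAR rate limit) look like on the single-perimeter router of Figure 1. The interface name FastEthernet0/0, the public range 203.0.113.0/24 (a documentation prefix), the web server 203.0.113.10, the ACL name OUTSIDE-IN, ACL number 150 and the 256 kbps ICMP limit are all assumed placeholders, and the choice to drop private-source and self-addressed packets at the edge is the editor's, not the paper's.

```cisco
! Added example (not from the white paper): a single-perimeter router as in
! Figure 1 with an inbound ACL on the outside interface and a CAR rate limit.
! Interface, addresses, ACL names/numbers and the rate are assumed placeholders.
!
! Extended ACL applied inbound on the Internet-facing interface.
ip access-list extended OUTSIDE-IN
 remark Drop packets that claim a source inside our own or private address space
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 remark Allow return traffic for TCP sessions that inside hosts started
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark Allow only the one published service (assumed web server)
 permit tcp any host 203.0.113.10 eq www
 remark Make the implicit deny explicit so unexpected traffic is logged
 deny   ip any any log
!
! Numbered ACL used only to classify traffic for CAR (ICMP in this example).
access-list 150 permit icmp any any
!
interface FastEthernet0/0
 description Outside (Internet-facing)
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ! CAR: ICMP entering the perimeter is limited to 256 kbps (8000-byte bursts);
 ! conforming packets are forwarded, excess packets are dropped.
 rate-limit input access-group 150 256000 8000 8000 conform-action transmit exceed-action drop
```

Because the topology has a single device, the ACL is also the only place where mistakes show up: review the log counters from the explicit deny entries as part of the "Monitor" step above, and re-test the filter from the outside as part of "Test" after any change. On a "true firewall" the same intent is expressed with stateful inspection rules rather than the `established` keyword.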