Advanced Security Concepts
The DMZ is defined as an isolated part of the network that is easily accessible to hosts outside of the network, such as the Internet.
Figure 6-1 displays a typical network design in which a DMZ is defined with a number of bastion hosts (the first line of defense: hosts that can be sacrificed in case of a network attack or attacks).
Figure 6-1. DMZ Design

Figure 6-1 displays a typical perimeter network in which the DMZ is separated by a firewall. Firewalls are network devices such as Cisco Private Internet Exchange (PIX) Firewall, discussed later in this chapter. Firewalls are designed to protect the internal (or private) parts of a network from the public domain. Firewalls can operate at several levels of the OSI model, namely the application layer (7), network layer (3), and transport layer (4). Another popular design option is to configure the DMZ on a third interface of the firewall so that the firewall can protect both the DMZ servers and the internal network.
The aim of all firewalls is to accomplish the following:
• Serve as a traffic point: All traffic between the inside and outside of the network must pass through this traffic (or choke) point.
• Authorize traffic: Permit only authorized traffic.
• Be immune from penetration: Firewalls are designed to be immune from attacks. However, firewalls are still often attacked by outside hosts.
• Provide invisibility: Ensure that the private network is invisible to the outside world.
As shown in Figure 6-1, the perimeter router sits between the DMZ and the public domain. Typically, a high-performance router or routers will be located here, performing various duties, including the following:
1. Ensure that access to IP is restricted using access lists.
2. Restrict TCP services.
3. Prevent attacks on firewall systems.
4. Prevent DoS attacks on bastion hosts and the private network.
5. Permit only authorized traffic to the bastion hosts.
6. Log all network events to external or internal systems.
7. Perform address translation (NAT/PAT).
8. Run static or dynamic routing protocols. (Cisco PIX Firewall software release 6.3 is no longer limited to static routing and RIP; it supports RIP versions 1 and 2 along with OSPF.)
Note
Proxy servers are designed to shield internal devices from outside intruders by replacing the internal hosts' IP addresses with the proxy's own IP address. Most router vendors now allow routers to act as proxy servers. Proxy servers have scalability and speed issues, because all packets must be examined and IP headers must be modified for packet delivery.
Firewalls and perimeter routers have the additional function of packet filtering. A packet filter is a device that inspects all incoming and outgoing packets based on IP source address, destination IP address, and protocol type, such as TCP or UDP. Based on configurable options, the filter decides whether to reject traffic or allow traffic to pass through the device.
Table 6-1 summarizes the main functions of a perimeter and firewall router.
Table 6-1. Perimeter/Firewall Router Functions

Protection Service | Method
Sniffer or snooping capabilities | Control eavesdropping with the TCP/IP service and network layer encryption (IPSec).
Control unauthorized access | Use authentication, authorization, and accounting (AAA), and Cisco Secure ACS. Also, use access list filtering and PIX Firewall.
Control session replay | Control which TCP/IP sessions are authorized.
Control inbound connections | Filter packets arriving from the outside world that carry an internal address as their source.
Control outbound connections | Allow only valid IP addresses to the outside world and filter the remaining illegal addresses and outbound service requests.
Packet filtering | Use predefined access lists that control the transmission of packets from any given interface, control vty lines and access, and ensure that routing updates are authenticated.
Cisco IOS routers can filter TCP or UDP protocol types. Example 6-1 displays the variety of TCP services that you can filter on a Cisco IOS router using extended access lists.
Example 6-1. TCP Services Filtered on Cisco IOS Routers
R1(config)#access-list 100 permit tcp any any eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (used infrequently, 20)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pim-auto-rp PIM Auto-RP (496)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)
Example 6-2 displays the extended access list when filtering services based on the UDP protocol suite of services.
Example 6-2. UDP Services Filtered on Cisco IOS Routers
R1(config)#access-list 101 permit udp any any eq ?
<0-65535> Port number
biff Biff (mail notification, comsat, 512)
bootpc Bootstrap Protocol (BOOTP) client (68)
bootps Bootstrap Protocol (BOOTP) server (67)
discard Discard (9)
dnsix DNSIX security protocol auditing (195)
domain Domain Name Service (DNS, 53)
echo Echo (7)
isakmp Internet Security Association and Key Management Protocol (500)
mobile-ip Mobile IP registration (434)
nameserver IEN116 name service (obsolete, 42)
netbios-dgm NetBios datagram service (138)
netbios-ns NetBios name service (137)
netbios-ss NetBios session service (139)
ntp Network Time Protocol (123)
pim-auto-rp PIM Auto-RP (496)
rip Routing Information Protocol (router, in.routed, 520)
snmp Simple Network Management Protocol (161)
snmptrap SNMP Traps (162)
sunrpc Sun Remote Procedure Call (111)
syslog System Logger (514)
tacacs TAC Access Control System (49)
talk Talk (517)
tftp Trivial File Transfer Protocol (69)
time Time (37)
who Who service (rwho, 513)
xdmcp X Display Manager Control Protocol (177)
Examples 6-1 and 6-2 clearly indicate that a network administrator has flexibility when designing perimeter security based on particular port numbers, as defined in RFC 1700.
The growth of the Internet and the increased ease of information transfer have also meant a proliferation of network hacking tools. Whisker, Nmap, and strobe are perfect examples of this fact. A simple search on the Internet reveals many more tools. Firewalls are your first line of defense but should not be your last.
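The packet-filter description earlier in this section (source address, destination address, protocol type) and the extended access list syntax of Examples 6-1 and 6-2 can be tied together in a small evaluator. The following Python program is an added example and is not from the book or from Cisco; it parses a constructed inbound access list for a perimeter router (the 192.0.2.0/24 DMZ addresses, the 10.0.0.0/8 private range, and the 203.0.113.0/24 outside addresses are documentation ranges used as assumptions) and applies Cisco IOS first-match semantics with the implicit deny at the end. Only the port names that actually appear in Examples 6-1 and 6-2 are known to it.

```python
"""Toy evaluator for Cisco IOS-style extended access lists.

Added example (not from the book): first matching entry wins, and a packet
that matches no entry is dropped by the implicit deny.  Port names are the
subset of Example 6-1 / 6-2 names used below.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP_NAMES = {"www": 80, "smtp": 25, "domain": 53, "ftp": 21, "telnet": 23}
UDP_NAMES = {"domain": 53, "ntp": 123, "snmp": 161, "tftp": 69, "syslog": 514}

# Constructed configuration, assumed to be applied inbound on the perimeter
# router's outside interface.  Addresses are documentation ranges, not real.
INBOUND_ACL = """
! Anti-spoofing: drop anything from outside that claims an internal or DMZ source.
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
! Permit only the services the bastion hosts actually offer.
access-list 100 permit tcp any host 192.0.2.10 eq www
access-list 100 permit tcp any host 192.0.2.20 eq smtp
access-list 100 permit udp any host 192.0.2.30 eq domain
access-list 100 permit tcp any host 192.0.2.30 eq domain
! Everything else, including all traffic to the private network, hits the implicit deny.
"""


@dataclass
class Packet:
    proto: str                  # "tcp", "udp", or another IP protocol name
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port
    text: str                   # original line, reported on match


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard mask is the inverse of a netmask: 0 bits must match.
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl(config: str) -> List[Entry]:
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]' lines."""
    entries = []
    for raw in config.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "access-list":
            continue                      # skip '!' comments and blank lines
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            names = TCP_NAMES if proto == "tcp" else UDP_NAMES
            port = tokens[i + 1]
            dport = int(port) if port.isdigit() else names[port]
        entries.append(Entry(action, proto, src, dst, dport, raw.strip()))
    return entries


def _matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src:
        return False
    if ipaddress.ip_address(p.dst) not in e.dst:
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, str]:
    """Return (action, matched entry text); unmatched packets get the implicit deny."""
    for e in entries:
        if _matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny"


if __name__ == "__main__":
    acl = parse_acl(INBOUND_ACL)
    for pkt in (Packet("tcp", "203.0.113.5", "192.0.2.10", 80),   # web to bastion
                Packet("tcp", "203.0.113.5", "192.0.2.10", 23),   # telnet to bastion
                Packet("tcp", "10.1.1.1", "192.0.2.10", 80),      # spoofed inside source
                Packet("udp", "203.0.113.5", "192.0.2.30", 53),   # DNS to bastion
                Packet("tcp", "203.0.113.5", "10.1.1.1", 80)):    # straight to private net
        print(pkt, "->", evaluate(acl, pkt))
```

The anti-spoofing entries come first deliberately: because evaluation stops at the first match, a permit placed above them would let a packet with a forged internal source through to the bastion host. Running the program shows that the only permitted packets are the ones aimed at a published service on a bastion host; the Telnet attempt, the spoofed source, and the direct attempt on the private network are all denied, the last two with different matching entries reported.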
Intrusion detection systems (IDSs) are the next level of security now being added to secure IP networks, providing even greater awareness of IP packet flow through a network. IDSs are covered later in this chapter. The next section introduces basic NAT and PAT.