This book is about IP network security. Though you probably already know something about networking, we'll go over some of the language to be sure we are all working from the same concepts. Let's begin by discussing what we are trying to accomplish with IP network security.
Goals
The goals of security usually boil down to three things, represented by the acronym CIA:
• Confidentiality. Confidentiality protects sensitive information from unauthorized disclosure or intelligible interception. Information should only be seen by the intended parties in a conversation, not by eavesdroppers.
• Integrity. Integrity ensures that information or software is complete, accurate, and authentic (in other words, it isn't altered without authorization). We want to ensure mechanisms are in place to protect against accidental or malicious changes, and may wish to produce documented trails of which communications have occurred.
• Availability. Availability ensures that information and services are accessible and functional when needed and authorized. There is a related concept of trust. The formal definition of trust concerns the extent to which someone who relies on a system can have confidence that the system meets its specifications (that is, the system does what it claims to do and does not perform unwanted functions).
Different systems and businesses will place differing levels of importance on each of these three characteristics. For example, while Internet service providers (ISPs) may be concerned with confidentiality and integrity, they will be more concerned with protecting availability for their customers. The military, by contrast, places more emphasis on confidentiality, with its system of classifications of information, and the clearances for people who need to access it. Most businesses must be concerned with all three elements, but will be concerned primarily with the integrity of their data.
Confidentiality
Confidentiality protects sensitive information from unauthorized disclosure or intelligible interception. Cryptography and access control are used to protect confidentiality. The effort applied to protecting confidentiality depends on the sensitivity of the information and the likelihood of it being observed or intercepted.
Damage & Defense…
Cleartext Passwords
Passing in cleartext the passwords that permit administrative access to systems is a severe security risk. Use access control mechanisms and, where possible, encrypted channels (such as SSH) to communicate with infrastructure devices. Many Cisco devices support SSH with a modern image.
Network encryption can be applied at any level in the protocol stack. Applications can provide end-to-end encryption, but each application must be adapted to provide this service. Encryption at the transport layer is used frequently today. Virtual private networks (VPNs) can be used to establish secure channels of communication between two sites or between an end user and a site. (VPNs are covered in more detail in Chapter 5.) Encryption can be used at the OSI data-link layer, but doesn't scale easily; every networking device in the communication pathway would have to participate in the encryption scheme. Data-link layer encryption is making a comeback in the area of wireless security, such as in IEEE 802.11. Physical security, meanwhile, is used to prevent unauthorized access to network ports or equipment rooms. One of the risks at the physical level is violation of access control through the attachment of promiscuous packet capture devices to the network, particularly with the widespread use of open source tools such as Ethereal (www.ethereal.com) and tcpdump (www.tcpdump.org) that permit nearly any host to become a packet decoder.
Integrity
Integrity ensures that information or software is complete, accurate, and authentic. We want to keep unauthorized people or processes from making any changes to the system, and keep authorized users from making changes that exceed their authority. These changes may be intentional or unintentional, and similar mechanisms can protect a system from both.
For network integrity, we need to ensure that the message received is the same message that was sent: the content of the message must be complete and unmodified, and the link must be between valid source and destination nodes. Connection integrity can be provided by cryptography and routing control. Simple integrity assurance methods that detect incidental changes, such as adding up all the bytes in a message and recording the sum as a field in the packet, are used in everyday IP flows. More robust approaches, such as taking the output of a hash function like message digest (version) 5 (MD5) or the secure hash algorithm (SHA) and adding it to the message, as IPSec does, can detect attempted malicious changes to a communication.
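The difference between the two kinds of integrity field described above is easy to see in code. The following is an added example, not code from the book: it computes a byte-sum checksum of the kind carried in everyday IP headers and a keyed hash (HMAC) of the kind IPSec carries, then subjects a message to line noise (one flipped bit) and to a deliberate edit that rearranges bytes. The key, the message and the use of HMAC-SHA256 (rather than the HMAC-MD5 or HMAC-SHA-1 of IPSec) are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample values (not from the book): a shared key and a message.
KEY = b"constructed-shared-secret-key"
MESSAGE = b"transfer 100 to alice, transfer 900 to bob"


def byte_sum_checksum(data: bytes) -> int:
    """Simplest integrity field: the sum of all bytes, kept to 16 bits.
    It detects incidental damage such as a flipped bit, but nothing more."""
    return sum(data) & 0xFFFF


def compute_mac(key: bytes, data: bytes) -> bytes:
    """Keyed hash (HMAC-SHA256). Without the key, nobody can produce a
    valid tag for a modified message."""
    return hmac.new(key, data, hashlib.sha256).digest()


def checksum_verifies(data: bytes, expected: int) -> bool:
    return byte_sum_checksum(data) == expected


def mac_verifies(key: bytes, data: bytes, expected: bytes) -> bool:
    # compare_digest does not leak where the comparison failed via timing.
    return hmac.compare_digest(compute_mac(key, data), expected)


def flip_one_bit(data: bytes, index: int) -> bytes:
    """Simulated line noise: corrupt a single bit of one byte."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def swap_slices(data: bytes, i: int, j: int, length: int) -> bytes:
    """A deliberate edit that only rearranges existing bytes, so the
    byte sum is unchanged while the meaning of the message is not."""
    out = bytearray(data)
    out[i:i + length] = data[j:j + length]
    out[j:j + length] = data[i:i + length]
    return bytes(out)


def demonstrate(key: bytes = KEY, message: bytes = MESSAGE) -> dict:
    """Compare how each integrity field responds to noise versus tampering."""
    checksum = byte_sum_checksum(message)
    tag = compute_mac(key, message)

    noisy = flip_one_bit(message, 0)
    tampered = swap_slices(message, message.index(b"100"), message.index(b"900"), 3)

    return {
        "tampered_message": tampered,
        "noise_caught_by_checksum": not checksum_verifies(noisy, checksum),
        "noise_caught_by_mac": not mac_verifies(key, noisy, tag),
        "tamper_caught_by_checksum": not checksum_verifies(tampered, checksum),
        "tamper_caught_by_mac": not mac_verifies(key, tampered, tag),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

Run as a script, the checksum catches the flipped bit but passes the rearranged message unchanged (the two amounts have simply traded places), while the HMAC rejects both. That is the whole point of the paragraph: a checksum answers "was this damaged in transit?", a keyed hash answers "was this changed by anyone without the key?".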
For host integrity, cryptography can also come to the rescue. Using a secure hash can identify whether an unauthorized change has occurred. However, of fundamental importance are careful use of audit trails to determine what changed, when the change occurred, and who made the change. Sound security design includes a centralized log server, and policy and procedure around safe handling of audit data.
Integrity also extends to the software images for network devices that are transporting data. The images must be verified as authentic and as not having been modified or corrupted. Just as a transported IP packet has a checksum to verify it wasn't accidentally damaged in transit, Cisco provides a checksum for IOS images. When copying an image into flash memory, verify that the checksum of the bundled image matches the checksum listed in the README file that comes with the upgrade.
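The two preceding paragraphs describe the same mechanism applied twice: a secure hash tells you whether a host's files have changed, and a published digest tells you whether a copied image is the one the vendor shipped. The following is an added example, not code from the book or from Cisco. It builds a digest baseline of a directory, reports what changed against that baseline (the "what changed" half of an audit trail), and checks a copied image against a README-style digest string. The files are constructed in a temporary directory, and SHA-256 stands in for whatever checksum the vendor's README actually lists.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str) -> str:
    """Digest a file in chunks so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Record a digest for every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Answer 'what changed?' by listing modified, added and removed files."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def image_matches_published_digest(path: str, published_hex: str) -> bool:
    """Compare a copied image against the digest printed in the upgrade's README.
    The comparison is case-insensitive and constant-time."""
    return hmac.compare_digest(sha256_file(path).lower(), published_hex.strip().lower())


def _write(root: str, name: str, data: bytes) -> None:
    with open(os.path.join(root, name), "wb") as handle:
        handle.write(data)


def demo() -> dict:
    """Constructed scenario: baseline a device's files, then detect drift and a damaged image."""
    with tempfile.TemporaryDirectory() as root:
        image = os.path.join(root, "ios-image.bin")
        _write(root, "ios-image.bin", b"constructed sample image bytes, not a real IOS image")
        _write(root, "startup-config", b"hostname edge-router\n")
        _write(root, "notes.txt", b"rack 3, slot 2\n")

        # The "published" digest stands in for the value listed in the vendor README.
        published = sha256_file(image).upper()
        baseline = build_baseline(root)
        image_ok_before = image_matches_published_digest(image, published)

        # Simulate what an audit trail should catch: an edited config, a stray
        # file, a deletion, and a corrupted image (one extra byte appended).
        _write(root, "startup-config", b"hostname edge-router\nlogging host 192.0.2.10\n")
        _write(root, "extra.bin", b"unexpected file")
        os.remove(os.path.join(root, "notes.txt"))
        with open(image, "ab") as handle:
            handle.write(b"\x00")

        image_ok_after = image_matches_published_digest(image, published)
        report = compare_to_baseline(root, baseline)

    return {"image_ok_before": image_ok_before, "image_ok_after": image_ok_after, "report": report}


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored somewhere the host being checked cannot alter, such as the centralized log server the text recommends; a baseline kept on the monitored device tells you only that the device agrees with itself. The digest comparison answers "what changed"; "when" and "who" still come from the audit trail.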
Availability
Availability ensures that information and services are accessible and functional when needed. Redundancy, fault tolerance, reliability, failover, backups, recovery, resilience, and load balancing are the network design concepts used to assure availability. If systems aren't available, then integrity and confidentiality won't matter. Build networks that provide high availability.
Your customers or end users will perceive availability as being the entire system: application, servers, network, and workstation. If they can't run their applications, then it is not available. To provide high availability, ensure that security processes are reliable and responsive. Modular systems and software, including security systems, need to be interoperable.
Denial of service (DoS) attacks are aimed at crippling the availability of networks and servers, and can create severe losses for organizations. In February 2000, large Web sites such as Yahoo!, eBay, Amazon, CNN, ZDNet, E*Trade, Excite, and Buy.com were knocked offline or had their availability reduced to about 10 percent for many hours by distributed denial of service (DDoS) attacks. The attacks were not particularly sophisticated (they were launched by a teenager) but were disastrously effective.
Note
Having a good inventory and documentation of your network is important for day-to-day operations, but in a disaster, you can't depend on having it available. Business Continuity/Disaster Recovery is an important aspect of security design. Store the configurations and software images of network devices offsite with your backups from servers, and keep them up to date. Include documentation about the architecture of your network. All of this documentation should be available in printed form because electronic versions may be unavailable or difficult to locate in an emergency. Such information will save valuable time in a crisis.
Cisco makes many products designed for high hardware availability. These devices are characterized by a long mean time between failure (MTBF) with redundant power supplies, and hot-swap...