Network Security

Published on May 2016 | Categories: Types, Books - Non-fiction | Downloads: 63 | Comments: 0 | Views: 355
Guide for the essentials on network security


Network Security First-Step
Tom Thomas
© 2005 Cisco Press
ISBN 1587200996

What You Will Learn
This chapter discusses the use of technologies that have evolved to support and enhance network security. Many of these technologies are used today without the user really understanding when or where they are operating. After reading this chapter, you will understand the benefits of these technologies, where they operate, and some of the risks associated with them. By the end of this chapter, you should know and be able to explain the following:


✔ How packet filtering can be employed to reduce simple threats to a network
✔ Precisely what stateful packet inspection is, and why we need firewalls to use this technology
✔ The role and placement of proxy technology
✔ Network Address Translation (NAT) and how it is being used to allow the Internet to continue to grow
✔ How Public Key Infrastructure (PKI) has the potential to protect the flow of information in a global manner
✔ Identify several authentication technologies and how they are used to secure network resources

Being able to answer these key questions and understand the concepts behind them will allow you to understand the overall characteristics and importance of the security technologies covered in this chapter. By the time you finish this book, you will have a solid appreciation for network security, its issues, how it works, and why it is important.

CHAPTER 3

Overview of Security Technologies
A man travels the world over in search of what he needs and returns home to find it.—Author Unknown
So far, this book has painted in broad strokes the steps an attacker could possibly take to gain access to sensitive resources. The first step in protecting these resources is the global security policy created by combining the many aspects discussed in Chapter 2, “Security Policies and Responses.” This chapter introduces some of the more broadly used security technologies. Each of these technologies contains a concept or specific role that increases the security of your network when designed and implemented in a layered design.

Security First Design Concepts
Network security can be a many-headed beast with regard to the potential attacks and threats against the network. The resources and opinions on this subject are incredible, and opinions vary greatly depending on whom you ask. For example, a simple Google search on “designing a secure network” returns almost half a million results. Looking in any bookstore also reveals almost as many! The point is that experts in each area of network design have written so much on designing a secure network that to try to do the subject justice here is beyond the scope of this book. Current texts on network security offer a granular approach to the subject. This book illustrates good network security design principles to build the strongest possible foundation for the reader. However, we cover some important design concepts of which you must be aware:


■ Layered security—A network that implements layered security truly understands that a single point of defense is doomed to eventual failure. Thus, as Figure 3-1 demonstrates, implementing security consistently throughout a network at as many points as possible is considered good design. This concept of layering a network’s security is the single-most important design concept in this chapter.

Figure 3-1 Layered Security Points (figure not reproduced: Internet, Router, Firewall, LAN Switch, Users, and Servers, annotated “Implement Security at Every Layer”)

■ Controlling access—The network is ultimately your responsibility and, as a result, you determine what is allowed into your network. One highly recommended practice is to make access decisions with the mindset of “block everything, and only allow what is needed to conduct business.” This has also been referred to as the Policy of Least Privilege (POLP). This is the default action of Cisco firewalls.

■ Role Specific security—When deciding upon access and privilege (that is, trust), one of the most useful templates to use is based on a user’s role within the organization. For example, a web developer would clearly need access to the organization’s website, while an administrative assistant would not.

■ User awareness—Stories abound about users writing down passwords, changing them five times in a row, and then using their original password again. It is not that users are intentionally bypassing security; they do not understand the purpose of the security. Thus, user awareness through training is essential to get users to understand the importance of security. One great idea for getting users to attend training and learn why it is important is to serve ice cream with all the trimmings. This method appeals to a base need, but it is also effective and fun; you will become a very popular person! It is crucial to have your users truly aware of security and supportive of security policies.

■ Monitoring—Perhaps one of the most forgotten aspects of security is monitoring. Many organizations believe that it is enough simply to have security. They forget that monitoring their systems to ensure that they remain secure and are not subject to attack is also crucial. Chapter 9, “Intrusion Detection and Honeypots,” discusses the methods that are used to monitor for attacks: Intrusion Detection Systems (IDS). A strongly recommended practice is to include provisions for IDS when designing a network’s security solution.

■ Keep systems patched—Patching/upgrading systems is a fundamental task that is often forgotten by system administrators with their busy schedules. Fortunately, many newer operating systems can remind you when new updates are available. For example, I use an Apple PowerBook G4 running OS X (a.k.a. Jaguar); within this operating system is a built-in functionality that automatically checks for updates, as shown in Figure 3-2. The only downside in this example is that I do not yet have an Apple iPod, which would require this update. Regardless, you can understand the point: Always make the time to check for patches for your systems because hackers are always pushing to find and exploit. For Windows users, Microsoft has also included this automatic update functionality in newer versions of its operating systems.

Figure 3-2 Mac OS X Automatic Update Functionality (screenshot not reproduced)

■ Response team—Security concerns will inevitably be brought to you in some form or another. Perhaps your systems have become the target of an attack or you have detected that the compromise and damage has already been done. This aspect of design deals with how an organization responds to an attack and deals with whatever situation it is experiencing. It is best to include and consider response teams and the process of responding in practice rather than when you are under pressure and the situation is extreme. So design it now; the benefits come later. Practice makes perfect, and dry runs can help point out a plan’s flaws that do not seem evident at the time the plan is written.

These first-step security design considerations will allow you to understand how to begin securing any network. The next section begins to discuss the specifics of how security technologies are used and their roles in protecting a network.


Packet Filtering via Access Control Lists (ACLs)
As you probably already know, all information that flows across the Internet uses TCP/IP and, in turn, this information is sent in small pieces known as packets. In the early days of the Internet, filtering based on packets was common and, in many cases, routers in many networks still use packet filtering. Packet filters are often used as a first defense in combination with other firewall technologies. Today, their most common implementation is seen in the access control lists of routers at the perimeters of networks. Packet filtering is one of the oldest and most common types of packet inspection technologies available. It begins by inspecting a packet’s contents and applying rules to determine whether a packet should be dropped or allowed. Although many characteristics are possible within a TCP/IP packet’s header (that is, protocol, port, and so on), this discussion refers to filtering based on the source or destination IP address, as shown in Figure 3-3.
Figure 3-3 Packet Filtering at Layer 3 of the TCP/IP Model (figure not reproduced; layers shown: 5 Application, 4 Transport (TCP/UDP), 3 Internet Protocol (IP), 2 Data Link, 1 Physical; annotation: “Traffic is filtered based on specified rules, including source and destination IP address.” Incoming traffic is marked allowed or disallowed at Layer 3, and only allowed traffic continues as outgoing traffic.)


The method used to configure and deploy packet filters on Cisco routers is known as access control lists (ACLs). The two main types of ACLs are standard ACLs, which filter based on IP address, and extended ACLs, which look further into a packet header, if so configured.

Note: Standard ACLs are source address-based, and extended ACLs are source-based and destination-based and have more capabilities, such as specifying port or protocol. The following ACL styles for IP are supported:
• Standard IP ACLs—Use source addresses for matching operations
• Extended IP ACLs (control plane only)—Use source and destination addresses for matching operations, and optional protocol type and port numbers for finer granularity of control
• Named ACLs—Use source addresses for matching operations
Refer to the following URL for more information about ACLs and Cisco devices (Cisco.com account required): http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#types

Packet filters inspect each packet of data individually, examining source and destination IP address and ports. Only the most basic attributes of each packet are examined; for this reason, they can decide packet flow quickly. The characteristics of each one of these inspection points determine whether the given packet should be allowed or denied. The use of ACLs is how packet filtering is conducted on Cisco devices; they are one of the focal points of this section. Because every packet of every connection is checked against the access control rules, larger, complex packet-filtering rule bases could decrease performance of the device upon which they are applied. In addition, because packet filters can check only low-level attributes, they are not secure against malicious code hiding in the other layers.


The use of ACLs is one of the most confusing topics to many. As you will see in the following section, a good understanding of ACLs can be less confusing when superimposed on a good analogy that relates to real life.

Grocery List Analogy
This analogy is just one way to introduce and explain the concepts behind packet filtering via ACLs. You must consider certain key principles while considering this grocery list analogy. Table 3-1 begins the analogy by comparing packet filtering via ACLs with creating a grocery list.
Table 3-1 ACL Analogy Overview

ACL Characteristic       Grocery List Analogy
ACLs are effective       Following a list is efficient and saves money.
Top-down processing      The order of the items on the list is important.
Place denies first       There are items that are not on the list, so do not buy them.
Always have a permit     A list must always include things that are permitted.
Implicit deny all        You can only buy what is on the list.

In planning a turkey dinner, my wife and I discovered that we needed some things to finish cooking; we decided to make a list. This way, I would not forget what we needed when I went to the store. We knew that we had the following things, so they are not going on the grocery list:
■ Turkey
■ Stuffing
■ Bread
■ Cheese


In other words, I cannot buy these ingredients because my wife says that we do not need them. When I make a list of the things I am allowed to buy, my list is rather broad. I am happy with the list; it will do the job, so I am ready to head to the grocery store to get the following items:
■ Milk
■ Pie
■ Potatoes
■ Gravy
■ **Buy nothing else**

This list is broad because there are many types of milk and many types of pies. Because we need these ingredients, I can buy them. This broad grocery list analogy can relate directly to a standard ACL when expressed as follows:
[standard acl] Regular Grocery List
[deny] Turkey
[deny] Stuffing
[deny] Bread
[deny] Cheese
[permit] Milk
[permit] Pie
[permit] Potatoes
[permit] Gravy
[implicit deny all else] **Buy nothing else**

Notice the last line; my wife imposes this restriction on me because I have a great deal of affection for chocolate ice cream and sale items. Now, she does not have to actually say the words to me because, after 16 years of marriage, I implicitly understand that I am not allowed to buy anything else.


I decide to show my list to my wife to make sure I did not miss anything. She reviews the list and decides I need more specific instructions because it is important to buy the right “kind” of groceries. She begins writing on my list:
[extended acl] Extended Grocery List (i.e., wife’s version)
[deny] Turkey
[deny] Stuffing
[deny] Bread
[deny] Cheese
[permit] Milk - 2% White
[permit] Pie - Mrs. Smith’s Pumpkin
[deny] Potatoes - Red, as a guest is allergic to this type
[permit] Potatoes - any potatoes other than red are okay
[permit] Gravy - White Country
[implicit deny all] **Buy nothing else**

This type of list allows for a more granular level of filtering or, in my case, a more rewarding return home with the ingredients I was permitted to buy. Did you notice the difference between the two lists? The first list was rather broad and not specific at all, while the second list was extremely specific and told me not only exactly what not to buy, but more specifically what I was permitted to buy. Ultimately, the implicit understanding is that everything else is denied. You probably relate to the challenges of shopping when you are married and are also wondering how this relates to ACLs and packet filtering. Packets have identifiable characteristics that access lists use to classify them and take an action—either permit or deny. Consider Example 3-1, which shows what a standard access list based on my analogy might look like.
Example 3-1 Analogy as a Standard Access List

access-list 10 deny any turkey
access-list 10 deny any stuffing
access-list 10 deny any bread
access-list 10 deny any cheese
access-list 10 permit any milk
access-list 10 permit any pie
access-list 10 permit any potatoes
access-list 10 permit any gravy


The standard access list in a Cisco device is primarily used to filter packets based on IP addresses. In addition, numbering them identifies a standard access list; specifically, they use 1–99 and 1300–1399 as identification numbers. If you were to take this example a technical level deeper and use IP addresses and subnets, it would look like Example 3-2 in a Cisco device’s configuration.
Example 3-2 Standard Access List Filtering Packets

! Standard ACL 10 permits the four /24 subnets; the wildcard mask 0.0.0.255 marks the host bits as “don’t care”
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.20.0 0.0.0.255
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 10 permit 192.168.40.0 0.0.0.255

You are probably wondering what happened to the deny statements. With Cisco ACLs, there is that implicit deny of everything else at the end, which you do not “see” in the configuration. Thus, you do not have to enter the deny statements. You could take the standard ACL and expand it to be even more specific by using an extended ACL; this is what my wife did when she gave me more specific instructions. Because they are designed to identify packets, ACLs fulfill many roles in the world of networking. After a packet is identified, it can be acted upon in some manner. This action might include sending it after a more important packet, or perhaps filtering the packet. Figure 3-4 shows the placement of an ACL to filter packets.
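The top-down, first-match, implicit-deny behaviour described above, written out as an added Python example. This is not code from the book or from Cisco IOS; the AclEntry and Packet classes, the wildcard_to_cidr helper and the evaluate function are a hypothetical evaluator of my own. It carries Example 3-2 into working form with its /24 wildcard masks and adds a constructed extended list (ACL 100, web server 10.0.0.1) so that the “place denies first” rule from Table 3-1 can be seen to matter.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical ACL model (not IOS): one entry per line of an access-list.
@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    src: str                        # source network in CIDR form, or "any"
    dst: str = "any"                # extended entries also match the destination
    protocol: str = "ip"            # "ip" matches any protocol; "tcp"/"udp"/"icmp" otherwise
    dst_port: Optional[int] = None  # destination port, meaningful for tcp/udp only

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    dst_port: Optional[int] = None

def wildcard_to_cidr(network: str, wildcard: str) -> str:
    """IOS writes masks as wildcards (0.0.0.255 = 'last octet is don't-care'); convert to CIDR."""
    netmask = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return f"{network}/{bin(netmask).count('1')}"

def in_network(address: str, network: str) -> bool:
    return network == "any" or ipaddress.ip_address(address) in ipaddress.ip_network(network, strict=False)

def entry_matches(entry: AclEntry, pkt: Packet) -> bool:
    if not in_network(pkt.src, entry.src) or not in_network(pkt.dst, entry.dst):
        return False
    if entry.protocol != "ip" and entry.protocol != pkt.protocol:
        return False
    return entry.dst_port is None or entry.dst_port == pkt.dst_port

def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """Top-down processing: the first entry that matches decides. A packet that matches
    nothing falls through to the implicit 'deny any' that ends every Cisco ACL."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action
    return "deny"

# Example 3-2 from the chapter: four permitted /24 subnets, nothing else (implicit deny)
STANDARD_ACL_10 = [
    AclEntry("permit", wildcard_to_cidr(net, "0.0.0.255"))
    for net in ("192.168.10.0", "192.168.20.0", "192.168.30.0", "192.168.40.0")
]

# Constructed extended ACL in the spirit of the "wife's list": the specific deny is placed
# before the broad permit, exactly as Table 3-1 advises.
EXTENDED_ACL_100 = [
    AclEntry("deny", "192.168.10.0/24", "10.0.0.1/32", "tcp", 23),  # no telnet to the server from this subnet
    AclEntry("permit", "any", "10.0.0.1/32", "tcp"),                 # any other TCP traffic to the server
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.20.7", "10.0.0.1"), Packet("192.168.50.7", "10.0.0.1")):
        print("ACL 10:", pkt.src, "->", evaluate(STANDARD_ACL_10, pkt))
    telnet = Packet("192.168.10.5", "10.0.0.1", "tcp", 23)
    print("ACL 100 as written:", evaluate(EXTENDED_ACL_100, telnet))
    print("ACL 100 with the permit first:", evaluate(list(reversed(EXTENDED_ACL_100)), telnet))
```

Running the last two lines shows the ordering rule directly: with the deny first the telnet packet is dropped, but if the broad permit were entered first it would match on the way down and the deny line would never be reached.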
Figure 3-4 Placement of Packet Filters (figure not reproduced: packets from Users travel Internet → Router → Firewall → LAN Switch → Servers; annotation at the router: “Place inbound packet filters at the closest point of entry to the network.”)


Limitations of Packet Filtering
It is time to talk about the drawbacks of using packet filtering. Certainly, you can stop many things with their use. Consider that you have a web server in a DMZ; all web/HTTP traffic must be able to reach this server. This server happens to be running Microsoft’s IIS web server software, and an attacker decides to directly attack the web server using web/HTTP traffic. Because the attack targets vulnerabilities in IIS, the packets are allowed. So, although packet filtering is not good security (on its own), it most certainly is another technique that will increase the depth of your security.

Note: You can find additional ACL information and techniques at the following Cisco.com URL (Cisco.com account required): http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c0.html

The next section takes packet filtering a step further by discussing stateful packet inspection.

Stateful Packet Inspection (SPI)
This section discusses the more advanced technique of packet inspection: Stateful Packet Inspection (SPI). To understand how SPI operates, you must briefly review the TCP/IP model.

Note: Many people are confused about the relationship between the OSI reference model and the TCP/IP model. Simply put, OSI is used as a reference by developers, whereas functionally (and in teaching) TCP/IP is the model that is used. Therefore, you must use the TCP/IP model when inspecting packets.


In Figure 3-5, you can see the five layers of the TCP/IP model. The stateful inspection component is concerned with how TCP (Layer 4—transport) makes connections. Tracking the state of the TCP connection is done via Layer 4 of the TCP/IP model.
Figure 3-5 TCP/IP Model (figure not reproduced; layers shown: 5 Application, 4 TCP/UDP, 3 Internet Protocol (IP), 2 Data Link, 1 Physical; annotation: “Traffic is filtered based on specified session rules, such as when a session is initiated by a recognized computer. Unknown traffic is allowed only up to Layer 4 of the Network Stack.” Incoming traffic is marked allowed or disallowed, and only allowed traffic continues as outgoing traffic.)

In most cases, SPI occurs in a firewall, which sits behind the router that connects your network to the Internet. If you have implemented packet filtering on the router as your first line of defense, the next line of defense will be SPI at the firewall, as shown in Figure 3-6.
Figure 3-6 Placement of Stateful Packet Inspection (figure not reproduced: packets from Users travel Internet → Router → Firewall → LAN Switch → Servers; inbound packet filters are applied at the router and stateful packet inspection at the firewall)


This placement and added security allows for the defense in depth to be layered at yet another level, with the goal of completely securing the network via multiple layers of protection. SPI is usually implemented in a firewall so the TCP/IP connections can be inspected more closely. Thus, this technology is considered connection aware in that SPI monitors and understands that a connection between two computers usually consists of many packets that flow back and forth between the computers. Stateful inspection of packets occurs during the first packets that are used to create this connection. As the connection is inspected, an entry is created in a table. Then, as future packets are received, they are verified against entries in this table to see whether they belong to an existing and recorded connection. If the packets pass this verification phase, they are allowed to pass. At a very high level, that is how SPI occurs. The following section examines this process in more detail.

Detailed Packet Flow Using SPI
Because this book strives to always present best practices regarding network security and the associated technologies, this more detailed discussion is based on the assumption that the external router is in place and that it is configured to prescreen connection attempts into the network by using packet filtering. Therefore, picking up the packet as it passes through the router and its packet filtering, the next step is the packet arriving at the firewall:
1. When a packet arrives at the firewall, a decision must be made to determine whether the packet should be allowed (forwarded) to the internal network.
2. The device performing the stateful packet inspection takes each arriving packet and inspects its headers to determine whether they match the set of rules that control what kind of packets are allowed.
3. When inspecting the packet’s headers, the inspection includes the packet’s source and destination addresses, its protocol type (TCP, UDP, ICMP, and so forth), its source and destination ports, flags set on the packet (SYN, ACK, FIN, RST, and so on), or other such basic header information. Incoming packets are inspected until enough information has been gathered from the packets received (using information such as TCP sequence numbers) to determine the connection’s “state.”


4. This inspection data is compared against the rule set that has determined what should be allowed and what should be denied. For example, only HTTP traffic might be allowed to a web server, while all other traffic trying to reach the web server should be denied. This is a common rule wherein only a certain type of traffic is allowed to a certain server.
5. Depending on the connection status, this inspection information is then compared to a stateful table that would have entries for each TCP/IP connection the device has allowed. For example, most devices allow everyone from inside the network to access anything they want outside the network, and that connection would have formed an entry in the state table. Rather than allowing all packets that meet the rule set’s requirements to pass, only those packets that are part of a valid, established connection are permitted.
6. Ultimately, packets are either permitted or denied depending on these inspection steps. Because these rules/tables are only consulted once, complex inspection rules do not greatly impact performance. SPI rules are not as easy to create as packet-filtering rules because of the added level of complexity. However, they are certainly worth the money and effort because they add an additional level of security to your network. They are also fast and can handle large amounts of network traffic. If the metrics recorded for the connection do not match the entry in the connection database, the connection is dropped.

Note: Usually, firewalls are the devices of choice for performing stateful packet inspection; however, routers can also be used in this role. However, this is not advised because mixing network devices’ roles alters the functions they were designed to perform. Some might argue that you can successfully combine roles and devices; perhaps this might be appropriate in the distant future—for today and for the networks I am responsible for securing, I advise against it.
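The six steps above, as an added Python example that is not from the book or from any firewall vendor: a hypothetical StatefulFirewall class of my own with a rule set of (server, port) pairs that outside hosts may connect to, and a state table keyed on the connection's addresses and ports. The packets in run_scenario are constructed. The model tracks TCP only, as the text says; a UDP packet has no state to track and is left to packet filtering, which here simply means “deny”.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]      # TCP flags, e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})
    inbound: bool              # True when the packet arrives from the Internet side
    proto: str = "tcp"

@dataclass
class Conn:
    state: str                 # SYN_SENT -> ESTABLISHED -> FIN_WAIT
    opened_inbound: bool       # direction of the original SYN

SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})

class StatefulFirewall:
    """Hypothetical SPI device: rule set for new connections, state table for everything after."""

    def __init__(self, allowed_inbound: Set[Tuple[str, int]]):
        self.allowed_inbound = allowed_inbound   # (server_ip, port) pairs the rule set permits from outside
        self.table: Dict[Tuple[str, int, str, int], Conn] = {}   # the state table

    @staticmethod
    def _key(p: Pkt) -> Tuple[str, int, str, int]:
        # normalise both directions of a connection to one (inside, outside) key
        return (p.dst, p.dport, p.src, p.sport) if p.inbound else (p.src, p.sport, p.dst, p.dport)

    def process(self, p: Pkt) -> str:
        if p.proto != "tcp":
            return "deny"                       # no connection state to track; left to packet filtering
        key = self._key(p)
        conn = self.table.get(key)
        if conn is None:
            # steps 2-4: only a bare SYN may create an entry, and an inbound SYN must match the rule set
            if p.flags != SYN:
                return "deny"                   # unsolicited ACK/FIN/data with no recorded connection
            if p.inbound and (p.dst, p.dport) not in self.allowed_inbound:
                return "deny"
            self.table[key] = Conn("SYN_SENT", p.inbound)
            return "permit"
        # steps 5-6: the packet belongs to a recorded connection; check it fits the connection's state
        if "RST" in p.flags:
            del self.table[key]
            return "permit"
        if conn.state == "SYN_SENT":
            if p.flags == SYN and p.inbound == conn.opened_inbound:
                return "permit"                 # retransmitted SYN from the initiator
            if p.flags == SYN_ACK and p.inbound != conn.opened_inbound:
                conn.state = "ESTABLISHED"      # handshake reply from the responder
                return "permit"
            return "deny"                       # anything else does not fit a half-open connection
        if "FIN" in p.flags:
            if conn.state == "FIN_WAIT":
                del self.table[key]             # second FIN: conversation over (a real device keeps it briefly)
            else:
                conn.state = "FIN_WAIT"
            return "permit"
        return "permit" if "ACK" in p.flags else "deny"

def run_scenario() -> List[str]:
    """Constructed packet sequence; returns the firewall's decision for each packet in order."""
    fw = StatefulFirewall(allowed_inbound={("192.168.1.20", 80)})
    ACK = frozenset({"ACK"})
    packets = [
        Pkt("192.168.1.10", 40000, "203.0.113.5", 80, SYN, inbound=False),      # inside host opens a web session
        Pkt("203.0.113.5", 80, "192.168.1.10", 40000, SYN_ACK, inbound=True),   # reply matches the table entry
        Pkt("192.168.1.10", 40000, "203.0.113.5", 80, ACK, inbound=False),      # handshake completes
        Pkt("203.0.113.5", 80, "192.168.1.10", 40001, ACK, inbound=True),       # unsolicited: no table entry
        Pkt("198.51.100.7", 5555, "192.168.1.20", 80, SYN, inbound=True),       # rule set permits HTTP to server
        Pkt("198.51.100.7", 5556, "192.168.1.20", 23, SYN, inbound=True),       # telnet is not in the rule set
        Pkt("198.51.100.7", 5557, "192.168.1.20", 80, ACK, inbound=True),       # ACK without a SYN first
        Pkt("198.51.100.7", 53, "192.168.1.20", 53, frozenset(), True, "udp"),  # UDP: nothing to track
    ]
    return [fw.process(p) for p in packets]

if __name__ == "__main__":
    print(run_scenario())
```

Packet 4 is the interesting one: its headers alone would pass a packet filter that permits established traffic, but the state table has no entry for port 40001, so SPI drops it.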


Limitations of Stateful Packet Inspection
Although SPI devices have improved scalability and benefits over packet filtering, they are not the ultimate point of protection for your network. Consider the following two major disadvantages of stateful packet inspection:


■ No application level inspection—SPI cannot look at a packet any higher than Layer 4 of the OSI reference model. In practice, this is how attacks are able to succeed against servers that are accessible in some manner and protected by firewalls performing stateful packet inspection.

■ No connection state for every TCP/IP protocol—Certain protocols within TCP/IP have no method of tracking the state of their connection between computers. Specifically, ICMP or UDP have no connection state; thus, in the layered model, these protocols should be subjected to packet filtering because they have no connection state to track.



This section discussed the capability of security devices, such as firewalls, to track the state and thereby the validity of a connection to determine whether it should be allowed into the protected area of your network. The next section focuses on the various means of further ensuring the validity of packets entering your network by using additional security to inspect them at Layer 5 (application) of the TCP/IP model.

Network Address Translation (NAT)
The Internet has grown larger than anyone ever imagined. Although its exact size is unknown, the current estimate is that there are about 100 million hosts and over 350 million users actively on the Internet. This is more than the entire population of the United States. In fact, the Internet is effectively doubling in size each year. When IPv4 addressing first appeared, everyone thought there were plenty of addresses to cover any need. Theoretically, you could have 4,294,967,296 unique public addresses (2^32). The actual number of available public addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way that the addresses have been separated by the Internet Engineering Task Force (IETF) into classes (A, B, C) and the need to set aside some of the addresses for multicasting, testing or other specific uses (Class D).

Note: In addition to arranging groups of IPv4 addresses into classes, you might be wondering what happened to the millions of public IPv4 addresses that I said were no longer available. To ensure that every network in need of private IP addresses can have them, the Internet Engineering Task Force (IETF) has set aside a large range of addresses for internal network routing by means of Network Address Translation (NAT). Many of these addresses are referred to as private IP addresses; these addresses are not accessible on the public Internet, thus the word “private.” Private addresses are to be used within any organization that needs them, and never on the Internet. The addresses used on the Internet are referred to as public IP addresses.

With the explosion of the Internet and the ever-increasing need for IP addresses in home networks and business networks, the number of available IPv4 addresses is simply insufficient. The obvious solution is to redesign the IP addressing scheme to allow for more possible addresses. This is being developed in a solution known as IPv6, but it will take many years to implement because it requires the modification of the Internet’s entire infrastructure. As a result, the process of converting from IPv4 to IPv6 has been slow and will likely continue slowly as NAT further extends the life of IPv4. NAT allows organizations to resolve the problem of IP address depletion when they have existing networks and need to access the Internet. Sites that do not yet possess NIC-registered IP addresses must acquire them from the Internet Assigned Numbers Authority (IANA) and American Registry for Internet Numbers (ARIN), who delight in causing bureaucratic delay. Many sites do not pass their unfriendly bureaucratic examination; therefore, NAT is the solution for most.

Note: The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private networks:
• 10.0.0.0–10.255.255.255 (10/8 prefix)
• 172.16.0.0–172.31.255.255 (172.16/12 prefix)
• 192.168.0.0–192.168.255.255 (192.168/16 prefix)

NAT allows companies to use public IP addresses on the outside of the network (that is, on those devices that connect directly to the public Internet). However, as discussed, there probably will not be enough public IP addresses for every network printer, PC, server, switch, router, wireless device, and so forth to be assigned a public IP address. These devices need an IP address to connect with TCP/IP, so we use private IP addresses on the internal network. The use of private IP addresses inside our network provides for all devices to now communicate using TCP/IP, which was the goal. However, you must activate NAT because the private IP addresses are not allowed out onto the Internet. Network Address Translation (NAT) is deployed and implemented on a device (firewall, router, or computer) that sits between an internal network using private IP addresses and the Internet, which uses public IP addresses. The device performing the Address Translation from private to public is usually a firewall and, to a lesser extent, a router. The device performing NAT usually sits with one part connected to the internal network and another part connected to the Internet (or some external network). Figure 3-7 shows the placement of NAT as part of a layered defense.
Figure 3-7 Placement of NAT in a Network (figure not reproduced: packets from Users travel Internet → Router → Firewall → LAN Switch → Servers; inbound packet filters at the router, stateful packet inspection (SPI) and Network Address Translation (NAT) at the firewall)


Discussion of how NAT also provides an additional level of security to your network is discussed later in the section, “Increasing Network Security.” NAT has many forms and can work in several ways:


■ Static NAT—Provides for mapping a private IP address to a public IP address on a one-to-one basis. This is particularly useful when a device needs to be accessible from outside the network. For example, if your web server has an internal IP address of 10.0.0.1, it needs to be accessible from the Internet—it is your web server, after all! NAT must be statically configured so that users who go to a particular public IP address are always translated to 10.0.0.1. The use of static NAT is quite common for devices like web servers, which must always be accessible from the Internet.

■ Dynamic NAT—Provides for mapping a private IP address to a public IP address from a group of registered IP addresses. In this type of NAT, there is a one-to-one relationship in the mapping from private to public. For example, if your PC was assigned an internal IP address of 10.0.0.2 and your coworker was 10.0.0.3, each of you would be assigned a public IP address at the firewall via NAT as your traffic went to the Internet. Dynamic NAT is helpful, but it might not be the right solution in many cases. For example, what if your other co-worker wanted to access the Internet and the firewall was out of available public IP addresses? He would be denied. This could introduce a serious problem; therefore, NAT overloading was developed.

■ NAT Overloading—A form of dynamic NAT that provides for the translation of multiple private IP addresses to a single public IP address by using different TCP ports. This is also known as Port Address Translation (PAT) or single address NAT. Its many names are not important, but how it functions is crucial. Because over 64,000 TCP ports are possible per single IP address, NAT allows for an effective means of providing Internet access to many users who have been assigned private IP addresses. This type of NAT is the most commonly used because it serves large numbers of users at once.






Increasing Network Security
Solving the IPv4 address depletion problem was the leading reason for the development of NAT. NAT also provides for yet another layer of security to protect your network. In general, using NAT makes it more difficult for an attacker to
■ Map the target’s network topology and determine connectivity
■ Identify the number of systems running on a network
■ Identify the type of machines and the operating systems they are running
■ Implement denial of service (DoS) attacks such as SYN (synchronize/start) flooding, port scans, and packet injection

NAT’s Limitations
It is clear that the introduction of NAT to the realm of networking and the Internet has solved, or at least postponed, the IP address depletion problem. Many people have asked if networks will ever evolve to IPv6 now that NAT works so well. The question is not really if, but when, this conversion will take place. For example, the Asia/Pacific region of the world is leading the implementation of IPv6, with many networks already using it. As connectivity and convergence increase, the need for additional IP addresses will grow and expand. We will therefore make the change to IPv6 eventually; NAT has simply delayed the inevitable. NAT is useful and has brought advantages; however, it does have some limitations:


■ Issues with UDP—NAT tracks and controls connections based on state and, as discussed earlier in this chapter, UDP has no inherent mechanism to determine state. Thus, NAT has no way of knowing whether a packet is part of an ongoing conversation or an isolated transmission. NAT devices then need to guess at how long a conversation involving UDP should remain open after the last packet; this is known as the idle time. Cisco firewalls provide the functionality to set idle time on UDP sessions to limit such cases.




■ Sensitive protocols—Some protocols hide, alter, or otherwise obscure aspects of the packets that NAT requires to properly perform the translation. For example, Kerberos, X-Windows, remote shell, and Session Initiation Protocol (SIP) can have trouble operating through a NAT device. This trouble is caused by applications that embed IP addresses inside the packets they send. Cisco firewalls have nice fix-ups for different protocols, such as Skinny for telephony, that allow these applications to work when the fix-up is applied.
■ Interferes with encryption and authentication systems—Many data encryption systems attempt to ensure the integrity of packets by ensuring that packets were not tampered with in transit. By its very design, NAT tampers with packets, thus causing encryption and authentication technologies to not work well with NAT (by default).
■ Complicated logging—When devices log through a NAT device, correlating the logs requires users to understand the translations being performed by NAT. Correlating system logs with the NAT system can thus become highly complicated, and it is tedious to work out which internal systems were actually involved.
■ One size fits all—If your organization is using PAT, and one person in the company authenticates to a protected resource outside of your company, it’s possible that the rest of your organization now has access to that resource as well. Remember that if you’re using PAT, you’re only using one IP address that has been multiplexed using port numbers. The protected resource that requires authentication sees all conversations from your company as coming from the same IP address.
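As an added example (not code from the book), the following Python models the static NAT and PAT behaviour described above together with the UDP idle-time guess listed as a limitation; the public addresses 203.0.113.10 and 203.0.113.11, the port range, the 30-second timeout and the NatTranslator/Binding names are constructed for illustration.

```python
"""Added example, not from the book: a toy translator that models static
NAT and PAT (NAT overloading) as described in the text, plus the UDP
idle-timeout guess listed as a limitation. Addresses, port range and
timeout are constructed values."""
from dataclasses import dataclass


@dataclass
class Binding:
    inside: tuple        # (private IP, private port) of the inside host
    public_port: int     # port chosen on the single shared public IP
    proto: str           # "tcp" or "udp"
    last_seen: float     # time of the last packet in either direction


class NatTranslator:
    def __init__(self, public_ip, static=None, udp_idle_timeout=30.0,
                 first_port=1024, last_port=65535):
        self.public_ip = public_ip
        # Static NAT: a public IP permanently mapped to one inside host
        # (the book's web-server case), reachable without a prior binding.
        self.static = dict(static or {})
        self.udp_idle_timeout = udp_idle_timeout
        self._ports = iter(range(first_port, last_port + 1))
        self._out = {}   # (proto, private IP, private port) -> Binding
        self._in = {}    # (proto, public port) -> Binding

    def _expire(self, now):
        """UDP carries no connection-end signal, so the NAT can only guess:
        drop any UDP binding idle for longer than the configured timeout."""
        for key, b in list(self._in.items()):
            if b.proto == "udp" and now - b.last_seen > self.udp_idle_timeout:
                del self._in[key]
                del self._out[(b.proto,) + b.inside]

    def outbound(self, proto, src_ip, src_port, now):
        """Translate an inside-to-outside packet; returns (public IP, port).
        Every inside host shares public_ip, which is the "one size fits all"
        limitation: outside servers see all of them as one address."""
        self._expire(now)
        key = (proto, src_ip, src_port)
        b = self._out.get(key)
        if b is None:
            try:
                port = next(self._ports)
            except StopIteration:
                raise RuntimeError("PAT port pool exhausted") from None
            b = Binding((src_ip, src_port), port, proto, now)
            self._out[key] = b
            self._in[(proto, port)] = b
        b.last_seen = now
        return self.public_ip, b.public_port

    def inbound(self, proto, dst_ip, dst_port, now):
        """Translate a packet arriving from the Internet; returns
        (private IP, private port), or None when it must be dropped."""
        if dst_ip in self.static:
            return self.static[dst_ip], dst_port      # always reachable
        if dst_ip != self.public_ip:
            return None
        self._expire(now)
        b = self._in.get((proto, dst_port))
        if b is None:
            return None   # unsolicited: no binding, inside host stays hidden
        b.last_seen = now
        return b.inside


if __name__ == "__main__":
    nat = NatTranslator("203.0.113.10", static={"203.0.113.11": "10.0.0.1"})
    print(nat.outbound("tcp", "10.0.0.2", 40000, 0.0))   # ('203.0.113.10', 1024)
    print(nat.outbound("tcp", "10.0.0.3", 40000, 0.0))   # ('203.0.113.10', 1025)
    print(nat.inbound("tcp", "203.0.113.11", 80, 1.0))   # ('10.0.0.1', 80)
    print(nat.inbound("tcp", "203.0.113.10", 60000, 1.0))  # None (no binding)
```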







The final point to reinforce is that NAT is useful in many regards, from allowing an entire company to access the Internet to providing an additional layer of security. If you go back to the network referenced in figures throughout this chapter, you can see that including NAT adds another layer of protection, as shown in Figure 3-7. The following section of this chapter looks at how security can be further deepened through tools and technologies that look deeper into a TCP packet.


Proxies and Application Level Protection
Stateful packet inspection firewalls are enhanced versions of packet filtering. The devices used here provide additional enhancements by analyzing the packets at the application layer. Several types or technologies can be used to implement this protection, and they are known by many different names. Although each technology operates slightly differently, their goal is the same: to increase the security of your network. Application level firewalls provide the most secure type of data connections because they can examine every layer in the TCP/IP model of the communication process. To achieve this level of protection, these firewalls—also known as proxies— actually mediate and control connections by intercepting and inspecting every connection. If the proxy determines that the connection is allowed, it opens a second connection to the server from itself on behalf of the original host, as shown in Figure 3-8.
Figure 3-8 Proxy Placement
[Figure: user PCs and servers on the LAN switch, with proxy servers behind the firewall and router that connect to the Internet]

The data portion of each packet must be stripped off, examined, rebuilt, and sent again on the second connection. As shown in the list and in the following sections, different types of firewalls can be used to accomplish this:


■ Standard proxy firewalls—A proxy firewall does not route packets; it simply forwards them, and it operates at the application layer of the TCP/IP model. Functionally, a proxy firewall receives packets from one interface, inspects the packets according to the defined rule set, and passes the packets out to the other interface if they are permitted. A connection is never made from the outside to the inside PCs; as far as the PCs inside the firewall know, all of their information is coming from the proxy firewall.




■ Dynamic proxy firewalls—Originally developed from the concepts described for standard proxy firewalls, a dynamic proxy firewall was designed to take the benefits of standard proxies and add the benefits of packet filtering. A dynamic proxy firewall performs a complete inspection of the packet when a connection is first made; after the connection is approved, the faster and weaker packet filtering mechanism handles all additional packets. To summarize, connections are first inspected at the application layer, and then at the network layer.

Because these proxy firewalls have full visibility into the application layer of the TCP/IP model, they can look for more specific pieces of data than any other type of technology discussed thus far. For example, they can tell the difference between an e-mail and Java data contained within a packet, as shown in Figure 3-9.
Figure 3-9 Proxy Packet Inspection
[Figure: incoming traffic is inspected up through all five layers (1 Physical, 2 Data Link, 3 Internet Protocol (IP), 4 TCP/UDP, 5 Application); traffic is filtered based on specified application rules, and only allowed traffic leaves as outgoing traffic]

As the packet is inspected entering the proxy in Figure 3-9, all aspects of the TCP/IP header information are removed from the actual data and inspected along with the data. The information gathered by this inspection is then compared against the firewall’s rules, and the packet is either denied or permitted based on this comparison. If the packet is deemed as something that should be permitted, the proxy firewall stores the connection information from the headers, rewrites the headers, and transmits the packet accordingly. If the packet is denied, it is thrown in the bit bucket.


note
Have you never heard of the bit bucket? It is a lighthearted way of saying trash or garbage can. When saying that a packet is thrown in the bit bucket, this really means that the router, firewall, or proxy has chosen to discard the packet; because all data is ultimately only bits (1s and 0s), we have proof that nerds have a sense of humor.

Limitations of Proxies
Hopefully by now, you have realized that everything has a limitation or associated drawback. Sales and marketing would love for you to believe that their new security gizmo is perfect for solving all of your problems. Reality is frequently not the rosy picture they would like us to believe, and proxy firewalls are no different. Following are some of the limitations of proxy firewalls:


■ Reduced performance—This thorough examination and handling of packets means that proxy firewalls are very secure and generally slow. Performance suffers because essentially every part of every packet is subjected to this level of inspection.
■ Not always current—As new protocols and applications are developed, proxy servers must be expanded to recognize what is acceptable or not. This expansion means that, to stay current, new proxies must be developed and tested; this takes time and results in a security device that might not always be current.



From a security standpoint, the most secure firewall is a standard proxy firewall that inspects all traffic on an application layer. However, that is not always the most practical solution in many of today’s networks. Careful planning and understanding of the required network security and the traffic therein is important for developing a strong security solution. For example, a landscaping company has different security needs than a company that builds electronic components for the government. Of the two types of firewalls discussed—stateful and proxy—it is crucial that you use at least one of them as part of your layered approach to network security. Add to them the presence of packet filtering on your edge router and a firewall device that also uses NAT, and you will have developed the beginnings of a layered defense. The following section examines how content filters can also be used to protect your network and its users.

Content Filters
Content filtering is a subject so vast that its implications and possible solutions have spawned entire businesses that are dedicated to providing the right solution for you, regardless of whether you are a home user or a large business. Everyone seems to be faced with the need to filter some sort of content at every aspect of how they connect. Consider some of the challenges that have recently emerged into politics and the media:


■ Public libraries and pornography—For some reason, there is a group of people who think people have the right to surf pornography on computers that tax dollars pay for. Making this issue worse is the fact that they are doing this in the middle of libraries—the same place where children go to read. Content filters could be used in libraries to disallow access to this type of content. Businesses are also using content filters to block user attempts at going to such sites on the Internet. Unfortunately, the problem is not only about pornographic web sites—there are also those sites dedicated to drug use, criminal activity, terrorism, violence, and hate-oriented material, and sites that threaten the safety of children.



■ SPAM—If you have e-mail, you have spam—of that there can be no doubt. All types of businesses are fighting back against spam, and it has always been a fight to detect and stop spam. Every time a solution is discovered, spammers get more creative and do something different. For example, many people spell out their e-mail addresses now—tom dot thomas at netcerts dot com—in hopes of fooling the programs that search for e-mail addresses. It might work for a little while, but it will not last long. In the arena of spam prevention, content filters can identify those annoying ads for low mortgage rates. They are so silly; who would want to get a mortgage with a company that had to spam to get your business?




■ Viruses and trojan horses—Many of the ways viruses are spread follow the growth patterns of the Internet. Virtually everyone who connects to the Internet has e-mail—thus sending a malicious attachment in an e-mail has become commonplace. Content filters would examine the content of such attachments and filter them before any damage was done.
■ Malicious web pages—Attackers can now code into web pages ways to learn more about you when you visit those pages, and they can do this in many ways. Content filters would be able to examine the actual HTML code that makes up the website and filter it as needed.
■ Increased organization success—You might be wondering how content filtering can increase a corporation’s overall success. Companies and government agencies can face significant risk because of their employees’ behavior. Consider the implications for any organization if an employee were to access offensive or illegal material via that organization’s network. For example, employees visiting websites with offensive content can create a hostile work environment, negatively affect morale and productivity, and might lead to potentially costly legal fees and the resulting negative press. Do you recall the concept of downstream liability discussed in Chapter 1, “Here There Be Hackers!”? If an employee were to access child pornography, the organization could be held liable, have assets (the network) seized, and suffer additional negative publicity.





Internet access has become critical to businesses, and the rewards to many organizations can be high. However, issues arise where employees have unmanaged access to the Internet, as just discussed. None of the technologies discussed thus far address the potential security risks just listed. You might be correctly thinking that not all of these risks are applicable to your organization, and that might be true. The goal of this chapter is to discuss the technology surrounding content filtering, which could clearly be applied to many different problems, depending on your need. Benefits of content filtering include the following:


■ Reduce or eliminate legal liability by not letting your organization’s resources be used in a compromising manner or through the inadvertent disclosure of confidential information.
■ Optimize employee productivity; who wants to pay someone while they are surfing the Internet for pleasure?
■ Improve reporting on employee Internet usage. This is critical because you might feel protected or safe, but there is no way to know for sure unless you are also watching what is happening on your network.
■ Enforce company Internet access policies that would be documented in the Acceptable Use Security Policy, as discussed in Chapter 2, “Security Policies and Responses”:
— Disallow accessing illegal or offensive material
— Prevent the downloading of unauthorized software





There are a variety of ways to filter the content of packets as they flow through your network. Entire companies and tons of products provide any type of filtering service for you, from spam to content. To do them justice by explaining them all is beyond the scope of this chapter. There are some common fundamental similarities, regardless of the product selected.
note
Your organization’s Acceptable Use Policy should inform the employee of what is expected from him as a user of corporate resources, and the content monitoring/filtering monitors and reports on compliance.

The key to content filtering solutions is the ability to monitor and filter content from the Internet, chat rooms, instant messaging, e-mail, e-mail attachments, Word, PowerPoint, and from web browsers. There are several ways to filter traffic, and they can be classified into two main categories:


■ Client-based filtering—This filtering solution involves loading software onto individual PCs that checks content and filters it according to a defined set of rules. In the case of home users, this is the most common type of solution and usually comes in the form of a subscription to a server that contains updates.
■ Server-based filtering—In this filtering solution, individual client PCs do not require specialized software to be loaded because everything is loaded and controlled by a server that the client PCs in turn access. This type of filtering is commonly used for e-mail spam and virus detection; all e-mail comes into a central server, which is the most logical place to filter it.

For content filtering, a device such as a proxy server or Cisco content engine forces all web traffic through it, so that user requests to view web pages can be inspected to determine if the request should be permitted or denied. Content filtering is accomplished using a library or database of terminology, words, and phrases as the set of rules defining what is not allowed. In many cases, the request is examined as well as the reply; for example, some attempts to access a website can be classified via the database/library when the client makes the request (such as http://www.showmeporno.com), while other requests might require the filtering device to analyze the content of the web page before making a filtering decision. Browsing the Internet through a content filter is extremely similar to how spam and virus filtering is accomplished. Ultimately, a database contains ways of identifying what should be filtered and what should not. As traffic enters the network, it is verified against this database. For example, many products and tools can be used at the server level to identify and stop spam. Nothing is ever 100 percent accurate, so many e-mail clients also have some sort of built-in way of allowing users to further identify spam e-mail.

Limitations of Content Filtering
Content filtering can play a large role in protecting your network and ensuring the proper use of network resources. However, it does have some disadvantages that, if you are aware of them, will allow for the filtering to operate better:


■ An estimated three to five million websites are introduced to the Internet as new or renamed every single week. This makes the tracking of good/bad sites extremely difficult to do and requires a dedicated service to ensure that your filters are always up to date.
■ Content is always changing; in addition to new websites, new ways to spam, new viruses, and other threats make it difficult to keep on top of the changes.
■ Nothing is perfect, so you can expect to see false positives to a certain degree. Therefore, retaining some sort of control of the system is important, and blind reliance on outside classifications is probably not a good idea—for example, www.msexchange.com being seen by a content/URL filter as “m sexchange” rather than “ms exchange.”
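As an added example (not code from the book or any product), the following Python implements the two stages described above, a request-time domain lookup and a reply-time phrase check, and reproduces the www.msexchange.com false positive against a naive substring match; the database entries, page text and the function names are constructed for illustration.

```python
"""Added example, not from the book: the two content-filtering stages the
text describes (classify the request by a domain database, then the
fetched page by a phrase library), with the www.msexchange.com false
positive shown against a naive substring match. All database entries
and page text are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Constructed domain database: host or parent domain -> category.
DOMAIN_DB = {
    "showmeporno.com": "adult",             # the book's example request
    "free-screensavers.example": "malware",
}
# Constructed phrase library, used when the domain is unknown and the
# reply body has to be analysed before a decision can be made.
PHRASE_DB = {
    "adult": ["sex", "porno"],
    "spam": ["low mortgage rates"],
}
# Operator overrides for known false positives (the "retain control" point).
ALLOWLIST = {"www.msexchange.com"}


def classify_request(url):
    """Request-time lookup of the host and each of its parent domains."""
    host = (urlsplit(url).hostname or "").lower()
    if host in ALLOWLIST:
        return None
    labels = host.split(".")
    for i in range(len(labels) - 1):
        category = DOMAIN_DB.get(".".join(labels[i:]))
        if category:
            return category
    return None


def classify_content_naive(text):
    """Plain substring search: fast, but "msexchange" contains "sex"."""
    low = text.lower()
    for category, terms in PHRASE_DB.items():
        if any(term in low for term in terms):
            return category
    return None


def classify_content(text):
    """Whole-word search: a term must be bounded by non-word characters,
    so "ms exchange" is not read as "m sexchange"."""
    low = text.lower()
    for category, terms in PHRASE_DB.items():
        for term in terms:
            if re.search(r"\b" + re.escape(term) + r"\b", low):
                return category
    return None


def filter_decision(url, body=None):
    """Deny on the request if the domain is known; otherwise inspect the
    reply body. Returns ("allow", None) or ("deny", category)."""
    category = classify_request(url)
    if category is None and body is not None:
        category = classify_content(body)
    return ("deny", category) if category else ("allow", None)


if __name__ == "__main__":
    page = "Welcome to www.msexchange.com, the Exchange Server resource"
    print(filter_decision("http://www.showmeporno.com/"))        # ('deny', 'adult')
    print(classify_content_naive(page))                          # adult (false positive)
    print(filter_decision("http://www.msexchange.com/", page))   # ('allow', None)
```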



Content filtering is probably in use in your network in some form or another. The extent of its implementation varies widely depending on the size and sensitivity of your business. The following section looks at a manner of completely securing your network: PKI.

Public Key Infrastructure (PKI)
Have you ever bought anything online or otherwise engaged in some sort of electronic commerce on the Internet? Most likely, you saw the little lock in the corner of your browser window that told you that this was a secure transaction. With what you have learned so far in this book, do you honestly believe that? The little key or lock in your browser means that you are on a website (server) that is using a Secure Socket Layer (SSL) certificate, so you can rest assured that they are who they say they are. Go ahead—buy and enter your credit card number!
note
The little lock means that an SSL connection has been engaged. Anyone can cause a secure connection to take place, so be careful even when you see a little lock.

Have you ever noticed that, while you are conducting e-commerce, the http:/…. changes to https://…? The presence of the “s” means that you are using HTTP over SSL to communicate back and forth.


Ultimately, what is actually occurring is that your web browser is taking in the SSL certificate, contacting whoever certified it to ensure its validity, and then proceeding to communicate in a secure mode with the server so you can complete your transaction in complete security. Do you still believe that this is a good system? Did I mention that this SSL certificate session is 40 bits in length? Certain aspects of the certificate that reside on the server are 1024 bits. Compare this 40-bit length to an IP address, which is 32 bits in length, or 3DES encryption at 128 bits. You should never feel 100 percent secure when conducting e-commerce at this stage in the Internet’s evolution because the security is not there yet. As the use of e-commerce continues to rise, the level of fraud is increasing even more. This trend is taking a toll on the growth and confidence in e-commerce and online transactions of all kinds. Of course, none of this is ever talked about in polite sales and marketing circles.

Not to fret—an advance in securing e-commerce is coming in the form of PKI. Public Key Infrastructure (PKI) is an evolving technology that will eventually become an IETF standard. The goal of PKI is to provide a foundation for a system that will support a variety of security services, such as data integrity, data confidentiality, and non-repudiation. PKI will provide this through a combination of hardware, software, procedures, and policies so users can communicate and exchange information securely, regardless of location.

This system involves the verification and authentication of each side of a transaction over a network. Consider for a moment the impact that online credit-card fraud has on people and businesses. At this time, everyone is losing when fraud occurs—the people because they had their credit card or identity stolen, and the businesses because they are trying to provide a service while remaining profitable.
PKI provides for authentication through the use of advanced digital certificates and certification authorities to verify and authenticate the validity of each side of a transaction. This transaction could be something as sensitive as an online Internet purchase, or as straightforward as exchanging sensitive information via e-mail. PKI is going to be the next step in the evolution of secure communication and e-commerce.


Additional PKI resources can be found online at the following locations:
■ http://www.pki-page.org/
■ http://www.pkiforum.org/

PKI’s Limitations
PKI is not yet a standard because the IETF has yet to ratify any RFC relating to PKI at press time. In researching PKI, I began to think this was a great next step— even more so when my wife’s identity was stolen, coupled with the lack of concern by our law-enforcement agencies. The ease with which people dismissed the crime was amazing, not to mention the fact that businesses felt it was just a risk whose loss they had to absorb. Certainly then, PKI would be a good step; however, there are some serious challenges in its future:


■ E-commerce is working and flourishing on the Internet, regardless of the occasional risks involved.
■ Scary laws in states like Utah and Washington are on the books, saying that if someone were to crack your key or use it illegally, you are still responsible for the debt they created. Having seen the bills created by the thief of my wife’s identity, this is extremely worrisome to me if I am ever forced to use PKI!
■ Security is today, and it is likely to continue to be under PKI, the responsibility of the certificate holder. Thus, you must trust that they have taken all the necessary precautions without exposing new vulnerabilities.
■ PKI is coming; however, there are still some questions in my mind about it. PKI does not support a single login infrastructure, so users will have to log in and authenticate multiple times to access different resources; this is a recipe for disaster. Users will find ways to “simplify” (that is, defeat) the security PKI provides, and mistakes will happen.







So, is a technology like PKI good or bad? That is difficult to say because PKI is not really mature enough to be called a standard. However, it does provide for increased security that could help in many areas. The verdict on PKI is still up in the air and is subject to the whims of the PKI vendors and how they listen and evolve their products. The following section looks at some methods that are currently available for authenticating access to the network.

AAA Technologies
Today, we live in a world where almost everything must be protected from misuse and nothing is free. It does not matter if you are a system administrator, manager, student, or a network engineer. If you access services via a network, you always need three things:
■ Authentication
■ Authorization
■ Accounting

These components are collectively known as AAA (pronounced triple A). As discussed in the following sections, each of these components plays an important role.

Authentication
Authentication ensures that the network’s user is who she claims to be. This is important because you do not want that person accessing the network if she is not supposed to. Usually a shared secret or a trusted third-party software application provides authentication. Authentication allows the network administrators to identify who can connect to a network device or the Internet by requiring the user’s username and password. Normally, when a user connects to a router remotely via Telnet, the user must supply only a password to gain access to the router. This is functional but not secure because, if the router is connected to the Internet, an attacker could try and try to connect, and you might never know that this was occurring. All the attacker would have to do is guess a single password to access your router. How hard could that be when he has all the time in the world? When someone logs into one of your network devices and makes a change, how do you know who the person is and what he has done? With AAA authentication, whenever a user logs on, the user must enter a username and password pair (which the network administrator has assigned). The following code snippet shows an example of a remote user accessing a Cisco router with AAA configured to request a username:
User Access Verification
Username: tom_thomas
Password: xxxxxxxx
MyCiscoRouter>

As shown in the preceding example, the user must enter a valid username and password to gain access to the router. Typically, a database that contains the valid usernames resides locally on the router or on a remote security server.

Authorization
Related to authentication is authorization, which comes into play once authentication is complete. After the user is authenticated, there must be a way to ensure that the user is authorized to do the things he is requesting. For example, if you are a normal user, you do not have the permissions to access all the files in a file system. Using ACLs or policies provides authorization. Authorization allows administrators to control the level of access users have after they successfully gain access to the router. Cisco IOS Software allows certain access levels (called privilege levels) that control which IOS commands the user can issue. For example, a user with a 0 privilege level cannot issue any IOS commands. A user with a privilege level of 15 can perform all valid IOS commands. The local or remote security server can grant access levels.


You can display your privileged level on a Cisco router with the show privilege command, as shown in the following command line.
MyCiscoRouter#show privilege
Current privilege level is 15
MyCiscoRouter#

Authorization can also dictate the types of protocol activity in which the user can engage, such as allowing a user to invoke only FTP, Telnet, or HTTP traffic. Keep in mind that the higher the privilege, the more capabilities a user has with the IOS command set.

Accounting
Accounting occurs after the authentication and authorization steps have been completed. Accounting allows administrators to collect information about users and the actions that they take when connected to network devices. The information gathered through accounting can provide forensic evidence of tampering or hacking because you have a roadmap of the user’s times/dates and activities. Specifically, administrators can track which user logged into which router, which IOS commands a user issued, and how many bytes were transferred during a user’s session. For example, accounting enables administrators to monitor the routers that have had their configurations changed. A router or a remote security server can collect accounting information.
note
If you still use dialup to access the Internet, you are using AAA when you authenticate and receive authorization into your service provider’s network. Accounting is the process in which the network service provider collects network usage information for billing relating to how long you were connected, capacity planning, and other purposes. This is important for the service provider—there is no such thing as a free lunch.


After AAA is configured, you can use external security servers to run external security protocols—such as RADIUS or TACACS—that will stop unauthorized access to your network. Both RADIUS and TACACS can be implemented on Cisco network devices and will be reviewed in the upcoming sections.
note
You must use AAA if you intend to use RADIUS or TACACS security server protocols. As AAA collects the information, it sends it to the security servers to determine each of the characteristics associated with AAA.

Remote Authentication Dial-In User Service (RADIUS)
RADIUS is a client-server based system that secures a Cisco network against intruders. RADIUS is a protocol implemented in Cisco IOS Software that sends authentication requests to a RADIUS server. A RADIUS server is a device that has the RADIUS daemon or application installed. RADIUS must be used with AAA to enable the authentication, authorization, and accounting of remote users. When a RADIUS server authenticates a user, the following events occur:
1. The remote user is prompted for a username and password.
2. The username and password are encrypted and sent across the data network.
3. The RADIUS server accepts or rejects a username and password pair. In some instances, a user might be asked to enter more information (this is called a challenge response). For example, if a user’s password has expired, a RADIUS server prompts the user for a new password.
note
Traffic between the Network Access Server (NAS) and RADIUS is not encrypted—as opposed to TACACS, which does encrypt authentication message traffic.
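As an added example (not code from the book or Cisco), the following Python builds a RADIUS Access-Request the way a NAS does and applies the RFC 2865 User-Password hiding with the shared secret, which makes the note's point concrete: only the password attribute is obscured, while the username and the rest of the packet travel in clear. The shared secret, identifier, password and fixed authenticator are constructed values, and the function names are my own.

```python
"""Added example, not from the book: a NAS-side RADIUS Access-Request
builder (RFC 2865) with User-Password hiding, showing that the username
is sent in clear and only the password is obscured with the shared
secret. Secret, identifier, password and authenticator are constructed."""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(secret, authenticator, password):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(secret, authenticator, hidden):
    """Server side of the same operation. Padding NULs are stripped, so a
    password must not end in NUL bytes (the same rule RFC 2865 states)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attr(attr_type, value):
    """Attribute TLV: type(1), length(1) including the two header bytes, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, i = {}, HEADER_LEN
    while i < len(packet):
        attr_type, attr_len = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + attr_len]
        i += attr_len
    return attrs


def build_access_request(secret, identifier, username, password, authenticator=None):
    """Assemble the packet the NAS sends. The Request Authenticator must be
    16 unpredictable bytes; a caller may fix it for reproducible tests."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD,
                           hide_password(secret, authenticator, password)))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier,
                         HEADER_LEN + len(attrs))
    return header + authenticator + attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_access_request(secret, 7, b"tom_thomas", b"correct horse")
    print(pkt.hex())
    print(b"tom_thomas" in pkt, b"correct horse" in pkt)   # True False
```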


note
A RADIUS server is usually software that runs on various platforms, including Microsoft NT servers or a UNIX host. RADIUS can authenticate router users, authenticate vendors, and even validate IP routes.

The following steps are required to enable RADIUS on a Cisco router:
Step 1 Use the aaa new-model command. AAA must be used with RADIUS.
Step 2 Specify the RADIUS server with the radius-server host command, as shown in Example 3-3.
Step 3 Specify the password used between the router and the RADIUS server.
note
Of course, you must also ensure that you have entered users and passwords into the RADIUS server before activating RADIUS.

Example 3-3 displays the required configuration for a Cisco router to authenticate users from the RADIUS server with the host address 10.99.34.50.
Example 3-3 RADIUS Configuration
radius-server host 10.99.34.50
radius-server key <password>

Let’s move on to TACACS, which is an alternative protocol to RADIUS that also works with AAA.

Terminal Access Controller Access Control System (TACACS)
Cisco IOS supports three versions of TACACS: TACACS, extended TACACS, and TACACS+. All three methods authenticate users and deny access to users who do not have a valid username and password.


The first version of TACACS provides simple password verification and authentication. Accounting is limited in that only requests and denials are listed. Next, extended TACACS replaced the first version of TACACS. TACACS+, also referred to as TACACS plus, provides detailed accounting and must be used with AAA (in other words, the aaa new-model command must be enabled). TACACS+ supersedes the earlier releases of TACACS. In general, TACACS provides a centralized security system that validates users from any remote location. Typically, TACACS runs on a Windows Server or UNIX operating system. When a TACACS server authenticates a user, the following events occur:
1. The remote user is prompted for a username and password.
2. The username and password are sent across the data network and authenticated.
3. The TACACS server accepts or rejects the username and password pair. The user might be asked to enter additional information (called a challenge response). For example, a challenge response might appear when an error occurs during authentication.

TACACS+ requires AAA, but TACACS and extended TACACS do not use AAA. The configuration tasks required to enable TACACS+ on a Cisco router are as follows:

Step 1 Use the aaa new-model command. AAA must be used with TACACS+.
Step 2 Specify the TACACS+ server with the tacacs-server host command.
Step 3 Specify the authentication key used between the router and the TACACS+ server.
Step 4 Because TACACS+ must be used in conjunction with AAA, you must specify TACACS+ authentication, authorization, and accounting.


Example 3-4 displays the required configuration for a Cisco router to authenticate users from the TACACS+ server with the host address 10.99.34.50.
Example 3-4 TACACS Configuration
aaa new-model
aaa authentication enable default tacacs+
! Sets router to use the tacacs server to authenticate enable
! password
aaa authorization exec tacacs+
! Sets tacacs+ plus to authorize exec commands on local router
aaa accounting exec start-stop tacacs+
! Accounting information is gathered for exec commands
tacacs-server host 10.99.34.50
tacacs-server key <password>

Example 3-4 is a basic TACACS+ configuration; you can set other configuration options to enable complex AAA commands.

caution
If you enable AAA on a router, you could get locked out if you are not careful. If you fat finger any commands and exit out of your configuration, you might not be able to re-enter.

TACACS+ Versus RADIUS
Comparing the two server protocols, RADIUS and TACACS+, shows that both require AAA to be enabled on a Cisco router (unless you use the older versions of TACACS, namely TACACS and extended TACACS). RADIUS and TACACS+ both require a username and password pair to obtain access. The difference between the two protocols is in the protocol itself and the fact that TACACS+ is a centralized validation service, while RADIUS is based on client/server technologies.
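To make the protocol difference concrete, here is an added example (not from the book) of how TACACS+ protects a packet body per RFC 8907: the whole body, including a PAP password in the data field, is XORed with an MD5-derived pad keyed by the shared secret, session ID, version and sequence number, whereas RADIUS hides only the password attribute. The key, session ID and credentials are constructed values; RFC 8907 itself calls this obfuscation rather than encryption.

```python
import hashlib
import struct

# Constructed values for this example; they are not from the book.
TACACS_KEY = b"example-shared-key"
VERSION = 0xC0             # major version 0xC, minor version 0
TYPE_AUTHEN = 1            # TAC_PLUS_AUTHEN
FLAG_UNENCRYPTED = 0x01    # TAC_PLUS_UNENCRYPTED_FLAG

def pseudo_pad(session_id, key, version, seq_no, length):
    # RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    # MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); the pad is
    # truncated to the body length and XORed over the whole body.
    pad, prev = b"", b""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate_body(body, session_id, key, version, seq_no):
    # XOR is symmetric, so the same call recovers the cleartext body.
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def authen_start_pap(user, password, port=b"tty0", rem_addr=b""):
    # Authentication START body (RFC 8907 section 5.1) for PAP: the password
    # rides in the data field, so it is covered by the body obfuscation.
    action, priv_lvl, authen_type, service = 1, 1, 2, 1  # LOGIN, priv 1, PAP, LOGIN
    fixed = struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(password))
    return fixed + user + port + rem_addr + password

def build_packet(body, session_id, key, seq_no=1, version=VERSION, ptype=TYPE_AUTHEN):
    # 12-byte header: version, type, seq_no, flags, session_id, body length.
    obf = obfuscate_body(body, session_id, key, version, seq_no)
    header = struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(obf))
    return header + obf

def parse_packet(packet, key):
    # Decode a packet; a set TAC_PLUS_UNENCRYPTED_FLAG means the body is cleartext.
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & FLAG_UNENCRYPTED:
        return body
    return obfuscate_body(body, session_id, key, version, seq_no)
```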


Chapter Summary
This chapter began with discussion of the importance of a layered network security design. This layering of security provides a deeper level of protection for your network. You want to avoid what I call the orange syndrome, where there is only a single layer of protection before you get to the “good stuff.” You do not want attackers to defeat a single layer and get to the good stuff in your network. This chapter looked at many technologies that you could use to provide a layered approach to security:
■ Packet filtering via ACLs
■ Stateful packet inspection
■ Network Address Translation
■ Proxies and application level protection
■ Content filters
■ Public key infrastructure
■ AAA technologies

Separately, each of these technologies is just a single layer of protection, but combined, they provide you with several layers of protection and keep the good stuff safe.


Chapter Review Questions
The following questions assist in reinforcing the concepts that we covered in this chapter.
1. What are the six security design concepts you should consider when looking at the security technologies for securing your network?
2. What rule is always implicitly present at the end of every packet filter?
3. When a device is performing stateful packet inspection, what characteristics in a packet’s header are inspected, and why are they important?
4. What are some limitations of stateful packet inspection?
5. Define the differences between public and private IP addresses.
6. Compare and contrast the three different versions of NAT and identify which of them is the most commonly used.
7. What are the two types of proxy firewalls?
8. Why is content filtering so important to networking?
9. What is the potential value of PKI to securing a network and e-commerce?
10. AAA provides security for what aspect of a network?
11. Search the Internet and find three potential vendors that can offer an effective RADIUS solution. Describe what features about each are beneficial.
