Chapter 4. Network Security Design

This chapter describes the concepts that relate to network security and includes the following sections:

Not long ago, the campus network’s sole purpose was to provide connectivity. Nowadays, the campus network is an intricate part of business success, providing productivity tools in every part of the infrastructure. Therefore, sound security must protect the network to ensure high availability, integrity, and confidentiality of the data.

You can deal with risk in four ways: you accept it, you reduce it, you ignore it, or you transfer it. In network security, you seek to reduce the risk with the help of sound technologies and policies. This chapter focuses on reducing the risk and on the security technologies available in campus network design to mitigate vulnerabilities and threats.

Network security can be a complicated but exhilarating subject. Prior to jumping into the design aspects of network security, we review the basics of hacking and the equipment available to mitigate threats.

Note

Appendix B, “Network Fundamentals,” includes material that we assume you understand before reading the rest of the book. Thus, we encourage you to review any of the material in Appendix B that you are not familiar with before reading the rest of this chapter.

Making the Business Case

Not a week goes by without news of another network attack. CERT, a U.S. federally funded center coordinating communication during security emergencies, estimated that security breaches in the United States totaled 153,000 in 2003, almost double that of the prior year and more than a sevenfold increase in three years.

When dealing with network security, one trend is certain: Attacks are becoming more complex. Blaster and SoBig.F, which we explain in the following sidebar, are examples of those complex threats called combo malware. Malware is a generic term that describes malicious software such as viruses and Trojan horses. Combo malware are hybrid menaces that combine destructive components of different threats. For example, a worm that carries a viral payload would be called combo malware.

Hacking

Most of us equate hacking with malicious activities. In fact, hacking is defined as working diligently on a computer system until it performs optimally. The popular use of the term hacking is more related to cracking, which is defined as the act of unlawfully accessing a network infrastructure to perform unethical activities. But for the purposes of this book, the widely accepted term hacking denotes malicious activities directed at networks and systems.

Types of Hackers

There are as many motivating factors for hacking as there are hacker types. From the script-kiddy who downloads hacking shareware and follows on-screen instructions to the cyber-terrorist, one thing is certain: They want to inflict pain on your organization.

Also, although they do not necessarily qualify as hackers, careless employees can be dangerous to your organization.

White-Hat Hackers

Not all hackers spell trouble. White-hat hackers are either reformed hackers or network professionals who have achieved mastery of the art and science of hacking. White-hat hackers are paid to provide penetration testing of the corporate network and to produce a detailed report of their findings. White-hat hackers are sometimes hired inconspicuously by senior management to test the ability of the IT department to detect and deal with attacks.

Regardless of whether the hacking motivation is benevolence, carelessness, or maliciousness, hackers wouldn’t exist if vulnerabilities weren’t available to exploit. The next section delves into network vulnerabilities.

Vulnerabilities

Regardless of the hackers’ motivation, they intrude networks by exploiting vulnerabilities, and the consequences can range from embarrassment to significant downtime and revenue losses.

Key Point

Vulnerability is defined as the characteristics of a system that allow someone to use it in a suboptimal manner or allow unauthorized users to take control of the system in part or entirely.

Vulnerabilities usually fall into one of the following categories:

  • Design issues

  • Human issues

  • Implementation issues

Design Issues

Design issues refer to inherent problems with functionality because of operating system, application, or protocol flaws.

Human Issues

The human issues category of vulnerabilities refers to administrator and user errors, such as unsecured user accounts, unsecured devices, or open devices (devices that have not been hardened).

Implementation Issues

Implementation issues deal with creation, configuration, and enforcement of security policies, such as password policies, remote-access policies, Internet usage policies, e-mail policies, and so on.

Because technological advancement usually precedes policy formulation, the organization must promote a secure culture where users know how to extrapolate from current policies to judge actions to be taken when faced with a new networking situation.

For example, an organization might not have had a wireless policy when the first low-cost wireless access point (WAP) became available. Even if it was not specifically detailed in a policy that an employee can’t connect his own WAP to the network, he should be able to draw that inference.

Threats

As mentioned earlier, regardless of their motivation, hackers capitalize on vulnerabilities. Hackers exploiting vulnerabilities are real threats to network security.

The following is a generic list of attack categories:

  • Reconnaissance attacks

  • Access attacks

  • Information disclosure attacks

  • Denial of service attacks

Reconnaissance Attacks

Reconnaissance attacks consist of intelligence gathering, often using tools like network scanners or packet analyzers. The information collected can then be used to compromise networks.

Some of the proverbial reconnaissance attacks, conducted with specialized tools, are as follows:

  • Ping sweeping—To discover network addresses of live hosts

  • Network and port scanning—To discover active ports on target hosts

  • Stack fingerprinting—To determine the target operating system (OS) and the applications running on targeted hosts

  • Enumeration—To infer network topology

Access Attacks

During an access attack, the hacker exploits the vulnerabilities he has discovered during the reconnaissance attack. Some common access attacks are as follows:

  • Entry—Unlawful entry to an e-mail account or database.

  • Collect—The hacker gathers information or passwords.

  • Plant—The hacker might create a back door so that he can return at a later time.

  • Occupy—The hacker might elect to control as many hosts as he wants.

  • Cover—The hacker might cover his tracks by attempting to change the system logs.

Access Subterfuges

Hackers continuously come up with crafty access attacks. Consider the case of a user who receives an e-mail tantalizing him to play a virtual game of Spinning Wheel for a cash prize by simply opening the attachment. In the short time it takes the user to open the attachment, wait for the spinning wheel to stop turning, and hope the needle points to WINNER, an inconspicuous application meticulously collects all the entries in the user’s e-mail address book and sends them back to the originator of the attack. The originator could be a spammer who plans to use this information for future spamming.

Proper dissemination and enforcement of an e-mail security policy would have taught the user not to open an attachment from an unknown source. Alternatively, the organization might have considered installing an e-mail filtering service to purge the message of executable attachments. E-mail filtering is discussed in the section “Content Filtering,” later in this chapter.

Information Disclosure Attacks

Information disclosure attacks are different from an access attack in the sense that the information is provided voluntarily through a sophisticated subterfuge. The following attacks, though considered information disclosure attacks, could fall into the category of white-collar crimes:

  • Social engineering

  • Phishing

Social Engineering

Social engineering, a form of low-tech hacking, is defined as someone, claiming to be someone he is not, who approaches a user either through e-mail or through a phone call for the purpose of infiltrating the organization. Great technical ability is not necessary to perform social engineering.

Phishing

Internet scammers who cast about for people’s financial information have a new way to lure unsuspecting victims: they go phishing. Phishing is a high-tech scam that uses spam or pop-up messages to deceive readers into disclosing credit card numbers, bank account information, Social Security numbers, passwords, or other sensitive information. Figure 4-1 is an example of an e-mail that looked legitimate but was actually a scam.

Figure 4-1. Phishing E-mail

Unfortunately, no security systems can protect against information disclosure. Only the dissemination and enforcement of sound security policies can help users learn to be suspicious and to confirm the origin of these e-mails prior to taking actions.

Denial of Service Attacks

With a denial of service (DoS) attack, a hacker attempts to render a network or an Internet resource, such as a web server, worthless to users. A DoS attack typically achieves its goal by sending large amounts of repeated requests that paralyze the network or a server.

A common form of a DoS attack is a SYN flood, where the server is overwhelmed by embryonic connections. A hacker sends to a server countless Transmission Control Protocol (TCP) synchronization attempts known as SYN requests. The server answers each of those requests with a SYN ACK reply and allocates some of its computing resources to servicing this connection when it becomes a “full connection.” Connections are said to be embryonic or half-opened until the originator completes the three-way handshake with an ACK for each request originated. A server that is inundated with half-opened connections soon runs out of resources to allocate to upcoming connection requests, thus the expression “denial of service attack.”

The following sidebars provide the anatomy of DoS attacks and distributed DoS (DDoS) attacks.

Those handlers in turn scan their own corporate network, hunting for workstations to compromise and turn into DDoS agents. Those agents are also referred to as bots, hence the expression botnets.

When his army of agents is strategically in place, the hacker launches the attack. He transmits his orders for the mission to the handlers and agents; these orders usually cause each of these hosts to send large quantities of packets to the same specific destination, at a precise time, thus overwhelming the victim and the path to it. It also creates significant congestion on corporate networks that are infected with handlers and agents when they all simultaneously launch their attack on the ultimate victim.

As an added twist, the crafty hacker might have requested that the agents use a spoofed source IP address when sending the large quantities of packets to the destination. The target would reply to the best of its ability to the source, which happens to be an innocent bystander, as shown in Figure 4-3.

Figure 4-3. DDoS—Launching an Attack Using a Spoofed Source IP Address[2]

A basic knowledge of the different types of threats and attacks is crucial to understanding the purpose of mitigation equipment and proper network security design. These topics are covered in the following sections.

Mitigating Technologies

Known threats can usually be mitigated by security equipment and sound security policies.

The following sections cover the most pervasive mitigation techniques, which are grouped in these four major categories:

  • Threat defense

    • Virus protection

    • Traffic filtering

    • Intrusion detection and prevention

    • Content filtering

  • Secure communication

    • Encrypted Virtual Private Network (VPN)

    • Secure Sockets Layer (SSL)

    • File encryption

  • Trust and identity

    • Authentication, authorization, and accounting (AAA)

    • Network Admission Control (NAC)

    • Public key infrastructure (PKI)

  • Network security best practices

    • Network management

    • Assessment and audits

    • Policies

Threat Defense

Threat defense refers to the activities that are necessary to guard against known and unknown attacks, specifically by doing the following:

  • Defending the edge

  • Protecting the interior

  • Guarding the end points

To do so, the campus design should include the following:

  • Virus protection

  • Traffic filtering

  • Intrusion detection and prevention

  • Content filtering

Virus protection

Probably the easiest and most cost-effective way to start protecting an organization is through up-to-date virus protection.

Virus scanning can be performed at the following levels on a network:

  • Hosts—Workstations and servers.

  • E-mail servers—Incoming messages are scanned prior to being passed to the recipient.

  • Network—An intrusion detection system (IDS) or intrusion prevention system (IPS), covered in the section “Intrusion Detection and Prevention,” later in this chapter, can report to the IT manager that a virus signature was detected.

Practitioners recommend that IT departments implement different brands of virus protection at different junctions and functions of the network, thus benefiting from multiple comprehensive virus-signature databases and hopefully enlarging the spectrum of the virus dragnet.

Traffic Filtering

Traffic filtering can be achieved at many layers of the OSI model. It can be done at the data link layer using the Media Access Control (MAC) address but is most commonly done at the network layer through packet filtering. Packet filtering is further divided into the following areas:

  • Static packet filtering

  • Dynamic packet filtering

Static Packet Filtering

Static packet filtering is also referred to as stateless packet filtering or stateless firewalling. It is often performed at the perimeter router, which acts as the logical point of demarcation between the ISP and the corporate network. With stateless firewalling, the router does not track the state of packets and does not know whether a packet is part of the SYN process, the actual transmission, or the FIN process. A stateless firewall typically tracks only IP addresses and therefore can be tricked by a hacker who spoofs IP addresses.

Dynamic Packet Filtering

Dynamic packet filtering is also referred to as stateful firewalling. It is usually done by a firewall, which is a dedicated appliance that performs packet scans. Stateful firewalling capabilities are also built into some routers.

The default behavior of a firewall is that outgoing traffic—traffic that flows from the inside network to the outside network—is allowed to leave and its reply traffic is allowed back in. However, traffic that originates from the outside network and attempts to come to the inside network is automatically denied. This is possible because the firewall meticulously tracks connections and records the following connection-state information in a table:

  • Source IP address

  • Destination IP address

  • Source port

  • Destination port

  • Connection TCP flags

  • Randomized TCP sequence number

This default behavior of a firewall is sometimes changed to accommodate the presence of a corporate server to which outside users need access. This “public” server is usually located in the demilitarized zone (DMZ) of a corporate network. A rule can be configured in the firewall to stipulate which outside traffic is permitted to enter for the purpose of visiting the web server, as shown in Figure 4-4.

Figure 4-4. DMZ and Firewall[3]
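The difference between the static filter of the previous section and the stateful firewall described here is easiest to see with packets in hand. The following is an added example, not code from the book or from any vendor: a toy packet filter in Python that applies a stateless rule set and a stateful connection table to the same constructed packet trace. The inside network (10.0.0.0/8), the "trusted partner" address the stateless ACL permits, and the DMZ web server are all assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for the demonstration (not from the book).
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")          # corporate inside network
TRUSTED_PARTNER = ipaddress.ip_address("203.0.113.5")    # address the stateless ACL trusts
DMZ_WEB = ("192.0.2.10", 80)                              # public web server in the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str          # interface the packet arrived on: "inside", "outside" or "dmz"
    syn: bool = False
    ack: bool = False


def stateless_filter(pkt: Packet) -> str:
    """Static packet filter: every packet is judged on its own header fields alone."""
    if ipaddress.ip_address(pkt.src) in INSIDE_NET:
        return "permit"                                   # outbound traffic may leave
    if (pkt.dst, pkt.dport) == DMZ_WEB:
        return "permit"                                   # anyone may reach the web server
    if ipaddress.ip_address(pkt.src) == TRUSTED_PARTNER:
        return "permit"                                   # trusts whatever claims this address
    if pkt.ack:
        return "permit"                                   # "looks like a reply"; no way to know
    return "deny"


class StatefulFirewall:
    """Dynamic packet filter: remembers the connections it has allowed to exist."""

    def __init__(self) -> None:
        self.table = set()                                # entries: (src, sport, dst, dport)

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.ingress == "inside":
            self.table.add(key)                           # record the outbound connection
            return "permit"
        if reverse in self.table:
            return "permit"                               # reply to a connection we saw leave
        if pkt.syn and (pkt.dst, pkt.dport) == DMZ_WEB:
            self.table.add(key)                           # the one inbound rule: DMZ web server
            return "permit"
        return "deny"                                     # unsolicited traffic from outside


def run_demo():
    """Replay a constructed packet trace through both filters; returns (what, stateless, stateful)."""
    fw = StatefulFirewall()
    trace = [
        ("inside client opens HTTPS to the Internet",
         Packet("10.0.0.5", 40000, "198.51.100.7", 443, "inside", syn=True)),
        ("server answers that connection",
         Packet("198.51.100.7", 443, "10.0.0.5", 40000, "outside", syn=True, ack=True)),
        ("unsolicited SYN to an inside host",
         Packet("198.51.100.7", 443, "10.0.0.5", 40001, "outside", syn=True)),
        ("stray ACK-only packet to an inside host",
         Packet("198.51.100.7", 443, "10.0.0.5", 40001, "outside", ack=True)),
        ("SYN to SSH carrying the partner's spoofed address",
         Packet("203.0.113.5", 4444, "10.0.0.5", 22, "outside", syn=True)),
        ("visitor opens a connection to the DMZ web server",
         Packet("198.51.100.9", 51000, "192.0.2.10", 80, "outside", syn=True)),
        ("web server answers the visitor",
         Packet("192.0.2.10", 80, "198.51.100.9", 51000, "dmz", syn=True, ack=True)),
    ]
    return [(what, stateless_filter(p), fw.filter(p)) for what, p in trace]


if __name__ == "__main__":
    for what, stateless, stateful in run_demo():
        print(f"{what:52s} stateless={stateless:6s} stateful={stateful}")
```

The two filters agree on legitimate traffic and on the DMZ rule. They disagree on the spoofed-source packet and on the stray ACK: the stateless ACL has to permit anything that merely looks like a reply or claims a trusted address, whereas the stateful table permits a packet from outside only if the matching connection was seen leaving first.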

Firewalling is evolving. For example, Cisco offers, on some switch models, a stateful firewall at the port level, thus providing tighter security inside the network, not just at the perimeter. The Cisco Catalyst 6500 Firewall Services Module provides a real-time, hardened and embedded security system.

Intrusion Detection and Prevention

IDSs and IPSs are part of the design solution for protecting primarily the perimeter, extranet, and increasingly internal network. The purpose of IDSs and IPSs is to monitor network traffic by analyzing each packet that enters the network.

Intrusion Detection Systems

As previously explained, an IDS scans network traffic for malicious activity. A management server, located on the inside network, logs the alerts of suspicious activities that are sent by the IDS.

An IDS watches for the following:

  • Attack signatures, such as DoS and virus patterns

  • Traffic anomalies, such as the same source sending countless SYN requests to a specific target

  • Protocol anomalies, such as a malformed packet
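The traffic anomaly in the list above is the SYN flood described under "Denial of Service Attacks": connections that stay embryonic because the originator never completes the handshake. The following added example (not code from the book) replays a constructed packet trace in Python, tracks which connections are still half-open, and reports them per source and per target. The packet records, addresses and the threshold of 20 half-open connections per source are assumptions for the demonstration. The per-target count is reported as well, because a flood that spoofs its source addresses (as the DDoS sidebar describes) spreads the half-open connections across many sources and defeats a per-source rule, while the server's own embryonic connection count still climbs.

```python
from collections import defaultdict

SYN, SYNACK, ACK = "S", "SA", "A"


def build_sample_trace():
    """Constructed packet records (time, src, sport, dst, dport, flags); not real capture data."""
    trace = []
    # a legitimate client completing two three-way handshakes with the web server
    for i, sport in enumerate((40000, 40001)):
        t = float(i)
        trace += [(t, "10.0.0.5", sport, "192.0.2.10", 80, SYN),
                  (t + 0.01, "192.0.2.10", 80, "10.0.0.5", sport, SYNACK),
                  (t + 0.02, "10.0.0.5", sport, "192.0.2.10", 80, ACK)]
    # one source that opens 30 connections and never sends the final ACK
    for i in range(30):
        t = 2.0 + i * 0.01
        trace += [(t, "198.51.100.200", 50000 + i, "192.0.2.10", 80, SYN),
                  (t + 0.005, "192.0.2.10", 80, "198.51.100.200", 50000 + i, SYNACK)]
    return sorted(trace)


def track_half_open(trace):
    """Replay the trace; return the flows that are still embryonic at the end."""
    state = {}   # (client, sport, server, dport) -> "half-open" or "open"
    for _, src, sport, dst, dport, flags in trace:
        key = (src, sport, dst, dport)
        if flags == SYN:
            state[key] = "half-open"           # the server has now reserved resources for it
        elif flags == ACK and state.get(key) == "half-open":
            state[key] = "open"                # handshake completed by the client
        # a SYN-ACK is the server's reply; it does not complete the handshake
    return [key for key, s in state.items() if s == "half-open"]


def embryonic_report(trace, per_source_threshold=20):
    """Count embryonic connections per source and per target, and flag noisy sources."""
    per_source = defaultdict(int)
    per_target = defaultdict(int)
    for client, _, server, dport in track_half_open(trace):
        per_source[client] += 1
        per_target[(server, dport)] += 1
    suspects = sorted(s for s, n in per_source.items() if n >= per_source_threshold)
    return {"per_source": dict(per_source),
            "per_target": dict(per_target),
            "suspects": suspects}


if __name__ == "__main__":
    report = embryonic_report(build_sample_trace())
    print("half-open per source:", report["per_source"])
    print("half-open per target:", report["per_target"])
    print("suspect sources:", report["suspects"])
```

In the sample trace the legitimate client leaves nothing half-open, so it never appears in the report; the single source with 30 incomplete handshakes is flagged, and the target's count shows the resource pressure the server is under regardless of who caused it.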

An IDS can be one of the following:

  • Network-based IDS (NIDS)—A dedicated appliance installed on the network

  • Host-based IDS (HIDS)—Integrated software on a mission-critical system, such as a web server

Network-Based IDSs

NIDSs are efficient and don’t introduce latency in a network because they perform their analysis on “copies” of the data, not on the packets themselves, as shown in Figure 4-5. When designing a campus network, set up the NIDS to have its reporting interface on the inside network and its stealth interface on the outside network. A stealth interface is physically present on a network but has no IP address. Without an IP address, the hacker cannot address and therefore hack through that stealth interface.

Figure 4-5. Stealth Operation of an IDS[4]

As an alternative to buying a dedicated IDS appliance, your network design might harness the basic IDS capabilities that are built into Cisco PIX Firewalls and specific Cisco router IOS versions.

Host-Based IDSs

HIDSs are typically installed on mission-critical devices, such as web servers and e-mail servers, but can also be installed on desktop and laptop PCs. Cisco offers an HIDS solution called the Cisco Secure Agent (CSA).

CSA closely monitors the behavior of code arriving at the end point and prevents attacks while reporting the incident to the management server.

Intrusion Prevention Systems

IPSs have naturally evolved from IDSs. An IPS has the extra capabilities of taking remedial actions when it confirms suspicious activities. Upon discovering malicious activity, the IPS can take at least one of the following actions:

  • Alert the management console server

  • Send a TCP reset (RST) to the source

  • Shun the source of the attack by sending a command to the firewall requesting it to temporarily block the suspect IP address

Currently, only subtle differences exist between IDSs and IPSs; therefore, many vendors interchange the terms.

Target-Based Intrusion Detection Systems

A significant issue with IDSs is the number of alarms that they generate. The number of alarms generated by the sensor can be reduced by locating the monitoring interface on the inside link of a firewall, instead of the outside link. If you put your IDS monitoring connection before the firewall (the outside interface), you will get alarms for traffic that would be stopped by the firewall anyway; however, if you put the IDS monitoring interface on the inside interface, it will only catch, and therefore generate alarms about, malicious traffic that has passed through the firewall. Another significant issue with IDSs/IPSs is false positives. False positives are alerts triggered by legitimate activities, in which case no alarm should have been raised.

A target-based IDS, such as Cisco Threat Response, tries to address this problem by investigating in-depth and relative to the target an alert received by the network management console. The target-based IDS does the following:

  • Compares the kind of attack reported to the device targeted

  • Evaluates whether the target is truly at risk by comparing the threats to the vulnerabilities of the operating system of the target

  • Compares the threat with the patch history of the targeted system

Content Filtering

In addition to controlling outbound traffic through filtering configured in the perimeter router or Internet firewall, the network design might also include the following:

  • Uniform resource locator (URL) filtering

  • E-mail filtering

URL Filtering

Corporations use content filtering to enforce their Internet usage policies, hoping to protect themselves from possible legal implications should their employees visit objectionable websites.

With content filtering, outbound user traffic that is looking for a specific URL is checked by the firewall against the content-filtering server that is installed on the corporate network. The firewall is provided by the content-filtering server with a permit or deny for the website requested by the user. The sophisticated content-filtering software installed on a corporate server can have over 5 million websites in its database. The network administrator sets the policies to allow or deny access to groups and individual websites. The permissions can also be based on daily usage or time of day. As an example, a system administrator could set a rule that allows users to visit online banking sites only during the lunch hour.

E-mail Filtering

When designing your corporate e-mail services, consider including an e-mail filtering service. That service, installed on the same network segment as your mail server (usually in a DMZ), sanitizes the e-mail from malware and some executable attachments prior to delivery of the messages to the end user.

Secure Communication

Encryption addresses the need for data confidentiality, which often finds itself in the forefront of network design. Confidentiality of data refers to the inability for wandering eyes to see and/or decipher a message sent from one party to another.

Encryption is a significant topic and can easily fill books by itself. Therefore, this section provides only enough information to assist you in network design. Should you be interested in a detailed book on encryption, read The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, by Simon Singh (ISBN 0-385-49532-3, Anchor, 2000). Some basic principles of encryption are presented in this section.

As shown in Figure 4-6, the following two components are essential to encryption:

  • Encryption algorithm

  • Encryption keys

Figure 4-6. Encryption Operation[5]

Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) are all common encryption algorithms used in IP security (IPsec). IPsec is discussed in the next section of this chapter. The algorithm can be seen as the engine of encryption—the morphing device through which the data goes. The “pattern” of morphing is provided by the “key.” An encryption key is a code that enciphers and deciphers a stream of data. Encryption keys must be well guarded and shared only between the two parties requiring securing communications. The following are the two types of encryption keys:

  • Symmetrical keys—The same key encrypts and decrypts a message.

  • Asymmetrical keys—A different key decrypts a message from the key that encrypted the message. This is the case with public and private keys.

A key becomes vulnerable when it has been in service for a long period because the hacker has had time to attempt to break it. A key is also vulnerable if a large quantity of data is encrypted with it: The hacker would then have a large sample of cipher text to try deciphering. Therefore, when designing a network, you should consider having keys that expire frequently and when large amounts of data have been encrypted through that key.

As part of network design activities, you might consider using one of the following common encryption scenarios:

  • Encrypted VPN

  • SSL

  • File encryption

Encrypted VPN

An encrypted VPN consists of a tunnel in which data transiting through it is encrypted, as shown in Figure 4-7. The tunnel can originate from a VPN-enabled device or from a remote user running VPN software on his computer.

Figure 4-7. Encrypted Tunnels[6]

The most common standard for encrypted VPN is IPsec. IPsec provides three optional mechanisms, as explained in Table 4-1.

Table 4-1. IPsec Mechanisms (IPsec Option—Description)

  • Authenticity—Only a legitimate sender and receiver would successfully encrypt and decrypt a message, thus providing proof of authenticity of the message.

  • Confidentiality—The message is encrypted and therefore illegible to onlookers. Only those in possession of the legitimate key can decipher the message.

  • Integrity—A hash is appended to the message, confirming its integrity. See the following sidebar for more about hashing.
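The integrity row of Table 4-1 says a hash is appended to the message. The following added example (not code from the book, and not how any IPsec implementation is written) shows in Python, using only the standard library, why the hash has to be keyed: an unkeyed digest detects accidental corruption but can be recomputed by whoever altered the message, while an HMAC computed with the shared key fails on any altered body or on a tag made with a different key, which is what ties integrity to authenticity. The key, the message and the altered message are constructed for the demonstration.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes appended to every message


def append_digest(message: bytes) -> bytes:
    """Unkeyed hash: detects accidental corruption only."""
    return message + hashlib.sha256(message).digest()


def check_digest(packet: bytes):
    """Return the message if its unkeyed digest matches, else None."""
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return message if hashlib.sha256(message).digest() == tag else None


def protect(message: bytes, key: bytes) -> bytes:
    """Keyed hash (HMAC-SHA256): only holders of the key can produce a valid tag."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify(packet: bytes, key: bytes):
    """Return the message if the HMAC tag is valid under this key, else None."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # constant-time comparison, so timing does not reveal how many tag bytes matched
    return message if hmac.compare_digest(tag, expected) else None


def demo():
    """Exercise both schemes on a constructed message; returns a dict of outcomes."""
    key = b"constructed-shared-key-for-demo"     # constructed; IPsec negotiates keys via IKE
    msg = b"transfer 100 to account 42"
    altered = b"transfer 900 to account 42"
    results = {}
    # 1. unkeyed digest: an in-path modifier can simply recompute it for the altered text
    results["digest_accepts_recomputed"] = check_digest(append_digest(altered)) == altered
    # 2. HMAC: the genuine packet verifies ...
    packet = protect(msg, key)
    results["hmac_accepts_genuine"] = verify(packet, key) == msg
    # ... an altered body under the original tag fails ...
    results["hmac_rejects_tampered_body"] = verify(altered + packet[-TAG_LEN:], key) is None
    # ... and a tag produced with some other key fails, which is the authenticity proof
    results["hmac_rejects_other_key"] = verify(protect(msg, b"other-key"), key) is None
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} {outcome}")
```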

VPN-enabled devices that might be included in the design of a network are as follows:

  • VPN concentrator—Dedicated appliance that is optimized to manage multiple encrypted tunnels and profiles.

  • Router—IPsec technology is available on specific versions of Cisco IOS.

  • Firewall—IPsec technology is available on PIX Firewalls.

  • IPsec client—Mobile workers can harness the potential of IPsec by installing VPN connectivity software, thus creating a tunnel from their laptop up to the VPN-enabled device such as a VPN concentrator, router, or firewall.

SSL

SSL provides encryption of data to and from a web browser and could be included in a network design if a point-to-point encryption is needed for a service. It is commonly seen for online banking or shopping transactions and web mail operations. It is also popular for organizations that do not want to install VPN-client software on remote hosts.

File Encryption

In the case where a document requires confidentiality but the communication might be in clear text, a person can use file-encryption software such as Pretty Good Privacy (PGP) to encrypt the file. The encrypted file must be decrypted by the reader after it is received.

Trust and Identity

Trust and identity management includes the following:

  • Authentication, authorization, and accounting capabilities

  • Network Admission Control

Authentication, Authorization, and Accounting

AAA is a crucial aspect of network security and should be considered during the network design. This can be accomplished through a AAA server, which handles the following:

  • Authentication—Who? Checks the identity of the user, typically through a username and password combination.

  • Authorization—What? After the user is validated, the AAA server dictates what activity the user is allowed to perform on the network.

  • Accounting—When? The AAA server can record the length of the session, the services accessed during the session, and so forth.

AAA can be managed by a Cisco Secure Access Control Server (ACS).

The principles of strong authentication should be included in the user authentication.

Key Point

Strong authentication refers to the two-factor authentication method. The users are authenticated using two of the following factors:

  • Something you know—Such as a password or personal identification number (PIN)

  • Something you have—Such as an access card, bank card, or token[*]

  • Something you are—For example, some biometrics, such as a retina print or a fingerprint

  • Something you do—Such as your handwriting, including the style, pressure applied, and so forth

As an example, when accessing an automated teller machine, strong authentication is enforced because a bank card (something you have) and a PIN (something you know) are used.
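The three AAA questions and the two-factor rule above can be exercised end to end in a small program. The following is an added example in Python, not code from the book and not a model of Cisco Secure ACS: a toy AAA server that authenticates with a password (something you know) and an event-based one-time code from a token (something you have), authorizes by role, and writes accounting records. The one-time code follows RFC 4226 (HOTP); the users, passwords, role table and salt are constructed, and the token secret is the RFC 4226 test key. Codes are consumed on use so a captured code cannot be replayed, and a code is only consumed when the password was also correct.

```python
import hashlib
import hmac

ROLES = {"engineer": {"ssh", "vpn", "web"}, "guest": {"web"}}   # constructed authorization policy


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 event-based one-time code, as a hardware or phone token would display it."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, stretched hash so a stolen user table does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AAAServer:
    def __init__(self):
        self.users = {}
        self.records = []     # accounting log: one dict per event

    def add_user(self, name, password, token_secret, role, salt):
        self.users[name] = {"salt": salt, "pw": hash_password(password, salt),
                            "secret": token_secret, "counter": 0, "role": role}

    def _record(self, now, user, event, **extra):
        self.records.append({"time": now, "user": user, "event": event, **extra})

    # Authentication: "who?" -- something you know AND something you have
    def authenticate(self, name, password, otp, now, lookahead=3):
        user = self.users.get(name)
        if user is None:
            self._record(now, name, "auth-fail", reason="unknown user")
            return False
        pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw"])
        matched = None
        for c in range(user["counter"], user["counter"] + lookahead):   # tolerate skipped presses
            if hmac.compare_digest(hotp(user["secret"], c), otp):
                matched = c
                break
        if pw_ok and matched is not None:
            user["counter"] = matched + 1        # consume the code so it cannot be replayed
            self._record(now, name, "auth-ok")
            return True
        self._record(now, name, "auth-fail", reason="password" if not pw_ok else "token")
        return False

    # Authorization: "what?"
    def authorize(self, name, service, now):
        allowed = service in ROLES.get(self.users[name]["role"], set())
        self._record(now, name, "authz-" + ("ok" if allowed else "deny"), service=service)
        return allowed

    # Accounting: "when?" -- session start and stop records
    def session(self, name, service, start, stop):
        self._record(start, name, "session-start", service=service)
        self._record(stop, name, "session-stop", service=service, seconds=stop - start)


def build_server():
    """Constructed users and secrets; the token secret is the RFC 4226 test key."""
    srv = AAAServer()
    salt = b"constructed-salt-use-os.urandom-in-practice"
    srv.add_user("alice", "correct horse battery staple", b"12345678901234567890", "engineer", salt)
    srv.add_user("bob", "bob-password", b"another-constructed-secret", "guest", salt)
    return srv


if __name__ == "__main__":
    srv = build_server()
    code = hotp(b"12345678901234567890", 0)          # what alice's token shows first
    print("login:", srv.authenticate("alice", "correct horse battery staple", code, now=1))
    print("replay:", srv.authenticate("alice", "correct horse battery staple", code, now=2))
    print("vpn allowed:", srv.authorize("alice", "vpn", now=3))
    srv.session("alice", "vpn", start=3, stop=903)
    for rec in srv.records:
        print(rec)
```

The `now` parameter is passed in rather than read from the clock so the accounting records are reproducible; a real server would stamp its own time and would use a random per-user salt.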

Network Admission Control

NAC, the latest feature in Cisco’s security portfolio, should be considered in the design of your network. NAC ensures that users and their computers comply with corporate network policies.

On a corporate network with NAC, a network access device (NAD)—for example, a router—intercepts attempts to connect from local or remote users. As shown in Figure 4-8, the Cisco trust agent, residing on the end point (for example, a user’s laptop), provides the NAD with pertinent information, such as the version of antivirus software and the patch level of the connecting laptop. The NAD passes the end-point security credentials to a policy server, which decides whether access will be granted to the end point. Noncompliant end points are quarantined until they meet NAC standards.

Figure 4-8. Network Admission Control

Public Key Infrastructure

PKI is a set of technologies and procedures that authenticate users. It addresses the issue of key distribution by using private keys and public keys. These are asymmetrical keys, and the public keys usually reside on a central repository called a certification authority (CA). The private keys are usually stored locally on devices. PKI operations are shown in Figure 4-9.

Figure 4-9. Private and Public Key Operations[7]

Each unique pair of public and private keys is related, but not identical. Data encrypted with a public key can be deciphered only with the corresponding private key, while data encrypted with a private key can be deciphered only with its corresponding public key.

PKI is usually considered in the design of complex enterprise networks where it is too cumbersome for each party to locally keep the public key of every other party that he or she wants to communicate with using encryption. In a PKI environment, the public keys are kept centrally, thus simplifying the distribution and management of those keys.
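The two statements above, that data encrypted with a public key is recovered only with the matching private key and vice versa, and that public keys live in a central repository, can be shown with textbook RSA. The following is an added example, not code from the book: a Python toy with deliberately tiny, constructed primes (the classic 61 and 53 pair and a second pair, 67 and 71), a `Repository` class standing in for the central store the book places at the CA, and the four operations a party performs. It illustrates the key relationships only; real keys are thousands of bits long, use padding, and come with certificates, none of which this toy models.

```python
def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA key pair from two primes (toy sizes, constructed for the demo)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)                # (public key, private key)


def apply_key(value: int, key) -> int:
    """Raise value to the key's exponent mod n; the same operation serves both directions."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


class Repository:
    """Stand-in for the central repository of public keys (the CA in the book's description)."""

    def __init__(self):
        self._public = {}

    def publish(self, name: str, public_key) -> None:
        self._public[name] = public_key

    def lookup(self, name: str):
        return self._public[name]


def build_parties():
    """Two constructed parties; private keys stay local, public keys go to the repository."""
    repo = Repository()
    alice_pub, alice_priv = make_keypair(61, 53)   # n = 3233, the classic textbook pair
    bob_pub, bob_priv = make_keypair(67, 71)       # n = 4757
    repo.publish("alice", alice_pub)
    repo.publish("bob", bob_pub)
    return repo, {"alice": alice_priv, "bob": bob_priv}


def encrypt_for(repo: Repository, recipient: str, plaintext: int) -> int:
    """Anyone can encrypt using the recipient's published public key."""
    return apply_key(plaintext, repo.lookup(recipient))


def decrypt_with(private_key, ciphertext: int) -> int:
    """Only the holder of the matching private key recovers the plaintext."""
    return apply_key(ciphertext, private_key)


def sign(private_key, value: int) -> int:
    """The reverse direction: only the private key's owner can produce this."""
    return apply_key(value, private_key)


def verify(repo: Repository, signer: str, value: int, signature: int) -> bool:
    """Anyone can check a signature with the signer's public key from the repository."""
    return apply_key(signature, repo.lookup(signer)) == value


if __name__ == "__main__":
    repo, private = build_parties()
    c = encrypt_for(repo, "alice", 65)
    print("ciphertext for alice:", c)
    print("alice decrypts:", decrypt_with(private["alice"], c))
    print("bob's key on alice's ciphertext:", decrypt_with(private["bob"], c))
    s = sign(private["alice"], 65)
    print("alice's signature verifies:", verify(repo, "alice", 65, s))
```

Neither party ever transmits a private key; the only thing shared is what the repository publishes, which is the key-distribution point the book makes.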

Network Security Best Practices

As in any field, network security also possesses a set of best practices. Best practices are the recommendation of due care that subject-matter experts have agreed upon for a particular field.

Network security includes many well-known practices presented in the following sections.

Network Management

Most security appliances, such as firewalls, routers, and IDSs, can send syslog security triggers to a central repository such as a syslog server. There is a saying in network security: “If you log it, read it.” This is to say that it’s futile to just log information if you never analyze the logs. To help the network administrator sort and extract meaningful information from the large quantity of syslog data received, security event management software should be used. Should a significant anomaly be discovered, the software can notify the network administrator through e-mail, pager, or text messaging. In addition, correlation tool modules can be added to assist the network administrator in seeing security anomaly patterns from what would otherwise appear to be random activity taking place.
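"If you log it, read it" and the correlation modules mentioned above amount to parsing the lines every device sends and joining them across devices. The following is an added example, not code from the book or from any event-management product: a Python correlator over constructed log lines in a simplified syslog-like layout (assumed for the demonstration, not a vendor format). It parses firewall deny records and IDS alerts and raises an incident when the same source appears in an IDS alert and in at least three firewall denies within the preceding minute, a pattern that would look like unrelated noise in either log on its own.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines in a simplified syslog-like layout (not a vendor format).
SAMPLE_LOGS = """\
2004-03-02T10:00:01 fw01 DENY tcp 198.51.100.200 -> 10.0.0.5:22
2004-03-02T10:00:02 fw01 DENY tcp 198.51.100.200 -> 10.0.0.5:23
2004-03-02T10:00:03 fw01 DENY tcp 198.51.100.200 -> 10.0.0.5:135
2004-03-02T10:00:04 fw01 DENY tcp 198.51.100.200 -> 10.0.0.5:445
2004-03-02T10:00:09 fw01 DENY tcp 203.0.113.9 -> 10.0.0.5:22
2004-03-02T10:00:20 ids01 ALERT sig=portscan src=198.51.100.200
2004-03-02T10:05:00 ids01 ALERT sig=malformed-packet src=10.0.0.7
2004-03-02T11:30:00 fw01 DENY tcp 203.0.113.9 -> 10.0.0.5:80
""".splitlines()

LINE = re.compile(r"^(\S+) (\S+) (DENY|ALERT) (.*)$")
DENY = re.compile(r"tcp (\S+) -> (\S+):(\d+)")
ALERT = re.compile(r"sig=(\S+) src=(\S+)")


def parse_line(line: str):
    """Turn one log line into an event dict, or None if it is not in a shape we understand."""
    m = LINE.match(line)
    if not m:
        return None
    ts, host, kind, rest = m.groups()
    event = {"time": datetime.fromisoformat(ts), "device": host, "kind": kind}
    if kind == "DENY":
        d = DENY.match(rest)
        if not d:
            return None
        event.update(src=d.group(1), dst=d.group(2), dport=int(d.group(3)))
    else:
        a = ALERT.match(rest)
        if not a:
            return None
        event.update(signature=a.group(1), src=a.group(2))
    return event


def correlate(lines, window_seconds=60, min_denies=3):
    """An IDS alert plus repeated firewall denies from one source inside the window is an incident."""
    events = [e for e in map(parse_line, lines) if e]
    incidents = []
    for alert in (e for e in events if e["kind"] == "ALERT"):
        earliest = alert["time"] - timedelta(seconds=window_seconds)
        denies = [e for e in events
                  if e["kind"] == "DENY" and e["src"] == alert["src"]
                  and earliest <= e["time"] <= alert["time"]]
        if len(denies) >= min_denies:
            incidents.append({
                "src": alert["src"],
                "signature": alert["signature"],
                "denies": len(denies),
                "ports": sorted(e["dport"] for e in denies),
                "devices": sorted({e["device"] for e in denies} | {alert["device"]}),
            })
    return incidents


if __name__ == "__main__":
    for incident in correlate(SAMPLE_LOGS):
        print(incident)
```

Of the three sources in the sample, only one is raised: the second has firewall denies but no IDS alert, and the third has an alert but no denies, so neither crosses the correlation rule. Tuning `window_seconds` and `min_denies` is the false-positive trade-off the IDS section discusses.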

Assessment and Audits

Prior to designing your network, you should conduct a security assessment to uncover potential vulnerabilities and therefore target your security efforts where they are the most effective.

Subsequently, when your network security systems are in full production, it can be beneficial to hire a security audit company that can perform penetration testing and report on the corporate network security position.

Policies

Sophisticated security equipment is no match for sloppy user behavior. Organizations must develop basic network policies, disseminate them, and enforce them. Examples of network security policies are as follows:

  • Internet usage policy

  • E-mail usage policy

  • Remote-access policy

  • Password-handling policy

  • Software and hardware installation policy

  • Physical security policy

  • Business continuity policy

SAFE Campus Design

Cisco has developed a guide, called the Cisco SAFE Blueprint, of best practices for designing and securing networks. The Cisco SAFE Blueprint addresses design issues by dividing a large network into layers of modularity. This modular approach helps to ensure that proper consideration is provided to each critical part of the network at the time of design, and it provides scalability.

As introduced in Chapter 1, “Network Design,” the Cisco Enterprise Composite Network Model is the name given to the architecture used by the SAFE blueprint. At the highest layer, this model divides an enterprise network into the following three main functional areas:

  • Enterprise Campus

  • Enterprise Edge

  • Service Provider Edge

At the second layer of modularity, shown in Figure 4-10, the Enterprise Campus functional area is subdivided into multiple modules. Table 4-2 lists those modules, some of the key devices found in each, and some security design considerations that apply to each.

Figure 4-10. Enterprise Campus Module Details

Table 4-2. Enterprise Campus Detail

(Columns: Enterprise Campus Module; Key Devices; Special Security Design Considerations)

Network Management Module
  Key devices: HIDS, virus scanning, OTP server, Access Control Server, network log server, Layer 2 switch
  Special security design considerations: Out-of-band management should be preferred over in-band management. If in-band management must be used, employ IPsec, SSL, or SSH.

Core Module
  Key devices: Layer 3 switch
  Special security design considerations: No special consideration, other than the fact that switches are a target and should be protected. We explain this in Chapter 2, “Switching Design.”

Building Distribution Module
  Key devices: Layer 3 switch
  Special security design considerations: VLANs can be used to further segment the different departments within a campus.

Building Module (corporate user access)
  Key devices: Layer 2 switch, host virus scanning, Network Admission Control
  Special security design considerations: A switched environment is recommended to reduce the risk of packet sniffing.

Server Module
  Key devices: Layer 3 switch, HIDS
  Special security design considerations: Often the target of internal attacks, servers should not only be physically secured and running an IDS but should also be kept up to date with the latest patches.

Edge Distribution Module
  Key devices: Layer 3 switch
  Special security design considerations: Depending on the size of the infrastructure, the Edge Distribution Module can be folded into the Core Module. In this case, an IDS should be included in the Core Module. This could be done with the insertion of an IDS card in the Layer 3 switch.

If some of the redundancy shown in Figure 4-10 is removed and as many as possible of the security elements discussed in this chapter are integrated, a campus network design might look like the one shown in Figure 4-11.

Figure 4-11. Enterprise Campus Network Design

For more information on the Cisco Secure Blueprint for Enterprise Networks (SAFE) white paper, visit http://www.cisco.com/go/safe.

In addition to SAFE, Cisco has been promoting the self-defending network concept. The philosophy for a self-defending network is to have security present in every aspect of an organization. In a self-defending network, every device, from the desktop PC through the LAN infrastructure and across the WAN, plays a role in securing the network. For more on self-defending networks, visit the Cisco website.

This chapter explores the following critical elements of campus security that make up the Self-Defending Network philosophy of Cisco:

  • Firewalls

  • Routers

  • VPN Concentrators

  • IDSs and IPSs

  • Encryption, VPN, and IPsec

  • End-point antivirus software and Cisco Secure Agent

  • Access Control Server

  • Network Admission Control

  • Public key infrastructure

Summary

This chapter summarizes the threats and vulnerabilities that hacking presents as well as the business case for considering security in campus design.

It covers the crucial devices and technologies for mitigating threats and follows this up by discussing the design implications within the framework of the Cisco SAFE Blueprint and the Cisco philosophy to have security present in every aspect of an organization.

Chapter 2 covers security in switches, and in the chapters to come, we further discuss network security as it relates to IP telephony, wireless connectivity, and network management.

[*] Tokens are key-chain-size devices that show, one at a time, in a predefined order, a one-time password (OTP). The OTP is displayed on the token’s small LCD, typically for 1 minute, before the next password in the sequence appears. The token is synchronized with a token server, which has the same predefined list of passcodes for that one user. Therefore, at any given time, only one valid password exists between the server and a token.
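As an added worked example of the token mechanism the footnote describes (example code written for this page, not from the book or from any token vendor): the token and the server share a secret from which both can derive the same ordered list of passcodes, one per 1-minute slot, so at any moment exactly one passcode is valid, and the server refuses to accept it a second time. The secret, the HMAC-based derivation, and the class names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed shared secret for one user; a real token carries a factory-provisioned secret.
SECRET = b"constructed-secret-for-one-user"
SLOT_SECONDS = 60   # the footnote's "typically for 1 minute"

def passcode(secret, slot):
    """Derive the 6-digit passcode for one slot; both sides compute the same value (assumed scheme)."""
    digest = hmac.new(secret, slot.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

class Token:
    """The key-chain device: displays the passcode for the current 1-minute slot."""
    def __init__(self, secret):
        self.secret = secret

    def display(self, now):
        return passcode(self.secret, now // SLOT_SECONDS)

class TokenServer:
    """Holds the same secret, so it regenerates the same sequence and knows which code is current."""
    def __init__(self, secret):
        self.secret = secret
        self.used_slots = set()   # one-time: a slot whose code was accepted is never accepted again

    def verify(self, code, now):
        slot = now // SLOT_SECONDS
        if slot in self.used_slots:
            return False          # replay of a code already accepted in this slot
        if hmac.compare_digest(code, passcode(self.secret, slot)):
            self.used_slots.add(slot)
            return True
        return False              # wrong code, or the code for an earlier or later slot
```

A code read off the token is accepted once within its own minute; the same code presented again, or presented in the next minute, is rejected.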
