Cisco Secure Product Family

To complement Cisco's leading presence in the internetworking device market, Cisco's range of security products has been built and recently amalgamated under the Cisco Secure product family title.

These products provide various security functions and features to enhance the service provided by the current range of routers and switches. Every product in the Cisco Secure product family has its place in the Cisco Security Solution as outlined previously and in Appendix A, “Cisco SAFE: A Security Blueprint for Enterprise Networks,” confirming Cisco's stance and commitment to the preservation of network security.

This section provides a brief overview of the product range and explains the main features of each product.

The following products make up the Cisco Secure product family:

  • Cisco Secure PIX Firewall

  • Cisco IOS Firewall

  • Cisco Secure Intrusion Detection System

  • Cisco Secure Scanner

  • Cisco Secure Policy Manager

  • Cisco Secure Access Control System

Cisco Secure PIX Firewall

The Cisco Secure PIX Firewall is the dedicated hardware firewall in the Cisco Secure product family. The PIX Firewall is the industry leader in both market share and performance within the firewall market.

The Cisco PIX Firewall is built around a secure, real-time, embedded operating system that is not based on UNIX, which delivers excellent performance without compromising security. This level of performance comes from the purpose-built hardware and software architecture of the PIX Firewall, compared with firewalls that run as applications on a general-purpose operating system.

The Cisco PIX Firewall implements the Internet Engineering Task Force (IETF) IPSec standard for secure private communications over the Internet or any IP network. This makes the Cisco Secure PIX Firewall an excellent and logical choice for terminating IPSec Virtual Private Network (VPN) traffic from IPSec-compliant network equipment.

Currently, there are five models of the PIX Firewall:

  • PIX 506— The PIX 506 is the entry-level firewall designed for high-end small office, home office (SOHO) installations. The throughput has been measured at 10 Mbps and reflects the market at which the product is aimed.

  • PIX 515— The PIX 515 is the midrange firewall designed for small or medium businesses and remote office deployments. It occupies only one rack unit and offers a throughput of up to 120 Mbps with a maximum of 125,000 concurrent sessions. The default configuration is two Fast Ethernet ports, and it can be expanded through two onboard PCI slots.

  • PIX 520— The PIX 520 is the high-end firewall designed for enterprise and service provider use. The unit occupies three rack units and offers a throughput of up to 370 Mbps with a maximum of 250,000 concurrent sessions. The default configuration consists of two Fast Ethernet ports, and it can be expanded through four onboard PCI slots. An end-of-life date of 23 June 2001 has been announced for the PIX 520. The replacement for the PIX 520 is the PIX 525.

  • PIX 525— The PIX 525 is intended for enterprise and service provider use. It has a throughput of 370 Mbps with the ability to handle as many as 280,000 simultaneous sessions. Its 600 MHz CPU allows it to deliver 25 to 30 percent more firewall capacity than the PIX 520 it replaces.

  • PIX 535— The Cisco Secure PIX 535 is the latest and largest addition to the PIX 500 series. Intended for enterprise and service provider use, it has a throughput of 1.0 Gbps with the ability to handle up to 500,000 concurrent connections. It supports both site-to-site and remote access VPN applications using 56-bit DES or 168-bit 3DES, and its integrated VPN functionality can be supplemented with a VPN Accelerator card to deliver 100 Mbps of IPSec throughput and 2,000 IPSec tunnels.

There is also a dedicated PIX Firewall VPN Accelerator Card (VAC) that can be used in the PIX 515, 520, 525, and 535 units. This card performs hardware acceleration of VPN traffic encryption and decryption, providing 100 Mbps of IPSec throughput with 168-bit 3DES.

The PIX Firewall is configured from a command-line interface. The commands resemble those of the standard Cisco IOS, but the PIX applies a different default policy: each interface is assigned a security level, traffic from a higher-security interface to a lower-security interface (for example, inside to outside) is permitted by default, and traffic in the opposite direction is denied unless it is explicitly allowed.
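As an added example that is not from the original chapter or from a Cisco configuration guide, the following PIX 5.x-style configuration shows that default policy in practice. The interface names, addresses, and the inbound web server are assumptions chosen for illustration (192.0.2.0/24 is documentation address space, 10.1.1.0/24 is private space); only the command syntax is the PIX's own.

```text
! Assumed two-interface PIX. The security level on each interface
! sets the default policy: 100 (inside) may talk to 0 (outside),
! 0 may not talk to 100 unless explicitly permitted below.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
!
! Outbound (inside -> outside) is already allowed by the security
! levels; it only needs an address translation to leave the box.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 192.0.2.10-192.0.2.100 netmask 255.255.255.0
!
! Inbound (outside -> inside) is denied unless BOTH a static
! translation exposes the host AND an access-list entry permits
! the port. Either one on its own opens nothing.
static (inside,outside) 192.0.2.5 10.1.1.5 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 192.0.2.5 eq www
access-list inbound deny ip any any
access-group inbound in interface outside
```

The check a practitioner wants here is the asymmetry: with this configuration 10.1.1.5 is reachable from the outside on TCP port 80 only, and deleting the `access-list inbound permit` line closes it again even though the `static` remains, because lower-to-higher traffic is denied by default. `show xlate` and `show conn` on the PIX show the translations and the stateful connection table that result.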

Further information on the Cisco Secure PIX Firewall can be found at www.cisco.com/go/pix.

Cisco IOS Firewall

The Cisco IOS Firewall is an IOS-based software upgrade for a specific range of compatible Cisco routers.

The Cisco IOS Firewall provides an extensive set of new CLI commands that integrate firewall and intrusion detection functionality into the IOS of the router. These added security features enhance the existing Cisco IOS security capabilities, such as authentication and encryption. These added security features also add new capabilities, such as defense against network attacks; per-user authentication and authorization; real-time alerts; and stateful, application-based filtering.

VPN support is provided with the Cisco IOS Firewall utilizing the IETF IPSec standard as well as other IOS-based technologies such as L2TP tunneling.

Cisco IOS Firewall also adds limited intrusion detection capabilities. Traffic is compared to 59 default intrusion detection signatures, and output can be directed to the Cisco Secure IDS Director.
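As an added example that is not part of the original chapter, the following IOS Firewall configuration shows how the stateful inspection (CBAC) and the IOS intrusion detection signatures described above are attached to a router's Internet-facing interface. The interface names, addresses, the ISDN link (dialer and ISDN settings omitted), and the rule names FWRULE and IDSRULE are assumptions chosen for illustration; only the command syntax is Cisco IOS's own.

```text
! Assumed router: Ethernet0 faces the LAN (192.168.1.0/24), BRI0 is
! the ISDN link to the Internet. Addresses are illustrative.
!
! CBAC inspection rule: track sessions that leave through BRI0 and
! open temporary return entries in the inbound ACL only for them.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp
ip inspect name FWRULE http
ip inspect audit-trail
!
! Inbound ACL on the outside interface: drop spoofed private sources,
! allow the ICMP replies we need, and deny everything else. CBAC
! inserts the entries for return traffic of inspected sessions.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
!
! IOS IDS: alarm on informational signatures, alarm and drop on
! attack signatures, send alarms to syslog. Signature 2004 (ICMP
! echo request) is disabled here as an example of tuning noise.
ip audit notify log
ip audit signature 2004 disable
ip audit name IDSRULE info action alarm
ip audit name IDSRULE attack action alarm drop reset
!
interface BRI0
 ip address 192.0.2.2 255.255.255.252
 ip access-group 101 in
 ip inspect FWRULE out
 ip audit IDSRULE in
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
```

The direction of the two commands is the point that is easy to get wrong: `ip inspect FWRULE out` must be applied in the direction in which sessions are initiated (outbound on the outside interface), and the restrictive ACL must be applied inbound on the same interface, otherwise CBAC has no ACL to punch return holes into. `show ip inspect sessions` lists the sessions being tracked and `show ip audit statistics` shows signature hit counts.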

Although the performance of the Cisco IOS Firewall will never compete with that of the Cisco PIX Firewall, the Cisco IOS Firewall still has a place in the portfolio of most modern organizations. There are times when the full power and associated cost of a PIX Firewall are not required, either because the required throughput is low or because of an operational requirement. For example, a SOHO worker with a 64-kbps ISDN Internet connection is not going to be concerned about the lower throughput of the Cisco IOS Firewall compared with the PIX Firewall.

The features available with Cisco IOS Firewall are configurable using the Cisco ConfigMaker software. This eases the administrative burden placed on the network professional, because a full understanding of the CLI commands is not required to configure the security features and deploy the configurations throughout the required devices.

More information on ConfigMaker can be found at www.cisco.com/go/configmaker.

Further information on the Cisco IOS Firewall can be found at www.cisco.com/go/firewall.

Cisco Secure Intrusion Detection System (IDS)

Intrusion detection is a key element of an organization's overall security policy. Intrusion detection can be defined as detecting, reporting, and terminating unauthorized activity on the network.

The Cisco Secure Intrusion Detection System (IDS) (formerly NetRanger) is the dynamic security component of Cisco's end-to-end security product line. IDS is a real-time intrusion detection system designed for enterprise and service provider deployment. IDS detects, reports, and terminates unauthorized activity throughout the network.

Cisco Secure IDS consists of three major components:

  • The Intrusion Detection Sensor

  • The Intrusion Detection Director

  • The Intrusion Detection Post Office

Intrusion Detection Sensor

The Intrusion Detection Sensor is a network “plug-and-play” device that analyzes IP traffic and turns it into meaningful security events. These events are passed to the Intrusion Detection Director for analysis and any required further action.

The main features of the Intrusion Detection Sensor are

  • Network sensing— The sensor captures packets on one of its interfaces, reassembles the packets, and compares the data received against a rule set that contains signatures of the common network intrusions. Both the packet header and packet data are examined against the rule set to catch the varying types of attacks.

  • Attack response— If the sensor identifies an attack, the sensor will respond to the attack in the following user-configurable ways:

    - Generate an alarm— The sensor will generate an alarm and notify the Intrusion Detection Director immediately.

    - Generate IP session logs— A session log will be sent to the configurable log type and location. This session log will contain detailed information about the attack and will record the time of day along with any captured IP address information.

    - Reset TCP connections after an attack begins— The sensor can terminate individual TCP connections if it senses that they have been involved in an actual or attempted attack. All other connections go on as usual.

    - Shun the attack— The term shunning describes the sensor's ability to automatically reconfigure an access control list on a router, if the sensor detects suspicious activity. To implement shunning, the sensor changes the access control list on the device to block the attacker at the perimeter entry point to the network.

  • Device management— If the sensor detects suspicious activity, it has the ability to dynamically reconfigure a networking device's access control lists to shun the source of an attack in real time.
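What a shun looks like on the perimeter router, as an added example that is not from the original chapter and is not the sensor's exact output: the sensor logs in to the router and rewrites the access list it has been told to manage so that the attacker's address is denied ahead of the existing permit entry. The ACL number 199, the interface, the sensor address 10.1.1.20, the administrators' subnet, and the attacker address 198.51.100.7 are all assumptions chosen for illustration.

```text
! Perimeter router before any shun: the sensor owns ACL 199 on the
! Internet-facing interface, which starts out as permit-all.
access-list 199 permit ip any any
!
interface Serial0
 description Internet uplink
 ip access-group 199 in
!
! The sensor must be able to log in to manage the router; restrict
! the vty lines to the sensor and the administrators' subnet.
access-list 10 permit 10.1.1.20
access-list 10 permit 10.1.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login
!
! Effect of a shun after an attack from 198.51.100.7 is detected:
! the sensor rebuilds ACL 199 with the deny entry first, then the
! original permit. Blocked packets are logged for later review.
no access-list 199
access-list 199 deny ip host 198.51.100.7 any log
access-list 199 permit ip any any
```

Two checks before enabling shunning. First, shun only on signatures whose source address cannot be spoofed (those that require a completed TCP handshake), because an attacker who forges the address of a business partner or your DNS server can trick the sensor into blocking it; keep such addresses, and the sensor and director themselves, on the sensor's never-shun list. Second, between `no access-list 199` and the first new entry the interface references a list that does not exist, which IOS treats as permit-all, so the block fails open for a moment; confirm the rewritten list with `show access-lists 199` and watch the `log` hits.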

Intrusion Detection Director

The Intrusion Detection Director is the software application that monitors and controls the behavior of the sensors. There is usually only one Intrusion Detection Director on any given network, and all sensors direct their alarms and notifications to it. The Intrusion Detection Director software currently supports only the Solaris platform.

The main functions of the Intrusion Detection Director are

  • Initial configuration of the Intrusion Detection Sensor— Once the sensor has been configured on its own, the director will complete the configuration of the sensor and will start receiving alarms and notifications from it.

  • Intrusion Detection Sensor monitoring— The sensors send real-time security information to the director, and the director is responsible for collating and representing this data graphically on the director console.

  • Intrusion Detection Sensor management— The director can remotely manage the configuration of services on a sensor. This enables you to use the built-in embedded signatures or to create your own signatures to match the needs of your network.

  • Collection of the Intrusion Detection Sensor data— Every sensor sends its data to the director. The Intrusion Detection Director ships with drivers for Oracle and Remedy, enabling the administrator to write the data to an external data source for storage.

  • Analysis of the Intrusion Detection Sensor data— The Intrusion Detection Director software has a built-in set of SQL-compliant queries that can be run against data collected from the sensors. Many third-party tools can be integrated into the Intrusion Detection Director to provide more detailed analysis of the data presented.

  • Network Security Database— The Network Security Database (NSDB) is an HTML-based encyclopedia of network security information. This information includes the current vulnerabilities, their associated exploits, and preventive measures you can take to avoid them. This database is upgradable with a download from Cisco Connection Online (CCO), www.cisco.com, for customers with a maintenance agreement with Cisco. User-defined notes can be added to each vulnerability.

  • Support for user-defined actions— The Intrusion Detection Director can be programmed with user-defined actions. This can be as simple as sending specific people an e-mail if a certain condition is met or as complex as running a UNIX script to lock down a specific service.

Intrusion Detection Post Office

The IDS Post Office is the communications backbone that allows Cisco Secure IDS services and hosts to communicate with each other. All communications between the Intrusion Detection Sensor and Director use a proprietary connection-based protocol that can switch between alternate routes to maintain point-to-point connections.

Further information on the Cisco Secure Intrusion Detection System can be found at www.cisco.com/go/netranger.

Cisco Secure Scanner

The Cisco Secure Scanner (formerly Cisco NetSonar) is a software application that offers a complete suite of network scanning tools designed to run on either Windows NT or Solaris.

Network scanning is the process in which a designated host, configured as the scanner, examines all of the network, or just configurable parts of it (depending on the scanner), for known security weaknesses. The design and operation of the scanner make it a valuable asset in your quest for Internet security.

The Cisco Secure Scanner follows a four-step process to identify any possible network vulnerabilities:

Step 1. Gather information.

The user instructs the scanner to scan a network or various networks based on provided IP address details. The scanner identifies all active devices.

Step 2. Identify potential vulnerabilities.

The detailed information obtained from the active devices is compared against known vulnerabilities that apply to each host's type and version number.

Step 3. Confirm selected vulnerabilities.

The scanner can optionally confirm a suspected vulnerability with active probing techniques that are designed not to damage the network or the target host.

Step 4. Generate reports and graphs.

Once all of the information has been gathered and potential vulnerabilities have been identified, full reports can be created. These reports can be geared toward specific organizational roles, ranging from the system administrators to senior management.

The Cisco Secure Scanner identifies information about the network hosts for a given network. For example, you might scan your public IP address allocation of 212.1.1.0/24. The scanner will identify which IP addresses are live and will also extract the operating system, version number, domain name, and IP settings for all hosts, including internetworking devices such as routers, switches, and remote access servers. Key Internet servers such as Web, FTP, and SMTP servers will also be identified.

Once this information has been obtained, the list of hosts is compared against common vulnerabilities. These vulnerabilities are in the following categories:

  • TCP/IP

  • UNIX

  • Windows NT

  • Web servers (HTTP, HTTPS)

  • Mail servers (SMTP, POP3, IMAP4)

  • FTP servers

  • Firewalls

  • Routers

  • Switches

This vulnerability information is collated from the Network Security Database (NSDB). The NSDB contains the current well-known security vulnerabilities grouped by operating system. The Cisco Countermeasures Research Team (C-CRT) frequently updates the database, and the updated database is posted on Cisco Connection Online (CCO). Customers with maintenance contracts can download the latest database to update the scanning host with the most recent revision.

Figure 3-2 shows the scanner performing a scan for a given network.

Figure 3-2. Cisco Secure Scanner


Once the data has been collated and any vulnerability identified, the application allows you to create numerous charts and reports within three report formats. The reports are configurable for an Executive Report, Brief Technical Report, and Full Technical Report.

Figure 3-3 shows a sample Executive Summary from a Full Technical Report.

Figure 3-3. Cisco Secure Scanner Reporting


The Cisco Secure Scanner is a key component in the Cisco Security Solution. The product falls into the security monitoring category discussed in the previous “Security Monitoring” section, and it is a key element of the constant review of Internet security. As a network designer, you might feel that you have protected your network against all current Internet security threats. This may be true today, but each update of the NSDB can add threats that you have not considered or vulnerabilities that were not previously known to be exploitable. This constant evolution makes Internet security an ongoing task and the security scanner an invaluable tool for the modern network engineer.

Further information on the Cisco Secure Scanner can be found at www.cisco.com/go/netsonar.

Cisco Secure Policy Manager

Cisco Secure Policy Manager (formerly Cisco Security Manager) is a very powerful security policy management application designed around the integration of Cisco Secure PIX Firewalls, IPSec VPN-capable routers, and routers running the Cisco IOS Firewall feature set.

Currently, Cisco Secure Policy Manager is available only on the Windows NT platform.

The Policy Manager provides a tool that enables the security administrator to define, enforce, and audit security policies. The administrator is able to formulate complex security policies based on organizational needs. These policies are then converted to detailed configurations by the Policy Manager and distributed to the specific security devices in the network.

The main features of Cisco Secure Policy Manager are

  • Cisco firewall management— Cisco Secure Policy Manager empowers the user to define complex security policies and then distribute these to several hundred PIX Firewalls or routers running the Cisco IOS Firewall. Full management capabilities are available for the firewalls.

  • Cisco VPN router management— IPSec-based VPNs can be easily configured by using the simple GUI. As with the firewall management, this VPN configuration can be distributed to several hundred PIX Firewalls or routers running the Cisco IOS Firewall.

  • Security policy management— The GUI enables the creation of network-wide security policies. These security policies can be managed from a single point and delivered to several hundred firewall devices without requiring extensive device knowledge and dependency on the command-line interface.

  • Intelligent network management— The defined security policies are translated into the appropriate device commands to create the required device configuration. The device configuration is then securely distributed throughout the network, eliminating the need for device-by-device management.

  • Notification and reporting system— Cisco Secure Policy Manager provides a basic set of tools to monitor, alert, and report activity on the Cisco Secure devices. This provides the security administrator with reporting information that can be used to ascertain the current state of the security policy as well as a notification system to report various conditions. Along with the built-in notification and reporting tools, the product also integrates with leading third-party monitoring, billing, and reporting systems.

Figure 3-4 shows the main configuration screen of the Cisco Secure Policy Manager.

Figure 3-4. Cisco Secure Policy Manager


The following devices and software revisions are supported by Cisco Secure Policy Manager:

  • Cisco Secure PIX Firewall

    - PIX OS 4.2.4, 4.2.5, 4.4.x, 5.1.x, 5.2.x, 5.3.x

  • Cisco 1720 Series running Cisco IOS Firewall

  • Cisco 2600 Series running Cisco IOS Firewall

  • Cisco 3600 Series running Cisco IOS Firewall

  • Cisco 7100 Series running Cisco IOS Firewall

  • Cisco 7200 Series running Cisco IOS Firewall

NOTE

Though not documented at the time this book was written, Cisco Secure Policy Manager can be expected to support the Cisco PIX 525.


Further information on the Cisco Secure Policy Manager can be found at www.cisco.com/go/policymanager.

Cisco Secure Access Control Server (ACS)

Cisco Secure Access Control Server (ACS) (formerly known as Cisco Secure) is a complete network control solution built around the authentication, authorization, and accounting (AAA) standards. Currently, Cisco Secure ACS is available on Windows NT and Solaris platforms. Both versions have similar features and operate using industry-standard protocols.

AAA functions are available on most Cisco devices, including routers and the Cisco Secure PIX Firewall. The two main AAA protocols used are RADIUS and TACACS+. Figure 3-5 shows the main configuration screen of Cisco Secure ACS for Windows NT.

Figure 3-5. Cisco Secure ACS


Authentication

Authentication is the process of establishing a user's identity and verifying the credentials the user presents, such as the username and password pair used by most common network operating systems. Cisco Secure ACS provides a secure authentication method for controlling access to your corporate network. This access might include remote users logging in over a VPN or the corporate RAS system, or network administrators gaining access to internetworking devices such as routers or switches. Authentication can be performed against numerous data sources; for example, with the Windows NT version of Cisco Secure ACS, you can authenticate against the Windows NT User Domain. Leading token card (one-time password) products are also supported.

Authorization

With authorization, you can specify what users can do once they are authenticated. You create user profile policies on the ACS server that are enforced when the user logs in. This is useful for allowing specific groups of users access to specific areas on the network. For example, you can restrict access to the Internet for all users unless they are in the Internet Access user group on the ACS server.

Accounting

Accounting can be defined as recording what a user does once authenticated. This is extremely useful to implement on the internetworking devices within your operation. Unplanned changes to the configuration of a mission-critical router are common in every organization. These changes disrupt service, cause network downtime, and cost the company money. When it comes to identifying the culprit, you can expect that nobody will own up to making the changes. With the accounting features of Cisco Secure ACS, you can log every command that a user enters on a supporting device to either a comma-separated value (CSV) file or a syslog server, together with the logged-in username and the date and time. Accounting is a detective control rather than a preventive one: it does not stop a change from being made, but an audit trail that ties every command to a named user is an excellent deterrent against budding CCIE engineers tweaking configuration settings without really understanding the ramifications, and it is the record you need to trace a change afterward. If specific commands must actually be blocked, that is the job of authorization.
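The router side of the AAA arrangement described in the Authentication, Authorization, and Accounting sections above, as an added example that is not from the original chapter: an IOS router that authenticates administrators against Cisco Secure ACS over TACACS+, has ACS approve each privileged command, and sends an accounting record for every command. The ACS address 10.1.1.50, the shared key, the emergency local account, and the sample log line are assumptions chosen for illustration; only the command syntax is Cisco IOS's own.

```text
! Assumed ACS server and shared secret (illustrative values).
aaa new-model
tacacs-server host 10.1.1.50
tacacs-server key S3cr3tK3y
!
! Authentication: ask ACS first. The local database is consulted
! only when no ACS server answers, NOT when ACS rejects the user,
! so the emergency account cannot be reached by a failed login.
username emergency privilege 15 password 0 LocalOnlyPw
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: every privileged command is approved by ACS before
! it runs, so the user's ACS group decides what may be typed.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Accounting: a record for each exec session and for each privileged
! command, including configuration-mode commands.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! The "default" lists apply to all lines automatically; binding them
! here only makes the intent explicit.
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
!
! Each command then appears in the ACS TACACS+ administration log with
! the date, time, user name, group, command text and device address.
! Constructed example line; the exact column layout depends on the
! ACS version and is not taken from the original chapter:
!   03/15/2001,14:02:17,jsmith,NetAdmins,configure terminal,15,shell,10.1.1.1
```

The ordering of the method lists is the security-relevant detail: `group tacacs+ local` keeps an emergency account usable during an ACS outage without letting a user whom ACS has rejected fall through to it, and command authorization is what turns the accounting trail from a record of what happened into a control over what is allowed to happen.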

Further information on the Cisco Secure ACS can be found at www.cisco.com/go/ciscosecure.
