Now I'm trying to think back. Did I already call one of these Nuggets
in the CCDA series my favorite Nugget?
I hope I didn't, because this has got to be my favorite Nugget.
You see, I am currently studying to become a CCIE in
the area of security. I'm trying to follow in my dear friend and
CBT Nugget trainer Keith Barker's footsteps.
I'm a CCIE in the area of routing and switching, and I
want to add the CCIE in the area of security to that
designation. This Nugget is going to be all about
designing security solutions. And we're going to go on an amazing tour of
attacks and Cisco mitigation steps for these attacks.
So what exactly will we discover together in this
particular CBT Nugget? Well first of all, I have to discuss the fundamentals
of network security with you.
Let's talk about the common types of attacks that we are
going to face, and let's find out why this is such a big
deal, this whole concept of network security. Then let's outline some processes that we
can use. I want to give you some tried and true network
security processes that are going to really help you
and your clients keep themselves safe.
Speaking of safe, that'll be our next section. We'll look at the Security Architecture For
Enterprise. How clever.
Cisco came up with an acronym of SAFE to describe the
umbrella of Cisco products that exist for security.
In fact, that'll wrap up this Nugget. We'll go through and talk about selecting
the right security products for your design.
It is amazing how many different security products we
are going to discuss in these last two sections of this Nugget.
In fact, it makes this Nugget worth it just to sort out all
of the different security products that Cisco has in
their portfolio. You'll emerge from this Nugget being able
to describe to customers all of the different security products.
And that is valuable in and of itself. Now before we get too deep into this,
what is the big deal? Why, every time I open The Wall Street Journal--
and by the way, that's, of course, on my iPad. I got rid of the print edition long ago--
but when I open The Wall Street Journal each day, why
is it almost every issue I see something somewhere on network security?
Well one of the reasons why is indeed money. The cost to large organizations regarding
network security is huge. And how about the reputation of these organizations?
And of course, their reputation ties back to money,
absolutely. I remember when Sony had their online gaming
infrastructure compromised, and all of that credit card information
of all those gamers that were paying for monthly
online gaming fees got compromised.
There were some numbers about what that was going to cost
them from a reputation standpoint. Southwest Airlines was very forthcoming in
saying how much a network outage of their online
presence would cost them. Just think if someone did a massive distributed
denial of service attack-- and we'll cover what
that is here shortly-- if someone did one of those attacks against
them and brought down their online website, it was
millions and millions of dollars that it would cost them.
So security is a huge deal now for these organizations. And I'll tell you something else.
How about legislation? More and more there is legislation like
HIPAA, SOX, and PCI DSS.
And this legislation forces companies to go ahead and
really invest in network security. HIPAA is legislation about the health industry.
SOX is legislation about the financial industry. And PCI DSS is about online credit card transactions.
All of these are examples of legislation which forces
organizations today to really pay attention to network
security, so they don't end up breaking the law.
So we know network security is a big deal. But what are the common types of attacks that
we're guarding against these days and that we'll see?
Well I'm just going to give you an example of some.
We could do, obviously, an entire CBT Nugget series on
these various attacks and their mitigations. But let's talk about some of the classics.
Recon attacks, or reconnaissance attacks-- this would be something like a ping sweep.
And programs these days will combine this with port scans.
What's happening here is the attacker is trying to map out
your network infrastructure. They are creating their own set of documentation
about your network infrastructure, so they can
launch further attacks. So often, this is step one in further attacks
that are going to be taking place against your network infrastructure.
Isn't it sad to think that some attackers out there have
better network documentation than the organization they're attacking?
That is pretty sad. And this brings up an interesting point about
reconnaissance attacks. If we were to completely mitigate them, if
we were to make them virtually impossible to be carried
out against your organization, that would penalize your organization
because, sure enough, your organization wouldn't be able
to do a lot of the network management stuff they want to
be able to do. Let me give you an example.
It's ping sweeps. If we were to completely eliminate ping sweeps
by eliminating the ability to ping in our organization,
for example, then we are suffering because we
can't do the cool network management utility of ping.
So we constantly play a balancing act when it comes to
mitigating attacks like reconnaissance attacks. You know what's funny about these reconnaissance
attacks. They'll often use tools that are indeed
network management tools. Here is Zenmap.
Zenmap is a graphical user interface version of Nmap.
And Nmap is often used to carry out these reconnaissance attacks.
And this is a tool that's used to do network management.
Here I put in the target of my 192.168.10 network, and I said
I wanted it to do a Quick scan plus. Notice there are many different types of scans
we could have done, including the Intense scan.
But so that I could get these results quickly for us, I did
a Quick scan plus. This is pretty scary, all of the information
I'm getting here about this network.
There's my home router showing me what ports are
open on that router. If I scroll down, uh-oh, here's my ANTHONY-PC,
and here are the ports that are open on that particular
PC. So we're getting a look at all of this information.
Here's my Apple TV. Oh boy, please don't hack into my Apple TV.
What would I do without my Netflix? So anyways, you get the idea.
These tools for performing reconnaissance are readily
available now, very powerful, and we often use them to do
forces of good, things like network management. Now we said that reconnaissance attacks are
often step one. Well, step one, what in the world is step
two? Oftentimes this will be access type of attacks.
You know what attacks fall in this category? Attacks against username and password combinations--
the attacker, they'll know your network and know what's
in your network and know what holes there are based on
reconnaissance. Then they'll go after username and password
information. Why do they do this?
Because they want to get that information to escalate their
privileges. They escalate their privileges on the network,
and then they access information that can either cause you
great harm or embarrassment or will give them financial
gain. A great piece of information, of course, is hijacked
credit card information from your customers.
And then they go out and make small purchases with all those
credit card numbers, and they gain some financial benefit
from doing that. In username and password attack categories,
we have things like brute force attacks where, literally,
they're just going to have applications that guess again
and again and again and again, rapidly, amazingly quick, and
they will attack your passwords. Related to this is dictionary attacks.
Sure, the brute force attack will use a dictionary to fire
password guesses at your particular username and
password combination. This is why we preach never, ever, ever allow
your engineers to set a password like Cisco.
I mean, I would guess that right out of the gate because
this is often a default password utilized by Cisco.
Another one would be admin. These are horrible passwords because they
would be guessed by a brute force attack in literally milliseconds.
Now something else that really is troubling in today's
environment with access attacks is social engineering.
And you might think, oh, I've heard about this.
It would never happen to me. This would be like phishing.
That's a great example of a social engineering type of an
attack, where they come up with a web page that looks
like the web page of a legitimate organization, only
it's an illegitimate version of the page. Another great example of social engineering
is literally someone calling in to your employees
pretending to be someone in the IT department, asking
them for username and password information.
Believe it or not, these social engineering attacks are
indeed accounting for a majority of the issues that we
face today. I mentioned The Wall Street Journal.
There was just a big Wall Street Journal article about
an attack against United States government organizations.
How did it all start out? You guessed it--
the whole problem that we saw in this massive attack against
these government organizations all started out with simple
social engineering attacks. So we want to be aware of attacks like this
so that we can educate our users against such attacks,
really get them to help us mitigate things like username and
password types of attacks and social engineering attacks.
But what category of attack probably keeps most network
engineers up late at night? What is it that they most likely fear most
these days? It's availability attacks, specifically
denial of service attacks.
Think about how relatively easy this is to do.
So there's some key router in your organization. And sure enough, this key router is going
to have a key interface or link.
Think about how easy it would be to flood that interface
with garbage traffic. That in itself is the simplest example I could
give you of a denial of service attack.
We just make this coordinated effort to flood some key
interface with big packets. Maybe we just start firing video traffic at
this particular interface to cause congestion problems.
Denial of service attacks are simple like this, just
flooding an interface with bogus traffic, to very, very
sophisticated. But it all adds up to a nightmare
for a network engineer. These can be very, very difficult to track
down, difficult to guard against, and they're obviously
pretty easy to implement.
Now if that didn't give you a bad case of heartburn, how
about this? The distributed denial of service attack.
And there have been some really famous ones,
like the SQL Slammer worm from years ago that literally
brought down entire countries worth of the public
internet. With distributed denial of service attacks,
what the attacker does is they launch an attack
that takes over machines. These machines become what we call zombies.
And they'll go ahead and carry out the attack on behalf of
the original attacker. And this situation typically multiplies exponentially.
And we end up with just amazing numbers of zombies
systems carrying out the attack. This is what happened in the famous SQL Slammer
attack. This thing, by about 15 minutes into it, the
number of infected machines had reached the tens of
thousands, and it was wreaking havoc on the public internet.
So distributed denial of service attacks, they'll
definitely keep you up at night. So reconnaissance attacks, access attacks,
availability attacks-- we need solutions.
And that's really what we're going to be discussing for the
majority of the remainder of this Nugget. So at this point, I know what you're thinking.
Anthony, you're insane. How could you possibly say that this is one
of your favorite topics?
You're about to have nightmares. You're about to be up all night worrying about
reconnaissance attacks and access attacks and the very
easy to carry out and devastating denial of service attacks.
Well, good news. From here forward, we're going to focus on
designing solutions to all these various big problems.
And the first thing I want you to think about is something
that we have talked about again and again in this Nugget series.
It's the business needs of the organization. The exact security solutions that you're going
to design and propose, it's all going to come down to
making sure the organization fulfills its business need,
its business goals. We're not going to implement security solutions
just for the sake of implementing them.
Something else that we're going to do is we are going to
perform a thorough risk analysis for the organization. We're going to find out that not all areas
of the organization's network experience the
same level of risk. There's going to be some parts of the network
that have high risk, some parts of the network that have
low risk, just like there's going to be assets of high
value and low value to the company.
So we really need to do a thorough risk analysis. And you're going to help the company design
its security policy. This is a written document.
And the document is given to internal individuals or at
least portions of it are, and the document or portions of it
might be given to external individuals like consultants.
You're going to help the organization design best
practices-- that's right.
And best practices, literally, specific best practices, some
of them I'll be spelling out for you, just to give you a
good sense for what they might look like later on in this Nugget.
And then we're going to really help them to design their
security operations. And guess what?
This is a lot like a network's life cycle itself.
It's going to be constantly evolving. You see, what you teach them to do is implement
security best practices, and then you teach them to
carefully monitor security in the organization.
You'll also teach them to test themselves the security.
And then, sure enough, they end up making improvements,
and this thing starts all over again. So we secure.
We monitor. We test.
We improve, and we go through that cycle, rinse and repeat.
We keep testing and improving upon the security of the
organization, so that organization ensures they
achieve their business goals. So Cisco came up with a real clever acronym,
as I alluded to earlier in this Nugget.
And it's that Secure Architecture For the Enterprise.
The whole concept behind Cisco SAFE is really a concept of
layered defenses. In fact, the example that Cisco themselves
will often give is a castle.
We know the castle will have defenses. In fact, it's pretty funny.
There's so many computer games now for the iPad, the iPod,
the Android device, where you build some kind of a castle
and then defend it. We know there would be those, what are they
called? Turrets, I guess--
I don't know. I know very little about this, obviously.
But there were these tall columns at the corners of the
castle, and they would put archers up there. And then they would have individuals along
the top of the walls that would dump burning oil down.
And then what would surround the particular castle?
Well, there would be water in the form of a moat.
And of course, there would be crocodiles in the water.
Boy, what an artist I am. So anyways, it was a layered defense
approach for the castle. Sure it was.
And that's exactly what we seek to do with Cisco's SAFE.
Let me give you an example here of the first layer of
defenses we can have in our network architecture. The first layer of defenses--
the network platforms themselves. We know Cisco is in the business now of selling
integrated service routers. What's one of the services that these routers
provide? Security services.
Let me just, off the top of my head-- honestly, I didn't plan on doing this.
I really didn't in this Nugget--
I'm going to go ahead and list some of the security features
that we're going to find integrated into one of these
integrated service routers. We don't have to use all these, of course,
but let me just tell you the stuff that a modern Cisco
router can do. Right off the top of my head I'm going to
do this. We can do something called IOS-based firewall.
We can do an IOS firewall feature. It makes the device work a lot like an
adaptive security appliance. If that's not fancy enough, you can do a zone-based
firewall with the device. You can do unicast reverse path forwarding
to help guard against things like spoofing attacks.
There are three huge security features right off the top of
my head that these modern Cisco routers can implement.
Of course, we know there's all kinds of access control lists
that these things can implement. It's just amazing how many really in-depth,
sophisticated security solutions now exist inside our devices.
And the same thing happens when we look at our Catalyst switches.
Our Catalyst switches have built-in features like DHCP snooping--
the ability to ensure that all the DHCP traffic in our
environment is legitimate-- IP Source Guard to guard against spoofing.
We have dynamic ARP inspection to guard against
MAC address spoofing. We have port security.
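As an added example that is not from the video, here is what several of the router and switch features just listed look like in IOS configuration: a zone-based firewall and Unicast RPF on an integrated services router, and DHCP snooping, dynamic ARP inspection, IP Source Guard and port security on a Catalyst access switch. The interface names, the 10.10.0.0/24 LAN, the 203.0.113.2/30 uplink and VLAN 10 are assumptions, and exact keywords vary by platform and IOS release, so check them against the running version.

```cisco
! ===== Integrated services router: data-plane protections =====
! Zone-based firewall. Only inside-initiated web, DNS and ICMP are
! inspected (stateful, so return traffic is allowed); everything
! else crossing the zone pair is dropped and logged.
class-map type inspect match-any INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
policy-map type inspect INSIDE-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE-POLICY
! No OUTSIDE-to-INSIDE zone pair exists, so unsolicited inbound
! traffic between the zones is dropped by default.
!
! Drop private (RFC 1918) sources arriving from the Internet; a
! real deployment would carry the full bogon list here.
ip access-list extended BOGON-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 permit ip any any
!
interface GigabitEthernet0/0
 description LAN (assumed 10.10.0.0/24)
 ip address 10.10.0.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet uplink (assumed 203.0.113.2/30)
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
 ip access-group BOGON-IN in
! Unicast RPF, strict mode: drop packets whose source address is
! not routed back out this same interface. Use "reachable-via any"
! (loose mode) instead if routing toward the uplink is asymmetric.
 ip verify unicast source reachable-via rx
!
! ===== Catalyst access switch: Layer 2 protections for VLAN 10 =====
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
! DAI validates ARP replies against the DHCP snooping binding table,
! which is what stops a host from claiming the gateway's MAC.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet1/0/24
 description uplink toward distribution layer and DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet1/0/1 - 23
 description user ports (untrusted)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
! Rate-limit DHCP from clients so a rogue host cannot exhaust the pool
 ip dhcp snooping limit rate 10
! IP Source Guard: forward only packets whose source IP is in the
! binding table for this port
 ip verify source
! Port security: one learned MAC per port, learned and saved ("sticky")
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
```

To confirm the switch side is doing something, check `show ip dhcp snooping binding` after a client leases an address and `show ip arp inspection statistics vlan 10` for dropped ARP packets; on the router, `show policy-map type inspect zone-pair IN-TO-OUT` shows the sessions the firewall is tracking.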
A lot of times what you're going to find when you're
designing network infrastructures for a company is that they didn't realize, when it comes
to security, that their existing equipment could do so
much. That's right, a lot of times when we're doing
the design, we give them great news, that they don't have
to make this additional massive investment in security
infrastructure equipment, because they already have the capabilities
they need in their devices. And of course, the ultimate device when it
comes to security and the network platform is Cisco's
Adaptive Security Appliance.
We're going to be taking a more detailed look at the
Adaptive Security Appliance here a bit later on in this Nugget.
But this is the premier Cisco security device, so much so
that it put a couple of other devices out of business.
It put the old firewall, called the PIX from Cisco, out
of business. It put VPN Concentrators out of business.
It can do what they do, and that's give high volumes of
VPN connections to the organization. And it's, in some environments, putting IPS
out of work because the Adaptive Security Appliance
can do intrusion prevention system.
And if that wasn't enough, how about virus protection?
The Adaptive Security Appliance can even do that.
So it is an amazing device for securing the network
infrastructure. Something else Cisco does to really make sure
we have a good, strong layered defense is they design
components. They design software around what's called
the Security Control Framework.
This says, we need to be able to intelligently identify
security issues. We need to stick around and constantly monitor
for these. We need to be able to correlate events in
our network to be able to tell that we're under
attack. We need to be able to easily harden our equipment.
We need to be able to isolate infected machines easily.
And finally, we need to be able to enforce the overall
security policy of the organization. These six principles Cisco really seeks to
bring about through devices that they create and software
that runs these devices or runs on the devices.
Let me give you a quick example. We know that Intrusion Prevention Systems
from Cisco Systems are amazing for identifying particular
attacks and for monitoring the network.
As a matter of fact, these devices can even look at
things that are happening in the network and correlate that
to give you an alert that there is an attack. This is called profile-based intrusion prevention.
And the intrusion prevention is literally educated about
what's normal in your network environment. And if it sees something go out of that profile,
it will alert you that it could be some kind
of a security attack. When it comes to hardening your devices, Cisco
gives us something called Auto Secure that we can run
at the command line, that will automatically take a bunch
of steps to ensure that your network device is secured.
One such step would be to disable any services that
might be running on the device that aren't really needed.
So Cisco is constantly thinking about this security
control framework and implementing it in the hardware and software services that they sell
to us. Now another huge, huge layer of security design
that Cisco really helps us with is this whole concept
of trust and identity management.
How do we manage users? How do we provision user accounts
across all of our devices? How do we identify users of the network infrastructure?
Cisco gives us many, many tools in this regard, including an architecture called AAA.
No, this isn't the Automobile Association of America.
No, this is Authentication, Authorization, and Accounting services.
Cisco gives us products that are going to subscribe to this
security model and give us real robust ways in which to
identify users through authentication, to authorize these users to do certain things on the network,
and then to keep track of what these
particular users are doing. Cisco devices can subscribe to what are called
identity-based networking services.
In fact, Cisco adheres to 802.1X standards in their products.
What 802.1X allows you to do is have a user that wants to
get onto your network hit a Cisco device-- maybe this is a Cisco access point, a Cisco
switch-- and then have that device check with a AAA
server. Cisco's AAA server products are the Access
Control Server or ACS and another device we'll be talking
more about a little bit called ISE, the Identity Service
Engine. So notice, the user wants to get on the network.
They hit a Cisco device. The Cisco device works with a AAA server,
thanks to 802.1X, in order to find out who that person is and
let them in. Something else that Cisco does is called NAC.
This is Network Admission Control. And once again, the user wants to get on your
network. A device that supports NAC--
and many of Cisco's devices do support NAC-- will literally query that person.
In fact, NAC can do something that is so cool. It can do what's called posture assessment.
And what posture assessment is all about is not just finding
out who this username is, who this user account is, but also
finding out things like what operating system are they running?
What patch level for that operating system are they running?
Are they running the appropriate anti-virus software?
So yes, it will literally assess the makeup of that
system and make sure it meets your network security
standards before it's permitted on the network. So trust and identity management--
a huge layer of this layered defense that Cisco can help us design.
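The 802.1X flow described above, as an added configuration example that is not from the video or from Cisco's own documentation: a Catalyst access port acts as the authenticator and hands the user's credentials to a RADIUS server such as ISE or ACS at an assumed address of 10.1.1.20. Posture assessment is decided on the server side and is not shown here; what the switch contributes is enforcement of the server's answer, including honoring a later Change of Authorization when the posture result changes. Interface names and the shared secret placeholder are assumptions.

```cisco
! ===== Catalyst switch as 802.1X authenticator, ISE/ACS as RADIUS =====
aaa new-model
! Authentication of the supplicant, per-session authorization (the
! server can return a VLAN or downloadable ACL) and accounting all
! go to the RADIUS server group.
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PRIMARY
 address ipv4 10.1.1.20 auth-port 1812 acct-port 1813
 key REPLACE-WITH-LONG-RANDOM-SHARED-SECRET
!
! Allow the server to send RADIUS Change-of-Authorization (RFC 5176),
! which is how a NAC/posture decision made after login is pushed
! back down to the port (e.g. quarantine VLAN, then full access).
aaa server radius dynamic-author
 client 10.1.1.20 server-key REPLACE-WITH-LONG-RANDOM-SHARED-SECRET
!
! Turn 802.1X on globally; ports stay open until configured below.
dot1x system-auth-control
!
interface GigabitEthernet1/0/5
 description user access port
 switchport mode access
 switchport access vlan 10
! "auto" = port is closed until the session is authorized
 authentication port-control auto
 authentication host-mode single-host
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10
! Devices with no supplicant (printers, phones) fall back to MAC
! Authentication Bypass against the same server, still logged and
! still subject to authorization.
 mab
 authentication order dot1x mab
 authentication priority dot1x mab
```

After a client connects, `show authentication sessions interface GigabitEthernet1/0/5` shows whether the session was authorized by dot1x or mab and which VLAN or ACL the server returned; `show dot1x all` confirms the global and per-port state.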
And this is obviously a critical component in securing
the network. But you know what?
It all starts with designing the physical security of the
organization that you're working with. We did this in Cisco's order of design, but
you could argue that this should be the very first thing.
We should have talked about this much earlier in the Nugget.
But listen, no matter where, what step of this process you
design the organization's physical security, we've just
got to know that this is absolutely imperative. You could have all the sophisticated software
defenses and services in place that you could imagine
perfectly configured. If someone can get to the network equipment
physically, well, they can destroy it.
Think about the environmental things that they could do.
They could kill the power to the device. They could cause it to be too warm or too
cold too humid in the area where this equipment is kept.
And they could cause damage to it. Something else that Cisco puts in the area
of threat defense design is their IronPort equipment.
They have security devices called IronPort. There is an IronPort email security
device that's very popular. It's called an Email Security Appliance.
And there is a Web IronPort Security Appliance. What is cool and exciting about IronPort is
the fact that it uses a global database for protecting
your web surfing and your email surfing.
So email is coming in to your organization. The IronPort device says, let me look in this
email. And of course, it's respecting the privacy
of the communications and stuff like that.
It's just looking at it from a security perspective. And then it goes, and it checks a database
of everything that is suspect with email, either
contents that are proven to be a virus or a worm and
also who's sending it.
There's a database of individuals that are blacklisted because they're computer criminals.
It's the same with web traffic. The IronPort device will analyze the web traffic
and check it against a known database of potential
issues-- phishing sites and other classic issues that
we run into when we're web surfing.
Now we talked about it in our Nugget on remote access.
We talked about how everyone these days wants to VPN.
People want to work from anywhere, anytime. They want to do it securely.
They want to access the corporate resources. So VPNs are more popular than ever, and
Cisco responds with an amazing list of VPN alternatives.
The first that I want to bring up is IPsec. This is the most popular site to site VPN
approach, and Cisco recognizes this.
This is why IPsec is supported on routers. Many of the multilayer switches can do it,
of course. The firewall product, the Adaptive Security
Appliance can do it. And IPsec is mandatory now in an IPv6 implementation.
So if your device supports IPv6, guess what? It supports IPsec because that is a mandatory
component in IPv6. Cisco invented a solution called the
Dynamic Multipoint VPN. This is for an environment where you have,
let's say, headquarters and a bunch of branch offices.
So you've got these branch offices, and they want to be
able to dynamically VPN with each other and dynamically VPN
with headquarters. And the Dynamic Multipoint VPN technology
accommodates that. You want even more dynamic in your VPN implementation?
Well, Cisco invented the GET VPN solution. With GET VPN, you literally can have a full
mesh of on-demand VPN connections between your devices
and it even supports the multicast traffic in your
environment. They invented Easy VPN.
What Easy VPN is all about is setting up your, let's say,
headquarters device, so it can very easily accommodate a wide
variety of incoming VPN connections. You might have someone coming in with what's
called a clientless browser-based VPN.
We'll talk about that in just a moment. It's called a Secure Socket Layer VPN.
You might have someone coming in with IPsec. You might have someone coming in with a software
client like the AnyConnect client from Cisco Systems.
And the headquarters router dynamically accommodates all
these VPN requests and can even enforce policies like
time of day restrictions and things like that thanks to
this Easy VPN configuration. Easy VPN is the most ironic term in all of
Cisco networking because this is actually pretty
darn difficult for us to set up.
Easy is for the end user. Easy is not for us as an administrator.
So one of the types of VPNs that they support is an SSL VPN.
I just mentioned it down here. And this is a nice alternative where the user
has just a web browser, and that's all they need to do basic
VPN data acquisition from headquarters.
In fact, if they get frustrated because their web
browser can't get to all of the corporate resources they
want, there's even a client-based SSL VPN. Now this is pretty funny because you're doing
away with the whole beauty of it, and that is you didn't
need any client software other than a web browser.
But again, the idea is let's add some software on the
client, so they can get to more resources. Cisco's latest software for making VPN connections,
full fledged VPN connections, is called the
AnyConnect Software Client. This is the replacement technology for the
old VPN Client software from Cisco.
Cisco is ditching this concept of the VPN Client software,
and they renamed it the AnyConnect Client, just to
really emphasize its flexibility when it comes to
making a wide variety of different technology-based VPN solutions.
Now I know what you're thinking. You're thinking this is amazingly complicated.
We are talking about a lot of different Cisco products that
fit into this SAFE architecture. There's lots of layers here of security that
we're going to be responsible for.
That's the whole idea behind it. Well the good news is Cisco does make
products to help you. One of my favorites is called the CSM.
This is the Cisco Security Manager. What it allows you to do is design a particular
policy and then push that policy out to a wide variety
of devices, like Cisco routers, Cisco switches, Cisco firewalls.
There's my drawing of a firewall. Isn't that great?
So we design policy once, and then we push that out to all
of the different Cisco devices. As you might guess, that really helps you
design a consistency to the security policy.
We have an Access Control List that blocks certain known,
problematic IP addresses. And that consistently gets applied to all
of your different devices thanks to the Cisco Security
Manager. I had the privilege of teaching the very first
CSM course for the very first CSM version.
It was some e-learning that I had the privilege to develop
for Cisco Systems. It's a great product.
And it's come a long way since version one that I did the
training for. A product that Cisco unfortunately gave up
on, because I really thought it was pretty cool,
is MARS, the Monitoring and Analysis and Response System.
This product is end of sale. And of course, soon it will go end of life,
and Cisco will no longer support it.
What MARS does is it takes all of the messaging coming from
all of your different Cisco devices, it takes all of the
syslog messages, it takes all of logging, anything at all--
any traps, SNMP traps, that are set up-- it just consumes
all of the information that devices have the ability to
convey in your network. And then it correlates them to present to
you any-- any suspect whatsoever of an attack, the MARS
system tells you, look, I think we're under attack.
And it shows you what devices are involved, and it will even
make suggestions for rectifying the particular problem.
What's strange is that Cisco is killing off MARS, as I
indicated to you. And I have been asking them year after year
what the replacement technology will be.
And they don't know yet. So it's interesting.
There is plenty of third-party people that do
this kind of a product. So I guess this is just one of those areas
where Cisco is leaving it to third parties.
Obviously-- I mentioned it earlier-- the Access Control
System helps you manage security in your environment.
And so does a new product called the Identity Service Engine.
Remember, these products surround the concept of AAA
and Network Admission Control. Both of the products do these things to try
and control who is using your network and what they are able
to do in your network infrastructure.
Now earlier we said that we certainly had to help our
clients design security best practices. And I promised you that we'd cover some,
and I keep my promises. Let's do that right now.
One of the things that amazes me is how many organizations
out there are still using Telnet. You absolutely have to stop them from using
Telnet in their production networks and replace
that with Secure Shell. Remember, Telnet as a Remote Access Protocol
is going to transmit its information in clear text.
Whenever we see the words clear text, we know this is a
no-no from a security perspective. So let's get that replaced with Secure Shell.
If they're absolutely forced into Telnet, you're going to
need them to do the Telnet over a secured tunnel.
So have them Telnet over a VPN. That's a lot of work.
SSH is just a better idea. Make sure they adopt a AAA-type approach to
identity management.
The worst thing they could do is try and do identity management on a device-by-device basis.

Make sure they are practicing good syslogging techniques. Take the system messages from their Cisco devices, and send them to a syslog server that can go ahead and alert them when there are critical events transpiring on the network.

Make sure they are moving to a Simple Network Management Protocol version 3 environment. Why version 3? Well, as we've covered in this Nugget series, it's going to include security.

Have them disable any unused services. So if they're not using the particular services that exist on a particular device, have them disable them. A great example of this is HTTP. You see so many Cisco devices with the built-in web server turned on unnecessarily. They're not using it for anything.

How about replacing FTP in their organization with Secure FTP? That goes along with the idea of replacing Telnet with Secure Shell.
When it comes to the virtual terminal lines that we're going to use for SSH, let's lock those down with Access Control Lists. That capability exists. We should take advantage of it.

Engage in authentication at the control plane whenever possible. So if you're running OSPF in your environment, make sure these devices authenticate each other. If you're running EIGRP, make sure they authenticate each other.

And finally, something that can help you with several of these-- and I mentioned it earlier-- take advantage of Cisco's AutoSecure capability. That's what it's called at the command line. The web-based version of that is One-Step Lockdown. With One-Step Lockdown, we can go ahead and use a graphical user interface, Cisco Configuration Professional, in order to lock down the system and disable a lot of unused services and help you put in good, strong passwords.

So we know we want to wrap this particular Nugget up with just a discussion of some of the main Cisco products that we're going to be helping a customer select and then design and implement.
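Before we get to the products, here is the best-practice list above turned into something you can run against a customer's running-config: SSH-only vty lines with an access-class, SSH version 2, AAA, a syslog host, the HTTP server off, SNMPv3 with no leftover community strings, routing-protocol authentication, and an enable secret. This is an added example written for this page, not code from CBT Nuggets, Cisco, AutoSecure or One-Step Lockdown. Both configs are constructed samples, the check names are my own, and the secret and key values marked PLACEHOLDER are not real.

```python
"""Audit a Cisco IOS running-config against the best practices above.

Added example (not CBT Nuggets, Cisco, AutoSecure or One-Step Lockdown code).
Both configs are constructed samples; check names and the secret/key values
marked PLACEHOLDER are my own.
"""
import re

# Constructed "before" config: Telnet open, SNMPv2c, web server on, no AAA,
# no syslog, unauthenticated OSPF.
WEAK_CONFIG = """\
hostname branch-rtr
!
enable password cisco123
!
snmp-server community public RO
ip http server
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
"""

# Constructed "after" config applying the practices from the Nugget.
HARDENED_CONFIG = """\
hostname branch-rtr
!
service password-encryption
enable secret 5 $1$PLACEHOLDER$hashvaluegoeshere
aaa new-model
ip domain-name example.net
ip ssh version 2
logging host 192.0.2.10
no ip http server
no ip http secure-server
snmp-server group NETMON v3 priv
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
interface GigabitEthernet0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLACEHOLDER-KEY
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
"""

def vty_blocks(config):
    """Return the indented command lists of every 'line vty' section."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = []
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current.append(raw.strip())
        else:
            current = None          # "!" or any top-level command ends the section
    return blocks

def audit(config):
    """Return {check_name: passed} for one running-config string."""
    lines = [l.strip() for l in config.splitlines()]
    def has(pattern):
        return any(re.match(pattern, l) for l in lines)
    vtys = vty_blocks(config)
    return {
        # Telnet off: exactly "transport input ssh" on every vty block
        "vty_ssh_only": bool(vtys) and all("transport input ssh" in b for b in vtys),
        # an ACL bound to every vty block
        "vty_access_class": bool(vtys) and all(any(c.startswith("access-class ") for c in b) for b in vtys),
        "ssh_v2": has(r"ip ssh version 2$"),
        "aaa": has(r"aaa new-model$"),
        "syslog_host": has(r"logging host \S+"),
        # IOS shows "no ip http server" when disabled, so flag only the bare command
        "http_server_disabled": not has(r"ip http server$"),
        "https_server_disabled": not has(r"ip http secure-server$"),
        # SNMPv3 with privacy, and no v1/v2c community strings left behind
        "snmp_v3_only": has(r"snmp-server group \S+ v3 priv") and not has(r"snmp-server community "),
        # control-plane authentication for OSPF (interface or area) or EIGRP
        "routing_auth": (has(r"ip ospf authentication message-digest")
                         or has(r"area \d+ authentication message-digest")
                         or has(r"ip authentication mode eigrp \d+ md5")),
        "enable_secret": has(r"enable secret "),
        "password_encryption": has(r"service password-encryption$"),
    }

def failed_checks(config):
    """Sorted names of the checks a config fails; empty list means clean."""
    return sorted(name for name, ok in audit(config).items() if not ok)

if __name__ == "__main__":
    print("weak config fails:", failed_checks(WEAK_CONFIG))
    print("hardened config fails:", failed_checks(HARDENED_CONFIG))
```

The weak config fails every check except the HTTPS one (it simply never enabled the secure server), while the hardened config passes all of them. Note the Telnet check: "transport input telnet ssh" still fails, because allowing both protocols is exactly the clear-text exposure the Nugget warns about.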
The Internetwork Operating System is really something you want to emphasize, as I did for you in this particular CBT Nugget. We know this is the operating system that we have in our Integrated Services Routers and our Catalyst switches. I gave you examples of all of the amazing security capabilities that are in these particular devices. In fact, let me show you quickly Cisco's Feature Navigator, so I can make sure that you know how you can ensure that a feature that a customer wants is indeed supported in their particular version of hardware and software.
An easy way to get to the Feature Navigator-- this is so cool, so easy to remember-- you go to cisco.com/go/fn. That's it. You don't have to worry about some big URL that you'll eventually get to. Just go to cisco.com/go/fn for Feature Navigator. And you will be here at the Feature Navigator.

Once you go in, you can research particular features. So you could go, and you could say, I'm interested in the zone-based firewall. So you'll go in, and you'll do a search for zone-based firewall for this particular feature. Here's zone-based policy firewall. And we can add that to our list of features that we are interested in having, and then we can find all of the various operating systems that are going to support that particular feature.

That's just one way to use the Feature Navigator though. If you have a particular software image, we can go in and figure out the features that are supported in our particular software that we already have. We can compare two different software releases. We can even use the Feature Navigator to figure out what images are now end of life. So this Cisco Feature Navigator is going to be very important to us, not only when we're designing the security solution but designing other solutions as well, like what network management features do we have available for us in a particular code release?

Now the other huge product, obviously, we've alluded to quite a bit is the Adaptive Security Appliance. And there are many, many models of Adaptive Security Appliance. There is the small device designed for a small office environment. And then there is the huge adaptive security product that would be appropriate for data centers. Let's visit cisco.com once again and see the variety that we have in these different models of Adaptive Security Appliance.
So here we are at cisco.com. And I'm going to go to the top menu, and I'm going to say Products and Services. And I'm going to grab the link for Security Products. Here in Security, notice they're going to base it around the area of the network. So for instance, securing the data center is going to be separated from securing the edge and branch. Guess what? From what I've already told you, you know that Adaptive Security Appliances would be in just about all of these categories. For instance, if I'm interested in securing the edge and the branch, I'm going to have the 5500-series Next Generation Firewalls. These are Adaptive Security Appliances. They might not be as robust as the ASAs for securing the data center, but once again, they are Adaptive Security Appliances nonetheless.

So notice at the very bottom-- I always shoot to the very bottom of these pages-- here's what I care about. Here's all kinds of data sheets. Here's all kinds of at-a-glance descriptions and case study information about these particular devices. Here's a 5585-X Adaptive Security Appliance. And of course, we can go to that link, get more information about it. One of the amazing things that we see with this particular device is it supports 40 gigabits per second of firewall throughput. So if you're worried about your firewall in your network infrastructure being your bottleneck, that worry starts to go out the window when you look at some of these higher-end ASAs.

Now the other category of product that's very important is Cisco's Intrusion Prevention Systems. What's really interesting about intrusion prevention is that there are indeed standalone appliances that do it. So you can get a box that rack mounts with your firewalls and your routers and your switches, and it's an IPS appliance. You can do it in an appliance from Cisco. But what's really interesting about intrusion prevention is the fact that you can also do it inside your ASA with a special module you can insert in the ASA, or you can do it inside your IOS. There is the IPS capability inside the Internetwork Operating System-- so lots of options from Cisco in the area of intrusion prevention.

And guess what? For your higher-end Catalyst switches, there are indeed security modules that you can insert. There is a firewall module you could insert. There's an IPS module that you could insert. So for something like a Catalyst 6500-series switch, you can basically stick an ASA inside it. You can basically stick an IPS appliance inside it, thanks to modules that give you those capabilities that you can insert inside those higher-end Catalyst switches.

Finally, the last area that you will end up helping your client select from is a wide variety of endpoint security solutions from Cisco Systems. Cisco is starting to get into the software business pretty heavily, and part of that software business they're getting into is Intrusion Prevention Systems, intrusion prevention software that runs on the PC. So not only do we have intrusion prevention running on the network devices, we now have it on the PC. By the way, this gets a special name. And it's HIPS. What a cool name. This is Host-based Intrusion Prevention. And a lot of people say, well, does that replace my need for network-based? No, because remember, you want to build a layered defense. If the attacker gets through your network solution, then they have to get through your host-based solution. And that's a real nice layered approach to what we call defense in depth. This is all by Cisco's design, to have many, many layers of security as we discussed in this important Nugget.
In this super important CBT Nugget, we took a look at the fundamentals behind designing network security solutions, and you can't really discuss the fundamentals of this subject without giving some examples of what we fear today. One of those things we fear today, we saw, was the dreaded distributed denial of service attack. And I think that was an alliteration, wasn't it? Yes, the repeating of the D word-- dreaded distributed denial of service, and that was just one of the many attacks we saw that can dramatically impact an organization's desire to hit its goals.

We talked about a lot of different security processes in this Nugget that make sense for organizations, things like designing best practices and designing physical security solutions and designing an overall life cycle of securing and monitoring and testing and improving. We took a look at SAFE, the Security Architecture for Enterprise from Cisco. And we saw how it was a layered defense strategy that would really try and achieve the lofty goal of keeping organizations safe from many different types of attacks. And we wrapped it all up by taking a look at the major product categories from Cisco Systems. And we learned something pretty exciting, that there are a lot of security features right inside the IOS that we might be able to take advantage of.

Well, I hope this has been informative for you, and I'd like to thank you for viewing.