Personal security notes: points I keep forgetting

To help you face the complexities of managing a modern network, this chapter discusses the core principles of security: the CIA triad of confidentiality, integrity, and availability.


Step 1. Develop a security policy.

Step 2. Make the network secure.

Step 3. Monitor and respond.

Step 4. Test.

Step 5. Manage and improve.

User accounts can be managed on the local sensor because there is no support for AAA servers on the sensor appliance. Each user is associated with a role that controls what that user can and cannot modify. There are four basic user roles:

Administrator

Operator

Viewer

Service

Port-based traffic control features can be used to provide protection at the port level. Catalyst switches offer Storm Control, Protected Ports, Private Virtual Local Area Network (PVLAN), Port Blocking, and Port Security features.

There are three types of PVLAN ports: promiscuous, isolated, and community.

In summary, a Private VLAN contains three elements: the Private VLAN itself, the secondary VLANs (known as the community VLAN and isolated VLAN), and the promiscuous port.

Port Security has three security violation modes: protect, restrict, and shutdown.
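To make the three violation modes concrete, here is a small model of a port-security port, written as an added example (not code from the original notes or from Cisco): protect drops the offending frame silently, restrict drops it and increments the violation counter, and shutdown drops it and err-disables the port. The MAC addresses and the limit of one secure address are constructed for the demonstration.

```python
class SecurePort:
    """Minimal model of a switch port running port security (added example)."""

    def __init__(self, max_macs, violation_mode):
        if violation_mode not in ("protect", "restrict", "shutdown"):
            raise ValueError("unknown violation mode")
        self.max_macs = max_macs
        self.mode = violation_mode
        self.secure_macs = set()   # dynamically learned secure addresses
        self.violations = 0        # counter that restrict/shutdown report
        self.err_disabled = False  # set once a shutdown-mode port trips

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for an ingress frame from src_mac."""
        if self.err_disabled:
            return "drop"                  # err-disabled port passes nothing
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.max_macs:
            self.secure_macs.add(src_mac)  # room left: learn it as secure
            return "forward"
        # Limit reached and src_mac is not a secure address: a violation.
        if self.mode == "protect":
            return "drop"                  # silent drop: no counter, no log
        self.violations += 1               # restrict and shutdown both count
        if self.mode == "shutdown":
            self.err_disabled = True       # stays down until recovered
        return "drop"


def run_modes():
    """Feed the same constructed frames to one port per mode; return outcomes."""
    frames = ["aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01"]
    results = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(max_macs=1, violation_mode=mode)
        results[mode] = ([port.receive(m) for m in frames],
                         port.violations, port.err_disabled)
    return results
```

The third frame shows the operational difference: the legitimate host keeps working under protect and restrict, but loses connectivity under shutdown until the port is recovered.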

The switch supports the following four types of ACLs for traffic filtering:

Router ACL

Port ACL

VLAN ACL

MAC ACL

Spanning Tree Protocol Features:

Bridge Protocol Data Unit (BPDU) Guard

Root Guard

EtherChannel Guard

Loop Guard

The traffic managed by a device can be divided into three functional components or planes:

Data plane

Management plane

Control plane

Cisco IOS Firewall consists of several major subsystems: an advanced firewall engine for stateful-packet inspection (SPI), Context-Based Access Control (CBAC), Zone-Based Policy Firewall (ZFW), Intrusion Prevention Systems (IPS), Authentication Proxy, Port-to-Application Mapping (PAM), Multi-VRF firewall, Transparent firewall, and several others.

Note that the two configuration models (classical CBAC and the newer ZFW) can be used concurrently on the same router; however, they cannot overlap on the same interface. An interface cannot be configured as a zone member and be configured for ip inspect at the same time.

By default, traffic between the zones is blocked unless an explicit policy dictates the permission.


The Security Appliance supports up to eight redundant interface pairs.

ECMP is not supported across multiple interfaces.

The nat-control command is available in routed firewall mode and in single and multiple security context modes.

The difference between the no nat-control command and the nat 0 (identity NAT) command is that identity NAT requires that traffic be initiated from the higher-level interface. The no nat-control command does not have this requirement, nor does it require a static command to allow communication from the lower-level interface (from Outside to Inside); it relies only on access policies, for example, permitting the traffic in an ACL and having corresponding route entries.

Traffic flow is unidirectional when using the nat/global command, and bidirectional when using the static command.

Although the PIX/ASA OS is similar to the FWSM OS, there are some subtle differences. Many of the differences are enhancements that take advantage of the Catalyst 6500 Series Switch and Cisco 7600 Series Router architecture.

FWSM does not provide *** and IPS functionality. FWSM is a purpose-built firewall device. The following separate purpose-built products are available on the Catalyst 6500 Series Switch and Cisco 7600 Series Router: IPsec *** Service Module (***SM), Web*** Service Module, and Intrusion Detection System Module (IDSM-2).

By default, no traffic can pass through the FWSM to access the network. On PIX and ASA appliance software, traffic flow from higher-level interfaces (Inside) to lower-level interfaces (Outside) will pass unrestricted. However, the FWSM software does not allow any traffic to flow between the interfaces unless explicitly permitted with an ACL. The security level does not provide explicit permission for traffic from a high-security interface to a low-security interface. This applies to all types of FWSM implementation (routed and transparent mode). To control network traffic, access lists are applied to FWSM interfaces. ACLs determine which IP addresses and traffic can pass through the interfaces to access other networks.

Three major types of attacks follow:

Reconnaissance

Access

Denial of Service

There are two major types of SYN-flood attacks:

Nonspoofed source addresses

Spoofed source addresses

Some techniques available to prevent or minimize the impact of SYN flood attacks include the following:

Rate-limiting (CAR).

Context-Based Access Control (CBAC).

TCP Intercept.

On security appliances such as PIX firewalls, static and nat commands provide an option to monitor and control half-open embryonic connections.

And so on.

In summary, the antispoofing implementation is used to:

Deny incoming packets if the source address is allocated to your network.

Deny outbound packets if the source address is not allocated to your network.

Methods to mitigate source address spoofing:

Access List

uRPF

IP Source Guard

The IP Source Guard feature will not prevent a MITM type of attack. Use Dynamic ARP Inspection (DAI) to prevent MITM.
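The two antispoofing rules above and the uRPF check, worked through as an added example (not code from the original notes); the internal prefixes and the two-interface routing table are constructed for the demonstration.

```python
import ipaddress

# Constructed sample data (assumption): the prefixes this site is allocated,
# and a small per-interface routing table for the unicast RPF check.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]
ROUTING_TABLE = {
    "inside": [ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("198.51.100.0/24")],
    "outside": [ipaddress.ip_network("0.0.0.0/0")],   # default route
}


def is_internal(src):
    """True if src falls inside one of the site's own prefixes."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in INTERNAL_PREFIXES)


def antispoof_acl(direction, src):
    """Edge ACL decision for a packet whose source address is src.

    direction is "in" for packets arriving from outside and "out" for
    packets leaving the site. An inbound packet claiming an internal
    source, or an outbound packet claiming a foreign source, is spoofed.
    """
    internal = is_internal(src)
    if direction == "in" and internal:
        return "deny"
    if direction == "out" and not internal:
        return "deny"
    return "permit"


def best_route_interface(src):
    """Longest-prefix match over ROUTING_TABLE; returns the interface or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for iface, nets in ROUTING_TABLE.items():
        for net in nets:
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (iface, net.prefixlen)
    return best[0] if best else None


def urpf_strict(ingress_iface, src):
    """Strict uRPF: permit only if the best route back to src leaves via the
    interface the packet arrived on (drops asymmetric paths too)."""
    return "permit" if best_route_interface(src) == ingress_iface else "deny"
```

The ACL catches a packet from outside that claims an inside address; uRPF catches the same packet without an explicit list, because the best route back to that address points at the inside interface, not the one the packet arrived on.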

NBAR classifies the following three types of protocols:

TCP and UDP protocols that use statically assigned port numbers

TCP and UDP protocols that use dynamically assigned port numbers, requiring stateful inspection

Non-TCP and non-UDP IP protocols such as IPsec (ESP/AH) or ICMP

Most Windows platforms allow a maximum of 128 half-open (embryonic) connections, so when setting the embryonic limit on the static, use a value less than the maximum embryonic limit allowed by the server operating system.

Layer 2 ***: MAC spoofing, MAC flooding, ARP spoofing, Spanning-Tree attacks, and VLAN hopping


RADIUS (Remote Authentication Dial-In User Service)

TACACS+ (Terminal Access Controller Access Control System)


The formula to calculate the RR follows:

RR = ((ASR*TVR*SFR)/10000)+ARR-PD+WLR

IPS Interface Modes:

Promiscuous mode

Inline interface mode

Inline VLAN pair mode

VLAN Group mode

IPS Blocking (Shun)

There are three basic types of blocking:

Host block

Connection block

Network block

The IPS Sensor Software OS Version 6.0 introduces the concept of virtualization, whereby virtual sensors can be created in the Analysis Engine. Version 6.0 supports up to four virtual sensors.

A security policy configuration contains three components:

Signature definition policy

Event action rules policy

Anomaly detection policy

The three AD zones:

Internal zone

Illegal zone

External zone

The AD has the following three modes:

Learn mode

Detect mode

Inactive mode

There are three possible solutions to resolve situations in which the inline IPS device may fail:

Fail-open mechanism

Failover mechanism

Load-balancing mechanism

The Cisco DDoS Anomaly Detection and Mitigation solution consists of two basic deployment components:

Cisco Traffic Anomaly Detector

Cisco Guard DDoS Mitigation
