320 Chapter 7: Security Technologies
Foundation Topics
Advanced Security Concepts
A wealth of security concepts have been covered and now some of the techniques used in areas of your network will be covered that are vulnerable to attacks, in particular, the Demilitarized Zone (DMZ).
The DMZ is defined as an isolated part of the network that is easily accessible to hosts outside of the network, such as the Internet.
Figure 7-1 displays a typical network design where a DMZ is defined with a number of bastion hosts (first line of defense or hosts that can be scarified in case of a network attack or attacks).
Figure 7-1 DMZ Design
Perimeter or |
Bastion Hosts – |
Edge Router |
FTP Server, HTTP Server, |
|
Proxy Servers |
Internet
DMZ
Firewalls 
Private
Network
Figure 7-1 displays a typical perimeter network where the DMZ is separated by a firewall. Firewalls are network devices such as Private Internet Exchange (PIX), which are discussed later in this chapter. Firewalls are designed to protect the internal (or private) parts of a network from the public domain.
Advanced Security Concepts 321
The aim of all firewalls is to accomplish the following:
•Serve as a traffic point—The traffic from inside and outside the network must pass through the traffic point.
•Authorize traffic—Permits only authorized traffic.
•Designed to be immune from penetration—Firewalls are designed to be immune from attacks. Firewalls are still often devices that are attacked by outside hosts.
•Invisibility—Ensures that the private network is invisible to the outside world.
As shown in Figure 7-1, the perimeter router sits between the DMZ and the public domain. Typically, a high performance router or routers will be located here, performing a number of duties including the following:
•Ensuring that access to the Internet Protocol (IP) is restricted using access lists
•Restricting Transmission Control Protocol (TCP) services
•Preventing attacks on firewall systems
•Preventing Denial of Service (DoS) attacks on bastion hosts and the private network
•Permitting only authorized traffic to the bastion hosts
•Logging all network events to external or internal systems
•Performing Address translation (NAT/PAT)
•Running static or dynamic routing protocols; Cisco PIX is limited to RIP and static routing.
NOTE Proxy servers are designed to shield internal devices from outside intruders by replacing the internal hosts’ IP addresses with its own IP address. Most new vendors now allow routers to act as proxy servers. Proxy servers have scalability and speed issues, as all packets must be examined and IP headers modified for packet delivery.
Firewalls and perimeter routers have the additional function of packet filtering. A packet filter is a device that inspects all incoming and outgoing packets based on IP source address, destination IP address, and protocol type, such as TCP or UDP. Based on configurable options, the filter decides whether to reject or allow traffic to pass through the device.
Table 7-1 summarizes the main functions of a perimeter and firewall router.
322 Chapter 7: Security Technologies
Table 7-1 |
Perimeter/Firewall Router Functions |
|
|
|
|
|
Protection Service |
Method |
|
|
|
|
Sniffer or snooping capabilities |
Control eavesdropping with the TCP/IP service and network layer |
|
|
encryption (IPSec). |
|
|
|
|
Control unauthorized access |
Use authentication, authorization, accounting (AAA), and Cisco |
|
|
Secure. Also, access-list filtering and PIX Firewall. |
|
|
|
|
Controlling session replay |
Control what TCP/IP sessions are authorized. |
|
|
Block SNMP, IP source routing, and finger services to outside hosts. |
|
|
|
|
Controlling inbound |
Filter internal address as the source from the outside world. |
|
connections |
Filter all private addresses. |
|
|
|
|
|
Filter Bootp, Trivial File Transfer Protocol (TFTP), and trace route |
|
|
commands. |
|
|
Allow TCP connections established from the inside network. |
|
|
Permit inbound traffic to DMZ only. |
|
|
|
|
Controlling outbound |
Allow only valid IP addresses to the outside world and filter |
|
connections |
remaining illegal addresses. |
|
|
|
|
Packet filtering |
Use predefined access lists that control the transmission of packets |
|
|
from any given interface, controlling Virtual Terminal lines, VTY, |
|
|
and access, and ensuring that routing updates are authenticated. |
|
|
|
Cisco IOS routers can filter TCP or UDP protocol types. Example 7-1 displays the number of TCP services you can filter on a Cisco IOS router using extended access lists.
Example 7-1 TCP Services Filtered on Cisco IOS Routers
R1(config)#access-list 100 permit tcp any any eq ?
<0-65535> |
Port number |
|
bgp |
Border Gateway Protocol (179) |
|
chargen |
Character generator |
(19) |
cmd |
Remote commands (rcmd, 514) |
|
daytime |
Daytime (13) |
|
discard |
Discard (9) |
|
domain |
Domain Name Service |
(53) |
echo |
Echo (7) |
|
exec |
Exec (rsh, 512) |
|
finger |
Finger (79) |
|
ftp |
File Transfer Protocol (21) |
|
ftp-data |
FTP data connections (used infrequently, 20) |
|
gopher |
Gopher (70) |
|
hostname |
NIC hostname server |
(101) |
ident |
Ident Protocol (113) |
|
irc |
Internet Relay Chat |
(194) |
klogin |
Kerberos login (543) |
|
kshell |
Kerberos shell (544) |
|
Advanced Security Concepts 323
Example 7-1 TCP Services Filtered on Cisco IOS Routers (Continued)
login |
Login (rlogin, 513) |
lpd |
Printer service (515) |
nntp |
Network News Transport Protocol (119) |
pim-auto-rp |
PIM Auto-RP (496) |
pop2 |
Post Office Protocol v2 (109) |
pop3 |
Post Office Protocol v3 (110) |
smtp |
Simple Mail Transport Protocol (25) |
sunrpc |
Sun Remote Procedure Call (111) |
syslog |
Syslog (514) |
tacacs |
TAC Access Control System (49) |
talk |
Talk (517) |
telnet |
Telnet (23) |
time |
Time (37) |
uucp |
Unix-to-Unix Copy Program (540) |
whois |
Nicname (43) |
www |
World Wide Web (HTTP, 80) |
|
|
Example 7-2 displays the extended access list when filtering services based on the UDP protocol suite of services.
Example 7-2 UDP Services Filtered on Cisco IOS Routers
R1(config)#access-list 101 permit udp any any eq ?
<0-65535> |
Port number |
biff |
Biff (mail notification, comsat, 512) |
bootpc |
Bootstrap Protocol (BOOTP) client (68) |
bootps |
Bootstrap Protocol (BOOTP) server (67) |
discard |
Discard (9) |
dnsix |
DNSIX security protocol auditing (195) |
domain |
Domain Name Service (DNS, 53) |
echo |
Echo (7) |
isakmp |
Internet Security Association and Key Management Protocol (500) |
mobile-ip |
Mobile IP registration (434) |
nameserver |
IEN116 name service (obsolete, 42) |
netbios-dgm |
NetBios datagram service (138) |
netbios-ns |
NetBios name service (137) |
netbios-ss |
NetBios session service (139) |
ntp |
Network Time Protocol (123) |
pim-auto-rp |
PIM Auto-RP (496) |
rip |
Routing Information Protocol (router, in.routed, 520) |
snmp |
Simple Network Management Protocol (161) |
snmptrap |
SNMP Traps (162) |
sunrpc |
Sun Remote Procedure Call (111) |
syslog |
System Logger (514) |
tacacs |
TAC Access Control System (49) |
talk |
Talk (517) |
tftp |
Trivial File Transfer Protocol (69) |
time |
Time (37) |
who |
Who service (rwho, 513) |
xdmcp |
X Display Manager Control Protocol (177) |
324 Chapter 7: Security Technologies
Examples 7-1 and 7-2 clearly allow a network administrator flexibility when designing perimeter security based on particular port numbers, as defined in RFC 1700.
Network Address Translation and Port Address
Translation
|
NAT is a router function, which allows it to translate the addresses of hosts behind a firewall. |
|
|
This also helps to overcome IP address shortage. It also provides security by hiding the entire |
|
|
network and their real IP addresses. |
|
|
NAT is typically used for internal IP networks that have unregistered (not globally unique) |
|
|
IP addresses. NAT translates these unregistered addresses into legal addresses on the outside |
|
|
(public) network. |
|
|
PAT provides additional address expansion but is less flexible than NAT. With PAT, one IP |
|
|
address can be used for up to 64,000 hosts by mapping several IP port numbers to one IP |
|
|
address. PAT is secure because the inside hosts’ source IP addresses are hidden from the outside |
|
|
world. The perimeter router typically provides the NAT or PAT function. |
|
|
NAT is defined in RFC 1631, www.ietf.org/rfc/rfc1631.txt. Cisco devices started supporting |
|
|
NAT in IOS versions 11.2 and higher. NAT basically provides the capability to retain your |
|
|
network’s original IP addressing scheme while translating that scheme into a valid Internet IP |
|
|
address to ensure that intruders never view your private address. |
|
|
|
|
NOTE |
IOS 12.0 and higher support full NAT functionality in all images. Version 11.2 and higher need |
|
|
“PLUS” image for a NAT feature set. |
|
|
|
|
|
NAT changes the Layer 3 address when the packet is sent out to the Internet. This is a function |
|
|
no other protocol will do (that is, alter the Layer 3 source address). |
|
|
For your review to fully prepare you for the exam, Table 7-2 explains some of the terminology |
|
|
used in a NAT environment. |
|
Table 7-2 |
NAT Terminology |
|
|
|
|
|
Term |
Meaning |
|
|
|
|
Inside local address |
An IP address that is assigned to a host on the internal network; that is, the logi- |
|
|
cal address that is not being advertised to the Internet. A local administrator gen- |
|
|
erally assigns this address. This address is NOT a legitimate Internet address. |
|
|
|
|
Inside global address |
A legitimate registered IP address, as assigned by the InterNIC. |
|
|
|
|
Outside local |
The IP address of a network’s outside host that is being translated as it appears |
|
address |
to the inside network. |
|
|
|
|
Outside global |
The IP address assigned to a host on the outside of the network that is being |
|
address |
translated by the host’s owner. |
|
|
|
Network Address Translation and Port Address Translation 327
For a more specific illustration, configure NAT on Router R1. In Figure 7-2, the NAT pool name is going to be CCIE. (You can use any name you want.) Assume that the InterNIC has assigned you the Class C address of 210.1.1.0/2424.
Your Internet service provider (ISP) has also supplied you the unique address 131.108.1.1/30 to use on your serial connection.
Example 7-3 provides a sample NAT configuration for this setup.
Example 7-3 Sample NAT Configuration on R1
hostname R1
ip nat pool CCIE 210.1.1.1 210.1.1.254 netmask 255.255.255.0 ip nat inside source 1 pool CCIE
interface ethernet0
ip address 10.99.34.1 255.255.255.0 ip nat inside
interface serial 0
ip address 131.108.1.1 255.255.255.252
ip address 210.1.1.1 255.255.255.0 secondary ip nat outside
access-list 1 permit 10.99.34.0 0.0.0.255
It is assumed that you have an IP routing protocol to advertise the IP networks shown in the sample, which are 131.108.1.0/30 and 210.1.1.0/24, to the remote ISP router through R1’s Serial 0 interface.
The configuration shown in Example 7-3 translates the inside addresses 10.99.34.0/24 into globally unique addresses ranging from 210.1.1.1/24 to 210.1.1.254.
Monitoring NAT Operations with show Commands
To monitor the operation of NAT, you can use the following commands:
show ip nat translation [verbose] show ip nat statistics
The show ip nat translation command displays the current active transactions. The show ip nat statistics command displays NAT statistics, such as how many translations are currently taking place.
There are four different versions of NAT translations:
•Static NAT—Maps an unregistered IP address to a registered IP address on a one-to-one basis. This is particularly useful when a device needs to be accessible from outside the network to an internal unregistered address.
•Dynamic NAT—Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.