3856_10_2001_c1_X © 2001, Cisco Systems, Inc. All rights reserved.

Security Technologies
Security Threats: Pervasive in the Network

(Diagram: threat categories surrounding the Internet: Information Theft, Virus Attacks, Destructive, Data Interception, Unprotected Assets, Denial of Service, Unauthorized Entry.)

Headlines quoted:
- "ILOVEYOU Computer Virus Strikes Worldwide" (CNN)
- "AOL Boosts Security After Attack" (C/NET)
- "Several Web Sites Attacked Following Assault on Yahoo!" (New York Times)
Code Red Propagation
- July 19, midnight: 159 hosts infected
- July 19, 11:40 am: 4,920 hosts infected
- July 20, midnight: 341,015 hosts infected
Threat Capabilities: More Dangerous and Easier To Use

(Chart: sophistication of hacker tools rising over time, reaching DDoS in 2000, while the technical knowledge required falls from high to low. Tools and techniques plotted: packet forging/spoofing, password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, stealth diagnostics, DDoS.)
Patch Vulnerabilities and Update Virus Scanning Software
- Patch ALL vulnerable systems, including remote sites, dial-up users and VPN connections
- Update virus scanning software for NIMDA
- Patching Cisco products running Microsoft IIS:
- Patching Microsoft IIS itself:
Security Philosophy: The Security Wheel
A continual, multistage process focused on incremental improvement: Secure; Monitor and Respond; Test; Manage and Improve.
SAFE "Campus Internet" Module
(Diagram: Cisco IOS Router, Cisco PIX Firewall, Cisco IDS Appliance, Public Web Servers and Content Inspection Servers, with links to the Edge Distribution Module, the VPN/Remote Access Module and the ISP Module.)
SAFE "Campus Internet" Module: PIX Firewall Family
Roles in the module: stateful packet filtering, basic Layer 7 filtering, host DoS mitigation.
- Range of solutions, from teleworkers through large Enterprise/SP
- High performance
- Very secure
- Easy to deploy and maintain
- Cost-effective failover
SAFE "Campus Internet" Module: Cisco Network IDS Sensors
Roles in the module: broad Layer 4-7 analysis and focused Layer 4-7 analysis.
- Network appliance and switch-based solutions
- Provide a network "video camera and burglar alarm"
- Protect against attacks and misuse
- High performance
- Very secure
SAFE "Campus Internet" Module: Cisco IDS Host Sensors
Role in the module: host IDS for local attack mitigation.
- Protect critical systems against viruses and worms
- Intercept and inspect all system commands
- Secure the OS and validate service requests
- Alert on suspicious activity
- Most robust solution
- Easy to deploy and manage
SAFE "Campus Internet" Module: Cisco IOS Routers
Roles in the module: spoof mitigation, DDoS rate-limiting, basic filtering.
- Incorporate many robust security features: authentication/PKI, ACLs/filtering, rate-limiting, firewall and IDS, IPsec VPN
- Provide a significant first line of defense
SAFE "Campus Internet" Module: Cisco AVVID Partners
Roles in the module: inspect outbound traffic for unauthorized URLs, SMTP content inspection.
- Provide complementary security solutions: authentication/PKI, content filtering/AV, personal firewall, wireless/VPN client security, management, security services
SAFE "Campus Internet" Module: All Functions Combined
Inspect outbound traffic for unauthorized URLs; stateful packet filtering; basic Layer 7 filtering; host DoS mitigation; spoof mitigation; DDoS rate-limiting; basic filtering; broad Layer 4-7 analysis; SMTP content inspection; host IDS for local attack mitigation; focused Layer 4-7 analysis.
Network Security Components
- Identity: authentication
- Secure Connectivity: VPN
- Perimeter Security: firewalls
- Security Monitoring: intrusion detection, scanning
- Security Management: policy
EDGE Options

Campus Network Issues (Security): Firewall, Intrusion Detection, VPN, HIDS

Campus Network Issues: Firewall, Intrusion Detection, VPN, Transparent Cache (Content Engine), H.323 GK, Intelligent Switched LAN Infrastructure

New Cisco VPN 3000 Concentrator Series
Internet Worms: Code Red and NIMDA Overview
Anatomy of a Worm
1. The enabling vulnerability
2. Propagation mechanism
3. Payload

1. The Enabling Vulnerability: using the Index Server buffer overflow attack, the worm attempts to install itself on IIS web servers reachable over the Internet.

2. Worm Propagation: after gaining access to the servers, the worm replicates itself and selects new targets for infection.

3. The Payload (steal, deface, back door, rootkit): after infection, the attacker can possess administrator-level access to the server!
Code Red: How It Works
- Conceals itself in HTTP packets; firewalls alone cannot safeguard against the virus
- The worm exploits vulnerabilities found in Microsoft's Internet Information Server (IIS) v4 and v5 via a buffer overflow attack
- It then executes arbitrary code and installs a copy of itself into the infected computer's memory, which then infects other hosts
- Multiple versions: CRv1, CRv2, Code Red II
- Results: DDoS attack, network latency, backdoor installation, drive mapping
NIMDA: How It Works
- Hybrid of worm and virus: can attack and infect in multiple ways, creating a DoS situation
- Only infects computers running a Microsoft operating system and Microsoft's web browser or web server applications
- Spread via the following mechanisms:
  - Infects without the user launching the infected attachment
  - Places copies of itself in network shared files; when these files are previewed with Internet Explorer the worm's executable is loaded
  - Modifies all Web content files, so any user browsing the Web site may accidentally download the worm
- Results: DDoS attack, network latency
Protecting Your Network Against Internet Worms Using SAFE
Intrusion Detection on Critical Hosts: Host-Based Intrusion Detection (HIDS)
- Analyzes HTTP traffic and determines if an attack is underway
- Analyzes the HTTP server to detect abnormal operations
- Protects the OS against buffer overflow and binary modifications
- Secures IIS by disabling the indexing service
- Sends an alarm when exploitation is intercepted
Install HIDS on critical servers!
Intrusion Detection in the Network: Network-Based Intrusion Detection (NIDS)
- Attack detection triggers NIDS to send an alarm and/or either shun or reset the connection
- Shunning is not recommended for Code Red v1 or v2, since the attack is contained in a single packet
- NIDS can stop Code Red II, since multiple packets are used
- NIDS will alarm on NIMDA and identify compromised hosts
Sensors shown: 4210 IDS, 4230 IDS, C6000 IDSM.
Access Control with Firewalls
- Stateful firewalling
- Filter to allow only inbound connections to the web server
- Disallow outbound connections from the web server to limit self-propagation
- Limit inbound connections to the server to block excessive connection attempts and a DoS situation
Firewalls shown: PIX 501, PIX 506, PIX 515, PIX 525, PIX 535.
3a. Access Control with Router Filtering
- Ingress filtering: block access to hosts/services that should not be publicly available
- Egress filtering: block outbound access of devices designed for internal use only, to limit propagation

Sample access lists from the slide (the host and network addresses in these entries are not preserved in this copy):

    access-list out deny ip any
    access-list out deny ip any
    access-list out permit icmp any any echo-reply
    access-list out permit tcp any host eq www
    access-list out permit tcp any host eq ftp
    access-list out permit tcp any host eq smtp
    access-list out permit udp any host eq domain
    access-list in deny ip any
    access-list in deny ip any
    access-list in permit icmp any any echo
    access-list in permit udp host host eq domain
    access-list in permit tcp host eq www
    access-list in permit tcp host host eq smtp
    access-list in permit tcp host host eq 389
    access-list in permit tcp host eq ftp
    access-list in deny ip any
    access-list in permit ip any
    access-list in permit esp host host
    access-list in permit esp host host
    access-list in permit udp host host eq isakmp
    access-list in permit udp host host eq isakmp
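As an added example, not taken from the Cisco deck or from any Cisco product, the Python model below applies the web-server policy of the two slides above (stateful tracking, inbound connections only to the published web service, no connections initiated by the web server, a cap on inbound connection attempts per source) to constructed packets; the addresses, ports and the cap value are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

WEB_SERVER = "192.0.2.10"        # constructed DMZ web server address
PUBLIC_SERVICES = {("tcp", 80)}   # only www is reachable from the outside
MAX_ATTEMPTS_PER_SOURCE = 3       # constructed cap on connection attempts

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # True for a TCP connection attempt (SYN without ACK)

class StatefulFilter:
    def __init__(self):
        self.flows = set()         # allowed (client, sport, server, dport, proto)
        self.attempts = Counter()  # inbound connection attempts per source

    def decide(self, p: Packet) -> str:
        # State check: replies of a flow we already allowed pass.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return "permit (reply of allowed flow)"
        if not p.syn:
            return "deny (no matching state)"
        # Egress: the web server never opens connections outward; a worm on
        # it would use exactly that to scan for and infect new hosts.
        if p.src == WEB_SERVER:
            return "deny (web server may not initiate connections)"
        # Ingress: only the published service on the web server.
        if p.dst != WEB_SERVER or (p.proto, p.dport) not in PUBLIC_SERVICES:
            return "deny (service not public)"
        # Per-source cap on connection attempts to blunt a SYN flood.
        self.attempts[p.src] += 1
        if self.attempts[p.src] > MAX_ATTEMPTS_PER_SOURCE:
            return "deny (too many connection attempts)"
        self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return "permit (new inbound connection)"

def run_sample():
    """Constructed traffic: a client, its reply, a worm-style scan from the
    web server, and a burst of connection attempts from one source."""
    fw, client, flood = StatefulFilter(), "198.51.100.7", "203.0.113.50"
    out = [fw.decide(Packet(client, WEB_SERVER, "tcp", 40001, 80, syn=True)),
           fw.decide(Packet(WEB_SERVER, client, "tcp", 80, 40001)),
           fw.decide(Packet(WEB_SERVER, "203.0.113.9", "tcp", 1234, 80, syn=True))]
    out += [fw.decide(Packet(flood, WEB_SERVER, "tcp", 50000 + i, 80, syn=True))
            for i in range(MAX_ATTEMPTS_PER_SOURCE + 1)]
    return out
```

Note that the reply packet is permitted purely by state: no rule allows traffic from the web server, so once the flow table is the only path outward a worm's own scanning SYNs have nothing to match.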
Private VLANs
- Hosts on a given segment can only communicate with the default gateway, NOT with other hosts on the network
- A compromised web server could not infect others
(Diagram: a primary VLAN with one promiscuous port, a community VLAN for Community 'A', a community VLAN for Community 'B', and an isolated VLAN whose isolated ports cannot reach each other.)

PVLANs & a DMZ
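As an added example (not part of the Cisco material), this Python model encodes the private VLAN port roles described above and compares the Layer 2 reach of a compromised web server on a PVLAN with its reach on a flat VLAN; the port names and host placement are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str
    role: str            # "promiscuous", "isolated" or "community"
    community: str = ""  # community name; only meaningful for community ports

def can_talk(a: Port, b: Port) -> bool:
    """Layer 2 reachability between two ports of one primary private VLAN."""
    if a == b:
        return True
    # The promiscuous port (default gateway: router or firewall) reaches all.
    if "promiscuous" in (a.role, b.role):
        return True
    # Community ports reach the promiscuous port and their own community.
    if a.role == b.role == "community":
        return a.community == b.community
    # Isolated ports reach only the promiscuous port; isolated and community
    # ports never reach each other.
    return False

def worm_blast_radius(src: Port, ports, pvlan=True):
    """Hosts a worm on `src` could reach directly at Layer 2: under the PVLAN
    rules above, or on a flat VLAN where every host sees every other host."""
    others = [p for p in ports if p is not src]
    return sorted(p.name for p in others if not pvlan or can_talk(src, p))

# Constructed DMZ: the gateway on the promiscuous port, two public web servers
# on isolated ports, and two small communities that must talk internally.
DMZ = [
    Port("gateway", "promiscuous"),
    Port("web1", "isolated"),
    Port("web2", "isolated"),
    Port("app1", "community", "A"),
    Port("app2", "community", "A"),
    Port("db1", "community", "B"),
]

if __name__ == "__main__":
    web1 = DMZ[1]
    print("flat VLAN :", worm_blast_radius(web1, DMZ, pvlan=False))
    print("with PVLAN:", worm_blast_radius(web1, DMZ))
```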
What is the VPN/Security Management Solution (VMS)?
- Integral part of the SAFE blueprint
- Flagship solution for VPN and security management
- One stop for configuring, monitoring and troubleshooting: VPN, firewall, network-based IDS, host-based IDS
For detailed information:
Summary
- Threats will continue to become more advanced and aggressive, but...
- Organizations need to adopt a comprehensive approach to security; there is no silver bullet
  - A function of design, people and processes
  - Requires defense-in-depth
- Cisco can help you secure your network: the SAFE security blueprint, and market-leading products, services and partners
Sample Cisco Configurations
(Diagram: example deployments by link speed, DS-1 1.5 Mbps, fDS-3 20 Mbps, DS-3 45 Mbps and OC-3 155 Mbps, combining PIX 515/525/535 firewalls, CE and CE560 content engines for caching, intrusion detection, host IDS, VPN, and the VMS 2.0 management console and agents.)
Notes: list pricing shown; discounts and trade-ins apply; router required, other elements optional.