Network Statements – Part 1

In this multi-part series, we’ll examine the effects of Cisco IOS “network” statements for various IP routing protocols. Let’s start with the IGPs (Interior Gateway Protocols). The IGPs for which Cisco IOS uses network statements are:

  • RIP
  • OSPF
  • EIGRP

Note that Cisco IOS does not use network statements for IS-IS (another IP IGP). Also, BGP, which is an EGP (Exterior Gateway Protocol), uses its network statements differently, so we’ll discuss it later.

Refer to the example topology shown in Figure 1:

As you can see, we have multiple logical networks connected to a router, those being:

  • 192.168.1.0/24
  • 172.16.1.0/24
  • 10.1.1.0/24
  • 10.2.2.0/24

What we want to do is get RIP running on the Fa0/1, Fa0/2 and Fa0/3 interfaces, but not on Fa0/0. To do this, we use “network” statements under RIP, as follows:

router rip
   network 172.16.0.0
   network 10.0.0.0

Note that a “network” statement has two functions:

  1. It tells the router on which interfaces to run the routing protocol. Since we have network statements that cover the 10.0.0.0 and 172.16.0.0 networks, the Fa0/1, Fa0/2 and Fa0/3 interfaces will run the routing protocol. The meaning of this varies, but in the case of RIP, it means start sending RIP updates on the interfaces, and listen for incoming RIP updates.
  2. It tells the router to inject the logical networks of the interfaces into the routing protocol. In our example, those would be the 10.1.1.0/24, 10.2.2.0/24 and 172.16.1.0/24 prefixes.

Note that when it comes to advertising the prefixes to neighbor routers, the exact result takes into account the type of route summarization, if any, that is being performed by the routing protocol. Let’s look at this in more detail. In our case, the router will advertise the following prefixes on its interfaces:

  • Fa0/0 – nothing (this interface is not running the protocol)
  • Fa0/1 – 10.1.1.0 and 172.16.0.0
  • Fa0/2 – 10.0.0.0
  • Fa0/3 – 10.2.2.0 and 172.16.0.0

Recall that RIPv1 is a classful protocol, meaning that the updates do not contain subnet masks. Because of this, RIPv1 performs automatic route summarization at the boundary between classful networks, which is why the router is advertising the classful network 172.16.0.0 on Fa0/1 and Fa0/3, and likewise 10.0.0.0 on Fa0/2. Note that the subnets of network 10.0.0.0 are advertised on the interfaces belonging to that network (10.1.1.0 on Fa0/1, and 10.2.2.0 on Fa0/3). Since classful protocols do not allow VLSM (Variable-Length Subnet Masks), the assumption is that any neighbor routers will be using the same subnet mask within that classful network.
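As an added illustration (not code from the article), the Python below models the two functions of a RIP network statement described above: classful matching of interfaces to statements, then RIPv1 advertisement with auto-summary at classful boundaries and split horizon. The interface addressing is an assumption, since Figure 1 is not reproduced here, chosen so that the per-interface results match the list above; the unintended_rip_interfaces helper is an added sanity check that a statement has not enabled the protocol on a link, such as Fa0/0, that should stay silent.

```python
import ipaddress

# Constructed interface addressing: an assumption, since the article's Figure 1
# is not reproduced on the page; chosen so the results match the text.
INTERFACES = {
    "Fa0/0": "192.168.1.1/24",
    "Fa0/1": "10.2.2.1/24",
    "Fa0/2": "172.16.1.1/24",
    "Fa0/3": "10.1.1.1/24",
}

# The "router rip" network statements from the article.
NETWORK_STATEMENTS = ["172.16.0.0", "10.0.0.0"]


def classful_network(addr):
    """Classful major network containing addr (RIPv1 carries no subnet masks)."""
    first_octet = int(str(addr).split(".")[0])
    if first_octet < 128:
        prefix_len = 8      # class A
    elif first_octet < 192:
        prefix_len = 16     # class B
    elif first_octet < 224:
        prefix_len = 24     # class C
    else:
        raise ValueError(f"{addr} is not a class A/B/C unicast address")
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def rip_interfaces(interfaces, statements):
    """Function 1 of a network statement: an interface whose address lies inside a
    classful network named by a statement runs RIP; all others stay silent."""
    majors = {classful_network(s) for s in statements}
    return {
        name: ipaddress.ip_interface(cidr)
        for name, cidr in interfaces.items()
        if classful_network(cidr.split("/")[0]) in majors
    }


def ripv1_advertisements(interfaces, statements):
    """Function 2 plus RIPv1 behaviour: each enabled interface advertises the other
    enabled subnets, summarised to the classful network when crossing a major
    network boundary, and never its own subnet (split horizon)."""
    enabled = rip_interfaces(interfaces, statements)
    adverts = {name: set() for name in interfaces}
    for out_name, out_iface in enabled.items():
        out_major = classful_network(out_iface.ip)
        for src_name, src_iface in enabled.items():
            if src_name == out_name:
                continue  # split horizon: do not send a subnet back out its own interface
            src_major = classful_network(src_iface.ip)
            if src_major == out_major:
                adverts[out_name].add(str(src_iface.network))  # same major: send the subnet
            else:
                adverts[out_name].add(str(src_major))          # auto-summary at the boundary
    return adverts


def unintended_rip_interfaces(interfaces, statements, intended):
    """Interfaces that would speak RIP although they were not meant to, e.g. an
    edge link accidentally covered by a statement (a hypothetical extra check)."""
    return set(rip_interfaces(interfaces, statements)) - set(intended)


if __name__ == "__main__":
    for name, prefixes in ripv1_advertisements(INTERFACES, NETWORK_STATEMENTS).items():
        print(f"{name}: {', '.join(sorted(prefixes)) or 'nothing (not running RIP)'}")
    # Adding a statement for 192.168.1.0 would silently enable RIP on Fa0/0.
    print("unintended:", unintended_rip_interfaces(
        INTERFACES, NETWORK_STATEMENTS + ["192.168.1.0"], {"Fa0/1", "Fa0/2", "Fa0/3"}))
```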

Next time, we’ll look more closely at the actions of network statements under RIP.

Author: Al Friebe

AAA Authentication Using the Enable Console

One property of the ASA security appliance which “takes some getting used to” by Cisco IOS router veterans is the enable console. While users defined in the local configuration of the router can be given privileges to allow them immediate enabled access upon login, the security appliance requires that the enable command be typed. This article will explain the importance behind configuring the enable console in respect to command authorization, either locally or using an external Access Control Server (ACS).

First of all, let’s set the stage for why we need this. Picture this scenario: You are a network administrator who has either configured local privilege level commands or commands under Shared Profile Components of the Cisco ACS. (This article won’t go into those details as they are well-documented). In testing the newly-created admin account (which you thought had unrestricted command access) you log into the ASA device, type enable, and then attempt to show the running configuration. The following screen shows the result:

Further investigation under Failed Attempts on the Cisco ACS shows the following:

Note that the identity of the admin user is lost! The ACS (and the LOCAL database, if used) sees a user who entered privileged mode with enable and was therefore required to use the locally configured (non-user-specific) enable password, so the username never reaches the authorization check. The frustrating downside of the repeated “Command Authorization Failed” messages is that you are now locked out of backing out your configuration changes! Fortunately, this undesired outcome can be prevented by the following straightforward fix:

ciscoasa(config)# aaa authentication enable console <server-tag>

The <server-tag> shown above could be LOCAL or any admin-defined label referring to the ACS, which is the TACACS+ server. An administrative user could be supported in both the TACACS+ database for command authorization and the LOCAL database for enable access at the same time, although this would burden IT support with the requirement that each ASA carry the same usernames as are configured on the ACS. If the enable console is directed to use TACACS+ on the ACS, a maximum privilege level per user can be configured.

As explained in ASA Configuration Guide Version 8.0 – Managing System Access, when the CLI is used to configure virtual firewalls/security contexts, the enable_15 user account is utilized by the ASA operating system. As a result, command authorization entries would need to be added for this account in order to permit the administrator to change between contexts.

Author: Doug McKillip

Controlling Public Space Phone Access

To the extent practical, good design suggests that phones have only the minimum calling privileges necessary. Consider how you might want to configure a lobby phone. Depending upon the intended usage, you could set it as Private Line Automatic Ringdown (PLAR) to a receptionist or operator who could then place the call on behalf of the user. Or maybe you set up the lobby with a calling search space (CSS) that permits calls to internal, local, and perhaps toll-free numbers.

Conference room phones on the other hand get a bit more involved. In one sense, they are public space phones and unauthorized usage can be a concern. On the other hand, if calling privileges are too tightly restricted you run the risk of impeding the users. There is a solution which might be worth considering, and that is using Forced Authorization Codes (FACs).

On the surface, setting up FACs would seem simple.

  1. Create the User List: You begin by making a list of all users. Assign users a code (maybe their employee number) and an authorization level. Unless you have a co-worker to whom you wish to delegate a mind-numbing task, I’d suggest using the Bulk Administration Tool in CUCM to upload these codes into the system. If you’re creative, you might be able to get your existing HR database to output a CSV file for this purpose to further automate things.
  2. Edit the Affected Route Patterns: Check the box for “Require Forced Authorization Code” and enter the minimum required authorization level.

Well that’s the end of the easy stuff.

If you have a single-site deployment using traditional class of service, then you run the risk of inadvertently requiring a FAC for all calls, not just those placed from the conference room phones. To work around this, you’d use CSS and partition:

  1. Create a partition called Conf_Room_PSTN_Pt and a CSS named Conf_Room_PSTN_CSS which references that partition
  2. Create two new route patterns – one for long distance and another for international patterns – ensure the FAC box is checked, and place them into the new partition
  3. Set the CSS on the affected phones

Many people reading this blog, though, have multi-site deployments and/or are using the Line-Device Approach to CSSs. The basic premise remains the same; it’s just the design and layout of the partitions and CSSs which needs to be adjusted. For the line-device approach, you might create a dedicated “FAC_PSTN_Pt” partition and a new device-level CSS which references it.

Author: Bob Long

Trends for IT Security Decision Makers

Cisco Systems recently released the findings from a research study they did asking IT Security Decision Makers/Contributors (ITSDMs) about tracking vulnerabilities and policy enforcement in the corporate environment. Highlights from the key findings are below:

Software & Hardware

  • The vast majority of ITSDMs monitor employees’ technology use to learn what security applications (63%) and/or OS employees are running (58%).
  • More than half (56%) have determined that employees are using unsupported applications. Among them, the most common is social networking (68%).
  • About 4 in 10 have determined that employees already use unsupported network devices, while more than half indicate their organization is likely to allow personal devices on the enterprise network in the next 12 months.
  • The majority of ITSDMs indicate their organization has a complete technical process in place to lock employees from all access if needed (74%) and restrictions on what employees bring onto the network (79%).
  • The vast majority (88%) of ITSDMs have centralized control (either technology or process-based) for updating software. The two most common methods are employee training (73%) and automatic deployment solutions (68%).

Threats

  • Along with Social Networking (51%), more than half of ITSDMs perceive that unauthorized users (55%) are the biggest IT risk to their organization.
  • About 4 in 10 have experienced a loss of information due to an unsupported network device.
  • A variety of solutions are used to track vulnerabilities: vendor notifications (48%), Symantec Threat Alert (46%), security mailing lists (44%), and third-party advisory services (43%).

Policies

  • The IT Department is responsible for setting, maintaining and communicating company security policies according to 75% of ITSDMs.
  • Policies tend to be enforced through training (62%) or URL filtering (57%). But nearly half (48%) are running an automatic policy enforcement solution such as NAC.
  • Most ITSDMs (71%) recognize that overly strict security policies can have a negative impact on the hiring and retention of employees who are under the age of 30.

Excerpted from Cisco Systems Bi-Annual Security Research Security Solutions Marketing and Insight Express June 2010.

5 Ways to Strengthen Security by 2011

An organization’s network infrastructure, and the security that supports it, is a complex ecosystem that is always changing. What and whom the business needs to protect varies as well. Each new event—whether a merger or acquisition, hiring or downsizing, or a new product launch—has an impact on what the enterprise needs to protect. However, there are several steps that businesses, with guidance from their IT teams, and involvement and support from their employees, can take to strengthen their enterprise security within the next six months. These measures will help the organization respond to the tectonic forces of change now in motion, and to build a foundation that will allow it to adapt more readily to future changes that affect enterprise security.

1) Close Gaps in Situational Awareness
Most enterprises are simply not aware of the totality of their network: There are outliers—disconnected elements—that present real risk. There are many moving parts and areas of low visibility to monitor and manage, such as mobile workers, mobile devices, web-based collaborative applications, and the cloud. By taking stock of these elements, IT teams gain better visibility into the overall network security posture. They also can identify and correct weaknesses more easily, and remove or block those things that should not be connecting to the network.

2) Focus First on Solving “Old” Issues—and Doing It Well
Many of the security issues considered to be “new” problems are actually old issues that can be managed and secured using existing, effective practices. One word of caution, however: Organizations should start by working to solve a limited number of things—and doing them well—instead of trying to solve too many problems at once, only to arrive at mediocre results or unfinished projects.

Software updating and patching is a good place for many organizations to begin making improvements. Enterprises have steadily lost control over the software that’s installed on technology assets. With today’s unwieldy networks comprised of a mix of officially sanctioned technology equipment, and whatever mobile devices workers have decided suit their needs, enterprises can’t guarantee that everyone is using approved versions of corporate software.

3) Educate Your Workforce on Security—and Include Them in the Process
When educating users, explain the security issues the enterprise needs to address, and ask them how they can help the organization to solve these problems. The most effective training uses real-world examples of criminals and attacks to show employees that threats are genuine and can cause significant damage.

“Workers need to have a heightened awareness of the pain they can cause a business when they over-share information via social networks,” advises Seth Hanford, Intelligence Operations Team Lead at Cisco. “They may be unaware that they could put customers, their own jobs, and others at risk, along with the enterprise’s ability to turn a profit. Executives need to clearly state the ramifications of workers’ actions.”

4) Understand That One Security Border Is No Longer Enough
The “fortress” approach to security of the past clearly is no longer adequate. With workers collaborating and sharing vital information far beyond the walls of the workplace, every hour of every day, security that’s limited to the network edge is bound to fail.

More than that, today’s hackers are skilled at breaking through traditional security perimeters and are finding it all too easy to penetrate the “soft spots” in the enterprise where sensitive data resides and is not protected by any security border. Never before has it been more important for enterprises to adopt a layered approach to security, and to make certain that wherever critical data flows or resides, it is protected by intelligent technology solutions, rich policies, robust enforcement practices, and a workforce who has been educated about security risks and who understand their role in helping to mitigate them.

5) View Security as a Differentiator for Your Business
Leading organizations are aligning their security investments with their business objectives and finding that it allows them to adapt more quickly and confidently to changing business conditions, take advantage of new technologies and markets, and enhance the customer experience.

Network and IT systems make up some of an organization’s most critical infrastructure. Together, they are the “endoskeleton” supporting the business and protecting its data. And like a living thing, if that vital framework is neglected, it will surely fail—especially when under pressure. Businesses must take action now to test the robustness of their infrastructure and implement effective security practices so they can endure—and thrive—in the new landscape formed by these changes.

It is important for enterprises to recognize, however, that there is no “silver bullet” technology solution that can meet all their security needs. A layered approach that includes depth and breadth of defense is the only way to meet the challenges and protect the opportunities presented to the enterprise by these forces of change and the emerging borderless network.

Excerpted from the Cisco 2010 Midyear Security Report.


Cloud Models

In Cloud computing, IT resources and services are separate from the underlying infrastructure and provided on-demand and at scale in a multi-tenant environment. There are several common variations of service and deployment models that you may come across as you explore this new platform.

Cloud Service Models

  • Infrastructure as a Service (IaaS) provides users with processing, storage, networks, and other computing infrastructure resources. The user does not manage or control the infrastructure, but has control over operating systems, applications, and programming frameworks.
  • Platform as a Service (PaaS) enables users to deploy applications developed using specified programming languages or frameworks and tools onto the Cloud infrastructure. The user does not manage or control the underlying infrastructure, but has control over deployed applications.
  • Software as a Service (SaaS) enables users to access applications running on a Cloud infrastructure from various end-user devices (generally through a web browser). The user does not manage or control the underlying Cloud infrastructure or individual application capabilities other than limited user-specific application settings.

Cloud Deployment Models

  • Private clouds are operated solely for one organization. They may be managed by the organization itself or by a third-party, and they may exist on premises or off.
  • Public clouds are open to the general public or a large industry group and are owned and managed by a Cloud service provider.
  • Hybrid clouds combine two or more clouds (private or public) that remain unique entities but are bound together by technology that enables data and application portability.
  • Community clouds feature infrastructure that is shared by several organizations and supports a specific community. They may be managed by the organizations or a third-party and may exist on-premises or off.

Source: NIST


Advanced Persistent Threats

Like the so-called “sleeper cells” that plague those who fight terrorism, persistent threats present a danger to enterprises that have not implemented ways to identify and stop these security challenges. Instead of constant, “noisy” attempts, persistent threats favor a “low-and-slow” approach. This type of exploit may center on malware that, once lodged in the network, communicates only infrequently with its command-and-control networks to evade detection, or uses social networks and other hard-to-filter means to communicate inconspicuously.

Advanced persistent threats (APTs) are launched by skilled attackers whose goal is to cause severe economic disruption to the business and to gather intelligence in a targeted manner. For instance, they may seek anything from competitive bids to natural resource contracts to engineering documents. Because these threats are designed to remain under the security-detection radar, the intruders intend to return repeatedly to a specific target, stealing more information. These attacks are also adaptive, meaning they will change tactics based on your defenses. This is not a “smash-and-grab” crime—it is a well-planned, long-term scheme to separate a business from its money or intellectual property, or to gain competitive advantage.

The perpetrators of an APT launch their intrusion with the goal of stealing information—perhaps intending to sell it to a competitor. And when they want to gather more data, they don’t need to breach network defenses again, since they’re already inside the network and presumably undetected. “Advanced persistent threats reinforce the idea that the current cybercrime landscape is driven by business-minded, well organized crime syndicates,” warns Henry Stern, senior security researcher at Cisco.

How can enterprises combat such sophisticated and potentially devastating threats? Not surprisingly, detection of APTs is difficult once they have established a presence in your network. “When a hacker is inside the network, it really becomes a game of hide-and-seek,” notes Kurt Grutzmacher of the Cisco Advanced Services Security Posture Assessment team. Most corporate security systems are concentrated on inbound traffic only, which means that if an APT manages to work its way past the perimeter defenses, it may not be detected again.

The best defense against APTs is to prevent infection to begin with, relying on user education and network- and host-based defenses. However, enterprises must acknowledge the risk of APTs, and have the ability to detect them if an infection occurs. Enterprises often have the tools necessary to detect APTs and stop data exfiltration, but they lack awareness of this threat’s existence, and therefore do not focus attention on it.

Enterprises’ tools to detect APT infections on corporate networks include network monitoring, egress filtering, and data loss prevention systems, used in conjunction with baselining “normal” network usage, outbound traffic log analysis, and data on the command-and-control nodes used as upload points for data theft. These tools, used in combination, are key to detection of the APT threat.
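The detection approach just described (baseline “normal” usage, then analyse outbound logs for the infrequent but regular check-ins of a low-and-slow implant) as an added Python example that is not part of the Cisco report. The log line format, the thresholds and the constructed log lines are all assumptions made for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection log lines (documentation address ranges only).
# The "<ISO timestamp> <src> -> <dst> bytes=<n>" format is an assumption, not
# any product's real log format.
LINE_RE = re.compile(r"(\S+) (\S+) -> (\S+) bytes=(\d+)")

BASELINE_LOG = """\
2010-05-01T09:00:00 10.1.1.25 -> 198.51.100.10 bytes=20480
2010-05-01T09:05:00 10.1.1.25 -> 198.51.100.10 bytes=18000
2010-05-02T10:00:00 10.1.1.25 -> 198.51.100.10 bytes=22000
2010-05-02T11:30:00 10.1.1.30 -> 198.51.100.10 bytes=15000
2010-05-03T08:45:00 10.1.1.30 -> 198.51.100.20 bytes=9000
"""

OBSERVED_LOG = """\
2010-06-01T00:02:00 10.1.1.25 -> 203.0.113.7 bytes=310
2010-06-01T06:02:00 10.1.1.25 -> 203.0.113.7 bytes=298
2010-06-01T09:00:00 10.1.1.25 -> 198.51.100.10 bytes=21000
2010-06-01T12:01:00 10.1.1.25 -> 203.0.113.7 bytes=305
2010-06-01T13:00:00 10.1.1.30 -> 203.0.113.50 bytes=1200
2010-06-01T13:07:00 10.1.1.30 -> 203.0.113.50 bytes=950
2010-06-01T17:40:00 10.1.1.30 -> 203.0.113.50 bytes=1100
2010-06-01T18:02:00 10.1.1.25 -> 203.0.113.7 bytes=301
"""


def parse_log(text):
    """Return (timestamp, src, dst, bytes) tuples, skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, nbytes = m.groups()
            records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def build_baseline(records):
    """'Normal' usage: the destinations each internal host talked to during a
    period believed to be clean."""
    baseline = defaultdict(set)
    for _, src, dst, _ in records:
        baseline[src].add(dst)
    return baseline


def find_beacons(records, baseline, min_hits=3, min_interval_s=3600, max_cv=0.2):
    """Flag (src, dst) pairs absent from the baseline whose connections recur at a
    regular, infrequent interval (low coefficient of variation, long mean gap):
    the low-and-slow check-in pattern rather than bursty user or scanner traffic.
    Returns (src, dst, mean gap in seconds) tuples."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        if dst not in baseline.get(src, set()):
            by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            continue  # regularity is meaningless with a single interval
        mean_gap = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if mean_gap >= min_interval_s and cv <= max_cv:
            findings.append((src, dst, mean_gap))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for src, dst, mean_gap in find_beacons(parse_log(OBSERVED_LOG), base):
        print(f"possible beacon: {src} -> {dst} every {mean_gap / 3600:.1f} h")
```

The second host's contacts with 203.0.113.50 are new but irregular, so only the six-hourly check-ins from 10.1.1.25 are reported.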

Excerpted from the Cisco 2010 Midyear Security Report.


A “Perfect Storm” of Technological Change?

IPv4 address exhaustion and the move to IPv6, the need to implement DNSSEC, and the switch from 2-byte to 4-byte Autonomous System Numbers (ASNs), which marks a change to the Internet’s inter-domain routing structure, will ultimately change the way the Internet functions. Any one of these changes represents a significant architectural and operational challenge for network operators. Together, they create a “perfect storm”—described as “the greatest and potentially most disruptive set of circumstances in the history of the Internet, given its growth in importance to worldwide communications and commerce.”

Of course, this means that enterprises are at risk as well. The question: Is your enterprise prepared for the arrival of these “multiple, simultaneous, and large-scale changes”?

The storm is approaching fast—but organizations have known for years that it was coming. Therefore, your security team already should be carefully planning for these changes and making necessary updates so they can help minimize the organization’s security exposure and ensure the network infrastructure, from routers to firewalls to switches to software, is protected as the transition to each new service occurs.

Expect to see many businesses preparing for the storm in the coming year. They will likely need to expend a great deal of time, money, and resources on adapting to these significant changes, which are inconveniently culminating post-recession, when IT resources are already limited at many organizations.

U.S. government organizations are likely to be particularly preoccupied with getting up to speed, as many failed to comply with the December 31, 2009, deadline set by the U.S. Office of Management and Budget to deploy new authentication mechanisms (for example, digital signatures for DNSSEC) on their websites that would help prevent hackers from hijacking web traffic and redirecting it to bogus sites.

Excerpted from the Cisco 2010 Midyear Security Report.

6 Questions to ask Before Entering the Cloud

Industry analysts forecast a rapid formation of cloud offerings* by 2012, with IDC predicting the cloud services market topping $42 billion, and Dataquest predicting that 28-37% of all server shipments will be for cloud building. But before you dive in, you should ask a few questions.

1) What does your ideal partner look like?
Identify the characteristics of providers that are most important to your company. For example:

  • Do they offer appropriate service level agreements (SLA) and audit documents (SAS 70)?
  • Do they have the right experience to manage enterprise cloud services?
  • What is their Disaster Recovery and Business Continuity strategy?
  • Who is responsible for data back-ups?

2) Where’s the Security Guard?
A critical component of a healthy cloud strategy is ensuring that your internal security technologies and practices, such as network firewalls and user access controls, are strong and mesh well with your cloud provider’s own security measures. Remember: Your side of the infrastructure is just as vulnerable as, if not more so than, the cloud provider’s side. Key points:

  • Be sure that the cloud provider you choose can supply detailed information about its security architecture.
  • Request a copy of their Statement on Auditing No. 70 (SAS 70) audit controls. Unwillingness to commit to an audit request should be a big red flag.
  • How do they detect if an application is being attacked (hacked)? How/when are attacks reported to you?
  • What controls – physical and virtual – are in place to ensure your data’s safety?
  • What’s the access control? Does a single password provide access to everything?
  • What type of employee / contractor screening do they do?
  • How flexible are they when working with you on your security requirements?

4) Is it Legal?
Certain industries are subject to laws and regulations that affect what you can and can’t put in the cloud. Also, some major cloud providers have their own rules around “discriminatory material” and copyright. Make sure you know what their rules are before you upload the data, or you might just lose it. You can hope the provider would exercise good judgment before deleting your data, but you shouldn’t stake your business on it.

  • Does your provider have specific regulatory expertise in your industry, or data encryption options suited to it?
  • Will they commit to storing and processing data in specific jurisdictions?
  • Will they make a contractual commitment to obey local privacy/regulatory requirements?

5) Are they in it for the Long Haul?
Make sure you choose a cloud provider that really takes your relationship seriously and provides a solid partnership when supporting and hosting your server and data needs.

  • Choose a partner that will be there when you need them
  • Ask for references and check them
  • Find out what kind of financial footing they are on

6) What’s your exit strategy?
No matter how much you plan and prepare, sometimes it just doesn’t work out. If you aren’t satisfied with the cloud in general, or your provider in particular, having a plan for ending the relationship will save you time and money.

  • How much will the migration back cost?
  • Will you still have employees with the skills needed to manage your data?
  • Do you have full ownership of your data?
  • How easy is it to migrate to another cloud service provider?

* Have you noticed how a lot of articles talking about cloud computing use weather analogies?


Privacy Issues Moving to the Forefront

In the year ahead, expect the discussion around civil liberties and privacy issues to intensify as the country takes a more defensive posture with its cybersecurity. Why should the private sector pay attention? Because they may end up doing the “heavy lifting” on these issues, with Congress and the American public asking what companies are doing to protect against the erosion of citizens’ privacy, while also doing their part to help strengthen national cybersecurity.

Meanwhile, businesses have been airing their concerns to the government about privacy, but from a different angle—specifically, how disclosure about an attack can undermine their competitive edge and damage their reputation. At the RSA Conference in March 2010, FBI Director Robert Mueller pledged “minimal disruption to business with protective orders and increased privacy for U.S. corporations who suffered data breaches, in order to avoid loss of reputation and brand—despite the momentum of federal and state data breach disclosure laws.”

He went on to say: “Notifying the authorities may harm your competitive position. We will minimize the disruption into your business. We [will] work together to limit the breadth and scope of [the] attack. For every investigation in the news, there are hundreds that will never make the headlines. Disclosure is the exception, not the rule.”

Excerpted from the Cisco 2010 Midyear Security Report.
