Security Technical Implementation Guide

Executive Summary
Small and medium businesses have come to depend more than ever on the network to support their key business objectives. As they become more open to supporting Internet-powered initiatives such as e-commerce, customer care, supply-chain management, and extranet collaboration, the risks to these networks are increasing. Today’s networks are subject to attack from packet sniffers, IP spoofing, denial of service, spam, viruses, Trojan horses, and a host of other threats, any of which can seriously impact the revenue of a business, its reputation, and its customer confidence.
As they move forward to design, upgrade, and install their secure network architecture, small and midsize businesses must evaluate each area of the network, determine potential threats, and implement appropriate security measures. Cisco and its partners offer a complete array of multitiered solutions to provide robust protection to every portion of the data infrastructure, from the desktop to the network perimeter, and everywhere in between, to enable small and midsize businesses to expand their e-business initiatives with confidence.
The SAFE blueprints from Cisco enable small and midsize companies to combat these threats, providing a scalable, corporate-wide security solution. SAFE takes a defense-in-depth approach to network security design.
The first step in establishing a secure network infrastructure is the development of a formal security policy to define roles, responsibilities, acceptable use, and key security practices for a company. After developing the policy, the company may consider conducting an assessment, using established best practices as a benchmark. Businesses should then closely examine their existing network infrastructure to identify potential vulnerabilities—including the physical security of the network infrastructure.
Escalating Security Threats
As companies rely increasingly on the network for key business functions, they become more vulnerable than ever to network attacks. Compromised security can disrupt key operations, reduce productivity and inflict significant economic losses on a business.
Network attacks can be as varied as the systems that they attempt to penetrate. Some attacks are elaborately complex. Others might be unintentional security breaches by employees, which can still cause significant damage.
Cisco Systems, Inc.
All contents are Copyright © 1992–2003 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 1 of 17
To understand the types of potential attacks, it is important to be aware of some of the inherent limitations of the
TCP/IP protocol. When the Internet was formed, it linked various government entities and universities to one another
to facilitate learning and research. Because the original architects of the Internet never anticipated the widespread
commercial adoption the Internet has achieved today, security was never built into the IP specification. As a result,
most IP implementations are inherently insecure. Only after many years and thousands of Requests for Comment
(RFCs) do organizations have the tools to begin to deploy IP securely.
Because specific provisions for IP security were not designed from the outset, organizations need the ability to ensure
that their IP implementations include network security practices, services, and products that can mitigate the inherent
risks of the protocol. Common network threats include:
• Packet sniffers—A packet sniffer is a legitimate management tool that can be abused by hackers to capture data
transmitted over a network, such as usernames and passwords.
• IP spoofing—An IP spoofing attack occurs when a hacker inside or outside a network impersonates a trusted
computer to gain access to network information.
• Defacing—Defacing attacks focus on changing the files on an Internet Web server. Defacing can reduce customer
confidence and severely damage e-commerce sites that depend on their reputation of protecting sensitive customer
data.
• Denial of service—Denial of service, perhaps the most widely publicized form of attack, can be initiated using
programs that are available for downloading on the Internet. They focus on making a service unavailable for
normal use, often by exhausting a resource on the network, operating system, or application.
• Spam—Another growing threat to network operations is spam, or unsolicited mass e-mail, which slows mail
servers, overruns storage space, and reduces user productivity by clogging individual mailboxes.
• Man-in-the-middle attack—A man-in-the-middle attack is initiated by hackers who have access to network
packets that move across a wired or wireless network. During this attack, hackers hijack a network session to
gain access to private network resources, steal information, or analyze traffic to learn about a network and its
users.
• Viruses, Trojan horses, and worms—End-user PCs and workstations are especially vulnerable to viruses and
Trojan horse attacks. Viruses are malicious software code that is attached to another program to execute an
unwanted function on a user’s PC. Trojan horse attacks are similar to viruses, but disguise the application to look
like something else. Worms are malicious programs that replicate themselves.
• Hypertext Transfer Protocol (HTTP) exploits—HTTP attacks use a Web server application to perform malicious
activities by exploiting the relatively insecure access to company Web servers. If attackers can take control of the
Web server to perform malicious activities, they can access resources that would otherwise be unavailable.
• Application layer attacks—Hackers can initiate application layer attacks using several different methods. One of
the most common is exploiting well-known weaknesses in software that are commonly found on servers, such as
sendmail, HTTP, and File Transfer Protocol (FTP), to gain access to a computer with a high level of administrative
access.
The Impact on Businesses
Network security breaches can be devastating to companies, costing significant loss of revenue, productivity, and
business, not to mention the expenses involved in repairing damage. Small organizations are especially vulnerable
because they often lack the staff and budget needed to respond effectively to a security breach. The impact to
businesses can be significant, including:
• Loss of customer revenue—Nothing hits a company harder than loss of business. When a customer attempts a
purchase or tries to access resources at a company’s Web site only to find that it has been hacked, they will likely
take their business elsewhere.
• Disruption of partner transactions—A security breach can interrupt or stop business-to-business transactions,
impairing a business’ ability to collaborate with partners and suppliers.
• Loss of customer confidence—A business network that has been victimized by hackers can find it difficult to earn
back the customer trust and loyalty necessary to succeed over the long term. Customers are understandably
reluctant to share private information with a company that cannot protect it.
• Liability due to fraud—Credit card fraud has become increasingly prevalent. Customers who use a credit card to
purchase goods or services on an e-commerce site are entrusting the company with confidential information.
Fraud and identity theft due to network breaches expose the organization to liability risks that can threaten its
very survival.
To combat these threats, organizations need a consistent, scalable, corporate-wide security solution that enables them
to continually safeguard their network.
The SAFE Blueprint from Cisco for Ensuring a Secure Network
The SAFE blueprints from Cisco provide end-to-end security strategies for designing, implementing, and maintaining
a secure wired or wireless network. SAFE serves as a guide to network designers considering the security
requirements of their network. It takes a defense-in-depth approach to network security design. This type of design
focuses on the expected threats and their methods of mitigation, rather than on “Put the firewall here, put the
intrusion detection system there.” This strategy results in a layered approach to security where the failure of one
security system is not likely to lead to the compromise of network resources. SAFE is based on Cisco products and
those of its partners.
Cisco SAFE is developed around a set of fundamental concepts about network protection:
• A true security solution is a process, not a product, so an effective security solution must be able to continually
evolve and change to accommodate new threats or business requirements.
• All access points of the network are security targets, and must be protected accordingly.
• A successful security solution requires comprehensive, integrated safeguards throughout the entire network
infrastructure—not just a few specialized security devices.
• Security solutions must be modular in order to be cost-effective, scalable, and flexible.
• A layered, in-depth defense strategy provides more complete protection and minimizes areas of potential
vulnerability.
A Modular Blueprint Based on Best Practices
Each SAFE blueprint from Cisco uses a modular approach offering two key advantages. First, it allows network
planners to address the security relationship between the various functional blocks of the network. Second, it enables
them to evaluate and implement security on a module-by-module basis, instead of attempting the complete
architecture in a single phase. Cisco has developed SAFE blueprints for small, midsize, and remote-user networks, as
well as for WLAN environments.
Because the SAFE design approach focuses on the expected threats and methods for combating them, it offers a
layered security solution, in which the failure of one part of the system is not likely to lead to the compromise of
other network resources.
Cisco created its SAFE blueprints after years of experience in developing industry-leading security solutions.
Organizations that implement the SAFE blueprint take advantage of Cisco best practices in creating robust security
solutions for growing businesses.
Considerations for Implementation
Security challenges are continually evolving, and companies need a solution based on a sound policy that offers a
solid combination of depth, flexibility, and scalability.
Creating a Security Policy
As the computing and network resources of businesses grow, establishing a security policy to protect company assets
from prying eyes is essential. A security policy is a formal, published document that defines roles, responsibilities,
acceptable use, and key security practices for a company. It is a required component of a complete security
framework, and it should be used to guide investment in security defenses.
Elements of a Security Policy
Because a security policy affects all parts of a business, it should be created by a collaborative process. It should
include participation from the IT department, human resources, legal, administrative, and executive business units.
The person in charge of business security is often the best choice to chair the team. Developing a security policy can
take up to several weeks, depending on the size of the organization.
The elements of a security policy include:
• Policy statement—A concise statement of the purpose of the document, a policy statement should be applicable
to the business and its industry, and be auditable, controllable, and enforceable.
• Scope—The policy should include the type of information and resources covered by the policy (for example,
whether it applies only to electronic resources or also pertains to paper-based physical security and other forms
of intellectual property).
• Roles and responsibilities—Security policies must define the roles and duties of the security manager, IT manager,
IT administrator, and the specific responsibilities of employees.
• Security directives—The core of the security policy should offer detailed security directives that must be followed,
including those for network design, the types of hardware and software that can be used by employees,
third-party connections, remote access, name and password management, intrusion detection, and other
requirements.
• Acceptable use policy (AUP)—The AUP addresses issues such as personal use of the Internet and prohibitions
against accessing Internet sites that offer inappropriate content.
• Incident response procedures—Among the most important aspects of a security policy, incident response
procedures define who gets the first alert for various threat levels and the specific steps required for response.
• Document control factors—Organizations should define how updates to the security policy occur.
As they develop a security policy, businesses may want to begin with a simplified, high-level security policy and refine
it over a year-long period. It is recommended that they postpone making major security purchase decisions until a
policy is in place.
Identifying Vulnerabilities
Today’s open networks have many potential vulnerabilities, including extranets, VPNs, “always on” broadband
Internet connections, and WLANs. Businesses can identify potential vulnerabilities by reviewing a few key areas of
their network architecture.
• Do you have a firewall, and do you know what it is doing?
The longer a firewall is in place, the greater the likelihood that nobody really knows what policy the firewall is
implementing. Even the most robust, feature-rich firewalls are of little use unless they are correctly configured
and their features turned on. Small and midsize businesses should budget for yearly, proactive reviews of firewall
configurations.
• What types of remote access do you allow?
It does no good to have a firewall as a fortified front door when dozens of remote access windows are left wide
open throughout the rest of the business as back doors into the network. Businesses should check VPNs,
telephone dial-in lines for modems and remote control software, as well as other external connections to vendors
and business partners.
• Do you have a Web site?
Keeping a Web server, especially one that handles e-business or e-commerce, safe from hackers requires
considerable effort. At a minimum, every Internet-exposed Web server should have underlying operating systems
configured to conform to OS vendor security checklists. And businesses should develop a process to ensure that
security patches are evaluated and installed within a week of the OS vendor’s distribution.
• Do you have a comprehensive IDS solution?
Intrusion detection is the process of detecting attempts to gain unauthorized access to a network or to degrade
network service. The response to such attempts is handled automatically or through manual intervention, based
on a set of rules.
Designing the Network Architecture
When designing and deploying their network architecture, businesses must evaluate each area of the network,
determine potential threats, and implement appropriate security measures.
Channel partners and value-added resellers (VARs) or managed security service providers (MSSPs) can be especially
helpful to small and midsize businesses, which often lack the staff or expertise of large enterprises. A variety of
partners are available, and each has its own areas of specialization. When considering a partner, organizations should
be sure to investigate their manufacturer certifications. This will further ensure that the integrator is qualified to
install and configure the network security solutions.
The Main Business Location
The small and medium network designs comprise two logical layers: the main business and independent branch-office
locations.
The first layer is based on the main business location or headquarters of an organization’s network.
Figure 1
Example of a Main Business Location or Headquarters of a company with 100-500 Users/Nodes
[Network diagram. Main Business Location: Cisco 2600 or 3700 with Firewall, VPN, and Cisco IOS NIDS; Cisco PIX 515 with PIX NIDS; Cisco VPN 3005; Web Server with CSA (HIDS) on a DMZ VLAN; Cisco ACS using RADIUS with CSA (HIDS); Secure Corporate Servers with CSA (HIDS); Catalyst 2950, 3550-PWR, 3550 or 4500 with Secure LAN Features; Cisco Aironet 1100/1200 Access Point and Aironet NICs; Desktops/Laptops with CSA (HIDS), Third-Party Anti-Virus Software and Personal Firewall; Gigabit Ethernet. Links: Dedicated Connection or Fractional T1/DSL to the Internet, DSL/Cable/ISDN, IP WAN. Branch Office: Cisco PIX 501 with Firewall, VPN and PIX NIDS, or Cisco 1700 or 2600 with Firewall, VPN, and Cisco IOS NIDS; Catalyst 2950 with Secure LAN Features; Secure Corporate Servers with CSA (HIDS); Desktops/Laptops with CSA (HIDS) and Third-Party Anti-Virus Software. Teleworker Remote Access: Broadband Access Modems; Cisco VPN 3002; Cisco uBR925, 803, or 837 Router with Firewall, VPN, and Cisco IOS NIDS; Desktops/Laptops with CSA (HIDS), Third-Party Anti-Virus Software and Personal Firewall.]
This headquarters may have VPN connections to other offices of the same company. For example, a large firm may
use the medium network design for its main business location and several small network designs for its other remote
locations. Full-time teleworkers might come into the main office over some of the options discussed in the remote
network design. The main business location or headquarters layer has two modules: the network perimeter module
and the LAN and desktop module. Administrators should plan to address the needs of these two modules within the
main office, as well as the needs of teleworkers, optional wireless users, and network management.
The Network Perimeter
Most small and midsize businesses choose economical ISDN, DSL, or broadband cable for their Internet access.
Shared broadband services can pose a more significant risk of service interruption than leased lines, because the
bandwidth available per user is more easily degraded, decreasing as the number of users increases. If a
denial-of-service attack occurs, it is possible for a single, undistributed attacker to exhaust the resources of these
connections. And unlike traditional leased lines that service a single user, these broadband access systems are shared
systems, opening the door to significant security risks if users can see each other’s data.
The best way to protect the perimeter is by using a business-class firewall or access router with stateful inspection
firewall features. Small businesses with limited budgets or IT staffs may wish to choose an integrated router solution
that might be more cost-effective and easier to manage, whereas midsize and larger organizations might require the
higher performance and functionality of a dedicated firewall. Companies can make decisions based on the capacity
and functionality of the appliance compared to the integration advantage of the device.
A hardware or software-based firewall encircles a company network and acts as a secure buffer between it and an
insecure network, such as the Internet. Firewalls perform the following tasks:
• Ensure that only appropriate information and personnel are allowed access to the business network and IT
environment
• Secure the network from the inside out by preventing employees from connecting to insecure external networks
• Block unwanted or dangerous transmissions from unauthorized outsiders
• Filter the information that internal users can view from the Internet
Although a firewall is a necessity for any business connected to the Internet, implementing and maintaining one often
taxes the limited IT resources and skills of most small and midsize businesses. In this situation, many organizations
choose to outsource firewall implementation and management.
When implementing a firewall solution, organizations need to ask themselves key questions:
• Does the firewall support network security policy, or does it impose the vendor’s policy?
The most secure approach is for the firewall to be delivered preset to deny all services except those expressly
permitted. During installation, site personnel can switch on the required services.
• Does the firewall perform at or above expected levels of traffic?
Independent evaluation verifies whether the vendor’s claims are valid. Depending on their size and needs,
companies should ensure that the firewall can handle a large number of user connections and that it can move
traffic quickly enough with security rules in place (its forwarding rate under load).
Intrusion detection systems (IDSs) can also provide protection for the network perimeter against hackers and
unauthorized users. An IDS can alert administrators, intelligently cut off a hacker, and even dynamically reconfigure
the network to thwart further attacks. Intrusion detection involves understanding how network attacks occur. Based
on that understanding, one takes a phased approach to stop these attacks.
• First, make sure that general patterns of malicious activity are detected.
• Second, ensure that specific events that do not fall into common categories of attacks are dealt with firmly.
This is why most IDSs rely on update mechanisms for their software that are quick enough to preempt any growing
network threat. However, just detecting intrusions is not sufficient. You need to trace intrusions back to the source
and deal with the attacker in an effective manner. Dealing with attackers is not a trivial issue, however, because many
attacks use spoofed IP addresses or are sourced from compromised devices or systems.
Businesses that host Web servers should also implement a demilitarized zone (DMZ), to allow only appropriate
traffic to and from the Web server. For situations where the Web server resides on the company’s LAN, Network
Address Translation (NAT) may be implemented. NAT translates between public, routable IP addresses and
private, nonroutable addresses. Using NAT, all traffic destined for the public IP address on the access router is
forwarded to the private address of the Web server. To provide additional access control, the company can also place
the Web server on a separate virtual LAN (VLAN).
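The two perimeter principles above (a firewall delivered preset to deny all services except those expressly permitted, and static NAT forwarding traffic for a public address on the access router to the private address of the Web server) can be modelled in a few lines. The following is an added illustration, not Cisco code and not part of the original paper: it evaluates packets against a small default-deny rule set after applying a NAT table. The addresses (203.0.113.0/24 as the public range, 192.168.10.0/24 as the DMZ, 192.168.1.0/24 as the LAN) and the rule set are constructed for the example.

```python
"""Default-deny perimeter policy with a DMZ Web server behind static NAT.

Added example, not Cisco code and not from the original paper. Addresses
and rules are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    src: str            # CIDR prefix or "any"
    dst: str            # CIDR prefix or "any"
    proto: str
    dport: Optional[int] = None   # None matches any destination port

    @staticmethod
    def _in(addr: str, spec: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self._in(pkt.src, self.src)
                and self._in(pkt.dst, self.dst)
                and (self.dport is None or self.dport == pkt.dport))


# Static NAT: public address owned by the access router -> private DMZ address
STATIC_NAT = {"203.0.113.10": "192.168.10.10"}

# Only the services expressly permitted; everything else falls through to the default
PERMITTED: List[Rule] = [
    Rule("permit", "any", "192.168.10.10/32", "tcp", 80),     # HTTP to the DMZ Web server
    Rule("permit", "any", "192.168.10.10/32", "tcp", 443),    # HTTPS to the DMZ Web server
    Rule("permit", "192.168.1.0/24", "any", "tcp", None),     # LAN hosts initiating outbound TCP
]


def translate(pkt: Packet) -> Packet:
    """Apply inbound static NAT: rewrite a public destination to its private address."""
    return Packet(pkt.src, STATIC_NAT.get(pkt.dst, pkt.dst), pkt.proto, pkt.dport)


def evaluate(pkt: Packet, rules: List[Rule] = PERMITTED, default: str = "deny") -> str:
    """First matching rule wins; with no match the default action applies.

    default="deny" is the posture the text recommends; default="permit" models a
    firewall that ships with the vendor's permissive policy.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def inspect(pkt: Packet, default: str = "deny") -> Tuple[str, str]:
    """Return (translated destination, action) for a packet arriving at the perimeter."""
    inside = translate(pkt)
    return inside.dst, evaluate(inside, default=default)


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 80),   # Internet -> public Web address
        Packet("198.51.100.7", "203.0.113.10", "tcp", 23),   # Internet -> telnet on the same address
        Packet("192.168.1.25", "198.51.100.80", "tcp", 443), # LAN -> Internet
        Packet("198.51.100.7", "203.0.113.1", "tcp", 23),    # Internet -> router itself
    ]
    for p in samples:
        print(p, "->", inspect(p), "| vendor default permit:", inspect(p, default="permit"))
```

The contrast in the last column of the printout is the point of the first question the text asks a firewall vendor: with a permit-by-default policy, the telnet attempts reach the Web server and the router, and no one on site has to have made a decision for that to happen.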
Many businesses also need to connect smaller branch-office locations to one another, and they need a solution that
is more cost-effective and flexible than leased WAN lines. These businesses often deploy site-to-site VPNs, with key
network resources located at the company headquarters at a central site and several smaller sites or branch offices
connected to it over a VPN.
Midsize businesses should implement a scalable solution that lets them easily add resources as required, without
compromising security. Because performance requirements are often more critical and budgets are less restrictive in
midsize businesses, their network solution could include more dedicated devices, such as firewalls.
The Cisco Solution
Cisco offers a complete portfolio of integrated, end-to-end security offerings that are fully manageable and
encompass all key areas of the business network. At the network perimeter, Cisco access routers, such as the Cisco
SOHO Series, Cisco 800 Series, Cisco 1700 Series access routers, and the Cisco 2600 Series routers, are ideal
solutions to enable small companies to effectively mitigate potential attacks. Using a Cisco access router, businesses
can protect the network perimeter while extending secure network access to multiple remote users or offices. In
addition, the new Easy VPN features of the Cisco routers enable them to function as a VPN access concentrator, or
to act as a network extension to another access concentrator.
Although the configuration of access routers and firewalls might seem daunting for small businesses, Cisco products
offer easy-to-use Web-based configuration that is designed to meet the needs of small organizations.
Figure 2
Recommended Security Solution Blueprint <100 Users/Nodes
[Network diagram. Main Business Location: Cisco 1700, 2600 or uBR925 with Firewall, VPN, and Cisco IOS NIDS connected to the Internet over DSL or Cable; FTP Server and Web Server with CSA (HIDS) on a DMZ VLAN; Cisco ACS using Remote Authentication Dial-In User Service (RADIUS) with CSA (HIDS); Secure Corporate Servers with CSA (HIDS); Catalyst 2950 with Secure LAN features; 10/100 and Gigabit Ethernet; Desktops/Laptops with CSA (HIDS) and Third-Party Anti-Virus Software. Teleworker/Remote Access: Broadband Access Modems; Cisco 831 with Firewall, VPN, and Cisco IOS NIDS; Desktops/Laptops with Cisco VPN Client, CSA (HIDS), Third-Party Anti-Virus Software and Personal Firewall.]
In some cases, midsize companies require support for more simultaneous connections, higher bandwidth, and higher
performance than smaller sized organizations. For these companies, the dedicated Cisco PIX® Firewall provides the
highest level of firewall and security functions in site-to-site as well as remote access applications. Cisco PIX firewalls
offer business-class security services, including stateful packet inspection (SPI) firewalling, standards-based IP
Security (IPSec) VPN support, intrusion protection, and many other features.
Cisco IDS Host Sensor or IDS software running on Cisco routers identifies attacks that firewalls cannot detect by
monitoring Internet and extranet connections in real time to protect key network resources. Cisco IDS products offer
denial-of-service protection, antihacking detection, and defense for e-business applications. Two basic types of IDSs
on the market today are host-based IDSs (HIDSs) and network-based IDSs (NIDSs).
Figure 3
[Diagram of a host-based IDS deployment: HIDS agents on hosts in the corporate network and on the WWW servers behind the firewall, reporting to a central console; the firewall separates the corporate network from the untrusted network.]
HIDSs, for example, are software agents used to secure critical network servers and desktops that contain sensitive
information. In typical implementations, agents are loaded on each protected asset. These agents use system
resources such as disk space, RAM, and CPU time to analyze operating system, application, and system audit trails. The
collected information is compared to a set of rules to determine if a security breach has taken place. These agents are
tailored to detect host-related activity and can track these types of events with a fine degree of granularity (for
example, which user accessed which file at what time).
HIDS agents can be self-contained, sending alarm information to the local console, or remotely managed by a
manager/collector that receives periodic updates and security data. A host-based implementation that includes a
centralized management platform makes it easier to upgrade the software. HIDSs are ideal if a limited number of
critical systems need protection, and they are complementary to network-based IDSs; however, they do not scale well
if a company-wide solution is needed.
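To make the HIDS description concrete, the following added example (not Cisco Security Agent code and not from the original paper) does what the text says an agent does: it reads a host audit trail, compares each event to a small rule set, and reports which user touched which object at what time. The audit lines, the field layout (timestamp, user, action, object, result), the protected paths, and the thresholds are all constructed for the example.

```python
"""Host-based IDS style audit-trail analysis.

Added example, not part of the original paper and not a Cisco product's code.
The audit format, paths and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed audit trail: timestamp user action object result (in log order)
AUDIT_TRAIL = """\
2003-05-12T09:14:02 alice open /home/alice/report.doc success
2003-05-12T09:15:40 bob write /etc/passwd denied
2003-05-12T10:02:11 carol login - failure
2003-05-12T10:02:14 carol login - failure
2003-05-12T10:02:17 carol login - failure
2003-05-12T10:02:20 carol login - failure
2003-05-12T10:03:05 carol login - success
2003-05-12T23:41:07 bob write /etc/passwd success
2003-05-12T23:41:09 bob exec /usr/sbin/useradd success
"""

# Rule set (assumed for the example)
PROTECTED_PATHS = ("/etc/passwd", "/etc/shadow", "/usr/sbin/")
ADMINS = {"root"}
BUSINESS_HOURS = range(8, 19)          # 08:00 to 18:59
FAILED_LOGIN_THRESHOLD = 3
SENSITIVE_ACTIONS = ("write", "exec", "login")

Alert = Tuple[str, str, str, str]      # (rule, user, object, time)


def parse(trail: str) -> List[Dict]:
    """Turn the raw audit trail into event records."""
    events = []
    for line in trail.splitlines():
        ts, user, action, obj, result = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj, "result": result})
    return events


def analyze(events: List[Dict]) -> List[Alert]:
    """Compare each event against the rules and collect alerts with user/object/time."""
    alerts: List[Alert] = []
    failures = defaultdict(int)         # consecutive failed logins per user
    for e in events:
        when = e["time"].isoformat()
        ok = e["result"] == "success"

        # Rule 1: a non-administrator successfully modified or executed a protected object
        if ok and e["action"] in ("write", "exec") \
                and e["object"].startswith(PROTECTED_PATHS) and e["user"] not in ADMINS:
            alerts.append(("protected-object", e["user"], e["object"], when))

        # Rule 2: sensitive activity that succeeded outside business hours
        if ok and e["action"] in SENSITIVE_ACTIONS and e["time"].hour not in BUSINESS_HOURS:
            alerts.append(("off-hours", e["user"], e["object"], when))

        # Rule 3: repeated consecutive login failures (alert once, when the threshold is hit)
        if e["action"] == "login":
            if ok:
                failures[e["user"]] = 0
            else:
                failures[e["user"]] += 1
                if failures[e["user"]] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("login-failures", e["user"],
                                   f"{FAILED_LOGIN_THRESHOLD} failures", when))
    return alerts


if __name__ == "__main__":
    for rule, user, obj, when in analyze(parse(AUDIT_TRAIL)):
        print(f"{when} {rule:17} user={user} object={obj}")
```

Note that bob's denied write at 09:15 produces no alert, because the operating system already refused it; the successful write and the privileged command at 23:41 each trip two rules. Whether to raise an alarm on denied attempts as well is exactly the kind of tuning the text refers to when it says the agent's rules are tailored to the host.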
Network-based IDSs (NIDS)
Network-based IDSs monitor activity on a specific network segment. Unlike host-based agents, network-based
systems are usually dedicated platforms with two components:
• A sensor, which passively analyzes network traffic
• A management system, which displays alarm information from the sensor and allows security personnel to
configure the sensors.
The LAN and Desktop
The desktop and LAN in small businesses contain desktops, file servers, and daily file backup systems and software.
It is critical to protect these hosts and update them regularly with third-party software solutions such as antivirus
scanners and patches. Because most of the resources of a small business may be contained on a single file server, it is
especially important for servers to be accessible and available.
Figure 4
Recommended Security Solution Blueprint 100-500 Users/Nodes
[Network diagram with the same components as Figure 1. Main Business Location: Cisco 2600 or 3700 with Firewall, VPN, and Cisco IOS NIDS; Cisco PIX 515 with PIX NIDS; Cisco VPN 3005; Web Server with CSA (HIDS) on a DMZ VLAN; Cisco ACS using RADIUS with CSA (HIDS); Secure Corporate Servers with CSA (HIDS); Catalyst 2950, 3550-PWR, 3550 or 4500 with Secure LAN Features; Cisco Aironet 1100/1200 Access Point and Aironet NICs; Desktops/Laptops with CSA (HIDS), Third-Party Anti-Virus Software and Personal Firewall; Gigabit Ethernet. Links: Dedicated Connection or Fractional T1/DSL to the Internet, DSL/Cable/ISDN, IP WAN. Branch Office: Cisco PIX 501 with Firewall, VPN and PIX NIDS, or Cisco 1700 or 2600 with Firewall, VPN, and Cisco IOS NIDS; Catalyst 2950 with Secure LAN Features; Secure Corporate Servers with CSA (HIDS); Desktops/Laptops with CSA (HIDS) and Third-Party Anti-Virus Software. Teleworker Remote Access: Broadband Access Modems; Cisco VPN 3002; Cisco uBR925, 803, or 837 Router with Firewall, VPN, and Cisco IOS NIDS; Desktops/Laptops with CSA (HIDS), Third-Party Anti-Virus Software and Personal Firewall.]
As companies grow in size, so does the number of desktop hosts in the network, making it a greater challenge to
control access to company network resources. Midsize businesses may consider splitting the LAN into more
manageable subnets. These subnets might be organized by department (such as marketing, finance, or
manufacturing) or geographic location, and can give network administrators additional control over connection and
access privileges.
Organizations can also improve security on the LAN by implementing identity services within the switches and
routers on the network, to help identify users and control what they are permitted to do on the network. Examples
of identity services authentication systems include the Cisco Secure Access Control Server (ACS), which can be
supplemented with Cisco partner solutions such as Public Key Infrastructure (PKI) products.
The Cisco Solution—LAN Infrastructure
Part of the basic LAN infrastructure, Cisco Catalyst switches provide support for a wide variety of identity services,
such as Remote Authentication Dial-In User Service (RADIUS) or TACACS+ authentication, which enable centralized control
of the switch and restrict unauthorized users from altering the configuration. These secure LAN features provide an
excellent capability to further control access within a network.
Smaller sized businesses may choose to deploy the fixed-configuration Cisco Catalyst 2950 Series switches, whereas
larger organizations might opt for the Cisco Catalyst 3500 and 4000 Series switches, which offer additional flexibility
and scalability.
Teleworking and Remote Access
As companies evolve, they typically need the ability to support a wider range of high-speed remote access
technologies to help increase productivity or shift the way they do business. With a larger employee base or a greater
geographic distribution, some companies may require a variety of connectivity options to support remote access for
teleworkers and partners. For example, although DSL or cable may be the broadband technology of choice for a
company, some of its remote teleworkers may have only ISDN available to them. Regardless of the technology,
organizations must design a network that accounts for access methods and ensures proper routing and access control.
VPNs are an excellent method to support remote access, enabling users to securely connect to company resources
over the public network by using the access method they choose. Remote access VPNs use dialup or broadband
(DSL or cable) access to a service provider network to connect remote or mobile users to the company network.
Extranet VPNs connect a company with its suppliers, customers, and other business partners, providing limited access
to specific portions of the company network for collaboration and coordination.
When developing a VPN solution, companies should build a solution that provides all the security features needed
to keep VPN traffic private and secure, including methods such as tunneling, encryption, packet authentication,
firewalls, and user identification. Tunneling is the feature that allows all other security and transmission quality
measures to be imposed on the Internet environment. In a VPN, encryption is applied to a tunneled connection to
scramble the data, rendering it indecipherable to unauthorized viewers. A selected VPN solution should support key
tunneling protocols such as IPSec, Layer 2 Tunneling Protocol (L2TP), and generic routing encapsulation (GRE).
The remote access model for small businesses may include users with existing broadband connections at home,
combined with a VPN software client to gain secure access to the company network. The disadvantage of this model
is that the host is protected only when connected with the VPN software client.
Improvements can be made on this model by adding a DSL router with an integrated firewall on the client side, which
provides the wide array of protection features outlined previously. In offices with multiple users, the router can also
act as a VPN client, providing secure remote access for all hosts behind it, and thereby eliminating the need for each
host to launch a software client.
Larger companies may wish to deploy a VPN concentrator or server behind an Internet router. These devices can
then be reached and connected to by VPN software or hardware clients on computers, small office routers, or firewall
appliances.
The Cisco Solution—Remote Access
Teleworkers who need to access the company network may consider a Cisco SOHO or Cisco 800 Series Router with
both firewall and VPN capabilities. Cisco PIX firewalls can also provide both firewall protection and VPN access at
small offices.
For midsize and larger companies, Cisco VPN 3000 Series concentrators create a scalable platform that combines
high availability and powerful performance with advanced encryption and authentication techniques. Their flexible
design lets businesses add user connections, increase throughput, and support additional users as the organization
grows. VPN routers, such as Cisco 7100 Series VPN routers, can also act as VPN headend termination devices at a
central location for larger organizations.
The Cisco VPN Client (included with the Cisco VPN Concentrator) is software that resides on employee laptop or
desktop computers and is used to establish secure, end-to-end encrypted tunnels. The Cisco VPN 3002 Hardware
Client offers additional performance and ease of use.
The Wireless LAN and Desktop
Growing companies often consider deploying a WLAN based on IEEE 802.11 standards to support mobile workers
and facilitate network moves, adds, and changes. WLANs can often be deployed more rapidly than wired LANs, and
their inherent flexibility helps businesses overcome the limitations of older buildings, leased spaces, or temporary
work areas.
Because overall network security is only as strong as its weakest link, network managers need assurance that WLANs
will provide the same level of access control and data privacy as wired LANs. In contrast to a wired LAN, in which
access is controlled by physical access to an Ethernet port, wireless LANs broadcast data using radio waves between
the two basic components of a WLAN: the access point and the client adapter. Any wireless LAN device in the area
can receive these radio signals. To mitigate threats to a WLAN, network managers need to turn on their WLAN
security features and look at installing an enhanced WLAN security solution.
The two major components of WLAN security are authentication and encryption. Authentication ensures that the
user and the access point are who they say they are. Encryption is the method of ensuring that the data remains
uncorrupted throughout the sending and receiving transmission process.
Traditional WLAN security includes the use of service set identifiers (SSIDs), open or shared-key authentication,
static Wired Equivalent Privacy (WEP) keys, and optional Media Access Control (MAC) address authentication. This
combination offers a basic level of access control and privacy, but each element can be compromised.
A more secure solution is the IEEE 802.1X standard for authentication on wired and wireless networks. This
standard provides WLANs with strong, mutual authentication between a client and an authentication server. 802.1X
provides dynamic per-user, per-session WEP keys, removing the administrative and security issues associated with
static WEP keys. Several 802.1X authentication types exist, each providing a different approach to authentication
while relying on the same framework and the Extensible Authentication Protocol (EAP) for communication between
a client and a wireless access point. With 802.1X authentication, the credentials used for authentication, such as a
log-on password, are never transmitted in the clear, or without encryption, over the wireless medium.
Two encryption options are currently used for WLANs. The first option is standard 802.11 WEP, which uses the RC4
algorithm and has known vulnerabilities. The second option includes enhancements to the 802.11b WEP standard
and falls under the umbrella of the Temporal Key Integrity Protocol (TKIP). TKIP contains several key enhancements
to RC4-based WEP: key hashing (per-packet keying) and a message integrity check (MIC). This second option also
includes the use of broadcast key rotation to mitigate WLAN susceptibility to network attacks.
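To make the contrast between static WEP keys and TKIP-style per-packet keying with a MIC concrete, here is an added Python illustration written for this edit; it is not code from the Cisco guide or from any Cisco product. RC4 is the real textbook algorithm that WEP and TKIP are built on. The per-packet key derivation (SHA-256 over the base key, transmitter address and packet counter) and the MIC (HMAC-SHA256 truncated to 8 bytes) are constructed stand-ins for TKIP's key-mixing function and the Michael MIC, kept simple to show the same properties; the key, MAC address and payload values are constructed sample data.

```python
"""Static WEP keying versus per-packet keying with an integrity check.

Added illustration, not code from the Cisco guide. RC4 is textbook; the
per-packet key derivation and the MIC are constructed stand-ins for
TKIP's key mixing and the Michael MIC.
"""
import hashlib
import hmac
from typing import Optional

MIC_LEN = 8   # bytes of MIC appended to each frame (Michael is also 8 bytes)
SEQ_LEN = 6   # bytes of packet counter (TKIP's sequence counter is 48 bits)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_keystream(static_key: bytes, iv: bytes, length: int) -> bytes:
    """Static WEP seeds RC4 with the 24-bit IV prepended to the shared key.
    The IV is the only per-packet input, so once it repeats under the same
    static key the keystream repeats byte for byte."""
    return rc4(iv + static_key, bytes(length))


def per_packet_key(base_key: bytes, transmitter: bytes, seq: int) -> bytes:
    """Constructed stand-in for TKIP key mixing: each packet's RC4 key depends
    on the base key, the transmitter MAC address and the packet counter."""
    material = base_key + transmitter + seq.to_bytes(SEQ_LEN, "big")
    return hashlib.sha256(material).digest()[:16]


def per_packet_keystream(base_key: bytes, transmitter: bytes, seq: int, length: int) -> bytes:
    return rc4(per_packet_key(base_key, transmitter, seq), bytes(length))


def seal(base_key: bytes, transmitter: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = counter || RC4(per-packet key, payload) || keyed MIC over
    transmitter address, counter and ciphertext."""
    body = seq.to_bytes(SEQ_LEN, "big") + rc4(per_packet_key(base_key, transmitter, seq), payload)
    mic = hmac.new(base_key, transmitter + body, hashlib.sha256).digest()[:MIC_LEN]
    return body + mic


class Receiver:
    """Verifies the MIC, then enforces a strictly increasing packet counter
    (the replay check TKIP's sequence counter provides) before decrypting."""

    def __init__(self, base_key: bytes, transmitter: bytes) -> None:
        self.base_key = base_key
        self.transmitter = transmitter
        self.last_seq = -1

    def open(self, frame: bytes) -> Optional[bytes]:
        if len(frame) < SEQ_LEN + MIC_LEN:
            return None
        body, mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
        expected = hmac.new(self.base_key, self.transmitter + body, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            return None          # modified in transit or wrong key: MIC failure
        seq = int.from_bytes(body[:SEQ_LEN], "big")
        if seq <= self.last_seq:
            return None          # replayed or reordered frame
        self.last_seq = seq
        return rc4(per_packet_key(self.base_key, self.transmitter, seq), body[SEQ_LEN:])


def demo() -> dict:
    """Runs the scenarios the text describes on constructed sample values."""
    static_key = b"\x01\x02\x03\x04\x05"        # constructed 40-bit WEP key
    base_key = b"constructed-16B-key!"          # constructed TKIP-style base key
    ap = bytes.fromhex("0a1b2c3d4e5f")          # constructed transmitter MAC
    rx = Receiver(base_key, ap)
    frame = seal(base_key, ap, 1, b"GET /payroll HTTP/1.0")
    tampered = frame[:10] + bytes([frame[10] ^ 0x01]) + frame[11:]  # one flipped bit
    return {
        "static_wep_keystream_repeats_with_iv":
            wep_keystream(static_key, b"\x00\x00\x01", 16) == wep_keystream(static_key, b"\x00\x00\x01", 16),
        "per_packet_keystream_differs_per_packet":
            per_packet_keystream(base_key, ap, 1, 16) != per_packet_keystream(base_key, ap, 2, 16),
        "genuine_frame_accepted": rx.open(frame) == b"GET /payroll HTTP/1.0",
        "tampered_frame_rejected": rx.open(tampered) is None,
        "replayed_frame_rejected": rx.open(frame) is None,
    }
```

Running `demo()` returns `True` for every entry: a static key makes the keystream depend on the IV alone, the per-packet key gives every frame its own keystream even for consecutive counters, and the keyed MIC plus counter check cause a modified frame and a replayed frame to be dropped rather than decrypted.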
Figure 5
Recommended Security Solution Blueprint Remote Access
[Diagram residue; only labels are recoverable. Panels: "100 Users or Fewer", "100 to 500 Users", "500 Users or More", each reached from the Internet over DSL or cable broadband access modems. Components shown: software VPN client on desktops/laptops (Cisco VPN Client, CSA (HIDS), third-party anti-virus software and personal firewall); hardware-based remote-site firewall and VPN (Cisco 831 router with firewall, VPN, and Cisco IOS NIDS; Cisco PIX 501 with firewall, VPN, and PIX NIDS; Cisco uBR925, 803, or 837 router with firewall, VPN, and Cisco IOS NIDS); Cisco VPN 3002 hardware client; Cisco 7910 IP phone; desktops/laptops with CSA (HIDS) and third-party anti-virus software behind remote-site routers.]
The Cisco Solution—Wireless LANs
For organizations that are deploying WLANs, Cisco Aironet® products include standards-based 802.11a and
802.11b access points and client devices for small and midsize businesses. The Cisco Wireless Security Suite, included
with Cisco Aironet products, provides robust WLAN security services that closely parallel the security available in a
wired LAN. The Cisco Wireless Security Suite takes advantage of the EAP framework for user-based authentication
to support all 802.1X authentication types, including Lightweight EAP (LEAP), EAP-transport layer security
(EAP-TLS) and types that operate over EAP-TLS, such as Protected EAP (PEAP) and EAP-tunneled TLS (EAP-TTLS).
The Cisco Wireless Security Suite also provides support for several enhancements to WEP keys discussed previously.
Management of a Secure Network
After companies develop their security policy and implement firewall, intrusion detection, virus detection, and other
perimeter security technology, they must then address management of their security environment.
Acquiring and implementing the technology for perimeter security is only the start of securing the network perimeter.
To provide effective protection, these technologies must be correctly installed, configured, maintained, and
monitored.
As business requirements, technology, and potential threats evolve, businesses should update their firewall policy,
virus detection, and intrusion detection to reflect these changes. Security technologies need periodic maintenance
with patches and updates. Perimeter security technology must also be monitored to ensure that potential problems
are identified and addressed with minimal delay.
According to research from Gartner Dataquest, in most companies the staff responsible for IT security is also
responsible for many other activities, and spends most of its time on non-security projects. When the tools are in
place, many companies find that monitoring and managing the infrastructure stretches staff availability and
expertise. In resource-constrained businesses, this added responsibility is often too taxing.
Assessing the potential impact of changes to firewall policy requires continuous education on threats and
vulnerabilities, as well as expertise in firewall configuration to implement changes. Extending monitoring and
management coverage with beepers and “on calls” often results in spotty coverage, harms staff morale, and impacts
key employee retention. At the same time, help-desk staff may lack the expertise to identify and address or call
attention to potentially serious events. The overall result is a degradation of a company’s security level over time.
To help meet necessary security requirements, businesses may consider adding security resources to their current
staff or prioritizing security as an area of importance for their business, by continuing to educate all employees on
security issues and vulnerabilities.
For these reasons, businesses choose to outsource management and monitoring of perimeter network security
technology to a managed security service provider (MSSP) to cost-effectively ensure security. The value of MSSPs is
clear: they can improve an organization's security level via 24 x 7 monitoring with security experts, and help growing
businesses manage costs by taking advantage of technology and expertise across a large number of devices.
Managed security services include management and monitoring of firewall and intrusion detection sensors. These
management services include hardware repair and maintenance, periodic system software updates or patches, and
implementation of policy changes.
The Cisco Solution—Management
Management of a network, large or small, is critical for any system administrator supporting a business. Good
management tools can dramatically aid this requirement by allowing a single person to view and control the activity
of the network at any time. The CiscoWorks Small Network Management Solution (SNMS) was designed for small
and midsize business networks; it provides a powerful set of life-cycle functionality, including configuration
management and troubleshooting tools for Cisco devices.
The Branch Office
The second layer is based on a completely independent and autonomous design for the branch office of a larger
company with its own local servers and user stations.
When configured as a branch, the small network design architecture can serve sites with 100 or fewer users. All the
components and design guide principles outlined in the small network design section are directly applicable in this
layer. However, some considerations for WAN connectivity to the headquarters layer need to be accounted for.
Businesses can choose from two options: private WAN links and IPSec VPN. Private WANs include a more granular
level of quality-of-service (QoS) support, multicast support, reliability of the network infrastructure, and the support
of non-IP traffic. Alternatively, IPSec VPN over the public Internet can provide local Internet for all remote sites,
saving bandwidth costs at the headquarters layer as well as providing significant cost savings over private WAN links.
Conclusion
As the risks and challenges related to networks for businesses grow, organizations should take a systematic and
multitiered approach to planning and deploying secure network infrastructures. When developing their network
architecture, small and midsize businesses should carefully evaluate each area of the network, determine potential
threats, and implement appropriate security measures. Channel partners can add tremendous value to small and
midsize businesses, which may lack the staff expertise of large enterprises.
The SAFE Blueprint from Cisco for network security offers a defense-in-depth, modular approach to security that
can evolve and change to meet the needs of businesses. The SAFE Blueprint from Cisco encompasses every aspect of
the data infrastructure, from the desktop to WLANs, to the network perimeter, to remote user sites, and all areas in
between. For more information on The SAFE Blueprint from Cisco, visit http://www.cisco.com/go/SAFE.
Small and midsize businesses can also benefit by taking advantage of service providers to manage their networks,
freeing them to focus on their core business issues. Service providers are also useful in helping organizations maintain
network resiliency and provide complete protection from a catastrophic event.
By developing an appropriate security policy, backed by industry-leading Cisco solutions, companies can move
forward confidently to deploy their network solutions and enjoy the benefits that the Internet has to offer.
Appendix A: Product List
The following products discussed in this guide can be part of an end-to-end Cisco network infrastructure.
• Cisco Aironet 1200 Series access points—Dual-mode 802.11a- and 802.11b-compliant wireless access points that
deliver enterprise-class security, manageability, upgradeability, and reliability to create high-performance wireless
LANs.
• Cisco PIX 500 Firewall Series (Cisco PIX 501, 506E, 515E, and 525)—A firewall platform that cost-effectively
provides easy-to-deploy, robust, business-class security services including stateful packet inspection (SPI)
firewalling, standards-based IP Security (IPSec) virtual private networking (VPN), intrusion protection, and much
more.
• Cisco SOHO 90 Series secure broadband routers—Suitable for small offices with up to five users, the Cisco
SOHO 90 Series routers provide affordable, secure Internet connectivity with the integrated security features of
Cisco IOS software.
• Denial of service—Denial of service, perhaps the most widely publicized form of attack, can be initiated using
programs that are available for downloading on the Internet. They focus on making a service unavailable for
normal use, often by exhausting a resource on the network, operating system, or application.
• Cisco 800 Series access routers—A series of fixed-configuration routers tailored for small offices and
telecommuters that connect these users to the Internet or to a corporate LAN via ISDN, serial connections (Frame
Relay, leased lines, X.25, or asynchronous dialup), DSL (asymmetric DSL [ADSL], ADSL over ISDN, or G.SHDSL),
or dual Ethernet.
• Cisco uBR925 Series cable access routers—A fully integrated Cisco IOS® Software router and Data Over Cable
Service Interface Specification (DOCSIS) 1.1 standards-based cable modem for cable service providers deploying
feature-rich broadband cable access to commercial markets.
• Cisco 1700 Series access routers—A cost-effective integrated e-business platform for small and midsize businesses
and enterprise small branch offices that provides flexibility and manageability to meet demanding and evolving
e-business requirements.
• Cisco 2600 Series Router—A modular access router that delivers enterprise-class versatility, integration, and
power.
• Cisco 3700 Series Multiservice Access Router—A multifunction platform that combines dial access, routing, and
LAN-to-LAN services and multiservice integration of voice, video, and data in the same device.
• Cisco Catalyst 2950 Series Intelligent Ethernet Switch—A line of affordable, fixed-configuration, stackable, and
standalone devices that provide wire-speed Fast Ethernet and Gigabit Ethernet connectivity.
• Cisco Catalyst 3500 Series Switch—A scalable line of stackable 10/100 and Gigabit Ethernet switches that deliver
premium performance that is perfect for integrated voice, video, and data along with manageability, flexibility,
and unparalleled investment protection.
• Cisco Catalyst 4000 Series Switch—A product line of modular, high-density, cost-effective switches that offer
switched 10/100 and Gigabit Ethernet in the LAN, packet telephony, content networking, security, quality of
service, and integrated WAN access functionality.
• Cisco VPN 3000 Series—A product line of purpose-built, remote access VPN platforms and client software that
incorporates high availability, high performance, and scalability with the most advanced encryption and
authentication techniques available.
• Cisco Intrusion Detection System (IDS)—A comprehensive, pervasive security solution for combating
unauthorized intrusions, malicious Internet worms, along with bandwidth and e-business application attacks.
• Cisco CallManager—A software application that extends telephony features and functions to packet telephony
network devices.
• Cisco 7900 Series IP telephones—Standards-based communication appliances that can interoperate with IP
telephony systems using Cisco CallManager technology or Session Initiation Protocol (SIP).
• Cisco Access Control Server (ACS)—A scalable, centralized user access control framework that offers centralized
control for all user authentication, authorization, and accounting, including Cisco Extensible Authentication
Protocol (EAP), from a Web-based graphical interface, and distributes those controls to hundreds or thousands
of access gateways in a network.
• CiscoWorks Small Network Management Solution (SNMS)—A new Web-based network management solution
that provides small to midsize businesses a powerful set of life-cycle functionality, including configuration
management and troubleshooting tools for Cisco and other network devices.
Appendix B: Deployment and Support Services
Technology and Service Specialized Partners
Technology specializations provide partners with training that covers presales, basic deployment, and postsales
operational support. Partners become familiar with specific Cisco products relevant to the technology and focus on
a minimum foundation of skills that partners need to define, deploy, and support the specific Cisco solution.
Cisco Secure Consulting Services
Cisco Secure Consulting Services brings together a team of consultants drawn primarily from military and
government, such as the Air Force Information Warfare Center and the Central Intelligence Agency. Cisco Secure
Consulting Services consultants are not just experts in security vulnerabilities and countermeasures, they understand
the sensitivity of handling confidential corporate data. Cisco Secure Consulting Services provides two types of
services for these companies: a Security Posture Assessment (SPA) and an Incident Control and Recovery (ICR)
program. For more information, see http://www.cisco.com/warp/public/cc/serv/mkt/sup/advsv/pavsup/sposass/index.shtml.
Advanced Service
Cisco Total Implementation Solutions (TIS) offers a full range of implementation solutions, including project
management; project engineering, configuration, staging, and rollout coordination; and assurance of correct
installation and deployment. For more information on Cisco Total Implementation Solutions, visit
http://www.cisco.com/en/US/products/svcs/ps11/ps2902/ps3061/serv_home.html.
Cisco Direct and Partner Enabling Services
Cisco Technical Support Services SMARTnet™ support augments the resources of your operations staff by providing
them with access to a wealth of expertise, both online and via telephone, including the ability to refresh their system
software at will, and a range of hardware Advance Replacement options. Cisco SMARTnet Onsite provides all
services and complements the hardware Advance Replacement feature by adding the services of a field engineer, a
feature that can be critical for those locations where staffing is insufficient or unavailable to perform parts
replacement activities. For more information on Cisco SMARTnet support, visit
http://www.cisco.com/en/US/products/svcs/ps3034/ps2827/ps2978/serv_home.html.
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883
Asia Pacific Headquarters
Cisco Systems, Inc.
Capital Tower
168 Robinson Road
#22-01 to #29-01
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the
Cisco Web site at www.cisco.com/go/offices
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia
Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland
Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland
Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden
Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe
All contents are Copyright © 1992–2003 Cisco Systems, Inc. All rights reserved. Catalyst, Cisco, Cisco Systems, Cisco IOS, the Cisco Systems logo, Cisco Unity, and EtherSwitch are registered trademarks or trademarks
of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
(0303R)
203101/ETMG 06/03