Security Technical Implementation Guide

Executive Summary

Small and medium businesses have come to depend more than ever on the network to support their key business objectives. As they become more open to supporting Internet-powered initiatives such as e-commerce, customer care, supply-chain management, and extranet collaboration, the risks to these networks are increasing. Today’s networks are subject to attack from packet sniffers, IP spoofing, denial of service, spam, viruses, Trojan horses, and a host of other threats, any of which can seriously impact the revenue of a business, its reputation, and its customer confidence.

As they move forward to design, upgrade, and install their secure network architecture, small and midsize businesses must evaluate each area of the network, determine potential threats, and implement appropriate security measures. Cisco and its partners offer a complete array of multitiered solutions to provide robust protection to every portion of the data infrastructure, from the desktop to the network perimeter, and everywhere in between, to enable small and midsize businesses to expand their e-business initiatives with confidence.

The SAFE blueprints from Cisco enable small and midsize companies to combat these threats, providing a scalable, corporate-wide security solution. SAFE takes a defense-in-depth approach to network security design.

The first step in establishing a secure network infrastructure is the development of a formal security policy to define roles, responsibilities, acceptable use, and key security practices for a company. After developing the policy, the company may consider conducting an assessment, using established best practices as a benchmark. Businesses should then closely examine their existing network infrastructure to identify potential vulnerabilities, including the physical security of the network infrastructure.

Escalating Security Threats

As companies rely increasingly on the network for key business functions, they become more vulnerable than ever to network attacks. Compromised security can disrupt key operations, reduce productivity, and inflict significant economic losses on a business. Network attacks can be as varied as the systems that they attempt to penetrate. Some attacks are elaborately complex. Others might be unintentional security breaches by employees, which can still cause significant damage.

Cisco Systems, Inc. All contents are Copyright © 1992–2003 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

To understand the types of potential attacks, it is important to be aware of some of the inherent limitations of the TCP/IP protocol suite. When the Internet was formed, it linked various government entities and universities to one another to facilitate learning and research. Because the original architects of the Internet never anticipated the widespread commercial adoption the Internet has achieved today, security was never built into the IP specification. As a result, most IP implementations are inherently insecure. Only after many years and thousands of Requests for Comment (RFCs) do organizations have the tools to begin to deploy IP securely. Because specific provisions for IP security were not designed in from the outset, organizations need to ensure that their IP deployments include the network security practices, services, and products that mitigate the inherent risks of the protocol.

Common network threats include:
• Packet sniffers—A packet sniffer is a legitimate management tool that can be abused by hackers to capture data transmitted in cleartext over a network, such as usernames and passwords.
• IP spoofing—An IP spoofing attack occurs when a hacker inside or outside a network forges the source address of a trusted computer to gain access to network information or to bypass address-based access controls.
• Defacing—Defacing attacks focus on changing the files on an Internet Web server.
Defacing can reduce customer confidence and severely damage e-commerce sites that depend on their reputation for protecting sensitive customer data.
• Denial of service—Denial of service, perhaps the most widely publicized form of attack, can be initiated using programs that are freely available for download on the Internet. Denial-of-service attacks focus on making a service unavailable for normal use, often by exhausting a resource on the network, operating system, or application.
• Spam—Another growing threat to network operations is spam, or unsolicited mass e-mail, which slows mail servers, overruns storage space, and reduces user productivity by clogging individual mailboxes.
• Man-in-the-middle attack—A man-in-the-middle attack is initiated by hackers who have access to network packets as they move across a wired or wireless network. During this attack, hackers hijack a network session to gain access to private network resources, steal information, or analyze traffic to learn about a network and its users.
• Viruses, Trojan horses, and worms—End-user PCs and workstations are especially vulnerable to viruses and Trojan horse attacks. Viruses are malicious software code attached to another program to execute an unwanted function on a user’s PC. Trojan horses are similar to viruses, but disguise the malicious application to look like something useful. Worms are malicious programs that replicate themselves across the network without needing a host program or user action.
• Hypertext Transfer Protocol (HTTP) exploits—HTTP attacks use a Web server application to perform malicious activities by exploiting the relatively open access that company Web servers must allow. If attackers can take control of the Web server, they can reach resources that would otherwise be unavailable to them.
• Application layer attacks—Hackers can initiate application layer attacks using several different methods.
One of the most common is exploiting well-known weaknesses in software commonly found on servers, such as sendmail, HTTP, and File Transfer Protocol (FTP) daemons, to gain access to a computer with a high level of administrative privilege.

The Impact on Businesses

Network security breaches can be devastating to companies, costing significant loss of revenue, productivity, and business, not to mention the expenses involved in repairing damage. Small organizations are especially vulnerable because they often lack the staff and budget needed to respond effectively to a security breach. The impact on businesses can be significant, including:
• Loss of customer revenue—Nothing hits a company harder than loss of business. When a customer attempts a purchase or tries to access resources at a company’s Web site only to find that it has been hacked, they will likely take their business elsewhere.
• Disruption of partner transactions—A security breach can interrupt or stop business-to-business transactions, impairing a business’ ability to collaborate with partners and suppliers.
• Loss of customer confidence—A business network that has been victimized by hackers can find it difficult to earn back the customer trust and loyalty necessary to succeed over the long term. Customers are understandably reluctant to share private information with a company that cannot protect it.
• Liability due to fraud—Credit card fraud has become increasingly prevalent. Customers who use a credit card to purchase goods or services on an e-commerce site are entrusting the company with confidential information. Fraud and identity theft due to network breaches expose the organization to liability risks that can threaten its very survival.
To combat these threats, organizations need a consistent, scalable, corporate-wide security solution that enables them to continually safeguard their network.

The SAFE Blueprint from Cisco for Ensuring a Secure Network

The SAFE blueprints from Cisco provide end-to-end security strategies for designing, implementing, and maintaining a secure wired or wireless network. SAFE serves as a guide to network designers considering the security requirements of their network. It takes a defense-in-depth approach to network security design. This type of design focuses on the expected threats and their methods of mitigation, rather than on “Put the firewall here, put the intrusion detection system there.” This strategy results in a layered approach to security where the failure of one security system is not likely to lead to the compromise of network resources. SAFE is based on Cisco products and those of its partners. Cisco SAFE is developed around a set of fundamental concepts about network protection:
• A true security solution is a process, not a product, so an effective security solution must be able to continually evolve and change to accommodate new threats or business requirements.
• All access points of the network are security targets, and must be protected accordingly.
• A successful security solution requires comprehensive, integrated safeguards throughout the entire network infrastructure—not just a few specialized security devices.
• Security solutions must be modular in order to be cost-effective, scalable, and flexible.
• A layered, in-depth defense strategy provides more complete protection and minimizes areas of potential vulnerability.

A Modular Blueprint Based on Best Practices

Each SAFE blueprint from Cisco uses a modular approach offering two key advantages. First, it allows network planners to address the security relationship between the various functional blocks of the network.
Second, it enables them to evaluate and implement security on a module-by-module basis, instead of attempting the complete architecture in a single phase. Cisco has developed SAFE blueprints for small, midsize, and remote-user networks, as well as for WLAN environments. Because the SAFE design approach focuses on the expected threats and methods for combating them, it offers a layered security solution, in which the failure of one part of the system is not likely to lead to the compromise of other network resources.

Cisco created its SAFE blueprints after years of experience in developing industry-leading security solutions. Organizations that implement the SAFE blueprint take advantage of Cisco best practices in creating robust security solutions for growing businesses.

Considerations for Implementation

Security challenges are continually evolving, and companies need a solution based on a sound policy that offers a solid combination of depth, flexibility, and scalability.

Creating a Security Policy

As the computing and network resources of businesses grow, establishing a security policy to protect company assets from prying eyes is essential. A security policy is a formal, published document that defines roles, responsibilities, acceptable use, and key security practices for a company. It is a required component of a complete security framework, and it should be used to guide investment in security defenses.

Elements of a Security Policy

Because a security policy affects all parts of a business, it should be created by a collaborative process. It should include participation from the IT department, human resources, legal, administrative, and executive business units. The person in charge of business security is often the best choice to chair the team.
Developing a security policy can take up to several weeks, depending on the size of the organization. The elements of a security policy include:
• Policy statement—A concise statement of the purpose of the document. A policy statement should be applicable to the business and its industry, and be auditable, controllable, and enforceable.
• Scope—The policy should state the type of information and resources it covers (for example, whether it applies only to electronic resources or also pertains to paper-based physical security and other forms of intellectual property).
• Roles and responsibilities—Security policies must define the roles and duties of the security manager, IT manager, and IT administrator, and the specific responsibilities of employees.
• Security directives—The core of the security policy should offer detailed security directives that must be followed, including those for network design, the types of hardware and software that can be used by employees, third-party connections, remote access, username and password management, intrusion detection, and other requirements.
• Acceptable use policy (AUP)—The AUP addresses issues such as personal use of the Internet and prohibitions against accessing Internet sites that offer inappropriate content.
• Incident response procedures—Among the most important aspects of a security policy, incident response procedures define who gets the first alert for each threat level and the specific steps required for response.
• Document control factors—Organizations should define how updates to the security policy occur.
As they develop a security policy, businesses may want to begin with a simplified, high-level policy and refine it over a year-long period. It is recommended that they postpone major security purchase decisions until a policy is in place.
Identifying Vulnerabilities

Today’s open networks have many potential points of exposure, including extranets, VPNs, “always on” broadband Internet connections, and WLANs. Businesses can identify potential vulnerabilities by reviewing a few key areas of their network architecture.
• Do you have a firewall, and do you know what it is doing? The longer a firewall is in place, the greater the likelihood that nobody really knows what policy the firewall is implementing. Even the most robust, feature-rich firewalls are of little use unless they are correctly configured and their features turned on. Small and midsize businesses should budget for yearly, proactive reviews of firewall configurations.
• What types of remote access do you allow? It does no good to have a firewall as a fortified front door when dozens of remote access windows are left wide open throughout the rest of the business as back doors into the network. Businesses should check VPNs, telephone dial-in lines for modems and remote control software, as well as other external connections to vendors and business partners.
• Do you have a Web site? Keeping a Web server, especially one that handles e-business or e-commerce, safe from hackers requires considerable effort. At a minimum, every Internet-exposed Web server should have its underlying operating system configured to conform to the OS vendor’s security checklist. Businesses should also develop a process to ensure that security patches are evaluated and installed within a week of the OS vendor’s release.
• Do you have a comprehensive IDS solution? Intrusion detection is the process of detecting attempts to gain unauthorized access to a network or to degrade its operation. The response to a detected intrusion can be automatic or require manual intervention, and in either case is driven by a set of rules.
Designing the Network Architecture

When designing and deploying their network architecture, businesses must evaluate each area of the network, determine potential threats, and implement appropriate security measures. Channel partners and value-added resellers (VARs) or managed security service providers (MSSPs) can be especially helpful to small and midsize businesses, which often lack the staff or expertise of large enterprises. A variety of partners are available, and each has its own areas of specialization. When considering a partner, organizations should be sure to investigate their manufacturer certifications. This will further ensure that the integrator is qualified to install and configure the network security solutions.

The Main Business Location

The small and medium network designs comprise two logical layers: the main business location and independent branch-office locations. The first layer is based on the main business location or headquarters of an organization’s network.
Figure 1 Example of a Main Business Location or Headquarters of a Company with 100-500 Users/Nodes
[Network diagram. Labelled components: Internet access over DSL, cable, ISDN, or a dedicated or fractional T1 connection; a Cisco 2600 or 3700 router with firewall, VPN, and Cisco IOS NIDS; a Cisco PIX 515 with PIX NIDS; a Cisco VPN 3005 concentrator; a DMZ VLAN holding a Web server with CSA (HIDS); Cisco ACS using RADIUS with CSA (HIDS); secure corporate servers with CSA (HIDS); Catalyst 2950, 3550-PWR, 3550, or 4500 switches with secure LAN features on Gigabit Ethernet; Cisco Aironet 1100/1200 access points with Aironet NICs; a branch office behind a Cisco 1700 or 2600 with firewall, VPN, and Cisco IOS NIDS over an IP WAN; and teleworker/remote access through broadband access modems with a Cisco PIX 501 with firewall, VPN, and PIX NIDS, a Cisco uBR925, 803, or 837 router with firewall, VPN, and Cisco IOS NIDS, or a Cisco VPN 3002 hardware client. Desktops and laptops run CSA (HIDS), third-party anti-virus software, and a personal firewall.]

This headquarters may have VPN connections to other offices of the same company. For example, a large firm may use the medium network design for its main business location and several small network designs for its other remote locations. Full-time teleworkers might come into the main office over some of the options discussed in the remote network design. The main business location or headquarters layer has two modules: the network perimeter module and the LAN and desktop module.
Administrators should plan to address the needs of these two modules within the main office, as well as the needs of teleworkers, optional wireless users, and network management.

The Network Perimeter

Most small and midsize businesses choose economical ISDN, DSL, or broadband cable for their Internet access. Shared broadband services can pose a more significant risk of service interruption than leased lines, because the bandwidth available per user is more easily degraded, decreasing as the number of users increases. If a denial-of-service attack occurs, it is possible for a single, undistributed attacker to exhaust the capacity of these connections. And unlike traditional leased lines that serve a single customer, these broadband access systems are shared systems, opening the door to significant security risks if users can see each other’s data.

The best way to protect the perimeter is by using a business-class firewall or an access router with stateful inspection firewall features. Small businesses with limited budgets or IT staffs may wish to choose an integrated router solution that might be more cost-effective and easier to manage, whereas midsize and larger organizations might require the higher performance and functionality of a dedicated firewall. Companies can decide by weighing the capacity and functionality of a dedicated appliance against the integration advantage of a router-based solution.

A hardware or software-based firewall encircles a company network and acts as a secure buffer between it and an insecure network, such as the Internet.
Firewalls perform the following tasks:
• Ensure that only appropriate information and personnel are allowed access to the business network and IT environment
• Secure the network from the inside out by preventing employees from connecting to insecure external networks
• Block unwanted or dangerous transmissions from unauthorized outsiders
• Filter the information that internal users can view from the Internet
Although a firewall is a necessity for any business connected to the Internet, implementing and maintaining one often taxes the limited IT resources and skills of most small and midsize businesses. In this situation, many organizations choose to outsource firewall implementation and management. When implementing a firewall solution, organizations need to ask themselves key questions:
• Does the firewall support the company’s network security policy, or does it impose the vendor’s policy? The most secure approach is for the firewall to be delivered preset to deny all services except those expressly permitted. During installation, site personnel can switch on the required services.
• Does the firewall perform at or above expected levels of traffic? Independent evaluation verifies whether the vendor’s claims are valid. Depending on their size and needs, companies should ensure that the firewall can handle the expected number of concurrent user connections and that its forwarding rate holds up with the full set of security rules in place.
Intrusion detection systems (IDSs) can also provide protection for the network perimeter against hackers and unauthorized users. An IDS can alert administrators, cut off a hacker’s session, and even dynamically reconfigure the network to thwart further attacks. Intrusion detection involves understanding how network attacks occur. Based on that understanding, one takes a phased approach to stop these attacks.
• First, make sure that general patterns of malicious activity are detected.
• Second, ensure that specific events that do not fall into common categories of attacks are dealt with firmly. This is why most IDSs rely on update mechanisms for their software and signatures that are quick enough to keep pace with any growing network threat.
However, just detecting intrusions is not sufficient. You need to trace intrusions back to the source and deal with the attacker in an effective manner. Dealing with attackers is not a trivial issue, however, because many attacks use spoofed IP addresses or are sourced from compromised devices or systems.

Businesses that host Web servers should also implement a demilitarized zone (DMZ), to allow only appropriate traffic to and from the Web server. For situations where the Web server resides on the company’s LAN, Network Address Translation (NAT) may be implemented. NAT translates between public, routable IP addresses and private, nonroutable addresses. Using a static NAT entry, all traffic destined for the public IP address on the access router is forwarded to the private address of the Web server. The translation by itself does not restrict which services are reachable, so the firewall’s access rules must still limit the forwarded traffic to the Web ports. To provide additional access control, the company can also place the Web server on a separate virtual LAN (VLAN).

Many businesses also need to connect smaller branch-office locations to one another, and they need a solution that is more cost-effective and flexible than leased WAN lines. These businesses often deploy site-to-site VPNs, with key network resources located at the company headquarters at a central site and several smaller sites or branch offices connected to it over a VPN.

Midsize businesses should implement a scalable solution that lets them easily add resources as required, without compromising security.
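As an added example (not from the Cisco paper), the perimeter points above can be made concrete with a small first-match packet-filter model: a default-deny rule base that exposes the DMZ Web server to the Internet on the Web ports only, forbids the DMZ from initiating connections into the LAN, runs an RFC 2827-style anti-spoofing check on every interface, and includes the kind of check a yearly firewall review should perform (flagging any-to-any permits nobody remembers adding). The interface names, the address ranges (RFC 1918 and RFC 5737 documentation ranges) and the sample packets are all assumptions constructed for the example.

```python
"""Added example, not code from the Cisco paper: a first-match packet-filter
model of the perimeter policy described above (default deny, a DMZ Web server
reachable from the Internet on the Web ports only, DMZ hosts never initiating
toward the LAN) with an RFC 2827-style anti-spoofing check per interface.
All addresses are assumed RFC 1918 / RFC 5737 documentation ranges."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

INSIDE_NET = IPv4Network("10.1.0.0/16")        # assumed corporate LAN
DMZ_NET = IPv4Network("192.168.100.0/24")       # assumed DMZ VLAN
WEB_SERVER = IPv4Network("192.168.100.10/32")   # assumed Web server in the DMZ
# Sources that can never legitimately arrive on the Internet-facing interface.
OUTSIDE_BOGONS = [INSIDE_NET, DMZ_NET, IPv4Network("10.0.0.0/8"),
                  IPv4Network("172.16.0.0/12"), IPv4Network("192.168.0.0/16"),
                  IPv4Network("127.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on: "outside", "dmz" or "inside"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: Optional[IPv4Network]    # None matches any address
    dst: Optional[IPv4Network]
    proto: Optional[str]          # None matches any protocol
    dport: Optional[int]          # None matches any port
    note: str

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or IPv4Address(pkt.src) in self.src)
                and (self.dst is None or IPv4Address(pkt.dst) in self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Rules are evaluated top to bottom; the first match wins, and anything that
# matches nothing is dropped by the implicit deny at the end of evaluate().
POLICY = [
    Rule("permit", None, WEB_SERVER, "tcp", 80, "Internet to DMZ Web server (HTTP)"),
    Rule("permit", None, WEB_SERVER, "tcp", 443, "Internet to DMZ Web server (HTTPS)"),
    Rule("deny", DMZ_NET, INSIDE_NET, None, None, "DMZ must never initiate to the LAN"),
    Rule("permit", DMZ_NET, None, "udp", 53, "DMZ hosts may resolve DNS"),
    Rule("permit", INSIDE_NET, None, None, None, "inside users may reach the Internet"),
]


def is_spoofed(pkt: Packet) -> bool:
    """Ingress filter: the source address must be plausible for the arrival interface."""
    src = IPv4Address(pkt.src)
    if pkt.in_iface == "outside":
        return any(src in net for net in OUTSIDE_BOGONS)
    if pkt.in_iface == "inside":
        return src not in INSIDE_NET
    if pkt.in_iface == "dmz":
        return src not in DMZ_NET
    return True  # unknown interface: never trust it


def evaluate(pkt: Packet, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, reason): anti-spoofing first, then first-match rules, then default deny."""
    if is_spoofed(pkt):
        return "deny", "anti-spoofing"
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "deny", "implicit deny"


def audit_policy(policy: List[Rule]) -> List[str]:
    """Flag permit rules so broad that nobody can say what the firewall is letting through."""
    findings = []
    for index, rule in enumerate(policy):
        if rule.action == "permit" and rule.src is None and rule.dst is None and rule.dport is None:
            findings.append(f"rule {index}: permits any source to any destination "
                            f"on any port ({rule.note})")
    return findings


if __name__ == "__main__":
    samples = [  # constructed traffic, not captured data
        Packet("outside", "203.0.113.5", "192.168.100.10", "tcp", 80),
        Packet("outside", "203.0.113.5", "192.168.100.10", "tcp", 22),
        Packet("outside", "10.1.5.5", "192.168.100.10", "tcp", 80),
        Packet("dmz", "192.168.100.10", "10.1.1.20", "tcp", 445),
        Packet("inside", "10.1.1.20", "198.51.100.9", "tcp", 443),
    ]
    for pkt in samples:
        print(f"{pkt.in_iface:8} {pkt.src:>15} -> {pkt.dst:<15} {pkt.proto}/{pkt.dport}: {evaluate(pkt)}")
    # A forgotten "temporary" any/any rule is exactly what a yearly review should catch.
    stale = POLICY + [Rule("permit", None, None, None, None, "temporary vendor access")]
    print(audit_policy(stale))
```

The evaluation order is the point: the anti-spoofing check runs before the rule base, so a packet arriving from the Internet with a LAN source address is dropped even though the HTTP permit would otherwise match it, and the implicit deny at the end is what makes the policy default-deny rather than default-permit.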
Because performance requirements are often more critical and budgets less restrictive in midsize businesses, their network solution could include more dedicated devices, such as firewalls.

The Cisco Solution

Cisco offers a complete portfolio of integrated, end-to-end security offerings that are fully manageable and encompass all key areas of the business network. At the network perimeter, Cisco access routers, such as the Cisco SOHO Series, Cisco 800 Series, Cisco 1700 Series access routers, and the Cisco 2600 Series routers, are ideal solutions to enable small companies to effectively mitigate potential attacks. Using a Cisco access router, businesses can protect the network perimeter while extending secure network access to multiple remote users or offices. In addition, the Easy VPN features of the Cisco routers enable them to function as a VPN access concentrator, or to act as a network extension to another access concentrator. Although the configuration of access routers and firewalls might seem daunting for small businesses, Cisco products offer easy-to-use Web-based configuration that is designed to meet the needs of small organizations.

Figure 2 Main Business Location: Recommended Security Solution Blueprint, <100 Users/Nodes
[Network diagram. Labelled components: Internet access over DSL or cable; a Cisco 1700, 2600, or uBR925 with firewall, VPN, and Cisco IOS NIDS; a DMZ VLAN with an FTP server and a Web server, each with CSA (HIDS); a Catalyst 2950 with secure LAN features on 10/100 and Gigabit Ethernet; Cisco ACS using Remote Authentication Dial-In User Service (RADIUS) with CSA (HIDS); secure corporate servers with CSA (HIDS); desktops/laptops with CSA (HIDS) and third-party anti-virus software; and teleworker/remote access through broadband access modems and a Cisco 831 with firewall, VPN, and Cisco IOS NIDS, with desktops/laptops running the Cisco VPN Client, CSA (HIDS), third-party anti-virus software, and a personal firewall.]
In some cases, midsize companies require support for more simultaneous connections, higher bandwidth, and higher performance than smaller organizations. For these companies, the dedicated Cisco PIX® Firewall provides the highest level of firewall and security functions in site-to-site as well as remote access applications. Cisco PIX firewalls offer business-class security services, including stateful packet inspection (SPI) firewalling, standards-based IP Security (IPSec) VPN support, intrusion protection, and many other features.

Cisco IDS Host Sensor or IDS software running on Cisco routers identifies attacks that firewalls cannot detect by monitoring Internet and extranet connections in real time to protect key network resources. Cisco IDS products offer denial-of-service protection, antihacking detection, and defense for e-business applications. Two basic types of IDSs are on the market today: host-based IDSs (HIDS) and network-based IDSs (NIDS).

Figure 3
[Diagram of a host-based IDS deployment: HIDS agents run on the servers and desktops of the corporate network and on the WWW servers exposed through the firewall to the untrusted network, and all agents report to a central console.]

HIDSs are software agents used to secure critical network servers and desktops that contain sensitive information. In typical implementations, agents are loaded on each protected asset. These agents use system resources such as disk space, RAM, and CPU time to analyze operating system, application, and system audit trails. The collected information is compared to a set of rules to determine whether a security breach has taken place. These agents are tailored to detect host-related activity and can track these types of events with a fine degree of granularity (for example, which user accessed which file at what time).
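As an added example (not from the Cisco paper), the rule matching that a HIDS agent performs on an audit trail can be shown in a few dozen lines: records of which user accessed which file at what time, plus logon outcomes, are run through three rules (access to a sensitive file by an account not expected to use it, a burst of failed logons for one account, and a successful logon right after such a burst). The log format, account names, file names and thresholds are constructed for this example and are not any product's format.

```python
"""Added example, not code from the Cisco paper: a miniature host-based IDS
agent that compares audit-trail records (which user touched which file at what
time, and logon outcomes) against a small rule set, the way the HIDS agents
described above do. The log format, user names, file names and thresholds are
constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed audit trail: timestamp, event type, user, object (file) or service.
AUDIT_TRAIL = """\
2003-05-12T02:14:03 FILE_READ backup /var/backups/payroll.db
2003-05-12T02:14:10 FILE_WRITE jsmith /etc/passwd
2003-05-12T09:01:00 LOGIN_FAIL root ssh
2003-05-12T09:01:03 LOGIN_FAIL root ssh
2003-05-12T09:01:06 LOGIN_FAIL root ssh
2003-05-12T09:01:09 LOGIN_FAIL root ssh
2003-05-12T09:01:12 LOGIN_FAIL root ssh
2003-05-12T09:01:15 LOGIN_OK root ssh
2003-05-12T10:22:41 FILE_READ jsmith /home/jsmith/report.doc
2003-05-12T23:40:02 FILE_READ jsmith /var/backups/payroll.db
"""

SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow", "/var/backups/payroll.db"}
SENSITIVE_FILE_USERS = {"root", "backup"}     # accounts expected to touch them
FAIL_THRESHOLD = 5                            # failed logons ...
FAIL_WINDOW = timedelta(seconds=60)           # ... within this window

Alert = Tuple[datetime, str, str]


def parse_record(line: str) -> Tuple[datetime, str, str, str]:
    timestamp, event, user, obj = line.split(maxsplit=3)
    return datetime.fromisoformat(timestamp), event, user, obj


def analyze(trail: str) -> List[Alert]:
    """Run every record through the rules and return (time, rule, detail) alerts."""
    alerts: List[Alert] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in trail.splitlines():
        ts, event, user, obj = parse_record(line)
        # Rule 1: any access to a sensitive file by an account not expected to use it.
        if event in ("FILE_READ", "FILE_WRITE") and obj in SENSITIVE_FILES \
                and user not in SENSITIVE_FILE_USERS:
            alerts.append((ts, "sensitive-file-access", f"{user} {event} {obj}"))
        # Rule 2: FAIL_THRESHOLD failed logons for one account inside FAIL_WINDOW.
        if event == "LOGIN_FAIL":
            recent = [t for t in failures[user] if ts - t <= FAIL_WINDOW] + [ts]
            failures[user] = recent
            if len(recent) == FAIL_THRESHOLD:
                alerts.append((ts, "logon-brute-force",
                               f"{len(recent)} failures for {user} within {FAIL_WINDOW.seconds}s"))
        # Rule 3: a success right after a burst of failures is the case worth paging on.
        elif event == "LOGIN_OK":
            if len(failures[user]) >= FAIL_THRESHOLD:
                alerts.append((ts, "logon-after-brute-force",
                               f"{user} logged in after {len(failures[user])} failures"))
            failures[user].clear()
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in analyze(AUDIT_TRAIL):
        print(ts.isoformat(), rule, detail)
```

Note what the rules do not flag: the backup account reading the payroll database at 02:14 is expected and stays silent, which is the granularity argument the paragraph makes for host-based agents; the same read by jsmith at 23:40 is an alert because the rule keys on who, not only on what.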
HIDS agents can be self-contained, sending alarm information to the local console, or remotely managed by a manager/collector that receives periodic updates and security data. A host-based implementation that includes a centralized management platform makes it easier to upgrade the software. HIDSs are ideal when a limited number of critical systems need protection, and they complement network-based IDSs; however, they do not scale well when a company-wide solution is needed.

Network-based IDSs (NIDS)

Network-based IDSs monitor activity on a specific network segment. Unlike host-based agents, network-based systems are usually dedicated platforms with two components:
• A sensor, which passively analyzes network traffic
• A management system, which displays alarm information from the sensor and allows security personnel to configure the sensors

The LAN and Desktop

The desktop and LAN in small businesses contain desktops, file servers, and daily file backup systems and software. It is critical to protect these hosts and update them regularly with third-party software solutions such as antivirus scanners and patches. Because most of the resources of a small business may be contained on a single file server, it is especially important for servers to be accessible and available.
Figure 4 Recommended Security Solution Blueprint, 100-500 Users/Nodes
[Network diagram with the same labelled components as Figure 1: Internet access over DSL, cable, ISDN, or a dedicated or fractional T1 connection; a Cisco 2600 or 3700 with firewall, VPN, and Cisco IOS NIDS; a Cisco PIX 515 with PIX NIDS; a Cisco VPN 3005; a DMZ VLAN with a Web server with CSA (HIDS); Cisco ACS using RADIUS with CSA (HIDS); secure corporate servers with CSA (HIDS); Catalyst 2950, 3550-PWR, 3550, or 4500 switches with secure LAN features on Gigabit Ethernet; Cisco Aironet 1100/1200 access points with Aironet NICs; a branch office behind a Cisco 1700 or 2600 with firewall, VPN, and Cisco IOS NIDS over an IP WAN; and teleworker/remote access through broadband access modems with a Cisco PIX 501, a Cisco uBR925, 803, or 837 router, or a Cisco VPN 3002 hardware client. Desktops and laptops run CSA (HIDS), third-party anti-virus software, and a personal firewall.]

As companies grow in size, so does the number of desktop hosts in the network, making it a greater challenge to control access to company network resources. Midsize businesses may consider splitting the LAN into more manageable subnets. These subnets might be organized by department (such as marketing, finance, or manufacturing) or geographic location, and can give network administrators additional control over connection and access privileges. Organizations can also improve security on the LAN by implementing identity services within the switches and routers on the network, to help identify users and control what they are permitted to do on the network.
Examples of identity services authentication systems include the Cisco Secure Access Control Server (ACS), which can be supplemented with Cisco partner solutions such as Public Key Infrastructure (PKI) products.

The Cisco Solution—LAN Infrastructure

Part of the basic LAN infrastructure, Cisco Catalyst switches support a wide variety of identity services, such as Remote Authentication Dial-In User Service (RADIUS) or TACACS+ authentication, which enable centralized control of switch access and prevent unauthorized users from altering the configuration. These secure LAN features provide an excellent capability to further control access within a network. Smaller businesses may choose to deploy the fixed-configuration Cisco Catalyst 2950 Series switches, whereas larger organizations might opt for the Cisco Catalyst 3500 and 4000 Series switches, which offer additional flexibility and scalability.

Teleworking and Remote Access

As companies evolve, they typically need the ability to support a wider range of high-speed remote access technologies to help increase productivity or shift the way they do business. With a larger employee base or a greater geographic distribution, some companies may require a variety of connectivity options to support remote access for teleworkers and partners. For example, although DSL or cable may be the broadband technology of choice for a company, some of its remote teleworkers may have only ISDN available to them. Regardless of the technology, organizations must design a network that accounts for all access methods and ensures proper routing and access control. VPNs are an excellent method to support remote access, enabling users to securely connect to company resources over the public network by using the access method they choose.
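As an added example (not from the Cisco paper), here are the two RADIUS computations (RFC 2865) that tie the switch-to-ACS authentication mentioned in the LAN infrastructure section above to the shared secret: the client hides the User-Password attribute with an MD5 keystream derived from the secret and the Request Authenticator, and the server stamps its Access-Accept or Access-Reject with a Response Authenticator that the client can only verify if both sides hold the same secret. The secret, identifier, user name and password below are constructed for the example; the attribute and code numbers are the standard ones.

```python
"""Added example, not code from the Cisco paper: the two RADIUS (RFC 2865)
computations that make the switch-to-ACS exchange described above depend on
the shared secret. The client hides User-Password by XORing it with an MD5
keystream derived from the secret and the Request Authenticator, and the
server proves it holds the same secret by stamping its reply with a Response
Authenticator. Secret, identifier, user name and password are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length (the 16-byte authenticator follows)


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, then c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = RA."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side of the same transform (the keystream chains on the previous hidden block)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, username: bytes, password: bytes,
                         request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (packet, request_authenticator); the RA must be fresh and unpredictable."""
    ra = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + \
        attribute(ATTR_USER_PASSWORD, hide_password(secret, ra, password))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra


def response_authenticator(secret: bytes, code: int, ident: int,
                           request_auth: bytes, attrs: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth
                       + attrs + secret).digest()


def build_response(secret: bytes, code: int, ident: int, request_auth: bytes,
                   attrs: bytes = b"") -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) \
        + response_authenticator(secret, code, ident, request_auth, attrs) + attrs


def verify_response(secret: bytes, response: bytes, request_auth: bytes) -> bool:
    """Client side: a reply is only trusted if its authenticator matches under our secret."""
    code, ident, length = HEADER.unpack(response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(secret, code, ident, request_auth, response[20:length])
    return hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    secret = b"assumed-shared-secret"            # configured on both the switch and the ACS
    request, ra = build_access_request(secret, 7, b"jsmith", b"Winter2003!")
    hidden = request[20 + 2 + len(b"jsmith") + 2:]  # User-Password value after the User-Name attribute
    print(reveal_password(secret, ra, hidden))       # what the server recovers
    accept = build_response(secret, ACCESS_ACCEPT, 7, ra)
    print(verify_response(secret, accept, ra))       # genuine reply
    print(verify_response(b"wrong-secret", accept, ra))  # forged or mis-keyed reply is rejected
```

The practical consequence is that the only thing protecting the password on the wire, and the only thing binding the ACS reply to the request, is MD5 keyed with the shared secret: the secret must be long and random, it must differ per switch, and the RADIUS traffic should stay on a management VLAN, because a short secret lets anyone who sniffs the exchange recover the password offline.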
Remote access VPNs use dialup or broadband (DSL or cable) access to a service provider network to connect remote or mobile users to the company network. Extranet VPNs connect a company with its suppliers, customers, and other business partners, providing limited access to specific portions of the company network for collaboration and coordination.

When developing a VPN solution, companies should build a solution that provides all the security features needed to keep VPN traffic private and secure, including methods such as tunneling, encryption, packet authentication, firewalls, and user identification. Tunneling is the feature that allows all other security and transmission quality measures to be imposed on the Internet environment. In a VPN, encryption is applied to a tunneled connection to scramble the data, rendering it indecipherable to unauthorized viewers. A selected VPN solution should support key tunneling protocols such as IPSec, Layer 2 Tunneling Protocol (L2TP), and generic routing encapsulation (GRE).

The remote access model for small businesses may include users with existing broadband connections at home, combined with a VPN software client to gain secure access to the company network. The disadvantage of this model is that the host is protected only while connected with the VPN software client. Improvements can be made on this model by adding a DSL router with an integrated firewall on the client side, which provides the wide array of protection features outlined previously. In offices with multiple users, the router can also act as a VPN client, providing secure remote access for all hosts behind it and thereby eliminating the need for each host to launch a software client. Larger companies may wish to deploy a VPN concentrator or server behind an Internet router. These devices can then be reached and connected to by VPN software or hardware clients on computers, small office routers, or firewall appliances.
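A minimal RADIUS Access-Request/Access-Accept exchange, as an added Python example that is not part of this guide, for the centralized RADIUS authentication the LAN infrastructure section describes (the same exchange carries 802.1X/EAP results between an access point and a server such as Cisco ACS). It shows the two places the NAS-to-server shared secret protects the exchange: hiding the User-Password in the request and authenticating the server's reply, so a reply whose code was altered in transit is rejected by the switch or access point. The shared secret, user database, addresses, and the toy server are constructed; the packet layout follows RFC 2865.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4   # RFC 2865 attribute types

def _attr(atype, value):
    # Type-Length-Value; Length counts the 2-byte header (value <= 253 bytes)
    return struct.pack("!BB", atype, len(value) + 2) + value

def _password_blocks(data, secret, request_auth, hiding):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out

def hide_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to 16-byte multiple
    return _password_blocks(padded, secret, request_auth, True)

def reveal_password(hidden, secret, request_auth):
    # Inverse of hide_password; what the server does to check the credentials.
    return _password_blocks(hidden, secret, request_auth, False).rstrip(b"\x00")

def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return hdr + request_auth + attrs, request_auth

def _response_auth(code, ident, attrs, request_auth, secret):
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()

def parse_attrs(data):
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs

def server_handle(request, secret, user_db):
    # Toy authentication server (stands in for ACS): unhide the password and compare.
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a valid Access-Request")
    request_auth, attrs = request[4:20], parse_attrs(request[20:])
    pw = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = hmac.compare_digest(user_db.get(attrs[ATTR_USER_NAME], b"?"), pw)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + _response_auth(code, ident, b"", request_auth, secret)

def verify_response(packet, ident, request_auth, secret):
    # The NAS (switch or access point) recomputes the Response Authenticator and matches the ID.
    if len(packet) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    expected = _response_auth(code, rid, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

def demo(secret=b"constructed-shared-secret"):
    users = {b"netadmin": b"correct horse"}          # constructed user database
    req, ra = build_access_request(7, secret, b"netadmin", b"correct horse", "192.0.2.10")
    reply = server_handle(req, secret, users)
    # A wrong password draws Access-Reject; a reply whose code is changed in transit fails at the NAS.
    bad, bad_ra = build_access_request(8, secret, b"netadmin", b"wrong", "192.0.2.10")
    reject = server_handle(bad, secret, users)
    altered = bytes([ACCESS_ACCEPT]) + reject[1:]
    return reply[0], verify_response(reply, 7, ra, secret), reject[0], verify_response(altered, 8, bad_ra, secret)
```

Calling demo() returns (2, True, 3, False): the genuine Access-Accept verifies, and the Access-Reject with its code rewritten does not.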
The Cisco Solution—Remote Access

Teleworkers who need to access the company network may consider a Cisco SOHO or Cisco 800 Series Router with both firewall and VPN capabilities. Cisco PIX firewalls can also provide both firewall protection and VPN access at small offices. For midsize and larger companies, Cisco VPN 3000 Series concentrators create a scalable platform that combines high availability and powerful performance with advanced encryption and authentication techniques. Their flexible design lets businesses add user connections, increase throughput, and support additional users as the organization grows. VPN routers, such as Cisco 7100 Series VPN routers, can also act as VPN headend termination devices at a central location for larger organizations. The Cisco VPN Client (included with the Cisco VPN Concentrator) is software that resides on employee laptop or desktop computers and is used to establish secure, end-to-end encrypted tunnels. The Cisco VPN 3002 Hardware Client offers additional performance and ease of use.

The Wireless LAN and Desktop

Growing companies often consider deploying a WLAN based on IEEE 802.11 standards to support mobile workers and facilitate network moves, adds, and changes. WLANs can often be deployed more rapidly than wired LANs, and their inherent flexibility helps businesses overcome the limitations of older buildings, leased spaces, or temporary work areas. Because overall network security is only as strong as its weakest link, network managers need assurance that WLANs will provide the same level of access control and data privacy as wired LANs. In contrast to a wired LAN, in which access is controlled by physical access to an Ethernet port, wireless LANs broadcast data using radio waves between the two basic components of a WLAN: the access point and the client adapter.
Any wireless LAN device in the area can receive these radio signals. To mitigate threats to a WLAN, network managers need to turn on their WLAN security features and look at installing an enhanced WLAN security solution.

The two major components of WLAN security are authentication and encryption. Authentication ensures that the user and the access point are who they say they are. Encryption is the method of ensuring that the data remains uncorrupted throughout the sending and receiving transmission process. Traditional WLAN security includes the use of service set identifiers (SSIDs), open or shared-key authentication, static Wired Equivalent Privacy (WEP) keys, and optional Media Access Control (MAC) authentication. This combination offers a basic level of access control and privacy, but each element can be compromised.

A more secure solution is the IEEE 802.1X standard for authentication on wired and wireless networks. This standard provides WLANs with strong, mutual authentication between a client and an authentication server. 802.1X provides dynamic per-user, per-session WEP keys, removing the administrative and security issues associated with static WEP keys. Several 802.1X authentication types exist, each providing a different approach to authentication while relying on the same framework and the Extensible Authentication Protocol (EAP) for communication between a client and a wireless access point. With 802.1X authentication, the credentials used for authentication, such as a log-on password, are never transmitted in the clear (without encryption) over the wireless medium.

Two encryption options are currently used for WLANs. The first option is standard 802.11 WEP, which uses the RC4 algorithm and has known vulnerabilities.
The second option includes enhancements to the 802.11b WEP standard and falls under the umbrella of the Temporal Key Integrity Protocol (TKIP). TKIP contains several key enhancements to RC4-based WEP: key hashing, or per-packet keying, and a message integrity check (MIC). This second option also includes the use of broadcast key rotation to mitigate WLAN susceptibility to network attacks.

Figure 5: Recommended Security Solution Blueprint, Remote Access. (Diagram; panels: 100 Users or Fewer, 100 to 500 Users, and 500 Users or More, each reaching the Internet through DSL or cable broadband access modems. Access options shown: software access with the Cisco VPN Client on desktops/laptops with CSA (HIDS), third-party anti-virus software, and personal firewall; hardware-based VPN client (Cisco VPN 3002) behind a remote-site router; hardware-based remote-site firewall and VPN (Cisco 831 router with firewall, VPN, and Cisco IOS NIDS; Cisco PIX 501 with firewall, VPN, and PIX NIDS; Cisco uBR925, 803, or 837 router with firewall, VPN, and Cisco IOS NIDS); Cisco 7910 IP Phone; desktops/laptops with CSA (HIDS) and third-party anti-virus software.)

The Cisco Solution—Wireless LANs

For organizations that are deploying WLANs, Cisco Aironet® products include standards-based 802.11a and 802.11b access points and client devices for small and midsize businesses. The Cisco Wireless Security Suite, included with Cisco Aironet products, provides robust WLAN security services that closely parallel the security available in a wired LAN.
The Cisco Wireless Security Suite takes advantage of the EAP framework for user-based authentication to support all 802.1X authentication types, including Lightweight EAP (LEAP), EAP-Transport Layer Security (EAP-TLS), and types that operate over EAP-TLS, such as Protected EAP (PEAP) and EAP-Tunneled TLS (EAP-TTLS). The Cisco Wireless Security Suite also provides support for the several enhancements to WEP keys discussed previously.

Management of a Secure Network

After companies develop their security policy and implement firewall, intrusion detection, virus detection, and other perimeter security technology, they must then address management of their security environment. Acquiring and implementing the technology for perimeter security is only the start of securing the network perimeter. To provide effective protection, these technologies must be correctly installed, configured, maintained, and monitored.

As business requirements, technology, and potential threats evolve, businesses should update firewall policy, virus detection, and intrusion detection to reflect these changes. Security technologies need periodic maintenance with patches and updates. Perimeter security technology must also be monitored to ensure that potential problems are identified and addressed with minimal delay. According to research from Gartner Dataquest, in most companies the staff responsible for IT security is also responsible for many other activities, and spends most of its time on non-security projects. When the tools are in place, many companies find that monitoring and managing the infrastructure stretches staff availability and expertise. In resource-constrained businesses, this added responsibility is often too taxing.
Assessing the potential impact of changes to firewall policy requires continuous education on threats and vulnerabilities, as well as expertise in firewall configuration to implement changes. Extending monitoring and management coverage with beepers and “on calls” often results in spotty coverage, harms staff morale, and impacts key employee retention. At the same time, help-desk staff may lack the expertise to identify and address, or call attention to, potentially serious events. The overall result is a degradation of a company’s security level over time. To help meet necessary security requirements, businesses may consider adding security resources to their current staff or prioritizing security as an area of importance for their business, by continuing to educate all employees on security issues and vulnerabilities.

For these reasons, businesses choose to outsource management and monitoring of perimeter network security technology to a managed security service provider (MSSP) to cost-effectively ensure security. The value of MSSPs is clear: they can improve an organization’s security level via 24 x 7 monitoring with security experts, and help growing businesses manage costs by taking advantage of technology and expertise across a large number of devices. Managed security services include management and monitoring of firewalls and intrusion detection sensors. These management services include hardware repair and maintenance, periodic system software updates or patches, and implementation of policy changes.

The Cisco Solution—Management

Management of a network, large or small, is critical for any system administrator supporting a business. Good management tools can dramatically aid this requirement by allowing a single person to view and control the activity of the network at any time.
The CiscoWorks Small Network Management Solution (SNMS) was designed for small and midsize business networks; it provides a powerful set of life-cycle functionality, including configuration management and troubleshooting tools for Cisco devices.

The Branch Office

The second layer is based on a completely independent and autonomous design for the branch office of a larger company with its own local servers and user stations. When configured as a branch, the small network design architecture can serve sites with 100 or fewer users. All the components and design guide principles outlined in the small network design section are directly applicable in this layer. However, some considerations for WAN connectivity to the headquarters layer need to be accounted for.

Businesses can choose from two options: private WAN links and IPSec VPN. Private WANs include a more granular level of quality-of-service (QoS) support, multicast support, reliability of the network infrastructure, and the support of non-IP traffic. Alternatively, IPSec VPN over the public Internet can provide local Internet access for all remote sites, saving bandwidth costs at the headquarters layer as well as providing significant cost savings over private WAN links.

Conclusion

As the risks and challenges related to business networks grow, organizations should take a systematic and multitiered approach to planning and deploying secure network infrastructures. When developing their network architecture, small and midsize businesses should carefully evaluate each area of the network, determine potential threats, and implement appropriate security measures. Channel partners can add tremendous value to small and midsize businesses, which may lack the staff expertise of large enterprises.
The SAFE Blueprint from Cisco for network security offers a defense-in-depth, modular approach to security that can evolve and change to meet the needs of businesses. The SAFE Blueprint from Cisco encompasses every aspect of the data infrastructure, from the desktop to WLANs, to the network perimeter, to remote user sites, and all areas in between. For more information on the SAFE Blueprint from Cisco, visit http://www.cisco.com/go/SAFE.

Small and midsize businesses can also benefit by taking advantage of service providers to manage their networks, freeing them to focus on their core business issues. Service providers are also useful in helping organizations maintain network resiliency and provide complete protection from a catastrophic event. By developing an appropriate security policy, backed by industry-leading Cisco solutions, companies can move forward confidently to deploy their network solutions and enjoy the benefits that the Internet has to offer.

Appendix A: Product List

The following products discussed in this guide can be part of an end-to-end Cisco network infrastructure.

• Cisco Aironet 1200 Series access points—Dual-mode 802.11a- and 802.11b-compliant wireless access points that deliver enterprise-class security, manageability, upgradeability, and reliability to create high-performance wireless LANs.
• Cisco PIX 500 Firewall Series (Cisco PIX 501, 506E, 515E, and 525)—A firewall platform that cost-effectively provides easy-to-deploy, robust, business-class security services including stateful packet inspection (SPI) firewalling, standards-based IP Security (IPSec) virtual private networking (VPN), intrusion protection, and much more.
• Cisco SOHO 90 Series secure broadband routers—Suitable for small offices with up to five users, the Cisco SOHO 90 Series routers provide affordable, secure Internet connectivity with the integrated security features of Cisco IOS software.
• Denial of service—Denial of service, perhaps the most widely publicized form of attack, can be initiated using programs that are available for downloading on the Internet. These attacks focus on making a service unavailable for normal use, often by exhausting a resource on the network, operating system, or application.
• Cisco 800 Series access routers—A series of fixed-configuration routers tailored for small offices and telecommuters that connect these users to the Internet or to a corporate LAN via ISDN, serial connections (Frame Relay, leased lines, X.25, or asynchronous dialup), DSL (asymmetric DSL [ADSL], ADSL over ISDN, G.SHDSL), or dual Ethernet.
• Cisco uBR 925 Series cable access routers—A fully integrated Cisco IOS® Software router and Data over Cable Service Interface (DOCSIS) 1.1 standards-based cable modem for cable service providers deploying feature-rich broadband cable access to commercial markets.
• Cisco 1700 Series access routers—A cost-effective integrated e-business platform for small and midsize businesses and enterprise small branch offices that provides flexibility and manageability to meet demanding and evolving e-business requirements.
• Cisco 2600 Series Router—A modular access router that delivers enterprise-class versatility, integration, and power.
• Cisco 3700 Series Multiservice Access Router—A multifunction platform that combines dial access, routing, and LAN-to-LAN services and multiservice integration of voice, video, and data in the same device.
• Cisco Catalyst 2950 Series Intelligent Ethernet Switch—A line of affordable, fixed-configuration, stackable, and standalone devices that provide wire-speed Fast Ethernet and Gigabit Ethernet connectivity.
• Cisco Catalyst 3500 Series Switch—A scalable line of stackable 10/100 and Gigabit Ethernet switches that deliver premium performance suited to integrated voice, video, and data, along with manageability, flexibility, and unparalleled investment protection.
• Cisco Catalyst 4000 Series Switch—A product line of modular, high-density, cost-effective switches that offer switched 10/100 and Gigabit Ethernet in the LAN, packet telephony, content networking, security, quality of service, and integrated WAN access functionality.
• Cisco VPN 3000 Series—A product line of purpose-built remote access VPN platforms and client software that incorporates high availability, high performance, and scalability with the most advanced encryption and authentication techniques available.
• Cisco Intrusion Detection System (IDS)—A comprehensive, pervasive security solution for combating unauthorized intrusions and malicious Internet worms, along with bandwidth and e-business application attacks.
• Cisco CallManager—A software application that extends telephony features and functions to packet telephony network devices.
• Cisco 7900 Series IP telephones—Standards-based communication appliances that can interoperate with IP telephony systems using Cisco CallManager technology or Session Initiation Protocol (SIP).
• Cisco Access Control Server (ACS)—A scalable, centralized user access control framework that offers centralized control for all user authentication, authorization, and accounting, including Cisco Extensible Authentication Protocol (EAP), from a Web-based graphical interface, and distributes those controls to hundreds or thousands of access gateways in a network.
• CiscoWorks Small Network Management Solution (SNMS)—A new Web-based network management solution that provides small to midsize businesses a powerful set of life-cycle functionality, including configuration management and troubleshooting tools for Cisco and other network devices.
Appendix B: Deployment and Support Services

Advanced Service

Cisco Total Implementation Solutions (TIS) offers a full range of implementation solutions, including project management; project engineering, configuration, staging, and rollout coordination; and assurance of correct installation and deployment. For more information on Cisco Total Implementation Solutions, visit http://www.cisco.com/en/US/products/svcs/ps11/ps2902/ps3061/serv_home.html.

Cisco Secure Consulting Services

Cisco Secure Consulting Services brings together a team of consultants drawn primarily from military and government, such as the Air Force Information Warfare Center and the Central Intelligence Agency. Cisco Secure Consulting Services consultants are not just experts in security vulnerabilities and countermeasures; they understand the sensitivity of handling confidential corporate data. Cisco Secure Consulting Services provides two types of services for these companies: a Security Posture Assessment (SPA) and an Incident Control and Recovery (ICR) program. For more information, see http://www.cisco.com/warp/public/cc/serv/mkt/sup/advsv/pavsup/sposass/index.shtml.

Technology and Service Specialized Partners

Technology specializations provide partners with training that covers presales, basic deployment, and postsales operational support. Partners become familiar with specific Cisco products relevant to the technology and focus on a minimum foundation of skills that partners need to define, deploy, and support the specific Cisco solution.

Cisco Direct and Partner Enabling Services

Cisco Technical Support Services SMARTnet support augments the resources of your operations staff by providing them with access to a wealth of expertise, both online and via telephone, including the ability to refresh their system software at will, and a range of hardware Advance Replacement options. Cisco SMARTnet Onsite provides all services and complements the hardware Advance Replacement feature by adding the services of a field engineer, a feature that can be critical for those locations where staffing is insufficient or unavailable to perform parts replacement activities. For more information on Cisco SMARTnet support, visit http://www.cisco.com/en/US/products/svcs/ps3034/ps2827/ps2978/serv_home.html.

Cisco Systems has more than 200 offices worldwide; addresses, phone numbers, and fax numbers are listed on the Cisco Web site at www.cisco.com/go/offices.

Catalyst, Cisco, Cisco Systems, Cisco IOS, the Cisco Systems logo, Cisco Unity, and EtherSwitch are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R) 203101/ETMG 06/03