Cisco Security Architectures: Part 1


Cisco Security Architectures

Contents

Preface
Chapter 1: Introduction
Chapter 2: The TCP/IP Protocol Suite
Chapter 3: The Internet Protocol
Chapter 4: TCP and UDP
Chapter 5: NetWare
Chapter 6: Router Hardware and Software Overview
Chapter 7: Cisco Router Access Lists
Chapter 8: Advanced Cisco Router Security Features
Chapter 9: Non-IP Access Lists
Chapter 10: The Cisco PIX
Appendix A: Determining Wildcard Mask Ranges
Appendix B: Creating Access Lists
Appendix C: Standard Access Lists
Appendix D: Extended IP Access Lists
Appendix E: Glossary
Appendix F: Acronyms and Abbreviations

Gilbert Held
Kent Hundley

Copyright © 1999 by The McGraw-Hill Companies, Inc. All Rights Reserved. Printed in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

1 2 3 4 5 6 7 8 9 0 AGM/AGM 9 0 4 3 2 1 0 9

ISBN: 0-07-134708-9

The sponsoring editor for this book was Steven Elliot, and the production supervisor was Clare Stanley. It was set by D&G Limited, LLC. Printed and bound by Quebecor/Martinsburg.

Throughout this book, trademarked names are used. Rather than put a trademark symbol after every occurrence of a trademarked name, we used the names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

Information contained in this work has been obtained by The McGraw-Hill Companies, Inc. ("McGraw-Hill") from sources believed to be reliable.
However, neither McGraw-Hill nor its authors guarantees the accuracy or completeness of any information published herein, and neither McGraw-Hill nor its authors shall be responsible for any errors, omissions, or damages arising out of use of this information. This work is published with the understanding that McGraw-Hill and its authors are supplying information but are not attempting to render engineering or other professional services. If such services are required, the assistance of an appropriate professional should be sought.

Preface

Overview

In the past, the strength of countries and organizations was measured in terms of production, with tons of steel, barrels of oil, and similar metrics used to gauge their place among contemporaries. Today, the strength of countries and organizations depends far more upon their capacity to transfer information. That information can range in scope from satellite images of terrorists' base camps in a village in Afghanistan, used by countries to wage retaliatory strikes, to the flow of financial information between organizations and the use of ATMs by consumers. If this information flow is disrupted or altered, the effect on countries, organizations, and individuals can be severe or even disastrous. Just imagine if a person could intercept the flow of financial information and reroute funds into an account in Switzerland or the Bahamas. Depending on whose account was diverted, countries, businesses, or individuals might become candidates for national or Chapter 11 bankruptcy.

The key to securing networks lies in the use of appropriate equipment and in policies that govern the use of that equipment. When we talk about securing computer networks, including Internet access, most people rightfully think of Cisco Systems, because that company provides approximately 80 percent of the routers used to connect organizational networks to the Internet.
Thus, the focus of this book reflects its title and deals with Cisco Systems equipment, covering in detail the operation and use of that company's routers and firewalls. While the only network that is completely secure is one that is truly isolated and locked away in a laboratory or closet, the information in this book was written to give you a solid foundation in the tools and techniques you can use to secure your Cisco Systems-based network. By obtaining a detailed understanding of how to correctly configure access lists, as well as how to enable the different firewall functions, you can avoid many of the common mistakes that leave a network vulnerable. When appropriate, we include real-life examples drawn from several decades of collective consulting experience. To avoid embarrassing previous and current clients, we use pseudonyms to hide the guilty. Because security is a learning process, you should note the errors and omissions, as well as the techniques, that can result in potential security problems, so that such errors and omissions are avoided. Thus, by focusing on how to correctly configure equipment, we provide the information necessary to minimize the vulnerability of your organization's network. While nobody can guarantee a perfectly secure network, the information in this book should help you obtain the foundation needed to minimize potential network vulnerabilities.

As professional authors, we highly value reader feedback. If you wish to share your thoughts concerning the scope and depth of topics covered in this book, or if there are areas you would like to see covered in a future edition, you can contact us either through our publisher or directly via email.

Gilbert Held
Macon, GA
235-8068@mcimail.com

Kent Hundley
Stanford, KY
kent_hundley@ins.com

Acknowledgments

Although you might not realize it, a book, like many sports, represents a team effort.
Without the effort of an acquisitions editor with the knowledge and foresight to back a proposal, it would be difficult, if not impossible, to have a manuscript published. It is always a pleasure to work with a knowledgeable acquisitions editor, and Steve Elliot is no exception. Thus, we would be remiss if we did not thank Steve for backing this writing project.

As an old-fashioned author who spends a significant amount of time traveling to various international locations, Gil Held long ago recognized that the variety of electrical receptacles made pen and paper far more reliable than a notebook computer that was difficult to recharge. Converting his writings and drawings into a professional manuscript is a difficult assignment, especially when balanced against family obligations. Once again, Gil is indebted to Mrs. Linda Hayes for her fine effort in preparing the manuscript that resulted in the book you are reading.

Writing is a time-consuming effort, requiring many weekends and evenings that would normally be spent with family. Thus, last but not least, we truly appreciate the support and understanding of our families and friends as we wrote this book, checked galley pages, and verified the techniques presented here. Kent would like to extend a special thanks to his wife, Lori, for her support during the months of effort that have culminated in this work.

About the Authors

Gil Held is an award-winning lecturer and author. He is the author of over 40 books covering computer and communications technology. A member of the adjunct faculty at Georgia College and State University, Gil teaches courses in LAN performance and was selected to represent the United States at technical conferences in Moscow and Jerusalem.

Kent Hundley (CCNA) is a Senior Network Consultant for International Network Services, a global provider of network integration and management services. He specializes in Cisco-centric security issues for Fortune 500 companies.
Chapter 1: Introduction

Overview

In the preface to this book, we noted that the strength of countries, organizations, and individuals in a modern society depends to a great extent upon the flow of information. That information must be transported from source to destination in a reliable manner, such that the receiver can be assured of the identity of the originator and of the fact that the received data was not altered. In addition, some types of information must be kept from being read by other parties. Thus, at a minimum, the transmission of information raises several security-related issues, including authentication and encryption.

When constructing data networks, authentication and encryption might represent only a portion of the security features and techniques you should consider. To gain an appreciation for the variety of such features and techniques, let's first examine the need for security, along with some of the potential threats that create the requirement for security-related equipment to protect the modern organizational network.

The Need for Security

Figure 1-1 illustrates an example of a corporate network that is connected to the Internet. Although many people might be tempted to consider security equipment a necessity only for protecting the computers on the private network from people who can access the Internet, that is not the only network boundary that requires a degree of protection. The private network, regardless of its structure, might also require one or more security devices, techniques, and policies to protect equipment on that network from inadvertent or intentional employee actions. Thus, in this section, we will examine the need for security from both external and internal threats.
Figure 1-1: Public network threats

Public Network Threats

In this section, we consider public network threats: potential or actual threats that originate on a public network and are directed at an organization's private network, which is itself connected to that public network. Because the Internet literally represents a network of interconnected networks without a boundary, the organizational network becomes accessible to the tens of millions of people who now use the Internet. Without a method to control access to the segments shown behind the organizational router, each workstation and server operated by the organization becomes vulnerable to intentional, malicious actions that could emanate from anywhere on the globe. Such malicious actions could include an attempted break-in to a server, or the transmission of e-mail to a workstation user with an executable virus either embedded in the message as a macro or added as a file attachment.

A second area of concern with respect to the network configuration illustrated in Figure 1-1 involves two items: the transmission line that connects the organizational router to the Internet Service Provider (ISP) router, and the ISP's connection to the Internet. Once data traffic leaves the premises of the organization, ensuring that the transmission is neither read nor modified becomes more difficult. Within the premises, physical security in the form of building passes and employee recognition can prevent a person from gaining access to a wire closet and using a protocol analyzer to record traffic. Once data flows beyond the physical span of control of the organization, however, that organization must rely upon authentication and encryption to verify the originator of a message and to ensure that its contents are not disclosed.
Another problem area that deserves attention when connecting to a public network such as the Internet involves a series of activities that are commonly referred to collectively as denial-of-service attacks. In its simplest form, one or more malicious individuals write a program that randomly selects source addresses for use in connection requests transmitted to one or more of your organizational servers. When such a program transmits a continuous stream of service requests, your servers do what they are programmed to do: respond. Because each response is transmitted to a non-existent address, it is never answered, and the server keeps the half-open session a bit longer than normal, until a timer expires. (The classic example is a TCP SYN flood, in which the server's reply to each spoofed connection request is never acknowledged.) The volume of service requests and the prolonged session time cumulatively consume all of the server's resources, in effect denying service to legitimate users.

Without having to write specialized software, the possibility exists for people to easily overload an organization's public network connection. For example, assume your organization has one or more FTP servers and supports anonymous FTP access. A person, either inadvertently or intentionally, could access the FTP server and enter the command MGET *.*, causing all the files in the directory to be transferred. If your FTP server has a few gigabytes of files and a 56 Kbps connection to the Internet, one MGET command will saturate your Internet connection, perhaps interfering with customers attempting to obtain pricing or place orders on your organizational Web servers. Thus, there are a number of factors you must consider when connecting a private network to the Internet.

Now that we have an appreciation for some of the threats to a private network via a public network, let's turn our attention to private network threats.

Private Network Threats

In this section, we will examine some actual and potential threats to a private network that emanate from within that private network.
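Before continuing with private network threats, here is an added model of the spoofed-source flood described in the preceding section. It is example code written for this page, not code from the book; the table size, timer value, request rates and addresses are assumed values. The server's pending-connection table is simulated tick by tick: each spoofed request occupies a slot until the server's timer expires, while a legitimate request completes and frees its slot on the next tick. The model shows that the attacker only needs a request rate that, multiplied by the timeout, exceeds the table size, and that a shorter timer raises that threshold.

```python
"""Discrete-time model of a server's pending-connection table under a flood
of requests carrying random (spoofed) source addresses.

Added example, not from the book.  The capacity, timeout, rates and
addresses below are assumed.  Time is measured in abstract ticks.
"""
import heapq
import random


class PendingTable:
    """Connections the server has answered but that have not yet completed."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity   # slots reserved for unfinished handshakes
        self.timeout = timeout     # ticks before an unanswered reply is abandoned
        self._pending = []         # min-heap of (expiry_tick, source_address)

    def expire(self, now):
        """Drop every entry whose timer has run out."""
        while self._pending and self._pending[0][0] <= now:
            heapq.heappop(self._pending)

    def request(self, now, source, completes_in=None):
        """Admit one connection request; return False when no slot is free.

        A legitimate client answers the server's reply, so its slot is freed
        after completes_in ticks.  A spoofed request is never answered, so
        its slot is held for the full timeout.
        """
        self.expire(now)
        if len(self._pending) >= self.capacity:
            return False
        hold = self.timeout if completes_in is None else completes_in
        heapq.heappush(self._pending, (now + hold, source))
        return True

    def __len__(self):
        return len(self._pending)


def random_source(rng):
    """A random, almost certainly unreachable, source address (constructed)."""
    return "%d.%d.%d.%d" % (rng.randrange(1, 224), rng.randrange(256),
                            rng.randrange(256), rng.randrange(1, 255))


def simulate(attack_rate, capacity, timeout, legit_rate=5, duration=200, seed=1):
    """Run the flood for `duration` ticks.

    attack_rate and legit_rate are requests per tick.  Returns the number of
    legitimate requests refused and the peak number of pending entries.
    """
    rng = random.Random(seed)
    table = PendingTable(capacity, timeout)
    refused = 0
    peak = 0
    for tick in range(duration):
        for _ in range(attack_rate):
            # the reply goes to a non-existent host; the slot is held until the timer expires
            table.request(tick, random_source(rng))
        for _ in range(legit_rate):
            # a real client (assumed address) completes the handshake on the next tick
            if not table.request(tick, "10.1.1.25", completes_in=1):
                refused += 1
        peak = max(peak, len(table))
    return {"legit_refused": refused, "peak_pending": peak}


if __name__ == "__main__":
    # 10 spoofed requests per tick held for 30 ticks need 300 slots: a 128-slot table fills
    print("flood, 30-tick timer:", simulate(10, capacity=128, timeout=30))
    # the same flood against a 5-tick timer needs only about 50 slots
    print("flood, 5-tick timer: ", simulate(10, capacity=128, timeout=5))
    # a slower flood (2 per tick for 30 ticks = 60 slots) also stays below capacity
    print("slow flood:          ", simulate(2, capacity=128, timeout=30))
```

The number of slots the flood holds in steady state is roughly the attack rate multiplied by the timeout, because legitimate clients free their slot almost immediately. In the first run the table is exhausted from the thirteenth tick onward and every legitimate request after that is refused; in the second run the same request rate never holds more than 55 entries. Shortening the timer or enlarging the table only moves the threshold, it does not remove it.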
In doing so, we will again reference the network structure shown in Figure 1-1, focusing our attention on the two segments behind the organizational router. If we assume the private network was segmented to separate accounting and personnel operations from other organizational functions, then one or more servers on one segment are more than likely intended to support only the users on that segment. A curious or malicious employee could nonetheless attempt to access the accounting or personnel server, perhaps to increase a payment to a friend, change the pay grade of an employee, or perform some other questionable activity. The router is the first line of defense against user access from one segment to the other, but unless an access list is configured, data flows freely between the segments. Even with an access list in place, a disgruntled employee could use another station, whose address is permitted by the access list, to reach the other segment. Or, with a degree of technical knowledge, the employee could attempt to gain access to the router's command port and alter the access list.

Assuming a disgruntled employee can reach the other segment, it is a relatively simple task to run through the contents of an electronic dictionary in an attempt to gain access to an account on a server. In fact, as we will note later in this book, routers do not examine the contents of a packet's information field (its payload). This means that once a server is reachable, whether from the public network or from the private network, the router cannot distinguish a series of client-server requests and responses from a series of repeated logon attempts. Thus, by itself, a router provides a limited degree of security, which many organizations supplement through the use of a firewall, an authentication server, and virus-scanning software.
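As an added example, not from the book, the following Python detector shows what the router in the paragraph above cannot see. It reads a constructed server logon log in an assumed format and flags any source address that fails a threshold of logons within a sliding time window, and it records whether a successful logon followed the burst, which is the signature of a dictionary run that found a valid password. The hostname, account names, addresses and log format are invented for the illustration.

```python
"""Detect repeated logon attempts in a server's authentication log.

Added example, not from the book.  The log format is assumed for the
illustration and SAMPLE_LOG is constructed, not captured from a real host.
A router forwarding these sessions sees only addresses and ports; the
pattern below is visible only where the logon itself is recorded.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a station on the permitted segment walks a password
# list against "admin" and finally gets in; a second user mistypes once.
SAMPLE_LOG = """\
1999-06-01 09:00:01 payroll login: FAILED LOGIN for admin from 172.16.2.40
1999-06-01 09:00:04 payroll login: FAILED LOGIN for admin from 172.16.2.40
1999-06-01 09:00:07 payroll login: FAILED LOGIN for admin from 172.16.2.40
1999-06-01 09:00:10 payroll login: FAILED LOGIN for admin from 172.16.2.40
1999-06-01 09:00:13 payroll login: FAILED LOGIN for admin from 172.16.2.40
1999-06-01 09:00:16 payroll login: FAILED LOGIN for admin from 172.16.2.40
1999-06-01 09:00:19 payroll login: ACCEPTED LOGIN for admin from 172.16.2.40
1999-06-01 09:05:00 payroll login: FAILED LOGIN for jsmith from 172.16.1.12
1999-06-01 09:05:20 payroll login: ACCEPTED LOGIN for jsmith from 172.16.1.12
1999-06-01 09:40:00 payroll login: FAILED LOGIN for jsmith from 172.16.1.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ login: "
    r"(?P<outcome>FAILED|ACCEPTED) LOGIN for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, outcome, user, source) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unrelated or malformed line: skip rather than crash
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group("outcome"), m.group("user"), m.group("src")


def find_repeated_logons(text, threshold=5, window_seconds=60):
    """Flag sources with at least `threshold` failures inside one sliding window.

    Returns {source: {"failures": n, "users": [...], "followed_by_success": bool}}
    where n is the largest number of failures seen inside any one window and
    "users" lists every account the source tried.
    """
    recent = defaultdict(deque)   # source -> timestamps of failures still in the window
    tried = defaultdict(set)      # source -> accounts attempted
    alerts = {}
    for ts, outcome, user, src in parse_log(text):
        if outcome == "FAILED":
            q = recent[src]
            q.append(ts)
            tried[src].add(user)
            # slide the window: drop failures older than window_seconds
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(
                    src, {"failures": 0, "users": [], "followed_by_success": False})
                entry["failures"] = max(entry["failures"], len(q))
                entry["users"] = sorted(tried[src])
        elif outcome == "ACCEPTED" and src in alerts:
            # a success after a burst of failures means the dictionary run worked
            alerts[src]["followed_by_success"] = True
    return alerts


if __name__ == "__main__":
    for src, info in find_repeated_logons(SAMPLE_LOG).items():
        print(src, info)
```

With the defaults, 172.16.2.40 is reported with six failures and a following success, while 172.16.1.12 is not reported because its two failures are 35 minutes apart. The threshold and window are tuning knobs: a lower threshold catches slower runs at the cost of more false alarms from users who simply mistype.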
Concerning virus-scanning software, monitoring the use of telephone lines and the corporate Internet connection to prevent employees from inadvertently downloading a file containing a virus is difficult, if not impossible. In addition, many malicious people develop virus-based macros and executable