is impossible for ideas to compete in the marketplace if no forum for
CISCO THREAT DEFENSE SYSTEM GUIDE
Contributed by Cisco Systems, Inc.
The network today is a critical business asset. It not only allows the smooth running of business applications, it also enables the easy delivery of data, voice, and video. As a result, companies are increasingly concerned with keeping their network running and applications online while protecting one of their most critical assets — their information. In order to protect your business, you need to protect your network.
In recent years, not only has the number of network and computer attacks been on the rise, but also the level of complexity and sophistication with which they strike. The most commonplace and perhaps most damaging of these attacks are called “worms.”
Worms are malicious programs written to exploit vulnerabilities within an operating system or environment. The infected host becomes crippled and from there the worm gains access to other systems, leaving behind a trail of other crippled — and many times altogether inoperable — hosts. The worm travels rapidly, affecting all neighboring systems of the initially infected host.
Examples of destructive worms include NIMDA, Code
Red, SQL Slammer, Blaster Worm, and the MyDoom virus (refer to
How Worms Propagate
Throughout the Network
Cisco Systems® understands these challenges that its customers face and empowers them to safely engage in business by providing best-in-class security solutions. Instead of just providing point products that set only a base level of security, Cisco® meets all the requirements needed to protect your network by embedding security throughout the network and integrating security services in all its products. As a result, Cisco customers enjoy greater security as a transparent, scalable, and manageable aspect of their business infrastructure.
The Cisco Threat Defense System (TDS)
The system provides:
The Cisco Threat Defense System comprises layers of protection throughout the network. The first line of defense against attacks is controlling the levels of access to your network. Firewalls such as the Cisco PIX® Firewall Security Appliance, the Cisco Firewall Services Module for the Cisco Catalyst® 6500, and Cisco IOS® Software Advanced Security should be employed to keep out unwanted traffic.
Network-based intrusion detection products such as the Cisco IDS 4200 Series Intrusion Detection System sensors, Cisco Catalyst 6500 Intrusion Detection System (IDSM)-2 Services Module, and the Cisco IDS Module for Cisco access routers help survey activity across your network. They monitor for any unusual or unexpected activity. In addition, Cisco also has built intelligence in products you may already have in your network. These key security features are found in the Cisco Catalyst switch series, content engines, and Cisco IOS Software-based routers.
Most importantly, to help protect your system at the host level, Cisco offers an endpoint protection product, Cisco Security Agent. Cisco Security Agent protects against worm attacks on both server and desktop systems, and because of its anomaly-based intelligence, it protects against future unknown attacks as well.
Table 1. Cisco Threat Defense Technologies and Products
The Cisco TDS offers a practical solution against the security threats that worms pose to networks today. Because worms typically invade an environment in a multi-phased approach, this layered structure is an effective way to protect networks from these threats.
To understand how to mitigate the problem, we must examine how a worm damages a network. Worm and virus attacks can exploit multiple vulnerabilities concurrently. The Cisco SAFE Worm Mitigation paper discusses the best-practices methodology needed when facing a worm attack. Six steps are involved, using the NSP-SEC Mitigation Methodology. These steps follow (in order): preparation, identification, classification, traceback, reaction, and post-mortem. The reaction phase can be further broken down into containment, inoculation, quarantine, and treatment.
Responding to a Security Incident
The Cisco Threat Defense System applies to the reaction stage of the NSP-SEC Incident Response. When dealing with worm attacks, the Cisco Threat Defense System can inoculate, quarantine, and treat your network against damage.
Using Endpoint Protection on Servers and Desktop Systems
Cisco Security Agent
Cisco Security Agent is an anomaly-based detection day-zero technology that mitigates both known and unknown attacks, including worms, before they can harm your system. Cisco Security Agent intercepts application resource requests to the operating system, allowing it to make real-time “allow” and “deny” decisions in accordance with the predefined security policy. In the case of MSBlaster, Cisco Security Agent responded based upon the anomalous behavior of the operating system.
The default Cisco Security Agent 4.0 server and desktop policies stopped successful execution of MS Blaster as well as malicious worms before that, including Code Red, Nimda, and Slammer.
Because of the sensitive nature of the SVCHOST process in the proper operation of Windows, the Cisco Security Agent detects the overflow but does not terminate the SVCHOST process. Instead, Cisco Security Agent prevents the host from being exploited byterminating the CMD.exe process that the buffer overflow in the SVCHOST process creates because of the exploit. This day-zero technology requires no updates. Cisco Security Agent does not have the same challenge that applying system patches does. As a result, Cisco Security Agent is significantly easier and less obtrusive to install on running systems, and customers are less likely to require system interruptions or reboots. Administrators should use a network security scanner to identify those systems that are running critical services, and install Cisco Security Agent on those systems. To mitigate future network attacks beyond remoteprocedure call (RPC) Distributed Component Object Model (DCOM), Cisco Security Agent should be installed on all critical servers.
For configuration information, refer to the following URL:
Deploying Network-Based Intrusion Detection System to Detect Worm Activity Cisco NIDS
The Cisco NIDS operates by using a variety of methods to detect attacks on a network level. When an attack is detected, the sensor notifies an operator that an attack is under way. The operator then can take corrective action to prevent subsequent attacks. Cisco NIDS appliances also feature policing mechanisms such as shunning (port blocking) and TCP reset.
Cisco Threat Response provides intelligent investigation of the information surveyed by Cisco NIDS appliances. This management application performs a Layer 2 analysis on the targeted host to determine the impact of the attack. This information is quickly provided so that the operator can determine the overall threat of the attack to the network environment.
In the scenario of the NIMDA worm, the Cisco IDS system generates five events when the worm traverses the network from host to host:
As soon as the Cisco IDS sensor reports the attack, the Cisco Threat Response application performs an analysis on the target host. Cisco Threat Response determines the impact of the attack based on gathered information about the operating system and services running on the target host, such as type, version, and patch levels. The Layer 2 analysis provides the support necessary to decide whether or not to remove the host from service.
For details about how to properly configure Cisco IDS to deal with worm attacks, refer to the following URL:
Using Access Control to Restrict Worm Traffic
Cisco Firewall Solutions:
Cisco Catalyst 6500 Firewall Services Module, Cisco PIX Security Appliances,, Cisco IOS Software Advanced Security) Stateful firewalls provide a proactive way to mitigate worms in addition to other types of attacks. The stateful inspection engine can control connection attempts at a more granular level by validating proper protocol adherence. For example, this filtering can be used to allow only inbound connections to a Web server and at the same time not allow that Web server to initiate outbound connections, thus limiting the ability of the worm to self-propagate. This is particularly applicable for DMZ Web server deployments. As discussed in SAFE: A Security Blueprint [from Cisco] for Enterprise Networks, your Web servers do not need to establish outbound connections. It would be unusual for the Web server to need access to surf the Web. In most cases, Web servers only need to respond to incoming HTTP requests. Firewalls also can limit the number of permitted inbound connections to a server so that the server is not overwhelmed. In the case of Blaster, this setup blocks excessive inbound exploitation connection attempts when the maximum allowed number is reached.
Ingress filtering is typically carried out by access control on the network perimeter. It is used to block access to hosts and services that should not be publicly available. For instance, it is best practice to deny incoming connection requests to hosts or networking devices unless those hosts or devices are actively participating in providing a publicly accessible service. As it pertains to a worm attack, incoming HTTP connections are blocked from accessing any possibly exploitable user systems or nonpublicly available Web servers. These same filters, however, should allow access to a publicly available Web presence or e-commerce servers. Ideally, the public servers are under tight administrative control and have the latest patches. Ingress filtering blocks the exploitation attempts of targeted user systems.
Egress filtering also is carried out by access control on the network perimeter. This filtering refers to blocking outbound traffic access of a local host. Devices that do not need outbound Internet access, which can be most of the networking devices in your network or Web servers that serve only the internal environment, should not be allowed to initiate outbound connections. As this pertains to worm attacks, if a device is compromised it will not be able to infect an external network because the traffic will be intercepted and dropped at the network perimeter.
Additional layers of egress filtering in the network besides at the WAN edge also can be used to prevent an infected public Web server (or its entire segment in the case of a Web farm) from infecting private internal servers that are protected by the edge ingress filtering. For more information about access control and filtering, refer to SAFE Blueprint white papers.
Using Sinkhole Routers to Identify Infected Systems
Cisco IOS Software Advanced Security Features
Setting up a sinkhole router will assist in determining which systems in your environment are infected when the Cisco NIDS is not available. This scenario works by using addresses not yet allocated that worm attacks will inadvertently attempt to exploit. The sinkhole router advertises these networks locally (only), and any attempts at reaching them are then routed to the router. When received, they can be logged and discarded. The results of the logs provide a list of infected hosts.
Cisco IOS Software Advanced Security Features
NBAR is a classification engine in Cisco IOS Software that can recognize a wide variety of application level protocols, including HTTP, through URL or Multipurpose Internet Mail Extensions (MIME) type and protocols that use dynamic port assignments. After the traffic has been classified by NBAR, appropriate QoS policies can be applied to the traffic classes. NBAR recognizes the CRv1 and CRv2 URL request but not the Code-Red II URL request, for instance, because Code-Red II spreads the GET request over multiple packets and NBAR today inspects only the first packet. Unlike NIDS, NBAR can immediately classify the CRv1 and CRv2 traffic and drop the packet before it reaches the server. NBAR can be used inbound and outbound to mitigate the effects of Code-Red and other similar worms.
For more information about NBAR, refer to:
Cisco IOS Software Advanced Security Features
Cisco now supports two URL filtering server vendor implementations: WebSense Inc. and Secure Computingâ€™s N2H2. Destination policy management is based on predetermined policy for a specific user or groups of users. Before the router queries the server, it can maintain two locally configured permit or deny tables. These tables are location or URLs (strings, wildcards) where all users are always permitted access; alternatively, they can be locations where no users can ever receive access permission. If no entries or matches are found, the router checks its local cache to determine if the request has been made at an earlier time. If so, it studies the results.
This process is transparent and the user perceives no network delay.
URL filtering delivers the following benefits:
Cisco Catalyst Switch Security Features
Private VLANs work by limiting the ports within a VLAN that can communicate with other ports in the same VLAN. Typically,private VLANs are deployed so that the hosts on a given segment can communicate only with their default gateway and not the other hosts on the network. For instance, if a worm compromises a Web server, it cannot initiate infection attempts to other Web servers in the same VLAN, even though they exist in the same network segment. This access control, carried out by assigning hosts to either an isolated port or a community port, is an effective way to mitigate the effects of a single, compromised host. Isolated ports can communicate only with promiscuous ports (typically the router). Community ports can communicate with the promiscuous port and other ports in the same community.
For more information about private VLANs, refer to:
CiscoWorks VPN/Security Management Solution
The flagship integrated security management solution from Cisco, CiscoWorks VMS is an integral part of the SAFE Blueprint from Cisco for network security. CiscoWorks VMS protects the productivity and reduces operating costs for enterprises by combining Web-based tools for configuring, monitoring, and troubleshooting enterprise VPNs, firewalls, and network IDS and endpoint security. CiscoWorks VMS delivers the industry's first robust and scalable foundation and feature set that addresses the needs of small and large-scale VPN and security deployments. Today's business challenges and resulting security deployments require more scalability than merely supporting a large number of devices. Many customers have limited staffing, yet are asked to manage a myriad of security devices. These customers must manage the security and network infrastructure; frequently update many remote devices; implement change control and auditing when multiple organizations are involved in defining and deploying policies; enhance security without adding more headcount; or roll out remote access VPNs to all employees and monitor the VPN service.
Complete SAFE Blueprint Coverage
To completely manage a SAFE Blueprint environment, a
network management solution must manage SAFE Blueprint
CiscoWorks VMS implements a foundation with a consistent user experience, making it easier to scale management to manydevices. CiscoWorks VMS provides users with a consistent GUI, workflow, ACS logon, roles definition, platforms, database engine, installation, and more. An industry-leading feature of this foundation is the CiscoWorks VMS Auto Update feature, which allows numerous devices to be updated easily and quickly. CiscoWorks VMS Auto Update helps enable devices — even remote and dynamically addressed devices — to periodically "call home" to an update server and "pull" the most current security configurations or Cisco PIX operating system. CiscoWorks VMS Auto Update is required to effectively scale remote-office firewall deployments across intermittent links or dynamic addresses. Prior policy-updating methods relied on a "push" model. Although this model works for known devices, it does not work for remote devices with unknown addresses or devices that are not always active. Without auto update, a more manual process is required to update each remote device. The auto update feature provides a dramatic scalability improvement for organizations that want to deploy devices with many remote and local locations. In addition to easier and faster policy updates, CiscoWorks VMS Auto Update also provides consistent policy deployments.
Enterprise Operational Integration
CiscoWorks VMS helps organizations easily integrate management into their operations. One operational need is to replicate policies to multiple locations. The CiscoWorks VMS Smart Rules hierarchy addresses this need by helping administrators define device groups and implement policy inheritance. For example, an administrator can define a device group for the New York sales office and deploy that same policy to all other sales offices quickly and consistently. The CiscoWorks VMS Command and Control Workflow feature provides change control and auditing, and is particularly important for customers who have separate groups for network and security operations. The solution includes processes for generating, approving, and deploying configurations. This can help security operations to define and approve new policies. Network operations can later deploy the new policies during their regular maintenance window. An audit of the changes can be maintained.
Centralized Role-Based Access Control
Role-based access control (RBAC) enables organizations to scale access privileges. CiscoWorks VMS conveniently uses a commonACS logon for users, administrators, devices, and applications. CiscoWorks VMS helps enable different groups to have different access rights across different devices and applications.
Integrated Infrastructure Management
Scalability requires management of multiple components — not just firewalls, but also VPNs, network- and host-based IDSs, routers, and switches. CiscoWorks VMS manages not only the security infrastructure, but also the network infrastructure. Customers benefit from being able to manage these components from one solution. Integrated monitoring is also required to see the larger picture.
CiscoWorks VMS provides integrated monitoring of Cisco PIX Security Appliance, and Cisco IOS Software syslogs, and events from network- and host-based IDSs, along with event correlation.
CiscoWorks VMS Functions
CiscoWorks VMS is launched from the CiscoWorks dashboard and is organized into several functional areas:
These functional areas supply multifaceted scalability by offering features such as a consistent user experience, auto update, command and control workflow, and RBAC.
CiscoWorks VMS helps enable the large-scale deployment of Cisco PIX firewalls by providing the following features:
CiscoWorks VMS Smart Rules is an innovative feature that allows common information, including access rules and settings, to be inherited for all firewalls in a device or customer group. Smart Rules allows a user to define common rules once, resulting in reduced configuration time, fewer administrative errors, and higher device scalability. Using Smart Rules, a user can configure a common rule such as allowing all HTTP traffic once, and the user can apply this rule globally to all firewalls. Smart Rules can also be defined on a device or customer group basis.
For specific information about the firewall management functions of CiscoWorks VMS, refer to:
CiscoWorks VMS introduces the industryâ€™s first firewall auto update server that allows users to implement a "pull" model for security and Cisco PIX operating system management. CiscoWorks VMS Auto Update Server permits remote firewall networks with unprecedented scalability. The auto update server allows Cisco PIX firewalls to both periodically and automatically contact the update server for any security configuration, Cisco PIX operating system, and Cisco PIX Device Manager updates. The CiscoWorks VMS Auto Update Server supports the following features:
The CiscoWorks VMS Auto Update Server is an indispensable component of any large-scale remote Cisco PIX firewall deployment.
The auto update server is an easy-to-use solution to automatically update all remote or local firewalls with new operating system releases. Cisco is the industry's first vendor to provide this pull model of security policy and operating system management. For specific information about the CiscoWorks VMS Auto Update Server component of CiscoWorks VMS, refer to:
Administrators can use CiscoWorks VMS to configure network and switch IDS sensors. Many sensors can be configured quickly using group profiles. Additionally, a more powerful signature management feature is included to increase the accuracy and specificity of detection. Prominent features include the following:
For specific information about the NIDS management functions of CiscoWorks VMS, refer to:
The Management Center for Cisco Security Agents provides all management functions for all agents in a centralized manner, from the CiscoWorks VMS platform. Its role-based, Web browser “manage-from-anywhere” access makes it easy for administrators to create agent software distribution packages, create or modify security policies, monitor alerts, or generate reports. Because it ships with more than 20 fully configured default policies, administrators will find it easy to deploy thousands of agents across the enterprise. The manager also allows customers to deploy agents in “IDS mode,” where activity is alerted but not blocked.
The Management Center for Cisco Security Agents offers simple but powerful customization capabilities such as a tuning wizard, allowing administrators to quickly fit default policies to their environment. Administrators can easily modify rules or create entirely new rules to meet custom needs and requirements. To aid audit compliance requirements, an “explain rules” feature prints out a description of what specified rules or policies do.
Agents are deployed to servers and desktops directly from the Management Center for Cisco Security Agents, and are controlled and updated from this manager. Each agent operates autonomously—if communications with the manager is not possible (for example, if a remote laptop user has not yet connected through the VPN), the agent continues to enforce the security policy. All security alerts are cached by the agent and uploaded to the manager when communications are restored.
Cisco also offers the add-on Cisco Security Agent Profiler, a snap-in application for the Management Center for Cisco Security Agents that provides a comprehensive data analysis and policy creation tool for custom applications and environments. The profiler analyzes actual application behavior to create custom policies that allow customers to protect any application, even extremely complex ones that have been highly customized to an individual customerâ€™s environment.
Security Monitoring CiscoWorks VMS provides integrated monitoring to reduce the number of security monitoring consoles, reduce the number of events to monitor, and provide a broader view of security status.
For specific information about the security monitoring component of CiscoWorks VMS, refer to:
Visit the Authors Web Site
Click Here for The Business Forum Library of White Papers
Search Our Site
Search the ENTIRE Business
Forum site. Search includes the Business