Cisco Systems, Inc.---the worldwide leader in networking for the Internet---offers comprehensive, end-to-end security solutions for the enterprise. The Cisco Secure line of security solutions includes the Cisco Secure Scanner, the vulnerability scanner and network mapping system. The Scanner enables an enterprise to diagnose and repair security problems in networking environments. The Scanner helps network administrators and security consultants to ensure preparedness by detecting and reporting on vulnerabilities on network hosts. The Cisco Secure line also includes Cisco Secure Intrusion Detection System, Cisco's intrusion-detection software, which can be used in conjunction with the Scanner and other Cisco security products to provide a comprehensive network security solution.
The Scanner's innovative technology has produced two patents that are currently pending: a patent for the invention of real-time insertion of data into a multi-dimensional database for network intrusion detection and vulnerability assessment (the Grid Browser), and a patent for a rules-based approach to real-time discovery of security vulnerabilities.
This chapter includes the following sections:
The Scanner scans your network to uncover vulnerabilities that threaten the security of your network.
This section includes the following topics:
The Scanner discovers security weak points on your network before intruders can exploit them. The Scanner allows you to automatically compile an inventory of networking devices and servers on your network. Then, using the vulnerability inventory database, the Scanner identifies vulnerabilities associated with network services. It then compiles a list of the discovered vulnerabilities and displays them in a grid.
The Scanner provides details about each vulnerability, such as the vulnerable hosts, the operating system weaknesses, the level of severity of the vulnerability, a description of the vulnerability, and actions you can take to correct the weaknesses.
You can use the Scanner to scan all IP-based networks. The Scanner can scan networks connected to the Internet as well as standalone networks.
Using the Scanner in conjunction with firewalls, Intrusion Detection Systems (IDSes), and other security measures ensures security in depth.
This section includes the following topics:
The Scanner should be used on a recurring basis. The scheduling function allows you to set up sessions on a regular or random basis. As sessions are run, you can review the session data and compile grids, charts, and reports, and thus always be knowledgeable about the security of your network.
Follow these recommendations to make the best use of the Scanner:
The Scanner's functions are best viewed from a phased approach. The six phases correspond to the functions of the Scanner (see Figure 1-1 for a linear view of these six phases).
This section includes the following topics:
The Scanner maps your network by running scans on all of the ports and IP addresses that you specify. This is the network discovery phase of the Scanner. The network mapping tool is flexible. You can scan one host on the network, all the hosts on the network, or some hosts across different segments. The Scanner obtains a comprehensive profile of "live" devices on the network by accessing any devices that respond to requests for network services. The list of devices can contain multiple types of network devices such as workstations and servers, routers, firewalls, switches, printers, and hubs.
The Scanner uses the following sequencing to obtain an electronic map:
Step 1 The Scanner sends out ICMP echo requests or "pings" to query hosts and network devices on a given LAN. A host, or a filter in front of it, that silently drops echo requests does not answer and therefore does not appear in the map; the map is only as complete as the set of devices that respond.
Step 2 The Scanner generates an electronic map, which is a profile of all live hosts at the particular time a session is run.
The Scanner gathers data from all live hosts and network devices identified in the electronic map. Through the use of port scans, the Scanner collects data from active ports. The Scanner can be configured in various ways to collect data:
The Scanner stores the data in a database for analysis.
The Scanner uses a sophisticated, patent-pending vulnerability analysis engine to identify the following:
The Scanner analyzes the potential vulnerabilities by using the Rules database, which is a comprehensive repository of vulnerability rules that identifies known security risks. Also, the Scanner allows you to create user vulnerability rules to add to the Rules database.
Using the vulnerability exploit engine, the Scanner actively probes the network to confirm the presence of known vulnerabilities. The Scanner issues commands against target hosts and checks whether the hosts identified in the electronic map respond the way a vulnerable host would; a match confirms the vulnerability rather than merely inferring it from a version banner. Because these checks exercise the vulnerable service itself, they can disturb production hosts, so run them against live systems only with the owner's agreement.
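The discovery, data collection and analysis phases described above, as an added worked example (not Cisco's code, and not how the Scanner is implemented). It runs against two throwaway services on the loopback interface so it works offline. A TCP connect probe stands in for the ICMP echo sweep, because ICMP needs raw sockets and root; the rules database, its EX-* identifiers, the banners and the hosts are all constructed for the example and are not NSDB entries.

```python
"""Toy three-phase vulnerability scan: discover live ports, collect banners,
match banners against a rules database, emit grid rows.
Added example; everything here (rule IDs, banners, services) is constructed."""
import re
import socket
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str      # hypothetical identifier, not a Cisco NSDB entry
    pattern: str      # regex matched against the service banner
    severity: str
    description: str


# Constructed stand-in for the Rules database.
RULES = (
    Rule("EX-001", r"^220 exampleftpd 1\.0", "high",
         "exampleftpd 1.0 greeting (constructed vulnerable version)"),
    Rule("EX-002", r"login:", "medium",
         "cleartext telnet-style login prompt exposed"),
)


def discover(host, ports, timeout=0.5):
    """Discovery phase: return the subset of `ports` that accept a TCP connection.
    A port that refuses or times out is treated as not live, just as a host that
    drops ICMP echo requests would be missing from a ping sweep."""
    live = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                live.append(port)
    return live


def collect(host, port, timeout=0.5):
    """Data collection phase: connect and record whatever the service says first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""  # silent service: keep the port, record an empty banner
    return data.decode("ascii", errors="replace").strip()


def analyze(host, banners, rules=RULES):
    """Analysis phase: one grid row per (port, rule) whose pattern matches the banner."""
    grid = []
    for port, banner in banners.items():
        for rule in rules:
            if re.search(rule.pattern, banner):
                grid.append({"host": host, "port": port, "banner": banner,
                             "rule": rule.rule_id, "severity": rule.severity,
                             "description": rule.description})
    return grid


def scan(host, ports):
    """Run the three phases in order and return the vulnerability grid."""
    open_ports = discover(host, ports)
    banners = {p: collect(host, p) for p in open_ports}
    return analyze(host, banners)


def fake_service(banner, host="127.0.0.1"):
    """Constructed target: a loopback listener that greets every client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # ephemeral port, no privileges needed
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:  # client (the discovery probe) already hung up
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Two fake services plus one port with no listener; returns the grid rows."""
    ftp, ftp_port = fake_service(b"220 exampleftpd 1.0 ready\r\n")
    tel, tel_port = fake_service(b"\r\nlogin: ")
    with socket.socket() as s:   # find a free port that nobody listens on
        s.bind(("127.0.0.1", 0))
        dead_port = s.getsockname()[1]
    try:
        return scan("127.0.0.1", [ftp_port, tel_port, dead_port])
    finally:
        ftp.close()
        tel.close()


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The grid is deliberately rows of plain dictionaries: each row carries the host, port, banner, matching rule, severity and description, which is the same set of attributes the Scanner's grid view and NSDB lookup expose. A real engine would add active confirmation checks after the rule match rather than trusting the banner alone.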
The Scanner has the most sophisticated data presentation capabilities of any scanning tool available. A variety of options for viewing and managing session results is available.
This section includes the following topics:
The Grid Browser has the ability to display the data in the following ways:
You can access the Network Security Database (NSDB) to find out more information about a particular vulnerability. The NSDB provides the following information:
The Scanner's charting feature allows you to display the data in the following types of charts:
The Scanner has a strong reporting tool that is accessed via the Report Wizard. You can create one of the following reports of the data to fit your audience:
Each report can include session information in the form of prose, charts, and graphics.
The Cisco security solution is based on an operational perspective rather than on separate products or policies. This security philosophy is reflected in the image of the Security Wheel (as shown in Figure 1-2). All the elements of security are represented in the Security Wheel.
This section includes the following topics:
The most practical and complete approach to the problem of maintaining network security is an operational solution rather than one that relies only on point products or application restrictions.
This section includes the following topics:
The most common security point product in use today is the firewall. Firewalls are designed to be a single point on the network that regulates all traffic entering and leaving a protected network. Firewalls are an important part of the security solution, because a firewall is often the first barrier that external users encounter. But if used alone, a firewall is not enough to protect the network, for the following reasons:
Some companies, in an effort to make their networks more secure, restrict the access and use of certain applications. The idea is that the fewer employees who use these applications, the more secure the company's network. So, these companies do not allow all of their employees access to the Web or access to email outside of the company. These strategies may work for a while, but in the long run with the Internet becoming such a valuable business tool, such restrictions may not seem the best way to maintain a secure network. Policies such as these are only as good as the people and products used to enforce them.
All companies today need a detailed and enforced network security policy. A security policy defines the rules that identify which users have access rights to which enterprise resources. This security policy must support users within the enterprise and also users outside the enterprise, such as partners, customers, and employees accessing corporate resources from the Internet.
Using an operational solution in conjunction with a defined corporate network security policy will provide your company with the ultimate protection. This dynamic approach to security management---Vulnerability Management Process---is best represented by the paradigm of the Security Wheel (Figure 1-2).
The Security Wheel is cyclical to ensure security diligence and improvement. The paradigm incorporates the following five steps:
Step 1 Develop a strong corporate security policy.
A strong corporate security policy provides the foundation for an effective security program.
Step 2 Secure the network.
Secure your network by using a combination of point products including firewalls and AAA. Establish configuration metrics so that you can measure the state of security of your network.
Step 3 Monitor the network and respond to attacks.
Continuously monitor your network using intrusion-detection tools positioned at strategic places on the network to provide real-time visibility. Establish attack metrics so that you can measure the number of attacks that your network suffers and respond to them.
Step 4 Test existing security safeguards.
Using the Scanner, regularly test the configurations of all of the components of the network to ensure that they are secure. Establish vulnerability metrics in this way so that you can determine which of the network components are most vulnerable and recommend methods of improvement.
Step 5 Manage and improve corporate security.
Analyze all metrics obtained through the other parts of the security cycle, keep abreast of new network threats, fold what you learn back into the network security policy, and then repeat the Security Wheel cycle.
Successfully using Internet technologies results in an increased need to protect valuable data and network resources from corruption and intrusion. To meet these needs, Cisco offers a robust end-to-end security solution.
The following elements of security make up Cisco's end-to-end security solution:
Most security incidents occur because available countermeasures are not implemented, and hackers or disgruntled employees then exploit the oversight. Therefore you must do more than confirm that a vulnerability exists and find a countermeasure that works; it is also critical to verify that the countermeasure is in place and working properly throughout the corporate MIS environment. Identifying and implementing fixes is termed countermeasure engineering. Verifying that they are active and working on a day-to-day basis is termed Security Audit.
Security posture is the state of hardware, operating system software, utilities, and applications designed to control access to and use of services and information resident on the system. The Scanner allows you to perform a security posture assessment so that you can then probe the network to confirm any security vulnerabilities that exist. The result of this step is the network vulnerability assessment.
Cisco security engineers provide two services:
Today companies face many security problems that arise particularly from their use of networked environments, which keep their employees communicating with each other and with the outside world.
This section includes the following topics:
Today's corporate networks are so complex that this complexity alone leads to security risks. There are so many components to a company's network---firewalls, routers, switches, and servers---that to manage the security of each and every one is a sizable task. Also, each of these components is liable to misconfiguration, which opens security holes on the network.
Most companies today do not have employees who are professionally trained network security personnel. In short, there is a "skills gap" among the system administrators that companies normally employ to set up, configure, and watch the company network. No single employee is dedicated to performing the following tasks:
Nor is there usually anyone assigned specifically to the task of creating and maintaining a corporate security policy.
In today's world, network change is a constant. New technologies introduce change on the network, which inadvertently introduces security holes on the network. Employee growth and turnover cause change to the network as more users (and their access and privileges) are added or removed. And new applications to enable employees to do their work better, some requiring extra access to sensitive applications and material, introduce security risks. With the increase in E-Commerce, connectivity, and acquisitions and mergers, keeping up with change on the network becomes a monumental task.
A company can be threatened from within by disgruntled employees who know how to find sensitive material and cause harm to the company. But threats from within are not always the result of deliberate misdeeds. Inexperienced system administrators often have no idea how to securely configure the components of the network and thus constitute an internal threat. Or consider the scenario of the system administrator who is experienced with network security, but who is overworked and short-handed, and therefore cannot keep up with the security demands that a complex network generates.
Everyday use of the network also exerts pressure on its security. Public use of operating system services such as FTP, Telnet, and SMTP introduces unwanted holes in the network, and the sheer volume of traffic on the network often masks unauthorized behavior.
Externally, no company is safe from the proverbial hacker who is out to gain access to your network. Hackers on their own or as part of an organized group may joyride through your network for their own agenda just to show that they can---gaining or destroying information as it suits them. And there are also hackers who have been hired by an organization (whether government or corporate) to steal trade secrets and other confidential information from targeted networks.
The use of the Internet as a business tool has increased exponentially. Substantial growth has occurred in the following three areas, and exposure to security risk has grown with it.
This section includes the following topics:
Many companies have taken to the Web to sell their products, so many outsiders now have access to company web sites to buy products. This access can open holes in the company's network that a knowledgeable user can exploit. The use of credit cards over the Internet introduces a further risk: the cardholder's personal information now travels over, and is stored on, systems the cardholder does not control, where it can be captured and misused against other systems.
Through acquisitions and mergers, many companies today have become large national and international entities that no longer operate from one facility alone. To enable employees at their remote sites to do private business with all parts of the corporation, companies need a large network with many connections and points of entry. And outside vendors also often need access to the company intranet. Both situations introduce a security nightmare for a company.
To survive in the global market economy today, many companies forge trusted relationships with other companies so that they can capture a share of the market. This creates the need for a secure network so that the partners can conduct private business with each other. Also, trusted partners may need access to private company files and databases, which introduces security risk both internally and externally.
Every company today needs a well-defined and detailed corporate network security policy. Some companies may have a general idea of what they need in terms of network security, but no one in the company has been assigned to own the network security policy. Or, the company may have defined a network security strategy but has not worked to enforce it. Without an enforced network security policy, your company is at high risk of suffering network security breaches.
The amount of research that a company needs to conduct to stay on top of new network security threats is overwhelming. New network threats appear daily because of all of the changes in computer-related technology. The lack of in-house personnel devoted to researching the latest network vulnerabilities is a big liability for most companies.
Posted: Thu Jun 29 14:12:52 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.