Wednesday, 2 May 2012

Perimeter Router, Internal Router and Firewall

There are a few standard perimeter router designs. Each suits a different size of corporate network, and each provides a different level of protection against network attacks. The most basic design, and the first I will describe, is the "standalone perimeter router", which suits a small business network because of its minimal cost but provides only one layer of security.


A standalone perimeter router is a single router placed between the outside network (global) and the internal network (local). The router performs basic filtering of unwanted traffic and provides only minimal protection for the internal network.


The diagram below shows the example of the Standalone Perimeter Router Topology.

Standalone Perimeter Router Topology

The next design is a perimeter router with a standalone firewall. The perimeter router is again placed between the outside network (global) and the internal network (local). In addition, a firewall is placed directly behind the perimeter router, within the internal network. The firewall provides greater protection and flexibility, including packet filtering, stateful filtering, application layer filtering and NAT, which makes this design suitable for a medium to large business network.

The diagram below shows the example of the Perimeter Router and Firewall Topology. 

Perimeter Router and Firewall Topology

The last design has at least three layers of protection: the perimeter router, a standalone firewall and an internal router. The internal router provides a containment function: if the trusted inside network is compromised, it prevents the attack from spreading to the DMZ side. It also provides better routing options, which improves the performance of the network.

The diagram below shows the example of the Perimeter Router, Firewall and internal router Topology. 

Perimeter Router, Firewall and internal router Topology.

References:

OLIVE TEACHING MATERIALS


Tuesday, 1 May 2012

Secure Perimeter Routers & Disable Services & Logging

Ingress and Egress Filtering

Ingress filtering blocks packets arriving from outside the network that carry a source address belonging to the inside network. This prevents an outside attacker from spoofing the address of an internal machine.


Egress filtering blocks packets leaving the network that carry a source address not belonging to the inside network. This prevents an attacker within the network from launching IP spoofing attacks against external machines.


The diagram below shows the topology of the Cisco IOS router's ingress/egress filtering in a typical corporate network.


Access List Directional Filtering

A Cisco IOS ACL is used to define (classify) traffic. Once the traffic is defined, an action can be taken on it.
Most commonly, an ACL filters IP packets (Layer 3 of the OSI model) as they pass through a router; in other words, it permits or denies traffic through the router. However, if you only define the ACL and do not apply it to an interface with the access-group command, nothing happens.


The diagram below shows the topology of the Cisco IOS router's ACL filtering in a typical corporate network.
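As an added example (not part of the original post), the following Python model applies an ACL per interface and direction, the way access-group does, and uses it to implement the ingress and egress anti-spoofing rules from the previous section. The inside network 192.168.0.0/16, the interface name "Serial0/0", the sample addresses and the rule sets are constructed for the demonstration:

```python
# Added example, not from the original post: a small model of directional
# ACL filtering on a router, with ingress/egress anti-spoofing rules.
# Addresses, the "Serial0/0" interface name and the rules are constructed.
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("192.168.0.0/16")   # constructed inside network


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network    # matching source addresses
    dst: ipaddress.IPv4Network    # matching destination addresses


def evaluate(acl, src, dst):
    """First matching rule wins; an IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"


# Ingress ACL, applied inbound on the outside interface: packets arriving
# from the Internet must not claim an inside source address.
INGRESS_ACL = [
    Rule("deny", INTERNAL, ANY),
    Rule("permit", ANY, ANY),
]

# Egress ACL, applied outbound on the outside interface: only packets whose
# source really belongs to the inside network may leave (implicit deny for the rest).
EGRESS_ACL = [
    Rule("permit", INTERNAL, ANY),
]

# (interface, direction) -> ACL, the equivalent of `ip access-group <n> in|out`.
ACCESS_GROUPS = {
    ("Serial0/0", "in"): INGRESS_ACL,
    ("Serial0/0", "out"): EGRESS_ACL,
}


def filter_packet(interface, direction, src, dst):
    """Return "permit" or "deny" for a packet crossing interface in direction."""
    acl = ACCESS_GROUPS.get((interface, direction))
    if acl is None:
        return "permit"   # an ACL that is defined but not applied changes nothing
    return evaluate(acl, src, dst)


if __name__ == "__main__":
    samples = [
        ("Serial0/0", "in", "203.0.113.7", "192.168.1.10"),   # normal inbound
        ("Serial0/0", "in", "192.168.1.5", "192.168.1.10"),   # spoofed inside source
        ("Serial0/0", "out", "192.168.1.10", "203.0.113.7"),  # normal outbound
        ("Serial0/0", "out", "10.9.9.9", "203.0.113.7"),      # source not ours
    ]
    for sample in samples:
        print(sample, "->", filter_packet(*sample))
```

The last sample in the script shows the point made above about applying an ACL: a packet on an interface and direction with no access-group entry is forwarded untouched, however strict the defined ACLs are.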


IOS Firewall Router

Context-Based Access Control (stateful traffic inspection)

CBAC is a stateful firewall: it keeps track of the state of network connections, such as TCP and UDP sessions, travelling across it. It creates openings in the ACLs on the interfaces that inspect the traffic by adding a temporary ACL entry for a specific session.


The openings are created when a host on the internal network starts a session with the outside network whose return traffic would normally be denied. Return traffic is allowed back through the firewall only if it belongs to the same session and has the properties CBAC is looking for.
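As an added example (not code from the original post or from Cisco), this Python sketch models the CBAC behaviour described above: a session table keyed on the 4-tuple, filled when an inside host opens a session outward, consulted for every inbound packet, and aged out on an idle timeout. The inside prefix 192.168., the 30-second timeout and the sample addresses are constructed assumptions:

```python
# Added example, not from the original post: a minimal model of CBAC-style
# stateful inspection. The inside prefix, idle timeout and addresses are
# constructed; real CBAC timers and inspection rules are configured per protocol.
import time

INSIDE_PREFIX = "192.168."   # constructed inside network
IDLE_TIMEOUT = 30            # seconds before an idle session entry is removed


class Cbac:
    def __init__(self, now=time.time):
        self.now = now          # clock function, injectable for testing
        self.sessions = {}      # (src, sport, dst, dport) -> last-seen time

    def outbound(self, src, sport, dst, dport):
        """Inside host starts a session: record it so that replies get through."""
        if not src.startswith(INSIDE_PREFIX):
            return "deny"       # only inside sources may open sessions outward
        self.sessions[(src, sport, dst, dport)] = self.now()
        return "permit"

    def inbound(self, src, sport, dst, dport):
        """Outside packet: permitted only as the reverse of a live session."""
        self._expire()
        key = (dst, dport, src, sport)        # reversed 4-tuple
        if key in self.sessions:
            self.sessions[key] = self.now()   # refresh the idle timer
            return "permit"                   # temporary opening in the inbound ACL
        return "deny"                         # static inbound ACL denies the rest

    def _expire(self):
        """Drop entries that have been idle longer than IDLE_TIMEOUT."""
        cutoff = self.now() - IDLE_TIMEOUT
        stale = [k for k, seen in self.sessions.items() if seen < cutoff]
        for k in stale:
            del self.sessions[k]


if __name__ == "__main__":
    fw = Cbac()
    print(fw.inbound("203.0.113.7", 80, "192.168.1.10", 40000))   # deny: unsolicited
    print(fw.outbound("192.168.1.10", 40000, "203.0.113.7", 80))  # permit: opens session
    print(fw.inbound("203.0.113.7", 80, "192.168.1.10", 40000))   # permit: matching reply
    print(fw.inbound("203.0.113.7", 443, "192.168.1.10", 40000))  # deny: different session
```

The clock is injected so the idle timeout can be exercised deterministically; a reply that arrives after the entry has aged out is denied again, which is exactly the "temporary" part of the temporary ACL entry.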


Authentication proxy


The HTTP-based authentication proxy provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols.


The diagram below is an example of the HTTP-based authentication proxy.



Intrusion Detection

The IOS firewall can also act as an in-line intrusion detection sensor.
When a packet or packets match a signature, it can perform any of the following configurable actions:

  • Alarm—Send an alarm to a Cisco IDS Director or Syslog server.
  • Drop—Drop the packet.
  • Reset—Send TCP resets to terminate the session.


It can identify up to 100 common attacks, depending on the release.


Securing Cisco Routers by Disabling Unused Services


Disable bootp server
Test(config)# no ip bootp server
Disable CDP
Test(config)# no cdp run
Disable ip classless
Test(config)# no ip classless
Disable DNS lookup
Test(config)# no ip domain-lookup
Disable finger service
Test(config)# no ip finger
Disable HTTP
Test(config)# no ip http server
Disable ip mask-reply
Test(config-if)# no ip mask-reply
Disable IP-Directed Broadcast
Test(config-if)# no ip directed-broadcast
Disable IP Source Routing
Test(config)# no ip source-route
Disable IP Unreachable
Test(config-if)# no ip unreachables
Disable Small Servers
Test(config)# no service tcp-small-servers
Test(config)# no service udp-small-servers
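An added example (not from the original post): a small Python audit script that reads a saved IOS running-config and reports which of the hardening commands above are missing, checking the global ones once and the interface ones under every interface stanza. The sample configuration is constructed. The script assumes the commands appear in the config in exactly the forms listed above; some IOS releases print variants (for example `no ip domain lookup` without the hyphen), which would need to be added to the check lists.

```python
# Added example, not from the original post: audit an IOS running-config for
# the hardening commands listed above. The sample configuration is constructed.
import re

# Global configuration commands expected once anywhere in the config.
GLOBAL_CHECKS = [
    "no ip bootp server",
    "no cdp run",
    "no ip domain-lookup",
    "no ip finger",
    "no ip http server",
    "no ip source-route",
    "no service tcp-small-servers",
    "no service udp-small-servers",
]
# Interface configuration commands expected under every interface stanza.
INTERFACE_CHECKS = [
    "no ip mask-reply",
    "no ip directed-broadcast",
    "no ip unreachables",
]


def parse_config(text):
    """Split a running-config into a set of global lines and per-interface line sets."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue                       # blank or comment separator
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None                 # left the interface stanza
            global_lines.add(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, interfaces = parse_config(text)
    findings = [f"global: missing '{cmd}'"
                for cmd in GLOBAL_CHECKS if cmd not in global_lines]
    for name, lines in interfaces.items():
        findings += [f"{name}: missing '{cmd}'"
                     for cmd in INTERFACE_CHECKS if cmd not in lines]
    return findings


SAMPLE_CONFIG = """\
!
hostname Test
no ip bootp server
no cdp run
no ip domain-lookup
no ip finger
no ip source-route
no service tcp-small-servers
no service udp-small-servers
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no ip mask-reply
 no ip directed-broadcast
 no ip unreachables
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 no ip directed-broadcast
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Against the constructed config the script reports the missing `no ip http server` globally and the two interface commands missing under Serial0/0, which is the outside-facing interface where `no ip unreachables` and `no ip mask-reply` matter most.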

Router Management (logging)

Event logging provides you visibility into the operation of a Cisco IOS device and the network into which it is deployed. Cisco IOS software provides several flexible logging options that can help achieve the network management and visibility goals of an organization.

Log Severity Levels:


Types of logging method:
Console
Buffered
Terminal Line
Syslog
SNMP


Log Message Format:
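An added example (not from the original post): a Python parser for Cisco IOS system messages, which carry a %FACILITY-SEVERITY-MNEMONIC: prefix in which the severity digit runs from 0 (emergencies) to 7 (debugging), plus a filter that keeps messages at or below a trap level, the way `logging trap` does, and additionally any mnemonic on a watch list. The log lines and the watch list are constructed:

```python
# Added example, not from the original post: parse IOS-style log messages and
# select the ones worth forwarding or alerting on. Sample lines are constructed.
import re
from dataclasses import dataclass

# IOS severity levels, 0 = most severe, with the keywords used by `logging trap`.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# An IOS message carries %FACILITY-SEVERITY-MNEMONIC: text, usually after a timestamp.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)


@dataclass
class LogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self):
        return SEVERITY_NAMES[self.severity]


def parse_line(line):
    """Return a LogMessage, or None if the line is not an IOS system message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return LogMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"].strip())


def select_alerts(lines, trap_level=4, watch=("IPACCESSLOGP", "CONFIG_I")):
    """Keep messages at or below trap_level (like `logging trap warnings`),
    plus any watched mnemonic regardless of severity (e.g. ACL log hits)."""
    selected = []
    for line in lines:
        msg = parse_line(line)
        if msg and (msg.severity <= trap_level or msg.mnemonic in watch):
            selected.append(msg)
    return selected


SAMPLE_LOG = [   # constructed lines in the usual IOS layout
    "*May  1 10:15:22.101: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.20)",
    "*May  1 10:15:30.442: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "*May  1 10:15:31.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down",
    "*May  1 10:16:02.560: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.5(4444) -> 192.168.1.10(23), 1 packet",
    "*May  1 10:16:05.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
    "garbage line with no IOS prefix",
]

if __name__ == "__main__":
    for msg in select_alerts(SAMPLE_LOG):
        print(f"{msg.severity_name:>14} {msg.facility}-{msg.mnemonic}: {msg.text}")
```

The watch list matters because the two events a security team most wants from a router, configuration changes (severity 5) and ACL deny hits (severity 6), sit above the warnings level that a typical `logging trap` setting would forward.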





References:


http://en.wikipedia.org/wiki/IP_address_spoofing
http://www.techrepublic.com/blog/networking/what-you-need-to-know-about-cisco-ios-access-list-filtering/536
http://ciscoskills.net/2011/02/22/understanding-cbac
http://www.debianadmin.com/securing-cisco-routers-by-disabling-unused-services.html
OLIVE INKS teaching materials


Network/Port Address Translation


What is NAT?

Network Address Translation (NAT) allows a single device, such as a router, to act as an agent between the Internet (or "public network") and a local (or "private") network. This means that only a single, unique IP address is required to represent an entire group of computers. The shortage of IP addresses is only one reason to use NAT; it also adds a degree of security, since internal addresses are reused privately and are not exposed directly to the outside. The NAT router translates traffic coming into and leaving the private network.

The diagram below shows an overview of the NAT router translating traffic between the private (local) and global (Internet) networks.


NAT router


The different types of NAT:


Static NAT - Maps an unregistered IP address to a registered IP address on a one-to-one basis. This is particularly useful when a device needs to be reachable from outside the network.


In static NAT, the computer with the IP address of 192.168.32.10 will always translate to 213.18.123.110.


Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.



In dynamic NAT, the computer with the IP address 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150.



Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. This is also known as PAT (Port Address Translation), single-address NAT or port-level multiplexed NAT.


In overloading, each computer on the private network is translated to the same IP address (213.18.123.100), but with a different port number assignment.
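An added example (not from the original post): a Python model of the three translation types, using the addresses from the text. The inside port numbers, the starting external port 1024 and the pool-exhaustion behaviour (a new inside host is dropped when no registered address is free) are assumptions for the demonstration:

```python
# Added example, not from the original post: a model of static NAT, dynamic NAT
# and overloading (PAT). Port numbers and the 1024 starting port are constructed.
import itertools
import ipaddress


def address_range(first, last):
    """Expand an inclusive address range such as 213.18.123.100 to 213.18.123.150."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


class NatTable:
    def __init__(self, static=None, pool=None, overload_ip=None):
        self.static = dict(static or {})     # inside -> outside, fixed one-to-one
        self.pool = list(pool or [])         # free registered addresses for dynamic NAT
        self.dynamic = {}                    # inside -> outside, leased from the pool
        self.overload_ip = overload_ip       # the single address shared by PAT
        self.pat = {}                        # (inside, port) -> (overload_ip, ext_port)
        self._ports = itertools.count(1024)  # next external port to hand out

    def static_translate(self, inside):
        """Static NAT: the same outside address every time, or None if unmapped."""
        return self.static.get(inside)

    def dynamic_translate(self, inside):
        """Dynamic NAT: lease the first available pool address to this host."""
        if inside in self.dynamic:
            return self.dynamic[inside]
        if not self.pool:
            return None                          # pool exhausted: packet dropped
        self.dynamic[inside] = self.pool.pop(0)  # first available address
        return self.dynamic[inside]

    def release_dynamic(self, inside):
        """Return a leased address to the pool when the inside host goes idle."""
        outside = self.dynamic.pop(inside, None)
        if outside is not None:
            self.pool.append(outside)
        return outside

    def overload_translate(self, inside, port):
        """PAT: every inside host shares overload_ip, distinguished by external port."""
        key = (inside, port)
        if key not in self.pat:
            self.pat[key] = (self.overload_ip, next(self._ports))
        return self.pat[key]

    def reverse_overload(self, ext_port):
        """Map the destination port of a returning packet back to (inside, port)."""
        for (inside, port), (_, allocated) in self.pat.items():
            if allocated == ext_port:
                return inside, port
        return None


if __name__ == "__main__":
    static = NatTable(static={"192.168.32.10": "213.18.123.110"})
    print(static.static_translate("192.168.32.10"))          # 213.18.123.110

    dynamic = NatTable(pool=address_range("213.18.123.100", "213.18.123.150"))
    print(dynamic.dynamic_translate("192.168.32.10"))        # 213.18.123.100
    print(dynamic.dynamic_translate("192.168.32.11"))        # 213.18.123.101

    pat = NatTable(overload_ip="213.18.123.100")
    print(pat.overload_translate("192.168.32.10", 5000))     # ('213.18.123.100', 1024)
    print(pat.overload_translate("192.168.32.11", 5000))     # ('213.18.123.100', 1025)
```

The reverse lookup is the part that makes overloading work: because the router remembers which external port it assigned to which (inside address, port) pair, a reply addressed to 213.18.123.100 can be delivered to the right private host even though every host shares that one address.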


References:


http://computer.howstuffworks.com/nat.htm
http://computer.howstuffworks.com/nat1.htm

Wednesday, 25 April 2012

Security Policy

A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.


The reason to have a security policy is to establish a baseline of the current security condition and to set up a framework for security, such as defining which behaviours are allowed and which are not. It also determines which tools to use when necessary and the procedures for handling security incidents so that they can be mitigated.


Network security is a continuous process cycle built around the policy, and it usually involves four steps or more.


1.) Securing the network - Implement security solutions such as authentication, encryption and firewalls to prevent unauthorized access and to protect information.


2.) Monitoring security - Monitor system logging and real-time intrusion detection on the network to detect and prevent violations of the security policy.


3.) Testing security - Validate the security and its effectiveness through system auditing and pen-testing.


4.) Updating/improving security - Use the information from the previous phase to improve and make changes to the security policy, and provide training for staff where necessary.


The following diagram shows the security policy life cycle:

References:
OLIVE teaching materials.

Common Network Attacks Threats and Solution


IP Spoofing


In a computer context, IP spoofing refers to a person or program disguising itself as a trusted source by falsifying data, with the purpose of gaining unauthorized access to a computer or inflicting damage on the network.


The most common spoofing attack is IP spoofing. This type of attack takes advantage of the Internet Protocol (IP), which is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite. A computer sends data over the network using IP, and each packet has a header containing the source address of the sender. The attacker modifies the source address in the header so that it contains a different address; whoever receives the spoofed packet then sends its reply to that modified source address. This technique is mainly used in denial-of-service (DoS) attacks, where the attacker does not care about the response.


Packet filtering is one defence against IP spoofing attacks. There are two filtering methods. The first is ingress filtering, usually performed by a router, which blocks packets arriving from outside the network that carry a source address belonging to the inside network. This prevents an outside attacker from spoofing the address of an internal machine.


The other method is egress filtering, usually used together with ingress filtering, which blocks packets leaving the network that carry a source address not belonging to the inside network. This prevents an attacker within the network from launching IP spoofing attacks against external machines. It is also recommended to design network protocols and services so that they do not rely on the IP source address for authentication.


The following diagram shows how this is done:




Denial of service attack



A denial-of-service attack (DoS attack) is an attempt to make a computer or network resource unavailable to its intended users, either temporarily or indefinitely.


One common method of attack involves flooding the target machine with external communication requests, so that it cannot respond to legitimate traffic, or responds so slowly that it is effectively unavailable. Such attacks usually lead to a server overload. DoS attacks are carried out by forcing the targeted computer(s) to reset, by consuming their resources so that they can no longer provide their intended service, or by obstructing the communication media between the intended users and the server so that they can no longer communicate smoothly.


The following diagram shows how this type of attack is performed:


Cisco CCNA Security: Learn Your Enemy - ICMP Flood Attack


The simplest mitigation is to completely block ICMP from untrusted interfaces using a firewall or packet filtering; a more refined one is to rate-limit ICMP requests during an attack.
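An added example (not from the original post): a token-bucket rate limiter in Python for ICMP packets, the second mitigation above, run over a constructed timeline of a short flood followed by a normal ping. The budget of 10 packets per second with a burst of 10 is an assumption for the demonstration; real routers express the same idea through their own rate-limit or policing configuration, and non-ICMP traffic is left alone so that legitimate sessions are not affected by the limiter:

```python
# Added example, not from the original post: a token-bucket rate limiter for
# ICMP, the "limit the rate" mitigation. The timeline and the 10 packets/s
# budget with a burst of 10 are constructed assumptions.
class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = rate        # tokens added per second (average packets/s allowed)
        self.burst = burst      # bucket capacity (size of burst tolerated)
        self.tokens = burst     # start full
        self.last = 0.0         # timestamp of the previous packet

    def allow(self, now):
        """Refill for the elapsed time, then spend one token if one is available."""
        elapsed = now - self.last
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def filter_icmp(packets, rate=10, burst=10):
    """packets: list of (timestamp_seconds, protocol), sorted by time.
    Returns (forwarded, dropped); only ICMP is subject to the bucket."""
    bucket = TokenBucket(rate, burst)
    forwarded, dropped = [], []
    for ts, proto in packets:
        if proto != "icmp" or bucket.allow(ts):
            forwarded.append((ts, proto))
        else:
            dropped.append((ts, proto))
    return forwarded, dropped


def constructed_timeline():
    """A 100-packet ICMP burst in 10 ms, one TCP packet during it, one ping 5 s later."""
    flood = [(i * 0.0001, "icmp") for i in range(100)]
    flood += [(0.005, "tcp"), (5.0, "icmp")]
    return sorted(flood)


if __name__ == "__main__":
    forwarded, dropped = filter_icmp(constructed_timeline())
    icmp_ok = sum(1 for _, p in forwarded if p == "icmp")
    print(f"forwarded {len(forwarded)} ({icmp_ok} icmp), dropped {len(dropped)} icmp")
```

During the burst only the first ten echo requests get through and the remaining ninety are dropped, while the TCP packet in the middle of the flood and the ordinary ping five seconds later (by which time the bucket has refilled) are both forwarded.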




Sniffer attack



A sniffer is an application that can capture network packets. Sniffers are also known as network protocol analyzers. If network packets are not encrypted, the data inside them can be read with a sniffer.


Sniffing is the process attackers use to capture network traffic with a sniffer. Once packets are captured, their contents can be analysed. Attackers use sniffers to capture sensitive network information such as passwords and account details.


The following diagram shows how this type of attack is performed:

The only effective defence against a sniffer attack is to have encryption set up end-to-end.

References:

http://en.wikipedia.org/wiki/IP_address_spoofing
http://www.webopedia.com/TERM/I/IP_spoofing.html
http://en.wikipedia.org/wiki/Denial-of-service_attack
http://www.omnisecu.com/security/sniffer-attack.htm