
Identifying Network Foundation Protection Deployment Models

Network Foundation Protection (NFP) is not deployed identically in every environment. Factors that influence the deployment include network size, network type (enterprise, service provider, small/medium business), and the type of equipment being deployed, because the platform determines which NFP features are available. For enterprise networks large enough to have all three layers of the Cisco Hierarchical Network design model, it is important to apply security measures at the appropriate layer. Most of the techniques are configured at the access layer, because that is typically the point at which most attacks, whether intentional or not, will occur. The deployment of the security tools mirrors the way network features are deployed in the hierarchical design model. The core layer is focused on moving traffic at the highest rates possible, so minimal services run there; the core has only device hardening and routing protocol authentication. Device hardening and routing protocol authentication are also important at the distribution layer, but other controls, such as NetFlow telemetry export for traffic analysis, are added at the distribution layer. The access layer is where the bulk of the security controls are configured. This is the point at which users first enter your network, so it is where you want the controls that prevent malicious actions as well as innocent mistakes. Figure 3-1 shows the enterprise model with each layer's security controls.
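As an added example (not from the original text and not taken from Cisco's design guides), the following Cisco IOS configuration shows what the core and distribution controls named above look like on a distribution-layer router: management-plane hardening, OSPF neighbor authentication with a key chain, and NetFlow export to a collector. The hostname, addresses (RFC 5737 and private ranges used as placeholders), key strings, domain name and interface names are assumptions; a core device would carry the same configuration without the NetFlow export. The `ip ospf authentication key-chain` form requires IOS 15.4(1)T or later (or IOS XE); on older releases the equivalent is `ip ospf message-digest-key 1 md5 <key>` plus `ip ospf authentication message-digest` on the interface.

```ios
! Management-plane hardening (core and distribution): remove unneeded
! services, encrypt stored secrets, and allow only SSHv2 from an assumed
! management subnet. All addresses below are placeholders.
hostname DIST-1
no service pad
no ip http server
no ip http secure-server
no ip source-route
no ip bootp server
service password-encryption
service tcp-keepalives-in
! Slow down brute-force login attempts against the VTY lines
login block-for 120 attempts 3 within 60
! Assumed domain name; required before an SSH host key can be generated
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip access-list standard MGMT-IN
 remark Assumed management subnet
 permit 192.0.2.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
 exec-timeout 10 0
!
! Routing protocol authentication (core and distribution): every OSPF
! adjacency must present a valid HMAC-SHA-256 keyed digest. The key string
! is a placeholder; rotate keys by adding a second key to the chain.
key chain OSPF-KEYS
 key 1
  key-string REPLACE-WITH-STRONG-SECRET
  cryptographic-algorithm hmac-sha-256
!
router ospf 1
 router-id 10.255.0.1
 ! No adjacencies on access-facing ports; only the uplink forms neighbors
 passive-interface default
 no passive-interface GigabitEthernet0/1
!
interface GigabitEthernet0/1
 description Uplink to CORE-1 (assumed addressing)
 ip address 10.0.12.1 255.255.255.252
 ip ospf authentication key-chain OSPF-KEYS
 ! Distribution only: feed ingress flows to NetFlow
 ip flow ingress
!
! NetFlow telemetry export (distribution only): v9 records to an assumed
! collector so traffic analysis can reveal scans, floods and misbehaving
! hosts below this layer.
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 192.0.2.50 2055
```

After applying this, `show ip ospf neighbor` should still list the uplink neighbor (an unauthenticated neighbor will drop to INIT or disappear), and `show ip flow export` confirms that records are leaving toward the collector.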

Small and medium businesses (SMB) will not typically have the network deployed using the Cisco Hierarchical Network design model. These smaller networks will not always have dedicated routers and switches at each layer, so the services of the three layers are configured on the same devices, which in turn means that the security controls found at the access layer of the enterprise model need to be configured on all devices in this scenario. Figure 3-2 shows the SMB model and describes the controls that are deployed on all devices because of the collapsed nature of the model.

The service provider network will generally be deployed using the Cisco Hierarchical Network design model. The deployment of the Network Foundation Protection strategy will follow the same principles as the enterprise model, with the following differences:

- Service providers can use dedicated links, Point-to-Point Protocol (PPP), or PPP over Ethernet (PPPoE) to authenticate users prior to allowing access to services.
- Service providers should provide separation between customers so that attacks cannot propagate from one customer to another.
- Service providers will benefit from infrastructure ACLs that prevent undesired traffic from being sent directly to the control planes of service provider devices.

Figure 3-3 shows the similarity of the service provider model to the enterprise model, with some features that are specific to the service provider. Reference material to assist network and security professionals with deploying Cisco Network Foundation Protection is found in the following documents:

- SAFE - Network Foundation Protection design guide
- SAFE - Enterprise Branch design guide
- Service Provider Infrastructure Security Techniques
- Cisco IOS Network Foundation Protection white papers

Links to these resources can be found in the References section.
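As an added example, not taken from the book or from the Cisco documents it cites, here is the shape of an infrastructure ACL (iACL) on a service provider edge router. It permits only the traffic legitimately destined to the router's own addresses (the eBGP session with the attached customer or peer, plus the ICMP needed for path MTU discovery and troubleshooting), drops everything else addressed to the provider's infrastructure block, and lets transit traffic through untouched. The prefixes are RFC 5737 documentation ranges standing in for the provider's loopback/link block and the neighbor, and the interface name is assumed. A production iACL would additionally permit the provider's own management and monitoring sources, which the text does not enumerate.

```ios
! Assumed addressing (placeholders):
!   198.51.100.0/24  provider infrastructure block (loopbacks, link nets)
!   198.51.100.1     this router's address on the customer-facing link
!   203.0.113.2      the customer/peer router's address (eBGP neighbor)
ip access-list extended INFRA-ACL
 ! Anti-spoofing: packets claiming a source inside our own infrastructure
 ! block must never arrive from outside.
 deny   ip 198.51.100.0 0.0.0.255 any
 ! Non-initial fragments carry no port numbers, so they cannot be matched
 ! by the port-specific permits below; drop them first so they cannot slip
 ! past toward the control plane.
 deny   ip any 198.51.100.0 0.0.0.255 fragments
 ! eBGP with the configured neighbor only, covering both TCP directions
 ! (neighbor-initiated session, and replies to a session we initiated).
 permit tcp host 203.0.113.2 host 198.51.100.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 198.51.100.1
 ! Minimal ICMP so path MTU discovery and traceroute keep working.
 permit icmp any 198.51.100.0 0.0.0.255 echo
 permit icmp any 198.51.100.0 0.0.0.255 echo-reply
 permit icmp any 198.51.100.0 0.0.0.255 ttl-exceeded
 permit icmp any 198.51.100.0 0.0.0.255 packet-too-big
 permit icmp any 198.51.100.0 0.0.0.255 unreachable
 ! Everything else aimed at the infrastructure block is dropped; the
 ! counter on this entry (show access-lists) reveals probing of devices.
 deny   ip any 198.51.100.0 0.0.0.255
 ! Transit traffic to and from customers is not the iACL's concern.
 permit ip any any
!
interface GigabitEthernet0/0
 description Customer-facing edge link (assumed)
 ip address 198.51.100.1 255.255.255.252
 ip access-group INFRA-ACL in
```

The final `deny` deliberately carries no `log` keyword: on a busy edge link, logging every dropped packet punts them to the CPU and turns the iACL itself into a control-plane load, which is the opposite of its purpose. Verify with `show access-lists INFRA-ACL` that the BGP permits are incrementing and that the deny counter, not the BGP session, is what absorbs unsolicited traffic.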

Identifying Network Foundation Protection Feature Availability


The following sections provide detailed information about the availability of Network Foundation Protection security controls on the wide array of Cisco devices.

Cisco Catalyst Switches


Generally, the security features found in the control and management planes are the same on almost all the platforms; however, data plane security features are highly platform dependent. Cisco Catalyst switches offer a comprehensive set of security features across their control plane, data plane, and management plane. Almost all the data plane functions are executed in hardware Application Specific Integrated Circuits (ASICs). Each platform has ASICs that are specific to that platform's functional design. In other words, the different switch platforms (access switch, data center switch, enterprise distribution/core switch) have different ASICs, which explains why the availability of data plane security controls is highly platform specific. Table 3-6 shows each functional plane on a Cisco Catalyst IOS switch and its corresponding available security controls.

Cisco Integrated Services Routers (ISR)


Unlike on the Cisco Catalyst switches, almost all the security features are available on the ISR because the special ASICs found on the Catalyst switches are absent. On ISRs, except for some special functions that can be processed on certain hardware modules, all the security functionality is handled by the router's main CPU. Because the ISR uses the main CPU to process its features, it provides a much broader set of security features; an organization that purchases devices in the ISR family can expect to have all the Network Foundation Protection security features available for securing its infrastructure. There is another consequence of handling everything on the router's main CPU: rather than the available security feature set being limited by a specific type of ASIC, owners of ISR models are limited only by the processor speed and memory in the device, so every enabled feature competes for the same CPU cycles.

As mentioned earlier, there are some exceptions to the CPU handling all security features. Data plane functions for VPN traffic can be offloaded to a hardware module; implementing cryptography on this specialized module moves the processor-intensive work of encrypting and decrypting ingress and egress traffic off the main CPU. Intrusion Prevention System (IPS) features can likewise be processed either in software on the main processor or on a dedicated hardware module. The IPS module makes additional IPS features available and improves performance because of the dedicated nature of the hardware. Table 3-7 shows the availability of security features and the functional plane to which they belong on a Cisco IOS Integrated Services Router (ISR).

Cisco Supporting Management Components

The following sections discuss the various Cisco Supporting Management components that complement Cisco Catalyst switches running Cisco IOS Software and the Cisco Integrated Services Routers (ISR).

Cisco Configuration Professional (CCP)


The Cisco Configuration Professional (CCP) is a GUI device management application for Cisco ISRs. It is provided by Cisco at no charge. It makes several complex configuration tasks very simple through the use of built-in wizards. Configuration tasks that can be completed using smart wizards include general router and firewall configuration, IPS, VPN, and Unified Communications features. Also included is a feature that hardens a router by automatically implementing a wide array of security settings that essentially lock down the router without having to configure each feature individually. Another feature included in CCP is a security audit, in which the device's security configuration is checked and recommendations are made based on best practices provided by the Cisco Technical Assistance Center (TAC).

Cisco Security Manager (CSM)


Cisco Security Manager (CSM) is an application that can be used to deploy and manage security features on Cisco devices. CSM is designed to help large enterprise customers or service providers deploy their Cisco Network Foundation Protection strategy with more ease and consistency than they could achieve by performing the tasks manually. CSM gives organizations the capability to deploy and manage Cisco firewalls, VPNs, IPS sensors, and the Cisco IOS Software firewall and IPS features on the ISRs. CSM includes a workflow process with approval features, and it integrates with Cisco Secure Access Control Server (ACS) to provide role-based access control (RBAC) and with Cisco Security Monitoring, Analysis, and Response System (CS-MARS) to correlate events with firewall rules.

Cisco Secure Access Control Server (CS ACS)


The Cisco Secure Access Control Server (CS ACS) is an authentication server that supports the TACACS+ and RADIUS protocols. Despite the growing complexity of today's networks, Cisco Secure ACS provides authentication, authorization, and accounting (AAA) services for several connection types, devices, and users/groups:

- CS ACS provides AAA services for device administration by authenticating users and authorizing commands while maintaining logs that provide audit trails.
- CS ACS integrates with remote access devices to enforce corporate security policies for remote access users and for external connections from third-party vendors and partners.
- CS ACS provides authentication and authorization for wireless users and devices to mitigate attacks launched through wireless connections.
- CS ACS integrates with Network Admission Control access servers to validate and enforce posture requirements and access restrictions.
- CS ACS provides a centralized platform from which security administrators can manage a wide range of security policies, protocols, and other requirements.
- CS ACS supports other authentication platforms, such as Microsoft Windows Active Directory and Lightweight Directory Access Protocol (LDAP) servers, which allows organizations to capitalize on technologies that are already in place.

CS ACS can be deployed as software (a Microsoft Windows Server application), as hardware (an appliance), or as a virtual appliance (VMware vSphere).
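The first bullet above, device administration with per-command authorization and an audit trail, is the CS ACS use that most directly supports NFP management-plane protection. As an added example (not from the book or Cisco's ACS documentation), the following Cisco IOS configuration points a router at a TACACS+ server for login authentication, EXEC and command authorization, and command accounting. The server address, shared secret, local fallback account and source interface are assumptions. The `tacacs server` block syntax requires IOS 15.1 or later; older releases use `tacacs-server host` with the same effect.

```ios
! Assumed: CS ACS at 192.0.2.20 (placeholder), placeholder shared secret,
! Loopback0 as the source of all TACACS+ traffic.
aaa new-model
!
tacacs server ACS-1
 address ipv4 192.0.2.20
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
!
aaa group server tacacs+ ACS-GROUP
 server name ACS-1
ip tacacs source-interface Loopback0
!
! Authentication: ask ACS first. The trailing "local" method is used only
! when no ACS server answers at all, never when ACS rejects the user.
aaa authentication login ADMIN-LOGIN group ACS-GROUP local
aaa authentication enable default group ACS-GROUP enable
!
! Authorization: the EXEC shell and every level-1 and level-15 command are
! checked against ACS, which is what gives per-command control per user
! or group. config-commands extends this to configuration-mode commands.
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 1 default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
aaa authorization config-commands
!
! Accounting: record session start/stop and every command executed, so
! the ACS logs form the audit trail for device administration.
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 1 default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! Local break-glass account, reachable only when every ACS server is
! unreachable because of the method-list ordering above.
username admin-fallback privilege 15 secret REPLACE-WITH-LOCAL-SECRET
!
line vty 0 4
 login authentication ADMIN-LOGIN
 transport input ssh
```

Before committing this on a production device, keep an existing session open, apply the configuration, and confirm with `test aaa group ACS-GROUP <user> <password> legacy` and a fresh SSH login that ACS answers; only then close the original session. The accounting lines send each command to ACS after it runs, so `show` output on the router (`show aaa sessions`, `debug tacacs`) is for troubleshooting, while the durable audit trail lives on the ACS server.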

Cisco IOS Software Certificate Server


Cisco also provides a limited-functionality certificate server. The Cisco IOS Software Certificate Server is a certificate server that runs inside the Cisco IOS Software. The benefits are as follows:

- Easier deployment of public-key infrastructure (PKI)-based services using the built-in support for device default behaviors.
- The software is integrated with the Cisco IOS Software, which alleviates the need to purchase a separate server or appliance.

Cisco Security Monitoring, Analysis, and Response System (CS-MARS)


With the heightened awareness of the need for security controls comes an ever-increasing amount of security log data. Log data from devices such as firewalls, intrusion prevention systems, and authentication servers arrives at alarming rates. Monitoring these logs is daunting to say the least; in larger organizations it is not even feasible to keep up with analysis of the log data manually. The Cisco Security Monitoring, Analysis, and Response System (CS-MARS) is an application that analyzes log data and transforms it into usable graphical information that security administrators can use to react efficiently to attacks and breaches:

- CS-MARS can identify threats by using the information it receives to become aware of your environment.
- Using this awareness and event correlation, CS-MARS makes recommendations for actions that can be taken to mitigate current threats.
- Integration with Cisco Security Manager allows administrators to simply approve the mitigation technique recommended by CS-MARS, and the change is deployed to stop the threat.

Cisco IPS Manager Express


Cisco IPS Manager Express is a free event-monitoring solution for Cisco IPS events, including the IPS functionality provided by Cisco IOS Software running on a Cisco ISR. The application can assist in configuring, managing, and tuning Cisco IPS sensors, Cisco Advanced Inspection and Prevention Security Modules, Cisco Catalyst 6500 Series Intrusion Detection System Modules, Cisco IDS Network Modules, and Cisco IOS IPS software and modules. Besides reporting capabilities, the software also has a real-time event viewer for troubleshooting current events.
