The Cisco IOS software supports a variety of security features, and the Security Configuration Guide describes how to configure each of these security features.
This chapter provides an overview of these security features and also discusses how to create an effective security policy, which defines your plan for protecting your network resources.
An effective security policy works to ensure that your organization's network assets are protected from sabotage and from inappropriate access, both intentional and accidental. These assets include all networked hosts (including the hosts' operating systems, network applications, and data), all networking devices (such as routers), and all network data (data that traverses the network).
Organizations cannot afford to overlook the importance of protecting their networks. This is even more true for organizations that have connections to external public networks, such as the Internet or other service provider networks. If you do not take sufficient measures to provide network security, intruders can easily find ways to disrupt or halt your network activities or to collect proprietary information.
Cisco Systems, Inc. strongly recommends a systematic approach to security that includes multiple, overlapping security methods.
For configuration information about specific security features, refer to the appropriate chapter in this publication.
The Cisco IOS security architecture provides a modular, scalable security system. By selecting appropriate Cisco IOS security features, you can create an effective, comprehensive network security policy for your organization. To develop such a policy, you need to carefully evaluate which security features you require for your network.
With all security policies, there is some trade-off between user productivity and security measures that can be restrictive and time consuming. The goal of any security design is to provide maximum security with minimum impact on user access and productivity. Some security measures, such as network data encryption, do not restrict access and productivity. On the other hand, cumbersome or unnecessarily redundant verification and authorization systems can frustrate users and even prevent access to critical network resources.
A security policy should not determine how a business operates; the nature of the business should dictate the policy. By defining a security policy before choosing security methods, organizations can avoid redesigning security methodologies after they are implemented.
Security policies should be living documents. Because organizations are constantly subject to change, security policies must be systematically updated to reflect new business directions, technological changes, and resource allocations.
To develop an effective security policy, consider the following recommendations:
Because it is virtually impossible to know who might be an intruder, you need to understand your organization's assets before you develop a security policy. You must understand what you want to protect, what access is needed, and how these considerations work together. Some parts of an infrastructure can be left more exposed than others because there is less cost involved if they are compromised.
Your network assets can include all networked hosts (including the hosts' operating systems, applications, and data), all networking devices (such as routers), and all network data (data that traverses the network).
An organization must understand how potential intruders can enter its network. Special areas of consideration are network connections, dial-up access points, and misconfigured hosts. Misconfigured hosts, frequently overlooked as points of network entry, can be systems that have unprotected login accounts (guest accounts), place extensive trust in remote commands (such as rlogin and rsh), have unauthorized modems attached to them, or use easy-to-break passwords.
Organizations can create multiple barriers within networks, so that unlawful entry to one part of the system does not automatically grant entry to the entire infrastructure. Although maintaining a high level of security for the entire network can be prohibitively expensive (in terms of systems and equipment as well as productivity), you can often provide high levels of security to the more sensitive areas of your network.
Every security system has underlying assumptions. For example, an organization might assume that its network is not tapped, that intruders are not very knowledgeable, that intruders are using standard software, or that a locked room is safe. It is important to examine and justify assumptions: any hidden assumption is a potential security hole.
Some security measures inevitably inconvenience some sophisticated users. Security can delay work, create expensive administrative and educational overhead, use significant computing resources, and require dedicated hardware.
When you decide which security measures to implement, you must understand their costs and weigh these against potential benefits. If the security costs are out of proportion to the actual dangers, it is a disservice to the organization to implement them.
If security measures interfere with essential uses of the system, users resist these measures and sometimes even circumvent them. Many security procedures fail because their designers do not take this fact into account. For example, because automatically generated "nonsense" passwords can be difficult to remember, users often write them on the undersides of keyboards. A "secure" door that leads to a system's only tape drive is sometimes propped open. For convenience, unauthorized modems are often connected to a network to avoid cumbersome dial-in security procedures. To ensure compliance with your security measures, users must be able to get their work done as well as understand and accept the need for security.
Any user can compromise system security to some degree. For example, an intruder can often learn passwords by simply calling legitimate users on the telephone claiming to be a system administrator and asking for them. If users understand security issues and understand the reasons for them, they are far less likely to compromise security in this way.
The definition of such human factors, and any corresponding policies, must be included as a formal part of your complete security policy.
At minimum, users must be taught never to release passwords or other secrets over unsecured telephone lines (especially through cordless or cellular telephones) or electronic mail. They should be wary of questions asked by people who call them on the telephone. Some companies have implemented formalized network security training for their employees in which employees are not allowed access to the network until they have completed a formal training program.
Most security is based on secrets; for example, passwords and encryption keys are secrets. But the more secrets there are, the harder it is to keep all of them. It is prudent, therefore, to design a security policy that relies on a limited number of secrets. Ultimately, the most important secret an organization has is the information that can help someone circumvent its security.
Almost any change that is made to a system can affect security. This is especially true when new services are created. System administrators, programmers, and users need to consider the security implications of every change they make. Understanding the security implications of a change takes practice; it requires lateral thinking and a willingness to explore every way that a service could potentially be manipulated. The goal of any security policy is to create an environment that is not susceptible to every minor change.
Understand how your network system normally functions, know what is expected and unexpected behavior, and be familiar with how devices are usually used. This kind of awareness helps the organization detect security problems. Noticing unusual events can help catch intruders before they can damage the system. Software auditing tools can help detect, log, and track unusual events. In addition, an organization should know exactly what software it relies on to provide auditing trails, and a security system should not operate on the assumption that all software is bug-free.
The physical security of your network devices and hosts cannot be neglected. For example, many facilities implement physical security by using security guards, closed circuit television, card-key entry systems, or other means to control physical access to network devices and hosts. Physical access to a computer or router usually gives a sophisticated user complete control over that device. Physical access to a network link usually allows a person to tap into that link, jam it, or inject traffic into it. Software security measures can often be circumvented when access to the hardware is not controlled.
The Cisco IOS software provides many different security features. These features are briefly described in the following sections:
Each of these features is also described in a corresponding chapter in this publication.
If you have one or two routers providing access to your network, you probably want to store username and password security information on the Cisco router. This is referred to as local authentication. (See Figure 2.)
As your network grows, you need a centralized security database that provides username and password information to each of the routers on the network. This centralized security database resides in a security server. (See Figure 3.)
A remote, centralized security database is convenient when you have a large number of routers providing network access because it prevents you from having to update each router with new or changed username authentication and authorization information for potentially hundreds of thousands of dial-in users. A centralized security database also helps establish consistent remote access policies throughout a corporation.
The Cisco router exchanges user authentication information with a TACACS+ or RADIUS database on the security server by transmitting TACACS+ or RADIUS packets across the network.
The CiscoSecure product from Cisco Systems, Inc. is an example of a remote security database server. CiscoSecure is a UNIX security daemon solution in which the administrator creates a database that identifies network users and defines their privileges. CiscoSecure uses a central database that stores user and group profiles with authentication and authorization information.
Network access security controls access to network devices from outside the network.
With network access security, you can also configure additional levels of verification required to authenticate users. With TACACS+ and CiscoSecure, for example, if a user enters the correct password, the system can then prompt for additional information, such as the user's date of birth, mother's maiden name, and so on.
You can use any of the following tools to control access to network devices:
RADIUS, Kerberos, and TACACS+ are supported by the authentication, authorization, and accounting (AAA) facility. AAA is configured at individual routers.
Authentication allows you to assign different authentication protocols to different router interfaces. For example, on one interface you can use the RADIUS protocol and on other interfaces you can use the Kerberos protocol, or even a locally defined password. Enabling AAA allows you to mix and match protocols supported by AAA facilities along with local passwords, line passwords, and enable passwords.
For authentication, you can also configure TACACS, extended TACACS, CHAP, and PAP, which are not supported by the AAA facilities. You cannot mix and match protocols if you use TACACS or extended TACACS.
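The following Python model, added here and not part of the guide, shows how an AAA method list combines a security-server protocol (RADIUS) with a local password database, and the rule a practitioner most often gets wrong: the router moves to the next method only when the current one returns an error (for example, the server does not answer), never when the server definitively rejects the user. The usernames, passwords and the `group radius local` method-list line are constructed for illustration.

```python
from typing import Callable, Dict, List, Tuple

# Every method answers "pass", "fail" (a definitive reject) or "error"
# (no usable answer, for example the security server did not respond).
Method = Callable[[str, str], str]

def local_method(users: Dict[str, str]) -> Method:
    """Usernames and passwords stored on the router itself (local authentication)."""
    def auth(user: str, password: str) -> str:
        return "pass" if users.get(user) == password else "fail"
    return auth

def radius_method(server_db: Dict[str, str], reachable: bool) -> Method:
    """Stand-in for the RADIUS exchange with the security server; the
    constructed 'reachable' flag models whether the server answers at all."""
    def auth(user: str, password: str) -> str:
        if not reachable:
            return "error"
        return "pass" if server_db.get(user) == password else "fail"
    return auth

def authenticate(methods: List[Tuple[str, Method]], user: str,
                 password: str) -> Tuple[bool, List[str]]:
    """IOS method-list semantics: the next method is consulted only when the
    current one returns an error. A definitive fail stops the list, so a
    local password never overrides a reject from the security server."""
    trail: List[str] = []
    for name, method in methods:
        result = method(user, password)
        trail.append(f"{name}:{result}")
        if result == "pass":
            return True, trail
        if result == "fail":
            return False, trail
    return False, trail   # every method errored: nobody vouched for the user

# Constructed sample data (placeholder passwords, not real credentials).
SERVER_DB = {"alice": "server-pw"}
LOCAL_DB = {"admin": "console-pw", "alice": "stale-local-pw"}

def login(user: str, password: str, server_up: bool) -> Tuple[bool, List[str]]:
    # Assumed equivalent IOS method list:
    #   aaa authentication login default group radius local
    methods = [("radius", radius_method(SERVER_DB, server_up)),
               ("local", local_method(LOCAL_DB))]
    return authenticate(methods, user, password)
```

Note the second trail: when the server is reachable and rejects alice, her stale local password is never consulted, whereas the local entry does take effect once the server is unreachable, so the local database must be kept as carefully as the central one.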
TACACS supports the use of token cards. The token card system relies on a physical card that must be in the user's possession to provide authentication by use of one-time-only passwords. By using the interfaces provided in the TACACS server software, third-party companies can offer these enhanced TACACS services.
CHAP and PAP are authentication protocols used only in conjunction with the Point-to-Point Protocol (PPP). For example, if you wish to initiate a PPP session from a router with CHAP or PAP configured, you must complete CHAP or PAP authentication before the link is brought up.
Authorization allows you to define user parameters such as user privilege levels and network filters. For example, you can assign an access control list (ACL) to a user to restrict the user from accessing certain other network locations.
Accounting allows you to track use of network services for billing or security. Refer to the section "AAA Accounting and Billing" for more information.
For more information about configuring network access security, refer to the chapter "Configuring Network Access Security" in this publication.
Terminal access security refers to securing access to the router and includes control over access to privileged EXEC (enable) mode and, therefore, configuration mode on the router. An unauthorized user with access to configuration mode could compromise all resources inside the network.
Typically, you want administrators to have access to your router; you do not want other users on your local area network or those dialing in to the network to have access to the router.
Users can access a router by dialing in from outside the network through an asynchronous port, connecting from outside the network through a serial port, or connecting via a terminal or workstation from within the local network.
You protect access to your router terminal by performing the following tasks, which are described in the "Configuring Terminal Access Security" chapter:
The third AAA service, accounting, provides an audit record of user activity on specified network services.
The accounting service can compile records of all activity on the router. AAA accounting is not provided as a stringent security feature and is often used merely for billing or management. However, you should be aware of unusual user activity within your routers, and AAA accounting provides a way to keep track of user activity on the router.
For more information about AAA accounting, refer to the chapter "Configuring Accounting" in this publication.
Using traffic filters allows you to control whether routed traffic is forwarded or blocked at the router interfaces. Without traffic filters, all routed traffic passing through the router is allowed onto all parts of your network.
By using traffic filters, you can control who has access to specific parts of your network. For example, you can allow one host to access a part of your network and prevent another host from accessing the same area. In Figure 4, Host A is allowed to access the Human Resources network and Host B is prevented from accessing the Human Resources network.
You can prevent (or block) traffic from entire networks from entering other networks. Traffic filters are commonly used in "firewalls." For example, a router configured for traffic filtering can be positioned between your organization's internal network and an external network such as the Internet. Firewalls are designed to prevent unauthorized, external individuals from gaining access to your internal network, while at the same time allowing your internal users access to the Internet.
You can even use traffic filters to decide which types of traffic are forwarded or blocked at the router interfaces. For example, you can permit e-mail traffic to be routed, but at the same time block all Telnet traffic.
Traffic filters are used for traffic flow control, but they can also provide a useful security service because they allow you to control access to sensitive information. Traffic filters do not authenticate individual users, but only determine whether routed traffic is forwarded or blocked based on information embedded within the traffic itself. This information can be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information. Note that sophisticated users can sometimes successfully evade or fool traffic filters because no authentication is required.
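As an added example (not from the guide), the following Python model evaluates a Cisco-style extended access list with the semantics described above: entries are checked in order, the first match decides, and a packet matching nothing is dropped by the implicit deny. It encodes the Figure 4 scenario (Host A permitted into the Human Resources network, Host B not) together with the "permit e-mail, block Telnet" rule; all addresses are constructed, and the equivalent IOS `access-list` lines appear as comments.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.IPv4Address(pkt.src) not in self.src:
            return False
        if ipaddress.IPv4Address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport

def net(addr: str, wildcard: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """Cisco wildcard (0 bit = must match, 1 bit = don't care) to a network."""
    wild = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - wild.bit_length()
    if wild != (1 << (32 - prefix)) - 1:
        raise ValueError("non-contiguous wildcard masks are not supported here")
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
ANY = net("0.0.0.0", "255.255.255.255")   # the IOS keyword "any"

def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """IOS semantics: the first matching entry decides; no match is an implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"

# Constructed: HR network 10.1.1.0/24, mail server 10.1.1.25, Host A 10.2.2.10, Host B 10.2.2.20.
HR_FILTER = [
    # access-list 101 deny   tcp any any eq telnet
    AclEntry("deny", "tcp", ANY, ANY, 23),
    # access-list 101 permit tcp any host 10.1.1.25 eq smtp
    AclEntry("permit", "tcp", ANY, net("10.1.1.25"), 25),
    # access-list 101 permit ip host 10.2.2.10 10.1.1.0 0.0.0.255
    AclEntry("permit", "ip", net("10.2.2.10"), net("10.1.1.0", "0.0.0.255")),
    # implicit final entry: access-list 101 deny ip any any
]
def check(src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None) -> str:
    return evaluate(HR_FILTER, Packet(src, dst, proto, dport))
```

Ordering matters: because the Telnet deny precedes Host A's permit, `check("10.2.2.10", "10.1.1.5", "tcp", 23)` returns "deny" while the same host on port 80 is permitted; and since the decision rests on the source address alone, the filter cannot tell who actually sent a packet, which is the authentication gap the paragraph above points out.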
For more information about traffic filters, refer to the chapter "Configuring Traffic Filters" in this publication. This chapter also provides general traffic filter configuration information, and lists where to find information about configuring traffic filters for specific routed protocols.
The router access security feature in the Cisco IOS software allows you to configure "neighbor authentication." When neighbor authentication is configured on a router, the router authenticates its neighbor router before accepting any route updates from that neighbor. This ensures that a router always receives reliable routing update information from a "trusted" source.
This feature can play a key part in your security design. For example, a security compromise can occur if an incorrect route update diverts your network traffic to an unauthorized location.
For more information about neighbor authentication, refer to the chapter "Controlling Router Access" in this publication. This chapter also describes where to find specific information about configuring neighbor authentication.
Network data encryption is used to prevent routed traffic from being examined or tampered with while it travels across a network. This feature allows packet-level data to be encrypted at a Cisco router, routed across a network as encrypted information, and decrypted at the destination Cisco router.
Typically, you do not use network data encryption for traffic that is routed through networks that you consider secure. Consider using network data encryption for traffic that is routed across unsecured networks, such as the Internet, if your organization could be damaged if the traffic is examined or tampered with by unauthorized individuals.
Network data encryption is available for IP traffic. Figure 5 illustrates the encryption of an IP packet as it travels across an unsecured network.
For more information about network data encryption, refer to the chapter "Configuring Network Data Encryption with Router Authentication," in this publication.