
Cisco IOS Security Architecture



Abstract

Enterprise networks require systemwide security options that can provide coverage to workgroup, IBM internetworking, access, and core topologies (see Figure 1). These features must have the flexibility to respond to new security concerns as they arise and to upgrade as new technologies become available and cost-effective. This document describes how organizations can fulfill their enterprise security requirements with the Cisco Internetwork Operating System[tm] (Cisco IOS).


Figure 1: An Enterprise Network Topology


Introduction

Network security presents an organization with a challenging dilemma. To ensure comprehensive security, an organization must address all hosts, systems, applications, and networking devices with a policy that maximizes user convenience and productivity, while at the same time limiting security violations. For enterprise-wide security, no single technology will meet all the requirements; in fact, intruders find it easier to penetrate a network if security deployment is limited to any single method. Cisco Systems strongly recommends that its customers take a systematic approach to security by deploying multiple, overlapping security methods.

The Cisco IOS[tm] Security Architecture provides modular, scalable security. Firewalling, access management, host security, and encryption provide the foundation for security. Each of these security systems can be tuned with its own policy options to meet an organization's requirements.

Cisco views security from several perspectives. For corporate facilities, physical security is frequently based upon security guards, closed-circuit television, and card-key entry systems. With these measures in place, organizations feel confident that within their physical facilities, assets are protected and high user productivity is maintained. Cisco's approach to security allows an organization to extend this model by using the policy-based components of the Cisco IOS Security Architecture (firewalling, access management, host security, and encryption). The Cisco IOS Security Architecture as the basis for an organization's security policy has evolved over more than ten years of technological innovation (see Figure 2). Its cornerstone is the use of multiple, overlapping solutions to maintain an organization's security integrity.


Figure 2: Security Policy Supported by the Cisco IOS Security Architecture


Organizations must decide where to strike the balance between access and productivity for users and security measures that may be perceived as restrictive by the user community (see Figure 3).


Figure 3: The Security Balance


On one side of the balance beam shown in Figure 3 is access and productivity, and on the other side is security. The goal of a good design is to provide a balance while adding as few restrictions as possible from the users' point of view. Some very sound security measures, such as encryption, do not restrict access and productivity. On the other hand, poor security planning can cause reduced productivity and performance among users. How much access and productivity can a company stand to risk in the effort to maintain security?

Cisco responds to this question by suggesting that customers first define their security policies. Once they are defined, multiple security components can be attached to address policy requirements. Among them are the components of the Cisco IOS Security Architecture described earlier: firewalling, access management, host security, and encryption.

All of these components can be used to support security policy requirements with an eye on productivity. However, before discussing them in detail, this document further explains the requirements for an effective security policy.

Defining Policy

A security policy should not determine how a business operates; the nature of the business should dictate the policy. Defining a company's security policy can seem difficult, but by defining policy before choosing security methods, organizations can avoid having to redesign security methodologies after they are implemented.

A balanced security policy provides organizations with the following benefits:

Effective Security Policies

Security policies should consider the factors discussed in the following sections.

Knowing Your Assets

It is impossible to know who might be an organization's potential enemies; a better approach for the organization is to know itself. Companies must understand what they want to protect, what access is needed, and how these considerations work together. Some parts of an infrastructure can be left more open because there is little cost involved if they are compromised. Security measures cannot make it impossible for a user to perform unauthorized tasks with a computer system; they can only make it harder. Companies should be more concerned about their assets and their value than about an attacker's motivation.

Counting the Cost

Some security measures will inevitably reduce convenience, especially for sophisticated users. Security can delay work and create expensive administrative and educational overhead, as well as use significant computing resources and require dedicated hardware.

When designing security measures, companies should understand their costs and weigh them against the potential benefits. If the security costs are out of proportion to the actual dangers, it is a disservice to the organization to implement them.

Identifying Assumptions

Every security system has underlying assumptions. For example, an organization might assume that its network is not tapped, that intruders are not very knowledgeable, that they are using standard software, or that a locked room is safe. It is important to examine and justify assumptions; any hidden assumption is a potential security hole.

Controlling Secrets

Most security is based on secrets. For example, passwords and encryption keys are secrets. Too often, however, the secrets are not kept secret. The most important part of keeping secrets is knowing which areas must be protected. A company should jealously guard the knowledge that would enable someone to circumvent its security and assume that its adversaries know everything else. The more secrets there are, the harder it will be to keep all of them. Security systems should be designed so that only a limited number of secrets need to be kept.

Allowing for Human Factors

If security measures interfere with essential uses of the system, users will resist them and sometimes even circumvent them. Many security procedures fail because their designers do not take this fact into consideration. For example, because automatically generated "nonsense" passwords can be difficult to remember, they are often found written on the undersides of keyboards. For convenience, a "secure" door that leads to a system's only tape drive is sometimes propped open. For expediency, unauthorized modems are often connected to a network to avoid onerous dial-in security measures. To get compliance, users must be able to get their work done, but they also must understand and accept the need for security.

Any user can compromise system security, at least to some degree. For example, an intruder can often learn passwords by simply calling legitimate users on the telephone claiming to be a system administrator and asking for them. If users understand security issues and understand the reasons for them, they are far less likely to make an intruder's life easier.

At a minimum, users should be taught never to release passwords or other secrets over unsecured telephone lines (especially through cordless or cellular telephones) or electronic mail (e-mail). They should be wary of questions asked by people who call them on the telephone. Some companies have implemented formalized network security training for their employees; that is, employees are not allowed access to the network until they have completed a formal training program.

Limiting the Scope of Access

Companies must create appropriate barriers inside their systems so that if intruders access one part of a system, they do not automatically have access to the rest of it. They should consider partitioning the infrastructure to provide as much protection as is necessary for that component of the network (while incurring the associated cost). Although maintaining a high level of security on the entire infrastructure is difficult, it is often possible to do so for a smaller sensitive component.

Understanding the Environment

Understanding how a system normally functions, knowing what is expected and unexpected behavior, and being familiar with how devices are usually used will help the organization detect security problems. Noticing unusual events can help catch intruders before they can damage the system. Software auditing tools can help companies detect, log, and track those unusual events. In addition, an organization should know exactly what software it relies on, and the security system should not have to rely upon the assumption that all software is bug-free.

Remembering Physical Security

Physical access to a computer (or router) usually gives a sufficiently sophisticated user total control over that device. Physical access to a network link usually allows a person to tap into that link, jam it, or inject traffic into it. Software security measures can often be circumvented when access to the hardware is not controlled.

Providing Pervasive Security

Almost any change that is made to a system can affect security. This is especially true when new services are created. System administrators, programmers, and users should consider the security implications of every change they make. Understanding the security implications of a change takes practice; it requires lateral thinking and a willingness to explore every way that a service could potentially be manipulated. The goal of good security design and policy is to create an environment that is not susceptible to every minor change.

Focusing on Points of Attack

An organization must understand how potential intruders can enter its network. Special areas of consideration are network connections, dial-up access points, and misconfigured hosts. The last of these is frequently overlooked. Misconfigured hosts include systems with unprotected login accounts (such as guest accounts), extensive trust in remote "r" commands (such as rlogin), unauthorized modems hanging off a networked host, and easy-to-break passwords.

Technical Considerations

It is important to understand the technological considerations of network security. In some instances, organizations are bound by architectural, technical, and protocol limitations. Some organizations do not have the capacity or resources to replace legacy systems, and these technologies may no longer be supported by their original vendors. In these cases, it may not be possible to implement new technical options such as encryption.

Security policies are living documents. Because organizations are constantly subject to change, security policies must be systematically updated to reflect new business directions, technological changes, and resource allocations.

The Importance of Firewall Routers

For the past several years, routers have typically functioned as the only things standing between an organization's intellectual assets and its network. Routers are uniquely positioned, designed, and technically equipped to control and report packet flow at various levels of the Open Systems Interconnection (OSI) reference model that describes the various network functions. As the networks of today become more accessible and capable, and as more companies connect by way of cost-effective remote access devices, the level of risk increases. A router positioned to provide security on the periphery of the network is often referred to as a "firewall router" (see Figure 4). The functionality within the router providing firewalling is referred to as access control lists (ACLs). The primary function of ACLs is to provide filtering.


Figure 4: Firewall Routers Form the First Line of Defense


However, providing robust filtering enhancements is not enough. Organizations need tools for reporting access control list violations. How can organizations know of attempts to intrude beyond firewall devices? The Cisco IOS Security Architecture offers ACL violation accounting and logging.

ACL Violation Accounting

Over time, an organization needs a historical perspective to ascertain which ACLs have been tested. This knowledge provides network managers with an understanding of how intruders are attempting to enter their enterprise networks. ACL violation accounting provides source and destination address information, source and destination port numbers, and packet counts.

ACL Violation Logging

Providing strong firewalling capabilities is not enough in today's world of networking; network managers need an option for centralized reporting. In the past, network managers did not know that they had been hit by a hacker until the damage was done. At that time, the only available early warning tool was to scan host log files. Although this is still an excellent method for security diagnostics, it does not scale well. ACL reporting tools help managers by providing violation information and prevention at the network perimeter. With Cisco's ACL violation logging, network managers receive periodic system log messages when ACL violations occur.
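The historical view of ACL violations described above (source and destination addresses, ports, and packet counts) can be built from the log messages the router emits. The following is an added example, not part of the original paper or of Cisco's software: a Python script that parses the %SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGDP syslog messages IOS generates for access-list entries carrying the log keyword, sums denied packets per flow, and ranks the sources. The log lines embedded in it are constructed.

```python
"""Summarize Cisco IOS ACL violation log messages into per-flow packet counts.

Added example, not part of the original paper. The message formats handled are
the ones IOS emits for ACL entries carrying the 'log' keyword:
  %SEC-6-IPACCESSLOGP  (tcp/udp, with ports)
  %SEC-6-IPACCESSLOGDP (icmp, with type/code)
The sample log lines below are constructed for illustration.
"""
import re
from collections import Counter
from typing import List, Optional, Tuple

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[A-Z]+): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, "
    r"(?P<count>\d+) packets?"
)

# (acl, source, destination, protocol, service); service is the destination
# port for tcp/udp, type/code for icmp, "-" for anything else
FlowKey = Tuple[str, str, str, str, str]

# Constructed sample: a router's syslog feed, including one non-ACL message
SAMPLE_LOG = [
    "Mar  1 00:12:34: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.1.5(1034) -> 10.1.1.10(23), 1 packet",
    "Mar  1 00:17:34: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.1.5(1035) -> 10.1.1.10(23), 14 packets",
    "Mar  1 00:18:02: %SEC-6-IPACCESSLOGP: list 101 denied udp 172.16.1.9(4000) -> 10.1.1.10(161), 3 packets",
    "Mar  1 00:19:40: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 172.16.1.5 -> 10.1.1.10 (8/0), 6 packets",
    "Mar  1 00:19:55: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.50(2049) -> 10.1.1.10(22), 1 packet",
    "Mar  1 00:20:01: %SYS-5-CONFIG_I: Configured from console by vty0",
]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one ACL log message, or None for other syslog traffic."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["service"] = rec["dport"] or rec["icmp"] or "-"
    return rec


def summarize(lines: List[str], action: str = "denied") -> Counter:
    """Sum packet counts per flow for the given action (default: denied).

    IOS logs the first matching packet at once and then a summarized count per
    logging interval (five minutes by default), so these totals are the
    router's own aggregates, not one line per packet."""
    totals: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == action:
            key: FlowKey = (rec["acl"], rec["src"], rec["dst"], rec["proto"], rec["service"])
            totals[key] += rec["count"]
    return totals


def top_sources(totals: Counter, n: int = 5) -> List[Tuple[str, int]]:
    """Rank source addresses by total packets: the 'who is testing my ACLs' view."""
    by_src: Counter = Counter()
    for (_acl, src, _dst, _proto, _svc), pkts in totals.items():
        by_src[src] += pkts
    return by_src.most_common(n)


if __name__ == "__main__":
    denied = summarize(SAMPLE_LOG)
    for (acl, src, dst, proto, svc), pkts in sorted(denied.items(), key=lambda kv: -kv[1]):
        print(f"acl {acl}: {src} -> {dst} {proto}/{svc}: {pkts} packets")
    print("top sources:", top_sources(denied))
```

Feeding the script a real syslog archive rather than SAMPLE_LOG gives the per-ACL history the text calls for; keying on destination port rather than source port is what groups a port scan's many ephemeral source ports into one flow.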

Access Management

Access management controls the means, approach, and release of resources, while providing for supervision and control (see Figure 5). Organizations are faced with the challenge of managing hosts and networking devices as well as telecommuters. The key is to provide the network manager with multiple methods for controlling access. Access management is an important aspect of the Cisco IOS Security Architecture. To address the magnitude of access requirements, the Cisco IOS Security Architecture provides customers with a wide range of access management capabilities. These capabilities are discussed in the sections that follow.


Figure 5: Access Management Protects against Intrusion


TACACS

Terminal Access Controller Access Control System (TACACS) provides a way to centrally validate every user individually before they can gain access to a router or access server. TACACS originated in the United States Department of Defense network community and is described in RFC 1492. The Cisco IOS implements TACACS to allow centralized control over who can access routers and access servers. Authentication can also be provided for Cisco IOS administration tasks on the user interfaces of routers and access servers. With TACACS enabled, the router or access server prompts the user for a user name and a password, then queries a TACACS server to see if the user provided the correct corresponding password. A TACACS server typically runs on a UNIX workstation. TACACS can be augmented with token card access (see the section "Token Card Access" later in this document).

TACACS+

Cisco also supports TACACS+, a completely new version of TACACS. TACACS+ provides separate and modular authentication, authorization, and accounting (referred to as triple A, or AAA) facilities. Many network managers are concerned with these requirements for their network access servers (NASs). In the past, the common approach has been through a unified protocol. TACACS+ allows a single access control server (the TACACS+ server) to provide each service (authentication, authorization, and accounting) independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network.

The overall goal for TACACS+ is to provide a methodology for managing dissimilar network access servers from a single set of management services. The Cisco family of access servers and the Cisco IOS user interface (for both routers and access servers) fall into this category. Access servers provide communication facilities for traditional "dumb" terminals, terminal emulators, workstations, personal computers (PCs), and routers, using a serial line framing protocol such as Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), Compressed SLIP (CSLIP), or AppleTalk Remote Access Protocol (ARAP). In other words, a NAS provides connections to a single user, to a network or subnetwork, and to interconnected networks. The entities that use the NAS to connect to a network are called network access clients (NACs); for example, a PC running PPP over a voice-grade circuit is a NAC.

Authentication

The authentication facility provides the ability to authenticate a user beyond a login and password dialog. A user can be challenged by a number of questions. Some examples are name, password, home address, mother's maiden name, service request (SLIP, CSLIP, PPP, XRemote, TTY, ARAP, or TN3270), and city of birth. This means that if a user's password is compromised, authentication will not necessarily be granted. The TACACS+ administrator can improve the dialog integrity by routinely changing the questions. The TACACS+ authentication service is flexible enough to send messages to users' screens. For example, a message might instruct users that their passwords need to be changed because of the company's password aging policy.

The TACACS+ protocol provides authentication between the access server and the TACACS+ server and also protects the confidentiality of the packets: the body of each packet, which carries the sensitive user information (such as passwords), is encrypted with a key shared between the access server and the TACACS+ server, so that information is never sent over the network in clear text. Only the packet header travels in the clear, and the protection is only as strong as the secrecy of the shared key.
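The confidentiality mechanism just described, worked as an added example (editor's code, not code from the paper or from Cisco): the body of each TACACS+ packet is XORed with an MD5-derived pad computed from the clear-text header fields and the key shared between the access server and the TACACS+ server, as the published TACACS+ specification (RFC 8907, section 4.5) defines it. The user name, password, key, session identifier and port strings are constructed.

```python
"""TACACS+ packet body protection, worked as an added example.

Not code from the paper or from Cisco. The construction follows the published
TACACS+ specification (RFC 8907, section 4.5): the body is XORed with a
pseudo-random pad derived by chained MD5 from the header fields and a key
shared by the access server and the TACACS+ server. User name, password, key
and session id below are constructed.
"""
import hashlib
import struct

VERSION_BYTE = 0xC0                 # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_FMT = "!BBBBII"              # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
    pad   = MD5_1 || MD5_2 || ... truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad. XOR is its own inverse, so the same call
    recovers the plaintext on the receiving side."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, password: bytes) -> bytes:
    """Authentication START body for a PAP login: action LOGIN(1), priv_lvl 1,
    authen_type PAP(2), authen_service LOGIN(1), four length bytes, then the
    variable fields; for PAP the data field carries the password."""
    fixed = bytes([1, 1, 2, 1, len(user), len(port), len(rem_addr), len(password)])
    return fixed + user + port + rem_addr + password


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Clear-text header followed by the obfuscated body (what the NAS sends)."""
    header = struct.pack(HEADER_FMT, VERSION_BYTE, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_BYTE, seq_no)


def decode_packet(packet: bytes, key: bytes) -> bytes:
    """What the TACACS+ server does: read the clear header, derive the pad, recover the body."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body                 # bodies flagged unencrypted are sent as-is
    return obfuscate(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    key = b"shared-router-secret"
    body = authen_start_body(b"jdoe", b"tty3", b"192.0.2.10", b"s3cret-pw")
    pkt = build_packet(body, session_id=0x1A2B3C4D, key=key)
    print("wire :", pkt.hex())
    print("clear:", decode_packet(pkt, key))
    # The pad depends only on the key plus clear-text header fields, so a wrong
    # key yields garbage, and nothing in the format detects tampering.
    print("wrong key:", decode_packet(pkt, b"guess"))
```

Two properties follow directly from the construction and are worth keeping in mind when deploying it: every input to the pad except the key is visible on the wire, so the key is the whole secret, and the XOR pad provides no integrity check, so a modified body decodes to garbage rather than being rejected.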

Authorization

The authorization component in TACACS+ allows for greater levels of control over user actions and can be used to create separate administrative groups based on user functionality. For example, a network manager can restrict a user to only perform certain functions on the access server's or router's user interface.

Auto-commands are user interface commands tied to users' profiles. For example, after certain users are authenticated, their profiles can automatically create a Telnet session to a specific host. Within the access server, a user's profile can be restricted to performing only auto-commands and connecting only to a specific host address.

Accounting

Network managers can use the accounting component to track user activity for a security audit or to provide information for user billing. A report can be structured to provide user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

Cisco has provided a general-purpose TACACS+ protocol specification for integrating TACACS+ servers with third-party products (such as token password cards) or a customer's own authentication, authorization, and accounting services. The intention is that services (such as Kerberos authentication) can be provided by a third party; this protocol specification provides access to such future services. TACACS+ is not constrained by a single mode of access; it is supported over SLIP, CSLIP, XRemote, PPP, ARAP, TN3270, X.25, and dumb terminals (TTYs).

Token Card Access

Many organizations are concerned about proper password handling. Individuals are frequently faced with remembering many passwords. People tend to resist having to change their passwords periodically and often resort to using common passwords and improper techniques to remember passwords (such as writing them under the keyboard). Organizations are also concerned with password "sniffing," whereby intruders capture passwords by monitoring user logins on the network. TACACS service on routers and access servers supports physical card key devices or token cards. The token card system relies on a physical card that must be in the user's possession to provide authentication by use of one-time passwords, so a captured password is of no further use to an intruder. By using the interfaces provided in the TACACS server software, third-party companies can offer these enhanced TACACS services. Token card vendors such as Enigma Logic Incorporated and Security Dynamics Incorporated support the TACACS and TACACS+ protocols.

Kerberos

Kerberos is a secret-key network authentication system developed at Massachusetts Institute of Technology (MIT) that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication. Kerberos was designed to authenticate requests for network resources. Kerberos, like other secret-key systems, requires trust in a third party; in this case, the Kerberos server. Cisco will integrate the client portion of Kerberos within the Cisco IOS in Cisco access servers.

Cisco IOS Privilege Levels

Each customer has unique access management requirements. System administrators can customize access to the Cisco IOS user interface by establishing privilege levels for access to routers and access servers. Up to 16 levels of access (0 through 15) can be established. Multiple privilege levels allow finer granularity of access: a separately stored, encrypted password can be set for each level of the Cisco IOS user interface, and individual commands can be assigned to a level. For example, an access level can be designed for a network controller who is required to perform various diagnostic commands such as debugging, while the security or network management policy prohibits configuration functions by the same users; the Cisco IOS interface can enforce the restriction.

Simple Network Management Protocol Access

The Simple Network Management Protocol (SNMP) is another method that can be used to access network devices. SNMP can be used to gather statistics or configure the router. The network manager may gather statistics with SNMP get-request and get-next-request messages and change router configurations with set-request messages. Each of these SNMP messages has a community string that is a clear text password sent in every packet between a management station and the router (which contains an SNMP agent). The SNMP community string is used to authenticate messages sent between the manager and agent. The agent will respond only when the manager sends a message with the correct community string.

Unfortunately, SNMP version 1 community strings are sent on the network in clear ASCII text. Thus, anyone who can capture a packet on the network can discover the community string, which may allow unauthorized users to query or modify routers via SNMP. The Internet community recognizes this problem and has greatly enhanced the security in SNMP version 2 (SNMPv2) as described in RFC 1446. SNMPv2 uses the MD5 message digest algorithm to authenticate communications between an SNMP manager and agent: the digest verifies the integrity of each message, authenticates its origin, and checks for timeliness. The Cisco IOS Security Architecture supports the no snmp-server trap-authentication command. This command is designed to prevent intruders from using authentication-failure trap messages (sent from an SNMP agent to its managers) to discover community strings.
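The privilege-level and SNMP points above are the kind of thing a practitioner wants to check in a saved configuration rather than trust to memory. The following is an added example by the editor, not a Cisco tool: it audits an IOS configuration text for an enable password stored in clear or reversible form instead of an enable secret (this assumes a release that supports the enable secret command), privilege levels below 15 that grant configuration commands, well-known or unrestricted read-write community strings, and the absence of no snmp-server trap-authentication. Both configurations it is run against are constructed, and the hashes in them are placeholders rather than real digests.

```python
"""Audit a Cisco IOS configuration for the access-management points made above:
per-level enable passwords, privilege levels that hand out configuration
commands, clear-text SNMP community strings, and the
'no snmp-server trap-authentication' setting.

Added example by the editor, not a Cisco tool. Both configurations are
constructed; the hashes in them are placeholders, not real digests.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]   # (code, detail)

ENABLE_RE = re.compile(r"^enable (secret|password)(?: level (\d+))?\b")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?", re.I)
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")

WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco", "secret", "write"}
# Commands that change or save configuration; handing them to a level below 15
# contradicts a policy that lets operators debug but not configure (editor's list).
CONFIG_COMMANDS = ("configure", "copy", "write")


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    enable_kinds = {}            # privilege level -> {"secret", "password"}
    trap_auth_disabled = False

    for raw in config.splitlines():
        line = raw.strip()
        m = ENABLE_RE.match(line)
        if m:
            level = int(m.group(2) or 15)      # no 'level' keyword means level 15
            enable_kinds.setdefault(level, set()).add(m.group(1))
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
            if community.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(("SNMP_WELL_KNOWN_COMMUNITY", community))
            if mode == "RW" and acl is None:
                findings.append(("SNMP_RW_NO_ACL", community))
            continue
        m = PRIV_RE.match(line)
        if m:
            level, command = int(m.group(2)), m.group(3)
            if level < 15 and command.split()[0] in CONFIG_COMMANDS:
                findings.append(("CONFIG_BELOW_15", f"level {level}: {command}"))
            continue
        if line == "no snmp-server trap-authentication":
            trap_auth_disabled = True

    # 'enable password' is stored in clear text or with the reversible type 7
    # obfuscation; 'enable secret' stores an MD5 hash (type 5).
    for level, kinds in sorted(enable_kinds.items()):
        if "password" in kinds and "secret" not in kinds:
            findings.append(("ENABLE_PASSWORD_REVERSIBLE", f"level {level}"))
    # Whether the trap is on by default depends on the release, so require the
    # explicit 'no' form the text recommends.
    if not trap_auth_disabled:
        findings.append(("SNMP_TRAP_AUTH_ENABLED", "no snmp-server trap-authentication not set"))
    return findings


WEAK_CONFIG = """\
hostname border-rtr
enable password 7 0822455D0A16
enable secret level 5 5 $1$placeholder$notARealHashxxxxxxxxxx
privilege exec level 5 debug ip packet
privilege exec level 10 configure terminal
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n-rw RW 10
access-list 10 permit host 10.1.1.50
"""

HARDENED_CONFIG = """\
hostname border-rtr
enable secret 5 $1$placeholder$notARealHashxxxxxxxxxx
enable secret level 5 5 $1$placeholder$notARealHashxxxxxxxxxx
privilege exec level 5 debug ip packet
snmp-server community Xk9-monitor-ro RO 10
snmp-server community Xk9-monitor-rw RW 10
no snmp-server trap-authentication
access-list 10 permit host 10.1.1.50
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'no findings'}")
```

The hardened configuration keeps the diagnostic level 5 from the text's own example (debugging allowed, configuration not), gives every level an enable secret, and binds each community string to access list 10 so that even a sniffed string is only usable from the management station.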

DNSIX/IPSO

Cisco Systems continues to support evolving government security requirements. The Cisco IOS Security Architecture's extended Internet Protocol Security Option (IPSO) support is compliant with the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) specification documents. Extended IPSO functionality can unconditionally accept or reject network traffic that contains extended security levels by comparing those levels to configured allowable values. This support allows DNSIX networks to use additional security information to achieve a higher level of security than that achievable with basic IPSO. An audit trail facility supported by the User Datagram Protocol (UDP) reports IPSO security violations. This facility allows the system to report security failures on incoming and outgoing packets. The audit trail facility sends DNSIX audit trail messages when a datagram is rejected because of IPSO security violations. This feature permits administrators to configure organization-specific security information.
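The accept-or-reject decision described above, worked as an added example (editor's code, not Cisco's implementation): parse the basic IP Security Option (RFC 1108, option type 130) out of an IPv4 header, read the classification level and protection authority flags, and admit the packet only if the level falls within a configured range and a required authority is present, returning the reason an audit record would carry. The packets are constructed; the check models only the basic option and a single level range, not the full set of IOS ip security commands or the extended (DNSIX) option.

```python
"""Basic IP Security Option (IPSO, RFC 1108) admission check.

Added example, not Cisco code. Parses option type 130 from an IPv4 header and
compares the classification level against a configured range, which is the
decision the text describes. Packets below are constructed.
"""
import struct
from typing import List, Optional, Tuple

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_SECURITY = 130            # basic security option
IPOPT_EXT_SECURITY = 133        # extended security option (DNSIX), not parsed here

# RFC 1108 classification level encodings (other values are reserved)
LEVEL_NAMES = {0xAB: "unclassified", 0x96: "confidential", 0x5A: "secret", 0x3D: "top secret"}
LEVEL_RANK = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
# Protection authority flags, one octet each; bit 0x01 set means another octet follows
AUTHORITY_BITS = {0x80: "GENSER", 0x40: "SIOP-ESI", 0x20: "SCI", 0x10: "NSA", 0x08: "DOE"}


def ipv4_options(packet: bytes) -> bytes:
    ihl = packet[0] & 0x0F
    if ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("truncated IPv4 header")
    return packet[20:ihl * 4]


def find_option(options: bytes, wanted: int) -> Optional[bytes]:
    """Walk the option list; return the whole TLV for 'wanted' or None."""
    i = 0
    while i < len(options):
        t = options[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed IP option")
        ln = options[i + 1]
        if t == wanted:
            return options[i:i + ln]
        i += ln
    return None


def basic_ipso(packet: bytes) -> Optional[Tuple[str, List[str]]]:
    """Return (classification, [authorities]) or None when the packet is unlabeled."""
    opt = find_option(ipv4_options(packet), IPOPT_SECURITY)
    if opt is None:
        return None
    if len(opt) < 3 or opt[2] not in LEVEL_NAMES:
        raise ValueError(f"reserved or malformed classification in option {opt.hex()}")
    authorities: List[str] = []
    for octet in opt[3:]:
        authorities += [name for bit, name in AUTHORITY_BITS.items() if octet & bit]
        if not octet & 0x01:
            break
    return LEVEL_NAMES[opt[2]], authorities


def admit(packet: bytes, low: str = "unclassified", high: str = "secret",
          required_authority: Optional[str] = None) -> Tuple[bool, str]:
    """Accept only labeled packets whose level lies within [low, high] and that
    carry the required authority; the reason is what an audit record would log."""
    try:
        label = basic_ipso(packet)
    except ValueError as err:
        return False, f"rejected: {err}"
    if label is None:
        return False, "rejected: no IPSO label"
    level, authorities = label
    if not LEVEL_RANK[low] <= LEVEL_RANK[level] <= LEVEL_RANK[high]:
        return False, f"rejected: {level} outside {low}..{high}"
    if required_authority and required_authority not in authorities:
        return False, f"rejected: authority {required_authority} missing"
    return True, f"accepted: {level} {authorities}"


def make_packet(level_byte: Optional[int], authority_byte: int = 0x80) -> bytes:
    """Constructed IPv4/UDP header, optionally with a 4-octet basic security option."""
    option = b"" if level_byte is None else bytes([IPOPT_SECURITY, 4, level_byte, authority_byte])
    ihl = 5 + len(option) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(option), 1, 0, 64, 17, 0,
                       bytes([10, 1, 1, 5]), bytes([10, 2, 2, 9])) + option


if __name__ == "__main__":
    for pkt in (make_packet(0x5A), make_packet(0x3D), make_packet(0x96, 0xA0), make_packet(None)):
        print(admit(pkt, required_authority="GENSER"))
```

Rejecting unlabeled and malformed options outright, as admit does, is the conservative choice; a deployment that must carry unlabeled traffic would map it to an implicit level instead, which is a policy decision rather than a parsing one.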

Host Security

The goal of good network security and firewalling is to reduce the dependence on host security. Networks commonly bear most of an organization's security responsibilities, but good security practices on hosts should be maintained as well (see Figure 6). Application and host security are important components of overall security design. (For example, a data processing department might want to provide different access models for a data entry person and an auditor.) Host operating systems have a history of security problems, much of which can be prevented with proper planning. Individual hosts should be periodically audited to ensure security compliance. A high level of synergy can be obtained by combining host and network security practices.


Figure 6: Host Security Provides Additional Protection


Encryption

Traditionally, when network environments consisted primarily of a centralized point-to-point architecture with predetermined information paths, security was fairly straightforward. Securing the link itself provided reasonable assurance of maintaining the integrity, access, and privacy of the information.

Modern enterprise internetworks present a tremendous opportunity for corporations to remain competitive while increasing overall efficiency. This opportunity comes with a cost. Today's open networking technologies pose a threat to the overall security of the enterprise. This openness can mean that a corporation has little control over who has access to its information resources and the path over which that information will flow. Traditional security systems based on point-to-point, nonpacketized transmission media simply were not designed to address the evolving WAN and LAN technologies that are at the heart of today's enterprise network when the data travels across public networks.

Cisco Systems has a long history of encryption support. Several years ago Cisco added support for encryption through the United States government Blacker Front End (BFE) program. The Defense Communications Agency (DCA) certified Cisco Systems' DDN X.25 standard service implementation for attachment to the Defense Data Network (DDN). Cisco's DDN implementation includes Blacker front-end encryption and Blacker emergency mode operation.

Cisco's commercial and government customers understand that the best available security technique is encryption, the process of transforming intelligible information (clear text) into an unintelligible state, or "cipher text." Cisco Systems and Cylink Corporation have joined forces to integrate Cylink's Enterprise Security Architecture, consisting of Cylink's SecurePacket technology, into Cisco's family of routers and switches through the Cisco IOS in the first half of 1996 (see Figure 7).


Figure 7: Encryption Protects Data Confidentiality


Conclusion

Network security embodies the modern organization's overall security policy. The key to success is to consider security an evolving process. This will allow organizations to change as new requirements and technologies are brought forward. Over the past ten years, Cisco's approach has been to provide customers with flexible and scalable security options. Cisco offers and suggests a systematic approach to network security using the Cisco IOS as the cornerstone.

Products That Support the Cisco IOS

The Cisco IOS is supported on a wide range of hardware platforms available from Cisco Systems and Cisco partners. For a complete list of products that support the Cisco IOS, see the Cisco Systems Product Catalog, Cisco Order Number DOC-CAT4, or call 800 326-1981 for additional information about Cisco Systems products.


Posted: May 5 13:09:50 1995
Copyright 1996 © Cisco Systems Inc.