When we talk about “security” we know what we want, but describing it and making it happen can be different matters altogether. Network security has a natural conflict with network connectivity. The more an autonomous system opens itself up, the more risk it takes on. This, in turn, requires that more effort be applied to security enforcement tasks. This article is chapter eight of the book, Cisco: A Beginner's Guide, third edition, by Anthony Velte and Toby Velte (McGraw-Hill/Osborne, 2004, ISBN: 0072256354).
The concept of network security may seem somewhat of a moving target—or several moving targets. When we talk about “security” we know what we want, but describing it and making it happen can be different matters altogether. Network security has a natural conflict with network connectivity. The more an autonomous system opens itself up, the more risk it takes on. This, in turn, requires that more effort be applied to security enforcement tasks.
On top of that, add departmental budget constraints (and the personnel cuts that many companies have seen in recent years) and even reasonable security solutions might seem impossible to attain. Three trends have increased the bite that security takes out of the IT department’s overall budget:
Internetworks are getting bigger and more complicated.
New threats are always emerging.
The typical network security system is usually not a system at all, but is a patchwork of vendor-specific tools (sound familiar?).
Network security is so pervasive a consideration that even network management consoles raise concerns. As we’ll talk about in Chapter 15, some worry about whether the SNMP infrastructure itself is secure enough. After all, stealing the right SNMP community string would give a hacker a road map to an entire internetwork’s configuration, and unless you’ve been living in a cave, you know about computer viruses spreading in various forms: e-mail bombs, Trojan horse Java applets, Denial-of-Service attacks, and other worrisome new threats to computer security. Suffice it to say that a lot of time, money, and effort go into network security.
NOTE:SNMP stands for Simple Network Management Protocol and, as you have probably deduced, it is used for network management. Don’t worry about it too much at this point. We’re mentioning it here as a bit of foreshadowing, before we talk about it in depth in Chapter 15. SNMP relates to some other protocols that are used for network security. Basically, all these protocols gather information from your network—whether for security or for network management.
In Chapter 9, we’ll talk about Cisco’s Internet access and security products. Just as a head’s up, the focus will be mainly on how firewalls—and even routers—monitor internetwork traffic at the packet level to provide security. Traffic-based security runs on firewalls and routers and deals mainly in IP addresses.
But a second kind of security operates at the people level. This kind of security, called user-based security, employs passwords and other login controls to authenticate users’ identities before they are permitted access. There are two basic types of user-based security:
End-user remote access to servers, in which employees dial into their enterprise internetworks and subscribers dial into their Internet service providers (ISPs)
Network administrator access to network devices, in which technicians log into IOS on various kinds of network devices in order to work on them
Security is the third major control system in internetworking, along with network management systems and routing protocols. Although the three control systems have distinct missions, you’ll see a familiar pattern:
Embedded commands Application commands built directly into IOS that are used to configure individual devices to participate in a larger network control system
Dedicated control protocol A communications protocol that coordinates the exchange of messages needed to perform the network control system’s tasks
Server and console A server to store the messages and a workstation to provide the human interface through which the network control system is operated
Figure 8-1 illustrates the common architecture shared by network control systems.
Looking at the figure, you see two new names listed next to SNMP—TACACS+ and RADIUS. These are the protocols used for security, not management, as is SNMP, but they’re analogous in how they operate. Data is gathered from network devices and stored
Figure 8-1. Internetwork control systems, including security, share certain features.
in a central database, and a console is used to configure devices from a central management workstation. Network management and security systems differ in what they do, but are basically the same in how they work.
The third internetwork control system, routing protocols, differs sharply. Routing protocols don’t use servers because the information—route tables—is transient and doesn’t need to be stored on disk. Additionally, they don’t use consoles because they are largely self-operating.
The structural similarities between network management and security will make it easier to comprehend network security technology. Just swap in new names for protocols (TACACS+and RADIUS) and consoles, and you understand the general setup.