When we talk about “security” we know what we want, but describing it and making it happen can be different matters altogether. Network security has a natural conflict with network connectivity. The more an autonomous system opens itself up, the more risk it takes on. This, in turn, requires that more effort be applied to security enforcement tasks. This article is chapter eight of the book, Cisco: A Beginner's Guide, third edition, by Anthony Velte and Toby Velte (McGraw-Hill/Osborne, 2004, ISBN: 0072256354).
There are two kinds of network security. One kind is enforced as a background process not visible to users; the other is in your face:
Traffic-based security Controls connections requested by a network application, such as a web browser or an FTP download
User-based security Controls admission of individuals to systems in order to start applications once inside, usually by user and password
One kind of traffic-based security is the use of firewalls to protect autonomous systems by screening traffic from untrusted hosts. The other kind of traffic-based security is router access lists, used to restrict traffic and resources within an autonomous system. User-based security is concerned with people, not hosts. This is the kind of security with which we’re all familiar—login-based security that asks you for a username and password.
The two types complement one another yet operate at different levels. Traffic-based security goes into action when you click a button in a web browser, enter a command into an FTP screen, or use some other application command. User-based security, on the other hand, asserts itself when an individual tries to log into a network, device, or service offered on a device.
Traffic-based security is implemented in a Cisco internetwork by using firewalls or router access lists. This style of security—covered in Chapter 9—focuses mainly on source and destination IP addresses, application port numbers, and other packet-level information that can be used to restrict and control network connections.
Until recently, firewalls have focused strictly on guarding against intruders from outside the autonomous system. However, they’re now coming into use in more sophisticated shops to restrict access to sensitive assets from the inside. Access lists have been the traditional tool used to enforce intramural security.
Access List Traffic-Based Security
Routers can be configured to enforce security in much the same way firewalls do. All routers have access lists, and they can be used to control what traffic may come and go through the router’s network interfaces and what applications may be used if admitted. What exactly an access list does is left to how it’s configured by the network administrator.
Mostly, access lists are used to improve network performance by isolating traffic in its home area, but a heavily configured access list can pretty much behave like an internal firewall, restricting traffic among departments.
Firewall Traffic-Based Security
Firewalls are basically beefed-up routers that screen processes according to strict traffic management rules. They use all sorts of tactics to enhance security: address translation to hide internal network topology from outsiders; application layer inspection to make sure only permitted services are being run; even high/low counters that watch for any precipitous spikes in certain types of packets to ward off Denial-of-Service attacks such as SYNflood and FINwait.
Firewalls intentionally create a bottleneck at the autonomous system’s perimeter. As traffic passes through, the firewall inspects packets as they come and go through the networks attached to its interfaces.
Firewalls read source and destination host addresses and port numbers (for example, port 80 for HTTP), and establish a context for each permitted connection. The context comes in the form of a session, where packets with a certain address pair and port number must belong to a valid session. For example, if a user tries to connect to a web server to download a file, the firewall will check the user’s source IP address and the application service requested before permitting the packets to pass.
Think of traffic-based security as being like those “easy pass” automated tollbooths on major toll roads. Vehicles are funneled through a gateway where a laser reads each electronic ID, barely slowing the flow of traffic.
User-based security evokes a different picture—this one of a gate with a humorless security guard standing at the post. The guard demands to know who you are and challenges you to prove your identity. If you qualify, you get to go in. More sophisticated user-based security systems also have the guard ask what you intend to do once inside and issue you a coded visitor’s badge giving you access to some areas, but not others.
Thus, user-based security is employed where a person must log into a host, and the security comes in the form of a challenge for your username and password. In internetworking, this kind of security is used as much to keep bad guys from entering network devices such as routers or switches, as it is to restrict access to payload devices, such as servers.
Unlike firewalls, however, user-based security is nearly as concerned with insiders as outsiders. That security guard at the gate has colleagues on the inside, there to make sure nobody goes into the wrong area. You know the routine—there are employee badges and there are visitor badges, but the employee badges let you go more places.
Login/password points are generally placed on every network device and all servers. Because user-based security mechanisms are software, not hardware, they can be deployed at will within an internetwork with little impact on performance or budget. The trade-off is how much inconvenience you’re willing to put network users through, having to log in to gain access to various services. User-based security has four major applications:
To grant remote employees access to the enterprise internetwork
To grant onsite employees access to protected hosts and services within the internetwork
To let network administrators log into network devices
To let ISPs grant subscribers access to their portals
Because most user-based security involves remote dial-in connections,WANtechnologies play an important role. The two most important pieces inWANconnections are access servers and dial-in protocols.