Defining Operations Security Needs
As with any IT project, there must be a demonstrable need for the technology before its acquisition and implementation. Unfortunately, many organizations succumb to the temptation of caving in to the wish list of their IT staff and purchasing equipment without performing the required needs analysis. Many IT professionals can speak to the experience of being asked to architect a need to fit the technology rather than the other way around, architecting the technology to fit the need, which is the preferred approach. There is a basic lesson to be learned here for both IT staff and their management. Without a needs analysis, followed by a gap analysis and finally a proper methodology in place for the implementation of the technology, a network security project is doomed to fail.
Vendors such as Cisco usually have their own methodology for these facets of a secure network project. Because Cisco’s customers often look to Cisco sales engineers for direction in their technology projects, it makes good business sense that Cisco should have their own system development life cycle for secure networks. This approach is certain to help sell equipment and also (but less cynically) to ensure that the customer is satisfied with the solution. We examine this cycle in the context of both operational security principles and disaster recovery planning and business continuity planning.
Cisco System Development Life Cycle for Secure Networks
Cisco System Development Life Cycle (SDLC) for secure networks recommends a five-phase approach for security projects. When performed in order, these five steps help organize the workflows that need to coincide throughout the life cycle of a network. Figure 2.1 illustrates these phases.
Table 2.1 contains the steps defined in Figure 2.1, as well as a breakdown of the separate elements within each step.
FIGURE 2.1 Cisco Recommended Secure Network Life Cycle
Operations Security Principles
INFOSEC professionals need to be aware of a few overarching principles to ensure secure operations. Some of the principles are as follows:
- Separation of Duties (sometimes Segregation of Duties)
- Rotation of Duties
- Trusted Recovery
- Change and Configuration Controls
Table 2.2 summarizes the elements within each principle.
NOTE
Here are the separate controls that comprise SoD:
- Two-Man Control. Multiple individuals audit and approve each other’s work. This is an example of an administrative control.
- Dual Operator Control. Two individuals are required to complete a single task. An example might be a safe deposit box that requires the use of both the customer’s and the bank’s keys to open. This is an example of a technical control.
EXAM ALERT
Know the difference between “two-man control” and “dual operator control.” They sound the same, but have entirely different meanings.
Network Security Testing
There are a number of utilities and other tools that you can use to assess your network’s security from the perspective of a potential attacker. Don’t forget that networks should be resilient against attack both from internal and external threats. Also, the vulnerabilities discovered must be measured against their relative likelihood (that is, risk) and, in a practical sense, whether the cost of the corrective controls employed might outweigh the benefit of their implementation. According to Cisco, this is why we implement security controls:
- Create a baseline for corrective action.
- Define ways to mitigate discovered vulnerabilities.
- Create a baseline of an organization’s current security measures.
- Measure an organization’s progress in fulfilling security policy.
- Analyze the relative cost vs. benefit of security improvements.
- Support the steps of the Security SDLC.
Types of Testing Techniques
Network security testing tools can be grouped into different types. See if you can determine whether each of the following tests the network’s or system’s confidentiality, integrity, or availability. (The answers appear in the note at the end of this section.)
- Network scanning
- Vulnerability detection
- Password cracking
- Log analysis
- Integrity checkers
- Virus detection
- War dialing
- War driving (802.11 or wireless LAN testing)
- Penetration testing
Common Security Testing Tools
Here is a list of some common security testing tools, along with the organization behind them:
- Network Mapper (Nmap). Open Source from Insecure.org.
- Nessus. Tenable Network Security Inc.
- GFI LANGuard. GFI Software Inc.
- SuperScan. Foundstone (division of McAfee Inc.).
- Metasploit. Metasploit LLC.
- Tripwire. Tripwire Inc.
The following is a more detailed explanation of some of the more important testing tools from this list.
EXAM ALERT
Scanners are testing utilities that probe a network for specific vulnerabilities. There is a fine line between scanning a network and hacking a network because often the same tools are used; the difference is the degree to which they are employed. For example, Tenable Security Corporation’s Nessus product is a scanner that, when carelessly employed, can create a denial of service (DoS) on a vulnerable network or end system if dangerous plug-ins are enabled. In Chapter 8, “Network Security Using Cisco IOS IPS,” we examine the role of intrusion detection systems (IDS) and intrusion protection systems (IPS). These are also known as sensors. Scanners probe networks, and carefully tuned sensors can detect such probes. In short:
- Scanners (like Nessus, Nmap, and SuperScan) probe a network for vulnerabilities and can even simulate an attack when certain plug-ins are enabled.
- Sensors monitor a network for signs of probes and attacks. IDSs and IPSs are sensors.
Nmap is a popular scanner, running on Windows, Unix, and Linux systems, and an example of an excellent Open Source tool. Some features of Nmap include the following:
- Low-level scanner, because it probes for vulnerabilities in layers 3 and 4 of the OSI model but no higher.
- Often employed as a general-purpose scanning tool, including by hackers, to perform the initial reconnaissance of a network.
- Both ping sweeping and stealth port scanning functionality to make it difficult for IPSs to detect.
- OS footprinting (explained in Chapter 1, “Network Insecurity”).
Figure 2.2 shows an example of Nmap using its new GUI, Zenmap.
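The scanner-versus-sensor distinction above, together with Nmap’s ping sweep and port scan capabilities, can be illustrated from the sensor’s side. The following is an added example, not code from the book or from any Cisco product: a minimal sensor heuristic that reads constructed connection-log lines (the log format, thresholds and addresses are assumptions) and flags a ping sweep and a port scan, while showing why a slow, spread-out scan slips past a fixed detection window.

```python
# Added example (not from the book): a minimal "sensor" heuristic that reads
# connection-log lines and flags a ping sweep (one source pinging many hosts)
# and a port scan (one source touching many ports on one host). Log format,
# thresholds and addresses are assumptions for this illustration.
from collections import defaultdict

PING_SWEEP_HOSTS = 5   # distinct hosts pinged by one source within WINDOW
PORT_SCAN_PORTS = 10   # distinct ports touched on one host within WINDOW
WINDOW = 60            # seconds
PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]

# Constructed log (not a real capture), one event per line: '<epoch> <src> <dst> <proto> <port|echo>'
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 10.0.0.5 192.168.99.{10 + i} icmp echo" for i in range(6)]          # ping sweep
    + [f"{1010 + i} 10.0.0.5 192.168.99.130 tcp {p}" for i, p in enumerate(PORTS)]     # fast port scan
    + ["1020 10.0.0.7 192.168.99.130 tcp 443", "1021 10.0.0.7 192.168.99.130 tcp 80"]  # ordinary traffic
    # 10.0.0.9 probes the same ports one every 100 s: a slow scan that a 60 s window misses
    + [f"{2000 + 100 * i} 10.0.0.9 192.168.99.130 tcp {p}" for i, p in enumerate(PORTS)])

def max_distinct_in_window(events, window):
    """events: list of (ts, value). Largest number of distinct values seen in
    any span of `window` seconds (two-pointer sweep over the sorted events)."""
    events = sorted(events)
    counts, best, left = defaultdict(int), 0, 0
    for ts, val in events:
        counts[val] += 1
        while ts - events[left][0] > window:   # evict events older than the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best

def detect(log_text, window=WINDOW):
    """Return sorted (kind, who, count) alerts for sweeps and scans in the log."""
    pings = defaultdict(list)   # src -> [(ts, dst host)]
    ports = defaultdict(list)   # (src, dst) -> [(ts, "proto/port")]
    for line in log_text.splitlines():
        ts, src, dst, proto, target = line.split()
        if proto == "icmp" and target == "echo":
            pings[src].append((int(ts), dst))
        elif proto in ("tcp", "udp"):
            ports[(src, dst)].append((int(ts), f"{proto}/{target}"))
    alerts = [("ping_sweep", src, n) for src, ev in pings.items()
              if (n := max_distinct_in_window(ev, window)) >= PING_SWEEP_HOSTS]
    alerts += [("port_scan", f"{src}->{dst}", n) for (src, dst), ev in ports.items()
               if (n := max_distinct_in_window(ev, window)) >= PORT_SCAN_PORTS]
    return sorted(alerts)
```

Widening the window (for example `detect(SAMPLE_LOG, window=2000)`) catches the slow scanner as well, at the cost of more state per source; that trade-off is what the text means by a carefully tuned sensor.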
SuperScan is another example of a scanner. Here are some of SuperScan’s features according to Foundstone:
- Superior scanning speed
- Support for unlimited IP ranges
- Improved host detection using multiple ICMP methods
- TCP SYN scanning
- UDP scanning (two methods)
- IP address import supporting ranges and CIDR formats
- Simple HTML report generation
- Source port scanning
- Fast hostname resolving
- Extensive banner grabbing
- Massive built-in port list description database
- IP and port scan order randomization
- A selection of useful tools (ping, traceroute, Whois, and so on)
- Extensive Windows host enumeration capability
Figure 2.3 illustrates the main screen of SuperScan. Interestingly, the scan against the network node at IP address 192.168.99.130 returned no results. This could indicate that an intermediate device such as a firewall (discussed in Chapter 5, “Using Cisco IOS Firewalls to Implement a Network Security Policy”) has detected the scan as an attack and has employed countermeasures to hide the scanned host, at least temporarily.
Disaster Recovery and Business Continuity Planning
As indicated previously in the discussion of Trusted Recovery as a principle of Operations Security, you must both expect and plan for a disaster. Although it is impossible and also impractical to plan for every eventuality and contingency, plans must be put into place for the events that are the most likely to occur. For example, it makes no sense to have a recovery procedure in place for an earthquake in an area where that risk is minimal but the risk of loss due to military action or civil unrest is the most likely.
The Three Phases of DRP and BCP
In chronological order, the three phases that disaster recovery procedures (DRP) and business continuity planning (BCP) cover are as follows:
- Emergency response
- Recovery
- Return to normal operation
Let’s look at the differences between disaster recovery and business continuity planning separately in the context of these three phases.
Business Continuity Planning
Business continuity planning focuses on the short- to medium-term requirements essential to continuing an organization’s operations with the following objectives:
- Relocation. Relocation of elements critical to an organization’s operations to a remote or mirror site, while faults at the original site are remedied. An example of this might be a federal government department relocating operations temporarily to a mirror site and using data recovered from backup at the moment of the disaster (emergency response and recovery).
- Alternate Communication Channels. Use of alternate communication channels with suppliers, customers, shareholders, knowledge workers, and so on, until primary channels can be phased back in when the disaster is remedied (recovery).
Disaster Recovery Procedures
Disaster recovery procedures are concerned with the actions that are taken to deal with the disaster immediately after it has occurred. In this sense, they are a subset of business continuity planning. It is the process of restoring access to systems, data, software, and hardware critical to business operations. It deals with the second phase in the three phases of DRP and BCP.
EXAM ALERT
Disaster recovery procedures are part of business continuity planning.
Here are some key objectives of disaster recovery procedures:
- Minimize the requirement for on-scene decision-making during the emergency by setting out specific procedures.
- Ensure the safety of workers as well as their ability to return to work quickly.
- Ensure that data integrity is not compromised during the emergency.
- Ensure that key business functions are not impaired and can return to normal as quickly as possible.
Categories of Disruption
As we saw in the section “Cisco System Development Life Cycle for Secure Networks,” the initiation phase is used to categorize the risks and to do an initial risk assessment. Not all disruptions are the same magnitude. Here’s a list of disruption categories:
- Nondisaster. A business process is disrupted for a finite period of time.
- Disaster. A facility is unusable for an entire day or more.
- Catastrophe. The entire facility is destroyed.
Backups
Redundancy is the key to dealing with destruction. There are three types of backup, as follows:
- Replacement with a redundant component. A failed or destroyed component is replaced with an equivalent component.
- Service-Level Agreements (SLAs) with vendors. When a service is disrupted, it is replaced with another service and/or restitution is made to an insured value stipulated in the agreement.
- Complete off-site backup facilities. Production can be moved to the following:
- Hot sites (or mirror sites). Redundant site with real-time copies of data from the primary site. The site is maintained in operational readiness with data synchronized from the primary site. When a disaster occurs, only the very last, incremental changes in data need to be restored for the site to be fully operational.
- Warm sites. Redundant sites without real-time copies of data and software. The disaster recovery team needs to pay a physical site visit to restore data to the site for it to become fully operational.
- Cold sites. Redundant sites that have the minimum power, environmental controls, and network links but no equipment. During disaster recovery, equipment would have to be sourced and installed and backups restored before full functionality can be recovered.
NOTE
Here are the answers to the exercise from the “Types of Testing Techniques” section. You were asked to determine whether the following test confidentiality, integrity, or availability. The suggested answers appear in parentheses beside the item: C = confidentiality; I = integrity; A = availability.
- Network scanning (A)
- Vulnerability detection (C, I, A)
- Password cracking (C, I)
- Log analysis (I, A)
- Integrity checkers (I)
- Virus detection (I)
- War dialing (C, I)
- War driving (802.11 or wireless LAN testing) (C, I)
- Penetration testing (C, I)