You can read five different books that discuss SDLC models and
see five slightly different ways to name the following phases. As
our friends at Wikipedia put it so well:
"There is no definitively correct SDLC model ..."
Cisco's SDLC recommendations for secure networks are quite
different from any SDLC you may have seen before, so keep
that in mind as we walk through a hypothetical SDLC plan. In
this case, we've got a brand-new e-commerce server, and we're
concerned about its current security. Let's walk through the
SDLC steps and determine what needs to be asked and
answered at each level.
Phase 1: Initiation
In this phase, we'll perform both a security characterization and a
preliminary risk assessment.
The security characterization involves answering an interesting
question:
"Compared to the other devices in our network, how important is
this new server?"
The first answer that comes to mind is "Well, all of our network
devices are equally important!" (That's the answer I'd give at a
department meeting, too.) Truth is, all of our network devices
are important - but some are more important than others.
An e-commerce server's required security level is very high: the
business can be shut down economically if that server goes
down, not to mention the lawsuits from customers if their data is
compromised.
Having decided that the level of security needed is very high, we
move on to the preliminary risk assessment...
"What are the overall risks to this server?"
We're not getting too specific with risk analysis yet, but we do
need to identify the overall risks.
Phase 2: Acquisition And Development
"A&D" sounds like a separate department in your organization,
but it's actually the next step in our SDLC process. So what
exactly are we "acquiring and developing"? In a nutshell, we're
fleshing out details from our Phase 1 risk assessment to create a
more-detailed risk analysis plan. There's a lot going on in this
phase, including:
Detailed risk assessment. What exactly are we concerned
with? What attack types are we most concerned with, both from
the inside and the outside of our network? (Remember, not all
the bad guys are coming in from the outside!)
Cost. Yes, you and I both know good security is priceless, but
someone in your company has to write a check for everything
we need to secure that server - and they're going to want to
know how much this is going to cost!
Two requirements analyses (RA) - security functional and
security assurance. The security functional RA basically says
"Here's what we need to do in order to protect the server"; the
security assurance RA basically says "Here's the proof that the
server will be protected". Obviously, both of these steps require
a great deal of planning and testing - especially testing!
Testing - It's not possible to do too much testing! Cisco's
terminology for this step is "developmental security test and
evaluation". I like to call it "test, evaluate, and repeat".
Report creation - Cisco documentation refers to these steps as
"security planning" and "security control development". These
two steps both involve creating reports that detail exactly what
we're doing to protect the server and how we're going to
implement it on the production network.
And sure, I know creating any report isn't #1 on the Network
Admin Fun Parade, but it's gotta be done for us to move to the
next phase - Implementation.
Phase 3: Implementation
Sounds self-explanatory, but there's a bit more going on than just
implementing the solution here. Cisco documentation lists the
following four steps to this phase:
Inspection and Acceptance, where the "acceptance" is a fancy
way of saying "we verified this and it works"
System Integration, another way of saying "it didn't screw up
anything else we already had running"
Security Certification, another way of saying "everything we
planned in Phase 2 worked"
Security Accreditation, where the overall operation is given
approval and the secured devices are put into operation
The next phase, Operations and Maintenance, is a two-part
phase:
Configuration Management is exactly what it sounds like, and it's
actually one of the most important parts of the entire Cisco
SDLC process.
Ever sat down at a router, entered a simple configuration,
applied it, and then watched as something you didn't even think
about came crashing down? For example, you might have
created an ACL or two for a specific purpose, applied it to an
interface, and then watched one console message after another
mention that you just brought OSPF down. Or BGP. Or
something else.
Preventing that kind of thing from happening to your network
security is the entire point of Configuration Management. In one
way or another, CM requires other admins to examine the impact
of your configuration change to the network operations they're
responsible for, and to give approval before a configuration
change is accepted.
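The ACL-kills-OSPF scenario above is exactly the kind of thing a Configuration Management review should catch before the change hits the interface. The following is an added example (not from the original page or from Cisco) of a pre-change check: it evaluates a proposed IOS-style extended ACL against a few constructed control-plane packets and reports which routing protocols the change would silently drop. Only a subset of IOS ACL syntax is modelled (permit/deny, protocol keyword, any/host/wildcard addresses, a numeric `eq <port>`); the ACL names, addresses and packets are all constructed.

```python
"""Configuration Management pre-change check for an inbound interface ACL.

Added example, not from the original page. A subset of IOS extended ACL
syntax is modelled; every address, ACL name and packet is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str              # IOS protocol keyword: "ospf", "tcp", "udp", ...
    src: str
    dst: str
    dport: Optional[int] = None


# Constructed control-plane flows a reviewer expects the interface to keep receiving.
CONTROL_PLANE = {
    "OSPF hello": Packet("ospf", "10.0.0.2", "224.0.0.5"),
    "BGP session": Packet("tcp", "10.0.0.2", "10.0.0.1", 179),
}


def _addr_matches(spec: List[str], ip: str) -> Tuple[bool, int]:
    """Match one IOS address clause; return (matched, tokens consumed)."""
    if spec[0] == "any":
        return True, 1
    if spec[0] == "host":
        return ipaddress.ip_address(ip) == ipaddress.ip_address(spec[1]), 2
    # "network wildcard": a 0 bit in the wildcard mask means that bit must match
    net = int(ipaddress.ip_address(spec[0]))
    wild = int(ipaddress.ip_address(spec[1]))
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.ip_address(ip)) & care) == (net & care), 2


def _take_port(rest: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional numeric 'eq <port>' clause."""
    if rest and rest[0] == "eq":
        return int(rest[1]), rest[2:]
    return None, rest


def acl_decision(acl_text: str, pkt: Packet) -> str:
    """First-match evaluation, ending with the implicit 'deny ip any any'."""
    for line in acl_text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("!", "ip", "remark"):
            continue  # blank lines, comments, the 'ip access-list' header, remarks
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if proto not in ("ip", pkt.proto):   # the 'ip' keyword matches every protocol
            continue
        src_ok, n = _addr_matches(rest, pkt.src)
        _, rest = _take_port(rest[n:])       # source port: not modelled, treated as a match
        dst_ok, n = _addr_matches(rest, pkt.dst)
        dport, _ = _take_port(rest[n:])
        if src_ok and dst_ok and (dport is None or dport == pkt.dport):
            return action
    return "deny"                             # nothing matched: implicit deny


def review_inbound_acl(acl_text: str) -> List[str]:
    """Control-plane flows the ACL would drop; an empty list means the change is safe."""
    return [name for name, pkt in CONTROL_PLANE.items()
            if acl_decision(acl_text, pkt) == "deny"]


# Constructed: the "simple" change from the text, meant only to block telnet.
PROPOSED = """
ip access-list extended BLOCK-TELNET
 deny tcp any any eq 23
"""

# Same intent, with the routing protocols and everything else explicitly permitted.
CORRECTED = """
ip access-list extended BLOCK-TELNET
 permit ospf any any
 permit tcp any any eq 179
 deny tcp any any eq 23
 permit ip any any
"""

if __name__ == "__main__":
    for label, acl in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        dropped = review_inbound_acl(acl)
        print(f"{label}: {'drops ' + ', '.join(dropped) if dropped else 'control plane intact'}")
```

Run stand-alone, the proposed ACL is reported as dropping both the OSPF hellos and the BGP session, because the one deny line is followed by the implicit deny that swallows everything else; the corrected ACL keeps the same telnet block and passes the review. In a real CM process the other admins would run this kind of check against the routing protocols they are responsible for before signing off.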
The other part of the Operations and Maintenance phase,
Continuous Monitoring, is self-explanatory.
The final Cisco SDLC phase is Disposition, a nice way of saying
"How are we going to get rid of this stuff when it's outdated
and/or replaced with other hardware and software?"
If you've ever seen a news report about hard drives being stolen
out of computers that were not properly disposed of, you know
how important this phase is.
Another way to find out how important this phase is: lawsuits
from people whose personal information was accessed on
improperly disposed-of servers. Since that's an expensive way to
learn, let's take a closer look at the three parts of the Disposition
phase.
Information Preservation - It's not necessarily legal to dispose of
data simply because you're done working with it. For example,
some government agencies require a business to retain their
records for up to seven years, even if they're closing the
business. And obviously, we can't just delete such sensitive
information as medical records. To protect yourself legally, this
kind of information must be preserved.
Media Sanitation - a formal way of saying "if you're deleting data,
you better REALLY delete it". Contrary to what the average end
user thinks, hitting the "delete" key does not make that deleted
data irretrievable. Do a quick Google search on "recover deleted
data" and you'll see what I mean. If you're planning to dispose
of any data, make sure it's not data that needs to be preserved and then really delete it.
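To show why hitting "delete" does not make data irretrievable, here is an added example (not from the original page) built on a toy disk model: a directory that maps file names to data blocks, and a raw image holding the blocks. Deleting a file only forgets the name and frees its blocks, which is what lets recovery tools carve records straight out of the media; sanitizing overwrites the blocks first. The file name, record contents and block size are all constructed.

```python
"""Why 'delete' is not sanitization: a toy disk image with a directory and data blocks.

Added example, not from the original page. The file system model is
deliberately tiny; all names, sizes and record contents are constructed.
"""
from typing import Dict, List, Optional

BLOCK = 64   # bytes per block (constructed size)


class ToyDisk:
    def __init__(self, blocks: int = 16) -> None:
        self.image = bytearray(BLOCK * blocks)       # the raw media
        self.directory: Dict[str, List[int]] = {}    # file name -> block numbers
        self.free: List[int] = list(range(blocks))

    def write(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK)              # ceiling division
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.image[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete(self, name: str) -> None:
        """What the 'delete' key does: drop the name, mark the blocks free, touch no data."""
        self.free.extend(self.directory.pop(name))

    def sanitize(self, name: str) -> None:
        """Overwrite every block the file occupied with a fixed pattern, then delete it."""
        for b in self.directory[name]:
            self.image[b * BLOCK:(b + 1) * BLOCK] = b"\xff" * BLOCK
        self.delete(name)


def carve(image: bytearray, marker: bytes) -> Optional[bytes]:
    """A recovery tool ignores the directory: scan the raw media for known content."""
    start = image.find(marker)
    if start == -1:
        return None
    end = image.find(b"\n", start)                   # records end with a newline
    return bytes(image[start:end + 1]) if end != -1 else bytes(image[start:])


# Constructed sample record; the card number is a placeholder, not real data.
RECORD = b"name=Jane Doe;card=4111-XXXX-XXXX-1234\n"


def recover_after_delete() -> Optional[bytes]:
    disk = ToyDisk()
    disk.write("customers.csv", RECORD)
    disk.delete("customers.csv")
    assert "customers.csv" not in disk.directory     # the name is gone ...
    return carve(disk.image, b"card=")                # ... the data is not


def recover_after_sanitize() -> Optional[bytes]:
    disk = ToyDisk()
    disk.write("customers.csv", RECORD)
    disk.sanitize("customers.csv")
    return carve(disk.image, b"card=")


if __name__ == "__main__":
    print("after delete:  ", recover_after_delete())
    print("after sanitize:", recover_after_sanitize())
```

After a plain delete the card record is carved straight back out of the image; after sanitizing, the scan finds nothing. Overwriting is the right mental model for magnetic disks; on flash and SSDs, wear levelling means an overwrite of a logical block may leave the old physical cells intact, so the practical options there are the drive's own secure-erase command, cryptographic erase (destroying the key of an encrypted volume), or physical destruction. NIST SP 800-88 is the standard reference for choosing among them.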
If you have an enterprise network, it's going to be difficult to
perform one giant risk analysis that encompasses the entire
network. Rather, you could use the qualitative analysis
approach, where lab environments are used to perform the risk
analysis.
I don't usually list URLs since they can change, but this particular
doc is recommended reading for the CCNA Security exam and
your real-world knowledge as well. The URL is particularly long,
so just enter the phrase "The Cisco Self-Defending Network
combines best-of-breed" into Google and it'll be the first or
second match. It's a PDF well worth reading!
The Cisco ASA 5500 Adaptive Security Appliance
I don't mean to sound like sales propaganda, but the ASA 5500
really "does it all". According to the Wikipedia entry for the ASA,
the 5500 actually succeeded three Cisco products:
the
ACS, via the ACS Shell Command Authorization set. Here, you
can set full or restricted access to commands as you see fit.
In the online documentation for the ACS Shell Command
Authorization set, several references are made to TACACS+,
which should not surprise you. (TACACS+ has command
authorization capabilities, but RADIUS does not.)
Here's a link to a Cisco PDF that I do recommend you take a
look at, and it'll show you exactly how the ACS interface appears
to the user.
http://www.cisco.com/application/pdf/paws/99361/acs_shell_auth.pdf
I would not spend hours and hours studying that doc, but to save
yourself some frustration in the real world (and possibly the
exam room!), note that we can set a Shell Command
Authorization Set at both the User Setup and Group Setup
levels, and that user-level settings override group-level settings.
(Those screen shots are near the end of the document.)
In-Band Management vs. Out-Of-Band (OOB)
Regardless of the network monitoring software you choose,
you're going to have management traffic as a result. That's a
good thing - if you don't have management traffic, you don't
have management - but there are two schools of thought on how
to handle that traffic:
in-band, where management traffic shares a network with the
"regular" data
out-of-band (OOB), where management traffic uses a separate
network
In a perfect world, we'd always use OOB, since mixing the
production data and management data increases the likelihood
of sensitive network management data falling into the wrong
hands. However, sometimes it's just not practical to use OOB,
and some management tools do not work properly if the
management traffic's on a separate network.
For ideal, perfect-world situations like those we only see on
certification exams :), it's a good idea to know the difference
between these two approaches. It's also a Cisco best-practice
to use OOB. For real-world application of OOB, be sure to do
plenty of research for the particular network monitor you're using
and the potential impact on performance if the network
management traffic is segregated from the production data
traffic.
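Whichever approach you pick, it helps to be able to verify which one is actually in effect. The following is an added example (not from the original page) of a small check run over flow records: it classifies each flow as production data, management traffic arriving over the OOB network, or management traffic riding in-band, and lists the in-band cases for follow-up. The management subnet, interface names, addresses and flow records are all constructed.

```python
"""Spot management traffic that is riding in-band instead of on the OOB network.

Added example, not from the original page. The management network, interface
names and flow records below are constructed.
"""
import ipaddress
from typing import List, NamedTuple

# Constructed assumptions: the OOB management network and the interface it terminates on.
MGMT_NET = ipaddress.ip_network("10.255.0.0/24")
MGMT_INTERFACE = "Management0/0"

# Well-known management protocol destination ports.
MGMT_PORTS = {22: "ssh", 23: "telnet", 49: "tacacs+", 161: "snmp",
              162: "snmp-trap", 514: "syslog"}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    ingress: str     # interface the flow arrived on


def classify(flow: Flow) -> str:
    """Return 'data', 'oob-management', or 'in-band-management'."""
    if flow.dport not in MGMT_PORTS:
        return "data"
    from_mgmt_net = ipaddress.ip_address(flow.src) in MGMT_NET
    if from_mgmt_net and flow.ingress == MGMT_INTERFACE:
        return "oob-management"
    # Management protocol, but either not from the management network
    # or not arriving on the management interface: it is sharing the production path.
    return "in-band-management"


def in_band_management_flows(flows: List[Flow]) -> List[Flow]:
    """Flows to follow up on: management protocols seen on the production network."""
    return [f for f in flows if classify(f) == "in-band-management"]


# Constructed sample flow records, as a monitoring tool might export them.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "192.0.2.10", 443, "GigabitEthernet0/1"),   # customer HTTPS: data
    Flow("10.255.0.5", "192.0.2.10", 22, "Management0/0"),          # admin SSH over OOB
    Flow("10.255.0.5", "192.0.2.10", 161, "Management0/0"),         # SNMP poll over OOB
    Flow("192.0.2.44", "192.0.2.10", 22, "GigabitEthernet0/1"),     # SSH from production LAN
    Flow("10.255.0.5", "192.0.2.10", 514, "GigabitEthernet0/1"),    # mgmt host, production path
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>14} -> {f.dst}:{f.dport:<4} via {f.ingress:<20} {classify(f)}")
```

The last sample flow is the interesting one: it comes from a management-network address but arrived on the production interface, which usually means the management network has been routed into the data path somewhere. Flows like that, and tools that refuse to work over the separate network, are the inputs to the "is OOB practical here" decision the text describes.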
Hot Spots And Gotchas
The Cisco ASA 5500 Adaptive Security Appliance really does it
all in network security - VPN, IPS, antispyware, antivirus, and
more!
The Cisco Self-Defending Network's "big three" selling points:
Integrated - Security is embedded into the network and not
treated as an afterthought
Collaborative - Services and devices work together to
thwart attacks on the network
Adaptive - Security techniques and approaches evolve as
attack techniques advance
IronPort is Cisco's email / web security appliance. IronPort uses
SenderBase as its email monitoring service and the Dynamic
Vectoring and Streaming (DVS) engine for signature-based
spyware filtering.
The Cisco Security Agent Interceptors and their purpose:
File System, allows/denies RO and RW file access requests
Configuration, allows/denies writes to the Windows Registry and
the rc files in Unix
Network, works to prevent SYN flooding attacks and port scans
Execution Space, prevents buffer overflows.
Copyright 2008 The Bryant Advantage. All Rights Reserved.