In this multipart series I will be presenting some of the leading industry-standard best practices for enterprise network security using Cisco technologies. Each article in the series will cover a different aspect of security technologies and designs and how each can be deployed in the enterprise to provide the best security posture at the lowest possible budgetary and administrative cost.

In Part 3 of this series I began to discuss Cisco technologies as a standard for enterprise data security. In this article we take a look at how Cisco firewall and packet filtering technologies can be used at the network perimeter to enhance enterprise security.

Perimeter Security - Filtering and Firewalls

Effective enterprise security starts at the network perimeter, or the boundary between the private and locally managed-and-owned side of a network and the public side that is usually managed by a service provider. While the network perimeter has often been considered nothing more than a router connection to the Internet, in an effective enterprise security design the network perimeter offers great opportunity for enhancing the security posture of the network.

The network perimeter contains several potential enforcement points, or points within the network architecture where security policies for admission control can be enforced. The network perimeter as a whole is one of the primary enforcement points of security policy in the enterprise and arguably the most important enforcement point in the defense against external threats. Many type of security can be deployed at the perimeter, including packet filtering, Intrusion Detection and Protection (IDS/IPS), anomaly detection and reporting, and stateful packet inspection via firewall.

The network perimeter consists of a Border Network and Perimeter Network; each considered an enforcement point within the network perimeter with each having a unique role in the perimeter security design. Enforcing security policy at each of these points within the network perimeter provides an enhanced security posture termed Defense in Depth security.

Network Perimeter architecture (multi-tier design)

Border Network

The border network faces directly onto the Internet via a gateway router which should provide an initial layer of protection, in the form of basic network traffic ingress and egress filtering. With ingress filtering, inbound traffic flows are subjected to an initial set of router-based filters to drop malformed, spoofed, or undesirable traffic at the point of entry to the border network. This enhances security and reduces exposure to common network attacks while at the same time decreasing latency and load on upstream firewall platforms. Egress filtering allows for filtering of outbound traffic flows to prevent specific types of communications from leaving the organization. The filtering of ICMP responses is a common type of egress filtering deployed at the border router and is used to obscure the network architecture from a probing attacker.

Ingress and Egress Filtering at the Internet gateway router

All models of Cisco routers provide the capability for filtering at the border network. Ingress filtering is a robust and effective security tool and there are several good configurations provided by both Cisco and third party sources, making this a simple and effective solution to deploy. Remotely Trigger Black Hole Filtering (RTBH) is a notable example of effective ingress filtering, which provides a method for quickly dropping undesirable traffic at the network border. This can be used to effectively mitigate DDoS and worm attacks, quarantine traffic destined for a target under attack, or to enforce blacklist filtering. Bogon filters are another type of ingress filtering and are used to defend against the use of spoofed source addresses (A “bogon” is an informal name for an IP packet on the public Internet that claims to be from an area of the IP address space reserved, but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Internet registry).

In addition to filtering at the border network all Internet-facing routers should be heavily configured as a security device, or hardened, for both defense of the enterprise and the router itself. While there are many good templates available for hardened router configurations Cisco provides the capability to use the Auto Secure router configuration macro to simplify the process. Auto Secure applies a diverse set of best practice configuration settings to harden the security of the router by disabling common IP services that can be exploited for network attacks, and by enabling IP services and features that can aid in the defense of the network and router when under attack. Using hardened router configurations in conjunction with ingress and egress filtering can add a highly effective layer of defense to your enterprise security design.

Cisco Auto Secure placement in the perimeter architecture

Once traffic has been passes through initial filtering, the gateway router directs traffic to the perimeter network through a perimeter firewall where traffic is classified and inspected by a set of true firewall policies and rules. This firewall will subject traffic flows to security policy designed to protect the perimeter network from threats originating from the Internet or other networks connected via the border network.

Perimeter Network

This network, often referred to as the DMZ (demilitarized zone) or edge network, links incoming users to publicly accessible services such as web servers or portals. The primary role of the perimeter network is to segregate publicly-accessible systems from those residing on the protected internal network. This reduces the potential exposure and scope of security vulnerabilities in the perimeter network and severely limits or negates entirely the ability of an attacker to use systems located within the perimeter network to aid in the attack of internal systems.

Traffic flowing from the perimeter network to the protected internal network passes through an internal firewall where traffic is classified and inspected by a much more restrictive set of policies and rules as those use on the perimeter firewall. These stateful packet inspection firewall rules are designed to track and limit both the inbound and outbound flow of data to that which is permitted by business need and justification. Stateful packet inspection (SPI) is a firewall process that keeps track of the state of network connections (such as TCP streams, UDP communication) as data passes through the firewall. The stateful firewall is designed to distinguish legitimate data for different types of connections, protocols and services. Only packets matching a known connection state will be allowed by the firewall; all other packets will be rejected and dropped from the traffic flow.

Stateful Packet Inspection

Many organizations opt for a single layer of firewall protection at the perimeter. However, an enhanced perimeter network security design can consist of two firewall instances where traffic is inspected at multiple enforcement points. This provides the capability to focus firewall services on distinct segments of the network perimeter while maintaining simplified yet effective security policies and rule sets. As a key component in a sound Defense in Depth security design, this multi-tier firewall approach provides a much greater level of reliability and flexibility than a single multi-interface firewall platform.

Firewall Implementation: Physical vs Logical Separation

Firewalls are deployed within the enterprise environment to provide either physical or logical separation. It has long been considered a security design best-practice to ensure that a firewall is implemented to physically separate the Internet from internal networks and systems. This guarantees that all inbound and outbound traffic flows must pass through the firewall. While this provides enhanced security it is also a limiting factor in your network design.

Conversely, a logically separated firewall design allows a switch or router configuration to determine which traffic is directed through the firewall and which traffic is allowed to pass unabated. While this provides a much greater level of flexibility in a network design great care must be taken to ensure that traffic is being secured in a responsible manner. Logical firewall separation is typically achieved using VLAN (virtual LAN) technology to segregate traffic. Keep in mind that a logically separated subnet is still physically connected to other subnets in the same switch architecture. Normally for traffic to go from one VLAN to another it must pass through a router or firewall; because there is no actual physical separation between the VLANs, however, it is possible for traffic on one VLAN to be inadvertently delivered—often through human-imposed configuration errors—to another VLAN without using a router or firewall. This would allow traffic flows to circumvent firewall policy and is the primary concern with using logical firewall designs.

Physical separation firewall deployment

Logical separation firewall deployment

In perimeter networks it is highly recommended that physical separation be implemented wherever possible. This prevents traffic flows from bypassing the firewall due to configuration errors in the network or malicious intent by an intruder. Ensuring that traffic flows are directed through the firewall guarantees that all traffic is subjected to firewall security policy, inspected and logged accordingly. In terms of internal firewall design, such as Data Center firewall implementations, the logical separation of resources on a trusted network is generally considered an adequate security risk, although it is not as secure as physical separation of resources.

Firewall designs based on both physical and logical separations have their place in the network architecture. Which design is implemented depends on where the firewall resides in the architecture and what data is being secured by that firewall. Both the Cisco ASA (Adaptive Security Appliance) 5500 series and Cisco Catalyst 6500 Series Firewall Services Module (FWSM) firewall platforms can be deployed in either physical or logical separation designs. The ability to operate either platform in multi-context mode—where virtual firewalls can be configured and deployed from a single firewall device—provides for a greater flexibility in logical separation designs, allowing different firewall policies to be applied to separate interfaces, traffic flows or functions within the firewall platform.

Cisco also offers the Cisco IOS firewall platform, integrated in the Cisco Integrated Services Router (ISR) platforms. This IOS-based firewall offers the advantage of an integrated security approach allowing organizations to build upon their existing IT infrastructure, which simplifies the process of deploying an end-to-end security model. The Cisco IOS firewall platform, while not suitable for large enterprise deployments, is a solid choice in small or medium-sized organizations and can be integrated within either a physical or logical separation firewall design.

When designing firewall architectures the principle of simplicity is something that should be first and foremost in the mind of a designer. Essentially, the more simple the firewall solution the more secure and easier to manage it becomes. Complexity in design and function can often lead to configuration errors and an elevated level of risk to the enterprise.