
Perimeter Security

In the document CCSP CSI Exam Certification Guide (Page 190-194)

In networking terms, a perimeter usually exists where a private network meets a public network. It can also be found internally in a private network where sensitive data may need to be protected from unauthorized access. However, more commonly, a perimeter is thought of as the entry point into a network for connections that are not to be trusted.

An Internet access point for a company is a typical example where you would apply perimeter security and hence control access to critical applications, services, and data so that only legitimate users and information can pass through the network.

Traditionally, perimeter security has been provided by a firewall that performs stateful inspections on packets and sessions to determine whether packets should be transmitted or dropped. Generally, firewalls protect from some of the vulnerabilities of the perimeter network.

Typical perimeter attacks or vulnerabilities are as follows:

Passive eavesdropping—An intruder performs, for example, network packet sniffing or network snooping. The information gathered by eavesdropping can then be used to mount other attacks against the network.

Denial of service (DoS)—An intruder attempts to deny network or networked computer services to legitimate users.

IP address spoofing—An intruder manipulates the source IP address of his traffic to prevent detection.

Unauthorized access—An intruder gains unauthorized access to networked computers or networking devices through any of a variety of means, such as social engineering or various exploitations.

Port scan—An intruder uses an application that scans for active ports on a network device.

Data manipulation—A network intruder captures, manipulates, and replays data sent over a communication channel.

Session replay or hijacking—An intruder captures, manipulates, and replays a sequence of packets or application commands to cause an unauthorized action.

Perimeter Security 159

Rerouting attack—An intruder manipulates routing updates to cause traffic to flow to unauthorized destinations.

Malicious destruction—An intruder causes destruction to data on purpose.

Nowadays, perimeter security can use not only the traditional firewall but also other networking components, such as routers, and more specialized components, such as intrusion detection devices.

The next few sections discuss routers and firewalls.

Routers

As shown in Figure 11-1, the perimeter router is the first line of defense for the Internet connection.

Its basic role is to provide the following:

Basic filtering

IP address spoofing mitigation

Protection of the firewall from direct attack
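As an added illustration (not code from the book or from Cisco), the following Python simulation shows how the three roles just listed map onto an ingress filter on the perimeter router's outside interface: spoofed and unroutable source addresses are dropped first, traffic addressed straight at the firewall is dropped next, and only the exposed web services are forwarded. The addressing is constructed for the example: 203.0.113.0/24 is assumed to be the company's public block, .10 a web server and .2 the firewall's outside address.

```python
"""Simulated ingress filter for a perimeter router's outside interface.

Models the three perimeter-router roles: basic service filtering, IP address
spoofing mitigation (ingress filtering) and shielding the firewall from
traffic addressed directly to it.  All addresses are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example addressing (assumption, not from the book).
INTERNAL_PREFIXES = [ip_network("203.0.113.0/24")]     # company's public block
WEB_SERVERS = {ip_address("203.0.113.10")}              # exposed web server
FIREWALL_OUTSIDE = ip_address("203.0.113.2")            # firewall's outside interface

# Sources that must never arrive from the Internet: the company's own block
# (an "inside" source cannot legitimately come from outside) plus private,
# loopback, "this network", link-local and multicast space.
BOGON_SOURCES = INTERNAL_PREFIXES + [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]

# Basic filtering: the only services the router forwards toward the web servers.
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def ingress_verdict(pkt):
    """Return ("permit" | "drop", reason) for one packet arriving from outside."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # 1. Anti-spoofing: source must not belong to inside or unroutable space.
    for net in BOGON_SOURCES:
        if src in net:
            return "drop", f"spoofed/bogon source {src} in {net}"
    # 2. Protect the firewall: nothing from outside may be addressed to it.
    if dst == FIREWALL_OUTSIDE:
        return "drop", "traffic addressed directly to the firewall"
    # 3. Basic filtering: permit only the published services to the web servers.
    if dst in WEB_SERVERS and (pkt.proto, pkt.dport) in ALLOWED_SERVICES:
        return "permit", f"{pkt.proto}/{pkt.dport} to web server {dst}"
    return "drop", "no matching permit rule (implicit deny)"


def filter_ingress(packets):
    """Apply the ingress policy to a list of packets, preserving order."""
    return [ingress_verdict(p) for p in packets]


# Constructed sample traffic arriving on the outside interface.
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 443),   # legitimate client
    Packet("203.0.113.50", "203.0.113.10", "tcp", 80),    # source claims to be inside
    Packet("10.1.2.3", "203.0.113.10", "tcp", 80),        # RFC 1918 source
    Packet("198.51.100.7", "203.0.113.2", "tcp", 443),    # aimed at the firewall
    Packet("198.51.100.7", "203.0.113.10", "tcp", 22),    # service not exposed
]

if __name__ == "__main__":
    for p, (verdict, why) in zip(SAMPLE, filter_ingress(SAMPLE)):
        print(f"{verdict:6} {p.src} -> {p.dst} {p.proto}/{p.dport}  ({why})")
```

The rule order matters: the anti-spoofing check runs before any permit so that a packet forging an internal source address can never match the web-server permit, and the trailing implicit deny is what makes the list a whitelist rather than a blacklist.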

Figure 11-1 Perimeter Router (topology labels: Internet, ISP Router, Perimeter Router, Internal LAN, Web Servers)

Many routers today have more advanced and powerful perimeter security features available for use in securing the perimeter connection. Cisco routers with Cisco IOS feature-rich software can provide some of the following advanced perimeter security features:

Control of TCP/IP services

Extensive access control list (ACL) functionality

Network Address Translation

Stateful packet-filter firewall

IPSec support

User authentication

This functionality is available across the breadth of the Cisco IOS router product portfolio from the SOHO/800 Series routers up to the enterprise and service provider class series of routers.

Further detailed information on the features available on Cisco routers can be found at Cisco.com by searching for “routers.”

Firewalls

By definition, a firewall is a system or group of systems designed to prevent unauthorized access to or from a private network. Firewalls are generally implemented as a hardware device, but software versions are also available.

The method by which firewalls operate can be based on one of three technologies:

Packet filtering—Limits the information that is permitted into a network based on the destination and source address.

Proxy server—Requests connections between a client on the inside of the firewall and a client on the outside of the firewall.

Stateful packet filtering—Limits the information that is permitted into a network based not only on the destination and source address but also on the packet data content.

Cisco offers two lines of firewalls: Cisco IOS Firewalls and Cisco PIX Firewalls. The next two sections describe each type.

Cisco IOS Firewalls

The Cisco IOS Firewall is a Cisco IOS software option that is available with a wide range of routers. The Cisco IOS Firewall provides a stateful packet-filter firewall, which includes intrusion detection and authentication capabilities. These added security features enhance the existing security capabilities that are already present in the standard Cisco IOS router and offer sophisticated security and policy enforcement for connections within the perimeter.


The enhancements to the existing Cisco IOS security features (such as packet filters, authentication, and encryption) include the following:

Context-based access control (stateful, application-based filtering)—Provides secure access control across the network perimeter by scrutinizing both source and destination addresses of traffic flows and by tracking each application’s connection status.

Intrusion detection—Currently compares traffic flows to 59 default intrusion detection signatures and can direct the information from these comparisons to the Cisco Secure Policy Manager (CSPM) or a similar device.

Per-user authentication and authorization—Integrates with either RADIUS or TACACS+ services.

Real-time alerts—Provides real-time reporting of IDS alerts and other events.

VPN support—Uses the IETF IPSec standard and other technologies such as L2TP tunneling. This support also includes the availability of optional IPSec hardware acceleration modules across most router platforms.

Currently, the Cisco IOS Firewall is available across a wide range of routers, from the SOHO/800 Series through the 7200 Series platforms.

You can find more detailed information about the Cisco IOS Firewall at Cisco.com by searching for “Cisco IOS Firewall.”

Cisco PIX Firewalls

The Cisco PIX Firewall is a dedicated hardware firewall that is built around a secure, real-time, embedded operating system that provides excellent performance without compromising security. The PIX Firewall family spans the entire user application spectrum, from compact desktop firewalls for SOHO environments to carrier-class gigabit firewalls for the enterprise and service provider environments.

Recently a Firewall Services Module (FWSM) has also become available for the Cisco Catalyst 6500 switch and Cisco 7600 Series routers, providing up to 5 Gbps of throughput.

The PIX Firewall is a stateful firewall appliance that provides a wide range of security and networking functionality and services. Some of these include the following:

Adaptive Security Algorithm (ASA)—Maintains the secure perimeters between the networks that are controlled by the firewall. ASA is the heart of the PIX Firewall.

Authentication and authorization—Integrates with either RADIUS or TACACS+ services.

Content filtering—Integrates with URL packages and includes internal support for Java and ActiveX filtering.

Cut-through proxy—After a user is authenticated, the firewall shifts the session flow directly between the source and destination, resulting in a marked increase in performance.

DHCP—Provides DHCP services.

Network Address Translation (NAT) and Port Address Translation (PAT)—Provides rich dynamic and static NAT and PAT capabilities.

Multimedia services—Supports common multimedia applications.

Stateful firewall—Monitors the traffic flow to verify that the destination of an inbound packet matches that of the source of a previous outbound packet.

URL filtering—Supports URL filtering services.

VPN functionality—Uses the IETF IPSec standard. This support also includes the availability of optional IPSec hardware VPN acceleration cards (VAC) starting at the mid-range models upwards.
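The stateful behaviour described for the PIX above (an inbound packet is admitted only when it answers an earlier outbound packet) is the same idea as the stateful packet filtering and context-based access control described earlier in the chapter. The following Python simulation, added here and not taken from the book or from any Cisco product, contrasts a connection-tracking filter with a stateless packet filter that approximates return traffic by permitting inbound packets to high ports. Addresses, ports and the permitted outbound services are constructed for the example, and connection teardown is simplified to a single FIN from either side.

```python
"""Stateful versus stateless packet filtering, simulated.

The stateful filter records each permitted outbound flow and admits inbound
packets only when they match a recorded flow.  The stateless filter has no
memory, so it can only approximate return traffic with a port-range rule.
All traffic below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "out": inside -> outside, "in": outside -> inside
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    fin: bool = False   # connection teardown marker (simplified to one FIN)


class StatefulFilter:
    def __init__(self, outbound_services):
        self.outbound_services = outbound_services   # {(proto, dport)} inside may open
        self.table = set()                           # tracked flows

    @staticmethod
    def _flow(p):
        """Normalise a packet to (proto, inside_ip, inside_port, outside_ip, outside_port)
        so that a reply maps onto the same key as the request that created it."""
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p):
        flow = self._flow(p)
        if p.direction == "out":
            if flow in self.table:
                verdict = "permit"                   # continuation of a known flow
            elif (p.proto, p.dport) in self.outbound_services:
                self.table.add(flow)                 # new flow: create state
                verdict = "permit"
            else:
                return "drop"                        # service not allowed outbound
        else:
            if flow not in self.table:
                return "drop"                        # unsolicited inbound packet
            verdict = "permit"                       # reply to a tracked flow
        if p.fin:
            self.table.discard(flow)                 # tear down state on close
        return verdict


def stateless_verdict(p, outbound_services):
    """A memoryless filter: inbound 'return traffic' is guessed from the port number."""
    if p.direction == "out":
        return "permit" if (p.proto, p.dport) in outbound_services else "drop"
    return "permit" if p.dport >= 1024 else "drop"


def run(packets, outbound_services):
    """Return [(stateful_verdict, stateless_verdict), ...] for a packet sequence."""
    fw = StatefulFilter(outbound_services)
    return [(fw.process(p), stateless_verdict(p, outbound_services)) for p in packets]


OUTBOUND = {("tcp", 80), ("tcp", 443)}

# Constructed sample sequence.
SAMPLE = [
    Packet("out", "10.0.0.5", 40000, "198.51.100.20", 443),           # inside opens HTTPS
    Packet("in", "198.51.100.20", 443, "10.0.0.5", 40000),            # legitimate reply
    Packet("in", "198.51.100.99", 443, "10.0.0.5", 40000),            # unsolicited, wrong peer
    Packet("in", "198.51.100.20", 443, "10.0.0.5", 40001),            # unsolicited, wrong port
    Packet("out", "10.0.0.5", 40002, "198.51.100.20", 23),            # telnet not permitted
    Packet("in", "198.51.100.20", 443, "10.0.0.5", 40000, fin=True),  # server closes
    Packet("in", "198.51.100.20", 443, "10.0.0.5", 40000),            # arrives after close
]

if __name__ == "__main__":
    for p, (stateful, stateless) in zip(SAMPLE, run(SAMPLE, OUTBOUND)):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport}  "
              f"stateful={stateful:6} stateless={stateless}")
```

The third, fourth and last packets are where the two designs diverge: the stateless filter admits them because they happen to target a high port, while the stateful filter drops them because no inside host opened, or still holds, a matching connection. The FIN handling shows why state must also be removed: once the server closes, a packet reusing the old 5-tuple is no longer return traffic.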

You can find more detailed information about the Cisco Secure PIX Firewall at Cisco.com by searching for “PIX Firewall.”
