principles of secure network design_020-bc[1]


  • 8/7/2019 Principles of Secure Network Design_020-BC[1]

    1/15

Principles of Secure Network Design and Security Awareness

    Submitted by: Bill Chadwick

    Technical Education Specialist

    CCNA, CCNP, CCDA, CCDP, CCSP, CCSI

    Content Consulting, Learning@Cisco

    Cisco Systems, Inc.

    July 15, 2008

    File under CCNA-Security (IINS)


Principles of Secure Network Design

This topic describes the system-level security principles that you should consider throughout the lifecycle of a secure network.

Business goals and risk analysis drive the need for network security. Regardless of the security implications, business needs must come first. If your business cannot function because of security concerns, you have a problem. The security system design must accommodate the goals of the business, not hinder them. Risk analysis includes two key elements:

What does the cost-benefit analysis of your security system tell you?

How will the latest attack techniques play out in your network environment?

The following are the key factors you should consider when designing a secure network:

Business needs: What does your organization want to do with the network?

Risk analysis: What is the risk and cost balance?

Security policy: What are the policies, standards, and guidelines that you need to address business needs and risks?

Industry best practices: What are the reliable, well-understood, and recommended security best practices?

Security operations: These operations include incident response, monitoring, maintenance, and auditing the system for compliance.

    2008 Cisco Systems, Inc. All rights reserved.

Secure Network Design Factors

Many factors affect the design of a secure network:

Business needs

Risk analysis

Security policy

Industry best practices

Security operations

[Figure: the security system is shaped by five inputs: Business Needs, Risk Analysis, Security Policy (policies, guidelines, standards), Industry Best Practices, and Security Operations (incident response, monitoring, maintenance, and compliance auditing).]


Realistic Assumptions

A lot of security is broken because of unfounded assumptions about users, attackers, and technology.

Assumptions must be set properly and always questioned to ensure their validity:

Expect that anything might fail (identify fail-open elements).

Identify all possible attack paths.

Realistically evaluate availability of exploitation tools.

Account for technology advances.

Assume users will not use systems properly.

Double-check your assumptions with others.

Historically, a huge percentage of security mechanisms are broken, misconfigured, or bypassed because the designer or implementer made unfounded assumptions about how and where the system will be used; for example, wrong assumptions were made about the users of the system, the attackers and threats, and the technology that is used to build the system.

A wrong assumption ends up being used as a bad axiom in all further design work; it might influence one design decision and then propagate to other decisions that depend on it. Wrong decisions are especially dangerous in the early stages of secure system design, when threats are modeled and risks are assessed. It is often easy to correct or enhance an implementation aspect of a system; however, design errors are either extremely hard or impossible to correct without substantial investments in time and technology.

The following is a summary of recommendations you should follow to avoid making wrong assumptions:

First, expect that any aspect of a system might fail, and evaluate how this failure affects the security of the system. It is possible for every single element of a system to fail; only the probability of failure differs from element to element. When designing a system, perform what-if analysis for failures of every element, assess the probability of failure, and analyze all possible consequences of an element failure, taking into account consequent cascading failures of other elements.

As a part of the "anything can fail" mindset, identify any elements that fail open. Fail-open occurs when a failure results in a complete bypass of the security function of the element. Ideally, any security element should be fail-safe: if the element fails, it should default to a secure state, such as blocking all traffic across it.

Try to identify all attack possibilities. The attack tree method is one successful method of top-down analysis of possible system failures, which involves evaluating the simplicity and probability of every attack.

Realistically evaluate the probability of exploitation. An often-encountered philosophy is "if there is no exploit code available for a particular vulnerability, no one will be able to exploit it." This philosophy is true only for script-kiddie attacks, and a sounder stance must be taken, such as "if a vulnerability exists, any skilled and focused attacker will easily write a tool to exploit it." The focus should be on the resources that are needed to create an attack tool, not on the obscurity of the vulnerability.

Always account for technological advances if an attack is currently unlikely because the attacker needs many resources. As computer power increases, the probability of attacks might increase at an alarming rate. Many systems have been compromised because of unrealistic assumptions about how much computing power was necessary to mount successful attacks; the recommended lengths of cryptographic keys are a prime example.

Assume that people will make mistakes; for example, end users might use a system improperly, compromising its security unintentionally. Likewise, attackers will not necessarily use common and well-established techniques to compromise a system; they might hammer the system with seemingly random attacks, looking for possible information on how the system behaves under unexpected conditions.

Lastly, always check your assumptions with other people, who might have a fresh perspective on potential threats and their probability. The more people that question your assumptions, the more likely you are to identify a bad assumption.
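The attack-tree method and the "resources, not obscurity" and "account for technology advances" points above, worked through in an added example that is not part of the original course material. Every leaf carries the resources an attacker needs and a probability of success; OR nodes take the cheapest viable child, AND nodes need all children; a technology advance is a factor that shrinks the cost of compute-bound leaves, and "no exploit code exists" is just a cost. All node names, costs and probabilities are constructed sample values.

```python
"""Attack-tree evaluation for the 'realistic assumptions' guidance.

Added example, not from the original course material. Costs, probabilities
and node names below are constructed.
"""
import math
from dataclasses import dataclass, field
from typing import List, Tuple

Result = Tuple[float, float, List[str]]  # (cost, probability, steps on the path)


@dataclass
class Node:
    name: str
    kind: str = "leaf"            # "leaf", "and" or "or"
    cost: float = 0.0             # resources needed to attempt this step
    prob: float = 1.0             # probability the step succeeds if attempted
    compute_bound: bool = False   # cost falls as computing power grows
    children: List["Node"] = field(default_factory=list)


def evaluate(node: Node, compute_factor: float = 1.0, min_prob: float = 0.5) -> Result:
    """Return the attacker's best option under `node`.

    compute_factor scales the cost of compute-bound leaves (0.01 means 100x
    more computing power than assumed at design time). Branches whose success
    probability falls below min_prob are treated as not viable.
    """
    if node.kind == "leaf":
        cost = node.cost * (compute_factor if node.compute_bound else 1.0)
        return (cost, node.prob, [node.name])

    results = [evaluate(c, compute_factor, min_prob) for c in node.children]
    if node.kind == "and":
        # Every child must succeed: costs add up, probabilities multiply.
        cost = sum(r[0] for r in results)
        prob = math.prod(r[1] for r in results)
        steps = [s for r in results for s in r[2]]
        return (cost, prob, steps)
    if node.kind == "or":
        # The attacker picks the cheapest viable branch; ties go to the likelier one.
        viable = [r for r in results if r[1] >= min_prob]
        if not viable:
            return (math.inf, 0.0, [])
        return min(viable, key=lambda r: (r[0], -r[1]))
    raise ValueError(f"unknown node kind {node.kind!r}")


# Constructed sample tree: the attacker's goal is to read a confidential message.
TREE = Node("Read confidential message", "or", children=[
    Node("Break the encryption", "and", children=[
        Node("Intercept ciphertext", cost=1000, prob=0.9),
        # Key-length assumption: expensive today, cheap once computing power grows.
        Node("Exhaustively search the key space", cost=100_000, prob=1.0,
             compute_bound=True),
    ]),
    Node("Exploit the server", "and", children=[
        # 'No exploit code available' is modelled as a cost, not as impossible.
        Node("Write a working exploit for the published flaw", cost=8000, prob=0.8),
        Node("Use the exploit against the server", cost=500, prob=0.7),
    ]),
    Node("Guess a weak user password", cost=200, prob=0.05),
])


def cheapest_attack(compute_factor: float = 1.0) -> Result:
    """Best attack against TREE for a given growth in attacker computing power."""
    return evaluate(TREE, compute_factor)


if __name__ == "__main__":
    for factor in (1.0, 0.01):
        cost, prob, steps = cheapest_attack(factor)
        print(f"compute_factor={factor}: cost={cost:.0f} p={prob:.2f} via {steps}")
```

With today's assumed computing power the exploit branch is cheapest; at 100x the power the key search becomes the cheapest path, which is the design-time assumption the text warns about.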


Realistic Assumptions Example

DVD protection assumed that DVD players would be tamper resistant and the built-in keys would not be disclosed. Software players were quickly reverse engineered to reveal the CSS algorithm and decryption keys.

US analog cellular assumed that scanners were too expensive for an individual attacker, therefore no encryption was provided. This was quickly proven wrong.

U.S. digital cellular assumed that digital scanners were too expensive for an individual attacker, therefore no encryption was provided. This was also proven wrong.

Three examples of wrong assumptions come from areas not directly related to network security.

The encryption of DVD movies, which uses a weak algorithm called Content Scrambling System (CSS), is an example of bad assumptions made about the scope of system use. The original assumption was that DVD discs would be played only on hardware players, where the decryption keys could be stored in a tamper-resistant chip inside the player, making it extremely hard for even skilled attackers to compromise the DVD discs. However, when software DVD players appeared, the DVD discs were quickly reverse engineered, because making software tamper resistant is next to impossible against a determined attacker. The keys were recovered from one of the well-known players, and the algorithm was published on the Internet, together with the keys.

The response strategy of the DVD industry was to try to ban the publishing of the CSS algorithm and keys, but the decision of the court that the CSS algorithm source code was essentially free speech stopped much of their efforts.

Another example of a wrong or poor assumption was the lack of encryption of US cellular traffic. When cellular phones were first introduced, the assumption was that scanners, which could intercept cellular traffic, were too expensive to mount any large-scale attacks against call confidentiality in cellular networks. In a couple of years, the price of these scanners dropped to the point that the scanners were available to virtually anyone. Thus, bad assumptions compromised the protection policy of the cellular network.

The next-generation U.S. cellular service uses digital transmission, but the same assumption was made, that digital scanners are too expensive. As technology advances, the same story has unfolded for the digital transmissions.


Least Privilege Concept

A subject should have the minimal necessary privileges to perform a task.

This applies to users, programs, hosts, and so on.

This is perhaps the most important concept in a secure system design.

This concept enhances simplicity because it narrows down the window of vulnerability.

It limits possible unwanted interaction of system components.

This concept is often not followed because it can make a system cumbersome to use.

The least privilege concept is a philosophy in which each subject (user, program, host, and so on) should have only the minimum necessary privileges to perform a certain task.

The rationale behind the concept is that having too many privileges for a task can result in doing more damage than would be otherwise possible, whether the damage is intentional or unintentional. Using the least privileges always narrows down the window of vulnerability, because it reduces the number of possible side effects of a task. Least privilege also simplifies a system when you analyze it for possible flaws, because if you allow only a very limited set of prescribed actions and system states, the potential for unwanted interactions within a system is limited.

In practice, the least privilege concept is often not followed, because a person or process must perform multiple tasks that require different privileges. Because the configuration of privileges in such an environment is often cumbersome, a person or process is given high (or even worse, the highest possible) privileges, which automatically enables them to perform a variety of tasks, including the tasks originally required. This configuration of privileges opens up a system to additional threats and interactions, which might not be expected.


Least Privilege Example

Inside and outside users only need access to the web server program on the exposed host.

The web server does not need to open any connections to the inside or outside.

The firewall enforces those minimal permissions.

[Figure: the Internet and the inside network sit on either side of a firewall that fronts the web server; each side is permitted HTTP only to the server, and everything else is denied.]

The figure shows an example of proper least-privilege enforcement. A web server is located inside a firewall system, and must be accessed by inside and outside users. No other access to the system is necessary, and the system does not need to open any connections itself; it is a simple static web server.

In the example, the firewall is configured to permit only HTTP connectivity to the server, both from the inside interface and from the outside interface. The firewall denies all other connections to the server because they are not necessary. Also, the firewall prevents the web server from sourcing any connections because they are not required. An attacker who could compromise the web server would be isolated on it, because no connectivity is allowed from the web server.

In such a situation, many organizations would permit all access to the web server from the inside. This level of access opens up the server to insider attacks, or enables an attacker who managed to enter the protected network to also attack any service running on the web server.
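The firewall policy in the figure, as an added example that is neither the course's own code nor a Cisco configuration: a small first-match rule evaluator with an implicit deny at the end, loaded with the three rules the text describes (HTTP only to the server from either side, nothing sourced by the server). It also carries the fail-safe point from the Realistic Assumptions topic: a policy that cannot be loaded results in deny, never in permit. Addresses, networks, the policy syntax and the flows are constructed sample values.

```python
"""Least-privilege firewall policy for the static web server figure.

Added example, not from the course material and not a real firewall's
configuration language. All addresses and flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

WEB_SERVER = "192.0.2.10/32"   # constructed: the exposed host behind the firewall
INSIDE_NET = "10.0.0.0/8"      # constructed: the protected inside network
ANY = "0.0.0.0/0"

# Constructed policy text in a simple 'action proto src dst port' form.
# Everything not listed here is dropped by the implicit deny in evaluate().
POLICY = f"""
permit tcp {INSIDE_NET} {WEB_SERVER} 80
permit tcp {ANY} {WEB_SERVER} 80
deny   ip  {WEB_SERVER} {ANY} any
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]       # None means any port

    def matches(self, flow: Flow) -> bool:
        return (self.proto in ("ip", flow.proto)
                and ip_address(flow.src) in self.src
                and ip_address(flow.dst) in self.dst
                and (self.dport is None or self.dport == flow.dport))


def load_policy(text: str) -> List[Rule]:
    """Parse the policy text; any malformed line raises ValueError."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"malformed rule: {line!r}")
        action, proto, src, dst, port = parts
        rules.append(Rule(action, proto, ip_network(src), ip_network(dst),
                          None if port == "any" else int(port)))
    return rules


def evaluate(flow: Flow, rules: List[Rule]) -> str:
    """First matching rule wins; no match means the implicit deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


def decide(flow: Flow, policy_text: str = POLICY) -> str:
    """Fail-safe wrapper: a policy that cannot be loaded blocks traffic
    (fail-closed) instead of letting everything through (fail-open)."""
    try:
        rules = load_policy(policy_text)
    except ValueError:
        return "deny"
    return evaluate(flow, rules)


if __name__ == "__main__":
    for f in (Flow("10.1.1.5", "192.0.2.10", "tcp", 80),
              Flow("203.0.113.7", "192.0.2.10", "tcp", 22),
              Flow("192.0.2.10", "10.1.1.5", "tcp", 445)):
        print(f, "->", decide(f))
```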

You can see another example of least privilege enforcement by looking at the web server host itself. The host runs an exposed web server program, which is expected to be attacked by external crackers. Therefore, the web server program must be protected, and at the same time, other processes and data on the host must be protected from the attacker, who can potentially compromise the web server program. To protect the rest of the operating system, you can use several well-known techniques, all of which implement the least privilege concept:

Run the web server program under a special username, which has minimal rights in the host operating system (it can listen on port 80 and it can access its data on disk).

Set the file permissions in such a way that the web server program can access only its executable code (which is not owned by it, so it cannot be changed by it) and the documents it is serving (HTML, multimedia files).

Configure the operating system to limit the web server program to a part of the file system, disallowing it access to any other directories, for example, by using the UNIX chroot system call.
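An added example, not the course's own code, that audits the file-permission rule above for the web server's service account: the executable must be neither owned nor writable by it, the documents it serves must be readable but not writable by it, and any symbolic link leading outside the document root is flagged, since that is the kind of escape the chroot step is meant to close. Ownership and mode bits are read with os.lstat rather than os.access, so the verdict does not depend on who runs the audit; the service account's uid and gids, the function names, and the sample directory tree are all assumptions constructed for the example.

```python
"""Least-privilege file audit for a static web server's service account.

Added example, not from the course material. The sample tree built by
build_sample_tree() is constructed test data with deliberate mistakes.
"""
import os
import shutil
import stat
import tempfile
from typing import Iterable, List, Set, Tuple


def _can(st: os.stat_result, uid: int, gids: Set[int],
         user_bit: int, group_bit: int, other_bit: int) -> bool:
    """Classic UNIX mode check: owner class, else group class, else others."""
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def writable_by(st: os.stat_result, uid: int, gids: Set[int]) -> bool:
    return _can(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def readable_by(st: os.stat_result, uid: int, gids: Set[int]) -> bool:
    return _can(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def audit(service_uid: int, service_gids: Iterable[int],
          exe_path: str, docroot: str) -> List[str]:
    """Return the least-privilege violations found (an empty list means clean)."""
    gids = set(service_gids)
    findings = []

    st = os.lstat(exe_path)
    if st.st_uid == service_uid:
        findings.append(f"{exe_path}: owned by the service account")
    if writable_by(st, service_uid, gids):
        findings.append(f"{exe_path}: writable by the service account")

    root_real = os.path.realpath(docroot)
    paths = [docroot]
    for dirpath, dirnames, filenames in os.walk(docroot):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            target = os.path.realpath(path)
            if not (target == root_real or target.startswith(root_real + os.sep)):
                findings.append(f"{path}: symlink leaves the document root ({target})")
            continue  # the link target is judged where it really lives
        if writable_by(st, service_uid, gids):
            findings.append(f"{path}: writable by the service account")
        if not readable_by(st, service_uid, gids):
            findings.append(f"{path}: not readable by the service account")
    return findings


def _write(path: str, mode: int) -> None:
    with open(path, "w") as f:
        f.write("x\n")
    os.chmod(path, mode)


def build_sample_tree(base: str) -> Tuple[str, str]:
    """Constructed layout: one correct document, one world-writable one,
    and a symlink that escapes the document root."""
    docroot = os.path.join(base, "htdocs")
    os.mkdir(docroot)
    os.chmod(docroot, 0o755)
    exe = os.path.join(base, "httpd")
    _write(exe, 0o755)                                   # correct: read/execute only
    _write(os.path.join(docroot, "index.html"), 0o644)   # correct: read-only
    _write(os.path.join(docroot, "upload.txt"), 0o666)   # mistake: world-writable
    secret = os.path.join(base, "config.ini")
    _write(secret, 0o644)
    os.symlink(secret, os.path.join(docroot, "config.ini"))  # mistake: escapes
    return exe, docroot


def demo() -> List[str]:
    """Build the sample tree and audit it for a uid that owns none of the files."""
    base = tempfile.mkdtemp()
    try:
        exe, docroot = build_sample_tree(base)
        return audit(os.getuid() + 1, set(), exe, docroot)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```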


Design and Implementation Simplicity

Complexity makes parts of the system interact in unpredictable ways.

The system can be hard or impossible to analyze.

Complexity is often considered the biggest enemy of security design.

You should make design and implementation simple and straightforward.

You should use multiple simple security features instead of one complex one, as long as they are comparable in protection strength.

Make sure that the user of the system understands it well enough to use it properly.

Complexity is one of the biggest enemies of security. Complexity makes it hard for the designer or implementer to predict how parts of the system will interact, and makes the system hard or impossible to analyze from the security perspective. Simplicity of design and implementation should therefore be one of the main goals of the designer.

When you must implement a security mechanism, it is always recommended to use the simplest possible solution that still provides an adequate level of security. When you need to put in place a very complex mechanism, consider replacing it with multiple simpler and easier-to-verify mechanisms, as long as the resulting protection strength is comparable to the original idea.

Also, simplicity is beneficial for the end users of the system. If the end user does not understand the system adequately, the system can be compromised through unintentional misuse. It is important to note that end users do not need to be aware of the internal workings of the system, but the usage instructions should be simple and concise, as far as security is concerned.


Simplicity Example

Simplicity in protection policy makes it easier to implement.

End-user responsibilities: "All end users will participate in risk mitigation by enforcing discretionary access control on file system objects in such a way as to prevent external subjects from violating the integrity of the properties or contents of an object."

vs.

End-user responsibilities: "When changing file permissions, ensure that only Cisco employees will have write access to that file."

You can find an example of design and implementation simplicity in the formulation of a user security policy. The example shows two ways to formulate a security policy that is enforced by the end user. An overly technical, confusing formulation alienates users, while a simple and concise formulation enables the user to easily comprehend the required procedures and understand why such protection must be put in place.

Note: In short, simplicity in design often makes the implementation of security simpler.

You can also achieve simplicity by intentionally removing functionality from existing systems. This concept introduces the well-known practice of disabling all unnecessary services that a system offers. Disabling these services removes many potential attack possibilities; you could identify this as the enforcing of least privilege (running only the minimal necessary set of services) and it makes the system easier to analyze. The figure shows a Cisco IOS router that has been hardened by disabling unnecessary features.

Another way to simplify security is to help simplify end user functions. For example, if e-mail needs to be encrypted when it goes to external business partners, the solution that would be simplest for end users is to take the end users out of the equation and use technology to perform automated encryption of the e-mail. A mail gateway can be configured to automatically encrypt all outgoing mail.


Security Awareness

This topic describes how training and other awareness techniques can help you increase the effectiveness of a security policy.


The three pillars of a successful security awareness program are:

Awareness

Education

Training

An effective security awareness and training program requires:

Proper planning

Proper implementation

Maintenance

Periodic evaluation

Security Awareness

Technical, administrative, and physical controls can all be defeated without the participation of the end user community. In order to get accountants and secretaries to think about information security, you must regularly remind staff members about security. The technical staff also needs regular reminders, because their jobs tend to emphasize performance rather than secure performance. Therefore, leadership must develop a nonintrusive program that keeps everyone aware of security and of how to work together to maintain the security of their data. The three key components that are used to implement this type of program are awareness, training, and education.

An effective computer security awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation. In general, a computer security awareness and training program should encompass the following seven steps:

Identify program scope, goals, and objectives: The scope of the program should provide training to all types of people who interact with IT systems. Because users need training that relates directly to their use of particular systems, you need to supplement a large organization-wide program with more system-specific programs.

Identify training staff: It is important that trainers have sufficient knowledge of computer security issues, principles, and techniques. It is also vital that they know how to communicate information and ideas effectively.

Identify target audiences: Not everyone needs the same degree or type of computer security information to do their jobs. A computer security awareness and training program that distinguishes between groups of people, presents only the information that is needed by the particular audience, and omits irrelevant information will have the best results.

Motivate management and employees: To successfully implement an awareness and training program, it is important to gain the support of management and employees. Consider using motivational techniques to show management and employees how their participation in a computer security and awareness program will benefit the organization.

Administer the program: Several important considerations for administering the program include visibility, selection of appropriate training methods, topics, materials, and presentation techniques.

Maintain the program: You should make an effort to keep abreast of changes in computer technology and security requirements. A training program that meets the needs of an organization today may become ineffective when the organization starts to use a new application or changes its environment, such as by connecting to the Internet.

Evaluate the program: An evaluation should attempt to ascertain how much information is retained, to what extent computer security procedures are being followed, and the general attitudes toward computer security.


Awareness

Often an overlooked part of the security practitioner's job.

Can be overdone; moderation is a good thing with awareness.

Examples of things that increase awareness:

Lectures, videos, and computer-based training

Posters, newsletter articles, and bulletins

Awards for good security practices

Reminders such as login banners, mouse pads, coffee cups, and notepads

A successful IT security program consists of: 1) developing an IT security policy that reflects business needs tempered by known risks; 2) informing users of their IT security responsibilities, as documented in agency security policy and procedures; and 3) establishing processes for monitoring and reviewing the program.

You should focus security awareness and training on the entire user population of the organization. Management should set the example for proper IT security behavior within an organization. An awareness program should begin with an effort that you can deploy and implement in various ways and that is aimed at all levels of the organization, including senior and executive managers. The effectiveness of this effort usually determines the effectiveness of the awareness and training program and how successful the IT security program will be.

An awareness and training program is crucial because it is the vehicle for disseminating information that users, including managers, need in order to do their jobs. An IT security program is the vehicle that you use to communicate security requirements across the enterprise. An effective IT security awareness and training program explains proper rules of behavior for the use of the IT systems and information of a company. The program communicates IT security policies and procedures that must be followed. This program must precede and lay the foundation for any sanctions that your company will impose due to noncompliance. You should first inform the users of the expectations. You must derive accountability from a fully informed, well-trained, and aware workforce.

Security awareness efforts are designed to change behavior or reinforce good security practices. Awareness is defined in NIST Special Publication 800-16 as follows: Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities, the learner is the recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate job performance.

An example of a topic for an awareness session (or awareness material to be distributed) is virus protection. You can briefly address the subject by describing what a virus is, what can happen if a virus infects a user system, what the user should do to protect the system, and what the user should do if they discover a virus.


Education and Training

Security training for end users

Awareness training for groups with sensitive positions

Technical security training for the IT staff

Advanced INFOSEC training for the security practitioners

Specialized training for senior management

Training strives to produce relevant and needed security skills and competencies in practitioners of functional specialties other than IT security, for example, management, systems design and development, acquisition, and auditing. The most significant difference between training and awareness is that training tries to teach skills that allow a person to perform a specific function, while awareness focuses the attention of an individual on an issue or set of issues. The skills that users acquire during training build upon the awareness foundation, in particular upon the security basics and literacy material. A training curriculum does not necessarily lead to a formal degree from an institution of higher learning; however, a training course may contain much of the same material found in a course that a college or university includes in a certificate or degree program.

An example of training is an IT security course for system administrators, which should address in detail the management controls, operational controls, and technical controls that should be implemented. Management controls include policy, IT security program management, risk management, and life-cycle security. Operational controls include personnel and user issues, contingency planning, incident handling, awareness and training, computer support and operations, and physical and environmental security issues. Technical controls include identification and authentication, logical access controls, audit trails, and cryptography.

Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multidisciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and proactive response.

An example of education is a degree program at a college or university. Some people take a course or several courses to develop or enhance their skills in a particular discipline. This is training as opposed to education. Many colleges and universities offer certificate programs, wherein a student may take two, six, or eight classes, for example, in a related discipline, and be awarded a certificate upon completion. Often, these certificate programs are conducted as a joint effort between schools and software or hardware vendors. These programs are more characteristic of training than education. Those responsible for security training must assess both types of programs and decide which one better addresses their identified needs.


Results of Security Awareness

Measurably reduces unauthorized actions by insiders

Increases the effectiveness of existing controls

Helps fight waste, fraud, and abuse of information systems resources

A successfully implemented training and awareness program, in conjunction with a good security operations practice, should result in many benefits to an organization. The technical staff should be better at implementing the technical controls. End users, executives, and everyone else should also do a better job of implementing the remaining administrative and physical controls. The resulting more thorough implementation of a well-designed set of controls is guaranteed to increase security.


Summary

Complexity can be identified as one of the biggest enemies of security.

An effective computer security awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation.