

revocation lists, and have a contract with the user that forces the user to assume responsibility for stolen token cards.
- Insider attack on the system - Strictly limit inside access to the application, and provide strict auditing of all accesses from the inside.
- Data input error - Enhance the security of database applications, and provide a redundant checking system to reduce data entry errors.
- Data center destruction - Ensure that backups are kept off campus and that additional equipment is on hand. Enhance defenses against flooding by raising equipment off the ground and taking other precautions.

Using the risk avoidance approach, a company would decide not to offer e-banking services at all because they are deemed too risky. Such an attitude might be valid for some military organizations, but it is usually not an option in the commercial world. Organizations that can manage their risks are traditionally the most profitable.

After an organization identifies threats, it performs the appropriate analysis. If it decides to manage the risk, the next step is to create a security solution.

9.2 Cisco Self-Defending Network
9.2.1 Introducing the Cisco Self-Defending Network
270 CCNA Security Course Booklet, Version 1.0

In the past, threats from internal and external sources moved slowly, and it was easy to defend against them. Now, Internet worms spread across the world in a matter of minutes. Security systems, and the network itself, must react instantaneously. As the nature of threats to organizations continues to evolve, the defensive posture taken by network security professionals and managers must also evolve. However, it is important that the evolution of network security solutions does not introduce complexity.

Complexity is one of the biggest enemies of security. Complexity makes it hard for the designer or administrator to predict how parts of the system will interact, and makes the system hard or impossible to analyze from a security perspective. Simplicity of design and implementation should therefore be one of the main goals of the designer. To meet complex security needs, consider using multiple, simple, and easy-to-verify mechanisms.

Simplicity is also beneficial for the end users of the system. If the end user does not understand the system adequately, the system can be compromised through unintentional misuse. One way to introduce simplicity is to disable all unnecessary services that a system offers. Disabling unnecessary services removes many potential attack possibilities, because every listening service is code that an attacker can reach. On an end-user device, this practice is one part of enforcing least privilege.

The concept of least privilege specifies that each subject (user, program, or host) should have only the minimum privileges necessary to perform its tasks. Having too many privileges allows end users to do more damage, whether intentional or unintentional, than would otherwise be possible. Least privilege also simplifies system analysis for possible flaws, because there are fewer paths to examine.

In addition to disabling unnecessary services on host devices, simplicity also entails disabling unnecessary services and features on networking devices. This is known as hardening.

Another way to simplify security is to simplify end-user functions. For example, if email must be encrypted when sent to external partners, the simplest solution is to use technology, such as a mail gateway, to automate email encryption rather than rely on each user to do it correctly.

Finally, simplicity should be built into the security design. There are many security solution vendors. To help simplify the design, it is recommended that all security mechanisms come from a single vendor. Note that this trades integration complexity for dependence on one vendor: a flaw or compromise in that vendor's products can then affect every layer of the design, so the choice should be a deliberate one. The Cisco Self-Defending Network (SDN) is a comprehensive, end-to-end solution for network security.

A Cisco Self-Defending Network uses the network to identify, prevent, and adapt to threats. Unlike point-solution strategies, where products are purchased individually without consideration for which products work best together, a network-based approach is strategic: it meets the current challenges and evolves the security capability to address new threats.
To enable its strategy, a Cisco Self-Defending Network has three key principles:

- Integrate - Security should be incorporated into the existing infrastructure. Security is built in, not bolted on.
- Collaborate - Security services should work in partnership with existing network services to leverage the strengths of each area.
- Adapt - The network should have the ability to intelligently evolve and adjust based on changing needs and emerging threats.

The Cisco Self-Defending Network strategy starts with a strong, secure, and flexible network platform. Security services are then layered on top of this platform as needed. Several security services are available through the Cisco Self-Defending Network:

- Threat control and containment - Includes devices and services that limit the exposure to threats as well as the extent of damage to the network if threats are realized.
- Secure communications - Includes devices and services that ensure the confidentiality and privacy of all sensitive communications, whether data, voice, or wireless.
- Operational control and policy management - Includes a suite of tools that comprise a framework for scalable policy administration and enforcement spanning security end-to-end.

Individual point solutions from a variety of vendors increase costs over time because of unplanned network design adjustments, inconsistencies, and complexities. The Cisco Self-Defending Network increases the value of an investment over time by using a common infrastructure. Management is performed more efficiently when it is simplified, enabling the identification and resolution of gaps before they become disabling vulnerabilities in the network design.

The Cisco Self-Defending Network approach is comprehensive and includes the following tools to provide security services:

- Cisco Security Manager provides policy-based management.
- Cisco Security Monitoring, Analysis, and Response System (MARS) provides threat
- Cisco IOS software, Cisco Adaptive Security Appliances, and Cisco Intrusion Prevention System (IPS) Sensor Software provide network security.
- Cisco NAC appliances and Cisco Security Agent provide endpoint security.

There are a number of additional benefits that result from this comprehensive, integrated approach:

- 360 degree visibility and protection - Delivers comprehensive and proactive network defense. Infrastructure-wide threat intelligence is delivered cost-effectively across a variety of systems and devices. Multivector threat identification captures policy violations, vulnerability exploits, and anomalous behavior.
- Simplified control - Streamlines network-wide policy management and infrastructure-wide implementation across a variety of systems and devices.
- Business resiliency - Ensures the operations of the enterprise. Collaboration and correlation across systems, endpoints, and management enables adaptive response to real-time threats. This is a vital element of the Cisco Self-Defending Network strategy.

This enhanced threat control and containment solution portfolio delivers comprehensive threat protection across the entire infrastructure, ensuring business continuity.

9.2.2 Solutions for the Cisco SDN
Threat Control and Containment
The Cisco Threat Control and Containment solution protects the network, servers, endpoints, and information. It is enabled by behavior-based endpoint protection, DDoS mitigation, intrusion prevention, network anti-virus, policy enforcement, and proactive response. It regulates network access, isolates infected systems, prevents intrusions, and protects critical business assets. Cisco Threat Control and Containment counteracts malicious traffic such as worms, viruses, and other malware before it affects the business, through the use of centralized policy, configuration, and threat event management.

The Cisco Threat Control and Containment solution contains three elements:

- Threat control for endpoints - This element defends against threats most commonly introduced by Internet use, such as viruses, spyware, and other malicious content. Cisco products that provide threat control for endpoints include the Cisco Security Agent for Desktops, Cisco ASA 5500 Series Adaptive Security Appliances (Content Security Edition), Cisco Integrated Services Routers, Cisco IPS, and the Cisco NAC appliance.
- Threat control for infrastructure - This element safeguards the server and application infrastructure against attacks and intrusions. It also defends against internal and external attempts to penetrate or attack servers and information resources through application and operating system vulnerabilities. Products that provide threat control for the infrastructure include the Cisco Security Agent for Servers, Cisco IPS, Cisco firewall solutions including the ASA 5500 Series and the Cisco Catalyst 6500 Series Firewall Services Module, the Cisco Application Control Engine (ACE) Module, Cisco Application Velocity System (AVS), XML security, Cisco Security MARS, and Cisco Security Manager.
- Threat control for email - This element protects business productivity, resource availability, and confidential information by stopping email-initiated threats.

There are a number of benefits to the Cisco Threat Control and Containment solution:

- Proactively protects against threats
- Enforces endpoint compliance for more manageable patching and updating
- Proactively contains infections and outbreaks with distributed mitigation
Secure Communications
Many organizations use the flexibility and cost effectiveness of the Internet to extend their network to branch offices, telecommuters, customers, and partners. When an organization extends its network in this way, ensuring the privacy and integrity of all information sent across the Internet is vital. This requires a manageable and cost-effective communications infrastructure that allows for secure communications. Secure communication is achieved through the use of IPsec and SSL.

There are several benefits to implementing a secure communications infrastructure:

- Improve business productivity and efficiency
- Enable new business applications
- Help comply with information privacy regulations

The Cisco Secure Communications solution is a set of security services. These services are essential to the Cisco Self-Defending Network. The secure communications solution has two major elements. Both use cryptography to ensure confidentiality and integrity:

- Secure communications for remote access - Provides highly secure, customizable access to corporate networks and applications by establishing an encrypted tunnel across the Internet.
- Secure communications for site-to-site connections - Provides an Internet-based WAN infrastructure for connecting branch offices, home offices, or the sites of business partners to all or portions of a network.

Operational Control and Policy Management
Operational control and policy management helps automate, simplify, and integrate a network to reduce operational costs and improve productivity. The Cisco Security Management Suite is a framework of products and technologies that are designed for scalable policy administration and enforcement for the Cisco Self-Defending Network.

There are two components in the Cisco Security Management Suite: Cisco Security Manager and Cisco Security MARS. They work together to centrally manage the network and to achieve critical functions such as availability, responsiveness, resilience, and security in a consistent way. Cisco Security Manager and Cisco Security MARS were designed to complement CiscoWorks products. This integrated solution simplifies and automates the tasks that are associated with security management operations, including configuration, monitoring, analysis, and response.

The Cisco Security Management Suite provides a number of benefits:

- Increases speed and accuracy of policy deployment
- Improves visibility to monitor end-to-end security
- Provides more rapid response to threats
- Enforces corporate policy compliance
- Enhances proper workflow management

Cisco Security Manager is a powerful, easy-to-use solution for centrally provisioning all aspects of device configurations and security policies for the Cisco family of security products. The solution is effective for managing even small networks consisting of fewer than 10 devices, but also scales for efficiently managing large-scale networks composed of thousands of devices. Scalability is achieved through intelligent policy-based management techniques that simplify administration. Cisco Security Manager includes a number of features:

- It supports provisioning for Cisco router platforms running a Cisco IOS Security Software image, as well as Cisco ASA 5500 Series Adaptive Security Appliances, Cisco PIX 500 Series Security Appliances, Cisco IPS 4200 Series Sensors, and the Cisco Catalyst 6500 Series Advanced Inspection and Prevention Security Services Module (AIP-SSM).
- It responds faster to threats by allowing an administrator to define and assign new security policies to thousands of devices in a few simple steps.
- It has a rich graphical user interface (GUI) that provides ease of use.
- Multiple views provide flexible methods to manage devices and policies, including the ability to manage the security network visually on a topology map.
- It contains extensive animated help for the new user, which reduces learning time.
- It allows an administrator to specify, centrally, which policies are shared and automatically inherited by new devices.
- It integrates with Cisco Secure Access Control Server (ACS) for granular role-based access control to devices and management functions.
- It integrates with Cisco Security MARS to correlate events with the associated firewall rules, to make decisions faster and increase network uptime.
- It provides the ability to assign specific tasks to each administrator during the deployment of a policy, with formal change control and tracking. This results in improved team coordination.

Cisco Security MARS provides security monitoring for network security devices and host applications made by Cisco and other providers. Cisco Security MARS offers these benefits:

- Greatly reduces false positives by providing an end-to-end view of the network.
- Defines the most effective mitigation responses by tracking the configuration and topology of the environment.
- Promotes awareness of environmental anomalies with network behavior analysis using
- Provides quick and easy access to audit compliance reports with more than 150 ready-to-use customizable reports.
- Makes precise recommendations for threat removal, including the ability to visualize the attack path and identify the source of the threat with detailed topological graphs that simplify security response at Layer 2 and above.

9.2.3 Cisco Integrated Security Portfolio
A truly secure network requires multiple products and technologies that collaborate across platforms and integrate tightly with the network infrastructure. No single product or technology is able to secure a network.

Cisco offers a broad portfolio of integrated security products. The portfolio is designed to meet the requirements and diverse deployment models of any network and any environment. These integrated security products provide a comprehensive solution:

- Cisco IOS platforms with integrated IPS, VPN, and stateful firewall to support secure IP
- Cisco Adaptive Security Appliances with integrated VPN to ensure perimeter security, access control, and IPS
- Cisco PIX Security Appliances with integrated VPN to ensure perimeter security and access
- Appliance-based network IDS and IPS, and integrated network IDS and IPS for Cisco IOS routers, Cisco PIX Security Appliances, and Cisco ASA
- Cisco Security Agent endpoint protection software to protect servers and desktops from the damaging effects of threats
- Cisco Secure ACS to ensure that users have the proper authority to access corporate resources
- Security modules for Cisco switches and Cisco routers that provide security throughout the data center
- Security management products, including Cisco Security Manager, Cisco Security MARS, Cisco Router and Security Device Manager (SDM), and other GUI-based device managers

Most organizations do not adopt all components of the Cisco Self-Defending Network at one time. This is because it can be difficult to overhaul all the required subsystems at once without disrupting the integrity of the IT services. Additionally, some organizations are hesitant to relinquish security controls to an automated system until they are confident that the system operates dependably. The Cisco Self-Defending Network design accommodates these concerns by providing products that can be deployed independently of one another. Other product solutions can be added over time as confidence builds in the overall network security design.

9.3 Operations Security
9.3.1 Introducing Operations Security
While the Cisco Self-Defending Network does increase the level of security, it cannot guarantee a completely invulnerable network. New types of attacks and advances in attack techniques are still threats to even the most secure systems. Additionally, all networks are vulnerable to attack if the planning, implementation, operation, and maintenance of the network do not adhere to operational security practices. Operations security is concerned with the day-to-day practices necessary to first deploy and later maintain a secure system.

Operations security starts with the planning and implementation process of a network. During these phases, the operations team proactively analyzes designs, identifies risks and vulnerabilities, and makes the necessary adaptations. After a network is set up, the actual operational tasks begin, including the continual day-to-day maintenance of the environment. These activities are regular in nature and enable the environment, systems, and applications to continue to run correctly and securely.

The responsibilities of the operations team pertain to everything that takes place to keep the network, computer systems, applications, and the environment up and running in a secure and protected manner. These individuals are concerned with the controls or security solutions used to protect hardware, software, and media on a day-to-day basis. This includes protection from threats in the operating environment, from internal and external intruders, and from operators who access resources.

The operations team usually has the objectives of preventing recurring problems, reducing hardware failures to an acceptable level, and reducing the impact of hardware failure or disruption. They should investigate any unusual or unexplained occurrences, unscheduled initial program loads, deviations from standards, and other abnormal conditions occurring on the network. While the people within operations are responsible for ensuring that systems are protected and continue to run in a predictable manner, it is important to note that management is responsible for the behavior and correction of personnel. For this reason, it is necessary that management work closely with the operations team to ensure the continued security of the network.

To ensure a secure working environment within the operations department, certain core principles should be integrated into the day-to-day activities:

- Separation of duties - Two-person control and dual operator
- Rotation of duties
- Trusted recovery - Failure preparation and system recovery
- Change and configuration controls

9.3.2 Principles of Operations Security
Separation of Duties
Separation (or segregation) of duties (SoD) is one of the main concepts of internal control and is the most difficult and sometimes the most costly control to achieve. SoD states that no single individual has control over two or more phases of a transaction or operation. Instead, responsibilities are assigned in a way that incorporates checks and balances. This makes deliberate fraud more difficult to perpetrate because it requires the collusion of two or more individuals or parties.

The term SoD is already well known in financial systems. Financial organizations do not combine roles such as receiving checks, approving discounts, depositing cash, reconciling bank statements, and approving time cards. This helps to reduce the potential damage from the actions of one person. Similarly, IT departments should be organized in a way that achieves adequate separation of duties. There are two methods to accomplish this.

The first method is known as the two-person control principle. It states that a task requires two individuals, and each is responsible for reviewing and approving the work of the other. In addition to providing accountability and reducing opportunities for fraud, this principle has the added benefit of reducing errors within configurations. Because of the overhead costs involved, this practice is usually limited to sensitive duties that are considered potential security risks.

Another method of implementing SoD is the dual operator principle, in which a task is broken down and each part of the task is assigned to a different individual. The task is not complete until both individuals complete their part. An example of the dual operator principle is a check that requires two signatures for the bank to accept it.

Rotation of Duties
Rotation of duties, or job rotation, is a security measure in which individuals are given a specific assignment for a certain amount of time before moving to a new assignment. To successfully implement this principle, it is important that individuals have the training necessary to complete more than one job.

Peer review is built into the practice of rotation of duties. For example, suppose that a job rotation scheme has five people rotating through five different roles during the course of a week. Peer review of work occurs whether or not it was intended. When five people do one job in the course of the week, each person is effectively reviewing the work of the others.

In addition to providing security, rotation of duties also prevents boredom and gives individuals a greater breadth of exposure to the entire network operation. This creates a strong and flexible operations department because everyone is capable of doing multiple jobs. It also makes it harder for one person to conceal misuse for long, because someone else will soon take over the role.
Trusted Recovery
One of the easiest ways to compromise a system is to make the system restart and gain control of it before all of its defenses are reloaded. For this reason, trusted recovery is an important principle of operations security. This principle states that systems fail at some point, so a process for recovery must be established. The most common way to prepare for failure is to back up data on a regular basis.

Backing up data is standard practice in most IT departments. Keep in mind that many backup software programs use an account that bypasses file security. Therefore, individuals with the right to back up data can have access to files that they would not ordinarily be able to access. The same is true of individuals who have the right to restore data.

Security professionals propose that a secure backup program contain some of the following practices:

- A junior staff member is responsible for loading blank media.
- Backup software uses a dedicated account, whose credentials are not known to individual staff members, to bypass file security.
- A different staff member removes the backup media and securely stores it onsite while being assisted by another member of the staff.
- A separate copy of the backup is stored off site and handled by a third staff member who is accompanied by another staff member.

One of the easiest ways for an attacker to obtain a password file (or any other data) is to get a copy of the backup tape, because backup media is not always handled or stored very securely. Encrypting backups, with the key stored apart from the media, limits what a stolen tape yields.

Being prepared for system failure is also an important part of operations security:

- Back up critical data on a regular basis
- Evaluate who has access to the files to back them up and what kind of access they have
- Secure the backup media

System recovery follows system failure. There are several examples of programs and applications that incorporate system recovery features:

- Operating systems and applications that have a single-user or safe mode.
- The ability to recover files that were open at the time of the problem. The autosave process in many desktop applications is an example of this ability. Memory dumps that many operating systems perform upon system failure are another example.
- The ability to retain the security settings of a file after a system crash. This is critical so that security is not bypassed by forcing a crash.
- The ability to recover and retain security settings for critical system files such as the registry, configuration files, and password files.
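The following is an added example, not code from the course booklet or from Cisco. It ties together two points made above about trusted recovery: a backup copy that falls into the wrong hands must not be silently trusted on restore, and recovery must retain each file's security settings (here, POSIX mode bits) so that forcing a crash and a restore does not loosen permissions on something like a password file. The manifest is signed with an HMAC whose key is assumed to live apart from the backup media; MANIFEST_KEY, the file names and the sample contents are all constructed for the example.

```python
"""Added example (not from the course booklet): a signed backup manifest.

build_manifest() records the path, SHA-256 and mode bits of every file in a
tree and signs the record with an HMAC. check_restore() refuses a manifest
whose HMAC fails and reports any restored file whose content or permissions
differ from what was backed up. MANIFEST_KEY is a placeholder for a key that
is assumed to be held off the backup media (vault, HSM, separate custodian).
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path

MANIFEST_KEY = b"placeholder-key-kept-off-the-backup-media"  # assumption


def build_manifest(root: Path, key: bytes) -> dict:
    """Record path, SHA-256 and mode bits for every file under root, then
    sign the record so a tampered manifest is detectable."""
    entries = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode = stat.S_IMODE(path.stat().st_mode)
        entries.append({"path": str(path.relative_to(root)),
                        "sha256": digest, "mode": mode})
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """Constant-time check of the manifest signature."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def check_restore(root: Path, manifest: dict, key: bytes) -> list:
    """Return a list of problems found in a restored tree. An empty list means
    content and permissions match what was backed up."""
    if not verify_manifest(manifest, key):
        return ["manifest HMAC invalid: do not trust this backup"]
    problems = []
    for entry in manifest["entries"]:
        path = root / entry["path"]
        if not path.is_file():
            problems.append(f"missing: {entry['path']}")
            continue
        if hashlib.sha256(path.read_bytes()).hexdigest() != entry["sha256"]:
            problems.append(f"content changed: {entry['path']}")
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode != entry["mode"]:
            problems.append(f"mode {oct(mode)} != backed-up {oct(entry['mode'])}: {entry['path']}")
    return problems


def demo() -> dict:
    """Constructed scenario: back up a tiny tree, then simulate two bad restores."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        shadow = root / "etc" / "shadow"
        shadow.parent.mkdir()
        shadow.write_text("root:$6$constructed-sample-hash:19000:0:99999:7:::\n")
        os.chmod(shadow, 0o600)
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        manifest = build_manifest(root, MANIFEST_KEY)
        clean = check_restore(root, manifest, MANIFEST_KEY)

        # Restore that loosened permissions on the password file.
        os.chmod(shadow, 0o644)
        loosened = check_restore(root, manifest, MANIFEST_KEY)

        # Manifest edited after the fact to make the loosened mode look right.
        forged = json.loads(json.dumps(manifest))
        forged["entries"][1]["mode"] = 0o644  # entries are path-sorted: hosts, shadow
        tampered = check_restore(root, forged, MANIFEST_KEY)

        return {"clean": clean, "loosened": loosened, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or "OK")
```

The design point is that the manifest, not the media, is the trust anchor: the media can be copied or altered by whoever handles the tape, but without the separately held key nobody can produce a manifest that check_restore() will accept.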
Configuration and Change Control
Configuration and change control is a process that should be implemented to ensure that standardized methods and procedures are used to efficiently handle all changes. A change is defined as an event that results in a new status of one or more configuration items. A change should be approved by management, be cost effective, and be an enhancement to business processes with a minimum of risk to the IT infrastructure and security.

Configuration and change controls should address three major components: the processes in place to minimize system and network disruption, backups and the reversal of changes that go badly, and guidance on the economic utilization of resources and time.

A few suggestions are recommended to accomplish configuration changes in an effective and safe manner:

- Ensure that the change is implemented in an orderly manner with formalized testing
- Ensure that the end users are aware of the coming change when necessary
- Analyze the effects of the change after it is implemented

Although the change control process differs from organization to organization, certain patterns emerge in change management. There are five steps in a typical change control process:
Step 1. Apply to introduce the change.
Step 2. Catalog the proposed change.
Step 3. Schedule the change.
Step 4. Implement the change.
Step 5. Report the change to the relevant parties.
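As an added example (not code from the course booklet), the five change-control steps above and the separation-of-duties rules from earlier in this section can be enforced together in a small ticket record. The steps are a state machine that must be walked in order, the two-person control rule forbids a requester from approving their own change, and the dual operator rule forbids the approver from also implementing it. The ticket numbers, user names and the firewall change used as input are constructed for the example.

```python
"""Added example (not from the course booklet): a change-control record that
enforces separation of duties in code.

The five steps (apply, catalog, schedule, implement, report) are a state
machine, and two SoD rules are checked on every transition:
  * two-person control: whoever catalogs (approves) the change is not the
    requester, and
  * dual operator: whoever implements the change is not the approver, so no
    single individual controls two phases.
Ticket numbers, user names and role names are assumptions made for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

STEPS = ["applied", "cataloged", "scheduled", "implemented", "reported"]


class SoDViolation(Exception):
    """Raised when one individual would control two phases of a change."""


@dataclass
class ChangeRequest:
    ticket: str
    description: str
    requester: str
    state: str = "applied"
    approver: Optional[str] = None
    implementer: Optional[str] = None
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def _advance(self, actor: str, to_state: str, note: str = "") -> None:
        # Steps must happen in order: nothing is implemented that was never cataloged.
        expected = STEPS[STEPS.index(to_state) - 1]
        if self.state != expected:
            raise ValueError(f"{self.ticket}: cannot move to {to_state} from {self.state}")
        self.state = to_state
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor,
                           f"{to_state} {note}".strip()))

    def catalog(self, approver: str) -> None:
        # Two-person control: the reviewer is someone other than the requester.
        if approver == self.requester:
            raise SoDViolation(f"{approver} cannot approve their own change {self.ticket}")
        self.approver = approver
        self._advance(approver, "cataloged")

    def schedule(self, scheduler: str, window: str) -> None:
        self._advance(scheduler, "scheduled", f"for {window}")

    def implement(self, implementer: str) -> None:
        # Dual operator: approving and implementing are separate parts of the task.
        if implementer == self.approver:
            raise SoDViolation(f"{implementer} approved {self.ticket} and cannot also implement it")
        self.implementer = implementer
        self._advance(implementer, "implemented")

    def report(self, reporter: str) -> None:
        self._advance(reporter, "reported")


def run_change(requester: str, approver: str, implementer: str) -> ChangeRequest:
    """Drive one constructed change (a firewall rule) through all five steps."""
    cr = ChangeRequest("CHG-0001", "permit TCP/443 from DMZ to app tier", requester)
    cr.catalog(approver)
    cr.schedule("ops-scheduler", "Sat 02:00-04:00")
    cr.implement(implementer)
    cr.report(implementer)
    return cr


def attempt(requester: str, approver: str, implementer: str) -> str:
    """Return 'ok' when the change completes, otherwise the rule that stopped it."""
    try:
        return "ok" if run_change(requester, approver, implementer).state == "reported" else "incomplete"
    except (SoDViolation, ValueError) as exc:
        return str(exc)


def skip_approval(requester: str, implementer: str) -> str:
    """Try to implement straight from 'applied'; the ordering check refuses."""
    cr = ChangeRequest("CHG-0002", "disable logging on edge router", requester)
    try:
        cr.implement(implementer)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(attempt("alice", "bob", "carol"))    # ok
    print(attempt("alice", "alice", "carol"))  # two-person control refused
    print(attempt("alice", "bob", "bob"))      # dual operator refused
    print(skip_approval("alice", "carol"))     # ordering refused
```

The audit list is the record a reviewer reads afterwards: every transition names the actor, so the two rules can be verified from the trail as well as enforced at the time.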

Operations security minimizes harm to the network by providing organized processes for security personnel. Fortunately, the effectiveness of an operations security solution can be tested without waiting for a real threat to take place. Network security testing makes this possible.

9.4 Network Security Testing
9.4.1 Introducing Network Security Testing
Network security testing is testing that is performed on a network to ensure that all security implementations are operating as expected. Typically, network security testing is conducted during the implementation and operational stages, after the system has been developed, installed, and integrated.

Security testing provides insight into various administrative tasks such as risk analysis and contingency planning. It is important to document the results of security testing and make them available to staff involved in other IT areas.

During the implementation stage, security testing is conducted on specific parts of the security system. After a network is fully integrated and operational, a Security Test and Evaluation (ST&E) is performed. ST&E is an examination or analysis of the protective measures that are placed on an operational network.

Tests should be repeated periodically and whenever a change is made to the system. For security systems that protect critical information or protect hosts that are exposed to constant threat, security testing should be conducted more frequently.

After a network is operational, it is important to ascertain its security status. Many tests can be conducted to assess the operational status of the system:

- Network scanning
- Vulnerability scanning
- Password cracking
- Log review
- Integrity checkers
- Virus detection
- War dialing
- War driving (802.11 or wireless LAN testing)
- Penetration testing

Some testing techniques are predominantly manual and other tests are highly automated. Regardless of the type of testing, the staff that sets up and conducts the security testing should have significant security and networking knowledge, including expertise in the following areas: network security, firewalls, intrusion prevention systems (IPSs), operating systems, programming, and networking protocols such as TCP/IP.

Network security testing results can be used in several ways:

- As a reference point for corrective action
- To define mitigation activities to address identified vulnerabilities
- As a benchmark to trace the progress of an organization in meeting security requirements
- To assess the implementation status of system security requirements
- To conduct cost and benefit analysis for improvements to system security
- To enhance other activities such as risk assessments, Certification and Accreditation (C&A), and performance improvement efforts

9.4.2 Network Security Testing Tools
There are many tools available to test the security of systems and networks. Some of these tools
are open source while others are commercial tools that require licensing.
Two of the most common security testing tools are Nmap and SuperScan.
Chapter 9: Managing a Secure Network 279

Nmap is the best-known low-level scanner available to the public. It is simple to use and has an
array of excellent features which can be used for network mapping and reconnaissance. The basic
functionality of Nmap allows the user to accomplish several tasks:

Classic TCP and UDP port scanning - looking for different services on one host.

Classic TCP and UDP port sweeping - looking for the same service on multiple hosts.

Stealth TCP and UDP port scans and sweeps - similar to classic scans and sweeps but harder

to detect by the target host or IPS.
Remote operating system identification, known as OS fingerprinting.

Advanced features of Nmap include protocol scanning, known as Layer 3 port scanning. This fea-
ture identifies Layer 3 protocol support on a host. Examples of protocols that can be identified in-
clude GRE and OSPF.
While Nmap can be used for security testing, it can also be used for malicious purposes. Nmap has
an additional feature that allows it to use decoy hosts, on the same LAN as the target host, to mask
the source of the scan.
Nmap has no Application Layer features and runs on UNIX, Linux, Windows and OS X.
Both console and graphical versions are available. The Nmap program and Zenmap GUI can be
downloaded from the internet.
SuperScan is a Microsoft Windows port scanning tool. It runs on most versions of Windows and
requires administrator privileges. Windows XP SP2 has removed support for raw sockets which
limits the ability of SuperScan and other scanning tools.
A raw socket is a socket that allows a user to directly access and manipulate the header of a data
While SP2 has increased the security aspect of this tool, some functionality can be restored by en-
tering the net stop SharedAccess command at the Windows command prompt.
SuperScan version 4 has a number of very useful features:

Adjustable scanning speed

Support for unlimited IP ranges

Improved host detection using multiple ICMP methods

TCP SYN scanning

UDP scanning (two methods)

Simple HTML report generation

Source port scanning

Fast hostname resolving

Extensive banner grabbing

Massive built-in port list description database

IP and port scan order randomization

A selection of useful tools (ping, traceroute, and whois)

Extensive Windows host enumeration capability

Tools such as Nmap and SuperScan can provide effective penetration testing on a network and determine network vulnerabilities while helping to anticipate possible attack mechanisms. However, network testing cannot prepare a network administrator for every security problem.
The good news is that networks can recover from most security issues by adapting the security solution. The bad news is that, prior to adapting the security solution, it is possible for an attack to cause disruption and even catastrophic damage. Catastrophic damage is serious disruption to network services or complete destruction of data or network systems. Catastrophic damage can also be caused by a cataclysmic event. A business must have a plan in place to recover and remain in business in the event of serious disruption or network destruction.

9.5 Business Continuity Planning and Disaster
9.5.1 Continuity Planning
Business continuity planning addresses the continuing operations of an organization in the event of a disaster or prolonged service interruption that affects the mission of the organization. These plans address an emergency response phase, a recovery phase, and a return to normal operation phase. These phases should include a short to medium-term framework to continue the organizational operations. Each phase also identifies the responsibilities of personnel and the available resources during an incident.
In reality, contingency and disaster recovery plans do not address every possible scenario or assumption. Rather, they focus on the events most likely to occur and identify an acceptable method of recovery. Periodically, the plans and procedures should be practiced to ensure that they are effective and well understood.
For example, business continuity planning may address the following concerns:

Moving or relocating critical business components and people to a remote location while the original location is being repaired

Utilizing different channels of communication to deal with customers, shareholders, and partners until operations return to normal

Disaster recovery is the process of regaining access to the data, hardware, and software necessary to resume critical business operations after a natural or human-induced disaster. It also includes plans for coping with the unexpected or sudden loss of key personnel. A disaster recovery plan is part of business continuity planning.
After the events of September 11, 2001, when many companies lost irreplaceable data, the effort put into protecting data has changed. It is believed that some companies spend up to 25 percent of their IT budget on disaster recovery planning to avoid larger losses. Research indicates that of the companies that have had a major loss of computerized records, 43 percent never reopen, 51 percent close within two years, and only 6 percent remain in business.

9.5.2 Disruptions and Backups
When planning for disaster recovery and business continuity, the first step is identifying the possible types of disasters and disruptions. Not all disruptions to business operations are equal. A good disaster recovery plan takes into account the magnitude of the disruption, recognizing that there are differences between catastrophes, disasters, and minor incidents.
The only way to deal with destruction is redundancy. When a component is destroyed, it must be
replaced with a redundant component. This component can be a standby component that is owned
by the organization for disaster recovery purposes or a new device that is provided by the service
provider that the organization has contracted services with. If the service provider is responsible
for providing redundant components, this information must be contained within the service level
agreement (SLA). The SLA should also cover redundancy when service is disrupted or provide for
some type of compensation.
On a much larger scale, an organization might require a redundant facility if some catastrophic event results in facility destruction. Redundant facilities are referred to as hot, warm, and cold. Each type of facility is available for a different price with different resulting downtimes. With hot sites, a completely redundant facility is required with almost identical equipment. The copying of data to this redundant facility is part of normal operations, so in the case of a catastrophe, only the latest data changes must be applied to restore full operations. Organizations that need to respond in seconds often employ global load balancing (GLB) and distributed SANs to respond quickly. With this type of redundancy in place, an organization can quickly recover from disruption or even destruction.
Warm sites are physically redundant facilities, but software and data are not stored and updated on
the equipment. A disaster recovery team is required to physically go to the redundant facility and
get it operational. Depending on how much software and data is involved, it can take days before
operations are ready to resume.
A cold site is usually an empty datacenter with racks, power, WAN links, and heating, ventilation,
and air conditioning (HVAC) already present, but no equipment. In this instance, an organization
must first acquire routers, switches, firewalls, servers, and other equipment to rebuild everything.
When the backups are uploaded onto the new equipment, operations can continue. This option is
the least expensive in terms of money spent annually, but usually requires weeks to resume opera-
The type of redundancy, whether it is standby equipment, SLA redundancy agreements, or facility redundancy requirements, is dependent on the types of disasters that an organization deems possible and the time sensitivity of critical data. The more redundancy options an organization puts in place, the higher the cost. However, not having backup plans and recovery options could result in lost revenue and lost customer trust.
It is important to keep in mind that the disaster recovery plan and business continuity plan include
not only the redundancy options but also all the steps and personnel required to implement the
backup plan.

9.6 System Development Life Cycle
9.6.1 Introducing the SDLC
Business continuity and disaster recovery plans are ever-changing documents. They must be adjusted to changes in environment, equipment, and business needs. These changes not only affect continuity plans, but all aspects of network operations. Documentation should be maintained and updated regularly, and security needs should be continuously evaluated.
Evaluating system changes and adjusting plans are all part of a system life cycle. Keep in mind that the term "system" can refer to a single device or a group of devices that operate together within a network.
A general system development life cycle (SDLC) includes five phases:
Step 1. Initiation
Step 2. Acquisition and development
Step 3. Implementation
Step 4. Operation and maintenance
Step 5. Disposition

When using the SDLC to design a network, each phase should include a minimum set of security requirements. This results in less expensive and more effective security as compared to adding security to an operational system after the fact. This purposeful inclusion of security in every phase of the life cycle is part of the secure network life cycle management process.

9.6.2 Phases of the SDLC
These are the security tasks related to the initiation phase of the SDLC:

Security categorization - Define three levels of potential impact on organizations or individuals if there is a breach of security: low, moderate, and high. Security categorization standards help organizations make the appropriate selection of security controls for their information systems.

Preliminary risk assessment - Initial description of the basic security needs of the system that defines the threat environment in which the system operates.

Acquisition and Development
These are the security tasks related to the acquisition and development phase of the SDLC:

Risk assessment - Identify the protection requirements for the system through a formal risk assessment process. This analysis builds on the risk assessment that was performed during the initiation phase, but is more in-depth and specific.

Security functional requirements - Analyze the operating necessities addressing the system security environment, the enterprise information security policy, and enterprise security

Security assurance requirements - Address the developmental activities that are required and the assurance evidence that is needed to produce the desired level of confidence that the information security is working correctly and effectively. The analysis, which is based on legal and functional security requirements, serves as the basis for determining how much and what kinds of assurance are required.

Security cost considerations and reporting - Determine how much of the development cost to attribute toward information security over the life cycle of the system. These costs include hardware, software, personnel, and training.

Security planning - Complete documentation of the agreed-upon security controls. The security plan also fully describes the information system and includes attachments or references to key documents that support the information security program of the organization. Examples of such documents include a configuration management plan, contingency plan, incident response plan, security awareness and training plan, rules of behavior, risk assessment, security test and evaluation results, system interconnection agreements, security authorizations and accreditations, and a plan of action and milestones.

Security control development - Ensure that the security controls that are described by the various security plans are designed, developed, and implemented. The security plans for information systems that are currently in operation might call for the development of additional security controls to supplement the controls that are already in place or the modification of selected controls that are deemed less than effective.

Developmental security test and evaluation - Ensure that security controls that are developed for a new information system are working properly and are effective. Some types of security controls, primarily those of a non-technical nature, cannot be tested and evaluated until the information system is deployed. These controls are typically management and operational

Other planning components - Consider all the necessary components of the development process when incorporating security into the network life cycle. These components include the appropriate contract, the participation of all necessary functional groups within an organization, the participation of the certifier and accreditor, and the development and execution of the contracting plans and processes.
These are the security tasks related to the implementation phase of the SDLC:

Inspection and acceptance - Validate and verify that the functionality that the specification describes is included in the deliverables.

System integration - Ensure that the system is integrated at the operational site where the information system is deployed. The security control settings and switches must be enabled in accordance with the vendor instructions and the available security implementation guidance.

Security certification - Use established verification techniques and procedures. This step gives organization officials confidence that the appropriate safeguards and countermeasures are in place. Security certification also uncovers and describes the known vulnerabilities in the information system.

Security accreditation - Provide the necessary security authorization to process, store, and transmit the information that is required. This authorization is granted by a senior organization official and is based on the verified effectiveness of security controls to some agreed-upon level of assurance and an identified residual risk to organization assets or operations.

Operations and Maintenance
These are the security tasks related to the operations and maintenance phase of the SDLC:

Configuration management and control - Consider the potential security impacts caused by specific changes to an information system or its surrounding environment. Configuration management and configuration control procedures are critical to establishing an initial baseline of hardware, software, and firmware components and subsequently controlling and maintaining an accurate inventory of any changes to the system.

Continuous monitoring - Ensure that controls continue to be effective through periodic testing and evaluation. Reporting the security status of the information system to the appropriate officials is an essential activity of a comprehensive information security program.

These are the security tasks related to the disposition phase of the SDLC:

Information preservation - Retain information as necessary to conform to legal requirements and to accommodate future technology changes that can render the retrieval method obsolete.

Media sanitization - Ensure that data is deleted, erased, and written over, as necessary.

Hardware and software disposal - Dispose of hardware and software as directed by the information system security officer.

9.7 Developing a Comprehensive Security Policy
9.7.1 Security Policy Overview
The Secure Network Life Cycle is a process of assessment and reevaluation of equipment and security needs as the network changes. One of the important aspects of this ongoing evaluation is understanding which assets an organization must protect, even as those assets are changing.
Determine what the assets of an organization are by asking questions:

What does the organization have that others want?

What processes, data, or information systems are critical to the organization?

What would stop the organization from doing business or fulfilling its mission?

The answers might identify assets such as critical databases, vital applications, important customer
and employee information, classified commercial information, shared drives, email servers, and
web servers.
Network security systems help protect these assets, but a security system alone cannot prevent assets from being vulnerable to threat. Technical, administrative, and physical security systems can all be defeated if the end user community does not adhere to security policies and procedures.
A security policy is a set of security objectives for a company, rules of behavior for users and administrators, and system requirements. These objectives, rules, and requirements collectively ensure the security of a network and the computer systems in an organization. Much like a continuity plan, a security policy is a constantly evolving document based on changes in technology, business, and employee requirements.
A comprehensive security policy has a number of benefits:

Demonstrates an organization's commitment to security.

Sets the rules for expected behavior.

Ensures consistency in system operations, software and hardware acquisition and use, and

Defines the legal consequences of violations.

Gives security staff the backing of management.

Security policies are used to inform users, staff, and managers of an organization's requirements for protecting technology and information assets. A security policy also specifies the mechanisms that are needed to meet security requirements and provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance.
One of the most common security policy components is an acceptable (or appropriate) use policy (AUP). This component defines what users are allowed and not allowed to do on the various system components. This includes the type of traffic that is allowed on the network. The AUP should be as explicit as possible to avoid misunderstanding. For example, an AUP might list specific websites, newsgroups, or bandwidth-intensive applications that are prohibited from being accessed by company computers or from the company network.
The audience for the security policy is anyone who has access to the network. The internal audience includes various personnel, such as managers and executives, departments and business units, technical staff, and employees. The external audience is also a varied group that includes partners, customers, suppliers, consultants, and contractors. It is likely that one document cannot meet the needs of the entire audience of a large organization. The goal is to ensure that the various information security policy documents are consistent with the needs of the intended audience.
The audience determines the content of the policy. For example, it is probably unnecessary to include a description of why something is necessary in a policy that is intended for the technical staff. It can be assumed that the technical staff already knows why a particular requirement is included. Managers are not likely to be interested in the technical aspects of why a particular requirement is needed. Instead, they want a high-level overview or the principles supporting the requirement. Employees often require more information on why particular security rules are necessary. If they understand the reasons for the rules, they are more likely to comply with them.

9.7.2 Structure of a Security Policy
Most corporations use a suite of policy documents to meet their wide and varied needs. These doc-
uments are often broken into a hierarchical structure:

Governing policy - High-level treatment of the security guidelines that are important to the entire company. Managers and technical staff are the intended audience. The governing policy controls all security-related interactions among business units and supporting departments in the company.

Technical policy - Used by security staff members as they carry out security responsibilities for the system. These policies are more detailed than the governing policy and are system-specific or issue-specific. For example, access control and physical security issues are described in a technical policy.

End-user policy - Covers all security topics that are important to end users. End users can include employees, customers, and any other individual user of the network.

Governing Policy
The governing policy outlines the company's overall security goals for managers and technical staff. It covers all security-related interactions among business units and supporting departments in the company.
The governing policy aligns closely with existing company policies and is placed at the same level of importance as these other policies. This includes human resource policies and other policies that mention security-related issues, such as email, computer use, or related IT subjects.
A governing policy includes several components:

Statement of the issue that the policy addresses

How the policy applies in the environment

Roles and responsibilities of those affected by the policy

Actions, activities, and processes that are allowed and those that are not

Consequences of noncompliance

Technical Policy
Technical policies are detailed documents that are used by technical staff in the conduct of their
daily security responsibilities. These policies are system-specific or issue-specific, such as router
security and physical security issues. They are essentially security handbooks that describe what
the technical staff does, but not how they perform the functions.
Technical policies are broken down into specified technical areas, including:

Remote access

Application usage

Network usage

Wireless communication

End User Policy
End-user policies cover all rules pertaining to information security that end users should know
about and follow. End-user policies might overlap with technical policies. These policies are gen-
erally grouped together into a single document for ease of use.
Several different target groups require end-user policies. Each group might have to agree to a dif-
ferent end-user policy. For example, an employee end-user policy would probably be different
from a customer end-user policy.

9.7.3 Standards, Guidelines, and Procedures
The security policy documents are high-level overview documents. The security staff uses detailed documents to implement the security policies. These include the standards, guidelines, and procedures documents.
Standards, guidelines, and procedures contain the actual details defined in the policies. Each document serves a different function, covers different specifications, and targets a different audience. Separating these documents makes it easier to update and maintain them.
Standards Documents
Standards help an IT staff maintain consistency in the operations of the network. Standards documents include the technologies that are required for specific uses, hardware and software versioning requirements, program requirements, and any other organizational criteria that must be
followed. This helps IT staff improve efficiency and simplicity in design, maintenance, and trou-
One of the most important security principles is consistency. For this reason it is necessary for organizations to establish standards. Each organization develops standards to support its unique operating environment. For example, if an organization supports 100 routers, it is important that all 100 routers are configured using the established standards. Device configuration standards are defined in the technical section of an organization's security policy.
Guideline Documents
Guidelines provide a list of suggestions on how to do things better. They are similar to standards, but are more flexible and are not usually mandatory. Guidelines can be used to define how standards are developed and to guarantee adherence to general security policies.
Some of the most helpful guidelines are found in organizational repositories called best practices. In addition to an organization's defined best practices, a number of guidelines are widely available:

National Institute of Standards and Technology (NIST) Computer Security Resource Center

National Security Agency (NSA) Security Configuration Guides

The Common Criteria standard

Procedure Documents
Procedure documents are longer and more detailed than standards and guidelines. Procedure documents include implementation details, usually with step-by-step instructions and graphics. Procedure documents are extremely important for large organizations to have the consistency of deployment that is necessary for a secure environment.

9.7.4 Roles and Responsibilities
All persons in an organization, from the chief executive officer (CEO) to the newest hires, are considered end users of the network and must abide by the organization's security policy. Developing and maintaining the security policy is delegated to specific roles within the IT department.
Executive-level management must always be consulted during security policy creation to ensure that the policy is comprehensive, cohesive, and legally binding. Smaller organizations might have a single executive position that oversees all aspects of operation, including network operations. Larger organizations might break up the executive task into several positions. The business and reporting structure of an organization depends on the organization's size and industry.
Some of the more common executive titles include:

Chief Executive Officer (CEO) - Is ultimately responsible for the success of an organization. All executive positions report to the CEO.

Chief Technology Officer (CTO) - Identifies and evaluates new technologies and drives new technology development to meet organization objectives. Maintains and enhances the current enterprise systems, while providing direction in all technology-related issues in support of

Chief Information Officer (CIO) - Responsible for the information technology and computer systems that support enterprise goals, including successful deployment of new technologies and work processes. Small- to medium-sized organizations typically combine the responsibilities of CTO and CIO into a single position that can use either title. When an organization has both a CTO and CIO, the CIO is generally responsible for processes and practices supporting the flow of information, and the CTO is responsible for technology

Chief Security Officer (CSO) - Develops, implements, and manages the organization's security strategy, programs, and processes associated with all aspects of business operation, including intellectual property. A major aspect of this position is to limit exposure to liability in all areas of financial, physical, and personal risk.

Chief Information Security Officer (CISO) - Similar to the CSO, except that this position has a specific focus on IT security. One of the major responsibilities of the CISO is developing and implementing the security policy. The CISO might choose to be the primary author of the security policy or to delegate some or all of the authoring. In either case, the CISO is responsible and accountable for security policy content.

9.7.5 Security Awareness and Training
Technical, administrative, and physical security is easily breached if the end-user community does not purposefully abide by security policies. To help ensure the enforcement of the security policy, a security awareness program must be put in place. Leadership must develop a program that keeps everyone aware of security issues and educates staff on how to work together to maintain the security of their data.
A security awareness program reflects the business needs of an organization tempered by known risks. It informs users of their IT security responsibilities and explains the rules of behavior for using the IT systems and data within a company. This program must explain all IT security policies and procedures. A security awareness program is crucial to the financial success of any organization. It disseminates the information that all end users need to effectively conduct business in a way that protects the organization from loss of intellectual capital, critical data, and even physical equipment. The security awareness program also details the sanctions that the organization imposes for noncompliance. This portion of the program should be part of all new hire orientation.
A security awareness program usually has two major components:

Awareness campaigns

Training and education

Awareness Campaigns
Awareness campaigns are usually aimed at all levels of the organization, including executive posi-
Security awareness efforts are designed to change behavior or reinforce good security practices.
Awareness is defined in NIST Special Publication 800-16 as: “Awareness is not training. The pur-
pose of awareness presentations is simply to focus attention on security. Awareness presentations
are intended to allow individuals to recognize IT security concerns and respond accordingly. In
awareness activities, the learner is the recipient of information... Awareness relies on reaching
broad audiences with attractive packaging techniques.”
An example of a topic for an awareness session (or awareness material to be distributed) is virus
protection. The subject can be briefly addressed by describing what a virus is, what can happen if
a virus infects a user system, what the user must do to protect the system, and what users do if they
discover a virus.
There are several methods of increasing security awareness:

Lectures, videos

Posters, newsletter articles, and bulletins

Awards for good security practices

Reminders, such as login banners, mouse pads, coffee cups, and notepads

Training and Education
Training strives to impart needed security skills to end users who may or may not be members of the IT staff. The most significant difference between training and awareness is that training teaches skills that allow a person to perform a specific task, while awareness campaigns simply focus an individual's attention on security issues. The skills that users acquire during training build upon the information learned in security awareness campaigns. Following a security awareness campaign with training targeted to specific audiences helps cement the information and skills imparted. A training curriculum does not necessarily lead to a formal degree from an institution of higher learning, but it might contain much of the same material found in a course that a college or university includes in a certificate or degree program.
An example of a training course for non-IT personnel is one that addresses appropriate security practices specific to those applications that the end user must use, such as database applications. An example of training for IT personnel is an IT security course that addresses in detail the management, operational, and technical controls that must be implemented.
An effective security training course requires proper planning, implementation, maintenance, and
periodic evaluation. The life cycle of a security training course includes several steps:
Step 1. Identify course scope, goals, and objectives. The scope of the course provides training to

