Today’s data center environments must be designed to significantly reduce administrative overhead and improve flexibility and operational efficiency. Critical security functions must be able to dynamically scale to protect assets as business demands change.


Cisco has created technologies and products such as the Application Centric Infrastructure (ACI) ecosystem and the Cisco ASAv (virtual ASA) to provide security solutions for today’s data center demands. For example, ACI provides a centralized application-level policy engine for physical, virtual, and cloud infrastructures. The Cisco ASAv provides detailed visibility and control of applications and services within the virtual environment.


Figure 1 illustrates a high-level data center environment with multiple network connections, and it defines the concept of east-west versus north-south traffic.


Figure 1: High-level Data Center Environment and Traffic Definitions




Figure 2 shows a virtualized data center where multiple hypervisors (such as VMware, KVM, Xen) are used to divide one physical server into multiple isolated virtual environments. In this example, physical firewalls are deployed to provide protection and segmentation of the data center from the rest of the corporate network.


Figure 2: Virtualized Data Center Topology




The challenge of using physical firewalls and other security appliances in a virtualized environment is that sometimes the traffic never leaves the physical server (often referred to as bare metal), so a physical appliance on the wire cannot see it. Consequently, a virtual security solution is needed. Figure 3 demonstrates how a security administrator can provide detailed visibility and control of applications and services within the virtual environment by deploying the Cisco ASAv.


Figure 3: Virtual Security Solution







Knowing the type of network topology used in your network is the first step in knowing how best to protect yourself. This is why we are going to list and describe some of the network topologies that exist today. The topologies in use depend on the size and type of each organization. Some organizations will have a presence of each of the following topologies, while others may only utilize a subset of this list. Refer to the list that follows and Figure 1 through Figure 4 for a description and depiction of each of the different topologies that can make up an entire organization’s network.



A campus-area network (CAN), as illustrated in Figure 1, is the network topology used to provide connectivity, data, applications, and services to users of an organization who are physically located at the corporate office (headquarters). The CAN includes a module for each building in the campus, for the data center, for WAN Aggregation, and for the Internet Edge.

Security with the Campus Area Network.


Figure 1: Campus-Area Network Topology





The cloud and WAN provide a logical and physical location for data and applications that an organization prefers to have moved off-site, as illustrated in Figure 2. This alleviates an organization from having to expend resources to operate, maintain, and manage the services that have been previously located within the organization’s purview.


Figure 2: Cloud/WAN Topology





The Data Center network contains the Unified Computing System (UCS) servers, voice gateways, and CUCM servers supporting the VoIP environment, all of which are provided network connectivity by a series of Nexus switches, as illustrated in Figure 3. The entire Data Center network is protected by a set of firewalls at the edge that filters all traffic ingressing and egressing the Data Center.


Figure 3: Data Center Topology





The remote SOHO site provides connectivity to the SOHO users through WAN routers that connect back to the WAN Aggregation module in the CAN via MPLS WANs, as illustrated in Figure 4. Within the SOHO, users are provided network connectivity through access switches.






Figure 4: Branch Office/Home Office Topology






After a company has identified its assets and considered the risks involved to that asset from a threat against a vulnerability, the company can then decide to implement countermeasures to reduce the risk of a successful attack. Common control methods used to implement countermeasures include the following:


§  Administrative: These consist of written policies, procedures, guidelines, and standards. An example would be a written acceptable use policy (AUP), agreed to by each user on the network. Another example is a change control process that needs to be followed when making changes to the network. Administrative controls could involve items such as background checks for users, as well.


§  Physical: Physical controls are exactly what they sound like, physical security for the network servers, equipment, and infrastructure. An example is providing a locked door between users and the wiring closet on any floor (where the switches and other gear exist). Another example of a physical control is a redundant system (for instance, an uninterruptible power supply).


§  Logical: Logical controls include passwords, firewalls, intrusion prevention systems, access lists, VPN tunnels, and so on. Logical controls are often referred to as technical controls.


Not all controls are created equal, and not all controls have the same purpose. Working together, however, the controls should enable you to prevent, detect, correct, and recover, all while acting as a deterrent to a threat.





You can deal with risk in several ways, one of which is to eliminate, or at least minimize, it. For example, by not placing a web server on the Internet, you eliminate any risk of that nonexistent web server being attacked. (This does not work very well for companies that do want the web server.)


An alternative to avoiding the web server altogether is to transfer the risk to someone else. For example, instead of hosting your own server on your own network, you could outsource that functionality to a service provider. The service provider could take full responsibility (the risk) for attacks that might be launched against its server and provide a service level agreement and guarantees to the customer. Keep in mind, however, that some risk must still be assumed by you if the outsourcing entity (for example, the service provider) does not adequately eliminate it.


So, the service provider now has the risk. How does it handle it? It does exactly what we are going to cover in this series of Security topics: It reduces risk by implementing appropriate countermeasures. By applying the correct patches and using the correct firewalls, Internet service providers (ISPs), and other safeguards, it reduces its own risk. If risk is purely financial, insurance can be purchased that helps manage the risk.


Attacks against networks today are primarily motivated by the desire for financial gain. As mentioned in the previous paragraph, the risk assumed by the service provider is not completely eliminated, which results in residual risk that your organization must understand and accept.


Another option is for a company to put up its own web server and just assume the risk. Unfortunately, if it takes no security precautions or countermeasures against potential threats, the risk could be high enough to damage the company and put it out of business. Most people would agree that this is not acceptable risk.






This section examines the holistic approach to improve the security posture of your network before, during, and after your network implementation.



You want some basic principles and guidelines in place in the early stages of designing and implementing a network. Table 1 describes such key guidelines.


Table 1: Guidelines for Secure Network Architecture





Rule of least privilege

This rule states that only the minimal access required to network resources is provided, and not any more than that. An example of this is an access list applied to an interface for filtering that ends with “deny all.” Ahead of this deny-all entry, specific entries could be added allowing only the bare minimum of required protocols, and only then between the correct source and destination addresses.

Defense in depth

This concept suggests that you have security implemented on nearly every point of your network. An example is filtering at a perimeter router, filtering again at a firewall, using IPSs to analyze traffic before it reaches your servers, and using host-based security precautions at the servers, as well.


Additional methods that can be used to implement a defense-in-depth approach include using authentication and authorization mechanisms, web and e-mail security, content security, application inspection monitoring, traffic monitoring, and malware protection.


The concept behind defense in depth is that if a single security technology fails, additional levels, or mechanisms, of security are still in place to protect the data, applications, and devices on the network.

Separation of duties

When you place specific individuals into specific roles, there can be checks and balances in place regarding the implementation of the security policy. Rotating individuals into different roles periodically will also assist in verifying that vulnerabilities are being addressed, because a person who moves into a new role will be required to review the policies in place.


Auditing

This refers to accounting and keeping records about what is occurring on the network. Most of this can be automated through the features of authentication, authorization, and accounting (AAA). When events happen on the network, the records of those events can be sent to an accounting server. When the separation-of-duties approach is used, those who are making changes on the network should not have direct access to modify or delete the accounting records that are kept on the accounting server.
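The rule-of-least-privilege row describes an interface access list that permits only the required protocols between specific addresses and ends in “deny all.” The following is an added Python illustration of that model (example code, not from the original text or from Cisco); the prefixes, hosts and port numbers are constructed for the example. It evaluates sample flows against the list with first-match semantics and an implicit deny, and runs the checks a reviewer would apply to such a list: an explicit deny-all at the end, no any-to-any permit, and no entry shadowed by an earlier broader one.

```python
"""Least-privilege access list evaluator (added example, not Cisco's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                     # source prefix in CIDR notation
    dst: str                     # destination prefix in CIDR notation
    dport: Optional[int] = None  # destination port; None means any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl: List[AclEntry], proto, src, dst, dport=None) -> Tuple[str, Optional[int]]:
    """First-match evaluation: returns (action, index of the matching entry).
    Anything that matches no entry falls through to an implicit deny (index None)."""
    for i, entry in enumerate(acl):
        if entry.matches(proto, src, dst, dport):
            return entry.action, i
    return "deny", None


# Constructed example: the DMZ web tier (192.0.2.0/24) may reach the database host
# on TCP 5432 and may ping the inside server subnet; everything else hits the
# explicit "deny all" at the end.
DMZ_TO_INSIDE_ACL = [
    AclEntry("permit", "tcp", "192.0.2.0/24", "10.10.1.5/32", 5432),
    AclEntry("permit", "icmp", "192.0.2.0/24", "10.10.1.0/24"),
    AclEntry("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]


def covers(a: AclEntry, b: AclEntry) -> bool:
    """True if every flow that matches b also matches a (so b can never be hit)."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    src_ok = ip_network(b.src).subnet_of(ip_network(a.src))
    dst_ok = ip_network(b.dst).subnet_of(ip_network(a.dst))
    port_ok = a.dport is None or a.dport == b.dport
    return proto_ok and src_ok and dst_ok and port_ok


def audit(acl: List[AclEntry]) -> List[str]:
    """Least-privilege checks on an ACL:
    - it must end with an explicit deny-all entry,
    - no permit may be any-to-any for any protocol,
    - no entry may be shadowed by an earlier, broader entry."""
    findings = []
    last = acl[-1]
    if not (last.action == "deny" and last.proto == "ip"
            and last.src == "0.0.0.0/0" and last.dst == "0.0.0.0/0"):
        findings.append("ACL does not end with an explicit deny-all entry")
    for i, e in enumerate(acl):
        if (e.action == "permit" and e.proto == "ip"
                and e.src == "0.0.0.0/0" and e.dst == "0.0.0.0/0"):
            findings.append(f"entry {i} permits any-to-any traffic")
        for j, earlier in enumerate(acl[:i]):
            if covers(earlier, e):
                findings.append(f"entry {i} is shadowed by broader entry {j}")
    return findings


if __name__ == "__main__":
    print(evaluate(DMZ_TO_INSIDE_ACL, "tcp", "192.0.2.10", "10.10.1.5", 22))
    print(audit(DMZ_TO_INSIDE_ACL))
```

The audit deliberately treats a shadowed entry as a finding even when it is a permit shadowed by a deny: either way, the list does not say what its author thinks it says, which is exactly the condition least privilege is meant to rule out.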




Threats today are constantly changing, with new ones emerging. Moving targets are often difficult to zero in on, but understanding the general nature of threats can prepare you to deal with new threats. This section covers the various network threat categories and identifies some strategies to stay ahead of those threats.



Instead of trying to list the thousands of attacks that could threaten vulnerable networks, let’s begin by looking at the types of adversaries that may be behind attacks:


§  Terrorists

§  Criminals

§  Government agencies

§  Nation states

§  Hackers

§  Disgruntled employees

§  Competitors

§  Anyone with access to a computing device (sad, but true)


Different terms are used to refer to these individuals, including hacker/cracker (criminal hacker), script-kiddie, hacktivist, and the list goes on. As a security practitioner, you want to “understand your enemy.” This is not to say that everyone should learn to be a hacker or write malware, because that is really not going to help. Instead, the point is that it is good to understand the motivations and interests of the people involved in breaking all those things you seek to protect. You also need to have a good understanding of your network and data environment to know what is vulnerable and what can be targeted by malicious actors.


Some attackers seek financial gain (as mentioned previously). Others might want the notoriety that comes from attacking a well-known company or brand. Sometimes attackers throw their net wide and hurt companies both intended and unintended. Back in the “old days,” attacks were much simpler. We had basic intrusions, war dialing, and things like that. Viruses were fairly new. But it was all about notoriety. The Internet was in its infancy, and people sought to make names for themselves.


In the late 1990s and early 2000s, we saw an increase in the number of viruses and malware, and it was about fame. More recently, many more attacks and threats revolve around actual theft of information and damage with financial repercussions. Perhaps that is a sign of the economy, or maybe it is just an evolution of who is computer literate or incentivized to be involved. Attackers may also be motivated by government or industrial espionage.



Most attackers do not want to be discovered and so they use a variety of techniques to remain in the shadows when attempting to compromise a network, as described in Table 1.


Table 1: Attack Methods






Reconnaissance

This is the discovery process used to find information about the network. It could include scans of the network to find out which IP addresses respond, and further scans to see which ports on the devices at these IP addresses are open. This is usually the first step taken, to discover what is on the network and to determine potential vulnerabilities.

Social engineering

This is a tough one because it leverages what is very likely the weakest vulnerability in a secure system (data, applications, devices, networks): the user. If the attacker can get the user to reveal information, it is much easier for the attacker than using some other method of reconnaissance. This could be done through e-mail or misdirection of web pages, which results in the user clicking something that leads to the attacker gaining information. Social engineering can also be done in person or over the phone.


Phishing presents a link that looks like a valid trusted resource to a user. When the user clicks it, the user is prompted to disclose confidential information such as usernames/passwords.


Pharming is used to direct a customer’s URL from a valid resource to a malicious one that could be made to appear as the valid site to the user. From there, an attempt is made to extract confidential information from the user.

Privilege escalation

This is the process of taking some level of access (whether authorized or not) and achieving an even greater level of access. An example is an attacker who gains user mode access to a router and then uses a brute-force attack against the router, determining what the enable secret is for privilege level 15 access.

Back doors

When attackers gain access to a system, they usually want future access, as well, and they want it to be easy. A backdoor application can be installed to either allow future access or to collect information to use in further attacks.


Many back doors are installed by users clicking something without realizing the link they click or the file they open is a threat. Back doors can also be implemented as a result of a virus or a worm (often referred to as malware).

Code execution

When attackers can gain access to a device, they might be able to take several actions. The type of action depends on the level of access the attacker has, or can achieve, and is based on permissions granted to the account compromised by the attacker. One of the most devastating actions available to an attacker is the ability to execute code within a device. Code execution could result in an adverse impact to the confidentiality (attacker can view information on the device), integrity (attacker can modify the configuration of the device), and availability (attacker can create a denial of service through the modification of code) of a device.
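The reconnaissance row above describes address sweeps and port scans as the usual first step. The following added example (not from the original text or any vendor) shows the defender’s side: it parses constructed, syslog-style firewall deny records and flags a source that touches many distinct ports on one host (a vertical scan) or one port across many hosts (a horizontal sweep) within a sliding time window. The log format, addresses and thresholds are assumptions made for the illustration; adapt the regular expression to whatever your firewall actually emits.

```python
"""Port-scan / host-sweep detection over firewall deny logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed record format: "<ISO timestamp> DENY <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one host probing ten ports on 10.10.1.5, one host sweeping
# port 445 across six inside hosts, and a single benign denied connection.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DENY tcp 203.0.113.7:40000 -> 10.10.1.5:21
2024-05-01T10:00:00 DENY tcp 203.0.113.7:40001 -> 10.10.1.5:22
2024-05-01T10:00:01 DENY tcp 203.0.113.7:40002 -> 10.10.1.5:23
2024-05-01T10:00:01 DENY tcp 203.0.113.7:40003 -> 10.10.1.5:25
2024-05-01T10:00:02 DENY tcp 203.0.113.7:40004 -> 10.10.1.5:80
2024-05-01T10:00:02 DENY tcp 203.0.113.7:40005 -> 10.10.1.5:110
2024-05-01T10:00:03 DENY tcp 203.0.113.7:40006 -> 10.10.1.5:143
2024-05-01T10:00:03 DENY tcp 203.0.113.7:40007 -> 10.10.1.5:443
2024-05-01T10:00:04 DENY tcp 203.0.113.7:40008 -> 10.10.1.5:3389
2024-05-01T10:00:04 DENY tcp 203.0.113.7:40009 -> 10.10.1.5:8080
2024-05-01T10:01:00 DENY tcp 198.51.100.9:50000 -> 10.10.1.1:445
2024-05-01T10:01:00 DENY tcp 198.51.100.9:50001 -> 10.10.1.2:445
2024-05-01T10:01:01 DENY tcp 198.51.100.9:50002 -> 10.10.1.3:445
2024-05-01T10:01:01 DENY tcp 198.51.100.9:50003 -> 10.10.1.4:445
2024-05-01T10:01:02 DENY tcp 198.51.100.9:50004 -> 10.10.1.5:445
2024-05-01T10:01:02 DENY tcp 198.51.100.9:50005 -> 10.10.1.6:445
2024-05-01T10:05:00 DENY tcp 192.0.2.44:51000 -> 10.10.1.5:22
"""


def parse(log_text: str) -> List[dict]:
    """Turn deny lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def detect_scans(events: List[dict], window: timedelta = timedelta(seconds=60),
                 port_threshold: int = 8, host_threshold: int = 5) -> List[Tuple[str, str, int]]:
    """Return (source, kind, count) findings, at most one per kind per source.

    For each event, look back over that source's events inside `window`:
    a vertical scan is >= port_threshold distinct destination ports on the
    event's destination host; a horizontal sweep is >= host_threshold distinct
    destination hosts on the event's destination port.
    """
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    findings: List[Tuple[str, str, int]] = []
    for src, evs in by_src.items():
        reported = set()
        for i, ev in enumerate(evs):
            recent = [e for e in evs[: i + 1] if ev["ts"] - e["ts"] <= window]
            ports = {e["dport"] for e in recent if e["dst"] == ev["dst"]}
            hosts = {e["dst"] for e in recent if e["dport"] == ev["dport"]}
            if len(ports) >= port_threshold and "vertical" not in reported:
                findings.append((src, "vertical", len(ports)))
                reported.add("vertical")
            if len(hosts) >= host_threshold and "horizontal" not in reported:
                findings.append((src, "horizontal", len(hosts)))
                reported.add("horizontal")
    return findings


if __name__ == "__main__":
    for finding in detect_scans(parse(SAMPLE_LOG)):
        print(finding)
```

The count reported is the count at the moment the threshold was crossed, which is what you would want to alert on in near real time; a batch report would instead take the maximum over the whole window. Denied connections are a good data source for this because a legitimate client rarely produces a long run of them against distinct ports or hosts.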



Be aware that attacks are not launched only by individuals outside your company. They are also launched by people and devices inside your company who have current, legitimate user accounts. This vector is of particular concern these days with the proliferation of organizations allowing employees to bring their own device (BYOD) and giving it seamless access to data, applications, and devices on the corporate networks.


Perhaps the user is curious, or maybe a back door is installed on the computer on which the user is logged in. In either case, it is important to implement a security policy that takes nothing for granted and to be prepared to mitigate risk at several levels.


You can implement a security policy that takes nothing for granted by requiring authentication from users before their computer is allowed on the network (for which you could use 802.1X and Cisco Access Control Server [ACS]). This means that the workstation the user is on must be profiled before being allowed on the network. You could use Network Admission Control (NAC) or the Identity Services Engine (ISE) to enforce such a policy. In addition, you could use security measures at the switch port, such as port security and others.





A man-in-the-middle attack results when attackers place themselves in line between two devices that are communicating, with the intent to perform reconnaissance or to manipulate the data as it moves between them. This can happen at Layer 2 or Layer 3. The main purpose is eavesdropping, so the attacker can see all the traffic.



No standards groups for attackers exist, so not all the attacks fit neatly or clearly in one category. In fact, some attacks fit into two or more categories at the same time. Table 2 describes a few additional methods attackers might use.


Table 2: Additional Attack Methods





Covert channel

This method uses programs or communications in unintended ways. For example, if the security policy says that web traffic is allowed but peer-to-peer messaging is not, users can attempt to tunnel their peer-to-peer traffic inside of HTTP traffic. An attacker may use a similar technique to hide traffic by tunneling it inside of some other allowed protocol to avoid detection.


An example of this is a backdoor application collecting keystroke information from the workstation and then slowly sending it out disguised as Internet Control Message Protocol (ICMP) traffic. This is a covert channel. A covert channel is the use of a legitimate protocol, such as HTTP as a user’s web browser would use it to access a web server, for illegitimate purposes, including cloaking network traffic from inspection.

Trust exploitation

If the firewall has three interfaces, and the outside interface allows all traffic to the demilitarized zone (DMZ) but not to the inside network, and the DMZ allows access to the inside network, an attacker could leverage that by gaining access to the DMZ and using that location to launch his attacks from there to the inside network. Other trust models, if incorrectly configured, may allow unintentional access to an attacker, including Active Directory and the Network File System (NFS) on UNIX.

Brute-force (password-guessing) attacks

Brute-force (password-guessing) types of attacks are performed when an attacker’s system attempts thousands of possible passwords looking for the right match. This is best protected against by specifying limits on how many unsuccessful authentication attempts can occur within a specified time frame.


Password-guessing attacks can also be done through malware, man-in-the-middle attacks using packet sniffers, or by using key loggers.


Botnet

A botnet is a collection of infected computers that are ready to take instructions from the attacker. For example, if the attacker has the malicious backdoor software installed on 10,000 computers, from his central location he could instruct those computers to all send TCP SYN requests or ICMP echo requests repeatedly to the same destination.


To add insult to injury, he could also spoof the source IP address of the request so that reply traffic is sent to yet another victim. The attacker generally uses a covert channel to manage the individual devices that make up the botnet.

DoS and DDoS

A denial-of-service (DoS) attack or a distributed denial-of-service (DDoS) attack. An example is using a botnet to attack a target system. If an attack is launched from a single device with the intent to cause damage to an asset, the attack could be considered a DoS attempt, as opposed to a DDoS. Both types of attacks want the same result, and whether it is called a DoS or DDoS attack just depends on how many source machines are used in the attack.


A more advanced and increasingly popular type of DDoS attack is called a reflected DDoS (RDDoS) attack. An RDDoS takes place when the source of the initial (query) packets is actually spoofed by the attacker. The response packets are then “reflected” back from the unknowing participant to the victim of the attack; that is, the original (spoofed) source of the initial (query) packets.
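The brute-force row in the table above says the best protection is a limit on how many unsuccessful authentication attempts may occur within a specified time frame. The following added example (not from the original text or from any Cisco product) implements that control as a per-account sliding window: after a configurable number of failures inside the window the account is locked for a set period, and while locked the password is not even evaluated. The credential store, user name and thresholds are constructed for the illustration.

```python
"""Failed-login limiter with a sliding window and temporary lockout (added example)."""
import hmac
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class LoginLimiter:
    def __init__(self, max_failures: int = 5, window_seconds: float = 60.0,
                 lockout_seconds: float = 300.0):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.locked_until: Dict[str, float] = {}

    def _expire(self, key: str, now: float) -> None:
        # Drop failures older than the window so the count is a sliding window,
        # not a lifetime total.
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, key: str, now: float) -> Tuple[bool, float]:
        """Return (allowed, seconds remaining in lockout) for an attempt on `key`."""
        until = self.locked_until.get(key, 0.0)
        if now < until:
            return False, until - now
        return True, 0.0

    def record(self, key: str, success: bool, now: float) -> bool:
        """Record an attempt outcome; return True if `key` is now locked."""
        if success:
            self.failures.pop(key, None)
            self.locked_until.pop(key, None)
            return False
        self._expire(key, now)
        self.failures[key].append(now)
        if len(self.failures[key]) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            self.failures[key].clear()
            return True
        return False


# Constructed credential store for the example only; a real system would verify
# against a hashed secret, typically through an AAA server.
USERS = {"admin": "correct horse battery staple"}


def attempt_login(limiter: LoginLimiter, user: str, password: str, now: float) -> str:
    """Outcome strings: 'locked', 'ok', 'failed', 'failed-now-locked'."""
    allowed, _ = limiter.check(user, now)
    if not allowed:
        return "locked"          # refuse without evaluating the password
    # Constant-time comparison so timing does not leak how much of the guess matched.
    success = hmac.compare_digest(USERS.get(user, "").encode(), password.encode())
    locked = limiter.record(user, success, now)
    if success:
        return "ok"
    return "failed-now-locked" if locked else "failed"


def simulate_guessing(limiter: LoginLimiter, guesses: List[str],
                      start: float = 0.0, step: float = 1.0) -> List[str]:
    """Feed guesses for 'admin' `step` seconds apart and return each outcome."""
    return [attempt_login(limiter, "admin", g, start + i * step)
            for i, g in enumerate(guesses)]


if __name__ == "__main__":
    lim = LoginLimiter(max_failures=3, window_seconds=60, lockout_seconds=300)
    print(simulate_guessing(lim, ["a", "b", "c", "correct horse battery staple"]))
```

Keying the limiter by account alone means an attacker can lock a legitimate user out on purpose; in practice you would usually key by account and source address together and pair the lockout with logging of every failure so the attempts show up in your accounting records. Cisco IOS exposes the same idea for the device login itself through the `login block-for` command, which quiets logins for a period after a given number of failures within a given number of seconds.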
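The botnet, DoS/DDoS and reflected-DDoS rows above describe floods of TCP SYN or ICMP echo requests, the DoS-versus-DDoS distinction by number of sources, and reply traffic “reflected” onto a victim whose address was spoofed in the query. The following added example (not from the original text or any vendor) shows how a defender would recognise all three in flow records: it counts half-open (SYN without ACK) TCP flows per destination and labels the flood by how many distinct sources it came from, and it flags reply traffic (DNS answers from UDP port 53 and ICMP echo replies) arriving at a host that never sent the corresponding request. The flow records are constructed, NetFlow-style tuples; the field names, addresses and thresholds are assumptions made for the illustration.

```python
"""DoS / DDoS / reflected-DDoS classification over flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""      # TCP flags seen in the flow, e.g. "S" (SYN only) or "SA"
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply (icmp flows only)


def classify_syn_flood(flows: List[Flow], min_flows: int = 50,
                       ddos_sources: int = 10) -> Dict[str, dict]:
    """Per destination with at least `min_flows` half-open flows: the flow count,
    the number of distinct sources, and 'dos' (few sources) or 'ddos' (many)."""
    half_open: Dict[str, List[str]] = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":   # SYN seen, handshake never completed
            half_open[f.dst].append(f.src)
    result = {}
    for dst, srcs in half_open.items():
        if len(srcs) < min_flows:
            continue
        distinct = len(set(srcs))
        kind = "ddos" if distinct >= ddos_sources else "dos"
        result[dst] = {"flows": len(srcs), "sources": distinct, "kind": kind}
    return result


def find_reflected(flows: List[Flow], min_reflectors: int = 3) -> Dict[str, Set[str]]:
    """Hosts receiving replies from many reflectors without having sent requests.

    A reflected attack is visible from the victim's side as answers to questions
    it never asked: the spoofed queries went out from the attacker, only the
    replies arrive here."""
    requests: Set[Tuple[str, str]] = set()   # (requester, responder) pairs we saw
    for f in flows:
        if f.proto == "udp" and f.dport == 53:
            requests.add((f.src, f.dst))
        if f.proto == "icmp" and f.icmp_type == 8:
            requests.add((f.src, f.dst))
    unsolicited: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        is_reply = ((f.proto == "udp" and f.sport == 53)
                    or (f.proto == "icmp" and f.icmp_type == 0))
        if is_reply and (f.dst, f.src) not in requests:
            unsolicited[f.dst].add(f.src)
    return {victim: refl for victim, refl in unsolicited.items()
            if len(refl) >= min_reflectors}


def constructed_flows() -> List[Flow]:
    """Constructed sample traffic, not captured data."""
    flows: List[Flow] = []
    # A: 60 half-open SYNs from one source to the web server -> single-source DoS
    flows += [Flow("203.0.113.7", "10.10.1.5", "tcp", 40000 + i, 80, "S") for i in range(60)]
    # B: 200 half-open SYNs from 50 bots to the mail server -> DDoS
    flows += [Flow(f"198.51.100.{1 + (i % 50)}", "10.10.1.6", "tcp", 50000 + i, 25, "S")
              for i in range(200)]
    # C: a normal handshake (SYN, then SYN+ACK back) must not count as half-open
    flows += [Flow("192.0.2.44", "10.10.1.5", "tcp", 51000, 80, "S"),
              Flow("10.10.1.5", "192.0.2.44", "tcp", 80, 51000, "SA")]
    # D: host 10.10.1.9 queried one resolver and got its answer (legitimate)
    flows += [Flow("10.10.1.9", "192.0.2.53", "udp", 33000, 53),
              Flow("192.0.2.53", "10.10.1.9", "udp", 53, 33000)]
    # E: DNS answers from five open resolvers hit 10.10.1.7, which asked none of them
    flows += [Flow(f"192.0.2.{60 + i}", "10.10.1.7", "udp", 53, 1024 + i) for i in range(5)]
    return flows


if __name__ == "__main__":
    sample = constructed_flows()
    print(classify_syn_flood(sample))
    print(find_reflected(sample))
```

Two caveats a practitioner would add: the SYN-only test assumes the flow exporter records the flags seen for the whole flow, and the reflection test only works at a point that sees both directions of the victim's traffic, since a one-way view makes every reply look unsolicited. Dropping packets whose source address could not legitimately appear on the interface they arrived on (anti-spoofing filtering at the edge) removes the spoofed queries that make reflection possible in the first place.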



