Security Best Practices in Cisco IOS® and Other Techniques to Help your Network Survive in Today's Internet/Extranet Environments
Mike Peeters
SE Toronto
PS-543
3029_05_2001_c1
© 2001, Cisco Systems, Inc. All rights reserved.
1
Safe Security
• SAFE Blueprint
• Understanding Today's Threats and Vulnerabilities
• Securing the Router
• Securing the Routing Protocols
• Limiting the impact of DOS Attacks
• In Conclusion
The Network of Five Years Ago
[Diagram: a closed network of remote sites connected over PSTN, Frame Relay, X.25 and leased lines]
Legacy Security Solutions
• Most security designed when networks were
simple and static
• Primarily single-point products (access control) with no network integration or intelligence
• Such legacy products are still seen as
default security solutions (a “cure-all”)
• Today, there are serious drawbacks to
relying on such “overlay” security to protect
sophisticated networks and services
Case in Point…
Internet connections have dramatically increased
as a frequent point of attack (from 59% in 2000
to 70% in 2001.)
Of those organizations reporting attacks, we
learn:
• 27% say they don't know if there had been unauthorized access or misuse
• 21% reported from two to five incidents in one year
• 58% reported ten or more incidents in a single year
– something isn't working!
Computer Security Institute & FBI Report
March, 2001
Code Red and Nimda Worm Impacts
• Rapid penetration and propagation through
existing security solutions
• Extensive impact; expensive recovery
• Exploited existing and known vulnerabilities, and
bypassed legacy security devices
• Could be prevented and mitigated
Impact of Recent Worms
• Major Computer Company... Code Red/Nimda
$9 million for remediation
12,000 IT hours for Code Red
6,500 IT hours for Nimda
• Multibillion dollar financial institution... Nimda
75% of core routers down at any given time
Lost trading server for half day ($13 million impact)
Important Lesson Learned:
Security Needs to Be Designed and Implemented
Around, In and Through the Network
The Network Today
[Diagram only]
Today’s Threats
• Attackers are taking advantage of complex networks
and sophisticated Internet services
• In this environment, everything is a target: Routers,
Switches, Hosts, Networks (local and remote), Applications, Operating
Systems, Security Devices, Remote Users, Business Partners,
Extranets, etc.
• Threats to today’s networks are not addressed by
most legacy security products
• In fact, there is no single security device which can
protect all of these targets
SAFE Security Blueprint
• Integrates security and network issues
• Includes specific configurations for Cisco
and partner solutions
• Based on existing, shipping capabilities
• Over 3,000 hours of lab testing
• Currently, five SAFE white papers:
SAFE for Enterprise, SAFE for SMB, SAFE Blueprint for IP
Telephony, Wireless LAN Security in Depth, Safe for VPNs
SAFE: Securing E-Business
[Diagram: SAFE modules: Management, Building, E-Commerce, ISP, Distribution, Corporate Internet, Edge, Core, Server, VPN/Remote Access, PSTN, WAN, FR/ATM]
Defense-in-Depth
[Diagram: five security layers and the technology behind each]
Secure Connectivity: VPN
Perimeter Security: Firewalls
Security Monitoring: IDS/Scanning
Identity: Authentication
Security Management: Policy
• Integration – into network infrastructure
compatibility with network services
• Integration – functional interoperability
intelligent interaction between elements
• Convergence – with other technology initiatives
mobility/wireless, IP telephony, voice/video-enabled VPNs
Understanding Today's Threats and Vulnerabilities
Classes of Attacks
• Reconnaissance
Unauthorized discovery and mapping of systems, services, or vulnerabilities
• Access
Unauthorized data manipulation, system access, or privilege escalation
• Denial of Service
Disable or corrupt networks, systems, or services
Reconnaissance Methods
• Common commands and administrative
utilities
nslookup, ping, netcat, telnet, finger, rpcinfo,
file explorer, srvinfo, dumpacl
• Public tools
Sniffers, SATAN, SAINT, NMAP, custom scripts
nmap
• Network mapper is a utility for port scanning large
networks:
TCP connect() scanning,
TCP SYN (half open) scanning
TCP FIN, Xmas, or NULL (stealth) scanning
TCP ftp proxy (bounce attack) scanning
SYN/FIN scanning using IP fragments (bypasses some packet
filters)
TCP ACK and window scanning
UDP raw ICMP port unreachable scanning
ICMP scanning (ping-sweep)
TCP ping scanning
Direct (non portmapper) RPC scanning
Remote OS identification by TCP/IP fingerprinting (nearly 500)
nmap
• nmap {Scan Type(s)} [Options] <host or net list>
• Example:
my-unix-host% nmap -sT my-router
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on my-router.example.com (10.12.192.1)
(The 1521 ports scanned but not shown below are in state closed)
Port     State  Service
21/tcp   open   ftp
22/tcp   open   ssh
23/tcp   open   telnet
25/tcp   open   smtp
37/tcp   open   time
80/tcp   open   http
Access Methods
• Exploiting passwords
Brute force
Cracking tools
• Exploit poorly configured or managed services
Anonymous ftp, tftp, remote registry
access, nis,…
Trust relationships: rlogin, rexec,…
IP source routing
File sharing: NFS, windows file sharing
Access Methods (Cont.)
• Exploit application holes
Mishandled input data: Access outside application
domain, buffer overflows, race conditions
• Protocol weaknesses: Fragmentation, TCP
session hijacking
• Trojan horses: Programs that plant a backdoor
into a host
IP Packet Format
[Header layout, bits 0 to 31, one 32-bit word per row]
4-Bit Version | 4-Bit Header Length | 8-Bit Type of Service (TOS) | 16-Bit Total Length (In Bytes)
16-Bit Identification | 3-Bit Flags | 13-Bit Fragment Offset
8-Bit Time to Live (TTL) | 8-Bit Protocol | 16-Bit Header Checksum
32-Bit Source IP Address
32-Bit Destination IP Address
Options (If Any)
Data
IP Spoofing
[Diagram: attacker C sends A a packet carrying B's source address, in effect saying "Hi, My Name Is B"]
IP: Normal Routing
[Diagram: the datagram A -> B travels A, Ra, Rb, B; each hop picks the next hop from its own routing table (A: B, C via Ra; Ra: B via Rb, C via Rc; Rb: A, C via Ra, B via Ethernet)]
Routing Based on Routing Tables
IP: Source Routing
[Diagram: A sends "A -> B via Ra, Rb" with the path carried in the IP option; Ra's own table says "B Unknown, C via Rc", yet it forwards to Rb as the option instructs, and Rb delivers to B]
Routing Based on IP Datagram Option
IP Unwanted Routing
[Diagram: C on the Internet sends "C->A via R1, R2". R1 at the Internet edge has "A Unknown, B via DMZ"; R2 has "A via Intranet, B via DMZ, C Unknown"; yet the source route carries the datagram through the DMZ to A on the Intranet, which neither router would have reached from its own table]
IP Unwanted Routing (Cont.)
[Diagram: C on the Internet sends "C->A via B". B is a dial-up PPP host (A via Ethernet, C via PPP) acting as a router, so the datagram reaches A on the Intranet through B even though the Internet side has "A Unknown"]
IP Spoofing Using Source Routing
[Diagram: A trusts B ("B Is a Friend, Allow Access"). Attacker C sends "B->A via C, Rc, Ra": B's source address with a source route through C itself. A answers "A->B via Ra, Rc, C", the reversed route, so the replies pass through C]
Back Traffic Uses the Same Source Route
TCP Packet Format
[Header layout, bits 0 to 31, one 32-bit word per row]
16-Bit Source Port Number | 16-Bit Destination Port Number
32-Bit Sequence Number
32-Bit Acknowledgment Number
4-Bit Header Length | Reserved (6 Bits) | Flags URG ACK PSH RST SYN FIN | 16-Bit Window Size
16-Bit TCP Checksum | 16-Bit Urgent Pointer
TCP Options
Data
TCP Connection Establishment
[Diagram: three-way handshake between B and A; seq=(x,y) denotes the packet's sequence number and acknowledgment number]
B -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb)
B -> A: flags=ACK, seq=(Sb,Sa)
A -> B: flags=ACK, data="Username:"
TCP Blind Spoofing
[Diagram: the normal B to A exchange of the previous slide, then the same exchange with C masquerading as B]
C (as B) -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb) (this reply goes to the real B; C never sees it)
C (as B) -> A: flags=ACK, seq=(Sb,Sa) (C Guesses Sa)
A -> B: flags=ACK, data="Username:"
C (as B) -> A: flags=ACK, data="myname"
A Believes the Connection Comes from B and Starts the Application (e.g. rlogin)
TCP Blind Spoofing (Cont.)
• C masquerades as B
• A believes the connection is coming from
trusted B
• C does not see the back traffic
• For this to work, the real B must not be up,
and C must be able to guess A’s sequence
number
TCP Session Hijacking
[Diagram: B initiates a connection with A and is authenticated by the application on A; C, masquerading as B, then injects data into the established session]
B -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb)
B -> A: flags=ACK, seq=(Sb,Sa)
A -> B: flags=ACK, data="Password:"
B -> A: flags=ACK, data="Xyzzy"
C (as B) -> A: flags=ACK, seq=(Sb+5,Sa+9), data="delete *"
C Guesses Sa, Sb
C Inserts Invalid Data
IP Normal Fragmentation
• IP largest data is 65,535 == 2^16-1
• IP fragments a large datagram into smaller
datagrams to fit the MTU
• Fragments are identified by fragment
offset field
• Destination host reassembles the original
datagram
IP Normal Fragmentation (Cont.)
Before Fragmentation:
IP Header + IP Data: TL=1300, FO=0, Data Length 1280
After Fragmentation (MTU = 500):
TL=500, FO=0, Data Length 480
TL=500, FO=480, Data Length 480
TL=340, FO=960, Data Length 320
IP Normal Reassembly
Received from the Network (out of order):
TL=500, FO=0, Data Length 480
TL=340, FO=960, Data Length 320
TL=500, FO=480, Data Length 480
Reassembly Buffer, 65,535 Bytes (Kernel Memory at Destination Host)
IP Reassembly Attack
• Send invalid IP datagram
• Fragment offset + fragment
size > 65,535
• Usually containing ICMP echo
request (ping)
• Not limited to ping of death!
IP Reassembly Attack (Cont.)
Received from the Network:
TL=1020, FO=0, Data Length 1000
…64 IP Fragments with Data Length 1000…
TL=1020, FO=65000, Data Length 1000
BUG: Buffer Exceeded
Reassembly Buffer, 65,535 Bytes (Kernel Memory at Destination Host), 64 IP Fragments
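The reassembly check that slides 32 to 36 describe, written out as an added Python example (this is not code from the Cisco deck). Fragments are modelled with the slides' TL/FO/data-length values, with FO as a byte offset the way the slides draw it, and a fixed 20-byte header is assumed. The receiver rejects any fragment whose offset plus length overruns the 65,535-byte buffer before touching memory, then checks that the surviving fragments, whatever their arrival order, form one contiguous datagram ending in a fragment with MF clear.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535   # largest IP datagram: 2^16 - 1 bytes, header included
IP_HEADER_LEN = 20     # assumption for this example: fragments carry a 20-byte header, no options


@dataclass(frozen=True)
class Fragment:
    total_length: int      # TL field: header + data, in bytes
    fragment_offset: int   # FO: byte offset of this fragment's data in the original datagram
    more_fragments: bool   # MF flag: False only on the last fragment

    @property
    def data_length(self) -> int:
        return self.total_length - IP_HEADER_LEN

    @property
    def end(self) -> int:
        # first byte after this fragment's data, relative to the original datagram's data
        return self.fragment_offset + self.data_length


def fits_in_buffer(frag: Fragment) -> bool:
    """The check a safe stack makes before copying: offset + size must stay within the buffer."""
    return frag.end <= MAX_DATAGRAM


def reassemble(fragments):
    """Validate fragments received in any order; returns (ok, reason, data_length).

    Oversized fragments are rejected before any buffer arithmetic; the rest must
    cover the datagram contiguously and the highest fragment must have MF clear.
    """
    if not fragments:
        return False, "no fragments", 0
    for frag in fragments:
        if not fits_in_buffer(frag):
            return (False,
                    f"fragment at offset {frag.fragment_offset} would end at byte {frag.end}, "
                    f"beyond the {MAX_DATAGRAM}-byte buffer", 0)
    ordered = sorted(fragments, key=lambda f: f.fragment_offset)
    expected = 0
    for frag in ordered:
        if frag.fragment_offset != expected:
            return False, f"gap or overlap at offset {expected}", 0
        expected = frag.end
    if ordered[-1].more_fragments:
        return False, "last fragment (MF=0) not received", 0
    return True, "ok", expected


# Constructed inputs reproducing the two slides.
# "IP Normal Reassembly": a 1300-byte datagram split for MTU 500, arriving out of order.
NORMAL = [
    Fragment(total_length=500, fragment_offset=0, more_fragments=True),
    Fragment(total_length=340, fragment_offset=960, more_fragments=False),
    Fragment(total_length=500, fragment_offset=480, more_fragments=True),
]

# "IP Reassembly Attack": 64 fragments of 1000 data bytes, then one at offset 65000.
ATTACK = [Fragment(total_length=1020, fragment_offset=i * 1000, more_fragments=True)
          for i in range(64)]
ATTACK.append(Fragment(total_length=1020, fragment_offset=65000, more_fragments=False))


if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("attack", ATTACK)):
        print(name, reassemble(frags))
```

The bounds check comes first on purpose: a stack that sorts or copies before checking `end` has already trusted the attacker's offset.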
SYN Attack
[Diagram: C, masquerading as B, sends connection requests to A that B never completes]
C (as B) -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb)
A Allocates Kernel Resource for Handling the Starting Connection
No Answer from B… 120 Sec Timeout, then Free the Resource
Denial of Service: Kernel Resources Exhausted
SMURF Attack
[Diagram: the attacker sends a directed broadcast ping into 160.154.5.0 with the victim 172.18.1.2 as the source address; every host on that LAN answers the victim, an attempt to overwhelm the WAN link to the destination]
ICMP REQ D=160.154.5.255 S=172.18.1.2 (Directed Broadcast PING)
ICMP REPLY D=172.18.1.2 S=160.154.5.10
ICMP REPLY D=172.18.1.2 S=160.154.5.11
ICMP REPLY D=172.18.1.2 S=160.154.5.12
ICMP REPLY D=172.18.1.2 S=160.154.5.13
ICMP REPLY D=172.18.1.2 S=160.154.5.14
DDoS Step 1: Find Vulnerable Hosts
[Diagram: attacker]
Use Reconnaissance Tools to Locate Vulnerable Hosts to Be Used as Masters and Daemon Agents
DDoS Step 2: Install Software on Masters and Agents
[Diagram: attacker, innocent masters, innocent daemon agents]
1. Use master and agent programs on all cracked hosts
2. Create a hierarchical covert control channel using innocent looking ICMP packets whose payload contains DDoS commands; some DDoS further encrypt the payload...
DDoS Step 3: Launch the Attack
[Diagram: the attacker tells the innocent masters "Attack Alice NOW!"; the masters relay the order to the innocent daemon agents, which flood the victim]
Securing the Router
Passwords:
• Physical access to console port means no password needed upon
reboot
• Telnet:
Enable password should be different than login password
• SNMP:
SNMP Community strings are transmitted in clear (v1,v2)
• Passwords/community strings are stored in clear text on TFTP
servers (No service config)
• Use good passwords
Passwords:
• Understand the different password protection mechanisms
service password-encryption
enable password 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
line con 0
password 7 00071A150754
• 5 => MD5 protection; cannot be decrypted
• 7 => Cisco proprietary encryption method
Beware: Even passwords that are encrypted in the configuration are not encrypted on the wire as an administrator logs into the router
• Use TACACS+/RADIUS for authentication
SNMP:
snmp-server community <string> <view> RO/RW <ACL>
Use views and ACLs to prevent unauthorized access.
snmp-server host <ip> <string>
Use snmp-server host for trap forwarding and authentication of traps.
snmp-server trap-source <>
Use a source interface to uniquely identify a device.
SNMP:
• Change your community strings! Do not
use public, private, secret!
• Use different community strings for the
RO and RW communities.
• Use mixed alphanumeric characters in
the community strings: SNMP
community strings can be cracked, too!
SNMP Version 3:
• SNMP V3 integrated in routers and
switches.
• HP OpenView has plugin for SNMP v3.
• Cisco Enterprise Network Management has at this time no
plans to support SNMP version 3. We advise people to
use IPsec, to accomplish a secure connection.
Transaction Records
• How do you tell when someone is attempting
to access your router?
• Consider some form of audit trails:
Using the syslog feature
SNMP traps and alarms
Implementing TACACS+, Radius, Kerberos, or third
party solutions like one-time password token cards
Configuring Syslog on a Router
• To log messages to a syslog server host, use the logging global configuration command
logging <host>
logging trap <level>
• To log to the internal buffer use:
logging buffered <size>
• To source the log events from a common address:
logging source-interface e0/1
Global Services You Turn On
• Add timestamping service facility for logs.
service timestamps log datetime localtime show-timezone msec
• Add the encryption service facility for console and VTY passwords.
service password-encryption
Setting NTP
• ntp server 192.168.41.40
• ntp server 192.168.41.41
• ntp source Ethernet0/1
• service timestamps log datetime localtime show-timezone
• service timestamps debug datetime localtime show-timezone
• clock timezone EST -5
• clock summer-time EDT recurring
Global Services You Turn OFF
• Some services turned on by default (< IOS
12.x), should be turned off to save memory
and prevent security breaches/attacks
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
no ip bootp server
Global Services You Turn OFF (Cont.)
• Check these services as well
no ip source-route
no mop enabled
no ip rsh-enable
no ip rcmd rcp-enable
no ip identd
no ip http server
Interface Services You Turn OFF
• All interfaces on an Internet-facing router should have the following as a default:
no ip redirects
no ip directed-broadcast
no ip proxy-arp
Cisco Discovery Protocol
• Lets network administrators discover
neighbouring Cisco equipment, model
numbers and software versions
• Should not be activated on any public facing
interface: IXP, customer, upstream ISP –
unless part of the peering agreement.
• Disable per interface
no cdp enable
Cisco Discovery Protocol
Defiant#show cdp neighbors detail
-------------------------
Device ID: Excalabur
Entry address(es):
  IP address: 4.1.2.1
Platform: cisco RSP2,  Capabilities: Router
Interface: FastEthernet1/1,  Port ID (outgoing port): FastEthernet4/1/0
Holdtime : 154 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-K3PV-M), Version 12.0(9.5)S, EARLY DEPLOYMENT MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Fri 03-Mar-00 19:28 by htseng
Login Banner
• Use a good login banner, or nothing at all:
banner login ^
Authorised access only
Disconnect IMMEDIATELY if you are not an
authorised user!
^
Use Enable Secret
• Encryption '7' on a Cisco is reversible
• The "enable secret" password is encrypted via a one-way algorithm
enable secret <removed>
no enable password
service password-encryption
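A way to check a saved configuration against the hardening points of slides 43, 44 and 51 through 59 in one pass, as an added Python example that is not part of the Cisco deck. The audit looks for the explicit global and per-interface "no ..." lines the slides list, for `enable secret` in place of `enable password`, for type-7 `username` passwords, and for VTY lines that lack an access-class or still accept telnet. The sample configuration is constructed for this example (documentation addresses, a placeholder secret hash, and the type-7 strings shown on the deck's own slides); whether a given IOS version prints a particular default in `show running-config` varies, and the audit does not model that.

```python
import re

# Global commands the deck tells you to have in place (slides 43-44, 51, 53-54, 59).
REQUIRED_GLOBAL = [
    "service password-encryption",
    "no service finger",
    "no service pad",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "no ip bootp server",
    "no ip source-route",
    "no ip http server",
]
# Per-interface defaults for an Internet-facing router (slides 55-56).
REQUIRED_INTERFACE = ["no ip redirects", "no ip directed-broadcast", "no ip proxy-arp", "no cdp enable"]


def parse_config(text):
    """Split an IOS configuration into top-level lines and indented blocks keyed by their header."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            current = None
            top.append(line)
    return top, blocks


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    top, blocks = parse_config(text)
    findings = []
    present = set(top)
    for cmd in REQUIRED_GLOBAL:
        if cmd not in present:
            findings.append(f"global: missing '{cmd}'")
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("global: no 'enable secret' configured")
    if any(l.startswith("enable password ") for l in top):
        findings.append("global: 'enable password' still present; keep enable secret and remove it")
    for l in top:
        if re.match(r"username \S+ password 7 ", l):
            findings.append(f"global: reversible type-7 password in '{l}'")
    for header, body in blocks.items():
        if header.startswith("interface ") and not header.startswith(("interface Loopback", "interface Null")):
            for cmd in REQUIRED_INTERFACE:
                if cmd not in body:
                    findings.append(f"{header}: missing '{cmd}'")
        elif header.startswith("line vty"):
            if not any(l.startswith("access-class ") for l in body):
                findings.append(f"{header}: no access-class restricting who may connect")
            if not any(l.startswith("exec-timeout ") for l in body):
                findings.append(f"{header}: no exec-timeout")
            for l in body:
                if l.startswith("transport input ") and "telnet" in l.split():
                    findings.append(f"{header}: telnet still allowed in '{l}'")
    return findings


# Constructed sample configuration; the enable secret hash is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
version 12.1
service timestamps log datetime localtime show-timezone msec
service password-encryption
!
hostname edge-rtr
!
enable secret 5 <hash-placeholder>
enable password 7 045802150C2E
!
username joe password 7 1104181051B1
!
no ip source-route
no service finger
no ip http server
!
interface Ethernet0/1
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
interface Serial0/1
 ip address 198.51.100.2 255.255.255.252
 no ip directed-broadcast
!
line vty 0 4
 exec-timeout 5 0
 transport input telnet ssh
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports eleven findings: four missing global services, the leftover `enable password`, the type-7 username, three missing interface defaults on Serial0/1, and two VTY problems (no access-class, telnet still permitted).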
VTY and Console Port Timeouts
• Default idle timeout on async ports is 10
minutes 0 seconds
exec-timeout 10 0
• Timeout of 0 means permanent connection
• TCP keepalives on incoming network
connections
service tcp-keepalives-in
• Kills unused connections
VTY Security
• Access to VTYs should be controlled, not left open; consoles should be used for last resort admin only:
access-list 3 permit 215.17.1.0 0.0.0.255
access-list 3 deny any
line vty 0 4
access-class 3 in
exec-timeout 5 0
transport input telnet ssh
transport output none
transport preferred none
password 7 045802150C2E
VTY Security
• Use more robust ACLs with the logging feature to spot the probes on your network
access-list 199 permit tcp 1.2.3.0 0.0.0.255 any
access-list 199 permit tcp 1.2.4.0 0.0.0.255 any
access-list 199 deny tcp any any range 0 65535 log
access-list 199 deny ip any any log
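What "spot the probes" looks like once the `log` hits reach a syslog server, as an added Python example that is not part of the Cisco deck. It parses the `%SEC-6-IPACCESSLOGP` lines IOS emits for logged ACL matches, tallies denied packets and distinct destination ports per source, and flags a source that touches several ports as a likely scan. The log lines are constructed for this example with documentation addresses; the hostname, ACL number and threshold are this example's choices.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the format IOS uses for ACL "log" hits (%SEC-6-IPACCESSLOGP).
SAMPLE_LOG = """\
Mar  3 10:01:02 edge-rtr 101: %SEC-6-IPACCESSLOGP: list 199 denied tcp 198.51.100.7(40001) -> 192.0.2.1(21), 1 packet
Mar  3 10:01:02 edge-rtr 102: %SEC-6-IPACCESSLOGP: list 199 denied tcp 198.51.100.7(40002) -> 192.0.2.1(22), 1 packet
Mar  3 10:01:03 edge-rtr 103: %SEC-6-IPACCESSLOGP: list 199 denied tcp 198.51.100.7(40003) -> 192.0.2.1(23), 1 packet
Mar  3 10:01:03 edge-rtr 104: %SEC-6-IPACCESSLOGP: list 199 denied tcp 198.51.100.7(40004) -> 192.0.2.1(25), 1 packet
Mar  3 10:01:04 edge-rtr 105: %SEC-6-IPACCESSLOGP: list 199 denied tcp 198.51.100.7(40005) -> 192.0.2.1(80), 1 packet
Mar  3 10:02:11 edge-rtr 106: %SEC-6-IPACCESSLOGP: list 199 denied tcp 203.0.113.4(1034) -> 192.0.2.1(23), 1 packet
Mar  3 10:06:11 edge-rtr 107: %SEC-6-IPACCESSLOGP: list 199 denied tcp 203.0.113.4(1034) -> 192.0.2.1(23), 12 packets
Mar  3 10:07:00 edge-rtr 108: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)
"""

# One regex for the TCP/UDP form of the message: "list <acl> denied <proto> src(port) -> dst(port), N packet(s)".
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Return one dict per ACL log line; other syslog lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for field in ("sport", "dport", "count"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def summarize(records, scan_threshold=5):
    """Per source: denied packets, distinct destination ports, and a likely-scan flag."""
    per_src = defaultdict(lambda: {"packets": 0, "dports": set()})
    for rec in records:
        if rec["action"] != "denied":
            continue
        entry = per_src[rec["src"]]
        entry["packets"] += rec["count"]      # IOS batches later hits into "N packets" lines
        entry["dports"].add(rec["dport"])
    return {
        src: {
            "packets": e["packets"],
            "distinct_ports": len(e["dports"]),
            "likely_scan": len(e["dports"]) >= scan_threshold,
        }
        for src, e in per_src.items()
    }


if __name__ == "__main__":
    for src, info in summarize(parse_acl_log(SAMPLE_LOG)).items():
        print(src, info)
```

The packet counts matter as much as the flag: after the first hit IOS summarises further matches of the same flow at intervals, so a single line saying `12 packets` is a repeated knock on one port, not one event.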
VTY Access and SSHv1
• Secure shell supported from IOS 12.1
• Obtain, load and run appropriate crypto images on
router
• Set up SSH on router
Beta7200(config)#crypto key generate rsa
• Add it as input transport
line vty 0 4
transport input telnet ssh
User Authentication
• Account per user, with passwords
aaa new-model
aaa authentication login neteng local
username joe password 7 1104181051B1
username jim password 7 0317B21895FE
line vty 0 4
login neteng
access-class 3 in
• Username/password is more resistant to
attack than a plain password
User Authentication
• Use distributed authentication system
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa accounting exec start-stop tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 215.17.1.1
tacacs-server key CKr3t#
line vty 0 4
access-class 3 in
User Authentication
TACACS+ Provides a Detailed Audit Trail of what Is Happening on the Network Devices
User-Name  Group  cmd                                                    priv-lvl  service  NAS-Portname  task_id  NAS-IP          reason
bgreene    NOC    enable <cr>                                            0         shell    tty0          4        210.210.51.224
bgreene    NOC    exit <cr>                                              0         shell    tty0          5        210.210.51.224
bgreene    NOC    no aaa accounting exec Workshop <cr>                   0         shell    tty0          6        210.210.51.224
bgreene    NOC    exit <cr>                                              0         shell    tty0          8        210.210.51.224
pfs        NOC    enable <cr>                                            0         shell    tty0          11       210.210.51.224
pfs        NOC    exit <cr>                                              0         shell    tty0          12       210.210.51.224
bgreene    NOC    enable <cr>                                            0         shell    tty0          14       210.210.51.224
bgreene    NOC    show accounting <cr>                                   15        shell    tty0          16       210.210.51.224
bgreene    NOC    write terminal <cr>                                    15        shell    tty0          17       210.210.51.224
bgreene    NOC    configure <cr>                                         15        shell    tty0          18       210.210.51.224
bgreene    NOC    exit <cr>                                              0         shell    tty0          20       210.210.51.224
bgreene    NOC    write terminal <cr>                                    15        shell    tty0          21       210.210.51.224
bgreene    NOC    configure <cr>                                         15        shell    tty0          22       210.210.51.224
bgreene    NOC    aaa new-model <cr>                                     15        shell    tty0          23       210.210.51.224
bgreene    NOC    aaa authorization commands 0 default tacacs+ none <cr> 15        shell    tty0          24       210.210.51.224
bgreene    NOC    exit <cr>                                              0         shell    tty0          25       210.210.51.224
bgreene    NOC    ping <cr>                                              15        shell    tty0          32       210.210.51.224
bgreene    NOC    show running-config <cr>                               15        shell    tty66         35       210.210.51.224
bgreene    NOC    router ospf 210 <cr>                                   15        shell    tty66         45       210.210.51.224
bgreene    NOC    debug ip ospf events <cr>                              15        shell    tty66         46       210.210.51.224
Source Routing
• IP has a provision to allow the source IP host to specify the route through the Internet
• Should be turned off unless it is specifically required:
no ip source-route
ICMP Unreachable Overload
• All routers that use any static route to Null0 should put no ip unreachables on Null0:
interface Null0
no ip unreachables
!
ip route <dest to drop> <mask> Null0
Securing the Routing Protocol
Routing Protocol Security
• Routing protocol can be attacked
Denial of service
Smoke screens
False information
Reroute packets
May Be Accidental or Intentional
Secure Routing
Route Authentication
[Diagram: a campus router with routing authentication configured signs its route updates; the neighbor verifies the signature on the route updates it receives]
Certifies Authenticity of Neighbor and Integrity of Route Updates
Signature Generation
[Diagram: Router A passes the route updates through a hash function; the hash becomes the signature, which is sent along with the route updates]
Signature = Encrypted Hash of Routing Update
Signature Verification
[Diagram: Router B]
Receiving Router Separates Routing Update and Signature
Re-Hash the Routing Update (Hash Function -> Hash)
Decrypt the Signature Using the Preconfigured Key -> Hash
If Hashes Are Equal, Signature Is Authentic
Route Authentication
• Authenticates routing update packets
• Shared key included in routing updates
Plain text—Protects against accidental
problems only
Message Digest 5 (MD5)—Protects against
accidental and intentional problems
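The generate-and-verify flow of slides 71 through 74 in runnable form, as an added Python example that is not part of the Cisco deck. OSPF's MD5 authentication computes MD5 over the packet with the shared key appended and carries a key id and a sequence number (RFC 2328, Appendix D); this example keeps that shape but encodes the update as sorted JSON rather than OSPF's wire format, and the `NeighborVerifier` class, the sample update and the key are this example's own constructs. The verifier rejects an altered update (digest mismatch) and a replayed genuine one (stale sequence number), and compares digests in constant time.

```python
import hashlib
import hmac
import json


def encode_update(update, key_id, seq):
    """Canonical bytes for the update plus its authentication fields.
    Assumption of this example: JSON with sorted keys stands in for the protocol's wire format."""
    return json.dumps({"update": update, "key_id": key_id, "seq": seq}, sort_keys=True).encode()


def sign_update(update, key_id, key, seq):
    """Sender side: the 'signature' is MD5 over the update followed by the shared key."""
    digest = hashlib.md5(encode_update(update, key_id, seq) + key).hexdigest()
    return {"update": update, "key_id": key_id, "seq": seq, "digest": digest}


class NeighborVerifier:
    """Receiver side: holds the keys by key id and the last sequence number accepted from this neighbor."""

    def __init__(self, keys):
        self.keys = dict(keys)      # key_id -> bytes; several ids allow key rollover
        self.last_seq = -1

    def verify(self, msg):
        key = self.keys.get(msg["key_id"])
        if key is None:
            return False, "unknown key id"
        expected = hashlib.md5(encode_update(msg["update"], msg["key_id"], msg["seq"]) + key).hexdigest()
        if not hmac.compare_digest(expected, msg["digest"]):
            return False, "digest mismatch: update altered or wrong key"
        if msg["seq"] <= self.last_seq:
            return False, "sequence number not newer than the last accepted: replay"
        self.last_seq = msg["seq"]
        return True, "authentic"


# Constructed data: one routing update and a placeholder shared key.
UPDATE = {"router_id": "10.1.1.1", "prefixes": ["10.1.1.0/24", "10.1.2.0/24"]}
SHARED_KEY = b"example-shared-key"


def demo():
    """Accept a genuine update, reject a tampered copy, reject a replay, accept the next genuine one."""
    verifier = NeighborVerifier({100: SHARED_KEY})
    results = []
    first = sign_update(UPDATE, 100, SHARED_KEY, seq=1)
    results.append(verifier.verify(first))
    # altered in transit: prefixes changed, digest left as the sender computed it
    tampered = dict(first, update=dict(UPDATE, prefixes=["0.0.0.0/0"]), seq=2)
    results.append(verifier.verify(tampered))
    results.append(verifier.verify(first))          # replayed copy of a genuine update
    results.append(verifier.verify(sign_update(UPDATE, 100, SHARED_KEY, seq=2)))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The plain-text option of slide 74 would put `SHARED_KEY` itself into the message instead of a digest, which is why it only catches accidental misconfiguration: anyone who can read one update can forge the next.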
OSPF Route Authentication
• OSPF area authentication
Two types
Simple password
Message Digest (MD5)
ip ospf authentication-key key (this goes under the specific interface)
area area-id authentication (this goes under "router ospf <process-id>")
ip ospf message-digest-key keyid md5 key (used under the interface)
area area-id authentication message-digest (used under "router ospf <process-id>")
OSPF and Authentication Example
• OSPF
interface ethernet1
ip address 10.1.1.1 255.255.255.0
ip ospf message-digest-key 100 md5 cisco
!
router ospf 1
network 10.1.1.0 0.0.0.255 area 0
area 0 authentication message-digest
What Ports Are open on the Router?
• It may be useful to see what sockets/ports are open on the router
• Show ip sockets
7206-UUNET-SJ#show ip sockets
Proto  Remote           Port  Local            Port  In  Out  Stat  TTY  OutputIF
17     192.190.224.195  162   204.178.123.178  2168  0   0    0     0
17     --listen--             204.178.123.178  67    0   0    9     0
17     0.0.0.0          123   204.178.123.178  123   0   0    1     0
17     0.0.0.0          0     204.178.123.178  161   0   0    1     0
Securing the Network
Securing the Network
• Route filtering
• Packet filtering
• Rate limits
Ingress Filters—Inbound Traffic
[Diagram: ISP A and ISP B feeding a Customer Network]
Traffic Coming into a Network from ISP or another Customer
Egress Filters—Outbound Traffic
[Diagram: Customer Network sending toward ISP A and ISP B]
Traffic Going out of Network from Another ISP or Customer
Route Filtering
Ingress and Egress Route Filtering
• Quick review
0.0.0.0/8 and 0.0.0.0/32—Default and broadcast
127.0.0.0/8—Host loopback
192.0.2.0/24—TEST-NET for documentation
10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16—RFC
1918 private addresses
169.254.0.0/16—End node auto-config for DHCP
Ingress and Egress Route Filtering
• Two flavors of route filtering:
Distribute list—Widely used
Prefix list—Increasingly used (BGP only)
• Both work fine—Engineering preference
Packet Filtering
Ingress and Egress Packet Filtering
You should not be sending any IP packets out to the Internet with a source address other than the address that has been allocated to your network!
Packet Filtering
• Static access list on the edge of
the network
• Dynamic access list with AAA profiles
• Unicast RPF
Ingress Packet Filtering
[Diagram: Customer Edge. Internet on Serial 0/1; Customer Backbone 165.21.0.0/16 with downstream networks 165.21.20.0/24, 165.21.61.0/24, 165.21.19.0/24, 165.21.10.0/24]
Deny Source Address 165.21.0.0/16
Deny Source Address 165.21.X.0/16 (Depending on Customer's IP Address Block)
Ex. IP Addresses with a Source of 165.21.10.1 would be Blocked on the Interface Going to that Customer
Filter Applied on Downstream Aggregation and NAS Routers
ICMP Filtering
Extended Access List:
access-list 101 permit icmp any any <type> <code>
Summary of Message Types (RFC 792: INTERNET CONTROL MESSAGE PROTOCOL; ICMP Codes are not shown)
0 Echo Reply
3 Destination Unreachable (no ip unreachables: IOS will not send)
4 Source Quench
5 Redirect (no ip redirects: IOS will not accept)
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
Inbound Packet Filtering
• Filter packets with internal addresses as source
to prevent IP spoofing attacks
• Filter packets with RFC-reserved addresses as
source to prevent IP address spoofing attacks
• Filter bootp, TFTP, SNMP, and traceroute as
incoming to prevent against remote access and
reconnaissance attacks
• Allow incoming pings to the external interface of
the perimeter router only from the ISP host.
• Permit DNS requests to the DMZ server on the
bastion host ( TCP port 53, Not UDP Port 53)
Egress Packet Filtering
[Diagram: Customer Edge. Internet on Serial 0/1; Customer Backbone 165.21.0.0/16 with downstream networks 165.21.20.0/24, 165.21.19.0/24, 165.21.61.0/24, 165.21.10.0/24]
Allow Source Address 165.21.X.0/16 (Depending on the IP Address Block Allocated to the Customer)
Block Source Address from All Other Networks
Ex. IP Addresses with a Source of 10.1.1.1 Would Be Blocked
Filter Applied on Downstream Aggregation and NAS Routers
Outbound Packet Filtering
• Only allow packets with valid internal
addresses as source to prevent IP
spoofing attacks
• Filter packets with RFC-reserved
addresses as source to prevent IP address
spoofing attacks
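The source-address policy of slides 83 and 86 through 92 as an added Python example, not code from the Cisco deck. `classify_source` gives the ingress verdict (a packet arriving from the Internet must not claim the customer's own block) and the egress verdict (a packet leaving must carry an address allocated to the customer), with the reserved prefixes from slide 83 denied in both directions; `ios_acl` renders the same policy as numbered extended ACL lines, deriving the wildcard masks from the prefixes. The customer block 165.21.0.0/16 and the ACL number are taken from the slides; the test addresses are from documentation ranges.

```python
import ipaddress

# Reserved and special-use prefixes from the slide's quick review (slide 83).
RESERVED = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
)]


def classify_source(src, customer_block, direction):
    """Return ('permit' | 'deny', reason) for a packet's source address.

    direction='ingress': packet arriving from the Internet side toward the customer.
    direction='egress':  packet leaving the customer toward the Internet.
    """
    if direction not in ("ingress", "egress"):
        raise ValueError(direction)
    s = ipaddress.ip_address(src)
    customer = ipaddress.ip_network(customer_block)
    for net in RESERVED:
        if s in net:
            return "deny", f"reserved source {net}"
    if direction == "ingress":
        if s in customer:
            return "deny", f"{s} claims the customer block {customer} but arrived from outside"
        return "permit", ""
    if s not in customer:
        return "deny", f"{s} is not allocated to this network"
    return "permit", ""


def ios_acl(customer_block, number, direction):
    """Render the same policy as IOS numbered extended ACL lines (wildcard mask = hostmask)."""
    customer = ipaddress.ip_network(customer_block)
    lines = [f"access-list {number} deny ip {n.network_address} {n.hostmask} any log" for n in RESERVED]
    if direction == "ingress":
        lines.append(f"access-list {number} deny ip {customer.network_address} {customer.hostmask} any log")
        lines.append(f"access-list {number} permit ip any any")
    else:
        lines.append(f"access-list {number} permit ip {customer.network_address} {customer.hostmask} any")
        lines.append(f"access-list {number} deny ip any any log")
    return lines


if __name__ == "__main__":
    for src, direction in (("165.21.10.1", "ingress"), ("198.51.100.9", "ingress"),
                           ("10.1.1.1", "egress"), ("165.21.20.5", "egress")):
        print(direction, src, classify_source(src, "165.21.0.0/16", direction))
    print("\n".join(ios_acl("165.21.0.0/16", 110, "ingress")))
```

The ingress list ends in `permit ip any any` and the egress list in `deny ip any any log` because the two lists answer different questions: inbound, only the impossible sources are rejected; outbound, only the customer's own addresses are allowed to leave.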
uRPF Basics
Unicast Reverse Path Forwarding
• Source based feature (!)
• On input path on an interface
After input ACL check
• Requires CEF
• Small to no performance impact
• Does not look inside tunnels (GRE, IPinIP, …)
• History: Coming from Multicast world
• Strict available from 12.0
• Enhancements from 12.1(2)T (ACL & logging)
Strict uRPF Check (Unicast Reverse Path Forwarding)
router(config-if)# ip verify unicast reverse-path
or: ip verify unicast source reachable-via rx allow-default
[Diagram: a packet "S D data" arrives on i/f 1 of a router with interfaces i/f 1, i/f 2, i/f 3; the FIB is looked up for the source S]
FIB says S -> i/f 1 (same i/f as the packet arrived on): Forward
FIB says S -> i/f 2 (other i/f): Drop
Loose uRPF Check (Unicast Reverse Path Forwarding)
router(config-if)# ip verify unicast source reachable-via any
[Diagram: a packet "S D data" arrives on i/f 1 of a router with interfaces i/f 1, i/f 2, i/f 3; the FIB is looked up for the source S]
FIB says S -> i/f x (any i/f): Forward
S not in FIB, or route -> null0: Drop
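The strict and loose decisions of slides 94 through 96 made explicit, as an added Python example that is not part of the Cisco deck. The FIB is a longest-prefix-match table of this example's own making; `urpf_check` applies the rule from the diagrams: drop when the source has no route or is routed to Null0, drop in strict mode when the best path back to the source leaves by a different interface than the packet arrived on, and count a default route only when `allow_default` is set (the `allow-default` keyword of slide 95). Interface names and prefixes are constructed.

```python
import ipaddress


class Fib:
    """Minimal forwarding table: longest-prefix match over (prefix, outgoing interface).
    An entry whose interface is 'Null0' models a static route to Null0."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        matches = [(net, iface) for net, iface in self.routes if a in net]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def urpf_check(fib, src, in_iface, mode="strict", allow_default=False):
    """Decide whether a packet with source `src` arriving on `in_iface` passes uRPF.

    mode='strict' corresponds to 'ip verify unicast source reachable-via rx',
    mode='loose'  to 'ip verify unicast source reachable-via any'.
    Returns (forward: bool, reason).
    """
    if mode not in ("strict", "loose"):
        raise ValueError(mode)
    hit = fib.lookup(src)
    if hit is None:
        return False, "source not in FIB"
    net, out_iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False, "only the default route matches (allow-default not set)"
    if out_iface == "Null0":
        return False, "source is routed to Null0"
    if mode == "strict" and out_iface != in_iface:
        return False, f"reverse path is via {out_iface}, packet arrived on {in_iface}"
    return True, "forward"


# Constructed FIB for the example.
FIB = Fib([
    ("10.1.0.0/16", "Serial0"),
    ("192.0.2.0/24", "Ethernet0"),
    ("172.16.0.0/12", "Null0"),
    ("0.0.0.0/0", "Serial0"),
])

if __name__ == "__main__":
    for src, iface, mode in (("10.1.2.3", "Serial0", "strict"), ("10.1.2.3", "Ethernet0", "strict"),
                             ("10.1.2.3", "Ethernet0", "loose"), ("172.16.5.5", "Serial0", "loose"),
                             ("203.0.113.9", "Serial0", "loose")):
        print(mode, src, "on", iface, "->", urpf_check(FIB, src, iface, mode))
```

Loose mode still drops the Null0 and unknown sources, which is why a blackhole route to Null0 for a bogon prefix is enough to make loose uRPF discard packets claiming that prefix on every interface at once.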
Limiting the Impact of DOS Attacks
Limit the Impact of DOS Attacks: Committed Access Rate
[Diagram: CAR pipeline. Traffic Matching Specification -> Traffic Measurement Instrumentation (tokens, burst limit) -> Action Policy; Conforming Traffic and Excess Traffic each get an action, then pass to the Next Policy]
• Rate limiting
• Several ways to filter
• "Token bucket" implementation
CAR—Traffic Measurement
• Token bucket configurable parameters
Committed rate (bits/sec)
Configurable in increments of 8Kbits
Normal burst size (bytes)
To handle temporary burst over the committed rate
limit without paying a penalty.
Minimum value is Committed Rate divided by 2000
Extended burst size (bytes)
Burst in excess of the normal burst size
To gradually drop packet in more RED-like fashion instead of
entering into tail-drop scenario
CAR Rate Limiting
• Limit outbound ping to 256 Kbps
interface xy
rate-limit output access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
!
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
(rate-limit parameters in order: ACL, Ave. Rate, Burst, Excess. Traffic can burst 8K above 256K average for 8k worth of data)
• Limit inbound TCP SYN packets to 8 Kbps
interface xy
rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop
!
access-list 103 deny tcp any host 142.142.42.1 established
access-list 103 permit tcp any host 142.142.42.1
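The token bucket behind the two `rate-limit` statements above, simulated as an added Python example that is not part of the Cisco deck. The bucket holds at most the normal burst in bytes, refills at the committed rate, and a packet conforms only if enough tokens are present; the extended-burst behaviour of slide 99 is deliberately not modelled, which matches the slides' configurations where burst and excess are both 8000. The packet sizes, timings and the two demo functions are this example's own constructions.

```python
class CarTokenBucket:
    """Single-rate token bucket: CAR's traffic-measurement stage without the extended burst."""

    def __init__(self, rate_bps, normal_burst_bytes):
        self.rate = rate_bps / 8.0                # bytes of credit added per second
        self.capacity = float(normal_burst_bytes)  # normal burst: the most the bucket can hold
        self.tokens = float(normal_burst_bytes)    # bucket starts full
        self.last = 0.0                            # time of the last refill, seconds

    def offer(self, size, now):
        """Return 'conform' and charge the bucket, or 'exceed' if the packet does not fit."""
        if now > self.last:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
            self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"


def apply_policy(bucket, packets, conform_action="transmit", exceed_action="drop"):
    """Run (size_bytes, time_seconds) packets through the bucket and count the actions taken."""
    counts = {"transmit": 0, "drop": 0}
    for size, t in packets:
        verdict = bucket.offer(size, t)
        counts[conform_action if verdict == "conform" else exceed_action] += 1
    return counts


def syn_limit_demo():
    """Slide's 'rate-limit input access-group 103 8000 8000 8000': 8 kbps, 8000-byte burst.
    Constructed traffic: 200 SYNs of 60 bytes at once, then 50 more one second later."""
    bucket = CarTokenBucket(rate_bps=8000, normal_burst_bytes=8000)
    first = apply_policy(bucket, [(60, 0.0)] * 200)
    second = apply_policy(bucket, [(60, 1.0)] * 50)
    return first, second


def ping_limit_demo():
    """Slide's 'rate-limit output access-group 102 256000 8000 8000' against ten 1500-byte echoes."""
    bucket = CarTokenBucket(rate_bps=256000, normal_burst_bytes=8000)
    return apply_policy(bucket, [(1500, 0.0)] * 10)


if __name__ == "__main__":
    print("SYN limit:", syn_limit_demo())
    print("ping limit:", ping_limit_demo())
```

At 8 kbps the bucket earns only 1000 bytes a second, so after the initial burst of 133 SYNs is spent, a flood gets roughly 16 or 17 SYNs a second through and the rest are dropped; legitimate connection attempts still fit in that budget, which is the point of the slide's SYN limit.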
In Conclusion
Where to get additional information
• The NSA's Router Security document and the NIST's recommendations on data security provide a good starting point for creating default IOS router configurations.
• http://www.fcw.com/fcw/articles/2002/0128/web-nist-01-28-02.asp
• http://csrc.nist.gov/publications/drafts/ITcontingency-planningguideline.pdf
• http://www.cisecurity.org/
• Cisco's own SAFE training provides important tips to customers:
• http://www.cisco.com/warp/public/707/newsflash.html
• http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html
• http://cisco.com/warp/public/707/21.html#flood
Cisco Security Courses
• MCNS – Managing Cisco Network Security
• CSIDS – Cisco Secure Intrusion Detection Systems
• CSIHS – Cisco Secure IDS Host Sensor
• CSPFA – Cisco Secure PIX Firewall Advanced
• CSPM – Cisco Secure Policy Manager
• CSVPN – Cisco Secure Virtual Private Networks
• CSDI – Cisco SAFE Design Implementation
Cisco Press Books
Cisco Secure PIX Firewalls (CSPFA) Released December 2001
Cisco Secure Virtual Private Networks (CSVPN) Released December 2001
Managing Cisco Network Security (MCNS) Released January 2001
Cisco Secure Intrusion Detection System (CSIDS) Released October 2001
Available at bookstores, computer stores, and online booksellers