8/8/2019 2009 SRS 03 Securing Network Devices
http://slidepdf.com/reader/full/2009-srs-03-securing-network-devices 1/69
Securing Network Devices
20-oct-2009
What this lecture is about:
Discuss methods for securing devices
How to connect securely to network devices
Monitoring access
Automated security features available in Cisco IOS
Previous IOS experience
A basic understanding of IOS command syntax is required for this lecture.
This week's CNS lab will feature an introductory lab.
For all you SRS guys... sorry... No IOS introductory lab for you.
You can still access the lab from the course's site if you're feeling a little rusty.
If you haven't had your lab yet... Don't worry, you'll get the hang of it.
Course topics, in detail (2)
11. Identifying vulnerable services on routers;
12. Performing a security audit;
13. Locking down a router with AutoSecure;
14. Locking down a router with SDM.
No, you won't get bored. Not this evening.
You should have gotten a coffee.
Securing the network
Securing a network basically means: securing the edge router.
What is an edge router?
Yeah, a router at the edge... but an edge between what?
An edge router is the last router between the local network and the "danger" zone – the Internet.
First and last line of defense.
There is no universal security design; security is dictated by the company's policy.
...and by your skills...
Securing the edge router
The edge router is the most exposed one. You need to secure pretty much everything!
Ensure physical security
Operating system security
Administrative access security
Remote access security
First, design the perimeter architecture:
There are different implementations
Perimeter – Single router approach
A single router between the LAN and the Internet
The router has all the security policies and traffic filtering mechanisms configured.
The KISS principle might not always be the best...
[Diagram: LAN 1 (192.168.2.0), R1 and the Internet]
Perimeter – Defense-in-depth approach
Rules in the router determine what traffic can pass. All passing traffic is filtered through the firewall.
Can have multiple layers of routers and firewalls
Each layer can defend the network using different methods
[Diagram: LAN 1 (192.168.2.0), R1, a firewall and the Internet]
Perimeter – DMZ approach
A neutral zone between the private and the public network.
Used for public servers, accessible from the Internet.
Cannot initiate sessions to the private network
In case the DMZ is compromised, the LAN should still be secure.
[Diagram: LAN 1 (192.168.2.0), R1, R2/firewall, the DMZ and the Internet]
Ensuring the security of a router
Securing access
Thoroughly secure administrative access and authentication
Disable anything unused: ports, services, accounts
Log and account all accesses
Securing the operating system
Always use the latest stable version
Back up the operating system and its configuration
Physical security
Routers should be placed in secure locations
Install an uninterruptible power source
Types of access – local access
Requires a direct connection to the device
Cisco routers use console and AUX ports
The AUX port connects to a modem
The administrator requires only terminal software
Xterm, PuTTY, etc.
[Diagram: Administrator connected to the console port of R1; R1 sits between LAN 1 and the Internet]
Types of access – remote access
[Diagram: R1, R2 and a firewall connect LAN 2, LAN 3 and a Management LAN (Administration Host, Logging Host) to the Internet]
Protocols used: Telnet, SSH for direct CLI access; SNMP for centralized device management.
In larger networks, a logging server receives all log entries from network devices.
More about logging later on.
Protecting access with passwords
All access methods can be password-protected
Strong passwords eliminate the risk of dictionary attacks
Lowercase, uppercase, numbers, punctuation
Length > 10
Avoid repetitions
Passwords must be changed often
This should be stated in the security policy
Of course, try not to write them down all around you.
Configuring access passwords (1)
Restricting access to privileged mode:
R1(config)# enable password cisco2
or
R1(config)# enable secret cisco1
(note that you cannot set the same password in both ways)
The difference?
In the configuration file you'll see:
R1(config)#show run | include enable
enable secret 5 $1$W5ah$mNNIchs14INIQcQR2qWU1/
enable password cisco2
The secret is stored as a type-5 (MD5) hash; the password is stored in clear text.
Configuring access passwords (2)
Protecting incoming Telnet & SSH connections:
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
By default, Cisco routers support up to 5 simultaneous Telnet or SSH sessions
Protecting console and AUX access:
R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
R1(config)#line aux 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#
Configuring secure administration (1)
Securing password-protected administration by implementing the following procedures:
Ensure a minimum password length is used:
R1(config)#security passwords min-length 8
R1(config)#enable secret cisco
% Password too short - must be at least 8 characters. Password configuration failed
Passwords already in place are unaffected
The minimum password length can be set between 0 and 16 characters.
Configuring secure administration (2)
Disable idle connections
Idle connections automatically disconnect after 10 minutes (default)
An attacker has a window of opportunity to gain privileges
R1(config)#line console 0
R1(config-line)#exec-timeout 3 30
[the console will disconnect an idle session after 3:30 minutes]
For a lab environment (where security is not the concern) you can use the values "0 0", which disables the timeout.
Disable unused connections
The no exec command will not start an exec (command line process) on a specific line
R1(config)#line vty 0 5
R1(config-line)#no exec
R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open
[Connection to 10.0.0.1 closed by foreign host]
Configuring secure administration (3)
Encrypt clear-text passwords:
R1(config)#service password-encryption
The configuration file is a little bit "safer" now:
R1#show running-config
line con 0
password 7 110A1016141D4B
line vty 0 4
password 7 02050D480809
Type-7 encryption is an extremely weak method
The algorithm is quickly reversible
Useful only for preventing unauthorized individuals from viewing the configuration file.
The "no service password-encryption" command disables the encryption, but passwords already encrypted will remain the same.
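The password checks from the last few slides (enable secret vs. enable password, type-7 and clear-text line passwords, service password-encryption, exec-timeout) as an added audit script; this is example code written for these notes, not part of the lecture, and both configs it reads are constructed.

```python
"""Config audit for the password weaknesses covered on slides 15-19.

Added example (Python, not IOS): reads a saved running-config and flags
'enable password', clear-text or type-7 line passwords, a missing
'service password-encryption' and a missing exec-timeout. Both configs
below are constructed for illustration, not captured from a device.
"""
import re

# Constructed sample: encryption was turned off again, so the previously
# encrypted passwords stay type 7 (the situation slide 19 describes).
WEAK_CONFIG = """\
hostname R1
!
enable secret 5 $1$W5ah$mNNIchs14INIQcQR2qWU1/
enable password cisco2
!
username Gigi password 7 02050D480809
!
line con 0
 password 7 110A1016141D4B
 login
line aux 0
 password cisco
 login
line vty 0 4
 password 7 02050D480809
 exec-timeout 3 30
 login
"""

# Constructed sample that passes every check (the user hash is a placeholder).
HARDENED_CONFIG = """\
hostname R1
!
service password-encryption
enable secret 5 $1$W5ah$mNNIchs14INIQcQR2qWU1/
username Gigi secret 5 $1$PLACEHOLDER$hashplaceholder
!
line con 0
 exec-timeout 3 30
 login local
line aux 0
 no exec
line vty 0 4
 exec-timeout 3 30
 login local
"""


def parse_lines(config):
    """Return {line name: [sub-commands]} for every 'line ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # any top-level command ends the block
    return blocks


def audit(config):
    """Return the list of findings; an empty list means nothing was flagged."""
    findings = []
    has_secret = re.search(r"^enable secret ", config, re.M) is not None
    if re.search(r"^enable password ", config, re.M):
        # 'enable password' is stored in clear text or as reversible type 7;
        # the type-5 'enable secret' should be the only privileged-mode password.
        findings.append("enable password set: remove it and rely on enable secret"
                        if has_secret else
                        "enable password set without enable secret (reversible)")
    elif not has_secret:
        findings.append("no enable secret: privileged mode is unprotected")
    if re.search(r"^service password-encryption$", config, re.M) is None:
        findings.append("service password-encryption is off")
    for m in re.finditer(r"^username (\S+) password ", config, re.M):
        findings.append(f"user {m.group(1)}: defined with 'password', use 'secret'")
    for name, cmds in parse_lines(config).items():
        if "no exec" in cmds:
            continue                # line cannot start a shell, nothing to protect
        pw = next((c for c in cmds if c.startswith("password")), None)
        if pw is None:
            if "login local" not in cmds:
                findings.append(f"line {name}: no password and no login local")
        elif pw.startswith("password 7 "):
            findings.append(f"line {name}: type-7 password (quickly reversible)")
        else:
            findings.append(f"line {name}: clear-text password")
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"line {name}: exec-timeout not set (default 10 minutes)")
    return findings


if __name__ == "__main__":
    for title, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{title}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```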
User creation
Users can have different privileges. Syntax:
R1(config)#username Gigi secret ?
  0     Specifies an UNENCRYPTED secret will follow
  5     Specifies a HIDDEN secret will follow
  LINE  The UNENCRYPTED (cleartext) user secret
R1(config)#username Gigi password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password
To use the local user database instead of the line/console password (in line configuration mode):
R1(config-line)#login local
Login security enhancements (1)
All enhancements have to be enabled. The block-for command:
R1(config)#login block-for 100 attempts 7 within 60
Blocks all login attempts for 100 seconds if 7 login attempts have failed within 60 seconds.
The 100-second delay is also known as the "quiet period". The command also introduces a one-second login delay.
The "block-for" command only applies to Telnet and SSH (not console logins).
A failed attempt means a bad username/password combination.
Login security enhancements (2)
To generate log messages for successful/failed logins use:
login on-failure log
login on-success log
To generate a message when a failure rate is exceeded:
security authentication failure rate 10 log
Sends a log message whenever 10 failed login attempts are detected within one minute.
To force a login delay (seconds), regardless of valid/invalid login credentials:
R2(config)#login delay 2
Slows down brute force attacks. BF attacks test 1000s of passwords/sec (you've seen it in the lab).
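The block-for behaviour described on the last two slides (watch window, quiet period, console exempt, per-attempt log records) as an added simulation; this is a simplified Python model written for these notes, not IOS code, and the usernames and addresses are constructed.

```python
"""Model of the login-attack protection from slides 21-22:
'login block-for 100 attempts 7 within 60' with on-failure/on-success logging.

Added example: a simplified Python model of the behaviour the slides
describe, not IOS code. Usernames and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LoginGuard:
    block_for: int = 100            # quiet period, seconds
    attempts: int = 7               # failures that trigger the quiet period
    within: int = 60                # length of the watch window, seconds
    window_start: Optional[float] = None
    window_failures: int = 0
    quiet_until: float = 0.0
    total_failures: int = 0
    events: List[str] = field(default_factory=list)   # what on-failure/on-success log emit

    def attempt(self, now, user, source, line, ok):
        """Process one login attempt at time `now` (seconds); return its outcome."""
        # Quiet mode applies to vty (Telnet/SSH) lines only, never to the console.
        if line != "console" and now < self.quiet_until:
            self.events.append(f"{now}: quiet mode, {line} login from {source} refused")
            return "refused"
        if ok:
            self.events.append(f"{now}: login success [user: {user}] [source: {source}]")
            return "accepted"
        # A watch window opens with the first failure after the previous one expired.
        if self.window_start is None or now - self.window_start >= self.within:
            self.window_start, self.window_failures = now, 0
        self.total_failures += 1
        self.window_failures += 1
        self.events.append(f"{now}: login failed [user: {user}] [source: {source}]")
        if self.window_failures >= self.attempts:
            self.quiet_until = now + self.block_for
            self.window_start, self.window_failures = None, 0
            self.events.append(f"{now}: entering quiet mode for {self.block_for} seconds")
            return "quiet"
        return "failed"

    def show_login(self, now):
        """Summary with the same fields as 'show login' on slide 23."""
        in_window = (self.window_start is not None
                     and now - self.window_start < self.within)
        return {
            "mode": "Quiet-Mode" if now < self.quiet_until else "Normal-Mode",
            "quiet_remaining": max(0, int(self.quiet_until - now)),
            "window_remaining": int(self.within - (now - self.window_start)) if in_window else 0,
            "window_failures": self.window_failures if in_window else 0,
            "total_failures": self.total_failures,
        }


if __name__ == "__main__":
    guard = LoginGuard()
    names = ("rrazvan", "doggy", "buzz", "hacker", "evil", "nasty", "admin")
    for t, user in zip((0, 3, 11, 18, 21, 24, 30), names):
        print(t, guard.attempt(t, user, "10.0.0.1", "vty", ok=False))
    print(guard.show_login(31))
    print(31, guard.attempt(31, "student", "10.0.0.1", "vty", ok=True))   # refused: quiet mode
    print(31, guard.attempt(31, "student", "local", "console", ok=True))  # console still works
    print("\n".join(guard.events))
```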
Checking login failures (1)
"show login" summarizes the login configuration:
R2#show login
A login delay of 2 seconds is applied.
No Quiet-Mode access list has been configured.
Router enabled to watch for login Attacks.
If more than 7 login failures occur in 60 seconds or less,
logins will be disabled for 100 seconds.
Router presently in Normal-Mode.
Current Watch Window
Time remaining: 4 seconds.
Login failures for current window: 6.
Total login failures: 6.
(These are your failures.)
Checking login failures (2)
"show login failures" shows... exactly what it says...
R2#show login failures
Total failed logins: 6
Detailed information about last 50 failures
Username  SourceIPAddr  lPort  Count  TimeStamp
rrazvan   10.0.0.1      23     1      00:38:16 UTC Fri Oct 16 2009
doggy     10.0.0.1      23     1      00:38:19 UTC Fri Oct 16 2009
buzz      10.0.0.1      23     1      00:38:27 UTC Fri Oct 16 2009
hacker    10.0.0.1      23     1      00:38:34 UTC Fri Oct 16 2009
evil      10.0.0.1      23     1      00:38:37 UTC Fri Oct 16 2009
nasty     10.0.0.1      23     1      00:38:40 UTC Fri Oct 16 2009
(Commonly used hacker names...)
Configuring banners (1)
A banner's role is to inform potential intruders that they are not welcome on the network.
Their importance is legal-based
Court cases have been won because intruders encountered a "Welcome!" banner.
Example configuration of a message-of-the-day banner:
R2(config)#banner motd & Access to this private equipment is restricted.
Enter TEXT message. End with the character '&'.
All unauthorized access will be prosecuted to the fully extent of law.&
Banners can span multiple lines. Start and end with the same character.
Configuring banners (2)
There are several other types of banners:
motd (message of the day)
exec
incoming
login
Also, certain "variables" can be used inside a banner:
$(hostname) – displays the router's hostname
$(domain) – displays the router's domain name
$(line) – displays the current vty line
$(line-desc) – displays the line description (if set)
Securing remote access
The Telnet protocol transmits unencrypted data over TCP port 23.
Traffic (router configurations, commands, etc.) can be easily sniffed.
Solutions:
Disable Telnet and use only the good old console...
Realize that remote access IS A MUST and use something else
SSH (Secure SHell) provides remote authentication and encryption
Not all IOS images support SSH connections. Look for "k8" or "k9" in the image's filename
Example: c3640-jk9o3s-mz.123-22.bin
Prepare for SSH!
Things to check before configuring a router for SSH access:
Make sure the IOS image supports SSH
Make sure the router has a unique hostname
Make sure the router has the correct domain name of the network
Make sure that you have at least a valid user configured on the router (or that the router uses AAA for authentication). More on AAA in a later course.
Steps for configuring SSH (1)
Check the IOS image:
R2#show version | include IOS
IOS (tm) 3600 Software (C3640-JK9O3S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
Configure a domain name:
R2(config)#ip domain-name my.home
Generate an RSA private/public key pair:
R2(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R2.my.home
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys ...[OK]
R2(config)#
*Oct 19 00:17:23.487: %SSH-5-ENABLED: SSH 1.5 has been enabled
Steps for configuring SSH (2)
Create at least a valid username:
R2(config)#username student secret poli
Activate the SSH protocol for the virtual lines (vty):
R2(config)#line vty 0 4
R2(config-line)#transport input ssh
Test your connection:
R1#ssh ?
  -c    Select encryption algorithm
  -l    Log in using this user name
  -o    Specify options
  -p    Connect to this port
  WORD  IP address or hostname of a remote system
R1#ssh -l student 10.0.0.2
Password:
R2>
Other SSH commands
Setting the SSH version. 2 is more secure than 1 – uses Diffie-Hellman key exchange and MAC (Message Authentication Code):
R2(config)#ip ssh version 2
Specify an interval for the SSH session timeout:
R2(config)#ip ssh time-out 60
The default is 120 seconds.
Set the number of authentication retries:
R2(config)#ip ssh authentication-retries 5
The default is 3 retries.
SSH "show" commands
Viewing the active connections:
R2#show ssh
Connection Version Encryption State           Username
0          1.5     3DES       Session started student
Displaying the current SSH configuration:
R2#show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 30 secs; Authentication retries: 5
Viewing your generated RSA public key:
R2#show crypto key mypubkey rsa
Privilege levels
Privilege levels exist because complete access should not be given to everyone.
You have met so far two privilege levels:
User EXEC mode (privilege level 1)
The default level for login; you cannot change any configuration or view the current configuration file.
Privileged EXEC mode (privilege level 15)
Reserved for the "enable" command. Users can change any configuration and view any configuration file.
But there are others:
Level 0: predefined, includes only enable, disable, exit, help, logout.
Levels 2-14: can be customized
Privilege commands examples (1)
Creating a user with a privilege level of 1:
R2(config)#username luser privilege 1 secret cisco
Creating a user with a privilege level of 5, setting the level 5 secret password and allowing the show startup-config command for the privilege level 5:
R2(config)#username support privilege 5 secret cisco
R2(config)#enable secret level 5 EnableSecret
R2(config)#privilege exec level 5 show startup-config
Privilege commands examples (2)
Commands like:
R2(config)#username support privilege 5 secret cisco
automatically put the user in the specified privilege level at login.
Commands are allowed per privilege mode, not per user.
Any user can change their privilege mode using:
enable 5
The "enable" you knew until now was a synonym for:
enable 15
Privilege modes can be password-protected (see previous slide)
To view your current privilege level:
R2#show privilege
Current privilege level is 5
Privilege level limitations
You cannot restrict access to interfaces, lines, ports or logical interfaces on the router.
Commands available on one privilege level will be automatically available on superior privileges, too.
...which also means that...
Commands available on one privilege level will NOT be available for lower privilege levels.
Role-based CLI
Role-based CLI access allows you to define sets of commands available only to certain users.
Defines which commands can be entered by which users
Access to interfaces, lines, etc. can be controlled.
Users only see the commands they have access to.
Role-based hierarchy
[Diagram]
Views
A "view" is a container for the available commands.
Role-based CLI provides three types of views:
Root view
Similar to privilege level 15
Only a root view user can create views and add/remove commands
CLI view
Contains a set of commands configured by the admin
Unlike privilege levels, there are no "high" or "low" views
Does not inherit commands from other views
Superview
Contains other views
Superviews
Superviews contain other views.
Commands cannot be added directly to superviews
Commands must be added to one or more views
The views must be added to the superview
A single view can belong to multiple superviews.
When logged in a superview, users can access commands from all the views included in that superview.
Deleting a superview does not delete the views inside it.
Views and superviews can be password protected.
Defining a view
AAA (Authentication, Authorization, Accounting) must be enabled on the router:
R2(config)#aaa new-model
Enter the root view to create a view:
R2(config)#enable view
To create a view:
R2(config)#parser view SHOWVIEW
To assign a password to the view:
R2(config-view)#secret cisco
The password must be entered right after creating the view.
Assign commands to the selected view:
R2(config-view)#commands exec include all show
This will include all commands beginning with "show"
Defining a view (2)
The syntax for adding commands is:
commands parser-mode {include | include-exclusive | exclude} [all] [interface name | command]
Include-exclusive includes the commands and also excludes them from all other views.
Changing to another view:
R2#enable view SHOWVIEW
Displaying the active view:
R2#show parser view
Creating a superview and adding views:
R2(config)#parser view SUPER superview
R2(config-view)#view SHOWVIEW
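The two access-control models from slides 33-42 side by side, as an added Python model written for these notes (not IOS code): numbered privilege levels inherit upwards, CLI views do not inherit at all, include-exclusive reserves a command for one view, and a superview is the union of its member views; the command tables are constructed.

```python
"""Privilege levels (slides 33-36) versus role-based CLI views (slides 37-42).

Added example: a simplified Python model, not IOS code. The default
command-to-level table is constructed for illustration.
"""


class PrivilegeLevels:
    """'privilege exec level <n> <command>' and the level hierarchy."""

    def __init__(self):
        # Constructed defaults: user EXEC (1) and privileged EXEC (15) commands.
        self.required = {"show version": 1, "ping": 1, "show startup-config": 15,
                         "show running-config": 15, "configure terminal": 15}

    def privilege_exec(self, level, command):
        self.required[command] = level

    def allowed(self, level, command):
        # Higher levels inherit everything below; lower levels get nothing above.
        return level >= self.required.get(command, 15)


class RoleBasedCli:
    """'parser view', 'commands exec {include|include-exclusive|exclude} [all]'."""

    def __init__(self):
        self.views = {}        # view name -> set of (command, wildcard)
        self.superviews = {}   # superview name -> set of member view names
        self.exclusive = {}    # command -> view that owns it exclusively

    def parser_view(self, name, superview=False):
        (self.superviews if superview else self.views).setdefault(name, set())

    def commands(self, view, action, command, all_=False):
        """all_=True models the 'all' keyword: every command starting with `command`."""
        entry = (command, all_)
        if action == "exclude":
            self.views[view].discard(entry)
            return
        owner = self.exclusive.get(command)
        if owner not in (None, view):
            raise PermissionError(f"'{command}' is exclusive to view {owner}")
        self.views[view].add(entry)
        if action == "include-exclusive":
            # Include here and strip the same entry from every other view.
            self.exclusive[command] = view
            for other, entries in self.views.items():
                if other != view:
                    entries.discard(entry)

    def view(self, superview, member):
        """'view <name>' inside a superview: add a CLI view to it."""
        self.superviews[superview].add(member)

    def no_parser_view(self, superview):
        del self.superviews[superview]     # member views are kept (slide 40)

    @staticmethod
    def _matches(command, pattern, wildcard):
        return command == pattern or (wildcard and command.startswith(pattern + " "))

    def allowed(self, view, command):
        if view in self.superviews:
            # A superview has no commands of its own: union of its member views.
            return any(self.allowed(v, command) for v in self.superviews[view])
        for pattern, owner in self.exclusive.items():
            if owner != view and self._matches(command, pattern, True):
                return False
        return any(self._matches(command, p, w) for p, w in self.views[view])


if __name__ == "__main__":
    priv = PrivilegeLevels()
    priv.privilege_exec(5, "show startup-config")
    for level in (1, 5, 15):
        print(f"level {level:2}: show startup-config ->", priv.allowed(level, "show startup-config"))
    cli = RoleBasedCli()
    cli.parser_view("SHOWVIEW")
    cli.commands("SHOWVIEW", "include", "show", all_=True)
    cli.parser_view("NETVIEW")
    cli.commands("NETVIEW", "include-exclusive", "show ip route")
    cli.parser_view("SUPER", superview=True)
    cli.view("SUPER", "SHOWVIEW")
    cli.view("SUPER", "NETVIEW")
    for name in ("SHOWVIEW", "NETVIEW", "SUPER"):
        print(name, "show version:", cli.allowed(name, "show version"),
              "show ip route:", cli.allowed(name, "show ip route"))
```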
Protecting the IOS and its configuration
If attackers gain access to a router, there are many things they can do (or destroy).
(A quick) one of them is to completely erase the IOS and the configuration.
Reinstalling the IOS image and recovering the configuration file from a backup creates high network downtime.
The Cisco IOS Resilient Configuration allows faster recovery:
The system secures the IOS image and the configuration
Any attempts to delete, replace or modify the IOS are denied
A secure copy of the startup config is also backed up.
Securing the IOS and its configuration
The saved IOS and configuration file are called "bootset"
To secure the IOS image:
Router(config)#secure boot-image
Only locally stored images can be secured.
The backup copy can be stored only locally.
Unsecuring the bootset requires console access.
To secure the startup configuration:
Router(config)#secure boot-config
Neither the backed-up IOS nor the configuration file are visible in the file system.
To view the IOS/configuration resilience options:
Router#show secure bootset
Secure management and logging
See what's happening on the network
Methods for management and logging
Consider the flow of information
Out-of-band (OOB)
Information flows on a dedicated management network, without any production traffic.
In-band
Information flows across the production network, using the same channels as the network's traffic.
A device might not have enough interfaces for OOB.
If management traffic must go across the production network, it is recommended to use an encrypted tunnel or a VPN tunnel.
The tunnel must only allow management traffic
Threatening the management network
If a dedicated management network exists, then it is an attractive target for hackers
It spans all over the network
It contains information about all the devices in the network
If unsecured, a hacker can use it to take control of the network
SNMP
Simple Network Management Protocol
Manages network "nodes"
Nodes are routers, switches, hubs, servers, workstations, security appliances.
Runs at the application layer
Enables remote administration for these devices
Community strings
Used for authentication
Can provide read-only or read-write access
Multiple versions available: v1, v2, v3. Only version 3 offers strong authentication and encryption
SNMP basic concepts
Managing systems (Masters)
Administrative computers that monitor a group of hosts
Also called NMS (Network Management System)
Managed systems (Slaves)
A host/device that runs an Agent
Agent
Software component running on slave systems that reports data back to the master system
The agent uses SNMP to communicate.
Exposes data as variables: "name", "free memory", "processes"
Can receive and apply new configurations
SNMP messages
[Diagram]
SNMPv3
[Diagram: two NMS hosts managing several Managed Nodes, annotated as follows]
Agent may enforce access control to restrict each principal to certain actions on certain portions of its data.
Messages may be encrypted to ensure privacy.
Transmissions from manager to agent may be authenticated to guarantee the identity of the sender and the integrity and timeliness of a message.
SNMP levels of security (1)
SNMP allows for the following levels of security:
noAuth: authenticates a packet only by community string or username
Auth: authenticates a packet using SHA, MD5 or HMAC
Priv: authenticates a packet just like Auth but also provides encryption using DES, 3DES or AES.
SNMPv1 and v2 only support:
noAuthNoPriv: only use community string, no authentication or encryption
SNMPv3 supports:
noAuthNoPriv (don't authenticate, don't encrypt)
authNoPriv (authenticate but don't encrypt)
authPriv (authenticate and encrypt)
SNMP levels of security (2)
The default community string is "public". Many networks use this default value
Knowing the community string is like having the enable password for all the devices in the network.
SNMPv1 and v2 send their community string in clear text over the network. If management is being done in-band anyone on the network can see the community string.
Devices should only be configured with a read-only community string. There will be no write access for network nodes
Network security and logging
Cisco routers can log information about most events that take place in the network.
Log messages can be sent to several logging facilities:
Console: this is on by default; log messages will appear automatically on the console over your command prompt.
This is why you need to know the "logging synchronous" command
Terminal lines: EXEC sessions from Telnet or SSH can also receive log messages
Buffered logging: log messages are stored in the router's memory until reboot.
SNMP traps: certain logged events can be forwarded as SNMP traps to a NMS.
Syslog: log messages can be forwarded to an external syslog service; can be an application running on Windows or Linux.
A sample log message
Each log message has three fields:
A timestamp
The log message name and the severity level
The message text
Log message types
Examples of events, by severity level:
0: IOS cannot load
1: Temperature too high
2: Unable to allocate memory
3: Invalid memory size
4: Crypto operation failed
5: Interface changed state up or down
6: Packet denied by ACL
7: Packet type invalid
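A parser for the three-field log message format from the last three slides (timestamp, %FACILITY-SEVERITY-MNEMONIC, text), applied to a constructed buffer; this is added example code written for these notes, not from the lecture, and apart from the two lines copied from the SSH and clock slides the sample messages are made up in the same format.

```python
"""Parser for the IOS log-message format from slides 54-56: a timestamp, then
%FACILITY-SEVERITY-MNEMONIC, then the message text.

Added example, Python, not from the lecture. The sample buffer is constructed:
two lines are copied from slides 29 and 58, the rest are made up in the same
format (names such as SEC_LOGIN-4-LOGIN_FAILED are real IOS mnemonics).
"""
import re
from collections import Counter

# Severity levels 0-7 (slide 56) with the standard syslog names.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"                      # optional sequence number
    r"(?P<flag>[*.])?(?P<ts>.+?): "              # '*' = clock not authoritative (no NTP sync)
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")

# Constructed sample buffer (what 'show logging' might hold).
SAMPLE_LOG = """\
*Oct 19 00:17:23.487: %SSH-5-ENABLED: SSH 1.5 has been enabled
*Oct 17 19:02:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:05:26 UTC Fri Mar 1 2002 to 19:02:00 UTC Sat Oct 17 2009, configured from console by console.
Oct 17 19:10:02.120: %SYS-5-CONFIG_I: Configured from console by console
Oct 17 19:12:44.301: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: hacker] [Source: 10.0.0.1] [localport: 23] [Reason: Login Authentication Failed] at 19:12:44 UTC Sat Oct 17 2009
Oct 17 19:12:47.905: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: evil] [Source: 10.0.0.1] [localport: 23] [Reason: Login Authentication Failed] at 19:12:47 UTC Sat Oct 17 2009
Oct 17 19:13:10.000: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down
"""


def parse(line):
    """Split one log line into its fields; None if the line is not a log message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sev = int(m["severity"])
    return {"seq": m["seq"], "timestamp": m["ts"], "authoritative": m["flag"] != "*",
            "facility": m["facility"], "severity": sev, "level": SEVERITY[sev],
            "mnemonic": m["mnemonic"], "text": m["text"]}


def parse_all(buffer):
    return [rec for rec in map(parse, buffer.splitlines()) if rec]


def at_most(records, severity):
    """Records at the given severity or more urgent (a lower number is more urgent)."""
    return [r for r in records if r["severity"] <= severity]


def failed_logins_by_source(records):
    """Count LOGIN_FAILED records per source address (the 'show login failures' view)."""
    hits = Counter()
    for r in records:
        if r["mnemonic"] == "LOGIN_FAILED":
            src = re.search(r"\[Source: ([^\]]+)\]", r["text"])
            hits[src.group(1) if src else "?"] += 1
    return hits


if __name__ == "__main__":
    records = parse_all(SAMPLE_LOG)
    for r in at_most(records, 4):
        print(f"{r['severity']} {r['level']:<14} {r['facility']}-{r['mnemonic']}: {r['text'][:60]}")
    print("failed logins:", dict(failed_logins_by_source(records)))
    print("unsynchronized clock on", sum(not r["authoritative"] for r in records), "messages")
```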
Network Time Protocol
Clocks on network devices must be maintained and synchronized
Misconfigured clocks can lead to:
Incorrect timestamps in system logs
Invalid time-based security certificates
Other time-related configurations
The time and date can be set on Cisco routers
Manually (works, but don't expect any synchronization)
Does not scale well
Automatically, using NTP
Manually setting the clock
This is how you manually set the clock:
R2#clock set 19:02:00 OCT 17 2009
R2#
*Oct 17 19:02:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:05:26 UTC Fri Mar 1 2002 to 19:02:00 UTC Sat Oct 17 2009, configured from console by console.
Notice the syslog message.
Also notice that this command is NOT entered in the configuration mode. Why?
NTP facts
NTP allows routers on a network to synchronize their time settings with a time server.
Obtaining the time from a single source provides more consistent time settings.
You can implement your own time server or you can even use a publicly available NTP server, from the Internet.
NTP works on UDP port 123.
Securing NTP
Getting time from the Internet is easy and can be accurate enough. But...
Most time servers do not require any authentication.
An attacker can inject a false time value in your network
Possibly during an attack to make tracing difficult
Or to make digital certificates invalid and disrupt operations
Configuring basic NTP
To make a router an NTP server:
R2(config)#ntp master 1
The "1" represents the stratum number.
The stratum number is the number of hops between the NTP server and an authoritative source, such as an atomic clock.
It basically says how trustworthy the time source is.
Yes, the lower, the better, you got it!
Then, configure the server's address on the clients:
R1(config)#do sh clock
*00:11:08.955 UTC Fri Mar 1 2002   (before)
R1(config)#ntp server 10.0.0.2
R1(config)#do show clock
19:08:14.952 UTC Sat Oct 17 2009   (after)
Verifying basic NTP
R1#show ntp status
Clock is synchronized, stratum 2, reference is 10.0.0.2
nominal freq is 250.0000 Hz, actual freq is 249.9997 Hz, precision is 2**18
reference time is CE84969D.9939A4FB (19:16:45.598 UTC Sat Oct 17 2009)
clock offset is -0.0892 msec, root delay is 3.94 msec
root dispersion is 12.48 msec, peer dispersion is 12.36 msec
Using the "ntp server" client command causes the clients to contact the server.
Servers can also broadcast their time settings on a LAN:
R2(config-if)#ntp broadcast destination 10.0.0.255
And clients can listen for it:
R1(config-if)#ntp broadcast client
Time accuracy is lower since communication is one-way only.
Configuring secure NTP
NTPv3 provides a cryptographic authentication mechanism between clients and the server.
To configure NTP authentication, use the following commands on the server AND the clients:
R2(config)#ntp authenticate
R2(config)#ntp authentication-key 1 md5 CiscoTime
R2(config)#ntp trusted-key 1
NTPv3 uses MD5 authentication.
Multiple keys can be defined, the "ntp trusted-key" command indicates which key will be used.
In addition, the clients must add:
R1(config)#ntp server 10.0.0.2 key 1
The server will still respond to unauthenticated requests.
Verifying NTP authentication
To check that NTP with authentication is used on clients:
R1#show ntp association detail
10.0.0.2 configured, authenticated, our_master, sane, valid, stratum 1
ref ID .LOCL., time CE849EC8.ABFD8D6E (19:51:36.671 UTC Sat Oct 17 2009)
our mode client, peer mode server, our poll intvl 256, peer poll intvl 256
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 8.347
delay 3.88 msec, offset 5.7161 msec, dispersion 6.38
precision 2**18, version 3
org time CE849ECF.1CB71019 (19:51:43.112 UTC Sat Oct 17 2009)
rcv time CE849ECF.1CAC9CDD (19:51:43.112 UTC Sat Oct 17 2009)
xmt time CE849ECF.1AAF3964 (19:51:43.104 UTC Sat Oct 17 2009)
filtdelay =  7.60  7.87  3.88 11.31 63.92 27.66 51.91 23.67
filtoffset = 3.96 -8.11  5.72 13.62 11.68 22.02  9.70 16.05
filterror =  0.02  0.03  0.05  0.06  0.08  0.09  0.11  0.12
Horrible. Let's try this:
R1#show ntp association detail | include 10.0.0.2
10.0.0.2 configured, authenticated, our_master, sane, valid, stratum 1
Better.
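The 64-bit NTP timestamps printed above and the NTPv3 MD5 authenticator from the previous slide, worked through in added Python written for these notes (not from the lecture or from IOS): the timestamp values are the ones shown on this slide and on the "Verifying basic NTP" slide, the packet is constructed, and the key string "CiscoTime" is assumed to be used as raw ASCII bytes.

```python
"""NTP timestamps and NTPv3 MD5 authentication (slides 62-64).

Added example, Python, not from the lecture. It decodes the 64-bit NTP
timestamps printed by 'show ntp association detail' (values taken from
slides 62 and 64) and checks the MD5 authenticator of an NTP packet the way a
client configured with 'ntp server ... key 1' would. The packet is
constructed; the key string is assumed to be used as raw ASCII bytes.
"""
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
HEADER_LEN = 48            # fixed NTP header; authenticator = key id (4) + MD5 (16)


def ntp_to_datetime(hex_ts):
    """'CE849ECF.1AAF3964' -> UTC datetime (seconds.fraction since 1900)."""
    secs, frac = (int(part, 16) for part in hex_ts.split("."))
    return NTP_EPOCH + timedelta(seconds=secs + frac / 2 ** 32)


def build_packet(stratum, ref_id, xmt_hex, version=3, mode=4):
    """Constructed server reply: LI=0, given version/mode, stratum, ref id, xmt time."""
    secs, frac = (int(part, 16) for part in xmt_hex.split("."))
    first = (version << 3) | mode
    return (struct.pack("!BBbb", first, stratum, 8, -18)   # poll 2^8, precision 2^-18
            + struct.pack("!II", 0, 0)                     # root delay, root dispersion
            + ref_id                                       # 4 bytes, e.g. b"LOCL"
            + bytes(24)                                    # reference/origin/receive ts
            + struct.pack("!II", secs, frac))              # transmit timestamp


def parse_header(packet):
    first, stratum = struct.unpack("!BB", packet[:2])
    secs, frac = struct.unpack("!II", packet[40:48])
    return {"version": (first >> 3) & 7, "mode": first & 7, "stratum": stratum,
            "ref_id": packet[12:16].decode("ascii", "replace"),
            "xmt": ntp_to_datetime(f"{secs:08X}.{frac:08X}")}


def sign(packet, key_id, key):
    """NTPv3 authenticator: key id, then MD5 over key || header."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def verify(message, keys, trusted):
    """keys: {id: bytes} as 'ntp authentication-key'; trusted: ids from 'ntp trusted-key'."""
    if len(message) < HEADER_LEN + 20:
        return False, "unauthenticated"      # plain packet without an authenticator
    header = message[:HEADER_LEN]
    key_id = struct.unpack("!I", message[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = message[HEADER_LEN + 4:HEADER_LEN + 20]
    if key_id not in trusted or key_id not in keys:
        return False, f"key {key_id} not trusted"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "bad digest"
    return True, "authenticated"


if __name__ == "__main__":
    print("reference time:", ntp_to_datetime("CE84969D.9939A4FB"))
    keys = {1: b"CiscoTime"}                       # 'ntp authentication-key 1 md5 CiscoTime'
    reply = sign(build_packet(1, b"LOCL", "CE849ECF.1AAF3964"), 1, keys[1])
    print(parse_header(reply), verify(reply, keys, {1}))
    forged = bytes([reply[0], 2]) + reply[2:]       # stratum changed after signing
    print("forged:", verify(forged, keys, {1}))
```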
Auto-secure
Cisco IOS provides an easy way to lock down your router in one step: the "auto secure" command.
AutoSecure is a macro that will add the necessary commands to your running configuration file.
A wizard starts that queries the user for information.
R1#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks ***
...
AutoSecure lockdown
AutoSecure the management plane
BOOTP, CDP, FTP, TFTP, PAD, UDP and TCP small servers, MOP, ICMP, IP source routing, finger, password encryption, TCP keepalives, gratuitous ARP, proxy ARP, directed broadcast
Configures a banner
Secures passwords and login functions
Secures NTP
Secures SSH access
TCP Intercept services
AutoSecure the data plane
Enable Cisco firewall inspection
Enables traffic filtering using access lists
Enables Cisco Express Forwarding (CEF)
AutoSecure modes
The AutoSecure setup can run in an interactive mode:
Router#auto secure
Or in a non-interactive mode (user is not asked):
Router#auto secure no-interact
Long course, short summary
Securing the network perimeter
Securing router administrative access
Enhancing security for virtual logins
Enabling SSH
Configuring administrative privilege levels
Configuring role-based CLI access
Securing the IOS image and configuration file
Describing SNMP
Describing logging
Configuring secure NTP
Locking down the router with AutoSecure
The quote means it's over
"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench."
Gene Spafford