© 2001, Cisco Systems, Inc. All rights reserved.
PS-5433029_05_2001_c1
Security Best Practices in Cisco IOS® and Other Techniques to Help Your Network Survive in Today's Internet/Extranet Environments
Mike Peeters
SE Toronto
SAFE Security (Agenda)
• SAFE Blueprint
• Understanding Today's Threats and Vulnerabilities
• Securing the Router
• Securing the Routing Protocols
• Limiting the Impact of DoS Attacks
• In Conclusion

The Network of Five Years Ago
(Diagram: a closed network connected to its remote sites over PSTN, Frame Relay, X.25 and leased lines.)

Legacy Security Solutions
• Most security designed when networks were simple and static
• Primarily single-point products (access-control) with no network integration or intelligence
• Such legacy products are still seen as default security solutions (a “cure-all”)
• Today, there are serious drawbacks to relying on such “overlay” security to protect sophisticated networks and services
Case in Point…
Internet connections have dramatically increased as a frequent point of attack (from 59% in 2000 to 70% in 2001).
Of those organizations reporting attacks, we learn:
• 27% say they don't know if there had been unauthorized access or misuse
• 21% reported from two to five incidents in one year
• 58% reported ten or more incidents in a single year: something isn't working!
Source: Computer Security Institute & FBI Report, March 2001

Code Red and Nimda Worm Impacts
• Rapid penetration and propagation through existing security solutions
• Extensive impact; expensive recovery
• Exploited existing and known vulnerabilities, and bypassed legacy security devices
• Could have been prevented and mitigated

Impact of Recent Worms
• Major computer company (Code Red/Nimda): $9 million for remediation; 12,000 IT hours for Code Red; 6,500 IT hours for Nimda
• Multibillion-dollar financial institution (Nimda): 75% of core routers down at any given time; lost a trading server for half a day ($13 million impact)
Important lesson learned: security needs to be designed and implemented around, in and through the network.

Today’s Threats
• Attackers are taking advantage of complex networks and sophisticated Internet services
• In this environment, everything is a target: Routers, Switches, Hosts, Networks (local and remote), Applications, Operating Systems, Security Devices, Remote Users, Business Partners, Extranets, etc.
• Threats to today’s networks are not addressed by most legacy security products
• In fact, there is no single security device which can protect all of these targets
SAFE Security Blueprint
• Integrates security and network issues
• Includes specific configurations for Cisco and partner solutions
• Based on existing, shipping capabilities
• Over 3,000 hours of lab testing
• Currently, five SAFE white papers: SAFE for Enterprise, SAFE for SMB, SAFE Blueprint for IP Telephony, Wireless LAN Security in Depth, SAFE for VPNs

SAFE: Securing E-Business
(Diagram: the SAFE enterprise modules. Campus: Management, Building, Distribution, Core, Server. Edge: E-Commerce, Corporate Internet, VPN/Remote Access, WAN. Service-provider edge: ISP, PSTN, FR/ATM.)

Defense-in-Depth
(Diagram: Identity, Secure Connectivity, Perimeter Security, Security Monitoring and Security Management, built from Firewalls, VPN, IDS/Scanning, Authentication and Policy.)
• Integration into the network infrastructure: compatibility with network services
• Integration as functional interoperability: intelligent interaction between elements
• Convergence with other technology initiatives: mobility/wireless, IP telephony, voice/video-enabled VPNs

Understanding Today’s Threats and Vulnerabilities
Classes of Attacks
• Reconnaissance: unauthorized discovery and mapping of systems, services, or vulnerabilities
• Access: unauthorized data manipulation, system access, or privilege escalation
• Denial of Service: disable or corrupt networks, systems, or services

Reconnaissance Methods
• Common commands and administrative utilities
nslookup, ping, netcat, telnet, finger, rpcinfo, file explorer, srvinfo, dumpacl
• Public tools
Sniffers, SATAN, SAINT, NMAP, custom scripts
nmap
• Network Mapper is a utility for port scanning large networks:
  TCP connect() scanning
  TCP SYN (half-open) scanning
  TCP FIN, Xmas, or NULL (stealth) scanning
  TCP ftp proxy (bounce attack) scanning
  SYN/FIN scanning using IP fragments (bypasses some packet filters)
  TCP ACK and window scanning
  UDP raw ICMP port unreachable scanning
  ICMP scanning (ping sweep)
  TCP ping scanning
  Direct (non-portmapper) RPC scanning
  Remote OS identification by TCP/IP fingerprinting (nearly 500 fingerprints)

nmap
• nmap {Scan Type(s)} [Options] <host or net list>
• Example:
  my-unix-host% nmap -sT my-router
  Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
  Interesting ports on my-router.example.com (10.12.192.1)
  (The 1521 ports scanned but not shown below are in state closed)
  Port     State   Service
  21/tcp   open    ftp
  22/tcp   open    ssh
  23/tcp   open    telnet
  25/tcp   open    smtp
  37/tcp   open    time
  80/tcp   open    http

Access Methods
• Exploiting passwords: brute force, cracking tools
• Exploiting poorly configured or managed services: anonymous ftp, tftp, remote registry access, NIS, …
  Trust relationships: rlogin, rexec, …
  IP source routing
  File sharing: NFS, Windows file sharing
• Exploiting application holes: mishandled input data (access outside the application domain, buffer overflows, race conditions)
• Protocol weaknesses: fragmentation, TCP session hijacking
• Trojan horses: programs that plant a backdoor into a host

IP Packet Format
(IPv4 header, one 32-bit word per row; bit positions 0-15 and 16-31)
Word 1: 4-Bit Version | 4-Bit Header Length | 8-Bit Type of Service (TOS) | 16-Bit Total Length (in bytes)
Word 2: 16-Bit Identification | 3-Bit Flags | 13-Bit Fragment Offset
Word 3: 8-Bit Time to Live (TTL) | 8-Bit Protocol | 16-Bit Header Checksum
Word 4: 32-Bit Source IP Address
Word 5: 32-Bit Destination IP Address
Options (if any), then Data

IP Spoofing
(Diagram: hosts A, B and C; the attacker sends packets to A announcing "Hi, my name is B", i.e. carrying B's address as the IP source.)

IP: Normal Routing
(Diagram: hosts A, B and C behind routers Ra, Rb and Rc. A -> B is forwarded hop by hop according to each router's own routing table: A's table says "B, C via Ra"; Ra's says "B via Rb, C via Rc"; Rb's says "A, C via Ra, B via Ethernet".)
Routing based on routing tables

IP: Source Routing
(Diagram: the same topology. A sends "A -> B via Ra, Rb" with the hop list carried in an IP datagram option; each router forwards to the next hop named in the option rather than consulting its own table, so a table entry of "B unknown, C via Rc" does not stop delivery.)
Routing based on IP datagram option

IP Unwanted Routing
(Diagram: Internet, DMZ and Intranet joined by routers R1 and R2, with host B in the DMZ. C on the Internet sends a source-routed "C -> A via R1, R2". The Internet knows "A unknown, B via Internet", R1 knows "A unknown, B via DMZ", R2 knows "A via Intranet, B via DMZ, C unknown"; the source route nevertheless walks the packet through R1 and R2 to intranet host A.)

IP Unwanted Routing (Cont.)
(Diagram: intranet host B is dialled in over PPP and acting as a router, with "A via Ethernet, C via PPP". C on the Internet sends "C -> A via B"; the Internet knows only "A unknown, B via Internet" and the PPP side "A unknown, B via PPP", yet the source route reaches A through B's two interfaces.)

IP Spoofing Using Source Routing
(Diagram: C sends "B -> A via C, Rc, Ra", forging B's source address. A decides "B is a friend, allow access" and its replies "A -> B via Ra, Rc, C" travel back along the reversed source route, so the back traffic reaches the attacker C instead of B.)

TCP Packet Format
(TCP header, one 32-bit word per row; bit positions 0-15 and 16-31)
Word 1: 16-Bit Source Port Number | 16-Bit Destination Port Number
Word 2: 32-Bit Sequence Number
Word 3: 32-Bit Acknowledgment Number
Word 4: 4-Bit Header Length | Reserved (6 bits) | Flags: URG ACK PSH RST SYN FIN | 16-Bit Window Size
Word 5: 16-Bit TCP Checksum | 16-Bit Urgent Pointer
TCP Options (if any), then Data

TCP Connection Establishment
(Exchange between B and A; seq=(sequence number, acknowledgment number))
B -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb)
B -> A: flags=ACK, seq=(Sb,Sa)
A -> B: flags=ACK, seq=(Sa,Sb), data="Username:"   (9 bytes, so A's next sequence number is Sa+9)

TCP Blind Spoofing
(Exchange: C, masquerading as B, opens a connection to A; A's replies go to the real B, so C never sees them)
C (as B) -> A: flags=SYN, seq=(Sb,?)
A -> B:        flags=SYN+ACK, seq=(Sa,Sb)              (not seen by C; C guesses Sa)
C (as B) -> A: flags=ACK, seq=(Sb,Sa)
A -> B:        flags=ACK, seq=(Sa,Sb), data="Username:"
C (as B) -> A: flags=ACK, seq=(Sb,Sa+9), data="myname"
A believes the connection comes from B and starts the application (e.g. rlogin).

TCP Blind Spoofing (Cont.)
• C masquerades as B
• A believes the connection is coming from trusted B
• C does not see the back traffic
• For this to work, the real B must not be up, and C must be able to guess A’s sequence number
TCP Session Hijacking
(Exchange: B opens a connection to A and authenticates; C, masquerading as B, then injects data into the live session)
B -> A:        flags=SYN, seq=(Sb,?)
A -> B:        flags=SYN+ACK, seq=(Sa,Sb)
B -> A:        flags=ACK, seq=(Sb,Sa)
A -> B:        "Password:", seq=(Sa,Sb)
B -> A:        "Xyzzy", seq=(Sb,Sa+9)
C (as B) -> A: "delete *", seq=(Sb+5,Sa+9)
B initiates a connection with A and is authenticated by the application on A.
C guesses Sa and Sb (both visible if C can sniff the path) and inserts invalid data into the already-authenticated session.

IP Normal Fragmentation
• The largest IP datagram is 65,535 bytes (2^16 - 1: the Total Length field is 16 bits)
• IP fragments a large datagram into smaller datagrams to fit the link MTU
• Fragments share the original Identification value and are positioned by the Fragment Offset field (encoded in 8-byte units)
• The destination host reassembles the original datagram

IP Normal Fragmentation (Cont.)
Before fragmentation:
  IP Header + IP Data       TL=1300, FO=0     Data Length 1280
After fragmentation (MTU = 500):
  TL=500, FO=0      Data Length 480
  TL=500, FO=480    Data Length 480
  TL=340, FO=960    Data Length 320
(FO is shown here as a byte offset; on the wire it is carried in 8-byte units, i.e. 0, 60 and 120.)

IP Normal Reassembly
Received from the network:
  TL=500, FO=0      Data Length 480
  TL=500, FO=480    Data Length 480
  TL=340, FO=960    Data Length 320
Kernel memory at the destination host: each fragment's data is copied to its offset in a reassembly buffer of at most 65,535 bytes.

IP Reassembly Attack
• Send invalid IP datagram
• Fragment offset + fragment size > 65,535
• Usually containing ICMP echo request (ping)
• Not limited to ping of death!
IP Reassembly Attack (Cont.)
Received from the network:
  TL=1020, FO=0        Data Length 1000
  … 64 IP fragments with Data Length 1000 …
  TL=1020, FO=65000    Data Length 1000
Kernel memory at the destination host: the last fragment ends at 65000 + 1000 = 66000 bytes, past the end of the 65,535-byte reassembly buffer. BUG: buffer exceeded.

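The bounds check the slide is asking for, as an added example (not code from the original deck): a small IPv4 header parser that validates the fields a reassembler must not trust, and a reassembler that refuses any fragment whose offset plus length would exceed 65,535 bytes. It builds its own fragments (constructed input; the addresses 10.0.0.1 and 10.0.0.2 and the Identification values are arbitrary) using the slide's numbers: the normal 480/480/320 split, and the 1000-byte fragment at offset 65000.

```python
import socket
import struct
from dataclasses import dataclass, field
from typing import Optional

IPV4_MAX_DATAGRAM = 65535   # 16-bit Total Length: the largest datagram IP can describe
IPV4_MF = 0x2000            # "More Fragments" flag in the Flags/Fragment Offset word


@dataclass
class Fragment:
    ident: int
    offset: int     # byte offset of this fragment's data within the original datagram
    more: bool      # MF flag: further fragments follow
    payload: bytes


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as the IP header checksum requires."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_fragment(ident: int, offset: int, more: bool, payload: bytes,
                   src: str = "10.0.0.1", dst: str = "10.0.0.2", proto: int = 1) -> bytes:
    """Build a 20-byte IPv4 header plus payload; `offset` is in bytes (a multiple of 8)."""
    if offset % 8 or offset // 8 > 0x1FFF:
        raise ValueError("fragment offset must be a multiple of 8 below 65536")
    total_len = 20 + len(payload)
    if total_len > IPV4_MAX_DATAGRAM:
        raise ValueError("total length does not fit in 16 bits")
    flags_frag = (IPV4_MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_fragment(packet: bytes) -> Fragment:
    """Parse an IPv4 packet, checking version, header length, total length and checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, _proto, _csum = struct.unpack("!BBHHHBBH", packet[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("inconsistent header length / total length")
    if ipv4_checksum(packet[:ihl]) != 0:   # a valid header (checksum included) sums to zero
        raise ValueError("bad header checksum")
    return Fragment(ident=ident, offset=(flags_frag & 0x1FFF) * 8,
                    more=bool(flags_frag & IPV4_MF), payload=packet[ihl:total_len])


def fragment_in_bounds(frag: Fragment) -> bool:
    """The check the vulnerable stacks lacked: offset + data length must fit in 65,535 bytes."""
    return frag.offset + len(frag.payload) <= IPV4_MAX_DATAGRAM


@dataclass
class Reassembler:
    """Minimal per-datagram reassembly state keyed by the Identification field."""
    pieces: dict = field(default_factory=dict)      # ident -> {offset: payload}
    final_end: dict = field(default_factory=dict)   # ident -> end offset of the MF=0 fragment

    def accept(self, frag: Fragment) -> bool:
        """Store a fragment; return False (dropped) if it would overrun the buffer."""
        if not fragment_in_bounds(frag):
            return False
        self.pieces.setdefault(frag.ident, {})[frag.offset] = frag.payload
        if not frag.more:
            self.final_end[frag.ident] = frag.offset + len(frag.payload)
        return True

    def complete(self, ident: int) -> Optional[bytes]:
        """Return the reassembled data once the fragments cover 0..end with no gaps or overlaps."""
        end = self.final_end.get(ident)
        if end is None:
            return None
        data, pos = bytearray(), 0
        for off in sorted(self.pieces[ident]):
            if off != pos:
                return None     # gap or overlap: not yet (or never) complete
            data += self.pieces[ident][off]
            pos = off + len(self.pieces[ident][off])
        return bytes(data) if pos == end else None
```

Overlapping fragments are rejected rather than resolved here, which is the conservative choice for a filter; a real host stack has to pick a policy and attackers have historically exploited the differences between those policies.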
SYN Attack
(Exchange: C, masquerading as B, floods A with connection requests)
C (as B) -> A: flags=SYN, seq=(Sb,?)
A -> B:        flags=SYN+ACK, seq=(Sa,Sb)
A allocates a kernel resource for handling the starting connection. No answer comes from B, and only after a 120-second timeout is the resource freed. Repeated fast enough, the kernel resources are exhausted: denial of service.

SMURF Attack
(Diagram: the attacker sends a directed-broadcast ping, ICMP REQ D=160.154.5.255 S=172.18.1.2, with the victim's address 172.18.1.2 forged as source. Every host on 160.154.5.0 answers the victim: ICMP REPLY D=172.18.1.2 S=160.154.5.10, .11, .12, .13, .14, … The amplified replies attempt to overwhelm the WAN link to the destination.)

DDoS Step 1: Find Vulnerable Hosts
• The attacker uses reconnaissance tools to locate vulnerable hosts to be used as masters and daemon agents

DDoS Step 2: Install Software on Masters and Agents
1. Install master and agent programs on all cracked hosts
2. Create a hierarchical covert control channel (attacker -> innocent masters -> innocent daemon agents) using innocent-looking ICMP packets whose payload contains DDoS commands; some DDoS tools further encrypt the payload

DDoS Step 3: Launch the Attack
• The attacker sends "Attack Alice NOW!" to the innocent masters; they relay the order to the innocent daemon agents, which all flood the victim at once

Passwords:
• Physical access to the console port means no password is needed upon reboot (password recovery)
• Telnet: the enable password should be different from the login password
• SNMP: community strings are transmitted in the clear (v1, v2c)
• Passwords and community strings are stored in clear text in configurations kept on TFTP servers: protect those servers, and configure no service config so the router does not fetch its configuration over the network at boot
• Use good passwords

Passwords:
• Understand the different password protection mechanisms:
  service password-encryption
  enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
  line con 0
   password 7 00071A150754
• 5 => salted MD5, one-way: cannot be reversed, but an attacker holding the configuration can still brute-force it offline, so the password itself must be strong
• 7 => Cisco proprietary obfuscation: trivially reversible by anyone who can read the configuration
• Use TACACS+/RADIUS for authentication
Beware: even passwords that are encrypted in the configuration are not encrypted on the wire as an administrator logs into the router over Telnet or manages it over SNMP v1/v2c.

SNMP:
  snmp-server community <string> view <view> RO|RW <ACL>
  Use views and ACLs to prevent unauthorized access.
  snmp-server host <ip> <string>
  Use snmp-server host for trap forwarding and authentication of traps.
  snmp-server trap-source <interface>
  Use a source interface to uniquely identify a device.

SNMP:
• Change your community strings! Do not use public, private, secret!
• Use different community strings for the RO and RW communities.
• Use mixed alphanumeric characters in the community strings: SNMP community strings can be cracked, too!
SNMP Version 3:
• SNMP V3 integrated in routers and switches.
• HP OpenView has plugin for SNMP v3.
• Cisco Enterprise Network Management has at this time no plans to support SNMP version 3. We advise people to use IPsec, to accomplish a secure connection.
Transaction Records
• How do you tell when someone is attempting to access your router?
• Consider some form of audit trail:
  Using the syslog feature
  SNMP traps and alarms
  Implementing TACACS+, RADIUS, Kerberos, or third-party solutions like one-time password token cards

Configuring Syslog on a Router
• To log messages to a syslog server host, use the logging global configuration commands:
  logging <host>
  logging trap <level>
• To log to the internal buffer:
  logging buffered <size>
• To source the log events from a common address:
  logging source-interface e0/1

Global Services You Turn On
• Add the timestamping service for logs:
  service timestamps log datetime localtime show-timezone msec
• Add the encryption service for console and VTY passwords:
  service password-encryption

Setting NTP
  ntp server 192.168.41.40
  ntp server 192.168.41.41
  ntp source Ethernet0/1
  service timestamps log datetime localtime show-timezone
  service timestamps debug datetime localtime show-timezone
  clock timezone EST -5
  clock summer-time EDT recurring
Consistent time across devices is what makes log entries and accounting records from different routers correlatable during an investigation.

Global Services You Turn OFF
• Some services turned on by default (before IOS 12.x) should be turned off to save memory and prevent security breaches/attacks:
  no service finger
  no service pad
  no service udp-small-servers
  no service tcp-small-servers
  no ip bootp server

Global Services You Turn OFF (Cont.)
• Check these services as well:
  no ip source-route
  no mop enabled          (per interface)
  no ip rcmd rsh-enable
  no ip rcmd rcp-enable
  no ip identd
  no ip http server

Interface Services You Turn OFF
• All interfaces on an Internet-facing router should have the following as a default:
  no ip redirects
  no ip directed-broadcast
  no ip proxy-arp
• no ip directed-broadcast is what stops your subnets being used as a Smurf amplifier; it is the default from IOS 12.0, but verify it on older images.

Cisco Discovery Protocol
• Lets network administrators discover neighbouring Cisco equipment, model numbers and software versions
• Should not be activated on any public-facing interface (IXP, customer, upstream ISP) unless part of the peering agreement
• Disable per interface:
  no cdp enable
• Or disable it globally where it is not needed at all:
  no cdp run

Cisco Discovery Protocol
  Defiant#show cdp neighbors detail
  -------------------------
  Device ID: Excalabur
  Entry address(es):
    IP address: 4.1.2.1
  Platform: cisco RSP2,  Capabilities: Router
  Interface: FastEthernet1/1,  Port ID (outgoing port): FastEthernet4/1/0
  Holdtime : 154 sec

  Version :
  Cisco Internetwork Operating System Software
  IOS (tm) RSP Software (RSP-K3PV-M), Version 12.0(9.5)S,  EARLY DEPLOYMENT MAINTENANCE INTERIM SOFTWARE
  Copyright (c) 1986-2000 by cisco Systems, Inc.
  Compiled Fri 03-Mar-00 19:28 by htseng
(Everything an attacker needs to pick an exploit: platform, exact IOS version, and the address of the next device.)

Login Banner
• Use a good login banner, or nothing at all:
banner login ^
Authorised access only
Disconnect IMMEDIATELY if you are not an authorised user!^
Use Enable Secret
• Encryption type '7' on a Cisco is reversible
• The enable secret password is protected by a one-way algorithm (type 5, salted MD5):
  enable secret <removed>
  no enable password
  service password-encryption

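Why type 7 offers no protection against anyone who can read the configuration, shown as an added example that is not part of the original deck: the type 7 scheme is a XOR against a fixed key string that is the same on every IOS device, so the password is recovered from the hex without any guessing, whereas the type 5 hash on the earlier slide can only be brute-forced. The configuration scanned below is constructed from the two type 7 strings that appear on these slides.

```python
import re

# Fixed key string IOS uses for type 7 obfuscation. It is public knowledge and identical
# on every device, which is why type 7 protects only against shoulder-surfing.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches "password 7 <hex>", "username x password 7 <hex>", "tacacs-server key 7 <hex>", ...
_TYPE7_RE = re.compile(r"\b7 ([0-9A-Fa-f]{4,})\b")


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string such as '045802150C2E' to its plaintext.

    Layout: two decimal digits giving the start offset into the key (00..15), then two
    hex digits per plaintext byte, each XORed with the key byte at (offset + i) mod len(key).
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string must be an even length of at least 4")
    seed = int(encoded[:2], 10)
    if not 0 <= seed <= 15:
        raise ValueError("type 7 seed must be between 00 and 15")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 4) -> str:
    """Produce the type 7 string IOS would store for `plain` with the given seed."""
    if not 0 <= seed <= 15:
        raise ValueError("type 7 seed must be between 0 and 15")
    body = bytes(ord(c) ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


def recover_type7_secrets(config_text: str) -> list:
    """Scan a running-config for type 7 strings; return (config line, plaintext) pairs.

    Type 5 lines ('enable secret 5 $1$...') are left alone: salted MD5 cannot be reversed,
    only brute-forced, which is the whole point of preferring enable secret.
    """
    found = []
    for line in config_text.splitlines():
        m = _TYPE7_RE.search(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


# Constructed sample configuration: the two type 7 strings and the type 5 hash are the
# ones shown on the slides; the line layout is assumed.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
line con 0
 password 7 00071A150754
line vty 0 4
 password 7 045802150C2E
"""

if __name__ == "__main__":
    for line, plain in recover_type7_secrets(SAMPLE_CONFIG):
        print(f"{line:28s} -> {plain}")
```

Run it against any saved configuration to see what a leaked backup or a TFTP directory listing really exposes; the practical consequence is the one the slide draws: use enable secret, keep type 7 out of anything that leaves the router, and treat configuration files as secrets.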
VTY and Console Port Timeouts
• The default idle timeout on async ports is 10 minutes 0 seconds:
  exec-timeout 10 0
• A timeout of 0 means a permanent connection that never times out
• Enable TCP keepalives on incoming network connections:
  service tcp-keepalives-in
• Kills unused (half-dead) connections so they cannot tie up the VTYs

VTY Security
• Access to VTYs should be controlled, not left open; consoles should be used for last-resort admin only:
  access-list 3 permit 215.17.1.0 0.0.0.255
  access-list 3 deny any
  line vty 0 4
   access-class 3 in
   exec-timeout 5 0
   transport input telnet ssh
   transport output none
   transport preferred none
   password 7 045802150C2E

VTY Security
• Use more robust ACLs with the logging feature to spot the probes on your network:
  access-list 199 permit tcp 1.2.3.0 0.0.0.255 any
  access-list 199 permit tcp 1.2.4.0 0.0.0.255 any
  access-list 199 deny tcp any any range 0 65535 log
  access-list 199 deny ip any any log
• Each deny entry with the log keyword produces a %SEC-6-IPACCESSLOGP syslog message (rate-limited, with a periodic packet count); send these to a syslog server so they can be searched rather than scrolled past.

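What "spotting the probes" looks like once those log lines reach a syslog server, as an added example that is not part of the original deck: a parser for the %SEC-6-IPACCESSLOGP messages the deny-with-log entries above generate, an aggregation of denied packets per source, and a simple port-scan heuristic (one source touching many distinct destination ports). The syslog lines are constructed sample data using ACL 199 from the slide; the addresses and timestamps are invented.

```python
import re
from collections import defaultdict
from typing import Optional

# Syslog text IOS emits for a TCP/UDP access-list entry carrying the 'log' keyword.
# (ICMP entries log as %SEC-6-IPACCESSLOGDP and other protocols as %SEC-6-IPACCESSLOGNP.)
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(line: str) -> Optional[dict]:
    """Return the fields of one %SEC-6-IPACCESSLOGP line, or None for unrelated syslog lines."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "count"):
        rec[k] = int(rec[k])
    return rec


def summarize_denies(lines) -> dict:
    """Aggregate denied traffic per source: packet total, destination ports and destinations hit."""
    summary = defaultdict(lambda: {"packets": 0, "dports": set(), "dsts": set()})
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue
        s = summary[rec["src"]]
        s["packets"] += rec["count"]          # IOS emits a 5-minute summary count, so add it
        s["dports"].add(rec["dport"])
        s["dsts"].add(rec["dst"])
    return dict(summary)


def probable_scanners(summary: dict, min_ports: int = 5) -> list:
    """Sources that touched at least `min_ports` distinct destination ports: a port-scan signature."""
    return sorted(src for src, s in summary.items() if len(s["dports"]) >= min_ports)


# Constructed sample syslog lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Mar  1 10:02:11.201 EST: %SEC-6-IPACCESSLOGP: list 199 denied tcp 203.0.113.7(40211) -> 192.0.2.1(21), 1 packet
Mar  1 10:02:11.203 EST: %SEC-6-IPACCESSLOGP: list 199 denied tcp 203.0.113.7(40212) -> 192.0.2.1(22), 1 packet
Mar  1 10:02:11.205 EST: %SEC-6-IPACCESSLOGP: list 199 denied tcp 203.0.113.7(40213) -> 192.0.2.1(23), 1 packet
Mar  1 10:02:11.207 EST: %SEC-6-IPACCESSLOGP: list 199 denied tcp 203.0.113.7(40214) -> 192.0.2.1(25), 1 packet
Mar  1 10:02:11.209 EST: %SEC-6-IPACCESSLOGP: list 199 denied tcp 203.0.113.7(40215) -> 192.0.2.1(80), 1 packet
Mar  1 10:02:11.211 EST: %SEC-6-IPACCESSLOGP: list 199 denied tcp 203.0.113.7(40216) -> 192.0.2.1(443), 1 packet
Mar  1 10:05:40.002 EST: %SEC-6-IPACCESSLOGP: list 199 denied tcp 198.51.100.9(1033) -> 192.0.2.1(23), 1 packet
Mar  1 10:10:40.002 EST: %SEC-6-IPACCESSLOGP: list 199 denied tcp 198.51.100.9(1033) -> 192.0.2.1(23), 4 packets
Mar  1 10:11:02.550 EST: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 1.2.3.4(2001) -> 192.0.2.1(22), 1 packet
Mar  1 10:11:03.000 EST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (1.2.3.4)
"""

if __name__ == "__main__":
    summary = summarize_denies(SAMPLE_LOG.splitlines())
    for src in probable_scanners(summary):
        print(f"possible scan from {src}: ports {sorted(summary[src]['dports'])}")
```

The 198.51.100.9 entries show why the count field matters: IOS logs the first matching packet and then a summary with the packet count, so summing counts rather than lines gives the real volume.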
VTY Access and SSHv1
• Secure Shell supported from IOS 12.1
• Obtain, load and run appropriate crypto images on the router
• Set up SSH on the router (a hostname and ip domain-name must already be configured, since they name the key pair):
  Beta7200(config)#crypto key generate rsa
• Add it as an input transport:
  line vty 0 4
   transport input telnet ssh
• Once SSH is working, remove telnet from the transport list so VTY passwords never cross the wire in the clear; on releases that offer it, prefer SSHv2 (ip ssh version 2), since SSHv1 has known protocol weaknesses.

User Authentication
• Account per user, with passwords:
  aaa new-model
  aaa authentication login neteng local
  username joe password 7 1104181051B1
  username jim password 7 0317B21895FE
  line vty 0 4
   login authentication neteng
   access-class 3 in
• A username/password pair is more resistant to attack than a plain line password, and gives you a name to put in the audit trail
• Where the release supports it, username <name> secret <password> stores an MD5 hash instead of a reversible type 7 string

User Authentication
• Use a distributed authentication system:
  aaa new-model
  aaa authentication login default tacacs+ enable
  aaa authentication enable default tacacs+ enable
  aaa accounting exec start-stop tacacs+
  ip tacacs source-interface Loopback0
  tacacs-server host 215.17.1.1
  tacacs-server key CKr3t#
  line vty 0 4
   access-class 3 in
• The trailing enable method in both lists is the fallback: if the TACACS+ server is unreachable the router accepts the local enable secret, so a server outage does not lock you out

User Authentication
TACACS+ provides a detailed audit trail of what is happening on the network devices:
  User-Name  Group  cmd                                                     priv-lvl  service  NAS-Portname  task_id  NAS-IP-Address
  bgreene    NOC    enable <cr>                                             0         shell    tty0          4        210.210.51.224
  bgreene    NOC    exit <cr>                                               0         shell    tty0          5        210.210.51.224
  bgreene    NOC    no aaa accounting exec Workshop <cr>                    0         shell    tty0          6        210.210.51.224
  bgreene    NOC    exit <cr>                                               0         shell    tty0          8        210.210.51.224
  pfs        NOC    enable <cr>                                             0         shell    tty0          11       210.210.51.224
  pfs        NOC    exit <cr>                                               0         shell    tty0          12       210.210.51.224
  bgreene    NOC    enable <cr>                                             0         shell    tty0          14       210.210.51.224
  bgreene    NOC    show accounting <cr>                                    15        shell    tty0          16       210.210.51.224
  bgreene    NOC    write terminal <cr>                                     15        shell    tty0          17       210.210.51.224
  bgreene    NOC    configure <cr>                                          15        shell    tty0          18       210.210.51.224
  bgreene    NOC    exit <cr>                                               0         shell    tty0          20       210.210.51.224
  bgreene    NOC    write terminal <cr>                                     15        shell    tty0          21       210.210.51.224
  bgreene    NOC    configure <cr>                                          15        shell    tty0          22       210.210.51.224
  bgreene    NOC    aaa new-model <cr>                                      15        shell    tty0          23       210.210.51.224
  bgreene    NOC    aaa authorization commands 0 default tacacs+ none <cr>  15        shell    tty0          24       210.210.51.224
  bgreene    NOC    exit <cr>                                               0         shell    tty0          25       210.210.51.224
  bgreene    NOC    ping <cr>                                               15        shell    tty0          32       210.210.51.224
  bgreene    NOC    show running-config <cr>                                15        shell    tty66         35       210.210.51.224
  bgreene    NOC    router ospf 210 <cr>                                    15        shell    tty66         45       210.210.51.224
  bgreene    NOC    debug ip ospf events <cr>                               15        shell    tty66         46       210.210.51.224

Source Routing
• IP has a provision to allow the source IP host to specify the route through the Internet
• Turn this off unless it is specifically required:
  no ip source-route

ICMP Unreachable Overload
• All routers that use any static route to Null0 should configure no ip unreachables on Null0; otherwise every packet dropped by the black-hole route makes the router generate an ICMP unreachable, and a flood of dropped packets becomes a flood of CPU work:
  interface Null0
   no ip unreachables
  !
  ip route <dest to drop> <mask> Null0

Securing the Routing Protocol
Routing Protocol Security
• Routing protocols can be attacked:
  Denial of service
  Smoke screens
  False information
  Reroute packets
• May be accidental or intentional

Secure Routing: Route Authentication
(Diagram: campus routers configured for routing authentication. The sending router signs its route updates; the receiving router verifies the signature, which certifies the authenticity of the neighbor and the integrity of the route updates.)

Signature Generation
(Diagram: Router A feeds the routing update together with the preconfigured shared key into the hash function (MD5) and sends the routing update with the resulting signature attached.)
Signature = keyed hash of the routing update. The shared key is mixed into the hash input rather than used to encrypt a hash, so the key itself never appears on the wire; a peer that does not hold the key cannot produce a matching signature.

Signature Verification
(Diagram: Router B, the receiving router, separates the routing update from the signature, re-hashes the routing update with the preconfigured key, and compares the result with the received signature. If the hashes are equal, the signature is authentic.)

Route Authentication
• Authenticates routing update packets
• Relies on a shared key configured on both neighbors:
  Plain text: the key itself travels in the update; protects against accidental problems only
  Message Digest 5 (MD5): only a keyed digest travels in the update; protects against accidental and intentional problems

OSPF Route Authentication
• OSPF area authentication, two types:
  Simple password:
    ip ospf authentication-key <key>                  (under the specific interface)
    area <area-id> authentication                     (under "router ospf <process-id>")
  Message Digest (MD5):
    ip ospf message-digest-key <keyid> md5 <key>      (under the interface)
    area <area-id> authentication message-digest      (under "router ospf <process-id>")

OSPF and Authentication Example
  interface ethernet1
   ip address 10.1.1.1 255.255.255.0
   ip ospf message-digest-key 100 md5 cisco
  !
  router ospf 1
   network 10.1.1.0 0.0.0.255 area 0
   area 0 authentication message-digest
Every neighbor on the segment must carry the same key ID and key; "cisco" here is a placeholder, not a recommendation.

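The signing and verification the previous slides describe, written out as an added example that is not part of the original deck. It uses the keyed-MD5 construction OSPF specifies (RFC 2328, Appendix D: MD5 over the message followed by the key zero-padded to 16 bytes) and OSPF's authentication-field layout (key ID, auth data length, cryptographic sequence number), but it is a simplification: the real protocol hashes the complete OSPF packet and carries other header fields that are omitted here. The route update text, key ID 100 and key "cisco" from the slide are constructed inputs; the plaintext variant is shown alongside for contrast.

```python
import hashlib
import hmac
import struct

# OSPF's 64-bit authentication field for cryptographic authentication (RFC 2328, D.3):
# 16 reserved bits, 8-bit Key ID, 8-bit Auth Data Length, 32-bit cryptographic sequence number.
AUTH_FIELD = struct.Struct("!HBBI")
DIGEST_LEN = 16


def keyed_md5(message: bytes, key: bytes) -> bytes:
    """MD5 over (message || key zero-padded to 16 bytes): the keyed-hash construction OSPF uses.

    Simplification (assumption stated in the text): real OSPF hashes the whole packet;
    this block hashes the auth field plus the update body only.
    """
    if not 1 <= len(key) <= 16:
        raise ValueError("OSPF MD5 keys are 1..16 octets")
    return hashlib.md5(message + key.ljust(16, b"\x00")).digest()


def sign_update(update: bytes, key_id: int, key: bytes, seq: int) -> bytes:
    """Sender side: prepend the auth field, append the keyed digest. The key never leaves the router."""
    framed = AUTH_FIELD.pack(0, key_id, DIGEST_LEN, seq) + update
    return framed + keyed_md5(framed, key)


def verify_update(packet: bytes, keys: dict, last_seq: int) -> tuple:
    """Receiver side. Returns (ok, reason, update, seq).

    Rejects an unknown key ID, a digest mismatch (tampering or a different key) and a
    sequence number that does not increase (replay of an old but genuine update).
    """
    if len(packet) < AUTH_FIELD.size + DIGEST_LEN:
        return False, "short packet", b"", None
    _reserved, key_id, auth_len, seq = AUTH_FIELD.unpack_from(packet)
    if auth_len != DIGEST_LEN or key_id not in keys:
        return False, "unknown key id or bad auth length", b"", None
    framed, digest = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    if not hmac.compare_digest(keyed_md5(framed, keys[key_id]), digest):
        return False, "digest mismatch", b"", None
    if seq <= last_seq:
        return False, "replayed or out-of-order sequence number", b"", seq
    return True, "ok", framed[AUTH_FIELD.size:], seq


def plaintext_auth(update: bytes, key: bytes) -> bytes:
    """Simple-password authentication for contrast: the 8-byte key rides in the clear."""
    return key.ljust(8, b"\x00")[:8] + update


# Constructed example inputs: a route update for the slide's 10.1.1.0/24 network, key ID 100.
UPDATE = b"LSA 10.1.1.0/24 metric 10"
KEY_ID, KEY = 100, b"cisco"

if __name__ == "__main__":
    pkt = sign_update(UPDATE, KEY_ID, KEY, seq=1)
    print("genuine :", verify_update(pkt, {KEY_ID: KEY}, last_seq=0)[1])
    tampered = bytearray(pkt)
    tampered[-DIGEST_LEN - 1] ^= 0x01      # flip a bit in the metric
    print("tampered:", verify_update(bytes(tampered), {KEY_ID: KEY}, last_seq=0)[1])
    print("replayed:", verify_update(pkt, {KEY_ID: KEY}, last_seq=1)[1])
    print("plaintext auth leaks:", plaintext_auth(UPDATE, KEY)[:8])
```

The sequence-number check is the part people forget: MD5 alone tells you the update came from someone holding the key, not that it is current, so a captured update could be replayed later to reinstate a withdrawn route if the receiver did not track the sequence number.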
What Ports Are Open on the Router?
• It may be useful to see what sockets/ports are open on the router:
  7206-UUNET-SJ#show ip sockets
  Proto  Remote           Port  Local            Port  In  Out  Stat  TTY  OutputIF
   17    192.190.224.195  162   204.178.123.178  2168  0   0    0     0
   17    --listen--             204.178.123.178  67    0   0    9     0
   17    0.0.0.0          123   204.178.123.178  123   0   0    1     0
   17    0.0.0.0          0     204.178.123.178  161   0   0    1     0
• Reading the output: proto 17 is UDP; the listeners here are bootp (67), NTP (123) and SNMP (161), and the first line is the SNMP trap destination on port 162. Compare each listener with the "services you turn off" list. For TCP listeners use show tcp brief all.

Securing the Network
• Route filtering
• Packet filtering
• Rate limits
Ingress Filters—Inbound Traffic
(Diagram: ISP A and ISP B connected to the Customer Network; ingress filters act on traffic coming into a network from an ISP or another customer.)

Egress Filters—Outbound Traffic
(Diagram: the same topology; egress filters act on traffic going out of a network towards another ISP or customer.)

Ingress and Egress Route Filtering
• Quick review of prefixes that should be neither accepted nor announced:
  0.0.0.0/8 ("this network") and 0.0.0.0/32 ("this host"); the default route is 0.0.0.0/0 and the limited broadcast address is 255.255.255.255
  127.0.0.0/8: host loopback
  192.0.2.0/24: TEST-NET, for documentation
  10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16: RFC 1918 private addresses
  169.254.0.0/16: end-node link-local auto-configuration (used when DHCP fails)

Ingress and Egress Route Filtering
• Two flavors of route filtering:
Distribute list—Widely used
Prefix list—Increasingly used (BGP only)
• Both work fine—Engineering preference
Ingress and Egress Packet Filtering
You should not be sending any IP packets out to the Internet with a source address other than the addresses that have been allocated to your network!

Packet Filtering
• Static access list on the edge of the network
• Dynamic access list with AAA profiles
• Unicast RPF
Ingress Packet Filtering: Customer Edge
(Diagram: the Internet, the ISP backbone, and customer 165.21.0.0/16 attached via Serial 0/1 with subnets 165.21.10.0/24, 165.21.19.0/24, 165.21.20.0/24 and 165.21.61.0/24. Traffic heading towards the customer must not carry a source address from 165.21.0.0/16, or from whatever block the customer actually holds; the filter is applied on the downstream aggregation and NAS routers. Example: a packet with source 165.21.10.1 arriving from the Internet would be blocked on the interface going to that customer.)

ICMP Filtering
Summary of message types (RFC 792: Internet Control Message Protocol; ICMP codes are not shown):
   0 Echo Reply
   3 Destination Unreachable
   4 Source Quench
   5 Redirect
   8 Echo
  11 Time Exceeded
  12 Parameter Problem
  13 Timestamp
  14 Timestamp Reply
  15 Information Request
  16 Information Reply
Controls:
  no ip redirects        (IOS will not send redirects on that interface)
  no ip unreachables     (IOS will not send unreachables)
  access-list 101 permit icmp any any <type> <code>    (extended access list, per type and code)

Inbound Packet Filtering
• Filter packets with internal addresses as source to prevent IP spoofing attacks
• Filter packets with RFC-reserved addresses as source to prevent IP address spoofing attacks
• Filter incoming bootp, TFTP, SNMP, and traceroute to prevent remote access and reconnaissance attacks
• Allow incoming pings to the external interface of the perimeter router only from the ISP host
• Permit DNS requests to the DMZ server on the bastion host (TCP port 53, not UDP port 53)
Egress Packet Filtering: Customer Edge
Diagram: Internet, Customer Backbone, 165.21.0.0/16 on Serial 0/1, customer blocks 165.21.20.0/24, 165.21.61.0/24, 165.21.19.0/24 and 165.21.10.0/24
Allow Source Address 165.21.X.0/16 (depending on the IP address block allocated to the customer)
Block Source Address from All Other Networks
Filter applied on downstream aggregation and NAS routers
Ex. IP packets with a source of 10.1.1.1 would be blocked
Outbound Packet Filtering
• Only allow packets with valid internal addresses as source to prevent IP spoofing attacks
• Filter packets with RFC-reserved addresses as source to prevent IP address spoofing attacks
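The customer-edge slides, the ICMP slide and the inbound/outbound checklists describe access lists by intent rather than by syntax. As an added example (not the deck's own configuration, and not IOS code), the following Python models the decisions those lists make: the customer-facing interface accepts only the customer's 165.21.0.0/16 block as a source, and the Internet-facing interface rejects that same block, the RFC 1918 and link-local ranges, and echo requests from anyone but an upstream monitoring host. The monitoring host address 198.51.100.7, the interface names and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not Cisco code): a minimal evaluator for numbered-ACL-style
# rules, enough to express the source-address and ICMP-type filters on the slides.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: str                        # source network in CIDR form, "0.0.0.0/0" for any
    icmp_type: Optional[int] = None # only checked for ICMP entries

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        return self.icmp_type is None or self.icmp_type == pkt.icmp_type


def apply_acl(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry decides; like an IOS ACL, the list ends in an implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


CUSTOMER_BLOCK = "165.21.0.0/16"   # block allocated to the customer (from the slides)
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]
ISP_MONITOR_HOST = "198.51.100.7/32"   # constructed address of the upstream's ping host

# Inbound on the customer-facing interface: only the customer's own block may
# appear as a source; everything else (10.1.1.1 included) hits the implicit deny.
FROM_CUSTOMER_ACL = [AclEntry("permit", "ip", CUSTOMER_BLOCK)]

# Inbound on the Internet-facing interface: the customer's block arriving from
# outside is spoofed, as are RFC 1918 and link-local sources; echo requests
# (ICMP type 8) are accepted only from the monitoring host, other traffic passes.
FROM_INTERNET_ACL = (
    [AclEntry("deny", "ip", CUSTOMER_BLOCK)]
    + [AclEntry("deny", "ip", b) for b in BOGONS]
    + [
        AclEntry("permit", "icmp", ISP_MONITOR_HOST, icmp_type=8),
        AclEntry("deny", "icmp", "0.0.0.0/0", icmp_type=8),
        AclEntry("permit", "ip", "0.0.0.0/0"),
    ]
)


def classify(direction: str, pkt: Packet) -> str:
    """direction is 'from-customer' or 'from-internet'; returns 'permit' or 'deny'."""
    acl = FROM_CUSTOMER_ACL if direction == "from-customer" else FROM_INTERNET_ACL
    return apply_acl(acl, pkt)


if __name__ == "__main__":
    # Constructed packets: a legitimate customer packet and a spoofed one.
    print(classify("from-customer", Packet("165.21.10.1", "203.0.113.5", "tcp")))
    print(classify("from-customer", Packet("10.1.1.1", "203.0.113.5", "tcp")))
```

Note the asymmetry the two lists share: the customer-facing list is a whitelist of one block, while the Internet-facing list is a blacklist that ends in permit, which is why it must explicitly name every range that can never legitimately arrive from outside.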
Unicast Reverse Path Forwarding
• Source based feature (!)
• On the input path of an interface, after the input ACL check
• Requires CEF
• Small to no performance impact
• Does not look inside tunnels (GRE, IPinIP, …)
• History: Coming from Multicast world
• Strict available from 12.0
• Enhancements from 12.1(2)T (ACL & logging)
Strict uRPF Check (Unicast Reverse Path Forwarding)
Diagram: a router with interfaces i/f 1, i/f 2 and i/f 3 receives a packet (S -> D, data) and looks up S in the FIB
FIB: S -> i/f 1, same i/f as the packet arrived on: Forward
FIB: S -> i/f 2, other i/f: Drop
router(config-if)# ip verify unicast reverse-path
or: ip verify unicast source reachable-via rx allow-default
Loose uRPF Check (Unicast Reverse Path Forwarding)
Diagram: a router with interfaces i/f 1, i/f 2 and i/f 3 receives a packet (S -> D, data) and looks up S in the FIB
FIB: S -> i/f x, any i/f: Forward
FIB: S not in FIB, or route -> null0: Drop
router(config-if)# ip verify unicast source reachable-via any
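To make the strict/loose distinction concrete, here is an added Python model of the check (not IOS code): a longest-prefix lookup of the source address in a constructed FIB, followed by either the strict rule (the best route must point back out the arrival interface) or the loose rule (any route except one to null0). The FIB entries, the interface names and the treatment of a 0.0.0.0/0 route under allow_default are assumptions made for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (not IOS code): a FIB as a list of (prefix, outgoing interface),
# with None standing in for a route to null0, plus the strict and loose uRPF
# decisions taken against it.

FibEntry = Tuple[str, Optional[str]]

# Constructed FIB for the router on the slides: the customer's block via Serial0/1,
# the upstream via a default route, and a bogon prefix black-holed to null0.
SAMPLE_FIB: List[FibEntry] = [
    ("165.21.0.0/16", "Serial0/1"),
    ("192.168.0.0/16", None),        # route -> null0
    ("0.0.0.0/0", "Serial0/0"),
]


def lookup(fib: List[FibEntry], src: str):
    """Longest-prefix match on the source address.
    Returns (network, interface) or None when no route covers the source."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib: List[FibEntry], src: str, ingress_iface: str,
               mode: str = "strict", allow_default: bool = False) -> str:
    """Return 'forward' or 'drop' following the slides' rules:
    strict: the best route to S must point back out the arrival interface;
    loose: any route to S will do, as long as it is not null0.
    A default route only counts when allow_default is set (assumption modelled
    on the allow-default keyword)."""
    match = lookup(fib, src)
    if match is None:                       # S not in FIB
        return "drop"
    net, iface = match
    if iface is None:                       # route -> null0
        return "drop"
    if net.prefixlen == 0 and not allow_default:
        return "drop"
    if mode == "loose":
        return "forward"
    return "forward" if iface == ingress_iface else "drop"


if __name__ == "__main__":
    # Constructed packets: the customer's own address arriving from the customer
    # side passes strict; the same address arriving from upstream fails strict
    # but passes loose; a 192.168.x.x source fails both.
    print(urpf_check(SAMPLE_FIB, "165.21.10.1", "Serial0/1"))
    print(urpf_check(SAMPLE_FIB, "165.21.10.1", "Serial0/0"))
    print(urpf_check(SAMPLE_FIB, "165.21.10.1", "Serial0/0", mode="loose"))
    print(urpf_check(SAMPLE_FIB, "192.168.1.1", "Serial0/0", mode="loose"))
```

The example also shows why strict mode belongs on single-homed customer and access interfaces: a source reachable only through a different interface is exactly the asymmetric-routing case that makes strict mode unsafe on backbone links, where loose mode still catches unrouted and black-holed sources.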
Limiting the Impact of DOS Attacks
Limit the Impact of DOS Attacks: Committed Access Rate
Diagram: Traffic Matching Specification -> Traffic Measurement Instrumentation (token bucket: tokens, burst limit) -> Action Policy, with separate actions for conforming traffic and excess traffic, then Next Policy
• Rate limiting
• Several ways to filter
• “Token bucket” implementation
CAR—Traffic Measurement
• Token bucket configurable parameters
Committed rate (bits/sec)
Configurable in increments of 8Kbits
Normal burst size (bytes)
To handle a temporary burst over the committed rate limit without paying a penalty. Minimum value is the committed rate divided by 2000
Extended burst size (bytes)
Burst in excess of the normal burst size. Used to drop packets gradually, in a more RED-like fashion, instead of entering a tail-drop scenario
CAR Rate Limiting
• Limit outbound ping to 256 Kbps
  interface xy
   rate-limit output access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
  !
  access-list 102 permit icmp any any echo
  access-list 102 permit icmp any any echo-reply
• Limit inbound TCP SYN packets to 8 Kbps
  interface xy
   rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop
  !
  access-list 103 deny tcp any host 142.142.42.1 established
  access-list 103 permit tcp any host 142.142.42.1
rate-limit arguments, in order: ACL, average rate (bits/sec), normal burst (bytes), excess burst (bytes)
Traffic can burst 8K above the 256K average for 8K worth of data
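As an added example (not Cisco's implementation), the following Python models the CAR token bucket with the parameters of the ping example above: 256000 bits/s with 8000-byte normal and extended bursts gives plain tail drop once the bucket is empty, while a larger extended burst lets packets borrow tokens and records compounded debt so that drops become progressively more frequent, which is the RED-like behaviour the previous slide describes. The debt bookkeeping follows the behaviour Cisco documents for the extended burst but is a simplified model; packet sizes and arrival times are constructed.

```python
from typing import Iterable, List, Tuple

# Added example (not Cisco code): a simplified CAR token bucket. Rates are in
# bits/s as on the rate-limit line; bursts and packet sizes are in bytes.


class CarTokenBucket:
    def __init__(self, rate_bps: int, normal_burst: int, extended_burst: int):
        self.rate = rate_bps / 8.0          # token replenishment, bytes per second
        self.normal = normal_burst
        self.extended = extended_burst
        self.tokens = float(normal_burst)   # bucket starts full
        self.actual_debt = 0.0              # bytes currently borrowed beyond the bucket
        self.compounded_debt = 0.0          # sum of actual debts since the last drop
        self.last = 0.0                     # time of the previous refill, seconds

    def _refill(self, now: float) -> None:
        gained = max(0.0, now - self.last) * self.rate
        self.last = now
        # newly earned tokens first repay borrowed ones, then top up the bucket
        repaid = min(gained, self.actual_debt)
        self.actual_debt -= repaid
        self.tokens = min(float(self.normal), self.tokens + gained - repaid)

    def offer(self, now: float, size: int) -> str:
        """Return 'conform' or 'exceed' for a packet of `size` bytes seen at `now`."""
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        if self.extended <= self.normal:    # no extended burst configured: tail drop
            return "exceed"
        # extended burst: borrow the shortfall and track how deep in debt we are
        new_debt = self.actual_debt + (size - self.tokens)
        self.compounded_debt += new_debt
        if self.compounded_debt > self.extended:
            self.compounded_debt = 0.0      # drop this one and open a fresh debt window
            return "exceed"
        if new_debt > self.extended:        # too far in debt to borrow any more
            return "exceed"
        self.actual_debt = new_debt
        self.tokens = 0.0
        return "conform"


def run(bucket: CarTokenBucket, arrivals: Iterable[Tuple[float, int]]) -> List[str]:
    """Feed (time, size) arrivals through the bucket and collect the verdicts."""
    return [bucket.offer(t, size) for t, size in arrivals]


def ping_limit_tail_drop() -> List[str]:
    """rate-limit ... 256000 8000 8000: nine 1000-byte packets at once, then
    eight more a quarter second later (constructed arrivals)."""
    bucket = CarTokenBucket(256000, 8000, 8000)
    arrivals = [(0.0, 1000)] * 9 + [(0.25, 1000)] * 8
    return run(bucket, arrivals)


def ping_limit_extended_burst() -> List[str]:
    """Same rate and normal burst, but a 16000-byte extended burst: fourteen
    1000-byte packets at once (constructed arrivals)."""
    bucket = CarTokenBucket(256000, 8000, 16000)
    return run(bucket, [(0.0, 1000)] * 14)


if __name__ == "__main__":
    print(ping_limit_tail_drop())
    print(ping_limit_extended_burst())
```

In the tail-drop run the ninth packet is the first to exceed, and a quarter second of refill at 32000 bytes/s restores the full 8000-byte burst; in the extended-burst run the bucket keeps lending until the compounded debt passes 16000 bytes, so the first drop comes at the fourteenth packet rather than the ninth, and later drops arrive more and more often as the debt grows.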
Where to get additional information
• The NSA’s Router Security document and the NIST’s recommendations on data security provide a good starting point for creating default IOS router configurations.
• http://www.fcw.com/fcw/articles/2002/0128/web-nist-01-28-02.asp
• http://csrc.nist.gov/publications/drafts/ITcontingency-planning-guideline.pdf
• http://www.cisecurity.org/
• Cisco’s own SAFE training provides important tips to customers:
• http://www.cisco.com/warp/public/707/newsflash.html
• http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html
• http://cisco.com/warp/public/707/21.html#flood
Cisco Security Courses
• MCNS – Managing Cisco Network Security
• CSIDS – Cisco Secure Intrusion Detection Systems
• CSIHS – Cisco Secure IDS Host Sensor
• CSPFA – Cisco Secure PIX Firewall Advanced
• CSPM – Cisco Secure Policy Manager
• CSVPN – Cisco Secure Virtual Private Networks
• CSDI – Cisco SAFE Design Implementation
Cisco Press Books
Cisco Secure PIX Firewalls (CSPFA), released December 2001
Cisco Secure Virtual Private Networks (CSVPN), released December 2001
Managing Cisco Network Security (MCNS), released January 2001
Cisco Secure Intrusion Detection System (CSIDS), released October 2001
Available at bookstores, computer stores, and online booksellers