Designing Secure Network Infrastructures
Peter Elford, pelford@cisco.com
© 1998, Cisco Systems, Inc.

Presentation Transcript

Agenda

I. Introduction

II. Router/Switch Security

III. Resource Protection

IV. Perimeter Protection

V. Maintaining Network Integrity

VI. Security Maintenance Validation

Approaching Network Security

Identify your network assets

Determine points of access

Know your enemy

Limit the scope of access

Identify your assumptions

Count the cost

Remember human factors

Keep limited secrets

Security is pervasive

Understand your network environment

Remember physical security

Solutions: Before you Begin... Security is an ATTITUDE!

  • On-Site Security Policy

  • Host Security (UNIX/VMS)

  • Workstation Security (X, MS, MAC, OS/2)

  • Network Security

  • Password Policies

  • Application Security

  • Tools to Track Attacks

  • Ability to lock ‘em up (every security policy needs a big stick)

Define a Security Policy

  • Define what to protect—anything that could cause problems if it were to stop or malfunction

  • Decide how to protect it—good enough versus absolute protection

  • Think about cost of protection vs. cost of loss or corruption

II. Router/Switch Security

  • Threats

  • Avoidance Measures

Router Security

  • Local or Remote Security

    • Where to store passwords

  • Network Access Security

    • How to control access through the router

  • Terminal Access Security

    • How to control access to the router

  • AAA Accounting and Billing

    • What has gone through and what is done to the router

  • Traffic Filters

    • What can go where via the router

  • Router Access (Neighbour Authentication)

    • How do I trust a route update?

  • Network Data Encryption

    • Stop viewing or tampering of data through network

The Administrative Interface

  • Password Protection

  • Password Encryption


Native Passwords

line console 0
 password one4all
 exec-timeout 1 30

User Access Verification

Password: <one4all>

The native passwords can be viewed by anyone logging in with the enable password.

Service Password-Encryption (7)

  • Will encrypt all passwords on the Cisco IOS with Cisco-defined encryption type “7”

  • Use “enable password 7 <password>” for cut/paste operations

  • Cisco proprietary encryption method

Service Password-Encryption

Before:

hostname Router
enable password one4all

After adding:

service password-encryption

hostname Router
enable password 7 15181E020F

Enable Secret (5)

  • Uses MD5 to produce a one-way hash

  • Cannot be decrypted (it can still be guessed offline by hashing candidate passwords, so the secret itself must be strong)

  • Use “enable secret 5 <password>”to cut/paste another “enable secret” password

Enable Secret (5)

Before:

hostname Router
enable password 1forAll

After:

hostname Router
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
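The practical difference between the two storage forms on the slides above is worth seeing in code. This is an added example (Python), not material from the presentation: type 7 is a reversible XOR against a key string that is the same in every IOS image, so anyone who can read the configuration recovers the cleartext; the enable secret is the md5crypt scheme (salted, 1000 rounds of MD5, the "$1$" format), which can only be checked by recomputing it. Decoding the slide's own strings shows the point: "15181E020F" decodes to "junk", not "one4all", and the "username bill password 7 030E4E050D5C" line on the TACACS+ slide decodes to "junk3". The md5crypt call uses the slide's salt "hM3l" with a constructed password; the slide's stored hash is not reproduced here.

```python
import hashlib
import hmac

# --- Type 7 ("service password-encryption") -------------------------------
# The same fixed key stream is built into every IOS image, so a type 7 string
# is obfuscation, not encryption: anyone holding the configuration can undo it.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext behind 'password 7 <digits>'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string is two seed digits plus hex byte pairs")
    seed = int(encoded[:2], 10)          # offset into XLAT where the key stream starts
    body = bytes.fromhex(encoded[2:])    # each byte is cleartext XOR key stream
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def type7_encode(cleartext: str, seed: int = 15) -> str:
    """Produce a type 7 string; the seed is the only variable input."""
    data = cleartext.encode()
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# --- Type 5 ("enable secret"): md5crypt -----------------------------------
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    """Salted, 1000-round MD5 in the $1$ format IOS stores for 'enable secret'."""
    pw, salt_b, magic = password.encode(), salt[:8].encode(), b"$1$"
    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                   # historical quirk of the algorithm
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                      # the stretching that slows guessing
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    out = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    out += _to64(final[11], 2)
    return (magic + salt_b + b"$" + out).decode()


def md5crypt_verify(password: str, stored: str) -> bool:
    """The only operation possible on a type 5 secret: recompute and compare."""
    _scheme, salt, _digest = stored[1:].split("$", 2)
    return hmac.compare_digest(md5crypt(password, salt), stored)


if __name__ == "__main__":
    for s in ("15181E020F", "030E4E050D5C"):     # strings taken from the slides
        print(s, "->", type7_decode(s))
    h = md5crypt("1forAll", "hM3l")                # constructed password, slide's salt
    print(h, md5crypt_verify("1forAll", h))
```

Because the type 7 key stream is public, treat every "password 7" line in a configuration backup, a TFTP dump or a pasted support case as cleartext. The enable secret is better, but md5crypt is cheap to compute by modern standards, so it protects a weak secret only briefly against an offline guessing run.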

Use Good Passwords

  • Do not use passwords that can be easily guessed

hmm…, How about


Authentication Mechanisms

  • Local Password

  • Kerberos

  • One-time Passwords

Cisco IOS TACACS+ Authentication

version 11.2
service password-encryption
hostname Router
aaa new-model
aaa authentication login billy tacacs+ enable
aaa authentication login bobby tacacs+ local
enable secret 5 $1$hM3l$.s/DgJ4TeKdDk…
username bill password 7 030E4E050D5C

  • "service password-encryption" encrypts the passwords with type 7 encryption.

  • List "billy" uses TACACS+, then the enable password.

  • List "bobby" uses TACACS+, then the local user and password.

  • "enable secret" takes precedence over a type 7 "enable password".

  • The "username" line defines a local user and password for "bill".

Cisco IOS TACACS+ Authentication (cont.)

tacacs-server host
tacacs-server key gW78pTkf9

line con 0
 login authentication billy
line aux 0
 login authentication billy
line vty 0 4
 login authentication bobby
 length 29
 width 92

  • "tacacs-server host" defines the IP address of the TACACS+ server (the address was lost in extraction).

  • "tacacs-server key" defines the "encryption" key for communicating with the TACACS+ server.

  • The console and aux lines use the authentication mechanisms listed in "billy": TACACS+ then the enable password.

  • The vty lines use the authentication mechanisms listed in "bobby": TACACS+ then a local user/password.

PIX TACACS+ Authentication

PIX Version 4.0.7
enable password BjeuCKspwqCc94Ss encrypted
passwd nU3DFZzS7jF1jYc5 encrypted
tacacs-server host <key>
aaa authentication telnet outbound tacacs+
aaa authentication ftp outbound tacacs+
aaa authentication http outbound tacacs+
no snmp-server location
no snmp-server contact
mtu outside 1500
mtu inside 1500
: end

  • "enable password": the enable password

  • "passwd": the Telnet password

  • "tacacs-server host": defines the IP address of the TACACS+ server and the key (the address was lost in extraction)

  • "aaa authentication ...": defines the services that require authentication

  • Defines the device that can Telnet into the PIX (the configuration line this callout pointed at was lost in extraction)

Enable Authentication

  • Cisco IOS—Can use the same authentication mechanisms for “enable” and “login” starting in Cisco IOS 11.3

  • PIX—Supports TACACS+ authentication mechanisms for the Console and “enable” since 4.2

Password of Caution

  • Even passwords that are encrypted in the configuration are not encrypted on the wire as an administrator logs into the router

Encrypted Telnet Sessions

  • Kerberos v5

    • Strong Authentication within the session

    • Relies heavily upon DNS and NTP

  • Cisco Encryption Technology (CET)

  • IPSec

One-Time Passwords

  • May be used with TACACS+ or RADIUS

  • The same “password” will never be reused by an authorized administrator

  • Key Cards—CryptoCard token server included with CiscoSecure

  • Support for Security Dynamics and Secure Computing token servers in Cisco Secure

Restrict Telnet Access

access-list 12 permit

line vty 0 4

access-class 12 in

SNMP

  • #1 Source of intelligence on a target network!

  • Block SNMP from the outside

    • access-list 101 deny udp any any eq snmp

  • If the router has SNMP, protect it!

    • snmp-server community fO0bAr RW 1

    • access-list 1 permit

  • Explicitly direct SNMP traffic to an authorized management station.

    • snmp-server host fO0bAr

SNMP (cont.)

  • Change your community strings! Do not use public, private, secret!

  • Use different community strings for the RO and RW communities.

  • Use mixed alphanumeric characters in the community strings: SNMP community strings can be cracked, too!

SNMP (cont.)

  • Version one sends cleartext community strings and has no policy reference

  • Version two addresses some of the known security weaknesses of SNMP version one

  • Version three is being worked on

Resource Deprivation Attacks

version 11.2


no service finger

no service udp-small-servers

no service tcp-small-servers


  • Daytime (13)

  • Chargen (19)

  • Echo (7)

  • Discard (9)

  • Finger (79)

Administrator Authorization Levels

privilege exec level 9 show

enable secret level 9 <AllinOne>

enable secret 5 <OneinAll>

  • Sixteen administrative levels that can be used to delegate authority

  • Cisco IOS commands can be associated with a level

Router# show priv

Current privilege level is 15

Router# disable

Router>enable 9


Router# show priv

Current privilege level is 9


Transaction Records

  • How do you tell when someone is attempting to access your router?

    • ip accounting

    • ip accounting access-violations

    • logging

  • Consider some form of audit trails:

    • Using the syslog feature.

    • SNMP Traps and alarms.

    • Implementing TACACS+, Radius, Kerberos, or third party solutions like One-Time Password token cards.

Audit Trail—Cisco IOS Syslog

unix% tail cisco.log
Feb 17 21:48:26 [] 31: *Mar 2 11:51:55 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (
unix% date
Tue Feb 17 21:49:53 CST 1998

version 11.2
service timestamps log datetime localtime show-timezone

Router>sho clock
*11:53:44.764 CST Tue Mar 2 1993
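The excerpt above makes a point the slide leaves unstated: the syslog host stamped the message at Feb 17 1998, while the router's own timestamp reads "*Mar 2 11:51:55" and its clock shows 1993; the leading asterisk is IOS's marker that the clock has never been set from an authoritative source (NTP, or a manual "clock set"). An audit trail is only as good as its timestamps. The following is an added example (Python), not part of the presentation: a parser for lines in this format that extracts the receiver time, the router time, the %FACILITY-SEVERITY-MNEMONIC tag, and flags unsynchronized clocks, large skew, configuration changes and ACL denies. The sample lines, host names and addresses are constructed; the regular expression covers the layout shown on the slide, not every syslog variant.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# One line as the UNIX host stored it: the host's receive time, the router
# name, an IOS sequence number, the router's own timestamp (a leading '*'
# means the router clock is not authoritative), then %FAC-SEV-MNEMONIC: text.
LINE_RE = re.compile(
    r"^(?P<rx>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?:\d+: )?"
    r"(?P<unsync>\*)?(?P<rtr>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)?"
    r"(?: [A-Z]{2,5})?: "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$"
)

# Constructed sample lines; "rtr1"/"rtr2" and the addresses are hypothetical.
SAMPLE_LINES = [
    "Feb 17 21:48:26 rtr1 31: *Mar  2 11:51:55 CST: %SYS-5-CONFIG_I: "
    "Configured from console by vty0 (192.0.2.10)",
    "Feb 17 21:48:30 rtr2 12: Feb 17 21:48:29 CST: %SEC-6-IPACCESSLOGP: "
    "list 111 denied tcp 203.0.113.5(1234) -> 192.0.2.25(23), 1 packet",
    "Feb 17 22:03:11 rtr2 13: Feb 17 22:03:10 CST: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty1 (198.51.100.7)",
]


def _stamp(text: str, year: int) -> datetime:
    # syslog timestamps carry no year; the caller supplies the receiving host's year
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_line(line: str, year: int) -> Optional[Dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    rx, rtr = _stamp(m["rx"], year), _stamp(m["rtr"], year)
    return {
        "host": m["host"],
        "facility": m["fac"],
        "severity": int(m["sev"]),
        "mnemonic": m["mnem"],
        "message": m["msg"],
        "clock_unsynced": m["unsync"] is not None,
        # router time minus receiver time; a lower bound, since the year is unknown
        "skew_seconds": int((rtr - rx).total_seconds()),
    }


def audit(lines: List[str], year: int, max_skew: int = 300) -> List[Dict]:
    """Return one finding per line that deserves an operator's attention."""
    findings = []
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        issues = []
        if rec["clock_unsynced"]:
            issues.append("clock-unsynchronized")
        if abs(rec["skew_seconds"]) > max_skew:
            issues.append("clock-skew")
        if rec["mnemonic"] == "CONFIG_I":          # someone changed the configuration
            issues.append("config-change")
        if rec["mnemonic"].startswith("IPACCESSLOG"):  # an access list dropped traffic
            issues.append("acl-denied")
        if issues:
            findings.append({"host": rec["host"], "issues": issues, "message": rec["message"]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LINES, year=1998):
        print(f["host"], f["issues"], f["message"])
```

The skew on the first sample line comes out at roughly twelve and a half days even when both timestamps are read as 1998; the "show clock" output on the slide shows the real error is five years. Run the router with NTP against a trusted source (see "Secure Vital Services" later in the deck) and keep the receiver's timestamp as well, so a log entry can be placed on a timeline even if the router's clock is wrong.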


Catalyst Security

  • Set passwords & SNMP

    • set password

    • set enablepass

    • set snmp community read-only fO0bAr

  • Control access to telnet and SNMP

    • set ip permit enable

    • set ip permit

    • set ip permit

    • set ip permit

  • Console timeout

    • set logout 5 minutes vs. 20 default

Catalyst Security (cont.)

  • Use TACACS for login

    • set authentication login tacacs enable

    • set authentication enable tacacs enable

    • set tacacs key secretkey

    • set tacacs server

  • Use logging

    • set logging console disable

    • set logging server

    • set logging server enable

    • set logging session enable

III. Resource Protection

  • Individual Resources

  • Threats

  • Avoidance measures

Spoofing

interface Serial 1
 ip address
 ip access-group 111 in
 no ip directed-broadcast

interface ethernet 0/0
 ip address
 no ip directed-broadcast

access-list 111 deny ip any
access-list 111 deny ip any

[Diagram: a spoofed packet, shown as "IP (D= S=", arriving on Serial 1; the addresses on the slide were lost in extraction]

Source Routing

interface Serial 1
 ip address
 ip access-group 111 in

no ip source-route

access-list 111 permit ip any

[Diagram: a packet announcing "I'm <address> and here's the route back to me" via an IP source-route option; the address was lost in extraction]

RFC 791: Internet Protocol (defines the loose and strict source route options)

Cisco IOS with an Access List

interface ethernet 0/0

ip address


interface ethernet 0/1

ip address

ip access-group 111 in

no ip unreachables

no ip redirects


access-list 111 permit tcp any host eq smtp

access-list 111 permit tcp any host established

access-list 111 permit icmp any host
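The access lists on the preceding slides (the anti-spoofing denies on Serial 1, the standard lists used for "access-class" on the vty lines and for SNMP, and the inbound extended list with "established") all rely on the same matching rules: entries are tried in order, the first match wins, and anything that matches nothing hits the implicit deny at the end. The following is an added example (Python), not code from the presentation: an evaluator for the subset of IOS access-list syntax used on these slides, run against constructed packets. It generalizes slightly beyond the slides by handling both standard and extended lists. The addresses (192.0.2.0/24 as the inside network, 192.0.2.25 as the mail host, 203.0.113.0/24 outside) are assumptions; the slides' own addresses were lost in extraction.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port keywords that appear on the slides plus a few common ones.
PORT_NAMES = {"smtp": 25, "pop3": 110, "ident": 113, "snmp": 161,
              "telnet": 23, "www": 80, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")      # address + wildcard meaning "any"


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False     # ACK (or RST) bit set; this is all 'established' checks


@dataclass
class Entry:
    action: str
    proto: str = "ip"
    src: Tuple[str, str] = ANY
    dst: Tuple[str, str] = ANY
    dport: Optional[int] = None
    established: bool = False


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD' | bare 'A'."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and _is_ipv4(tok[i + 1]):
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1          # standard-list shorthand for a host


def _in(spec: Tuple[str, str], addr: str) -> bool:
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == net & care


def parse_acls(text: str) -> Dict[int, List[Entry]]:
    acls: Dict[int, List[Entry]] = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0].lower() != "access-list":
            continue
        number, action = int(tok[1]), tok[2]
        e = Entry(action=action)
        if number <= 99:                          # standard list: source address only
            e.src, _ = _addr(tok, 3)
        else:                                     # extended list: proto src dst [opts]
            e.proto = tok[3]
            e.src, i = _addr(tok, 4)
            e.dst, i = _addr(tok, i)
            while i < len(tok):
                if tok[i] == "eq":
                    e.dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
                    i += 2
                elif tok[i] == "established":
                    e.established, i = True, i + 1
                else:
                    raise ValueError(f"unsupported keyword {tok[i]!r} in: {line}")
        acls.setdefault(number, []).append(e)
    return acls


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; fall through to the implicit deny (index None)."""
    for n, e in enumerate(entries, 1):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_in(e.src, pkt.src) and _in(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.established and not pkt.ack:
            continue
        return e.action, n
    return "deny", None


# Constructed configuration in the spirit of the slides (addresses are assumptions).
ACL_TEXT = """
access-list 12 permit 192.0.2.0 0.0.0.255
access-list 111 deny ip 192.0.2.0 0.0.0.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 permit tcp any host 192.0.2.25 eq smtp
access-list 111 permit tcp any 192.0.2.0 0.0.0.255 established
access-list 111 permit icmp any 192.0.2.0 0.0.0.255
"""
ACLS = parse_acls(ACL_TEXT)
```

Two things the evaluator makes concrete: a packet arriving from the outside with an inside source address is dropped by the first entry before any permit is considered, and "established" is nothing more than a test of the ACK/RST bits, so a scanner that sets ACK on its probes passes that entry. That weakness is why the next slides move from static lists to the stateful "ip inspect" of the firewall feature set.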



Cisco IOS Firewall Feature Set


ip inspect audit-trail

ip inspect dns-timeout 10

ip inspect tcp idle-time 60

ip inspect name myfw smtp timeout 3600

ip inspect name myfw tcp timeout 3600


interface Ethernet 0

ip address

ip inspect myfw in


interface Serial 0

ip address

ip access-group 111 in


access-list 111 permit tcp any host eq smtp

access-list 111 permit tcp any host eq pop3

access-list 111 permit tcp any host eq ident



Firewall Protection

[Diagram: the Internet, a screening router, and a demilitarized zone (DMZ) with each server on its own switch port]

  • Use access control lists on the screening router to control traffic

  • Isolate each server from traffic with a switch

Syn Attack

[Diagram: a stream of TCP SYN packets, each shown as "TCP syn (D= S=", sent at the victim; the destination and source addresses were lost in extraction]

Cisco IOS Syn Attack Defense

ip tcp intercept list <access-list-number>
ip tcp intercept mode watch

  • How many session requests in the last one minute?

  • How many incomplete sessions are there?

  • How long do I wait for the final ack?

[Diagram: TCP three-way handshake: syn, syn/ack, ack]

Cisco IOS Firewall Feature Set Syn Attack Defense

ip inspect tcp synwait-time [seconds]
ip inspect tcp finwait-time [seconds]
ip inspect tcp idle-time [seconds]

  • How many session requests in the last one minute?

  • How many incomplete sessions are there?

  • How long do I wait for the final ack?

[Diagram: TCP three-way handshake: syn, syn/ack, ack]
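Both defenses above answer the same three questions: how many connection requests arrived in the last minute, how many handshakes are still incomplete, and how long to wait for the final ACK before giving up on one. The following is an added example (Python), not code from the presentation: a tracker that consumes a constructed sequence of SYN and ACK events with timestamps, ages out half-open connections after a "synwait" period the way watch mode resets embryonic connections, and raises an alarm when either the half-open count or the one-minute request rate crosses a threshold. The thresholds, the synwait of 30 seconds and the sample addresses are assumptions chosen for the demonstration.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

Key = Tuple[str, int, str, int]   # (src, sport, dst, dport) identifies one connection


class SynWatch:
    """Track embryonic TCP connections the way 'ip tcp intercept mode watch' does."""

    def __init__(self, synwait: float = 30.0, max_incomplete: int = 100,
                 max_per_minute: int = 200) -> None:
        self.synwait = synwait                 # how long to wait for the final ACK
        self.max_incomplete = max_incomplete   # alarm threshold: half-open count
        self.max_per_minute = max_per_minute   # alarm threshold: SYNs in last 60 s
        self.half_open: Dict[Key, float] = {}  # SYN seen, ACK not yet seen
        self.requests: Deque[float] = deque()  # SYN arrival times within the last 60 s
        self.dropped: List[Key] = []           # half-open entries that timed out

    def _expire(self, now: float) -> None:
        for key, t0 in list(self.half_open.items()):
            if now - t0 > self.synwait:
                # watch mode: the router would reset this embryonic connection
                self.dropped.append(key)
                del self.half_open[key]
        while self.requests and now - self.requests[0] > 60.0:
            self.requests.popleft()

    def event(self, now: float, kind: str, src: str, sport: int, dst: str, dport: int) -> None:
        self._expire(now)
        key = (src, sport, dst, dport)
        if kind == "syn":
            self.half_open[key] = now
            self.requests.append(now)
        elif kind == "ack":                    # third packet of the handshake
            self.half_open.pop(key, None)      # connection complete, stop tracking
        # a "syn/ack" from the server adds nothing to either counter

    def status(self, now: float) -> Dict[str, object]:
        self._expire(now)
        incomplete, per_minute = len(self.half_open), len(self.requests)
        return {"incomplete": incomplete, "per_minute": per_minute,
                "alarm": incomplete > self.max_incomplete or per_minute > self.max_per_minute}


def simulate() -> Dict[str, object]:
    """Constructed traffic: three real clients, then a 250-packet SYN flood."""
    w = SynWatch(synwait=30.0, max_incomplete=100, max_per_minute=200)
    for i, t in enumerate((0.0, 1.0, 2.0)):           # legitimate handshakes complete
        src = f"198.51.100.{10 + i}"
        w.event(t, "syn", src, 40000 + i, "192.0.2.25", 25)
        w.event(t + 0.1, "ack", src, 40000 + i, "192.0.2.25", 25)
    for i in range(250):                              # spoofed sources never answer
        w.event(10.0 + i * 0.04, "syn", f"203.0.113.{1 + i}", 1000 + i, "192.0.2.25", 25)
    return {"during": w.status(20.0), "after_synwait": w.status(55.0),
            "quiet": w.status(90.0), "dropped": len(w.dropped)}


if __name__ == "__main__":
    for phase, value in simulate().items():
        print(phase, value)
```

Note the two alarms fire for different reasons at different times: during the flood the half-open count is what trips, and after the synwait has reaped every embryonic connection the one-minute request rate still exceeds its threshold. A defense that watched only one of the two would see a quieter picture than the router actually faced.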

Dynamic Routing Protocols

Path Redundancy to Route Around Failures

Route Update Authentication and Integrity

[Diagram: route update data -> assemble the packet with the key -> to the wire -> reassemble the packet with the signature -> route update data]
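The diagram above describes keyed-MD5 neighbour authentication as RIPv2, OSPF and EIGRP implemented it at the time: the sender appends the shared key to the update, computes an MD5 digest, and transmits the digest in place of the key; the receiver repeats the computation with its own copy of the key and accepts the update only if the digests match. The following is an added example (Python), not code from the presentation, of that sign-and-verify step in the style of RFC 2082 (key padded to 16 bytes, digest over the update plus the key). The route encoding, the key and the routes are constructed; the real protocol packet layouts are not reproduced.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import List, Optional, Tuple

KEY_LEN = 16          # RFC 2082 carries the key in a 16-byte authentication field
ROUTE_FMT = "!4sI"    # constructed update layout: 4-byte prefix, 4-byte metric


def _pad_key(key: bytes) -> bytes:
    if len(key) > KEY_LEN:
        raise ValueError("key longer than the 16-byte authentication field")
    return key.ljust(KEY_LEN, b"\0")


def encode_update(routes: List[Tuple[str, int]]) -> bytes:
    return b"".join(struct.pack(ROUTE_FMT, ipaddress.IPv4Address(p).packed, m)
                    for p, m in routes)


def decode_update(data: bytes) -> List[Tuple[str, int]]:
    size = struct.calcsize(ROUTE_FMT)
    return [(str(ipaddress.IPv4Address(p)), m)
            for p, m in (struct.unpack(ROUTE_FMT, data[i:i + size])
                         for i in range(0, len(data), size))]


def sign_update(update: bytes, key: bytes) -> bytes:
    """Sender: hash the update with the key appended; ship update + digest, never the key."""
    return update + hashlib.md5(update + _pad_key(key)).digest()


def verify_update(packet: bytes, key: bytes) -> Optional[List[Tuple[str, int]]]:
    """Receiver: recompute with its own key; reject the update on any mismatch."""
    update, digest = packet[:-16], packet[-16:]
    expected = hashlib.md5(update + _pad_key(key)).digest()
    if not hmac.compare_digest(digest, expected):
        return None                      # wrong neighbour, or the update was altered
    return decode_update(update)


def tamper(packet: bytes) -> bytes:
    """An on-path change: flip the low bit of the first route's metric."""
    p = bytearray(packet)
    p[7] ^= 0x01
    return bytes(p)


# Constructed neighbour key and routes (not values from the presentation).
KEY = b"rtr-neighbour-1"
ROUTES = [("10.1.0.0", 1), ("10.2.0.0", 2), ("10.3.0.0", 5)]

if __name__ == "__main__":
    pkt = sign_update(encode_update(ROUTES), KEY)
    print("good key   :", verify_update(pkt, KEY))
    print("wrong key  :", verify_update(pkt, b"wrong-key"))
    print("tampered   :", verify_update(tamper(pkt), KEY))
```

The digest protects the update against forged neighbours and against modification in transit, but it is not confidentiality: the routes travel in the clear. Note also that this construction is plain MD5 over data plus key rather than an HMAC, and MD5 is no longer considered adequate; current deployments use HMAC-SHA variants (for example RFC 5709 for OSPFv2). The key must still be shared out of band and rotated, since every router holding it can sign updates.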

Route Filtering

router rip


distribute-list 1 in


access-list 1 deny

access-list 1 permit

Router# show ip protocol

Routing Protocol is "rip"

Sending updates every 30 seconds, next due in 12 seconds

Invalid after 180 seconds, hold down 180, flushed after 240

Outgoing update filter list for all interfaces is not set

Incoming update filter list for all interfaces is 1

Redistributing: rip

Secure Vital Services

  • Network Time Protocol Sources

  • Domain Name Servers

  • Certificate Authority

Session Protection through Network Layer Encryption

[Diagram: two peers, each holding the shared secret key, with the encrypted session between them]

IPSec: the IETF working group defining IP Security

NetRanger

  • Sensors watch for attacks or problems

  • NetRanger stops active attacks

Vulnerability Scanning

  • Network mapping

    • Identify live hosts

    • Identify services on hosts

  • Vulnerability scanning

    • Analyse discovery data for potential vulnerabilities

    • Confirm vulnerabilities on targeted hosts

VI. Security Maintenance Validation

What steps can you take to make sure that your network will continue to be secure?

Modeling Tools

  • NetSys Modeling can verify the access controls in your network

0937_03F8_c2 NW98_Africa_405

© 1998, Cisco Systems, Inc.


Protecting the Internet from your site!

  • Anti-spoofing at exit points

  • Local traffic tracing ability

Implementation

  • Many things that can be done

  • From a policy

    • Identify immediate need

    • Deploy configuration changes

    • Review need for additional work

  • Does not require upgrades and $$

    • Apart from AAA server, crypto

    • Use existing servers for some logging

    • Obviously needs human resource

Where to get more information?

  • Security URLs:

    • Increasing Security On IP Networks:

    • Security Configuration Guide (11.2)

    • Computer Operations, Audit, and Security Technology (COAST):

    • CERT Coordination Center:
