Designing Secure Network Infrastructures
Peter Elford, pelford@cisco.com
© 1998, Cisco Systems, Inc.
Presentation Transcript
Agenda
I. Introduction
II. Router/Switch Security
III. Resource Protection
IV. Perimeter Protection
V. Maintaining Network Integrity
VI. Security Maintenance Validation

Approaching Network Security
  • Identify your network assets
  • Determine points of access
  • Know your enemy
  • Limit the scope of access
  • Identify your assumptions
  • Count the cost
  • Remember human factors
  • Keep limited secrets
  • Security is pervasive
  • Understand your network environment
  • Remember physical security
Solutions: Before you Begin... Security is an ATTITUDE!
  • On-Site Security Policy
  • Host Security (UNIX/VMS)
  • Workstation Security (X, MS, Mac, OS/2)
  • Network Security
  • Password Policies
  • Application Security
  • Tools to Track Attacks
  • Ability to lock 'em up (every security policy needs a big stick)
Define a Security Policy
  • Define what to protect—anything that could cause problems if it were to stop or malfunction
  • Decide how to protect it—good enough versus absolute protection
  • Think about cost of protection vs. cost of loss or corruption
II. Router/Switch Security
  • Threats
  • Avoidance Measures
Router Security
  • Local or Remote Security
    • Where to store passwords
  • Network Access Security
    • How to control access through the router
  • Terminal Access Security
    • How to control access to the router
  • AAA Accounting and Billing
    • What has gone through and what is done to the router
  • Traffic Filters
    • What can go where via the router
  • Router Access (Neighbour Authentication)
    • How do I trust a route update?
  • Network Data Encryption
    • Prevent viewing or tampering with data as it crosses the network
The Administrative Interface
  • Password Protection
  • Password Encryption
Native Passwords

  line console 0
   login
   password one4all
   exec-timeout 1 30

  User Access Verification
  Password: <one4all>
  router>

Logging in on the console with the line password configured above. Native (line) passwords are stored in cleartext in the configuration, so anyone who can read the configuration (show running-config, a TFTP backup, a printout) can read them.

Service Password-Encryption (7)
  • Encrypts all line, username and enable passwords in the Cisco IOS™ configuration with Cisco-defined encryption type "7"
  • Use "enable password 7 <encrypted-string>" to cut/paste an already-encrypted password into another configuration
  • Cisco-proprietary method. It is a reversible obfuscation, not strong encryption: it stops casual reading of the configuration, but anyone who obtains a type 7 string can recover the cleartext, so treat a leaked configuration as a leaked password
Service Password-Encryption

Before:
  hostname Router
  !
  enable password one4all
  !

After adding "service password-encryption":
  service password-encryption
  !
  hostname Router
  !
  enable password 7 15181E020F
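Type 7 is worth seeing reversed rather than taking on trust. The following Python is an added example, not code from the presentation or from Cisco: it implements the publicly known type 7 scheme (a XOR against a fixed 53-byte key, with the first two characters of the string giving the starting offset into that key), recovers the cleartext behind the two type 7 strings that appear on these slides, and shows the round trip that service password-encryption performs. The configuration excerpt in the block is constructed from lines on the slides; the function names are mine.

```python
import re

# Fixed key table used by Cisco IOS type 7 "encryption".  It is a public
# constant, which is exactly why type 7 offers no real protection.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Recover the cleartext from an IOS 'password 7 <hex>' string.

    Format: two decimal digits (offset into XLAT, 0..15) followed by one
    hex byte per password character, each XORed with XLAT[offset + i].
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of chars, at least 4")
    seed = int(encoded[:2])
    if not 0 <= seed <= 15:
        raise ValueError("type 7 offset must be 00..15")
    blob = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(blob))
    return clear.decode("ascii")


def type7_encode(cleartext, seed=0):
    """Produce the 'password 7' form, as service password-encryption would
    (IOS picks the offset itself; here it is a parameter)."""
    if not 0 <= seed <= 15:
        raise ValueError("offset must be 0..15")
    data = cleartext.encode("ascii")
    obf = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return "%02d%s" % (seed, obf.hex().upper())


# Matches "password 7 <hex>", "key 7 <hex>" etc. at the end of a config line.
TYPE7_RE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]+)\s*$")


def recover_type7_secrets(config_text):
    """Return (config line, cleartext) for every type 7 string in a config."""
    found = []
    for line in config_text.splitlines():
        m = TYPE7_RE.search(line.strip())
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


# Constructed from lines shown on the slides; the two type 7 strings are
# the ones the presentation displays.
SAMPLE_CONFIG = """\
service password-encryption
!
enable password 7 15181E020F
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
!
username bill password 7 030E4E050D5C
"""

if __name__ == "__main__":
    for line, clear in recover_type7_secrets(SAMPLE_CONFIG):
        print("%-45s -> %r" % (line, clear))
    round_trip = type7_encode("one4all", seed=9)
    print(round_trip, "->", type7_decode(round_trip))
```

Run as a script it prints the cleartext of both slide strings (they decode to "junk" and "junk3", so the slide author evidently pasted them from a different configuration than the "before" example). The same recovery applies to type 7 strings that guard TACACS+/RADIUS keys and routing-protocol authentication keys, so a configuration backup has to be protected like a password file; of the two enable forms, only "enable secret" (type 5) survives a leak.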

Enable Secret (5)
  • Uses salted MD5 (the "$1$" format) to produce a one-way hash
  • Cannot be decrypted; it can still be attacked offline by guessing candidate passwords, so the password itself must be strong
  • Takes precedence over "enable password" when both are configured
  • Use "enable secret 5 <hash>" to cut/paste another "enable secret" hash
Enable Secret (5)

Before:
  hostname Router
  !
  enable password 1forAll
  !

After:
  hostname Router
  !
  enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1

Use Good Passwords
  • Do not use passwords that can be easily guessed

(Cartoon: "hmm..., How about "Pancho"?")

Authentication Mechanisms
  • Local Password
  • Kerberos
  • TACACS+
  • RADIUS
  • One-time Passwords
Cisco IOS TACACS+ Authentication

  version 11.2
  !
  service password-encryption
  !
  hostname Router
  !
  aaa new-model
  aaa authentication login billy tacacs+ enable
  aaa authentication login bobby tacacs+ local
  enable secret 5 $1$hM3l$.s/DgJ4TeKdDk…
  !
  username bill password 7 030E4E050D5C
  !

  • "service password-encryption" encrypts passwords with encryption (7)
  • List "billy": use TACACS+, then the enable password
  • List "bobby": use TACACS+, then the local user and password
  • The fallback method in a list is used only when the TACACS+ server cannot be reached, not when it rejects the login
  • "enable secret" overrides the (7)-encrypted enable password
  • Defines a local user and password for "bill"

Cisco IOS TACACS+ Authentication

  tacacs-server host 10.1.1.2
  tacacs-server key gW78pTkf9
  !
  line con 0
   login authentication billy
  line aux 0
   login authentication billy
  line vty 0 4
   login authentication bobby
   length 29
   width 92
  !
  end

  • "tacacs-server host" defines the IP address of the TACACS+ server
  • "tacacs-server key" defines the shared key used to "encrypt" communication with the TACACS+ server; anyone who reads it from the configuration can decode that traffic
  • The console and aux lines use the authentication mechanisms listed in "billy": TACACS+ then the enable password
  • The vty lines use the authentication mechanisms listed in "bobby": TACACS+ then a local user/password

PIX TACACS+ Authentication

  PIX Version 4.0.7
  enable password BjeuCKspwqCc94Ss encrypted
  passwd nU3DFZzS7jF1jYc5 encrypted
  tacacs-server host 10.1.1.2 <key>
  aaa authentication telnet outbound 0.0.0.0 0.0.0.0 tacacs+
  aaa authentication ftp outbound 0.0.0.0 0.0.0.0 tacacs+
  aaa authentication http outbound 0.0.0.0 0.0.0.0 tacacs+
  no snmp-server location
  no snmp-server contact
  telnet 10.1.1.2 255.255.255.255
  mtu outside 1500
  mtu inside 1500
  : end
  [OK]

  • "enable password ... encrypted": the enable password
  • "passwd ... encrypted": the Telnet password
  • "tacacs-server host": the IP address of the TACACS+ server and the shared key
  • "aaa authentication ... tacacs+": the outbound services (Telnet, FTP, HTTP) for which users must authenticate
  • "telnet 10.1.1.2 255.255.255.255": the only host that can Telnet into the PIX

Enable Authentication
  • Cisco IOS—Can use the same authentication mechanisms for "enable" and "login" starting in Cisco IOS 11.3
  • PIX—Supports TACACS+ authentication mechanisms for the console and "enable" since 4.2
Password of Caution
  • Even passwords that are encrypted in the configuration are sent in cleartext on the wire as an administrator logs into the router over Telnet; anyone who can sniff the management path captures them, whatever the on-box storage format
Encrypted Telnet Sessions
  • Kerberos v5
    • Strong authentication within the session (Kerberized Telnet can also encrypt the session)
    • Relies heavily upon DNS and NTP; if the KDC, name service or clock source is unavailable or compromised, so is the login
  • Cisco Encryption Technology (CET)
  • IPSec
One-Time Passwords
  • May be used with TACACS+ or RADIUS
  • The same "password" will never be reused by an authorized administrator, so a password sniffed from the wire is useless for replay
  • Token cards—CryptoCard token server included with CiscoSecure
  • Support for Security Dynamics and Secure Computing token servers in CiscoSecure
Restrict Telnet Access

  access-list 12 permit 172.17.55.0 0.0.0.255
  !
  line vty 0 4
   access-class 12 in

Only hosts in 172.17.55.0/24 may open a Telnet session to the router; every other source is refused by the implicit deny at the end of access list 12.

SNMP
  • #1 Source of intelligence on a target network!
  • Block SNMP from the outside
    • access-list 101 deny udp any any eq snmp
  • If the router has SNMP, protect it!
    • snmp-server community fO0bAr RW 1
    • access-list 1 permit 127.1.3.5
    (the community string is accepted only from sources permitted by access list 1)
  • Explicitly direct SNMP traps to an authorized management station.
    • snmp-server host 127.1.3.5 fO0bAr
    (IOS syntax is the host address followed by the community string)
SNMP
  • Change your community strings! Do not use public, private, secret!
  • Use different community strings for the RO and RW communities.
  • Use mixed alphanumeric characters in the community strings: SNMP community strings can be cracked, too!
SNMP
  • Version one sends cleartext community strings and has no policy reference
  • Version two addresses some of the known security weaknesses of SNMP version one (the widely deployed v2c variant still sends community strings in cleartext)
  • Version three, with authentication and privacy, was still being worked on when this was presented
Resource Deprivation Attacks

  version 11.2
  !
  no service finger
  no service udp-small-servers
  no service tcp-small-servers
  !

Disables the small servers an attacker can use to consume router resources (for example by pointing chargen at echo):
  • Daytime (13)
  • Chargen (19)
  • Echo (7)
  • Discard (9)
  • Finger (79)
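The SNMP, Telnet, password and small-server advice of the preceding slides is easiest to apply as a check that runs over every configuration backup. The Python below is an added example, not code from the presentation or a Cisco tool: it parses an IOS configuration into stanzas and reports the weaknesses those slides warn about (enable password without enable secret, missing service password-encryption, type 7 strings, default or unrestricted SNMP community strings, vty lines without an access-class, interfaces without "no ip directed-broadcast", small servers and finger left at their IOS 11.2 defaults, source routing enabled, no syslog host). The two sample configurations are constructed from commands on the slides; the severity labels and the check names are my own.

```python
import re

DEFAULT_COMMUNITIES = {"public", "private", "secret"}
# Services that IOS 11.2 (the release on the slides) enables unless
# explicitly turned off; later releases changed some of these defaults.
RISKY_SERVICES = ("finger", "tcp-small-servers", "udp-small-servers")


def parse_stanzas(config_text):
    """Split an IOS config into (header, [indented child lines]) pairs.

    IOS indents the body of interface/line/router stanzas by one space;
    every other command is its own stanza with no children.
    """
    stanzas = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and stanzas:
            stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def audit_ios_config(config_text):
    """Return a list of (severity, message) findings for one configuration."""
    stanzas = parse_stanzas(config_text)
    top = {header for header, _ in stanzas}
    findings = []

    def flag(severity, message):
        findings.append((severity, message))

    has_enable_pw = any(h.startswith("enable password") for h in top)
    has_enable_secret = any(h.startswith("enable secret") for h in top)
    if has_enable_pw and not has_enable_secret:
        flag("HIGH", "enable password without enable secret: type 7 or cleartext guards privileged mode")
    if "service password-encryption" not in top:
        flag("MEDIUM", "service password-encryption missing: line and user passwords stored in cleartext")

    for header, children in stanzas:
        for line in [header] + children:
            if re.search(r"\b(?:password|key)\s+7\s+[0-9A-Fa-f]+", line):
                flag("LOW", "type 7 (reversible) secret in config: " + line)
        if header.startswith("line vty") and not any(c.startswith("access-class") for c in children):
            flag("HIGH", header + ": no access-class, so Telnet is reachable from any source")
        if header.startswith("interface") and "no ip directed-broadcast" not in children:
            flag("MEDIUM", header + ": directed broadcasts not disabled (broadcast amplifier)")

    for header in top:
        m = re.match(r"snmp-server community (\S+)(?:\s+(ro|rw))?(?:\s+(\d+))?", header, re.I)
        if not m:
            continue
        community, mode, acl = m.group(1), (m.group(2) or "ro").lower(), m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            flag("HIGH", "default SNMP community string %r" % community)
        if mode == "rw" and not acl:
            flag("HIGH", "RW community %r not restricted by an access-list" % community)

    for service in RISKY_SERVICES:
        if "no service " + service not in top:
            flag("MEDIUM", "service %s not disabled (on by default in IOS 11.2)" % service)
    if "no ip source-route" not in top:
        flag("MEDIUM", "ip source-route not disabled: source-routed packets will be forwarded")
    if not any(re.match(r"logging \d+\.\d+\.\d+\.\d+$", h) for h in top):
        flag("LOW", "no syslog host (logging <address>): no off-box audit trail")
    return findings


# Constructed samples built from commands shown on the slides.
WEAK_CONFIG = """\
version 11.2
hostname Router
!
enable password one4all
!
interface Ethernet 0
 ip address 10.1.1.100 255.255.0.0
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 login
 password one4all
"""

HARDENED_CONFIG = """\
version 11.2
service password-encryption
no service finger
no service udp-small-servers
no service tcp-small-servers
hostname Router
!
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
no ip source-route
!
interface Ethernet 0
 ip address 10.1.1.100 255.255.0.0
 no ip directed-broadcast
!
access-list 1 permit 10.1.1.2
access-list 12 permit 172.17.55.0 0.0.0.255
snmp-server community fO0bAr RW 1
logging 10.1.1.2
!
line vty 0 4
 access-class 12 in
 login
 password 7 15181E020F
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("==", name)
        for severity, message in audit_ios_config(cfg):
            print("  %-6s %s" % (severity, message))
```

The hardened configuration still produces one finding: the vty line password is a type 7 string, because IOS has no stronger storage for line passwords. That is the argument for the AAA configuration on the TACACS+ slides, where the line authenticates against a server and the local password is only a fallback.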
Administrator Authorization Levels

  privilege exec level 9 show
  enable secret level 9 <AllinOne>
  enable secret 5 <OneinAll>

  • Sixteen administrative levels (0 to 15) that can be used to delegate authority
  • Cisco IOS commands can be associated with a level; here "show" is placed at level 9 and a separate secret opens that level

  Router# show priv
  Current privilege level is 15
  Router# disable
  Router>enable 9
  Password:
  Router# show priv
  Current privilege level is 9
  Router#

Transaction Records
  • How do you tell when someone is attempting to access your router?
    • ip accounting
    • ip accounting access-violations
    • logging 127.0.3.2
  • Consider some form of audit trail:
    • Using the syslog feature.
    • SNMP traps and alarms.
    • Implementing TACACS+, RADIUS, Kerberos, or third-party solutions like one-time password token cards, which give a per-user login record rather than a shared password.
Audit Trail—Cisco IOS Syslog

  unix% tail cisco.log
  Feb 17 21:48:26 [10.1.1.101.9.132] 31: *Mar 2 11:51:55 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)
  unix% date
  Tue Feb 17 21:49:53 CST 1998
  unix%

Router configuration:
  version 11.2
  service timestamps log datetime localtime show-timezone
  !
  logging 10.1.1.2

  Router>sho clock
  *11:53:44.764 CST Tue Mar 2 1993
  Router>

Note the leading "*" on the router's timestamp: it marks a clock that is not authoritative. This router has never been synchronised (it believes the date is March 1993 while the syslog host says February 1998), so its timestamps cannot be correlated with other logs. Configure NTP on the router, and protect the NTP source, before relying on its audit trail.
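The log line on this slide carries more than the configuration-change notice. The Python below is an added example, not code from the presentation or a Cisco tool: it parses IOS syslog lines in the layout the slide shows (syslog host timestamp, [router address.port], message sequence number, router timestamp with its clock marker, %FACILITY-SEVERITY-MNEMONIC and text) and raises the alerts an operator would want from this feed: a router clock that is not authoritative or is skewed from the syslog host, gaps in the message sequence, and configuration changes from a host that is not an approved management station. The first sample line is the slide's; the other two lines, the approved-station list and the alert names are constructed.

```python
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<recv>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) "      # syslog host's own timestamp
    r"\[(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+\.\d+)?\] "      # router address (.port.port)
    r"(?:(?P<seq>\d+): )?"                                    # "service sequence-numbers"
    r"(?P<clock>[*.])?(?P<rtr>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)(?:\.\d+)? (?P<tz>\w+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
CONFIG_RE = re.compile(
    r"Configured from (?P<where>\S+) by (?P<line>\S+)(?: \((?P<ip>\d+\.\d+\.\d+\.\d+)\))?"
)
REF_YEAR = 1999   # syslog timestamps carry no year; any non-leap year serves for skew arithmetic


def _ts(text):
    return datetime.strptime("%d %s" % (REF_YEAR, " ".join(text.split())), "%Y %b %d %H:%M:%S")


def parse_line(line):
    """Return a dict of fields for one syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"]) if rec["seq"] else None
    rec["severity"] = int(rec["severity"])
    # Positive skew: the router's clock is ahead of the syslog host's.
    rec["skew_seconds"] = int((_ts(rec["rtr"]) - _ts(rec["recv"])).total_seconds())
    return rec


def analyze(lines, approved_stations, max_skew=300):
    """Return (alert_kind, detail) pairs for a sequence of syslog lines."""
    alerts = []
    last_seq = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(("UNPARSED", line))
            continue
        src = rec["src"]
        if rec["clock"] == "*":          # IOS: time is not authoritative
            alerts.append(("CLOCK_UNSYNC", "%s: router time not authoritative (no NTP)" % src))
        elif rec["clock"] == ".":        # IOS: authoritative once, NTP sync since lost
            alerts.append(("CLOCK_NTP_LOST", "%s: router has lost NTP synchronisation" % src))
        if abs(rec["skew_seconds"]) > max_skew:
            alerts.append(("CLOCK_SKEW", "%s: router clock %+ds from syslog host" % (src, rec["skew_seconds"])))
        if rec["seq"] is not None:
            prev = last_seq.get(src)
            if prev is not None and rec["seq"] != prev + 1:
                alerts.append(("SEQ_GAP", "%s: sequence %d -> %d (lost or injected messages)" % (src, prev, rec["seq"])))
            last_seq[src] = rec["seq"]
        if rec["mnemonic"] == "CONFIG_I":
            cm = CONFIG_RE.search(rec["text"])
            origin = cm.group("ip") if cm and cm.group("ip") else "console"
            if origin != "console" and origin not in approved_stations:
                alerts.append(("CONFIG_CHANGE_UNAUTH",
                               "%s: configuration changed via %s from %s" % (src, cm.group("line"), origin)))
    return alerts


# First line is the one on the slide; the next two are constructed.
SAMPLE_LOG = [
    "Feb 17 21:48:26 [10.1.1.101.9.132] 31: *Mar 2 11:51:55 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)",
    "Feb 17 21:50:03 [10.1.1.101.9.132] 32: *Mar 2 11:53:32 CST: %SYS-5-CONFIG_I: Configured from console by vty1 (172.16.42.84)",
    "Feb 17 21:51:10 [10.1.1.101.9.132] 35: Feb 17 21:51:10 CST: %SYS-5-CONFIG_I: Configured from console by console",
]
APPROVED_STATIONS = {"10.1.1.2"}   # assumption: the only sanctioned management host

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG, APPROVED_STATIONS):
        print(kind, "-", detail)
```

On the slide's own line the analysis reports both a non-authoritative clock and a skew of about twelve and a half days, which is the correlation problem described above in machine-checkable form; the second constructed line shows a configuration change from an address that is not the management station, and the third a jump in the sequence number that would hide dropped or spoofed syslog messages (syslog runs over UDP, so neither loss nor injection is otherwise visible).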

Catalyst Security
  • Set passwords & SNMP
    • set password
    • set enablepass
    • set snmp community read-only fO0bAr
  • Control access to Telnet and SNMP
    • set ip permit enable
    • set ip permit 172.100.101.102
    • set ip permit diablo.cisco.com
    • set ip permit 172.160.161.0 255.255.192.0
  • Console timeout
    • set logout 5 (minutes; the default is 20)
Catalyst Security
  • Use TACACS for login
    • set authentication login tacacs enable
    • set authentication enable tacacs enable
    • set tacacs key secretkey
    • set tacacs server 144.254.5.9
  • Use logging
    • set logging console disable
    • set logging server 144.254.5.5
    • set logging server enable
    • set logging session enable
III. Resource Protection
  • Individual Resources
  • Threats
  • Avoidance measures
Spoofing

  interface Serial 1
   ip address 172.26.139.2 255.255.255.252
   ip access-group 111 in
   no ip directed-broadcast
  !
  interface ethernet 0/0
   ip address 10.1.1.100 255.255.0.0
   no ip directed-broadcast
  !
  access-list 111 deny ip 127.0.0.0 0.255.255.255 any
  access-list 111 deny ip 10.1.0.0 0.0.255.255 any

(Diagram: an outside host 172.16.42.84 sends a packet to 10.1.1.2 with the forged source address 10.1.1.1, claiming to be on the inside network; the inbound filter on Serial 1 drops it.)

Packets arriving on the outside interface with a loopback source, or with a source inside your own address space, are spoofed and are dropped at the border. The two deny lines are only the anti-spoofing part of the list: every IOS access list ends in an implicit deny, so in a real configuration they must be followed by the permit entries for legitimate traffic. "no ip directed-broadcast" stops the router from turning a packet addressed to the subnet broadcast address into a LAN broadcast, which removes it as an amplifier for smurf-style attacks.

Source Routing

  interface Serial 1
   ip address 172.16.139.2 255.255.255.252
   ip access-group 111 in
   no ip source-route
  !
  access-list 111 permit ip 10.16.0.0 0.0.255.255 any

(Diagram: an attacker outside the private network 10.16.0.0 announces "I'm 10.16.99.99, and here's the route back to me" by placing a source route option in the packet.)

The IP source route options (RFC 791, Internet Protocol) let a sender dictate the return path, so an outsider can claim an inside address and still receive the replies. "no ip source-route" makes the router discard any packet carrying a source route option. It is a global configuration command rather than an interface command, even though the slide lists it under the interface.

Cisco IOS with an Access List

  interface ethernet 0/0
   ip address 172.16.1.100 255.255.0.0
  !
  interface ethernet 0/1
   ip address 172.17.1.100 255.255.0.0
   ip access-group 111 in
   no ip unreachables
   no ip redirects
  !
  access-list 111 permit tcp any host 172.16.1.1 eq smtp
  access-list 111 permit tcp any host 172.16.1.1 established
  access-list 111 permit icmp any host 172.16.1.1

(Diagram: the router sits between e0/0 (172.16.0.0, where the server 172.16.1.1 lives) and e0/1 (172.17.0.0, the untrusted side); access list 111 is applied inbound on e0/1.)

Only new TCP connections to port 25 on 172.16.1.1 are accepted from the untrusted side. "established" lets return traffic for connections opened from the inside pass, because it matches any TCP segment with the ACK or RST bit set. That check is stateless: a packet crafted with the ACK bit set passes it whether or not a connection exists, which is why the firewall feature set on the next slide tracks sessions instead. "no ip unreachables" and "no ip redirects" stop the filtering interface from leaking information about the protected network through ICMP.
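Which packets the two access lists above actually pass is easy to get wrong, particularly the wildcard-mask matching, the implicit deny and the "established" keyword. The Python below is an added example, not code from the presentation or from Cisco: it parses extended IOS access-list lines of the forms used on the spoofing and access-list slides (any / host A / A WILDCARD, eq PORT, established), evaluates a packet against the list in order with the implicit deny at the end, and exercises both lists with constructed packets, including a forged ACK-only packet that the stateless "established" check lets through. The trailing "permit ip any any" on the anti-spoofing list is my addition, since the slide shows only its deny entries; the packet descriptions, the port-name table and the function names are mine.

```python
import ipaddress

# Service names accepted in "eq <name>" (a subset; assumption for this example).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80,
              "pop3": 110, "ident": 113, "snmp": 161}


def _addr_spec(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _port_spec(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_extended_acl(config_lines, number):
    """Parse 'access-list <number> {permit|deny} <proto> src [eq p] dst [eq p] [established]'."""
    entries = []
    for raw in config_lines:
        t = raw.lower().split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number):
            continue
        src, i = _addr_spec(t, 4)
        sport, i = _port_spec(t, i)
        dst, i = _addr_spec(t, i)
        dport, i = _port_spec(t, i)
        entries.append({"action": t[2], "proto": t[3], "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "established": "established" in t[i:]})
    return entries


def _wildcard_match(spec, addr):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate(entries, pkt):
    """Return 'permit' or 'deny' for a packet dict with proto, src, dst and optional sport/dport/flags."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not _wildcard_match(e["src"], pkt["src"]) or not _wildcard_match(e["dst"], pkt["dst"]):
            continue
        if e["sport"] is not None and e["sport"] != pkt.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        # "established" matches any TCP segment with ACK or RST set; there is no connection table.
        if e["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return e["action"]
    return "deny"   # implicit deny at the end of every IOS access list


# Anti-spoofing list from the "Spoofing" slide; the final permit is added here (assumption),
# because without it the implicit deny would drop all traffic.
SPOOF_ACL = [
    "access-list 111 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 111 deny ip 10.1.0.0 0.0.255.255 any",
    "access-list 111 permit ip any any",
]
# Server list from the "Cisco IOS with an Access List" slide.
SERVER_ACL = [
    "access-list 111 permit tcp any host 172.16.1.1 eq smtp",
    "access-list 111 permit tcp any host 172.16.1.1 established",
    "access-list 111 permit icmp any host 172.16.1.1",
]

if __name__ == "__main__":
    spoof = parse_extended_acl(SPOOF_ACL, 111)
    print("forged inside source:", evaluate(spoof, {"proto": "tcp", "src": "10.1.1.1", "dst": "10.1.1.2", "dport": 23}))
    srv = parse_extended_acl(SERVER_ACL, 111)
    print("SYN to port 80:", evaluate(srv, {"proto": "tcp", "src": "172.17.5.5", "dst": "172.16.1.1", "dport": 80, "flags": {"SYN"}}))
    print("ACK-only probe to port 80:", evaluate(srv, {"proto": "tcp", "src": "172.17.5.5", "dst": "172.16.1.1", "dport": 80, "flags": {"ACK"}}))
```

The last two lines of output are the point: a SYN to port 80 is refused, but the same packet with only the ACK bit set is accepted, which is exactly what an ACK scan sends to map hosts behind an "established" filter.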

Cisco IOS Firewall Feature Set

  logging 172.16.27.131
  ip inspect audit-trail
  ip inspect dns-timeout 10
  ip inspect tcp idle-time 60
  ip inspect name myfw smtp timeout 3600
  ip inspect name myfw tcp timeout 3600
  !
  interface Ethernet 0
   ip address 172.16.1.100 255.255.0.0
   ip inspect myfw in
  !
  interface Serial 0
   ip address 172.19.139.1 255.255.255.248
   ip access-group 111 in
  !
  access-list 111 permit tcp any host 172.16.1.1 eq smtp
  access-list 111 permit tcp any host 172.16.1.1 eq pop3
  access-list 111 permit tcp any host 172.16.1.1 eq ident

(Diagram: Ethernet 0 (e0) is the inside interface, Serial 0 (s0) the outside one.)

Inspection rule "myfw" watches sessions leaving through e0 and opens temporary return entries in the inbound list on s0 for them, so the static list only needs to permit the services the inside server offers.

Firewall Protection

(Diagram: the Internet connects through a screening router to a demilitarized zone (DMZ) holding the DNS, Mail and WWW servers, each on its own switch port.)

  • Use access control lists on the screening router to control traffic
  • Isolate each server from traffic with a switch, so a compromised server cannot sniff its neighbours
SYN Attack

(Diagram: a flood of TCP SYN segments arrives at the server 172.18.1.2 from forged, unreachable source addresses: S=1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5, 2.1.1.1, 2.1.1.2, ... The server answers each with a SYN/ACK that is never acknowledged, and its table of half-open connections fills until real clients are refused.)

Cisco IOS SYN Attack Defense

  ip tcp intercept list <access-list-number>
  ip tcp intercept mode watch

TCP intercept either completes the three-way handshake (SYN, SYN/ACK, ACK) on the server's behalf and hands the connection over only once it is established (intercept mode), or, in watch mode, lets the handshake through and resets half-open connections that do not complete in time. The tunable questions are:
  • How many session requests in the last one minute? ("ip tcp intercept one-minute")
  • How many incomplete sessions are there? ("ip tcp intercept max-incomplete")
  • How long do I wait for the final ACK? ("ip tcp intercept watch-timeout")

Cisco IOS Firewall Feature Set SYN Attack Defense

  ip inspect tcp synwait-time [seconds]
  ip inspect tcp finwait-time [seconds]
  ip inspect tcp idle-time [seconds]

The inspection engine tracks the state of every TCP handshake (SYN, SYN/ACK, ACK) it sees and tears down sessions that do not progress:
  • How many session requests in the last one minute? ("ip inspect one-minute")
  • How many incomplete sessions are there? ("ip inspect max-incomplete")
  • How long do I wait for the final ACK? ("ip inspect tcp synwait-time")

Dynamic Routing Protocols

Path redundancy to route around failures

Route Update Authentication and Integrity

(Diagram, sending side: the route update data is assembled together with the shared key and run through a hash function; the resulting signature is placed in the packet after the IP header and the route update data and sent to the wire. Receiving side: the packet is reassembled with the signature, the receiver recomputes the hash over the update data and its own copy of the key, and accepts the update only if the two signatures match.)

The key itself never travels on the wire, only the keyed hash does, so an attacker without the key can neither inject nor alter route updates undetected.

Route Filtering

  router rip
   network 10.0.0.0
   distribute-list 1 in
  !
  access-list 1 deny 0.0.0.0
  access-list 1 permit 10.0.0.0 0.255.255.255

  Router# show ip protocol
  Routing Protocol is "rip"
    Sending updates every 30 seconds, next due in 12 seconds
    Invalid after 180 seconds, hold down 180, flushed after 240
    Outgoing update filter list for all interfaces is not set
    Incoming update filter list for all interfaces is 1
    Redistributing: rip

Incoming RIP updates are filtered through access list 1: a default route (0.0.0.0) from a neighbour is refused and only routes inside 10.0.0.0/8 are accepted, so a rogue or misconfigured neighbour cannot redirect traffic by advertising a default route or foreign prefixes.

Secure Vital Services
  • Network Time Protocol Sources
  • Domain Name Servers
  • Certificate Authority
Session Protection through Network Layer Encryption

(Diagram: cleartext leaves the first router, is DES-encrypted with a shared secret key, crosses the Internet as ciphertext, and is DES-decrypted with the same shared secret key at the far router before being delivered as cleartext.)

IPSec—the IETF working group defining IP Security

NetRanger

(Diagram: several Sensors report to a central NetRanger Director.)

  • Sensors watch for attacks or problems
  • NetRanger stops active attacks
Vulnerability Scanning

(Diagram: a scanner probing several target hosts.)

  • Network mapping
    • Identify live hosts
    • Identify services on hosts
  • Vulnerability scanning
    • Analyse discovery data for potential vulnerabilities
    • Confirm vulnerabilities on targeted hosts
VI. Security Maintenance Validation

What steps can you take to make sure that your network will continueto be secure?

Modeling Tools
  • NetSys Modeling can verify the access controls in your network

Protecting the Internet from your site!
  • Anti-spoofing at exit points: drop outbound packets whose source address is not in your own address space
  • Local traffic tracing ability
Implementation
  • Many things that can be done
  • From a policy
    • Identify immediate need
    • Deploy configuration changes
    • Review need for additional work
  • Does not require upgrades and $$
    • Apart from AAA server, crypto
    • Use existing servers for some logging
    • Obviously needs human resource
Where to get more information?
  • Security URLs:
    • Increasing Security On IP Networks: http://www.cisco.com/warp/public/701/31.html
    • Security Configuration Guide (11.2)http://www.cisco.com/univercd/cc/td/doc/product/software/ios112/112cg_cr/2cbook/index.htm
    • Computer Operations, Audit, and Security Technology (COAST): http://www.cs.purdue.edu//coast/coast.html
    • CERT Coordination Center: http://www.cert.org/