Designing Secure Network Infrastructures
Peter Elford, pelford@cisco.com
© 1998, Cisco Systems, Inc.

Agenda
I. Introduction
II. Router/Switch Security
III. Resource Protection
IV. Perimeter Protection
V. Maintaining Network Integrity
VI. Security Maintenance Validation
Approaching Network Security
• Identify your network assets
• Determine points of access
• Know your enemy
• Limit the scope of access
• Identify your assumptions
• Count the cost
• Remember human factors
• Keep limited secrets
• Security is pervasive
• Understand your network environment
• Remember physical security
Solutions: Before You Begin...
Security is an ATTITUDE!
• On-site security policy
• Host security (UNIX/VMS)
• Workstation security (X, MS, Mac, OS/2)
• Network security
• Password policies
• Application security
• Tools to track attacks
• Ability to lock 'em up (every security policy needs a big stick)
Define a Security Policy
• Define what to protect: anything that could cause problems if it were to stop or malfunction
• Decide how to protect it: good enough versus absolute protection
• Think about the cost of protection versus the cost of loss or corruption
II. Router/Switch Security • Threats • Avoidance Measures
Router Security
• Local or remote security: where to store passwords
• Network access security: how to control access through the router
• Terminal access security: how to control access to the router
• AAA accounting and billing: what has gone through the router, and what has been done to it
• Traffic filters: what can go where via the router
• Router access (neighbour authentication): how do I trust a route update?
• Network data encryption: stop viewing or tampering of data in transit
The Administrative Interface
• Password protection
• Password encryption
Native Passwords
    line console 0
     login
     password one4all
     exec-timeout 1 30

    User Access Verification
    Password: <one4all>
    router>

The native passwords are stored in cleartext in the configuration and can be viewed by anyone who logs in with the enable password.
Service Password-Encryption (7)
• Encrypts all passwords in the Cisco IOS configuration with Cisco-defined encryption type "7"
• Use "enable password 7 <encrypted-string>" for cut/paste operations
• Cisco proprietary encryption method: type 7 is a reversible XOR against a fixed, well-known key, so it only protects against casual viewing of the configuration; anyone who obtains the configuration file can recover the passwords
Service Password-Encryption
Before:
    hostname Router
    !
    enable password one4all
    !
After:
    service password-encryption
    !
    hostname Router
    !
    enable password 7 15181E020F
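To see why type 7 belongs under "obfuscation" rather than "encryption", here is an added Python example (not code from the slide deck) that reimplements the scheme. The 53-byte XOR constant is the well-known type-7 key; the sample configuration is constructed, and the string 094F471A1A0A is a widely circulated type-7 encoding of the password "cisco".

```python
"""Cisco IOS type-7 password obfuscation, reimplemented to show that it is
reversible without any secret.  Added example, not code from the slide deck.

A type-7 string is two decimal digits (the salt, 0..15) followed by hex
bytes; byte i of the cleartext is XORed with XLAT[(salt + i) % 53].
"""
import re

# The fixed key used by every type-7 encoder and decoder.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches the hex string after "password 7" in "enable password 7 ..." and
# "username <x> password 7 ..." lines; "enable secret 5" lines do not match.
TYPE7_LINE = re.compile(r"password 7 ([0-9A-Fa-f]{4,})\s*$")


def type7_encode(password: str, salt: int = 9) -> str:
    """Produce the type-7 string IOS would store for PASSWORD with SALT."""
    if not 0 <= salt <= 15:
        raise ValueError("IOS uses a salt between 0 and 15")
    body = bytes(c ^ XLAT[(salt + i) % len(XLAT)]
                 for i, c in enumerate(password.encode()))
    return f"{salt:02d}{body.hex().upper()}"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext from a type-7 string.  No key is needed."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type-7 string")
    salt = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(salt + i) % len(XLAT)]
                 for i, b in enumerate(body)).decode()


def recover_type7(config: str) -> list:
    """Return (config line, cleartext) for every type-7 password in CONFIG."""
    found = []
    for line in config.splitlines():
        m = TYPE7_LINE.search(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


# Constructed configuration fragment in the style of the deck.  The enable
# password is the circulated encoding of "cisco"; bill's password is encoded
# here with salt 15 so the whole round trip is visible in one file.
SAMPLE_CONFIG = f"""\
hostname Router
!
service password-encryption
!
enable password 7 094F471A1A0A
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
!
username bill password 7 {type7_encode("one4all", salt=15)}
"""

if __name__ == "__main__":
    for line, clear in recover_type7(SAMPLE_CONFIG):
        print(f"{line:<45} -> {clear}")
```

Run against a saved configuration, recover_type7 lists every password the "encryption" was hiding; the "enable secret 5" line is left alone because an MD5 hash cannot be reversed this way, which is exactly the distinction the next slide draws.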
Enable Secret (5)
• Uses MD5 to produce a salted one-way hash
• Cannot be decrypted; it can still be attacked by offline guessing, so the password itself must be strong
• Use "enable secret 5 <hash>" to cut/paste another "enable secret" password
Enable Secret (5)
Before:
    hostname Router
    !
    enable password 1forAll
    !
After:
    hostname Router
    !
    enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
Use Good Passwords
• Do not use passwords that can be easily guessed
  (hmm..., how about "Pancho"?)
Authentication Mechanisms
• Local password
• Kerberos
• TACACS+
• RADIUS
• One-time passwords
Cisco IOS TACACS+ Authentication
    version 11.2
    !
    service password-encryption
    !
    hostname Router
    !
    aaa new-model
    aaa authentication login billy tacacs+ enable
    aaa authentication login bobby tacacs+ local
    enable secret 5 $1$hM3l$.s/DgJ4TeKdDk…
    !
    username bill password 7 030E4E050D5C
    !
Notes:
• service password-encryption: stores the local user's password with type 7 encryption
• List "billy": use TACACS+, then fall back to the enable password
• List "bobby": use TACACS+, then fall back to the local username/password database
• "enable secret" (type 5) overrides the type 7 "enable password"
• username bill: defines a local user and password for "bill"
Cisco IOS TACACS+ Authentication
    tacacs-server host 10.1.1.2
    tacacs-server key gW78pTkf9
    !
    line con 0
     login authentication billy
    line aux 0
     login authentication billy
    line vty 0 4
     login authentication bobby
     length 29
     width 92
    !
    end
Notes:
• tacacs-server host: the IP address of the TACACS+ server
• tacacs-server key: the shared key used to encrypt the exchange with the TACACS+ server
• Console and aux lines use list "billy": TACACS+, then the enable password
• The vty (Telnet) lines use list "bobby": TACACS+, then a local user/password
PIX TACACS+ Authentication
    PIX Version 4.0.7
    enable password BjeuCKspwqCc94Ss encrypted
    passwd nU3DFZzS7jF1jYc5 encrypted
    tacacs-server host 10.1.1.2 <key>
    aaa authentication telnet outbound 0.0.0.0 0.0.0.0 tacacs+
    aaa authentication ftp outbound 0.0.0.0 0.0.0.0 tacacs+
    aaa authentication http outbound 0.0.0.0 0.0.0.0 tacacs+
    no snmp-server location
    no snmp-server contact
    telnet 10.1.1.2 255.255.255.255
    mtu outside 1500
    mtu inside 1500
    : end
    [OK]
Notes:
• enable password: the enable password (stored encrypted)
• passwd: the Telnet password (stored encrypted)
• tacacs-server host: the IP address of the TACACS+ server and the shared key
• aaa authentication ... outbound ... tacacs+: the outbound services that require authentication
• telnet 10.1.1.2 255.255.255.255: the only host allowed to Telnet into the PIX
Enable Authentication
• Cisco IOS: can use the same authentication mechanisms for "enable" and "login" starting in Cisco IOS 11.3
• PIX: supports TACACS+ authentication for the console and "enable" since 4.2
Password of Caution
• Even passwords that are encrypted in the configuration cross the wire in cleartext when an administrator logs into the router over Telnet
Encrypted Telnet Sessions
• Kerberos v5
  - Strong authentication within the session
  - Relies heavily upon DNS and NTP
• Cisco Encryption Technology (CET)
• IPSec
One-Time Passwords
• May be used with TACACS+ or RADIUS
• The same "password" is never reused by an authorized administrator
• Key cards: CryptoCard token server included with CiscoSecure
• Support for Security Dynamics and Secure Computing token servers in CiscoSecure
Restrict Telnet Access
    access-list 12 permit 172.17.55.0 0.0.0.255
    line vty 0 4
     access-class 12 in
Only hosts in 172.17.55.0/24 may open a session to the vty lines; every other source falls through to the access list's implicit deny.
SNMP
• #1 source of intelligence on a target network!
• Block SNMP from the outside:
    access-list 101 deny udp any any eq snmp
• If the router runs SNMP, protect it by tying the community to an access list:
    snmp-server community fO0bAr RW 1
    access-list 1 permit 127.1.3.5
• Explicitly direct SNMP traps to an authorized management station (host address first, then community string):
    snmp-server host 127.1.3.5 fO0bAr
127.1.3.5 is a placeholder address on the slide; use the address of your real management station.
SNMP
• Change your community strings! Do not use public, private, secret!
• Use different community strings for the RO and RW communities.
• Use mixed alphanumeric characters in the community strings: SNMP community strings can be cracked, too!
SNMP
• Version 1 sends cleartext community strings and has no policy reference
• Version 2 addresses some of the known security weaknesses of SNMP version 1
• Version 3 is being worked on
Resource Deprivation Attacks
    version 11.2
    !
    no service finger
    no service udp-small-servers
    no service tcp-small-servers
    !
Disable finger and the small servers; they are trivial targets for resource-exhaustion attacks:
• Daytime (13)
• Chargen (19)
• Echo (7)
• Discard (9)
• Finger (79)
Administrator Authorization Levels
    privilege exec level 9 show
    enable secret level 9 <AllinOne>
    enable secret 5 <OneinAll>
• Sixteen administrative levels (0 to 15) that can be used to delegate authority
• Cisco IOS commands can be associated with a level
    Router# show priv
    Current privilege level is 15
    Router# disable
    Router> enable 9
    Password:
    Router# show priv
    Current privilege level is 9
    Router#
Transaction Records
• How do you tell when someone is attempting to access your router?
    ip accounting
    ip accounting access-violations
    logging 127.0.3.2
• Consider some form of audit trail:
  - the syslog feature
  - SNMP traps and alarms
  - TACACS+, RADIUS, Kerberos, or third-party solutions such as one-time password token cards
Audit Trail: Cisco IOS Syslog
    unix% tail cisco.log
    Feb 17 21:48:26 [10.1.1.101.9.132] 31: *Mar 2 11:51:55 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)
    unix% date
    Tue Feb 17 21:49:53 CST 1998
    unix%

    version 11.2
    service timestamps log datetime localtime show-timezone
    !
    logging 10.1.1.2

    Router>show clock
    *11:53:44.764 CST Tue Mar 2 1993
    Router>
The router's own timestamp (March 1993) disagrees with the syslog host's (February 1998); the leading asterisk marks a clock that has not been set from an authoritative source. Without synchronized time the audit trail cannot be correlated across devices.
Catalyst Security
• Set passwords and the SNMP community:
    set password
    set enablepass
    set snmp community read-only fO0bAr
• Control access to Telnet and SNMP:
    set ip permit enable
    set ip permit 172.100.101.102
    set ip permit diablo.cisco.com
    set ip permit 172.160.161.0 255.255.192.0
• Console timeout:
    set logout 5
  (5 minutes instead of the 20-minute default)
Catalyst Security
• Use TACACS+ for login and enable:
    set authentication login tacacs enable
    set authentication enable tacacs enable
    set tacacs key secretkey
    set tacacs server 144.254.5.9
• Use logging:
    set logging console disable
    set logging server 144.254.5.5
    set logging server enable
    set logging session enable
III. Resource Protection • Individual Resources • Threats • Avoidance measures
Spoofing
An outside host (172.16.42.84) sends a packet to 10.1.1.2 carrying a forged inside source address: IP (D=10.1.1.2 S=10.1.1.1). Filter inbound on the external interface for source addresses that can only legitimately originate inside (and for loopback):
    interface Serial 1
     ip address 172.26.139.2 255.255.255.252
     ip access-group 111 in
     no ip directed-broadcast
    !
    interface ethernet 0/0
     ip address 10.1.1.100 255.255.0.0
     no ip directed-broadcast
    !
    access-list 111 deny ip 127.0.0.0 0.255.255.255 any
    access-list 111 deny ip 10.1.0.0 0.0.255.255 any
The slide shows only the deny entries; the permit entries for legitimate inbound traffic follow them (an access list with no permit entry drops everything because of the implicit deny).
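Anti-spoofing entries are only as good as one's reading of IOS wildcard masks, which are inverted (a 1 bit means "don't care"). The following added Python example, not code from the deck, parses access-list lines in the syntax the slides use (extended lists such as 111, and standard lists such as the vty access-class list 12 on the "Restrict Telnet Access" slide) and evaluates packets against them the way the router does. The trailing "permit ip any any" is a constructed line standing in for the permit entries the slide omits.

```python
"""Evaluate IOS access-list entries as the router does: first match wins,
and an unmatched packet hits the implicit deny at the end.
Added example, not code from the slide deck.  Covers the subset of the
syntax used on these slides: standard lists (source only) and extended
lists with 'ip|tcp|udp|icmp', 'any', 'host A.B.C.D' and 'A.B.C.D W.W.W.W'.
Port keywords (eq smtp, established) are not modelled.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: list, i: int) -> tuple:
    """Parse an address spec starting at tokens[i].

    Returns (address, care_mask, next_index).  care_mask has a 1 bit for
    every bit that must match; it is the inverse of the IOS wildcard.
    """
    tok = tokens[i]
    if tok == "any":
        return 0, 0, i + 1
    if tok == "host":
        return _ip(tokens[i + 1]), ALL_ONES, i + 2
    addr = _ip(tok)
    # A standard list may give a bare address with no wildcard (exact match).
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return addr, ALL_ONES ^ _ip(tokens[i + 1]), i + 2
    return addr, ALL_ONES, i + 1


def parse_acl(config: str, number: int) -> list:
    """Collect the entries of access-list NUMBER from CONFIG, in order."""
    rules = []
    for line in config.splitlines():
        t = line.strip().lower().split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number):
            continue
        action = t[2]
        if 1 <= number <= 99:                      # standard list: source only
            src, smask, _ = _parse_addr(t, 3)
            rules.append((action, "ip", src, smask, 0, 0))
        else:                                      # extended: proto src dst
            proto = t[3]
            src, smask, i = _parse_addr(t, 4)
            dst, dmask, _ = _parse_addr(t, i)
            rules.append((action, proto, src, smask, dst, dmask))
    return rules


def evaluate(rules: list, proto: str, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet, honouring first-match and the
    implicit deny that ends every IOS access list."""
    s, d = _ip(src), _ip(dst)
    for action, rproto, rs, sm, rd, dm in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if (s & sm) == (rs & sm) and (d & dm) == (rd & dm):
            return action
    return "deny"


# The deck's anti-spoofing entries for Serial 1, plus a constructed
# 'permit ip any any' standing in for the permit lines the slide omits.
SPOOF_ACL = """
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
access-list 111 permit ip any any
"""

# The deck's vty access-class list.
VTY_ACL = "access-list 12 permit 172.17.55.0 0.0.0.255"

if __name__ == "__main__":
    rules = parse_acl(SPOOF_ACL, 111)
    # The spoofed packet from the slide: an outside host claiming S=10.1.1.1.
    print("spoofed 10.1.1.1 -> 10.1.1.2:", evaluate(rules, "ip", "10.1.1.1", "10.1.1.2"))
    print("genuine 172.16.42.84 -> 10.1.1.2:", evaluate(rules, "ip", "172.16.42.84", "10.1.1.2"))
```

The care-mask inversion is the whole trick: "0.0.255.255" means "the first two octets must match", so 10.1.anything.anything is denied while 10.2.x.x sails past this entry to the next one.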
Source Routing
    interface Serial 1
     ip address 172.16.139.2 255.255.255.252
     ip access-group 111 in
    !
    no ip source-route
    !
    access-list 111 permit ip 10.16.0.0 0.0.255.255 any
The access list trusts any packet that claims a source in the private network 10.16.0.0/16. An attacker announces "I'm 10.16.99.99, and here's the route back to me" using the IP source-route option (RFC 791, Internet Protocol), so replies follow the recorded route back to the attacker instead of to the real 10.16.0.0 network. "no ip source-route" (a global command) makes the router discard source-routed packets.
Cisco IOS with an Access List
    interface ethernet 0/0
     ip address 172.16.1.100 255.255.0.0
    !
    interface ethernet 0/1
     ip address 172.17.1.100 255.255.0.0
     ip access-group 111 in
     no ip unreachables
     no ip redirects
    !
    access-list 111 permit tcp any host 172.16.1.1 eq smtp
    access-list 111 permit tcp any host 172.16.1.1 established
    access-list 111 permit icmp any host 172.16.1.1
e0/0 faces the protected 172.16 network, e0/1 the outside. Inbound on e0/1 only SMTP, return traffic of established TCP sessions, and ICMP to the mail host are admitted. Note that "established" merely checks for the ACK or RST flag in the segment and keeps no connection state, which is why the stateful inspection on the next slide is preferable.
Cisco IOS Firewall Feature Set
    logging 172.16.27.131
    ip inspect audit-trail
    ip inspect dns-timeout 10
    ip inspect tcp idle-time 60
    ip inspect name myfw smtp timeout 3600
    ip inspect name myfw tcp timeout 3600
    !
    interface Ethernet 0
     ip address 172.16.1.100 255.255.0.0
     ip inspect myfw in
    !
    interface Serial 0
     ip address 172.19.139.1 255.255.255.248
     ip access-group 111 in
    !
    access-list 111 permit tcp any host 172.16.1.1 eq smtp
    access-list 111 permit tcp any host 172.16.1.1 eq pop3
    access-list 111 permit tcp any host 172.16.1.1 eq ident
Inspection rule "myfw" is applied inbound on the inside interface (e0): sessions initiated from inside are tracked, and temporary openings for their return traffic are added to access list 111 on the outside interface (s0). The static entries in 111 admit only SMTP, POP3 and ident to the mail host from outside.
The Internet Firewall
Protection of the demilitarized zone (DMZ) servers: DNS, mail, WWW
• Use access control lists on the screening router to control traffic
• Isolate each server from the others' traffic with a switch
Syn Attack
A flood of TCP SYNs with forged source addresses fills the target's (172.18.1.2) table of half-open connections, because no SYN/ACK is ever answered:
    TCP syn (D=172.18.1.2 S=1.1.1.1)
    TCP syn (D=172.18.1.2 S=1.1.1.2)
    TCP syn (D=172.18.1.2 S=1.1.1.3)
    TCP syn (D=172.18.1.2 S=1.1.1.4)
    TCP syn (D=172.18.1.2 S=1.1.1.5)
    TCP syn (D=172.18.1.2 S=2.1.1.1)
    TCP syn (D=172.18.1.2 S=2.1.1.2)
Cisco IOS Syn Attack Defense
    ip tcp intercept list <access-list-number>
    ip tcp intercept mode watch
In watch mode the router observes the handshake (client SYN, server SYN/ACK, client ACK) and resets connections that never complete. The tuning questions map onto the one-minute, max-incomplete and watch-timeout keywords of ip tcp intercept:
• How many session requests in the last one minute?
• How many incomplete sessions are there?
• How long do I wait for the final ACK?
Cisco IOS Firewall Feature Set Syn Attack Defense
    ip inspect tcp synwait-time [seconds]
    ip inspect tcp finwait-time [seconds]
    ip inspect tcp idle-time [seconds]
The same three questions as for TCP Intercept:
• How many session requests in the last one minute?
• How many incomplete sessions are there?
• How long do I wait for the final ACK? (synwait-time)
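Both the TCP Intercept and the Firewall Feature Set knobs answer the same three questions. The following added Python example (not Cisco code) models the bookkeeping behind "ip tcp intercept mode watch": it tracks half-open connections, expires those that never receive the final ACK, and when the number of half-open connections passes a high-water mark it turns aggressive and clears the oldest. The event trace reproduces the flood on the "Syn Attack" slide plus one genuine client; the thresholds, the event format and the aggressive-mode policy (clear oldest) are constructed for illustration, not IOS defaults.

```python
"""Model of the state tracking behind 'ip tcp intercept mode watch'.
Added example, not IOS code.  The thresholds mirror the purpose of the IOS
knobs (watch-timeout, max-incomplete high, one-minute high) but the values
used here are small constructed numbers, not IOS defaults.
"""
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class InterceptWatch:
    watch_timeout: float = 30.0     # seconds to wait for the client's final ACK
    max_incomplete_high: int = 5    # half-open connections that trigger aggressive mode
    one_minute_high: int = 100      # SYNs per minute that trigger aggressive mode
    # (src, sport, dst, dport) -> time of the SYN, insertion order = oldest first
    half_open: OrderedDict = field(default_factory=OrderedDict)
    syn_times: list = field(default_factory=list)
    completed: int = 0
    timed_out: int = 0      # never completed; the router would RST the server side
    cleared: int = 0        # dropped early because we went aggressive
    aggressive: bool = False

    def sweep(self, now: float) -> None:
        """Expire half-open connections older than watch_timeout."""
        while self.half_open:
            key, t0 = next(iter(self.half_open.items()))
            if now - t0 < self.watch_timeout:
                break
            self.half_open.popitem(last=False)
            self.timed_out += 1

    def _syns_last_minute(self, now: float) -> int:
        self.syn_times = [t for t in self.syn_times if now - t < 60.0]
        return len(self.syn_times)

    def observe(self, now: float, flags: str, src: str, sport: int,
                dst: str, dport: int) -> None:
        """Feed one observed TCP segment.  FLAGS is 'SYN', 'SYN/ACK' or 'ACK'."""
        self.sweep(now)
        key = (src, sport, dst, dport)
        if flags == "SYN":
            self.half_open[key] = now
            self.syn_times.append(now)
            over = (len(self.half_open) > self.max_incomplete_high
                    or self._syns_last_minute(now) > self.one_minute_high)
            if over:
                self.aggressive = True
                # Aggressive mode: make room by clearing the oldest half-open
                # connection rather than letting the backlog grow.
                self.half_open.popitem(last=False)
                self.cleared += 1
        elif flags == "ACK" and key in self.half_open:
            del self.half_open[key]
            self.completed += 1
        # A SYN/ACK from the server adds no state in this model.

    def summary(self) -> dict:
        return {"half_open": len(self.half_open), "completed": self.completed,
                "timed_out": self.timed_out, "cleared": self.cleared,
                "aggressive": self.aggressive}


# Constructed trace: the spoofed SYNs from the 'Syn Attack' slide against
# 172.18.1.2, then one genuine client that completes its handshake.
TARGET = "172.18.1.2"
TRACE = [
    (0.0, "SYN", "1.1.1.1", 1024, TARGET, 80),
    (0.1, "SYN", "1.1.1.2", 1024, TARGET, 80),
    (0.2, "SYN", "1.1.1.3", 1024, TARGET, 80),
    (0.3, "SYN", "1.1.1.4", 1024, TARGET, 80),
    (0.4, "SYN", "1.1.1.5", 1024, TARGET, 80),
    (0.5, "SYN", "2.1.1.1", 1024, TARGET, 80),
    (0.6, "SYN", "2.1.1.2", 1024, TARGET, 80),
    (1.0, "SYN", "172.16.42.84", 4000, TARGET, 80),
    (1.1, "SYN/ACK", TARGET, 80, "172.16.42.84", 4000),
    (1.2, "ACK", "172.16.42.84", 4000, TARGET, 80),
]


def run_trace(trace=TRACE, sweep_at: float = 31.0) -> dict:
    """Replay TRACE through a watcher, sweep at SWEEP_AT, return the counters."""
    w = InterceptWatch()
    for now, flags, src, sport, dst, dport in trace:
        w.observe(now, flags, src, sport, dst, dport)
    w.sweep(sweep_at)
    return w.summary()


if __name__ == "__main__":
    print(run_trace())
```

With the sixth forged SYN the watcher crosses the high-water mark, turns aggressive and starts clearing the oldest entries; the genuine client still completes because it answers the SYN/ACK within the window, while the four remaining forged entries time out at the sweep.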
V. Network Integrity Maintenance • 24 by 7
Dynamic Routing Protocols
Path redundancy to route around failures
Route Update Authentication and Integrity
Sender: assemble the packet as [IP HDR | Key | Route Update Data], run it through the hash function, and send [IP HDR | Signature | Route Update Data] to the wire.
Receiver: reassemble the packet with its own copy of the key, recompute the hash, and compare it with the received signature. The key itself never crosses the wire.
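An added Python example (not Cisco code) of the keyed-hash scheme in the diagram: the sender hashes the update together with the shared key and ships the digest as the signature; the receiver redoes the computation with its own copy of the key and compares. The wire encoding of the update, the shared key and the sample routes are constructed. It also shows what the scheme buys: a metric rewritten in transit, or an update from a peer without the key, is rejected.

```python
"""Keyed-hash route update authentication, as in the 'Route Update
Authentication and Integrity' diagram.  Added example, not Cisco code.
The update format (prefix, length, metric triples) and the shared key are
constructed for illustration; MD5 is used because that is what the deck's
generation of routing protocols used for neighbour authentication.
"""
import hashlib
import hmac
import ipaddress
import struct

DIGEST_LEN = 16                       # MD5 digest size in bytes
ENTRY_LEN = 9                         # 4-byte prefix + 1-byte length + 4-byte metric
SHARED_KEY = b"routers-only-k3y"      # constructed; configured on both peers


def encode_update(routes) -> bytes:
    """Serialize [(prefix, prefix_len, metric), ...] into a byte string."""
    out = bytearray()
    for prefix, plen, metric in routes:
        out += ipaddress.IPv4Address(prefix).packed + struct.pack("!BI", plen, metric)
    return bytes(out)


def decode_update(data: bytes) -> list:
    """Inverse of encode_update."""
    routes = []
    for off in range(0, len(data), ENTRY_LEN):
        addr = str(ipaddress.IPv4Address(data[off:off + 4]))
        plen, metric = struct.unpack("!BI", data[off + 4:off + ENTRY_LEN])
        routes.append((addr, plen, metric))
    return routes


def sign_update(update: bytes, key: bytes) -> bytes:
    """Sender side: hash(update || key) and append the digest as the signature.
    The key never leaves the router; only the digest is transmitted."""
    return update + hashlib.md5(update + key).digest()


def verify_update(packet: bytes, key: bytes):
    """Receiver side: recompute hash(update || key) and compare in constant time.
    Returns (ok, routes); routes is empty when verification fails."""
    if len(packet) < DIGEST_LEN:
        return False, []
    update, signature = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = hashlib.md5(update + key).digest()
    if not hmac.compare_digest(signature, expected):
        return False, []
    return True, decode_update(update)


# Constructed update from a neighbour: two prefixes with RIP-style metrics.
ROUTES = [("10.1.0.0", 16, 1), ("172.17.55.0", 24, 3)]


def tamper_metric(packet: bytes, new_metric: int) -> bytes:
    """An attacker in the path rewrites the first route's metric but cannot
    recompute the signature without the key."""
    body = bytearray(packet)
    struct.pack_into("!I", body, 5, new_metric)   # metric of route 0 is at offset 5
    return bytes(body)


if __name__ == "__main__":
    pkt = sign_update(encode_update(ROUTES), SHARED_KEY)
    print("genuine  :", verify_update(pkt, SHARED_KEY))
    print("tampered :", verify_update(tamper_metric(pkt, 0), SHARED_KEY))
    print("wrong key:", verify_update(pkt, b"not-the-key"))
```

Two caveats a practitioner would add to the diagram: the scheme as drawn carries no sequence number, so a captured genuine update can be replayed later (RIP-2's MD5 authentication in RFC 2082 adds one for exactly that reason), and the modern keyed-hash construction is HMAC (RFC 2104) rather than a bare hash over data plus key.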
Route Filtering
    router rip
     network 10.0.0.0
     distribute-list 1 in
    !
    access-list 1 deny 0.0.0.0
    access-list 1 permit 10.0.0.0 0.255.255.255
Accept only routes inside 10.0.0.0/8 from neighbours and refuse a default route (0.0.0.0) learned via RIP:
    Router# show ip protocol
    Routing Protocol is "rip"
      Sending updates every 30 seconds, next due in 12 seconds
      Invalid after 180 seconds, hold down 180, flushed after 240
      Outgoing update filter list for all interfaces is not set
      Incoming update filter list for all interfaces is 1
      Redistributing: rip
Secure Vital Services • Network Time Protocol Sources • Domain Name Servers • Certificate Authority
Session Protection through Network Layer Encryption
Cleartext -> DES encrypt (shared secret key) -> ciphertext across the Internet -> DES decrypt (shared secret key) -> cleartext
IPSec: the IETF working group defining IP security
NetRanger
• Sensors watch for attacks or problems and report to the NetRanger Director
• NetRanger stops active attacks
Vulnerability Scanning
• Network mapping
  - Identify live hosts
  - Identify services on hosts
• Vulnerability scanning
  - Analyse discovery data for potential vulnerabilities
  - Confirm vulnerabilities on targeted hosts