Designing Secure Network Infrastructures
Peter Elford, pelford@cisco.com

© 1998, Cisco Systems, Inc.


Agenda

I. Introduction

II. Router/Switch Security

III. Resource Protection

IV. Perimeter Protection

V. Maintaining Network Integrity

VI. Security Maintenance Validation


Approaching Network Security

  • Identify your network assets

  • Determine points of access

  • Know your enemy

  • Limit the scope of access

  • Identify your assumptions

  • Count the cost

  • Remember human factors

  • Keep limited secrets

  • Security is pervasive

  • Understand your network environment

  • Remember physical security


Solutions: Before you Begin... Security is an ATTITUDE!

  • On-Site Security Policy

  • Host Security (UNIX/VMS)

  • Workstation Security (X, MS, MAC, OS/2)

  • Network Security

  • Password Policies

  • Application Security

  • Tools to Track Attacks

  • Ability to lock ‘em up (every security policy needs a big stick)


Define a Security Policy

  • Define what to protect—anything that could cause problems if it were to stop or malfunction

  • Decide how to protect it—good enough versus absolute protection

  • Think about cost of protection vs. cost of loss or corruption


II. Router/Switch Security

  • Threats

  • Avoidance Measures


Router Security

  • Local or Remote Security

    • Where to store passwords

  • Network Access Security

    • How to control access through the router

  • Terminal Access Security

    • How to control access to the router

  • AAA Accounting and Billing

    • What has gone through and what is done to the router

  • Traffic Filters

    • What can go where via the router

  • Router Access (Neighbour Authentication)

    • How do I trust a route update?

  • Network Data Encryption

    • Stop viewing or tampering of data through network


The Administrative Interface

  • Password Protection

  • Password Encryption

Router>


Native Passwords

line console 0
 login
 password one4all
 exec-timeout 1 30

User Access Verification
Password: <one4all>
router>

The native passwords can be viewed by anyone logging in with the enable password.


Service Password-Encryption (7)

  • Will encrypt all passwords on the Cisco IOS™ with Cisco-defined encryption type “7”

  • Use “enable password 7 <password>” for cut/paste operations

  • Cisco proprietary encryption method


Service Password-Encryption

Before:

hostname Router
!
enable password one4all
!

After entering “service password-encryption”:

hostname Router
!
enable password 7 15181E020F


Enable Secret (5)

  • Uses MD5 to produce a one-way hash

  • Cannot be decrypted

  • Use “enable secret 5 <password>” to cut/paste another “enable secret” password


Enable Secret (5)

Before:

hostname Router
!
enable password 1forAll
!

After entering “enable secret”:

hostname Router
!
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
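The one-way property of the type 5 secret can be checked rather than taken on faith. The Python below is an added example, not code from the presentation or from Cisco: it implements the MD5-crypt construction that “enable secret 5” uses (the “$1$” prefix, a 4-character salt, 1000 stretching rounds) with the standard library only, then verifies a candidate password against a stored hash by recomputing it. The password “1forAll” is taken from the slide's “enable password” line; the salts used here are constructed, and the slide does not state which password produced its printed hash, so the check is on the construction rather than on that value.

```python
"""Verify a Cisco IOS "enable secret 5" hash.

Added example, not from the original slides.  Cisco type 5 secrets use the
MD5-crypt construction ($1$<salt>$<22 characters>) with a 4-character salt;
this re-implements that construction with hashlib so it runs anywhere and
does not depend on the platform crypt() library.  The salts are constructed.
"""
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode the low 6*count bits of value, least significant group first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """Return "$1$<salt>$<hash>" using the MD5-crypt construction (1000 rounds)."""
    pw = password.encode()
    salt = salt[:8]                      # the construction uses at most 8 salt characters
    sb = salt.encode()

    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)                          # mix in the alternate digest, 16 bytes per 16 password bytes
    while n > 0:
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)                          # per-bit mixing: a zero byte or the first password byte
    while n > 0:
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    for i in range(1000):                # stretching rounds over password, salt and previous digest
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final                            # permuted encoding of the 16-byte digest into 22 characters
    out = _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
    out += _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
    out += _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
    out += _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
    out += _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
    out += _to64(f[11], 2)
    return "$1$" + salt + "$" + out


def new_secret(password):
    """Hash a password with a fresh random 4-character salt, as the router does."""
    salt = "".join(ITOA64[b & 0x3F] for b in os.urandom(4))
    return md5crypt(password, salt)


def verify_secret(password, stored):
    """Check a candidate password against a stored "$1$..." hash (constant-time compare)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5crypt(password, parts[2]), stored)


if __name__ == "__main__":
    stored = new_secret("1forAll")
    print(stored)
    print(verify_secret("1forAll", stored), verify_secret("1forall", stored))
```

Because the salt is random, two routers given the same secret store different hashes, and the only way to check a configuration's hash is to recompute it with the candidate password, which is what `verify_secret` does; there is no decryption path, which is the contrast the slide draws with type 7.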


Use Good Passwords

  • Do not use passwords that can be easily guessed

hmm..., how about “Pancho”?



Authentication Mechanisms

  • Local Password

  • Kerberos

  • TACACS+

  • RADIUS

  • One-time Passwords


Cisco IOS TACACS+ Authentication

version 11.2
!
! Encrypts passwords with encryption type (7)
service password-encryption
!
hostname Router
!
aaa new-model
! Define list “billy” to use TACACS+, then the enable password
aaa authentication login billy tacacs+ enable
! Define list “bobby” to use TACACS+, then the local user and password
aaa authentication login bobby tacacs+ local
! “enable secret” overrides the (7) encryption
enable secret 5 $1$hM3l$.s/DgJ4TeKdDk…
!
! Define a local user and password for “bill”
username bill password 7 030E4E050D5C
!


Cisco IOS TACACS+ Authentication

! Defines the IP address of the TACACS+ server
tacacs-server host 10.1.1.2
! Defines the “encryption” key for communicating with the TACACS+ server
tacacs-server key gW78pTkf9
!
! Console and aux use the authentication mechanisms listed in “billy”: TACACS+, then the enable password
line con 0
 login authentication billy
line aux 0
 login authentication billy
! The vty lines use the mechanisms listed in “bobby”: TACACS+, then a local user/password
line vty 0 4
 login authentication bobby
 length 29
 width 92
!
end


PIX TACACS+ Authentication

PIX Version 4.0.7
: Enable password
enable password BjeuCKspwqCc94Ss encrypted
: Telnet password
passwd nU3DFZzS7jF1jYc5 encrypted
: Defines the IP address of the TACACS+ server and the key
tacacs-server host 10.1.1.2 <key>
: Defines the services that require authentication
aaa authentication telnet outbound 0.0.0.0 0.0.0.0 tacacs+
aaa authentication ftp outbound 0.0.0.0 0.0.0.0 tacacs+
aaa authentication http outbound 0.0.0.0 0.0.0.0 tacacs+
no snmp-server location
no snmp-server contact
: Defines the device that can Telnet into the PIX
telnet 10.1.1.2 255.255.255.255
mtu outside 1500
mtu inside 1500
: end
[OK]



Enable Authentication

  • Cisco IOS—Can use the same authentication mechanisms for “enable” and “login” starting in Cisco IOS 11.3

  • PIX—Supports TACACS+ authentication mechanisms for the Console and “enable” since 4.2



Password of Caution

  • Even passwords that are encrypted in the configuration are not encrypted on the wire as an administrator logs into the router


Encrypted Telnet Sessions

  • Kerberos v5

    • Strong Authentication within the session

    • Relies heavily upon DNS and NTP

  • Cisco Encryption Technology (CET)

  • IPSec


One-Time Passwords

  • May be used with TACACS+ or RADIUS

  • The same “password” will never be reused by an authorized administrator

  • Key Cards—CryptoCard token server included with CiscoSecure

  • Support for Security Dynamics and Secure Computing token servers in Cisco Secure


Restrict Telnet Access

access-list 12 permit 172.17.55.0 0.0.0.255
line vty 0 4
 access-class 12 in


SNMP

  • #1 Source of intelligence on a target network!

  • Block SNMP from the outside

    • access-list 101 deny udp any any eq snmp

  • If the router has SNMP, protect it!

    • snmp-server community fO0bAr RW 1

    • access-list 1 permit 127.1.3.5

  • Explicitly direct SNMP traffic (traps) to an authorized management station.

    • snmp-server host 127.1.3.5 fO0bAr


SNMP

  • Change your community strings! Do not use public, private, secret!

  • Use different community strings for the RO and RW communities.

  • Use mixed alphanumeric characters in the community strings: SNMP community strings can be cracked, too!


SNMP

  • Version one sends cleartext community strings and has no policy reference

  • Version two addresses some of the known security weaknesses of SNMP version one

  • Version three is being worked on


Resource Deprivation Attacks

version 11.2
!
no service finger
no service udp-small-servers
no service tcp-small-servers
!

Services turned off by these commands (port numbers in brackets):

  • Daytime (13)

  • Chargen (19)

  • Echo (7)

  • Discard (9)

  • Finger (79)
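Several of the avoidance measures in this section can be checked mechanically against a saved configuration. The Python below is an added example, not part of the presentation or of any Cisco tool: it parses a running-config the way the slides present it (global commands, indented sub-commands under each “line”) and reports the weaknesses covered so far, namely clear-text and type-7 passwords, no “enable secret”, small servers and finger left enabled, default or unrestricted SNMP community strings, and vty lines without an access-class. Both sample configurations are constructed; the hash, community string and access lists reuse values shown on the slides.

```python
"""Audit a saved Cisco IOS configuration for the weak settings covered in
section II of the slides.  Added example, not part of the presentation.
Both sample configurations are constructed for the example."""
import re

WEAK_CONFIG = """\
service tcp-small-servers
enable password one4all
username bill password 7 030E4E050D5C
snmp-server community public RO
snmp-server community fO0bAr RW 1
access-list 1 permit 127.1.3.5
line con 0
 login
 password one4all
line vty 0 4
 login
 password cisco
"""

HARDENED_CONFIG = """\
service password-encryption
no service finger
no service tcp-small-servers
no service udp-small-servers
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
snmp-server community fO0bAr RO 1
access-list 1 permit 127.1.3.5
access-list 12 permit 172.17.55.0 0.0.0.255
line vty 0 4
 access-class 12 in
 login
 password 7 15181E020F
"""

DEFAULT_COMMUNITIES = {"public", "private", "secret"}
SMALL_SERVICE_CMDS = ("no service finger", "no service tcp-small-servers",
                      "no service udp-small-servers")


def parse_config(text):
    """Return (global_commands, line_blocks); line_blocks maps a 'line ...'
    header to the indented sub-commands beneath it."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                line_blocks[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("line "):
            current = raw
            line_blocks[current] = []
        else:
            global_cmds.append(raw)
    return global_cmds, line_blocks


def audit_ios_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    global_cmds, line_blocks = parse_config(text)
    gset = set(global_cmds)
    findings = []

    pw_encrypted = "service password-encryption" in gset
    if not pw_encrypted:
        findings.append("service password-encryption is off: line and username passwords are stored in clear text")
    if not any(g.startswith("enable secret ") for g in gset):
        findings.append("no enable secret: enable mode is protected only by a clear-text or type-7 enable password")
    for cmd in SMALL_SERVICE_CMDS:
        if cmd not in gset:
            findings.append(f"'{cmd}' is missing")

    for g in global_cmds:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\d+))?$", g)
        if m:
            community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"SNMP community '{community}' is a well-known default")
            if acl is None:
                findings.append(f"SNMP community '{community}' ({mode}) is not restricted by an access-list")
        m = re.match(r"username (\S+) password (?:(0|7) )?\S+$", g)
        if m:
            findings.append(f"username {m.group(1)} uses a type-{m.group(2) or '0'} (reversible) password")

    for header, body in line_blocks.items():
        if header.startswith("line vty") and not any(c.startswith("access-class ") for c in body):
            findings.append(f"{header}: no access-class, so Telnet is accepted from any source")
        for c in body:
            if re.match(r"password \S+$", c) and not pw_encrypted:
                findings.append(f"{header}: clear-text password '{c.split()[1]}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ios_config(cfg))
```

Run against a configuration saved with “show running-config”, the audit lists every item the slides in this section would have changed; the hardened sample, which applies all of them, produces no findings.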


Administrator Authorization Levels

privilege exec level 9 show
enable secret level 9 <AllinOne>
enable secret 5 <OneinAll>

  • Sixteen administrative levels that can be used to delegate authority

  • Cisco IOS commands can be associated with a level

Router# show priv
Current privilege level is 15
Router# disable
Router>enable 9
Password:
Router# show priv
Current privilege level is 9
Router#


Transaction Records

  • How do you tell when someone is attempting to access your router?

    • ip accounting

    • ip accounting access-violations

    • logging 127.0.3.2

  • Consider some form of audit trails:

    • Using the syslog feature.

    • SNMP Traps and alarms.

    • Implementing TACACS+, Radius, Kerberos, or third party solutions like One-Time Password token cards.


Audit Trail—Cisco IOS Syslog

unix% tail cisco.log
Feb 17 21:48:26 [10.1.1.101.9.132] 31: *Mar 2 11:51:55 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)
unix% date
Tue Feb 17 21:49:53 CST 1998
unix%

Router configuration that produced the entry:

version 11.2
service timestamps log datetime localtime show-timezone
!
logging 10.1.1.2

Router>sho clock
*11:53:44.764 CST Tue Mar 2 1993
Router>

The router's clock (March 1993) disagrees with the syslog host's (February 1998), so the router-stamped time inside the log entry cannot be correlated with any other record; the timestamps are only useful when the router's clock is correct (see Secure Vital Services: Network Time Protocol sources).
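The slide puts a syslog line, the UNIX host's date and the router's clock side by side to make one point: the router-stamped time is years off. The Python below is an added example, not from the presentation, that reads lines in this syslog format, compares the router's timestamp with the host's receipt time, and flags configuration-change events that did not come from the expected management station. The management-station address and the second and third log lines are constructed; the first log line is the one on the slide.

```python
"""Check a Cisco IOS syslog feed for configuration events and clock skew.

Added example, not part of the slides.  With "service timestamps log
datetime localtime show-timezone" each line carries two clocks: the syslog
host's receipt time at the front and the router's own time inside the
message.  The management-station address and two of the log lines are
constructed in the format shown on the slide.
"""
import re
from datetime import datetime

MANAGEMENT_STATIONS = {"10.1.1.2"}   # assumption for the example
HOST_YEAR = 1998                     # neither timestamp on the wire carries a year

SAMPLE_LOG = """\
Feb 17 21:48:26 [10.1.1.101.9.132] 31: *Mar 2 11:51:55 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)
Feb 17 21:50:02 [10.1.1.101.9.132] 32: *Mar 2 11:53:31 CST: %SYS-5-CONFIG_I: Configured from console by vty1 (172.16.42.84)
Feb 17 21:51:10 [10.1.1.101.9.132] 33: *Mar 2 11:54:39 CST: %LINK-3-UPDOWN: Interface Serial1, changed state to down
"""

LINE_RE = re.compile(
    r"^(?P<host_ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"\[(?P<source>[\d.]+)\] \d+: "
    r"\*?(?P<rtr_ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)(?: [A-Z]{3,4})?: "
    r"(?P<msg>%.*)$")
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by \S+ \((?P<src>[\d.]+)\)")
TS_FMT = "%b %d %H:%M:%S %Y"


def parse_line(line):
    """Split one line into its two timestamps, the sending device and the message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "source": m["source"],
        "host_ts": datetime.strptime(f"{m['host_ts']} {HOST_YEAR}", TS_FMT),
        "router_ts": datetime.strptime(f"{m['rtr_ts']} {HOST_YEAR}", TS_FMT),
        "msg": m["msg"],
    }


def analyse(log_text, skew_tolerance_s=300):
    """Return (alerts, events): alerts are strings, events the parsed records."""
    alerts, events, skew_reported = [], [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        events.append(rec)
        skew = abs((rec["router_ts"] - rec["host_ts"]).total_seconds())
        if skew > skew_tolerance_s and rec["source"] not in skew_reported:
            skew_reported.add(rec["source"])      # one skew alert per device
            alerts.append(f"{rec['source']}: router clock differs from syslog host by "
                          f"{skew / 3600:.1f} h; check NTP before trusting its timestamps")
        m = CONFIG_RE.search(rec["msg"])
        if m and m["src"] not in MANAGEMENT_STATIONS:
            alerts.append(f"{rec['source']}: configuration changed from unexpected host {m['src']}")
    return alerts, events


if __name__ == "__main__":
    found, parsed = analyse(SAMPLE_LOG)
    print(f"{len(parsed)} events, {len(found)} alerts")
    for a in found:
        print("ALERT", a)
```

Neither timestamp carries a year, so the check can only measure the in-year difference; even so, the slide's line shows the router almost two weeks ahead of the host, which is enough to fail correlation.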


Catalyst Security

  • Set passwords & SNMP

    • set password

    • set enablepass

    • set snmp community read-only fO0bAr

  • Control access to telnet and SNMP

    • set ip permit enable

    • set ip permit 172.100.101.102

    • set ip permit diablo.cisco.com

    • set ip permit 172.160.161.0 255.255.192.0

  • Console timeout

    • set logout 5 (5 minutes, versus the default of 20)


Catalyst Security

  • Use TACACS for login

    • set authentication login tacacs enable

    • set authentication enable tacacs enable

    • set tacacs key secretkey

    • set tacacs server 144.254.5.9

  • Use logging

    • set logging console disable

    • set logging server 144.254.5.5

    • set logging server enable

    • set logging session enable


III. Resource Protection

  • Individual Resources

  • Threats

  • Avoidance measures


Spoofing

interface Serial 1
 ip address 172.26.139.2 255.255.255.252
 ip access-group 111 in
 no ip directed-broadcast
!
interface ethernet 0/0
 ip address 10.1.1.100 255.255.0.0
 no ip directed-broadcast
!
! Drop packets arriving from outside that claim a loopback or an inside source address
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
! (the permit entries for legitimate inbound traffic follow these; a list ends with an implicit deny)

[Diagram: host 172.16.42.84 on the Serial 1 side sends IP (D=10.1.1.2 S=10.1.1.1), a packet carrying a source address from the inside 10.1.0.0 network, toward inside host 10.1.1.2.]


Source Routing

interface Serial 1
 ip address 172.16.139.2 255.255.255.252
 ip access-group 111 in
!
! Source routing is disabled globally, not per interface
no ip source-route
!
access-list 111 permit ip 10.16.0.0 0.0.255.255 any

[Diagram: the private network 10.16.0.0 sits behind Serial 1; an outside host sends a source-routed packet announcing “I'm 10.16.99.99, and here's the route back to me”.]

RFC 792: Internet protocol


Cisco IOS with an Access List

interface ethernet 0/0
 ip address 172.16.1.100 255.255.0.0
!
interface ethernet 0/1
 ip address 172.17.1.100 255.255.0.0
 ip access-group 111 in
 no ip unreachables
 no ip redirects
!
access-list 111 permit tcp any host 172.16.1.1 eq smtp
access-list 111 permit tcp any host 172.16.1.1 established
access-list 111 permit icmp any host 172.16.1.1

[Diagram: e0/0 faces the 172.16.0.0 side, where host 172.16.1.1 resides; e0/1 faces the 172.17.0.0 side, where list 111 is applied inbound.]
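How the router applies the lists on the Spoofing slide and on this one can be made concrete with a small evaluator. The Python below is an added example, not Cisco's code: it parses access-list lines in the form the slides use and walks them first-match-wins with the implicit deny at the end, which is how an inbound “ip access-group” behaves. The sample packets and the outside address 192.0.2.7 are constructed. Note that “established” matches on the ACK or RST bit of the TCP header, so it passes reply traffic but not a new connection attempt.

```python
"""Evaluate IOS-style extended access lists against packets.

Added example, not part of the slides: a small model of how an inbound
"ip access-group" is applied, first match wins with an implicit deny at the
end, covering the entry forms used on the Spoofing and access-list slides
("host", "any", wildcard masks, "eq <port>", "established").  The packets
at the bottom are constructed samples.
"""
from dataclasses import dataclass
import ipaddress

PORTS = {"smtp": 25, "pop3": 110, "ident": 113, "snmp": 161, "telnet": 23}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST set: what "established" matches


def wildcard_match(addr, network, wildcard):
    """IOS wildcard masks: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list N permit|deny proto src dst [eq port] [established]'."""
    entries = []
    for line in lines:
        t = line.lower().split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        port, established = None, False
        while rest:
            if rest[0] == "eq":
                port = PORTS.get(rest[1]) or int(rest[1])
                rest = rest[2:]
            elif rest[0] == "established":
                established, rest = True, rest[1:]
            else:
                rest = rest[1:]
        entries.append((action, proto, src, dst, port, established))
    return entries


def evaluate(entries, pkt):
    """Return 'permit' or 'deny' from the first matching entry; implicit deny."""
    for action, proto, src, dst, port, established in entries:
        if proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, *src) and wildcard_match(pkt.dst, *dst)):
            continue
        if port is not None and pkt.dport != port:
            continue
        if established and not pkt.ack_or_rst:
            continue
        return action
    return "deny"


# Anti-spoofing denies from the Spoofing slide, then the mail-host entries
ACL_111 = parse_acl([
    "access-list 111 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 111 deny ip 10.1.0.0 0.0.255.255 any",
    "access-list 111 permit tcp any host 172.16.1.1 eq smtp",
    "access-list 111 permit tcp any host 172.16.1.1 established",
    "access-list 111 permit icmp any host 172.16.1.1",
])

SAMPLE_PACKETS = [                                                   # constructed
    Packet("tcp", "10.1.1.1", "10.1.1.2", 25),                       # inside source arriving from outside
    Packet("tcp", "192.0.2.7", "172.16.1.1", 25),                    # new inbound mail connection
    Packet("tcp", "192.0.2.7", "172.16.1.1", 1080, ack_or_rst=True), # reply to a connection the host opened
    Packet("tcp", "192.0.2.7", "172.16.1.1", 23),                    # new inbound telnet attempt
    Packet("udp", "192.0.2.7", "172.16.1.1", 161),                   # SNMP from outside
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(evaluate(ACL_111, p), p)
```

The order of entries matters: the two deny lines sit first so that a packet with an inside source never reaches the permits, and nothing after the last permit is needed because the implicit deny drops the rest.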


Cisco IOS Firewall Feature Set

logging 172.16.27.131
ip inspect audit-trail
ip inspect dns-timeout 10
ip inspect tcp idle-time 60
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tcp timeout 3600
!
interface Ethernet 0
 ip address 172.16.1.100 255.255.0.0
 ip inspect myfw in
!
interface Serial 0
 ip address 172.19.139.1 255.255.255.248
 ip access-group 111 in
!
access-list 111 permit tcp any host 172.16.1.1 eq smtp
access-list 111 permit tcp any host 172.16.1.1 eq pop3
access-list 111 permit tcp any host 172.16.1.1 eq ident

[Diagram: e0 is the inside interface where “myfw” inspects outbound sessions; s0 is the outside interface where list 111 is applied inbound.]



Firewall Protection

[Diagram: the Internet connects through a screening router to a demilitarized zone (DMZ) holding the DNS, Mail and WWW servers.]

  • Use access control lists on the screening router to control traffic

  • Isolate each server from traffic with a switch


Syn Attack

[Diagram: a stream of connection requests floods host 172.18.1.2, each from a different source address:
TCP syn (D=172.18.1.2 S=1.1.1.1)
TCP syn (D=172.18.1.2 S=1.1.1.2)
TCP syn (D=172.18.1.2 S=1.1.1.3)
TCP syn (D=172.18.1.2 S=1.1.1.4)
TCP syn (D=172.18.1.2 S=1.1.1.5)
TCP syn (D=172.18.1.2 S=2.1.1.1)
TCP syn (D=172.18.1.2 S=2.1.1.2)]


Cisco IOS Syn Attack Defense

ip tcp intercept list <access-list-number>
ip tcp intercept mode watch

  • How many session requests in the last one minute?

  • How many incomplete sessions are there?

  • How long do I wait for the final ack?

[Diagram: the three-way handshake the router watches: TCP syn, TCP syn/ack, TCP ack.]


Cisco IOS Firewall Feature Set Syn Attack Defense

ip inspect tcp synwait-time [seconds]
ip inspect tcp finwait-time [seconds]
ip inspect tcp idle-time [seconds]

  • How many session requests in the last one minute?

  • How many incomplete sessions are there?

  • How long do I wait for the final ack?

[Diagram: the three-way handshake being inspected: TCP syn, TCP syn/ack, TCP ack.]
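The three questions on the two SYN-defence slides map onto a small amount of connection state. The Python below is an added example, not Cisco's TCP intercept or inspection implementation: it watches SYNs and ACKs for a constructed flood plus one legitimate client, counts requests in the last minute and incomplete handshakes, and drops half-open entries once the synwait time passes, which is the point at which the router would reset the connection. The 30-second timeout, the 100-connection high-water mark and all addresses are constructed.

```python
"""Model the 'watch' behaviour of TCP intercept: track half-open connections
and give up on those that never complete the handshake.

Added example, not Cisco's implementation.  Timeouts, thresholds, the
flood from 1.1.1.x and the single legitimate client are constructed.
"""
from collections import deque


class SynWatch:
    def __init__(self, synwait_s=30, high_water=100):
        self.synwait_s = synwait_s          # how long to wait for the final ACK
        self.high_water = high_water        # incomplete connections before aggressive mode
        self.half_open = {}                 # flow tuple -> time the SYN was seen
        self.recent_syns = deque()          # SYN arrival times within the last 60 s
        self.reset_sent = []                # flows abandoned after synwait_s

    def tick(self, now):
        """Expire old SYN-rate samples and half-open entries that timed out."""
        while self.recent_syns and now - self.recent_syns[0] >= 60:
            self.recent_syns.popleft()
        for flow, seen in list(self.half_open.items()):
            if now - seen >= self.synwait_s:
                del self.half_open[flow]
                self.reset_sent.append(flow)

    def observe(self, now, flow, flags):
        """Feed one packet; flow is (src, sport, dst, dport), flags 'SYN' or 'ACK'."""
        self.tick(now)
        if flags == "SYN":
            self.half_open[flow] = now
            self.recent_syns.append(now)
        elif flags == "ACK" and flow in self.half_open:
            del self.half_open[flow]        # three-way handshake completed

    def requests_last_minute(self):
        return len(self.recent_syns)

    def incomplete(self):
        return len(self.half_open)

    def aggressive(self):
        return self.incomplete() > self.high_water


# Constructed events: five SYNs from addresses that never answer, one real client
EVENTS = [
    (0, ("1.1.1.1", 40000, "172.18.1.2", 80), "SYN"),
    (1, ("1.1.1.2", 40000, "172.18.1.2", 80), "SYN"),
    (2, ("1.1.1.3", 40000, "172.18.1.2", 80), "SYN"),
    (3, ("1.1.1.4", 40000, "172.18.1.2", 80), "SYN"),
    (4, ("1.1.1.5", 40000, "172.18.1.2", 80), "SYN"),
    (4, ("192.0.2.5", 51000, "172.18.1.2", 80), "SYN"),
    (5, ("192.0.2.5", 51000, "172.18.1.2", 80), "ACK"),
]


def run(events, synwait_s=30, high_water=100):
    """Replay events into a fresh watcher and return it."""
    w = SynWatch(synwait_s, high_water)
    for now, flow, flags in events:
        w.observe(now, flow, flags)
    return w


if __name__ == "__main__":
    w = run(EVENTS)
    print(w.requests_last_minute(), "requests in the last minute,", w.incomplete(), "incomplete")
    w.tick(35)
    print(len(w.reset_sent), "half-open connections dropped after synwait")
```

The legitimate client completes its handshake and leaves the table; the five flood entries sit there until the synwait timer fires. Shortening that timer, which is what “ip inspect tcp synwait-time” and the intercept timeouts tune, bounds how much table space a flood can hold at once.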



Dynamic Routing Protocols

Path Redundancy to Route Around Failures


Route Update Authentication and Integrity

[Diagram: the sender assembles the packet as IP HDR | Key | Route Update Data, runs it through a hash function to produce a Signature, then reassembles the packet as IP HDR | Signature | Route Update Data and sends it to the wire.]
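The diagram's construction can be followed in code. The Python below is an added example, not the slides' or Cisco's: the sender hashes the update together with the shared key and transmits the digest in the key's place, and the receiver recomputes the digest with its own copy of the key. The on-the-wire field layout of RIPv2 or OSPF MD5 authentication is not reproduced, the IP header is left outside the hashed region, and the sequence number that rejects replayed updates is the example's own addition; key and update contents are constructed.

```python
"""Keyed-hash authentication of a routing update, following the slide's diagram.

Added example, neither the slides' nor any vendor's code.  The sender hashes
seq || route data || key and sends the digest where the key sat; the receiver
rebuilds the input with its own key and compares.  The sequence number is
the example's own addition.  Key and update contents are constructed.
"""
import hashlib
import hmac
import struct

KEY_FIELD_LEN = 16   # keys travel in a fixed-size field, zero-padded


def _key_field(key):
    return key.ljust(KEY_FIELD_LEN, b"\0")[:KEY_FIELD_LEN]


def sign_update(seq, route_data, key):
    """Return seq || route_data || MD5(seq || route_data || key): the digest
    occupies the slot where the key sat in the hashed input."""
    body = struct.pack("!I", seq) + route_data
    return body + hashlib.md5(body + _key_field(key)).digest()


class Neighbor:
    """Receiver state for one routing neighbour: its key and last sequence seen."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, packet):
        """True only if the digest verifies under our key and the sequence advances."""
        if len(packet) < 4 + 16:
            return False
        body, signature = packet[:-16], packet[-16:]
        expected = hashlib.md5(body + _key_field(self.key)).digest()
        if not hmac.compare_digest(expected, signature):
            return False                      # wrong key or altered update
        seq = struct.unpack("!I", body[:4])[0]
        if seq <= self.last_seq:
            return False                      # replayed or stale update
        self.last_seq = seq
        return True


SHARED_KEY = b"constructed-key"                                          # constructed
UPDATE = b"RIPv2 response: 10.0.0.0/8 metric 1; 10.20.0.0/16 metric 2"  # constructed


def demo():
    """Run the exchange once; returns the verdicts for a good update, a replay,
    an update signed with a guessed key, a tampered update and the next good one."""
    rx = Neighbor(SHARED_KEY)
    good = sign_update(1, UPDATE, SHARED_KEY)
    tampered = bytearray(sign_update(2, UPDATE, SHARED_KEY))
    tampered[-20] ^= 0x01                     # flip a bit in the route data
    return [
        rx.accept(good),
        rx.accept(good),                                           # same packet again
        rx.accept(sign_update(2, UPDATE, b"guessed-key")),
        rx.accept(bytes(tampered)),
        rx.accept(sign_update(2, UPDATE, SHARED_KEY)),
    ]


if __name__ == "__main__":
    print(demo())
```

Because the key never appears on the wire, a peer that does not hold it cannot produce an acceptable digest for any update, altered or not; the sequence check closes the remaining gap, replaying an update that was once valid.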


Route Filtering

router rip
 network 10.0.0.0
 distribute-list 1 in
!
access-list 1 deny 0.0.0.0
access-list 1 permit 10.0.0.0 0.255.255.255

Router# show ip protocol
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 12 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is 1
  Redistributing: rip
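The distribute-list on this slide uses a standard access list to decide which advertised networks are accepted. The Python below is an added example, not from the presentation: it parses standard access-list entries and applies them to a constructed set of advertised routes, so the effect of the explicit deny of 0.0.0.0 and of the implicit deny after the permit for 10.0.0.0/8 can be seen.

```python
"""Apply a standard access list as an inbound RIP distribute-list.

Added example, not part of the slides: models "distribute-list 1 in" with
access-list 1 from the Route Filtering slide.  The list is matched against
each advertised network, first match wins, implicit deny after the last
entry.  The advertised routes below are constructed.
"""
import ipaddress


def wildcard_match(addr, network, wildcard):
    """IOS wildcard masks: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


def parse_standard_acl(lines, number):
    """Parse 'access-list N permit|deny {any | A.B.C.D [W.W.W.W]}' entries for list N."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number):
            continue
        action, target = t[2], t[3]
        if target == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            network, wildcard = target, (t[4] if len(t) > 4 else "0.0.0.0")
        entries.append((action, network, wildcard))
    return entries


def filter_routes(entries, advertised):
    """Split advertised 'network/prefixlen' strings into (accepted, rejected)."""
    accepted, rejected = [], []
    for route in advertised:
        network = route.split("/")[0]
        verdict = "deny"                       # implicit deny at the end of the list
        for action, n, w in entries:
            if wildcard_match(network, n, w):
                verdict = action
                break
        (accepted if verdict == "permit" else rejected).append(route)
    return accepted, rejected


ACL_1 = parse_standard_acl([
    "access-list 1 deny 0.0.0.0",
    "access-list 1 permit 10.0.0.0 0.255.255.255",
], 1)

# Constructed set of routes a neighbour might advertise
ADVERTISED = ["0.0.0.0/0", "10.2.0.0/16", "10.200.1.0/24", "172.16.0.0/16", "192.168.1.0/24"]

if __name__ == "__main__":
    kept, dropped = filter_routes(ACL_1, ADVERTISED)
    print("learned:", kept)
    print("filtered:", dropped)
```

The deny for 0.0.0.0 is the entry that matters most in practice: without it a neighbour can inject a default route and attract all traffic the router has no more specific path for.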


Secure Vital Services

  • Network Time Protocol Sources

  • Domain Name Servers

  • Certificate Authority


Session Protection through Network Layer Encryption

[Diagram: two sites hold the same Shared Secret Key; DES encrypts the cleartext at one end, the ciphertext crosses the Internet, and DES decrypts it back to cleartext at the other end.]

IPSec—the IETF working group defining IP Security


NetRanger

[Diagram: several NetRanger Sensors report to a central NetRanger Director.]

  • Sensors watch for attacks or problems

  • NetRanger stops active attacks


Vulnerability Scanning

[Diagram: a scanner examining several targets.]

  • Network mapping

    • Identify live hosts

    • Identify services on hosts

  • Vulnerability scanning

    • Analyse discovery data for potential vulnerabilities

    • Confirm vulnerabilities on targeted hosts


VI. Security Maintenance Validation

What steps can you take to make sure that your network will continue to be secure?


Modeling Tools

  • NetSys Modeling can verify the access controls in your network

0937_03F8_c2 NW98_Africa_405

Protecting the Internet from your site!

  • Anti-spoofing at exit points

  • Local traffic tracing ability


Implementation

  • Many things that can be done

  • From a policy

    • Identify immediate need

    • Deploy configuration changes

    • Review need for additional work

  • Does not require upgrades and $$

    • Apart from AAA server, crypto

    • Use existing servers for some logging

    • Obviously needs human resource


Where to get more information?

  • Security URLs:

    • Increasing Security On IP Networks: http://www.cisco.com/warp/public/701/31.html

    • Security Configuration Guide (11.2): http://www.cisco.com/univercd/cc/td/doc/product/software/ios112/112cg_cr/2cbook/index.htm

    • Computer Operations, Audit, and Security Technology (COAST): http://www.cs.purdue.edu//coast/coast.html

    • CERT Coordination Center: http://www.cert.org/


1047_03F8_c1
NWA-98-111