Device Security - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Device Security' - july

Presentation Transcript

Device Security
  • A device is a node helping to form the topology of the network.
  • A compromised device may be used by the attacker as a jumping board.
  • A DoS attack may be launched against a device.
  • Device security is an important and required step in ensuring infrastructure security in a network.

Network Security

Layered view of device security(Figure 3-1)
  • Physical security
    • confidentiality, integrity, availability
    • Is the device placed in a secure location?
    • What happens if the power is cut off?
  • Logical security
    • Securing the device against nonphysical attacks
    • Static core configuration of the device
    • Dynamic configuration and performance
    • Network traffic flow through the device
  • The security of each layer depends on the security of the layers within.

Physical security

Considerations:

  • Using redundant devices?
  • Network topology (serialized, star, fully meshed?)
  • Where to place the network devices?
  • Media security (wire tapping, physical eavesdropping)
  • Adequate/uninterrupted power supply
  • Disasters

Device Redundancy
  • A backup device (router, switch, gateway, …) is configured to take over the functionality of a failed active device.
  • Means of achieving redundancy:
    • Use routing to enable redundancy
    • Use a redundancy protocol
      • Hot Standby Router Protocol (HSRP)
      • Virtual Router Redundancy Protocol (VRRP)
      • Failover protocols: a feature of Cisco PIX firewalls

Security of major devices
  • How to protect the device against attacks aimed at compromising the device itself
    • Routers
    • Firewalls
    • Switches
    • Authentication servers
    • Wireless access points

Steps to secure a device (hardening):
  • Login banner messages
  • Controlling SNMP as a management protocol
  • Controlling HTTP as a management protocol
  • Using CEF as a switching mechanism
  • Setting up the scheduler from a security perspective
  • Using the Network Time Protocol (NTP)
  • Capturing core dumps
  • Using service nagle to improve Telnet access during high CPU events
  • Physical security
  • Password management
  • ROMmon (ROM monitor, or the bootstrap program)
  • Controlling access to the device (tty, vty ports)
  • Securing access to the device (via SSH)
  • Backup of configuration files and the device software
  • Logging events on the device
  • Disabling unnecessary services

Password Management
  • Passwords stored on the router should be properly encrypted.
  • By default, passwords are stored either as type 0 (clear text) or as type 7 (weak, reversible encryption).
  • Enable password encryption with the global command:

      service password-encryption

  • Note: this command produces type 7 storage, which is still reversible; use enable secret (a one-way hash) for the privileged password.

ROMmon
  • ROM monitor (aka the bootstrap program)
  • Source: http://www.cisco.com/en/US/docs/routers/access/800/801/software/configuration/guide/rommon.html#wp1013650
    • “The ROM monitor firmware runs when the router is powered up or reset.”
    • “The firmware helps to initialize the processor hardware and boot the operating system software.”
    • “You can use the ROM monitor to perform certain configuration tasks, such as recovering a lost password or downloading software over the console port.”
  • The no service password-recovery command is a security enhancement that prevents the break key sequence from completing, and therefore prevents entry into ROMmon mode.

Controlling access to the router
  • A tty port (console port) is physically connected to a terminal or workstation for local administrative access to the router.
  • A vty (virtual tty) port is used to allow remote in-band connection sessions, via telnet, ssh, or rlogin.
  • An aux port, similar to a tty port, is connected to a modem for remote out-of-band administrative access to the router.
    • In most cases the aux port should be disabled.
    • Out-of-band management (http://en.wikipedia.org/wiki/Out-of-band_management)

Vulnerabilities of tty or aux ports
  • A tty or aux port may be subject to a reverse telnet attack, in which the terminal server connected to the tty port, or the modem connected to the aux port, is used by the attacker (as a remote client) to access the router.
  • Reverse Telnet (as defined in Wikipedia)

Reverse Telnet (cont.)
  • An example:

What is Reverse Telnet and how do I configure it?

“Reverse Telnet gives you the ability to telnet to a device, and then console to another device from there. For example, you could telnet to a router, and then console into a switch, or a modem, or anything that has a console port. There are a lot of devices out there that don’t have remote access built into them; their only option is a console session. Well, this will allow you to remotely manage these devices.”

“You need a straight through cable going from the console port of the console-only device to the AUX port on your router.”

Normal telnet (figure not included in the transcript)

Reverse Telnet (figure not included in the transcript)

Vulnerabilities of tty or aux ports
  • Solution?
    • Disable the console port:

      line con 0
       transport input none

    • Or allow only SSH access to the router’s console port (a feature added in IOS 12.2 or later):

      line con 0
       login authentication default
       rotary 1
       transport input ssh
      ip ssh port 2001 rotary 1

      • Requirement: the router must be set up as an SSH server.

Controlling vty access
  • Restricted access: only allow the protocols that will be used by the network admin.
    • Since Cisco IOS v11.1, the default is none.
    • Example: to allow only telnet and ssh connections:

      line vty 0 4
       transport input telnet ssh

  • Only addresses in an access list are allowed to connect: define the list with access-list and apply it to the vty lines with access-class.
  • Short timeouts:
    • The default timeout value is 10 minutes. To set it to 5 min. 30 sec.:

      line vty 0 4
       exec-timeout 5 30

  • Authentication for vty access: either local or RADIUS authentication (preferred).
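The console, aux and vty controls on the last few slides can be checked mechanically against a saved configuration. The following Python script is an added example, not from the slides or from Cisco: it parses the line stanzas of a running-config (the sample config is constructed for this example) and reports aux ports left open, vty lines that accept telnet, missing access-class entries, exec-timeouts longer than 5 min 30 sec, and lines without login authentication. The 10-minute default and the meaning of exec-timeout 0 0 (never) are IOS behaviour; the thresholds and message texts are this example's own choices.

```python
"""Audit the console, aux and vty line stanzas of a Cisco IOS running-config."""
import re

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_LINE_CONFIG = """\
hostname edge-rtr
!
line con 0
 login authentication default
 transport input none
line aux 0
 transport input all
line vty 0 4
 exec-timeout 30 0
 login
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 exec-timeout 5 30
 login authentication default
 transport input ssh
!
end
"""

MAX_TIMEOUT_SECONDS = 5 * 60 + 30   # the slides' suggested 'exec-timeout 5 30'


def parse_line_stanzas(config_text):
    """Return {"line vty 0 4": [sub-commands], ...} for every line stanza.

    A stanza starts with an unindented 'line ...' command; its sub-commands
    follow on indented lines, and any other unindented command ends it.
    """
    stanzas = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def exec_timeout_seconds(commands):
    """Translate 'exec-timeout MIN [SEC]' to seconds.

    The IOS default is 10 minutes; 'exec-timeout 0 0' disables the timeout,
    which this function reports as infinity so it is always flagged.
    """
    for cmd in commands:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            total = int(m.group(1)) * 60 + int(m.group(2) or 0)
            return float("inf") if total == 0 else total
    return 10 * 60


def audit_line_stanzas(config_text):
    """Return sorted (stanza, finding) pairs for deviations from the slides' advice."""
    findings = []
    for header, cmds in parse_line_stanzas(config_text).items():
        transport = [c for c in cmds if c.startswith("transport input")]
        allowed = transport[-1].split()[2:] if transport else None
        is_vty = header.startswith("line vty")
        is_con = header.startswith("line con")

        if header.startswith("line aux") and allowed != ["none"]:
            findings.append((header, "aux port not disabled (expected 'transport input none')"))
        if is_vty:
            if allowed is None:
                findings.append((header, "transport input not set explicitly; default depends on IOS version"))
            elif "all" in allowed or "telnet" in allowed:
                findings.append((header, "telnet/any transport accepted; allow ssh only"))
            if not any(c.startswith("access-class") for c in cmds):
                findings.append((header, "no access-class limiting source addresses"))
            if exec_timeout_seconds(cmds) > MAX_TIMEOUT_SECONDS:
                findings.append((header, "exec-timeout longer than 5 min 30 sec"))
        if (is_vty or is_con) and not any(
                c == "login" or c.startswith("login authentication") for c in cmds):
            findings.append((header, "no login / login authentication configured"))
    return sorted(findings)


if __name__ == "__main__":
    for stanza, message in audit_line_stanzas(SAMPLE_LINE_CONFIG):
        print(f"{stanza}: {message}")
```

Run against the sample, the script reports the open aux port and three problems on line vty 0 4, while line vty 5 15 (ssh only, access-class applied, 5 min 30 sec timeout, AAA login) passes cleanly. Feed it the output of show running-config to audit a real device.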

Securing access to the router using encryption
  • IPsec VPN client (preferred; more details in Ch 13)
    • Two cases:
      • The VPN client accesses a back-end LAN (the destination) by building a tunnel between itself and a router (the IPsec gateway), behind which the LAN is located.
      • The VPN client is used to remotely administer the router, which is then both the gateway and the destination.
  • SSH: Only SSH v1 is supported by Cisco IOS

Logging events
  • Advantages: allows auditing and tracking, which supports
    • forensics (in case of an attack)
    • performance tuning (maintenance)
  • Requirement: good time stamping, using NTP

Disable unnecessary services
  • If a service is not being actively used on a device, it should be disabled.
  • Otherwise it may be used as a back door for the attacker to gain access to the device.
  • Sample services to be disabled: TCP small servers, UDP small servers, Finger server, …

Access control based on loopback
  • Reserve a block of IP addresses to be used as the loopback addresses of a group of routers.
  • Router IDs: all routers can be forced to use these loopback IP addresses as source addresses when accessing the servers.
  • Access control: the servers can then be locked down to allow access only from this block of IP addresses.
  • Accesses from addresses outside this block are denied.
  • Examples (next)

Examples of access control based on loopback
Source: http://ws.edu.isoc.org/data/2004/112350407740360107a09f9/loopback-1up.pdf
  • TFTP Server Access
    • TFTP is the most common tool for uploading and downloading configurations.
    • The TFTP server's security is critical, so access to it should always be restricted by IP source address.
    • IOS Software allows TFTP to be configured to use a specific IP interface address. This allows a fixed ACL on the TFTP server based on a fixed address on the router (for example, the loopback interface):

      ip tftp source-interface Loopback0

Examples of access control based on loopback (cont.)
  • Source: http://ws.edu.isoc.org/data/2004/112350407740360107a09f9/loopback-1up.pdf (slide 12)
  • TACACS+ distributed authentication system for management access to routers
    • Configure TACACS+ so that the loopback address is used in packets originating from the router
    • Configuration example:

      ip tacacs source-interface Loopback0
      tacacs-server host 215.17.1.1
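To show the server side of the loopback scheme above, here is an added Python example (not from the slides or the ISOC material): it renders the allow-list as an IOS standard ACL in wildcard-mask form, evaluates requests against it first-match with the implicit deny at the end, and classifies a constructed request log. The loopback block 198.51.100.0/27, the ACL number and every address in the log are constructed documentation values.

```python
"""Server-side access control keyed on a block of router loopback addresses."""
import ipaddress

# Constructed: the block from which every router's Loopback0 address is assigned.
LOOPBACK_BLOCK = "198.51.100.0/27"

# Constructed request log as a TFTP/TACACS+ server would see it: (service, source).
# Routers using 'ip tftp source-interface Loopback0' / 'ip tacacs source-interface
# Loopback0' show their loopback address; 192.0.2.9 models a router that lacks the
# source-interface command; 203.0.113.7 models a host outside the infrastructure.
REQUESTS = [
    ("tftp", "198.51.100.3"),
    ("tftp", "192.0.2.9"),
    ("tacacs", "198.51.100.17"),
    ("tacacs", "203.0.113.7"),
    ("tftp", "not-an-address"),
]


def acl_for_block(number, block):
    """Render an IOS standard ACL permitting only the loopback block (wildcard-mask form)."""
    net = ipaddress.ip_network(block)
    return (f"access-list {number} remark management access from router loopbacks only\n"
            f"access-list {number} permit {net.network_address} {net.hostmask}\n"
            f"access-list {number} deny any\n")


def parse_acl(text):
    """Parse 'access-list N permit|deny (any | host A | A [wildcard])' lines.

    Returns (action, base_address_int, wildcard_int) tuples in order.
    """
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            continue  # skips remarks and anything that is not a rule
        action = parts[2]
        if parts[3] == "any":
            rules.append((action, 0, 0xFFFFFFFF))
        elif parts[3] == "host":
            rules.append((action, int(ipaddress.IPv4Address(parts[4])), 0))
        else:
            base = int(ipaddress.IPv4Address(parts[3]))
            wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
            rules.append((action, base, wildcard))
    return rules


def acl_permits(rules, source):
    """First-match evaluation with the implicit 'deny any' at the end of every IOS ACL."""
    addr = int(ipaddress.IPv4Address(source))
    for action, base, wildcard in rules:
        # wildcard bits set to 1 are don't-care bits, so force them on both sides
        if (addr | wildcard) == (base | wildcard):
            return action == "permit"
    return False


def filter_requests(acl_text, requests):
    """Decide each (service, source) request; malformed sources are denied."""
    rules = parse_acl(acl_text)
    decisions = []
    for service, source in requests:
        try:
            permitted = acl_permits(rules, source)
        except ipaddress.AddressValueError:
            permitted = False
        decisions.append((service, source, "permit" if permitted else "deny"))
    return decisions


if __name__ == "__main__":
    acl = acl_for_block(10, LOOPBACK_BLOCK)
    print(acl)
    for service, source, verdict in filter_requests(acl, REQUESTS):
        print(f"{service:7s} {source:16s} {verdict}")
```

The router that forgot ip tftp source-interface Loopback0 shows up with an interface address and is denied, which is the failure mode to watch for when rolling this scheme out: the server log, not the router, is where it becomes visible.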

Banner messages
  • Informational messages displayed to users who connect to the device
  • Warn unauthorized users that their activity is prohibited and that they are being monitored and logged
  • Useful for law enforcement and system admins
  • Sequence:
    • MOTD banner
    • Login banner
    • login session
    • EXEC banner (or incoming banner, for reverse Telnet lines): displayed once the user can enter commands; shows the context

Backup of the Device Software
  • Cisco IOS Resilient Configuration feature
  • Enables a router to secure a working copy of the running image and configuration (the primary bootset)
  • Those files can withstand malicious attempts to erase the contents of persistent storage
  • Those secure files are protected by the IOS File System (IFS); they cannot be removed by the user
  • Commands:

      secure boot-image
      secure boot-config

Check the Default Settings
  • Disable unnecessary services
    • Finger, FTP, HTTP, …
  • Disable potentially insecure services, which may be used by the attacker to map or exploit the network
    • IP source routing
    • IP mask reply
    • IP redirects
  • The Auto-Secure feature
    • Disables common IP services that can be exploited
    • Enables IP services and features that can aid in defending the network

Using NTP
  • Network Time Protocol
  • Critical for services requiring good time stamping: logging, AAA, Kerberos, …
  • Challenge: authentication between devices exchanging NTP information

Controlling SNMP
  • An application layer protocol facilitating the exchange of information between network devices
  • Can be used in read-only and ‘read and write’ modes
  • Unless necessary, use read-only mode on routers.
  • The ‘read and write’ mode allows the admin to modify the router’s configuration via SNMP.
  • Access into the network via SNMP should be blocked at the network’s boundary.
  • Security of SNMP:
    • v1 and v2 use ‘community strings’ as the only authentication mechanism. (Not secure)
    • v3 is more secure by providing MD5 or SHA for authentication, and DES for encryption.

Controlling SNMP (cont.)
  • SNMP v3 threats vs protections (table not included in the transcript)

Controlling HTTP (as a management protocol)
  • Unless necessary, HTTP access to the router should be disabled.
  • The HTTP protocol provides little security.
  • The default authentication sends the password as clear text.
  • Admin access to the router via HTTP should be secured by activating authentication.
  • Ideally, a secure connection via VPN or SSL should be used (example: HTTPS).
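The password-management, default-settings, NTP, SNMP and HTTP items on the preceding slides are all global commands, so they can be audited with simple line matching rather than stanza parsing. The script below is an added example, not the slides' or Cisco's code: it inspects two constructed configurations, one weak and one after applying the slides' advice, and returns a list of findings. The hashes are placeholders and the type 7 string is made up, not real credentials; the check identifiers such as snmp-rw are this example's own names.

```python
"""Audit the global part of a Cisco IOS running-config for the hardening items above."""
import re

# Constructed sample running-config (not from a real device); the type 7 string
# and the secret hashes are placeholders, not real credentials.
WEAK_CONFIG = """\
service timestamps log datetime msec
no service password-encryption
hostname core-rtr
enable secret 5 $1$PLACEHOLDER$hashgoeshere
enable password cisco123
username ops password 7 0A0B0C0D0E0F
ip http server
snmp-server community public RO
snmp-server community private RW
ntp server 192.0.2.10
service finger
end
"""

# The same device after applying the slides' advice (also constructed).
HARDENED_CONFIG = """\
service timestamps log datetime msec
service password-encryption
hostname core-rtr
enable secret 5 $1$PLACEHOLDER$hashgoeshere
username ops secret 5 $1$PLACEHOLDER$hashgoeshere
no ip source-route
ip http secure-server
ip http authentication local
snmp-server community s3cr3t-ro RO
ntp authenticate
ntp server 192.0.2.10
end
"""

PASSWORD_RE = re.compile(r"^(?:enable password|username \S+ password|password)(?: (\d+))? \S+$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?")
UNNEEDED_SERVICES = ("service tcp-small-servers", "service udp-small-servers",
                     "service finger", "ip finger")


def classify_password_line(line):
    """'clear' for type 0, 'type7' for reversible type 7, 'other' otherwise, None if no password."""
    m = PASSWORD_RE.match(line)
    if not m:
        return None
    kind = m.group(1)
    if kind is None or kind == "0":
        return "clear"
    return "type7" if kind == "7" else "other"


def audit_global_config(config_text):
    """Return a list of (check_id, detail) findings; an empty list means all checks passed."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    findings = []

    # Password management: encryption on, and no clear-text or type 7 passwords.
    if "service password-encryption" not in lines:
        findings.append(("password-encryption", "service password-encryption not enabled"))
    for l in lines:
        kind = classify_password_line(l.strip())
        if kind in ("clear", "type7"):
            redacted = re.sub(r"\S+$", "<redacted>", l.strip())  # never echo the secret
            findings.append((f"{kind}-password", redacted))

    # HTTP management: off unless needed, and authenticated if on.
    if "ip http server" in lines:
        findings.append(("http-server", "ip http server enabled; disable or use ip http secure-server"))
    http_on = any(l.startswith("ip http") and "server" in l for l in lines)
    if http_on and not any(l.startswith("ip http authentication") for l in lines):
        findings.append(("http-auth", "HTTP(S) management enabled without ip http authentication"))

    # SNMP: read-only, and no well-known community strings.
    for l in lines:
        m = SNMP_RE.match(l)
        if m:
            if m.group(2) == "RW":
                findings.append(("snmp-rw", "read-write SNMP community configured"))
            if m.group(1).lower() in ("public", "private"):
                findings.append(("snmp-default-community", "well-known community string in use"))

    # Default settings that should be turned off, and unneeded services.
    if "no ip source-route" not in lines:
        findings.append(("source-route", "IP source routing not disabled"))
    for svc in UNNEEDED_SERVICES:
        if svc in lines:
            findings.append(("unneeded-service", svc))

    # Logging and NTP: timestamps on, time synchronised and authenticated.
    if not any(l.startswith("service timestamps log datetime") for l in lines):
        findings.append(("log-timestamps", "log messages lack date/time stamps"))
    if not any(l.startswith("ntp server") for l in lines):
        findings.append(("ntp-missing", "no NTP server configured"))
    elif "ntp authenticate" not in lines:
        findings.append(("ntp-auth", "NTP configured without authentication"))
    return findings


if __name__ == "__main__":
    for check, detail in audit_global_config(WEAK_CONFIG):
        print(f"{check:24s} {detail}")
    print("hardened config findings:", audit_global_config(HARDENED_CONFIG))
```

Secrets are redacted in the findings so the audit output can itself be logged or attached to a ticket without leaking the very credentials it complains about.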

Using CEF as a switching mechanism
  • Cisco Express Forwarding
  • Routers using the traditional switching mechanisms need to update their routing caches when packets destined for new addresses arrive.
  • SYN floods and DDoS attacks use a large number of random or pseudo-random IP addresses as ultimate targets, so every such packet triggers a cache update.
  • CEF replaces the normal routing cache with data structures (the Forwarding Information Base, or FIB, and the Adjacency Table) that mirror the entire routing table.
  • It does away with the need to update the cache each time a new IP address needs to be routed to.

CEF Components
Source: http://www.cisco.com/en/US/docs/ios/12_1/switch/configuration/guide/xcdcef.html#wp1000922

  • Forwarding Information Base
    • CEF uses a FIB to make IP destination prefix-based switching decisions.
    • The FIB is conceptually similar to a routing table or information base. It maintains a mirror image of the forwarding information contained in the IP routing table.
    • When routing or topology changes occur in the network, the IP routing table is updated, and those changes are reflected in the FIB. The FIB maintains next-hop address information based on the information in the IP routing table.
    • Because there is a one-to-one correlation between FIB entries and routing table entries, the FIB contains all known routes and eliminates the need for route cache maintenance that is associated with switching paths such as fast switching and optimum switching.
  • Adjacency Tables
    • Nodes in the network are said to be adjacent if they can reach each other with a single hop across a link layer.
    • In addition to the FIB, CEF uses adjacency tables to prepend Layer 2 addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB entries.
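Why the FIB resists floods of random destinations becomes clearer with a toy model. The Python below is an added example, not from the slides or the Cisco documentation quoted above: a "route cache" switch that populates a per-destination cache on every miss, next to a "CEF" switch whose FIB mirrors a constructed four-entry routing table and resolves Layer 2 adjacencies at build time. The routing table, adjacency strings and interface names are made up for the example; the longest-prefix-match lookup is a plain linear scan rather than the trie a real implementation uses.

```python
"""Toy model of route-cache switching versus CEF under a random-destination flood."""
import ipaddress
import random

# Constructed routing table: (prefix, next hop or None if directly connected, interface).
ROUTING_TABLE = [
    ("0.0.0.0/0", "192.0.2.1", "Gi0/0"),
    ("10.0.0.0/8", "192.0.2.2", "Gi0/1"),
    ("10.1.0.0/16", "192.0.2.3", "Gi0/2"),
    ("203.0.113.0/24", None, "Gi0/3"),
]

# Constructed adjacency table: next hop -> Layer 2 rewrite (placeholder MAC strings).
ADJACENCY = {"192.0.2.1": "mac-aa", "192.0.2.2": "mac-bb", "192.0.2.3": "mac-cc"}


def longest_prefix_match(entries, dst):
    """Return the entry whose network matches dst with the most prefix bits.

    Each entry is a tuple whose first element is an ip_network; the default
    route matches everything, so a result is always found for IPv4 input.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for entry in entries:
        if addr in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best


class RouteCacheSwitch:
    """Fast switching: a per-destination cache filled on demand by a slow lookup."""

    def __init__(self, table):
        self.table = [(ipaddress.ip_network(p), nh, intf) for p, nh, intf in table]
        self.cache = {}
        self.misses = 0

    def forward(self, dst):
        if dst not in self.cache:
            self.misses += 1  # slow path: full lookup plus cache insert
            _, nh, intf = longest_prefix_match(self.table, dst)
            self.cache[dst] = (intf, nh)
        return self.cache[dst]


class CefSwitch:
    """CEF: the FIB mirrors the routing table; adjacencies are resolved at build time."""

    def __init__(self, table, adjacency):
        self.fib = []
        for p, nh, intf in table:
            l2 = adjacency[nh] if nh else "glean"  # connected prefix: resolve per host later
            self.fib.append((ipaddress.ip_network(p), intf, l2))

    def forward(self, dst):
        _, intf, l2 = longest_prefix_match(self.fib, dst)
        if l2 == "glean":
            l2 = f"arp-for-{dst}"
        return (intf, l2)  # no per-destination state is created


def simulate_flood(packet_count, seed=1):
    """Send packet_count packets to random destinations through both models."""
    rng = random.Random(seed)
    cache_sw = RouteCacheSwitch(ROUTING_TABLE)
    cef_sw = CefSwitch(ROUTING_TABLE, ADJACENCY)
    for _ in range(packet_count):
        dst = str(ipaddress.IPv4Address(rng.getrandbits(32)))  # random target, as in a SYN flood
        cache_sw.forward(dst)
        cef_sw.forward(dst)
    return {"cache_entries": len(cache_sw.cache), "cache_misses": cache_sw.misses,
            "fib_entries": len(cef_sw.fib)}


if __name__ == "__main__":
    print(simulate_flood(2000))
```

Under the flood the route cache grows by roughly one entry per packet and every packet takes the slow path, while the FIB stays at four entries and each packet costs one lookup. That is the difference the slide refers to when it says CEF does away with cache updates.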

Using the scheduler
  • scheduler allocate
  • scheduler interval
  • Purpose: to prevent the router from becoming too busy responding to the interrupts on its interfaces due to the large number of packets arriving during a large-scale network attack, esp. a DDoS attack

Using the scheduler (cont.)
  • Example (from: http://www.cymru.com/Documents/performance.html)

      scheduler allocate 4000 200   ! the default values

    • Where 4000 is the maximum number of microseconds to allocate to fast switching any single network interrupt context, and 200 is the minimum guaranteed number of microseconds to allocate to process-level tasks while network interrupts are masked.
    • In cases where extremely high network load presents itself on the interface of a router, it is possible that other tasks will not be able to run.
    • By default, Cisco IOS allocates 5% of the CPU time to the lower priority tasks. During a high load event, such as a DDoS, this default may be insufficient to ensure that other tasks acquire CPU time, such as routing protocol updates and CEF table maintenance.

Capturing core dumps
  • In the event of system crash, the core dump may provide useful info for tracking the attack(s).

Service nagle
  • Nagle is an algorithm that can be enabled as a service on a Cisco router, to allow the router to pace the TCP connection for Telnet in a way that reduces the burden on the CPU and generally improves the performance of the Telnet session:

      service nagle

  • More info (next)

From: http://www.ciscopress.com/articles/article.asp?p=27137&seqNum=7
  • The Nagle congestion-control algorithm is something that many ISPs turn on to improve the performance of their Telnet sessions to and from the router.
  • When using a standard TCP implementation to send keystrokes between machines, TCP tends to send one packet for each keystroke typed. On larger networks, many small packets use up bandwidth and contribute to congestion.
  • John Nagle's algorithm (RFC 896) helps alleviate the small-packet problem in TCP. In general, it works this way:
    • The first character typed after connection establishment is sent in a single packet, but TCP holds any additional characters typed until the receiver acknowledges the previous packet.
    • The second, larger packet is sent, and additional typed characters are saved until the acknowledgment comes back.
    • The effect is to accumulate characters into larger chunks and pace them out to the network at a rate matching the round-trip time of the given connection.
    • This method is usually good for all TCP-based traffic and helps when connectivity to the router is poor or congested or the router itself is busier than normal.
    • However, do not use the service nagle command when real-time traffic (like voice over IP) is processed on the router — performance will become very poor.
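The accumulate-and-pace behaviour described in the quoted article, and the reason it hurts real-time traffic, can be simulated. The Python below is an added example, not from the slides or the Cisco Press article: a toy sender that, under Nagle's rule, holds keystrokes while a segment is unacknowledged and flushes them together when the ACK arrives. The keystroke times and the 100 ms round-trip time are constructed; the reported worst-case delay is the cost the last bullet warns about for voice traffic.

```python
"""Keystroke pacing with and without Nagle's algorithm (RFC 896), as a toy sender model."""

# Constructed keystroke arrival times in milliseconds (one byte per keystroke).
KEYSTROKES_MS = [0, 10, 20, 30, 40, 150, 160, 170, 400]
RTT_MS = 100  # constructed round-trip time: a segment's ACK arrives RTT after it is sent


def segments_without_nagle(keystroke_times):
    """Plain interactive TCP: one segment per keystroke, sent at once."""
    return [(t, [t]) for t in keystroke_times]


def segments_with_nagle(keystroke_times, rtt):
    """Nagle's rule: while data is unacknowledged, hold new bytes and send them when the ACK arrives.

    Returns one (send_time, [keystroke times carried]) tuple per segment.
    """
    segments = []
    held = []        # keystrokes waiting for the outstanding ACK
    ack_due = None   # when the ACK for the segment in flight arrives; None if nothing in flight
    for t in keystroke_times:
        # deliver every ACK that arrived before this keystroke
        while ack_due is not None and ack_due <= t:
            if held:
                segments.append((ack_due, list(held)))  # the accumulated, larger segment
                held.clear()
                ack_due += rtt
            else:
                ack_due = None
        if ack_due is None:
            segments.append((t, [t]))   # nothing in flight: the byte goes immediately
            ack_due = t + rtt
        else:
            held.append(t)
    if held:
        segments.append((ack_due, list(held)))  # flush whatever is still waiting
    return segments


def max_added_delay(segments):
    """Worst extra latency any keystroke suffers by waiting inside a segment."""
    return max((sent - k for sent, keys in segments for k in keys), default=0)


def compare(keystroke_times, rtt):
    """Segment counts and worst-case delay for the two sender models."""
    plain = segments_without_nagle(keystroke_times)
    nagle = segments_with_nagle(keystroke_times, rtt)
    return {"segments_plain": len(plain), "segments_nagle": len(nagle),
            "bytes": sum(len(keys) for _, keys in nagle),
            "max_delay_nagle": max_added_delay(nagle)}


if __name__ == "__main__":
    print(compare(KEYSTROKES_MS, RTT_MS))
    for sent, keys in segments_with_nagle(KEYSTROKES_MS, RTT_MS):
        print(f"t={sent:4d} ms  {len(keys)} byte(s) {keys}")
```

On the constructed trace Nagle cuts nine segments to four, but a keystroke typed 10 ms after the first one waits 90 ms for the ACK before it leaves the router. That trade is fine for a Telnet session and bad for anything that needs every packet out within a few milliseconds.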

Security of other devices
  • Firewalls, switches, …
  • Similar procedure
    • Check the default settings
    • ‘Harden’ the device before placing it into use in the production network.

Device Security Checklist
  ✓ Device security policy written, approved, distributed, and reviewed on a regular basis.
  ✓ Facilities (room, building, area) housing the devices secured (physical security).
  ✓ Password policies in place to ensure that good passwords are created that cannot be easily guessed or hacked.
  ✓ Password encryption used so that passwords are not visible when the device configuration is viewed.
  ✓ Access methods such as Console, VTY and AUX secured using ACLs and authentication mechanisms.
  ✓ Access methods such as SSH with AAA authentication chosen wisely.
  ✓ Unneeded services and protocols disabled.
  ✓ Unused interfaces shut down or disabled.
  ✓ Configuration hardened for network services and protocols in use (for example, HTTP and SNMP).
  ✓ Port and protocol needs of the network identified, and access lists used to limit traffic flow.
  ✓ Access lists for anti-spoofing and infrastructure protection, and for blocking reserved and private addresses, considered.
  ✓ Routing protocols established that use authentication mechanisms for integrity.
  ✓ Appropriate logging enabled with proper time information.
  ✓ Device’s time of day set accurately, maintained with NTP.

Security Baseline Checklist: Infrastructure Device Access
  • http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/appendxD.html