Cisco Equipment Security

Security in Cisco network elements (Seguridad en los elementos de red Cisco) © Rafael Vida, 2004

Upload: conferencias-fist

Posted on 27-Nov-2014

Page 1: Cisco Equipment Security

Security in Cisco Network Elements (Seguridad en los elementos de red Cisco)

© Rafael Vida, 2004

Page 2: Cisco Equipment Security

Index (I)

♦ Introduction
– General Situation
• Routers
• Security Policy
• Purpose of a router
• Basic Router Functional Architecture
– Protecting the Network with the Router

Page 3: Cisco Equipment Security

Index (II)

♦ Protecting the Router Itself
– Attacks on Routers
– Managing the Router
• SNMP
• SSH
– Security Policy for Cisco Routers

♦ Implementing Security: E-Policy
– AAA
• Remote Access
• Logins, Privileges, Passwords, and Accounts

Page 4: Cisco Equipment Security

Index (III)

♦ Filtering
– ACL
– CAR (Committed Access Rate)

♦ RAT (Router Audit Tool)

Page 5: Cisco Equipment Security

Introduction

Page 6: Cisco Equipment Security

Introduction

♦ Purpose of a router
– Directing packets, routing protocols
– Filtering: ACL
– Modifying packet headers: NAT, PAT

♦ Hardware
– CPU, memory:
• RAM, NVRAM, Flash, and ROM (PROM, EEPROM)
– No hard disk, floppy, CD-ROM, etc.

Page 7: Cisco Equipment Security

Introduction

[Figure: basic router functional architecture. A routing fabric connects Interface 0, Interface 1, ... Interface n to Network 0, Network 1, ... Network n; the CPU holds the configuration and is reached through the router console.]

Page 8: Cisco Equipment Security

Security Policy

Page 9: Cisco Equipment Security

Security Policy

♦ Router Security Layers
– Physical access
– Electrical access
– Administrative access
– Software access
– Routing protocols
– Management protocols
– Access to the networks that the router serves
– Network traffic
– Dynamic configuration
– Core static configuration
– Physical integrity

Page 10: Cisco Equipment Security

Security Policy: Checklist

♦ Physical Security
– Who is authorized to install, uninstall, move, etc.
– Making physical connections to the router
• Console and direct ports
• Recovery procedures

♦ Static Configuration
– Who is authorized to log into the router
– Roles
– Password policy
– Log policy
– Procedures and limits of use

Page 11: Cisco Equipment Security

Security Policy: Checklist

♦ Dynamic Configuration Security
– Services permitted in the router
– Routing protocols, clock (NTP)
– Procedures for key agreement and cryptographic algorithms

♦ Compromise Response
– ITO?, Netcool?, ...
– Response procedures, authorities, and objectives for response after a successful attack against the network
– Law

Page 12: Cisco Equipment Security

Security Policy: Checklist

♦ Network Service Security
– Procedures and roles for interactions with external service providers and maintenance technicians
– Protocols, ports, services, etc.

[Figure: network zones: Internet, DMZ, Management.]

Page 13: Cisco Equipment Security

Protecting networks and routers

Page 14: Cisco Equipment Security

Protecting the networks

♦ Router classification by functionality
– Internal routers
– Backbone
– Border (EDCs)

Page 15: Cisco Equipment Security

Protecting the router: Attacks

♦ Unauthorized access
♦ Session hijacking
♦ Rerouting
♦ DoS
♦ DDoS (!)
♦ SNMP attacks

Page 16: Cisco Equipment Security

Protecting the router: Managing

[Figure: firewall policy by management centre (Política de FW por Centro de Gestión). Elements: Central Management Centre (Centro de Gestión Central), FW, Local Management Centre (Centro de Gestión local), FW_CGPLAN_Cliente, FW_Cliente, EDCs, Central Point (Punto Central), firewall administered by the customer (FW Administrado por Cliente), PVCs, Service, Local Management. Traffic flows shown: accounting between EDCs and CGP: TACACS+, Telnet, TFTP, SNMP, ...; traffic between EDCs and Central Management: SNMP, Syslog, ICMP, ...; traffic between CGP and Central Management: SSH, office applications (Ofimática), Vantive, ...]

Page 17: Cisco Equipment Security

Protecting the router: Managing

♦ Local access only for emergencies. Audit.
♦ Telnet (?!) or SSH
♦ SNMP access
– Limit the connections, ACLs
♦ AAA:
– Logging and accounting: TACACS+
– Auditing
– Authorizing

Page 18: Cisco Equipment Security

Implementing: E-Policy

Cisco

Page 19: Cisco Equipment Security

Router Access Security

♦ Physical Security

♦ Software Upgrade
– Minimum 12.0.*
– Recommended 12.0.9

♦ Virtual interfaces: loopback

Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# interface loopback0
Central(config-if)# description Main loopback interface
Central(config-if)# ip address 14.2.11.250 255.255.255.255
Central(config-if)# end
Central#

Page 20: Cisco Equipment Security

Login Banners and motd

♦ Banner
– No network architecture information or router configuration details
– Example banner as deployed (Spanish legal notice): AVISO: ha accedido a un sistema propiedad de TELEFONICA. Necesita tener autorización antes de usarlo, estando usted estrictamente limitado al uso indicado en dicha autorización. El acceso no autorizado a este sistema o el uso indebido del mismo está prohibido y es contrario a la Política Corporativa de Seguridad y a la legislación vigente. Si usted revela información interna de TELEFONICA o de sus clientes sin previa autorización podrá estar incurriendo en una violación de la Normativa Corporativa, que podría incluso suponer la posible comisión de un delito o falta.
(In English: NOTICE: you have accessed a system owned by TELEFONICA. You need authorization before using it and are strictly limited to the use stated in that authorization. Unauthorized access to or misuse of this system is prohibited and contrary to the Corporate Security Policy and current legislation. Disclosing internal information of TELEFONICA or its customers without prior authorization may breach Corporate Rules and may even constitute a crime or offence.)

Page 21: Cisco Equipment Security

Login

♦ Console

Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# line con 0
Central(config-line)# transport input none
Central(config-line)# login local
Central(config-line)# exec-timeout 5 0
Central(config-line)# exit
Central(config)#

♦ VTYs and remote administration
♦ Privileges, 16 levels
♦ Different accounts
♦ service password-encryption
– ! SNMP, RADIUS, TACACS+, NTP, peer auth. keys
♦ Auxiliary port disabled

Page 22: Cisco Equipment Security

Remote Access

1. No remote: administration is performed on the console only.
2. Remote internal only with AAA: administration can be performed on the router from a trusted internal network only, and AAA is used for access control.
3. Remote internal only: administration can be performed on the router from the internal network only.
4. Remote external with AAA: administration can be performed with both internal and external connections and uses AAA for access control.
5. Remote external: administration can be performed with both internal and external connections.

Page 23: Cisco Equipment Security

AAA

♦ Authentication
– With SSH or IPsec

♦ Authorization
– Command by command. Anything not explicitly allowed is denied.

♦ Accounting
– Forensic analysis

♦ Keep the running configuration and startup configuration synchronized

♦ TFTP is dead

Page 24: Cisco Equipment Security

Services

Page 25: Cisco Equipment Security

Access Control List

♦ access-list list-number {deny | permit} source [source-wildcard] [log]

♦ access-list list-number {deny | permit} protocol source source-wildcard source-qualifiers destination destination-wildcard destination-qualifiers [log | log-input]

Page 26: Cisco Equipment Security

Defense

♦ Spoofing
– ACL

♦ TCP SYN attack

East(config)# ip tcp intercept list 107
East(config)# access-list 107 permit tcp any 14.2.6.0 0.0.0.255
East(config)# access-list 107 deny ip any any log
East(config)# interface eth 0/0
East(config-if)# description "External 10mb ethernet interface"
East(config-if)# ip access-group 107 in

Page 27: Cisco Equipment Security

Defense

♦ LAND attack

East(config)# access-list 100 deny ip host 14.1.1.20 host 14.1.1.20 log
East(config)# access-list 100 permit ip any any
East(config)# interface eth0/0
East(config-if)# description External interface to 14.1.0.0/16
East(config-if)# ip address 14.1.1.20 255.255.0.0
East(config-if)# ip access-group 100 in
East(config-if)# exit

♦ Smurf

East(config)# access-list 110 deny ip any host 14.2.6.255 log
East(config)# access-list 110 deny ip any host 14.2.6.0 log
East(config)# interface eth0/0
East(config-if)# ip access-group 110 in
East(config-if)# exit

Page 28: Cisco Equipment Security

Defense

♦ DDoS

! the TRINOO DDoS systems
access-list 170 deny tcp any any eq 27665 log
access-list 170 deny udp any any eq 31335 log
access-list 170 deny udp any any eq 27444 log
! the Stacheldraht DDoS system
access-list 170 deny tcp any any eq 16660 log
access-list 170 deny tcp any any eq 65000 log
! the TrinityV3 system
access-list 170 deny tcp any any eq 33270 log
access-list 170 deny tcp any any eq 39168 log
! the Subseven DDoS system and some variants
access-list 170 deny tcp any any range 6711 6712 log
access-list 170 deny tcp any any eq 6776 log
access-list 170 deny tcp any any eq 6669 log
access-list 170 deny tcp any any eq 2222 log
access-list 170 deny tcp any any eq 7000 log
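As an added example (not from the slides), the Python below evaluates packets against access lists written in the syntax of pages 25 to 28, so the effect of the LAND, smurf and DDoS lists can be checked offline. It models IOS ordering semantics (first match wins, implicit deny at the end) for a subset of the syntax; the sample list text is constructed from the slides' lists 100, 110 and 170, and the trailing "permit ip any any" entries on 110 and 170 are assumptions added here because the slides show only the deny lines.

```python
"""Minimal evaluator for IOS numbered access lists (added example, not from
the slides).  Semantics modelled: entries are tried in order, the first match
decides, and a list with no match denies (IOS's implicit deny).  Supported
subset: standard lists 1-99 (source only) and extended lists 100-199 with
ip/tcp/udp/icmp, 'any', 'host A.B.C.D', 'A.B.C.D wildcard' and a destination
port qualifier 'eq N' or 'range A B'.  'log', 'log-input', 'established' and
'syn' are accepted but do not affect matching here."""

import ipaddress
from dataclasses import dataclass

ANY = 0xFFFFFFFF            # wildcard with every bit set: matches anything


def _ip_int(text):
    return int(ipaddress.IPv4Address(text))


@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp" or "icmp"
    src: int
    src_wc: int              # wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wc: int
    dport: tuple = (0, 65535)   # inclusive destination port range
    log: bool = False


def _parse_addr(tokens):
    """Consume one address spec from tokens and return (address, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, ANY
    if t == "host":
        return _ip_int(tokens.pop(0)), 0
    return _ip_int(t), _ip_int(tokens.pop(0))


def parse_acl(lines):
    """Parse 'access-list N ...' lines into {list number: [Entry, ...]}."""
    acls = {}
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue                      # comments, blanks, other commands
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        log = "log" in rest or "log-input" in rest
        if number <= 99:                  # standard list: source only
            if rest[0] in ("any", "host"):
                src, src_wc = _parse_addr(rest)
            else:                         # bare address = host; optional wildcard
                src = _ip_int(rest.pop(0))
                src_wc = _ip_int(rest.pop(0)) if rest and rest[0][0].isdigit() else 0
            entry = Entry(action, "ip", src, src_wc, 0, ANY, log=log)
        else:                             # extended list
            proto = rest.pop(0)
            src, src_wc = _parse_addr(rest)
            dst, dst_wc = _parse_addr(rest)
            dport = (0, 65535)
            while rest:                   # destination qualifiers
                q = rest.pop(0)
                if q == "eq":
                    p = int(rest.pop(0))
                    dport = (p, p)
                elif q == "range":
                    dport = (int(rest.pop(0)), int(rest.pop(0)))
            entry = Entry(action, proto, src, src_wc, dst, dst_wc, dport, log)
        acls.setdefault(number, []).append(entry)
    return acls


def _match(addr, base, wc):
    """Wildcard compare: bits set in wc are ignored."""
    care = ~wc & ANY
    return (addr & care) == (base & care)


def evaluate(entries, proto, src, dst, dport=0):
    """Decide one packet; returns (action, matching Entry) or ('deny', None)."""
    s, d = _ip_int(src), _ip_int(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_match(s, e.src, e.src_wc) and _match(d, e.dst, e.dst_wc)):
            continue
        if e.proto in ("tcp", "udp") and not e.dport[0] <= dport <= e.dport[1]:
            continue
        return e.action, e
    return "deny", None                   # implicit deny at the end of every ACL


# Constructed from the slides' lists 100 (LAND), 110 (smurf) and 170 (DDoS
# control ports).  The 'permit ip any any' on 110 and 170 is an assumption
# added here; the slides show only the deny lines.
SAMPLE_ACL = """\
access-list 100 deny ip host 14.1.1.20 host 14.1.1.20 log
access-list 100 permit ip any any
access-list 110 deny ip any host 14.2.6.255 log
access-list 110 deny ip any host 14.2.6.0 log
access-list 110 permit ip any any
access-list 170 deny tcp any any eq 27665 log
access-list 170 deny udp any any eq 31335 log
access-list 170 deny tcp any any range 6711 6712 log
access-list 170 permit ip any any
""".splitlines()

ACLS = parse_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for num, proto, s, d, port in [(100, "tcp", "14.1.1.20", "14.1.1.20", 23),
                                   (110, "icmp", "200.1.1.1", "14.2.6.255", 0),
                                   (170, "tcp", "10.0.0.1", "14.2.6.9", 6712),
                                   (170, "tcp", "10.0.0.1", "14.2.6.9", 80)]:
        action, entry = evaluate(ACLS[num], proto, s, d, port)
        print(num, proto, s, "->", d, port, action, "" if entry else "(implicit)")
```

The point the evaluator makes visible is the implicit deny: list 170 exactly as printed on the slide contains only deny entries, so applied on its own it would block every packet on the interface, not just the listed ports. The `("deny", None)` result flags that case, which is why the sample adds a final permit.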

Page 29: Cisco Equipment Security

Committed Access Rate

♦ rate-limit {input | output} [access-group [rate-limit] acl] token-bit-rate burst-normal-size burst-excess-size conform-action action exceed-action action

♦ Example:

north(config)# no access-list 160
north(config)# access-list 160 deny tcp any any established
north(config)# access-list 160 permit tcp any any syn
north(config)# interface eth0/0
north(config-if)# rate-limit input access-group 160 64000 8000 8000 conform-action transmit exceed-action drop
north(config-if)# end
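To make the three numbers in the rate-limit command concrete, here is an added example (not from the slides) that simulates the page's "64000 8000 8000" policy on a constructed burst of TCP SYNs with a single token bucket. It is a simplification: the extended burst parameter and CAR's probabilistic dropping in the extended-burst region are not modelled, and the ACL match is reduced to a per-packet flag.

```python
"""Simplified model of the CAR rate-limit on page 29 (added example, not from
the slides).  One token bucket is refilled at the committed rate (bits/s) up
to the normal burst (bytes); a packet conforms if the bucket holds at least
its size.  The extended-burst parameter and CAR's probabilistic drop in that
region are NOT modelled: anything beyond the normal burst exceeds.  Only
packets matched by the access list (TCP SYNs, as in list 160) are limited."""

from dataclasses import dataclass


@dataclass
class Packet:
    time: float    # seconds since start (constructed timestamps)
    size: int      # bytes
    syn: bool      # True if matched by ACL 160 (permit tcp any any syn)


class TokenBucket:
    def __init__(self, rate_bps, burst_normal):
        self.rate_bytes = rate_bps / 8.0   # refill rate in bytes per second
        self.capacity = burst_normal
        self.tokens = float(burst_normal)  # bucket starts full
        self.last = 0.0

    def conform(self, now, size):
        """Refill for the elapsed time, then try to pay for the packet."""
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.rate_bytes)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def simulate(packets, rate_bps=64000, burst_normal=8000):
    """Apply 'rate-limit input access-group 160 <rate> <burst> ...
    conform-action transmit exceed-action drop' to a list of packets."""
    bucket = TokenBucket(rate_bps, burst_normal)
    counts = {"transmit": 0, "drop": 0, "unmatched": 0}
    for p in sorted(packets, key=lambda p: p.time):
        if not p.syn:
            counts["unmatched"] += 1          # not selected by the ACL: passes
        elif bucket.conform(p.time, p.size):
            counts["transmit"] += 1
        else:
            counts["drop"] += 1
    return counts


def syn_flood_sample():
    """Constructed traffic: 250 SYNs at t=0, 150 more at t=0.5 s, plus 20
    full-size segments of established connections (deny ... established
    keeps them out of the rate-limited class)."""
    pkts = [Packet(0.0, 40, True) for _ in range(250)]
    pkts += [Packet(0.5, 40, True) for _ in range(150)]
    pkts += [Packet(0.2, 1500, False) for _ in range(20)]
    return pkts


if __name__ == "__main__":
    print(simulate(syn_flood_sample()))
```

With 64 kbit/s and an 8000-byte normal burst, the first 200 40-byte SYNs pass immediately, then the bucket refills at 8000 bytes/s, i.e. roughly 200 SYNs per second sustained; everything beyond that is dropped while established-connection traffic is untouched.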

Page 30: Cisco Equipment Security

RAT

♦ SSH has been added to Level 2
♦ The user is given a choice between telnet and SSH
♦ Separate access control lists used for telnet and SSH
♦ "exec-timeout" increased to 10 minutes
♦ Comments about password reuse added
♦ Level 2 authentication now requires a local username
♦ The prohibition against local usernames in Level 2 was removed
♦ "no ip proxy-arp" moved to Level 2
♦ Allow egress filters to be applied on internal interfaces
♦ Documented preference for SNMP v3 if SNMP is used
♦ Rule to forbid SNMP without an ACL moved to Level 1
♦ Loopback rules refer the user to local policy
♦ Timestamp debug rule added to Level 1
♦ Added a note about line passwords being redundant
♦ User can now specify the AAA name-list variable ("default", "local_auth", ...). This was needed to support 12.3's "auto-secure" feature
♦ Exec timeout is now a maximum value for all lines (con 0, aux 0), not an exact value. This allows the rules to accommodate settings that are shorter/more restrictive without flagging an error
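The checks RAT applies are easier to understand as code, so here is an added example that is neither the slides' nor RAT's own code: a small Python audit of an IOS configuration text against a handful of the items the deck raises (service password-encryption and the console settings of page 21, SNMP communities without an ACL, "no ip proxy-arp", the 10-minute exec-timeout maximum and SSH-only VTY access from this page). The configuration it reads is constructed for the example and deliberately contains violations; the finding texts and the choice of which lines count as "disabled" are this example's assumptions, not RAT's rule definitions.

```python
"""Small audit of an IOS configuration against checks the slides mention
(added example; it is not RAT and uses none of RAT's rule files): service
password-encryption and the console settings of page 21, SNMP communities
without an ACL, 'no ip proxy-arp' on interfaces, the 10-minute exec-timeout
maximum and SSH-only VTY access from page 30.  SAMPLE_CONFIG is constructed
for this example and deliberately contains several violations."""

SAMPLE_CONFIG = """\
version 12.3
service timestamps debug datetime msec
no service password-encryption
hostname Central
!
banner motd ^C Authorized use only. Activity is logged. ^C
!
interface Loopback0
 description Main loopback interface
 ip address 14.2.11.250 255.255.255.255
!
interface Ethernet0/0
 ip address 14.1.1.20 255.255.0.0
 ip access-group 100 in
!
snmp-server community public RO
snmp-server community s3cret RW 20
!
line con 0
 login local
 exec-timeout 5 0
 transport input none
line aux 0
 transport input all
line vty 0 4
 exec-timeout 0 0
 login local
 transport input telnet ssh
"""


def parse_sections(config):
    """Split an IOS config into (top-level commands, [(header, [sub-commands])]).
    Indented lines belong to the preceding unindented command."""
    top, sections, current = [], [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            top.append(raw.strip())
            current = (raw.strip(), [])
            sections.append(current)
    return top, sections


def _audit_line(header, body):
    """Checks for one 'line con/aux/vty' block."""
    out = []
    kind = header.split()[1]
    timeout = next((l for l in body if l.startswith("exec-timeout")), None)
    if timeout:                              # absent = IOS default of 10 min
        parts = timeout.split()[1:]
        total = int(parts[0]) * 60 + (int(parts[1]) if len(parts) > 1 else 0)
        if total == 0:
            out.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
        elif total > 600:
            out.append(f"{header}: exec-timeout exceeds the 10 minute maximum")
    transport = next((l for l in body if l.startswith("transport input")), None)
    if kind == "aux":
        if "no exec" not in body and transport != "transport input none":
            out.append(f"{header}: auxiliary port is not disabled")
    elif kind == "vty":
        if (transport is None or "ssh" not in transport
                or "telnet" in transport or "all" in transport):
            out.append(f"{header}: remote access should be SSH only (transport input ssh)")
        if not any(l.startswith("access-class") for l in body):
            out.append(f"{header}: no access-class ACL limiting management sources")
    if kind in ("con", "vty") and not any(l.startswith("login") for l in body):
        out.append(f"{header}: no login configured")
    return out


def audit(config):
    """Return a list of human-readable findings for the given config text."""
    top, sections = parse_sections(config)
    findings = []
    if "service password-encryption" not in top:
        findings.append("global: service password-encryption is not enabled")
    if not any(l.startswith("service timestamps debug") for l in top):
        findings.append("global: debug timestamps are not enabled")
    if not any(l.startswith(("banner motd", "banner login")) for l in top):
        findings.append("global: no login banner configured")
    for l in top:
        if l.startswith("snmp-server community"):
            tokens = l.split()   # snmp-server community <string> [RO|RW] [acl]
            if len(tokens) == 3 or tokens[-1].upper() in ("RO", "RW"):
                findings.append(f"snmp: community '{tokens[2]}' has no access list")
    for header, body in sections:
        if header.startswith("interface ") and "Loopback" not in header:
            if "no ip proxy-arp" not in body:
                findings.append(f"{header}: ip proxy-arp not disabled")
        elif header.startswith("line "):
            findings.extend(_audit_line(header, body))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports seven findings: the missing service password-encryption, the SNMP community with no ACL, proxy-arp left enabled on Ethernet0/0, the auxiliary port still accepting input, and three on the VTY lines (no idle timeout, telnet still allowed, no access-class). The console line passes because it carries the page 21 settings.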

Page 31: Cisco Equipment Security

References

Books, RFCs, Links

Page 32: Cisco Equipment Security

References♦ Books

– Albritton, J. Cisco IOS Essentials, McGraw-Hill, 1999.

– Ballew, S.M., Managing IP Networks with Cisco Routers, O'Reilly & Associates, 1997.

– Chappell, L. Introduction to Cisco Router Configuration, Cisco Press, 1998.

– Chappell, L. (ed.) Advanced Cisco Router Configuration, Cisco Press, 1999.

– Perlman, R., Interconnections: Bridges and Routers, McGraw-Hill, 1992.

– Sackett, G., Cisco Router Handbook, McGraw-Hill, 1999.

– Held, G. and Hundley, K., Cisco Security Architectures, McGraw-Hill, 1999.

– Tanenbaum, A., Computer Networks, 2nd edition, Prentice-Hall, 1998.

♦ Papers
– "Internetworking Technology Overview", Cisco Systems, 1999. http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/
– "OSI Layer 3", Cisco Systems Brochure, Cisco Systems, 1997. http://www.cisco.com/warp/public/535/2.html
– "TCP/IP", Cisco Product Overview, Cisco Systems, 1997. http://www.cisco.com/warp/public/535/4.html

Page 33: Cisco Equipment Security

References♦ RFCs

– Postel, J., “User Datagram Protocol (UDP)”, RFC 768, 1980.

– Postel, J., “Internet Protocol (IP)”, RFC 791, 1981.

– Postel, J., “Transmission Control Protocol (TCP)”, RFC 793, 1981.

– Postel, J. and Braden, R., “Requirements for Internet Gateways”, RFC 1009, 1987.

– Socolofsky, T. and Kale, C., “A TCP/IP Tutorial”, RFC 1180, 1991.

– Malkin, G. and Parker T.L., “Internet User’s Glossary”, RFC 1392, 1993.

– Rekhter, Y. and Li, T., “An Architecture of IP Address Allocation with CIDR”, RFC 1518, 1993.

– Fuller, V., Li, T., Varadhan K., and Yu, J., "Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy", RFC 1519, 1993.

Page 34: Cisco Equipment Security

End

© Rafael Vida, [email protected]