Chapter 10 Security. A typical secured network Recognizing Security Threats 1- Application-layer...


Chapter 10 Security


A typical secured network


Recognizing Security Threats
1- Application-layer attacks
   Ex: http://www.companyname.com/scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:\
2- Autorooters
3- Backdoors
4- Denial of service (DoS) and distributed denial of service (DDoS) attacks
   • TCP SYN flood (SYN, SYN-ACK, & ACK)
   • Ping of death
   • Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K)
   • Stacheldraht
5- IP spoofing
6- Man-in-the-middle attacks (using a sniffer)
7- Network reconnaissance (port scans, DNS queries, and ping sweeps)
8- Packet sniffers
9- Password attacks (IP spoofing, packet sniffing, & Trojan horses)
10- Brute force attack
11- Port redirection attacks
12- Trojan horse attacks and viruses
13- Trust exploitation attacks
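The application-layer example above works by hiding a directory-traversal sequence behind URL encoding (..%5c is "..\"). The following Python detector is an added example, not part of the slides; it repeatedly percent-decodes a request path, treats backslashes as separators, and flags any path that climbs above the web root, so it can be run over constructed sample request paths such as the one on the slide.

```python
from urllib.parse import unquote

# Constructed sample request paths; the first is the pattern shown on the slide.
SAMPLE_PATHS = [
    "/scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:\\",
    "/scripts/%252e%252e/%252e%252e/winnt/system32/cmd.exe",  # double-encoded
    "/images/logo.png",
    "/docs/../docs/index.html",  # '..' that stays inside the web root
]

def decode_fully(path, max_rounds=3):
    """Percent-decode until the string stops changing, to defeat double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_webroot(request_path):
    """True if the decoded path climbs above the web root.

    The query string is dropped first. Backslashes are treated as separators
    because the slide's example uses %5c ('\\') to get past a naive '../' filter.
    """
    path = decode_fully(request_path.split("?", 1)[0]).replace("\\", "/")
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:  # climbed above the root: traversal
                return True
        else:
            depth += 1
    return False

def flag_requests(paths):
    """Return the request paths that look like traversal attempts."""
    return [p for p in paths if escapes_webroot(p)]

if __name__ == "__main__":
    for p in flag_requests(SAMPLE_PATHS):
        print("traversal:", p)
```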


Mitigating Security Threats
1- Cisco's IOS Firewall
• Stateful IOS Firewall inspection engine using Context-Based Access Control (CBAC)
• Intrusion detection
• Firewall voice traversal
• ICMP inspection
• Authentication proxy (RADIUS or TACACS+)

Router(config)#enable use-tacacs
Router(config)#tacacs-server ?
  host     Specify a TACACS server
  key      Set TACACS+ encryption key
  timeout  Time to wait for a TACACS server to reply
Router(config)#enable last-resort

• Destination URL policy management
• Per-user firewalls
• Cisco IOS router and firewall provisioning
• Denial of service (DoS) detection and prevention
• Dynamic port mapping
• Java applet blocking

2- Basic and Advanced Traffic Filtering
• Policy-based, multi-interface support
• Network Address Translation (NAT)
• Time-based access lists
• Peer router authentication (RIPv2, EIGRP, or OSPF)


Access Lists
1- Standard access lists
2- Extended access lists
3- Advanced access lists

a- Inbound access lists
b- Outbound access lists

Uses of Access Lists
• Traffic filtering
• Telnet (VTY) access filtering

General Tips
• Deny any addresses from your internal networks.
• Deny any local host addresses (127.0.0.0/8).
• Deny any reserved private addresses.
• Deny any addresses in the IP multicast address range (224.0.0.0/4).


Standard Access Lists
Syntax: Router(config)#access-list NO. Action Source

Router(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

Router(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment

Router(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

Router(config-if)#ip access-group 10 out (or in)


Wildcard Masking
Router(config)#access-list 10 deny 172.16.10.0 0.0.0.255
Router(config)#access-list 10 deny 172.16.0.0 0.0.255.255
Router(config)#access-list 10 deny 172.16.16.0 0.0.3.255

Controlling VTY (Telnet) Access
Router(config)#access-list 50 permit 172.16.10.3
Router(config)#line vty 0 4
Router(config-line)#access-class 50 in


Extended Access Lists
Syntax: Router(config)#access-list NO. Action Protocol Source Destination Condition Port no.

Ex:
Router(config)#access-list 110 permit tcp any host 172.16.30.2 eq 80
Router(config)#access-list 110 deny tcp any host 172.16.30.2 gt 1023
Router(config)#int s0
Router(config-if)#ip access-group 110 out
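To make the matching rules concrete, here is an added Python model (not from the slides or from IOS) of how the router evaluates an extended access list: wildcard-mask matching as on the Wildcard Masking slide, top-down first match, and the implicit deny at the end. Access list 110 is copied from the slide; the ANTISPOOF list and the test packets are constructed, the former from the General Tips on slide 5.

```python
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21}

def matches(addr, base, wildcard):
    """IOS wildcard test: every bit that is 0 in the wildcard must match exactly."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))

def parse_extended(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq|gt|lt PORT]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(line)
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, dst = parse_addr(rest), parse_addr(rest)
    cond = None
    if rest:  # optional port condition; names such as 'www' are accepted
        cond = (rest[0], PORT_NAMES.get(rest[1]) or int(rest[1]))
    return {"action": action, "proto": proto, "src": src, "dst": dst, "cond": cond}

def port_ok(cond, dport):
    if cond is None:
        return True
    op, p = cond
    return {"eq": dport == p, "gt": dport > p, "lt": dport < p}[op]

def evaluate(acl_lines, proto, src, dst, dport):
    """First matching entry wins; no match hits the implicit 'deny any' at the end."""
    for e in (parse_extended(ln) for ln in acl_lines):
        if (e["proto"] in (proto, "ip") and matches(src, *e["src"])
                and matches(dst, *e["dst"]) and port_ok(e["cond"], dport)):
            return e["action"]
    return "deny"

# ACL 110 is copied from the slide; ANTISPOOF is constructed from the slide 5 tips.
ACL_110 = ["access-list 110 permit tcp any host 172.16.30.2 eq 80",
           "access-list 110 deny tcp any host 172.16.30.2 gt 1023"]
ANTISPOOF = ["access-list 120 deny ip 127.0.0.0 0.255.255.255 any",
             "access-list 120 deny ip 224.0.0.0 15.255.255.255 any",
             "access-list 120 permit ip any any"]
```

Note that a TCP packet to 172.16.30.2 port 443 matches neither line of ACL 110 and is dropped by the implicit deny, which is the usual surprise when a list like this is applied.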


Access Lists Example


Advanced Access Lists
1- Named ACLs
2- Switch Port ACLs
3- Time-based ACLs

1- Named ACLs
Router(config)#ip access-list ?
  extended  Extended Access List
  logging   Control access list logging
  standard  Standard Access List

Router(config)#ip access-list standard BlockSales
Router(config-std-nacl)#deny 172.16.40.0 0.0.0.255
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit


2- Switch Port ACLs

Conditions
1- Inbound only.
2- Named only.

Syntax:
Switch(config)#mac access-list extended Name_of_list
Switch(config-ext-macl)#Action Source Destination

Ex:
Switch(config)#mac access-list extended Block_MAC_Sales
Switch(config-ext-macl)#deny any host 000d.29bd.4b85
Switch(config-ext-macl)#permit any any
Switch(config-ext-macl)#int f0/6
Switch(config-if)#mac access-group Block_MAC_Sales in


3- Time-Based ACLs
Router(config)#time-range no-http
Router(config-time-range)#periodic we?
  Wednesday  weekdays  weekend

Router(config-time-range)#periodic weekend ?
  hh:mm  Starting time

Router(config-time-range)#periodic weekend 06:00 to 12:00
Router(config-time-range)#exit
Router(config)#time-range tcp-yes
Router(config-time-range)#periodic weekend 06:00 to 12:00
Router(config-time-range)#exit

Router(config)#ip access-list extended Time
Router(config-ext-nacl)#deny tcp any any eq www time-range no-http
Router(config-ext-nacl)#permit tcp any any time-range tcp-yes

Router(config-ext-nacl)#interface f0/0
Router(config-if)#ip access-group Time in


Remarking Access Lists
Router#config t
Router(config)#access-list 110 remark Permit Bob from Sales Only To Finance
Router(config)#access-list 110 permit ip host 172.16.10.1 172.16.20.0 0.0.0.255
Router(config)#access-list 110 deny ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255


Using SSH instead of Telnet
1- Enable the HTTP/HTTPS server

Router(config)#ip http server
Router(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Router(config)#ip http authentication local

2- Create a user account using privilege level 15 (the highest level)

Router(config)#username cisco privilege ?
  <0-15>  User privilege level
Router(config)#username cisco privilege 15 password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password
Router(config)#username cisco privilege 15 password 0 cisco


3- Configure the console and the VTY lines (SSH and Telnet) for local login authentication with privilege level 15 access

Router(config)#line console 0
Router(config-line)#login local
Router(config-line)#exit
Router(config)#line vty 0 ?
  <1-1180>  Last Line number
  <cr>

Router(config)#line vty 0 1180
Router(config-line)#privilege level 15
Router(config-line)#login local
Router(config-line)#transport input telnet
Router(config-line)#transport input telnet ssh

Router(config-line)#^Z

Router#clock set 00:00:00 21 mar 2009


Viewing Access Lists
Router#show access-list
Router#show access-list 110
Router#show ip access-list
Router#show ip interface
Router#show running-config
Switch#show mac access-group