Fundamental IOS Security Features

Fundamental IOS Security Features BRKSEC-2017

Rama Darbha

Customer Support Engineer

CCIE #28006

© 2013 Cisco and/or its affiliates. All rights reserved. BRKSEC-2017 Cisco Public

About the Presenter

Rama Darbha Technical Assistance Center

– Firewall and VPN technology groups – 5 years experience in network security CCIE #28006, Security track Guest Lecturer at North Carolina State University Participant in IETF Operational Security group Areas of expertise

– IPv6 – Zone Based Firewall – Virtual Security


Agenda

Fundamental Security Features Control Plane Security

Data Plane Security

Protecting User Services

IPv6 Considerations

5


About the Presentation

What is not covered? – Zone Based Firewall (ZBFW) application inspection – Access Control Server (ACS) configuration – User Identity protection – Context Aware security – Scansafe Security Integration – Intrusion Prevention Systems – Advanced IPv6 security configuration

BRKSEC-3007 – Advanced Cisco IOS Security Features

6

Fundamental Security

7



Infrastructure security is the core of network security – Protecting devices which pass traffic

Securing network infrastructure

– Management security – Login security – User Security

Insurance: What to do in case something happens?

– Accounting and monitoring – IOS Resiliency

8


Management Security

• Controlling method of access for management

9


Login Methods

Why SSH over Telnet? – SSH encrypts data – Telnet is clear text Requirements for SSH

– RSA keypair must be created on router – IOS image must support encryption – Management application must support SSH access

10

line vty 0 4

transport input ssh


Restricting Management Access

Only allow trusted IP addresses for management connections Configure access-list (ACL) to restrict login access

Management plane security

11

ip access-list extended LOGIN_ACL

permit tcp host 10.1.1.100 any eq 22

!

line vty 0 4

access-class LOGIN_ACL in

transport input ssh

Router(config)# control-plane host

Router(config-cp-host)# management-interface Fastethernet0/0 allow ssh


Management Security Tiers

• Transport method

• VTY access control

• Management plane security

12

Login Security

13


Login Security

Banner on login prompts Password Security

Restrict connection attempts

14


Login Banner

15

Welcome to Cisco’s Router!

Unauthorized access is not allowed.


Configuring a Banner

Language matters – Requirements from legal department – Laws based on country and state The below example uses the ‘%’ symbol as the message delineator

16

Router(config)# banner login %

Enter TEXT message. End with the character ‘%’.

This is a LOGIN banner %

Router(config)# banner exec %

Enter TEXT message. End with the character ‘%’.

This is a EXEC banner %


Login Banner in Use

17

[User]$ telnet 10.1.1.1

**Unauthorized access to this network device is prohibited.** You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary action.

Username: cisco

Password: cisco

***By successfully logging in, you acknowledge that you have explicit permission to access and configure this device. You accept that all activities performed on this device are logged and violations of this policy may result in disciplinary action.

Router#

Warns user that they should back out now if they are not authorized to access the system.

Acknowledges that user has successfully logged in and is responsible for actions.

Password Security

18


Enhanced Password Security

500,000 devices on internet have default password of root Password Restriction

Password Encryption methods

1. Password Encryption service 2. SHA256/MD5 hash

19


Password Restriction

Cisco IOS routers do not restrict passwords by default Password restriction ensures local passwords adhere to the following rules

– Must contain characters from at least three of the following classes: 1. lowercase letters 2. uppercase letters 3. digits 4. special characters

– Cannot have a character repeated more than three times consecutively. – Cannot be the same as the associated username. – Cannot be variant of the word “cisco”.

20

Router(config)#aaa new-model

Router(config)#aaa password restriction


Password Encryption

Service encryption uses a Cisco proprietary encryption algorithm – Encryption is based on a Vigenere cipher – Weak security because is it a polyalphabetic substitution

21

Router(config)#enable password cisco Router#show run | include enable enable password cisco

Router(config)#service password-encryption Router#show run | include enable enable password 7 02050D480809


Service Password-Encryption

Below is a tool from the first hit on Google – Search term: cisco service password-encryption cracker

22


SHA/MD5 Password Protection

One way hash algorithm that is not reversible SHA256 is the default encryption for IOS routers (Starting in 15.0.1S)

23

Router(config)#enable secret ? 0 Specifies an UNENCRYPTED password will follow 4 Specifies an SHA256 ENCRYPTED secret will follow 5 Specifies an MD5 ENCRYPTED secret will follow LINE The UNENCRYPTED (cleartext) 'enable' secret level Set exec level password Router(config)#enable secret cisco

enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY enable password cisco

See Appendix for functionality


Password Cracking

ArsTechnica case study cracked 45% of a 17,000 hashed password list in 90

seconds using above technique SHA256/MD5 hashes are protected using a salt

– Salt is a random sequence of characters added to end of password before hash

24

Hashed Password

Word List

Algorithm

Unencrypted Password

HashCat


Access Control Server (ACS) Integration

Passwords are only as safe as their storage medium

ACS integration provides a centralized services to store passwords

Compromised configurations provide no insight into passwords

Configuring ACS server

25

See Appendix for configuration examples and best practices


One Time Passwords (OTP)

One time passwords are used to restrict access for temporary users – Introduced in 12.4 ACS OTP provides two tier authentication

– Use secure token to generate password – New password for login each session

26

Router(config)#username TAC one-time secret cisco

RSA Token Generator

RSA Token Password RSA Token

Cisco12345 457AE59H


Password Security Tiers

• Simple unencrypted password

• Hashed password (MD5/SHA256)

• Password restrictions

• Centralized storage of passwords (ACS)

• One time use passwords

27


Session Limits

Configuring restrictions on brute force attacks will mitigate the effectiveness of the attack by delaying success Login block for failed login attempts

28

Password Length Time to Crack

12 digit password 6 months

12 digit password + login restriction

758 billion years

See Appendix for configuration examples

login block-for 30 attempts 3 within 10


Login Security Tiers

• Management Access Restriction

• Login Banner

• Password Security

• Session Limits

29

User Security

30


Functionality Based User Security

31

View Configuration

Edit Configuration

Troubleshooting Commands

NOC

Admin

Contractor

TAC


Command Based User Security

32

Configure Interface

Configure Access Control

Configure Routing Protocols

Routing Protocols

Admin

Security


User EXEC Mode

• Privilege Level 0 • Can only enable

Privileged EXEC Mode

• Privilege Level 1 • View status of router

Global Configuration

Mode • Privilege Level 15 • Configuration commands

Privilege Levels

33

Router>

Router#

Router(config)#

See Appendix for complete configuration example


Changing Privilege Levels of Commands

34

Level 15

Level 7

Level 1

interface ethernet0/0 shutdown

username NOC



Role Based Access Control

Creates views so users can only view a subset of commands in the parser Provides more detailed control over CLI access Assigned views to each user with restriction

– Commands seen in parser – Commands allowed to be issued Superviews can be used to aggregate functionality

Introduced in 12.3(7)

35

parser view INTERN secret commands exec include show version commands exec include show



Remote Command Authorization

Centralized server to verify commands before execution – User gets command authorization set based on device – Scalable solution for large network environments Router will communicate with ACS to verify command before execution

36

Will IOS allow user issue command?

• Privilege level of user and command

• Local command authorization

Is the user authorized to run the command?

• ACS server command list

• Remote command authorization



User Security Tiers

• Privilege Levels

• Role Based Access Control

• ACS Command Authorization

37


Insurance

If router is compromised – How to mitigate the impact? – Restore device back to last known working condition? Mitigating the impact of configuration changes

– Configuration Archive – IOS Resiliency Tracking down the source of the change

– Command Accounting

38


Configuration Backup and Rollback

Stores configuration periodically to destination location Force a configuration archive

Rollback configuration

Introduced 12.3(7)T

39

archive path disk0:myconfig_backup maximum 5 time-period 1440

Router# configure replace disk0:myconfig_backup-<date>

Router# archive configuration


Saves a copy of the running-config and system image onto local storage – This is called the primary bootset – Primary bootset can be used to restore a previous image and config Feature can only be disabled by a console session

– Can be initially enabled via any CLI session

Introduced in 12.3(8)T

IOS Resiliency

40

Running Config

System Image Primary Bootset



Network Accounting

Log command history to location – Local archive – ACS Tracks configuration changes

– Per-session – Per-user Introduced 12.4(11)T

41


archive log config logging enable logging size 200 hidekeys notify syslog

Router#show archive log config all idx sess user@line Logged command 1 8 NOC@vty0 |interface Ethernet0/2 2 8 NOC@vty0 | shutdown


Configuration Change Security Tiers

• Configuration Archive

• IOS Resiliency

• Network Accounting

42

Control Plane Security

43


Control Plane Diagram

44

Aggregate Control Plane

Host

Transit

CEF Exception

Queue Threshold Port Filter Policing

Policing

Policing

Inpu

t For

war

ding

Pat

h


Control Plane Policing (CPP)

Rate limit traffic to CPU using quality of service (QoS) policy

Protect against control plane oversubscription

45

Actions for

traffic

Permit

Rate Limit Drop


Control Plane Protection (CoPPr)

46

See Appendix for additional information

Aggregate Control Plane

Host • Traffic destined to

the router • Management • Routing Protocols • Tunnel Traffic

Transit • Traffic traversing

router

CEF Exception • Traffic redirected to

RP • Features that require

additional processing • Packets with special

attributes


Control Plane Protection Example

Problem – Router receiving too much traffic to process on non-listening ports Solution

– Preemptively drop all traffic destined to closed ports Router should only process traffic to open ports

– Services for management – Services for monitoring – Ephemeral ports opened for applications

47

Internet Map of Closed Ports


Control Plane Protection Port Filtering

48

class-map type port-filter match-all PORTFILTER_CMAP match closed-ports ! policy-map type port-filter PORTFILTER_PMAP class PORTFILTER_CMAP drop ! control-plane host service-policy type port-filter input PORTFILTER_PMAP

Match all closed ports

Drop any traffic to a closed port

Apply to host subinterface


Control Plane Protection

Only telnet is enabled on the router

Traffic destined to any other port on the router will be early dropped – Before CPU processing

Viewing Open Ports

49

Router#show control-plane host open-ports Active internet connections (servers and established) Prot Local Address Foreign Address Service State tcp *:23 *:0 Telnet LISTEN



Control Plane Security Tiers

• Aggregate Control Plane

• Control Plane Subinterface

• Network Addressing/Design

50

Data Plane Security

51


Data Plane Security

52

Client

Ethernet0/0 Ethernet0/1

HTTP

SMTP

SMTP Server HTTP Server

Internet

FTP

HTTP

SMTP SMTP


Access Groups and ACLs

53

Webserver Client ?

ip access-list extended OUT_TO_IN permit tcp any eq 80 host Client interface Ethernet0/1 ip access-group name OUT_TO_IN in

?


ip access-list extended IN_TO_OUT permit tcp host Client any eq 80 interface Ethernet0/0 ip access-group name IN_TO_OUT in

Attacker


Firewall

54

Webserver Client

TRUSTED UNTRUSTED

SMTP Server SMTP

Internet

HTTP

Attacker


Zone Based Firewall

55

Guest

Servers

Internet Inside

See Appendix for explanation of functionality

zone-member INSIDE ! Interface Ethernet0/0 zone-member security INSIDE

zone-member GUEST ! Interface Ethernet0/1 zone-member security GUEST


Zone Based Firewall

Identify Traffic using class-map

• Access-list • Protocol

Apply action using

policy-map

• Inspect • Drop • Pass

Bind to zones using

zone-pair • Service policy applied traffic • Apply action to traffic

Configuration Theory

56


Zone Based Firewall

Identify Traffic using class-map

Apply action using

policy-map

Bind to zones using

zone-pair

Configuration Theory

57

policy-map type inspect INSIDE_OUTBOUND_PMAP class INSIDE_OUTBOUND_CMAP inspect

zone-pair security IN2OUT source INSIDE destination OUTSIDE service-policy type inspect INSIDE_OUTBOUND_PMAP

class-map type inspect match-all INSIDE_OUTBOUND_CMAP match protocol http match access-list 100



Datapath Security Tiers

• Access-groups

• Stateful Firewall

• User-Identity Firewall

• Context Aware 58

Protecting User Services

59


Attack Security

60

Denial of Service Attack

TCP SYN Flood

IP Fragmentation Attack

Tiny Fragment

Overlapping Fragment

Buffer Overflow

Spoofing Attack

ICMP Flood


Identifying Attack Vector

61

config# show access-list 100 Extended IP access list 100

permit icmp any any echo (2 matches) permit icmp any any echo-reply (2 matches) permit tcp any any eq www (21374 matches) Permit udp any any (15 matches) permit ip any any (45 matches)


Router(config)# interface Ethernet0/1 Router(config-if)# ip access-group 100 in Router(config-if)# ip flow ingress


Tracking Source of DoS attacks

62

Router# show ip cache flow ... Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec) -------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow TCP-WWW 255 0.0 1 64 255.0 4.0 15.5 ... SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts Et0/1 203.0.113.102 Et0/0 10.1.1.10 17 CDF7 0050 1 Et0/1 203.0.113.103 Et0/0 10.1.1.10 17 CDF7 0050 1 Et0/1 203.0.113.104 Et0/0 10.1.1.10 17 CDF7 0050 1 Et0/1 203.0.113.105 Et0/0 10.1.1.10 17 CDF7 0050 1 ...


DoS Attack Mitigation

63


SYN Flood Attack Mitigation using TCP Intercept

64

Intercept Mode

SYN

ACK SYN+ACK

SYN

ACK SYN+ACK

SYN

ACK SYN+ACK

RST RST

Watch Mode



IP Fragmentation Attacks

65

Data

TCP Header IP Header

TCP Header

Data TCP Header IP Header

Fragment 1 Data TCP Header IP Header

Fragment 2 Data IP Header

IP Header

Fragment 1 Data TCP Header IP Header

Fragment 2 Data IP Header

Tiny Fragment

Overlapping Fragments

Buffer Overflow

Original Packet

Buffer


IP Fragmentation Attack Mitigation Fragments keyword in ACL

66

ip access-list extended FRAGMENTS_ACL deny ip any host 192.168.1.100 fragments permit tcp any host 192.168.1.100 eq 80 deny ip any any



Fragment 1 Data TCP Header

Fragment 2 Data

IP Header

IP Header


Spoofing Attacks Unicast Reverse Path Forwarding

67

Packet

Src Dst

Router# show ip route C 10.1.1.0/24 directly connected, Ethernet0/0 C 192.168.1.0/24 directly connected, Ethernet0/1 S 20.1.1.0/24 via Ethernet0/0


20.1.1.100 10.1.1.200


Fundamental IPv6 Security

68


IPv6 Address Scope

/24 2^8 256 2^104 20.282 x 10^30

/16 2^16 65536 2^112 5.192 x 10^33

mask IPv4 IPv6


ICMPv6 Permissions

ICMPv6 is mandatory in IPv6 – Used for infrastructure control – Error notification responses ACL that drop ICMPv4 must be altered to allow ICMPv6

ICMPv6 functionality in IPv6

– Neighbour Discovery – Stateless Address Assignment – Path Maximum Transmission Unit Discovery (pMTUd)

70


Neighbour Discovery

Functionality is to assess reachability of neighbours Maps Layer 3 IPv6 address to Layer 2 MAC address Also used for Duplicate Address Detection (DAD)

71

IPv4 IPv6 ARP Request Neighbour Solicitation

Broadcast Solicited Node Multicast ARP Reply Neighbour Advertisement

Unicast Unicast


Stateful DHCP

DHCPv6 server will allocate one or more IPv6 addresses or prefixes to a DHCPv6 client

DHCP options can be provided to client – DNS server – Domain name

DHCPv6 server maintains state

Stores the leased IPv6 addresses and lease details in its database

Two messages are used – INFORMATION-REQUEST – REPLY

DHCPv6 server only provides configuration information – DNS server – Domain name

Assumption: – Client will acquire IPv6 address

through other means

72

Stateless DHCP (SLAAC)


Summary of Security Best Practices

Control management access to trusted IPs and interfaces Use login banner as notification tool Configure secure passwords stored on a centralized server Control authenticated user movement by using command authorization Archive configurations for insurance Enforce command accounting to track changes on device Protect control plane by rate limiting or dropping traffic to CPU Configure firewall to protect user services Implement attack security features based on network vulnerabilities Be aware of differences in IPv6 networks

73


Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Cisco Daily Challenge

points for each session evaluation you complete. Complete your session evaluation

online now through either the mobile app or internet kiosk stations.

Note: This slide is now a Layout choice

74

Appendix

76


Type 4 versus Type 5 vulnerability

Password-Based Key Derivation Function version 2 (PBKDF2) – Hash algorithm = SHA-256 – Password = the user-provided plaintext password – Salt = 80 bits (generated by calling a cryptographically secure random number

generator) – Iteration count = 1,000 (one thousand) Due to an implementation issue, the Type 4 password algorithm does not use

PBKDF2 and does not use a salt, but instead performs a single iteration of SHA-256 over the user-provided plaintext password. This approach causes a Type 4 password to be less resilient to brute-force attacks than a Type 5 password of equivalent complexity.

77


ACS Integration

Configure ACS server information on IOS router

Create authentication list to use ACS server

Apply authentication list to management sessions

Configuration Example

78

Router(config)#tacacs server MYTACACS Router(config-server-tacacs)# address ipv4 10.1.1.100 Router(config-server-tacacs)# key Cisco12345

Router(config)#aaa authentication login MANAGEMENT group TACACS local

Router(config)#line vty 0 4 Router(config-line)#login authentication MANAGEMENT


ACS Integration

Local fallback ensures that the router is still accessible when ACS is unavailable

Test ACS configuration before applying to avoid being locked out of the router

Using a reliable source interface will ensure that consistent access to ACS server

Best Practices

79

Router#test aaa group MYTACACS username password new-code User Rejected

Router(config)#ip tacacs source-interface Loopback0

Router(config)#aaa authentication login MANAGEMENT group TACACS local


Example on login blocking and timeouts

Login block configuration Session timeouts

80

line vty 0 4

login authentication MANAGEMENT

transport input telnet

login block-for 30 attempts 3 within 10

line vty 0 4

exec-timeout 5


Changing Privilege Levels of Commands

Commands can be moved down to different privilege levels – Provide restricted configuration access User NOC can shut and no shut interfaces

– Cannot configure any interface features

81

username NOC privilege 7 secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J. ! privilege interface all level 7 shutdown privilege interface all level 7 no shutdown privilege configure level 7 interface privilege exec level 7 configure terminal


Assigning Privilege Levels

82

aaa new-model

!

username admin privilege 15 secret 4 tnhtc92DXBhelxjYk8LWJrPV362i4ntXrpb4RFmfqY

username NOC privilege 1 secret 4 tnhtc92DXBhelxjYk8LWJrPV362i4ntXrpb4RFmfqY

!

aaa authentication login AUTHENTICATION_MANAGEMENT local

aaa authorization exec AUTHORIZATION_MANAGEMENT local

!

line vty 0 4

login authentication AUTHENTICATION_MANAGEMENT

authorization exec AUTHORIZATION_MANAGEMENT


Privilege Levels in Use

83


Trying 10.1.1.1...

Connected to 10.1.1.1

Escape character is '^]'.

This is the LOGIN banner

Username: NOC

Password:

This is the EXEC banner

Router> show privilege

Current privilege level is 1


Trying 10.1.1.1...

Connected to 10.1.1.1

Escape character is '^]'.

This is the LOGIN banner

Username: admin

Password:

This is the EXEC banner

Router# show privilege

Current privilege level is 15


Role Based Access Control Configuration Example

84

parser view INTERN secret commands exec include show version commands exec include show ! parser view NOC secret commands interface include shutdown commands configure include interface commands configure include interface FastEthernet0/1 commands exec include configure terminal commands exec include configure ! parser view ADMIN superview secret view INTERN view NOC


Role Based Access Control

Apply the view setting to the username to force that user into that view

User authorization must be enabled

User Setup

85

username DAFFY privilege 15 view NOC secret DUCK

aaa new-model ! aaa authorization exec EXEC_AUTHORIZATION_LIST local


ACS Command Authorization

ACS authentication must be enabled so users are correctly mapped Router will communicate with ACS to verify command before execution

This provides scalability

– Same users can be allowed the same commands on all devices

86

aaa new-model ! aaa authentication login default group tacacs+ local ! aaa authorization exec default group tacacs+ local aaa authorization commands 0 default group tacacs+ local aaa authorization commands 1 default group tacacs+ local aaa authorization commands 15 default group tacacs+ local aaa authorization config-commands


IOS Resiliency

From console session From telnet session

87

Router(config)#secure boot-config

*Feb 25 18:56:18.458: %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive

[disk0:.runcfg-20130225-185618.ar]

Router(config)#no secure boot-config

*Feb 25 18:56:24.745: %IOS_RESILIENCE-5-CONFIG_RESIL_INACTIVE: Disabled secure config archival [removed disk0:.runcfg-20130225-185618.ar]

Router(config)#no secure boot-config

%You must be logged on the console to apply this command


Network Accounting

Configure router to send command accounting history to ACS

Configuration Example

88

aaa new-model

!

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+



aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+



Cisco IOS can automate security implementation

AutoSecure – Secures a router by using a single CLI command – Disables common IP services that can be exploited – Enables IP services and features to defend the network

AutoSecure can be enabled per feature or all features

AutoSecure

89


AutoSecure Feature Options

90

Router#auto secure ? firewall AutoSecure Firewall forwarding Secure Forwarding Plane full Interactive full session of AutoSecure login AutoSecure Login management Secure Management Plane no-interact Non-interactive session of AutoSecure ntp AutoSecure NTP ssh AutoSecure SSH tcp-intercept AutoSecure TCP Intercept <cr>


AutoSecure Securing Login

91

Router#auto secure login Gathering information about the router for AutoSecure Enter the new enable password: Confirm the enable password: Configuration of local user database Enter the username: cisco Enter the password: Configuring AAA local authentication Configuring console, Aux and vty lines for local authentication, exec-timeout, transport Securing device against Login Attacks Configure the following parameters Blocking Period when Login Attack detected: 30 Maximum Login failures with the device: 3 Maximum time period for crossing the failed login attempts: 10


AutoSecure Login configuration

92

enable password 7 02250D4808095E731F1A5C username cisco password 7 02250D4808095E731F1A5C aaa new-model aaa authentication login local_auth local ! line vty 0 4 login authentication local_auth transport input telnet login block-for 30 attempts 3 within 10 ! end


Control Plane Protection (CoPPr)

Extends protection against DoS attacks on infrastructure routers by providing a mechanism for finer policing of control plane traffic that allows you to rate-limit each type individually

Provides a mechanism for early dropping of packets that are directed to closed or nonlistened Cisco IOS TCP/UDP ports

Provides ability to limit protocol queue usage such that no single protocol flood can overwhelm the input interface

Provides QoS control for packets that are destined to the control plane of Cisco routers

Provides better platform reliability, security, and availability

Provides CPU protection so it can be used for important jobs, such as routing

Benefits

93


Control Plane Protection Monitoring Drops

94

Router#show control-plane counters Feature Path Packets processed/dropped/errors Aggregate 3/0/0 Host 3/3/0 Transit 0/0/0 Cef-exception 0/0/0

Router#show control-plane host counters Control plane host path counters : Feature Packets Processed/Dropped/Errors -------------------------------------------------------- TCP/UDP Portfilter 3/3/0 --------------------------------------------------------


Control Plane Protection Monitoring Drops

95

Router#show policy-map type port-filter control-plane all Control Plane Host Service-policy port-filter input: PORTFILTER_PMAP Class-map: PORTFILTER_CMAP (match-all) 3 packets, 180 bytes 5 minute offered rate 0000 bps, drop rate 0000 bps Match: closed-ports drop Class-map: class-default (match-any) 0 packets, 0 bytes 5 minute offered rate 0000 bps, drop rate 0000 bps Match: any


Infrastructure Security

Infrastructure can be protected if attackers cannot access it – draft-ietf-opsec-lla-only-03

Applying link local addresses to infrastructure links reduces attacks surface – Infrastructure links can only be attacked from the local link

Loopback addresses are configured with Global Unique Addresses – Allows ICMP error response packets – Only Loopback address needs to be secured

IPv6 Consideration

96


IPv6 Link Local Only Example

97

2001:DB8:100::/64 2001:DB8:200::/64

FE80::100 FE80::300

FE80::101 FE80::301

FE80::201 FE80::200


Zone Based Firewall

Current IOS firewall solution

Scalable deployment capability – Class-maps that match traffic can be reused in multiple policies

Security policies are applied to zones and not to interfaces – Reduces redundant configuration for same interfaces

Zones are applied to various router interfaces to control traffic – Integrates well with VTI VPN solutions

Each zone pair has its own security policy – Granular control with traffic directionality

BRKSEC-3007 – Advanced Cisco IOS Security Features

Overview

98


TCP Intercept

TCP intercept is enabled because the one minute rate exceeded 1500

embryonic connection attempts

TCP Intercept was disabled because the one minute rate fell below 900

embryonic connection attempts

99

access-list 101 permit any ! ip tcp intercept list 101 ip tcp intercept mode intercept ip tcp intercept drop-mode random ip tcp intercept max-incomplete low 2000 high 3000 ip tcp intercept one-minute low 1000 high 1500

Jan 1 12:00:01 EST: %TCP-6-INTERCEPT: getting aggressive, count (2700/3000) 1 min 100

Jan 1 12:05:01 EST: %TCP-6-INTERCEPT: calming down, count (1800/2000) 1 min 900

http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&counter=0&paging=5&links=reference&index=all&query=TCP-6-INTERCEPT

http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&counter=0&paging=5&links=reference&index=all&query=TCP-6-INTERCEPT


ZBFW configuration example

100

Zone security INSIDE Zone security OUTSIDE ! Interface Ethernet0/0 zone-member security INSIDE Interface Ethernet0/1 zone-member security OUTSIDE ! class-map type inspect INSIDE_OUTBOUND_CMAP match protocol http ! policy-map type inspect INSIDE_OUTBOUND_PMAP class INSIDE_OUTBOUND_CMAP inspect ! zone-pair security IN2OUT source INSIDE destination OUTSIDE service-policy type inspect INSIDE_OUTBOUND_PMAP


IP Fragmentation Attack Mitigation

Enabling VFR

Restricting the number of concurrent IP datagrams

Limiting the number of fragments per IP datagram

Drop all IP fragments

IP Virtual Fragment Reassembly (VFR) Configuration

101

Router(config)# interface Ethernet0/0 Router(config-if)# ip virtual-reassembly in max-reassemblies 64

Router(config)# interface Ethernet0/0 Router(config-if)# ip virtual-reassembly in

Router(config)# interface Ethernet0/0 Router(config-if)# ip virtual-reassembly in max-fragments 16

Router(config)# interface Ethernet0/0 Router(config-if)# ip virtual-reassembly in drop-fragments


IP Fragmentation Attack Mitigation

Basic features of enabling VFR

Max-reassemblies – Maximum number of concurrent IP datagrams that can be reassembled

Max-fragments – Maximum number of fragments for the same IP datagram

Drop-fragments – Drops all fragments

IP Virtual Fragment Reassembly (VFR) Logs

102

VFR-4_FRAG_TABLE_OVERFLOW

VFR-4_TOO_MANY_FRAGMENTS

VFR-3-OVERLAP_FRAGMENT

VFR-3-TINY_FRAGMENTS


Spoofing Attack Mitigation

Strict mode – The source address is in the Forwarding Information Base (FIB) and reachable only

through the interface on which the packet was received

Loose mode – If the source address is in the FIB and reachable through any interface on the router – Used for asymmetric routing or multi-homed ISP connections

uRPF configuration example

103

Router(config)# interface Ethernet0/1 Router(config-if)# ip verify unicast source reachable-via rx

Router(config)# interface Ethernet0/1 Router(config-if)# ip verify unicast source reachable-via any


uRPF Advanced Features

Old configuration (DO NOT USE) Above command was replaced by below command in 12.0(15)S

Cisco Express Forwarding (CEF) must be enabled (on by default)

Allow default route for uRPF verification

104

Router(config)# ip cef

Router(config)# interface Ethernet0/0 Router(config-if)# ip verify unicast source reachable-via allow-default

Router(config)# interface Ethernet0/0 Router(config-if)# ip verify unicast reserve-path

Router(config)# interface Ethernet0/0 Router(config-if)# ip verify unicast source reachable-via [rx|any]


Stateful Address Assignment

Centralized server performs all addressing tasks – Assigns IP addresses – Keeps track of Client to address

mapping – Provides additional network

information – DNS server – Default gateway

Examples of Stateful Address protocols – DHCP

Client dynamically takes on addressing tasks – Chooses own IP address

– EUI-64

– DAD used to avoid address duplication

– Additional network information not provided by default

– Provided by supporting server

Examples of Stateless Address protocols – SLAAC (StateLess Address

AutoConfiguration)

Stateless Address Assignment

Fundamental IOS Security Features

Documents

Transcript of Fundamental IOS Security Features