Security Practices in IOS (transcript of a Cisco presentation slide deck)

Slide 1. © 2001, Cisco Systems, Inc. All rights reserved. PS-543 3029_05_2001_c1

Security Best Practices in Cisco IOS® and Other Techniques to Help your Network Survive in Today's Internet/Extranet Environments

Mike Peeters, SE Toronto

Slide 2. Safe Security

• SAFE Blueprint

• Understanding Today's Threats and Vulnerabilities

• Securing the Router

• Securing the Routing Protocols

• Limiting the Impact of DoS Attacks

• In Conclusion

Slide 3. The Network of Five Years Ago

Figure: a closed network whose remote sites are reached over PSTN, Frame Relay, X.25 and leased lines.

Slide 4.

Legacy Security Solutions

• Most security designed when networks were simple and static

• Primarily single-point products (access-control) with no network integration or intelligence

• Such legacy products are still seen as default security solutions (a “cure-all”)

• Today, there are serious drawbacks to relying on such “overlay” security to protect sophisticated networks and services

Slide 5. Case in Point…

Internet connections have dramatically increased as a frequent point of attack (from 59% in 2000 to 70% in 2001).

Of those organizations reporting attacks, we learn:

• 27% say they don't know if there had been unauthorized access or misuse

• 21% reported from two to five incidents in one year

• 58% reported ten or more incidents in a single year – something isn't working!

Source: Computer Security Institute & FBI Report, March 2001

Slide 6.

Code Red and Nimda Worm Impacts

• Rapid penetration and propagation through existing security solutions

• Extensive impact; expensive recovery

• Exploited existing and known vulnerabilities, and bypassed legacy security devices

• Could be prevented and mitigated


Slide 7. Impact of Recent Worms

• Major computer company (Code Red/Nimda): $9 million for remediation; 12,000 IT hours for Code Red; 6,500 IT hours for Nimda

• Multibillion-dollar financial institution (Nimda): 75% of core routers down at any given time; lost trading server for half a day ($13 million impact)

Important Lesson Learned: Security Needs to Be Designed and Implemented Around, In and Through the Network

Slide 8.

The Network Today

Slide 9.

Today’s Threats

• Attackers are taking advantage of complex networks and sophisticated Internet services

• In this environment, everything is a target: Routers, Switches, Hosts, Networks (local and remote), Applications, Operating Systems, Security Devices, Remote Users, Business Partners, Extranets, etc.

• Threats to today’s networks are not addressed by most legacy security products

• In fact, there is no single security device which can protect all of these targets

Slide 10. SAFE Security Blueprint

• Integrates security and network issues

• Includes specific configurations for Cisco and partner solutions

• Based on existing, shipping capabilities

• Over 3,000 hours of lab testing

• Currently, five SAFE white papers: SAFE for Enterprise, SAFE for SMB, SAFE Blueprint for IP Telephony, Wireless LAN Security in Depth, SAFE for VPNs

Slide 11. SAFE: Securing E-Business

Figure: the SAFE enterprise modules (Management, Building, Distribution, Core, Edge, Server, E-Commerce, Corporate Internet, VPN/Remote Access, WAN) and the external networks they connect to (ISP, PSTN, FR/ATM).

Slide 12. Defense-in-Depth

Figure: the security building blocks (Identity, Secure Connectivity, Perimeter Security, Security Monitoring, Security Management) and the technologies behind them (Firewalls, VPN, IDS/Scanning, Authentication, Policy).

• Integration – into network infrastructure: compatibility with network services

• Integration – functional interoperability: intelligent interaction between elements

• Convergence – with other technology initiatives: mobility/wireless, IP telephony, voice/video-enabled VPNs

Slide 13. Understanding Today's Threats and Vulnerabilities

Slide 14. Classes of Attacks

• Reconnaissance: unauthorized discovery and mapping of systems, services, or vulnerabilities

• Access: unauthorized data manipulation, system access, or privilege escalation

• Denial of Service: disable or corrupt networks, systems, or services

Slide 15.

Reconnaissance Methods

• Common commands and administrative utilities

nslookup, ping, netcat, telnet, finger, rpcinfo, file explorer, srvinfo, dumpacl

• Public tools

Sniffers, SATAN, SAINT, NMAP, custom scripts

Slide 16. nmap

• Network Mapper is a utility for port scanning large networks. Scan types:

TCP connect() scanning; TCP SYN (half open) scanning; TCP FIN, Xmas, or NULL (stealth) scanning; TCP ftp proxy (bounce attack) scanning; SYN/FIN scanning using IP fragments (bypasses some packet filters); TCP ACK and window scanning; UDP raw ICMP port unreachable scanning; ICMP scanning (ping-sweep); TCP ping scanning; direct (non-portmapper) RPC scanning; remote OS identification by TCP/IP fingerprinting (nearly 500)

Slide 17. nmap

• nmap {Scan Type(s)} [Options] <host or net list>

• Example:

my-unix-host% nmap -sT my-router

Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
Interesting ports on my-router.example.com (10.12.192.1)
(The 1521 ports scanned but not shown below are in state closed)
Port    State   Service
21/tcp  open    ftp
22/tcp  open    ssh
23/tcp  open    telnet
25/tcp  open    smtp
37/tcp  open    time
80/tcp  open    http

Slide 18. Access Methods

• Exploiting passwords: brute force; cracking tools

• Exploit poorly configured or managed services: anonymous ftp, tftp, remote registry access, NIS, …; trust relationships (rlogin, rexec, …); IP source routing; file sharing (NFS, Windows file sharing)

Slide 19. Access Methods (Cont.)

• Exploit application holes: mishandled input data (access outside application domain, buffer overflows, race conditions)

• Protocol weaknesses: fragmentation, TCP session hijacking

• Trojan horses: programs that plant a backdoor into a host

Slide 20. IP Packet Format

Figure: IPv4 header layout (bit positions 0, 15, 16, 31 across the top), one 32-bit word per row:

4-Bit Version | 4-Bit Header Length | 8-Bit Type of Service (TOS) | 16-Bit Total Length (In Bytes)
16-Bit Identification | 3-Bit Flags | 13-Bit Fragment Offset
8-Bit Time to Live (TTL) | 8-Bit Protocol | 16-Bit Header Checksum
32-Bit Source IP Address
32-Bit Destination IP Address
Options (If Any)
Data

Slide 21. IP Spoofing

Figure: hosts A, B and C on a network with an Attacker. The attacker's packets to A carry B's source address ("Hi, My Name Is B").

Slide 22. IP: Normal Routing

Figure: hosts A, B, C attached to routers Ra, Rb, Rc. Routing is based on routing tables: "B, C via Ra" (at A), "B via Rb, C via Rc" (at Ra), "A, C via Ra, B via Ethernet" (at Rb). A packet A -> B is forwarded hop by hop by these table lookups.

Slide 23. IP: Source Routing

Figure: the same topology, but routing is based on the IP datagram option. A sends "A -> B via Ra, Rb" and the packet follows that path even where a router's table says "B Unknown, C via Rc".

Slide 24. IP Unwanted Routing

Figure: Intranet host A, DMZ host B and Internet host C, with routers R1 (between Intranet and DMZ) and R2 (between DMZ and Internet). Routing tables shown: "A Unknown, B via Internet"; "A via Intranet, B via DMZ, C Unknown"; "A Unknown, B via DMZ"; "A Unknown, B via R1". A source-routed packet "C -> A via R1, R2" still reaches A, although no table outside the Intranet knows A.

Slide 25. IP Unwanted Routing (Cont.)

Figure: Intranet host B also has a dialup PPP connection to the Internet and is acting as a router. Routing tables shown: "A Unknown, B via Internet"; "A via Ethernet, C via PPP"; "A Unknown, B via PPP". A source-routed packet "C -> A via B" enters the Intranet through B.

Slide 26. IP Spoofing Using Source Routing

Figure: hosts A, B, C behind routers Ra, Rb, Rc; A trusts B ("B Is a Friend: Allow Access"). C sends packets carrying B's source address with the source route "B -> A via C, Rc, Ra". Back traffic uses the same source route, so A's replies "A -> B via Ra, Rc, C" are delivered to C instead of B.

Slide 27. TCP Packet Format

Figure: TCP header layout (bit positions 0, 15, 16, 31 across the top), one 32-bit word per row:

16-Bit Source Port Number | 16-Bit Destination Port Number
32-Bit Sequence Number
32-Bit Acknowledgment Number
4-Bit Header Length | Reserved (6 Bits) | URG ACK PSH RST SYN FIN | 16-Bit Window Size
16-Bit TCP Checksum | 16-Bit Urgent Pointer
TCP Options
Data

Slide 28. TCP Connection Establishment

Figure: exchange between B (client) and A (server):

B -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb)
B -> A: flags=ACK, seq=(Sb,Sa)
A -> B: flags=ACK, seq=(Sb,Sa), data="Username:"

Slide 29. TCP Blind Spoofing

Figure: C, masquerading as B, talks to A:

C (as B) -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb)   (C never sees this reply)
C (as B) -> A: flags=ACK, seq=(Sb,Sa)   (C guesses Sa)
A -> B: flags=ACK, seq=(Sb,Sa), data="Username:"
C (as B) -> A: flags=ACK, seq=(Sa+9,Sb), data="myname"

A believes the connection comes from B and starts the application (e.g. rlogin).

Slide 30.

TCP Blind Spoofing (Cont.)

• C masquerades as B

• A believes the connection is coming from trusted B

• C does not see the back traffic

• For this to work, the real B must not be up, and C must be able to guess A’s sequence number

Slide 31. TCP Session Hijacking

Figure: B initiates a connection with A and is authenticated by the application on A; C, masquerading as B, guesses Sa and Sb and inserts invalid data:

B -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb)
B -> A: flags=ACK, seq=(Sb,Sa)
A -> B: "Password:", seq=(Sb,Sa)
B -> A: "Xyzzy", seq=(Sa+9,Sb)
C (as B) -> A: "delete *", seq=(Sb+5,Sa+9)

Slide 32.

IP Normal Fragmentation

• IP largest data is 65,535 == 2^16-1

• IP fragments a large datagram into smaller datagrams to fit the MTU

• Fragments are identified by fragment offset field

• Destination host reassembles the original datagram

Slide 33. IP Normal Fragmentation (Cont.)

Figure (each box is IP Header + IP Data; TL = total length, FO = fragment offset):

Before fragmentation: TL=1300, FO=0, data length 1280

After fragmentation (MTU = 500):
  TL=500, FO=0, data length 480
  TL=500, FO=480, data length 480
  TL=340, FO=960, data length 320

Slide 34. IP Normal Reassembly

Figure: received from the network (out of order): TL=500, FO=480 (data length 480); TL=340, FO=960 (data length 320); TL=500, FO=0 (data length 480). Kernel memory at the destination host holds a 65,535-byte reassembly buffer into which each fragment's data is copied at its offset.

Slide 35.

IP Reassembly Attack

• Send invalid IP datagram

• Fragment offset + fragment size > 65,535

• Usually containing ICMP echo request (ping)

• Not limited to ping of death!

Slide 36. IP Reassembly Attack (Cont.)

Figure: received from the network: 64 IP fragments with data length 1000 (TL=1020), from FO=0 … up to the last one with TL=1020, FO=65000. Kernel memory at the destination host: the 65,535-byte reassembly buffer. BUG: Buffer Exceeded (65000 + 1000 > 65,535).
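The fragmentation on the "IP Normal Fragmentation" slides and the bounds check a reassembler needs against the "IP Reassembly Attack" datagram, as an added Python example (not part of the Cisco deck). The numbers (20-byte header, 1280 data bytes, MTU 500, the FO=65000 fragment) are the slides' own; the Fragment type and function names are this example's.

```python
from dataclasses import dataclass
from typing import List

IP_HEADER_LEN = 20
MAX_DATAGRAM = 65535   # largest IP total length, 2^16 - 1 (the reassembly buffer size)
FRAG_UNIT = 8          # the 13-bit fragment offset field counts 8-byte units


@dataclass(frozen=True)
class Fragment:
    total_length: int    # TL: header plus the data carried by this fragment
    frag_offset: int     # FO: where this fragment's data sits in the original datagram (bytes)
    more_fragments: bool  # MF flag: False only on the last fragment

    @property
    def data_length(self) -> int:
        return self.total_length - IP_HEADER_LEN


def fragment(data_length: int, mtu: int) -> List[Fragment]:
    """Split a datagram carrying data_length bytes into fragments that fit the MTU.
    Every fragment except the last carries a multiple of 8 data bytes."""
    if data_length + IP_HEADER_LEN > MAX_DATAGRAM:
        raise ValueError("datagram larger than 65,535 bytes")
    per_fragment = ((mtu - IP_HEADER_LEN) // FRAG_UNIT) * FRAG_UNIT
    fragments, offset = [], 0
    while offset < data_length:
        chunk = min(per_fragment, data_length - offset)
        last = offset + chunk == data_length
        fragments.append(Fragment(IP_HEADER_LEN + chunk, offset, not last))
        offset += chunk
    return fragments


class ReassemblyError(ValueError):
    pass


def check_fragment(frag: Fragment) -> None:
    """The check a reassembler must make before copying data into its buffer:
    offset + size may never run past the 65,535-byte datagram limit."""
    if frag.frag_offset % FRAG_UNIT:
        raise ReassemblyError("fragment offset is not a multiple of 8")
    if frag.more_fragments and frag.data_length % FRAG_UNIT:
        raise ReassemblyError("non-final fragment data length is not a multiple of 8")
    end = IP_HEADER_LEN + frag.frag_offset + frag.data_length
    if end > MAX_DATAGRAM:
        raise ReassemblyError(
            f"fragment at offset {frag.frag_offset} with {frag.data_length} data bytes "
            f"would end at byte {end}, beyond the {MAX_DATAGRAM}-byte reassembly buffer")


def reassemble(fragments: List[Fragment]) -> int:
    """Reassemble in offset order; return the original data length or raise."""
    covered, total = 0, None
    for frag in sorted(fragments, key=lambda f: f.frag_offset):
        check_fragment(frag)
        if frag.frag_offset != covered:
            raise ReassemblyError(f"gap or overlap at offset {frag.frag_offset}")
        covered += frag.data_length
        if not frag.more_fragments:
            total = covered
    if total is None:
        raise ReassemblyError("final fragment (MF=0) never arrived")
    return total


def reassembly_ok(fragments: List[Fragment]) -> bool:
    try:
        reassemble(fragments)
        return True
    except ReassemblyError:
        return False


if __name__ == "__main__":
    # Slide 33: 1280 data bytes over MTU 500 -> TL 500/500/340 at FO 0/480/960
    normal = fragment(1280, 500)
    for f in normal:
        print(f"TL={f.total_length}, FO={f.frag_offset}, data length {f.data_length}")
    print("reassembled data length:", reassemble(normal))
    # Slide 36: a constructed attack set ending with TL=1020, FO=65000
    attack = [Fragment(1020, i * 1000, True) for i in range(65)] + [Fragment(1020, 65000, False)]
    print("attack set accepted:", reassembly_ok(attack))
```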

Slide 37. SYN Attack

Figure: C, masquerading as B, sends flags=SYN, seq=(Sb,?) to A. A replies flags=SYN+ACK, seq=(Sa,Sb) and allocates a kernel resource for handling the starting connection. No answer from B … 120 sec timeout … free the resource. Repeated at volume this is a denial of service: kernel resources exhausted.

Slide 38. SMURF Attack

Figure: directed broadcast PING. The attacker sends ICMP REQ D=160.154.5.255 S=172.18.1.2 (the victim's address as source) to the broadcast address of the 160.154.5.0 network; every host there answers the victim: ICMP REPLY D=172.18.1.2 S=160.154.5.10, S=160.154.5.11, S=160.154.5.12, S=160.154.5.13, S=160.154.5.14, … The attempt is to overwhelm the WAN link to the destination.

Slide 39. DDoS Step 1: Find Vulnerable Hosts

Figure: the attacker uses reconnaissance tools to locate vulnerable hosts to be used as masters and daemon agents.

Slide 40. DDoS Step 2: Install Software on Masters and Agents

1. Use master and agent programs on all cracked hosts

2. Create a hierarchical covert control channel using innocent-looking ICMP packets whose payload contains DDoS commands; some DDoS tools further encrypt the payload...

Figure: attacker -> innocent masters -> innocent daemon agents.

Slide 41. DDoS Step 3: Launch the Attack

Figure: the attacker sends "Attack Alice NOW!" to the innocent masters, which relay it to the innocent daemon agents; the victim is A.

Slide 42. Securing the Router

Slide 43. Passwords

• Physical access to the console port means no password is needed upon reboot

• Telnet: the enable password should be different from the login password

• SNMP: community strings are transmitted in the clear (v1, v2)

• Passwords/community strings are stored in clear text on TFTP servers (no service config)

• Use good passwords

Slide 44. Passwords

• Understand the different password protection mechanisms:

service password-encryption
enable password 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
line con 0
 password 7 00071A150754

• 5 => MD5 protection; cannot be decrypted

• 7 => Cisco proprietary encryption method

• Use TACACS+/RADIUS for authentication

Beware: even passwords that are encrypted in the configuration are not encrypted on the wire as an administrator logs into the router.

Slide 45. SNMP

snmp-server community <string> <view> RO/RW <ACL>
Use views and ACLs to prevent unauthorized access.

snmp-server host <ip> <string>
Use snmp-server host for trap forwarding and authentication of traps.

snmp-server trap-source <>
Use the source interface to uniquely identify a device.

Slide 46.

SNMP:

• Change your community strings! Do not use public, private, secret!

• Use different community strings for the RO and RW communities.

• Use mixed alphanumeric characters in the community strings: SNMP community strings can be cracked, too!

Slide 48.

SNMP Version 3:

• SNMP V3 integrated in routers and switches.

• HP OpenView has plugin for SNMP v3.

• Cisco Enterprise Network Management has at this time no plans to support SNMP version 3. We advise people to use IPsec, to accomplish a secure connection.

Slide 49. Transaction Records

• How do you tell when someone is attempting to access your router?

• Consider some form of audit trail: the syslog feature; SNMP traps and alarms; TACACS+, RADIUS, Kerberos, or third-party solutions like one-time password token cards

Slide 50. Configuring Syslog on a Router

• To log messages to a syslog server host, use the logging global configuration commands:

logging host
logging trap level

• To log to the internal buffer, use:

logging buffered size

• To source the log events from a common address:

logging source-interface e0/1

Slide 51. Global Services You Turn On

• Add the timestamping service facility for logs:

service timestamps log datetime localtime show-timezone msec

• Add the encryption service facility for console and VTY passwords:

service password-encryption

Slide 52. Setting NTP

ntp server 192.168.41.40
ntp server 192.168.41.41
ntp source Ethernet0/1
service timestamps log datetime localtime show-timezone
service timestamps debug datetime localtime show-timezone
clock timezone EST -5
clock summer-time EDT recurring

Slide 53. Global Services You Turn OFF

• Some services turned on by default (< IOS 12.x) should be turned off to save memory and prevent security breaches/attacks:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
no ip bootp server

Slide 54. Global Services You Turn OFF (Cont.)

• Check these services as well:

no ip source-route
no mop enabled
no ip rsh-enable
no ip rcmd rcp-enable
no ip identd
no ip http server

Slide 55. Interface Services You Turn OFF

• All interfaces on an Internet-facing router should have the following as a default:

no ip redirects
no ip directed-broadcast
no ip proxy-arp

Slide 56. Cisco Discovery Protocol

• Lets network administrators discover neighbouring Cisco equipment, model numbers and software versions

• Should not be activated on any public-facing interface (IXP, customer, upstream ISP) unless part of the peering agreement

• Disable per interface:

no cdp enable

Slide 57. Cisco Discovery Protocol

Defiant#show cdp neighbors detail
-------------------------
Device ID: Excalabur
Entry address(es):
  IP address: 4.1.2.1
Platform: cisco RSP2,  Capabilities: Router
Interface: FastEthernet1/1,  Port ID (outgoing port): FastEthernet4/1/0
Holdtime : 154 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-K3PV-M), Version 12.0(9.5)S, EARLY DEPLOYMENT MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Fri 03-Mar-00 19:28 by htseng

Slide 58.

Login Banner

• Use a good login banner, or nothing at all:

banner login ^

Authorised access only

Disconnect IMMEDIATELY if you are not an authorised user!^

Slide 59. Use Enable Secret

• Encryption '7' on a Cisco is reversible

• The "enable secret" password is encrypted via a one-way algorithm:

enable secret <removed>
no enable password
service password-encryption

Slide 60. VTY and Console Port Timeouts

• The default idle timeout on async ports is 10 minutes 0 seconds:

exec-timeout 10 0

• A timeout of 0 means a permanent connection

• TCP keepalives on incoming network connections kill unused connections:

service tcp-keepalives-in

Slide 61.

VTY Security

• Access to VTYs should be controlled, not left open; consoles should be used for last resort admin only:

access-list 3 permit 215.17.1.0 0.0.0.255

access-list 3 deny any

line vty 0 4

access-class 3 in

exec-timeout 5 0

transport input telnet ssh

transport output none

transport preferred none

password 7 045802150C2E

Slide 62. VTY Security

• Use more robust ACLs with the logging feature to spot the probes on your network:

access-list 199 permit tcp 1.2.3.0 0.0.0.255 any
access-list 199 permit tcp 1.2.4.0 0.0.0.255 any
access-list 199 deny tcp any any range 0 65535 log
access-list 199 deny ip any any log

Slide 63. VTY Access and SSHv1

• Secure shell supported from IOS 12.1

• Obtain, load and run appropriate crypto images on the router

• Set up SSH on the router:

Beta7200(config)#crypto key generate rsa

• Add it as an input transport:

line vty 0 4
 transport input telnet ssh

Slide 64. User Authentication

• Account per user, with passwords:

aaa new-model
aaa authentication login neteng local
username joe password 7 1104181051B1
username jim password 7 0317B21895FE
line vty 0 4
 login authentication neteng
 access-class 3 in

• Username/password is more resistant to attack than a plain password

Slide 65. User Authentication

• Use a distributed authentication system:

aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa accounting exec start-stop tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 215.17.1.1
tacacs-server key CKr3t#
line vty 0 4
 access-class 3 in

Slide 66. User Authentication

TACACS+ provides a detailed audit trail of what is happening on the network devices:

User-Name  Group  cmd                                                     priv-lvl  service  NAS-Portname  task_id  NAS-IP-reason
bgreene    NOC    enable <cr>                                             0         shell    tty0          4        210.210.51.224
bgreene    NOC    exit <cr>                                               0         shell    tty0          5        210.210.51.224
bgreene    NOC    no aaa accounting exec Workshop <cr>                    0         shell    tty0          6        210.210.51.224
bgreene    NOC    exit <cr>                                               0         shell    tty0          8        210.210.51.224
pfs        NOC    enable <cr>                                             0         shell    tty0          11       210.210.51.224
pfs        NOC    exit <cr>                                               0         shell    tty0          12       210.210.51.224
bgreene    NOC    enable <cr>                                             0         shell    tty0          14       210.210.51.224
bgreene    NOC    show accounting <cr>                                    15        shell    tty0          16       210.210.51.224
bgreene    NOC    write terminal <cr>                                     15        shell    tty0          17       210.210.51.224
bgreene    NOC    configure <cr>                                          15        shell    tty0          18       210.210.51.224
bgreene    NOC    exit <cr>                                               0         shell    tty0          20       210.210.51.224
bgreene    NOC    write terminal <cr>                                     15        shell    tty0          21       210.210.51.224
bgreene    NOC    configure <cr>                                          15        shell    tty0          22       210.210.51.224
bgreene    NOC    aaa new-model <cr>                                      15        shell    tty0          23       210.210.51.224
bgreene    NOC    aaa authorization commands 0 default tacacs+ none <cr>  15        shell    tty0          24       210.210.51.224
bgreene    NOC    exit <cr>                                               0         shell    tty0          25       210.210.51.224
bgreene    NOC    ping <cr>                                               15        shell    tty0          32       210.210.51.224
bgreene    NOC    show running-config <cr>                                15        shell    tty66         35       210.210.51.224
bgreene    NOC    router ospf 210 <cr>                                    15        shell    tty66         45       210.210.51.224
bgreene    NOC    debug ip ospf events <cr>                               15        shell    tty66         46       210.210.51.224

Slide 67. Source Routing

• IP has a provision to allow the source IP host to specify the route through the Internet

• Turn this off unless it is specifically required:

no ip source-route

Slide 68. ICMP Unreachable Overload

• All routers that use any static route to Null0 should configure no ip unreachables on that interface:

interface Null0
 no ip unreachables
!
ip route <dest to drop> <mask> Null0

Slide 69. Securing the Routing Protocol

Slide 70. Routing Protocol Security

• Routing protocols can be attacked: denial of service; smoke screens; false information; rerouted packets

May be accidental or intentional

Slide 71. Secure Routing: Route Authentication

Figure: two campus routers configured for routing authentication. The sender signs its route updates; the receiver verifies the signature on each route update. This certifies the authenticity of the neighbor and the integrity of the route updates.

Slide 72. Signature Generation

Figure (Router A): the route updates are passed through the hash function; the encrypted hash is the signature (Signature = Encrypted Hash of Routing Update). Router A sends the route updates together with the signature.

Slide 73. Signature Verification

Figure (Router B): the receiving router separates the routing update and the signature. It decrypts the signature using the preconfigured key, re-hashes the routing update with the hash function and compares the two hashes. If the hashes are equal, the signature is authentic.

Slide 74.

Route Authentication

• Authenticates routing update packets

• Shared key included in routing updates

Plain text—Protects against accidental problems only

Message Digest 5 (MD5)—Protects against accidental and intentional problems

Slide 75. OSPF Route Authentication

• OSPF area authentication has two types: simple password and message digest (MD5)

Simple password:
ip ospf authentication-key key (under the specific interface)
area area-id authentication (under "router ospf <process-id>")

Message digest:
ip ospf message-digest-key keyid md5 key (under the interface)
area area-id authentication message-digest (under "router ospf <process-id>")

Slide 76. OSPF and Authentication Example

• OSPF:

interface ethernet1
 ip address 10.1.1.1 255.255.255.0
 ip ospf message-digest-key 100 md5 cisco
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 area 0 authentication message-digest
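What the message-digest key above actually does on the wire, as an added Python example (not from the Cisco deck): the signature generation and verification of slides 72 and 73 for OSPFv2 cryptographic authentication as specified in RFC 2328 Appendix D, the digest being MD5 over the packet followed by the key zero-padded to 16 bytes. Key id 100 and key "cisco" are taken from the configuration; the Hello packet contents, the router ids and every function name are this example's assumptions.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_CRYPTOGRAPHIC = 2   # AuType 2: cryptographic (MD5) authentication
DIGEST_LEN = 16
KEY_LEN = 16             # keys shorter than 16 bytes are zero-padded before hashing


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def hello_body() -> bytes:
    """Constructed Hello body for 10.1.1.0/24: network mask, hello interval 10,
    options, router priority 1, dead interval 40, DR 10.1.1.1, BDR 0.0.0.0."""
    return struct.pack("!4sHBBI4s4s", _ip("255.255.255.0"), 10, 0x02, 1, 40,
                       _ip("10.1.1.1"), _ip("0.0.0.0"))


def ospf_packet(ptype: int, router_id: str, area_id: str, body: bytes,
                key_id: int, crypt_seq: int) -> bytes:
    """OSPFv2 header (24 bytes) + body prepared for AuType 2. With cryptographic
    authentication the header checksum stays zero and the 64-bit authentication
    field carries 0, key id, digest length and a cryptographic sequence number
    (the sequence number is what keeps a captured update from being replayed)."""
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, ptype, 24 + len(body),
                         _ip(router_id), _ip(area_id), 0, AUTH_CRYPTOGRAPHIC)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, crypt_seq)
    return header + auth + body


def sign(packet: bytes, key: str) -> bytes:
    """Signature generation (RFC 2328 D.4.3): MD5(packet || key padded to 16 bytes).
    The 16-byte digest is appended after the packet and is not counted in the
    OSPF length field, only in the IP length."""
    padded = key.encode()[:KEY_LEN].ljust(KEY_LEN, b"\x00")
    return packet + hashlib.md5(packet + padded).digest()


def verify(signed: bytes, keys: Dict[int, str]) -> bool:
    """Signature verification: separate packet and digest, pick the key by the key
    id carried in the header, re-hash and compare in constant time."""
    if len(signed) < 24 + DIGEST_LEN:
        return False
    ospf_len = struct.unpack("!H", signed[2:4])[0]
    if ospf_len + DIGEST_LEN != len(signed):
        return False
    packet, digest = signed[:ospf_len], signed[ospf_len:]
    autype = struct.unpack("!H", packet[14:16])[0]
    key_id, auth_len = packet[18], packet[19]
    if autype != AUTH_CRYPTOGRAPHIC or auth_len != DIGEST_LEN or key_id not in keys:
        return False
    expected = sign(packet, keys[key_id])[ospf_len:]
    return hmac.compare_digest(expected, digest)


def demo() -> Tuple[bool, bool, bool]:
    """Router A signs a Hello with key id 100 / key 'cisco'; router B, holding the
    same key, accepts it, rejects a copy with one flipped bit in the body, and
    rejects a copy signed with a guessed key."""
    keys_on_b = {100: "cisco"}
    update = ospf_packet(OSPF_HELLO, "10.1.1.1", "0.0.0.0", hello_body(), 100, 1)
    signed = sign(update, "cisco")
    tampered = bytearray(signed)
    tampered[28] ^= 0x01                      # inside the Hello interval field
    forged = sign(update, "guess")
    return (verify(signed, keys_on_b),
            verify(bytes(tampered), keys_on_b),
            verify(forged, keys_on_b))


if __name__ == "__main__":
    print("genuine, tampered, wrong key ->", demo())
```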

Slide 77. What Ports Are Open on the Router?

• It may be useful to see what sockets/ports are open on the router

• show ip sockets

7206-UUNET-SJ#show ip sockets
Proto  Remote           Port  Local            Port  In  Out  Stat  TTY  OutputIF
17     192.190.224.195  162   204.178.123.178  2168  0   0    0     0
17     --listen--             204.178.123.178  67    0   0    9     0
17     0.0.0.0          123   204.178.123.178  123   0   0    1     0
17     0.0.0.0          0     204.178.123.178  161   0   0    1     0

Slide 78. Securing the Network

Slide 79.

Securing the Network

• Route filtering

• Packet filtering

• Rate limits

Slide 80. Ingress Filters—Inbound Traffic

Figure: a Customer Network connected to ISP A and ISP B. Ingress filters act on traffic coming into a network from an ISP or another customer.

Slide 81. Egress Filters—Outbound Traffic

Figure: the same Customer Network, ISP A and ISP B. Egress filters act on traffic going out of the network from another ISP or customer.

Slide 82. Route Filtering

Slide 83.

Ingress and Egress Route Filtering

• Quick review

0.0.0.0/8 and 0.0.0.0/32—Default and broadcast

127.0.0.0/8—Host loopback

192.0.2.0/24—TEST-NET for documentation

10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16—RFC 1918 private addresses

169.254.0.0/16—End node auto-config for DHCP

Slide 84.

Ingress and Egress Route Filtering

• Two flavors of route filtering:

Distribute list—Widely used

Prefix list—Increasingly used (BGP only)

• Both work fine—Engineering preference

Slide 85. Packet Filtering

© 2001, Cisco Systems, Inc. All rights reserved. 86PS-5433029_05_2001_c1

Ingress and Egress Packet Filtering

You should not be sending any IP packets out to the Internet with a source address other than the addresses that have been allocated to your network!


Packet Filtering

• Static access list on the edge of the network

• Dynamic access list with AAA profiles

• Unicast RPF


Ingress Packet Filtering: Customer Edge

[Figure: Internet, Customer Edge router (Serial 0/1), Customer Backbone 165.21.0.0/16 with customer subnets 165.21.20.0/24, 165.21.61.0/24, 165.21.19.0/24 and 165.21.10.0/24]

Deny source address 165.21.0.0/16 (or 165.21.X.0/16, depending on the customer’s IP address block)

Filter applied on downstream aggregation and NAS routers

Ex. Packets with a source address of 165.21.10.1 would be blocked on the interface going to that customer


ICMP Filtering

Summary of message types (RFC 792: INTERNET CONTROL MESSAGE PROTOCOL)

0 Echo Reply
3 Destination Unreachable
4 Source Quench
5 Redirect
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply

ICMP codes are not shown

Extended access list: access-list 101 permit icmp any any <type> <code>

no ip redirects (IOS will not accept)

no ip unreachables (IOS will not send)


Inbound Packet Filtering

• Filter packets with internal addresses as source to prevent IP spoofing attacks

• Filter packets with RFC-reserved addresses as source to prevent IP address spoofing attacks

• Filter bootp, TFTP, SNMP, and traceroute as incoming to protect against remote access and reconnaissance attacks

• Allow incoming pings to the external interface of the perimeter router only from the ISP host.

• Permit DNS requests to the DMZ server on the bastion host (TCP port 53, not UDP port 53)


Egress Packet Filtering: Customer Edge

[Figure: Internet, Customer Edge router (Serial 0/1), Customer Backbone 165.21.0.0/16 with customer subnets 165.21.20.0/24, 165.21.61.0/24, 165.21.19.0/24 and 165.21.10.0/24]

Allow source address 165.21.X.0/16 (depending on the IP address block allocated to the customer)

Block source addresses from all other networks

Filter applied on downstream aggregation and NAS routers

Ex. Packets with a source address of 10.1.1.1 would be blocked


Outbound Packet Filtering

• Only allow packets with valid internal addresses as source to prevent IP spoofing attacks

• Filter packets with RFC-reserved addresses as source to prevent IP address spoofing attacks
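The Customer Edge slides and the two bullet lists describe the inbound and outbound source-address filters in words. The following is an added example, not the deck's or Cisco's code: a first-match access-list evaluator (implicit deny at the end, as in IOS) built for the customer block the slides use, 165.21.0.0/16, with the RFC-reserved ranges from the route-filtering review as extra deny entries on the inbound side. The packets it is run over are constructed sample data; the outside address 204.178.123.178 is borrowed from the show ip sockets slide only as a plausible non-customer source.

```python
# Added example: inbound and outbound source-address filtering at the edge.
import ipaddress
from typing import List, NamedTuple

CUSTOMER_BLOCK = ipaddress.ip_network("165.21.0.0/16")

# Source ranges that should never arrive from the Internet (deck's review list).
RFC_RESERVED = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

ANY = ipaddress.ip_network("0.0.0.0/0")


class Rule(NamedTuple):
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network  # source range the rule matches
    note: str                   # why the rule exists (for reporting)


def inbound_acl() -> List[Rule]:
    """Applied inbound on the Internet-facing interface: packets from outside
    must not claim a customer address or an RFC-reserved address as source."""
    rules = [Rule("deny", CUSTOMER_BLOCK, "spoofed internal source")]
    rules += [Rule("deny", n, "RFC-reserved source") for n in RFC_RESERVED]
    rules.append(Rule("permit", ANY, "everything else"))
    return rules


def outbound_acl() -> List[Rule]:
    """Applied toward the Internet: only the customer's own addresses may leave."""
    return [Rule("permit", CUSTOMER_BLOCK, "valid internal source")]


def evaluate(acl: List[Rule], src_ip: str) -> Rule:
    """First matching rule wins; an access list ends with an implicit deny any."""
    ip = ipaddress.ip_address(src_ip)
    for rule in acl:
        if ip in rule.src:
            return rule
    return Rule("deny", ANY, "implicit deny")


def filter_packets(acl: List[Rule], sources: List[str]):
    """Return (forwarded, dropped) lists of source addresses."""
    forwarded, dropped = [], []
    for s in sources:
        (forwarded if evaluate(acl, s).action == "permit" else dropped).append(s)
    return forwarded, dropped


# Constructed sample traffic.
FROM_INTERNET = ["165.21.10.1", "10.1.1.1", "192.0.2.9", "204.178.123.178"]
FROM_CUSTOMER = ["165.21.10.1", "165.21.61.200", "10.1.1.1", "192.168.1.5"]

if __name__ == "__main__":
    print("inbound :", filter_packets(inbound_acl(), FROM_INTERNET))
    print("outbound:", filter_packets(outbound_acl(), FROM_CUSTOMER))
```

The two directions are deliberately asymmetric: inbound lists what to deny and then permits the rest, while outbound lists only what is legitimate and lets the implicit deny drop everything else, which is the "only allow packets with valid internal addresses" rule from the slide.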


uRPF Basics


Unicast Reverse Path Forwarding

• Source based feature (!)

• On the input path of an interface, after the input ACL check

• Requires CEF

• Small to no performance impact

• Does not look inside tunnels (GRE, IPinIP, …)

• History: Coming from Multicast world

• Strict available from 12.0

• Enhancements from 12.1(2)T (ACL & logging)


Strict uRPF Check (Unicast Reverse Path Forwarding)

[Figure: router with interfaces i/f 1, i/f 2 and i/f 3; a packet (S, D, data) arrives on one interface. Left: the FIB entry for S points back out the same interface (S -> i/f 1): forward. Right: the FIB entry for S points out another interface (S -> i/f 2): drop]

router(config-if)# ip verify unicast reverse-path
or: ip verify unicast source reachable-via rx allow-default


Loose uRPF Check (Unicast Reverse Path Forwarding)

[Figure: router with interfaces i/f 1, i/f 2 and i/f 3; a packet (S, D, data) arrives. Left: the FIB has a route for S via some interface (S -> i/f x), any interface: forward. Right: S is not in the FIB, or the route points to null0: drop]

router(config-if)# ip verify unicast source reachable-via any
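The two uRPF slides show the decision with diagrams. The following is an added example, not Cisco's implementation: a toy FIB with longest-prefix match and a function that makes the strict and loose uRPF decisions described above, including the effect of the allow-default keyword on a source that is matched only by the default route. The routes and source addresses are constructed; the customer block 165.21.0.0/16 is the one used on the packet-filtering slides.

```python
# Added example: strict vs. loose uRPF decisions against a small FIB.
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (prefix, outgoing interface)


class FIB:
    def __init__(self, routes: List[Tuple[str, str]]):
        self.routes: List[Route] = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

    def lookup(self, ip: str) -> Optional[Route]:
        """Longest-prefix match; None when no route covers the address."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, ifc in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifc)
        return best


def urpf_check(fib: FIB, src: str, in_if: str, mode: str = "strict",
               allow_default: bool = False) -> str:
    """Decide 'forward' or 'drop' for a packet with source src arriving on in_if.

    mode="strict": the best route back to src must leave via in_if.
    mode="loose":  any usable route back to src is enough.
    allow_default: let a match on the default route count as a route.
    """
    route = fib.lookup(src)
    if route is None:
        return "drop"                     # source not in FIB
    net, out_if = route
    if out_if == "null0":
        return "drop"                     # route to null0 (black-holed prefix)
    if net.prefixlen == 0 and not allow_default:
        return "drop"                     # only the default route matches
    if mode == "loose":
        return "forward"
    return "forward" if out_if == in_if else "drop"


# Constructed FIB: customer block behind i/f 1, a peer behind i/f 2,
# a black-holed RFC 1918 prefix, and a default route toward the upstream.
SAMPLE_FIB = FIB([
    ("165.21.0.0/16", "i/f 1"),
    ("204.178.123.0/24", "i/f 2"),
    ("10.0.0.0/8", "null0"),
    ("0.0.0.0/0", "i/f 3"),
])

if __name__ == "__main__":
    for src, ifc, mode, dflt in [("165.21.10.1", "i/f 1", "strict", False),
                                 ("165.21.10.1", "i/f 2", "strict", False),
                                 ("165.21.10.1", "i/f 2", "loose", False),
                                 ("10.1.1.1", "i/f 1", "loose", False),
                                 ("165.22.1.1", "i/f 3", "strict", True)]:
        print(src, ifc, mode, "allow-default" if dflt else "",
              "->", urpf_check(SAMPLE_FIB, src, ifc, mode, dflt))
```

The loose check is what makes the null0 trick work: pointing a bogon prefix at null0 turns every packet with such a source into a drop on every interface, without an access list. The strict check additionally catches a customer address arriving from the wrong side, which is the spoofing case the Customer Edge slides filter with ACLs.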


Limiting the Impact of DOS Attacks


Limit the Impact of DOS Attacks: Committed Access Rate

• Rate limiting

• Several ways to filter

• “Token bucket” implementation

[Figure: CAR pipeline. Traffic Matching Specification -> Traffic Measurement Instrumentation (token bucket with Tokens and Burst Limit) -> Action Policy; Conforming Traffic and Excess Traffic are handled by separate actions, then passed to the Next Policy]


CAR—Traffic Measurement

• Token bucket configurable parameters

Committed rate (bits/sec): configurable in increments of 8 Kbits

Normal burst size (bytes): to handle a temporary burst over the committed rate limit without paying a penalty. Minimum value is the committed rate divided by 2000

Extended burst size (bytes): burst in excess of the normal burst size, to gradually drop packets in a more RED-like fashion instead of entering a tail-drop scenario


CAR Rate Limiting

• Limit inbound TCP SYN packets to 8 Kbps

interface xy
 rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop
!
access-list 103 deny tcp any host 142.142.42.1 established
access-list 103 permit tcp any host 142.142.42.1

• Limit outbound ping to 256 Kbps

interface xy
 rate-limit output access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
!
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply

rate-limit arguments: ACL, average rate, burst, excess (traffic can burst 8K above the 256K average for 8K worth of data)
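The parameter slide and the configuration above describe the token bucket in words and in IOS syntax. The following is an added example, not from the deck: a token-bucket policer with the two parameters the rate-limit lines set first, committed rate in bits/s and normal burst in bytes, run over constructed packet traces that mirror the two limits configured above (8000 bps for SYNs, 256000 bps for ping). The extended-burst, RED-like behaviour is deliberately not modelled: here everything beyond the normal burst takes the exceed action.

```python
# Added example: CAR-style token bucket with committed rate and normal burst.
from typing import List, Tuple


class TokenBucket:
    def __init__(self, rate_bps: int, normal_burst_bytes: int):
        self.rate_bytes = rate_bps / 8.0          # refill rate, bytes per second
        self.capacity = normal_burst_bytes        # bucket depth = normal burst
        self.tokens = float(normal_burst_bytes)   # bucket starts full
        self.last = 0.0                           # time of the previous packet

    def police(self, t: float, size: int) -> str:
        """Charge a packet of `size` bytes seen at time t (seconds)."""
        # Refill for the elapsed time, never beyond the bucket depth.
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.rate_bytes)
        self.last = t
        if self.tokens >= size:
            self.tokens -= size
            return "conform"                      # conform-action transmit
        return "exceed"                           # exceed-action drop (no tokens taken)


def run_trace(rate_bps: int, normal_burst: int,
              trace: List[Tuple[float, int]]) -> List[str]:
    """Police a list of (time, size) packets and return the per-packet verdicts."""
    bucket = TokenBucket(rate_bps, normal_burst)
    return [bucket.police(t, size) for t, size in trace]


# Constructed traces.
# 250 SYN packets of 40 bytes all at t=0, then 50 more one second later:
# with an 8000-byte bucket the first 200 fit, then the 1000 bytes refilled
# in one second (8000 bps) admit 25 more.
SYN_FLOOD = [(0.0, 40)] * 250 + [(1.0, 40)] * 50
# 1000-byte pings every 10 ms (800 kbps offered) against the 256 kbps limit.
PING_BURST = [(0.01 * k, 1000) for k in range(12)]


def summarize(verdicts: List[str]) -> Tuple[int, int]:
    """(conforming, exceeding) packet counts."""
    return verdicts.count("conform"), verdicts.count("exceed")


if __name__ == "__main__":
    print("SYN flood  :", summarize(run_trace(8000, 8000, SYN_FLOOD)))
    print("ping burst :", summarize(run_trace(256000, 8000, PING_BURST)))
```

With the 8 Kbps SYN limit the bucket empties after 200 small SYNs and then admits only 1000 bytes per second, which is the intended effect of the access-list 103 policy: a SYN flood is clamped to a trickle while the line's normal traffic, which the ACL's deny established entry keeps out of the limiter, is untouched.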


In Conclusion


Where to get additional information

• The NSA’s Router Security document and the NIST’s recommendations on data security provide a good starting point for creating default IOS router configurations.

• http://www.fcw.com/fcw/articles/2002/0128/web-nist-01-28-02.asp

• http://csrc.nist.gov/publications/drafts/ITcontingency-planning-guideline.pdf

• http://www.cisecurity.org/

• Cisco’s own SAFE training provides important tips to customers:

• http://www.cisco.com/warp/public/707/newsflash.html

• http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html

• http://cisco.com/warp/public/707/21.html#flood


Cisco Security Courses

• MCNS – Managing Cisco Network Security

• CSIDS – Cisco Secure Intrusion Detection Systems

• CSIHS – Cisco Secure IDS Host Sensor

• CSPFA – Cisco Secure PIX Firewall Advanced

• CSPM – Cisco Secure Policy Manager

• CSVPN – Cisco Secure Virtual Private Networks

• CSDI – Cisco SAFE Design Implementation


Cisco Press Books

Cisco Secure PIX Firewalls (CSPFA), released December 2001

Cisco Secure Virtual Private Networks (CSVPN), released December 2001

Managing Cisco Network Security (MCNS), released January 2001

Cisco Secure Intrusion Detection System (CSIDS), released October 2001

Available at bookstores, computer stores, and online booksellers