Security Best Practices in Cisco IOS® and Other Techniques to Help Your Network Survive in Today's Internet/Extranet Environments
Mike Peeters, SE Toronto
PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved.
Safe Security
• SAFE Blueprint
• Understanding Today's Threats and Vulnerabilities
• Securing the Router
• Securing the Routing Protocols
• Limiting the Impact of DoS Attacks
• In Conclusion
The Network of Five Years Ago
[Diagram: a closed network; remote sites reached over Frame Relay, X.25, leased lines and the PSTN]
Legacy Security Solutions
• Most security was designed when networks were simple and static
• Primarily single-point products (access control) with no network integration or intelligence
• Such legacy products are still seen as default security solutions (a "cure-all")
• Today, there are serious drawbacks to relying on such "overlay" security to protect sophisticated networks and services
Case in Point…
Internet connections have dramatically increased as a frequent point of attack (from 59% in 2000 to 70% in 2001). Of those organizations reporting attacks, we learn:
• 27% say they don't know if there had been unauthorized access or misuse
• 21% reported from two to five incidents in one year
• 58% reported ten or more incidents in a single year: something isn't working!
Computer Security Institute & FBI Report, March 2001
Code Red and Nimda Worm Impacts
• Rapid penetration and propagation through existing security solutions
• Extensive impact; expensive recovery
• Exploited existing and known vulnerabilities, and bypassed legacy security devices
• Could be prevented and mitigated
Impact of Recent Worms
• Major computer company... Code Red/Nimda
$9 million for remediation
12,000 IT hours for Code Red
6,500 IT hours for Nimda
• Multibillion-dollar financial institution... Nimda
75% of core routers down at any given time
Lost trading server for half a day ($13 million impact)
Important Lesson Learned: Security Needs to Be Designed and Implemented Around, In and Through the Network
The Network Today
Today's Threats
• Attackers are taking advantage of complex networks and sophisticated Internet services
• In this environment, everything is a target: routers, switches, hosts, networks (local and remote), applications, operating systems, security devices, remote users, business partners, extranets, etc.
• Threats to today's networks are not addressed by most legacy security products
• In fact, there is no single security device which can protect all of these targets
SAFE Security Blueprint
• Integrates security and network issues
• Includes specific configurations for Cisco and partner solutions
• Based on existing, shipping capabilities
• Over 3,000 hours of lab testing
• Currently, five SAFE white papers: SAFE for Enterprise, SAFE for SMB, SAFE Blueprint for IP Telephony, Wireless LAN Security in Depth, SAFE for VPNs
SAFE: Securing E-Business
[Diagram of the SAFE enterprise modules: Management, Building, E-Commerce, Distribution, Core, Corporate Internet Edge, Server, VPN/Remote Access, WAN (FR/ATM), with connections to the ISP and the PSTN]
Defense-in-Depth
[Diagram of the five security areas and their technologies: Secure Connectivity (VPN), Perimeter Security (Firewalls), Security Monitoring (IDS/Scanning), Identity (Authentication), Security Management (Policy)]
• Integration into the network infrastructure: compatibility with network services
• Integration of functions: interoperability and intelligent interaction between elements
• Convergence with other technology initiatives: mobility/wireless, IP telephony, voice/video-enabled VPNs
Understanding Today's Threats and Vulnerabilities
Classes of Attacks
• Reconnaissance: unauthorized discovery and mapping of systems, services, or vulnerabilities
• Access: unauthorized data manipulation, system access, or privilege escalation
• Denial of Service: disable or corrupt networks, systems, or services
Reconnaissance Methods
• Common commands and administrative utilities: nslookup, ping, netcat, telnet, finger, rpcinfo, file explorer, srvinfo, dumpacl
• Public tools: sniffers, SATAN, SAINT, NMAP, custom scripts
nmap
• Network Mapper is a utility for port scanning large networks:
TCP connect() scanning
TCP SYN (half open) scanning
TCP FIN, Xmas, or NULL (stealth) scanning
TCP ftp proxy (bounce attack) scanning
SYN/FIN scanning using IP fragments (bypasses some packet filters)
TCP ACK and window scanning
UDP raw ICMP port unreachable scanning
ICMP scanning (ping-sweep)
TCP ping scanning
Direct (non-portmapper) RPC scanning
Remote OS identification by TCP/IP fingerprinting (nearly 500)
nmap
• nmap {Scan Type(s)} [Options]
Access Methods
• Exploiting passwords
Brute force
Cracking tools
• Exploiting poorly configured or managed services
Anonymous ftp, tftp, remote registry access, NIS, …
Trust relationships: rlogin, rexec, …
IP source routing
File sharing: NFS, Windows file sharing
Access Methods (Cont.)
• Exploiting application holes
Mishandled input data: access outside the application domain, buffer overflows, race conditions
• Protocol weaknesses: fragmentation, TCP session hijacking
• Trojan horses: programs that plant a backdoor into a host
IP Packet Format
Bits 0-15 | Bits 16-31
4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (in bytes)
16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
32-bit Source IP Address
32-bit Destination IP Address
Options (if any)
Data
IP Spoofing
[Diagram: attacker C sends host A a datagram carrying B's source address: "Hi, my name is B"]
IP: Normal Routing
[Diagram: hosts A, B and C sit behind routers Ra, Rb and Rc. A's table: B, C via Ra. Ra's table: B via Rb, C via Rc. Rb's table: A, C via Ra; B via Ethernet. A datagram "A -> B" travels A, Ra, Rb, B, each hop consulting its own table.]
Routing Based on Routing Tables
IP: Source Routing
[Diagram: same hosts and routers. A sends "A -> B via Ra, Rb": the datagram carries its own path in the IP source route option. Ra's table knows C via Rc and has B as unknown, yet forwards to Rb because the option names it; Rb delivers to B.]
Routing Based on IP Datagram Option
IP Unwanted Routing
[Diagram: Internet host C, Internet edge router R1 (table: A unknown, B via DMZ), DMZ host B, intranet router R2 (table: A via Intranet, B via DMZ) and intranet host A. C sends "C -> A via R1, R2": although the Internet-facing tables have no route to A, the source route option carries the datagram through R1 and the DMZ to R2 and on to A.]
IP Unwanted Routing (Cont.)
[Diagram: the Internet router still has A as unknown. Host B is on the internal Ethernet and also has a dial-up PPP link to C (B's table: A via Ethernet, C via PPP). With B acting as a router, C sends "C -> A via B" and reaches the intranet host A through B.]
IP Spoofing Using Source Routing
[Diagram: A trusts B ("B is a friend, allow access"). Attacker C sends A a datagram claiming to be from B with the source route C, Rc, Ra ("B -> A via C, Rc, Ra"). A answers "A -> B via Ra, Rc, C": the reply follows the reversed source route and arrives at C, not at B.]
Back Traffic Uses the Same Source Route
TCP Packet Format
Bits 0-15 | Bits 16-31
16-bit Source Port Number | 16-bit Destination Port Number
32-bit Sequence Number
32-bit Acknowledgment Number
4-bit Header Length | Reserved (6 bits) | URG ACK PSH RST SYN FIN | 16-bit Window Size
16-bit TCP Checksum | 16-bit Urgent Pointer
TCP Options
Data
TCP Connection Establishment
B -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb)
B -> A: flags=ACK, seq=(Sb,Sa)
A -> B: flags=ACK, seq=(Sb,Sa), data="Username:"
TCP Blind Spoofing
C (masquerading as B) -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb) (C never sees this packet; C guesses Sa)
C -> A: flags=ACK, seq=(Sb,Sa)
A -> B: flags=ACK, seq=(Sb,Sa), data="Username:"
C -> A: flags=ACK, seq=(Sa+9,Sb), data="myname"
A believes the connection comes from B and starts the application (e.g. rlogin)
TCP Blind Spoofing (Cont.)
• C masquerades as B
• A believes the connection is coming from trusted B
• C does not see the back traffic
• For this to work, the real B must not be up, and C must be able to guess A's sequence number
TCP Session Hijacking
B initiates a connection with A and is authenticated by the application on A:
B -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb)
B -> A: flags=ACK, seq=(Sb,Sa)
A -> B: flags=ACK, seq=(Sb,Sa), data="Password:"
B -> A: data="Xyzzy", seq=(Sa+9,Sb)
C (masquerading as B) guesses Sa and Sb and inserts invalid data: data="delete *", seq=(Sb+5,Sa+9)
IP Normal Fragmentation
• The largest IP datagram is 65,535 bytes == 2^16-1
• IP fragments a large datagram into smaller datagrams to fit the MTU
• Fragments are identified by the fragment offset field
• The destination host reassembles the original datagram
IP Normal Fragmentation (Cont.)
Before Fragmentation:
TL=1300, FO=0 Data Length 1280
IP Header IP Data
After Fragmentation (MTU = 500):
TL=500, FO=0 Data Length 480
TL=500, FO=480 Data Length 480
TL=340, FO=960 Data Length 320
IP Normal Reassembly
Received from the Network:
TL=500, FO=0 Data Length 480
TL=340, FO=960 Data Length 320
TL=500, FO=480 Data Length 480
Reassembly Buffer, 65,535 Bytes
Kernel Memory at Destination Host
IP Reassembly Attack
• Send an invalid IP datagram
• Fragment offset + fragment size > 65,535
• Usually containing an ICMP echo request (ping)
• Not limited to ping of death!
IP Reassembly Attack (Cont.)
Received from the Network:
TL=1020, FO=0 Data Length 1000
…64 IP Fragments with Data Length 1000…
TL=1020, FO=65000 Data Length 1000
BUG: Buffer Exceeded
Reassembly Buffer, 65,535 Bytes
64 IP Fragments
Kernel Memory at Destination Host
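As an added example (not part of the original presentation), the fragment bounds check that the reassembly slides above call for, written in Python: it reproduces the normal 1280-byte, MTU 500 case and rejects the constructed 64-fragment set whose last piece starts at offset 65000. The Fragment class, the use of byte offsets instead of 8-byte units, and the helper names are assumptions of this example.

```python
from dataclasses import dataclass

IP_HEADER_LEN = 20
MAX_DATAGRAM = 65535          # 16-bit Total Length field: 2^16 - 1 bytes


@dataclass
class Fragment:
    """One IP fragment (example model). Offsets are kept in bytes here; on the
    wire the 13-bit Fragment Offset field counts 8-byte units."""
    offset: int      # FO: where this fragment's data starts in the original datagram
    data: bytes      # fragment payload
    more: bool       # MF flag: more fragments follow

    @property
    def total_length(self):
        # TL as printed on the slides: 20-byte header plus payload
        return IP_HEADER_LEN + len(self.data)


def check_fragment(frag):
    """Return None if the fragment fits the 65,535-byte reassembly buffer,
    otherwise the reason it must be rejected. This is the bounds check whose
    absence the 'BUG: Buffer Exceeded' slide illustrates."""
    if frag.offset % 8:
        return "offset %d is not a multiple of 8" % frag.offset
    if frag.more and len(frag.data) % 8:
        return "non-final fragment length %d is not a multiple of 8" % len(frag.data)
    end = frag.offset + len(frag.data)
    if end > MAX_DATAGRAM:
        return "fragment ends at byte %d, beyond %d" % (end, MAX_DATAGRAM)
    return None


def fragment(payload, mtu):
    """Split a payload as the 'After Fragmentation' slide shows: each fragment
    carries (mtu - 20) bytes of data, rounded down to a multiple of 8."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        frags.append(Fragment(off, piece, more=off + chunk < len(payload)))
    return frags


def reassemble(fragments):
    """Validate every fragment before any data is copied, then rebuild the
    payload in offset order, refusing gaps, overlaps and a missing last piece."""
    if not fragments:
        raise ValueError("no fragments")
    for f in fragments:
        problem = check_fragment(f)
        if problem:
            raise ValueError("rejected fragment FO=%d: %s" % (f.offset, problem))
    ordered = sorted(fragments, key=lambda f: f.offset)
    if ordered[-1].more:
        raise ValueError("final fragment (MF=0) missing")
    buf = bytearray()
    for f in ordered:
        if f.offset != len(buf):
            raise ValueError("gap or overlap at offset %d" % f.offset)
        buf += f.data
    return bytes(buf)


def is_accepted(fragments):
    """True if the fragment set reassembles cleanly, False if it is rejected."""
    try:
        reassemble(fragments)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Normal case from the slides: 1280 data bytes, MTU 500 -> 480 + 480 + 320
    normal = fragment(b"x" * 1280, 500)
    for f in normal:
        print("TL=%d, FO=%d, data length %d" % (f.total_length, f.offset, len(f.data)))
    print("reassembled:", len(reassemble(normal)), "bytes")
    # Constructed attack set from the slides: 64 fragments of 1000 bytes,
    # then one at FO=65000 that would end at byte 66000
    attack = [Fragment(i * 1000, b"A" * 1000, True) for i in range(64)]
    attack.append(Fragment(65000, b"A" * 1000, False))
    print("attack accepted:", is_accepted(attack), "-", check_fragment(attack[-1]))
```

The check runs before anything is copied into the buffer, which is the point: a receiver that validates offset plus length against the maximum datagram size per fragment never needs the oversized buffer the slide marks as the bug.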
SYN Attack
C (masquerading as B) -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb); A allocates a kernel resource for handling the starting connection
No answer from B… after a 120-second timeout A frees the resource
Repeated enough, kernel resources are exhausted: denial of service
SMURF Attack
[Diagram: the attacker sends an ICMP echo request to the directed broadcast address (ICMP REQ D=160.154.5.255 S=172.18.1.2, a directed broadcast PING) with the victim's address 172.18.1.2 as the source. Every host on 160.154.5.0 answers (ICMP REPLY D=172.18.1.2 S=160.154.5.10, S=160.154.5.11, S=160.154.5.12, S=160.154.5.13, S=160.154.5.14, …), and the amplified replies attempt to overwhelm the WAN link to the destination 172.18.1.2.]
DDoS Step 1: Find Vulnerable Hosts
[Diagram: attacker]
Use reconnaissance tools to locate vulnerable hosts to be used as masters and daemon agents
DDoS Step 2: Install Software on Masters and Agents
[Diagram: attacker, innocent masters, innocent daemon agents]
1. Use master and agent programs on all cracked hosts
2. Create a hierarchical covert control channel using innocent-looking ICMP packets whose payload contains DDoS commands; some DDoS tools further encrypt the payload...
DDoS Step 3: Launch the Attack
[Diagram: the attacker tells the innocent masters "Attack Alice NOW!"; the masters relay the command to the innocent daemon agents, which flood the victim A]
Securing the Router
Passwords:
• Physical access to the console port means no password is needed upon reboot
• Telnet: the enable password should be different from the login password
• SNMP: SNMP community strings are transmitted in the clear (v1, v2)
• Passwords/community strings are stored in clear text on TFTP servers (no service config)
• Use good passwords
Passwords:
• Understand the different password protection mechanisms:
service password-encryption
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
line con 0
 password 7 00071A150754
• 5 => MD5 protection; cannot be decrypted
• 7 => Cisco proprietary encryption method
• Use TACACS+/RADIUS for authentication
Beware: even passwords that are encrypted in the configuration are not encrypted on the wire as an administrator logs into the router
SNMP:
snmp-server community string [ro | rw] [access-list-number]
SNMP:
• Change your community strings! Do not use public, private, secret!
• Use different community strings for the RO and RW communities.
• Use mixed alphanumeric characters in the community strings: SNMP community strings can be cracked, too!
SNMP Version 3:
• SNMP v3 is integrated in routers and switches.
• HP OpenView has a plugin for SNMP v3.
• Cisco Enterprise Network Management has at this time no plans to support SNMP version 3. We advise people to use IPsec to accomplish a secure connection.
Transaction Records
• How do you tell when someone is attempting to access your router?
• Consider some form of audit trail:
Using the syslog feature
SNMP traps and alarms
Implementing TACACS+, RADIUS, Kerberos, or third-party solutions like one-time password token cards
Configuring Syslog on a Router
• To log messages to a syslog server host, use the logging global configuration command:
logging host
logging trap level
• To log to the internal buffer use:
logging buffered size
• To source the log events from a common address:
logging source-interface e0/1
Global Services You Turn On
• Add the timestamping service facility for logs:
service timestamps log datetime localtime show-timezone msec
• Add the encryption service facility for console and VTY pass-words:
service password-encryption
Setting NTP
ntp server 192.168.41.40
ntp server 192.168.41.41
ntp source Ethernet0/1
service timestamps log datetime localtime show-timezone
service timestamps debug datetime localtime show-timezone
clock timezone EST -5
clock summer-time EDT recurring
Global Services You Turn OFF
• Some services turned on by default (< IOS 12.x) should be turned off to save memory and prevent security breaches/attacks:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
no ip bootp server
Global Services You Turn OFF (Cont.)
• Check these services as well:
no ip source-route
no mop enabled
no ip rsh-enable
no ip rcmd rcp-enable
no ip identd
no ip http server
Interface Services You Turn OFF
• All interfaces on an Internet-facing router should have the following as a default:
no ip redirects
no ip directed-broadcast
no ip proxy-arp
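An added example, not from the presentation: a small Python audit that reads a saved IOS configuration and reports which of the global and interface hardening commands from the three slides above are absent or contradicted. The sample configuration is constructed, the command lists mirror the slides, and the parser assumes interface sub-commands are indented by one space as in show running-config output; since IOS omits some defaults from that output, a missing line means "not verified" rather than "enabled".

```python
# Global commands the 'Global Services You Turn ON/OFF' slides call for.
# Assumption: the audit looks for these literal lines in a saved configuration.
REQUIRED_GLOBAL = [
    "service timestamps log datetime localtime show-timezone msec",
    "service password-encryption",
    "no service finger",
    "no service pad",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "no ip bootp server",
    "no ip source-route",
    "no ip rsh-enable",
    "no ip rcmd rcp-enable",
    "no ip identd",
    "no ip http server",
]
# Lines that should never appear at global level.
FORBIDDEN_GLOBAL = ["ip http server", "ip source-route", "service finger"]
# Per-interface commands from the 'Interface Services You Turn OFF' slide;
# 'no mop enabled' is checked here because mop is an interface-level command.
REQUIRED_INTERFACE = ["no ip redirects", "no ip directed-broadcast",
                      "no ip proxy-arp", "no mop enabled"]
# Required only on interfaces facing the outside (CDP slide).
REQUIRED_PUBLIC_INTERFACE = ["no cdp enable"]


def parse_config(text):
    """Split an IOS configuration into global lines and per-interface blocks.
    Interface sub-commands are the indented lines that follow 'interface X'."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(text, public_interfaces=()):
    """Return a list of findings, each 'scope: missing/present <command>'."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for cmd in REQUIRED_GLOBAL:
        if cmd not in global_lines:
            findings.append("global: missing '%s'" % cmd)
    for cmd in FORBIDDEN_GLOBAL:
        if cmd in global_lines:
            findings.append("global: present '%s'" % cmd)
    for name, lines in interfaces.items():
        if name.lower().startswith("loopback") or "shutdown" in lines:
            continue   # loopbacks and shut interfaces carry no transit traffic
        wanted = list(REQUIRED_INTERFACE)
        if name in public_interfaces:
            wanted += REQUIRED_PUBLIC_INTERFACE
        for cmd in wanted:
            if cmd not in lines:
                findings.append("%s: missing '%s'" % (name, cmd))
    return findings


# Constructed sample configuration (not from any real router) with a few gaps.
SAMPLE_CONFIG = """\
!
service timestamps log datetime localtime show-timezone msec
service password-encryption
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
no ip bootp server
no ip source-route
no ip rsh-enable
no ip rcmd rcp-enable
no ip identd
ip http server
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Serial0/1
 description constructed example: link to upstream ISP
 ip address 192.0.2.9 255.255.255.252
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no mop enabled
 no cdp enable
!
interface Ethernet0/1
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, public_interfaces={"Serial0/1"}):
        print(finding)
```

Run against the constructed configuration, the audit reports the missing no ip http server (and the contradicting ip http server) at global level and the three interface commands absent from Ethernet0/1, while the fully hardened Serial0/1 and the loopback produce nothing.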
Cisco Discovery Protocol
• Lets network administrators discover neighbouring Cisco equipment, model numbers and software versions
• Should not be activated on any public-facing interface (IXP, customer, upstream ISP) unless part of the peering agreement
• Disable per interface:
no cdp enable
Cisco Discovery Protocol
Defiant#show cdp neighbors detail
-------------------------
Device ID: Excalabur
Entry address(es):
  IP address: 4.1.2.1
Platform: cisco RSP2,  Capabilities: Router
Interface: FastEthernet1/1,  Port ID (outgoing port): FastEthernet4/1/0
Holdtime : 154 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-K3PV-M), Version 12.0(9.5)S, EARLY DEPLOYMENT MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Fri 03-Mar-00 19:28 by htseng
Login Banner
• Use a good login banner, or nothing at all:
banner login ^
Authorised access only
Disconnect IMMEDIATELY if you are not an authorised user!
^
Use Enable Secret
• Encryption '7' on a Cisco is reversible
• The "enable secret" password is encrypted via a one-way algorithm:
enable secret
VTY and Console Port Timeouts
• The default idle timeout on async ports is 10 minutes 0 seconds:
exec-timeout 10 0
• A timeout of 0 means a permanent connection
• TCP keepalives on incoming network connections kill unused connections:
service tcp-keepalives-in
VTY Security
• Access to VTYs should be controlled, not left open; consoles should be used for last-resort admin only:
access-list 3 permit 215.17.1.0 0.0.0.255
access-list 3 deny any
line vty 0 4
 access-class 3 in
 exec-timeout 5 0
 transport input telnet ssh
 transport output none
 transport preferred none
 password 7 045802150C2E
VTY Security
• Use more robust ACLs with the logging feature to spot the probes on your network:
access-list 199 permit tcp 1.2.3.0 0.0.0.255 any
access-list 199 permit tcp 1.2.4.0 0.0.0.255 any
access-list 199 deny tcp any any range 0 65535 log
access-list 199 deny ip any any log
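Added example, not part of the deck: Python that parses the %SEC-6-IPACCESSLOGP / IPACCESSLOGDP messages IOS emits for access-list entries carrying the log keyword (timestamps in the form produced by service timestamps log datetime localtime show-timezone msec) and flags sources that were denied on several destination ports, which is how the "spot the probes" ACL above pays off. The log lines are constructed, and the probe threshold and function names are this example's own.

```python
import re
from collections import defaultdict

# ACL log messages IOS emits for 'log' entries, with the timestamp form produced
# by 'service timestamps log datetime localtime show-timezone msec'.
# IPACCESSLOGP covers tcp/udp (ports in parentheses), IPACCESSLOGDP icmp
# (type/code after the destination), IPACCESSLOGNP other protocols.
ACL_LOG = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)? \S+): "
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return a dict for an ACL log line, or None for any other syslog message."""
    m = ACL_LOG.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["count"] = int(e["count"])
    e["sport"] = int(e["sport"]) if e["sport"] else None
    e["dport"] = int(e["dport"]) if e["dport"] else None
    return e


def summarize(lines):
    """Per source address: denied packet count, destination ports aimed at and
    the ACLs that fired. Permitted entries are skipped; those are the hosts the
    ACL was written to admit."""
    stats = defaultdict(lambda: {"packets": 0, "ports": set(), "acls": set()})
    for line in lines:
        e = parse_line(line)
        if e is None or e["action"] != "denied":
            continue
        s = stats[e["src"]]
        s["packets"] += e["count"]
        s["acls"].add(e["acl"])
        if e["dport"] is not None:
            s["ports"].add(e["dport"])
    return dict(stats)


def probes(lines, min_ports=3):
    """Sources denied on at least min_ports distinct destination ports: one
    source walking several ports of one router looks like a probe, not a typo."""
    stats = summarize(lines)
    return sorted(src for src, s in stats.items() if len(s["ports"]) >= min_ports)


# Constructed sample syslog lines (not captured from a real router).
SAMPLE_LOG = """\
Jan 28 10:15:42.117 EST: %SEC-6-IPACCESSLOGP: list 199 denied tcp 192.0.2.77(4512) -> 10.0.0.1(23), 1 packet
Jan 28 10:15:42.401 EST: %SEC-6-IPACCESSLOGP: list 199 denied tcp 192.0.2.77(4513) -> 10.0.0.1(22), 1 packet
Jan 28 10:15:42.655 EST: %SEC-6-IPACCESSLOGP: list 199 denied tcp 192.0.2.77(4514) -> 10.0.0.1(80), 1 packet
Jan 28 10:15:43.002 EST: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 1.2.3.10(33421) -> 10.0.0.1(23), 1 packet
Jan 28 10:16:12.509 EST: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.5 -> 10.0.0.1 (8/0), 4 packets
Jan 28 10:16:40.000 EST: %SYS-5-CONFIG_I: Configured from console by joe on vty0 (1.2.3.10)
"""

if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(src, s["packets"], "denied packets, ports", sorted(s["ports"]), "acls", sorted(s["acls"]))
    print("probable port probes:", probes(SAMPLE_LOG.splitlines()))
```

IOS rate-limits these messages and, after the first hit, reports aggregated counts ("4 packets"), so the parser sums the count field instead of counting lines.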
VTY Access and SSHv1
• Secure shell is supported from IOS 12.1
• Obtain, load and run the appropriate crypto image on the router
• Set up SSH on the router:
Beta7200(config)#crypto key generate rsa
• Add it as an input transport:
line vty 0 4
 transport input telnet ssh
User Authentication
• Account per user, with passwords:
aaa new-model
aaa authentication login neteng local
username joe password 7 1104181051B1
username jim password 7 0317B21895FE
line vty 0 4
 login authentication neteng
 access-class 3 in
• Username/password is more resistant to attack than a plain password
User Authentication
• Use a distributed authentication system:
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa accounting exec start-stop tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 215.17.1.1
tacacs-server key CKr3t#
line vty 0 4
 access-class 3 in
User Authentication
TACACS+ provides a detailed audit trail of what is happening on the network devices:
User-Name  Group  cmd  priv-lvl  service  NAS-Portname  task_id  NAS-IP  reason
bgreene    NOC    enable
Source Routing
• IP has a provision to allow the source IP host to specify the route through the Internet
• Turn this off unless it is specifically required:
no ip source-route
ICMP Unreachable Overload
• All routers that use any static route to Null0 should configure no ip unreachables on that interface:
interface Null0
 no ip unreachables
!
ip route
Securing the Routing Protocol
Routing Protocol Security
• Routing protocols can be attacked:
Denial of service
Smoke screens
False information
Reroute packets
May Be Accidental or Intentional
Secure Routing: Route Authentication
Configure Routing Authentication
[Diagram: the campus router signs its route updates; the receiving router verifies the signature on the route updates]
Certifies authenticity of the neighbor and integrity of the route updates
Signature Generation
[Diagram: Router A passes the route updates through a hash function, encrypts the resulting hash and attaches it to the route updates as the signature]
Signature = Encrypted Hash of Routing Update
Signature Verification
[Diagram: Router B, the receiving router, separates the routing update from its signature; it re-hashes the routing update with the hash function and decrypts the signature using the preconfigured key. If the hashes are equal, the signature is authentic.]
Route Authentication
• Authenticates routing update packets
• Shared key included in routing updates:
Plain text—protects against accidental problems only
Message Digest 5 (MD5)—protects against accidental and intentional problems
OSPF Route Authentication
• OSPF area authentication, two types: simple password and message digest (MD5)
Simple password:
ip ospf authentication-key key (under the specific interface)
area area-id authentication (under "router ospf")
Message digest:
ip ospf message-digest-key keyid md5 key (under the interface)
area area-id authentication message-digest (under "router ospf")
OSPF and Authentication Example
• OSPF
interface ethernet1
 ip address 10.1.1.1 255.255.255.0
 ip ospf message-digest-key 100 md5 cisco
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 area 0 authentication message-digest
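Added example (neither the deck's nor Cisco's code): Python showing the route-authentication scheme the preceding slides describe, a digest over the update plus the shared key that the receiver recomputes with its own preconfigured key, next to the simple-password mode in which the key itself travels in the update. The packet layout, the 16-byte key padding and the function names are assumptions of this example, not OSPF's wire format; the key "cisco" is the one from the OSPF slide above.

```python
import hashlib
import hmac

KEY_LEN = 16    # assumption: the shared key is padded/truncated to 16 bytes before hashing
DIGEST_LEN = 16  # MD5 output length


def make_digest(update, key):
    """Signature as the slides describe it: a hash over the routing update
    combined with the preconfigured shared key (simplified keyed MD5)."""
    return hashlib.md5(update + key.ljust(KEY_LEN, b"\0")[:KEY_LEN]).digest()


def build_packet(update, key, mode):
    """Attach the authentication data a neighbor will check.
    'plain' -> the key itself travels in the update (simple password)
    'md5'   -> only the digest travels; the key never leaves the router"""
    if mode == "plain":
        return update + b"|" + key          # assumption: keys never contain '|'
    if mode == "md5":
        return update + make_digest(update, key)
    raise ValueError("unknown mode %r" % mode)


def receive(packet, key, mode):
    """Receiving router separates update and authentication data, re-hashes
    the update with its own key and compares. Returns (accepted, reason)."""
    if mode == "plain":
        update, _, auth = packet.rpartition(b"|")
        ok = hmac.compare_digest(auth, key)
        return (ok, "password matches" if ok else "password mismatch")
    if mode == "md5":
        update, auth = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
        ok = hmac.compare_digest(auth, make_digest(update, key))
        return (ok, "digest matches" if ok else "digest mismatch: update altered or wrong key")
    raise ValueError("unknown mode %r" % mode)


def key_visible(packet, key):
    """Would an eavesdropper on the link learn the key from this packet?"""
    return key in packet


if __name__ == "__main__":
    key = b"cisco"                              # key from the OSPF example slide
    update = b"10.1.1.0/24 area 0 cost 10"      # constructed routing update
    for mode in ("plain", "md5"):
        pkt = build_packet(update, key, mode)
        print(mode, "accepted:", receive(pkt, key, mode), "| key on the wire:", key_visible(pkt, key))
        # an update changed in transit (accident or not) with the auth data left as-is
        tampered = pkt.replace(b"cost 10", b"cost 1")
        print(mode, "tampered:", receive(tampered, key, mode))
```

The two runs make the slide's distinction concrete: in plain mode the altered update is still accepted because the password is unchanged and, worse, the password is readable on the link; in MD5 mode any change to the update, or a neighbor using a different key, fails verification and the key itself never appears in the packet.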
What Ports Are Open on the Router?
• It may be useful to see what sockets/ports are open on the router:
show ip sockets
7206-UUNET-SJ#show ip sockets
Proto  Remote           Port  Local            Port  In  Out  Stat  TTY  OutputIF
17     192.190.224.195  162   204.178.123.178  2168  0   0    0     0
17     --listen--             204.178.123.178  67    0   0    9     0
17     0.0.0.0          123   204.178.123.178  123   0   0    1     0
17     0.0.0.0          0     204.178.123.178  161   0   0    1     0
Securing the Network
• Route filtering
• Packet filtering
• Rate limits
Ingress Filters—Inbound Traffic
[Diagram: traffic coming into the customer network from ISP A, ISP B or another customer]
Egress Filters—Outbound Traffic
[Diagram: traffic going out of the customer network toward ISP A, ISP B or another customer]
Route Filtering
Ingress and Egress Route Filtering
• Quick review:
0.0.0.0/8 and 0.0.0.0/32—default and broadcast
127.0.0.0/8—host loopback
192.0.2.0/24—TEST-NET for documentation
10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16—RFC 1918 private addresses
169.254.0.0/16—end node auto-config for DHCP
Ingress and Egress Route Filtering
• Two flavors of route filtering:
Distribute list—widely used
Prefix list—increasingly used (BGP only)
• Both work fine—engineering preference
Packet Filtering
Ingress and Egress Packet Filtering
You should not be sending any IP packets out to the Internet with a source address other than the addresses that have been allocated to your network!
Packet Filtering
• Static access list at the edge of the network
• Dynamic access list with AAA profiles
• Unicast RPF
Ingress Packet Filtering: Customer Edge
[Diagram: customer network 165.21.0.0/16 (165.21.10.0/24, 165.21.19.0/24, 165.21.20.0/24, 165.21.61.0/24) connected over Serial 0/1 to the Internet backbone. Deny source address 165.21.0.0/16 (depending on the customer's IP address block). The filter is applied on the downstream aggregation and NAS routers, on the interface going to that customer. Example: IP packets with a source of 165.21.10.1 would be blocked.]
ICMP Filtering
Extended access list: access-list 101 permit icmp any any
Summary of message types:
0 Echo Reply
3 Destination Unreachable: no ip unreachables (IOS will not send)
4 Source Quench
5 Redirect: no ip redirects (IOS will not accept)
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
ICMP codes are not shown
RFC 792: INTERNET CONTROL MESSAGE PROTOCOL
Inbound Packet Filtering
• Filter packets with internal addresses as source to prevent IP spoofing attacks
• Filter packets with RFC-reserved addresses as source to prevent IP address spoofing attacks
• Filter bootp, TFTP, SNMP, and traceroute as incoming to protect against remote access and reconnaissance attacks
• Allow incoming pings to the external interface of the perimeter router only from the ISP host
• Permit DNS requests to the DMZ server on the bastion host (TCP port 53, not UDP port 53)
Egress Packet Filtering: Customer Edge
[Diagram: the same customer network 165.21.0.0/16 behind Serial 0/1. Allow source address 165.21.0.0/16 (depending on the IP address block allocated to the customer) and block source addresses from all other networks. The filter is applied on the downstream aggregation and NAS routers. Example: IP packets with a source of 10.1.1.1 would be blocked.]
Outbound Packet Filtering
• Only allow packets with valid internal addresses as source to prevent IP spoofing attacks
• Filter packets with RFC-reserved addresses as source to prevent IP address spoofing attacks
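Added example, not from the presentation: a Python model of the customer-edge ingress and egress source-address checks from the slides above, using the 165.21.0.0/16 customer block from the diagrams and the reserved prefixes from the route-filtering quick review, together with the equivalent IOS access-list lines. The access-list numbers, the sample source addresses and the class and function names are constructed for this example.

```python
import ipaddress

# 'Quick review' prefixes from the route-filtering slide; none of these may be
# a source address in either direction at the customer edge.
RESERVED = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def wildcard(net):
    """IOS access-list notation: network address plus inverse (wildcard) mask."""
    return "%s %s" % (net.network_address, net.hostmask)


class CustomerEdgeFilter:
    """Source-address checks for one customer, given the block allocated to it."""

    def __init__(self, customer_block):
        self.customer = ipaddress.ip_network(customer_block)

    def ingress_allowed(self, src):
        """Packet arriving from the backbone, headed into the customer network."""
        a = ipaddress.ip_address(src)
        if a in self.customer:
            return (False, "source inside customer block %s" % self.customer)
        for net in RESERVED:
            if a in net:
                return (False, "reserved source %s" % net)
        return (True, "ok")

    def egress_allowed(self, src):
        """Packet leaving the customer toward the backbone."""
        a = ipaddress.ip_address(src)
        if a not in self.customer:
            return (False, "source %s not in allocated block %s" % (a, self.customer))
        for net in RESERVED:
            if a in net:
                return (False, "reserved source %s" % net)
        return (True, "ok")

    def ingress_acl(self, number):
        """Equivalent IOS access list for the customer-facing interface, applied
        in the direction toward the customer: deny spoofed and reserved sources
        with logging, permit the rest."""
        lines = ["access-list %d deny ip %s any log" % (number, wildcard(self.customer))]
        lines += ["access-list %d deny ip %s any log" % (number, wildcard(n)) for n in RESERVED]
        lines.append("access-list %d permit ip any any" % number)
        return lines

    def egress_acl(self, number):
        """Equivalent IOS access list applied inbound on the customer-facing
        interface: only the allocated block may be a source; everything else is
        dropped and logged."""
        return ["access-list %d permit ip %s any" % (number, wildcard(self.customer)),
                "access-list %d deny ip any any log" % number]


if __name__ == "__main__":
    # Customer block taken from the slides: 165.21.0.0/16 behind Serial 0/1
    f = CustomerEdgeFilter("165.21.0.0/16")
    for src in ("165.21.10.1", "10.1.1.1", "198.51.100.7"):   # constructed sources
        print(src, "ingress:", f.ingress_allowed(src), "egress:", f.egress_allowed(src))
    print("\n".join(f.ingress_acl(110)))
    print("\n".join(f.egress_acl(111)))
```

The two ACLs are mirror images: ingress enumerates what must never come in (the customer's own block and the reserved ranges) and permits the rest, while egress enumerates the only thing that may go out (the allocated block) and denies the rest, which is why the egress list is so much shorter.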
uRPF Basics
Unicast Reverse Path Forwarding
• Source-based feature (!)
• On the input path of an interface, after the input ACL check
• Requires CEF
• Small to no performance impact
• Does not look inside tunnels (GRE, IPinIP, …)
• History: comes from the multicast world
• Strict mode available from 12.0
• Enhancements from 12.1(2)T (ACL & logging)
Strict uRPF Check (Unicast Reverse Path Forwarding)
router(config-if)# ip verify unicast reverse-path
or: ip verify unicast source reachable-via rx allow-default
[Diagram: a packet with source S and destination D arrives on i/f 1 of a router with interfaces i/f 1, i/f 2 and i/f 3. Left: the FIB says S -> i/f 1, the same interface: forward. Right: the FIB says S -> i/f 2, another interface: drop.]
Loose uRPF Check (Unicast Reverse Path Forwarding)
router(config-if)# ip verify unicast source reachable-via any
[Diagram: the same packet. Left: the FIB has S -> i/f x, any interface: forward. Right: S is not in the FIB, or its route points to Null0: drop.]
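As an added example (not the deck's own code), a Python model of the strict and loose uRPF decisions the two slides above illustrate: longest-prefix lookup in a small FIB, a prefix black-holed to Null0, and the allow-default option that decides whether a match on 0.0.0.0/0 counts as a route. The FIB contents and interface names are constructed.

```python
import ipaddress


class FIB:
    """Forwarding table: longest-prefix match returns (network, next-hop interface).
    'Null0' is the discard interface used for black-holed routes."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_check(fib, src, in_iface, mode="strict", allow_default=False):
    """Decide whether a packet with source src arriving on in_iface passes uRPF.

    strict (ip verify unicast reverse-path / reachable-via rx): the FIB route
      for the source must point back out the interface the packet came in on.
    loose  (reachable-via any): a route via any real interface is enough.
    allow_default: whether a match on 0.0.0.0/0 counts as a route; off unless
      the allow-default keyword from the slide is configured (assumption: the
      same rule is applied to both modes here).
    Returns (forward, reason)."""
    match = fib.lookup(src)
    if match is None:
        return (False, "source %s not in FIB" % src)
    net, out_iface = match
    if out_iface == "Null0":
        return (False, "source %s routes to Null0 via %s" % (src, net))
    if net.prefixlen == 0 and not allow_default:
        return (False, "source %s matches only the default route" % src)
    if mode == "loose":
        return (True, "source %s reachable via %s" % (src, out_iface))
    if mode != "strict":
        raise ValueError("mode must be 'strict' or 'loose'")
    if out_iface != in_iface:
        return (False, "FIB says %s -> %s but packet arrived on %s" % (net, out_iface, in_iface))
    return (True, "FIB says %s -> %s, same interface" % (net, out_iface))


# Constructed FIB (not from a real router): a customer prefix, a peer prefix,
# a black-holed prefix and a default route toward the upstream.
SAMPLE_FIB = FIB([
    ("10.1.0.0/16", "i/f 1"),
    ("192.0.2.0/24", "i/f 2"),
    ("198.51.100.0/24", "Null0"),
    ("0.0.0.0/0", "i/f 3"),
])

if __name__ == "__main__":
    cases = (("10.1.5.5", "i/f 1", "strict"), ("10.1.5.5", "i/f 2", "strict"),
             ("10.1.5.5", "i/f 2", "loose"), ("198.51.100.9", "i/f 3", "loose"),
             ("203.0.113.4", "i/f 3", "strict"))
    for src, iface, mode in cases:
        print(src, "on", iface, mode, "->", urpf_check(SAMPLE_FIB, src, iface, mode))
```

The Null0 case is why the slides pair uRPF with static routes to Null0: black-holing a prefix turns every packet claiming that prefix as its source into a uRPF drop, in loose mode too, which the plain ACLs on the earlier slides cannot express without listing each prefix twice.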
Limiting the Impact of DoS Attacks
Limit the Impact of DoS Attacks: Committed Access Rate
• Rate limiting
• Several ways to filter traffic
• "Token bucket" implementation
[Diagram: traffic matching specification -> traffic measurement instrumentation (tokens, burst limit) -> conforming traffic: conforming action policy; excess traffic: excess action policy; then the next policy]
CAR—Traffic Measurement
• Token bucket configurable parameters:
Committed rate (bits/sec): configurable in increments of 8 Kbits
Normal burst size (bytes): handles a temporary burst over the committed rate limit without paying a penalty; the minimum value is the committed rate divided by 2000
Extended burst size (bytes): burst in excess of the normal burst size, used to drop packets gradually in a more RED-like fashion instead of entering a tail-drop scenario
CAR Rate Limiting
• Limit outbound ping to 256 Kbps:
interface xy
 rate-limit output access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
!
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
(ACL 102; average rate 256000; burst 8000; excess 8000: traffic can burst 8K above the 256K average for 8K worth of data)
• Limit inbound TCP SYN packets to 8 Kbps:
interface xy
 rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop
!
access-list 103 deny tcp any host 142.142.42.1 established
access-list 103 permit tcp any host 142.142.42.1
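Added example, not part of the presentation: a Python token bucket with the committed rate, normal burst and extended burst parameters from the CAR slides, run on the 256 Kbps ping limit above and on a constructed extended-burst case, plus the packet match that access-list 103 produces (SYNs only, since the established keyword removes packets with ACK or RST set). The extended-burst rule (actual and compounded debt), the "borrow" verdict and all names are assumptions of this example.

```python
class CarTokenBucket:
    """Token bucket with the three CAR parameters from the slides: committed
    rate (bits/s), normal burst (bytes) and extended burst (bytes).
    Tokens are bytes. Assumption: the extended-burst behaviour follows the
    'actual debt / compounded debt' rule Cisco documents for CAR, which drops
    more and more often as the debt grows instead of tail-dropping."""

    def __init__(self, rate_bps, normal_burst, extended_burst):
        self.rate = rate_bps / 8.0          # bytes per second
        self.normal = normal_burst
        self.extended = extended_burst
        self.tokens = float(normal_burst)   # bucket starts full
        self.compounded_debt = 0.0
        self.last = 0.0

    def offer(self, size, now):
        """Classify one packet of 'size' bytes arriving at time 'now' (seconds):
        'conform' (within rate/normal burst), 'borrow' (allowed from the extended
        burst) or 'exceed' (the exceed-action, drop on the slides, applies)."""
        # replenish at the committed rate, never above the normal burst
        self.tokens = min(float(self.normal), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        if self.extended <= self.normal:      # no extended burst: plain tail drop
            return "exceed"
        actual_debt = size - self.tokens      # bytes the bucket would owe after this packet
        if actual_debt > self.extended:
            return "exceed"
        self.compounded_debt += actual_debt
        if self.compounded_debt > self.extended:
            self.compounded_debt = 0.0        # reset after a drop, so borrowing can resume
            return "exceed"
        self.tokens -= size                   # borrow: the bucket goes negative
        return "borrow"


def run(bucket, arrivals):
    """Feed (time, size) pairs through the bucket and return the verdicts."""
    return [bucket.offer(size, t) for t, size in arrivals]


def is_tcp_syn_only(pkt):
    """What access-list 103 on the slide matches: 'deny ... established' removes
    packets with ACK or RST set, so only connection-opening SYNs reach the
    rate limiter. pkt is a dict such as {'proto': 'tcp', 'flags': {'SYN'}}."""
    return pkt.get("proto") == "tcp" and not ({"ACK", "RST"} & set(pkt.get("flags", ())))


if __name__ == "__main__":
    # The slide's ping limit: 256 Kbps, burst 8000, excess 8000 (no extended burst)
    ping = CarTokenBucket(256000, 8000, 8000)
    print(run(ping, [(0.0, 1000)] * 9 + [(0.1, 1000)] * 4))
    # Constructed case with an extended burst to show the gradual, RED-like drops
    syn = CarTokenBucket(8000, 2000, 6000)
    print(run(syn, [(0.0, 1000)] * 10))
```

With normal and extended burst equal, as on the slide, the bucket tail-drops: eight 1000-byte pings pass at once, the ninth is dropped, and 100 ms later only the 3200 bytes earned at 32000 bytes/s are available again. With an extended burst larger than the normal burst, drops are interleaved with borrowed packets as the compounded debt climbs and resets, which is the RED-like behaviour the measurement slide describes.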
In Conclusion
Where to get additional information
• The NSA's Router Security document and NIST's recommendations on data security provide a good starting point for creating default IOS router configurations.
• http://www.fcw.com/fcw/articles/2002/0128/web-nist-01-28-02.asp
• http://csrc.nist.gov/publications/drafts/ITcontingency-planning-guideline.pdf
• http://www.cisecurity.org/
• Cisco's own SAFE training provides important tips to customers:
• http://www.cisco.com/warp/public/707/newsflash.html
• http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html
• http://cisco.com/warp/public/707/21.html#flood
Cisco Security Courses
• MCNS – Managing Cisco Network Security
• CSIDS – Cisco Secure Intrusion Detection Systems
• CSIHS – Cisco Secure IDS Host Sensor
• CSPFA – Cisco Secure PIX Firewall Advanced
• CSPM – Cisco Secure Policy Manager
• CSVPN – Cisco Secure Virtual Private Networks
• CSDI – Cisco SAFE Design Implementation
Cisco Press Books
Cisco Secure PIX Firewalls (CSPFA) Released December 2001
Cisco Secure Virtual Private Networks (CSVPN) Released December 2001
Managing Cisco Network Security (MCNS) Released January 2001
Cisco Secure Intrusion Detection System (CSIDS) Released October 2001
Available at bookstores, computer stores, and online booksellers