Router & Switch Device Security
Simple Password Protection
- config# line con 0 (console port)
- config-line# login
- config-line# password WORD
- config# line vty 0 15
- config# service password-encryption
- passwords in startup-config will not change until "copy run start"
- config-line# password 7 <hash>
Better Protection
- config# enable secret 5 <md5>
- config# enable password 7 <encrypted>
- config# username WORD1 secret WORD2
- config# username WORD1 password WORD2
Secure Shell Protocol (SSH)
- need k9 image
- Configure
- config# hostname WORD1
- config# ip domain-name WORD2
- config# username WORD3 password WORD4
- config# crypto key generate rsa
- config# ip ssh version 2
- config-line# transport input none (disable telnet)
- config-line# transport input ssh
- show ip ssh
User Mode & Privileged Mode Authentication, Authorization and Accounting (AAA)
- "strongest" authentication, TACACS+ or Radius server
- Cisco Secure Access Control Server (ACS)
- software, database for username & passwords
- Radius - encrypt password; udp; ports 1812/1645
- TACACS+ - encrypt entire payload; tcp; ports 49/49; proprietary
- Default Authentication Methods
- config# aaa new-model (enable aaa)
- config# aaa authentication enable default group radius local
- config# aaa authentication login default group radius none
- config# radius-server host 10.1.1.1 auth-port 1812 acct-port 1646
- config# radius-server key WORD
- Multiple Authentication Methods
- group radius
- group tacacs
- group WORD - defined group of radius/tacacs servers
- enable - "enable secret" or "enable password"
- line - defined by password command in configuration
- local - username is case insensitive, password is case sensitive
- local-case username and password are case sensitive
- none
- Groups of AAA Servers
- IOS automatically groups configurations using "radius-server host" and "tacacs-server host" commands
- Configuration
- config# aaa group server [radius|tacacs] WORD
- config-group# server 10.1.1.3 auth-port 1645 acct-port 1646
- config# aaa new-model
- config# aaa authentication enable default group WORD local
- config# aaa authentication login default group WORD none
- Overriding Default for Login Security
- config# aaa authentication login for-console group radius line
- config# aaa authentication login for-vty group radius local
- config# aaa authentication login for-aux group radius
- config# line con 0
- config-line# login authentication for-console
- config# line aux 0
- config-line# login authentication for-aux
PPP Security
- config# aaa new-model
- config# aaa authentication ppp [default|WORD]
Layer 2 Security
- three general characterizations of switch ports
- unused - not connected to any device
- user - cabled to end user device
- trusted/trunk
Best Practices for Unused and User Ports
- disable unneeded dynamic protocols (CDP and DTP)
- disable trunking (configure as access ports)
- enable BPDU Guard and Root Guard (prevent STP attacks)
- use Dynamic ARP Inspection (DAI) or private VLANs (prevent frame sniffing)
- enable port security (limit number of MACs or restrict to specific MAC)
- use 802.1x user authentication
- use DHCP snooping and IP Source Guard (prevent DHCP DoS and MITM attacks)
Additional Recommendations
- for any port consider VLANs
- VTP authentication globally (prevent DoS)
- disable unused switchports, put them into unused VLAN
- avoid VLAN 1
- for trunks, don't use native VLAN
Configuration
- config# cdp run
- config-if# no cdp enable
- config-if# switchport mode access (prevent trunking)
- config-if# switchport nonegotiate (prevents DTP)
- config-if# spanning-tree guard root
- config-if# spanning-tree bpduguard enable
Port Security
- restrict number of MAC addresses associated with port
Methods
- static configuration of allowed MAC
- dynamic learning of MACs up to defined maximum; lost on reload
- dynamically learns and saves (sticky learning)
Attacks
- flooding frames with different source MAC
- fill CAM table
- packets with legitimate MACs are flooded out all ports
- attacker can sniff all frames
- MAC spoofing
Configuration
- config-if# switchport mode [access|trunk]
- config-if# switchport port-security [maximum <value>] (default is 1)
- config-if# switchport port-security mac-address <mac> [ vlan [ <id> | [access|voice] ] ]
- config-if# switchport port-security mac-address sticky
- config-if# switchport port-security [aging] [ violation [protect | restrict | shutdown] ]
- protect
- restrict - SNMP traps
- shutdown - err-disabled state, requires "no shut" to recover
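Added example (not from these notes): a small Python model of the port-security behaviour above, so the three violation modes and dynamic vs. sticky learning across a reload can be compared side by side. PortSecurity, receive, no_shut and reload are names chosen here, not IOS commands.

```python
from dataclasses import dataclass, field

@dataclass
class PortSecurity:
    """Model of one access port with switchport port-security enabled."""
    maximum: int = 1             # switchport port-security maximum (default 1)
    violation: str = "shutdown"  # protect | restrict | shutdown
    sticky: bool = False         # sticky learning: learned MACs survive a reload
    static: set = field(default_factory=set)   # statically configured MACs
    learned: set = field(default_factory=set)  # dynamically learned MACs
    err_disabled: bool = False
    traps: list = field(default_factory=list)  # SNMP traps "restrict" would send

    def receive(self, src_mac: str) -> str:
        """Return 'forward', 'drop' or 'shutdown' for a frame from src_mac."""
        if self.err_disabled:
            return "drop"                    # port stays down until "no shutdown"
        if src_mac in self.static or src_mac in self.learned:
            return "forward"
        if len(self.static) + len(self.learned) < self.maximum:
            self.learned.add(src_mac)        # learn a new secure address
            return "forward"
        # Violation: one more MAC than allowed (what a CAM-flooding host produces)
        if self.violation == "protect":
            return "drop"                    # silent drop, no notification
        if self.violation == "restrict":
            self.traps.append(f"port-security violation from {src_mac}")
            return "drop"                    # drop and send an SNMP trap
        self.err_disabled = True             # shutdown: port goes err-disabled
        return "shutdown"

    def no_shut(self) -> None:
        """Operator recovery of an err-disabled port ("shutdown", "no shutdown")."""
        self.err_disabled = False

    def reload(self) -> None:
        """Switch reload: dynamically learned MACs are lost unless sticky."""
        if not self.sticky:
            self.learned.clear()
```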
Dynamic ARP Inspection (DAI)
- Gratuitous ARP - ARP reply without a request
Man-in-the-Middle Attack
- attacker broadcasts gratuitous ARP for target IP with own MAC
- victim updates ARP table with new address
- victim sends frame to target with attacker's MAC
- switch forwards frame to attacker
Protection
- filters ARPs whose source IP is not in the DHCP snooping binding for that port
- filters ARPs using list of statically defined IP/MAC address combinations
- compares source MAC in ethernet header to source MAC in ARP
- should be same, if not then filter
- compares destination ethernet MAC and target MAC in ARP
- filters unexpected IP addresses in ARP - 0.0.0.0, 255.255.255.255, multicast addresses
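Added example (not from these notes): the DAI checks listed above applied in Python to one ARP packet arriving on an untrusted port. The binding table, the static entry for the gateway and all MACs/IPs are constructed sample data, and dai_check is a name chosen here; the gratuitous-ARP case from the attack description is the one the last check catches.

```python
import ipaddress

# Constructed sample data: the DHCP snooping binding table, keyed (port, MAC) -> IP,
# plus a static IP/MAC list for hosts that are not DHCP clients (the gateway here).
BINDINGS = {("Fa0/1", "00:11:22:33:44:01"): "10.1.1.10",
            ("Fa0/2", "00:11:22:33:44:02"): "10.1.1.11"}
STATIC = {"10.1.1.1": "00:11:22:33:44:fe"}

def unexpected_ip(ip: str) -> bool:
    """Addresses that must never appear as ARP sender/target IPs."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast

def dai_check(port, eth_src, eth_dst, sender_ip, sender_mac,
              target_ip, target_mac, is_reply):
    """Run the DAI checks on one ARP packet received on an untrusted port.
    Returns (allowed, reason)."""
    eth_src, eth_dst = eth_src.lower(), eth_dst.lower()
    sender_mac, target_mac = sender_mac.lower(), target_mac.lower()
    # 1. Sender MAC inside the ARP body must equal the Ethernet source MAC
    if eth_src != sender_mac:
        return False, "ethernet src MAC != ARP sender MAC"
    # 2. For replies, the Ethernet destination must equal the ARP target MAC
    if is_reply and eth_dst != target_mac:
        return False, "ethernet dst MAC != ARP target MAC"
    # 3. Sender IP is checked on every ARP, target IP only on replies
    if unexpected_ip(sender_ip) or (is_reply and unexpected_ip(target_ip)):
        return False, "unexpected IP address in ARP body"
    # 4. Sender IP/MAC must match this port's snooping binding, or a static entry
    if BINDINGS.get((port, sender_mac)) == sender_ip:
        return True, "matches DHCP snooping binding"
    if STATIC.get(sender_ip) == sender_mac:
        return True, "matches static IP/MAC entry"
    return False, f"{sender_ip}/{sender_mac} is not bound to {port}"
```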
Configure
DHCP Snooping
- builds table of IP and port mappings (snooping binding table)
- can be used by DAI and IP Source Guard
Man-in-the-Middle Attack
- victim requests IP using DHCP
- attacker replies with good IP/mask but gives own IP as default gateway
- victim sends frames to attacker
- attacker forwards copies of packets
- allows DHCP on trusted, filters on untrusted ports
Denial of Service
- DHCP servers identify clients based on Client Hardware Address
- single device could request with different CHAs
- fills addresses pool
Protection
- filters messages sent exclusively by DHCP servers (mitm)
- checks DHCP Releases and Declines against snooping binding table
- if IP not listed with port in table, then filter
- optionally compares DHCP request's CHA with source MAC in ethernet (DoS)
Configure
IP Source Guard
- adds one more check to DHCP snooping logic
- checks source IP of received packet against DHCP snooping binding database
- can also check MAC
Configuration
- config-if# ip verify source (ip)
- config-if# ip verify source port-security (IP and MAC)
- config-if# ip source binding <mac> vlan <id> <ip> interface <id> (static entry)
802.1X Authentication Using EAP
- user authentication
- requires username and password before switch will enable port for normal user traffic
- verified by radius server
Extensible Authentication Protocol (EAP)
- supports flows that create one-time passwords (OTP)
- encapsulated directly inside ethernet frame
- called EAP over LAN (EAPoL)
- Radius expects EAP message to contain data struct called Radius attribute
- switch translates between EAPoL and Radius
Roles
- supplicant - driver that supplies username/password prompt; EAPoL messages
- authenticator - translates between EAPoL and Radius; enables/disables ports
- authentication server - stores username/passwords and verifies
Configuration
- config# aaa new-model
- config# radius-server host
- config# radius-server key
- config# aaa authentication dot1x default
- config# aaa authentication dot1x group WORD
- config# dot1x system auth-control
- config-if# dot1x port-control [auto | force-authorized | force-unauthorized]
Configuration
- config# aaa new-model
- config# aaa authentication dot1x default group radius
- config# dot1x system auth-control (enabled globally)
- config# radius-server host 10.1.1.1 auth-port 1812 acct-port 1646
- config# radius-server key WORD
- config-if# dot1x port-control [auto | force-authorized | force-unauthorized]
Storm Control
- rate limiting traffic at layer 2
- rising and falling threshold of unicast, broadcast and multicast
- can be configured per port
Actions
- discard excess traffic
- shutdown port
- send SNMP trap
Configure
- config-if# storm-control broadcast level pps 100 50
- config-if# storm-control multicast level 0.50 0.40
- config-if# storm-control unicast level 80.00
- config-if# storm-control action trap
- show storm-control fe0/0 [unicast|broadcast|multicast]
Layer 3 Security
Security Recommendations
- enable secure telnet or SSH instead of telnet
- enable SNMP (SNMPv3)
- disable unnecessary services
- turn on logging
- enable routing protocol authentication
- enable CEF forwarding path to avoid flow-based paths like fast switching
Additional Recommendations
- if company has IP prefix, packets with source address in that range should not enter this AS from the internet
- packets should only have valid unicast source IP
- Loopback (127.0.0.1), broadcast, multicast, ..., should be filtered
- directed (subnet) broadcasts should not be allowed unless specifically needed
- packets with no return route to source IP should be discarded
- reverse path forwarding (RPF) check
IP Access Control List (ACL)
Rule Summary
- deny ip any host 10.1.1.1
- deny tcp any gt 1023 host 10.1.1.1 eq 21
- deny tcp any host 10.1.1.1 eq 23
- deny tcp any host 10.1.1.1 eq telnet
- deny udp 1.0.0.0 0.255.255.255 lt 1023 any
Port Matching
- gt - greater
- lt - less
- eq - equal
- ne - not equal
- range - x-y
- "established" parameter matches if TCP header has ACK flag set
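Added example (not from these notes): a Python matcher for the extended ACE syntax in the rule summary above, with wildcard masks, the gt/lt/eq/ne/range port operators and the established keyword (ACK flag), evaluated first-match with the implicit deny at the end. parse_ace, ace_matches and acl_decision are names chosen here; the packet is a plain dict with proto, src, dst, sport, dport and ack.

```python
import ipaddress
PORT_NAMES = {"ftp": 21, "telnet": 23}        # IOS port keywords used in the notes
PORT_OPS = {"gt": lambda p, a, b: p > a,  "lt": lambda p, a, b: p < a,
            "eq": lambda p, a, b: p == a, "ne": lambda p, a, b: p != a,
            "range": lambda p, a, b: a <= p <= b}
def _ip(tok): return int(ipaddress.ip_address(tok))   # dotted quad -> 32-bit int

def _parse_addr(toks, i):
    """any | host A | A WILDCARD  ->  ((network, wildcard), next index)."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2

def _parse_port(toks, i):
    # Optional gt/lt/eq/ne/range operator -> (predicate or None, next index)
    if i < len(toks) and toks[i] in PORT_OPS:
        op, a = toks[i], PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        b = int(toks[i + 2]) if op == "range" else a
        return (lambda p: PORT_OPS[op](p, a, b)), i + (3 if op == "range" else 2)
    return None, i

def parse_ace(line):
    """Parse one extended ACE, e.g. 'deny tcp any gt 1023 host 10.1.1.1 eq 21'."""
    toks = line.split()
    src, i = _parse_addr(toks, 2)
    sport, i = _parse_port(toks, i)
    dst, i = _parse_addr(toks, i)
    dport, i = _parse_port(toks, i)
    return dict(action=toks[0], proto=toks[1], src=src, sport=sport, dst=dst,
                dport=dport, established=(i < len(toks) and toks[i] == "established"))

def _addr_match(spec, ip):
    net, wild = spec                           # a set wildcard bit means "don't care"
    return ((_ip(ip) ^ net) & ~wild) == 0

def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and _addr_match(ace["src"], pkt["src"]) and _addr_match(ace["dst"], pkt["dst"])
            and (ace["sport"] is None or ace["sport"](pkt["sport"]))
            and (ace["dport"] is None or ace["dport"](pkt["dport"]))
            and (not ace["established"] or pkt.get("ack", False)))  # established = ACK set

def acl_decision(acl, pkt):
    """First match wins, implicit deny at the end; pkt: proto, src, dst, sport, dport, ack."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"
```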
Attacks
Smurf Attacks, Directed Broadcasts and RPF Checks
- attacker sends large number of ICMP Echo requests
- destination address is subnet broadcast address (directed broadcast)
- final router forwards onto LAN as a broadcast
- source IP is set to victim's address
Solutions
- config-if# no ip directed-broadcast (won't broadcast onto the LAN)
- Unicast Reverse-Path-Forwarding (uRPF)
- config-if# ip verify unicast source reachable-via [rx|any] [allow-default] [allow-self-ping] <list>
- Styles
- Strict - "rx" keyword; matches outgoing interface with received interface
- Loose - "any" keyword; checks for any route to source
- allow-default - says not to ignore default routes
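Added example (not from these notes): strict ("rx") vs. loose ("any") uRPF and allow-default worked in Python over a constructed routing table; it also covers the earlier recommendation to discard packets with no return route to their source. lookup and urpf_check are names chosen here, and the interface names and prefixes are sample data.

```python
import ipaddress

# Constructed routing table (a reduced "show ip route"): prefix -> outgoing interface.
# Gi0/0 faces the internet, Gi0/1 and Gi0/2 face internal networks.
ROUTES = {"10.1.0.0/16": "Gi0/1", "192.168.5.0/24": "Gi0/2", "0.0.0.0/0": "Gi0/0"}

def lookup(table, ip):
    """Longest-prefix match: return (network, interface) or None."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(table, src_ip, rx_iface, mode="rx", allow_default=False):
    """uRPF verdict for a packet with source src_ip received on rx_iface.
    mode "rx"  = strict: the route back to the source must use rx_iface
    mode "any" = loose:  any route back to the source is enough
    allow_default: let a default route count as a route to the source."""
    match = lookup(table, src_ip)
    if match is None:
        return False                  # no return route to the source: discard
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                  # default routes are ignored unless allow-default
    return mode == "any" or iface == rx_iface
```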
Fraggle Attack
- similar to smurf, instead of ICMP uses UDP Echo
Inappropriate IP Address
- for source and destination addresses
- can use Router Audit Tool (RAT)
- IOS AutoSecure feature auto-configures ACLs
TCP SYN Floods, Established Bit and TCP Intercept
- SYN flood initializes TCP connection but doesn't finish
- consumes memory and resources while waiting to continue
- stateful firewalls can protect against this
- ASA firewall, IOS firewall
Solutions
- filter packets with only SYN flag set in TCP header
- config# ip access-list extended WORD
- config-acl# permit tcp any 1.0.0.0 0.255.255.255 established
- ACK flag set
- TCP Intercept monitors for SYN attacks
- Modes
- Watch
- keeps state information
- if 3-way doesn't complete in time, send TCP Reset to server
- counts the number of connections over time
- Intercept
- router replies to TCP connection
- after 3-way handshake completes, the router connects to the server
- bridges the two connections together
- Configuration
- config# ip tcp intercept-list WORD
- config# ip tcp intercept mode watch
- config# ip tcp intercept watch-timeout 20
Classic Cisco IOS firewall
Context-Based Access Control (CBAC)
- dynamic inspection of traffic
- based on actual protocol commands
- creates temporary openings in firewall
Configuration Requirements
- protocols to inspect
- interfaces on which to perform inspection
- direction of traffic to inspect per interface
TCP versus UDP
- manages UDP by approximating based on source and destination addresses and ports, and relative timing
- protocol-specific timeouts can be configured
Protocol Support
- any TCP
- all UDP "sessions"
- FTP
- SMTP
- TFTP
- H.323 (NetMeeting, ProShare, ...)
- Java
- CU-SeeMe
- Unix R commands (rlogin, rexec, rsh, ...)
- Real Audio
- Sun RPC
- SQL * Net
- Stream Works
- VDOLive
Caveats
- ACLs on interface will filter first
- cannot protect against attacks that originate inside the network
- only works on protocols you specify
- to inspect traffic other than TCP and UDP, you must configure a named inspection rule
- does not inspect traffic destined to or originating from the firewall
- restrictions on encrypted traffic
Configuration
- config# ip inspect name WORD icmp timeout 10
- config# ip inspect name WORD tcp timeout 30
- config-if# ip inspect WORD out
- show ip inspect sessions
Zone-Based Firewall (ZFW)
- router interfaces placed into security zones
- traffic can travel freely between interfaces in same zone
- traffic blocked by default from traveling between zones
- configured using Class-Based Policy Language (CPL)
Protocols
- HTTP & HTTPS
- SMTP, Extended SMTP (ESMTP), POP3 and IMAP
- P2P applications, can use heuristics to track port hopping
- instant messaging applications
- remote procedure calls
Zones and Zone Pairs
Policy Maps
Actions
- Drop - drop the packet
- Inspect - use CBAC engine
- Pass
- Police
- Service-Policy - use Deep Packet Inspection engine
- URLfilter
Configuration with Parameter Map
- config# parameter-map type inspect WORD
- config-profile# tcp idle-time 300
- config-profile# udp idle-time 300
- config# policy-map type inspect WORD2
- config-pmap# class type inspect WORD3
- config-pmap-c# inspect [WORD]
Service Policies and Zones
- config# zone-pair security internal source WORD1 destination WORD2
- config-sec-zone-pair# service-policy type inspect WORD3
- config-if# zone-member security WORD1
- config-if# zone-member security WORD2
- show zone-pair security
Intrusion Prevention System (IPS)
- compares packets to known signatures
Actions
- drop packet
- reset the connections
- send alarm log message
- block traffic from source for amount of time
- block traffic on connection for amount of time
Configuration
- config# crypto key pubkey-chain rsa
- config-pubkey-chain# named-key realm-cisco.pub signature
- config-pubkey-key# key-string
- config-pubkey# WORDS
- config# ip ips signature-category (load basic signature package)
- config-ips-category# category all
- config-ips-category-action# retired true
- config-ips-category# category ios_ips basic
- config-ips-category-action# retired false
- #mkdir flash:ipsData
- config# ip ips name WORD
- config# ip ips config location flash:ipsData
- config-if# ip ips WORD outbound
- show ip ips configuration
Control-Plane Policing (CoPP)
- traffic bound to the router
- leverages MQC to rate-limit or drop traffic
Typical Groupings
- malicious traffic - dropped
- routing protocols - not limited
- SSH and Telnet - limited to small amount
- management protocols (SNMP, FTP, TFTP, ...)
- network applications (HSRP, DHCP, IGMP, ...)
- all other IP traffic
- Default class (includes L2; ARP does not have to match this)
Configuration
- config# control-plane
- config-control-plane# service-policy input WORD (policy map)
Dynamic Multipoint VPN (DMVPN)
IPSec tunnel limitations
- hub-and-spoke environment, traffic to spoke traverses hub site
- traffic is unencrypted, routed and encrypted again
- additional network overhead, memory and CPU
- takes advantage of
- IPSec
- GRE tunnels
- Next Hop Resolution Protocol (NHRP)
- supports traffic segmentation across VPNs
- is VRF-aware
- hub router is configured for single multipoint GRE (mGRE) tunnel interface
- supports multicast traffic from hub to spoke routers
Benefits
- simpler hub router configuration
- 1 mGRE interface
- 1 IPSec profile
- no crypto access lists
- hub does not require configuration when new spoke routers are brought online
- automatically initiated IPSec encryption
- dynamic addressing support for spokes
- dynamically created spoke-to-spoke tunnels
- VRF integration for MPLS environments
- dynamic routing protocol required, distance vector recommended
Saturday, February 20, 2016