Router & Switch Device Security
Simple Password Protection
- config# line con 0 (console port)
- config-line# login
- config-line# password WORD
- config# line vty 0 15
- config# service password-encryption
- passwords in startup-config will not change until "copy run start"
- config-line# password 7 <hash>
Better Protection
- config# enable secret 5 <md5>
- config# enable password 7 <encrypted>
- config# username WORD1 secret WORD2
- config# username WORD1 password WORD2
Secure Shell Protocol (SSH)
- need k9 image
- Configure
- config# hostname WORD1
- config# ip domain-name WORD2
- config# username WORD3 password WORD4
- config# crypto key generate rsa
- config# ip ssh version 2
- config-line# transport input none (disable telnet)
- config-line# transport input ssh
- show ip ssh
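The two password styles and the SSH-only vty setup above can be checked mechanically. The script below is an added example, not code from the original page: it parses a constructed IOS running-config into top-level lines and `line` sections and flags the weaknesses the notes contrast (`enable password` instead of `enable secret`, `username ... password` instead of `username ... secret`, `service password-encryption` off, `ip ssh version 2` missing, vty lines still accepting telnet). Both sample configs are constructed and the type 5 / type 7 strings in them are placeholders.

```python
"""Audit an IOS running-config for the credential and remote-access weaknesses the
notes above describe. Added example, not code from the original page; both sample
configs are constructed and the type 5 and type 7 strings are placeholders."""
import re

# Constructed "simple protection" config: reversible passwords, telnet still open.
SAMPLE_WEAK_CONFIG = """\
hostname R1
enable password 7 00PLACEHOLDER00
username admin password 0 letmein
line con 0
 login
 password cisco
line vty 0 15
 login local
 transport input telnet ssh
"""

# Constructed "better protection" config: type 5 secrets, SSHv2 only on the vty lines.
SAMPLE_HARDENED_CONFIG = """\
hostname R1
ip domain-name example.test
service password-encryption
enable secret 5 $1$PLCH$placeholder.not.a.real.hash
username admin secret 5 $1$PLCH$placeholder.not.a.real.hash
ip ssh version 2
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""


def parse_sections(config):
    """Split a config into top-level lines and indented sections keyed by their header."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit_config(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    top, sections = parse_sections(config)
    findings = []
    if any(line.startswith("enable password") for line in top):
        findings.append("'enable password' (type 0/7) is reversible; use 'enable secret'")
    if not any(line.startswith("enable secret") for line in top):
        findings.append("no 'enable secret' configured")
    for line in top:
        m = re.match(r"username (\S+) password ", line)
        if m:
            findings.append(f"user {m.group(1)} uses 'password' (type 0/7); use 'secret'")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' is off; line passwords stay in clear text")
    if "ip ssh version 2" not in top:
        findings.append("'ip ssh version 2' not set")
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        transport = [b for b in body if b.startswith("transport input")]
        if not transport:
            findings.append(f"{header}: no 'transport input' statement, access not limited to ssh")
        elif {"telnet", "all"} & set(transport[-1].split()[2:]):
            findings.append(f"{header}: 'transport input' still allows telnet")
        if not any(b.startswith("login") for b in body):
            findings.append(f"{header}: no 'login' statement")
    return findings
```

Run against a real `show running-config` capture, the weak sample produces six findings and the hardened sample none. The checks are string matches on the command syntax used in the notes, so they are a starting point for a config review rather than a complete IOS hardening baseline.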
User Mode & Privileged Mode Authentication, Authorization and Accounting (AAA)
- "strongest" authentication, TACACS+ or Radius server
- Cisco Secure Access Control Server (ACS)
- software, database for username & passwords
- Radius - encrypt password; udp; ports 1812/1645
- TACACS+ - encrypt entire payload; tcp; ports 49/49; proprietary
- Default Authentication Methods
- config# aaa new-model (enable aaa)
- config# aaa authentication enable default group radius local
- config# aaa authentication login default group radius none
- config# radius-server host 10.1.1.1 auth-port 1812 acct-port 1646
- config# radius-server key WORD
- Multiple Authentication Methods
- group radius
- group tacacs
- group WORD - defined group of radius/tacacs servers
- enable - "enable secret" or "enable password"
- line - defined by password command in configuration
- local - username is not case sensitive; password is case sensitive
- local-case username and password are case sensitive
- none
- Groups of AAA Servers
- IOS automatically groups configurations using "radius-server host" and "tacacs-server host" commands
- Configuration
- config# aaa group server [radius|tacacs] WORD
- config-group# server 10.1.1.3 auth-port 1645 acct-port 1646
- config# aaa new-model
- config# aaa authentication enable default group WORD local
- config# aaa authentication login default group WORD none
- Overriding Default for Login Security
- config# aaa authentication login for-console group radius line
- config# aaa authentication login for-vty group radius local
- config# aaa authentication login for-aux group radius
- config# line con 0
- config-line# login authentication for-console
- config# line aux 0
- config-line# login authentication for-aux
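The method lists above (`group radius local`, `group radius none`, `group radius line`, a bare `group radius`) behave very differently when the RADIUS server is unreachable. The model below is an added example, not code from the page. It encodes the documented IOS rule that the next method in a list is consulted only when the previous one returns an ERROR (no server answered), never when it returns a FAIL (wrong credentials), and it shows the `local` versus `local-case` difference from the method list. The RADIUS server, its users, the local user database and the line password are all constructed.

```python
"""Model how an IOS AAA login method list is evaluated. Added example, not the page's
code. The rule it encodes is documented IOS behaviour: the next method is tried only
when the previous one returns ERROR (no server reachable); a FAIL (bad credentials)
ends the attempt. Users, passwords and server state below are constructed."""

ACCEPT, FAIL, ERROR = "ACCEPT", "FAIL", "ERROR"


class RadiusGroup:
    """Constructed stand-in for 'group radius'; an unreachable group returns ERROR."""

    def __init__(self, users, reachable=True):
        self.users, self.reachable = users, reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return ERROR
        return ACCEPT if self.users.get(user) == password else FAIL


class Device:
    def __init__(self, radius, local_users, line_password):
        self.radius = radius
        self.local_users = local_users      # 'username X password/secret Y' entries
        self.line_password = line_password  # 'password' configured under the line

    def run_method(self, method, user, password):
        if method == "group radius":
            return self.radius.authenticate(user, password)
        if method == "local":
            # 'local': username is not case sensitive, password is
            db = {u.lower(): p for u, p in self.local_users.items()}
            return ACCEPT if db.get(user.lower()) == password else FAIL
        if method == "local-case":
            # 'local-case': username and password are both case sensitive
            return ACCEPT if self.local_users.get(user) == password else FAIL
        if method == "line":
            return ACCEPT if password == self.line_password else FAIL
        if method == "none":
            return ACCEPT                   # no authentication at all
        raise ValueError(f"unknown method {method!r}")

    def login(self, method_list, user, password):
        """Return (result, method that decided). (ERROR, None) means every method
        errored, so the login is refused: the 'bare group radius' lock-out case."""
        for method in method_list:
            result = self.run_method(method, user, password)
            if result != ERROR:
                return result, method
        return ERROR, None


def make_device(radius_reachable=True):
    """Constructed device: one RADIUS user, one local user, one line password."""
    radius = RadiusGroup({"alice": "r4dius-pw"}, reachable=radius_reachable)
    return Device(radius, {"Alice": "local-pw"}, line_password="line-pw")
```

The cases worth noticing: with RADIUS up, a wrong password is a FAIL and the `local` fallback is never consulted; with RADIUS down, `group radius none` accepts any user with any password, which is the exposure the `login default group radius none` configuration above carries on a vty line.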
PPP Security
- config# aaa new-model
- config# aaa authentication ppp [default|WORD]
Layer 2 Security
- three general characterizations of switch ports
- unused - not connected to any device
- user - cabled to end user device
- trusted/trunk
Best Practices for Unused and User Ports
- disable unneeded dynamic protocols (CDP and DTP)
- disable trunking (configure as access ports)
- enable BPDU Guard and Root Guard (prevent STP attacks)
- use Dynamic ARP Inspection (DAI) or private VLANs (prevent frame sniffing)
- enable port security (limit number of MACs or restrict to specific MAC)
- use 802.1x user authentication
- use DHCP snooping and IP Source Guard (prevent DHCP DoS and MITM attacks)
Additional Recommendations
- for any port consider VLANs
- VTP authentication globally (prevent DoS)
- disable unused switchports, put them into unused VLAN
- avoid VLAN 1
- for trunks, don't use native VLAN
Configuration
- config# cdp run
- config-if# no cdp enable
- config-if# switchport mode access (prevent trunking)
- config-if# switchport nonegotiate (prevents DTP)
- config-if# spanning-tree guard root
- config-if# spanning-tree bpduguard enable
Port Security
- restrict number of MAC addresses associated with port
Methods
- static configuration of allowed MAC
- dynamic learning of MACs up to defined maximum; lost on reload
- dynamically learns and saves (sticky learning)
Attacks
- flooding frames with different source MAC
- fill CAM table
- packets with legitimate MACs are flooded out all ports
- attacker can sniff all frames
- MAC spoofing
Configuration
- config-if# switchport mode [access|trunk]
- config-if# switchport port-security [maximum <value>] (default is 1)
- config-if# switchport port-security mac-address <mac> [ vlan [ <id> | [access|voice] ] ]
- config-if# switchport port-security mac-address sticky
- config-if# switchport port-security [aging] [ violation [protect | restrict | shutdown] ]
- protect
- restrict - SNMP traps
- shutdown - err-disabled state, requires "no shut" to recover
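To make the three violation modes and the sticky/dynamic distinction concrete, the following simulation is an added example, not code from the page: a port-security state machine that learns MACs up to `maximum`, drops and optionally notifies on a violation, and models what survives a reload. The MAC addresses and the frame sequence are constructed.

```python
"""Simulate the port-security behaviour described above: learning up to a maximum,
sticky versus dynamic retention across a reload, and the protect / restrict /
shutdown violation modes. Added example, not from the page; MACs are constructed."""


class PortSecurity:
    def __init__(self, maximum=1, violation="shutdown", sticky=False, static=()):
        self.maximum = maximum
        self.violation = violation          # protect | restrict | shutdown
        self.sticky = sticky
        self.static = set(static)           # 'switchport port-security mac-address <mac>'
        self.sticky_saved = set()           # addresses 'sticky' would write into the config
        self.secure = set(self.static)      # currently secured addresses
        self.err_disabled = False
        self.violations = 0
        self.traps = []                     # SNMP traps / syslog messages the switch would emit

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.err_disabled:
            return "drop"                   # shutdown mode: nothing passes until 'no shut'
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure.add(src_mac)        # dynamic learning
            if self.sticky:
                self.sticky_saved.add(src_mac)
            return "forward"
        # Maximum reached and the address is unknown: a violation.
        self.violations += 1
        if self.violation == "protect":
            return "drop"                   # silently discard, no notification
        self.traps.append(f"port-security violation: {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True        # err-disabled until the operator recovers it
        return "drop"                       # restrict: drop, count, notify

    def no_shutdown(self):
        """Operator recovery for shutdown mode ('shutdown' then 'no shutdown')."""
        self.err_disabled = False

    def reload(self):
        """Dynamically learned addresses are lost; static and sticky entries survive."""
        self.secure = self.static | self.sticky_saved
        self.err_disabled = False


def flood(port, count):
    """Constructed CAM-flooding traffic: `count` frames, each with a new source MAC.
    Returns how many the secured port forwarded (and so let into the CAM table)."""
    forwarded = 0
    for i in range(count):
        mac = "02:00:00:00:{:02x}:{:02x}".format(i >> 8, i & 0xFF)
        forwarded += port.receive(mac) == "forward"
    return forwarded
```

Against a thousand distinct source MACs a port with `maximum 2` admits two addresses and drops the rest, so the CAM table is not filled. The trade-off between the modes is visible in the state: `protect` leaves no trace for monitoring, `restrict` keeps the legitimate hosts working while raising a trap per violation, and `shutdown` takes the legitimate hosts down too until someone issues `no shut`.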
Dynamic ARP Inspection (DAI)
- Gratuitous ARP - ARP reply without a request
Man-in-the-Middle Attack
- attacker broadcasts gratuitous ARP for target IP with own MAC
- victim updates ARP table with new address
- victim sends frame to target with attacker's MAC
- switch forwards frame to attacker
Protection
- filters ARPs with a source IP that's not in the DHCP snooping binding for that specific port
- filters ARPs using list of statically defined IP/MAC address combinations
- compares source MAC in ethernet header to source MAC in ARP
- should be same, if not then filter
- compares destination ethernet MAC and target MAC in ARP
- filters unexpected IP addresses in ARP - 0.0.0.0, 255.255.255.255, multicast addresses
Configure
DHCP Snooping
- builds table of IP and port mappings (snooping binding table)
- can be used by DAI and IP Source Guard
Man-in-the-Middle Attack
- victim requests IP using DHCP
- attacker replies with good IP/mask but gives own IP as default gateway
- victim sends frames to attacker
- attacker forwards copies of packets
- allows DHCP on trusted, filters on untrusted ports
Denial of Service
- DHCP servers identify clients based on Client Hardware Address
- single device could request with different CHAs
- fills addresses pool
Protection
- filters messages sent exclusively by DHCP servers (MITM)
- checks DHCP Releases and Declines against snooping binding table
- if IP not listed with port in table, then filter
- optionally compares DHCP request's CHA with source MAC in ethernet (DoS)
Configure
IP Source Guard
- adds one more check to DHCP snooping logic
- checks source IP of received packet against DHCP snooping binding database
- can also check MAC
Configuration
- config-if# ip verify source (ip)
- config-if# ip verify source port-security (IP and MAC)
- config-if# ip source binding <mac> vlan <id> <ip> interface <id> (static entry)
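DHCP snooping, DAI and IP Source Guard all hang off the same binding table, so one model covers the three sections above. The code below is an added example, not the page's code: a snooping binding table, the DHCP snooping filter (server messages on untrusted ports, client-hardware-address check, RELEASE/DECLINE against the table), the DAI checks listed under Protection (invalid IPs, header/body MAC consistency, static entries, binding lookup) and the two IP Source Guard variants. Every binding, DHCP message, ARP message and frame is constructed.

```python
"""Model the DHCP snooping binding table and the DAI and IP Source Guard checks
that consume it. Added example, not the page's code; every binding, DHCP message,
ARP message and frame below is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingTable:
    """DHCP snooping binding table, keyed by (vlan, ip)."""

    def __init__(self):
        self.entries = {}

    def add(self, binding):
        self.entries[(binding.vlan, binding.ip)] = binding

    def lookup(self, vlan, ip):
        return self.entries.get((vlan, ip))


SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


def dhcp_snooping_allows(table, msg, port, port_trusted, verify_mac=True):
    """DHCP snooping filter for one message. msg keys: type, vlan, eth_src,
    chaddr, and ip for RELEASE/DECLINE."""
    if port_trusted:
        return True                                  # trusted ports are not filtered
    if msg["type"] in SERVER_MESSAGES:
        return False                                 # server message on an untrusted port (rogue server / MITM)
    if verify_mac and msg["chaddr"] != msg["eth_src"]:
        return False                                 # forged client hardware address (pool exhaustion DoS)
    if msg["type"] in ("RELEASE", "DECLINE"):
        b = table.lookup(msg["vlan"], msg["ip"])
        return b is not None and b.port == port      # a client may only release its own lease
    return True


def dai_allows(table, arp, port, port_trusted, static_entries=frozenset()):
    """Dynamic ARP Inspection for one ARP message. arp keys: op, vlan, eth_src,
    eth_dst, sender_mac, sender_ip, target_mac, target_ip."""
    if port_trusted:
        return True
    sender = ipaddress.ip_address(arp["sender_ip"])
    if arp["sender_ip"] in ("0.0.0.0", "255.255.255.255") or sender.is_multicast:
        return False                                 # invalid / unexpected sender IP
    if arp["op"] == "reply":
        target = ipaddress.ip_address(arp["target_ip"])
        if arp["target_ip"] == "0.0.0.0" or target.is_multicast:
            return False                             # invalid target IP in a reply
        if arp["eth_dst"] != arp["target_mac"]:
            return False                             # ethernet destination must match ARP target MAC
    if arp["eth_src"] != arp["sender_mac"]:
        return False                                 # ethernet source must match ARP sender MAC
    if (arp["sender_ip"], arp["sender_mac"]) in static_entries:
        return True                                  # statically defined IP/MAC pair
    b = table.lookup(arp["vlan"], arp["sender_ip"])
    return b is not None and b.mac == arp["sender_mac"] and b.port == port


def ipsg_allows(table, frame, port, check_mac=False):
    """IP Source Guard: 'ip verify source' checks the IP, 'ip verify source
    port-security' also checks the MAC. frame keys: vlan, src_ip, eth_src."""
    b = table.lookup(frame["vlan"], frame["src_ip"])
    if b is None or b.port != port:
        return False
    return not check_mac or b.mac == frame["eth_src"]


def demo_table():
    """Constructed bindings: host A on Fa0/1, host B on Fa0/2; the default
    gateway 10.0.0.1 sits behind trusted port Gi0/1 and needs no binding."""
    t = SnoopingTable()
    t.add(Binding("aa:aa:aa:aa:aa:01", "10.0.0.10", 10, "Fa0/1"))
    t.add(Binding("aa:aa:aa:aa:aa:02", "10.0.0.20", 10, "Fa0/2"))
    return t
```

The gratuitous-ARP scenario from the Man-in-the-Middle section maps directly onto `dai_allows`: a reply from Fa0/2 claiming the gateway's IP has no binding for that IP on that port and is dropped, while the same reply from the trusted uplink passes. Note that the gateway and any static hosts need either a trusted port or a static entry, otherwise DAI drops their legitimate ARPs too.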
802.1X Authentication Using EAP
- user authentication
- requires username and password before switch will enable port for normal user traffic
- verified by radius server
Extensible Authentication Protocol (EAP)
- supports flows that create one-time passwords (OTP)
- encapsulated directly inside ethernet frame
- called EAP over LAN (EAPoL)
- Radius expects EAP message to contain data struct called Radius attribute
- switch translates between EAPoL and Radius
Roles
- supplicant - driver that supplies username/password prompt; EAPoL messages
- authenticator - translates between EAPoL and Radius; enables/disables ports
- authentication server - stores username/passwords and verifies
Configuration
- config# aaa new-model
- config# radius-server host
- config# radius-server key
- config# aaa authentication dot1x default
- config# aaa authentication dot1x group WORD
- config# dot1x system auth-control
- config-if# dot1x port-control [auto | force-authorized | force-unauthorized]
Configuration
- config# aaa new-model
- config# aaa authentication dot1x default group radius
- config# dot1x system auth-control (enabled globally)
- config# radius-server host 10.1.1.1 auth-port 1812 acct-port 1646
- config# radius-server key WORD
- config-if# dot1x port-control [auto | force-authorized | force-unauthorized]
Storm Control
- rate limiting traffic at layer 2
- rising and falling threshold of unicast, broadcast and multicast
- can be configured per port
Actions
- discard excess traffic
- shutdown port
- send SNMP trap
Configure
- config-if# storm-control broadcast level pps 100 50
- config-if# storm-control multicast level 0.50 0.40
- config-if# storm-control unicast level 80.00
- config-if# storm-control action trap
- show storm-control fe0/0 [unicast|broadcast|multicast]
Layer 3 Security
Security Recommendations
- enable secure telnet or SSH instead of telnet
- enable SNMP (SNMPv3)
- disable unnecessary services
- turn on logging
- enable routing protocol authentication
- enable CEF forwarding path to avoid flow-based paths like fast switching
Additional Recommendations
- if a company has an IP prefix, packets with a source address in that range should not enter this AS from the internet
- packets should only have valid unicast source IP
- loopback (127.0.0.1), broadcast, multicast, ..., should be filtered
- directed (subnet) broadcasts should not be allowed unless specifically needed
- packets with no return route to source IP should be discarded
- reverse path forwarding (RPF) check
IP Access Control List (ACL)
Rule Summary
- deny ip any host 10.1.1.1
- deny tcp any gt 1023 host 10.1.1.1 eq 21
- deny tcp any host 10.1.1.1 eq 23
- deny tcp any host 10.1.1.1 eq telnet
- deny udp 1.0.0.0 0.255.255.255 lt 1023 any
Port Matching
- gt - greater
- lt - less
- eq - equal
- ne - not equal
- range - x-y
- "established" parameter matches if TCP header has ACK flag set
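The rule summary and port operators above can be exercised with a small matcher. The code below is an added example, not the page's code: it parses extended ACL entries in the syntax shown (`any`, `host`, address plus wildcard mask, `gt`/`lt`/`eq`/`ne`/`range`, port keywords such as `telnet`, and `established`), applies first-match-wins semantics and ends with the implicit `deny ip any any`. The ACL re-uses the summary's entries; its final `permit` line and the sample packets are constructed.

```python
"""Evaluate extended ACL entries written in the syntax of the rule summary above
against sample packets. Added example, not the page's code. Implements wildcard
masks, the gt/lt/eq/ne/range port operators, the 'established' keyword (ACK or RST
set) and the implicit 'deny ip any any' at the end of every ACL."""
import ipaddress

PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80}   # a few IOS port keywords
OPERATORS = ("gt", "lt", "eq", "ne", "range")


def port_num(token):
    return PORT_NAMES.get(token) or int(token)


def parse_addr(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'. Returns (base, care, next_i);
    'care' has a 1 for every bit that must match, i.e. the inverse of the wildcard."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return base, ~wildcard & 0xFFFFFFFF, i + 2


def parse_port(tokens, i):
    """Consume an optional port operator. Returns (predicate, next_i)."""
    if i >= len(tokens) or tokens[i] not in OPERATORS:
        return (lambda p: True), i
    op = tokens[i]
    if op == "range":
        lo, hi = port_num(tokens[i + 1]), port_num(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    v = port_num(tokens[i + 1])
    preds = {"gt": lambda p: p > v, "lt": lambda p: p < v,
             "eq": lambda p: p == v, "ne": lambda p: p != v}
    return preds[op], i + 2


def parse_rule(line):
    t = line.split()
    src, src_care, i = parse_addr(t, 2)
    sport, i = parse_port(t, i)
    dst, dst_care, i = parse_addr(t, i)
    dport, i = parse_port(t, i)
    return {"action": t[0], "proto": t[1], "src": (src, src_care), "sport": sport,
            "dst": (dst, dst_care), "dport": dport, "established": "established" in t[i:]}


def addr_match(spec, ip):
    base, care = spec
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])):
        return False
    if rule["proto"] in ("tcp", "udp") and not (rule["sport"](pkt["sport"]) and rule["dport"](pkt["dport"])):
        return False
    if rule["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
        return False                                    # 'established': ACK (or RST) must be set
    return True


def evaluate(acl, pkt):
    """First matching entry wins; otherwise the implicit deny at the end applies."""
    for line in acl:
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule["action"], line
    return "deny", "implicit deny ip any any"


ACL = [
    "deny tcp any gt 1023 host 10.1.1.1 eq 21",
    "deny tcp any host 10.1.1.1 eq telnet",
    "deny udp 1.0.0.0 0.255.255.255 lt 1023 any",
    "permit tcp any 1.0.0.0 0.255.255.255 established",
    "permit ip any host 10.1.1.1",                      # constructed: let the rest reach 10.1.1.1
]


def packet(proto, src, sport, dst, dport, flags=()):
    """Constructed packet summary for the matcher."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}
```

Two things the matcher makes visible: `gt 1023` does not match source port 1023 itself, and because the first match wins, placing the summary's `deny ip any host 10.1.1.1` at the top would shadow every later entry for that host. The `established` entry admits return traffic (ACK set) into 1.0.0.0/8 while a bare SYN toward the same range falls through to the implicit deny.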
Attacks
Smurf Attacks, Directed Broadcasts and RPF Checks
- attacker sends large number of ICMP Echo requests
- destination address is subnet broadcast address (directed broadcast)
- final router forwards onto LAN as a broadcast
- source IP is set to victim's address
Solutions
- config-if# no ip directed-broadcast (won't broadcast onto the LAN)
- Unicast Reverse-Path-Forwarding (uRPF)
- config-if# ip verify unicast source reachable-via [rx|any] [allow-default] [allow-self-ping] <list>
- Styles
- Strict - "rx" keyword; matches outgoing interface with received interface
- Loose - "any" keyword; checks for any route to source
- allow-default - says not to ignore default routes
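The strict/loose/allow-default combinations above are easiest to see against a routing table. The model below is an added example, not the page's code: a longest-prefix lookup over a constructed routing table and a `urpf_allows` check that mirrors `ip verify unicast source reachable-via rx|any [allow-default]`. Interface names, prefixes and source addresses are constructed; Gi0/0 is taken to face the internet and Gi0/1, Gi0/2 the inside networks.

```python
"""Model the unicast RPF check (ip verify unicast source reachable-via rx|any
[allow-default]). Added example, not the page's code; the routing table and the
packets are constructed. Gi0/0 faces the internet, Gi0/1 and Gi0/2 face inside."""
import ipaddress

ROUTES = [                      # constructed routing table: (prefix, egress interface)
    ("10.1.0.0/16", "Gi0/1"),
    ("10.2.0.0/16", "Gi0/2"),
    ("0.0.0.0/0", "Gi0/0"),     # default route toward the internet
]


def lookup(routes, ip):
    """Longest-prefix match; returns (network, egress interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_allows(routes, src_ip, ingress, mode="rx", allow_default=False):
    """mode 'rx' is strict: the route back to the source must exit via the
    receiving interface. mode 'any' is loose: any route to the source suffices.
    A default route only counts when allow_default is set."""
    route = lookup(routes, src_ip)
    if route is None:
        return False                          # no return route at all: discard
    net, egress = route
    if net.prefixlen == 0 and not allow_default:
        return False                          # matched only the default route
    if mode == "any":
        return True
    return egress == ingress
```

The smurf case from the Attacks section is the spoofed inside address (10.1.5.5) arriving on the internet-facing Gi0/0: strict mode drops it because the return route exits Gi0/1. The caveat the `allow-default` line hints at is also visible: on an interface whose only route back is the default, strict mode without `allow-default` drops everything, which is why loose mode or `allow-default` is used at the internet edge, and why strict mode is unsafe wherever routing is asymmetric.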
Fraggle Attack
- similar to smurf, instead of ICMP uses UDP Echo
Inappropriate IP Address
- for source and destination addresses
- can use Router Audit Tool (RAT)
- IOS AutoSecure feature auto-configures ACLs
TCP SYN Floods, Established Bit and TCP Intercept
- SYN flood initializes TCP connection but doesn't finish
- consumes memory and resources while waiting to continue
- stateful firewalls can protect against this
- ASA firewall, IOS firewall
Solutions
- filter packets with only SYN flag set in TCP header
- config# ip access-list extended WORD
- config-acl# permit tcp any 1.0.0.0 0.255.255.255 established
- ACK flag set
- TCP Intercept monitors for SYN attacks
- Modes
- Watch
- keeps state information
- if 3-way doesn't complete in time, send TCP Reset to server
- counts the number of connections over time
- Intercept
- router replies to TCP connection
- after 3-way handshake completes, the router connects to the server
- bridges the two connections together
- Configuration
- config# ip tcp intercept-list WORD
- config# ip tcp intercept mode watch
- config# ip tcp intercept watch-timeout 20
Classic Cisco IOS firewall
Context-Based Access Control (CBAC)
- dynamic inspection of traffic
- based on actual protocol commands
- creates temporary openings in firewall
Configuration Requirements
- protocols to inspect
- interfaces on which to perform inspection
- direction of traffic to inspect per interface
TCP versus UDP
- manages UDP by approximating based on source and destination addresses and ports, and relative timing
- protocol-specific timeouts can be configured
Protocol Support
- any TCP
- all UDP "sessions"
- FTP
- SMTP
- TFTP
- H.323 (NetMeeting, ProShare, ...)
- Java
- CU-SeeMe
- Unix R commands (rlogin, rexec, rsh, ...)
- RealAudio
- Sun RPC
- SQL*Net
- StreamWorks
- VDOLive
Caveats
- ACLs on interface will filter first
- cannot protect against attacks that originate inside the network
- only works on protocols you specify
- to inspect traffic other than TCP and UDP, you must configure a named inspection rule
- does not inspect traffic destined to or originating from the firewall
- restrictions on encrypted traffic
Configuration
- config# ip inspect name WORD icmp timeout 10
- config# ip inspect name WORD tcp timeout 30
- config-if# ip inspect WORD out
- show ip inspect sessions
Zone-Based Firewall (ZFW)
- router interfaces placed into security zones
- traffic can travel freely between interfaces in same zone
- traffic blocked by default from traveling between zones
- configured using Class-Based Policy Language (CPL)
Protocols
- HTTP & HTTPS
- SMTP, Extended SMTP (ESMTP), POP3 and IMAP
- P2P applications, can use heuristics to track port hopping
- instant messaging applications
- remote procedure calls
Zones and Zone Pairs
Policy Maps
Actions
- Drop - drop the packet
- Inspect - uses CBAC engine
- Pass
- Police
- Service-Policy - use Deep Packet Inspection engine
- URLfilter
Configuration with Parameter Map
- config# parameter-map type inspect WORD
- config-profile# tcp idle-time 300
- config-profile# udp idle-time 300
- config# policy-map type inspect WORD2
- config-pmap# class type inspect WORD3
- config-pmap-c# inspect [WORD]
Service Policies and Zones
- config# zone-pair security internal source WORD1 destination WORD2
- config-sec-zone-pair# service-policy type inspect WORD3
- config-if# zone-member security WORD1
- config-if# zone-member security WORD2
- show zone-pair security
Intrusion Prevention System (IPS)
- compares packets to known signatures
Actions
- drop packet
- reset the connections
- send alarm log message
- block traffic from source for amount of time
- block traffic on connection for amount of time
Configuration
- config# crypto key pubkey-chain rsa
- config-pubkey-chain# named-key realm cisco.pub signature
- config-pubkey-key# key-string
- config-pubkey# WORDS
- config# ip ips signature-category (load basic signature package)
- config-ips-category# category all
- config-ips-category-action# retired true
- config-ips-category# category ios_ips basic
- config-ips-category-action# retired false
- #mkdir flash:ipsData
- config# ip ips name WORD
- config# ip ips config location flash:ipsData
- config-if# ip ips WORD outbound
- show ip ips configuration
Control-Plane Policing (CoPP)
- traffic bound to the router
- leverages MQC to rate-limit or drop traffic
Typical Groupings
- malicious traffic - dropped
- routing protocols - not limited
- SSH and Telnet - limited to small amount
- management protocols (SNMP, FTP, TFTP, ...)
- network applications (HSRP, DHCP, IGMP, ...)
- all other IP traffic
- Default class (includes L2; ARP does not have to match this)
Configuration
- config# control-plane
- config-control-plane# service-policy input WORD (policy map)
Dynamic Multipoint VPN (DMVPN)
IPSec tunnel limitations
- hub-and-spoke environment, traffic to spoke traverses hub site
- traffic is unencrypted, routed and encrypted again
- additional network overhead, memory and CPU
- takes advantage of
- IPSec
- GRE tunnels
- Next Hop Resolution Protocol (NHRP)
- supports traffic segmentation across VPNs
- is VRF-aware
- hub router is configured for single multipoint GRE (mGRE) tunnel interface
- supports multicast traffic from hub to spoke routers
Benefits
- simpler hub router configuration
- 1 mGRE interface
- 1 IPSec profile
- no crypto access lists
- hub does not require configuration when new spoke routers are brought online
- automatically initiated IPSec encryption
- dynamic addressing support for spokes
- dynamically created spoke-to-spoke tunnels
- VRF integration for MPLS environments
- dynamic routing protocol required, distance vector recommended
Saturday, February 20, 2016
Security