Module 2: Security Planning and Policy - Modified


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • ANS Institute - The SANS Security Policy Project
  • Module 2: Security Planning and Policy - Modified

    1. 1. © 2004, Cisco Systems, Inc. All rights reserved.
    2. 2. Network Security 1 Module 2 – Security Planning and Policy
    3. 3. Learning Objectives <ul><ul><li>2.1 Discussing Network Security and Cisco </li></ul></ul><ul><ul><li>2.2 Endpoint Protection and Management </li></ul></ul><ul><ul><li>2.3 Network Protection and Management </li></ul></ul><ul><ul><li>2.4 Security Architecture </li></ul></ul><ul><ul><li>2.5 Basic Router Security </li></ul></ul>
    4. 4. Module 2 – Security Planning and Policy 2.1 Discussing Network Security and Cisco
    5. 5. Network Security as a Continuous Process <ul><li>Network security is a continuous process built around a security policy (which enables the application of security measures). </li></ul><ul><ul><li>Step 1: Secure </li></ul></ul><ul><ul><li>Step 2: Monitor </li></ul></ul><ul><ul><li>Step 3: Test </li></ul></ul><ul><ul><li>Step 4: Improve </li></ul></ul>Secure Monitor Test Improve Security Policy
    6. 6. Secure the Network <ul><li>Implement security solutions to stop or prevent unauthorized access or activities, and to protect information: </li></ul><ul><ul><li>Identification Authentication </li></ul></ul><ul><ul><li>Encryption </li></ul></ul><ul><ul><li>VPNs </li></ul></ul><ul><ul><li>Firewalls </li></ul></ul><ul><ul><li>Vulnerability patching </li></ul></ul>Secure Monitor Test Improve Security Policy
    7. 7. Monitor Security <ul><li>Detects violations to the security policy </li></ul><ul><li>Involves system auditing and real-time intrusion detection </li></ul><ul><li>Validates the security implementation in Step 1. </li></ul>Secure Monitor Test Improve Security Policy
    8. 8. Test Security <ul><li>Validates effectiveness of the security policy through system auditing and vulnerability scanning </li></ul><ul><li>SATAN, Nessus, or NMAP are useful for periodically testing the network security measures at the network and host level </li></ul>Secure Monitor Test Improve Security Policy
    9. 9. Improve Security <ul><li>Improve corporate security </li></ul><ul><li>Collect and analyze information from the monitoring and testing phases to make security improvements </li></ul><ul><li>Adjust the security policy as security vulnerabilities and risks re identified </li></ul>Secure Monitor Test Improve Security Policy
    10. 10. Security Policy <ul><li>All network security features should be configured in compliance with the organization's security policy. </li></ul><ul><li>If a security policy is not present, or if the policy is out of date, the policy should be created or updated before deciding how to configure security on any devices. </li></ul>
    11. 11. What Is a Security Policy? <ul><li>“ A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.” </li></ul><ul><li> (RFC 2196, Site Security Handbook) </li></ul>
    12. 12. SANS – Why Do You Need Security Policy?
    13. 13. SANS – Why Do You Need Security Policy?
    14. 15. Why Create a Security Policy? <ul><ul><li>To create a baseline of your current security posture </li></ul></ul><ul><ul><li>To provide a process to audit existing network security </li></ul></ul><ul><ul><li>To set the framework for security implementation </li></ul></ul><ul><ul><li>To define allowed and not allowed behaviors </li></ul></ul><ul><ul><li>To help determine necessary tools and procedures </li></ul></ul><ul><ul><li>To communicate consensus and define responsibilities of users and administrators </li></ul></ul><ul><ul><li>To define how to handle security incidents </li></ul></ul><ul><ul><li>To enable global security implementation and enforcement </li></ul></ul><ul><ul><li>To create a basis for legal action, if necessary </li></ul></ul>
    15. 16. Links – Network Security Policy <ul><li>RFC 2196 Site Security Handbook - </li></ul><ul><li>A sample security policy for the University of Illinois - </li></ul><ul><li>Cisco – Network Security Policy Best Practices White Paper - </li></ul><ul><li>SANS – </li></ul>
    16. 17. 2.2 Endpoint Protection and Management Module 2 – Security Planning and Policy
    17. 18. Desktop Inventory and Maintenance <ul><li>Anti-virus (updated definitions), firewall, and intrusion detection (updated signatures) are valuable tools that can be used to secure network hosts. </li></ul><ul><li>HIPS alerts the management console when an external process tries to monitor/modify a system file. Will monitor for backdoor programs – stop attacks and spread of virus and worms </li></ul>
    18. 19. Host-Based Intrusion Prevention (HIPS)
    19. 20. Desktop Inventory and Maintenance <ul><li>Operating System Patches </li></ul><ul><li>When a new operating system is installed on a computer, the security settings are all set to the default values. In most cases this level of security is inadequate. There are some simple steps that should be taken that apply to most operating systems: </li></ul><ul><ul><li>Default usernames and passwords should be changed immediately. </li></ul></ul><ul><ul><li>Access to the system resources should be restricted to only the individuals that are authorized to use those resources. </li></ul></ul><ul><ul><li>Any unnecessary services and applications should be turned off and uninstalled when possible </li></ul></ul>
    20. 21. Module 2 – Security Planning and Policy 2.3 Network Protection and Management
    21. 22. Types of Firewalls <ul><ul><li>Server Based </li></ul></ul><ul><ul><ul><li>Microsoft ISA </li></ul></ul></ul><ul><ul><ul><li>CheckPoint </li></ul></ul></ul><ul><ul><ul><li>BorderManager </li></ul></ul></ul><ul><ul><li>Appliance </li></ul></ul><ul><ul><ul><li>PIX Security Appliance </li></ul></ul></ul><ul><ul><ul><li>Netscreen </li></ul></ul></ul><ul><ul><ul><li>SonicWall </li></ul></ul></ul><ul><ul><li>Personal </li></ul></ul><ul><ul><ul><li>Norton </li></ul></ul></ul><ul><ul><ul><li>McAfee </li></ul></ul></ul><ul><ul><ul><li>ZoneAlarms </li></ul></ul></ul><ul><ul><li>Integrated </li></ul></ul><ul><ul><ul><li>IOS Firewall </li></ul></ul></ul><ul><ul><ul><li>Switch Firewall </li></ul></ul></ul>
    22. 23. Network-Based IDS
    23. 24. VPN Definition
    24. 25. Remote Access VPNs
    25. 26. Site-to-Site VPNs
    26. 27. Trust and Identity <ul><li>Identity refers to the accurate and positive identification of network users, hosts, applications, services, and resources. </li></ul>
    27. 28. Links – Network Based Components and Technologies <ul><li>Cisco Security - </li></ul><ul><li>Cisco PIX Security Appliance - </li></ul><ul><li>Cisco IOS Firewall - </li></ul><ul><li>Microsoft - </li></ul><ul><li>Firewall Certifications - </li></ul><ul><li>Enterprises Firewall Listing - http:// </li></ul>
    28. 29. Security Management <ul><li>The goals of security management is to control access to network resources </li></ul><ul><ul><li>VPN Routers </li></ul></ul><ul><ul><li>Firewall </li></ul></ul><ul><ul><li>Network IDS (NIDS) </li></ul></ul><ul><ul><li>Host Intrusion Prevention (HIPS) </li></ul></ul><ul><li>Management Station </li></ul><ul><ul><li>CiscoWorks VPN/Security Management Solution (VMS) </li></ul></ul><ul><ul><li>ASDM (PIX and ASA) - PDM replaced with ASDM in v 7.0 </li></ul></ul><ul><ul><li>SDM (Routers) </li></ul></ul><ul><ul><li>IDM (Sensors) </li></ul></ul>
    29. 30. Major Functions of CiscoWorks VMS <ul><li>CiscoWorks VMS consists of a set of Web-based applications for configuring, monitoring, and troubleshooting enterprise VPNs, firewalls, NIDS, and HIDS. </li></ul><ul><ul><li>Addresses the needs of small and large-scale VPN and security deployments. </li></ul></ul><ul><ul><li>Manage access control lists for Cisco PIX/ASA Security Appliances </li></ul></ul><ul><ul><li>Identifies sensitive network resources </li></ul></ul><ul><ul><li>Monitors and logs access to network resources </li></ul></ul>
    30. 31. Adaptive Security Device Manager (ASDM)
    31. 32. Security Device Manager (SDM)
    32. 33. Links – Network Security Management <ul><li>CiscoWorks VMS - </li></ul><ul><li>PDF on CiscoWorks - </li></ul><ul><li>CiscoWorks SIMS - </li></ul>
    33. 34. Module 2 – Security Planning and Policy 2.4 Security Architecture
    34. 35. Security Architecture (SAFE) <ul><li>SAFE White Papers: </li></ul><ul><li>A Security Blueprint for Enterprise Networks </li></ul><ul><li>Extending the Security Blueprint to Small, Midsize, and Remote-User Networks </li></ul><ul><li>VPN IPSec Virtual Private Networks in Depth </li></ul><ul><li>Wireless LAN Security in Depth – version 2 </li></ul><ul><li>IP Telephony Security in Depth </li></ul><ul><li>IDS Deployment, Tuning, and Logging in Depth </li></ul><ul><li>Worm Mitigation </li></ul>
    35. 36. Security Architecture – Self-Defending Network Strategy <ul><li>Secure Connectivity </li></ul><ul><li>Threat Defense </li></ul><ul><li>Trust and Identity Management </li></ul>
    36. 37. Secure Connectivity <ul><li>Secure Connectivity safely transports applications across different network environments. </li></ul><ul><li>As companies use the flexibility and cost effectiveness of the Internet to extend their networks to branch offices, telecommuters, customers, and partners, security (privacy and integrity) is paramount. </li></ul>
    37. 38. Cisco Threat Defense System <ul><li>Brings together security solutions and intelligent networking technologies to identify and mitigate both known and unknown threats from inside and outside an organization. </li></ul>
    38. 39. Trust and Identity Management <ul><li>Identity Management </li></ul><ul><li>Identity Based Networking services (IBNS) </li></ul><ul><li>Network Admission Control (NAC) </li></ul>
    39. 40. Identity Management <ul><li>Guarantees the identity and integrity of every entity on the network and applies appropriate access policy. </li></ul><ul><li>Identity Management also secures the centralized management of remote devices and provides Authentication, Authorization, and Accounting (AAA) functionality across all network devices. </li></ul>
    40. 41. Identity Based Networking Services (IBNS) <ul><li>Expands network security by using 802.1x to automatically identify users requesting network access and route them to a VLAN domain with an appropriate degree of access privilege based on policy. </li></ul><ul><li>IBNS also prevents unauthorized network access from rogue wireless access points. </li></ul>
    41. 42. Identity Based Networking Services (IBNS) Step 1: Step 2: Step 3: Step 4:
    42. 43. Network Admission Control (NAC) <ul><li>Allows network access only to trusted endpoint devices that can verify their compliance to network security policies, such as having a current antivirus image, operating system version, or patch update. </li></ul><ul><li>NAC can permit, deny, or restrict network access to any device and quarantine and remediate noncompliant devices. </li></ul>
    43. 45. Plan, Design, Implement, Operate, Optimize (PDIOO)
    44. 46. Module 2 – Security Planning and Policy 2.5 Basic Router Security
    45. 47. Secure Shell (SSH) SSH Server and Client SSH Client TCP Port 22 With authentication and encryption, SSH allows for secure communications over an insecure network.
    46. 48. SSH Server Configuration Router(config)# hostname host-name Router(config)# ip domain-name Router(config)# crypto key generate rsa Router(config)# line vty 0 4 Router(config-line)# transport input ssh
    47. 49. Controlling Access <ul><li>Ensure that logins on all lines are controlled using some sort of authentication mechanism, even on machines that are supposed to be inaccessible from untrusted networks. </li></ul><ul><ul><li>Console Port </li></ul></ul><ul><ul><li>TTY </li></ul></ul><ul><ul><li>VTY </li></ul></ul>
    48. 50. Access Control – Console Port <ul><li>By default, console, auxiliary and Telnet (VTY) sessions time out after 10 minutes of inactivity. You can override this with the exec-timeout command. A common setting is 5 minutes. </li></ul><ul><li>In this slide, the password entered will be displayed as clear text. Better to use local username and password database by specifying login local; better yet, use an external authentication security server for securing line access. </li></ul><ul><li>Service password-encryption command is used to encrypt clear-txt passwords but there are many tools to decrypt this very weak encryption algorithm: http// </li></ul>
    49. 51. Access Control – TTYs <ul><li>The aux port can be used to attach to a CSU/DSU, a modem, or a protocol analyzer. </li></ul><ul><li>You can’t use access-lists on tty ports (like you can on vty ports) to control access but you can require a password and disabling protocol access using the transport command (transport input none). </li></ul><ul><li>Typically, the tty line is used for remote dial-in access for emergency situations. </li></ul><ul><li>If you are using this line for dialup, you should implement security for dialup on your router and run PPP with CHAP for authentication. </li></ul>
    50. 52. Access Control – VTYs <ul><li>Compared to local access, in which you can access user EXEC mode only through the console or aux port, you can access your router remotely through Telnet, RSH, SSH, HTTP, HTTPS, and SNMP. </li></ul><ul><li>VTYS are basically logical lines (for handling incoming/outgoing Telnet connections) but the Cisco IOS treats them as a physical line from a configuration and operation perspective, but they are not something that we can physically touch with our hands. </li></ul><ul><li>Never us it. Why? Because Telnet sends user information across the network in clear text. Remember that if you are using the router as part of a firewall system, you want to keep it as secure as possible. Use either SSH or VPN. </li></ul>
    51. 53. Access Control – VTYs <ul><li>Applying the standard </li></ul><ul><li>ACL requires the use of </li></ul><ul><li>the access-class </li></ul><ul><li>command. </li></ul><ul><li>Specify the direction of </li></ul><ul><li>restriction (in or out). </li></ul><ul><li>When using the out </li></ul><ul><li>parameter, the address </li></ul><ul><li>listed in the ACL is </li></ul><ul><li>viewed as destination, not </li></ul><ul><li>source address. </li></ul>Router(config)# access-list 1 permit Router(config)#access-list 1 permit Router(config)#line vty 0 4 Router(config-line)# transport input ssh Router(config-line)#transport output ssh Router(cofig-line)# access-class 1 in
    52. 54. Access Control – VTYs <ul><li>Applying the standard </li></ul><ul><li>ACL requires the use of </li></ul><ul><li>the access-class </li></ul><ul><li>command. </li></ul><ul><li>Specify the direction of </li></ul><ul><li>restriction (in or out). </li></ul><ul><li>When using the out </li></ul><ul><li>parameter, the address </li></ul><ul><li>listed in the ACL are </li></ul><ul><li>viewed as destination, not </li></ul><ul><li>source address. </li></ul>Router(config)# access-list 1 permit Router(config)#access-list 1 permit Router(config)#line vty 0 4 Router(config-line)# transport input ssh Router(config-line)#transport output ssh Router(cofig-line)# access-class 1 in
    53. 55. <ul><li>Logins may be completely prevented on any line by configuring the router with the login and no password commands. This is the default configuration for vtys, but not for ttys. </li></ul><ul><li>Any vty should be configured to accept connections only with the protocols actually needed. This is done with the transport input command. </li></ul>
    54. 56. <ul><li>A Cisco IOS device has a limited number of vty lines, usually five. When all of the vtys are in use, no more additional remote connections can be established. This creates the opportunity for a DoS attack. If an attacker can open remote sessions to all the vtys on the system, the legitimate administrator may not be able to log in. The attacker does not have to log in to do this. The sessions can simply be left at the login prompt. </li></ul><ul><li>One way of reducing this exposure is to configure a more restrictive ip access-class command on the last vty line in the system. The last vty might be restricted to accept connections only from a single, specific administrative workstation, whereas the other vtys might accept connections from any address in a corporate network . </li></ul>
    55. 57. Passwords <ul><li>Passwords are the most critical tools in controlling access to a router. There are two password protection schemes in Cisco IOS: </li></ul><ul><ul><ul><ul><li>Type 7 uses the Cisco-defined encryption algorithm. </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Type 5 uses an MD5 hash, which is much stronger. </li></ul></ul></ul></ul><ul><li>Cisco recommends that Type 5 encryption be used instead of Type 7 where possible. Type 7 encryption is used by the enable password, username, and line password commands. </li></ul><ul><li>Service password encryption should be used. </li></ul><ul><li>Use good password practices when creating passwords. </li></ul><ul><li>Configure both username and password combinations. </li></ul>
    56. 58. Good Password Practices <ul><li>Avoid dictionary words, names, phone numbers, and dates. </li></ul><ul><li>Include at least one lowercase letter, uppercase letter, digit, and special character. </li></ul><ul><li>Make all passwords at least eight characters long. </li></ul><ul><li>Avoid more than four digits or same-case letters in a row. </li></ul><ul><li>Change passwords often. </li></ul><ul><li>Use different passwords on each system. </li></ul><ul><li>Note: When testing th4e sample passwords hello, Enter0, 9spot, 8twelve8, and ilcic41, the only password that wasn’t cracked was ilcic41. </li></ul>
    57. 59. Password Minimum Length Enforcement
    58. 60. Configure the Enable Password Using enable secret router(config)# enable secret password <ul><ul><li>Encrypts the password in the router configuration file </li></ul></ul><ul><ul><li>Uses a strong encryption algorithm based on MD5 </li></ul></ul>Boston(config)# enable secret Curium96 Boston# show running-config ! hostname Boston ! no logging console enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/ !
    59. 61. Configure the Console Port User-Level Password <ul><ul><li>Creates the user-level password ConUser1 </li></ul></ul><ul><ul><li>The password is unencrypted </li></ul></ul>Boston(config)# line console 0 Boston(config-line)# login Boston(config-line)# password ConUser1 router(config)# line console line-number router(config-line)# login router(config-line)# Password password <ul><ul><li>Enters console line configuration mode </li></ul></ul><ul><ul><li>Enables password checking at login </li></ul></ul><ul><ul><li>Sets the user-level password to password </li></ul></ul>
    60. 62. Configure a VTY User-Level Password Boston(config)# line vty 0 4 Boston(config-line)# login Boston(config-line)# password CantGessMeVTY router(config)# line vty start - line-number end-line-number router(config-line)# login <ul><ul><li>Enters VTY line configuration mode </li></ul></ul><ul><ul><li>Specifies the range of VTY lines to configure </li></ul></ul><ul><ul><li>Enables password checking at login for VTY (Telnet) sessions </li></ul></ul><ul><ul><li>Sets the user-level password to password </li></ul></ul>router(config-line)# password password
    61. 63. Configure an Auxiliary User-Level Password Boston(config)# line aux 0 Boston(config-line)# login Boston(config-line)# password NeverGessMeAux router(config)# line aux line-number router(config-line)# login <ul><ul><li>Enters auxiliary line configuration mode </li></ul></ul><ul><ul><li>Enables password checking at login for Aux connections </li></ul></ul><ul><ul><li>Sets the user-level password to password </li></ul></ul>router(config-line)# password password
    62. 64. Encrypting Passwords Using service password-encryption router(config)# service password-encryption <ul><ul><li>Encrypts all passwords in the router configuration file </li></ul></ul><ul><ul><li>Uses a weak encryption algorithm that can be easily cracked </li></ul></ul>Boston(config)# service password-encryption Boston# show running-config ! line con 0 password 7 0956F57A109A ! line vty 0 4 password 7 034A18F366A0 ! line aux 0 password 7 7A4F5192306A
    63. 65. Setting Timeouts for Router Lines router(config-line)# exec-timeout minutes [ seconds ] <ul><ul><li>Default is 10 minutes </li></ul></ul><ul><ul><li>Terminates an unattended console connection </li></ul></ul><ul><ul><li>Provides an extra safety factor when an administrator walks away from an active console session </li></ul></ul><ul><ul><li>Terminates an unattended console/auxiliary connection after 3 minutes and 30 seconds </li></ul></ul>Boston(config)# line console 0 Boston(config-line)#exec-timeout 3 30 Boston(config)# line aux 0 Boston(config-line)#exec-timeout 3 30
    64. 66. Setting Multiple Privilege Levels router(config)# privilege mode {level level command | reset command } <ul><ul><li>Level 1 is predefined for user-level access privileges </li></ul></ul><ul><ul><li>Levels 2 – 14 may be customized for user-level privileges </li></ul></ul><ul><ul><li>Level 15 is predefined for enable mode ( enable command) </li></ul></ul>Boston(config)# privilege exec level 2 ping Boston(config)# enable secret level 2 Patriot
    65. 67. Local User Accounts
    66. 68. Local User Accounts <ul><li>No user account should be created above privilege level 1 since it is not possible to use Type 5 encryption on the default EXEC login or the username command. </li></ul><ul><li>User accounts should be created for auditing purposes. </li></ul><ul><li>Higher privilege levels should be protected with the enable secret password. </li></ul>
    67. 69. Privilege Mode Example <ul><li>router#config terminal </li></ul><ul><li>router(config)#username admin-joe privilege 15 password joes-password </li></ul><ul><li>router(config)#username admin-carl privilege 15 password carls-password </li></ul><ul><li>router(config)#username junior-jeff privilege 10 password jeffs-password </li></ul><ul><li>router(config)#username junior-jay privilege 10 password jays-password </li></ul><ul><li>router(config)#username ops-fred privilege 2 password freds-password </li></ul><ul><li>router(config)#username ops-pat privilege 2 password pats-password </li></ul><ul><li>router(config)#privilege exec level 10 telnet </li></ul><ul><li>router config)#privilege exec level 10 debug </li></ul><ul><li>router(config)#privilege exec level 2 clear line </li></ul><ul><li>router(config)#^Z </li></ul><ul><li>router# </li></ul>
    68. 70. Recommended (NSA) Privilege-Level Changes <ul><li>router#config terminal </li></ul><ul><li>router(config)#privilege exec level 15 connect </li></ul><ul><li>router config)#privilege exec level 15 telnet </li></ul><ul><li>router(config)#privilege exec level 15 rlogin </li></ul><ul><li>router config)#privilege exec level 15 show ip access-lists </li></ul><ul><li>router(config)#privilege exec level 15 show access-lists </li></ul><ul><li>router config)#privilege exec level 15 show logging </li></ul><ul><li>router(config)#privilege exec level 1 ip </li></ul><ul><li>router(config)#^Z </li></ul><ul><li>router# </li></ul>Note: The final privilege exec level 1 show ip returns the show and show ip commands to level 1, enabling all other default level 1 commands to still function .
    69. 71. Recommended Privilege-Level Changes <ul><li>router#config terminal </li></ul><ul><li>router(config)#privilege exec level 15 connect </li></ul><ul><li>router config)#privilege exec level 15 telnet </li></ul><ul><li>router(config)#privilege exec level 15 rlogin </li></ul><ul><li>router config)#privilege exec level 15 show ip access-lists </li></ul><ul><li>router(config)#privilege exec level 15 show access-lists </li></ul><ul><li>router config)#privilege exec level 15 show logging </li></ul><ul><li>router(config)#privilege exec level 1 ip </li></ul><ul><li>router(config)#^Z </li></ul><ul><li>router # </li></ul>
    70. 72. <ul><li>There are several considerations to keep in mind when customizing privilege levels: </li></ul><ul><li>Do not use the username command to set up accounts above level one. Instead, use the enable secret command to set a level password. </li></ul><ul><li>Be very careful about moving too much access down from level 15, as this could cause unexpected security holes in the system. </li></ul><ul><li>Be very careful about moving any part of the configure command down from level 15. Once a user has write access, they could leverage this to acquire greater access. </li></ul>
    71. 73. Login Banner <ul><li>Banners should be used on all network devices </li></ul><ul><li>A banner should include </li></ul><ul><ul><ul><li>A notice that the system is to be logged into or accessed only by authorized personnel, and information about who may authorize use. </li></ul></ul></ul><ul><ul><ul><li>A notice that any unauthorized use of the system is unlawful, and may be subject to civil and criminal penalties, or both. </li></ul></ul></ul><ul><ul><ul><li>A notice that any use of the system may be logged or monitored without further notice, and that the resulting logs may be used as evidence in court. </li></ul></ul></ul><ul><ul><ul><li>Specific notices required by specific local laws. </li></ul></ul></ul><ul><li>A login banner usually should not contain any specific information about the router, its name, its model, what software it is running, or its ownership. </li></ul>
    72. 74. Login Banner Example <ul><li>WARNING!!! </li></ul><ul><li>This system is solely for the use of authorized users for official purposes. You have no expectation of privacy in its use and to endure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials. </li></ul>
    73. 75. Configuring Banner Messages router(config)# banner {exec | incoming | login | motd | slip-ppp} d message d <ul><ul><li>Specify what is “proper use” of the system </li></ul></ul><ul><ul><li>Specify that the system is being monitored </li></ul></ul><ul><ul><li>Specify that privacy should not be expected when using this system </li></ul></ul><ul><ul><li>Do not use the word “welcome” </li></ul></ul><ul><ul><li>Have legal department review the content of the message </li></ul></ul>Boston(config)# banner motd # WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. #
    74. 76. Disable Unneeded Services
    75. 77. Security-Related Router Services <ul><li>Bootp server </li></ul><ul><li>Cisco Discovery Protocol (CDP) </li></ul><ul><li>Classless Routing Behavior </li></ul><ul><li>Configuration auto-loading </li></ul><ul><li>DNS </li></ul><ul><li>Finger </li></ul><ul><li>HTTP server </li></ul><ul><li>IP directed broadcast </li></ul><ul><li>IP mask reply </li></ul><ul><li>IP redirects </li></ul><ul><li>IP source routing </li></ul><ul><li>IP unreachable notifications </li></ul><ul><li>NTP service </li></ul><ul><li>Proxy ARP </li></ul><ul><li>SNMP </li></ul><ul><li>TCP small servers </li></ul><ul><li>UDP small servers </li></ul>
    76. 78. Disable Bootp Server <ul><ul><li>Globally disables the Bootp service for this router. </li></ul></ul>Austin1(config)# no ip bootp server Router(config)# no ip bootp server
    77. 79. Disable Bootp Server (Cont.) <ul><li>Bootp is a datagram protocol that is used by some hosts to load their operating system over the network. </li></ul><ul><li>Supports a deployment strategy where one Cisco router acts as the central repository of IOS software for a collection of such routers. </li></ul><ul><li>There should be no need to offer the service outside your LAN, and it may offer useful information to intruders. For example, to block bootp traffic from passing through the firewall: </li></ul><ul><ul><li>access-list nnn deny udp any any eq 67 log </li></ul></ul><ul><ul><li>access-list nnn deny udp any any eq 68 log </li></ul></ul>
    78. 80. Disable CDP Server <ul><ul><li>Globally disables the CDP service for this router. </li></ul></ul>Austin4(config)# no cdp run Router(config)# no cdp run
    79. 81. Disable IP Classless Routing Service <ul><ul><li>Globally disables the IP classless routing service for this router. </li></ul></ul>Austin4(config)# no ip classless Router(config)# no ip classless
    80. 82. Disable IP Classless Routing Service (Cont.) <ul><li>If a router receives packets for a subnet of a network with no default route, the router forwards the packet to the best supernet route. </li></ul><ul><li>A supernet consists of contiguous blocks of Class C address spaces used to simulate a single, larger address space and is designed to relieve the pressure on the rapidly depleting Class B address space. </li></ul><ul><li>When the host sends a packet to, instead of discarding the packet, the router forwards it to the best supernet route. </li></ul><ul><li>If you disable classless routing and a router receives packets destined for a subnet of a network with no network default route, the router discards the packet. </li></ul>
    81. 83. Classful Routing Behavior
    82. 84. Classless Routing Behavior
    83. 85. Restricting DNS Service Austin4(config)# ip name-server Router(config)# ip name-server server-address1 [ server-address2 … server-address6 ] Router(config)# no ip domain-lookup Austin3(config)# no ip domain-lookup
    84. 86. Restricting DNS Service (Cont.) <ul><li>DNS protocol attacks: </li></ul><ul><ul><li>DNS cache poisoning - relates to an attack consisting of making a DNS server cache false information: usually, a wrong record that will map a name to a “wrong” IP address. There are different ways for a hacker to do that, and that they are often related to DNS spoofing. With DNS cache poisoning, the hacker will try to make a DNS answer something he wants for a specific request. </li></ul></ul><ul><ul><li>DNS spoofing - a term referring to the action of answering a DNS request that was intended for another server (a “real” DNS server). The hacker “spoofs” the DNS server’s answer by answering with the DNS server’s IP address in the packets’ source-address field. </li></ul></ul>
    85. 87. Disable Finger Service Austin4(config)# no ip finger Austin4(config)# no service finger Austin4(config)# exit Austin4# connect finger Trying, 79 ... % Connection refused by remote host Router(config)# no ip finger
    86. 88. Disable Finger Service (Cont.) <ul><li>Finger was designed to help Unix users contact each other. A Finger request will tell you whether or not there is an account for an individual on a computer, what that account name is, when the user last logged on, additional contact information for the user, and whatever else that user would like to tell the world. </li></ul><ul><li>Traditionally, finger services have served hackers much more than administrators. Finger can be easily disabled with the no service finger command. This command disables the router only from replying to finger requests; it doesn’t block all finger requests into your network. To do that, you would need to use an ACL that blocks TCP port 79 inbound on all external interfaces. </li></ul><ul><li>Users logged into the router remotely will not be able to see if other users are logged into the router. </li></ul>
    87. 89. Disable HTTP Service Austin4(config)# no ip http server Router(config)# no ip http server
    88. 90. Disable HTTP Service (Cont.) <ul><li>Most recent Cisco IOS Software releases support remote configuration and monitoring using the World Wide Web’s HTTP protocol. </li></ul><ul><li>In general, HTTP access is equivalent to interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a cleartext password across the network, and unfortunately, there is no effective provision in HTTP or challenge-based or one-time passwords. This makes HTTP a relatively risky choice for use across the public Internet. The default setting for this service is Cisco device dependent. </li></ul><ul><li>If you choose to use HTTP for management (SDM), you should restrict access to appropriate IP addresses using the ip http access-class command. You should also configure authentication using the ip http authentication command. As with interactive logins, the best choice for HTTP authentication is probably to use a TACACS+ or RADIUS server. </li></ul><ul><li>Disable this service to prevent attackers from accessing the HTTP router administrative access interface. </li></ul>
    89. 91. Disable IP Directed Broadcast Austin2(config)# interface e0/1 Austin2(config-if)# no ip directed-broadcast Router(config-if)# no ip directed-broadcast
    90. 92. Disable IP Directed Broadcast (Cont.) <ul><li>IP directed broadcasts are used in the extremely common and popular &quot;smurf&quot; denial of service attacks. </li></ul><ul><li>An IP directed broadcast is a datagram which is sent to the broadcast address of a subnet to which the sending machine is not directly attached. The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a link-layer broadcast. </li></ul><ul><li>In a &quot;smurf&quot; attack, the attacker sends ICMP echo requests from a falsified source address to a directed broadcast address, causing all the hosts on the target subnet to send replies to the falsified source. By sending a continuous stream of such requests, the attacker can create a much larger stream of replies, which can completely inundate the host whose address is being falsified. </li></ul>
    91. 93. Disable IP Mask Replies Austin2(config)# interface e0/0 Austin2(config-if)# no ip mask-reply Router(config-if)# no ip mask-reply
    92. 94. Disable IP Redirects Austin2(config)# interface e0/0 Austin2(config-if)# no ip redirect Router(config-if)# no ip redirect
    93. 95. Disable IP Redirects (Cont.) <ul><li>When a packet is sent back out the interface on which it was received, an ICMP Redirect message is also sent. </li></ul><ul><li>The ICMP Redirect message tells the sender of the original packet to remove the route and substitute a specified device that has a more direct route. </li></ul><ul><li>Because you should be concerned about any ICMP messages leaving your network, you should manually disable this feature. </li></ul><ul><li>These messages are useful for diagnosis. An attacker may use this as a method to map the network or to intercept/redirect packets. </li></ul>
    94. 96. Disable IP Source Routing Austin2(config)# no ip source-route Router(config)# no ip source-route
    95. 97. Disable IP Source Routing (Cont.) <ul><li>The IP protocol supports source routing options that allow the sender of an IP datagram to control the route that datagram will take toward its ultimate destination, and generally the route that any reply will take. </li></ul><ul><li>These options are rarely used for legitimate purposes in real networks. Some older IP implementations do not process source-routed packets properly, and it may be possible to crash machines running these implementations by sending them datagrams with source routing options. </li></ul>
    96. 98. Disable IP Unreachable Messages Austin2(config)# interface e0/0 Austin2(config-if)# no ip unreachable Router(config-if)# no ip unreachable
    97. 99. Disable NTP Service Austin4(config)# interface e0/0 Austin4(config-if)# ntp disable ntp disable
    98. 100. Disable NTP Service (Cont.) <ul><li>Internet time servers use Network Time Protocol (NTP) to transmit and receive time over TCP/IP networks such as the Internet or a corporate local area network. Internet-based time sources, however, acquired using an Internet time server introduce security issues. </li></ul><ul><li>The problem with Internet Time Servers using NTP program, is that while this time source allows systems to synchronize their clocks with an Internet time source, a potential problem arises because this time source is located beyond the corporate firewall. This means there must be “hole” left open in the firewall (specifically port 123) to allow packets containing the time information through to the Internet Time Server. </li></ul>
    99. 101. Disable Proxy ARP Austin1(config)# interface e0/0 Austin1(config-if)# no ip proxy-arp no ip proxy-arp
    100. 102. Disable Proxy ARP (Cont.) <ul><li>Network hosts use the Address Resolution Protocol (ARP) to translate network addresses into MAC addresses. Normally, ARP transactions are confined to a particular LAN segment. </li></ul><ul><li>A Cisco router can act as an intermediary for ARP, responding to ARP queries on selected interfaces and thus enabling transparent access between multiple LAN segments. This service is called proxy ARP. Proxy ARP should be used only between two LAN segments at the same trust level, and only when absolutely necessary to support legacy network architectures. </li></ul><ul><li>Cisco routers perform proxy ARP by default on all IP interfaces. Disable it on each interface where it is not needed, even on interfaces that are currently idle, using the interface configuration command no ip proxy-arp . </li></ul>
    101. 103. Disable SNMP Austin1(config)# no snmp-server community public ro Austin1(config)# no snmp-server community config rw Austin1(config)# no access-list 60 Austin1(config)# access-list 60 deny any Austin1(config)# snmp-server community dj1973 ro 60 Austin1(config)# no snmp-server enable traps Austin1(config)# no snmp-server system-shutdown Austin1(config)# no snmp-server
    102. 104. Disable Small Servers Austin2(config)# no service tcp-small-servers Austin2(config)# no service udp-small-servers Router(config)# no service tcp-small-servers Router(config)# no service udp-small-servers These services include the echo, discard, daytime, and chargen services.
    103. 105. Disable Small Servers (Cont.) <ul><li>Depending on the IOS version you are running, TCP and UDP small services may be enabled by default (11.3 and prior). </li></ul><ul><li>Some services might be simple and innocuous in themselves, but can be turned to unexpected and detrimental uses. Chargen, for example, is a simple UNIX service that sends out ASCII characters over and over. Chargen is a useful network programming and testing tool because there are certain classes of networking problems that become evident when you can look at a stream of data spanning a whole range of binary representations. </li></ul><ul><li>An unscrupulous hacker, however, might exploit this protocol by forging a SYN packet (connection request) that redirects the output of Chargen to another computer and port. This way the hacker can flood the target computer with data that doesn't even originate from his own computer! </li></ul><ul><li>Abuse Potential – chargen can be redirected to flood other unsuspecting computers. </li></ul>
    104. 106. Disable Unused Router Interfaces Austin1(config)# interface e0/2 Austin1(config-if)# shutdown Router(config-if)# shutdown Austin1 e0/0 e0/1 e0/2 Internet Attack host
    105. 107. No service password-recovery
    106. 108. Routing Table Integrity <ul><li>There are two basic approaches available for protecting routing table integrity: </li></ul><ul><li>Use only static routes: This may work in small networks, but is unsuitable for large networks . </li></ul><ul><li>Authenticate route table updates: By using routing protocols with authentication, network administrators can deter attacks based on unauthorized routing changes. Authenticated router updates ensure that the update messages come from legitimate sources. Bogus messages are automatically discarded. </li></ul><ul><li>MD5 is used by RIPv2, EIGRP and BGP </li></ul>
    107. 109. © 2005, Cisco Systems, Inc. All rights reserved.