In-depth Understanding Network Security (Hardening CISCO Router/Switch)
CIS Level 1 & 2 Benchmarks and Audit Tool for Cisco IOS Routers and PIX firewalls
IOS/PIX Benchmarks and RAT for Windows
RAT for Windows
RAT for Windows
RAT for Windows
RAT for Windows
RAT for Windows
RAT for Windows
RAT for Windows
RAT for Windows
RAT for Windows
RAT for Windows
Hardening Cisco Router Based on NSA Router Security Configuration Guide
Router Security Configuration Guide of NSA’s SNAC (Based on version 1.1c)
Physical Security
Router Network Traffic and the Loopback Interface
Banner Rules
Banner Rules
Stopping SYN Flooding Attacks
Normal TCP 3-Way Handshake
TCP SYN flooding attack
Countermeasures: TCP SYN flooding attack
TCP Intercept feature
TCP Intercept feature
TCP Intercept feature
TCP Intercept feature
TCP Intercept feature
TCP Intercept feature
TCP Intercept feature
Other IP stack Tune-ups
Nagle congestion control algorithm
Limit embryonic TCP connections
TCP selective acknowledgment
Access
Basic Authentication
“Enable” Passwords
Demo: Crack Password
Line Authentication (VTY, CON, AUX)
AAA
AAA Example for TACACS/RADIUS
Demo: Crack RADIUS KEY
You can do with the Cisco IOS service command: The TCP keepalive capability allows a router to detect when the host with wh...
You can do with the Cisco IOS service command: service timestamps. You can use the service timestamps command to create times...
Verify that the EXEC process is disabled on the auxiliary (aux) port. Unused ports should be disabled, if not required, sinc...
VTYs and Remote Administration
Forbid CDP (Cisco Discovery Protocol) Run Globally. The Cisco Discovery Protocol is a proprietary protocol that Cisco devices...
Forbid tcp-small-servers, udp-small-servers. TCP small services: echo, chargen and daytime (including UDP versions) are rarely...
Forbid Finger Service. Finger is used to find out which users are logged into a device. This service is rarely used in practica...
The HTTP server allows remote management of routers. Unfortunately, it uses simple HTTP authentication which sends passwords...
HTTP Server with Access Control (Not Recommended)
The async line BOOTP service should be disabled on your system if you do not have a need for it in your network. The async li...
Forbid Remote Startup Configuration. Service config allows the device to autoload its startup configuration from a remote dev...
PAD Service (The packet assembler/disassembler service supports X.25 links). To not accept incoming/outgoing X.25 Packet Assem...
Forbid IP source-route. Source routing is a feature of IP whereby individual packets can specify routes. This feature is used...
Forbid IP Proxy ARP. Proxy ARP breaks the LAN security perimeter, effectively extending a LAN at layer 2 across multiple segmen...
Forbid IP Unreachable, Redirects, Mask Replies • Disable translation of directed to physical broadcasts on the same interfac...
Forbid MOP. The Maintenance Operations Protocol (MOP) was used for system utility services in the DECnet protocol suite. The Ma...
Forbid NTP Service
Forbid SNMP Services
Disable Router Name and DNS Name Resolution
Configure DNS Server
Set a default DNS domain name (needed for SSH)
Disable Unused Interfaces
Filtering Traffic to the Router Itself
Remote Login (Telnet) Service
SNMP Service (Recommend only SNMPv3 AuthNoPriv & AuthPriv)
Routing Service
Filtering Traffic through the Router
IP Address Spoof Protection (Inbound Traffic)
IP Address Spoof Protection (Outbound Traffic)
Exploits Protection
TCP SYN Attack
Limiting External Access with TCP Intercept (if your IOS supports it)
Land Attack
Land Attack
Smurf Attack
ICMP Message Types and Traceroute
Distributed Denial of Service (DDoS) Attacks
Routing Protocol Security
OSPF MD5 Authentication
RIP MD5 Authentication
EIGRP MD5 Authentication
EIGRP MD5 Authentication
Disabling unneeded routing-related services
Passive Interfaces (OSPF)
Using filters to block routing updates
First Define Access Control List
Filter Distributed List (OSPF)
Filter Distributed List (RIP)
Do not enable OSPF on certain interfaces
Passive Interfaces (RIP)
Audit and Management
Overview and Motivations for Logging: Recording router configuration changes and reboots; Recording receipt of traffic that...
Logging Types: Console logging, Terminal Line logging, Buffered logging, Syslog logging, SNMP trap logging
Cisco Log Message Severity Levels
Format of a Cisco IOS Log Message
Turning on logging services
Setting up Console and Buffered Logging
Buffered logging
Setting up Terminal Line Logging
Setting up Syslog Logging
A Small Syslog Configuration: server host
Centralized Syslog Configuration
Syslog and access list
SNMP Trap Logging
Time Services, Network Time Synchronization and NTP
Setting the Time Manually
The NTP Hierarchy
Configuring Basic NTP Service
NTP and access-list
Configuring NTP Authentication
SNMP Security
SNMPv3 Security
Configuring SNMP - Getting Started
SNMPv3 with limited view
Cisco IOS Software Updates
Show version
Update Procedure (TFTP): See Cisco web sites concerning the particular model of router or switch
Router Status and Configuration Commands
show logging
show ip protocol summary
show arp
show users
show host
show ip interface brief
show ip socket
Viewing the current configuration: show startup-config, show running-config
Viewing currently running processes: show process
Router Throughput and Traffic Commands
Clear counter
Viewing IP Protocol Statistics: show ip traffic
Viewing SNMP Protocol Statistics
Configure debugging and turn on debugging messages for ICMP
Security for Router Network Access Services
AAA: Authentication, Authorization, Accounting
Types of accounting: There are several types of accounting which can be enabled and configured separately: exec, network, co...
• Network accounting – Provides information for PPP, SLIP, and ARAP protocols. The information includes the number of packets...
• Command accounting – This applies to commands which are entered in an EXEC shell. This option will apply accounting to all ...
AAA accounting requirement: AAA accounting requires that – AAA is enabled, – security servers are defined, and – that a secur...
Method Lists and Server Groups
Authentication
The authentication commands used for defining messages
The default method list designates RADIUS
RADIUS security server
Authorization
Authorization There are two primary scenarios whereauthorization is useful. First, if the router is used for dial in acc...
Accounting
Configuration of TACACS+ accounting:
Configuration of RADIUS accounting
Security Server Protocols
RADIUS
TACACS+
Hardening Cisco Switch (Based on NSA Cisco IOS Switch Security Configuration Guide)
Port Security
Restricting a port statically on a Catalyst 3550 switch.
A strict security “unused” macro
A strict security “host” macro
Configure access ports of the switch
Virtual Local Area Networks (VLAN)
Create the out-of-band management VLAN.
Create a management IP address
Assign the management VLAN to the dedicated interface.
Ensure all trunk ports will not carry the management VLAN
Assign the following name for VLAN1.
Assign all inactive interfaces to an unused VLAN (not VLAN1)
Virtual Trunking Protocol (VTP)
If VTP could be disabled
If VTP is necessary
Trunk Auto-Negotiation
Dynamic Trunking Protocol (DTP) A port may use the Dynamic TrunkingProtocol (DTP) to automatically negotiatewhich trunkin...
DTP-related security issues
DTP-related security issues
VLAN Hopping
VLAN Hopping In certain situations it is possible to craft apacket in such a way that a port in trunkingmode will interpr...
Spanning Tree Protocol
STP Portfast Bridge Protocol Data Unit (BPDU) Guard
STP Root Guard
(config)#no ip bootp server
(config)#no tcp-small-servers
(config)#no udp-small-servers
(config)#service time log datetime...
Published in: Technology
  • As a general practice banners should contain the following information and warnings:
– Only authorized personnel should gain access
– System logs are being maintained and could be used as evidence in criminal and/or civil court
– Unauthorized access is unlawful and is subject to civil and/or criminal penalties
Be sure banners comply with corporate policies, so that the verbiage does not conflict with policies. Consider having banners reviewed by corporate legal counsel. Things not to put in a banner: Do not mention company name, physical device location. Never use the word ‘welcome’. Different banner messages may be used in different network locations. Border routers may use a message such as this one. Internal routers may include warnings regarding disciplinary actions in addition to or instead of criminal/civil actions.
  • enable secret. The enable secret command is used to set the password that grants privileged administrative access to the IOS system. An enable secret password should always be set. The enable secret should be used, not the older enable password. enable password uses a weak encryption algorithm (see the description of the "service password-encryption" command). If no enable secret is set, and a password is configured for the console TTY line, the console password may be used to get privileged access, even from a remote VTY session. This is almost certainly not wanted, and is another reason to be certain to configure an enable secret.
service password-encryption (and its limitations). The service password-encryption command directs the IOS software to encrypt the passwords, CHAP secrets, and similar data that are saved in its configuration file. This is useful for preventing casual observers from reading passwords, for example, when they happen to look at the screen over an administrator's shoulder. However, the algorithm used by service password-encryption is a simple Vigenere cipher; any competent amateur cryptographer could easily reverse it in at most a few hours. The algorithm was not designed to protect configuration files against serious analysis by even slightly sophisticated attackers, and should not be used for this purpose. Any Cisco configuration file that contains encrypted passwords should be treated with the same care used for a clear text list of those same passwords. This weak encryption warning does not apply to passwords set with the enable secret command, but it does apply to passwords set with enable password. The enable secret command uses MD5 for password hashing. The algorithm has had considerable public review, and is not reversible. It is, however, subject to dictionary attacks (a "dictionary attack" is having a computer try every word in a dictionary or other list of candidate passwords).
It's therefore wise to keep your configuration file out of the hands of untrusted sources, especially if you're not sure your passwords are well chosen. More information about password encryption is available on Cisco's Web site at http://www.cisco.com/warp/public/701/64.html. The following global configuration command encrypts passwords in the written router configurations. Therefore, if the router configuration is copied and listed, the passwords do not appear in the clear-text configuration.
service password-encryption
line aux 0
 access-class 2 in
 transport input all
line vty 0 4
 access-class 1 in
 password 7 xxxxxxxxxxxxx
 login
! Add access-lists:
! Allow only specific hosts to telnet into router:
access-list 1 permit 169.254.92.39
! Block access to aux.
access-list 2 deny 0.0.0.0 255.255.255.255
  • Console Port. It's important to remember that the console port of an IOS device has special privileges. In particular if a BREAK signal is sent to the console port during the first few seconds after a reboot, the password recovery procedure can easily be used to take control of the system. This means that attackers who can interrupt power or indu a system crash, and who have access to the console port via a hardwired terminal, a modem, a terminal server, or some other network device, can take control of the system, even if they do not have physical access to it or the ability to log in to it normally. It follows that any modem or network device that gives access to the Cisco console port must itself be secured to a standard comparable to the security used for privileged access to the router. At a bare minimum, any console modem should be of a type that can require the dialup user to supply a password for access, and the modem password should be carefully managed. Also, set a timeout for the console session so that it will time out and require an authenticated login to regain console access. The following command sets the timeout to 5 minutes:
line con 0
 exec-timeout 5 0
AUX Port. The use of the AUX port on the border router is not recommended. It is recommended that all access to this port be disabled by using a “no exec” command. The following shows an example of doing this.
line aux 0
 no exec
VTYs. Defining access-classes to limit access to the vty interfaces on routers is recommended. The following access list is used to limit vty (i.e. telnet) access to the border router(s) to addresses from [Client]. Telnet connections originating from outside of [Client] will be ignored.
access-list 1 permit 12.xx.xx.0 0.0.1.255
access-list 1 deny any
line vty 0 4
 access-class 1 in
It is recommended that [Client] use TACACS or RADIUS for login authentication. Here is an example of how TACACS might be configured. These commands are pending getting a TACACS server up and running to be able to authenticate router logins.
tacacs-server host w.x.y.z
tacacs-server last-resort succeed
line vty 0 4
 login tacacs
It would be beneficial if there were multiple levels of access to the routers for operations and engineering personnel. This can be accomplished with privilege levels. Below is an example of how to enable this on the routers.
enable password level 10 password10
privilege exec level 10 show startup-config
privilege exec level 10 copy run tftp
To change to the appropriate privilege level, run the following command.
enable <level>
It is also possible to use commands like the following to show the current privilege level and exit out of a privilege level.
show privilege
disable <level>
Notes from Scott Hogg: put access-class on its own slide and describe more how it works - it doesn't work for con, aux ports. Expand the discussion about RADIUS and TACACS - talk about the pros-cons of each in a Cisco shop.
  • privilege level 1 = non-privileged (prompt is router>), the default level for login
privilege level 15 = privileged (prompt is router#), the level after going into enable mode
privilege level 0 = seldom-used, but includes 5 commands: disable, enable, exit, help, and logout
http://www.cisco.com/en/US/tech/tk583/tk547/technologies_tech_note09186a008009465c.shtml
  • service password-encryption. To encrypt passwords, use the service password-encryption command in global configuration mode. To restore the default, use the no form of this command.
(config)#service password-encryption
The TCP keepalive capability allows a router to detect when the host with which it is communicating experiences a system failure, even if data stops being transmitted (in either direction). This is most useful on incoming connections. For example, if a host failure occurs while talking to a printer, the router might never notice, because the printer does not generate any traffic in the opposite direction. If keepalives are enabled, they are sent once every minute on otherwise idle connections. If five minutes pass and no keepalives are detected, the connection is closed. The connection is also closed if the host replies to a keepalive packet with a reset packet. This will happen if the host crashes and comes back up again. To generate keepalive packets on idle incoming network connections (initiated by the remote host), use the service tcp-keepalives-in global configuration command. To disable the keepalives, use the no form of this command.
(config)#service tcp-keepalives-in
To generate keepalive packets on idle outgoing network connections (initiated by a user), use the service tcp-keepalives-out global configuration command. To disable the keepalives, use the no form of this command.
(config)#service tcp-keepalives-out
To configure the system to time-stamp debugging or logging messages, use one of the service timestamps global configuration commands. To disable this service, use the no form of this command.
(config)#service timestamps message-type [uptime]
(config)#service timestamps message-type datetime [msec] [localtime] [show-timezone]
(config)#no service timestamps type

    1. In-depth Understanding Network Security (Hardening CISCO Router/Switch)
    2. CIS Level 1 & 2 Benchmarks and Audit Tool for Cisco IOS Routers and PIX firewalls
    3. IOS/PIX Benchmarks and RAT for Windows. Features of the 2.2 version of the Router Audit Tool (RAT):
– Ability to score Cisco Router IOS.
– Ability to score Cisco PIX firewalls.
– Includes benchmark documents (PDF) for both Cisco IOS and Cisco ASA, FWSM, and PIX security settings.
    4. RAT for Windows
    5. RAT for Windows. To run any RAT programs, you'll need to know the drive and pathname where RAT was installed. You can put this directory onto your PATH:
C:\> set PATH=D:\CIS\RAT\bin;%PATH%
    6. RAT for Windows. To run the rat program and see a list of its options, you could type the following:
C:\> rat --help
    7. RAT for Windows. Before you use RAT, you should use the ncat_config program to create a rule file specific to your routers. Here is how to run ncat_config:
D:\> ncat_config
... lots of questions appear here ...
After all questions we will get a template named “D:\CIS\RAT/etc/configs/cisco-ios/local.conf”
    8. RAT for Windows
  – Copy Template to Test Directory
  – Copy configuration files from your router
  – Run rat to audit your configuration file:
D:\> cd Test
D:\Test> rat -r local.conf cisco-router-confg
    9. RAT for Windows
    10. RAT for Windows
    11. RAT for Windows
    12. RAT for Windows
    13. RAT for Windows
    14. Hardening Cisco Router. Based on NSA Router Security Configuration Guide
    15. Router Security Configuration Guide of NSA’s SNAC (Based on version 1.1c)
    16. Physical Security. Network equipment, especially routers and switches, should be located in a limited access area. This area should be under some sort of supervision 24 hours a day and 7 days a week. A room where routers are located should be free of electrostatic and magnetic interference. The area should also be controlled for temperature and humidity. If at all possible, all routers should be placed on an Uninterruptible Power Supply (UPS), because a short power outage can leave some network equipment in undetermined states.
    17. Router Network Traffic and the Loopback Interface. Cisco IOS routers have the ability to define internal virtual interfaces, called loopback interfaces. It is considered best practice, in configuring Cisco routers, to define one loopback interface, and designate it as the source interface for most traffic generated by the router itself.
    18. Banner Rules
    19. Banner Rules
Router1#configure terminal
Router1(config)#banner motd ^C
*************************************************************
!! ONLY AUTHORIZED USERS ARE ALLOWED TO LOGON UNDER PENALTY OF LAW !!
This is a private computer network and may be used only by direct permission of its owner(s). The owner(s) reserves the right to monitor use of this network to ensure network security and to respond to specific allegations of misuse. Use of this network shall constitute consent to monitoring for these and any other purposes. In addition, the owner(s) reserves the right to consent to a valid law enforcement request to search the network for evidence of a crime stored within this network.
*************************************************************
^C
    20. Stopping SYN Flooding Attacks
    21. Normal TCP 3-Way Handshake
    22. TCP SYN flooding attack. Attack Demonstration: Enough illegitimate TCBs are in SYN-RECEIVED that a legitimate connection cannot be initiated.
    23. Countermeasures: TCP SYN flooding attack. You can configure a router to protect your servers against TCP SYN attacks by enabling the ip tcp intercept command:
Router1#configure terminal
Router1(config)#access-list 109 permit ip any host 192.168.99.2
Router1(config)#ip tcp intercept list 109
Router1(config)#ip tcp intercept max-incomplete high 10
Router1(config)#ip tcp intercept one-minute high 15
Router1(config)#ip tcp intercept max-incomplete low 5
Router1(config)#ip tcp intercept one-minute low 10
Router1(config)#end
Router1#
    24. TCP Intercept feature. When you enable the TCP Intercept feature, the router doesn't forward the initial SYN packet to the server. Instead, it responds directly to the client with a SYN-ACK packet, as if it were the server. If the client is legitimate and begins the TCP session, then the router quickly opens a session to the server, knits the two ends of the connection together, and steps into its more usual role of simply forwarding packets.
    25. TCP Intercept feature
Router1(config)#access-list 109 permit ip any host 192.168.99.2
Router1(config)#ip tcp intercept list 109
    26. TCP Intercept feature. By default, the router allows 1,100 half-open sessions before going into aggressive mode. Configure this value using the ip tcp intercept max-incomplete high command.
Router1(config)#ip tcp intercept max-incomplete high 10
When we deliberately initiate a series of half-open sessions, we see this log message:
Nov 15 13:56:38.944: %TCP-6-INTERCEPT: getting aggressive, count (10/10) 1 min 0
A short time later, the attack ended, and the router went back into its normal mode:
Nov 15 13:58:14.367: %TCP-6-INTERCEPT: calming down, count (0/5) 1 min 11
    27. TCP Intercept feature. You can also set thresholds on the number of TCP sessions initiated per minute:
Router1(config)#ip tcp intercept one-minute high 15
The conditions for returning to normal mode are defined by these two commands:
Router1(config)#ip tcp intercept max-incomplete low 5
Router1(config)#ip tcp intercept one-minute low 10
The first command sets the low-water mark for the total number of half-open sessions, while the second command sets the low-water mark for the number of session-initiation attempts per minute.
    28. TCP Intercept feature. By default, the router will allow a TCP session to be inactive for 24 hours (86,400 seconds). However, you can change this using the ip tcp intercept connection-timeout command, which accepts an argument in seconds. Here we set a maximum value of one hour:
Router1(config)#ip tcp intercept connection-timeout 3600
By default the aggressive mode of the TCP Intercept feature will drop the oldest half-open connection each time it receives a new connection attempt. However, you can instead configure it to drop a randomly selected connection out of the table:
Router1(config)#ip tcp intercept drop-mode random
    29. TCP Intercept feature. You can configure how long the router will watch a session, waiting for it to complete the TCP session initiation. By default, it waits 30 seconds, but you can change this value with the following command, which specifies this timeout value in seconds:
Router1(config)#ip tcp intercept watch-timeout 15
    30. TCP Intercept feature. And one final option allows you to set whether the router actively intercepts and responds to TCP SYN packets, or instead allows these packets to pass through normally, but watches the session to ensure that it connects properly. By default the router will completely protect the server by taking over all responsibility for setting up the session. You can configure it to let the server handle the call, and only step in if there is a problem by configuring watch mode:
Router1(config)#ip tcp intercept mode watch
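To make the watermark behaviour of slides 26–30 concrete, here is a small Python model of the aggressive-mode logic, added here as an example (not code from the slides or from Cisco IOS). It assumes the thresholds configured above (max-incomplete high 10 / low 5, one-minute high 15 / low 10), reduces all timing to a single watch timeout, and also parses the %TCP-6-INTERCEPT messages shown on slide 26.

```python
"""Model of the TCP Intercept watermark logic configured on the slides.
Added example, not code from the deck or from Cisco IOS. It replays the
max-incomplete high/low, one-minute high/low and drop-mode settings and
parses the %TCP-6-INTERCEPT messages the slides show. Timing is simplified:
one watch_timeout expires any half-open entry that never completes."""
import random
import re
from collections import OrderedDict


class TcpIntercept:
    def __init__(self, max_incomplete_high=1100, max_incomplete_low=900,
                 one_minute_high=1100, one_minute_low=900,
                 drop_mode="oldest", watch_timeout=30, rng=None):
        self.max_incomplete_high = max_incomplete_high
        self.max_incomplete_low = max_incomplete_low
        self.one_minute_high = one_minute_high
        self.one_minute_low = one_minute_low
        self.drop_mode = drop_mode          # "oldest" (IOS default) or "random"
        self.watch_timeout = watch_timeout  # seconds allowed for the handshake to finish
        self.rng = rng or random.Random(1)
        self.half_open = OrderedDict()      # client -> time of its SYN; insertion order = age
        self.syn_times = []                 # SYN arrival times, pruned to the last 60 s
        self.aggressive = False
        self.established = 0
        self.events = []                    # messages in the %TCP-6-INTERCEPT style

    def _one_minute_rate(self, now):
        self.syn_times = [t for t in self.syn_times if now - t < 60]
        return len(self.syn_times)

    def _expire(self, now):
        # Entries that never completed within watch_timeout are dropped, so a
        # slow trickle of SYNs cannot hold the table open indefinitely.
        for client, t in list(self.half_open.items()):
            if now - t >= self.watch_timeout:
                del self.half_open[client]

    def _update_mode(self, now):
        n, rate = len(self.half_open), self._one_minute_rate(now)
        # Crossing either high-water mark enters aggressive mode ...
        if not self.aggressive and (n >= self.max_incomplete_high
                                    or rate >= self.one_minute_high):
            self.aggressive = True
            self.events.append(f"getting aggressive, count ({n}/{self.max_incomplete_high}) 1 min {rate}")
        # ... and both low-water marks must be met before calming down.
        elif self.aggressive and n <= self.max_incomplete_low and rate <= self.one_minute_low:
            self.aggressive = False
            self.events.append(f"calming down, count ({n}/{self.max_incomplete_low}) 1 min {rate}")

    def syn(self, client, now):
        """A client SYN arrives: the router answers SYN-ACK itself and records a half-open entry."""
        self.syn_times.append(now)
        self._expire(now)
        if self.aggressive and self.half_open:
            # Aggressive mode: every new attempt evicts one existing half-open entry.
            if self.drop_mode == "oldest":
                victim = next(iter(self.half_open))
            else:
                victim = self.rng.choice(list(self.half_open))
            del self.half_open[victim]
        self.half_open[client] = now
        self._update_mode(now)

    def ack(self, client, now):
        """The client finishes the handshake: the router opens the server side and stops tracking it."""
        if client not in self.half_open:
            return False
        del self.half_open[client]
        self.established += 1
        self._update_mode(now)
        return True


INTERCEPT_RE = re.compile(r"%TCP-6-INTERCEPT: (getting aggressive|calming down), "
                          r"count ?\((\d+)/(\d+)\) 1 min (\d+)")


def parse_intercept_log(line):
    """Extract the mode change and counters from a %TCP-6-INTERCEPT syslog line."""
    m = INTERCEPT_RE.search(line)
    if not m:
        return None
    return {"aggressive": m.group(1) == "getting aggressive",
            "half_open": int(m.group(2)), "threshold": int(m.group(3)),
            "per_minute": int(m.group(4))}


def run_demo():
    """Replay the slides' scenario with constructed clients: ten half-open sessions
    trip the high-water mark, an eleventh attempt evicts the oldest entry, and five
    clients completing after the flood bring the router back to normal mode."""
    ti = TcpIntercept(max_incomplete_high=10, max_incomplete_low=5,
                      one_minute_high=15, one_minute_low=10, watch_timeout=3600)
    for i in range(10):
        ti.syn(f"10.0.0.{i}", now=float(i))
    ti.syn("10.0.0.10", now=10.0)
    for i in range(1, 6):
        ti.ack(f"10.0.0.{i}", now=100.0)
    return ti


if __name__ == "__main__":
    for e in run_demo().events:
        print("%TCP-6-INTERCEPT:", e)
```

Run as a script it prints the two mode-change events in the same form as the slide's log lines, which is also the format the parser accepts.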
    31. 31. Other IP stack Tune-ups
    32. 32. Nagle congestion control algorithmThe Nagle Algorithm prevents excessive bandwithutilization by applications that send many small packets.It allows slight delays before sending individual smallpackets in order to combine them into a single largerpacket.Router1#configure terminalRouter1(config)#(config)#service nagle
33. Limit embryonic TCP connections
To help limit the vulnerability to TCP SYN-flood attacks, use the global configuration command ip tcp synwait-time to limit the number of seconds the router spends waiting for the ACK before giving up on a half-open connection.
Router1#configure terminal
Router1(config)#ip tcp synwait-time 10
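An added illustration, not part of the slides: a small Python model of a half-open connection table governed by the timeout the last three slides describe (ip tcp intercept watch-timeout and ip tcp synwait-time). The slot count of 5, the five spoofed SYNs and the two legitimate clients are constructed values; run_scenario compares the 30-second default against the 10-second value used on this slide.

```python
"""Half-open (embryonic) TCP connection table with a SYN-wait timeout.

Added example, not from the slides. It models why `ip tcp synwait-time` (and
the `ip tcp intercept watch-timeout` on the previous slides) matters during a
SYN flood: a server keeps a bounded number of SYN-RECEIVED entries, spoofed
SYNs never complete, and only the timeout frees those entries for legitimate
clients. Capacity, timings and the event list are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    capacity: int        # SYN-RECEIVED entries the server can hold at once
    synwait: float       # seconds to wait for the client's ACK before giving up
    pending: dict = field(default_factory=dict)   # client -> time its SYN arrived
    completed: list = field(default_factory=list)
    refused: list = field(default_factory=list)
    reaped: int = 0      # entries dropped because the ACK never came

    def _expire(self, now):
        """Drop every entry that has waited synwait seconds or longer."""
        for client in [c for c, t in self.pending.items() if now - t >= self.synwait]:
            del self.pending[client]
            self.reaped += 1

    def syn(self, client, now):
        """A SYN arrives; it is accepted only if the table has room after reaping."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.refused.append(client)   # SYN dropped: the connection attempt fails
            return False
        self.pending[client] = now
        return True

    def ack(self, client, now):
        """Third handshake packet arrives; True if it completes a live entry."""
        self._expire(now)
        if client not in self.pending:
            return False                  # never accepted, or already reaped
        del self.pending[client]
        self.completed.append(client)
        return True


def run_scenario(synwait):
    """Five spoofed SYNs fill a 5-slot table at t=0; two real clients then try."""
    table = HalfOpenTable(capacity=5, synwait=synwait)
    events = [(0.0, "syn", f"spoof{i}") for i in range(5)]        # never ACKed
    events += [(5.0, "syn", "c1"), (5.2, "ack", "c1"),            # during the flood
               (12.0, "syn", "c2"), (12.2, "ack", "c2")]          # after a 10 s timeout
    for t, kind, client in sorted(events):
        (table.syn if kind == "syn" else table.ack)(client, t)
    return {"completed": table.completed, "refused": table.refused, "reaped": table.reaped}
```

With the 30-second default neither legitimate client gets a slot, because the spoofed entries outlive both attempts; with 10 seconds the five stale entries are reaped before the second client's SYN and that connection completes. The model is deliberately narrow: it does not reproduce TCP Intercept answering SYNs on the server's behalf or its aggressive mode, only the effect of bounding how long a half-open entry is allowed to live.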
34. TCP selective acknowledgment
The TCP selective acknowledgment mechanism helps overcome the limitations of plain cumulative acknowledgments. The receiving TCP returns selective acknowledgment packets to the sender, informing the sender about data that has been received. The sender can then retransmit only the missing data segments.
Router1#configure terminal
Router1(config)#ip tcp selective-ack
35. Access
Before deciding how to control router access, ask these questions:
• Who needs access?
• When do they need access?
• From where do they need access?
• During what time schedule do they need access?
36. Basic Authentication
• Basic authentication stores passwords as clear text
• Use service password-encryption
– Encrypts passwords using a Vigenere cipher
– Can be cracked relatively easily
– Does not encrypt SNMP community strings
– no enable password
• Use enable secret <password>
– Encrypts passwords using an MD5 hash
37. “Enable” Passwords
38. Demo: Crack Password
39. Line Authentication (VTY, CON, AUX)
Use an access list to control VTY access:
access-list 1 permit host 10.1.1.2
line vty 0 4
 password 7 12552D23830F94
 exec-timeout 5 0
 access-class 1 in
 login
 transport input telnet ssh
Control CON access:
line con 0
 password 7 12552D23830F94
 exec-timeout 5 0
 login
Control AUX access:
line aux 0
 no exec
 exec-timeout 0 0
 no login
 transport input none
 transport output none
40. AAA
Secure user logins with AAA on all ports, virtual and physical:
– Local AAA (username)
– RADIUS (Steel Belted Radius)
– TACACS+ (Cisco Secure ACS)
Use privilege levels to control granular access to commands.
41. AAA Example for TACACS/RADIUS
Secure user logins with AAA on all ports, virtual and physical:
aaa new-model
aaa authentication login default group tacacs+|radius local
aaa authorization exec default group tacacs+|radius local
username backup privilege 7 password 0 backup
tacacs-server host 171.68.118.101
tacacs-server key cisco
radius-server host 171.68.118.101
radius-server key cisco
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure
42. Demo: Crack RADIUS KEY
43. What you can do with the Cisco IOS service command: TCP keepalives
The TCP keepalive capability allows a router to detect when the host with which it is communicating experiences a system failure, even if data stops being transmitted (in either direction). This is most useful on incoming connections. For example, if a host failure occurs while talking to a printer, the router might never notice, because the printer does not generate any traffic in the opposite direction. If keepalives are enabled, they are sent once every minute on otherwise idle connections. If five minutes pass and no keepalives are detected, the connection is closed.
(config)#service tcp-keepalives-in
(config)#service tcp-keepalives-out
44. What you can do with the Cisco IOS service command: service timestamps
You can use the service timestamps command to create timestamps on the router's log files. Since version 11.3, Cisco IOS has enabled certain timestamps by default, so most of us have this on. However, there are additional timestamp options that you can enable, as well as places where timestamps are probably off by default.
(config)#service timestamps message-type [uptime]
(config)#service timestamps message-type datetime [msec] [localtime] [show-timezone]
45. Disable Login Through AUX Port
Verify that the EXEC process is disabled on the auxiliary (aux) port. Unused ports should be disabled if not required, since they provide a potential access path for attackers. The auxiliary port is primarily used for dial-up administration via an external modem, which is rarely used.
46. VTYs and Remote Administration
47. Forbid CDP (Cisco Discovery Protocol) Run Globally
The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each other on a LAN segment. It is useful only in specialized situations, and is considered a security risk. There have been published denial-of-service (DoS) attacks that use CDP. CDP should be completely disabled unless there is a need for it.
48. Forbid tcp-small-servers, udp-small-servers
TCP small services (echo, chargen and daytime, including their UDP versions) are rarely used. Services that are not needed should be turned off because they present potential avenues of attack and may provide information that could be useful for gaining unauthorized access.
49. Forbid Finger Service
Finger is used to find out which users are logged into a device. This service is rarely used in practical environments and can potentially provide an attacker with useful information. Additionally, the finger service can expose the device to the "Finger of Death" denial-of-service (DoS) attack.
50. Forbid IP HTTP Server
The HTTP server allows remote management of routers. Unfortunately, it uses simple HTTP authentication, which sends passwords in the clear. This could allow unauthorized access to, and [mis]management of, the router.
51. HTTP Server with Access Control (Not Recommended)
52. Disable BOOTP Server
The async-line BOOTP service should be disabled on your system if you do not have a need for it in your network.
53. Forbid Remote Startup Configuration
Service config allows the device to autoload its startup configuration from a remote device (e.g. a TFTP server). The protocols used to transfer configuration files are insecure, so an attacker could potentially compromise or spoof the remote configuration service, enabling malicious reconfiguration of the device.
54. PAD Service
(The packet assembler/disassembler service supports X.25 links.)
To not accept incoming or outgoing X.25 Packet Assembler/Disassembler (PAD) connections, this global configuration command should be used. It is important to make sure this is disabled by default.
55. Forbid IP source-route
Source routing is a feature of IP whereby individual packets can specify routes. This feature is used in several kinds of attacks. Cisco routers normally accept and process source routes. Unless a network depends on source routing, it should be disabled.
56. Forbid IP Proxy ARP
Proxy ARP breaks the LAN security perimeter, effectively extending a LAN at layer 2 across multiple segments. Disable proxy ARP on all interfaces.
57. Forbid IP Unreachables, Redirects, Mask Replies
• Disable translation of directed to physical broadcasts on the same interface. This configuration protects against “smurf” attacks.
• Don’t allow redirect messages to pass through the router. ICMP redirects should be disabled.
• Make it more difficult for someone to scan for valid IP addresses by turning off IP unreachables on all interfaces.
• Prevent the Cisco IOS software from responding to Internet Control Message Protocol (ICMP) mask requests by sending ICMP mask reply messages.
58. Forbid MOP
The Maintenance Operations Protocol (MOP) was used for system utility services in the DECnet protocol suite.
59. Forbid NTP Service
60. Forbid SNMP Services
61. Disable Router Name and DNS Name Resolution
62. Configure DNS Server
63. Set a default DNS domain name (needed for SSH)
64. Disable Unused Interfaces
65. Filtering Traffic to the Router Itself
66. Remote Login (Telnet) Service
67. SNMP Service (Recommend only SNMPv3 AuthNoPriv & AuthPriv)
68. Routing Service
69. Filtering Traffic through the Router
70. IP Address Spoof Protection (Inbound Traffic)
71. IP Address Spoof Protection (Outbound Traffic)
72. Exploits Protection
73. TCP SYN Attack
74. Limiting External Access with TCP Intercept (if your IOS supports it)
75. Land Attack
76. Land Attack
77. Smurf Attack
78. ICMP Message Types and Traceroute
79. Distributed Denial of Service (DDoS) Attacks
80. Routing Protocol Security
81. OSPF MD5 Authentication
82. RIP MD5 Authentication
83. EIGRP MD5 Authentication
84. EIGRP MD5 Authentication
85. Disabling unneeded routing-related services
86. Passive Interfaces (OSPF)
87. Using filters to block routing updates
88. First Define Access Control List
89. Filter Distributed List (OSPF)
90. Filter Distributed List (RIP)
91. Not enabling OSPF on certain interfaces
92. Passive Interfaces (RIP)
93. Audit and Management
94. Overview and Motivations for Logging
• Recording router configuration changes and reboots
• Recording receipt of traffic that violates access lists
• Recording changes in interface and network status
• Recording router cryptographic security violations
95. Logging Types
• Console logging
• Terminal line logging
• Buffered logging
• Syslog logging
• SNMP trap logging
96. Cisco Log Message Severity Levels
97. Format of a Cisco IOS Log Message
98. Turning on logging services
99. Setting up Console and Buffered Logging
100. Buffered logging
101. Setting up Terminal Line Logging
102. Setting up Syslog Logging
103. A Small Syslog Configuration (server host)
104. Centralized Syslog Configuration
105. Syslog and access list
106. SNMP Trap Logging
107. Time Services, Network Time Synchronization and NTP
108. Setting the Time Manually
109. The NTP Hierarchy
110. Configuring Basic NTP Service
111. NTP and access-list
112. Configuring NTP Authentication
113. SNMP Security
114. SNMPv3 Security
115. Configuring SNMP - Getting Started
116. SNMPv3 with limited view
117. Cisco IOS Software Updates
118. Show version
119. Update Procedure: TFTP. See Cisco web sites concerning the particular model of router or switch.
120. Router Status and Configuration Commands
121. show logging
122. show ip protocol summary
123. show arp
124. show users
125. show host
126. show ip interface brief
127. show ip socket
128. Viewing the current configuration: show startup-config, show running-config
129. Viewing currently running processes: show process
130. Router Throughput and Traffic Commands
131. Clear counter
132. Viewing IP Protocol Statistics: show ip traffic
133. Viewing SNMP Protocol Statistics
134. Configure debugging and turn on debugging messages for ICMP
135. Security for Router Network Access Services
136. AAA: Authentication, Authorization, Accounting
137. Types of accounting
There are several types of accounting which can be enabled and configured separately: exec, network, connection, command, system. All types are supported by TACACS+, but RADIUS does not support command or system.
138.
• Network accounting
– Provides information for PPP, SLIP, and ARAP protocols. The information includes the number of packets and bytes.
• EXEC accounting
– Provides information about user EXEC sessions on the router. The information includes the username, date, start and stop times, IP address of the access server, and the telephone number the call originated from for dial-in users.
• Connection accounting
– Provides information about all outbound connections made from the network access server. This includes telnet, rlogin, etc.
139.
• Command accounting
– This applies to commands which are entered in an EXEC shell. This option will apply accounting to all commands issued at the specified privilege level. If accounting is turned on for level 15 and a user logged in at enable level 15 runs a level 1 exec command, no accounting event will be generated. Accounting records are generated based upon the level of the command, not the level of the user. Accounting records will include the command, date, time, and the user. Cisco IOS does not support command accounting with RADIUS.
• System
– Provides information about system-level events. This would include information like system
140. AAA accounting requirement
AAA accounting requires that:
– AAA is enabled,
– security servers are defined, and
– a security server is specified for each accounting type which is desired.
141. Method Lists and Server Groups
142. Authentication
143. The authentication commands used for defining messages
144. The default method list designates RADIUS
145. RADIUS security server
146. Authorization
147. Authorization
There are two primary scenarios where authorization is useful. First, if the router is used for dial-in access, authorization is useful for controlling who can access network services, etc. and who can access and configure the router. Second, authorization can control different administrators who have access to different privilege levels on the router.
148. Accounting
149. Configuration of TACACS+ accounting
150. Configuration of RADIUS accounting
151. Security Server Protocols
152. RADIUS
153. TACACS+
154. Hardening Cisco Switch (Based on NSA Cisco IOS Switch Security Configuration Guide)
155. Port Security
156. Restricting a port statically on a Catalyst 3550 switch
157. A strict security “unused” macro
158. A strict security “host” macro
159. Configure access ports of the switch
160. Virtual Local Area Networks (VLAN)
161. Create the out-of-band management VLAN
162. Create a management IP address
163. Assign the management VLAN to the dedicated interface
164. Ensure all trunk ports will not carry the management VLAN
165. Assign the following name for VLAN1
166. Assign all inactive interfaces to an unused VLAN (not VLAN1)
167. Virtual Trunking Protocol (VTP)
168. If VTP could be disabled
169. If VTP is necessary
170. Trunk Auto-Negotiation
171. Dynamic Trunking Protocol (DTP)
A port may use the Dynamic Trunking Protocol (DTP) to automatically negotiate which trunking protocol it will use, and how the trunking protocol will operate.
172. DTP-related security issues
173. DTP-related security issues
174. VLAN Hopping
175. VLAN Hopping
In certain situations it is possible to craft a packet in such a way that a port in trunking mode will interpret a native VLAN packet as though it were from another VLAN, allowing the packet to become a member of a different VLAN. This technique is known as VLAN hopping.
176. Spanning Tree Protocol
177. STP Portfast Bridge Protocol Data Unit (BPDU) Guard
178. STP Root Guard
179. Configuration basics (1)
• Turn off all the unneeded services
• Use syslog
• Use (authenticated) NTP
(config)#no ip bootp server
(config)#no tcp-small-servers
(config)#no udp-small-servers
(config)#service timestamps log datetime localtime show-timezone msec
(config)#service timestamps debug datetime localtime show-timezone msec
logging x.x.x.x
logging trap debugging
logging source loopback0
logging buffered 64000 debugging
ntp authentication-key 10 md5 <key>
ntp authenticate
ntp trusted-key 10
ntp server x.x.x.x [key 10]
ntp access-group peer 20
access-list 20 permit host x.x.x.x
access-list 20 deny any
(config)#no service
(config)#no service
(config)#no ip http server
(config)#no ip source-route
(config)#no cdp run
(config)#no boot network
(config)#no service config
(config)#no ip subnet-zero
(config)#no ip identd
(config)#no ip finger
(config)#service nagle
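As an added example for this summary slide and for the service, line-authentication, AAA and ICMP slides above (not code from the NSA guide, the CIS benchmark or the RAT tool): a Python audit that parses a running-config the way a rule-based checker reads it and reports which of the slides' recommendations are missing. The rule strings, finding messages and the constructed SAMPLE_CONFIG are this example's own; the type 7 password value is the one shown on the line-authentication slide.

```python
"""Audit a Cisco IOS running-config for the hardening items in these slides.

Added example written for this page, not code from the NSA guide, the CIS
benchmark or RAT. IOS indents sub-commands one space under their parent
(interface, line), which is how the parser groups them. The sample config
at the bottom is constructed; the rule set is a subset of the slides.
"""

# Global commands the slides say should be present ('no' forms included).
REQUIRED_GLOBAL = [
    "aaa new-model",                 # AAA on all ports, virtual and physical
    "service password-encryption",   # else line passwords are clear text
    "service tcp-keepalives-in",     # close incoming sessions whose host died
    "no ip http server",             # HTTP mgmt sends passwords in the clear
    "no cdp run",                    # published DoS attacks use CDP
    "no ip source-route",            # source routing is used in several attacks
    "no ip finger",                  # finger leaks who is logged in
    "no service tcp-small-servers",  # echo, chargen, daytime
    "no service udp-small-servers",
    "no ip bootp server",
    "no service config",             # startup-config over TFTP can be spoofed
]
# Matched by prefix because the argument varies per site.
REQUIRED_PREFIX = [
    ("enable secret ", "no 'enable secret' (MD5); 'enable password' is reversible"),
    ("service timestamps log datetime", "log timestamps not in datetime form"),
]
# Per-interface: proxy ARP, smurf amplification, ICMP redirects/unreachables/mask replies.
REQUIRED_INTERFACE = ["no ip proxy-arp", "no ip directed-broadcast",
                      "no ip redirects", "no ip unreachables", "no ip mask-reply"]

def parse_config(text):
    """Return [(command, [sub-commands])] in file order; '!' lines are dropped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_line(cmd, subs):
    """Checks for 'line aux' and 'line vty' blocks (slide 39)."""
    out = []
    if any(s.startswith("password 7 ") for s in subs):
        out.append(f"{cmd}: type 7 password is Vigenere-obfuscated, easily recovered")
    if cmd.startswith("line aux"):
        out += [f"{cmd}: missing '{r}'" for r in ("no exec", "transport input none") if r not in subs]
    elif cmd.startswith("line vty"):
        if not any(s.startswith("access-class ") and s.endswith(" in") for s in subs):
            out.append(f"{cmd}: no inbound access-class limiting management sources")
        timeouts = [s for s in subs if s.startswith("exec-timeout ")]
        if not timeouts or timeouts[0] == "exec-timeout 0 0":
            out.append(f"{cmd}: idle sessions never time out")
        if any(s.startswith("transport input ") and "telnet" in s.split() for s in subs):
            out.append(f"{cmd}: telnet permitted; credentials cross the wire unencrypted")
    return out

def audit(text):
    """Return the list of findings; an empty list means every rule passed."""
    blocks = parse_config(text)
    top = [cmd for cmd, _ in blocks]
    findings = [f"global: missing '{r}'" for r in REQUIRED_GLOBAL if r not in top]
    for prefix, msg in REQUIRED_PREFIX:
        if not any(cmd.startswith(prefix) for cmd in top):
            findings.append(f"global: {msg}")
    for cmd, subs in blocks:
        if cmd.startswith("interface "):
            findings += [f"{cmd}: missing '{r}'" for r in REQUIRED_INTERFACE if r not in subs]
        elif cmd.startswith("line "):
            findings += audit_line(cmd, subs)
    return findings

# Constructed sample: mostly hardened, with a few gaps left in on purpose.
SAMPLE_CONFIG = """\
aaa new-model
service password-encryption
service tcp-keepalives-in
service timestamps log datetime msec localtime show-timezone
enable secret 5 $1$PLACEHOLDER$hashvalueplaceholder000
no ip http server
no cdp run
no ip source-route
no ip finger
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
line aux 0
 no exec
 transport input none
line vty 0 4
 password 7 12552D23830F94
 exec-timeout 5 0
 access-class 1 in
 transport input telnet ssh
"""
```

audit(SAMPLE_CONFIG) reports seven findings: the missing no service config, the four proxy-ARP/ICMP sub-commands absent from FastEthernet0/0, and on the VTY lines the reversible type 7 password and the telnet transport. Commands that IOS hides when left at their default (for example no service tcp-small-servers on newer releases) do not appear in show running-config, so on such releases a rule that requires the literal no form needs show running-config all or a default-aware rule.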
