Cisco Equipment Security


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Cisco Equipment Security

  1. 1. Seguridad en los elementosde redCisco © Rafael Vida, 2004
  2. 2. Index (I)♦ Introducción – General Situation • Routers • Security Policy • Purpose of a router • Basic Router Functional Architecture – Protecting the Network with the Router
  3. 3. Index (II)♦ Protecting the Router Itself – Attacks on Routers – Managing the Router • SNMP • SSH – Security Policy for Cisco Routers♦ Implementing Security: E-Policy – AAA • Remote Access • Logins, Privileges, Passwords, and Accounts
  4. 4. Index (III)♦ Filtering – ACL – ACR♦ RAT (Router Audit Tool)
  5. 5. Introduction
  6. 6. Introduction♦ Purpose of a router – Directing packets, roting protocols – Filtering:ACL – Modifing packet´s headers: NAT, PAT.♦ Hardware – CPU, Memory: • RAM, NVRAM, Flash, and ROM (PROM, EEPROM) • ROM, NVRAM. – Does Not have Hard disk, floppy, CDROM, etc.
  7. 7. Introduction Network Network Networ Network Network Networ 00 11 ... kknn Interface 0 Interface 1 Interface n ... Routing Fabric CPU ConfRouter Consola
  8. 8. Security Policy
  9. 9. Security Policy♦ Router Security Layers Physical access Electrical Access Physical Integrity Administrative Access Core Static Configuration Software Access Routing Protocolos Dynamic Configuration Management Protocols Access to the networks that the Network traffic router Serves
  10. 10. Security Policy: Checklist♦ Physical Security – Who is autorized to install, de-instal, move, etc. – Making physical connections to the router • Console and direct ports • Recovery procedures♦ Static Configuration – Who is authorized to log into the router – Roles – Password Policy – Log policy – Porcedures and limits of use
  11. 11. Security Policy: Checklist♦ Dynamic Configuration Security – Services permited in the router – Routing protoclos, clock (NTP) – Procedures in key agreement and cryptographic algorithms♦ Compromise Response – ITO?, Netcool?, ... – Response procedures, authorities, and objectives for response after a successful attack against the network – Law
  12. 12. Security Policy: Checklist♦ Network Service Security – Procedures and roles for interactions with external service providers and maintenance technicians – Protocols, ports, services, etc Internet DMZ Management
  13. 13. Protecting networks androuters
  14. 14. Protecting the networks♦ Router Clasification by funcionality – Internal Routers – Backbone – Border (EDCs)
  15. 15. Protecting the router: Attacks♦ Unauthorized access♦ Session hijacking♦ Rerouting♦ Dos♦ Ddos (!)♦ SNMP attacks
  16. 16. Protecting the router: Managing Política de FW por Centro de FW Adminstrado Gestión por Cliente Centro de Gestión local LAN_Cliente FW_Cliente FW_CGP Punto Central EDCs PVCs Servicio Gestión Local EDCs Accounting entre EDCs y CGP TACACS+, Telnet, TFTP,SNMP,... Trafico entre EDCs y FW Gestión Central SNMP, Syslog, ICMP,... Trafico entre CGP y Gestión Central SSH, Ofimática, Vantive,... Centro de Gestión Central
  17. 17. Protecting the router: Managing♦ Local access only for Emergency. Audit.♦ Telnet (?!) ó SSH♦ SNMP access. – Limit the connections, ACLs♦ AAA: – Logging and Accounting: Tacacs+ – Auditing – Authorizing
  18. 18. Implementing: E-PolicyCisco
  19. 19. Router Access Security♦ Physical Security♦ Software Upgrade – Minimun 12.0.* – Recommended 12.0.9♦ Virtual interfaces: loopbackCentral# config tEnter configuration commands, one per line. End with CNTL/Z.Central(config)# interface loopback0Central(config-if)# description Main loopback interfaceCentral(config-if)# ip address endCentral#
  20. 20. Login Banners and motd♦ Banner – No Network architecture information and router configuration details – AVISO: ha accedido a un sistema propiedad de TELEFONICA. Necesita tener autorización antes de usarlo, estando usted estrictamente limitado al uso indicado en dicha autorización. El acceso no autorizado a este sistema o el uso indebido del mismo está prohibido y es contrario a la Política Corporativa de Seguridad y a la legislación vigente. Si usted revela información interna de TELEFONICA o de sus clientes sin previa autorización podrá estar incurriendo en una violación de la Normativa Corporativa, que podría incluso suponer la posible comisión de un delito o falta.
  21. 21. Login♦ Console Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# line con 0 Central(config-line)# transport input none Central(config-line)# login local Central(config-line)# exec-timeout 5 0 Central(config-line)# exit Central(config)#♦ VTYs and Remote Administration♦ Privileges, 16 levels♦ Diferents Accounts♦ service password-encryption – ! SNMP, Radius, TACACS+, NTP, PEER auth. Keys.♦ Auxiliary port disabled
  22. 22. Remote Access1. No Remote: administration is performed on the console only.2. Remote Internal only with AAA: administration can be performed on the router from a trusted internal network only, and AAA is used for access control.3. Remote Internal only: administration can be performed on the router from the internal network only.4. Remote External with AAA: administration can be performed with both internal and external connections and uses AAA for access control.5. Remote External: administration can be performed with both internal and external connections.
  23. 23. AAA♦ Authentication – With SSH or IPsec♦ Authorization – Command by command. All not allowed is denied.♦ Acounting – Forensic Analisys♦ Keep the running configuration and startup configuration syncronized♦ TFTP is dead
  24. 24. Services
  25. 25. Access Control List♦ access-list list-number {deny | permit} source [source-wildcard] [log]♦ access-list list-number {deny | permit} protocol source source-wildcard source-qualifiers destination destination-wildcard destination- qualifiers [ log | log-input]
  26. 26. Defense♦ Spoofing – ACL♦ TCP SYN Attack East(config)# ip tcp intercept list 107 East(config)# access-list 107 permit tcp any East(config)# access-list 107 deny ip any any log East(config)# interface eth 0/0 East(config-if)# description "External 10mb ethernet interface" East(config-if)# ip access-group 107 in
  27. 27. Defense♦ LandAttack East(config)# access-list 100 deny ip host host log East(config)# access-list 100 permit ip any any East(config)# interface eth0/0 East(config-if)# description External interface to East(config-if)# ip address East(config-if)# ip access-group 100 in East(config-if)# exit♦ Smurf East(config)# access-list 110 deny ip any host log East(config)# access-list 110 deny ip any host log East(config)# interface interface eth0/0 East(config-if)# ip access-group 110 in East(config-if)# exit
  28. 28. Defense♦ DDOS – ! the TRINOO DDoS systems access-list 170 deny tcp any any eq 27665 log access-list 170 deny udp any any eq 31335 log access-list 170 deny udp any any eq 27444 log – ! the Stacheldraht DDoS system access-list 170 deny tcp any any eq 16660 log access-list 170 deny tcp any any eq 65000 log – ! the TrinityV3 system access-list 170 deny tcp any any eq 33270 log access-list 170 deny tcp any any eq 39168 log – ! the Subseven DDoS system and some variants access-list 170 deny tcp any any range 6711 6712 log access-list 170 deny tcp any any eq 6776 log access-list 170 deny tcp any any eq 6669 log access-list 170 deny tcp any any eq 2222 log access-list 170 deny tcp any any eq 7000 log
  29. 29. Committed Access Rate♦ rate-limit {input | output} [access-group [rate-limit] acl] token-bit-rate burst-normal-size burst-excess-size conform-action action exceed-action action♦ north(config)# no access-list 160 north(config)# access-list 160 deny tcp any any established north(config)# access-list 160 permit tcp any any syn north(config)# interface eth0/0 north(config-if)# rate-limit input access-group 160 64000 8000 8000 conform-action transmit exceed-action drop north(config-if)# end
  30. 30. RAT been added to Level 2♦SSH has♦ The user is given a choice between telnet and SSH♦ Separate Access Control Lists used for telnet and SSH♦ "exec-timeout" increased to 10 minutes♦ Comments about password resuse added♦ Level 2 authentication now requires a local username♦ The prohibition against local usernames in Level 2 was removed♦ "no ip proxy-arp" moved to Level 2♦ Allow egress filters to be applies on internal interfaces♦ Documented preference for SNMP V3 if SNMP is used♦ Rule to forbid SNMP without an ACL moved to Level 1♦ Loopback rules refer user to local policy♦ Timestamp debug rule added to Level 1♦ Added a note about line passwords being redundant♦ User can now specificy AAA name-list variable ("default", "local_auth" ...). This was needed to support 12.3s "auto-secure" feature♦ Exec timeout is now a maximum value for all lines (con 0, aux 0), not an exact value. This allows the rules to accommodate settings that are shorter/more restrictive without flagging an error
  31. 31. ReferencesBooks, RFCs, Links
  32. 32. References♦ Books ♦ Papers – Albritton, J. Cisco IOS Essentials, McGraw-Hill, 1999. – “Internetworking Technology – Ballew, S.M., Managing IP Networks Overview”, Cisco Systems, with Cisco Routers, O’Reilly 1999. Associates, 1997. cd/cc/td/doc/cisintwk/ito_doc/ – Chappell, L. Introduction to Cisco Router Configuration, Cisco Press, – “OSI Layer 3”, Cisco Systems 1998. Brochure, Cisco Systems, – Chappell, L. (ed.) Advanced Cisco 1997. Router Configuration, Cisco Press, ublic/535/2.html 1999. – Perlman, R., Interconnections: Bridges – “TCP/IP”, Cisco Product and Routers, McGraw-Hill, 1992. Overview, Cisco Systems, – Sacket, G., Cisco Router Handbook, 1997. McGraw-Hill, 1999. ublic/535/4.html – Held, G. and Hundley, K., Cisco Security Architectures, McGraw-Hill, 1999. – Tannenbaum, A., Computer Networks, 2nd edition, Prentice-Hall, 1998.
  33. 33. References♦ RFCs – Postel, J., “User Datagram Protocol – Fuller, V., Li, T., Varadhan K., and Yu, (UDP)”, RFC 768, 1980. J., “Classless Inter-Domain Routing – Postel, J., “Internet Protocol (IP)”, RFC – (CIDR): an Address Assignment and 791, 1981. Aggregation Strategy”, RFC 1519, – Postel, J., “Transmission Control 1993. Protocol (TCP)”, RFC 793, 1981. – Postel, J. and Braden, R., “Requirements for Internet Gateways”, RFC 1009, 1987. – Socolofsky, T. and Kale, C., “A TCP/IP Tutorial”, RFC 1180, 1991. – Malkin, G. and Parker T.L., “Internet User’s Glossary”, RFC 1392, 1993. – Rekhter, Y. and Li, T., “An Architecture of IP Address Allocation with CIDR”, RFC 1518, 1993.
  34. 34. Fin© Rafael Vida,