2. Outline What is the BRST? Target Users and Topologies Default Cisco Router install example Before BRST nmap scan Router Security Disable Unneeded Services Enable Helpful Services Control Access Configure Anti-spoofing Logging Demo BRST Generated Configuration Example Nmap scan after using BRST References Copyright 2010 Theodore LeRoy GPLv3
3. What is the BRST? The BRST is a web-based utility Answer questions on web form Click Submit Receive secure configuration via web Cut and paste into terminal session
4. Target Users and Topologies Target Users Network Administrators May or may not have Cisco experience Target Topologies Border routers Routers between Firewall and Internet Service Provider Concepts can be carried over to larger infrastructures
5. Default Cisco Router Install Basic Router Config IP Addresses/Subnet Masks on Inside and Outside interfaces IP Subnet Zero IP Classless Default Gateway Username & Password VTY Access & Password Ping from inside outward to ensure connectivity
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
no logging monitor
!
no aaa new-model
ip subnet-zero
!
username tleroy password 0 Secret
!
interface Ethernet0
 ip address 4.4.4.2 255.255.255.252
!
interface Serial0
 ip address 6.6.6.1 255.255.255.252
 shutdown
 service-module 56k clock source line
 service-module 56k network-type dds
!
ip classless
ip route 0.0.0.0 0.0.0.0 4.4.4.1
no ip http server
!
line con 0
line vty 0 4
 login
!
end
6. Nmap Scan Before running BRST Nmap scan reveals several open ports More open ports may be visible on older code versions NMAP Scan Here Banner grabbing can also be effective on an insecure router Telnet, SSH, HTTP, finger, daytime
7. Router Security Disable Unneeded Services Global Services Interface Services CDP/Yersinia Example Enable Helpful Services SSH Authentication Retries Example Control Access Disable Aux Port Secure Console Port Access Secure Virtual Terminal (vty) Access
8. Router Security (continued) Configure Anti-spoofing Null-route BOGON and Martian Addresses (if not in use on router) Anti-spoofing Access Control Lists (ACLs) on interfaces Internal IPs should not enter from outside interface Logging Syslog messages to secure server using a DMZ interface on router Other options: Send syslog messages to DMZ on firewall Local logging only (all logs lost on reboot!)
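The two anti-spoofing measures on this slide, null routes for bogon prefixes the router does not use and an inbound ACL on the outside interface, lend themselves to generation from a short list of prefixes, which is what a tool like BRST does behind its web form. The following Python is an added example written for this page, not BRST's own code: the bogon list, the inside prefix 192.168.1.0/24 and the helper names are constructed assumptions; the ACL name firewall_in, the loopback 10.0.0.1 and the interface Ethernet0 are taken from the deck's post-BRST configuration.

```python
"""Anti-spoofing configuration generator for a Cisco IOS border router.

Added example, not BRST's own code. Given the prefixes used behind and on the
router and a list of bogon/martian prefixes, it emits the two measures from the
slide: Null0 routes for bogons the router does not use, and an inbound ACL on
the outside interface that drops packets whose source address is internal or
unroutable. The prefix list and sample inputs are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample of unroutable ("martian"/bogon) prefixes: RFC 1918 space,
# "this" network, loopback, link-local and multicast. Bogon lists change over
# time; a production generator should load a maintained list instead.
SAMPLE_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
]


def _nets(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse prefixes strictly so a typo such as 10.0.1.0/8 is rejected, not silently widened."""
    return [ipaddress.IPv4Network(p, strict=True) for p in prefixes]


def null_routes(bogons: Iterable[str], in_use: Iterable[str]) -> List[str]:
    """Static routes to Null0 for each bogon that does not overlap a prefix the router uses.

    The slide's caveat ("if not in use on router") matters: null-routing
    192.168.0.0/16 on a router whose inside network is 192.168.1.0/24 would
    black-hole that LAN, so overlapping bogons are skipped here.
    """
    used = _nets(in_use)
    lines = []
    for bogon in _nets(bogons):
        if any(bogon.overlaps(u) for u in used):
            continue
        lines.append(f"ip route {bogon.network_address} {bogon.netmask} Null0")
    return lines


def antispoof_acl(name: str, internal: Iterable[str], bogons: Iterable[str]) -> List[str]:
    """Extended ACL for the outside interface: drop (and log) sources that claim to be internal or bogon.

    Unlike the null routes, internal prefixes are always denied here: a packet
    arriving from the ISP side with an inside source address is spoofed by
    definition. IOS ACLs take wildcard masks, which ipaddress exposes as hostmask.
    """
    lines = [f"ip access-list extended {name}"]
    seen = set()
    for net in _nets(list(internal) + list(bogons)):
        if net in seen:
            continue
        seen.add(net)
        lines.append(f" deny ip {net.network_address} {net.hostmask} any log")
    # The border router only filters obvious spoofs; in the deck's topology the
    # firewall behind it enforces the remaining policy, so the ACL ends permissive.
    lines.append(" permit ip any any")
    return lines


def generate(internal: Iterable[str], router_addrs: Iterable[str], outside_iface: str,
             bogons: Iterable[str] = SAMPLE_BOGONS, acl_name: str = "firewall_in") -> List[str]:
    """Assemble the fragment: null routes, the ACL, and its binding to the outside interface."""
    in_use = list(internal) + list(router_addrs)
    return (
        null_routes(bogons, in_use)
        + ["!"]
        + antispoof_acl(acl_name, internal, bogons)
        + ["!", f"interface {outside_iface}", f" ip access-group {acl_name} in", "!"]
    )


if __name__ == "__main__":
    # Constructed sample: inside LAN 192.168.1.0/24, router loopback 10.0.0.1/32,
    # outside interface Ethernet0 as in the deck's post-BRST configuration.
    print("\n".join(generate(["192.168.1.0/24"], ["10.0.0.1/32"], "Ethernet0")))
```

Run stand-alone, the script prints an IOS fragment that can be pasted into a terminal session in the same way the deck describes; with the sample inputs, 10.0.0.0/8 and 192.168.0.0/16 are left out of the null routes because the router uses addresses inside them, but both still appear as denied sources in the inbound ACL.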
9. Live Demo Using BRST to secure a Cisco Router Set delay for TeraTerm (COM flow too fast for older hardware)
! Border Router Security Tool (BRST) Recommended Configuration
! Start Copying Config File Here
!
! Enter the following router commands exactly as shown.
!
! You may copy and paste directly from the results that appear into
! the router configuration using your terminal emulation software.
!
! Comments are preceded by an !. They will be ignored by the router.
!
!
! global router commands
!
! Watch for WARNINGS in the Configuration the BRST provides.
! If you see a WARNING, read the warning, click your Browser's
! back button, correct the error, and click "Submit" again.
!
! Entering Global Configuration mode.
!
configure terminal
!
ip subnet-zero
ip classless
!
! default route
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
! Section 1: Unneeded Services
!
10. Post BRST Config Disabled many services No ip unreachables No ip redirects Enabled positive services tcp-keepalives in and out SSH timeout Configured secure access SSH if available Telnet only from certain hosts if not Configured anti-spoofing Null routing of BOGONs Enabled logging
show run
Building configuration...

Current configuration : 3361 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 informational
no logging console
no logging monitor
enable secret 5 $1$YLJj$O5nh6cmiNdspYsbEctgEa.
!
aaa new-model
!
!
aaa authentication login default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip options drop
!
username tleroy password 7 15210E0F162F3F
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 ip address 2.2.2.1 255.255.255.252
 ip access-group firewall_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
… Output truncated
11. Nmap Scan After running BRST Nmap scan reveals no open ports OS Detection is more ambiguous NMAP Scan Here Banner grabbing much less effective No Telnet or HTTP Access SSH only from inside interface (VPN then SSH) Disabled services will not leak information
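The before-and-after scans on slides 6 and 11 are the deck's way of verifying that the hardening took effect. That verification can be automated by diffing nmap's greppable output (the -oG format) from the two runs, so that anything still open, or newly open after a later change, stands out. The Python below is an added example for this page, not part of the deck or of BRST; the two scan results are constructed samples standing in for the "NMAP Scan Here" placeholders and list the services the deck names (telnet, SSH, HTTP, finger, daytime) against the deck's outside address 4.4.4.2.

```python
"""Compare nmap scans taken before and after hardening a border router.

Added example, not part of the original deck or the BRST tool. It parses nmap's
greppable output (-oG), collects the ports reported open per host, and reports
which ports the hardening closed, which remain open, and which newly appeared.
Both scan results are constructed samples.
"""
import re
from typing import Dict, Set, Tuple

Port = Tuple[int, str, str]  # (port number, protocol, service name)

# Constructed sample: before BRST, the router answers on the services the deck
# names (daytime, SSH, telnet, finger, HTTP).
SCAN_BEFORE = """\
# Nmap scan initiated (constructed sample)
Host: 4.4.4.2 ()\tStatus: Up
Host: 4.4.4.2 ()\tPorts: 13/open/tcp//daytime///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 79/open/tcp//finger///, 80/open/tcp//http///\tIgnored State: closed (995)
# Nmap done (constructed sample)
"""

# Constructed sample: after BRST, nothing is reachable from the outside.
SCAN_AFTER = """\
# Nmap scan initiated (constructed sample)
Host: 4.4.4.2 ()\tStatus: Up
Host: 4.4.4.2 ()\tPorts: 22/filtered/tcp//ssh///\tIgnored State: filtered (999)
# Nmap done (constructed sample)
"""

_HOST = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\t(.*)$")


def open_ports(grepable: str) -> Dict[str, Set[Port]]:
    """Map each host in -oG output to the set of ports nmap reported as open."""
    result: Dict[str, Set[Port]] = {}
    for line in grepable.splitlines():
        m = _HOST.match(line)
        if not m:
            continue  # comment lines carry no host data
        host, _name, rest = m.groups()
        result.setdefault(host, set())  # a host with only a Status line has no open ports
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(","):
                parts = entry.strip().split("/")
                # -oG port fields: number/state/protocol/owner/service/rpc info/version/
                if len(parts) < 5:
                    continue
                number, state, proto, _owner, service = parts[:5]
                if state == "open":
                    result[host].add((int(number), proto, service))
    return result


def hardening_delta(before: str, after: str) -> Dict[str, Dict[str, Set[Port]]]:
    """Per host: ports closed by hardening, ports still open, and ports that newly appeared."""
    b, a = open_ports(before), open_ports(after)
    delta: Dict[str, Dict[str, Set[Port]]] = {}
    for host in sorted(set(b) | set(a)):
        was, now = b.get(host, set()), a.get(host, set())
        delta[host] = {"closed": was - now, "still_open": was & now, "new": now - was}
    return delta


if __name__ == "__main__":
    for host, d in hardening_delta(SCAN_BEFORE, SCAN_AFTER).items():
        print(host)
        for kind in ("closed", "still_open", "new"):
            print(f"  {kind:10s} {sorted(p[0] for p in d[kind])}")
```

The "new" set is the one worth wiring into a recurring check: re-running the comparison against a saved baseline after every configuration change turns the deck's one-off scan into a regression test for the border router's exposed surface.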
12. References
U.S. National Security Agency, System and Network Attack Center (NSA SNAC), Router Security Configuration Guide, http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
Cisco, Cisco Guide to Harden Cisco IOS Devices, http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
Team Cymru, Secure IOS Template, http://www.cymru.com/Documents/secure-ios-template.html
Akin, Thomas, “Hardening Cisco Routers,” O’Reilly Media, February 2002