Security in Cisco network elements



                 © Rafael Vida, 2004
Index (I)
♦ Introduction
  – General Situation
     •   Routers
     •   Security Policy
     •   Purpose of a router
     •   Basic Router Functional Architecture
  – Protecting the Network with the Router
Index (II)
♦ Protecting the Router Itself
  – Attacks on Routers
  – Managing the Router
     • SNMP
     • SSH
  – Security Policy for Cisco Routers
♦ Implementing Security: E-Policy
  – AAA
     • Remote Access
     • Logins, Privileges, Passwords, and Accounts
Index (III)
♦ Filtering
  – ACL
  – ACR
♦ RAT (Router Audit Tool)
Introduction
♦ Purpose of a router
   – Directing packets, routing protocols
   – Filtering: ACL
   – Modifying packet headers: NAT, PAT.
♦ Hardware
  – CPU, Memory:
      • RAM, NVRAM, Flash, and ROM (PROM, EEPROM)
   – Does not have a hard disk, floppy, CD-ROM, etc.
Introduction
[Figure: basic router functional architecture. Networks 0, 1, ..., n each attach to the router through Interface 0, Interface 1, ..., Interface n; the interfaces connect through the Routing Fabric to the CPU, which holds the configuration (Conf) and is reached through the Console.]
Security Policy
♦ Router Security Layers
  – Physical Integrity: physical access, electrical access
  – Core Static Configuration: administrative access, software access
  – Dynamic Configuration: routing protocols, management protocols
  – Network traffic: access to the networks that the router serves
Security Policy: Checklist
♦ Physical Security
   – Who is authorized to install, de-install, move, etc.
   – Making physical connections to the router
       • Console and direct ports
       • Recovery procedures
♦ Static Configuration
   – Who is authorized to log into the router
   – Roles
   – Password policy
   – Log policy
   – Procedures and limits of use
Security Policy: Checklist
♦ Dynamic Configuration Security
  – Services permitted in the router
  – Routing protocols, clock (NTP)
  – Procedures for key agreement and cryptographic algorithms
♦ Compromise Response
  – ITO?, Netcool?, ...
  – Response procedures, authorities, and objectives for response after a successful attack against the network
  – Law
Security Policy: Checklist
♦ Network Service Security
  – Procedures and roles for interactions with external service providers and maintenance technicians
  – Protocols, ports, services, etc.
[Figure: network zones: Internet, DMZ, Management.]
Protecting networks and routers
Protecting the networks
♦ Router classification by functionality
  – Internal routers
  – Backbone
  – Border (EDCs)
Protecting the router: Attacks
♦ Unauthorized access
♦ Session hijacking
♦ Rerouting
♦ DoS
♦ DDoS (!)
♦ SNMP attacks
Protecting the router: Managing
[Figure: management architecture. Customer LAN (LAN_Cliente) behind a customer-managed firewall (FW_Cliente) whose firewall policy is set by the Management Centre; the EDCs connect through a Central Point (Punto Central) and the FW_CGP firewall to the local Management Centre, with service PVCs for local management; a further firewall separates the Central Management Centre. Accounting between EDCs and CGP: TACACS+, Telnet, TFTP, SNMP, ... Traffic between EDCs and Central Management: SNMP, Syslog, ICMP, ... Traffic between CGP and Central Management: SSH, office applications, Vantive, ...]
Protecting the router: Managing
♦ Local access only for emergencies. Audit.
♦ Telnet (?!) or SSH
♦ SNMP access.
  – Limit the connections, ACLs
♦ AAA:
  – Logging and Accounting: TACACS+
  – Auditing
  – Authorizing
Implementing: E-Policy

Cisco
Router Access Security
♦ Physical Security
♦ Software Upgrade
  – Minimum 12.0.*
  – Recommended 12.0.9
♦ Virtual interfaces: loopback
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# interface loopback0
Central(config-if)# description Main loopback interface
Central(config-if)# ip address 14.2.11.250 255.255.255.255
Central(config-if)# end
Central#
Login Banners and motd
♦ Banner
  – No network architecture information or router configuration details
  – WARNING: you have accessed a system owned by TELEFONICA. You need authorization before using it, and you are strictly limited to the use stated in that authorization. Unauthorized access to this system, or misuse of it, is prohibited and contrary to the Corporate Security Policy and to current legislation. If you disclose internal information of TELEFONICA or of its customers without prior authorization, you may be committing a breach of Corporate Regulations, which could even constitute a criminal offence or misdemeanour.
Login
♦ Console
    Central# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Central(config)# line con 0
    Central(config-line)# transport input none
    Central(config-line)# login local
    Central(config-line)# exec-timeout 5 0
    Central(config-line)# exit
    Central(config)#
♦ VTYs and Remote Administration
♦ Privileges, 16 levels
♦ Different accounts
♦ service password-encryption
    – ! SNMP, RADIUS, TACACS+, NTP, peer auth. keys.
♦ Auxiliary port disabled
Remote Access
1.   No Remote: administration is performed on the console
     only.
2.   Remote Internal only with AAA: administration can be
     performed on the router from a trusted internal network
     only, and AAA is used for access control.
3.   Remote Internal only: administration can be performed
     on the router from the internal network only.
4.   Remote External with AAA: administration can be
     performed with both internal and external connections
     and uses AAA for access control.
5.   Remote External: administration can be performed with
     both internal and external connections.
AAA
♦ Authentication
  – With SSH or IPsec
♦ Authorization
  – Command by command. Anything not explicitly allowed is denied.
♦ Accounting
  – Forensic analysis
♦ Keep the running configuration and startup configuration synchronized
♦ TFTP is dead
Services
Access Control List
♦ access-list list-number {deny | permit} source
  [source-wildcard] [log]

♦ access-list list-number {deny | permit} protocol
  source source-wildcard source-qualifiers
  destination destination-wildcard destination-qualifiers
  [log | log-input]
Defense
♦ Spoofing
  – ACL
♦ TCP SYN Attack
  East(config)# ip tcp intercept list 107
  East(config)# access-list 107 permit tcp any 14.2.6.0 0.0.0.255
  East(config)# access-list 107 deny ip any any log
  East(config)# interface eth 0/0
  East(config-if)# description "External 10mb ethernet interface"
  East(config-if)# ip access-group 107 in
Defense
♦ LandAttack
  East(config)# access-list 100 deny ip host 14.1.1.20 host 14.1.1.20 log
  East(config)# access-list 100 permit ip any any
  East(config)# interface eth0/0
  East(config-if)# description External interface to 14.1.0.0/16
  East(config-if)# ip address 14.1.1.20 255.255.0.0
  East(config-if)# ip access-group 100 in
  East(config-if)# exit

♦ Smurf
  East(config)# access-list 110 deny ip any host 14.2.6.255 log
  East(config)# access-list 110 deny ip any host 14.2.6.0 log
  East(config)# interface eth0/0
  East(config-if)# ip access-group 110 in
  East(config-if)# exit
Defense
♦ DDoS
  – ! the TRINOO DDoS systems
  access-list 170 deny tcp any any eq 27665 log
  access-list 170 deny udp any any eq 31335 log
  access-list 170 deny udp any any eq 27444 log
  – ! the Stacheldraht DDoS system
  access-list 170 deny tcp any any eq 16660 log
  access-list 170 deny tcp any any eq 65000 log
  – ! the TrinityV3 system
  access-list 170 deny tcp any any eq 33270 log
  access-list 170 deny tcp any any eq 39168 log
  – ! the Subseven DDoS system and some variants
  access-list 170 deny tcp any any range 6711 6712 log
  access-list 170 deny tcp any any eq 6776 log
  access-list 170 deny tcp any any eq 6669 log
  access-list 170 deny tcp any any eq 2222 log
  access-list 170 deny tcp any any eq 7000 log
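To show how the ACL syntax above and the Land, Smurf and DDoS entries actually decide a packet's fate, here is an added Python evaluator (not code from the deck or from Cisco) that parses the standard and extended access-list forms, applies wildcard masks, walks the entries first-match and falls through to the implicit deny. The packets and the two-entry subset of list 170 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:                 # constructed packet: only the fields an ACL entry looks at
    proto: str                # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0

def _addr_match(addr, spec):
    """Cisco wildcard mask: a 1 bit means 'do not care', so only the 0 bits are compared."""
    base, wildcard = spec
    if base == "any":
        return True
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def _parse_addr(t, i):
    """Read 'any', 'host A' (wildcard 0.0.0.0) or 'A W' starting at token i."""
    if t[i] == "any":
        return ("any", None), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_ace(line):
    """Parse one entry in the standard (1-99) or extended form shown on the ACL slide."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line}")
    ace = {"number": int(t[1]), "action": t[2], "ports": None}
    if 1 <= ace["number"] <= 99:                    # standard: source only, any protocol
        ace["proto"], ace["dst"] = "ip", ("any", None)
        if t[3] in ("any", "host") or (len(t) > 4 and t[4] != "log"):
            ace["src"], i = _parse_addr(t, 3)
        else:                                       # bare address: wildcard defaults to 0.0.0.0
            ace["src"], i = (t[3], "0.0.0.0"), 4
    else:                                           # extended: proto src dst [eq P | range A B]
        ace["proto"] = t[3]
        ace["src"], i = _parse_addr(t, 4)
        ace["dst"], i = _parse_addr(t, i)
        if i < len(t) and t[i] == "eq":
            ace["ports"], i = (int(t[i + 1]), int(t[i + 1])), i + 2
        elif i < len(t) and t[i] == "range":
            ace["ports"], i = (int(t[i + 1]), int(t[i + 2])), i + 3
    ace["log"] = i < len(t) and t[i] in ("log", "log-input")
    return ace

def evaluate(acl, pkt):
    """First matching entry decides; returns (action, entry). No match = implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not (_addr_match(pkt.src, ace["src"]) and _addr_match(pkt.dst, ace["dst"])):
            continue
        if ace["ports"] and not ace["ports"][0] <= pkt.dport <= ace["ports"][1]:
            continue
        return ace["action"], line
    return "deny", None
# ACLs copied from the deck's Defense slides (Land attack, Smurf, DDoS control ports).
ACL_100 = ["access-list 100 deny ip host 14.1.1.20 host 14.1.1.20 log",
           "access-list 100 permit ip any any"]
ACL_110 = ["access-list 110 deny ip any host 14.2.6.255 log",
           "access-list 110 deny ip any host 14.2.6.0 log"]
ACL_170 = ["access-list 170 deny tcp any any eq 27665 log",
           "access-list 170 deny tcp any any range 6711 6712 log"]
```

Note that list 110 as shown on the slide ends without a trailing permit, so applied inbound it drops every packet that is not a broadcast; the evaluator returns ("deny", None) in that case to make the implicit deny visible.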
Committed Access Rate
♦ rate-limit {input | output} [access-group [rate-limit] acl] token-bit-rate burst-normal-size burst-excess-size conform-action action exceed-action action
♦ north(config)# no access-list 160
   north(config)# access-list 160 deny tcp any any established
   north(config)# access-list 160 permit tcp any any syn
   north(config)# interface eth0/0
   north(config-if)# rate-limit input access-group 160 64000 8000 8000 conform-action transmit exceed-action drop
   north(config-if)# end
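To make the token-bucket semantics of that rate-limit line concrete, the following added Python model (not the deck's or Cisco's code) applies the 64000/8000/8000 rule with ACL 160 selecting only new-connection SYNs, so established traffic is never policed. Treating the excess burst as plain extra bucket depth is an assumption noted in the code; real CAR drops probabilistically within the excess range.

```python
from dataclasses import dataclass

@dataclass
class TcpSeg:                 # constructed TCP segment: only what the CAR rule looks at
    t: float                  # arrival time, seconds
    size: int                 # bytes on the wire
    syn: bool = False
    ack: bool = False         # 'established' in an ACL means ACK (or RST) set

def selected_by_acl_160(seg):
    """ACL 160 is 'deny tcp any any established' then 'permit tcp any any syn'.
    Inside rate-limit, 'deny' means 'leave unpoliced', so only new-connection SYNs
    (SYN set, ACK clear) are handed to the token bucket."""
    if seg.ack:
        return False
    return seg.syn

class TokenBucket:
    """rate-limit ... 64000 8000 8000: 64 kbit/s with 8000-byte normal and excess bursts.
    Assumption: the excess burst is modelled as extra bucket depth; real CAR drops
    probabilistically inside the excess range, which this simplification omits."""
    def __init__(self, rate_bps, burst_normal, burst_excess):
        self.per_sec = rate_bps / 8.0                    # bits/s -> bytes/s of tokens
        self.depth = float(burst_normal + burst_excess)
        self.tokens, self.last = self.depth, 0.0

    def conforms(self, seg):
        self.tokens = min(self.depth, self.tokens + (seg.t - self.last) * self.per_sec)
        self.last = seg.t
        if seg.size <= self.tokens:
            self.tokens -= seg.size
            return True
        return False

def police(segments, rate_bps=64000, burst_normal=8000, burst_excess=8000):
    """Apply the deck's rate-limit rule to a list of segments; returns counts per action."""
    bucket = TokenBucket(rate_bps, burst_normal, burst_excess)
    stats = {"unpoliced": 0, "transmit": 0, "drop": 0}
    for seg in sorted(segments, key=lambda s: s.t):
        if not selected_by_acl_160(seg):
            stats["unpoliced"] += 1           # established traffic never touches the bucket
        elif bucket.conforms(seg):
            stats["transmit"] += 1            # conform-action transmit
        else:
            stats["drop"] += 1                # exceed-action drop
    return stats

def syn_flood(n, duration, size=60):
    """Constructed sample: n SYN segments spread evenly over `duration` seconds."""
    return [TcpSeg(t=i * duration / n, size=size, syn=True) for i in range(n)]

def normal_traffic(n, duration, size=1500):
    """Constructed sample: n segments of an established session (ACK set)."""
    return [TcpSeg(t=i * duration / n, size=size, ack=True) for i in range(n)]
```

At 10,000 SYNs per second the bucket admits roughly the initial 16,000 bytes plus 8,000 bytes of refill, about 400 SYNs, and drops the rest, while the same rule leaves a 3 Mbyte/s established session untouched.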
RAT (Router Audit Tool)
♦ SSH has been added to Level 2
♦ The user is given a choice between telnet and SSH
♦ Separate Access Control Lists used for telnet and SSH
♦ "exec-timeout" increased to 10 minutes
♦ Comments about password reuse added
♦ Level 2 authentication now requires a local username
♦ The prohibition against local usernames in Level 2 was removed
♦ "no ip proxy-arp" moved to Level 2
♦ Allow egress filters to be applied on internal interfaces
♦ Documented preference for SNMP v3 if SNMP is used
♦ Rule to forbid SNMP without an ACL moved to Level 1
♦ Loopback rules refer the user to local policy
♦ Timestamp debug rule added to Level 1
♦ Added a note about line passwords being redundant
♦ User can now specify the AAA name-list variable ("default", "local_auth" ...).
  This was needed to support 12.3's "auto-secure" feature
♦ Exec timeout is now a maximum value for all lines (con 0, aux 0), not an exact
  value. This allows the rules to accommodate settings that are shorter/more
  restrictive without flagging an error
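As an added illustration of what a RAT-style check does (this is not RAT's own code), the following Python audits a constructed IOS running-config for a few of the rules listed above: service password-encryption, SNMP communities without an ACL, no ip proxy-arp, the exec-timeout maximum (with "0 0" treated as never timing out), and SSH-only vty transport.

```python
import re
# Constructed sample running-config (not from the deck); it deliberately breaks a few rules.
SAMPLE_CONFIG = """\
service password-encryption
snmp-server community public RO
snmp-server community mgmt-ro RO 20
interface Ethernet0/0
 ip address 14.1.1.20 255.255.0.0
 no ip proxy-arp
interface Ethernet0/1
 ip address 14.2.6.1 255.255.255.0
line con 0
 exec-timeout 5 0
 login local
line aux 0
 no exec
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
 login local
"""

def parse_sections(config):
    """Split an IOS config into global commands and indented blocks keyed by their header."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            top.append(current)
    return top, blocks

def exec_timeout_minutes(cmds):
    """Effective idle timeout of a line. Absent = IOS default of 10 min; '0 0' = never."""
    for cmd in cmds:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            minutes = int(m.group(1)) + int(m.group(2) or 0) / 60
            return float("inf") if minutes == 0 else minutes
    return 10.0

def audit(config, max_timeout_min=10):
    """Return findings as 'scope: problem' strings; an empty list means all checks passed."""
    top, blocks = parse_sections(config)
    findings = []
    if "service password-encryption" not in top:
        findings.append("global: service password-encryption missing")
    for cmd in top:
        m = re.match(r"snmp-server community \S+ (?:RO|RW)(?: (\S+))?$", cmd)
        if m and not m.group(1):
            findings.append(f"global: SNMP community without an ACL: {cmd}")
    for header, cmds in blocks.items():
        if header.startswith("interface") and "no ip proxy-arp" not in cmds:
            findings.append(f"{header}: ip proxy-arp not disabled")
        if header.startswith("line"):
            if "no exec" in cmds:
                continue                      # line disabled (e.g. aux 0); nothing to time out
            if exec_timeout_minutes(cmds) > max_timeout_min:
                findings.append(f"{header}: exec-timeout exceeds {max_timeout_min} minutes")
            if header.startswith("line vty"):
                ti = [c for c in cmds if c.startswith("transport input")]
                if ti != ["transport input ssh"]:
                    findings.append(f"{header}: transport input should be ssh only")
    return findings
```

Because the timeout check compares against a maximum rather than an exact value, the console's 5-minute setting passes, matching the RAT change noted above.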
End

© Rafael Vida, 2004
Cisco-FIST@mixmail.com

Cisco Equipment Security