William Stallings, Cryptography and Network Security 3/e

– Chapter 3 –
Device Security (B)
• Security of major devices:
How to protect the device against attacks aimed at compromising
the device itself
– Routers
– Firewalls
– Switches
– Authentication servers
– wireless access points
– …
Network Security
1
Steps to secure a router:
1. Backup of configuration files and the router software
2. Controlling access to the router (tty, vty ports)
3. Securing access to the router (via SSH)
4. Password management
5. Logging events on the router
6. Disabling unnecessary services
7. Using loopback interfaces
8. Controlling SNMP as a management protocol
9. Controlling HTTP as a management protocol
10. Using CEF as a switching mechanism
11. Setting up the scheduler from a security perspective
12. Using the Network Time Protocol (NTP)
13. Login banners
14. Capturing core dumps
15. Using service nagle to improve Telnet access during high CPU events
2. Controlling access to the router
• A tty port (the console) is physically connected to a terminal or workstation for local administrative access to the router.
• An aux port, similar to a tty port, is connected to a modem for remote out-of-band administrative access to the router.
• A vty (virtual tty) port is used to allow remote in-band connection sessions via Telnet, SSH, or rlogin.
• Out-of-band management (http://en.wikipedia.org/wiki/Out-of-band_management)
Vulnerabilities of tty or aux ports
• A tty or aux port may suffer a reverse Telnet attack: the terminal server connected to the tty port, or the modem connected to the aux port, is used by the attacker (as a remote client) to reach the router's console line. This path bypasses the controls applied to the vty lines (access-class, SSH-only transport), so the terminal server and the modem must be protected at least as well as the router itself.
• Reverse Telnet (as defined in Wikipedia)
• Check out this link to see an illustration of using 'reverse telnet' to remotely access a router. (diagrams below)
[Diagram: Normal Telnet]

[Diagram: Reverse Telnet]
Reverse Telnet (cont.)
• Another example:
What is Reverse Telnet and how do I
configure it?
“Reverse Telnet gives you the ability to telnet to a device, and then
console to another device from there. For example, you could
telnet to a router, and then console into a switch, or a modem, or
anything that has a console port. There are a lot of devices out
there that don’t have remote access built into them, their only
option is a console session. Well, this will allow you to remotely
manage these devices.”
“You need a straight through cable going from the console port of
the console-only device to the AUX port on your router.”
Vulnerabilities of tty or aux ports
• Solution?
– Refuse every inbound transport on the console line (the "disable the console port" option):
line con 0
 transport input none
(This stops reverse-Telnet access to the line. A terminal plugged directly into the console port still gets a prompt, so the line also needs login authentication and physical protection.)
– Allow only SSH access to the router's console line (SSH terminal-line access, a feature added in IOS 12.2 or higher):
line con 0
 login authentication default
 rotary 1
 transport input ssh
ip ssh port 2001 rotary 1
• Requirement: the router must be set up as an SSH server (hostname, domain name, an RSA key pair, and a local or AAA user database).
Controlling vty access
1. Restricted access: only allow the protocols that will be used by the network admin (transport input). Since Cisco IOS v11.1 the default is none. Example: to allow only Telnet and SSH connections
line vty 0 4
 transport input telnet ssh
(Telnet carries the login credentials in clear text; once SSH works, allow ssh alone.)
2. Only addresses in the access list are allowed to connect: access-class, access-list (see Example 3-6).
3. Short timeouts: the default timeout value is 10 minutes. To set it to 5 min. 30 sec.
line vty 0 4
 exec-timeout 5 30
4. Authentication for vty access: either local or RADIUS authentication (preferred).
3. Securing access to the router using encryption
• IPsec VPN client (preferred; more details in Ch 13)
– Two cases:
A. The VPN client accesses a back-end LAN (the destination) by building a tunnel between itself and a router (the IPsec gateway), behind which the LAN is located.
B. The VPN client is used to remotely administer the router, which is both the gateway and the destination.
• SSH: when the book was written, only SSH v1 was supported by Cisco IOS. SSH v1 has known protocol weaknesses; SSH v2 support was added in IOS 12.3(4)T and should be enforced (ip ssh version 2) wherever the image supports it.
Example 3-11
4. Password Management
• Passwords stored on the router should be properly encrypted.
• The default password storage is either type 0 (clear-text passwords) or type 7 (service password-encryption: a reversible, fixed-key XOR obfuscation, not real encryption).
• Use the enable secret command so that the enable password is stored as a salted MD5 hash (type 5) instead. On IOS 15.3(3)M and later, prefer type 9 (scrypt, enable algorithm-type scrypt secret); avoid the flawed type 4.
• Example 3-12
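To make the "weak encryption" point concrete, here is an added example that is not code from the book or from Cisco: a decoder (and encoder) for type 7 strings, plus a scan of a constructed configuration fragment for every credential an attacker who obtains the file could recover. The fixed key is the publicly documented one; the type 5 hash in the sample is a placeholder, not a real digest.

```python
"""Cisco IOS type 7 password obfuscation, implemented to show it is reversible.

Added example, not code from the book or from Cisco. A type 7 string is a
two-digit decimal seed followed by hex bytes; each byte is the plaintext
character XORed with one byte of a fixed, publicly known key, starting at
the seed offset. Anyone who can read the configuration can undo it.
"""

# The fixed key built into IOS for type 7 (public knowledge for decades).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decrypt_type7(encoded: str) -> str:
    """Recover the plaintext from the string after 'password 7'."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2], 10)            # starting offset into XLAT
    data = bytes.fromhex(encoded[2:])      # raises ValueError on non-hex input
    return "".join(chr(b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(data))


def encrypt_type7(plaintext: str, seed: int = 8) -> str:
    """Produce a type 7 string: the same XOR with the same key, so trivially undone."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    body = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plaintext))
    return f"{seed:02d}{body.hex().upper()}"


def weak_password_lines(config: str) -> list:
    """Return (line, recovered_password) for every reversible credential in a config.

    'password 7 <hex>' is decoded; 'password 0 <text>' and a bare 'password <text>'
    are reported as-is. Types 5, 8 and 9 (enable secret) are one-way hashes and are
    skipped: they are what the page recommends.
    """
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if "password" not in parts:
            continue
        rest = parts[parts.index("password") + 1:]
        if not rest:
            continue
        if len(rest) > 1 and rest[0].isdigit():
            kind, value = rest[0], rest[1]
        else:
            kind, value = "0", rest[0]        # no type digit: clear text
        if kind == "7":
            try:
                findings.append((line, decrypt_type7(value)))
            except ValueError:
                findings.append((line, "<malformed type 7>"))
        elif kind == "0":
            findings.append((line, value))
    return findings


# Constructed sample configuration (not from any real device); the type 5
# value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
hostname edge1
enable secret 5 $1$salt$placeholder-not-a-real-hash
enable password 7 0822455D0A16
username ops password 7 0822455D0A16
line vty 0 4
 password 0 letmein
"""

if __name__ == "__main__":
    for line, pw in weak_password_lines(SAMPLE_CONFIG):
        print(f"{line!r:45} -> {pw!r}")
```

Running this over a saved running-config (for instance one taken from the TFTP backup server of step 1) lists every credential that the file alone gives away; only the enable secret and type 8/9 secrets survive, which is why the page tells you to use them.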
5. Logging events
• Advantages: allows auditing and tracking:
– forensics (in case of an attack)
– performance tuning (maintenance)
• Requirement: good time stamping, with the router clock synchronized using NTP.
• Send the logs to a remote syslog server as well as the local buffer, so that an attacker who gains control of the router cannot erase the only copy.
• Example: 3-13
6. Disable unnecessary services
• If a service is not being actively used on a
device, it should be disabled.
• Otherwise it may be used as a back door
for the attacker to gain access to the
device.
• Sample services to be disabled: Table 3-1
TCP small servers, UDP small servers, Finger
server, …
7. Using loopback interfaces
• A loopback interface is a logical IP address on a computer or device.
• For example, the loopback address 127.0.0.1 on a PC represents the localhost: a quick and easy way to check the PC's network setup.
Loopback interface on routers
source: http://routersimulator.certexams.com/network-simulator-labs/configuring-and-testing-loopback-interface.html
• The loopback interface is a logical interface internal to a router. It is not connected to any other device.
• A loopback interface is UP as long as the router is up and running. It is useful in managing a router as there will always be at least one interface available on the router, irrespective of the state of the physical interfaces.
• The command used for assigning a loopback interface is
Router(config)#interface loopback <number>
– The number can be between 0 and 2147483647
• A loopback interface is automatically put in "no shutdown" state when created. However, you need to assign an IP address to use a loopback interface.
Loopback interface on routers (cont.)
source: http://routersimulator.certexams.com/network-simulator-labs/configuring-and-testing-loopback-interface.html
R1:
>enable
#conf term
(config)#int ser 0
(config-if)#ip address 192.168.1.1 255.255.255.0
(config-if)#no shutdown
(config-if)#exit
! R1 runs no routing protocol here, so it needs a static route to R2's loopback
(config)#ip route 192.168.2.1 255.255.255.255 192.168.1.2
(config)#end
#
R2:
>enable
#conf term
(config)#int ser 0
(config-if)#ip address 192.168.1.2 255.255.255.0
(config-if)#no shutdown
(config-if)#exit
! the loopback address must not overlap the serial subnet (IOS rejects it),
! so it gets its own /32 from a separate network
(config)#interface loopback 1
(config-if)#ip address 192.168.2.1 255.255.255.255
(config-if)#end
#
R1:
>enable
#ping 192.168.2.1
<you should get a successful ping response>
Advantages of using
loopback interface on routers
• “With routers using a loopback address as the
source for all IP packets originating from the
router, it becomes very easy to construct
appropriate filters to protect management
systems in the ISP’s network operation centres.”
(Source: slide 6 in http://ws.edu.isoc.org/data/2004/112350407740360107a09f9/loopback-1up.pdf)
More about loopback interfaces
source: http://www.ciscopress.com/articles/article.asp?p=27137
• It is very common to assign all the IP addresses used for loopback
interfaces from one address block.
– Example: an ISP with around 200 routers in a network might assign a
/24 network (253 usable addresses) for addressing the loopback
interface on each router. If this is done, all dependent systems can be
configured to permit this address range to access the particular function
concerned, whether it is security, unnumbered WAN links, or the iBGP
mesh.
• A loopback interface on a router never changes its state and rarely
has any need to change its IP address. Physical interfaces can be
physically swapped out or renumbered, and address ranges can
change, but the loopback interface will always be there. So, if the
DNS is set up so that the router name maps to the loopback
interface address, there is one less change to worry about during
operational and configuration changes elsewhere in the ISP
backbone.
Other examples of loopback interfaces
source: http://www.ciscopress.com/articles/article.asp?p=27137
• BGP Update Source
– In the following example, the iBGP mesh is built using the loopback interface on each router.
– The loopback doesn't ever disappear, which results in a more stable iBGP, even if the underlying physical connectivity is less than reliable.
Other examples of loopback interfaces
source: http://www.ciscopress.com/articles/article.asp?p=27137
• Router ID
– If a loopback interface is configured on the router, its IP address is used as the router ID.
– This is important for ensuring stability and predictability in the operation of the ISP's network.
– If the loopback isn't configured, BGP uses the highest IP address on the router. Because of the ever-changing nature of an ISP network, this value can change, possibly resulting in operational confusion.
– Configuring and using a loopback interface ensures stability.
• Access control based on loopback
– Reserve a block of IP addresses to be used as the loopback addresses of a group of routers.
– Source addresses: all routers can be forced to use these loopback IP addresses as source addresses when accessing the management servers.
– Access control: the servers can then be locked down to allow access only from this block of IP addresses.
– Accesses from addresses outside this block are denied.
• Examples (next)
Examples of
access control based on loopback
source: http://ws.edu.isoc.org/data/2004/112350407740360107a09f9/loopback-1up.pdf
• TFTP Server Access
– TFTP is the most common tool for uploading and
downloading configurations.
– The TFTP server's security is critical, which means that
you should always use security tools with IP source
addresses.
– IOS Software allows TFTP to be configured to use specific
IP interfaces address. This allows a fixed ACL on the
TFTP server based on a fixed address on the router (for
example, the loopback interface).
ip tftp source-interface Loopback0
Examples of access control
based on loopback (cont.)
• Source: http://ws.edu.isoc.org/data/2004/112350407740360107a09f9/loopback-1up.pdf (slide 12)
• TACACS+ distributed authentication system for
management access to routers
– Configure TACACS+ so that the loopback address is used
in packets originating from the router
– Configuration example:
ip tacacs source-interface Loopback0
tacacs-server host 215.17.1.1
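Putting the TFTP and TACACS+ slides together, here is an added example that is not from the ISOC slides or from Cisco: it allocates one /32 loopback per router from a single management block, emits the per-router source-interface configuration, produces the matching access list for the server side, and applies that list to a request's source address. The block 10.255.0.0/24, the router names and the server addresses are assumptions.

```python
"""Loopback-based access control for management servers.

Added example, not from the ISOC slides or from Cisco documentation.
Every router gets one /32 loopback address from a single block; the
router sources its management traffic from that loopback, and the
TFTP/TACACS+ server permits only that block.
"""
import ipaddress

# Assumed management block reserved for router loopbacks.
LOOPBACK_BLOCK = "10.255.0.0/24"


def allocate_loopbacks(router_names, block=LOOPBACK_BLOCK):
    """Map router name -> IPv4Interface (/32), taken in order from the block."""
    net = ipaddress.ip_network(block)
    hosts = iter(net.hosts())
    result = {}
    for name in router_names:
        try:
            result[name] = ipaddress.ip_interface(f"{next(hosts)}/32")
        except StopIteration:
            raise ValueError(f"block {net} exhausted at router {name}") from None
    return result


def router_config(name, loopback, tacacs_server):
    """IOS fragment: define Loopback0 and source management traffic from it."""
    return "\n".join([
        f"hostname {name}",
        "interface Loopback0",
        f" ip address {loopback.ip} {loopback.netmask}",
        "ip tftp source-interface Loopback0",
        "ip tacacs source-interface Loopback0",
        f"tacacs-server host {tacacs_server}",
    ])


def server_acl(block=LOOPBACK_BLOCK, number=10):
    """Standard IOS ACL for the server side: permit the loopback block, deny the rest."""
    net = ipaddress.ip_network(block)
    return "\n".join([
        f"access-list {number} permit {net.network_address} {net.hostmask}",
        f"access-list {number} deny any log",
    ])


def is_permitted(src_ip, block=LOOPBACK_BLOCK):
    """Server-side decision: accept a TFTP/TACACS+ request only when its source
    address lies inside the loopback block; a physical-interface address or
    anything else outside the block is refused."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(block)


if __name__ == "__main__":
    routers = allocate_loopbacks(["core1", "core2", "edge1"])
    for name, lo in routers.items():
        print(router_config(name, lo, "10.255.1.1"))   # assumed TACACS+ server
        print("!")
    print(server_acl())
    print(is_permitted("10.255.0.1"), is_permitted("192.0.2.7"))
```

The server ACL checks only the claimed source address, so it is only as strong as the anti-spoofing filtering at the network edge; the loopback block should also never be routable from outside the ISP's own network.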
8. Controlling SNMP (as a
management protocol)
• SNMP can be used in read-only and ‘read and write’
modes
• Unless necessary, use read-only mode on routers.
• The ‘read and write’ mode allows the admin to modify
the router’s configurations via SNMP.
• Access into the network via SNMP should be blocked at
the network’s boundary.
• Security of SNMP:
– v1 and v2c use 'community strings', sent in clear text, as the only authentication mechanism. (Not secure)
– v3 is more secure: it provides HMAC-MD5 or HMAC-SHA for authentication and DES for encryption (later IOS releases add AES; prefer SHA and AES, since MD5 and DES are deprecated).
– SNMP v3 threats vs protections (p.65): next page
8. Controlling SNMP (as a management protocol) (cont.)
• SNMP v3 threats vs protections
Threat                          Protection
modification of information     Message integrity
masquerade                      Message authentication
disclosure                      Encryption
message stream modification     Timestamped messages, session identifiers (sequence numbers)
  (Messages might be maliciously reordered, delayed, or replayed to a greater extent than can occur through the natural operation of a subnetwork service, to effect unauthorized management operations.)
9. Controlling HTTP (as a
management protocol)
• Unless necessary, HTTP access to the router should be
disabled.
• HTTP protocol provides little security.
• The default authentication sends the password as clear
text.
• Admin access to the router via HTTP should be secured by activating authentication (preferably AAA rather than the enable password) and by restricting the server to management addresses with ip http access-class.
• Example: 3-19
• Ideally, a secure connection via VPN or SSL/TLS should be used (HTTPS: ip http secure-server, together with no ip http server).
10. Using CEF as a switching mechanism
• Cisco Express Forwarding
• Routers using the traditional switching mechanisms (fast switching) build a route cache on demand: the first packet to a new destination is process-switched and creates a cache entry, so a stream of packets to many new addresses keeps the CPU busy.
• SYN floods and DDoS attacks use a large number of random or pseudo-random IP addresses (spoofed sources, or many targets inside a prefix), so the router keeps seeing addresses it has not cached.
• CEF replaces the normal route cache with data structures (the Forwarding Information Base, or FIB, and the adjacency table) that mirror the entire routing table.
• It does away with the need to update the cache each time a new IP address needs to be routed to, so the switching cost no longer depends on the number of distinct flows.
CEF Components
http://www.cisco.com/en/US/docs/ios/12_1/switch/configuration/guide/xcdcef.html#wp1000922
1. Forwarding Information Base
– CEF uses a FIB to make IP destination prefix-based switching decisions.
– The FIB is conceptually similar to a routing table or information base. It maintains
a mirror image of the forwarding information contained in the IP routing table.
– When routing or topology changes occur in the network, the IP routing table is
updated, and those changes are reflected in the FIB. The FIB maintains next-hop
address information based on the information in the IP routing table.
– Because there is a one-to-one correlation between FIB entries and routing table
entries, the FIB contains all known routes and eliminates the need for route
cache maintenance that is associated with switching paths such as fast switching
and optimum switching.
2. Adjacency Tables
– Nodes in the network are said to be adjacent if they can reach each other with a
single hop across a link layer.
– In addition to the FIB, CEF uses adjacency tables to prepend Layer 2 addressing
information. The adjacency table maintains Layer 2 next-hop addresses for all
FIB entries.
11. Using the scheduler
• scheduler allocate
• scheduler interval
• To prevent the router from becoming too busy responding to the interrupts on its interfaces, due to the large number of packets arriving during a large-scale network attack (esp. a DDoS attack), and so starving the process-level tasks.
• Example 3-21
11. Using the scheduler (cont.)
• Example (from: http://www.cymru.com/Documents/performance.html)
– scheduler allocate 4000 200   ! the default values
– Where 4000 is the maximum number of microseconds to allocate to fast switching any single network interrupt context, and 200 is the minimum guaranteed number of microseconds to allocate to process-level tasks while network interrupts are masked.
– In cases where extremely high network load presents itself on the interface of a router, it is possible that other tasks will not be able to run.
– By default, Cisco IOS allocates about 5% of the CPU time (200 of every 4200 microseconds) to the lower-priority process tasks. During a high-load event, such as a DDoS, this default may be insufficient to ensure that other tasks acquire CPU time, such as routing protocol updates and CEF table maintenance. Raising the second value (for example scheduler allocate 4000 1000) guarantees those tasks a larger share, at the cost of some forwarding throughput.
12. Using NTP
• Network Time Protocol
• Critical for services requiring good time
stamping: logging, AAA, Kerberos, …
• Challenge: authentication between
devices exchanging NTP information
13. Login banners
• Sequence (as seen by a user connecting to the router):
– MOTD banner (banner motd): shown first, to every connection
– Login banner (banner login): shown before the username/password prompt
– login session (authentication)
– EXEC banner (banner exec): shown after a successful login, before the user can enter commands; for reverse-Telnet sessions the incoming banner (banner incoming) is shown instead
Example: 3-25
• MOTD banner:
Mainly for legal reasons, give warnings like 'Authorized access only!' to whoever is attempting to connect to the device. Do not reveal the device model, software version, owner or location in any banner, since that only helps an attacker.
(http://www.2000trainers.com/cisco-ccna-07/ccna-motd-banner-message/)
14. Capturing core dumps
• In the event of a system crash, the core dump may provide useful info for tracking the attack(s).
• The dump is a copy of the router's memory, written over the network to an FTP/TFTP/rcp server, so it contains the configuration and credentials: restrict who can read the dump server.
• Example: 3-26
15. Service nagle
• Nagle is an algorithm that can be enabled as a service
on a Cisco router, to allow the router to pace the TCP
connection for Telnet in a way that reduces the burden
on the CPU and generally improves the performance of
the Telnet session.
– service nagle (Example 3-27)
• More info (next)
From: http://www.ciscopress.com/articles/article.asp?p=27137&seqNum=7
The Nagle congestion-control algorithm is something that many ISPs turn on to
improve the performance of their Telnet sessions to and from the router.
When using a standard TCP implementation to send keystrokes between machines,
TCP tends to send one packet for each keystroke typed. On larger networks, many
small packets use up bandwidth and contribute to congestion.
John Nagle's algorithm (RFC 896) helps alleviate the small-packet problem in TCP.
In general, it works this way:
– The first character typed after connection establishment is sent in a single
packet, but TCP holds any additional characters typed until the receiver
acknowledges the previous packet.
– The second, larger packet is sent, and additional typed characters are saved
until the acknowledgment comes back.
– The effect is to accumulate characters into larger chunks and pace them out to
the network at a rate matching the round-trip time of the given connection.
– This method is usually good for all TCP-based traffic and helps when
connectivity to the router is poor or congested or the router itself is busier than
normal.
– However, do not use the service nagle command when real-time traffic (like voice over IP) is processed on the router: performance will become very poor.
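A small simulation of the behaviour described above, added here as an example and not taken from the Cisco Press article: it replays a burst of keystrokes through a sender with and without Nagle's algorithm and reports the packets that leave and the worst added delay, so both the packet reduction and the latency cost behind the voice-over-IP warning are visible. The keystroke timing and the RTT are constructed inputs.

```python
"""Simulation of Nagle's algorithm (RFC 896) for an interactive session.

Added example, not from the Cisco Press article. Each keystroke is one
byte; the sender either transmits every byte immediately (no Nagle) or,
with Nagle, holds bytes while a packet is outstanding and flushes them
as one packet when the acknowledgement arrives. The MSS rule of the real
algorithm (send at once when a full segment is buffered) is left out,
since keystroke bursts never reach it.
"""


def simulate(keystroke_times, rtt, nagle=True):
    """Return the list of (send_time, byte_count) packets emitted.

    keystroke_times: sorted times (ms) at which one byte becomes ready.
    rtt: round-trip time (ms); the ack for a packet sent at t arrives at t+rtt.
    """
    packets = []
    pending = 0          # bytes buffered, waiting for an acknowledgement
    ack_due = None       # arrival time of the ack for the packet in flight

    for t in keystroke_times:
        # Deliver any acks that arrive before this keystroke; each ack
        # releases the buffered bytes as one packet.
        while nagle and ack_due is not None and ack_due <= t:
            if pending:
                packets.append((ack_due, pending))
                pending = 0
                ack_due += rtt
            else:
                ack_due = None
        if nagle and ack_due is not None:
            pending += 1                     # hold the byte
        else:
            packets.append((t, 1))           # nothing in flight: send now
            ack_due = t + rtt
    # Session goes idle: drain whatever is still buffered.
    while pending:
        packets.append((ack_due, pending))
        pending = 0
    return packets


def _max_delay(keystroke_times, packets):
    """Largest gap between a byte being typed and the packet that carries it."""
    delays, i = [], 0
    for send_time, n in packets:
        for t in keystroke_times[i:i + n]:
            delays.append(send_time - t)
        i += n
    return max(delays) if delays else 0


def summarize(keystroke_times, rtt):
    """Packet count, bytes and worst keystroke delay with and without Nagle."""
    out = {}
    for name, flag in (("without_nagle", False), ("with_nagle", True)):
        pkts = simulate(keystroke_times, rtt, nagle=flag)
        out[name] = {
            "packets": len(pkts),
            "bytes": sum(n for _, n in pkts),
            "max_delay_ms": _max_delay(keystroke_times, pkts),
        }
    return out


# Constructed input: a 10-keystroke burst, one every 10 ms, on a 100 ms path.
BURST = [10 * k for k in range(10)]

if __name__ == "__main__":
    print(summarize(BURST, rtt=100))
```

On the 100 ms path the burst leaves as 2 packets instead of 10, but the last keystrokes wait up to 90 ms for the first acknowledgement; that pacing is exactly what makes Nagle unsuitable for real-time traffic.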
Security of other devices
• Firewalls, switches, …
• Similar procedure
– Check the default settings
– ‘Harden’ the device before placing it into use
in the production network.
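"Check the default settings" and "harden before production" are easiest to enforce with a script that reads the configuration and reports what is still at the default. The following is an added example, not code from the book or from Cisco: it audits an IOS running-config against several of the steps above (2: vty transport, access-class and timeout; 5: remote logging; 6: small servers and finger; 8: SNMP read-write communities; 9: plain HTTP; 12: NTP). Both sample configurations and their addresses are constructed.

```python
"""Audit an IOS running-config against the router-hardening steps on this page.

Added example, not from the book or from Cisco. It checks a subset of the
steps (vty line controls, remote syslog, unnecessary services, SNMP
read-write communities, clear-text HTTP management, NTP) and returns a
list of findings. The sample configurations are constructed.
"""
import re


def _sections(config):
    """Split a config into (unindented header, [indented child lines]) blocks."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            body.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit(config):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    sections = _sections(config)
    top = {h for h, _ in sections}            # global (unindented) commands

    # Step 2: every vty range must be SSH-only, source-restricted and time-limited.
    for header, body in sections:
        if not header.startswith("line vty"):
            continue
        transports = [b for b in body if b.startswith("transport input")]
        if not transports or transports[-1] != "transport input ssh":
            findings.append(f"{header}: transport input is not 'ssh' only")
        if not any(b.startswith("access-class") for b in body):
            findings.append(f"{header}: no access-class restricting source addresses")
        if not any(b.startswith("exec-timeout") for b in body):
            findings.append(f"{header}: default exec-timeout (10 min) in use")

    # Step 5: logs must leave the box so an intruder cannot erase the only copy.
    if not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", c) for c in top):
        findings.append("no remote syslog host configured")

    # Step 6: services with no business on a production router.
    for svc in ("service tcp-small-servers", "service udp-small-servers", "ip finger"):
        if svc in top:
            findings.append(f"unnecessary service enabled: {svc}")

    # Step 8: a read-write community lets anyone who knows it rewrite the config.
    for c in top:
        m = re.match(r"snmp-server community (\S+) (RO|RW)", c)
        if m and m.group(2) == "RW":
            findings.append(f"SNMP read-write community '{m.group(1)}' configured")

    # Step 9: clear-text HTTP management.
    if "ip http server" in top:
        findings.append("ip http server enabled (clear-text management); use ip http secure-server")

    # Step 12: without NTP, log timestamps cannot be correlated across devices.
    if not any(c.startswith("ntp server") for c in top):
        findings.append("no NTP server configured")

    return findings


# Constructed sample: a router with several defaults still in place.
WEAK_CONFIG = """\
hostname edge1
service tcp-small-servers
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password 7 0822455D0A16
 transport input telnet ssh
line vty 5 15
 transport input ssh
 access-class 10 in
 exec-timeout 5 30
"""

# The same router after applying the steps (addresses are assumptions).
HARDENED_CONFIG = """\
hostname edge1
no service tcp-small-servers
no ip http server
ip http secure-server
ntp server 10.255.1.5
logging host 10.255.1.6
snmp-server community public RO
line vty 0 15
 transport input ssh
 access-class 10 in
 exec-timeout 5 30
"""

if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print("WEAK:", f)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

The checks are deliberately literal (exact command text, no defaults database), which is enough for a pre-production gate; note that the hardened sample still carries an SNMP v1/v2c read-only community, which the audit does not flag but which still travels in clear text.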