Implementing Secure
Converged Wide
Area Networks
(ISCW)
Module 5 – ‘Cisco Device Hardening’
ISCW-Mod5_L1
© 2007 Cisco Systems, Inc. All rights reserved.
1
IDS = Intrution Detection System
IPS = Intrution Protection System
HIPS = Host Intrution Protection System
Encryption /
Access control configuration /
Den nye opdateret
version hedder: RFC
3704 filtering
Worm Attack, Mitigation and Response

The anatomy of a worm attack has three parts:
The enabling vulnerability: A worm installs itself on a vulnerable
system
Propagation mechanism: After gaining access to devices, a
worm replicates and selects new targets
Payload: Once the worm infects the device, the attacker has
access to the host – often as a privileged user. Attackers
use a local exploit to escalate their privilege level to
administrator.
Worm attack mitigation
 Worm attack mitigation requires diligence on the part of system
and network administration staff.
 Coordination between system administration, network engineering,
and security operations personnel is critical in responding
effectively to a worm incident.
 Recommended steps for worm attack mitigation:
Containment: Contain the spread of the worm into your network and
within your network. Compartmentalise uninfected parts of your
network.
Inoculation: Start patching all systems and, if possible, scanning for
vulnerable systems.
Quarantine: Track down each infected machine inside your network.
Disconnect, remove, or block infected machines from the network.
Treatment: Clean and patch each infected system. Some worms may
require complete core system reinstallations to clean the system.
SNMP v3 er krypteret og sikker.
Disabling Unused
Cisco Router
Network Services
and Interfaces
ISCW-Mod5_L1
© 2007 Cisco Systems, Inc. All rights reserved.
12
Unnecessary Services and Interfaces
Router Service
Default
Best Practice
BOOTP server
Enabled
Disable
Cisco Discovery Protocol (CDP)
Enabled
Disable if not required
Configuration auto-loading
Disabled
Disable if not required
Disable if not required.
FTP server
Disabled
Otherwise encrypt traffic within an
IPsec tunnel.
Disable if not required.
TFTP server
Disabled
Otherwise encrypt traffic within an
IPsec tunnel.
Disable if not required.
Network Time Protocol (NTP) service
Disabled
Otherwise configure NTPv3 and
control access between permitted
devices using ACLs.
Packet assembler and disassembler (PAD)
service
Enabled
Disable if not required
Enabled (pre
TCP and UDP minor services
11.3)
Disable if not required
Disabled (11.3+)
Maintenance Operation Protocol (MOP)
service
Enabled
Disable explicitly if not required
Commonly Configured Management Services
Management Service
Enabled by
Default
Best Practice
Simple Network Management Protocol (SNMP)
Enabled
Disable the service. Otherwise
configure SNMPv3.
Disable if not required.
HTTP configuration and monitoring
Device dependent
Domain Name System (DNS)
Client Service –
Enabled
Otherwise restrict access using
ACLs.
Disable if not required.
Otherwise explicitly configure the
DNS server address.
Path Integrity Mechanisms
Path Integrity Mechanism
Enabled by
Default
Best Practice
ICMP redirects
Enabled
Disable the service
IP source routing
Enabled
Disable if not required.
Probe and Scan Features
Probe and Scan Feature
Enabled by
Default
Best Practice
Finger service
Enabled
Disable if not required.
ICMP unreachable notifications
Enabled
Disable explicitly on untrusted
interfaces.
ICMP mask reply
Disabled
Disable explicitly on untrusted
interfaces.
Terminal Access Security
Terminal Access Security
Enabled by
Default
Best Practice
IP identification service
Enabled
Disable
TCP Keepalives
Disabled
Enable
ARP Service
ARP Service
Enabled by
Default
Best Practice
Gratuitous ARP
Enabled
Disable if not required.
Proxy ARP
Enabled
Disable if not required.
AutoSecure Functions

AutoSecure can selectively lock down:
Management plane services and functions:
Finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives,
CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP
(redirects, mask-replies), directed broadcast, MOP, banner
Also provides password security and SSH access
Forwarding plane services and functions:
CEF, traffic filtering with ACLs
Firewall services and functions:
Cisco IOS Firewall inspection for common protocols
Login functions:
Password security
NTP protocol
SSH access
Syntax:
TCP Intercept services
Router#Auto Secure ?
Forwarding
Secure Forwarding Plane
Management Secure Management Plane
No-interact Non-Interactive session of AutoSecure
<cr>
SSH-Configuration
Router(Config)#ip domain-name [Domæne navn]
Router(Config)#crypto key genereate rsa ?
General-keys Generate a general purpose RSA key pair for signing and encryption
Usage-keys
Generate seperate RSA key pairs for signing and encryption
<cr>
Router(Config)# crypto key genereate rsa general-keys modulus [modulus = nøgle størrelse i bit (360-2048)]
Nøgler over 512 bit anbefales, normalt bruges 1024 bit.
AutoSecure Failure Rollback Feature
 If AutoSecure fails to complete its operation, the
running configuration may be corrupt:
In Cisco IOS Release 12.3(8)T and later releases:
Pre-AutoSecure configuration snapshot is stored in the flash
under filename pre_autosec.cfg
Rollback reverts the router to the router’s pre-autosecure
configuration
Command: configure replace flash:pre_autosec.cfg
If the router is using software prior to Cisco IOS Release
12.3(8)T, the running configuration should be saved before
running AutoSecure.
Locking Down Routers with Cisco SDM
 SDM simplifies router and security configuration through smart
wizards that help to quickly and easily deploy, configure, and
monitor a Cisco router without requiring knowledge of the CLI
 SDM simplifies firewall and IOS software configuration without
requiring expertise about security or IOS software
 SDM contains a Security Audit wizard that performs a
comprehensive router security audit
 SDM uses security configurations recommended by Cisco
Technical Assistance Center (TAC) and the International Computer
Security Association (ICSA) as the basis for comparisons and
default settings
 The Security Audit wizard assesses the vulnerability of the existing
router and provides quick compliance to best-practice security
policies
 SDM can implement almost all of the configurations that
AutoSecure offers with the One-Step Lockdown feature
Securing Cisco
Router
Administrative
Access
ISCW-Mod5_L1
© 2007 Cisco Systems, Inc. All rights reserved.
23
Setting a Login Failure Blocking Period
router(config)#
login block-for seconds attempts tries within seconds
• Blocks access for a quiet period after a configurable number
of failed login attempts within a specified period
• Must be entered before any other login command
• Mitigates DoS and break-in attacks
Perth(config)#login block-for 100 attempts 2 within 100
Excluding Addresses from Login Blocking
router(config)#
login quiet-mode access-class {acl-name | acl-number}
• Specifies an ACL that is applied to the router when it switches
to the quiet mode
• If not configured, all login requests will be denied during the
quiet mode
• Excludes IP addresses from failure counting for login block-for
command
Perth(config)#login quiet-mode access-class myacl
Setting a Login Delay
router(config)#
login delay seconds
• Configures a delay between successive login attempts
• Helps mitigate dictionary attacks
• If not set, a default delay of one second is enforced after the
login block-for command is configured
Perth(config)#login delay 30
Configuring RoleBased CLI
ISCW-Mod5_L1
© 2007 Cisco Systems, Inc. All rights reserved.
27
Role-Based CLI Overview

Root view is the highest administrative view

Creating and modifying a view or ‘superview’ is possible
only from root view

The difference between root view and privilege Level 15 is
that only a root view user can create or modify views and
superviews

CLI views require AAA new-model:
This is necessary even with local view authentication
View authentication can be offloaded to an AAA server using the
new attribute "cli-view-name"

A maximum of 15 CLI views can exist in addition to the root
view
Getting Started with Role-Based CLI
router#
enable [privilege-level] [view [view-name]]
• Enter a privilege level or a CLI view.
• Use enable command with the view parameter to enter the
root view.
• Root view requires privilege Level 15 authentication.
• The aaa-new model must be enabled.
Perth(config)#aaa new-model
Perth(config)#exit
Perth#enable view
Password:
Perth#
%PARSER-6-VIEW_SWITCH: successfully set to view 'root'
Configuring CLI Views
router(config)#
parser view view-name
• Creates a view and enters view configuration mode
router(config-view)#
password 5 encrypted-password
commands parser-mode {include | include-exclusive |
exclude} [all] [interface interface-name | command]
• Sets a password to protect access to the view
• Adds commands or interfaces to a view
Perth(config)#parser view monitor_view
Perth(config-view)#password 5 hErMeNe%GiLdE!
Perth(config-view)#commands exec include show version
Mitigating Threats
and Attacks with
Access Lists
ISCW-Mod5_L1
© 2007 Cisco Systems, Inc. All rights reserved.
31
Configuring SNMP
ISCW-Mod5_L1
© 2007 Cisco Systems, Inc. All rights reserved.
32
SNMPv1 and SNMPv2 Architecture
SNMP asks agents embedded in network devices for
information or tells the agents to do something.
Community Strings
!
 In effect, having read-write access is equivalent to having the
enable password!
 SNMP agents accept commands and requests only from SNMP
systems that use the correct community string.
 By default, most SNMP systems use a community string of “public”
 If the router SNMP agent is configured to use this commonly
known community string, anyone with an SNMP system is able to
read the router MIB
 Router MIB variables can point to entities like routing tables and
other security-critical components of a router configuration, so it is
very important that custom SNMP community strings are created
SNMPv3 Features and Benefits
It is strongly recommend that all network management systems use
SNMPv3 rather than SNMPv1 or SNMPv2
Features
– Message integrity: Ensures that a packet has
not been tampered with in transit
– Authentication: Determines that the message
is from a valid source
Benefits
– Encryption: Scrambles the contents of a
packet to prevent the packet from being seen
by an unauthorised source
– Data can be collected securely from SNMP
devices without fear of the data being
tampered with or corrupted
– Confidential information, such as SNMP Set
command packets that change a router
configuration, can be encrypted to prevent the
contents from being exposed on the network
Configuring NTP on
Cisco Routers
ISCW-Mod5_L1
© 2007 Cisco Systems, Inc. All rights reserved.
36
NTP-Authentication
NTP-Server
NTP-Associations
Configuring AAA on
Cisco Routers
ISCW-Mod5_L1
© 2007 Cisco Systems, Inc. All rights reserved.
40
The Three Components of AAA
 Authentication
Provides the method of identifying users, including login and password
dialog, challenge and response, messaging support, and, depending
on the security protocol selected, encryption
 Authorisation
Provides the method for remote access control, including one-time
authorisation or authorisation for each service, per-user account list
and profile, user group support, and support of IP, IPX, ARA, and
Telnet
 Accounting
Provides the method for collecting and sending security server
information used for billing, auditing, and reporting, such as user
identities, start and stop times, executed commands (such as PPP),
number of packets, and number of bytes
AAA Protocols: RADIUS and TACACS+
AAA-Server Configuration
AAA-Authentication Configurations CLI
AAA-Authorization Configuration
AAA-Authorization Configuration
AAA-Accounting Configuration
AAA-Accounting Configuration