Fundamental IOS Security Features BRKSEC-2017
Rama Darbha
Customer Support Engineer
CCIE #28006
© 2013 Cisco and/or its affiliates. All rights reserved. BRKSEC-2017 Cisco Public
About the Presenter
Rama Darbha, Technical Assistance Center
– Firewall and VPN technology groups
– 5 years experience in network security
CCIE #28006, Security track
Guest Lecturer at North Carolina State University
Participant in IETF Operational Security group
Areas of expertise
– IPv6
– Zone Based Firewall
– Virtual Security
Agenda
Fundamental Security Features Control Plane Security
Data Plane Security
Protecting User Services
IPv6 Considerations
About the Presentation
What is not covered?
– Zone Based Firewall (ZBFW) application inspection
– Access Control Server (ACS) configuration
– User Identity protection
– Context Aware security
– Scansafe Security Integration
– Intrusion Prevention Systems
– Advanced IPv6 security configuration
BRKSEC-3007 – Advanced Cisco IOS Security Features
Fundamental Security
Fundamental Security
Infrastructure security is the core of network security
– Protecting devices which pass traffic
Securing network infrastructure
– Management security
– Login security
– User security
Insurance: What to do in case something happens?
– Accounting and monitoring
– IOS Resiliency
Management Security
• Controlling method of access for management
Login Methods
Why SSH over Telnet?
– SSH encrypts data
– Telnet is clear text
Requirements for SSH
– RSA keypair must be created on router
– IOS image must support encryption
– Management application must support SSH access
line vty 0 4
transport input ssh
Restricting Management Access
Only allow trusted IP addresses for management connections
Configure an access-list (ACL) to restrict login access
Management plane security
ip access-list extended LOGIN_ACL
permit tcp host 10.1.1.100 any eq 22
!
line vty 0 4
access-class LOGIN_ACL in
transport input ssh
Router(config)# control-plane host
Router(config-cp-host)# management-interface Fastethernet0/0 allow ssh
Management Security Tiers
• Transport method
• VTY access control
• Management plane security
Login Security
Login Security
Banner on login prompts
Password security
Restrict connection attempts
Login Banner
Welcome to Cisco’s Router!
Unauthorized access is not allowed.
Configuring a Banner
Language matters
– Requirements from legal department
– Laws based on country and state
The example below uses the ‘%’ symbol as the message delimiter
Router(config)# banner login %
Enter TEXT message. End with the character ‘%’.
This is a LOGIN banner %
Router(config)# banner exec %
Enter TEXT message. End with the character ‘%’.
This is a EXEC banner %
Login Banner in Use
[User]$ telnet 10.1.1.1
**Unauthorized access to this network device is prohibited.** You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary action.
Username: cisco
Password: cisco
***By successfully logging in, you acknowledge that you have explicit permission to access and configure this device. You accept that all activities performed on this device are logged and violations of this policy may result in disciplinary action.
Router#
Warns user that they should back out now if they are not authorized to access the system.
Acknowledges that user has successfully logged in and is responsible for actions.
Password Security
Enhanced Password Security
500,000 devices on the internet have a default password of root
Password restriction
Password encryption methods
1. Password encryption service
2. SHA256/MD5 hash
Password Restriction
Cisco IOS routers do not restrict passwords by default
Password restriction ensures local passwords adhere to the following rules
– Must contain characters from at least three of the following classes:
1. lowercase letters
2. uppercase letters
3. digits
4. special characters
– Cannot have a character repeated more than three times consecutively
– Cannot be the same as the associated username
– Cannot be a variant of the word “cisco”
Router(config)#aaa new-model
Router(config)#aaa password restriction
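As an added illustration (not from the presentation or from Cisco), the following Python checker applies the four rules listed above to a candidate password. How IOS decides that a password is a "variant of cisco" is not documented on the slide, so the substitution table used for that rule is an assumption of this example.

```python
"""Check a local password against the rules the slide lists for
'aaa password restriction'.  Added example, not Cisco code."""
from itertools import groupby

# Assumption: common letter/digit/symbol substitutions count as a
# "variant of cisco".  This table is the example's own, not Cisco's.
_LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "|": "i",
                       "$": "s", "5": "s", "@": "a", "3": "e"})


def char_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, special) occur."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def longest_run(password: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    return max((len(list(g)) for _, g in groupby(password)), default=0)


def is_cisco_variant(password: str) -> bool:
    """True if 'cisco' appears after case folding and undoing the
    substitutions in _LEET (so 'C1$c0' is a variant)."""
    return "cisco" in password.lower().translate(_LEET)


def check_password(username: str, password: str) -> list:
    """Return the list of rules the password violates; [] means it passes."""
    violations = []
    if char_classes(password) < 3:
        violations.append("fewer than three character classes")
    if longest_run(password) > 3:
        violations.append("character repeated more than three times consecutively")
    if password.lower() == username.lower():
        violations.append("same as username")
    if is_cisco_variant(password):
        violations.append("variant of the word cisco")
    return violations


if __name__ == "__main__":
    # Constructed sample username/password pairs.
    for user, pw in [("TAC", "Cisco12345"), ("NOC", "noc"), ("admin", "Tr0ub4dor&3")]:
        print(f"{user} / {pw}: {check_password(user, pw) or 'OK'}")
```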
Password Encryption
Service encryption uses a Cisco proprietary encryption algorithm
– Encryption is based on a Vigenère cipher
– Weak security because it is a polyalphabetic substitution

Router(config)#enable password cisco
Router#show run | include enable
enable password cisco

Router(config)#service password-encryption
Router#show run | include enable
enable password 7 02050D480809
Service Password-Encryption
Below is a tool from the first hit on Google
– Search term: cisco service password-encryption cracker
SHA/MD5 Password Protection
One-way hash algorithm that is not reversible
SHA256 is the default encryption for IOS routers (starting in 15.0.1S)

Router(config)#enable secret ?
  0      Specifies an UNENCRYPTED password will follow
  4      Specifies an SHA256 ENCRYPTED secret will follow
  5      Specifies an MD5 ENCRYPTED secret will follow
  LINE   The UNENCRYPTED (cleartext) 'enable' secret
  level  Set exec level password
Router(config)#enable secret cisco

enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
enable password cisco
See Appendix for functionality
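The management and password slides above (SSH rather than Telnet, an access-class on the VTY lines, no reversible Type 0/7 passwords, Type 4 secrets, login blocking) can be checked mechanically against a saved running-config. The Python audit below is an added example, not Cisco tooling; both config samples are constructed, and the Type 5 hash in the hardened one is copied from the deck's appendix.

```python
"""Static audit of an IOS running-config for the weaknesses the slides
cover.  Added example, not Cisco tooling."""
import re

# Constructed sample: roughly what the deck's weak snippets leave behind.
WEAK_CONFIG = """\
service password-encryption
enable password 7 02050D480809
username admin privilege 15 secret 4 tnhtc92DXBhelxjYk8LWJrPV362i4ntXrpb4RFmfqY
username cisco password 7 02250D4808095E731F1A5C
!
ip access-list extended LOGIN_ACL
 permit tcp host 10.1.1.100 any eq 22
!
line vty 0 4
 transport input telnet
 exec-timeout 5
"""

# The same box after the remediation the slides recommend.
HARDENED_CONFIG = """\
enable secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
username admin privilege 15 secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
login block-for 30 attempts 3 within 10
!
ip access-list extended LOGIN_ACL
 permit tcp host 10.1.1.100 any eq 22
!
line vty 0 4
 access-class LOGIN_ACL in
 transport input ssh
 exec-timeout 5
"""


def parse_sections(text):
    """Split a config into its top-level lines and, per top-level line,
    the indented child lines that follow it (IOS nests by indentation)."""
    top, children, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            children[current].append(raw.strip())
            continue
        current = raw.strip()
        top.append(current)
        children.setdefault(current, [])
    return top, children


def audit_config(text):
    """Return a sorted list of (severity, finding) tuples."""
    top, children = parse_sections(text)
    findings = []
    for line in top:
        if line.startswith("enable password"):
            findings.append(("HIGH", "enable password is reversible (Type 0/7); use enable secret"))
        m = re.match(r"username (\S+)\b.*\bpassword\b", line)
        if m:
            findings.append(("HIGH", f"username {m.group(1)}: reversible password; use secret"))
        if line.startswith(("enable secret", "username")) and re.search(r"\bsecret 4 ", line):
            findings.append(("MEDIUM", f"Type 4 secret (unsalted single SHA-256): {' '.join(line.split()[:2])}"))
    if not any(l.startswith("login block-for") for l in top):
        findings.append(("MEDIUM", "no login block-for; failed logins are not rate limited"))
    for header, lines in children.items():
        if not header.startswith("line vty"):
            continue
        # Anything other than exactly one 'transport input ssh' leaves Telnet possible.
        transports = [l for l in lines if l.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(("HIGH", f"{header}: transport input is not restricted to ssh"))
        if not any(l.startswith("access-class") for l in lines):
            findings.append(("MEDIUM", f"{header}: no access-class limiting management sources"))
    return sorted(findings)


if __name__ == "__main__":
    for sev, msg in audit_config(WEAK_CONFIG):
        print(f"[{sev}] {msg}")
    print("hardened:", audit_config(HARDENED_CONFIG) or "no findings")
```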
Password Cracking
ArsTechnica case study cracked 45% of a 17,000 hashed password list in 90 seconds using the technique shown below
SHA256/MD5 hashes are protected using a salt
– Salt is a random sequence of characters added to end of password before hash
Diagram labels: Hashed Password, Word List, Algorithm, HashCat, Unencrypted Password
Access Control Server (ACS) Integration
Passwords are only as safe as their storage medium
ACS integration provides a centralized service to store passwords
Compromised configurations provide no insight into passwords
Configuring ACS server
See Appendix for configuration examples and best practices
One Time Passwords (OTP)
One time passwords are used to restrict access for temporary users
– Introduced in 12.4
ACS OTP provides two tier authentication
– Use secure token to generate password
– New password for login each session

Router(config)#username TAC one-time secret cisco

RSA Token Generator
RSA Token Password: Cisco12345
RSA Token: 457AE59H
Password Security Tiers
• Simple unencrypted password
• Hashed password (MD5/SHA256)
• Password restrictions
• Centralized storage of passwords (ACS)
• One time use passwords
Session Limits
Configuring restrictions on brute force attacks will mitigate the effectiveness of the attack by delaying success
Login block for failed login attempts

Password Length: Time to Crack
12 digit password: 6 months
12 digit password + login restriction: 758 billion years

See Appendix for configuration examples
login block-for 30 attempts 3 within 10
Login Security Tiers
• Management Access Restriction
• Login Banner
• Password Security
• Session Limits
User Security
Functionality Based User Security
Diagram: functions (View Configuration, Edit Configuration, Troubleshooting Commands) mapped to roles (NOC, Admin, Contractor, TAC)
Command Based User Security
Diagram: command sets (Configure Interface, Configure Access Control, Configure Routing Protocols) mapped to roles (Routing Protocols, Admin, Security)
Privilege Levels
User EXEC Mode
• Privilege Level 0
• Can only enable
Router>
Privileged EXEC Mode
• Privilege Level 1
• View status of router
Router#
Global Configuration Mode
• Privilege Level 15
• Configuration commands
Router(config)#
See Appendix for complete configuration example
Changing Privilege Levels of Commands
Diagram: privilege levels 15, 7 and 1; the commands "interface ethernet0/0" and "shutdown" are placed at Level 7, the level assigned to username NOC
See Appendix for complete configuration example
Role Based Access Control
Creates views so users can only see a subset of commands in the parser
Provides more detailed control over CLI access
Views are assigned to each user, restricting
– Commands seen in parser
– Commands allowed to be issued
Superviews can be used to aggregate functionality
Introduced in 12.3(7)

parser view INTERN
 secret
 commands exec include show version
 commands exec include show
See Appendix for complete configuration example
Remote Command Authorization
Centralized server to verify commands before execution
– User gets command authorization set based on device
– Scalable solution for large network environments
Router will communicate with ACS to verify command before execution
Will IOS allow the user to issue the command?
• Privilege level of user and command
• Local command authorization
Is the user authorized to run the command?
• ACS server command list
• Remote command authorization
See Appendix for complete configuration example
User Security Tiers
• Privilege Levels
• Role Based Access Control
• ACS Command Authorization
Insurance
If router is compromised
– How to mitigate the impact?
– Restore device back to last known working condition?
Mitigating the impact of configuration changes
– Configuration Archive
– IOS Resiliency
Tracking down the source of the change
– Command Accounting
Configuration Backup and Rollback
Stores configuration periodically to destination location
Force a configuration archive
Rollback configuration
Introduced 12.3(7)T

archive
 path disk0:myconfig_backup
 maximum 5
 time-period 1440
Router# archive config
Router# configure replace disk0:myconfig_backup-<date>
IOS Resiliency
Saves a copy of the running-config and system image onto local storage
– This is called the primary bootset
– Primary bootset can be used to restore a previous image and config
Feature can only be disabled by a console session
– Can be initially enabled via any CLI session
Introduced in 12.3(8)T
Diagram: Running Config + System Image = Primary Bootset
See Appendix for complete configuration example
Network Accounting
Log command history to location
– Local archive
– ACS
Tracks configuration changes
– Per-session
– Per-user
Introduced 12.4(11)T
See Appendix for complete configuration example

archive
 log config
  logging enable
  logging size 200
  hidekeys
  notify syslog

Router#show archive log config all
 idx  sess  user@line  Logged command
   1     8  NOC@vty0   |interface Ethernet0/2
   2     8  NOC@vty0   | shutdown
Configuration Change Security Tiers
• Configuration Archive
• IOS Resiliency
• Network Accounting
Control Plane Security
Control Plane Diagram
Diagram: on the input forwarding path the aggregate control plane splits into Host, Transit and CEF Exception subinterfaces; the Host path applies queue threshold, port filter and policing, while Transit and CEF Exception apply policing only
Control Plane Policing (CPP)
Rate limit traffic to CPU using quality of service (QoS) policy
Protect against control plane oversubscription
Actions for traffic: Permit, Rate Limit, Drop
Control Plane Protection (CoPPr)
See Appendix for additional information
Aggregate Control Plane
Host
• Traffic destined to the router
• Management
• Routing Protocols
• Tunnel Traffic
Transit
• Traffic traversing router
CEF Exception
• Traffic redirected to RP
• Features that require additional processing
• Packets with special attributes
Control Plane Protection Example
Problem
– Router receiving too much traffic to process on non-listening ports
Solution
– Preemptively drop all traffic destined to closed ports
Router should only process traffic to open ports
– Services for management
– Services for monitoring
– Ephemeral ports opened for applications
Figure: Internet Map of Closed Ports
Control Plane Protection Port Filtering
class-map type port-filter match-all PORTFILTER_CMAP
 match closed-ports
!
policy-map type port-filter PORTFILTER_PMAP
 class PORTFILTER_CMAP
  drop
!
control-plane host
 service-policy type port-filter input PORTFILTER_PMAP

Match all closed ports
Drop any traffic to a closed port
Apply to host subinterface
Control Plane Protection
Only telnet is enabled on the router
Traffic destined to any other port on the router will be dropped early
– Before CPU processing
Viewing Open Ports

Router#show control-plane host open-ports
Active internet connections (servers and established)
Prot  Local Address  Foreign Address  Service  State
tcp   *:23           *:0              Telnet   LISTEN
See Appendix for complete configuration example
Control Plane Security Tiers
• Aggregate Control Plane
• Control Plane Subinterface
• Network Addressing/Design
Data Plane Security
Data Plane Security
Diagram: a Client behind Ethernet0/0 reaches the Internet through Ethernet0/1; HTTP, SMTP and FTP flows run between the client, an HTTP Server and an SMTP Server
Access Groups and ACLs
Diagram: Client on the Ethernet0/0 side, Webserver and Attacker on the Ethernet0/1 (Internet) side; two flows are marked with a question mark

ip access-list extended IN_TO_OUT
 permit tcp host Client any eq 80
interface Ethernet0/0
 ip access-group IN_TO_OUT in

ip access-list extended OUT_TO_IN
 permit tcp any eq 80 host Client
interface Ethernet0/1
 ip access-group OUT_TO_IN in
Firewall
Diagram: TRUSTED side (Client) and UNTRUSTED side (Internet with Webserver, SMTP Server and Attacker); HTTP and SMTP flows cross the firewall
Zone Based Firewall
Diagram: zones Inside, Guest, Servers and Internet
See Appendix for explanation of functionality

zone security INSIDE
!
interface Ethernet0/0
 zone-member security INSIDE

zone security GUEST
!
interface Ethernet0/1
 zone-member security GUEST
Zone Based Firewall: Configuration Theory
Identify traffic using class-map
• Access-list
• Protocol
Apply action using policy-map
• Inspect
• Drop
• Pass
Bind to zones using zone-pair
• Service policy applied to traffic
• Apply action to traffic
Zone Based Firewall: Configuration Theory
Identify traffic using class-map
class-map type inspect match-all INSIDE_OUTBOUND_CMAP
 match protocol http
 match access-list 100

Apply action using policy-map
policy-map type inspect INSIDE_OUTBOUND_PMAP
 class INSIDE_OUTBOUND_CMAP
  inspect

Bind to zones using zone-pair
zone-pair security IN2OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_OUTBOUND_PMAP
See Appendix for complete configuration example
Datapath Security Tiers
• Access-groups
• Stateful Firewall
• User-Identity Firewall
• Context Aware
Protecting User Services
Attack Security
Denial of Service Attack
– TCP SYN Flood
– ICMP Flood
IP Fragmentation Attack
– Tiny Fragment
– Overlapping Fragment
– Buffer Overflow
Spoofing Attack
Identifying Attack Vector
Router# show access-list 100
Extended IP access list 100
    permit icmp any any echo (2 matches)
    permit icmp any any echo-reply (2 matches)
    permit tcp any any eq www (21374 matches)
    permit udp any any (15 matches)
    permit ip any any (45 matches)

Diagram: traffic enters Ethernet0/1 and leaves via Ethernet0/0
Router(config)# interface Ethernet0/1
Router(config-if)# ip access-group 100 in
Router(config-if)# ip flow ingress
Tracking Source of DoS attacks
Router# show ip cache flow
...
Protocol  Total  Flows  Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
--------  Flows  /Sec   /Flow    /Pkt   /Sec     /Flow        /Flow
TCP-WWW   255    0.0    1        64     255.0    4.0          15.5
...
SrcIf  SrcIPaddress   DstIf  DstIPaddress  Pr  SrcP  DstP  Pkts
Et0/1  203.0.113.102  Et0/0  10.1.1.10     17  CDF7  0050  1
Et0/1  203.0.113.103  Et0/0  10.1.1.10     17  CDF7  0050  1
Et0/1  203.0.113.104  Et0/0  10.1.1.10     17  CDF7  0050  1
Et0/1  203.0.113.105  Et0/0  10.1.1.10     17  CDF7  0050  1
...
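The flow cache above is what an operator reads by eye; the Python below, an added example that is not part of the presentation, parses that output format and flags a destination/port that is being hit by many distinct sources with one-packet flows, which is the pattern the slide's excerpt shows. The sample output is constructed, and the protocol and port columns are decoded as hexadecimal as IOS prints them.

```python
"""Parse 'show ip cache flow' output and flag DoS-like fan-in.
Added example, not Cisco tooling.  Sample output below is constructed."""
import re
from collections import defaultdict

SAMPLE_FLOW_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/1         203.0.113.102   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         203.0.113.103   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         203.0.113.104   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         203.0.113.105   Et0/0         10.1.1.10       06 CDF7 0050     1
Et0/1         198.51.100.7    Et0/0         10.1.1.10       06 E4A1 0050   412
Et0/0         10.1.1.10       Et0/1         198.51.100.7    06 0050 E4A1   398
"""

# One flow-record line: interfaces, IPv4 addresses, hex protocol, hex ports, packet count.
FLOW_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$")


def parse_flow_cache(text):
    """Return a list of flow dicts; header and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        flows.append({
            "src_if": m.group(1), "src": m.group(2),
            "dst_if": m.group(3), "dst": m.group(4),
            "proto": int(m.group(5), 16),
            "sport": int(m.group(6), 16), "dport": int(m.group(7), 16),
            "pkts": int(m.group(8)),
        })
    return flows


def find_flood_targets(flows, min_sources=3, max_pkts_per_flow=2):
    """Group tiny flows by (dst, proto, dport) and report targets that are
    reached by at least min_sources distinct sources.  Large flows are
    ignored so that normal sessions do not count as attack traffic."""
    buckets = defaultdict(lambda: {"sources": set(), "ifaces": set()})
    for f in flows:
        if f["pkts"] > max_pkts_per_flow:
            continue
        b = buckets[(f["dst"], f["proto"], f["dport"])]
        b["sources"].add(f["src"])
        b["ifaces"].add(f["src_if"])
    hits = []
    for (dst, proto, dport), b in buckets.items():
        if len(b["sources"]) >= min_sources:
            hits.append({"dst": dst, "proto": proto, "dport": dport,
                         "sources": len(b["sources"]),
                         "ingress": sorted(b["ifaces"])})
    return sorted(hits, key=lambda h: -h["sources"])


if __name__ == "__main__":
    for hit in find_flood_targets(parse_flow_cache(SAMPLE_FLOW_CACHE)):
        print(f"{hit['dst']} proto {hit['proto']} port {hit['dport']}: "
              f"{hit['sources']} sources via {hit['ingress']}")
```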
DoS Attack Mitigation
SYN Flood Attack Mitigation using TCP Intercept
Diagram: Intercept Mode (the router answers each SYN with SYN+ACK and completes the SYN / SYN+ACK / ACK handshake itself, sending RST for connections that never complete) and Watch Mode (the router passively watches the handshake)
See Appendix for complete configuration example
IP Fragmentation Attacks
Diagram: an original packet (IP Header, TCP Header, Data) split into Fragment 1 (IP Header, TCP Header, Data) and Fragment 2 (IP Header, Data); the three cases shown are Tiny Fragment, Overlapping Fragments and Buffer Overflow against the reassembly buffer
IP Fragmentation Attack Mitigation: Fragments keyword in ACL

ip access-list extended FRAGMENTS_ACL
 deny ip any host 192.168.1.100 fragments
 permit tcp any host 192.168.1.100 eq 80
 deny ip any any
See Appendix for complete configuration example
Diagram: Fragment 1 (IP Header, TCP Header, Data) and Fragment 2 (IP Header, Data) between Ethernet0/1 and Ethernet0/0
Spoofing Attacks: Unicast Reverse Path Forwarding

Router# show ip route
C 10.1.1.0/24 directly connected, Ethernet0/0
C 192.168.1.0/24 directly connected, Ethernet0/1
S 20.1.1.0/24 via Ethernet0/0

Diagram: a packet with source 20.1.1.100 and destination 10.1.1.200 between Ethernet0/1 and Ethernet0/0; the route back to 20.1.1.0/24 points out Ethernet0/0, so that source is only consistent with arrival on Ethernet0/0
See Appendix for complete configuration example
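The uRPF decision can be worked through against the routing table on the slide. The Python below is an added example, not Cisco code: it does a longest-prefix lookup on a constructed 'show ip route' excerpt (assumption: each route line ends with its egress interface) and applies the strict-mode rule (the best route to the source must point out the arrival interface) and the loose-mode rule (any route to the source suffices).

```python
"""Strict and loose unicast RPF decisions against the slide's routing table.
Added example, not Cisco code."""
import ipaddress
import re

# Constructed 'show ip route' excerpt matching the slide's topology.
SAMPLE_ROUTES = """\
C    10.1.1.0/24 is directly connected, Ethernet0/0
C    192.168.1.0/24 is directly connected, Ethernet0/1
S    20.1.1.0/24 via Ethernet0/0
"""

# Route code, prefix, then anything, with the egress interface as the last token (assumption).
ROUTE_RE = re.compile(r"^\s*[A-Z*]+\s+(\d+\.\d+\.\d+\.\d+/\d+)\s.*?(\S+)\s*$")


def parse_routes(text):
    """Return (network, interface) tuples sorted most specific first."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)


def best_route(routes, ip):
    """Longest-prefix match; None when there is no route to the address."""
    addr = ipaddress.ip_address(ip)
    for net, iface in routes:
        if addr in net:
            return net, iface
    return None


def urpf_check(routes, src_ip, ingress_if, mode="strict"):
    """Return (accepted, reason) for a packet with src_ip arriving on
    ingress_if.  A default route is not special-cased in this example."""
    hit = best_route(routes, src_ip)
    if hit is None:
        return False, f"{src_ip}: no route to source, dropped ({mode} mode)"
    net, iface = hit
    if mode == "loose" or iface == ingress_if:
        return True, f"{src_ip} via {net} on {iface}: accepted ({mode} mode)"
    return False, (f"{src_ip} is reached via {iface} but arrived on {ingress_if}: "
                   f"dropped as spoofed (strict mode)")


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    # The slide's packet: source 20.1.1.100 arriving on Ethernet0/1.
    for mode in ("strict", "loose"):
        print(urpf_check(table, "20.1.1.100", "Ethernet0/1", mode=mode)[1])
```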
Fundamental IPv6 Security
IPv6 Address Scope
mask  IPv4 addresses   IPv6 addresses
/24   2^8 = 256        2^104 = 20.282 x 10^30
/16   2^16 = 65536     2^112 = 5.192 x 10^33
ICMPv6 Permissions
ICMPv6 is mandatory in IPv6
– Used for infrastructure control
– Error notification responses
ACLs that drop ICMPv4 must be altered to allow ICMPv6
ICMPv6 functionality in IPv6
– Neighbour Discovery
– Stateless Address Assignment
– Path Maximum Transmission Unit Discovery (pMTUd)
Neighbour Discovery
Functionality is to assess reachability of neighbours
Maps Layer 3 IPv6 address to Layer 2 MAC address
Also used for Duplicate Address Detection (DAD)

IPv4                     IPv6
ARP Request (Broadcast)  Neighbour Solicitation (Solicited Node Multicast)
ARP Reply (Unicast)      Neighbour Advertisement (Unicast)
Stateful DHCP
DHCPv6 server will allocate one or more IPv6 addresses or prefixes to a DHCPv6 client
DHCP options can be provided to client
– DNS server
– Domain name
DHCPv6 server maintains state
– Stores the leased IPv6 addresses and lease details in its database
Stateless DHCP (SLAAC)
Two messages are used
– INFORMATION-REQUEST
– REPLY
DHCPv6 server only provides configuration information
– DNS server
– Domain name
Assumption:
– Client will acquire IPv6 address through other means
Summary of Security Best Practices
Control management access to trusted IPs and interfaces
Use login banner as notification tool
Configure secure passwords stored on a centralized server
Control authenticated user movement by using command authorization
Archive configurations for insurance
Enforce command accounting to track changes on device
Protect control plane by rate limiting or dropping traffic to CPU
Configure firewall to protect user services
Implement attack security features based on network vulnerabilities
Be aware of differences in IPv6 networks
Appendix
Type 4 versus Type 5 vulnerability
Type 4 was designed to use Password-Based Key Derivation Function version 2 (PBKDF2)
– Hash algorithm = SHA-256
– Password = the user-provided plaintext password
– Salt = 80 bits (generated by calling a cryptographically secure random number generator)
– Iteration count = 1,000 (one thousand)
Due to an implementation issue, the Type 4 password algorithm does not use PBKDF2 and does not use a salt, but instead performs a single iteration of SHA-256 over the user-provided plaintext password. This approach causes a Type 4 password to be less resilient to brute-force attacks than a Type 5 password of equivalent complexity.
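The contrast in this appendix, and the salt explanation on the Password Cracking slide, can be shown side by side: the Python below (an added example, not Cisco's implementation) derives a secret the way the appendix says Type 4 was designed (PBKDF2-HMAC-SHA-256, 80-bit random salt, 1,000 iterations) and the way it shipped (one unsalted SHA-256), then shows why only the unsalted form lets a single word-list pass cover every stored hash at once. The hex storage encoding is this example's own, not Cisco's.

```python
"""Intended versus shipped Type 4 derivation, and what the salt buys.
Added example; not Cisco code.  Sample accounts are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 1000      # iteration count quoted in the appendix
SALT_BYTES = 80 // 8   # 80-bit salt quoted in the appendix


def shipped_type4(password: str) -> str:
    """What the deployed Type 4 code does: one SHA-256 over the plaintext,
    no salt, so two accounts with the same password store the same value."""
    return hashlib.sha256(password.encode()).hexdigest()


def intended_type4(password: str, salt: bytes = None) -> str:
    """What the appendix describes as the design: PBKDF2 with SHA-256.
    Stored as 'salt_hex$dk_hex' so the salt is available for verification."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_intended(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = intended_type4(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def wordlist_hits(stored_hashes: dict, wordlist) -> dict:
    """The word-list attack from the Password Cracking slide, run against
    the shipped (unsalted) scheme: each word is hashed once and looked up
    against every stored hash at the same time.  With a per-account salt
    the work would have to be repeated for each account and multiplied by
    the iteration count, which is the resilience the appendix refers to."""
    table = {shipped_type4(w): w for w in wordlist}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


if __name__ == "__main__":
    accounts = {"admin": "cisco", "NOC": "cisco", "TAC": "Tr0ub4dor&3"}
    shipped = {u: shipped_type4(p) for u, p in accounts.items()}
    intended = {u: intended_type4(p) for u, p in accounts.items()}
    print("shipped: admin and NOC identical?", shipped["admin"] == shipped["NOC"])
    print("intended: admin and NOC identical?", intended["admin"] == intended["NOC"])
    print("word-list hits against shipped scheme:", wordlist_hits(shipped, ["password", "cisco", "123456"]))
```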
ACS Integration
Configure ACS server information on IOS router
Create authentication list to use ACS server
Apply authentication list to management sessions
Configuration Example

Router(config)#tacacs server MYTACACS
Router(config-server-tacacs)# address ipv4 10.1.1.100
Router(config-server-tacacs)# key Cisco12345
Router(config)#aaa authentication login MANAGEMENT group TACACS local
Router(config)#line vty 0 4
Router(config-line)#login authentication MANAGEMENT
ACS Integration
Local fallback ensures that the router is still accessible when ACS is unavailable
Test ACS configuration before applying to avoid being locked out of the router
Using a reliable source interface ensures consistent access to the ACS server
Best Practices

Router#test aaa group MYTACACS username password new-code
User Rejected
Router(config)#ip tacacs source-interface Loopback0
Router(config)#aaa authentication login MANAGEMENT group TACACS local
Example on login blocking and timeouts
Login block configuration
line vty 0 4
 login authentication MANAGEMENT
 transport input telnet
login block-for 30 attempts 3 within 10

Session timeouts
line vty 0 4
 exec-timeout 5
Changing Privilege Levels of Commands
Commands can be moved down to different privilege levels
– Provide restricted configuration access
User NOC can shut and no shut interfaces
– Cannot configure any interface features

username NOC privilege 7 secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
!
privilege interface all level 7 shutdown
privilege interface all level 7 no shutdown
privilege configure level 7 interface
privilege exec level 7 configure terminal
Assigning Privilege Levels
aaa new-model
!
username admin privilege 15 secret 4 tnhtc92DXBhelxjYk8LWJrPV362i4ntXrpb4RFmfqY
username NOC privilege 1 secret 4 tnhtc92DXBhelxjYk8LWJrPV362i4ntXrpb4RFmfqY
!
aaa authentication login AUTHENTICATION_MANAGEMENT local
aaa authorization exec AUTHORIZATION_MANAGEMENT local
!
line vty 0 4
login authentication AUTHENTICATION_MANAGEMENT
authorization exec AUTHORIZATION_MANAGEMENT
Privilege Levels in Use
[User]$ telnet 10.1.1.1
Trying 10.1.1.1...
Connected to 10.1.1.1
Escape character is '^]'.
This is the LOGIN banner
Username: NOC
Password:
This is the EXEC banner
Router> show privilege
Current privilege level is 1
[User]$ telnet 10.1.1.1
Trying 10.1.1.1...
Connected to 10.1.1.1
Escape character is '^]'.
This is the LOGIN banner
Username: admin
Password:
This is the EXEC banner
Router# show privilege
Current privilege level is 15
Role Based Access Control Configuration Example
parser view INTERN
 secret
 commands exec include show version
 commands exec include show
!
parser view NOC
 secret
 commands interface include shutdown
 commands configure include interface
 commands configure include interface FastEthernet0/1
 commands exec include configure terminal
 commands exec include configure
!
parser view ADMIN superview
 secret
 view INTERN
 view NOC
Role Based Access Control
Apply the view setting to the username to force that user into that view
User authorization must be enabled
User Setup

username DAFFY privilege 15 view NOC secret DUCK
aaa new-model
!
aaa authorization exec EXEC_AUTHORIZATION_LIST local
ACS Command Authorization
ACS authentication must be enabled so users are correctly mapped
Router will communicate with ACS to verify command before execution
This provides scalability
– Same users can be allowed the same commands on all devices

aaa new-model
!
aaa authentication login default group tacacs+ local
!
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
IOS Resiliency
From console session
Router(config)#secure boot-config
*Feb 25 18:56:18.458: %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [disk0:.runcfg-20130225-185618.ar]
Router(config)#no secure boot-config
*Feb 25 18:56:24.745: %IOS_RESILIENCE-5-CONFIG_RESIL_INACTIVE: Disabled secure config archival [removed disk0:.runcfg-20130225-185618.ar]

From telnet session
Router(config)#no secure boot-config
%You must be logged on the console to apply this command
Network Accounting
Configure router to send command accounting history to ACS
Configuration Example
aaa new-model
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Fundamental Security: AutoSecure
Cisco IOS can automate security implementation
AutoSecure
– Secures a router by using a single CLI command
– Disables common IP services that can be exploited
– Enables IP services and features to defend the network
AutoSecure can be enabled per feature or all features
AutoSecure Feature Options
Router#auto secure ?
  firewall       AutoSecure Firewall
  forwarding     Secure Forwarding Plane
  full           Interactive full session of AutoSecure
  login          AutoSecure Login
  management     Secure Management Plane
  no-interact    Non-interactive session of AutoSecure
  ntp            AutoSecure NTP
  ssh            AutoSecure SSH
  tcp-intercept  AutoSecure TCP Intercept
  <cr>
AutoSecure Securing Login
Router#auto secure login
Gathering information about the router for AutoSecure
Enter the new enable password:
Confirm the enable password:
Configuration of local user database
Enter the username: cisco
Enter the password:
Configuring AAA local authentication
Configuring console, Aux and vty lines for local authentication, exec-timeout, transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 30
Maximum Login failures with the device: 3
Maximum time period for crossing the failed login attempts: 10
AutoSecure Login configuration
enable password 7 02250D4808095E731F1A5C
username cisco password 7 02250D4808095E731F1A5C
aaa new-model
aaa authentication login local_auth local
!
line vty 0 4
 login authentication local_auth
 transport input telnet
login block-for 30 attempts 3 within 10
!
end
Control Plane Protection (CoPPr)
Benefits
Extends protection against DoS attacks on infrastructure routers by providing a mechanism for finer policing of control plane traffic that allows you to rate-limit each type individually
Provides a mechanism for early dropping of packets that are directed to closed or non-listened Cisco IOS TCP/UDP ports
Provides ability to limit protocol queue usage such that no single protocol flood can overwhelm the input interface
Provides QoS control for packets that are destined to the control plane of Cisco routers
Provides better platform reliability, security, and availability
Provides CPU protection so it can be used for important jobs, such as routing
Control Plane Protection Monitoring Drops

Router#show control-plane counters
Feature Path               Packets processed/dropped/errors
Aggregate                  3/0/0
Host                       3/3/0
Transit                    0/0/0
Cef-exception              0/0/0

Router#show control-plane host counters
Control plane host path counters :
Feature                    Packets Processed/Dropped/Errors
--------------------------------------------------------
TCP/UDP Portfilter         3/3/0
--------------------------------------------------------
Control Plane Protection Monitoring Drops

Router#show policy-map type port-filter control-plane all
Control Plane Host
Service-policy port-filter input: PORTFILTER_PMAP
  Class-map: PORTFILTER_CMAP (match-all)
    3 packets, 180 bytes
    5 minute offered rate 0000 bps, drop rate 0000 bps
    Match: closed-ports
    drop
  Class-map: class-default (match-any)
    0 packets, 0 bytes
    5 minute offered rate 0000 bps, drop rate 0000 bps
    Match: any
```
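The two monitoring slides above show the counters an operator polls; what an alert actually needs is the change in the dropped column between polls. The following is an added example, not code from the deck: a parser for the `show control-plane counters` and `show control-plane host counters` tables and a delta check over two polls. The first sample is the slide's own output; the second poll is constructed.

```python
"""Parse 'show control-plane [host] counters' output and report growing drop counts.

Added example, not code from the BRKSEC-2017 deck or from Cisco IOS.
The first sample below is the slide's output; the second poll is constructed.
"""
import re
from typing import Dict, Tuple

Counters = Dict[str, Tuple[int, int, int]]   # feature -> (processed, dropped, errors)

# A counter row: a feature name, whitespace, then processed/dropped/errors.
_ROW = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z/\- ]*?)\s+(?P<p>\d+)/(?P<d>\d+)/(?P<e>\d+)\s*$")


def parse_counters(text: str) -> Counters:
    """Pull 'name  processed/dropped/errors' rows out of either show command."""
    out: Counters = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            out[m["name"].strip()] = (int(m["p"]), int(m["d"]), int(m["e"]))
    return out


def new_drops(before: Counters, after: Counters) -> Dict[str, int]:
    """Features whose dropped counter increased between two polls, with the delta."""
    return {name: after[name][1] - before[name][1]
            for name in after
            if name in before and after[name][1] > before[name][1]}


# Poll 1: the output on the slide.
POLL1 = """\
Router#show control-plane counters
Feature Path               Packets processed/dropped/errors
Aggregate                  3/0/0
Host                       3/3/0
Transit                    0/0/0
Cef-exception              0/0/0
"""

POLL1_HOST = """\
Router#show control-plane host counters
Control plane host path counters :
Feature                    Packets Processed/Dropped/Errors
--------------------------------------------------------
TCP/UDP Portfilter         3/3/0
--------------------------------------------------------
"""

# Poll 2: constructed, a few minutes later, with a burst at closed ports.
POLL2 = """\
Router#show control-plane counters
Feature Path               Packets processed/dropped/errors
Aggregate                  60/0/0
Host                       58/48/0
Transit                    2/0/0
Cef-exception              0/0/0
"""

if __name__ == "__main__":
    print(parse_counters(POLL1_HOST))
    print(new_drops(parse_counters(POLL1), parse_counters(POLL2)))   # {'Host': 45}
```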
Infrastructure Security
IPv6 Consideration

Infrastructure can be protected if attackers cannot access it
– draft-ietf-opsec-lla-only-03
Applying link-local addresses to infrastructure links reduces the attack surface
– Infrastructure links can only be attacked from the local link
Loopback addresses are configured with Global Unicast Addresses
– Allows ICMP error response packets
– Only the loopback address needs to be secured
IPv6 Link Local Only Example

[Figure: link-local-only infrastructure links; the diagram shows the prefixes 2001:DB8:100::/64 and 2001:DB8:200::/64 together with the link-local addresses FE80::100, FE80::101, FE80::200, FE80::201, FE80::300 and FE80::301]
Zone Based Firewall
Overview

Current IOS firewall solution
Scalable deployment capability
– Class-maps that match traffic can be reused in multiple policies
Security policies are applied to zones and not to interfaces
– Reduces redundant configuration for interfaces that share a policy
Zones are applied to various router interfaces to control traffic
– Integrates well with VTI VPN solutions
Each zone pair has its own security policy
– Granular control with traffic directionality
BRKSEC-3007 – Advanced Cisco IOS Security Features
TCP Intercept

access-list 101 permit tcp any any
!
ip tcp intercept list 101
ip tcp intercept mode intercept
ip tcp intercept drop-mode random
ip tcp intercept max-incomplete low 2000 high 3000
ip tcp intercept one-minute low 1000 high 1500

Jan 1 12:00:01 EST: %TCP-6-INTERCEPT: getting aggressive, count (2700/3000) 1 min 100
TCP intercept is enabled because the one minute rate exceeded 1500 embryonic connection attempts

Jan 1 12:05:01 EST: %TCP-6-INTERCEPT: calming down, count (1800/2000) 1 min 900
TCP Intercept was disabled because the one minute rate fell below 900 embryonic connection attempts
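The two log lines above come from the high/low hysteresis that the `max-incomplete` and `one-minute` commands configure. The following is an added example, not code from the deck or from Cisco IOS: it models when the router enters and leaves aggressive mode using the slide's threshold values, and the oldest-versus-random eviction that `drop-mode` selects. The per-minute samples and the half-open connection list are constructed; the message text mirrors the slide's log lines.

```python
"""Model of TCP Intercept's aggressive-mode thresholds and drop modes.

Added example, not code from the BRKSEC-2017 deck or from Cisco IOS.
Threshold values are the ones in the slide's configuration; the sample
measurements and half-open connection list are constructed.
"""
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Thresholds:
    incomplete_low: int = 2000    # ip tcp intercept max-incomplete low 2000 high 3000
    incomplete_high: int = 3000
    one_minute_low: int = 1000    # ip tcp intercept one-minute low 1000 high 1500
    one_minute_high: int = 1500


class TcpIntercept:
    """Aggressive mode starts when EITHER the half-open (embryonic) count or the
    one-minute attempt rate exceeds its 'high' mark, and ends only when BOTH are
    below their 'low' marks, so the state does not flap around a single value."""

    def __init__(self, th: Thresholds, drop_mode: str = "oldest") -> None:
        self.th = th
        self.drop_mode = drop_mode        # 'oldest' (IOS default) or 'random'
        self.aggressive = False

    def sample(self, incomplete: int, one_minute: int) -> List[str]:
        """Feed one measurement; return the log lines it produces, if any."""
        th = self.th
        if not self.aggressive and (incomplete > th.incomplete_high
                                    or one_minute > th.one_minute_high):
            self.aggressive = True
            return [f"%TCP-6-INTERCEPT: getting aggressive, "
                    f"count ({incomplete}/{th.incomplete_high}) 1 min {one_minute}"]
        if self.aggressive and (incomplete < th.incomplete_low
                                and one_minute < th.one_minute_low):
            self.aggressive = False
            return [f"%TCP-6-INTERCEPT: calming down, "
                    f"count ({incomplete}/{th.incomplete_low}) 1 min {one_minute}"]
        return []

    def evict_for_new_syn(self, half_open: List[Tuple[str, float]],
                          rng: Optional[random.Random] = None) -> List[Tuple[str, float]]:
        """In aggressive mode every new SYN evicts one half-open entry
        (client, start_time): the oldest, or a random one with drop-mode random."""
        if not self.aggressive or not half_open:
            return half_open
        if self.drop_mode == "random":
            victim = (rng or random.Random(0)).choice(half_open)
        else:
            victim = min(half_open, key=lambda entry: entry[1])
        return [entry for entry in half_open if entry is not victim]


def replay(samples: List[Tuple[int, int]],
           th: Thresholds = Thresholds()) -> List[Tuple[bool, List[str]]]:
    """Run (incomplete, one_minute) samples; return (aggressive?, messages) per sample."""
    engine = TcpIntercept(th)
    result = []
    for incomplete, one_minute in samples:
        msgs = engine.sample(incomplete, one_minute)
        result.append((engine.aggressive, msgs))
    return result


# Constructed one-minute samples: (half-open connections, attempts in the last minute).
SAMPLES = [(500, 400), (2700, 1600), (2500, 1200), (1800, 900)]

if __name__ == "__main__":
    for aggressive, msgs in replay(SAMPLES):
        print(aggressive, msgs)
```

The third sample shows why the low marks matter: the rate has dropped to 1200, below the high mark of 1500, but the router stays aggressive until both values are under their low marks.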
ZBFW configuration example

zone security INSIDE
zone security OUTSIDE
!
interface Ethernet0/0
 zone-member security INSIDE
interface Ethernet0/1
 zone-member security OUTSIDE
!
class-map type inspect INSIDE_OUTBOUND_CMAP
 match protocol http
!
policy-map type inspect INSIDE_OUTBOUND_PMAP
 class type inspect INSIDE_OUTBOUND_CMAP
  inspect
!
zone-pair security IN2OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_OUTBOUND_PMAP
IP Fragmentation Attack Mitigation
IP Virtual Fragment Reassembly (VFR) Configuration

Enabling VFR
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in

Restricting the number of concurrent IP datagrams
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in max-reassemblies 64

Limiting the number of fragments per IP datagram
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in max-fragments 16

Drop all IP fragments
Router(config)# interface Ethernet0/0
Router(config-if)# ip virtual-reassembly in drop-fragments
IP Fragmentation Attack Mitigation
IP Virtual Fragment Reassembly (VFR) Logs

Basic features of enabling VFR
– Max-reassemblies – Maximum number of concurrent IP datagrams that can be reassembled
– Max-fragments – Maximum number of fragments for the same IP datagram
– Drop-fragments – Drops all fragments

Log messages generated by VFR:
VFR-4-FRAG_TABLE_OVERFLOW
VFR-4-TOO_MANY_FRAGMENTS
VFR-3-OVERLAP_FRAGMENT
VFR-3-TINY_FRAGMENTS
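The four mnemonics on the slide correspond to four checks that a virtual reassembler applies as fragments arrive. The following is an added example, not code from the deck or from Cisco IOS: a fragment tracker that enforces the `max-reassemblies` and `max-fragments` limits and flags overlapping and tiny fragments, returning the slide's mnemonics. The `Fragment` and `VirtualReassembler` names, the sample fragments and the 16-byte first-fragment threshold are all constructed for illustration, and a fragment that trips a check is simply dropped rather than discarding the whole datagram.

```python
"""Model of the checks behind the IOS Virtual Fragment Reassembly (VFR) logs.

Added example, not code from the BRKSEC-2017 deck or from Cisco IOS.
The class names, sample fragments and the 16-byte 'tiny' threshold are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TINY_FIRST_FRAGMENT_BYTES = 16   # assumption: a first fragment must carry a full L4 header


@dataclass
class Fragment:
    dgram_id: int    # IP identification field
    offset: int      # payload offset in bytes (IP fragment offset * 8)
    length: int      # payload bytes in this fragment
    more: bool       # MF flag


@dataclass
class Datagram:
    ranges: List[Tuple[int, int]] = field(default_factory=list)  # (start, end) per fragment
    total_len: int = -1   # known once the MF=0 fragment has arrived


def _is_complete(dg: Datagram) -> bool:
    """True when the fragments cover [0, total_len) without a hole."""
    if dg.total_len < 0:
        return False
    pos = 0
    for start, end in sorted(dg.ranges):
        if start != pos:
            return False
        pos = end
    return pos == dg.total_len


class VirtualReassembler:
    def __init__(self, max_reassemblies: int = 64, max_fragments: int = 16) -> None:
        self.max_reassemblies = max_reassemblies   # ip virtual-reassembly in max-reassemblies 64
        self.max_fragments = max_fragments         # ip virtual-reassembly in max-fragments 16
        self.table: Dict[int, Datagram] = {}

    def check(self, f: Fragment) -> Optional[str]:
        """Return the VFR mnemonic this fragment trips, or None if it is accepted.

        An accepted fragment enters the reassembly table; once every byte up to
        the last fragment has been seen the datagram is released and its slot freed.
        """
        if f.offset == 0 and f.more and f.length < TINY_FIRST_FRAGMENT_BYTES:
            return "VFR-3-TINY_FRAGMENTS"
        dg = self.table.get(f.dgram_id)
        if dg is None:
            if len(self.table) >= self.max_reassemblies:
                return "VFR-4-FRAG_TABLE_OVERFLOW"    # no slot for a new datagram
            dg = self.table[f.dgram_id] = Datagram()
        start, end = f.offset, f.offset + f.length
        if any(start < e and s < end for s, e in dg.ranges):
            return "VFR-3-OVERLAP_FRAGMENT"           # overlaps data already seen
        if len(dg.ranges) + 1 > self.max_fragments:
            return "VFR-4-TOO_MANY_FRAGMENTS"
        dg.ranges.append((start, end))
        if not f.more:
            dg.total_len = end
        if _is_complete(dg):
            del self.table[f.dgram_id]                # reassembled, free the slot
        return None


# Constructed fragment stream exercising each check (limits: 2 datagrams, 3 fragments each).
STREAM = [
    Fragment(1, 0, 8, True),       # tiny first fragment
    Fragment(1, 0, 100, True),
    Fragment(1, 100, 100, True),
    Fragment(1, 150, 100, True),   # overlaps bytes 100-200
    Fragment(1, 200, 50, True),
    Fragment(1, 250, 50, False),   # fourth fragment of datagram 1
    Fragment(2, 0, 100, True),
    Fragment(3, 0, 100, True),     # table already holds 2 datagrams
    Fragment(2, 100, 20, False),   # completes datagram 2, frees a slot
    Fragment(3, 0, 100, True),     # now fits
]


def replay(frags: List[Fragment], max_reassemblies: int, max_fragments: int) -> List[Optional[str]]:
    vr = VirtualReassembler(max_reassemblies, max_fragments)
    return [vr.check(f) for f in frags]


if __name__ == "__main__":
    for frag, verdict in zip(STREAM, replay(STREAM, 2, 3)):
        print(frag, verdict)
```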
Spoofing Attack Mitigation
uRPF configuration example

Strict mode – The source address is in the Forwarding Information Base (FIB) and reachable only through the interface on which the packet was received
Router(config)# interface Ethernet0/1
Router(config-if)# ip verify unicast source reachable-via rx

Loose mode – The source address is in the FIB and reachable through any interface on the router
– Used for asymmetric routing or multi-homed ISP connections
Router(config)# interface Ethernet0/1
Router(config-if)# ip verify unicast source reachable-via any
uRPF Advanced Features

Cisco Express Forwarding (CEF) must be enabled (on by default)
Router(config)# ip cef

Allow the default route to satisfy uRPF verification
Router(config)# interface Ethernet0/0
Router(config-if)# ip verify unicast source reachable-via [rx|any] allow-default

Old configuration (DO NOT USE)
Router(config)# interface Ethernet0/0
Router(config-if)# ip verify unicast reverse-path
The command above was replaced in 12.0(15)S by the command below
Router(config)# interface Ethernet0/0
Router(config-if)# ip verify unicast source reachable-via [rx|any]
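The strict, loose and allow-default variants on the two uRPF slides differ only in what the FIB lookup on the source address has to return. The following is an added example, not code from the deck or from Cisco IOS: a longest-prefix-match FIB over constructed routes and a check function that implements `reachable-via rx`, `reachable-via any` and the `allow-default` option. Interface names, the routes and the `Fib` and `urpf_check` names are constructed.

```python
"""Model of unicast RPF strict and loose checks against a FIB.

Added example, not code from the BRKSEC-2017 deck or from Cisco IOS.
The routes, interface names and function names are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (prefix, outgoing interface)


class Fib:
    """A minimal forwarding table with longest-prefix match."""

    def __init__(self, routes: List[Tuple[str, str]]) -> None:
        self.routes: List[Route] = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

    def lookup(self, addr: str) -> Optional[Route]:
        ip = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if ip in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def urpf_check(fib: Fib, src: str, in_ifc: str, mode: str, allow_default: bool = False) -> bool:
    """True if a packet with source 'src' arriving on 'in_ifc' passes uRPF.

    mode 'rx'  : strict, the best route back to src must point out in_ifc
    mode 'any' : loose, any route to src is enough (asymmetric routing, multi-homing)
    Without allow_default a source matched only by 0.0.0.0/0 fails the check.
    """
    route = fib.lookup(src)
    if route is None:
        return False                     # no route back to the source at all
    prefix, out_ifc = route
    if prefix.prefixlen == 0 and not allow_default:
        return False                     # matched only by the default route
    if mode == "rx":
        return out_ifc == in_ifc
    if mode == "any":
        return True
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed FIB: a customer block behind Ethernet0/0, an upstream on Ethernet0/1.
FIB = Fib([
    ("10.1.0.0/16", "Ethernet0/0"),
    ("192.0.2.0/24", "Ethernet0/1"),
    ("0.0.0.0/0", "Ethernet0/1"),
])

if __name__ == "__main__":
    # A customer address arriving from the upstream is spoofed: strict mode drops it.
    print(urpf_check(FIB, "10.1.2.3", "Ethernet0/1", "rx"))                     # False
    # Loose mode accepts it, because a route to 10.1.0.0/16 exists somewhere.
    print(urpf_check(FIB, "10.1.2.3", "Ethernet0/1", "any"))                    # True
    # A source covered only by the default route needs allow-default to pass.
    print(urpf_check(FIB, "203.0.113.9", "Ethernet0/1", "rx"))                  # False
    print(urpf_check(FIB, "203.0.113.9", "Ethernet0/1", "rx", allow_default=True))  # True
```

Combining `any` with `allow-default` makes every source pass as soon as a default route exists, so the loose-mode check is only meaningful on a router without a default route or without the option.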
Stateful Address Assignment
Centralized server performs all addressing tasks
– Assigns IP addresses
– Keeps track of client-to-address mapping
– Provides additional network information
  – DNS server
  – Default gateway
Examples of stateful address protocols
– DHCP

Stateless Address Assignment
Client dynamically takes on addressing tasks
– Chooses own IP address
  – EUI-64
  – DAD used to avoid address duplication
– Additional network information not provided by default
  – Provided by supporting server
Examples of stateless address protocols
– SLAAC (StateLess Address AutoConfiguration)
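The EUI-64 step in the stateless column is the part a client computes on its own. The following is an added example, not code from the deck: it derives the modified EUI-64 interface identifier from a 48-bit MAC as RFC 4291 Appendix A describes (insert FF:FE in the middle, invert the universal/local bit) and joins it to a /64 prefix. The MAC addresses and prefixes used are constructed.

```python
"""Modified EUI-64 interface identifier and SLAAC address formation.

Added example, not code from the BRKSEC-2017 deck. The MAC addresses and
prefixes used here are constructed.
"""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 identifier for a 48-bit MAC."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert 0xFFFE between the OUI and the device part, then invert the
    # universal/local bit (0x02) of the first octet, per RFC 4291.
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def slaac_address(prefix: str, mac: str) -> str:
    """Join a /64 prefix to the EUI-64 identifier, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                      # constructed MAC
    print(slaac_address("fe80::/64", mac))         # link-local address
    print(slaac_address("2001:db8:100::/64", mac)) # global address from an RA prefix
```

Because the identifier is derived from the hardware address, the same host forms the same interface ID on every prefix, which is the tracking concern that privacy extensions (RFC 4941) were introduced to address.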