
Knowledge Net SECUR - Student Guide v1.1


Securing Cisco IOS Networks (SECUR)
Version 1.1
Student Guide
Text Part Number:

Copyright 2004, Cisco Systems, Inc. All rights reserved.
Cisco Systems has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Web site at www.cisco.com/go/offices.
Table of Contents

COURSE INTRODUCTION 1-1
  Overview 1-1
  Course Objectives 1-2
  Lab Topology Overview 1-7

SECURITY FUNDAMENTALS 2-1
  Overview 2-1
  Objectives 2-2
  Need for Network Security 2-3
  Network Security Policy 2-10
  Primary Network Threats and Attacks 2-13
  Denial of Service Attacks and Mitigation 2-32
  Worm, Virus, and Trojan Horse Attacks and Mitigation 2-38
  Management Protocols and Functions 2-45
  Summary 2-50

BASIC CISCO ROUTER SECURITY 3-1
  Objectives 3-2
  Securing Cisco Router Installations 3-3
  Securing Cisco Router Administrative Access 3-9
  Introduction to AAA for Cisco Routers 3-31
  Configuring AAA for Cisco Perimeter Routers 3-44
  Summary 3-61
  Lab Exercise: Configuring Basic Cisco Router Security Lab 3-1

ADVANCED AAA SECURITY FOR CISCO ROUTER NETWORKS 4-1
  Overview 4-1
  Objectives 4-2
  Introduction to the Cisco Secure ACS 4-3
  Product Overview: Cisco Secure ACS for Windows Server 4-4
  Product Overview: Cisco Secure ACS for UNIX (Solaris) 4-23
  Product Overview: Cisco Secure ACS Solution Engine 4-27
  Installing Cisco Secure ACS for Windows Server Version 3.2 4-33
  Administering and Troubleshooting Cisco Secure ACS for Windows Server Version 3.2 4-36
  TACACS+ Overview and Configuration 4-42
  Verifying TACACS+ 4-50
  RADIUS Configuration Overview 4-56
  Kerberos Overview 4-62
  Summary 4-64
  Lab Exercise: Configuring Cisco Secure ACS for Windows NT/2000 Lab 4-1

CISCO ROUTER THREAT MITIGATION 5-1
  Objectives 5-2
  Securing Router Services and Interfaces 5-7
  Disabling Unused Router Services and Interfaces 5-7
  Introduction to Cisco Access Lists 5-39
  Using Access Lists to Mitigate Security Threats 5-59
  Filtering Router Service Traffic 5-63
  Filtering Network Traffic 5-66
  DDoS Mitigation 5-74
  Sample Router Configuration 5-78
  Implementing Syslog Logging 5-81
  Designing Secure Management and Reporting for Enterprise Networks 5-88
  Using AutoSecure to Secure Cisco Routers 5-105
  Example: Typical Router Configuration Before AutoSecure 5-130
  Summary 5-139
  Lab Exercise: Cisco Router Threat Mitigation Lab 5-1

CISCO IOS FIREWALL CONTEXT-BASED ACCESS CONTROL CONFIGURATION 6-1
  Overview 6-1
  Objectives 6-2
  Introduction to the Cisco IOS Firewall 6-3
  Context-Based Access Control 6-8
  Global Timeouts and Thresholds 6-16
  Port-to-Application Mapping 6-25
  Define Inspection Rules 6-31
  Inspection Rules and ACLs Applied to Router Interfaces 6-43
  Test and Verify 6-52
  Summary 6-55
  Lab Exercise: Configure Cisco IOS Firewall CBAC on a Cisco Router Lab 6-1

CISCO IOS FIREWALL AUTHENTICATION PROXY 7-1
  Overview 7-1
  Objectives 7-2
  Introduction to the Cisco IOS Firewall Authentication Proxy 7-3
  AAA Server Configuration 7-7
  AAA Configuration 7-12
  Authentication Proxy Configuration 7-19
  Test and Verify the Configuration 7-24
  Summary 7-27
  Lab Exercise: Configure Authentication Proxy on a Cisco Router Lab 7-1

CISCO IOS INTRUSION DETECTION SYSTEM 8-1
  Overview 8-1
  Objectives 8-2
  Cisco IOS IDS Introduction 8-3
  Initializing the Cisco IOS IDS 8-10
  Configuring, Disabling, and Excluding Signatures 8-13
  Creating and Applying Audit Rules 8-17
  Verifying the Configuration 8-22
  Cisco IDS Network Module Introduction 8-26
  Summary 8-28
  Lab Exercise: Configure a Cisco Router with IOS Firewall IDS Lab 8-1

BUILDING IPSEC VPNS USING CISCO ROUTERS 9-1
  Overview 9-1
  Objectives 9-2
  Cisco Routers Enable Secure VPNs 9-3
  IPSec Overview 9-6
  IPSec Protocol Framework 9-23
  How IPSec Works 9-31
  Configuring IPSec Encryption 9-43
  Task 1: Prepare for IKE and IPSec 9-44
  Task 2: Configure IKE 9-60
  Task 3: Configure IPSec 9-69
    Step 1: Configure Transform Set Suites 9-71
    Step 2: Configure Global IPSec Security Association Lifetimes 9-75
    Step 3: Create Crypto ACLs 9-77
    Step 4: Create Crypto Maps 9-81
    Step 5: Apply Crypto Maps to Interfaces 9-87
  Task 4: Test and Verify IPSec 9-90
  Overview of Configuring IPSec Manually 9-101
  Overview of Configuring IPSec for RSA Encrypted Nonces 9-103
  Summary 9-108
  Lab Exercise: Configure Cisco IOS IPSec for Pre-Shared Keys Lab 9-1

BUILDING ADVANCED IPSEC VPNS USING CISCO ROUTERS AND CERTIFICATE AUTHORITIES 10-1
  Overview 10-1
  Objectives 10-2
  Configure CA Support Tasks 10-3
  Task 1: Prepare for IKE and IPSec 10-4
  CA Support Overview 10-12
  Task 2: Configure CA Support 10-18
  Task 3: Configure IKE 10-39
  Task 4: Configure IPSec 10-41
  Task 5: Test and Verify IPSec 10-43
  Summary 10-46
  Lab Exercise: Configure Cisco IOS CA Support (RSA Signatures) Lab 10-1

CONFIGURING IOS REMOTE ACCESS USING CISCO EASY VPN 11-1
  Overview 11-1
  Objectives 11-2
  Introduction to the Cisco Easy VPN 11-3
  How the Easy VPN Works 11-8
  Overview of the Easy VPN Remote Feature 11-12
  Configuring the Easy VPN Server 11-16
  Overview of the Cisco VPN 3.5 Client 11-27
  How the Cisco Easy VPN Works 11-32
  Configuring Easy VPN Remote for the Cisco VPN Client 3.x 11-43
  Using the Cisco VPN Client 3.x 11-52
  Configuring Easy VPN Remote for Access Routers 11-58
  Summary 11-74
  Lab Exercise: Configure Remote Access Using Cisco Easy VPN Lab 11-1

USING SECURITY DEVICE MANAGER 12-1
  Overview 12-1
  Objectives 12-2
  SDM Overview 12-3
  SDM Software 12-8
  Using the Startup Wizard 12-15
  Introducing the SDM User Interface 12-27
  Using SDM to Configure a WAN 12-33
  Using SDM to Configure a Firewall 12-42
  Using SDM to Configure a VPN 12-49
  Using SDM to Perform Security Audits 12-55
  Using the Factory Reset Wizard 12-61
  Using SDM Advanced and Monitor Modes 12-62
  Summary 12-70
  Lab Exercise: Managing Enterprise VPN Routers Lab 12-1

USING ROUTER MC 13-1
  Overview 13-1
  Objectives 13-2
  Router MC Overview 13-3
  Installing Router MC 13-7
  Getting Started 13-9
  Task 1: Creating an Activity 13-20
  Task 2: Creating Device Groups 13-22
  Task 3: Importing Devices 13-25
  Task 4: Defining VPN Settings 13-34
  Task 5: Defining VPN Policies 13-44
  Task 6: Approving Activities 13-66
  Task 7: Creating and Deploying Jobs 13-68
  Configuring General Cisco IOS Firewall Settings 13-78
  Building Access Rules 13-84
  Using Building Blocks 13-86
  Using Upload 13-91
  Summary 13-92

Lesson 1: Course Introduction

Overview
This lesson includes the following topics:
• Course objectives
• Course agenda
• Participant responsibilities
• General administration
• Graphic symbols
• Participant introductions
• Cisco Security Career Certifications
• Lab topology overview
Course Objectives
This topic introduces the course and the course objectives.
Upon completion of this course, you will be able to perform the following tasks:
• Identify network security threats.
• Secure administrative access using Cisco Secure ACS (for MS Windows 2000) and Cisco IOS software AAA features.
• Protect Internet access by configuring a Cisco perimeter router.
• Configure Cisco IOS Firewall Context-Based Access Control.
• Configure the Cisco IOS Firewall authentication proxy.
• Configure the Cisco IOS Firewall IDS.
• Use IPSec features in Cisco IOS software to create a secure site-to-site VPN using pre-shared keys and digital certificates.
• Use Cisco Easy VPN features to create a secure remote access VPN solution.
• Use the Cisco Security Device Manager to manage Cisco access routers.
• Use the Cisco Router Management Center to manage Cisco router VPN implementations.

Course Agenda
Day 1
• Lesson 1: Introduction
• Lesson 2: Security Fundamentals
• Lesson 3: Basic Cisco Router Security
• Lunch
• Lesson 4: Advanced AAA Security for Cisco Router Networks
Day 2
• Lesson 5: Cisco Router Threat Mitigation
• Lunch
• Lesson 6: Cisco IOS Firewall Context-Based Access Control Configuration
• Lesson 7: Cisco IOS Firewall Authentication Proxy
Day 3
• Lesson 8: Cisco IOS Intrusion Detection System
• Lunch
• Lesson 9: Building IPSec VPNs Using Cisco Routers
Day 4
• Lesson 10: Building Advanced IPSec VPNs Using Cisco Routers and Certificate Authorities
• Lunch
• Lesson 11: Configuring Cisco IOS Remote Access Using Cisco Easy VPN
Day 5
• Lesson 12: Using Cisco Security Device Manager
• Lesson 13: Using Cisco Router Management Center

Participant Responsibilities
Student responsibilities:
• Complete prerequisites
• Participate in lab exercises
• Ask questions
• Provide feedback

General Administration
Class-related:
• Sign-in sheet
• Length and times
• Break and lunch room locations
• Attire
Facilities-related:
• Participant materials
• Site emergency procedures
• Restrooms
• Telephones/faxes

Graphic Symbols
(Figure: the icons used in this course are labeled IOS Router, PIX Firewall, VPN 3000, IDS Sensor, Catalyst 6500 w/ IDS Module, IOS Firewall, Network Access Server, Policy Manager, CA Server, PC, Laptop, Server (Web, FTP, etc.), Modem, Ethernet Link, VPN Tunnel, Hub, and Network Cloud.)

Participant Introductions
• Your name
• Your company
• Prerequisite skills
• Brief history
• Objective
Cisco Security Career Certifications
Expand Your Professional Options and Advance Your Career
Cisco Certified Security Professional (CCSP) Certification: professional-level recognition in designing and implementing Cisco security solutions. (Figure: the certification levels are Associate (CCNA), Professional (CCSP), and Expert (CCIE).) Recommended training is available through Cisco Learning Partners (www.cisco.com/go/training). Required exams:
• 642-541 Cisco SAFE Implementation
• 642-501 Securing Cisco IOS Networks
• 642-511 Cisco Secure Virtual Private Networks
• 642-531 Cisco Secure Intrusion Detection System
• 642-521 Cisco Secure PIX Firewall Advanced

Enhance Your Cisco Certifications and Validate Your Areas of Expertise
Cisco Firewall, VPN, and IDS Specialists. Prerequisite for each: valid CCNA certification. Recommended training is available through Cisco Learning Partners (www.cisco.com/go/training). Required exams:
• Cisco Firewall Specialist: 642-501 Securing Cisco IOS Networks and 642-521 Cisco Secure PIX Firewall Advanced
• Cisco VPN Specialist: 642-501 Securing Cisco IOS Networks and 642-511 Cisco Secure Virtual Private Networks
• Cisco IDS Specialist: 642-501 Securing Cisco IOS Networks and 642-531 Cisco Secure Intrusion Detection System

Lab Topology Overview
This topic explains the lab topology that is used in this course.
(Figure, Lab Visual Objective: each pod has a Student PC on the 172.30.P.0 (or 172.30.Q.0) network, a pod Router, and Web/FTP and CSACS servers at 10.0.P.12 (or 10.0.Q.12) on the 10.0.P.0 (or 10.0.Q.0) network; Pods 1-5 are shown on one side and Pods 6-10 on the other. The backbone network 172.26.26.0 carries Web/FTP servers, RBB, and RTS.)
Each pair of students will be assigned a pod. In general, you will be setting up VPNs between your pod (pod P) and your assigned peer pod (pod Q).
Note: The P in a command indicates your pod number. The Q in a command indicates the pod number of your peer router.

Lesson 2: Security Fundamentals

Overview
This lesson describes security fundamentals. It includes the following topics:
• Objectives
• Need for network security
• Network security policy
• Primary network threats and attacks
• Reconnaissance attacks and mitigation
• Access attacks and mitigation
• Denial of service attacks and mitigation
• Worm, virus, and Trojan horse attacks and mitigation
• Management protocols and functions
• Summary

Objectives
This topic lists the lesson's objectives.
Upon completion of this chapter, you will be able to perform the following tasks:
• Describe the need for network security.
• Identify the components of a complete security policy.
• Explain security as an ongoing process.
• Describe the four types of security threats.
• Describe the four primary attack categories.
• Describe the types of attacks associated with each primary attack category and their mitigation methods.
• Describe the configuration management and management protocols and the recommendations for securing them.

Need for Network Security
Over the past few years, Internet-enabled business, or e-business, has drastically improved companies' efficiency and revenue growth. E-business applications such as e-commerce, supply-chain management, and remote access enable companies to streamline processes, lower operating costs, and increase customer satisfaction. Such applications require mission-critical networks that accommodate voice, video, and data traffic, and these networks must be scalable to support increasing numbers of users and the need for greater capacity and performance. However, as networks enable more and more applications and are available to more and more users, they become ever more vulnerable to a wider range of security threats. To combat those threats and ensure that e-business transactions are not compromised, security technology must play a major role in today's networks.

The Closed Network
(Figure: a closed network linking the corporate network and a remote site over the PSTN, Frame Relay, X.25, or leased lines.)
The closed network typically consists of a network designed and implemented in a corporate environment, and it provides connectivity only to known parties and sites without connecting to public networks. Networks were designed this way in the past and thought to be reasonably secure because there was no outside connectivity.

The Network Today
(Figure: an open network with mobile and remote users, a partner site, and remote sites reached over the PSTN, an Internet-based intranet (VPN), and an Internet-based extranet (VPN).)
The networks of today are designed with availability to the Internet and public networks, which is a major requirement. Most of today's networks have several access points to other networks, both public and private; therefore, securing these networks has become fundamentally important.

Threat Capabilities: More Dangerous and Easier to Use
(Figure: from 1980 through 1990 to 2000, the sophistication of hacker tools rises, with password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, scanners, sniffers, packet forging/spoofing, and stealth diagnostics plotted along the way, while the technical knowledge required falls from high to low.)
With the development of large open networks there has been a huge increase in security threats in the past 20 years.
Not only have hackers discovered more vulnerabilities, but the tools used to hack a network have become simpler and the technical knowledge required has decreased. There are downloadable applications available that require little or no hacking knowledge to implement. There are also applications intended for troubleshooting a network that, when used improperly, can pose severe threats.

The Role of Security Is Changing
As businesses become more open to supporting Internet-powered initiatives such as e-commerce, customer care, supply-chain management, and extranet collaboration, network security risks are also increasing.
Security has moved to the forefront of network management and implementation. It is necessary for the survival of many businesses to allow open access to network resources and ensure that the data and resources are as secure as possible. Security is becoming more important because of the following:
• Required for e-business: The importance of e-business and the need for private data to traverse public networks has increased the need for network security.
• Required for communicating and doing business safely in potentially unsafe environments: Today's business environment requires communication with many public networks and systems, which produces the need for as much security as is possible.
• Networks require development and implementation of a corporate-wide security policy: Establishing a security policy should be the first step in migrating a network to a secure infrastructure.

The E-Business Challenge
Expanded access, heightened security risks.
(Figure: Internet business value plotted against Internet access, Internet presence, and the corporate intranet, with supply chain, customer care, e-commerce, e-learning, and workforce optimization as the e-business applications.)
Business security requirements:
• Defense-in-depth
• Multiple components
• Integration into e-business infrastructure
• Comprehensive blueprint
Security must be a fundamental component of any e-business strategy. As enterprise network managers open their networks to more users and applications, they also expose these networks to greater risk. The result has been an increase in business security requirements. The Internet has radically shifted expectations of companies' abilities to build stronger relationships with customers, suppliers, partners, and employees. Driving companies to become more agile and competitive, e-business is giving birth to exciting new applications for e-commerce, supply-chain management, customer care, workforce optimization, and e-learning: applications that streamline and improve processes, speed up turnaround times, lower costs, and increase user satisfaction. E-business requires mission-critical networks that accommodate ever-increasing constituencies and demands for greater capacity and performance. These networks also need to handle voice, video, and data traffic as networks converge into multiservice environments.

Legal and Governmental Policy Issues
• Many governments have formed cross-border task forces to deal with privacy issues.
• The outcome of international privacy efforts is expected to take several years to develop.
• National laws regarding privacy are expected to continue to evolve worldwide.
As concerns about privacy increase, many governments have formed cross-border task forces to deal with privacy issues.
International privacy efforts are expected to take several years to develop and even longer to implement globally. National laws regarding privacy are expected to continue to evolve worldwide.

Network Security Is a Continuous Process
Network security is a continuous process built around a security policy:
• Step 1: Secure
• Step 2: Monitor
• Step 3: Test
• Step 4: Improve
(Figure: a cycle of Secure, Monitor and Respond, Test, and Manage and Improve around the Corporate Security Policy.)
After setting appropriate policies, a company or organization must methodically consider security as part of normal network operations. This process could be as simple as configuring routers to not accept unauthorized addresses or services, or as complex as installing firewalls, intrusion detection systems (IDSs), centralized authentication servers, and encrypted virtual private networks (VPNs). Network security is a continuing process:
• Secure: The following are methods used to secure a network: authentication, encryption, firewalls, and vulnerability patching.
• Monitor: To ensure that a network remains secure, it is important to monitor the state of security preparation. Network vulnerability scanners can proactively identify areas of weakness, and IDSs can monitor and respond to security events as they occur. Using security monitoring solutions, organizations can obtain unprecedented visibility into both the network data stream and the security posture of the network.
• Test: Testing security is as important as monitoring. Without testing the security solutions in place, it is impossible to know about existing or new attacks. The hacker community is an ever-changing environment. You can perform this testing yourself or outsource it to a third party such as the Cisco Security Posture Assessment (SPA) group.
• Improve: Monitoring and testing provide the data necessary to improve network security. Administrators and engineers should use the information from the monitor and test phases to make improvements to the security implementation as well as to adjust the security policy as vulnerabilities and risks are identified.

Network Security Policy
A security policy can be as simple as an acceptable use policy for network resources, or it can be several hundred pages in length and detail every element of connectivity and associated policies.

What Is a Security Policy?
"A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide." (RFC 2196, Site Security Handbook)
According to the Site Security Handbook (RFC 2196), "A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide." It further states, "A security policy is essentially a document summarizing how the corporation will use and protect its computing and network resources."

Why Create a Security Policy?
• To create a baseline of your current security posture
• To set the framework for security implementation
• To define allowed and not-allowed behaviors
• To help determine necessary tools and procedures
• To communicate consensus and define roles
• To define how to handle security incidents
• To inform users of their responsibilities
• To define assets and the way to use them
• To state the ramifications of misuse
Security policies provide many benefits and are worth the time and effort needed to develop them. Developing a security policy:
• Provides a process for auditing existing network security.
• Provides a general security framework for implementing network security.
• Defines which behavior is and is not allowed.
• Helps determine which tools and procedures are needed for the organization.
• Helps communicate consensus among a group of key decision makers and define responsibilities of users and administrators.
• Defines a process for handling network security incidents.
• Enables global security implementation and enforcement. Computer security is now an enterprise-wide issue, and computing sites are expected to conform to the network security policy.
• Creates a basis for legal action if necessary.

What Should the Security Policy Contain?
• Statement of authority and scope
• Acceptable use policy
• Identification and authentication policy
• Internet use policy
• Campus access policy
• Remote access policy
• Incident handling procedure
The following are some of the key policy components:
• Statement of authority and scope: This topic specifies who sponsors the security policy and what areas the policy covers.
• Acceptable use policy: This topic specifies what the company will and will not allow regarding its information infrastructure.
• Identification and authentication policy: This topic specifies what technologies, equipment, or combination of the two the company will use to ensure that only authorized individuals have access to its data.
• Internet access policy: This topic specifies what the company considers ethical and proper use of its Internet access capabilities.
• Campus access policy: This topic specifies how on-campus users will use the company's data infrastructure.
• Remote access policy: This topic specifies how remote users will access the company's data infrastructure.
• Incident handling procedure: This topic specifies how the company will create an incident response team and the procedures it will use during and after an incident.
Primary Network Threats and Attacks
This topic provides an overview of primary network threats and attacks.

Variety of Attacks
Network attacks can be as varied as the systems that they attempt to penetrate.
(Figure: external exploitation from the Internet, internal exploitation, dial-in exploitation, and a compromised host.)
Without proper protection, any part of any network can be susceptible to attacks or unauthorized activity. Routers, switches, and hosts can all be violated by professional hackers, company competitors, or even internal employees. In fact, according to several studies, more than half of all network attacks are waged internally. The Computer Security Institute (CSI) in San Francisco, California, estimates that between 60 and 80 percent of network misuse comes from inside the enterprises where the misuse has taken place. To determine the best ways to protect against attacks, IT managers should understand the many types of attacks that can be instigated and the damage that these attacks can cause to e-business infrastructures.

Network Security Threats
There are four general categories of security threats to the network:
• Unstructured threats
• Structured threats
• External threats
• Internal threats
There are four general threats to network security:
• Unstructured threats: These threats primarily consist of random hackers using various common tools, such as malicious shell scripts, password crackers, credit card number generators, and dialer daemons. Although hackers in this category may have malicious intent, many are more interested in the intellectual challenge of cracking safeguards than in creating havoc.
• Structured threats: These threats are created by hackers who are more highly motivated and technically competent. Typically, such hackers act alone or in small groups to understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses. These groups are often involved in the major fraud and theft cases reported to law enforcement agencies. Occasionally, such hackers are hired by organized crime, industry competitors, or state-sponsored intelligence collection organizations.
• External threats: These threats consist of structured and unstructured threats originating from an external source. These threats may have malicious and destructive intent, or they may simply be errors that generate a threat.
• Internal threats: These threats typically involve disgruntled former or current employees. Although internal threats may seem more ominous than threats from external sources, security measures are available for reducing vulnerabilities to internal threats and responding when attacks occur.

The Four Primary Attack Categories
All of the following can be used to compromise your system:
• Reconnaissance attacks
• Access attacks
• Denial of service attacks
• Worms, viruses, and Trojan horses
There are four types of network attacks:
• Reconnaissance attacks: An intruder attempts to discover and map systems, services, and vulnerabilities.
• Access attacks: An intruder attacks networks or systems to retrieve data, gain access, or escalate access privileges.
• Denial of service (DoS) attacks: An intruder attacks your network in a way that damages or corrupts your computer system or denies you and others access to your networks, systems, or services.
• Worms, viruses, and Trojan horses: Malicious software is inserted onto a host in order to damage a system, corrupt a system, replicate itself, or deny services or access to networks, systems, or services.
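The reconnaissance category just listed is the one a perimeter router can see most directly: as the next topic explains, it usually starts with a ping sweep to find live hosts, followed by a port scan of each live host. The following Python script is an added example and is not part of the course material. It reads constructed syslog lines written in the style of Cisco IOS access-list logging (the %SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGDP messages an ACL entry with the log keyword produces) and flags a source that echo-requests many hosts or probes many ports on one host. The addresses, access-list number, timestamps, and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines modelled on the Cisco IOS ACL logging format
# (%SEC-6-IPACCESSLOGP for tcp/udp, %SEC-6-IPACCESSLOGDP for icmp). The source
# 192.0.2.77, the 10.0.1.0 targets, list 101 and the timestamps are invented.
SAMPLE_LOG = """\
Mar  1 10:01:02 r1 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.77 -> 10.0.1.2 (8/0), 1 packet
Mar  1 10:01:02 r1 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.77 -> 10.0.1.3 (8/0), 1 packet
Mar  1 10:01:02 r1 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.77 -> 10.0.1.4 (8/0), 1 packet
Mar  1 10:01:03 r1 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.77 -> 10.0.1.5 (8/0), 1 packet
Mar  1 10:01:03 r1 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.77 -> 10.0.1.12 (8/0), 1 packet
Mar  1 10:01:05 r1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(40001) -> 10.0.1.12(21), 1 packet
Mar  1 10:01:05 r1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(40002) -> 10.0.1.12(22), 1 packet
Mar  1 10:01:05 r1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(40003) -> 10.0.1.12(23), 1 packet
Mar  1 10:01:06 r1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(40004) -> 10.0.1.12(25), 1 packet
Mar  1 10:01:06 r1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.77(40005) -> 10.0.1.12(80), 1 packet
Mar  1 10:02:10 r1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.1.2(1025) -> 10.0.1.12(80), 3 packets
Mar  1 10:02:11 r1 %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.1.3 -> 10.0.1.12 (8/0), 1 packet
"""

# icmp <src> -> <dst> (<type>/<code>)
ICMP_RE = re.compile(r"icmp (\S+) -> (\S+) \((\d+)/(\d+)\)")
# tcp|udp <src>(<sport>) -> <dst>(<dport>)
L4_RE = re.compile(r"(tcp|udp) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")


def parse_line(line):
    """Return a dict describing one ACL log event, or None if the line is not one."""
    m = ICMP_RE.search(line)
    if m:
        return {"proto": "icmp", "src": m.group(1), "dst": m.group(2),
                "icmp_type": int(m.group(3)), "dport": None}
    m = L4_RE.search(line)
    if m:
        return {"proto": m.group(1), "src": m.group(2), "dst": m.group(4),
                "icmp_type": None, "dport": int(m.group(5))}
    return None


def detect_recon(log_text, sweep_threshold=4, scan_threshold=4):
    """Flag sources that echo-request many hosts (ping sweep) or touch many
    ports on one host (port scan). Permitted and denied entries both count:
    a sweep is a pattern, not a single blocked packet. Thresholds are
    arbitrary values chosen for the example."""
    echo_targets = defaultdict(set)   # src -> {dst} for ICMP echo requests (type 8)
    port_targets = defaultdict(set)   # (src, dst) -> {dport}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proto"] == "icmp" and ev["icmp_type"] == 8:
            echo_targets[ev["src"]].add(ev["dst"])
        elif ev["dport"] is not None:
            port_targets[(ev["src"], ev["dst"])].add(ev["dport"])
    findings = []
    for src, hosts in echo_targets.items():
        if len(hosts) >= sweep_threshold:
            findings.append({"kind": "ping_sweep", "src": src, "hosts": len(hosts)})
    for (src, dst), ports in port_targets.items():
        if len(ports) >= scan_threshold:
            findings.append({"kind": "port_scan", "src": src, "dst": dst,
                             "ports": sorted(ports)})
    return findings


if __name__ == "__main__":
    for finding in detect_recon(SAMPLE_LOG):
        print(finding)
```

On the sample input the script reports one ping sweep (five hosts) and one port scan (five ports on 10.0.1.12), both from 192.0.2.77, and stays silent about the ordinary web and ping traffic from the inside hosts; the same two counters (distinct destinations per source, distinct ports per source/destination pair) are what a syslog collector or IDS rule would keep over a sliding time window.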
2-16 Securing Cisco IOS Networks (SECUR) v1.1 Copyright 2004, Cisco Systems, Inc.

Reconnaissance Attacks and Mitigation

This topic describes reconnaissance attacks and their mitigation.

Reconnaissance Attacks

Reconnaissance refers to the overall act of learning information about a target network by using readily available information and applications.

Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. It is also known as information gathering and, in most cases, precedes an actual access or DoS attack. The malicious intruder typically conducts a ping sweep of the target network first to determine which IP addresses are alive. After this has been accomplished, the intruder determines which services or ports are active on the live IP addresses. From this information, the intruder queries the ports to determine the application type and version as well as the type and version of the operating system running on the target host.

Reconnaissance is somewhat analogous to a thief casing a neighborhood for vulnerable homes to break into, such as an unoccupied residence, a house with an easy-to-open door or window, and so on. In many cases the intruders go as far as "rattling the door handle," not to go in immediately if it is opened, but to discover vulnerable services that they can exploit later when there is less likelihood that anyone is looking.

Reconnaissance attacks can consist of the following:
- Packet sniffers
- Port scans
- Ping sweeps
- Internet information queries

Packet Sniffers

A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. The following are the packet sniffer features:
- Packet sniffers exploit information passed in clear text. Protocols that pass information in the clear include Telnet, FTP, SNMP, POP, and HTTP.
- Packet sniffers must be on the same collision domain.
- Packet sniffers can be general purpose or can be designed specifically for attack.

[Figure: Host A and Host B communicating through Router A and Router B]

A packet sniffer is a software application that uses a network adapter card in promiscuous mode (a mode in which the network adapter card sends all packets received on the physical network wire to an application for processing) to capture all network packets that are sent across a LAN. Several network applications distribute network packets in clear text; that is, the information sent across the network is not encrypted. Because the network packets are not encrypted, they can be processed and understood by any application that can pick them up off the network and process them.

A network protocol specifies how packets are identified and labeled, which enables a computer to determine whether a packet is intended for it. Because the specifications for network protocols, such as TCP/IP, are widely published, a third party can easily interpret the network packets and develop a packet sniffer. (The real threat today results from the numerous freeware and shareware packet sniffers that are available, which do not require the user to understand anything about the underlying protocols.)

Packet Sniffer Attack Mitigation

[Figure: Host A and Host B communicating through Router A and Router B]

The following techniques and tools can be used to mitigate packet sniffer attacks:
- Authentication: Using strong authentication is a first option for defense against packet sniffers. Strong authentication can be broadly defined as a method of authenticating users that cannot easily be circumvented. A common example of strong authentication is one-time passwords (OTPs). An OTP is a type of two-factor authentication. Two-factor authentication involves using something you have combined with something you know. Automated teller machines (ATMs) use two-factor authentication: a customer needs both an ATM card and a personal identification number (PIN) to make transactions. With OTPs you need a PIN and your token card to authenticate to a device or software application. A token card is a hardware or software device that generates new, seemingly random, passwords at specified intervals (usually 60 seconds). A user combines that password with a PIN to create a unique password that works only for one instance of authentication. If a hacker learns that password by using a packet sniffer, the information is useless because the password has already expired. Note that this mitigation technique is effective only against a sniffer implementation that is designed to grab passwords. Sniffers deployed to learn sensitive information (such as e-mail messages) will still be effective.
- Switched infrastructure: Deploying a switched infrastructure counters the use of packet sniffers in your network environment. For example, if an entire organization deploys switched Ethernet, hackers can gain access only to the traffic that flows on the specific port to which they connect. A switched infrastructure obviously does not eliminate the threat of packet sniffers, but it can greatly reduce their effectiveness.
- Antisniffer tools: Software and hardware designed to detect the use of sniffers on a network can be employed. Such software and hardware does not completely eliminate the threat, but like many network security tools, they are part of the overall system. These so-called antisniffers detect changes in the response time of hosts to determine whether the hosts are processing more traffic than their own. One such network security software tool, which is available from Security Software Technologies, is called AntiSniff.
- Cryptography: The most effective method for countering packet sniffers does not prevent or detect them, but rather renders them irrelevant. If a communication channel is cryptographically secure, the only data a packet sniffer will detect is cipher text (a seemingly random string of bits) and not the original message. The Cisco deployment of network-level cryptography is based on IPSec, which is a standard method for networking devices to communicate privately using IP. Other cryptographic protocols for network management include Secure Shell Protocol (SSH) and Secure Sockets Layer (SSL).

Port Scans and Ping Sweeps

These attacks can attempt to:
- Identify all services on the network
- Identify all hosts and devices on the network
- Identify the operating systems on the network
- Identify vulnerabilities on the network

Port scans and ping sweeps are typically applications built to run various tests against a host or device in order to identify vulnerable services. The information is gathered by examining IP addressing and port or banner data from both TCP and UDP ports.
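The one-time-password mitigation described under Packet Sniffer Attack Mitigation above rests on one property: a code that a sniffer captures has already been consumed by the time it could be replayed. The following is an added example, not code from the course or from Cisco, that shows the verifier side of that scheme. It implements the HOTP algorithm of RFC 4226 (HMAC-SHA1 over a moving counter, which is what hardware token cards of this kind compute); the PIN-prefix format, the six-digit code length and the five-step look-ahead window are assumptions made for the demonstration.

```python
"""One-time passwords as a sniffer mitigation (added example, not course code).

The server accepts each counter value once, so a PIN+code captured by a packet
sniffer is useless afterwards. hotp() is RFC 4226; the PIN handling and the
look-ahead window are assumptions for this demo.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpServer:
    """Verifier for 'something you have' (token) plus 'something you know' (PIN)."""

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead      # assumed resync window for skipped token presses
        self.users = {}                   # user -> [secret, pin, last accepted counter]

    def enroll(self, user: str, secret: bytes, pin: str) -> None:
        self.users[user] = [secret, pin, -1]

    def verify(self, user: str, submitted: str) -> bool:
        """submitted is the PIN followed by the token's current code."""
        if user not in self.users:
            return False
        secret, pin, last = self.users[user]
        if not hmac.compare_digest(submitted[:len(pin)], pin):
            return False
        code = submitted[len(pin):]
        # Only counters above the last accepted one are candidates, so a code
        # that was already used (for example, one captured by a sniffer) can
        # never match again.
        for counter in range(last + 1, last + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(secret, counter), code):
                self.users[user][2] = counter
                return True
        return False


def replay_demo() -> tuple:
    """A real login, the same PIN+code replayed by a sniffer, then the next code."""
    secret = b"12345678901234567890"      # the RFC 4226 test-vector secret
    server = OtpServer()
    server.enroll("psmith", secret, "4321")
    first = server.verify("psmith", "4321" + hotp(secret, 0))
    replay = server.verify("psmith", "4321" + hotp(secret, 0))
    following = server.verify("psmith", "4321" + hotp(secret, 1))
    return first, replay, following       # (True, False, True)


if __name__ == "__main__":
    print(replay_demo())
```

As the text notes, this protects only the credential: anything else sent over the same clear-text session is still readable by the sniffer, which is why the cryptography item above is listed as the more complete answer.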
Port Scan and Ping Sweep Attack Mitigation

Port scans and ping sweeps cannot be prevented entirely. If ICMP echo and echo reply are turned off on edge routers, for example, ping sweeps can be stopped, but at the expense of network diagnostic data. However, port scans can easily be run without full ping sweeps; they simply take longer because they need to scan IP addresses that might not be live. IDSs at the network and host levels can usually notify an administrator when a reconnaissance attack such as a port scan or ping sweep is under way. This warning allows the administrator to better prepare for the coming attack or to notify the Internet service provider (ISP) that is hosting the system launching the reconnaissance probe.

Internet Information Queries

[Figure: a sample IP address query and a sample domain name query]

The figure demonstrates how existing Internet tools can be used for network reconnaissance (for example, an IP address query or a Domain Name System [DNS] query). DNS queries can reveal such information as who owns a particular domain and what addresses have been assigned to that domain. Ping sweeps of the addresses revealed by the DNS queries can present a picture of the live hosts in a particular environment. After such a list is generated, port scanning tools can cycle through all well-known ports to provide a complete list of all services running on the hosts discovered by the ping sweep. Finally, the hackers can examine the characteristics of the applications that are running on the hosts. This step can lead to specific information that is useful when the hacker attempts to compromise that service.
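The port scan and ping sweep mitigation above says that an IDS can notify the administrator when such a probe is under way. The following added example (not course or Cisco code) shows the core of that detection run over a batch of router ACL deny messages: one source hitting many distinct ports on one host inside a short window is reported as a port scan, and one source sending ICMP echo requests to many distinct hosts is reported as a ping sweep. The log lines are constructed for the example and modelled on the Cisco IOS IPACCESSLOGP and IPACCESSLOGDP message format; the thresholds, the 60-second window, the list number and all addresses are assumptions.

```python
"""Port-scan and ping-sweep detection from ACL deny logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d+)"
ICMP_RE = re.compile(_TS + r": %SEC-6-IPACCESSLOGDP: list \S+ denied icmp "
                     r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<type>\d+)/\d+\)")
PORT_RE = re.compile(_TS + r": %SEC-6-IPACCESSLOGP: list \S+ denied (?P<proto>tcp|udp) "
                     r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<port>\d+)\)")


def parse_ts(text: str) -> datetime:
    """IOS-style 'Mar  1 10:00:01.000' timestamp (year is irrelevant for deltas)."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S.%f")


class ReconDetector:
    def __init__(self, window_s: int = 60, sweep_hosts: int = 5, scan_ports: int = 6):
        self.window_s, self.sweep_hosts, self.scan_ports = window_s, sweep_hosts, scan_ports
        self.echo = defaultdict(deque)      # src -> deque of (ts, dst host)
        self.probes = defaultdict(deque)    # (src, dst) -> deque of (ts, (proto, port))
        self.alerts = []                    # (kind, src, dst, distinct count)
        self._fired = set()

    def _push(self, q: deque, ts: datetime, key) -> int:
        """Append an event, drop events older than the window, count distinct keys."""
        q.append((ts, key))
        while (ts - q[0][0]).total_seconds() > self.window_s:
            q.popleft()
        return len({k for _, k in q})

    def _alert(self, kind, src, dst, n, threshold):
        if n >= threshold and (kind, src, dst) not in self._fired:
            self._fired.add((kind, src, dst))      # report once per source/target
            self.alerts.append((kind, src, dst, n))

    def feed(self, line: str) -> None:
        m = ICMP_RE.match(line)
        if m:
            if m["type"] == "8":                   # echo request only
                n = self._push(self.echo[m["src"]], parse_ts(m["ts"]), m["dst"])
                self._alert("ping_sweep", m["src"], None, n, self.sweep_hosts)
            return
        m = PORT_RE.match(line)
        if m:
            n = self._push(self.probes[(m["src"], m["dst"])], parse_ts(m["ts"]),
                           (m["proto"], m["port"]))
            self._alert("port_scan", m["src"], m["dst"], n, self.scan_ports)


def _line(sec: int, body: str) -> str:
    return f"Mar  1 10:00:{sec:02d}.000: {body}"


# Constructed sample: one source sweeps six hosts, then probes eight ports on
# 10.1.1.5; a second source makes a single denied Telnet attempt (benign noise).
SAMPLE_LOG = [
    _line(i, f"%SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.7 -> 10.1.1.{i + 1} (8/0), 1 packet")
    for i in range(6)
] + [
    _line(10 + i, f"%SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40{i:03d}) -> 10.1.1.5({p}), 1 packet")
    for i, p in enumerate((21, 22, 23, 25, 80, 110, 143, 443))
] + [
    _line(30, "%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(51000) -> 10.1.1.5(23), 1 packet"),
]


def analyze(lines, detector: ReconDetector = None) -> list:
    det = detector or ReconDetector()
    for line in lines:
        det.feed(line)
    return det.alerts


if __name__ == "__main__":
    for kind, src, dst, n in analyze(SAMPLE_LOG):
        print(f"{kind}: {src} -> {dst or 'many hosts'} ({n} distinct within window)")
```

The window matters: a slow scan spread over hours stays below either threshold, which is the trade-off the text alludes to when it says scans without a ping sweep "simply take longer".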
IP address queries can reveal information such as who owns a particular IP address or range of addresses and what domain is associated with them.

Access Attacks and Mitigation

This topic describes specific access attacks and their mitigation.

Access Attacks

In access attacks, intruders typically attack networks or systems to:
- Retrieve data
- Gain access
- Escalate their access privileges

Access attacks exploit known vulnerabilities in authentication services, FTP services, and Web services to gain entry to Web accounts, confidential databases, and other sensitive information. Access attacks can consist of the following:
- Password attacks
- Trust exploitation
- Port redirection
- Man-in-the-middle attacks

Password Attacks

Hackers can implement password attacks using several methods:
- Brute-force attacks
- Trojan horse programs
- IP spoofing
- Packet sniffers

Although packet sniffers and IP spoofing can yield user accounts and passwords, password attacks usually refer to repeated attempts to identify a user account, password, or both. These repeated attempts are called brute-force attacks. Often a brute-force attack is performed using a program that runs across the network and attempts to log in to a shared resource, such as a server. When an attacker gains access to a resource, he or she has the same access rights as the user whose account has been compromised. If this account has sufficient privileges, the attacker can create a back door for future access, without concern for any status and password changes to the compromised user account.
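The brute-force attack just described succeeds only if the server keeps answering guesses, and only if the guessed password is reachable by a dictionary or a small character set. The Password Attack Mitigation topic that follows lists the countermeasures: disable the account after a number of failed logins, do not store plain-text passwords, and require strong passwords (at least eight characters with uppercase, lowercase, digits and special characters). The following added example (not course or Cisco code) puts those three rules into one small login guard. The threshold of five failures, the "disabled until an administrator re-enables it" policy, the PBKDF2 iteration count and the account names are assumptions for the demonstration.

```python
"""Password attack mitigation: strength policy, hashed verifier, lockout (added example)."""
import hashlib
import hmac
import os
import string


def is_strong_password(pw: str, min_len: int = 8) -> bool:
    """The course's rule: >= 8 characters with upper, lower, digit and special present."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def make_verifier(password: str, iterations: int = 50_000) -> tuple:
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def check_verifier(password: str, verifier: tuple) -> bool:
    salt, iterations, digest = verifier
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)      # constant-time comparison


class LoginGuard:
    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.verifiers = {}     # user -> (salt, iterations, digest)
        self.failures = {}      # user -> consecutive failed attempts
        self.disabled = set()

    def add_user(self, user: str, password: str) -> None:
        if not is_strong_password(password):
            raise ValueError("password does not satisfy the strong-password policy")
        self.verifiers[user] = make_verifier(password)
        self.failures[user] = 0

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'disabled'."""
        if user not in self.verifiers:
            return "denied"          # same answer as a wrong password: do not confirm account names
        if user in self.disabled:
            return "disabled"
        if check_verifier(password, self.verifiers[user]):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.disabled.add(user)  # the brute-force loop ends here, however long its word list
            return "disabled"
        return "denied"

    def admin_enable(self, user: str) -> None:
        self.disabled.discard(user)
        self.failures[user] = 0


def lockout_demo() -> list:
    """Five wrong guesses, then the correct password against the now-disabled account."""
    guard = LoginGuard()
    guard.add_user("psmith", "Correct-Horse7")
    results = [guard.login("psmith", f"guess{i}") for i in range(5)]
    results.append(guard.login("psmith", "Correct-Horse7"))
    return results   # ['denied', 'denied', 'denied', 'denied', 'disabled', 'disabled']


if __name__ == "__main__":
    print(lockout_demo())
```

Lockout turns a password-guessing attempt into a visible event (a disabled account) rather than a silent success, which is also what makes it a denial-of-service lever if the threshold is too low; the threshold is therefore a policy decision, not a constant.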
Password Attack Example

L0phtCrack can take the hashes of passwords and generate the clear-text passwords from them. Passwords are computed using two methods:
- Dictionary cracking
- Brute-force computation

Just as with packet sniffer and IP spoofing attacks, a brute-force password attack can provide access to accounts that can be used to modify critical network files and services. An example that compromises your network's integrity is an attacker modifying the routing tables for your network. By doing so, the attacker ensures that all network packets are routed to him or her before they are transmitted to their final destination. In such a case, an attacker can monitor all network traffic, effectively becoming a man in the middle.

The following are the two methods for computing passwords with L0phtCrack:
- Dictionary cracking: The password hashes for all of the words in a dictionary file are computed and compared against all of the password hashes for the users. This method is extremely fast and finds very simple passwords.
- Brute-force computation: This method uses a particular character set, such as A-Z or A-Z plus 0-9, and computes the hash for every possible password made up of those characters. It will always compute the password if that password is made up of the character set you have selected to test. The downside is that time is required for completion of this type of attack.

Password Attack Mitigation

The following are password attack mitigation techniques:
- Do not allow users to use the same password on multiple systems: Most users will use the same password for each system they access, and often personal system passwords will be the same as well.
- Disable accounts after a specific number of unsuccessful login attempts: This practice helps to prevent continuous password attempts.
- Do not use plain-text passwords: Use of either an OTP or an encrypted password is recommended.
- Use "strong" passwords: Many systems now provide strong password support and can restrict a user to the use of strong passwords only. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters.

Trust Exploitation

A hacker leverages existing trust relationships. Several trust models exist:
- Windows: domains, Active Directory
- Linux and UNIX: NFS, NIS+

[Figure: SystemA (user psmith, Pat Smith) trusts SystemB; SystemB (user psmith, Pat Smith), compromised by the hacker, trusts everyone; therefore SystemA trusts everyone, and the hacker (user psmith, Pat Smithson) gains access to SystemA]

Although it is not an attack in itself, trust exploitation refers to an individual's taking advantage of a trust relationship within a network. The classic example is a perimeter network connection from a corporation. These network segments often house DNS, Simple Mail Transfer Protocol (SMTP), and HTTP servers. Because they all reside on the same segment, a compromise of one system can lead to the compromise of other systems if those other systems in turn trust systems attached to the same network. Another example is a system on the outside of a firewall that has a trust relationship with a system on the inside of a firewall. When the outside system is compromised, the attacker can leverage that trust relationship to attack the inside network.

Trust Exploitation Attack Mitigation

[Figure: SystemA (user psmith, Pat Smith); SystemB (user psmith, Pat Smith) compromised by the hacker; the hacker (user psmith, Pat Smithson) is blocked]

You can mitigate trust exploitation-based attacks through tight constraints on trust levels within a network. Systems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall. Such trust should be limited to specific protocols and should be authenticated by something other than an IP address where possible.

Port Redirection

Port redirection is a type of trust-exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise be dropped. It is mitigated primarily through the use of proper trust models. Antivirus software and host-based IDS can help detect and prevent a hacker from installing port redirection utilities on the host.

[Figure: the attacker reaches compromised Host A (source: attacker, destination: A, port 22); Host A forwards the traffic to Host B (source: A, destination: B, port 23); the net effect is a connection from the attacker to Host B on port 23]

Consider a firewall with three interfaces and a host on each interface. The host on the outside can reach the host on the public services segment (commonly referred to as a Demilitarized Zone [DMZ]), but not the host on the inside. The host on the public services segment can reach the host on both the outside and the inside. If hackers were able to compromise the public services segment host, they could install software to redirect traffic from the outside host directly to the inside host. Though neither communication violates the rules implemented in the firewall, the outside host has now achieved connectivity to the inside host through the port redirection process on the public services host. An example of an application that can provide this type of access is netcat. Port redirection can be mitigated primarily through the use of proper trust models, which are network specific (as mentioned earlier). Assuming a system under attack, a host-based IDS can help detect a hacker and prevent installation of such utilities on a host.

Man-in-the-Middle Attacks

A man-in-the-middle attack requires that the hacker have access to network packets that come across a network. A man-in-the-middle attack is implemented using the following:
- Network packet sniffers
- Routing and transport protocols

Possible man-in-the-middle attack uses include the following:
- Theft of information
- Hijacking of an ongoing session
- Traffic analysis
- DoS
- Corruption of transmitted data
- Introduction of new information into network sessions

[Figure: Host A and Host B communicating through Router A and Router B, with data in clear text]

A man-in-the-middle attack requires that the attacker have access to network packets that come across the network. Such attacks are often implemented using network packet sniffers and routing and transport protocols. The possible uses of such attacks are theft of information, hijacking of an ongoing session to gain access to your internal network resources, traffic analysis to derive information about your network and its users, denial of service, corruption of transmitted data, and introduction of new information into network sessions. An example of a man-in-the-middle attack could be someone who is working for your ISP and who can gain access to all network packets transferred between your network and any other network.

Man-in-the-Middle Attack Mitigation

Man-in-the-middle attacks can be effectively mitigated only through the use of cryptography (encryption).

[Figure: Host A and Host B communicating through Router A, the ISP, and Router B inside an IPSec tunnel; a man-in-the-middle attack can see only cipher text]

Man-in-the-middle attack mitigation is achieved, as shown in the figure, by encrypting traffic in an IPSec tunnel, which would allow the hacker to see only cipher text.

Denial of Service Attacks and Mitigation

This topic describes specific DoS attacks and their mitigation.

Denial of Service Attacks

Denial of service attacks occur when an intruder attacks your network in a way that damages or corrupts your computer system or denies you and others access to your networks, systems, or services.

Certainly the most publicized form of attack, DoS attacks are also among the most difficult to completely eliminate. Even within the hacker community, DoS attacks are regarded as trivial and considered bad form because they require so little effort to execute. Still, because of their ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators. If you are interested in learning more about DoS attacks, researching the methods employed by some of the better-known attacks can be useful.
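The man-in-the-middle mitigation above, like the cryptography item under packet sniffer mitigation, relies on two properties of a protected channel: confidentiality (the sniffer sees only cipher text) and integrity (corrupted or injected data is detected and dropped, as an IPSec tunnel does when a packet fails its integrity check). The following added example (not course or Cisco code, and not IPSec) illustrates both with Python's standard library. Encryption uses a SHA-256 keystream in counter mode, which is an illustration of the principle only (a real deployment uses IPSec with a proper cipher); the HMAC-SHA256 tag is computed over nonce and cipher text and checked before decryption. Keys, nonce size, the message and the byte that the demo corrupts are all constructed for the demonstration.

```python
"""Encrypt-then-MAC illustration of why cryptography defeats sniffers and
man-in-the-middle tampering (added example; not IPSec, not production code)."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative counter-mode keystream: SHA-256(key || nonce || block index)."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", block)).digest()
        block += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """nonce || ciphertext || HMAC tag. The nonce must never repeat under one key."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(enc_key: bytes, mac_key: bytes, packet: bytes):
    """Returns the plaintext, or None when the tag fails (modified, forged or truncated)."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):    # verify first, decrypt only if it passes
        return None
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def mitm_demo() -> dict:
    """What a sniffer sees, and what a man in the middle achieves by flipping one bit."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"transfer 100 to account 42"
    packet = protect(enc_key, mac_key, msg)
    # A man in the middle changes one byte of cipher text (the '1' of "100").
    i = NONCE_LEN + 9
    modified = packet[:i] + bytes([packet[i] ^ 0x01]) + packet[i + 1:]
    # Encryption alone would hand the receiver a silently corrupted message...
    corrupted = _xor(modified[NONCE_LEN:-TAG_LEN],
                     _keystream(enc_key, modified[:NONCE_LEN], len(msg)))
    # ...which is exactly the "corruption of transmitted data" the text lists.
    return {
        "plaintext_on_wire": msg in packet,                           # False
        "received": unprotect(enc_key, mac_key, packet),              # original message
        "tampered_received": unprotect(enc_key, mac_key, modified),   # None: dropped
        "corrupted_without_mac": corrupted,                           # b"transfer 000 ..."
    }


if __name__ == "__main__":
    for k, v in mitm_demo().items():
        print(f"{k}: {v!r}")
```

The "corrupted_without_mac" result is the reason the text says only cryptography mitigates these attacks and why integrity protection belongs with encryption: a stream cipher without an authentication tag lets an attacker change a plaintext bit without knowing the key.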
DoS attacks can consist of the following:
- IP spoofing
- Distributed denial of service (DDoS)

IP Spoofing

IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer. Two general techniques are used during IP spoofing:
- A hacker uses an IP address that is within the range of trusted IP addresses.
- A hacker uses an authorized external IP address that is trusted.

Uses for IP spoofing include the following:
- IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data.
- If a hacker changes the routing tables to point to the spoofed IP address, then the hacker can receive all the network packets that are addressed to the spoofed address and reply, just as any trusted user can.

An IP spoofing attack occurs when an attacker outside your network pretends to be a trusted computer, either by using an IP address that is within the range of IP addresses for your network or by using an authorized external IP address that you trust and to which you wish to provide access to specified resources on your network. Normally, an IP spoofing attack is limited to the injection of data or commands into an existing stream of data passed between a client and server application or a peer-to-peer network connection. To enable bidirectional communication, the attacker must change all routing tables to point to the spoofed IP address. Another approach the attacker could take is simply not to worry about receiving any response from the applications. For example, if an attacker is attempting to get a system to mail him or her a sensitive file, application responses are unimportant. However, if an attacker manages to change the routing tables to point to the spoofed IP address, he or she can receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can.

Like packet sniffers, IP spoofing use is not restricted to people who are external to the network. Although this use is not as common, IP spoofing can also provide access to user accounts and passwords, and it can also be used in other ways. For example, an attacker can emulate one of your internal users in ways that prove embarrassing for your organization; the attacker could send e-mail messages to business partners that appear to have originated from someone within your organization. Such attacks are easier when an attacker has a user account and password, but they are possible when simple spoofing attacks are combined with knowledge of messaging protocols.

IP Spoofing Attack Mitigation

The threat of IP spoofing can be reduced, but not eliminated, through the following measures:
- Access control: The most common method for preventing IP spoofing is to properly configure access control. To reduce the effectiveness of IP spoofing, configure access control to deny any traffic from the external network that has a source address that should reside on the internal network. Note that this helps prevent spoofing attacks only if the internal addresses are the only trusted addresses. If some external addresses are trusted, this method is not effective.
- RFC 2827 filtering: You can prevent users of your network from spoofing other networks (and be a good Internet citizen at the same time) by preventing any outbound traffic on your network that does not have a source address in your organization's own IP range. This filtering denies any traffic that does not have the source address that was expected on a particular interface. For example, if an ISP is providing a connection to the IP address 15.1.1.0/24, the ISP could filter traffic so that only traffic sourced from address 15.1.1.0/24 can enter the ISP router from that interface. Note that unless all ISPs implement this type of filtering, its effectiveness is significantly reduced.
- Additional authentication that does not use IP-based authentication: The most effective method for mitigating the threat of IP spoofing is the same as the most effective method for mitigating the threat of packet sniffers: namely, eliminating its effectiveness. IP spoofing can function correctly only when devices use IP address-based authentication; therefore, if you use additional authentication methods, IP spoofing attacks are irrelevant. Cryptographic authentication is the best form of additional authentication, but when that is not possible, strong two-factor authentication using OTPs can also be effective.

DoS and DDoS Attacks

DoS attacks focus on making a service unavailable for normal use. They have the following characteristics:
- Different from most other attacks because they are generally not targeted at gaining access to your network or the information on your network
- Require very little effort to execute
- Among the most difficult to completely eliminate

DoS attacks are different from most other attacks because they are not targeted at gaining access to your network or the information on your network. These attacks focus on making a service unavailable for normal use, which is typically accomplished by exhausting some resource limitation on the network or within an operating system or application. These attacks require little effort to execute because they typically take advantage of protocol weaknesses or because the attacks are carried out using traffic that would normally be allowed into a network. DoS attacks are among the most difficult to completely eliminate because of the way they use protocol weaknesses and "native" traffic to attack a network.

DDoS Example

[Figure: 1. The client system scans for systems to hack. 2. Software is installed on handler systems to scan, compromise, and infect agents. 3. Agent systems are loaded with remote control attack software. 4. The client issues commands to handlers that control agents in a mass attack.]

DDoS attacks are the "next generation" of DoS attacks on the Internet. This type of attack is not new (UDP and TCP SYN flooding, Internet Control Message Protocol [ICMP] echo request floods, and ICMP directed broadcasts, also known as smurf attacks, are similar), but the scope certainly is new. Victims of DDoS attacks experience packet flooding from many different sources, possibly with spoofed IP source addresses, that brings their network connectivity to a grinding halt. In the past, the typical DoS attack involved a single attacker's attempt to flood a target host with packets. With DDoS tools, an attacker can conduct the same attack using thousands of systems.

In the figure, the hacker uses a terminal to scan for systems to hack. When the handler systems are accessed, the hacker then installs software on them to scan for, compromise, and infect agent systems. When the agent systems are accessed, the hacker then loads remote control attack software to carry out the DoS attack.
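The IP spoofing mitigation above describes two address-based checks, and the DDoS discussion just given is why they matter (spoofed source addresses are what let a flood hide its origin). The first check is ingress access control: a packet arriving on the outside interface whose source address belongs inside is denied. The second is RFC 2827 filtering: traffic is permitted on an interface only when its source is in the range expected there, whether that is the organization's inside interface or the ISP's customer interface in the 15.1.1.0/24 example. The following added example (not course or Cisco code, and not an IOS configuration) models both checks as one decision function and also shows the caveat the text states: a trusted external address cannot be distinguished from a spoof of it by address alone. The interface names and every prefix other than 15.1.1.0/24 are constructed for the demonstration.

```python
"""Antispoof ingress filtering and RFC 2827 filtering, modelled in Python (added example)."""
import ipaddress


class AntiSpoofFilter:
    def __init__(self):
        self.rules = {}   # interface -> {"expect": [networks] or None, "deny": [networks]}

    def add_interface(self, name: str, expect=None, deny=()) -> None:
        """expect: only these source prefixes may enter here (RFC 2827 style).
        deny: source prefixes that live behind another interface (antispoof)."""
        self.rules[name] = {
            "expect": None if expect is None else [ipaddress.ip_network(p) for p in expect],
            "deny": [ipaddress.ip_network(p) for p in deny],
        }

    def decide(self, interface: str, src: str) -> tuple:
        """Returns ('permit', '') or ('deny', reason) for a packet with source src."""
        rule = self.rules[interface]
        ip = ipaddress.ip_address(src)
        if rule["expect"] is not None and not any(ip in n for n in rule["expect"]):
            return "deny", "RFC 2827: source not in the range expected on this interface"
        if any(ip in n for n in rule["deny"]):
            return "deny", "antispoof: source claims an address that lives behind another interface"
        return "permit", ""


def enterprise_filter(internal=("10.1.0.0/16",)) -> AntiSpoofFilter:
    """Border router of an organization whose inside range is 'internal' (constructed)."""
    f = AntiSpoofFilter()
    f.add_interface("outside", deny=internal)       # ingress antispoof check
    f.add_interface("inside", expect=internal)      # egress RFC 2827 filtering
    return f


def isp_filter() -> AntiSpoofFilter:
    """ISP router: the customer on 15.1.1.0/24 (the text's example) may only source that range."""
    f = AntiSpoofFilter()
    f.add_interface("customer-15", expect=("15.1.1.0/24",))
    return f


def caveat_demo() -> str:
    """A spoof of a trusted external partner address (203.0.113.0/24, constructed)
    arrives on the outside interface. Address-based filtering alone cannot tell it
    from the real partner, which is why the text calls for additional authentication."""
    return enterprise_filter().decide("outside", "203.0.113.5")[0]   # 'permit'


if __name__ == "__main__":
    f = enterprise_filter()
    for iface, src in (("outside", "10.1.1.5"), ("outside", "198.51.100.7"),
                       ("inside", "10.1.1.5"), ("inside", "198.51.100.7")):
        print(iface, src, f.decide(iface, src))
    print("isp customer-15 15.1.2.9", isp_filter().decide("customer-15", "15.1.2.9"))
    print("trusted-partner spoof on outside:", caveat_demo())
```

Applying the "expect" rule on every customer-facing interface is the whole of RFC 2827 from the ISP's side; the text's note that its effectiveness depends on all ISPs doing so follows directly, since a packet that enters the Internet through an unfiltered interface is never checked again.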
DoS and DDoS Attack Mitigation

When they involve specific network server applications, such as an HTTP server or an FTP server, these attacks can focus on acquiring and keeping open all the available connections supported by that server, effectively locking out valid users of the server or service. DoS attacks can also be implemented using common Internet protocols, such as TCP and ICMP. While most DoS attacks exploit a weakness in the overall architecture of the system being attacked rather than a software bug or security hole, some attacks compromise the performance of your network by flooding the network with undesired, and often useless, network packets and by providing false information about the status of network resources.

The threat of DoS attacks can be reduced through the following three methods:
- Antispoof features: Proper configuration of antispoof features on your routers and firewalls can reduce your risk. This configuration includes RFC 2827 filtering at a minimum. If hackers cannot mask their identities, they might not attack.
- Anti-DoS features: Proper configuration of anti-DoS features on routers and firewalls can help limit the effectiveness of an attack. These features often involve limits on the number of half-open connections that a system allows at any given time.
- Traffic rate limiting: An organization can implement traffic rate limiting with its ISP. This type of filtering limits the amount of nonessential traffic that crosses network segments at a certain rate. A common example is to limit the amount of ICMP traffic allowed into a network, because it is used only for diagnostic purposes. ICMP-based DDoS attacks are common.

Worm, Virus, and Trojan Horse Attacks and Mitigation

This topic describes worm, virus, and Trojan horse attacks and their mitigation.

Worm, Virus, and Trojan Horse Attacks

The primary vulnerabilities for end-user workstations are worm, virus, and Trojan horse attacks. A worm executes arbitrary code and installs copies of itself in the infected computer's memory, which infects other hosts. A virus is malicious software that is attached to another program to execute a particular unwanted function on a user's workstation. A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool.

Worm Attacks

The anatomy of a worm attack is as follows:
1. The enabling vulnerability: A worm installs itself using an exploit vector on a vulnerable system.
2. Propagation mechanism: After gaining access to devices, a worm replicates and selects new targets.
3. Payload: Once the device is infected with a worm, the attacker has access to the host, often as a privileged user. Attackers could use a local exploit to escalate their privilege level to administrator.

Typically, worms are self-contained programs that attack a system and try to exploit a vulnerability in the target. Upon successful exploitation of the vulnerability, the worm copies its program from the attacking host to the newly exploited system to begin the cycle again. A virus normally requires a vector to carry the virus code from one system to another. The vector can be a word-processing document, an e-mail message, or an executable program. The key element that distinguishes a computer worm from a computer virus is that human interaction is required to facilitate the spread of a virus.

Worm Attack Mitigation

Worm attack mitigation requires diligence on the part of system and network administration staff. Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident. The following are the recommended steps for worm attack mitigation:
- Containment: Contain the spread of the worm inside your network and within your network. Compartmentalize parts of your network that have not been infected.
- Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems.
- Quarantine: Track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network.
- Treatment: Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.

Typical incident response methodologies can be subdivided into six major categories. The following categories are based on the network service provider security (NSP-SEC) incident response methodology:
- Preparation: Acquire the resources to respond.
- Identification: Identify the worm.
- Classification: Classify the type of worm.
- Traceback: Trace the worm back to its origin.
- Reaction: Isolate and repair the affected systems.
- Post mortem: Document and analyze the process used for the future.

Virus and Trojan Horse Attacks

The primary vulnerabilities for end-user workstations are viruses and Trojan horse attacks. Viruses are malicious software that is attached to another program to execute a particular unwanted function on a user's workstation. An example of a virus is a program that is attached to command.com (the primary interpreter for Windows systems) that deletes certain files and infects any other versions of command.com that it can find. A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. An example of a Trojan horse is a software application that runs a simple game on the user's workstation. While the user is occupied with the game, the Trojan horse mails a copy of itself to every user in the user's address book. The other users receive the game and then play it, thus spreading the Trojan horse.
Virus and Trojan Horse Attack Mitigation

These kinds of applications can be contained through the effective use of antivirus software at the user level and potentially at the network level. Antivirus software can detect most viruses and many Trojan horse applications and prevent them from spreading in the network. Keeping up-to-date with the latest developments in these sorts of attacks can also lead to a more effective posture against these attacks. As new virus or Trojan applications are released, enterprises need to keep up-to-date with the latest antivirus software and application versions.

Application-Layer Attacks

Application-layer attacks have the following characteristics:

- They exploit well-known weaknesses, such as those in protocols, that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP).
- They often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall).
- They can never be completely eliminated, because new vulnerabilities are always being discovered.

(Figure: the seven OSI layers, 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data link, 1 Physical, with the application layer highlighted.)

Application-layer attacks can be implemented using several different methods:

- One of the most common methods is exploiting well-known weaknesses in software commonly found on servers, such as sendmail, PostScript, and FTP. By exploiting these weaknesses, attackers can gain access to a computer with the permissions of the account running the application, which is usually a privileged, system-level account.
- Trojan horse program attacks are implemented using programs that an attacker substitutes for common programs. These programs may provide all the functionality that the normal program provides, but also include other features that are known to the attacker, such as monitoring login attempts to capture user account and password information. These programs can capture sensitive information and distribute it back to the attacker. They can also modify application functionality, such as applying a blind carbon copy to all e-mail messages so that the attacker can read all of your organization's e-mail.
- One of the oldest forms of application-layer attacks is a Trojan horse program that displays a screen, banner, or prompt that the user believes is the valid login sequence. The program then captures the information that the user enters and stores or e-mails it to the attacker. Next, the program either forwards the information to the normal login process (normally impossible on modern systems) or simply sends an expected error to the user (for example, Bad Username/Password Combination), exits, and starts the normal login sequence. The user, believing that he or she has incorrectly entered the password (a common mistake experienced by everyone), re-enters the information and is allowed access.
- One of the newest forms of application-layer attacks exploits the openness of several new technologies: the HTML specification, web browser functionality, and HTTP. These attacks, which include Java applets and ActiveX controls, involve passing harmful programs across the network and loading them through a user's browser.

Application-Layer Attack Mitigation

The following are some measures you can take to reduce your risks for application-layer attacks:

- Read operating system and network log files, or have them analyzed by log analysis applications. It is important to review all logs and take action accordingly.
- Subscribe to mailing lists that publicize vulnerabilities. Most application and operating system vulnerabilities are published on the Web by various sources.
- Keep your operating system and applications current with the latest patches. Always test patches and fixes in a nonproduction environment; this practice prevents downtime and keeps errors from being generated unnecessarily.
- Use IDSs, which can scan for known attacks, monitor and log attacks, and in some cases prevent attacks. The use of IDSs can be essential to identifying security threats and mitigating some of those threats; in most cases this can be done automatically.

Management Protocols and Functions

The protocols used to manage your network can in themselves be a source of vulnerability. This topic examines common management protocols and how they can be exploited.

Configuration Management

Configuration management protocols include SSH, SSL, and Telnet. If the managed device does not support any of the recommended protocols, such as SSH and SSL, Telnet may have to be used (although this protocol is not highly recommended). The network administrator should recognize that the data within a Telnet session is sent as clear text and may be intercepted by anyone with a packet sniffer located along the data path between the managed device and the management server. The clear text may include important information, such as the configuration of the device itself, passwords, and other sensitive data.

Configuration Management Recommendations

When possible, the following practices are advised:

- Use IPSec, SSH, SSL, or any other encrypted and authenticated transport.
- Regardless of whether SSH, SSL, or Telnet is used for remote access to the managed device, access control lists (ACLs) should be configured to allow only management servers to connect to the device. All attempts from other IP addresses should be denied and logged.
- RFC 2827 filtering at the perimeter (ingress) router should also be implemented to reduce the chance of an attacker from outside the network spoofing the addresses of the management hosts.

Management Protocols

The following are management protocols that can be compromised:

- SNMP: the community string information for simple authentication is sent in clear text.
- Syslog: data is sent as clear text between the managed device and the management host.
- TFTP: data is sent as clear text between the requesting host and the TFTP server.
- NTP: many NTP servers on the Internet do not require any authentication of peers.

Simple Network Management Protocol (SNMP) is a network management protocol that can be used to retrieve information from a network device (commonly referred to as read-only access) or to remotely configure parameters on the device (commonly referred to as read-write access). SNMP uses passwords, called community strings, within each message as a very simple form of security. Unfortunately, most implementations of SNMP on networking devices today send the community string in clear text along with the message. Therefore, SNMP messages may be intercepted by anyone with a packet sniffer located along the data path between the device and the management server, and the community string may be compromised.

Syslog, which is information generated by a device that has been configured for logging, is sent as clear text between the managed device and the management host. Syslog has no packet-level integrity checking to ensure that the packet contents have not been altered in transit. An attacker may alter Syslog data in order to confuse a network administrator during an attack.

Trivial File Transfer Protocol (TFTP) is used for transferring configuration or system files across the network. TFTP uses UDP for the data stream between the requesting host and the TFTP server. As with other management protocols that send data in clear text, the network administrator should recognize that the data within a TFTP session might be intercepted by anyone with a packet sniffer located along the data path between the device and the management server. Where possible, TFTP traffic should be encrypted within an IPSec tunnel in order to reduce the chance of its being intercepted.

Network Time Protocol (NTP) is used to synchronize the clocks of various devices across a network. Synchronization of the clocks within a network is critical for digital certificates and for correct interpretation of events within Syslog data. A secure method of providing clocking for the network is for network administrators to implement their own master clocks for private networks, synchronized to Coordinated Universal Time (UTC) via satellite or radio. However, clock sources are available for synchronization via the Internet, for network administrators who do not wish to implement their own master clocks because of cost or other reasons. An attacker could attempt a DoS attack on a network by sending bogus NTP data across the Internet in an attempt to change the clocks on network devices in such a manner that digital certificates are considered invalid. Further, an attacker could attempt to confuse a network administrator during an attack by disrupting the clocks on network devices. This scenario would make it difficult for the network administrator to determine the order of Syslog events on multiple devices.

Management Protocol Recommendations

The following are SNMP recommendations:

- Configure SNMP with only read-only community strings.
- Set up access control on the device you wish to manage via SNMP to allow access by only the appropriate management hosts.
- Use SNMP Version 3 or above.

When possible, the following logging practices are advised:

- Encrypt Syslog traffic within an IPSec tunnel.
- When allowing Syslog access from devices on the outside of a firewall, implement RFC 2827 filtering at the perimeter router.
- ACLs should also be implemented on the firewall in order to allow Syslog data from only the managed devices themselves to reach the management hosts.

TFTP recommendation: when possible, TFTP traffic should be encrypted within an IPSec tunnel in order to reduce the chance of its being intercepted.

The following are NTP recommendations:

- Implement your own master clock for private network synchronization.
- Use NTP Version 3 or above, because these versions support a cryptographic authentication mechanism between peers.
- Use ACLs that specify which network devices are allowed to synchronize with other network devices.

Summary

This topic summarizes what you learned in this lesson.

- The need for network security has increased as networks have become more complex and interconnected.
- The following are the components of a complete security policy: statement of authority and scope, acceptable use policy, identification and authentication policy, Internet use policy, campus access policy, remote access policy, and incident handling procedure.
- The Security Wheel details the view that security is an ongoing process. The Security Wheel comprises four phases: secure, monitor, test, and improve.
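Before the summary continues, the configuration management recommendations and the SNMP, Syslog, and NTP recommendations from this lesson, brought together in one Cisco IOS configuration fragment. This is an added example, not the course's or Cisco's own configuration: the hostname, domain, interface names, credentials and every address (management hosts 192.0.2.10 and 192.0.2.11, syslog collector 192.0.2.20, master clock 192.0.2.5, router loopback 10.1.1.1, internal block 10.0.0.0/8) are constructed placeholders, and the SSH and SNMPv3 lines assume a crypto-capable image that supports SSH and SNMPv3 with AES.

```cisco
! Added example, not the course's or Cisco's own configuration. Names,
! addresses, interface names and credentials are constructed placeholders.
hostname perimeter-rtr
ip domain-name example.com              ! required before RSA key generation for SSH
crypto key generate rsa modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 3
username admin privilege 15 secret <strong-password>
interface Loopback0
 ip address 10.1.1.1 255.255.255.255    ! stable source address for syslog and SNMP

! ACL 10: the only hosts allowed to manage this device. The final entry logs
! every attempt from any other address (configuration management recommendation).
access-list 10 remark management servers
access-list 10 permit 192.0.2.10
access-list 10 permit 192.0.2.11
access-list 10 deny   any log

! Remote access: SSH only (Telnet is clear text), limited to the hosts in ACL 10.
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0

! RFC 2827 ingress filtering on the outside interface: packets arriving from
! the Internet must not claim an internal or management source address, so an
! outside attacker cannot spoof a management host to get past ACL 10.
ip access-list extended EDGE-INGRESS
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 permit ip any any
interface Serial0/0
 description Link to ISP (placeholder interface)
 ip access-group EDGE-INGRESS in

! SNMP: a read-only community bound to ACL 10 and no read-write string at all,
! plus an SNMPv3 user with authentication and privacy so that neither the
! credentials nor the data travel in clear text.
snmp-server community <ro-community> RO 10
snmp-server group MGMT-V3 v3 priv access 10
snmp-server user mgmt-poller MGMT-V3 v3 auth sha <auth-pass> priv aes 128 <priv-pass>

! Syslog: timestamped messages (timestamps depend on the NTP section below)
! sent to the management host. Syslog itself remains clear text; the lesson's
! advice to carry it inside an IPSec tunnel is assumed to be configured
! separately and is not shown here.
service timestamps log datetime msec localtime show-timezone
logging source-interface Loopback0
logging trap informational
logging host 192.0.2.20

! NTP version 3 authentication: accept time only from the internal master
! clock that presents the shared key, and serve time only to the internal block.
ntp authenticate
ntp authentication-key 1 md5 <ntp-key>
ntp trusted-key 1
ntp server 192.0.2.5 key 1
access-list 20 permit 192.0.2.5
access-list 21 permit 10.0.0.0 0.255.255.255
ntp access-group peer 20
ntp access-group serve-only 21

! On the firewall in front of the management network (a separate device):
! allow syslog to the collector only from the managed devices' own source
! addresses, and log anything else aimed at the collector.
ip access-list extended TO-MGMT-NET
 permit udp host 10.1.1.1 host 192.0.2.20 eq syslog
 deny   udp any host 192.0.2.20 eq syslog log
 permit ip any any
```

The "!" comments are IOS comment syntax and are discarded when the configuration is entered. After applying the fragment, show ip ssh confirms that SSH is enabled, show snmp user lists the SNMPv3 user, show ntp status and show ntp associations confirm that the router has synchronized to the authenticated master clock, and the logging buffer will show the deny log hits from ACL 10 and EDGE-INGRESS for any connection attempt that did not come from a management host.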
- The following are the four types of security threats: structured, unstructured, internal, and external.
- The following are the four primary attack categories: reconnaissance attacks, access attacks, denial of service attacks, and worms, viruses, and Trojan horses.
- Configuration management and management protocols are an important part of securing a network.

3 Basic Cisco Router Security

This lesson presents an introduction to securing Cisco routers using proven methods for securing the physical router device, protecting the router administrative interface, and implementing AAA. In order to practice what you have learned, a hands-on lab exercise has been provided. In this lab exercise you will configure secure access for a router administrative interface.

This lesson includes the following topics:

- Objectives
- Securing Cisco router installations
- Securing Cisco router administrative access
- Introduction to AAA for Cisco routers
- Configuring AAA for Cisco routers
- Summary
- Lab exercise

Objectives

This topic lists the lesson's objectives. Upon completion of this lesson, you will be able to perform the following tasks:

- Describe how to secure Cisco router physical installations.
- Secure administrative access for Cisco routers.
- Describe the components of a basic AAA implementation.
- Configure a perimeter router for AAA using a local database.
- Test the perimeter router AAA implementation using applicable debug commands.

Securing Cisco Router Installations

Insecure installation of network routers and switches is an often-overlooked security threat, which, if left unheeded, can have dire results. Software-based security measures alone cannot prevent premeditated or even accidental network damage due to poor installations. This topic discusses ways to identify and remedy insecure installations.

Installation Risk Assessment

(Figure: installation risk assessment, showing SOHO, PSTN, Internet, mobile worker, and headquarters sites; the SOHO and mobile-worker sites are marked generally low risk, the headquarters site generally high risk (mission critical).)

Before discussing how to secure Cisco routing and switching installations, it is important to make a distinction between low-risk and high-risk devices:

- Low-risk devices: these devices are typically low-end or small office/home office (SOHO) devices, such as the Cisco 800/900/1700 series routers and Cisco switches that are found in environments where access to the physical devices and cabling does not present a high risk to the corporate network. In these types of installations, it may be physically impossible and even too costly to provide a locked wiring closet for physical device security. In these situations, the IT manager must make a decision on what devices can and cannot be physically secured and at what risk.
- High-risk (mission-critical) devices: these devices are typically found in larger offices or corporate campuses where tens, hundreds, or even thousands of employees reside, or where the same large numbers of employees remotely access corporate data. These are usually Cisco Internet routers, Catalyst switches, firewalls, and management systems used to route and control large amounts of data, voice, and video traffic. These devices represent a much higher security threat if physically accessed by disgruntled employees or impacted by negative environmental conditions.

This topic concentrates on identifying and physically securing those mission-critical devices, while keeping in mind that some physical security resolutions may be easily applied to some low-risk installations as well.

Common Threats to Cisco Router and Switch Physical Installations

Insecure installations, or "physical access threats," can be generally classified as follows:

- Hardware threats: the threat of physical damage to the router or switch hardware.
- Environmental threats: threats such as temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry).
- Electrical threats: threats such as voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss.
- Maintenance threats: threats such as poor handling of key electronic components (electrostatic discharge), lack of critical spares, poor cabling, poor labeling, and so on.

Hardware Threat Mitigation

How do you plan to limit physical damage to the equipment?

(Figure: a secure computer room entered through a card reader, containing the help desk, AC, UPS, equipment bays, servers, LAN, WAN, and the secure Internet access point.)

Mission-critical Cisco routing and switching equipment should be located in wiring closets or computer or telecommunications rooms that meet the following minimum requirements:

- Authorized personnel must lock the room, with limited access only (no unauthorized access).
- The room should not be accessible via a dropped ceiling, raised floor, window, ductwork, or any point of entry other than the secured access point.
- If possible, electronic access control should be used, with all entry attempts logged by security systems and monitored by security personnel.
- If possible, security personnel should monitor security cameras with automatic log recording.

Environmental Threat Mitigation

How do you plan to limit environmental damage to the equipment? The following items should be used to limit environmental damage to Cisco router and switching devices:

- The room must be supplied with dependable systems for temperature control, humidity control, and positive air flow. Always verify the recommended environmental parameters of the Cisco routing and switching equipment with the supplied product documentation.
- If possible, the room environmental parameters should be remotely monitored, recorded, and alarmed.
- The room must be free from electrostatic and magnetic interference.

Electrical Threat Mitigation

How do you plan to limit electrical supply problems? Electrical supply problems can be limited by adhering to the following:

- Install uninterruptible power supply (UPS) systems for mission-critical Cisco routing and switching devices.
- Install backup generator systems for mission-critical supplies.
- Plan for and initiate regular UPS or generator testing and maintenance procedures based on the manufacturer's suggested preventive maintenance schedule.
- Use filtered power.
- Install redundant power supplies on critical devices.
- Monitor an