In depth understanding network security

In-depth Understanding Network Security

(Hardening CISCO Router/Switch)

CIS Level 1 & 2 Benchmarks and Audit Tool

for Cisco IOS Routers and PIX firewalls

IOS/PIX Benchmarks and RAT for Windows

Features of the 2.2 version of the Router Audit Tool (RAT): – Ability to score Cisco Router IOS.– Ability to score Cisco PIX firewalls.– Includes benchmark documents (PDF) for both

Cisco IOS and Cisco ASA, FWSM, and PIX security settings.

RAT for Windows

RAT for Windows

To run any RAT programs, you'll need to know the drive and pathname where RAT was installed.

You can put this directory onto your PATH:

C:\> set PATH=D:\CIS\RAT\bin;%PATH%

RAT for Windows

To run the rat program and see a list of its options, you could type the following:

C:\> rat --help

RAT for Windows

Before you use RAT, you should use the ncat_config program to create a rule file specific to your routers.

Here is how to run ncat_config:

D:\> ncat_config... lots of questions appear here ...

After all QUESTIONS we will get a template named

“D:\CIS\RAT/etc/configs/cisco-ios/local.conf"

RAT for Windows

1. Copy Template to Test Directory

2. Copy configuration files from your router

3. Run rat to audit your configuration file:

D:\>cd \Test

D:\Test> rat -r local.conf cisco-router-confg

RAT for Windows

RAT for Windows

RAT for Windows

RAT for Windows

RAT for Windows

Hardening Cisco Router

Based on NSA Router Security Configuration Guide

Router Security Configuration Guide of NSA’s SNAC

(Based on version 1.1c)

Physical Security

Network equipment, especially routers and switches, should be located in a limited access area.

This area should be under some sort of supervision 24 hours a day and 7 days a week.

A room where routers are located should be free of electrostatic and magnetic interference. The area should also be controlled for temperature and humidity.

If at all possible, all routers should be placed on an Uninterruptible Power Supply (UPS), because a short power outage can leave some network equipment in undetermined states.

Cisco IOS routers have the ability to define internal virtual interfaces, called loopback interfaces. It is considered best practice, in configuring Cisco routers, to define one loopback interface, and designate it as the source interface for most traffic generated by the router itself.

Cisco IOS routers have the ability to define internal virtual interfaces, called loopback interfaces. It is considered best practice, in configuring Cisco routers, to define one loopback interface, and designate it as the source interface for most traffic generated by the router itself.

Router Network Traffic and the Loopback Interface

Banner Rules

Banner Rules

Router1#configure terminal

Router1(config)#banner motd ^C

*************************************************************!! ONLY AUTHORIZED USERS ARE ALLOWED TO LOGON UNDER PENALTY OF LAW !!This is a private computer network and may be used only bydirect permission of its owner(s). The owner(s) reserves the right to monitor use of this network to ensure network security and to respond to specific allegations of misuse. Use of this network shall constitute consent to monitoring for these and any other purposes. In addition, the owner(s) reserves the right to consent to a valid law enforcement request to search the network for evidence of a crime stored within this network.*************************************************************^C

Stopping SYN Flooding Attacks

(config)#normal TCP 3-Way Handshake

TCP SYN flooding attack

Attack Demonstration:

E(config)#nough illegitimate TCBs are in SYN-RECEIVED that a legitimate connection can(config)#not be initiated.

Attack Demonstration:

E(config)#nough illegitimate TCBs are in SYN-RECEIVED that a legitimate connection can(config)#not be initiated.

Countermeasures: TCP SYN flooding attack

You can configure a router to protect your servers against TCP SYN attacks by enabling the ip tcp intercept command:


Router1(config)#access-list 109 permit ip any host 192.168.99.2

Router1(config)#ip tcp intercept list 109

Router1(config)#ip tcp intercept max-incomplete high 10

Router1(config)#ip tcp intercept one-minute high 15

Router1(config)#ip tcp intercept max-incomplete low 5

Router1(config)#ip tcp intercept one-minute low 10

Router1(config)#end

Router1#

You can configure a router to protect your servers against TCP SYN attacks by enabling the ip tcp intercept command:


Router1(config)#access-list 109 permit ip any host 192.168.99.2

Router1(config)#ip tcp intercept list 109





Router1(config)#end

Router1#

TCP Intercept feature

When you enable the TCP Intercept feature, the router doesn't forward the initial SYN packet to the server.

Instead, it responds directly to the client with a SYN-ACK packet, as if it were the server.

If the client is legitimate and begins the TCP session, then the router quickly opens a session to the server, knits the two ends of the connection together, and steps into its more usual role of simply forwarding packets.

When you enable the TCP Intercept feature, the router doesn't forward the initial SYN packet to the server.

Instead, it responds directly to the client with a SYN-ACK packet, as if it were the server.

If the client is legitimate and begins the TCP session, then the router quickly opens a session to the server, knits the two ends of the connection together, and steps into its more usual role of simply forwarding packets.


Router1(config)#access-list 109 permit ip any host 192.168.99.2 Router1(config)#ip tcp intercept list 109


By default, the router allows 1,100 half-open sessions before going into aggressive mode.

Configure this value using the ip tcp intercept max-incomplete high command.


When we deliberately initiate a series of half-open sessions, we see this log message:

(config)#nov 15 13:56:38.944: %TCP-6-INTERCEPT: getting aggressive, count (10/10) 1 min 0

A short time later, the attack ended, and the router went back into its (config)#normal mode:

(config)#nov 15 13:58:14.367: %TCP-6-INTERCEPT: calming down, count (0/5) 1 min 11

By default, the router allows 1,100 half-open sessions before going into aggressive mode.

Configure this value using the ip tcp intercept max-incomplete high command.


When we deliberately initiate a series of half-open sessions, we see this log message:

(config)#nov 15 13:56:38.944: %TCP-6-INTERCEPT: getting aggressive, count (10/10) 1 min 0

A short time later, the attack ended, and the router went back into its (config)#normal mode:

(config)#nov 15 13:58:14.367: %TCP-6-INTERCEPT: calming down, count (0/5) 1 min 11


you can also set thresholds on the number of TCP sessions initiated per minute:


The conditions for returning to (config)#normal mode are defined by these two commands:



The first command sets the low-water mark for the total number of half-open sessions, while the second command sets the low-water mark for the number of session-initiation attempts per minute.

you can also set thresholds on the number of TCP sessions initiated per minute:


The conditions for returning to (config)#normal mode are defined by these two commands:



The first command sets the low-water mark for the total number of half-open sessions, while the second command sets the low-water mark for the number of session-initiation attempts per minute.


By default, the router will allow a TCP session to be inactive for 24 hours (86,400 seconds).

However, you can change this using the ip tcp intercept connection-timeout command, which accepts an argument in seconds. Here we set a maximum value of one hour:

Router1(config)#ip tcp intercept connection-timeout 3600

By default the aggressive mode of the TCP Intercept feature will drop the oldest half-open connection each time it receives a new connection attempt.

However, you can instead configure it to drop a randomly selected connection out of the table:

Router1(config)#ip tcp intercept drop-mode random

By default, the router will allow a TCP session to be inactive for 24 hours (86,400 seconds).

However, you can change this using the ip tcp intercept connection-timeout command, which accepts an argument in seconds. Here we set a maximum value of one hour:

Router1(config)#ip tcp intercept connection-timeout 3600

By default the aggressive mode of the TCP Intercept feature will drop the oldest half-open connection each time it receives a new connection attempt.

However, you can instead configure it to drop a randomly selected connection out of the table:

Router1(config)#ip tcp intercept drop-mode random


You can configure how long the router will watch a session, waiting for it to complete the TCP session initiation.

By default, it waits 30 seconds, but you can change this value with the following command, which specifies this timeout value in seconds:

Router1(config)#ip tcp intercept watch-timeout 15

You can configure how long the router will watch a session, waiting for it to complete the TCP session initiation.

By default, it waits 30 seconds, but you can change this value with the following command, which specifies this timeout value in seconds:

Router1(config)#ip tcp intercept watch-timeout 15


And one final option allows you to set whether the router actively intercepts and responds to TCP SYN packets, or instead allows these packets to pass through (config)#normally, but watches the session to ensure that it connects properly.

By default the router will completely protect the server by taking over all responsibility for setting up the session. You can configure it to let the server handle the call, and only step in if there is a problem by configuring watch mode:

Router1(config)#ip tcp intercept mode watch

And one final option allows you to set whether the router actively intercepts and responds to TCP SYN packets, or instead allows these packets to pass through (config)#normally, but watches the session to ensure that it connects properly.

By default the router will completely protect the server by taking over all responsibility for setting up the session. You can configure it to let the server handle the call, and only step in if there is a problem by configuring watch mode:

Router1(config)#ip tcp intercept mode watch

Other IP stack Tune-ups

Nagle congestion control algorithm

The Nagle Algorithm prevents excessive bandwith utilization by applications that send many small packets.

It allows slight delays before sending individual small packets in order to combine them into a single larger packet.


Router1(config)#(config)#service nagle

Limit embryonic TCP connections

To help limit the vulnerability to TCP SYN-Flood attacks, use the global configuration ip tcp synwait-time command to limit the seconds that the router spends waiting for the ACK before giving up on a half-open connection


Router1(config)#ip tcp synwait-time 10

TCP selective acknowledgment

The TCP selective acknowledgment mechanism helps overcome these limitations.

The receiving TCP returns selective acknowledgment packets to the sender, informing the sender about data that has been received. The sender can then retransmit only the missing data segments.


Router1(config)#ip tcp selective-ack

Access

Before deciding how to control router access, ask these questions?• Who needs access?• When do they need access?• From where do they need

access?• During what time schedule

do they need access?

Basic Authentication

Basic authentication stores passwords as clear text Use(config)#service password-encryption

– Encrypts passwords using a Vigenere cipher.– Can be cracked relatively easily– Does not encrypt SNMP community strings– no enable password

Use (config)# enable secret <password>

– Encrypts passwords using a MD5 hash

“Enable” Passwords

Demo: Crack Password

Line Authentication (VTY, CON, AUX)

Use Access List to control VTY accessaccess-list 1 permit host 10.1.1.2line vty 0 4 password 7 12552D23830F94 exec-timeout 5 0 access-class 1 in login transport input telnet ssh

Control CON accessline con 0 password 7 12552D23830F94 exec-timeout 5 0 login

Control AUX accessline aux 0 no exec exec-timeout 0 0 no login transport input none transport output none

AAA

Secure user logins with AAA on all ports, virtual and physical

– Local AAA (username)– RADIUS (Steel Belted Radius)– TACACS+ (Cisco Secure ACS)

Use privilege levels to control granular access to commands

AAA Example for TACACS/RADIUS

Secure user logins with AAA on all ports, virtual and physical

aaa new-modelaaa authentication login default group tacacs+|radius localaaa authorization exec default group tacacs+|radius localusername backup privilege 7 password 0 backuptacacs-server host 171.68.118.101tacacs-server key ciscoradius-server host 171.68.118.101radius-server key ciscoprivilege configure level 7 snmp-server hostprivilege configure level 7 snmp-server enableprivilege configure level 7 snmp-serverprivilege exec level 7 pingprivilege exec level 7 configure terminalprivilege exec level 7 configure

Demo: Crack RADIUS KEY

You can do with the Cisco IOS service command

The TCP keepalive capability

allows a router to detect when the host with which it is communicating experiences a system failure, even if data stops being transmitted (in either direction). This is most useful on incoming connections.

For example, if a host failure occurs while talking to a printer, the router might never notice, because the printer does not generate any traffic in the opposite direction. If keepalives are enabled, they are sent once every minute on otherwise idle connections. If five minutes pass and no keepalives are detected, the connection is closed.

(config)#service tcp-keepalives-in

(config)#service tcp-keepalives-out

You can do with the Cisco IOS service command

service timestamps

You can use the service timestamps command to create timestamps on the router’s log files.

Since version 11.3, the Cisco IOS has enabled certain timestamps by default, so most of us have this on.

However, there are additional timestamps options that you can enable as well as places where timestamps are probably off by default.

(config)#service timestamps message-type [uptime]

(config)#service timestamps message-type datetime [msec] [localtime] [show-timezone]

Verify that the EXEC process is disabled on the auxiliary (aux) port

Unused ports should be disabled, if not required, since they provide a potential access path for attackers.

The auxiliary port is primarily used for dial-up administration, which is rarely used, via an external modem.

Verify that the EXEC process is disabled on the auxiliary (aux) port

Unused ports should be disabled, if not required, since they provide a potential access path for attackers.

The auxiliary port is primarily used for dial-up administration, which is rarely used, via an external modem.

Disable Login Through AUX Port

VTYs and Remote Administration

Forbid CDP (Cisco Discovery Protocol) Run Globally

The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each other on a LAN segment.

It is useful only in specialized situations, and is considered a security risk.

There have been published denial-of-service (DoS) attacks that use CDP. CDP should be completely disabled unless there is a need for it.

The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each other on a LAN segment.

It is useful only in specialized situations, and is considered a security risk.

There have been published denial-of-service (DoS) attacks that use CDP. CDP should be completely disabled unless there is a need for it.

Forbid tcp-small-servers, udp-small-servers

TCP small services: echo, chargen and daytime (including UDP versions) are rarely used.

Services that are not needed should be turned off because they present potential avenues of attack and may provide information that could be useful for gaining unauthorized access.

TCP small services: echo, chargen and daytime (including UDP versions) are rarely used.

Services that are not needed should be turned off because they present potential avenues of attack and may provide information that could be useful for gaining unauthorized access.

Forbid Finger Service

Finger is used to find out which users are logged into a device.

This service is rarely used in practical environments and can potentially provide an attacker with useful information.

Additionally, the finger service can exposed the device Finger of Death denial-of-service (DoS) attack.

The HTTP server allows remote management of routers.

Unfortunately, it uses simple HTTP authentication which sends passwords in the clear.

This could allow unauthorized access to, and [mis]management of the router.

The HTTP server allows remote management of routers.

Unfortunately, it uses simple HTTP authentication which sends passwords in the clear.

This could allow unauthorized access to, and [mis]management of the router.

Forbid IP HTTP Server

HTTP Server with Access Control(Not Recommended)

the async line BOOTP service should be disabled on your system if you do not have a need for it in your network the async line BOOTP service should be disabled on your system if you do not have a need for it in your network

Disable Bootp Server

Forbid Remote Startup Configuration

Service config allows the device to autoload its startup configuration from a remote device (e.g. a tftp server).

The protocols used to transfer configurations files. Since these methods are insecure, an attacker could potentially compromise or spoof the remote configuration service enabling malicious reconfiguration of the device.

Service config allows the device to autoload its startup configuration from a remote device (e.g. a tftp server).

The protocols used to transfer configurations files. Since these methods are insecure, an attacker could potentially compromise or spoof the remote configuration service enabling malicious reconfiguration of the device.

PAD Service(The packet assembler/disassembler service supports X.25 links)

To not accept incoming/outgoing X.25 Packet Assembler/Disassembler (PAD) connections this global configuration command should be used.

It is important to make sure this is disabled by default.

To not accept incoming/outgoing X.25 Packet Assembler/Disassembler (PAD) connections this global configuration command should be used.

It is important to make sure this is disabled by default.

Forbid IP source-route

Source routing is a feature of IP whereby individual packets can specify routes. This feature is used in several kinds of attacks.

Cisco routers normally accept and process source routes. Unless a network depends on source routing, it should be disabled.

Source routing is a feature of IP whereby individual packets can specify routes. This feature is used in several kinds of attacks.

Cisco routers normally accept and process source routes. Unless a network depends on source routing, it should be disabled.

Forbid IP Proxy ARP

Proxy ARP breaks the LAN security perimeter, effectively extending a LAN at layer 2 across multiple segments.

Disable proxy ARP on all interfaces.

Proxy ARP breaks the LAN security perimeter, effectively extending a LAN at layer 2 across multiple segments.

Disable proxy ARP on all interfaces.

Forbid IP Unreachable, Redirects, Mask Replies

• Disable translation of directed to physical broadcasts on the same interface. This configuration prevents against “smurf” attacks.

• Don’t allow redirect messages to pass through the router. ICMP redirects should be disabled

• Make it more difficult for someone to scan for valid IP addresses by turning off ip unreachables on all interfaces.

• To prevent the Cisco IOS software from responding to Internet Control Message Protocol (ICMP) mask requests by sending ICMP mask reply messages

• Disable translation of directed to physical broadcasts on the same interface. This configuration prevents against “smurf” attacks.

• Don’t allow redirect messages to pass through the router. ICMP redirects should be disabled

• Make it more difficult for someone to scan for valid IP addresses by turning off ip unreachables on all interfaces.

• To prevent the Cisco IOS software from responding to Internet Control Message Protocol (ICMP) mask requests by sending ICMP mask reply messages

Forbid MOP

The Maintenance Operations Protocol (MOP) was used for system utility services in the DECnet protocol suite.

The Maintenance Operations Protocol (MOP) was used for system utility services in the DECnet protocol suite.

Forbid NTP Service

Forbid SNMP Services

Disable Router Name and DNS Name Resolution

Configure DNS Server

Set a default DNS domain name (needed for SSH)

Disable Unused Interfaces

Filtering Traffic to the Router Itself

Remote Login (Telnet) Service

SNMP Service(Recommend only SNMPv3 AuthNoPriv & AuthPriv)

Routing Service

Filtering Traffic through the Router

IP Address Spoof Protection (Inbound Traffic)

IP Address Spoof Protection (Outbound Traffic)

Exploits Protection

TCP SYN Attack

Limiting External Access with TCP Intercept (If your IOS support it.)

Land Attack

Land Attack

Smurf Attack

ICMP Message Types and Traceroute

Distributed Denial of Service (DDoS) Attacks

Routing Protocol Security

OSPF MD5 Authentication

RIP MD5 Authentication

EIGRP MD5 Authentication

EIGRP MD5 Authentication

Disabling unneeded routing-related services

Passive Interfaces (OSPF)

Using filters to block routing updates

First Define Access Control List

Filter Distributed List (OSPF)

Filter Distributed List (RIP)

Not enable OSPF on certain interfaces,

Passive Interfaces (RIP)

Audit and Management

Overview and Motivations for Logging

Recording router configuration changes and reboots

Recording receipt of traffic that violates access lists

Recording changes in interface and network status

Recording router cryptographic security violations

Logging Types

Console logging Terminal Line logging Buffered logging Syslog logging SNMP trap logging

Cisco Log Message Severity Levels

Format of a Cisco IOS Log Message

Turning on logging services

Setting up Console and Buffered Logging

Buffered logging

Setting up Terminal Line Logging

Setting up Syslog Logging

A Small Syslog Configurationserver host

Centralized Syslog Configuration

Syslog and access list

SNMP Trap Logging

Time Services, Network Time Synchronization and NTP

Setting the Time Manually

The NTP Hierarchy

Configuring Basic NTP Service

NTP and access-list

Configuring NTP Authentication

SNMP Security

SNMPv3 Security

Configuring SNMP - Getting Started

SNMPv3 with limited view

Cisco IOS Software Updates

Show version

Update Procedure

TFTP See Cisco web sites concerning particular

model of router or switch

Router Status and Configuration Commands

show logging

show ip protocol summary

show arp

show users

show host

show ip interface brief.

show ip socket

Viewing the current configuration

show startup-config show running-config

Viewing currently running processes

show process

Router Throughput and Traffic Commands

Clear counter

Viewing IP Protocol Statistics

show ip traffic.

Viewing SNMP Protocol Statistics

configure debugging and turn on debugging messages for ICMP.

Security for Router Network Access Services

AAA

Authentication Authorization Accounting

Types of accounting

There are several types of accounting which can be enabled and configured separately: exec, network, connection, command, system.

All types are supported by TACACS+, but RADIUS does not support command or system.

network accounting– Provides information for PPP, SLIP, and ARAP

protocols. The information includes the number of packets and bytes.

EXEC accounting– Provides information about user EXEC sessions

on the router. The information includes the username, date, start and stop times, IP address of access server, and telephone number the call originated from for dial-in users.

Connection accounting– Provides information about all outbound

connections made from the network access server. This includes telnet, rlogin, etc.

Command accounting– This applies to commands which are entered in an EXEC

shell. This option will apply accounting to all commands issued at the specified privilege level. If accounting is turned on for level 15 and user logged in at enable level 15 runs a level 1 exec command no accounting event will be generated. Account records are generated based upon the level of the command not the level of the user. Accounting records will include the command, date, time, and the user. Cisco IOS does not support command acccounting with RADIUS.

System– Provides information about system-level events. This

would include information like system reboots, accounting being turned on or off, etc. Note that system accounting will only use the default list. Cisco’s implementation of RADIUS does not support system accounting.

AAA accounting requirement

AAA accounting requires that – AAA is enabled, – security servers are defined, and – that a security server is specified for each

accounting type which is desired.

Method Lists and Server Groups

Authentication

The authentication commands used for defining messages

The default method list designates RADIUS

RADIUS security server

Authorization

Authorization

There are two primary scenarios where authorization is useful.

First, if the router is used for dial in access, authorization is useful for controlling who can access network services, etc. and who can access and configure the router.

Second, authorization can control different administrators who have access to different privilege levels on the router.

Accounting

Configuration of TACACS+ accounting:

Configuration of RADIUS accounting

Security Server Protocols

RADIUS

TACACS+

Hardening Cisco Switch(Based on NSA Cisco IOS

Switch Security Configuration Guide)

Port Security

Restricting a port statically on a Catalyst 3550 switch.

A strict security “unused” macro

A strict A strict security security

“host” macro“host” macro

Configure access ports of the switch

Virtual Local Area Networks(VLAN)

Create the out-of-band management VLAN.

Create a management IP address

Assign the management VLAN to the dedicated interface.

Ensure all trunk ports will not carry the management VLAN

Assigned the following name for VLAN 1.

Assign all inactive interfaces to an unused VLAN (not VLAN1)

Virtual Trunking Protocol (VTP)

If VTP could be disabled

If VTP is necessary

Trunk Auto-Negotiation

Dynamic Trunking Protocol (DTP)

A port may use the Dynamic Trunking Protocol (DTP) to automatically negotiate which trunking protocol it will use, and how the trunking protocol will operate.

DTP-related security issues

DTP-related security issues

VLAN Hopping

VLAN Hopping

In certain situations it is possible to craft a packet in such a way that a port in trunking mode will interpret a native VLAN packet as though it were from another VLAN, allowing the packet to become a member of a different VLAN.

This technique is known as VLAN hopping.

Spanning Tree Protocol

STP Portfast Bridge Protocol Data Unit (BPDU) Guard

STP Root Guard

205

(config)#no ip bootp server(config)#no tcp-small-servers(config)#no udp-small-servers

(config)#service time log datetime localtime show-timezone msec(config)#service time debug datetime localtime show-timezone mseclogging x.x.x.xlogging trap debugginglogging source loopback0logging buffered 64000 debugging

ntp authentication-key 10 md5 <key>ntp authenticatentp trusted-key 10ntp server x.x.x.x [key 10]ntp access-group peer 20access-list 20 permit host x.x.x.xaccess-list 20 deny any

(config)#no (config)#service finger(config)#no (config)#service pad(config)#no ip http server(config)#no ip source-route

(config)#no cdp run(config)#no boot network(config)#no (config)#service config(config)#no ip subnet-zero

(config)#no ip identd(config)#no ip finger(config)#service nagle

Configuration basics (1)

Turn off all the unneeded (config)#services

Use syslog

Use (authenticated) NTP

Technology

In depth understanding network security