In depth understanding network security

Post on 20-Jan-2015


In-depth Understanding Network Security

(Hardening CISCO Router/Switch)

CIS Level 1 & 2 Benchmarks and Audit Tool

for Cisco IOS Routers and PIX firewalls

IOS/PIX Benchmarks and RAT for Windows

Features of the 2.2 version of the Router Audit Tool (RAT):

– Ability to score Cisco Router IOS.
– Ability to score Cisco PIX firewalls.
– Includes benchmark documents (PDF) for both Cisco IOS and Cisco ASA, FWSM, and PIX security settings.

RAT for Windows


To run any RAT programs, you'll need to know the drive and pathname where RAT was installed.

You can put this directory onto your PATH:

C:\> set PATH=D:\CIS\RAT\bin;%PATH%

RAT for Windows

To run the rat program and see a list of its options, you could type the following:

C:\> rat --help

RAT for Windows

Before you use RAT, you should use the ncat_config program to create a rule file specific to your routers.

Here is how to run ncat_config:

D:\> ncat_config
... lots of questions appear here ...

After all the questions have been answered, a rule file (template) is written to:

"D:\CIS\RAT/etc/configs/cisco-ios/local.conf"

RAT for Windows

1. Copy Template to Test Directory

2. Copy configuration files from your router

3. Run rat to audit your configuration file:

D:\>cd \Test

D:\Test> rat -r local.conf cisco-router-confg


Hardening Cisco Router

Based on NSA Router Security Configuration Guide

Router Security Configuration Guide of NSA’s SNAC

(Based on version 1.1c)

Physical Security

Network equipment, especially routers and switches, should be located in a limited access area.

This area should be under some sort of supervision 24 hours a day and 7 days a week.

A room where routers are located should be free of electrostatic and magnetic interference. The area should also be controlled for temperature and humidity.

If at all possible, all routers should be placed on an Uninterruptible Power Supply (UPS), because a short power outage can leave some network equipment in undetermined states.

Cisco IOS routers have the ability to define internal virtual interfaces, called loopback interfaces. It is considered best practice, in configuring Cisco routers, to define one loopback interface, and designate it as the source interface for most traffic generated by the router itself.


Router Network Traffic and the Loopback Interface

Banner Rules


Router1#configure terminal

Router1(config)#banner motd ^C

*************************************************************
!! ONLY AUTHORIZED USERS ARE ALLOWED TO LOGON UNDER PENALTY OF LAW !!
This is a private computer network and may be used only by direct permission of its owner(s). The owner(s) reserves the right to monitor use of this network to ensure network security and to respond to specific allegations of misuse. Use of this network shall constitute consent to monitoring for these and any other purposes. In addition, the owner(s) reserves the right to consent to a valid law enforcement request to search the network for evidence of a crime stored within this network.
*************************************************************
^C

Stopping SYN Flooding Attacks

Normal TCP 3-Way Handshake

TCP SYN flooding attack

Attack Demonstration:

Enough illegitimate TCBs are in SYN-RECEIVED that a legitimate connection cannot be initiated.

Countermeasures: TCP SYN flooding attack

You can configure a router to protect your servers against TCP SYN attacks by enabling the ip tcp intercept command:

Router1#configure terminal

Router1(config)#access-list 109 permit ip any host 192.168.99.2

Router1(config)#ip tcp intercept list 109

Router1(config)#ip tcp intercept max-incomplete high 10

Router1(config)#ip tcp intercept one-minute high 15

Router1(config)#ip tcp intercept max-incomplete low 5

Router1(config)#ip tcp intercept one-minute low 10

Router1(config)#end

Router1#


TCP Intercept feature

When you enable the TCP Intercept feature, the router doesn't forward the initial SYN packet to the server.

Instead, it responds directly to the client with a SYN-ACK packet, as if it were the server.

If the client is legitimate and begins the TCP session, then the router quickly opens a session to the server, knits the two ends of the connection together, and steps into its more usual role of simply forwarding packets.


TCP Intercept feature

Router1(config)#access-list 109 permit ip any host 192.168.99.2

Router1(config)#ip tcp intercept list 109

TCP Intercept feature

By default, the router allows 1,100 half-open sessions before going into aggressive mode.

Configure this value using the ip tcp intercept max-incomplete high command.

Router1(config)#ip tcp intercept max-incomplete high 10

When we deliberately initiate a series of half-open sessions, we see this log message:

Nov 15 13:56:38.944: %TCP-6-INTERCEPT: getting aggressive, count (10/10) 1 min 0

A short time later, the attack ended, and the router went back into its normal mode:

Nov 15 13:58:14.367: %TCP-6-INTERCEPT: calming down, count (0/5) 1 min 11


TCP Intercept feature

You can also set thresholds on the number of TCP sessions initiated per minute:

Router1(config)#ip tcp intercept one-minute high 15

The conditions for returning to normal mode are defined by these two commands:

Router1(config)#ip tcp intercept max-incomplete low 5

Router1(config)#ip tcp intercept one-minute low 10

The first command sets the low-water mark for the total number of half-open sessions, while the second command sets the low-water mark for the number of session-initiation attempts per minute.


TCP Intercept feature

By default, the router will allow a TCP session to be inactive for 24 hours (86,400 seconds).

However, you can change this using the ip tcp intercept connection-timeout command, which accepts an argument in seconds. Here we set a maximum value of one hour:

Router1(config)#ip tcp intercept connection-timeout 3600

By default the aggressive mode of the TCP Intercept feature will drop the oldest half-open connection each time it receives a new connection attempt.

However, you can instead configure it to drop a randomly selected connection out of the table:

Router1(config)#ip tcp intercept drop-mode random


TCP Intercept feature

You can configure how long the router will watch a session, waiting for it to complete the TCP session initiation.

By default, it waits 30 seconds, but you can change this value with the following command, which specifies this timeout value in seconds:

Router1(config)#ip tcp intercept watch-timeout 15


TCP Intercept feature

And one final option allows you to set whether the router actively intercepts and responds to TCP SYN packets, or instead allows these packets to pass through normally, but watches the session to ensure that it connects properly.

By default the router will completely protect the server by taking over all responsibility for setting up the session. You can configure it to let the server handle the call, and only step in if there is a problem by configuring watch mode:

Router1(config)#ip tcp intercept mode watch
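To make the threshold behaviour of the slides above concrete, here is an added Python model (not from the slides or from Cisco IOS) of the TCP Intercept counters: the half-open session table, the one-minute attempt counter, the high/low hysteresis that enters and leaves aggressive mode, watch-timeout expiry, and the oldest versus random drop mode. The exact comparisons (entering when a counter reaches its high mark, leaving when both are below their low marks) and the sliding one-minute window are assumptions; the log strings copy the page's syslog format.

```python
import random
from collections import OrderedDict, deque


class TcpInterceptModel:
    """Threshold logic of IOS TCP Intercept (assumed semantics, see lead-in).

    Defaults follow the page: 1,100 half-open sessions before aggressive mode
    and a 30 second watch-timeout. Low marks default to the IOS value of 900.
    """

    def __init__(self, max_incomplete_high=1100, max_incomplete_low=900,
                 one_minute_high=1100, one_minute_low=900,
                 watch_timeout=30, drop_mode="oldest", rng=None):
        self.high, self.low = max_incomplete_high, max_incomplete_low
        self.min_high, self.min_low = one_minute_high, one_minute_low
        self.watch_timeout, self.drop_mode = watch_timeout, drop_mode
        self.rng = rng if rng is not None else random.Random(0)
        self.half_open = OrderedDict()   # client key -> SYN time; order = age
        self.attempts = deque()          # SYN times within the last minute
        self.aggressive = False
        self.log = []                    # messages in the page's syslog format

    def _expire(self, now):
        """Age out half-open entries past watch-timeout and old attempt stamps."""
        for key, t in list(self.half_open.items()):
            if now - t > self.watch_timeout:
                del self.half_open[key]  # IOS would also reset the server side
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()

    def _drop_one(self):
        """Aggressive mode: make room by dropping one half-open session."""
        if not self.half_open:
            return
        keys = list(self.half_open)
        victim = self.rng.choice(keys) if self.drop_mode == "random" else keys[0]
        del self.half_open[victim]

    def _update_mode(self, now):
        n, per_min = len(self.half_open), len(self.attempts)
        if not self.aggressive and (n >= self.high or per_min >= self.min_high):
            self.aggressive = True
            self.log.append(f"%TCP-6-INTERCEPT: getting aggressive, "
                            f"count ({n}/{self.high}) 1 min {per_min}")
        elif self.aggressive and n < self.low and per_min < self.min_low:
            self.aggressive = False
            self.log.append(f"%TCP-6-INTERCEPT: calming down, "
                            f"count ({n}/{self.low}) 1 min {per_min}")

    def syn(self, key, now):
        """A client SYN arrives; the router answers SYN-ACK and tracks it."""
        self._expire(now)
        self.attempts.append(now)
        if self.aggressive:
            self._drop_one()
        self.half_open[key] = now
        self._update_mode(now)

    def ack(self, key, now):
        """Client completed the handshake: the router knits it to the server."""
        self._expire(now)
        self.half_open.pop(key, None)
        self._update_mode(now)

    def tick(self, now):
        """Time passes with no packets; the timers still run."""
        self._expire(now)
        self._update_mode(now)


def simulate_flood(drop_mode="oldest"):
    """Replay the page's settings: high 10 / low 5 half-open, 15 / 10 per minute."""
    r = TcpInterceptModel(10, 5, 15, 10, watch_timeout=30, drop_mode=drop_mode)
    for i in range(10):                  # ten spoofed SYNs, one per second
        r.syn(f"spoof{i}", now=i)
    entered = r.aggressive
    r.syn("spoof10", now=10)             # aggressive mode: one entry is dropped
    held = len(r.half_open)
    r.tick(45)                           # watch-timeout clears the stale entries
    r.tick(70)                           # the one-minute window empties too
    return {"entered": entered, "held": held,
            "calm": not r.aggressive, "log": r.log}


if __name__ == "__main__":
    for line in simulate_flood()["log"]:
        print(line)
```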


Other IP stack Tune-ups

Nagle congestion control algorithm

The Nagle Algorithm prevents excessive bandwidth utilization by applications that send many small packets.

It allows slight delays before sending individual small packets in order to combine them into a single larger packet.

Router1#configure terminal

Router1(config)#service nagle

Limit embryonic TCP connections

To help limit the vulnerability to TCP SYN-Flood attacks, use the global configuration ip tcp synwait-time command to limit the seconds that the router spends waiting for the ACK before giving up on a half-open connection.

Router1#configure terminal

Router1(config)#ip tcp synwait-time 10

TCP selective acknowledgment

The TCP selective acknowledgment mechanism helps overcome the limitations of TCP's cumulative acknowledgments, where a single lost segment forces the sender to retransmit everything sent after it.

The receiving TCP returns selective acknowledgment packets to the sender, informing the sender about data that has been received. The sender can then retransmit only the missing data segments.

Router1#configure terminal

Router1(config)#ip tcp selective-ack

Access

Before deciding how to control router access, ask these questions:

• Who needs access?
• When do they need access?
• From where do they need access?
• During what time schedule do they need access?

Basic Authentication

Basic authentication stores passwords as clear text. Use:

(config)#service password-encryption

– Encrypts passwords using a Vigenere cipher.
– Can be cracked relatively easily.
– Does not encrypt SNMP community strings.
– No enable password.

Use:

(config)# enable secret <password>

– Encrypts passwords using an MD5 hash.

“Enable” Passwords

Demo: Crack Password

Line Authentication (VTY, CON, AUX)

Use an access list to control VTY access:

access-list 1 permit host 10.1.1.2
line vty 0 4
 password 7 12552D23830F94
 exec-timeout 5 0
 access-class 1 in
 login
 transport input telnet ssh

Control CON access:

line con 0
 password 7 12552D23830F94
 exec-timeout 5 0
 login

Control AUX access:

line aux 0
 no exec
 exec-timeout 0 0
 no login
 transport input none
 transport output none

AAA

Secure user logins with AAA on all ports, virtual and physical

– Local AAA (username)
– RADIUS (Steel Belted Radius)
– TACACS+ (Cisco Secure ACS)

Use privilege levels to control granular access to commands

AAA Example for TACACS/RADIUS

aaa new-model
aaa authentication login default group tacacs+|radius local
aaa authorization exec default group tacacs+|radius local
username backup privilege 7 password 0 backup
tacacs-server host 171.68.118.101
tacacs-server key cisco
radius-server host 171.68.118.101
radius-server key cisco
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure

Demo: Crack RADIUS KEY

What you can do with the Cisco IOS service command

TCP keepalives

The TCP keepalive capability allows a router to detect when the host with which it is communicating experiences a system failure, even if data stops being transmitted (in either direction). This is most useful on incoming connections.

For example, if a host failure occurs while talking to a printer, the router might never notice, because the printer does not generate any traffic in the opposite direction. If keepalives are enabled, they are sent once every minute on otherwise idle connections. If five minutes pass and no keepalives are detected, the connection is closed.

(config)#service tcp-keepalives-in

(config)#service tcp-keepalives-out


service timestamps

You can use the service timestamps command to create timestamps on the router’s log files.

Since version 11.3, the Cisco IOS has enabled certain timestamps by default, so most of us have this on.

However, there are additional timestamps options that you can enable as well as places where timestamps are probably off by default.

(config)#service timestamps message-type [uptime]

(config)#service timestamps message-type datetime [msec] [localtime] [show-timezone]

Verify that the EXEC process is disabled on the auxiliary (aux) port

Unused ports should be disabled, if not required, since they provide a potential access path for attackers.

The auxiliary port is primarily used for dial-up administration, which is rarely used, via an external modem.


Disable Login Through AUX Port

VTYs and Remote Administration

Forbid CDP (Cisco Discovery Protocol) Run Globally

The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each other on a LAN segment.

It is useful only in specialized situations, and is considered a security risk.

There have been published denial-of-service (DoS) attacks that use CDP. CDP should be completely disabled unless there is a need for it.


Forbid tcp-small-servers, udp-small-servers

TCP small services: echo, chargen and daytime (including UDP versions) are rarely used.

Services that are not needed should be turned off because they present potential avenues of attack and may provide information that could be useful for gaining unauthorized access.


Forbid Finger Service

Finger is used to find out which users are logged into a device.

This service is rarely used in practical environments and can potentially provide an attacker with useful information.

Additionally, the finger service can expose the device to the Finger of Death denial-of-service (DoS) attack.

The HTTP server allows remote management of routers.

Unfortunately, it uses simple HTTP authentication which sends passwords in the clear.

This could allow unauthorized access to, and [mis]management of the router.


Forbid IP HTTP Server

HTTP Server with Access Control (Not Recommended)

The async line BOOTP service should be disabled on your system if you do not have a need for it in your network.

Disable Bootp Server

Forbid Remote Startup Configuration

Service config allows the device to autoload its startup configuration from a remote device (e.g. a tftp server).

The protocols used to transfer configuration files are insecure, so an attacker could potentially compromise or spoof the remote configuration service, enabling malicious reconfiguration of the device.

PAD Service (The packet assembler/disassembler service supports X.25 links)

Use the global configuration command no service pad so the router does not accept incoming or outgoing X.25 Packet Assembler/Disassembler (PAD) connections.

It is important to make sure this is disabled.

Forbid IP source-route

Source routing is a feature of IP whereby individual packets can specify routes. This feature is used in several kinds of attacks.

Cisco routers normally accept and process source routes. Unless a network depends on source routing, it should be disabled.


Forbid IP Proxy ARP

Proxy ARP breaks the LAN security perimeter, effectively extending a LAN at layer 2 across multiple segments.

Disable proxy ARP on all interfaces.


Forbid IP Unreachable, Redirects, Mask Replies

• Disable translation of directed broadcasts to physical broadcasts on the same interface. This protects against "smurf" attacks.

• Don't allow ICMP redirect messages to pass through the router; ICMP redirects should be disabled.

• Make it more difficult for someone to scan for valid IP addresses by turning off IP unreachables on all interfaces.

• Prevent the Cisco IOS software from responding to Internet Control Message Protocol (ICMP) mask requests with ICMP mask reply messages.

Forbid MOP

The Maintenance Operations Protocol (MOP) was used for system utility services in the DECnet protocol suite.


Forbid NTP Service

Forbid SNMP Services

Disable Router Name and DNS Name Resolution

Configure DNS Server

Set a default DNS domain name (needed for SSH)

Disable Unused Interfaces

Filtering Traffic to the Router Itself

Remote Login (Telnet) Service

SNMP Service (Recommend only SNMPv3 AuthNoPriv & AuthPriv)

Routing Service

Filtering Traffic through the Router

IP Address Spoof Protection (Inbound Traffic)

IP Address Spoof Protection (Outbound Traffic)

Exploits Protection

TCP SYN Attack

Limiting External Access with TCP Intercept (If your IOS support it.)

Land Attack


Smurf Attack

ICMP Message Types and Traceroute

Distributed Denial of Service (DDoS) Attacks

Routing Protocol Security

OSPF MD5 Authentication

RIP MD5 Authentication

EIGRP MD5 Authentication


Disabling unneeded routing-related services

Passive Interfaces (OSPF)

Using filters to block routing updates

First Define Access Control List

Filter Distributed List (OSPF)

Filter Distributed List (RIP)

Do not enable OSPF on certain interfaces

Passive Interfaces (RIP)

Audit and Management

Overview and Motivations for Logging

Recording router configuration changes and reboots

Recording receipt of traffic that violates access lists

Recording changes in interface and network status

Recording router cryptographic security violations

Logging Types

Console logging
Terminal line logging
Buffered logging
Syslog logging
SNMP trap logging

Cisco Log Message Severity Levels

Format of a Cisco IOS Log Message

Turning on logging services

Setting up Console and Buffered Logging

Buffered logging

Setting up Terminal Line Logging

Setting up Syslog Logging

A Small Syslog Configuration

Centralized Syslog Configuration

Syslog and access list

SNMP Trap Logging

Time Services, Network Time Synchronization and NTP

Setting the Time Manually

The NTP Hierarchy

Configuring Basic NTP Service

NTP and access-list

Configuring NTP Authentication

SNMP Security

SNMPv3 Security

Configuring SNMP - Getting Started

SNMPv3 with limited view

Cisco IOS Software Updates

Show version

Update Procedure

TFTP: see Cisco web sites concerning the particular model of router or switch

Router Status and Configuration Commands

show logging

show ip protocol summary

show arp

show users

show host

show ip interface brief

show ip socket

Viewing the current configuration

show startup-config

show running-config

Viewing currently running processes

show process

Router Throughput and Traffic Commands

Clear counter

Viewing IP Protocol Statistics

show ip traffic

Viewing SNMP Protocol Statistics

Configure debugging and turn on debugging messages for ICMP.

Security for Router Network Access Services

AAA

Authentication Authorization Accounting

Types of accounting

There are several types of accounting which can be enabled and configured separately: exec, network, connection, command, system.

All types are supported by TACACS+, but RADIUS does not support command or system.

Network accounting – Provides information for PPP, SLIP, and ARAP protocols. The information includes the number of packets and bytes.

EXEC accounting – Provides information about user EXEC sessions on the router. The information includes the username, date, start and stop times, IP address of the access server, and the telephone number the call originated from for dial-in users.

Connection accounting – Provides information about all outbound connections made from the network access server. This includes telnet, rlogin, etc.

Command accounting – This applies to commands which are entered in an EXEC shell. This option will apply accounting to all commands issued at the specified privilege level. If accounting is turned on for level 15 and a user logged in at enable level 15 runs a level 1 exec command, no accounting event will be generated. Accounting records are generated based upon the level of the command, not the level of the user. Accounting records will include the command, date, time, and the user. Cisco IOS does not support command accounting with RADIUS.

System accounting – Provides information about system-level events. This would include information like system reboots, accounting being turned on or off, etc. Note that system accounting will only use the default list. Cisco's implementation of RADIUS does not support system accounting.

AAA accounting requirement

AAA accounting requires that:

– AAA is enabled,
– security servers are defined, and
– a security server is specified for each accounting type which is desired.

Method Lists and Server Groups

Authentication

The authentication commands used for defining messages

The default method list designates RADIUS

RADIUS security server

Authorization

Authorization

There are two primary scenarios where authorization is useful.

First, if the router is used for dial in access, authorization is useful for controlling who can access network services, etc. and who can access and configure the router.

Second, authorization can control different administrators who have access to different privilege levels on the router.

Accounting

Configuration of TACACS+ accounting:

Configuration of RADIUS accounting

Security Server Protocols

RADIUS

TACACS+

Hardening Cisco Switch (Based on NSA Cisco IOS Switch Security Configuration Guide)

Port Security

Restricting a port statically on a Catalyst 3550 switch.

A strict security “unused” macro

A strict security “host” macro

Configure access ports of the switch

Virtual Local Area Networks (VLAN)

Create the out-of-band management VLAN.

Create a management IP address

Assign the management VLAN to the dedicated interface.

Ensure all trunk ports will not carry the management VLAN

Assign the following name to VLAN 1.

Assign all inactive interfaces to an unused VLAN (not VLAN1)

Virtual Trunking Protocol (VTP)

If VTP could be disabled

If VTP is necessary

Trunk Auto-Negotiation

Dynamic Trunking Protocol (DTP)

A port may use the Dynamic Trunking Protocol (DTP) to automatically negotiate which trunking protocol it will use, and how the trunking protocol will operate.

DTP-related security issues


VLAN Hopping


In certain situations it is possible to craft a packet in such a way that a port in trunking mode will interpret a native VLAN packet as though it were from another VLAN, allowing the packet to become a member of a different VLAN.

This technique is known as VLAN hopping.

Spanning Tree Protocol

STP Portfast Bridge Protocol Data Unit (BPDU) Guard

STP Root Guard


no ip bootp server
no service tcp-small-servers
no service udp-small-servers

service timestamps log datetime localtime show-timezone msec
service timestamps debug datetime localtime show-timezone msec
logging x.x.x.x
logging trap debugging
logging source-interface loopback0
logging buffered 64000 debugging

ntp authentication-key 10 md5 <key>
ntp authenticate
ntp trusted-key 10
ntp server x.x.x.x [key 10]
ntp access-group peer 20
access-list 20 permit host x.x.x.x
access-list 20 deny any

no service finger
no service pad
no ip http server
no ip source-route

no cdp run
no boot network
no service config
no ip subnet-zero

no ip identd
no ip finger
service nagle

Configuration basics (1)

Turn off all the unneeded services

Use syslog

Use (authenticated) NTP
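As an added example in the spirit of the RAT tool introduced at the start of these slides (this is my own code, not RAT's rule files or scoring), the following Python audit parses a constructed running-config and reports which of the hardening items listed on this page (unneeded services, enable secret, ICMP settings per interface, AUX EXEC, VTY access-class, syslog, NTP authentication) are missing. The sample config and the rule lists are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed running-config for the demo (not from the page). It has deliberate
# gaps so the audit has something to report.
SAMPLE_CONFIG = """\
version 12.4
service nagle
service timestamps log datetime msec localtime show-timezone
no service password-encryption
hostname Router1
enable password cisco
no ip source-route
no ip bootp server
no service finger
ip http server
no cdp run
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
interface FastEthernet0/0
 ip address 192.168.99.1 255.255.255.0
 no ip redirects
 no ip unreachables
logging 192.0.2.10
ntp server 192.0.2.20
line aux 0
 exec-timeout 0 0
line vty 0 4
 password 7 12552D23830F94
 login
"""

# Global lines this page's checklist expects to see in the configuration.
GLOBAL_REQUIRED = [
    "service password-encryption", "no ip source-route", "no ip bootp server",
    "no service finger", "no service pad", "no cdp run",
    "no service tcp-small-servers", "no service udp-small-servers",
    "no service config", "no boot network", "no ip identd",
    "service nagle", "ntp authenticate",
]
# Global lines (regex) the checklist says must not be present.
GLOBAL_FORBIDDEN = {
    "enable password": r"^enable password ",
    "ip http server": r"^ip http server$",
}
# Lines required on every non-loopback interface (unreachables, redirects, ...).
INTERFACE_REQUIRED = ["no ip proxy-arp", "no ip redirects",
                      "no ip unreachables", "no ip directed-broadcast"]


def parse_config(text):
    """Split an IOS config into top-level lines and indented sections."""
    top, sections, current = [], defaultdict(list), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            top.append(current)
    return top, sections


def audit(text):
    """Return sorted findings of the form 'where: problem'."""
    top, sections = parse_config(text)
    present, findings = set(top), []
    findings += [f"global: missing '{l}'" for l in GLOBAL_REQUIRED if l not in present]
    for name, pat in GLOBAL_FORBIDDEN.items():
        if any(re.match(pat, l) for l in top):
            findings.append(f"global: '{name}' is configured")
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("global: missing 'enable secret'")
    if not any(re.match(r"^logging (host )?\d", l) for l in top):
        findings.append("global: no syslog host configured")
    if not any(l.startswith("service timestamps log datetime") for l in top):
        findings.append("global: log messages lack datetime timestamps")
    for sec, lines in sections.items():
        if sec.startswith("interface ") and not sec.startswith("interface Loopback"):
            findings += [f"{sec}: missing '{l}'" for l in INTERFACE_REQUIRED if l not in lines]
        elif sec.startswith("line aux") and "no exec" not in lines:
            findings.append(f"{sec}: EXEC is enabled on the AUX port")
        elif sec.startswith("line vty") and not any(l.startswith("access-class ") for l in lines):
            findings.append(f"{sec}: no access-class restricts VTY access")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Real IOS omits default settings from show running-config (for example, proxy ARP is shown only when disabled), so a production checker must know what each IOS version displays; the RAT benchmark rule files encode exactly that.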