CSWcore02-SecIP-v1

7/31/2019 CSWcore02-SecIP-v1

1/57

> N i c o la s F I SCHBAC HIP Engineering Manager - COLT [email protected] - http://www.securite.org/nico/

> Sba s t i e n LACOS TE - SER ISIP R&D Manager, Security Officer - COLT [email protected] - http://www.securite.org/kaneda/

version 1.0

P ro te c t ing you r I Pne tw o rk i n f r a s t ruc tu re


2/57

2 2002 Scurit.Org

Disclaimer : we dont work for Cisco and we dont have Cisco stock :-)

A g e n d a Network Security

> Layer 2, layer 3 and routing protocols attacks> DDoS/worm attacks detection, protection and filtering

> MPLS

> IPv6

Router Security> Integrity checking


3/57

3 2002 Scurit.Org

P ro t o c o l a t t a c k s Well known (not to say old) a ttacks

>ARP cache/CAM table poisoning, gratuitous ARP messagesand ARP/{DHCP,BOOTP} spoofing

> Tools : dsniff, hunt, ARP0c, taranis, etc.

New (not so old) attacks> HSRP/VRRP spoofing

> STP/VTP/DTP attacks

>VLAN jumping/hoping

Future (to come) attacks ?>Advanced routing protocols attacks (eg. IRPAS)

> Rootkits and Loadable Kernel Modules


4/57

4 2002 Scurit.Org

L a ye r 2 p r o t o co ls Layer 2 protocols and traffic

>ARP - Address Resolution Protocol> CDP - Cisco Discovery Protocol

>VLAN - Virtual LAN

> STP - Spanning Tree

> {D/V}TP- Dynamic, VLAN Trunking Protocol> Unicast, Broadcast and Multicast addressing and traffic


5/57

5 2002 Scurit.Org

STP (Spanning Tree Protocol)> STP prevents loops in the Ethernet network topology> Redundant data path forced into standby (blocked) state

> STP enabled on all ports by default

> No traffic forwarding during STP processing

P ro t o co ls : STP ( 1 )

Boot-upinitialisation

Blocking state

Listening state Disabled state

Forwarding state

Learning state


6/57

6 2002 Scurit.Org

STP (Spanning Tree Protocol)> 1. Root Switch Election> 2. STP processing blocks redundant path

P ro t o co ls : STP ( 2 )

Blocked

B

loc

ke

d

Root Switch


7/577 2002 Scurit.Org

P ro t o co ls : STP ( 3 ) Network Traffic Interception

> Must have physical connection to 2 switches> Transparent traffic interception

Root Switch

Blocked

Blo

cke

d

Blocked

Blocke

d



P ro t o co ls : STP ( 4 ) Other STP attacks

> CAM table poisoning> DoS

- Force infinite election

- Ephemere Root

Very hard to track down network topology



P ro t o co ls : STP ( 5 ) Security measures

> Monitor which equipment is the root bridge> Filter MAC addresses (and add static IP-to-MAC mappings)

> Activate BPDU-guard (Bridge PDU) to filter STP

> Limit broadcast traffic

! MLS (Multi Layer Switch) in hybrid mode (Sup w/ CatOS, MSFC w/ IOS)set spantree disable

set spantree portfast bpdu-guard-enable

! MLS in native mode (CatIOS on the Sup and MSFC)

spanning-tree portfast bpduguard

set port security enable 01-02-03-04-05-06 shutdown

set port broadcast 0.01%


10/5710 2002 Scurit.Org

P ro t o co ls : CDP ( 1 ) CDP (Cisco Discovery Protocol)

> Cisco proprietary> Works on any HDLC capable link/device

> Multicast traffic

> Information leaked to other peers : device id/name, network

address, port id, capabilities, software version, platform andIP network prefix

Message format


11/5711 2002 Scurit.Org

P ro t o co ls : CDP ( 2 )


12/5712 2002 Scurit.Org

no cdp run

interface xy

no cdp enable

set cdp disable

P ro t o co ls : CDP ( 3 ) Open to DoS attacks

> Discovered by FX (see the Cisco Security Notice)

Security measures (router)> Global deactivation

> Per interface deactivation

Security measures (switch)> Global/per interface deactivation


13/5713 2002 Scurit.Org

VLAN s : L a y e r 2 p a r t i t io n i n g ( 1 ) The problem with VLANs

>VLANs have never been designed for security but are usedto enforce it

> (Multi-layer) switches become single point of security failure

> Do not use the (native) VLAN 1

Do not use VMPS>VLAN Management Policy Server allows dynamic VLAN

membership based on the MAC address


14/5714 2002 Scurit.Org

set vlan 2

clear trunk 1

VLAN s : L a y e r 2 p a r t i t io n i n g ( 2 ) VLAN jumping/hoping

> Is possible : if you use DTP, if a port is in the sameVLAN as the trunks port Native VLAN (inject 802.1q frames)

>VLAN bridges allow bridging between VLANs for non-routedprotocols

Private VLAN (6k, 4k) and port protected (29xx, 35xx)> Port isolation

> Devices in the same VLAN cant talk directly to each other


15/5715 2002 Scurit.Org

P ro t o co ls : VT P VLAN Trunking Protocol

> Enables central VLAN configuration (Master/Client)> Message format : like CDP (SNAP HDLC 0x2003)

> Communicates only over trunk ports

Attacks> Add/remove VLANs

> Create STP loops

Security measures> Put your switches in transparent VTP mode and use a

password set vtp domain password set vtp mode transparent


16/5716 2002 Scurit.Org

Dynamic Trunking Protocol> Enables automatic port/trunk configuration> Message format : like CDP (SNAP HDLC 0x2004)

>All switch ports are in auto mode by default

Attacks> 802.11q frames injection

>VLAN hoping

Security measures> Turn DTP off on all the ports

set trunk off all

P ro t o co ls : DT P


17/5717 2002 Scurit.Org

L a ye r 3 p r o t o co ls The network layer

> IP(v4) : no built-in security> ICMP : information leakage and side effects

> HSRP / VRRP : provide next-hop redundancy

> RIP / RIPv2 : no authentication (v1) and flooding

> OSPF : multicast (adjacencies and DR/BDR at risk)> BGP : core of the Internet (RR/peerings/sessions at risk)

Not (yet) well known or not so used in enterprisenetworks> ISIS : but a lot of Service Providers are moving from OSPF

to ISIS (usually in relation with MPLS/Traffic Engineeringdeployment)

> (E)IGRP


18/5718 2002 Scurit.Org

P ro t o co ls : BGP ( 1 ) BGP (Border Gateway Protocol)

>Version 4> Runs on port 179/tcp

>Authentication : MD5 (not often used)

> Point-to-point over directly connected interfaces or multi-

hop between non adjacent routers> BGP route injection tools exist (in private circles)

BGP (UPDATE) message format


19/5719 2002 Scurit.Org

P ro t o co ls : BGP ( 2 ) Where are the risks ?

> Internet Exchanges : all providers are usually connected tothe same shared infrastructure (a switch for example) : doprefix/AS_path filtering

>Your direct {up,down}stream : IP filter on interfaces

> Multi-hop configurations (Man-in-the-middle attack) What to monitor ?> AS_path you receive from upstreams

>AS_path that other ISPs are getting that contains your ASN(route servers/looking glasses)

> Are the paths changing (especially the best path) ?

>ARP changes (IX public switches)


20/5720 2002 Scurit.Org

P ro t o co ls : BGP ( 3 ) Additional security measures

> Do not use the same password with all the peers> Log changes (and use IPsec)

router bgp 65000

bgp log-neighbor-changes

network x.x.x.x

neighbor y.y.y.y remote-as 65001neighbor y.y.y.y password

neighbor y.y.y.y version 4

neighbor y.y.y.y prefix-list theirnetworks in

neighbor y.y.y.y prefix-list ournetworks out

neighbor y.y.y.y maximum-prefix 120000

neighbor y.y.y.y route-map ourASpath out

ip prefix-list ournetworks seq 5 permit z.z.z.z/17

ip prefix-list ournetworks seq 10 deny 0.0.0.0/0 le 32ip prefix-list theirnetworks seq 5 permit k.k.k.k/19

ip as-path access-list 99 permit ^( )*$

route-map ourASpath permit 10

match as-path 99


21/5721 2002 Scurit.Org

P ro t o co ls : BG P ( 4 ) BGP route injection tool : what is the challenge ?

> Find the eBGP peer> {Man, Monkey} in the middle attack

> SNMP

> Public route-servers and looking glasses

> Directly adjacent IPs, .1, .254, etc

Inject the update> MITM (or ARP spoofing on IX switches)

> Synchronize with/hijack the TCP session

Future ?> S-BGP (Secure BGP)


22/5722 2002 Scurit.Org

Se q u e n c e n u m b e r p r e d ic t io n ISN problems on Cisco routers

Vulnerable IOS Less vulnerable IOS>Fixed as of 12.0(15) and 12.1(7)

> ISNs are (still) time dependant

Source : http://razor.bindview.com/publish/papers/tcpseq.html


23/5723 2002 Scurit.Org

P ro t o co ls : OSP F ( 1 ) OSPF (Open Shortest Path First)

> Protocol type 89> Multicast traffic : easy to inject LSAs

>Active adjacencies between all the routers and the (B)DRs(DR/BDR status is based on Router ID and priority)

> SPF (Shortest Path First) recalculation takes a lot of timeand CPU

Area 2

Network running

another IGP Area 1

Backbone area (Area 0)

Designated Router

(DR)

Backup Designated

Router (BDR)

Area Border Router(ABR)

Autonomous System

Border Router(ASBR)


24/57

24 2002 Scurit.Org

P ro t o co ls : OSP F ( 2 ) Security measures

>Authenticate OSPF exchanges

> Turn your network into a NBMA (Non Broadcast MultipleAccess - point-to-point links only) network

interface xy

!ip ospf authentication-key

ip ospf message-digest-key 1 md5

router ospf 1

area 0 authentication [message-digest]

interface xy

ip ospf network non-broadcast

router ospf 1

neighbor x.x.x.x


25/57

25 2002 Scurit.Org

router ospf 1

log-adjacency-changes

network x.x.x.x

passive-interface defaultno passive-interface xy

router ospf 1

distribute-list in

distribute-list out

P ro t o co ls : OSP F ( 3 ) Security measures

> Dont put the interfaces that shouldnt send or receive OSPFLSAs in your network statement or then exclude them with apassive-interface statement

> Log changes

> You cant filter what is injected into the local area (thenetwork statement meaning is misleading) only to otherASes

>You can filter what you receive


26/57

26 2002 Scurit.Org

P ro t o co ls : I S I S ( 1 ) IS-IS (Intermediate System to Intermediate System)

> Comes from the OSI world (routed OSI procotols)> Doesnt run on top of IP but directly over the data link

> Encodes the packets in TLV format

> Uses hierarchy levels/addressing (L1/L2) and flooding

- L1 routing means routing in the same area- L2 routing means between areas

> Floods LSPs (Link State PDUs)

- Nothing do to with MPLS LSP (Label Switch Path)

> Contrary to OSPF DR/BDRs a new IS-IS DIS (Designated IS)with higher priority will take precedence (preempt) and allthe routers maintain adjacencies with all the routers in thearea (separate L1 and L2 adjacencies on same LAN)


27/57

27 2002 Scurit.Org

P ro t o co ls : I S I S ( 2 ) Attacks

> Similar to OSPF attacks but more complex to inject databecause of non-IP protocol

> Possible to use the Overload Bit to have transit traffic notsent over a overloaded router and thus try to redirect it

Security measures> Log changes

> Use authentication at

- the interface level- the area level

- the domain level

interface xy

isis password level-

router isis

log-adjacency-changes

domain-password

area-password


28/57

28 2002 Scurit.Org

P r o to c o ls : H SR P /V R R P ( 1 ) HSRP (Hot Standby Routing Protocol)

> Provides next-hop redundancy (RFC2281)> Information disclosure : virtual MAC address

- 00-00-0c-07-ac-

- (by default) the HSRP virtual interface doesnt send ICMPredirects

> You can have more than 2 routers in a standby group, noneed to kill a router, becoming the master is enough

VRRP (Virtual Router Redundancy Protocol - RFC2338)> Supports MD5 for authentication (IP Authentication Header)


29/57

29 2002 Scurit.Org

interface xy

standby 10 priority 200 preempt

standby 10 authentication p4ssw0rd

standby 10 ip x.x.x.x

interface xy

standby 10 mac-address

P r o to c o ls : H SR P /V R R P ( 2 ) Security measures

> Use password authentication

> Change the virtual MAC address

> Use IPsec (Cisco recommendation) but is not trivial(multicast traffic, order of processing depending on IOSrelease, limited to a group of 2 routers)


30/57

30 2002 Scurit.Org

ip flow-export version 5 origin-asip flow-export destination x.x.x.x

interface xy

ip route-cache flow

D D o S d e t e c t io n ( 1 ) The old way

>ACLs/FW logs, CPU and line load, *IDS with data correlation Netflow

>Accounting data (AS, IP flows, protocols, etc)

> Send in clear text over the network (UDP) to a gatherer

> With CEF activated Netflow will only do accounting> Without CEF the router will do netflow switching

> Only counts outgoing traffic on the interface

> How to export the data

> How to view the data : sh ip cache flow


31/57

31 2002 Scurit.Org

D D o S d e t e c t io n ( 2 ) (Un)usual traffic distribution per protocol

> TCP : ~90 % (HTTP, FTP and P2P tools)> UDP : ~10 % (DNS, SNMP, streaming)

> ICMP : IGMP : Mostly 64 bytes packets> RRDtool and Netflow can be used to graph trends, detect

changes and anomalies

Source : Flowscan from UW-Madison (http://wwwstats.net.wisc.edu/)


32/57

32 2002 Scurit.Org

D D o S d e t e c t io n ( 3 ) Netflow data on Multi-Layer Switches

> Netflow-based MLS flow-mode is destination-only nosource address is cached)

> Enable full-flow mode (performance impact on SE1)

> Display the entries

> Poor mans netflow : ntop ?

! MLS in hybrid mode

set mls flow full

! MLS in native modemls flow ip full

! MLS in hybrid mode

set mls ent

! MLS in native modeshow mls ip


33/57

33 2002 Scurit.Org

D D o S p r e v e n t io n ( 1 ) Unicast RPF (Reverse-Path Forwarding)

> Needs CEF (Cisco Express Forwarding) or dCEF> Requires IOS 12.x and uses ~30MB of memory

> Strict : IP packets are checked to ensure that the route backto the source uses the same interface

> Only the best path (if no multi-path or equal cost paths) isin the FIB

> Asymmetric routes are supported (really :-)

> Check the BGP weight if you use strictmode in a multi-homed configuration


34/57

34 2002 Scurit.Org

D D o S p r e v e n t io n ( 2 ) Unicast RPF (Reverse-Path Forwarding)

> Strict (you can use an ACL for exceptions or for logs)

>Loose check (allowed if the prefix exists in the FIB)ip verify unicast source reachable-via any

ip cef [distributed]

interface xy

ip verify unicast reverse-path [allow-self-ping] [acl]


35/57

35 2002 Scurit.Org

D D o S p r e v e n t io n ( 3 ) ICMP, UDP, TCP SYN rate-limiting

> UDP rate-limiting can be a problem if your customer is astreaming company

interface xy

rate-limit input access-group 100 8000 8000 8000 \

conform-action transmit exceed-action drop

rate-limit output access-group 100 8000 8000 8000 \

conform-action transmit exceed-action drop

access-list 100 deny tcp any host x.x.x.x established

access-list 100 permit tcp any host x.x.x.x

access-list 101 permit icmp any any echo

access-list 101 permit icmp any any echo-reply


36/57

36 2002 Scurit.Org

D D o S p r e v e n t io n ( 4 ) TCP Intercept

> Can do as much good as bad> If enabled : process switching and not full CEF anymore

> The destination host must send a RST (no silent drops) oryoull DoS yourself

> Same is true if you use blackholed routes (route to Null0)ip tcp intercept list 100

ip tcp intercept connection-timeout 60

ip tcp intercept watch-timeout 10

ip tcp intercept one-minute low 1500

ip tcp intercept one-minute high 6000

access-list 100 permit tcp any x.x.x.0 0.0.0.255


37/57

37 2002 Scurit.Org

interface xy

ip access-group 100 in

access-list 100 deny icmp any any fragments

access-list 100 permit icmp any any echo

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any packet-too-big

access-list 100 permit icmp any any source-quenchaccess-list 100 permit icmp any any time-exceeded

access-list 100 deny icmp any any

access-list 100 permit ip any any

D D o S p r e v e n t io n ( 5 ) Advanced ICMP filtering

> Only let the mission critical ICMP messages in and out

> ICMP filtering is a source of dispute (unreachables,

parameter-problem, etc)> ICMP is not just ping, you can break a lot of things (Path

MTU Discovery for example)

>YMMV.


38/57

38 2002 Scurit.Org

D D o S p r e v e n t io n ( 6 ) Advanced technique 1 (1/2) : BGP/Null0

> Pick an IP address from TEST-NET and add a static route toNull0 for it (on all your routers)

> Have a master BGP router set the next-hop for the sourcenetwork you want to drop to the selected IP

> Have BGP redistribute it to the routers in your AS only anduRPF will drop it (at the LC level, not on the RP)

> Do not redistribute it to your peers : use a private AS or ano-export community

router bgp

network mask route-map ddos-nh

route-map ddos-nh

set ip next-hop

ip route 255.255.255.0 Null0


39/57

39 2002 Scurit.Org

D D o S p r e v e n t io n ( 7 ) Advanced technique 1 (2/2) : BGP/Null0

Internetor

Customers

Master BGP router(set the next-hop for the DDoS

sources to 192..0.2.10)

Route reflectors

iBGP sessions

NOC

Core/Access Routers(route 192.0.2.10 to Null0)

Propagate the newnext-hop


40/57

40 2002 Scurit.Org

D D o S p r e v e n t io n ( 8 ) Advanced technique 2 (1/2) : BGP/CAR/FIB

> Set a special community for the network you want to rate-limit on your master BGP router and send this communityto your iBGP peers

router bgp

network mask

neighbor x.x.x.x route-map ddos-rl outneighbor x.x.x.x send community

access-list 10 permit

route-map ddos-rl

match ip address 10

set community :66 no-export

ip route 255.255.255.0 Null0


41/57

41 2002 Scurit.Org

router bgp

table-map ddos-rl

ip community list 1 permit :66

route-map ddos-rl

match community 1

set ip qos-group 66

interface xy

bgp-policy source ip-qos-map

rate-limit input qos-group 66 ...

D D o S p r e v e n t io n ( 9 ) Advanced technique 2 (2/2) : BGP/CAR/FIB

> On the routers change the QoSID entry in the FIB based onthis special community

> Use the QoSID entry of the FIB to rate-limit


42/57

42 2002 Scurit.Org

I ng re s s / eg re s s f i l te r i n g ( 1 ) What you should never route/see/allow through

> RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)> 0.0.0.0/x, 127.0.0.0/8

> 169.254.0.0/16 (auto-configuration when no DHCP)

> 192.0.2.0/24 (Netname: TEST-NET, like example.com)

> Multicast blocks (D Class) and Martian networks (E+)>Hijacked space by some vendors (192.0.0.192 for some

printers)

> (ARIN) Reserved blocks (bogon networks)

> Packets to broadcast addresses or where source ==destination

What you should route/let through>Your network prefixes (anti-spoofing)


43/57

43 2002 Scurit.Org

interface xy

access-group in 100

access-group out 100

access-list 100 deny ip host 0.0.0.0 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255



access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255


access-list 100 deny ip 240.0.0.0 15.255.255.255 any

access-list 100 permit ip any any

! Or permit ip

ip route 10.0.0.0 255.0.0.0 null0

ip route 172.16.0.0 255.240.0.0 null0

ip route 192.168.0.0 255.255.0.0 null0

I ng re s s / eg re s s f i l te r i n g ( 2 ) Example with ACLs

> Filter on network border : CPE/IX/uplinks

Example with route to Null0 (discard on Juniper)


44/57

44 2002 Scurit.Org

W o rm d e t e c t io n a n d p r o te c t io n ( 1 ) How to detect a new worm

> New/unusual number of HTTP/SMTP flows and server logs

How to protect with NBAR (Network-Based ApplicationRecognition)> Needs CEF>Available as of 12.1(5)T

> Like TCP Intercept - do we need it ?

> Side-effect : the TCP handshake is already done but the

server never receives the HTTP GET request> Performance impact : ~20% CPU


45/57

45 2002 Scurit.Org

W o rm d e t e c t io n a n d p r o te c t io n ( 2 ) NBAR Restrictions and limitations

> Supports up to 24 concurrent URLs, hosts or MIME typesmatches

> Cant match beyond the first 400 bytes in a URL

> Cant deal with fragmented packets

> HTTPS traffic (thats normal ;-)> Packets originating from/sent to the router (you cant

protect the local HTTP server)

> Doesnt support Unicode (UTF-8/%u)

Tune the scheduler and the timeoutip nbar resources 600 1000 50

scheduler allocate 30000 2000


46/57

46 2002 Scurit.Org

D D o S /wo rm r e s e a rc h / f u tu r e Worse to come

>A lot of research has been done but nothing has beenpublished/disclosed : risks are too high

> Most of the worms weve seen were quite gentle

> Will the next worm affect IIS/Outlook users again ?

> What are the effects on the Internet stability (CAIDA) ?

What are the trends ?> Routers are used as source (CERT)

> Getting more complex and agents are becoming moreintelligent

> Temporary use of non allocated blocks (Arbor Networks)


47/57

47 2002 Scurit.Org

M P L S (1 ) MultiProtocol Label Switching

> MPLS label added to the IP packet to identify the VPN> Each router (LSR) on the path (LSP) has a local table (LIB)

> The label only has a local meaning and is/may be changedon each hop

MP

LS

Core

Cu

sto

mer

Edg

e

Ro

ute

r

Pro

vid

erE

dg

e

Rou

ter La

belS

witch

Rou

ters

Prim

ary

LS

P(

Lab

elSw

itch

Pa

th)

Ba

ckup

LS

P


48/57

48 2002 Scurit.Org

M P L S (2 ) MultiProtocol Label Switching

>Virtual Circuits, not encrypted/authenticated VPNs>Equivalent to a layer 2 VPN (ATM/FR)

- the security is often provided by hiding the MPLS corestructure/cloud from customers by using filtering or non-routed address space (think security by obscurity)

- as a customer you have to trust the MPLS core

> IPsec can be used to secure the traffic

> VPN partitioning done at routing layer

>One routing table per VPN on each PE router

- separate Virtual Routing and Forwarding instance (VRF)- or extended Route Distinguisher (RD)

> Current trend in SP networks : deploy MPLS+ISIS w/ WideMetrics+TE for subsecond convergence and traffic rerouting


49/57

49 2002 Scurit.Org

M P L S (3 ) Attacks

> Labeled packets injection :- locked by default on all interfaces (Customer Edge Router)

- easy if access to the MPLS routers

> Inject data in the signaling protocols ((MP-)BGP and IGPs)to modify the VPN topology : IPv4-RRs and VPNv4-RRs(Route Reflectors)

> Even a higher risk when the same router is shared forInternet access and a MPLS L2VPN


50/57

50 2002 Scurit.Org

M P L S (4 ) Attacks

> Use new functionality like FRR (MPLS Fast ReRoute)- RSVP (No Route) Path Error message : allows sniffing by

redirecting traffic over a router that is under control and partof the MPLS core

. a new LSP is signaled

. the adjacency table is updated for the tunnel interface

. a LSR receiving a marked packet with label x will accept it on anyinterface and switch it out

MPLS Core

fake/spoofed

IGP LSP/LSAor

RSVP Path Error message

POS7/0173

Label In Label Out Interface Out

POS7/183

old Path

new Path


51/57

51 2002 Scurit.Org

M P L S (5 ) Security measures

> Good configuration of all routers (CE, PE, P, MPLS Core)- ACLs

- Static and dynamic routing

- VRFs

- etc.

> The MPLS network should start on the PE router, not theCE

> Difficult to gather MPLS information from the routers

> Use IPsec (without anonymous key exchanges ;-)


52/57

52 2002 Scurit.Org

I P v6 IPv6

> Basically no new risks/big changes>Native IPsec support

> Higher risks during the transition phase from IPv4 to IPv6 ?

> Protocols used to interconnect IPv4 to IPv4 islands over IPv6

(and vice versa)- GRE

- MPLS

> MAC address can be part of the IP address


53/57

53 2002 Scurit.Org

Rou t e r in t e g r i ty c h e c k i n g ( 1 ) Four steps to build a tripwire-like for IOS/CatOS

> 1. Store your routers and switches configurations in acentral (trusted) repository (CVS for example)

> 2. Get the configuration from the device (scripted telnet inPerl or expect, rsh, tftp, scp) or have the device send youthe configuration (needs a RW SNMP access)

> 3. Check : automatically (cron/at job), when you see

configured by or a router boot in the logfile orwhen you get the configuration changed SNMP trap

snmpset -c \

.1.3.6.1.4.1.9.2.1.55. s


54/57

54 2002 Scurit.Org

Rou t e r in t e g r i ty c h e c k i n g ( 2 ) Four steps to build a tripwire-like for IOS/CatOS

> 4. Diff the configuration with your own script or useCVS/Rancid

Limitations and details>You still have to trust the running IOS/CatOS (no Ciscorootkit yet) and your network (MITM attacks)

> The configuration is transmitted in clear text over thenetwork (unless you use scp or IPsec to encrypt the traffic)

> Do not forget that there are two files: startup-config andrunning-config

> Do the same for the IOS/CatOS images

> Cisco MIBs : CISCO-CONFIG*


55/57

55 2002 Scurit.Org

Inside Cisco IOS software architecture - Cisco Press :- In general, the IOS design emphasizes speed at the expense of

extra fault protection- To minimize overhead, IOS does not employ virtual memory

protection between processes- Everything, including the kernel, runs in user mode on the

CPU and has full access to system resources

Rou t e r in t e g r i ty c h e c k i n g ( 3 ) Cisco IOS rootkit/BoF/FS : is it possible ?

> Proprietary, closed source OS running on MIPS (newermodels) or Mot68K (older models)

> Closed source but fork from (BSD) Unix

- (zlib/SNMPs bugs :-)

> ELF 32-bit MSB executable, statically linked, stripped

> What is possible with remote gdb access :

- gdb {kernelpid pid-num} ?

> Is the ROMMON a good starting point (local gdb) ?


56/57

56 2002 Scurit.Org

Rou t e r in t e g r i ty c h e c k i n g ( 4 ) Cisco IOS rootkit/BoF/FS : open questions/issues

> No (known) local tools/command to interact and play withthe kernel, memory, processes, etc.

> What can be done in enable engineer mode ?

> Is it possible to upload a modified IOS image and start itwithout a reboot (like Linux two kernel monte) ?

- by using dual RPs (Route Processors) - stateful in the future

- by upgrading LCs only (Line Cards)

>A lot of different images exist (but providers usually go for~12.0(x)S) and a tool to patch images would be required

- 37 feature sets and 2500 images out there (90% IP FS)!> What will happen with IOS-NG (support for loadable

modules) ?

- Is Cisco still working on it ? GSR dedicated team ?


57/57

Image: http://www.inforamp.net/~dredge/funkycomputercrowd.html

Th a t s a l l f o l k s : - ) Latest version of this document & presentationincluding tips/commands to secure routers (IOS) andswitches (Cat(I)OS)

Pictures of CanSecWest/core02

Questions ?

< http://www.securite.org/presentations/secip/ >

< http://www.securite.org/csw/core02/ >

CSWcore02-SecIP-v1

Documents

Transcript of CSWcore02-SecIP-v1