In depth understanding network security

In-depth Understanding
Network Security
(Hardening CISCO Router/Switch)

CIS Level 1 & 2 Benchmarks
and Audit Tool
for Cisco IOS Routers and PIX firewalls

IOS/PIX Benchmarks and RAT for
Windows
Features of the 2.2 version of the Router
Audit Tool (RAT):
– Ability to score Cisco Router IOS.
– Ability to score Cisco PIX firewalls.
– Includes benchmark documents (PDF) for both
Cisco IOS and Cisco ASA, FWSM, and PIX
security settings.

RAT for Windows
To run any RAT programs, you'll need to
know the drive and pathname where RAT
was installed.
You can put this directory onto your PATH:
C:> set PATH=D:CISRATbin;%PATH%

RAT for Windows
To run the rat program and see a list of its
options, you could type the following:
C:> rat --help

RAT for Windows
Before you use RAT, you should use the
ncat_config program to create a rule file specific
to your routers.
Here is how to run ncat_config:
D:> ncat_config
... lots of questions appear here ...
After all QUESTIONS we will get a template named
“D:CISRAT/etc/configs/cisco-ios/local.conf"

RAT for Windows
1. Copy Template to Test Directory
2. Copy configuration files from your router
3. Run rat to audit your configuration file:
D:>cd Test
D:Test> rat -r local.conf cisco-router-confg

Hardening Cisco Router
Based on
NSA Router Security Configuration Guide

Router Security Configuration
Guide of NSA’s SNAC
(Based on version 1.1c)

Physical Security
 Network equipment, especially routers and switches,
should be located in a limited access area.
 This area should be under some sort of supervision 24
hours a day and 7 days a week.
 A room where routers are located should be free of
electrostatic and magnetic interference. The area should
also be controlled for temperature and humidity.
 If at all possible, all routers should be placed on an
Uninterruptible Power Supply (UPS), because a short
power outage can leave some network equipment in
undetermined states.

Cisco IOS routers have the ability to define internal virtual
interfaces, called loopback interfaces. It is considered best
practice, in configuring Cisco routers, to define one loopback
interface, and designate it as the source interface for most traffic
generated by the router itself.
Cisco IOS routers have the ability to define internal virtual
interfaces, called loopback interfaces. It is considered best
practice, in configuring Cisco routers, to define one loopback
interface, and designate it as the source interface for most traffic
generated by the router itself.
Router Network Traffic and the
Loopback Interface

Banner Rules
Router1#configure terminal
Router1(config)#banner motd ^C
*************************************************************
!! ONLY AUTHORIZED USERS ARE ALLOWED TO LOGON UNDER PENALTY OF
LAW !!
This is a private computer network and may be used only by
direct permission of its owner(s). The owner(s) reserves the right
to monitor use of this network to ensure network security and to
respond to specific allegations of misuse. Use of this network
shall constitute consent to monitoring for these and any other
purposes. In addition, the owner(s) reserves the right to consent
to a valid law enforcement request to search the network for
evidence of a crime stored within this network.
*************************************************************
^C

(config)#normal TCP 3-Way Handshake

TCP SYN flooding attack
Attack Demonstration:
E(config)#nough illegitimate
TCBs are in
SYN-RECEIVED that a
legitimate connection
can(config)#not be initiated.
Attack Demonstration:
E(config)#nough illegitimate
TCBs are in
SYN-RECEIVED that a
legitimate connection
can(config)#not be initiated.

Countermeasures: TCP SYN flooding attack
You can configure a router to protect your servers against TCP SYN
attacks by enabling the ip tcp intercept command:
Router1(config)#access-list 109 permit ip any host 192.168.99.2
Router1(config)#ip tcp intercept list 109
Router1(config)#ip tcp intercept max-incomplete high 10
Router1(config)#ip tcp intercept one-minute high 15
Router1(config)#ip tcp intercept max-incomplete low 5
Router1(config)#ip tcp intercept one-minute low 10
Router1(config)#end
Router1#
You can configure a router to protect your servers against TCP SYN
attacks by enabling the ip tcp intercept command:
Router1(config)#end
Router1#

TCP Intercept feature
When you enable the TCP Intercept feature, the router
doesn't forward the initial SYN packet to the server.
Instead, it responds directly to the client with a SYN-ACK
packet, as if it were the server.
If the client is legitimate and begins the TCP session,
then the router quickly opens a session to the server,
knits the two ends of the connection together, and steps
into its more usual role of simply forwarding packets.
When you enable the TCP Intercept feature, the router
doesn't forward the initial SYN packet to the server.
Instead, it responds directly to the client with a SYN-ACK
packet, as if it were the server.
If the client is legitimate and begins the TCP session,
then the router quickly opens a session to the server,
knits the two ends of the connection together, and steps
into its more usual role of simply forwarding packets.

By default, the router allows 1,100 half-open sessions before going into
aggressive mode.
Configure this value using the ip tcp intercept max-incomplete high
command.
When we deliberately initiate a series of half-open sessions, we see this log
message:
(config)#nov 15 13:56:38.944: %TCP-6-INTERCEPT: getting aggressive, count
(10/10) 1 min 0
A short time later, the attack ended, and the router went back into its
(config)#normal mode:
(config)#nov 15 13:58:14.367: %TCP-6-INTERCEPT: calming down, count (0/5) 1 min
11
By default, the router allows 1,100 half-open sessions before going into
aggressive mode.
Configure this value using the ip tcp intercept max-incomplete high
command.
When we deliberately initiate a series of half-open sessions, we see this log
message:
(config)#nov 15 13:56:38.944: %TCP-6-INTERCEPT: getting aggressive, count
(10/10) 1 min 0
A short time later, the attack ended, and the router went back into its
(config)#normal mode:
(config)#nov 15 13:58:14.367: %TCP-6-INTERCEPT: calming down, count (0/5) 1 min
11

you can also set thresholds on the number of TCP sessions initiated
per minute:
The conditions for returning to (config)#normal mode are defined by
these two commands:
The first command sets the low-water mark for the total number of
half-open sessions, while the second command sets the low-water
mark for the number of session-initiation attempts per minute.
you can also set thresholds on the number of TCP sessions initiated
per minute:
The conditions for returning to (config)#normal mode are defined by
these two commands:
The first command sets the low-water mark for the total number of
half-open sessions, while the second command sets the low-water
mark for the number of session-initiation attempts per minute.

By default, the router will allow a TCP session to be inactive for 24 hours
(86,400 seconds).
However, you can change this using the ip tcp intercept
connection-timeout command, which accepts an argument in
seconds. Here we set a maximum value of one hour:
Router1(config)#ip tcp intercept connection-timeout 3600
By default the aggressive mode of the TCP Intercept feature will drop the
oldest half-open connection each time it receives a new connection attempt.
However, you can instead configure it to drop a randomly selected
connection out of the table:
Router1(config)#ip tcp intercept drop-mode random
By default, the router will allow a TCP session to be inactive for 24 hours
(86,400 seconds).
However, you can change this using the ip tcp intercept
connection-timeout command, which accepts an argument in
seconds. Here we set a maximum value of one hour:
Router1(config)#ip tcp intercept connection-timeout 3600
By default the aggressive mode of the TCP Intercept feature will drop the
oldest half-open connection each time it receives a new connection attempt.
However, you can instead configure it to drop a randomly selected
connection out of the table:
Router1(config)#ip tcp intercept drop-mode random

You can configure how long the router will watch a session, waiting for
it to complete the TCP session initiation.
By default, it waits 30 seconds, but you can change this value with the
following command, which specifies this timeout value in seconds:
Router1(config)#ip tcp intercept watch-timeout 15
You can configure how long the router will watch a session, waiting for
it to complete the TCP session initiation.
By default, it waits 30 seconds, but you can change this value with the
following command, which specifies this timeout value in seconds:
Router1(config)#ip tcp intercept watch-timeout 15

And one final option allows you to set whether the router actively
intercepts and responds to TCP SYN packets, or instead allows
these packets to pass through (config)#normally, but watches the
session to ensure that it connects properly.
By default the router will completely protect the server by taking over
all responsibility for setting up the session. You can configure it to
let the server handle the call, and only step in if there is a problem
by configuring watch mode:
Router1(config)#ip tcp intercept mode watch
And one final option allows you to set whether the router actively
intercepts and responds to TCP SYN packets, or instead allows
these packets to pass through (config)#normally, but watches the
session to ensure that it connects properly.
By default the router will completely protect the server by taking over
all responsibility for setting up the session. You can configure it to
let the server handle the call, and only step in if there is a problem
by configuring watch mode:
Router1(config)#ip tcp intercept mode watch

Nagle congestion control algorithm
The Nagle Algorithm prevents excessive bandwith
utilization by applications that send many small packets.
It allows slight delays before sending individual small
packets in order to combine them into a single larger
packet.
Router1(config)#(config)#service nagle

Limit embryonic TCP connections
To help limit the vulnerability to TCP SYN-Flood
attacks, use the global configuration ip tcp
synwait-time command to limit the seconds
that the router spends waiting for the ACK
before giving up on a half-open connection
Router1(config)#ip tcp synwait-time 10

TCP selective acknowledgment
The TCP selective acknowledgment mechanism helps
overcome these limitations.
The receiving TCP returns selective acknowledgment
packets to the sender, informing the sender about data
that has been received. The sender can then retransmit
only the missing data segments.
Router1(config)#ip tcp selective-ack

Access
Before deciding how to control router
access, ask these questions?
• Who needs access?
• When do they need access?
• From where do they need
access?
• During what time schedule
do they need access?

Basic Authentication
 Basic authentication stores passwords as clear text
 Use
(config)#service password-encryption
– Encrypts passwords using a Vigenere cipher.
– Can be cracked relatively easily
– Does not encrypt SNMP community strings
– no enable password
 Use
(config)# enable secret <password>
– Encrypts passwords using a MD5 hash

Line Authentication (VTY, CON, AUX)
Use Access List to control VTY access
access-list 1 permit host 10.1.1.2
line vty 0 4
password 7 12552D23830F94
exec-timeout 5 0
access-class 1 in
login
transport input telnet ssh
Control CON access
line con 0
password 7 12552D23830F94
exec-timeout 5 0
login
Control AUX access
line aux 0
no exec
exec-timeout 0 0
no login
transport input none
transport output none

AAA
Secure user logins with AAA on all ports,
virtual and physical
– Local AAA (username)
– RADIUS (Steel Belted Radius)
– TACACS+ (Cisco Secure ACS)
Use privilege levels to control granular
access to commands

AAA Example for TACACS/RADIUS
Secure user logins with AAA on all ports,
virtual and physical
aaa new-model
aaa authentication login default group tacacs+|radius local
aaa authorization exec default group tacacs+|radius local
username backup privilege 7 password 0 backup
tacacs-server host 171.68.118.101
tacacs-server key cisco
radius-server host 171.68.118.101
radius-server key cisco
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure

You can do with the Cisco IOS service command
 The TCP keepalive capability
allows a router to detect when the host with which it is communicating
experiences a system failure, even if data stops being transmitted (in
either direction). This is most useful on incoming connections.
For example, if a host failure occurs while talking to a printer, the
router might never notice, because the printer does not generate any
traffic in the opposite direction. If keepalives are enabled, they are
sent once every minute on otherwise idle connections. If five minutes
pass and no keepalives are detected, the connection is closed.
(config)#service tcp-keepalives-in
(config)#service tcp-keepalives-out

You can do with the Cisco IOS service command
 service timestamps
You can use the service timestamps command to create
timestamps on the router’s log files.
Since version 11.3, the Cisco IOS has enabled certain timestamps by
default, so most of us have this on.
However, there are additional timestamps options that you can enable
as well as places where timestamps are probably off by default.
(config)#service timestamps message-type [uptime]
(config)#service timestamps message-type datetime [msec]
[localtime] [show-timezone]

Verify that the EXEC process is disabled on the auxiliary (aux) port
Unused ports should be disabled, if not required, since they provide
a potential access path for attackers.
The auxiliary port is primarily used for dial-up administration, which
is rarely used, via an external modem.
Verify that the EXEC process is disabled on the auxiliary (aux) port
Unused ports should be disabled, if not required, since they provide
a potential access path for attackers.
The auxiliary port is primarily used for dial-up administration, which
is rarely used, via an external modem.
Disable Login Through AUX Port

VTYs and Remote Administration

Forbid CDP (Cisco Discovery Protocol)
Run Globally
The Cisco Discovery Protocol is a proprietary protocol that Cisco devices
use to identify each other on a LAN segment.
It is useful only in specialized situations, and is considered a security risk.
There have been published denial-of-service (DoS) attacks that use CDP.
CDP should be completely disabled unless there is a need for it.
The Cisco Discovery Protocol is a proprietary protocol that Cisco devices
use to identify each other on a LAN segment.
It is useful only in specialized situations, and is considered a security risk.
There have been published denial-of-service (DoS) attacks that use CDP.
CDP should be completely disabled unless there is a need for it.

Forbid tcp-small-servers,
udp-small-servers
TCP small services: echo, chargen and daytime (including UDP versions)
are rarely used.
Services that are not needed should be turned off because they present
potential avenues of attack and may provide information that could be
useful for gaining unauthorized access.
TCP small services: echo, chargen and daytime (including UDP versions)
are rarely used.
Services that are not needed should be turned off because they present
potential avenues of attack and may provide information that could be
useful for gaining unauthorized access.

Forbid Finger Service
Finger is used to find out which
users are logged into a device.
This service is rarely used in
practical environments and
can potentially provide an
attacker with useful
information.
Additionally, the finger service
can exposed the device Finger
of Death denial-of-service
(DoS) attack.

The HTTP server allows remote management of routers.
Unfortunately, it uses simple HTTP authentication which sends
passwords in the clear.
This could allow unauthorized access to, and [mis]management of the
router.
The HTTP server allows remote management of routers.
Unfortunately, it uses simple HTTP authentication which sends
passwords in the clear.
This could allow unauthorized access to, and [mis]management of the
router.
Forbid IP HTTP Server

HTTP Server with Access Control
(Not Recommended)

the async line BOOTP service should be disabled on your system if
you do not have a need for it in your network
the async line BOOTP service should be disabled on your system if
you do not have a need for it in your network
Disable Bootp Server

Forbid Remote Startup Configuration
Service config allows the device to autoload its startup configuration
from a remote device (e.g. a tftp server).
The protocols used to transfer configurations files. Since these
methods are insecure, an attacker could potentially compromise or
spoof the remote configuration service enabling malicious
reconfiguration of the device.
Service config allows the device to autoload its startup configuration
from a remote device (e.g. a tftp server).
The protocols used to transfer configurations files. Since these
methods are insecure, an attacker could potentially compromise or
spoof the remote configuration service enabling malicious
reconfiguration of the device.

PAD Service
(The packet assembler/disassembler service supports X.25 links)
To not accept incoming/outgoing X.25 Packet
Assembler/Disassembler (PAD) connections this global
configuration command should be used.
It is important to make sure this is disabled by default.
To not accept incoming/outgoing X.25 Packet
Assembler/Disassembler (PAD) connections this global
configuration command should be used.
It is important to make sure this is disabled by default.

Forbid IP source-route
Source routing is a feature of IP whereby individual
packets can specify routes. This feature is used in
several kinds of attacks.
Cisco routers normally accept and process source
routes. Unless a network depends on source
routing, it should be disabled.
Source routing is a feature of IP whereby individual
packets can specify routes. This feature is used in
several kinds of attacks.
Cisco routers normally accept and process source
routes. Unless a network depends on source
routing, it should be disabled.

Forbid IP Proxy ARP
Proxy ARP breaks the LAN
security perimeter, effectively
extending a LAN at layer 2
across multiple segments.
Disable proxy ARP on all
interfaces.
Proxy ARP breaks the LAN
security perimeter, effectively
extending a LAN at layer 2
across multiple segments.
Disable proxy ARP on all
interfaces.

Forbid IP Unreachable, Redirects, Mask
Replies
• Disable translation of directed to physical broadcasts on the same interface. This
configuration prevents against “smurf” attacks.
• Don’t allow redirect messages to pass through the router. ICMP redirects should be
disabled
• Make it more difficult for someone to scan for valid IP addresses by turning off ip
unreachables on all interfaces.
• To prevent the Cisco IOS software from responding to Internet Control Message
Protocol (ICMP) mask requests by sending ICMP mask reply messages
• Disable translation of directed to physical broadcasts on the same interface. This
configuration prevents against “smurf” attacks.
• Don’t allow redirect messages to pass through the router. ICMP redirects should be
disabled
• Make it more difficult for someone to scan for valid IP addresses by turning off ip
unreachables on all interfaces.
• To prevent the Cisco IOS software from responding to Internet Control Message
Protocol (ICMP) mask requests by sending ICMP mask reply messages

Forbid MOP
The Maintenance Operations Protocol (MOP)
was used for system utility services in the
DECnet protocol suite.
The Maintenance Operations Protocol (MOP)
was used for system utility services in the
DECnet protocol suite.

Disable Router Name and DNS Name
Resolution

Set a default DNS domain name
(needed for SSH)

Filtering Traffic to the Router
Itself

SNMP Service
(Recommend only SNMPv3 AuthNoPriv
& AuthPriv)

Filtering Traffic through the
Router

IP Address Spoof Protection (Inbound
Traffic)

IP Address Spoof Protection (Outbound
Traffic)

Limiting External Access with TCP
Intercept (If your IOS support it.)

ICMP Message Types and Traceroute

Distributed Denial of Service (DDoS)
Attacks

Disabling unneeded routing-
related services

Using filters to block routing
updates

First Define Access Control List

Filter Distributed List (OSPF)

Not enable OSPF on certain interfaces,

Overview and Motivations for Logging
 Recording router configuration changes and
reboots
 Recording receipt of traffic that violates
access lists
 Recording changes in interface and network
status
 Recording router cryptographic security
violations

Logging Types
 Console logging
 Terminal Line logging
 Buffered logging
 Syslog logging
 SNMP trap logging

Cisco Log Message Severity Levels

Format of a Cisco IOS Log Message

Setting up Console and Buffered
Logging

Setting up Terminal Line Logging

A Small Syslog Configuration
server host

Centralized Syslog Configuration

Time Services, Network Time
Synchronization and NTP

Configuring NTP Authentication

Configuring SNMP - Getting Started

Update Procedure
 TFTP
 See Cisco web sites concerning particular
model of router or switch

Router Status and
Configuration Commands

Viewing the current configuration
 show startup-config
 show running-config

Viewing currently running processes
 show process

Router Throughput and Traffic
Commands

Viewing IP Protocol Statistics
 show ip traffic.

Viewing SNMP Protocol Statistics

configure debugging and turn on
debugging messages for ICMP.

Security for Router Network
Access Services

AAA
 Authentication
 Authorization
 Accounting

Types of accounting
 There are several types of accounting which
can be enabled and configured separately:
exec, network, connection, command,
system.
 All types are supported by TACACS+, but
RADIUS does not support command or
system.

 network accounting
– Provides information for PPP, SLIP, and ARAP
protocols. The information includes the number
of packets and bytes.
 EXEC accounting
– Provides information about user EXEC sessions
on the router. The information includes the
username, date, start and stop times, IP address
of access server, and telephone number the call
originated from for dial-in users.
 Connection accounting
– Provides information about all outbound
connections made from the network access
server. This includes telnet, rlogin, etc.

 Command accounting
– This applies to commands which are entered in
an EXEC shell. This option will apply accounting
to all commands issued at the specified
privilege level. If accounting is turned on for
level 15 and user logged in at enable level 15
runs a level 1 exec command no accounting
event will be generated. Account records are
generated based upon the level of the command
not the level of the user. Accounting records will
include the command, date, time, and the user.
Cisco IOS does not support command
acccounting with RADIUS.
 System
– Provides information about system-level events.
This would include information like system

AAA accounting requirement
 AAA accounting requires that
– AAA is enabled,
– security servers are defined, and
– that a security server is specified for each
accounting type which is desired.

Method Lists and Server Groups

The authentication commands used for
defining messages

The default method list designates
RADIUS

Authorization
 There are two primary scenarios where
authorization is useful.
 First, if the router is used for dial in access,
authorization is useful for controlling who
can access network services, etc. and who
can access and configure the router.
 Second, authorization can control different
administrators who have access to different
privilege levels on the router.

Configuration of TACACS+ accounting:

Configuration of RADIUS accounting

Hardening Cisco Switch
(Based on NSA Cisco IOS
Switch Security Configuration
Guide)

Restricting a port statically on a
Catalyst 3550 switch.

A strict security
“unused” macro

A strictA strict
security “host”security “host”
macromacro

Configure access ports of the switch

Virtual Local Area Networks
(VLAN)

Create the out-of-band management
VLAN.

Create a management IP address

Assign the management VLAN to the
dedicated interface.

Ensure all trunk ports will not carry the
management VLAN

Assigned the following name for VLAN
1.

Assign all inactive interfaces to an
unused VLAN (not VLAN1)

Virtual Trunking Protocol (VTP)

Dynamic Trunking Protocol (DTP)
 A port may use the Dynamic Trunking
Protocol (DTP) to automatically negotiate
which trunking protocol it will use, and how
the trunking protocol will operate.

VLAN Hopping
 In certain situations it is possible to craft a
packet in such a way that a port in trunking
mode will interpret a native VLAN packet as
though it were from another VLAN, allowing
the packet to become a member of a different
VLAN.
 This technique is known as VLAN hopping.

STP Portfast Bridge Protocol Data Unit
(BPDU) Guard

205
(config)#no ip bootp server
(config)#no tcp-small-servers
(config)#no udp-small-servers
(config)#service time log datetime localtime show-timezone msec
(config)#service time debug datetime localtime show-timezone msec
logging x.x.x.x
logging trap debugging
logging source loopback0
logging buffered 64000 debugging
ntp authentication-key 10 md5 <key>
ntp authenticate
ntp trusted-key 10
ntp server x.x.x.x [key 10]
ntp access-group peer 20
access-list 20 permit host x.x.x.x
access-list 20 deny any
(config)#no (config)#service
(config)#no (config)#service
(config)#no ip http server
(config)#no ip source-route
(config)#no cdp run
(config)#no boot network
(config)#no (config)#service config
(config)#no ip subnet-zero
(config)#no ip identd
(config)#no ip finger
(config)#service nagle
Configuration basics (1)
 Turn off all the unneeded (config)#services
 Use syslog
 Use (authenticated) NTP

In depth understanding network security

More Related Content

Viewers also liked (8)

Similar to In depth understanding network security (20)

Recently uploaded (20)

In depth understanding network security

Editor's Notes