Security of Network Elements
Cisco
Rafael Vida, 2004
Index (I)
- Introduction
- General situation
- Routers: security policy; purpose of a router; basic router functional architecture
- Protecting the network with the router

Index (II)
- Protecting the router itself: attacks on routers; managing the router (SNMP, SSH)
- Security policy for Cisco routers
- Implementing security: E-Policy
- AAA
- Remote access: logins, privileges, passwords and accounts

Index (III)
- Filtering: ACL, CAR
- RAT (Router Audit Tool)
Introduction

Purpose of a router: directing packets (routing protocols); filtering (ACLs); modifying packet headers (NAT, PAT).
Hardware: CPU and memory: RAM, NVRAM, Flash and ROM (PROM, EEPROM). The startup configuration is kept in NVRAM, the running configuration in RAM and the IOS image in Flash.
A router has no hard disk, floppy, CD-ROM, etc.
Introduction
[Figure: basic router functional architecture. Networks 0, 1, ..., n attach through interfaces 0, 1, ..., n to the routing fabric, which is driven by the CPU and the configuration; a console port gives local access to the router.]
Security Policy

Router security layers
What can be accessed: physical access; electrical access; administrative access; software access; routing protocols; management protocols; access to the networks that the router serves.
What must be protected: physical integrity; the core; the static configuration; the dynamic configuration; network traffic.
Security Policy: Checklist
Physical security: who is authorized to install, de-install, move, etc.; who may make physical connections to the router; console and direct ports; recovery procedures.
Static configuration: who is authorized to log into the router; roles; password policy; log policy; procedures and limits of use.
Security Policy: Checklist
Dynamic configuration security: services permitted on the router; routing protocols, clock (NTP); procedures for key agreement and cryptographic algorithms.
Compromise response: ITO?, Netcool?, ...; response procedures, authorities and objectives for the response after a successful attack against the network; the law.

Security Policy: Checklist
Network service security: procedures and roles for interactions with external service providers and maintenance technicians; protocols, ports, services, etc.
[Figure: zones served by the router: Internet, DMZ, management network.]
Protecting networks and routers

Protecting the networks
Router classification by functionality: internal routers; backbone routers; border routers (EDCs).

Protecting the router: attacks
Unauthorized access; session hijacking; rerouting; DoS; DDoS (!); SNMP attacks.
Protecting the router: Managing
[Figure: management architecture. A customer-managed firewall (FW_Cliente) in front of the customer LAN (LAN_Cliente), with its firewall policy set by the management centre; the local management centre firewall (FW_CGP) at the central point; the EDCs are reached over PVCs carrying the local management service.
Accounting between the EDCs and the CGP: TACACS+, Telnet, TFTP, SNMP, ...
Traffic between the EDCs and central management: SNMP, Syslog, ICMP, ...
Traffic between the CGP and central management, through a firewall: SSH, office applications, Vantive, ...
Central management centre.]
Protecting the router: Managing
Local access only for emergencies. Audit. Telnet (?!), SSH, SNMP access.
Limit the connections: ACLs.
AAA: logging and accounting (TACACS+); auditing; authorizing.

Implementing: E-Policy
Cisco

Router Access Security
Physical security. Software upgrade: minimum 12.0.*, recommended 12.0.9. Virtual interfaces: a loopback interface never goes down, so it gives management and peering sessions a stable address.

Central# config t
Enter configuration commands, one per line.  End with CNTL/Z.
Central(config)# interface loopback0
Central(config-if)# description Main loopback interface
Central(config-if)# ip address 14.2.11.250 255.255.255.255
Central(config-if)# end
Central#
Login Banners and motd
Banner: no network-architecture information and no router configuration details. Example (translated from the Spanish original):

NOTICE: you have accessed a system owned by TELEFONICA. You must have authorization before using it, and you are strictly limited to the use stated in that authorization. Unauthorized access to this system, or misuse of it, is prohibited and contrary to the Corporate Security Policy and to current legislation. If you disclose internal information of TELEFONICA or of its customers without prior authorization, you may be in breach of the Corporate Regulations, which could even constitute a crime or offence.
Login

Console
Central# config t
Enter configuration commands, one per line.  End with CNTL/Z.
Central(config)# line con 0
Central(config-line)# transport input none
Central(config-line)# login local
Central(config-line)# exec-timeout 5 0
Central(config-line)# exit
Central(config)#

VTYs and remote administration: privilege levels (16 levels, 0 to 15); a different account per administrator; service password-encryption.
service password-encryption hides the SNMP, RADIUS, TACACS+, NTP and peer-authentication keys in the configuration listing, but it uses the reversible type 7 scheme, so it only protects against casual reading of the listing; use "enable secret" (a type 5 hash) for the enable password.
Auxiliary port disabled.
Remote Access (from most to least restrictive)
1. No remote: administration is performed on the console only.
2. Remote, internal only, with AAA: administration can be performed on the router from a trusted internal network only, and AAA is used for access control.
3. Remote, internal only: administration can be performed on the router from the internal network only.
4. Remote, external, with AAA: administration can be performed over both internal and external connections and uses AAA for access control.
5. Remote, external: administration can be performed over both internal and external connections.
AAA
Authentication: over SSH or IPsec. Authorization: command by command; everything not explicitly allowed is denied. Accounting: the basis for forensic analysis. Keep the running configuration and the startup configuration synchronized. TFTP is dead: it transfers configurations without authentication or encryption.
Services

Access Control List
Standard: access-list list-number {deny | permit} source [source-wildcard] [log]
Extended: access-list list-number {deny | permit} protocol source source-wildcard source-qualifiers destination destination-wildcard destination-qualifiers [log | log-input]
Entries are evaluated in order and the first match wins; every list ends with an implicit deny of everything else.
Defense

Spoofing
ACL: ingress filtering on the external interface, dropping packets that claim an internal (or loopback/reserved) source address.

TCP SYN attack (TCP intercept)
East(config)# ip tcp intercept list 107
East(config)# access-list 107 permit tcp any 14.2.6.0 0.0.0.255
East(config)# access-list 107 deny ip any any log
East(config)# interface eth 0/0
East(config-if)# description "External 10mb ethernet interface"
East(config-if)# ip access-group 107 in
Note: list 107 selects the connections that TCP intercept protects; binding the same list inbound on the interface also drops every non-TCP packet (UDP, ICMP) to 14.2.6.0/24, because the list has no other permit entry.
Defense

LAND attack (source address equal to the router's own interface address)
East(config)# access-list 100 deny ip host 14.1.1.20 host 14.1.1.20 log
East(config)# access-list 100 permit ip any any
East(config)# interface eth0/0
East(config-if)# description External interface to 14.1.0.0/16
East(config-if)# ip address 14.1.1.20 255.255.0.0
East(config-if)# ip access-group 100 in
East(config-if)# exit

Smurf (packets to the broadcast and network addresses of 14.2.6.0/24)
East(config)# access-list 110 deny ip any host 14.2.6.255 log
East(config)# access-list 110 deny ip any host 14.2.6.0 log
East(config)# access-list 110 permit ip any any
East(config)# interface eth0/0
East(config-if)# ip access-group 110 in
East(config-if)# exit
The permit entry is required: without it the implicit deny at the end of list 110 blocks all inbound traffic. Also disable the amplifier itself on every interface with "no ip directed-broadcast" (the default since IOS 12.0).
Defense

DDoS (blocking the control ports of known agents)
! the TRINOO DDoS system
access-list 170 deny tcp any any eq 27665 log
access-list 170 deny udp any any eq 31335 log
access-list 170 deny udp any any eq 27444 log
! the Stacheldraht DDoS system
access-list 170 deny tcp any any eq 16660 log
access-list 170 deny tcp any any eq 65000 log
! the TrinityV3 system
access-list 170 deny tcp any any eq 33270 log
access-list 170 deny tcp any any eq 39168 log
! the SubSeven DDoS system and some variants
access-list 170 deny tcp any any range 6711 6712 log
access-list 170 deny tcp any any eq 6776 log
access-list 170 deny tcp any any eq 6669 log
access-list 170 deny tcp any any eq 2222 log
access-list 170 deny tcp any any eq 7000 log
These entries only catch agents that keep their default ports. The list must be followed by the permit entries for legitimate traffic before it is bound to an interface, or the implicit deny drops everything.
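The ACLs in the Filtering and Defense slides (lists 100, 107, 110, 170) are easy to get wrong in two ways that the router will not warn about: a list with only deny entries drops everything because of the implicit deny, and an entry placed after a wider one is never reached. The following Python simulator is an added example, not code from the slides or from Cisco: it reproduces the IOS first-match and wildcard-mask semantics and lints a list for those two faults. Lists 100, 107 and 110 are the slides' own; list 120 (an anti-spoofing ingress filter, with 14.2.6.0/24 assumed as the internal prefix), list 130 (a mis-ordered LAND list) and all packets are constructed for the example.

```python
"""Added example (not from the original slides): a simulator of Cisco IOS
extended-ACL semantics, for checking the LAND, TCP-intercept, Smurf and DDoS
lists above before they are bound to an interface. Reproduced rules: top-down,
first match wins; an implicit "deny ip any any" at the end; a wildcard mask is
an inverted netmask (1 bit = don't care); "host A" = "A 0.0.0.0", "any" =
"0.0.0.0 255.255.255.255". Lists 100, 107 and 110 are the slides' own; list 120
(anti-spoofing, assumed internal prefix 14.2.6.0/24) and list 130 (a mis-ordered
LAND list) are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: int                    # addresses and wildcards as 32-bit ints
    src_wc: int
    dst: int
    dst_wc: int
    dport: Optional[int]        # from "eq PORT"; None = any port

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (addr, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2

def parse_acls(text: str) -> Dict[int, List[Entry]]:
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT] [log]' lines into {N: entries}."""
    acls: Dict[int, List[Entry]] = {}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] != "access-list":      # skips "!" comments and blank lines
            continue
        src, src_wc, i = _parse_addr(tok, 4)
        dst, dst_wc, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        acls.setdefault(int(tok[1]), []).append(
            Entry(tok[2], tok[3], src, src_wc, dst, dst_wc, dport))
    return acls

def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); index None is the implicit deny."""
    src, dst = _ip(p.src), _ip(p.dst)
    for idx, e in enumerate(entries):
        if e.proto not in ("ip", p.proto):
            continue
        # compare only the bits the wildcard does not mask out
        if (src & ~e.src_wc) != (e.src & ~e.src_wc) or (dst & ~e.dst_wc) != (e.dst & ~e.dst_wc):
            continue
        if e.dport is not None and e.dport != p.dport:
            continue
        return e.action, idx
    return "deny", None

def _covers(a: Entry, b: Entry) -> bool:
    """True if a matches every packet b matches, so b can never be reached after a."""
    if a.proto not in ("ip", b.proto) or (a.dport is not None and a.dport != b.dport):
        return False
    for ba, wa, bb, wb in ((a.src, a.src_wc, b.src, b.src_wc), (a.dst, a.dst_wc, b.dst, b.dst_wc)):
        if (wa | wb) != wa or (ba & ~wa) != (bb & ~wa):   # a's wildcard must be at least as wide
            return False
    return True

def lint(entries: List[Entry]) -> List[str]:
    """Flag a list that permits nothing and entries shadowed by an earlier, wider one."""
    issues = [] if any(e.action == "permit" for e in entries) else [
        "no permit entry: the implicit deny drops all traffic"]
    for j, e in enumerate(entries):
        for i in range(j):
            if _covers(entries[i], e):
                issues.append(f"entry {j} is shadowed by entry {i}")
                break
    return issues

ACL_TEXT = """
access-list 100 deny ip host 14.1.1.20 host 14.1.1.20 log
access-list 100 permit ip any any
access-list 107 permit tcp any 14.2.6.0 0.0.0.255
access-list 107 deny ip any any log
access-list 110 deny ip any host 14.2.6.255 log
access-list 110 deny ip any host 14.2.6.0 log
access-list 120 deny ip 14.2.6.0 0.0.0.255 any log
access-list 120 deny ip 127.0.0.0 0.255.255.255 any log
access-list 120 permit ip any any
access-list 130 permit ip any any
access-list 130 deny ip host 14.1.1.20 host 14.1.1.20 log
"""
ACLS = parse_acls(ACL_TEXT)
```

Running `lint(ACLS[110])` reports that the Smurf list as written on the slide permits nothing, `lint(ACLS[130])` reports that the deny entry can never be reached, and `evaluate(ACLS[107], Packet("udp", "198.51.100.5", "14.2.6.10", 53))` returns ("deny", 1), which is the side effect of binding the TCP-intercept list to the interface.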
Committed Access Rate
rate-limit {input | output} [access-group [rate-limit] acl] token-bit-rate burst-normal-size burst-excess-size conform-action action exceed-action action

Example: limit inbound TCP SYN packets that do not belong to an established connection to 64 kbit/s, with 8000-byte normal and excess bursts:
north(config)# no access-list 160
north(config)# access-list 160 deny tcp any any established
north(config)# access-list 160 permit tcp any any syn
north(config)# interface eth0/0
north(config-if)# rate-limit input access-group 160 64000 8000 8000 conform-action transmit exceed-action drop
north(config-if)# end
RAT (Router Audit Tool): changes in the rule set
- SSH has been added to Level 2.
- The user is given a choice between telnet and SSH.
- Separate access control lists are used for telnet and SSH.
- "exec-timeout" increased to 10 minutes.
- Comments about password reuse added.
- Level 2 authentication now requires a local username; the prohibition against local usernames in Level 2 was removed.
- "no ip proxy-arp" moved to Level 2.
- Egress filters may be applied on internal interfaces.
- Documented preference for SNMP v3 if SNMP is used.
- Rule to forbid SNMP without an ACL moved to Level 1.
- Loopback rules refer the user to local policy.
- Timestamp debug rule added to Level 1.
- Added a note about line passwords being redundant.
- The user can now specify the AAA name-list variable ("default", "local_auth", ...); this was needed to support the "auto-secure" feature of IOS 12.3.
- Exec timeout is now a maximum value for all lines (con 0, aux 0), not an exact value, so the rules accept settings that are shorter or more restrictive without flagging an error.
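The E-Policy slides (console, VTYs, banner, password encryption, aux port, AAA) and the RAT rules above amount to a checklist that can be run against a running-config. The following Python audit is an added example, not RAT's own code and not from the slides: it parses a configuration into global commands and interface/line blocks and reports one finding per violated rule. Both configurations are constructed for the example (the enable-secret hash, community string and addresses are placeholders), and the 10-minute exec-timeout ceiling is taken from the RAT changelog above.

```python
"""Added example (not from the slides, not RAT's code): audit an IOS running-config
against the rules this deck lists. Both configs are constructed; the hash and
addresses are placeholders; the 10-minute exec-timeout limit is RAT's level-2 value."""
import re

MAX_EXEC_TIMEOUT_MIN = 10   # RAT level-2 maximum, from the changelog above


def parse_config(text):
    """Return (global commands, {'interface X' | 'line Y': [indented sub-commands]})."""
    top, blocks, cur = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and cur is not None:
            blocks[cur].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            cur = raw.strip()
            blocks[cur] = []
        elif raw.strip() and not raw.startswith("!"):
            cur = None
            top.append(raw.strip())
    return top, blocks


def exec_timeout_min(sub):
    """Idle minutes before the session is dropped: IOS default 10, '0 0' means never."""
    for s in sub:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", s)
        if m:
            mins, secs = int(m.group(1)), int(m.group(2) or 0)
            return float("inf") if mins + secs == 0 else mins + secs / 60
    return 10.0


def audit(text):
    """One finding per violated rule; an empty list means the config passes."""
    top, blocks = parse_config(text)
    f = []
    for prefix, msg in (("enable secret", "no 'enable secret' (type 7 'enable password' is reversible)"),
                        ("service password-encryption", "'service password-encryption' missing"),
                        ("banner", "no login/motd banner")):
        if not any(g.startswith(prefix) for g in top):
            f.append(f"global: {msg}")
    for m in (re.match(r"snmp-server community (\S+)(?: R[OW])?(?: (\S+))?$", g) for g in top):
        if m and m.group(1).lower() in ("public", "private"):
            f.append(f"snmp: default community string '{m.group(1)}'")
        if m and m.group(2) is None:
            f.append(f"snmp: community '{m.group(1)}' has no access-list")
    for hdr, sub in blocks.items():
        if hdr.startswith("interface "):
            if "ip directed-broadcast" in sub:
                f.append(f"{hdr}: ip directed-broadcast enabled (smurf amplifier)")
            if "loopback" not in hdr.lower() and "no ip proxy-arp" not in sub:
                f.append(f"{hdr}: 'no ip proxy-arp' missing")
            continue
        if exec_timeout_min(sub) > MAX_EXEC_TIMEOUT_MIN:
            f.append(f"{hdr}: exec-timeout above {MAX_EXEC_TIMEOUT_MIN} min or disabled")
        if "no exec" not in sub and not any(s.startswith(("login local", "login authentication")) for s in sub):
            f.append(f"{hdr}: no 'login local' / 'login authentication' (no per-user accounts)")
        ti = next((s for s in sub if s.startswith("transport input")), None)
        if hdr.startswith("line vty"):
            if ti != "transport input ssh":
                f.append(f"{hdr}: transport input is {ti!r}, expected 'transport input ssh'")
            if not any(s.startswith("access-class") for s in sub):
                f.append(f"{hdr}: no access-class restricting management sources")
        elif ti != "transport input none":          # con 0 and aux 0
            f.append(f"{hdr}: transport input should be 'none'")
    return f


WEAK_CONFIG = """\
enable password 7 0822455D0A16
snmp-server community public RO
interface Ethernet0/0
 ip address 14.1.1.20 255.255.0.0
 ip directed-broadcast
line aux 0
 login
line vty 0 4
 login
 exec-timeout 0 0
 transport input telnet ssh
"""
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$salt$placeholderhash
banner motd ^C Authorized use only. Activity is monitored. ^C
snmp-server community S3cr3tR0 RO 10
interface Ethernet0/0
 ip address 14.1.1.20 255.255.0.0
 no ip proxy-arp
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class 10 in
 login local
 exec-timeout 10 0
 transport input ssh
"""
```

`audit(WEAK_CONFIG)` returns thirteen findings, from the missing enable secret down to the VTYs that still accept telnet without an access-class; `audit(HARDENED_CONFIG)` returns an empty list. The checker deliberately treats a line with no exec-timeout as the IOS default of 10 minutes and "exec-timeout 0 0" as disabled, which is the distinction the RAT changelog's "maximum value" rule is about.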
End
Rafael Vida, 2004 [email protected]