© 2007 cisco systems, inc. all rights reserved.iscw-mod5_l1 1 implementing secure converged wide...
TRANSCRIPT
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 1
Implementing Secure Converged Wide Area Networks (ISCW)
Module 5 – ‘Cisco Device Hardening’
IDS = Intrution Detection System
IPS = Intrution Protection System
HIPS = Host Intrution Protection System
Encryption /
Access control configuration /
Den nye opdateret version hedder: RFC 3704 filtering
Worm Attack, Mitigation and Response
The anatomy of a worm attack has three parts:
The enabling vulnerability: A worm installs itself on a vulnerable system
Propagation mechanism: After gaining access to devices, a worm replicates and selects new targets
Payload: Once the worm infects the device, the attacker has access to the host – often as a privileged user. Attackers use a local exploit to escalate their privilege level to administrator.
Worm attack mitigation
Worm attack mitigation requires diligence on the part of system and network administration staff.
Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident.
Recommended steps for worm attack mitigation:
Containment: Contain the spread of the worm into your network and within your network. Compartmentalise uninfected parts of your network.
Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems.
Quarantine: Track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network.
Treatment: Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.
SNMP v3 er krypteret og sikker.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 12
Disabling Unused Cisco Router Network Services and Interfaces
Unnecessary Services and Interfaces
Router Service Default Best Practice
BOOTP server Enabled Disable
Cisco Discovery Protocol (CDP) Enabled Disable if not required
Configuration auto-loading Disabled Disable if not required
FTP server Disabled
Disable if not required.
Otherwise encrypt traffic within an IPsec tunnel.
TFTP server Disabled
Disable if not required.
Otherwise encrypt traffic within an IPsec tunnel.
Network Time Protocol (NTP) service Disabled
Disable if not required.
Otherwise configure NTPv3 and control access between permitted
devices using ACLs.
Packet assembler and disassembler (PAD) service
Enabled Disable if not required
TCP and UDP minor servicesEnabled (pre
11.3)
Disabled (11.3+) Disable if not required
Maintenance Operation Protocol (MOP) service
Enabled Disable explicitly if not required
Commonly Configured Management Services
Management ServiceEnabled by
DefaultBest Practice
Simple Network Management Protocol (SNMP) EnabledDisable the service. Otherwise
configure SNMPv3.
HTTP configuration and monitoring Device dependent
Disable if not required.
Otherwise restrict access using ACLs.
Domain Name System (DNS) Client Service – Enabled
Disable if not required.
Otherwise explicitly configure the DNS server address.
Path Integrity Mechanisms
Path Integrity MechanismEnabled by
DefaultBest Practice
ICMP redirects Enabled Disable the service
IP source routing Enabled Disable if not required.
Probe and Scan Features
Probe and Scan FeatureEnabled by
DefaultBest Practice
Finger service Enabled Disable if not required.
ICMP unreachable notifications EnabledDisable explicitly on untrusted
interfaces.
ICMP mask reply DisabledDisable explicitly on untrusted
interfaces.
Terminal Access Security
Terminal Access SecurityEnabled by
DefaultBest Practice
IP identification service Enabled Disable
TCP Keepalives Disabled Enable
ARP Service
ARP ServiceEnabled by
DefaultBest Practice
Gratuitous ARP Enabled Disable if not required.
Proxy ARP Enabled Disable if not required.
AutoSecure Functions
AutoSecure can selectively lock down:Management plane services and functions:
Finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask-replies), directed broadcast, MOP, banner
Also provides password security and SSH access
Forwarding plane services and functions:
CEF, traffic filtering with ACLs
Firewall services and functions:
Cisco IOS Firewall inspection for common protocols
Login functions:
Password security
NTP protocol
SSH access
TCP Intercept services
Syntax:
Router#Auto Secure ? Forwarding Secure Forwarding Plane Management Secure Management Plane No-interact Non-Interactive session of AutoSecure <cr>
SSH-ConfigurationRouter(Config)#ip domain-name [Domæne navn]Router(Config)#crypto key genereate rsa ?
General-keys Generate a general purpose RSA key pair for signing and encryption Usage-keys Generate seperate RSA key pairs for signing and encryption <cr>
Router(Config)# crypto key genereate rsa general-keys modulus [modulus = nøgle størrelse i bit (360-2048)]
Nøgler over 512 bit anbefales, normalt bruges 1024 bit.
AutoSecure Failure Rollback Feature
If AutoSecure fails to complete its operation, the running configuration may be corrupt:
In Cisco IOS Release 12.3(8)T and later releases:
Pre-AutoSecure configuration snapshot is stored in the flash under filename pre_autosec.cfg
Rollback reverts the router to the router’s pre-autosecure configuration
Command: configure replace flash:pre_autosec.cfg
If the router is using software prior to Cisco IOS Release 12.3(8)T, the running configuration should be saved before running AutoSecure.
Locking Down Routers with Cisco SDM
SDM simplifies router and security configuration through smart wizards that help to quickly and easily deploy, configure, and monitor a Cisco router without requiring knowledge of the CLI
SDM simplifies firewall and IOS software configuration without requiring expertise about security or IOS software
SDM contains a Security Audit wizard that performs a comprehensive router security audit
SDM uses security configurations recommended by Cisco Technical Assistance Center (TAC) and the International Computer Security Association (ICSA) as the basis for comparisons and default settings
The Security Audit wizard assesses the vulnerability of the existing router and provides quick compliance to best-practice security policies
SDM can implement almost all of the configurations that AutoSecure offers with the One-Step Lockdown feature
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 23
Securing Cisco Router Administrative Access
Setting a Login Failure Blocking Period
router(config)#
login block-for seconds attempts tries within seconds
• Blocks access for a quiet period after a configurable number of failed login attempts within a specified period
• Must be entered before any other login command
• Mitigates DoS and break-in attacks
Perth(config)#login block-for 100 attempts 2 within 100
Excluding Addresses from Login Blocking
router(config)#
login quiet-mode access-class {acl-name | acl-number}
• Specifies an ACL that is applied to the router when it switches to the quiet mode
• If not configured, all login requests will be denied during the quiet mode
• Excludes IP addresses from failure counting for login block-for command
Perth(config)#login quiet-mode access-class myacl
Setting a Login Delay
router(config)#
login delay seconds
• Configures a delay between successive login attempts
• Helps mitigate dictionary attacks
• If not set, a default delay of one second is enforced after the login block-for command is configured
Perth(config)#login delay 30
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 27
Configuring Role-Based CLI
Role-Based CLI Overview
Root view is the highest administrative view
Creating and modifying a view or ‘superview’ is possible only from root view
The difference between root view and privilege Level 15 is that only a root view user can create or modify views and superviews
CLI views require AAA new-model:
This is necessary even with local view authentication
View authentication can be offloaded to an AAA server using the new attribute "cli-view-name"
A maximum of 15 CLI views can exist in addition to the root view
Getting Started with Role-Based CLI
router#
enable [privilege-level] [view [view-name]]
• Enter a privilege level or a CLI view.• Use enable command with the view parameter to enter the
root view.• Root view requires privilege Level 15 authentication. • The aaa-new model must be enabled.
Perth(config)#aaa new-modelPerth(config)#exitPerth#enable viewPassword:Perth#%PARSER-6-VIEW_SWITCH: successfully set to view 'root'
Configuring CLI Views
router(config)#
• Creates a view and enters view configuration mode
Perth(config)#parser view monitor_viewPerth(config-view)#password 5 hErMeNe%GiLdE!Perth(config-view)#commands exec include show version
parser view view-name
router(config-view)#
password 5 encrypted-password
commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
• Sets a password to protect access to the view• Adds commands or interfaces to a view
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 31
Mitigating Threats and Attacks with Access Lists
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 32
Configuring SNMP
SNMPv1 and SNMPv2 Architecture
SNMP asks agents embedded in network devices for information or tells the agents to do something.
Community Strings
In effect, having read-write access is equivalent to having the enable password!
SNMP agents accept commands and requests only from SNMP systems that use the correct community string.
By default, most SNMP systems use a community string of “public”
If the router SNMP agent is configured to use this commonly known community string, anyone with an SNMP system is able to read the router MIB
Router MIB variables can point to entities like routing tables and other security-critical components of a router configuration, so it is very important that custom SNMP community strings are created
!
SNMPv3 Features and Benefits
Features – Message integrity: Ensures that a packet has not been tampered with in transit
– Authentication: Determines that the message is from a valid source
– Encryption: Scrambles the contents of a packet to prevent the packet from being seen by an unauthorised source
Benefits – Data can be collected securely from SNMP devices without fear of the data being tampered with or corrupted
– Confidential information, such as SNMP Set command packets that change a router configuration, can be encrypted to prevent the contents from being exposed on the network
It is strongly recommend that all network management systems use SNMPv3 rather than SNMPv1 or SNMPv2
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 36
Configuring NTP on Cisco Routers
NTP-Authentication
NTP-Server
NTP-Associations
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 40
Configuring AAA on Cisco Routers
The Three Components of AAA
Authentication
Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption
Authorisation
Provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet
Accounting
Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes
AAA Protocols: RADIUS and TACACS+
AAA-Server Configuration
AAA-Authentication Configurations CLI
AAA-Authorization Configuration
AAA-Authorization Configuration
AAA-Accounting Configuration
AAA-Accounting Configuration