Security - Geoff Huston

Transcription

Network Security
ISOC NTW 2000
NTW 2000, © 2000 Cisco Systems, Inc.

Introduction

Network Security Components

ISP Example (diagram)
The Internet and a Foreign Site; the ISP Service Plane with a T1 to the Customer Site, WWW, DNS1, Pub1 and Pub2; the ISP Management Plane with DNS2 and TFTP.

Enterprise Example (diagram)
Admin, WWW Server, DNS Server, Dial-Up Access, Business Partners.

Current Threats and Attack Methods

Attack Trends
- Exploiting passwords and poor configurations
- Software bugs
- Trojan horses
- Sniffers
- IP address spoofing
- Toolkits
- Distributed attacks

Attacks, 1988 to 2000 (chart)

Vulnerability Exploit Cycle (diagram)
- Novice intruders use crude exploit tools
- Automated scanning/exploit tools developed
- Crude exploit tools distributed
- Widespread use of automated scanning/exploit tools
- Intruders begin using new types of ...
Source: CERT Coordination Center

Increasingly Serious Impacts
- $10M transferred out of one banking system
- Loss of intellectual property: $2M in one case, the entire company in another
- Extensive compromise of operational systems: a 15,000-hour recovery operation in one case
- Alteration of medical diagnostic test results
- Extortion: demanding payments to avoid operational problems

Evolving Dependence
- Networked appliances/homes
- Wireless stock transactions
- On-line banking
- Critical infrastructures
- Business processes

The Community's ... Exploitation (chart): from 75% vulnerable to 100% vulnerable.
Source: Cisco Security Posture Assessments 1996-1999

Unauthorized ... 1996 to 2000 (chart)
Source: 2000 CSI/FBI Computer Crime and Security Survey

Conclusion
Sophisticated attacks + dependency + vulnerability

Classes of Attacks
- Reconnaissance: unauthorized discovery and mapping of systems, services, or vulnerabilities
- Access: unauthorized data manipulation, system access, or privilege escalation
- Denial of Service: disable or corrupt networks, systems, or services

Reconnaissance Methods
- Common commands and administrative utilities: nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl
- Public tools: sniffers, SATAN, SAINT, NMAP, custom scripts

Network Sniffers
A sniffer on the path sees the whole Telnet login to Router5 in clear text ("Got it!!"):

    telnet Router5
    User Access Verification
    Username: squiggie
    password: Sq%*jkl[;T
    Router5> ena
    Password: jhervq5
    Router5#

ISP Example (diagram, repeated)
The Internet and a Foreign Site; the ISP Service Plane with a T1 to the Customer Site, WWW, DNS1, Pub1 and Pub2; the ISP Management Plane with DNS2 and TFTP.

Enterprise Example (diagram, repeated)
Protected Network, Dial-Up Access, DNS Server, Business Partners.

nmap
network mapper is a utility for port scanning large networks:
- TCP connect() scanning
- TCP SYN (half open) scanning
- TCP FIN, Xmas, or NULL (stealth) scanning
- TCP ftp proxy (bounce attack) scanning
- SYN/FIN scanning using IP fragments (bypasses some packet filters)
- TCP ACK and Window scanning
- UDP raw ICMP port unreachable scanning
- ICMP scanning (ping-sweep)
- TCP Ping scanning
- Direct (non portmapper) RPC scanning
- Remote OS Identification by TCP/IP Fingerprinting (nearly 500)
- Reverse-ident scanning

nmap
Usage: nmap {Scan Type(s)} [Options] host or net list
Example:

    my-unix-host% nmap -sT my-router
    Starting nmap V. 2.53 by fyodor@insecure.org (www.insecure.org/nmap/)
    Interesting ports on my-router.example.com (10.12.192.1)
    (The 1521 ports scanned but not shown below are in state: closed)
    Port     State   Service
    21/tcp   open    ftp
    22/tcp   open    ssh
    23/tcp   open    telnet
    25/tcp   open    smtp
    37/tcp   open    time
    80/tcp   open    http
    110/tcp  open    pop-3
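The scan type used in the example above, nmap -sT, is the TCP connect() scan: the scanner completes a full three-way handshake on every port, which needs no raw-socket privilege but leaves a connection in the target's logs. The following is an added example, not code from the slide deck or from nmap: a minimal connect() scan in Python that reports open, closed and filtered ports, and a demo that scans a throwaway listener on 127.0.0.1 (a constructed target standing in for the router; the port numbers are whatever the OS hands out).

```python
import socket
import threading


def connect_scan(host, ports, timeout=0.5):
    """TCP connect() scan: one full three-way handshake per port.

    Returns {port: "open" | "closed" | "filtered"}. "closed" means a RST came
    back (nothing listening); "filtered" means no answer before the timeout,
    which is what a packet filter silently dropping the SYN looks like.
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:  # socket.timeout and unreachable errors
            results[port] = "filtered"
        finally:
            s.close()
    return results


def _listener():
    """A throwaway service on 127.0.0.1 standing in for the router's telnet daemon."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(1.0)  # the drain thread gives up a second after the demo ends

    def drain():  # accept and drop connections so the backlog never fills
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass  # listener closed or timed out

    threading.Thread(target=drain, daemon=True).start()
    return srv, srv.getsockname()[1]


def _unused_port():
    """Bind and release an ephemeral port so the scan also sees a closed port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def scan_local_demo():
    """Scan one listening and one closed port on localhost.

    Returns {"open_port": p1, "closed_port": p2, "states": {p1: ..., p2: ...}}.
    """
    srv, open_port = _listener()
    closed_port = _unused_port()
    try:
        states = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port, "states": states}


if __name__ == "__main__":
    demo = scan_local_demo()
    print("Port      State")
    for port, state in sorted(demo["states"].items()):
        print(f"{port}/tcp {state}")
```

The three outcomes are exactly what a target's filtering policy controls: a firewall that answers with RST makes every port look "closed", one that drops silently makes them "filtered", and only a completed handshake proves a listener. A SYN (half-open) scan differs only in sending RST instead of the final ACK, which requires raw sockets.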

Why Do You Care?
The more information you have, the easier it will be to launch a successful attack:
- Map the network
- Profile the devices on the network
- Exploit discovered vulnerabilities
- Achieve objective

Access Methods
- Exploiting passwords: brute force, cracking tools
- Exploit poorly configured or managed services: anonymous ftp, tftp, remote registry access, nis
- Trust relationships: rlogin, rexec, IP source routing
- File sharing: NFS, Windows File Sharing

Access Methods cont'd
- Exploit application holes. Mishandled input data: access outside application domain, buffer overflows, race conditions
- Protocol weaknesses: fragmentation, TCP session hijacking
- Trojan horses: programs that plant a backdoor into a host

IP Packet
Internet Protocol: IP is a connectionless network layer. SAP (service access point): 32-bit IP address. RFC 791, Sep 1981.

IP: Packet Format

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Identification        |Flags|      Fragment Offset    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Time to Live |    Protocol   |         Header Checksum       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Source Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Destination Address                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                      Internet Datagram Header (RFC 791)

IP Spoofing (diagram)
Attacker C sends A a datagram whose source address is B's ("Hi, my name is B"); A has no way to tell from the header alone that the packet did not come from B.

IP: Normal Routing (diagram)
Hosts A, B and C; routers Ra, Rb and Rc. Routing tables: A: "B, C via Ra"; Ra: "B via Rb, C via Rc"; Rb: "A, C via Ra; B via Ethernet". A datagram A -> B travels A, Ra, Rb, B.
Routing based on routing tables.

IP: Source Routing (diagram)
Same topology, but one router's table lists "B unknown" (it knows only "A, C via Rc"). A datagram from A to B carrying the source route option "A -> B via Ra, Rb" is still delivered, because each hop forwards it to the next address in the option instead of consulting its own routing table.
Routing based on IP datagram option.

IP Unwanted Routing (diagram)
Internet host C, DMZ router R1, intranet router R2 and internal host A. From the outside A is unknown (C: "A unknown, B via Internet"; R1: "A unknown, B via DMZ"), yet a datagram "C -> A via R1, R2" reaches the intranet: R1 forwards it to R2 as the source route says, and R2 knows "A via intranet, B via DMZ".

IP Unwanted Routing (Cont.) (diagram)
The same site with host B on a dial-up PPP link. B has "A via Ethernet, C via PPP" and is acting as a router; C has "A unknown, B via PPP". C sends "C -> A via B", and the datagram enters the intranet through B's modem, bypassing the DMZ entirely.

IP Spoofing Using Source Routing (diagram)
A's policy: "B is a friend, allow access". Attacker C sends datagrams with source address B and the source route "B -> A via C, Rc, Ra". A's replies travel back to "B" along the reversed route "A -> B via Ra, Rc, C", so they pass through C. Back traffic uses the same source route: unlike blind spoofing, C sees both directions of the conversation.

Transmission Control Protocol
TCP is a connection-oriented transport layer. RFC 793, Sep 1981. SAP: 16-bit TCP ports.

TCP Packet Format

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Sequence Number                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Acknowledgment Number                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Data |           |U|A|P|R|S|F|                               |
    | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
    |       |           |G|K|H|T|N|N|                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Checksum            |         Urgent Pointer        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             data                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                          TCP Header Format (RFC 793)

TCP connection establishment (diagram)
The slides write seq (x, y) for a segment carrying sequence number x and acknowledging y; "+n" counts the data bytes a side has already sent.
  B -> A: flags SYN, seq (Sb, ?)
  A -> B: flags SYN ACK, seq (Sa, Sb)
  B -> A: flags ACK, seq (Sb, Sa)
  A -> B: flags ACK, seq (Sa, Sb), data "Username:"

TCP blind spoofing (diagram)
C, masquerading as B, opens a connection to A:
  C -> A (source address B): flags SYN, seq (Sb, ?)
  A -> B: flags SYN ACK, seq (Sa, Sb)   [C never sees this]
  C -> A (source address B): flags ACK, seq (Sb, Sa)   [C guesses Sa]
  A -> B: flags ACK, seq (Sa, Sb), data "Username:"   [C never sees this]
  C -> A (source address B): flags ACK, data "<username>"   [sequence numbers guessed]
A believes the connection comes from B and starts the application (e.g. rlogin).

TCP blind spoofing (Cont.)
- C masquerades as B
- A believes the connection is coming from trusted B
- C does not see the back traffic
- For this to work, the real B must not be up (otherwise it would answer A's unexpected SYN ACK with a RST and tear the connection down), and C must be able to guess A's sequence number
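What made the guess feasible was the initial sequence number (ISN) generator of the TCP stacks of the day: a clock that advanced by a fixed amount per second and per connection, so one legitimate connection from the attacker's own address revealed the clock. The following is an added example, not from the slide deck: a model of the attack against such a generator and against an RFC 1948 style generator that mixes in a keyed hash of the address pair. The constants, addresses and timings are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed constants modelling a 1990s BSD-derived ISN generator: the ISN clock
# advanced by a fixed amount per second and by a fixed bump per connection.
ISN_PER_SECOND = 250_000
ISN_PER_CONNECTION = 64_000
MASK32 = 0xFFFFFFFF


class PredictableISN:
    """ISN = clock(now) + connections * bump. Anyone who opens one legitimate
    connection learns the clock and can extrapolate the next ISN."""

    def __init__(self):
        self.connections = 0

    def next_isn(self, now, *_four_tuple):  # the address pair is ignored
        self.connections += 1
        return (int(now * ISN_PER_SECOND) + self.connections * ISN_PER_CONNECTION) & MASK32


class HashedISN:
    """RFC 1948 style: clock + keyed hash of (src, sport, dst, dport). A probe
    from the attacker's own address reveals nothing about the offset A will use
    for B's address, so extrapolating the clock misses."""

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(16)

    def next_isn(self, now, src, sport, dst, dport):
        msg = f"{src}:{sport}>{dst}:{dport}".encode()
        offset = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return (int(now * ISN_PER_SECOND) + offset) & MASK32


def attacker_guess(observed_isn, t_observed, t_attack):
    """C's prediction: the ISN it saw, advanced by the clock and one connection."""
    elapsed = int(t_attack * ISN_PER_SECOND) - int(t_observed * ISN_PER_SECOND)
    return (observed_isn + elapsed + ISN_PER_CONNECTION) & MASK32


def blind_spoof(generator, t_probe=100.0, t_attack=100.5):
    """Model the attack on the slide with constructed addresses: A is the rlogin
    server, B the trusted client being impersonated, C the attacker.

    1. C connects to A from its own address and records A's ISN.
    2. C sends a SYN to A with B's source address (B is down, so no RST).
    3. A's SYN ACK goes to B; C never sees it and must ACK Sa by prediction.
    Returns (guess, actual_isn, success).
    """
    A, B, C = "10.0.0.1", "10.0.0.2", "192.0.2.9"
    observed = generator.next_isn(t_probe, C, 40000, A, 513)
    actual = generator.next_isn(t_attack, B, 1023, A, 513)
    guess = attacker_guess(observed, t_probe, t_attack)
    return guess, actual, guess == actual


if __name__ == "__main__":
    for gen in (PredictableISN(), HashedISN()):
        guess, actual, ok = blind_spoof(gen)
        print(f"{type(gen).__name__:15s} guess={guess:#010x} actual={actual:#010x} "
              f"spoof {'succeeds' if ok else 'fails'}")
```

The spoofed ACK must carry exactly A's ISN, so "close" is not good enough; that is why the per-connection hash in the second generator defeats the attack even though its clock component is as predictable as the first.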

TCP session hijacking (diagram)
B initiates a connection with A and is authenticated by the application on A:
  B -> A: flags SYN, seq (Sb, ?)
  A -> B: flags SYN ACK, seq (Sa, Sb)
  B -> A: flags ACK, seq (Sb, Sa)
  ...
  A -> B: "Password:" / B -> A: "Xyzzy", seq (Sa+9, Sb+5)
C, masquerading as B, guesses Sa and Sb and inserts invalid data into the authenticated session:
  C -> A (source address B): "delete *", seq (Sb+5, Sa+18)

It Never Ends
Latest FTP Vulnerability
"Because of user input going directly into a format string for a *printf function, it is possible to overwrite important data, such as a return address, on the stack. When this is accomplished, the function can jump into shell code pointed to by the overwritten eip and execute arbitrary commands as root. While exploited in a manner similar to a buffer overflow, it is actually an input validation problem. Anonymous ftp is exploitable making it even more serious as attacks can come anonymously from anywhere on the internet."
Source: SecurityFocus.com, 2000

Denial of Service Methods
- Resource overload: disk space, bandwidth, buffers, ... Ping floods, SYN flood, UDP bombs, ...
- Software bugs: out-of-band data crash, ping of death, fragmentation
- Toolkits: TRINOO, Tribal Flood Net and friends
- Distributed attacks for amplification

IP Normal Fragmentation
- The largest IP datagram is 65,535 bytes (2^16 - 1)
- IP fragments a large datagram into smaller datagrams to fit the MTU
- Fragments are identified by the fragment offset field
- The destination host reassembles the original datagram

IP Normal Fragmentation (Cont.)
Before fragmentation (IP header + IP data):
  TL 1300, FO 0, data length 1280
After fragmentation (MTU 500):
  TL 500, FO 0,   data length 480
  TL 500, FO 480, data length 480
  TL 340, FO 960, data length 320
TL = Total Length, FO = Fragment Offset in bytes. (The original slide shows TL 360 and data length 340 for the last fragment, which overshoots the 1280 data bytes by 20.) The header field itself carries the offset in units of 8 bytes, so FO 480 is encoded as 60 and every fragment but the last must carry a multiple of 8 data bytes.

IP Normal Reassembly (diagram)
Received from the network, in any order:
  TL 500, FO 0,   data length 480
  TL 340, FO 960, data length 320
  TL 500, FO 480, data length 480
(The original slide shows TL 360 and data length 340 for the middle fragment; see the previous slide.) Each fragment's data is copied at its offset into a 65,535-byte reassembly buffer in kernel memory at the destination host.

IP Reassembly Attack
- Send an invalid IP datagram: fragment offset + fragment size > 65,535
- Usually containing an ICMP echo request (ping), hence "ping of death"
- Not limited to ping!

IP Reassembly Attack (Cont.) (diagram)
Received from the network:
  TL 1020, FO 0,     data length 1000
  ... 64 IP fragments with data length 1000 ...
  TL 1020, FO 65000, data length 1000
The last fragment ends at byte 66000, past the end of the 65,535-byte reassembly buffer. BUG: buffer exceeded, and the overrun lands in kernel memory at the destination host.
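The arithmetic on the fragmentation slides and the missing bounds check on the reassembly-attack slide, as an added example (not code from the deck or from any kernel). Offsets are kept in bytes as the slides do; wire_offset() shows the 8-byte encoding. The fragment lists are constructed from the slides' own numbers (1300-byte datagram, MTU 500; 1000-byte fragments up to offset 65000).

```python
IP_HEADER_LEN = 20      # header without options
MAX_DATAGRAM = 65535    # 2**16 - 1, the largest IP total length


def fragment(total_length, mtu, header_len=IP_HEADER_LEN):
    """Split a datagram into fragments that fit `mtu`.

    Returns (total_length, fragment_offset_in_bytes, data_length) per fragment.
    All but the last fragment carry a multiple of 8 data bytes because the
    header stores the offset in 8-byte units (480 bytes is sent as 60).
    """
    data_len = total_length - header_len
    per_frag = (mtu - header_len) // 8 * 8
    frags, off = [], 0
    while off < data_len:
        n = min(per_frag, data_len - off)
        frags.append((header_len + n, off, n))
        off += n
    return frags


def wire_offset(offset_bytes):
    """The 13-bit Fragment Offset field value for a byte offset."""
    if offset_bytes % 8:
        raise ValueError("fragment offsets must be multiples of 8")
    return offset_bytes // 8


def reassemble_unchecked(frags):
    """The buggy reassembler: copies each fragment at offset + length without
    comparing the end against the 65,535-byte buffer. Python cannot overrun a
    bytearray, so the overrun that would corrupt kernel memory is reported."""
    buf = bytearray(MAX_DATAGRAM)
    for _, off, n in frags:
        if off + n > len(buf):
            raise MemoryError(f"fragment at offset {off} writes {off + n - len(buf)} bytes past the buffer")
        buf[off:off + n] = b"\x01" * n
    return buf


def reassemble_checked(frags):
    """Hardened reassembler: reject a fragment before copying if its end would
    exceed the maximum datagram size. Returns the reassembled payload length."""
    buf = bytearray(MAX_DATAGRAM)
    end_max = 0
    for _, off, n in frags:
        if off % 8 or off + n > MAX_DATAGRAM:
            raise ValueError(f"bad fragment: offset {off}, data length {n}")
        buf[off:off + n] = b"\x01" * n
        end_max = max(end_max, off + n)
    return end_max


def oversized_fragments(data_len=1000, last_offset=65000):
    """The slide's attack: 1000-byte fragments up to offset 65000, so the last
    one ends at 66000 > 65535."""
    return [(IP_HEADER_LEN + data_len, off, data_len)
            for off in range(0, last_offset + 1, data_len)]


if __name__ == "__main__":
    for tl, fo, dl in fragment(1300, 500):
        print(f"TL {tl}, FO {fo} (field value {wire_offset(fo)}), data length {dl}")
    print("reassembled", reassemble_checked(fragment(1300, 500)), "bytes of data")
    for reassembler in (reassemble_unchecked, reassemble_checked):
        try:
            reassembler(oversized_fragments())
        except (MemoryError, ValueError) as e:
            print(f"{reassembler.__name__}: {e}")
```

The check belongs before the copy, not after: the vulnerable version's only "detection" is the corruption itself. A real stack also has to reject overlapping fragments, which the slides do not cover.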

SYN attack (diagram)
C, masquerading as B (an address that will not answer), sends flags SYN, seq (Sb, ?) to A. A replies to B with flags SYN ACK, seq (Sa, Sb) and allocates kernel resources for handling the starting connection. No answer comes from B; only after a 120-second timeout is the resource freed. Sent fast enough, this is a denial of service: kernel resources exhausted.
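The defence the later "SYN protection" slide alludes to is to keep no state for a half-open connection at all: the server encodes the connection in the sequence number of its SYN ACK (a SYN cookie) and only allocates when a valid ACK returns. The following is an added example, not from the deck: a half-open table that fills up under the slide's attack, beside a SYN-cookie mint/verify pair. Backlog size, secret, addresses and timestamps are constructed assumptions.

```python
import hashlib
import hmac
import os

HALF_OPEN_TIMEOUT = 120         # the slide's timeout for an unanswered SYN ACK
BACKLOG = 128                   # assumed half-open limit per listening socket
SECRET = os.urandom(16)         # assumed per-boot server secret for cookies


class HalfOpenTable:
    """Pre-cookie behaviour: every SYN costs a table entry until the ACK
    arrives or the timeout expires."""

    def __init__(self, capacity=BACKLOG):
        self.capacity = capacity
        self.pending = {}       # (src, sport) -> expiry time

    def on_syn(self, src, sport, now):
        self.pending = {k: exp for k, exp in self.pending.items() if exp > now}
        if len(self.pending) >= self.capacity:
            return False        # backlog full: this SYN is dropped
        self.pending[(src, sport)] = now + HALF_OPEN_TIMEOUT
        return True


def _cookie_hash(src, sport, dst, dport, t):
    msg = f"{src}:{sport}>{dst}:{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def syn_cookie(src, sport, dst, dport, now, mss_index=0):
    """Encode the connection in the ISN of the SYN ACK so nothing is stored:
    bits 31-27 time counter (64 s steps), bits 26-24 MSS index, bits 23-0 keyed hash."""
    t = (int(now) >> 6) & 0x1F
    return (t << 27) | ((mss_index & 0x7) << 24) | _cookie_hash(src, sport, dst, dport, t)


def check_syn_cookie(cookie, src, sport, dst, dport, now, max_age=2):
    """Validate the ISN echoed back (the client's ACK number minus one). Only
    cookies minted within `max_age` counter steps are accepted, so a captured
    cookie cannot be replayed later."""
    t = cookie >> 27
    age = (((int(now) >> 6) & 0x1F) - t) & 0x1F
    if age > max_age:
        return False
    return (cookie & 0xFFFFFF) == _cookie_hash(src, sport, dst, dport, t)


def flood_demo(n_spoofed=200, now=1000.0):
    """The slide's attack: C sends SYNs with unreachable (spoofed) sources, so
    the SYN ACKs are never answered. Returns whether a legitimate client is
    still served (with the half-open table, with SYN cookies)."""
    table = HalfOpenTable()
    for i in range(n_spoofed):
        table.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, now)  # constructed spoofed sources
    legit = ("198.51.100.7", 40000, "192.0.2.1", 80)
    with_table = table.on_syn(legit[0], legit[1], now + 1)
    isn = syn_cookie(*legit, now + 1)                      # server answers, stores nothing
    with_cookies = check_syn_cookie(isn, *legit, now + 2)  # client's ACK carries isn + 1
    return with_table, with_cookies


if __name__ == "__main__":
    table_ok, cookie_ok = flood_demo()
    print(f"legitimate client served during flood: table={table_ok} cookies={cookie_ok}")
```

The price of cookies is that TCP options negotiated in the SYN are lost (only an MSS index survives in the three spare bits), which is why real stacks switch them on only once the backlog is under pressure.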

SMURF Attack (diagram)
The attacker sends a directed-broadcast ping with the victim's address forged as the source: ICMP REQ D 160.154.5.255 S 172.18.1.2. Every host on 160.154.5.0 answers the victim: ICMP REPLY D 172.18.1.2 S 160.154.5.10, S 160.154.5.11, S 160.154.5.12, S 160.154.5.13, S 160.154.5.14, ... The attempt is to overwhelm the WAN link to the destination 172.18.1.2.

DDoS Step 1: Find Vulnerable Hosts
The attacker uses reconnaissance tools to locate vulnerable hosts to be used as masters and daemons.

DDoS Step 2: Install Software on Masters and Agents
1) Use master and agent programs on all cracked hosts (innocent masters, innocent daemon agents).
2) Create a hierarchical covert control channel using innocent-looking ICMP packets whose payload contains DDoS commands. Some DDoS tools further encrypt the payload.

DDoS Step 3: Launch the attack
The attacker tells the innocent masters "Attack Alice NOW!"; the masters relay the command to the innocent daemon agents, which flood the victim.

Today
- New agent software has been created for Windows hosts
- No longer a problem for just Unix systems
- Target may be a router!

Why Should You Care
- Protect your own operational environment
- Protect your customer's data
- Protect the services you offer to your customers
- In other words ... to protect your business!!

What Should You Do?
- Develop security policy: for your organization, for your customers
- Develop your security plan
- Secure your network
- Develop an incident response procedure

Security Policy

Why a Site Security Policy?
- To protect assets
- To help prevent security incidents
- To provide guidance when incidents occur

Security Policy Topics
- Access
- Authentication
- Accountability
- Privacy
- Violations handling
- Supporting information
- others ...

Site Security Policy Resources
- http://secinf.net/info/policy/AusCERT.html, written by Rob McMillan
- RFC 2196 - Site Security Handbook
- RFC 1281 - Guidelines for the Secure Operation of the Internet
- RFC 2504 - Users' Security Handbook

Policies Affecting Your Customers
- Service expectations
- Access policies for customers: what type of access is allowed and under what circumstances
- Authentication policy for customers: what type of authentication must they use when connecting to your site
- Protection of your customers' traffic
- Incident handling policies: inbound incidents, outbound incidents

Policies Affecting Your Customers - 2
- Notification of vulnerabilities and incidents: who is coordinating response to the incident; the vulnerability; how service was affected; what is being done to respond to the incident; whether customer data may have been compromised; what is being done to eliminate the vulnerability; the expected schedule for response, assuming it can be predicted
- Sanctions for policy violations
See IETF draft-ietf-grip-isp-expectations-03.txt

Security Plan

Your Security Plan
- Describe the assets you want to protect: data; hardware and software; services
- Describe how you will protect the assets: access restrictions and authentication; redundancy; encryption

Your Security Plan - 2
- Describe disaster recovery plans: physical disasters; equipment failures; intrusions; employee or customer mistakes
- Regularly test your security plan
- Update the plan based on the results of testing

Securing Your Network

Securing Your Network
- Securing your operational network
- Securing services offered to your customers

Securing Your Operational Network
- Separate your operational networks from your service networks
- Restrict services to your organization's network/hosts
- Protect services that are allowed to the internal network

ISP Service Plane / ISP Management Plane (diagram)
Network Carriage Plane: Local Offices, a Network Access Server, the Access Router, the Usenet Server fed by an Upstream Feed Server; in the management plane the Accounting Server and the Network Management Server.
Access Router:
- no loose source routing
- no directed broadcast
- permit any source to usenet server TCP port 119
- permit NetOpsCenter source to usenet server
- deny all else
Usenet Server:
- TCP logging
- SYN protection
- permit any source connect to TCP port 119
- permit NetOpsCenter source to any port
- deny all else
Source: ISP Survival Guide, 1999

Secure Initial System Setup - 1
- Build off-line
- Set or disable passwords for all existing accounts
- Review account groups and privileges
- Review CERT Advisories and VIBs
- Install all applicable security patches
- Minimize system and network services
- Remove unnecessary software: compilers, shells, servers, daemons, etc.
- Fix file permissions

Secure Initial System Setup - 2
- Configure logging and quota mechanisms
- Install and configure system monitoring tools
- Replace weak access mechanisms with more secure ones (UNIX: e.g., replace telnet and the r-commands with SSH)
- Configure file system integrity tools (UNIX: e.g., Tripwire)
- Make a backup!
- Deploy on the network only when prepared for exposure

Domain Name Servers
- Intruders target domain name servers: exploit services that trust host names; masquerade as another host
- Consider using internal and external servers: external servers provide information regarding hosts serving the Internet (email, FTP, WWW); internal servers provide information about internal hosts to internal hosts
- Use the latest version of BIND

Protecting System Password Information
- Unix: password aging; 16-character passwords; the freely available shadow password suite
- NT: configure to protect the SAM database; registry settings and protections; use the NTFS file system instead of FAT and set permissions

Manage Networks Securely
- Restrict access to routers and servers
- Require strong authentication when accessing any critical system
- Use SSH to tunnel through firewalls to access the network

Configuring Public Servers - 1
- Turn on logging of all outside access (using TCP Wrappers or other tools)
- Use Tripwire or other cryptographic checksums to verify the integrity of information and system configuration
- Locate the public servers on a separate network segment
- Keep a copy of the information on another system for fast backup
- Consider CD-ROM for information and system files that rarely change

TFTP
- Disable tftpd if it isn't absolutely necessary
- Otherwise, restrict tftpd access

Securing the Network
- Router/Switch/Server self-protection: use good access controls; limit SNMP access; disable unused services; implement privilege levels
- Resource protection
- In-band vs out-of-band management
- Good network design and management: redundancy, logging, audit

Authentication Mechanisms
- Console, Telnet
- Local passwords, username based
- External authentication: TACACS+, RADIUS, Kerberos, SSH
- One-time passwords

Local Passwords

    line console 0
     login
     password one4all
     exec-timeout 1 30

    User Access Verification
    Password: one4all
    router>

- Password in every device
- Viewable in plain text in the configuration

Service Password-Encryption

    service password-encryption
    !
    hostname Router
    !
    enable password 7 15181E020F

- Obfuscates the password in the configuration (the "7" marks the reversible type 7 encoding)
- Easily reversible: it protects against shoulder surfing, not against anyone who obtains the configuration
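Why "easily reversible": type 7 is a fixed-keystream XOR, with two decimal digits giving the starting offset into the keystream and one hex byte per character after that. The following is an added example, not from the deck: a decoder and encoder for that scheme, plus a small configuration audit that recovers every type 7 value it finds and flags type 5 (MD5-crypt) secrets as hashes. The sample configuration is constructed from the credential lines shown on these slides; the decoded values are whatever those lines actually encode.

```python
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # the fixed type 7 keystream


def type7_decrypt(encoded):
    """'15181E020F' -> plaintext: the first two digits are the keystream offset,
    the rest is one hex byte per character, XORed with the keystream."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def type7_encrypt(plaintext, seed=15):
    """The inverse, as IOS does it when 'service password-encryption' is on."""
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plaintext.encode()))
    return f"{seed:02d}{body.hex().upper()}"


def audit_config(config_text):
    """Walk an IOS configuration and report every credential line.

    Type 7 values are recovered outright; type 5 (MD5-crypt) values are
    reported as hashes, which still deserve offline-cracking scrutiny.
    Returns [(kind, account, value), ...] in configuration order.
    """
    findings = []
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[-3] in ("password", "secret") and tok[-2] in ("5", "7"):
            account = tok[1] if tok[0] == "username" else "enable"
            if tok[-2] == "7":
                findings.append(("type7", account, type7_decrypt(tok[-1])))
            else:
                findings.append(("type5", account, tok[-1]))
    return findings


# Constructed sample built from the configuration lines shown on these slides.
SAMPLE_CONFIG = """\
service password-encryption
!
hostname Router
!
enable password 7 15181E020F
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
username john password 7 030E4E050D5C
"""

if __name__ == "__main__":
    for kind, account, value in audit_config(SAMPLE_CONFIG):
        print(f"{kind:6s} {account:8s} {value}")
```

Running the audit over a configuration is a cheap pre-deployment check: any type 7 line it prints is a credential that leaks the moment the configuration file, a TFTP backup or a "show run" transcript leaves the box.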

Enable Secret

    !
    hostname Router
    !
    enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1

- Stores an MD5-based one-way hash (type 5) of the enable password in the configuration; unlike type 7, the password cannot be read back from the configuration, only guessed offline

Use Good Passwords
("Hmm, Snoopy is easy to remember!")
- Don't use easily guessed passwords
- Centralize password management: RADIUS, TACACS+

Cisco IOS TACACS+ Login Authentication

    version 12.0
    !
    ! encrypts passwords with type 7 encryption
    service password-encryption
    !
    hostname Router
    !
    aaa new-model
    ! define list "ruth": TACACS+, then the enable password
    aaa authentication login ruth tacacs+ enable
    ! define list "sarah": TACACS+, then the local user and password
    aaa authentication login sarah tacacs+ local
    ! "enable secret" overrides the type 7 enable password
    enable secret 5 $1$hM3l$.s/DgJ4TeKdDk
    !
    ! define local users
    username john password 7 030E4E050D5C
    username bill password 7 0430F1E060A51
    !

Cisco IOS TACACS+ Login Authentication (Cont.)

    ! defines the IP address of the TACACS+ server
    tacacs-server host 10.1.1.2
    ! defines the "encryption" key for communicating with the TACACS+ server
    tacacs-server key key
    !
    ! console and aux use the mechanisms listed in "ruth": TACACS+, then the enable password
    line con 0
     login authentication ruth
    line aux 0
     login authentication ruth
    ! the vtys use the mechanisms listed in "sarah": TACACS+, then a local user/password
    line vty 0 4
     login authentication sarah
    !
    end

PIX TACACS+ Login Authentication

    PIX Version 4.3(1)
    enable password BjeuCKspwqCc94Ss encrypted
    passwd nU3DFZzS7jF1jYc5 encrypted
    tacacs-server host 10.1.1.2 key
    aaa authentication any console tacacs+
    no snmp-server location
    no snmp-server contact
    snmp-server community notpublic
    no snmp-server enable traps
    telnet 10.1.1.2 255.255.255.255
    Cryptochecksum:a21af67f58849f078a515b177df4228
    : end
    [OK]

"enable password" is the enable password and "passwd" the Telnet password; "tacacs-server host ... key" defines the TACACS+ server and encryption key (the key itself is not shown on the slide); "aaa authentication any console tacacs+" uses TACACS+ for Telnet or console (enable) access; "telnet 10.1.1.2 255.255.255.255" defines the device that can Telnet into the PIX.

Catalyst TACACS+ Login Authentication

    set enablepass $1$CBqb$j53diREUitkHDGKfAqFpQ
    set authentication login tacacs enable
    set authentication enable tacacs enable
    set tacacs key secretkey
    set tacacs server 144.254.5.9

"set enablepass" sets the enable password; the two "set authentication" lines use TACACS+ for Telnet or console (enable) access; "set tacacs key" and "set tacacs server" define the TACACS+ server and encryption key.

Password of Caution
Even passwords that are encrypted in the configuration are not encrypted on the wire as an administrator logs into the router.

One-Time Passwords
- May be used with TACACS+ or RADIUS
- The same "password" will never be reused by an authorized administrator
- Key cards: CryptoCard token server included with CiscoSecure
- Support for Security Dynamics and Secure Computing token servers in CiscoSecure

Restrict Telnet Access

    access-list 12 permit 172.17.55.0 0.0.0.255
    line vty 0 4
     access-class 12 in

Only hosts in 172.17.55.0/24 may open a vty session; the list's implicit deny drops everyone else.

SSH
SSH can be used for secured command and control sessions to routers. Full SSH has three components:
- a terminal session with a secure transport
- the ability to handle "r-commands" similar to rsh
- the ability to "forward" other TCP-based protocols

SSH Authentication
There are two levels of authentication required for an SSH session:
- Host (or "device") authentication
- User authentication

Host Authentication
- Each IOS host has its own unique RSA key with a user-selectable key length up to 2048 bits
- The RSA authentication will transfer the session key
- This authentication establishes the encrypted session

Host Authentication
- IOS will store its own RSA key and will accept all other keys
- In the "full" implementation, keys of other hosts should be kept in permanent storage and a warning presented to the user if the hostname and key do not match

User Authentication
- After the encrypted session is established, user authentication is still required
- Since the SSH feature is tied to the vtys, user authentication is associated with some of the authentication mechanisms available to the vtys: RADIUS, TACACS+ and local
- The username and password pass between the workstation and the router inside the encrypted session

User Authentication
- The session will be terminated if authentication fails, or if the authentication mechanism fails (e.g. the router cannot establish a session with a TACACS+ server)
- If authentication succeeds, a session is opened using the encryption algorithm selected

SNMP Access Control
RO: read only; RW: read write.

    access-list 13 permit 192.85.55.12
    access-list 13 permit 192.85.55.19
    snmp-server community PassWord RO 13

SNMP
- Change your community strings! Do not use public, private, secret!
- Use different community strings for the RO and RW communities
- Use mixed alphanumeric characters in the community strings: SNMP community strings can be cracked, too!

Transaction Records
How do you tell when someone is attempting to access your router?

    ip accounting
    ip accounting access-violations
    logging 127.0.3.2

Consider some form of audit trail:
- Using the syslog feature
- SNMP traps and alarms
- Implementing TACACS+, RADIUS, Kerberos, or third-party solutions like one-time password token cards

Route Update Authentication and Integrity (diagram)
The router assembles the packet (IP header, route update data) together with the key, runs it through a hash function to produce a signature, then reassembles the packet with the signature in place of the key (IP header, route update data, signature) and sends it to the wire.

Route Filtering

    router rip
     network 10.0.0.0
     distribute-list 1 in
    !
    access-list 1 deny 0.0.0.0
    access-list 1 permit 10.0.0.0 0.255.255.255

    Router# sho ip proto
    Routing Protocol is "rip"
      Sending updates every 30 seconds, next due in 12 seconds
      Invalid after 180 seconds, hold down 180, flushed after 240
      Outgoing update filter list for all interfaces is not set
      Incoming update filter list for all interfaces is 1
      Redistributing: rip

Out-of-band Management (diagram)
No management traffic in the primary IP network: at the POP, use an access server (NAS) to connect console ports through reverse Telnet.

In-band Management
- Use private addresses for backbone routers
- Ingress filter at the edge: SNMP, ICMP, anti-spoofing, your own IP addresses as source or destination addresses
- Encryption and integrity

In-band vs Out-of-band
- Console or aux ports do not allow SNMP
- IOS software upgrade may be easier with the console port
- Out-of-band needs a dedicated connection: cost

Protect Resources
- Spoofing
- Source routes
- Resource consumption

Spoofing (diagram)
An outside host 172.16.42.84 on the serial side sends IP (D 10.1.1.2, S 10.1.1.1), a packet claiming an inside 10.1.x.x source. The inbound list on Serial 1 drops it:

    interface Serial 1
     ip address 172.26.139.2 255.255.255.252
     ip access-group 111 in
     no ip directed-broadcast
    !
    interface ethernet 0/0
     ip address 10.1.1.100 255.255.0.0
     no ip directed-broadcast
    !
    access-list 111 deny ip 127.0.0.0 0.255.255.255 any
    access-list 111 deny ip 10.1.0.0 0.0.255.255 any

As shown, list 111 ends with the implicit deny and would drop all inbound traffic; a real deployment follows the deny entries with the permits the site actually needs.

Preventing IP spoofing
Cisco routers: disable source routing (it is on by default):

    no ip source-route

Hosts, disable:
1) IP forwarding (usually easy)
2) source routing (usually impossible; Windows had to wait until Win NT4 SP5, May 99)
3) in applications, check for IP options via getsockopt()

Ingress & Egress Route Filtering
Your customers should not be sending any IP packets out to the Internet with a source address other than the address you have allocated to them!

Including Private Addresses
- 10.0.0.0 - 10.255.255.255 (10/8 prefix)
- 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Source: RFC 1918

Ingress Route Filtering (diagram)
On the ISP's Serial 0/1 facing the customer network 165.21.0.0/16: allow source address 165.21.0.0/16, block source addresses from all other networks. Example: packets with a source of 10.1.1.1 would be blocked.

Egress Route Filtering (diagram)
On the same ISP's Internet-facing side: deny source address 165.21.0.0/16 (the customer's own prefix arriving from the Internet), allow source addresses from all other networks. Example: packets with a source of 10.1.1.1 would be blocked.

Enterprise Ingress and Egress Filtering (diagram)
Use topological information with the input ACL to protect your site. On the Internet-facing interface: deny source A, deny source B, deny source 127.*.*.*, deny source 10.*.*.*, deny source 192.168.*.*, else permit. On the interface toward network A: permit source A, else deny. On the interface toward network B: permit source B, else deny.

Enterprise Ingress and Egress Filtering (Cont.) (diagram)
Use topological information with the output ACL to protect the other sites: toward the Internet, permit source A, permit source B, else deny.
Source: RFC 2267 (the slide reads RFC 2167)
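The access lists on these slides (the vty access-class list 12, the SNMP list 13, the RIP distribute-list 1, the anti-spoofing list 111 and the ingress and egress filters just described) all share one evaluation model: first match wins, wildcard bits set to 1 are "don't care", and an implicit deny ends every list. The following is an added example, not IOS code and not from the deck: a small evaluator for that model, run over a constructed configuration built from the slides' own lists. List 111 gets a final "permit ip any any" that the slide omits, and list 120 is an assumed ingress filter for the 165.21.0.0/16 customer.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask semantics: a 1 bit means 'don't care' (0.0.0.255 covers a /24)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return a & keep == b & keep


def _addr_spec(tok):
    """Consume one source/destination spec: 'any', 'host X', 'X WILD' or bare 'X'."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    if len(tok) > 1 and tok[1].count(".") == 3:
        return (tok[0], tok[1]), tok[2:]
    return (tok[0], "0.0.0.0"), tok[1:]        # bare address in a standard list = host


def parse_acls(config_text):
    """Parse 'access-list N permit|deny [ip] SRC [WILD] [DST [WILD]]' lines.
    Returns {N: [(action, (src, wild), (dst, wild)), ...]} in configuration order."""
    acls = {}
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0].lower() != "access-list":
            continue
        number, action, rest = int(tok[1]), tok[2].lower(), tok[3:]
        if rest[0] == "ip":                     # extended list: source and destination
            src, rest = _addr_spec(rest[1:])
            dst, rest = _addr_spec(rest)
        else:                                   # standard list: source only
            src, rest = _addr_spec(rest)
            dst = ANY
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def evaluate(acl, src, dst="0.0.0.0"):
    """First matching entry wins; every IOS list ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


# Constructed sample from the slides' lists (111 completed with a final permit;
# 120 is an assumed ingress filter for the customer's 165.21.0.0/16).
SAMPLE = """\
access-list 1 deny 0.0.0.0
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 12 permit 172.17.55.0 0.0.0.255
access-list 13 permit 192.85.55.12
access-list 13 permit 192.85.55.19
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
access-list 111 permit ip any any
access-list 120 permit ip 165.21.0.0 0.0.255.255 any
"""

ACLS = parse_acls(SAMPLE)

if __name__ == "__main__":
    checks = [(111, "10.1.1.1", "10.1.1.2"), (111, "172.16.42.84", "10.1.1.2"),
              (12, "172.17.55.9", "0.0.0.0"), (12, "172.17.56.9", "0.0.0.0"),
              (120, "165.21.3.4", "0.0.0.0"), (120, "10.1.1.1", "0.0.0.0"),
              (1, "0.0.0.0", "0.0.0.0"), (1, "10.2.0.0", "0.0.0.0")]
    for n, s, d in checks:
        print(f"access-list {n:3d}  src {s:14s} dst {d:10s} -> {evaluate(ACLS[n], s, d)}")
```

Order matters: the same entries permuted give a different policy, and a list that is all deny entries (list 111 as printed on the slide) denies everything. Testing candidate lists against a table of representative packets like the one in the block, before applying them, catches both mistakes.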

Reverse Path Forwarding
- Supported from 11.1(17)CC images
- CEF switching must be enabled
- The source address of each incoming packet is checked to ensure that the route back to the source uses the interface the packet arrived on
- Care required in multihoming situations: with asymmetric routing the return path legitimately differs from the arrival interface

CEF Unicast RPF (diagram)
Routing table:
  210.210.0.0  via 172.19.66.7
  172.19.0.0   is directly connected, Fddi 2/0/0
CEF adjacency table:
  Fddi 2/0/0  172.19.66.7  50000603E AAAA03000800
A packet arrives on Fddi 2/0/0 with Dest Addr x.x.x.x and Src Addr 210.210.1.1. Unicast RPF checks whether the reverse path for the source address matches the input port: if OK, RPF passes the packet to be forwarded by CEF (out Fddi 2/0/0 in this case); otherwise the packet is dropped.
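The check on the slide, as an added example (not IOS code and not from the deck): a longest-prefix lookup on the slide's routing table, a strict-mode check that compares the lookup's outgoing interface with the input interface, and a loose-mode variant that only asks whether any route to the source exists. The prefix lengths are assumptions (the slide omits them), and the Serial1/0 routes are constructed so that asymmetric arrival can be shown.

```python
import ipaddress

# Routing table from the slide (prefix lengths assumed) plus a constructed
# upstream interface so that asymmetric arrival can be demonstrated.
ROUTES = [  # (prefix, next hop or None if directly connected, outgoing interface)
    ("210.210.0.0/16", "172.19.66.7", "Fddi2/0/0"),
    ("172.19.0.0/16", None, "Fddi2/0/0"),
    ("198.51.100.0/24", "192.0.2.1", "Serial1/0"),
    ("0.0.0.0/0", "192.0.2.1", "Serial1/0"),
]


def best_route(addr, routes=ROUTES, use_default=False):
    """Longest-prefix match for `addr`; returns (network, next_hop, interface) or None.
    The default route only counts when use_default is set, mirroring IOS's
    'allow-default' option: otherwise every unrouted source would pass loose RPF."""
    ip = ipaddress.IPv4Address(addr)
    best = None
    for prefix, nexthop, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if net.prefixlen == 0 and not use_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return best


def urpf_strict(src, in_iface, routes=ROUTES, use_default=False):
    """Strict mode, the slide's check: the packet passes only if the route back
    to its source address leaves through the interface it arrived on."""
    route = best_route(src, routes, use_default)
    return route is not None and route[2] == in_iface


def urpf_loose(src, in_iface, routes=ROUTES, use_default=False):
    """Loose mode: any route to the source suffices. Weaker, but it survives the
    asymmetric routing of multihomed sites that makes strict mode drop real traffic."""
    return best_route(src, routes, use_default) is not None


def rpf_demo():
    """Constructed packets: the slide's own, a spoof of it arriving on the wrong
    link, and a source reachable only through the default route."""
    packets = [("210.210.1.1", "Fddi2/0/0"),
               ("210.210.1.1", "Serial1/0"),
               ("203.0.113.5", "Serial1/0")]
    return {pkt: ("pass" if urpf_strict(*pkt) else "drop") for pkt in packets}


if __name__ == "__main__":
    for (src, inif), verdict in rpf_demo().items():
        print(f"src {src:13s} in {inif:10s} strict: {verdict:4s} "
              f"loose: {'pass' if urpf_loose(src, inif) else 'drop'}")
```

The third packet is the multihoming trap in miniature: strict mode drops it because the only route back is the default on another interface, and enabling allow-default makes it pass, which is why uRPF is deployed strict at single-homed customer edges and loose (or not at all) where routing is asymmetric.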
