Scribd
Upload
53 views

Router Sec

Uploaded by

valerian.ceaus9927
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
53 views

Router Sec

Uploaded by

valerian.ceaus9927
Copyright
© © All Rights Reserved
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 52

©2004 VITALISEC INC.

Vitalisec Inc.
Securing & Auditing
Cisco Routers

May 20, 2004

Travis Schack
[email protected]

Vital Information Security


©2004 VITALISEC INC.

Travis Schack
• Founder and Senior Security Consultant
• Certifications
– CISSP (Certified Information System Security Professional)
– OPST trainer (OSSTMM Professional Security Tester)
– OPSA trainer (OSSTMM Professional Security Analyst)
– NSA IAM (INFOSEC Assessment Methodology)
– 10 years IT and Information Security

• Industry Experience
– IBM, Galileo Int’l, Rhythms Netconnections, Circadence, Janus Funds
– Adjunct faculty for Denver University’s Master’s program in
Information Security
– Extensive Penetration and Vulnerability Testing experience

Vital Information Security


©2004 VITALISEC INC.

• Objectives
– Role of the router in network security
– Router threats and Security drivers
– “Best Practice” router hardening
• Authentication & Authorization
• Access list filtering
• Services
• Logging
• Access controls
– Valuable commands
– Auditing tools and how to use them
– Helpful web resources
• Assumptions
– You already know the OSI Model
– Familiarity with Cisco IOS
– Many aspects are not covered
• Cannot teach router configuration

Vital Information Security


©2004 VITALISEC INC.

Role of the Router

Vital Information Security


©2004 VITALISEC INC.

• Primary function
– Forwarding of packets between network segments
• Routing Decisions
• Applies filters
• Network Traffic Cop

• Router Components
– Processor
– Memory
– Storage
– Interfaces
– Runs on IOS

Vital Information Security


©2004 VITALISEC INC.

Security Device?

Vital Information Security


©2004 VITALISEC INC.

• Security Variables
– Placement of Router
• Core Router (Backbone)
– Route packets as fast as possible
• Distribution Router (Interior)
– Boundary definition
• Access Router (Border)
– Allow access into Network
– Perimeter/Border
– Networks Involved
– Money
• Firewall
• IDS

Vital Information Security


©2004 VITALISEC INC.

Router Threats and Security Drivers

Vital Information Security


©2004 VITALISEC INC.

Vital Information Security


©2004 VITALISEC INC.

Vital Information Security


©2004 VITALISEC INC.

Cisco's IOS Source Leaked


May 17, 2004
By Enterprise IT Planet Staff

Word that source code for Cisco IOS was circulating on the Internet lit up message boards this weekend.
Today, Cisco confirmed that indeed an estimated 800MB of code for IOS 12.3 and 12.3t was indeed taken
after hackers pilfered it from the company's network.
The theft was first reported on a Russian Web site dedicated to computer security, SecurityLab.ru.
IOS is the software that drives the company's routers. The release of this source is significant in that Cisco
is the dominant networking gear provider; its very name is synonymous with the Internet backbone.
Although few are painting gloom-and-doom scenarios this early, the news is nonetheless worrisome for
administrators lording over Cisco-based networks and users of the Internet
Cisco is currently investigating the matter but as of yet no customer data seems to have been exposed
during the breach. Cisco spokesman Jim Brady told tech journal internetnews.com, "Based on preliminary
data, we don't believe any confidential customer information or financial systems were affected."
The exact nature of the breach, be it a vulnerability or an "inside job" still remains unresolved, but the
likelihood of either appears unlikely, according to the company.
Cisco is the latest high-profile company to suffer a source-code leak. In recent months, Microsoft saw
parts of its Windows 2000 source released. Valve, makers of the popular Half-Life PC game, had the
source for its anticipated sequel leached from its systems late last year.

Vital Information Security


©2004 VITALISEC INC.

Cisco IOS Vulnerabilities

20

18

16
Number of Vulnerabilities

14

12
BID
10 ICAT
CVE
8

0
1999 2000 2001 2002 2003 2004
Year

Vital Information Security


©2004 VITALISEC INC.

Cisco IOS Vulnerabilities

60

50
Number of Vulnerabilities

40

30

20

10

0
BID ICAT CVE OSVDB
Source

Vital Information Security


©2004 VITALISEC INC.

Vital Information Security


©2004 VITALISEC INC.

Security Drivers
• Regulations
– Sarbanes-Oxley (Section 404)
– CA 1386
– GLBA
– FISMA
– HIPAA
• Brand/Image
• Liability/Legal
• Rising Costs of Security Incidents
• Proactive Security Culture

Vital Information Security


©2004 VITALISEC INC.

Router Security
“Best Practice Hardening”

Vital Information Security


©2004 VITALISEC INC.

• http://nsa2.www.conxion.com/cisco/download.htm

Vital Information Security


©2004 VITALISEC INC.

Router Version
• Identification of security patches
– http://www.cisco.com/warp/public/707/advisory.html

• Latest Cisco IOS


– http://www.cisco.com/en/US/products/sw/iosswrel/products_ios_cisco_ios_software_category_home.html

• Router Command
– show version
• Display Configuration
– show configuration

Vital Information Security


©2004 VITALISEC INC.

Two Login Modes


• First login
– User EXEC mode

• From User EXEC mode, type “enable”


– Privileged EXEC mode

Vital Information Security


©2004 VITALISEC INC.

Login Banner
• Command
– banner motd delimiter Banner delimiter

– Don’t give out specific information about the


router

Vital Information Security


©2004 VITALISEC INC.

User Accounts
• Use local accounts, AAA, or ACS
– Radius
– TACACS+
• Command
– Username <username> privilege <0-15> password <strong password>

aaa new-model
aaa authentication login remoteauth radius tacacs+ enable
tacacs-server host 172.16.1.11
tacacs-server key testTKey
radius-server host 172.16.1.12
radius-server key TestRKey
line vty 0 4
login authentication remoteauth

Vital Information Security


©2004 VITALISEC INC.

Privileges
• 16 privileges (0-15)
• Predefined
– 1 User EXEC mode
– 15 Privilege EXEC mode
• Commands
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show ip

Vital Information Security


©2004 VITALISEC INC.

Passwords
• Two password schemes
– Type 5 (stronger)
• MD5 hash
• Command
– enable secret
– no enable password
– Type 7 (weak!)
• Mask displayed password
– Command
• service password-encryption

DEMO
Vital Information Security
©2004 VITALISEC INC.

Access
• VTY/Aux/Console
– VTY is used for remote connection
• Access list
• Session timeout Central(config)# ip telnet source-interf
Central(config)# access-list 99 permit 1
– Aux is used for modems Central(config)# access-list 99 permit 1
Central(config)# access-list 99 deny any
• Disable
Central(config)# line vty 0 4
• no exec Central(config-line)# access-class 99 in
Central(config-line)# exec-timeout 5 0
– Console Central(config-line)# transport input te
• line console 0 Central(config-line)# login local
– Password <password> Central(config-line)# exec
Central(config-line)# end
Central#

Vital Information Security


©2004 VITALISEC INC.

SSH
• IOS Versions: 12.1(1)T/12.0(10)S (image with 3DES), scp
as of 12.2T
• Uses SSH version 1
– key recovery, CRC32, traffic analysis (SSHow), timing analysis
and attacks
– You can’t force 3DES only nor use keys
– Fixed in 12.0(20)S, 12.1(8a)E, 12.2(3), ...
hostname <hostname>
ip domain-name <domainname>
crypto key generate rsa
ip ssh timeout 60
ip ssh authentication-retries 3
ip scp server enable

Vital Information Security


©2004 VITALISEC INC.

Access Control List


• Used for filtering traffic
– Across interfaces
– To router

• Basic Structure
– access-list list-number {deny | permit} condition

• Extended ACL
– access-list list-number {deny | permit} protocol source source-wildcard source-
qualifiers destination destination-wildcard destination-qualifiers [ log | log-input]

• Each access list contain at least 1 permit, or all traffic is denied!


• Applying to Interface
– ip access-group <access list #> <in | out>

Vital Information Security


©2004 VITALISEC INC.

Access Control Lists


– TurboACL : uses a hash table, benefits when 5+ ACEs
– Reflexive : enables on-demand dynamic and temporary reply
filters (doesn’t work for H.323 like protocols)
– Dynamic : adds user authentication to Extended ACLs
– Named : allows you to delete individual ACEs
– Time-based : adds a time-range option
– Context-Based Access-Control : “inspects” the protocol
(helper/proxy/fixup-like), used in conjunction with ACLs
– MAC : filters on MAC address (700-799 for standard, 1100-1199
for extended)
– Protocol : filters on protocol type (200-299)

Vital Information Security


©2004 VITALISEC INC.

Recommended Inbound ACL


access-list 100 deny ip <Internal Subnet> any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 permit ip any 14.2.6.0 0.0.0.255

Vital Information Security


©2004 VITALISEC INC.

Recommended Outbound ACL


access-list 102 permit ip <Internal Subnet> any
access-list 102 deny ip any any log

Vital Information Security


©2004 VITALISEC INC.

SYN Flood Protection


Applied Inbound on External Interface

access-list 106 permit tcp any <Internal Subnet> established


access-list 106 deny ip any any log

Vital Information Security


©2004 VITALISEC INC.

Land Attack Protection


Applied Inbound to External Interface

access-list 100 deny ip host <External IP> host <External IP> log
access-list 100 permit ip any any

Vital Information Security


©2004 VITALISEC INC.

Smurf Attack Protection


Applied Inbound on External Interface

access-list 110 deny ip any host x.x.x.255 log


access-list 110 deny ip any host x.x.x.0 log

x.x.x = Internal Subnet

Vital Information Security


©2004 VITALISEC INC.

Unneeded Services
• Recommended
no ip bootp server no boot network
no tcp-small-servers no service config
no udp-small-server no ip subnet-zero
no ip identd no service finger
no ip finger no service pad
service nagle no ip http server
no cdp run no ip source-route

Vital Information Security


©2004 VITALISEC INC.

Unneeded Services – cont’d


Certain UDP broadcasts no ip forward-protocol port 69
no ip forward-protocol port 53
are forwarded by default no ip forward-protocol port 37
no ip forward-protocol port 137
no ip forward-protocol port 138
If UDP broadcasts are no ip forward-protocol port 67
no ip forward-protocol port 68
needed, enable only the
no ip forward-protocol port 49
specific port and control no ip forward-protocol port 42
with access list no ip helper-address

Vital Information Security


©2004 VITALISEC INC.

Interface
• Disable ability to spoof and perform probes

no ip proxy arp
no ip directed-broadcast
no ip unreachable
no ip mask-reply
no ip redirects

Vital Information Security


©2004 VITALISEC INC.

NTP
• Set clock configuration
– clock timezone UTC 0
– no clock summer-time
• Only allow NTP on Interfaces, using access list
• Use Authenticated NTP
ntp update-calendar
ntp authentication-key 10 md5 <key>
ntp authenticate
ntp trusted-key 10
ntp server x.x.x.x [key 10]
ntp access-group peer 20
access-list 20 permit host x.x.x.x
access-list 20 deny any

Vital Information Security


©2004 VITALISEC INC.

SNMP
• Do NOT use SNMP version 1
• Change Public and Private strings
SNMP VERSION 2

snmp-server community r3ad view cutdown RO 10


snmp-server community wr1te RW 10
snmp-server view cutdown ip.21 excluded
snmp-server enable traps <…>
snmp-server host x.x.x.x
snmp-server source loopback0
access-list 10 permit x.x.x.x

SNMP VERSION 3

snmp-server group engineering v3 priv read cutdown 10


snmp-server user nico engineering v3 auth md5 myp4ss priv des56 mydes56
snmp-server view cutdown ip.21 excluded
access-list 10 permit x.x.x.x
access-list 10 deny any log

Vital Information Security


©2004 VITALISEC INC.

Logging
• Syslog
– Oldest entries are overwritten
– Send logs to remots syslog server
– Log all Denys
– Log all configuration changes

no ip domain lookup
service time log datetime localtime show-timezone msec
service time debug datetime localtime show-timezone msec
logging x.x.x.x
logging trap debugging
logging source loopback0
logging buffered 64000 debugging

Vital Information Security


©2004 VITALISEC INC.

Auditing Cisco Routers

Vital Information Security


©2004 VITALISEC INC.

• Auditing router configurations manually can be time


consuming.
– Manual check using a checklist
• Hands-off
• Hands-on
– Need privilege EXEC access
– Crosswalk configuration with a checklist
– NSA checklist is 5 pages long!
• Automation
– Using a script/program to audit configuration against a baseline
configuration
• Corporate standard baseline
• Vendor recommendations
• Industry “Best Practice”

Vital Information Security


©2004 VITALISEC INC.

Tools
• http://home.jwu.edu/jwright/perl.htm
– Various perl scripts for router management
• snatchcisco.pl
• grabciscoconf
– Script that uses SNMP to grab configuration file
• http://tool.sourceforge.net
– Accomplishes several tasks, including downloading and uploading of
configs and execution of commands on single or multiple routers of
various types
– Perl scripts
• configDiff
• configHash
– Downloads configs based on a hostlist, calls confiHash to get the differences
between the new config and the latest archived config

Vital Information Security


©2004 VITALISEC INC.

Tools – cont’d
• http://hotunix.com/tools/
– Shell script that allows the automated audit configurations from
multiple router and switches.
– Based on Cisco, NSA, and SANS security guides and
recommendations.
– Reporting is granular
• Down to individual device interfaces, lines, ACL’s, AS’s, etc.

• Last modified June 20, 2003

Vital Information Security


©2004 VITALISEC INC.

Tools – cont’d
• http://www.shrubbery.net/rancid/
– Really Awesome New Cisco config Differ
– Monitor’s a router configuration, including software and hardware, using
CVS
– Supports the following systems:
• Cisco routers
• Juniper routers
• Catalyst switches
• Foundry switches
• Redback NASs
• ADC EXT3 muxes
• MRTd
• Alteon switches
• HP procurve switches

Vital Information Security


©2004 VITALISEC INC.

Vital Information Security


©2004 VITALISEC INC.

CIS
• http://www.cisecurity.com
– Center for Internet Security
– Non-profit organization
• Mission
– To help organizations around the world effectively manage the
risks related to information security. CIS provides methods and
tools to improve, measure, monitor, and compare the security
status of your Internet-connected systems and appliances, plus
those of your business partners.
• Membership
– SANS, ISC2, ISACA, IIA, AICPA, MITRE

Vital Information Security


©2004 VITALISEC INC.

RAT
• http://www.cisecurity.com/bench_cisco.html
– Router Audit Tool
• http://ncat.sourceforge.net
– Perl based
– Works on both Windows and Unix platforms
– Version 2.1
• Level-1 benchmark
– Minimum-security requirements for due care and is based on NSA Router Security
Configuration Guide.
• Level-2 benchmark
– Settings are optional
– Many settings for which no benchmark standards are yet defined (e.g., ssh, IPSEC,
BGP, OSPF, radius…)
– Downloads configurations from devices (optional) and checks them
against the settings defined in the benchmark.

Vital Information Security


©2004 VITALISEC INC.

• Primary Objective of RAT


– Baseline the router configuration for the protection of the router

• Process
– Create baseline using ncat_config and company standard
– Acquire router configuration(s)
• Use snarf (or rat –a <ip address>
• Manually cut and paste config
• Network administrator sends to you
– Run rat against configuration file
– Review final output
• HTML
• Text
– Customizable

Vital Information Security


©2004 VITALISEC INC.

4 files
ncat.exe
– ncat checks configuration settings in static configuration files. The rules to be
checked for each configuration type are defined in a set of ncat configuration files.
ncat_config.exe
– Utility to build a baseline configuration file
ncat_report.exe
– ncat_report reads one or more ncat output files and produces text and HTML
reports ($config.html, $config.ncat_report.txt) listing rules violations found per the
config file.
rat.exe
– rat audits router configurations. If you have already downloaded the
configuration files by some other means, you may specify the path to
those files on the command line.
snarf.exe
– Utility to download router configuration

Vital Information Security


©2004 VITALISEC INC.

Demo

Vital Information Security


©2004 VITALISEC INC.

References
Cisco Advisories
http://www.cisco.com/warp/public/707/advisory.html
Hardening
http://www.cymru.com/Documents/secure-ios-template.html
http://www.cymru.com/Documents/secure-bgp-template.html
http://www.cisco.com/warp/public/707/21.html
Web Tools
http://www.powertech.no/smurf/
http://www.netscan.org/
Web Links
http://www.networkpackets.com/cisco_links.htm
ftp://ftp-eng.cisco.com/cons/

Vital Information Security


©2004 VITALISEC INC.

Vital Information Security


©2004 VITALISEC INC.

• For more information:


– www.Vitalisec.com
[email protected]
– (720)297-3300

• Travis Schack
[email protected]

Vital Information Security

You might also like