Network Security 1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device itself – Routers – Firewalls – Switches Authentication servers wireless access points –…

Upload: winfield-reynold

Post on 31-Dec-2015


TRANSCRIPT

Page 1: – Chapter 3 –  Device Security (B)

Network Security 1

– Chapter 3 – Device Security (B)

• Security of major devices:

How to protect the device against attacks aimed at compromising the device itself
– Routers
– Firewalls
– Switches
– Authentication servers
– Wireless access points
– …

Page 2:

Steps to secure a router:

1. Backup of configuration files and the router software

2. Controlling access to the router (tty, vty ports)

3. Securing access to the router (via SSH)

4. Password management

5. Logging events on the router

6. Disabling unnecessary services

7. Using loopback interfaces

8. Controlling SNMP as a management protocol

9. Controlling HTTP as a management protocol

10. Using CEF as a switching mechanism

11. Setting up the scheduler from a security perspective

12. Using the Network Time Protocol (NTP)

13. Login banners

14. Capturing core dumps

15. Using service nagle to improve Telnet access during high CPU events

Page 3:

2. Controlling access to the router

• A tty port is physically connected to a terminal or workstation for local administrative access to the router.

• An aux port, similar to a tty port, is connected to a modem for remote out-of-band administrative access to the router.

• A vty (virtual tty) port is used to allow remote in-band connection sessions, via telnet, ssh, or rlogin.

• See http://www.netbook.cs.purdue.edu/othrpags/qanda272.htm for Q&A on “out-of-band” network management.

Page 4:

Vulnerabilities of tty or aux ports

• A tty or aux port may suffer a reverse telnet attack, where the terminal server connected to the tty port, or the modem connected to the aux port of the router, is used by the attacker (as a remote client) to access the router.

• Reverse Telnet (as defined in Wikipedia)

• Check out this link to see an illustration of using ‘reverse telnet’ to remotely access a router. (diagrams below)

Page 5:

Normal telnet

Page 6:

Reverse Telnet

Page 7:

Reverse Telnet (cont.)

• Another example: What is Reverse Telnet and how do I configure it?

Page 8:

Vulnerabilities of tty or aux ports

• Solution?

– Disable the console port:

  line con 0
   transport input none

– Allow only SSH access to a router’s console port (a feature added to IOS v12.2 or higher):

  line con 0
   login authentication default
   rotary 1
   transport input ssh
  ip ssh port 2001 rotary 1

• Requirement: The router must be set up as a SSH server.

Page 9:

Controlling vty access

1. Restricted access: Only allow the protocols that will be used by the network admin
• Since Cisco IOS v11.1, the default is none.
• Example: To allow only telnet and ssh connections

  line vty 0 4
   transport input telnet ssh

2. Only addresses in the ‘access list’ are allowed to connect: access-class, access-list (See example 3-6)

3. Short timeouts:
• The default timeout value is 10 minutes. To set it to 5 min. 30 sec.:

  line vty 0 4
   exec-timeout 5 30

4. Authentication for vty access: either local or RADIUS authentication (preferred).

Page 10:

3. Securing access to the router using encryption

• IPsec VPN client (preferred; more details in Ch 13)

– Two cases:

A. The VPN client accesses a back-end LAN (the destination) by building a tunnel between itself and a router (the IPsec gateway), behind which the LAN is located.

B. The VPN client is used to remotely administer the router, which is both the gateway and the destination.

• SSH: Only SSH v1 is supported by Cisco IOS

Example 3-11

Page 11:

4. Password Management

• Passwords stored on the router should be properly encrypted.

• The default password-encryption is either type 0 (clear text passwords) or type 7 (weak encryption).

• Use the enable secret command to activate MD5 when encrypting passwords.

• Example 3-12

Page 12:

5. Logging events

• Advantages: Allows auditing and tracking
– forensics (in case of an attack)
– performance tuning (maintenance)

• Requirement: good time stamping using NTP

• Example: 3-13

Page 13:

6. Disable unnecessary services

• If a service is not being actively used on a device, it should be disabled.

• Otherwise it may be used as a back door for the attacker to gain access to the device.

• Sample services to be disabled (Table 3-1): TCP small servers, UDP small servers, Finger server, …

Page 14:

7. Using loopback interfaces

• Advantages: Enable a block of IP addresses to be assigned to be used by loopback.

– All routers can be forced to use these loopback IP addresses as source addresses when accessing the servers.

– The servers can then also be locked down to allow access only from this block of IP addresses.

• Accesses from addresses outside this block are denied.

• Example 3-14

Page 15:

8. Controlling SNMP (as a management protocol)

• SNMP can be used in read-only and ‘read and write’ modes

• Unless necessary, use read-only mode on routers.

• The ‘read and write’ mode allows the admin to modify the router’s configurations via SNMP.

• Access into the network via SNMP should be blocked at the network’s boundary.

Page 16:

8. Controlling SNMP (as a management protocol)

• Security of SNMP:

– v1 and v2 use ‘community strings’ as the only authentication mechanism. (Not secure)

– v3 is more secure by providing MD5 or SHA for authentication, and DES for encryption.

– SNMP v3 threats vs protections (p.65): next page

Page 17:

8. Controlling SNMP (as a management protocol)

• SNMP v3 threats vs protections

Threat → Protection

• modification of info → Message integrity

• masquerade → Message authentication

• disclosure → Encryption

• message stream modification (messages might be maliciously reordered, delayed, or replayed to a greater extent than can occur through the natural operation of a subnetwork service, to effect unauthorized management operations) → Timestamped messages, Session identifiers (sequence numbers)
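As an added illustration of how SNMP v3’s user-based security model turns the table above into concrete checks (example code added here, not from the slides or from any SNMP library): the truncated HMAC covers masquerade and modification, and the engine boots/time fields with the 150-second window from RFC 3414 cover replay and delay. The key, the text framing of the header and the payload are constructed for the example; real USM derives the key from the passphrase and engine ID and encodes everything in BER. Encryption (the disclosure row) is not shown.

```python
import hmac
import hashlib

# Constructed localized authentication key; real USM derives it from the
# user's passphrase and the authoritative snmpEngineID (RFC 3414).
AUTH_KEY = b"constructed-localized-key"
MAC_LEN = 12           # HMAC-SHA-96: HMAC-SHA-1 output truncated to 96 bits
TIME_WINDOW = 150      # RFC 3414 timeliness window, in seconds


def _mac(boots, etime, payload):
    # USM computes the HMAC over the whole message with the authentication
    # parameters field set to zeros; this toy framing keeps the fields as text.
    msg = f"{boots}:{etime}:".encode() + b"\0" * MAC_LEN + payload
    return hmac.new(AUTH_KEY, msg, hashlib.sha1).digest()[:MAC_LEN]


def sign(boots, etime, payload):
    """Sender: attach snmpEngineBoots, snmpEngineTime and the truncated HMAC."""
    return f"{boots}:{etime}:".encode() + _mac(boots, etime, payload) + payload


def verify(msg, local_boots, local_time):
    """Receiver: check authentication first, then timeliness, as RFC 3414 does."""
    boots_b, time_b, rest = msg.split(b":", 2)
    received_mac, payload = rest[:MAC_LEN], rest[MAC_LEN:]
    expected = _mac(int(boots_b), int(time_b), payload)
    if not hmac.compare_digest(received_mac, expected):
        return False, "authentication failed: masquerade or modification"
    # Boots must match and time must be within the window, else the message
    # may be a replay or was delayed far beyond normal network behaviour.
    if int(boots_b) != local_boots or abs(int(time_b) - local_time) > TIME_WINDOW:
        return False, "outside the time window: replay or excessive delay"
    return True, "ok"
```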

Page 18:

9. Controlling HTTP (as a management protocol)

• Unless necessary, HTTP access to the router should be disabled.

• Admin access to the router via HTTP should be secured, by activating authentication.

• Example: 3-19
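The vty controls (page 9), password management (page 11), SNMP mode (page 15) and HTTP management (this page) can all be checked offline against a saved running-config. The auditor below is an added example, not code from the slides or from Cisco; the config excerpt is constructed so that every check reports something, and the step numbers in the findings refer to the list on page 2.

```python
import re

# Constructed running-config excerpt (not from the slides): it mixes weak and
# hardened settings so that every check below has something to report.
SAMPLE_CONFIG = """\
enable password 7 094F471A1A0A
username admin secret 5 $1$salt$PLACEHOLDERHASH
username backup password 0 letmein
ip http server
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 exec-timeout 5 30
line vty 5 15
 transport input all
"""

def parse_line_blocks(config):
    """Map each 'line ...' stanza name to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
    return blocks

def audit(config):
    """Return findings keyed to the slide's hardening steps (2, 4, 8, 9)."""
    findings = []
    for line in config.splitlines():
        if re.match(r"(enable password|username \S+ password) [07] ", line):
            findings.append(f"type 0/7 password in '{' '.join(line.split()[:2])}'; use secret (step 4)")
        if line.strip() == "ip http server":
            findings.append("HTTP management enabled; disable unless needed (step 9)")
        if re.match(r"snmp-server community \S+ RW", line):
            findings.append("read-write SNMP community; prefer read-only (step 8)")
    for name, body in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue
        if "transport input all" in body:
            findings.append(f"line {name}: transport input all; allow only admin protocols (step 2)")
        if not any(b.startswith("access-class ") for b in body):
            findings.append(f"line {name}: no access-class; restrict source addresses (step 2)")
        if not any(b.startswith("exec-timeout ") for b in body):
            findings.append(f"line {name}: default 10-minute exec-timeout; shorten it (step 2)")
    return findings
```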

Page 19:

10. Using CEF as a switching mechanism

• Cisco Express Forwarding

• Routers using the traditional switching mechanisms need to update routing caches when packets destined for new addresses arrive.

• SYN floods and DDoS attacks use a large number of random or pseudo-random IP addresses as ultimate targets.

• CEF replaces the normal routing cache with a data structure that mirrors the entire routing tables.

• It does away with the need to update the cache each time a new IP address needs to be routed to.

Page 20:

11. Using the scheduler

• scheduler allocate

• scheduler interval

• To prevent the router from becoming too busy responding to the interrupts on its interfaces due to the large number of packets arriving during a large-scale network attack, esp. a DDoS attack

• Example 3-21

Page 21:

12. Using NTP

• Network Time Protocol

• Critical for services requiring good time stamping: logging, AAA, Kerberos, …

• Challenge: authentication between devices exchanging NTP information

Page 22:

13. Login banners

• Sequence:
– Login banner
– login session
– MOTD banner
– EXEC banner (or incoming banner)

• Example: 3-25

Page 23:

14. Capturing core dumps

• In the event of system crash, the core dump may provide useful info for tracking the attack(s).

• Example: 3-26

Page 24:

15. Service nagle

• Nagle is an algorithm that can be enabled as a service on a Cisco router, to allow the router to pace the TCP connection for Telnet in a way that reduces the burden on the CPU and generally improves the performance of the Telnet session.

– service nagle (Example 3-27)

Page 25:

Security of other devices

• Firewalls, switches, …

• Similar procedure:
– Check the default settings
– ‘Harden’ the device before placing it into use in the production network.