TRANSCRIPT
©2004 VITALISEC INC.
Vital Information Security
May 20, 2004
Securing & Auditing Cisco Routers
Vitalisec Inc.
Travis Schack – [email protected]
Travis Schack
• Founder and Senior Security Consultant
• Certifications
  – CISSP (Certified Information System Security Professional)
  – OPST trainer (OSSTMM Professional Security Tester)
  – OPSA trainer (OSSTMM Professional Security Analyst)
  – NSA IAM (INFOSEC Assessment Methodology)
  – 10 years IT and Information Security
• Industry Experience
  – IBM, Galileo Int’l, Rhythms Netconnections, Circadence, Janus Funds
  – Adjunct faculty for Denver University’s Master’s program in Information Security
  – Extensive Penetration and Vulnerability Testing experience
• Objectives
  – Role of the router in network security
  – Router threats and security drivers
  – “Best Practice” router hardening
    • Authentication & Authorization
    • Access list filtering
    • Services
    • Logging
    • Access controls
  – Valuable commands
  – Auditing tools and how to use them
  – Helpful web resources
• Assumptions
  – You already know the OSI Model
  – Familiarity with Cisco IOS
  – Many aspects are not covered
  – This session cannot teach router configuration
Role of the Router
• Primary function
  – Forwarding of packets between network segments
    • Routing decisions
    • Applies filters
    • Network traffic cop
• Router components
  – Processor
  – Memory
  – Storage
  – Interfaces
  – Runs Cisco IOS
Security Device?
• Security variables
  – Placement of the router
    • Core router (backbone): route packets as fast as possible
    • Distribution router (interior): boundary definition
    • Access router (border): allows access into the network; perimeter/border
  – Networks involved
  – Money
• Firewall
• IDS
Router Threats and Security Drivers
Cisco's IOS Source Leaked
May 17, 2004
By Enterprise IT Planet Staff

Word that source code for Cisco IOS was circulating on the Internet lit up message boards this weekend. Today, Cisco confirmed that an estimated 800MB of code for IOS 12.3 and 12.3t was indeed taken after hackers pilfered it from the company's network.

The theft was first reported on a Russian Web site dedicated to computer security, SecurityLab.ru.

IOS is the software that drives the company's routers. The release of this source is significant in that Cisco is the dominant networking gear provider; its very name is synonymous with the Internet backbone.

Although few are painting gloom-and-doom scenarios this early, the news is nonetheless worrisome for administrators lording over Cisco-based networks and users of the Internet.

Cisco is currently investigating the matter but as of yet no customer data seems to have been exposed during the breach. Cisco spokesman Jim Brady told tech journal internetnews.com, "Based on preliminary data, we don't believe any confidential customer information or financial systems were affected."

The exact nature of the breach, be it a vulnerability or an "inside job," still remains unresolved, but the likelihood of either appears unlikely, according to the company.

Cisco is the latest high-profile company to suffer a source-code leak. In recent months, Microsoft saw parts of its Windows 2000 source released. Valve, makers of the popular Half-Life PC game, had the source for its anticipated sequel leached from its systems late last year.
Cisco IOS Vulnerabilities
[Chart: number of Cisco IOS vulnerabilities per year, 1999–2004 (y axis 0–20), one series each for BID, ICAT and CVE]
Cisco IOS Vulnerabilities
[Chart: total number of Cisco IOS vulnerabilities by source (y axis 0–60) for BID, ICAT, CVE and OSVDB]
Common Router Vulnerabilities
1. Passwords
2. IOS bugs
3. Protocol attacks
4. Router management
   1. SNMP
   2. Access
5. Misconfigurations
6. Access controls

Proper configuration management can resolve many of these common vulnerabilities.

Resulting threats:
• Unauthorized access
• Access elevation
• Change of network flow
• Bypass of security devices
• Data capturing
• Denial of service
• Loss of service
Security Drivers
• Regulations
  – Sarbanes-Oxley (Section 404)
  – CA SB 1386
  – GLBA
  – FISMA
  – HIPAA
• Brand/Image
• Liability/Legal
• Rising costs of security incidents
• Proactive security culture
Router Security: “Best Practice Hardening”
• NSA Router Security Configuration Guide (mirror): http://nsa2.www.conxion.com/cisco/download.htm
Router Version
• Identification of security patches
  – http://www.cisco.com/warp/public/707/advisory.html
• Latest Cisco IOS
  – http://www.cisco.com/en/US/products/sw/iosswrel/products_ios_cisco_ios_software_category_home.html
• Router command
  – show version
• Display configuration
  – show running-config (the active configuration)
  – show startup-config (the saved configuration; “show configuration” is the older alias for this, so it does not show unsaved changes)
Two Login Modes
• First login: User EXEC mode (prompt ends in “>”)
• From User EXEC mode, type “enable”: Privileged EXEC mode (prompt ends in “#”)
Login Banner
• Command
  – banner motd <delimiter> <banner text> <delimiter>
  – Don’t give out specific information about the router (model, IOS version, owner, location); use the banner for an access warning, not a description of the device
User Accounts
• Use local accounts, AAA, or ACS
  – RADIUS
  – TACACS+
• Command
  – username <username> privilege <0-15> password <strong password>
    (where the IOS release supports it, “username <username> secret <password>” stores an MD5 hash instead of a reversible type 7 string)
• Example: remote authentication for the vty lines

aaa new-model
aaa authentication login remoteauth radius tacacs+ enable
tacacs-server host 172.16.1.11
tacacs-server key testTKey
radius-server host 172.16.1.12
radius-server key TestRKey
line vty 0 4
 login authentication remoteauth

Newer IOS syntax for the method list is “group radius group tacacs+ enable”. The “enable” method at the end is used only when the RADIUS and TACACS+ servers cannot be reached; a login the servers reject does not fall through to it.
Privileges
• 16 privilege levels (0–15)
• Predefined
  – 1: User EXEC mode
  – 15: Privileged EXEC mode
• Commands: move sensitive commands up to level 15 and leave only what operators need at level 1

privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show ip

Raising “show ip access-lists” to level 15 also raises its parent keyword “show ip”; the last line puts “show ip” back at level 1 so level-1 users keep the harmless “show ip …” commands.
Passwords
• Two password schemes
  – Type 5 (stronger): salted MD5 hash
    • Command
      – enable secret <password>
      – no enable password
  – Type 7 (weak!): reversible obfuscation that only masks the displayed password; anyone who can read the configuration can recover the plaintext
    • Command
      – service password-encryption
DEMO
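The “weak!” on the previous slide is demonstrable in a few lines. The following is an added example, not code from the slides: it decodes and re-encodes IOS type 7 strings and scans a constructed configuration excerpt for them. The key string is the fixed constant IOS uses; the configuration lines, user name and the type 5 hash placeholder are made up for the example.

```python
"""Added example, not code from the slides: why an IOS "type 7" string is
only obfuscation.  `service password-encryption` stores each password as a
two-digit decimal offset into a fixed key string followed by the password
bytes XORed with successive key bytes (a Vigenere-style cipher).  The key
string below is the well-known constant built into IOS; anyone who can read
the configuration can recover the plaintext instantly."""
import re

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # fixed IOS key string
_TYPE7_RE = re.compile(r"\d\d(?:[0-9A-Fa-f]{2})+")


def decode_type7(encoded: str) -> str:
    """Recover the plaintext from a type 7 string such as '0822455D0A16'."""
    if not _TYPE7_RE.fullmatch(encoded):
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])          # decimal offset into the key, not hex
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plaintext: str, offset: int = 8) -> str:
    """Produce the string IOS would store; IOS picks an offset in 0..15."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be in 0..15")
    body = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(plaintext.encode("ascii")))
    return f"{offset:02d}{body.hex().upper()}"


def find_type7_secrets(config_text: str):
    """Return (config line, recovered plaintext) for every type 7 string found,
    covering 'password 7 ...', 'key 7 ...' and similar forms."""
    hits = []
    for line in config_text.splitlines():
        for m in re.finditer(r"\b7 (\d\d(?:[0-9A-Fa-f]{2})+)\b", line):
            hits.append((line.strip(), decode_type7(m.group(1))))
    return hits


# Constructed configuration excerpt for this example; the type 5 value is a
# placeholder, not a real digest.
CONSTRUCTED_CONFIG = """\
service password-encryption
enable secret 5 $1$abcd$AAAAAAAAAAAAAAAAAAAAAA
enable password 7 0822455D0A16
username travis privilege 15 password 7 03105E1812
tacacs-server key 7 0822455D0A16
"""

if __name__ == "__main__":
    for line, plain in find_type7_secrets(CONSTRUCTED_CONFIG):
        print(f"{line!r:58} -> {plain!r}")
```

Running the scan over a saved configuration is a quick audit step: any “7” string it prints is effectively plaintext, so “enable password”, TACACS+/RADIUS keys and user passwords stored this way should be treated as disclosed to anyone who has seen the config. Still turn on “service password-encryption” (it defeats shoulder surfing), but rely on “enable secret” and, where available, “username … secret”.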
Access
• VTY/Aux/Console
  – VTY is used for remote connections
    • Access list (access-class)
    • Session timeout (exec-timeout)
  – Aux is used for modems
    • Disable: no exec
  – Console
    • line console 0
      – password <password>

Central(config)# ip telnet source-interface loopback0
Central(config)# access-list 99 permit 14.2.9.1 log
Central(config)# access-list 99 permit 14.2.6.6 log
Central(config)# access-list 99 deny any log
Central(config)# line vty 0 4
Central(config-line)# access-class 99 in
Central(config-line)# exec-timeout 5 0
Central(config-line)# transport input telnet
Central(config-line)# login local
Central(config-line)# exec
Central(config-line)# end
Central#

Telnet is cleartext, so credentials and the session itself can be captured on the path; where the IOS image supports it, use “transport input ssh” instead (next slide).
SSH
• IOS versions: 12.1(1)T / 12.0(10)S (image with 3DES); scp as of 12.2T
• Uses SSH version 1
  – Key recovery, CRC32, traffic analysis (SSHow), timing analysis and attacks
  – You can’t force 3DES only, nor use public keys for authentication
  – Fixed in 12.0(20)S, 12.1(8a)E, 12.2(3), …
• SSH version 2 is available from 12.3(4)T (“ip ssh version 2”)

hostname <hostname>
ip domain-name <domainname>
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
ip scp server enable
line vty 0 4
 transport input ssh
Access Control Lists
• Used for filtering traffic
  – Across interfaces
  – To the router itself
• Basic structure (standard ACL, 1–99)
  – access-list list-number {deny | permit} source [source-wildcard] [log]
• Extended ACL (100–199)
  – access-list list-number {deny | permit} protocol source source-wildcard [source-qualifiers] destination destination-wildcard [destination-qualifiers] [log | log-input]
• Wildcard masks are inverted: a 0 bit must match, a 1 bit is ignored (0.0.0.255 = a /24)
• Entries are evaluated top down and the first match wins; every list ends with an implicit “deny any”, so a list without a permit statement denies all traffic!
• Applying to an interface
  – ip access-group <access-list #> {in | out}
Access Control Lists
– TurboACL: compiles the list into lookup tables; benefits lists with 5+ ACEs
– Reflexive: enables on-demand, temporary reply filters (doesn’t work for protocols like H.323 that open secondary channels)
– Dynamic (lock-and-key): adds user authentication to extended ACLs
– Named: allows you to delete individual ACEs
– Time-based: adds a time-range option
– Context-Based Access Control (CBAC): “inspects” the protocol (helper/proxy/fixup-like), used in conjunction with ACLs
– MAC: filters on MAC address (700–799 standard, 1100–1199 extended)
– Protocol: filters on protocol type code (200–299)
Recommended Inbound ACL
Applied inbound on the external interface. The first line drops packets that claim to come from your own address space (anti-spoofing); the following lines drop loopback, RFC 1918, unspecified, documentation, link-local, multicast and broadcast sources that should never arrive from the Internet. Only traffic addressed to the internal subnet is permitted; everything else hits the implicit deny.

access-list 100 deny ip <Internal Subnet> any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 permit ip any 14.2.6.0 0.0.0.255
Recommended Outbound ACL
Applied to traffic leaving the network (egress filtering): only your own address space may appear as a source, so a compromised internal host cannot spoof other networks, and anything else is logged.

access-list 102 permit ip <Internal Subnet> any
access-list 102 deny ip any any log
SYN Flood Protection
Applied inbound on the external interface

access-list 106 permit tcp any <Internal Subnet> established
access-list 106 deny ip any any log

“established” matches only TCP segments with the ACK or RST bit set, so unsolicited inbound SYNs are dropped before they reach internal hosts. This works only for subnets that offer no services to the outside; any publicly reachable server still needs its ports permitted, and those ports remain floodable.
Land Attack Protection
Applied inbound to the external interface

access-list 100 deny ip host <External IP> host <External IP> log
access-list 100 permit ip any any

A land packet carries the router’s own external address as both source and destination. When this entry is merged into the inbound list above, the deny must come before the final permit, since the first match decides.
Smurf Attack Protection
Applied inbound on the external interface

access-list 110 deny ip any host x.x.x.255 log
access-list 110 deny ip any host x.x.x.0 log

x.x.x = Internal Subnet (assumes a /24; adjust the broadcast addresses for other masks). Also disable directed broadcasts on every interface (see the Interface slide), which is what actually stops the router from amplifying the attack.
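To see how the lists on the preceding slides actually decide on a packet (top-down evaluation, wildcard masks, “established”, the implicit deny), here is an added example, not code from the slides: a small evaluator for IOS numbered ACLs. The sample lists are the slide examples with the <Internal Subnet> placeholder replaced by 14.2.6.0/24, the deck’s example network, and the router’s external address assumed to be 14.2.1.2; port qualifiers, ICMP types and named or reflexive lists are not modelled.

```python
"""Added example, not code from the slides: a first-match evaluator for IOS
numbered access lists.  Modelled: standard (1-99, 1300-1999) and extended
lists, 'any', 'host', address/wildcard pairs, 'established' and the implicit
deny at the end of every list.  Not modelled: port qualifiers, ICMP types,
named or reflexive lists.  Sample lists follow the slides with 14.2.6.0/24 as
the internal subnet and 14.2.1.2 as the router's external address (assumed)."""
import ipaddress
from collections import namedtuple

ANY = (0, 0xFFFFFFFF)          # 0.0.0.0 with wildcard 255.255.255.255
# src/dst are (address, wildcard) integer pairs; text is the original line.
Ace = namedtuple("Ace", "action proto src dst established text")


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _is_ip(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ipaddress.AddressValueError:
        return False


def _parse_addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' (standard-list shorthand)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    if i + 1 < len(tok) and _is_ip(tok[i + 1]):
        return (_ip(tok[i]), _ip(tok[i + 1])), i + 2
    return (_ip(tok[i]), 0), i + 1


def parse_acls(config_text):
    """Return {list number: [Ace, ...]} in configuration order."""
    acls = {}
    for raw in config_text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        num, action = int(tok[1]), tok[2]
        if 1 <= num <= 99 or 1300 <= num <= 1999:     # standard: source only
            proto, dst = "ip", ANY
            src, i = _parse_addr(tok, 3)
        else:                                         # extended
            proto = tok[3]
            src, i = _parse_addr(tok, 4)
            dst, i = _parse_addr(tok, i)
        acls.setdefault(num, []).append(
            Ace(action, proto, src, dst, "established" in tok[i:], raw.strip()))
    return acls


def _match(addr, spec):
    a, wild = spec
    care = 0xFFFFFFFF ^ wild   # wildcard bit 1 = don't care, 0 = must match
    return (addr & care) == (a & care)


def evaluate(aces, proto, src, dst, established=False):
    """Top-down, first match wins; no match is the implicit 'deny any'.
    `established` is whether the TCP segment has ACK or RST set."""
    s, d = _ip(src), _ip(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not (_match(s, ace.src) and _match(d, ace.dst)):
            continue
        if ace.established and not established:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of list"


SAMPLE_ACLS = """\
access-list 99 permit 14.2.9.1 log
access-list 99 deny any log
access-list 100 deny ip 14.2.6.0 0.0.0.255 any log
access-list 100 deny ip host 14.2.1.2 host 14.2.1.2 log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny ip any host 14.2.6.255 log
access-list 100 deny ip any host 14.2.6.0 log
access-list 100 permit ip any 14.2.6.0 0.0.0.255
access-list 102 permit ip 14.2.6.0 0.0.0.255 any
access-list 102 deny ip any any log
access-list 106 permit tcp any 14.2.6.0 0.0.0.255 established
access-list 106 deny ip any any log
"""

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACLS)
    for pkt in [("tcp", "10.1.2.3", "14.2.6.10"), ("tcp", "198.51.100.7", "14.2.6.10"),
                ("icmp", "198.51.100.7", "14.2.6.255"), ("tcp", "14.2.1.2", "14.2.1.2")]:
        print(pkt, "->", evaluate(acls[100], *pkt))
```

Feeding a few packets through “evaluate” shows each slide’s point: a packet from 10.1.2.3 arriving on the outside is caught by the RFC 1918 line, an ICMP echo to 14.2.6.255 by the smurf line, a land packet by the host/host line, and a packet to any address outside 14.2.6.0/24 by the implicit deny even though no line names it. For list 106 the same inbound SYN is denied while a segment with ACK set is permitted.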
Unneeded Services
• Recommended
no ip bootp server
no service tcp-small-servers
no service udp-small-servers
no ip identd
no ip finger
service nagle
no cdp run
no boot network
no service config
no ip subnet-zero
no service finger
no service pad
no ip http server
no ip source-route

“no ip finger” and “no service finger” are the newer and older forms of the same setting. “service nagle” is the one line here that turns something on: it enables Nagle’s algorithm on the router’s own TCP sessions.
Unneeded Services – cont’d
no ip forward-protocol udp 69
no ip forward-protocol udp 53
no ip forward-protocol udp 37
no ip forward-protocol udp 137
no ip forward-protocol udp 138
no ip forward-protocol udp 67
no ip forward-protocol udp 68
no ip forward-protocol udp 49
no ip forward-protocol udp 42
no ip helper-address   (interface command)

Once an ip helper-address is configured, IOS forwards these UDP broadcasts by default: TFTP (69), DNS (53), TIME (37), NetBIOS name and datagram service (137, 138), BOOTP/DHCP (67, 68), TACACS (49) and IEN-116 name server (42).
If UDP broadcast forwarding is needed, enable only the specific port and control it with an access list.
Interface
• Disable the ability to spoof and perform probes (apply on each interface)
no ip proxy-arp
no ip directed-broadcast
no ip unreachables
no ip mask-reply
no ip redirects
NTP
• Set clock configuration
  – clock timezone UTC 0
  – no clock summer-time
• Only allow NTP from the peers you need, using an access list
• Use authenticated NTP

ntp update-calendar
ntp authentication-key 10 md5 <key>
ntp authenticate
ntp trusted-key 10
ntp server x.x.x.x key 10
ntp access-group peer 20
access-list 20 permit host x.x.x.x
access-list 20 deny any
SNMP
• Do NOT use SNMP version 1; version 2c still sends community strings in cleartext, so prefer version 3 with authentication and privacy
• Change the default public and private community strings; use read-only strings restricted by an access list, and avoid read-write access where you can

SNMP VERSION 3
snmp-server view cutdown internet included
snmp-server view cutdown ip.21 excluded
snmp-server group engineering v3 priv read cutdown access 10
snmp-server user nico engineering v3 auth md5 myp4ss priv des56 mydes56
access-list 10 permit x.x.x.x
access-list 10 deny any log

SNMP VERSION 2
snmp-server view cutdown internet included
snmp-server view cutdown ip.21 excluded
snmp-server community r3ad view cutdown RO 10
snmp-server community wr1te RW 10
snmp-server enable traps <…>
snmp-server host x.x.x.x <community>
snmp-server trap-source loopback0
access-list 10 permit x.x.x.x
access-list 10 deny any log

The “cutdown” view needs an included subtree to be non-empty; it exposes the MIB tree but hides the IP routing table (ip.21 = ipRouteTable), which is what an attacker would map first.
Logging
• Syslog
  – The local buffer is small and the oldest entries are overwritten
  – Send logs to a remote syslog server
  – Log all denies
  – Log all configuration changes

no ip domain lookup
service timestamps log datetime localtime show-timezone msec
service timestamps debug datetime localtime show-timezone msec
logging x.x.x.x
logging trap debugging
logging source-interface loopback0
logging buffered 64000 debugging

“logging trap debugging” sends every message, including debug output, to the server; on a busy router “logging trap informational” is usually enough.
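Sending the logs somewhere is only useful if something reads them. The following is an added example, not code from the slides: it parses IOS syslog messages as a remote syslog server stores them, aggregates ACL denies per source, flags denied sources in the ranges the recommended inbound ACL treats as spoofed, and lists configuration changes. The log lines, router name “central”, user name and addresses are constructed for this example; the message layout follows the IOS “%FACILITY-SEVERITY-MNEMONIC: text” convention with the timestamp settings from the slide.

```python
"""Added example, not code from the slides: pull the two things the Logging
slide says to capture, ACL denies and configuration changes, out of IOS
syslog messages, and flag denied sources that fall in the ranges the
recommended inbound ACL denies.  All sample log lines are constructed."""
import ipaddress
import re
from collections import Counter

IOS_MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")
# 'list 100 denied tcp 10.1.2.3(4312) -> ..., 1 packet'  /  'list 99 denied 198.51.100.7 1 packet'
ACL_DENY = re.compile(r"list (?P<acl>\S+) denied (?:[a-z0-9]+ )?(?P<src>\d{1,3}(?:\.\d{1,3}){3}).*?(?P<pkts>\d+) packets?$")
CONFIG_CHANGE = re.compile(r"Configured from (?P<via>\w+) by (?P<user>\S+)(?: on (?P<line>\S+) \((?P<src>[\d.]+)\))?")

# The same ranges the recommended inbound ACL denies as sources from outside.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def parse_message(line):
    """Return facility/severity/mnemonic/text of an IOS message, or None."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    return msg


def is_bogon_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)


def summarize(lines):
    """Aggregate denied packets per source, spoofed sources and config changes."""
    report = {"denied_packets_by_source": Counter(), "spoofed_sources": set(),
              "config_changes": [], "by_mnemonic": Counter(), "unparsed": 0}
    for line in lines:
        msg = parse_message(line)
        if msg is None:
            report["unparsed"] += 1
            continue
        report["by_mnemonic"][msg["mnemonic"]] += 1
        if msg["mnemonic"].startswith("IPACCESSLOG"):       # IPACCESSLOGP / DP / S / NP
            m = ACL_DENY.search(msg["text"])
            if m:
                report["denied_packets_by_source"][m["src"]] += int(m["pkts"])
                if is_bogon_source(m["src"]):
                    report["spoofed_sources"].add(m["src"])
        elif msg["mnemonic"] == "CONFIG_I":                  # somebody changed the config
            m = CONFIG_CHANGE.search(msg["text"])
            if m:
                report["config_changes"].append((m["user"], m["line"] or m["via"], m["src"]))
    return report


# Constructed sample as a syslog server would store it (its own timestamp and
# hostname first, then the router's sequence number and timestamped message).
LOG_SAMPLE = """\
May 20 14:03:22 central 1201: May 20 14:03:22.117 MDT: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.1.2.3(4312) -> 14.2.6.10(80), 1 packet
May 20 14:03:29 central 1202: May 20 14:03:29.402 MDT: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.1.2.3(4313) -> 14.2.6.10(443), 2 packets
May 20 14:04:01 central 1203: May 20 14:04:01.009 MDT: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 198.51.100.7 -> 14.2.6.255 (8/0), 5 packets
May 20 14:05:10 central 1204: May 20 14:05:10.551 MDT: %SEC-6-IPACCESSLOGS: list 99 denied 198.51.100.7 1 packet
May 20 14:06:45 central 1205: May 20 14:06:45.300 MDT: %SYS-5-CONFIG_I: Configured from console by travis on vty0 (14.2.9.1)
May 20 14:07:00 central 1206: May 20 14:07:00.000 MDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
this line is not an IOS syslog message
"""

if __name__ == "__main__":
    r = summarize(LOG_SAMPLE.splitlines())
    print("denied packets by source:", dict(r["denied_packets_by_source"]))
    print("spoofed sources:", sorted(r["spoofed_sources"]))
    print("config changes:", r["config_changes"])
```

The report groups packet counts rather than message counts because IOS rate-limits ACL log messages and summarizes repeats into “N packets”. A hit in “spoofed_sources” on the outside interface means somebody is sending you forged packets (or your own ACL is misplaced); a “config_changes” entry with a user or source address you do not recognize is worth a call before the next audit.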
Auditing Cisco Routers
• Auditing router configurations manually can be time consuming
  – Manual check using a checklist
    • Hands-off (review a saved configuration)
    • Hands-on (on the device; needs privileged EXEC access)
  – Crosswalk the configuration with a checklist
  – The NSA checklist is 5 pages long!
• Automation
  – Use a script/program to audit the configuration against a baseline configuration
    • Corporate standard baseline
    • Vendor recommendations
    • Industry “best practice”
Tools
• http://home.jwu.edu/jwright/perl.htm
  – Various Perl scripts for router management
    • snatchcisco.pl
    • grabciscoconf: script that uses SNMP to grab the configuration file
• http://tool.sourceforge.net
  – Accomplishes several tasks, including downloading and uploading of configs and execution of commands on single or multiple routers of various types
  – Perl scripts
    • configDiff: downloads configs based on a host list, then calls configHash to get the differences between the new config and the latest archived config
    • configHash
Tools – cont’d
• http://hotunix.com/tools/
  – Shell script that automates the audit of configurations from multiple routers and switches
  – Based on Cisco, NSA, and SANS security guides and recommendations
  – Reporting is granular
    • Down to individual device interfaces, lines, ACLs, ASs, etc.
  – Last modified June 20, 2003
Tools – cont’d
•  http://www.shrubbery.net/rancid/
  – Really Awesome New Cisco config Differ
  – Monitors a router’s configuration, including software and hardware, using CVS
  – Supports the following systems:
    • Cisco routers
    • Juniper routers
    • Catalyst switches
    • Foundry switches
    • Redback NASs
    • ADC-Kentrox EZ-T3 muxes
    • MRTd
    • Alteon switches
    • HP ProCurve switches
CIS
• http://www.cisecurity.com
  – Center for Internet Security
  – Non-profit organization
• Mission
  – To help organizations around the world effectively manage the risks related to information security. CIS provides methods and tools to improve, measure, monitor, and compare the security status of your Internet-connected systems and appliances, plus those of your business partners.
• Membership
  – SANS, ISC2, ISACA, IIA, AICPA, MITRE
RAT
• http://www.cisecurity.com/bench_cisco.html
  – Router Audit Tool
• http://ncat.sourceforge.net
  – Perl based
  – Works on both Windows and Unix platforms
  – Version 2.1
• Level-1 benchmark
  – Minimum-security requirements for due care; based on the NSA Router Security Configuration Guide
• Level-2 benchmark
  – Settings are optional
  – Many settings for which no benchmark standards are yet defined (e.g., SSH, IPsec, BGP, OSPF, RADIUS, …)
• Downloads configurations from devices (optional) and checks them against the settings defined in the benchmark
• Primary objective of RAT
  – Baseline the router configuration for the protection of the router
• Process
  – Create a baseline using ncat_config and the company standard
  – Acquire the router configuration(s)
    • Use snarf (or rat -a <ip address>)
    • Manually cut and paste the config
    • The network administrator sends it to you
  – Run rat against the configuration file
  – Review the final output
    • HTML
    • Text
  – Customizable
Files
ncat.exe
  – ncat checks configuration settings in static configuration files. The rules to be checked for each configuration type are defined in a set of ncat configuration files.
ncat_config.exe
  – Utility to build a baseline configuration file
ncat_report.exe
  – ncat_report reads one or more ncat output files and produces text and HTML reports ($config.html, $config.ncat_report.txt) listing the rule violations found per config file.
rat.exe
  – rat audits router configurations. If you have already downloaded the configuration files by some other means, you may specify the path to those files on the command line.
snarf.exe
  – Utility to download the router configuration
Demo
References
Cisco Advisories
  http://www.cisco.com/warp/public/707/advisory.html
Hardening
  http://www.cymru.com/Documents/secure-ios-template.html
  http://www.cymru.com/Documents/secure-bgp-template.html
  http://www.cisco.com/warp/public/707/21.html
Web Tools
  http://www.powertech.no/smurf/
  http://www.netscan.org/
Web Links
  http://www.networkpackets.com/cisco_links.htm
  ftp://ftp-eng.cisco.com/cons/
Useful Router Commands
• show clock detail
• show version
• show running-config
• show startup-config
• show reload
• show ip route
• show ip arp
• show users
• show logging
• show cdp entry *
• show access-lists
• show ip interface
• show interfaces
• show tcp brief all
• show ip sockets
• show ip nat translations verbose
• show ip cache flow
• show ip cef
• show snmp user
• show snmp group
• show ip protocols
• For more information:
  – www.Vitalisec.com
  – [email protected]
  – (720) 297-3300
• Travis Schack
  – [email protected]