network security
34Cisco Systems ConfidentialCisco Systems Confidential 0036_08F7_c2
Internet Security
‘Internet and Intranet - meeting future business needs’
Before we Begin......
• Attendees agree that this information will be circulated on a very strict need-to-know basis, as it is sensitive and can cause security problems.
• While the information in this document is not confidential, there is information that could be harmful if given to the wrong individuals.
• The only way to understand security problems is to know what they are. This means that they may also be exploited by those who are untrustworthy.
New Network Threats
• CIA Web Site Hacked
• Netcom Credit Card Information Stolen
Need for More Security
… and the “Net” Has Changed!
Original ARPAnet | Today’s Internet | Implications
1983: 200 Core Nodes; Linear Growth | 11.6 Million Core Nodes; Exponential Growth | Shortage of Unique IP Network Numbers Imminent
Large Time-Sharing Nodes, Mostly Educational | Large and Distributed ISP-Connected Organizations | CIDR, NAT, DHCP for Client Only, IPv6
“Difficult” Security Underlying Technology Known to Few | Numerous Untrusted Private Sector Hosts; Hackers Abound | Firewalls, Encryption
Internetwork
[Diagram: consumers, enterprises, small businesses and professional offices connected through the Internet]
Putting Things in Perspective
• 75% of computer attacks are never detected.
• Only 15% of all computer crimes are instigated by outsiders.
• 80% - 85% are launched by insiders - people you thought you could trust.
Where’s the Threat? ... Corporate Space
[Diagram: Internet and terminal-server access on one side (20%), employees inside the corporate network on the other (80%)]
Where’s the Threat? ... ISP Space
[Diagram: Internet and terminal-server access (20%) versus customers and the corporate network (80%)]
Security Services
Have You Experienced Computer or Network Security Breaches in the Last Year?
Yes: 48%
No: 52%
Source: Computer Security Institute and FBI Computer Crime Division, Fortune 500 Survey, 1995
What are the Threats?
• “Trusted” Users: Remember, 80-85% of all break-ins are caused by people who are insiders.
• Amateurs: Cyberpunks, hackers, vandals, crackers, jerks, etc.
• Professionals: No-win situation
What are the Threats? “Trusted” Users
• 80% - 90% of all break-ins are caused by people who work for the organizations they broke into!
• Many are caught accidentally
• Many are amateurs and are caught because they are careless
• Most are quietly removed
• Very few are reprimanded
What are the Threats? “Trusted” Users
• Extremely few are prosecuted by the legal system
• Never at a financial institution
• Never at a site where there is a possible link to harm to life, or where there is a tie-in to public view
• In some places there is little understanding of how to handle the legal problem
• Most companies do not want publicity
What are the Threats? “Trusted” Users
Most break-ins are either:
• Greed-oriented
• Revenge-oriented
• Malicious
• Information acquisition
• Accidental initially, but an opportunity to the user of the system
What are the Threats? Amateurs
• Amateurs usually leave a trail that is not too difficult to pick up
• Amateurs will eventually screw up
• Amateurs do not know when to quit
• Amateurs, with careful monitoring, may be found quickly
• Most Internet cyberpunks are amateurs
What are the Threats? Professionals
• Professionals are rarely detected
• Professionals are difficult to find
• Professionals will usually originate from a break-in elsewhere
• Professionals leave no traceback
• Professionals know when it is time to leave
• Professionals will take what they want, no matter what is done to safeguard information
What are the Threats? Bottom Line
If someone wants the information badly enough, and he/she knows what they are doing, they will not be stopped and you may consider the information to be “history.”
IT Issues
• Enterprise information becoming more valuable/vulnerable
[Chart: over time, connectivity, Internet traffic and business value/importance grow far faster than IT spending (<10% growth)]
The Security Dilemma
• Security is complicated to implement
• Security cannot be implemented uniformly
• Internet connection is a security risk
More than 200 Fortune 1000 companies were asked if they had detected attempts from outsiders to gain computer access in the past 12 months:
Yes: 58%
No: 12%
Don’t Know: 30%
If “yes”, how many successful accesses were detected?
1-10: 42%
11-20: 25%
21-30: 16%
31-40: 10%
41-50: 5%
50+: 2%
Source: Warroom Research
Solutions Before you Begin.......
• On-Site Security Policy
• Host Security (UNIX/VMS)
• Workstation Security (X, MS, Mac, OS/2)
• Network Security
• Password Policies
• Application Security
• Tools to Track Attacks
• Ability to lock ‘em up (every security policy needs a hammer)
Creating Cisco Solutions
[Diagram: Core, Access, InterWorks, Workgroup and Internet BU products (firewalls, translation gateways, traffic directors, client and server software), integrated with Cisco IOS™ software, delivering end-to-end security solutions, scalability for global and enterprise WWW applications, Internet/intranet connectivity and security for Novell and DEC customers, end-to-end multimedia solutions, and scalable “plug-and-play” TCP/IP environments]
Security Is a System
Physical Security Example: “What Are You Trying to Protect?”
[Diagram of a car: motion detector (wheels/entry), perimeter detector (door entry), sound detector (glass entry), lock nuts (wheels), engine kill (theft), locator/detector (theft)]
Technical Requirements
• Authentication: Who it is
• Authorization: What is permitted
• Accounting: What was done
• Data integrity: Data is unaltered
• Confidentiality: No unauthorized review
• Assurance: Everything operates as specified
Cisco Security Today
[Diagram: Dial, Firewall and Network Infrastructure columns listing PAP/CHAP, TACACS+/RADIUS, Kerberos, L2F, Lock-and-Key, Access Control Lists, Token Card Support, Logging, Route Filtering, NAT, GRE Tunnels, CiscoSecure™, Encryption, Privilege Levels, Certificate Authority, Cut-Through Proxy]
Solutions Before you Begin.......
Security is an ATTITUDE!
Security Objective: Balance
Access: Connectivity, Performance, Transparency
Security: Authentication, Authorization, Accounting, Assurance, Confidentiality, Data Integrity
Every Customer’s Needs Will Be Different!
Host Security
• File Sharing
• Anonymous FTP
• Guest Login
• Mail
If a host is not secure, then neither is the network
Network Security Options
• No Internet connection
• Packet filtering with Access Control List (ACL)
• Firewalls
• Privacy with encryption
[Diagram: encryption, address translation, user authentication, secure routing, access control, legacy integration, event logging, multiprotocol tunnels, enterprise gateways]
Definition of a Firewall
Firewalls are perimeter security solutions, deployed between a trusted and an untrusted network, often a corporate LAN and an Internet connection.
Firewall Architecture: Packet Filtering
[Diagram: Internet, public WWW, public FTP and DNS/Mail servers behind a Cisco IOS firewall]
Cisco IOS 11.2 provides:
1. Access lists
2. Packet filtering
3. Network Address Translation
4. Encryption
Firewall Architecture: Cisco PIX Firewall (Dedicated)
[Diagram: Internet, public WWW, public FTP and DNS/Mail servers behind a dedicated Cisco PIX Firewall]
Demilitarized Zone (DMZ)
[Diagram: public WWW, public FTP and DNS/Mail servers placed in a DMZ between the Internet and the internal network]
Proxy Servers
[Diagram: a proxy server between the Internet and the internal network, with public WWW, public FTP and DNS/Mail servers; internal connections are outbound only]
Firewall with Address Translation
• Cisco PIX Firewall - dedicated, OR
• Cisco IOS 11.2 - NAT in software (CiscoSecure access router)
[Diagram: private IPs 10.0.0.0 inside, registered IPs 192.128.234.0 outside; public WWW, public FTP and DNS/Mail servers on the Internet side]
Encryption
[Diagram: “YOUR Text” crosses the Internet as cipher text “2$3B9F37” and is recovered as “YOUR Text” at the far end; public WWW, public FTP and DNS/Mail servers]
Scaling Internet Firewalls (by Internet link speed)
• Fractional E1/T1: small office; all in one; costs less
• = E1/T1: gateway router and firewall; encryption performance
• > DS3/45 Mbps: gateway router and firewalls; scalable encryption performance
Dial Security
• Centralized security with TACACS+ / RADIUS
• Lock and Key
Centralized Security
[Diagram: a dial client connects to an access server, which queries CiscoSecure (TACACS+ or RADIUS) for authentication, authorization and accounting]
Lock and Key
• Enables dynamic Access Control Lists
• Single user on a LAN
• Per-user authorization and authentication
[Diagram: an authorized user is admitted through the router after a check with CiscoSecure; a non-authorized user is blocked from the Internet side]
Virtual Private Dial Networks
• Encrypted access
• Multiprotocol — IP, IPX, SNA, AppleTalk
[Diagram: dial users reach the corporate network across the Internet, authenticated by a CiscoSecure TACACS+ server]
Virtual Private Networks (IOS, PIX)
Virtual Private Networks
• Replace private WAN with public network access
• Intracompany traffic is private and authenticated
• Internet access is transparent
[Diagram: remote offices and the corporate LAN connected over a public network]
Encryption Alternatives
Application-Layer Encryption: Application layers (5–7)
Network-Layer Encryption: Transport/Network layers (3–4)
Link-Layer Encryption: Link/Physical layers (1–2)
Application Encryption
• Encrypts traffic to/from interoperable applications
• Specific to application, but network independent
• Application dependent: all users must have interoperable applications
• Examples: S/MIME, PEM, Oracle Securenet, Lotus cc:Mail and Notes
Network Encryption
• Encrypts traffic between specific networks, subnets, or address/port pairs
• Specific to protocol, but media/interface independent
• Does not need to be supported by intermediate network devices
• Independent of intermediate topology
• Example: Cisco IOS and PIX
[Diagram: hosts A, B and D, an HR server and an e-mail server; A to HR Server encrypted, all other traffic clear]
Link Encryption
• Encrypts all traffic on a link, including network-layer headers
• Specific to media/interface type, but protocol independent
• Topology dependent: traffic is encrypted/decrypted on a link-by-link basis; all alternative paths must be encrypted/decrypted
Cisco IOS Encryption Services
• Policy by network, subnet, or address/port pairs (ACL)
• DSS for device authentication; Diffie-Hellman for session key management
• DES for bulk encryption: DES 40 bit—generally exportable; DES 56 bit—restricted
• Hardware assist—VIP2 service adapter
[Diagram: sites A, B, C and D on a private WAN with a link to the public Internet, an HR/Financial server and an e-mail server; A to C, D in the clear; B to C, D encrypted]
Cisco IOS Encryption Options
• Cisco IOS software on 100X, 25xx, 4xxx, 7xxx series routers
• On Cisco RSP 7000 and 7500 series, encryption services are performed centrally on the master RSP and/or distributed on the VIP2-40
• Encryption service adapter for Versatile Interface Processors (VIP): provides higher-performance encryption for local interfaces; tamper-proof
[Diagram: Cisco 7000 and 7500 with master and slave Route Switch Processors and Versatile Interface Processors, each carrying port adapters and an encryption service adapter: high-performance hardware-encrypted virtual private networks]
PIX Private Link
PIX Private Link Frame: Encapsulation Header (outer IP, UDP) | Encrypted Information (inner IP, Data) | MAC CRC
[Diagram: PIX/Private Link units in front of networks A, B, C and D exchange IP data across the public network/Internet]
PIX Private Link Benefits
• Secures data communication between sites
• Reduces high monthly cost of dedicated leased lines
• Complete privacy
• Easy installation—two commands, no maintenance
• Compliant with IETF IPSEC—supports AH (RFC 1826) and ESP (RFC 1827)
• Adds value to your Internet connection
• Augment and back up existing leased lines
Private Link Private Network—Satellite Division
[Diagram: PIX A and PIX B link an intranet (10.0.0.0; Engineering 172.17.0.0, Marketing 172.18.0.0, Executive 172.19.0.0) across the Internet; a DMZ (171.69.236.2, 171.68.10.4) holds the TACACS+ server, RADIUS server, SMTP gateway and UNIX DB gateway]
Tricks to Secure Your Router
Protecting Your Router
• Terminal Access Security
• Transaction and Accounting Records
• Network Management Security
• Traffic Filters
• Routing Protocol Security
• Securing Router Services
The Router’s Role in a Network
[Diagram: host systems (TCP/IP, IPX) and DOS, Windows and Mac workstations connected through routers to the Internet over TCP/IP]
Terminal Access Security
Console Access
• Change your passwords - do not use the default.
• Make sure the privileged (enable) password is different from the access (login) password.
• Use mixed-character passwords - adds difficulty to crack attempts.
• Configure session time-outs.
• Use password encryption features to encrypt the passwords in the configuration images and files.
• Use enable secret, which protects the enable password with a one-way MD5 hash rather than the reversible service password-encryption.
Telnet Access
• Configure ALL the VTY ports!
• Create an access list for the ports - limits the range of IP addresses that can Telnet into the router.
• Limit or block port 57 (open Telnet with no password write over).
• Do not use commands like ip alias on the Cisco unless you really need to.
• Block connections to echo and discard via no service tcp-small-servers (and no service udp-small-servers).
Telnet Access
Enter configuration commands, one per line. End with CNTL/Z.
serial 2-3 (config)# access-list 101 deny tcp any any eq 57
serial 2-3 (config)# access-list 101 permit tcp 165.21.0.0 0.0.255.255 any
serial 2-3 (config)# line vty 0 5
serial 2-3 (config-line)# access-class 101 in
Extended IP access list 101
deny tcp any any eq 57
permit tcp 165.21.0.0 0.0.255.255 any
(Access lists take a wildcard mask, so the 165.21.0.0/16 management range is written 165.21.0.0 0.0.255.255; writing the netmask 255.255.0.0 instead would match only addresses whose last two octets are 0.0 and lock out the real management hosts.)
Multiple Privilege Levels
• Division of responsibilities: help desk and network manager; security and network operations
• Provides internal controls
• Users can only see configuration settings they have access to
Configuring Multiple Privilege Levels
• Set the privilege level for a command
• Change the default privilege level for lines
• Display current privilege levels
• Log in to a privilege level
Multiple Privilege Example
• Configuration:
enable password level 15 pswd15
privilege exec level 15 configure
enable password level 10 pswd10
privilege exec level 10 show running-config
• Login/Logout:
enable <level>
disable <level>
What Is AAA?
• Authentication
Something you are: unique, can’t be left at home (retina, prints, DNA)
Something you have: hardware assist (DES card)
Something you know: cheap, low-overhead solution (fixed passwords)
• Authorization: What you’re allowed to do: connections, services, commands
• Accounting: What you did, and when
• It’s also an architectural framework: protocol-independent formats; easy to support multiple protocols; consistent configuration interface; good scalability for large ISPs with volatile databases and lots of accounting data
Virtual Terminal
[Diagram: a user at a virtual terminal says “I would like to log into Router A; my name is JSmith; my password is *****”; Router A, acting as a TACACS+ client, asks the TACACS+ server “Is JSmith with password ***** an authorized user?”; after username/password + token (the one-time digits shown on a Cisco 500-CS token card) the reply is “access permitted”]
Security Server Partners
Transaction and Accounting Records
Transaction Records
• Q - How do you tell when someone is cracking into your router, hub, or switch?
• Consider some form of audit trail: the UNIX logging features (if it has any); cron scripts to alert you when there are potential problems; SNMP traps and alarms; implementing TACACS+, RADIUS, Kerberos, or third-party solutions like Security Dynamics SmartCard.
Transaction Records
• UNIX Logging:
logging buffered 16384
logging trap debugging
logging 169.222.32.1
Logging Flow: Router → UNIX workstation with logging configured
Network Management Security
SNMP
• #1 source of intelligence on a victim's network!
• Do you know when someone is running an SNMP discovery tool on your network?
• Do you block SNMP on your firewall?
SNMP
• Change your community strings! Do not leave the defaults on!
• Use different community strings for the RO and RW communities.
• Do NOT use RW community unless you are desperate!
• Use mixed characters in the community strings. Yes, even SNMP community strings can be cracked!
SNMP
• Use an access list on SNMP. Limit who can make SNMP queries. If someone needs special access (e.g. for monitoring an Internet link), then create a special community string and access list.
• Explicitly point SNMP traffic back to the authorized workstation
SNMP
snmp-server community apricot RO 1
snmp-server trap-authentication
snmp-server enable traps config
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server host 169.223.2.2 apricot
access-list 1 permit 169.223.2.2
(The last line is the standard numbered access list that the trailing “1” on the community line refers to, so only 169.223.2.2 may query with the apricot community; traps are sent back to that same host.)
Traffic Filters
IP Access List
• <1-99> IP standard access list
• <100-199> IP extended access list
• <1100-1199> Extended 48-bit MAC address access list
• <200-299> Protocol type-code access list
• <700-799> 48-bit MAC address access list
Extended Access Lists
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log]
Example:
access-list 101 permit icmp any any log
Spoofing
• Access list protections are based on matching the source.
• Protect your router with something like the following:
access-list 101 deny ip 131.108.0.0 0.0.255.255 0.0.0.0 255.255.255.255
access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
(Applied inbound on the Internet-facing interface, this drops packets that claim your own 131.108.0.0/16 network or the loopback range as their source.)
• Turn off IP source routing (no ip source-route)
Spoofing
[Diagram: central site and Branch Office A connected via the Internet; an attacker announces “Hello, I’m Branch Office X! Here is my routing-update!”]
Spoofing
[Diagram: ISP A owns 198.92.93.0/24; a packet arriving from ISP B claims source 198.92.93.3; ISP A should filter any inbound packets with a source in 198.92.93.0/24]
Denial of Service Attacks
• TCP SYN attack: A sender using a series of random source IP addresses starts connections that cannot be completed, causing the connection queues to fill up, thereby denying service to legitimate TCP users.
• UDP diagnostic port attack: A sender using a series of random IP source addresses calls for UDP diagnostic services on the router, causing all CPU resources to be consumed servicing the bogus requests.
Denial of Service Attacks: TCP SYN
[Diagram: an attacker at one ISP sends TCP SYNs with forged sources (192.168.0.4/32, 15.0.0.13/32, 172.16.0.2/32) across the Internet to a target at the other ISP (address spaces 9.0.0.0/8 and 10.0.0.0/8); the target’s SYN/ACKs go to the forged addresses and the handshakes never complete]
Denial of Service Attacks: TCP SYN
[Diagram: same attacker, target and ISPs; the attacker’s ISP filters any packet that does not carry a 10.0.0.0/8 source]
• Ingress Filtering: apply an outbound filter at the ISP that permits only its own 10.0.0.0/8 space as source (the implicit deny drops everything else):
access-list 101 permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
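The VTY access-class, the anti-spoofing list and this ingress filter all depend on Cisco’s wildcard-mask matching and first-match-wins order; the Python below is an added example (not Cisco code) that evaluates those three lists against constructed packets and shows why the VTY list needs 0.0.255.255 rather than the netmask 255.255.0.0.

```python
"""Cisco-style IP access-list evaluator (added example, not Cisco code).
Entries are tried top-down, the first match wins, and an implicit "deny"
ends every list.  A wildcard mask is an inverted netmask: a 1 bit means
"don't care".  Only the fields the deck's lists use are modelled."""
import ipaddress

# Lists taken from the slides; the packets tested against them are constructed.
ANTI_SPOOF = """
access-list 101 deny ip 131.108.0.0 0.0.255.255 0.0.0.0 255.255.255.255
access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""
INGRESS = "access-list 101 permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255"
VTY_OK = """
access-list 101 deny tcp any any eq 57
access-list 101 permit tcp 165.21.0.0 0.0.255.255 any
"""
VTY_WRONG = """
access-list 101 deny tcp any any eq 57
access-list 101 permit tcp 165.21.0.0 255.255.0.0 any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tokens):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'; return (addr, wildcard, tokens used)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, 2
    return _ip(tokens[0]), _ip(tokens[1]), 2

def parse_acl(text):
    """Turn 'access-list N {permit|deny} proto src dst [eq port]' lines into dicts, in order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        src, src_wc, n = _addr(t[4:])
        rest = t[4 + n:]
        dst, dst_wc, m = _addr(rest)
        rest = rest[m:]
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        entries.append({"action": t[2], "proto": t[3], "src": src, "src_wc": src_wc,
                        "dst": dst, "dst_wc": dst_wc, "port": port})
    return entries

def _match(addr, wildcard, packet_addr):
    # Bits set in the wildcard are ignored; every other bit must be equal.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (packet_addr & care)

def evaluate(acl_text, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet (implicit deny if nothing matches)."""
    for e in parse_acl(acl_text):
        if e["proto"] not in ("ip", proto):      # an 'ip' entry matches any protocol
            continue
        if not _match(e["src"], e["src_wc"], _ip(src)):
            continue
        if not _match(e["dst"], e["dst_wc"], _ip(dst)):
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        return e["action"]
    return "deny"

if __name__ == "__main__":
    # 165.21.4.7 is a constructed management host inside 165.21.0.0/16.
    print("spoofed 131.108.1.1 from outside:", evaluate(ANTI_SPOOF, "ip", "131.108.1.1", "131.108.2.2"))
    print("telnet with wildcard mask:       ", evaluate(VTY_OK, "tcp", "165.21.4.7", "165.21.1.1", 23))
    print("telnet with netmask by mistake:  ", evaluate(VTY_WRONG, "tcp", "165.21.4.7", "165.21.1.1", 23))
```

With the netmask written by mistake, the only sources that get in are those whose last two octets are 0.0, from any network at all.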
Denial of Service Attacks: UDP diag
[Diagram: the attacker floods the target router with echo, chargen and discard requests across the Internet]
• Turn off small services:
no service udp-small-servers
no service tcp-small-servers
Solution: TCP Intercept
• Tracks, intercepts and validates TCP connection requests
• Two modes: Intercept and monitor
TCP Intercept—Intercept Mode
1. Answers connection requests
2. Establishes the genuine connection
3. Merges the connection between client and server
[Diagram: request intercepted, connection established, connection transferred]
TCP Intercept—Monitor Mode
• Passively monitors connection requests
• Terminates connection attempts that exceed a configurable time limit
TCP Intercept Aggressive Behavior
• Begins when the high threshold is exceeded, ends when the count drops below the low threshold
• Each new connection drops an old partial connection
• Retransmission timeout cut in half
• Watch timeout cut in half
TCP Intercept Considerations
• TCP negotiated options not supported
• Available in release 11.2(4)F Enterprise and Service Provider
• Connection is fast switched except on the RP/SP/SSP based C7000 which supports process switching only
TCP Intercept Configuration Tasks
• Enable: ip tcp intercept list <extended ACL>
• Set mode: ip tcp intercept mode {intercept | watch}
• Set drop mode: ip tcp intercept drop-mode {oldest | random}
TCP Intercept Configuration
• Change timers:
ip tcp intercept watch-timeout <seconds>
ip tcp intercept finrst-timeout <seconds>
ip tcp intercept connection-timeout <seconds>
• Change aggressive thresholds:
ip tcp intercept max-incomplete low <number>
ip tcp intercept max-incomplete high <number>
ip tcp intercept one-minute low <number>
ip tcp intercept one-minute high <number>
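To make the aggressive behaviour and thresholds of the last three slides concrete, here is an added Python model (not Cisco’s implementation) of the half-open connection table: it goes aggressive above the max-incomplete high threshold, drops the oldest or a random partial connection for every new request while aggressive, halves the watch timeout, and calms down below the low threshold; the small thresholds and addresses in the simulation are constructed, and the one-minute rate thresholds and the proxied handshake of intercept mode are not modelled.

```python
"""Model of TCP Intercept's half-open table and aggressive mode (added
example, not Cisco code).  Only the max-incomplete thresholds, the watch
timeout and the drop mode are modelled."""
import random
from collections import OrderedDict

class TcpIntercept:
    def __init__(self, low=900, high=1100, watch_timeout=30.0,
                 drop_mode="oldest", seed=1):
        # 900 / 1100 / 30 s are assumed here as the usual IOS defaults for
        # max-incomplete low, max-incomplete high and watch-timeout.
        self.low, self.high = low, high
        self.base_watch_timeout = watch_timeout
        self.drop_mode = drop_mode
        self.rng = random.Random(seed)
        self.aggressive = False
        self.incomplete = OrderedDict()   # (src, dst) -> time the watch timer expires
        self.dropped = []                 # partial connections the router reset

    def watch_timeout(self):
        # "Watch timeout cut in half" while aggressive.
        return self.base_watch_timeout / 2 if self.aggressive else self.base_watch_timeout

    def _update_mode(self):
        count = len(self.incomplete)
        if not self.aggressive and count > self.high:
            self.aggressive = True            # high threshold exceeded
        elif self.aggressive and count < self.low:
            self.aggressive = False           # dropped below low threshold

    def syn(self, src, dst, now):
        """A connection request (SYN) arrives at time `now` (seconds)."""
        self.expire(now)
        if self.aggressive and self.incomplete:
            # "New connection drops old partial connection": oldest or random.
            victim = (next(iter(self.incomplete)) if self.drop_mode == "oldest"
                      else self.rng.choice(list(self.incomplete)))
            self.dropped.append(victim)
            del self.incomplete[victim]
        self.incomplete[(src, dst)] = now + self.watch_timeout()
        self._update_mode()

    def established(self, src, dst, now):
        """The client finished the handshake, so it is no longer half-open."""
        self.expire(now)
        self.incomplete.pop((src, dst), None)
        self._update_mode()

    def expire(self, now):
        """Reset half-open connections whose watch timeout has passed."""
        for key, deadline in list(self.incomplete.items()):
            if deadline <= now:
                self.dropped.append(key)
                del self.incomplete[key]
        self._update_mode()

def simulate_syn_flood(n_syns, low=4, high=6):
    """Constructed flood: one SYN per second from forged 192.0.2.x sources, never completed."""
    router = TcpIntercept(low=low, high=high, watch_timeout=30.0)
    for i in range(n_syns):
        router.syn(f"192.0.2.{i}", "10.0.0.80:80", now=float(i))
    return router

if __name__ == "__main__":
    r = simulate_syn_flood(20)
    print("aggressive:", r.aggressive, "half-open:", len(r.incomplete),
          "dropped:", len(r.dropped), "watch timeout:", r.watch_timeout())
```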
Routing Protocol Security
Routing Protocols
• Routing protocols can be attacked: denial of service, smoke screens, false information, rerouted packets
• May be accidental or intentional
Solution: Route Authentication
• Authenticates routing update packets
• Shared key included in routing updates:
Plain text—protects against accidental problems only
Message Digest 5 (MD5)—protects against accidental and intentional problems
Route Authentication Protocol
• Routing update includes key and key number
• Receiving router verifies the received key against its local copy
• If the keys match, the update is accepted; otherwise it is rejected
Route Authentication Details
• Multiple keys supported: key lifetimes based on time of day; only the first valid key is sent with each packet
• Supported in: BGP, IS-IS, OSPF, RIPv2, and EIGRP (11.2(4)F)
• Syntax differs depending on routing protocol
Routing Protocols
• OSPF Area Authentication: Two Types
Simple Password:
ip ospf authentication-key key (under the specific interface)
area area-id authentication (under "router ospf <process-id>")
Message Digest (MD5):
ip ospf message-digest-key keyid md5 key (under the interface)
area area-id authentication message-digest (under "router ospf <process-id>")
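As an added illustration of the route-authentication protocol on the preceding slides (not Cisco code, and not the exact RIPv2 or OSPF packet layout), the Python below appends a key number and an MD5 digest computed over the update plus the shared secret, verifies it against the receiver’s local key chain, and contrasts it with the plain-text form, which accepts a modified update as long as the key is right; the key chain and routes are constructed.

```python
"""Keyed-MD5 versus plain-text route authentication (added example; the
packet layout is simplified, not the RIPv2/OSPF wire format)."""
import hashlib
import hmac
import struct

# Constructed key chain held by both routers: key number -> shared secret.
KEYCHAIN = {1: b"old-router-secret", 2: b"new-router-secret"}

def _encode(routes):
    # routes is a list of (prefix, metric) pairs.
    return ";".join(f"{prefix}={metric}" for prefix, metric in routes).encode()

def _decode(body):
    return [(p, int(m)) for p, m in (item.split("=") for item in body.decode().split(";"))]

def _digest(body, key_id, secret):
    # Digest covers the routes and the key number; the secret is appended to
    # the hashed data but never transmitted.
    return hashlib.md5(body + struct.pack("!B", key_id) + secret).digest()

def _split(packet):
    """Layout: 2-byte body length | body | 1-byte key number | trailer."""
    (n,) = struct.unpack("!H", packet[:2])
    return packet[2:2 + n], packet[2 + n], packet[3 + n:]

def sign_md5(routes, key_id, keychain):
    body = _encode(routes)
    trailer = _digest(body, key_id, keychain[key_id])
    return struct.pack("!H", len(body)) + body + struct.pack("!B", key_id) + trailer

def verify_md5(packet, keychain):
    """Return the routes if the digest checks out under the named key, else None."""
    body, key_id, trailer = _split(packet)
    secret = keychain.get(key_id)
    if secret is None:                                   # unknown key number
        return None
    if not hmac.compare_digest(trailer, _digest(body, key_id, secret)):
        return None                                      # tampered or wrong key
    return _decode(body)

def sign_plaintext(routes, key_id, keychain):
    # Plain-text authentication carries the key itself in the packet.
    body = _encode(routes)
    return struct.pack("!H", len(body)) + body + struct.pack("!B", key_id) + keychain[key_id]

def verify_plaintext(packet, keychain):
    """Accepts any update carrying the right key, even if the routes were altered."""
    body, key_id, trailer = _split(packet)
    secret = keychain.get(key_id)
    if secret is None or not hmac.compare_digest(trailer, secret):
        return None
    return _decode(body)

if __name__ == "__main__":
    routes = [("10.1.0.0/16", 2), ("10.2.0.0/16", 5)]
    good = sign_md5(routes, 2, KEYCHAIN)
    # Same-length edit of a metric in transit (constructed tampering).
    bad = good.replace(b"10.1.0.0/16=2", b"10.1.0.0/16=1", 1)
    print("MD5, intact:   ", verify_md5(good, KEYCHAIN))
    print("MD5, altered:  ", verify_md5(bad, KEYCHAIN))
    plain = sign_plaintext(routes, 2, KEYCHAIN)
    print("plain, altered:", verify_plaintext(plain.replace(b"=2", b"=1", 1), KEYCHAIN))
```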
Securing Router Services
WWW Server
• Yes, IOS now includes a WWW server!
• Makes configurations easier, but opens new security holes (default - turned off).
• Put an access list on which addresses are allowed to access port 80.
• Similar to console & TTY access.
Other Areas to Consider
• Turn off:
no ip proxy-arp (per interface)
no ip directed-broadcast
no service finger
Protecting the Config Files
• Router configs are usually stored some place safe. But are they really safe?
• Protect and limit access to TFTP and MOP servers containing router configs.
Summary
• Security is not just about protecting your UNIX workstations.
• Your network devices are just as vulnerable.
• Be smart, protect them.
• Routers are the side door into any network.
Where to get more information?
http://www.cisco.com/
• Security URLs:
Computer Emergency Response Team (CERT): http://www.cert.org
SATAN (Security Administrator Tool for Analyzing Networks): http://recycle.cebaf.gov/~doolitt/satan/
Phrack Magazine: http://freeside.com/phrack.html