FedVTE Online Training Portal: Securing Network Devices (transcript)


Securing Network Devices

Table of Contents

Securing Network Devices .............................................................................................................. 2

Enforcing Perimeter Security Policy................................................................................................ 3

Three Areas of Router Security ....................................................................................................... 5

Three Areas of Router Security ....................................................................................................... 7

Three Areas of Router Security ..................................................................................................... 10

Secure Administrative Access ....................................................................................................... 12

Secure Administrative Access ....................................................................................................... 14

Page 1 of 15

Securing Network Devices

© 2012 Cisco and/or its affiliates. All rights reserved.

**001 Instructor: Let's take a look at securing network devices.


Enforcing Perimeter Security Policy

• Routers are used to secure the network perimeter.
• Scenario 1:
  – The router protects the LAN.
• Scenario 2:
  – The router screens traffic before a firewall (PIX/ASA).
• Scenario 3:
  – The zone directly connected to the firewall is called a DMZ.
  – Internet-accessible servers are located in the DMZ.

[Slide diagram: three topologies, each with LAN 1 (192.168.2.0) and the Internet. Scenario 1: LAN 1, Router 1 (R1), Internet. Scenario 2: LAN 1, R1, Firewall, Internet. Scenario 3: LAN 1, R1, R2/Firewall, DMZ, Internet.]

**002 Instructor: We're going to start with routers. Things you can do with a router. This isn't what a router does, this is things you can do with a router, things you can do with perimeter security. So you can do routers securing the perimeter. How do you secure a network perimeter with a router? Anybody?

Student: Access control list.

Instructor: Access control list. Yeah. So if you want a smarter version of access control list, you might move from a router to a--?

Student: Firewall.

Instructor: Firewall. And we'll talk about the differences between routers and firewalls, and that'll get kind of complicated because Cisco also puts out firewall software that goes on the router. So you can turn a router into a firewall. There's a firewall feature set you can put on Cisco routers that makes them act very similar to firewalls. One of the differences is that the actual firewall will have some hardware chips to do some firewall functions on a chip rather than using memory to do it. So they go a little faster. And the third piece is if you're going to have-- whether it's a router or a firewall-- instead of having just inside and outside, what else can you put in? If you look at the bottom slide, it's a DMZ. What's a DMZ?

Student: It's an area where you can host proxies of servers that you have inside.

Instructor: Right. Because what happens is if you don't have that, you've got the internet, which-- how trusted should you be of stuff coming in off the internet? Right? Basically it's untrusted. Your inside network is trusted. Do you want to let the internet come into your inside network to deliver mail, do webpages, things like that? No, because you don't really trust it. So if you have a DMZ or a partially trusted or a somewhat trusted area, then what you can do is traffic from the outside can go into the DMZ, drop the data off, and the servers you have in the DMZ have protection on them to detect malware and things like that. Then your hosts from the inside come to the DMZ to pick the data up and bring it inside. That way it got dropped off and checked first, then picked up and brought in. So it's the handoff point.

Three Areas of Router Security

• Physical security
  – Secure infrastructure equipment in a locked room that:
    • Is accessible only to authorized personnel.
    • Is free of electrostatic or magnetic interference.
    • Has fire suppression.
    • Has controls for temperature and humidity.
  – Install an uninterruptible power supply (UPS) and keep spare components available to reduce the possibility of a DoS attack from power loss to the building.

**003 Instructor: So, physical security. Cisco devices-- Cisco posts on their website how to reset the password for any device, and the reason they do that is they assume that you've put physical security on your network. So the Cisco devices, the infrastructure devices, the servers, whatever, should be locked up, accessible only to authorized personnel. Then you should also look at-- if you want the equipment to be reliable and to not fail you-- on the CIA-- the CIA security triad is what? Confidentiality?

Student: Integrity.

Instructor: Integrity.

Student: Availability.

Instructor: Availability. It's not available if it's hacked, right? But it's also not available if the power goes out, or if the power supply fails, or if any other number of other things happens. So not only do you make server rooms so that you can physically secure things. You also make server rooms because you put redundant infrastructure in there, in terms of power, UPS backups, fire suppression-- all the other things you want to keep your systems from going down.


Three Areas of Router Security

• Operating system
  – Configure the router with the maximum amount of memory possible.
    • Helps protect it from some DoS attacks.
  – Use the latest stable version of the operating system that meets the feature requirements of the network.
  – Keep a secure copy of the router operating system image and router configuration file as a backup.

**004 Instructor: Operating system: configure a router with the maximum amount of memory possible. You can actually do memory settings in the router and reallocate memory. Most of the time the defaults are fine, but if you have particular needs you can reallocate the percentage of memory that's allocated to storage versus through processes. Use the latest stable version that meets the feature requirements, and be-- once you've picked the latest stable version, does that mean you're good for the next five years? Why not?

Student: It can change again.

Instructor: Yeah. So if I pick 15.0.2 right now, because that's our current version, five years from now, will that still be the current version?

Student: No.

Instructor: What'll happen between now and then?

Student: Patches and updates.

Instructor: Right. Probably more vulnerabilities will be discovered, and you don't patch a Cisco router, you don't patch most infrastructure devices. It's not like a Windows box that has hundreds of files in there and you can just update the files one at a time. The Cisco IOS is one file, essentially. So if it's got a vulnerability in it, how do you get rid of the vulnerability?

Student: Update.

Instructor: Take that version out, replace it with a newer version. It's not patching like Windows where you can just apply patches to the existing OS. You have to take it out and put a newer version in. And then keep a secure copy of the router operating system and config file as a backup, and there are a number of reasons to do that, none the least of which would be: What happens if, despite everybody's testing and everybody's best intentions, you have a known vulnerability in your router? So you grab the new routing software and you put the new router software into the router and now the router won't boot or the router won't perform one of the functions you want it to do, or doesn't execute things correctly. What's your solution?

Student: Old backup.

Student: Go back to the previous.

Instructor: Go back to the previous version. To go back to the previous version, you have to still have the previous version, right? If you did, as part of your upgrade, and you said, "Erase Flash to make room for the new operating system," if you didn't have a backup then you don't have any way to go back. So always make sure you have a way to get back to where you were. That's part of change management, is always make sure that you can back out of the current change. So that's why you keep a copy of the operating system image as well as the configuration file.


Three Areas of Router Security

• Router hardening
  – Secure administrative control to ensure that only authorized personnel have access and that their level of access is controlled.
  – Disable unused ports and interfaces to reduce the number of ways a device can be accessed.
  – Disable unnecessary services that can be used by an attacker to gather information or for exploitation.

**005 Instructor: Router hardening. Hardening means? Anybody?

Student: Securing.

Student: Make it secure.

Instructor: Yeah, making it secure. A lot of it is about reducing your footprint. The more services you have running, the more ways you can attack a device, the more ways it might fail. So if you turn off the unnecessary services-- like if you're going to run SSH, do you still have telnet available? If you're not going to use a GUI to manage the router, do you need the web interface available? Those kinds of things have to do with hardening. So router hardening means turning off as many services as you can, just leaving the things you want to run, and then restricting access as much as you can so that only authorized people can get to it. Should you be able to configure a router from the internet-facing interface? Not a good idea, right? So one of the things to do is to make sure that people can't try to log into the router from the outside interface. You can't get rid of having an outside interface because that's the whole purpose of having a router is to face the internet and carry the traffic, but you can take that interface and not allow any kind of login through that interface.


Secure Administrative Access

• Restrict device accessibility
  – Limit the accessible ports, restrict the permitted communicators, and restrict the permitted methods of access.
• Log and account for all access
  – For auditing purposes, record anyone who accesses a device, including what occurs and when.
• Authenticate access
  – Ensure that access is granted only to authenticated users, groups, and services.
  – Limit the number of failed login attempts and the time between logins.

**006 Instructor: So restrict device accessibility. Restrict the permitted methods of access. We've already talked about eliminating telnet, eliminating HTTP. For the people who do get in, log everything they do. Why do you log everything people do?

Student: So you know who did what when. So if it becomes a problem, you can evaluate that scenario.

Instructor: Yep. And the other thing you could do with that is if the router gets compromised or somebody's attempting to compromise the router, whether they're successful or not, that activity will also show up in the logs. So you may see a bunch of failed authentication accesses. That means somebody's trying to break in. Or if you don't have anybody that works on the router at night and you find out somebody spent a half hour reconfiguring the router at three a.m., even if they used an authorized account, is that what you expected? So for those reasons. And make sure your access is authenticated. By default in the Cisco router, when you take it out of the box, it has no password for either the console port or for administrative access via the console port. So make sure you're putting passwords on, make sure you limit the number of failed logon attempts, things like that.
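The two log patterns the instructor describes here (a burst of failed authentications from one source, and a configuration change in the middle of the night under an otherwise valid account) are easy to catch once the router's syslog is collected off-box. The following is an added example, not part of the course material: it parses a handful of constructed IOS syslog lines (the hostname R1, the users and the addresses are made up; the %SEC_LOGIN and %SYS-5-CONFIG_I message formats are the standard ones) and flags both conditions. The thresholds (3 failures in 60 seconds, a quiet window of 22:00 to 06:00) are assumptions to tune for your own environment.

```python
"""Flag the two things the instructor says to look for in router logs: a burst
of failed logins from one source, and a configuration change at an hour when
nobody should be working on the router.
Added example, not course material. The log lines are constructed (host,
users and addresses are made up); the %SEC_LOGIN and %SYS-5-CONFIG_I message
formats are the standard IOS ones."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of what a syslog collector receives from the router.
SAMPLE_LOG = """\
Mar  5 03:01:40 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]
Mar  5 03:01:52 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]
Mar  5 03:02:03 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]
Mar  5 03:02:30 R1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.5] [localport: 22]
Mar  5 03:05:12 R1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.5)
Mar  5 09:14:03 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 192.168.2.25] [localport: 22] [Reason: Login Authentication Failed]
Mar  5 10:20:45 R1 %SYS-5-CONFIG_I: Configured from console by netops on vty1 (192.168.2.25)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<message>.*)$")
# [Source: a.b.c.d] on login messages, trailing (a.b.c.d) on CONFIG_I
SOURCE_RE = re.compile(r"\[Source: ([\d.]+)\]|\(([\d.]+)\)$")
USER_RE = re.compile(r"\[user: ([^\]]+)\]|\bby (\S+) on\b")

def parse_log(text):
    """Parse syslog lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e.pop("ts"), "%b %d %H:%M:%S")
        e["severity"] = int(e["severity"])
        src = SOURCE_RE.search(e["message"])
        e["source"] = (src.group(1) or src.group(2)) if src else None
        user = USER_RE.search(e["message"])
        e["user"] = (user.group(1) or user.group(2)) if user else None
        events.append(e)
    return events

def failed_login_bursts(events, threshold=3, window_s=60):
    """Sources with >= threshold LOGIN_FAILED events inside any window_s span,
    noting whether a LOGIN_SUCCESS from the same source followed."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["mnemonic"] == "LOGIN_FAILED" and e["source"]:
            failures[e["source"]].append(e["time"])
        elif e["mnemonic"] == "LOGIN_SUCCESS" and e["source"]:
            successes[e["source"]].append(e["time"])
    alerts = []
    for source, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                alerts.append({"source": source, "count": end - start + 1,
                               "first": times[start], "last": t,
                               "followed_by_success": any(s > t for s in successes[source])})
                break  # one alert per source
    return alerts

def offhours_config_changes(events, quiet_start=22, quiet_end=6):
    """CONFIG_I events whose hour falls in the quiet window (may wrap midnight)."""
    def in_quiet(hour):
        if quiet_start > quiet_end:
            return hour >= quiet_start or hour < quiet_end
        return quiet_start <= hour < quiet_end
    return [{"time": e["time"], "user": e["user"], "source": e["source"]}
            for e in events
            if e["mnemonic"] == "CONFIG_I" and in_quiet(e["time"].hour)]

def analyze(text):
    """Run both detections over raw log text."""
    events = parse_log(text)
    return {"events": len(events),
            "bursts": failed_login_bursts(events),
            "offhours_changes": offhours_config_changes(events)}

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for b in report["bursts"]:
        print(f"{b['count']} failed logins from {b['source']} between "
              f"{b['first']:%H:%M:%S} and {b['last']:%H:%M:%S}; "
              f"later success: {b['followed_by_success']}")
    for c in report["offhours_changes"]:
        print(f"off-hours config change at {c['time']:%H:%M} by {c['user']} from {c['source']}")
```

On the sample, the 203.0.113.5 burst is followed by a successful login and then a 03:05 configuration change from the same address, which is exactly the "authorized account at three a.m." case: the account was valid, the activity was not expected. Note that the default IOS timestamp carries no year, so the parser only compares times within one collection window; enable `service timestamps log datetime msec year` (or rely on the collector's own timestamp) before sorting events across a year boundary.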


Secure Administrative Access

• Authorize actions
  – Restrict the actions and views permitted by any particular user, group, or service.
• Present legal notification
  – Display a legal notice, developed in conjunction with company legal counsel, for interactive sessions.
• Ensure the confidentiality of data
  – Protect locally stored sensitive data from viewing and copying.
  – Consider the vulnerability of data in transit over a communication channel to sniffing, session hijacking, and man-in-the-middle (MITM) attacks.

**007 Instructor: You can also have multiple account holders and different account holders can have different levels of access. Not everybody needs full admin access. If people are just using it to monitor status or they want to go in and just read logs, they don't need the ability to configure it. So we'll talk about how to do that. And legal notification. The banner. Used to be known as a welcome banner, and they decided "welcome banner" was a bad term for it. Why? Because you're not always welcoming people. And actually there were-- it's kind of anecdotal and sometimes it's kind of like a story-- but there used to be friendly banners, like, "Welcome to our router." Right? And what some courts ruled is that because you said, "Hi, come on in," that they weren't violating any laws when they came in because you had essentially invited them. Some other courts have ruled that that's silly. Just because you put a welcome mat out in front of your door at the house doesn't mean a burglar is supposed to be able to walk right in. But there have been enough cases where people have successfully argued that you are now instructed to make sure this says, "Don't come in unless you're authorized," and you can put that on a banner.
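The hardening and administrative-access points from the last three slides (SSH only, no web interface unless it is used, no logins from the outside, throttled failed logins, an authenticated console, a legal banner, and logging of both access and configuration changes) all show up as concrete lines in a router's running-config, which means they can be checked mechanically. The following is an added example, not part of the course material: a small Python auditor run over two constructed `show running-config` excerpts, one close to out-of-the-box state and one hardened. The hostname, addresses, the `MGMT-HOSTS` access-list name and the placeholder secret hashes are made up; the commands themselves are standard IOS syntax. Restricting vty logins with an inbound `access-class` that permits only the inside LAN is one way to implement the instructor's "no login through the outside interface"; an ACL on the outside interface itself would be another.

```python
"""Audit a saved IOS running-config for the hardening points on the slides.
Added example, not course material. Both configs are constructed (hostname,
addresses, ACL name and placeholder hashes are made up); the commands are
standard IOS syntax."""
from collections import defaultdict

# Constructed: a router still close to its out-of-the-box state.
WEAK_CONFIG = """\
hostname R1
enable password cisco
ip http server
line con 0
line vty 0 4
 transport input telnet ssh
end
"""

# Constructed: the same router hardened; the secret hashes are placeholders.
HARDENED_CONFIG = """\
hostname R1
enable secret 5 $1$abcd$placeholderhash
username admin privilege 15 secret 5 $1$abcd$placeholderhash
aaa new-model
aaa authentication login default local
login block-for 120 attempts 3 within 60
no ip http server
logging host 192.168.2.10
archive
 log config
  logging enable
banner login ^C
Unauthorized access is prohibited. All activity is logged.
^C
ip access-list standard MGMT-HOSTS
 permit 192.168.2.0 0.0.0.255
line con 0
 exec-timeout 10 0
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
end
"""
SECTION_PREFIXES = ("line ", "ip access-list ", "archive", "interface ")

def parse_ios_config(text):
    """Split a config into top-level commands and {section header: [subcommands]}."""
    top, sections, current = [], defaultdict(list), None
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):  # indented: belongs to the current section
            if current is not None:
                sections[current].append(line.strip())
            continue
        cmd, current = line.strip(), None
        if cmd.startswith("banner "):  # banner text runs up to its delimiter
            delim = cmd.split()[-1]
            top.append(" ".join(cmd.split()[:2]))
            if cmd.count(delim) < 2:
                while i < len(lines) and delim not in lines[i]:
                    i += 1
                i += 1
            continue
        top.append(cmd)
        if cmd.startswith(SECTION_PREFIXES):
            current = cmd
    return top, sections

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_ios_config(text)
    has = lambda prefix: any(c.startswith(prefix) for c in top)
    findings = []
    for vty in [k for k in sections if k.startswith("line vty")]:
        if "transport input ssh" not in sections[vty]:
            findings.append(f"{vty}: not SSH-only; set 'transport input ssh'")
        if not any(c.startswith("access-class") and c.endswith(" in") for c in sections[vty]):
            findings.append(f"{vty}: no inbound access-class limiting management sources")
    if not has("aaa new-model") and not any(c.startswith("login") for c in sections.get("line con 0", [])):
        findings.append("line con 0: console does not require authentication")
    if has("ip http"):
        findings.append("web management interface enabled; 'no ip http server' if unused")
    if not has("login block-for"):
        findings.append("no 'login block-for' to throttle failed logins")
    if not (has("banner motd") or has("banner login")):
        findings.append("no legal notification banner")
    if has("enable password"):
        findings.append("'enable password' in use; replace with 'enable secret'")
    if not has("logging host"):
        findings.append("no syslog destination; access will not be recorded off-box")
    if "logging enable" not in sections.get("archive", []):
        findings.append("configuration-change logging (archive / log config) off")
    return findings
```

Calling `audit(WEAK_CONFIG)` returns nine findings and `audit(HARDENED_CONFIG)` returns none. The parser deliberately treats the banner body as opaque text up to its delimiter, so a banner containing words that look like commands does not confuse the checks. For the slide's "authorize actions" point, the `privilege 15` on the admin user is where per-user access levels start; a read-only operator would get a lower privilege level (or a `parser view`) rather than full configuration rights, and the same audit could be extended to flag any account at privilege 15 that does not need it.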
