2009 SRS 03 Securing Network Devices
Securing Network Devices, 20 Oct 2009 (lecture slides, 69 pages)
Source: http://slidepdf.com/reader/full/2009-srs-03-securing-network-devices (retrieved 8/8/2019)

Slide 1: Securing Network Devices
20 Oct 2009

Slide 2: What this lecture is about
- Discuss methods for securing devices
- How to connect securely to network devices
- Monitoring access
- Automated security features available in Cisco IOS

Slide 3: Previous IOS experience
- A basic understanding of IOS command syntax is required for this lecture.
- This week's CNS lab will feature an introductory lab.
- For all you SRS guys... sorry... No IOS introductory lab for you.
  - You can still access the lab from the course's site if you're feeling a little rusty.
- If you haven't had your lab yet... Don't worry, you'll get the hang of it.

Slide 5: Course topics, in detail (2)
11. Identifying vulnerable services on routers;
12. Performing a security audit;
13. Locking down a router with AutoSecure;
14. Locking down a router with SDM.
No, you won't get bored. Not this evening. You should have gotten a coffee.

Slide 6: Securing the network
- Securing a network basically means: securing the edge router.
- What is an edge router?
  - Yeah, a router at the edge... but an edge between what?
  - An edge router is the last router between the local network and the "danger" zone, the Internet.
  - First and last line of defense.
- There is no universal security design; security is dictated by the company's policy.
  - ...and by your skills...

Slide 7: Securing the edge router
- The edge router is the most exposed one. You need to secure pretty much everything!
  - Ensure physical security
  - Operating system security
  - Administrative access security
  - Remote access security
- First, design the perimeter architecture:
  - There are different implementations

Slide 8: Perimeter: single router approach
- A single router between the LAN and the Internet.
- The router has all the security policies and traffic filtering mechanisms configured.
- The KISS principle might not always be the best...
[Figure: LAN 1 (192.168.2.0) connected through R1 to the Internet]

Slide 9: Perimeter: defense-in-depth approach
- Rules in the router determine what traffic can pass; all passing traffic is filtered through the firewall.
- Can have multiple layers of routers and firewalls.
- Each layer can defend the network using different methods.
[Figure: LAN 1 (192.168.2.0), a firewall and R1 between the LAN and the Internet]

Slide 10: Perimeter: DMZ approach
- A neutral zone between the private and the public network.
- Used for public servers, accessible from the Internet.
- Cannot initiate sessions to the private network.
- In case the DMZ is compromised, the LAN should still be secure.
[Figure: LAN 1 (192.168.2.0), R1, R2/firewall and the DMZ between the LAN and the Internet]

Slide 11: Ensuring the security of a router
- Securing access
  - Thoroughly secure administrative access and authentication
  - Disable anything unused: ports, services, accounts
  - Log and account all accesses
- Securing the operating system
  - Always use the latest stable version
  - Back up the operating system and its configuration
- Physical security
  - Routers should be placed in secure locations
  - Install an uninterruptible power source

Slide 12: Types of access: local access
- Requires a direct connection to the device.
- Cisco routers use console and AUX ports.
  - The AUX port connects to a modem.
- The administrator requires only terminal software: Xterm, PuTTY, etc.
[Figure: administrator connected to the console port of R1, which sits between LAN 1 and the Internet]

Slide 13: Types of access: remote access
[Figure: LAN 2, R1, Internet, R2/firewall, LAN 3, and a management LAN holding an administration host and a logging host]
- Protocols used:
  - Telnet, SSH for direct CLI access;
  - SNMP for centralized device management.
- In larger networks, a logging server receives all log entries from network devices.
  - More about logging later on.

Slide 14: Protecting access with passwords
- All access methods can be password-protected.
- Strong passwords eliminate the risk of dictionary attacks:
  - Lowercase, uppercase, numbers, punctuation
  - Length > 10
  - Avoid repetitions
- Passwords must be changed often.
  - This should be stated in the security policy.
- Of course, try not to write them down all around you.

Slide 15: Configuring access passwords (1)
- Restricting access to privileged mode:

    R1(config)# enable password cisco2

  or

    R1(config)# enable secret cisco1

  (note that you cannot set the same password in both ways)
- The difference? In the configuration file you'll see:

    R1(config)#show run | include enable
    enable secret 5 $1$W5ah$mNNIchs14INIQcQR2qWU1/
    enable password cisco2

  The enable secret is stored as a salted MD5 hash (type 5); the enable password is stored as typed.

Slide 16: Configuring access passwords (2)
- Protecting incoming Telnet & SSH connections:

    R1(config)#line vty 0 4
    R1(config-line)#password cisco
    R1(config-line)#login

- By default, Cisco routers support up to 5 simultaneous Telnet or SSH sessions.
- Protecting console and AUX access:

    R1(config)#line console 0
    R1(config-line)#password cisco
    R1(config-line)#login
    R1(config-line)#exit
    R1(config)#line aux 0
    R1(config-line)#password cisco
    R1(config-line)#login
    R1(config-line)#

Slide 17: Configuring secure administration (1)
- Secure password-protected administration by implementing the following procedures.
- Ensure a minimum password length is used:

    R1(config)#security passwords min-length 8
    R1(config)#enable secret cisco
    % Password too short - must be at least 8 characters. Password configuration failed

  - Passwords already in place are unaffected.
  - The minimum password length can be set between 0 and 16 characters.

Slide 18: Configuring secure administration (2)
- Disable idle connections
  - Idle connections automatically disconnect after 10 minutes (default).
  - An attacker has a window of opportunity to gain privileges.

    R1(config)#line console 0
    R1(config-line)#exec-timeout 3 30

  [the console will disconnect an idle session after 3:30 minutes]
  - For a secure lab environment you can use the values "0 0" (which disables the timeout altogether).
- Disable unused connections
  - The no exec command will not start an exec (command line process) on a specific line.

    R1(config)#line vty 0 5
    R1(config-line)#no exec

    R2#telnet 10.0.0.1
    Trying 10.0.0.1 ... Open
    [Connection to 10.0.0.1 closed by foreign host]

Slide 19: Configuring secure administration (3)
- Encrypt clear-text passwords:

    R1(config)#service password-encryption

- The configuration file is a little bit "safer" now:

    R1#show running-config
    line con 0
     password 7 110A1016141D4B
    line vty 0 4
     password 7 02050D480809

- Type-7 encryption is an extremely weak method.
  - The algorithm is quickly reversible.
  - Useful only for preventing unauthorized individuals from viewing the configuration file.
- "no service password-encryption" disables the encryption, but passwords already encrypted will remain the same.

Slide 20: User creation
- Users can have different privileges.
- Syntax:

    R1(config)#username Gigi secret ?
      0     Specifies an UNENCRYPTED secret will follow
      5     Specifies a HIDDEN secret will follow
      LINE  The UNENCRYPTED (cleartext) user secret

    R1(config)#username Gigi password ?
      0     Specifies an UNENCRYPTED password will follow
      7     Specifies a HIDDEN password will follow
      LINE  The UNENCRYPTED (cleartext) user password

- To use the local user database instead of the line/console password (in line configuration mode):

    R1(config-line)#login local

Slide 21: Login security enhancements (1)
- All enhancements have to be enabled.
- The block-for command:

    R1(config)#login block-for 100 attempts 7 within 60

  - Blocks all login attempts for 100 seconds if 7 login attempts failed within 60 seconds.
  - The 100-second delay is also known as the "quiet period".
  - The command also introduces a one-second login delay.
  - The "block-for" command only applies to Telnet and SSH (not console logins).
  - A failed attempt means a bad username/password combination.

Slide 22: Login security enhancements (2)
- To generate log messages for successful/failed logins use:

    login on-failure log
    login on-success log

- To generate a message when a failure rate is exceeded:

    security authentication failure rate 10 log

  - Sends a log message whenever 10 failed login attempts are detected within one minute.
- To force a login delay (seconds), regardless of valid/invalid login credentials:

    R2(config)#login delay 2

  - Slows down brute-force attacks.
  - BF attacks test 1000s of passwords/sec (you've seen it in the lab).

Slide 23: Checking login failures (1)
- "show login" summarizes the login configuration:

    R2#show login
     A login delay of 2 seconds is applied.
     No Quiet-Mode access list has been configured.
    Router enabled to watch for login Attacks.
    If more than 7 login failures occur in 60 seconds or less,
    logins will be disabled for 100 seconds.
    Router presently in Normal-Mode.
    Current Watch Window
    Time remaining: 4 seconds.
    Login failures for current window: 6.
    Total login failures: 6.

  (callout on the last two lines: "These are your failures")

Slide 24: Checking login failures (2)
- "show login failures" shows... exactly what it says...

    R2#show login failures
    Total failed logins: 6
    Detailed information about last 50 failures
    Username  SourceIPAddr  lPort  Count  TimeStamp
    rrazvan   10.0.0.1      23     1      00:38:16 UTC Fri Oct 16 2009
    doggy     10.0.0.1      23     1      00:38:19 UTC Fri Oct 16 2009
    buzz      10.0.0.1      23     1      00:38:27 UTC Fri Oct 16 2009
    hacker    10.0.0.1      23     1      00:38:34 UTC Fri Oct 16 2009
    evil      10.0.0.1      23     1      00:38:37 UTC Fri Oct 16 2009
    nasty     10.0.0.1      23     1      00:38:40 UTC Fri Oct 16 2009

  (callout on the Username column: "Commonly used hacker names...")
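As an added example that is not part of the lecture, the block-for watch window from slide 21 can be replayed over the table that "show login failures" prints, so you can see at which failure the router would have entered its quiet period. The sample rows are constructed in the slide's format (the usernames, addresses and times are not real captures), and the triggering rule used by the model (the quiet period starts on the failure that brings the window count up to the configured attempts, and failures arriving during a quiet period are not counted) is a modeling assumption.

```python
"""Replay 'show login failures' rows through a model of 'login block-for'.

Added example (not from the slides). Parses the table printed by
'show login failures' and replays it through a model of
'login block-for <quiet> attempts <n> within <window>'.
Modeling assumption: the quiet period starts on the failure that reaches
the attempts count; failures during the quiet period are not counted.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the slide's format; not a real capture.
SAMPLE_SHOW_LOGIN_FAILURES = """\
Total failed logins: 9
Detailed information about last 50 failures
Username  SourceIPAddr  lPort  Count  TimeStamp
rrazvan   10.0.0.1      23     1      00:38:16 UTC Fri Oct 16 2009
doggy     10.0.0.1      23     1      00:38:19 UTC Fri Oct 16 2009
buzz      10.0.0.1      23     1      00:38:27 UTC Fri Oct 16 2009
hacker    10.0.0.1      23     1      00:38:34 UTC Fri Oct 16 2009
evil      10.0.0.1      23     1      00:38:37 UTC Fri Oct 16 2009
nasty     10.0.0.1      23     1      00:38:40 UTC Fri Oct 16 2009
admin     10.0.0.1      23     1      00:38:44 UTC Fri Oct 16 2009
root      10.0.0.1      22     2      00:40:30 UTC Fri Oct 16 2009
"""

ROW_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+"
    r"(?P<count>\d+)\s+(?P<time>\d\d:\d\d:\d\d) UTC \w{3} (?P<date>\w{3} \d{1,2} \d{4})$"
)


@dataclass(frozen=True)
class Failure:
    when: datetime
    user: str
    source: str
    count: int


def parse_login_failures(text):
    """Return the Failure rows of 'show login failures' output, oldest first."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # header, summary and blank lines do not match
            when = datetime.strptime(f"{m['date']} {m['time']}", "%b %d %Y %H:%M:%S")
            rows.append(Failure(when, m["user"], m["src"], int(m["count"])))
    return sorted(rows, key=lambda f: f.when)


@dataclass(frozen=True)
class BlockFor:
    """login block-for <quiet_seconds> attempts <attempts> within <window_seconds>"""
    quiet_seconds: int = 100
    attempts: int = 7
    window_seconds: int = 60


def replay(failures, policy=BlockFor()):
    """Return [(quiet_start, quiet_end), ...] for the quiet periods the policy triggers."""
    quiet_periods, quiet_until, window = [], None, []
    for f in failures:
        if quiet_until is not None and f.when < quiet_until:
            continue  # vty logins are refused in quiet mode; nothing is counted
        window = [t for t in window if f.when - t < timedelta(seconds=policy.window_seconds)]
        window.extend([f.when] * f.count)
        if len(window) >= policy.attempts:
            quiet_until = f.when + timedelta(seconds=policy.quiet_seconds)
            quiet_periods.append((f.when, quiet_until))
            window = []
    return quiet_periods


def failures_by_source(failures):
    """Total counted failures per source address, most active first."""
    totals = {}
    for f in failures:
        totals[f.source] = totals.get(f.source, 0) + f.count
    return sorted(totals.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    rows = parse_login_failures(SAMPLE_SHOW_LOGIN_FAILURES)
    for start, end in replay(rows):
        print(f"quiet period {start:%H:%M:%S} -> {end:%H:%M:%S}")
    print(failures_by_source(rows))
```

The window is kept per router, not per source, which matches the slide: the quiet period blocks every vty login, so the per-source totals are what you would hand to a firewall or ACL rather than to block-for itself.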

Slide 25: Configuring banners (1)
- A banner's role is to inform potential intruders that they are not welcome on the network.
- Their importance is legal-based:
  - Court cases have been won because intruders encountered a "Welcome!" banner.
- Example configuration of a message-of-the-day banner:

    R2(config)#banner motd & Access to this private equipment is restricted.
    Enter TEXT message. End with the character '&'.
     All unauthorized access will be prosecuted to the fully extent of law.&

- Banners can span multiple lines.
  - Start and end with the same character.

Slide 26: Configuring banners (2)
- There are several other types of banners:
  - motd (message of the day)
  - exec
  - incoming
  - login
- Also, certain "variables" can be used inside a banner:
  - $(hostname): displays the router's hostname
  - $(domain): displays the router's domain name
  - $(line): displays the current vty line
  - $(line-desc): displays the line description (if set)

Slide 27: Securing remote access
- The Telnet protocol transmits unencrypted data over TCP port 23.
  - Traffic (router configurations, commands, etc.) can be easily sniffed.
- Solutions:
  - Disable Telnet and use only the good ol' console...
  - Realize that remote access IS A MUST and use something else.
- SSH (Secure SHell) provides remote authentication and encryption.
  - Not all IOS images support SSH connections. Look for "k8" or "k9" in the image's filename.
  - Example: c3640-jk9o3s-mz.123-22.bin

Slide 28: Prepare for SSH!
- Things to check before configuring a router for SSH access:
  - Make sure the IOS image supports SSH.
  - Make sure the router has a unique hostname.
  - Make sure the router has the correct domain name of the network.
  - Make sure that you have at least a valid user configured on the router (or that the router uses AAA for authentication).
    - More on AAA in a later course.

Slide 29: Steps for configuring SSH (1)
- Check the IOS image:

    R2#show version | include IOS
    IOS (tm) 3600 Software (C3640-JK9O3S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)

- Configure a domain name:

    R2(config)#ip domain-name my.home

- Generate an RSA private/public key pair:

    R2(config)#crypto key generate rsa general-keys modulus 1024
    The name for the keys will be: R2.my.home
    % The key modulus size is 1024 bits
    % Generating 1024 bit RSA keys ...[OK]
    R2(config)#
    *Oct 19 00:17:23.487: %SSH-5-ENABLED: SSH 1.5 has been enabled

Slide 30: Steps for configuring SSH (2)
- Create at least a valid username:

    R2(config)#username student secret poli

- Activate the SSH protocol for the virtual lines (vty):

    R2(config)#line vty 0 4
    R2(config-line)#transport input ssh

- Test your connection:

    R1#ssh ?
      -c    Select encryption algorithm
      -l    Log in using this user name
      -o    Specify options
      -p    Connect to this port
      WORD  IP address or hostname of a remote system

    R1#ssh -l student 10.0.0.2
    Password:
    R2>

Slide 31: Other SSH commands
- Setting the SSH version
  - 2 is more secure than 1: it uses Diffie-Hellman key exchange and a MAC (Message Authentication Code)

    R2(config)#ip ssh version 2

- Specify an interval for the SSH session timeout:

    R2(config)#ip ssh time-out 60

  - The default is 120 seconds.
- Set the number of authentication retries:

    R2(config)#ip ssh authentication-retries 5

  - The default is 3 retries.

Slide 32: SSH "show" commands
- Viewing the active connections:

    R2#show ssh
    Connection Version Encryption State           Username
    0          1.5     3DES       Session started student

- Displaying the current SSH configuration:

    R2#show ip ssh
    SSH Enabled - version 1.5
     Authentication timeout: 30 secs; Authentication retries: 5

- Viewing your generated RSA public key:

    R2#show crypto key mypubkey rsa
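The hardening points from the password and line slides (14 to 19) and the SSH procedure (slides 27 to 32) can be checked mechanically against a running-config. The following Python checker is an added example, not code from the lecture; both configurations inside it are constructed (the password hashes are placeholders, the type 7 string is the one shown on slide 19) and the finding codes are the example's own.

```python
"""Audit a running-config against the hardening points on the password, line and SSH slides.

Added example, not the lecture's code. Both configs are constructed: the
hashes are placeholders, the type 7 string is the one from slide 19.
"""

WEAK_CONFIG = """\
hostname R1
ip domain-name my.home
enable password cisco2
username student secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
login block-for 100 attempts 7 within 60
ip ssh version 1
line con 0
 password 7 110A1016141D4B
 login
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname R1
ip domain-name my.home
service password-encryption
security passwords min-length 8
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
username student secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
login block-for 100 attempts 7 within 60
login on-failure log
ip ssh version 2
line con 0
 exec-timeout 3 30
 login local
line aux 0
 no exec
line vty 0 4
 exec-timeout 3 30
 login local
 transport input ssh
"""


def parse_config(text):
    """Split a running-config into global commands and per-'line' sections."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        current, cmd = None, raw.strip()
        if cmd.startswith("line "):
            current, sections[cmd] = cmd, []
        else:
            global_cmds.append(cmd)
    return global_cmds, sections


def audit(text):
    """Return (severity, code, detail) findings; an empty list means every check passed."""
    global_cmds, sections = parse_config(text)
    has = lambda prefix: any(c.startswith(prefix) for c in global_cmds)
    f = []
    if has("enable password "):
        f.append(("HIGH", "enable-password", "enable password is recoverable; use enable secret (type 5 hash)"))
    if not has("enable secret "):
        f.append(("HIGH", "no-enable-secret", "no enable secret configured"))
    if not has("service password-encryption"):
        f.append(("LOW", "no-password-encryption", "line passwords stay in clear text in the config"))
    if not has("security passwords min-length"):
        f.append(("MEDIUM", "no-min-length", "no minimum password length enforced"))
    if not has("login block-for"):
        f.append(("MEDIUM", "no-block-for", "no quiet period after repeated login failures"))
    if not has("ip ssh version 2"):
        f.append(("MEDIUM", "ssh-v1", "SSH version 2 not enforced"))
    for name, body in sections.items():
        if "no exec" in body:
            continue  # line disabled, nothing to log in to
        timeout = next((c for c in body if c.startswith("exec-timeout")), None)
        if timeout is None:
            f.append(("LOW", "default-exec-timeout", f"{name}: default 10-minute idle timeout"))
        elif timeout.split()[1:3] == ["0", "0"]:
            f.append(("MEDIUM", "exec-timeout-disabled", f"{name}: idle sessions never time out"))
        for c in body:
            if c.startswith("password 7 "):
                f.append(("MEDIUM", "type7-password", f"{name}: type 7 password is reversible"))
            elif c.startswith("password "):
                f.append(("HIGH", "cleartext-password", f"{name}: clear-text line password"))
        if "login" in body and "login local" not in body:
            f.append(("MEDIUM", "shared-line-password", f"{name}: shared line password instead of per-user accounts"))
        if name.startswith("line vty"):
            transport = next((c for c in body if c.startswith("transport input")), "transport input all")
            if set(transport.split()[2:]) - {"ssh", "none"}:  # IOS default 'all' includes telnet
                f.append(("HIGH", "telnet-allowed", f"{name}: '{transport}'; use 'transport input ssh'"))
    return f


if __name__ == "__main__":
    for severity, code, detail in audit(WEAK_CONFIG):
        print(f"{severity:6} {code:24} {detail}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

A missing exec-timeout is reported as a finding because IOS omits default values from the running-config, so the absence of the line means the 10-minute default is in effect.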

Slide 33: Privilege levels
- Privilege levels exist because complete access should not be given to everyone.
- You have met so far two privilege levels:
  - User EXEC mode (privilege level 1)
    - The default level for login; you cannot change any configuration or view the current configuration file.
  - Privileged EXEC mode (privilege level 15)
    - Reserved for the "enable" command. Users can change any configuration and view any configuration file.
- But there are others:
  - Level 0: predefined, includes only enable, disable, exit, help, logout.
  - Levels 2-14: can be customized.

Slide 34: Privilege commands examples (1)
- Creating a user with a privilege level of 1:

    R2(config)#username luser privilege 1 secret cisco

- Creating a user with a privilege level of 5, setting the level 5 secret password and allowing the show startup-config command for privilege level 5:

    R2(config)#username support privilege 5 secret cisco
    R2(config)#enable secret level 5 EnableSecret
    R2(config)#privilege exec level 5 show startup-config

Slide 35: Privilege commands examples (2)
- Commands like:

    R2(config)#username support privilege 5 secret cisco

  automatically put the user in the specified privilege level at login.
- Commands are allowed per privilege mode, not per user.
- Any user can change its privilege mode using: enable 5
- The "enable" you knew until now was a synonym for: enable 15
- Privilege modes can be password-protected (see previous slide).
- To view your current privilege level:

    R2#show privilege
    Current privilege level is 5

Slide 36: Privilege level limitations
- You cannot restrict access to interfaces, lines, ports or logical interfaces on the router.
- Commands available on one privilege level will be automatically available on superior privileges, too.
  - which also means that...
- Commands available on one privilege level will NOT be available for lower privilege levels.

Slide 37: Role-based CLI
- Role-based CLI access allows you to define sets of commands available only to certain users.
- Defines which commands can be entered by which users.
- Access to interfaces, lines, etc. can be controlled.
- Users only see the commands they have access to.

Slide 38: Role-based hierarchy
[Figure only; no text extracted]

Slide 39: Views
- A "view" is a container for the available commands.
- Role-based CLI provides three types of views:
  - Root view
    - Similar to privilege level 15
    - Only a root view user can create views and add/remove commands
  - CLI view
    - Contains a set of commands configured by the admin
    - Unlike privilege levels, there are no "high" or "low" views
    - Does not inherit commands from other views
  - Superview
    - Contains other views

Slide 40: Superviews
- Superviews contain other views.
- Commands cannot be added directly to superviews:
  - Commands must be added to one or more views
  - The views must be added to the superview
- A single view can belong to multiple superviews.
- When logged in a superview, users can access commands from all the views included in that superview.
- Deleting a superview does not delete the views inside it.
- Views and superviews can be password protected.

Slide 41: Defining a view
- AAA (Authentication, Authorization, Accounting) must be enabled on the router:

    R2(config)#aaa new-model

- Enter the root view to create a view (an EXEC-mode command):

    R2#enable view

- To create a view:

    R2(config)#parser view SHOWVIEW

- To assign a password to the view:

    R2(config-view)#secret cisco

  - The password must be entered right after creating the view.
- Assign commands to the selected view:

    R2(config-view)#commands exec include all show

  - This will include all commands beginning with "show".

Slide 42: Defining a view (2)
- The syntax for adding commands is:

    commands parser-mode {include | include-exclusive | exclude} [all] [interface name | command]

  - include-exclusive includes the commands and also excludes them from all other views.
- Changing to another view:

    R2#enable view SHOWVIEW

- Displaying the active view:

    R2#show parser view

- Creating a superview and adding views:

    R2(config)#parser view SUPER superview
    R2(config-view)#view SHOWVIEW
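To make the difference between privilege levels (slides 33 to 36) and views (slides 39 to 42) concrete, here is an added example that is not from the lecture: a small Python model of both rule sets. The usernames, view names and command table are constructed, and the handling of include-exclusive against an "all" wildcard (the command is reserved for the view that claimed it) is a modeling assumption rather than documented IOS behaviour.

```python
"""Authorization model: privilege levels versus role-based CLI views.

Added example (not from the slides). Encodes the stated rules as a small
model: a command at privilege level N is available at N and every higher
level, never lower; a CLI view holds only what is explicitly included,
'include all show' admits everything starting with 'show', and a superview
is the union of its member views. Modeling assumption: an include-exclusive
command is reserved for the view that claimed it, even against an 'all'
wildcard in another view. Names and the command table are constructed.
"""

# Level 0 is the predefined set from slide 33; the level 1 and 15 entries are
# assumed defaults for the commands used in this example.
DEFAULT_LEVELS = {
    "enable": 0, "disable": 0, "exit": 0, "help": 0, "logout": 0,
    "show version": 1, "ping": 1,
    "show running-config": 15, "show startup-config": 15, "configure terminal": 15,
}


def privilege_exec_level(overrides, level, command):
    """'privilege exec level <level> <command>': reassign a command's level."""
    overrides[command] = level


def allowed_by_level(user_level, command, overrides=None):
    """Slide 36: available at the command's level and every superior level."""
    levels = {**DEFAULT_LEVELS, **(overrides or {})}
    return user_level >= levels.get(command, 15)


class ParserViews:
    """A minimal 'parser view' database: views, superviews and inclusions."""

    def __init__(self):
        self.views = {}       # view name -> set of patterns ('show*' = prefix)
        self.superviews = {}  # superview name -> list of member views
        self.exclusive = {}   # pattern -> the single view allowed to use it

    def parser_view(self, name, superview=False):
        if superview:
            self.superviews.setdefault(name, [])
        else:
            self.views.setdefault(name, set())

    def commands_exec_include(self, view, command, all_=False, exclusive=False):
        """'commands exec include[-exclusive] [all] <command>'."""
        pattern = command + "*" if all_ else command
        self.views[view].add(pattern)
        if exclusive:
            self.exclusive[pattern] = view

    def view(self, superview, member):
        """'view <name>' inside a superview: add a member view."""
        self.superviews[superview].append(member)

    @staticmethod
    def _matches(pattern, command):
        if pattern.endswith("*"):
            prefix = pattern[:-1]
            return command == prefix or command.startswith(prefix + " ")
        return command == pattern

    def allowed_in_view(self, name, command):
        """True if a user in view or superview `name` may run `command`."""
        members = self.superviews.get(name, [name])
        for pattern, owner in self.exclusive.items():
            if self._matches(pattern, command) and owner not in members:
                return False  # reserved by another view (modeling assumption)
        return any(self._matches(p, command)
                   for m in members for p in self.views.get(m, ()))


def build_example_views():
    """Constructed configuration mirroring slides 41-42 plus two extra views."""
    p = ParserViews()
    p.parser_view("SHOWVIEW")
    p.commands_exec_include("SHOWVIEW", "show", all_=True)  # include all show
    p.parser_view("CONFIGVIEW")
    p.commands_exec_include("CONFIGVIEW", "configure terminal")
    p.parser_view("NETVIEW")
    p.commands_exec_include("NETVIEW", "show ip route", exclusive=True)
    p.parser_view("SUPER", superview=True)
    p.view("SUPER", "SHOWVIEW")
    p.view("SUPER", "CONFIGVIEW")
    return p


if __name__ == "__main__":
    overrides = {}
    privilege_exec_level(overrides, 5, "show startup-config")
    for lvl in (1, 5, 15):
        print(f"level {lvl:2}: show startup-config ->", allowed_by_level(lvl, "show startup-config", overrides))
    views = build_example_views()
    for v in ("SHOWVIEW", "NETVIEW", "SUPER"):
        print(v, [c for c in ("show version", "show ip route", "configure terminal") if views.allowed_in_view(v, c)])
```

The contrast the slides make shows up directly: raising a user to level 15 grants every level 5 command by inheritance, whereas SUPER only runs what SHOWVIEW and CONFIGVIEW explicitly contain, and NETVIEW's exclusive command stays outside both.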

Slide 43: Protecting the IOS and its configuration
- If attackers gain access to a router, there are many things they can do (or destroy).
  - (A quick) one of them is to completely erase the IOS and the configuration.
  - Reinstalling the IOS image and recovering the configuration file from a backup creates high network downtime.
- The Cisco IOS Resilient Configuration allows faster recovery:
  - The system secures the IOS image and the configuration
  - Any attempts to delete, replace or modify the IOS are denied
  - A secure copy of the startup config is also backed up.

Slide 44: Securing the IOS and its configuration
- The saved IOS and configuration file are called the "bootset".
- To secure the IOS image:

    Router(config)#secure boot-image

  - Only locally stored images can be secured.
  - The backup copy can be stored only locally.
  - Unsecuring the bootset requires console access.
- To secure the startup configuration:

    Router(config)#secure boot-config

  - Neither the backed-up IOS nor the configuration file is visible in the file system.
- To view the IOS/configuration resilience options:

    Router#show secure bootset

Slide 45: Secure management and logging
See what's happening on the network

Slide 46: Methods for management and logging
- Consider the flow of information
  - Out-of-band (OOB)
    - Information flows on a dedicated management network, without any production traffic.
  - In-band
    - Information flows across the production network, using the same channels as the network's traffic.
- A device might not have enough interfaces for OOB.
- If management traffic must go across the production network, it is recommended to use an encrypted tunnel or a VPN tunnel.
  - The tunnel must only allow management traffic.

Slide 47: Threatening the management network
- If a dedicated management network exists, then it is an attractive target for hackers:
  - It spans all over the network
  - It contains information about all the devices in the network
  - If unsecured, a hacker can use it to take control of the network

Slide 48: SNMP
- Simple Network Management Protocol
  - Manages network "nodes"
    - Nodes are routers, switches, hubs, servers, workstations, security appliances.
  - Runs at the application layer
  - Enables remote administration for these devices
- Community strings
  - Used for authentication
  - Can provide read-only or read-write access
- Multiple versions available: v1, v2, v3
  - Only version 3 offers strong authentication and encryption

Slide 49: SNMP basic concepts
- Managing systems (Masters)
  - Administrative computers that monitor a group of hosts
  - Also called NMS (Network Management System)
- Managed systems (Slaves)
  - A host/device that runs an Agent
- Agent
  - Software component running on slave systems that reports data back to the master system
  - The agent uses SNMP to communicate.
  - Exposes data as variables: "name", "free memory", "processes"
  - Can receive and apply new configurations

Slide 50: SNMP messages
[Figure only; no text extracted]

Slide 51: SNMPv3
[Figure: NMS systems and managed nodes, with three callouts]
- Agent may enforce access control to restrict each principal to certain actions on certain portions of its data.
- Messages may be encrypted to ensure privacy.
- Transmissions from manager to agent may be authenticated to guarantee the identity of the sender and the integrity and timeliness of a message.

Slide 52: SNMP levels of security (1)
- SNMP allows for the following levels of security:
  - noAuth: authenticates a packet only by community string or username
  - Auth: authenticates a packet using SHA, MD5 or HMAC
  - Priv: authenticates a packet just like Auth but also provides encryption using DES, 3DES or AES.
- SNMPv1 and v2 only support:
  - noAuthNoPriv: only use community string, no authentication or encryption
- SNMPv3 supports:
  - noAuthNoPriv (don't authenticate, don't encrypt)
  - authNoPriv (authenticate but don't encrypt)
  - authPriv (authenticate and encrypt)

Slide 53: SNMP levels of security (2)
- The default community string is "public".
  - Many networks use this default value.
- Knowing the community string is like having the enable password for all the devices in the network.
- SNMPv1 and v2 send their community string in clear text over the network.
  - If management is being done in-band, anyone on the network can see the community string.
- Devices should only be configured with a read-only community string.
  - There will be no write access for network nodes.
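Because v1 and v2c put the community string in the clear, a passive sensor can read it straight out of the packet, which is exactly the exposure slides 52 and 53 describe. The following Python example is added here and is not the lecture's code: a minimal BER encoder and decoder for the outer SNMP message, plus the checks a monitoring sensor would raise (pre-v3 version, default community, write request over such a community). The packets are constructed inline; the community strings are the well-known defaults and the OID is sysName.0 from MIB-2, both chosen only for illustration.

```python
"""Inspect SNMP messages for the weaknesses described on the SNMP slides.

Added example (not from the slides): a minimal BER parser for the outer
SNMP message (version, community, PDU type) and the checks a passive
monitor would apply. Packets are built here by a tiny encoder so the
example runs offline; nothing is captured from a network.
"""

DEFAULT_COMMUNITIES = {"public", "private"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA7: "InformRequest"}


# --- minimal BER encoder ----------------------------------------------------
def _tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: 0x80 | number of length bytes, then the length itself
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _int(v):
    """Non-negative INTEGER; (bit_length+8)//8 bytes keeps the sign bit clear."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:  # base-128 digits, high bit set on all but the last
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(chunk)
    return _tlv(0x06, bytes(out))


def build_snmp(version, community, pdu_tag, oid, request_id=1):
    """SNMPv1/v2c message: SEQUENCE { version, community, PDU { id, 0, 0, varbinds } }."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))  # OID with a NULL value
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)


# --- minimal BER decoder ----------------------------------------------------
def _read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_snmp(packet):
    tag, body, _ = _read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, vbytes, pos = _read_tlv(body)
    ctag, cval, pos = _read_tlv(body, pos)
    ptag, _, _ = _read_tlv(body, pos)
    if vtag != 0x02:
        raise ValueError("version field missing")
    version = int.from_bytes(vbytes, "big")
    # v3 carries msgGlobalData (a SEQUENCE) where v1/v2c carry the community string
    community = cval.decode("ascii", "replace") if ctag == 0x04 else None
    pdu = PDU_NAMES.get(ptag, f"0x{ptag:02x}") if community is not None else None
    return {"version": VERSION_NAMES.get(version, f"unknown({version})"),
            "community": community, "pdu": pdu}


def inspect_snmp(packet):
    """Parsed fields plus the findings a monitoring sensor would raise."""
    info = parse_snmp(packet)
    findings = []
    if info["version"] in ("v1", "v2c"):
        findings.append("community string sent in clear text (pre-v3)")
        if info["community"] in DEFAULT_COMMUNITIES:
            findings.append("default community string in use")
        if info["pdu"] == "SetRequest":
            findings.append("write access (SetRequest) over a cleartext community")
    info["findings"] = findings
    return info


# Constructed samples: a v1 read of sysName.0 with 'public', and a v2c write with 'private'.
SAMPLE_GET = build_snmp(0, "public", 0xA0, "1.3.6.1.2.1.1.5.0")
SAMPLE_SET = build_snmp(1, "private", 0xA3, "1.3.6.1.2.1.1.5.0")

if __name__ == "__main__":
    for pkt in (SAMPLE_GET, SAMPLE_SET):
        print(pkt.hex(), inspect_snmp(pkt))
```

The same parser reports a v3 message as version "v3" with no community, so the findings list stays empty for it: that is the detection-side view of the slide's point that only version 3 offers real authentication and encryption.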

Slide 54: Network security and logging
- Cisco routers can log information about most events that take place in the network.
- Log messages can be sent to several logging facilities:
  - Console: this is on by default; log messages will appear automatically on the console over your command prompt.
    - This is why you need to know the "logging synchronous" command.
  - Terminal lines: EXEC sessions from Telnet or SSH can also receive log messages.
  - Buffered logging: log messages are stored in the router's memory until reboot.
  - SNMP traps: certain logged events can be forwarded as SNMP traps to an NMS.
  - Syslog: log messages can be forwarded to an external syslog service; it can be an application running on Windows or Linux.

Slide 55: A sample log message
- Each log message has three fields:
  - A timestamp
  - The log message name and the severity level
  - The message text

Slide 56: Log message types
[Severity table not extracted; examples of events by severity level:]
- 0: IOS cannot load
- 1: Temperature too high
- 2: Unable to allocate memory
- 3: Invalid memory size
- 4: Crypto operation failed
- 5: Interface changed state up or down
- 6: Packet denied by ACL
- 7: Packet type invalid
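A parser for the three-field format of slide 55, as an added example that is not part of the slides: it splits IOS messages into timestamp, facility/severity/mnemonic and text, filters by severity the way "logging trap <level>" forwards messages at that level and below, and counts failed logins per source from SEC_LOGIN messages. The first two sample lines are the ones shown on slides 29 and 58; the remaining lines are constructed for this example, with placeholder addresses.

```python
"""Parse Cisco IOS log messages into their three fields and filter by severity.

Added example (not from the slides). Message shape:
  *Oct 19 00:17:23.487: %SSH-5-ENABLED: SSH 1.5 has been enabled
i.e. timestamp, then %FACILITY-SEVERITY-MNEMONIC, then the text.
The first two sample lines are from the slides; the rest are constructed.
"""
import re
from collections import Counter

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

LOG_RE = re.compile(
    r"^(?:\d+:\s+)?"                                             # optional sequence number
    r"(?P<ts>[*.]?\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\.\d+)?)"   # *Oct 19 00:17:23.487
    r"(?:\s+[A-Z]+)?:\s+"                                        # optional zone, then ':'
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<text>.+)$"
)

SAMPLE_LOG = """\
*Oct 19 00:17:23.487: %SSH-5-ENABLED: SSH 1.5 has been enabled
*Oct 17 19:02:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:05:26 UTC Fri Mar 1 2002 to 19:02:00 UTC Sat Oct 17 2009, configured from console by console.
Oct 17 19:05:12.103 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: hacker] [Source: 10.0.0.1] [localport: 23] [Reason: Login Authentication Failed] at 19:05:12 UTC Sat Oct 17 2009
Oct 17 19:05:15.880 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: evil] [Source: 10.0.0.1] [localport: 23] [Reason: Login Authentication Failed] at 19:05:15 UTC Sat Oct 17 2009
Oct 17 19:06:40.511 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
Oct 17 19:07:01.000 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.1(41002) -> 10.0.0.2(23), 1 packet
R2#
"""


def parse_log_line(line):
    """Return a dict of fields, or None if the line is not an IOS log message."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    sev = int(m["severity"])
    return {
        "timestamp": m["ts"],
        # a leading '*' or '.' marks a clock that is not authoritative (not NTP-synced)
        "clock_unsynced": m["ts"][0] in "*.",
        "facility": m["facility"],
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m["mnemonic"],
        "text": m["text"],
    }


def parse_log(text):
    """All parseable messages in a block of text, in order; prompts and noise are dropped."""
    return [msg for msg in map(parse_log_line, text.splitlines()) if msg]


def at_most(messages, level):
    """Messages at severity <= level (lower is more urgent), as 'logging trap <level>' forwards."""
    return [m for m in messages if m["severity"] <= level]


def failed_logins_by_source(messages):
    """Count SEC_LOGIN LOGIN_FAILED messages per source address."""
    sources = Counter()
    for m in messages:
        if m["facility"] == "SEC_LOGIN" and m["mnemonic"] == "LOGIN_FAILED":
            src = re.search(r"\[Source: ([^\]]+)\]", m["text"])
            if src:
                sources[src.group(1)] += 1
    return sources


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for m in at_most(msgs, 4):
        print(m["severity_name"], m["facility"], m["mnemonic"], m["text"][:40])
    print(failed_logins_by_source(msgs))
```

The clock_unsynced flag ties this back to the NTP slides: a timestamp that starts with "*" came from a router whose clock was never synchronized, so it cannot be correlated with other devices' logs.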

Page 57: 2009 SRS 03 Securing Network Devices

8/8/2019 2009 SRS 03 Securing Network Devices

http://slidepdf.com/reader/full/2009-srs-03-securing-network-devices 57/69

NetworkTimeProtocol

  Clocksonnetworkdevicesmustbemaintainedand

synchronized

  Misconfiguredclockscanleadto:

  IncorrectQmestampsinsystemlogs

  InvalidQme‐basedsecuritycerQficates

  OtherQme‐relatedconfiguraQons

  TheQmeanddatecanbesetonCiscorouters

  Manually(works,butdon’texpectanysynchronizaQon)

  Doesnotscalewell

 AutomaQcally,usingNTP

57

Page 58: 2009 SRS 03 Securing Network Devices

8/8/2019 2009 SRS 03 Securing Network Devices

http://slidepdf.com/reader/full/2009-srs-03-securing-network-devices 58/69

Manuallysengtheclock

  Thisishowyoumanuallysettheclock:R2#clock set 19:02:00 OCT 17 2009

R2#

*Oct 17 19:02:00.000: %SYS-6-CLOCKUPDATE: System clock has beenupdated from 00:05:26 UTC Fri Mar 1 2002 to 19:02:00 UTC Sat Oct17 2009, configured from console by console.

  NoQcethesyslogmessage.

  AlsonoQcethatthiscommandisNOTenteredinthe

configuraQonmode.Why?

58

Page 59: 2009 SRS 03 Securing Network Devices

8/8/2019 2009 SRS 03 Securing Network Devices

http://slidepdf.com/reader/full/2009-srs-03-securing-network-devices 59/69

NTPfacts

  NTPallowsroutersonanetworktosynchronizetheirQme

sengswithaQmeserver.

  ObtainingtheQmefromasinglesourceprovidesmore

consistentQmesengs.

  YoucanimplementyourownQmeserveroryoucaneven

useapubliclyavailableNTPserver,fromtheInternet.  NTPworksonUDPport23.

59

Page 60: 2009 SRS 03 Securing Network Devices

8/8/2019 2009 SRS 03 Securing Network Devices

http://slidepdf.com/reader/full/2009-srs-03-securing-network-devices 60/69

SecuringNTP

  GengQmefromtheInternetiseasyandcanbe

accurateenough.But…

  MostQmeserversdonotrequireanyauthenQcaQon.

60

  AnaackercaninjectafalseQmevaluein

yournetwork

  Possiblyduringanaacktomaketracing

difficult

  OrtomakedigitalcerQficatesinvalidand

disruptoperaQons

Page 61: 2009 SRS 03 Securing Network Devices

8/8/2019 2009 SRS 03 Securing Network Devices

http://slidepdf.com/reader/full/2009-srs-03-securing-network-devices 61/69

Configuring basic NTP

- To make a router an NTP server:

R2(config)#ntp master 1

- The "1" represents the stratum number.
- The stratum number is the number of hops between the NTP server and the authoritative source, such as an atomic clock.
- It basically says how trustworthy the time source is.
- Yes, the lower, the better, you got it!
- Then, configure the server's address on the clients:

Before:
R1(config)#do sh clock
*00:11:08.955 UTC Fri Mar 1 2002
R1(config)#ntp server 10.0.0.2

After:
R1(config)#do show clock
19:08:14.952 UTC Sat Oct 17 2009


Verifying basic NTP

R1#show ntp status
Clock is synchronized, stratum 2, reference is 10.0.0.2
nominal freq is 250.0000 Hz, actual freq is 249.9997 Hz, precision is 2**18
reference time is CE84969D.9939A4FB (19:16:45.598 UTC Sat Oct 17 2009)
clock offset is -0.0892 msec, root delay is 3.94 msec
root dispersion is 12.48 msec, peer dispersion is 12.36 msec

- Using the "ntp server" client command causes the clients to contact the server.
- Servers can also broadcast their time settings on a LAN:

R2(config-if)#ntp broadcast destination 10.0.0.255

- And clients can listen for it:

R1(config-if)#ntp broadcast client

- Time accuracy is lower since communication is one-way only.


Configuring secure NTP

- NTPv3 provides a cryptographic authentication mechanism between clients and the server.
- To configure NTP authentication, use the following commands on the server AND the clients:

R2(config)#ntp authenticate
R2(config)#ntp authentication-key 1 md5 CiscoTime
R2(config)#ntp trusted-key 1

- NTPv3 uses MD5 authentication.
- Multiple keys can be defined; the "ntp trusted-key" command indicates which key will be used.
- In addition, the clients must add:

R1(config)#ntp server 10.0.0.2 key 1

- The server will still respond to unauthenticated requests.
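As an added example (not code from the slides or from Cisco IOS), the following Python builds an NTPv3 client packet, appends the MD5 message authentication code that `ntp authentication-key 1 md5 CiscoTime` configures, and verifies it the way a receiver with `ntp trusted-key 1` would. Assumptions: the key bytes are the raw ASCII string, key id 1 maps to "CiscoTime", and the MAC is the 4-byte key id followed by MD5(key || 48-byte header), as in RFC 1305; the packet contents and timestamps are constructed, and the function names are mine.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# NTP timestamps count seconds since 1900-01-01 UTC (RFC 1305 / RFC 5905).
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
HEADER_LEN = 48       # fixed NTP header
MAC_LEN = 4 + 16      # key identifier + MD5 digest

# Constructed key table mirroring "ntp authentication-key 1 md5 CiscoTime".
# Assumption: the key bytes are the raw ASCII key string.
KEYS = {1: b"CiscoTime"}


def ntp_timestamp(dt):
    """Encode a timezone-aware datetime as a 64-bit NTP timestamp (seconds.fraction)."""
    delta = dt - NTP_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    fraction = delta.microseconds * (1 << 32) // 1_000_000
    return struct.pack("!II", seconds & 0xFFFFFFFF, fraction)


def build_client_header(transmit_time):
    """Build a minimal NTPv3 client (mode 3) header with only the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3        # LI=0, version 3, mode 3 (client)
    header = struct.pack("!BBbb", li_vn_mode, 0, 6, -20)  # stratum 0, poll 2**6, precision 2**-20
    header += b"\x00" * 12                      # root delay, root dispersion, reference id
    header += b"\x00" * 24                      # reference, originate, receive timestamps
    header += ntp_timestamp(transmit_time)      # transmit timestamp (bytes 40..47)
    return header


def sign_packet(header, key_id, keys=KEYS):
    """Append the NTPv3 MAC: key id + MD5(key || header)."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet, keys=KEYS):
    """Return True only if the packet carries a MAC that validates under a trusted key."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False                            # unauthenticated or malformed packet
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    key = keys.get(key_id)
    if key is None:
        return False                            # key id is not in the trusted-key set
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, packet[HEADER_LEN + 4:])


def tamper_transmit_time(packet, shift_seconds):
    """Constructed test helper: shift the transmit timestamp without re-signing."""
    secs, frac = struct.unpack("!II", packet[40:48])
    patched = struct.pack("!II", (secs + shift_seconds) & 0xFFFFFFFF, frac)
    return packet[:40] + patched + packet[48:]


def example_packet():
    """A signed client packet for a constructed time (the slide's 19:51:43 UTC, 17 Oct 2009)."""
    when = datetime(2009, 10, 17, 19, 51, 43, tzinfo=timezone.utc)
    return sign_packet(build_client_header(when), key_id=1)


if __name__ == "__main__":
    pkt = example_packet()
    print("genuine packet verifies:", verify_packet(pkt))
    print("time-shifted packet verifies:", verify_packet(tamper_transmit_time(pkt, 3600)))
    print("unauthenticated packet verifies:", verify_packet(pkt[:HEADER_LEN]))
```

The shifted packet fails because the digest covers the transmit timestamp, and a bare 48-byte packet fails because there is no MAC at all; that second case is the client-side half of the slide's last bullet: the server keeps answering unauthenticated requests, but a client configured with `key 1` discards replies that do not carry a valid MAC. Note that NTPv3 uses a keyed digest (MD5 over key plus header), not an HMAC, so a receiver must reproduce exactly this construction.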


Verifying NTP authentication

- To check that NTP with authentication is used on clients:

R1#show ntp association detail
10.0.0.2 configured, authenticated, our_master, sane, valid, stratum 1
ref ID .LOCL., time CE849EC8.ABFD8D6E (19:51:36.671 UTC Sat Oct 17 2009)
our mode client, peer mode server, our poll intvl 256, peer poll intvl 256
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 8.347
delay 3.88 msec, offset 5.7161 msec, dispersion 6.38
precision 2**18, version 3
org time CE849ECF.1CB71019 (19:51:43.112 UTC Sat Oct 17 2009)
rcv time CE849ECF.1CAC9CDD (19:51:43.112 UTC Sat Oct 17 2009)
xmt time CE849ECF.1AAF3964 (19:51:43.104 UTC Sat Oct 17 2009)
filtdelay = 7.60 7.87 3.88 11.31 63.92 27.66 51.91 23.67
filtoffset = 3.96 -8.11 5.72 13.62 11.68 22.02 9.70 16.05
filterror = 0.02 0.03 0.05 0.06 0.08 0.09 0.11 0.12

- Horrible. Let's try this:

Better:
R1#show ntp association detail | include 10.0.0.2
10.0.0.2 configured, authenticated, our_master, sane, valid, stratum 1
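Added example (not from the slides), serving both the "Verifying basic NTP" and "Verifying NTP authentication" slides: Python that decodes the hex NTP timestamps IOS prints in `show ntp status` and `show ntp association detail`, parses the fields a monitoring script cares about, and applies the checks an operator would want (synchronized, stratum within bounds, peer authenticated, sane and valid, reference matches the configured peer). The sample output is copied from the slides above; the function names and the stratum threshold are my own assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# NTP timestamps are seconds since 1900-01-01 UTC; the hex form IOS prints is
# 32 bits of seconds, a dot, and 32 bits of fraction. (Seconds wrap in 2036.)
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Sample output taken from the slides (constructed into strings here).
SAMPLE_STATUS = """\
Clock is synchronized, stratum 2, reference is 10.0.0.2
nominal freq is 250.0000 Hz, actual freq is 249.9997 Hz, precision is 2**18
reference time is CE84969D.9939A4FB (19:16:45.598 UTC Sat Oct 17 2009)
clock offset is -0.0892 msec, root delay is 3.94 msec
root dispersion is 12.48 msec, peer dispersion is 12.36 msec
"""
SAMPLE_ASSOCIATION = "10.0.0.2 configured, authenticated, our_master, sane, valid, stratum 1"


def ntp_hex_to_utc(hex_timestamp):
    """Decode 'SSSSSSSS.FFFFFFFF' to the 'HH:MM:SS.mmm UTC Day Mon DD YYYY' string IOS prints."""
    secs_hex, frac_hex = hex_timestamp.split(".")
    seconds = int(secs_hex, 16)
    fraction = int(frac_hex, 16)
    millis = (fraction * 1000) >> 32            # truncate, as the IOS output does
    dt = NTP_EPOCH + timedelta(seconds=seconds)
    return "%s.%03d UTC %s" % (dt.strftime("%H:%M:%S"), millis, dt.strftime("%a %b %d %Y"))


def parse_ntp_status(text):
    """Pull synchronization state, stratum, reference and offset out of 'show ntp status'."""
    head = re.search(r"Clock is (\w+)\s*,\s*stratum (\d+), reference is (\S+)", text)
    ref_time = re.search(r"reference time is ([0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})", text)
    offset = re.search(r"clock offset is (-?[\d.]+) msec", text)
    if head is None:
        raise ValueError("unrecognized 'show ntp status' output")
    return {
        "synchronized": head.group(1) == "synchronized",
        "stratum": int(head.group(2)),
        "reference": head.group(3),
        "reference_time": ntp_hex_to_utc(ref_time.group(1)) if ref_time else None,
        "offset_msec": float(offset.group(1)) if offset else None,
    }


def parse_association(line):
    """Parse one '<peer> flag, flag, ..., stratum N' line from 'show ntp association detail'."""
    peer, rest = line.strip().split(None, 1)
    fields = [f.strip() for f in rest.split(",")]
    stratum = next(int(f.split()[1]) for f in fields if f.startswith("stratum"))
    flags = {f for f in fields if not f.startswith("stratum")}
    return {"peer": peer, "flags": flags, "stratum": stratum}


def ntp_health_findings(status, association, max_stratum=4):
    """Return a list of problems; an empty list means the client looks healthy."""
    findings = []
    peer = association["peer"]
    if not status["synchronized"]:
        findings.append("clock is not synchronized")
    if status["stratum"] > max_stratum:
        findings.append("stratum %d exceeds limit %d" % (status["stratum"], max_stratum))
    if "authenticated" not in association["flags"]:
        findings.append("peer %s is not authenticated" % peer)
    if not {"sane", "valid"} <= association["flags"]:
        findings.append("peer %s is not marked sane and valid" % peer)
    if status["reference"] != peer:
        findings.append("reference %s differs from peer %s" % (status["reference"], peer))
    return findings


if __name__ == "__main__":
    print(ntp_hex_to_utc("CE84969D.9939A4FB"))
    status = parse_ntp_status(SAMPLE_STATUS)
    association = parse_association(SAMPLE_ASSOCIATION)
    print(status)
    print(ntp_health_findings(status, association) or "no findings")
```

The decoder reproduces the timestamps shown in parentheses on both slides, which is a quick way to confirm a script is reading the right fields before it is trusted to alert on them. The "authenticated" flag check is the one that matters for the previous slide: an association that is `sane` and `valid` but lacks `authenticated` means the client accepted time without a MAC.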


Auto-secure

- Cisco IOS provides an easy way to lock down your router in one step: the "auto secure" command.
- AutoSecure is a macro that will add the necessary commands to your running configuration file.
- A wizard starts that queries the user for information.

R1#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
...


AutoSecure lockdown

- AutoSecure the management plane
  - BOOTP, CDP, FTP, TFTP, PAD, UDP and TCP small servers, MOP, ICMP, IP source routing, finger, password encryption, TCP keepalives, gratuitous ARP, proxy ARP, directed broadcast
  - Configures a banner
  - Secures passwords and login functions
  - Secures NTP
  - Secures SSH access
  - TCP Intercept services
- AutoSecure the data plane
  - Enables Cisco firewall inspection
  - Enables traffic filtering using access lists
  - Enables Cisco Express Forwarding (CEF)
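Added example (not from the slides and not part of AutoSecure itself): a Python audit that parses a running configuration and reports which of the management-plane items listed above are not explicitly present, globally and per interface. The command strings are the standard IOS commands for those services as I know them; the sample config is constructed. The set of lines AutoSecure emits varies by IOS release, and many releases do not display a service's "no ..." line when it is already off by default, so a missing line is a prompt to check the device, not proof the service is enabled.

```python
# Global commands a locked-down IOS running config is expected to contain.
# Assumption: standard IOS syntax; AutoSecure's exact output differs by release.
GLOBAL_EXPECTED = [
    ("BOOTP server", "no ip bootp server"),
    ("CDP", "no cdp run"),
    ("finger", "no ip finger"),
    ("PAD", "no service pad"),
    ("IP source routing", "no ip source-route"),
    ("TCP small servers", "no service tcp-small-servers"),
    ("UDP small servers", "no service udp-small-servers"),
    ("gratuitous ARP", "no ip gratuitous-arps"),
    ("password encryption", "service password-encryption"),
    ("TCP keepalives (in)", "service tcp-keepalives-in"),
    ("TCP keepalives (out)", "service tcp-keepalives-out"),
]

# Interface-level commands, checked on every configured interface.
INTERFACE_EXPECTED = [
    ("proxy ARP", "no ip proxy-arp"),
    ("directed broadcast", "no ip directed-broadcast"),
    ("MOP", "no mop enabled"),
]

# Constructed sample: partially hardened by hand, so some items are missing.
SAMPLE_CONFIG = """\
!
hostname R1
!
service password-encryption
no ip source-route
no cdp run
no ip finger
no service pad
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 no ip proxy-arp
!
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
ntp server 10.0.0.2
end
"""


def parse_running_config(text):
    """Split a running config into global commands and per-interface command sets."""
    global_cmds = set()
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())   # indented line belongs to the interface
        else:
            current = None                          # "!" or a global command ends the block
            global_cmds.add(line.strip())
    return global_cmds, interfaces


def audit_config(text):
    """Return (scope, service, expected command) for every expected line that is absent."""
    global_cmds, interfaces = parse_running_config(text)
    findings = []
    for service, cmd in GLOBAL_EXPECTED:
        if cmd not in global_cmds:
            findings.append(("global", service, cmd))
    for name, cmds in sorted(interfaces.items()):
        for service, cmd in INTERFACE_EXPECTED:
            if cmd not in cmds:
                findings.append((name, service, cmd))
    return findings


if __name__ == "__main__":
    for scope, service, cmd in audit_config(SAMPLE_CONFIG):
        print("%-18s %-22s expected: %s" % (scope, service, cmd))
```

Run against a saved `show running-config`, the report gives the list to compare with what `auto secure` would have added; items that are genuinely off by default can be confirmed with the relevant `show` command on the device and then dropped from the expected list for that platform.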


AutoSecure modes

- The AutoSecure setup can run in an interactive mode:

Router#auto secure

- Or in a non-interactive mode (the user is not asked):

Router#auto secure no-interact


Long course, short summary

- Securing the network perimeter
- Securing router administrative access
- Enhancing security for virtual logins
- Enabling SSH
- Configuring administrative privilege levels
- Configuring role-based CLI access
- Securing the IOS image and configuration file
- Describing SNMP
- Describing logging
- Configuring secure NTP
- Locking down the router with AutoSecure


The quote means it's over

"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench."

Gene Spafford