405 NW’98 1 © 1998, Cisco Systems, Inc.

405_clonvick_rev4.ppt


Designing Secure Enterprise Network

405 NW’98


Infrastructure Security

The Security Wheel

1. Corporate Security Policy
2. SECURE
3. MONITOR
4. AUDIT/TEST
5. MANAGE & IMPROVE

(Diagram: Procedures and Operations, Rules, Periodic Review, Delegation of Authority, Training)

Goals of the Session

• Define what to protect—anything that could cause problems if it were to stop or malfunction
• Decide how to protect it—good enough vs. absolute protection
• Think about the cost of protection vs. the cost of loss or corruption


Agenda

I. Introduction

II. Router/Switch Self-Protection

III. Resource Protection

IV. Perimeter Protection

V. Sustaining Network Security

VI. Security Sustainment Validation

VII. Conclusions


II. Router/Switch Self-Protection

• Threats

• Avoidance Measures

Intruder Attack Points

• The administrative interfaces
  Console
  Telnet
  SNMP
• Overload the data interface
• Overload the processor

The Administrative Interface

• Password Protection
• Password Encryption

Banners

• Select an appropriate login banner that tells who is allowed into the system

(Login screen shown on the slide: “Welcome.” followed by “Password:”)

Native Passwords

line console 0
 login
 password one4all
 exec-timeout 1 30

User Access Verification

Password: <one4all>
router>

The native passwords can be viewed by anyone logging in with the enable password

Service Password-Encryption (7)

• Will encrypt all passwords on the Cisco IOS™ with Cisco-defined encryption type “7”
• Use “enable password 7 <password>” for cut/paste operations
• Cisco proprietary encryption method

Service Password-Encryption

Without service password-encryption:

hostname Router
!
enable password one4all
!

With service password-encryption:

service password-encryption
!
hostname Router
!
enable password 7 15181E00F

Enable Secret (5)

• Uses MD5 to produce a one-way hash
• Cannot be decrypted
• Use “enable secret 5 <password>” to cut/paste another “enable secret” password

Enable Secret 5

With enable secret:

!
hostname Router
!
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1

With enable password:

hostname Router
!
enable password 1forAll

Password of Caution

• Even passwords that are encrypted in the configuration are not encrypted on the wire as an administrator logs into the router

Use Good Passwords

• Do not use passwords that can be easily guessed

(Speech bubble on the slide: “hmm…, how about ‘Pancho’?”)

Authentication Mechanisms

• Local Password
• Kerberos
• TACACS+
• RADIUS
• One-time Passwords

Cisco IOS TACACS+ Authentication

version 11.2
!
! Encrypts passwords with encryption (7)
service password-encryption
!
hostname Router
!
aaa new-model
! Define list “ruth” to use TACACS+ then the enable password
aaa authentication login ruth tacacs+ enable
! Define list “sarah” to use TACACS+ then the local user and password
aaa authentication login sarah tacacs+ local
! “enable secret” overrides the (7) encryption
enable secret 5 $1$hM3l$.s/DgJ4TeKdDk…
!
! Define local users
username john password 7 030E4E050D5C
username bill password 7 0430F1E060A51
!

Cisco IOS TACACS+ Authentication

! Defines the IP address of the TACACS+ server
tacacs-server host 10.1.1.2
! Defines the “encryption” key for communicating with the TACACS+ server
tacacs-server key <key>
!
! Uses the authentication mechanisms listed in “ruth”: TACACS+ then enable password
line con 0
 login authentication ruth
line aux 0
 login authentication ruth
! Uses the authentication mechanisms listed in “sarah”: TACACS+ then a local user/password
line vty 0 4
 login authentication sarah
 length 29
 width 92
!
end

PIX TACACS+ Authentication

PIX Version 4.2(2)
enable password BjeuCKspwqCc94Ss encrypted            (Enable Password)
password nU3DFZzS7jF1jYc5 encrypted                   (Telnet Password)
tacacs-server host 10.1.1.2 <key>                     (Defines the IP address of the TACACS+ server and the key)
aaa authentication telnet outbound 0 0 0 0 tacacs+    (Defines the services that require authentication)
aaa authentication ftp outbound 0 0 0 0 tacacs+
aaa authentication http outbound 0 0 0 0 tacacs+
no snmp-server location
no snmp-server contact
snmp-server community notpublic
no snmp-server enable traps
telnet 10.1.1.2 255.255.255.255                       (Defines the device that can Telnet into the PIX)
...
Cryptochecksum:a21af67f58849f078a515b177df4228
: end
[OK]


Encrypted Telnet Sessions

• Kerberos v5

• Strong Authentication within the session

• Relies heavily upon DNS and NTP

One-Time Passwords

• May be used with TACACS+ or RADIUS
• The same “password” will never be reused by an authorized administrator
• Key Cards—CryptoCard token server included with CiscoSecure
• Support for Security Dynamics and Secure Computing token servers in CiscoSecure

Restrict Telnet Access

access-list 12 permit 172.17.55.0 0.0.0.255

line vty 0 4
 access-class 12 in

SNMP Access Control

access-list 13 permit 192.85.55.12
access-list 13 permit 192.85.55.19

snmp-server community notpublic RO 13

RO—Read Only
RW—Read + Write

Switch Access Security

Console> set ip permit 172.100.101.102
Console> set ip permit 172.160.161.0 255.255.192.0
Console> set ip permit enable

Console> show ip permit
IP permit list feature enabled.

Permit List       Mask
----------------  ---------------
172.100.101.102
172.160.161.0     255.255.192.0

Denied IP Address  Last Accessed Time  Type
-----------------  ------------------  ------
172.100.101.104    01/20/97,07:45:20   SNMP
172.187.206.222    01/21/97,14:23:05   Telnet
Console>

SNMP

• Version one sends cleartext community strings and has no policy reference
• Version two addresses some of the known security weaknesses of SNMP version one
• Version three is being worked on


Identification Protocol

• The Identification Protocol (Auth) can be enabled for sessions to the router

Telnet Host (D=23, S=4909)

Auth—who’s using (D=23, S=4909)

Auth— (D=23, S=4909) is Chris

Telnet (D=23, S=4909) proceed

RFC 1413: Identification Protocol

“The information returned by this protocol is at most as trustworthy as the host providing it...”

Resource Deprivation Attacks

version 11.2
!
no service udp-small-servers
no service tcp-small-servers
!

• Echo (7)
• Discard (9)
• Daytime (13)
• Chargen (19)

These are disabled by default in IOS 11.3

Resource Deprivation Attacks

• Finger (tcp/79)

version 11.2
!
no service finger
no service udp-small-servers
no service tcp-small-servers
!

ARP Control

!
arp 172.1.1.99 00e0.a08c.70c2 arpa
!
interface ethernet 0/0
 ip address 172.1.1.100 255.255.0.0
!

(Diagram: on the Ethernet 0/0 segment two hosts both claim 172.1.1.99, one with MAC 00e0.a08c.70c2, which the static ARP entry binds, and one with MAC 00e0.a013.0070)

Switch Port Security

Console> set port security 3/1 enable 01-02-03-04-05-06
Console> set port security 3/2 enable
Console>

Console> show port 3
Port  Status   Vlan  Level   Duplex  Speed  Type
----  -------  ----  ------  ------  -----  -----------
3/1   connect  1     normal  half    10     10 BASE-T
3/2   connect  1     normal  half    10     10 BASE-T

Port  Security  Secure-Src-Addr    Last-Src-Addr      Shutdown
----  --------  -----------------  -----------------  --------
3/1   enabled   01-02-03-04-05-06  01-02-03-04-05-06  No
3/2   enabled   05-06-07-08-09-10  10-11-12-13-14-15  Yes
Console>

Administrator Authorization Levels

• Sixteen administrative levels that can be used to delegate authority
• Cisco IOS commands can be associated with a level

Router# show priv
Current privilege level is 15
Router# disable
Router>enable 9
Password:
Router# show priv
Current privilege level is 9
Router#

privilege exec level 9 show
enable secret level 9 <AllinOne>
enable secret 5 <OneinAll>

Audit Trail—Cisco IOS Syslog

unix% tail cisco.log
Feb 17 21:48:26 [10.1.1.101.9.132] 31: *Mar 2 11:51:55 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)
unix% date
Tue Feb 17 21:49:53 CST 1998
unix%

Router>sho clock
*11:53:44.764 CST Tue Mar 2 1993
Router>

version 11.2
service timestamps log datetime localtime show-timezone
!
logging 10.1.1.2

Audit Trail—PIX Syslog

unix% tail pix.log
Feb 20 07:46:25 [10.1.1.1.2.2] Begin configuration: reading from terminal
Feb 20 07:46:29 [10.1.1.1.2.2] 111005 End configuration: OK
Feb 20 07:46:32 [10.1.1.1.2.2] 111001 Begin configuration: writing to memory
Feb 20 07:46:32 [10.1.1.1.2.2] 111004 End configuration: OK
unix%

PIX Version 4.2(2)
…
names
logging console informational
logging monitor informational
logging buffered informational
logging trap informational
logging facility 20
logging host inside 10.1.1.2
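The IOS syslog slide shows the audit-trail problem in miniature: the collector received the message on Feb 17 1998, but the router stamped it Mar 2 with a leading asterisk, which IOS prints when its clock is not authoritative, and "sho clock" reveals the router thinks it is 1993. The Python below is an added example, not code from the presentation: it parses collector lines in the format the slide shows, compares the collector's receive time with the device's own timestamp, flags non-authoritative clocks and skew beyond a tolerance, and checks the per-device message sequence number for gaps. The log lines are constructed in that format, the collector year 1998 is assumed (syslog lines carry none), and the source is kept as the bracketed string the collector wrote.

```python
import re
from datetime import datetime

COLLECTOR_YEAR = 1998      # assumed: syslog lines carry no year
MAX_SKEW_SECONDS = 300     # tolerated difference between collector and device clocks

# Constructed lines in the collector's format: receive time, [source], sequence
# number, the device's own timestamp ('*' = clock not authoritative), then the
# %FACILITY-SEVERITY-MNEMONIC message.
SAMPLE_LINES = [
    "Feb 17 21:48:26 [10.1.1.101.9.132] 31: *Mar 2 11:51:55 CST: %SYS-5-CONFIG_I: "
    "Configured from console by vty0 (10.1.1.2)",
    "Feb 17 21:50:03 [10.1.1.102.9.132] 45: Feb 17 21:50:02 CST: %SYS-5-CONFIG_I: "
    "Configured from console by vty0 (10.1.1.2)",
    "Feb 17 21:50:10 [10.1.1.102.9.132] 46: Feb 17 21:50:09 CST: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface Serial1, changed state to down",
    "Feb 17 21:52:00 [10.1.1.102.9.132] 48: Feb 17 21:51:59 CST: %SYS-5-CONFIG_I: "
    "Configured from console by vty0 (10.1.1.2)",
]

LINE_RE = re.compile(
    r"^(?P<recv>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"\[(?P<src>[\d.]+)\] "
    r"(?P<seq>\d+): "
    r"(?P<flag>\*?)(?P<dev>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
    r"(?: (?P<tz>[A-Z]{3,4}))?: "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)


def parse_stamp(stamp):
    """'Mar 2 11:51:55' -> datetime in the assumed collector year."""
    return datetime.strptime(f"{COLLECTOR_YEAR} {' '.join(stamp.split())}",
                             "%Y %b %d %H:%M:%S")


def parse_line(line):
    """Return a record dict for one line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    recv, dev = parse_stamp(m["recv"]), parse_stamp(m["dev"])
    skew = int((dev - recv).total_seconds())   # device clock minus collector clock
    issues = []
    if m["flag"] == "*":
        issues.append("CLOCK_NOT_AUTHORITATIVE")
    if abs(skew) > MAX_SKEW_SECONDS:
        issues.append("CLOCK_SKEW")
    return {
        "src": m["src"], "seq": int(m["seq"]),
        "facility": m["facility"], "severity": int(m["sev"]),
        "mnemonic": m["mnemonic"], "message": m["msg"],
        "skew_seconds": skew, "issues": issues,
    }


def check_sequence(records):
    """Report gaps in each source's sequence numbers (lost or suppressed messages)."""
    last, gaps = {}, []
    for r in records:
        prev = last.get(r["src"])
        if prev is not None and r["seq"] > prev + 1:
            gaps.append({"src": r["src"], "after": prev, "seq": r["seq"],
                         "missing": r["seq"] - prev - 1})
        last[r["src"]] = r["seq"]
    return gaps


def analyze(lines):
    records = [r for r in map(parse_line, lines) if r]
    return records, check_sequence(records)


if __name__ == "__main__":
    records, gaps = analyze(SAMPLE_LINES)
    for r in records:
        print(r["src"], r["seq"], r["mnemonic"], r["skew_seconds"], r["issues"])
    print("gaps:", gaps)
```

A record whose device clock is days off the collector's is exactly the case the slide's "service timestamps log datetime" config cannot fix on its own; the skew check makes that visible at the collector, which is where the audit trail is read.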

Use a tool to analyze your logs and generate reports


III. Resource Protection

• Individual Resources

• Threats

• Avoidance measures

Spoofing

interface Serial 1
 ip address 172.26.139.2 255.255.255.252
 ip access-group 111 in
 no ip directed-broadcast
!
interface ethernet 0/0
 ip address 10.1.1.100 255.255.0.0
 no ip directed-broadcast
!
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
access-list 111 permit ip any any

(Diagram: a packet IP (D=10.1.1.2 S=10.1.1.1) arrives on Serial 1 from the outside host 172.16.42.84, carrying an inside source address; 10.1.1.2 is the inside host)

ICMP Filtering

Summary of Message Types
 0 Echo Reply
 3 Destination Unreachable
 4 Source Quench
 5 Redirect
 8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply

ICMP Codes are not shown

no ip redirects (IOS will not send or accept)
no ip unreachables (IOS will not send)

Extended Access List:
access-list 101 permit icmp any any <type> <code>

RFC 792: INTERNET CONTROL MESSAGE PROTOCOL

Source Routing

RFC 791: Internet Protocol

(Diagram: a host outside the Private Network 10.16.0.0 announces “I’m 10.16.99.99, and here’s the route back to me”)

interface Serial 1
 ip address 172.16.139.2 255.255.255.252
 ip access-group 111 in
!
no ip source-route
!
access-list 111 permit ip 10.16.0.0 0.0.255.255 any

Example Scenario

Protect the email server

(Diagram: SMTP Host)

Cisco IOS with an Access List

(Diagram: e0/0 toward the SMTP host, e0/1 toward the other network)

interface ethernet 0/0
 ip address 172.16.1.100 255.255.0.0
!
interface ethernet 0/1
 ip address 172.17.1.100 255.255.0.0
 ip access-group 111 in
 no ip unreachables
 no ip redirects
!
access-list 111 permit tcp any host 172.16.1.1 eq smtp
access-list 111 permit tcp any host 172.16.1.1 established
access-list 111 permit icmp any host 172.16.1.1
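Both the anti-spoofing list on the Spoofing slide and the SMTP-server list above are ordered extended access lists with an implicit deny at the end, and they can be checked offline before being applied. The Python below is an added example, not code from the presentation: it parses access-list lines in the syntax the slides use (any, host, address plus wildcard mask, eq, established), then evaluates constructed packets against the list in order. The "established" keyword is modelled as matching TCP packets with the ACK or RST bit set, which is the IOS meaning; the packet dictionaries and port-name table are the example's own.

```python
import ipaddress

# The two lists from the slides, retyped here as sample input.
SPOOF_ACL = """\
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
access-list 111 permit ip any any
"""

SMTP_ACL = """\
access-list 111 permit tcp any host 172.16.1.1 eq smtp
access-list 111 permit tcp any host 172.16.1.1 established
access-list 111 permit icmp any host 172.16.1.1
"""

# Subset of IOS port keywords understood by this evaluator.
PORT_NAMES = {"smtp": 25, "telnet": 23, "www": 80, "ftp": 21, "domain": 53}
ALL_ONES = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'.

    Returns ((base, wildcard), remaining tokens). Wildcard bits set to 1 are
    "don't care" bits, as in IOS, so non-contiguous wildcards work too.
    """
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq <port>' clause; returns (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, rest = parse_addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = parse_addr(rest)
        dport, rest = _port(rest)
        rules.append({"action": t[2], "proto": t[3], "src": src, "sport": sport,
                      "dst": dst, "dport": dport,
                      "established": "established" in rest, "text": line.strip()})
    return rules


def addr_match(spec, address):
    base, wildcard = spec
    care = wildcard ^ ALL_ONES            # the bits the rule actually compares
    return (_ip(address) ^ base) & care == 0


def evaluate(rules, pkt):
    """Return (action, rule text) for the first matching rule, else the implicit deny.

    pkt keys: proto ('tcp', 'udp', 'icmp'), src, dst, optional sport/dport,
    and ack (True when the TCP ACK or RST bit is set, which 'established' matches).
    """
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not addr_match(r["src"], pkt["src"]) or not addr_match(r["dst"], pkt["dst"]):
            continue
        if r["sport"] is not None and pkt.get("sport") != r["sport"]:
            continue
        if r["dport"] is not None and pkt.get("dport") != r["dport"]:
            continue
        if r["established"] and not pkt.get("ack", False):
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny"


if __name__ == "__main__":
    spoof, smtp = parse_acl(SPOOF_ACL), parse_acl(SMTP_ACL)
    print(evaluate(spoof, {"proto": "tcp", "src": "10.1.1.1", "dst": "10.1.1.2"}))
    print(evaluate(smtp, {"proto": "tcp", "src": "172.17.5.5", "dst": "172.16.1.1",
                          "dport": 23, "ack": False}))
```

The second case is the one worth noticing: a new Telnet connection to the mail host falls through all three permits and hits the implicit deny, while a reply segment with ACK set to any port is accepted by the "established" line, which is why that line must stay below the more specific ones.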

Cisco PIX

(Diagram: Inside and Outside interfaces)

PIX Version 4.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname mypix
...
fixup protocol smtp 25
...
interface ethernet0 auto
interface ethernet1 auto
ip address inside 10.1.1.101 255.255.0.0
ip address outside 172.17.1.100 255.255.0.0
static (inside,outside) 171.68.41.7 10.1.1.2 netmask 255.255.255.255 0 0
conduit permit tcp host 171.68.41.7 eq smtp any

Cisco IOS Firewall Feature Set

(Diagram: e0 toward the SMTP host, s0 toward the outside)

logging 172.16.27.131
ip inspect audit-trail
ip inspect dns-timeout 10
ip inspect tcp idle-time 60
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tcp timeout 3600
!
interface Ethernet 0
 ip address 172.16.1.100 255.255.0.0
 ip inspect myfw in
!
interface Serial 0
 ip address 172.19.139.1 255.255.255.248
 ip access-group 111 in
 ip inspect myfw in
!
access-list 111 permit tcp any host 172.16.1.1 eq smtp
! Add anti-spoofing here as well..

Intranet Protection Costs

• Versus:
  Loss
  Corruption
  Ease of Use


IV. Perimeter Protection

Firewall Protection

• Use access control lists on the screening router to control traffic
• Isolate each server from traffic with a switch

(Diagram: The Internet, the screening router, and a Demilitarized Zone (DMZ) holding the DNS, WWW and Mail servers)

Syn Attack

(Diagram: a stream of TCP syn packets toward 172.18.1.2, each from a different source address)

TCP syn (D=172.18.1.2 S=1.1.1.1)
TCP syn (D=172.18.1.2 S=1.1.1.2)
TCP syn (D=172.18.1.2 S=1.1.1.3)
TCP syn (D=172.18.1.2 S=1.1.1.4)
TCP syn (D=172.18.1.2 S=1.1.1.5)
TCP syn (D=172.18.1.2 S=2.1.1.1)
TCP syn (D=172.18.1.2 S=2.1.1.2)

Cisco IOS Syn Attack Defense

(Diagram: the three-way handshake, TCP syn, TCP syn/ack, TCP ack, shown on both sides of the router that intercepts it)

• How many session requests in the last one minute?
• How many incomplete sessions are there?

!
ip tcp intercept <access-list number>
!

Cisco IOS Syn Attack Defense

(Diagram: TCP syn, TCP syn/ack, TCP ack)

• How many session requests in the last one minute?
• How many incomplete sessions are there?
• How long do I wait for the final ack?

ip tcp intercept <access-list-number>
ip tcp intercept mode watch

PIX—Syn Attack Defense

(Diagram: Inside and Outside interfaces)

PIX Version 4.2(2)
static (inside,outside) 171.68.41.7 10.1.1.2 netmask 255.255.255.255 0 0 [max_conns [em_limit]]
conduit permit tcp host 171.68.41.7 eq smtp any

max_conns - the maximum number of TCP connections allowed
em_limit - the embryonic connection limit

Cisco IOS Firewall Feature Set Syn Attack Defense

(Diagram: TCP syn, TCP syn/ack, TCP ack)

• How many session requests in the last one minute?
• How many incomplete sessions are there?
• How long do I wait for the final ack?

ip inspect tcp synwait-time [seconds]
ip inspect tcp finwait-time [seconds]
ip inspect tcp idle-time [seconds]
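The three questions repeated across the syn-attack defense slides (requests in the last minute, incomplete sessions, how long to wait for the final ack) are the whole of the detection logic, whichever product implements it: the PIX em_limit caps embryonic connections, and the IOS synwait-time bounds how long a half-open session is kept. The Python below is an added example, not code from the presentation or from any Cisco product: it runs that logic over a constructed packet trace containing one legitimate handshake, the seven-source flood from the Syn Attack slide, and two later connections. The thresholds, the trace and the alert names are the example's own.

```python
from collections import defaultdict, deque

SYNWAIT_TIME = 30      # seconds to wait for the final ack (cf. ip inspect tcp synwait-time)
EM_LIMIT = 5           # half-open connections tolerated per server (cf. PIX em_limit)
RATE_LIMIT = 7         # session requests per server per minute before alerting


class HalfOpenTracker:
    """Track half-open TCP sessions per destination from a packet trace."""

    def __init__(self, synwait=SYNWAIT_TIME, em_limit=EM_LIMIT, rate_limit=RATE_LIMIT):
        self.synwait = synwait
        self.em_limit = em_limit
        self.rate_limit = rate_limit
        self.embryonic = {}                 # (src, sport, dst, dport) -> time of the syn
        self.requests = defaultdict(deque)  # dst -> times of syns seen in the last minute
        self.alerts = []
        self._alerted = set()               # (dst, kind) already reported once

    def _expire(self, now):
        # A half-open session whose final ack never arrives is dropped after
        # synwait seconds, as the router would drop (or reset) it.
        for key, t in list(self.embryonic.items()):
            if now - t > self.synwait:
                del self.embryonic[key]
        for q in self.requests.values():
            while q and now - q[0] > 60:
                q.popleft()

    def embryonic_count(self, dst):
        return sum(1 for key in self.embryonic if key[2] == dst)

    def requests_last_minute(self, dst):
        return len(self.requests[dst])

    def _alert(self, now, dst, kind, value):
        if (dst, kind) not in self._alerted:
            self._alerted.add((dst, kind))
            self.alerts.append({"t": now, "dst": dst, "kind": kind, "value": value})

    def observe(self, pkt):
        now = pkt["t"]
        self._expire(now)
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":            # client syn opens a half-open session
            self.embryonic[key] = now
            self.requests[pkt["dst"]].append(now)
        elif pkt["flags"] == "A":          # final ack completes the handshake
            self.embryonic.pop(key, None)
        dst = pkt["dst"]
        half_open = self.embryonic_count(dst)
        if half_open > self.em_limit:
            self._alert(now, dst, "EMBRYONIC_LIMIT", half_open)
        rate = self.requests_last_minute(dst)
        if rate > self.rate_limit:
            self._alert(now, dst, "SYN_RATE", rate)


def pkt(t, src, dst="172.18.1.2", sport=1024, dport=25, flags="S"):
    return {"t": t, "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


# Constructed trace: one legitimate handshake, then the flood from the slide
# (one syn from each of seven sources, none of which ever sends the ack),
# then two later syns from the legitimate client.
FLOOD_SOURCES = ["1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4", "1.1.1.5", "2.1.1.1", "2.1.1.2"]
TRACE = (
    [pkt(0, "172.16.42.84", sport=4000), pkt(1, "172.16.42.84", sport=4000, flags="A")]
    + [pkt(2 + i, s) for i, s in enumerate(FLOOD_SOURCES)]
    + [pkt(50, "172.16.42.84", sport=4001), pkt(100, "172.16.42.84", sport=4002)]
)


def run(trace):
    tracker = HalfOpenTracker()
    for p in trace:
        tracker.observe(p)
    return tracker


if __name__ == "__main__":
    tr = run(TRACE)
    for a in tr.alerts:
        print(a)
    print("half-open now:", tr.embryonic_count("172.18.1.2"),
          "requests in last minute:", tr.requests_last_minute("172.18.1.2"))
```

With these thresholds the embryonic limit trips on the sixth flood syn and the rate limit on the seventh; by the time the legitimate client returns at t=50 the flood's half-open entries have aged out, which is the effect the synwait-time bound is meant to have.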

Extranet Options

(Diagram: the Campus Backbone, with an EDI Translator and a Purchasing System, reaches Partners through a Gateway over Private Links, a VAN, or the Internet using Virtual Private Networking)

Electronic Commerce

(Diagram: Internet, Gateway Router, Demilitarized Zone (DMZ) with the Web Server and Secure Commerce Servers, Firewall, and the Intranet with the Enterprise Servers)

VPN Security Requirements

• Encryption for authentication, confidentiality and integrity
  or
• Physical line separation via private lines or frame relay

Virtual Private Dial Network

(Diagram: tunnels across The Internet)

• Layer 2 Forwarding
• Layer 2 Tunnel Protocol

VPDN Entrance to the Enterprise

(Diagram: Internet, Screening Router, Demilitarized Zone (DMZ), Firewall and Intranet, with the Home Gateway that terminates the VPDN tunnels)

Dial Access Protection

• Where to place the NAS?

(Diagram: Screening Router with the DNS, WWW and Mail servers)


V. Sustaining Network Security

• 24 by 7

Dynamic Routing Protocols

Path Redundancy to Route Around Failures

Keyed Hashing for Authentication and Integrity

(Diagram: Message and “Secret Key” go through the Hash Function to produce the Signature, shown as 983lna9458hk7436gq)

• Secret key and message are hashed together
• Recomputation of digest verifies that the message originated with the peer and that the message was not altered in transit

Route Update Authentication and Integrity

(Diagram: the sender assembles the packet with the key, IP HDR | Key | Route Update Data, runs it through the Hash Function, then reassembles the packet with the Signature in place of the key, IP HDR | Signature | Route Update Data, and sends it to the wire; the receiver repeats the Hash Function with its own copy of the key to check the Signature)
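The two keyed-hashing slides describe one mechanism: sender and receiver share a secret, the sender hashes the secret together with the route update and ships the digest as the signature, and the receiver recomputes the digest with its copy of the secret. The Python below is an added example, not code from the presentation or from any routing protocol implementation: it carries that scheme through for a constructed route update and shows a genuine update verifying while an update altered in transit, or one signed by a peer holding a different key, is rejected. HMAC-SHA256 from the standard library stands in for the keyed MD5 of the era; the key, header and prefixes are constructed for the example.

```python
import hashlib
import hmac
import json

# Shared secret configured on both routing peers (constructed for the example).
SHARED_KEY = b"constructed-shared-secret"


def serialize(header, routes):
    """Canonical byte form of the fields covered by the digest."""
    return json.dumps({"header": header, "routes": routes},
                      sort_keys=True, separators=(",", ":")).encode()


def keyed_digest(key, data):
    # Secret key and message are hashed together. HMAC-SHA256 is used here in
    # place of the keyed MD5 the slides' era used; the idea is the same.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_update(header, routes, key):
    """Sender: assemble the packet with the key, hash, then send the
    header and routes with the signature in place of the key."""
    return {"header": header, "routes": routes,
            "signature": keyed_digest(key, serialize(header, routes))}


def verify_update(packet, key):
    """Receiver: reassemble with the local key, recompute, and compare in
    constant time so the comparison itself leaks nothing about the digest."""
    expected = keyed_digest(key, serialize(packet["header"], packet["routes"]))
    return hmac.compare_digest(expected, packet["signature"])


# Constructed route update: a RIP-style header and three prefixes.
HEADER = {"src": "10.1.1.100", "dst": "224.0.0.9", "seq": 41}
ROUTES = ["10.1.0.0/16", "10.2.0.0/16", "172.17.0.0/16"]


def demo():
    packet = sign_update(HEADER, ROUTES, SHARED_KEY)
    tampered = dict(packet, routes=ROUTES + ["0.0.0.0/0"])   # altered in transit
    return {
        "genuine": verify_update(packet, SHARED_KEY),
        "tampered": verify_update(tampered, SHARED_KEY),
        "wrong_key": verify_update(packet, b"some-other-key"),  # peer without the secret
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:10} {'accepted' if ok else 'rejected'}")
```

The point the slides make is visible in the third case: a peer that does not hold the secret cannot produce a signature the receiver will accept, so the digest authenticates the origin as well as protecting the contents.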

Route Filtering

Router# sho ip proto
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 12 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is 1
  Redistributing: rip

router rip
 network 10.0.0.0
 distribute-list 1 in
!
access-list 1 deny 0.0.0.0
access-list 1 permit 10.0.0.0 0.255.255.255


Secure Vital Services

• Network Time Protocol Sources

• Domain Name Servers

• Certificate Authority

Multi-Level Security - TCSEC, ITSEC and CC

• Not really needed in Enterprise Networks

• Difficult to implement (unless you’re the military)

Session Protection through Encryption

(Diagram: the Application, Network and Link layers, with the encryption scopes Application to Application, End to End, End to Intermediate, Intermediate to Intermediate, and Link)

Session Protection through Network Layer Encryption

(Diagram: both ends hold a Shared Secret Key; DES encrypts the cleartext, the ciphertext crosses the Internet, and DES decrypts it back to cleartext)

IPSec—the IETF working group defining IP Security

NetRanger

• Sensors watch for attacks or problems
• NetRanger stops active attacks

(Diagram: a NetRanger Director managing several Sensors)

NetSonar Vulnerability Scanning

(Diagram: NetSonar scanning several Targets)

• Network mapping
  Identify live hosts
  Identify services on hosts
• Vulnerability scanning
  Analyze discovery data for potential vulnerabilities
  Confirm vulnerabilities on targeted hosts


VI. Security Sustainment Validation

What steps can you take to make sure that your network will continue to be secure?


Modeling Tools

• NetSys Modeling can verify the access controls in your network

Validating Your Policy through Network Management Systems

• What to monitor?
• What to measure?

(Diagram: Access, Workgroup and Core layers with a Management station)

Track and report trends that show how you are achieving your security goals

For the want of a nail, the shoe was lost.
For the want of a shoe, the horse was lost.
For the want of a horse, the rider was lost.
For the want of a rider, the battle was lost.
For the want of a battle, the Kingdom was lost.
And all for the want of a horse shoe nail.

VII. Conclusions