Cisco Expo 2011: Implementing Security with IOS + EEM (T-SEC)
Dimitar (Mitko) Vasilev, Routing and Switching CSE
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public


Page 2:
• Twitter www.twitter.com/CiscoCZ
• Talk2cisco www.talk2cisco.cz/dotazy
• SMS 732 488 666


Page 4: Threats at the Branch Office and HQ
Figure: branch offices, head quarter and the Internet, with the threats shown at each location: web surfing, DDoS on the router, worms/viruses, wireless attacks, voice attacks, attacks on branch servers, attack on the DMZ.

Page 5: Securing the Branch Office and HQ with Cisco IOS Security
Figure: the same topology annotated with the IOS security features that address these threats: Network Foundation Protection, Application Firewall, FPM, ScanSafe, Voice Security, Wireless Security.
• Secure Internet access to the branch, without the need for additional devices
• Control worms and viruses right at the remote site, conserving WAN bandwidth
• Protect the router itself from hacking and DoS attacks
Applies to: Campus Edge, DC Edge, DMZ


Page 7: IOS Firewall: Zone Based Firewall

Page 8: Zone Based Firewall (12.4(6)T)
• Grouping of interfaces into zones
• Firewall policies are applied to traffic traversing zones
• Simple to add or remove interfaces and integrate into firewall policy
Figure: a router with E0 in the Trusted (Private) zone, S0 in the Untrusted (Public) zone towards the Internet, and a DMZ zone; policies are defined per zone pair: Private-Public, Public-DMZ, DMZ-Private, Private-DMZ.

Page 9: Supported Features
• Stateful inspection
• Application inspection: HTTP, SMTP, ESMTP, POP3/IMAP, RPC, FTP/TFTP, IM, P2P, SIP, SCCP, H.323v3/v4
• URL filtering
• Per-policy parameters
• Transparent firewall
• VRF-aware firewall
• User-group firewall
• IPv6

Page 10: Configuration language
• Uses the C3PL (Cisco Common Classification Policy Language) framework, based on the existing MQC framework in IOS
• Only 3 constructs:
  Class-map: specifies interesting traffic via "match" conditions
  Policy-map: associates actions with the above class map
  Parameter-map: operating parameters for the classification and action application
• Each of the constructs is a feature- or protocol-specific type, for example: class-map type inspect match-all my-cmap

Page 11: ZBFW configuration example
! Define the services inspected by the policy
class-map type inspect match-any myprotocol
 match protocol smtp
 match protocol ftp
 match protocol http
! Combine the services with an ACL to define permitted/denied hosts (optional)
class-map type inspect match-all myclass
 match access-group 102
 match class-map myprotocol
! Define the firewall action for the traffic
policy-map type inspect mypolicy
 class type inspect myclass
  inspect
! Set up zones
zone security private
zone security public
! Establish the zone pair and apply the policy
zone-pair security priv-pub source private destination public
 service-policy type inspect mypolicy
! Assign interfaces to zones
interface Ethernet0
 zone-member security private
interface Serial0
 zone-member security public
!
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
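A small model of the zone-pair semantics the configuration above relies on, added here as an illustration and not code from the presentation or from Cisco IOS. Interfaces are placed in zones, a zone pair carries an inspect policy, and the default behaviours (intra-zone traffic passes, a zoned interface never talks to an unzoned one, no zone pair means drop, return traffic of an inspected session passes) are applied in the order IOS documents them. The Packet and InspectClass types, the reduction of access-list 102 to a set of source prefixes and the protocol names are assumptions of the example; its inspect action only records a session and does not perform protocol inspection.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One forwarded packet: ingress/egress interface, addresses and the
    application protocol ZBFW would classify it as (assumed names)."""
    in_intf: str
    out_intf: str
    src: str
    dst: str
    proto: str


@dataclass
class InspectClass:
    """A 'class-map type inspect' reduced to what the slide's example uses:
    match-any over protocols, optionally combined (match-all) with an ACL
    expressed here as source prefixes (the 'match access-group 102' part)."""
    protocols: frozenset
    acl_sources: tuple = ()   # empty = no ACL condition

    def matches(self, pkt):
        if pkt.proto not in self.protocols:
            return False
        if not self.acl_sources:
            return True
        src = ipaddress.ip_address(pkt.src)
        return any(src in net for net in self.acl_sources)


class ZoneFirewall:
    def __init__(self):
        self.zone_of = {}       # interface -> zone (zone-member security)
        self.zone_pairs = {}    # (src zone, dst zone) -> [(InspectClass, action)]
        self.sessions = set()   # created by "inspect"; lets return traffic through

    def zone_member(self, intf, zone):
        self.zone_of[intf] = zone

    def zone_pair(self, src_zone, dst_zone, policy):
        self.zone_pairs[(src_zone, dst_zone)] = policy

    def forward(self, pkt):
        """Returns the ZBFW verdict for pkt: 'pass', 'inspect' or 'drop'."""
        src_zone = self.zone_of.get(pkt.in_intf)
        dst_zone = self.zone_of.get(pkt.out_intf)
        if src_zone is None and dst_zone is None:
            return "pass"       # neither interface is zoned: ZBFW not involved
        if src_zone is None or dst_zone is None:
            return "drop"       # zoned <-> unzoned interface is always dropped
        if src_zone == dst_zone:
            return "pass"       # intra-zone traffic passes by default
        # Return traffic of a session an earlier "inspect" created.
        if (dst_zone, src_zone, pkt.dst, pkt.src, pkt.proto) in self.sessions:
            return "pass"
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop"       # no zone pair in this direction: default deny
        for cls, action in policy:
            if cls.matches(pkt):
                if action == "inspect":
                    self.sessions.add((src_zone, dst_zone, pkt.src, pkt.dst, pkt.proto))
                return action
        return "drop"           # class-default of an inspect policy drops


def build_slide_firewall():
    """The slide's configuration: zones private/public, Ethernet0 in private,
    Serial0 in public, zone pair priv-pub inspecting smtp/ftp/http from
    192.168.0.0/16 (access-list 102)."""
    fw = ZoneFirewall()
    fw.zone_member("Ethernet0", "private")
    fw.zone_member("Serial0", "public")
    myclass = InspectClass(frozenset({"smtp", "ftp", "http"}),
                           (ipaddress.ip_network("192.168.0.0/16"),))
    fw.zone_pair("private", "public", [(myclass, "inspect")])
    return fw


if __name__ == "__main__":
    fw = build_slide_firewall()
    out = Packet("Ethernet0", "Serial0", "192.168.1.10", "203.0.113.5", "http")
    back = Packet("Serial0", "Ethernet0", "203.0.113.5", "192.168.1.10", "http")
    print(fw.forward(out), fw.forward(back))   # inspect pass
```

Running it shows why the slide's policy only needs one zone pair: the inbound http reply passes because the outbound request created a session, while the same inbound packet without a prior session, or any unsolicited public-to-private traffic, is dropped for lack of a public-to-private zone pair.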

Page 12: Configuring ZBFW with CSM
• We can use CSM to configure ZBFW
• Since CSM 3.3
• Zones are created as Interface Role objects

Page 13: Verification commands
• To display a zone and its member interfaces:
  show zone security [zone-name]
• To display zone-pair information:
  Router#show zone-pair security source private destination public
  Zone-pair name priv-pub
      source-Zone private  Destination-Zone public
      service-policy priv-pub-pol
• To show policy statistics and sessions:
  show policy-map type inspect { <policy name> [class <class name>] | zone-pair [<zone-pair name>] [sessions | urlfilter cache] }

Page 14: Performance (RFP "drag strip" numbers)
• Mbps measured with 1400-byte packets, pps with 64-byte packets.
• FW test using stateless UDP: ingress 1400-byte UDP, same-port-number packets, hitting a single "let-me-through" policy.
• Result for the 3945: IP 7.5 Gbps, firewall 3 Gbps.

Platform   IP (Mbps / pps)     IP+NAT (Mbps / pps)   ZBFW (Mbps / pps)     IPSec/AES (Mbps / pps)
3945       7,500 / 982,318     3,040 / 288,684       2,928 / 272,331       848 / 80,356
3925       6,451 / 833,334     2,562 / 241,080       2,399 / 238,031       770 / 80,051
2951       4,800 / 579,948     1,844 / 159,221       1,262 / 150,360       282 / 51,930
2921       3,273 / 479,156       729 / 77,340          749 / 65,476        207 / 34,226
2911       3,150 / 352,868       670 / 60,068          632 / 56,521        164 / 26,762
2901       2,910 / 327,382       641 / 44,635          584 / 52,385        154 / 24,111
1941       2,740 / 333,334       512 / 46,130          532 / 47,618        146 / 23,808

Page 15: User-Group Firewall (12.4(20)T)
• Users grouped based on identity and IP addresses
• Policies applied to the whole group
• Easy to segregate business-specific functions
• Inspect class-maps support UG-ZBF
• Authentication protocols supported: TACACS+, RADIUS
• Classification provided based on:
  Device type (computer, IP phones, etc.)
  Location (building / floor)
  Role (engineer, manager, accountant)

Page 16: User-Group Firewall operation
Figure: the engineering, HR & accounts, IP phone and vendor/guest networks reach the authentication server, the server farm and the Internet cloud through a router acting as firewall / auth-proxy / NAC.
1. Router intercepts auth traffic
2. Updates its tag database
3. User-group policies applied
4. Traffic allowed/denied based on config

Page 17: Unified Communications Trusted Firewall (12.4(22)T)
• Cisco IOS Firewall enables trusted media control and helps prevent impersonation attacks
• Trusted Firewall authenticates/authorizes calls to ensure pinholes are only opened for legitimate calls
• Trusted Firewall is voice-protocol-version independent and it secures:
  Encrypted signaling paths
  Asymmetric signalling and media paths
Figure: endpoint, access switch and Cisco IOS Firewall with Trust Relay Point (TRP) on each side of an IP WAN, with CUCM in the middle. A shared secret is configured in the TRPs and FWs; a STUN/ICE message carries a crypto token; the FW opens a pinhole after verifying the crypto token.

Page 18: Zone Based Firewall for IPv6 (15.1(2)T)
• Coexists with ZBFW for IPv4
• MIBs are provided for TCP, UDP, ICMPv6 and FTP sessions
• Configuration steps:
  Create an inspect-type parameter map
  Create an inspect-type class map
  Create an inspect-type policy map
  Set up security zones and zone pairs

Page 19: IPv6 ZBFW configuration example
parameter-map type inspect v6-param-map
 sessions maximum 10000
 ipv6 routing-header-enforcement loose
class-map type inspect match-any v6-class
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ftp
policy-map type inspect v6-policy
 class type inspect v6-class
  inspect
zone security z1
zone security z2
zone-pair security zp source z1 destination z2
 service-policy type inspect v6-policy
Backward compatibility with legacy IPv6 inspection.

Page 20: References
• Zone Based FW design guide: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
• User Group Firewall: http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_user_fw_supp.html
• ZBFW IPv6 configuration: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-sec_trfltr_fw.html#wp1072434
• VRF aware IPS: http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_vrf_aware_ips.html

Page 21: Insight provided by Management Instrumentation


Page 23: Traditional NetFlow record
IOS-ZFW# show flow record netflow-original
flow record netflow-original:
  Description:        Traditional IPv4 input NetFlow with origin ASs
  No. of users:       0
  Total field space:  53 bytes
  Fields:
    match ipv4 tos
    match ipv4 protocol
    match ipv4 source address
    match ipv4 destination address
    match transport source-port
    match transport destination-port
    match interface input
    match flow sampler
    collect routing source as
    collect routing destination as
    collect routing next-hop address ipv4
    collect ipv4 source mask
    collect ipv4 destination mask
    collect transport tcp flags
    collect interface output
    collect counter bytes
    collect counter packets
    collect timestamp sys-uptime first
    collect timestamp sys-uptime last
The fields that determine a "flow" are defined with the "match" parameter. The "collect" fields are used to record information about each "flow" (a group of packets that share a common set of characteristics).

Page 24: NetFlow cache (sample flow table)
IOS-ZFW# show ip cache flow
IP packet size distribution (5176 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .022 .000 .113 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .090
    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .772 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
  156 active, 3940 inactive, 1174 added
  20229 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
  151 active, 873 inactive, 1179 added, 1179 added to flow
  0 alloc failures, 0 force free
  1 chunk, 0 chunks added
  last clearing of statistics 00:12:37
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-FTP            433      0.5         1   460      0.5       0.0      15.4
TCP-SMTP           107      0.1         1    40      0.1       0.0      15.7
UDP-DNS            540      0.7         1   128      0.7       0.0      15.4
ICMP                 2      0.0      2002  1398      5.3      26.9      15.5
Total:            1082      1.4         4  1155      6.7       0.0      15.5
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa4.1250      172.16.250.85   Vl1252        172.16.252.10   06 20FD 0015     1
Fa4.1250      172.16.250.84   Vl1252        172.16.252.10   06 20FC 0015     1
Fa4.1250      172.16.250.80   Vl1252        172.16.252.10   06 20F8 0015    10
Fa4.1250      172.16.250.87   Vl1252        172.16.252.10   06 20FF 0015    12
Fa4.1250      172.16.250.86   Vl1252        172.16.252.10   06 20FE 0015     3
Fa4.1250      172.16.250.71   Fa4.1251      172.16.251.20   06 17DF 0019     1
Fa4.1250      172.16.250.70   Fa4.1251      172.16.251.20   06 17DE 0019     7
Fa4.1250      172.16.250.69   Fa4.1251      172.16.251.20   06 17DD 0019     1
Fa4.1250      172.16.250.78   Fa4.1251      172.16.251.20   06 17E6 0019     9
Fa4.1250      172.16.250.52   Fa4.1251      172.16.251.10   11 11F0 0035     1
Callouts on the slide: the packet size distribution shows the distribution of flows by packet size; the protocol table shows the distribution of flows per protocol and the packets per flow; in the sample flow table, SrcIf is the input interface, DstIf the output interface and Pkts the packet count of each flow.

Page 25: NetFlow v9 (basis for the IPFIX standard)
Figure: layout of an export packet:
  Header
  Template FlowSet: Template Record, Template ID #1 (specific field types and lengths); Template Record, Template ID #2 (specific field types and lengths)
  Data FlowSet, FlowSet ID #1: Data Records (field values) described by Template 1
  Data FlowSet, FlowSet ID #2: Data Record (field values) described by Template 2

Page 26: Flexible NetFlow: user-defined record, exporter and monitor
IOS-ZFW# show flow record FLEXRECORD1
flow record FLEXRECORD1:
  Description:        User defined
  No. of users:       1
  Total field space:  36 bytes
  Fields:
    match ipv4 precedence
    match ipv4 protocol
    match ipv4 source address
    match ipv4 destination address
    match transport source-port
    match transport destination-port
    match interface input
    collect ipv4 total-length
    collect ipv4 fragmentation flags
    collect ipv4 fragmentation offset
    collect transport tcp flags
    collect interface output
    collect counter bytes
    collect counter packets
flow exporter FLEXNETFLOW1
 description *** Exporting to Cisco MARS
 destination 192.168.1.114
 source FastEthernet4.1102
 transport udp 2055
!
flow monitor FLEX1
 record FLEXRECORD1
 exporter FLEXNETFLOW1
!
interface FastEthernet4.1250
 encapsulation dot1Q 1250
 ip address 172.16.250.23 255.255.255.0
 ip flow monitor FLEX1 input
Flexible NetFlow allows the definition of new record formats.

Page 27: Exported NetFlow v9 packet (template) in a protocol analyzer
Figure: packet decode showing Template #259 (14 fields), some of them user-defined fields in the template; the number of flow records in this packet (either template or data records); and a Data FlowSet containing data records described by Template #259.

Page 28: Exported NetFlow v9 packet (data records) in a protocol analyzer
Figure: this packet carries several data records described by Template #259. In each data flow instance, every field defined in the template assumes a specific value (parameter value or field value).
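To make the template/data structure of pages 25, 27 and 28 concrete, the following Python encoder/decoder is an added example, not code from the presentation or from Cisco. It builds a v9 export packet with a header, a Template FlowSet (FlowSet ID 0) carrying template 259 and a Data FlowSet (FlowSet ID 259) with two data records, then parses it back. The field type numbers are RFC 3954 values; template 259 here has 8 constructed fields rather than the 14 on the slide, and the two records are constructed from the flow table on page 24. It also shows the caveat a collector has to handle: a Data FlowSet received before its template cannot be decoded and has to wait until the template arrives.

```python
import ipaddress
import struct

# RFC 3954 field type numbers (subset) with their fixed lengths in bytes.
FIELD_TYPES = {
    1: ("IN_BYTES", 4), 2: ("IN_PKTS", 4), 4: ("PROTOCOL", 1), 6: ("TCP_FLAGS", 1),
    7: ("L4_SRC_PORT", 2), 8: ("IPV4_SRC_ADDR", 4), 11: ("L4_DST_PORT", 2),
    12: ("IPV4_DST_ADDR", 4),
}
NAME_TO_TYPE = {name: t for t, (name, _) in FIELD_TYPES.items()}
TEMPLATE_FLOWSET_ID = 0        # FlowSet ID 0 announces templates
HEADER = ">HHIIII"             # version, count, sysUptime, unix secs, sequence, source ID

# Constructed template 259 (8 fields; the slide's has 14) and two records
# modelled on the flow table of page 24.
SAMPLE_FIELDS = ["IPV4_SRC_ADDR", "IPV4_DST_ADDR", "PROTOCOL", "L4_SRC_PORT",
                 "L4_DST_PORT", "TCP_FLAGS", "IN_PKTS", "IN_BYTES"]
SAMPLE_RECORDS = [
    {"IPV4_SRC_ADDR": "172.16.250.85", "IPV4_DST_ADDR": "172.16.252.10", "PROTOCOL": 6,
     "L4_SRC_PORT": 0x20FD, "L4_DST_PORT": 21, "TCP_FLAGS": 0x02, "IN_PKTS": 1, "IN_BYTES": 60},
    {"IPV4_SRC_ADDR": "172.16.250.52", "IPV4_DST_ADDR": "172.16.251.10", "PROTOCOL": 17,
     "L4_SRC_PORT": 0x11F0, "L4_DST_PORT": 53, "TCP_FLAGS": 0, "IN_PKTS": 1, "IN_BYTES": 128},
]


def encode_value(name, value):
    length = FIELD_TYPES[NAME_TO_TYPE[name]][1]
    if name.startswith("IPV4_"):
        return ipaddress.IPv4Address(value).packed
    return int(value).to_bytes(length, "big")


def decode_value(name, raw):
    if name.startswith("IPV4_"):
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def build_packet(template_id, field_names, records, include_template=True, seq=1, source_id=0):
    """Builds a v9 export packet: header, optional Template FlowSet, Data FlowSet."""
    flowsets = b""
    if include_template:
        body = struct.pack(">HH", template_id, len(field_names))
        for name in field_names:
            ftype = NAME_TO_TYPE[name]
            body += struct.pack(">HH", ftype, FIELD_TYPES[ftype][1])
        flowsets += struct.pack(">HH", TEMPLATE_FLOWSET_ID, 4 + len(body)) + body
    data = b"".join(encode_value(n, rec[n]) for rec in records for n in field_names)
    pad = (-(4 + len(data))) % 4            # FlowSets are padded to 4-byte boundaries
    flowsets += struct.pack(">HH", template_id, 4 + len(data) + pad) + data + b"\x00" * pad
    # The header count covers every record in the packet, templates included.
    count = len(records) + (1 if include_template else 0)
    return struct.pack(HEADER, 9, count, 0, 0, seq, source_id) + flowsets


def parse_packet(packet, templates=None):
    """Decodes a v9 packet. `templates` is the collector's cache keyed by
    (source_id, template_id); Data FlowSets whose template is unknown are skipped."""
    templates = {} if templates is None else templates
    version, count, _uptime, _secs, seq, source_id = struct.unpack(HEADER, packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack(">HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == TEMPLATE_FLOWSET_ID:
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack(">HH", body[pos:pos + 4])
                pos += 4
                if nfields == 0:
                    break                    # trailing padding, not a template
                fields = [struct.unpack(">HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                   # Data FlowSet: its ID is the template ID
            fields = templates.get((source_id, fs_id))
            rec_len = sum(length for _, length in fields) if fields else 0
            pos = 0
            while rec_len and pos + rec_len <= len(body):
                rec = {"template_id": fs_id}
                for ftype, length in fields:
                    name = FIELD_TYPES.get(ftype, ("type%d" % ftype, length))[0]
                    rec[name] = decode_value(name, body[pos:pos + length])
                    pos += length
                records.append(rec)
        off += fs_len
    return {"count": count, "sequence": seq, "source_id": source_id,
            "templates": templates, "records": records}
```

A packet built with include_template=False parses to zero records on a fresh collector, which is exactly what happens when a collector restarts between template refreshes; passing the template cache from an earlier packet decodes it fully.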

Page 29: Aggregating the cache by destination address
IOS-FW# show flow monitor FLEX1 cache aggregate ipv4 destination address ipv4 precedence
Processed 79 flows
Aggregated to 4 flows
IPV4 DST ADDR    IP PREC       flows      bytes       pkts
===============  =======  ==========  ==========  ==========
172.16.252.20          5          32       11520          32
172.16.252.10          4          16        7360          16
172.16.251.20          2          16        4160          16
172.16.251.10          3          15        1920          15
!
IOS-FW# show flow monitor FLEX1 cache aggregate ipv4 destination address ipv4 protocol
Processed 79 flows
Aggregated to 4 flows
IPV4 DST ADDR    IP PROT       flows      bytes       pkts
===============  =======  ==========  ==========  ==========
172.16.252.20          6          32       11520          32
172.16.252.10          6          16        7360          16
172.16.251.20          6          16        4160          16
172.16.251.10         17          15        1920          15

Page 30: Aggregating the cache by port, precedence and fragmentation flags
IOS-FW# show flow monitor FLEX1 cache aggregate ipv4 protocol transport destination-port ipv4 precedence
Processed 79 flows
Aggregated to 5 flows
TRNS DST PORT  IP PREC  IP PROT       flows      bytes       pkts
=============  =======  =======  ==========  ==========  ==========
           80        5        6          32       11520          32
          443        4        6          16        7360          16
           25        2        6          16        4160          16
            0        3       17           8        1024           8
           53        3       17           7         896           7
!
IOS-FW# show flow monitor FLEX1 cache aggregate ipv4 fragmentation flags ipv4 protocol transport destination-port
Processed 75 flows
Aggregated to 5 flows
TRNS DST PORT  IP PROT  IP FRAG FLAGS       flows      bytes       pkts
=============  =======  =============  ==========  ==========  ==========
           80        6           0x00          30       10800          30
          443        6           0x00          15        6900          15
           25        6           0x00          15        3900          15
            0       17           0x01           8        1024           8
           53       17           0x00           7         896           7

Page 31: Aggregating the cache by output interface and TCP flags
IOS-FW#show flow monitor FLEX1 cache aggregate interface output transport tcp flags
Processed 971 flows
Aggregated to 9 flows
TCP FLAGS  INTF OUTPUT                flows      bytes       pkts
=========  ====================  ==========  ==========  ==========
0x12       Fa4.1251                       6        1560           6
0x02       Vl1252                       926      333560         926
0x18       Vl1252                         8        3680           8
0x00       Fa4.1251                      15        1920          15
0x18       Fa4.1251                       5        1300           5
0x02       Fa4.1251                       5        1300           5
0x01       Vl1252                         2         920           2
0x10       Vl1252                         2         920           2
0x12       Vl1252                         2         920           2

Page 32: Verifying NBAR effectiveness
Problem: Application protocols as well as user behavior are changing, hence the traffic mix changes too. We need to permanently assess how effective the NBAR deployment is, especially when using CBQoS with match protocol.
Solution: Automate the comparison between 'unknown' and 'total' traffic
Router# show ip nbar protocol-discovery top-n 5 Serial0/0
                    Input                      Output
 Protocol           Packet Count               Packet Count
                    Byte Count                 Byte Count
                    5 minute bit rate (bps)    5 minute bit rate (bps)
 ----------         ------------------------   ------------------------
 :                  :                          :
 unknown            205                        204
                    14976                      10404
                    0                          0
 Total              41304                      40944
                    2649809                    2619839
                    3000                       3000
NBAR recognized (%) = ((total - unknown) / total) * 100
Upon a low percentage of traffic recognized by NBAR, it's time to check for new PDLMs ...
See: Available as an EASy package: http://www.cisco.com/go/easy
See: Scripts available from CiscoBeyond: http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=2101
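The automated comparison the slide asks for, as an added Python example (not the EASy package or the CiscoBeyond script it references): parse the text of show ip nbar protocol-discovery, compute NBAR recognized (%) = ((total - unknown) / total) * 100 for each direction, and flag the interface when recognition drops below a threshold. The unknown and Total rows of the sample output are the slide's numbers; the http row, the 90% threshold and the function names are constructed.

```python
import re

# Output of the slide's command; the unknown and Total rows carry the slide's
# numbers, the http row is constructed to make the table complete.
SAMPLE_OUTPUT = """\
Router# show ip nbar protocol-discovery top-n 5 Serial0/0

                    Input                      Output
 Protocol           Packet Count               Packet Count
                    Byte Count                 Byte Count
                    5 minute bit rate (bps)    5 minute bit rate (bps)
 ----------         ------------------------   ------------------------
 http               20000                      19500
                    1500000                    1480000
                    1500                       1400
 unknown            205                        204
                    14976                      10404
                    0                          0
 Total              41304                      40944
                    2649809                    2619839
                    3000                       3000
"""

COUNTERS = ("packets", "bytes", "bps")   # order of the three lines per protocol
FIRST_LINE = re.compile(r"^\s*([A-Za-z][\w.-]*)\s+(\d+)\s+(\d+)\s*$")
NEXT_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s*$")


def parse_protocol_discovery(text):
    """Returns {protocol: {"in": {...}, "out": {...}}} with packets/bytes/bps.
    A protocol starts on a line 'name <in> <out>' and continues on two
    lines that carry only the two numbers."""
    stats, current = {}, None
    for line in text.splitlines():
        m = FIRST_LINE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {"in": [int(m.group(2))], "out": [int(m.group(3))]}
            continue
        m = NEXT_LINE.match(line)
        if m and current is not None:
            stats[current]["in"].append(int(m.group(1)))
            stats[current]["out"].append(int(m.group(2)))
    return {proto: {d: dict(zip(COUNTERS, vals)) for d, vals in dirs.items()}
            for proto, dirs in stats.items()}


def nbar_recognized_pct(stats, direction="in", counter="packets"):
    """NBAR recognized (%) = ((total - unknown) / total) * 100, per direction."""
    total = stats["Total"][direction][counter]
    unknown = stats.get("unknown", {}).get(direction, {}).get(counter, 0)
    if total == 0:
        return 100.0            # nothing seen yet: nothing unrecognized either
    return round((total - unknown) / total * 100, 2)


def check_recognition(text, threshold_pct=90.0):
    """What a periodic EEM script would do: flag the interface when the
    recognized share in either direction falls under the threshold."""
    stats = parse_protocol_discovery(text)
    result = {d: nbar_recognized_pct(stats, d) for d in ("in", "out")}
    result["ok"] = all(v >= threshold_pct for v in (result["in"], result["out"]))
    return result


if __name__ == "__main__":
    print(check_recognition(SAMPLE_OUTPUT))   # {'in': 99.5, 'out': 99.5, 'ok': True}
```

The counter argument lets the same check run on byte counts, which matters when the unrecognized traffic is a few high-volume flows rather than many small ones.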

Page 33: Service Planning: Embedded Resource Manager (ERM)
• The ERM framework tracks resource depletion and resource dependencies across processes and within a system
• Monitor thresholds for CPU, buffer, and/or memory, for the system or a line card
• ERM can define a "group", i.e. a group of different CPU processes
• CISCO-ERM-MIB
• Interface into EEM
Available from: IOS 12.2(33)SRB, 12.4(15)T. Platforms: UC520, 800, x8xx ISR, x900x ISR, 65xx, 72xx, 73xx, 75xx, 76xx, 10xxx

Page 34: Service Planning, Example: Monitoring Resources
Problem: During the planning cycle, we would like to understand if total CPU usage reaches critical levels
Solution: Define an ERM policy to notify upon resource depletion
resource policy
 policy my-erm-policy-1 type iosprocess
  system
   cpu total
    critical rising 90 interval 15 falling 20 interval 10 global
    major rising 70 interval 15 falling 15 interval 10 global
    minor rising 60 interval 15 falling 10 interval 10 global
!
Feb 17 13:32:18.283: %SYS-4-CPURESRISING: System is seeing global cpu util 62% at total level more than the configured minor limit 60%
If total CPU usage rises above 90% at an interval of 15 s, a Critical Up notification is sent

Page 35: Service Planning, Example: Monitoring Multiple Processes
Problem: In order to detect resource consumption caused by brute-force login attempts, we want to keep an eye on CPU utilization by the login processes
Solution: Define an ERM policy to notify upon critical / suspicious levels
resource policy
 policy my-login-policy type iosprocess
  system
   cpu process
    critical rising 30 interval 10 falling 20 interval 10
    major rising 20 interval 10 falling 10 interval 10
    minor rising 10 interval 10 falling 5 interval 10
 user group my-login-group type iosprocess
  instance "SSH Process"
  instance "SSH Event handler"
  policy my-login-policy
*Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
*Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10%, current value 0%
Syslog if the group's CPU usage rises above 10% at an interval of 10 s
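To show what the rising/falling thresholds and intervals on pages 34 and 35 mean for a stream of CPU samples, here is an added Python replay of the my-login-policy thresholds (example code, not Cisco's ERM implementation). Its assumption, stated in the comments, is that a level is raised once utilization has stayed above the rising threshold for `interval` consecutive one-second samples and is cleared once it has stayed below the falling threshold for the falling interval, so a short spike produces no notification; the sample series and the class and function names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threshold:
    level: str              # "critical", "major" or "minor"
    rising: int             # utilization (%) that must be exceeded ...
    rising_interval: int    # ... for this many consecutive samples to raise
    falling: int            # utilization (%) that must be undercut ...
    falling_interval: int   # ... for this many consecutive samples to clear


@dataclass(frozen=True)
class ErmPolicy:
    name: str
    group: str              # resource group the policy is bound to
    thresholds: tuple


# The slide's my-login-policy, bound to my-login-group (the SSH processes).
LOGIN_POLICY = ErmPolicy("my-login-policy", "my-login-group", (
    Threshold("critical", 30, 10, 20, 10),
    Threshold("major", 20, 10, 10, 10),
    Threshold("minor", 10, 10, 5, 10),
))

# Constructed one-second samples of the group's CPU share: idle, a 20 s burst
# at 16% (the value in the slide's syslog), then idle again; and a 5 s spike.
BRUTE_FORCE_SAMPLES = [0] * 5 + [16] * 20 + [0] * 20
SHORT_SPIKE_SAMPLES = [0] * 5 + [16] * 5 + [0] * 20


class ErmMonitor:
    """Replays CPU samples against a policy. Assumed semantics: a level is
    raised after `rising_interval` consecutive samples above `rising` and
    cleared after `falling_interval` consecutive samples below `falling`."""

    def __init__(self, policy):
        self.policy = policy
        self.state = {t.level: {"raised": False, "above": 0, "below": 0}
                      for t in policy.thresholds}
        self.events = []     # (kind, level, cpu) in the order they fire

    def sample(self, cpu_pct):
        for th in self.policy.thresholds:
            st = self.state[th.level]
            st["above"] = st["above"] + 1 if cpu_pct > th.rising else 0
            st["below"] = st["below"] + 1 if cpu_pct < th.falling else 0
            if not st["raised"] and st["above"] >= th.rising_interval:
                st["raised"] = True
                self.events.append(("CPURESRISING", th.level, cpu_pct))
            elif st["raised"] and st["below"] >= th.falling_interval:
                st["raised"] = False
                self.events.append(("CPURESFALLING", th.level, cpu_pct))

    def syslog_lines(self):
        """Renders the events in the format of the slide's syslog messages."""
        limits = {t.level: t.rising for t in self.policy.thresholds}
        lines = []
        for kind, level, cpu in self.events:
            if kind == "CPURESRISING":
                lines.append(f"%SYS-4-CPURESRISING: Resource group {self.policy.group} is seeing "
                             f"local cpu util {cpu}% at process level more than the configured "
                             f"{level} limit {limits[level]}%")
            else:
                lines.append(f"%SYS-6-CPURESFALLING: Resource group {self.policy.group} is no longer "
                             f"seeing local high cpu at process level for the configured "
                             f"{level} limit {limits[level]}%, current value {cpu}%")
        return lines


def replay(policy, samples):
    """Feeds all samples to a fresh monitor and returns it for inspection."""
    mon = ErmMonitor(policy)
    for cpu in samples:
        mon.sample(cpu)
    return mon


if __name__ == "__main__":
    for line in replay(LOGIN_POLICY, BRUTE_FORCE_SAMPLES).syslog_lines():
        print(line)
```

The sustained 16% burst raises and later clears only the minor level, reproducing the pair of messages on the slide; the 5-second spike never reaches the 10-sample rising interval and stays silent, which is the debouncing the interval parameter buys.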

Page 36: What is NetFlow?
• Developed and patented at Cisco Systems in 1996
• NetFlow is the de facto standard for acquiring IP operational data
• Provides network and security monitoring, network planning, traffic analysis, and IP accounting
• NetFlow v9 (RFC3954) serves as the basis for the IETF IPFIX standard (RFC5101 & RFC5102)

Page 37: Service Planning: Flexible NetFlow (FNF)
• Traditional NetFlow with the v5, v7, or v8 NetFlow export
• NetFlow Version 9 (RFC3954)
  Advantages: extensibility
  Integrate new technologies/data types quicker (MPLS, IPv6, BGP next hop, etc.)
  Integrate new aggregations quicker
  Basis for the IETF IPFIX standard (RFC5101 & RFC5102)
• Flexible NetFlow
  Advantages: cache and export content flexibility
  User selection of flow keys
  User definition of the records
Figure: metering process and exporting process.

Page 38: Querying the Flexible NetFlow cache
Top ten IP addresses that are sending the most packets:
Router# show flow monitor <monitor> cache aggregate ipv4 source address sort highest counter bytes top 10
Top five destination addresses to which we're routing most traffic from the 10.10.10.0/24 prefix:
Router# show flow monitor <monitor> cache filter ipv4 destination address 10.10.10.0/24 aggregate ipv4 destination address sort highest counter bytes top 5
5 VLANs that we're sending the least bytes to:
Router# show flow monitor <monitor> cache aggregate datalink dot1q vlan output sort lowest counter bytes top 5
Top 20 sources of 1-packet flows:
Router# show flow monitor <monitor> cache filter counter packet 1 aggregate ipv4 source address sort highest flow packet top 20

Page 39: Low TTL
TTL is:
• An IP header field used to limit packet lifetime (upon routing loops)
• Each routing hop along a packet's path decrements this value
• Upon TTL==0 the packet is dropped
Low TTL values are also (mis-)used:
• to establish bidirectional TCP sessions across NAT (aka TCP hole-punching)
• by some applications (multicast, load-balancing, ...)
• by security attacks (denial of service, break-in, ...)
Hence low TTL can indicate:
• Routing issues
• Funny application behaviour
• Security incidents (what is my normal low-TTL traffic?)
How to report on low TTL in my network?

Page 40: Example: Detecting low-TTL traffic
Problem: We want to know about low-TTL traffic
Solution: Use Flexible NetFlow and Embedded Event Manager 3.0 to detect traffic flows with TTL < 5
1. Configure Flexible NetFlow to match on TTL, source and destination address:
flow record <my-record>
 match ipv4 ttl
 match ipv4 source address
 match ipv4 destination address
 :
flow monitor <my-monitor>
 record <my-record>
 :
2. Configure the NetFlow event detector in EEM to notify upon a new flow record:
event manager applet my-ttl-applet
 event nf monitor-name "my-ttl-monitor" event-type create event1 entry-value "5" field ipv4 ttl entry-op lt
 action 1.0 syslog msg "Low-TTL flow from $_nf_source_address"
*Dec 2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 192.168.2.248
3. Syslog message and/or use the show flow monitor <my-monitor> cache command
Baseline the cache ...
- Top (unexpected) talkers with low-TTL traffic?
- Deviation from normal?
- Senders with many low-TTL flows?
- Take actions (block suspicious senders)?

Page 41: Example: TCP SYN attacks against the servers' network 10.10.10.0/24
The top 100 pairs of IP addresses with one or two packet(s) that are destined for my servers' network:
Router# show flow monitor <monitor> cache filter ipv4 destination address 10.10.10.0/24 counter packet regex [1-2] aggregate ipv4 source address ipv4 destination address sort highest flow top 100
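The cache queries on pages 38, 40 and 41 are the same operation (filter, aggregate by key fields, sort by a counter, keep the top N) applied to flow records. The following Python is an added example, not code from the presentation or from IOS, that implements that operation over a constructed flow cache and runs the three security-relevant queries: top talkers by bytes, senders of flows with TTL below 5, and source/destination pairs with one- or two-packet flows into the servers' prefix 10.10.10.0/24. The field names (src, dst, ttl, pkts, bytes), the sample flows and the fullmatch interpretation of "counter packet regex [1-2]" are assumptions of the example.

```python
import ipaddress
import re
from collections import defaultdict


def flow(src, dst, proto, sport, dport, ttl, pkts, nbytes):
    """One cache entry; the field names are the example's own, not IOS names."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
            "ttl": ttl, "pkts": pkts, "bytes": nbytes}


# Constructed flow cache: ordinary FTP/DNS/SMTP traffic (addresses modelled on
# page 24), one host sending low-TTL one- and two-packet flows into
# 10.10.10.0/24, and one internal host whose TTL is just under the limit.
SAMPLE_CACHE = [
    flow("192.168.2.248", "10.10.10.5", 6, 40000, 80, 3, 1, 60),
    flow("192.168.2.248", "10.10.10.6", 6, 40001, 80, 3, 1, 60),
    flow("192.168.2.248", "10.10.10.7", 6, 40002, 443, 3, 2, 120),
    flow("172.16.250.80", "10.10.10.10", 6, 8440, 21, 62, 10, 4600),
    flow("172.16.250.87", "10.10.10.10", 6, 8447, 21, 62, 12, 5520),
    flow("172.16.250.52", "10.10.10.10", 17, 4592, 53, 63, 1, 128),
    flow("172.16.250.70", "172.16.251.20", 6, 6110, 25, 4, 7, 2800),
    flow("172.16.250.52", "172.16.251.10", 17, 4592, 53, 63, 1, 128),
]


def filter_flows(flows, predicate):
    """'cache filter ...': keep the flows for which predicate holds."""
    return [f for f in flows if predicate(f)]


def aggregate(flows, keys, sort_by="bytes", highest=True, top=None):
    """'cache aggregate <keys> sort highest|lowest <counter> top N': one row per
    distinct key tuple with the flow/byte/packet counters summed."""
    buckets = defaultdict(lambda: {"flows": 0, "bytes": 0, "pkts": 0})
    for f in flows:
        b = buckets[tuple(f[k] for k in keys)]
        b["flows"] += 1
        b["bytes"] += f["bytes"]
        b["pkts"] += f["pkts"]
    rows = [dict(zip(keys, key), **counters) for key, counters in buckets.items()]
    rows.sort(key=lambda r: r[sort_by], reverse=highest)
    return rows[:top] if top else rows


def top_talkers(flows, n=10):
    """Page 38: aggregate ipv4 source address sort highest counter bytes top 10."""
    return aggregate(flows, ("src",), "bytes", True, n)


def low_ttl_senders(flows, max_ttl=5, n=20):
    """Page 40: the EEM detector fires per flow with ttl < 5; the same condition
    as a cache query ranks senders by their number of low-TTL flows."""
    return aggregate(filter_flows(flows, lambda f: f["ttl"] < max_ttl),
                     ("src",), "flows", True, n)


def suspected_syn_pairs(flows, prefix="10.10.10.0/24", packet_regex=r"[1-2]", n=100):
    """Page 41: filter ipv4 destination address <prefix> counter packet regex [1-2]
    aggregate ipv4 source address ipv4 destination address sort highest flow top 100.
    The regex is applied with fullmatch to the packet count (assumption)."""
    net = ipaddress.ip_network(prefix)
    pattern = re.compile(packet_regex)

    def few_packets_to_servers(f):
        return (ipaddress.ip_address(f["dst"]) in net
                and pattern.fullmatch(str(f["pkts"])) is not None)

    return aggregate(filter_flows(flows, few_packets_to_servers),
                     ("src", "dst"), "flows", True, n)


if __name__ == "__main__":
    for row in low_ttl_senders(SAMPLE_CACHE):
        print(row)
```

The three queries answer the questions on page 40: the byte-sorted view shows the expected talkers, the TTL-filtered view isolates 192.168.2.248 as the sender with the most low-TTL flows, and the packet-count filter lists the same host's one- and two-packet flows into the server prefix, while the legitimate FTP sessions with 10 and 12 packets drop out.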

Page 42: Beyond Auto SmartPorts: Automat
ic Port Configuration With EEM
• Pre-built port configuration templates for various devices simplify the user experience and minimize configuration errors
• Automatic event detection (CDP/LLDP/MAC) triggers auto-configuration
• Authentication (802.1x, MAB) and authorization can be conducted before the port configuration is applied
• Automatic notification can be sent to the NMS system to help with asset tracking
• Plug-n-play device deployment lowers the overall management cost
Figure: a switch detecting devices via CDP, LLDP and MAC address, authenticating them against a RADIUS server (802.1x) and notifying an NMS station.

Page 43: Beyond Auto SmartPorts: Take Full Control With EEM
• Auto SmartPorts are powered by EEM
• When a printer is added to the network, use an EEM applet to create a new ASP event
! printer_vlan is an EEM environment variable set outside this applet
! (event manager environment printer_vlan <vlan-id>)
event manager applet detect-printer
 event neighbor-discovery interface regexp FastEthernet.* cdp add
 action 001 regexp ".*LaserJet.*" "$_nd_cdp_platform"
 action 002 if $_regexp_result eq 1
 action 003  cli command "enable"
 action 004  cli command "config t"
 action 005  cli command "interface $_nd_local_intf_name"
 action 006  cli command "switchport access vlan $printer_vlan"
 action 007  cli command "switchport mode access"
 action 008  cli command "switchport port-security"
 action 009  cli command "switchport port-security violation restrict"
 action 010  cli command "switchport port-security aging time 2"
 action 011  cli command "switchport port-security aging type inactivity"
 action 012  cli command "spanning-tree portfast"
 action 013  cli command "spanning-tree bpduguard enable"
 action 014  cli command "end"
 action 015  syslog msg "New printer added: $_nd_cdp_entry_name , type: $_nd_cdp_platform"
 action 016 end

Page 44

Testing, Verification & Assurance: NetFlow and NBAR

NetFlow
• Monitors data in Layers 2 - 4
• Determines applications by port
• Utilizes a seven-tuple for flow
• Flow information: who, what, when, where

NBAR
• Examines data from Layers 3 - 7
• Utilizes Layers 3 and 4 plus packet inspection for classification
• Stateful inspection of dynamic-port traffic
• Packet and byte counts

(Figure: a data packet made of Link Layer Header, IP Header, TCP/UDP Header and Data. NetFlow keys on Interface, Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol and ToS; NBAR adds Deep Packet (Payload) Inspection.)

Page 45

Example: Application Flow Aware – 1/4

Problem: We want to be aware of application traffic flows (i.e. who, when, where, what)

Solution: Use Flexible NetFlow and NBAR integration

1. Configure Flexible NetFlow to match application name, source and destination address

flow exporter <my-exporter>
 destination 10.10.10.1
 :
flow record <my-record>
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect counter bytes
 :
flow monitor <my-monitor>
 record <my-record>
 exporter <my-exporter>
 :
interface <my-interface>
 ip flow monitor <my-monitor> input
 :

Page 46

Example: Application Flow Aware – 2/4

2. Then either handle within IOS and/or …

router# show flow monitor <my-monitor> cache
Cache type:                            Normal
Cache size:                              4096
Current entries:                            2
High Watermark:                             9
Flows added:                             4464
Flows aged:                              4463
 - Active timeout  ( 1800 secs)             0
 - Inactive timeout (  15 secs)          4463
 - Event aged                               0
 - Watermark aged                           0
 - Emergency aged                           0

IPV4 SRC ADDR    IPV4 DST ADDR    APP NAME            bytes
===============  ===============  ==================  ==========
10.55.146.53     10.51.89.177     nbar ssh            10484
10.51.81.117     10.51.89.177     nbar icmp           1000
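"Handle within IOS" usually means reading the cache by eye; the Python below, an added example rather than code from this deck or from Cisco, parses the text of the cache output shown above and answers the who/what/to-whom question from it, including an allow-list check that flags applications a given server should never see. The sample cache is the slide's own output, re-used as constructed input; the column names src/dst/app/bytes are this example's own.

```python
"""Parse `show flow monitor <name> cache` output from a Flexible NetFlow
monitor keyed on the NBAR application name, and answer the "who, what, to whom"
question the deck poses. Added example, not Cisco code; the sample output is
the cache shown on the slide, re-used here as constructed input.
"""
import re
from collections import defaultdict

SAMPLE_CACHE = """\
router# show flow monitor my-monitor cache
Cache type:                            Normal
Cache size:                              4096
Current entries:                            2
High Watermark:                             9
Flows added:                             4464
Flows aged:                              4463

IPV4 SRC ADDR    IPV4 DST ADDR    APP NAME            bytes
===============  ===============  ==================  ==========
10.55.146.53     10.51.89.177     nbar ssh            10484
10.51.81.117     10.51.89.177     nbar icmp           1000
"""

# One record row: two IPv4 addresses, an application name that may contain
# spaces ("nbar ssh"), and the byte counter.
ROW_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<app>.+?)\s+(?P<bytes>\d+)\s*$"
)


def parse_cache(text):
    """Return the records as dicts. Rows are only read after the '====' underline
    of the table header, so the counters above it are never taken for records."""
    records, in_table = [], False
    for line in text.splitlines():
        if line.startswith("="):
            in_table = True
            continue
        if not in_table:
            continue
        m = ROW_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records


def bytes_by_app(records):
    """'What': traffic volume per NBAR application."""
    totals = defaultdict(int)
    for r in records:
        totals[r["app"]] += r["bytes"]
    return dict(totals)


def talkers_to(records, dst):
    """'Who' and 'where': sources and applications seen towards one destination."""
    return sorted((r["src"], r["app"]) for r in records if r["dst"] == dst)


def unexpected_apps(records, allowed_by_dst):
    """Flows whose application is not on the allow-list for that destination,
    e.g. anything other than ssh reaching a management host."""
    return [r for r in records
            if r["app"] not in allowed_by_dst.get(r["dst"], set())]


if __name__ == "__main__":
    recs = parse_cache(SAMPLE_CACHE)
    print(bytes_by_app(recs))
    print(talkers_to(recs, "10.51.89.177"))
    print(unexpected_apps(recs, {"10.51.89.177": {"nbar ssh"}}))
```

The allow-list is the interesting part for a security team: with the application name as a flow key, a flow record becomes a cheap signal that, say, ICMP or telnet reached a host that should only ever answer SSH.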

Page 47

Example: Application Flow Aware – 3/4

3. Export to your favorite Reporting System (Screenshot courtesy of Plixer)

Page 48

Example: Application Flow Aware – 4/4

3. Export to your favorite Reporting System (Screenshots from Cisco NME-NAM)

Page 49

Embedded Packet Capture (EPC): Overview

• Capture packets flowing from, to, or through a given device
• Captures can be filtered using ACLs
• Captured packets can be exported for analysis in sniffer programs such as Wireshark
• CEF and process switched flows are supported
• IPv4 and IPv6 are supported

Available from: 12.4(20)T and 12.2(33)SRE (7200 only)
Platforms: 8xx, 18xx, 28xx, 38xx ISRs, 19xx, 29xx, 39xx ISR G2s, 72xx
Source: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_packet_capture_ps10592_TSD_Products_Configuration_Guide_Chapter.html

Page 50

Embedded Packet Capture (EPC): Configuration – 1/3

• Define a Capture Point

Router#monitor capture point ip cef cappnt GigabitEthernet0/0 both

  ip                  Protocol (either ip for IPv4 or ipv6 for IPv6)
  cef                 Switching path (either cef or process-switched)
  cappnt              Capture point name
  GigabitEthernet0/0  Interface on which to capture (or all)
  both                Traffic flow direction (in, out, or both)

Page 51

Embedded Packet Capture (EPC): Configuration – 2/3

• Define a Capture Buffer

Router#monitor capture buffer capbuf size 512 max-size 1518 circular

  capbuf    Capture buffer name
  512       Maximum in-memory size in kilobytes (KB)
  1518      Maximum packet slice size
  circular  Buffer type (linear locks when full, circular wraps)

• Optionally limit the packets captured: by time, by number of packets captured, drop every Nth packet, or limit the packet rate

Router#monitor capture buffer capbuf limit duration 600

Page 52

Embedded Packet Capture (EPC): Configuration – 3/3

• Optionally define an access-list for filtering (e.g. capture WWW traffic only)
• Configure the ACL on the buffer
• Associate the capture buffer to the capture point

Router(config)#access-list 101 permit tcp any any eq 80
Router(config)#access-list 101 permit tcp any eq 80 any
Router#monitor capture buffer capbuf filter access-list 101
Router#monitor capture point associate cappnt capbuf

Page 53

Embedded Packet Capture (EPC): Using EPC – 1/3

• Start the capture
• If the buffer is linear, the capture will run until the buffer is full or until the limiting criterion is met
• The capture can also be manually stopped

Router#monitor capture point start cappnt
Router#monitor capture point stop cappnt

Page 54

Embedded Packet Capture (EPC): Using EPC – 2/3

• The contents of the buffer can be viewed on the device
• Or the buffer can be exported to a network server (or local file) in PCAP format for more detailed analysis

Router#show monitor capture buffer capbuf dump
12:55:47.942 EDT Apr 2 2010 : IPv4 CEF Turbo : Gi0/0 None
6A89A4F0: 00101433 D4000017 085A1B16 08004500  ...3T....Z....E.
6A89A500: 002851A4 40003F06 05800E20 64210E20  .(Q$@.?.... d!.
6A89A510: 644BDE23 00171ED3 5BAAF4EC 4C215010  dK^#...S[*tlL!P.
6A89A520: FFFF3162 00000000 00000000 00        ..1b.........

Router#monitor capture buffer capbuf export tftp://172.18.123.33/http.pcap
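When no TFTP server or writable flash is reachable, a terminal log of the dump above is often all that leaves the router. The following Python, an added example rather than code from this deck or from Cisco, turns that text back into a libpcap file Wireshark can open and decodes just enough of each frame to triage it. It assumes the 16-bytes-per-line hex layout shown above and drops the time-zone name from the header line; the sample input is the slide's own dump, used here as constructed test data. The ASCII column is ignored, so a short final line whose ASCII text happened to consist only of hex digits would be mis-read; compare the parser's byte counts against the buffer's reported sizes before trusting a reconstructed file.

```python
"""Turn a terminal log of `show monitor capture buffer <name> dump` (Cisco IOS
Embedded Packet Capture) back into a libpcap file and triage each frame.

Added example, not Cisco code. Assumes the 16-bytes-per-line hex layout the
deck shows; the sample below is the slide's own dump, re-used as constructed
test input. The trailing ASCII column is ignored.
"""
import re
import struct
from datetime import datetime

# "12:55:47.942 EDT Apr 2 2010 : IPv4 CEF Turbo : Gi0/0 None" starts a packet
HEADER_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>\S+) (?P<date>[A-Za-z]{3} +\d{1,2} \d{4}) :"
)
# "6A89A4F0: 00101433 D4000017 085A1B16 08004500 ...3T....Z....E."
DUMP_RE = re.compile(r"^[0-9A-Fa-f]{6,8}:\s+(.*)$")
HEX_GROUP_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}){1,4}$")   # 1..4 bytes per group

SAMPLE_DUMP = """\
Router#show monitor capture buffer capbuf dump
12:55:47.942 EDT Apr 2 2010 : IPv4 CEF Turbo : Gi0/0 None
6A89A4F0: 00101433 D4000017 085A1B16 08004500  ...3T....Z....E.
6A89A500: 002851A4 40003F06 05800E20 64210E20  .(Q$@.?.... d!.
6A89A510: 644BDE23 00171ED3 5BAAF4EC 4C215010  dK^#...S[*tlL!P.
6A89A520: FFFF3162 00000000 00000000 00        ..1b.........
"""


def parse_dump(text):
    """Return a list of (timestamp, frame_bytes). The time-zone name in the
    header is dropped, so timestamps are naive and written as UTC below."""
    packets, ts, buf = [], None, bytearray()
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            if ts is not None:
                packets.append((ts, bytes(buf)))
            date = " ".join(m["date"].split())          # collapse "Apr  2" padding
            ts = datetime.strptime(f"{m['time']} {date}", "%H:%M:%S.%f %b %d %Y")
            buf = bytearray()
            continue
        m = DUMP_RE.match(line)
        if m and ts is not None:
            groups = 0
            for tok in m.group(1).split():
                # at most four hex groups per line; anything else is the ASCII column
                if groups == 4 or not HEX_GROUP_RE.match(tok):
                    break
                buf += bytes.fromhex(tok)
                groups += 1
    if ts is not None:
        packets.append((ts, bytes(buf)))
    return packets


def to_pcap(packets, linktype=1):
    """Serialise as classic libpcap v2.4 (link type 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    epoch = datetime(1970, 1, 1)
    for ts, frame in packets:
        delta = ts - epoch
        secs = delta.days * 86400 + delta.seconds
        out += struct.pack("<IIII", secs, delta.microseconds, len(frame), len(frame))
        out += frame
    return bytes(out)


def summarize_frame(frame):
    """Decode Ethernet / IPv4 / TCP-UDP headers far enough for triage."""
    info = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != 0x0800 or len(frame) < 34:
        return info
    ihl = (frame[14] & 0x0F) * 4
    info["src_ip"] = ".".join(str(b) for b in frame[26:30])
    info["dst_ip"] = ".".join(str(b) for b in frame[30:34])
    info["proto"] = frame[23]
    l4 = 14 + ihl
    if info["proto"] in (6, 17) and len(frame) >= l4 + 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


if __name__ == "__main__":
    pkts = parse_dump(SAMPLE_DUMP)
    with open("capbuf.pcap", "wb") as f:      # open the result in Wireshark
        f.write(to_pcap(pkts))
    for ts, frame in pkts:
        print(ts, len(frame), summarize_frame(frame))
```

Run on the slide's dump, the single frame decodes as IPv4 TCP from 14.32.100.33 to 14.32.100.75 on destination port 23; the packet header in the pcap carries the on-wire length as captured, so the usual pcap consumers treat the file like any other capture.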

Page 55

Embedded Packet Capture (EPC): Using EPC – 3/3

(Screenshot: the exported capture opened in Wireshark)

Page 56

Embedded Packet Capture (EPC): Other Considerations

• Make sure there is enough free memory to hold the maximum configured capture buffer size
• In 12.4T, capture buffers could only be exported to network servers; local export was made available in 15.0
• Large frame support (packets over 1024 bytes) was added in 15.0
• Access-list filtering does not match on packets generated by the device itself
• MPLS frames are not currently captured
• Multicast frames are only captured on ingress

Page 57

Diagnosing Transient Problems

• Problem: you are seeing VPN tunnel drops on your VPN head-end router at 3:00 am every day. The tunnels continue to flap until the physical interface is reset. You want to analyze the traffic on the wire at that time.

Page 58

Diagnosing Transient Problems: Doing Things the Long Way

Page 59

Diagnosing Transient Problems

• Solution: Use Embedded Packet Capture together with Embedded Event Manager to start a capture session at 3:00 am. When the VPN tunnels first go down, stop the capture, and email the binary capture file as a MIME attachment for analysis at a reasonable hour.

Page 60

Troubleshooting Transient Problems: Configuring EPC

• Set up EPC to use a circular buffer, and run forever
• EEM will take care of stopping the capture

Router#monitor capture point ip cef cappnt Serial2/0 both
Router#monitor capture buffer capbuf size 512 max-size 1518 circular
Router#monitor capture point associate cappnt capbuf

Page 61

Troubleshooting Transient Problems: Starting the Capture With EEM

Start the capture five minutes before the event (the cron entry "55 2 * * *" fires at 02:55 every day), then initiate the packet capture:

::cisco::eem::event_register_timer cron cron_entry "55 2 * * *"

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

if { [catch {cli_open} result] } {
    error "Failed to open CLI session: '$result'" $errorInfo
}
array set cliarr $result
if { [catch {cli_exec $cliarr(fd) "enable"} result] } {
    error "Failed to enable CLI session: '$result'" $errorInfo
}
if { [catch {cli_exec $cliarr(fd) "monitor capture point start cappnt"} result] } {
    error "Failed to start packet capture: '$result'" $errorInfo
}
catch {cli_close $cliarr(fd) $cliarr(tty_id)} result

Page 62

Troubleshooting Transient Problems: Stopping the Capture With EEM

React to a syslog message indicating that the tunnels have detected a problem, and stop the capture (the script continues with the export and email steps on a later slide):

::cisco::eem::event_register_syslog pattern "%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed"

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

if { [catch {cli_open} result] } {
    error "Failed to open CLI session: '$result'" $errorInfo
}
array set cliarr $result
if { [catch {cli_exec $cliarr(fd) "enable"} result] } {
    error "Failed to enable CLI session: '$result'" $errorInfo
}
if { [catch {cli_exec $cliarr(fd) "monitor capture point stop cappnt"} result] } {
    error "Failed to stop packet capture: '$result'" $errorInfo
}


Page 65

Troubleshooting Transient Problems: Exporting and Emailing the Capture

Export the capture to a file on flash, create an email with a MIME header, and send the email. The $_email_server, $_email_from, $_email_to and $_router_name values are EEM environment variables set with "event manager environment".

if { [catch {cli_exec $cliarr(fd) "monitor capture buffer capbuf export flash:vpn.pcap"} result] } {
    error "Failed to export capture buffer: '$result'" $errorInfo
}

set email_body_pre "Mailservername: $_email_server
From: $_email_from
To: $_email_to
Cc:
Subject: Email from Router $_router_name
MIME-Version: 1.0
Content-type: multipart/mixed; boundary=\"EEM_email_boundary\"
\n--EEM_email_boundary\n
\n--EEM_email_boundary
Content-Type: application/octet-stream
Content-Transfer-Encoding: Base64
Content-Disposition: attachment; filename=\"vpn.pcap\"\n\n"

if [catch {open "flash:vpn.pcap"} result] {
    error "Failed to open flash:vpn.pcap: '$result'" $errorInfo
}
set fd $result
fconfigure $fd -translation binary
set email_b64 [::base64::encode [read $fd]]
close $fd

set email_body_mime "\n--EEM_email_boundary--"
set email_body [format "%s%s%s" $email_body_pre $email_b64 $email_body_mime]

if [catch {smtp_send_email $email_body} result] {
    error "Failed to send email: '$result'" $errorInfo
}

Page 66

We want to capture process-switched traffic:

1-3. Define a capture buffer, capture point and associate the two

Router# monitor capture buffer my-buffer size 100 max-size 1000 circular
Router# monitor capture point ip process-switched my-capture in
Router# monitor capture point associate my-capture my-buffer

4. Start capturing traffic

Router# monitor capture point start all
*Nov 25 10:00:58.990: %BUFCAP-6-ENABLE: Capture Point my-capture enabled.

Router# show monitor capture buffer all parameters
Capture buffer my-buffer (circular buffer)
Buffer Size : 102400 bytes, Max Element Size : 1000 bytes, Packets : 28
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : my-capture, Status : Active
Configuration:
monitor capture buffer my-buffer size 100 max-size 1000 circular
monitor capture point associate my-capture my-buffer

5. Show / Analyze on the router … (we have some traffic)

Router# show monitor capture buffer my-buffer dump
10:14:05.914 UTC Nov 25 2008 : IPv4 Process : Fa0/0 None
66A3C5B0: FFFFFFFF FFFF0001 64FF4C01 ........d.L.
66A3C5C0: 080045C0 00300000 00000111 0B5AACA1 ..E@.0.......Z,!
66A3C5D0: 0103FFFF FFFF02C7 02C7001C 85F60001 .......G.G...v..
66A3C5E0: 0010AC12 01020000 5D4C0F03 0004AC12 ..,.....]L....,.

Page 67

5. … or export as a PCAP file and analyze externally

Router# monitor capture buffer my-buffer export tftp://10.10.10.10/mypcap


Page 69

• IPv6 vs. IPv4 from a threat and mitigation perspective
• Advanced IPv6 security topics like transition options and dual stack environments
• Requirements: basic knowledge of the IPv6 and IPSec protocols as well as IPv4 security best practices

Page 70

• Issues Shared by IPv4 and IPv6
• Specific Issues for IPv6
  IPsec everywhere, dual-stack, tunnels and 6VPE
• Enforcing a Security Policy in IPv6
  ACL, Firewalls and IPS
• Secure Deployment
  Secure IPv6 transport over public network
• IPv6 Security Best Common Practice

Page 71

Shared Issues: Security Issues Shared by IPv4 and IPv6

(Figure: overlapping sets of IPv4 vulnerabilities and IPv6 vulnerabilities)

Page 72

• Public servers will still need to be DNS reachable
  More information collected by Google...
• Increased deployment/reliance on dynamic DNS
  More information will be in DNS
• Using peer-to-peer clients gives IPv6 addresses of peers
• Administrators may adopt easy-to-remember addresses (::10, ::20, ::F00D, ::C5C0 or simply the IPv4 last octet for dual stack)
• By compromising hosts in a network, an attacker can learn new addresses to scan
• Transition techniques (see further) derive the IPv6 address from the IPv4 address
  => can scan again

Page 73

• Potential router CPU attacks under aggressive scanning
  Router will do Neighbor Discovery... and waste CPU and memory
  Built-in rate limiter but no option to tune it
• Using a /64 on point-to-point links => a lot of addresses to scan!
• Using an infrastructure ACL prevents this scanning
  iACL: edge ACL denying packets addressed to your routers
  Easy with IPv6 because a new addressing scheme can be done

Page 74

• Viruses and email, IM worms: IPv6 brings no change
• Other worms:
  IPv4: reliance on network scanning
  IPv6: not so easy (see reconnaissance) => will use alternative techniques
  Worm developers will adapt to IPv6
  IPv4 best practices around worm detection and mitigation remain valid

Page 75

uRPF Remains the Primary Tool for Protecting Against L3 Spoofing

(Figure, two panels: an access-layer host sends a packet with a spoofed IPv6 source address through an inter-networking device with uRPF enabled towards the IPv6 intranet/Internet; the device drops it.)

uRPF Loose Mode: no route to the source address prefix => drop
uRPF Strict Mode: no route to the source address prefix out the packet's inbound interface => drop
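The difference between the two modes is easiest to see against a concrete FIB. The Python below is an added example, not Cisco code: it runs both checks over a constructed IPv6 routing table (the prefixes and interface names are invented) and also models the allow-default behaviour of the IOS "ipv6 verify unicast source reachable-via {rx | any} [allow-default]" command, under which a source that matches only the default route fails unless allow-default is configured. A null route never counts as a valid path back to the source.

```python
"""Loose vs. strict unicast RPF over a constructed IPv6 FIB.

Added example, not Cisco code. Strict mode ("reachable-via rx") requires the
best route back to the packet's source to point out the interface the packet
arrived on; loose mode ("reachable-via any") only requires that a route to the
source exists. In both modes a null route fails, and a source matched only by
the default route fails unless allow-default is set.
"""
import ipaddress

# Constructed FIB: (prefix, egress interface); None marks a discard (null) route.
FIB = [
    ("2001:db8:1::/48", "Gi0/1"),     # customer A behind Gi0/1
    ("2001:db8:2::/48", "Gi0/2"),     # customer B behind Gi0/2
    ("2001:db8:ffff::/48", None),     # blackholed prefix
    ("::/0", "Gi0/0"),                # default route towards the Internet
]


def lookup(fib, addr):
    """Longest-prefix match. Returns (network, egress) or None when unrouted."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, egress in fib:
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """True when a packet from `src` arriving on `ingress` passes uRPF."""
    route = lookup(fib, src)
    if route is None:
        return False                         # no route at all: drop
    net, egress = route
    if egress is None:
        return False                         # null route: never a legitimate source
    if net.prefixlen == 0 and not allow_default:
        return False                         # only the default route knows it
    if mode == "loose":
        return True                          # any usable route is enough
    return egress == ingress                 # strict: must come in where we would send


def filter_packets(fib, packets, mode="strict", allow_default=False):
    """Apply uRPF to a list of (src, ingress) pairs; return the accepted ones."""
    return [(s, i) for s, i in packets if urpf_check(fib, s, i, mode, allow_default)]


if __name__ == "__main__":
    sample = [("2001:db8:1::10", "Gi0/1"), ("2001:db8:1::10", "Gi0/2"),
              ("2001:db8:ffff::1", "Gi0/0"), ("2001:db8:9::1", "Gi0/0")]
    for mode in ("strict", "loose"):
        print(mode, filter_packets(FIB, sample, mode))
```

Strict mode is the one that catches a host on customer B's port sourcing customer A's addresses; loose mode only filters sources that are unrouted or blackholed, which is why it is the mode used on multihomed edges where asymmetric routing would otherwise cause strict mode to drop legitimate traffic.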

Page 76

• Significant changes
• More relied upon
• => ICMP policy on firewalls needs to change

ICMP Message Type                   ICMPv4  ICMPv6
Connectivity Checks                 X       X
Informational/Error Messaging       X       X
Fragmentation Needed Notification   X       X
Address Assignment                          X
Address Resolution                          X
Router Discovery                            X
Multicast Group Management                  X
Mobile IPv6 Support                         X

Page 77

Border Firewall Policy (For Your Reference)

Traffic from the Internet to Internal Server A:

Action  Src  Dst  ICMPv4 Type  ICMPv4 Code  Name
Permit  Any  A    0            0            Echo Reply
Permit  Any  A    8            0            Echo Request
Permit  Any  A    3            0            Dst. Unreachable—Net Unreachable
Permit  Any  A    3            4            Dst. Unreachable—Frag. Needed
Permit  Any  A    11           0            Time Exceeded—TTL Exceeded

Page 78

RFC 4890: Border Firewall Transit Policy (For Your Reference)

Traffic from the Internet to Internal Server A:

Action  Src  Dst  ICMPv6 Type  ICMPv6 Code  Name
Permit  Any  A    128          0            Echo Reply
Permit  Any  A    129          0            Echo Request
Permit  Any  A    1            0            No Route to Dst.
Permit  Any  A    2            0            Packet Too Big
Permit  Any  A    3            0            Time Exceeded—TTL Exceeded
Permit  Any  A    4            0            Parameter Problem

Page 79

RFC 4890: Border Firewall Receive Policy (For Your Reference)

Traffic from the Internet addressed to Firewall B itself (for locally generated traffic):

Action  Src  Dst  ICMPv6 Type  ICMPv6 Code  Name
Permit  Any  B    2            0            Packet too Big
Permit  Any  B    4            0            Parameter Problem
Permit  Any  B    130–132      0            Multicast Listener
Permit  Any  B    133/134      0            Neighbor Solicitation and Advertisement
Deny    Any  Any

Page 80

Fragment Header

• In IPv6 fragmentation is done only by the end system
  Tunnel end-points are end systems => fragmentation / re-assembly can happen inside the network
• Reassembly is done by the end system, like in IPv4
• Attackers can still fragment in an intermediate system on purpose
• ==> a great obfuscation tool

(Figure: IPv6 Basic Header with Next Header = 44, followed by the Fragment Header (Next Header, Reserved, Fragment Offset, Identification) and the Fragment Data)

Page 81

Routing Header

• An extension header
• Processed by the listed intermediate routers
• Two types
  Type 0: similar to IPv4 source routing (multiple intermediate routers)
  Type 2: used for mobile IPv6

(Figure: IPv6 Basic Header with Next Header = 43, followed by the Routing Header (Next Header, Ext Hdr Length, Routing Type, Segments Left, Routing Header Data))

Page 82

• What if an attacker sends a packet with an RH containing
  A -> B -> A -> B -> A -> B -> A -> B -> A ....
• The packet will loop multiple times on the link R1-R2
• An amplification attack!

(Figure: two routers A and B on a shared link)

Page 83

• Apply the same policy for IPv6 as for IPv4:
  Block Routing Header type 0
• Prevent processing at the intermediate nodes
  no ipv6 source-route
  Windows, Linux, Mac OS: default setting
• At the edge
  With an ACL blocking the routing header
• RFC 5095 (Dec 2007): RH0 is deprecated
  Default IOS changed in 12.4(15)T to ignore and drop RH0
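An edge ACL or firewall can only apply the fragment-header, routing-header and RFC 4890 rules from the preceding slides after it has walked the extension-header chain to find the upper-layer header. The Python below is an added example, not Cisco code: it builds a few IPv6 packets inline (addresses and payloads are constructed), walks the Next Header chain, and returns the decision the deck recommends: drop any Routing Header type 0, treat a non-initial fragment as uninspectable, and permit only the ICMPv6 types of the transit and receive tables towards an internal host or the firewall itself. One caveat on the receive table: ICMPv6 assigns types 133/134 to Router Solicitation/Advertisement and 135/136 to Neighbor Solicitation/Advertisement, and RFC 4890 lists all four for the firewall's own link, so the code carries all four. ICMPv6 checksums are left at zero since this filter never validates them.

```python
"""Walk an IPv6 extension-header chain and apply the edge policy the slides
recommend: drop Routing Header type 0 (RFC 5095) and permit only the ICMPv6
types of the RFC 4890 transit / receive tables.

Added example, not Cisco code. Packets are constructed inline; ICMPv6
checksums are left at zero because this filter never validates them.
"""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
TCP, UDP, ICMPV6 = 6, 17, 58
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

# RFC 4890 policies as {icmpv6 type: allowed codes}
TRANSIT_PERMIT = {1: {0}, 2: {0}, 3: {0}, 4: {0}, 128: {0}, 129: {0}}
# Traffic addressed to the firewall itself: RS/RA are 133/134, NS/NA 135/136
RECEIVE_PERMIT = {2: {0}, 4: {0}, 130: {0}, 131: {0}, 132: {0},
                  133: {0}, 134: {0}, 135: {0}, 136: {0}}


def ipv6_packet(src, dst, ext_chain, upper_proto, upper):
    """Build a packet. ext_chain is a list of (header_type, body) where body
    is the extension header minus its leading Next Header byte."""
    protos = [t for t, _ in ext_chain] + [upper_proto]
    body = b"".join(bytes([protos[i + 1]]) + hdr
                    for i, (_, hdr) in enumerate(ext_chain)) + upper
    fixed = struct.pack("!IHBB", 0x60000000, len(body), protos[0], 64)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + body)


def rh0_body(segments_left, addrs):
    """Routing header type 0: HdrExtLen, type 0, segments left, reserved, addresses."""
    data = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBBI", 2 * len(addrs), 0, segments_left, 0) + data


def fragment_body(offset, more, ident):
    """Fragment header: reserved byte, 13-bit offset (8-octet units) + M flag, identification."""
    return struct.pack("!BHI", 0, (offset << 3) | more, ident)


def icmpv6(type_, code, body=b""):
    return struct.pack("!BBH", type_, code, 0) + body


def walk_headers(pkt):
    """Follow the Next Header chain. Returns (upper_proto, offset, findings);
    upper_proto is None when the upper-layer header is not in this packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, findings = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            findings.append("truncated extension header")
            return None, off, findings
        if nh == FRAGMENT:
            frag = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            if frag >> 3:   # non-zero offset: the L4 header is in another packet
                findings.append("non-initial fragment, upper-layer header not visible")
                return None, off, findings
            findings.append("initial fragment")
            hlen = 8
        else:
            hlen = (pkt[off + 1] + 1) * 8
            if nh == ROUTING and pkt[off + 2] == 0:
                findings.append(f"RH0 with {pkt[off + 3]} segments left")
        nh, off = pkt[off], off + hlen
    return nh, off, findings


def border_decision(pkt, firewall_addr):
    """Return (decision, findings). Non-ICMPv6 traffic is handed to the
    ordinary L4 policy, which this example does not model."""
    upper, off, findings = walk_headers(pkt)
    if any(f.startswith("RH0") for f in findings):
        return "deny", findings      # RFC 5095 / 'no ipv6 source-route' behaviour
    if upper is None:
        return "deny", findings      # stateless filter cannot see L4; stateful devices reassemble
    if upper != ICMPV6:
        return "l4-policy", findings
    itype, icode = pkt[off], pkt[off + 1]
    to_fw = ipaddress.IPv6Address(pkt[24:40]) == ipaddress.IPv6Address(firewall_addr)
    table = RECEIVE_PERMIT if to_fw else TRANSIT_PERMIT
    return ("permit" if icode in table.get(itype, set()) else "deny"), findings
```

The chain walk is the part most filters get wrong: a rule that only looks at the fixed header's Next Header field sees "43" or "44" and nothing else, which is exactly what makes the fragment header the obfuscation tool the slide describes.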

Page 84

Router Solicitations Are Sent by Booting Nodes to Request Router Advertisements for Stateless Address Auto-Configuring

1. RS:
   Src = ::
   Dst = All-Routers multicast address
   ICMP Type = 133
   Data = Query: please send RA

2. RA:
   Src = Router link-local address
   Dst = All-nodes multicast address
   ICMP Type = 134
   Data = options, prefix, lifetime, autoconfig flag

RA/RS without any authentication gives exactly the same level of security as ARP for IPv4 (none).

Attack tool: fake_router6 can make any IPv6 address the default router.

Page 85

(Figure: neighbor discovery exchange between hosts A and B on one link)

Neighbor Solicitation from A:
  Src = A
  Dst = Solicited-node multicast of B
  ICMP type = 135
  Data = link-layer address of A
  Query: what is your link address?

Neighbor Advertisement from B:
  Src = B
  Dst = A
  ICMP type = 136
  Data = link-layer address of B

A and B can now exchange packets on this link.

Security mechanisms built into the Discovery Protocol = none => very similar to ARP

Attack tool: Parasite6 answers all NS, claiming to be all systems in the LAN...

Page 86

• BAD NEWS: nothing like dynamic ARP inspection for IPv6
  Will require new hardware on some platforms
  Not before mid-2010...
• GOOD NEWS: Secure Neighbor Discovery
  SEND = NDP + crypto
  IOS 12.4(24)T
  But not in Windows Vista, 2008 and 7
  Crypto means slower...
• Other GOOD NEWS:
  Private VLAN works with IPv6
  Port security works with IPv6
  802.1x works with IPv6
  For FTTH & other broadband, DHCP-PD means no need to NDP-proxy

Page 87

• Certification paths
  Anchored on trusted parties, expected to certify the authority of the routers on some prefixes
• Cryptographically Generated Addresses (CGA)
  IPv6 addresses whose interface identifiers are cryptographically generated
• RSA signature option
  Protect all messages relating to neighbor and router discovery
• Timestamp and nonce options
  Prevent replay attacks
• Requires IOS 12.4(24)T

Page 88

• Each device has an RSA key pair (no need for a cert)
• Ultra light check for validity
• Prevents spoofing a valid CGA address

(Figure: RSA keys (Priv, Pub). The CGA Params, Modifier + Subnet Prefix + Public Key, are hashed with SHA-1 into the Interface Identifier; Subnet Prefix + Interface Identifier form the Crypto. Generated Address. The private key produces the Signature carried on SEND Messages.)
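What the "ultra light check" computes is spelled out in RFC 3972, and the Python below, an added example rather than Cisco code, implements both sides of it: address generation (the owner's one-time search over the modifier for the chosen Sec value) and verification (two SHA-1 computations, no public-key operation). The SEND signature over the message is a separate step that this block does not cover. Only the bytes of the public key enter the hash, so a constructed placeholder byte string stands in for a real DER-encoded RSA key; the prefix 2001:db8:1::/64 is a documentation prefix.

```python
"""RFC 3972 Cryptographically Generated Addresses: what SEND's "ultra light
check" actually verifies. Added example, not Cisco code. The public key is
whatever DER blob the node advertises; a constructed placeholder byte string
stands in for a real RSA key here, since only its bytes enter the hash.
"""
import hashlib
import ipaddress


def cga_params(modifier, prefix, collision_count, pubkey):
    """CGA Parameters: Modifier(16) | Subnet Prefix(8) | Collision Count(1) | Public Key."""
    return modifier + prefix + bytes([collision_count]) + pubkey


def _interface_id(params, sec):
    """Hash1 = leftmost 64 bits of SHA-1(params); the top 3 bits carry Sec and
    the u/g bits (bits 6 and 7 of the first byte) are cleared."""
    iid = bytearray(hashlib.sha1(params).digest()[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)


def _hash2_ok(modifier, pubkey, sec):
    """Hash2 = SHA-1(Modifier | 9 zero bytes | Public Key); its leftmost
    16*Sec bits must be zero. This is the brute-force work the address owner
    paid once and the cheap check a verifier repeats."""
    if sec == 0:
        return True
    h = int.from_bytes(hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14], "big")
    return h >> (112 - 16 * sec) == 0


def generate_cga(prefix, pubkey, sec=0, modifier=bytes(16), collision_count=0):
    """Search the modifier space until Hash2 satisfies Sec, then derive the
    address. Returns (IPv6Address, params). `prefix` is the 8-byte subnet prefix."""
    m = int.from_bytes(modifier, "big")
    while not _hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m = (m + 1) % (1 << 128)
    params = cga_params(m.to_bytes(16, "big"), prefix, collision_count, pubkey)
    return ipaddress.IPv6Address(prefix + _interface_id(params, sec)), params


def verify_cga(address, params):
    """Verifier side (RFC 3972 section 5): prefix must match, collision count
    must be 0..2, Hash1 must reproduce the interface identifier and Hash2 must
    honour the Sec value encoded in the address."""
    addr = ipaddress.IPv6Address(address).packed
    modifier, prefix, cc, pubkey = params[:16], params[16:24], params[24], params[25:]
    if cc > 2 or prefix != addr[:8]:
        return False
    sec = addr[8] >> 5
    if _interface_id(params, sec) != addr[8:]:
        return False
    return _hash2_ok(modifier, pubkey, sec)


if __name__ == "__main__":
    prefix = ipaddress.IPv6Network("2001:db8:1::/64").network_address.packed[:8]
    pub = b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"   # placeholder, not a real key
    addr, params = generate_cga(prefix, pub, sec=1)
    print(addr, verify_cga(addr, params))
```

A forged parameter block, for instance one carrying the attacker's own key, cannot reproduce the victim's interface identifier, which is the property the slide summarises as "prevents spoofing a valid CGA address". Sec raises the cost of searching for a second key that collides with a given address by 2^(16*Sec) hash operations, which is why routers that must answer many SEND messages prefer to precompute their modifiers.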

Page 89

• Adding an X.509 certificate to the RA
• The Subject Name contains the list of authorized IPv6 prefixes

(Figure: a Neighbor Advertisement carries Source Addr = CGA and the CGA param block (incl. pub key), signed. A Router Advertisement carries Source Addr = CGA, the CGA param block (incl. pub key), signed, plus an X.509 cert that chains to the Trust Anchor X.509 cert.)

Page 90

• Private/public key pair on all devices for CGA
• Overhead introduced
  Routers have to do many public/private key calculations (some may be done in advance of use)
  => Potential DoS target
  Routers need to keep more state
• Available:
  Unix (DoCoMo)
  Cisco IOS 12.4(24)T
• Microsoft:
  no support in Vista, Windows 2008 and Windows 7

Page 91

(Figure: an ICMP amplification attack. "ICMP REQ D=160.154.5.255 S=172.18.1.2" is sent to the broadcast address of network 160.154.5.0; every host there answers with "ICMP REPLY D=172.18.1.2 S=160.154.5.14" through "S=160.154.5.19", in an attempt to overwhelm the destination 172.18.1.2. Caption: "Belgian Schtroumpf".)

Page 92: Implementace bezpečnosti pomocíIOS + EEM · © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3

92© 2011 Cisco and/or its affiliates. All rights reserved.Cisco Expo Cisco Public© 2011 Cisco and/or its affiliates. All rights reserved.Cisco Expo

• There are no broadcast addresses in IPv6

• Broadcast address functionality is replaced with appropriate link local multicast addresses

Link Local All Nodes Multicast—FF02::1

Link Local All Routers Multicast—FF02::2

Link Local All mDNS Multicast—FF02::FB

Note: anti-spoofing also blocks amplification attacks because a remote attacker cannot masquerade as the victim

http://iana.org/assignments/ipv6-multicast-addresses/

Page 93

• IOS correctly implements RFC 4443 (ICMPv6)

No ping-pong on a physical point-to-point link (Section 3.1)

No ICMP error message should be generated in response to a packet with a multicast destination address (Section 2.4 (e.3))

Exceptions for Section 2.4 (e.3):

– packet too big message

– the parameter problem message

• Rate limit egress ICMP packets

• Rate limit ICMP message generation

• Secure the multicast network (source specific multicast)

• Note: implement ingress filtering of packets with IPv6 multicast source addresses

Page 94

• BGP, ISIS, EIGRP no change:

An MD5 authentication of the routing update

• OSPFv3 has changed and pulled MD5 authentication from the protocol and instead is supposed to rely on transport mode IPSec

• RIPng, PIM also rely on IPSec

• IPv6 routing attack best practices

Use traditional authentication mechanisms on BGP and IS-IS

Use IPSec to secure protocols such as OSPFv3 and RIPng

Page 95

• Sniffing

IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4

• Application layer attacks

The majority of vulnerabilities on the Internet today are at the application layer, something that IPSec will do nothing to prevent

• Rogue devices

Rogue devices will be as easy to insert into an IPv6 network as in IPv4

• Man-in-the-Middle Attacks (MITM)

Without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4

• Flooding

Flooding attacks are identical between IPv4 and IPv6

Page 96

• IPv6 stacks are new and could be buggy

• Some examples:

CVE-2008-2476 Oct 2008 FreeBSD, OpenBSD, NetBSD and others: lack of validation of NDP messages

CVE-2008-2136 May 2008 Linux: DoS caused by memory leak in IPv6 tunnels

CVE-2008-1153 Mar 2008 Cisco IOS: dual-stack router IPv6 DoS

CVE-2007-4689 Nov 2007 Apple Mac OS X: packet processing double-free memory corruption

CVE-2007-3038 Aug 2007 Microsoft Windows Vista: Teredo interface firewall bypass

Page 97

Specific IPv6 Issues

Issues Applicable only to IPv6

Diagram: overlap of IPv4 Vul. and IPv6 Vul.

Page 98

• Temporary addresses for IPv6 host client application, e.g. web browser

Inhibit device/user tracking

Random 64 bit interface ID, then run Duplicate Address Detection before using it

Rate of change based on local policy

Diagram: address layout 2001 | /23 | /32 | /48 | /64 | Interface ID

Recommendation: Use Privacy Extensions for External Communication but not for Internal Networks (Troubleshooting and Attack Trace Back)

Page 99

• Unlimited size of header chain (spec-wise) can make filtering difficult

• Potential DoS with poor IPv6 stack implementations

More boundary conditions to exploit

Can I overrun buffers with a lot of extension headers?

Diagram ("Perfectly Valid IPv6 Packet According to the Sniffer") with callouts: Destination Options Header Should Be the Last; Header Should Only Appear Once; Destination Header Which Should Occur at Most Twice

See also: http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html

Page 100

• Finding the layer 4 information is not trivial in IPv6

Skip all known extension headers

Until either a known layer 4 header is found => SUCCESS

Or an unknown extension header/layer 4 header is found... => FAILURE

Header chains:

IPv6 hdr | HopByHop | Routing | AH | TCP | data

IPv6 hdr | HopByHop | Routing | AH | Unknown L4???

IPv6 hdr | HopByHop | Unk. ExtHdr | AH | TCP | data

Page 101

• Extension header chains can be so large that they are fragmented!

• Finding the layer 4 information is not trivial in IPv6

Skip all known extension headers

Until either a known layer 4 header is found => SUCCESS

Or an unknown extension header/layer 4 header is found... => FAILURE

Or the end of the extension headers is reached => FAILURE

Header chains:

IPv6 hdr | HopByHop | Routing | Destination | Destination | Fragment1

IPv6 hdr | HopByHop | Fragment2 | TCP | Data

The layer 4 header is in the 2nd fragment
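A header-chain walker that produces the SUCCESS/FAILURE outcomes of pages 100 and 101, and maps them onto the `fragments` and `undetermined-transport` ACL keywords described on page 121; added example in Python, not code from this deck or from IOS. The sample packets are constructed inline (documentation addresses, empty option bodies, a stub TCP header), and the parser only understands the extension headers listed in KNOWN_EXT.

```python
"""Walk an IPv6 extension header chain to find the layer 4 header, the way an
ACL or firewall must before it can match ports. Added example in Python, not
code from this deck or from IOS. Packets are constructed inline with
documentation addresses, empty option bodies and a stub TCP header; only the
extension headers in KNOWN_EXT are understood."""
import struct

HOPBYHOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
TCP, UDP, ICMPV6, SCTP = 6, 17, 58, 132
UNKNOWN = 253                      # experimental value: neither a known extension nor a known L4
KNOWN_EXT = {HOPBYHOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
KNOWN_L4 = {TCP: "tcp", UDP: "udp", ICMPV6: "icmpv6", SCTP: "sctp"}


def locate_layer4(packet: bytes) -> dict:
    """Return {'result': 'SUCCESS'|'FAILURE', ...} with the slide's three outcomes:
    a known L4 header is found, an unknown header is found, or the chain ends
    (the L4 header is in another fragment)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return {"result": "FAILURE", "reason": "not an IPv6 packet", "chain": [], "fragment": False}
    payload_end = 40 + struct.unpack("!H", packet[4:6])[0]
    nh, offset, chain, saw_fragment = packet[6], 40, [], False
    while True:
        if nh in KNOWN_L4:
            if offset + 8 > payload_end:
                # Named a known L4 header, but its first bytes are not in this packet.
                return {"result": "FAILURE", "reason": "end of extension headers",
                        "chain": chain, "fragment": saw_fragment}
            return {"result": "SUCCESS", "l4": KNOWN_L4[nh], "chain": chain, "fragment": saw_fragment}
        if nh not in KNOWN_EXT:
            return {"result": "FAILURE", "reason": "unknown header %d" % nh,
                    "chain": chain, "fragment": saw_fragment}
        if offset + 8 > payload_end:
            return {"result": "FAILURE", "reason": "truncated extension header",
                    "chain": chain, "fragment": saw_fragment}
        chain.append(nh)
        next_nh = packet[offset]
        if nh == FRAGMENT:
            saw_fragment = True
            if struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3:
                # Fragment offset > 0: a non-initial fragment never carries the L4 header.
                return {"result": "FAILURE", "reason": "non-initial fragment", "chain": chain, "fragment": True}
            length = 8
        elif nh == AH:
            length = (packet[offset + 1] + 2) * 4      # RFC 4302: length in 4-octet words minus 2
        else:
            length = (packet[offset + 1] + 1) * 8      # RFC 2460: length in 8-octet units minus 1
        nh, offset = next_nh, offset + length


def acl_keywords(packet: bytes) -> set:
    """IPv6 ACL keywords (page 121) the packet would match: 'undetermined-transport'
    whenever L4 cannot be determined; 'fragments' for non-initial fragments and for a
    first fragment whose L4 cannot be determined."""
    info = locate_layer4(packet)
    keywords = set()
    if info["result"] == "FAILURE":
        keywords.add("undetermined-transport")
        if info["fragment"]:
            keywords.add("fragments")
    return keywords


# --- constructed sample packets --------------------------------------------
def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000010000000000000001")
    dst = bytes.fromhex("20010db8000000020000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


def opt_header(next_header: int) -> bytes:          # Hop-by-Hop / Routing / Destination, 8 octets
    return bytes([next_header, 0]) + b"\x00" * 6


def ah_header(next_header: int, icv_len: int = 12) -> bytes:
    words = (12 + icv_len) // 4
    return bytes([next_header, words - 2, 0, 0]) + b"\x00" * (8 + icv_len)


def fragment_header(next_header: int, offset8: int, more: int) -> bytes:
    return bytes([next_header, 0]) + struct.pack("!H", (offset8 << 3) | more) + b"\x00" * 4


TCP_STUB = b"\x00\x50\x1f\x90" + b"\x00" * 16          # 20 bytes standing in for a TCP header

PACKETS = {
    "valid_tcp":       ipv6_packet(HOPBYHOP, opt_header(ROUTING) + opt_header(AH) + ah_header(TCP) + TCP_STUB),
    "unknown_l4":      ipv6_packet(HOPBYHOP, opt_header(ROUTING) + opt_header(AH) + ah_header(UNKNOWN) + b"\x00" * 8),
    "unknown_ext":     ipv6_packet(HOPBYHOP, opt_header(UNKNOWN) + opt_header(AH) + ah_header(TCP) + TCP_STUB),
    # Page 101: the first fragment ends with the Fragment header, the TCP header is in fragment 2.
    "first_fragment":  ipv6_packet(HOPBYHOP, opt_header(ROUTING) + opt_header(DEST_OPTS) + opt_header(DEST_OPTS)
                                   + opt_header(FRAGMENT) + fragment_header(TCP, 0, 1)),
    "second_fragment": ipv6_packet(HOPBYHOP, opt_header(FRAGMENT) + fragment_header(TCP, 1, 0) + TCP_STUB),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:16s} {locate_layer4(pkt)}  ACL keywords: {sorted(acl_keywords(pkt))}")
```

The "end of extension headers" branch is what a router hits on the first fragment of page 101: the chain promises a TCP header that simply is not in this packet, so a port-based ACL cannot decide and only `deny ... undetermined-transport` or `fragments` can act on it.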

Page 102

• IPv6 mandates the implementation of IPsec

• IPv6 does not require the use of IPsec

• Some organizations believe that IPsec should be used to secure all flows...

Interesting scalability issue (n² issue with IPsec)

Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall

IOS 12.4(20)T can parse the AH

Network telemetry is blinded: NetFlow of little use

Network services hindered: what about QoS?

Recommendation: do not use IPsec end to end within an administrative domain.

Suggestion: Reserve IPsec for residential or hostile environments or high profile targets.

Page 103

• 16+ methods, possibly in combination

• Dual stack

Consider security for both protocols

Cross v4/v6 abuse

Resiliency (shared resources)

• Tunnels

Bypass firewalls (protocol 41 or UDP)

Can cause asymmetric traffic (hence breaking stateful firewalls)

Page 104

• Host security on a dual-stack device

Applications can be subject to attack on both IPv6 and IPv4

Fate sharing: as secure as the least secure stack...

• Host security controls should block and inspect traffic from both IP versions

Host intrusion prevention, personal firewalls, VPN clients, etc.

Diagram: a Dual Stack Client on an IPv4 IPsec VPN with No Split Tunneling receives an inbound IPv6 packet (IPv6 HDR + IPv6 Exploit); does the IPsec client stop an inbound IPv6 exploit?

Page 105

• Your host:

IPv4 is protected by your favorite personal firewall...

IPv6 is enabled by default (Vista, Linux, Mac OS/X, ...)

• Your network:

Does not run IPv6

• Your assumption:

I'm safe

• Reality

You are not safe

Attacker sends Router Advertisements

Your host configures silently to IPv6

You are now under IPv6 attack

• => Probably time to think about IPv6 in your network

Page 106

IPv6 in IPv4 Tunnel

• Most IPv4/IPv6 transition mechanisms have no authentication built in

• => an IPv4 attacker can inject traffic if spoofing on IPv4 and IPv6 addresses

Diagram: Server A and Server B on two IPv6 Networks joined by a tunnel (Tunnel Termination at each end) across the Public IPv4 Internet; with both the IPv4 and the IPv6 addresses spoofed, the Tunnel Termination forwards the inner IPv6 packet, so IPv6 ACLs are ineffective since IPv4 & IPv6 are spoofed

Page 107

• Unauthorized tunnels—firewall bypass (protocol 41)

• IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise

This has implications on network segmentation and network discovery

• No authentication in ISATAP—rogue routers are possible

Windows defaults to isatap.example.com

• IPv6 addresses can be guessed based on IPv4 prefix (scanning is back!)

Diagram: ISATAP Router with ISATAP Tunnels to the hosts; direct communication between hosts; any host can talk to the router; IPv4 Network ~ Layer 2 for IPv6 Service

Page 108

• Root cause

ISATAP routers ignore each other

• ISATAP router:

accepts native IPv6 packets

forwards them inside its ISATAP tunnel

Other ISATAP router decaps and forwards as native IPv6

Diagram: ISATAP router 1 (Prefix 2001:db8:1::/64, 192.0.2.1) and ISATAP router 2 (Prefix 2001:db8:2::/64, 192.0.2.2)

1. Spoofed IPv6 packet S: 2001:db8:2::200:5efe:c000:201 D: 2001:db8:1::200:5efe:c000:202

2. IPv4 ISATAP packet containing S: 2001:db8:2::200:5efe:c000:201 D: 2001:db8:1::200:5efe:c000:202

3. IPv6 packet S: 2001:db8:2::200:5efe:c000:201 D: 2001:db8:1::200:5efe:c000:202

Repeat until Hop Limit == 0

http://www.usenix.org/events/woot09/tech/full_papers/nakibly.pdf

Mitigation:

IPv6 anti-spoofing everywhere

ACL on ISATAP routers accepting IPv4 from valid clients only

Within an enterprise, block IPv4 ISATAP traffic between ISATAP routers

Within an enterprise, block IPv6 packets between ISATAP routers
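The loop on this page and its mitigations, as an added Python example (not code from this deck or from IOS): it decodes the IPv4 address embedded in an ISATAP interface identifier, then simulates the two routers with and without the router-to-router checks the slide recommends. The prefixes and IPv4 endpoints are the documentation values drawn on the slide; the `ROUTERS` table and the `hardened` switch are assumptions of this example.

```python
"""ISATAP address arithmetic and the router-to-router loop from page 108.
Added example, not code from the deck or from IOS; prefixes and IPv4
endpoints are the documentation values on the slide. ISATAP interface
identifiers are 0200:5efe:<IPv4> (u/g bit set for a globally unique IPv4)."""
import ipaddress

ISATAP_MARKER = 0x00005EFE
ROUTERS = {  # prefix served -> IPv4 tunnel endpoint, as drawn on the slide
    "2001:db8:1::/64": "192.0.2.1",
    "2001:db8:2::/64": "192.0.2.2",
}
SPOOFED_SRC = "2001:db8:2::200:5efe:c000:201"   # router 1's IPv4 inside router 2's prefix
SPOOFED_DST = "2001:db8:1::200:5efe:c000:202"   # router 2's IPv4 inside router 1's prefix


def isatap_embedded_ipv4(address: str):
    """IPv4 address embedded in an ISATAP interface identifier, or None."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    if (iid >> 32) & 0xFDFFFFFF != ISATAP_MARKER:   # ignore the u/g bit 0x0200
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def isatap_address(prefix: str, ipv4: str) -> str:
    """ISATAP address of the node with tunnel endpoint ipv4 inside prefix."""
    net = ipaddress.IPv6Network(prefix)
    iid = (0x02005EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def router_for(address: str):
    a = ipaddress.IPv6Address(address)
    for prefix, v4 in ROUTERS.items():
        if a in ipaddress.IPv6Network(prefix):
            return prefix, v4
    return None


def handle_native(prefix: str, src: str, dst: str, hardened: bool):
    """ISATAP router serving prefix receives a native IPv6 packet.
    Returns ('tunnel', ipv4_endpoint) or ('drop', reason)."""
    endpoint = isatap_embedded_ipv4(dst)
    if endpoint is None or ipaddress.IPv6Address(dst) not in ipaddress.IPv6Network(prefix):
        return "drop", "destination is not an ISATAP client of this router"
    if hardened and str(endpoint) in ROUTERS.values():
        # Slide mitigation: block IPv4 ISATAP traffic between ISATAP routers.
        return "drop", "destination embeds another ISATAP router's endpoint"
    return "tunnel", str(endpoint)


def handle_tunnel(prefix: str, outer_src: str, src: str, dst: str, hardened: bool):
    """ISATAP router serving prefix receives an IPv4-encapsulated packet from outer_src."""
    if hardened:
        if outer_src in ROUTERS.values():
            return "drop", "IPv4 ISATAP packet from another ISATAP router"
        if ipaddress.IPv6Address(src) not in ipaddress.IPv6Network(prefix) \
                or str(isatap_embedded_ipv4(src)) != outer_src:
            # Anti-spoofing: the inner source must belong to this tunnel and embed the outer IPv4 source.
            return "drop", "inner source does not match outer IPv4 source"
    return "forward-native", dst


def simulate(src: str, dst: str, hop_limit: int = 64, hardened: bool = False):
    """Bounce the packet between the routers. Returns (hops forwarded, why it stopped)."""
    hops = 0
    while hop_limit > 0:
        entry = router_for(dst)
        if entry is None:
            return hops, "destination outside the ISATAP prefixes"
        prefix, my_v4 = entry
        action, detail = handle_native(prefix, src, dst, hardened)
        if action == "drop":
            return hops, detail
        hop_limit -= 1
        hops += 1
        peer = next(((p, v) for p, v in ROUTERS.items() if v == detail), None)
        if peer is None:
            return hops, "delivered to ISATAP host " + detail
        action, detail = handle_tunnel(peer[0], my_v4, src, dst, hardened)
        if action == "drop":
            return hops, detail
        hop_limit -= 1
        hops += 1
    return hops, "hop limit exhausted"


if __name__ == "__main__":
    print("unhardened:", simulate(SPOOFED_SRC, SPOOFED_DST))
    print("hardened:  ", simulate(SPOOFED_SRC, SPOOFED_DST, hardened=True))
```

Note that the classic per-packet anti-spoofing check in `handle_tunnel` passes for the spoofed packet (the inner source really does embed router 1's IPv4 address), which is why the slide's mitigation has to be the explicit router-to-router blocks rather than source validation alone.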

Page 109

• Teredo navalis

A shipworm drilling holes in boat hulls

• Teredo Microsoftis

IPv6 in IPv4 punching holes in NAT devices

Source: United States Geological Survey

Page 110

• All outbound traffic inspected: e.g., P2P is blocked

• All inbound traffic blocked by firewall

Diagram: IPv4 Intranet behind an IPv4 Firewall, connected to the IPv4 Internet; a Teredo Relay joins the IPv4 Internet to the IPv6 Internet

Page 111

Teredo threats—IPv6 over UDP (port 3544)

• Internal users want to get P2P over IPv6

• Configure the Teredo tunnel (already enabled by default!)

• FW just sees IPv4 UDP traffic (may be on port 53)

• No more outbound control by FW

Diagram: IPv4 Intranet behind an IPv4 Firewall; the Teredo traffic crosses the IPv4 Internet to a Teredo Relay and reaches the IPv6 Internet

Page 112

Once Teredo Configured

• Inbound connections are allowed

• IPv4 firewall unable to control

• IPv6 hackers can penetrate

• Host security needs IPv6 support now

Diagram: IPv4 Intranet behind an IPv4 Firewall; inbound traffic from the IPv6 Internet arrives through the Teredo Relay across the IPv4 Internet

Page 113

Note: on Windows Teredo is:

-Disabled when firewall is disabled

-Disabled when PC is part of Active Directory domain

-Else enabled

-User can override this protection

Page 114

• Rogue tunnels by naïve users:

Sure, block IP protocol 41 and UDP/3544

In Windows:

netsh interface 6to4 set state state=disabled undoonstop=disabled
netsh interface isatap set state state=disabled
netsh interface teredo set state type=disabled

• Really rogue tunnels (covert channels)

No easy way...

Teredo will run over a different UDP port of course

Network devices can be your friend (more to come)

• Deploying native IPv6 (including IPv6 firewalls and IPS) is probably a better alternative

• Or disable IPv6 on Windows through GPO or CSA 6.0

But Microsoft does not test any Windows application with IPv6 disabled

Page 115

• Use Flexible Packet Matching (FPM)

Blocking all Teredo addresses 2001::/32 in the UDP payload

• FPM

Available in software since 12.4(4)T

Hardware implementation in PISA (requires Sup32 and Cat6K)

Classify on multiple attributes within a packet

String match and regex

Expressed in XML

Diagram: bit pattern 0111111010101010000111000100111110010001000100100010001001 with Match Pattern combined by And / Or / Not

Cisco.com/go/fpm

Page 116

For Your Reference

load protocol bootdisk:ip.phdf
load protocol bootdisk:udp.phdf
class-map type stack match-all cm-ip-udp
 match field IP protocol eq 17 next UDP
class-map type access-control match-all cm-teredo1
 match start udp payload-start offset 0 size 1 eq 0x60 mask 15
 match start udp payload-start offset 8 size 4 eq 0x20010000
class-map type access-control match-all cm-teredo2
 match start udp payload-start offset 0 size 1 eq 0x60 mask 15
 match start udp payload-start offset 24 size 4 eq 0x20010000
policy-map type access-control pm-teredo
 class cm-teredo1
  drop
 class cm-teredo2
  drop
policy-map type access-control pm-udp-teredo
 class cm-ip-udp
  service-policy pm-teredo
interface GigabitEthernet1/36
 service-policy type access-control in pm-udp-teredo

The trick is to block all packets containing a Teredo source or destination address in the UDP payload. Teredo addresses are in the 2001::/32 (note 32) prefix.

Callouts: "IP version = 6" (the offset 0 match) and "Teredo prefix as embedded address" (the offset 8 and offset 24 matches)
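The same matching logic as the FPM policy above, written out in Python so the offsets can be checked against real datagrams offline; added example, not the deck's FPM configuration and not IOS code. All datagrams are constructed here, and the Teredo client address is a constructed value inside 2001::/32.

```python
"""Software counterpart of the FPM policy on pages 115-116: decide whether a
UDP datagram carries an IPv6 packet with a Teredo (2001:0000::/32) source or
destination address, without relying on the UDP port. Added example, not the
deck's FPM configuration; all datagrams below are constructed."""
import ipaddress
import struct

TEREDO_PREFIX = bytes.fromhex("20010000")   # first 32 bits of 2001::/32
TEREDO_DEFAULT_PORT = 3544


def looks_like_teredo(udp_payload: bytes) -> bool:
    """The two class-maps in one function: version nibble 6 at payload offset 0,
    then 0x20010000 at offset 8 (source) or offset 24 (destination)."""
    if len(udp_payload) < 40 or udp_payload[0] >> 4 != 6:
        return False
    return udp_payload[8:12] == TEREDO_PREFIX or udp_payload[24:28] == TEREDO_PREFIX


def classify_ipv4_packet(packet: bytes) -> str:
    """'drop-teredo' if the policy would drop the packet, otherwise 'permit'."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 17:   # IPv4 carrying UDP (17)
        return "permit"
    ihl = (packet[0] & 0x0F) * 4
    return "drop-teredo" if looks_like_teredo(packet[ihl + 8:]) else "permit"


# --- constructed sample traffic ------------------------------------------
def ipv6_packet(src: str, dst: str, payload: bytes = b"\x80\x00" + b"\x00" * 6) -> bytes:
    # IPv6 header with next header 58 (ICMPv6) and a dummy echo request body.
    return (struct.pack("!IHBB", 0x60000000, len(payload), 58, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)


def ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    # Minimal IPv4 (no options) + UDP framing; checksums are left at zero.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


TEREDO_CLIENT = "2001:0:4136:e378:8000:63bf:3fff:fdd2"   # constructed address inside 2001::/32
NATIVE_HOST = "2001:db8::1"

SAMPLES = {
    # Teredo on its default port: the source-address class-map fires.
    "teredo_default_port": ipv4_udp("192.0.2.10", "203.0.113.5", TEREDO_DEFAULT_PORT, TEREDO_DEFAULT_PORT,
                                    ipv6_packet(TEREDO_CLIENT, NATIVE_HOST)),
    # Same thing hidden on UDP/53 with the Teredo address as destination: still caught.
    "teredo_on_dns_port": ipv4_udp("192.0.2.11", "203.0.113.53", 40000, 53,
                                   ipv6_packet(NATIVE_HOST, TEREDO_CLIENT)),
    # Ordinary DNS query payload: not an IPv6 header, permitted.
    "plain_dns": ipv4_udp("192.0.2.12", "203.0.113.53", 40001, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    # IPv6-in-UDP with non-Teredo addresses on both ends: not this policy's business.
    "other_ipv6_in_udp": ipv4_udp("192.0.2.13", "203.0.113.7", 40002, 4500,
                                  ipv6_packet(NATIVE_HOST, "2001:db8::2")),
}


def scan(samples: dict) -> dict:
    """Verdict per sample name; handy for checking a capture offline."""
    return {name: classify_ipv4_packet(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:22s} {verdict}")
```

Because the match is on the embedded IPv6 addresses rather than on the UDP port, the "Teredo will run over a different UDP port" case from page 114 is still caught, as the UDP/53 sample shows.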

Page 117

• 6VPE: the MPLS-VPN extension to also transport IPv6 traffic over a MPLS cloud and IPv4 BGP sessions

Diagram: an IPv4 only MPLS core with Dual-Stack IPv4-IPv6 PE Routers PE1, PE2, PE3 and PE4, each holding VRFs; attached VPNs: v4 and v6 VPN (10.1.1.0/24, 2001:db8:1:1::/64), v4 only VPN (10.1.1.0/24), v4 and v6 VPN (10.1.2.0/24, 2001:db8:1:2::/64), v4 only VPN (10.1.2.0/24), and two v6 VPNs

Page 118

• 6PE (dual stack without VPN) is a simple case

• Security is identical to IPv4 MPLS-VPN, see RFC 4381

• Security depends on correct operation and implementation

QoS prevents flooding attacks from one VPN to another one

PE routers must be secured: AAA, iACL, CoPP …

• MPLS backbones can be more secure than "normal" IP backbones

Core not accessible from outside

Separate control and data planes

• PE security

Advantage: Only PE-CE interfaces accessible from outside

Makes security easier than in "normal" networks

IPv6 advantage: PE-CE interfaces can use link-local for routing

=> completely unreachable from remote (better than IPv4)

Page 119

Enforcing a Security Policy

Page 120

• Very much like in IPv4

Filter traffic based on

Source and destination addresses

Next header presence

Layer 4 information

Implicit deny all at the end of ACL

Empty ACL means traffic allowed

Reflexive and time based ACL

• Known extension headers (HbH, AH, RH, MH, destination, fragment) are scanned until:

Layer 4 header found

Unknown extension header is found

• Side note for 7600 & other switches:

No VLAN ACL

Port ACL on Nexus-7000, Cat 3750 (12.2(46)SE), Cat 4K (end 2010), Cat 6K (mid 2010)

Page 121

• Can match on

Upper layers: TCP, UDP, SCTP port numbers

TCP flags SYN, ACK, FIN, PUSH, URG, RST

ICMPv6 code and type

Traffic class (only six bits/8) = DSCP

Flow label (0-0xFFFFF)

• IPv6 extension header

routing matches any RH, routing-type matches specific RH

mobility matches any MH, mobility-type matches specific MH

dest-option matches any, dest-option-type matches specific destination options

auth matches AH

Can skip AH (but not ESP) since IOS 12.4(20)T

• fragments keyword matches

Non-initial fragments (same as IPv4)

And the first fragment if the L4 protocol cannot be determined

• undetermined-transport keyword matches (only for deny)

Any packet whose L4 protocol cannot be determined: fragmented or unknown extension header

Page 122

ipv6 access-list ACCESS_PORT
 remark Block all traffic DHCP server -> client
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any

interface gigabitethernet 1/0/1
 switchport
 ipv6 traffic-filter ACCESS_PORT in

Note: PACL replaces RACL for the interface

In December 2009, only on Nexus-7000 and Cat 3750 12.2(46)SE

Page 123

• Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery:

permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any

• Be careful when adding « deny ipv6 any any log » at the end: the explicit deny is evaluated before the implicit entries, so add the neighbor discovery permits explicitly in front of it:

permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any log
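A small evaluator for the ACL behaviour of pages 120 to 123 (first match wins, implicit neighbor discovery permits before the implicit deny), as an added Python example that is not IOS code. Packets are plain dicts constructed inline; matching is reduced to protocol, addresses, ports and ICMPv6 type, and only the ICMPv6 keywords listed in ICMP_KEYWORDS are understood. The page-122 ACL is reproduced with the protocol keyword in its final line.

```python
"""Toy evaluator for the IPv6 ACL semantics on pages 120-123: first matching
entry wins, and every IPv6 ACL ends with implicit entries that permit neighbor
discovery before the implicit deny. Added example, not IOS code; packets are
plain dicts and matching is reduced to protocol, addresses, ports and ICMPv6 type."""
import ipaddress

ICMP_KEYWORDS = {"router-solicitation": 133, "router-advertisement": 134, "nd-ns": 135, "nd-na": 136}
IMPLICIT_TAIL = ["permit icmp any any nd-na", "permit icmp any any nd-ns", "deny ipv6 any any"]


def parse_ace(line: str):
    """Parse 'action proto src [eq port] dst [eq port] [icmp-keyword] [log]'; remarks give None."""
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return None
    ace = {"action": tokens[0], "proto": tokens[1], "src": None, "sport": None,
           "dst": None, "dport": None, "icmp_type": None, "log": False, "text": line}
    i = 2
    for side in ("src", "dst"):
        ace[side] = tokens[i]
        i += 1
        if i < len(tokens) and tokens[i] == "eq":
            ace[side[0] + "port"] = int(tokens[i + 1])
            i += 2
    for tok in tokens[i:]:
        if tok == "log":
            ace["log"] = True
        else:
            ace["icmp_type"] = ICMP_KEYWORDS[tok]
    return ace


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(spec)


def matches(ace: dict, pkt: dict) -> bool:
    if ace["proto"] not in ("ipv6", pkt["proto"]):
        return False
    if not _addr_match(ace["src"], pkt["src"]) or not _addr_match(ace["dst"], pkt["dst"]):
        return False
    if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    return ace["icmp_type"] is None or pkt.get("icmp_type") == ace["icmp_type"]


def evaluate(acl_lines, pkt):
    """Return (action, matching line). The implicit tail is appended after the configured lines."""
    for line in list(acl_lines) + IMPLICIT_TAIL:
        ace = parse_ace(line)
        if ace and matches(ace, pkt):
            return ace["action"], line
    return "deny", "<end of ACL>"   # unreachable: the implicit tail always matches


# Constructed packets: a neighbor solicitation, a router advertisement, DHCPv6 server -> client.
NS = {"proto": "icmp", "src": "fe80::1", "dst": "ff02::1:ff00:1", "icmp_type": 135}
RA = {"proto": "icmp", "src": "fe80::1", "dst": "ff02::1", "icmp_type": 134}
DHCP_REPLY = {"proto": "udp", "src": "fe80::2", "dst": "fe80::1", "sport": 547, "dport": 546}

# The page-122 port ACL (protocol keyword spelled out) and the two tails from page 123.
ACCESS_PORT = [
    "remark Block all traffic DHCP server -> client",
    "deny udp any eq 547 any eq 546",
    "remark Block Router Advertisements",
    "deny icmp any any router-advertisement",
    "permit ipv6 any any",
]
CARELESS_TAIL = ["deny ipv6 any any log"]
CAREFUL_TAIL = ["permit icmp any any nd-na", "permit icmp any any nd-ns", "deny ipv6 any any log"]

if __name__ == "__main__":
    for name, acl in (("ACCESS_PORT", ACCESS_PORT), ("CARELESS_TAIL", CARELESS_TAIL), ("CAREFUL_TAIL", CAREFUL_TAIL)):
        print(name, "NS ->", evaluate(acl, NS), "| RA ->", evaluate(acl, RA))
```

Running it shows the gotcha directly: with `CARELESS_TAIL` the neighbor solicitation is logged and dropped by the explicit deny, while an ACL with no explicit deny at all still lets it through via the implicit entries.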

Page 124

For Your Reference

ipv6 access-list VTY
 permit ipv6 2001:db8:0:1::/64 any

line vty 0 4
 ipv6 access-class VTY in

Page 125

• Stateful protocol inspection (anomaly detection) of IPv6 fragmented packets, TCP, UDP, ICMP and FTP traffic

• IOS 12.3(7)T (released 2005)

• Stateful inspection of IPv4/IPv6 packets

• IPv6 DoS attack mitigation

• Recognizes IPv6 extension headers

Diagram: IPv6 Site 1, Site 2 and Site 3, each behind an IPv6 Router with Cisco IOS Firewall, connected over the Internet (IPv4) through a Dual Stack Router

Page 126

• Since version 7.0 (April 2005)

• Dual-stack, IPv6 only, IPv4 only

• Extended IP ACL with stateful inspection

• Application awareness

HTTP, FTP, telnet, SMTP, TCP, SSH, UDP

• uRPF and v6 Frag guard

• IPv6 header security checks

Always block routing-header (type 0 and 2)

• Management access via IPv6

Telnet, SSH, HTTPS

• ASDM support (ASA 8.2)

• Routed & transparent mode (ASA 8.2)

• Fail-over support (ASA 8.2.2)

• Caveats:

Cannot block specific extension headers


Page 128

For Your Reference

interface Ethernet0
 nameif outside
 ipv6 address 2001:db8:c000:1051::37/64
 ipv6 enable
interface Ethernet1
 nameif inside
 ipv6 address 2001:db8:c000:1052::1/64
 ipv6 enable
ipv6 route outside ::/0 2001:db8:c000:1051::1
ipv6 access-list SECURE permit tcp any host 2001:db8:c000:1052::7 eq telnet
ipv6 access-list SECURE permit icmp6 any 2001:db8:c000:1052::/64
access-group SECURE in interface outside


Page 130

• IPS supports IPv6 since IPS 6.2 (November 2008)

• Engines

Specific to IPv6

Common to IPv4 and IPv6

TCP reset works over IPv4

• IPS Manager Express can view IPv6 events

• IPS Device Manager can configure IPv6

• The whole management plane is over IPv4 only

Not critical for most customers

See also BRKSEC-3030

Advanced Intrusion Prevention Systems


Page 132

Secure IPv6 Connectivity

How to Secure IPv6 over the WAN

Page 133

• No traffic sniffing

• No traffic injection

• No service theft

Public Network   Site 2 Site                            Remote Access
IPv4             6in4/GRE Tunnels Protected by IPsec    ISATAP Protected by RA IPsec
                 DMVPN 12.4(20)T                        SSL VPN Client AnyConnect
IPv6             IPsec VTI 12.4(6)T                     N/A

Page 134

IPv6 in IPv4 tunnel

Diagram: two IPv6 Networks joined by an IPv6-in-IPv4 tunnel across IPv4, with IPsec protecting the IPv4 tunnel

GRE tunnel can be used to transport both IPv4 and IPv6 in the same tunnel

IPsec protects IPv4 unicast traffic... the encapsulated IPv6 packets

Page 135

• IPv6 packets over DMVPN IPv4 tunnels

In IOS release 12.4(20)T (July 2008)

IPv6 and/or IPv4 data packets over same GRE tunnel

• Complete set of NHRP commands

network-id, holdtime, authentication, map, etc.

• NHRP registers two addresses

Link-local for routing protocol (Automatic or Manual)

Global for packet forwarding (Mandatory)

See also BRKSEC-3112

Advanced Concepts of DMVPN

Page 136

For Your Reference

• Since 12.4(6)T, IPsec also works for IPv6

• Using the Virtual Interface

interface Tunnel0
 no ip address
 ipv6 address 2001:DB8::2811/64
 ipv6 enable
 tunnel source Serial0/0/1
 tunnel destination 2001:DB8:7::2
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile ipv6

Page 137

• Enabling IPv6 traffic inside the Cisco VPN Client tunnel

NAT and Firewall traversal support

Allow remote host to establish a v6-in-v4 tunnel either automatically or manually

ISATAP—Intra Site Automatic Tunnel Addressing Protocol

Fixed IPv6 address enables the server's side of any application to be configured on an IPv6 host that could roam over the world

• Use of ASA 8.0 and SSL VPN Client AnyConnect

Can transfer IPv6 traffic over public IPv4

Page 138

Diagram: a dual-stack PC (IPv4/IPv6) builds an ISATAP tunnel to an ISATAP Tunnel server on a dual stack router, through the Enterprise VPN head-end (ASA, IOS, ...), and reaches the IPv6 Network

IPsec with NAT-T can traverse NAT

ISATAP encapsulates IPv6 into IPv4

IPsec protects IPv4 unicast traffic... the encapsulated IPv6 packets

Page 139

IPv4 and IPv6 Transport in SSL

Diagram: a dual-stack PC (IPv4/IPv6) running AnyConnect connects to an ASA 8.0 SSL VPN Concentrator (Dual Stack) and reaches the IPv6 Network

Page 140

IPv6 Security: Best Common Practice

Page 141

• Train your network operators and security managers on IPv6

• Selectively filter ICMP (RFC 4890)

• Implement RFC 2827-like filtering

• Block Type 0 Routing Header at the edge

• Determine what extension headers will be allowed through the access control device

• Deny IPv6 fragments destined to an internetworking device when possible

• Use traditional authentication mechanisms on BGP and IS-IS

• Use IPsec to secure protocols such as OSPFv3 and RIPng

• Document procedures for last-hop traceback

For Your Reference

Page 142

• Implement privacy extensions carefully

• Filter internal-use IPv6 addresses & ULA at the border routers

• Filter unneeded services at the firewall

• Maintain host and application security

• Use cryptographic protections where critical

• Implement ingress filtering of packets with IPv6 multicast source addresses

• Use static tunneling rather than dynamic tunneling

• Implement outbound filtering on firewall devices to allow only authorized tunneling endpoints

For Your Reference

Page 143

Conclusion

Page 144

• So, nothing really new in IPv6

• Lack of operation experience may hinder security for a while: training is required

• Security enforcement is possible

Control your IPv6 traffic as you do for IPv4

• Leverage IPsec to secure IPv6 when suitable

Page 145

• Easy to check!

• Look inside NetFlow records

Protocol 41: IPv6 over IPv4 or 6to4 tunnels

IPv4 address: 192.88.99.1 (6to4 anycast server)

UDP 3544, the public part of Teredo, yet another tunnel

• Look into DNS server log for resolution of ISATAP

• Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks NOW
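The NetFlow and DNS checks listed above, turned into a small detector as an added example (not code from the slides): it assumes a simplified flow record and BIND-style query log lines, both constructed here, and flags protocol 41, the 6to4 relay anycast address, Teredo's UDP port and ISATAP name lookups.

```python
from dataclasses import dataclass

# Hypothetical flow record (a subset of what a NetFlow export carries).
@dataclass
class Flow:
    src: str
    dst: str
    proto: int   # IP protocol number
    dport: int   # destination port, 0 when not TCP/UDP

SIXTO4_ANYCAST = "192.88.99.1"   # 6to4 relay anycast address
TEREDO_PORT = 3544               # Teredo server UDP port

def classify_flow(f):
    """Return a tunnel label for one flow, or None if it looks ordinary."""
    if f.proto == 41:  # IPv6 carried directly in IPv4: 6in4 or 6to4
        return "6to4-relay" if SIXTO4_ANYCAST in (f.src, f.dst) else "proto41-tunnel"
    if f.proto == 17 and f.dport == TEREDO_PORT:
        return "teredo"
    return None

def find_tunnel_flows(flows):
    """List (src, dst, label) for every flow that matches a tunnel indicator."""
    return [(f.src, f.dst, lab) for f in flows if (lab := classify_flow(f))]

def find_isatap_queries(log_lines):
    """Pick out queries for isatap.* names from BIND-style query log lines."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if "query:" in parts[:-1]:  # the queried name follows the "query:" token
            name = parts[parts.index("query:") + 1].lower().rstrip(".")
            if name.startswith("isatap."):
                hits.append(name)
    return hits

# Constructed sample data: three tunnel flows plus one ordinary HTTPS flow,
# and two DNS query log lines, one of them an ISATAP router lookup.
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "203.0.113.7", 41, 0),
    Flow("10.1.1.21", "192.88.99.1", 41, 0),
    Flow("10.1.1.22", "198.51.100.9", 17, 3544),
    Flow("10.1.1.23", "198.51.100.80", 6, 443),
]
SAMPLE_DNS_LOG = [
    "10-May-2011 10:12:01 client 10.1.1.30#5123: query: isatap.example.com IN A +",
    "10-May-2011 10:12:02 client 10.1.1.31#5124: query: www.example.com IN A +",
]
```

Feeding real exports and query logs into these two functions gives a first inventory of tunnel endpoints on an IPv4-only network, which is the latent threat the slide warns about.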

Page 146

Questions? And Answers

Page 147

• Twitter www.twitter.com/CiscoCZ

• Talk2Cisco www.talk2cisco.cz/dotazy

• SMS 732 488 666

You are invited to Ptali jste se… TAURUS, 17:45 – 18:30

Page 148

Please rate this talk.

T-SEC
