Network Security

Post on 12-Nov-2014


Cisco Systems Confidential 0036_08F7_c2

Internet Security

‘Internet and Intranet - meeting future business needs’

Before we Begin......

• Attendees agree that this information will be circulated on a very strict need-to-know basis, as it is sensitive and can cause security problems.

• While the information in this document is not confidential, there is information that could be harmful if given to the wrong individuals.

• The only way to understand security problems is to know what they are. This means that they may also be exploited by those who are untrustworthy.

New Network Threats

CIA Web Site Hacked

Netcom Credit Card Information Stolen

Need for More Security

… and the “Net” Has Changed!

Original ARPAnet | Today’s Internet | Implications

1983: 200 Core Nodes; Linear Growth | 11.6 Million Core Nodes; Exponential Growth | Shortage of Unique IP Network Numbers Imminent

Large Time-Sharing Nodes, Mostly Educational | Large and Distributed ISP-Connected Organizations | CIDR, NAT, DHCP for Client Only, IPv6

“Difficult” Security Underlying Technology Known to Few | Numerous Untrusted Private Sector Hosts; Hackers Abound | Firewalls, Encryption

[Diagram: Internetwork: Consumers, Enterprise, Small Business and Professional Office networks joined through the Internet]

Putting Things in Perspective

• 75% of computer attacks are never detected.

• Only 15% of all computer crimes are instigated by outsiders.

• 80% - 85% are launched by insiders - people you thought you could trust.

Where’s the Threat? ... Corporate Space

[Diagram: corporate network with an Internet connection, a Terminal Server and Employees; threat split Internet 20%, Employees 80%]

Where’s the Threat? ... ISP Space

[Diagram: ISP network with an Internet connection, a Terminal Server, Customers and the Corporate Network; threat split Internet 20%, Customers 80%]

Security Services

Have You Experienced Computer or Network Security Breaches in the Last Year?

Yes: 48%

No: 52%

Source: Computer Security Institute and FBI Computer Crime Division, Fortune 500 Survey, 1995

What are the Threats?

“Trusted” Users: Remember... 80-85% of all break-ins are caused by people who are insiders.

Amateurs: Cyberpunks, Hackers, Vandals, Crackers, Jerks, etc.

Professionals: No-Win Situation

What are the Threats?

“Trusted” Users: 80% - 90% of all break-ins are caused by people who work for the organizations they broke into!

Many are caught accidentally

Many are amateurs and are caught because they are careless

Most are quietly removed

Very few are reprimanded

What are the Threats?

“Trusted” Users

Extremely few are prosecuted by the legal system

Never at a financial institution

Never at a site with links to possible harm to life, or where there is a tie-in to public view

In some places there is little understanding of how to handle the legal problem

Most companies do not want publicity

What are the Threats?

“Trusted” Users: Most break-ins are either:

Greed-oriented

Revenge-oriented

Malicious

Information Acquisition

Accidental initially, but an opportunity to the user of the system.

What are the Threats?

Amateurs

Amateurs usually leave a trail that is not too difficult to pick up

Amateurs will eventually screw-up

Amateurs do not know when to quit

Amateurs, with careful monitoring, may be found quickly

Most Internet Cyberpunks are Amateurs

What are the Threats?

Professionals

Professionals are rarely detected

Professionals are difficult to find

Professionals will usually originate from a break-in elsewhere

Professionals leave no traceback

Professionals know when it is time to leave

Professionals will take what they want, no matter what is done to safeguard information

What are the Threats? Bottom Line...

If someone wants the information bad enough, and he/she knows what they are doing, they will not be stopped and you may consider the information to be “history.”

IT Issues

• Enterprise information becoming more valuable/vulnerable

[Chart: Load/Traffic versus Time (Today): Business Value/Importance, Internet Traffic and Connectivity curves set against IT Spending at <10% growth]

The Security Dilemma

• Security is complicated to implement

• Security cannot be implemented uniformly

• Internet connection is a security risk

More than 200 Fortune 1000 companies were asked if they had detected attempts from outsiders to gain computer access in the past 12 months:

Yes: 58%

No: 12%

Don’t Know: 30%

If “yes”, how many successful accesses were detected?

1-10: 42%

11-20: 25%

21-30: 16%

31-40: 10%

41-50: 5%

50+: 2%

Source: Warroom Research

Solutions Before you Begin.......

• On-Site Security Policy

• Host Security (UNIX/VMS)

• Workstation Security (X, MS , MAC, OS/2)

• Network Security

• Password Policies

• Application Security

• Tools to Track Attacks

• Ability to lock ‘em up (every security policy needs a hammer)

Creating Cisco Solutions

[Diagram: Integration with Cisco IOS Software across Core Products, Access Products, InterWorks Products, Workgroup Products and Internet BU Products (Firewalls, Translation GWs, Traffic Directors, Client Software, Server Software), delivering End-to-End Security Solutions, Scalability for Global and Enterprise WWW Applications, Internet/Intranet Connectivity and Security for Novell and DEC Customers, End-to-End Multimedia Solutions, and Scalable “Plug-and-Play” TCP/IP Environments]

Security Is a System

Physical Security Example: “What Are You Trying to Protect?”

[Diagram of a vehicle: Motion Detector (Wheels/Entry), Perimeter Detector (Door Entry), Lock Nuts (Wheels), Sound Detector (Glass Entry), Engine Kill (Theft), Locator/Detector (Theft)]

Technical Requirements

• Authentication: Who it is

• Authorization: What is permitted

• Accounting: What was done

• Data integrity: Data is unaltered

• Confidentiality: No unauthorized review

• Assurance: Everything operates as specified

Cisco Security Today

[Diagram: security features across Dial, Firewall and Network Infrastructure: PAP/CHAP, TACACS+/RADIUS, Kerberos, L2F, Lock-and-Key, Access Control Lists, Token Card Support, Logging, Route Filtering, NAT, GRE Tunnels, CiscoSecure™, Encryption, Privilege Levels, Certificate Authority, Cut-Through Proxy]
Solutions Before you Begin.......

Security is an ATTITUDE!

Security Objective: Balance

[Diagram: a balance between Access Security (Authentication, Authorization, Accounting, Assurance, Confidentiality, Data Integrity) and Connectivity (Performance, Transparency)]

Every Customer’s Needs will Be Different!

Host Security

File Sharing, Anonymous FTP, Guest Login, Mail

If a host is not secure, then neither is the network

Network Security Options

• No Internet connection

• Packet filtering with Access Control List (ACL)

• Firewalls

• Privacy with encryption

[Diagram: Enterprise Gateways: Encryption, Address Translation, User Authentication, Secure Routing, Access Control, Legacy Integration, Event Logging, Multiprotocol Tunnels]

Definition of a Firewall

Firewalls are perimeter security solutions, deployed between a trusted and an untrusted network, often a corporate LAN and an Internet connection.

Firewall Architecture

[Diagram: Cisco IOS Firewall doing packet filtering between the Internet and the Public WWW, Public FTP and DNS/Mail servers]

Cisco IOS 11.2

1. Access lists

2. Packet filtering

3. Network Address Translation

4. Encryption
Firewall Architecture

[Diagram: dedicated Cisco PIX Firewall between the Internet and the Public WWW, Public FTP and DNS/Mail servers]
Demilitarized Zone (DMZ)

[Diagram: Public WWW, Public FTP and DNS/Mail servers placed in a DMZ between the Internet and the internal network]
Proxy Servers

[Diagram: Proxy Server in front of the Public WWW, Public FTP and DNS/Mail servers; connections through the proxy are Outbound Only]
Firewall with Address Translation

• Cisco PIX Firewall - dedicated

• Cisco IOS 11.2 - NAT in software

[Diagram: Private IPs 10.0.0.0 inside, Registered IPs 192.128.234.0 outside; translation done by a PIX Firewall or a CiscoSecure Access Router in front of the Public WWW, Public FTP and DNS/Mail servers]
Encryption

[Diagram: “YOUR Text” leaves the sender, crosses the Internet as Cipher Text “2$3B9F37”, and arrives as “YOUR Text”; Public WWW, Public FTP and DNS/Mail servers shown at the site]
Scaling Internet Firewalls

Link speed | Design

Fractional E1/T1 | Small office; all in one; costs less

= E1/T1 | Gateway router and firewall; encryption performance

> DS3/45 Mbps | Gateway router and firewalls; scalable encryption performance
Dial Security

• Centralized security with TACACS+ / RADIUS

• Lock and Key

Centralized Security

[Diagram: Dial client connects to the access server, which checks Authentication, Authorization and Accounting against a CiscoSecure TACACS+ server, using TACACS+ or RADIUS]
Lock and Key

• Enables dynamic Access Control Lists

• Single user on a LAN

• Per-user authorization and authentication

[Diagram: Authorized User passes through the router to the Internet after authenticating with CiscoSecure; Non-Authorized User is blocked]
Virtual Private Dial Networks

• Encrypted access

• Multiprotocol: IP, IPX, SNA, AppleTalk

[Diagram: dial client reaches the corporate network across the Internet; a CiscoSecure TACACS+ Server authenticates]
Virtual Private Networks

• IOS

• PIX

• Replace private WAN with public network access

• Intracompany traffic is private and authenticated

• Internet access is transparent

[Diagram: Remote Offices and the Corporate LAN connected across a Public Network]
Encryption Alternatives

Application Layers (5–7): Application-Layer Encryption

Transport/Network Layers (3–4): Network-Layer Encryption

Link/Physical Layers (1–2): Link-Layer Encryption
Application Encryption

• Encrypts traffic to/from interoperable applications

• Specific to application, but network independent

• Application dependent: all users must have interoperable applications

• Examples: S/MIME, PEM, Oracle Securenet, Lotus cc:Mail and Notes.

Network Encryption

• Encrypts traffic between specific networks, subnets, or address/port pairs

• Specific to protocol, but media/interface independent

• Does not need to be supported by intermediate network devices

• Independent of intermediate topology

• Example: Cisco IOS and PIX

[Diagram: hosts A, B and D with an HR Server and an E-Mail Server; A to HR Server is Encrypted, All Other Traffic is Clear]
Link Encryption

• Encrypts all traffic on a link, including network-layer headers

• Specific to media/interface type, but protocol independent

• Topology dependent: traffic is encrypted/decrypted on a link-by-link basis, so all alternative paths must be encrypted/decrypted

[Diagram: sites A and B reach C and D (HR/Financial Server, E-Mail Server) over a Private WAN with a link to the Public Internet; A to C, D: Clear; B to C, D: Encrypt]

Cisco IOS Encryption Services

• Policy by network, subnet, or address/port pairs (ACL)

• DSS for device authentication; Diffie-Hellman for session key management

• DES for bulk encryption: DES 40 bit generally exportable; DES 56 bit restricted

• Hardware assist: VIP2 service adapter
Cisco IOS Encryption Options

• Cisco IOS software on 100X, 25xx, 4xxx, 7xxx series routers

• On Cisco RSP 7000 and 7500 series, encryption services are performed centrally on the master RSP and/or distributed on the VIP2-40

• Encryption service adapter for Versatile Interface Processors (VIP): provides higher performance encryption for local interfaces; tamper-proof

[Diagram: Cisco 7000 and 7500 chassis with Master RSP and Slave RSP Route Switch Processors and Versatile Interface Processors carrying an Encryption Service Adapter and Port Adapters: High-Performance Hardware Encrypted Virtual Private Networks!]
PIX Private Link

PIX Private Link Frame: IP | UDP | Encapsulation Header | Encrypted Information (inner IP + Data) | MAC | CRC

[Diagram: Networks A, B, C and D, each behind a PIX/Private Link, exchange IP Data across the Public Network/Internet]
PIX Private Link Benefits

• Secures data communication between sites

• Reduces high monthly cost of dedicated leased lines

• Complete privacy

• Easy installation: two commands, no maintenance

• Compliant with IETF IPsec: supports AH (RFC 1826) and ESP (RFC 1827)

• Adds value to your Internet connection

• Augments and backs up existing leased lines

[Diagram: Private Link Private Network, Satellite Division: PIX A and PIX B join the Engineering, Marketing and Executive intranets across the Internet, with a DMZ hosting the TACACS+ Server, RADIUS Server, SMTP Gateway and UNIX DB Gateway; addresses shown: 10.0.0.0, 171.68.10.4, 171.69.236.2 (DMZ), 172.17.0.0, 172.18.0.0, 172.19.0.0]
Tricks to Secure Your Router

Protecting Your Router

• Terminal Access Security

• Transaction and Accounting Records

• Network Management Security

• Traffic Filters

• Routing Protocol Security

• Securing Router Services

The Router’s Role in a Network

[Diagram: Host Systems and DOS, Windows and Mac Workstations (TCP/IP, IPX) connected through Routers to the Internet (TCP/IP)]
Terminal Access Security

Console Access

• Change your passwords - do not use the default.

• Make sure the privilege password is different from the access password.

• Use mixed-character passwords - this adds difficulty to crack attempts.

• Configure session time-outs.

• Use the password encryption features to encrypt the passwords in the configuration images and files.

• Use enable secret, which stores the password with the strongest encryption available.

Telnet Access

• Configures ALL the VTY ports!

• Create an access list for the ports - this limits the range of IP addresses that can Telnet into the router.

• Limit or block port 57 (open Telnet with no password write over).

• Do not use commands like ip alias on the Cisco unless you really need to.

• Block connections to echo and discard via no service tcp-small-servers.

Telnet Access

Enter configuration commands, one per line. End with CNTL/Z.

serial2-3(config)# access-list 101 deny tcp any any eq 57

serial2-3(config)# access-list 101 permit tcp 165.21.0.0 0.0.255.255 any

serial2-3(config)# line vty 0 5

serial2-3(config-line)# access-class 101 in

Extended IP access list 101

    deny tcp any any eq 57

    permit tcp 165.21.0.0 0.0.255.255 any

Multiple Privilege Levels

• Division of responsibilities: help desk and network manager; security and network operations

• Provides internal controls

• Users can only see configuration settings they have access to

Configuring Multiple Privilege Levels

• Set the privilege level for a command

• Change the default privilege level for lines

• Display current privilege levels

• Log in to a privilege level

Multiple Privilege Example

• Configuration:

enable password level 15 pswd15

privilege exec level 15 configure

enable password level 10 pswd10

privilege exec level 10 show running-config

• Login/Logout:

enable <level>

disable <level>

What Is AAA?

• Authentication

Something you are: unique, can’t be left at home: retina, prints, DNA

Something you have: hardware assist: DES card

Something you know: cheap, low-overhead solution: fixed passwords

• Authorization: What you’re allowed to do: connections, services, commands

• Accounting: What you did, and when

• It’s also an architectural framework: protocol-independent formats; easy to support multiple protocols; consistent configuration interface; good scalability for large ISPs with volatile databases and lots of accounting data
Virtual Terminal

[Diagram: a user telnets to Router A: “I would like to log into Router A; my name is JSmith; my password is *****”. Router A, acting as TACACS+ Client, asks the TACACS+ server: “Is JSmith with password ***** an authorized user?”]

Security Server Partners

[Diagram: username/password + token (3 1 7 8 4 5 4 read from a Token Card) sent through a Cisco 500-CS to the security server; access permitted]
Transaction and Accounting Records

Transaction Records

• Q - How do you tell when someone is cracking into your router, hub, or switch?

• Consider some form of audit trail:

Using the UNIX logging features (if it has any).

Cron scripts to alert you when there are potential problems.

SNMP traps and alarms.

Implementing TACACS+, RADIUS, Kerberos, or third-party solutions like the Security Dynamics SmartCard.

Transaction Records

• UNIX Logging

logging buffered 16384

logging trap debugging

logging 169.222.32.1

[Diagram: Logging Flow: the Router sends syslog messages to a UNIX Workstation with Logging Configured]
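The cron-style audit script the transaction-records slide calls for, run over the syslog that the logging configuration above sends to the UNIX host. This is an added Python example, not code from the deck; the log lines are constructed (modelled on IOS %SEC-6-IPACCESSLOGP, %SNMP-3-AUTHFAIL and %SYS-5-CONFIG_I messages) and the thresholds are illustrative.

```python
"""Audit router syslog on the UNIX logging host: spoofed inside sources, SNMP
community guessing, configuration changes and repeat-deny probes.
Added example; log lines constructed, thresholds illustrative."""
import re
from collections import Counter

ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (\d+) (denied|permitted) (\w+) "
    r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\), (\d+) packet")
SNMP_FAIL = re.compile(r"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host (\S+)")
CONFIG_I = re.compile(r"%SYS-5-CONFIG_I: Configured from (\S+) by (\S+)")

# Constructed sample of what 'logging 169.222.32.1' plus 'log' on access-list 101 produces
SAMPLE_LOG = """\
Mar  3 10:01:12 rtr1 12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.92.93.3(40001) -> 131.108.1.1(23), 1 packet
Mar  3 10:01:13 rtr1 13: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.92.93.3(40002) -> 131.108.1.1(23), 1 packet
Mar  3 10:01:14 rtr1 14: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.92.93.3(40003) -> 131.108.1.1(57), 1 packet
Mar  3 10:02:00 rtr1 15: %SEC-6-IPACCESSLOGP: list 101 denied tcp 131.108.9.9(1025) -> 131.108.1.1(23), 3 packets
Mar  3 10:05:41 rtr1 16: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.92.93.3
Mar  3 10:05:42 rtr1 17: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.92.93.3
Mar  3 10:07:00 rtr1 18: %SYS-5-CONFIG_I: Configured from console by vty0 (169.222.32.1)
Mar  3 10:09:30 rtr1 19: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 165.21.4.4(1100) -> 131.108.1.1(23), 1 packet
"""

def audit(log_text, inside_prefix="131.108.", deny_threshold=3):
    """Return a list of (severity, message) alerts worth paging someone about."""
    denies, snmp_fail = Counter(), Counter()
    alerts = []
    for line in log_text.splitlines():
        m = ACL_LOG.search(line)
        if m:
            acl, action, _proto, src, _sport, _dst, _dport, n = m.groups()
            if action == "denied":
                denies[src] += int(n)
                # the anti-spoofing entry fired: an outside packet claimed an inside address
                if src.startswith(inside_prefix):
                    alerts.append(("high", f"spoofed inside source {src} dropped by list {acl}"))
            continue
        m = SNMP_FAIL.search(line)
        if m:
            snmp_fail[m.group(1)] += 1
            continue
        m = CONFIG_I.search(line)
        if m:
            alerts.append(("info", f"configuration changed from {m.group(1)} by {m.group(2)}"))
    for host, n in snmp_fail.items():
        alerts.append(("medium", f"{n} SNMP authentication failures from {host}"))
    for src, n in denies.items():
        if n >= deny_threshold:
            alerts.append(("medium", f"{n} denied packets from {src} (probe?)"))
    return alerts

if __name__ == "__main__":
    for severity, msg in audit(SAMPLE_LOG):
        print(f"[{severity}] {msg}")
```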

Network Management Security

SNMP

• #1 Source of Intelligence on a victim's network!

• Do you know when someone is running an SNMP discovery tool on your network?

• Do you block SNMP on your firewall?

SNMP

• Change your community strings! Do not leave the defaults on!

• Use different community strings for the RO and RW communities.

• Do NOT use RW community unless you are desperate!

• Use mixed characters in the community strings. Yes, even SNMP community strings can be cracked!

SNMP

• Use an access list on SNMP. Limit who can make SNMP queries. If someone needs special access (e.g. for monitoring an Internet link), then create a special community string and access list.

• Explicitly point SNMP traffic back to the authorized workstation

SNMP

snmp-server community apricot RO 1

snmp-server trap-authentication

snmp-server enable traps config

snmp-server enable traps envmon

snmp-server enable traps bgp

snmp-server host 169.223.2.2 apricot

access-list 1 permit 169.223.2.2

Traffic Filters

IP Access List

• <1-99> IP standard access list

• <100-199> IP extended access list

• <1100-1199> Extended 48-bit MAC address access list

• <200-299> Protocol type-code access list

• <700-799> 48-bit MAC address access list

Extended Access Lists

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log]

Example:

access-list 101 permit icmp any any log

Spoofing

• Access list protections are based on matching the source.

• Protect your router with something like the following:

access-list 101 deny ip 131.108.0.0 0.0.255.255 0.0.0.0 255.255.255.255

access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255

access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

• Turn off ip source-routing

Spoofing

[Diagram: a host on the Internet announces itself to the Central Site next to Branch Office A: “Hello, I’m Branch Office X! Here is my routing-update!”]

Spoofing

[Diagram: ISP A and ISP B; packets with source 198.92.93.3/24 arrive from outside the 198.92.93.0/24 network; filter any inbound packets with a 198.92.93.0/24 source]

Denial of Service Attacks

• TCP SYN attack: A sender using a series of random source IP addresses starts connections that cannot be completed, causing the connection queues to fill up, thereby denying service to legitimate TCP users.

• UDP diagnostic port attack: A sender using a series of random IP source addresses calls for UDP diagnostic services on the router, causing all CPU resources to be consumed servicing the bogus requests.

Denial of Service Attacks: TCP SYN

[Diagram: Attacker and Target in ISP A and ISP B (address blocks 9.0.0.0/8 and 10.0.0.0/8); the Attacker sends TCP/SYN packets across the Internet with forged sources 192.168.0.4/32, 15.0.0.13/32 and 172.16.0.2/32, so the Target’s SYN/ACK replies go to hosts that never asked (“?”)]
Denial of Service Attacks: TCP SYN

[Diagram: same Attacker and Target; at the ISP edge, filter any address that does not contain 10.0.0.0/8 as a source]

• Ingress Filtering: apply an outbound filter...

access-list 101 permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
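The anti-spoofing list from the Spoofing slide and the ISP ingress filter above, evaluated with Cisco wildcard-mask semantics so the effect of each entry on a forged source can be checked. This is an added Python example, not Cisco code; the packets are constructed and the router's inside network is assumed to be 131.108.0.0/16 as the slide's first entry implies.

```python
"""Evaluate the deck's anti-spoofing list and ISP ingress filter with Cisco
wildcard-mask semantics.  Added example, not Cisco code; packets are constructed."""
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard: a 0 bit must match the network, a 1 bit is don't-care
    (so 0.0.0.0 255.255.255.255 means 'any')."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _take_addr(fields):
    """Consume 'any' or 'addr wildcard' from the token list."""
    if fields[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), fields[1:]
    return (fields[0], fields[1]), fields[2:]

def parse_acl(text):
    """Parse 'access-list N {permit|deny} ip src src-wc dst dst-wc' lines
    (only the 'ip' protocol form used on these slides)."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, rest = _take_addr(parts[4:])
        dst, _ = _take_addr(rest)
        entries.append((parts[2], src, dst))
    return entries

def evaluate(entries, src, dst):
    """First match wins; every Cisco ACL ends with an implicit deny."""
    for action, (snet, swc), (dnet, dwc) in entries:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"

# Spoofing slide: applied inbound on the Internet interface of a router whose own
# network is 131.108.0.0/16 (assumed), so no outside packet may claim an inside or
# loopback source.
ANTI_SPOOF = """
access-list 101 deny ip 131.108.0.0 0.0.255.255 0.0.0.0 255.255.255.255
access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

# Ingress filtering slide: outbound at the ISP edge, only the ISP's own block may be a source.
INGRESS = "access-list 101 permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255"

def check_anti_spoof(src, dst="131.108.1.1"):
    return evaluate(parse_acl(ANTI_SPOOF), src, dst)

def check_ingress(src, dst="192.168.0.4"):
    return evaluate(parse_acl(INGRESS), src, dst)

if __name__ == "__main__":
    # constructed packets arriving from the Internet
    for s in ("131.108.7.7", "127.0.0.1", "198.92.93.3"):
        print(f"anti-spoof: src={s} -> {check_anti_spoof(s)}")
    for s in ("10.4.4.4", "15.0.0.13"):
        print(f"ingress:    src={s} -> {check_ingress(s)}")
```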

Denial of Service Attacks: UDP diag

[Diagram: the Attacker floods the Target’s router with echo, chargen and discard requests]

• Turn off small services:

no service udp-small-servers

no service tcp-small-servers

Solution: TCP Intercept

• Tracks, intercepts and validates TCP connection requests

• Two modes: Intercept and monitor

TCP Intercept—Intercept Mode

1. Answer connection requests

2. Establish genuine connection

3. Merge connection between client and server

[Diagram: Request Intercepted, Connection Established, Connection Transferred]

TCP Intercept—Monitor Mode

• Passively monitor connection requests

• Terminates connection attempts that exceed configurable time limit

TCP Intercept Aggressive Behavior

• Begins when high-threshold exceeded, ends when drops below low-threshold

• New connection drops old partial connection

• Retransmission timeout cut in half

• Watch timeout cut in half

TCP Intercept Considerations

• TCP negotiated options not supported

• Available in release 11.2(4)F Enterprise and Service Provider

• Connection is fast switched except on the RP/SP/SSP based C7000 which supports process switching only

TCP Intercept Configuration Tasks

• Enable: ip tcp intercept list <extended ACL>

• Set mode: ip tcp intercept mode {intercept | watch}

• Set drop mode: ip tcp intercept drop-mode {oldest | random}

TCP Intercept Configuration

• Change timers:

ip tcp intercept watch-timeout <seconds>

ip tcp intercept finrst-timeout <seconds>

ip tcp intercept connection-timeout <seconds>

• Change aggressive thresholds:

ip tcp intercept max-incomplete low <number>

ip tcp intercept max-incomplete high <number>

ip tcp intercept one-minute low <number>

ip tcp intercept one-minute high <number>
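A simulation of the aggressive behaviour described on the TCP Intercept slides (enter above max-incomplete high, one old partial connection dropped per new request under drop-mode oldest or random, watch timeout halved, leave below max-incomplete low), driven by a constructed SYN flood. This is an added Python example, not Cisco's implementation; the flows and threshold values are constructed, and the one-minute rate thresholds are left out.

```python
"""TCP Intercept aggressive-mode simulation.  Added example, not Cisco code;
SYN stream and thresholds are constructed."""
import random
from collections import OrderedDict

class TcpIntercept:
    def __init__(self, max_incomplete_low, max_incomplete_high,
                 watch_timeout=30.0, drop_mode="oldest", seed=0):
        self.low, self.high = max_incomplete_low, max_incomplete_high
        self.base_watch_timeout = watch_timeout   # 'ip tcp intercept watch-timeout'
        self.drop_mode = drop_mode                 # 'ip tcp intercept drop-mode'
        self.rng = random.Random(seed)
        self.aggressive = False
        self.half_open = OrderedDict()             # flow -> time the SYN was seen
        self.dropped = 0

    @property
    def watch_timeout(self):
        # the watch timeout is cut in half while aggressive
        return self.base_watch_timeout / 2 if self.aggressive else self.base_watch_timeout

    def _update_mode(self):
        n = len(self.half_open)
        if not self.aggressive and n > self.high:
            self.aggressive = True
        elif self.aggressive and n < self.low:
            self.aggressive = False

    def syn(self, flow, now):
        """A new connection request (src, sport, dst, dport) arrives at time 'now'."""
        self.expire(now)
        if self.aggressive and self.half_open:
            # each new request evicts one partial connection
            if self.drop_mode == "oldest":
                victim = next(iter(self.half_open))
            else:
                victim = self.rng.choice(list(self.half_open))
            del self.half_open[victim]
            self.dropped += 1
        self.half_open[flow] = now
        self._update_mode()

    def ack(self, flow):
        """The client completes the handshake: the request is no longer half-open."""
        self.half_open.pop(flow, None)
        self._update_mode()

    def expire(self, now):
        """Drop requests that have outlived the (possibly halved) watch timeout."""
        stale = [f for f, t in self.half_open.items() if now - t > self.watch_timeout]
        for f in stale:
            del self.half_open[f]
        self.dropped += len(stale)
        self._update_mode()

def syn_flood_demo(n_syns=1200, low=100, high=200):
    """Constructed flood of SYNs that never complete.
    Returns (peak half-open count, entered aggressive mode, partial connections dropped)."""
    ti = TcpIntercept(low, high)
    peak, entered = 0, False
    for i in range(n_syns):
        ti.syn((f"198.51.100.{i % 256}", 40000 + i, "192.168.0.4", 80), now=i * 0.01)
        peak = max(peak, len(ti.half_open))
        entered = entered or ti.aggressive
    return peak, entered, ti.dropped

def recovery_demo(low=100, high=200):
    """Legitimate clients finishing their handshakes pull the count under 'low'.
    Returns (was aggressive, is aggressive now, current watch timeout)."""
    ti = TcpIntercept(low, high)
    flows = [(f"165.21.{i // 256}.{i % 256}", 1000 + i, "192.168.0.4", 23) for i in range(high + 1)]
    for i, f in enumerate(flows):
        ti.syn(f, now=i * 0.01)
    was = ti.aggressive
    for f in flows[:high + 2 - low]:
        ti.ack(f)
    return was, ti.aggressive, ti.watch_timeout
```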

Routing Protocol Security

Routing Protocols

• Routing protocols can be attacked:

Denial of Service

Smoke Screens

False information

Reroute packets

• May be accidental or intentional

Solution: Route Authentication

• Authenticates routing update packets

• Shared key included in routing updates:

Plain text - protects against accidental problems only

Message Digest 5 (MD5) - protects against accidental and intentional problems

Route Authentication Protocol

• Routing update includes key and key number

• Receiving router verifies received key against local copy

• If keys match update accepted, otherwise it is rejected

Route Authentication Details

• Multiple keys supported: key lifetimes based on time of day; only the first valid key is sent with each packet

• Supported in: BGP, IS-IS, OSPF, RIPv2, and EIGRP (11.2(4)F)

• Syntax differs depending on routing protocol

Routing Protocols

• OSPF Area Authentication: two types

Simple Password:

ip ospf authentication-key key (this goes under the specific interface)

area area-id authentication (this goes under "router ospf <process-id>")

Message Digest (MD5):

ip ospf message-digest-key keyid md5 key (used under the interface)

area area-id authentication message-digest (used under "router ospf <process-id>")
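The difference between the two authentication types and the key-chain rules from the route authentication slides above, worked through: the plain-text form carries the secret in the update, the MD5 form carries a key number and a digest that the receiver recomputes from its own copy of the key, and only the first key valid at the current time of day is used. This is an added Python example, not Cisco's implementation; the digest is the keyed-MD5 construction used by OSPF and RIPv2 (MD5 over the update plus the key padded to 16 bytes) in a simplified framing, and the updates, keys and lifetimes are constructed.

```python
"""Plain-text versus MD5 route authentication with a key chain.  Added example,
not Cisco code; simplified framing, constructed packets and keys."""
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes
    valid_from: int    # key lifetime by time of day, seconds since midnight
    valid_to: int

class KeyChain:
    def __init__(self, keys):
        self.keys = {k.key_id: k for k in keys}

    def first_valid(self, now):
        """Only the first currently valid key is sent with each packet."""
        for k in sorted(self.keys.values(), key=lambda k: k.key_id):
            if k.valid_from <= now <= k.valid_to:
                return k
        raise LookupError("no valid key for this time of day")

def _digest(update, key):
    # keyed MD5 as in OSPF/RIPv2: the secret, padded to 16 bytes, is appended to the packet
    return hashlib.md5(update + key.secret.ljust(16, b"\0")).digest()

def sign_plaintext(update, key):
    """The shared key itself rides in the update: anyone on the wire reads it,
    so this only catches accidental problems (wrong neighbour, stale config)."""
    return update + b"|KEY=" + key.secret

def sign_md5(update, key):
    """The secret never leaves the router; the update carries the key number
    and a digest that covers the whole update."""
    return update + b"|KEYID=" + str(key.key_id).encode() + b"|MD5=" + _digest(update, key)

def verify_md5(packet, chain):
    """Receiving router looks up the key number in its own chain and recomputes."""
    update, sep, rest = packet.partition(b"|KEYID=")
    key_id, sep2, digest = rest.partition(b"|MD5=")
    if not sep or not sep2 or not key_id.isdigit():
        return False
    key = chain.keys.get(int(key_id))
    if key is None:                       # unknown key number: reject the update
        return False
    return hmac.compare_digest(_digest(update, key), digest)

def demo():
    chain = KeyChain([Key(1, b"area0-day", 0, 12 * 3600),
                      Key(2, b"area0-night", 12 * 3600, 24 * 3600)])
    update = b"OSPF-UPDATE area=0 router-id=131.108.1.1 net=131.108.5.0/24"
    key = chain.first_valid(now=9 * 3600)
    signed = sign_md5(update, key)
    # constructed tampering: something on the path rewrites the originating router
    tampered = signed.replace(b"router-id=131.108.1.1", b"router-id=198.92.93.3")
    other = KeyChain([Key(1, b"wrong-secret", 0, 24 * 3600)])
    return {
        "key_sent": key.key_id,
        "genuine_ok": verify_md5(signed, chain),
        "tampered_ok": verify_md5(tampered, chain),
        "wrong_key_ok": verify_md5(signed, other),
        "plaintext_leaks_secret": key.secret in sign_plaintext(update, key),
    }
```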

Securing Router Services

WWW Server

• Yes, IOS now includes a WWW server!

• Makes configurations easier, but opens new security holes (default - turned off).

• Put an access list on which addresses are allowed to access port 80.

• Similar to console & TTY access.

Other Areas to Consider

• Turn off:

proxy arp

no ip directed-broadcast

no service finger

Protecting the Config Files

• Router configs are usually stored some place safe. But are they really safe?

• Protect and limit access to TFTP and MOP servers containing router configs.

Summary

• Security is not just about protecting your UNIX workstations.

• Your network devices are just as vulnerable.

• Be smart, protect them.

• Routers are the side door into any network.

Where to get more information?

http://www.cisco.com/

• Security URLs:

Computer Emergency Response Team (CERT): http://www.cert.org

SATAN (Security Administrator Tool for Analyzing Networks): http://recycle.cebaf.gov/~doolitt/satan/

Phrack Magazine: http://freeside.com/phrack.html