Date posted: 11-Jan-2016. Uploaded by: maria-patterson. 49 pages.
© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod5_L1 1 Implementing Secure Converged Wide Area Networks (ISCW) Module 5 – ‘Cisco Device Hardening’
Page 1: (title slide, as above)

Page 2:
Page 3:
Page 4:
Page 5:

IDS = Intrusion Detection System

IPS = Intrusion Prevention System

HIPS = Host Intrusion Prevention System

Page 6:
Page 7:

Encryption /

Access control configuration /

Note: the updated version of RFC 2827 ingress filtering is RFC 3704 filtering.

Page 8:
Page 9:

Worm Attack, Mitigation and Response

The anatomy of a worm attack has three parts:

The enabling vulnerability: the worm installs itself on a system by exploiting a vulnerability in it.

Propagation mechanism: after gaining access to a device, the worm replicates itself and selects new targets.

Payload: once the device is infected, the attacker has access to the host, often as a privileged user; where not, the attacker uses a local exploit to escalate to administrator.

Page 10:

Worm attack mitigation

Worm attack mitigation requires diligence on the part of system and network administration staff.

Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident.

Recommended steps for worm attack mitigation:

Containment: Contain the spread of the worm into your network and within your network. Compartmentalise uninfected parts of your network.

Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems.

Quarantine: Track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network.

Treatment: Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.

Page 11:

Note: SNMPv3 (at the authPriv security level) authenticates and encrypts management traffic, unlike SNMPv1/v2c.

Page 12:

Disabling Unused Cisco Router Network Services and Interfaces

Page 13:

Unnecessary Services and Interfaces

Router service                               | Default                              | Best practice
BOOTP server                                 | Enabled                              | Disable
Cisco Discovery Protocol (CDP)               | Enabled                              | Disable if not required
Configuration auto-loading                   | Disabled                             | Disable if not required
FTP server                                   | Disabled                             | Disable if not required; otherwise encrypt the traffic within an IPsec tunnel
TFTP server                                  | Disabled                             | Disable if not required; otherwise encrypt the traffic within an IPsec tunnel
Network Time Protocol (NTP) service          | Disabled                             | Disable if not required; otherwise configure NTPv3 (authentication) and restrict permitted peers with ACLs
Packet assembler/disassembler (PAD) service  | Enabled                              | Disable if not required
TCP and UDP minor services (small servers)   | Enabled (pre-11.3); Disabled (11.3+) | Disable if not required
Maintenance Operation Protocol (MOP) service | Enabled                              | Disable explicitly if not required

Page 14:

Commonly Configured Management Services

Management service                        | Enabled by default | Best practice
Simple Network Management Protocol (SNMP) | Enabled            | Disable the service; otherwise configure SNMPv3
HTTP configuration and monitoring         | Device dependent   | Disable if not required; otherwise restrict access using ACLs
Domain Name System (DNS) client service   | Enabled            | Disable if not required; otherwise explicitly configure the DNS server address

Page 15:

Path Integrity Mechanisms

Path integrity mechanism | Enabled by default | Best practice
ICMP redirects           | Enabled            | Disable the service
IP source routing        | Enabled            | Disable if not required

Page 16:

Probe and Scan Features

Probe and scan feature         | Enabled by default | Best practice
Finger service                 | Enabled            | Disable if not required
ICMP unreachable notifications | Enabled            | Disable explicitly on untrusted interfaces
ICMP mask reply                | Disabled           | Disable explicitly on untrusted interfaces

Page 17:

Terminal Access Security

Terminal access security  | Enabled by default | Best practice
IP identification service | Enabled            | Disable
TCP keepalives            | Disabled           | Enable

Page 18:

ARP Service

ARP service    | Enabled by default | Best practice
Gratuitous ARP | Enabled            | Disable if not required
Proxy ARP      | Enabled            | Disable if not required
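The following is an added example, not part of the Cisco slides, showing the best-practice columns of the tables on pages 13 to 18 applied as IOS configuration. The interface name FastEthernet0/0, the NTP server 10.0.100.5 and the NTP key value are assumptions; the commands themselves are standard IOS.

```cisco
! Added example (not from the slides). FastEthernet0/0, 10.0.100.5 and the NTP key are assumed.
!
! Unnecessary services (page 13)
no ip bootp server
no cdp run                      ! global; use "no cdp enable" per interface if CDP is needed inside
no service config               ! configuration auto-loading
no boot network
no ftp-server enable
no service pad
no service tcp-small-servers    ! echo, chargen, discard, daytime
no service udp-small-servers
! The TFTP server is off unless a file was published with "tftp-server flash:<file>"; remove any such line.
!
! Management services (page 14)
no snmp-server                  ! removes every community string; SNMPv3 is configured separately
no ip http server
no ip http secure-server
no ip domain-lookup             ! DNS client off; otherwise set "ip name-server <addr>" explicitly
!
! Path integrity, probe/scan, terminal access and ARP (pages 15-18), global part
no ip source-route
no ip finger
no ip identd
no ip gratuitous-arps
service tcp-keepalives-in       ! tear down vty sessions whose peer has vanished
service tcp-keepalives-out
!
! Per-interface part, applied to every untrusted interface
interface FastEthernet0/0
 no cdp enable
 no mop enabled
 no ip redirects
 no ip unreachables
 no ip mask-reply
 no ip proxy-arp
 no ip directed-broadcast
!
! NTP as a client only, with NTPv3 authentication and an ACL (NTP row on page 13)
ntp authenticate
ntp authentication-key 1 md5 Ntp-K3y-chang3-me
ntp trusted-key 1
ntp server 10.0.100.5 key 1
ip access-list standard NTP-PEERS
 permit host 10.0.100.5
ntp access-group peer NTP-PEERS
!
! Verify the interface flags afterwards:
!   show ip interface FastEthernet0/0 | include redirects|unreachables|mask|Proxy|directed
```

The global "no snmp-server" and "no ip http server" lines are the ones most often skipped in practice because a management tool depends on them; if the tool is needed, replace them with the SNMPv3 and "ip http access-class" restrictions the tables call for rather than leaving the defaults.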

Page 19:

AutoSecure Functions

AutoSecure can selectively lock down:

Management plane services and functions:
  Finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask-replies), directed broadcast, MOP, banner
  Also provides password security and SSH access

Forwarding plane services and functions:
  CEF, traffic filtering with ACLs

Firewall services and functions:
  Cisco IOS Firewall inspection for common protocols

Login functions:
  Password security

NTP protocol

SSH access

TCP Intercept services

Syntax:

Router# auto secure ?
  forwarding   Secure Forwarding Plane
  management   Secure Management Plane
  no-interact  Non-Interactive session of AutoSecure
  <cr>

Page 20:

SSH Configuration

Router(config)#ip domain-name [domain name]
Router(config)#crypto key generate rsa ?
  general-keys  Generate a general purpose RSA key pair for signing and encryption
  usage-keys    Generate separate RSA key pairs for signing and encryption
  <cr>

Router(config)#crypto key generate rsa general-keys modulus [modulus = key size in bits (360-2048)]

Keys longer than 512 bits are recommended; 1024 bits was the usual choice when these slides were written. Today 2048 bits should be treated as the minimum (newer IOS releases accept up to 4096), and SSH version 2 requires a key of at least 768 bits.
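A complete SSH-only management access configuration, as an added example that is not part of the Cisco slides. The hostname, domain name, management subnet 10.0.100.0/24 and the user secret are placeholders.

```cisco
! Added example (not from the slides). Hostname, domain, subnet and secret are placeholders.
hostname Perth
ip domain-name lab.example.net
!
! The key pair is named hostname.domain-name, so set both before generating it.
! SSH version 2 needs an RSA key of at least 768 bits; 2048 is the floor today.
crypto key generate rsa general-keys modulus 2048
!
ip ssh version 2                    ! refuse SSHv1, which has known protocol weaknesses
ip ssh time-out 60                  ! seconds allowed to finish authenticating
ip ssh authentication-retries 3
!
username admin privilege 15 secret 0 Ch4nge-Th1s-Secret
!
! Only the management subnet may reach a vty, and only over SSH (no telnet).
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Verify:
!   show ip ssh                     -> "SSH Enabled - version 2.0"
!   show crypto key mypubkey rsa    -> key name Perth.lab.example.net, 2048 bits
```

Generate the key and test an SSH login from a second session before removing telnet from "transport input"; the order matters, because "transport input ssh" with no RSA key on the box leaves no way in at all.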

Page 21:

AutoSecure Failure Rollback Feature

If AutoSecure fails to complete its operation, the running configuration may be corrupt:

In Cisco IOS Release 12.3(8)T and later releases:

Pre-AutoSecure configuration snapshot is stored in the flash under filename pre_autosec.cfg

Rollback reverts the router to the router’s pre-autosecure configuration

Command: configure replace flash:pre_autosec.cfg

If the router is using software prior to Cisco IOS Release 12.3(8)T, the running configuration should be saved before running AutoSecure.
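The rollback procedure above, as an added example that is not from the Cisco slides. The snapshot filename is the one AutoSecure uses; the review step with the configuration diff utility and the ordering are the editor's suggestion.

```cisco
! Added example (not from the slides). Run AutoSecure with a way back.
!
! 1. Snapshot first. Mandatory before 12.3(8)T; harmless later (AutoSecure overwrites it).
Perth# copy running-config flash:pre_autosec.cfg
!
! 2. Run it. Interactive mode lets you decline individual steps (for example the
!    banner, or "no ip unreachables" on an interface you troubleshoot through).
Perth# auto secure
!    or, accepting every default without questions:
Perth# auto secure no-interact
!
! 3. Review what changed before committing anything to NVRAM.
Perth# show archive config differences flash:pre_autosec.cfg system:running-config
!
! 4a. Something broke (e.g. the management station can no longer reach the router)
!     -> revert to the snapshot; "list" shows each command applied while rolling back.
Perth# configure replace flash:pre_autosec.cfg list
!
! 4b. Happy with the result -> commit.
Perth# copy running-config startup-config
```

Because "configure replace" only touches the running configuration, a mistaken AutoSecure run that was never saved can also be undone with a reload; the diff in step 3 is what lets you decide before reaching that point.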

Page 22:

Locking Down Routers with Cisco SDM

SDM simplifies router and security configuration through smart wizards that help to quickly and easily deploy, configure, and monitor a Cisco router without requiring knowledge of the CLI

SDM simplifies firewall and IOS software configuration without requiring expertise about security or IOS software

SDM contains a Security Audit wizard that performs a comprehensive router security audit

SDM uses security configurations recommended by Cisco Technical Assistance Center (TAC) and the International Computer Security Association (ICSA) as the basis for comparisons and default settings

The Security Audit wizard assesses the vulnerability of the existing router and provides quick compliance to best-practice security policies

SDM can implement almost all of the configurations that AutoSecure offers with the One-Step Lockdown feature

Page 23:

Securing Cisco Router Administrative Access

Page 24:

Setting a Login Failure Blocking Period

router(config)#

login block-for seconds attempts tries within seconds

• Blocks access for a quiet period after a configurable number of failed login attempts within a specified period

• Must be entered before any other login command

• Mitigates DoS and break-in attacks

Perth(config)#login block-for 100 attempts 2 within 100

Page 25:

Excluding Addresses from Login Blocking

router(config)#

login quiet-mode access-class {acl-name | acl-number}

• Specifies an ACL that is applied to the router when it switches to quiet mode

• If not configured, all login requests are denied during quiet mode

• Hosts permitted by the ACL (typically the management stations) are exempt from the block and can still log in while the router is in quiet mode

Perth(config)#login quiet-mode access-class myacl

Page 26:

Setting a Login Delay

router(config)#

login delay seconds

• Configures a delay between successive login attempts

• Helps mitigate dictionary attacks

• If not set, a default delay of one second is enforced after the login block-for command is configured

Perth(config)#login delay 30
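The three login-enhancement commands from pages 24 to 26 combined into one working configuration, as an added example that is not part of the Cisco slides. The management subnet 10.0.100.0/24 and the chosen timer values are assumptions; the logging commands are standard IOS and extend what the slides show.

```cisco
! Added example (not from the slides). The management subnet is assumed.
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
!
! Must come first: 3 failures within 60 s put the router into quiet mode for 120 s.
login block-for 120 attempts 3 within 60
!
! During quiet mode only MGMT-HOSTS may still open a login; everyone else is refused.
! Without this line an attacker can lock the administrators out simply by failing logins.
login quiet-mode access-class MGMT-HOSTS
!
! 3 s between successive attempts (once block-for is set, the default is already 1 s).
login delay 3
!
! Log both outcomes so brute-force attempts reach syslog/SIEM, not only "show login".
login on-failure log
login on-success log
!
! Verify:
!   show login            -> current mode (normal/quiet), watch window and block period
!   show login failures   -> source address, user name and count of recent failures
```

Keep the quiet-mode ACL as narrow as the SSH vty access-class: if it permits a whole campus, a compromised host inside that range can still brute-force during the block period.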

Page 27:

Configuring Role-Based CLI

Page 28:

Role-Based CLI Overview

Root view is the highest administrative view

Creating and modifying a view or ‘superview’ is possible only from root view

The difference between root view and privilege Level 15 is that only a root view user can create or modify views and superviews

CLI views require AAA new-model:

This is necessary even with local view authentication

View authentication can be offloaded to an AAA server using the new attribute "cli-view-name"

A maximum of 15 CLI views can exist in addition to the root view

Page 29:

Getting Started with Role-Based CLI

router#

enable [privilege-level] [view [view-name]]

• Enter a privilege level or a CLI view.
• Use the enable command with the view parameter to enter the root view.
• Root view requires privilege level 15 authentication.
• aaa new-model must be enabled.

Perth(config)#aaa new-model
Perth(config)#exit
Perth#enable view
Password:
Perth#
%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

Page 30:

Configuring CLI Views

router(config)#

parser view view-name

• Creates a view and enters view configuration mode

router(config-view)#

secret {0 password | 5 encrypted-password}

• Sets a password to protect access to the view (0 = cleartext, hashed on entry; 5 = an already-hashed MD5 string)

router(config-view)#

commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]

• Adds commands or interfaces to a view

Perth(config)#parser view monitor_view
Perth(config-view)#secret 0 hErMeNe%GiLdE!
Perth(config-view)#commands exec include show version
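A fuller role-based CLI configuration covering the overview on page 28 and the commands on pages 29 and 30, as an added example that is not from the Cisco slides. The view names, user names, secrets and the interface FastEthernet0/0 are invented; the command lines follow the syntax shown above.

```cisco
! Added example (not from the slides). Views, users, secrets and the interface are invented.
aaa new-model
aaa authentication login default local
!
! Views can only be created from root view, which needs the level-15 enable secret:
!   Perth# enable view
!   Password:
!   %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
!
! Read-only view for first-line operations: a few show commands and nothing else.
parser view MONITOR
 secret 0 M0nitor-Only!
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show ip route
 commands exec include all show interfaces
!
! Interface operator: may enter configuration mode for one interface only.
! include-exclusive keeps the FastEthernet0/0 commands out of every other view.
parser view IFOPS
 secret 0 If0ps-Only!
 commands exec include configure terminal
 commands configure include-exclusive interface FastEthernet0/0
 commands interface include shutdown
 commands interface include description
!
! Superview = union of its member views, with its own secret (max 15 views besides root).
parser view NOC superview
 secret 0 N0c-Sup3r!
 view MONITOR
 view IFOPS
!
! Bind local users to views so they land in their view at login instead of in level 1.
username ops-ro view MONITOR secret 0 Ops-R0-pw!
username ops-if view IFOPS secret 0 Ops-If-pw!
username noc view NOC secret 0 Noc-pw!
!
! Verify:
!   Perth# enable view MONITOR
!   Perth# show parser view          -> name of the current view
!   Perth# show parser view all      -> every configured view (from root view)
```

Test each view by logging in as its user and trying a command that should be refused; a view that was given "commands exec include all show" by accident exposes "show running-config", which contains every secret hash and community string on the box.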

Page 31:

Mitigating Threats and Attacks with Access Lists

Page 32:

Configuring SNMP

Page 33:

SNMPv1 and SNMPv2 Architecture

SNMP asks agents embedded in network devices for information or tells the agents to do something.

Page 34:

Community Strings

In effect, having read-write access is equivalent to having the enable password!

SNMP agents accept commands and requests only from SNMP systems that present the correct community string.

By default, most SNMP systems use a community string of "public".

If the router SNMP agent is configured to use this commonly known community string, anyone with an SNMP system is able to read the router MIB.

Router MIB variables can point to entities such as routing tables and other security-critical components of the router configuration, so it is very important that custom SNMP community strings are created. Note also that in SNMPv1 and SNMPv2c the community string travels in cleartext, so anyone who can capture the management traffic learns it no matter how well it was chosen.

Page 35:

SNMPv3 Features and Benefits

Features
– Message integrity: ensures that a packet has not been tampered with in transit
– Authentication: verifies that the message is from a valid source
– Encryption: scrambles the contents of a packet so that it cannot be read by an unauthorised party

Benefits
– Data can be collected securely from SNMP devices without fear of the data being tampered with or corrupted
– Confidential information, such as SNMP Set command packets that change a router configuration, can be encrypted to prevent the contents from being exposed on the network

It is strongly recommended that all network management systems use SNMPv3 rather than SNMPv1 or SNMPv2. Only the authPriv security level provides all three properties; noAuthNoPriv and authNoPriv leave the payload readable on the wire.
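The weak community-string setup from page 34 beside its SNMPv3 replacement, as an added example that is not from the Cisco slides. The NMS address 10.0.100.10, the view, group and user names and both pass-phrases are placeholders.

```cisco
! Added example (not from the slides). NMS address, names and pass-phrases are placeholders.
!
! Weak (what page 34 warns about): guessable strings, sent in cleartext, and RW is
! full control of the router, equivalent to the enable password.
!   snmp-server community public RO
!   snmp-server community private RW
no snmp-server community public
no snmp-server community private
!
! Hardened: SNMPv3 authPriv, read-only view, accepted only from the NMS.
ip access-list standard NMS-HOSTS
 permit host 10.0.100.10
!
snmp-server view RO-VIEW iso included
snmp-server group NMS-RO v3 priv read RO-VIEW access NMS-HOSTS
! SHA for integrity/authentication, AES-128 for confidentiality (needs a k9 crypto image).
snmp-server user nmsro NMS-RO v3 auth sha Auth-Pa55phrase priv aes 128 Priv-Pa55phrase access NMS-HOSTS
!
! Notifications go out authenticated and encrypted as well, so the NMS can trust them.
snmp-server host 10.0.100.10 version 3 priv nmsro
snmp-server enable traps snmp authentication linkdown linkup
!
! Verify (the user is stored in NVRAM and does not appear in the running-config):
!   show snmp user
!   show snmp group
```

Because "snmp-server user" is absent from "show running-config", a configuration backup does not recreate SNMPv3 users; keep the user definition in the provisioning system and confirm it with "show snmp user" after a restore.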

Page 36:

Configuring NTP on Cisco Routers

Page 37:

NTP-Authentication

Page 38:

NTP-Server

Page 39:

NTP-Associations

Page 40:

Configuring AAA on Cisco Routers

Page 41:

The Three Components of AAA

Authentication

Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption

Authorisation

Provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet

Accounting

Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes
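The three AAA components wired to an external server, as an added example that is not from the Cisco slides. The TACACS+ server 10.0.100.20, its shared key and the fallback account are placeholders. TACACS+ is used rather than RADIUS because it encrypts the whole packet body and supports per-command authorization, whereas RADIUS encrypts only the password and authorizes per session.

```cisco
! Added example (not from the slides). Server address, keys and the local account are placeholders.
aaa new-model
!
tacacs-server host 10.0.100.20 key 0 T4cacs-Sh4red-Key
! (15.x images use a "tacacs server NAME" block with "address ipv4" and "key" instead.)
!
! Authentication: ask the server; fall back to the local database only when it is unreachable.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: the server decides who gets an exec shell and which level-15 commands run.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Accounting: start/stop of every session and one record per level-15 command.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
! Local fallback account, used only while TACACS+ is down.
username admin privilege 15 secret 0 Ch4nge-Th1s-Secret
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
 transport input ssh
!
! Test from a second session before closing the one you are in:
!   debug aaa authentication / debug tacacs   (stop with "undebug all")
!   show tacacs                               -> server reachability and request counters
```

The "local" keyword at the end of each method list is what keeps you out of trouble when the server is down: it is consulted only when TACACS+ does not answer, not when it answers with a reject.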

Page 42:

AAA Protocols: RADIUS and TACACS+

Page 43:

AAA-Server Configuration

Page 44:

AAA-Authentication Configurations CLI

Page 45:

AAA-Authorization Configuration

Page 46:

AAA-Authorization Configuration

Page 47:

AAA-Accounting Configuration

Page 48:

AAA-Accounting Configuration

Page 49:

Recommended