Network Security Workshop
10-14 December, 2018
Kathmandu, Nepal
Network Infra Security
Securing the device (Hardening)
Think of ALL devices
• 21 Sept 2016 – 600Gbps+ attack on Brian Krebs’ site (hosted by Akamai)
  – https://krebsonsecurity.com
• 30 Sept 2016 – Mirai source code released to https://hackforums.net
  – More (smarter and competing) variants followed
• 21 Oct 2016 – ~1.2Tbps attack on Dyn
• 26 Nov 2016 – 900K+ Deutsche Telekom subscribers offline
What caused all these?
• “Internet of STUPID Things (IoT)” – Geoff Huston
  – CPEs, IP cameras/webcams, DVRs, etc.
• The issue?
  – Admin password exposed via web interface
  – Factory (OEM) default admin credentials
  – WAN management allowed (this means anyone on the Internet)
• TR-069 (CWMP)
And the techniques?
• Attack techniques were common (and not so common ones too)
  – SYN floods
  – Low bandwidth HTTP floods
  – DNS water torture (query floods reported since 2014)
  – GRE floods*
Password visible - Web Interface
Allow remote access
How difficult is it to find one?
Source: https://www.flickr.com/photos/kylaborg/12887906353/
Mirai brute force – OEM default UN and PW
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
What was/is the scale?
• Geo-locations of Mirai-infected devices as of Oct 2016
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
What was/is the scale?
• As many as 20 million devices vulnerable to CWMP exploits
https://maps.shodan.io
Could device hardening have made a difference?
Secure physical access
• Lock up the server room
  – Only authorized access
• Set up surveillance
• Protect the portables; pack up the backups
• Social engineering training and awareness
• Console/AUX access
  – password protected
  – access via OOB (out-of-band) management
  – configure timeouts
Secure Management Plane
• Authenticate access
• Define explicit access to/from management stations
  – SNMP
  – Syslog
  – NTP
  – AAA protocols
  – SSH, Telnet, etc.
Securing Router Access
Local Access
Remote Access
line console 0
 login
 transport preferred none
 password <console-pw>
 exec-timeout 5 0
!
line vty 0 4
 access-class VTY-FILTER in
 ipv6 access-class VTY-v6-FILTER in
 exec-timeout 5 0
 transport preferred none
 transport input ssh
!
ip access-list extended VTY-FILTER
 permit ip <subnet> <wildcard> any
 deny ip any any log
!
ipv6 access-list VTY-v6-FILTER
 permit ipv6 <prefix/length> any
 deny ipv6 any any log
Device Access Control
• Set passwords to something not easily guessed
• Use per-user credentials – avoid group credentials/passwords
• Encrypt passwords in the configuration files
• Use centralized authentication
Secure Access Example
Secure privileged mode
Authenticate individuals & Encrypt passwords
Enforce password length
enable secret <secret-pw>
!
username <user-1> secret <pw>
username <user-2> secret <pw>
!
username <group> secret <group-secret>
!
service password-encryption
!
security password min-length <length>
Centralized AAA
• As opposed to individual databases on each node in your network
  – Scalability
• Granularity
  – per-command/per-interface privileges (authorizations)
Centralized AAA
• Centralized Access Control
  – RADIUS (UDP 1812 and 1813)
    • ONLY encrypts the password in the Access-Request (username, authorized services and accounting info could be captured)
    • Combines Authentication and Authorization
    • Suited for network user access
  – TACACS+ (TCP 49)
    • Encrypts the entire message
    • Each AAA service is separated (allows per-command/per-interface privileges)
    • Suitable for network device administration
RADIUS
• Remote Authentication Dial-In User Service
• Exchange between client, router and RADIUS server:
  – Client request (resource access request)
  – Access-Request (UN+PW)
  – Access-Accept/Reject
  – Accounting-Request (Start/Stop – acct info)
  – Accounting-Response (Ack)
TACACS+ authentication
• Terminal Access Controller Access-Control System (plus)
• Exchange between client, router and TACACS+ server:
  – Client request (resource access request)
  – Start authentication
  – Reply auth (get username)
  – Continue auth (username)
  – Reply auth (get password)
  – Continue auth (password)
  – Pass/Fail
  – Authorization Request, Accounting Request
TACACS+ example config
aaa new-model
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
!
aaa authorization commands <0|1|15> default group tacacs+ none
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands <0|1|15> default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
tacacs-server host <server-IP>
tacacs-server key <shared-secret>
!
ip tacacs source-interface Loopback0
Use a ‘Jumphost’
Figure: Internet -> SSH to the bastion host -> only allow SSH access to the devices from the jump-server (bastion host)
Securing SNMP (UDP 161)
• SNMPv2
  – Community based (v2c)
  – Different communities for read/write
• SNMPv3
  – NoAuthNoPriv
  – AuthNoPriv
  – AuthPriv
    • Auth: HMAC-MD5 or HMAC-SHA
    • Encryption: CBC-DES
Figure: SNMP manager and agent (MIB); manager -> agent: Get Request, Get_Next Request, Get_Bulk Request, Set Request; agent -> manager: Get Response, Trap
Securing SNMP
• Restrict to read-only
• Use separate credentials for write – better, do not allow write at all!
• Restrict SNMP views to only the required OIDs in the MIB
• Configure ACLs to restrict SNMP access to known managers
• Use SNMPv3 (devices might need updating to support it)
Securing SNMP – Example
access-list 99 permit <snmp-server-IP>
! OR
access-list 99 permit <snmp-server-subnet> <wildcard>
!
snmp-server community <community-string> ro 99
snmp-server trap-source Loopback0
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server host <snmp-server1-IP> <community-string>
snmp-server host <snmp-server2-IP> <community-string>
Banner – What is wrong?
banner login ^
Please disconnect from my Router!
^
More Appropriate Banner
banner login ^
Authorised Access Only!
All access is being logged.
Any unauthorised access will be prosecuted to the full extent of the law!
Disconnect immediately if you are not an authorised user!
Contact [email protected] or +61 3858 XXXX for help.
^
Centralized Logging (syslog - UDP 514)
logging host <syslog-server-IP>
logging trap <0-7>
logging alarm <0-4>
logging facility syslog
! source of the log messages
logging source-interface Loopback0
Log changes to the config
(config)#archive
(config-archive)#log config
(config-archive-log)#logging enable
(config-archive-log)#notify syslog
(config-archive-log)#hidekeys
*Jan 14 2018 16:34:37.915 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:logging console
*Jan 14 2018 16:39:17.592 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:router bgp 45192
*Jan 14 2018 16:39:23.541 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:address-family ipv4 unicast
*Jan 14 2018 16:39:49.416 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:no neighbor 38.229.6.20 route-map CYMRUBOGONS-V4 in
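As an added example (not from the workshop slides), the following Python reviews a batch of %PARSER-5-CFGLOG_LOGGEDCMD syslog lines like the ones above: it parses the user and command out of each line, then flags changes made by an account outside an allowed list and "no ..." commands that remove a filter, AAA, logging, archive, uRPF or password-encryption setting. The sample lines are constructed in the slide's format (the four above plus one more); the set of sensitive patterns is an assumption to be tuned per site.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample in the %PARSER-5-CFGLOG_LOGGEDCMD format shown on the slide
# (the four slide lines plus one constructed line that turns password encryption off).
SAMPLE_SYSLOG = """\
*Jan 14 2018 16:34:37.915 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:logging console
*Jan 14 2018 16:39:17.592 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:router bgp 45192
*Jan 14 2018 16:39:23.541 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:address-family ipv4 unicast
*Jan 14 2018 16:39:49.416 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:no neighbor 38.229.6.20 route-map CYMRUBOGONS-V4 in
*Jan 14 2018 16:41:02.100 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:no service password-encryption
"""

LOG_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d{1,2} \d{4} [\d:.]+ \w+): "
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

@dataclass
class ConfigEvent:
    timestamp: str
    user: str
    command: str

def parse_cfglog(text: str) -> List[ConfigEvent]:
    """Extract (timestamp, user, command) from each CFGLOG_LOGGEDCMD line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(ConfigEvent(m["ts"], m["user"], m["cmd"].strip()))
    return events

# "no ..." commands that remove a control this deck tells you to have in place
# (route/packet filters, AAA, logging, config archiving, uRPF, password encryption).
# Assumed list: extend it with whatever else your hardening baseline relies on.
SENSITIVE_REMOVALS = (
    re.compile(r"^no .*\b(prefix-list|route-map|access-class|access-group)\b"),
    re.compile(r"^no (aaa |service password-encryption|logging|archive|ip verify|ipv6 verify)"),
)

def review_events(events: List[ConfigEvent], authorised: Set[str]) -> List[Tuple[str, ConfigEvent]]:
    """Return (reason, event) pairs worth an operator's attention: changes by an account
    that is not on the authorised list, and commands that tear down a security control."""
    findings = []
    for ev in events:
        if ev.user not in authorised:
            findings.append(("unauthorised user", ev))
        if any(p.match(ev.command) for p in SENSITIVE_REMOVALS):
            findings.append(("security control removed", ev))
    return findings
```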
Turn Off unused services
Feature – Description – Command
CDP – Proprietary layer 2 discovery protocol – no cdp enable
TCP small servers – Standard TCP network services: echo, chargen, etc. (ports 19 and lower) – no service tcp-small-servers
UDP small servers – Standard UDP network services: echo, discard, etc. (ports 19 and lower) – no service udp-small-servers
Finger – Unix user lookup service, allows remote listing of logged-in users – no service finger
HTTP server – Some Cisco IOS devices offer web-based configuration – no ip http server / no ip http secure-server
Bootp server – Service to allow other routers to boot from this one – no ip bootp server
Turn Off Unused Services
Feature – Description – Command
Unreachables – Router will send ICMP unreachable messages for unknown destinations (Null0) – no ip unreachables / no ipv6 unreachables
IP source routing – Feature that allows a packet to specify its own route – no ip source-route / no ipv6 source-route
Proxy ARP – Router will act as a proxy for layer 2 address resolution – no ip proxy-arp
IP directed broadcast – Routers will direct packets to the broadcast addresses of subnets attached to them – no ip directed-broadcast
Configuration example
! Per-interface
interface <interface-ID>
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
interface Null0
 no ip unreachables
 no ipv6 unreachables
!
! Globally
no ip domain-lookup
no cdp run
no ip http server
no ip http secure-server
no ip source-route
no ipv6 source-route
no service finger
no ip bootp server
no service udp-small-servers
no service tcp-small-servers
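An added example, not part of the slides: a Python audit that reads an IOS configuration as text and reports which of the global and per-interface hardening commands from the tables above are missing. The sample configuration is constructed; the two command lists are assumptions taken from the tables and can be extended to your own baseline.

```python
# Global commands this deck's "Turn Off unused services" slides expect to be present.
REQUIRED_GLOBAL = [
    "no cdp run", "no ip http server", "no ip http secure-server",
    "no ip source-route", "no ipv6 source-route", "no service finger",
    "no ip bootp server", "no service udp-small-servers",
    "no service tcp-small-servers", "service password-encryption",
]
# Per-interface commands expected on every physical interface.
REQUIRED_INTERFACE = ["no ip redirects", "no ip directed-broadcast",
                      "no ip proxy-arp", "no cdp enable"]

# Constructed sample config: two global lines missing, one line missing on Gi0/0.
SAMPLE_CONFIG = """\
service password-encryption
no cdp run
no ip http server
no ip source-route
no service finger
no ip bootp server
no service udp-small-servers
no service tcp-small-servers
!
interface Loopback0
!
interface GigabitEthernet0/0
 description link to downstream customer-A
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
interface GigabitEthernet0/1
 description Link to Upstream
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
end
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of its indented sub-commands."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            ifaces[current] = []
        elif raw.startswith(" ") and current is not None:
            ifaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return ifaces

def audit_config(config):
    """Report hardening commands that are absent, globally and per physical interface."""
    top_level = {line.strip() for line in config.splitlines() if not line.startswith(" ")}
    missing_global = [c for c in REQUIRED_GLOBAL if c not in top_level]
    interface_gaps = {}
    for name, cmds in parse_interfaces(config).items():
        if name.startswith(("Loopback", "Null")):
            continue  # virtual interfaces: no layer-2 neighbours to protect against
        missing = [c for c in REQUIRED_INTERFACE if c not in cmds]
        if missing:
            interface_gaps[name] = missing
    return {"missing_global": missing_global, "interface_gaps": interface_gaps}
```

`show running-config` omits commands that are at their default on that IOS release (`no service tcp-small-servers`, for instance), so run this against the archived full configuration or the output of `show running-config all` rather than the plain running-config.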
Route/Packet Filtering
Inbound Route Filtering
router bgp 17821
 neighbor x6:x6::x6 remote-as <transit|peer>
 neighbor x6:x6::x6 description v6 peering with upstream|peer
 neighbor x4.x4.x4.x4 remote-as <transit|peer>
 neighbor x4.x4.x4.x4 description v4 peering with upstream|peer
 !
 address-family ipv4
  neighbor x4.x4.x4.x4 prefix-list <prefix-filter> in
 !
 address-family ipv6
  neighbor x6:x6::x6 prefix-list <prefix-filter> in
• Transit provider:
  – Block bogus routes and accept everything else
• Peer:
  – Only accept their prefixes (and their downstreams’)
Transit Filter: IPv4 prefixes
no ip prefix-list in-filter
ip prefix-list in-filter deny 0.0.0.0/0               ! Default
ip prefix-list in-filter deny 0.0.0.0/8 le 32         ! Network Zero
ip prefix-list in-filter deny 10.0.0.0/8 le 32        ! RFC1918
ip prefix-list in-filter deny 100.64.0.0/10 le 32     ! RFC6598 shared address
ip prefix-list in-filter deny <your prefix>/X le 32   ! Your address space
ip prefix-list in-filter deny 127.0.0.0/8 le 32       ! Loopback
ip prefix-list in-filter deny 169.254.0.0/16 le 32    ! APIPA
ip prefix-list in-filter deny 172.16.0.0/12 le 32     ! RFC1918
ip prefix-list in-filter deny 192.0.0.0/24 le 32      ! IETF Protocol
ip prefix-list in-filter deny 192.0.2.0/24 le 32      ! TEST1
ip prefix-list in-filter deny 192.168.0.0/16 le 32    ! RFC1918
ip prefix-list in-filter deny 198.18.0.0/15 le 32     ! Benchmarking
ip prefix-list in-filter deny 198.51.100.0/24 le 32   ! TEST2
ip prefix-list in-filter deny 203.0.113.0/24 le 32    ! TEST3
ip prefix-list in-filter deny 224.0.0.0/4 le 32       ! Multicast
ip prefix-list in-filter deny 240.0.0.0/4 le 32       ! Future Use
ip prefix-list in-filter deny 0.0.0.0/0 ge 25         ! Prefixes longer than /24
ip prefix-list in-filter permit 0.0.0.0/0 le 32
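An added example, not part of the slides: a small Python evaluator that applies IOS prefix-list semantics (sequential first match, ge/le length ranges, implicit deny at the end) to the transit inbound filter above, so a candidate prefix can be checked before the filter goes on a router. Its parser also accepts ipv6 prefix-list lines and seq numbers, so the IPv6 and peer filters that follow can be tested the same way; the embedded copy of the filter leaves the "<your prefix>" entry out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class PrefixRule:
    action: str                # "permit" or "deny"
    network: object            # IPv4Network or IPv6Network
    ge: Optional[int] = None   # IOS "ge": minimum prefix length
    le: Optional[int] = None   # IOS "le": maximum prefix length

def parse_prefix_list(text):
    """Parse 'ip|ipv6 prefix-list NAME [seq N] permit|deny PFX [ge X] [le Y]' lines;
    trailing '! comments' and 'no ip prefix-list ...' reset lines are ignored."""
    rules = []
    for line in text.splitlines():
        tok = line.split("!", 1)[0].split()
        if not tok or tok[0] == "no":
            continue
        if tok[3] == "seq":
            del tok[3:5]
        rule = PrefixRule(tok[3], ipaddress.ip_network(tok[4], strict=False))
        for key, val in zip(tok[5::2], tok[6::2]):
            setattr(rule, key, int(val))   # key is "ge" or "le"
        rules.append(rule)
    return rules

def matches(rule, cand):
    """IOS semantics: the candidate's first n bits must equal the rule's network and its
    length must lie in [ge, le]; with neither keyword only the exact length matches."""
    if cand.version != rule.network.version or not cand.subnet_of(rule.network):
        return False
    n = rule.network.prefixlen
    lo = rule.ge if rule.ge is not None else n
    hi = rule.le if rule.le is not None else (cand.max_prefixlen if rule.ge is not None else n)
    return lo <= cand.prefixlen <= hi

def evaluate(rules, prefix):
    """First matching entry decides; a prefix matching nothing hits the implicit deny."""
    cand = ipaddress.ip_network(prefix, strict=False)
    for rule in rules:
        if matches(rule, cand):
            return rule.action
    return "deny"

# The transit IPv4 inbound filter from this deck (the "<your prefix>" entry left out).
TRANSIT_IN_FILTER = """\
no ip prefix-list in-filter
ip prefix-list in-filter deny 0.0.0.0/0             ! Default
ip prefix-list in-filter deny 0.0.0.0/8 le 32       ! Network Zero
ip prefix-list in-filter deny 10.0.0.0/8 le 32      ! RFC1918
ip prefix-list in-filter deny 100.64.0.0/10 le 32   ! RFC6598 shared address
ip prefix-list in-filter deny 127.0.0.0/8 le 32     ! Loopback
ip prefix-list in-filter deny 169.254.0.0/16 le 32  ! APIPA
ip prefix-list in-filter deny 172.16.0.0/12 le 32   ! RFC1918
ip prefix-list in-filter deny 192.0.2.0/24 le 32    ! TEST1
ip prefix-list in-filter deny 192.168.0.0/16 le 32  ! RFC1918
ip prefix-list in-filter deny 198.18.0.0/15 le 32   ! Benchmarking
ip prefix-list in-filter deny 198.51.100.0/24 le 32 ! TEST2
ip prefix-list in-filter deny 203.0.113.0/24 le 32  ! TEST3
ip prefix-list in-filter deny 224.0.0.0/4 le 32     ! Multicast
ip prefix-list in-filter deny 240.0.0.0/4 le 32     ! Future Use
ip prefix-list in-filter deny 0.0.0.0/0 ge 25       ! Prefixes longer than /24
ip prefix-list in-filter permit 0.0.0.0/0 le 32
"""
```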
Transit Filter: IPv6 prefixes
no ipv6 prefix-list v6in-filter
ipv6 prefix-list v6in-filter deny 2001::/32 le 128      ! Teredo subnets
ipv6 prefix-list v6in-filter deny 2001:db8::/32 le 128  ! Documentation
ipv6 prefix-list v6in-filter deny 2002::/16 le 128      ! 6to4 subnets
ipv6 prefix-list v6in-filter deny <your::/32> le 128    ! Your prefix
ipv6 prefix-list v6in-filter deny 3ffe::/16 le 128      ! Old 6bone
ipv6 prefix-list v6in-filter deny fc00::/7 le 128       ! ULA
ipv6 prefix-list v6in-filter deny fe00::/9 le 128       ! Reserved IETF
ipv6 prefix-list v6in-filter deny fe80::/10 le 128      ! Link-local
ipv6 prefix-list v6in-filter deny fec0::/10 le 128      ! Site-local (deprecated)
ipv6 prefix-list v6in-filter deny ff00::/8 le 128       ! Multicast
ipv6 prefix-list v6in-filter permit 2000::/3 le 48      ! Global Unicast
ipv6 prefix-list v6in-filter deny ::/0 le 128
Peer Filter: IPv4/v6 prefixes
no ip prefix-list peer-in-filter
ip prefix-list peer-in-filter permit A.A.A.A/18 le 24       ! Peer’s prefix
ip prefix-list peer-in-filter permit B.B.B.B/19 le 24       ! Peer’s prefix
ip prefix-list peer-in-filter deny 0.0.0.0/0 ge 32          ! Deny everything else
!
no ipv6 prefix-list peerv6-in-filter
ipv6 prefix-list peerv6-in-filter permit 2002:A::/32 le 48  ! Peer’s prefix
ipv6 prefix-list peerv6-in-filter deny ::/0 le 128          ! Deny everything else
Outbound filtering
router bgp 17821
 neighbor x6:x6::x6 remote-as <transit|peer>
 neighbor x6:x6::x6 description v6 peering with upstream|peer
 neighbor x4.x4.x4.x4 remote-as <transit|peer>
 neighbor x4.x4.x4.x4 description v4 peering with upstream|peer
 !
 address-family ipv4
  neighbor x4.x4.x4.x4 prefix-list out-filter out
 !
 address-family ipv6
  neighbor x6:x6::x6 prefix-list outv6-filter out
!
no ip prefix-list out-filter
ip prefix-list out-filter permit M.M.M.M/19 le 24        ! Your prefix
ip prefix-list out-filter permit N.N.N.N/19 le 24        ! Your prefix
ip prefix-list out-filter deny 0.0.0.0/0 ge 32           ! Deny everything else
!
no ipv6 prefix-list outv6-filter
ipv6 prefix-list outv6-filter permit 2002:M::/32 le 48   ! Your prefix
ipv6 prefix-list outv6-filter deny ::/0 le 128           ! Deny everything else
• Transit/Peer:
  – Only advertise your prefixes (and your downstreams’)
Bogons
• Not all IP addresses (v4 and v6) are allocated by IANA
• Addresses that should not be seen on the Internet are called “Bogons” (also called “Martians”)
  – RFC1918 space + reserved space
• IANA publishes the list of number resources that have been allocated/assigned to RIRs/end-users
  – https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml
  – https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
Bogons
• Commonly found as source addresses of DDoS packets
• We should have ingress and egress filters for bogon routes
  – Should not route them nor accept them from peers
• We could manually craft prefix filters based on the bogon list from IANA
  – But the bogon list is dynamic
  – New allocations are made out of reserved blocks frequently
Bogon Route Server Project
• In comes the Bogon Route Server project by Team Cymru
• Provides dynamic bogon information using eBGP multihop sessions
  – Traditional bogons (AS65333)
    • martians plus prefixes not allocated by IANA
  – Full-bogons (AS65332)
    • the above plus prefixes allocated to RIRs but not yet assigned to ISPs/end-users by the RIRs
• For details:
  – http://www.team-cymru.org/bogon-reference-bgp.html
Peering- Bogon Route Servers
• To peer with the bogon route servers
  – Write to [email protected]
• You should provide:
  – Your ASN
  – Which bogons you wish to receive
  – Your peering addresses
  – MD5 for BGP?
  – PGP public key (optional)
• It is recommended to have at least 2 (two) peering sessions for redundancy
Bogon Filter Configuration
router bgp 17821
 neighbor cymru-bogons peer-group
 neighbor cymru-bogons remote-as 65332
 neighbor cymru-bogons description Peering with Cymru Bogon RS
 neighbor cymru-bogons ebgp-multihop 255
 neighbor cymru-bogons password <md5-pw>
 neighbor cymru-bogons update-source Loopback0
 !
 neighbor cymru-v6bogons peer-group
 neighbor cymru-v6bogons remote-as 65332
 neighbor cymru-v6bogons description Peering with Cymru IPv6 Bogon RS
 neighbor cymru-v6bogons ebgp-multihop 255
 neighbor cymru-v6bogons password <md5-pw>
 neighbor cymru-v6bogons update-source Loopback0
 !
 neighbor 2620:0:6B0:XXXX::20 peer-group cymru-v6bogons
 !
 neighbor 38.XXX.XXX.20 peer-group cymru-bogons
 !
 address-family ipv4
  neighbor cymru-bogons prefix-list DENY-ALL out
  neighbor cymru-bogons maximum-prefix 10000 90
  neighbor 38.XXX.XXX.20 activate
 !
 address-family ipv6
  neighbor cymru-v6bogons prefix-list DENYv6-ALL out
  neighbor cymru-v6bogons maximum-prefix 100000 90
  neighbor 2620:0:6B0:XXXX::20 activate
Bogon Filter Configuration
ip prefix-list DENY-ALL seq 5 deny 0.0.0.0/0 le 32
ipv6 prefix-list DENYv6-ALL seq 5 deny ::/0 le 128
!
! Define communities for bogons
! Cymru full-bogons are tagged with the community 65332:888
ip bgp-community new-format
ip community-list 10 permit 65332:888
ip community-list 11 permit 17821:888   ! our own bogon tag for iBGP peers
!
! Define route-maps to set the next-hop address for the bogons (null routed)
! Set local (no-export) community to propagate bogons to partial iBGP peers
route-map CYMRU-BOGONS permit 10
 match community 10
 set local-preference 1000
 set community 17821:888 no-export
 set ip next-hop 192.0.2.1
!
route-map CYMRU-v6BOGONS permit 10
 match community 10
 set local-preference 1000
 set community 17821:888 no-export
 set ipv6 next-hop 2001:db8::1
!
Bogon Filter Configuration
! Null route the bogon next hops (this is also needed on all iBGP peers)
ip route 192.0.2.1 255.255.255.255 Null0
ipv6 route 2001:db8::1/128 Null0
!
! Define route-maps to propagate the bogons to partial iBGP peers:
!
route-map iBGP-BOGONS permit 10
 description allow our bogons
 match community 11
!
route-map v6-iBGP-BOGONS permit 10
 description allow our bogons
 match community 11
!
Bogon Filter Configuration
! Propagate bogons to all iBGP peers:
!
router bgp 17821
 neighbor full-ibgp peer-group
 neighbor full-ibgp remote-as 17821
 neighbor full-ibgp update-source Loopback0
 !
 neighbor full-ibgpv6 peer-group
 neighbor full-ibgpv6 remote-as 17821
 neighbor full-ibgpv6 update-source Loopback0
 !
 neighbor rr-client peer-group
 neighbor rr-client remote-as 17821
 neighbor rr-client update-source Loopback0
 !
 neighbor rrv6-client peer-group
 neighbor rrv6-client remote-as 17821
 neighbor rrv6-client update-source Loopback0
 !
Bogon Filter Configuration
! Propagate bogons to all iBGP peers:
!
 address-family ipv4
  neighbor full-ibgp send-community
  neighbor full-ibgp next-hop-self
  neighbor full-ibgp route-map CYMRU-BOGONS out
  !
  neighbor rr-client send-community
  neighbor rr-client route-reflector-client
  neighbor rr-client next-hop-self
  neighbor rr-client route-map iBGP-BOGONS out
 !
 address-family ipv6
  neighbor full-ibgpv6 send-community
  neighbor full-ibgpv6 next-hop-self
  neighbor full-ibgpv6 route-map CYMRU-v6BOGONS out
  !
  neighbor rrv6-client send-community
  neighbor rrv6-client route-reflector-client
  neighbor rrv6-client next-hop-self
  neighbor rrv6-client route-map v6-iBGP-BOGONS out
Filtering Considerations
• How does filter depth impact performance?
• Do I need a standalone firewall?
Filtering Best Practices
• Explicitly deny all traffic and only allow what you need
• The default policy should be: if the firewall doesn't know what to do with the packet, drop!
• Don't rely only on your firewall for all protection of your network
• Implement multiple layers of network protection
• Make sure all of the network traffic passes through the firewall
• Log all firewall exceptions (if possible)
Filtering Recommendations
• Log filter port messages properly
• Allow only internal addresses to enter the router from the internal interface
• Block packets from outside (untrusted) that are obviously fake/bogus or commonly used for attacks
• Block packets that claim to have a source address of any internal (trusted) network
Traffic filter example – IPv4 (equivalent for v6!)
ip access-list extended TRAFFIC-IN
 deny udp any any eq 19                  ! Chargen
 deny tcp any any eq 19                  ! Chargen
 deny udp any any range 135 139          ! netbios stuff
 deny tcp any any range 135 139          ! netbios stuff
 deny udp any any eq 123                 ! no one should use our NTP
 deny tcp any any eq 445                 ! Blaster/SMB worm
 deny tcp any any eq 1025                ! uSoft RPC exploit
 deny tcp any any eq 1337                ! Redshell backdoor
 deny tcp any any eq 1433                ! MS SQL worm
 deny udp any any eq 1434                ! MS SQL worm
 deny udp any any eq 2049                ! Sun NFS
 deny tcp any any eq 2745                ! Blaster worm
 deny tcp any any eq 3001                ! NessusD backdoor
 deny tcp any any eq 3127                ! MyDoom worm
 deny tcp any any eq 3128                ! MyDoom worm
 deny tcp any any eq 5000                ! WindowsXP UPnP port
 deny tcp any any eq 6129                ! Dameware backdoor
 deny tcp any any eq 11768               ! Dipnet/Oddbob worm
 deny tcp any any eq 15118               ! Dipnet/Oddbob worm
 deny icmp any any fragments             ! Block ICMP fragments
 permit icmp any any
 deny ip <your-address> <wildcard> any   ! your own address space must not arrive from outside
 permit ip any any
Source IP spoofing – Defense
• BCP38 (RFC2827) – since 1998!
  – https://tools.ietf.org/html/bcp38
• Only allow traffic with valid source addresses to
  – Leave your network
    • Only packets with a source address from your own address space
  – Enter/transit your network
    • Only source addresses from downstream customer address space
uRPF – Unicast Reverse Path
• Unicast Reverse Path Forwarding (uRPF)
  – The router verifies that the source address of every packet received is in the FIB (routing table) and reachable
    • Drop if not!
  – Recommended on customer-facing interfaces
(config-if)#ip verify unicast source reachable-via {rx | any}
(config-if)#ipv6 verify unicast source reachable-via {rx | any}
uRPF – Unicast Reverse Path
• Modes of operation:
  – Strict: verifies both the source address and the incoming interface against FIB entries
  – Loose: verifies only the existence of a route to the source address
Figure: packets with Src = 172.16.16.2 and Src = 192.168.1.1 arriving at a router with interfaces pos0/0 and ge0/0; FIB: 172.16.16.0/24 via ge0/0, 192.168.1.0/24 via fa0/0
Image source: “Cisco ISP Essentials”, Barry Greene & Philip Smith 2002
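An added example, not part of the slides: Python that emulates the strict and loose uRPF decision against the FIB from the figure, for the two source addresses shown. The FIB dictionary adds two constructed entries (a default route towards the upstream and a null route for a bogon next hop, as in the Team Cymru configuration earlier in this deck), and the allow_default flag models the IOS allow-default keyword, which is off unless configured.

```python
import ipaddress

# FIB from the slide's figure (prefix -> outgoing interface), plus two constructed entries:
# a default route towards the upstream and a null route for a bogon next hop.
FIB = {
    "172.16.16.0/24": "ge0/0",
    "192.168.1.0/24": "fa0/0",
    "192.0.2.0/24": "Null0",   # constructed: null-routed bogon space
    "0.0.0.0/0": "pos0/0",     # constructed: default route to upstream
}

def fib_lookup(fib, addr):
    """Longest-prefix match: returns (network, interface), or None when no route covers addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for pfx, ifname in fib.items():
        net = ipaddress.ip_network(pfx)
        if ip.version == net.version and ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def urpf_check(fib, src, in_iface, mode="strict", allow_default=False):
    """Emulate 'ip verify unicast source reachable-via rx|any'.
    strict (rx): the best route to the source must point out the interface the packet came in on.
    loose (any): any route to the source suffices, except a null route.
    The default route only counts when allow-default is configured."""
    hit = fib_lookup(fib, src)
    if hit is None:
        return False
    net, out_iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False  # a bare default route does not vouch for the source
    if out_iface.lower().startswith("null"):
        return False  # null-routed sources (bogons) fail in both modes
    return True if mode == "loose" else out_iface == in_iface
```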
Edge Packet Filters - Example
access-list 121 permit ip <my-subnet> <wild-card> any
access-list 121 deny ip any any log
!
access-list 200 permit ip <cust-subnet> <wild-card> any
access-list 200 deny ip any any log
!
interface Te0/0/0
 description Link to Upstream
 ip access-group 121 out
!
interface Gig0/0
 description link to downstream customer-A
 ip access-group 200 in
Configuration backup/ archiving
Configuration Files
• Be careful when sending config files – people can snoop the wire
  – MD5 validation
  – SCP should be used to copy files/images
    • Avoid TFTP and FTP!
• Use tools like ‘rancid’ or ‘oxidized’ to periodically check them against modified configuration files
scp <file|image> user@router-ip:bootflash:<file-image>
!
scp user@router-ip:bootflash:<file-image> .
#verify /md5 nvram:startup-config
.Done!
verify /md5 (nvram:startup-config) = 7b9e589178bd133fecb975195701447d
OOB Management
• OOB device management should be used – DoS attacks then do not hinder access to critical devices
• Reverse Telnet is a good tool in emergencies! AUX <-> Console
telnet <your-IP> <2000+TTY#>
show line