ISCW Module 5

Implementing Secure Converged Wide Area Networks (ISCW)
ISCW-Mod5_L1
2007 Cisco Systems, Inc. All rights reserved.
Thinking Like a Hacker
Lesson 1 Module 5 Cisco Device Hardening
ISCW-Mod5_L1
Module Introduction (1)

The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
ISCW-Mod5_L1

"If you know yourself but not your enemy, for every victory gained you will also suffer a defeat." Sun Tzu The Art of War
Before learning how to defend against attack, you need to know how a potential attacker operates. The theme of the first few lessons in this module is therefore, know thine enemy.
This module will help you to understand how hackers operate and what attack strategies they can employ. Once you know the nature of the threat, you will be better able to implement the full set of security features contained in Cisco IOS software to provide security for your network.
ISCW-Mod5_L1 2007 Cisco Systems, Inc. All rights reserved.

The module describes the best practices for securing router administrative access using mechanisms such as:
password security features, failed login attempt handling, and role-based command-line interface (CLI).
You will learn how to:

mitigate attacks using access lists; how to design and implement a secure management system including secure protocols such as Secure Shell (SSH), Simple Network Management Protocol version 3 (SNMPv3), and authenticated Network Time Protocol (NTP).
Also discussed are the most ubiquitous authentication, authorisation, and accounting (AAA) protocols - RADIUS and TACACS+, and explanations of the differences between them.
ISCW-Mod5_L1
Objectives
At the completion of this first lesson, you will be able to:
Describe the steps taken by a potential network hacker to gain unauthorised access Explain the detailed information that a hacker is looking to learn, and how this may be used to compromise network security Describe the basic steps that need to be taken to mitigate network attacks
ISCW-Mod5_L1
Seven Steps to Hacking a Network

Seven steps for compromising targets and applications:
Step 1 Perform footprint analysis (reconnaissance) Step 2 Detail the information Step 3 Manipulate users to gain access Step 4 Escalate privileges Step 5 Gather additional passwords and secrets Step 6 Install back doors Step 7 Leverage the compromised system
ISCW-Mod5_L1
Hacking a Network
The goal of any hacker is to compromise the intended target or application Hackers begin with little or no information about the intended target, but by the end of their analysis, they will have accessed the network and will have begun to compromise their target Their approach is always careful and methodical never rushed and never reckless The seven-step process outlined in the previous slide is a good representation of the method that hackers use and a starting point for an analysis of how to defeat it
ISCW-Mod5_L1
Footprint Analysis (Reconnaissance)

Web pages, phone books, company brochures, subsidiaries, etc Knowledge of acquisitions nslookup command to reconcile domain names against IP addresses of the companys servers and devices Port scanning to find open ports and operating systems installed on hosts traceroute command to help build topology WHOIS queries
9
ISCW-Mod5_L1
How to Defeat Footprinting

Keep all sensitive data off-line (business plans, formulas, and proprietary documents) Minimise the amount of information on your public website Examine your own website for insecurities Run a ping sweep on your network Familiarise yourself with one or more of the five Regional Internet Registries such as ARIN for North America to determine network blocks.
ISCW-Mod5_L1
10
Detail the Information

Find your server applications and versions:
What are your web, FTP, and mail server versions? Listen to TCP and UDP ports and send random data to each Cross-reference information to vulnerability databases to look for potential exploits
Exploit selected TCP ports, for example:

Windows NT, 2000, and XP file sharing using SMB protocol which uses TCP port 445. In Windows NT, SMB runs on top of NetBT using ports 137, 138 (UDP), and 139 (TCP).
ISCW-Mod5_L1
11
Software Tools
Hackers can use some of the tools listed here. All of these tools are readily available to download, and security staff should know how these tools work. Netcat: Netcat is a featured networking utility that reads and writes data across network connections using the TCP/IP protocol. Microsoft EPDump and Remote Procedure Call (RPC) Dump: These tools provide information about Microsoft RPC services on a server:
The Microsoft EPDump application shows what is running and waiting on dynamically assigned ports. The RPC Dump (rpcdump.exe) application is a command-line tool that queries RPC endpoints for status and other information on RPC..
GetMAC: This application provides a quick way to find the MAC (Ethernet) layer address and binding order for a computer running Microsoft Windows 2000 locally or across a network.. Software development kits (SDKs): SDKs provide hackers with the basic tools that they need to learn more about systems.
12
Manipulate Users to Gain Access

Social engineering is a way to manipulate people inside the network to provide the information needed to access the network. A computer is not required!!
Social engineering by telephone Dumpster diving Reverse social engineering Recommended reading: The Art of Deception: Controlling the Human Element of Security Mitnik, KD and Simon, WL; Wiley; New Ed edition (17 Oct 2003)
There is a great deal of anecdotal evidence that this is one of the most successful techniques
ISCW-Mod5_L1
13
Password Cracking
Hackers use many tools and techniques to crack passwords:
Word lists Brute force Hybrids The yellow Post-It stuck on the side of the monitor, or in top of desk drawer..
Password cracking attacks any application or service that accepts user authentication, including those listed here:
NetBIOS over TCP (TCP 139) Direct host (TCP 445) FTP (TCP 21) Telnet (TCP 23) SNMP (UDP 161) PPTP (TCP 1723) Terminal services (TCP 3389)
ISCW-Mod5_L1
14
Escalate Privileges
After securing a password for a user account and user-level privileges to a host, hackers attempt to escalate their privileges. The hacker will review all the information he or she can see on the host:
Files containing user names and passwords Registry keys containing application or user passwords Any available documentation (for example, e-mail)
If the host cannot be seen by the hacker, the hacker may launch a Trojan application such as W32/QAZ to provide it.
ISCW-Mod5_L1
15
Gather Additional Passwords and Secrets

Hackers target:
The local security accounts manager database The active directory of a domain controller
Hackers can use legitimate tools including pwdump and lsadump applications. Hackers gain administrative access to all computers by cross-referencing user names and password combinations
ISCW-Mod5_L1
16
Install Back Doors and Port Redirectors

Back doors:
Back doors provide: A way back into the system if the front door is locked A way into the system that is not likely to be detected
Back doors may use reverse trafficking:

Example: Code Red
Port redirectors:
Port redirectors can help bypass port filters, routers, and firewalls and may even be encrypted over an SSL tunnel to evade intrusion detection devices.
ISCW-Mod5_L1
17
Leverage the Compromised System

Back doors and port redirectors let hackers attack other systems in the network Reverse trafficking lets hackers bypass security mechanisms Trojans let hackers execute commands undetected Scanning and exploiting the network can be automated The hacker remains behind the cover of a valid administrator account The whole seven-step process is repeated as the hacker continues to penetrate the network
ISCW-Mod5_L1
18
Best Practices to Defeat Hackers

Keep patches up to date Shut down unnecessary services and ports Use strong passwords and change them often Control physical access to systems Curtail unexpected and unnecessary input Perform system backups and test them on a regular basis Warn everybody about social engineering Encrypt and password-protect sensitive data Use appropriate security hardware and software Develop a written security policy for the company
ISCW-Mod5_L1
19
Mitigating Network Attacks
ISCW-Mod5_L1
20
Module Introduction
ISCW-Mod5_L1
21
Objectives
At the completion of this second lesson, you will be able to:
Describe some of the more common network attacks, and explain what effect they have on the network Explain how to mitigate the effects of these common attacks
ISCW-Mod5_L1
22
Reconnaissance
Reconnaissance is the unauthorised discovery and mapping of systems, services, or vulnerabilities. Reconnaissance is also known as information gathering, and in most cases, precedes an access or Denial of Service (DoS) attack. The malicious intruder typically conducts a ping sweep of the target network to determine which IP addresses are alive and then determines which services or ports are active on the live IP addresses. The intruder then queries the ports to determine the type and version of the application and operating system that is running on the target host. Reconnaissance attacks can consist of the following:
Packet sniffers Port scans Ping sweeps Internet information queries
23
Attacks Based on Minimal Intelligence
Attacks that require little intelligence about the target network:

Reconnaissance Access attacks DoS and Distributed DoS (DDoS)
24
Attacks Based on Intelligence or Insider Information

Attacks that typically require more intelligence or insider access:
Worms, viruses, and Trojan horses Application layer attacks Threats to management protocols
ISCW-Mod5_L1
25
Packet Sniffing
A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN
Packet sniffers can only work in the same collision domain as the network being attacked
Promiscuous mode is a mode in which the network adapter card sends all packets that are received on the physical network wire to an application for processing Some network applications distribute network packets in plaintext. Because the network packets are not encrypted, the packets can be processed and understood by any application that can pick them off the network and process them Because the specifications for network protocols, such as TCP/IP, are widely published, a third party can easily interpret the network packets and develop a packet sniffer. Numerous freeware and shareware packet sniffers are available that do not require the user to understand anything about the underlying protocols
ISCW-Mod5_L1
26
Packet Sniffers
A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. Packet sniffers: Exploit information passed in plaintext. Protocols that pass information in plaintext are Telnet, FTP, SNMP, POP, and HTTP. Must be on the same collision domain. Can be used legitimately or can be designed specifically for attack.
27
Packet Sniffer Mitigation

The techniques and tools that can be used to mitigate packet sniffer attacks include:
Authentication Using strong authentication is a first option for defense against packet sniffers. Cryptography If a communication channel is cryptographically secure, the only data a packet sniffer detects is cipher text (a seemingly random string of bits) and not the original message Anti-sniffer tools Antisniffer tools detect changes in the response time of hosts to determine whether the hosts are processing more traffic than their own traffic loads would indicate. Switched infrastructure A switched infrastructure obviously does not eliminate the threat of packet sniffers but can greatly reduce the sniffers effectiveness.
28
Port Scans and Ping Sweeps

As legitimate tools, port scan and ping sweep applications run a series of tests against hosts and devices to identify vulnerable services The information is gathered by examining IP addressing and port or banner data from both TCP and UDP ports Essentially, a port scan consists of sending a message to each port, one port at a time. The kind of response that the sender receives indicates whether the port is used and can therefore be probed for weakness A ping sweep, or ICMP sweep, is a basic network scanning technique that determines which range of IP addresses map to live hosts
29
Port Scans and Ping Sweeps

Port scans and ping sweeps attempt to identify: All services All hosts and devices The operating systems Vulnerabilities
ISCW-Mod5_L1
30
Port Scan and Ping Sweep Mitigation

Port scanning and ping sweeping is not a crime and there is no way to stop these scans and sweeps when a computer is connected to the Internet
There are ways to prevent damage to the system
Ping sweeps can be stopped if ICMP echo and echo-reply are turned off on edge routers
When these services are turned off, network diagnostic data is lost
Network-based IPS and host-based IPS (HIPS) can usually notify when a reconnaissance attack is under way ISPs compare incoming traffic to the intrusion detection system (IDS) or the IPS signatures in the IPS database.
Signatures are characteristics of particular traffic patterns. A signature, such as several packets to different destination ports from the same source address within a short period of time, can be used to detect port scans
A stealth scan is more difficult to detect, and many intrusion detection and prevention systems will not notice this scan taking place. Discovering stealth scans requires kernel-level work
31
ISCW-Mod5_L1
Port Scan and Ping Sweep Mitigation

Port scans and ping sweeps cannot be prevented without compromising network capabilities. However, damage can be mitigated using intrusion prevention systems at network and host levels.
ISCW-Mod5_L1
32
Internet Information queries

DNS queries can reveal information such as who owns a particular domain and what addresses have been assigned to that domain Ping sweeps of addresses revealed by DNS queries can present a picture of the live hosts in a particular environment
After such a list is generated, port scanning tools can cycle through all well-known ports to provide a complete list of all services that are running on the hosts that the ping sweep discovered. Hackers can examine the characteristics of the applications that are running on the hosts, which can lead to specific information that is useful when the hacker attempts to compromise that service
IP address queries can reveal information such as who owns a particular IP address or range of addresses and which domain is associated with the addresses
ISCW-Mod5_L1
33
Internet Information queries
Sample IP address query

Attackers can use Internet tools such as WHOIS as weapons.
34
Access Attacks and Mitigation

Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information for these reasons:
Retrieve data Gain access Escalate their access privileges
Access attacks can be performed in a number of different ways

Password attacks Trust exploitation Port redirection Man-in-the-middle attacks Buffer overflow
ISCW-Mod5_L1
35
Password Attacks
Hackers implement password attacks using the following:
Brute-force attacks Trojan horse programs IP spoofing Packet sniffers
ISCW-Mod5_L1
36
Password Attacks
Password attacks can be implemented using several methods, including brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers. One security risk is the fact that passwords can be stored as plaintext. To overcome this risk, passwords should be encrypted. On most systems, passwords are run through an encryption algorithm to generate a one-way hash. In granting authorisation, the hashes are calculated and compared rather than using the plain password. To use this encryption method, you supply an account and password during the login process, and the algorithm generates a one-way hash. This hash is compared to the hash stored on the system. If they are the same, the system assumes that the proper password was supplied.
37
ISCW-Mod5_L1
Password Attack Example

L0phtCrack takes the hashes of passwords and generates the plaintext passwords from them Passwords are compromised using one of two methods: 1. Dictionary cracking 2. Brute-force computation
ISCW-Mod5_L1
38
Password Attack Mitigation

Password attack mitigation techniques:
Do not allow users to use the same password on multiple systems Disable accounts after a certain number of unsuccessful login attempts Do not use plaintext passwords For example strong passwords. (Use mY8!Rthd8y rather than mybirthday)
ISCW-Mod5_L1
39
Trust Exploitation
Trust exploitation refers to an individual taking advantage of a trust relationship within a network. An example of when trust exploitation takes place is when a perimeter network is connected to a corporate network.
These network segments often contain DNS, SMTP, and HTTP servers. Because these servers all reside on the same segment, a compromise of one system can lead to the compromise of other systems if those other systems also trust systems that are attached to the same network.
Another example of trust exploitation is a Demilitarised Zone (DMZ) host that has a trust relationship with an inside host that is connected to the inside firewall interface. The inside host trusts the DMZ host. When the DMZ host is compromised, the attacker can leverage that trust relationship to attack the inside host.
ISCW-Mod5_L1
40
Trust Exploitation
A hacker leverages existing trust relationships. Several trust models exist: Windows: Domains Active directory Linux and UNIX: NIS NIS+
ISCW-Mod5_L1
41
Trust Exploitation
Trust exploitation-based attacks can be mitigated through tight constraints on trust levels within a network
Systems that are inside a firewall should never absolutely trust systems that are outside a firewall. Absolute trust should be limited to specific protocols and, where possible, should be validated by something other than an IP address
In the DMZ example, the hacker connected to the Internet has already exploited some vulnerability of the DMZ host connected to the DMZ interface of the firewall The hackers next goal is to compromise the inside host that is connected to the inside (trusted) interface of the firewall
To attack the inside host from the DMZ host, the hacker needs to find the protocols that are permitted from the DMZ to the inside interface. Once the protocols are known, the attacker searches for vulnerabilities on the inside host. This attack can be stopped if the firewall allows only minimum or no connectivity from the DMZ to the inside interface
ISCW-Mod5_L1
42
Trust Exploitation Attack Mitigation

Trust levels within a network are tightly restrained by ensuring that systems inside a firewall never absolutely trust systems outside the firewall.
ISCW-Mod5_L1
43
Port Redirection
A port redirection attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise have been dropped. Port redirection bypasses the firewall rule sets by changing the normal source port for a type of network traffic. You can mitigate port redirection by using proper trust models that are network-specific. Assuming a system is under attack, an IPS can help detect a hacker and prevent installation of such utilities on a host.
ISCW-Mod5_L1
44
Port Redirection
ISCW-Mod5_L1
45
Man-in-the-Middle Attacks
Man-in-the-middle attacks have these purposes:
Theft of information Hijacking of an ongoing session to gain access to your internal network resources Traffic analysis to obtain information about your network and network users DoS Corruption of transmitted data Introduction of new information into network sessions
An example of a man-in-the-middle attack is when someone working for your ISP gains access to all network packets that transfer between your network and any other network Man-in-the-middle attacks can be mitigated by encrypting traffic in a VPN tunnel. Encryption allows the hacker to see only cipher text
46
Man-in-the-Middle Attacks and their Mitigation
A man-in-the-middle attack requires that the hacker has access to network packets that come across a network A man-in-the-middle attack is implemented using the following: Network packet sniffers Routing and transport protocols Man-in-the-middle attacks can be effectively mitigated only through the use of cryptographic encryption
47
DoS and DDoS Attacks and Mitigation

A DDoS attack and the simpler version of a DoS attack on a server, send extremely large numbers of requests over a network or the Internet These many requests cause the target server to run well below optimum speeds. Consequently, the attacked server becomes unavailable for legitimate access and use By overloading system resources, DoS and DDoS attacks crash applications and processes by executing exploits or a combination of exploits
DoS and DDoS attacks are the most publicised form of attack and are among the most difficult to completely eliminate
The hacker community regards DoS attacks as trivial and considers them unsophisticated because the attack requires so little effort to execute
48
DoS and DDoS Attack Characteristics

A DoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services Distributed DoS technique performs simultanous attacks from many distributed sources DoS and DDoS attacks have these characteristics:
Generally not targeted to gain access or information Require very little effort to execute Difficult to eliminate, but their damage can be minimised
DoS and DDoS attacks can use IP spoofing
ISCW-Mod5_L1
49
DDoS Attack Risks

DDoS attack risks include:
Downtime and productivity loss Revenue loss from sales and support services Lost customer loyalty Theft of information Extortion Stock price manipulation Malicious competition
ISCW-Mod5_L1
50
DDoS Attack Example
ISCW-Mod5_L1
51
DoS and DDoS Attack Mitigation

The threat of DoS and DDoS attacks can be reduced using:
Anti-spoof features on routers and firewalls
Proper configuration of anti-spoof features on your routers and firewalls can reduce your risk of attack. These features include an appropriate filtering with access lists, unicast reverse path forwarding that looks up the routing table to identify spoofed packets, disabling of source route options, and others.
Anti-DoS features on routers and firewalls

Proper configuration of anti-DoS features on routers and firewalls can help limit the effectiveness of an attack. These features often involve limits on the amount of half-open TCP connections that a system allows at any given time.
Traffic rate limiting at the ISP level

An organization can implement traffic rate limiting with the organizations ISP
ISCW-Mod5_L1
52
IP Spoofing in DoS and DDoS

IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer. IP spoofing can use either a trusted IP address in the network or a trusted external IP address. Uses for IP spoofing include:
Injecting malicious data or commands into an existing data stream Diverting all network packets to the hacker who can then reply as a trusted user by changing the routing tables
IP spoofing may only be one step in a larger attack.

53
IP Spoofing Attack Mitigation

The threat of IP spoofing can be reduced, but not eliminated, using these measures:
Access control configuration Encryption RFC 3704 filtering
Additional authentication requirement that does not use IP address-based authentication; examples are:
Cryptographic (recommended) Strong, two-factor, one-time passwords
ISCW-Mod5_L1
54
Network Attack Using Intelligence
ISCW-Mod5_L1
55
Module Introduction
ISCW-Mod5_L1
56
Objectives
At the completion of this third lesson, you will be able to:
Describe the difference between virus, trojan and worm threats Show how these threats are propagated Explain techniques for dealing with these threats Describe system software that can aid in defending and mitigating against host machine attacks
ISCW-Mod5_L1
57
End Station (Host) Vulnerabilities

Host machines are particularly vulnerable to attack if not adequately protected. The main threats are: Viruses Trojan horse attacks Worms
ISCW-Mod5_L1
58
Viruses
A computer virus is a malicious computer program (executable file) that can copy itself and infect a computer without permission or knowledge of the user. The original may modify the copies or the copies may modify themselves, as occurs in a metamorphic virus A virus can only spread from one computer to another when its host is taken to an uninfected computer, for instance by a user sending it over a network as a file or as an email payload or carrying it on a removable medium such as a floppy disk, USB disk (memory stick), or CD / DVD Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages
Source: Wikepedia Computer virus
ISCW-Mod5_L1
59
Trojan Horse
A Trojan horse is a program that - unlike a virus - contains or installs a malicious program the payload or 'trojan Trojan horses may appear to be useful or interesting programs, or at the very least harmless to an unsuspecting user, but are actually harmful when executed There are two common types of Trojan horses
One is otherwise useful software that has been corrupted by a hacker inserting malicious code that executes while the program is used The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives
60
Worms
A computer worm is a self-replicating executable computer program. It uses a network to send copies of itself to other hosts (end-user machines on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.
ISCW-Mod5_L1
61
Malicious software containment

Viruses and Trojan horses can be contained by:
Effective use of antivirus software Keeping up to date with the latest developments in these methods of attacks Keeping up to date with the latest antivirus software and application versions Implementing host-based intrusion prevention systems (for example, Cisco Security Agent)
ISCW-Mod5_L1
62
Worm Attack, Mitigation and Response

The anatomy of a worm attack has three parts:
The enabling vulnerability: A worm installs itself on a vulnerable system Propagation mechanism: After gaining access to devices, a worm replicates and selects new targets Payload: Once the worm infects the device, the attacker has access to the host often as a privileged user. Attackers use a local exploit to escalate their privilege level to administrator.
ISCW-Mod5_L1
63
Worm attack mitigation

Worm attack mitigation requires diligence on the part of system and network administration staff. Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident. Recommended steps for worm attack mitigation:
Containment: Contain the spread of the worm into your network and within your network. Compartmentalise uninfected parts of your network. Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems. Quarantine: Track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network. Treatment: Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.
64
Worm attack response

Six typical incident response methodologies to worms are as follows:
1. Preparation: Acquire the resources to respond 2. Identification: Identify the worm 3. Classification: Classify the type of worm 4. Traceback: Trace the worm back to the attacks origin 5. Reaction: Isolate and repair the affected systems 6. Post mortem: Document and analyse the process that you used for future use
ISCW-Mod5_L1
65
Application Layer Attacks and Mitigation

Application layer attacks have the following characteristics:
They exploit well-known weaknesses, such as those in protocols, that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP) They often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall) They can never be completely eliminated because new vulnerabilities are always being discovered
ISCW-Mod5_L1
66
Netcat
Netcat is a tool that reads or writes data on any TCP/UDP connections, relays TCP connections, and can act as a TCP/UDP server.
#nc -h connect to somewhere: nc [-options] hostname port[s] [ports] ... listen for inbound: nc -l -p port [-options] [hostname] [port] options: -g gateway source-routing hop point[s], up to 8 -G num source-routing pointer: 4, 8, 12, ... -i secs delay interval for lines sent, ports scanned -l listen mode, for inbound connects -n numeric-only IP addresses, no DNS -o file hex dump of traffic -p port local port number -r randomize local and remote ports -s addr local source address -u UDP mode -v verbose [use twice to be more verbose] port numbers can be individual or ranges: lo-hi [inclusive]
67
ISCW-Mod5_L1
Netcat Example
ISCW-Mod5_L1
68
Mitigation of Application Layer Attacks

Measures you can take to reduce risks include:
Read operating system and network log files or have the files analysed by log analysis applications Subscribe to mailing lists that publicise vulnerabilities Keep all operating systems and applications current with the latest patches Use IDS/IPS that can scan for known attacks, monitor and log attacks, and, in some cases, prevent attacks
ISCW-Mod5_L1
69
Configuration Management protocols

Configuration management protocols include SSH, SSL and the more insecure Telnet Whichever is chosen for remote access to the managed device, ACLs should be configured to allow only management servers to connect to the device. All attempts from other IP addresses should be denied and logged Ideally use secure management protocols when configuring all network devices. Protocols, such as Telnet and SNMPv2, must be made secure by protecting the data with IPsec The access lists should permit management access, such as SSH or HTTPS, only from the legitimate management hosts
Also implement RFC 3704 filtering at the ingress router to reduce the chance of an attacker from outside the network spoofing the addresses of the management hosts
ISCW-Mod5_L1
70
Management Protocols
These management protocols can be compromised:
SNMP: The community string information for simple authentication is sent in plaintext. syslog: Data is sent as plaintext between the managed device and the management host. TFTP: Data is sent as plaintext between the requesting host and the TFTP server. NTP: Many NTP servers on the Internet do not require any authentication of peers.
ISCW-Mod5_L1
71
Management Protocol Best Practices

The following two slides summarise the best practices to be followed when implementing a secure management solution Recommendations for the correct use of SNMP tools include:
Configure SNMP with only read-only community strings Set up access control on the device you want to manage via SNMP to allow access by only the appropriate management hosts Use SNMP version 3. This version provides secure access to devices through a combination of authenticating and encrypting management packets over the network
ISCW-Mod5_L1
72
Management Protocol Best Practices

Syslog: Encrypt syslog traffic within an IPsec tunnel. Implement RFC 3704 filtering at the perimeter router when allowing syslog access from devices outside a firewall. Implement ACLs on the firewall to allow syslog data from only the managed devices themselves to reach the management hosts. TFTP: When possible, encrypt TFTP traffic within an IPsec tunnel in order to reduce the chance of interception. NTP: Implement your own master clock for private network synchronisation. Use NTP version 3 or above because these versions support a cryptographic authentication mechanism between peers. NTP v3 is currently supported by most vendors, including Cisco Systems. The latest version 4 is not defined by any RFC and therefore not widely supported. Use ACLs that specify which network devices are allowed to synchronise with other network devices.
ISCW-Mod5_L1
73
Determining Vulnerabilities and Threats

There are several tools and techniques that can be used to find vulnerabilities in your network Once any vulnerabilities have been identified, mitigation steps can be considered and utilised as appropriate Some common tools include:
Blues PortScanner Wireshark (formerly Ethereal) Microsoft Baseline Security Analyzer Nmap
ISCW-Mod5_L1
74
Blues Port Scanner

Blues Port Scanner is a fast network scanner that can scan over 300 ports per second on a NT or Windows 2000 machine. it comes with a Windows XP style interface, and offers TCP and UDP scanning as well as a Anti-Flood function
Blues Port Scanner

http://www.securityconfig.com/software/specializedscanners/blues_port_scanner.html
ISCW-Mod5_L1
75
Wireshark (Ethereal)
Wireshark is the world's foremost network protocol analyser, and is the standard in many industries. It is the continuation of a project that started in 1998. Hundreds of developers around the world have contributed to it, and it is still under active development. Wireshark
http://www.wireshark.org/about.html
ISCW-Mod5_L1
76
Microsoft Baseline Security Analyzer
ISCW-Mod5_L1
77
Nmap
Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing. It is designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source
ISCW-Mod5_L1
78
Disabling Unused Cisco Router Network Services and Interfaces
ISCW-Mod5_L1
79
Module Introduction
ISCW-Mod5_L1
80
Vulnerable Router Services and Interfaces

Medium size and large networks typically use a firewall appliance behind the perimeter router, which adds security features and performs user authentication and more advanced packet filtering Firewall installations also facilitate the creation of Demilitarized Zones (DMZs), where the firewall places hosts that are commonly accessed from the Internet Cisco IOS software offers an alternative to a firewall appliance by incorporating many firewall features in the perimeter router. Although this option does not provide the same performance and security features that a Cisco PIX Security Appliance offers, a router with an integrated firewall feature set can solve most smallto-medium business perimeter security requirements. Cisco IOS routers run many services that create potential vulnerabilities. To secure an enterprise network, all unneeded router services and interfaces must be disabled.
ISCW-Mod5_L1
81
Vulnerable Router Services and Interfaces
Cisco IOS routers can be used as: Edge devices Firewalls Internal routers Routers have default services that create potential vulnerabilities (for example, BOOTP, CDP, FTP, TFTP, NTP, Finger, SNMP, TCP/UDP minor services, IP source routing, and proxy ARP Vulnerabilities can be exploited regardless of where the routers are placed.
82
Vulnerable Router Services

Disable unnecessary services and interfaces (BOOTP, CDP, FTP, TFTP, NTP, PAD, and TCP/UDP minor services) Disable commonly configured management services (SNMP, HTTP, and DNS) Ensure path integrity (ICMP redirects and IP source routing) Disable probes and scans (finger, ICMP unreachables, and ICMP mask replies) Ensure terminal access security (ident and TCP keepalives) Disable gratuitous and proxy ARP Disable IP directed broadcast
ISCW-Mod5_L1
83
Unnecessary Services and Interfaces

Router Service BOOTP server Cisco Discovery Protocol (CDP) Configuration auto-loading FTP server Default
Enabled Enabled Disabled Disabled
Best Practice
Disable Disable if not required Disable if not required Disable if not required. Otherwise encrypt traffic within an IPsec tunnel. Disable if not required. Otherwise encrypt traffic within an IPsec tunnel. Disable if not required. Otherwise configure NTPv3 and control access between permitted devices using ACLs. Disable if not required
TFTP server
Disabled
Network Time Protocol (NTP) service Packet assembler and disassembler (PAD) service TCP and UDP minor services Maintenance Operation Protocol (MOP) service
Disabled
Enabled Enabled (pre

11.3)
Disable if not required
Disabled (11.3+) Enabled Disable explicitly if not required

84
Commonly Configured Management Services

Management Service Simple Network Management Protocol (SNMP) Enabled by Default
Enabled
Best Practice
Disable the service. Otherwise configure SNMPv3. Disable if not required.
HTTP configuration and monitoring
Device dependent
Otherwise restrict access using ACLs.
Domain Name System (DNS)
Client Service Enabled
Disable if not required. Otherwise explicitly configure the DNS server address.
ISCW-Mod5_L1
85
Path Integrity Mechanisms

Path Integrity Mechanism ICMP redirects IP source routing Enabled by Default
Enabled
Best Practice
Disable the service
Enabled
Disable if not required.
ISCW-Mod5_L1
86
Probe and Scan Features

Probe and Scan Feature Finger service ICMP unreachable notifications ICMP mask reply Enabled by Default
Enabled
Best Practice
Disable if not required. Disable explicitly on untrusted interfaces. Disable explicitly on untrusted interfaces.
Enabled
Disabled
ISCW-Mod5_L1
87
Terminal Access Security

Terminal Access Security IP identification service TCP Keepalives Enabled by Default
Enabled
Best Practice
Disable
Disabled
Enable
ISCW-Mod5_L1
88
ARP Service
ARP Service Gratuitous ARP Proxy ARP Enabled by Default
Enabled
Best Practice
Enabled
ISCW-Mod5_L1
89
Router Hardening Considerations

Attackers can exploit unused router services and interfaces. Administrators do not need to know how to exploit the services, but they should know how to disable them. It is tedious to disable the services individually. An automated method is needed to speed up the hardening process.
ISCW-Mod5_L1
90
Locking Down Routers with AutoSecure

The AutoSecure feature was released in Cisco IOS Release 12.3 and later AutoSecure is a single privileged EXEC program that allows elimination of many potential security threats quickly and easily. AutoSecure helps to make you more efficient at securing Cisco routers AutoSecure allows two modes of operation:
1. Interactive mode: Prompts to choose the way you want to configure router services and other security-related features 2. Noninteractive mode: Configures security-related features on your router based on a set of Cisco defaults
ISCW-Mod5_L1
91
AutoSecure Functions
AutoSecure can selectively lock down:
Management plane services and functions: Finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask-replies), directed broadcast, MOP, banner Also provides password security and SSH access Forwarding plane services and functions: CEF, traffic filtering with ACLs Firewall services and functions: Cisco IOS Firewall inspection for common protocols Login functions: Password security NTP protocol SSH access TCP Intercept services
ISCW-Mod5_L1
92
AutoSecure Failure Rollback Feature

If AutoSecure fails to complete its operation, the running configuration may be corrupt:
In Cisco IOS Release 12.3(8)T and later releases: Pre-AutoSecure configuration snapshot is stored in the flash under filename pre_autosec.cfg Rollback reverts the router to the routers pre-autosecure configuration Command: configure replace flash:pre_autosec.cfg If the router is using software prior to Cisco IOS Release 12.3(8)T, the running configuration should be saved before running AutoSecure.
ISCW-Mod5_L1
93
AutoSecure Process Overview

router#
auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]
Cisco AutoSecure Interactive Steps: Step 1 Identify outside interfaces. Step 2 Secure the management plane. Step 3 Step 4 Step 5 Step 6 Create security banner. Configure passwords, AAA, and SSH. Secure the interface settings. Secure the forwarding plane.
ISCW-Mod5_L1
94
Auto Secure Parameters

Parameter management forwarding no-interact Description (Optional) Only the management plane will be secured. (Optional) Only the forwarding plane will be secured. (Optional) The user will not be prompted for any interactive configurations. No interactive dialogue parameters will be configured, including usernames or passwords. (Optional) The user will be prompted for all interactive questions. This is the default setting. (Optional) Specifies the configuration of the Network Time Protocol (NTP) feature in the AutoSecure command-line interface (CLI). (Optional) Specifies the configuration of the Login feature in the AutoSecure CLI. (Optional) Specifies the configuration of the SSH feature in the AutoSecure CLI. (Optional) Specifies the configuration of the Firewall feature in the AutoSecure CLI. (Optional) Specifies the configuration of the TCP-Intercept feature in the AutoSecure CLI.
full ntp login ssh firewall tcp-intercept
ISCW-Mod5_L1
95
Step 1: Identify Outside Interfaces

Router#auto secure --- AutoSecure Configuration --*** AutoSecure configuration enhances the security of the router but it will not make router absolutely secure from all security attacks *** All the configuration done as part of AutoSecure will be shown here. For more details of why and how this configuration is useful, and any possible side effects, please refer to Cisco documentation of AutoSecure. At any prompt you may enter '?' for help. Use ctrl-c to abort this session at any prompt. Gathering information about the router for AutoSecure Is this router connected to internet? [no]: y Enter the number of interfaces facing internet [1]: 1 Interface IP-Address OK? Method Status Protocol Ethernet0/0 10.0.2.2 YES NVRAM up up Ethernet0/1 172.30.2.2 YES NVRAM up up Enter the interface name that is facing internet: Ethernet0/1
ISCW-Mod5_L1
96
Step 2: Secure Management Plane Services

Securing Management plane services.. Disabling service finger Disabling service pad Disabling udp & tcp small servers Enabling service password encryption Enabling service tcp-keepalives-in Enabling service tcp-keepalives-out Disabling the cdp protocol Disabling the bootp server Disabling the http server Disabling the finger service Disabling source routing Disabling gratuitous arp
ISCW-Mod5_L1
97
Step 3: Create Security Banner

Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements. Authorised Access only This system is the property of Woolloomooloo Pty Ltd. UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on this device are logged and violations of of this policy result in disciplinary action. Enter the security banner {Put the banner between k and k, where k is any character}: %This system is the property of Cisco Systems, Inc. UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.%
ISCW-Mod5_L1
98
Step 4: Passwords and AAA

Enable secret is either not configured or is same as enable password Enter the new enable secret: Curium96 Configuration of local user database Enter the username: student1 Enter the password: student1 Configuring aaa local authentication Configuring console, Aux and vty lines for local authentication, exec-timeout, transport Securing device against Login Attacks Configure the following parameters Blocking Period when Login Attack detected: 300 Maximum Login failures with the device: 3 Maximum time period for crossing the failed login attempts: 60
ISCW-Mod5_L1
99
Step 5: SSH and Interface-Specific Services

Configure SSH server? [yes]: y Enter the hostname: R2 Enter the domain-name: cisco.com
Configuring interface specific AutoSecure services Disabling the following ip services on all interfaces: no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply Disabling mop on Ethernet interfaces
ISCW-Mod5_L1
100
Step 6: Forwarding Plane Verification and Deployment

Securing Forwarding plane services.. Enabling CEF (This might impact the memory requirements for your platform) Enabling unicast rpf on all interfaces connected to internet Configure CBAC Firewall feature? [yes/no]: yes This is the configuration generated: no service finger no service pad no service udp-small-servers no service tcp-small-servers service password-encryption . . Apply this configuration to running-config? [yes]: y
ISCW-Mod5_L1
101
Auto Secure Configuration Example (1 of 6)

no service finger no service pad no service udp-small-servers no service tcp-small-servers service password-encryption service tcp-keepalives-in service tcp-keepalives-out no cdp run no ip bootp server no ip http server no ip finger no ip source-route no ip gratuitous-arps no ip identd
Disable global services.
Create banner.
banner #This system is the property of Cisco Systems, Inc. Set minimum UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.#
password length.
security passwords min-length 6 security authentication failure rate 10 log
Set the login failure rate.
ISCW-Mod5_L1
102

enable secret 5 $1$6NpI$ClSvtL5Zs63fPpsQT5Dyq/ enable password 7 09674F04100916 aaa new-model aaa authentication login local_auth local line con 0 login authentication local_auth exec-timeout 5 0 transport output telnet line aux 0 login authentication local_auth exec-timeout 10 0 transport output telnet line vty 0 4 login authentication local_auth transport input telnet login block-for 5 attempts 3 within 4
Enable secret password.
Enable local AAA.
Configure local authentication on console, auxiliary and VTY lines for telnet.
Block too many login attempts.
ISCW-Mod5_L1
103

hostname LosAngeles ip domain-name cisco.com crypto key generate rsa general-keys modulus 1024 ip ssh time-out 60 ip ssh authentication-retries 2 line vty 0 4 transport input ssh telnet service service logging logging service logging logging
Configure hostname and domain name.
timestamps debug datetime msec localtime show-timezone timestamps log datetime msec localtime show-timezone facility local2 trap debugging sequence-numbers Configure logging console critical parameters. buffered
ISCW-Mod5_L1
104

interface FastEthernet0/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabled interface Serial0/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply interface FastEthernet0/1 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabled
Disable FE interface 0/0 services.
Disable serial port services.
Disable FE interface 0/1 services.
105

ip cef Enable CEF. Apply ACL to inside interface Serial0/0 interface. ip access-group autosec_complete_bogon in exit access-list 100 permit udp any any eq bootpc interface Serial0/0 ip verify unicast source reachable-via rx allow-default 100 ip inspect ip inspect ip inspect ip inspect ip inspect ip inspect ip inspect ip inspect ip inspect ip inspect ip inspect ip inspect ip inspect ! end
ISCW-Mod5_L1
audit-trail dns-timeout 7 tcp idle-time 14400 udp idle-time 1800 name autosec_inspect name autosec_inspect name autosec_inspect name autosec_inspect name autosec_inspect name autosec_inspect name autosec_inspect name autosec_inspect name autosec_inspect
Turn on the CBAC firewall with common settings.
cuseeme timeout 3600 ftp timeout 3600 http timeout 3600 rcmd timeout 3600 realaudio timeout 3600 smtp timeout 3600 tftp timeout 30 udp timeout 15 tcp timeout 3600
106
ip access-list extended autosec_firewall_acl permit udp any any eq bootpc deny ip any any Apply CBAC inspect list to outside interface Serial0/0 ip inspect autosec_inspect interface. out ip access-group autosec_firewall_acl in
Apply ACL to outside interface.
ISCW-Mod5_L1
107
Locking Down Routers with Cisco SDM

SDM simplifies router and security configuration through smart wizards that help to quickly and easily deploy, configure, and monitor a Cisco router without requiring knowledge of the CLI SDM simplifies firewall and IOS software configuration without requiring expertise about security or IOS software SDM contains a Security Audit wizard that performs a comprehensive router security audit SDM uses security configurations recommended by Cisco Technical Assistance Center (TAC) and the International Computer Security Association (ICSA) as the basis for comparisons and default settings The Security Audit wizard assesses the vulnerability of the existing router and provides quick compliance to best-practice security policies SDM can implement almost all of the configurations that AutoSecure offers with the One-Step Lockdown feature
ISCW-Mod5_L1
108
Security Device Manager (SDM)

SDM automated hardening features: Security Audit One-Step Lockdown
ISCW-Mod5_L1
109
SDM Security Audit Overview

Security Audit compares router configuration against recommended settings Examples of the audit include:
Shut down unneeded servers Disable unneeded services Apply the firewall to the outside interfaces Disable or harden SNMP Shut down unused interfaces Check password strength Enforce the use of ACLs
ISCW-Mod5_L1
110
SDM Security Audit: Main Window

1.
2. 3.
ISCW-Mod5_L1
111
SDM Security Audit Wizard
ISCW-Mod5_L1
112
SDM Security Audit Interface Configuration
ISCW-Mod5_L1
113
SDM Security Audit
ISCW-Mod5_L1
114
SDM Security Audit: Fix the Security Problems
ISCW-Mod5_L1
115
SDM Security Audit: Summary
ISCW-Mod5_L1
116
SDM One-Step Lockdown: Main Window

1.
2.
3.
ISCW-Mod5_L1
117
SDM One-Step Lockdown Wizard
ISCW-Mod5_L1
118
Securing Cisco Router Administrative Access
ISCW-Mod5_L1
119
Module Introduction
ISCW-Mod5_L1
120
Objectives
At the completion of this fifth lesson, you will be able to:
Correctly and securely set passwords on a Cisco router Protect line access from insecure users Protect a router against a password reset Correctly set timeouts on router access Describe and demonstrate how to correctly set banner messages
ISCW-Mod5_L1
121
Cisco Router Passwords

Strong passwords are the primary defense against unauthorised access to a router The best way to manage passwords is to maintain them on an AAA server
Almost every router needs a locally configured password for privileged access There may also be other password information in the configuration file
When creating passwords for routers etc, always keep these rules in mind: Make passwords lengthy.
The best practice is to have a minimum of ten characters. You can enforce the minimum length using a feature that is available in IOS routers
ISCW-Mod5_L1
122

Passwords may include the following:
Any alphanumeric character A mix of uppercase and lowercase characters Symbols and spaces A combination of letters, numbers, and symbols
Passwords should NOT use dictionary words

Using dictionary words makes the passwords vulnerable to dictionary attacks.
Password-leading spaces are ignored, but all spaces after the first character are NOT ignored Change passwords as often as possible
There should be a policy defining when and how often the passwords must be changed. Changing passwords frequently provides two advantages. This practice limits the window of opportunity in which a hacker can crack a password and limits the window of exposure after a password has been compromised
ISCW-Mod5_L1
123

Local rules can be added to this list, making passwords even safer One well known method of creating strong passwords is to use passphrases
A passphrase is basically a sentence or phrase that serves as a more secure password.
Use a sentence, quote from a book, or song lyric that you can easily remember as the basis of the strong password or pass phrase. For example:
My favorite spy is James Bond 007. would translate into MfsiJB007. It was the best of time, it was the worst of times. would translate into Iwtbotiwtwot. Fly me to the moon. And let me play among the stars. would translate into FmttmAlmpats. Tis better to be brief than tedious (Richard III, I:4) TbtbbttR3I4
ISCW-Mod5_L1
124
Initial Password Configuration

One way to perform initial router configuration tasks, including configuring a password, is to access the router console port
A console is a terminal connected to a router console port. The terminal can be a dumb terminal or a PC running terminal emulation software (Hyperterm; Kermit; Teraterm etc)
Consoles are only one of the ways to obtain administrative access to configure and manage routers Other ways to gain administrative access include:
Telnet SSH SNMP Cisco SDM access using HTTP or HTTPS
ISCW-Mod5_L1
125
Protecting Line Access - console

To secure the router, access should be protected through the console, auxiliary, and vty lines / ports
By default, the Cisco router console ports allow a hard BREAK signal (within 60s of a reboot) to interrupt the normal boot sequence and give the console user complete control of the router
The hard BREAK sequence may be disabled using the no service password-recovery command
If a router is configured with the no service password-recovery command, all access to the ROM Monitor (ROMMON) is disabled.
By default, the console port does not require a password for console administrative access. However, a console port line-level password should always be configured There are two ways to configure a console line password:
Enter the password during the initial configuration dialog, or Use the password command in the console line configuration mode.
126
Protecting vty Line Access #1

(Virtual TeletYpe) A command line interface created in a router for a Telnet session Cisco routers support multiple Telnet sessions (up to five simultaneous sessions, by defaultmore can be added), each serviced by a logical vty. By default, Cisco routers do NOT have any line-level passwords configured for these vty lines. If password checking is enabled, a vty password must also be configured before attempting to access the router using Telnet. If a vty password is NOT configured and password checking is enabled for vty, an error message similar to the following will be produced:
Telnet 10.0.1.2 Trying 10.0.1.2 .. open Password required, but none set [Connection to 10.0.1.2 closed by foreign host]
127

There are two ways to configure a vty password:
1. enter the password during the initial configuration dialog, or 2. use the password command in line vty configuration mode.
The following are more things to consider when securing Telnet connections to a Cisco router: If an enable mode password is NOT set for the router, privilegedEXEC mode can NOT be accessed using Telnet. Use either the enable password or enable secret password command to set the enable password
ISCW-Mod5_L1
128

Telnet access should be limited only to specified systems by building a simple access control list (ACL) that performs the following:
1. Allows Telnet access from specific hosts only 2. Implicitly or explicitly blocks access from untrusted hosts 3. Ties the ACL to the vty lines using the access-class command
This example shows ACL 30 restricting Telnet access only from host 10.0.1.1 and implicitly denying access from all other hosts for vty 0 to 4:
Perth(config)#access-list 30 permit 10.0.1.1 0.0.0.0 Perth(config)#line vty 0 4 Perth(config-line)#access-class 30 in
Passwords must be configured for all of the vty lines on the router Remember that more vty lines can be added to the router
The default vty lines 0 to 4 and any additional lines MUST be protected
129
Protecting Auxiliary Line Access

By default, Cisco router auxiliary ports do not require a password for remote administrative access. Administrators sometimes use auxiliary ports to remotely configure and monitor the router using a dialup modem connection Unlike console and vty passwords, the auxiliary password is not configured during the initial configuration dialog and should be configured using the password command in auxiliary line configuration mode If you want to turn off the EXEC process for the aux port, use the no exec command within the auxiliary line configuration mode Setting the auxiliary line-level password is only one of several steps that must be completed when configuring a router auxiliary port for remote dial-in access
ISCW-Mod5_L1
130
Additional Password Security

IOS software provides a number of enhanced features that allow increasing the security of system passwords. These features include setting a minimum password length, encrypting your passwords, and encrypting usernames
ISCW-Mod5_L1
131
Password Minimum Length Enforcement

router(config)#
security passwords min-length length
Sets the minimum length of all Cisco IOS passwords
Perth(config)#security passwords min-length 10
ISCW-Mod5_L1
132
The service password-encryption Command

router(config)#
service password-encryption
Encrypts all passwords in the router configuration file

Perth(config)#service password-encryption Perth(config)#exit Perth#show running-config enable password 7 06020026144A061E ! line con 0 password 7 0956F57A109A ! line vty 0 4 password 7 034A18F366A0 ! line aux 0 password 7 7A4F5192306A
ISCW-Mod5_L1
133
Enhanced Username Password Security

router(config)#
username name password {[0] password | 7 hidden-password}
Traditional user configuration with plaintext password
router(config)#
username name secret {[0] password | 5 encrypted-secret}
Uses MD5 hashing for strong password protection Better than the type 7 encryption found in service passwordencryption command
Perth(config)#username rtradmin secret 0 Curium96 Perth(config)#username rtradmin secret 5 $1$feb0$a104Qd9UZ./Ak007
ISCW-Mod5_L1
134
username secret Parameters
Parameter name 0 password 5 encrypted-secret
Description The username (Optional) Indicates that the following clear text password will be hashed using MD5 The plaintext password to be hashed using MD5 Indicates that the following encrypted secret password was hashed using MD5 The MD5 encrypted secret password that is stored as the encrypted user password
ISCW-Mod5_L1
135
Protecting Your Router by Securing ROMMON

By default, Cisco IOS routers allow a break sequence during power up, which forces the router into ROM Monitor (ROMMON) mode. Once the router is in ROMMON mode, anyone can choose to enter a new enable secret password using the well-known Cisco password recovery procedure. This procedure, if performed correctly, leaves the router configuration intact. This scenario presents a potential security breach because anyone who gains physical access to the router console port can enter ROMMON, reset the enable secret password, and discover the router configuration. You can mitigate this potential security breach by using the no service password-recovery global configuration command. The no service password-recovery command has no arguments or keywords.
ISCW-Mod5_L1
136
Setting Login Failure Rates and Conditions

Cisco IOS software provides a number of features to secure routers against unauthorised logins by setting login failure rates and conditions
ISCW-Mod5_L1
137
Authentication Failure Rate with Login

router(config)#
security authentication failure rate threshold-rate log
Configures the number of allowable unsuccessful login attempts By default, router allows 10 login failures before initiating a 15-second delay Generates a syslog message when login failure rate is exceeded
Perth(config)#security authentication failure rate 10 log
Parameter threshold-rate log
Description This is the number of allowable unsuccessful login attempts. The default is 10 (the range is 2 to 1024). The log keyword is required. This keyword results in a generated syslog event.
138
ISCW-Mod5_L1
Setting a Login Failure Blocking Period

router(config)#
login block-for seconds attempts tries within seconds
Blocks access for a quiet period after a configurable number of failed login attempts within a specified period Must be entered before any other login command Mitigates DoS and break-in attacks
Perth(config)#login block-for 100 attempts 2 within 100
ISCW-Mod5_L1
139
Logging of Login Requests During Quiet Periods

Quiet-mode logging message:
00:04:07:%SEC_LOGIN-1-QUIET_MODE_ON:Still timeleft for watching failures is 158 seconds, [user:sfd] [Source:10.4.2.11] [localport:23] [Reason:Invalid login], [ACL:22] at 16:17:23 UTC Wed Feb 26 2003
Normal mode logging message:

00:09:07:%SEC_LOGIN-5-QUIET_MODE_OFF:Quiet Mode is OFF, because block period timed out at 16:22:23 UTC Wed Feb 26 2003
ISCW-Mod5_L1
140
Excluding Addresses from Login Blocking

router(config)#
login quiet-mode access-class {acl-name | acl-number}
Specifies an ACL that is applied to the router when it switches to the quiet mode If not configured, all login requests will be denied during the quiet mode Excludes IP addresses from failure counting for login block-for command
Perth(config)#login quiet-mode access-class myacl
ISCW-Mod5_L1
141
Setting a Login Delay

router(config)#
login delay seconds
Configures a delay between successive login attempts Helps mitigate dictionary attacks If not set, a default delay of one second is enforced after the login block-for command is configured
Perth(config)#login delay 30
ISCW-Mod5_L1
142
Verifying Login
router#
show login [failures]
Displays login parameters and failures

Perth(config)#show login A default login delay of 1 seconds is applied. No Quiet-Mode access list has been configured. All successful login is logged and generate SNMP traps. All failed login is logged and generate SNMP traps. Router enabled to watch for login Attacks. If more than 15 login failures occur in 100 seconds or less, logins will be disabled for 100 seconds. Router presently in Watch-Mode, will remain in Watch-Mode for 95 seconds. Present login failure count 5.
ISCW-Mod5_L1
143
Verifying Login Failures

Perth(config)#show login failures Information about login failure's with the device Username try1 try2 Source IPAddr lPort Count 10.1.1.1 10.1.1.2 23 23 1 1 TimeStamp 21:52:49 UTC Sun Mar 9 2003 21:52:52 UTC Sun Mar 9 2003
ISCW-Mod5_L1
144
Setting Timeouts
By default, an administrative interface stays active (and logged on) for ten minutes after the last session activity. After that time, the interface times out and logs out of the session. Fine-tune these timers to limit the amount of time from two or three minutes maximum. Setting the exec-timeout value to 0 means that there will be no timeout and the session will stay active for an unlimited time. Do not set the value to 0! These timers can be adjusted by using the exectimeout command in line configuration mode for each of the line types used.
145
Setting Multiple Privilege Levels

Cisco routers allow configuration at various privilege levels for administrators. Different passwords can be configured to control who has access to the various privilege levels. This ability is especially helpful in a help desk environment where certain administrators are allowed to configure and monitor every part of the router (level 15) while other administrators may be restricted to only monitoring (customised levels 2 to 14). Privileges are assigned to levels 2 to 14 using the privilege command from global configuration mode.
ISCW-Mod5_L1
146
privilege Parameters
Parameter Mode Level Level Description This command specifies the configuration mode. This command enables setting a privilege level with a specified command. This is the privilege level that is associated with a command. You can specify up to 16 privilege levels, using numbers 0 to 15. This sets the command that the privilege level is associated with. This command resets the privilege level of a command. This is the command that you want to reset the privilege level for.
Command Reset Command
ISCW-Mod5_L1
147
Router Configuration Modes

Configuration Mode
accept-dialin accept-dialout address-family atm-bm-config atm-bundle-config atm-vc-config atmsig_e164_table_mode cascustom configure controller crypto-map dhcp dspfarm exec
Description
Virtual private dialup network (VPDN) group accept dialin configuration mode VPDN group accept dialout configuration mode Address family configuration mode ATM bundle member configuration mode ATM bundle configuration mode ATM virtual circuit configuration mode ATMSIG E164 table Channel associated signaling (CAS) custom configuration mode Global configuration mode Controller configuration mode Crypto map configuration mode DHCP pool configuration mode Digital signal processor (DSP) farm configuration mode EXEC mode
148
ISCW-Mod5_L1
Router Configuration Modes (Cont.)

Configuration Mode
flow-cache interface interface-dlci ip-vrf line map-class map-list null-interface preaut request-dialin request-dialout route-map router vpdn-group voipdialpeer
Description
Flow aggregation cache configuration mode Interface configuration mode Frame Relay data-link connection identifier (DLCI) configuration mode Configure IP VPN routing and forwarding (VRF) parameters Line configuration mode Map class configuration mode Map list configuration mode Null interface configuration mode AAA preauth definitions VPDN group request dialin configuration mode VPDN group request dialout configuration mode Route map configuration mode Router configuration mode VPDN group configuration mode Dial peer configuration mode
ISCW-Mod5_L1
149
Configuring Banner Messages

Banner messages should be used to warn would-be intruders that they are not welcome on your network. Banners are important, especially from a legal perspective. Intruders have been known to win court cases because they did not encounter appropriate warning messages when accessing router networks Choosing what to place in banner messages is extremely important and should be reviewed by lawyers and /or legal counsel before placing the messages on your routers. Never use the word welcome or any other familiar or similar greeting that may be misconstrued as an invitation to use the network
ISCW-Mod5_L1
150
Configuring Banner Messages

There are four valid tokens that you can use within the message section of the banner command:
1. $(hostname): Displays the hostname for the router 2. $(domain): Displays the domain name for the router 3. $(line): Displays the vty or tty (asynchronous) line number 4. $(line-desc): Displays the description attached to the line
Perth(config)#banner motd % WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. %
ISCW-Mod5_L1
151
Configuring RoleBased CLI
ISCW-Mod5_L1
152
Module Introduction
ISCW-Mod5_L1
153
Objectives
At the completion of this sixth lesson, you will be able to:
Describe and configure role based CLI on IOS routers Configure CLI views and Superviews Describe the use of secure configuration files
ISCW-Mod5_L1
154
Role-Based CLI Overview

Although users can control CLI access via both privilege levels and enable mode passwords, these functions do not provide the necessary level of detail needed when working with Cisco IOS routers and switches The Role-Based CLI Access feature allows the administrator to define views, which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration mode commands
Views restrict user access to Cisco IOS CLI and configuration information; that is, a view can define what commands are accepted and what configuration information is visible CLI views provide a more detailed access control capability for network administrators, thereby improving the overall security and accountability of Cisco IOS software
ISCW-Mod5_L1
155

As of Cisco IOS Release 12.3(11)T, an interface or a group of interfaces can be assigned to a view, thereby allowing access on the basis of specified interfaces Access to a view is protected with a password. This protection is similar to the concept used by privilege levels To simplify the view management, views can be grouped to superviews to create large sets of commands and interfaces.
A superview encompasses several individual views, resulting in wider administrative privileges.
ISCW-Mod5_L1
156

Root view is the highest administrative view Creating and modifying a view or superview is possible only from root view The difference between root view and privilege Level 15 is that only a root view user can create or modify views and superviews CLI views require AAA new-model:
This is necessary even with local view authentication View authentication can be offloaded to an AAA server using the new attribute "cli-view-name"
A maximum of 15 CLI views can exist in addition to the root view
ISCW-Mod5_L1
157
Getting Started with Role-Based CLI

Before a view is entered or created, AAA must be enabled via the aaa new-model command. Next, use the enable command with the view parameter to enter the root view. Use the privilege 15 password, if prompted for authentication (if authentication is configured)
ISCW-Mod5_L1
158
Getting Started with Role-Based CLI

router#
enable [privilege-level] [view [view-name]]
Enter a privilege level or a CLI view. Use enable command with the view parameter to enter the root view. Root view requires privilege Level 15 authentication. The aaa-new model must be enabled.
Perth(config)#aaa new-model Perth(config)#exit Perth#enable view Password: Perth# %PARSER-6-VIEW_SWITCH: successfully set to view 'root'
ISCW-Mod5_L1
159
enable Parameters
Parameter privilege-level view Description (Optional) Sets the privilege level at which to log in. (Optional) Enters root view, which enables users to configure CLI views. This keyword is required if you want to configure a CLI view. (Optional) Enters or exits a specified CLI view. This keyword can be used to switch from one CLI view to another CLI view.
view-name
ISCW-Mod5_L1
160
Configuring CLI Views

router(config)#
parser view view-name Creates a view and enters view configuration mode
router(config-view)#
password 5 encrypted-password commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
Sets a password to protect access to the view Adds commands or interfaces to a view
Perth(config)#parser view monitor_view Perth(config-view)#password 5 hErMeNe%GiLdE! Perth(config-view)#commands exec include show version
ISCW-Mod5_L1
161
commands Parameters
Parameter parser-mode include include-exclusive Description Specifies the mode that the specified command exists in Adds a command or an interface to the view and allows the same command or interface to be added to an additional view Adds a command or an interface to the view and excludes the same command or interface from being added to all other views Excludes a command or an interface from the view; that is, customers cannot access a command or an interface (Optional) Specifies a wildcard that allows every command in a specified configuration mode that begins with the same keyword or every subinterface for a specified interface to be part of the view (Optional) Specifies an interface that is added to the view (Optional) Specifies a command that is added to the view
exclude all
interface interface-name command
ISCW-Mod5_L1
162
Configuring Superviews
router(config)#
parser view view-name
Creates a (super)view and enters the views configuration

router(config-view)#
password 5 encrypted-password view view-name
Sets a password to protect access to the superview Adds a CLI view to a superview
Perth(config)#parser view monitor_audit Perth(config-view)#password 5 AnA6TaSiA$ Perth(config-view)#view monitor_view Perth(config-view)#view audit_view
ISCW-Mod5_L1
163
Configuring Superviews
Superviews have these characteristics:
A CLI view can be shared among multiple superviews Commands cannot be configured for a superview; that is, you must add commands to the CLI view and add that CLI view to the superview Users who are logged in to a superview can access all of the commands that are configured for any of the CLI views that are part of the superview Each superview has a password that is used to switch between superviews or from a CLI view to a superview If a superview is deleted, all CLI views associated with that superview are not also deleted
ISCW-Mod5_L1
164
Role-Based CLI Monitoring

When monitoring role-based CLI, use the command show parser view to display information about the view that the user is currently in. The option all displays information for all views configured on the router. The all keyword is available only to root users. However, the all keyword can be configured by a user in root view to be available for users in any CLI view. To display debug messages for all views, use the debug parser view command in privileged EXEC mode.
ISCW-Mod5_L1
165
Role-Based CLI Monitoring

router#
show parser view [all]
Displays the current view name The option all: Displays all CLI views configured on the router Is by default available only to root users Can be added to other CLI views
router#
debug parser view
Displays debug messages for all views
ISCW-Mod5_L1
166
Role-Based CLI Configuration Example

In the next three slides the CLI view first is created and configured to include the commands show version, configure terminal, and all commands starting with show ip Next, the administrator will verify the configuration by entering and viewing the available commands When a user enters the CLI view, an indication message appears. Apart from the commands enable and exit that are available in all views, the only two commands that are visible in the CLI view are configure and show. The slide shows a sample output of the enable command To further verify the view configuration, the user looks at the available options of the show command. The available options include parser, which is always available, and the configured keywords ip and version Next, the user verifies that all sub-options of the show ip command are available in the view as shown in last slide in this group
ISCW-Mod5_L1
167
Role-Based CLI Configuration Example

Perth(config)#aaa new-model Perth(config)#exit Perth#enable view %PARSER-6-VIEW_SWITCH: successfully set to view root. Perth#configure terminal Perth(config)#parser view first %PARSER-6-VIEW_CREATED:view first successfully created. Perth(config-view)#secret 5 firstpass Perth(config-view)#command exec include show version Perth(config-view)#command exec include configure terminal Perth(config-view)#command exec include all show ip Perth(config-view)#exit
ISCW-Mod5_L1
168
Role-Based CLI Verification enable and show Commands

Perth>enable view first Password: %PARSER-6-VIEW_SWITCH:successfully set to view 'first'. Perth#? Exec commands: configure Enter configuration mode enable Turn on privileged commands exit Exit from the EXEC show Show running system information Perth#show ? ip IP information parser Display parser information version System hardware and software status
ISCW-Mod5_L1
169
Role-Based CLI Verification show ip Command

Perth#show ip ? access-lists accounting aliases arp as-path-access-list bgp cache casa cef community-list dfp dhcp --More-List IP access lists The active IP accounting database IP alias table IP ARP table List AS path access lists BGP information IP fast-switching route cache Display casa information Cisco Express Forwarding List community-list DFP information Show items in the DHCP database drp
ISCW-Mod5_L1
170
Cisco IOS Resilient Configuration Feature

Traditional risk that the configuration and the image are erased after a router compromise:
Availability threat (downtime)
Need to secure the primary bootset (configuration file and the running image) Also known as the Cisco IOS Resilient Configuration feature Speeds up the recovery process Files must be stored locally Feature can be disabled through a console session
ISCW-Mod5_L1
171
Securing Configuration Files

router(config)#
secure boot-image
Enables Cisco IOS image resilience

router(config)#
secure boot-config
Stores a secure copy of the primary bootset in persistent storage

router#
show secure bootset
Displays the status of configuration resilience and the primary bootset filename
Perth(config)#secure boot-image Perth(config)#secure boot-config
ISCW-Mod5_L1
172
Cisco IOS Resilient Configuration Feature Verification

Perth#show secure bootset IOS resilience router id JMX0704L5GH IOS image resilience version 12.3 activated at 08:16:51 UTC Sun Jun 16 2005 Secure archive slot0:c3745-js2-mz type is image (elf) [] file size is 25469248 bytes, run size is 25634900 bytes Runnable image, entry point 0x80008000, run from ram IOS configuration resilience version 12.3 activated at 08:17:02 UTC Sun Jun 16 2002 Secure archive slot0:.runcfg-20020616-081702.ar type is config configuration archive size 1059 bytes
ISCW-Mod5_L1
173
Secure Configuration Files Recovery

rommon 1 >
dir [filesystem:] boot [partition-number:][filename]
Lists the contents of the device with secure bootset Boots up the router using the secure bootset image
router(config)#
secure boot-config [restore filename]
Restores the secure configuration to a filename

rommon 1 >dir slot0: rommon 2 >boot slot0:c3745-js2-mz .... Router(config)#secure boot-config restore slot0:rescue Router#copy slot0:rescue running-config
ISCW-Mod5_L1
174
Mitigating Threats and Attacks with Access Lists
ISCW-Mod5_L1
175
Module Introduction
ISCW-Mod5_L1
176
Objectives
At the completion of this seventh lesson, you will be able to:
Describe various network attack techniques that use distributed clients Design and write access lists that mitigate well known network attacks Apply these ACLs to routers within the network
ISCW-Mod5_L1
177
Cisco ACL Overview

An ACL is simply a list of statements Each statement defines a pattern that would be found in an IP packet. As each packet comes through an interface with an associated ACL, the list is scanned from top to bottom and in the exact order in which the list was entered, for a pattern that matches the incoming packet A permit or deny rule associated with the pattern determines what then happens to that packet Cisco routers use ACLs as packet filters to decide which packets can access a router service, or which packets can be allowed through an interface
Packets that are allowed across an interface are known as permitted packets; those that are not allowed known as denied packets.
ISCW-Mod5_L1
178
Cisco ACL Overview

Router security depends upon well-written and previously considered ACLs to restrict access to router network services and to filter packets as the packets traverse the router Cisco routers support three types of IP ACLs:
1. standard, 2. extended, and 3. enhanced IP ACLs.
Standard IP ACLs: A standard ACL only allows permission or denial of traffic from specific IP addresses. The destination of the packet and the ports that are involved do not matter. Extended IP ACLs: An IP extended ACL is a list of statements that can filter IP packets based on several attributes (protocol type, source and IP address, destination IP address, source TCP or User Datagram Protocol [UDP] ports, destination TCP or UDP ports, or optional protocol type information for finer granularity of control).
ISCW-Mod5_L1
179
Identifying ACLs
Either a number or a name can identify Cisco ACLs and the protocols that they filter Using numbered ACLs is effective on smaller networks that do not have as wide a range of traffic types as do larger networks.
There can be up to 99 standard IP ACLs in the numbered range from 1 to 99 The extended IP ACL number range is assigned from 100 to 199 and from 2000 to 2699
ACLs can also be identified with an alphanumeric string (a name) rather than a number. Named ACLs allow configuration of more ACLs in a router than if using numbered ACLs alone
If the ACL is identified with a name rather than a number, the mode and command syntax for the ACL are slightly different. Currently, only packet and route filters can use a named ACL
ISCW-Mod5_L1
180
Guidelines for Developing ACLs

Before you start to develop any ACLs, consider these basic rules:
Base your ACLs on your security policy: Unless the ACL is anchored in a comprehensive security policy, you cannot be absolutely certain that the ACL will effectively control access in the way access needs to be controlled. Write the ACL out: Never sit down at a router and start to develop an ACL without first spending some time in design. The best ACL developers suggest that you write out a list of things you want the ACL to accomplish. Starting with something as simple as, This ACL must block all Simple Network Management Protocol (SNMP) access to the router except for the SNMP host at 10.1.1.15. Order of statements within an ACL is critical: Once a match is found, no more statements will be checked. For example, the most restrictive statements should be first.
181
Guidelines for Developing ACLs #2

Before you start to develop any ACLs, consider these basic rules: Set up a development system:
Whether you use a laptop PC or a dedicated server, a place is required to develop and store ACLs. Word processors or text editors of any kind are suitable, as long as the files are saved in vanilla ASCII text format Build a library of your most commonly used ACLs and use the saved ACLs as sources for new files. ACLs can be pasted into the router running configuration (via console or Telnet access), or can be stored in a router configuration file for transfer by TFTP A hacker can discover a lot about a network from looking at these easily read text files. For this reason, it is imperative that the system where you choose to develop and store your ACL and router files be a secure system
Test:
If possible, test the ACLs in a secure environment before placing them into production. Testing is a common-sense approach to any router configuration changes. While testing may appear to be an unnecessary cost, testing can save a great amount of time, money and heartache!
ISCW-Mod5_L1
182
Applying ACLs to Router Interfaces

Packet-filtering ACLs must be applied to a router interface to take effect. It is important to note that ACLs are applied to an interface based on the direction of the data flow Consider the simple concept of how to apply the ACL to incoming packets (an in ACL) or outgoing packets (an out ACL), as follows:
Inbound (in): The packet filtering ACL applies to packets received on the router interface Outbound (out): The packet filtering ACL applies to packets transmitted out of the router interface. For outbound ACLs, the filter need only be setup on one outgoing interface rather than on individual incoming interfaces. This configuration improves performance because only the network being protected will force a lookup on the ACL
ISCW-Mod5_L1
183
Applying ACLs to Router Interfaces
Inbound (in): Data flows toward router interface Outbound (out): Data flows away from router interface
ISCW-Mod5_L1
184
Using Traffic Filtering with ACLs

Always apply the following general rules when deciding how to handle router services, ports, and protocols:
Disable unused services, ports, or protocols.
In the case where no machine, including the router itself, needs to use an enabled service, port, or protocol, disable that service, port, or protocol
Limit access to services, ports, or protocols

In the case where a limited number of users or systems require access to an enabled router service, port, or protocol, limit access to that service, port, or protocol using ACLs ACLs are important because they act as traffic filters between the corporate (trusted) network and the Internet (untrusted network). Using ACLs, the router enforces corporate security policies by rejecting protocols and restricting port use
185
ISCW-Mod5_L1
Using Traffic Filtering with ACLs
Use ACLs to filter ingress and egress from routers and firewall appliances. Use ACLs to disable and limit services, ports, and protocols.
ISCW-Mod5_L1
186
Filtering Network Traffic to Mitigate Threats

ACLs can be used to mitigate many threats:
1. IP address spoofing Inbound 2. IP address spoofing Outbound 3. Denial of service (DoS) TCP SYN attacks Blocking external attacks 4. DoS TCP SYN attacks Using TCP Intercept 5. DoS Smurf attacks 6. Filtering Internet Control Message Protocol (ICMP) messages Inbound 7. Filtering ICMP messages Outbound 8. Filtering traceroute
ISCW-Mod5_L1
187
IP Address Spoofing Mitigation: Inbound
R2(config)#access-list 150 deny ip 10.2.1.0 0.0.0.255 any log R2(config)#access-list 150 deny ip 127.0.0.0 0.255.255.255 any log R2(config)#access-list 150 deny ip 0.0.0.0 0.255.255.255 any log R2(config)#access-list 150 deny ip 172.16.0.0 0.15.255.255 any log R2(config)#access-list 150 deny ip 192.168.0.0 0.0.255.255 any log R2(config)#access-list 150 deny ip 224.0.0.0 15.255.255.255 any log R2(config)#access-list 150 deny ip host 255.255.255.255 any log R2(config)#access-list 150 permit ip any 10.2.1.0 0.0.0.255 R2(config)#interface e0/0 R2(config-if)#ip access-group 150 in R2(config-if)#exit
ISCW-Mod5_L1
188
IP Address Spoofing Mitigation: Outbound
R2(config)#access-list 105 permit ip 10.2.1.0 0.0.0.255 any R2(config)#access-list 105 deny ip any any log R2(config)#interface e0/1 R2(config-if)#ip access-group 105 in R2(config-if)#end
Be a good citizen and prevent your network from being spoofed.
ISCW-Mod5_L1
189
DoS TCP SYN Attack Mitigation: Blocking External Access
R2(config)#access-list 109 permit tcp any 10.2.1.0 0.0.0.255 established R2(config)#access-list 109 deny ip any any log R2(config)#interface e0/0 R2(config-if)#ip access-group 109 in R2(config-if)#end
ISCW-Mod5_L1
190
DoS TCP SYN Attack Mitigation: Using TCP Intercept
R2(config)#ip tcp intercept list 110 R2(config)#access-list 110 permit tcp any 10.2.1.0 0.0.0.255 R2(config)#access-list 110 deny ip any any R2(config)#interface e0/0 R2(config-if)#ip access-group 110 in R2(config-if)#end
ISCW-Mod5_L1
191
DoS Smurf Attack Mitigation
R2(config)#access-list 111 deny ip any host 10.2.1.255 log R2(config)#access-list 111 permit ip any 10.2.1.0 0.0.0.255 log R2(config)#access-list 112 deny ip any host 10.1.1.255 log R2(config)#access-list 112 permit ip any 10.1.1.0 0.0.0.255 log R2(config)#interface e0/0 R2(config-if)#ip access-group 111 in R2(config-if)#end R2(config)#interface e0/1 R2(config-if)#ip access-group 112 in R2(config-if)#end
ISCW-Mod5_L1
192
Filtering Inbound ICMP Messages
R2(config)#access-list 112 deny icmp any any echo log R2(config)#access-list 112 deny icmp any any redirect log R2(config)#access-list 112 deny icmp any any mask-request log R2(config)#access-list 112 permit icmp any 10.2.1.0 0.0.0.255 R2(config)#interface e0/0 R2(config-if)#ip access-group 112 in R2(config-if)#end
ISCW-Mod5_L1
193
Filtering Outbound ICMP Messages
R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 problem R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 too-big R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 quench R2(config)#access-list 114 deny icmp any any log R2(config)#interface e0/1 R2(config-if)#ip access-group 114 in R2(config-if)#end
any echo any parameterany packetany source-
ISCW-Mod5_L1
194
Filtering UDP Traceroute Messages
R2(config)#access-list 120 deny udp any any range 33400 34400 log R2(config)#access-list 120 permit ip any 10.1.1.0 0.0.0.255 log R2(config)#interface e0/1 R2(config-if)#ip access-group 120 in R2(config-if)#end
ISCW-Mod5_L1
195
Mitigating DDos Attacks

The next slide shows how a DDoS attack occurs:
Behind a Client is a person who launches the attack. A Handler is a compromised host that is running the attacker program. Each Handler is capable of controlling multiple Agents An Agent is a compromised host that is running the attacker program. Each Agent is responsible for generating a stream of packets that is directed toward the intended victim
Generally, routers cannot prevent all DDoS attacks, but they can help reduce the number of occurrences of attacks by building ACLs that filter known attack ports. Methods used to block DDoS by blocking selected ports aim at stopping TRIN00, Stacheldraht, Trinity v3, and SubSeven ACL rules are generally applied to inbound and outbound traffic between the protected network and the Internet
196
Basics of DDoS Attacks
DDoS attacks exploit specific ports. ACLs can control access on a port-by-port basis.
ISCW-Mod5_L1
197
Mitigate DDoS Using Martian Filters

RFC 2827 * recommends that ISPs police their customer traffic by dropping traffic that enters their networks from a source address that the customer network is not legitimately using The filtering includes, but is not limited to, traffic whose source address is a Martian addressa reserved address that includes any address within 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, or 240.0.0.0/4. The reasoning behind this ingress filtering procedure is that DDoS attacks frequently spoof source addresses of other systems, placing a random number in the field
* RFC 3704 is the update to RFC 2827
ISCW-Mod5_L1
198
Mitigate DDoS Using Martian Filters
RFC 3704 is update to RFC 2827

199
TRIN00 attack
TRIN00 is a distributed SYN DoS attack The attack method is a UDP flood The TRIN00 attack sets up communications between clients, handlers, and agents using these ports:
1524 tcp 27665 tcp 27444 udp 31335 udp
The mitigation tactic for the TRIN00 attack, as well as for the other DoS attacks, is to block both interfaces in the in direction. The goal is to prevent infected outside systems from sending messages to an internal network and to prevent any infected internal systems from sending messages out of an internal network to the vulnerable ports
200
ISCW-Mod5_L1
DDoS Attack Mitigation: TRIN00
R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny udp any R2(config)#access-list 190 deny udp any R2(config)#interface e0/0 R2(config-if)#ip access-group 190 in R2(config-if)#end R2(config)#interface e0/1 R2(config-if)#ip access-group 190 in R2(config-if)#end
any any any any
eq eq eq eq
1524 log 27665 log 31335 log 27444 log
ISCW-Mod5_L1
201
Stacheldraht attack
Stacheldraht is a DDoS tool that first appeared in 1999 and combines features of TRIN00 and Tribe Flood Network (TFN) Stacheldraht also contains some advanced features such as encrypted attacker-master communication and automated agent updates Possible Stacheldraht attacks are similar to the attacks of TFN; namely, ICMP flood, SYN flood, UDP flood, and smurf attacks
A Stacheldraht attack sets up communication between clients, handlers, and agents using these ports: 16660 tcp 65000 tcp
ISCW-Mod5_L1
202
DDoS Attack Mitigation: Stacheldraht
R2(config)#access-list 190 deny tcp any any eq 16660 log R2(config)#access-list 190 deny tcp any any eq 65000 log R2(config)#interface e0/0 R2(config-if)#ip access-group 190 in R2(config-if)#end R2(config)#interface e0/1 R2(config-if)#ip access-group 190 in R2(config-if)#end
ISCW-Mod5_L1
203
Trinity
Trinity is capable of launching several types of flooding attacks on a victim site including UDP, fragment, SYN, restore (RST), acknowledgement (ACK), and other floods Communication from the handler or intruder to the agent is accomplished via Internet Relay Chat (IRC) or ICQ from AOL Trinity appears to use primarily TCP port 6667 and also has a backdoor program that listens on TCP port 33270
ISCW-Mod5_L1
204
DDoS Attack Mitigation: Trinity v3
R2(config)#access-list 190 deny tcp any any eq 39168 log R2(config)#interface e0/0 R2(config-if)#ip access-group 190 in R2(config-if)#end R2(config)#interface e0/1 R2(config-if)#ip access-group 190 in R2(config-if)#end
ISCW-Mod5_L1
205
SubSeven
SubSeven is a backdoor Trojan that targets Windows machines Once a machine is infected, the attacker can take complete control over the system and has full access as if they were a local user The attacker can then use the victims machine to launch DDoS attacks Depending on the version, an attacker will try to exploit the following TCP ports:
1243, 2773, 6711, 6712, 6713, 6776, 7000, 7215, 16959, 27374, 27573, and 54283
ISCW-Mod5_L1
206
DDoS Attack Mitigation: SubSeven
R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#access-list 190 deny tcp any R2(config)#interface e0/0 R2(config-if)#ip access-group 190 in R2(config-if)#end R2(config)#interface e0/1 R2(config-if)#ip access-group 190 in R2(config-if)#end
any any any any any any any any any
eq 1243 log eq 2773 log range 6711 6713 log eq 6776 log eq 7000 log eq 7215 log eq 27374 log eq 27573 log eq 54283 log
207
Combined ACL Configuration File (1 of 6)

hostname R2 ! interface Ethernet0/0 ip address 10.1.1.2 255.255.0.0 ip access-group 126 in ! interface Ethernet0/1 ip address 10.2.1.1 255.255.255.0 ip access-group 128 in ! router rip network 10.0.0.0 ! no access-list 126 !
Apply ACL 126 to traffic coming into the network.
Apply ACL 128 to traffic coming out of the network.
Delete ACL 126 to make sure that you create a new ACL.
ISCW-Mod5_L1
208

Prevent spoofing using internal addresses. Prevent spoofing using invalid source addresses.
access-list 126 deny ip 10.2.1.0 0.0.0.255 any log ! access-list 126 deny ip 127.0.0.0 0.255.255.255 any log access-list 126 deny ip 0.0.0.0 0.255.255.255 any log access-list 126 deny ip 172.16.0.0 0.15.255.255 any log access-list 126 deny ip 192.168.0.0 0.0.255.255 any log access-list 126 deny ip 224.0.0.0 15.255.255.255 any log ! access-list 126 deny ip any host 10.2.1.255 log access-list 126 deny ip any host 10.2.1.0 log !
Deny packets destined to the remote access LAN.
access-list 126 permit tcp any 10.2.1.0 0.0.0.255 established !
Permit TCP return traffic to the remote access LAN.

209
ISCW-Mod5_L1

access-list 126 deny icmp any any echo log access-list 126 deny icmp any any redirect log access-list 126 deny icmp any any mask-request log access-list 126 permit icmp any 10.2.1.0 0.0.0.255 ! access-list 126 permit udp 10.1.0.0 0.0.255.255 host 255.255.255.255 eq 512 Block TRIN00, ! access-list 126 deny tcp any any eq 1524 log access-list 126 deny tcp any any eq 27665 log access-list 126 deny tcp any any eq 16660 log access-list 126 deny tcp any any eq 65000 log access-list 126 deny tcp any any eq 39168 log access-list 126 deny tcp any any eq 65000 log ! access-list 126 permit tcp any eq 20 10.2.1.0 0.0.0.255 gt 1023 !
Control ICMP traffic. Permit RIP updates.
Stacheldraht, and Trinity.
Allow FTP clients in the remote access LAN to use FTP.
210

Block the TRIN00 UDP ports. Deny tracing of the remote access LAN.
access-list 126 deny udp any any eq 27444 log access-list 126 deny udp any any eq 31335 log ! access-list 126 deny udp any any range 33400 34400 log ! access-list 126 permit udp any eq 53 10.2.1.0 0.0.0.255 gt 1023 ! access-list 126 deny tcp any range 0 65535 any range 0 65535 log access-list 126 deny udp any range 0 65535 any range 0 65535 log access-list 126 deny ip any any log !
Allow return DNS traffic.
Deny all remaining traffic and provide detailed logging information of denied traffic.
ISCW-Mod5_L1
211

no access-list 128 ! access-list 128 permit icmp 10.2.1.0 0.0.0.255 any echo access-list 128 permit icmp 10.2.1.0 0.0.0.255 any parameter-problem access-list 128 permit icmp 10.2.1.0 0.0.0.255 any packet-too-big access-list 128 permit icmp 10.2.1.0 0.0.0.255 any source-quench ! access-list 128 deny tcp any any range 1 19 log access-list 128 deny tcp any any eq 43 log access-list 128 deny tcp any any eq 93 log access-list 128 deny tcp any any range 135 139 log access-list 128 deny tcp any any eq 445 log access-list 128 deny tcp any any range 512 518 log access-list 128 deny tcp any any eq 540 log !
Delete ACL 128 so it is not appended to new ACL.
Permit needed ICMP messages.
Block access to certain outside TCP services.
212

Permit access to all remaining outside TCP services and to DNS (UDP/53) and allow tracing outside destinations.
access-list 128 permit tcp 10.2.1.0 0.0.0.255 gt 1023 any lt 1024 access-list 128 permit udp 10.2.1.0 0.0.0.255 gt 1023 any eq 53 access-list 128 permit udp 10.2.1.0 0.0.0.255 any range 33400 34400 log ! access-list 128 deny tcp any range 0 65535 any range 0 65535 log access-list 128 deny udp any range 0 65535 any range 0 65535 log access-list 128 deny ip any any log
Deny all remaining access and provide detailed logging of denied access.
ISCW-Mod5_L1
213
ACL Caveats
Statement (Implicit) Deny All Caveat You may not see this statement, but the statement does exist.
Standard ACL limitation You may need to create extended ACLs to implement security policies. Statement evaluation order Order of ACL statements Directional filtering ACL statements are evaluated from top down, so always consider the order of the statements. Place more specific ACL statements higher in the ACL. Ensure that statements at the top of the ACL do not negate any statements found lower in the list. Always double-check the direction (inbound or outbound) of data that your ACL is filtering.
ISCW-Mod5_L1
214
ACL Caveats (Cont.)

Statement Adding statements Special packets Caveat Adding new statements may require a new ACL to be created. If filtering router-generated packets is part of the security policy, the packets must be acted upon by inbound ACLs on adjacent routers or through other router filter mechanisms using ACLs. Always consider placing extended ACLs on routers as close as possible to the source the ACLs are filtering. Always place standard ACLs as close to the destination as possible.
Extended ACL placement Standard ACL placement
ISCW-Mod5_L1
215
Securing Management and Reporting Features
ISCW-Mod5_L1
216
Module Introduction
ISCW-Mod5_L1
217
Objectives
At the completion of this eighth lesson, you will be able to:
Describe and demonstrate how to set up syslog reporting for a large network Demonstrate the importance of secure channels for syslog information Describe the difference between inband and out-of-band reporting Read and analyse syslog reports
ISCW-Mod5_L1
218
Secure Management and Reporting Planning Considerations

Configuring logging for Cisco routers is a straightforward operation when the network contains only a few Cisco routers. However, logging and reading information from hundreds of devices can be a challenging proposition. Too much information can be as bad as too little information and can raise these important questions:
Which are the most important logs? How are important messages separated from routine notifications? How do you prevent tampering with logs? How do you make sure time stamps match? What log data is needed in criminal investigations? How do you deal with the volume of log messages? How do you manage all the devices? How can you track changes when attacks or network failures occur?
219
Secure Management and Reporting Architecture
ISCW-Mod5_L1
220
Information Paths
Information flow between management hosts and the managed devices can take two paths:
In-band: Information flows across the enterprise production network or the Internet (or both) Out of Band (OOB): Information flows within a network on which no production traffic resides
ISCW-Mod5_L1
221
Information Paths
ISCW-Mod5_L1
222
In-Band Management Considerations

Some questions that must be considered when designing an in-band management solution:
Which management protocols does each device support? Does the management channel need to be active at all times? Is SNMP necessary?
ISCW-Mod5_L1
223
Secure Management and Reporting Guidelines

In-band management guidelines:
Apply only to devices needing to be managed or monitored. Use IPsec when possible. Use SSH or SSL instead of Telnet. Decide whether the management channel needs to be open at all times. Keep clocks on hosts and network devices synchronised. Record changes and archive configurations.
OOB management guidelines:

Provide highest level of security and mitigate the risk of passing insecure management protocols over the production network. Keep clocks on hosts and network devices synchronised. Record changes and archive configurations.
224
Configuring an SSH Server for Secure Management and Reporting

Austin2#configure terminal Austin2(config)#ip domain-name cisco.com Austin2(config)#crypto key generate rsa general-keys modulus 1024 Sept 22 13:20:45: %SSH-5-ENABLED: SSH 1.5 has been enabled Austin2(config)#ip ssh timeout 120 Austin2(config)#ip ssh authentication-retries 4 Austin2(config)#line vty 0 4 Austin2(config-line)#no transport input telnet Austin2(config-line)#transport input ssh Austin2(config-line)#end
1. Configure the IP domain name. 2. Generate the RSA keys. 3. (Optional) Display generated keys. 4. Configure the SSH timeout interval. 5. Configure the SSH retries. 6. Disable vty inbound Telnet sessions. 7. Enable vty inbound SSH sessions.
225
Implementing Log Messaging for Security

Routers should be configured to send log messages to one or more of these:
Console Terminal lines Memory buffer SNMP traps Syslog
Syslog logging is a key security policy component
ISCW-Mod5_L1
226
Syslog Systems
Syslog server: A host that accepts and processes log messages from one or more syslog clients Syslog client: A host that generates log messages and forwards them to a syslog server
227
Cisco Log Severity Levels

Syslog Level and Name 0 LOG_EMERG 1 LOG_ALERT Definition A panic condition normally broadcast to all users A condition that should be corrected immediately, such as a corrupted system database Critical conditions; for example, hard device errors Errors Warning messages Conditions that are not error conditions but should possibly be handled specially Informational messages Messages that contain information that is normally used only when debugging a program Example Cisco IOS software could not load Temperature too high
2 LOG_CRIT 3 LOG_ERR 4 LOG_WARNING 5 LOG_NOTICE
Unable to allocate memory Invalid memory size Crypto operation failed Interface changed state, up or down Packet denied by ACL Packet type invalid
6 LOG_INFO 7 LOG_DEBUG
ISCW-Mod5_L1
228
Log Message Format

Time Stamp Message Text
Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)
Log Message Name and Severity Level
Note: The log message name is not the same as a severity level name.
ISCW-Mod5_L1
229
Configuring Syslog Step 1

Router(config)#
logging [host-name | ip-address] 1. Sets the destination logging host
Parameter host-name ip-address
Description The name of the host you want to use as a syslog server The IP address of the host you want to use as a syslog server
ISCW-Mod5_L1
230

Router(config)#
logging trap level
2. (Optional) Sets the log severity (trap) level

Parameter level Description Limits the logging of messages to the syslog servers to a specified level. You can enter the level number (0 to 7) or level name.
ISCW-Mod5_L1
231

Router(config)#
logging facility facility-type
3. (Optional) Sets the syslog facility

Parameter facility-type Description The syslog facility type (local0 to local7)
ISCW-Mod5_L1
232
Configuring Syslog Steps 4 and 5

Router(config)#
logging source-interface interface-type interface-number
4. (Optional) Sets the source interface

Parameter interface-type interface-number Description The interface type (for example, Ethernet) The interface number (for example, 0/1)
Router(config)#
logging on
5. Enables logging
ISCW-Mod5_L1
233
Syslog Implementation Example
R3(config)#logging R3(config)#logging R3(config)#logging R3(config)#logging
10.2.2.6 trap informational source-interface loopback 0 on

234
ISCW-Mod5_L1
Configuring SNMP
ISCW-Mod5_L1
235
Module Introduction
ISCW-Mod5_L1
236
Objectives
At the completion of this ninth lesson, you will be able to:
Describe the concepts behind the use of SNMP Explain the various SNMP actions Explain why the use of SNMP v1 and 2 is not recommended Demonstrate how to configure Cisco routers to use SNMPv3
ISCW-Mod5_L1
237
SNMP
SNMP the Simple Network Management Protocol forms part of the internet protocol suite as defined by the IETF SNMP is used by network management systems to monitor network-attached devices for conditions that warrant administrative attention It consists of a set of standards for network management, including an Application Layer protocol, a database schema, and a set of data objects The current version is SNMPv3
SNPv1 and v2 are considered obsolete, and are extremely insecure. It is recommended they NOT be used on a publicly attached network
238
SNMP Components
An SNMP-managed network consists of three key components:
1. Managed devices 2. Agents 3. Network-management systems (NMSs)
1. A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices can be routers and access servers, switches and bridges, hubs, computer hosts, or printers. 2. An agent is a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP. 3. An NMS executes applications that monitor (and possibly control) managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs must exist on any managed network.
Ref: Wikepedia - SNMP
ISCW-Mod5_L1
239
SNMP Managed Network
ISCW-Mod5_L1
240
SNMPv1 and SNMPv2 Architecture

SNMP asks agents embedded in network devices for information or tells the agents to do something.
ISCW-Mod5_L1
241
SNMP Actions
The SNMP protocol specifies (in version 1) five core PDUs:
1. GET REQUEST - used to retrieve a piece of management information. 2. GETNEXT REQUEST - used iteratively to retrieve sequences of management information. 3. GET RESPONSE - used agent responds with data to get and set requests from the manager. 4. SET REQUEST - used to initialise and make a change to a value of the network element. 5. TRAP - used to report an alert or other asynchronous event about a managed subsystem. In SNMPv1, asynchronous event reports are called traps while they are called notifications in later versions of SNMP.
242
SNMP Actions
Other PDUs were added in later versions, including:
GETBULK REQUEST - a faster iterator used to retrieve sequences of management information. INFORM - an acknowledged trap.
Typically, SNMP uses UDP ports 161 for the agent and 162 for the manager. The Manager may send Requests from any available ports (source port) to port 161 in the agent (destination port). The agent response will be given back to the source port. The Manager will receive traps on port 162. The agent may generate traps from any available port.
ISCW-Mod5_L1
243
Community Strings
SNMPv1 and SNMPv2 use a community string to access router SNMP agents SNMP community strings act like passwords An SNMP community string is a text string used to authenticate messages between a management station and an SNMP engine If the manager sends one of the correct read-only community strings, the manager can get information but NOT set information in an agent If the manager uses one of the correct read-write community strings, the manager can get or set information in the agent
ISCW-Mod5_L1
244
Community Strings
In effect, having read-write access is equivalent to having the enable password! SNMP agents accept commands and requests only from SNMP systems that use the correct community string. By default, most SNMP systems use a community string of public If the router SNMP agent is configured to use this commonly known community string, anyone with an SNMP system is able to read the router MIB Router MIB variables can point to entities like routing tables and other security-critical components of a router configuration, so it is very important that custom SNMP community strings are created
ISCW-Mod5_L1
245
SNMP Security Models and Levels

Definitions:
Security model is a security strategy used by the SNMP agent. Security level is the permitted level of security within a security model.
Model v1 v2 v3 Level noAuthNoPriv noAuthNoPriv noAuthNoPriv authNoPriv authPriv Authentication Community String Community String Username MD5 or SHA MD5 or SHA Encryption No No No No DES What Happens Authenticates with a community string match Authenticates with a community string match Authenticates with a username Provides HMAC MD5 or SHA algorithms for authentication Provides HMAC MD5 or SHA algorithms for authentication Provides DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard
ISCW-Mod5_L1
246
SNMPv3 Operational Model
ISCW-Mod5_L1
247
SNMPv3 Operational Model

The concepts of separate SNMP agents and SNMP managers do not apply in SNMPv3 SNMP combines these concepts into single SNMP entities Each managed node and the network management system (NMS) is a single entity There are two types of entities, each containing different applications:
Managed node SNMP entities: The managed node SNMP entity includes an SNMP agent and an SNMP MIB. The agent implements the SNMP protocol and allows a managed node to provide information to the NMS and accept instructions from the NMS. The MIB defines the information that can be collected and used to control the managed node. Information that is exchanged using SNMP takes the form of objects from the MIB SNMP NMS entities: The SNMP entity on an NMS includes an SNMP manager and SNMP applications. The manager implements the SNMP protocol and collects information from managed nodes and sends instructions to the nodes. The SNMP applications are software applications used to manage the network
ISCW-Mod5_L1
248
SNMPv3 Features and Benefits

It is strongly recommend that all network management systems use SNMPv3 rather than SNMPv1 or SNMPv2
Features
Message integrity: Ensures that a packet has not been tampered with in transit Authentication: Determines that the message is from a valid source Encryption: Scrambles the contents of a packet to prevent the packet from being seen by an unauthorised source Data can be collected securely from SNMP devices without fear of the data being tampered with or corrupted Confidential information, such as SNMP Set command packets that change a router configuration, can be encrypted to prevent the contents from being exposed on the network
Benefits
ISCW-Mod5_L1
249
Configuring an SNMP Managed Node

These are the four configuration tasks used to set up SNMPv3 communications on a Cisco IOS router:
1. Configure the SNMP-server engine ID to identify the devices for administrative purposes 2. Configure the SNMP-server group names for grouping SNMP users 3. Configure the SNMP-server users to define usernames that reside on hosts that connect to the local agent 4. Configure the SNMP-server hosts to specify the recipient of a notification operation (trap or inform)
ISCW-Mod5_L1
250
Configuring the SNMP-Server Engine ID (1)

To configure a name for either the local or remote SNMP engine on the router, use the snmp-server engineID global configuration command. The SNMP engine ID is a unique string used to identify the device for administration purposes.
An engine ID is not required for the device as a default string is generated using a Cisco enterprise number (1.3.6.1.4.1.9) and the MAC address of the first interface on the device.
If an individualised ID is required do not specify the entire 24character engine ID if the ID contains trailing zeros.
Specify only the portion of the engine ID up to the point at which only zeros remain in the value. This portion must be 10 hexadecimal characters or more. For example, to configure an engine ID of 123400000000000000000000, specify snmp-server engineID local 1234000000.
251
Configuring the SNMP-Server Engine ID (1)

A remote engine ID must be created when an SNMPv3 inform is configured The remote engine ID is used to compute the security digest for authenticating and encrypting packets that are sent to a user on the remote host
Informs are acknowledged traps. The agent sends an inform to the manager. When the manager receives the inform, the manager sends a response to the agent. Thus, the agent knows that the inform reached the intended destination.
ISCW-Mod5_L1
252
Configuring the SNMP-Server Group Names (2)

To configure a new SNMP group, or a table that maps SNMP users to SNMP views, use the snmp-server group global configuration command
This command groups SNMP users that reside on hosts that connect to the local SNMP agent
An SNMP view is a mapping between SNMP objects and the access rights that are available for those objects
An object can have different access rights in each view Access rights indicate whether the object is accessible by either a community string or a user
ISCW-Mod5_L1
253
Configuring the SNMP-Server Group Names (2)

Router(config)#
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list] Configures a new SNMP group or a table that maps SNMP users to SNMP views
PR1(config)#snmp-server group johngroup v3 auth PR1(config)#snmp-server group billgroup v3 auth priv
The top example shows how to define a group johngroup for SNMP v3 using authentication but not privacy (encryption) The bottom example shows how to define a group billgroup for SNMP v3 using both authentication and privacy
ISCW-Mod5_L1
254
Configuring the SNMP-Server Users (3)

To add a new user to an SNMP group, use the snmp-server user global configuration command To configure a user that exists on a remote SNMP device, specify the IP address or port number for the remote SNMP device where the user resides Also, before configuring remote users for that device, configure the SNMP engine ID using the command snmp-server engineID with the remote option The SNMP engine ID of the remote device is needed to compute the authentication and privacy digests from the password
If the remote engine ID is not configured first, the configuration command will fail
ISCW-Mod5_L1
255
Configuring the SNMP-Server Users (3)

Configure a new user to an SNMP group
Router(config)#
snmp-server user username groupname [remote ipaddress [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} [access access-list]
The first example (below) shows how to define a user John belonging to the group johngroup. Authentication uses the password john2passwd and no privacy (no encryption) is applied. The second example shows how user Bill, belonging to the group billgroup, is defined using the password bill3passwd and privacy (encryption) is applied
PR1(config)#snmp-server PR1(config)#snmp-server password2 PR1(config)#snmp-server PR1(config)#snmp-server

user John johngroup v3 auth md5 john2passwd user Bill billgroup v3 auth md5 bill3passwd des56 group johngroup v3 auth group billgroup v3 auth priv
256
Configuring the SNMP-Server Hosts (4)

To specify the recipient of an SNMP notification operation, use the snmpserver host global configuration command.
snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
SNMP notifications can be sent as traps or inform requests.

Traps are unreliable because the receiver does not send acknowledgments when the receiver receives traps The sender cannot determine if the traps were received
An SNMP entity that receives an inform request acknowledges the message with an SNMP response PDU.
Informs consume more computing resources in the agent and in the network.
If an snmp-server host command is NOT entered, no notifications are sent. To configure the router to send SNMP notifications, at least one snmp-server host command must be entered
If the command is entered with no keywords, all trap types are enabled for the host.
257

To be able to send an inform, perform these steps:
1. Configure a remote engine ID. 2. Configure a remote user. 3. Configure a group on a remote device. 4. Enable traps on the remote device. 5. Enable the SNMP manager.
ISCW-Mod5_L1
258

Configures the recipient of an SNMP trap operation
Router(config)#
snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
The example (below) shows how to send configuration informs to the 10.1.1.1 remote host
PR1(config)#snmp-server PR1(config)#snmp-server PR1(config)#snmp-server PR1(config)#snmp-server PR1(config)#snmp-server PR1(config)#snmp-server engineID remote 10.1.1.1 1234 user bill billgroup remote 10.1.1.1 v3 group billgroup v3 noauth enable traps host 10.1.1.1 inform version 3 noauth bill manager
259
ISCW-Mod5_L1
SNMP Types of Traps

Trap bgp config hsrp sdlc snmp syslog tty x25 Description Sends Border Gateway Protocol (BGP) state change traps. Sends configuration traps. Sends Hot Standby Router Protocol (HSRP) notifications. Sends Synchronous Data Link Control (SDLC) traps. Sends SNMP traps defined in RFC 1157. Sends error message traps (Cisco Syslog MIB). Specify the level of messages to be sent with the logging history level command. Sends Cisco enterprise-specific traps when a TCP connection closes. Sends X.25 event traps.
ISCW-Mod5_L1
260
SNMPv3 Configuration
The next slide shows how to configure Cisco IOS routers for SNMPv3. The router Trap_sender is configured to send traps to the NMS host with the IP address 172.16.1.1. The traps are encrypted using the credentials that are configured for the local user snmpuser who belongs to the group snmpgroup. The Trap_sender router sends traps that are related to CPU, configuration, and SNMP. The trap packets are sourced from the router loopback 0 interface The router Walked_device is configured so that the NMS host can read the MIBs on the local device. The NMS server needs to use the username credentials that are configured on the Walked_device (snmpuser with respective authentication and encryption passwords) to gain access to the SNMP information of the router
ISCW-Mod5_L1
261
SNMPv3 Configuration Example
Trap_sender(config)#snmp-server Trap_sender(config)#snmp-server Trap_sender(config)#snmp-server des56 encryptpassword Trap_sender(config)#snmp-server Trap_sender(config)#snmp-server Trap_sender(config)#snmp-server Trap_sender(config)#snmp-server Trap_sender(config)#snmp-server
group snmpgroup v3 auth group snmpgroup v3 priv user snmpuser snmpgroup v3 auth md5 authpassword priv enable traps cpu enable traps config enable traps snmp host 172.16.1.1 traps version 3 priv snmpuser source-interface traps loopback 0
Walked_device(config)#snmp-server group snmpgroup v3 auth Walked_device(config)#snmp-server group snmpgroup v3 priv Walked_device(config)#snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encrypt password
ISCW-Mod5_L1
262
Configuring the NTP Client
ISCW-Mod5_L1
263
Module Introduction
ISCW-Mod5_L1
264
Objectives
At the completion of this tenth lesson, you will be able to:
Explain how a router maintains an accurate time Describe NTP and how it is configured Configure NTP on a router as a server and a client Associate with NTP servers
ISCW-Mod5_L1
265
Understanding NTP
Time has been invented in the universe so that everything would not happen at once
The NTP FAQ and HOWTO - http://www.ntp.org/ntpfaq/
Many features in a computer network depend on time synchronisation, such as accurate time information in syslog messages, certificate-based authentication in VPNs, ACLs with time range configuration, and key rollover in routing protocol authentication (EIGRP and RIP) Most Cisco routers have two clocks: a battery-powered system calendar in the hardware and a software-based system clock These two clocks are managed separately
ISCW-Mod5_L1
266
System Clock
The heart of the router time service is the software-based system clock This clock starts to keep track of time from the moment the system starts The system clock can be set from a number of sources and can be used to distribute the current time through various mechanisms to other systems When a router with a system calendar is initialised or rebooted, the system clock is set based on the time in the internal batterypowered system calendar The system clock can then be set manually or by using the Network Time Protocol (NTP) - an Internet protocol used to synchronise the clocks of network connected devices to some time reference
NTP is an Internet standard protocol currently at v3 and specified in RFC 1305
ISCW-Mod5_L1
267
UTC - GMT
UTC (Temps Universel Coordonn or, in English, Coordinated Universal Time) is an official standard for the current time. UTC evolved from the former GMT (Greenwich Mean Time) that was previously used to accurately set the clocks on sailing ships before they left London for a long journey (very important to determine longitude and avoid navigational embarrassment..) Later GMT was adopted as the world's standard time. It has now been replaced by UTC.
One of the reasons that GMT has been replaced as official standard time was the fact that it was based on the mean solar time. Newer methods of time measurement showed that the mean solar time varied appreciably.
The main components of UTC:

Universal means that the time can be used everywhere in the world, It is independent from time zones (i.e. it's not local time). To convert UTC to local time, add or subtract the local time zone. Coordinated means that several institutions contribute their estimate of the current time, and UTC is built by combining these estimates.
The UTC second has been defined by the 13th General Conference of Weights and Measures in 1967 as "The second is the duration of 9,192,631,770 periods of the radiation corresponding to the transition between the two hyperfine levels of the ground state of the cesium-133 atom."
ISCW-Mod5_L1
268
Authoritative Time
In a router, the system clock keeps track of time internally based on UTC (which, despite the comment in the curriculum is not technically the same as GMT.) Information can be configured about the local time zone and daylight savings time so that the time appears correctly relative to the local time zone The system clock keeps track of whether the time is authoritative or not (that is, whether the time has been set by a time source that is considered to be authoritative) If the time is NOT considered authoritative, the time is available only for display purposes and is not redistributed within the network
ISCW-Mod5_L1
269
NTP
NTP is a protocol designed to time-synchronize a network of machines. NTP runs over UDP, which in turn runs over IP An NTP network usually obtains the time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronise two machines to within 1mS of one another
As of early 2007, NTP v4 has not completed IETF standardisation. RFC 1305 documents NTP v3 Cisco devices support only RFC specifications of NTPv3
NTP uses the concept of a stratum to describe how many NTP hops away a machine is from an authoritative time source A stratum 1 time server typically has a radio or atomic clock directly attached to the server; a stratum 2 time server receives the time via NTP from a stratum 1 time server, etc, etc.
A machine that runs NTP automatically chooses the machine with the lowest stratum number to communicate with via NTP as the machines time source This strategy effectively builds a self-organising tree of NTP speakers
270
NTP
NTP is careful to avoid synchronising to a machine whose time may not be accurate. NTP avoids doing so in two ways:
1. NTP never synchronises to a machine that is not synchronised itself 2. NTP compares the time that is reported by several machines and does not synchronise to a machine whose time is significantly different than the others, even if the machines stratum number is lower
The communications (known as associations) between machines that run NTP are usually statically configured; each machine is given the IP address of all machines with which the machine should form associations Accurate timekeeping is possible by exchanging NTP messages between each pair of machines with an association In a LAN environment, NTP can be configured to use IP broadcast messages instead
This alternative reduces configuration complexity because each machine can be configured to send or receive broadcast messages. However, the accuracy of timekeeping is marginally reduced because the information flow is one-way only
ISCW-Mod5_L1
271
NTP Security
The time that a machine keeps is a critical resource, so the security features of NTP should be used to avoid the accidental or malicious setting of incorrect time Two mechanisms are available:
1. an ACL-based restriction scheme 2. an encrypted authentication mechanism.
Time service for a network should be derived from the public NTP servers that are available on the Internet
If the network is isolated from the Internet, the Cisco implementation of NTP allows a machine to be configured so that the machine acts as though the machine is synchronised via NTP when in fact the machine has determined the time using other means. Other machines then synchronise to that machine via NTP
ISCW-Mod5_L1
272
NTP Association
When multiple sources of time (eg, manual configuration) are available, NTP is always considered to be more authoritative NTP time overrides the time set by any other method An NTP association can be a peer association (this system is willing to either synchronise to the other system or to allow the other system to synchronise to it), or the association can be a server association (only this system will synchronise to the other system, and not vice versa)
ISCW-Mod5_L1
273
NTP Basic Features - Overview

A collected overview of NTP features:
NTP needs some reference clock that defines the true time to operate. All clocks are set towards that true time. (It will not just make all systems agree on some time, but will make them agree upon the true time as defined by some standard) NTP uses UTC as reference time (NOT GMT..) NTP is a fault-tolerant protocol that will automatically select the best of several available time sources to synchronise to. Multiple candidates can be combined to minimise the accumulated error. Temporarily or permanently insane time sources will be detected and avoided NTP is highly scalable. A synchronisation network may consist of several reference clocks. Each node of such a network can exchange time information either bidirectional or unidirectional. Propagating time from one node to another forms a hierarchical graph with reference clocks at the top Having available several time sources, NTP can select the best candidates to build its estimate of the current time. The protocol is highly accurate, using a resolution of less than a nanosecond (about 2^-32 seconds) Even when a network connection is temporarily unavailable, NTP can use measurements from the past to estimate current time and error For formal reasons NTP will also maintain estimates for the accuracy of the local time
274
Configuring NTP Authentication

NTP services are enabled on all interfaces by default.
To disable NTP on a specific interface, use the ntp disable command in the interface configuration mode.
To authenticate the associations with other systems for security purposes, use the commands in the NTP Authentication Commands table (see next slide)
ISCW-Mod5_L1
275
NTP Authentication Commands

Command ntp authenticate Description Enables the NTP authentication feature. If this command is specified, the system will not synchronize to a system unless the systems NTP messages carry one of the authentication keys that you specify in the ntp trustedkey global configuration command.
ntp Defines an authentication key. Message authentication authentication-key support is provided using the MD5 algorithm. The key number md5 value type md5 is currently the only key type that this command supports. The key value can be any arbitrary string of up to eight characters. ntp trusted-key key-number Defines trusted authentication keys.
The first command enables the NTP authentication feature. The second command defines each of the authentication keys. Each key has a key number, a type, and a value. Currently the only key type supported is md5. Finally, a list of trusted authentication keys is defined. If a key is trusted, this system is ready to synchronise to a system that uses this key in the systems NTP packets
276
Configuring NTP Authentication

Router(config)#
ntp authenticate
Enables the authentication feature

Router(config)#
ntp authentication-key number md5 value
Defines the authentication keys Used for both peer and server associations
Router(config)#
ntp trusted-key key-number
Defines the trusted authentication keys Required to synchronise to a system (server association)
R1(config)#ntp authentication R1(config)#ntp authentication-key 1 md5 NeVeRgUeSs R1(config)#ntp trusted-key 1
277
Configuring NTP Associations

To configure a router as an NTP client, either create an association to a server or configure the router to listen to NTP broadcast packets.
ntp server: Although the router can be configured with either a peer or a server association, NTP clients are typically configured with a server association (meaning that only this system will synchronise to the other system, and not vice versa). To allow the software clock to be synchronised by an NTP time server, use the ntp server command in global configuration mode.
ntp broadcast client: In addition to or instead of creating unicast NTP associations, the system can be configured to listen to broadcast packets on an interface-by-interface basis
To do this, use the ntp broadcast client command in interface configuration mode
ISCW-Mod5_L1
278
Configuring NTP Associations

Router(config)#
ntp server {ip-address | hostname} [version number] [key keyid] [source interface] [prefer]
Forms a server association with another system

Router(config-if)#
ntp broadcast client
Receives NTP broadcast packets

R1(config)#ntp server 10.1.1.1 key 1 R1(config)#ntp server 10.2.2.2 key 2 prefer R1(config)#interface Fastethernet 0/1 R1(config-if)#ntp broadcast client
ISCW-Mod5_L1
279
Configuring Additional NTP Options

To control access to NTP services, in addition to packet authentication, a NTP access group can be created and a basic IP ACL applied to it To control access to NTP services, use the ntp access-group command in global configuration mode The access group options are scanned in the following order, from least restrictive to most restrictive:
1. peer: Allows time requests and NTP control queries and allows the system to synchronise itself to a system whose address passes the ACL criteria. This option is used in scenarios where either the local or the remote system can become the NTP source 2. serve: Allows time requests and NTP control queries but does not allow the system to synchronise itself to a system whose address passes the ACL criteria. This option lets you filter IP addresses of systems that can become clients of the local system from which NTP control queries will be permitted 3. serve-only: Allows only time requests from a system whose address passes the ACL criteria. This option lets you filter IP addresses of systems that can become clients of the local system from which NTP control queries will be denied 4. query-only: Allows only NTP control queries from a system whose address passes the ACL criteria
280
Configuring Additional NTP Options

If the source IP address matches the ACLs for more than one access type, the first access type that is listed is granted. If no access groups are specified, all access types are granted to all systems. If any access groups are specified, only the specified access types are granted When the system sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source command in global configuration mode to configure a specific interface from which the IP source address will be taken ntp source interface
This interface is used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source parameter on the ntp peer or ntp server command
ISCW-Mod5_L1
281
Implementing the NTP Server

Cisco IOS routers work as an NTP server by default. As soon as a router is synchronised to an authoritative time source, the router allows peers with lower stratum to synchronise to that router:
Requires a peer association
You can make a router an authoritative NTP server, even if the system is not synchronised to an outside time source. Two options to establish a peer association:
1. Unicast 2. Broadcast
Same exchange control methods as those methods used with client:

Packet authentication Access group filtering
ISCW-Mod5_L1
282
Configuring the NTP Server

Router(config)#
ntp peer ip-address [normal-sync][version number] [key keyid] [source interface] [prefer]
Forms a peer association with another system

Router(config)#
ntp master [stratum] Makes the system an authoritative NTP server

Router(config-int)#
ntp broadcast [version number][destination address][key keyid]
Configures an interface to send NTP broadcast packets

R2(config)#ntp peer 10.1.1.1 key 1 R2(config)#ntp master 3 R2(config)#interface Fastethernet0/0 R2(config-int)#ntp broadcast
ISCW-Mod5_L1
283
NTP Configuration Example
Source(config)#ntp Source(config)#ntp Source(config)#ntp Source(config)#ntp
master 5 authentication-key 1 md5 secretsource peer 172.16.0.2 key 1 source loopback 0
Intermediate(config)#ntp authentication-key 1 md5 secretsource Intermediate(config)#ntp authentication-key 2 md5 secretclient Intermediate(config)#ntp trusted-key 1 Intermediate(config)#ntp server 172.16.0.1 Intermediate(config)#ntp source loopback 0 Intermediate(config)#interface Fastethernet0/0 Intermediate(config-int)#ntp broadcast Client(config)#ntp authentication-key 1 md5 secretclient Client(config)#ntp trusted-key 1 Client(config)#interface Fastethernet0/1 Client(config-int)#ntp broadcast client
ISCW-Mod5_L1
284
Configuring AAA on Cisco Routers
ISCW-Mod5_L1
285
Module Introduction
ISCW-Mod5_L1
286
Objectives
At the completion of this eleventh lesson, you will be able to:
Describe what is meant by the term triple A Explain how and why AAA should be used to secure router and switch access Configure AAA using the IOS CLI and SDM Describe the use of external AAA servers, including a brief overview of CSACS
ISCW-Mod5_L1
287
Authentication, Authorisation & Accounting

It is strongly recommended that network and administrative access security in the Cisco environment is based on a modular architecture that has three functional components:
1. authentication, 2. authorisation, and 3. accounting
also known as AAA These AAA services provide a higher degree of scalability than line-level and privileged-EXEC authentication to networking components Unauthorised access in campus, dialup, and Internet environments creates the potential for network intruders to gain access to sensitive network equipment, services and data Using a Cisco AAA architecture enables consistent, systematic and scalable access security
ISCW-Mod5_L1
288
The Three Components of AAA

Authentication
Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption
Authorisation
Provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet
Accounting
Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes
ISCW-Mod5_L1
289
Authentication
Authentication is the way a user is identified prior to being allowed access to the network and network services AAA authentication is configured by defining a named list of authentication methods, and then applying that list to various interfaces The method list defines the types of authentication to be performed and the sequence in which they will be performed; it MUST be applied to a specific interface before any of the defined authentication methods will be performed
The only exception is the default method list (default). The default method list is automatically applied to all interfaces if no other method list is defined. A defined method list overrides the default method list.
All authentication methods, except for local, line password, and enable authentication, MUST be defined through AAA
290
Authorisation
Authorisation provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet AAA authorisation works by assembling a set of attributes that describe what the user is authorised to perform These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions
The database can be located locally on the access server or router, or it can be hosted remotely on a RADIUS or TACACS+ security server
As with authentication, AAA authorisation is configured by defining a named list of authorisation methods, and then applying that list to various interfaces
291
Accounting
Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting - user identities, start and stop times, executed commands, number of packets, and number of bytes Accounting enables tracking of the services users are accessing as well as the amount of network resources they are consuming With AAA accounting activated, the NAS reports user activity to the RADIUS or TACACS+ security server in the form of accounting records Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analysed for network management, client billing, and/or auditing All accounting methods must be defined through AAA. Accounting is configured by defining a named list of accounting methods, and then applying that list to various interfaces
ISCW-Mod5_L1
292
Access Control
In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer security functions If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server Although AAA is the primary (and recommended) method for access control, Cisco IOS software provides additional features for simple access control that are outside the scope of AAA, such as local username authentication, line password authentication, and enable password authentication. However, these features do not provide the same degree of access control that is possible by using AAA
ISCW-Mod5_L1
293
Implementing AAA
Cisco provides three ways of implementing AAA services for Cisco routers, network access servers (NAS), and switch equipment:
1. Self-contained AAA: AAA services can be self-contained in the router or NAS itself (also known as local authentication) 2. Cisco Secure ACS for Windows Server: AAA services on the router or NAS contact an external Cisco Secure Access Control Server (ACS) for Windows system for user and administrator authentication 3. Cisco Secure ACS Solution Engine: AAA services on the router or NAS contact an external Cisco Secure ACS Solution Engine for user and administrator authentication
There are also open source AAA servers available that work in conjunction with Cisco IOS devices
ISCW-Mod5_L1
294
Implementing AAA
Administrative access: Console, Telnet, and AUX access Remote user network access: Dialup or VPN access
295
Router Access Modes

All of the AAA commands (except aaa accounting system) apply to either character mode or packet mode. (The mode refers to the format of the packets that request AAA)
If the query is presented as Service-Type = Exec-User, the query is presented in character mode If the request is presented as Service-Type = Framed-User and Framed-Type = PPP, the request is presented in packet mode.
Character mode allows a network administrator with a large number of routers in a network to authenticate one time as the user, and then access all routers that are configured in this method Primary applications for the Cisco Secure ACS include securing dialup access to a network and securing the management of routers within a network. Both applications have unique AAA requirements. With CSACS, a variety of authentication methods can be chosen, each providing a set of authorisation privileges. Router ports must be secured using the Cisco IOS software and a CSACS server
296
ISCW-Mod5_L1
Router Access Modes
ISCW-Mod5_L1
297
AAA Protocols: RADIUS and TACACS+
ISCW-Mod5_L1
298
AAA Protocols: RADIUS and TACACS+

The best-known and best-used types of AAA protocols are TACACS+ and RADIUS TACACS+ and RADIUS have different features that make them suitable for different situations RADIUS is maintained by a standard that was created by the IETF TACACS+ is a proprietary Cisco Systems technology that encrypts data
TACACS+ runs over TCP - RADIUS runs over UDP
TACACS+ provides many benefits for configuring Cisco devices to use AAA for management and terminal services. TACACS+ can control the authorisation level of users; RADIUS cannot
Because TACACS+ separates authentication and authorisation, it is possible to use TACACS+ for authorisation and accounting, while using a different method for authentication, such as Kerberos
ISCW-Mod5_L1
299
RADIUS Features
Radius is an IETF standard protocol - RFC 2865 Standard attributes can be augmented by proprietary attributes:
Vendor-specific attribute 26 allows any TACACS+ attribute to be used over RADIUS
Uses UDP on standard port numbers (1812 and 1813; CSACS uses 1645 and 1646 by default) It includes only two security features:
1.Encryption of passwords (MD5 encryption) 2.Authentication of packets (MD5 fingerprinting)
Authorisation is only possible as part of authentication
ISCW-Mod5_L1
300
RADIUS Authentication and Authorisation
The example shows how RADIUS exchange starts once the NAS is in possession of the username and password The ACS can reply with Access-Accept message, or AccessReject if authentication is not successful
ISCW-Mod5_L1
301
RADIUS Messages
There are four types of messages involved in a RADIUS authentication exchange:
1. Access-Request: Contains AV pairs for the username, password (this is the only information that is encrypted by RADIUS), and additional information such as the NAS port 2. Access-Challenge: Necessary for challenge-based authentication methods such as Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MSCHAP), and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) 3. Access-Accept: The positive answer if the user information is valid 4. Access-Reject: Sent as a negative reply if the user information is invalid
302
RADIUS AV Pairs
RADIUS messages contain zero or more AV-pairs, for example:
1. 2. 3. 4. 5. User-Name User-Password (this is the only encrypted entity in RADIUS) CHAP-Password Service-Type Framed-IP-Address
There are approximately 50 standard-based attributes (RFC 2865) RADIUS allows proprietary attributes Basic attributes are used for authentication purposes Most other attributes are used in the authorisation process Cisco has added several vendor-specific attributes on the server side. Cisco IOS devices will, by default, always use Cisco AV pairs, but Cisco devices can be configured to use only IETF attributes for standard compatibility Accounting information is sent within special RADIUS accounting messages
303
ISCW-Mod5_L1
TACACS+ Attributes and Features

The TACACS+ protocol is much more flexible than the RADIUS communication. TACACS+ protocol permits the TACACS+ server to use virtually arbitrary dialogs to collect enough information until a user is authenticated TACACS+ messages contain AV-pairs, such as:
1. ACL 2. ADDR 3. CMD 4. Interface-Config 5. Priv-Lvl 6. Route
TACACS+ uses TCP on well-known port number 49 TACACS+ establishes a dedicated TCP session for every AAA action Cisco Secure ACS can use one persistent TCP session for all actions Protocol security includes authentication and encryption of all TACACS+ datagrams
304
TACACS+ Authentication
The example shows how TACACS+ exchange starts before the user is prompted for username and password. The prompt text can be supplied by the TACACS+ server.
ISCW-Mod5_L1
305
TACACS+ Network Authorisation
The example shows the process of network authorisation that starts after successful authentication.
ISCW-Mod5_L1
306
TACACS+ Command Authorisation
The example illustrates the command authorisation process that repeatedly starts for every command that requires authorisation (based on command privilege level).
ISCW-Mod5_L1
307
Configuring the AAA Server

These are the first steps in configuring the network access server:
Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands. Specify the Cisco Secure ACS (if being used, or other server if not) that will provide AAA services for the network access server Configure the encryption key that will be used to encrypt the data transfer between the network access server and the Cisco Secure ACS
ISCW-Mod5_L1
308
Configuring the AAA Server

TACACS+
RADIUS
ISCW-Mod5_L1
309
AAA Configuration Commands

Command aaa new-model tacacs-server host ipaddress single-connection Description Enables AAA on the router. Prerequisite for all other AAA commands. Indicates the address of the Cisco Secure ACS server and specifies use of the TCP single-connection feature of Cisco Secure ACS. This feature improves performance by maintaining a single TCP connection for the life of the session between the network access server and the Cisco Secure ACS server, rather than opening and closing TCP connections for each session (the default). Establishes the shared secret encryption key between the network access server and the Cisco Secure ACS server. Specifies a RADIUS AAA server. Specifies an encryption key to be used with the RADIUS AAA server.
tacacs-server key key
radius-server host ipaddress radius-server key key
ISCW-Mod5_L1
310
AAA Authentication Commands

Router(config)#
aaa authentication login {default | list_name} group {group_name | tacacs+ | radius} [method2 [method3 [method4]]]
Use this command to configure the authentication process

Router(config)#aaa authentication login default group tacacs+ local line
ISCW-Mod5_L1
311
aaa authentication login Parameters

Parameter Description
default
This command creates a default that is automatically applied to all lines and interfaces, specifying the method or sequence of methods for authentication. This command creates a list, with a name of your choosing, that is applied explicitly to a line or interface using the method or methods specified. This defined list overrides the default when you apply the defined list to a specific line or interface. These methods specify the use of an AAA server. The group radius and group tacacs+ methods refer to previously defined RADIUS or TACACS+ servers. The group-name string allows the use of a predefined group of RADIUS or TACACS+ servers for authentication (created with the aaa group server radius or aaa group server tacacs+ command).
list-name
group group-name group radius group tacacs+
ISCW-Mod5_L1
312
aaa authentication login Parameters (Cont.)

Parameter method2 method3 method4 Description This command executes authentication methods in the order that the methods are listed. If an authentication method returns an error, such as a timeout, the Cisco IOS software attempts to execute the next method. If the authentication fails, access is denied. You can configure up to four methods for each operation. The method must be supported by the authentication operation that you specify. A general list of methods includes:
s- enable: s- group: s- krb5: s- line: s- local: s- local-case: s- none:
Uses the enable password for authentication sUses server-group sUses Kerberos Version 5 for authentication sUses the line password for authentication Uses the local username and password database for authentication sUses case-sensitive local username authentication sUses no authentication
ISCW-Mod5_L1
313
Configuring AAA Authentication Using TACACS+

Command Description aaa authentication login The default login is TACACS+ server. If there is no default group tacacs+ response from the server, then use the local username local and password database. aaa authentication login Used for character mode username and password my_list group tacacs+ challenge. A new list name, my_list, is defined, and the only method is TACACS+. line con 0 login authentication my_list line 1 48 login authentication my_list line vty 0 4 Enters console configuration mode. Configures the console line to use the AAA list name my_list, which has been previously defined to use only TACACS+. Configures lines 1 through 48 to use the AAA list name my_list, which has been previously defined to use only TACACS+. On lines vty 0 through 4, the default list is used, which in this case specifies the aaa authentication login default tacacs+ local command.
ISCW-Mod5_L1
314
Character Mode Login Example

Router#show running-config ... aaa new-model aaa authentication login default group tacacs+ local aaa authentication login my_list group tacacs+ ... line con 0 line aux 0 line vty 0 4 login authentication my_list
Because the authentication has not been specified for line con 0 and aux 0, the default option is used
ISCW-Mod5_L1
315
Enabling AAA in SDM
ISCW-Mod5_L1
316
Confirming the AAA Activation
ISCW-Mod5_L1
317
Defining RADIUS Servers
ISCW-Mod5_L1
318
Defining TACACS+ Servers
ISCW-Mod5_L1
319
Creating a Login Authentication Policy
ISCW-Mod5_L1
320
Configuring a Login Authentication Policy
ISCW-Mod5_L1
321
Creating an EXEC Authorisation Policy
ISCW-Mod5_L1
322
Configuring an EXEC Authorisation Policy
ISCW-Mod5_L1
323
Creating Local User Accounts
ISCW-Mod5_L1
324
Configuring VTY Line Parameters
ISCW-Mod5_L1
325
Applying Authentication Policy to VTY Lines
ISCW-Mod5_L1
326
Applying Authorisation Policy to VTY Lines
ISCW-Mod5_L1
327
Verifying AAA Login Authentication Commands

aaa new-model ! aaa authentication login default local aaa authentication login radius_local group radius group radius aaa authorization exec default local ! username joe secret 5 $1$SlZh$Io83V..6/8WEQYTis2SEW1 ! tacacs-server host 10.1.1.10 single-connection key secrettacacs radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key secretradius ! line vty 0 4 login authentication radius_local
ISCW-Mod5_L1
328
Troubleshoot AAA Login Authentication on Cisco Routers Use the debug aaa authentication command on routers to trace AAA packets and monitor authentication The command displays debugging messages on authentication functions
router#
debug aaa authentication
ISCW-Mod5_L1
329
AAA Authorization Commands

The access server can be configured to restrict the user to perform certain functions only after successful authentication Use the aaa authorization command in global configuration mode to select the function authorised and the method of authorisation Troubleshooting Authorization
To display information on AAA authorisation, use the debug aaa authorization command in privileged-EXEC mode. Use the no debug aaa authorization form of the command to disable this debug mode.
ISCW-Mod5_L1
330
AAA Authorization Commands
router(config)# aaa authorization {network | exec | commands level | config-commands | reverse-access} {default|list-name} method1 [method2...]
Example:
router(config)#aaa authorization exec default group radius local none
ISCW-Mod5_L1
331
AAA Accounting Commands

Use the aaa accounting command in global configuration mode for auditing and billing purposes.. Accounting of user EXEC sessions requires that aaa new-model is enabled and that the authentication and authorisation configuration is in place. The Cisco Secure ACS serves as a central repository for accounting information by completing the access control functionality.
Accounting tracks events that occur on the network.
Each session that is established through the Cisco Secure ACS can be fully accounted for and stored on the server. This stored information can be very helpful for management, security audits, capacity planning, and network usage billing.
ISCW-Mod5_L1
332
AAA Accounting Commands
router(config)# aaa accounting {command level | connection | exec | network | system} {default | list-name} {start-stop | stop-only | wait-start} group {tacacs+ | radius}
Example:
R2(config)#aaa accounting exec default start-stop group tacacs+
ISCW-Mod5_L1
333
AAA Accounting Example

R2#show running-config | begin aaa aaa new-model ! aaa authentication login default group tacacs+ local aaa authorization exec default group tacacs+ local aaa accounting exec default start-stop group tacacs+ ... tacacs-server host 10.1.1.3 tacacs-server key SeCrEtKeY ...
The Cisco Secure ACS serves as a central repository for accounting information by completing the access control functionality. Accounting tracks events that occur on the network. The next slide shows a TACACS+ report from Windows ACS
ISCW-Mod5_L1
334
TACACS+ Reports and Activity
ISCW-Mod5_L1
335
Troubleshooting Accounting
Use this command to help troubleshoot AAA accounting problems.
router#
debug aaa accounting
R2#debug aaa accounting 16:49:21: AAA/ACCT: EXEC acct start, line 10 16:49:32: AAA/ACCT: Connect start, line 10, glare 16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
ISCW-Mod5_L1
336
ISCW-Mod5_L1
337

ISCW Module 5

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ISCW Module 5

Uploaded by

Copyright:

Available Formats

Implementing Secure Converged Wide Area Networks (ISCW)

2007 Cisco Systems, Inc. All rights reserved.

Thinking Like a Hacker

Lesson 1 Module 5 Cisco Device Hardening

2007 Cisco Systems, Inc. All rights reserved.

Module Introduction (1)

2007 Cisco Systems, Inc. All rights reserved.

Module Introduction (2)

Module Introduction (3)

You will learn how to:

2007 Cisco Systems, Inc. All rights reserved.

2007 Cisco Systems, Inc. All rights reserved.

Seven Steps to Hacking a Network

2007 Cisco Systems, Inc. All rights reserved.

2007 Cisco Systems, Inc. All rights reserved.

Footprint Analysis (Reconnaissance)

2007 Cisco Systems, Inc. All rights reserved.

How to Defeat Footprinting

2007 Cisco Systems, Inc. All rights reserved.

Detail the Information

Exploit selected TCP ports, for example:

2007 Cisco Systems, Inc. All rights reserved.

Manipulate Users to Gain Access

2007 Cisco Systems, Inc. All rights reserved.

2007 Cisco Systems, Inc. All rights reserved.

2007 Cisco Systems, Inc. All rights reserved.

Gather Additional Passwords and Secrets

2007 Cisco Systems, Inc. All rights reserved.

Install Back Doors and Port Redirectors

Back doors may use reverse trafficking:

2007 Cisco Systems, Inc. All rights reserved.

Leverage the Compromised System

2007 Cisco Systems, Inc. All rights reserved.

Best Practices to Defeat Hackers

2007 Cisco Systems, Inc. All rights reserved.

Mitigating Network Attacks

Lesson 2 Module 5 Cisco Device Hardening

2007 Cisco Systems, Inc. All rights reserved.

2007 Cisco Systems, Inc. All rights reserved.

2007 Cisco Systems, Inc. All rights reserved.

Attacks Based on Minimal Intelligence

Attacks that require little intelligence about the target network:

Attacks Based on Intelligence or Insider Information

2007 Cisco Systems, Inc. All rights reserved.

2007 Cisco Systems, Inc. All rights reserved.

Packet Sniffer Mitigation

Port Scans and Ping Sweeps

Port Scans and Ping Sweeps

2007 Cisco Systems, Inc. All rights reserved.

Port Scan and Ping Sweep Mitigation

2007 Cisco Systems, Inc. All rights reserved.

Port Scan and Ping Sweep Mitigation

2007 Cisco Systems, Inc. All rights reserved.

Internet Information queries

2007 Cisco Systems, Inc. All rights reserved.

Internet Information queries

Sample IP address query

Access Attacks and Mitigation

Access attacks can be performed in a number of different ways

2007 Cisco Systems, Inc. All rights reserved.

2007 Cisco Systems, Inc. All rights reserved.

2007 Cisco Systems, Inc. All rights reserved.

Password Attack Example