Networkers Template - PowerPoint PPT Presentation
Slides: 76
Provided by: Pres135

Transcript and Presenter's Notes
1
(No Transcript)
2
Designing Secure Enterprise Network
C 405 NW98
3
Infrastructure Security
4
The Security Wheel
1 Corporate Security Policy
2 SECURE
3 MONITOR
4 AUDIT/TEST
5 MANAGE / IMPROVE
5
Procedures and Operations
Rules
Training
Periodic Review
Delegation of Authority
6
Goals of the Session
  • Define what to protect:
    anything that could cause problems if it were to
    stop or malfunction
  • Decide how to protect it: good enough vs. absolute
    protection
  • Think about the cost of protection vs. the
    cost of loss or corruption

7
Agenda
  • I. Introduction
  • II. Router/Switch Self-Protection
  • III. Resource Protection
  • IV. Perimeter Protection
  • V. Sustaining Network Security
  • VI. Security Sustainment Validation
  • VII. Conclusions

8
II. Router/Switch Self-Protection
  • Threats
  • Avoidance Measures

9
Intruder Attack Points
  • The administrative interfaces
  • Console
  • Telnet
  • SNMP
  • Overload the data interface
  • Overload the processor

10
The Administrative Interface
Router>
  • Password Protection
  • Password Encryption

11
Banners
  • Select an appropriate login banner that tells who
    is allowed into the system

12
Native Passwords
line console 0
 login
 password one4all
 exec-timeout 1 30

User Access Verification
Password: <one4all>
router>
The native passwords can be viewed by anyone
logging in with the enable password
13
Service Password-Encryption (7)
  • Will encrypt all passwords on the Cisco IOS with
    Cisco-defined encryption type 7
  • Use enable password 7 <password> for cut/paste
    operations
  • Cisco proprietary encryption method

14
Service Password-Encryption
Before:
hostname Router
!
enable password one4all
!

After:
service password-encryption
!
hostname Router
!
enable password 7 15181E00F
15
Enable Secret (5)
  • Uses MD5 to produce a one-way hash
  • Cannot be decrypted
  • Use enable secret 5 <password> to cut/paste
    another enable secret password

16
Enable Secret 5
17
Password of Caution
  • Even passwords that are encrypted in the
    configuration are not encrypted on the wire as an
    administrator logs into the router

18
Use Good Passwords
hmm, How about Pancho?
  • Do not use passwords that can be easily guessed

19
Authentication Mechanisms
  • Local Password
  • Kerberos
  • TACACS
  • RADIUS
  • One-time Passwords

20
Cisco IOS TACACS Authentication
Encrypts passwords with encryption (7).
version 11.2
!
service password-encryption
!
hostname Router
!
aaa new-model
aaa authentication login ruth tacacs enable
aaa authentication login sarah tacacs local
enable secret 5 1hM3l.s/DgJ4TeKdDk
!
username john password 7 030E4E050D5C
username bill password 7 0430F1E060A51
!
Define list ruth to use TACACS, then the
enable password
Define list sarah to use TACACS, then the local
user and password
enable secret overrides the (7) encryption
Define local users
21
Cisco IOS TACACS Authentication
tacacs-server host 10.1.1.2
tacacs-server key <key>
!
line con 0
 login authentication ruth
line aux 0
 login authentication ruth
line vty 0 4
 login authentication sarah
 length 29
 width 92
!
end
Defines the IP address of the TACACS server
Defines the encryption key for
communicating with the TACACS server
Uses the authentication mechanisms listed in
ruth: TACACS, then enable password
Uses the authentication mechanisms listed in
sarah: TACACS, then a local user/password
22
PIX TACACS Authentication
PIX Version 4.2(2)
enable password BjeuCKspwqCc94Ss encrypted
password nU3DFZzS7jF1jYc5 encrypted
tacacs-server host 10.1.1.2 <key>
aaa authentication telnet outbound 0 0 0 0 tacacs
aaa authentication ftp outbound 0 0 0 0 tacacs
aaa authentication http outbound 0 0 0 0 tacacs
no snmp-server location
no snmp-server contact
snmp-server community notpublic
no snmp-server enable traps
telnet 10.1.1.2 255.255.255.255
...
Cryptochecksum:a21af67f58849f078a515b177df4228
: end
[OK]
Enable Password
Telnet Password
Defines the IP address of the TACACS server and
the key
Defines the services that require authentication
Defines the device that can Telnet into the PIX
23
Encrypted Telnet Sessions
  • Kerberos v5
  • Strong Authentication within the session
  • Relies heavily upon DNS and NTP

24
One-Time Passwords
  • May be used with TACACS or RADIUS
  • The same password will never be reused by an
    authorized administrator
  • Key Cards: CryptoCard token server included with
    CiscoSecure
  • Support for Security Dynamics and Secure
    Computing token servers in Cisco Secure

25
Restrict Telnet Access
26
SNMP Access Control
RO = Read Only, RW = Read Write
27
Switch Access Security
28
SNMP
  • Version one sends cleartext community strings
    and has no policy reference
  • Version two addresses some
    of the known security weaknesses of SNMP
    version one
  • Version three is being worked on

29
Identification Protocol
  • The Identification Protocol (Auth) can be enabled
    for sessions to the router

Telnet Host (D=23, S=4909)
Auth: who's using (D=23, S=4909)?
Auth: (D=23, S=4909) is Chris
Telnet (D=23, S=4909) proceed
RFC 1413 Identification Protocol: "The
information returned by this protocol is at most
as trustworthy as the host providing it..."
30
Resource Deprivation Attacks
version 11.2
!
no service udp-small-servers
no service tcp-small-servers
!
  • Daytime (13)
  • Chargen (19)
  • Echo (7)
  • Discard (9)

These are disabled by default in IOS 11.3
31
Resource Deprivation Attacks
  • Finger (tcp/79)

32
ARP Control
33
Switch Port Security
Console> set port security 3/1 enable 01-02-03-04-05-06
Console> set port security 3/2 enable
Console> show port 3
Port  Status     Vlan       Level      Duplex Speed Type
----- ---------- ---------- ---------- ------ ----- ------------
 3/1  connect    1          normal     half      10 10 BASE-T
 3/2  connect    1          normal     half      10 10 BASE-T

Port  Security   Secure-Src-Addr    Last-Src-Addr      Shutdown
----- ---------- ------------------ ------------------ --------
 3/1  enabled    01-02-03-04-05-06  01-02-03-04-05-06  No
 3/2  enabled    05-06-07-08-09-10  10-11-12-13-14-15  Yes
Console>
34
Administrator Authorization Levels
  • Sixteen administrative levels that can be used to
    delegate authority
  • Cisco IOS commands can be associated with a level

35
Audit Trail: Cisco IOS Syslog
unix$ tail cisco.log
Feb 17 21:48:26 10.1.1.101.9.132 31: Mar 2 11:51:55 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)
unix$ date
Tue Feb 17 21:49:53 CST 1998
unix$

version 11.2
service timestamps log datetime localtime show-timezone
!
logging 10.1.1.2

Router>sho clock
11:53:44.764 CST Tue Mar 2 1993
Router>
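The slide makes two points that an audit trail must survive: configuration changes are logged with the administrator's line and source address, and the router's own timestamp is only useful if its clock is right (the router above still believes it is 1993 while the syslog host says 1998). The following is an added example, not part of the presentation: a small parser over constructed syslog lines in the IOS format shown on the slide that extracts each %SYS-5-CONFIG_I event and flags changes from hosts outside an assumed trusted set, as well as device timestamps that disagree with the syslog host's receipt time. The log lines, the device addresses and the trusted-host list are all constructed for the demo.

```python
import re
from datetime import datetime

# Constructed sample of a syslog host's cisco.log in the format the slide shows:
# receipt time, device address, sequence number, the device's own timestamp
# (service timestamps log datetime localtime show-timezone), then the message.
LOG_LINES = """\
Feb 17 21:48:26 10.1.1.101 31: Mar  2 11:51:55 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)
Feb 17 21:50:02 10.1.1.101 32: Mar  2 11:53:31 CST: %SYS-5-CONFIG_I: Configured from console by console
Feb 17 21:52:40 10.1.1.102 7: Feb 17 21:52:39 CST: %SYS-5-CONFIG_I: Configured from console by vty1 (192.0.2.77)
Feb 17 21:53:10 10.1.1.102 8: Feb 17 21:53:09 CST: %LINK-3-UPDOWN: Interface Serial1, changed state to down
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<received>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<device>\S+) \d+: "
    r"(?P<devtime>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \w+: "
    r"(?P<msg>%\S+): (?P<text>.*)$"
)
# "Configured from console by vty0 (10.1.1.2)" / "Configured from console by console"
CONFIG_RE = re.compile(
    r"Configured from (?P<origin>\w+) by (?P<line>\w+)(?: \((?P<source>[\d.]+)\))?"
)
TIME_FMT = "%b %d %H:%M:%S"  # no year in either timestamp; both parse to the same dummy year


def parse_line(line):
    """Split one syslog line into its fields; None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["received_dt"] = datetime.strptime(f["received"], TIME_FMT)
    f["device_dt"] = datetime.strptime(f["devtime"], TIME_FMT)
    return f


def audit_config_changes(lines, trusted_hosts, max_skew_seconds=3600):
    """Return one finding per %SYS-5-CONFIG_I message.

    Each finding records the device, the line (vty0, console, ...) and the
    administrator's source address, plus a list of issues:
      - "untrusted-source": the change came from a host not in trusted_hosts
      - "clock-skew": the device timestamp disagrees with the syslog host's
        receipt time by more than max_skew_seconds, so events from this
        device cannot be correlated with anything else until NTP is fixed.
    """
    findings = []
    for line in lines:
        f = parse_line(line)
        if f is None or f["msg"] != "%SYS-5-CONFIG_I":
            continue
        c = CONFIG_RE.search(f["text"])
        if c is None:
            continue
        issues = []
        source = c.group("source")  # None for a console login
        if source is not None and source not in trusted_hosts:
            issues.append("untrusted-source")
        skew = abs((f["device_dt"] - f["received_dt"]).total_seconds())
        if skew > max_skew_seconds:
            issues.append("clock-skew")
        findings.append({
            "device": f["device"],
            "line": c.group("line"),
            "source": source,
            "skew_seconds": skew,
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_config_changes(LOG_LINES, trusted_hosts={"10.1.1.2"}):
        print(finding)
```

The skew check works on day-of-year and time only, because neither timestamp on the slide carries a year; a device that is months off, as on the slide, is still caught, and the console-origin event is reported even though it has no source address.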
36
Audit Trail: PIX Syslog
unix$ tail pix.log
Feb 20 07:46:25 10.1.1.1.2.2 Begin configuration reading from terminal
Feb 20 07:46:29 10.1.1.1.2.2 111005 End configuration OK
Feb 20 07:46:32 10.1.1.1.2.2 111001 Begin configuration writing to memory
Feb 20 07:46:32 10.1.1.1.2.2 111004 End configuration OK
unix$

PIX Version 4.2(2)
names
logging console informational
logging monitor informational
logging buffered informational
logging trap informational
logging facility 20
logging host inside 10.1.1.2
37
(No Transcript)
38
III. Resource Protection
  • Individual Resources
  • Threats
  • Avoidance measures

39
Spoofing
interface Serial 1
 ip address 172.26.139.2 255.255.255.252
 ip access-group 111 in
 no ip directed-broadcast
!
interface ethernet 0/0
 ip address 10.1.1.100 255.255.0.0
 no ip directed-broadcast
!
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
access-list 111 permit ip any any

Figure labels: 172.16.42.84; 10.1.1.2; IP (D=10.1.1.2, S=10.1.1.1)
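The anti-spoofing list above works because IOS evaluates entries in order, matches addresses through a wildcard mask (a 1 bit means "don't care"), and applies an implicit deny after the last entry. To make those semantics concrete, here is an added example, not part of the presentation and not IOS code: a parser for `access-list <n> permit|deny ip <src> <dst>` lines of the form shown on the slide, plus an evaluator that applies the list to constructed packet addresses arriving inbound on the serial interface. Only the `any`, `host`, and `network wildcard` address forms are handled; port-level and protocol-specific entries are outside this example.

```python
import ipaddress
import re

# The access list from the slide, as it appears in the running configuration
ACL_TEXT = """\
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
access-list 111 permit ip any any
"""

ACE_RE = re.compile(
    r"^access-list (?P<num>\d+) (?P<action>permit|deny) ip "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)$"
)


def parse_address(spec):
    """Turn 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' into (network, wildcard) as ints."""
    if spec == "any":
        return 0, 0xFFFFFFFF  # every bit is "don't care"
    if spec.startswith("host "):
        return int(ipaddress.IPv4Address(spec.split()[1])), 0  # every bit must match
    network, wildcard = spec.split()
    return int(ipaddress.IPv4Address(network)), int(ipaddress.IPv4Address(wildcard))


def parse_acl(text, number):
    """Return the entries of access-list `number` in configuration order."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and int(m.group("num")) == number:
            entries.append((m.group("action"),
                            parse_address(m.group("src")),
                            parse_address(m.group("dst"))))
    return entries


def matches(addr, network, wildcard):
    """IOS wildcard semantics: compare only the bits that are 0 in the wildcard."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (network & care)


def evaluate(acl, src, dst):
    """First matching entry decides; an IOS access list ends with an implicit deny."""
    for action, (snet, swc), (dnet, dwc) in acl:
        if matches(src, snet, swc) and matches(dst, dnet, dwc):
            return action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT, 111)
    # Constructed packets arriving inbound on Serial 1, all addressed to 10.1.1.2
    for src in ("10.1.1.1", "127.0.0.1", "172.16.42.84", "10.2.0.5"):
        print(f"{src:>14} -> 10.1.1.2: {evaluate(acl, src, '10.1.1.2')}")
```

Running it shows the packet from the figure (source 10.1.1.1 arriving from outside) and a loopback source both denied, while 172.16.42.84 is permitted. It also shows a limitation worth checking on a real router: the slide's second entry covers only 10.1.0.0/16, the network on ethernet 0/0, so a forged source of 10.2.0.5 still passes this particular list.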
40
ICMP Filtering
Extended Access List:
access-list 101 permit icmp any any <type> <code>

Summary of Message Types:
 0  Echo Reply
 3  Destination Unreachable
 4  Source Quench
 5  Redirect
 8  Echo
11  Time Exceeded
12  Parameter Problem
13  Timestamp
14  Timestamp Reply
15  Information Request
16  Information Reply
ICMP Codes are not shown

no ip unreachables (IOS will not send)
no ip redirects (IOS will not send or accept)
RFC 792 INTERNET CONTROL MESSAGE PROTOCOL
41
Source Routing
interface Serial 1
 ip address 172.16.139.2 255.255.255.252
 ip access-group 111 in
no ip source-route
!
access-list 111 permit ip 10.16.0.0 0.0.255.255 any

Figure: Private Network 10.16.0.0
"I'm 10.16.99.99 and here's the route back to me"
RFC 791 Internet Protocol
42
Example Scenario
43
Cisco IOS with an Access List
44
Cisco PIX
45
Cisco IOS Firewall Feature Set
46
Intranet Protection Costs
  • Versus
  • Loss
  • Corruption
  • Ease of Use

47
IV. Perimeter Protection
48
Firewall Protection
The Internet
Demilitarized Zone (DMZ)
DNS
WWW
Mail
  • Use access control lists on the screening router
    to control traffic
  • Isolate each server from traffic with a switch

49
Syn Attack
TCP syn (D=172.18.1.2, S=1.1.1.1)
TCP syn (D=172.18.1.2, S=1.1.1.2)
TCP syn (D=172.18.1.2, S=1.1.1.3)
TCP syn (D=172.18.1.2, S=1.1.1.4)
TCP syn (D=172.18.1.2, S=1.1.1.5)
172.18.1.2
TCP syn (D=172.18.1.2, S=2.1.1.1)
TCP syn (D=172.18.1.2, S=2.1.1.2)
50
Cisco IOS Syn Attack Defense
51
Cisco IOS Syn Attack Defense
ip tcp intercept list <access-list-number>
ip tcp intercept mode watch
TCP syn
TCP syn/ack
TCP ack
  • How many session requests in the last one minute?
  • How many incomplete sessions are there?
  • How long do I wait for the final ack?

52
PIX Syn Attack Defense
PIX Version 4.2(2)
static (inside,outside) 171.68.41.7 10.1.1.2 netmask 255.255.255.255 0 0
conduit permit tcp host 171.68.41.7 eq smtp any
Inside
Outside
The two trailing values of the static are max_conns and em_limit:
max_conns - the maximum number of TCP connections allowed
em_limit - the embryonic connection limit
53
Cisco IOS Firewall Feature Set Syn Attack Defense
ip inspect tcp synwait-time <seconds>
ip inspect tcp finwait-time <seconds>
ip inspect tcp idle-time <seconds>
TCP syn
TCP syn/ack
TCP ack
  • How many session requests in the last one minute?
  • How many incomplete sessions are there?
  • How long do I wait for the final ack?
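The three questions repeated on the TCP Intercept and Firewall Feature Set slides (requests in the last minute, incomplete sessions outstanding, how long to wait for the final ack) are exactly the state a half-open connection tracker keeps. The following is an added example, not part of the presentation and not the IOS implementation: a tracker that records SYNs against a protected server, completes entries on the third-packet ack, expires entries after a synwait timeout, and raises a watch-style alarm when the embryonic count exceeds a limit. The server address and the spoofed 1.1.1.x sources come from the slide; the timings, thresholds and client addresses are constructed for the demo.

```python
from collections import deque


class HalfOpenTracker:
    """Track embryonic (half-open) TCP connections to a protected server.

    Answers the slide's questions: how many session requests arrived in the
    last `window` seconds, how many sessions are still incomplete, and how long
    (`synwait`) to wait for the final ack before dropping a half-open entry.
    Constructed for illustration only.
    """

    def __init__(self, synwait=30.0, window=60.0, max_incomplete=100):
        self.synwait = synwait              # seconds to wait for the third-packet ack
        self.window = window                # length of the request-rate window
        self.max_incomplete = max_incomplete
        self.half_open = {}                 # (src, sport, dst, dport) -> time of syn
        self.requests = deque()             # timestamps of recent syns

    def _trim(self, now):
        while self.requests and now - self.requests[0] > self.window:
            self.requests.popleft()

    def syn(self, now, src, sport, dst, dport):
        """Record a session request (first packet of the handshake)."""
        self.expire(now)
        self.half_open[(src, sport, dst, dport)] = now
        self.requests.append(now)

    def ack(self, now, src, sport, dst, dport):
        """Final ack of the handshake completes the session; True if it matched an entry."""
        return self.half_open.pop((src, sport, dst, dport), None) is not None

    def expire(self, now):
        """Drop entries whose synwait has elapsed; returns how many were dropped."""
        stale = [k for k, t in self.half_open.items() if now - t > self.synwait]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def requests_in_window(self, now):
        """How many session requests in the last `window` seconds?"""
        self._trim(now)
        return len(self.requests)

    def incomplete(self):
        """How many incomplete sessions are there right now?"""
        return len(self.half_open)

    def under_attack(self, now):
        """Watch-mode style decision: too many embryonic sessions outstanding."""
        self.expire(now)
        return self.incomplete() > self.max_incomplete


def simulate_flood(n_spoofed=200, n_legit=5):
    """Constructed scenario from the slide: spoofed SYNs from 1.1.1.x that are
    never acked, followed by a few legitimate clients that complete the handshake."""
    tracker = HalfOpenTracker(synwait=30.0, window=60.0, max_incomplete=100)
    server = "172.18.1.2"
    t = 0.0
    for i in range(n_spoofed):
        tracker.syn(t, f"1.1.1.{i % 250 + 1}", 1024 + i, server, 25)
        t += 0.1
    for i in range(n_legit):
        client = f"172.16.42.{i + 1}"            # constructed legitimate clients
        tracker.syn(t, client, 40000 + i, server, 25)
        tracker.ack(t + 0.05, client, 40000 + i, server, 25)
        t += 0.1
    return tracker, t


if __name__ == "__main__":
    tracker, now = simulate_flood()
    print("requests in last minute:", tracker.requests_in_window(now))
    print("incomplete sessions:", tracker.incomplete())
    print("under attack:", tracker.under_attack(now))
    print("expired after synwait:", tracker.expire(now + 31.0))
```

Only the spoofed entries survive to the synwait expiry, because the legitimate clients' acks removed theirs; lowering `synwait` (the slide's `ip inspect tcp synwait-time`) is what bounds how much state a flood can pin down.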

54
Extranet Options
Virtual Private Networking
Private Links
Partner
Gateway
Campus Backbone
Internet
Partner
EDI Translator
Purchasing System
Partner
55
Electronic Commerce
Internet
Internet
Gateway Router
Demilitarized Zone (DMZ)
Web Server
Secure Commerce Servers
Intranet
Firewall
Enterprise Servers
Intranet
56
VPN Security Requirements
  • Encryption for authentication, confidentiality
    and integrity
  or
  • Physical line separation via private lines or
    frame relay

57
Virtual Private Dial Network
  • Layer 2 Forwarding
  • Layer 2 Tunnel Protocol

58
VPDN Entrance to the Enterprise
Internet
Internet
Screening Router
Demilitarized Zone (DMZ)
Home Gateway
Firewall
Intranet
Intranet
59
Dial Access Protection
Screening Router
DNS
WWW
Mail
  • Where to place the NAS?

60
V. Sustaining Network Security
  • 24 by 7

61
Dynamic Routing Protocols
Path Redundancy to Route Around Failures
62
Keyed Hashing for Authentication and Integrity
  • Secret key and message are hashed together
  • Recomputation of digest verifies that the message
    originated with the peer and that the message was
    not altered in transit

Figure: Secret Key + message -> Hash Function -> 983lna9458hk7436gq
63
Route Update Authentication and Integrity
Assemble the Packet with the Key:  IP HDR | Key | Route Update Data
-> Signature
To the Wire: Reassemble the Packet with the Signature
IP HDR | Signature | Route Update Data
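The two slides above describe the keyed-hash scheme used to authenticate routing updates: sender and receiver share a secret, the sender hashes the update data together with the key and puts the digest (not the key) on the wire, and the receiver recomputes the digest to check both origin and integrity. Here is an added example, not part of the presentation and not the code of any routing protocol implementation, that carries that construction through in Python: the shared key, the route update text and the altered copy are all constructed for the demo, and MD5 is used because it is the hash the presentation discusses elsewhere (enable secret).

```python
import hashlib
import hmac

DIGEST_LEN = hashlib.md5().digest_size  # 16 bytes

# Constructed secret configured on both routing peers; it never goes on the wire
SHARED_KEY = b"example-shared-routing-key"


def sign_update(route_update, key):
    """Assemble the data with the key and hash it, as the slide describes:
    digest = hash(route update data || key). Only the digest is transmitted."""
    return hashlib.md5(route_update + key).digest()


def build_packet(route_update, key):
    """Packet as it leaves the router: the signature takes the place of the key.
    (The IP header is omitted; it is not covered by the digest on the slide.)"""
    return sign_update(route_update, key) + route_update


def verify_packet(packet, key):
    """Recompute the digest over the received data. A mismatch means the update
    was altered in transit or was not produced by a holder of the key."""
    if len(packet) < DIGEST_LEN:
        return False
    signature, route_update = packet[:DIGEST_LEN], packet[DIGEST_LEN:]
    expected = sign_update(route_update, key)
    # constant-time comparison so the check itself leaks nothing about the digest
    return hmac.compare_digest(signature, expected)


def demo():
    """Return the three outcomes a receiver sees: genuine, wrong key, altered data."""
    update = b"route 10.0.0.0/8 via 10.1.1.1 metric 2"   # constructed update
    packet = build_packet(update, SHARED_KEY)
    altered = packet[:DIGEST_LEN] + packet[DIGEST_LEN:].replace(b"10.1.1.1", b"10.9.9.9")
    return {
        "genuine": verify_packet(packet, SHARED_KEY),
        "wrong_key": verify_packet(packet, b"not-the-shared-key"),
        "altered": verify_packet(altered, SHARED_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The digest-over-data-plus-key layout follows the slide literally; current designs use the HMAC construction (`hmac.new` in the same module) for the same purpose, and the verification logic is unchanged.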
64
Route Filtering
router rip
 network 10.0.0.0
 distribute-list 1 in
!
access-list 1 deny 0.0.0.0
access-list 1 permit 10.0.0.0 0.255.255.255

Router# sho ip proto
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 12 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is 1
  Redistributing: rip
65
Secure Vital Services
  • Network Time Protocol Sources
  • Domain Name Servers
  • Certificate Authority

66
Multi-Level Security - TCSEC, ITSEC and CC
  • Not really needed in Enterprise Networks
  • Difficult to implement
    (unless you're the military)

67
Session Protection through Encryption
Application to Application
Application
End to End
End to Intermediate
Network
Intermediate to Intermediate
Link
Link
Link
68
Session Protection through Network Layer
Encryption
Shared Secret Key
Shared Secret Key
Internet
Decrypt
Encrypt
(Cleartext)
(Cleartext)
(Ciphertext)
IPSec: the IETF working group defining IP Security
69
NetRanger
NetRanger Director
  • Sensors watch for attacks or problems
  • NetRanger stops active attacks

70
NetSonar Vulnerability Scanning
  • Network mapping
  • Identify live hosts
  • Identify services on hosts
  • Vulnerability scanning
  • Analyze discovery data for potential
    vulnerabilities
  • Confirm vulnerabilities on targeted hosts

71
VI. Security Sustainment Validation
  • What steps can you take to make sure that your
    network will continue to be secure?

72
Modeling Tools
  • NetSys Modeling can verify the access controls in
    your network

73
Validating Your Policy through Network Management
Systems
  • What to monitor?
  • What to measure?

Track and report trends that show how you are
achieving your security goals
Figure labels: Management, Access, Core, Workgroup, IBM
74
VII. Conclusions
For the want of a nail, the shoe was lost. For
the want of a shoe, the horse was lost. For the
want of a horse, the rider was lost. For the
want of a rider, the battle was lost. For the
want of a battle, the Kingdom was lost. And all
for the want of a horse shoe nail.
75
(No Transcript)