ISCW Module 5

Oct 14, 2014

Download

Documents

bikkel
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: ISCW Module 5

Implementing Secure Converged Wide Area Networks (ISCW)

© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod5_L1

Page 2: ISCW Module 5

Thinking Like a Hacker

Lesson 1 – Module 5 – ‘Cisco Device Hardening’

Page 3: ISCW Module 5

Module Introduction (1)

• The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people.

• Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.

• Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

Page 4: ISCW Module 5

Module Introduction (2)

• "If you know yourself but not your enemy, for every victory gained you will also suffer a defeat." Sun Tzu – The Art of War

Before learning how to defend against attack, you need to know how a potential attacker operates. The theme of the first few lessons in this module is therefore, “know thine enemy”.

• This module will help you to understand how hackers operate and what attack strategies they can employ. Once you know the nature of the threat, you will be better able to implement the full set of security features contained in Cisco IOS software to provide security for your network.

Page 5: ISCW Module 5

Module Introduction (3)

• The module describes the best practices for securing router administrative access using mechanisms such as:

password security features,

failed login attempt handling, and

role-based command-line interface (CLI).

• You will learn how to:

mitigate attacks using access lists;

design and implement a secure management system including secure protocols such as Secure Shell (SSH), Simple Network Management Protocol version 3 (SNMPv3), and authenticated Network Time Protocol (NTP).

• Also discussed are the most ubiquitous authentication, authorisation, and accounting (AAA) protocols, RADIUS and TACACS+, and explanations of the differences between them.

Page 6: ISCW Module 5

Objectives

• At the completion of this first lesson, you will be able to:

Describe the steps taken by a potential network hacker to gain unauthorised access

Explain the detailed information that a hacker is looking to learn, and how this may be used to compromise network security

Describe the basic steps that need to be taken to mitigate network attacks

Page 7: ISCW Module 5

Seven Steps to Hacking a Network

• Seven steps for compromising targets and applications:

Step 1 — Perform footprint analysis (reconnaissance)

Step 2 — Detail the information

Step 3 — Manipulate users to gain access

Step 4 — Escalate privileges

Step 5 — Gather additional passwords and secrets

Step 6 — Install back doors

Step 7 — Leverage the compromised system

Page 8: ISCW Module 5

Hacking a Network

• The goal of any hacker is to compromise the intended target or application

• Hackers begin with little or no information about the intended target, but by the end of their analysis, they will have accessed the network and will have begun to compromise their target

• Their approach is always careful and methodical—never rushed and never reckless

• The seven-step process outlined in the previous slide is a good representation of the method that hackers use – and a starting point for an analysis of how to defeat it

Page 9: ISCW Module 5

Footprint Analysis (Reconnaissance)

• Web pages, phone books, company brochures, subsidiaries, etc.

• Knowledge of acquisitions

• nslookup command to reconcile domain names against IP addresses of the company’s servers and devices

• Port scanning to find open ports and operating systems installed on hosts

• traceroute command to help build topology

• WHOIS queries

Page 10: ISCW Module 5

How to Defeat Footprinting

• Keep all sensitive data off-line (business plans, formulas, and proprietary documents)

• Minimise the amount of information on your public website

• Examine your own website for insecurities

• Run a ping sweep on your network

• Familiarise yourself with one or more of the five Regional Internet Registries – such as ARIN for North America – to determine network blocks.

Page 11: ISCW Module 5

Detail the Information

• Find your server applications and versions:

What are your web, FTP, and mail server versions?

Listen to TCP and UDP ports and send random data to each

Cross-reference information to vulnerability databases to look for potential exploits

• Exploit selected TCP ports, for example:

Windows NT, 2000, and XP file sharing using the SMB protocol, which uses TCP port 445.

In Windows NT, SMB runs on top of NetBT using ports 137, 138 (UDP), and 139 (TCP).

Page 12: ISCW Module 5

Software Tools

• Hackers can use some of the tools listed here. All of these tools are readily available to download, and security staff should know how these tools work.

• Netcat: Netcat is a featured networking utility that reads and writes data across network connections using the TCP/IP protocol.

• Microsoft EPDump and Remote Procedure Call (RPC) Dump: These tools provide information about Microsoft RPC services on a server:

The Microsoft EPDump application shows what is running and waiting on dynamically assigned ports.

The RPC Dump (rpcdump.exe) application is a command-line tool that queries RPC endpoints for status and other information on RPC.

• GetMAC: This application provides a quick way to find the MAC (Ethernet) layer address and binding order for a computer running Microsoft Windows 2000 locally or across a network.

• Software development kits (SDKs): SDKs provide hackers with the basic tools that they need to learn more about systems.

Page 13: ISCW Module 5

Manipulate Users to Gain Access

• Social engineering is a way to manipulate people inside the network to provide the information needed to access the network. A computer is not required!

Social engineering by telephone

Dumpster diving

Reverse social engineering

Recommended reading: “The Art of Deception: Controlling the Human Element of Security”, Mitnick, KD and Simon, WL; Wiley; New Ed edition (17 Oct 2003)

• There is a great deal of anecdotal evidence that this is one of the most successful techniques…

Page 14: ISCW Module 5

Password Cracking

• Hackers use many tools and techniques to crack passwords:

Word lists

Brute force

Hybrids

The yellow Post-It stuck on the side of the monitor, or in the top desk drawer…

• Password cracking attacks any application or service that accepts user authentication, including those listed here:

NetBIOS over TCP (TCP 139)

Direct host (TCP 445)

FTP (TCP 21)

Telnet (TCP 23)

SNMP (UDP 161)

PPTP (TCP 1723)

Terminal services (TCP 3389)

Page 15: ISCW Module 5

Escalate Privileges

• After securing a password for a user account and user-level privileges to a host, hackers attempt to escalate their privileges.

• The hacker will review all the information he or she can see on the host:

Files containing user names and passwords

Registry keys containing application or user passwords

Any available documentation (for example, e-mail)

• If the host cannot be seen by the hacker, the hacker may launch a Trojan application such as W32/QAZ to provide it.

Page 16: ISCW Module 5

Gather Additional Passwords and Secrets

• Hackers target:

The local security accounts manager database

The active directory of a domain controller

• Hackers can use legitimate tools including the pwdump and lsadump applications.

• Hackers gain administrative access to all computers by cross-referencing user names and password combinations

Page 17: ISCW Module 5

Install Back Doors and Port Redirectors

• Back doors provide:

A way back into the system if the front door is locked

A way into the system that is not likely to be detected

• Back doors may use reverse trafficking. Example: Code Red

• Port redirectors can help bypass port filters, routers, and firewalls and may even be encrypted over an SSL tunnel to evade intrusion detection devices.

Page 18: ISCW Module 5

Leverage the Compromised System

• Back doors and port redirectors let hackers attack other systems in the network

• Reverse trafficking lets hackers bypass security mechanisms

• Trojans let hackers execute commands undetected

• Scanning and exploiting the network can be automated

• The hacker remains behind the cover of a valid administrator account

• The whole seven-step process is repeated as the hacker continues to penetrate the network

Page 19: ISCW Module 5

Best Practices to Defeat Hackers

• Keep patches up to date

• Shut down unnecessary services and ports

• Use strong passwords and change them often

• Control physical access to systems

• Curtail unexpected and unnecessary input

• Perform system backups and test them on a regular basis

• Warn everybody about social engineering

• Encrypt and password-protect sensitive data

• Use appropriate security hardware and software

• Develop a written security policy for the company

Page 20: ISCW Module 5

Mitigating Network Attacks

Lesson 2 – Module 5 – ‘Cisco Device Hardening’

Page 21: ISCW Module 5

Module Introduction

• The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people.

• Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.

• Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

Page 22: ISCW Module 5

Objectives

• At the completion of this second lesson, you will be able to:

Describe some of the more common network attacks, and explain what effect they have on the network

Explain how to mitigate the effects of these common attacks

Page 23: ISCW Module 5

Reconnaissance

• Reconnaissance is the unauthorised discovery and mapping of systems, services, or vulnerabilities.

• Reconnaissance is also known as information gathering, and in most cases, precedes an access or Denial of Service (DoS) attack.

• The malicious intruder typically conducts a ping sweep of the target network to determine which IP addresses are alive and then determines which services or ports are active on the live IP addresses.

• The intruder then queries the ports to determine the type and version of the application and operating system that is running on the target host.

• Reconnaissance attacks can consist of the following:

Packet sniffers

Port scans

Ping sweeps

Internet information queries

Page 24: ISCW Module 5

Attacks Based on Minimal Intelligence

• Attacks that require little intelligence about the target network:

Reconnaissance

Access attacks

DoS and Distributed DoS (DDoS)

Page 25: ISCW Module 5

Attacks Based on Intelligence or Insider Information

• Attacks that typically require more intelligence or insider access:

Worms, viruses, and Trojan horses

Application layer attacks

Threats to management protocols

Page 26: ISCW Module 5

Packet Sniffing

• A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN

Packet sniffers can only work in the same collision domain as the network being attacked

• Promiscuous mode is a mode in which the network adapter card sends all packets that are received on the physical network wire to an application for processing

• Some network applications distribute network packets in plaintext. Because the network packets are not encrypted, the packets can be processed and understood by any application that can pick them off the network and process them

• Because the specifications for network protocols, such as TCP/IP, are widely published, a third party can easily interpret the network packets and develop a packet sniffer. Numerous freeware and shareware packet sniffers are available that do not require the user to understand anything about the underlying protocols

Page 27: ISCW Module 5

Packet Sniffers

A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets.

Packet sniffers:

Exploit information passed in plaintext. Protocols that pass information in plaintext are Telnet, FTP, SNMP, POP, and HTTP.

Must be on the same collision domain.

Can be used legitimately or can be designed specifically for attack.

Page 28: ISCW Module 5

Packet Sniffer Mitigation

• The techniques and tools that can be used to mitigate packet sniffer attacks include:

Authentication

Using strong authentication is a first option for defense against packet sniffers.

Cryptography

If a communication channel is cryptographically secure, the only data a packet sniffer detects is cipher text (a seemingly random string of bits) and not the original message

Anti-sniffer tools

Anti-sniffer tools detect changes in the response time of hosts to determine whether the hosts are processing more traffic than their own traffic loads would indicate.

Switched infrastructure

A switched infrastructure obviously does not eliminate the threat of packet sniffers but can greatly reduce the sniffers’ effectiveness.

Page 29: ISCW Module 5

Port Scans and Ping Sweeps

• As legitimate tools, port scan and ping sweep applications run a series of tests against hosts and devices to identify vulnerable services

• The information is gathered by examining IP addressing and port or banner data from both TCP and UDP ports

• Essentially, a port scan consists of sending a message to each port, one port at a time. The kind of response that the sender receives indicates whether the port is used and can therefore be probed for weakness

• A ping sweep, or ICMP sweep, is a basic network scanning technique that determines which range of IP addresses map to live hosts

Page 30: ISCW Module 5

Port Scans and Ping Sweeps

• Port scans and ping sweeps attempt to identify:

All services

All hosts and devices

The operating systems

Vulnerabilities

Page 31: ISCW Module 5

Port Scan and Ping Sweep Mitigation

• Port scanning and ping sweeping is not a crime and there is no way to stop these scans and sweeps when a computer is connected to the Internet

There are ways to prevent damage to the system

• Ping sweeps can be stopped if ICMP echo and echo-reply are turned off on edge routers

When these services are turned off, network diagnostic data is lost

• Network-based IPS and host-based IPS (HIPS) can usually notify when a reconnaissance attack is under way

• ISPs compare incoming traffic to the intrusion detection system (IDS) or the IPS signatures in the IPS database.

Signatures are characteristics of particular traffic patterns. A signature, such as “several packets to different destination ports from the same source address within a short period of time,” can be used to detect port scans

• A stealth scan is more difficult to detect, and many intrusion detection and prevention systems will not notice this scan taking place. Discovering stealth scans requires kernel-level work
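The port-scan signature quoted on this slide, turned into detection logic as an added example (not part of the Cisco course material): it counts distinct destination ports per source/destination pair inside a sliding time window over constructed flow records, and the slow one-probe-per-minute scan in the sample shows why a short window misses a spread-out scan. The flow records, window length and threshold are constructed assumptions, not IPS defaults.

```python
"""Port-scan detection from the slide's signature: "several packets to
different destination ports from the same source address within a short
period of time".  Added example, not Cisco course material.  The flow
records, window length and threshold below are constructed assumptions."""
from collections import defaultdict, deque

# Constructed flow records: (timestamp in seconds, src_ip, dst_ip, dst_port)
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 139, 443, 445, 3389]
SAMPLE_FLOWS = (
    # fast scan: ten ports on one host in under two seconds
    [(0.2 * i, "203.0.113.5", "192.0.2.10", p) for i, p in enumerate(SCAN_PORTS)]
    # legitimate client: repeated requests to a single port
    + [(3.0, "198.51.100.7", "192.0.2.10", 80),
       (3.5, "198.51.100.7", "192.0.2.10", 80)]
    # slow scan: five ports, one probe per minute
    + [(120.0 + 60.0 * i, "192.0.2.99", "192.0.2.10", p)
       for i, p in enumerate([21, 22, 23, 25, 80])]
)


def detect_port_scans(flows, window_seconds=10.0, port_threshold=5):
    """Return {(src_ip, dst_ip): peak_distinct_ports} for every pair that
    touched at least `port_threshold` distinct destination ports within any
    `window_seconds` sliding window.  Flows are processed in time order."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, port) in window
    alerts = {}
    for ts, src, dst, port in sorted(flows):
        window = recent[(src, dst)]
        window.append((ts, port))
        # expire records that fell out of the sliding window
        while window and ts - window[0][0] > window_seconds:
            window.popleft()
        distinct = len({p for _, p in window})
        if distinct >= port_threshold:
            alerts[(src, dst)] = max(distinct, alerts.get((src, dst), 0))
    return alerts


if __name__ == "__main__":
    print("10 s window:", detect_port_scans(SAMPLE_FLOWS))
    # a much longer window is needed before the one-probe-per-minute scan shows up
    print("10 min window:", detect_port_scans(SAMPLE_FLOWS, window_seconds=600.0))
```

Widening the window catches the slow scan at the cost of more state per source pair, which is the trade-off behind the slide's remark that stealth scans are hard to notice.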

Page 32: ISCW Module 5

Port Scan and Ping Sweep Mitigation

Port scans and ping sweeps cannot be prevented without compromising network capabilities.

However, damage can be mitigated using intrusion prevention systems at network and host levels.

Page 33: ISCW Module 5

Internet Information queries

• DNS queries can reveal information such as who owns a particular domain and what addresses have been assigned to that domain

• Ping sweeps of addresses revealed by DNS queries can present a picture of the live hosts in a particular environment

After such a list is generated, port scanning tools can cycle through all well-known ports to provide a complete list of all services that are running on the hosts that the ping sweep discovered. Hackers can examine the characteristics of the applications that are running on the hosts, which can lead to specific information that is useful when the hacker attempts to compromise that service

• IP address queries can reveal information such as who owns a particular IP address or range of addresses and which domain is associated with the addresses

Page 34: ISCW Module 5

Internet Information queries

• Sample IP address query

• Attackers can use Internet tools such as “WHOIS” as weapons.

Page 35: ISCW Module 5

Access Attacks and Mitigation

• Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information for these reasons:

Retrieve data

Gain access

Escalate their access privileges

• Access attacks can be performed in a number of different ways:

Password attacks

Trust exploitation

Port redirection

Man-in-the-middle attacks

Buffer overflow

Page 36: ISCW Module 5

Password Attacks

• Hackers implement password attacks using the following:

Brute-force attacks

Trojan horse programs

IP spoofing

Packet sniffers

Page 37: ISCW Module 5

Password Attacks

• Password attacks can be implemented using several methods, including brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers.

• One security risk is the fact that passwords can be stored as plaintext. To overcome this risk, passwords should be encrypted. On most systems, passwords are run through an encryption algorithm to generate a one-way hash.

• In granting authorisation, the hashes are calculated and compared rather than using the plain password.

• To use this encryption method, you supply an account and password during the login process, and the algorithm generates a one-way hash. This hash is compared to the hash stored on the system. If they are the same, the system assumes that the proper password was supplied.

Page 38: ISCW Module 5

Password Attack Example

• L0phtCrack takes the hashes of passwords and generates the plaintext passwords from them

• Passwords are compromised using one of two methods:

1. Dictionary cracking

2. Brute-force computation

Page 39: ISCW Module 5

Password Attack Mitigation

• Password attack mitigation techniques:

Do not allow users to use the same password on multiple systems

Disable accounts after a certain number of unsuccessful login attempts

Do not use plaintext passwords

Use “strong” passwords (for example, “mY8!Rthd8y” rather than “mybirthday”)
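The hash-and-compare login flow from the Password Attacks slide, combined with the account-lockout rule from this slide, as an added example (not Cisco course code). It goes beyond the slide in two ways: the one-way hash is salted and iterated with PBKDF2-HMAC-SHA256, so a stolen hash cannot be matched against a precomputed word list of the kind the L0phtCrack slide describes, and the comparison is constant time. The account names, passwords, iteration count and lockout threshold are constructed assumptions.

```python
"""Hash-and-compare login check from the Password Attacks slide, with the
lockout rule from the Password Attack Mitigation slide.  Added example, not
Cisco course code.  Beyond the slide: the one-way hash is salted and
iterated (PBKDF2-HMAC-SHA256) and compared in constant time.  Account
names, passwords, work factor and lockout threshold are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed work factor; raise as hardware allows
MAX_FAILED_ATTEMPTS = 3       # assumed lockout threshold
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, one-way hash).  A fresh random salt is drawn if none is
    supplied; the same salt must be passed again to verify a password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class Authenticator:
    """Stores only salt + hash per account; the plaintext is never kept."""

    def __init__(self):
        self._accounts = {}

    def add_account(self, name, password):
        salt, digest = hash_password(password)
        self._accounts[name] = {"salt": salt, "hash": digest,
                                "failed": 0, "locked": False}

    def login(self, name, password):
        """Return "ok", "bad-password", "locked" or "no-such-account".
        As on the slide: hash the supplied password and compare the hashes,
        never the plain passwords."""
        acct = self._accounts.get(name)
        if acct is None:
            # do the same work for unknown names so response time does not
            # reveal which account names exist
            hash_password(password, b"\x00" * SALT_BYTES)
            return "no-such-account"
        if acct["locked"]:
            return "locked"
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["hash"]):
            acct["failed"] = 0
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True   # disable after repeated failures
            return "locked"
        return "bad-password"

    def is_locked(self, name):
        return self._accounts[name]["locked"]


if __name__ == "__main__":
    auth = Authenticator()
    auth.add_account("alice", "mY8!Rthd8y")       # strong password from the slide
    for guess in ("mybirthday", "mybirthday", "mybirthday", "mY8!Rthd8y"):
        print(guess, "->", auth.login("alice", guess))
```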

Page 40: ISCW Module 5

Trust Exploitation

• Trust exploitation refers to an individual taking advantage of a trust relationship within a network.

• An example of when trust exploitation takes place is when a perimeter network is connected to a corporate network.

These network segments often contain DNS, SMTP, and HTTP servers. Because these servers all reside on the same segment, a compromise of one system can lead to the compromise of other systems if those other systems also trust systems that are attached to the same network.

• Another example of trust exploitation is a Demilitarised Zone (DMZ) host that has a trust relationship with an inside host that is connected to the inside firewall interface. The inside host trusts the DMZ host. When the DMZ host is compromised, the attacker can leverage that trust relationship to attack the inside host.

Page 41: ISCW Module 5

Trust Exploitation

A hacker leverages existing trust relationships.

Several trust models exist:

Windows:

Domains

Active directory

Linux and UNIX:

NIS

NIS+

Page 42: ISCW Module 5

Trust Exploitation

• Trust exploitation-based attacks can be mitigated through tight constraints on trust levels within a network

Systems that are inside a firewall should never absolutely trust systems that are outside a firewall. Absolute trust should be limited to specific protocols and, where possible, should be validated by something other than an IP address

• In the DMZ example, the hacker connected to the Internet has already exploited some vulnerability of the DMZ host connected to the DMZ interface of the firewall

• The hacker’s next goal is to compromise the inside host that is connected to the inside (trusted) interface of the firewall

To attack the inside host from the DMZ host, the hacker needs to find the protocols that are permitted from the DMZ to the inside interface. Once the protocols are known, the attacker searches for vulnerabilities on the inside host. This attack can be stopped if the firewall allows only minimum or no connectivity from the DMZ to the inside interface

Page 43: ISCW Module 5

Trust Exploitation Attack Mitigation

� Trust levels within a network are tightly restrained by ensuring that systems inside a firewall never absolutely trust systems outside the firewall.

Page 44: ISCW Module 5

Port Redirection

• A port redirection attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise have been dropped.

• Port redirection bypasses the firewall rule sets by changing the normal source port for a type of network traffic.

• You can mitigate port redirection by using proper trust models that are network-specific. Assuming a system is under attack, an IPS can help detect a hacker and prevent installation of such utilities on a host.

Page 45: ISCW Module 5

Port Redirection

Page 46: ISCW Module 5

“Man-in-the-Middle” Attacks

• Man-in-the-middle attacks have these purposes:

Theft of information

Hijacking of an ongoing session to gain access to your internal network resources

Traffic analysis to obtain information about your network and network users

DoS

Corruption of transmitted data

Introduction of new information into network sessions

• An example of a man-in-the-middle attack is when someone working for your ISP gains access to all network packets that transfer between your network and any other network

• Man-in-the-middle attacks can be mitigated by encrypting traffic in a VPN tunnel. Encryption allows the hacker to see only cipher text

Page 47: ISCW Module 5

Man-in-the-Middle Attacks and their Mitigation

A man-in-the-middle attack requires that the hacker has access to network packets that come across a network

A man-in-the-middle attack is implemented using the following:

Network packet sniffers

Routing and transport protocols

Man-in-the-middle attacks can be effectively mitigated only through the use of cryptographic encryption

Page 48: ISCW Module 5

DoS and DDoS Attacks and Mitigation

• A DDoS attack, and the simpler version of a DoS attack on a server, send extremely large numbers of requests over a network or the Internet

• These many requests cause the target server to run well below optimum speeds. Consequently, the attacked server becomes unavailable for legitimate access and use

• By overloading system resources, DoS and DDoS attacks crash applications and processes by executing exploits or a combination of exploits

DoS and DDoS attacks are the most publicised form of attack and are among the most difficult to completely eliminate

• The hacker community regards DoS attacks as trivial and considers them unsophisticated because the attack requires so little effort to execute

Page 49: ISCW Module 5

DoS and DDoS Attack Characteristics

• A DoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services

• The Distributed DoS technique performs simultaneous attacks from many distributed sources

• DoS and DDoS attacks have these characteristics:

Generally not targeted to gain access or information

Require very little effort to execute

Difficult to eliminate, but their damage can be minimised

• DoS and DDoS attacks can use IP spoofing

Page 50: ISCW Module 5

DDoS Attack Risks

• DDoS attack risks include:

Downtime and productivity loss

Revenue loss from sales and support services

Lost customer loyalty

Theft of information

Extortion

Stock price manipulation

Malicious competition

Page 51: ISCW Module 5

DDoS Attack Example

Page 52: ISCW Module 5

DoS and DDoS Attack Mitigation

• The threat of DoS and DDoS attacks can be reduced using:

Anti-spoof features on routers and firewalls

Proper configuration of anti-spoof features on your routers and firewalls can reduce your risk of attack. These features include appropriate filtering with access lists, unicast reverse path forwarding that looks up the routing table to identify spoofed packets, disabling of source route options, and others.

Anti-DoS features on routers and firewalls

Proper configuration of anti-DoS features on routers and firewalls can help limit the effectiveness of an attack. These features often involve limits on the number of half-open TCP connections that a system allows at any given time.

Traffic rate limiting at the ISP level

An organization can implement traffic rate limiting with the organization’s ISP

Page 53: ISCW Module 5

IP Spoofing in DoS and DDoS

• IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.

• IP spoofing can use either a trusted IP address in the network or a trusted external IP address.

• Uses for IP spoofing include:

Injecting malicious data or commands into an existing data stream

Diverting all network packets to the hacker, who can then reply as a trusted user, by changing the routing tables

• IP spoofing may only be one step in a larger attack.

Page 54: ISCW Module 5

IP Spoofing Attack Mitigation

• The threat of IP spoofing can be reduced, but not eliminated, using these measures:

Access control configuration

Encryption

RFC 3704 filtering

• Additional authentication requirements that do not use IP address-based authentication; examples are:

Cryptographic (recommended)

Strong, two-factor, one-time passwords
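The access-control and RFC 3704 filtering measures on this slide, and the anti-spoof features from the DoS and DDoS Attack Mitigation slide (access-list filtering and unicast reverse path forwarding), modelled in Python as an added example; it is neither Cisco course material nor IOS code. Each packet passes an ingress filter on the untrusted edge interface (no private or bogon sources, no sources claiming an inside address) and a strict uRPF check that looks up the source address in the routing table. The interface names, routing table, prefixes and packets are constructed, and the default route is assumed to satisfy uRPF on the edge.

```python
"""Anti-spoof ingress checks from the DoS/DDoS mitigation and IP spoofing
mitigation slides, modelled in Python.  Added example, not Cisco course
material and not IOS code.  Two checks are applied to each packet:
  1. an RFC 3704-style ingress filter on the untrusted edge interface that
     drops private/bogon sources and sources claiming an inside address;
  2. a strict unicast reverse path forwarding (uRPF) check: the routing
     table is looked up for the SOURCE address, and the packet is dropped
     unless the best route back to it leaves via the ingress interface.
The topology, interface names, routing table and packets are constructed,
and the default route is allowed to satisfy uRPF on the edge (assumption)."""
import ipaddress

EDGE_IFACE = "Serial0/0"   # constructed: link to the ISP

# Constructed routing table: (prefix, outgoing interface); longest match wins
ROUTING_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), EDGE_IFACE),
    (ipaddress.ip_network("192.0.2.0/24"), "FastEthernet0/0"),      # inside LAN
    (ipaddress.ip_network("198.51.100.0/24"), "FastEthernet0/1"),   # DMZ
]
INSIDE_PREFIXES = [p for p, iface in ROUTING_TABLE if iface != EDGE_IFACE]
# Sources that must never arrive from the Internet (a subset of the bogon list)
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup_route(src_ip):
    """Longest-prefix-match lookup; returns the outgoing interface or None."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in ROUTING_TABLE:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def ingress_verdict(src_ip, ingress_iface):
    """Return ("permit", "") or ("drop", reason) for one packet."""
    src = ipaddress.ip_address(src_ip)
    if ingress_iface == EDGE_IFACE:
        # access-list style filtering on the untrusted interface
        if any(src in p for p in BOGON_PREFIXES):
            return "drop", "bogon source address on edge interface"
        if any(src in p for p in INSIDE_PREFIXES):
            return "drop", "inside source address arriving from the Internet"
    # strict uRPF: the return path to the source must use the ingress interface
    if lookup_route(src_ip) != ingress_iface:
        return "drop", "uRPF: source not reachable via ingress interface"
    return "permit", ""


# Constructed packets: (src_ip, ingress interface)
SAMPLE_PACKETS = [
    ("203.0.113.5", EDGE_IFACE),          # ordinary Internet client
    ("192.0.2.10", "FastEthernet0/0"),    # inside host sending normally
    ("192.0.2.77", EDGE_IFACE),           # Internet packet spoofing an inside address
    ("10.1.1.1", EDGE_IFACE),             # private source from the Internet
    ("203.0.113.5", "FastEthernet0/0"),   # inside host spoofing an external address
    ("198.51.100.9", "FastEthernet0/0"),  # inside host spoofing a DMZ address
]


def audit(packets):
    """Apply both checks to each packet; return (src, iface, verdict, reason) tuples."""
    return [(src, iface) + ingress_verdict(src, iface) for src, iface in packets]


if __name__ == "__main__":
    for row in audit(SAMPLE_PACKETS):
        print(row)
```

The edge filter catches spoofing from outside, while uRPF on the inside interfaces catches inside hosts that spoof external or DMZ addresses, which is the role these features play in limiting what an IP-spoofing DoS source can emit.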

Page 55: ISCW Module 5

Network Attack Using Intelligence

Lesson 3 – Module 5 – ‘Cisco Device Hardening’

Page 56: ISCW Module 5

Module Introduction

� The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people.

� Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.

� Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

Page 57: ISCW Module 5

Objectives

� At the completion of this third lesson, you will be able to:

Describe the difference between virus, trojan and worm threats

Show how these threats are propagated

Explain techniques for dealing with these threats

Describe system software that can aid in defending and mitigating against host machine attacks

Page 58: ISCW Module 5

End Station (Host) Vulnerabilities

� Host machines are particularly vulnerable to attack if not adequately protected. The main threats are:

Viruses

Trojan horse attacks

Worms

Page 59: ISCW Module 5

Viruses

� A computer virus is a malicious computer program (executable file) that can copy itself and infect a computer without permission or knowledge of the user. The original may modify the copies or the copies may modify themselves, as occurs in a metamorphic virus

� A virus can only spread from one computer to another when its host is taken to an uninfected computer, for instance by a user sending it over a network as a file or as an email payload or carrying it on a removable medium such as a ‘floppy’ disk, USB disk (‘memory stick’), or CD / DVD

� Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages

Source: Wikipedia – Computer virus

Page 60: ISCW Module 5

Trojan Horse

� A Trojan horse is a program that, unlike a virus, contains or installs a malicious program, the payload or 'trojan'

� Trojan horses may appear to be useful or interesting programs, or at the very least harmless to an unsuspecting user, but are actually harmful when executed

� There are two common types of Trojan horses:

One is otherwise useful software that has been corrupted by a hacker inserting malicious code that executes while the program is used

The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives

Page 61: ISCW Module 5

Worms

� A computer worm is a self-replicating executable computer program. It uses a network to send copies of itself to other hosts (‘end-user’ machines on the network) and it may do so without any user intervention.

� Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.

Page 62: ISCW Module 5

Malicious software containment

� Viruses and Trojan horses can be contained by:

Effective use of antivirus software

Keeping up to date with the latest developments in these methods of attacks

Keeping up to date with the latest antivirus software and application versions

Implementing host-based intrusion prevention systems (for example, Cisco Security Agent)

Page 63: ISCW Module 5

Worm Attack, Mitigation and Response

� The anatomy of a worm attack has three parts:

The enabling vulnerability: A worm installs itself on a vulnerable system

Propagation mechanism: After gaining access to devices, a worm replicates and selects new targets

Payload: Once the worm infects the device, the attacker has access to the host – often as a privileged user. Attackers use a local exploit to escalate their privilege level to administrator.

Page 64: ISCW Module 5

Worm attack mitigation

� Worm attack mitigation requires diligence on the part of system and network administration staff.

� Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident.

� Recommended steps for worm attack mitigation:

Containment: Contain the spread of the worm into your network and within your network. Compartmentalise uninfected parts of your network.

Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems.

Quarantine: Track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network.

Treatment: Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.

Page 65: ISCW Module 5

Worm attack response

� Six typical incident response methodologies to worms are as follows:

1. Preparation: Acquire the resources to respond

2. Identification: Identify the worm

3. Classification: Classify the type of worm

4. Traceback: Trace the worm back to the attack’s origin

5. Reaction: Isolate and repair the affected systems

6. Post mortem: Document and analyse the process that you used for future use

Page 66: ISCW Module 5

Application Layer Attacks and Mitigation

� Application layer attacks have the following characteristics:

They exploit well-known weaknesses, such as those in protocols, that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP)

They often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall)

They can never be completely eliminated because new vulnerabilities are always being discovered

Page 67: ISCW Module 5

Netcat

� Netcat is a tool that reads or writes data on any TCP/UDP connections, relays TCP connections, and can act as a TCP/UDP server.

# nc -h
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
        -g gateway      source-routing hop point[s], up to 8
        -G num          source-routing pointer: 4, 8, 12, ...
        -i secs         delay interval for lines sent, ports scanned
        -l              listen mode, for inbound connects
        -n              numeric-only IP addresses, no DNS
        -o file         hex dump of traffic
        -p port         local port number
        -r              randomize local and remote ports
        -s addr         local source address
        -u              UDP mode
        -v              verbose [use twice to be more verbose]
port numbers can be individual or ranges: lo-hi [inclusive]

Page 68: ISCW Module 5

Netcat Example

Page 69: ISCW Module 5

Mitigation of Application Layer Attacks

� Measures you can take to reduce risks include:

Read operating system and network log files or have the files analysed by log analysis applications

Subscribe to mailing lists that publicise vulnerabilities

Keep all operating systems and applications current with the latest patches

Use IDS/IPS that can scan for known attacks, monitor and log attacks, and, in some cases, prevent attacks

Page 70: ISCW Module 5

Configuration Management protocols

� Configuration management protocols include SSH, SSL and the more insecure Telnet

� Whichever is chosen for remote access to the managed device, ACLs should be configured to allow only management servers to connect to the device. All attempts from other IP addresses should be denied and logged

� Ideally use secure management protocols when configuring all network devices. Protocols, such as Telnet and SNMPv2, must be made secure by protecting the data with IPsec

� The access lists should permit management access, such as SSH or HTTPS, only from the legitimate management hosts

Also implement RFC 3704 filtering at the ingress router to reduce the chance of an attacker from outside the network spoofing the addresses of the management hosts

Page 71: ISCW Module 5

Management Protocols

� These management protocols can be compromised:

SNMP: The community string information for simple authentication is sent in plaintext.

syslog: Data is sent as plaintext between the managed device and the management host.

TFTP: Data is sent as plaintext between the requesting host and the TFTP server.

NTP: Many NTP servers on the Internet do not require any authentication of peers.

Page 72: ISCW Module 5

Management Protocol Best Practices

� The following two slides summarise the best practices to be followed when implementing a secure management solution

� Recommendations for the correct use of SNMP tools include:

Configure SNMP with only read-only community strings

Set up access control on the device you want to manage via SNMP to allow access by only the appropriate management hosts

Use SNMP version 3. This version provides secure access to devices through a combination of authenticating and encrypting management packets over the network

Page 73: ISCW Module 5

Management Protocol Best Practices

� Syslog: Encrypt syslog traffic within an IPsec tunnel.

� Implement RFC 3704 filtering at the perimeter router when allowing syslog access from devices outside a firewall.

� Implement ACLs on the firewall to allow syslog data from only the managed devices themselves to reach the management hosts.

� TFTP: When possible, encrypt TFTP traffic within an IPsec tunnel in order to reduce the chance of interception.

� NTP: Implement your own master clock for private network synchronisation.

� Use NTP version 3 or above because these versions support a cryptographic authentication mechanism between peers. NTP v3 is currently supported by most vendors, including Cisco Systems. The latest version 4 is not defined by any RFC and therefore not widely supported.

� Use ACLs that specify which network devices are allowed to synchronise with other network devices.
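
The recommendations of the last four slides (management ACLs that deny and log everything except the management hosts, SNMPv3 with a read-only view, syslog to the management host, authenticated NTPv3 with access groups), worked through as an added Cisco IOS configuration that is not part of the original course material. The management subnet 10.1.100.0/24, the host addresses, the ACL numbers and names, and every *Placeholder credential string are assumptions made for the example.

```cisco
! Added example, not from the ISCW course: management-plane hardening
! following the preceding slides. Assumptions: 10.1.100.0/24 is the
! management subnet; all names and *Placeholder strings are to be
! replaced with site-specific values.
!
! --- Remote access: only the management hosts may open a session, and
!     only over SSH; every other source is refused and logged.
access-list 10 remark Management hosts allowed to reach the VTY lines
access-list 10 permit 10.1.100.10
access-list 10 permit 10.1.100.11
access-list 10 deny   any log
!
username netadmin secret LocalPassPlaceholder
ip domain-name example.net
! crypto key generate rsa is a privileged EXEC command, run once
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
 login local
!
! --- SNMP: version 3 only (authentication and encryption), a read-only
!     view, and an ACL naming the hosts permitted to poll. There is no
!     snmp-server community line, so no plaintext v1/v2c strings exist.
access-list 20 remark SNMP management stations
access-list 20 permit 10.1.100.20
access-list 20 deny   any log
snmp-server view RO-VIEW iso included
snmp-server group MGMT-RO v3 priv read RO-VIEW access 20
snmp-server user poller MGMT-RO v3 auth sha AuthPassPlaceholder priv aes 128 PrivPassPlaceholder
!
! --- Syslog: send to the management host. The slide's IPsec protection
!     of this plaintext traffic is configured separately.
logging host 10.1.100.30
logging trap informational
!
! --- NTP: authenticated NTPv3 against the internal master clock, with
!     access groups controlling which source this router will
!     synchronise with and which devices it will serve time to.
ntp authenticate
ntp authentication-key 1 md5 NtpKeyPlaceholder
ntp trusted-key 1
ntp server 10.1.100.5 key 1
access-list 30 remark The only time source this router will accept
access-list 30 permit 10.1.100.5
access-list 31 remark Internal devices allowed to query this router for time
access-list 31 permit 10.1.0.0 0.0.255.255
ntp access-group peer 30
ntp access-group serve-only 31
```

After applying it, show ntp associations should list 10.1.100.5 with the authenticated flag, and show snmp user confirms that only the v3 user exists.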

Page 74: ISCW Module 5

Determining Vulnerabilities and Threats

� There are several tools and techniques that can be used to find vulnerabilities in your network

� Once any vulnerabilities have been identified, mitigation steps can be considered and utilised as appropriate

� Some common tools include:

Blue’s PortScanner

Wireshark (formerly Ethereal)

Microsoft Baseline Security Analyzer

Nmap

Page 75: ISCW Module 5

Blue’s Port Scanner

Blue’s Port Scanner is a fast network scanner that can scan over 300 ports per second on an NT or Windows 2000 machine. It comes with a Windows XP-style interface, and offers TCP and UDP scanning as well as an Anti-Flood function

http://www.securityconfig.com/software/specializedscanners/blues_port_scanner.html

Page 76: ISCW Module 5

Wireshark (Ethereal)

� Wireshark is the world's foremost network protocol analyser, and is the standard in many industries. It is the continuation of a project that started in 1998. Hundreds of developers around the world have contributed to it, and it is still under active development.

http://www.wireshark.org/about.html

Page 77: ISCW Module 5

Microsoft Baseline Security Analyzer

Page 78: ISCW Module 5

Nmap

� Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing.

� It is designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

� Nmap runs on most types of computers and both console and graphical versions are available.

� Nmap is free and open source

Page 79: ISCW Module 5

Disabling Unused Cisco Router Network Services and Interfaces

Lesson 4 – Module 5 – ‘Cisco Device Hardening’

Page 80: ISCW Module 5

Module Introduction

� The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people.

� Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.

� Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

Page 81: ISCW Module 5

Vulnerable Router Services and Interfaces

� Medium size and large networks typically use a firewall appliance behind the perimeter router, which adds security features and performs user authentication and more advanced packet filtering

� Firewall installations also facilitate the creation of Demilitarized Zones (DMZs), where the firewall ‘places’ hosts that are commonly accessed from the Internet

� Cisco IOS software offers an alternative to a firewall appliance by incorporating many firewall features in the perimeter router. Although this option does not provide the same performance and security features that a Cisco PIX Security Appliance offers, a router with an integrated firewall feature set can solve most small-to-medium business perimeter security requirements.

� Cisco IOS routers run many services that create potential vulnerabilities. To secure an enterprise network, all unneeded router services and interfaces must be disabled.

Page 82: ISCW Module 5

Vulnerable Router Services and Interfaces

� Cisco IOS routers can be used as:

Edge devices

Firewalls

Internal routers

Routers have default services that create potential vulnerabilities (for example, BOOTP, CDP, FTP, TFTP, NTP, Finger, SNMP, TCP/UDP minor services, IP source routing, and proxy ARP)

Vulnerabilities can be exploited regardless of where the routers are placed.

Page 83: ISCW Module 5

Vulnerable Router Services

Disable unnecessary services and interfaces (BOOTP, CDP, FTP, TFTP, NTP, PAD, and TCP/UDP minor services)

Disable commonly configured management services (SNMP, HTTP, and DNS)

Ensure path integrity (ICMP redirects and IP source routing)

Disable probes and scans (finger, ICMP unreachables, and ICMP mask replies)

Ensure terminal access security (ident and TCP keepalives)

Disable gratuitous and proxy ARP

Disable IP directed broadcast

Page 84: ISCW Module 5

Unnecessary Services and Interfaces

Router Service | Default | Best Practice
BOOTP server | Enabled | Disable
Cisco Discovery Protocol (CDP) | Enabled | Disable if not required
Configuration auto-loading | Disabled | Disable if not required
FTP server | Disabled | Disable if not required. Otherwise encrypt traffic within an IPsec tunnel.
TFTP server | Disabled | Disable if not required. Otherwise encrypt traffic within an IPsec tunnel.
Network Time Protocol (NTP) service | Disabled | Disable if not required. Otherwise configure NTPv3 and control access between permitted devices using ACLs.
Packet assembler and disassembler (PAD) service | Enabled | Disable if not required
TCP and UDP minor services | Enabled (pre 11.3), Disabled (11.3+) | Disable if not required
Maintenance Operation Protocol (MOP) service | Enabled | Disable explicitly if not required

Page 85: ISCW Module 5

Commonly Configured Management Services

Management Service | Enabled by Default | Best Practice
Simple Network Management Protocol (SNMP) | Enabled | Disable the service. Otherwise configure SNMPv3.
HTTP configuration and monitoring | Device dependent | Disable if not required. Otherwise restrict access using ACLs.
Domain Name System (DNS) Client Service | Enabled | Disable if not required. Otherwise explicitly configure the DNS server address.

Page 86: ISCW Module 5

Path Integrity Mechanisms

Path Integrity Mechanism | Enabled by Default | Best Practice
ICMP redirects | Enabled | Disable the service
IP source routing | Enabled | Disable if not required.

Page 87: ISCW Module 5

Probe and Scan Features

Probe and Scan Feature | Enabled by Default | Best Practice
Finger service | Enabled | Disable if not required.
ICMP unreachable notifications | Enabled | Disable explicitly on untrusted interfaces.
ICMP mask reply | Disabled | Disable explicitly on untrusted interfaces.

Page 88: ISCW Module 5

Terminal Access Security

Terminal Access Security | Enabled by Default | Best Practice
IP identification service | Enabled | Disable
TCP Keepalives | Disabled | Enable

Page 89: ISCW Module 5

ARP Service

ARP Service | Enabled by Default | Best Practice
Gratuitous ARP | Enabled | Disable if not required.
Proxy ARP | Enabled | Disable if not required.

Page 90: ISCW Module 5

Router Hardening Considerations

Attackers can exploit unused router services and interfaces.

Administrators do not need to know how to exploit the services, but they should know how to disable them.

It is tedious to disable the services individually.

An automated method is needed to speed up the hardening process.

Page 91: ISCW Module 5

Locking Down Routers with AutoSecure

� The AutoSecure feature was released in Cisco IOS Release 12.3 and later

� AutoSecure is a single privileged EXEC program that allows elimination of many potential security threats quickly and easily. AutoSecure helps to make you more efficient at securing Cisco routers

� AutoSecure allows two modes of operation:

1. Interactive mode: Prompts to choose the way you want to configure router services and other security-related features

2. Noninteractive mode: Configures security-related features on your router based on a set of Cisco defaults

Page 92: ISCW Module 5

AutoSecure Functions

� AutoSecure can selectively lock down:

Management plane services and functions:

Finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask-replies), directed broadcast, MOP, banner

Also provides password security and SSH access

Forwarding plane services and functions:

CEF, traffic filtering with ACLs

Firewall services and functions:

Cisco IOS Firewall inspection for common protocols

Login functions:

Password security

NTP protocol

SSH access

TCP Intercept services

Page 93: ISCW Module 5

AutoSecure Failure Rollback Feature

� If AutoSecure fails to complete its operation, the running configuration may be corrupt:

In Cisco IOS Release 12.3(8)T and later releases:

Pre-AutoSecure configuration snapshot is stored in the flash under filename pre_autosec.cfg

Rollback reverts the router to the router’s pre-autosecure configuration

Command: configure replace flash:pre_autosec.cfg

If the router is using software prior to Cisco IOS Release 12.3(8)T, the running configuration should be saved before running AutoSecure.

Page 94: ISCW Module 5

AutoSecure Process Overview

router# auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]

Cisco AutoSecure Interactive Steps:

Step 1 — Identify outside interfaces.

Step 2 — Secure the management plane.

Step 3 — Create security banner.

Step 4 — Configure passwords, AAA, and SSH.

Step 5 — Secure the interface settings.

Step 6 — Secure the forwarding plane.

Page 95: ISCW Module 5

Auto Secure Parameters

Parameter | Description
management | (Optional) Only the management plane will be secured.
forwarding | (Optional) Only the forwarding plane will be secured.
no-interact | (Optional) The user will not be prompted for any interactive configurations. No interactive dialogue parameters will be configured, including usernames or passwords.
full | (Optional) The user will be prompted for all interactive questions. This is the default setting.
ntp | (Optional) Specifies the configuration of the Network Time Protocol (NTP) feature in the AutoSecure command-line interface (CLI).
login | (Optional) Specifies the configuration of the Login feature in the AutoSecure CLI.
ssh | (Optional) Specifies the configuration of the SSH feature in the AutoSecure CLI.
firewall | (Optional) Specifies the configuration of the Firewall feature in the AutoSecure CLI.
tcp-intercept | (Optional) Specifies the configuration of the TCP-Intercept feature in the AutoSecure CLI.

Page 96: ISCW Module 5

Step 1: Identify Outside Interfaces

Router# auto secure
--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of the router but it will not make router absolutely secure from all security attacks ***

All the configuration done as part of AutoSecure will be shown here. For more details of why and how this configuration is useful, and any possible side effects, please refer to Cisco documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: y
Enter the number of interfaces facing internet [1]: 1

Interface      IP-Address      OK? Method Status    Protocol
Ethernet0/0    10.0.2.2        YES NVRAM  up        up
Ethernet0/1    172.30.2.2      YES NVRAM  up        up

Enter the interface name that is facing internet: Ethernet0/1

Page 97: ISCW Module 5

Step 2: Secure Management Plane Services

Securing Management plane services..

Disabling service finger

Disabling service pad

Disabling udp & tcp small servers

Enabling service password encryption

Enabling service tcp-keepalives-in

Enabling service tcp-keepalives-out

Disabling the cdp protocol

Disabling the bootp server

Disabling the http server

Disabling the finger service

Disabling source routing

Disabling gratuitous arp

Page 98: ISCW Module 5

Step 3: Create Security Banner

Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements.

Authorised Access only

This system is the property of Woolloomooloo Pty Ltd.

UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.

You must have explicit permission to access this device. All activities performed on this device are logged and violations of this policy result in disciplinary action.

Enter the security banner {Put the banner between k and k, where k is any character}:

%This system is the property of Cisco Systems, Inc.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.%

Page 99: ISCW Module 5

Step 4: Passwords and AAA

Enable secret is either not configured or is same as enable password

Enter the new enable secret: Curium96

Configuration of local user database

Enter the username: student1

Enter the password: student1

Configuring aaa local authentication

Configuring console, Aux and vty lines for local authentication, exec-timeout, transport

Securing device against Login Attacks

Configure the following parameters

Blocking Period when Login Attack detected: 300

Maximum Login failures with the device: 3

Maximum time period for crossing the failed login attempts: 60

Page 100: ISCW Module 5

Step 5: SSH and Interface-Specific Services

Configure SSH server? [yes]: y

Enter the hostname: R2

Enter the domain-name: cisco.com

Configuring interface specific AutoSecure services

Disabling the following ip services on all interfaces:

no ip redirects

no ip proxy-arp

no ip unreachables

no ip directed-broadcast

no ip mask-reply

Disabling mop on Ethernet interfaces

Page 101: ISCW Module 5

Step 6: Forwarding Plane Verification and Deployment

Securing Forwarding plane services..

Enabling CEF (This might impact the memory requirements for your platform)

Enabling unicast rpf on all interfaces connected to internet

Configure CBAC Firewall feature? [yes/no]: yes

This is the configuration generated:

no service finger

no service pad

no service udp-small-servers

no service tcp-small-servers

service password-encryption..

Apply this configuration to running-config? [yes]: y

Page 102: ISCW Module 5

Auto Secure Configuration Example (1 of 6)

Disable global services.

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd

Create banner.

banner #This system is the property of Cisco Systems, Inc.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.#

Set minimum password length.

security passwords min-length 6

Set the login failure rate.

security authentication failure rate 10 log

Page 103: ISCW Module 5

Auto Secure Configuration Example (2 of 6)

Enable secret password.

enable secret 5 $1$6NpI$ClSvtL5Zs63fPpsQT5Dyq/
enable password 7 09674F04100916

Enable local AAA.

aaa new-model
aaa authentication login local_auth local

Configure local authentication on console, auxiliary and VTY lines for telnet.

line con 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet

Block too many login attempts.

login block-for 5 attempts 3 within 4

Page 104: ISCW Module 5

Auto Secure Configuration Example (3 of 6)

Configure hostname and domain name.

hostname LosAngeles
ip domain-name cisco.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet

Configure logging parameters.

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered

Page 105: ISCW Module 5

Auto Secure Configuration Example (4 of 6)

Disable FE interface 0/0 services.

interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled

Disable serial port services.

interface Serial0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply

Disable FE interface 0/1 services.

interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled

Page 106: ISCW Module 5

Auto Secure Configuration Example (5 of 6)

Enable CEF.

ip cef

Apply ACL to inside interface.

interface Serial0/0
 ip access-group autosec_complete_bogon in
 exit
access-list 100 permit udp any any eq bootpc
interface Serial0/0
 ip verify unicast source reachable-via rx allow-default 100

Turn on the CBAC firewall with common settings.

ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
!
end

Page 107: ISCW Module 5

Auto Secure Configuration Example (6 of 6)

ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any

Apply ACL to outside interface.

interface Serial0/0
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in

Apply CBAC inspect list to outside interface.

Page 108: ISCW Module 5

Locking Down Routers with Cisco SDM

� SDM simplifies router and security configuration through smart wizards that help to quickly and easily deploy, configure, and monitor a Cisco router without requiring knowledge of the CLI

� SDM simplifies firewall and IOS software configuration without requiring expertise about security or IOS software

� SDM contains a Security Audit wizard that performs a comprehensive router security audit

� SDM uses security configurations recommended by Cisco Technical Assistance Center (TAC) and the International Computer Security Association (ICSA) as the basis for comparisons and default settings

� The Security Audit wizard assesses the vulnerability of the existing router and provides quick compliance to best-practice security policies

� SDM can implement almost all of the configurations that AutoSecure offers with the One-Step Lockdown feature

Page 109: ISCW Module 5

Security Device Manager (SDM)

SDM automated hardening features:

• Security Audit

• One-Step Lockdown


Page 110: ISCW Module 5

SDM Security Audit Overview

� Security Audit compares router configuration against recommended settings

� Examples of the audit include:

Shut down unneeded servers


Disable unneeded services

Apply the firewall to the outside interfaces

Disable or harden SNMP

Shut down unused interfaces

Check password strength

Enforce the use of ACLs

Page 111: ISCW Module 5

SDM Security Audit: Main Window

Page 112: ISCW Module 5

SDM Security Audit Wizard


Page 113: ISCW Module 5

SDM Security Audit Interface Configuration


Page 114: ISCW Module 5

SDM Security Audit


Page 115: ISCW Module 5

SDM Security Audit: Fix the Security Problems


Page 116: ISCW Module 5

SDM Security Audit: Summary


Page 117: ISCW Module 5

SDM One-Step Lockdown: Main Window

Page 118: ISCW Module 5

SDM One-Step Lockdown Wizard


Page 119: ISCW Module 5

Securing Cisco Router Administrative Access

Lesson 5 – Module 5 – ‘Cisco Device Hardening’

Page 120: ISCW Module 5

Module Introduction

� The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people.


� Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.

� Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

Page 121: ISCW Module 5

Objectives

� At the completion of this fifth lesson, you will be able to:

Correctly and securely set passwords on a Cisco router

Protect line access from insecure users

Protect a router against a password reset

Correctly set timeouts on router access

Describe and demonstrate how to correctly set banner messages

Page 122: ISCW Module 5

Cisco Router Passwords

� Strong passwords are the primary defense against unauthorised access to a router

� The best way to manage passwords is to maintain them on an AAA server

Almost every router needs a locally configured password for privileged access

There may also be other password information in the configuration file

� When creating passwords for routers and other network devices, always keep these rules in mind:

� Make passwords lengthy. The best practice is to have a minimum of ten characters. You can enforce the minimum length using a feature that is available in IOS routers

Page 123: ISCW Module 5

Cisco Router Passwords

� Passwords may include the following:

Any alphanumeric character

A mix of uppercase and lowercase characters

Symbols and spaces

A combination of letters, numbers, and symbols

� Passwords should NOT use dictionary words


Using dictionary words makes the passwords vulnerable to dictionary attacks.

� Password-leading spaces are ignored, but all spaces after the first character are NOT ignored

� Change passwords as often as possible

There should be a policy defining when and how often the passwords must be changed.

Changing passwords frequently provides two advantages. This practice limits the window of opportunity in which a hacker can crack a password and limits the window of exposure after a password has been compromised

Page 124: ISCW Module 5

Cisco Router Passwords

� Local rules can be added to this list, making passwords even safer

� One well known method of creating strong passwords is to use passphrases

A passphrase is basically a sentence or phrase that serves as a more secure password.

� Use a sentence, quote from a book, or song lyric that you can easily remember as the basis of the strong password or passphrase.

� For example:

“My favorite spy is James Bond 007.” would translate into MfsiJB007.

“It was the best of times, it was the worst of times.” would translate into Iwtbotiwtwot.

“Fly me to the moon. And let me play among the stars.” would translate into FmttmAlmpats.

“Tis better to be brief than tedious” (Richard III, I:4) – TbtbbttR3I4

Page 125: ISCW Module 5

Initial Password Configuration

� One way to perform initial router configuration tasks, including configuring a password, is to access the router console port

A console is a terminal connected to a router console port.

The terminal can be a “dumb” terminal or a PC running terminal emulation software (Hyperterm; Kermit; Teraterm etc)

� Consoles are only one of the ways to obtain administrative access to configure and manage routers

� Other ways to gain administrative access include:

Telnet

SSH

SNMP

Cisco SDM access using HTTP or HTTPS

Page 126: ISCW Module 5

Protecting Line Access - console

� To secure the router, access should be protected through the console, auxiliary, and vty lines / ports

By default, the Cisco router console ports allow a hard BREAK signal (within 60s of a reboot) to interrupt the normal boot sequence and give the console user complete control of the router

� The hard BREAK sequence may be disabled using the no service password-recovery command

If a router is configured with the no service password-recovery command, all access to the ROM Monitor (ROMMON) is disabled.

� By default, the console port does not require a password for console administrative access. However, a console port line-level password should always be configured

� There are two ways to configure a console line password:

Enter the password during the initial configuration dialog, or

Use the password command in the console line configuration mode.

Page 127: ISCW Module 5

Protecting vty Line Access #1

� vty (Virtual TeletYpe): a command-line interface created in a router for a Telnet session

� Cisco routers support multiple Telnet sessions (up to five simultaneous sessions, by default—more can be added), each serviced by a logical vty.

� By default, Cisco routers do NOT have any line-level passwords configured for these vty lines.

� If password checking is enabled, a vty password must also be configured before attempting to access the router using Telnet. If a vty password is NOT configured and password checking is enabled for vty, an error message similar to the following will be produced:

Telnet 10.0.1.2
Trying 10.0.1.2 ….. open
Password required, but none set
[Connection to 10.0.1.2 closed by foreign host]

Page 128: ISCW Module 5

Protecting vty Line Access #2

� There are two ways to configure a vty password:

1. enter the password during the initial configuration dialog, or

2. use the password command in line vty configuration mode.

� The following are more things to consider when securing Telnet connections to a Cisco router:


� If an enable mode password is NOT set for the router, privileged-EXEC mode can NOT be accessed using Telnet.

� Use either the enable password or the enable secret command to set the enable password

Page 129: ISCW Module 5

Protecting vty Line Access #3

� Telnet access should be limited only to specified systems by building a simple access control list (ACL) that performs the following:

1. Allows Telnet access from specific hosts only

2. Implicitly or explicitly blocks access from untrusted hosts

3. Ties the ACL to the vty lines using the access-class command

� This example shows ACL 30 restricting Telnet access only from host 10.0.1.1 and implicitly denying access from all other hosts for vty 0 to 4:

Perth(config)#access-list 30 permit 10.0.1.1 0.0.0.0
Perth(config)#line vty 0 4
Perth(config-line)#access-class 30 in

� Passwords must be configured for all of the vty lines on the router

� Remember that more vty lines can be added to the router

The default vty lines 0 to 4 and any additional lines MUST be protected

Page 130: ISCW Module 5

Protecting Auxiliary Line Access

� By default, Cisco router auxiliary ports do not require a password for remote administrative access. Administrators sometimes use auxiliary ports to remotely configure and monitor the router using a dialup modem connection

� Unlike console and vty passwords, the auxiliary password is not configured during the initial configuration dialog and should be configured using the password command in auxiliary line configuration mode

� If you want to turn off the EXEC process for the aux port, use the no exec command within the auxiliary line configuration mode

� Setting the auxiliary line-level password is only one of several steps that must be completed when configuring a router auxiliary port for remote dial-in access

Page 131: ISCW Module 5

Additional Password Security

� IOS software provides a number of enhanced features that allow increasing the security of system passwords. These features include setting a minimum password length, encrypting your passwords, and encrypting usernames


Page 132: ISCW Module 5

Password Minimum Length Enforcement

router(config)#

security passwords min-length length

• Sets the minimum length of all Cisco IOS passwords


Perth(config)# security passwords min-length 10

Page 133: ISCW Module 5

The service password-encryption Command

router(config)#

service password-encryption

• Encrypts all passwords in the router configuration file

Perth(config)# service password-encryption
Perth(config)# exit
Perth# show running-config
enable password 7 06020026144A061E
!
line con 0
password 7 0956F57A109A
!
line vty 0 4
password 7 034A18F366A0
!
line aux 0
password 7 7A4F5192306A

Page 134: ISCW Module 5

Enhanced Username Password Security

router(config)#

username name password {[0] password | 7 hidden-password}

• Traditional user configuration with plaintext password

router(config)#

username name secret {[0] password | 5 encrypted-secret}

• Uses MD5 hashing for strong password protection

• Better than the type 7 encryption found in the service password-encryption command

Perth(config)# username rtradmin secret 0 Curium96
Perth(config)# username rtradmin secret 5 $1$feb0$a104Qd9UZ./Ak007

Page 135: ISCW Module 5

username secret Parameters

Parameter Description

name The username

0 (Optional) Indicates that the following clear text password will be hashed using MD5

password The plaintext password to be hashed using MD5

5 Indicates that the following encrypted secret password was hashed using MD5

encrypted-secret The MD5 encrypted secret password that is stored as the encrypted user password

Page 136: ISCW Module 5

Protecting Your Router by Securing ROMMON

� By default, Cisco IOS routers allow a break sequence during power up, which forces the router into ROM Monitor (ROMMON) mode.

� Once the router is in ROMMON mode, anyone can choose to enter a new enable secret password using the well-known Cisco password recovery procedure.

� This procedure, if performed correctly, leaves the router configuration intact. This scenario presents a potential security breach because anyone who gains physical access to the router console port can enter ROMMON, reset the enable secret password, and discover the router configuration.

� You can mitigate this potential security breach by using the no service password-recovery global configuration command. The no service password-recovery command has no arguments or keywords.

Page 137: ISCW Module 5

Setting Login Failure Rates and Conditions

� Cisco IOS software provides a number of features to secure routers against unauthorised logins by setting login failure rates and conditions


Page 138: ISCW Module 5

Authentication Failure Rate with Login

router(config)#

security authentication failure rate threshold-rate log

• Configures the number of allowable unsuccessful login attempts

• By default, router allows 10 login failures before initiating a 15-second delay

• Generates a syslog message when login failure rate is exceeded

Perth(config)# security authentication failure rate 10 log

Parameter Description

threshold-rate This is the number of allowable unsuccessful login attempts. The default is 10 (the range is 2 to 1024).

log The log keyword is required. This keyword results in a generated syslog event.

Page 139: ISCW Module 5

Setting a Login Failure Blocking Period

router(config)#

login block-for seconds attempts tries within seconds

• Blocks access for a quiet period after a configurable number of failed login attempts within a specified period

• Must be entered before any other login command

• Mitigates DoS and break-in attacks

Perth(config)# login block-for 100 attempts 2 within 100

Page 140: ISCW Module 5

Logging of Login Requests During Quiet Periods

Quiet-mode logging message:

00:04:07:%SEC_LOGIN-1-QUIET_MODE_ON:Still timeleft for watching failures is 158 seconds, [user:sfd] [Source:10.4.2.11] [localport:23] [Reason:Invalid login], [ACL:22] at 16:17:23 UTC Wed Feb 26 2003

Normal mode logging message:

00:09:07:%SEC_LOGIN-5-QUIET_MODE_OFF:Quiet Mode is OFF, because block period timed out at 16:22:23 UTC Wed Feb 26 2003

Page 141: ISCW Module 5

Excluding Addresses from Login Blocking

router(config)#

login quiet-mode access-class {acl-name | acl-number}

• Specifies an ACL that is applied to the router when it switches to the quiet mode

• If not configured, all login requests will be denied during the quiet mode

• Excludes IP addresses from failure counting for the login block-for command

Perth(config)# login quiet-mode access-class myacl

Page 142: ISCW Module 5

Setting a Login Delay

router(config)#

login delay seconds

• Configures a delay between successive login attempts

• Helps mitigate dictionary attacks

• If not set, a default delay of one second is enforced after the login block-for command is configured

Perth(config)# login delay 30

Page 143: ISCW Module 5

Verifying Login

router#

show login [failures]

• Displays login parameters and failures

Perth(config)# show login


A default login delay of 1 seconds is applied.

No Quiet-Mode access list has been configured.

All successful login is logged and generate SNMP traps.

All failed login is logged and generate SNMP traps.

Router enabled to watch for login Attacks.

If more than 15 login failures occur in 100 seconds or less, logins will be disabled for 100 seconds.

Router presently in Watch-Mode, will remain in Watch-Mode for 95 seconds.

Present login failure count 5.

Page 144: ISCW Module 5

Verifying Login Failures

Perth(config)# show login failures

Information about login failure's with the device

Username Source IPAddr lPort Count TimeStamp

try1 10.1.1.1 23 1 21:52:49 UTC Sun Mar 9 2003

try2 10.1.1.2 23 1 21:52:52 UTC Sun Mar 9 2003
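As an added example (not part of the course material): a Python parser for the show login failures table and the %SEC_LOGIN quiet-mode message from the previous slides, which replays the recorded failures per source address against a login block-for ... attempts ... within ... policy and reports which sources would have triggered the quiet period. The table rows and the syslog line are constructed in the formats shown on these slides; expanding a row's Count at its single timestamp is a simplification of this example, not router behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 'show login failures' output, in the format shown on the slide.
SHOW_LOGIN_FAILURES = """\
Information about login failure's with the device

Username    Source IPAddr   lPort   Count   TimeStamp
try1        10.1.1.1        23      1       21:52:49 UTC Sun Mar 9 2003
try2        10.1.1.2        23      1       21:52:52 UTC Sun Mar 9 2003
admin       10.1.1.2        23      3       21:53:40 UTC Sun Mar 9 2003
root        10.1.1.2        22      2       21:54:05 UTC Sun Mar 9 2003
"""

# Constructed quiet-mode syslog line in the %SEC_LOGIN format shown on the previous slide.
QUIET_MODE_MSG = ("00:04:07:%SEC_LOGIN-1-QUIET_MODE_ON:Still timeleft for watching failures "
                  "is 158 seconds, [user:sfd] [Source:10.4.2.11] [localport:23] "
                  "[Reason:Invalid login], [ACL:22] at 16:17:23 UTC Wed Feb 26 2003")

ROW_RE = re.compile(r"^(?P<user>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<port>\d+)\s+"
                    r"(?P<count>\d+)\s+(?P<ts>\d\d:\d\d:\d\d \w+ \w+ \w+ \d+ \d{4})$")
FIELD_RE = re.compile(r"\[(\w+):([^\]]*)\]")
TS_FMT = "%H:%M:%S UTC %a %b %d %Y"


def parse_login_failures(text):
    """Return one dict per data row of 'show login failures'; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            row["count"] = int(row["count"])
            row["ts"] = datetime.strptime(row["ts"], TS_FMT)
            rows.append(row)
    return rows


def parse_quiet_mode_message(line):
    """Extract the [key:value] fields and the message mnemonic from a %SEC_LOGIN syslog line."""
    fields = {key.lower(): value for key, value in FIELD_RE.findall(line)}
    m = re.search(r"%SEC_LOGIN-\d-(\w+)", line)
    fields["mnemonic"] = m.group(1) if m else None
    return fields


def sources_exceeding(rows, attempts, within_seconds):
    """Replay the failures per source address against a 'login block-for ... attempts A
    within W' policy and return {source: failures} for every source with A or more
    failures inside some W-second window. The table keeps only the last timestamp per
    row, so a row's Count is expanded as that many failures at that timestamp (this
    over-approximates how clustered the attempts really were)."""
    per_source = defaultdict(list)
    for row in rows:
        per_source[row["src"]].extend([row["ts"]] * row["count"])
    window = timedelta(seconds=within_seconds)
    tripped = {}
    for src, times in per_source.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= attempts:
                tripped[src] = in_window
                break
    return tripped


if __name__ == "__main__":
    rows = parse_login_failures(SHOW_LOGIN_FAILURES)
    # The slides' policy: login block-for 100 attempts 2 within 100
    for src, n in sources_exceeding(rows, attempts=2, within_seconds=100).items():
        print(f"{src}: {n} failures inside 100 s, quiet mode would trigger")
    print(parse_quiet_mode_message(QUIET_MODE_MSG))
```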

Page 145: ISCW Module 5

Setting Timeouts

� By default, an administrative interface stays active (and logged on) for ten minutes after the last session activity. After that time, the interface times out and logs out of the session. Fine-tune these timers to limit the idle time to two or three minutes at most.


Setting the exec-timeout value to 0 means that there will be no timeout and the session will stay active for an unlimited time. Do not set the value to 0!

� These timers can be adjusted by using the exec-timeout command in line configuration mode for each of the line types used.

Page 146: ISCW Module 5

Setting Multiple Privilege Levels

� Cisco routers allow configuration at various privilege levels for administrators. Different passwords can be configured to control who has access to the various privilege levels. This ability is especially helpful in a help desk environment where certain administrators are allowed to configure and monitor every part of the router (level 15) while other administrators may be restricted to only monitoring (customised levels 2 to 14).

� Privileges are assigned to levels 2 to 14 using the privilege command from global configuration mode.

Page 147: ISCW Module 5

privilege Parameters

Parameter Description

Mode This command specifies the configuration mode.

Level This command enables setting a privilege level with a specified command.

Level This is the privilege level that is associated with a command. You can specify up to 16 privilege levels, using numbers 0 to 15.

Command This sets the command that the privilege level is associated with.

Reset This command resets the privilege level of a command.

Command This is the command that you want to reset the privilege level for.

Page 148: ISCW Module 5

Router Configuration Modes

Configuration Mode Description

accept-dialin Virtual private dialup network (VPDN) group accept dialin configuration mode

accept-dialout VPDN group accept dialout configuration mode

address-family Address family configuration mode

atm-bm-config ATM bundle member configuration mode

atm-bundle-config ATM bundle configuration mode

atm-vc-config ATM virtual circuit configuration mode

atmsig_e164_table_mode ATMSIG E164 table

cascustom Channel associated signaling (CAS) custom configuration mode

configure Global configuration mode

controller Controller configuration mode

crypto-map Crypto map configuration mode

dhcp DHCP pool configuration mode

dspfarm Digital signal processor (DSP) farm configuration mode

exec EXEC mode

Page 149: ISCW Module 5

Router Configuration Modes (Cont.)

Configuration Mode Description

flow-cache Flow aggregation cache configuration mode

interface Interface configuration mode

interface-dlci Frame Relay data-link connection identifier (DLCI) configuration mode

ip-vrf Configure IP VPN routing and forwarding (VRF) parameters

line Line configuration mode

map-class Map class configuration mode

map-list Map list configuration mode

null-interface Null interface configuration mode

preaut AAA preauth definitions

request-dialin VPDN group request dialin configuration mode

request-dialout VPDN group request dialout configuration mode

route-map Route map configuration mode

router Router configuration mode

vpdn-group VPDN group configuration mode

voipdialpeer Dial peer configuration mode

Page 150: ISCW Module 5

Configuring Banner Messages

� Banner messages should be used to warn would-be intruders that they are not welcome on your network. Banners are important, especially from a legal perspective. Intruders have been known to win court cases because they did not encounter appropriate warning messages when accessing router networks

� Choosing what to place in banner messages is extremely important and should be reviewed by lawyers and/or legal counsel before placing the messages on your routers.

� Never use the word “welcome” or any other familiar or similar greeting that may be misconstrued as an invitation to use the network

Page 151: ISCW Module 5

Configuring Banner Messages

� There are four valid tokens that you can use within the message section of the banner command:

1. $(hostname): Displays the hostname for the router

2. $(domain): Displays the domain name for the router

3. $(line): Displays the vty or tty (asynchronous) line number

4. $(line-desc): Displays the description attached to the line

Perth(config)# banner motd %WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. %

Page 152: ISCW Module 5

Configuring Role-Based CLI


Lesson 6 – Module 5 – ‘Cisco Device Hardening’

Page 153: ISCW Module 5

Module Introduction

� The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people.


� Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.

� Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

Page 154: ISCW Module 5

Objectives

� At the completion of this sixth lesson, you will be able to:

Describe and configure role based CLI on IOS routers

Configure CLI views and ‘Superviews’

Describe the use of secure configuration files

Page 155: ISCW Module 5

Role-Based CLI Overview

� Although users can control CLI access via both privilege levels and enable mode passwords, these functions do not provide the necessary level of detail needed when working with Cisco IOS routers and switches

� The Role-Based CLI Access feature allows the administrator to define “views,” which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration mode commands

Views restrict user access to Cisco IOS CLI and configuration information; that is, a view can define what commands are accepted and what configuration information is visible

CLI views provide a more detailed access control capability for network administrators, thereby improving the overall security and accountability of Cisco IOS software

Page 156: ISCW Module 5

Role-Based CLI Overview

� As of Cisco IOS Release 12.3(11)T, an interface or a group of interfaces can be assigned to a view, thereby allowing access on the basis of specified interfaces

� Access to a view is protected with a password. This protection is similar to the concept used by privilege levels

� To simplify the view management, views can be grouped to ‘superviews’ to create large sets of commands and interfaces.

A ‘superview’ encompasses several individual views, resulting in wider administrative privileges.

Page 157: ISCW Module 5

Role-Based CLI Overview

� Root view is the highest administrative view

� Creating and modifying a view or ‘superview’ is possible only from root view

� The difference between root view and privilege Level 15 is that only a root view user can create or modify views and superviews

� CLI views require AAA new-model:

This is necessary even with local view authentication

View authentication can be offloaded to an AAA server using the new attribute "cli-view-name"

� A maximum of 15 CLI views can exist in addition to the root view

Page 158: ISCW Module 5

Getting Started with Role-Based CLI

� Before a view is entered or created, AAA must be enabled via the aaa new-model command.

� Next, use the enable command with the view parameter to enter the root view.

� Use the privilege 15 password, if prompted for authentication (if authentication is configured)

Page 159: ISCW Module 5

Getting Started with Role-Based CLI

router#

enable [privilege-level] [view [view-name]]

• Enter a privilege level or a CLI view.

• Use the enable command with the view parameter to enter the root view.

• Root view requires privilege Level 15 authentication.

• The aaa new-model command must be enabled.

Perth(config)# aaa new-model
Perth(config)# exit
Perth# enable view
Password:
Perth#
%PARSER-6-VIEW_SWITCH: successfully set to view 'root'

Page 160: ISCW Module 5

enable Parameters

Parameter Description

privilege-level (Optional) Sets the privilege level at which to log in.

view (Optional) Enters root view, which enables users to configure CLI views. This keyword is required if you want to configure a CLI view.

view-name (Optional) Enters or exits a specified CLI view. This keyword can be used to switch from one CLI view to another CLI view.

Page 161: ISCW Module 5

Configuring CLI Views

router(config)#

parser view view-name

• Creates a view and enters view configuration mode

router(config-view)#

password 5 encrypted-password

• Sets a password to protect access to the view

router(config-view)#

commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]

• Adds commands or interfaces to a view

Perth(config)# parser view monitor_view
Perth(config-view)# password 5 hErMeNe%GiLdE!
Perth(config-view)# commands exec include show version

Page 162: ISCW Module 5

commands Parameters

Parameter Description

parser-mode Specifies the mode that the specified command exists in

include Adds a command or an interface to the view and allows the same command or interface to be added to an additional view

include-exclusive Adds a command or an interface to the view and excludes the same command or interface from being added to all other views


exclude Excludes a command or an interface from the view; that is, customers cannot access a command or an interface

all (Optional) Specifies a “wildcard” that allows every command in a specified configuration mode that begins with the same keyword or every subinterface for a specified interface to be part of the view

interface interface-name (Optional) Specifies an interface that is added to the view

command (Optional) Specifies a command that is added to the view

Page 163: ISCW Module 5

Configuring Superviews

router(config)#

parser view view-name

• Creates a (super)view and enters the view’s configuration mode

router(config-view)#

password 5 encrypted-password

• Sets a password to protect access to the superview

router(config-view)#

view view-name

• Adds a CLI view to a superview

Perth(config)# parser view monitor_audit
Perth(config-view)# password 5 AnA6TaSiA$
Perth(config-view)# view monitor_view
Perth(config-view)# view audit_view

Page 164: ISCW Module 5

Configuring Superviews

� Superviews have these characteristics:

A CLI view can be shared among multiple superviews

Commands cannot be configured directly in a superview; you add commands to a CLI view and then add that CLI view to the superview

Users who are logged in to a superview can access all of the commands that are configured for any of the CLI views that are part of the superview

Each superview has a password that is used to switch between superviews or from a CLI view to a superview

Deleting a superview does not delete the CLI views that were added to it

Page 165: ISCW Module 5

Role-Based CLI Monitoring

� When monitoring role-based CLI, use the command show parser view to display information about the view that the user is currently in.

� The option all displays information for all views configured on the router.


� The all keyword is available only to root users. However, the all keyword can be configured by a user in root view to be available for users in any CLI view.

� To display debug messages for all views, use the debug parser view command in privileged EXEC mode.

Page 166: ISCW Module 5

Role-Based CLI Monitoring

router#
show parser view [all]
• Displays the current view name
• The option all:
  – Displays all CLI views configured on the router
  – Is by default available only to root users
  – Can be added to other CLI views

router#
debug parser view
• Displays debug messages for all views

Page 167: ISCW Module 5

Role-Based CLI Configuration Example

� In the next three slides a CLI view named first is created and configured to include the commands show version and configure terminal, and all commands starting with show ip

� Next, the administrator verifies the configuration by entering the view and listing the available commands

� When a user enters the CLI view, an indication message appears. Apart from the commands enable and exit, which are available in all views, the only two commands that are visible in the CLI view are configure and show. The slide shows sample output of the enable command

� To further verify the view configuration, the user looks at the available options of the show command. The available options include parser, which is always available, and the configured keywords ip and version

� Next, the user verifies that all sub-options of the show ip command are available in the view, as shown in the last slide in this group

Page 168: ISCW Module 5

Role-Based CLI Configuration Example

Perth(config)# aaa new-model
Perth(config)# exit
Perth# enable view
%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
Perth# configure terminal
Perth(config)# parser view first
%PARSER-6-VIEW_CREATED: view 'first' successfully created.
Perth(config-view)# secret 5 firstpass
Perth(config-view)# commands exec include show version
Perth(config-view)# commands exec include configure terminal
Perth(config-view)# commands exec include all show ip
Perth(config-view)# exit

Page 169: ISCW Module 5

Role-Based CLI Verification: enable and show Commands

Perth> enable view first
Password:
%PARSER-6-VIEW_SWITCH: successfully set to view 'first'.
Perth# ?
Exec commands:
  configure  Enter configuration mode
  enable     Turn on privileged commands
  exit       Exit from the EXEC
  show       Show running system information
Perth# show ?
  ip       IP information
  parser   Display parser information
  version  System hardware and software status

Page 170: ISCW Module 5

Role-Based CLI Verification: show ip Command

Perth# show ip ?
  access-lists         List IP access lists
  accounting           The active IP accounting database
  aliases              IP alias table
  arp                  IP ARP table
  as-path-access-list  List AS path access lists
  bgp                  BGP information
  cache                IP fast-switching route cache
  casa                 Display casa information
  cef                  Cisco Express Forwarding
  community-list       List community-list
  dfp                  DFP information
  dhcp                 Show items in the DHCP database
  drp
--More--
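The following is an added example, not code from the Cisco deck: a small Python model of how role-based CLI views resolve what a user can see and run, built from the rules the previous slides state (include entries add a command, with all acting as a prefix wildcard; include-exclusive reserves a command for one view; exclude removes one; a superview is the union of its member views and carries no commands of its own; enable, exit and show parser view are reachable from every view). It reproduces the verification output shown above for the view first. The class and function names are this example's own, the contents of audit_view are assumed (the slides never show them), and treating exclude as a prefix match is an assumption of the model.

```python
"""Added example (not part of the Cisco ISCW deck): a model of role-based CLI view
resolution. Rules modelled are the ones the lesson states; exclude entries are
assumed to match on a command prefix. Class and function names are this example's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Words = Tuple[str, ...]
ALWAYS_EXEC = {('enable',), ('exit',), ('show', 'parser', 'view')}   # reachable from every view

@dataclass
class View:
    name: str
    includes: List[Tuple[str, Words, bool]] = field(default_factory=list)  # (mode, command, all-wildcard)
    excludes: List[Tuple[str, Words]] = field(default_factory=list)

class ViewTable:
    def __init__(self) -> None:
        self.views: Dict[str, View] = {}
        self.superviews: Dict[str, List[str]] = {}
        self.exclusive: Dict[Tuple[str, Words], str] = {}   # (mode, command) -> owning view

    def parser_view(self, name: str) -> View:
        """'parser view <name>': create the view if it does not exist yet."""
        return self.views.setdefault(name, View(name))

    def commands(self, view: str, mode: str, action: str, command: str, all_: bool = False) -> None:
        """'commands <mode> {include|include-exclusive|exclude} [all] <command>' inside a view."""
        words = tuple(command.split())
        v = self.views[view]
        if action == 'exclude':
            v.excludes.append((mode, words))
            return
        owner = self.exclusive.get((mode, words))
        if owner is not None and owner != view:
            raise ValueError(f'{command!r} is include-exclusive in view {owner}')
        if action == 'include-exclusive':
            self.exclusive[(mode, words)] = view
        v.includes.append((mode, words, all_))

    def superview(self, name: str, members: List[str]) -> None:
        """'parser view <name> superview' followed by one 'view <member>' per CLI view."""
        self.superviews[name] = members

    def allowed(self, view: str, mode: str, line: str) -> bool:
        """True if a user in <view> may run <line> in <mode>. Excludes win over includes;
        an 'all' include matches every command that starts with its keywords."""
        words = tuple(line.split())
        if mode == 'exec' and words in ALWAYS_EXEC:
            return True
        if view in self.superviews:   # a superview permits whatever any member view permits
            return any(self.allowed(m, mode, line) for m in self.superviews[view])
        v = self.views[view]
        if any(m == mode and words[:len(w)] == w for m, w in v.excludes):
            return False
        return any(m == mode and (words == w or (all_ and words[:len(w)] == w))
                   for m, w, all_ in v.includes)

    def visible_keywords(self, view: str, mode: str, prefix: Words = ()) -> Set[str]:
        """What '?' lists after <prefix>: the next keyword of every command the view includes.
        Sub-keywords reached only through an 'all' wildcard come from the IOS parser itself,
        not from the view definition, so they are not enumerated here."""
        if view in self.superviews:
            return set().union(*(self.visible_keywords(m, mode, prefix) for m in self.superviews[view]))
        cmds = [w for m, w, _ in self.views[view].includes if m == mode]
        if mode == 'exec':
            cmds += list(ALWAYS_EXEC)
        return {w[len(prefix)] for w in cmds if w[:len(prefix)] == prefix and len(w) > len(prefix)}

def build_deck_views() -> ViewTable:
    """The views configured on the slides; the contents of audit_view are assumed."""
    t = ViewTable()
    t.parser_view('first')
    t.commands('first', 'exec', 'include', 'show version')
    t.commands('first', 'exec', 'include', 'configure terminal')
    t.commands('first', 'exec', 'include', 'show ip', all_=True)
    t.parser_view('monitor_view')
    t.commands('monitor_view', 'exec', 'include', 'show version')
    t.parser_view('audit_view')
    t.commands('audit_view', 'exec', 'include-exclusive', 'show logging')   # assumed, not on the slides
    t.superview('monitor_audit', ['monitor_view', 'audit_view'])
    return t

if __name__ == '__main__':
    t = build_deck_views()
    print(sorted(t.visible_keywords('first', 'exec')))             # ['configure', 'enable', 'exit', 'show']
    print(sorted(t.visible_keywords('first', 'exec', ('show',))))  # ['ip', 'parser', 'version']
```

Two things the slides only imply are visible when you run it: the view first can run show ip route (through the all wildcard) but not show running-config, and once show logging is include-exclusive in audit_view, trying to add it to monitor_view fails, while a user in the superview monitor_audit can still run it.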

Page 171: ISCW Module 5

Cisco IOS Resilient Configuration Feature

� Traditional risk: after a router compromise, the attacker erases the configuration and the IOS image

� This is an availability threat (downtime)

� The primary bootset (the configuration file and the running image) therefore needs to be secured

� This is the purpose of the Cisco IOS Resilient Configuration feature, which:

Speeds up the recovery process

Requires the secured files to be stored locally, on the router's own persistent storage

Can only be disabled through a console session, so a remote attacker cannot turn it off

Page 172: ISCW Module 5

Securing Configuration Files

router(config)#
secure boot-image
• Enables Cisco IOS image resilience

router(config)#
secure boot-config
• Stores a secure copy of the primary bootset in persistent storage

router#
show secure bootset
• Displays the status of configuration resilience and the primary bootset filename

Perth(config)# secure boot-image
Perth(config)# secure boot-config

Page 173: ISCW Module 5

Cisco IOS Resilient Configuration Feature Verification

Perth# show secure bootset
IOS resilience router id JMX0704L5GH

IOS image resilience version 12.3 activated at 08:16:51 UTC Sun Jun 16 2002
Secure archive slot0:c3745-js2-mz type is image (elf) []
  file size is 25469248 bytes, run size is 25634900 bytes
  Runnable image, entry point 0x80008000, run from ram

IOS configuration resilience version 12.3 activated at 08:17:02 UTC Sun Jun 16 2002
Secure archive slot0:.runcfg-20020616-081702.ar type is config
configuration archive size 1059 bytes

Page 174: ISCW Module 5

Secure Configuration Files Recovery

rommon 1 >
dir [filesystem:]
• Lists the contents of the device that holds the secure bootset

rommon 1 >
boot [partition-number:][filename]
• Boots the router using the secure bootset image

router(config)#
secure boot-config [restore filename]
• Restores the secure configuration to the given filename

rommon 1 > dir slot0:
rommon 2 > boot slot0:c3745-js2-mz
...
Router(config)# secure boot-config restore slot0:rescue
Router# copy slot0:rescue running-config

Page 175: ISCW Module 5

Mitigating Threats and Attacks with Access Lists


Lesson 7 – Module 5 – ‘Cisco Device Hardening’

Access Lists

Page 176: ISCW Module 5


Page 177: ISCW Module 5

Objectives

� At the completion of this seventh lesson, you will be able to:

Describe various network attack techniques that use distributed clients

Design and write access lists that mitigate well-known network attacks

Apply these ACLs to routers within the network

Page 178: ISCW Module 5

Cisco ACL Overview

� An ACL is simply a list of statements

� Each statement defines a pattern that may be found in an IP packet. As each packet arrives at an interface with an associated ACL, the list is scanned from top to bottom, in the exact order in which the statements were entered, for a pattern that matches the packet

� A permit or deny rule associated with the pattern determines what then happens to that packet

� Cisco routers use ACLs as packet filters to decide which packets can access a router service, or which packets can be allowed through an interface

Packets that are allowed across an interface are known as permitted packets; those that are not allowed are known as denied packets.

Page 179: ISCW Module 5

Cisco ACL Overview

� Router security depends upon well-written and carefully considered ACLs to restrict access to router network services and to filter packets as they traverse the router

� Cisco routers support three types of IP ACLs:
1. standard,
2. extended, and
3. enhanced IP ACLs.

� Standard IP ACLs: A standard ACL only permits or denies traffic from specific source IP addresses. The destination of the packet and the ports involved do not matter.

� Extended IP ACLs: An extended ACL is a list of statements that can filter IP packets based on several attributes (protocol type, source IP address, destination IP address, source TCP or User Datagram Protocol [UDP] port, destination TCP or UDP port, or optional protocol-specific information such as the ICMP message type or the TCP established flag, for finer granularity of control).

Page 180: ISCW Module 5

Identifying ACLs

� Either a number or a name can identify Cisco ACLs and the protocols that they filter

� Using numbered ACLs is effective on smaller networks that do not have as wide a range of traffic types as larger networks do.

Standard IP ACLs use the numbered range from 1 to 99 (and the expanded range 1300 to 1999)

The extended IP ACL number range is 100 to 199 and 2000 to 2699

� ACLs can also be identified with an alphanumeric string (a name) rather than a number. Named ACLs allow configuration of more ACLs in a router than numbered ACLs alone

If the ACL is identified with a name rather than a number, the mode and command syntax for the ACL are slightly different. Currently, only packet and route filters can use a named ACL

Page 181: ISCW Module 5

Guidelines for Developing ACLs

� Before you start to develop any ACLs, consider these basic rules:

Base your ACLs on your security policy:

Unless the ACL is anchored in a comprehensive security policy, you cannot be certain that the ACL will control access in the way access needs to be controlled.

Write the ACL out:

Never sit down at a router and start to develop an ACL without first spending some time on design. The best ACL developers suggest that you write out a list of things you want the ACL to accomplish, starting with something as simple as, "This ACL must block all Simple Network Management Protocol (SNMP) access to the router except for the SNMP host at 10.1.1.15."

Order of statements within an ACL is critical:

Once a match is found, no more statements are checked, so more specific statements must come before more general statements that would otherwise match the same packets.

Page 182: ISCW Module 5

Guidelines for Developing ACLs #2

� Before you start to develop any ACLs, consider these basic rules:

Set up a development system:
Whether you use a laptop PC or a dedicated server, a place is required to develop and store ACLs. Word processors or text editors of any kind are suitable, as long as the files are saved in 'vanilla' ASCII text format

Build a library of your most commonly used ACLs and use the saved ACLs as sources for new files. ACLs can be pasted into the router running configuration (via console or Telnet access), or can be stored in a router configuration file for transfer by TFTP

A hacker can discover a lot about a network from looking at these easily read text files. For this reason, it is imperative that the system where you choose to develop and store your ACL and router files be a secure system

Test:
If possible, test the ACLs in a secure environment before placing them into production. Testing is a common-sense approach to any router configuration change. While testing may appear to be an unnecessary cost, it can save a great amount of time, money and heartache!

Page 183: ISCW Module 5

Applying ACLs to Router Interfaces

� Packet-filtering ACLs must be applied to a router interface to take effect. It is important to note that ACLs are applied to an interface based on the direction of the data flow

� Consider the simple concept of how to apply the ACL to incoming packets (an "in" ACL) or outgoing packets (an "out" ACL), as follows:

Inbound (in): The packet-filtering ACL applies to packets received on the router interface

Outbound (out): The packet-filtering ACL applies to packets transmitted out of the router interface. For outbound ACLs, the filter need only be set up on one outgoing interface rather than on each individual incoming interface. This configuration improves performance because only traffic heading for the network being protected forces a lookup on the ACL

Page 184: ISCW Module 5

Applying ACLs to Router Interfaces


Inbound (in): Data flows toward router interface

Outbound (out): Data flows away from router interface

Page 185: ISCW Module 5

Using Traffic Filtering with ACLs

� Always apply the following general rules when deciding how to handle router services, ports, and protocols:

Disable unused services, ports, or protocols:

In the case where no machine, including the router itself, needs to use an enabled service, port, or protocol, disable that service, port, or protocol

Limit access to services, ports, or protocols:

In the case where a limited number of users or systems require access to an enabled router service, port, or protocol, limit access to that service, port, or protocol using ACLs

ACLs are important because they act as traffic filters between the corporate (trusted) network and the Internet (untrusted network). Using ACLs, the router enforces corporate security policies by rejecting protocols and restricting port use

Page 186: ISCW Module 5

Using Traffic Filtering with ACLs


Use ACLs to filter ingress and egress from routers and firewall appliances.

Use ACLs to disable and limit services, ports, and protocols.

Page 187: ISCW Module 5

Filtering Network Traffic to Mitigate Threats

� ACLs can be used to mitigate many threats:

1. IP address spoofing – Inbound
2. IP address spoofing – Outbound
3. Denial of service (DoS) TCP SYN attacks – Blocking external attacks
4. DoS TCP SYN attacks – Using TCP Intercept
5. DoS Smurf attacks
6. Filtering Internet Control Message Protocol (ICMP) messages – Inbound
7. Filtering ICMP messages – Outbound
8. Filtering traceroute

Page 188: ISCW Module 5

IP Address Spoofing Mitigation: Inbound

ACL 150 is applied inbound on the outside interface (e0/0). The first line drops packets that arrive from the Internet claiming an inside (10.2.1.0/24) source address; the following lines drop loopback, unspecified, private, multicast and broadcast sources, which are never legitimate on an Internet-facing interface.

R2(config)# access-list 150 deny ip 10.2.1.0 0.0.0.255 any log
R2(config)# access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
R2(config)# access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
R2(config)# access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
R2(config)# access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
R2(config)# access-list 150 deny ip 224.0.0.0 15.255.255.255 any log
R2(config)# access-list 150 deny ip host 255.255.255.255 any log
R2(config)# access-list 150 permit ip any 10.2.1.0 0.0.0.255
R2(config)# interface e0/0
R2(config-if)# ip access-group 150 in
R2(config-if)# exit

Page 189: ISCW Module 5

IP Address Spoofing Mitigation: Outbound

"Be a good citizen and prevent your network from being spoofed."

ACL 105 is applied inbound on the inside interface (e0/1), so only packets with a legitimate inside source address can leave the network; anything else is dropped and logged, which also flags an inside host that has been compromised and is spoofing.

R2(config)# access-list 105 permit ip 10.2.1.0 0.0.0.255 any
R2(config)# access-list 105 deny ip any any log
R2(config)# interface e0/1
R2(config-if)# ip access-group 105 in
R2(config-if)# end

Page 190: ISCW Module 5

DoS TCP SYN Attack Mitigation: Blocking External Access

The established keyword matches TCP segments with the ACK or RST bit set, that is, replies to connections opened from the inside. An inbound SYN carries neither bit, so it falls through to the deny and outside hosts cannot open connections to the inside LAN. Note that this ACL also drops all inbound UDP and ICMP.

R2(config)# access-list 109 permit tcp any 10.2.1.0 0.0.0.255 established
R2(config)# access-list 109 deny ip any any log
R2(config)# interface e0/0
R2(config-if)# ip access-group 109 in
R2(config-if)# end

Page 191: ISCW Module 5

DoS TCP SYN Attack Mitigation: Using TCP Intercept

TCP Intercept completes the three-way handshake with the client on behalf of the servers matched by ACL 110 and only hands the connection to the real server once the handshake succeeds, so the half-open connections of a SYN flood never reach the inside hosts.

R2(config)# ip tcp intercept list 110
R2(config)# access-list 110 permit tcp any 10.2.1.0 0.0.0.255
R2(config)# access-list 110 deny ip any any
R2(config)# interface e0/0
R2(config-if)# ip access-group 110 in
R2(config-if)# end

Page 192: ISCW Module 5

DoS Smurf Attack Mitigation

A smurf attack sends ICMP echo requests to a directed broadcast address with the victim's address as the spoofed source, so every host on that subnet replies to the victim. Denying packets addressed to each subnet's broadcast address stops the router from forwarding the amplifying packets in either direction. (The no ip directed-broadcast interface command, the default since IOS 12.0, has the same effect.)

R2(config)# access-list 111 deny ip any host 10.2.1.255 log
R2(config)# access-list 111 permit ip any 10.2.1.0 0.0.0.255 log
R2(config)# access-list 112 deny ip any host 10.1.1.255 log
R2(config)# access-list 112 permit ip any 10.1.1.0 0.0.0.255 log
R2(config)# interface e0/0
R2(config-if)# ip access-group 111 in
R2(config-if)# end
R2(config)# interface e0/1
R2(config-if)# ip access-group 112 in
R2(config-if)# end

Page 193: ISCW Module 5

Filtering Inbound ICMP Messages

Inbound echo (ping sweeps), redirect (route manipulation) and mask-request (reconnaissance) messages are dropped; other ICMP, such as echo-reply and unreachable, is still allowed in to the inside LAN. Note that this slide reuses the number 112 from the Smurf example; on a real router these lines would simply be appended to the existing ACL 112, which is why the combined configuration later in this lesson removes each ACL with no access-list before rebuilding it.

R2(config)# access-list 112 deny icmp any any echo log
R2(config)# access-list 112 deny icmp any any redirect log
R2(config)# access-list 112 deny icmp any any mask-request log
R2(config)# access-list 112 permit icmp any 10.2.1.0 0.0.0.255
R2(config)# interface e0/0
R2(config-if)# ip access-group 112 in
R2(config-if)# end

Page 194: ISCW Module 5

Filtering Outbound ICMP Messages

Only the ICMP messages that inside hosts legitimately need to send (echo, parameter-problem, packet-too-big for path MTU discovery, source-quench) may leave; everything else, including the echo-reply and unreachable messages an outside scanner could use to map the inside LAN, is dropped and logged.

R2(config)# access-list 114 permit icmp 10.2.1.0 0.0.0.255 any echo
R2(config)# access-list 114 permit icmp 10.2.1.0 0.0.0.255 any parameter-problem
R2(config)# access-list 114 permit icmp 10.2.1.0 0.0.0.255 any packet-too-big
R2(config)# access-list 114 permit icmp 10.2.1.0 0.0.0.255 any source-quench
R2(config)# access-list 114 deny icmp any any log
R2(config)# interface e0/1
R2(config-if)# ip access-group 114 in
R2(config-if)# end

Page 195: ISCW Module 5

Filtering UDP Traceroute Messages

UNIX-style traceroute sends UDP probes to destination ports starting at 33434 and incrementing per hop, so the 33400 to 34400 range catches them (Windows tracert uses ICMP echo instead and is handled by the ICMP filters). Applied inbound on e0/1 as shown here, the deny stops inside hosts from tracing outside networks; the combined configuration later in this lesson applies the same deny inbound on e0/0 to stop outsiders tracing the inside LAN.

R2(config)# access-list 120 deny udp any any range 33400 34400 log
R2(config)# access-list 120 permit ip any 10.1.1.0 0.0.0.255 log
R2(config)# interface e0/1
R2(config-if)# ip access-group 120 in
R2(config-if)# end

Page 196: ISCW Module 5

Mitigating DDos Attacks

� The next slide shows how a DDoS attack occurs:

Behind a Client is a person who launches the attack

A Handler is a compromised host that is running the attacker program. Each Handler is capable of controlling multiple Agents

An Agent is a compromised host that is running the attacker program. Each Agent is responsible for generating a stream of packets that is directed toward the intended victim

� Generally, routers cannot prevent all DDoS attacks, but they can help reduce the number of occurrences of attacks by building ACLs that filter known attack ports. The methods shown here block the control-channel ports used by TRIN00, Stacheldraht, Trinity v3, and SubSeven

� ACL rules are generally applied to inbound and outbound traffic between the protected network and the Internet

Page 197: ISCW Module 5

Basics of DDoS Attacks


DDoS attacks exploit specific ports.

ACLs can control access on a port-by-port basis.

Page 198: ISCW Module 5

Mitigate DDoS Using Martian Filters

� RFC 2827 * recommends that ISPs police their customer traffic by dropping traffic that enters their networks from a source address that the customer network is not legitimately using

� The filtering includes, but is not limited to, traffic whose source address is a "Martian address", that is, a reserved address within 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, or 240.0.0.0/4

� The reasoning behind this ingress filtering procedure is that DDoS attacks frequently spoof the source addresses of other systems, placing a random number in the field

* RFC 3704 is the update to RFC 2827

Page 199: ISCW Module 5

Mitigate DDoS Using Martian Filters

RFC 3704 is the update to RFC 2827

Page 200: ISCW Module 5

TRIN00 attack

� TRIN00 is a distributed DoS tool; its attack method is a UDP flood

� The TRIN00 attack sets up communications between clients, handlers, and agents using these ports:

1524 tcp
27665 tcp
27444 udp
31335 udp

� The mitigation tactic for the TRIN00 attack, as well as for the other DDoS tools that follow, is to apply the deny statements inbound on both interfaces. The goal is to prevent infected outside systems from sending messages to the internal network and to prevent any infected internal systems from sending messages out of the internal network to the vulnerable ports

Page 201: ISCW Module 5

DDoS Attack Mitigation: TRIN00

R2(config)# access-list 190 deny tcp any any eq 1524 log
R2(config)# access-list 190 deny tcp any any eq 27665 log
R2(config)# access-list 190 deny udp any any eq 31335 log
R2(config)# access-list 190 deny udp any any eq 27444 log
R2(config)# interface e0/0
R2(config-if)# ip access-group 190 in
R2(config-if)# end
R2(config)# interface e0/1
R2(config-if)# ip access-group 190 in
R2(config-if)# end

Page 202: ISCW Module 5

Stacheldraht attack

� Stacheldraht is a DDoS tool that first appeared in 1999 and combines features of TRIN00 and Tribe Flood Network (TFN)

� Stacheldraht also contains some advanced features such as encrypted attacker-master communication and automated agent updates

� Possible Stacheldraht attacks are similar to the attacks of TFN; namely, ICMP flood, SYN flood, UDP flood, and smurf attacks

� A Stacheldraht attack sets up communication between clients, handlers, and agents using these ports:

16660 tcp
65000 tcp

Page 203: ISCW Module 5

DDoS Attack Mitigation: Stacheldraht

R2(config)# access-list 190 deny tcp any any eq 16660 log
R2(config)# access-list 190 deny tcp any any eq 65000 log
R2(config)# interface e0/0
R2(config-if)# ip access-group 190 in
R2(config-if)# end
R2(config)# interface e0/1
R2(config-if)# ip access-group 190 in
R2(config-if)# end

Page 204: ISCW Module 5

Trinity

� Trinity is capable of launching several types of flooding attacks on a victim site including UDP, fragment, SYN, reset (RST), acknowledgement (ACK), and other floods

� Communication from the handler or intruder to the agent is accomplished via Internet Relay Chat (IRC) or ICQ from AOL

� Trinity appears to use primarily TCP port 6667 (the standard IRC port, so blocking it would also block legitimate IRC) and also has a backdoor program that listens on TCP port 33270. The mitigation ACL on the next slide filters TCP port 39168 rather than either of these

Page 205: ISCW Module 5

DDoS Attack Mitigation: Trinity v3

R2(config)# access-list 190 deny tcp any any eq 39168 log
R2(config)# interface e0/0
R2(config-if)# ip access-group 190 in
R2(config-if)# end
R2(config)# interface e0/1
R2(config-if)# ip access-group 190 in
R2(config-if)# end

Page 206: ISCW Module 5

SubSeven

� SubSeven is a backdoor Trojan that targets Windows machines

� Once a machine is infected, the attacker can take complete control over the system and has full access as if they were a local user

� The attacker can then use the victim's machine to launch DDoS attacks

� Depending on the version, an attacker will try to use the following TCP ports:

1243, 2773, 6711, 6712, 6713, 6776, 7000, 7215, 16959, 27374, 27573, and 54283

Page 207: ISCW Module 5

DDoS Attack Mitigation: SubSeven

R2(config)# access-list 190 deny tcp any any eq 1243 log
R2(config)# access-list 190 deny tcp any any eq 2773 log
R2(config)# access-list 190 deny tcp any any range 6711 6713 log
R2(config)# access-list 190 deny tcp any any eq 6776 log
R2(config)# access-list 190 deny tcp any any eq 7000 log
R2(config)# access-list 190 deny tcp any any eq 7215 log
R2(config)# access-list 190 deny tcp any any eq 27374 log
R2(config)# access-list 190 deny tcp any any eq 27573 log
R2(config)# access-list 190 deny tcp any any eq 54283 log
R2(config)# interface e0/0
R2(config-if)# ip access-group 190 in
R2(config-if)# end
R2(config)# interface e0/1
R2(config-if)# ip access-group 190 in
R2(config-if)# end

Page 208: ISCW Module 5

Combined ACL Configuration File (1 of 6)

hostname R2
!
interface Ethernet0/0
 ip address 10.1.1.2 255.255.0.0
 ip access-group 126 in
! Apply ACL 126 to traffic coming into the network.
!
interface Ethernet0/1
 ip address 10.2.1.1 255.255.255.0
 ip access-group 128 in
! Apply ACL 128 to traffic coming out of the network.
!
router rip
 network 10.0.0.0
!
no access-list 126
! Delete ACL 126 to make sure that you create a new ACL rather than appending to an old one.
!

Page 209: ISCW Module 5

Combined ACL Configuration File (2 of 6)

! Prevent spoofing using internal addresses.
access-list 126 deny ip 10.2.1.0 0.0.0.255 any log
!
! Prevent spoofing using invalid source addresses.
access-list 126 deny ip 127.0.0.0 0.255.255.255 any log
access-list 126 deny ip 0.0.0.0 0.255.255.255 any log
access-list 126 deny ip 172.16.0.0 0.15.255.255 any log
access-list 126 deny ip 192.168.0.0 0.0.255.255 any log
access-list 126 deny ip 224.0.0.0 15.255.255.255 any log
!
! Deny packets destined to the remote access LAN broadcast and network addresses.
access-list 126 deny ip any host 10.2.1.255 log
access-list 126 deny ip any host 10.2.1.0 log
!
! Permit TCP return traffic to the remote access LAN.
access-list 126 permit tcp any 10.2.1.0 0.0.0.255 established
!

Page 210: ISCW Module 5

Combined ACL Configuration File (3 of 6)

! Control ICMP traffic.
access-list 126 deny icmp any any echo log
access-list 126 deny icmp any any redirect log
access-list 126 deny icmp any any mask-request log
access-list 126 permit icmp any 10.2.1.0 0.0.0.255
!
! Permit RIP updates (RI P uses UDP port 520).
access-list 126 permit udp 10.1.0.0 0.0.255.255 host 255.255.255.255 eq 520
!
! Block TRIN00, Stacheldraht, and Trinity.
access-list 126 deny tcp any any eq 1524 log
access-list 126 deny tcp any any eq 27665 log
access-list 126 deny tcp any any eq 16660 log
access-list 126 deny tcp any any eq 65000 log
access-list 126 deny tcp any any eq 39168 log
access-list 126 deny tcp any any eq 65000 log
!
! Allow FTP clients in the remote access LAN to use active-mode FTP (server data connections from port 20).
access-list 126 permit tcp any eq 20 10.2.1.0 0.0.0.255 gt 1023
!

Page 211: ISCW Module 5

Combined ACL Configuration File (4 of 6)

! Block the TRIN00 UDP ports.
access-list 126 deny udp any any eq 27444 log
access-list 126 deny udp any any eq 31335 log
!
! Deny tracing of the remote access LAN.
access-list 126 deny udp any any range 33400 34400 log
!
! Allow return DNS traffic.
access-list 126 permit udp any eq 53 10.2.1.0 0.0.0.255 gt 1023
!
! Deny all remaining traffic and provide detailed logging information of denied traffic.
access-list 126 deny tcp any range 0 65535 any range 0 65535 log
access-list 126 deny udp any range 0 65535 any range 0 65535 log
access-list 126 deny ip any any log

Page 212: ISCW Module 5

Combined ACL Configuration File (5 of 6)

! Delete ACL 128 so the new statements are not appended to an old ACL.
no access-list 128
!
! Permit needed ICMP messages.
access-list 128 permit icmp 10.2.1.0 0.0.0.255 any echo
access-list 128 permit icmp 10.2.1.0 0.0.0.255 any parameter-problem
access-list 128 permit icmp 10.2.1.0 0.0.0.255 any packet-too-big
access-list 128 permit icmp 10.2.1.0 0.0.0.255 any source-quench
!
! Block access to certain outside TCP services.
access-list 128 deny tcp any any range 1 19 log
access-list 128 deny tcp any any eq 43 log
access-list 128 deny tcp any any eq 93 log
access-list 128 deny tcp any any range 135 139 log
access-list 128 deny tcp any any eq 445 log
access-list 128 deny tcp any any range 512 518 log
access-list 128 deny tcp any any eq 540 log
!

Page 213: ISCW Module 5

Combined ACL Configuration File (6 of 6)

! Permit access to all remaining outside TCP services and to DNS (UDP/53), and allow tracing of outside destinations.
access-list 128 permit tcp 10.2.1.0 0.0.0.255 gt 1023 any lt 1024
access-list 128 permit udp 10.2.1.0 0.0.0.255 gt 1023 any eq 53
access-list 128 permit udp 10.2.1.0 0.0.0.255 any range 33400 34400 log
!
! Deny all remaining access and provide detailed logging of denied access.
access-list 128 deny tcp any range 0 65535 any range 0 65535 log
access-list 128 deny udp any range 0 65535 any range 0 65535 log
access-list 128 deny ip any any log

Page 214: ISCW Module 5

ACL Caveats

Statement                   Caveat
(Implicit) Deny All         You will not see this statement in the configuration, but it exists at the end of every ACL.
Standard ACL limitation     You may need to create extended ACLs to implement security policies.
Statement evaluation order  ACL statements are evaluated from the top down, so always consider the order of the statements.
Order of ACL statements     Place more specific ACL statements higher in the ACL. Ensure that statements at the top of the ACL do not negate any statements found lower in the list.
Directional filtering       Always double-check the direction (inbound or outbound) of data that your ACL is filtering.

Page 215: ISCW Module 5

ACL Caveats (Cont.)

Statement                   Caveat
Adding statements           Adding new statements may require a new ACL to be created (new statements in a numbered ACL are appended at the end).
Special packets             If filtering router-generated packets is part of the security policy, the packets must be acted upon by inbound ACLs on adjacent routers or by other router filter mechanisms using ACLs.
Extended ACL placement      Always consider placing extended ACLs on routers as close as possible to the source that the ACLs are filtering.
Standard ACL placement      Always place standard ACLs as close to the destination as possible.
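The ordering and implicit-deny caveats above can be checked mechanically rather than by eye. The following Python script is an added example (it is not Cisco code and is not part of the original slides): it parses the subset of IOS extended-ACL syntax used by ACL 128 on this page (permit/deny, tcp/udp/icmp/ip, "any" or address plus wildcard, eq/gt/lt/range port operators, an ICMP type keyword, and a trailing "log"), evaluates constructed packets top down with first-match semantics and an implicit deny, and shows that moving the broad "permit tcp ... lt 1024" statement above the specific denies lets TCP/445 through. The packet addresses and the ACL_128_MISORDERED list are constructed for illustration; keywords such as "host" and "established" are not handled.

```python
"""First-match evaluator for the subset of Cisco IOS extended ACL syntax
used in this module (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_OPS = {"eq", "gt", "lt", "range"}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[str] = None  # ICMP type keyword, e.g. "echo" (constructed)


@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Tuple[int, int]
    dst: ipaddress.IPv4Network
    dport: Tuple[int, int]
    icmp_type: Optional[str]
    text: str


def _addr(tok: List[str]):
    """Consume 'any' or 'A.B.C.D WILDCARD' (IOS wildcard = inverse mask)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    wild = int(ipaddress.IPv4Address(tok[1]))
    mask = str(ipaddress.IPv4Address(~wild & 0xFFFFFFFF))
    return ipaddress.ip_network((tok[0], mask), strict=False), tok[2:]


def _ports(tok: List[str]):
    """Consume an optional eq/gt/lt/range operator; default is all ports."""
    if not tok or tok[0] not in PORT_OPS:
        return (0, 65535), tok
    op, n = tok[0], int(tok[1])
    if op == "eq":
        return (n, n), tok[2:]
    if op == "gt":
        return (n + 1, 65535), tok[2:]
    if op == "lt":
        return (0, n - 1), tok[2:]
    return (n, int(tok[2])), tok[3:]


def parse_entry(line: str) -> Entry:
    tok = line.split()
    if tok[0] == "access-list":          # drop the "access-list 128" prefix
        tok = tok[2:]
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _addr(tok)
    sport, tok = _ports(tok)
    dst, tok = _addr(tok)
    dport, tok = _ports(tok)
    tok = [t for t in tok if t != "log"]  # "log" does not affect matching
    icmp_type = tok[0] if proto == "icmp" and tok else None
    return Entry(action, proto, src, sport, dst, dport, icmp_type, line)


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Top down, first match wins; no match falls through to the implicit deny."""
    ip_src, ip_dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in map(parse_entry, acl):
        if ((e.proto == "ip" or e.proto == pkt.proto)
                and ip_src in e.src and ip_dst in e.dst
                and e.sport[0] <= pkt.sport <= e.sport[1]
                and e.dport[0] <= pkt.dport <= e.dport[1]
                and (e.icmp_type is None or e.icmp_type == pkt.icmp_type)):
            return e.action, e.text
    return "deny", None  # implicit deny all


# Relevant statements from ACL 128 on this page, in their original order.
ACL_128 = [
    "access-list 128 permit icmp 10.2.1.0 0.0.0.255 any echo",
    "access-list 128 deny tcp any any range 135 139 log",
    "access-list 128 deny tcp any any eq 445 log",
    "access-list 128 permit tcp 10.2.1.0 0.0.0.255 gt 1023 any lt 1024",
    "access-list 128 permit udp 10.2.1.0 0.0.0.255 gt 1023 any eq 53",
]
# The same statements with the broad permit moved above the specific denies (constructed).
ACL_128_MISORDERED = [ACL_128[0], ACL_128[3]] + ACL_128[1:3] + ACL_128[4:]

# Constructed test packets (not from the page).
SMB = Packet("tcp", "10.2.1.5", "203.0.113.7", sport=40000, dport=445)
DNS = Packet("udp", "10.2.1.5", "203.0.113.53", sport=40001, dport=53)
NTP = Packet("udp", "10.2.1.5", "203.0.113.123", sport=40002, dport=123)
PING = Packet("icmp", "10.2.1.5", "203.0.113.7", icmp_type="echo")

if __name__ == "__main__":
    for name, pkt in [("SMB", SMB), ("DNS", DNS), ("NTP", NTP), ("PING", PING)]:
        print(name, evaluate(ACL_128, pkt))
    print("SMB, misordered", evaluate(ACL_128_MISORDERED, SMB))
```

Running it shows SMB denied by the "eq 445" line in the original order but permitted by the broad "lt 1024" line once that line is moved up, and NTP (UDP/123, never mentioned in the ACL) hitting the implicit deny with no matching statement.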

Page 216: ISCW Module 5

Securing Management and Reporting Features

Lesson 8 – Module 5 – ‘Cisco Device Hardening’


Page 218: ISCW Module 5

Objectives

• At the completion of this eighth lesson, you will be able to:
Describe and demonstrate how to set up syslog reporting for a large network
Demonstrate the importance of secure channels for syslog information
Describe the difference between in-band and out-of-band reporting
Read and analyse syslog reports

Page 219: ISCW Module 5

Secure Management and Reporting Planning Considerations

• Configuring logging for Cisco routers is a straightforward operation when the network contains only a few Cisco routers. However, logging and reading information from hundreds of devices can be a challenging proposition. Too much information can be as bad as too little information, and raises these important questions:
Which are the most important logs?
How are important messages separated from routine notifications?
How do you prevent tampering with logs?
How do you make sure time stamps match?
What log data is needed in criminal investigations?
How do you deal with the volume of log messages?
How do you manage all the devices?
How can you track changes when attacks or network failures occur?

Page 220: ISCW Module 5

Secure Management and Reporting Architecture

Page 221: ISCW Module 5

Information Paths

• Information flow between management hosts and the managed devices can take two paths:
In-band: information flows across the enterprise production network or the Internet (or both)
Out-of-band (OOB): information flows within a network on which no production traffic resides

Page 222: ISCW Module 5

Information Paths


Page 223: ISCW Module 5

In-Band Management Considerations

• Some questions that must be considered when designing an in-band management solution:
Which management protocols does each device support?
Does the management channel need to be active at all times?
Is SNMP necessary?

Page 224: ISCW Module 5

Secure Management and Reporting Guidelines

• In-band management guidelines:
Apply only to devices needing to be managed or monitored.
Use IPsec when possible.
Use SSH or SSL instead of Telnet.
Decide whether the management channel needs to be open at all times.
Keep clocks on hosts and network devices synchronised.
Record changes and archive configurations.
• OOB management guidelines:
Provide the highest level of security and mitigate the risk of passing insecure management protocols over the production network.
Keep clocks on hosts and network devices synchronised.
Record changes and archive configurations.

Page 225: ISCW Module 5

Configuring an SSH Server for Secure Management and Reporting

Austin2# configure terminal
Austin2(config)# ip domain-name cisco.com
Austin2(config)# crypto key generate rsa general-keys modulus 1024
Sept 22 13:20:45: %SSH-5-ENABLED: SSH 1.5 has been enabled
Austin2(config)# ip ssh timeout 120
Austin2(config)# ip ssh authentication-retries 4
Austin2(config)# line vty 0 4
Austin2(config-line)# no transport input telnet
Austin2(config-line)# transport input ssh
Austin2(config-line)# end

1. Configure the IP domain name (the RSA key pair is named after the hostname and domain name, so both must be set first).
2. Generate the RSA keys.
3. (Optional) Display the generated keys.
4. Configure the SSH timeout interval.
5. Configure the number of SSH authentication retries.
6. Disable inbound Telnet sessions on the vty lines.
7. Enable inbound SSH sessions on the vty lines.

Note: the log message shows SSH 1.5 (that is, SSH version 1) being enabled by default on this IOS release. Where the release supports it, also configure ip ssh version 2 so that only SSHv2 is accepted, since SSHv1 has known protocol weaknesses, and verify the result with show ip ssh.

Page 226: ISCW Module 5

Implementing Log Messaging for Security

• Routers should be configured to send log messages to one or more of these destinations:
Console
Terminal lines
Memory buffer
SNMP traps
Syslog
• Syslog logging is a key security policy component.

Page 227: ISCW Module 5

Syslog Systems

Syslog server: a host that accepts and processes log messages from one or more syslog clients
Syslog client: a host that generates log messages and forwards them to a syslog server

Page 228: ISCW Module 5

Cisco Log Severity Levels

Level  Name         Definition                                                       Example
0      LOG_EMERG    A panic condition, normally broadcast to all users               Cisco IOS software could not load
1      LOG_ALERT    A condition that should be corrected immediately, such as a      Temperature too high
                    corrupted system database
2      LOG_CRIT     Critical conditions; for example, hard device errors             Unable to allocate memory
3      LOG_ERR      Errors                                                           Invalid memory size
4      LOG_WARNING  Warning messages                                                 Crypto operation failed
5      LOG_NOTICE   Conditions that are not error conditions but should possibly     Interface changed state, up or down
                    be handled specially
6      LOG_INFO     Informational messages                                           Packet denied by ACL
7      LOG_DEBUG    Messages that contain information normally used only when        Packet type invalid
                    debugging a program

Page 229: ISCW Module 5

Log Message Format

Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)

Time stamp: Oct 29 10:00:01 EST
Log message name (facility and mnemonic) and severity level: %SYS-5-CONFIG_I, where SYS is the facility, 5 is the severity level and CONFIG_I is the message mnemonic
Message text: Configured from console by vty0 (10.2.2.6)

Note: the log message name (the mnemonic, CONFIG_I here) is not the same as a severity level name (LOG_NOTICE for level 5).

Page 230: ISCW Module 5

Configuring Syslog Step 1

Router(config)#
logging [host-name | ip-address]

1. Sets the destination logging host

Parameter   Description
host-name   The name of the host you want to use as a syslog server
ip-address  The IP address of the host you want to use as a syslog server

Page 231: ISCW Module 5

Configuring Syslog Step 2

Router(config)#
logging trap level

2. (Optional) Sets the log severity (trap) level

Parameter  Description
level      Limits the logging of messages to the syslog servers to the specified level and below (more severe). You can enter the level number (0 to 7) or the level name.

Page 232: ISCW Module 5

Configuring Syslog Step 3

Router(config)#
logging facility facility-type

3. (Optional) Sets the syslog facility

Parameter      Description
facility-type  The syslog facility type (local0 to local7)

Page 233: ISCW Module 5

Configuring Syslog Steps 4 and 5

Router(config)#
logging source-interface interface-type interface-number

4. (Optional) Sets the source interface

Parameter         Description
interface-type    The interface type (for example, Ethernet)
interface-number  The interface number (for example, 0/1)

Router(config)#
logging on

5. Enables logging

Page 234: ISCW Module 5

Syslog Implementation Example

R3(config)# logging 10.2.2.6
R3(config)# logging trap informational
R3(config)# logging source-interface loopback 0
R3(config)# logging on
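Once messages in the format shown on the Log Message Format slide arrive at the syslog server, "reading and analysing" them means splitting each line into its time stamp, facility, severity, mnemonic and text, and then filtering by severity the same way logging trap informational does on the router. The Python below is an added example (not part of the original slides or any Cisco tool): it parses Cisco IOS syslog lines, applies a trap-level filter, and extracts the source and destination of ACL denials logged as %SEC-6-IPACCESSLOGP. The sample log lines are constructed for this example (the first one is the page's own example; the %EXAMPLE-7-DEBUGMSG line uses a hypothetical mnemonic to stand in for a debug-level message).

```python
"""Parser and severity filter for Cisco IOS syslog messages
(added example, not part of the page or of Cisco's tooling)."""
import re
from typing import Dict, List, Optional, Tuple

# Severity names from the Cisco log severity table (0 = most severe).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# %FACILITY-SEVERITY-MNEMONIC: text, preceded by an optional sequence number
# and time stamp (as produced by "service timestamps log datetime").
MSG_RE = re.compile(
    r"^(?:\d+: )?(?P<ts>.*?)\s*%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")

# Body of %SEC-6-IPACCESSLOGP, e.g. "list 128 denied tcp 192.0.2.10(4321) -> 10.2.1.5(445), 1 packet"
ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")


def parse_line(line: str) -> Optional[Dict]:
    """Split one IOS syslog line into its fields; None if it is not one."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    return {"timestamp": m["ts"].rstrip(": "), "facility": m["fac"], "severity": sev,
            "severity_name": SEVERITY_NAMES[sev], "mnemonic": m["mnem"], "text": m["text"]}


def filter_trap_level(lines: List[str], level: int = 6) -> List[Dict]:
    """Keep messages at or below 'level', as 'logging trap <level>' does on the router."""
    parsed = (parse_line(l) for l in lines)
    return [r for r in parsed if r and r["severity"] <= level]


def acl_denials(records: List[Dict]) -> List[Tuple[str, str, str, int, str, int]]:
    """Pull (acl, proto, src, sport, dst, dport) out of IPACCESSLOGP denials."""
    out = []
    for r in records:
        if r["mnemonic"] != "IPACCESSLOGP":
            continue
        m = ACL_RE.match(r["text"])
        if m and m["action"] == "denied":
            out.append((m["acl"], m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return out


# Constructed sample log lines (the first is the page's own example).
SAMPLE = """\
Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)
Oct 29 10:00:07 EST: %SEC-6-IPACCESSLOGP: list 128 denied tcp 192.0.2.10(4321) -> 10.2.1.5(445), 1 packet
Oct 29 10:00:09 EST: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
Oct 29 10:00:09 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
Oct 29 10:00:11 EST: %EXAMPLE-7-DEBUGMSG: hypothetical debug-level message, dropped by logging trap informational
""".splitlines()

if __name__ == "__main__":
    kept = filter_trap_level(SAMPLE, 6)
    for r in kept:
        print(f"{r['severity']} {r['severity_name']:<14} {r['facility']}-{r['mnemonic']}: {r['text']}")
    print("ACL denials:", acl_denials(kept))
```

Lowering the level to 3 keeps only the %LINK-3-UPDOWN line, which is the practical answer to "how are important messages separated from routine notifications": filter on the numeric severity, never on the free-text part, and treat the mnemonic as the key for per-message-type handling.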

Page 235: ISCW Module 5

Configuring SNMP


Lesson 9 – Module 5 – ‘Cisco Device Hardening’


Page 237: ISCW Module 5

Objectives

• At the completion of this ninth lesson, you will be able to:
Describe the concepts behind the use of SNMP
Explain the various SNMP actions
Explain why the use of SNMPv1 and SNMPv2 is not recommended
Demonstrate how to configure Cisco routers to use SNMPv3

Page 238: ISCW Module 5

SNMP

• SNMP, the Simple Network Management Protocol, forms part of the Internet protocol suite as defined by the IETF.
• SNMP is used by network management systems to monitor network-attached devices for conditions that warrant administrative attention.
• It consists of a set of standards for network management, including an application layer protocol, a database schema, and a set of data objects.
• The current version is SNMPv3. SNMPv1 and SNMPv2 are considered obsolete and are extremely insecure: the community string and all management data travel in cleartext. It is recommended that they NOT be used on a publicly attached network.

Page 239: ISCW Module 5

SNMP Components

• An SNMP-managed network consists of three key components:
1. Managed devices
2. Agents
3. Network-management systems (NMSs)

1. A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices can be routers and access servers, switches and bridges, hubs, computer hosts, or printers.
2. An agent is a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP.
3. An NMS executes applications that monitor (and possibly control) managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs must exist on any managed network.

Ref: Wikipedia, SNMP

Page 240: ISCW Module 5

SNMP Managed Network


Page 241: ISCW Module 5

SNMPv1 and SNMPv2 Architecture

SNMP asks agents embedded in network devices for information, or tells the agents to do something.

Page 242: ISCW Module 5

SNMP Actions

• The SNMP protocol (in version 1) specifies five core PDUs:
1. GET REQUEST: used to retrieve a piece of management information.
2. GETNEXT REQUEST: used iteratively to retrieve sequences of management information.
3. GET RESPONSE: the agent responds with data to get and set requests from the manager.
4. SET REQUEST: used to initialise or change a value on the network element.
5. TRAP: used to report an alert or other asynchronous event about a managed subsystem.

In SNMPv1, asynchronous event reports are called traps, while they are called notifications in later versions of SNMP.

Page 243: ISCW Module 5

SNMP Actions

• Other PDUs were added in later versions, including:
GETBULK REQUEST: a faster iterator used to retrieve sequences of management information.
INFORM: an acknowledged trap.
• Typically, SNMP uses UDP port 161 for the agent and UDP port 162 for the manager. The manager may send requests from any available port (source port) to port 161 on the agent (destination port).
• The agent response is sent back to that source port. The manager receives traps on port 162.
• The agent may generate traps from any available port.

Page 244: ISCW Module 5

Community Strings

• SNMPv1 and SNMPv2 use a community string to access router SNMP agents.
• SNMP community strings act like passwords.
• An SNMP community string is a text string used to authenticate messages between a management station and an SNMP engine.
• If the manager sends one of the correct read-only community strings, the manager can get information but NOT set information in an agent.
• If the manager uses one of the correct read-write community strings, the manager can get or set information in the agent.

Page 245: ISCW Module 5

Community Strings

• In effect, having read-write access is equivalent to having the enable password: a read-write community can be used to change the running configuration, for example to have the router fetch a new configuration over TFTP.
• SNMP agents accept commands and requests only from SNMP systems that use the correct community string.
• By default, most SNMP systems use a community string of “public”.
• If the router SNMP agent is configured to use this commonly known community string, anyone with an SNMP system is able to read the router MIB.
• Router MIB variables can point to entities such as routing tables and other security-critical components of a router configuration, so it is very important that custom SNMP community strings are created. Remember that in SNMPv1 and SNMPv2c the community string is sent in cleartext in every packet, so a custom string protects only against guessing, not against anyone who can sniff the management traffic.

Page 246: ISCW Module 5

SNMP Security Models and Levels

Model  Level         Authentication    Encryption  What happens
v1     noAuthNoPriv  Community string  No          Authenticates with a community string match
v2c    noAuthNoPriv  Community string  No          Authenticates with a community string match
v3     noAuthNoPriv  Username          No          Authenticates with a username
v3     authNoPriv    MD5 or SHA        No          Provides HMAC-MD5 or HMAC-SHA algorithms for authentication
v3     authPriv      MD5 or SHA        DES         Provides HMAC-MD5 or HMAC-SHA algorithms for authentication, and 56-bit CBC-DES (DES-56) encryption in addition to authentication

Definitions:
• Security model: a security strategy used by the SNMP agent.
• Security level: the permitted level of security within a security model.

Page 247: ISCW Module 5

SNMPv3 Operational Model


Page 248: ISCW Module 5

SNMPv3 Operational Model

• The concepts of separate SNMP agents and SNMP managers do not apply in SNMPv3.
• SNMPv3 combines these concepts into single SNMP entities.
• Each managed node and the network management system (NMS) is a single entity.
• There are two types of entities, each containing different applications:
Managed node SNMP entities: the managed node SNMP entity includes an SNMP agent and an SNMP MIB. The agent implements the SNMP protocol and allows a managed node to provide information to the NMS and accept instructions from the NMS. The MIB defines the information that can be collected and used to control the managed node. Information that is exchanged using SNMP takes the form of objects from the MIB.
SNMP NMS entities: the SNMP entity on an NMS includes an SNMP manager and SNMP applications. The manager implements the SNMP protocol, collects information from managed nodes and sends instructions to the nodes. The SNMP applications are software applications used to manage the network.

Page 249: ISCW Module 5

SNMPv3 Features and Benefits

Features:
– Message integrity: ensures that a packet has not been tampered with in transit
– Authentication: determines that the message is from a valid source
– Encryption: scrambles the contents of a packet to prevent the packet from being read by an unauthorised party

Benefits:
– Data can be collected securely from SNMP devices without fear of the data being tampered with or corrupted
– Confidential information, such as SNMP Set command packets that change a router configuration, can be encrypted to prevent the contents from being exposed on the network

It is strongly recommended that all network management systems use SNMPv3 rather than SNMPv1 or SNMPv2.

Page 250: ISCW Module 5

Configuring an SNMP Managed Node

• These are the four configuration tasks used to set up SNMPv3 communications on a Cisco IOS router:
1. Configure the SNMP-server engine ID to identify the device for administrative purposes
2. Configure the SNMP-server group names for grouping SNMP users
3. Configure the SNMP-server users to define usernames that reside on hosts that connect to the local agent
4. Configure the SNMP-server hosts to specify the recipient of a notification operation (trap or inform)

Page 251: ISCW Module 5

Configuring the SNMP-Server Engine ID (1)

• To configure a name for either the local or the remote SNMP engine on the router, use the snmp-server engineID global configuration command.
• The SNMP engine ID is a unique string used to identify the device for administration purposes.
An engine ID is not required for the device, because a default string is generated using the Cisco enterprise number (1.3.6.1.4.1.9) and the MAC address of the first interface on the device.
• If an individualised ID is required, do not specify the entire 24-character engine ID if the ID contains trailing zeros.
Specify only the portion of the engine ID up to the point at which only zeros remain in the value. This portion must be 10 hexadecimal characters or more. For example, to configure an engine ID of 123400000000000000000000, specify snmp-server engineID local 1234000000.

Page 252: ISCW Module 5

Configuring the SNMP-Server Engine ID (1)

• A remote engine ID must be created when an SNMPv3 inform is configured.
• The remote engine ID is used to compute the security digest for authenticating and encrypting packets that are sent to a user on the remote host.
Informs are acknowledged traps. The agent sends an inform to the manager. When the manager receives the inform, the manager sends a response to the agent. Thus, the agent knows that the inform reached the intended destination.

Page 253: ISCW Module 5

Configuring the SNMP-Server Group Names (2)

• To configure a new SNMP group, or a table that maps SNMP users to SNMP views, use the snmp-server group global configuration command.
This command groups SNMP users that reside on hosts that connect to the local SNMP agent.
• An SNMP view is a mapping between SNMP objects and the access rights that are available for those objects.
An object can have different access rights in each view.
Access rights indicate whether the object is accessible by either a community string or a user.

Page 254: ISCW Module 5

Configuring the SNMP-Server Group Names (2)

Router(config)#
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]

• Configures a new SNMP group, or a table that maps SNMP users to SNMP views

PR1(config)# snmp-server group johngroup v3 auth
PR1(config)# snmp-server group billgroup v3 auth priv

• The first example defines a group johngroup for SNMPv3 using authentication but not privacy (encryption).
• The second example defines a group billgroup for SNMPv3 using both authentication and privacy.

Page 255: ISCW Module 5

Configuring the SNMP-Server Users (3)

• To add a new user to an SNMP group, use the snmp-server user global configuration command.
• To configure a user that exists on a remote SNMP device, specify the IP address (and optionally the UDP port) of the remote SNMP device where the user resides.
• Also, before configuring remote users for that device, configure the SNMP engine ID using the snmp-server engineID command with the remote option.
• The SNMP engine ID of the remote device is needed to compute the authentication and privacy keys from the password.
If the remote engine ID is not configured first, the snmp-server user command will fail.
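The reason the engine ID has to exist before the user can be configured is the USM key derivation defined in RFC 3414: the password is first hashed into an intermediate key Ku, and Ku is then "localised" with the authoritative engine's snmpEngineID to produce the key Kul that the device actually stores and uses for HMAC and (for des56, its first 16 bytes) for privacy. The Python below is an added example (not Cisco code and not part of the original slides) that carries out that derivation with hashlib and checks it against the test vector in Appendix A of RFC 3414 (password "maplesyrup", engine ID 00…02). The second engine ID used in the main block is constructed only to show that the same password yields a different localised key on a different engine.

```python
"""RFC 3414 password-to-key and key localisation for SNMPv3 USM
(added example, not Cisco code). Shows why the authoritative engine ID
must be known before a user's authentication and privacy keys exist."""
import hashlib

ONE_MIB = 1048576  # RFC 3414 A.2: hash exactly 1,048,576 bytes of the repeated password


def password_to_ku(password: str, hash_name: str) -> bytes:
    """Ku: digest of the password repeated cyclically to 1 MiB (RFC 3414 A.2.1 / A.2.2)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the engine-specific key an agent stores."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id_hex: str, hash_name: str = "md5") -> dict:
    """Derive Ku and the localised Kul for one authoritative engine (md5 or sha1)."""
    engine_id = bytes.fromhex(engine_id_hex)
    ku = password_to_ku(password, hash_name)
    kul = localize_key(ku, engine_id, hash_name)
    # For des56 privacy, the DES key and pre-IV are the first 16 bytes of the localised key.
    return {"ku": ku.hex(), "kul": kul.hex(), "des_key_and_preiv": kul[:16].hex()}


# RFC 3414 Appendix A test vector: password "maplesyrup", engineID 00...02.
RFC3414_ENGINE_ID = "000000000000000000000002"
# A second, constructed engine ID for comparison (not from the page).
OTHER_ENGINE_ID = "80000009030000b064efe100"

if __name__ == "__main__":
    k = usm_keys("maplesyrup", RFC3414_ENGINE_ID, "md5")
    print("MD5 Ku  =", k["ku"])
    print("MD5 Kul =", k["kul"])
    other = usm_keys("maplesyrup", OTHER_ENGINE_ID, "md5")
    # Same password, different engine: a different localised key. A localised
    # key lifted from one device does not work against another engine.
    print("other engine Kul =", other["kul"], "(differs:", other["kul"] != k["kul"], ")")
```

The practical consequence for the configuration on the page: when PR1 is told about user Bill on remote host 10.1.1.1, it must derive Kul using 10.1.1.1's engine ID, which is why snmp-server engineID remote must be entered first; and because the stored key is engine-specific, a compromised localised key on one router does not directly yield the key used on another, although the shared password does, so per-device passwords are still preferable.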

Page 256: ISCW Module 5

Configuring the SNMP-Server Users (3)

Router(config)#
snmp-server user username groupname [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} [access access-list]

• Adds a new user to an SNMP group

PR1(config)# snmp-server group johngroup v3 auth
PR1(config)# snmp-server group billgroup v3 auth priv
PR1(config)# snmp-server user John johngroup v3 auth md5 john2passwd
PR1(config)# snmp-server user Bill billgroup v3 auth md5 bill3passwd priv des56 password2

• The first user example defines a user John belonging to the group johngroup. Authentication uses the password john2passwd and no privacy (no encryption) is applied. The second example defines user Bill, belonging to the group billgroup, with the authentication password bill3passwd and privacy (DES-56 encryption) with the privacy password password2. Note that the priv keyword precedes des56 and that the privacy password is a separate argument, as shown in the syntax above.

Page 257: ISCW Module 5

Configuring the SNMP-Server Hosts (4)

• To specify the recipient of an SNMP notification operation, use the snmp-server host global configuration command.

snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]

• SNMP notifications can be sent as traps or inform requests.
Traps are unreliable because the receiver does not send acknowledgments when it receives traps; the sender cannot determine whether the traps were received.
• An SNMP entity that receives an inform request acknowledges the message with an SNMP response PDU.
Informs consume more computing resources in the agent and in the network.
• If no snmp-server host command is entered, no notifications are sent. To configure the router to send SNMP notifications, at least one snmp-server host command must be entered.
If the command is entered with no keywords, all trap types are enabled for the host.

Page 258: ISCW Module 5

Configuring the SNMP-Server Hosts (4)

• To be able to send an “inform”, perform these steps:
1. Configure a remote engine ID.
2. Configure a remote user.
3. Configure a group on the remote device.
4. Enable traps on the remote device.
5. Enable the SNMP manager.

Page 259: ISCW Module 5

Configuring the SNMP-Server Hosts (4)

Router(config)#
snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]

• Configures the recipient of an SNMP notification (trap or inform) operation

PR1(config)# snmp-server engineID remote 10.1.1.1 1234
PR1(config)# snmp-server user bill billgroup remote 10.1.1.1 v3
PR1(config)# snmp-server group billgroup v3 noauth
PR1(config)# snmp-server enable traps
PR1(config)# snmp-server host 10.1.1.1 informs version 3 noauth bill
PR1(config)# snmp-server manager

• The example shows how to send configuration informs to the remote host 10.1.1.1. The remote engine ID is entered first, then the remote user, then the group; the informs are sent with SNMPv3 at the noauth level, so they are neither authenticated nor encrypted. For a production deployment use a group and user at the auth or, preferably, priv level instead.

Page 260: ISCW Module 5

SNMP – Types of Traps

Trap    Description
bgp     Sends Border Gateway Protocol (BGP) state change traps.
config  Sends configuration traps.
hsrp    Sends Hot Standby Router Protocol (HSRP) notifications.
sdlc    Sends Synchronous Data Link Control (SDLC) traps.
snmp    Sends SNMP traps defined in RFC 1157.
syslog  Sends error message traps (Cisco Syslog MIB). Specify the level of messages to be sent with the logging history level command.
tty     Sends Cisco enterprise-specific traps when a TCP connection closes.
x25     Sends X.25 event traps.

Page 261: ISCW Module 5

SNMPv3 Configuration

• The next slide shows how to configure Cisco IOS routers for SNMPv3.
• The router Trap_sender is configured to send traps to the NMS host with the IP address 172.16.1.1. The traps are authenticated and encrypted using the credentials that are configured for the local user snmpuser, who belongs to the group snmpgroup. The Trap_sender router sends traps that are related to CPU, configuration, and SNMP. The trap packets are sourced from the router loopback 0 interface.
• The router Walked_device is configured so that the NMS host can read the MIBs on the local device. The NMS server needs to use the username credentials that are configured on the Walked_device (snmpuser with the respective authentication and encryption passwords) to gain access to the SNMP information of the router.

Page 262: ISCW Module 5

SNMPv3 Configuration Example

Trap_sender(config)# snmp-server group snmpgroup v3 auth
Trap_sender(config)# snmp-server group snmpgroup v3 priv
Trap_sender(config)# snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword
Trap_sender(config)# snmp-server enable traps cpu
Trap_sender(config)# snmp-server enable traps config
Trap_sender(config)# snmp-server enable traps snmp
Trap_sender(config)# snmp-server host 172.16.1.1 traps version 3 priv snmpuser
Trap_sender(config)# snmp-server source-interface traps loopback 0

Walked_device(config)# snmp-server group snmpgroup v3 auth
Walked_device(config)# snmp-server group snmpgroup v3 priv
Walked_device(config)# snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword

Page 263: ISCW Module 5

Configuring the NTP Client


Lesson 10 – Module 5 – ‘Cisco Device Hardening’


Page 265: ISCW Module 5

Objectives

• At the completion of this tenth lesson, you will be able to:
Explain how a router maintains an accurate time
Describe NTP and how it is configured
Configure NTP on a router as a server and as a client
Associate with NTP servers

Page 266: ISCW Module 5

Understanding NTP

“Time has been invented in the universe so that everything would not happen at once.” ‘The NTP FAQ and HOWTO’, http://www.ntp.org/ntpfaq/

• Many features in a computer network depend on time synchronisation, such as accurate time information in syslog messages, certificate-based authentication in VPNs, ACLs with time range configuration, and key rollover in routing protocol authentication (EIGRP and RIP).
• Most Cisco routers have two clocks: a battery-powered system calendar in the hardware and a software-based system clock.
• These two clocks are managed separately.

Page 267: ISCW Module 5

System Clock

• The heart of the router time service is the software-based system clock.
• This clock starts to keep track of time from the moment the system starts.
• The system clock can be set from a number of sources and can be used to distribute the current time through various mechanisms to other systems.
• When a router with a system calendar is initialised or rebooted, the system clock is set based on the time in the internal battery-powered system calendar.
• The system clock can then be set manually or by using the Network Time Protocol (NTP), an Internet protocol used to synchronise the clocks of network-connected devices to some time reference.
NTP is an Internet standard protocol; the version current when this material was written is NTPv3, specified in RFC 1305 (NTPv4, RFC 5905, has since superseded it).

Page 268: ISCW Module 5

UTC - GMT

• UTC (Temps Universel Coordonné or, in English, Coordinated Universal Time) is an official standard for the current time.

• UTC evolved from the former GMT (Greenwich Mean Time) that was previously used to accurately set the clocks on sailing ships before they left London for a long journey (very important to determine longitude and avoid navigational embarrassment…..)

• Later GMT was adopted as the world's standard time. It has now been replaced by UTC.

  One of the reasons that GMT has been replaced as official standard time was the fact that it was based on the mean solar time. Newer methods of time measurement showed that the mean solar time varied appreciably.

• The main components of UTC:

  Universal means that the time can be used everywhere in the world. It is independent from time zones (i.e. it's not local time). To convert UTC to local time, add or subtract the local time zone offset.

  Coordinated means that several institutions contribute their estimate of the current time, and UTC is built by combining these estimates.

  The UTC second has been defined by the 13th General Conference of Weights and Measures in 1967 as "The second is the duration of 9,192,631,770 periods of the radiation corresponding to the transition between the two hyperfine levels of the ground state of the cesium-133 atom."

Page 269: ISCW Module 5

Authoritative Time

• In a router, the system clock keeps track of time internally based on UTC (which, despite the comment in the curriculum, is not technically the same as GMT…….)

• Information can be configured about the local time zone and daylight savings time so that the time appears correctly relative to the local time zone

• The system clock keeps track of whether the time is “authoritative” or not (that is, whether the time has been set by a time source that is considered to be “authoritative”)

• If the time is NOT considered authoritative, the time is available only for display purposes and is not redistributed within the network

Page 270: ISCW Module 5

NTP

• NTP is a protocol designed to time-synchronise a network of machines. NTP runs over UDP, which in turn runs over IP

• An NTP network usually obtains the time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronise two machines to within 1 ms of one another

  As of early 2007, NTP v4 has not completed IETF standardisation. RFC 1305 documents NTP v3

  Cisco devices support only RFC specifications of NTPv3

• NTP uses the concept of a “stratum” to describe how many NTP “hops” away a machine is from an authoritative time source

• A “stratum 1” time server typically has a radio or atomic clock directly attached to the server; a “stratum 2” time server receives the time via NTP from a “stratum 1” time server, and so on.

  A machine that runs NTP automatically chooses the machine with the lowest stratum number to communicate with via NTP as the machine's time source

  This strategy effectively builds a self-organising tree of NTP speakers

Page 271: ISCW Module 5

NTP

• NTP is careful to avoid synchronising to a machine whose time may not be accurate. NTP avoids doing so in two ways:

  1. NTP never synchronises to a machine that is not synchronised itself

  2. NTP compares the time that is reported by several machines and does not synchronise to a machine whose time is significantly different than the others, even if the machine's stratum number is lower

• The communications (known as “associations”) between machines that run NTP are usually statically configured; each machine is given the IP address of all machines with which the machine should form associations

• Accurate timekeeping is possible by exchanging NTP messages between each pair of machines with an association

• In a LAN environment, NTP can be configured to use IP broadcast messages instead

  • This alternative reduces configuration complexity because each machine can be configured to send or receive broadcast messages.

  • However, the accuracy of timekeeping is marginally reduced because the information flow is one-way only

Page 272: ISCW Module 5

NTP Security

• The time that a machine keeps is a critical resource, so the security features of NTP should be used to avoid the accidental or malicious setting of incorrect time

• Two mechanisms are available:

  1. an ACL-based restriction scheme

  2. an encrypted authentication mechanism.

• Time service for a network should be derived from the public NTP servers that are available on the Internet

  • If the network is isolated from the Internet, the Cisco implementation of NTP allows a machine to be configured so that the machine acts as though the machine is synchronised via NTP when in fact the machine has determined the time using other means.

  • Other machines then synchronise to that machine via NTP

Page 273: ISCW Module 5

NTP Association

• When multiple sources of time (eg, manual configuration) are available, NTP is always considered to be more authoritative

• NTP time overrides the time set by any other method

• An NTP association can be a peer association (this system is willing to either synchronise to the other system or to allow the other system to synchronise to it), or the association can be a server association (only this system will synchronise to the other system, and not vice versa)

Page 274: ISCW Module 5

NTP Basic Features - Overview

• A collected overview of NTP features:

  NTP needs some reference clock that defines the true time to operate. All clocks are set towards that true time. (It will not just make all systems agree on some time, but will make them agree upon the true time as defined by some standard)

  NTP uses UTC as reference time (NOT GMT…..)

  NTP is a fault-tolerant protocol that will automatically select the best of several available time sources to synchronise to. Multiple candidates can be combined to minimise the accumulated error. Temporarily or permanently insane time sources will be detected and avoided

  NTP is highly scalable. A synchronisation network may consist of several reference clocks. Each node of such a network can exchange time information either bidirectionally or unidirectionally. Propagating time from one node to another forms a hierarchical graph with reference clocks at the top

  Having several time sources available, NTP can select the best candidates to build its estimate of the current time. The protocol is highly accurate, using a resolution of less than a nanosecond (about 2^-32 seconds)

  Even when a network connection is temporarily unavailable, NTP can use measurements from the past to estimate current time and error

  For formal reasons NTP will also maintain estimates for the accuracy of the local time

Page 275: ISCW Module 5

Configuring NTP Authentication

• NTP services are enabled on all interfaces by default.

  To disable NTP on a specific interface, use the ntp disable command in interface configuration mode.

• To authenticate the associations with other systems for security purposes, use the commands in the “NTP Authentication Commands” table (see next slide)

Page 276: ISCW Module 5

NTP Authentication Commands

Command: ntp authenticate
Description: Enables the NTP authentication feature. If this command is specified, the system will not synchronise to a system unless the system's NTP messages carry one of the authentication keys that you specify in the ntp trusted-key global configuration command.

Command: ntp authentication-key number md5 value
Description: Defines an authentication key. Message authentication support is provided using the MD5 algorithm. The key type md5 is currently the only key type that this command supports. The key value can be any arbitrary string of up to eight characters.

Command: ntp trusted-key key-number
Description: Defines trusted authentication keys.

The first command enables the NTP authentication feature. The second command defines each of the authentication keys. Each key has a key number, a type, and a value. Currently the only key type supported is md5. Finally, a list of trusted authentication keys is defined. If a key is trusted, this system is ready to synchronise to a system that uses this key in the system's NTP packets
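The two-step rule in the table (a key must be defined with ntp authentication-key and also listed under ntp trusted-key before it counts) can be seen at packet level. The following is an added Python example, not code from the course or from Cisco IOS: it builds an NTPv3 client header, appends the keyed MD5 MAC that NTPv3 implementations use (MD5 over the key followed by the 48-byte header, as RFC 5905 also specifies), and checks it the way a router with ntp authenticate configured would. The key ids and key values are constructed.

```python
"""Added example (not from the ISCW slides): NTPv3 MD5 packet authentication.

The MAC appended to a packet is a 32-bit key id followed by MD5(key || 48-byte
header). A receiver with 'ntp authenticate' accepts the packet only if that key
id is defined (ntp authentication-key) AND trusted (ntp trusted-key) and the
digest verifies; this is what the two IOS commands on the slide express.
"""
import hashlib
import hmac
import struct
import time

HEADER_LEN = 48                 # fixed NTP header
MAC_LEN = 4 + 16                # key id + MD5 digest
NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01


def build_ntp_header(version=3, mode=3, stratum=0, transmit_time=None):
    """48-byte NTP header with LI=0; mode 3 = client, 4 = server.

    Only the transmit timestamp is filled in (seconds since 1900, 32.32 fixed
    point); poll is 6 (64 s), precision -20, everything else zero.
    """
    li_vn_mode = (0 << 6) | (version << 3) | mode
    tx = (time.time() if transmit_time is None else transmit_time) + NTP_EPOCH_OFFSET
    tx_sec = int(tx)
    tx_frac = int((tx - tx_sec) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!BBbb11I", li_vn_mode, stratum, 6, -20,
                       0, 0, 0, 0, 0, 0, 0, 0, 0, tx_sec, tx_frac)


def parse_ntp_header(header):
    """The fields a client looks at when choosing a source (version, mode, stratum)."""
    li_vn_mode, stratum = struct.unpack("!BB", header[:2])
    return {"leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 0x7,
            "mode": li_vn_mode & 0x7, "stratum": stratum}


def sign_packet(header, key_id, keys):
    """Sender side: append key id and MD5 over key || header."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet, keys, trusted_keys):
    """Receiver side with 'ntp authenticate' in force. Returns (accepted, reason).

    keys: {key_id: key_bytes} as defined with 'ntp authentication-key'
    trusted_keys: set of key ids listed with 'ntp trusted-key'
    """
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "no MAC present: unauthenticated packet rejected"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False, f"key {key_id} is not defined on this router"
    if key_id not in trusted_keys:
        return False, f"key {key_id} is defined but not trusted"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "MD5 digest mismatch: packet altered or wrong key"
    return True, f"authenticated with trusted key {key_id}"


# Constructed receiver state mirroring the slide: key 1 is defined and trusted,
# key 2 is only defined (there is no 'ntp trusted-key 2').
KEYS = {1: b"NeVeRgUeSs", 2: b"secretclient"}
TRUSTED = {1}


def demo():
    """Four packets a receiver may see; returns {case: (accepted, reason)}."""
    header = build_ntp_header(stratum=2, transmit_time=1_700_000_000)
    good = sign_packet(header, 1, KEYS)
    untrusted = sign_packet(header, 2, KEYS)
    # stratum byte altered after signing: the digest no longer matches
    tampered = good[:1] + bytes([good[1] ^ 0x01]) + good[2:]
    return {
        "unsigned": verify_packet(header, KEYS, TRUSTED),
        "good": verify_packet(good, KEYS, TRUSTED),
        "untrusted": verify_packet(untrusted, KEYS, TRUSTED),
        "tampered": verify_packet(tampered, KEYS, TRUSTED),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:10s} accepted={ok!s:5s} {why}")
```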

Page 277: ISCW Module 5

Configuring NTP Authentication

Router(config)#
ntp authenticate
  • Enables the authentication feature

Router(config)#
ntp authentication-key number md5 value
  • Defines the authentication keys
  • Used for both peer and server associations

Router(config)#
ntp trusted-key key-number
  • Defines the trusted authentication keys
  • Required to synchronise to a system (server association)

R1(config)#ntp authenticate
R1(config)#ntp authentication-key 1 md5 NeVeRgUeSs
R1(config)#ntp trusted-key 1

Page 278: ISCW Module 5

Configuring NTP Associations

• To configure a router as an NTP client, either create an association to a server or configure the router to listen to NTP broadcast packets.

  ntp server: Although the router can be configured with either a peer or a server association, NTP clients are typically configured with a server association (meaning that only this system will synchronise to the other system, and not vice versa).

  To allow the software clock to be synchronised by an NTP time server, use the ntp server command in global configuration mode.

• ntp broadcast client: In addition to or instead of creating unicast NTP associations, the system can be configured to listen to broadcast packets on an interface-by-interface basis

  To do this, use the ntp broadcast client command in interface configuration mode

Page 279: ISCW Module 5

Configuring NTP Associations

Router(config)#
ntp server {ip-address | hostname} [version number] [key keyid] [source interface] [prefer]
  • Forms a server association with another system

Router(config-if)#
ntp broadcast client
  • Receives NTP broadcast packets

R1(config)#ntp server 10.1.1.1 key 1
R1(config)#ntp server 10.2.2.2 key 2 prefer
R1(config)#interface Fastethernet 0/1
R1(config-if)#ntp broadcast client

Page 280: ISCW Module 5

Configuring Additional NTP Options

• To control access to NTP services, in addition to packet authentication, an NTP access group can be created and a basic IP ACL applied to it

• To control access to NTP services, use the ntp access-group command in global configuration mode

• The access group options are scanned in the following order, from least restrictive to most restrictive:

  1. peer: Allows time requests and NTP control queries and allows the system to synchronise itself to a system whose address passes the ACL criteria. This option is used in scenarios where either the local or the remote system can become the NTP source

  2. serve: Allows time requests and NTP control queries but does not allow the system to synchronise itself to a system whose address passes the ACL criteria. This option lets you filter IP addresses of systems that can become clients of the local system, and from which NTP control queries will be permitted

  3. serve-only: Allows only time requests from a system whose address passes the ACL criteria. This option lets you filter IP addresses of systems that can become clients of the local system, and from which NTP control queries will be denied

  4. query-only: Allows only NTP control queries from a system whose address passes the ACL criteria

Page 281: ISCW Module 5

Configuring Additional NTP Options

• If the source IP address matches the ACLs for more than one access type, the first access type that is listed is granted. If no access groups are specified, all access types are granted to all systems. If any access groups are specified, only the specified access types are granted

• When the system sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source command in global configuration mode to configure a specific interface from which the IP source address will be taken

• ntp source interface

  This interface is used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source parameter on the ntp peer or ntp server command

Page 282: ISCW Module 5

Implementing the NTP Server

• Cisco IOS routers work as an NTP server by default.

• As soon as a router is synchronised to an authoritative time source, the router allows peers lower in the stratum hierarchy to synchronise to that router:

  Requires a peer association

• You can make a router an authoritative NTP server, even if the system is not synchronised to an outside time source.

• Two options to establish a peer association:

  1. Unicast
  2. Broadcast

• Same exchange control methods as those used with a client:

  Packet authentication
  Access group filtering

Page 283: ISCW Module 5

Configuring the NTP Server

Router(config)#
ntp peer ip-address [normal-sync] [version number] [key keyid] [source interface] [prefer]
  • Forms a peer association with another system

Router(config)#
ntp master [stratum]
  • Makes the system an authoritative NTP server

Router(config-if)#
ntp broadcast [version number] [destination address] [key keyid]
  • Configures an interface to send NTP broadcast packets

R2(config)#ntp peer 10.1.1.1 key 1
R2(config)#ntp master 3
R2(config)#interface Fastethernet0/0
R2(config-if)#ntp broadcast

Page 284: ISCW Module 5

NTP Configuration Example

Source(config)#ntp master 5
Source(config)#ntp authentication-key 1 md5 secretsource
Source(config)#ntp peer 172.16.0.2 key 1
Source(config)#ntp source loopback 0

Intermediate(config)#ntp authentication-key 1 md5 secretsource
Intermediate(config)#ntp authentication-key 2 md5 secretclient
Intermediate(config)#ntp trusted-key 1
Intermediate(config)#ntp server 172.16.0.1
Intermediate(config)#ntp source loopback 0
Intermediate(config)#interface Fastethernet0/0
Intermediate(config-if)#ntp broadcast

Client(config)#ntp authentication-key 1 md5 secretclient
Client(config)#ntp trusted-key 1
Client(config)#interface Fastethernet0/1
Client(config-if)#ntp broadcast client
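To see how the hardening points from the 'NTP Security', 'Configuring Additional NTP Options' and this example slide fit together, here is an added Python example (not part of the course material) that audits the NTP statements of a running-config and evaluates which ntp access-group type a source address is granted. The Source and Intermediate configs are the ones above; the access-list and ntp access-group lines on Intermediate are an assumed addition for the evaluation.

```python
"""Added example (not from the ISCW slides): audit the NTP statements of an IOS
running-config against this lesson's hardening points, and evaluate the
ntp access-group type a source address is granted."""
import ipaddress
import re

# Constructed sample: the Source and Intermediate configs from the slide (the
# ntp source lines omitted). The access-list and ntp access-group lines on
# Intermediate are an assumed addition so the access evaluation has input.
CONFIGS = {
    "Source": """
ntp master 5
ntp authentication-key 1 md5 secretsource
ntp peer 172.16.0.2 key 1
""",
    "Intermediate": """
ntp authentication-key 1 md5 secretsource
ntp authentication-key 2 md5 secretclient
ntp trusted-key 1
ntp server 172.16.0.1
interface Fastethernet0/0
 ntp broadcast
access-list 10 permit host 172.16.0.1
access-list 20 permit 172.16.1.0 0.0.0.255
ntp access-group peer 10
ntp access-group serve-only 20
""",
}
# Scan order from the slide, least restrictive first; first permitting ACL wins.
ACCESS_ORDER = ("peer", "serve", "serve-only", "query-only")


def parse_ntp(config):
    """Collect NTP statements and standard ACL entries from running-config text."""
    info = {"authenticate": False, "keys": {}, "trusted": set(), "assoc": [],
            "broadcast": [], "access": {}, "acls": {}}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            iface = m[1]                      # context for interface-mode ntp commands
        elif line == "ntp authenticate":
            info["authenticate"] = True
        elif m := re.match(r"ntp authentication-key (\d+) md5 (\S+)", line):
            info["keys"][int(m[1])] = m[2]
        elif m := re.match(r"ntp trusted-key (\d+)", line):
            info["trusted"].add(int(m[1]))
        elif m := re.match(r"ntp (server|peer) (\S+)(?:.* key (\d+))?", line):
            info["assoc"].append((m[1], m[2], int(m[3]) if m[3] else None))
        elif m := re.match(r"ntp broadcast(?: .*key (\d+))?$", line):
            info["broadcast"].append((iface, int(m[1]) if m[1] else None))
        elif m := re.match(r"ntp access-group (peer|serve-only|serve|query-only) (\d+)", line):
            info["access"][m[1]] = int(m[2])
        elif m := re.match(r"access-list (\d+) (permit|deny) (.+)", line):
            info["acls"].setdefault(int(m[1]), []).append((m[2], m[3].split()))
    return info


def acl_permits(entries, ip):
    """Standard ACL: first matching entry decides, implicit deny at the end."""
    addr = int(ipaddress.IPv4Address(ip))
    for action, words in entries:
        if words[0] == "any":
            hit = True
        elif words[0] == "host":
            hit = addr == int(ipaddress.IPv4Address(words[1]))
        else:  # network + wildcard mask: bits set in the wildcard are ignored
            net, wild = (int(ipaddress.IPv4Address(w)) for w in words[:2])
            hit = (addr | wild) == (net | wild)
        if hit:
            return action == "permit"
    return False


def ntp_access(info, ip):
    """Access type granted to a source address under the slide's scan rule."""
    if not info["access"]:
        return "all"  # no access groups configured: every access type is granted
    for kind in ACCESS_ORDER:
        acl = info["access"].get(kind)
        if acl is not None and acl_permits(info["acls"].get(acl, []), ip):
            return kind
    return "none"


def audit_ntp(info):
    """Findings as (code, detail) pairs against the lesson's hardening points."""
    findings = []
    if not info["authenticate"]:
        findings.append(("no-authenticate", "'ntp authenticate' absent: keys are not enforced"))
    for kind, target, key_id in info["assoc"]:
        if key_id is None:
            findings.append(("assoc-no-key", f"ntp {kind} {target} carries no key"))
        elif key_id not in info["trusted"]:
            findings.append(("assoc-untrusted-key", f"ntp {kind} {target}: key {key_id} is not trusted"))
    for iface, key_id in info["broadcast"]:
        if key_id is None:
            findings.append(("broadcast-no-key", f"ntp broadcast on {iface} is unauthenticated"))
    if not info["access"]:
        findings.append(("no-access-group", "no ntp access-group: any host may query or synchronise"))
    return findings
```

Running audit_ntp over both configs reports that neither router has ntp authenticate, that the Intermediate server association and broadcast carry no key, and that Source has no access group; ntp_access shows 172.16.0.1 granted peer and hosts in 172.16.1.0/24 granted serve-only on Intermediate.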

Page 285: ISCW Module 5

Configuring AAA on Cisco Routers

Lesson 11 – Module 5 – ‘Cisco Device Hardening’

Page 286: ISCW Module 5

Module Introduction

• The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people.

• Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.

• Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

Page 287: ISCW Module 5

Objectives

• At the completion of this eleventh lesson, you will be able to:

  Describe what is meant by the term ‘triple A’

  Explain how and why AAA should be used to secure router and switch access

  Configure AAA using the IOS CLI and SDM

  Describe the use of external AAA servers, including a brief overview of CSACS

Page 288: ISCW Module 5

Authentication, Authorisation & Accounting

• It is strongly recommended that network and administrative access security in the Cisco environment is based on a modular architecture that has three functional components:

  1. authentication,

  2. authorisation, and

  3. accounting

  also known as AAA

• These AAA services provide a higher degree of scalability than line-level and privileged-EXEC authentication to networking components

• Unauthorised access in campus, dialup, and Internet environments creates the potential for network intruders to gain access to sensitive network equipment, services and data

• Using a Cisco AAA architecture enables consistent, systematic and scalable access security

Page 289: ISCW Module 5

The Three Components of AAA

• Authentication

  Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption

• Authorisation

  Provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet

• Accounting

  Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes

Page 290: ISCW Module 5

Authentication

• Authentication is the way a user is identified prior to being allowed access to the network and network services

• AAA authentication is configured by defining a named list of authentication methods, and then applying that list to various interfaces

• The method list defines the types of authentication to be performed and the sequence in which they will be performed; it MUST be applied to a specific interface before any of the defined authentication methods will be performed

  The only exception is the default method list (“default”). The default method list is automatically applied to all interfaces if no other method list is defined. A defined method list overrides the default method list.

• All authentication methods, except for local, line password, and enable authentication, MUST be defined through AAA

Page 291: ISCW Module 5

Authorisation

• Authorisation provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet

• AAA authorisation works by assembling a set of attributes that describe what the user is authorised to perform

• These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions

  The database can be located locally on the access server or router, or it can be hosted remotely on a RADIUS or TACACS+ security server

• As with authentication, AAA authorisation is configured by defining a named list of authorisation methods, and then applying that list to various interfaces

Page 292: ISCW Module 5

Accounting

• Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting - user identities, start and stop times, executed commands, number of packets, and number of bytes

• Accounting enables tracking of the services users are accessing as well as the amount of network resources they are consuming

• With AAA accounting activated, the NAS reports user activity to the RADIUS or TACACS+ security server in the form of accounting records

• Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analysed for network management, client billing, and/or auditing

• All accounting methods must be defined through AAA. Accounting is configured by defining a named list of accounting methods, and then applying that list to various interfaces

Page 293: ISCW Module 5

Access Control

• In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer security functions

• If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server

• Although AAA is the primary (and recommended) method for access control, Cisco IOS software provides additional features for simple access control that are outside the scope of AAA, such as local username authentication, line password authentication, and enable password authentication. However, these features do not provide the same degree of access control that is possible by using AAA

Page 294: ISCW Module 5

Implementing AAA

• Cisco provides three ways of implementing AAA services for Cisco routers, network access servers (NAS), and switch equipment:

  1. Self-contained AAA: AAA services can be self-contained in the router or NAS itself (also known as local authentication)

  2. Cisco Secure ACS for Windows Server: AAA services on the router or NAS contact an external Cisco Secure Access Control Server (ACS) for Windows system for user and administrator authentication

  3. Cisco Secure ACS Solution Engine: AAA services on the router or NAS contact an external Cisco Secure ACS Solution Engine for user and administrator authentication

• There are also open source AAA servers available that work in conjunction with Cisco IOS devices

Page 295: ISCW Module 5

Implementing AAA

Administrative access: Console, Telnet, and AUX access
Remote user network access: Dialup or VPN access

Page 296: ISCW Module 5

Router Access Modes

• All of the AAA commands (except aaa accounting system) apply to either character mode or packet mode. (The mode refers to the format of the packets that request AAA)

  If the query is presented as Service-Type = Exec-User, the query is presented in character mode

  If the request is presented as Service-Type = Framed-User and Framed-Type = PPP, the request is presented in packet mode.

• Character mode allows a network administrator with a large number of routers in a network to authenticate one time as the user, and then access all routers that are configured in this method

• Primary applications for the Cisco Secure ACS include securing dialup access to a network and securing the management of routers within a network. Both applications have unique AAA requirements.

• With CSACS, a variety of authentication methods can be chosen, each providing a set of authorisation privileges. Router ports must be secured using the Cisco IOS software and a CSACS server

Page 297: ISCW Module 5

Router Access Modes

Page 298: ISCW Module 5

AAA Protocols: RADIUS and TACACS+

Page 299: ISCW Module 5

AAA Protocols: RADIUS and TACACS+

• The best-known and most widely used types of AAA protocols are TACACS+ and RADIUS

• TACACS+ and RADIUS have different features that make them suitable for different situations

• RADIUS is maintained by a standard that was created by the IETF

• TACACS+ is a proprietary Cisco Systems technology that encrypts data

  TACACS+ runs over TCP - RADIUS runs over UDP

• TACACS+ provides many benefits for configuring Cisco devices to use AAA for management and terminal services. TACACS+ can control the authorisation level of users; RADIUS cannot

  Because TACACS+ separates authentication and authorisation, it is possible to use TACACS+ for authorisation and accounting, while using a different method for authentication, such as Kerberos

Page 300: ISCW Module 5

RADIUS Features

• RADIUS is an IETF standard protocol - RFC 2865

• Standard attributes can be augmented by proprietary attributes:

  Vendor-specific attribute 26 allows any TACACS+ attribute to be used over RADIUS

• Uses UDP on standard port numbers (1812 and 1813; CSACS uses 1645 and 1646 by default)

• It includes only two security features:

  1. Encryption of passwords (MD5 encryption)

  2. Authentication of packets (MD5 fingerprinting)

• Authorisation is only possible as part of authentication

Page 301: ISCW Module 5

RADIUS Authentication and Authorisation

The example shows how the RADIUS exchange starts once the NAS is in possession of the username and password

The ACS can reply with an Access-Accept message, or Access-Reject if authentication is not successful

Page 302: ISCW Module 5

RADIUS Messages

• There are four types of messages involved in a RADIUS authentication exchange:

  1. Access-Request: Contains AV pairs for the username, password (this is the only information that is encrypted by RADIUS), and additional information such as the NAS port

  2. Access-Challenge: Necessary for challenge-based authentication methods such as Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)

  3. Access-Accept: The positive answer if the user information is valid

  4. Access-Reject: Sent as a negative reply if the user information is invalid

Page 303: ISCW Module 5

RADIUS AV Pairs

• RADIUS messages contain zero or more AV-pairs, for example:

  1. User-Name

  2. User-Password (this is the only encrypted entity in RADIUS)

  3. CHAP-Password

  4. Service-Type

  5. Framed-IP-Address

• There are approximately 50 standards-based attributes (RFC 2865)

• RADIUS allows proprietary attributes

• Basic attributes are used for authentication purposes

• Most other attributes are used in the authorisation process

• Cisco has added several vendor-specific attributes on the server side. Cisco IOS devices will, by default, always use Cisco AV pairs, but Cisco devices can be configured to use only IETF attributes for standard compatibility

• Accounting information is sent within special RADIUS accounting messages
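The two RADIUS security features listed on the 'RADIUS Features' slide, password hiding and packet authentication, as an added Python example (not from the course material) of the Access-Request / Access-Accept exchange described on the last three slides, following RFC 2865. The shared secret, Request Authenticator and user database are constructed values.

```python
"""Added example (not from the ISCW slides): the two RADIUS security features
the lesson lists, shown in an Access-Request / Access-Accept exchange (RFC 2865).

1. Password hiding: User-Password is XORed, 16 bytes at a time, with
   MD5(secret || Request Authenticator) and then MD5(secret || previous block).
2. Packet authentication: the Response Authenticator is
   MD5(Code || ID || Length || Request Authenticator || Attributes || secret).
The shared secret, Request Authenticator and user database are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT, SERVICE_TYPE = 1, 2, 5, 6
SERVICE_TYPE_LOGIN_USER = 1     # a character-mode (EXEC) login

SECRET = b"Shared-Secret-1"     # constructed; shared by NAS and ACS
AUTHENTICATOR = bytes(range(16))  # constructed; a real NAS uses 16 random bytes
USERS = {b"admin": b"c0rrect-horse"}  # constructed ACS user database


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad with NULs to a 16-byte multiple, XOR with the MD5 stream."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """ACS side: regenerate the stream block by block and strip the padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ s for c, s in zip(block, stream))
        prev = block
    return out.rstrip(b"\0")


def attr(attr_type, value):
    """Type-Length-Value attribute; length covers the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attrs(packet):
    """Attributes start at offset 20, after code, id, length and authenticator."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, authenticator, username, password, secret, nas_port):
    """NAS side: User-Name travels in clear, only User-Password is hidden."""
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN_USER)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """ACS side: the Response Authenticator binds the reply to the request and the secret."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, request, secret):
    """NAS side: a reply with a wrong id, altered code or unknown secret is discarded."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def acs_decide(request, secret, users):
    """Toy ACS: reveal the password, check it, answer Accept or Reject."""
    attrs = parse_attrs(request)
    password = reveal_password(attrs[USER_PASSWORD], secret, request[4:20])
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    return build_response(code, request, secret)


def exchange(username, password, ident=7):
    """One round trip; returns (request, response, verified)."""
    request = build_access_request(ident, AUTHENTICATOR, username, password, SECRET, 3)
    response = acs_decide(request, SECRET, USERS)
    return request, response, verify_response(response, request, SECRET)
```

The username is visible in the request bytes while the password is not, and a rejected reply whose code byte is flipped to Access-Accept fails verify_response because the Response Authenticator no longer matches.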

Page 304: ISCW Module 5

TACACS+ Attributes and Features

• The TACACS+ protocol is much more flexible than the RADIUS communication. The TACACS+ protocol permits the TACACS+ server to use virtually arbitrary dialogs to collect enough information until a user is authenticated

• TACACS+ messages contain AV-pairs, such as:

  1. ACL

  2. ADDR

  3. CMD

  4. Interface-Config

  5. Priv-Lvl

  6. Route

• TACACS+ uses TCP on well-known port number 49

• TACACS+ establishes a dedicated TCP session for every AAA action

• Cisco Secure ACS can use one persistent TCP session for all actions

• Protocol security includes authentication and encryption of all TACACS+ datagrams

Page 305: ISCW Module 5

TACACS+ Authentication

The example shows how the TACACS+ exchange starts before the user is prompted for username and password.

The prompt text can be supplied by the TACACS+ server.

Page 306: ISCW Module 5

TACACS+ Network Authorisation

The example shows the process of network authorisation that starts after successful authentication.

Page 307: ISCW Module 5

TACACS+ Command Authorisation

The example illustrates the command authorisation process that starts again for every command that requires authorisation (based on command privilege level).

Page 308: ISCW Module 5

Configuring the AAA Server

• These are the first steps in configuring the network access server:

• Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.

• Specify the Cisco Secure ACS (if being used, or other server if not) that will provide AAA services for the network access server

• Configure the encryption key that will be used to encrypt the data transfer between the network access server and the Cisco Secure ACS

Page 309: ISCW Module 5

Configuring the AAA Server

TACACS+

RADIUS

Page 310: ISCW Module 5

AAA Configuration Commands

Command / Description

aaa new-model
    Enables AAA on the router. Prerequisite for all other AAA commands.

tacacs-server host ip-address single-connection
    Indicates the address of the Cisco Secure ACS server and specifies use of the TCP single-connection feature of Cisco Secure ACS. This feature improves performance by maintaining a single TCP connection for the life of the session between the network access server and the Cisco Secure ACS server, rather than opening and closing TCP connections for each session (the default).

tacacs-server key key
    Establishes the shared secret encryption key between the network access server and the Cisco Secure ACS server.

radius-server host ip-address
    Specifies a RADIUS AAA server.

radius-server key key
    Specifies an encryption key to be used with the RADIUS AAA server.

Page 311: ISCW Module 5

AAA Authentication Commands

Router(config)#
    aaa authentication login {default | list_name} group {group_name | tacacs+ | radius} [method2 [method3 [method4]]]

• Use this command to configure the authentication process

Router(config)# aaa authentication login default group tacacs+ local line

Page 312: ISCW Module 5

aaa authentication login Parameters

Parameter / Description

default
    This command creates a default that is automatically applied to all lines and interfaces, specifying the method or sequence of methods for authentication.

list-name
    This command creates a list, with a name of your choosing, that is applied explicitly to a line or interface using the method or methods specified. This defined list overrides the default when you apply the defined list to a specific line or interface.

group group-name
group radius
group tacacs+
    These methods specify the use of an AAA server. The group radius and group tacacs+ methods refer to previously defined RADIUS or TACACS+ servers. The group-name string allows the use of a predefined group of RADIUS or TACACS+ servers for authentication (created with the aaa group server radius or aaa group server tacacs+ command).

Page 313: ISCW Module 5

aaa authentication login Parameters (Cont.)

Parameter / Description

method2
method3
method4
    This command executes authentication methods in the order that the methods are listed. If an authentication method returns an error, such as a timeout, the Cisco IOS software attempts to execute the next method. If the authentication fails, access is denied. You can configure up to four methods for each operation. The method must be supported by the authentication operation that you specify. A general list of methods includes:

    - enable: Uses the enable password for authentication
    - group: Uses a server group
    - krb5: Uses Kerberos Version 5 for authentication
    - line: Uses the line password for authentication
    - local: Uses the local username and password database for authentication
    - local-case: Uses case-sensitive local username authentication
    - none: Uses no authentication

Page 314: ISCW Module 5

Configuring AAA Authentication Using TACACS+

Command / Description

aaa authentication login default group tacacs+ local
    The default login method is the TACACS+ server. If there is no response from the server, then use the local username and password database.

aaa authentication login my_list group tacacs+
    Used for character mode username and password challenge. A new list name, my_list, is defined, and the only method is TACACS+.

line con 0
    Enters console configuration mode.

login authentication my_list
    Configures the console line to use the AAA list name my_list, which has been previously defined to use only TACACS+.

line 1 48
login authentication my_list
    Configures lines 1 through 48 to use the AAA list name my_list, which has been previously defined to use only TACACS+.

line vty 0 4
    On lines vty 0 through 4, the default list is used, which in this case is the list defined by the aaa authentication login default group tacacs+ local command.

Page 315: ISCW Module 5

Character Mode Login Example

Router# show running-config
...
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login my_list group tacacs+
...
line con 0
line aux 0
line vty 0 4
 login authentication my_list

• Because the authentication list has not been specified for line con 0 and aux 0, the default option is used
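The method-list rules in the parameter table and the my_list example above can be checked mechanically. The following Python is an added example, not Cisco's code: it parses a constructed IOS-style config fragment, works out which list each line uses, replays the error-versus-failure rule, and flags lists that contain none or have no local fallback (the my_list case, where vty users cannot authenticate if the TACACS+ server is unreachable). The function names are this example's own.

```python
"""Added example, not from the slides: resolve each line's login method list, replay
the rule above (ERROR falls through, FAIL denies), flag weak lists. Config is constructed."""
import re
LOCAL_METHODS = ("local", "local-case", "line", "enable")  # answer without an AAA server
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication login my_list group tacacs+
aaa authentication login open none
line con 0
line aux 0
 login authentication open
line vty 0 4
 login authentication my_list
"""

def parse_login_lists(config):
    """Map list name -> ordered methods; 'group <name>' counts as one method."""
    return {m.group(1): re.findall(r"group \S+|\S+", m.group(2))
            for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M)}

def effective_lists(config):
    """Map each line block to its named list, or 'default' when none is applied."""
    result, current = {}, None
    for text in (raw.strip() for raw in config.splitlines()):
        if text.startswith("line "):
            current = text[5:]
            result[current] = "default"
        elif current and text.startswith("login authentication "):
            result[current] = text.split()[-1]
    return result

def simulate(methods, server_up, creds_valid):
    """In order: silent server = ERROR (try next); reject = FAIL (stop); none = PASS."""
    for m in methods:
        if m == "none":
            return "PASS"  # no authentication at all
        if m in LOCAL_METHODS or (m.startswith("group") and server_up):
            return "PASS" if creds_valid else "FAIL"
    return "FAIL"  # every method errored: access denied

def weak_lines(config):
    """Lines granting unauthenticated access ('none') or lacking a local fallback ('no-fallback')."""
    lists, findings = parse_login_lists(config), []
    for line, name in effective_lists(config).items():
        methods = lists.get(name, [])
        if "none" in methods:
            findings.append((line, name, "none"))
        elif not any(m in LOCAL_METHODS for m in methods):
            findings.append((line, name, "no-fallback"))
    return findings
```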

Page 316: ISCW Module 5

Enabling AAA in SDM


Page 317: ISCW Module 5

Confirming the AAA Activation


Page 318: ISCW Module 5

Defining RADIUS Servers


Page 319: ISCW Module 5

Defining TACACS+ Servers


Page 320: ISCW Module 5

Creating a Login Authentication Policy


Page 321: ISCW Module 5

Configuring a Login Authentication Policy


Page 322: ISCW Module 5

Creating an EXEC Authorisation Policy


Page 323: ISCW Module 5

Configuring an EXEC Authorisation Policy


Page 324: ISCW Module 5

Creating Local User Accounts


Page 325: ISCW Module 5

Configuring VTY Line Parameters


Page 326: ISCW Module 5

Applying Authentication Policy to VTY Lines


Page 327: ISCW Module 5

Applying Authorisation Policy to VTY Lines


Page 328: ISCW Module 5

Verifying AAA Login Authentication Commands

aaa new-model
!
aaa authentication login default local
aaa authentication login radius_local group radius group radius
aaa authorization exec default local
!
username joe secret 5 $1$SlZh$Io83V..6/8WEQYTis2SEW1
!
tacacs-server host 10.1.1.10 single-connection key secrettacacs
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key secretradius
!
line vty 0 4
 login authentication radius_local

Page 329: ISCW Module 5

Troubleshoot AAA Login Authentication on Cisco Routers

• Use the debug aaa authentication command on routers to trace AAA packets and monitor authentication

• The command displays debugging messages on authentication functions

router#
    debug aaa authentication

Page 330: ISCW Module 5

‘AAA Authorization’ Commands

• The access server can be configured to restrict the user to perform certain functions only after successful authentication

• Use the aaa authorization command in global configuration mode to select the function authorised and the method of authorisation

• Troubleshooting Authorization: To display information on AAA authorisation, use the debug aaa authorization command in privileged EXEC mode. Use the no debug aaa authorization form of the command to disable this debug mode.

Page 331: ISCW Module 5

‘AAA Authorization’ Commands

router(config)#
    aaa authorization {network | exec | commands level | config-commands | reverse-access} {default | list-name} method1 [method2...]

Example:
router(config)# aaa authorization exec default group radius local none

Page 332: ISCW Module 5

AAA Accounting Commands

• Use the aaa accounting command in global configuration mode for auditing and billing purposes.

• Accounting of user EXEC sessions requires that aaa new-model is enabled and that the authentication and authorisation configuration is in place.

• The Cisco Secure ACS serves as a central repository for accounting information by completing the access control functionality. Accounting tracks events that occur on the network.

• Each session that is established through the Cisco Secure ACS can be fully accounted for and stored on the server. This stored information can be very helpful for management, security audits, capacity planning, and network usage billing.

Page 333: ISCW Module 5

AAA Accounting Commands

router(config)#
    aaa accounting {command level | connection | exec | network | system} {default | list-name} {start-stop | stop-only | wait-start} group {tacacs+ | radius}

Example:
R2(config)# aaa accounting exec default start-stop group tacacs+

Page 334: ISCW Module 5

AAA Accounting Example

R2# show running-config | begin aaa
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
...
tacacs-server host 10.1.1.3
tacacs-server key SeCrEtKeY
...

The Cisco Secure ACS serves as a central repository for accounting information by completing the access control functionality. Accounting tracks events that occur on the network. The next slide shows a TACACS+ report from Windows ACS.

Page 335: ISCW Module 5

TACACS+ Reports and Activity


Page 336: ISCW Module 5

Troubleshooting Accounting

router#
    debug aaa accounting

• Use this command to help troubleshoot AAA accounting problems.

R2# debug aaa accounting
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
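The debug aaa accounting output above is the audit trail a defender works from. The following parser is an added example, not from the Cisco slides: it turns such output into structured records and pairs each stop record with the latest unmatched start on the same line, so that per-session byte counts, peer address and duration can be reviewed. The log text is constructed to match the format shown above, including attribute lines wrapped as in the slide; the function names are this example's own.

```python
"""Added example (not from the slides): parse 'debug aaa accounting' output into
records and pair each stop with the latest unmatched start on the same line."""
import re

# Constructed sample in the format of the R2 output above; the stop record's
# attributes are wrapped over several lines, as in the slide's rendering.
SAMPLE_DEBUG = """\
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10
protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76
paks_in=45 paks_out=54 elapsed_time=14
"""
EVENT_RE = re.compile(r"^(\d\d:\d\d:\d\d): AAA/ACCT: ([^,:]+)(.*)$")
ATTR_RE = re.compile(r"(\w+)=(\S+)")

def parse_debug(text):
    """One dict per event (time, event, line, attrs); a line without a timestamp
    continues the attribute list of the preceding record."""
    records = []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw)
        if m:
            line_m = re.search(r"line (\d+)", m.group(3))
            records.append({"time": m.group(1), "event": m.group(2).strip(),
                            "line": int(line_m.group(1)) if line_m else None,
                            "attrs": {}})
        elif not records:
            continue  # stray text before the first event
        for key, val in ATTR_RE.findall(raw):
            records[-1]["attrs"][key] = int(val) if val.isdigit() else val
    return records

def sessions(records):
    """Return (closed, still_open): closed sessions merge the stop record's
    attributes with the start time; unmatched starts are still running."""
    pending, closed = {}, []
    for r in records:
        if r["event"].endswith("start"):
            pending.setdefault(r["line"], []).append(r)
        elif r["event"].endswith("stop"):
            line = r["attrs"].get("port", r["line"])  # stop carries port=<line>
            starts = pending.get(line, [])
            start = starts.pop() if starts else None
            closed.append({"line": line, "stopped": r["time"],
                           "started": start["time"] if start else None,
                           **r["attrs"]})
    still_open = [s for starts in pending.values() for s in starts]
    return closed, still_open
```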

Page 337: ISCW Module 5
