
Module 2: Security Planning and Policy - Modified

Jan 15, 2015


techdude

Transcript
Page 1: Module 2: Security Planning and Policy - Modified

© 2005 Cisco Systems, Inc. All rights reserved. © 2004, Cisco Systems, Inc. All rights reserved.

Page 2: Module 2: Security Planning and Policy - Modified


Network Security 1

Module 2 – Security Planning and Policy

Page 3: Module 2: Security Planning and Policy - Modified


Learning Objectives

2.1 Discussing Network Security and Cisco

2.2 Endpoint Protection and Management

2.3 Network Protection and Management

2.4 Security Architecture

2.5 Basic Router Security

Page 4: Module 2: Security Planning and Policy - Modified


Module 2 – Security Planning and Policy

2.1 Discussing Network Security and Cisco

Page 5: Module 2: Security Planning and Policy - Modified


Network Security as a Continuous Process

• Network security is a continuous process built around a security policy (which enables the application of security measures).

Step 1: Secure

Step 2: Monitor

Step 3: Test

Step 4: Improve

Secure

Monitor

Test

Improve Security Policy

Page 6: Module 2: Security Planning and Policy - Modified


Secure

Monitor

Test

Improve Security Policy

Secure the Network

• Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:

Identification

Authentication

Encryption

VPNs

Firewalls

Vulnerability patching

Page 7: Module 2: Security Planning and Policy - Modified


Secure

Monitor

Test

Improve Security Policy

Monitor Security

• Detects violations to the security policy

• Involves system auditing and real-time intrusion detection

• Validates the security implementation in Step 1.

Page 8: Module 2: Security Planning and Policy - Modified


Secure

Monitor

Test

Improve Security Policy

Test Security

• Validates effectiveness of the security policy through system auditing and vulnerability scanning

• SATAN, Nessus, or NMAP are useful for periodically testing the network security measures at the network and host level

Page 9: Module 2: Security Planning and Policy - Modified


Secure

Monitor

Test

Improve Security Policy

Improve Security

• Improve corporate security

• Collect and analyze information from the monitoring and testing phases to make security improvements

• Adjust the security policy as security vulnerabilities and risks are identified

Page 10: Module 2: Security Planning and Policy - Modified


Security Policy

• All network security features should be configured in compliance with the organization's security policy.

• If a security policy is not present, or if the policy is out of date, the policy should be created or updated before deciding how to configure security on any devices.

Page 11: Module 2: Security Planning and Policy - Modified


What Is a Security Policy?

• “A security policy is a formal statement of the rules by which people who are given access to

an organization’s technology and information assets must abide.”

(RFC 2196, Site Security Handbook)

Page 12: Module 2: Security Planning and Policy - Modified


SANS – Why Do You Need Security Policy?

Page 13: Module 2: Security Planning and Policy - Modified


SANS – Why Do You Need Security Policy?

Page 14: Module 2: Security Planning and Policy - Modified


Page 15: Module 2: Security Planning and Policy - Modified


Why Create a Security Policy?

To create a baseline of your current security posture

To provide a process to audit existing network security

To set the framework for security implementation

To define allowed and not allowed behaviors

To help determine necessary tools and procedures

To communicate consensus and define responsibilities of users and administrators

To define how to handle security incidents

To enable global security implementation and enforcement

To create a basis for legal action, if necessary

Page 16: Module 2: Security Planning and Policy - Modified


Links – Network Security Policy

• RFC 2196 Site Security Handbook - http://www.ietf.org/rfc/rfc2196.txt

• A sample security policy for the University of Illinois - http://www.obfs.uillinois.edu/manual/central_p/sec19-5.htm

• Cisco – Network Security Policy Best Practices White Paper - http://www.cisco.com/warp/public/126/secpol.html

• SANS – http://www.sans.org

Page 17: Module 2: Security Planning and Policy - Modified


2.2 Endpoint Protection and Management

Module 2 – Security Planning and Policy

Page 18: Module 2: Security Planning and Policy - Modified


Desktop Inventory and Maintenance

• Anti-virus (updated definitions), firewall, and intrusion detection (updated signatures) are valuable tools that can be used to secure network hosts.

• HIPS alerts the management console when an external process tries to monitor or modify a system file. It also monitors for backdoor programs, stopping attacks and the spread of viruses and worms.

Page 19: Module 2: Security Planning and Policy - Modified


Host-Based Intrusion Prevention (HIPS)

Page 20: Module 2: Security Planning and Policy - Modified


Desktop Inventory and Maintenance

• Operating System Patches

• When a new operating system is installed on a computer, the security settings are all set to the default values. In most cases this level of security is inadequate. There are some simple steps that should be taken that apply to most operating systems:

Default usernames and passwords should be changed immediately.

Access to the system resources should be restricted to only the individuals that are authorized to use those resources.

Any unnecessary services and applications should be turned off and uninstalled when possible

Page 21: Module 2: Security Planning and Policy - Modified


Module 2 – Security Planning and Policy

2.3 Network Protection and Management

Page 22: Module 2: Security Planning and Policy - Modified


Types of Firewalls

Server Based

Microsoft ISA

CheckPoint

BorderManager

Appliance

PIX Security Appliance

Netscreen

SonicWall

Personal

Norton

McAfee

ZoneAlarms

Integrated

IOS Firewall

Switch Firewall

Page 23: Module 2: Security Planning and Policy - Modified


Network-Based IDS

Page 24: Module 2: Security Planning and Policy - Modified


VPN Definition

Page 25: Module 2: Security Planning and Policy - Modified


Remote Access VPNs

Page 26: Module 2: Security Planning and Policy - Modified


Site-to-Site VPNs

Page 27: Module 2: Security Planning and Policy - Modified


Trust and Identity

• Identity refers to the accurate and positive identification of network users, hosts, applications, services, and resources.

Page 28: Module 2: Security Planning and Policy - Modified


Links – Network Based Components and Technologies

• Cisco Security - http://www.cisco.com/en/US/products/hw/vpndevc/

• Cisco PIX Security Appliance - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/

• Cisco IOS Firewall - http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

• Microsoft -http://www.microsoft.com/isaserver/default.mspx

• Firewall Certifications - https://www.icsalabs.com/icsa/icsahome.php

• Enterprises Firewall Listing - http://www.networkintrusion.co.uk/fireappent.htm

Page 29: Module 2: Security Planning and Policy - Modified


Security Management

• The goal of security management is to control access to network resources:

– VPN Routers

– Firewall

– Network IDS (NIDS)

– Host Intrusion Prevention (HIPS)

• Management Station – CiscoWorks VPN/Security Management Solution (VMS)

– ASDM (PIX and ASA) - PDM replaced with ASDM in v 7.0

– SDM (Routers)

– IDM (Sensors)

Page 30: Module 2: Security Planning and Policy - Modified


Major Functions of CiscoWorks VMS

• CiscoWorks VMS consists of a set of Web-based applications for configuring, monitoring, and troubleshooting enterprise VPNs, firewalls, NIDS, and HIDS.

– Addresses the needs of small and large-scale VPN and security deployments.

– Manage access control lists for Cisco PIX/ASA Security Appliances

– Identifies sensitive network resources

– Monitors and logs access to network resources

Page 31: Module 2: Security Planning and Policy - Modified


Adaptive Security Device Manager (ASDM)

Page 32: Module 2: Security Planning and Policy - Modified


Security Device Manager (SDM)

Page 33: Module 2: Security Planning and Policy - Modified


Links – Network Security Management

• CiscoWorks VMS - http://www.cisco.com/en/US/products/sw/cscowork/ps2330/

• PDF on CiscoWorks - http://www.cisco.com/application/pdf/en/us/guest/products/ps2330/c1244/cdccont_0900aecd8021bff1.pdf

• CiscoWorks SIMS - http://www.cisco.com/en/US/products/sw/cscowork/ps5209/

Page 34: Module 2: Security Planning and Policy - Modified


Module 2 – Security Planning and Policy

2.4 Security Architecture

Page 35: Module 2: Security Planning and Policy - Modified


Security Architecture (SAFE)

SAFE White Papers:

• A Security Blueprint for Enterprise Networks

• Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

• VPN IPSec Virtual Private Networks in Depth

• Wireless LAN Security in Depth – version 2

• IP Telephony Security in Depth

• IDS Deployment, Tuning, and Logging in Depth

• Worm Mitigation

Page 36: Module 2: Security Planning and Policy - Modified


Security Architecture – Self-Defending Network Strategy

• Secure Connectivity

• Threat Defense

• Trust and Identity Management

Page 37: Module 2: Security Planning and Policy - Modified


Secure Connectivity

• Secure Connectivity safely transports applications across different network environments.

• As companies use the flexibility and cost effectiveness of the Internet to extend their networks to branch offices, telecommuters, customers, and partners, security (privacy and integrity) is paramount.

Page 38: Module 2: Security Planning and Policy - Modified


Cisco Threat Defense System

• Brings together security solutions and intelligent networking technologies to identify and mitigate both known and unknown threats from inside and outside an organization.

Page 39: Module 2: Security Planning and Policy - Modified


Trust and Identity Management

• Identity Management

• Identity Based Networking services (IBNS)

• Network Admission Control (NAC)

Page 40: Module 2: Security Planning and Policy - Modified


Identity Management

• Guarantees the identity and integrity of every entity on the network and applies appropriate access policy.

• Identity Management also secures the centralized management of remote devices and provides Authentication, Authorization, and Accounting (AAA) functionality across all network devices.

Page 41: Module 2: Security Planning and Policy - Modified


Identity Based Networking Services (IBNS)

• Expands network security by using 802.1x to automatically identify users requesting network access and route them to a VLAN domain with an appropriate degree of access privilege based on policy.

• IBNS also prevents unauthorized network access from rogue wireless access points.

Page 42: Module 2: Security Planning and Policy - Modified


Identity Based Networking Services (IBNS)

[Figure: IBNS 802.1x exchange diagram, labelled Step 1 through Step 4]

Page 43: Module 2: Security Planning and Policy - Modified


Network Admission Control (NAC)

• Allows network access only to trusted endpoint devices that can verify their compliance to network security policies, such as having a current antivirus image, operating system version, or patch update.

• NAC can permit, deny, or restrict network access to any device and quarantine and remediate noncompliant devices.

Page 44: Module 2: Security Planning and Policy - Modified


Page 45: Module 2: Security Planning and Policy - Modified


Plan, Design, Implement, Operate, Optimize (PDIOO)

Page 46: Module 2: Security Planning and Policy - Modified


Module 2 – Security Planning and Policy

2.5 Basic Router Security

Page 47: Module 2: Security Planning and Policy - Modified


Secure Shell (SSH)

SSH Server and Client

SSH Client

TCP Port 22

With authentication and encryption, SSH allows for secure communications over an insecure network.

Page 48: Module 2: Security Planning and Policy - Modified


SSH Server Configuration

Router(config)# hostname host-name
Router(config)# ip domain-name domain-name.com
Router(config)# crypto key generate rsa
Router(config)# line vty 0 4
Router(config-line)# transport input ssh

Page 49: Module 2: Security Planning and Policy - Modified


Controlling Access

• Ensure that logins on all lines are controlled using some sort of authentication mechanism, even on machines that are supposed to be inaccessible from untrusted networks.

– Console Port

– TTY

– VTY

Page 50: Module 2: Security Planning and Policy - Modified


Access Control – Console Port

By default, console, auxiliary and Telnet (VTY) sessions time out after 10 minutes of inactivity. You can override this with the exec-timeout command. A common setting is 5 minutes.

In this slide, the line password is stored in clear text. It is better to use the local username and password database by specifying login local, and better still to use an external authentication server for securing line access.

The service password-encryption command is used to encrypt clear-text passwords, but there are many tools that decrypt this very weak encryption algorithm: http://www.oldach.net/ciscocrack.shtml.

Page 51: Module 2: Security Planning and Policy - Modified


Access Control – TTYs

• The aux port can be used to attach to a CSU/DSU, a modem, or a protocol analyzer.

• You cannot use access lists on tty ports (as you can on vty ports) to control access, but you can require a password and disable protocol access using the transport command (transport input none).

• Typically, the tty line is used for remote dial-in access for emergency situations.

• If you are using this line for dialup, you should implement security for dialup on your router and run PPP with CHAP for authentication.

Page 52: Module 2: Security Planning and Policy - Modified


Access Control – VTYs

Compared to local access, in which you can access user EXEC mode only through the console or aux port, you can access your router remotely through Telnet, RSH, SSH, HTTP, HTTPS, and SNMP.

VTYs are logical lines (for handling incoming and outgoing Telnet connections). Cisco IOS treats them as physical lines from a configuration and operation perspective, even though they have no physical presence.

Never use Telnet. Why? Because Telnet sends user information across the network in clear text. Remember that if you are using the router as part of a firewall system, you want to keep it as secure as possible. Use either SSH or a VPN.

Page 53: Module 2: Security Planning and Policy - Modified


Access Control – VTYs

• Applying the standard ACL requires the use of the access-class command.

• Specify the direction of restriction (in or out).

• When using the out parameter, the addresses listed in the ACL are treated as destination addresses, not source addresses.

Router(config)# access-list 1 permit 172.16.3.10
Router(config)# access-list 1 permit 172.16.3.1
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# transport output ssh
Router(config-line)# access-class 1 in


Page 55: Module 2: Security Planning and Policy - Modified


• Logins may be completely prevented on any line by configuring the router with the login and no password commands. This is the default configuration for vtys, but not for ttys.

• Any vty should be configured to accept connections only with the protocols actually needed. This is done with the transport input command.

Page 56: Module 2: Security Planning and Policy - Modified


• A Cisco IOS device has a limited number of vty lines, usually five. When all of the vtys are in use, no additional remote connections can be established. This creates the opportunity for a DoS attack. If an attacker can open remote sessions to all the vtys on the system, the legitimate administrator may not be able to log in. The attacker does not have to log in to do this. The sessions can simply be left at the login prompt.

• One way of reducing this exposure is to configure a more restrictive ip access-class command on the last vty line in the system. The last vty might be restricted to accept connections only from a single, specific administrative workstation, whereas the other vtys might accept connections from any address in a corporate network .

Page 57: Module 2: Security Planning and Policy - Modified


Passwords

• Passwords are the most critical tools in controlling access to a router. There are two password protection schemes in Cisco IOS:

Type 7 uses the Cisco-defined encryption algorithm.

Type 5 uses an MD5 hash, which is much stronger.

• Cisco recommends that Type 5 encryption be used instead of Type 7 where possible. Type 7 encryption is used by the enable password, username, and line password commands.

• Service password encryption should be used.

• Use good password practices when creating passwords.

• Configure both username and password combinations.

Page 58: Module 2: Security Planning and Policy - Modified


Good Password Practices

• Avoid dictionary words, names, phone numbers, and dates.

• Include at least one lowercase letter, uppercase letter, digit, and special character.

• Make all passwords at least eight characters long.

• Avoid more than four digits or same-case letters in a row.

• Change passwords often.

• Use different passwords on each system.

• Note: When testing the sample passwords hello, Enter0, 9spot, 8twelve8, and ilcic41, the only password that wasn’t cracked was ilcic41.
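A checker for the rules on this slide, added here as an illustration and not part of the Cisco deck. It encodes the string-testable rules (length, character classes, runs of digits or same-case letters, dictionary words, year-like digit groups) and runs the slide's five sample passwords through them. The small WORDLIST is a constructed stand-in for a real dictionary and name list, and `c4rd-Vx9q` is a constructed password that satisfies every rule.

```python
"""Check candidate passwords against the 'Good Password Practices' slide.
Added example, not part of the Cisco deck; WORDLIST is a constructed stand-in
for a real dictionary / name list."""
import re

# Constructed word list standing in for a dictionary and name list.
WORDLIST = {"hello", "enter", "spot", "twelve", "password", "cisco", "boston",
            "admin", "secret", "router", "welcome"}


def password_findings(pw):
    """Return the list of rules the password breaks (empty list = compliant)."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    if not re.search(r"[a-z]", pw):
        findings.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        findings.append("no uppercase letter")
    if not re.search(r"\d", pw):
        findings.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        findings.append("no special character")
    # "Avoid more than four digits or same-case letters in a row."
    if re.search(r"\d{5,}", pw):
        findings.append("more than four digits in a row")
    if re.search(r"[a-z]{5,}|[A-Z]{5,}", pw):
        findings.append("more than four same-case letters in a row")
    # "Avoid dictionary words, names": test every alphabetic run, case-insensitively.
    for run in re.findall(r"[A-Za-z]+", pw):
        if run.lower() in WORDLIST:
            findings.append(f"contains dictionary word '{run.lower()}'")
    # "Avoid dates": a four-digit group that looks like a year.
    if re.search(r"(19|20)\d{2}", pw):
        findings.append("contains what looks like a year")
    return findings


def is_compliant(pw):
    return not password_findings(pw)


if __name__ == "__main__":
    # The five sample passwords named on the slide, plus one constructed to pass.
    for sample in ["hello", "Enter0", "9spot", "8twelve8", "ilcic41", "c4rd-Vx9q"]:
        print(f"{sample:12} -> {password_findings(sample) or 'OK'}")
```

All five slide samples fail at least one rule; ilcic41, the one the slide reports as uncracked, still fails on length, uppercase and special-character grounds, which is the point of checking policy rather than relying on one cracking run.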

Page 59: Module 2: Security Planning and Policy - Modified


Password Minimum Length Enforcement

Page 60: Module 2: Security Planning and Policy - Modified


Configure the Enable Password Using enable secret

router(config)# enable secret password

• Encrypts the password in the router configuration file

• Uses a strong encryption algorithm based on MD5

Boston(config)# enable secret Curium96

Boston# show running-config
!
hostname Boston
!
no logging console
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
!

Page 61: Module 2: Security Planning and Policy - Modified


Configure the Console Port User-Level Password

Boston(config)# line console 0
Boston(config-line)# login
Boston(config-line)# password ConUser1

Creates the user-level password ConUser1; the password is unencrypted.

router(config)# line console line-number
router(config-line)# login
router(config-line)# password password

• Enters console line configuration mode

• Enables password checking at login

• Sets the user-level password to password

Page 62: Module 2: Security Planning and Policy - Modified


Configure a VTY User-Level Password

Boston(config)# line vty 0 4
Boston(config-line)# login
Boston(config-line)# password CantGessMeVTY

router(config)# line vty start-line-number end-line-number
router(config-line)# login
router(config-line)# password password

• Enters VTY line configuration mode

• Specifies the range of VTY lines to configure

• Enables password checking at login for VTY (Telnet) sessions

• Sets the user-level password to password


Page 63: Module 2: Security Planning and Policy - Modified


Configure an Auxiliary User-Level Password

Boston(config)# line aux 0
Boston(config-line)# login
Boston(config-line)# password NeverGessMeAux

router(config)# line aux line-number
router(config-line)# login
router(config-line)# password password

• Enters auxiliary line configuration mode

• Enables password checking at login for Aux connections

• Sets the user-level password to password


Page 64: Module 2: Security Planning and Policy - Modified


Encrypting Passwords Using service password-encryption

router(config)# service password-encryption

• Encrypts all passwords in the router configuration file

• Uses a weak encryption algorithm that can be easily cracked

Boston(config)# service password-encryption

Boston# show running-config
!
line con 0
password 7 0956F57A109A
!
line vty 0 4
password 7 034A18F366A0
!
line aux 0
password 7 7A4F5192306A

Page 65: Module 2: Security Planning and Policy - Modified


Setting Timeouts for Router Lines

router(config-line)# exec-timeout minutes [seconds]

• Default is 10 minutes

• Terminates an unattended console connection

• Provides an extra safety factor when an administrator walks away from an active console session

• Terminates an unattended console/auxiliary connection after 3 minutes and 30 seconds

Boston(config)# line console 0
Boston(config-line)# exec-timeout 3 30

Boston(config)# line aux 0
Boston(config-line)# exec-timeout 3 30
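The line-access, password and timeout guidance on pages 55 through 65 can be checked mechanically against a saved running-config. The auditor below is an added example, not Cisco's code: it splits an IOS config into global commands and per-line sub-commands, then reports the deviations those slides warn about (enable password instead of enable secret, Type 7 line passwords and accounts above level 1, service password-encryption switched off, missing or disabled exec-timeout, vty transport input that allows anything besides ssh, and vtys with no access-class). SAMPLE_CONFIG is constructed from the deck's own snippets with a few deliberately weak settings so that every check fires; a multi-line banner is not handled by this parser.

```python
"""Audit a Cisco IOS running-config against the line, password and timeout
guidance on pages 55-65 of the deck.  Added example, not Cisco's code; the
sample config is constructed from the deck's snippets plus deliberate weaknesses."""
import re

SAMPLE_CONFIG = """\
hostname Boston
!
no service password-encryption
enable password 7 0956F57A109A
!
username ops-fred privilege 2 password freds-password
!
line con 0
 password 7 0956F57A109A
 login
line aux 0
 exec-timeout 3 30
 login
line vty 0 4
 password 7 034A18F366A0
 login
 transport input telnet ssh
!
"""


def parse_config(text):
    """Split an IOS config into top-level commands and per-line sub-commands."""
    top, lines, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):   # '!' closes a block
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            lines[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            lines[current] = []
        else:
            current = None
            top.append(raw.strip())
    return top, lines


def audit(text):
    """Return a list of findings; an empty list means no deviation was found."""
    top, lines = parse_config(text)
    findings = []
    if "service password-encryption" not in top:
        findings.append("global: service password-encryption is off, so line "
                        "passwords are stored in clear text")
    for cmd in top:
        if cmd.startswith("enable password"):
            findings.append("global: 'enable password' is Type 7 or clear text; "
                            "use 'enable secret' (Type 5, MD5) instead")
        m = re.match(r"username (\S+) privilege (\d+) password", cmd)
        if m and int(m.group(2)) > 1:
            findings.append(f"global: user {m.group(1)} has privilege {m.group(2)} "
                            "on a Type 7 password; keep accounts at level 1 and "
                            "guard higher levels with enable secret")
    for name, cmds in lines.items():
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"{name}: no exec-timeout, 10-minute default applies")
        elif timeout.split()[1:] in (["0"], ["0", "0"]):
            findings.append(f"{name}: exec-timeout disabled, sessions never expire")
        if any(c.startswith("password") for c in cmds):
            findings.append(f"{name}: line password in use; prefer 'login local' "
                            "or an external AAA server")
        if name.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            if transport is None:
                findings.append(f"{name}: no transport input, all protocols accepted")
            else:
                extra = set(transport.split()[2:]) - {"ssh"}
                if extra:
                    findings.append(f"{name}: transport input allows "
                                    f"{', '.join(sorted(extra))}; restrict to ssh")
            if not any(c.startswith("access-class") for c in cmds):
                findings.append(f"{name}: no access-class, any source may connect")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample, the auditor reports nine findings; line aux 0, which has a timeout and no line password, produces none. The same checks map directly onto the hardened configuration the slides build up: enable secret, login local or AAA, exec-timeout on every line, transport input ssh and access-class on the vtys.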

Page 66: Module 2: Security Planning and Policy - Modified


Setting Multiple Privilege Levels

router(config)# privilege mode {level level command | reset command}

• Level 1 is predefined for user-level access privileges

• Levels 2–14 may be customized for user-level privileges

• Level 15 is predefined for enable mode (enable command)

Boston(config)# privilege exec level 2 ping
Boston(config)# enable secret level 2 Patriot

Page 67: Module 2: Security Planning and Policy - Modified


Local User Accounts

Page 68: Module 2: Security Planning and Policy - Modified


Local User Accounts

• No user account should be created above privilege level 1 since it is not possible to use Type 5 encryption on the default EXEC login or the username command.

• User accounts should be created for auditing purposes.

• Higher privilege levels should be protected with the enable secret password.

Page 69: Module 2: Security Planning and Policy - Modified


Privilege Mode Example

• router#config terminal

• router(config)#username admin-joe privilege 15 password joes-password

• router(config)#username admin-carl privilege 15 password carls-password

• router(config)#username junior-jeff privilege 10 password jeffs-password

• router(config)#username junior-jay privilege 10 password jays-password

• router(config)#username ops-fred privilege 2 password freds-password

• router(config)#username ops-pat privilege 2 password pats-password

• router(config)#privilege exec level 10 telnet

• router(config)#privilege exec level 10 debug

• router(config)#privilege exec level 2 clear line

• router(config)#^Z

• router#

Page 70: Module 2: Security Planning and Policy - Modified


Recommended (NSA) Privilege-Level Changes

• router#config terminal

• router(config)#privilege exec level 15 connect

• router(config)#privilege exec level 15 telnet

• router(config)#privilege exec level 15 rlogin

• router(config)#privilege exec level 15 show ip access-lists

• router(config)#privilege exec level 15 show access-lists

• router(config)#privilege exec level 15 show logging

• router(config)#privilege exec level 1 show ip

• router(config)#^Z

• router#

Note: The final privilege exec level 1 show ip returns the show and show ip commands to level 1, enabling all other default level 1 commands to still function.


Page 72: Module 2: Security Planning and Policy - Modified


There are several considerations to keep in mind when customizing privilege levels:

• Do not use the username command to set up accounts above level one. Instead, use the enable secret command to set a level password.

• Be very careful about moving too much access down from level 15, as this could cause unexpected security holes in the system.

• Be very careful about moving any part of the configure command down from level 15. Once a user has write access, they could leverage this to acquire greater access.
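The note on page 70 and the warnings on this slide follow from one rule of the IOS privilege mechanism, documented by Cisco: assigning a multi-word command to a level also moves each of its prefixes to that level, and a user has to clear every prefix on the way to a command before the command itself is reachable. The model below is an added example, not Cisco's code, written to make that rule visible with the deck's own command sequences from pages 69 and 70. DEFAULT_LEVELS is a constructed subset of IOS default levels covering only the commands those pages use, and treating a command with no known prefix as level 15 is a simplifying assumption.

```python
"""Model of IOS 'privilege exec level' assignments (pages 69-72 of the deck).
Added example, not Cisco's code; DEFAULT_LEVELS is a constructed subset of the
real defaults, sufficient for the commands used on those pages."""

# Constructed subset of IOS default command levels (assumption, not the full table).
DEFAULT_LEVELS = {
    "show": 1, "show ip": 1, "show ip route": 1, "show ip access-lists": 1,
    "show access-lists": 1, "show logging": 1, "show running-config": 15,
    "ping": 1, "telnet": 1, "connect": 1, "rlogin": 1, "enable": 1,
    "configure": 15, "configure terminal": 15,
    "debug": 15, "clear": 15, "clear line": 15, "clear counters": 15,
}


class PrivilegeModel:
    def __init__(self):
        self.levels = dict(DEFAULT_LEVELS)

    def privilege_exec_level(self, level, command):
        """'privilege exec level N <command>': IOS moves the command and every
        prefix of it (e.g. 'show' and 'show ip' for 'show ip access-lists') to N."""
        words = command.split()
        for n in range(1, len(words) + 1):
            self.levels[" ".join(words[:n])] = level

    def level_of(self, command):
        """A user must clear every configured prefix on the way to the command,
        so the highest level among the prefixes is what is enforced.
        Assumption: a command with no known prefix at all is treated as level 15."""
        words = command.split()
        seen = [self.levels[" ".join(words[:n])]
                for n in range(1, len(words) + 1)
                if " ".join(words[:n]) in self.levels]
        return max(seen) if seen else 15

    def can_run(self, user_level, command):
        return user_level >= self.level_of(command)


def nsa_recommended(reset_show_ip=True):
    """The page 70 sequence, with or without its final 'privilege exec level 1 show ip'."""
    m = PrivilegeModel()
    for cmd in ["connect", "telnet", "rlogin", "show ip access-lists",
                "show access-lists", "show logging"]:
        m.privilege_exec_level(15, cmd)
    if reset_show_ip:
        m.privilege_exec_level(1, "show ip")
    return m


def page69_example():
    """The custom levels from the page 69 'Privilege Mode Example'."""
    m = PrivilegeModel()
    m.privilege_exec_level(10, "telnet")
    m.privilege_exec_level(10, "debug")
    m.privilege_exec_level(2, "clear line")
    return m


if __name__ == "__main__":
    without = nsa_recommended(reset_show_ip=False)
    print("without the reset, show ip route needs level", without.level_of("show ip route"))
    with_reset = nsa_recommended()
    print("with the reset, show ip route needs level", with_reset.level_of("show ip route"))
    print("show ip access-lists still needs level", with_reset.level_of("show ip access-lists"))
    ops = page69_example()
    print("level 2 may run 'clear line 3':", ops.can_run(2, "clear line 3"))
    print("level 2 may run 'clear counters':", ops.can_run(2, "clear counters"))
```

Without the final reset, raising show ip access-lists drags show and show ip to level 15 and an ordinary level-1 user loses show ip route; with the reset, show ip route is back at level 1 while show ip access-lists stays at 15. The page 69 sequence shows the complementary effect that this slide warns about: moving clear line down to level 2 also lowers the clear prefix, so every other clear variant is now only protected by its own level.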

Page 73: Module 2: Security Planning and Policy - Modified


Login Banner

• Banners should be used on all network devices

• A banner should include

A notice that the system is to be logged into or accessed only by authorized personnel, and information about who may authorize use.

A notice that any unauthorized use of the system is unlawful, and may be subject to civil and criminal penalties, or both.

A notice that any use of the system may be logged or monitored without further notice, and that the resulting logs may be used as evidence in court.

Specific notices required by specific local laws.

• A login banner usually should not contain any specific information about the router, its name, its model, what software it is running, or its ownership.

Page 74: Module 2: Security Planning and Policy - Modified


Login Banner Example

• WARNING!!!

• This system is solely for the use of authorized users for official purposes. You have no expectation of privacy in its use and to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.

Page 75: Module 2: Security Planning and Policy - Modified


Configuring Banner Messages

router(config)# banner {exec | incoming | login | motd | slip-ppp} d message d

• Specify what is “proper use” of the system

• Specify that the system is being monitored

• Specify that privacy should not be expected when using this system

• Do not use the word “welcome”

• Have legal department review the content of the message

Boston(config)# banner motd #WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. #

Page 76: Module 2: Security Planning and Policy - Modified


Disable Unneeded Services

Page 77: Module 2: Security Planning and Policy - Modified


Security-Related Router Services

• Bootp server

• Cisco Discovery Protocol (CDP)

• Classless Routing Behavior

• Configuration auto-loading

• DNS

• Finger

• HTTP server

• IP directed broadcast

• IP mask reply

• IP redirects

• IP source routing

• IP unreachable notifications

• NTP service

• Proxy ARP

• SNMP

• TCP small servers

• UDP small servers

Page 78: Module 2: Security Planning and Policy - Modified


Disable Bootp Server

• Globally disables the Bootp service for this router.

Austin1(config)# no ip bootp server

Router(config)# no ip bootp server

Page 79: Module 2: Security Planning and Policy - Modified


Disable Bootp Server (Cont.)

• Bootp is a datagram protocol that is used by some hosts to load their operating system over the network.

• Supports a deployment strategy where one Cisco router acts as the central repository of IOS software for a collection of such routers.

• There should be no need to offer the service outside your LAN, and it may offer useful information to intruders. For example, to block bootp traffic from passing through the firewall:

– access-list nnn deny udp any any eq 67 log

– access-list nnn deny udp any any eq 68 log


Disable CDP Server

• Globally disables the CDP service for this router.

Austin4(config)# no cdp run

Router(config)#

no cdp run


Disable IP Classless Routing Service

• Globally disables the IP classless routing service for this router.

Austin4(config)# no ip classless

Router(config)#

no ip classless


Disable IP Classless Routing Service (Cont.)

If a router receives packets for a subnet of a network with no default route, the router forwards the packet to the best supernet route.

A supernet consists of contiguous blocks of Class C address spaces used to simulate a single, larger address space and is designed to relieve the pressure on the rapidly depleting Class B address space.

When the host sends a packet to 120.20.4.1, instead of discarding the packet, the router forwards it to the best supernet route.

If you disable classless routing and a router receives packets destined for a subnet of a network with no network default route, the router discards the packet.
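To make the forwarding rule on this slide concrete, here is an added Python model of the two lookup modes; it is illustrative code written for this page, not Cisco IOS logic or course material. The routing table, the next-hop labels and the supernet route 120.0.0.0/6 are constructed; only the destination 120.20.4.1 is taken from the slide.

```python
import ipaddress
from typing import Dict, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed routing table: three known subnets of the Class A network
# 120.0.0.0/8, a supernet (aggregate) route covering 120.0.0.0-123.255.255.255,
# and a default route. Next hops are interface labels for illustration only.
ROUTES: Dict[IPv4Net, str] = {
    ipaddress.ip_network("120.20.1.0/24"): "e0/0",
    ipaddress.ip_network("120.20.2.0/24"): "e0/1",
    ipaddress.ip_network("120.20.3.0/24"): "e0/1",
    ipaddress.ip_network("120.0.0.0/6"): "e0/2",   # supernet route
    ipaddress.ip_network("0.0.0.0/0"): "e0/3",     # default route
}


def classful_network(addr: ipaddress.IPv4Address) -> IPv4Net:
    """Return the Class A/B/C major network that an address belongs to."""
    first_octet = int(addr) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def longest_match(dest: ipaddress.IPv4Address,
                  routes: Dict[IPv4Net, str]) -> Optional[Tuple[IPv4Net, str]]:
    """Longest-prefix match over the given routes, or None if nothing covers dest."""
    best = None
    for net, next_hop in routes.items():
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def lookup(dest_str: str, routes: Dict[IPv4Net, str], ip_classless: bool) -> Optional[str]:
    """Return the next hop for dest_str, or None when the router discards the packet.

    ip_classless=True  : plain longest-prefix match; a supernet or default route
                         may carry traffic for an unknown subnet (the slide's case).
    ip_classless=False : classful behaviour. If the router already knows subnets of
                         the destination's major network, only those subnets are
                         eligible; with no match the packet is discarded instead of
                         falling back to a supernet or default route.
    """
    dest = ipaddress.ip_address(dest_str)
    if ip_classless:
        hit = longest_match(dest, routes)
        return hit[1] if hit else None

    major = classful_network(dest)
    known_subnets = {net: nh for net, nh in routes.items()
                     if net.subnet_of(major) and net != major}
    if known_subnets:
        hit = longest_match(dest, known_subnets)   # no supernet/default fallback
        return hit[1] if hit else None
    # Major network is not subnetted on this router: supernet or default may be used.
    hit = longest_match(dest, routes)
    return hit[1] if hit else None


if __name__ == "__main__":
    for flag in (True, False):
        mode = "ip classless" if flag else "no ip classless"
        print(f"{mode:16} 120.20.4.1 -> {lookup('120.20.4.1', ROUTES, flag)}")
```

Run it and the same destination is forwarded via the supernet under `ip classless` but comes back as None (discarded) under `no ip classless`, because the router already holds subnets of 120.0.0.0/8 and will not fall back to a less specific route for that network. That discard is the security point of the slide: a subnet the router does not know stays unreachable instead of being handed to a default or supernet route.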


Classful Routing Behavior


Classless Routing Behavior


Restricting DNS Service

Austin4(config)# ip name-server 16.1.1.20

Router(config)#

ip name-server server-address1[server-address2…server-address6]

Router(config)#

no ip domain-lookup

Austin3(config)# no ip domain-lookup


Restricting DNS Service (Cont.)

• DNS protocol attacks:

– DNS cache poisoning - an attack that makes a DNS server cache false information, usually a record that maps a name to the wrong IP address. There are several ways for a hacker to do this, and they are often related to DNS spoofing. With DNS cache poisoning, the hacker tries to make the DNS server return an answer of his choosing for a specific request.

– DNS spoofing - a term referring to the action of answering a DNS request that was intended for another server (a “real” DNS server). The hacker “spoofs” the DNS server’s answer by answering with the DNS server’s IP address in the packets’ source-address field.


Disable Finger Service

Austin4(config)# no ip finger
Austin4(config)# no service finger
Austin4(config)# exit
Austin4# connect 16.1.1.15 finger
Trying 16.1.1.15, 79 ...
% Connection refused by remote host

Router(config)#

no ip finger


Disable Finger Service (Cont.)

• Finger was designed to help Unix users contact each other. A Finger request will tell you whether or not there is an account for an individual on a computer, what that account name is, when the user last logged on, additional contact information for the user, and whatever else that user would like to tell the world.

• Traditionally, finger services have served hackers much more than administrators. Finger can be easily disabled with the no service finger command. This command disables the router only from replying to finger requests; it doesn’t block all finger requests into your network. To do that, you would need to use an ACL that blocks TCP port 79 inbound on all external interfaces.

• Users logged into the router remotely will not be able to see if other users are logged into the router.


Disable HTTP Service

Austin4(config)# no ip http server

Router(config)#

no ip http server


Disable HTTP Service (Cont.)

• Most recent Cisco IOS Software releases support remote configuration and monitoring using the World Wide Web’s HTTP protocol.

• In general, HTTP access is equivalent to interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a cleartext password across the network, and unfortunately there is no effective provision in HTTP for challenge-based or one-time passwords. This makes HTTP a relatively risky choice for use across the public Internet. The default setting for this service depends on the Cisco device.

• If you choose to use HTTP for management (SDM), you should restrict access to appropriate IP addresses using the ip http access-class command. You should also configure authentication using the ip http authentication command. As with interactive logins, the best choice for HTTP authentication is probably to use a TACACS+ or RADIUS server.

• Disable this service to prevent attackers from accessing the HTTP router administrative access interface.


Disable IP Directed Broadcast

Austin2(config)# interface e0/1
Austin2(config-if)# no ip directed-broadcast

Router(config-if)#

no ip directed-broadcast


Disable IP Directed Broadcast (Cont.)

IP directed broadcasts are used in the extremely common and popular "smurf" denial of service attacks.

An IP directed broadcast is a datagram which is sent to the broadcast address of a subnet to which the sending machine is not directly attached. The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a link-layer broadcast.

In a "smurf" attack, the attacker sends ICMP echo requests from a falsified source address to a directed broadcast address, causing all the hosts on the target subnet to send replies to the falsified source. By sending a continuous stream of such requests, the attacker can create a much larger stream of replies, which can completely inundate the host whose address is being falsified.


Disable IP Mask Replies

Austin2(config)# interface e0/0
Austin2(config-if)# no ip mask-reply

Router(config-if)#

no ip mask-reply


Disable IP Redirects

Austin2(config)# interface e0/0
Austin2(config-if)# no ip redirect

Router(config-if)#

no ip redirect


Disable IP Redirects (Cont.)

When a packet is sent back out the interface on which it was received, an ICMP Redirect message is also sent.

The ICMP Redirect message tells the sender of the original packet to remove the route and substitute a specified device that has a more direct route.

Because you should be concerned about any ICMP messages leaving your network, you should manually disable this feature.

These messages are useful for diagnosis. An attacker may use this as a method to map the network or to intercept/redirect packets.


Disable IP Source Routing

Austin2(config)# no ip source-route

Router(config)#

no ip source-route


Disable IP Source Routing (Cont.)

The IP protocol supports source routing options that allow the sender of an IP datagram to control the route that datagram will take toward its ultimate destination, and generally the route that any reply will take.

These options are rarely used for legitimate purposes in real networks. Some older IP implementations do not process source-routed packets properly, and it may be possible to crash machines running these implementations by sending them datagrams with source routing options.


Disable IP Unreachable Messages

Austin2(config)# interface e0/0
Austin2(config-if)# no ip unreachable

Router(config-if)#

no ip unreachable


Disable NTP Service

Austin4(config)# interface e0/0
Austin4(config-if)# ntp disable

ntp disable


Disable NTP Service (Cont.)

• Internet time servers use Network Time Protocol (NTP) to transmit and receive time over TCP/IP networks such as the Internet or a corporate local area network. Obtaining time from an Internet-based source, however, introduces security issues.

• The problem with using NTP against an Internet time server is that, while it lets systems synchronize their clocks, the time source sits beyond the corporate firewall. A “hole” must therefore be left open in the firewall (specifically port 123) so that packets carrying the time information can pass through to the Internet time server.


Disable Proxy ARP

Austin1(config)# interface e0/0
Austin1(config-if)# no ip proxy-arp

no ip proxy-arp


Disable Proxy ARP (Cont.)

• Network hosts use the Address Resolution Protocol (ARP) to translate network addresses into MAC addresses. Normally, ARP transactions are confined to a particular LAN segment.

• A Cisco router can act as an intermediary for ARP, responding to ARP queries on selected interfaces and thus enabling transparent access between multiple LAN segments. This service is called proxy ARP. Proxy ARP should be used only between two LAN segments at the same trust level, and only when absolutely necessary to support legacy network architectures.

• Cisco routers perform proxy ARP by default on all IP interfaces. Disable it on each interface where it is not needed, even on interfaces that are currently idle, using the interface configuration command no ip proxy-arp.


Disable SNMP

Austin1(config)# no snmp-server community public ro
Austin1(config)# no snmp-server community config rw
Austin1(config)# no access-list 60
Austin1(config)# access-list 60 deny any
Austin1(config)# snmp-server community dj1973 ro 60
Austin1(config)# no snmp-server enable traps
Austin1(config)# no snmp-server system-shutdown
Austin1(config)# no snmp-server


Disable Small Servers

Austin2(config)# no service tcp-small-servers
Austin2(config)# no service udp-small-servers

Router(config)#

no service tcp-small-servers

Router(config)#

no service udp-small-servers

These services include the echo, discard, daytime, and chargen services.


Disable Small Servers (Cont.)

• Depending on the IOS version you are running, TCP and UDP small services may be enabled by default (11.3 and prior).

• Some services might be simple and innocuous in themselves, but can be turned to unexpected and detrimental uses. Chargen, for example, is a simple UNIX service that sends out ASCII characters over and over. Chargen is a useful network programming and testing tool because there are certain classes of networking problems that become evident when you can look at a stream of data spanning a whole range of binary representations.

• An unscrupulous hacker, however, might exploit this protocol by forging a SYN packet (connection request) that redirects the output of Chargen to another computer and port. This way the hacker can flood the target computer with data that doesn't even originate from his own computer!

• Abuse Potential – chargen can be redirected to flood other unsuspecting computers.


Disable Unused Router Interfaces

Austin1(config)# interface e0/2
Austin1(config-if)# shutdown

Router(config-if)#

shutdown

[Figure: router Austin1 with interfaces e0/0, e0/1 and e0/2; labels: Internet, Attack host]
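The pages above walk through the services to disable one command at a time. As an added example written for this page (not a Cisco tool), the following Python script checks a saved `show running-config` for those lines, treats an interface that is `shutdown` as already handled, flags an interface that has no IP address yet is not shut down, and reports SNMP communities that are well known, read-write, or unrestricted by an access list. The embedded configuration, its addresses and its community strings are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed 'show running-config' excerpt; addresses and community strings are sample values.
SAMPLE_CONFIG = """\
no ip bootp server
no ip finger
no service finger
no ip http server
no ip domain-lookup
!
interface Ethernet0/0
 ip address 16.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Ethernet0/1
 ip address 172.16.1.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0/2
 shutdown
!
snmp-server community public RO
snmp-server community dj1973 RO 60
"""

# Global hardening lines from the slides; any listed form satisfies the check.
GLOBAL_CHECKS: Dict[str, List[str]] = {
    "bootp server": ["no ip bootp server"],
    "CDP": ["no cdp run"],
    "IP source routing": ["no ip source-route"],
    "finger": ["no ip finger", "no service finger"],
    "HTTP server": ["no ip http server"],
    "TCP small servers": ["no service tcp-small-servers"],
    "UDP small servers": ["no service udp-small-servers"],
    "DNS lookups": ["no ip domain-lookup"],
}

# Per-interface lines; the running-config prints the plural forms, the slides the short ones.
INTERFACE_CHECKS: Dict[str, List[str]] = {
    "directed broadcast": ["no ip directed-broadcast"],
    "mask reply": ["no ip mask-reply"],
    "ICMP redirects": ["no ip redirects", "no ip redirect"],
    "ICMP unreachables": ["no ip unreachables", "no ip unreachable"],
    "proxy ARP": ["no ip proxy-arp"],
}

SNMP_RE = re.compile(r"snmp-server community (\S+)\s+(ro|rw)(?:\s+(\S+))?")

def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and {interface: [its lines]}, lowercased."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                      # '!' closes a config block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip().lower())
        else:
            current = None
            global_lines.append(line.strip().lower())
    return global_lines, interfaces

def audit(text: str) -> List[str]:
    """Report hardening lines that are absent and weak SNMP settings.
    Absent only means 'not explicitly configured': IOS hides defaults, so confirm
    each finding against the defaults of the release in use."""
    global_lines, interfaces = parse_config(text)
    findings: List[str] = []
    gset = set(global_lines)
    for label, forms in GLOBAL_CHECKS.items():
        if not any(f in gset for f in forms):
            findings.append(f"global: {label} not explicitly disabled")
    for name, lines in interfaces.items():
        iset = set(lines)
        if "shutdown" in iset:
            continue                            # unused interface already shut down
        if not any(l.startswith("ip address ") for l in iset):
            findings.append(f"{name}: no IP address but not shut down")
            continue
        for label, forms in INTERFACE_CHECKS.items():
            if not any(f in iset for f in forms):
                findings.append(f"{name}: {label} not explicitly disabled")
    for line in global_lines:
        m = SNMP_RE.match(line)
        if not m:
            continue
        community, mode, acl = m.group(1), m.group(2), m.group(3)
        if community in ("public", "private"):
            findings.append(f"snmp: well-known community '{community}' configured")
        if mode == "rw":
            findings.append(f"snmp: read-write community '{community}' configured")
        if acl is None:
            findings.append(f"snmp: community '{community}' has no access-list")
    return findings
```

Call `audit(SAMPLE_CONFIG)` to get the findings as a list of strings, or feed it the text of a real running-config. Because IOS omits default settings from the running-config, "not explicitly disabled" only means the line is absent; compare each finding with the defaults of the release in use (the small servers, for instance, were on by default only through 11.3, as the slide on small servers notes). The plural `no ip redirects` and `no ip unreachables` are what the running-config actually displays, so both the slides' short spelling and the displayed form are accepted.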


No service password-recovery


Routing Table Integrity

• There are two basic approaches available for protecting routing table integrity:

• Use only static routes: This may work in small networks, but is unsuitable for large networks.

• Authenticate route table updates: By using routing protocols with authentication, network administrators can deter attacks based on unauthorized routing changes. Authenticated router updates ensure that the update messages come from legitimate sources. Bogus messages are automatically discarded.

• MD5 is used by RIPv2, EIGRP and BGP
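What "authenticated router updates" means in practice, as an added Python example written for this page; it models keyed-MD5 message authentication with a sequence number against replay, not any one protocol's exact packet format (RFC 2082 defines the real layout for RIPv2, and EIGRP and BGP have their own). The shared secret, peer name and route text are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

DIGEST_LEN = 16   # MD5 output size in bytes


def keyed_md5(seq: int, body: bytes, key: bytes) -> bytes:
    """Keyed MD5 over the update: MD5(sequence number || body || shared secret)."""
    return hashlib.md5(struct.pack("!I", seq) + body + key).digest()


def build_update(seq: int, body: bytes, key: bytes) -> bytes:
    """Sender side: sequence number, routing data, then the 16-byte digest."""
    return struct.pack("!I", seq) + body + keyed_md5(seq, body, key)


class Neighbor:
    """Receiver side: verifies the digest and rejects replayed sequence numbers."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq: Dict[str, int] = {}   # highest sequence accepted per peer

    def accept(self, peer: str, packet: bytes) -> Tuple[bool, str]:
        if len(packet) < 4 + DIGEST_LEN:
            return False, "truncated: discarded"
        seq = struct.unpack("!I", packet[:4])[0]
        body, tag = packet[4:-DIGEST_LEN], packet[-DIGEST_LEN:]
        # Constant-time comparison; a wrong key or an altered body fails here.
        if not hmac.compare_digest(keyed_md5(seq, body, self.key), tag):
            return False, "bad digest: discarded"
        if seq <= self.last_seq.get(peer, -1):
            return False, "replayed: discarded"
        self.last_seq[peer] = seq
        return True, "accepted"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed exchange: one genuine update, then three bogus ones."""
    key = b"constructed-shared-secret"
    rx = Neighbor(key)
    genuine = build_update(1, b"route 10.1.0.0/16 metric 2", key)
    wrong_key = build_update(2, b"route 10.1.0.0/16 metric 1", b"some-other-key")
    # Same sequence number and digest as the genuine update, body changed in transit.
    tampered = genuine[:4] + b"route 10.1.0.0/16 metric 1" + genuine[-DIGEST_LEN:]
    return {
        "genuine": rx.accept("peerA", genuine),
        "wrong key": rx.accept("peerA", wrong_key),
        "tampered": rx.accept("peerA", tampered),
        "replayed": rx.accept("peerA", genuine),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10} -> {result[1]}")
```

The digest covers the sequence number as well as the body, so a captured genuine update delivered a second time fails the `seq` check even though its digest is valid; an update built with a different key, or altered after it was signed, fails the digest comparison. Both are dropped without touching the routing table, which is the "bogus messages are automatically discarded" behaviour the slide describes. `hmac.compare_digest` keeps the comparison constant-time so the receiver does not leak how many digest bytes matched.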
