Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Presentation transcript:

Chapter 3 – Device Security (B)
Security of major devices: how to protect the device against attacks aimed at compromising the device itself:
–Routers
–Firewalls
–Switches
–Authentication servers
–Wireless access points
–…

Steps to secure a router:
1. Backup of configuration files and the router software
2. Controlling access to the router (tty, vty ports)
3. Securing access to the router (via SSH)
4. Password management
5. Logging events on the router
6. Disabling unnecessary services
7. Using loopback interfaces
8. Controlling SNMP as a management protocol
9. Controlling HTTP as a management protocol
10. Using CEF as a switching mechanism
11. Setting up the scheduler from a security perspective
12. Using the Network Time Protocol (NTP)
13. Login banners
14. Capturing core dumps
15. Using service nagle to improve Telnet access during high CPU events

2. Controlling access to the router
A tty port is physically connected to a terminal or workstation for local administrative access to the router.
An aux port, similar to a tty port, is connected to a modem for remote out-of-band administrative access to the router.
A vty (virtual tty) port is used to allow remote in-band connection sessions, via telnet, ssh, or rlogin.
See also: Out-of-band management (Wikipedia).

Vulnerabilities of tty or aux ports
A tty or aux port may suffer a reverse telnet attack, where the terminal server connected to the tty port or the modem connected to the aux port of the router is used by the attacker (as a remote client) to access the router.
Reverse Telnet (as defined in Wikipedia)
See the linked illustration of using ‘reverse telnet’ to remotely access a router (diagrams below).

Normal telnet (diagram)

Reverse Telnet (diagram)

Reverse Telnet (cont.)
Another example: What is Reverse Telnet and how do I configure it?
“Reverse Telnet gives you the ability to telnet to a device, and then console to another device from there. For example, you could telnet to a router, and then console into a switch, or a modem, or anything that has a console port. There are a lot of devices out there that don’t have remote access built into them; their only option is a console session. Well, this will allow you to remotely manage these devices.”
“You need a straight through cable going from the console port of the console-only device to the AUX port on your router.”

Vulnerabilities of tty or aux ports
Solution?
–Disable the console port:
  line con 0
   transport input none
–Allow only SSH access to a router’s console port (a feature added in IOS 12.2 or higher):
  line con 0
   login authentication default
   rotary 1
   transport input ssh
  ip ssh port 2001 rotary 1
Requirement: the router must be set up as an SSH server.

Controlling vty access
1. Restricted access: only allow the protocols that will be used by the network admin. Since Cisco IOS v11.1, the default is none. Example: to allow only telnet and ssh connections:
  line vty 0 4
   transport input telnet ssh
2. Only addresses in the ‘access list’ are allowed to connect: access-class, access-list (see Example 3-6).
3. Short timeouts: the default timeout value is 10 minutes. To set it to 5 min. 30 sec.:
  line vty 0 4
   exec-timeout 5 30
4. Authentication for vty access: either local or RADIUS authentication (preferred).

3. Securing access to the router using encryption
IPsec VPN client (preferred; more details in Ch 13). Two cases:
 A. The VPN client accesses a back-end LAN (the destination) by building a tunnel between itself and a router (the IPsec gateway), behind which the LAN is located.
 B. The VPN client is used to remotely administer the router, which is both the gateway and the destination.
SSH: only SSH v1 is supported by Cisco IOS (Example 3-11).

4. Password Management
Passwords stored on the router should be properly encrypted. The default password encryption is either type 0 (clear-text passwords) or type 7 (weak encryption). Use the enable secret command to activate MD5 when encrypting passwords. Example 3-12.

5. Logging events
Advantages: allows auditing and tracking, which supports forensics (in case of an attack) and performance tuning (maintenance).
Requirement: good time stamping, i.e. using NTP.
Example: 3-13

6. Disable unnecessary services
If a service is not being actively used on a device, it should be disabled. Otherwise it may be used as a back door for the attacker to gain access to the device.
Sample services to be disabled (Table 3-1): TCP small servers, UDP small servers, Finger server, …

7. Using loopback interfaces
A loopback interface is a logical IP address on a computer or device. For example, the loopback address on a PC represents the localhost; pinging it is a quick and easy way to check the PC’s network setup.

Loopback interface on routers
(source: http://routersimulator.certexams.com/network-simulator-labs/configuring-and-testing-loopback-interface.html)
The loopback interface is a logical interface internal to a router. It is not connected to any other device. A loopback interface is UP as long as the router is up and running. It is useful in managing a router as there will always be at least one interface available on the router, irrespective of the other physical interfaces.
The command used for assigning a loopback interface is:
  Router(config)#interface loopback <number>
–The number can be between 0 and
–A loopback interface is automatically put in "no shutdown" state when created. However, you need to assign an IP address to use a loopback interface.

Loopback interface on routers (diagram)
(source: http://routersimulator.certexams.com/network-simulator-labs/configuring-and-testing-loopback-interface.html)

Configuring and testing a loopback interface (IP addresses were not preserved in the transcript; <...> marks the missing values):
R1:
 >enable
 #conf term
 (config)#int ser 0
 (config-if)#ip address <address> <mask>
 (config-if)#no shutdown
 (config-if)#end
 #
R2:
 >enable
 #conf term
 (config)#int ser 0
 (config-if)#ip address <address> <mask>
 (config-if)#no shutdown
 (config-if)#exit
 (config)#interface loopback 1
 (config-if)#ip address <address> <mask>
 (config-if)#end
 #
R1:
 >enable
 #ping <R2 loopback address>
(source: http://routersimulator.certexams.com/network-simulator-labs/configuring-and-testing-loopback-interface.html)

Advantages of using a loopback interface on routers
“With routers using a loopback address as the source for all IP packets originating from the router, it becomes very easy to construct appropriate filters to protect management systems in the ISP’s network operation centres.”
(Source: slide 6 in http://ws.edu.isoc.org/data/2004/ a09f9/loopback-1up.pdf)

More about loopback interfaces (source: link not preserved)
It is very common to assign all the IP addresses used for loopback interfaces from one address block.
–Example: an ISP with around 200 routers in a network might assign a /24 network (253 usable addresses) for addressing the loopback interface on each router.
–If this is done, all dependent systems can be configured to permit this address range to access the particular function concerned, whether it is security, unnumbered WAN links, or the iBGP mesh.
A loopback interface on a router never changes its state and rarely has any need to change its IP address. Physical interfaces can be physically swapped out or renumbered, and address ranges can change, but the loopback interface will always be there. So, if the DNS is set up so that the router name maps to the loopback interface address, there is one less change to worry about during operational and configuration changes elsewhere in the ISP backbone.

Other examples of loopback interfaces (source: link not preserved)
BGP Update Source
–In the following example, the iBGP mesh is built using the loopback interface on each router.
–The loopback doesn't ever disappear, which results in a more stable iBGP, even if the underlying physical connectivity is less than reliable.

Other examples of loopback interfaces (source: link not preserved)
Router ID
–If a loopback interface is configured on the router, its IP address is used as the router ID.
–This is important for ensuring stability and predictability in the operation of the ISP's network.
–If the loopback isn't configured, BGP uses the highest IP address on the router. Because of the ever-changing nature of an ISP network, this value can change, possibly resulting in operational confusion.
–Configuring and using a loopback interface ensures stability.

Access control based on loopback
–Enable a block of IP addresses to be assigned to be used as the loopback IPs of a block of routers.
–Router IDs: all routers can be forced to use these loopback IP addresses as source addresses when accessing the servers.
–Access control: the servers can then also be locked down to allow access only from this block of IP addresses.
–Accesses from addresses outside this block are denied.
Examples (next)

Examples of access control based on loopback (source: link not preserved)
TFTP Server Access
–TFTP is the most common tool for uploading and downloading configurations.
–The TFTP server's security is critical, which means that you should always use security tools with IP source addresses.
–IOS Software allows TFTP to be configured to use a specific IP interface address. This allows a fixed ACL on the TFTP server based on a fixed address on the router (for example, the loopback interface):
  ip tftp source-interface Loopback0

Examples of access control based on loopback (cont.)
(Source: loopback-1up.pdf, slide 12)
TACACS+ distributed authentication system for management access to routers
–Configure TACACS+ so that the loopback address is used in packets originating from the router.
–Configuration example:
  ip tacacs source-interface Loopback0
  tacacs-server host <server-address>

8. Controlling SNMP (as a management protocol)
SNMP can be used in read-only and ‘read and write’ modes. Unless necessary, use read-only mode on routers. The ‘read and write’ mode allows the admin to modify the router’s configuration via SNMP.
Access into the network via SNMP should be blocked at the network’s boundary.
Security of SNMP:
–v1 and v2 use ‘community strings’ as the only authentication mechanism (not secure).
–v3 is more secure, providing MD5 or SHA for authentication and DES for encryption.
–SNMP v3 threats vs protections (p. 65): next page

8. Controlling SNMP (as a management protocol)
SNMP v3 threats vs protections

Threat                      | Protection
----------------------------|------------------------------------------------------
modification of info        | Message integrity
masquerade                  | Message authentication
disclosure                  | Encryption
message stream modification | Timestamped messages, session identifiers (sequence numbers)

Message stream modification: messages might be maliciously reordered, delayed, or replayed to a greater extent than can occur through the natural operation of a subnetwork service, to effect unauthorized management operations.

9. Controlling HTTP (as a management protocol)
Unless necessary, HTTP access to the router should be disabled. The HTTP protocol provides little security: the default authentication sends the password as clear text.
Admin access to the router via HTTP should be secured by activating authentication. Example: 3-19
Ideally, a secure connection via VPN or SSL should be used (example: HTTPS).
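As an added example, not part of the slides or the book they follow: a small Python audit of a Cisco IOS running-config against steps 2 to 9 above. The sample configuration is constructed, and the thresholds (ssh-only vty transport, an access-class, an exec-timeout of at most 5 min 30 s, enable secret in place of enable password, small servers and finger off, no read-write SNMP community, no ip http server) are taken from the slide text.

```python
"""Audit a Cisco IOS running-config against hardening steps 2-9 of this chapter.
Added example, not from the slides; thresholds follow the slide text (ssh-only vty
transport, access-class, exec-timeout <= 5 min 30 s, enable secret, no RW SNMP)."""
# Constructed sample running-config with several weaknesses left in on purpose.
SAMPLE_CONFIG = """\
enable password cisco123
service tcp-small-servers
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
"""

def parse_config(config):
    """Yield (section, command); section is the enclosing 'line ...' block or None."""
    section = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if not raw.startswith(" "):  # top-level command; 'line ...' opens a block
            section = text if text.startswith("line ") else None
            yield None, text
        else:  # indented sub-command belongs to the current block
            yield section, text

def exec_timeout_seconds(body):
    """Idle timeout of a line block in seconds; 0 = never. Absent = IOS default 10 min."""
    for cmd in body:
        if cmd.startswith("exec-timeout"):
            minutes, seconds = ([int(x) for x in cmd.split()[1:]] + [0])[:2]
            return minutes * 60 + seconds
    return 600

def audit(config):
    """Return findings tagged with the chapter step they violate; [] means clean."""
    entries = list(parse_config(config))
    top = {cmd for sec, cmd in entries if sec is None}
    findings = []
    # Step 4: 'enable secret' (MD5) should replace a type-0/type-7 'enable password'.
    if any(c.startswith("enable password") for c in top) and \
            not any(c.startswith("enable secret") for c in top):
        findings.append("step 4: 'enable password' present without 'enable secret'")
    # Step 6: Table 3-1 services that should be off unless actively used.
    for svc in ("service tcp-small-servers", "service udp-small-servers", "ip finger"):
        if svc in top:
            findings.append(f"step 6: unnecessary service enabled: {svc}")
    # Step 8: v1/v2 community strings are the only authentication; avoid read-write.
    for cmd in sorted(top):
        if cmd.startswith("snmp-server community") and cmd.split()[-1] == "RW":
            findings.append(f"step 8: read-write SNMP community '{cmd.split()[2]}'")
    # Step 9: HTTP management sends the password in clear text.
    if "ip http server" in top:
        findings.append("step 9: 'ip http server' enabled")
    # Steps 2-3: transport, source restriction and idle timeout on every vty block.
    for sec in sorted({s for s, _ in entries if s and s.startswith("line vty")}):
        body = [c for s, c in entries if s == sec]
        transport = next((c.split()[2:] for c in body if c.startswith("transport input")), [])
        extra = sorted(set(transport) - {"ssh", "none"})
        if extra:
            findings.append(f"step 3: {sec}: transport input also allows {extra}")
        if not any(c.startswith("access-class") for c in body):
            findings.append(f"step 2: {sec}: no access-class restricting source addresses")
        secs = exec_timeout_seconds(body)
        if secs == 0 or secs > 330:
            findings.append(f"step 2: {sec}: exec-timeout {'disabled' if secs == 0 else f'{secs} s'}, want at most 330 s")
    return findings
```

Running audit(SAMPLE_CONFIG) reports seven findings, one per weakness left in the sample; a config with enable secret, ssh-only transport, an access-class and exec-timeout 5 30 returns an empty list.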

10. Using CEF as a switching mechanism
Cisco Express Forwarding
Routers using the traditional switching mechanisms need to update routing caches when packets destined for new addresses arrive. SYN floods and DDoS attacks use a large number of random or pseudo-random IP addresses as ultimate targets.
CEF replaces the normal routing cache with a data structure (Forwarding Information Base, or FIB, and Adjacency Table) that mirrors the entire routing table. It does away with the need to update the cache each time a new IP address needs to be routed to.

CEF Components
1. Forwarding Information Base
–CEF uses a FIB to make IP destination prefix-based switching decisions.
–The FIB is conceptually similar to a routing table or information base. It maintains a mirror image of the forwarding information contained in the IP routing table.
–When routing or topology changes occur in the network, the IP routing table is updated, and those changes are reflected in the FIB. The FIB maintains next-hop address information based on the information in the IP routing table.
–Because there is a one-to-one correlation between FIB entries and routing table entries, the FIB contains all known routes and eliminates the need for route cache maintenance that is associated with switching paths such as fast switching and optimum switching.
2. Adjacency Tables
–Nodes in the network are said to be adjacent if they can reach each other with a single hop across a link layer.
–In addition to the FIB, CEF uses adjacency tables to prepend Layer 2 addressing information. The adjacency table maintains Layer 2 next-hop addresses for all FIB entries.

11. Using the scheduler
  scheduler allocate
  scheduler interval
Purpose: to prevent the router from becoming too busy responding to the interrupts on its interfaces due to the large number of packets arriving during a large-scale network attack, esp. a DDoS attack.
Example 3-21

11. Using the scheduler (cont.)
Example (source: link not preserved):
–scheduler allocate 4000 200  // the default values
–Where 4000 is the maximum number of microseconds to allocate to fast switching any single network interrupt context, and 200 is the minimum guaranteed number of microseconds to allocate to process level tasks while network interrupts are masked.
–In cases where extremely high network load presents itself on the interface of a router, it is possible that other tasks will not be able to run.
–By default, Cisco IOS allocates 5% of the CPU time to the lower priority tasks. During a high load event, such as a DDoS, this default may be insufficient to ensure that other tasks acquire CPU time, such as routing protocol updates and CEF table maintenance.

12. Using NTP
Network Time Protocol
Critical for services requiring good time stamping: logging, AAA, Kerberos, …
Challenge: authentication between devices exchanging NTP information.

13. Login banners
Sequence:
–Login banner
–login session
–MOTD banner
–EXEC banner (or incoming banner): for users to enter commands; shows the context
Example: 3-25
MOTD banner: mainly for legal reasons, gives warnings like ‘Authorized access only!’ to whoever is attempting to connect to the device.

14. Capturing core dumps
In the event of a system crash, the core dump may provide useful info for tracking the attack(s).
Example: 3-26

15. Service nagle
Nagle is an algorithm that can be enabled as a service on a Cisco router, to allow the router to pace the TCP connection for Telnet in a way that reduces the burden on the CPU and generally improves the performance of the Telnet session.
–service nagle (Example 3-27)
More info (next)

From: (source: link not preserved)
The Nagle congestion-control algorithm is something that many ISPs turn on to improve the performance of their Telnet sessions to and from the router. When using a standard TCP implementation to send keystrokes between machines, TCP tends to send one packet for each keystroke typed. On larger networks, many small packets use up bandwidth and contribute to congestion.
John Nagle's algorithm (RFC 896) helps alleviate the small-packet problem in TCP. In general, it works this way:
–The first character typed after connection establishment is sent in a single packet, but TCP holds any additional characters typed until the receiver acknowledges the previous packet.
–The second, larger packet is sent, and additional typed characters are saved until the acknowledgment comes back.
–The effect is to accumulate characters into larger chunks and pace them out to the network at a rate matching the round-trip time of the given connection.
–This method is usually good for all TCP-based traffic and helps when connectivity to the router is poor or congested or the router itself is busier than normal.
–However, do not use the service nagle command when real-time traffic (like voice over IP) is processed on the router; performance will become very poor.
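As an added example, not from the slides: a Python simulation of the keystroke behaviour described above, counting segments with and without Nagle's rule and the longest time any keystroke waits before it is sent. The keystroke timing (one character every 50 ms, 40 characters) and the 200 ms round-trip time are constructed inputs.

```python
"""Simulate Nagle's algorithm (RFC 896) on a Telnet keystroke stream.
Added example, not from the slides. The keystroke timing and RTT are constructed; the
rule follows the text above: the first character goes out at once, later characters are
held until the outstanding segment is acknowledged, then sent together as one segment."""

# Constructed input: a fast typist, one character every 50 ms for 40 characters,
# on a connection with a 200 ms round-trip time.
KEYSTROKES_MS = [50 * i for i in range(40)]
RTT_MS = 200

def segments_without_nagle(keystrokes):
    """Plain interactive TCP: every keystroke becomes its own segment."""
    return [(t, 1, 0) for t in keystrokes]  # (send time, bytes, ms the oldest char waited)

def segments_with_nagle(keystrokes, rtt):
    """Return (send_time, bytes, max_wait_ms) per segment under Nagle's rule."""
    segments, held, ack_due = [], [], None  # ack_due None: nothing in flight

    def flush(now):
        # Everything held goes out as one segment; the oldest character waited longest.
        segments.append((now, len(held), now - held[0]))
        held.clear()
        return now + rtt  # the ACK for this segment arrives one round trip later

    for t in keystrokes:
        # ACKs that arrived before this keystroke release whatever was held meanwhile.
        while ack_due is not None and ack_due <= t:
            ack_due = flush(ack_due) if held else None
        held.append(t)
        if ack_due is None:  # line idle: the character is sent immediately
            ack_due = flush(t)
    if held:  # characters still held leave when the last ACK arrives
        flush(ack_due)
    return segments

def compare(keystrokes, rtt):
    """Segment count, largest payload and worst keystroke latency, with and without Nagle."""
    plain = segments_without_nagle(keystrokes)
    nagle = segments_with_nagle(keystrokes, rtt)
    return {"plain_segments": len(plain), "nagle_segments": len(nagle),
            "nagle_max_payload": max(b for _, b, _ in nagle),
            "nagle_max_wait_ms": max(w for _, _, w in nagle),
            "all_chars_sent": sum(b for _, b, _ in nagle) == len(keystrokes)}

if __name__ == "__main__":
    print(compare(KEYSTROKES_MS, RTT_MS))
```

For the constructed input, 40 one-byte segments shrink to 11 segments of up to 4 bytes, while the worst-case keystroke wait equals one round-trip time, which is the latency cost behind the caveat about real-time traffic.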

Security of other devices
Firewalls, switches, …
Similar procedure:
–Check the default settings.
–‘Harden’ the device before placing it into use in the production network.