Fundamental IOS Security Features

Sections

  • About the Presenter
  • Agenda
  • About the Presentation
  • Fundamental Security
  • Management Security
  • Login Methods
  • Restricting Management Access
  • Management Security Tiers
  • Login Security
  • Configuring a Banner
  • Enhanced Password Security
  • Password Restriction
  • Password Encryption
  • Service Password-Encryption
  • SHA/MD5 Password Protection
  • Password Cracking
  • Access Control Server (ACS) Integration
  • One Time Passwords (OTP)
  • Password Security Tiers
  • Session Limits
  • Login Security Tiers
  • Functionality Based User Security
  • Command Based User Security
  • Role Based Access Control
  • Remote Command Authorization
  • User Security Tiers
  • Insurance
  • Configuration Backup and Rollback
  • Network Accounting
  • Configuration Change Security Tiers
  • Control Plane Policing (CPP)
  • Control Plane Protection Example
  • Control Plane Security Tiers
  • Access Groups and ACLs
  • Datapath Security Tiers
  • Tracking Source of DoS attacks
  • DoS Attack Mitigation
  • SYN Flood Attack Mitigation using TCP Intercept
  • IP Fragmentation Attacks
  • IP Fragmentation Attack Mitigation
  • Spoofing Attacks
  • IPv6 Address Scope
  • ICMPv6 Permissions
  • Neighbour Discovery
  • Stateful DHCP
  • Stateless DHCP (SLAAC)
  • Summary of Security Best Practices
  • Complete Your Online Session Evaluation
  • Type 4 versus Type 5 vulnerability
  • Example on login blocking and timeouts
  • Changing Privilege Levels of Commands
  • ACS Command Authorization
  • IOS Resiliency
  • Control Plane Protection (CoPPr)
  • Infrastructure Security
  • IPv6 Link Local Only Example
  • Zone Based Firewall
  • TCP Intercept
  • ZBFW configuration example
  • Spoofing Attack Mitigation
  • uRPF Advanced Features

Fundamental IOS Security Features
BRKSEC-2017

Rama Darbha Customer Support Engineer CCIE #28006

About the Presenter
 Rama Darbha
– Technical Assistance Center, Firewall and VPN technology groups
– 5 years experience in network security
 CCIE #28006, Security track
 Guest Lecturer at North Carolina State University
 Participant in IETF Operational Security group
 Areas of expertise
– IPv6
– Zone Based Firewall
– Virtual Security

BRKSEC-2017

© 2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Agenda
 Fundamental Security Features
 Control Plane Security
 Data Plane Security
 Protecting User Services
 IPv6 Considerations

About the Presentation
 What is not covered?
– Zone Based Firewall (ZBFW) application inspection
– Access Control Server (ACS) configuration
– User Identity protection
– Context Aware security
– Scansafe Security Integration
– Intrusion Prevention Systems
– Advanced IPv6 security configuration
 See BRKSEC-3007, Advanced Cisco IOS Security Features

Fundamental Security

Fundamental Security  Infrastructure security is the core of network security – Protecting devices which pass traffic  Securing network infrastructure – Management security – Login security – User Security  Insurance: What to do in case something happens? – Accounting and monitoring – IOS Resiliency BRKSEC-2017 © 2013 Cisco and/or its affiliates. Cisco Public 8 . All rights reserved.

Management Security
• Controlling the method of access for management

Login Methods
 Why SSH over Telnet?
– SSH encrypts the session
– Telnet is clear text: credentials and every command cross the network readable
 Requirements for SSH
– An RSA keypair must be created on the router
– The IOS image must support encryption
– The management application must support SSH
line vty 0 4
 transport input ssh
Note that transport input only governs the VTY lines; the console and aux ports are not affected by it.

Restricting Management Access
 Only allow trusted IP addresses to open management connections
 Configure an access list (ACL) to restrict login access
ip access-list extended LOGIN_ACL
 permit tcp host 10.1.1.100 any eq 22
!
line vty 0 4
 access-class LOGIN_ACL in
 transport input ssh
 Management plane security: restrict which interface accepts management protocols at all
Router(config)# control-plane host
Router(config-cp-host)# management-interface FastEthernet0/0 allow ssh

Management Security Tiers
• Transport method
• VTY access control
• Management plane security

Login Security

Login Security  Banner on login prompts  Password Security  Restrict connection attempts BRKSEC-2017 © 2013 Cisco and/or its affiliates. Cisco Public 14 . All rights reserved.

Login Banner
Two banners contrasted on the slide:
  Welcome to Cisco's Router!            (reads as an invitation; avoid)
  Unauthorized access is not allowed.   (states the access policy)

Configuring a Banner
 Language matters
– Requirements from the legal department
– Laws differ by country and state
 The example below uses the '%' symbol as the message delimiter
Router(config)# banner login %
Enter TEXT message. End with the character '%'.
This is a LOGIN banner
%
Router(config)# banner exec %
Enter TEXT message. End with the character '%'.
This is an EXEC banner
%

Login Banner in Use
[User]$ telnet 10.1.1.1
**Unauthorized access to this network device is prohibited.**
You must have explicit permission to access or configure this device.
All activities performed on this device are logged and violations of this policy may result in disciplinary action.

Username: cisco
Password: cisco

***By successfully logging in, you acknowledge that you have explicit permission to access and configure this device.
You accept that all activities performed on this device are logged and violations of this policy may result in disciplinary action.***
Router#
Login banner: warns the user to back out now if they are not authorized to access the system.
EXEC banner: acknowledges that the user has successfully logged in and is responsible for their actions.

Password Security

Enhanced Password Security
 500,000 devices on the Internet have a default password of root
 Password restriction
 Password encryption methods
1. Password encryption service
2. SHA256/MD5 hash

3. All rights reserved. Must contain characters from at least three of the following classes: lowercase letters uppercase letters digits special characters – – – Cannot have a character repeated more than three times consecutively. 4. 2. Cisco Public 20 .Password Restriction  Cisco IOS routers do not restrict passwords by default  Password restriction ensures local passwords adhere to the following rules – 1. Router(config)#aaa new-model Router(config)#aaa password restriction BRKSEC-2017 © 2013 Cisco and/or its affiliates. Cannot be variant of the word “cisco”. Cannot be the same as the associated username.

Password Encryption
 service password-encryption uses a Cisco proprietary algorithm
– It is a Vigenère-style polyalphabetic substitution: each byte is XORed with a fixed, publicly known key stream
– Weak because it is reversible; anyone who can read the configuration recovers the password
Router(config)# enable password cisco
Router# show run | include enable
enable password cisco
Router(config)# service password-encryption
Router# show run | include enable
enable password 7 02050D480809

Service Password-Encryption
 Below is a tool from the first hit on Google
– Search term: cisco service password-encryption cracker
[Screenshot of the online type 7 cracker, not reproduced]
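The online tool the slide points at is a few lines of code; the following Python decoder is an added example for this page (not from the presentation or Cisco) that shows why type 7 is obfuscation rather than encryption: every IOS device uses the same fixed key stream, and the first two digits of the string are just the starting offset into it. The sample configuration is constructed from the type 7 strings printed on this deck's slides.

```python
"""Decode Cisco IOS type 7 strings (the output of 'service password-encryption').

Added example, not from the presentation. Type 7 is a reversible XOR
obfuscation: every IOS device uses the same fixed key stream below, and the
first two digits of the string give the starting offset into it.
"""
from __future__ import annotations
import re

# Fixed key stream shared by all IOS devices.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# 'password 7 <hex>' or 'key 7 <hex>' as it appears in a running-config.
_TYPE7_RE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})")


def decode_type7(encoded: str) -> str:
    """'02050D480809' -> 'cisco'. Raises ValueError on malformed input."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of hex digits, at least 4")
    seed = int(encoded[:2], 10)            # offset into XLAT, written in decimal
    body = bytes.fromhex(encoded[2:])      # one hex byte per plaintext character
    return "".join(chr(b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(body))


def encode_type7(plaintext: str, seed: int = 2) -> str:
    """Inverse of decode_type7, to show the scheme is a fixed-key XOR, not a hash."""
    body = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plaintext))
    return f"{seed:02d}{body.hex().upper()}"


def find_type7(config: str) -> list[tuple[str, str]]:
    """Return (config line, recovered plaintext) for every type 7 secret found."""
    hits = []
    for line in config.splitlines():
        m = _TYPE7_RE.search(line)
        if m:
            hits.append((line.strip(), decode_type7(m.group(1))))
    return hits


# Constructed sample config; the type 7 strings are the ones printed on the slides.
SAMPLE_CONFIG = """\
enable password 7 02050D480809
username cisco password 7 02250D4808095E731F1A5C
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for line, plain in find_type7(SAMPLE_CONFIG):
        print(f"{line:55} -> {plain}")
```

Running it over a saved configuration is a quick audit for secrets that should have been type 5 (or later, type 8/9) hashes instead; the `enable secret 4` line is correctly left alone because it is a hash, not a type 7 string.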

SHA/MD5 Password Protection (see Appendix for functionality)
 One-way hash algorithm; the stored value is not reversible
 SHA256 (type 4) is the default for enable secret in IOS routers starting in 15.0(1)S
Router(config)# enable secret ?
  0      Specifies an UNENCRYPTED password will follow
  4      Specifies an SHA256 ENCRYPTED secret will follow
  5      Specifies an MD5 ENCRYPTED secret will follow
  LINE   The UNENCRYPTED (cleartext) 'enable' secret
  level  Set exec level password
Router(config)# enable secret cisco
Router# show run | include enable
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
enable password cisco
Note that the plaintext enable password still sits in the configuration next to the secret; the secret takes precedence, so remove the enable password. The appendix (Type 4 versus Type 5 vulnerability) explains why type 4 as shipped is weaker than the MD5-based type 5.

Password Cracking
[Diagram: hashcat takes the hashed password, a word list and the algorithm as input and outputs the unencrypted password]
 Ars Technica case study cracked 45% of a 17,000 hashed password list in 90 seconds using the above technique
 SHA256/MD5 hashes are protected using a salt
–  A salt is a random sequence of characters combined with the password before hashing, so equal passwords do not produce equal hashes

Access Control Server (ACS) Integration (see Appendix for configuration examples and best practices)
[Diagram: configuring the ACS server]
 Passwords are only as safe as their storage medium
 ACS integration provides a centralized service to store passwords
 A compromised router configuration then provides no insight into user passwords

One Time Passwords (OTP)
 One-time passwords are used to restrict access for temporary users
– Introduced in 12.4
Router(config)# username TAC one-time secret cisco
 ACS OTP provides two-tier authentication
– A secure token generates the password
– A new password is required for every login session
[Diagram: the user's password (Cisco12345) combined with the code from an RSA token generator (457AE59H) forms the one-time login password]

Password Security Tiers
• Simple unencrypted password
• Hashed password (MD5/SHA256)
• Password restrictions
• Centralized storage of passwords (ACS)
• One-time-use passwords

Session Limits (see Appendix for configuration examples)
 Restricting brute-force attempts mitigates the attack by delaying its success

  Password length                          Time to crack
  12-digit password                        6 months
  12-digit password + login restriction    758 billion years

 Login block for failed login attempts
login block-for 30 attempts 3 within 10
The figures are the slide's illustration for online guessing against the router itself; a login block does nothing to slow offline cracking of a hash copied out of the configuration.
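What the command buys can be seen by modelling it. The Python below is an added example written for this page, not IOS code: a simplified model of `login block-for B attempts A within W` (sliding failure window, quiet mode rejects everything, a successful login clears the failure count are the model's assumptions) run over a constructed sequence of attempts, plus the best guess rate an online attacker can get past it.

```python
"""Model of IOS 'login block-for B attempts A within W' and what it does to
an online password-guessing attack. Added example: a simplified model written
for this page, not IOS code."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class LoginBlocker:
    block_for: int = 30     # quiet-mode length in seconds
    attempts: int = 3       # failures that trigger quiet mode ...
    within: int = 10        # ... if they occur inside this many seconds
    _failures: list[float] = field(default_factory=list)
    _quiet_until: float = 0.0

    def attempt(self, t: float, success: bool) -> str:
        """Process one login attempt at time t (seconds) and return its outcome."""
        if t < self._quiet_until:
            return "quiet-mode-drop"          # not even evaluated during quiet mode
        if success:
            self._failures.clear()
            return "accepted"
        self._failures = [f for f in self._failures if t - f <= self.within] + [t]
        if len(self._failures) >= self.attempts:
            self._quiet_until = t + self.block_for
            self._failures.clear()
            return "failed-quiet-mode-entered"
        return "failed"


def simulate(events: list[tuple[float, bool]], **policy) -> list[str]:
    blocker = LoginBlocker(**policy)
    return [blocker.attempt(t, ok) for t, ok in events]


def max_guess_rate(block_for: int, attempts: int) -> float:
    """Best case for an online attacker: fire `attempts` guesses back to back,
    wait out the quiet period, repeat. That is attempts / block_for per
    second; the 'within' window does not help the attacker."""
    return attempts / block_for


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    return keyspace / guesses_per_second


# Constructed attempt log: (seconds since start, did the credentials match).
EVENTS = [(0.0, False), (1.0, False), (2.0, False), (5.0, False), (20.0, False), (33.0, True)]

if __name__ == "__main__":
    for (t, _), outcome in zip(EVENTS, simulate(EVENTS)):
        print(f"t={t:5.1f}s  {outcome}")
    rate = max_guess_rate(30, 3)
    print(f"max online rate {rate} guesses/s; 12 digits take "
          f"{seconds_to_exhaust(10**12, rate) / 31_557_600:.0f} years to exhaust")
```

The third failure at t=2 s lands inside the 10-second window and opens a 30-second quiet period, so the attempts at t=5 s and t=20 s are dropped unread; the legitimate login at t=33 s is accepted. With the slide's values an attacker is capped at 0.1 guesses per second against this VTY, which is why the online numbers in the table grow so large.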

Login Security Tiers
• Management access restriction
• Login banner
• Password security
• Session limits

User Security

Functionality Based User Security
[Diagram: the roles NOC, Contractor, Admin and TAC are each mapped to the functions they need: View Configuration, Troubleshooting Commands, Edit Configuration]

Command Based User Security
[Diagram: the roles Admin, Routing Protocols and Security are mapped to command groups: Configure Interface, Configure Routing Protocols, Configure Access Control]

Privilege Levels (see Appendix for complete configuration example)
User EXEC mode, Router>
• Privilege level 1 by default (level 0 contains only disable, enable, exit, help and logout)
• View the status of the router
Privileged EXEC mode, Router#
• Privilege level 15 by default
• Full access; configure terminal enters configuration mode from here
Global configuration mode, Router(config)#
• Reached from privileged EXEC
• Configuration commands

Changing Privilege Levels of Commands (see Appendix for complete configuration example)
[Diagram: the commands interface ethernet0/0 and shutdown are moved from level 15 down to level 7; username NOC is placed at level 7, above level 1]

Role Based Access Control (see Appendix for complete configuration example)
 Creates views so users can only see a subset of commands in the parser
 Provides more detailed control over CLI access than privilege levels
 Views are assigned to each user, restricting
– Commands seen in the parser
– Commands allowed to be issued
 Superviews can be used to aggregate functionality
 Introduced in 12.3(7)
parser view INTERN
 secret
 commands exec include show version
 commands exec include show

Remote Command Authorization (see Appendix for complete configuration example)
 A centralized server verifies commands before execution
– The user gets a command authorization set based on the device
– Scalable solution for large network environments
 The router communicates with ACS to verify each command before execution
Two questions are answered, in order:
1. Will IOS allow the user to issue the command? (privilege level of user and command; local command authorization)
2. Is the user authorized to run the command? (ACS server command list; remote command authorization)

User Security Tiers
• Privilege levels
• Role Based Access Control
• ACS command authorization

Insurance
 If the router is compromised
– How to mitigate the impact?
– How to restore the device to its last known working condition?
 Mitigating the impact of configuration changes
– Configuration archive
– IOS Resiliency
 Tracking down the source of the change
– Command accounting

Configuration Backup and Rollback
 Stores the configuration periodically to a destination location
archive
 path disk0:myconfig_backup
 maximum 5
 time-period 1440
 Force a configuration archive
Router# archive config
 Roll back the configuration
Router# configure replace disk0:myconfig_backup-<n>
Archived copies are numbered <path>-1, -2, ... up to the configured maximum; show archive lists them.
 Introduced in 12.3(7)T

IOS Resiliency (see Appendix for complete configuration example)
 Saves a copy of the running-config and the system image onto local storage
– This is called the primary bootset
– The primary bootset can be used to restore a previous image and config
 The feature can only be disabled from a console session
– It can be initially enabled from any CLI session
[Diagram: running config + system image form the primary bootset]
 Introduced in 12.3(8)T

Network Accounting (see Appendix for complete configuration example)
 Log command history to a location
– Local archive
– ACS
 Tracks configuration changes
– Per session
– Per user
archive
 log config
  logging enable
  logging size 200
  hidekeys
  notify syslog
 Introduced in 12.4(11)T
Router# show archive log config all
 idx  sess  user@line   Logged command
   1     8  NOC@vty0    |interface Ethernet0/2
   2     8  NOC@vty0    | shutdown

Configuration Change Security Tiers
• Configuration archive
• IOS Resiliency
• Network accounting

Control Plane Security

Control Plane Diagram
[Diagram: packets on the input forwarding path are classified by CEF into the aggregate control plane, which splits into three subinterfaces: host (port filter, queue threshold, host policing), transit (transit policing) and CEF exception (exception policing)]

Control Plane Policing (CPP)
 Rate-limit traffic to the CPU using a quality of service (QoS) policy
 Actions for traffic: permit, drop, rate limit
 Protects against control plane oversubscription

Control Plane Protection (CoPPr) (see Appendix for additional information)
The aggregate control plane is divided into three subinterfaces:
 Host
• Traffic destined to the router: management, routing protocols, tunnel traffic
 Transit
• Traffic traversing the router
 CEF Exception
• Traffic redirected to the route processor
• Features that require additional processing
• Packets with special attributes

Control Plane Protection Example
 Problem: the router receives too much traffic to process on non-listening ports
 Solution: pre-emptively drop all traffic destined to closed ports
 The router should only process traffic to open ports
– Services for management
– Services for monitoring
– Ephemeral ports opened by applications
[Diagram: map of the router's closed ports as seen from the Internet]

Control Plane Protection Port Filtering
class-map type port-filter match-all PORTFILTER_CMAP
 match closed-ports                                  ! match all closed ports
!
policy-map type port-filter PORTFILTER_PMAP
 class PORTFILTER_CMAP
  drop                                               ! drop any traffic to a closed port
!
control-plane host                                   ! apply to the host subinterface
 service-policy type port-filter input PORTFILTER_PMAP

Control Plane Protection Viewing Open Ports (see Appendix for complete configuration example)
 Only telnet is enabled on the router
Router# show control-plane host open-ports
Active internet connections (servers and established)
Prot   Local Address   Foreign Address   Service   State
tcp    *:23            *:0               Telnet    LISTEN
 Traffic destined to any other port on the router is dropped early
– Before CPU processing

Control Plane Security Tiers
• Aggregate control plane
• Control plane subinterface
• Network addressing/design

Data Plane Security

Data Plane Security
[Diagram: Internet on Ethernet0/1, internal network on Ethernet0/0; an internal client and HTTP, SMTP and FTP servers exchange HTTP and SMTP with servers on the Internet]

Access Groups and ACLs
[Diagram: the Client sits on the Ethernet0/0 side, the Webserver and an Attacker on the Ethernet0/1 side; the question marks on the slide flag that the inbound ACL cannot tell the webserver's replies from the attacker's packets]
ip access-list extended OUT_TO_IN
 permit tcp any eq 80 host Client
!
interface Ethernet0/1
 ip access-group OUT_TO_IN in
!
ip access-list extended IN_TO_OUT
 permit tcp host Client any eq 80
!
interface Ethernet0/0
 ip access-group IN_TO_OUT in
An ACL is stateless: OUT_TO_IN admits any TCP segment whose source port is 80, so an attacker who sets source port 80 gets through exactly as the webserver's replies do. A stateful firewall (next slides) admits only the replies to sessions the client actually opened.

Firewall
[Diagram: UNTRUSTED side (Internet, Attacker, Webserver, SMTP server) and TRUSTED side (Client, SMTP server) of the firewall; only the HTTP and SMTP sessions opened from inside cross it]

Zone Based Firewall (see Appendix for explanation of functionality)
[Diagram: the zones INSIDE (servers), GUEST and the Internet around the router]
zone security INSIDE
!
interface Ethernet0/0
 zone-member security INSIDE
!
zone security GUEST
!
interface Ethernet0/1
 zone-member security GUEST

Zone Based Firewall Configuration Theory
1. Identify traffic using a class-map
• Access-list
• Protocol
2. Apply an action using a policy-map
• Inspect
• Drop
• Pass
3. Bind to zones using a zone-pair
• The service policy is applied to traffic between the two zones

Zone Based Firewall Configuration Theory (see Appendix for complete configuration example)
 Identify traffic using a class-map
class-map type inspect match-all INSIDE_OUTBOUND_CMAP
 match protocol http
 match access-group 100
!
 Apply an action using a policy-map
policy-map type inspect INSIDE_OUTBOUND_PMAP
 class type inspect INSIDE_OUTBOUND_CMAP
  inspect
!
 Bind to zones using a zone-pair
zone-pair security IN2OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_OUTBOUND_PMAP

Datapath Security Tiers
• Access-groups
• Stateful firewall
• User-identity firewall
• Context aware

Protecting User Services

Attack Security
 Denial of Service attacks
– TCP SYN flood
– ICMP flood
 IP fragmentation attacks
– Tiny fragment
– Overlapping fragment
– Buffer overflow
 Spoofing attacks

Identifying Attack Vector
[Diagram: traffic enters on Ethernet0/1 and leaves on Ethernet0/0]
Router(config)# interface Ethernet0/1
Router(config-if)# ip access-group 100 in
Router(config-if)# ip flow ingress

Router# show access-list 100
Extended IP access list 100
    permit icmp any any echo (2 matches)
    permit icmp any any echo-reply (2 matches)
    permit tcp any any eq www (21374 matches)
    permit udp any any (15 matches)
    permit ip any any (45 matches)

Tracking Source of DoS attacks
Router# show ip cache flow
...
Protocol   Total Flows   Packets/Flow   Bytes/Pkt   (further columns omitted)
TCP-WWW    255           1              64
...
SrcIf   SrcIPaddress    DstIf   DstIPaddress   Pr   SrcP   DstP   Pkts
Et0/1   203.0.113.102   Et0/0   10.1.1.10      17   CDF7   0050   1
Et0/1   203.0.113.103   Et0/0   10.1.1.10      17   CDF7   0050   1
Et0/1   203.0.113.104   Et0/0   10.1.1.10      17   CDF7   0050   1
Et0/1   203.0.113.105   Et0/0   10.1.1.10      17   CDF7   0050   1
Many one-packet flows from different sources to the same destination and port, all with the same source port, is the signature of a generated flood rather than real clients.
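The pattern in that flow cache can be picked out automatically. The Python below is an added example for this page, not from the presentation: it parses flow lines laid out like the slide's (constructed here; Pr is the IP protocol number in hex, so 06 is TCP, and the ports are hex), groups them by destination and port, and reports targets hit by many distinct sources with single-packet flows, noting when all of them share one source port.

```python
"""Pick DoS sources out of 'show ip cache flow' style output. Added example,
not from the presentation; the flow lines are constructed in the slide's
column layout (Pr is the IP protocol in hex, ports in hex)."""
from __future__ import annotations
from collections import defaultdict

FLOW_SAMPLE = """\
SrcIf  SrcIPaddress     DstIf  DstIPaddress  Pr  SrcP  DstP  Pkts
Et0/1  203.0.113.102    Et0/0  10.1.1.10     06  CDF7  0050  1
Et0/1  203.0.113.103    Et0/0  10.1.1.10     06  CDF7  0050  1
Et0/1  203.0.113.104    Et0/0  10.1.1.10     06  CDF7  0050  1
Et0/1  203.0.113.105    Et0/0  10.1.1.10     06  CDF7  0050  1
Et0/0  10.1.1.20        Et0/1  198.51.100.7  06  D1A2  0050  37
Et0/1  198.51.100.7     Et0/0  10.1.1.20     06  0050  D1A2  35
"""


def parse_flows(text: str) -> list[dict]:
    """Turn the per-flow table into dicts; header and non-flow lines are skipped."""
    flows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "SrcIf":
            continue
        flows.append({
            "src_if": cols[0], "src": cols[1], "dst_if": cols[2], "dst": cols[3],
            "proto": int(cols[4], 16), "sport": int(cols[5], 16),
            "dport": int(cols[6], 16), "pkts": int(cols[7]),
        })
    return flows


def find_flood_targets(flows: list[dict], min_sources: int = 3, max_pkts: int = 1) -> dict:
    """Group flows by (dst, dport). A target hit by >= min_sources distinct
    sources whose flows each carry <= max_pkts packets looks like a flood:
    many one-packet 'sessions' are not what real clients produce."""
    by_target = defaultdict(list)
    for f in flows:
        if f["pkts"] <= max_pkts:
            by_target[(f["dst"], f["dport"])].append(f)
    report = {}
    for target, fl in by_target.items():
        sources = sorted({f["src"] for f in fl})
        if len(sources) >= min_sources:
            sports = {f["sport"] for f in fl}
            report[target] = {
                "sources": sources,
                "ingress": sorted({f["src_if"] for f in fl}),
                # one source port shared by many sources is a packet-generator tell
                "fixed_source_port": sports.pop() if len(sports) == 1 else None,
            }
    return report


if __name__ == "__main__":
    for (dst, port), info in find_flood_targets(parse_flows(FLOW_SAMPLE)).items():
        print(f"{dst}:{port} flooded from {len(info['sources'])} sources via {info['ingress']}"
              f" (fixed source port {info['fixed_source_port']}): {info['sources']}")
```

The two legitimate flows between 10.1.1.20 and 198.51.100.7 carry dozens of packets and are ignored; the report names the victim, the ingress interface to filter on, and the source list to feed into an ACL or to hand to the upstream provider.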

DoS Attack Mitigation

SYN Flood Attack Mitigation using TCP Intercept (see Appendix for complete configuration example)
Intercept mode (the router answers on behalf of the server):
  Client -> Router: SYN
  Router -> Client: SYN+ACK
  Client -> Router: ACK
  Router -> Server: SYN
  Server -> Router: SYN+ACK
  Router -> Server: ACK
  The server only sees connections that the client completed; the router then splices the two halves together.
Watch mode (the router observes the handshake):
  Client -> Server: SYN
  Server -> Client: SYN+ACK
  Client -> Server: ACK
  If the final ACK does not arrive within the watch timeout, the router sends RST to both sides to clear the half-open connection.

IP Fragmentation Attacks
[Diagram, as drawn on the slide: the original packet (IP header, TCP header, data) split into fragments]
 Tiny fragment: the first fragment is cut so short that the TCP header continues in the second fragment, so a filter that inspects only the first fragment cannot see the ports
 Overlapping fragments: fragment 2 claims an offset inside fragment 1, so the reassembled data depends on which fragment the host honours
 Buffer overflow: the fragments reassemble into a packet larger than the receiver's buffer was sized for

IP Fragmentation Attack Mitigation (see Appendix for complete configuration example)
 Use the fragments keyword in the ACL
ip access-list extended FRAGMENTS_ACL
 deny ip any host 192.168.1.100 fragments
 permit tcp any host 192.168.1.100 eq 80
 deny ip any any
[Diagram: fragment 1 (IP header, TCP header, data) and fragment 2 (IP header, data) arrive on Ethernet0/1 heading for Ethernet0/0]
The fragments keyword matches only non-initial fragments. Without the first line a non-initial fragment to the host would match the permit tcp ... eq 80 entry, because a non-initial fragment carries no port numbers and a permit entry with Layer 4 information lets such fragments through.
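That rule is easy to get wrong, so it is worth checking the ACL against whole packets, initial fragments and non-initial fragments rather than reasoning about it. The Python below is an added example for this page, not IOS code: a simplified model of Cisco's documented fragment handling applied to the slide's FRAGMENTS_ACL and to the same ACL with the fragments line removed, on constructed packets.

```python
"""Evaluate an IOS extended ACL against whole packets, initial fragments and
non-initial fragments, following Cisco's documented fragment rules.
Added example written for this page, not IOS code; a simplified model."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp" (known from the IP header)
    dport: Optional[int] = None  # None for non-initial fragments: no L4 header present
    frag_offset: int = 0         # > 0 marks a non-initial fragment


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: str                     # "any" or CIDR
    dst: str
    dport: Optional[int] = None  # L4 information, e.g. 'eq 80'
    fragments: bool = False      # the 'fragments' keyword


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt.

    Fragment rules modelled (from Cisco's ACL-and-fragments documentation):
      * an ACE with 'fragments' matches only non-initial fragments;
      * an ACE with L3 information only matches initial and non-initial alike;
      * an ACE with L4 information seen by a non-initial fragment: a permit
        ACE permits it (ports cannot be checked), a deny ACE is skipped.
    Anything unmatched hits the implicit deny.
    """
    non_initial = pkt.frag_offset > 0
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
            continue
        if ace.fragments:
            if non_initial:
                return ace.action
            continue
        if ace.dport is not None:                   # L4 information present
            if non_initial:
                if ace.action == "permit":
                    return "permit"
                continue
            if pkt.dport != ace.dport:
                continue
        return ace.action
    return "deny"


HOST = "192.168.1.100/32"
# The slide's FRAGMENTS_ACL.
HARDENED = [
    Ace("deny", "ip", "any", HOST, fragments=True),
    Ace("permit", "tcp", "any", HOST, dport=80),
    Ace("deny", "ip", "any", "any"),
]
# The same ACL without the 'fragments' line.
WITHOUT_FRAGMENTS_ACE = HARDENED[1:]

# Constructed packets.
WEB_REQUEST = Packet("203.0.113.9", "192.168.1.100", "tcp", dport=80)
SSH_ATTEMPT = Packet("203.0.113.9", "192.168.1.100", "tcp", dport=22)
NON_INITIAL = Packet("203.0.113.9", "192.168.1.100", "tcp", dport=None, frag_offset=185)

if __name__ == "__main__":
    for name, acl in (("with fragments ACE", HARDENED), ("without", WITHOUT_FRAGMENTS_ACE)):
        print(name, [evaluate(acl, p) for p in (WEB_REQUEST, SSH_ATTEMPT, NON_INITIAL)])
```

The web request and the SSH attempt are treated the same by both ACLs; only the non-initial fragment differs, and it is exactly the packet the tiny-fragment and overlapping-fragment attacks rely on.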

Spoofing Attacks (see Appendix for complete configuration example)
Unicast Reverse Path Forwarding
[Diagram: a packet with Src 20.1.1.100, Dst 10.1.1.200 arrives on Ethernet0/1 and would be forwarded out Ethernet0/0]
Router# show ip route
C    10.1.1.0/24 is directly connected, Ethernet0/0
C    192.1.1.0/24 is directly connected, Ethernet0/1
S    20.1.1.0/24 via Ethernet0/0
The route back to the packet's source 20.1.1.0/24 points out Ethernet0/0, not the interface the packet arrived on, so uRPF in strict mode drops it as spoofed.
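The check the router makes is a longest-prefix lookup on the source address followed by an interface comparison. The Python below is an added example written for this page, not IOS code; it runs strict and loose mode over the routing table reconstructed from the slide, and its `allow_default` flag plays the role of the allow-default keyword on `ip verify unicast source reachable-via` (an assumption about how that keyword is modelled, not a quote of IOS behaviour).

```python
"""Strict and loose unicast RPF decisions against a routing table. Added
example written for this page, not IOS code."""
from __future__ import annotations
from ipaddress import ip_address, ip_network

# prefix -> egress interface, from the slide's 'show ip route'.
ROUTES = {
    "10.1.1.0/24": "Ethernet0/0",
    "192.1.1.0/24": "Ethernet0/1",
    "20.1.1.0/24": "Ethernet0/0",
}


def lookup(routes: dict[str, str], addr: str):
    """Longest-prefix match; returns (network, interface) or None."""
    a = ip_address(addr)
    best = None
    for prefix, iface in routes.items():
        net = ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(routes: dict[str, str], src: str, ingress: str,
               mode: str = "strict", allow_default: bool = False) -> str:
    """'pass' or 'drop' for a packet with source src arriving on ingress.

    strict (reachable-via rx): the best route back to src must point out the
      interface the packet arrived on.
    loose (reachable-via any): any non-null route to src is enough; catches
      unrouted/bogon sources but not sources that are merely on the wrong side.
    A default route only satisfies the check when allow_default is set.
    """
    route = lookup(routes, src)
    if route is None:
        return "drop"
    net, iface = route
    if iface == "Null0":
        return "drop"
    if net.prefixlen == 0 and not allow_default:
        return "drop"
    if mode == "loose":
        return "pass"
    return "pass" if iface == ingress else "drop"


if __name__ == "__main__":
    # The slide's packet: Src 20.1.1.100 arriving on Ethernet0/1, while the
    # route back to 20.1.1.0/24 points out Ethernet0/0.
    print("strict:", urpf_check(ROUTES, "20.1.1.100", "Ethernet0/1"))
    print("loose :", urpf_check(ROUTES, "20.1.1.100", "Ethernet0/1", mode="loose"))
```

Loose mode passes the slide's packet, which is the usual argument for strict mode on edge interfaces with symmetric routing; the default-route handling shows why strict mode behind a default route needs allow-default to be considered explicitly rather than enabled by reflex.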

Fundamental IPv6 Security

IPv6 Address Scope
  mask   IPv4 addresses     IPv6 addresses
  /24    2^8  = 256         2^104 ≈ 2.028 x 10^31
  /16    2^16 = 65536       2^112 ≈ 5.192 x 10^33

ICMPv6 Permissions
 ICMPv6 is mandatory in IPv6
– Used for infrastructure control
– Error notification responses
 An ACL that drops all ICMP, as is common for ICMPv4, must be altered to allow the ICMPv6 messages IPv6 depends on
 ICMPv6 functionality in IPv6
– Neighbour Discovery
– Stateless Address Autoconfiguration
– Path Maximum Transmission Unit Discovery (pMTUd)

Neighbour Discovery
 Functionality is to assess reachability of neighbours
 Maps a Layer 3 IPv6 address to a Layer 2 MAC address
 Also used for Duplicate Address Detection (DAD)

            IPv4                      IPv6
  Request   ARP Request, broadcast    Neighbour Solicitation, solicited-node multicast
  Reply     ARP Reply, unicast        Neighbour Advertisement, unicast

Stateful DHCP
 The DHCPv6 server allocates one or more IPv6 addresses or prefixes to a DHCPv6 client
 DHCP options can be provided to the client
– DNS server
– Domain name
 The DHCPv6 server maintains state
– It stores the leased IPv6 addresses and lease details in its database

Stateless DHCP (used with SLAAC)
 Two messages are used
– INFORMATION-REQUEST
– REPLY
 The DHCPv6 server only provides configuration information
– DNS server
– Domain name
 Assumption:
– The client acquires its IPv6 address through other means (SLAAC)

Summary of Security Best Practices
 Control management access to trusted IPs and interfaces
 Use the login banner as a notification tool
 Configure secure passwords stored on a centralized server
 Control authenticated user movement by using command authorization
 Archive configurations for insurance
 Enforce command accounting to track changes on the device
 Protect the control plane by rate limiting or dropping traffic to the CPU
 Configure a firewall to protect user services
 Implement attack security features based on network vulnerabilities
 Be aware of the differences in IPv6 networks

Complete Your Online Session Evaluation
 Give us your feedback and you could win fabulous prizes. Winners announced daily.  Receive 20 Cisco Daily Challenge points for each session evaluation you complete.  Complete your session evaluation online now through either the mobile app or internet kiosk stations.
Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.


Appendix

Type 4 versus Type 5 vulnerability
 Type 4 was designed as a Password-Based Key Derivation Function version 2 (PBKDF2):
– Hash algorithm = SHA-256
– Password = the user-provided plaintext password
– Salt = 80 bits (generated by calling a cryptographically secure random number generator)
– Iteration count = 1,000 (one thousand)
 Due to an implementation issue, the Type 4 password algorithm does not use PBKDF2 and does not use a salt, but instead performs a single iteration of SHA-256 over the user-provided plaintext password.
 This makes a Type 4 password less resilient to brute-force attacks than a Type 5 password of equivalent complexity.
Later IOS releases deprecated type 4 in favour of type 8 (PBKDF2-SHA256) and type 9 (scrypt) secrets; where those are available, prefer them over both type 4 and type 5.
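The practical difference between what shipped and what was designed is in how cracking cost scales. The Python below is an added example written for this page, not Cisco code: an unsalted single SHA-256 beside the salted, iterated PBKDF2 the slide describes, and a wordlist attack against each. The base64 alphabet used for the type 4 string is an assumption taken from public descriptions of the format; the example demonstrates the structure and does not claim to reproduce the exact strings on the slides.

```python
"""Unsalted single SHA-256 (what IOS type 4 shipped as) versus the salted,
iterated PBKDF2 it was designed to be. Added example written for this page,
not Cisco code."""
from __future__ import annotations
import base64
import hashlib
import os

# Assumption: type 4 strings use the "./0-9A-Za-z" alphabet, unpadded.
_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_CISCO = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_TO_CISCO = str.maketrans(_STD, _CISCO)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode().rstrip("=").translate(_TO_CISCO)


def type4_as_shipped(password: str) -> str:
    """One SHA-256 over the password: no salt, no iteration count."""
    return _b64(hashlib.sha256(password.encode()).digest())


def type4_as_designed(password: str, salt: bytes, iterations: int = 1000) -> str:
    """PBKDF2-HMAC-SHA256 with an 80-bit salt and 1000 iterations, per the slide.
    The salt is stored with the hash (here: hex salt, '$', encoded key)."""
    if len(salt) != 10:
        raise ValueError("salt must be 80 bits (10 bytes)")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${_b64(key)}"


def verify_designed(password: str, stored: str, iterations: int = 1000) -> bool:
    salt_hex, _ = stored.split("$", 1)
    return type4_as_designed(password, bytes.fromhex(salt_hex), iterations) == stored


def crack_unsalted(captured: list[str], wordlist: list[str]) -> dict[str, str | None]:
    """One table built once serves every captured hash from every device."""
    table = {type4_as_shipped(w): w for w in wordlist}
    return {h: table.get(h) for h in captured}


def crack_salted(captured: list[str], wordlist: list[str]) -> dict[str, str | None]:
    """Each captured hash needs its own pass over the wordlist, times the iterations."""
    return {h: next((w for w in wordlist if verify_designed(w, h)), None) for h in captured}


def hash_operations(n_hashes: int, words: int, salted: bool, iterations: int = 1000) -> int:
    """Work to try every word against every captured hash."""
    return words * (n_hashes * iterations if salted else 1)


# Constructed wordlist and 'captured' type 4 strings from two devices.
WORDLIST = ["password", "cisco", "Cisco12345", "letmein"]
CAPTURED_TYPE4 = [type4_as_shipped("Cisco12345"), type4_as_shipped("correct horse")]

if __name__ == "__main__":
    print(crack_unsalted(CAPTURED_TYPE4, WORDLIST))
    salted = [type4_as_designed("Cisco12345", os.urandom(10)) for _ in range(2)]
    print(crack_salted(salted, WORDLIST))
    print(hash_operations(1000, 10**6, salted=False), hash_operations(1000, 10**6, salted=True))
```

With no salt, a million-word table cracks a thousand captured configurations for the price of a million hashes, and two devices with the same password show the same string in their configurations; with the designed scheme the same job costs a thousand million million hash operations and every device's hash has to be attacked separately.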

ACS Integration Configuration Example
 Configure the ACS server information on the IOS router
Router(config)# tacacs server MYTACACS
Router(config-server-tacacs)# address ipv4 10.1.1.100
Router(config-server-tacacs)# key Cisco12345
 Create an authentication list that uses the ACS server, with local fallback
Router(config)# aaa authentication login MANAGEMENT group tacacs+ local
 Apply the authentication list to the management sessions
Router(config)# line vty 0 4
Router(config-line)# login authentication MANAGEMENT

ACS Integration Best Practices
 Local fallback ensures that the router is still accessible when ACS is unavailable
Router(config)# aaa authentication login MANAGEMENT group tacacs+ local
 Test the ACS configuration before applying it, to avoid being locked out of the router
Router# test aaa group tacacs+ <username> <password> new-code
User Rejected
 Using a reliable source interface ensures consistent access to the ACS server (and a stable client address for the ACS to key on)
Router(config)# ip tacacs source-interface Loopback0

Example on login blocking and timeouts
 Login block configuration (login block-for is a global command, not a line command)
line vty 0 4
 login authentication MANAGEMENT
 transport input telnet
!
login block-for 30 attempts 3 within 10
 Session timeouts
line vty 0 4
 exec-timeout 5
The slide uses transport input telnet for brevity; the Login Methods slide earlier in this session recommends transport input ssh.

Changing Privilege Levels of Commands
 Commands can be moved down to different privilege levels
– Provides restricted configuration access
username NOC privilege 7 secret 5 $1$tmIw$1aM7sadKhWMpkVTzxNw1J.
!
privilege interface all level 7 shutdown
privilege interface all level 7 no shutdown
privilege configure level 7 interface
privilege exec level 7 configure terminal
 User NOC can shut and no shut interfaces
– Cannot configure any other interface features

Assigning Privilege Levels
aaa new-model
!
username admin privilege 15 secret 4 tnhtc92DXBhelxjYk8LWJrPV362i4ntXrpb4RFmfqY
username NOC privilege 1 secret 4 tnhtc92DXBhelxjYk8LWJrPV362i4ntXrpb4RFmfqY
!
aaa authentication login AUTHENTICATION_MANAGEMENT local
aaa authorization exec AUTHORIZATION_MANAGEMENT local
!
line vty 0 4
 login authentication AUTHENTICATION_MANAGEMENT
 authorization exec AUTHORIZATION_MANAGEMENT
Both users carry the same type 4 string, so they share the same password: type 4 is unsalted (see Type 4 versus Type 5 vulnerability), so identical passwords always show up as identical hashes in the configuration.

Privilege Levels in Use
[User]$ telnet 10.1.1.1
Trying 10.1.1.1...
Connected to 10.1.1.1.
Escape character is '^]'.
This is the LOGIN banner
Username: NOC
Password:
This is the EXEC banner
Router> show privilege
Current privilege level is 1

[User]$ telnet 10.1.1.1
Trying 10.1.1.1...
Connected to 10.1.1.1.
Escape character is '^]'.
This is the LOGIN banner
Username: admin
Password:
This is the EXEC banner
Router# show privilege
Current privilege level is 15

Role Based Access Control Configuration Example
parser view INTERN
 secret
 commands exec include show version
 commands exec include show
!
parser view NOC
 secret
 commands interface include shutdown
 commands configure include interface
 commands configure include interface FastEthernet0/1
 commands exec include configure terminal
 commands exec include configure
!
parser view ADMIN superview
 secret
 view INTERN
 view NOC

Role Based Access Control User Setup
 Apply the view to the username to force that user into the view
username DAFFY privilege 15 view NOC secret DUCK
 User authorization must be enabled
aaa new-model
!
aaa authorization exec EXEC_AUTHORIZATION_LIST local
The authorization list must also be applied to the lines (authorization exec EXEC_AUTHORIZATION_LIST under line vty, as on the Assigning Privilege Levels slide), and views can only be created after aaa new-model is configured and the root view has been entered with enable view.

ACS Command Authorization
 ACS authentication must be enabled so users are mapped correctly
 The router communicates with ACS to verify each command before execution
aaa new-model
!
aaa authentication login default group tacacs+ local
!
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
 This provides scalability
– The same users can be allowed the same commands on all devices

IOS Resiliency
 From a console session
Router(config)# secure boot-config
*Feb 25 18:56:18.458: %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [disk0:.runcfg-20130225-185618.ar]
Router(config)# no secure boot-config
*Feb 25 18:56:24.745: %IOS_RESILIENCE-5-CONFIG_RESIL_INACTIVE: Disabled secure config archival [removed disk0:.runcfg-20130225-185618.ar]
 From a telnet session
Router(config)# no secure boot-config
%You must be logged on the console to apply this command
The companion command secure boot-image protects the IOS image the same way; secured files are hidden from dir and cannot be removed with delete.

Network Accounting Configuration Example
 Configure the router to send command accounting history to ACS
aaa new-model
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Fundamental Security: AutoSecure

 Cisco IOS can automate security implementation
 AutoSecure
  – Secures a router by using a single CLI command
  – Disables common IP services that can be exploited
  – Enables IP services and features to defend the network
 AutoSecure can be enabled per feature or all features

AutoSecure Feature Options

  Router#auto secure ?
    firewall       AutoSecure Firewall
    forwarding     Secure Forwarding Plane
    full           Interactive full session of AutoSecure
    login          AutoSecure Login
    management     Secure Management Plane
    no-interact    Non-interactive session of AutoSecure
    ntp            AutoSecure NTP
    ssh            AutoSecure SSH
    tcp-intercept  AutoSecure TCP Intercept
    <cr>

AutoSecure Securing Login

  Router#auto secure login
  Gathering information about the router for AutoSecure
  Enter the new enable password:
  Confirm the enable password:
  Configuration of local user database
  Enter the username: cisco
  Enter the password:
  Configuring AAA local authentication
  Configuring console, Aux and vty lines for local authentication, exec-timeout, transport
  Securing device against Login Attacks
  Configure the following parameters
  Blocking Period when Login Attack detected: 30
  Maximum Login failures with the device: 3
  Maximum time period for crossing the failed login attempts: 10

AutoSecure Login configuration

  enable password 7 02250D4808095E731F1A5C
  username cisco password 7 02250D4808095E731F1A5C
  aaa new-model
  aaa authentication login local_auth local
  !
  line vty 0 4
   login authentication local_auth
   transport input telnet
  login block-for 30 attempts 3 within 10
  !
  end
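The configuration AutoSecure produced above is worth re-checking by hand: type 7 passwords are reversible obfuscation rather than hashes, "enable password" is weaker than "enable secret", and the vty lines still accept cleartext telnet. The script below is an added example, not code from the BRKSEC-2017 deck or from Cisco: it parses an IOS login configuration (sub-mode commands are the indented lines) and reports those weak points plus the absence of AAA or login blocking. The sample configuration is a constructed copy of the slide's output with the type 7 string replaced by a placeholder.

```python
"""Audit a Cisco IOS login configuration for weak management-plane settings.

Added example (not from the BRKSEC-2017 deck). Checks an IOS running-config
fragment for: reversible type 7 passwords, "enable password" instead of
"enable secret", cleartext telnet on the vty lines, and the presence of
"aaa new-model" and "login block-for".
"""
import re

# Constructed sample, modelled on the AutoSecure login output on the slide;
# the type 7 string is a placeholder, not a real obfuscated password.
SAMPLE_CONFIG = """\
enable password 7 PLACEHOLDER_TYPE7
username cisco password 7 PLACEHOLDER_TYPE7
aaa new-model
aaa authentication login local_auth local
!
line vty 0 4
 login authentication local_auth
 transport input telnet
login block-for 30 attempts 3 within 10
!
end
"""


def parse_config(text):
    """Return (global_lines, {line_section: [sub_commands]}).

    IOS writes sub-mode commands with a leading space; a non-indented
    line ends the current "line ..." section.
    """
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            if raw.strip() and raw.strip() != "!":
                global_lines.append(raw.strip())
    return global_lines, sections


def audit_login_config(text):
    """Return a sorted list of finding strings for the given config text."""
    glob, sections = parse_config(text)
    findings = set()
    for cmd in glob:
        if cmd.startswith("enable password"):
            findings.add("enable password used; prefer 'enable secret'")
        if re.search(r"\bpassword 7 \S+", cmd):
            findings.add("type 7 password is reversible obfuscation, not a hash")
    if "aaa new-model" not in glob:
        findings.add("aaa new-model missing")
    if not any(c.startswith("login block-for") for c in glob):
        findings.add("login block-for missing: no brute-force lockout")
    for name, subs in sections.items():
        if not name.startswith("line vty"):
            continue
        if any(s.startswith("transport input") and "telnet" in s for s in subs):
            findings.add(f"{name}: transport input allows telnet (cleartext)")
        if not any(s.startswith("login authentication") for s in subs):
            findings.add(f"{name}: no 'login authentication' method list")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_login_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the slide's configuration it reports three findings (enable password, type 7, telnet); the same config with "enable secret", "username ... secret" and "transport input ssh" reports none.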

Control Plane Protection (CoPPr) Benefits

 Extends protection against DoS attacks on infrastructure routers by providing a mechanism for finer policing of control plane traffic that allows you to rate-limit each type individually
 Provides a mechanism for early dropping of packets that are directed to closed or nonlistened Cisco IOS TCP/UDP ports
 Provides ability to limit protocol queue usage such that no single protocol flood can overwhelm the input interface
 Provides QoS control for packets that are destined to the control plane of Cisco routers
 Provides better platform reliability, security, and availability
 Provides CPU protection so it can be used for important jobs, such as routing

Control Plane Protection Monitoring Drops

  Router#show control-plane counters
  Feature Path       Packets processed/dropped/errors
  Aggregate          3/0/0
  Host               3/3/0
  Transit            0/0/0
  Cef-exception      0/0/0

  Router#show control-plane host counters
  Control plane host path counters :
  Feature                 Packets Processed/Dropped/Errors
  -------------------------------------------------------
  TCP/UDP Portfilter      3/3/0
  -------------------------------------------------------

Control Plane Protection Monitoring Drops

  Router#show policy-map type port-filter control-plane all
  Control Plane Host
  Service-policy port-filter input: PORTFILTER_PMAP
    Class-map: PORTFILTER_CMAP (match-all)
      3 packets, 180 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: closed-ports
      drop
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
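The two counter displays above are what a monitoring job would poll to see whether the port-filter policy is actually dropping closed-port traffic. The parser below is an added example, not code from the BRKSEC-2017 deck or from Cisco: it turns the "processed/dropped/errors" rows of "show control-plane counters" and "show control-plane host counters" into a dictionary and lists the paths or features whose drop counter exceeds a threshold. The sample output is a constructed copy of the slide text; the threshold is this example's own parameter.

```python
"""Parse `show control-plane [host] counters` output and flag drops.

Added example (not from the BRKSEC-2017 deck). Works on the row format
"<name>   processed/dropped/errors" that both commands on the slide use.
"""
import re

# Constructed copies of the slide output.
SAMPLE_COUNTERS = """\
Feature Path       Packets processed/dropped/errors
Aggregate          3/0/0
Host               3/3/0
Transit            0/0/0
Cef-exception      0/0/0
"""

SAMPLE_HOST_COUNTERS = """\
Control plane host path counters :
Feature                 Packets Processed/Dropped/Errors
-------------------------------------------------------
TCP/UDP Portfilter      3/3/0
-------------------------------------------------------
"""

# A counter row: a name (may contain spaces and '/'), then three integers.
ROW_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z0-9/_ -]*?)\s+(?P<p>\d+)/(?P<d>\d+)/(?P<e>\d+)\s*$"
)


def parse_counters(text):
    """Return {name: (processed, dropped, errors)} for each counter row.

    Header lines and dashed separators contain no x/y/z triple and are skipped.
    """
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[m["name"].strip()] = (int(m["p"]), int(m["d"]), int(m["e"]))
    return rows


def drop_alerts(rows, threshold=0):
    """Return [(name, dropped, drop_ratio)] for rows with dropped > threshold.

    drop_ratio is dropped/processed (0.0 when nothing was processed), which
    tells you whether drops are a trickle of scans or most of the host path.
    """
    alerts = []
    for name, (processed, dropped, _errors) in rows.items():
        if dropped > threshold:
            ratio = dropped / processed if processed else 0.0
            alerts.append((name, dropped, round(ratio, 2)))
    return alerts


if __name__ == "__main__":
    for name, dropped, ratio in drop_alerts(parse_counters(SAMPLE_COUNTERS)):
        print(f"control-plane path {name}: {dropped} dropped ({ratio:.0%})")
    for name, dropped, ratio in drop_alerts(parse_counters(SAMPLE_HOST_COUNTERS)):
        print(f"host feature {name}: {dropped} dropped ({ratio:.0%})")
```

On the slide's output the Host path shows 3/3/0 and the TCP/UDP Portfilter feature also 3/3/0, so every host-path drop is accounted for by the closed-port filter; a Host drop count larger than the port-filter count would point at another CoPPr feature.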

Infrastructure Security: IPv6 Consideration

 Infrastructure can be protected if attackers cannot access it
  – draft-ietf-opsec-lla-only-03
 Applying link local addresses to infrastructure links reduces attack surface
  – Infrastructure links can only be attacked from the local link
 Loopback addresses are configured with Global Unique Addresses
  – Allows ICMP error response packets
  – Only Loopback address needs to be secured

IPv6 Link Local Only Example

[Diagram: infrastructure links addressed with link-local addresses only (FE80::100, FE80::101, FE80::200, FE80::201, FE80::300, FE80::301); global prefixes 2001:DB8:100::/64 and 2001:DB8:200::/64 are used on the edge networks]

Zone Based Firewall Overview

 Current IOS firewall solution
 Scalable deployment capability
  – Class-maps that match traffic can be reused in multiple policies
 Security policies are applied to zones and not to interfaces
  – Reduces redundant configuration for same interfaces
 Zones are applied to various router interfaces to control traffic
  – Integrates well with VTI VPN solutions
 Each zone pair has its own security policy
  – Granular control with traffic directionality
 BRKSEC-3007 – Advanced Cisco IOS Security Features

TCP Intercept

  access-list 101 permit any
  !
  ip tcp intercept list 101
  ip tcp intercept mode intercept
  ip tcp intercept drop-mode random
  ip tcp intercept max-incomplete low 2000 high 3000
  ip tcp intercept one-minute low 1000 high 1500

 TCP intercept is enabled because the one minute rate exceeded 1500 embryonic connection attempts

  Jan 1 12:00:01 EST: %TCP-6-INTERCEPT: getting aggressive, count (2700/3000) 1 min 100

 TCP Intercept was disabled because the one minute rate fell below 900 embryonic connection attempts

  Jan 1 12:05:01 EST: %TCP-6-INTERCEPT: calming down, count (1800/2000) 1 min 900

ZBFW configuration example

  zone security INSIDE
  zone security OUTSIDE
  !
  interface Ethernet0/0
   zone-member security INSIDE
  interface Ethernet0/1
   zone-member security OUTSIDE
  !
  class-map type inspect INSIDE_OUTBOUND_CMAP
   match protocol http
  !
  policy-map type inspect INSIDE_OUTBOUND_PMAP
   class type inspect INSIDE_OUTBOUND_CMAP
    inspect
  !
  zone-pair security IN2OUT source INSIDE destination OUTSIDE
   service-policy type inspect INSIDE_OUTBOUND_PMAP

IP Fragmentation Attack Mitigation: IP Virtual Fragment Reassembly (VFR) Configuration

 Enabling VFR

  Router(config)# interface Ethernet0/0
  Router(config-if)# ip virtual-reassembly in

 Restricting the number of concurrent IP datagrams

  Router(config)# interface Ethernet0/0
  Router(config-if)# ip virtual-reassembly in max-reassemblies 64

 Limiting the number of fragments per IP datagram

  Router(config)# interface Ethernet0/0
  Router(config-if)# ip virtual-reassembly in max-fragments 16

 Drop all IP fragments

  Router(config)# interface Ethernet0/0
  Router(config-if)# ip virtual-reassembly in drop-fragments

IP Fragmentation Attack Mitigation: IP Virtual Fragment Reassembly (VFR) Logs

 Basic features of enabling VFR
  VFR-3-OVERLAP_FRAGMENT
  VFR-3-TINY_FRAGMENTS
 Max-reassemblies – Maximum number of concurrent IP datagrams that can be reassembled
  VFR-4-FRAG_TABLE_OVERFLOW
 Max-fragments – Maximum number of fragments for the same IP datagram
  VFR-4-TOO_MANY_FRAGMENTS
 Drop-fragments – Drops all fragments
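The IOS Resiliency, TCP Intercept and VFR slides each produce syslog messages in the same %FACILITY-SEVERITY-MNEMONIC form, and those messages are the detection signal for a SOC: a CONFIG_RESIL_INACTIVE message means someone on the console switched the secure archive off, "getting aggressive" means the embryonic-connection threshold was crossed, and the VFR-3 messages mean crafted fragments arrived. The block below is an added example, not code from the BRKSEC-2017 deck or from Cisco: a parser for that message format with a rule table that assigns an alert level to each mnemonic and extracts the TCP Intercept counters. The sample lines are constructed from the messages on the slides (the VFR message bodies are invented placeholders); the alert levels are this example's own choice.

```python
"""Classify IOS syslog messages from the Resiliency, TCP Intercept and VFR features.

Added example (not from the BRKSEC-2017 deck). Parses the
"%FACILITY-SEVERITY-MNEMONIC: text" format and maps each message to an
alert level a SOC would use.
"""
import re

# Sample log lines, constructed from the messages shown on the slides.
SAMPLE_LOGS = [
    "*Feb 25 18:56:18.458: %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [disk0:.runcfg-20130225-185618.ar]",
    "*Feb 25 18:56:24.745: %IOS_RESILIENCE-5-CONFIG_RESIL_INACTIVE: Disabled secure config archival [removed disk0:.runcfg-20130225-185618.ar]",
    "Jan 1 12:00:01 EST: %TCP-6-INTERCEPT: getting aggressive, count (2700/3000) 1 min 100",
    "Jan 1 12:05:01 EST: %TCP-6-INTERCEPT: calming down, count (1800/2000) 1 min 900",
    "Jan 1 12:06:00 EST: %VFR-3-OVERLAP_FRAGMENT: dropping overlapping fragment (constructed text)",
    "Jan 1 12:06:05 EST: %VFR-4-FRAG_TABLE_OVERFLOW: fragment table full (constructed text)",
]

MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# TCP Intercept reports "count (current/high-water) 1 min <rate>".
COUNT_RE = re.compile(r"count \((?P<cur>\d+)/(?P<high>\d+)\) 1 min (?P<rate>\d+)")

# Alert level per (facility, mnemonic); anything unlisted is "info".
RULES = {
    ("IOS_RESILIENCE", "CONFIG_RESIL_INACTIVE"): "high",   # secure archive turned off
    ("IOS_RESILIENCE", "CONFIG_RESIL_ACTIVE"): "info",
    ("TCP", "INTERCEPT"): "medium",                        # refined on message text below
    ("VFR", "OVERLAP_FRAGMENT"): "medium",
    ("VFR", "TINY_FRAGMENTS"): "medium",
    ("VFR", "FRAG_TABLE_OVERFLOW"): "medium",
    ("VFR", "TOO_MANY_FRAGMENTS"): "medium",
}


def parse_syslog(line):
    """Return {facility, sev, mnemonic, text} for an IOS message, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def classify(line):
    """Return (alert_level, detail) for one syslog line."""
    rec = parse_syslog(line)
    if rec is None:
        return ("unparsed", line)
    key = (rec["facility"], rec["mnemonic"])
    level = RULES.get(key, "info")
    detail = f"{key[0]}-{rec['sev']}-{key[1]}"
    if key == ("TCP", "INTERCEPT"):
        # "calming down" means intercept left aggressive mode: informational.
        if rec["text"].startswith("calming down"):
            level = "info"
        c = COUNT_RE.search(rec["text"])
        if c:
            detail += f" embryonic={c['cur']}/{c['high']} rate={c['rate']}/min"
    return (level, detail)


def triage(lines):
    """Group lines by alert level: {level: [detail, ...]}."""
    out = {}
    for line in lines:
        level, detail = classify(line)
        out.setdefault(level, []).append(detail)
    return out


if __name__ == "__main__":
    for level, items in sorted(triage(SAMPLE_LOGS).items()):
        for item in items:
            print(f"[{level:6}] {item}")
```

The rule table is deliberately small; the point is that the resilience "inactive" message and the "getting aggressive" message are the two lines on these slides that should page someone, while the matching "active" and "calming down" messages only close the incident.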

Spoofing Attack Mitigation: uRPF configuration example

 Strict mode
  – The source address is in the Forwarding Information Base (FIB) and reachable only through the interface on which the packet was received

  Router(config)# interface Ethernet0/1
  Router(config-if)# ip verify unicast source reachable-via rx

 Loose mode
  – The source address is in the FIB and reachable through any interface on the router
  – Used for asymmetric routing or multi-homed ISP connections

  Router(config)# interface Ethernet0/1
  Router(config-if)# ip verify unicast source reachable-via any

uRPF Advanced Features

 Old configuration (DO NOT USE)

  Router(config)# interface Ethernet0/0
  Router(config-if)# ip verify unicast reverse-path

 Above command was replaced by below command in 12.0(15)S

  Router(config)# interface Ethernet0/0
  Router(config-if)# ip verify unicast source reachable-via [rx|any]

 Cisco Express Forwarding (CEF) must be enabled (on by default)

  Router(config)# ip cef

 Allow default route for uRPF verification

  Router(config)# interface Ethernet0/0
  Router(config-if)# ip verify unicast source reachable-via [rx|any] allow-default
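The strict, loose and allow-default variants on the two slides above differ only in which FIB lookups count as "reachable". The block below is an added example, not code from the BRKSEC-2017 deck or from Cisco: it models the decision with a small longest-prefix-match FIB so the three modes can be compared on the same packets, including the two cases practitioners most often get wrong (an asymmetric return path under strict mode, and a source that is only covered by the default route). The FIB contents, interface names and packets are constructed for the example; the Null0 handling follows the usual uRPF rule that a route to Null0 never satisfies the check, which is what makes source-based black-holing work with loose mode.

```python
"""Simulate unicast RPF decisions: strict (rx), loose (any), allow-default.

Added example (not from the BRKSEC-2017 deck). The FIB and packets below
are constructed; the check mirrors the semantics described on the slides.
"""
import ipaddress

# Constructed FIB: prefix -> egress interface. 0.0.0.0/0 is the default route.
FIB = {
    "10.1.0.0/16": "Ethernet0/1",
    "10.2.0.0/16": "Ethernet0/2",
    "192.0.2.0/24": "Null0",        # black-holed source range
    "0.0.0.0/0": "Ethernet0/0",
}


def lookup(fib, addr):
    """Longest-prefix match: return (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress, mode="rx", allow_default=False):
    """Return True if the packet passes uRPF, False if it should be dropped.

    mode="rx"  (strict): source must be reachable via the ingress interface.
    mode="any" (loose):  source must be in the FIB via any real interface.
    allow_default:       a match on the default route counts as reachable;
                         without it a default-route match is treated as
                         "not in the FIB" (what the allow-default keyword on
                         the slide changes).
    """
    hit = lookup(fib, src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if iface == "Null0":            # a route to Null0 never satisfies uRPF
        return False
    if mode == "rx":
        return iface == ingress
    if mode == "any":
        return True
    raise ValueError("mode must be 'rx' or 'any'")


if __name__ == "__main__":
    cases = [
        ("10.1.5.5", "Ethernet0/1", "rx", False),   # symmetric path: pass
        ("10.1.5.5", "Ethernet0/2", "rx", False),   # asymmetric path: strict drops
        ("10.1.5.5", "Ethernet0/2", "any", False),  # loose tolerates asymmetry
        ("192.0.2.9", "Ethernet0/0", "any", False), # black-holed source: drop
        ("203.0.113.1", "Ethernet0/0", "rx", False),  # default only: drop
        ("203.0.113.1", "Ethernet0/0", "rx", True),   # allow-default: pass
    ]
    for src, ingress, mode, allow in cases:
        verdict = "pass" if urpf_check(FIB, src, ingress, mode, allow) else "DROP"
        print(f"{src:>12} in {ingress} mode={mode} allow-default={allow}: {verdict}")
```

The asymmetric case is why the slide recommends loose mode for multi-homed connections: a legitimate packet arriving on Ethernet0/2 whose return route points at Ethernet0/1 is dropped by strict mode but accepted by loose mode.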

Stateful Address Assignment

 Centralized server performs all addressing tasks
  – Assigns IP addresses
  – Keeps track of client to address mapping
  – Provides additional network information
   – DNS server
   – Default gateway
 Examples of Stateful Address protocols
  – DHCP

Stateless Address Assignment

 Client dynamically takes on addressing tasks
  – Chooses own IP address
   – EUI-64
   – DAD used to avoid address duplication
  – Additional network information not provided by default
   – Provided by supporting server
 Examples of Stateless Address protocols
  – SLAAC (StateLess Address AutoConfiguration)
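The stateless column above says the client "chooses own IP address" via EUI-64; the block below is an added example, not code from the BRKSEC-2017 deck or from Cisco, showing what that step actually does: split the 48-bit MAC, insert FF:FE, flip the universal/local bit, and append the result to the advertised /64 (the same derivation gives the FE80::/64 link-local address the infrastructure slides rely on). The reverse function illustrates the security-relevant caveat: an EUI-64 address embeds the hardware address, so the host is identifiable across prefixes. The MAC address and prefixes are constructed sample values.

```python
"""Derive an IPv6 SLAAC address from a MAC with modified EUI-64, and back.

Added example (not from the BRKSEC-2017 deck). Uses only the standard
library; the MAC and prefixes are constructed sample values.
"""
import ipaddress


def eui64_interface_id(mac):
    """Return the 64-bit modified EUI-64 interface identifier as bytes.

    Steps: split the MAC into two 24-bit halves, insert FF:FE between
    them, and flip the universal/local bit (0x02 of the first octet).
    """
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must be six octets")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID of `mac`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    host = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | host)


def mac_from_eui64(addr):
    """Recover the MAC embedded in an EUI-64 address, or None if not EUI-64.

    This is the privacy concern with EUI-64: the hardware address is
    visible in every packet, so a host can be tracked across prefixes.
    """
    tail = ipaddress.IPv6Address(addr).packed[8:]
    if tail[3:5] != b"\xff\xfe":
        return None
    first = tail[0] ^ 0x02
    raw = bytes([first]) + tail[1:3] + tail[5:]
    return ":".join(f"{x:02x}" for x in raw)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                     # constructed sample MAC
    gua = slaac_address("2001:db8:100::/64", mac)
    lla = slaac_address("fe80::/64", mac)
    print("interface id:", eui64_interface_id(mac).hex())
    print("global address:", gua)
    print("link-local address:", lla)
    print("MAC recovered from address:", mac_from_eui64(str(gua)))
```

Both the global and the link-local address end in the same 21a:2bff:fe3c:4d5e, which is exactly the correlation an observer needs; privacy extensions (randomised interface identifiers) exist to break it.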
