Professional Documents
Culture Documents
Security PDF
Security PDF
NTW 2000
Introduction
NTW 2000
2000,
2000,Cisco
CiscoSystems,
Systems,Inc.
Inc.
NTW 2000
ISP Example
Internet
Foreign
Site
...
ISP Service Plane
T1
Customer Site
WWW DNS1
Pub1
...
4
Enterprise Example
Protected
Network
Engineering
Finance
Internet
Admin
WWW
Server
Dial-Up
Access
NTW 2000
DNS
Server
Business
Partners
NTW 2000
2000,
2000,Cisco
CiscoSystems,
Systems,Inc.
Inc.
Attack Trends
Exploiting passwords and poor
configurations
Software bugs
Trojan horses
Sniffers
IP address spoofing
Toolkits
Distributed attacks
NTW 2000
Attack Trends
High
Attacker
Knowledge
Attack
Sophistication
Low
1988
NTW 2000
2000
Automated
Scanning/Exploit
Tools Developed
Crude Exploit
Tools Distributed
Widespread Use
of Automated
Scanning/Exploit
Tools
Intruders Begin
Using New Types
of Exploits
Advanced
Intruders
Discover
Vulnerability
10
Evolving Dependence
Networked appliances/homes
Wireless stock transactions
On-line banking
Critical infrastructures
Business processes
NTW 2000
11
Internet
External
Exploitation
75% vulnerable
NTW 2000
100% vulnerable
Source: Cisco Security Posture
Assessments 1996-1999
12
Unauthorized Use
Percentage
of
Respondents
70
Yes
60
No
50
Don't
Know
40
30
20
10
0
1996
1997
1998
1999
2000
13
Conclusion
Sophisticated
attacks
+
Dependency
+
Vulnerability
NTW 2000
14
Classes of Attacks
Reconnaisance
Unauthorized discovery and
mapping of systems, services,
or vulnerabilities
Access
Unauthorized data
manipulation, system access,
or privilege escalation
Denial of Service
Disable or corrupt networks,
systems, or services
NTW 2000
15
Reconnaissance Methods
Public tools
Sniffers, SATAN, SAINT, NMAP, custom
scripts
NTW 2000
16
Network Sniffers
Router5
Got It !!
telnet Router5
User Access Verification
Username: squiggie
password: Sq%*jkl[;T
Router5>ena
Password: jhervq5
Router5#
NTW 2000
17
ISP Example
Internet
Foreign
Site
...
ISP Service Plane
T1
Customer Site
WWW DNS1
..
ISP Management Plane
NTW 2000
.
18
Enterprise Example
Engineering
Finance
Internet
Admin
WWW
Server
Protected
Network
Dial-Up
Access
NTW 2000
DNS
Server
Business
Partners
19
nmap
network mapper is a utility for port scanning large
networks:
TCP connect() scanning,
TCP SYN (half open) scanning,
TCP FIN, Xmas, or NULL (stealth) scanning,
TCP ftp proxy (bounce attack) scanning
SYN/FIN scanning using IP fragments (bypasses some packet
filters),
TCP ACK and Window scanning,
UDP raw ICMP port unreachable scanning,
ICMP scanning (ping-sweep)
TCP Ping scanning
Direct (non portmapper) RPC scanning
Remote OS Identification by TCP/IP Fingerprinting (nearly 500)
Reverse-ident scanning.
NTW 2000
20
nmap
nmap {Scan Type(s)} [Options] <host or net list>
Example:
my-unix-host% nmap -sT my-router
Starting nmap V. 2.53 by fyodor@insecure.org (
www.insecure.org/nmap/ )
Interesting ports on my-router.example.com (10.12.192.1)
(The 1521 ports scanned but not shown below are in state closed)
Port
State
Service
21/tcp open
ftp
22/tcp open
ssh
23/tcp open
telnet
25/tcp open
smtp
37/tcp open
time
80/tcp open
http
110/tcp open
pop-3
NTW 2000
21
22
Access Methods
Exploiting passwords
Brute force
Cracking tools
23
24
IP Packet
Internet Protocol
IP = connectionless network layer
SAP = 32 bits IP address
RFC 791, Sep 1981
NTW 2000
25
NTW 2000
26
IP Spoofing
C
e is
m
a
n
y
m
Hi,
Attacker
NTW 2000
27
>B
Rb
B
A -> B
Ra
A -> B
Rc
28
B
B unknown
->
A
C via Rc
A
A -> B via Ra, Rb
via
Rb
,
a
Rb
Ra
Rc
NTW 2000
29
IP Unwanted Routing
ia R1,
v
A
>
C-
R2
Internet
C ->
Av
ia R
A unknown
B via R1
1, R
2
A unknown
B via DMZ
R1
intranet
R2
C
A unknown
B via Internet
B
DMZ
A via Intranet
B via DMZ
C unknown
30
C->
A
via
B
Internet
A via Ethernet
C via PPP
A
intranet
di a
P
l-up
PP
ia B
v
A
C->
A unknown
B via PPP
B (acting as router)
C->A via B
NTW 2000
31
Ra
Rb
Rc
B->
Av
ia C
,Rc
A ->
Ra
Bv
ia R
a, R
c,C
32
NTW 2000
33
34
A
flags=SYN
,
seq=(Sb,?
)
,Sb)
a
S
(
=
q
e
s
,
+A C K
flags=SYN
flags=ACK
,
seq=(Sb,S
a
a+8)
S
,
b
S
(
=
q
e
,s
flags=ACK
e:
m
a
n
r
e
s
U
data=
NTW 2000
35
C
masquerading as B
(Sb,?)
=
q
e
s
,
N
Y
flags=S
a,Sb)
S
(
=
q
e
s
,
K
+A C
flags=SYN
(Sb,Sa)
=
q
e
s
,
K
C
flags=A
,Sa+8)
b
S
(
=
q
e
s
,
flags=ACK
ame:
n
r
e
s
U
=
a
t
da
C guesses Sa
b+7)
S
,
8
+
a
S
(
=
q
ACK, se
=
s
g
a
l
f
e
A believes the connection
m
a
n
y
m
=
a
dat
36
37
flags=SYN
,
A
seq=(Sb,?
)
b)
S
,
a
S
(
=
q
e
s
+ACK,
N
Y
S
=
s
g
a
l
f
flags=ACK
,
seq=(Sb,S
a
C
masquerading B
,Sa+9)
b
S
(
=
q
e
s
,
:
Password
Xyzzy , s
eq=(Sa+9,S
b+5)
a+18)
S
,
5
+
b
S
(
=
seq
delete *,
C guesses Sa, Sb
C inserts invalid data
NTW 2000
38
It Never Ends
Latest FTP Vulnerability
Because of user input going directly into a format string for
a *printf function, it is possible to overwrite important data,
such as a return address, on the stack. When this is
accomplished, the function can jump into shell code pointed
to by the overwritten eip and execute arbitrary commands as
root. While exploited in a manner similar to a buffer overflow,
it is actually an input validation problem. Anonymous ftp is
exploitable making it even more serious as attacks can come
anonymously from anywhere on the internet.
39
Software bugs
Out of Band Data Crash: Ping of death,
fragmentation
40
IP Normal Fragmentation
IP largest data is 65.535 == 2^16-1
IP fragments a large datagram into
smaller datagrams to fit the MTU
fragments are identified by fragment
offset field
destination host reassembles the
original datagram
NTW 2000
41
IP Header
IP data
TL=500, FO=480
TL=360, FO=960
NTW 2000
IP Normal Reassembly
Received from the network:
TL=500, FO=0
TL=360, FO=960
TL=500, FO=480
43
IP Reassembly Attack
send invalid IP datagram
fragment offset + fragment size > 65.535
usually containing ICMP echo request
(ping)
not limited to ping of death !
NTW 2000
44
45
SYN attack
B
C
masquerading as B
,?)
b
S
(
=
q
e
s
,
flags=SYN
b)
S
,
a
S
(
=
q
e
s
+ACK,
N
Y
S
=
s
g
a
l
f
NTW 2000
Denial of Services
kernel resources exhausted
46
SMURF Attack
160.154.5.0
Attempt to
overwhelm WAN
ICMP REPLY D=172.18.1.2 S=160.154.5.10
link to destination
ICMP REPLY D=172.18.1.2 S=160.154.5.11
ICMP REPLY D=172.18.1.2 S=160.154.5.12
ICMP REPLY D=172.18.1.2 S=160.154.5.13
172.18.1.2
47
NTW 2000
48
49
Victim
Innocent Master
NTW 2000
Innocent Daemon
Agents
A
50
Today
NTW 2000
51
52
NTW 2000
53
Security Policy
NTW 2000
54
To protect assets
To help prevent security incidents
To provide guidance when
incidents occur
NTW 2000
55
56
NTW 2000
57
58
59
Security Plan
NTW 2000
60
NTW 2000
61
NTW 2000
62
NTW 2000
63
NTW 2000
64
65
Example:
Example:Securing
Securingthe
theUsenet
UsenetServer
Server
Local Office
Local Office
Local Office
Local Office
Access Router
Radius
Server
Mail
Server
DNS
Server
WWW
Cache
WWW
Server
Usenet
Server
Network
Management
Server
TCP logging
SYN protection
permit any source connect to TCP port 119
permit NetOpsCenter source to any port
deny all else
NTW 2000
67
Make a Backup!
Deploy on network only when prepared for exposure
NTW 2000
68
NTW 2000
69
NTW 2000
70
71
72
TFTP
Disable tftpd if it isnt absolutely necessary
Otherwise, restrict tftpd access
NTW 2000
73
Resource Protection
In-band vs Out-of-band Management
Good network design and management
Redundancy, Logging
Audit
NTW 2000
74
Authentication Mechanisms
Console, Telnet
Local passwords
Username based
UNIVERSAL
PASSPORT
External Authentication
TACACS+, RADIUS,
Kerberos, SSH
USA
One-time passwords
NTW 2000
75
Local Passwords
line console 0
login
password one4all
exec-timeout 1 30
76
Service Password-Encryption
service password-encryption
!
hostname Router
!
enable password 7 15181E020F
77
Enable Secret
!
hostname Router
!
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
78
79
NTW 2000
80
NTW 2000
81
PIX TACACS+
Login Authentication
PIX Version 4.3(1)
enable password BjeuCKspwqCc94Ss encrypted
passwd nU3DFZzS7jF1jYc5 encrypted
tacacs-server host 10.1.1.2 <key>
aaa authentication any console tacacs+
no snmp-server location
no snmp-server contact
snmp-server community notpublic
no snmp-server enable traps
telnet 10.1.1.2 255.255.255.255
Cryptochecksum:a21af67f58849f078a515b177df4228
: end
[OK]
NTW 2000
Enable Password
Telnet Password
Define TACACS+
Server and
Encryption Key
Use TACACS+ for Telnet
or Console
(Enable) Access
Defines the Device that
Can Telnet into the PIX
82
Catalyst TACACS+
Login Authentication
Enable Password
set enablepass
$1$CBqb$j53diREUitkHDGKfAqFpQ
set authentication login tacacs enable
set authentication enable tacacs enable
set tacacs key secretkey
set tacacs server 144.254.5.9
NTW 2000
83
PassWord of Caution
Even passwords that are encrypted
in the configuration are not
encrypted on the wire as an
administrator logs into the router
100101
NTW 2000
84
One-Time Passwords
May be used with TACACS+ or RADIUS
The same password will never be
reused by an authorized administrator
Key CardsCryptoCard token server
included with CiscoSecure
Support for Security Dynamics and
Secure Computing token servers in
Cisco Secure
NTW 2000
85
NTW 2000
86
SSH
SSH can be used for secured Command
and Control sessions to routers.
Full SSH has three components
a terminal session with a secure transport
the ability to handle r-commands similar
to rsh
the ability to forward other TCP-based
protocols
NTW 2000
87
SSH Authentication
NTW 2000
88
Host Authentication
89
Host Authentication
IOS will store its own RSA key and
will accept all other keys.
In the full implementation, keys of
other hosts should be kept in
permanent storage and a warning will
be presented to the user if the
hostname/key do not match.
NTW 2000
90
User Authentication
After the encrypted session is established,
user authentication is still required.
Since the SSH feature is tied to the vtys,
user authentication is associated with
some of the authentication mechanisms
available to the vtys: RADIUS, TACACS+
and local.
The username and password will pass
between the workstation and the router
inside of the encrypted session.
NTW 2000
91
User Authentication
The session will be terminated if
authentication fails, or if the
authentication mechanism fails (e.g.a router cannot establish a session
with a TACACS+ server, etc.).
If authentication succeeds, a session
is opened using the encryption
algorithm selected.
NTW 2000
92
NTW 2000
93
SNMP
94
Transaction Records
How do you tell when someone is
attempting to access your router?
ip accounting
ip accounting access-violations
logging 127.0.3.2
95
Key
Hash
Function
Signature
Reassemble the
Packet with the Signature
IP HDR
NTW 2000
Signature
To the Wire
96
Route Filtering
router rip
network 10.0.0.0
distribute-list 1 in
!
access-list 1 deny
0.0.0.0
access-list 1 permit 10.0.0.0
0.255.255.255
NTW 2000
97
Out-of-band Management
POP
98
In-band Management
99
In-band vs Out-of-band
100
Protect Resources
Spoofing
Source routes
Resource consumption
NTW 2000
101
Spoofing
172.16.42.84
interface Serial 1
ip address 172.26.139.2 255.255.255.252
ip access-group 111 in
no ip directed-broadcast
!
interface ethernet 0/0
ip address 10.1.1.100
255.255.0.0
no ip directed-broadcast
!
Access-list 111 deny ip 127.0.0.0
0.255.255.255 any
Access-list 111 deny ip 10.1.0.0
0.0.255.255
any
10.1.1.2
IP (D=10.1.1.2 S=10.1.1.1)
NTW 2000
102
Preventing IP spoofing
Cisco routers, disable source routing
(on by default)
no ip source route
Hosts, disable:
1) IP forwarding, usually easy
2) source routing, usually impossible (Windows
had to wait until Win NT4 SP5 May 99)
3) applications check for IP options
via getsockopt()
NTW 2000
103
104
10.0.0.0
10.0.0.0 -- 10.255.255.255
10.255.255.255 (10/8
(10/8 prefix)
prefix)
172.16.0.0
172.16.0.0 -- 172.31.255.255
172.31.255.255 (172.16/12
(172.16/12
prefix)
prefix)
192.168.0.0
192.168.0.0 -- 192.168.255.255
192.168.255.255
(192.168/16 prefix)
prefix)
(192.168/16
Source: RFC 1918
NTW 2000
105
ISP
165.21.0.0/16
Internet
Serial 0/1
NTW 2000
106
ISP
165.21.0.0/16
Internet
Serial 0/1
NTW 2000
107
NTW 2000
permit source=B
else deny
network B
108
permit source=A
permit source=B
else deny
network A
network B
109
110
via 172.19.66.7
is directly connected, Fddi 2/0/0
CEF Table:
210.210.0.0
172.19.66.7
172.19.0.0
attached
Adjacency Table:
Fddi 2/0/0 172.19.66.7
Data
50000603EAAAA03000800
Unicast
RPF
IP Header
In
Fddi 2/0/0
Fddi 2/0/0
Data
IP Header
Out
Drop
111
via 172.19.66.7
is directly connected, Fddi 2/0/0
CEF Table:
210.210.0.0
172.19.66.7
172.19.0.0
attached
Adjacency Table:
Fddi 2/0/0 172.19.66.7
Data
Fddi 2/0/0
Fddi 2/0/0
50000603EAAAA03000800
Unicast
RPF
IP Header
In
Out
Drop
Data
IP Header
112
Echo (7)
Discard (9)
Finger (79)
NTW 2000
Daytime (13)
Chargen (19)
113
114
ICMP Filtering
Extended Access List:
Summary of Message Types
access-list 101 permit icmp any any <type> <code>
0 Echo Reply
3 Destination Unreachable
no ip unreachables
(IOS will not send)
4 Source Quench
5 Redirect
no ip redirects
(IOS will not accept)
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
ICMP Codes are not shown
Source: RFC 792, Internet Control Message Protocol
NTW 2000
115
ICMP Filtering
General Case:
access-list 101 permit icmp any any <type> <code>
no ip unreachables
(IOS will not send)
no ip redirects
(IOS will not accept)
NTW 2000
11
12
13
14
15
16
Time Exceeded
Parameter Problem
Timestamp
Timestamp Reply
Information Request
Information Reply
116
No IP Directed Broadcast
interface Serial 1
ip address 172.26.139.2 255.255.255.252
ip access-group 111 in
no ip directed-broadcast
!
interface ethernet 0/0
ip address 10.1.1.100
255.255.0.0
no ip directed-broadcast
!
Access-list 111 deny ip 127.0.0.0
0.255.255.255 any
Access-list 111 deny ip 10.1.0.0
0.0.255.255 any
NTW 2000
117
No Source Routing
interface Serial 1
ip address 172.16.139.2 255.255.255.252
ip access-group 111 in
no ip source routing
!
Access-list 111 permit ip 10.16.0.0 0.0.255.255 any
Private
Im 10.16.99.99 and
heres the
route back to me
Network
10.16.0.0
118
119
Audit
Dont assume
everything is ok
Actively watch
the network
Investigate any
unusual event
NTW 2000
120
121
Intrusion Detection
To detect
individuals
attempting attacks
against your
network, such as
the following:
Reconnaissance
Access
Denial of Service
NTW 2000
122
Profile-Based Detection
Anomaly
Behavior departs from known profile of
normal activity
Requires creation of statistical user
profiles
NTW 2000
123
Signature-Based Detection
Misuse
Behavior matches known patterns of
malicious activity
Requires creation of misuse signatures
NTW 2000
124
Agent
Agent
Agent
Agent
Agent
Agent
Agent
WWW
Server
NTW 2000
Firewall
Untrusted
Network
Agent
DNS
Server
125
Corporate
Network
Sensor
Sensor
Firewall
Untrusted
Network
Director
NTW 2000
WWW
Server
DNS
Server
126
CERT
Bugtraq
Exploit
Hacker Sites
Victim
Attacker
10101010101001110100101001010010011
Signature
NTW 2000
Pattern
Analysis
127
Intrusion Detection
Untrusted
Network
NTW 2000
Traffic Flow
Packet Capture
Protected
Network
128
192.1.1.3
.1
Private LAN
192.168.1.0/24
.2
DNS
Server
Internet
192.1.1.4
Mail
192.1.1.5
Policy
All users can access the Internet
Servers on DMZ are public
NTW 2000
129
On the firewall
statefully allow returning traffic
NTW 2000
130
131
WWW
Server
192.1.1.3
.1
Private LAN
192.168.1.0/24
.2
DNS
Server
Internet
192.1.1.4
Mail
192.1.1.5
Policy
After authentication, external user may
have access to their bank account
NTW 2000
132
133
Good Practices
To limit OS/Application weaknesses,
dedicate one task per public server
No unnecessary services
Use Intrusion Detection Software
probes in the DMZ
Remember that opening holes
through a FW means stateless
NTW 2000
134
Tools
NTW 2000
135
SSL
136
How It Works
NTW 2000
137
How It Works -2
The user's browser encrypts the session
key itself with the site's public key so only
the site can read the session key.
A secure session is now established. It all takes only
seconds and requires no action by the user.
Depending on the browser, the user may see a key
icon becoming whole or a padlock closing, indicating
that the session is secure.
If your site doesn't have a digital certificate, visitors
will see a warning message when they attempt to
offer credit card or personal information.
Source: Netscape Communications, Inc.
NTW 2000
138
How It Works -3
request
Servers digital certificate
Web server
Secure communication
NTW 2000
139
SSH -1
Secure Shell was designed to replace the UNIX r*
commands: rsh, rlogin, and rcp (ssh, scp, and
slogin)
Added features:
strong end-to-end encryption
improved user and host authentication
TCP and X11 forwarding
140
SSH -2
When installed on a host, a public and private key
pair is generated for that host and stored on the
host. These are used to authenticate the host to
another host with whom a connection is being
established.
The public key of the local host will need to be added to to
the ssh_known_hosts file on all remote hosts that the current
host wants to access. Or, a user can add the remote hosts
public key to a similar file in her home directory. Issue: key
management/directory services
NTW 2000
141
SSH -3
Host A
Host A
NTW 2000
Encrypted with Bs PK
Random string
Encrypted with As PK
Decrypted string
Host B - decrypts it
Host B
142
SSH -4
143
SSH -5
NTW 2000
144
Responding to Security
Incidents
Incident Response
NTW 2000
145
146
147
148
Top
management
(CTO, CIO)
Public
Relations
HR
Incident
Response
Teams
System
Admin
NTW 2000
149
Components of Response
150
Timing
Identify and
Implement
Lessons Learned
Restore System to
Operations
Eliminate Intruder
Access
tn
t1
NTW 2000
151
Analyze Event
What systems were used
to gain access
What systems were
accessed by the intruder
What information assets
were available to those
systems?
What did the intruder do
after obtaining access?
What is the intruder
currently doing?
NTW 2000
152
153
154
Restore Operations
Validate the restored
system
Monitor systems and
networks
Notify users and
management that
systems are again
operational
NTW 2000
155
Preparing to Respond
Create an archive of original media,
configuration files, and security-related
patches for all router and host operating
systems and application software versions
Ensure that backup tools and procedures are
working
Create a database of contact information
Select and install tools to use when
responding to intrusions
NTW 2000
156
157
Responding to Security
Incidents
Forming an Incident Response
Team
NTW 2000
158
159
Purpose
NTW 2000
160
Elements of a CSIRT
Constituency
Sponsorship or
Affiliation
Authority
NTW 2000
161
162
ISP Issues
Will you provide incident response
service for your subscribers?
If not, what role will you play in
helping your customers with security
incidents?
Alerting customers of security
incidents that affect them.
NTW 2000
163
Alerting customers
when the ISPs
infrastructure has
been breached
Providing accurate
contact information
for the reporting of
security problems
NTW 2000
164
In Summary
NTW 2000
165
Are
You
Ready?
Resources
Distributed Systems Intruder Tools Workshop Report
http://www.cert.org/reports/dsit_workshop.pdf
CERT Advisories
http://www.cert.org/
FIRST
http://www.first.org/
NTW 2000
167
More information
Improving Security on Cisco Routers
http://www.cisco.com/warp/public/707/21.html
NTW 2000
168
NTW2000
169