You are on page 1of 57

Protecting your IP network infrastructure

> Nicolas FISCHBACH

nico@securite.org - http://www.securite.org/nico/

IP Engineering Manager - COLT Telecom

> Sébastien LACOSTE-SERIS

kaneda@securite.org - http://www.securite.org/kaneda/ version 1.0

IP R&D Manager, Security Officer - COLT Telecom

Agenda
» Network Security
> Layer 2, layer 3 and routing protocols attacks > DDoS/worm attacks detection, protection and filtering > MPLS > IPv6

» Router Security
> Integrity checking

Disclaimer : we don’t work for Cisco and we don’t have Cisco stock :-) © 2002 Sécurité.Org
2

Protocol attacks
» Well known (not to say old) attacks
> ARP cache/CAM table poisoning, gratuitous ARP messages and ARP/{DHCP,BOOTP} spoofing > Tools : dsniff, hunt, ARP0c, taranis, etc.

» New (not so old) attacks
> HSRP/VRRP spoofing > STP/VTP/DTP attacks > VLAN jumping/hoping

» Future (to come) attacks ?
> Advanced routing protocols attacks (eg. IRPAS) > Rootkits and Loadable Kernel Modules
© 2002 Sécurité.Org
3

Layer 2 protocols
» Layer 2 protocols and traffic
> ARP - Address Resolution Protocol > CDP - Cisco Discovery Protocol > VLAN - Virtual LAN > STP - Spanning Tree > {D/V}TP - Dynamic, VLAN Trunking Protocol > Unicast, Broadcast and Multicast addressing and traffic

© 2002 Sécurité.Org

4

Protocols : STP (1)
» STP (Spanning Tree Protocol)
> STP prevents loops in the Ethernet network topology > Redundant data path forced into standby (blocked) state > STP enabled on all ports by default > No traffic forwarding during STP processing
Boot-up initialisation Blocking state

Listening state

Disabled state

Learning state

Forwarding state © 2002 Sécurité.Org

5

Protocols : STP (2) » STP (Spanning Tree Protocol) > 1.Org 6 . Root Switch Election > 2. STP processing blocks redundant path Root Switch Blocked © 2002 Sécurité.

Protocols : STP (3) » Network Traffic Interception > Must have physical connection to 2 switches > Transparent traffic interception Root Switch Blocked Blocked © 2002 Sécurité.Org 7 .

Force infinite election .Ephemere Root » Very hard to track down network topology © 2002 Sécurité.Protocols : STP (4) » Other STP attacks > CAM table poisoning > DoS .Org 8 .

01% © 2002 Sécurité. MSFC w/ IOS) set spantree disable set spantree portfast bpdu-guard-enable ! MLS in native mode (CatIOS on the Sup and MSFC) spanning-tree portfast bpduguard > Limit broadcast traffic set port broadcast <mod/port> 0.Org 9 .Protocols : STP (5) » Security measures > Monitor which equipment is the root bridge > Filter MAC addresses (and add static IP-to-MAC mappings) set port security <mod/port> enable 01-02-03-04-05-06 shutdown > Activate BPDU-guard (Bridge PDU) to filter STP ! MLS (Multi Layer Switch) in hybrid mode (Sup w/ CatOS.

network address.Protocols : CDP (1) » CDP (Cisco Discovery Protocol) > Cisco proprietary > Works on any HDLC capable link/device > Multicast traffic > Information leaked to other peers : device id/name. platform and IP network prefix Message format » © 2002 Sécurité. capabilities. software version. port id.Org 10 .

Org 11 .Protocols : CDP (2) © 2002 Sécurité.

Protocols : CDP (3) » Open to DoS attacks > Discovered by FX (see the Cisco Security Notice) » Security measures (router) > Global deactivation no cdp run > Per interface deactivation interface xy no cdp enable » Security measures (switch) > Global/per interface deactivation set cdp disable <mod/port> © 2002 Sécurité.Org 12 .

Org 13 .VLANs : Layer 2 partitioning (1) » The problem with VLANs > VLANs have never been designed for security but are used to enforce it > (Multi-layer) switches become single point of security failure > Do not use the (native) VLAN 1 » Do not use VMPS > VLAN Management Policy Server allows dynamic VLAN membership based on the MAC address © 2002 Sécurité.

if a port is in the same VLAN as the trunk’s port Native VLAN (inject 802.VLANs : Layer 2 partitioning (2) » VLAN jumping/hoping > Is possible : if you use DTP.Org 14 . 4k) and port protected (29xx. 35xx) > Port isolation > Devices in the same VLAN can’t talk directly to each other © 2002 Sécurité.1q frames) set vlan 2 <mod/port> clear trunk <mod/port> 1 > VLAN bridges allow bridging between VLANs for non-routed protocols » Private VLAN (6k.

domain> password <password> set vtp mode transparent © 2002 Sécurité.Org 15 .Protocols : VTP » VLAN Trunking Protocol > Enables central VLAN configuration (Master/Client) > Message format : like CDP (SNAP HDLC 0x2003) > Communicates only over trunk ports » Attacks > Add/remove VLANs > Create STP loops » Security measures > Put your switches in transparent VTP mode and use a password set vtp domain <vtp.

Org 16 .Protocols : DTP » Dynamic Trunking Protocol > Enables automatic port/trunk configuration > Message format : like CDP (SNAP HDLC 0x2004) > All switch ports are in auto mode by default » Attacks > 802.11q frames injection > VLAN hoping » Security measures > Turn DTP off on all the ports set trunk off all © 2002 Sécurité.

Layer 3 protocols » The network layer > IP(v4) : no built-in security > ICMP : information leakage and side effects > HSRP / VRRP : provide next-hop redundancy > RIP / RIPv2 : no authentication (v1) and flooding > OSPF : multicast (adjacencies and DR/BDR at risk) > BGP : core of the Internet (RR/peerings/sessions at risk) Not (yet) well known or not so used in enterprise networks > ISIS : but a lot of Service Providers are moving from OSPF to ISIS (usually in relation with MPLS/Traffic Engineering deployment) > (E)IGRP © 2002 Sécurité.Org 17 » .

Org 18 .Protocols : BGP (1) » BGP (Border Gateway Protocol) > Version 4 > Runs on port 179/tcp > Authentication : MD5 (not often used) > Point-to-point over directly connected interfaces or multihop between non adjacent routers > BGP route injection tools exist (in private circles) » BGP (UPDATE) message format © 2002 Sécurité.

down}stream : IP filter on interfaces > Multi-hop configurations (Man-in-the-middle attack) What to monitor ? > AS_path you receive from upstreams > AS_path that other ISPs are getting that contains your ASN (route servers/looking glasses) > Are the paths changing (especially the best path) ? > ARP changes (IX public switches) » © 2002 Sécurité.Org 19 .Protocols : BGP (2) » Where are the risks ? > Internet Exchanges : all providers are usually connected to the same shared infrastructure (a switch for example) : do prefix/AS_path filtering > Your direct {up.

y.y.y password <MD5password> neighbor y.y.y.z/17 prefix-list ournetworks seq 10 deny 0.0.y prefix-list ournetworks out neighbor y.k.x neighbor y.y.x.y.y.Org 20 .0/0 le 32 prefix-list theirnetworks seq 5 permit k.y prefix-list theirnetworks in neighbor y.y.y.k.y.z.k/19 as-path access-list 99 permit ^<AS>( <AS>)*$ route-map ourASpath permit 10 match as-path 99 © 2002 Sécurité.Protocols : BGP (3) » Additional security measures > Do not use the same password with all the peers > Log changes (and use IPsec) router bgp 65000 bgp log-neighbor-changes network x.y remote-as 65001 neighbor y.y version 4 neighbor y.y.y maximum-prefix 120000 neighbor y.y.y.y.x.0.y route-map ourASpath out ip ip ip ip prefix-list ournetworks seq 5 permit z.z.

Protocols : BGP (4) » BGP route injection tool : what is the challenge ? > Find the eBGP peer > {Man. etc » Inject the update > MITM (or ARP spoofing on IX switches) > Synchronize with/hijack the TCP session » Future ? > S-BGP (Secure BGP) © 2002 Sécurité.1.Org 21 . . Monkey} in the middle attack > SNMP > Public route-servers and looking glasses > Directly adjacent IPs.254. .

html © 2002 Sécurité.Sequence number prediction » ISN problems on Cisco routers Vulnerable IOS “Less” vulnerable IOS > “Fixed” as of 12.1(7) > ISNs are (still) time dependant Source : http://razor.bindview.Org 22 .0(15) and 12.com/publish/papers/tcpseq.

Protocols : OSPF (1) » OSPF (Open Shortest Path First) > Protocol type 89 > Multicast traffic : “easy” to inject LSAs > Active adjacencies between all the routers and the (B)DRs (DR/BDR status is based on Router ID and priority) > SPF (Shortest Path First) recalculation takes a lot of time Backup Designated and CPU Router (BDR) Designated Router (DR) Area 2 Backbone area (Area 0) Autonomous System Border Router (ASBR) Network running another IGP Area 1 Area Border Router (ABR) © 2002 Sécurité.Org 23 .

x.x © 2002 Sécurité.x.“point-to-point links only”) network interface xy ip ospf network non-broadcast router ospf 1 neighbor x.Org 24 .Protocols : OSPF (2) » Security measures > Authenticate OSPF exchanges interface xy !ip ospf authentication-key <key> ip ospf message-digest-key 1 md5 <key> router ospf 1 area 0 authentication [message-digest] > Turn your network into a NBMA (Non Broadcast Multiple Access .

Protocols : OSPF (3) » Security measures > Don’t put the interfaces that shouldn’t send or receive OSPF LSAs in your network statement or then exclude them with a passive-interface statement router ospf 1 > Log changes log-adjacency-changes network x.x.x.Org 25 .x passive-interface default no passive-interface xy > You can’t filter what is injected into the local area (the network statement meaning is misleading) only to other ASes > You can filter what you receive router ospf 1 distribute-list <ACL> in distribute-list <ACL> out © 2002 Sécurité.

L2 routing means between areas > Floods LSPs (Link State PDUs) .Org 26 .Nothing do to with MPLS’ LSP (Label Switch Path) > Contrary to OSPF DR/BDRs a new IS-IS DIS (Designated IS) with higher priority will take precedence (preempt) and all the routers maintain adjacencies with all the routers in the area (separate L1 and L2 adjacencies on same LAN) © 2002 Sécurité.Protocols : ISIS (1) » IS-IS (Intermediate System to Intermediate System) > Comes from the OSI world (routed OSI procotols) > Doesn’t run on top of IP but directly over the data link > Encodes the packets in TLV format > Uses hierarchy levels/addressing (L1/L2) and flooding .L1 routing means routing in the same area .

the domain level interface xy isis password <password> level-<z> router isis log-adjacency-changes domain-password <password> area-password <password> © 2002 Sécurité.the interface level .Protocols : ISIS (2) » Attacks > Similar to OSPF attacks but more complex to inject data because of non-IP protocol > Possible to use the “Overload Bit” to have transit traffic not sent over a “overloaded” router and thus try to redirect it » Security measures > Log changes > Use authentication at .the area level .Org 27 .

no need to kill a router.RFC2338) > Supports MD5 for authentication (IP Authentication Header) © 2002 Sécurité.Protocols : HSRP/VRRP (1) » HSRP (Hot Standby Routing Protocol) > Provides next-hop redundancy (RFC2281) > Information disclosure : virtual MAC address .00-00-0c-07-ac-<group> . becoming the master is enough » VRRP (Virtual Router Redundancy Protocol .Org 28 .(by default) the HSRP virtual interface doesn’t send ICMP redirects > You can have more than 2 routers in a standby group.

x > Change the virtual MAC address interface xy standby 10 mac-address <mac-address> > Use IPsec (“Cisco” recommendation) but is not trivial (multicast traffic.x. limited to a group of 2 routers) © 2002 Sécurité.x.Org 29 .Protocols : HSRP/VRRP (2) » Security measures > Use password authentication interface xy standby 10 priority 200 preempt standby 10 authentication p4ssw0rd standby 10 ip x. order of processing depending on IOS release.

*IDS with data correlation Netflow > Accounting data (AS. protocols.x. IP flows.Org 30 .DDoS detection (1) » The “old way” » > ACLs/FW logs.x. CPU and line load.x interface xy ip route-cache flow > How to view the data : sh ip cache flow © 2002 Sécurité. etc) > Send in clear text over the network (UDP) to a gatherer > With CEF activated Netflow will only do accounting > Without CEF the router will do netflow switching > Only counts outgoing traffic on the interface > How to export the data ip flow-export version 5 origin-as ip flow-export destination x.

wisc.net. detect changes and anomalies Source : Flowscan from UW-Madison (http://wwwstats. FTP and P2P tools) ~10 % (DNS. streaming) <1 % <1 % > Mostly 64 bytes packets > RRDtool and Netflow can be used to graph trends.Org 31 . SNMP.edu/) © 2002 Sécurité.DDoS detection (2) » (Un)usual traffic distribution per protocol > TCP > UDP > ICMP > IGMP : : : : ~90 % (HTTP.

Org 32 .DDoS detection (3) » Netflow data on Multi-Layer Switches > Netflow-based MLS flow-mode is “destination-only” no source address is cached) > Enable “full-flow” mode (performance impact on SE1) ! MLS in hybrid mode set mls flow full ! MLS in native mode mls flow ip full > Display the entries ! MLS in hybrid mode set mls ent ! MLS in native mode show mls ip > Poor man’s netflow : ntop ? © 2002 Sécurité.

Org 33 .DDoS prevention (1) » Unicast RPF (Reverse-Path Forwarding) > Needs CEF (Cisco Express Forwarding) or dCEF > Requires IOS 12.x and uses ~30MB of memory > Strict : IP packets are checked to ensure that the route back to the source uses the same interface > Only the best path (if no multi-path or equal cost paths) is in the FIB > Asymmetric routes are supported (really :-) > Check the BGP weight if you use strict mode in a multi-homed configuration © 2002 Sécurité.

Org 34 .DDoS prevention (2) » Unicast RPF (Reverse-Path Forwarding) > Strict (you can use an ACL for exceptions or for logs) ip cef [distributed] interface xy ip verify unicast reverse-path [allow-self-ping] [acl] > “Loose check” (allowed if the prefix exists in the FIB) ip verify unicast source reachable-via any © 2002 Sécurité.

TCP SYN rate-limiting interface xy rate-limit input access-group 100 8000 8000 8000 \ conform-action transmit exceed-action drop rate-limit output access-group 100 8000 8000 8000 \ conform-action transmit exceed-action drop <…> access-list 100 deny tcp any host x.x established access-list 100 permit tcp any host x.x.DDoS prevention (3) » ICMP.x.x access-list 101 permit icmp any any echo access-list 101 permit icmp any any echo-reply > UDP rate-limiting can be a problem if your customer is a streaming company © 2002 Sécurité.x.x.Org 35 . UDP.

255 © 2002 Sécurité.x.0 0.DDoS prevention (4) » TCP Intercept > Can do as much good as bad > If enabled : process switching and not “full” CEF anymore > The “destination” host must send a RST (no silent drops) or you’ll DoS yourself > Same is true if you use “blackholed” routes (route to Null0) ip ip ip ip ip tcp tcp tcp tcp tcp intercept intercept intercept intercept intercept list 100 connection-timeout 60 watch-timeout 10 one-minute low 1500 one-minute high 6000 access-list 100 permit tcp any x.x.0.Org 36 .0.

© 2002 Sécurité. parameter-problem.Org 37 .DDoS prevention (5) » Advanced ICMP filtering > Only let the “mission critical” ICMP messages in and out interface xy ip access-group 100 in access-list 100 deny icmp any any fragments access-list 100 permit icmp any any echo access-list 100 permit icmp any any echo-reply access-list 100 permit icmp any any packet-too-big access-list 100 permit icmp any any source-quench access-list 100 permit icmp any any time-exceeded access-list 100 deny icmp any any access-list 100 permit ip any any > ICMP filtering is a source of dispute (unreachables. etc) > ICMP is not just “ping”. you can break a lot of things (Path MTU Discovery for example) > YMMV.

not on the RP) router bgp <AS> network <sourceOfDDOS> mask <netmask> route-map ddos-nh route-map ddos-nh set ip next-hop <TEST-NETIPaddr> ip route <TEST-NET> 255.0 Null0 > Do not redistribute it to your peers : use a private AS or a “no-export” community © 2002 Sécurité.DDoS prevention (6) » Advanced technique 1 (1/2) : BGP/Null0 > Pick an IP address from TEST-NET and add a static route to Null0 for it (on all your routers) > Have a “master” BGP router set the next-hop for the source network you want to “drop” to the selected IP > Have BGP redistribute it to the routers in your AS only and uRPF will drop it (at the LC level.255.255.Org 38 .

2.DDoS prevention (7) » Advanced technique 1 (2/2) : BGP/Null0 NOC iBGP sessions Master BGP router (set the next-hop for the DDoS sources to 192.10) Route reflectors Propagate the new next-hop Core/Access Routers (route 192.Org 39 .2..10 to Null0) Internet or Customers © 2002 Sécurité.0.0.

255.x.Org 40 .DDoS prevention (8) » Advanced technique 2 (1/2) : BGP/CAR/FIB > Set a special community for the network you want to ratelimit on your “master” BGP router and send this community to your iBGP peers router bgp <AS> network <destOfDDOS> mask <netmask> neighbor x.x.x send community access-list 10 permit <destOfDDOS> route-map ddos-rl match ip address 10 set community <AS>:66 no-export ip route <destOfDDOS> 255.x.255.0 Null0 © 2002 Sécurité.x.x route-map ddos-rl out neighbor x.

Org 41 ..DDoS prevention (9) » Advanced technique 2 (2/2) : BGP/CAR/FIB > On the routers change the QoSID entry in the FIB based on this special community > Use the QoSID entry of the FIB to rate-limit router bgp <AS> table-map ddos-rl ip community list 1 permit <AS>:66 route-map ddos-rl match community 1 set ip qos-group 66 interface xy bgp-policy source ip-qos-map rate-limit input qos-group 66 . © 2002 Sécurité..

Org 42 » .0/8 > 169. 192.0.0.com) > Multicast blocks (D Class) and Martian networks (E+) > “Hijacked” space by some vendors (192.192 for some printers) > (ARIN) Reserved blocks (bogon networks) > Packets to broadcast addresses or where source == destination What you should route/let through > Your network prefixes (anti-spoofing) © 2002 Sécurité.16.0.Ingress/egress filtering (1) » What you should never route/see/allow through > RFC 1918 (10. 172.254.0. like example.0/8.0.0.0/12.0.0/x.0.0/24 (Netname: TEST-NET.0.0/16 (auto-configuration when no DHCP) > 192.0.0/16) > 0.0.0. 127.2.168.

0 255.255.255.0.0.0 null0 © 2002 Sécurité.255.255.0.0.0.0.255.0.0.255 access-list 100 deny ip 10.0.255 255.15.0 0.0.255.0.0.0.0.254.0.0 255.0.255 255.255.0.0.255.16.255 access-list 100 deny ip 172.0 null0 ip route 172.0.0 0.255.240.255.255 access-list 100 deny ip 169.0 0.0 0.0 0.255.0 0.255 access-list 100 deny ip 240.255.0.0 null0 ip route 192.255.2.255 255.0.0 0.Ingress/egress filtering (2) » Example with ACLs > Filter on network border : CPE/IX/uplinks interface xy access-group in 100 access-group out 100 access-list 100 deny ip host 0.0.0.16.0.0 0.0 0.0.0.0 0.0.255 access-list 100 deny ip 192.255.0.255.0.0.168.0 any access-list 100 deny ip 127.255.15.240.0.0.Org 43 .255.0 0.0.255 255.255 255.255 255.0.255.255 any access-list 100 permit ip any any ! Or permit ip <your network prefixes only> » Example with route to Null0 (“discard” on Juniper) ip route 10.0 15.255.0 0.255.0.0 255.168.255.255 access-list 100 deny ip 192.

1(5)T > Like TCP Intercept .Worm detection and protection (1) » How to detect a new worm > New/unusual number of HTTP/SMTP flows and server logs » How to protect with NBAR (Network-Based Application Recognition) > Needs CEF > Available as of 12.do we need it ? > Side-effect : the TCP handshake is already done but the server never receives the HTTP GET request > Performance impact : ~20% CPU © 2002 Sécurité.Org 44 .

hosts or MIME types matches > Can’t match beyond the first 400 bytes in a URL > Can’t deal with fragmented packets > HTTPS traffic (that’s normal .Worm detection and protection (2) » NBAR Restrictions and limitations > Supports up to 24 concurrent URLs.-) > Packets originating from/sent to the router (you can’t protect the local HTTP server) > Doesn’t support Unicode (UTF-8/%u) » Tune the scheduler and the timeout ip nbar resources 600 1000 50 scheduler allocate 30000 2000 © 2002 Sécurité.Org 45 .

Org 46 .DDoS/worm research/future » Worse to come > A lot of research has been done but nothing has been published/disclosed : “risks are too high” > Most of the worms we’ve seen were quite gentle > Will the next worm affect IIS/Outlook users again ? > What are the effects on the Internet stability (CAIDA) ? » What are the trends ? > Routers are used as source (CERT) > Getting more complex and agents are becoming more intelligent > Temporary “use” of non allocated blocks (Arbor Networks) © 2002 Sécurité.

MPLS (1) » MultiProtocol Label Switching > MPLS label added to the IP packet to identify the VPN > Each router (LSR) on the path (LSP) has a local table (LIB) > The label only has a “local” meaning and is/may be changed on each hop )htaP hctiwS lebaL( PSL yramirP PSL pukcaB egdE remotsuC retuoR © 2002 Sécurité.Org sretuoR hctiwS lebaL eroC SLPM 47 egdE redivorP retuoR .

Org 48 . not encrypted/authenticated VPNs > “Equivalent” to a layer 2 VPN (ATM/FR) .as a customer you have to trust the MPLS core > IPsec can be used to secure the traffic > VPN partitioning done at routing layer > “One routing table per VPN” on each PE router .separate Virtual Routing and Forwarding instance (VRF) .the security is often provided by hiding the MPLS core structure/cloud from customers by using filtering or nonrouted address space (think security by obscurity) .or extended Route Distinguisher (RD) > Current trend in SP networks : deploy MPLS+ISIS w/ Wide Metrics+TE for subsecond convergence and traffic rerouting © 2002 Sécurité.MPLS (2) » MultiProtocol Label Switching > Virtual Circuits.

easy if access to the MPLS routers > Inject data in the signaling protocols ((MP-)BGP and IGPs) to modify the VPN topology : IPv4-RRs and VPNv4-RRs (Route Reflectors) > Even a higher risk when the same router is shared for Internet access and a MPLS L2VPN © 2002 Sécurité.Org 49 .MPLS (3) » Attacks > Labeled packets injection : .locked by default on all interfaces (Customer Edge Router) .

RSVP (No Route) Path Error message : allows sniffing by redirecting traffic over a router that is under control and part of the MPLS core .Org 50 . the adjacency table is updated for the tunnel interface . a new LSP is signaled .MPLS (4) » Attacks > Use new functionality like FRR (MPLS Fast ReRoute) . a LSR receiving a marked packet with label x will accept it on any interface and switch it out fake/spoofed IGP LSP/LSA or RSVP Path Error message Label In old Path new Path 3 3 Label Out Interface Out 17 8 POS7/0 POS7/1 MPLS Core © 2002 Sécurité.

MPLS (5) » Security measures > Good configuration of all routers (CE. > The “MPLS network” should start on the PE router. MPLS Core) ACLs Static and dynamic routing VRFs etc. P.Org 51 . PE. not the CE > Difficult to gather MPLS information from the routers > Use IPsec (without anonymous key exchanges .-) © 2002 Sécurité.

GRE .MPLS > MAC address can be part of the IP address © 2002 Sécurité.IPv6 » IPv6 > Basically no new risks/big changes > “Native” IPsec support > Higher risks during the transition phase from IPv4 to IPv6 ? > Protocols used to interconnect IPv4 to IPv4 islands over IPv6 (and vice versa) .Org 52 .

3. when you see “configured by <xyz>” or a router boot in the logfile or when you get the “configuration changed” SNMP trap © 2002 Sécurité.1.1. Check : automatically (cron/at job). Store your routers and switches configurations in a central (trusted) repository (CVS for example) > 2. Get the configuration from the device (scripted telnet in Perl or expect. scp) or have the device send you the configuration (needs a RW SNMP access) snmpset -c <community> <routerIP> \ .Router integrity checking (1) » Four steps to build a tripwire-like for IOS/CatOS > 1.1.2.6.4.<tftpserverIP> s <filename> > 3. rsh. tftp.9.Org 53 .55.1.

Org 54 .Router integrity checking (2) » Four steps to build a tripwire-like for IOS/CatOS > 4. Diff the configuration with your own script or use CVS/Rancid » Limitations and details > You still have to trust the running IOS/CatOS (no Cisco “rootkit” yet) and your network (MITM attacks) > The configuration is transmitted in clear text over the network (unless you use scp or IPsec to encrypt the traffic) > Do not forget that there are two “files”: startup-config and running-config > Do the same for the IOS/CatOS images > Cisco MIBs : CISCO-CONFIG* © 2002 Sécurité.

(zlib/SNMPs bugs :-) > ELF 32-bit MSB executable. statically linked. runs in user mode on the CPU and has full access to system resources” © 2002 Sécurité.Cisco Press : . the IOS design emphasizes speed at the expense of extra fault protection” .“Everything.Router integrity checking (3) » Cisco IOS rootkit/BoF/FS : is it possible ? > Proprietary.Org 55 . stripped > What is possible with remote gdb access : . IOS does not employ virtual memory protection between processes” .gdb {kernel¦pid pid-num} ? > Is the ROMMON a good starting point (local gdb) ? “Inside Cisco IOS software architecture” .“To minimize overhead. closed source OS running on MIPS (newer models) or Mot68K (older models) > Closed source but “fork” from (BSD) Unix .“In general. including the kernel.

by using dual RPs (Route Processors) . memory. processes.stateful in the future .37 feature sets and 2500 images out there (90% IP FS)! > What will happen with IOS-NG (support for loadable modules) ? .Router integrity checking (4) » Cisco IOS rootkit/BoF/FS : open questions/issues > No (known) local tools/command to interact and “play” with the kernel.Is Cisco still working on it ? GSR dedicated team ? © 2002 Sécurité. etc. > What can be done in enable engineer mode ? > Is it possible to upload a modified IOS image and start it without a reboot (like “Linux two kernel monte”) ? .by upgrading LCs only (Line Cards) > A lot of different images exist (but providers usually go for ~12.0(x)S) and a tool to patch images would be required .Org 56 .

org/presentations/secip/ > » Pictures of CanSecWest/core02 < http://www.That’s all folks :-) » Latest version of this document & presentation including tips/commands to secure routers (IOS) and switches (Cat(I)OS) < http://www.securite.securite.inforamp.html © 2002 Sécurité.org/csw/core02/ > » Questions ? Image: http://www.Org 57 .net/~dredge/funkycomputercrowd.

950729 2.9 & 09....54:7$5.8 5. "9  .8 5.9. 5.9.088 8950729)$ $  74:90 2.

663.:..6063:#  P #96.4113.#79  < ..335  51.5  652>5.65..50..#96.02  &! #  #/3096.0..

  '  69%#:766565:.51366253...71.0:  &50965.02.0 P 50..3.'#:::65 P .1.:99:.:::  90.05.9  &.#:     .

"9  .# &09# & 09.

33 .41751.51    &!:.79:.9: 359.. ::359.5.&85054/97910.69 /51 0647/3:7./3"&  1. "9  .43 & 09.79.65 P &!796/34:65:0696.07:8 ./3"& &690.9 :.:6   .

9:.650. :943424:8$8902 47/07#4:907 $# 09477:333 . . "9  . 90.:..:.-430.34907! 70.6063.47/07#4:907 # & 09.&:  0.0.:..  &# &69.7  3.::/.70.90/ .6063:"&#  P "&# "75&69.90/#4:907 # 70.#.6.51...  #96. 70.9.65.1.:..303.#96.:5083.9:.  %: %%:.:165%6.51# #4:907 # 083.050:/.#.9:..36. 70..33.0..9..5..517969.2:.96.4 .

.:9039.:.70.10.6925..5.9432088.#96.0.4.!  !6596. 3.0 54851.:9:  ..5: 39071..0 /089 02/0 74:9074851 .:9039.0 /089(  '95695.6063:"&#  P &09.6."&#0. .943 00 548512088.73 00::.

765.

6..

.. "9  .765.352:653 5./.0 5485130947343 -74.89 74:9074851 30-47    & 09.692 39071.

...7.::.:9:  65.7. .:6315.4.0:.#96.:516990"&# &:5695.5031.45..9.5.4.69.6063:"&#  P &09.692:..

 .692:..0/01.53.6./.5.0 39071.0:.55:4:3.45.9.:9 345. 5..9.308 30947    5. .3.45.690 74:9074851 /897-:90 893 /897-:90 894:9 & 09.9..66...4..88.15 653.0 39071..9.360.03.9 &:  60..5.5: 4 .:50. "9  .3.. 74:9074851  60..88.0  60.15.

6063:&&  P &.#96.

4.& 5.369.9565..1"&79606.676#/.:5'694...7.352  5061:.119::5  .&:..&:.  ::9.4  64:964.02.1.9033:..65.63:  6:5.190.5136615 .941.941."&6931 96.

:.5:96. 96.55.54.4.9. .

54.#: . 96.:  3661:&#: 52&...5:/.5.9.

9.6"&#%%:.6.5&.516..0#.  65./3&. !6. #&&# .9.

050:65:..1&  .51.2790150 7947. ..33 .5.51..33.050:. :7.96.9:4.9..96.9.97969.1.9:5.&& :5.1..4! & 09.33. ..5. "9  .

#96.02:  &43..46906473.650.02:/.6063:&&  P .:6565..1.6"&#.. /0..9....

6.1.9.9.69190...69..9.. P &09.5."936.51.:9:  60.6063  #6::/3.:.9..5:  :..6:.6936.#796.056.4.. :5.65. .1196.5:.0.

9.033 .5. .

.33 .9. .

8847/5.03.8847/ & 09. "9  .308 /42.3 5./. .0  74:90788 4 .70. .8847/0.8847/ . 5.8847/5.0 885.533 39071..8847/5.164...

.51/%6.6063  #961:5.#96.&.6063:&%#%%#  P &%# 6.5#96.

.119:: .679151.651:036:99..50 %  5694.3 .

.

.

0.

.

.0.

967 .

469.96.596..51/967 56 51.4.6233.:  60.9 /0645.9.3.6063.:51 # 9190.016:5.35.:.9:56 P %%# 9..3%6.:.9%151. /1.9:5.5.&%#9.50#96. ...

0.19 & 09. "9  .65. %  &7769..: 69.65 #..5..0.5.

3 43.0 691967960::51751565"& 93.0 89.. .3/- 5     .1.#96.3/- 57479 5700259 89..4.3/- .0..9: & 09.0.:56.65 39071.//7088  :#:0 :069064451. "9  .119:: 39071.0 89.9..5.967696..9..:9039.::691.3 .943588 7/ 89.65 /.6.:.//70882... .: 34.9..3/- 2.5..:9:  :7.6063:&%#%%#  P &09..

0..51..65.5. 514 05479..6&1.363365316..65  P '631..1!.513536.1.6. & #36: 796.9.9..36  0065.943    39071.. "9  .065.¾ P  :36: #...65 !.99  ..933165.6063: .07843473 .....8 514 05479/0893.05  "53065.6769.96.036 & 09.1  &.014  6.0 574:90 .:6.1.1..692 # ...0065.36:..9.69.5.:70.6.5  .6.0..0  6.0  &51503.06993..

6579796.45   #    #   6:.5964.9.51!.663:  '#  # ?  !& &! # :.6&1. 0.69.7.65  P 5 :.9/.663.564.3: &69036:0.0.51##.5:.3.51.360.:  %%.:7.951: 1.6063 ?  ''# '#.3/.9.0.01:.5/:1.02.

: 5. :0 1 & 09... "9  . ..7:.1:65 .

.0..361..65  P !.65 3.6&1.

36.9&.0:  !..

:1 &36./.

65..5.461:1:.

65356 :690./333.01  5.119:::0.

67 & 09.9.5:5..36461 79694.024/0 84285  #6694.5.0.9.5047.024/0 281451:  :73.65& $3-7/24/0 80928141: $33.365. "9  .9: $3-7/24/0 80928039 $33.

%# %9:.65  P 50.6&795.:.

./.:.#7.90021.51::? 64469  &.915 691  %89:"& .6.#.45.:690::..65:9. 5643.02 .69../:..96.02..:.0  "53.915  !1: :0679::69.7.90.9..

9096.698.:.1 9.  :44.33..7.7.306:.9:7769..: : 5.

90.#..  02.6::.43. 4615.

6410659.65 & 09. "9  ..

6&795.65  P 50.:.%# %9:.

3 & 09.4 801 53(..(  66:002 . "9  ..071:3.79:..070..8970.69.0780 5. 60...5:. 5.-0 .:5.915  &..65:696936: 5.90.#.9.071:3.3361..0 5.01/897-:90/( 39071.8984:7..56907.

.6&795.65  P  # # '#&!9..

088 89 /039..5....25.90 2935:9.38290.431472 ....94397.-80/ .94397.3..3489    ...088 74:5     .00/ .0 7.088 89 507299.34.30..30.943/745   .3..3489   089...90 294:95:9..088 89 50729....088 74:5     .5..943/745 7.431472 .5 39071.38290.4 .088 89 50729.4 705  #9.00/ .25.

50.9.5/.649:. "9  . :.450647.34.5 & 09.796/34690:.

53907.9.6!33 59..:/.6&795.:51.4330. 9204:9 59.5.4:.516.65  P '#5.5.53907./317960:::.059430 23:904 59..05.:40661.0263196.1967: 69 6336&69:3  &.5156.943 9204:9 59.96:/3.088 89 507299..4:. "9  .059.33.059430 23:90 .53907.5469  '1:.53907..%&' 56:35.1  5.907.656:.05989 59.3     & 09.: 96.  .059.53907.

35.088 89 50729. 39071.4 .95  "533.:5./3:  7...3 .3.088 89 507295.6&795...3. .25.088 89 50729.3....30.0 5.95:.25..0..25.25.3...317..4.4 705 .088 89 50729.3920 0..088 89 50729.3 #4::..3..384:7..3.088 89 50729..0.25.0 6:03..00/0/ ..25.9.501 #3.20398 .. 59.088 74:5 3 .65  P 1.9.3.30.088 89 /03.3.3   #3.25.088 89 /03.:69061:7..09 944 - .4::6509.516.

473   & 09.796/34 . "9  .36.2.6.0   #:56.5: #. ':06969.:.5/9.75 60..

501.058  #!33  #02.119::964'&'.5#.6&795.65  P 1.

9:.6 !3369...9:  .096. 65.336996.:.9#96.:.4.5.!'...11..51.

//7 574:90%$% %   :  656.&69.6.51 %#331967. 56.5.79..9/..9:569&653.83092.66979::.874:90 2.6769..65.6.#91:.:30.:690 5.1#  . .33 56.96.9/.6926..5//48 3 74:90 2.5//48 3 8095309 45%$% %!..61967.%# 74:907-5$ 3094784:7..0 1 $2..91:..

"9  .06445. & 09.769.

9478 !745.6&795.0894   #4:907010.65  P 1.909030 309 45 470.058  #!33   !8088438 ..8907!74:907 80990309 45147904$ 84:7.501.

.. "9  .088#4:9078 74:90   94: 3907309 47 :8942078 & 09.

306445.501.69.5..5.65  P 1.6&795.058  #%  &...69.:70.6926..

669#79: 74:907-5$ 30947/089 1 $2.83092.9. "9  .51:51..5//48 74:9 30-47   803/.5//48 7 2.:.9#96.422:39$34 05479 574:90/089 1 $   : & 09.//7088 809. 34.9.. .5.65694.088 89 50729/089 1 $ 74:90 2.8 30-47   74:90 2.:06445.422:39 .

  :./.6&795.:165 ..96.95.501.$6&5.65  P 1...96.058  #%  "5.::70.69.$6&5.5.9:0.306445.

422:39 8095648 74:5 39071..90 2935:9648 74:5 & 09.05 648 2.0 -5 54.422:398950729$ 74:90 2. 74:907-5$ 9.9.5 7.5//48 7 5.34.84:7.5//48 7 2. "9  .-0 2..

6.:.59::9::3.336.95  P .6:6315996...96  %                           .

4'&'.0659.65556#      !.5..

0...:: .9:  %! %:91/3602: /6655.119:::699:690 1:..5.96  695.0/:645169:    69:64 795.:.692:   .51 .69279: .692:  #.65 .6/96.9.5.473 064  3.!' 32.6:63196.021:7.:..3.:.02./3602: 3.10.55...

:7665 & 09. "9  P .

692/6919#7352: 39071.:  3.088 89 /035    .6!33 1:0.088 74:53 .3 .3 .9655...088 89 /035489 ..95  P ..088 89 /035         ....59::9::3..473.0 ..088 89 /035         ..3  75072954:73094757010843 P ..088 89 /035         .....96.088 74:54:9 .088 89 /035         .088 89 /035           .473.... "9  .91¾65579 574:90  3: 574:90    3: 574:90    3: & 09.088 89 507295...088 89 /035        ..3....

0..6796.692.61.!% !.65.5694  !5:.354/96''#& '#36:.51:9936: P 6.0.0.6941.0.65  P 6.51796..

65 %065..907..:6   '  2'#5.3.65  !1:  ..:17730./3.

1651.  &1.

 #9694.1165/.5047.39. "9  ...? # & 09.2:.51:.0.''#'98:. :995990:.'#.0.

0 .:5694.90.0.0.0:  ...65:  &7769.%: 6:.65.0/651.45.4.02../.9..17.:69  .5.:7.60650995.1.5.65:.3.:  ''#&..%  .9:.9.51796.5134.6941.7: 4.65  P !%%:..:5.3.

:7769.5964:5.:695..360...6.0.  #.5.96.9 60.02.3''#:99  6:5. 796.5061 '.

4.0/:07..90  & 09.:0139.46. "9  .  P '5..08   8. 53-.51.77084:7.

56.6.1/3602: 9/69!..9.9:.::690 %'  ..9.&".5./3.51.9/0645469 5.5  .9 P 69:.5..:/5 7/3:11:036:19:2:.95.6064  36.3  33.0.9.66  6:.9:6565.692: & 09..:.:65.3360.9:1.546906473.5.5.  '4769.   P ..694..:/5165/.694::598.6&6949:..69:.90. "9  .3662:9:.335.5.951:  %6.90..0.:..

 &# .096.:.05  #&3.6063./0.#96..3./3653../3.#!  .111.067 & 09.6.#&  P 3..615. "9  ./3   '3.9 &% 65.34.#7.360..7.360.:.55./3&.51:4.02.51 65.

1..0.: 56.6.390.35.5.05  9./3&.1#!:  8.5097.9#! ' % ...6063.#96.#&  P 3.3..

90.579611/15.649:/:53.903619640:. #&069 :.:09. .:6.9569565.

0 . .119:::7.1./6/:09.52:09. 96.

655165.5/:1. #&069  #:00. .53.0#96..9.9 .6:09.6496.:..9:.9  "596.5.../379#!65.9.0:...0  #!7.96.6.

. :7.50 % .5.9155:..3%6.9.5169..9.

"9  .90: '69:/:0651065950.:. 69.5 & 09.5:9 %  995.692:1736 #& &&1 .511%6.51.9515&#5.0996.9..

/317..#&  P ..02.:50.65 .02:  .

36021/1.6491%6.65.3.335.0: :.9 .9.

.5..6.35796.:.9:  50.1.6063: #.:5..00::. #&96.

#!. #.67636#.51#:  .6461.

%%:.51#!.

9169 5.99:25.%%: %6.95.00::. "9  .496..9::. #&#! & 09.%30.51.69:  5.:.

02:  :550.65..#&  P ..:.32%% #&.%%6. .3.

..99694::...3.4.007.5535./3:71.9.96..9217. 1.02.9.5&#::5.6.517. #&069 .069. 6. %&# !6%6.050.65.0.&%905.9../333...963.31 .:519065..0 .336::55/ 9190.5 5.. #.0.9.0.51:.9.5.169.1.

854410/ !$!.

977472088.-0 :9 39071.9   .0 .-03 4/!.$ 47 #$'!!..0 :9   ! $.9 30!.

! $.

"9  . !$470 & 09.

3396.4.#&  P &09.656..:9:  6610659.9:  # #  #&69 .

.

.

.

.96..9:  :#:0 .4096.56546:20.9 56.   03..9...#96.692:631:.0.5 %: ..9 #&5694.6.6.65964. : &.5:..5115..65.0  ' #&5.

& 09. "9  .

5109:.51:69 # .#.:0..9..  99:2:195.5:  !.335659:2:/0.# P #  .6063::1.6#:3.5:.65.906550.6#  #96.657.#:0:7769. .:964#.

% .

5/7. "9  .9.119:: & 09. #&  .6.#.119::0.

979.6/31.9.95.%6..7:.0025  P 69:.

.00:: 8325809 .65 51:...33 0965.65964."&   &.9. 9: .07!8103. "9  .51:.0659.696996.%&! #.7 :07 69.96...7 & 09.473   .0659.422:3974:907!           9195807...3 .9.1 976:..9:.9/66..0659..10 :097.0.3269"&..650..10:516 .69 &69.6/ 56: 06591/69. 05.0:0659.35.5 #936970.1.9:.36369 56.51&! #.64.20   02.65:5.5..

%6.7:.95.9.979..6/31.0025  P 69:.

.33.63::.6..9:...9555"&.9..02:  '0659. 5.9.9.9.."& 56:06 966...511.9.692 53::6::0769#:0.69..0  656.3:  6:.0659.6965:097.3269"&.501 P 4...65.2. ..69.5:4....65:..1503.65097...65:.7."&   ....69: &%.692 ' ..51695.9.

065.51 9555.

:.065  6.469."&."&4..:  :06 :&".

"9  ."! & 09.

%6.9 036:1:690"&955565 #& 59 4613: 69 6.95.76::/3  #9679.6&:. 63194613:  36:1:690/.692964 & 5 .2..9.0025  P :06"&966.

3/&! #:/:.

 .

.1/.9771  ./.0.:76::/3... &0.946./3 :.333521 :..00:: .

1/<29537171.

 360.5765..9.0.90.54>  :.9.31/  5:1:06"&:6.661:.%" "!.9¾..

:06#9:: .

:::71..65 ..0.75:6 .3 .796.."&1:547.9.3. 559.

65/..0.34469 796.47369.1 "&16:56.57960::: . '645469.

51. "9  . 9.00::. #.2953 95:5:946165.6::.5 50315.49:690: & 09.:33.

2953 4469 7960::: .65::::  !6 2565 360.95.3..6&6758:. 325..76::/3.9..9..4611"&4.5173. .9.65.663:0644.62953465.0./3559461  :..0.%6.1.6.51.. .9/66..0  .0025  P :06"&966.  .2.6736.51:.5/16555.

/:51.3%#: %6.#960::69: .

.. :.35..9 .

::.663.33669 ?   & . /79.04. /.4.91:  36.15:653 5.79619::..6195.67.:631/9891 ..51.

"&.775.33.:6...514..9:.:.9  #&   . .

6936.1.! :7769./3 4613:  .

&%110.. "9  .33692565.4 & 09..1. ::06:.

.:.'.33632:.

9: "& .51 :.0: ...  "& 995.:.9:656.7:0644. P .51:..:16045. 79:5.6:0996..65 50315.

.

 80.:790 47.

5708039.9438.

80.5.

 P #0.069 995.9:6.5&0:.

.

:790 47. 80.

.8.

.470 .

90961 .7 569.65: 4.43 & 09. P $:.?191520647. "9  ...47 5.