Basic Network Security

Transcription

1 Basic Network Security

2 Basic Network Security Split up the attack surfaces. Management Plane Control Plane Data Plane

3 Management Plane Protecting your access

4 Physical Security Talking about your equipment. This includes; Routers and Switches. Network and Power cables. UPS s and Racks.

5 Physical Security Can people steal your equipment Can they get physical access to it Can they get to your cables If people can steal your equipment, that s going to cause an outage. * Happened at Citylink * *

6 Verizon

7 O2

8 Physical Security Physical access? So maybe they can t take off with the equipment. If people can steal your equipment, that s going to cause an outage. * Happened at Citylink * *

9 Cabling Running tidy cabling is a network stability issue. Using cable bars to run cables helps to prevent accidental pulls of copper cables or macro bends of optical cables.

10 Cabling Don t use zip ties to attach cables, or staple guns. Use Velcro cables, easier and less likely to damage the cable. Also doesn t require cable snips to remove. Make tidy cabling easy, then it will be easier to keep tidy.

11 Cabling Label the cable! Prevent accidental unplugging of cables. Also makes it easier to detect cabling that isn t yours.

12 What are the attack vectors? * Console cable. Connect to the console. * Flash card. Could cause problems during a reboot. What are the dangers?

13 What are the attack vectors? * Attacked from within, messy cables, unplug the wrong one. * Unsecured, you could bump one. * Are they all supposed to be there. What are the Dangers?

14 Attacking Cables? Yup, even the cables are an attack vector. But how? Which is more difficult to pull a passive signal off? Fibre or Copper?

15 Passive fibre tap? It s possible to detect this type of cable tapping, but requires very strict monitoring.

16 Even the equipment

17 Even the equipment Note the MON ports in the above diagram. You can only detect this by auditing the ports.

18 Physical Security No one expects you to secure all of it. It s just not feasible. I just want you to think about it. Perhaps think about where your management cables run, locking your cabinets.

19 Management Plane Protection What is the Management Plane? A step back, let s look at router architecture.

20 The CEF table provides all the adjacency data for the forwarding hardware. Management Plane

21 The CEF is filled with data from the CPU Management Plane

22 Transit packets are forwarded only by the hardware plane. No CPU required. Management Plane

23 Management Plane This called the received path, so packets are destined for the router. Traffic to local IP addresses, non-ip traffic like CDP, ISIS and OSPF. Traffic like ICMP, BGP, SSH management. show ip cef details.

24 Management Plane Then there is punt traffic. It s not destined for the router, but still gets sent to the CPU for processing because it s not just getting forwarded. ACL logging. Cisco IOS firewall. IP Options set. Fragmentation required. ICMP unreachable generation required, MTU or TTL. Malformed packets.

25 Management Plane So when we talk about the Management plane we are talking about protecting the CPU

26 Management Plane Packets are processed on the onboard CPU (which is slow). The same CPU that processes BGP updates and OSPF convergence. Passes straight the dedicated routing hardware. So it s best to use ACL s on the edge to drop unwanted management traffic. That way the least amount of traffic is processed on the management CPU.

27 Management Plane There s no reason to not enable CEF. (bugs not included) You can examine your CEF forwarding information with show cef... and show ip cef show cef interface show ip cef switching statistics show ip cef detail (warning, lots of output)

28 Management Plane This makes the management plane a good target for disrupting the device s operation. How can that be done?

29 Points of Attack

30 Points of Attack

31 Remote Engineers Enforce the use of cryptography SSH, VPN, anything and everything.

32 Management Plane Telnet SSH SNMP HTTP MOP TFTP... Protection Things that effect your ability to interact and configure with the router. show ip socket show tcp brief all

33 Minimise Services Don t run what you don t need. Need to know, for services.

34 Software Upgrades Try to remain as up to date as possible. There are reasons they release new revisions of software. Bug fixes Security enhancements

35 Software Upgrades In 2014 Cisco 23 Juniper 5 In 2015 Cisco 16 Juniper Only Vuls 9 and above.

36 Software Upgrades vendor_id=16&product_id=&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc =0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=9&cvssscoremax=0&year=2015&month=0&cweid=0&order=1&trc=488&sha=dbf bb02772d29ab0c96d2e1efd9f098060

37 Software Upgrades vendor_id=874&product_id=&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmem c=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=9&cvssscoremax=0&year=2015&month=0&cweid=0&order=1&trc=29&sha=b84fe596 d9f6ac189d431b73cd0b7a46f830869a

38 Encrypted Passwords service password-encryption Don t use password <password> Type 7, reversible, on purpose. Type 5, MD5 hash. Type 4, SHA-256. Why? Demo? F MD5 hash brute forcing with Cain and Abel, John the Ripper <-- ATI HD 5970 peaks at 5600M/s MD5 hashes PBKDF2

39 Type 5 vs Type 4 Type 5, seed + password hashed 1000 times with MD5. Type 4, (PBKDF2) 80 bit seed + password hashed 1000 times with SHA-256. Except without the seed, Or 999 of the hashes :( So try to avoid type 4.

40 Encrypted Passwords Why is it a problem? Google this; inurl:"startup-config" username "secret 5" inurl:"startup-config" username "password 7" How does it get out there? Perhaps your techs are leaking it, perhaps your vendors are. It s just a matter of time before SHA-256 is cracked or GPU s become fast enough.

41 Cracking Hashes You can do it on a CPU. slowly. Using a GPU can speed it up by times. If it s worth money, just provision a Amazon EC2 instance. Free (Assuming it s not your Credit Card.) Each core on my Mac Mini can do about 11,000 hashes a second. A CPU can speed that up by

42 Encrypted Sessions Telnet is dead, long live telnet. use SSH, everything supports it. For Windows, SecureCRT or PuTTy For Mac OS X or Linux it s baked in.

43 SSH advantages. The session is encrypted. The end point is verified. Can be used for authentication. Tapping a link won t recover the information if the data is encrypted. Makes man in the middle attacks a lot more difficult. Password-less log ins. Does everyone understand how these crypto-schemes work?

44 SNMP Security Check your equipment isn t using the community public and/or private. Allow traffic only from the management network. Use SNMPv3 it has encryption. I have seriously seen equipment like UPSs and environmental monitoring systems with community strings like that. I suggest a multiple step approach, make the management traffic unrouteable, block it at the edges AND at the device. Allocate infrastructure out of a single grouped range. Use SNMPv3 if possible, more complicated, but SNMPv2 is like telnet to SNMPv3 ssh like encryption.

45 SNMP default?

46 MOP What is it? Maintenance Operation Protocol. Layer 2 protocol, MAC to MAC. It allows remote rebooting and console! Enable by default since Based on DECnet a pure layer 2 protocol, it allows remote console Why is that dangerous?

47 What other services CDP LLDP TFTP FTP DNS NTP are there?

48 CDP Cisco Discovery Protocol It enables SNMP like functionality over layer two. It is active, in that it sends out beacons advertising itself. But also accepts and processes CDP packets. No authentication. It allows for advertising SNMP contact details. The intended result is to allow nearby switches and routers to identify each other. Making it very easy to map the network. But there s no authentication, so if it s enabled on a customer port the customer or competitor can start to map your network and find useful things like management addresses. Also provides the Software version of the device. Also it s possible to attack the protocol

49 CDP

50 CDP

51 LLDP Link Layer Discovery Protocol Very similar to CDP, but cross platform. Provides more information than CDP. Still active, processes LLDP packets. No authentication. It s a cross platform replacement for CDP, different in operation. Provides the following; Port description. System Name. System Description. System Capabilities. Management Address! Port VLAN ID. PHY Configuration Status. LLDP-MED has even more

52 TFTP Trivial file transfer protocol. Used for transferring small files over a network. No authentication. Unreliable. What are you sharing with it? IOS images? configuration?

53 FTP File Transfer Protocol More reliable. Has authentication. Uses TCP, which is an attack vector.

54 DNS Domain Name System Simple and generally reliable. Could be subverted and used for man in the middle attacks. Can also be used to trigger buffer overflows.

55 NTP Network Time Protocol Used for providing synchronised time over a network, to other networked devices. If subverted can be used for replay attacks, or be used to confuse log files. Also break billing data.

56 Reduce your attack surface Your management network is not a public service. Be aware of your configuration. Restrict access.

57 Management Plane Protection Feature Not supported on our simulated routers. :( Designate interfaces as management interfaces via CLI command Device only accepts management traffic on a management interface Simplifies using interface ACLs Protocol support: SNMP (all versions), HTTP, HTTPS, FTP, TFTP, Telnet, SSH (v1 and v2) Interfaces supported: physical, sub-interfaces, tunnel (GRE/VTI) Does not impact traffic that is switched/routed through the device

58 Management Plane Protection Feature! control-plane host management-interface Gi 0/3 allow ssh snmp!! Simple to setup.! Allows SSH and SNMP to the local system only via that interface.! Drops all traffic to the local system on all other ports.!

59 Management Plane Protection Feature router#show management-interface Management interface GigabitEthernet0/3 Protocol Packets processed ssh 0 snmp 0

60 Routers individually secured. No overall filtering done. Filter done on the Router CPU? One Method

61 Defence in depth. Layers. Routers looking after each other. Better Method Every router acts like bouncer for the whole network. Filtering traffic as soon as possible reduces dodgy traffic in the core.

62 Access Control Out of band network Make sure no other traffic runs over it. Make sure only management interfaces are in the network. Monitor the edge to make sure it doesn t leak.

63 What is an OOB An Out Of Band network is a separated network from you public, traffic carrying infrastructure.

64 OOB

65 OOB

66 Service DoS or Router crash OOB

67 Fault, or mis-configuration. OOB

68 OOB

69 OOB

70 OOB

71 Why OOB? Running a separate OOB path helps with; Leaking management information. DoS attacks. Mis-Configuration Device Faults Also assists in diagnostics. Reducing response time and cost. costs in SLA pay outs and in not having to send a tech onto site to troubleshoot.

72 Separate OOB Network Using RFC 1918 address space, or unrouted address space is safest. Don t make it a wish list, make it a project. If you have your own network it can be super cheap to deploy. No need for QOS or advanced provisioning profiles. So the equipment can be cheap.

73 Got OOB? some tips. Make it impossible to route customer traffic across. Really impossible. It should be more reliable than your network. But less strict SLAs. Via another provider? use encryption. Terminal servers for direct console is good for crashes. Talk about my previous employers network. If you have fibre, cheap as chips SFPs in a cheap switch. Dial up? ADSL? Cellular Data.

74 Previous Employer We used cheap level one switches with fibre SPFs. Total cost less than $200USD each including SFPs. It was possible to manage but we choose not to, just an address and changed the default username and password.

75 Previous Employer We built a nation wide network gigabit network for less than $4000! (not including installing 800kms of fibre) We later upgraded to Cisco routers for routing when we wanted to use loops for automatic resilience. Kept the switches.

76 Can t get an OOB Use IPSEC tunnels between sites. Filter all traffic at the edge. Don t let your management run unprotected over someone else s network. Have more than one IPSEC box. Perhaps try for dial in terminal servers. Double check you can t. If it s running over someone elses network then it s inside your core and management domain.

77 Public Address Space Filter the traffic to your infrastructure addresses at the border. At every ingress point, customer and peer. Much more difficult to get right. So don t do it.

78 Either way You ll still need to audit the address space. If you have a OOB, you need to audit the network too. Need to be on the lookout for rogue hardware. But also for WAP s that people might add :(

79 Address Allocation In security?

80 Addressing as Security Allocate your addressing in blocks. Allocate customer addresses per POP. Make sure the allocations will scale to your network. The APNIC recommendation is to allocate customer space from the bottom and infrastructure from the top of your space. don t make allocations too small or else you ll need to make more allocations and then they won t be contiguous.

81 Graphically /16 Customer allocations Infrastructure allocations / /22

82 Example? /16 Total allocation Infrastructure assignments /27 - Loopbacks /26 - Linknets Customer allocations by site /24 - London - Linknets /23 - London - Customer assignments /24 - Frankfurt - Linknets /23 - Frankfurt - Customer assignments...

83 So how does this help? ACL s and configuration.

84 This is why /16 is you covering announcement to everyone /22 - London peers and IX s /22 - Frankfurt peers and IX s /24 - Filtered on all borders (that includes customers).

85 This is why. Smaller more compact prefix lists. Smaller means easier to read. Easier to read means easier to get right.

86 AAA Or how I learned stop worrying and love big brother.

87 AAA What is AAA? It s a centralised method of enforcing user based policy. Not just for usernames and passwords. Can be used for network policy enforcement. Dial up x Can also be used for user policy on routers.

88 Triple A What do the A s stand for? Authentication. Authorisation. Auditing.

89 Authentication Please sir, can I log on? SSH keys username and password. 2-Factor authentication. 2-factor, RSA, text to cellphone, etc.

90 Authorisation Only once you have access. What am I permitted to do? What commands can I run? What resources can I see? From assigning a privilege level on log in, to asking for an enable password, to per command authentication.

91 Auditing Event logging. Accounts getting logged in to. What privileges are requested. What commands are run. The logs can helpfully include the remote address that the connection is coming from.

92 TACACS++ Cisco s triple A solution.

93 TACACS Terminal Access Controller Access-Control System

94 No TACACS+

95 No TACACS+ Very basic. You could set up privilege levels. Assign commands to privilege levels. Assign users to those privilege levels. Configure on EVERY DEVICE.

96 Centralised Authentication

97 With TACACS+ Policy is recorded and stored on a central device. Adding, removing or modifying a user doesn t require touching every device! Per command authorisation! Per command logging!

98 But TACACS+ becomes an important service. So protect it, never run it on a public IP address. Certainly don t put it outside your network or put in the cloud.

99 TACACS+ Your AAA server should be protected for obvious reasons. What happens when it goes down? Got a Plan B?

100 Our Plan B We need to retain access.

101 Plan B We need a second source of credentials to use. We don t want them to be usable during normal operation, only during failures.

102 Plan B In the case of the AAA server becoming unreachable, we ll use a local username and password. It shouldn t use the local username and password if the AAA server returns access denied The local statically configured username and password should be changed regularly. The username and password should be stored in the jump kit.

103 Quizz What are the physical security dangers? What does SNMP stand for? What is the management plane? What does triple A stand for? What does OOB stand for? Time for something technical? What are the three encryption functions?