Hardening IPv6 Network Devices

Size: px

Start display at page:

Download "Hardening IPv6 Network Devices"

Susan Bradford
5 years ago
Views:

1 Hardening IPv6 Network Devices ISP Workshos These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (htt://creativecommons.org/licenses/by-nc/4.0/) Last udated 7 th December

2 Acknowledgements This material originated from the Cisco ISP/IXP Worksho Programme develoed by Phili Smith & Barry Greene n These slides were develoed by Dean Pemberton Use of these materials is encouraged as long as the source is fully acknowledged and this notice remains in lace Bug fixes and imrovements are welcomed n Please worksho (at) bg4all.com Phili Smith 2

3 Agenda Limiting Device Access Secure SNMP Access Securing the Data Path Configuration and Archiving 3

4 Limiting Device Access 4

5 Think of ALL Devices The following roblem was reorted in 2013 and affects low-end CPEs (ADSL connections only) n Admin assword exosed via web interface n Allow WAN management (this means anyone on Internet) n Bug fixed and reintroduced deending on the firmware version The bug is quite a number of years old

6 Password Visible via Web Interface

7 How CPE are Exloited

8 Magnitude of Problem 4.5 Million CPEs (ADSL Modems) using a unique malicious DNS In early 2012 more than 300,000 CPEs still infected 40 malicious DNS servers found Could device hardening have made a difference?

9 Device Physical Access Equiment ket in highly restrictive environments Console access n assword rotected n access via OOB management n configure timeouts Individual users authenticated Social engineering training and awareness If you can touch it the device now belongs to you

10 Interface Hardening IPv4 n no i roxy-ar n no i unreachables n no i redirects n no i directed-broadcast n no i mask-rely IPv6 n no iv6 unreachables n no iv6 redirects

11 Device Access Control Set asswords to something not easily guessed Use single-user asswords (avoid grou asswords) Encryt the asswords in the configuration files Use different asswords for different rivilege levels Use different asswords for different modes of access IF AVAILABLE use digital certificate based authentication mechanisms instead of asswords

12 Secure Access with Passwords and Logout Timers line console 0 login assword console-w exec-timeout 1 30 line vty 0 4 login assword vty-w exec-timeout 5 0! enable secret enable-secret username dean secret dean-secret

13 Never Leave Passwords in Clear-Text service assword-encrytion command assword command n Will encryt all asswords on the Cisco IOS n with Cisco-defined encrytion tye 7 n n Use command assword 7 <assword> for cut/aste oerations Cisco rorietary encrytion method secret command n n n n Uses MD5 to roduce a one-way hash Cannot be decryted Use command secret 5 <assword> to cut/aste another enable secret assword

14 Management Plane Filters Authenticate Access Define Exlicit Access To/From Management Stations n SNMP n Syslog n TFTP n NTP n AAA Protocols n DNS n SSH, Telnet, etc.

15 Authenticate Individual Users username dean secret dean-secret username miwa secret miwa-secret username fs secret fs-secret username staff secret grou-secret Do NOT have grou asswords!

16 User Authentication: Good From Cisco IOS 12.3, MD5 encrytion was added for user asswords n Do NOT use tye 7 encrytion (it is easy to reverse) aaa new-model aaa authentication login neteng local username fs secret 5 $1$j6Ac$3KarJszBV3VMaL/2Nio3E. username dean secret 5 $1$LPV2$Q04NwAudy0/4AHHHQHvWj0 line vty 0 4 login neteng access-class 3 in

17 User Authentication: Better Use centralised authentication system n RADIUS (not recommended for system security) n TACACS+ aaa new-model aaa authentication login default grou tacacs+ enable aaa authentication enable default grou tacacs+ enable aaa accounting exec start-sto grou tacacs+! i tacacs source-interface Looback0 tacacs server IPv6-TP address iv6 2001:DB8::1 key CKr3t# tacacs server IPv4-TP address iv key CKr3t# line vty 0 4 access-class 3 in

18 Restrict Access To Trusted Hosts Use filters to secifically ermit hosts to access an infrastructure device Examle: i access-list extended VTY ermit tc host eq 22 log-inut ermit tc host eq 22 log-inut ermit tc host eq 23 log-inut deny i any any log-inut! line vty 0 4 access-class VTY in transort inut ssh telnet

19 Using an SSH Jumhost Peer Customer Conference Net 1 1. SSH to NOC 2. SSH to router Syslog, TFTP, AAA, DNS, SMTP 2 NOC NetFlow, SNMP

20 Banner What Is Wrong? banner login ^C You should not be on this device. ^C Please Get Off My Router!!

21 More Aroriate Banner!!!! WARNING!!!! You have accessed a restricted device. All access is being logged and any unauthorized access will be rosecuted to the full extent of the law.

22 Device OOB Management Out-of-band device management should be used to ensure DoS attacks do not hinder getting access to critical infrastructure devices Dial-back encryted modems are sometimes still used as backu

23 Device Management Common Practice (1) SSH used exclusively n Do NOT use Telnet, not even from Jumhosts HTTP and HTTPS access exlicitly disabled All access authenticated n Varying assword mechanisms n AAA usually used Different servers for in-band vs OOB Different servers for device authentication vs other Static username w or one-time w n Single local database entry for backu

24 Device Management Common Practice (2) Each individual has secific authorization Strict access control via filtering Access is audited with triggered ager/ notifications SNMP is read-only n Restricted to secific hosts n View restricted if caability exists n Community strings udated every days

25 Turn Off Unused Services Global Services n no service finger (before Cisco IOS 12.0) n n n n n n no i finger no service ad no service ud-small-servers no service tc-small-servers no i boot server no cd run Interface Services n n n n no i redirects no i directed-broadcast no i roxy ar no cd enable

26 Secure SNMP Access 26

27 Secure SNMP Access SNMP is rimary source of intelligence on a target network! Block SNMP from the outside access-list 101 deny ud any any eq snm If the router has SNMP, rotect it! snm-server community fo0bar RO 8 access-list 8 ermit Exlicitly direct SNMP traffic to an authorized management station. snm-server host fo0bar

28 Secure SNMP Access iv6 access-list SNMP-PERMIT ermit iv6 2001:DB8:22::/64 any ermit iv6 any 2001:DB8:22::/64! no snm community ublic no snm community rivate! snm-server enable tras snm-server enable tras snm authentication snm-server enable tras snm coldstart snm-server tra-source Looback0 snm-server community v6comm RO iv6 SNMP-PERMIT

29 SNMP Best Practices Do not enable read/write access unless really necessary n Read for access by Networking Monitoring System (eg LibreNMS) n Write never! Choose community strings that are difficult to guess n Use same algorithm as for asswords Limit SNMP access to secific IP addresses Limit SNMP outut with views

30 Secure Logging Infrastructure Log enough information to be useful but not overwhelming. Create backu lan for keeing track of logging information should the syslog server be unavailable Remove rivate information from logs How accurate are your timestams? n NTP needs to be configured n Synchronise with trusted time sources, eg ool.nt.org or GPS receivers

31 Fundamental Device Protection Summary Secure logical access to routers with asswords and timeouts Never leave asswords in clear-text Authenticate individual users Restrict logical access to secified trusted hosts Allow remote vty access only through ssh Disable device access methods that are not used Protect SNMP if used Shut down unused interfaces Shut down unneeded services Ensure accurate timestams for all logging Create aroriate banners Test device integrity on a regular basis

32 Securing the Data Path 32

33 Securing The Data Path Filtering and rate limiting are rimary mitigation techniques Edge filter guidelines for ingress filtering (BCP38/BCP84) Null-route and black-hole any detected malicious traffic Netflow is rimary method used for tracking traffic flows Logging of Excetions

34 Data Plane (Packet) Filters Most common roblems n Poorly-constructed filters n Ordering matters in some devices Scaling and maintainability issues with filters are commonlace Make your filters as modular and simle as ossible Take into consideration alternate routes n Backdoor aths due to network failures

35 Filtering Deloyment Considerations How does the filter load into the router? Does it interrut acket flow? How many filters can be suorted in hardware? How many filters can be suorted in software? How does filter deth imact erformance? How do multile concurrent features affect erformance? Do I need a standalone firewall?

36 General Filtering Best Practices Exlicitly deny all traffic and only allow what you need The default olicy should be that if the firewall doesn't know what to do with the acket, deny/dro it Don't rely only on your firewall for all rotection of your network Imlement multile layers of network rotection Make sure all of the network traffic asses through the firewall Log all firewall excetions (if ossible)

37 Ingress Filtering iv6 access-list INBOUND-iACL remark Permit the legitimate signaling traffic (BGP, EIGRP, PIM) ermit tc host 2001:db8:20::1 host 2001:db8:20::2 eq bg ermit tc host 2001:db8:20::1 eq bg host 2001:db8:20::2 ermit 88 any any ermit 103 any any remark Permit NDP ackets ermit icm any any nd-na ermit icm any any nd-ns ermit icm any any router-advertisement ermit icm any any router-solicitation remark Deny RH0 and other unknown extension headers deny iv6 any any routing-tye 0 log deny iv6 any any log undetermined-transort remark Permit the legitimate management traffic ermit tc 2001:db8:11::/48 any eq 22 ermit tc 2001:db8:11::/48 any eq www ermit ud 2001:db8:11::/48 any eq snm remark Deny any ackets to the infrastructure address sace deny iv6 any 2001:db8:2222::/48 deny iv6 any 2001:db8:20::/48 ermit iv6 any any! interface FastEthernet 0/0 descrition Connection to outside network iv6 address 2001:db8:20::2/64 iv6 traffic-filter INBOUND-iACL in

38 RFC2827 (BCP38) Ingress Filtering If an ISP is aggregating routing announcements for multile downstream networks, strict traffic filtering should be used to rohibit traffic which claims to have originated from outside of these aggregated announcements. The ONLY valid source IP address for ackets originating from a customer network is the one assigned by the ISP (whether statically or dynamically assigned). An edge router could check every acket on ingress to ensure the user is not soofing the source address on the ackets which he is originating.

39 But What About Egress Filtering? In theory, certain addresses should not be seen on the global Internet In ractice they are, and filters aren t being deloyed (even when caability available) iv6 access-list DSL-iv6-Outbound ermit iv6 2001:DB8:AA65::/48 any deny iv6 any any log interface atm 0/0 iv6 traffic-filter DSL-iv6-Outbound out

40 Agenda Item Configuration and archiving

41 System Images and Configuration Files Careful of sending configurations where eole can snoo the wire n CRC or MD5 validation n Sanitize configuration files SCP should be used to coy files n TFTP and FTP should be avoided Use tools like RANCID to eriodically check against modified configuration files

Software and Configuration Ugrade / Integrity Files stored on secific systems with limited access All access to these systems are authenticated and audited SCP is used where ossible; FTP is NEVER

42 Software and Configuration Ugrade / Integrity Files stored on secific systems with limited access All access to these systems are authenticated and audited SCP is used where ossible; FTP is NEVER used; TFTP still used Configuration files are olled and comared on an hourly basis (RANCID) Filters limit uloading / downloading of files to secific systems Many system binaries use MD-5 checks for integrity Configuration files are stored with obfuscated asswords

43 Infrastructure Security Summary Every device in your network could be exloited so make sure to harden them all (esecially change default username/asswords) n Printers, tablets, CPE s, etc Understand what you are sending in the clear from sending device to reciient and rotect where needed Log and audit for trends since sometimes an abnormality can show the start of reconnaissance for a later attack

44 Hardening IPv6 Network Devices ISP Workshos 44

Network Infrastructure Filtering at the border. PacNOG19 28th November - 2nd December 2016 Nadi, Fiji

Network Infrastructure Filtering at the border PacNOG19 28th November - 2nd December 2016 Nadi, Fiji Issue Date: [Date] Revision: [XX] What we have in network? Router Switch CPE (ADSL Router / WiFi Router)