PROTECTING NETWORK INFRASTRUCTURE - ROUTERS, SWITCHES, ETC.

Size: px

Start display at page:

Download "PROTECTING NETWORK INFRASTRUCTURE - ROUTERS, SWITCHES, ETC."

Randall Arnold
6 years ago
Views:

1 PROTECTING NETWORK INFRASTRUCTURE - ROUTERS, SWITCHES, ETC.

2 Configuration Corrupt Config Database RADB Intercept Configuration Transport Transport Attacks Trojan Horses in Code Network Infrastructure 2

3 DDoS is Continual Every Day in Large Networks Mitigation Techniques such as Black Hole but as the last resot Filter & Patch is all you can do Network Infrastructure 3

4 ACL- Access Control Lists NTP ACL SNMP ACL VTY ACL Try using NAMED Access List Control makes the work of a Network Admin easier

5 NTP ACLS Creative Commons: Attribution-NonCommercial-! Core NTP configuration ntp server ! ntp.psg.com ntp server ! rip.psg.com ntp server ! psg.com! ntp source Loopback0! access-list 46 remark utility ACL to block everything access-list 46 deny any! access-list 47 remark NTP peers/servers we sync to/with access-list 47 permit access-list 47 permit access-list 47 permit access-list 47 deny any!! NTP access control ntp access-group query-only 46! deny all NTP control queries ntp access-group serve 46! deny all NTP by default ntp access-group peer 47! permit sync to peer(s)/server(s) ntp access-group serve-only 46! deny NTP time sync requests ntp authenticate! enable NTP authentication ntp authentication-key [key-id] md5 [hash]! define a NTP authentication key Network Infrastructure 5

6 Routing was Designed With no Concern for Security Attacks can be Close or Remote, e.g. YouTube Incident IS-IS a bit Less Vulnerable as it is not Over IP, it is CLNP Use MD5 Auth for Authentication Other Protections Very Active in IETF Network Infrastructure 6

7 Assume Monkeys are in the Middle Authenticate all Control Traffic, MD5 or Stronger Teach Customers to Encrypt: https, imaps, ssh, WPA2 (enterprise) on WiFi Use BGP TTL Security TransportAttacks Network Infrastructure 7

8 MD5 AUTHENTICATION neighbor remote-as 2914 neighbor description variuo customer aggregation neighbor password E Protects against MITM resets Fake Peers

9 IS-IS Is Layer-2, CLNP, not Layer-3 So Can Not be Attacked Remotely Has Other Advantages over OSPF, such as Scaling to 1,000 routers Most Larger Providers Run IS-IS Network Infrastructure Creative Commons: Attribution-NonCommercial- ShareAlike 9

10 Occasional New Ones Usually against ASN.1 Network may be Mapped Traffic may be Monitored Configuration may be Changed Use ACLs on What Host may SNMP Defense is Using SNMPv3 which is Encrypted Network Infrastructure 10

11 SIMPLE SNMP PRECAUTION! snmp pollers Ip access-list standard v4snmp-access permit host Deny ip any any snmp-server enable (for all traps) snmp-server enable traps bgp snmp-server enable traps config snmp-server enable traps envmon snmp-server community <secret> RO v4snmp-access Creative Commons: Attribution-NonCommercial- ShareAlike Network Infrastructure 11

12 RECOMMENDED SNMP V3 The security features provided in SNMPv3 are as follows: Message integrity--ensures that a packet has not been tampered with in transit. Authentication--Determines that the message is from a valid source. Encryption--Scrambles the content of a packet to prevent it from being learned by an unauthorized source. Configuration Example on a CISCO IOS Snmp-server group <group name> <version(v3)> <Pri> Snmp-server user <username> <group name> <version> auth <MD5> <key> pri <DES><key> Obviously you will need to configure the Read/Write String as well as the SNMP Server Host.

13 Configuration Tapping Configuration Session Stealing Password Stealing Configuration Intercept Configuration Transport DO NOT USE Telnet Configure Over ssh Restrict ssh to Special Hosts Network Infrastructure 13

14 SSH ACCESS CONTROL LIST line vty 0 4 secret 5 071C205F C5C exec-timeout 0 0 transport input ssh access-class vty4 in ipv6 access-class vty6 in transport preferred none ip access-list standard vty4 permit permit permit ! ipv6 access-list vty6 permit ipv6 2001:418:1::/48 any Cisco password encryption is trivial to attack So protect your configurations! Creative Commons: Attribution-NonCommercial- ShareAlike Network Infrastructure 14

15 SSH ACCESS LIST WITH TACACS SERVER POSSIBLY USE A TACACS SERVER FOR CENTRALIZED LOGIN TO THE DATA COMM DEVICES. AAA- AUTHORIZATION, AUTHENTICATION AND ACCOUNTING CREATE MULTIPLE USER WITH DIFFERENT USER PRIVILEGE TACACS Server ip access-list standard v4vty-access Permit ip Deny any log (log is optional) line vty 0 4 exec-timeout 0 0 transport input ssh access-class v4vty-access in transport preferred none

16 AAA Configuration CISCO IOS - Example aaa new-model aaa authentication login default group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ local if-authenticated aaa authorization commands 1 default group tacacs+ if-authenticated aaa authorization commands 15 default group tacacs+ local if-authenticated aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+

17 tacacs-server directed-request tacacs server <Name> address ipv4 X.X.X.X key <key/password> timeout 50 ip tacacs source-interface lo0 ip access-list standard v4vty-access Remark <anything that is easy for you to remember> Permit < ip of the Tacacs Server> Permit < Networks what you want to ssh from> Deny ip any any

18 EXAMPLE OF LOG FILE STORED IN THE TACACS SERVER Sep 3 18:08:12 <destined IP> <username> vty1 <Source IP> start task_id=0 timezone=6 service=shell protocol=ssh Sep 3 18:10:13 <destined IP> <username> vty1 <Source IP> stop task_id=0 timezone=6 service=shell disc_cause=1 disc_cause_ext=1022 bytes_in=0 bytes_out=0 paks_in=0 paks_out=0 elapsed_time=120

Security Hardening Checklist for Cisco Routers/Switches in 10 Steps

Security Hardening Checklist for Cisco Routers/Switches in 10 Steps Network infrastructure devices (routers, switches, load balancers, firewalls etc) are among the assets of an enterprise that play an