Network Infrastructure Security

Similar documents
Network Infrastructure Filtering at the border. PacNOG19 28th November - 2nd December 2016 Nadi, Fiji

Note that you can also use the password command but the secret command gives you a better encryption algorithm.

AutoSecure. Finding Feature Information. Last Updated: January 18, 2012

Network Infrastructure Filtering at the border. stole slides from Fakrul Alam

Security Hardening Checklist for Cisco Routers/Switches in 10 Steps

Fundamentals of Network Security v1.1 Scope and Sequence

Three interface Router without NAT Cisco IOS Firewall Configuration

Network Infrastructure Filtering at the border. Cyber Security & Network Security March, 2017 Dhaka, Bangladesh

Network security session 9-2 Router Security. Network II

Chapter 2. Switch Concepts and Configuration. Part II

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Teacher s Reference Manual

Network Infra Security Filtering at the Border. Network Security Workshop April 2017 Bali Indonesia

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Chapter 4. Network Security. Part I

Configuring attack detection and prevention 1

Chapter 4. Network Security. Part II

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Cisco Router Security: Principles and Practise. The foundation of network security is router security.

Russian Cyber Attack Warning and Impact on AccessEnforcer UTM Firewall

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

Configuring the Management Interface and Security

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

DoS Attacks Malicious Code Attacks Device Hardening Social Engineering The Network Security Wheel

Linux Network Administration

Chapter 11: Networks

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Objectives. Classes of threats to networks. Network Security. Common types of network attack. Mitigation techniques to protect against threats

Configuring Management Access

CCNA Security 1.0 Student Packet Tracer Manual

CSC Network Security

Chapter 10: Denial-of-Services

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Securing CS-MARS C H A P T E R

Configuring attack detection and prevention 1

Lab Guide 1 - Basic Configuration and Interface Configuration

PROTECTING NETWORK INFRASTRUCTURE - ROUTERS, SWITCHES, ETC.

Lab 7 Configuring Basic Router Settings with IOS CLI

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

Configuring Switch-Based Authentication

Firewalls, Tunnels, and Network Intrusion Detection

Network Security. Thierry Sans

EXAM - CAS-002. CompTIA Advanced Security Practitioner (CASP) Exam. Buy Full Product.

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Platform Settings for Firepower Threat Defense

Security Workshop MENOG 4 Manama, Bahrain April Merike Kaeo

Network Protocols. Security. TDC375 Autuman 03/04 John Kristoff - DePaul University 1

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

An Operational Perspective on BGP Security. Geoff Huston February 2005

Routing and router security in an operator environment

Top-Down Network Design

Cisco IPS AIM Deployment, Benefits, and Capabilities

CCNA Semester 2 labs. Labs for chapters 2 10

Global Information Assurance Certification Paper

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only.

Configuring Security Features on an External AAA Server

Module 11 Advanced Router Configuration

Indicate whether the statement is true or false.

Packet Tracer - Configuring Initial Switch Settings

Education Network Security

Implementing Firewall Technologies

co Configuring PIX to Router Dynamic to Static IPSec with

Logging. About Logging. This chapter describes how to log system messages and use them for troubleshooting.

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Deployment of Cisco IP Mobility Solution on Enterprise Class Teleworker Network

20-CS Cyber Defense Overview Fall, Network Basics

Chapter 4 Lab A: Configuring CBAC and Zone-Based Firewalls

Lab - Configuring a Switch Management Address

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

Network Security Laboratory 23 rd May STATEFUL FIREWALL LAB

IC32E - Pre-Instructional Survey

Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection

Chapter Three test. CompTIA Security+ SYO-401: Read each question carefully and select the best answer by circling it.

Module 11 Advanced Router Configuration

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Configuring a Terminal/Comm Server

Broadcast Infrastructure Cybersecurity - Part 2

CCNA Security Instructor Packet Tracer Manual

Technology Scenarios. INE s CCIE Security Bootcamp - 1 -

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

CCNA Security PT Practice SBA

MULTICAST SECURITY. Piotr Wojciechowski (CCIE #25543)

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Global Information Assurance Certification Paper

CSC 574 Computer and Network Security. TCP/IP Security

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

This document is a tutorial related to the Router Emulator which is available at:

Security+ Practice Questions Exam Cram 2 (Exam SYO-101) Copyright 2004 by Que Publishing. International Standard Book Number:

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

A Survey of BGP Security Review

CCNA Security Official Cert Guide First Edition. Copyright 2015 Cisco Systems, Inc. ISBN-10: ISBN-13:

INFS 766 Internet Security Protocols. Lecture 1 Firewalls. Prof. Ravi Sandhu INTERNET INSECURITY

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

CHCSS. Certified Hands-on Cyber Security Specialist (510)

Internet Security Introduction. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok

Transcription:

Network Infrastructure Security Workshop February 18-20, 2005 Merike Kaeo merike@doubleshotsecurity.com

Agenda (Day 1) Threat Models What Are We Protecting Against? Securing The Device Physical and Logical Connections User Authentication / Authorization Access Control Logging Information Integrity System Image / Configuration Integrity LAB Securing The Infrastructure Device SSH on LINUX and to the Router

Agenda (Day 2) Securing Data Traffic Packet Filters Encryption (IPsec vs SSL) Securing Routing Protocols Route Authentication (MD5) Filtering Policies Flap Damping Prefix Limits LAB

Agenda (Day 3) Auditing Tools Sniffers and Traffic Analyzers Vulnerability Assessment (Nessus, NMAP) Logging Information What To Log Storing Logs Mitigating DoS Attacks Blackhole /Sinkhole Routing Rate Limiting LAB

What Are Security Goals? Controlling Data / Network Access Preventing Intrusions Responding to Incidences Ensuring Network Availability Protecting information in Transit

First Step..Security Policy What are you trying to protect? What data is confidential? What resources are precious? What are you trying to protect against? Unauthorized access to confidential data? Malicious attacks on network resources? How can you protect your site?

Typical Network Components NOC Hosts Internet Corporate Network Remote Access Authentication / Syslog Servers Customer Customer

Security Services We Need To Consider User Authentication User Authorization Data Origin Authentication Access Control Data Integrity Data Confidentiality Auditing / Logging DoS Mitigation

Varying Degrees of Robustness for Security Elements Will I Go Bankrupt? Spend More Money Spend More Time Is It An Embarrassment? NEED TO DO A RISK ANALYSIS!

Risk Mitigation vs Cost of Security Risk mitigation: the process of selecting appropriate controls to reduce risk to an acceptable level. The level of acceptable risk is determined by comparing the risk of security hole exposure to the cost of implementing and enforcing the security policy. Assess the cost of certain losses and do not spend more to protect something than it is actually worth.

The Security Practices Should Include.. Physical security controls Media Equipment location Environmental safeguards Logical security controls Subnet boundaries Routing boundaries Logical access control (preventative / detective) System and data integrity Firewalls Network services Data confidentiality

The Security Practices Should Include. Mechanisms to verify and monitor security controls Accounting Management Intrusion detection Policies and procedures for staff that is responsible for the corporate network Secure backups Equipment certification Use of Portable Tools Audit Trails Incident Handling Appropriate security awareness training for users of the corporate network

Definitions (rfc 2828) Threat: A threat is a potential for a security violation, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. Threat Action (attack): an assault on system security that derives from an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system Threat Consequence: The threat consequences are the security violations which results from a threat action, i.e. an attack.

Network Attack Sources Passive vs Active Eavesdropping Scanning by injecting traffic On-Path vs Off-Path Insider vs Outsider Trusted/authorized individual causing security compromise? Deliberate vs Unintentional Unintentional causes same problems as deliberate attack

Example Active Reconnaissance Attempt 1 DNS query to figure out which web-servers available DNS Servers 2 Ping sweep to see which servers alive and accessible Intruder Web Servers 3 Port scan to see which services are available for exploitation Target Host

Off-Path, Outsider Attack: War Dialing Large Interesting Corporation 1 Intruder finds list of corporate phone numbers in phone book 2 War dialing application Initiated using phone number block 732-XXXX Intruder 4 Intruder attempts to connect to devices that answered via deceptive route 5 U N I V E R S I T Y Insecure corporate modem bank allows unauthorized access 3 Answered numbers are accessible via database

Threat Consequences (Unauthorized) Disclosure A circumstance or event whereby an entity gains access to data for which the entity is not authorized. Deception A circumstance or event that may result in an authorized entity receiving false data and believing it to be true. Disruption A circumstance or event that interrupts or prevents the correct operation of system services and functions. Usurpation A circumstance or event that results in control of system services or functions by an unauthorized entity.

Disruption Often Caused by DoS and DDoS Attacks TCP SYN TCP ACK UDP, ICMP, TCP floods Fragmented Packets IGMP flood Spoofed and un-spoofed

TCP Packet Format 0 4 8 16 31 Source TCP Port Number Destination TCP Port Number Sequence Number Acknowledgment Number Offset Reserved U A P R S F R C S S Y I G K H T N N Window Size TCP Checksum Urgent Pointer Options (if any) Padding DATA...

Basics of a DDoS Attack DDoS client DDoS handler DDoS handler DDoS handler DDoS agents Victim DDoS Traffic

Automated DDoS Attack 1 Initiate scan 2 Vulnerable hosts are compromised 3 Attack tool installed on each compromised host Attacker 4 Further scanning for compromises 4 4 5 5 Massive DDoS attack launched 5 Victim Network

DDoS Is A Huge Problem Distributed and/or coordinated attacks Increasing rate and sophistication Infrastructure protection Coordinated attack against infrastructure Attacks against multiple infrastructure components Overwhelming amounts of data Huge effort required to analyze Lots of uninteresting events

What If Router Becomes Attack Target? It allows an attacker to: Disable the router & network Compromise other routers Bypass firewalls, IDS systems, etc Monitor and record all outgoing an incoming traffic Redirect whatever traffic they desire

Router CPU Vulnerabilities CPU Overload Attacks on applications on the Internet have affected router CPU performance leading to some BGP instability 100,000+ hosts infected with most hosts attacking routers with forged-source packets Small packet processing is taxing on many routers even high-end Filtering useful but has CPU hit

Securing The Device Miscreants have a far easier time gaining access to devices than you think. Ensure that the basic security capabilities have been configured.

Fundamental Device Protection Security Practices Secure logical access to routers with passwords and timeouts Never leave passwords in clear-text Authenticate individual users Restrict logical access to specified trusted hosts Allow remote vty access only through ssh Disable device access methods that are not used Protect SNMP if used Shut down unused interfaces Shut down unneeded services Ensure accurate timestamps for all logging Create appropriate banners Test device integrity on a regular basis

Secure Access to Routers with Passwords and Timeouts line console 0 login password letmein exec-timeout 0 0 User Access Verification Password: <letmein> router> The native passwords can be viewed by anyone logging in with the enabled password NOT SECURE!

Secure Access to Routers with Passwords and Timeouts line console 0 login TACACS+ local exec-timeout 1 30 User Access Verification Password: <Ncr1pTd> router> The native passwords can be viewed by anyone logging in with the enabled password MORE SECURE!

Never Leave Passwords in Clear-Text password command Will encrypt all passwords on the Cisco IOS with Cisco-defined encryption type 7 Use command password 7 <password> for cut/paste operations Cisco proprietary encryption method secret command Uses MD5 to produce a one-way hash Cannot be decrypted Use command secret 5 <password> to cut/paste another enable secret password

Authenticate Individual Users service password-encryption enable secret 5 $1$mgfc$lSYSLeC6ookRSV7sI1vXR. enable password 7 075F701C1E0F0C0B! username merike secret 5 $6$mffc$lmnGLeC67okLOMps username staff secret 5 $6$ytjc$lchdLeC6o6klmR7s line con 0 exec -timeout 1 30 login local! line vty 0 4 exec-timeout 5 0 login local transport input ssh

Restrict Access To Trusted Hosts Use filters to specifically permit hosts to access an infrastructure device Example Access-list 103 permit tcp host 192.168.200.7 192.168.1.0 0.0.0.255 eq 22 log-input Access-list 103 permit tcp host 192.168.200.8 192.168.1.0 0.0.0.255 eq 22 log-input Access-list 103 permit tcp host 192.168.100.6 192.168.1.0 0.0.0.255 eq 23 log-input Access-list 103 deny ip any any log-input! Line vty 0 4 Access-class 103 in Transport input ssh telnet

Telnet is Insecure Avoid using Telnet if possible Telnet sends username and password information across the wire in plain text format. Do not use telnet to gain access to any of your boxes (router-to-router could be exception for troubleshooting, but limit access in these instances)

Secure Shell (SSH) Username/password information is encrypted Flexible authentication methods One-time password Kerberos Public key Allows Secure Tunneling TCP port forwarding Forward remote ports to local ones Uses TCP port 22

SSH Support Two flavors of ssh, ssh1 and ssh2 Use ssh2 if possible In general the client connecting to your ssh server will either "speak" ssh1 or ssh2 OpenSSH for UNIX www.openssh.org Supports both ssh1 and ssh2 Putty client for Windows www.chiark.greenend.org.uk/~sgtatham/putty/

Secure SNMP Access SNMP is primary source of intelligence on a target network! Block SNMP from the outside access-list 101 deny udp any any eq snmp If the router has SNMP, protect it! snmp-server community fo0bar RO 1 access-list 1 permit 127.1.3.5 Explicitly direct SNMP traffic to an authorized management station. snmp-server host fo0bar 127.1.3.5

Secure Logging Infrastructure Log enough information to be useful but not overwhelming. Create backup plan for keeping track of logging information should the syslog server be unavailable Remove private information from logs How accurate are your timestamps?

Timestamp Issues unix% tail cisco.log Feb 18 21:48:26 [10.1.1.101.9.132] 31: *Mar 2 11:51:55 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2) unix% date Tue Feb 18 21:49:53 CST 2005 unix% version 12.2 service timestamps log datetime localtime show-timezone! logging 10.1.1.2 Router>sho clock *11:53:44.764 CST Tue Mar 2 1993 Router>

Banner.what s wrong? banner login ^C Martini 2.5 ounces vodka 1/5 ounce dry vermouth Fill mixing glass with ice, add vermouth and vodka, and stir to chill. Strain into a Martini glass and garnish with an olive or lemon twist. RELAX...INDULGE...Get Off My Router!! ^C

Better Device Banner!!!! WARNING!!!! You have accessed a restricted device. All access is being logged and any unauthorized access will be prosecuted to the full extent of the law.

System Image and Configuration File Security Careful of sending configurations where people can snoop the wire CRC or MD5 validation Sanitize configuration files SCP should be used to copy files TFTP and FTP should be avoided Use tools like rancid to periodically check against modified config files

Bare Minimum Device Security Secure logical access to routers with passwords and timeouts Never leave passwords in clear-text Authenticate individual users Restrict logical access to specified trusted hosts Allow remote vty access only through ssh Disable device access methods that are not used Shut down unused interfaces Shut down unneeded services Ensure accurate timestamps for all logging Create appropriate banners Test device integrity on a regular basis

LAB Router Device Security SSH on LINUX

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback