Accessing the WAN, Chapter 4: Enterprise Network Security
ITE I Chapter 6, 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Objectives
- Describe the general methods used to mitigate security threats to enterprise networks.
- Configure basic router security.
- Explain how to disable unused Cisco router network services and interfaces.
- Explain how to use Cisco SDM.
- Manage Cisco IOS devices.

Network Security
- Hacker: a computer programming expert.
- White hat: looks for vulnerabilities in networks and reports them.
- Black hat (or cracker): tries to gain unauthorized access to network resources with malicious intent.
- Phreaker: manipulates the phone network.
- Spammer: sends large quantities of unsolicited e-mail messages.
- Phisher: uses e-mails to trick others into providing sensitive information.

Classes of threats to networks
- Unstructured threats: inexperienced individuals using easily available hacking tools.
- Structured threats: individuals or groups that are more highly motivated and technically competent.
- External threats: originate from the Internet or from dial-up access servers.
- Internal threats: someone who has authorized access to the network, with either an account or physical access.

Common types of network attack
- Reconnaissance: unauthorized discovery and mapping of systems, services, or vulnerabilities.
- Access: usually involves running a hack, script, or tool that exploits a known vulnerability of the system or application being attacked.
- Denial of Service (DoS): disables or corrupts networks, systems, or services with the intent to deny services to legitimate users.
- Malicious software: worms, viruses, and Trojan horses.

Mitigation techniques to protect against threats
Device hardening:
- Default usernames and passwords should be changed immediately.
- Access to system resources should be restricted to only the individuals who are authorized to use those resources.
- Any unnecessary services and applications should be turned off and uninstalled, when possible.
Other mitigation techniques:
- Antivirus software
- Operating system patches
- Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
The Network Security Wheel

Goals of a comprehensive security policy in an organization
A security policy includes the following:
- Identifies the security objectives of the organization.
- Documents the resources to be protected.
- Identifies the network infrastructure with current maps and inventories.
- Identifies the critical resources that need to be protected. This is called a risk analysis.

The Role of Routers in Network Security
Routers fulfill the following roles:
- Advertise networks and filter who can use them.
- Provide access to network segments and subnetworks.
Routers are definite targets for network attackers, so Cisco IOS security features need to be applied to them.

Secure administrative access
First line of defense: passwords on the console and vty lines.
Using a single password:
  R(config)# line console 0
  R(config-line)# login
  R(config-line)# password cisco
Using a local database of usernames and passwords:
  R(config)# username mark password kram
  R(config)# line console 0
  R(config-line)# login local
Second line of defense: a password on privileged mode.
  R(config)# enable secret class

Password Encryption
- Type 0: by default, Cisco IOS leaves passwords in plain text.
- Type 7: Cisco-defined encryption algorithm. Enable it with the service password-encryption global configuration command.
- Type 5: complex encryption using an MD5 hash. Replace the keyword password with secret.

Routing protocol security
- RIPv2, EIGRP, OSPF, IS-IS, and BGP all support various forms of MD5 authentication.
- Configure all interfaces not involved in routing to passive mode:
  router rip
   passive-interface default
   no passive-interface s0/0/0
Configure authentication for RIPv2:
  key chain RIP_KEY
   key 1
    key-string cisco
  ip rip authentication mode md5
  ip rip authentication key-chain RIP_KEY
Configure authentication for EIGRP:
  key chain EIGRP_KEY
   key 1
    key-string cisco
  ip authentication mode eigrp 1 md5
  ip authentication key-chain eigrp 1 EIGRP_KEY
Configure authentication for OSPF:
  ip ospf message-digest-key 1 md5 cisco
  ip ospf authentication message-digest
  router ospf 10
   area 0 authentication message-digest

Disabling Unused Cisco Router Network Services and Interfaces
TCP/IP has many vulnerabilities. Disable all services and protocols that are not actually needed.

Vulnerable Router Services and Interfaces
Global configuration mode:
  no service tcp-small-servers
  no service udp-small-servers
  no ip bootp server
  no ip finger
  no service finger
  no ip http server
  no snmp-server
  no ip name-server
  no cdp run
  no boot network
  no service config
  no ip source-route
  no ip classless
Interface configuration mode:
  shutdown
  no ip directed-broadcast
  no ip proxy-arp
  no ip unreachables
  no ip redirects

Locking down a router with Cisco AutoSecure
Use a single command to disable non-essential system processes and services, eliminating potential security threats.

The Cisco Router and Security Device Manager (SDM)
- SDM is an easy-to-use, web-based device-management tool.
- It can be installed on routers or run from a PC.
- It simplifies router and security configuration of key router virtual private network (VPN) and Cisco IOS firewall parameters.
- Smart wizards guide users step by step through router and security configuration.
- It intelligently detects incorrect configurations and proposes fixes.
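As an added example (not part of the original slides and not a Cisco tool), the audit below reads a running-config and reports the weaknesses the slides above describe: `password`-style credentials that are stored as type 0 or type 7 instead of `secret`, services from the hardening list that are still enabled, and clear-text telnet on the vty lines. The required-command lists, the `SAMPLE_CONFIG` excerpt and the policy of demanding the explicit `no ...` form are this example's own assumptions.

```python
import re
# Hardening commands from the slides, required verbatim: service defaults vary
# between IOS releases, so this constructed policy (not a Cisco tool) insists
# on the explicit "no ..." form instead of trusting defaults.
REQUIRED_GLOBAL = ["no service tcp-small-servers", "no service udp-small-servers",
                   "no ip bootp server", "no ip finger", "no cdp run", "no ip source-route"]
REQUIRED_PER_INTERFACE = ["no ip directed-broadcast", "no ip proxy-arp",
                          "no ip unreachables", "no ip redirects"]
FORBIDDEN = ("ip http server", "snmp-server")  # flagged when a line enables them
# 'password' stores type 0 (clear) or type 7 (reversible); only 'secret' is MD5.
WEAK_PASSWORD = re.compile(r"(?:enable |username \S+ )?password(?: (\d))? \S+$")
# Constructed running-config excerpt with deliberate weaknesses.
SAMPLE_CONFIG = """enable password class
username mark password kram
ip http server
snmp-server community public RO
interface FastEthernet0/0
 no ip proxy-arp
line vty 0 4
 password 7 0822455D0A16
 transport input telnet ssh
"""

def parse_config(text):
    """Group commands by context; IOS indents interface/line sub-commands by one space."""
    blocks, ctx = {"global": []}, "global"
    for raw in text.splitlines():
        if raw.split()[:1] in (["interface"], ["line"]):
            ctx = raw.strip()
            blocks[ctx] = []
        elif raw.strip() and not raw.startswith("!"):
            blocks[ctx if raw.startswith(" ") else "global"].append(raw.strip())
    return blocks

def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    blocks, findings = parse_config(text), []
    findings += [f"global: missing '{r}'" for r in REQUIRED_GLOBAL if r not in blocks["global"]]
    for ctx, lines in blocks.items():
        for line in lines:
            if line.startswith(FORBIDDEN):
                findings.append(f"{ctx}: '{line}' should be disabled")
            if m := WEAK_PASSWORD.match(line):
                findings.append(f"{ctx}: type {m.group(1) or 0} password; use 'secret'")
            if line.startswith("transport input") and "telnet" in line.split():
                findings.append(f"{ctx}: telnet allowed; restrict to ssh")
        if ctx.startswith("interface") and "shutdown" not in lines:
            findings += [f"{ctx}: missing '{r}'" for r in REQUIRED_PER_INTERFACE if r not in lines]
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the constructed excerpt yields fifteen findings; a config that carries every required line, uses `secret`, and allows only ssh on the vty lines yields none.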
Cisco SDM Interface

Configure a router to use SDM
Below is the configuration required to run SDM on a production router:
  ip http server
  ip http secure-server
  ip http authentication local
  username Student privilege 15 secret cisco
  line vty 0 4
   privilege level 15
   login local
   transport input telnet ssh

Cisco IOS Integrated File System (IFS)
- In the file system listing, * represents the current default file system and # represents the bootable disk.
- dir: lists the contents of the current default file system.
- cd: change directory.
- pwd: print the present working directory.

Backing up configuration files
The copy command is used to move configuration files from one place to another, such as RAM, NVRAM, or a TFTP server:
  copy from to
Examples:
  copy system:running-config nvram:startup-config
  copy system:running-config tftp:
  copy tftp: system:running-config
  copy tftp: nvram:startup-config

Cisco IOS File Naming Conventions
Example: c2600-i-mz.122-24.bin
- Platform: c2600
- Feature set: i designates the IP feature set
- Where the image runs and whether the file is compressed: mz
- Version number: 12.2(24)
- File extension: bin (binary)

Upgrading or Backing Up an IOS Software Image
1. Ping the TFTP server to establish connectivity.
2. Back up the existing IOS image: copy flash: tftp:
3. Check that there is sufficient flash: show flash:
4. Upload the new IOS image: copy tftp: flash: (you may be prompted to erase the existing image).
5. Reload the router: reload
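As an added example (not part of the original slides and not Cisco code), the parser below breaks an image file name of the layout described above into platform, feature set, run location/compression and version, and uses that to check that a candidate image really is an upgrade for the same platform before `copy tftp: flash:` is run. The letter tables (m = runs from RAM, l = relocatable, z = zip compressed, x = mzip compressed; i = IP, is = IP Plus, js = Enterprise Plus) and the two-digit major release assumption are this example's own.

```python
import re

# Added example, not Cisco code: parses <platform>-<feature set>-<run flags>.<version>.bin.
# The letter tables are this example's assumptions, limited to common values.
RUN_FLAGS = {"m": "runs from RAM", "l": "relocatable", "z": "zip compressed",
             "x": "mzip compressed"}
FEATURE_SETS = {"i": "IP", "is": "IP Plus", "js": "Enterprise Plus"}
IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9]+)-(?P<run>[a-z]+)"
    r"\.(?P<ver>\d{3})-(?P<maint>\d+)(?:\.(?P<train>[A-Za-z0-9]+))?\.bin$")

def parse_image_name(name):
    """Break an IOS image file name into its fields; raises on unknown layouts."""
    m = IMAGE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised IOS image name: {name}")
    # "122-24" reads as 12.2(24): assumes a two-digit major release number.
    major, minor, maint = int(m["ver"][:2]), int(m["ver"][2:]), int(m["maint"])
    return {
        "platform": m["platform"],
        "feature_set": FEATURE_SETS.get(m["features"], m["features"]),
        "run_location": [RUN_FLAGS.get(c, f"unknown flag '{c}'") for c in m["run"]],
        "version": f"{major}.{minor}({maint}){m['train'] or ''}",
        "version_key": (major, minor, maint),
        "extension": "bin",
    }

def is_safe_upgrade(current, candidate):
    """True only when the candidate is for the same platform and feature set and
    is strictly newer, so the copy does not downgrade or load a foreign image."""
    cur, new = parse_image_name(current), parse_image_name(candidate)
    return (cur["platform"] == new["platform"]
            and cur["feature_set"] == new["feature_set"]
            and new["version_key"] > cur["version_key"])
```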
Upgrading IOS Software Image

Password Recovery
- Can only be done from a console port connection.
- In a router, a configuration register, represented by a single hexadecimal value, tells the router what specific steps to take when powered on.
- Boot the router and press the break key on the terminal console to enter ROMmon.
- Type confreg 0x2142 to bypass the startup configuration.
- Type reset to reboot the router without a configuration.
- Read the passwords or set new encrypted passwords.
- Set the configuration register back to its original setting:
  R1(config)# config-register 0x2102

Security threats to an enterprise network include:
- Unstructured threats
- Structured threats
- External threats
- Internal threats
Methods to lessen security threats consist of:
- Device hardening
- Use of antivirus software
- Firewalls
- Downloading security updates
Basic router security involves the following:
- Physical security
- Updating and backing up IOS
- Backing up configuration files
- Password configuration
- Logging router activity
- Disabling unused router interfaces and services to minimize their exploitation by intruders
Cisco SDM: a web-based management tool for configuring security measures on Cisco routers.
Cisco IOS Integrated File System (IFS): allows for the creation, navigation and manipulation of directories on a Cisco device.
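As an added example (not part of the original slides and not Cisco code), the helper below decodes the configuration register used in the password recovery procedure above, shows why 0x2102 becomes 0x2142 (bit 6, ignore NVRAM, is set) and flags a router that was left with that bit set, since it would ignore its startup-config on every reload. The bit meanings are this example's reading of the Cisco register documentation and cover only a subset of the register.

```python
# Added example, not Cisco code. Bit meanings assumed from the register
# documentation: bits 0-3 boot field, bit 6 ignore NVRAM, bit 8 break disabled,
# bit 13 boot ROM image if network boot fails, bit 15 diagnostics + ignore NVRAM.
IGNORE_NVRAM = 0x0040
FLAG_BITS = {
    IGNORE_NVRAM: "ignore NVRAM (startup-config skipped)",
    0x0100: "break disabled after boot",
    0x2000: "boot default ROM software if network boot fails",
    0x8000: "diagnostic mode, NVRAM ignored",
}
BOOT_FIELD = {0x0: "stay in ROM monitor", 0x1: "boot first image in flash"}

def decode_register(value):
    """Return the boot behaviour and the set flags for a 16-bit register value."""
    return {
        "boot": BOOT_FIELD.get(value & 0xF, "boot per 'boot system' commands in NVRAM"),
        "flags": [desc for bit, desc in FLAG_BITS.items() if value & bit],
        "ignores_startup_config": bool(value & (IGNORE_NVRAM | 0x8000)),
    }

def recovery_register(value):
    """Value to enter with confreg in ROMmon so the next boot skips startup-config."""
    return value | IGNORE_NVRAM

def restore_register(value):
    """Value to write back with config-register once the passwords are reset."""
    return value & ~IGNORE_NVRAM & 0xFFFF

def audit_register(value):
    """Findings for a register read from a production router (empty = fine)."""
    findings = []
    if value & IGNORE_NVRAM:
        findings.append(f"0x{value:04X}: bit 6 set, saved config is ignored on every "
                        f"reload; set config-register 0x{restore_register(value):04X}")
    if (value & 0xF) == 0:
        findings.append(f"0x{value:04X}: boot field 0, router will stop in ROMmon on reload")
    return findings
```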