William Stallings, Cryptography and Network Security 3/e - PowerPoint 8 by HC12083104287


									                 – Chapter 3 –
               Device Security (B)
• Security of major devices:
  How to protect the device against attacks aimed at compromising
  the device itself
   – Routers
   – Firewalls
   – Switches
   – Authentication servers
   – wireless access points
   – …

                           Network Security                         1
Steps to secure a router:
1.   Backup of configuration             8. Controlling SNMP as a
     files and the router                   management protocol
     software                            9. Controlling HTTP as a
2.   Controlling access to the              management protocol
     router (tty, vty ports)             10.Using CEF as a switching
3.   Securing access to the
     router (via SSH)                    11.Setting up the scheduler from
                                            a security perspective
4.   Password management
                                         12.Using the Network Time
5.   Logging events on the                  Protocol (NTP)
     router                              13.Login banners
6.   Disabling unnecessary               14.Capturing core dumps
     services                            15.Using service nagle to
7.   Using loopback interfaces              improve Telnet access during
                                            high CPU events
                                 Network Security                           2
 2. Controlling access to the router
• A tty port is physically connected to a terminal or
  workstation for local administrative access to the
• An aux ports, similar to a tty port, is connected
  to a modem for remote out-of-band
  administrative access to the router.
• A vty (virtual tty) port is used to allow remote in-
  band connection sessions, via telnet, ssh, or
• See http://www.netbook.cs.purdue.edu/othrpags/qanda272.htm for Q&A on
  “out-of-band” network management.

                             Network Security                         3
  Vulnerabilities of tty or aux ports
• A tty or aux port may suffer reverse telnet
  attack, where the terminal server connected to
  the tty port or the modem connected to the aux
  port of the router is used by the attacker (as a
  remote client) to access the router.
• Reverse Telnet (as defined in Wikipedia)
• Check out this link to see an illustration of using
  ‘reverse telnet’ to remotely access a router.
  (diagrams below)

                      Network Security                  4
Normal telnet

   Network Security   5
Reverse Telnet

    Network Security   6
      Reverse Telnet (cont.)

• Another example:
  What is Reverse Telnet and how do I
   configure it?

                  Network Security      7
  Vulnerabilities of tty or aux ports
• Solution?
  – Disable the console port
     Line con0
      transport input none
  – Allow only SSH access to a router’s console port (a
    feature added to IOS v12.2 or higher)
     Line con0
      login authentication default
      rotary 1
      transport input ssh
     ip ssh port 2001 rotary 1
     • Requirement: The router must be set up as a SSH server.

                             Network Security                    8
                Controlling vty access
1.       Restricted access: Only allow the protocols that will be
         used by the network admin
     •      Since Cisco IOS v11.1, the default is none.
     •      Example: To allow only telnet and ssh connections
           line vty 0 4
             transport input telnet ssh
2.       Only addresses in the ‘access list’ are allowed to
         connect: access-class, access-list (See example 3-6)
3.       Short timeouts:
     •     The default timeout value is 10 minutes. To set it to 5 min. 30
           line vty 0 4
             exec-timeout 5 30
4.       Authentication for vty access: either local or RADIUS
         authentication (preferred).
                                Network Security                             9
    3. Securing access to the router using
•     IPsec VPN client (preferred; more details in Ch 13)
     – Two cases:
        A. The VPN client access a back-end LAN (the
           destination) by building a tunnel between itself and
           a router (the IPsec gateway), behind which the
           LAN is located.
        B. The VPN client is used to remotely administer the
           router, which is both the gateway and the
•     SSH: Only SSH v1 is supported by Cisco IOS
           Example 3-11

                          Network Security                  10
          4. Password Management

•   Passwords stored on the router should be
    properly encrypted.
•   The default password-encryption is either type
    0 (clear text passwords) or type 7 (weak
•   Use the enable secret command to activate
    MD5 when encrypting passwords.
•   Example 3-12

                     Network Security            11
         5. Logging events

• Advantages: Allows auditing and tracking
   forensics (in case of an attack)
  performance tuning (maintenance)
• Requirement:
  good time stamping  using NTP
• Example: 3-13

                   Network Security          12
6. Disable unnecessary services
• If a service is not being actively used on a
  device, it should be disabled.
• Otherwise it may be used as a back door
  for the attacker to gain access to the
• Sample services to be disabled: Table 3-1
  TCP small servers, UDP small servers, Finger
   server, …
                   Network Security              13
   7. Using loopback interfaces
• Advantages: Enable a block of IP addresses to
  be assigned to be used by loopback.
  – All routers can be forced to use these loopback IP
    addresses as source addresses when accessing the
  – The servers can then also be locked down to allow
    access only from this block of IP addresses.
• Accesses from addresses outside this block are
• Example 3-14
                      Network Security                   14
    8. Controlling SNMP (as a
      management protocol)
• SNMP can be used in read-only and ‘read
  and write’ modes
• Unless necessary, use read-only mode on
• The ‘read and write’ mode allows the
  admin to modify the router’s configurations
  via SNMP.
• Access into the network via SNMP should
  be blocked at the network’s boundary.
                  Network Security          15
    8. Controlling SNMP (as a
      management protocol)
• Security of SNMP:
  – v1 and v2 use ‘community strings’ as the only
    authentication mechanism. (Not secure)
  – v3 is more secure by providing MD5 or SHA
    for authentication, and DES for encryption.
• SNMP v3: threats vs protections (p.65)

                    Network Security            16
    9. Controlling HTTP (as a
     management protocol)
• Unless necessary, HTTP access to the
  router should be disabled.
• Admin access to the router via HTTP
  should be secured, by activating
• Example: 3-19

                 Network Security        17
  10. Using CEF as a switching
• Cisco Express Forwarding
• Routers using the traditional switching mechanisms need
  to update routing caches when packets destined for new
  addresses arrive.
• SYN floods and DDoS attacks use a large number of
  random or pseudo-random IP addresses as ultimate
• CEF replaces the normal routing cache with a data
  structure that mirrors the entire routing tables.
• It does away with the need to update the cache each
  time a new IP address needs to be routed to.
                       Network Security                18
     11. Using the scheduler
• scheduler allocate
• scheduler interval
• To prevent the router from becoming too
  busy responding to the interrupts on its
  interfaces due to the large number of
  packets arriving  large-scale network
  attack, esp. a DDoS attack
• Example 3-21
                  Network Security           19
            12. Using NTP
• Network Time Protocol
• Critical for services requiring good time
  stamping: logging, AAA, Kerberos, …
• Challenge: authentication between
  devices exchanging NTP information

                   Network Security           20
         13. Login banners
• Sequence:
  – Login banner
  – login session
  – MOTD banner
  – EXEC banner (or incoming banner)
• Example: 3-25

                  Network Security     21
    14. Capturing core dumps
• In the event of system crash, the core
  dump may provide useful info for tracking
  the attack(s).
• Example: 3-26

                  Network Security            22
          15. Service nagle
• Nagle is an algorithm that can be enabled
  as a service on a Cisco router, to allow the
  router to pace the TCP connection for
  Telnet in a way that reduces the burden on
  the CPU and generally improves the
  performance of the Telnet session.
  – service nagle (Example 3-27)

                   Network Security         23
     Security of other devices
• Firewalls, switches, …
• Similar procedure
  – Check the default settings
  – ‘Harden’ the device before placing it into use
    in the production network.

                     Network Security                24

To top