1 / 104

Implementing Secure Converged Wide Area Networks (ISCW)

Implementing Secure Converged Wide Area Networks (ISCW). Configuring SNMP. Lesson 9 – Module 5 – ‘Cisco Device Hardening’. Module Introduction.

peri
Télécharger la présentation

Implementing Secure Converged Wide Area Networks (ISCW)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Implementing Secure Converged Wide Area Networks (ISCW)

  2. Configuring SNMP Lesson 9 – Module 5 – ‘Cisco Device Hardening’

  3. Module Introduction • The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. • Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. • Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

  4. Objectives • At the completion of this ninth lesson, you will be able to: • Describe the concepts behind the use of SNMP • Explain the various SNMP actions • Explain why the use of SNMP v1 and 2 is not recommended • Demonstrate how to configure Cisco routers to use SNMPv3

  5. SNMP • SNMP – the Simple Network Management Protocol - forms part of the internet protocol suite as defined by the IETF • SNMP is used by network management systems to monitor network-attached devices for conditions that warrant administrative attention • It consists of a set of standards for network management, including an Application Layer protocol, a database schema, and a set of data objects • The current version is SNMPv3 • SNPv1 and v2 are considered obsolete, and are extremely insecure. It is recommended they NOT be used on a publicly attached network

  6. SNMP Components • An SNMP-managed network consists of three key components: • Managed devices • Agents • Network-management systems (NMSs) • A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices can be routers and access servers, switches and bridges, hubs, computer hosts, or printers. • An agent is a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP. • An NMS executes applications that monitor (and possibly control) managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs must exist on any managed network. • Ref: Wikepedia - SNMP

  7. SNMP Managed Network

  8. SNMPv1 and SNMPv2 Architecture • SNMP asks agents embedded in network devices for information or tells the agents to do something.

  9. SNMP Actions • The SNMP protocol specifies (in version 1) five core PDUs: • GET REQUEST - used to retrieve a piece of management information. • GETNEXT REQUEST - used iteratively to retrieve sequences of management information. • GET RESPONSE - used agent responds with data to get and set requests from the manager. • SET REQUEST - used to initialise and make a change to a value of the network element. • TRAP - used to report an alert or other asynchronous event about a managed subsystem. • In SNMPv1, asynchronous event reports are called traps while they are called notifications in later versions of SNMP.

  10. SNMP Actions • Other PDUs were added in later versions, including: • GETBULK REQUEST - a faster iterator used to retrieve sequences of management information. • INFORM - an acknowledged trap. • Typically, SNMP uses UDP ports 161 for the agent and 162 for the manager. The Manager may send Requests from any available ports (source port) to port 161 in the agent (destination port). • The agent response will be given back to the source port. The Manager will receive traps on port 162. • The agent may generate traps from any available port.

  11. Community Strings • SNMPv1 and SNMPv2 use a community string to access router SNMP agents • SNMP community strings act like passwords • An SNMP community string is a text string used to authenticate messages between a management station and an SNMP engine • If the manager sends one of the correct read-only community strings, the manager can getinformation but NOT setinformation in an agent • If the manager uses one of the correct read-write community strings, the manager can getor setinformation in the agent

  12. Community Strings • In effect, having read-write access is equivalent to having the enable password! • SNMP agents accept commands and requests only from SNMP systems that use the correct community string. • By default, most SNMP systems use a community string of “public” • If the router SNMP agent is configured to use this commonly known community string, anyone with an SNMP system is able to read the router MIB • Router MIB variables can point to entities like routing tables and other security-critical components of a router configuration, so it is very important that custom SNMP community strings are created

  13. SNMP Security Models and Levels • Definitions: • Security model is a security strategy used by the SNMP agent. • Security level is the permitted level of security within a security model.

  14. SNMPv3 Operational Model

  15. SNMPv3 Operational Model • The concepts of separate SNMP agents and SNMP managers do not apply in SNMPv3 • SNMP combines these concepts into single SNMP entities • Each managed node and the network management system (NMS) is a single entity • There are two types of entities, each containing different applications: • Managed node SNMP entities: The managed node SNMP entity includes an SNMP agent and an SNMP MIB. The agent implements the SNMP protocol and allows a managed node to provide information to the NMS and accept instructions from the NMS. The MIB defines the information that can be collected and used to control the managed node. Information that is exchanged using SNMP takes the form of objects from the MIB • SNMP NMS entities: The SNMP entity on an NMS includes an SNMP manager and SNMP applications. The manager implements the SNMP protocol and collects information from managed nodes and sends instructions to the nodes. The SNMP applications are software applications used to manage the network

  16. SNMPv3 Features and Benefits It is strongly recommend that all network management systems use SNMPv3 rather than SNMPv1 or SNMPv2

  17. Configuring an SNMP Managed Node • These are the four configuration tasks used to set up SNMPv3 communications on a Cisco IOS router: • Configure the SNMP-server engine ID to identify the devices for administrative purposes • Configure the SNMP-server group names for grouping SNMP users • Configure the SNMP-server users to define usernames that reside on hosts that connect to the local agent • Configure the SNMP-server hosts to specify the recipient of a notification operation (trap or inform)

  18. Configuring the SNMP-Server Engine ID(1) • To configure a name for either the local or remote SNMP engine on the router, use the snmp-server engineID global configuration command. • The SNMP engine ID is a unique string used to identify the device for administration purposes. • An engine ID is not required for the device as a default string is generated using a Cisco enterprise number (1.3.6.1.4.1.9) and the MAC address of the first interface on the device. • If an individualised ID is required do not specify the entire 24-character engine ID if the ID contains trailing zeros. • Specify only the portion of the engine ID up to the point at which only zeros remain in the value. This portion must be 10 hexadecimal characters or more. For example, to configure an engine ID of 123400000000000000000000, specify snmp-server engineID local 1234000000.

  19. Configuring the SNMP-Server Engine ID(1) • A remote engine ID must be created when an SNMPv3 inform is configured • The remote engine ID is used to compute the security digest for authenticating and encrypting packets that are sent to a user on the remote host • Informs are acknowledged traps. The agent sends an inform to the manager. When the manager receives the inform, the manager sends a response to the agent. Thus, the agent knows that the inform reached the intended destination.

  20. Configuring the SNMP-Server Group Names (2) • To configure a new SNMP group, or a table that maps SNMP users to SNMP views, use the snmp-server group global configuration command • This command groups SNMP users that reside on hosts that connect to the local SNMP agent • An SNMP view is a mapping between SNMP objects and the access rights that are available for those objects • An object can have different access rights in each view • Access rights indicate whether the object is accessible by either a community string or a user

  21. Configuring the SNMP-Server Group Names (2) • snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list] Router(config)# • Configures a new SNMP group or a table that maps SNMP users to SNMP views PR1(config)#snmp-server group johngroup v3 auth PR1(config)#snmp-server group billgroup v3 auth priv • The top example shows how to define a group johngroup for SNMP v3 using authentication but not privacy (encryption) • The bottom example shows how to define a group billgroup for SNMP v3 using both authentication and privacy

  22. Configuring the SNMP-Server Users (3) • To add a new user to an SNMP group, use the snmp-server user global configuration command • To configure a user that exists on a remote SNMP device, specify the IP address or port number for the remote SNMP device where the user resides • Also, before configuring remote users for that device, configure the SNMP engine ID using the command snmp-server engineID with the remote option • The SNMP engine ID of the remote device is needed to compute the authentication and privacy digests from the password • If the remote engine ID is not configured first, the configuration command will fail

  23. Configuring the SNMP-Server Users (3) • Configure a new user to an SNMP group • snmp-server user usernamegroupname [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} [access access-list] Router(config)# • The first example (below) shows how to define a user John belonging to the group johngroup. Authentication uses the password john2passwdand no privacy (no encryption) is applied. The second example shows how user Bill, belonging to the group billgroup, is defined using the password bill3passwd and privacy (encryption) is applied PR1(config)#snmp-server user John johngroup v3 auth md5 john2passwd PR1(config)#snmp-server user Bill billgroup v3 auth md5 bill3passwd des56password2 PR1(config)#snmp-server group johngroup v3 auth PR1(config)#snmp-server group billgroup v3 auth priv

  24. Configuring the SNMP-Server Hosts (4) • To specify the recipient of an SNMP notification operation, use the snmp-server host global configuration command. • snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type] • SNMP notifications can be sent as traps or inform requests. • Traps are unreliable because the receiver does not send acknowledgments when the receiver receives traps • The sender cannot determine if the traps were received • An SNMP entity that receives an inform request acknowledges the message with an SNMP response PDU. • Informs consume more computing resources in the agent and in the network. • If an snmp-server host command is NOT entered, no notifications are sent. To configure the router to send SNMP notifications, at least one snmp-server host command must be entered • If the command is entered with no keywords, all trap types are enabled for the host.

  25. Configuring the SNMP-Server Hosts (4) • To be able to send an “inform,” perform these steps: • Configure a remote engine ID. • Configure a remote user. • Configure a group on a remote device. • Enable traps on the remote device. • Enable the SNMP manager.

  26. Configuring the SNMP-Server Hosts (4) snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type] • Configures the recipient of an SNMP trap operation Router(config)# • The example (below) shows how to send configuration informs to the 10.1.1.1 remote host PR1(config)#snmp-server engineID remote 10.1.1.1 1234 PR1(config)#snmp-server user bill billgroup remote 10.1.1.1 v3 PR1(config)#snmp-server group billgroup v3 noauth PR1(config)#snmp-server enable traps PR1(config)#snmp-server host 10.1.1.1 inform version 3 noauth bill PR1(config)#snmp-server manager

  27. SNMP – Types of Traps

  28. SNMPv3 Configuration • The next slide shows how to configure Cisco IOS routers for SNMPv3. • The router Trap_sender is configured to send traps to the NMS host with the IP address 172.16.1.1. The traps are encrypted using the credentials that are configured for the local user snmpuser who belongs to the group snmpgroup. The Trap_sender router sends traps that are related to CPU, configuration, and SNMP. The trap packets are sourced from the router loopback 0 interface • The router Walked_device is configured so that the NMS host can read the MIBs on the local device. The NMS server needs to use the username credentials that are configured on the Walked_device (snmpuser with respective authentication and encryption passwords) to gain access to the SNMP information of the router

  29. SNMPv3 Configuration Example Trap_sender(config)#snmp-server group snmpgroup v3 auth Trap_sender(config)#snmp-server group snmpgroup v3 priv Trap_sender(config)#snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword Trap_sender(config)#snmp-server enable traps cpu Trap_sender(config)#snmp-server enable traps config Trap_sender(config)#snmp-server enable traps snmp Trap_sender(config)#snmp-server host 172.16.1.1 traps version 3 priv snmpuser Trap_sender(config)#snmp-server source-interface traps loopback 0 Walked_device(config)#snmp-server group snmpgroup v3 auth Walked_device(config)#snmp-server group snmpgroup v3 priv Walked_device(config)#snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encrypt password

  30. Configuring the NTP Client Lesson 10 – Module 5 – ‘Cisco Device Hardening’

  31. Module Introduction • The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. • Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. • Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

  32. Objectives • At the completion of this tenth lesson, you will be able to: • Explain how a router maintains an accurate time • Describe NTP and how it is configured • Configure NTP on a router as a server and a client • Associate with NTP servers

  33. Understanding NTP “Time has been invented in the universe so that everything would not happen at once”‘The NTP FAQ and HOWTO’ - http://www.ntp.org/ntpfaq/ • Many features in a computer network depend on time synchronisation, such as accurate time information in syslog messages, certificate-based authentication in VPNs, ACLs with time range configuration, and key rollover in routing protocol authentication (EIGRP and RIP) • Most Cisco routers have two clocks: a battery-powered system calendar in the hardware and a software-based system clock • These two clocks are managed separately

  34. System Clock • The heart of the router time service is the software-based system clock • This clock starts to keep track of time from the moment the system starts • The system clock can be set from a number of sources and can be used to distribute the current time through various mechanisms to other systems • When a router with a system calendar is initialised or rebooted, the system clock is set based on the time in the internal battery-powered system calendar • The system clock can then be set manually or by using the Network Time Protocol (NTP) - an Internet protocol used to synchronise the clocks of network connected devices to some time reference • NTP is an Internet standard protocol currently at v3 and specified in RFC 1305

  35. UTC - GMT • UTC (Temps Universel Coordonné or, in English,Coordinated Universal Time) is an official standard for the current time. • UTC evolved from the former GMT (Greenwich Mean Time) that was previously used to accurately set the clocks on sailing ships before they left London for a long journey (very important to determine longitude and avoid navigational embarrassment…..) • Later GMT was adopted as the world's standard time. It has now been replaced by UTC. • One of the reasons that GMT has been replaced as official standard time was the fact that it was based on the mean solar time. Newer methods of time measurement showed that the mean solar time varied appreciably. • The main components of UTC: • Universal means that the time can be used everywhere in the world, It is independent from time zones (i.e. it's not local time). To convert UTC to local time, add or subtract the local time zone. • Coordinated means that several institutions contribute their estimate of the current time, and UTC is built by combining these estimates. • The UTC second has been defined by the 13th General Conference of Weights and Measures in 1967 as "The second is the duration of 9,192,631,770 periods of the radiation corresponding to the transition between the two hyperfine levels of the ground state of the cesium-133 atom."

  36. Authoritative Time • In a router, the system clock keeps track of time internally based on UTC (which, despite the comment in the curriculum is not technically the same as GMT…….) • Information can be configured about the local time zone and daylight savings time so that the time appears correctly relative to the local time zone • The system clock keeps track of whether the time is “authoritative” or not (that is, whether the time has been set by a time source that is considered to be “authoritative”) • If the time is NOT considered authoritative, the time is available only for display purposes and is not redistributed within the network

  37. NTP • NTP is a protocol designed to time-synchronize a network of machines. NTP runs over UDP, which in turn runs over IP • An NTP network usually obtains the time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronise two machines to within 1mS of one another • As of early 2007, NTP v4 has not completed IETF standardisation. RFC 1305 documents NTP v3 • Cisco devices support only RFC specifications of NTPv3 • NTP uses the concept of a “stratum” to describe how many NTP “hops” away a machine is from an authoritative time source • A “stratum 1” time server typically has a radio or atomic clock directly attached to the server; a “stratum 2” time server receives the time via NTP from a “stratum 1” time server, etc, etc. • A machine that runs NTP automatically chooses the machine with the lowest stratum number to communicate with via NTP as the machine’s time source • This strategy effectively builds a self-organising tree of NTP speakers

  38. NTP • NTP is careful to avoid synchronising to a machine whose time may not be accurate. NTP avoids doing so in two ways: • NTP never synchronises to a machine that is not synchronised itself • NTP compares the time that is reported by several machines and does not synchronise to a machine whose time is significantly different than the others, even if the machine’s stratum number is lower • The communications (known as “associations”) between machines that run NTP are usually statically configured; each machine is given the IP address of all machines with which the machine should form associations • Accurate timekeeping is possible by exchanging NTP messages between each pair of machines with an association • In a LAN environment, NTP can be configured to use IP broadcast messages instead • This alternative reduces configuration complexity because each machine can be configured to send or receive broadcast messages. • However, the accuracy of timekeeping is marginally reduced because the information flow is one-way only

  39. NTP Security • The time that a machine keeps is a critical resource, so the security features of NTP should be used to avoid the accidental or malicious setting of incorrect time • Two mechanisms are available: • an ACL-based restriction scheme • an encrypted authentication mechanism. • Time service for a network should be derived from the public NTP servers that are available on the Internet • If the network is isolated from the Internet, the Cisco implementation of NTP allows a machine to be configured so that the machine acts as though the machine is synchronised via NTP when in fact the machine has determined the time using other means. • Other machines then synchronise to that machine via NTP

  40. NTP Association • When multiple sources of time (eg, manual configuration) are available, NTP is always considered to be more authoritative • NTP time overrides the time set by any other method • An NTP association can be a peer association (this system is willing to either synchronise to the other system or to allow the other system to synchronise to it), or the association can be a server association (only this system will synchronise to the other system, and not vice versa)

  41. NTP Basic Features - Overview • A collected overview of NTP features: • NTP needs some reference clock that defines the true time to operate. All clocks are set towards that true time. (It will not just make all systems agree on some time, but will make them agree upon the true time as defined by some standard) • NTP uses UTC as reference time (NOT GMT…..) • NTP is a fault-tolerant protocol that will automatically select the best of several available time sources to synchronise to. Multiple candidates can be combined to minimise the accumulated error. Temporarily or permanently insane time sources will be detected and avoided • NTP is highly scalable. A synchronisation network may consist of several reference clocks. Each node of such a network can exchange time information either bidirectional or unidirectional. Propagating time from one node to another forms a hierarchical graph with reference clocks at the top • Having available several time sources, NTP can select the best candidates to build its estimate of the current time. The protocol is highly accurate, using a resolution of less than a nanosecond (about 2^-32 seconds) • Even when a network connection is temporarily unavailable, NTP can use measurements from the past to estimate current time and error • For formal reasons NTP will also maintain estimates for the accuracy of the local time

  42. Configuring NTP Authentication • NTP services are enabled on all interfaces by default. • To disable NTP on a specific interface, use the ntp disable command in the interface configuration mode. • To authenticate the associations with other systems for security purposes, use the commands in the “NTP Authentication Commands” table (see next slide)

  43. NTP Authentication Commands The first command enables the NTP authentication feature. The second command defines each of the authentication keys. Each key has a key number, a type, and a value. Currently the only key type supported is md5. Finally, a list of trusted authentication keys is defined. If a key is trusted, this system is ready to synchronise to a system that uses this key in the system’s NTP packets

  44. Configuring NTP Authentication Router(config)# ntp authenticate • Enables the authentication feature Router(config)# ntp authentication-key number md5 value • Defines the authentication keys • Used for both peer and server associations Router(config)# ntp trusted-key key-number • Defines the trusted authentication keys • Required to synchronise to a system (server association) R1(config)#ntp authentication R1(config)#ntp authentication-key 1 md5 NeVeRgUeSs R1(config)#ntp trusted-key 1

  45. Configuring NTP Associations • To configure a router as an NTP client, either create an association to a server or configure the router to listen to NTP broadcast packets. • ntp server: Although the router can be configured with either a peer or a server association, NTP clients are typically configured with a server association (meaning that only this system will synchronise to the other system, and not vice versa). • To allow the software clock to be synchronised by an NTP time server, use the ntp server command in global configuration mode. • ntp broadcast client: In addition to or instead of creating unicast NTP associations, the system can be configured to listen to broadcast packets on an interface-by-interface basis • To do this, use the ntp broadcast client command in interface configuration mode

  46. Configuring NTP Associations ntp server {ip-address | hostname} [version number] [key keyid] [source interface] [prefer] Router(config)# • Forms a server association with another system Router(config-if)# ntp broadcast client • Receives NTP broadcast packets R1(config)#ntp server 10.1.1.1 key 1 R1(config)#ntp server 10.2.2.2 key 2 prefer R1(config)#interface Fastethernet 0/1 R1(config-if)#ntp broadcast client

  47. Configuring Additional NTP Options • To control access to NTP services, in addition to packet authentication, a NTP access group can be created and a basic IP ACL applied to it • To control access to NTP services, use the ntp access-group command in global configuration mode • The access group options are scanned in the following order, from least restrictive to most restrictive: • peer: Allows time requests and NTP control queries and allows the system to synchronise itself to a system whose address passes the ACL criteria. This option is used in scenarios where either the local or the remote system can become the NTP source • serve: Allows time requests and NTP control queries but does not allow the system to synchronise itself to a system whose address passes the ACL criteria. This option lets you filter IP addresses of systems that can become clients of the local system from which NTP control queries will be permitted • serve-only: Allows only time requests from a system whose address passes the ACL criteria. This option lets you filter IP addresses of systems that can become clients of the local system from which NTP control queries will be denied • query-only: Allows only NTP control queries from a system whose address passes the ACL criteria

  48. Configuring Additional NTP Options • If the source IP address matches the ACLs for more than one access type, the first access type that is listed is granted. If no access groups are specified, all access types are granted to all systems. If any access groups are specified, only the specified access types are granted • When the system sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source command in global configuration mode to configure a specific interface from which the IP source address will be taken • ntp sourceinterface • This interface is used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source parameter on the ntp peer or ntp server command

  49. Implementing the NTP Server • Cisco IOS routers work as an NTP server by default. • As soon as a router is synchronised to an authoritative time source, the router allows peers with lower stratum to synchronise to that router: • Requires a peer association • You can make a router an authoritative NTP server, even if the system is not synchronised to an outside time source. • Two options to establish a peer association: • Unicast • Broadcast • Same exchange control methods as those methods used with client: • Packet authentication • Access group filtering

  50. Configuring the NTP Server Router(config)# ntp master [stratum] ntp peer ip-address [normal-sync][version number] [key keyid] [source interface] [prefer] • Forms a peer association with another system Router(config)# • Makes the system an authoritative NTP server Router(config-int)# ntp broadcast [version number][destinationaddress][key keyid] • Configures an interface to send NTP broadcast packets R2(config)#ntp peer 10.1.1.1 key 1 R2(config)#ntp master 3 R2(config)#interface Fastethernet0/0 R2(config-int)#ntp broadcast

More Related