
Designing Secure Network Infrastructures. Peter Elford, pelford@cisco.com



Presentation Transcript


  1. Designing Secure Network Infrastructures. Peter Elford, pelford@cisco.com. © 1998, Cisco Systems, Inc.

  2. Agenda I. Introduction II. Router/Switch Security III. Resource Protection IV. Perimeter Protection V. Maintaining Network Integrity VI. Security Maintenance Validation

  3. Approaching Network Security
     • Identify your network assets
     • Determine points of access
     • Know your enemy
     • Limit the scope of access
     • Identify your assumptions
     • Count the cost
     • Remember human factors
     • Keep limited secrets
     • Security is pervasive
     • Understand your network environment
     • Remember physical security

  4. Solutions: Before you Begin... Security is an ATTITUDE!
     • On-Site Security Policy
     • Host Security (UNIX/VMS)
     • Workstation Security (X, MS, MAC, OS/2)
     • Network Security
     • Password Policies
     • Application Security
     • Tools to Track Attacks
     • Ability to lock ‘em up (every security policy needs a big stick)

  5. Define a Security Policy
     • Define what to protect—anything that could cause problems if it were to stop or malfunction
     • Decide how to protect it—good enough versus absolute protection
     • Think about cost of protection vs. cost of loss or corruption

  6. II. Router/Switch Security
     • Threats
     • Avoidance Measures

  7. Router Security
     • Local or Remote Security: where to store passwords
     • Network Access Security: how to control access through the router
     • Terminal Access Security: how to control access to the router
     • AAA Accounting and Billing: what has gone through and what is done to the router
     • Traffic Filters: what can go where via the router
     • Router Access (Neighbour Authentication): how do I trust a route update?
     • Network Data Encryption: stop viewing or tampering of data through the network

  8. The Administrative Interface
     • Password Protection
     • Password Encryption
     (Diagram: the Router> prompt)

  9. Native Passwords
        line console 0
         login
         password one4all
         exec-timeout 1 30

        User Access Verification
        Password: <one4all>
        router>
     The native passwords can be viewed by anyone logging in with the enable password.

  10. Service Password-Encryption (7)
     • Will encrypt all passwords on the Cisco IOS™ with Cisco-defined encryption type “7”
     • Use “enable password 7 <password>” for cut/paste operations
     • Cisco proprietary encryption method

  11. Service Password-Encryption
     Before:
        hostname Router
        !
        enable password one4all
        !
     After:
        service password-encryption
        !
        hostname Router
        !
        enable password 7 15181E020F

  12. Enable Secret (5)
     • Uses MD5 to produce a one-way hash
     • Cannot be decrypted
     • Use “enable secret 5 <password>” to cut/paste another “enable secret” password

  13. Enable Secret (5)
     Before:
        hostname Router
        !
        enable password 1forAll
        !
     After:
        hostname Router
        !
        enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1

  14. Use Good Passwords
     • Do not use passwords that can be easily guessed
     (Cartoon: “hmm…, How about ‘Pancho’?”)

  15. Authentication Mechanisms
     • Local Password
     • Kerberos
     • TACACS+
     • RADIUS
     • One-time Passwords

  16. Cisco IOS TACACS+ Authentication
        version 11.2
        !
        service password-encryption
        !
        hostname Router
        !
        aaa new-model
        aaa authentication login billy tacacs+ enable
        aaa authentication login bobby tacacs+ local
        enable secret 5 $1$hM3l$.s/DgJ4TeKdDk…
        !
        username bill password 7 030E4E050D5C
        !
     Callouts:
     • service password-encryption: encrypts passwords with encryption (7)
     • aaa authentication login billy: define list “billy” to use TACACS+ then the enable password
     • aaa authentication login bobby: define list “bobby” to use TACACS+ then the local user and password
     • enable secret: “enable secret” overrides the (7) encryption
     • username bill: define a local user and password for “bill”

  17. Cisco IOS TACACS+ Authentication
        tacacs-server host 10.1.1.2
        tacacs-server key gW78pTkf9
        !
        line con 0
         login authentication billy
        line aux 0
         login authentication billy
        line vty 0 4
         login authentication bobby
         length 29
         width 92
        !
        end
     Callouts:
     • tacacs-server host: defines the IP address of the TACACS+ server
     • tacacs-server key: defines the “encryption” key for communicating with the TACACS+ server
     • line con 0 / line aux 0: uses the authentication mechanisms listed in “billy”—TACACS+ then enable password
     • line vty 0 4: uses the authentication mechanisms listed in “bobby”—TACACS+ then a local user/password

  18. PIX TACACS+ Authentication
        PIX Version 4.0.7
        enable password BjeuCKspwqCc94Ss encrypted
        passwd nU3DFZzS7jF1jYc5 encrypted
        tacacs-server host 10.1.1.2 <key>
        aaa authentication telnet outbound 0.0.0.0 0.0.0.0 tacacs+
        aaa authentication ftp outbound 0.0.0.0 0.0.0.0 tacacs+
        aaa authentication http outbound 0.0.0.0 0.0.0.0 tacacs+
        no snmp-server location
        no snmp-server contact
        telnet 10.1.1.2 255.255.255.255
        mtu outside 1500
        mtu inside 1500
        : end
        [OK]
     Callouts:
     • enable password: Enable Password
     • passwd: Telnet Password
     • tacacs-server host: defines the IP address of the TACACS+ server and the key
     • aaa authentication: defines the services that require authentication
     • telnet: defines the device that can Telnet into the PIX

  19. Enable Authentication
     • Cisco IOS—Can use the same authentication mechanisms for “enable” and “login” starting in Cisco IOS 11.3
     • PIX—Supports TACACS+ authentication mechanisms for the Console and “enable” since 4.2

  20. Password of Caution
     • Even passwords that are encrypted in the configuration are not encrypted on the wire as an administrator logs into the router

  21. Encrypted Telnet Sessions
     • Kerberos v5
       • Strong Authentication within the session
       • Relies heavily upon DNS and NTP
     • Cisco Encryption Technology (CET)
     • IPSec

  22. One-Time Passwords
     • May be used with TACACS+ or RADIUS
     • The same “password” will never be reused by an authorized administrator
     • Key Cards—CryptoCard token server included with CiscoSecure
     • Support for Security Dynamics and Secure Computing token servers in CiscoSecure

  23. Restrict Telnet Access
        access-list 12 permit 172.17.55.0 0.0.0.255
        line vty 0 4
         access-class 12 in

  24. SNMP
     • #1 Source of intelligence on a target network!
     • Block SNMP from the outside
          access-list 101 deny udp any any eq snmp
     • If the router has SNMP, protect it!
          snmp-server community fO0bAr RW 1
          access-list 1 permit 127.1.3.5
     • Explicitly direct SNMP traffic to an authorized management station
          snmp-server host 127.1.3.5 fO0bAr

  25. SNMP
     • Change your community strings! Do not use public, private, secret!
     • Use different community strings for the RO and RW communities
     • Use mixed alphanumeric characters in the community strings: SNMP community strings can be cracked, too!

  26. SNMP
     • Version one sends cleartext community strings and has no policy reference
     • Version two addresses some of the known security weaknesses of SNMP version one
     • Version three is being worked on

  27. Resource Deprivation Attacks
        version 11.2
        !
        no service finger
        no service udp-small-servers
        no service tcp-small-servers
        !
     • Daytime (13)
     • Chargen (19)
     • Echo (7)
     • Discard (9)
     • Finger (79)
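An added example, not from the presentation or Cisco: a small Python audit that reads an IOS configuration text and reports the weaknesses slides 8 through 27 warn about (cleartext passwords, no enable secret, default or unprotected SNMP communities, small servers left on, vty lines without an access-class). The sample configuration and the check wording are constructed for this example.

```python
import re

# Added example, not from the presentation or Cisco. Audits an IOS config
# text for the weaknesses covered on slides 8-27. Sample config is constructed.
DEFAULT_COMMUNITIES = {"public", "private", "secret"}
SMALL_SERVICES = ("finger", "udp-small-servers", "tcp-small-servers")

def audit_ios_config(config: str) -> list:
    """Return one finding string per weakness found in the configuration."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if "service password-encryption" not in lines:
        findings.append("service password-encryption is off: line passwords stored in cleartext")
    if any(l.startswith("enable password") for l in lines) and not any(l.startswith("enable secret") for l in lines):
        findings.append("enable password without enable secret: type 7 is reversible, use the MD5 secret")
    for l in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$", l, re.I)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community string '{community}'")
            if acl is None:
                findings.append(f"SNMP {mode} community '{community}' is not tied to an access-list")
    for svc in SMALL_SERVICES:
        if f"no service {svc}" not in lines:
            findings.append(f"service {svc} still enabled (resource deprivation target)")
    vty_block = []                       # commands under 'line vty ...'
    for l in lines:
        if l.startswith("line vty"):
            vty_block = [l]
        elif vty_block and (l.startswith("line ") or l in ("!", "end")):
            break
        elif vty_block:
            vty_block.append(l)
    if vty_block and not any(l.startswith("access-class") for l in vty_block):
        findings.append("vty lines accept Telnet from any address: add access-class")
    return findings

# Constructed sample showing the 'before' state from the slides.
SAMPLE_CONFIG = """\
enable password one4all
snmp-server community public RW
line vty 0 4
 login
end
"""
if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```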

  28. Administrator Authorization Levels
        privilege exec level 9 show
        enable secret level 9 <AllinOne>
        enable secret 5 <OneinAll>
     • Sixteen administrative levels that can be used to delegate authority
     • Cisco IOS commands can be associated with a level
        Router# show priv
        Current privilege level is 15
        Router# disable
        Router>enable 9
        Password:
        Router# show priv
        Current privilege level is 9
        Router#

  29. Transaction Records
     • How do you tell when someone is attempting to access your router?
          ip accounting
          ip accounting access-violations
          logging 127.0.3.2
     • Consider some form of audit trails:
       • Using the syslog feature
       • SNMP Traps and alarms
       • Implementing TACACS+, RADIUS, Kerberos, or third party solutions like One-Time Password token cards

  30. Audit Trail—Cisco IOS Syslog
        unix% tail cisco.log
        Feb 17 21:48:26 [10.1.1.101.9.132] 31: *Mar 2 11:51:55 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)
        unix% date
        Tue Feb 17 21:49:53 CST 1998
        unix%

        version 11.2
        service timestamps log datetime localtime show-timezone
        !
        logging 10.1.1.2

        Router>sho clock
        *11:53:44.764 CST Tue Mar 2 1993
        Router>
     Note the router's own timestamp (marked with * because the clock is not authoritative, and reading 1993) disagrees with the syslog host's clock, so the log line cannot be correlated with other records until the router's time is synchronised.

  31. Catalyst Security
     • Set passwords & SNMP
          set password
          set enablepass
          set snmp community read-only fO0bAr
     • Control access to telnet and SNMP
          set ip permit enable
          set ip permit 172.100.101.102
          set ip permit diablo.cisco.com
          set ip permit 172.160.161.0 255.255.192.0
     • Console timeout
          set logout 5    (minutes, vs. the default of 20)

  32. Catalyst Security
     • Use TACACS for login
          set authentication login tacacs enable
          set authentication enable tacacs enable
          set tacacs key secretkey
          set tacacs server 144.254.5.9
     • Use logging
          set logging console disable
          set logging server 144.254.5.5
          set logging server enable
          set logging session enable

  33. III. Resource Protection
     • Individual Resources
     • Threats
     • Avoidance measures

  34. Spoofing
        interface Serial 1
         ip address 172.26.139.2 255.255.255.252
         ip access-group 111 in
         no ip directed-broadcast
        !
        interface ethernet 0/0
         ip address 10.1.1.100 255.255.0.0
         no ip directed-broadcast
        !
        access-list 111 deny ip 127.0.0.0 0.255.255.255 any
        access-list 111 deny ip 10.1.0.0 0.0.255.255 any
     (Diagram: an outside host 172.16.42.84 sends a packet IP (D=10.1.1.2 S=10.1.1.1) toward the inside host 10.1.1.2 using an inside source address; the inbound filter on Serial 1 drops it.)

  35. Source Routing
        interface Serial 1
         ip address 172.16.139.2 255.255.255.252
         ip access-group 111 in
        !
        no ip source-route
        !
        access-list 111 permit ip 10.16.0.0 0.0.255.255 any
     (Diagram: private network 10.16.0.0 behind Serial 1; an outside host announces “I’m 10.16.99.99—and here’s the route back to me”. RFC 792: Internet protocol.)

  36. Cisco IOS with an Access List
        interface ethernet 0/0
         ip address 172.16.1.100 255.255.0.0
        !
        interface ethernet 0/1
         ip address 172.17.1.100 255.255.0.0
         ip access-group 111 in
         no ip unreachables
         no ip redirects
        !
        access-list 111 permit tcp any host 172.16.1.1 eq smtp
        access-list 111 permit tcp any host 172.16.1.1 established
        access-list 111 permit icmp any host 172.16.1.1
     (Diagram: the router with interfaces e0/0 and e0/1.)

  37. Cisco IOS Firewall Feature Set
        logging 172.16.27.131
        ip inspect audit-trail
        ip inspect dns-timeout 10
        ip inspect tcp idle-time 60
        ip inspect name myfw smtp timeout 3600
        ip inspect name myfw tcp timeout 3600
        !
        interface Ethernet 0
         ip address 172.16.1.100 255.255.0.0
         ip inspect myfw in
        !
        interface Serial 0
         ip address 172.19.139.1 255.255.255.248
         ip access-group 111 in
        !
        access-list 111 permit tcp any host 172.16.1.1 eq smtp
        access-list 111 permit tcp any host 172.16.1.1 eq pop3
        access-list 111 permit tcp any host 172.16.1.1 eq ident
     (Diagram: the router with interfaces e0 and s0.)

  38. IV. Perimeter Protection

  39. Firewall Protection
     (Diagram: the Internet, a screening router, and a Demilitarized Zone (DMZ) holding the DNS, Mail and WWW servers.)
     • Use access control lists on the screening router to control traffic
     • Isolate each server from traffic with a switch

  40. Syn Attack
     (Diagram: a flood of connection requests toward 172.18.1.2, each with a different source address:)
        TCP syn (D=172.18.1.2 S=1.1.1.1)
        TCP syn (D=172.18.1.2 S=1.1.1.2)
        TCP syn (D=172.18.1.2 S=1.1.1.3)
        TCP syn (D=172.18.1.2 S=1.1.1.4)
        TCP syn (D=172.18.1.2 S=1.1.1.5)
        TCP syn (D=172.18.1.2 S=2.1.1.1)
        TCP syn (D=172.18.1.2 S=2.1.1.2)

  41. Cisco IOS Syn Attack Defense
        ip tcp intercept list <access-list-number>
        ip tcp intercept mode watch
     • How many session requests in the last one minute?
     • How many incomplete sessions are there?
     • How long do I wait for the final ack?
     (Diagram: the three-way handshake—TCP syn, TCP syn/ack, TCP ack.)

  42. Cisco IOS Firewall Feature Set Syn Attack Defense
        ip inspect tcp synwait-time [seconds]
        ip inspect tcp finwait-time [seconds]
        ip inspect tcp idle-time [seconds]
     • How many session requests in the last one minute?
     • How many incomplete sessions are there?
     • How long do I wait for the final ack?
     (Diagram: the three-way handshake—TCP syn, TCP syn/ack, TCP ack.)
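An added example, not Cisco's code, for slides 40 through 42: a watch-mode style monitor in Python that answers the three questions above (requests in the last minute, incomplete sessions, how long to wait for the final ACK) over a stream of handshake events. The class name, the event format and the SYN flood fed to it are constructed for this example.

```python
from collections import deque

# Added example, not Cisco code. A watch-mode style monitor that answers the
# three questions on the slide for a stream of handshake events; the event
# stream and thresholds below are constructed for the example.

class HalfOpenWatch:
    """Track each (client, server) SYN until its final ACK arrives."""

    def __init__(self, synwait=30.0, window=60.0, max_incomplete=100):
        self.synwait = synwait              # cf. ip inspect tcp synwait-time
        self.window = window                # the slide's "last one minute"
        self.max_incomplete = max_incomplete
        self.pending = {}                   # flow -> time its SYN was seen
        self.requests = deque()             # SYN timestamps inside the window

    def observe(self, t, kind, src, dst):
        flow = (src, dst)
        if kind == "syn":
            self.pending[flow] = t
            self.requests.append(t)
        elif kind == "ack" and flow in self.pending:
            del self.pending[flow]          # three-way handshake completed
        self._expire(t)

    def _expire(self, t):
        while self.requests and self.requests[0] < t - self.window:
            self.requests.popleft()
        # flows still waiting for the final ACK after synwait are dropped,
        # as intercept does when it resets an embryonic connection
        for flow in [f for f, ts in self.pending.items() if ts < t - self.synwait]:
            del self.pending[flow]

    def requests_last_minute(self):
        return len(self.requests)

    def incomplete(self):
        return len(self.pending)

    def under_attack(self):
        return self.incomplete() > self.max_incomplete

if __name__ == "__main__":
    w = HalfOpenWatch(max_incomplete=3)
    # constructed flood toward 172.18.1.2 (slide 40): five SYNs, one completes
    for i, src in enumerate(["1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4", "1.1.1.5"]):
        w.observe(float(i), "syn", src, "172.18.1.2")
    w.observe(5.0, "ack", "1.1.1.1", "172.18.1.2")
    print(w.requests_last_minute(), w.incomplete(), w.under_attack())  # 5 4 True
```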

  43. V. Network Integrity Maintenance
     • 24 by 7

  44. Dynamic Routing Protocols: Path Redundancy to Route Around Failures

  45. Route Update Authentication and Integrity
     (Diagram: the sender assembles the packet as [IP HDR | Key | Route Update Data], runs it through a hash function to produce a signature, then reassembles the packet with the signature in place of the key, [IP HDR | Signature | Route Update Data], before sending it to the wire.)

  46. Route Filtering
        router rip
         network 10.0.0.0
         distribute-list 1 in
        !
        access-list 1 deny 0.0.0.0
        access-list 1 permit 10.0.0.0 0.255.255.255

        Router# show ip protocol
        Routing Protocol is "rip"
          Sending updates every 30 seconds, next due in 12 seconds
          Invalid after 180 seconds, hold down 180, flushed after 240
          Outgoing update filter list for all interfaces is not set
          Incoming update filter list for all interfaces is 1
          Redistributing: rip
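An added example, not Cisco's or the presentation's code, covering slides 45 and 46 together: a receiver that recomputes the keyed hash over an inbound update (HMAC-MD5 stands in for the slide's hash-with-key step; the layout is not Cisco's wire format) and then applies access-list 1 from slide 46 with IOS wildcard-mask semantics. The update format, key and route entries are constructed for this example.

```python
import hashlib
import hmac
import ipaddress
# Added example, not Cisco code. HMAC-MD5 stands in for the slide's "hash the
# packet with the key" step; the update format (one "network metric" per line)
# and the key are constructed for the example.

def sign_update(key: bytes, update: bytes) -> bytes:
    """Signature that travels in place of the key (slide 45)."""
    return hmac.new(key, update, hashlib.md5).digest()

def verify_update(key: bytes, update: bytes, signature: bytes) -> bool:
    """Receiver recomputes the hash with its own copy of the key."""
    return hmac.compare_digest(sign_update(key, update), signature)

def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (p & care)

# access-list 1 from slide 46; "deny 0.0.0.0" with no mask is an exact match.
ACCESS_LIST_1 = [("deny", "0.0.0.0", "0.0.0.0"),
                 ("permit", "10.0.0.0", "0.255.255.255")]

def acl_permits(acl, network: str) -> bool:
    for action, pattern, wildcard in acl:
        if wildcard_match(network, pattern, wildcard):
            return action == "permit"
    return False                        # implicit deny at the end of the list

def accept_update(key: bytes, update: bytes, signature: bytes, acl) -> list:
    """Discard the whole update on a bad signature; else apply distribute-list."""
    if not verify_update(key, update, signature):
        return []
    accepted = []
    for line in update.decode().splitlines():
        network, metric = line.split()
        if acl_permits(acl, network):
            accepted.append((network, int(metric)))
    return accepted

if __name__ == "__main__":
    key = b"constructed-demo-key"
    update = b"0.0.0.0 1\n10.5.0.0 2\n192.168.1.0 3\n"
    sig = sign_update(key, update)
    print(accept_update(key, update, sig, ACCESS_LIST_1))  # [('10.5.0.0', 2)]
    print(accept_update(key, update + b"10.6.0.0 9\n", sig, ACCESS_LIST_1))  # []
```

The second call shows a route appended after signing: the signature no longer matches, so the whole update is dropped before any filtering.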

  47. Secure Vital Services
     • Network Time Protocol Sources
     • Domain Name Servers
     • Certificate Authority

  48. Session Protection through Network Layer Encryption
     (Diagram: cleartext is DES-encrypted with a shared secret key, crosses the Internet as ciphertext, and is DES-decrypted with the same shared secret key at the far end.)
     IPSec—the IETF working group defining IP Security

  49. NetRanger
     (Diagram: several sensors reporting to a NetRanger Director.)
     • Sensors watch for attacks or problems
     • NetRanger stops active attacks

  50. Vulnerability Scanning
     (Diagram: a scanner and its targets.)
     • Network mapping
       • Identify live hosts
       • Identify services on hosts
     • Vulnerability scanning
       • Analyse discovery data for potential vulnerabilities
       • Confirm vulnerabilities on targeted hosts
