Configuring Routers

Intro to Network Security

Reading:

Network Security: The Complete Reference, Bragg, Rhodes-Ousley, Strassberg et al.

Chapter 10

Objectives:

The student shall be able to:

·  Define and describe the advantage of ingress filtering, egress filtering, black hole filtering, direct broadcast filtering, unicast reverse path forwarding.

·  Write CISCO commands to (for example):

·  Prevent TCP packets with port numbers in the range 135 to 139 from entering the network, from or to any IP address, and log any violations.

·  Write two commands to establish a state-driven evaluation that allows only outgoing tcp connections to be established (2)

·  Describe the main goals of programming a router.

·  Save the active configuration to non-volatile memory

·  Audit a router

Class Time:

Lecture 1 hour

Example ½ hour

Exercise 1 hour

Exercise 1 hour

Total: 3.5 hours

Accessing a Router

The router we cover in class is the CISCO router, since CISCO is the most common form of router deployed today. Router commands vary little between different types of routers.

Router Modes

Router modes include:

User mode: User can view information but cannot change anything.

Router>

Privileged mode: Supports modifications to routing tables, use of test and debug commands, and access to configuration modes.

To enter and exit Privileged mode, use commands enable and disable.

Router> enable

Router# disable

Global configuration mode: Used to enter one-line configuration (or routing) commands.

To enter and leave global configuration mode, use the commands configure and exit. At the console, specify configure terminal (abbreviated config terminal):

Router# config terminal

Router(config)#

Configuration mode has a number of submodes: interface, router, subinterface, controller, map-list, map-class, line.

Router(config)# interface ethernet 0

Router(config-if)# exit

Router(config)#

Getting Help

Tab: Complete command for me

?: Show commands, options

Example:

Router# clock ?

set Set the time and date

Router# clock set ?

Current Time (hh : mm : ss)

Configuration Files

Two configuration files exist: running-config (held in RAM) and startup-config (held in NVRAM).

Running-config: What the router uses.

Configuration commands change this file. Test every configuration change here before storing it to non-volatile RAM (NVRAM).

Startup-config: The file the router uses after it boots.

Configuring a Router

Filtering rules are established using three techniques:

Standard ACL format: (Checks source IP addresses)

access-list <number> <permit/deny> <sourceIP> [wildcard]

where <number> = 1-99 or 1300-1999

Example: Checks that all outgoing packets from a subnet have valid IP source addresses:

access-list 2 permit 220.10.5.0 0.0.0.255

Example: Checks that all incoming packets from the network have a valid source IP address (do not have an address with a first byte of 10):

access-list 3 deny 10.0.0.0 0.255.255.255

Extended ACL format: (Checks source & destination IP & Port addresses)

access-list <number> <permit/deny> <protocol> <sourceIP> [wildcard] [src-port] <destIP> [wildcard] [dest-port] [other-options]

where <number> = 100-199 or 2000-2699

Example: Do not allow any TCP packets with port numbers between 135 and 139 (with ‘any’ source or destination IP address), and log each match:

access-list 101 deny tcp any any range 135 139 log

Example: Permit UDP packets to destination host 220.10.5.33 with destination port number 600:

access-list 102 permit udp any host 220.10.5.33 eq 600
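The standard and extended rule formats above, as an added example that is not part of the page or of Cisco's own code: a small Python model of how such a list is matched, using Cisco wildcard-mask semantics, first-match ordering and the implicit deny at the end of every list. It parses the extended syntax (a standard list is the same check restricted to the source address); the sample list is constructed from the page's rules, and the port-name table is an assumption.

```python
import ipaddress
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "tftp": 69, "www": 80}
ANY_ADDR, ANY_PORT = ("0.0.0.0", "255.255.255.255"), (0, 65535)

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit means 'don't care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A W' at tok[i] -> ((base, wildcard), next index)."""
    if tok[i] == "any":
        return ANY_ADDR, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _ports(tok, i):
    """Parse optional 'eq P' or 'range A B' at tok[i]; absent means any port."""
    port = lambda p: PORT_NAMES.get(p) or int(p)   # assumed name table, numeric otherwise
    if i < len(tok) and tok[i] == "eq":
        return (port(tok[i + 1]),) * 2, i + 2
    if i < len(tok) and tok[i] == "range":
        return (port(tok[i + 1]), port(tok[i + 2])), i + 3
    return ANY_PORT, i

def parse_acl(line):
    """access-list <num> <permit|deny> <proto> <src> [ports] <dst> [ports] [log]"""
    tok = line.split()
    src, i = _addr(tok, 4)
    sport, i = _ports(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _ports(tok, i)
    return {"action": tok[2], "proto": tok[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}

def evaluate(rules, proto, src, sport, dst, dport):
    """Rules are tried in order; the first match wins; no match is the implicit deny."""
    for r in rules:
        if (r["proto"] in ("ip", proto) and wildcard_match(src, *r["src"])
                and wildcard_match(dst, *r["dst"]) and r["sport"][0] <= sport <= r["sport"][1]
                and r["dport"][0] <= dport <= r["dport"][1]):
            return r["action"], r["text"]
    return "deny", "implicit deny"
# Constructed sample list built from the rule formats in the text above.
ACL = [parse_acl(l) for l in (
    "access-list 101 deny tcp any any range 135 139 log",
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 101 permit udp any host 220.10.5.33 eq 600",
)]
```

Swapping the order of the first two rules changes nothing here, but moving the permit line above the deny lines would let UDP from 10.0.0.0/8 reach port 600, which is why Note 2 below matters for correctness as well as speed.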

Reflexive ACL format: (Only allow outgoing sessions in this service)

Uses a state table to track the state of each session. Uses more CPU and memory than the other formats. Works only with services that use a single transport connection (e.g., not active FTP). The following rule requests that state be tracked for the indicated connections:

<permit/deny> tcp <sourceIP> [wildcard] [port] <destination> [wildcard] [port] reflect <rulename>

The following command indicates that only reply sessions (sessions not initiated from this direction) are allowed in this direction:

evaluate <rulename>

Example: Only permit outgoing SSH sessions:

permit tcp any any eq 22 reflect ssh-filter

evaluate ssh-filter

Rules must be specified in a named access-list.

Named Access Lists:

An alternate way to specify rules is by grouping them into an access-list, and naming the access list:

ip access-list extended FilterOut

permit tcp any any eq 22 reflect ssh-filter

deny tcp any any range 0 1024

permit udp any any eq tftp

deny udp any any range 0 1024

!

ip access-list extended FilterIn

evaluate ssh-filter

The access-list is then associated with an interface:

interface FastEthernet 0/0

ip address 220.10.5.36 255.255.255.0

ip access-group FilterIn in

ip access-group FilterOut out

Note 1: Each interface has its own rules for its input and for its output direction. Traffic passing through the router enters on one interface (in) and leaves on another (out), so for a pair such as FastEthernet 0/0 and FastEthernet 0/1 the in rules of one interface pair with the out rules of the other, and vice versa.

Note 2: Rules are processed in order. Therefore, most common rules should be specified first for best performance.

Note 3: If an ICMP error message is returned in response to the TCP SSH connect request, we won’t get it, since the reflexive entry tracks only the TCP session.

Static versus Reflexive:

Use static rules for absolutes: blocking private IP addresses, or specific protocols such as SNMP and ping. Static rules are faster than reflexive ones.

Use reflexive rules when necessary: when only outgoing connections are to be allowed.
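The reflect/evaluate pairing above (the FilterOut and FilterIn lists and Note 3), as an added example that is not part of the page or of Cisco's code: a Python model of the session table that reflect fills and evaluate consults, run over a constructed packet sequence. The inside and outside addresses and the 300-second entry timeout are assumed values.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport")

class ReflexiveState:
    """Session table that 'reflect <name>' fills and 'evaluate <name>' consults."""
    def __init__(self, timeout=300):             # timeout in seconds is an assumed value
        self.tables, self.timeout = {}, timeout  # name -> {Flow: expiry time}

    def reflect(self, name, flow, now):
        self.tables.setdefault(name, {})[flow] = now + self.timeout

    def evaluate(self, name, flow, now):
        """Allow only the exact mirror (same protocol, endpoints swapped) of a live tracked flow."""
        mirror = Flow(flow.proto, flow.dst, flow.dport, flow.src, flow.sport)
        expiry = self.tables.get(name, {}).get(mirror)
        return expiry is not None and expiry > now

def filter_out(state, flow, now):
    """FilterOut from the text: permit SSH with reflect, permit tftp, deny the rest."""
    if flow.proto == "tcp" and flow.dport == 22:
        state.reflect("ssh-filter", flow, now)   # permit tcp any any eq 22 reflect ssh-filter
        return "permit"
    if flow.proto == "tcp" and flow.dport <= 1024:
        return "deny"                            # deny tcp any any range 0 1024
    if flow.proto == "udp" and flow.dport == 69:
        return "permit"                          # permit udp any any eq tftp
    return "deny"                                # deny udp any any range 0 1024, then implicit deny

def filter_in(state, flow, now):
    """FilterIn from the text: evaluate ssh-filter, then the implicit deny."""
    return "permit" if state.evaluate("ssh-filter", flow, now) else "deny"

def scenario():
    """Constructed packet sequence through both lists; addresses are made-up sample values."""
    st = ReflexiveState()
    inside, outside = "220.10.5.40", "198.51.100.9"
    syn = Flow("tcp", inside, 51000, outside, 22)
    reply = Flow("tcp", outside, 22, inside, 51000)
    return [
        filter_out(st, syn, now=0),                                  # permit; session recorded
        filter_in(st, reply, now=1),                                 # permit; mirror of tracked flow
        filter_in(st, Flow("tcp", outside, 22, inside, 51001), 1),  # deny; wrong client port
        filter_in(st, Flow("tcp", outside, 51000, inside, 22), 1),  # deny; inbound SSH not initiated here
        filter_in(st, Flow("icmp", outside, 0, inside, 0), 1),      # deny; Note 3: ICMP error not reflected
        filter_in(st, reply, now=301),                               # deny; entry timed out
    ]
```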

Interfaces

Interfaces are named according to their speeds:

Ethernet = 10bT

FastEthernet = 100bT

GBICethernet or GbEthernet = 1000bT

Serial = WAN CSU/DSU (with command: clock rate 56000)

0 or 1 = on fixed format routers this is interface 0 or 1

0/0 = On modular routers (which ours are) this is the first port on the first card of the router...

0/1 = Second port first card

1/0 = second card first port

so on some routers you can have the following interfaces:

Ethernet 0

FastEthernet 0/0

FastEthernet 0/1

FastEthernet 0/2

FastEthernet 0/3

GBICethernet 0/0

GBICEthernet 1/0

Table of CISCO Keywords in Routing Commands

Each entry gives the keyword, its meaning (with the mode in which it is used), and an example or special note.

access-list
Meaning: Privileged mode: Establish a rule.
Format for 1-99, 1300-1999: access-list <num> <permit/deny> <sourceIP> <wildcard>
Format for 100-199, 2000-2699: see the extended ACL format above.
Example:
access-list 3 deny any log
access-list 101 deny tcp any any range 135 139 log

any
Meaning: Any IP address is accepted.
Value: wildcard 255.255.255.255

banner
Meaning: Privileged mode: Sets the default banner upon login.
Example:
banner #
Access restricted to UWP system administrators
#

deny
Meaning: ACL command mode: Deny these packets.
Example: deny icmp any host 24.33.22.1

description
Meaning: Interface command mode: Assign a description to an interface.
Example: description Engineering LAN

eq
Meaning: Equal: match a port address.
Example: deny tcp any any eq telnet

established
Meaning: Check to make sure the SYN bit is not on. Use reflexive rules instead.
Example: access-list 100 permit tcp any any established

evaluate
Meaning: ACL command mode: Check a reflexive rule. Ensures the connection is active before accepting packets. The reflexive rule is created with the ‘reflect’ keyword.
Format: evaluate <rule>

host
Meaning: Check all bits: expect an exact match for the IP address.
Value: wildcard 0.0.0.0
Example: deny icmp any host 24.33.22.1

hostname
Meaning: Config mode: Changes the name of the router, and the default prompt.

interface
Meaning: Privileged mode, sets config mode: Define an interface. Can include a set of commands ending with a !
Example:
interface FastEthernet 0/0
ip access-group 135 in
!

ip access-list
Meaning: Privileged mode: Establish a set of rules as an access-list.
Example:
ip access-list extended filtrout
permit tcp any any

ip access-group
Meaning: Privileged mode: Match a rule or access list to a router port.
Example:
interface Ethernet0
ip access-group 135 in
!
This applies rule 135 to inward-bound packets for the Ethernet0 interface.

ip address
Meaning: Config mode: Assign an IP address and subnet mask to an interface. Placed within the interface ... ! block.
Format: ip address <address> <mask>
Example: ip address 129.33.22.44 255.255.255.0

line
Meaning: Privileged mode, sets line mode: Enter permitted methods to access the router: aux, con, vty, … See more extensive documentation for details.
Example: line vty 0 4

log, log-input
Meaning: Log any matches to this rule. log-input also records the layer 2 address.
Example: deny tcp any any eq 1024 log

no ip <option>
Meaning: Privileged mode (usually): Disallow options: directed-broadcast, source-route, finger.
Example:
no ip directed-broadcast
no ip source-route
no ip finger

permit
Meaning: ACL command mode: Allow these packets.
Example: permit tcp any any eq 65

range
Meaning: Match a port address to a range.
Example: range 135 139

reflect
Meaning: ACL command mode: Specify a reflexive rule: save the state of the session relating to this protocol, source and destination IP address. The state is checked when the evaluate command is specified.
Format: permit <protocol> <sourceIP> <destIP> reflect <name>

remark
Meaning: ACL command mode: Comment.
Example: remark This is a comment

show running-config
Meaning: Privileged mode: Show the currently active configuration file.

show startup-config
Meaning: Privileged mode: Show the configuration file that will become active the next time the router reboots.

shutdown, no shutdown
Meaning: Interface config mode: Turns an interface off and back on.

tcp, udp, icmp-echo, telnet, ftp, ftp-data
Meaning: Specific protocol name matches.
Example:
permit tcp …
permit icmp …

Routing Safeguards

Convergence: Quick network routing convergence results in a short disruption following an attack

Ingress Filtering: Filter packets coming from Internet into the zoned network

·  Protect against flooding, malicious activity from network

·  Filter IP addresses: 0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 224.0.0.0/4

·  Further addresses listed at: http://www.cymru.com/Documents/bogon-dd.html

Egress Filtering: Filter packets leaving internal network or zone towards internet

·  Prevents spoof or other attacks from affecting other networks

Rules:

·  Default Permit: “That which is not expressly forbidden is permitted”

·  Default Deny: “That which is not expressly permitted is forbidden”

Which would be used for Ingress Filtering, Egress Filtering?
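Ingress and egress filtering as described above, in an added example that is not part of the page or of Cisco's code: a Python generator that turns the bogon prefixes listed above into access-list lines (the wildcard mask is the bitwise inverse of the netmask, which ipaddress exposes as hostmask) and builds both directions' lists for an assumed inside prefix of 220.10.5.0/24. The final entry of the ingress list is a parameter, since the text leaves the default-permit versus default-deny choice as a question.

```python
import ipaddress

# Source ranges to drop at the Internet-facing interface, copied from the list above.
BOGONS = ["0.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24", "10.0.0.0/8", "172.16.0.0/12",
          "192.168.0.0/16", "169.254.0.0/16", "224.0.0.0/4"]

def wildcard(prefix):
    """Cisco wildcard mask for a CIDR prefix: the bitwise inverse of the netmask."""
    return str(ipaddress.IPv4Network(prefix).hostmask)

def deny_line(number, prefix):
    """One logged deny entry for every source address inside prefix."""
    net = ipaddress.IPv4Network(prefix)
    return f"access-list {number} deny ip {net.network_address} {net.hostmask} any log"

def ingress_acl(number, inside_prefix, default):
    """Ingress list: bogon sources and packets claiming an inside source are dropped and
    logged; the final entry carries the default (permit or deny) chosen by policy."""
    lines = [deny_line(number, p) for p in BOGONS] + [deny_line(number, inside_prefix)]
    return lines + [f"access-list {number} {default} ip any any"]

def egress_acl(number, inside_prefix):
    """Egress list: only packets sourced from the inside prefix may leave; the rest is logged."""
    net = ipaddress.IPv4Network(inside_prefix)
    return [f"access-list {number} permit ip {net.network_address} {net.hostmask} any",
            f"access-list {number} deny ip any any log"]

def ingress_denies(src, inside_prefix):
    """Would one of the explicit ingress deny entries drop a packet with this source?"""
    a = ipaddress.IPv4Address(src)
    return any(a in ipaddress.IPv4Network(p) for p in BOGONS + [inside_prefix])
```

The generated lines can be pasted into the standard/extended formats shown earlier and applied with ip access-group in the appropriate direction on the Internet-facing interface.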

Black Hole Filtering: Create routes to the null interface (null0) for specific IP addresses

·  Avoid looping: We forward all 128.n.n.n to you – but you don’t have 128.37.64.25 and forward it back to us.

Net Police Filter: Rejects routes more specific than a 20- or 24-bit mask

·  Ensures routing table does not get too big, thereby slowing routing down

Direct Broadcast Filtering

·  Disable broadcast destination IP addresses

no ip directed-broadcast

·  Smurf attack: Send SYN to broadcast address – all reply with SYN/ACK to origination IP address

Unicast Reverse Path Forwarding

·  Prevent Forgery/Spoofing: Block packets from outside with source IP Addresses = inside

·  Source addresses can be verified against the routing table, by checking the IP address range from whence the packet arrived

access-list 110 deny ip any any log-input

ip cef ! Enable Cisco Express Forwarding

interface Ethernet 0

ip verify unicast reverse-path 110
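The reverse-path check described above, as an added example that is not IOS code: a Python model of strict unicast RPF over a constructed routing table, using the same longest-prefix lookup the router uses for forwarding. Interface names and prefixes are made up, the null0 entry stands for a black-hole route of the kind described under Black Hole Filtering, and a default route is deliberately left out of the table.

```python
import ipaddress

# Constructed routing table as (prefix, outgoing interface); null0 is a black-hole route.
ROUTES = [("220.10.5.0/24", "Ethernet0"), ("220.10.6.0/24", "Ethernet1"),
          ("198.51.100.0/24", "Serial0"), ("192.0.2.0/24", "null0")]

def best_route(addr, routes):
    """Longest-prefix match: the lookup the router does to forward toward addr."""
    a = ipaddress.IPv4Address(addr)
    hits = [(ipaddress.IPv4Network(p), ifc) for p, ifc in routes if a in ipaddress.IPv4Network(p)]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def urpf_check(src, arrived_on, routes=ROUTES):
    """Strict unicast RPF: forward only if the best route back to the source leaves through
    the interface the packet arrived on. Returns (forward?, reason)."""
    ifc = best_route(src, routes)
    if ifc is None:
        return False, "no route back to source: fails uRPF, handed to ACL 110 (deny, log-input)"
    if ifc == "null0":
        return False, "source is black-holed: fails uRPF, handed to ACL 110 (deny, log-input)"
    if ifc != arrived_on:
        return False, f"reverse path is {ifc} but packet arrived on {arrived_on}: spoofed source"
    return True, f"reverse path {ifc} matches arrival interface"

def demo():
    """Constructed packets as (source address, arrival interface) -> forward decisions."""
    cases = [("220.10.5.36", "Ethernet0"),   # inside host on its own interface: pass
             ("220.10.5.36", "Serial0"),     # inside address arriving from the WAN: spoofed
             ("198.51.100.9", "Serial0"),    # routed outside source on the WAN interface: pass
             ("192.0.2.7", "Serial0"),       # black-holed range: drop
             ("203.0.113.5", "Serial0")]     # no route at all (no default route here): drop
    return [urpf_check(s, i)[0] for s, i in cases]
```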

If Routing configured well, turn off:

·  ICMP Redirects: “Don’t send to me – I’ll send it back to you anyway”

no ip redirects

·  Source Routing: Source endpoint dictates packet’s route

no ip source-route

Additional security tips for routing protocols (Border Gateway Protocol (BGP), Open Shortest Path First (OSPF)) are given in Network Security Principles & Practices.

Router / Switch / Firewall Security:

·  The routers’ configuration in NVRAM must be backed up

·  Copy router configurations regularly or after config change

·  Access to the router should be limited

·  Allow only tty & SSH/IPsec (best)

·  Use good authentication: the HMAC-MD5 standard instead of a cleartext password

·  Disable unused services: telnet, SNMP, web, if not used

·  Use Network Time Protocol (NTP) to synchronize logs across the network

·  The login banner should state that unauthorized access to the system is prohibited. Check with legal counsel for best protection

·  Capturing core dumps may be useful for finding crash causes

Advanced CISCO Router Features

Authentication Proxy: Users authenticate with Router or firewall before accessing inner network, using RADIUS or TACACS+. Similar service: lock-and-key ACLs.

Content-Based Access Control (CBAC): Protects the application layer header for some applications from some attacks. Includes (among other things):

·  Uses ‘ip inspect …’ command

·  SMTP: Validates for a pre-defined set of email commands

·  TCP: Drops packets whose sequence numbers are out of range.

·  Close half-open sessions which are not completing in a timely manner (SYN or FIN)

·  Close non-active sessions

·  Java Applets: Filter applets from untrusted sites.

·  RPC: Filter specific applications

·  Fragments: Discards fragments received before the initial fragment; incomplete packets are held until timeout

·  Web: With Websense, N2H2, filters specific URLs or categories of URLs

·  ICMP: Filters pre-defined ICMP messages.

Router Audit Tools

Validation: Does the router implement the established policies?

·  Establish tests to determine that router does allow/deny IP addresses, port numbers, etc.

RAT: Router Audit Tool

·  RAT includes a set of tools to validate the router against best-practices

·  Center for Information Security (CIS) web site: www.cisecurity.org

·  Includes management (router access), control (logging, NTP), and data (filtering) checks.

·  Two levels:

·  Level 1: Basic security applicable to all configurations

·  Level 2: Specific security settings for optional features

·  Steps include:

·  Complete a configuration form to create a rules file, using ncat_config program

·  Read the router configuration from a file or remotely, then compare to the rules file, using the ncat program, producing a CSV report

·  Produce the HTML report from the CSV file using ncat_report.

·  Includes useful documentation:

·  Cisco-ios-router-questionnaire.pdf: Audit checklist

·  Cisco-ios-router-benchmark.pdf: Describes the use of the tool

·  Rscg.pdf: NSA Router Security Configuration Guide: Explanations on security configurations.

Audit Questions:

·  Are filter rules unique (not redundant?)

·  Do filter rules adhere to policy?

·  Do filter rules adhere to best practice?

·  Are filter rules optimized for throughput?

·  Do filter rules work as specified in each direction?

Lab Exercise: Getting to Know Routers

Connecting

Connect to the router as follows:

connect CSpriv

passwd: CSisGood

User Mode

The show command allows you to see a lot of information about the router. Commands include: show version, show processes, show protocols, show memory, show stacks, show buffers, show flash, show running-config.

Q. Run the following commands and describe what you have learned about the router.

> show version

> show protocol

The show interfaces command shows statistics for each interface.