
Cisco Device Hardening




  1. Cisco Device Hardening Securing Management and Reporting Features

  2. Secure Management and Reporting Planning Considerations

  3. Secure Management and Reporting Planning Considerations
  • Which logs are the most important?
  • How are the important messages separated out?
  • How is modification of the logs prevented?
  • How can we be sure the time stamps agree?
  • Which logs are needed for an incident investigation?
  • How is the volume of log messages handled?
  • How are the devices managed?
  • How do we respond to an attack on, or a failure of, the network?

  4. Secure Management and Reporting Architecture

  5. Secure Management and Reporting Architecture

  6. Information Paths

  7. In-Band Management Considerations
  • Which management protocols does each device support?
  • Does the management channel need to be active at all times?
  • Is SNMP required?

  8. Secure Management and Reporting Guidelines
  • In-band management guidelines:
  • Apply in-band management only to devices that must be managed and monitored.
  • Use IPsec wherever possible.
  • Use SSH instead of Telnet.
  • Decide whether the management channel must stay open at all times.
  • Synchronize the clocks of hosts and network devices.
  • Record changes and archive configurations.
  • OOB management guidelines:
  • Reduces risk by providing stronger security and keeping insecure management protocols off the production network.
  • Synchronize the clocks of hosts and network devices.
  • Record changes and archive configurations.

  9. Configuring an SSH Server for Secure Management and Reporting

  10. Configuring an SSH Server for Secure Management and Reporting
  Austin2#configure terminal
  Austin2(config)#ip domain-name cisco.com
  Austin2(config)#crypto key generate rsa general-keys modulus 1024
  Sept 22 13:20:45: %SSH-5-ENABLED: SSH 1.5 has been enabled
  Austin2(config)#ip ssh timeout 120
  Austin2(config)#ip ssh authentication-retries 4
  Austin2(config)#line vty 0 4
  Austin2(config-line)#no transport input telnet
  Austin2(config-line)#transport input ssh
  Austin2(config-line)#end
  • Set the IP domain name (required before the RSA key can be generated)
  • Generate the RSA key pair
  • Configure the SSH timeout interval
  • Set the number of SSH authentication retries
  • Disable inbound Telnet sessions on the vty lines
  • Enable inbound SSH sessions on the vty lines
  Note: "SSH 1.5" in the log line is SSHv1. On images that support it, add "ip ssh version 2" so only SSHv2 is accepted, and generate a modulus of at least 2048 bits; 1024-bit RSA keys are below current minimums.
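The settings on this slide are easy to check for in a saved running-config. The audit script below is an added example, not part of the original slides: it parses a constructed running-config excerpt (SAMPLE_CONFIG), walks every "line vty" block, and reports anything that deviates from the slide's commands plus the two practitioner defaults the slide predates, SSHv2 only and a 2048-bit RSA modulus. The RSA key size is not visible in a running-config, so it is passed in as an argument.

```python
"""Audit an IOS running-config against the vty/SSH settings shown above.

Added example; not from the original slides. SAMPLE_CONFIG is a constructed
running-config excerpt. The checks encode the slide's commands plus two
practitioner defaults the slide predates: SSHv2 only ('ip ssh version 2')
and an RSA modulus of at least 2048 bits.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
hostname Austin2
ip domain-name cisco.com
ip ssh timeout 120
ip ssh authentication-retries 4
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login
!
"""

def parse_vty_lines(config: str) -> Dict[str, List[str]]:
    """Map each 'line vty A B' block to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+) (\d+)$", raw)
        if m:
            current = f"vty {m.group(1)}-{m.group(2)}"
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # any other top-level line ends the block
    return blocks

def audit_ssh(config: str, rsa_modulus_bits: int) -> List[str]:
    """Return findings; an empty list means the config passes.

    The RSA key size is not in the running-config, so it is passed in
    (read it from 'show crypto key mypubkey rsa').
    """
    findings = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("ip domain-name missing: crypto key generate rsa will fail")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 missing: SSHv1 (the 'SSH 1.5' banner) is still accepted")
    if rsa_modulus_bits < 2048:
        findings.append(f"RSA modulus {rsa_modulus_bits} bits is below 2048")
    if not re.search(r"^ip ssh authentication-retries [1-5]$", config, re.M):
        findings.append("ip ssh authentication-retries not set")
    for name, cmds in parse_vty_lines(config).items():
        transport = [c for c in cmds if c.startswith("transport input")]
        if transport != ["transport input ssh"]:
            seen = transport[0] if transport else "transport input (default)"
            findings.append(f"{name}: {seen}; want 'transport input ssh'")
        if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
            findings.append(f"{name}: no per-user authentication (login local or login authentication <list>)")
    return findings

if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG, rsa_modulus_bits=1024):
        print("FAIL:", finding)
```

Run against the sample it reports four findings: no "ip ssh version 2", a 1024-bit key, Telnet still allowed on vty 0-4, and vty 5-15 using the shared line password instead of per-user login. Feed it the output of "show running-config" from a real device to check the same points.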

  11. Using Syslog Logging for Network Security

  12. Implementing Log Messaging for Security
  • A router can send log messages to one or more of the following destinations:
  • Console
  • Terminal lines
  • Memory buffer
  • SNMP traps
  • Syslog
  • Syslog logging is an important component of a security policy.

  13. Syslog Systems
  • Syslog server: a host that receives and processes log messages from one or more clients.
  • Syslog client: a host that generates log messages and sends them to the server.

  14. Cisco Log Severity Levels
  Level  Name           Description
  0      Emergencies    Router unusable
  1      Alerts         Immediate action required
  2      Critical       Condition critical
  3      Errors         Error condition
  4      Warnings       Warning condition
  5      Notifications  Normal but important event
  6      Informational  Informational message
  7      Debugging      Debug message

  15. Log Message Format
  Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)
  Time stamp: Oct 29 10:00:01 EST
  Log message name and severity level: %SYS-5-CONFIG_I
  Message text: Configured from console by vty0 (10.2.2.6)

  16. Configuring Syslog Logging

  17. Configuring Syslog
  Router(config)# logging [host-name | ip-address]
  • Sets the destination logging host
  Router(config)# logging trap level
  • (Optional) Sets the log severity (trap) level
  Router(config)# logging facility facility-type
  • (Optional) Sets the syslog facility

  18. Configuring Syslog (Cont.)
  Router(config)# logging source-interface interface-type interface-number
  • (Optional) Sets the source interface
  Router(config)# logging on
  • Enables logging

  19. Syslog Implementation Example
  R3(config)#logging 10.2.2.6
  R3(config)#logging trap informational
  R3(config)#logging source-interface loopback 0
  R3(config)#logging on
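The message format and severity table above are enough to parse what R3 sends to 10.2.2.6 and to answer the planning questions about separating the important messages. The parser below is an added example, not code from the original slides. It reads IOS records in the slide's layout, applies the same severity cut-off that "logging trap informational" applies on the router, and pulls out the events an investigator asks for first (configuration changes, failed logins, interface state changes). The sample records are constructed; two IOS conventions not shown on the slide are handled as well: an optional leading sequence number, and the "*" or "." that IOS prints in front of the time stamp when the clock is not authoritative or has lost NTP synchronization, which is exactly the time-stamp question from the planning slide.

```python
"""Parse Cisco IOS syslog records and apply a 'logging trap' severity filter.

Added example (not from the original slides). The sample records are
constructed; their layout follows the slide's
  Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)
with two IOS conventions added: an optional leading sequence number
('000045: ...') and a '*' or '.' in front of the time stamp, which IOS
prints when the clock is not authoritative or has lost NTP sync.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational",
                  7: "debugging"}
SEVERITY_BY_NAME = {name: level for level, name in SEVERITY_NAMES.items()}

LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"                              # optional sequence number
    r"(?P<flag>[*.])?"                                   # '*' clock not authoritative, '.' NTP sync lost
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} "                    # 'Oct 29 ' (day may be space-padded)
    r"\d{2}:\d{2}:\d{2}(?:\.\d+)?(?: [A-Z]{3,4})?): "    # '10:00:01.123 EST: '
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

@dataclass
class IosLog:
    seq: Optional[int]
    timestamp: str
    clock_trusted: bool      # False when the '*' or '.' flag was present
    facility: str
    severity: int
    mnemonic: str
    text: str

def parse_line(line: str) -> Optional[IosLog]:
    """Return an IosLog for a well-formed record, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return IosLog(seq=int(m["seq"]) if m["seq"] else None,
                  timestamp=m["ts"], clock_trusted=m["flag"] is None,
                  facility=m["facility"], severity=int(m["severity"]),
                  mnemonic=m["mnemonic"], text=m["text"])

def trap_filter(records: List[IosLog], trap_level) -> List[IosLog]:
    """Keep records of severity <= trap_level, as 'logging trap <level>' does
    on the router; the level may be given as a number or its IOS name."""
    level = SEVERITY_BY_NAME[trap_level] if isinstance(trap_level, str) else trap_level
    return [r for r in records if r.severity <= level]

# Mnemonics to pull out for the investigation questions on the planning slide:
# who changed the configuration, failed logins, interface flaps.
WATCH = {"CONFIG_I", "LOGIN_FAILED", "UPDOWN"}

def security_events(records: List[IosLog]) -> List[IosLog]:
    return [r for r in records if r.mnemonic in WATCH]

SAMPLE_LINES = [  # constructed for this example
    "Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)",
    "Oct 29 10:00:07 EST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.2.2.9] [localport: 22]",
    "Oct 29 10:00:09 EST: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "000045: Oct 29 10:00:11 EST: %SSH-5-ENABLED: SSH 2.0 has been enabled",
    "*Mar  1 00:02:11.123: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: ): testing",
    "this line is not a syslog record",
]

def parse_sample() -> List[IosLog]:
    return [r for r in map(parse_line, SAMPLE_LINES) if r is not None]

if __name__ == "__main__":
    recs = parse_sample()
    for r in trap_filter(recs, "informational"):
        mark = "" if r.clock_trusted else "  <-- clock not authoritative"
        print(f"{r.severity} {r.facility}-{r.mnemonic}: {r.text}{mark}")
    print("security events:", [r.mnemonic for r in security_events(recs)])
```

With "logging trap informational" the debugging-level record is dropped before it ever leaves the router, which is the point of the trap level: it bounds the volume of messages the syslog server has to handle. The clock_trusted flag is worth alerting on in its own right, since a "*" time stamp means the record cannot be correlated with other devices.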

  20. SNMP Version 3

  21. SNMPv1 and SNMPv2 Architecture
  • The SNMP NMS can query the agent embedded in a device for information, or send it Set commands.

  22. Community Strings
  • Used to authenticate messages between the management station and an SNMPv1 or SNMPv2 engine:
  • A read-only community string can read information but cannot set it.
  • A read-write community string can both read and set information.
  • The community string is carried in cleartext in every SNMPv1/v2c packet, so anyone who can capture the traffic learns it.

  23. SNMP Security Models and Levels
  • Definitions:
  • A security model is the security strategy used by the SNMP agent.
  • A security level is the level of security permitted within a security model.
  • SNMPv3 defines three levels: noAuthNoPriv (username only), authNoPriv (HMAC-MD5 or HMAC-SHA message authentication) and authPriv (authentication plus encryption). These appear as noauth, auth and priv in the IOS commands that follow.

  24. SNMPv3 Architecture

  25. SNMPv3 Operational Model

  26. SNMPv3 Features and Benefits

  27. Configuring an SNMP Managed Node

  28. SNMPv3 Configuration Task List • Cisco IOS SNMPv3 server configuration tasks: • Configuring the SNMP-server engineID • Configuring the SNMP-server group names • Configuring the SNMP-server users • Configuring the SNMP-server hosts

  29. Configuring the SNMP-Server Engine ID
  Router(config)# snmp-server engineID [local engineid-string] | [remote ip-address udp-port port-number engineid-string]
  • Configures names for both the local and remote SNMP engine (or copy of SNMP) on the router
  PR1(config)#snmp-server engineID local 1234

  30. Configuring the SNMP-Server Group Names
  Router(config)# snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
  • Configures a new SNMP group, or a table that maps SNMP users to SNMP views
  PR1(config)#snmp-server group johngroup v3 auth
  PR1(config)#snmp-server group billgroup v3 priv

  31. Configuring the SNMP-Server Users
  Router(config)# snmp-server user username groupname [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} [access access-list]
  • Adds a new user to an SNMP group
  PR1(config)#snmp-server group johngroup v3 auth
  PR1(config)#snmp-server group billgroup v3 priv
  PR1(config)#snmp-server user John johngroup v3 auth md5 john2passwd
  PR1(config)#snmp-server user Bill billgroup v3 auth md5 bill3passwd priv des56 password2

  32. Configuring the SNMP-Server Hosts
  Router(config)# snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
  • Configures the recipient of an SNMP trap or inform operation (for version 3 the community-string argument is the SNMPv3 username)
  PR1(config)#snmp-server engineID remote 10.1.1.1 1234
  PR1(config)#snmp-server group billgroup v3 noauth
  PR1(config)#snmp-server user bill billgroup remote 10.1.1.1 v3
  PR1(config)#snmp-server enable traps
  PR1(config)#snmp-server host 10.1.1.1 informs version 3 noauth bill
  PR1(config)#snmp-server manager

  33. SNMPv3 Configuration Example
  Trap_sender(config)#snmp-server group snmpgroup v3 auth
  Trap_sender(config)#snmp-server group snmpgroup v3 priv
  Trap_sender(config)#snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword
  Trap_sender(config)#snmp-server enable traps cpu
  Trap_sender(config)#snmp-server enable traps config
  Trap_sender(config)#snmp-server enable traps snmp
  Trap_sender(config)#snmp-server host 11.11.11.11 traps version 3 priv snmpuser
  Trap_sender(config)#snmp-server source-interface traps loopback 0
  Walked_device(config)#snmp-server group snmpgroup v3 auth
  Walked_device(config)#snmp-server group snmpgroup v3 priv
  Walked_device(config)#snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword
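The engineID slide comes before the user slides for a reason the slides do not spell out: the password in "snmp-server user ... auth md5 authpassword" is never used as the key. The USM key derivation of RFC 3414 first stretches the password into Ku and then localizes it with the engineID into Kul, so the same password yields a different key on every engine, and a user for a remote engine (slide 32) can only be created once that engine's ID is configured. The code below is an added example, not from the original slides; it implements that derivation with hashlib and checks itself against the RFC's published test vector (password "maplesyrup", engineID 00 00 00 00 00 00 00 00 00 00 00 02). The second engineID is constructed in the Cisco default layout (enterprise 9, MAC-based format) purely to show the localization effect. MD5 and DES are the algorithms the slides use; on images that support them, "auth sha" and "priv aes 128" are the ones to deploy.

```python
"""SNMPv3 USM key localization (RFC 3414, section A.2), in Python.

Added example; not from the original slides. The password in
'snmp-server user ... auth md5 <pw>' is stretched to Ku and then localized
with the engineID to Kul, so one password gives a different key on every
engine. The __main__ block uses the RFC's own test vector (password
'maplesyrup', engineID 00..02); OTHER_ENGINE_ID is constructed.
"""
import hashlib

ONE_MEGABYTE = 1_048_576

def password_to_ku(password: bytes, algo: str) -> bytes:
    """Ku = H(password repeated cyclically to exactly 1,048,576 bytes)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the key the agent actually stores."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def usm_keys(password: str, engine_id: bytes, algo: str = "md5") -> dict:
    """Return {'Ku': hex, 'Kul': hex} for an auth or priv password.

    IOS 'auth md5' / 'auth sha' select algo. The DES priv key is derived the
    same way from the priv password: the first 8 bytes of Kul become the DES
    key and the next 8 the pre-IV.
    """
    ku = password_to_ku(password.encode(), algo)
    return {"Ku": ku.hex(), "Kul": localize(ku, engine_id, algo).hex()}

RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")      # RFC 3414 A.3
# Constructed: Cisco-style engineID (enterprise 9, format 3 = MAC address).
OTHER_ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, usm_keys("maplesyrup", RFC_ENGINE_ID, algo))
    print("same password, other engine:",
          usm_keys("maplesyrup", OTHER_ENGINE_ID, "md5")["Kul"])
```

Two consequences follow for the configurations above. The 1 MB stretch is the only work factor protecting a captured authPriv session, so short passwords are brute-forceable offline; and because Kul depends on the engineID, changing "snmp-server engineID local" on a device invalidates every localized key, which is why IOS re-derives its users when the engineID changes and why "snmp-server engineID remote" must be entered before the matching "snmp-server user ... remote".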

  34. Configuring NTP Client

  35. Understanding NTP
  • NTP is used to synchronize clocks across an entire network.
  • The system clock is set from the battery-backed system calendar during boot.
  • The system clock can be set manually or from an NTP source.
  • NTP uses UDP port 123.
  • The version in current use is version 4.
  • Versions up to 3 were documented in RFCs when this material was written (NTPv3 is RFC 1305; NTPv4 has since been published as RFC 5905).
  • Stratum indicates how many "NTP hops" a system is from an authoritative time source.
  • NTP is used for time synchronization.

  36. Configuring NTP Authentication
  Router(config)# ntp authenticate
  • Enables the authentication feature
  Router(config)# ntp authentication-key number md5 value
  • Defines the authentication keys
  • Used for both peer and server associations
  Router(config)# ntp trusted-key key-number
  • Defines the trusted authentication keys
  • Required to synchronize to a system (server association)
  R1(config)#ntp authenticate
  R1(config)#ntp authentication-key 1 md5 NeVeRgUeSs
  R1(config)#ntp trusted-key 1

  37. Configuring NTP Associations
  Router(config)# ntp server {ip-address | hostname} [version number] [key keyid] [source interface] [prefer]
  • Forms a server association with another system
  Router(config-if)# ntp broadcast client
  • Receives NTP broadcast packets
  R1(config)#ntp server 10.1.1.1 key 1
  R1(config)#ntp server 10.2.2.2 key 2 prefer
  R1(config)#interface FastEthernet 0/1
  R1(config-if)#ntp broadcast client

  38. Configuring Additional NTP Options
  Router(config)# ntp access-group {query-only | serve-only | serve | peer} access-list-number
  • Controls NTP message exchange
  Router(config)# ntp source interface
  • Modifies the source IP address of NTP packets
  R1(config)#access-list 1 permit host 10.1.1.1
  R1(config)#ntp access-group peer 1
  R1(config)#ntp source loopback 0

  39. Configuring NTP Server

  40. Configuring NTP Server
  Router(config)# ntp master [stratum]
  • Makes the system an authoritative NTP server
  Router(config)# ntp peer ip-address [normal-sync] [version number] [key keyid] [source interface] [prefer]
  • Forms a peer association with another system
  Router(config-if)# ntp broadcast [version number] [destination address] [key keyid]
  • Configures an interface to send NTP broadcast packets
  R2(config)#ntp peer 10.1.1.1 key 1
  R2(config)#ntp master 3
  R2(config)#interface FastEthernet0/0
  R2(config-if)#ntp broadcast

  41. NTP Configuration Example
  Source(config)#ntp master 5
  Source(config)#ntp authentication-key 1 md5 secretsource
  Source(config)#ntp peer 172.16.0.2 key 1
  Source(config)#ntp source loopback 0
  Intermediate(config)#ntp authentication-key 1 md5 secretsource
  Intermediate(config)#ntp authentication-key 2 md5 secretclient
  Intermediate(config)#ntp trusted-key 1
  Intermediate(config)#ntp server 172.16.0.1
  Intermediate(config)#ntp source loopback 0
  Intermediate(config)#interface FastEthernet0/0
  Intermediate(config-if)#ntp broadcast
  Client(config)#ntp authentication-key 1 md5 secretclient
  Client(config)#ntp trusted-key 1
  Client(config)#interface FastEthernet0/1
  Client(config-if)#ntp broadcast client
  Note: neither Intermediate nor Client issues "ntp authenticate", Intermediate's server association carries no "key", and its "ntp broadcast" sends no key, so the keys defined here are never enforced and both routers still accept unauthenticated time. Add "ntp authenticate" on both, "key 1" to the server association and "key 2" to the broadcast for the keys to matter.
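What "ntp authentication-key N md5 <key>" and "ntp trusted-key N" (slide 36) actually put on the wire is small enough to reproduce. The code below is an added example, not from the original slides: an NTPv3/v4 sender appends a 4-byte key ID and MD5(key || header) to the 48-byte NTP header, and a receiver with authentication enabled looks the key ID up in its own key table, recomputes the digest, and additionally refuses any key ID it has not marked trusted. The key table, key IDs and packet contents are constructed for the example (the key strings echo the slides); the verify() function shows the four ways a packet is rejected, including the unauthenticated packet that the configuration on slide 41 would still accept.

```python
"""NTP symmetric-key authentication, as configured by
'ntp authentication-key N md5 <key>' and 'ntp trusted-key N', in Python.

Added example; not from the original slides. NTPv3/v4 authenticate a packet
by appending a 4-byte key ID and MD5(key || header) to the 48-byte header.
The receiver recomputes the digest with the key it holds under that ID and
must also refuse key IDs that are configured but not trusted ('ntp
trusted-key'). Keys, key IDs and packet fields here are constructed.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Set

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2_208_988_800      # seconds from 1900-01-01 to 1970-01-01
MAC_LEN = 4 + 16                      # key ID + MD5 digest

def build_header(mode: int, stratum: int = 0, tx_time: Optional[float] = None) -> bytes:
    """Minimal NTPv4 header (LI=0, VN=4); only stratum and transmit time are set."""
    if tx_time is None:
        tx_time = time.time()
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    secs = int(tx_time) + NTP_EPOCH_OFFSET
    frac = int((tx_time - int(tx_time)) * (1 << 32))
    # 4 leading bytes + 36 bytes of unused fields + 8-byte transmit timestamp = 48
    return struct.pack("!BBbb", li_vn_mode, stratum, 0, 0) + b"\x00" * 36 + struct.pack("!II", secs, frac)

def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key ID and MD5(key || header), the classic NTP MAC."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def verify(packet: bytes, keys: Dict[int, bytes], trusted: Set[int]) -> bool:
    """Accept only a packet whose MAC checks out under a configured *and*
    trusted key ID; with authentication enabled, no MAC means reject."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys or key_id not in trusted:
        return False
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, mac[4:])

# Constructed key table: 'ntp authentication-key 1 md5 NeVeRgUeSs' trusted,
# key 2 defined but deliberately left out of 'ntp trusted-key'.
KEYS = {1: b"NeVeRgUeSs", 2: b"secretclient"}
TRUSTED = {1}

def demo(tx_time: float = 1_700_000_000.5) -> Dict[str, bool]:
    """Exercise the accept path and the reject paths a client sees."""
    good = sign(build_header(mode=4, stratum=2, tx_time=tx_time), 1, KEYS[1])
    tampered = good[:1] + bytes([1]) + good[2:]           # stratum 2 -> 1, MAC left as-is
    untrusted = sign(build_header(4, 2, tx_time), 2, KEYS[2])
    forged = sign(build_header(4, 2, tx_time), 1, b"wrong-key")
    return {
        "authentic": verify(good, KEYS, TRUSTED),
        "tampered": verify(tampered, KEYS, TRUSTED),
        "untrusted key id": verify(untrusted, KEYS, TRUSTED),
        "forged": verify(forged, KEYS, TRUSTED),
        "no mac": verify(build_header(4, 2, tx_time), KEYS, TRUSTED),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>16}: {'accept' if ok else 'reject'}")
```

The MAC covers the whole header, so a spoofed stratum or transmit time fails verification; what it does not provide is replay protection or confidentiality, and MD5 keyed this way is far from modern, so the access-group filters on slide 38 and a short list of servers remain necessary alongside the keys.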
