Learn about the importance of router logging and how to review logs, as well as how to secure vulnerable services on a router.
Network Security
Business Information & Engineering Technologies
Accessing the WAN - Chapter 4: Part 2
Modified by Bill Bourgeois [from work by Cisco and Tony Chen (College of DuPage)]
January 2011
Logging Router Activity
• Logs allow verification that a router is operating properly.
• Routers support 8 levels of logging, ranging from 0 (emergencies, indicating that the system is unstable) to 7 (debugging messages).
• Logs must be reviewed regularly.
• Logs can be forwarded to a variety of locations:
  • Router memory
  • Syslog server
• A syslog server provides a better solution, since all network devices can forward their logs to one central station where an administrator can review them.
• An example of a syslog server is the Kiwi Syslog Daemon (installed on Collin College Cisco lab computers).
• The eight different logging levels:
  • 0—emergencies
  • 1—alerts
  • 2—critical
  • 3—errors
  • 4—warnings
  • 5—notification
  • 6—informational
  • 7—debugging
Logging Router Activity
R2(config)#logging ?
  Hostname or A.B.C.D  IP address of the logging host
  .
  ---------- Output Omitted --------------
  .
  trap                 Set syslog server logging level

Accurate time stamps are important to logging.
R2(config)#service timestamps ?
  debug  Timestamp debug message
  log    Timestamp log messages
  <cr>
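The severity levels and timestamps above are what a reviewer works from when logs land on a syslog server. As an added example (not part of the original slides), the Python below parses Cisco-style syslog lines (%FACILITY-SEVERITY-MNEMONIC), picks out the events at warning level or worse, and flags events whose time cannot be trusted because timestamps are missing or the router clock was not authoritative; the sample messages are constructed, not captured from a real device.

```python
"""Review Cisco IOS syslog output: parse the %FACILITY-SEVERITY-MNEMONIC marker,
map the severity digit to its name, and flag events that need attention."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity levels as numbered by the Cisco IOS logging subsystem (0 = emergencies ... 7 = debugging).
LEVEL_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notification", 6: "informational", 7: "debugging",
}

# Message layout as it arrives at a syslog server:
#   <PRI>seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: text
# PRI, sequence number and timestamp are optional (they depend on
# "service sequence-numbers" and "service timestamps log ..." being configured).
MSG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>\*?[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?(?: [A-Z]{3,4})?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)


@dataclass
class LogEvent:
    facility: str
    severity: int
    mnemonic: str
    text: str
    timestamp: Optional[str]   # None when "service timestamps log" is not configured
    clock_synced: bool         # IOS prefixes the timestamp with '*' when the clock is not authoritative

    @property
    def level_name(self) -> str:
        return LEVEL_NAMES[self.severity]


def parse_message(line: str) -> Optional[LogEvent]:
    """Return a LogEvent for a Cisco-style syslog line, or None for unrelated text."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    ts = m.group("ts")
    return LogEvent(
        facility=m.group("facility"),
        severity=int(m.group("severity")),
        mnemonic=m.group("mnemonic"),
        text=m.group("text"),
        timestamp=ts.lstrip("*") if ts else None,
        clock_synced=bool(ts) and not ts.startswith("*"),
    )


def review(lines: List[str], threshold: int = 4) -> List[LogEvent]:
    """Events at or below 'threshold' (warnings and worse by default), in arrival order.
    Lower numbers are more severe, so the comparison is <=."""
    events = [e for e in (parse_message(l) for l in lines) if e is not None]
    return [e for e in events if e.severity <= threshold]


def untrustworthy_timestamps(lines: List[str]) -> List[LogEvent]:
    """Events whose time cannot be relied on: no timestamp at all, or a '*' clock."""
    events = [e for e in (parse_message(l) for l in lines) if e is not None]
    return [e for e in events if e.timestamp is None or not e.clock_synced]


# Constructed sample messages (not captured from a real device).
SAMPLE_LOG = [
    "<189>45: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "<187>46: Jan  5 09:15:01.123 UTC: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down",
    "<188>47: Jan  5 09:15:05.900 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22]",
    "%SYS-6-LOGOUT: User admin has exited tty session 1(10.0.0.5)",
    "R2#show logging",
]

if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        print(f"{e.severity}/{e.level_name:<13} {e.facility}-{e.mnemonic}: {e.text}")
    for e in untrustworthy_timestamps(SAMPLE_LOG):
        print("check clock/timestamps:", e.mnemonic, e.timestamp)
```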
Vulnerable Router Services and Interfaces
• Cisco routers support a large number of network services at layers 2, 3, 4, and 7.
• Some of these services are application layer protocols.
• Some are automatic processes and settings intended to support legacy configurations, and may pose security risks in today's environment.
• Some of these services can be restricted or disabled to improve security without degrading the operational use of the router.
• Most of the services listed in this section are usually not required.
• Note: Cisco Discovery Protocol (CDP) is leveraged in some IP Phone implementations. This must be considered before broadly disabling the service.
Vulnerable Router Services and Interfaces
• Services which possibly should be disabled are:
  • Cisco Discovery Protocol (CDP) - Use the no cdp run command (if not used by IP telephony).
  • Source routing - Use the no ip source-route command.
  • Classless routing - Use the no ip classless command.
  • Small services such as echo, discard, and chargen - Use the no service tcp-small-servers or no service udp-small-servers command.
  • Finger - Use the no service finger command.
  • BOOTP - Use the no ip bootp server command.
  • HTTP - Use the no ip http server command.
  • Remote configuration - Use the no service config command.
  • SNMP - Use the no snmp-server command.
Vulnerable Router Services and Interfaces
• The interfaces on the router can be made more secure by using certain commands in interface configuration mode:
  • Unused interfaces - Use the shutdown command.
  • Ad hoc routing - Use the no ip proxy-arp command.
  • No SMURF attacks - Use the no ip directed-broadcast command.
• Note: ip directed-broadcast is disabled by default on IOS 12.0 and later.
Vulnerable Router Services and Interfaces
SNMP
• SNMP is the Internet protocol for automated remote monitoring and administration.
• Versions of SNMP prior to version 3 shuttle information in clear text.
NTP
• Cisco routers and other hosts use NTP to keep their time-of-day clocks accurate.
• If an NTP hierarchy is not available on the network, disable NTP.
• Disabling NTP on an interface does not prevent NTP messages from traversing the router. To reject all NTP messages at a particular interface, use an access list.
DNS
• Cisco IOS software supports looking up hostnames with the DNS.
• The basic DNS protocol offers no authentication or integrity assurance.
• By default, name queries are sent to the broadcast address 255.255.255.255.
• If one or more name servers are available on the network, and it is desirable to use names in Cisco IOS commands, explicitly set the name server addresses using the global configuration command “ip name-server <addresses>”.
• Otherwise, turn off DNS name resolution with the command “no ip domain-lookup”.
Securing Routing Protocols
• Routing systems can be attacked in 2 ways:
  • Disruption of peers - the less critical of the two attacks, because routing protocols heal themselves.
  • Falsification of routing information - falsified routing information may be used to cause systems to misinform each other, cause a DoS, or cause traffic to follow a path it would not normally follow.
• The possible consequences of falsifying routing information are:
  • Redirect traffic to create routing loops
  • Redirect traffic so it can be monitored on an insecure link
  • Redirect traffic to discard it
Securing Routing Protocols
• Attacking the routing protocols and injecting false information is a way to attack the routing system.
• The attacker injects false routing information destined to router R1 only, indicating that R3 is the preferred destination to the 192.168.10.10/32 host route.
• Although R1 has a routing table entry to the directly connected 192.168.10.0/24 network, it will add the injected route to its routing table because of the longer subnet mask.
• When PC3 sends a packet to PC1 (192.168.10.10), R1 will not forward the packet to the PC1 host. It will route the packet to router R3, because the best path to 192.168.10.10/32 is through R3.
• When R3 gets the packet, it will look in its routing table and forward the packet back to R1, which creates the loop.
Securing Routing Protocols
• To protect routing information on the network, authenticate routing update packets using MD5.
• MD5 allows the routers to compare signatures that should all be the same. The three components of such a system include:
  1. Encryption algorithm, which is public knowledge
  2. Key used in the encryption algorithm, which is a secret shared by the routers authenticating their packets
  3. Contents of the packet itself
• The originator of the routing information produces a signature using the key and the routing data it is about to send as inputs to the encryption algorithm.
• The routers receiving this data can then repeat the process using the same key, the same algorithm, and the routing data they have received.
• If the signature the receiver computes is the same as the signature the sender computes, the update is authenticated.
• RIPv2, EIGRP, OSPF, IS-IS, and BGP all support various forms of MD5 authentication.
Securing Routing Protocols
RIPv2 with Routing Protocol Authentication
• To secure routing updates, each router must be configured to support authentication. The steps to secure RIPv2 updates are as follows:
  • Prevent RIP routing update propagation on selected interfaces
  • Prevent processing of bogus RIP updates
  • Verify the operation of RIP routing
Preventing RIP Routing Update Propagation
• Prevents an intruder listening on the network from receiving updates.
• Force all interfaces on the router into passive mode, and then bring up only those interfaces that are required for sending and receiving RIP updates. An interface in passive mode receives updates but does not send updates.
• The passive-interface default command disables routing advertisements on all interfaces.
• The no passive-interface s0/0/0 command enables the S0/0/0 interface to send and receive RIP updates.
Securing Routing Protocols
Preventing Processing of Bogus RIP Updates
• The intruder is prevented from intercepting RIP updates because MD5 authentication has been enabled on the routers.
• The example commands create a key chain named RIP_KEY. Key 1 is configured to contain a key string called cisco.
• The key string is similar to a password, and routers exchanging authentication keys must be configured with the same key string.
• Interface S0/0/0 is configured to support MD5 authentication.
• The RIP_KEY chain and the routing update are processed using the MD5 algorithm to produce a unique signature.
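The signature mechanism described two slides back (shared key + update contents -> digest, recomputed by the receiver) and the RIP_KEY / cisco key chain on this slide, as an added Python illustration that is not Cisco code: it shows why an altered update, a mismatching key string, or an unknown key ID is discarded. The serialisation of the update and the constructed route lists are this example's own; RIPv2's actual wire layout (RFC 2082 authentication entry and trailer) is not reproduced.

```python
"""Keyed-MD5 authentication of a routing update, illustrating the mechanism
the slides describe: sender and receiver each compute MD5 over
(shared key || routing data) and compare the results."""
import hashlib
import hmac  # only compare_digest is used, for a constant-time comparison
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, int, int]  # (prefix, prefix length, metric)

# Key chain as on the slide: chain RIP_KEY, key 1, key-string cisco.
RIP_KEY: Dict[int, bytes] = {1: b"cisco"}


def serialize(routes: List[Route]) -> bytes:
    """Canonical byte form of the update (this example's own format); both ends
    must serialise identically or the digests will never match."""
    return "\n".join(f"{p}/{l} {m}" for p, l, m in routes).encode()


def sign_update(routes: List[Route], key_id: int,
                chain: Dict[int, bytes] = RIP_KEY) -> bytes:
    """Sender side: digest over (secret key || routing data)."""
    return hashlib.md5(chain[key_id] + serialize(routes)).digest()


def verify_update(routes: List[Route], key_id: int, signature: bytes,
                  chain: Dict[int, bytes] = RIP_KEY) -> bool:
    """Receiver side: recompute with its own copy of the key and compare.
    An unknown key ID or a different key string both fail."""
    if key_id not in chain:
        return False
    expected = hashlib.md5(chain[key_id] + serialize(routes)).digest()
    return hmac.compare_digest(expected, signature)


def receive_update(routes: List[Route], key_id: int, signature: bytes,
                   chain: Dict[int, bytes] = RIP_KEY) -> Optional[List[Route]]:
    """Routes to install, or None when the update is discarded as unauthenticated."""
    return list(routes) if verify_update(routes, key_id, signature, chain) else None


# Constructed scenario from the slides: R3 advertises its LAN; a bogus host
# route for 192.168.10.10/32 is the injection the earlier slide warns about.
R3_UPDATE: List[Route] = [("192.168.30.0", 24, 1)]
BOGUS_UPDATE: List[Route] = R3_UPDATE + [("192.168.10.10", 32, 1)]

if __name__ == "__main__":
    sig = sign_update(R3_UPDATE, 1)
    print("genuine update accepted:", receive_update(R3_UPDATE, 1, sig))
    # Same signature, altered contents: the digest no longer matches.
    print("altered update accepted:", receive_update(BOGUS_UPDATE, 1, sig))
    # Receiver configured with a different key string: never matches.
    print("wrong key string accepted:", receive_update(R3_UPDATE, 1, sig, {1: b"Cisco"}))
```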
Securing Routing Protocols
Verify the Operation of RIP Routing
• The output of the show ip route command confirms that router R1 has authenticated with the other routers and has been able to acquire the routes from routers R2 and R3.
Securing Routing Protocols
EIGRP
• The steps to configure EIGRP routing protocol authentication on router R1 are as follows:
  • Create a key chain to be used by all routers in the network: create a key chain named EIGRP_KEY, with a key number of 1 and a key string of cisco.
  • Enable MD5 authentication in EIGRP packets traversing an interface.
OSPF
• The figure shows the commands used to configure routing protocol authentication for OSPF on router R1 on interface S0/0/0.
• The first command specifies the key that will be used for MD5 authentication. The next command enables MD5 authentication.
Locking Down a Router with Cisco auto secure
• Cisco auto secure uses a single command to disable non-essential system processes and services, eliminating potential security threats.
• Configure auto secure in privileged EXEC mode using the auto secure command in one of two modes:
  • Interactive mode - This mode prompts for options to enable and disable services and other security features. This is the default mode.
  • Non-interactive mode - This mode automatically executes the auto secure command with the recommended Cisco default settings. This mode is enabled with the no-interact command option.
Tony Chen COD Cisco Networking Academy
Locking Down a Router with Cisco Auto Secure
• Cisco AutoSecure will ask for a number of items:
  • Interface specifics
  • Banners
  • Passwords
  • SSH
  • IOS firewall features

Router#auto secure ?
  firewall       AutoSecure Firewall
  forwarding     Secure Forwarding Plane
  full           Interactive full session of AutoSecure
  login          AutoSecure Login
  management     Secure Management Plane
  no-interact    Non-interactive session of AutoSecure
  ntp            AutoSecure NTP
  ssh            AutoSecure SSH
  tcp-intercept  AutoSecure TCP Intercept
  <cr>
Locking Down a Router with Cisco Auto Secure
R2#show auto secure config
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
.
---------- Output Omitted --------------
.
ip verify unicast source reachable-via rx allow-default 100
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept drop-mode random
ip tcp intercept watch-timeout 15
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 450
What is Cisco SDM?
• The Cisco Router and Security Device Manager (SDM) is a web-based device-management tool designed for configuring LAN, WAN, and security features on Cisco IOS software-based routers.
• Provides easy-to-use smart wizards.
• Automates router security management.
• Assists through comprehensive online help.
• Cisco SDM ships preinstalled by default on all new Cisco Integrated Services Routers.
• If not preinstalled, it must be installed.
• If SDM is pre-installed, Cisco recommends using Cisco SDM to perform the initial configuration.
• SDM files can be installed on a router, a PC, or both.
• An advantage of installing SDM on the PC is that it saves router memory, and allows SDM to manage other routers on the network.
Cisco SDM Features • Cisco SDM simplifies router and security configuration through the use of intelligent wizards to enable efficient configuration of key router VPN and Cisco IOS firewall parameters. • Cisco SDM smart wizards • guide users step-by-step through router and security configuration workflow by systematically configuring LAN and WAN interfaces, firewall, IPS, and VPNs. • intelligently detects incorrect configurations and proposes fixes, such as allowing DHCP traffic through a firewall if the WAN interface is DHCP-addressed. • Online help embedded within Cisco SDM contains appropriate background information.
Configuring a Router to Support SDM • Before installing SDM on an operational router, ensure that a few configuration settings are present in the router configuration file. • Access the router's CLI interface using Telnet/SSH or the console connection • Enable the HTTP and HTTPS servers on the router • Create a user account defined with privilege level 15 (enable privileges). • Configure SSH and Telnet for local login and privilege level 15.
Starting Cisco SDM • To launch the Cisco SDM use the HTTPS protocol and put the IP address of the router into the browser. • The figure shows the browser with an address of https://198.162.20.1 and the launch page for Cisco SDM. • The http:// prefix can be used if SSL is not available.
Starting Cisco SDM
• When the username and password dialog box appears (not shown), enter a username and password for the privileged (privilege level 15) account on the router.
• After the launch page appears, a signed Cisco SDM Java applet appears, which must remain open while Cisco SDM is running.
• Because it is a signed Cisco SDM Java applet, a prompt to accept a certificate may appear.
Cisco SDM Home Page Overview • After logging in, the Overview page displays • the router model, • total amount of memory, • the versions of flash, IOS, and SDM, • the hardware installed, • a summary of security features, such as firewall status and the number of active VPN connections.
Cisco SDM Home Page Overview
• It provides basic information:
  • Menu bar - The top of the screen has a typical menu bar with File, Edit, View, Tools, and Help.
  • Tool bar - Below the menu bar, it has the SDM wizards and modes which may be selected.
  • Router information - The current mode is displayed on the left side under the tool bar.
  • Configuration overview - Summarizes the configuration settings.
Locking Down a Router with Cisco SDM • The one-step lockdown wizard is accessed from the Configure GUI interface by clicking the Security Audit task. • The Cisco SDM one-step lockdown wizard implements almost all of the security configurations that Cisco AutoSecure offers. • Do not assume that the network is secure simply because a one-step lockdown was done. • Not all the features of Cisco AutoSecure are implemented in Cisco SDM.
Locking Down a Router with Cisco SDM
• The following features are not implemented in this version of Cisco SDM:
  • Disabling NTP—Based on input, AutoSecure will disable the Network Time Protocol (NTP) if it is not necessary. Otherwise, NTP will be configured with MD5 authentication. Cisco SDM does not support disabling NTP.
  • Configuring AAA—If the Authentication, Authorization, and Accounting (AAA) service is not configured, AutoSecure configures local AAA and prompts for configuration of a local username and password database on the router. Cisco SDM does not support AAA configuration.
  • Setting SPD Values—Cisco SDM does not set Selective Packet Discard (SPD) values.
  • Enabling TCP Intercepts (SYN flood DoS protection)—Cisco SDM does not enable TCP intercepts.
  • Configuring anti-spoofing ACLs on outside interfaces—AutoSecure creates three named access lists used to block spoofed source addresses. Cisco SDM does not configure these ACLs.
• AutoSecure Features Implemented Differently in Cisco SDM
  • Disable SNMP: Cisco SDM will disable SNMP, but unlike AutoSecure, it does not provide an option for configuring SNMP version 3.
  • Enable SSH for Access to the Router: Cisco SDM will enable and configure SSH on crypto Cisco IOS images, but unlike AutoSecure, it will not enable Service Control Point (SCP) or disable other access and file transfer services, such as FTP.
Maintaining Cisco IOS Software Images • There are certain guidelines that must be followed when changing the Cisco IOS software on a router. • Updates: An update replaces one release with another without upgrading the feature set. • The software might be updated to fix a bug • Updates are free. • Upgrades: An upgrade replaces a release with one that has an upgraded feature set. • Software is upgraded to add new features or technologies • Upgrades are not free. • It is not always a good idea to upgrade to the latest version of IOS software. Many times that release is not stable. • Cisco recommends a four-phase migration process to simplify network operations and management. • Plan - Set goals, identify resources, profile network hardware and software, and create a schedule for migrating to new releases. • Design - Choose new Cisco IOS releases. • Implement - Schedule and execute the migration. • Operate - Monitor the migration progress and make backup copies of images that are running on the network.
Maintaining Cisco IOS Software Images
• There are a number of tools available on Cisco.com to aid in migrating Cisco IOS software.
• The following tools do not require a Cisco.com login:
  • Cisco IOS Reference Guide - Covers the basics of the Cisco IOS software family
  • Cisco IOS software technical documents - Documentation for each release of Cisco IOS software
  • Cisco Feature Navigator - Finds releases that support a set of software features and hardware, and compares releases
• The following tools require valid Cisco.com login accounts:
  • Download Software - Cisco IOS software downloads
  • Bug Toolkit - Searches for known software fixes based on software version, feature set, and keywords
  • Software Advisor - Compares releases, matches Cisco IOS software and Cisco Catalyst OS features to releases, and finds out which software release supports a given hardware device
  • Cisco IOS Upgrade Planner - Finds releases by hardware, release, and feature set, and downloads images of Cisco IOS software
• See: http://www.cisco.com/en/US/support/tsd_most_requested_tools.html
Cisco IOS File Systems and Devices
• Cisco IOS devices provide a feature called the Cisco IOS Integrated File System (IFS).
• The directories available depend on the platform.
• The show file systems command lists all file systems.
• It provides information such as the amount of available and free memory, the type of file system and its permissions.
• Permissions include read only (ro), write only (wo), and read and write (rw).
• See for discussion of “opaque”
Cisco IOS File Systems and Devices
Flash
• The flash file system which has an asterisk preceding it indicates that this is the current default file system.
• The pound symbol (#) appended to the flash listing (on the previous chart) indicates that this is a bootable disk. It contains the file of the current IOS running in RAM.
NVRAM
• To change the file system use the cd command.
• The pwd command displays the working directory.
• The dir command lists the contents of NVRAM.
• NVRAM contains the startup-configuration file.
URL Prefixes for Cisco Devices • Administrators do not have visual cues when working at a router CLI. • File locations are specified in Cisco IFS using the URL convention. • The URLs used by Cisco IOS platforms look similar to the format from the web. • The TFTP example in the figure is: tftp://192.168.20.254/configs/backup-configs. • The expression "tftp:" is called the prefix. The browser will use tftp protocol vice http. • Everything after the double-slash (//) defines the location. • 192.168.20.254 is the location of the TFTP server. • "configs" is the master directory. • "backup-configs" is the filename.
Commands for Managing Configuration Files • The copy command is used to move files from one device to another, such as RAM, NVRAM, or a TFTP server. • Copy the running configuration from RAM to the startup configuration in NVRAM: • R2# copy running-config startup-config • R2# copy system:running-config nvram:startup-config • Copy running configuration from RAM to a remote location: • R2# copy running-config tftp: • R2# copy system:running-config tftp:
Commands for Managing Configuration Files
• Copy configuration from a remote TFTP server to the running configuration:
  • R2# copy tftp: running-config
  • R2# copy tftp: system:running-config
• Copy configuration from a remote TFTP server to the startup configuration:
  • R2# copy tftp: startup-config
  • R2# copy tftp: nvram:startup-config
Cisco IOS File Naming Conventions
• The IOS image file is based on a special naming convention. The name for the Cisco IOS image file contains multiple parts, each with a specific meaning.
• The first part, c1841, identifies the platform on which the image runs. In this example, it is a Cisco 1841.
• The second part, ipbase, specifies the feature set. In this case, "ipbase" refers to the basic IP internetworking image. Other feature set possibilities:
  • i - Designates the IP feature set
  • j - Designates the enterprise feature set (all protocols)
  • s - Designates a PLUS feature set
  • 56i - Designates 56-bit IPsec DES encryption
  • 3 - Designates the firewall/IDS
  • k2 - Designates the 3DES IPsec encryption (168 bit)
• The third part, mz, indicates where the image runs and if the file is compressed. For example, "mz" indicates that the file runs from RAM and is compressed.
• The fourth part, 12.3-14.T7, is the version number.
• The final part, bin, is the file extension. The .bin extension indicates that this is a binary executable file.
• Examples:
  • c2691-adventerprisek9_sna-mz.124-13b.bin
  • c2600-ik9s-mz.122-40a.bin
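The naming convention above, decoded by an added Python example (not Cisco tooling): it splits an image filename into platform, feature set, run location, version and extension, and reports whether the image is a crypto image, which matters because SSH is only configurable on crypto IOS images (see the SDM lockdown slide). The single-letter designators are the slide's own plus k9 (strong crypto); the named feature sets (ipbase, adventerprisek9, ...) and the m/f/r and z/x run-location letters are Cisco's published designators, included as an assumption beyond the slide, and the c1841 filename is constructed from the slide's parts.

```python
"""Decode a Cisco IOS image filename: platform-featureset-runtime.version.bin"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

NAME_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-"                       # c1841, c2691, c2600
    r"(?P<features>[a-z0-9_]+)-"                       # ipbase, ik9s, adventerprisek9_sna
    r"(?P<runtime>[a-z]{2})\."                         # mz
    r"(?P<version>\d{3}-\d+[a-z]?(?:\.[A-Z]+\d*)?)\."  # 124-13b, 123-14.T7
    r"(?P<ext>bin)$"
)

FEATURE_CODES: Dict[str, str] = {  # designators from the slide, plus k9
    "i": "IP feature set",
    "j": "enterprise feature set (all protocols)",
    "s": "PLUS feature set",
    "56i": "56-bit IPsec DES encryption",
    "3": "firewall/IDS",
    "k2": "3DES IPsec encryption (168 bit)",
    "k9": "strong cryptography (3DES/AES)",
}
CRYPTO_CODES = {"56i", "k2", "k9"}

NAMED_SETS: Dict[str, str] = {  # 12.3T-style packaging names (assumption beyond the slide)
    "ipbase": "IP Base", "ipvoice": "IP Voice",
    "advsecurityk9": "Advanced Security", "advipservicesk9": "Advanced IP Services",
    "adventerprisek9": "Advanced Enterprise Services", "spservicesk9": "SP Services",
    "entbasek9": "Enterprise Base", "entservicesk9": "Enterprise Services",
}
RUN_LOCATION = {"m": "RAM", "f": "flash", "r": "ROM"}          # assumption beyond the slide
COMPRESSION = {"z": "zip compressed", "x": "mzip compressed"}  # assumption beyond the slide


@dataclass
class ImageInfo:
    platform: str
    feature_set: str
    features: List[str]
    crypto: bool        # image carries a crypto feature set (needed for SSH/IPsec)
    runs_from: str
    compression: str
    version: str        # 124-13b -> 12.4(13b)
    extension: str


def decode_codes(codes: str) -> List[str]:
    """Greedy longest-match split of letter designators, e.g. ik9s -> [i, k9, s]."""
    out, i = [], 0
    while i < len(codes):
        for width in (3, 2, 1):
            tok = codes[i:i + width]
            if tok in FEATURE_CODES:
                out.append(tok)
                i += width
                break
        else:
            out.append(codes[i])  # unknown designator, kept verbatim
            i += 1
    return out


def pretty_version(v: str) -> str:
    """124-13b -> 12.4(13b); 123-14.T7 -> 12.3(14)T7."""
    base, _, rest = v.partition("-")
    maint, _, train = rest.partition(".")
    return f"{base[:2]}.{base[2:]}({maint}){train}"


def parse_image_name(name: str) -> Optional[ImageInfo]:
    """Return the decoded parts, or None if the name does not follow the convention."""
    m = NAME_RE.match(name)
    if not m:
        return None
    base, *addons = m.group("features").split("_")
    if base in NAMED_SETS:
        features = [NAMED_SETS[base]] + [f"add-on: {a}" for a in addons]
        crypto = base.endswith("k9")
    else:
        codes = decode_codes(base)
        features = [FEATURE_CODES.get(c, f"unknown designator '{c}'") for c in codes]
        crypto = any(c in CRYPTO_CODES for c in codes)
    loc, comp = m.group("runtime")
    return ImageInfo(
        platform=m.group("platform"), feature_set=m.group("features"),
        features=features, crypto=crypto,
        runs_from=RUN_LOCATION.get(loc, f"unknown '{loc}'"),
        compression=COMPRESSION.get(comp, f"unknown '{comp}'"),
        version=pretty_version(m.group("version")), extension=m.group("ext"),
    )


if __name__ == "__main__":
    for n in ("c2691-adventerprisek9_sna-mz.124-13b.bin", "c2600-ik9s-mz.122-40a.bin"):
        print(parse_image_name(n))
```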
IOS Resilient Configuration
• A newer Cisco IOS software feature, resilient configuration, enables a router to secure and maintain a working copy of the running operating system image and configuration, so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).
• This feature is available only on platforms that support a Personal Computer Memory Card International Association (PCMCIA) Advanced Technology Attachment (ATA) disk.
• See: Cisco IOS Resilient Configuration
Using TFTP Servers to Manage IOS Images • Retain a backup copy of the IOS image in case the image on the router becomes corrupted or accidentally erased. • A network TFTP server allows image and configuration uploads and downloads over the network. • TFTP server can be another router or a workstation. • Before changing a Cisco IOS image on the router, complete the following: • Determine the memory required for the update. • Set up and test the file transfer capability. • Schedule the required downtime. • When ready to do the update: • Shut down all interfaces not needed to perform the update. • Back up the current operating system and the current configuration file to a TFTP server. • Load the update for either the operating system or the configuration file. • Test to confirm that the update works properly. If the tests are successful, re-enable the interfaces which were disabled.
Backing up IOS Software Images
• To copy an IOS software image from flash to the network TFTP server:
  • Ping the TFTP server to make sure it is accessible.
  • Verify that the TFTP server has sufficient disk space for the Cisco IOS image.
  • Use the show flash: command to determine:
    • Total amount of flash memory on the router
    • Amount of flash memory available
    • Names of all the files stored in the flash memory
Backing up IOS Software Images Copy current file from the router to TFTP server, using the copy flash: tftp: command. The command requires that the IP address of the remote host and the name of the source and destination system image files be entered. During the copy process, exclamation points (!) indicate the progress. Each exclamation point signifies that one UDP segment has successfully transferred.
Upgrade IOS Software Images • Upgrading a system to a newer version requires a different system image file to be loaded. • Use the copy tftp: flash: command to download the new image from the network TFTP server. • The command prompts for the IP address of the remote host and the name of the source and destination system image file. • After these entries are confirmed, the Erase flash: prompt appears. • Erase flash memory if there is not sufficient flash memory for more than one Cisco IOS image. If no free flash memory is available, the erase routine is required before new files can be copied. • Each exclamation point (!) means that one UDP segment has successfully transferred. • Note: Make sure that the Cisco IOS image loaded is appropriate for the router platform. If the wrong Cisco IOS image is loaded, the router could be made unbootable, requiring ROM monitor (ROMmon) intervention.
Using tftpdnld to Restore an IOS Image • When an IOS on a router is accidentally deleted from flash, the router is operational since the IOS is still running in RAM. • It is crucial that the router not be rebooted since it would not find a valid IOS in flash. • If the router is rebooted and can no longer load an IOS it boots into the ROMmon prompt by default. • The IOS on router R1 has accidentally been deleted from flash. The router has been rebooted and can no longer load an IOS. Follow the steps below to restore the IOS. • Connect the devices. • Connect the PC to the console port on the affected router. • Connect the TFTP server to the first Ethernet port on the router. • Configure it with a static IP address 192.168.1.1/24.
Using tftpdnld to Restore an IOS Image
• Set the ROMmon variables. The router boots into ROMmon mode since it does not have a valid Cisco IOS image.
• Enter all of the variables listed in the figure. Be aware of the following:
  • Variable names are case sensitive.
  • Do not include any spaces before or after the = symbol.
  • Navigational keys are not operational.
  • The IP addresses, subnet mask, and image name in the figure are only examples. The actual variables vary depending on the configuration.
Using tftpdnld to Restore an IOS Image
• Enter the tftpdnld command at the prompt.
• The command displays the required variables and warns that all existing data in flash will be erased. Type y to proceed, and press Enter.
• When connected, the download begins, as indicated by exclamation marks (!).
• Use the reset command to reload the router with the new Cisco IOS image.
• Using the tftpdnld command is a quick way to copy the image file via the first Ethernet interface.
Using xmodem to Restore an IOS Image
• Using Xmodem is another method for restoring a Cisco IOS image to a router.
• The file transfer is accomplished over the console cable and is very slow when compared to the tftpdnld command.
• To restore the IOS using Xmodem:
  • Connect the PC to the console port on the affected router.
  • Boot the router and issue the xmodem command at the ROMmon command prompt.
  • The command syntax is xmodem [-cyr] [filename].
  • The cyr option varies depending on the configuration. For instance, -c specifies CRC-16, y specifies the Ymodem protocol, and r copies the image to RAM.
Using xmodem to Restore an IOS Image
• The figure shows the process for sending a file using HyperTerminal.
• Select Transfer > Send File.
• Browse to the location of the IOS image to be transferred and choose the Xmodem protocol. Click Send.
• A dialog box appears displaying the status of the download. It takes several seconds before the host and the router begin transferring the information.
• The download time may be dramatically improved if the connection speed of HyperTerminal and the router is changed from 9600 b/s to 115000 b/s.
• When the transfer is complete, the router automatically reloads with the new Cisco IOS.
Troubleshooting Cisco IOS Configurations • Two important commands that are used in network administration • Show command • A show command lists the configured parameters and their values. • Use the show command to verify configurations. • Debug command • The debug command allows tracing the execution of a process. • Use the debug command to identify traffic flows through interfaces and router processes.
Using the show Command • The show command displays static information. • Use show commands when gathering facts for isolating problems in an internetwork, including problems with interfaces, nodes, media, servers, clients, or applications. • Use it frequently to confirm that configuration changes have been implemented. • When at the command prompt, type show ? for a list of available show commands for the level and current mode of operation.
Using the debug Command
• The debug command displays dynamic events.
• Use debug to check the flow of protocol traffic for problems, protocol bugs, or misconfigurations.
• By default, the router sends the output from debug commands to the console.
• Redirect debug output to a syslog server if desired.
• Debugging output is assigned high priority in the CPU process queue and can therefore interfere with normal production processes on a network.
• Use debug commands during quiet hours and only to troubleshoot specific problems.
• All debug commands are entered in privileged EXEC mode.
• To list a brief description of all the debugging command options, enter the debug ? command.
• To ensure that there are no lingering debugging operations running, use the no debug all or un all command.
Considerations when using the debug Command • Using debug commands to troubleshoot a lab network that lacks end-user application traffic obviously does not impact production networks. • Using debug commands on a production network that users depend on for data flow must be very carefully considered. Without proper precautions, the impact of a broadly focused debug command could have significant impact. • With proper, selective, and temporary use of debug commands, one can obtain potentially useful information without the need for a protocol analyzer or other third-party tool.
Commands Related to the debug Command
• To optimize the use of the debug command, these commands can help:
• The service timestamps command
  • is used to add a time stamp to a debug message.
  • This feature provides timing information about when debug elements occurred.
• The show processes command
  • displays the CPU use for each process.
  • This data can influence decisions about using a debug command if it indicates that the system is too heavily used for adding a debug command.
• The no debug all command
  • disables all debug commands.
  • This command can free up system resources after debugging is complete.
• The terminal monitor command
  • displays debug output and system error messages for the current terminal and session.
  • When Telneting to a device and a debug command is issued, the output is not seen unless this command is entered.