Pages

CCNA Security Chapter 2 - Securing Network Devices

Securing outgoing network traffic and scrutinizing (analyze) incoming traffic are critical aspects of network security. Securing the edge router, which connects to the outside network, is an important first step in securing the network.
Summary:
 - Secure the physical installation of and the administrative access to Cisco routers based on different network requirements using the CLI and CCP. (Many router services are enabled by default.  )
 - Configure administrative roles using privilege levels and role-based CLI.
 - Implement the management and reporting features of syslog, SNMP, SSH, and NTP.
 - Examine router configurations with the Security Audit feature of CCP, and make the router and network more secure by using the auto secure command or the One-Step Lockdown feature of CCP.
 - A hands-on lab for the chapter, Securing the Router for Administrative Access.
 - A Packet Tracer activity, Configure Cisco Routers for Syslog, NTP, and SSH Operations.

1) Securing the Edge router

1.1) Securing edge devices
Edge devices are routers, routing switches and a variety of metropolitan area network (MAN) and wide area network (WAN) access devices that provide entry points into enterprise or service provider core networks. Edge devices also provide connections into carrier and service provider networks.
The edge router is the last router between the internal network and an untrusted network such as the Internet.  All of an organization's Internet traffic goes through this edge router; therefore, it often functions as the first and last line of defense for a network.
The edge router implementation:
 - Single Router Approach (All security policies are configured on this device. SOHO)
 - Defense-in-Depth Approach (It passes all connections that are intended for the internal LAN to the firewall)
 - DMZ (demilitarized zone) Approach - can be used for servers that must be accessible from the Internet or some other external network.

Three areas of router security must be maintained:
 - Physical Security (UPS, secure locked room that is accessible only to authorized personnel)
 - Router Hardening (only authorized personnel have access, disable unused ports,services, interfaces)
 - Operating System Security (maximum amount of memory, latest stable version, keep a secure copy of IOS and config)

Administrative access is required for router management purposes:
 - Restrict device accessibility
 - Log and account for all access
 - Authenticate access (access is granted only to authenticated users, groups, and service)
 - Authorize actions (restrict the actions and views permitted by any particular user, group, or servic)
 - Present legal notification
 - Ensure the confidentiality of data

There are two ways to access a device for administrative purposes:
 - Local (console)
 - Remote (telnet, ssh, http, https, snmp, aux-modem)

1.2) Secure Administrative Access
Make passwords less easily discovered by intelligent guessing and cracking tools:
 - length of 10 or more characters,
R1(config)#security passwords min-length ?
  <0-16>  Minimum length of all user/enable passwords
 - complex password (a mix of uppercase and lowercase letters, numbers, symbols, and spaces),
 - passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, biographical information,
 - deliberately misspell a password (Security = 5ecur1ty),
 - change passwords often,
 - do not write passwords down and leave them in obvious places such as on the desk or monitor,
 - time out session
# exec-timeout <minutes> <second>
 - encrypt all passwords
 # service password-encryption
 # username name password password        <- low encryption  ( type 7)
 # username name secret password             < strong encryption ( MD5 )
On Cisco routers and many other systems, password-leading spaces are ignored, but spaces after the first character are not ignored. Therefore, one method to create a strong password is to use the space bar in the password and create a phrase made of many words. This is called a pass phrase.

Many access ports require passwords on a Cisco router, including the console port, auxiliary port, and virtual terminal connections.
Password management in a large network should be maintained using a central TACACS+ or RADIUS authentication server such as the Cisco Secure Access Control Server (ACS). A local username database is also recommended as backup if access to an authentication, authorization, and accounting (AAA) server is compromised.
- Enable Secret Password global configuration command restricts access to privileged EXEC mode. The enable secret password is always hashed inside the router configuration using a Message Digest 5 (MD5) hashing algorithm. If the enable secret password is lost or forgotten, it must be replaced using the Cisco router password recovery procedure.
- Console Line (by default, the console port does not require a password) use the line console 0 command followed by the login and password subcommands to require login and establish a login password on the console line.
- Virtual Terminal Lines (VTY) (by default, Cisco routers support up to five simultaneous vty (Telnet or SSH) sessions) are numbered from 0 through 4. Use the line vty 0 4 command followed by the login and password subcommands to require login and establish a login password on incoming Telnet sessions.
- Auxiliary Line (AUX) (by default, Cisco router auxiliary ports do not require a password for remote administrative access) administrators sometimes use this port to remotely configure and monitor the router using a dialup modem connection. To access the auxiliary line use the line aux 0 command. Use the login and password subcommands to require login and establish a login password on incoming connections.
By default, with the exception of the enable secret password, all Cisco router passwords are stored in plaintext within the router configuration. These passwords can be viewed with the show running-config command. Sniffers can also see these passwords if the TFTP server configuration files traverse an unsecured intranet or Internet connection. If an intruder gains access to the TFTP server where the router configuration files are stored, the intruder is able to obtain these passwords.

1.3) Virtual Login Security Enhancements:
 - Implement delays between successive login attempts.
 - Enable login shutdown if DoS attacks are suspected.
 - Generate system-logging messages for login detection.
Router# configure terminal
Router(config)# login block-for <1-65535> attempts <1-65535>  within <1-65535>
Router(config)# login quiet-mode access-class {acl-name | acl-number}
Router(config)# login delay seconds
Router(config)# login on-failure log [every login]
Router(config)# login on-success log [every login]
All login enhancement features are disabled by default. Commands to enable login enhancements:
1) login block-for
# login block-for <a_seconds> attempts <nr> within <b_seconds>
Block for a_seconds with nr auth attemps failswithin b_seconds.
Operates in two modes:
- Normal mode (watch mode) - The router keeps count of the number of failed login attempts within an identified amount of time.
 - Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied.
2) login quiet-mode access-class
# login quiet-mode access-class <ACL_name>
Command specifies an ACL is applied to the router when switched to Quiet-Mode and identifies hosts that are exempt from the Quiet-Mode failure time.
If not configured, all login requests will be denied during the Quiet-Mode.
3) login delay
login delay <seconds>
Helps mitigate dictionary attacks
This is an optional command. If not set, a default delay of one second is enforced after the login block-for command is configured.

The command auto secure enables message logging for failed login attempts. Logging successful login attempts is not enabled by default
login on-failure log [every login] generates logs for failed login requests.
login on-success log [every login] generates log messages for successful login requests.
The number of login attempts before a logging message is generated can be specified using the [every login] parameter. The default value is 1 attempt. The valid range is from 1 to 65,535.
As an alternative, the security authentication failure rate <threshold-rate> log command generates a log message when the login failure rate is exceeded.
The show login failures command displays more information regarding the failed attempts, such as the IP address from which the failed login attempts originated.


Banners are disabled by default and must be explicitly enabled. Use the banner command from global configuration mode to specify appropriate messages.
banner {exec | incoming | login | motd | slip-ppp} d message d
Tokens are optional and can be used within the message section of the banner command:
$(hostname)-Displays the host name for the router.
$(domain)-Displays the domain name for the router.
$(line)-Displays the vty or tty (asynchronous) line number.
$(line-desc)-Displays the description that is attached to the line.
1.4) Configure SSH
Four steps must be completed prior to configuring routers for the SSH protocol:
1) Cisco IOS Release > 12.1(1)T (the IPsec feature set support SSH)
2) Ensure that each of the target routers has a unique host name.
3) Ensure that each of the target routers is using the correct domain name of the network.
4) Ensure that the target routers are configured for local authentication or AAA services for username and password authentication. This is mandatory for a router-to-router SSH connection.

Configure:
1) Configure the IP domain name
# ip domain-name <domain-name>
2) Generate one-way secret keys
# crypto key generate rsa general-keys modulus <modulus-size (368-2048)>

CORP(config)#crypto key generate rsa
  The name for the keys will be: CORP.theccnas.com
  Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024


# show crypto key mypubkey rsa 
        ( verify RSA keys)
% Key pair was generated at: 00:24:45 UTC Apr 15 2013
Key name: R1.CCNA-Sec.com
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00BB8E0C 241DDAE3
  7994B461 B3D62D26 A6E7F980 B3C406A8 EAEEEBAF D6480CA7 8EC5A0BB E8675CFF
  22BEEB06 5016D1B6 3296B904 3007D48B 15582DA9 49F86F89 6B020301 0001
% Key pair was generated at: 00:24:47 UTC Apr 15 2013
Key name: R1.CCNA-Sec.com.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 008E52D8 5D3B60EE
  4A484C83 B8AEB54C CC392430 3D19024B 174EF16F AF06E359 E73B6EF2 E0570D11
  FB9672BA BEECBF6B BC976CFE 36D46D69 5AB471C6 DCFCEDE4 DD06B6A4 2110B69A
  91E0B00C 3D4AED06 90814CEA 05DD3DF7 A3D93131 0E291A17 05020301 0001
3) Verify or create a local database entry
# username <name> secret <secret>
4) Enable VTY inbound SSH sessions.
(config)# line vty 0 4
(config-line)# login local
(config-line)# transport input ssh

Optionally, SSH commands can be used to configure the following:
- SSH version               # ip ssh version 2
- SSH timeout period   # ip ssh time-out 60
- Number of authentication retries   # ip ssh auth-retries 3


2) Privelege levels
2.1) 16 level system (0-15)

Level 0: Predefined for user-level access privileges. Seldom (rarely) used, but includes five commands: disable, enable, exit, help, and logout.
Level 1: The default level for login with the router prompt Router>. A user cannot make any changes or view the running configuration file.
Levels 2 –14: May be customized for user-level privileges. Commands from lower levels may be moved up to another higher level, or commands from higher levels may be moved down to a lower level.
Level 15: Reserved for the enable mode privileges (enable command). Users can change configurations and view configuration files.

Router(config)# privilege <mode> {level level command | reset} command
There are two methods for assigning passwords to the different levels:
 - To the privilege level using the global configuration command enable secret level password.
 - To a user that is granted a specific privilege level, using the global configuration command username name privilege level secret password.
Level 10 automatically inherits all the commands from the lower levels.
privilege exec level 10 reload
username jr-admin privilege 10 secret cisco10
enable secret level 10 cisco10

2.2) Role-Based CLI
Advantages: Security, Availability, Operational Efficiency.
Role-based CLI provides three types of views:
- Root view
Root view has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user.
- CLI view
A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and, therefore, no higher or lower views
- Superview
A superview consists of one or more CLI views.
Commands cannot be configured for a specific superview.
Users logged in to a superview can access all commands specified within the associated CLI views.

Config:
R7>en view    !  Enable the root view
% AAA must be configured.
R7#conf t
R7(config)#aaa new-model
R7(config)#enable password 123456
R7(config)#exi
R7#disable

R7>en view
Password:    <- 123456
R7#conf t
R7(config)#parser view MONITOR
R7(config-view)#
*Sep  2 17:50:14.227: %PARSER-6-VIEW_CREATED: view 'MONITOR' successfully created.
R7(config-view)#command exec include show version
% Password not set for the view MONITOR
R7(config-view)#secret 0 1234567
R7(config-view)#command exec include show version
R7(config-view)#command exec include configure terminal
R7(config-view)#command exec include all show ip
R7(config-view)#exi
R7(config)#exi
R7#enable view MONITOR
Password:        <-  1234567
R7#?
Exec commands:
  configure  Enter configuration mode
  enable     Turn on privileged commands
  exit       Exit from the EXEC
  show       Show running system information
R7#
2.3) Monitoring and Managing devices
2.3.1) Securing IOS and configuration files
Cisco IOS Resilient Configuration
Example config - http://packetlife.net/blog/2010/oct/18/ios-resilient-configuration/
The Cisco IOS Resilient Configuration feature allows for faster recovery if someone reformats flash memory or erases the startup configuration file in NVRAM. This feature allows a router to withstand malicious attempts at erasing the files by securing the router image and maintaining a secure working copy of the running configuration. 
 
The configuration file in the primary bootset is a copy of the running configuration that was in the router when the feature was first enabled.
The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary Cisco IOS image file.
The feature automatically detects image or configuration version mismatch.
Only local storage is used for securing files, eliminating scalability maintenance challenges from storing multiple images and configurations on TFTP servers.
The feature can be disabled only through a console session.

Two global configurations commands are available to configure the Cisco IOS resilient configuration features:
(config)# secure boot-image    (Secure the running image)
(config)# secure boot-config   (Archive the startup configuration)
# show secure bootset
# secure boot-config restore filename(config)#secure boot-config restore flash:/test  - Restore the config to a file on flash.
(config)#no secure boot-config      - Disable boot config. Must be connected to the console
The secure boot-image command enables Cisco IOS image resilience. 
When enabled for the first time, the running Cisco IOS image is secured, and a log entry is generated. This feature can be disabled only through a console session using the no form of the command.

The configuration archive is hidden and cannot be viewed or removed directly from the CLI prompt.

Secured files do not appear in the output of a dir command that is issued from the CLI. This is because the Cisco IOS file system prevents secure files from being listed. Because the running image and running configuration archives are not visible in the dir command output, use the show secure bootset command to verify the existence of the archive. This step is important to verify that the Cisco IOS image and configuration files have been properly backed up and secured.

Cisco router password recovering procedure:
1) Connect to the console port.
2) Use the show version command to view and record the configuration register. (Configuration register is 0x2102).If there is no longer access to the router (because of a lost login or TACACS password), an administrator can safely assume that the configuration register is set to 0x2102.
3) Use the power switch to power cycle the router.
4) Issue the break sequence within 60 seconds of power up to put the router into ROMmon.
5) rommon 1> confreg 0x2142
6) rommon 2> reset
7) Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.
8) Router> enable
9) Router# copy startup-config running-config,  show running-config.
10) Router(config)# enable secret cisco
11) Router(config)# config-register 0x2102
12) Router# copy running-config startup-config

An administrator can mitigate this potential security breach by using the no service password-recovery.
If a router is configured with the no service password-recovery command, all access to ROMmon mode is disabled.

To recover a device after the no service password-recovery command is entered, initiate the break sequence within five seconds after the image decompresses during the boot. You are prompted to confirm the break key action. After the action is confirmed, the startup configuration is completely erased, the password recovery procedure is enabled, and the router boots with the factory default configuration. If you do not confirm the break action, the router boots normally with the no service password-recovery command enabled.

CAUTION: If the router flash memory does not contain a valid Cisco IOS image because of corruption or deletion, the ROMmon xmodem command cannot be used to load a new flash image. To repair the router, an administrator must obtain a new Cisco IOS image on a flash SIMM or on a PCMCIA card. Refer to Cisco.com for more information regarding backup flash images.

2.3.2) Securing IOS and configuration files
Several factors should be considered when implementing secure management. 
- configuration change management,
- automated logging and reporting of information from identified devices to management hosts.

Many applications and protocols are also available, such as SNMP, which is used in network management systems to monitor and make configuration changes to devices remotely.

When logging and managing information, the information flow between management hosts and the managed devices can take two paths:
- Out-of-band (OOB) - Information flows on a dedicated management network,
- In-band - Information flows across an enterprise production network, the Internet, or both using regular data channels.


Requirements that must be met if an administrator wants to maintain device configurations via secure in-band management:
 - network devices configured to accommodate SSH,
 - encryption of all remote access management traffic,
 - connection to network devices through a production network or the Internet.

Because the management network has administrative access to nearly every area of the network, it can be a very attractive target to hackers. To mitigate the threat of a compromised device, strong access control should be implemented at the firewall and at every other device. Additionally, management devices should be set up in a fashion that prevents direct communication with other hosts on the same management subnet, using separate LAN segments or VLANs.


2.3.3) Syslog
Implementing a router logging facility is an important part of any network security policy.
The router can send log messages to one or more of the following items:
 - Console - Console logging is on by default.
 - Terminal lines - Enabled EXEC sessions can be configured to receive log messages on any terminal lines. Similar to console logging, this type of logging is not stored by the router and, therefore, is only valuable to the user on that line.
 - Buffered logging - Buffered logging is a little more useful as a security tool because log messages are stored in router memory for a time. However, events are cleared whenever the router is rebooted.
 - SNMP traps - Certain thresholds can be preconfigured on routers and other devices. Router events, such as exceeding a threshold, can be processed by the router and forwarded as SNMP traps to an external SNMP server. SNMP traps are a viable security logging facility but require the configuration and maintenance of an SNMP system.
 - Syslog - Cisco routers can be configured to forward log messages to an external syslog service. This service can reside on any number of servers or workstations, including Microsoft Windows and UNIX-based systems. Syslog is the most popular message logging facility, because it provides long-term log storage capabilities and a central location for all router messages.

Cisco router log messages fall into one of eight levels. The lower the level number, the higher the severity level.

Syslog levels:
  <0-7>          Logging severity level
 emergencies    System is unusable                (severity=0)
 alerts         Immediate action needed           (severity=1)
 critical       Critical conditions               (severity=2)
 errors         Error conditions                  (severity=3)
 warnings       Warning conditions                (severity=4)
 notifications  Normal but significant conditions (severity=5)
 informational  Informational messages            (severity=6)
 debugging      Debugging messages                (severity=7)

Cisco router log messages contain three main parts:
Timestamp    |  Log message name and severity level  |  Message text
*Apr 15 10:57:35.695: %SYS-5-CONFIG_I: Configured from console by console

Syslog is the standard for logging system events:
 - Syslog servers - Also known as log hosts, these systems accept and process log messages from syslog clients.
 - Syslog clients - Routers or other types of equipment that generate and forward log messages to syslog servers.

Syslog questions:
What are the most important logs?
How are important messages separated from routine notifications?
How do you prevent tampering with logs?
How do you ensure the time stamps match?
What log data is needed in criminal investigations?
How do you deal with the volume of messages?
How do you manage all of the devices?
How can you track when attacks or network failures occur?

Configure syslog on Cisco device:
Router# configure terminal
Router(config)# service timestamps type datetime [msec] [localtime] [show-timezone]
R1(config)#service timestamps log datetime msec
R1(config)#service timestamps debug datetime msec

Router(config)# logging on
Router(config)# logging host <IP | hostname>
Router(config)# logging trap <level>
Router(config)# logging facility <facility-type>
Router(config)# logging source-interface <interface-type> <interface-number>
Router(config)# end
Router# show logging  

2.3.4) SNMP - Simple Network Management Protocol
SNMP was developed to manage nodes, such as servers, workstations, routers, switches, hubs, and security appliances, on an IP network. SNMP is an Application Layer protocol that facilitates the exchange of management information between network devices.
There are different versions of SNMP: 
- SNMP version 1 (SNMPv1), 
- SNMP version 2 (SNMPv2), 
- SNMP version 3 (SNMPv3). 
All three versions use managers (network management systems [NMSs]), agents (managed nodes), and Management Information Bases (MIBs).

SNMP traps (SNMP v1, in v2 - notifications) - asynchronous messages from devices.
Community strings- authentication messages between a management station and an SNMPv1 or SNMPv2 engine.
Read-write community strings can get and set information in an agent.
Set access is equivalent to having the enable password for a device.

By default, most SNMP systems use "public" as a community string.
It is extremely important that you create your own custom SNMP community strings. However, even if the community string is changed, the strings are sent in plaintext. 
This is a huge vulnerability of the SNMPv1 and SNMPv2 architecture. 
SNMPv3 authenticates and encrypts packets over the network to provide secure access to devices. 

SNMPv3 provides the following security features:
 - Message integrity: Ensures that a packet has not been tampered with in transit.
 - Authentication: Determines that the message is from a valid source.
 
 - Encryption: Scrambles the contents of a packet to prevent it from being seen by an unauthorized source. 
 - Access Control: Restricts each principal to certain actions on specific portions of data.

When enabling SNMP, it is important to consider the security model and the security level. 
1) The security model is an authentication strategy that is set up for a user and the group in which the user resides. 
  * Currently, Cisco IOS software supports three security models: SNMPv1, SNMPv2c, and SNMPv3. 
2) A security level is the permitted level of security within a security model. 
The security level is a type of security algorithm that is performed on each SNMP packet.
There are three security levels:
 
 - noAuth - Authenticates a packet by a string match of the username or community string. 
 - auth - Authenticates a packet by using either the Hashed Message Authentication Code (HMAC) with MD5 method or Secure Hash Algorithms (SHA) method. 
The HMAC method is described in RFC 2104, HMAC: Keyed-Hashing for Message Authentication.
 - priv - Authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using the Data Encryption Standard (DES), Triple DES (3DES), or Advanced Encryption Standard (AES) algorithms.

The combination of the model and level determines which security mechanism is employed when handling an SNMP packet. 

Only SNMPv3 supports the auth and priv security levels. 
However, CCP does not support configuration of SNMPv3.

http://blog.ine.com/2008/07/19/snmpv3-tutorial/
The new concepts are: user, group and security level.
A group -  defines the access policy for a set of users.
An access policy - defines which SNMP objects can be accessed for reading and writing or which SNMP objects can generate notifications to the members of a group.

The following security levels exits:
“noAuthNoPriv” (no authentiation and no encryption – noauth keyword in CLI),
“AuthNoPriv” (messages are authenticated but not encrypted – auth keyword in CLI),
“AuthPriv” (messages are authenticated and encrypted – priv keyword in CLI).

SNMPv1 and SNMPv2 models only support the “noAuthNoPriv” model since they use plain community string to match the incoming packets.
The SNMPv3 implementations could be configured to use either of the models on per-group basis (in case if “noAuthNoPriv” is configured, username serves as a replacement for community string).

Example config
access-list 99 permit 155.1.146.0 0.0.0.255
! Set ifIndexes persistent, for view definition is based on IfIndexes
snmp-server ifindex persist
snmp-server view NORMAL iso included
snmp-server view RESTRICTED ifEntry.*.3 included
!
snmp-server group NORMAL v3 priv read NORMAL write NORMAL       ! R/W large portion of the MIB tree
snmp-server group RESTRICTED v3 auth read RESTRICTED access 99  ! limited to Serial 0/0 and ACL=99
snmp-server group TRAP v3 priv                                  ! for sending traps
!
! Users, their passwords and encryption keys are defined now
!
! snmp-serv user <USER> <GROUP> <ver> <AUTH> <HMAC> <PASS> <ENCRY> <ALG-ENCRY> <PASS_PRIVACY>
snmp-server user NORMAL NORMAL   v3   auth    sha   CISCO  priv    des56       CISCO
snmp-server user RESTRICTED RESTRICTED v3 auth sha CISCO
snmp-server user TRAP TRAP v3 auth sha CISCO priv des56 CISCO
!
! Allow sending traps and configure a destination host.
snmp-server enable traps snmp linkup linkdown
snmp-server host 155.1.146.100 traps version 3 priv TRAP

Check
Rack1R6#show snmp user
Rack1R6#show snmp group
Rack1R6#show snmp view

SNMP TRAPS
There are two global configuration commands that you use to configure SNMP traps into a Cisco IOS device:
1) Traps are unreliable because the receiver does not send acknowledgments when this device receives traps.
The sender cannot determine if the traps were received.
snmp-server enable traps [notification-type] [notification-option]
! report only configuration, BGP and tty traps to Network Management System 10.10.10.10
snmp-server host 10.10.10.10 public config bgp tty
snmp-server enable traps config
snmp-server enable traps bgp 

2) Informs:An SNMP entity that receives an inform request acknowledges the message with an SNMP response protocol data unit (PDU).
If the sender never receives the response, the inform request can be sent again.
Therefore, informs are more likely to reach their intended destination.
snmp-server host host-addr [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]

!  send all inform requests to the host myhost.cisco.com using the community string public:
snmp-server enable traps
snmp-server host myhost.cisco.com informs version 

!  send all inform requests to the host myhost.cisco.com, authenticate a user by username (CISCO) and send clear text notification
snmp-server enable traps
snmp-server host myhost.cisco.com informs version 3 noauth CISCO



2.3.4) NTP - Network Time Protocol
Many things involved in the security of a network, such as security logs, depend on an accurate date and timestamp.
NTP is designed to synchronize the time on a network of machines.
NTP allows routers on the network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source have more consistent time settings.
When NTP is implemented in the network, it can be set up to synchronize to a private master clock, or it can synchronize to a publicly available NTP server on the Internet.
NTP uses UDP port 123 and is documented in RFC 1305.


The software and hardware clocks on a Cisco router can have different times and how we can synchronise them between each other.
The following two commands show the difference in time between the two clocks on our Cisco router:
R1# show clock
01:51:31.532 Athens Sun Apr 19 2009

R1# show calendar
01:51:42 Athens Sun Apr 19 2009
While the difference is minor, we want to keep everything in our network synchronised as precisely as possible.
Keep in mind that 'show clock' refers to the software clock and 'show calendar' refers to the hardware clock of your router.
ntp update-calendar - To periodically update the hardware clock (calendar) from a Network Time Protocol (NTP) time source, use the ntp update-calendar command in global configuration mode. To disable the periodic updates, use the no form of this command.

R1#show clock detail
*15:14:22.258 UTC Mon Apr 15 2013
Time source is hardware calendar

Configure Cisco device as authoritative  NTP server
Router(config)# ntp master <stratum>
The stratum number is the number of hops away from an authoritative source such as an atomic clock.
Allows the software clock to be synchronized by an NTP time server.
Router(config)# ntp server <IP | hostname> [version <number>] [key <keyid>] [source <interface>] [prefer]
Configures device to receive NTP broadcast messages on the interface.
Router(config-if)# ntp broadcast client
The time that a device keeps is critical; therefore, the security features of NTP should be used to avoid the accidental or malicious setting of incorrect times. There are two security mechanisms available:
 - ACL-based restriction scheme
 
- Encrypted authentication mechanism offered by NTP version 3 or later.
Use the following commands on both the NTP master and the NTP client:
ntp authenticate
ntp authentication-key key-number md5 key-value
ntp trusted-key key-number
show ntp associations detail
RT1#sh ntp associations
Load for five secs: 30%/27%; one minute: 30%; five minutes: 29%
Time source is NTP, 16:02:42.875 EET Fri Aug 17 2012
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~127.127.7.1      127.127.7.1       7    52    64  377     0.0    0.00     0.0
*~195.66.241.2     .PPS.             1   649  1024  377    57.0   -0.11     1.7
+~140.203.16.5     .GPS.             1   761  1024  377    81.8    0.83     1.2
-~129.69.1.153     .PPS.             1    23  1024  377    45.7   -2.10     1.1
+~131.188.3.220    .GPS.             1  1005  1024  377    92.2    3.56     0.9
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

RT1#sh ntp associations  detail
195.66.241.2 configured, our_master, sane, valid, stratum 1
ref ID .PPS., time D3D8BCE2.72AC1DF2 (15:51:46.447 EET Fri Aug 17 2012)
our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
root delay 0.00 msec, root disp 0.34, reach 377, sync dist 43.533
delay 57.02 msec, offset -0.1123 msec, dispersion 1.68
precision 2**19, version 3...

2.4) Using automated auditing features

2.4.1) Performing a security audit
Cisco routers are initially deployed with many services that are enabled by default. This is done for convenience and to simplify the configuration process required to get the device operational. 
However, some of these services can make the device vulnerable to attack if security is not enabled. 

Many practices help ensure a device is secure:
 - Disable unnecessary services and interfaces.

 -
Disable and restrict commonly configured management services, such as SNMP.
 -
Disable probes and scans, such as ICMP.
 -
Ensure terminal access security.
 -
Disable gratuitous and proxy Address Resolution Protocol (ARP).
 -
Disable IP-directed broadcasts.

Cisco Protocols and services default settings:
1)  CDP Cisco Discovery Protocol
Default: enabled
Description: CDP periodically advertises information between Cisco devices, such as the type of device and Cisco IOS version. Such information could be used to determine vulnerabilites and launch specific attachsl. Unless needed inside the network, this service should be disabled globally or disabled on unneccessary interfaces.
(config) no cdp run
(config-if) no cdp enable
2) Configuration autoloading
Default: Enabled (globally and interfaces)
Description: This service permits a router to automatically load a configuration file from a network server upon boot. This service should remain disabled when not needed
(config) no service config
3) FTP server
Default: Disabled
Description: This service permits the router to act as an FTP server for specific files in flash memory. It should remain disabled when not needed.
(config) no ftp-server enable
4) TFTP Server
Default: Disabled
Description: This service permits the router to act as a TFTP server for specific files in flash memory. It should remain disabled when not in use.
(config) no tftp-server file-sys:image-name
5) NTP service
Default: Disabled
Description: This service both receives a time-of-day clock from an NTP server and allows the router to act as an NTP server to NTP clients. Correct time is necessary for accurate time stamps when logging messages. This service should be disabled if not needed, or restricted to only devices that require NTP services.
(config) no ntp server ip-address
6) Packet assembler/disassembler (PAD) service
Default: enabled
Description: This service allows access to X.25 PAD commands in an X.25 network. Such a service is rarely needed in modern networks and should be disabled
(config) no service pad
7) TCP and User Datagram Protocol (UDP) minor services
Default: Enabled before 11.3, disabled after 11.3
Description: These services execute small servers (daemons) in the router, typically used for diagnostics. They are rarely used and should be disabled.
(config) no service tcp-small-servers
(config) no service udp-small-servers
8) Maintenance Operation Protocol (MOP) service
Default: Enabled (most ethernet interfaces)
Description: This service is a Digital Equipment Corporation (DEC) maintenance protocol. Such a service is rarely needed in modern networks and should be disabled.
(config-if) no mop enable
9) Simple Network Management Protocol (SNMP)
Default: Enabled
Description: This service permits the router to respond to queries and configuration requests. If not used, this service should be disabled. If needed, restrict access to the router via access controls lists (ACL) and use SNMPv3 for additional security features.
(config) no snmp-server enable
10) HTTP or HTTPS configuration and monitoring
Default: Device dependent
Description: This service allows the router to be monitored and configured from a web browser. SDM uses secure HTTP (HTTPS). If not used, this service should be disabled. If needed, restrict access to the router via ACLs and use HTTPS for encrypted data transfer.
(config) no ip http server
(config) no ip http secure-server   ! enables the HTTPS server , on default port 443
! HTTP authentication for login can be set using the command
ip http authentication [ enable | local | tacacs | aaa ]
! Set the HTTPS port number from the default value of 443, if required.
ip http secure-port  <port-number>
ip http secure-port  1024

11) Domain Name System (DNS)
Default: Enabled (client services)
Description: Cisco routers use 255.255.255.255 as the default address to reach a DNS server for name resolution. If not used, this service should be disabled. If needed, explicitly set the address of the DNS server.
(config) no ip domain-lookup
12) ICMP Redirects
Default: Enabled
Description: This service causes the router to send an ICMP redirect message when a packet is forwarded out the interface it arrived on. An attacker can use such information to redirect packets to an untrusted device. This service should be disabled when not needed.
If a host tries to send data through a router (R1) and R1 sends the data on another router (R2) and a direct path from the host to R2 is available (that is, the host and R2 are on the same Ethernet segment), then R1 will send a redirect message to inform the host that the best route for the destination is via R2. The host should then send packets for the destination directly to R2. 
(config) no ip icmp redirect
(config-if) no ip redirects
13) IP Source Routing
Default: Enabled
Description: This service allows the sender to control the route that a packet travels through a network. Such a service can permit an attacker to bypass the normal forwarding path and security mechanisms in a network. Because most network devices should not attempt to dictate their preferred path through the network, this service should be disabled.
(config)no ip source-route
14) Finger service
Default: Enabled
Description: The finger protocol (port 79) retrieves a list of users from a network device, which includes the line number, connection name, idle time and terminal location. Such information is also seen in the show users Cisco IOS command and can be used for reconnaissance attacks. This service should be disabled when not needed.
(config) no service finger
15) ICMP unreachable notification
Default: Enabled
Description: This service notifies a sender of invalid destination IP subnets or specific addresses. Such information can be used to map a network . This service should be disabled.
(config-if) no ip unreachables
16) ICMP mask reply
Default: Disabled
Description: This service sends the IP subnet mask when it is requested. Such information can be used to to map a network. This service should be disabled on interfaces to untrusted networks.
(config-if) no ip mask-reply
17) IP identification service
Default: Enabled
Description: The identification protocol (RFC 1413) reports the identity of the TCP connection initiator. Such information can be used in reconnaissance attacks. This service should be disabled.
(config) no ip identd
18) IP directed broadcasts
Default: Enabled (Enabled Cisco IOS prior to 12.0, disabled Cisco IOS later than 12.0)
Description: A directed broadcast can be used to probe or deny service to (via a DoS attack) an entire subnet. The directed broadcast packet is unicast until it reaches the router that is responsible for the segment. At that time, the packet becomes a broadcast for the specific segment. This service should be disabled.
(config-if) no ip directed-broadcast
19) TCP keepalives
Default: Disabled
Description: TCP keepalives help clean up TCP connections when a remote host has stopped processing TCP packets (such as after a reboot). This service should be enabled to help prevent certain DoS attacks.
(config) service tcp-keepalives-in
(config) service tcp-keepalives-out
20) Gratuitous ARP
Default: Enabled
Description: This service is the primary means used in ARP poisoning attacks. Unless needed, this service should be disabled.

Gratuitous ARP could mean both gratuitous ARP request or gratuitous ARP reply. Gratuitous in this case means a request/reply that is not normally needed according to the ARP specification (RFC 826) but could be used in some cases. A gratuitous ARP request is an AddressResolutionProtocol request packet where the source and destination IP are both set to the IP of the machine issuing the packet and the destination MAC is the broadcast address ff:ff:ff:ff:ff:ff. Ordinarily, no reply packet will occur. A gratuitous ARP reply is a reply to which no request has been made.

Gratuitous ARPs are useful for four reasons:
 - They can help detect IP conflicts.
 - They assist in the updating of other machines' ARP tables.
 - They inform switches of the MAC address of the machine on a given switch port.
 - Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts.
(config) no ip arp gratuitous
21) Proxy ARP
Default: Enabled
Description: This service permits the router to resolve layer 2 addresses. This feature is only useful if the router is acting as a layer 2 bridge. Because this is unlikely in modern networks, this service should be disabled.
(config) no ip arp proxy

Security audit tools
The three security audit tools that are available include:
  - Cisco AutoSecure (IOS CLI), introduced with IOS 12.3
  - Security Audit wizard (GUI CCP),
  - One-Step Lockdown (GUI CCP).

Both Security Audit wizard and One-Step Lockdown are based on the Cisco IOS AutoSecure feature.

1) Security Audit wizard - a security audit feature provided through CCP.
The Security Audit wizard provides a list of vulnerabilities and then allows the administrator to choose which potential security-related configuration changes to implement on a router.

The wizard compares a router configuration against recommended settings.
The Security Audit wizard compares a router configuration against recommended settings and performs the following:
 - Shuts down unneeded servers.
 - Disables unneeded services.
 - Applies the firewall to the outside interfaces.
 - Disables or hardens SNMP.
 - Shuts down unused interfaces.
 - Checks password strength.
 - Enforces the use of ACLs.

A security audit feature is available through the Cisco IOS CLI.
The autosecure command initiates a security audit and then allows for configuration changes. Based on the mode selected, configuration changes can be automatic or require network administrator input.
   * Interactive mode: prompts the user with options to enable and disable services and other security features
   * Non-interactive mode: automatically executes the Cisco AutoSecure command with the recommended Cisco default setting.
! auto secure INTERACTIVE
Router# auto secure full

! auto secure no-interact - recommended setting are set
Router# auto secure no-interact
!
*** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks ***
AutoSecure will modify the configuration of your device.
Some options to know that can be configured by Cisco AutoSecure:
- CBAC (Context-Based Access Control) - provides advanced traffic filtering functionality and can be used as an integral part of your network's firewall (based on application-layer protocol session information: SMTP, TFTP, Java, FTP, h323),
- security banner (motd),
- enable secret password.
2) One-Step Lockdown - a security audit feature provided through CCP. The One-Step Lockdown feature provides a list of vulnerabilities and then automatically makes all recommended security-related configuration changes.
Some three services does CCP One-Step Lockdown enable:
 - password encryption,
 - SSH access to the router,

 -

 firewall on all outside interfaces.


Cisco One-Step Lockdown disables:
Finger service
PAD service
TCP small servers service
UDP small servers service
IP BOOTP server service
IP identification service
Cisco Discovery Protocol
IP source route
IP GARPs
SNMP
IP redirects
IP proxy ARP
IP directed broadcast
MOP service
IP unreachables
IP mask reply
IP unreachables on null interface
Cisco One-Step Lockdown enables:
Password encryption service
TCP keepalives for inbound and outbound Telnet sessions
Sequence numbers and timestamps on debugs
Cisco Express Forwarding with integrated NetFlow switching
Unicast Reverse Path Forwarding (RPF) on outside interfaces
Firewall on all outside interfaces
SSH for access to the router
AAA
Cisco One-Step Lockdown configures:
Minimum password length to six characters
Authentication failure rate to less than three retries
TCP synwait time
Notification banner
Logging parameters
Enable secret password
Scheduler interval
Scheduler allocate
Users
Telnet settings
Access class on HTTP server service
Access class on vty lines
Security Audit recommended settings
Preparing commands for delivery...
Submitting 57 commands, please wait...
Configuration delivered to device.
Copying the Running config to Startup config of your router. Please wait...
Running config copied successfully to Startup Config of your router.
aaa new-model
aaa authorization exec local_author local
aaa authentication login local_authen local
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.10.10.10 0.0.0.255
access-list 1 deny any
line vty 0 4
 login authentication local_authen
 authorization exec local_author
 transport input telnet ssh
 exit
line con 0
 login authentication local_authen
 exec-timeout 10 0
 transport output telnet
 exit
line aux 0
 login authentication local_authen
 exec-timeout 10 0
 transport output telnet
 exit
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
no ip bootp server
no ip source-route
service sequence-numbers
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
scheduler allocate 4000 1000
ip http access-class 1
ip tcp synwait-time 10
no cdp run
security authentication failure rate 3 log
ip ssh time-out 60
ip ssh authentication-retries 2
banner login ~  -= Welcome To CCNA Security Test Router =-~
interface Null0
 exit
default interface Null0
interface Null0
 no ip unreachables
 exit
interface GigabitEthernet1/0
 description $FW_INSIDE$
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 exit
interface FastEthernet0/0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 exit


Chapter 2 Lab
Configure NTP, Syslog, SSH on VTY
NTP
R3(config)#ntp server 192.168.1.5
R3(config)#ntp update-calendar
R3(config)#service timestamps log datetime msec
Syslog
R3(config)#logging host 192.168.1.6
SSH
R3(config)#ip domain-name ccnasecurity.com
R3(config)#username SSHadmin privilege 15 secret ciscosshpa55
R3(config)#line vty 0 4
R3(config-line)#login  local
R3(config-line)#transport input ssh
R3(config)#crypto key zeroize rsa
R3(config)#crypto key generate rsa
The name for the keys will be: R3.ccnasecurity.com
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R3(config)#ip ssh time-out 90
R3(config)#ip ssh authentication-retries 2
R3(config)#ip ssh version 2
R3(config)#do sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 90 secs; Authentication retries: 2

CHECK on PC

PC>ssh -l SSHadmin 192.168.3.1
Open
Password:
R3#

Bonus
Cisco IOS Hardening
http://ecks90.com/?p=176

Cisco CDP Monitor
http://www.tallsoft.com/cdpmonitor.htm

Hardening Cisco IOS Devices
Video presentation http://www.cisco.com/web/learning/le31/le46/cln/qlm/Learning_Center/Security/Hardening_Cisco_IOS_Devices/player.html

Cisco IOS hardening template
http://thenetworkguy.blogspot.com/2006/08/cisco-ios-hardening.html

http://www.softperfect.com/products/networkscanner/

1 comment: