- This centralized server is often referred to as a AAA server.
Introduction to Cisco IOS Security
- A network’s security policy might limit what you as a troubleshooter are allowed to do while troubleshooting.
- You might not be allowed to remove certain access control lists (ACL), even though removing them might simplify your troubleshooting efforts.
Securing the different planes of operation on routers and switches:
■ Management plane - is used to manage a router or a switch. (for example, accessing and configuring a device)
■ Control plane - encompasses protocols used between routers and switches (for example, routing protocols and STP).
■ Data plane - in charge of forwarding data through a router or switch.
Securing the Management Plane
- when connecting to a router or a switch for management purposes,
Modes of Access
1) Command-line interface (CLI) access:
- A router / switch’s CLI can be accessed via a serial connection, known as a console connection.
- a console connection can be password protected, physical security is also a requirement.
- some platforms support the disabling of the password recovery service
no service password-recovery- The ability to disable password recovery, however, does not provide complete protection from an attacker (configuration could be wiped out)
- physical security remains a critical aspect of overall network security.
- CLI access can also be gained over a network connection using protocols such as Telnet and Secure Shell (SSH).
2) Web access
- Many network devices can be monitored and configured via a web-based interface (CCP, SDM).
- either HTTP or HTTPS can be used to access these web-based administrative interfaces, HTTPS is more secure.
3) SNMP access
- SNMP is commonly used to monitor network devices.
- Devices enabled to support SNMP can be configured to support read-only access or read-write access.
- SNMP versions 1 and 2c use community strings that must match between the monitoring device and the managed device. SNMP version 3, however, offers enhanced security through encryption and authentication.
Protecting Management Plane Access
- network (IP) security can be used to limit access to a device’s management plane over a network connection (ACLs).
- Once a connection is made with the device to be managed, the connecting user should then be authenticated.
- Cisco devices support authentication via a single password, or via a username and password combination.
- By centrally locating a common user database accessible by multiple network devices, you eliminate the need to maintain a separate user database on each network device.
Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device.
The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Device management traffic is permitted to enter a device only through these management interfaces. After MPP is enabled, no interfaces except designated management interfaces will accept network management traffic destined to the device.
Router(config)# control-plane host
Router(config-cp-host)# management-interface FastEthernet 0/0 allow ssh snmp
.Aug 2 15:25:32.846: %CP-5-FEATURE: Management-Interface feature enabled on Control plane host path
Router# show management-interface
Securing the Control Plane
- Control plane protocols include routing protocols (EIGRP, OSPF,BGP, STP, and ARP) and should be secured.
- These protocols often create data structures that are used directly or indirectly for packet-forwarding decisions by a device.
- Control plane itself should be protected from a denial-of-service (DoS) attack, where all of a control plane’s resources are consumed by malicious traffic.
Securing Routing Protocols
- Although routing protocols can differ in their implementation of authentication methods, most enterprise routing protocols support some sort of authentication.
- Similar authentication methods are available for router redundancy protocols (HSRP, VRRP, GLBP).
Securing STP
- If the root bridge fails, the STP topology will reconverge by electing a new root bridge.
- If an attacker has access to two switch ports (each from a different switch), they might be able to introduce a rogue switch into the network.
- The rogue switch can then be configured with a lower bridge priority than the bridge priority of the root bridge.
- After the rogue switch announces its superior BPDUs, the STP topology reconverges, where all traffic traveling from one switch to another switch now passes through the rogue switch, thus allowing the attacker to capture that traffic.
Root Guard
- can be enabled on all switch ports in the network off of which the root bridge should not appear
- if a port configured for Root Guard receives a superior BPDU, instead of believing the BPDU, the port goes into a root-inconsistentstate.
- While a port is in the root-inconsistent state, no user data is sent across the port.
- However, after the superior BPDUs stop, the port returns to the forwarding state.
BPDU Guard
- Enabled on ports configured with Cisco’s PortFast feature.
- The PortFast feature is enabled on ports that connect out to end-user devices, such as PCs, and it reduces the amount of time required for the port to go into the forwarding state after being connected.
- The logic of PortFast is that a port that connects to an end-user device does not have the potential to create a topology loop.
- Therefore, the port can go active sooner by skipping STP’s Listening and Learning states, which by default take 15 seconds each.
- Because these PortFast ports are connected to end-user devices, these ports should never receive a BPDU.
- Therefore, if a port enabled for BPDU Guard receives a BPDU, the port is disabled.
Securing DHCP and ARP
- On today’s networks, most clients obtain their IP address information dynamically, using DHCP, rather than having their IP statically configured.
- To dynamically obtain IP address information, a client dynamically discovers a DHCP server via a broadcast and sends out a DHCP request;
- the DHCP server sees the request; and a DHCP response (including such information as an IP address, subnet mask, and default gateway) is sent to the requesting client.
If an attacker connects a rogue DHCP server to the network, the rogue DHCP server can respond to a client’s DHCP discovery request.
- The DHCP snooping feature on Cisco Catalyst switches can be used to combat a DHCP server spoofing attack.
- This option is off on most Catalyst switches by default.
Another type of DHCP attack is more of a DoS attack against the DHCP server.
- Attacker can repeatedly request IP address assignments from the DHCP server, thus depleting the pool of addresses available from the DHCP server.
- The attacker can accomplish this by making the DHCP requests appear to come from different MAC addresses.
- To mitigate such a DoS attack, you can use the DHCP snooping to limit the number of DHCP messages per second that are allowed on an interface, thus preventing a flood of spoofed DHCP requests.
DAI
- This DHCP binding table can be used by the Dynamic ARP Inspection(DAI) feature to help prevent Address Resolution Protocol (ARP) spoofing attacks.
- DAI works similarly to DHCP snooping by using trusted and untrusted ports.
- ARP replies are allowed into the switch on trusted ports. However, if an ARP reply enters the switch on an untrusted port, the contents of the ARP reply are compared against the DHCP binding table to verify its accuracy. If the ARP reply is not consistent with the DHCP binding table, the ARP reply is dropped, and the port is disabled.
Securing Against a DoS Attack
- An attacker’s goal might be to make a network device unusable. For example, an attacker might launch a DoS attack against a router’s control plane.
- To protect against flooding of a router’s control plane, you could configure Cisco’s control plane policing (CoPP) or control plane protection (CPP) feature.
- Although both features can limit specific traffic types entering the control plane, CPP offers finer control of the policing action.
Router(config)# mls qos
!
Router(config)# ip access-list extended ACCESS-LIST-NAME
Router(config-ext-nacl)# {permit | deny} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established]
!
Router(config)# class-map TRAFFIC-CLASS-NAME
Router(config-cmap)# match {ip precedence} |{ip dscp} | access-group
!
Router(config)# policy-map SERVICE-POLICY-NAME
Router(config-pmap)# class TRAFFIC-CLASS-NAME
Router(config-pmap-c)# police {bps [normal-burst-bytes] [maximum-burst-bytes] [pir peak-rate-bps]} | [conform-action action] [exceed-action action] [violate-action action]
!
Router(config)# control-plane
Router(config-cp)# service-policy input SERVICE-POLICY-NAME
Securing the Data Plane
- Protecting the management and control planes focuses on protecting a network device (for example, a router or a switch).
- Protecting the data plane, however, focuses on protecting the actual data flowing through a network and protecting other devices (for example, hosts) on the network.
- ACLs (or VLAN access maps on Cisco Catalyst switches) offer a fundamental approach to restricting traffic allowed on a network. For example, an ACL can permit or deny traffic based on source and destination IP address and port number information, in addition to time-of-day restrictions.
- Some networks have a firewall appliance, such as the Cisco Adaptive SecurityAppliance (ASA), a Cisco IOS router can also perform firewalling features
- Intrusion prevention can be accomplished via a dedicated intrusion prevention system (IPS) appliance or through the Cisco IOS IPS feature.
- To prevent a man-in-the-middle attack, a secure virtual private network (VPN) tunnel can be constructed between the originator and destination.
Unicast Reverse Path Forwarding (uRPF) feature
- another example how Cisco IOS router can protect network traffic and other network devices,
- feature allows a router to examine the source IP address of an incoming packet and, based on the router’s IP routing table, determine how traffic would be routed back to that source address.
- If the router notices that the traffic came in on an interface that is different than the interface the router would use to send traffic back to that source IP address, the router can drop the traffic.
- router dropping this traffic - because this behavior could reflect an IP spoofing attack, where an attacker was impersonating a trusted IP address
802.1X
- requires a client to authenticate before communicating on the network.
- once the authentication occurs, a key is generated that is shared between the client and the device to which it attaches (for example, a wireless LAN controller or a Layer 2 switch)
- the key is then used to encrypt traffic coming from and being sent to the client.
802.1X components
- Supplicant (client)- device that wants to gain access to the network.
- Authenticator (Switch) - forwards the supplicant’s authentication request on to an authentication server. Once the authentication server has authenticated the
supplicant, the authenticator receives a key that is used to communicate securely during a session with the supplicant.
- Authentication Server (RADIUS Server) - checks the supplicant’s credentials. If the credentials are acceptable, the authentication server notifies the authenticator that the supplicant is allowed to communicate on the network.
NAC
- An even more sophisticated approach to admission control is the Network Admission Control (NAC) feature.
- Beyond just checking credentials, NAC can check characteristics of the device seeking admission to the network.
- The client’s operating system and version of anti-virus software are examples of these characteristics.
Security Troubleshooting Targets
- Because adding security to a network can complicate your troubleshooting efforts, you should have an understanding of basic security configurations which you might encounter on a router.
Configuring and Troubleshooting the Cisco IOS Firewall Feature
1) Classic Cisco IOS Firewall
- This firewalling feature was previously known as Context-Based Access Control (CBAC).
- The Classic Cisco IOS Firewall inspects traffic flowing from a trusted network to an untrusted network, and returning flows from the untrusted network can be permitted into the trusted network.
- However, if someone attempted to initiate a session from the untrusted network into the trusted network, that session would be denied.
2) Zone-Based Policy Firewall
- This firewalling feature allows various router interfaces to be assigned to a zone.
- Interzone policies can then be configured to dictate what traffic is permitted between these defined zones
Configuring and Troubleshooting AAA
- with AAA services, you can have a single repository for user credentials.
- Another advantage of giving different network administrators their own login credentials, as opposed to an enable secret password used on all routers, is that users can quickly be added and deleted from the database without the need to touch each router.
debug aaa authenticationTroubleshooting a TACACS+ configuration, consider the following common error conditions:
debug aaa authorization
debug aaa accounting
■ The TACACS+ server is offline
This condition might be indicated by the text “Connection refused by remote host” appearing in the output of the debug aaa authentication
■ The shared secret key configured on the AAA client doesn’t match the key configured on the AAA server
This condition might be indicated by the text “Invalid AUTHEN/START packet (check keys)” appearing in the output of the debug aaa authentication
■ An invalid username/password combination was provided by the AAA client:
This condition might be indicated by the text “Authentication failure” appearing in the output of the debug aaa authentication
Troubleshooting a RADIUS configuration, consider the following common error conditions:
■ The RADIUS server is offline
This condition might be indicated by the text “No response from server” appearing in the output of the debug radius
■ The shared secret key configured on the AAA client doesn’t match the key configured on the AAA server
This condition might be indicated by the text “Reply for idfails decrypt” appearing in the output of the debug radius
■ A user is attempting to use a service for which they are not authorized
This condition might be indicated by the text “No appropriate authorization type for user” appearing in the output of the debug radius
■ An invalid username/password combination was provided by the AAA client
This condition might be indicated by the text “Received from id id IP_address:port_number. Access-Reject” appearing in the output of the debug radius
The two most popular AAA protocols used for communicating between a network device and a AAA server are TACACS+ and RADIUS.
- Although multiple TACACS+ and RADIUS servers are available on the market today, be aware of the Cisco product offering in this area—Cisco Secure ACS.
Sampling of Cisco IOS Security Troubleshooting Syntax
Router(config-line)# exec-timeout <minutes> <[seconds]>
! Specifies how long the EXEC process running on a line waits for user input before timing out the connection (defaults to 10 minutes)
Router(config)# access-list <number> {deny|permit} <protocol> <source wildcard-mask> <destination wildcard-mask> [eq port-number] [log]
! Creates an extended IP access list, where the access list number is in the range 100–199
rommon> confreg 0x2142
! Configures a router in ROM Monitor configuration mode to ignore its startup configuration when it boots
rommon> reset
! Causes a router in ROM Monitor configuration mode to reboot
Router(config)# config-register 0x2102
! Configures a router to uses its startup configuration the next time the router boots
Router(config)# enable secret <password>
! Configures a router’s privileged mode password
show access-lists <----Displays access lists configured on a router
show logging <----Displays output collected from logged access list entries
Password recovery process on router
- reboot, and during the first few seconds of the router booting up, a Break was sent from the terminal emulator to the router.
- The Breakcaused the ROM Monitor prompt (that is, rommon) to appear on router’s console.
- The configuration register set to 0x2142 with the command confreg 0x2142
- Setting the configuration register to this value causes the router to ignore its startup configuration when the router boots.
- Reboot router by issuing the reset command at the rommon prompt.
- Because the router ignored the startup configuration, after the router booted, a prompt was presented, asking the administrator if he wanted to go through the setup dialog.
- A no was entered at this prompt. The enable command was entered to go into privileged configuration mode.
- startup configuration, stored in the router’s NVRAM, was merged with the existing running configuration using the command copy star run
- This command does not replacethe running configuration with the startup configuration. Rather, these two configurations are merged.
- enable secret cisco
- config-register 0x2102
- copy run star
- reload
Performing Password Recovery on Router
System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
Copyright (c) 2002 by cisco Systems, Inc.
C2600 platform with 131072 Kbytes of main memory
...BREAK SEQUENCE SENT...
monitor: command “boot” aborted due to user interrupt
rommon 1 > confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 2 > reset
...OUTPUT OMITTED...
---- System Configuration Dialog ----
Would you like to enter the initial configuration dialog? [yes/no]: no
Press RETURN to get started!
...OUTPUT OMITTED...
Router>enable
Router#copy star run
Destination filename [running-config]?
...OUTPUT OMITTED... <----MERGED
R1(config)# enable secret cisco
R1(config)# config-register 0x2102
R1(config)# end
*Mar 3 12:43:26.016: %SYS-5-CONFIG_I: Configured from console by console
R1# copy run star
Destination filename [startup-config]?
Building configuration...
[OK]
R1# reload
Proceed with reload? [confirm]
...OUTPUT OMITTED...
Press RETURN to get started!
R1>
R1>enable
Password:cisco
R1#