Internet Security Internet and Intranet meeting future business needs - PowerPoint PPT Presentation

1
Internet Security: Internet and Intranet -
meeting future business needs
Cisco Systems Confidential
2
Before we Begin......
  • Attendees agree that this information will be
    circulated on a very strict need-to-know basis, as
    it is sensitive and can cause security problems.
  • While the information in this document is not
    confidential, there is information that could be
    harmful if given to the wrong individuals.
  • The only way to understand security problems is
    to know what they are. This means that they may
    also be exploited by those who are untrustworthy.

3
New Network Threats
4
Need for More Security
and the Net Has Changed!
Original ARPAnet -> Today's Internet -> Implications
  • 1983: 200 core nodes, linear growth -> 11.6 million
    core nodes, exponential growth -> shortage of unique
    IP network numbers imminent
  • Large time-sharing nodes, mostly educational ->
    large and distributed ISP-connected organizations ->
    CIDR, NAT, DHCP for client only, IPv6
  • Difficult security; underlying technology known to
    few -> numerous untrusted private-sector hosts,
    hackers abound -> firewalls, encryption
5
Diagram: Internetwork - the Internet linking consumers, small business, professional office and enterprise
6
Putting Things in Perspective
  • 75% of computer attacks are never detected.
  • Only 15% of all computer crimes are instigated by
    outsiders.
  • 80-85% are launched by insiders - people you
    thought you could trust.

7
Where's the Threat? ...Corporate Space
Pie chart labelled 80 and 20, with Internet, Terminal Server and Employees
8
Where's the Threat? ...ISP Space
Pie chart labelled 80 and 20, with Internet, Terminal Server and Customers
9
Security Services
Have You Experienced Computer or Network
Security Breaches in the Last Year?
No: 52%   Yes: 48%
Source: Computer Security Institute and FBI Computer
Crime Division, Fortune 500 Survey, 1995
10
What are the Threats?
  • Trusted Users
  • Remember....80-85% of all break-ins are caused by
    people who are insiders.
  • Amateurs
  • Cyberpunks, Hackers, Vandals, Crackers, Jerks,
    etc
  • Professionals
  • No-Win Situation

11
What are the Threats?
  • Trusted Users
  • 80-90% of all break-ins are caused by people
    who work for the organizations they broke into!
  • Many are caught accidentally
  • Many are amateurs and are caught because they are
    careless
  • Most are quietly removed
  • Very few are reprimanded

12
What are the Threats?
  • Trusted Users
  • Extremely few are prosecuted by the legal system
  • Never at a financial institution
  • Never at a site with links to possible harm to
    life, or where there is a tie-in to public view
  • Some places there is little understanding about
    how to handle the legal problem
  • Most companies do not want publicity

13
What are the Threats?
  • Trusted Users
  • Most break-ins are either
  • Greed-oriented
  • Revenge oriented
  • Malicious
  • Information Acquisition
  • Accidental initially, but then an opportunity for
    the user of the system.

14
What are the Threats?
  • Amateurs
  • Amateurs usually leave a trail that is not too
    difficult to pick up
  • Amateurs will eventually screw-up
  • Amateurs do not know when to quit
  • Amateurs, with careful monitoring, may be found
    quickly
  • Most Internet Cyberpunks are Amateurs

15
What are the Threats?
  • Professionals
  • Professionals are rarely detected
  • Professionals are difficult to find
  • Professionals will usually originate from a
    break-in elsewhere
  • Professionals leave no traceback
  • Professionals know when it is time to leave
  • Professionals will take what they want, no matter
    what is done to safeguard information

16
What are the Threats?
  • Bottom Line.......
  • If someone wants the information bad enough, and
    he/she knows what they are doing, they will not
    be stopped and you may consider the information
    to be history.

17
IT Issues
Chart over time: Internet traffic (load/traffic, connectivity) and IT spending rising together with business value/importance; "Today" marked on the time axis
  • Enterprise information becoming more
    valuable/vulnerable

18
The Security Dilemma
More than 200 Fortune 1000 companies were asked
if they had detected attempts from outsiders to
gain computer access in the past 12 months
  • Security is complicated to implement
  • Security cannot be implemented uniformly
  • Internet connection is a security risk

Don't know: 30%   No: 12%   Yes: 58%
If yes, how many successful accesses were
detected?
  1-10: 42%   11-20: 25%   21-30: 16%   31-40: 10%   41-50: 5%   over 50: 2%
Source: Warroom Research
19
Solutions: Before you Begin...
  • On-Site Security Policy
  • Host Security (UNIX/VMS)
  • Workstation Security (X, MS, Mac, OS/2)
  • Network Security
  • Password Policies
  • Application Security
  • Tools to Track Attacks
  • Ability to lock 'em up (every security policy
    needs a hammer)

20
Creating Cisco Solutions
Diagram: Internet BU products (firewalls, translation gateways, traffic directors, client software, server software) layered on Core, Access, InterWorks and Workgroup products, with integration into Cisco IOS software.
Goals: end-to-end security solutions; end-to-end multimedia solutions; Internet/intranet connectivity and security for Novell and DEC customers; scalable plug-and-play TCP/IP environments; scalability for global and enterprise WWW applications.
21
Security Is a System
Physical security example: What are you trying to
protect?
22
Technical Requirements
  • Authentication
  • Who it is
  • Authorization
  • What is permitted
  • Accounting
  • What was done
  • Data integrity
  • Data is unaltered
  • Confidentiality
  • No unauthorized review
  • Assurance
  • Everything operates as specified

23
Cisco Security Today
Diagram: security features spread across Dial, Firewall and Network Infrastructure: TACACS/RADIUS, Logging, NAT, PAP/CHAP, Token Card Support, Route Filtering, GRE Tunnels, CiscoSecure, Privilege Levels, Access Control Lists, Certificate Authority, Lock-and-Key, Kerberos, Cut-Through Proxy, Encryption, L2F
24
Solutions: Before you Begin...
  • Security is an ATTITUDE!

25
Security Objective Balance
Diagram: a balance between Access (connectivity, performance, transparency) and Security (authentication, authorization, accounting, assurance, confidentiality, data integrity)
Every customer's needs will be different!
26
Host Security
  • If a host is not secure, then neither is the
    network

Diagram labels: File Sharing, Anonymous FTP, Guest Login, Mail
27
Network Security Options
  • No Internet connection
  • Packet filtering with Access Control List (ACL)
  • Firewalls
  • Privacy with encryption

28
Definition of a Firewall
Firewalls are perimeter security solutions,
deployed between a trusted and untrusted network,
often a corporate LAN and an Internet connection
29
Firewall Architecture
Diagram: Internet - Cisco IOS Firewall (packet filtering) - public WWW, public FTP, DNS and mail servers
  • Cisco IOS 11.2
  • 1. Access lists
  • 2. Packet filtering
  • 3. Network Address Translation
  • 4. Encryption

30
Firewall Architecture
Diagram: Internet - dedicated Cisco PIX Firewall - public WWW, public FTP, DNS and mail servers
31
Demilitarized Zone (DMZ)
Diagram: public WWW, public FTP, DNS and mail servers placed in a DMZ between the Internet and the internal network
32
Proxy Servers
Diagram: an outbound-only proxy server between the internal network and the Internet, with the public WWW, public FTP, DNS and mail servers alongside
33
Firewall with Address Translation
Diagram: private IPs (10.0.0.0) inside; a CiscoSecure access router or a PIX at the Internet border; public WWW, public FTP, DNS and mail servers on registered IPs (192.128.234.0)
  • Cisco PIX Firewall - dedicated
  • Cisco IOS 11.2 - NAT in software

34
Encryption
Diagram: "YOUR Text" crosses the Internet as cipher text (23B9F37) and is recovered as "YOUR Text" at the far end; public WWW, public FTP, DNS and mail servers shown
35
Scaling Internet Firewalls
Scaled by link speed:
  • Fractional E1/T1 - small office: all in one, costs less
  • E1/T1 - gateway router and firewall; encryption performance
  • DS3/45 Mbps - gateway router and firewalls; scalable encryption performance
36
Dial Security
  • Centralized security with TACACS / RADIUS
  • Lock and Key

37
Centralized Security
Diagram: dial client - router (TACACS or RADIUS) - CiscoSecure TACACS or RADIUS server providing authentication, authorization and accounting
38
Lock and Key
Diagram: Internet access through a CiscoSecure-backed router; the authorized user passes, the non-authorized user is blocked (X)
  • Enables dynamic Access Control Lists
  • Single user on a LAN
  • Per-user authorization and authentication
39
Virtual Private Dial Networks
Diagram: remote users reach the corporate network across the Internet, authenticated by a CiscoSecure TACACS server
  • Encrypted access
  • Multiprotocol: IP, IPX, SNA, AppleTalk

40
Virtual Private Networks
  • IOS
  • PIX

41
Virtual Private Networks
Diagram: remote offices and the corporate LAN joined over a public network
  • Replace private WAN with public network access
  • Intracompany traffic is private and authenticated
  • Internet access is transparent

42
Encryption Alternatives
Application-layer encryption: application layers (5-7)
Network-layer encryption: transport/network layers (3-4)
Link-layer encryption: link/physical layers (1-2)
43
Application Encryption
  • Encrypts traffic to/from interoperable
    applications
  • Specific to application, but network independent
  • Application dependent
  • All users must have interoperable applications
  • Examples: S/MIME, PEM, Oracle Securenet, Lotus
    cc:Mail and Notes.

44
Network Encryption
Diagram: traffic from host A to the HR server is encrypted; all other traffic (hosts B and D, the e-mail server) is clear
  • Encrypts traffic between specific networks,
    subnets, or address/port pairs
  • Specific to protocol, but media/interface
    independent
  • Does not need to be supported by intermediate
    network devices
  • Independent of intermediate topology
  • Example: Cisco IOS and PIX

45
Link Encryption
  • Encrypts all traffic on a link, including
    network-layer headers
  • Specific to media/interface type, but protocol
    independent
  • Topology dependent
  • Traffic is encrypted/decrypted on a link-by-link
    basis
  • All alternative paths must be encrypted/decrypted

46
Cisco IOS Encryption Services
  • Policy by network, subnet, or address/port pairs
    (ACL)
  • DSS for device authentication; Diffie-Hellman for
    session key management
  • DES for bulk encryption
  • DES 40-bit: generally exportable
  • DES 56-bit: restricted
  • Hardware assist: VIP2 service adapter

Diagram: "A to C, D" clear, "B to C, D" encrypt; hosts A-D, an e-mail server and an HR/financial server across a private WAN with a link to the public Internet
47
Cisco IOS Encryption Options
Cisco 7000 and 7500
  • Cisco IOS software on 100X, 25xx, 4xxx, 7xxx
    series routers
  • On Cisco RSP 7000 and 7500 series, encryption
    services are performed
  • Centrally on the master RSP, and/or
  • Distributed on VIP2-40
  • Encryption service adapter for Versatile
    Interface Processors (VIP)
  • Provides higher-performance encryption for local
    interfaces
  • Tamper-proof

Diagram: route switch processors (master RSP, slave RSP) and VIPs; a Versatile Interface Processor carries a port adapter and an encryption service adapter
48
PIX Private Link
High-Performance Hardware Encrypted Virtual
Private Networks!
Diagram: PIX Private Link frame - MAC header, outer IP and UDP headers, encapsulation header, the encrypted information (the original IP header and data), then the CRC. Networks A-D each sit behind a PIX/Private Link unit and exchange IP packets across the public network (Internet).
49
PIX Private Link Benefits
  • Secures data communication between sites
  • Reduces high monthly cost of dedicated leased
    lines
  • Complete privacy
  • Easy installation: two commands, no maintenance
  • Compliant with IETF IPsec: supports AH (RFC 1826)
    and ESP (RFC 1827)
  • Adds value to your Internet connection
  • Augment and back up existing leased lines

50
Private Link
Diagram: private network (satellite division, 10.0.0.0) behind PIX B, linked across the Internet to PIX A (addresses 171.68.10.4 and 171.69.236.2) in front of a DMZ (SMTP gateway, UNIX DB gateway), the Engineering, Marketing and Executive networks (172.17.0.0, 172.18.0.0, 172.19.0.0), and TACACS and RADIUS servers
51
Tricks to Secure Your Router
52
Protecting Your Router
  • Terminal Access Security
  • Transaction and Accounting Records
  • Network Management Security
  • Traffic Filters
  • Routing Protocol Security
  • Securing Router Services

53
The Routers Role in a Network
Diagram: routers join the Internet, TCP/IP host systems and an IPX network of DOS, Windows and Mac workstations
54
Terminal Access Security
55
Console Access
  • Change your passwords - do not use the default.
  • Make sure the privilege (enable) password is
    different from the access (login) password.
  • Use mixed-character passwords - adds difficulty
    to crack attempts
  • Configure session time-outs
  • Use password encryption features to encrypt the
    password in the configuration images and files.
  • Use enable secret, which stores the enable
    password with the strongest protection available.

56
Telnet Access
  • Configures ALL the VTY ports!
  • Create an access list for the ports - limits the
    range of IP addresses you can Telnet into the
    router from.
  • Limit or block port 57 (open Telnet with no
    password write over).
  • Do not use commands like ip alias on the Cisco,
    unless you really need to.
  • Block connections to echo and discard via the no
    service tcp-small-servers.

57
Telnet Access
  Enter configuration commands, one per line.  End with CNTL/Z.
  serial2-3(config)# access-list 101 deny tcp any any eq 57
  ! 0.0.255.255 is the IOS wildcard mask for 165.21.0.0/16
  ! (a subnet-mask style 255.255.0.0 would match the wrong addresses)
  serial2-3(config)# access-list 101 permit tcp 165.21.0.0 0.0.255.255 any
  serial2-3(config)# line vty 0 5
  serial2-3(config-line)# access-class 101 in

  Extended IP access list 101
      deny tcp any any eq 57
      permit tcp 165.21.0.0 0.0.255.255 any

58
Multiple Privilege Levels
  • Division of responsibilities
  • Help desk and network manager
  • Security and network operations
  • Provides internal controls
  • Users can only see configuration settings they
    have access to

59
Configuring Multiple Privilege Levels
  • Set the privilege level for a command
  • Change the default privilege level for lines
  • Display current privilege levels
  • Log in to a privilege level

60
Multiple Privilege Example
  • Configuration
    enable password level 15 pswd15
    privilege exec level 15 configure
    enable password level 10 pswd10
    privilege exec level 10 show running-config
  • Login/Logout
    enable
    disable

61
What Is AAA?
  • Authentication
  • Something you are
  • Unique, can't be left at home: retina, prints,
    DNA
  • Something you have
  • Hardware assist: DES card
  • Something you know
  • Cheap, low-overhead solution: fixed passwords
  • Authorization
  • What you're allowed to do: connections, services,
    commands
  • Accounting
  • What you did, and when
  • It's also an architectural framework
  • Protocol-independent formats
  • Easy to support multiple protocols
  • Consistent configuration interface
  • Good scalability for large ISPs with volatile
    databases, lots of accounting data

62
TACACS
Diagram: a user on a virtual terminal tells Router A (the TACACS client), "I would like to log into Router A, my name is JSmith, my password is"; Router A asks the TACACS server, "Is JSmith with password an authorized user?"
63
Token Card
Diagram: Cisco 500-CS terminal server; the user presents username/password plus a token, the security server partners check it, and access is permitted
64
Transaction and Accounting Records
65
Transaction Records
  • Q - How do you tell when someone is cracking into
    your router, hub, or switch?
  • Consider some form of audit trail
  • Use the UNIX logging features (if it has any), and
    cron scripts to alert you when there are
    potential problems.
  • SNMP traps and alarms.
  • Implement TACACS, RADIUS, Kerberos, or third-party
    solutions like Security Dynamics SmartCard.

66
Transaction Records
  • UNIX Logging
    logging buffered 16384
    logging trap debugging
    logging 169.222.32.1

Diagram: logging flow from the router to a UNIX workstation with logging configured
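Slide 65 asks how you tell that someone is working on your router and answers: audit trails, UNIX logging, and cron scripts that alert you. The Python below is an added example of such a script; it is not Cisco code and not part of the original deck. It scans syslog lines of the kind the logging configuration above delivers to the UNIX host and raises two alerts: a source repeatedly denied by an access list entry that carries the log keyword, and a configuration change made from anywhere but the known management station. The log lines are constructed samples that follow the IOS %SEC-6-IPACCESSLOGP and %SYS-5-CONFIG_I message shapes; the addresses, the threshold and the trusted management station are assumptions.

```python
"""Syslog audit script (added example, not Cisco code).

Reads the lines a UNIX syslog host collects from a router configured with
"logging <host>" and "logging trap debugging" and flags:
  (a) sources that are repeatedly denied by an access list with "log", and
  (b) configuration changes from anywhere but the trusted management stations.
The sample lines are constructed to follow the IOS message shapes; they are
not real captures.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

SAMPLE_LOG = """\
Mar  5 10:12:01 rtr1 45: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(1025) -> 169.222.32.1(23), 1 packet
Mar  5 10:12:03 rtr1 46: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(1026) -> 169.222.32.1(23), 1 packet
Mar  5 10:12:04 rtr1 47: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(1027) -> 169.222.32.1(57), 1 packet
Mar  5 10:12:09 rtr1 48: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(1028) -> 169.222.32.1(23), 1 packet
Mar  5 10:13:40 rtr1 49: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.3(40001) -> 169.222.32.1(23), 1 packet
Mar  5 10:15:00 rtr1 50: %SYS-5-CONFIG_I: Configured from console by vty0 (169.222.32.9)
Mar  5 10:15:30 rtr1 51: %SYS-5-CONFIG_I: Configured from console by vty1 (198.51.100.9)
Mar  5 10:16:00 rtr1 52: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
"""

# One ACL deny line: list number, protocol, source(port) -> destination(port)
ACL_DENY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)")
# A configuration change: which line it came in on and from which address
CONFIG_CHANGE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<line>\S+) \((?P<src>\d+\.\d+\.\d+\.\d+)\)")


def audit(lines: Iterable[str], trusted_managers: Iterable[str],
          deny_threshold: int = 3) -> Dict[str, List[str]]:
    """Return alert strings grouped by kind; empty lists mean nothing to report."""
    trusted = set(trusted_managers)
    denies: Counter = Counter()          # source -> number of denied packets
    ports: Dict[str, set] = {}           # source -> destination ports it tried
    untrusted_config: List[str] = []
    for line in lines:
        m = ACL_DENY.search(line)
        if m:
            denies[m["src"]] += 1
            ports.setdefault(m["src"], set()).add(int(m["dport"]))
            continue
        m = CONFIG_CHANGE.search(line)
        if m and m["src"] not in trusted:
            untrusted_config.append(f"{m['src']} via {m['line']}")
    repeat_denies = [
        f"{src}: {n} denies, ports {sorted(ports[src])}"
        for src, n in denies.most_common() if n >= deny_threshold
    ]
    return {"repeat_denies": repeat_denies, "untrusted_config": untrusted_config}


def audit_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed log with 169.222.32.9 as the only trusted manager."""
    return audit(SAMPLE_LOG.splitlines(), trusted_managers=["169.222.32.9"])


if __name__ == "__main__":
    for kind, alerts in audit_sample().items():
        for alert in alerts:
            print(f"[{kind}] {alert}")
```

Pointed at the real syslog file from cron, the same two checks give the "audit trail" the slide asks for; the threshold and the set of trusted stations are the two knobs to tune per site.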
67
Network Management Security
68
SNMP
  • #1 source of intelligence on a victim's network!
  • Do you know when someone is running a SNMP
    discovery tool on your network?
  • Do you block SNMP on your firewall?

69
SNMP
  • Change your community strings! Do not leave the
    defaults on!
  • Use different community strings for the RO and RW
    communities.
  • Do NOT use RW community unless you are desperate!
  • Use mixed characters in the community strings.
    Yes, even SNMP community strings can be cracked!

70
SNMP
  • Use an access list on SNMP. Limit who can make
    SNMP queries. If someone needs special access
    (e.g. for monitoring an Internet link), then
    create a special community string and access
    list.
  • Explicitly point SNMP traffic back to the
    authorized workstation

71
SNMP
  snmp-server community apricot RO 1
  snmp-server trap-authentication
  snmp-server enable traps config
  snmp-server enable traps envmon
  snmp-server enable traps bgp
  snmp-server host 169.223.2.2 apricot
  ! standard list 1 restricts the apricot community to the management station
  access-list 1 permit 169.223.2.2

72
Traffic Filters
73
IP Access List
  • IP standard access list
  • IP extended access list
  • Extended 48-bit MAC address access
    list
  • Protocol type-code access list
  • 48-bit MAC address access list

74
Extended Access Lists
  • access-list access-list-number {deny | permit}
    protocol source source-wildcard destination
    destination-wildcard [precedence precedence]
    [tos tos] [established] [log]
  • Example
  • access-list 101 permit icmp any any log

75
Spoofing
  • Access list protections are based on matching the
    source.
  • Protect your router with something like the
    following (131.108.0.0 0.0.255.255 stands for your
    own address space; 0.0.0.0 255.255.255.255 means
    "any")
    access-list 101 deny ip 131.108.0.0 0.0.255.255 0.0.0.0 255.255.255.255
    access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
    access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
  • Turn off IP source routing (no ip source-route)

76
Spoofing
Diagram: central site, Branch Office A and the Internet; a forged update arrives: "Hello, I'm Branch Office X! Here is my routing-update!"
77
Spoofing
Diagram: a 198.92.93.0/24 network connected to ISP A and ISP B; filter any inbound packets with a 198.92.93.0/24 source (the example shows a packet arriving from outside with source 198.92.93.3/24)
78
Denial of Service Attacks
  • TCP SYN attack: A sender using a series of
    random source IP addresses starts connections
    that cannot be completed, causing the connection
    queues to fill up, thereby denying service to
    legitimate TCP users.
  • UDP diagnostic port attack: A sender using a
    series of random IP source addresses calls for
    UDP diagnostic services on the router, causing
    all CPU resources to be consumed servicing the
    bogus requests.

79
Denial of Service Attacks TCP SYN
Diagram: an attacker in 9.0.0.0/8 sends TCP SYNs to the target in 10.0.0.0/8 with forged sources 192.168.0.4/32, 15.0.0.13/32 and 172.16.0.2/32; the target's SYN/ACK replies go to those addresses and are never answered (?)
80
Denial of Service Attacks TCP SYN
Filter any address that does not
contain 10.0.0.0/8 as a source
  • Ingress filtering
  • Apply an outbound filter...
    access-list 101 permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
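The access lists on slides 57 (VTY access-class), 75 (anti-spoofing) and 80 (ingress filtering) all depend on two things: IOS wildcard-mask matching, where a 0 bit means "must match" and a 1 bit means "don't care", and first-match evaluation with an implicit deny at the end. The Python below is an added example, not Cisco code and not part of the original deck, that models that evaluation so a filter can be checked against sample packets before it goes on a router. The addresses are constructed; the VTY list is written with the 0.0.255.255 wildcard that 165.21.0.0/16 needs, and check_filters() includes a probe showing why a subnet-mask style 255.255.0.0 would not match the intended hosts.

```python
"""IOS-style access-list evaluator (added example, not Cisco code).

Models the first-match / implicit-deny semantics of numbered IOS access
lists and the wildcard-mask notation used on the slides. All addresses
are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under an IOS wildcard mask.

    A wildcard bit of 0 means "must match", 1 means "don't care" (the
    inverse of a subnet mask): 0.0.255.255 pins the first two octets,
    255.255.255.255 matches everything ("any").
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]   # from a trailing "eq <port>", if present


def _take_addr(tok: List[str], i: int):
    """Consume one address spec: "any" or "<addr> <wildcard>"."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return tok[i], tok[i + 1], i + 2


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse lines of the form used on the slides:
    access-list <n> {permit|deny} <proto> <src> <wc> <dst> <wc> [eq <port>] [log]
    Only a destination "eq" is modelled, which is all the slide examples use."""
    entries = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] == "!":          # skip blanks and IOS comments
            continue
        if tok[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action, proto = tok[2], tok[3]
        src, src_wc, i = _take_addr(tok, 4)
        dst, dst_wc, i = _take_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        entries.append(Entry(action, proto, src, src_wc, dst, dst_wc, dport))
    return entries


def evaluate(entries: List[Entry], src: str, dst: str,
             proto: str = "ip", dport: Optional[int] = None) -> str:
    """First matching entry decides; no match means the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


# Anti-spoofing filter from slide 75, assuming an inside network of
# 131.108.0.0/16 and applying the list inbound on the Internet-facing
# interface. "0.0.0.0 255.255.255.255" is the older spelling of "any".
ANTI_SPOOF_ACL = parse_acl([
    "access-list 101 deny ip 131.108.0.0 0.0.255.255 0.0.0.0 255.255.255.255",
    "access-list 101 deny ip 127.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255",
    "access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
])

# VTY filter from slide 57 (applied with "access-class 101 in"). The wildcard
# must be 0.0.255.255; a subnet-mask style 255.255.0.0 would pin the *last*
# two octets instead and deny the very hosts it was meant to admit.
VTY_ACL = parse_acl([
    "access-list 101 deny tcp any any eq 57",
    "access-list 101 permit tcp 165.21.0.0 0.0.255.255 any",
])


def check_filters() -> dict:
    """Exercise both filters with constructed packets; returns each verdict."""
    return {
        "spoofed_inside_src": evaluate(ANTI_SPOOF_ACL, "131.108.5.5", "131.108.1.1"),
        "loopback_src": evaluate(ANTI_SPOOF_ACL, "127.0.0.1", "131.108.1.1"),
        "outside_src": evaluate(ANTI_SPOOF_ACL, "198.51.100.7", "131.108.1.1"),
        "vty_from_inside": evaluate(VTY_ACL, "165.21.7.9", "165.21.0.1", "tcp", 23),
        "vty_port57": evaluate(VTY_ACL, "165.21.7.9", "165.21.0.1", "tcp", 57),
        "vty_from_elsewhere": evaluate(VTY_ACL, "10.1.1.1", "165.21.0.1", "tcp", 23),
        "wrong_mask_matches": wildcard_match("165.21.7.9", "165.21.0.0", "255.255.0.0"),
    }


if __name__ == "__main__":
    for name, verdict in check_filters().items():
        print(f"{name:22s} {verdict}")
```

evaluate() models one direction only and ignores the log keyword; it is meant for checking that a list admits and denies what you expect, not as a substitute for testing on the router.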

81
Denial of Service Attacks UDP diag
Diagram: an attacker in 9.0.0.0/8 floods the target router in 10.0.0.0/8 with echo, chargen and discard requests
  • Turn off small services
    no service udp-small-servers
    no service tcp-small-servers

82
Solution TCP Intercept
  • Tracks, intercepts and validates TCP connection
    requests
  • Two modes: intercept and monitor (watch)

83
TCP Intercept: Intercept Mode
  • 1. Answer connection requests
  • 2. Establishes genuine connection
  • 3. Merge connection between client and server

84
TCP Intercept: Monitor Mode
  • Passively monitor connection requests
  • Terminates connection attempts that exceed
    configurable time limit

85
TCP Intercept Aggressive Behavior
  • Begins when high-threshold exceeded, ends when
    drops below low-threshold
  • New connection drops old partial connection
  • Retransmission timeout cut in half
  • Watch timeout cut in half

86
TCP Intercept Considerations
  • TCP negotiated options not supported
  • Available in release 11.2(4)F Enterprise and
    Service Provider
  • Connection is fast switched except on the
    RP/SP/SSP based C7000 which supports process
    switching only

87
TCP Intercept Configuration Tasks
  • Enable
    ip tcp intercept list <access-list-number>
  • Set mode
    ip tcp intercept mode {intercept | watch}
  • Set drop mode
    ip tcp intercept drop-mode {oldest | random}

88
TCP Intercept Configuration
  • Change timers
    ip tcp intercept watch-timeout <seconds>
    ip tcp intercept finrst-timeout <seconds>
    ip tcp intercept connection-timeout <seconds>
  • Change aggressive thresholds
    ip tcp intercept max-incomplete low <number>
    ip tcp intercept max-incomplete high <number>
    ip tcp intercept one-minute low <number>
    ip tcp intercept one-minute high <number>
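Slides 82-88 describe TCP Intercept's table of half-open connections, the aggressive mode that starts when the count exceeds max-incomplete high and ends when it drops below max-incomplete low, the oldest/random drop modes, and the halved watch timeout. The Python below is an added simulation of that behaviour, not Cisco's implementation and not part of the original deck, run against a small constructed SYN flood. The thresholds (high=20, low=10, watch-timeout 60 s) and the addresses are chosen for the demonstration and are far smaller than a router's defaults.

```python
"""Simulation of TCP Intercept's half-open connection table (added example,
not Cisco's implementation). Models the behaviour on slides 82-88: track
embryonic connections, enter aggressive mode above max-incomplete high,
drop one old partial connection per new SYN while aggressive (drop-mode
oldest or random), halve the watch timeout, and leave aggressive mode once
the count falls below max-incomplete low. Thresholds and addresses below
are constructed for the demonstration.
"""
import random
from collections import OrderedDict
from typing import Dict, Tuple

Key = Tuple[str, int]   # (client address, client port)


class TcpIntercept:
    def __init__(self, high: int, low: int, watch_timeout: float,
                 drop_mode: str = "oldest", seed: int = 0):
        self.high, self.low = high, low
        self.watch_timeout = watch_timeout
        self.drop_mode = drop_mode
        self.rng = random.Random(seed)
        # key -> time of the SYN; insertion order means oldest first
        self.half_open: "OrderedDict[Key, float]" = OrderedDict()
        self.aggressive = False
        self.dropped = self.expired = self.completed = 0
        self.peak = 0

    def _timeout(self) -> float:
        # "Watch timeout cut in half" while aggressive
        return self.watch_timeout / 2 if self.aggressive else self.watch_timeout

    def _expire(self, now: float) -> None:
        stale = [k for k, t0 in self.half_open.items() if now - t0 > self._timeout()]
        for k in stale:
            del self.half_open[k]
            self.expired += 1

    def _update_mode(self) -> None:
        n = len(self.half_open)
        if not self.aggressive and n > self.high:
            self.aggressive = True
        elif self.aggressive and n < self.low:
            self.aggressive = False

    def syn(self, key: Key, now: float) -> None:
        """A new connection request arrives."""
        self._expire(now)
        if self.aggressive and self.half_open:
            # "New connection drops old partial connection"
            victim = (next(iter(self.half_open)) if self.drop_mode == "oldest"
                      else self.rng.choice(list(self.half_open)))
            del self.half_open[victim]
            self.dropped += 1
        self.half_open[key] = now
        self.peak = max(self.peak, len(self.half_open))
        self._update_mode()

    def ack(self, key: Key, now: float) -> None:
        """The client finished its handshake; the connection leaves the table."""
        self._expire(now)
        if key in self.half_open:
            del self.half_open[key]
            self.completed += 1
        self._update_mode()

    def tick(self, now: float) -> None:
        """Periodic timer: age out partial connections."""
        self._expire(now)
        self._update_mode()


def run_flood_scenario(drop_mode: str = "oldest") -> Dict[str, object]:
    """30 SYNs from distinct spoofed sources that never complete, then one
    legitimate client, then a long idle period. Returns the counters."""
    ti = TcpIntercept(high=20, low=10, watch_timeout=60.0, drop_mode=drop_mode)
    for i in range(30):
        ti.syn((f"203.0.113.{i}", 40000 + i), now=float(i))   # spoofed, never ACKed
    ti.syn(("192.0.2.10", 5000), now=30.0)                   # legitimate client
    ti.ack(("192.0.2.10", 5000), now=31.0)
    aggressive_during_flood = ti.aggressive
    ti.tick(now=100.0)                                        # flood stops; table ages out
    return {
        "peak": ti.peak,
        "dropped": ti.dropped,
        "expired": ti.expired,
        "completed": ti.completed,
        "aggressive_during_flood": aggressive_during_flood,
        "aggressive_at_end": ti.aggressive,
    }


if __name__ == "__main__":
    print(run_flood_scenario("oldest"))
```

The scenario shows the trade-off the slides imply: once aggressive mode is on, every new SYN evicts a partial connection, so the table stops growing at high+1 entries, but a legitimate client that is slow to complete its handshake can be evicted along with the flood.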

89
Routing Protocol Security
90
Routing Protocols
  • Routing protocol can be attacked
  • Denial of Service
  • Smoke Screens
  • False information
  • Reroute packets

May be accidental or intentional
91
Solution Route Authentication
  • Authenticates routing update packets
  • Shared key included in routing updates
  • Plain text: protects against accidental problems
    only
  • Message Digest 5 (MD5): protects against
    accidental and intentional problems

92
Route Authentication Protocol
  • Routing update includes key and key number
  • Receiving router verifies received key against
    local copy
  • If keys match update accepted, otherwise it is
    rejected

93
Route Authentication Details
  • Multiple keys supported
  • Key lifetimes based on time of day
  • Only first valid key sent with each packet
  • Supported in BGP, IS-IS, OSPF, RIPv2, and
    EIGRP (11.2(4)F)
  • Syntax differs depending on routing protocol
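Slides 91-93 describe route authentication: a key number travels with the update, the receiver checks the key against its local copy, keys have lifetimes, and only the first valid key is sent. The Python below is an added model of that exchange; it is not Cisco's code or any routing protocol's actual packet format, and not part of the original deck. It contrasts the plain-text and MD5 modes on a constructed update. The digest is MD5 over the update followed by the secret (the keyed-MD5 construction used by the RIPv2 and OSPF RFCs, simplified here: no sequence number), and the keys, routes and clock values are constructed.

```python
"""Model of the route-authentication scheme on slides 91-93 (added example,
not Cisco's implementation of any routing protocol). A routing update
carries a key number; the receiver looks that key up in its own key chain,
checks the key's lifetime, and compares either a plain-text key or a keyed
MD5 digest. Keys, routes and timestamps are constructed values; the
digest is MD5(update || secret), simplified (no sequence number).
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# key number -> (secret, accept-from, accept-until) in seconds on a shared clock
KeyChain = Dict[int, Tuple[str, float, float]]
SEP = b"|"


def select_key(keychain: KeyChain, now: float) -> Optional[int]:
    """'Only first valid key sent with each packet': lowest key number whose lifetime covers now."""
    for key_id in sorted(keychain):
        _, start, end = keychain[key_id]
        if start <= now <= end:
            return key_id
    return None


def build_update(routes: List[str], key_id: int, secret: str, mode: str) -> bytes:
    """Serialise an update and append its authentication trailer."""
    body = json.dumps({"routes": routes, "key_id": key_id}, sort_keys=True).encode()
    if mode == "plain":
        trailer = secret.encode()                      # the key itself travels in the clear
    elif mode == "md5":
        trailer = hashlib.md5(body + secret.encode()).hexdigest().encode()
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return body + SEP + trailer


def verify_update(packet: bytes, keychain: KeyChain, mode: str, now: float) -> bool:
    """Receiver side: look up the advertised key number, check its lifetime, compare."""
    body, _, trailer = packet.rpartition(SEP)
    try:
        key_id = json.loads(body)["key_id"]
    except (ValueError, KeyError, TypeError):
        return False
    if key_id not in keychain:
        return False
    secret, start, end = keychain[key_id]
    if not start <= now <= end:                        # key retired or not yet active
        return False
    if mode == "plain":
        expected = secret.encode()
    else:
        expected = hashlib.md5(body + secret.encode()).hexdigest().encode()
    return hmac.compare_digest(trailer, expected)


def demo(mode: str) -> Dict[str, bool]:
    """Send one update in the given mode and put the receiver through three cases:
    the genuine update, a copy modified in transit, and the update after the key retired."""
    keychain: KeyChain = {1: ("s3cret-one", 0, 1000), 2: ("s3cret-two", 900, 10 ** 9)}
    now = 500.0
    key_id = select_key(keychain, now)
    secret = keychain[key_id][0]
    routes = ["10.0.0.0/8", "172.16.0.0/16"]
    packet = build_update(routes, key_id, secret, mode)
    forged = packet.replace(b"172.16.0.0/16", b"0.0.0.0/0")   # modification on the path
    return {
        "genuine_accepted": verify_update(packet, keychain, mode, now),
        "tampered_accepted": verify_update(forged, keychain, mode, now),
        "key_visible_on_wire": secret.encode() in packet,
        "accepted_after_key_expiry": verify_update(packet, keychain, mode, now=5000.0),
    }


if __name__ == "__main__":
    for mode in ("plain", "md5"):
        print(mode, demo(mode))
```

The two result rows are the point of slide 91: plain text rejects a neighbour that simply has the wrong key (an accidental problem) but accepts a modified update and exposes the key to anyone reading the link, while the keyed digest rejects the modification and never puts the key on the wire. The key lifetimes show why slide 93's "first valid key" rule matters during a key rollover.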

94
Routing Protocols
  • OSPF Area Authentication
  • Two Types
  • Simple Password
  • Message Digest (MD5)

Simple password:
  ip ospf authentication-key <key>   (under the specific interface)
  area <area-id> authentication   (under "router ospf <process-id>")
Message digest:
  ip ospf message-digest-key <keyid> md5 <key>   (under the interface)
  area <area-id> authentication message-digest   (under "router ospf <process-id>")
95
Securing Router Services
96
WWW Server
  • Yes, IOS now includes a WWW server!
  • Makes configurations easier, but opens new
    security holes (default - turned off).
  • Put access list on which addresses are allowed to
    access port 80.
  • Similar to console TTY access.

97
Other Areas to Consider
98
Other Areas to Consider
  • Turn off
    no ip proxy-arp
    no ip directed-broadcast
    no service finger

99
Protecting the Config Files
  • Router configs are usually stored some place
    safe. But are they really safe?
  • Protect and limit access to TFTP and MOP servers
    containing router configs.

100
Summary
  • Security is not just about protecting your UNIX
    workstations.
  • Your network devices are just as vulnerable.
  • Be smart, protect them.
  • Routers are the side door into any network.

101
Cisco Security Today
Diagram: repeat of slide 23 - security features across Dial, Firewall and Network Infrastructure (TACACS/RADIUS, Logging, NAT, PAP/CHAP, Token Card Support, Route Filtering, GRE Tunnels, CiscoSecure, Privilege Levels, Access Control Lists, Certificate Authority, Lock-and-Key, Kerberos, Cut-Through Proxy, Encryption, L2F)
102
Where to get more information?
http://www.cisco.com/
103
Where to get more information?
  • Security URLs
  • Computer Emergency Response Team (CERT)
  • http://www.cert.org
  • SATAN (Security Administrator Tool for Analyzing
    Networks)
  • http://recycle.cebaf.gov/doolitt/satan/
  • Phrack Magazine
  • http://freeside.com/phrack.html