PowerPoint PPT Presentation
Slides: 25
Provided by: DrLa81
Learn more at: http://sce.uhcl.edu
Tags: loopback

Transcript and Presenter's Notes

1
Chapter 3 Device Security (B)
  • Security of major devices
  • How to protect a device against attacks aimed at
    compromising the device itself
  • Routers
  • Firewalls
  • Switches
  • Authentication servers
  • Wireless access points

2
Steps to secure a router
  1. Backup of configuration files and the router
     software
  2. Controlling access to the router (tty, vty ports)
  3. Securing access to the router (via SSH)
  4. Password management
  5. Logging events on the router
  6. Disabling unnecessary services
  7. Using loopback interfaces
  8. Controlling SNMP as a management protocol
  9. Controlling HTTP as a management protocol
  10. Using CEF as a switching mechanism
  11. Setting up the scheduler from a security
      perspective
  12. Using the Network Time Protocol (NTP)
  13. Login banners
  14. Capturing core dumps
  15. Using service nagle to improve Telnet access
      during high CPU events

3
2. Controlling access to the router
  • A tty port is physically connected to a terminal
    or workstation for local administrative access to
    the router (the console port, con 0, is the usual
    case).
  • An aux port, similar to a tty port, is connected
    to a modem for remote out-of-band administrative
    access to the router.
  • A vty (virtual tty) port is used to allow remote
    in-band connection sessions via telnet, ssh, or
    rlogin.

4
Vulnerabilities of tty or aux ports
  • A tty or aux port may suffer a reverse telnet
    attack, where the terminal server connected to
    the tty port, or the modem connected to the aux
    port of the router, is used by the attacker (as a
    remote client) to reach the router's console
    without passing through the access controls on
    its vty lines.
  • The two diagrams that follow contrast a normal
    telnet session with reverse telnet access to a
    router.

5
Normal telnet (diagram)
6
Reverse Telnet (diagram)
7
Vulnerabilities of tty or aux ports
  • Solution?
  • Disable the console port:
      line con 0
       transport input none
  • Or allow only SSH access to the router's console
    port ("reverse SSH", a feature added in Cisco IOS
    12.2 and later):
      line con 0
       login authentication default
       rotary 1
       transport input ssh
      !
      ip ssh port 2001 rotary 1
    ip ssh port is a global configuration command,
    not a line command: it maps SSH connections
    arriving on TCP port 2001 to the line placed in
    rotary group 1. login authentication default
    requires AAA (aaa new-model) with a default login
    method list.
  • Requirement: the router must be set up as an SSH
    server (hostname, domain name and an RSA key pair
    generated on the router).

8
Controlling vty access
  • Restricted access: only allow the protocols that
    will be used by the network admin.
  • Since Cisco IOS 11.1 the default on vty lines is
    transport input none (no protocol accepted).
  • Example: to allow only telnet and ssh connections
      line vty 0 4
       transport input telnet ssh
    Telnet carries the login credentials in clear
    text; once SSH is available, transport input ssh
    alone is the safer choice.
  • Only addresses in the access list are allowed
    to connect: apply a standard access list to the
    line with access-class <acl> in (see Example 3-6).
  • Short timeouts: the default exec-timeout is 10
    minutes. To set it to 5 min 30 sec:
      line vty 0 4
       exec-timeout 5 30
    exec-timeout 0 0 disables the idle timeout
    entirely and should not be used on vty lines.
  • Authentication for vty access: either local or
    RADIUS authentication (preferred).
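The checks on slides 7 and 8 (which transports a line accepts, whether an access-class restricts the sources, whether the idle timeout is shorter than the default) are easy to verify mechanically over a saved running-config. The following is an added example, not code from the slides or the textbook: it parses the line stanzas of a constructed IOS running-config (the hostname, the 10.0.0.0/24 network and ACL 10 are invented for the demonstration) and reports which lines still need hardening.

```python
import re

# Constructed sample running-config (not from the slides): the console has the
# idle timeout disabled, the first vty group still accepts telnet with the
# default timeout and no access-class, the second group is already hardened.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
access-list 10 permit 10.0.0.0 0.0.0.255
!
line con 0
 transport input none
 exec-timeout 0 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 exec-timeout 5 30
 transport input ssh
!
end
"""

DEFAULT_EXEC_TIMEOUT = 10 * 60   # IOS default idle timeout: 10 minutes


def parse_line_stanzas(config):
    """Map each 'line ...' stanza name to its indented commands.

    In IOS running-config output a stanza's commands are indented by one
    space; any unindented line (another stanza, '!', 'end') closes it.
    """
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def exec_timeout_seconds(commands):
    """Idle timeout in seconds; an absent command means the 10-minute default."""
    for cmd in commands:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            return int(m.group(1)) * 60 + int(m.group(2) or 0)
    return DEFAULT_EXEC_TIMEOUT


def audit_line(name, commands):
    """Return the findings for one stanza; an empty list means it passes."""
    findings = []
    transports = []
    for cmd in commands:
        if cmd.startswith("transport input "):
            transports = cmd.split()[2:]
    if "telnet" in transports or "all" in transports:
        findings.append("accepts cleartext telnet (transport input %s)" % " ".join(transports))
    if name.startswith("vty") and not any(c.startswith("access-class ") for c in commands):
        findings.append("no access-class: any source address may connect")
    timeout = exec_timeout_seconds(commands)
    if timeout == 0:
        findings.append("exec-timeout 0 0 disables the idle timeout")
    elif timeout >= DEFAULT_EXEC_TIMEOUT:
        findings.append("exec-timeout is the 10-minute default or longer")
    return findings


def audit(config):
    """Audit every line stanza in a running-config: {stanza: [findings]}."""
    return {name: audit_line(name, cmds)
            for name, cmds in parse_line_stanzas(config).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print("line %s: %s" % (name, "; ".join(findings) or "OK"))
```

The audit only sees what is explicit in the configuration; a vty stanza with no transport input command passes the telnet check because the post-11.1 default is none, so the script assumes a modern IOS release.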

9
3. Securing access to the router using encryption
  • IPsec VPN client (preferred; more details in Ch
    13)
  • Two cases:
  • The VPN client accesses a back-end LAN (the
    destination) by building a tunnel between itself
    and a router (the IPsec gateway), behind which
    the LAN is located.
  • The VPN client is used to remotely administer the
    router, which is then both the gateway and the
    destination.
  • SSH: when the book was written, Cisco IOS
    supported only SSH version 1, which has known
    protocol weaknesses. Later IOS releases (12.3(4)T
    and above) support SSH version 2, which should be
    enforced with ip ssh version 2.
  • Example 3-11

10
4. Password Management
  • Passwords stored on the router should be properly
    protected.
  • The default is type 0 (clear text), and service
    password-encryption only produces type 7, a
    reversible fixed-key XOR that is decoded in
    seconds; neither protects a password against
    anyone who can read the configuration.
  • Use the enable secret command, which stores a
    salted MD5 hash (type 5) instead. Newer IOS
    releases also offer stronger type 8 (PBKDF2 with
    SHA-256) and type 9 (scrypt) hashes through
    enable algorithm-type; the flawed type 4 should
    not be used.
  • Example 3-12
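To see why type 7 is called weak encryption, the following added example (not from the slides or the book) decodes and re-encodes type 7 strings with the fixed key IOS uses, then scans a constructed running-config excerpt for type 0 and type 7 passwords and recovers their plaintext. The user names and the type 5 string in the sample are invented; the two type 7 strings both encode the password "cisco".

```python
import re

# Well-known fixed key IOS uses for type 7 passwords.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Recover the plaintext of a type 7 string, e.g. '02050D480809' -> 'cisco'.

    The first two decimal digits give the starting offset into XLAT; every
    following byte pair is one character XORed with the key at that offset.
    """
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)]
                 for i, b in enumerate(body)).decode()


def type7_encode(plain, seed=2):
    """Inverse of type7_decode (IOS picks a seed of 0-15 at random)."""
    out = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)]
                for i, c in enumerate(plain))
    return "%02d%s" % (seed, out.hex().upper())


# Constructed running-config excerpt (not from the slides). The type 5 line
# shows the format only: it is a salted MD5 hash and is left alone.
SAMPLE_CONFIG = """\
enable password 7 02050D480809
username ops password 0 ops123
username admin secret 5 $1$abcd$constructedhashvalueXXXXXXXXXX
line vty 0 4
 password 7 0822455D0A16
"""

# 'password [type] value'; a missing type digit means type 0 (clear text).
PASSWORD_RE = re.compile(r"\bpassword(?: (\d+))? (\S+)$")


def weak_passwords(config):
    """List (config line, recovered plaintext) for every type 0 or 7 password."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        m = PASSWORD_RE.search(line)
        if not m:
            continue
        ptype, value = m.group(1) or "0", m.group(2)
        if ptype == "0":
            findings.append((line, value))
        elif ptype == "7":
            findings.append((line, type7_decode(value)))
    return findings


if __name__ == "__main__":
    for line, plain in weak_passwords(SAMPLE_CONFIG):
        print("%-45s -> %s" % (line, plain))
```

Anything the scanner prints is a password that should be replaced by an enable secret or a username ... secret entry; the type 5 line is skipped because a salted hash cannot be reversed this way.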

12
5. Logging events
  • Advantages: allows auditing and tracking
  • -> forensics (in case of an attack)
  • -> performance tuning (maintenance)
  • Requires good time stamping -> synchronise the
    clock with NTP and enable millisecond timestamps
    on log messages; send logs to a remote syslog
    host as well as the local buffer, since an
    attacker who compromises the router can clear the
    local log.
  • Example 3-13

13
6. Disable unnecessary services
  • If a service is not being actively used on a
    device, it should be disabled.
  • Otherwise it may be used as a back door for the
    attacker to gain access to the device, or as an
    amplifier in a denial-of-service attack.
  • Sample services to be disabled (Table 3-1): TCP
    small servers, UDP small servers (echo, chargen,
    discard, daytime), finger server, ...

14
7. Using loopback interfaces
  • Advantages: a loopback interface never goes down,
    so a block of IP addresses can be reserved for the
    loopback interfaces of all routers.
  • All routers can be forced to use their loopback
    address as the source address when they access
    the management servers (syslog, AAA, SNMP, NTP)
    through the per-service source-interface commands.
  • The servers can then also be locked down to allow
    access only from this block of IP addresses.
  • Accesses from addresses outside this block are
    denied.
  • Example 3-14

15
8. Controlling SNMP (as a management protocol)
  • SNMP can be used in read-only and read-write
    modes.
  • Unless necessary, use read-only mode on routers.
  • The read-write mode allows the admin (or anyone
    who learns the community string) to modify the
    router's configuration via SNMP.
  • Access into the network via SNMP (UDP 161/162)
    should be blocked at the network's boundary, and
    each community should be bound to an access list
    naming the management stations.

16
8. Controlling SNMP (as a management protocol)
  • Security of SNMP
  • v1 and v2c use community strings, sent in clear
    text, as the only authentication mechanism. (Not
    secure)
  • v3 is more secure: it provides MD5 or SHA (HMAC)
    for authentication and DES for encryption (later
    IOS releases add AES); the authPriv security
    level enables both.
  • SNMP v3 threats vs protections (p.65)

17
9. Controlling HTTP (as a management protocol)
  • Unless necessary, HTTP access to the router
    should be disabled.
  • If admin access via HTTP is required, it should
    be secured by activating authentication and by
    restricting the source addresses that may reach
    it; plain HTTP sends the credentials in clear
    text, so prefer the HTTPS server where the IOS
    release offers it.
  • Example 3-19
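Slides 13, 15, 16 and 17 together describe a short list of global-configuration items that a review of any router should catch: small servers and finger left on, an HTTP server nobody uses, and SNMP communities that are writable, unrestricted or guessable. The following added example (not from the slides or the book) audits a constructed running-config for exactly those items and shows the hardened version beside it; the community strings, the ACL number and the management-station address 10.1.1.5 are invented.

```python
import re

# Constructed running-config excerpt (not from the slides); community strings
# and the ACL number are invented for the demonstration.
WEAK_CONFIG = """\
service tcp-small-servers
service udp-small-servers
ip finger
ip http server
snmp-server community public RO
snmp-server community private RW
snmp-server community n0cmon RO 20
"""

# The same items after hardening: services off, one read-only community
# bound to an access list that permits only the management station.
HARDENED_CONFIG = """\
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip http server
access-list 20 permit 10.1.1.5
snmp-server community n0cmon RO 20
"""

# Services the slides list as unnecessary, with the command that removes them.
UNNEEDED = {
    "service tcp-small-servers": "no service tcp-small-servers",
    "service udp-small-servers": "no service udp-small-servers",
    "service finger": "no service finger",   # older IOS keyword for the same server
    "ip finger": "no ip finger",
    "ip http server": "no ip http server (if HTTP must stay, require "
                      "authentication, e.g. ip http authentication aaa)",
}

# Basic community form only: 'snmp-server community <string> RO|RW [acl]'.
COMMUNITY_RE = re.compile(r"snmp-server community (\S+) (ro|rw)(?: (\S+))?$", re.I)


def audit(config):
    """Return (config line, finding) pairs; an empty list means nothing to fix."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if line in UNNEEDED:
            findings.append((line, "disable with: " + UNNEEDED[line]))
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
            if mode == "RW":
                findings.append((line, "read-write community: use RO unless SNMP writes are required"))
            if acl is None:
                findings.append((line, "community not bound to an access list"))
            if community.lower() in ("public", "private"):
                findings.append((line, "default community string is trivially guessable"))
    return findings


if __name__ == "__main__":
    for line, finding in audit(WEAK_CONFIG):
        print("%-40s %s" % (line, finding))
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Even the hardened form still relies on SNMP v1/v2c community strings, which travel in clear text; the access list limits who can use the string, but only SNMP v3 with authentication and privacy removes that exposure.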

18
10. Using CEF as a switching mechanism
  • Cisco Express Forwarding
  • Routers using the traditional switching
    mechanisms (fast switching) must build a
    route-cache entry, by process-switching the first
    packet, whenever a packet destined for a new
    address arrives.
  • SYN floods and DDoS attacks use a large number
    of random or pseudo-random IP addresses as
    ultimate targets, so nearly every packet misses
    the cache and the CPU is consumed populating it.
  • CEF replaces the route cache with a data
    structure, the Forwarding Information Base (FIB),
    that mirrors the entire routing table, plus an
    adjacency table holding the next-hop information.
  • It does away with the need to update the cache
    each time a new IP address needs to be routed to,
    so the forwarding cost no longer depends on the
    traffic pattern.

19
11. Using the scheduler
  • scheduler allocate
  • scheduler interval
  • These commands guarantee the router's
    process-level tasks (routing updates, management
    sessions) a share of CPU time, to prevent the
    router from becoming too busy responding to the
    interrupts on its interfaces due to the large
    number of packets arriving -> large-scale network
    attack, esp. a DDoS attack.
  • Example 3-21

20
12. Using NTP
  • Network Time Protocol
  • Critical for services requiring good time
    stamping: logging, AAA, Kerberos, ...
  • Challenge: authentication between devices
    exchanging NTP information, so that an attacker
    cannot feed the router false time (which would
    both corrupt log timestamps and break time-based
    authentication such as Kerberos). IOS uses a
    shared key per peer (ntp authenticate,
    ntp authentication-key, ntp trusted-key).
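The mechanism behind that shared-key authentication, as an added example rather than code from the slides: both ends hold the same key under a key id, the sender appends the key id and MD5(key || packet header) to the 48-byte NTP packet (RFC 5905 Appendix A), and the receiver recomputes the digest and ignores packets whose MAC does not match. The key id, key value and timestamps below are constructed; the code builds a client request, signs it, and shows that a tampered packet, a packet signed with the wrong key, and an unsigned packet are all rejected.

```python
import hashlib
import hmac
import struct

# Shared key table as a router would hold it after
#   ntp authentication-key 1 md5 <key>   and   ntp trusted-key 1
# The key id and key value are constructed for the example.
TRUSTED_KEYS = {1: b"constructed-shared-key"}


def build_client_packet(transmit_ts=0x0123456789ABCDEF):
    """48-byte NTPv4 header for a client request (LI=0, VN=4, Mode=3)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack("!BBBbIII8s8s8sQ",
                       li_vn_mode, 0, 6, -20,              # stratum, poll, precision
                       0, 0, 0,                            # root delay, root dispersion, ref id
                       b"\0" * 8, b"\0" * 8, b"\0" * 8,    # reference, origin, receive timestamps
                       transmit_ts)


def ntp_mac(key_id, key, packet):
    """RFC 5905 MAC: 32-bit key id followed by MD5(key || packet header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def sign(key_id, key, packet):
    """What the sender transmits: header followed by the 20-byte MAC."""
    return packet + ntp_mac(key_id, key, packet)


def verify(trusted_keys, message):
    """Accept the message only if its MAC matches a trusted key.

    Mirrors what 'ntp authenticate' does on the receiver: no MAC, an unknown
    key id, or a digest mismatch all cause the packet to be ignored.
    """
    if len(message) != 48 + 20:
        return False
    packet, mac = message[:48], message[48:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + packet).digest()
    return hmac.compare_digest(expected, mac[4:])


def demo():
    """Verification results for a valid, a tampered, a wrong-key and an unsigned packet."""
    packet = build_client_packet()
    good = sign(1, TRUSTED_KEYS[1], packet)
    tampered = bytearray(good)
    tampered[1] ^= 0x0F                       # alter the stratum field in transit
    wrong_key = sign(1, b"attacker-guessed-key", packet)
    unsigned = packet
    return (verify(TRUSTED_KEYS, good),
            verify(TRUSTED_KEYS, bytes(tampered)),
            verify(TRUSTED_KEYS, wrong_key),
            verify(TRUSTED_KEYS, unsigned))


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

The digest is keyed MD5, which is what the slides and IOS of that era offer; it authenticates the peer and detects tampering but does nothing to hide the packet, and the unsigned case only fails because the receiver insists on a MAC, which is exactly the effect of ntp authenticate.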

21
13. Login banners
  • Sequence in which Cisco IOS displays them:
  • MOTD banner (shown first to every connecting
    session)
  • Login banner (shown before the username/password
    prompt)
  • login session (authentication)
  • EXEC banner after a successful login (or the
    incoming banner instead, for reverse telnet
    sessions)
  • A banner should carry the legal warning against
    unauthorised use and must not reveal the device
    model, software version, location or owner.
  • Example 3-25

22
14. Capturing core dumps
  • In the event of a system crash, the core dump (a
    memory image of the router) may provide useful
    info for tracking the attack(s).
  • Because the image contains the running
    configuration and any passwords held in memory,
    write it only to a protected server.
  • Example 3-26

23
15. Service nagle
  • Nagle's algorithm, which coalesces small TCP
    segments into fewer, larger ones, can be enabled
    as a service on a Cisco router to allow the router
    to pace the TCP connection for Telnet in a way
    that reduces the burden on the CPU and generally
    improves the performance of the Telnet session
    during high-CPU events.
  • service nagle (Example 3-27)

24
Security of other devices
  • Firewalls, switches, ...
  • Similar procedure
  • Check the default settings
  • Harden the device before placing it into use in
    the production network.