Security

=Security=


 * ===__Router & Switch Device Security__===
 * ====**Simple Password Protection**====
 * config# line con 0 (console port)
 * config-line# login
 * config-line# password WORD
 * config# line vty 0 15
 * config# service password-encryption
 * passwords already in startup-config will not change until "copy run start"
 * config-line# password 7 <encrypted> (how the line password then appears in the config; type 7 is a reversible encoding, not a hash)
 * ====**Better Protection**====
 * config# enable secret 5 <hash> (MD5 hash of the enable password)
 * config# enable password 7 <encrypted> (reversible type 7; if both are set, the secret is the one used)
 * config# username WORD1 secret WORD2
 * config# username WORD1 password WORD2
 * ====**Secure Shell Protocol (SSH)**====
 * requires a k9 (crypto) IOS image
 * Configure
 * config# hostname WORD1
 * config# ip domain-name WORD2
 * config# username WORD3 password WORD4
 * config# crypto key generate rsa
 * config# ip ssh version 2
 * config-line# transport input none (disables all remote access to the line, including telnet)
 * config-line# transport input ssh (allows SSH only; telnet is no longer accepted)
 * show ip ssh
 * ====**User Mode & Privileged Mode Authentication, Authorization and Accounting (AAA)**====
 * "strongest" authentication, TACACS+ or Radius server
 * Cisco Secure Access Control Server (ACS)
 * software, database for username & passwords
 * RADIUS - encrypts only the password; UDP; authentication port 1812 (legacy 1645)
 * TACACS+ - encrypts the entire payload; TCP port 49; Cisco proprietary
 * Default Authentication Methods
 * config# aaa new-model (enable aaa)
 * config# aaa authentication enable default group radius local
 * config# aaa authentication login default group radius none
 * config# radius-server host 10.1.1.1 auth-port 1812 acct-port 1646
 * config# radius-server key WORD
 * Multiple Authentication Methods
 * group radius
 * group tacacs
 * group WORD - defined group of radius/tacacs servers
 * enable - "enable secret" or "enable password"
 * line - defined by password command in configuration
 * local - username is not case sensitive, password is case sensitive
 * local-case - username and password are both case sensitive
 * none
 * Groups of AAA Servers
 * IOS automatically groups configurations using "radius-server host" and "tacacs-server host" commands
 * Configuration
 * config# aaa group server [radius|tacacs] WORD
 * config-group# server 10.1.1.3 auth-port 1645 acct-port 1646
 * config# aaa new-model
 * config# aaa authentication enable default group WORD local
 * config# aaa authentication login default group WORD none
 * Overriding Default for Login Security
 * config# aaa authentication login for-console group radius line
 * config# aaa authentication login for-vty group radius local
 * config# aaa authentication login for-aux group radius
 * config# line con 0
 * config-line# login authentication for-console
 * config# line aux 0
 * config-line# login authentication for-aux
 * ====**PPP Security**====
 * config# aaa new-model
 * config# aaa authentication ppp [default|WORD] <method-list> (e.g. group radius local, same method keywords as for login)
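 * The following is an added example (not Cisco code) that models how IOS walks a method list such as "group radius local" or "group radius none": the next method is consulted only when the current one returns an error (no server answered), never when a reachable server rejects the credentials. The user database, server group and passwords are constructed for the demonstration.

```python
"""Model of IOS AAA method-list evaluation (added example, not Cisco code)."""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # a reachable method rejected the credentials
    ERROR = "error"  # the method could not be evaluated (server unreachable)


# Constructed sample data standing in for the running-config.
LOCAL_USERS = {"admin": "S3cret!"}   # username admin secret S3cret!
LINE_PASSWORD = "consolepw"          # line password
ENABLE_SECRET = "enablepw"           # enable secret


class RadiusGroup:
    """A 'group radius' / 'group WORD' server group (constructed stand-in)."""

    def __init__(self, users, reachable=True):
        self.users = users
        self.reachable = reachable

    def check(self, user, pw):
        if not self.reachable:
            return Result.ERROR          # no server replied
        return Result.PASS if self.users.get(user) == pw else Result.FAIL


def local(user, pw, case_sensitive_user=False):
    """'local' ignores username case; 'local-case' does not."""
    if case_sensitive_user:
        return Result.PASS if LOCAL_USERS.get(user) == pw else Result.FAIL
    table = {u.lower(): p for u, p in LOCAL_USERS.items()}
    return Result.PASS if table.get(user.lower()) == pw else Result.FAIL


def authenticate(method_list, user, pw, groups=None):
    """Walk the method list left to right; fall through only on ERROR."""
    groups = groups or {}
    for method in method_list:
        if method.startswith("group "):
            name = method.split(" ", 1)[1]
            r = groups[name].check(user, pw) if name in groups else Result.ERROR
        elif method == "local":
            r = local(user, pw)
        elif method == "local-case":
            r = local(user, pw, case_sensitive_user=True)
        elif method == "line":
            r = Result.PASS if pw == LINE_PASSWORD else Result.FAIL
        elif method == "enable":
            r = Result.PASS if pw == ENABLE_SECRET else Result.FAIL
        elif method == "none":
            r = Result.PASS                # 'none' never asks for anything
        else:
            raise ValueError(f"unknown method {method!r}")
        if r is Result.ERROR:
            continue                       # only an unreachable method falls through
        return r is Result.PASS
    return False                           # every method errored: access denied


if __name__ == "__main__":
    down = {"radius": RadiusGroup({"netops": "radiuspw"}, reachable=False)}
    print("group radius none with RADIUS down, any user:",
          authenticate(["group radius", "none"], "anyone", "x", down))
```

 * The last line of the demo is the caveat behind "aaa authentication login default group radius none": with the servers unreachable, every login succeeds.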
 * ===__Layer 2 Security__===
 * three general characterizations of switch ports
 * unused - not connected to any device
 * user - cabled to end user device
 * trusted/trunk
 * ====**Best Practices for Unused and User Ports**====
 * disable unneeded dynamic protocols (CDP and DTP)
 * disable trunking (configure as access ports)
 * enable BPDU Guard and Root Guard (prevent STP attacks)
 * use Dynamic ARP Inspection (DAI) or private VLANs (prevent frame sniffing)
 * enable port security (limit number of MACs or restrict to specific MAC)
 * use 802.1x user authentication
 * use DHCP snooping and IP Source Guard (prevent DHCP DoS and MITM attacks)
 * =====**Additional Recommendations**=====
 * for any port consider VLANs
 * VTP authentication globally (prevent DoS)
 * disable unused switchports, put them into unused VLAN
 * avoid VLAN 1
 * for trunks, don't use native VLAN
 * =====**Configuration**=====
 * config# [no] cdp run (enable/disable CDP globally)
 * config-if# no cdp enable
 * config-if# switchport mode access (prevent trunking)
 * config-if# switchport nonegotiate (prevents DTP)
 * config-if# spanning-tree guard root
 * config-if# spanning-tree bpduguard enable
 * ====**Port Security**====
 * restrict number of MAC addresses associated with port
 * =====**Methods**=====
 * static configuration of allowed MAC
 * dynamic learning of MACs up to defined maximum; lost on reload
 * dynamically learns and saves (sticky learning)
 * =====**Attacks**=====
 * flooding frames with different source MAC
 * fill CAM table
 * packets with legitimate MACs are flooded out all ports
 * attacker can sniff all frames
 * MAC spoofing
 * =====**Configuration**=====
 * config-if# switchport mode [access|trunk]
 * config-if# switchport port-security maximum <count> (default is 1)
 * config-if# switchport port-security mac-address <mac> [vlan [<vlan-id> | {access | voice}]]
 * config-if# switchport port-security mac-address sticky
 * config-if# switchport port-security aging {static | time <minutes> | type {absolute | inactivity}}
 * config-if# switchport port-security violation {protect | restrict | shutdown}
 * protect - silently drops frames from unknown MACs; no counter, log or trap
 * restrict - drops frames, increments the violation counter and sends a syslog/SNMP trap
 * shutdown - port goes to err-disabled state, requires "shut"/"no shut" to recover (default)
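 * Added example (not IOS code) modelling the port-security behaviour above: a configured maximum, dynamic vs. sticky learning, what survives a reload, and the three violation modes. The MAC addresses and the PortSecurity class are constructed for the demonstration.

```python
"""Model of switchport port-security (added example, not IOS code)."""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    maximum: int = 1                  # switchport port-security maximum <count>
    violation: str = "shutdown"       # protect | restrict | shutdown
    sticky: bool = False              # switchport port-security mac-address sticky
    static: set = field(default_factory=set)       # statically configured MACs
    learned: list = field(default_factory=list)    # dynamically learned MACs
    err_disabled: bool = False
    violations: int = 0
    traps: list = field(default_factory=list)      # SNMP traps sent (restrict mode)
    saved_config: list = field(default_factory=list)  # what sticky learning writes

    def allowed(self):
        return self.static | set(self.learned)

    def receive(self, src_mac):
        """Return True if a frame with this source MAC is forwarded."""
        if self.err_disabled:
            return False
        if src_mac in self.allowed():
            return True
        if len(self.allowed()) < self.maximum:
            self.learned.append(src_mac)
            if self.sticky:   # sticky learning turns the entry into configuration
                self.saved_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return True
        # secure violation: the table is full and this MAC is unknown
        self.violations += 1
        if self.violation == "protect":
            return False                       # silent drop
        if self.violation == "restrict":
            self.traps.append(src_mac)         # drop, count and trap
            return False
        self.err_disabled = True               # shutdown: port is err-disabled
        return False

    def reload(self):
        """Dynamically learned MACs are lost on reload unless sticky saved them."""
        if not self.sticky:
            self.learned.clear()

    def no_shutdown(self):
        """Operator recovery: 'shut' / 'no shut' clears the err-disabled state."""
        self.err_disabled = False


def frames_from_many_sources(port, n):
    """Send n frames with distinct constructed source MACs; return how many were forwarded."""
    return sum(port.receive(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(n))


if __name__ == "__main__":
    p = PortSecurity(maximum=3, violation="restrict")
    print("forwarded:", frames_from_many_sources(p, 100), "violations:", p.violations)
```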
 * ====**Dynamic ARP Inspection (DAI)**====
 * Gratuitous ARP - ARP reply without a request
 * =====**Man-in-the-Middle Attack**=====
 * attacker broadcasts gratuitous ARP for target IP with own MAC
 * victim updates ARP table with new address
 * victim sends frame to target with attacker's MAC
 * switch forwards frame to attacker
 * =====**Protection**=====
 * filters ARPs whose sender IP/MAC pair is not in the DHCP snooping binding table for that port
 * filters ARPs using list of statically defined IP/MAC address combinations
 * compares source MAC in ethernet header to source MAC in ARP
 * should be same, if not then filter
 * compares destination ethernet MAC and target MAC in ARP
 * filters unexpected IP addresses in ARP - 0.0.0.0, 255.255.255.255, multicast addresses
 * =====**Configure**=====
 * config# ip arp inspection vlan <vlan-list> (enable DAI)
 * config-if# [no] ip arp inspection trust (uplinks to other switches are typically trusted)
 * config# ip arp inspection filter <arp-acl> vlan <vlan-list> [static]
 * config# ip arp inspection validate [src-mac] [dst-mac] [ip]
 * config-if# ip arp inspection limit {rate <pps> [burst interval <seconds>] | none}
 * ====**DHCP Snooping**====
 * builds table of IP and port mappings (snooping binding table)
 * can be used by DAI and IP Source Guard
 * =====**Man-in-the-Middle Attack**=====
 * victim requests IP using DHCP
 * attacker replies with good IP/mask but gives own IP as default gateway
 * victim sends frames to attacker
 * attacker forwards copies of packets
 * protection: DHCP snooping allows server messages only on trusted ports and filters them on untrusted ports
 * =====**Denial of Service**=====
 * DHCP servers identify clients based on Client Hardware Address
 * single device could request with different CHAs
 * fills addresses pool
 * =====**Protection**=====
 * filters, on untrusted ports, messages that only a DHCP server sends (OFFER, ACK, NAK) (stops the MITM)
 * checks DHCP Releases and Declines against snooping binding table
 * if IP not listed with port in table, then filter
 * optionally compares the DHCP request's CHA with the source MAC in the ethernet header (stops the DoS)
 * =====**Configure**=====
 * config# ip dhcp snooping (enable globally), then config# ip dhcp snooping vlan <vlan-list>
 * config-if# [no] ip dhcp snooping trust
 * # ip dhcp snooping binding <mac> vlan <vlan-id> <ip> interface <interface> expiry <seconds> (static entry, privileged EXEC)
 * config# ip dhcp snooping verify mac-address
 * config-if# ip dhcp snooping limit rate <pps>
 * ====**IP Source Guard**====
 * adds one more check to DHCP snooping logic
 * checks source IP of received packet against DHCP snooping binding database
 * can also check MAC
 * =====**Configuration**=====
 * config-if# ip verify source (checks source IP)
 * config-if# ip verify source port-security (checks source IP and MAC)
 * config# ip source binding <mac> vlan <vlan-id> <ip> interface <interface> (static entry)
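 * Added example (not IOS code) that models the DHCP snooping filters described above and the IP Source Guard check layered on top of the same binding table: rogue server messages on untrusted ports, RELEASE/DECLINE checked against the table, CHA vs. frame source MAC, per-port rate limiting, and source-IP (or IP+MAC) verification of ordinary traffic. Port names, MACs, addresses and the SnoopingSwitch class are constructed.

```python
"""Model of DHCP snooping and IP Source Guard (added example, not IOS code)."""
from dataclasses import dataclass

SERVER_ONLY = {"OFFER", "ACK", "NAK"}   # messages only a DHCP server sends


@dataclass
class Binding:                           # one snooping binding table entry
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted=(), verify_mac=True, rate_limit=None):
        self.trusted = set(trusted)      # ip dhcp snooping trust
        self.verify_mac = verify_mac     # ip dhcp snooping verify mac-address
        self.rate_limit = rate_limit     # ip dhcp snooping limit rate <pps>
        self.bindings = []               # snooping binding table
        self.pending = {}                # chaddr -> (port, vlan) awaiting an ACK
        self.counts = {}                 # messages per port in this interval
        self.err_disabled = set()

    def _binding(self, port, ip):
        return next((b for b in self.bindings if b.port == port and b.ip == ip), None)

    def dhcp(self, port, eth_src, msg, chaddr, ip=None, vlan=10):
        """Return True if the DHCP message is forwarded."""
        chaddr, eth_src = chaddr.lower(), eth_src.lower()
        if port in self.trusted:
            if msg == "ACK" and chaddr in self.pending:   # learn the lease
                cport, cvlan = self.pending.pop(chaddr)
                self.bindings.append(Binding(chaddr, ip, cvlan, cport))
            return True
        if port in self.err_disabled:
            return False
        if self.rate_limit is not None:
            self.counts[port] = self.counts.get(port, 0) + 1
            if self.counts[port] > self.rate_limit:
                self.err_disabled.add(port)               # rate exceeded
                return False
        if msg in SERVER_ONLY:
            return False                                  # rogue server (MITM)
        if self.verify_mac and chaddr != eth_src:
            return False                                  # CHA != frame source (DoS)
        if msg in ("RELEASE", "DECLINE"):
            b = self._binding(port, ip)
            if b is None or b.mac != chaddr:
                return False                              # not this port's lease
            self.bindings.remove(b)
            return True
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[chaddr] = (port, vlan)
        return True

    def ip_packet(self, port, eth_src, src_ip, verify="ip"):
        """IP Source Guard: 'ip' checks the source IP, 'port-security' also the MAC."""
        for b in self.bindings:
            if b.port == port and b.ip == src_ip:
                return verify == "ip" or b.mac == eth_src.lower()
        return False

    def new_interval(self):
        """Rate-limit counters are per interval; an operator must recover err-disabled ports."""
        self.counts.clear()
```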
 * ====**802.1X Authentication Using EAP**====
 * user authentication
 * requires username and password before switch will enable port for normal user traffic
 * verified by radius server
 * =====**Extensible Authentication Protocol (EAP)**=====
 * supports flows that create one-time passwords (OTP)
 * encapsulated directly inside ethernet frame
 * called EAP over LAN (EAPoL)
 * RADIUS expects the EAP message to be carried inside a data structure called a RADIUS attribute
 * switch translates between EAPoL and Radius
 * =====**Roles**=====
 * supplicant - client software that prompts for username/password and sends EAPoL messages
 * authenticator - the switch; translates between EAPoL and RADIUS and enables/disables the port
 * authentication server - RADIUS server that stores usernames/passwords and verifies them
 * =====**Configuration**=====
 * config# aaa new-model
 * config# radius-server host <ip>
 * config# radius-server key <key>
 * config# aaa authentication dot1x default group radius
 * config# aaa authentication dot1x default group WORD (named server group)
 * config# dot1x system auth-control
 * config-if# dot1x port-control [auto | force-authorized | force-unauthorized]
 * =====**Configuration**=====
 * config# aaa new-model
 * config# aaa authentication dot1x default group radius
 * config# dot1x system auth-control (enabled globally)
 * config# radius-server host 10.1.1.1 auth-port 1812 acct-port 1646
 * config# radius-server key WORD
 * config-if# dot1x port-control [auto | force-authorized | force-unauthorized]
 * ====**Storm Control**====
 * rate limiting traffic at layer 2
 * rising and falling threshold of unicast, broadcast and multicast
 * can be configured per port
 * =====**Actions**=====
 * discard excess traffic
 * shutdown port
 * send SNMP trap
 * =====**Configure**=====
 * config-if# storm-control broadcast level pps 100 50
 * config-if# storm-control multicast level 0.50 0.40
 * config-if# storm-control unicast level 80.00
 * config-if# storm-control action trap
 * show storm-control fa0/0 [unicast|broadcast|multicast]
 * ===__Layer 3 Security__===
 * ====**Security Recommendations**====
 * use SSH (or secure telnet) instead of plain telnet
 * if SNMP is needed, use SNMPv3
 * disable unnecessary services
 * turn on logging
 * enable routing protocol authentication
 * enable CEF forwarding path to avoid flow-based paths like fast switching
 * =====**Additional Recommendations**=====
 * if the company owns an IP prefix, packets with a source address in that range should not enter this AS from the internet
 * packets should only have valid unicast source IP
 * loopback (127.0.0.1), broadcast, multicast, ... sources should be filtered
 * directed (subnet) broadcasts should not be allowed unless specifically needed
 * packets with no return route to source IP should be discarded
 * reverse path forwarding (RPF) check
 * ====**IP Access Control List (ACL)**====
 * =====**Rule Summary**=====
 * deny ip any host 10.1.1.1
 * deny tcp any gt 1023 host 10.1.1.1 eq 21
 * deny tcp any host 10.1.1.1 eq 23
 * deny tcp any host 10.1.1.1 eq telnet
 * deny udp 1.0.0.0 0.255.255.255 lt 1023 any
 * =====**Port Matching**=====
 * gt - greater
 * lt - less
 * eq - equal
 * ne - not equal
 * range - x-y
 * "established" parameter matches if TCP header has ACK flag set
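 * Added example (not IOS code): a small evaluator for extended ACL entries written in the syntax above, covering any/host/wildcard addresses, the gt/lt/eq/ne/range port operators, "established" (ACK flag set) and the implicit deny at the end of every list. The packets and the extra "permit ip any any" line in the sample list are constructed; the other sample entries are the ones from the rule summary.

```python
"""Evaluator for IOS-style extended ACL entries (added example, not IOS code)."""
import ipaddress

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "domain": 53, "www": 80}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(toks, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (matcher, next index)."""
    if toks[i] == "any":
        return (lambda ip: True), i + 1
    if toks[i] == "host":
        a = _ip(toks[i + 1])
        return (lambda ip, a=a: _ip(ip) == a), i + 2
    a, wild = _ip(toks[i]), _ip(toks[i + 1])
    care = 0xFFFFFFFF ^ wild             # wildcard 0 bits are the bits that must match
    return (lambda ip, a=a, care=care: _ip(ip) & care == a & care), i + 2


def _parse_port(toks, i):
    """Optional port operator after an address; no operator matches any port."""
    if i < len(toks) and toks[i] in ("eq", "gt", "lt", "ne"):
        n = _port(toks[i + 1])
        f = {"eq": lambda p, n=n: p == n,
             "gt": lambda p, n=n: p > n,
             "lt": lambda p, n=n: p < n,
             "ne": lambda p, n=n: p != n}[toks[i]]
        return f, i + 2
    if i < len(toks) and toks[i] == "range":
        lo, hi = _port(toks[i + 1]), _port(toks[i + 2])
        return (lambda p, lo=lo, hi=hi: lo <= p <= hi), i + 3
    return (lambda p: True), i


def parse_ace(line):
    """{permit|deny} {ip|tcp|udp|icmp} SRC [PORTOP] DST [PORTOP] [established]"""
    toks = line.split()
    action, proto = toks[0], toks[1]
    src, i = _parse_addr(toks, 2)
    sport, i = _parse_port(toks, i)
    dst, i = _parse_addr(toks, i)
    dport, i = _parse_port(toks, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in toks[i:]}


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (ace["src"](pkt["src"]) and ace["dst"](pkt["dst"])):
        return False
    if ace["proto"] in ("tcp", "udp"):
        if not (ace["sport"](pkt.get("sport", 0)) and ace["dport"](pkt.get("dport", 0))):
            return False
    if ace["established"] and not pkt.get("ack", False):
        return False                      # "established" needs the ACK flag
    return True


def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"] == "permit"
    return False


# Sample list: the rule-summary entries plus a constructed final permit.
RULES = [
    "deny ip any host 10.1.1.1",
    "deny tcp any gt 1023 host 10.1.1.1 eq 21",
    "deny udp 1.0.0.0 0.255.255.255 lt 1023 any",
    "permit tcp any 1.0.0.0 0.255.255.255 established",
    "permit ip any any",
]
```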
 * ====**Attacks**====
 * =====**Smurf Attacks, Directed Broadcasts and RPF Checks**=====
 * attacker sends large number of ICMP Echo requests
 * destination address is the subnet broadcast address (directed broadcast)
 * final router forwards onto LAN as a broadcast
 * source IP is set to victim's address
 * ======**Solutions**======
 * config-if# no ip directed-broadcast (router will not forward it as a broadcast onto the LAN)
 * Unicast Reverse-Path-Forwarding (uRPF)
 * config-if# ip verify unicast source reachable-via [rx|any] [allow-default] [allow-self-ping]
 * Styles
 * Strict - "rx" keyword; the route back to the source must point out the interface the packet arrived on
 * Loose - "any" keyword; only checks that some route to the source exists
 * allow-default - lets a default route satisfy the check (ignored otherwise)
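 * Added example (not IOS code) implementing the uRPF decision described above over a constructed routing table: longest-prefix lookup of the source address, strict ("rx") vs. loose ("any") comparison, and the effect of allow-default. The routes and interface names are constructed.

```python
"""Model of the unicast reverse-path-forwarding check (added example, not IOS code)."""
import ipaddress

# Constructed routing table: (prefix, outgoing interface)
ROUTES = [
    ("10.1.0.0/16", "Gi0/1"),
    ("10.2.0.0/16", "Gi0/2"),
    ("0.0.0.0/0", "Gi0/0"),      # default route towards the internet
]


def lookup(routes, ip):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf(routes, src_ip, ingress, mode="rx", allow_default=False):
    """ip verify unicast source reachable-via {rx | any} [allow-default]

    Returns True if the packet passes the check, False if it is dropped.
    """
    hit = lookup(routes, src_ip)
    if hit is None:
        return False                          # no route back to the source at all
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False                          # only a default route: ignored
    if mode == "rx":
        return iface == ingress               # strict: must come in the way we'd go out
    return True                               # loose: any route to the source suffices


if __name__ == "__main__":
    # a packet claiming a 10.1.0.0/16 source arriving on Gi0/2 fails the strict check
    print(urpf(ROUTES, "10.1.5.5", "Gi0/2"), urpf(ROUTES, "10.1.5.5", "Gi0/2", mode="any"))
```

 * Strict mode fits an edge towards single-homed subnets; on asymmetric paths the same packet would be dropped, which is why loose mode exists.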
 * =====**Fraggle Attack**=====
 * similar to smurf, instead of ICMP uses UDP Echo
 * =====**Inappropriate IP Address**=====
 * for source and destination addresses
 * can use Router Audit Tool (RAT)
 * IOS AutoSecure feature auto-configures ACLs
 * =====**TCP SYN Floods, Established Bit and TCP Intercept**=====
 * SYN flood initializes TCP connection but doesn't finish
 * consumes memory and resources while waiting to continue
 * stateful firewalls can protect against it
 * ASA firewall, IOS firewall
 * ======**Solutions**======
 * filter packets with only SYN flag set in TCP header
 * config# ip access-list extended WORD
 * config-acl# permit tcp any 1.0.0.0 0.255.255.255 established
 * ACK flag set
 * TCP Intercept monitors for SYN attacks
 * Modes
 * Watch
 * keeps state information
 * if 3-way doesn't complete in time, send TCP Reset to server
 * counts the number of connections over time
 * Intercept
 * router replies to TCP connection
 * after 3-way handshake completes, the router connects to the server
 * bridges the two connections together
 * Configuration
 * config# ip tcp intercept-list WORD
 * config# ip tcp intercept mode watch
 * config# ip tcp intercept watch-timeout 20
 * ====**Classic Cisco IOS firewall**====
 * =====**Context-Based Access Control (CBAC)**=====
 * dynamic inspection of traffic
 * based on actual protocol commands
 * creates temporary openings in firewall
 * ======**Configuration Requirements**======
 * protocols to inspect
 * interfaces on which to perform inspection
 * direction of traffic to inspect per interface
 * ======**TCP versus UDP**======
 * manages UDP by approximating based on source and destination addresses and ports, and relative timing
 * protocol-specific timeouts can be configured
 * ======**Protocol Support**======
 * any TCP
 * all UDP "sessions"
 * FTP
 * SMTP
 * TFTP
 * H.323 (NetMeeting, ProShare, ...)
 * Java
 * CU-SeeMe
 * Unix R commands (rlogin, rexec, rsh, ...)
 * RealAudio
 * Sun RPC
 * SQL*Net
 * StreamWorks
 * VDOLive
 * ======**Caveats**======
 * ACLs on interface will filter first
 * cannot protect against attacks that originate inside the network
 * only works on protocols you specify
 * to inspect traffic other than TCP and UDP, you must configure a named inspection rule
 * does not inspect traffic destined to or originating from the firewall
 * restrictions on encrypted traffic
 * ======**Configuration**======
 * config# ip inspect name WORD icmp timeout 10
 * config# ip inspect name WORD tcp timeout 30
 * config-if# ip inspect WORD out
 * show ip inspect sessions
 * ====**Zone-Based Firewall (ZFW)**====
 * router interfaces placed into security zones
 * traffic can travel freely between interfaces in same zone
 * traffic blocked by default from traveling between zones
 * configured using Class-Based Policy Language (CPL)
 * =====**Protocols**=====
 * HTTP & HTTPS
 * SMTP, Extended SMTP (ESMTP), POP3 and IMAP
 * P2P applications, can use heuristics to track port hopping
 * instant messaging applications
 * remote procedure calls
 * ====**Zones and Zone Pairs**====
 * "self" zone created by default
 * all traffic to or from the self zone is allowed by default (until a zone pair with a policy involves it)
 * ======**Configuration**======
 * config# zone security WORD1
 * config# zone security WORD2
 * config-sec-zone# description WORDS
 * config# zone-pair security internal source WORD1 destination WORD2
 * =====**Policy Maps**=====
 * ======**Actions**======
 * Drop - drop the packet
 * Inspect - uses the CBAC engine (stateful; return traffic is allowed automatically)
 * Pass
 * Police
 * Service-Policy - use Deep Packet Inspection engine
 * URLfilter
 * ======**Configuration with Parameter Map**======
 * config# parameter-map type inspect WORD
 * config-profile# tcp idle-time 300
 * config-profile# udp idle-time 300
 * config# policy-map type inspect WORD2
 * config-pmap# class type inspect WORD3
 * config-pmap-c# inspect [WORD]
 * =====**Service Policies and Zones**=====
 * config# zone-pair security internal source WORD1 destination WORD2
 * config-sec-zone-pair# service-policy type inspect WORD3
 * config-if# zone-member security WORD1
 * config-if# zone-member security WORD2
 * show zone-pair security
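 * Added example (not IOS code) that models the zone logic described in this section: same-zone traffic passes, inter-zone traffic is dropped unless a zone pair with a policy exists, an interface outside any zone cannot talk to a zoned one, the self zone is open by default, and only "inspect" creates the state that lets return traffic back. Interface and zone names, flows and the ZoneFirewall class are constructed.

```python
"""Model of Zone-Based Firewall forwarding decisions (added example, not IOS code)."""


class ZoneFirewall:
    def __init__(self):
        self.zone_of = {"self": "self"}   # the "self" zone exists by default
        self.pairs = {}                   # (src_zone, dst_zone) -> inspect | pass | drop
        self.sessions = set()             # flows created by "inspect"

    def zone_member(self, iface, zone):
        """config-if# zone-member security <zone>"""
        self.zone_of[iface] = zone

    def zone_pair(self, src_zone, dst_zone, action):
        """zone-pair security ... source <src> destination <dst> + its policy-map action"""
        self.pairs[(src_zone, dst_zone)] = action

    def forward(self, in_iface, out_iface, flow):
        """flow = (src_ip, sport, dst_ip, dport); returns 'pass' or 'drop'.

        Use out_iface="self" for traffic destined to the router itself.
        """
        src, dst = self.zone_of.get(in_iface), self.zone_of.get(out_iface)
        if src is None and dst is None:
            return "pass"                     # neither interface is in a zone
        if src is None or dst is None:
            return "drop"                     # zoned <-> unzoned never passes
        if src == dst:
            return "pass"                     # traffic within one zone is unrestricted
        s, sp, d, dp = flow
        if (d, dp, s, sp) in self.sessions:
            return "pass"                     # return traffic of an inspected session
        action = self.pairs.get((src, dst))
        if action == "inspect":
            self.sessions.add(flow)           # CBAC state created for the return path
            return "pass"
        if action == "pass":
            return "pass"                     # stateless: the reverse pair needs its own policy
        if action is None and "self" in (src, dst):
            return "pass"                     # self zone is open unless a pair restricts it
        return "drop"                         # no zone pair, or an explicit drop


if __name__ == "__main__":
    fw = ZoneFirewall()
    fw.zone_member("Gi0/0", "inside")
    fw.zone_member("Gi0/1", "outside")
    fw.zone_pair("inside", "outside", "inspect")
    out = ("10.1.1.5", 40000, "203.0.113.9", 443)
    print(fw.forward("Gi0/0", "Gi0/1", out), fw.forward("Gi0/1", "Gi0/0", out[2:] + out[:2]))
```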
 * ====**Intrusion Prevention System (IPS)**====
 * compares packets to known signatures
 * =====**Actions**=====
 * drop packet
 * reset the connections
 * send alarm log message
 * block traffic from source for amount of time
 * block traffic on connection for amount of time
 * =====**Configuration**=====
 * config# crypto key pubkey-chain rsa
 * config-pubkey-chain# named-key realm cisco.pub signature
 * config-pubkey-key# key-string
 * config-pubkey# WORDS
 * config# ip ips signature-category (load basic signature package)
 * config-ips-category# category all
 * config-ips-category-action# retired true
 * config-ips-category# category ios_ips basic
 * config-ips-category-action# retired false
 * #mkdir flash:ipsData
 * config# ip ips name WORD
 * config# ip ips config location flash:ipsData
 * config-if# ip ips WORD out
 * show ip ips configuration
 * ====**Control-Plane Policing (CoPP)**====
 * applies to traffic destined to the router itself (control plane)
 * leverages MQC to rate-limit or drop traffic
 * =====**Typical Groupings**=====
 * malicious traffic - dropped
 * routing protocols - not limited
 * SSH and Telnet - limited to small amount
 * management protocols (SNMP, FTP, TFTP, ...)
 * network applications (HSRP, DHCP, IGMP, ...)
 * all other IP traffic
 * default class (catches everything else, including L2 traffic; ARP does not have to be matched explicitly)
 * =====**Configuration**=====
 * config# control-plane
 * config-control-plane# service-policy input WORD (policy map)
 * ====**Dynamic Multipoint VPN (DMVPN)**====
 * =====**IPSec tunnel limitations**=====
 * in a hub-and-spoke environment, spoke-to-spoke traffic traverses the hub site
 * traffic is decrypted at the hub, routed, and encrypted again
 * additional network overhead, memory and CPU
 * takes advantage of
 * IPSec
 * GRE tunnels
 * Next Hop Resolution Protocol (NHRP)
 * supports traffic segmentation across VPNs
 * is VRF-aware
 * hub router is configured for single multipoint GRE (mGRE) tunnel interface
 * supports multicast traffic from hub to spoke routers
 * =====**Benefits**=====
 * simpler hub router configuration
 * 1 mGRE interface
 * 1 IPSec profile
 * no crypto access lists
 * hub does not require configuration when new spoke routers are brought online
 * automatically initiated IPSec encryption
 * dynamic addressing support for spokes
 * dynamically created spoke-to-spoke tunnels
 * VRF integration for MPLS environments
 * dynamic routing protocol required, distance vector recommended