Cisco Router Security: Principles and Practice
==============================================

Slide One: Introduction
-----------------------

As the gateway for the network, the router is also the first line of defense. If the router is compromised, all else follows. Most attention is given to firewalls, VPNs, intrusion detection etc. Routers are often left with simple configurations on the grounds that they do not hold mission-critical data.

Routers can be disabled, bringing down the entire network or blocking communication to and from the outside world. There can be internal attacks, often bypassing intrusion detection systems, and a compromised router can be used as a base from which to launch external attacks. A compromised router can also be reconfigured, providing a "backdoor" to the network. With default configurations, hackers can gather an extraordinary amount of detail concerning a network, including subnets, neighbouring equipment and redundant paths. Network traffic can be monitored, recorded and rerouted.

Slide Two: Themes
-----------------

This is an introductory presentation, and it's only forty minutes! It will not discuss password recovery procedures, and it is not about ACLs, designing a secure network, a DMZ or PIX firewalls.

Part One. Router Security Within A General Plan
===============================================

Slide Three: Risk Analysis
--------------------------

Risk analysis is carried out over a time period. If any of the variables (vulnerability, threat, impact) approaches zero, the overall risk approaches zero. Risk analysis should be applied first to routers that are a gateway to the Internet, those that are part of a firewall, those that connect to secure networks and those that perform packet filtering.

From Wikipedia on vulnerability versus threat: "For example, human beings are completely vulnerable to the threat of mind control by aliens, which would have a fairly serious impact. But as we haven't yet met aliens, we can assume that they don't pose much of a threat, and the overall risk is almost zero."
Or, a house not proofed against earthquakes in central Australia versus one in Wellington. Both have the same vulnerability, but the former faces a much lower threat.

Slide Four: Physical Security
-----------------------------

Resistentialism: a joke philosophy that suggests that the physical world is not only conscious but malevolent. "Les choses sont contre nous" (Things are against us). Assume it is true.

Ensure adequate fire prevention (smoke alarms, extinguishers), water protection (e.g., link sprinkler activation to circuit breakers) and heat and humidity protection in the area. Ensure all equipment has a UPS and the area is free from airborne dust and (of course) bugs.

Minimise access to routers (one person is best). Apart from locked, heavy, self-closing doors, this includes ensuring that walls continue above and below raised flooring and ceilings and that air ducts are too small for access. Keep configuration backups in a separate secure place.

Modems. Given sufficient time, on some routers it would be possible to perform password recovery remotely. Put modems on the auxiliary port to provide out-of-band access.

Slide Five: Legal Security
--------------------------

The apocryphal story of the router administrator who included the word "Welcome" in their MOTD banner and thus gave carte blanche to hackers. MOTD banners should provide enough warning for the legal prosecution of intruders (e.g., "Authorised Users Only"), protect administrators from liability, and warn users about monitoring and system use policies (e.g., "Authorised Work Related Activities Only"). Do not include information such as the location of the router, the name of the administrator, contact information etc., all of which could be useful to an attacker. Similar banners can and should also be set for privileged and telnet login and AAA authentication.
Slide Six: IOS Security
-----------------------

The most well-known security flaw in 2005 allowed unauthenticated, remote attackers on the same IP subnet to execute arbitrary code or cause a denial of service. This particular vulnerability affected all 12.* releases of Cisco IOS, requiring upgrades.

According to John Stewart, Cisco's chief security officer, Cisco's customers have not had to deal with the problems traditionally associated with operating systems like Windows, Linux and Mac OS, which regularly require patches to fix newly discovered security issues. This, he said, means that many administrators are still using very old versions of Cisco's Internetwork Operating System (IOS). Thanks to Munir Kotadia, ZDNet Australia, for information on this flaw.

Part II (Passwords and Authentication)
======================================

Slide Seven: Accessing the Router
---------------------------------

Authorisation varies from viewing router information to completely reconfiguring the router, or some level in between. The default levels are 1 (user mode) and 15 (enable or privileged mode). Less common methods of access include HTTP, TFTP and SNMP. Each access method requires its own configuration through well-known commands and is retained across reboots by saving the running-config. Keep one VTY line's password different from the others to ensure administrator access at all times.

Slides Eight and Nine: Authentication and VTY/AUX access
--------------------------------------------------------

Default Cisco router authentication does not require a login name. Problems arise when more than one administrator has privileged access, as there is no accountability. Usernames and passwords should be set, along with local authentication on VTY, console and AUX ports. Note that some of the commands here are somewhat counter-intuitive: using the command 'no login' on a line allows anyone to log in without a password, whereas the 'no password' command removes the password but *also* doesn't allow anyone to log in.
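As an added example (not from the presentation), the following Python script audits the line stanzas of a 'show running-config' dump against the rules above and the VTY hardening that slide eleven below describes (SSH only, exec-timeout, access-class). The sample configuration is constructed and the type 7 password string is a placeholder; since 'show run' omits IOS defaults, a line with no login statement is reported rather than assumed safe.

```python
# Constructed 'show running-config' line stanzas; not from a real device.
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 5 0
 login local
 transport input none
line aux 0
 no login
line vty 0 3
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
line vty 4
 exec-timeout 0 0
 password 7 00000000000000
 login
 transport input telnet ssh
"""

def parse_line_stanzas(config_text):
    """Return {'line vty 0 3': [sub-commands], ...} from an IOS config dump."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        if not raw[:1].isspace():                   # top-level command, '!' or blank
            current = raw.strip() if raw.startswith("line ") else None
            if current:
                stanzas[current] = []
        elif current:
            stanzas[current].append(raw.strip())
    return stanzas

def audit_line(name, cmds):
    """Apply the login, transport and timeout rules to one line stanza."""
    findings = []
    login = [c for c in cmds if c == "login" or c.startswith("login ")]
    if "no login" in cmds:
        findings.append("'no login': anyone who connects gets a shell with no password")
    elif not login:
        findings.append("no explicit login method (show run omits IOS defaults)")
    elif login[-1] == "login" and not any(c.startswith("password ") for c in cmds):
        findings.append("'login' but no line password: locks everyone out (slide nine)")
    elif login[-1] == "login":
        findings.append("line password only: no per-administrator accountability")
    transport = {w for c in cmds if c.startswith("transport input ")
                 for w in c.split()[2:]}
    if name.startswith("line vty"):
        if transport not in ({"ssh"}, {"none"}):
            shown = " ".join(sorted(transport)) or "<unset>"
            findings.append("transport input %s: restrict to 'transport input ssh'" % shown)
        if not any(c.startswith("access-class ") for c in cmds):
            findings.append("no access-class: any source address may try to connect")
    elif transport != {"none"}:                     # con/aux: block reverse telnet
        findings.append("physical port without 'transport input none'")
    timeouts = [c.split()[1:3] for c in cmds if c.startswith("exec-timeout ")]
    if not timeouts:
        findings.append("no exec-timeout (IOS default is 10 minutes)")
    elif timeouts[-1] == ["0", "0"]:
        findings.append("exec-timeout 0 0: idle sessions never expire")
    return findings

def audit_config(config_text):
    # Map every line stanza to its findings; an empty list means it passed.
    return {name: audit_line(name, cmds)
            for name, cmds in parse_line_stanzas(config_text).items()}
```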
Slide Ten: Network Access Servers and TFTP
------------------------------------------

The basic system in this regard is the Terminal Access Controller Access Control System (TACACS). Instead of each router being configured with usernames and passwords, it is configured to ask a TACACS server for information about who is allowed to log in to the router, which is administratively a lot easier. TACACS and X-TACACS have been declared "end-of-maintenance" by Cisco. Note that Kerberos provides authentication, not authorisation.

If TACACS is used, a local password of last resort should be set in case the router cannot contact the TACACS server ('enable last-resort password'). TACACS doesn't differentiate between a user-level authentication request and a privileged-level request; this requires Extended TACACS, RADIUS or TACACS+. When TACACS+ or RADIUS are used, configuration files must be kept secure, since TACACS+ and RADIUS keys are not obscured by the 'service password-encryption' command.

TFTP provides no authentication. TFTP is normally used only when a router needs upgrading, but some routers download their configuration from a TFTP server. When routers use TFTP servers for their configuration files, the security of the router depends directly on the security of the TFTP server. Also, some newer routers can be used as TFTP servers; if this is allowed it should only be for the duration of file transfers and then immediately turned off.

Slide Eleven: Remote Administration
-----------------------------------

Spoofing, sniffing and session hijacks can be prevented by using "out-of-band" access (i.e., dial-up via the AUX port), employing anti-spoofing filters and using strongly encrypted protocols such as SSHv2. Telnet should certainly not be used when SSH is available and should be disabled, as it passes information in clear text.
In addition to disallowing Telnet, it is also worthwhile limiting VTY access to a few secure IPs through ACLs if possible, with an exec-timeout of several minutes at the most. If the router IOS does not support SSH it is still not a good idea to use Telnet; instead, dial in to an SSH server elsewhere (a secure, trusted location) and use that to connect to the router. Use 'service tcp-keepalives-in' at global configuration to ensure that there are no orphaned connections (e.g., when a client crashes whilst connected, the server may otherwise still assume a connection exists).

When using dial-up access to a router, ensure that both the AUX port and the modem are password protected, and configure callback security ('service exec-callback') to a predefined number (this does result in the loss of some flexibility). This will require the local modem to be configured to accept incoming calls. Reverse telnet should be disabled on all physical ports ('transport input none' on config-line).

With HTTP router management, various information, including passwords, is sent in plain text, and there is no means to enforce token-based or single-use passwords. Disable it or, if it must be used, limit it by IP and access it through a VPN with IPSec.

Slide Twelve: Passwords and Services
------------------------------------

Passwords should of course in all cases be strong (foreign-language phrases, in an obscure language, with numerical and special-character components etc.). Passwords should be stored encrypted (the weak Vigenere-based encryption or the stronger MD5 hash), as they are otherwise kept in clear text in the configuration file. The privileged-level password should be significantly different from the user-level password. Reconfigure services so that they require the privileged level.

Part III: Services, Applications and Protocol Security
======================================================

Slides Thirteen and Fourteen: ICMP
----------------------------------

Routers invariably have a number of services automatically activated.
Whilst often useful, these may present a security risk, providing points of entry or means of information gathering. The Internet Control Message Protocol (ICMP) is one such service, and it is invaluable for network troubleshooting. Further, disabling ICMP entirely (as some sites do) causes problems with maximum transmission unit (MTU) path discovery. Disable it selectively on interfaces or, at the very least, between autonomous domains.

Slide Fifteen: Other Services
-----------------------------

Source routing allows a packet to specify how it should be routed through a network instead of following the routes designated by the internal network's routing protocols. Disable at global configuration ('no ip source-route').

Small services: enabled by default on IOS 11.3 and earlier. These include the echo, discard, daytime and chargen (with a well-known exploit through this service) services. Disable at global configuration ('no service tcp-small-servers', 'no service udp-small-servers').

Finger allows remote users to find out who is logged into the router. Disable it to prevent information leakage, at global configuration ('no service finger', or 'no ip finger' on newer versions of IOS).

Slide Sixteen: CDP and Proxy ARP
--------------------------------

Cisco Discovery Protocol is extremely useful for providing information on remote interfaces, but it provides no information that a properly documented network will not already have recorded. Keep accurate documentation and disable CDP.

Proxy ARP provides hosts with a MAC address where they have no router or gateway configured. It is unnecessary where DHCP is enabled. Attackers are able to spoof packets to take advantage of systems performing proxy ARP and engage in information gathering. It can be disabled on interfaces with the 'no ip proxy-arp' command.

Slide Seventeen: Optionally
---------------------------

The most dangerous of these is DNS queries and nameservers.
By default, Cisco routers have DNS enabled but no nameserver configured, meaning that DNS queries are broadcast. In the best case, this causes delays at the EXEC prompt. In a worse case, an attacker will respond with false information that could fool your router into using the wrong hosts.

Slides Eighteen and Nineteen: SNMP
----------------------------------

The Simple Network Management Protocol (SNMP) is very useful for monitoring and managing TCP/IP networks. If write access is enabled (read-only is the default), SNMP can also be used to configure devices on your network remotely. Read access is also dangerous, however, as it can provide a complete map of the network, the IOS version, MAC-to-IP bindings and in some cases even the physical location.

The most widely used version of SNMP, v1, uses authentication through a 'community string', which is similar to a group password. Further, SNMP v1 packets are unencrypted. In 2004, the IETF declared SNMP v1 and v2 obsolete and recommended a move to SNMP v3, which uses MD5 or SHA hashed authentication and packet encryption. Cisco routers running IOS 12.0(3)T and above include SNMP v3 support. The three levels of SNMP v3 security are no authentication and no encryption, authentication and no encryption, and authentication and encryption.

SNMP read/write access combined with TFTP is a major security risk. Attackers can use SNMP to cause the router to either TFTP its configuration file to them, or load a new configuration from an arbitrary TFTP server. To avoid this problem, it is important to restrict the permitted servers with the 'snmp-server tftp-server-list' command, which references an ACL.

Slides Twenty and Twenty-One: Spoofing
--------------------------------------

Ingress: packets coming from an external network; egress: packets leaving your network and going to an external network. Ingress filters make sure that packets entering your network do not claim to be from your network.
Both these filters can be created through ACLs which (a) deny all packets coming in from the Internet that claim to have originated from the internal network and (b) only allow packets out of the network which have come from the internal network. Further, Cisco has developed Unicast Reverse Path Forwarding (uRPF), which conducts a sanity check on packets and adjusts to routing and topology changes automatically. However, uRPF does have a tendency to discard packets incorrectly when the reference table lacks sufficient information. For this reason it should only be applied on interfaces connecting to external networks.

Slides Twenty-Two to Twenty-Four: Protocol Authentication
---------------------------------------------------------

An excellent means to secure a routing protocol is to use authentication, available on RIP v2, OSPF, EIGRP and BGP. A routing password is configured on each router on the network, and routing information will only be exchanged between routers that know the password. Standard routing protocols don't use authentication by default; with authentication, any routing information an attacker tries to insert into your routers will be ignored.

For example, use the 'ip ospf message-digest-key' command on each interface to define a key, then configure authentication under the OSPF areas where you want to use authentication. This example assumes that your OSPF autonomous system number is 10 and that you are setting up area 0 to use authentication:

    RouterOne#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    RouterOne(config)#router ospf 10
    RouterOne(config-router)#area 0 authentication message-digest
    RouterOne(config-router)#^Z

BGP doesn't support plain-text authentication, only MD5, so there is no need to explicitly specify MD5 authentication. Enable BGP authentication by adding the password keyword to the neighbor command:

    RouterOne#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    RouterOne(config)#router bgp 109
    RouterOne(config-router)#neighbor 130.18.6.7 password MyBGPpassword
    RouterOne(config-router)#^Z

Part Four: NTP, Logging and Incident Response
=============================================

Slide Twenty-Five: NTP
----------------------

Synchronising time is obviously important on networks, and especially for auditing purposes (accounting, fault analysis, network management, time-based authentication and authorisation). NTPv4 is preferred; IOS-XR software implements NTPv4, other software NTPv3. NTP can operate in four different modes: client, server, peer and broadcast. NTP modes differ based on how NTP allows communication (time requests and control queries) between systems.

The three main configurations are a central server, a hierarchical model, or a flat configuration. A central server configuration uses one or two centralised NTP servers to synchronise time; use 'ntp server ipaddress' at global configuration, and repeat for redundancy. A flat configuration is extremely stable, although scalability, administration and convergence are strong negatives. In a small network with a flat configuration, use the 'ntp peer' command on each router at global configuration. On larger networks requiring more accurate time, use redundant timeservers and synchronise routers to multiple servers to prevent a single point of failure. Use 'ntp master' on networks not connected to the Internet. Make sure all routers have ACLs preventing them from becoming public time synchronisation servers.

NTP on Cisco routers supports additional options that may be useful for synchronisation, for keeping the router from being overwhelmed by NTP requests, and for disabling NTP on specific interfaces only. A router can be configured to prefer one NTP source over another (e.g., 'ntp server NTPServer1 prefer'), or to restrict the maximum number of peer and client associations (e.g., 'ntp max-associations 30'), both at global config, and NTP can be disabled on a per-interface basis ('ntp disable').
Cisco routers also support MD5 authentication for NTP.

Slides Twenty-Six and Twenty-Seven: Logging
-------------------------------------------

Cisco routers can log information in six different ways: console logging (messages are displayed on the console port), buffered logging (kept in the RAM of the router), terminal logging (log messages are sent to VTY terminals), syslog (messages are sent to external syslog servers), SNMP traps (SNMP can be configured to send traps to an external SNMP server), and AAA accounting (the Network Access Server can log network connections and even command execution).

Messages are given a priority from 0 to 7 (the most critical is the lowest; 0 is system unusable, 1 requires immediate action). Log messages will be timestamped, if necessary to the nearest millisecond (the second is the default), with local time optional.

Console logging by default shows messages of level 5 and lower (alter with 'logging console X' at global configuration; disable with 'no logging console'). Buffered logging uses 'logging buffered' followed by the buffer size. Terminal logging uses 'logging monitor X' and is disabled with 'no logging monitor'.

Syslog is a standard Unix server facility, and Cisco routers are usually configured to use one of the reserved facilities local0 through local7. Cisco routers include a feature that stamps each syslog message with a sequence number, enabled with the 'service sequence-numbers' command at global config. Further, you can throttle the number of messages sent to the syslog server with an upper limit (e.g., 'logging rate-limit all 10 except error').

If you use SNMP, use the 'snmp-server host IP_address public' command to configure which SNMP server will receive the traps and use the 'snmp-server enable traps' command to enable SNMP traps.
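Added example, not from the presentation: a small Python parser for the IOS syslog lines produced with sequence numbers and millisecond timestamps enabled, as described above. It uses the sequence numbers to detect lost messages (rate limiting or buffer wrap), the severity field to surface levels 0 to 2, the timestamp's leading '*' (which IOS prints when the clock is not authoritative, tying back to the NTP slide) and the source address in configuration-change messages, checked against an assumed set of management hosts. The log lines and the MGMT_HOSTS set are constructed.

```python
import re

# Constructed IOS syslog output with 'service sequence-numbers' and
# 'service timestamps log datetime msec' in effect; not from a real device.
SAMPLE_LOG = """\
000017: *Mar  1 00:15:22.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
000018: Mar  1 00:15:40.001: %SEC-6-IPACCESSLOGP: list 115 denied tcp 130.18.1.5(3456) -> 192.0.2.1(23), 1 packet
000021: Mar  1 00:16:02.500: %SYS-5-CONFIG_I: Configured from console by vty1 (198.51.100.7)
000022: Mar  1 00:16:10.000: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x60B3A1C4
"""

# Hosts an administrator is expected to configure the router from (assumed).
MGMT_HOSTS = {"192.0.2.10"}

# seq: [*|.]timestamp: %FACILITY-SEVERITY-MNEMONIC: text
# A leading '*' on the timestamp means the router clock is not authoritative.
IOS_MSG = re.compile(
    r"^(?P<seq>\d+): (?P<clock>[*.]?)"
    r"(?P<ts>\w{3} +\d+(?: \d{4})? \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")

def parse(line):
    """Split one IOS syslog line into its fields, or None if it is not one."""
    m = IOS_MSG.match(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["seq"], msg["sev"] = int(msg["seq"]), int(msg["sev"])
    return msg

def review(log_text):
    """Return [(seq, alert)] for the lines an administrator should look at."""
    alerts, last_seq = [], None
    for line in log_text.splitlines():
        msg = parse(line)
        if msg is None:
            continue
        seq = msg["seq"]
        if last_seq is not None and seq != last_seq + 1:
            alerts.append((seq, "%d message(s) missing before this one: rate "
                           "limiting, buffer wrap or suppression" % (seq - last_seq - 1)))
        last_seq = seq
        if msg["clock"] == "*":
            alerts.append((seq, "timestamp not authoritative: clock is not NTP-synced"))
        if msg["sev"] <= 2:                 # 0 unusable, 1 act now, 2 critical
            alerts.append((seq, "severity %d (%s-%s): %s" % (
                msg["sev"], msg["fac"], msg["mnem"], msg["text"])))
        if msg["mnem"] == "CONFIG_I":
            # remote config sessions carry the source address in parentheses;
            # a change made on the physical console has no address at all
            src = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", msg["text"])
            if src and src.group(1) not in MGMT_HOSTS:
                alerts.append((seq, "configuration changed from unexpected host " + src.group(1)))
    return alerts
```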
Using the 'log' (standard ACLs) or 'log-input' (standard and extended ACLs) keyword at the end of an access-list entry causes the type, date and time of an ACL violation to be logged, e.g., 'access-list 115 deny ip 130.18.0.0 0.0.255.255 any log-input'. You can apply this ACL to a VTY line and therefore alert the admin that an unauthorised login attempt is occurring. Other protocols and services such as HTTP, SNMP, ICMP and route filtering can be logged in the same way: just add the keyword log or log-input to the deny statements of the ACLs for each service you want to log.

There are five methods of AAA accounting: EXEC, System, Command, Connection and Network. Here is a short description of each method:

EXEC accounting records information about each EXEC, or shell, session on the router, such as the username, date, time and IP address of the system connecting to the router.

System accounting logs information about system-level events, such as reboots or when accounting is turned on or off.

Command accounting logs information about the commands typed at the EXEC shell prompt, including what command was executed, who executed it, the privilege level, and the date and time.

Connection accounting logs information about outgoing connections made from the router.

Include all five methods.

Slide Twenty-Eight: Incident Response
-------------------------------------

Don't reboot the system. Log in via the console port. Use HyperTerminal or similar (e.g., minicom) to record the session. Work out what is being affected, how it happened, who the attacker is (internal or external), whether it is ongoing, and what other systems are at risk. Has the running-config or startup-config been changed ('show run', 'show start')?
Check the system time ('show clock detail'); check the IOS version, uptime and hardware ('show version'); show any scheduled reload ('show reload'); show the routing tables ('show ip route'); show the ARP tables ('show arp'); and run 'show users', 'show ip interface', 'show interfaces', 'show ip sockets', 'show ip nat translations verbose' (important!) etc. Print out your session. Sign and date it. Get a witness to counter-sign.

If the router is running SNMP, get a copy of the current SNMP tree. Record the time of the SNMP walk from a trusted time source.

The worst-case scenario is when the router's enable password has been changed, by either an accident or an attacker. In these situations your ability to collect forensic information is severely limited. Password recovery procedures require rebooting the router, which destroys much of the evidence you are interested in. If this happens, attempt to log in with a lower-privileged account and run as many of the preceding commands as possible. When you cannot log into the router at all, the information gathered externally becomes much more important because it is all you have. Therefore, be sure to use SNMP and port scans to gather as much information about the router as possible.
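Added example, not from the presentation: once 'show run' and 'show start' have been captured in the recorded console session, this Python script compares the two texts and groups every difference by security relevance, so that the reconfiguration the slides warn about (new accounts, SNMP write access, disabled logging, altered VTY access) stands out. Both configurations are constructed and the secret hashes are placeholders. An attacker with write access could also have saved their changes, so the same comparison against the offline backup from slide four is the stronger check.

```python
import re

# Constructed 'show start' and 'show run' excerpts; not from a real device.
STARTUP_CONFIG = """\
hostname RouterOne
service password-encryption
username admin privilege 15 secret 5 $1$EXAMPLE$PLACEHOLDER0000000000000
logging 192.0.2.50
snmp-server community EXAMPLE-RO-STRING RO 20
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

RUNNING_CONFIG = """\
hostname RouterOne
service password-encryption
username admin privilege 15 secret 5 $1$EXAMPLE$PLACEHOLDER0000000000000
username backup privilege 15 secret 5 $1$EXAMPLE$PLACEHOLDER1111111111111
snmp-server community EXAMPLE-RO-STRING RO 20
snmp-server community EXAMPLE-RW-STRING RW
ip route 203.0.113.0 255.255.255.0 198.51.100.1
line vty 0 4
 login local
 transport input telnet ssh
"""

# First matching pattern wins; anything else is reported as "other".
CATEGORIES = [
    (r"^(username |enable (secret|password))", "credentials and accounts"),
    (r"^snmp-server ", "SNMP (read-out or remote reconfiguration)"),
    (r"^(line |aaa |ip http)", "remote administration"),
    (r"^(logging |service (timestamps|sequence-numbers))", "logging"),
    (r"^(ip route |router |(ip )?access-list )", "routing and filtering"),
]

def qualified_lines(config_text):
    """Flatten a config to 'parent / child' strings so stanza context survives."""
    lines, parent = set(), ""
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw[0].isspace():
            parent = raw.strip()
            lines.add(parent)
        else:
            lines.add(parent + " / " + raw.strip())
    return lines

def classify(line):
    for pattern, category in CATEGORIES:
        if re.match(pattern, line):
            return category
    return "other"

def config_changes(startup_text, running_text):
    """Return [(sign, category, line)]: '+' only in running, '-' only in startup."""
    startup, running = qualified_lines(startup_text), qualified_lines(running_text)
    changes = [("+", classify(l), l) for l in sorted(running - startup)]
    changes += [("-", classify(l), l) for l in sorted(startup - running)]
    return changes
```

A removed 'logging' host or 'access-class' shows up as a '-' entry, which is often the first sign that someone has been tidying up after themselves.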