We all survived last night, I see. Can everyone hear me in the back of the room? All right. If you can't hear me, just yell. My name is Robert Muncie. I am a security engineer for a financial institution. I came up with this presentation after going to Networkers, which is Cisco's premier event, where you go and spend about three days in an intense router and switching camp. Basically, this is about an hour-long introduction to a seminar that I took, which was about 10 hours. So there are going to be sections in the slides here where I'm not really going to cover a whole lot of code, and where I've kind of skipped detail. But if you're interested in more, this is my email address here. And at the end of the presentation, if you want, you can give me my business card. You can give me your business card. And I'll be happy to answer any questions offline as well.

We're going to start off with some security principles. It's very important to know there is no perfect solution in the world. Everything is always changing. And as security professionals, it kind of feels like we're outnumbered at times by the other side. Our goal here is to make it as hard as possible to get information about your network. All right. I know we have fireworks. There we go. Okay, so we're going to learn how to make it as hard as possible to get information about the network, and we're going to make it even harder for people to gain access. A typical compromise, a typical network hack, takes three stages. The first stage is reconnaissance about the target. You then attempt to gain initial access, and then you attempt to gain elevated privileges. Along those lines, we're going to look at what we do with our routers before we even plug in the wires to connect to the Internet.
We're going to look at turning off unnecessary services, turning on logging, preventing unauthorized telnet access to the router, restricting the SNMP community strings or disabling them, and making authentication secure so that the people performing management are the people we want.

The very first thing we're going to look at, then, is turning off unnecessary services. These three commands here, no service udp-small-servers, no service tcp-small-servers, and no service finger, are now standard after the 12 release of the IOS. Some people may wonder, well, why do we turn off the echo command? Or why is the echo command even part of our router? When Cisco was first coming into being as a company, they took Unix and basically stripped it down and put it onto their router. In the very early routers there even used to be email capabilities. One thing you can do with echo that's kind of nasty: if you were an attacker, you could send a DNS packet to the router. You falsify the source address. You send it to a false port, in this case 53, which is echo, and the router will ignore any access lists you may have for DNS control and will simply return the packet because it thinks it was a local request. And of course finger: no reason to give away any information about the router itself.

These commands here are more for the Unix commands. If you're not familiar with them, it's very good to disable these. The first two commands are basically remote commands. The first one is a remote execute command, and the second is a remote file copy. And the last one is a command which enables accurate information about the host TCP ports. These two commands are interface specific. It means you've got to put them on every interface that you want them on. Typically I like to put these on the border routers that connect to the Internet. I like to place them on those interfaces absolutely. And after the 12.0 release of the IOS, these are now standard.
So when you look at your configs after you put an IP onto the interface, these will already be there for you. It's very rare that you would need IP directed broadcasts unless you were doing multicasting. And IP source routing: it just says that it'll never forward a packet if it carries a source routing option. And this is kind of anti-spoofing. ip cef is Cisco Express Forwarding. ip verify unicast reverse-path is Reverse Path Forwarding. These two commands come together. This particular command is only good for symmetric routing environments. This is typical of most companies, where you go router A to router B. If we were looking at an ISP, an ISP couldn't do this because they have asymmetric routing, where router A could go to both C and D, and D could go to router B without having to pass through A.

The scheduler interval 500 command is also now standard. It controls the time of responding to interrupts from the network interface. Basically what this means is the router is handling lots and lots of packets, and there is always going to be an interrupt packet that it's going to have to stop and look at and try to figure out what it's supposed to be doing with it. With this command we tell it that it can only do that every 500 milliseconds, and it gives the router time to process information.

Other things to think about are to restrict or turn off NTP, which is the time protocol. I like to take one router and turn it into the network time protocol router for the rest of my network, and then restrict all the other routers so they can only receive time information. This will become more important as we look into turning on logging: we want to make sure that if for some reason we need to go back and see what happened at a certain time, we know exactly what time those things occurred. We also want to disable CDP, which is the Cisco Discovery Protocol. This is real nice if you're setting up your routers, but once you have them set up there's no reason really to have it on.
It's a Layer 2 protocol, and basically you can type in a command locally on the router and it will tell you what routers it can see next to it. And of course, as always, you want to stay up to date with your IOS levels. It seems to me that Cisco releases an IOS about every two weeks. And a lot of times, yeah, if you laugh from the audience, especially for us, we have 30-some routers in our network currently, and trying to stay up to date with those and update the code can sometimes be a challenge.

Let's take a look here at a simple access list. This one prevents unauthorized telnet access to the router. I don't particularly like this particular access list because it allows a huge pool of addresses that could manage my router. If I was going to do it myself, on my own particular routers, I would create a subnet that only the network administrators were in, and then I would restrict access only to that subnet. That way you would prevent internal users like developers, who might have access to your routers for some particular reason and would have elevated access from their desktops. This command basically works in that you take an access list and you permit your subnet range, whatever you want to do here. So here I've done 10.x.x.x, and then you go down into line vty, and I did 0 to 44 here. You can do 0 to 4 as typical. And then this is a sub-command: the access-class 12 in is actually a sub-command to the line command. So in enable mode you would type line vty 0 space 4, and then you would type in your command in the sub-interface.

Logging. Logging is very important, especially if, you know, after you've been compromised you need to go back and see what happened, or if you're doing IDS you want to be able to have a historical log of what was going on. The msec command is only valid if you're using NTP. Some of the very small routers don't have their own time protocols or don't have internal clocks.
So you may want to use local instead. And in the last command we have logging, and then here we would put in a server IP address. Basically we want to get these logs off of our routers. If you leave the logs on the routers, the log is a fixed size (you can increase it), but if you reboot the router all the logs go with it.

Restricting SNMP access. If you're in a small environment, I don't even recommend using the management protocol, but unfortunately in the larger environments it's almost impossible to get away from. So what this one does is we have access list number 13. In this particular case I permit two IPs. So these would be my two SNMP collection boxes. And then I would issue the command snmp-server community, and I'd put in the password. In this case we're putting in the read-only password. And then the 13 references back to access list 13. A couple of other things to know about SNMP. Be sure and don't use public, private, or secret. If so, just post it on the Internet and let people have fun with it. And be sure to use different strings for the read-only and write-only communities. Remember they can be cracked, especially if they're easy. So you need to use strong passwords. And be sure and use mixed alphanumeric strings. I typically like to use about a 10-character password with numbers and capitals mixed in there.

Make authentication secure. There are two ways you can type in the enable password. You can do enable password and then the password, or you can do enable secret and then the password. I don't recommend using enable password. It's a very weak algorithm that encrypts the password. If you use enable secret you're using an MD5 one-way hash. And then the other thing I like to do here is use privilege levels. This is good for the auxiliary port, especially if you're going to connect a modem for out-of-band management. And here I've given it privilege level five.
That means unless you know the enable password, the only thing you can do is read-only in the router commands. You can go into enable, but you can't save and you can't make changes. As an administrator, though, you can put in a password later and you can pass into true enable mode. Along with this, make sure that physical access is highly restricted. Really, only one or two people should have key access. Given 10 minutes and physical access to your router, I can compromise it and you would never know the difference. And Cisco will kindly give you the information on how to do that. Yeah, not necessarily. You would reboot, Control-Break into ROMmon mode, and you can blank the password at that point. You reload and you come back with the configuration, and then you just put in whatever password you'd like. It's really just as simple as that. It varies per model on how exactly you do it, and switches are a little different than routers. But for all of them it's pretty straightforward. On Cisco's site you just type in your model number and then "recover password", and it'll bring up the information.

There are two ways, really, to do authentication. You can do RADIUS and TACACS. In our environment we use RADIUS, so I've done the RADIUS example here. The aaa new-model is just how you tell the router, I'm now going to make all authentications secure. In this case I do aaa authentication login radius local, which means that anyone connecting in will first be authenticated to the RADIUS server, and if they don't have an account on the RADIUS server then it goes to local authentication. And then in this case I do username, and then I type in my name here, which would be Robert, and then whatever password. Here you can also do privilege levels. So if, for instance, you wanted to give a developer read-only access so that he could telnet into your router and then maybe telnet into the network itself, you could give him only read-only.
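The pre-connection checklist covered so far (small servers, finger, source routing, CDP, directed broadcasts, a vty access-class, syslog with msec timestamps, enable secret instead of enable password, SNMP communities that are neither defaults nor unrestricted) is the kind of thing that is easy to verify mechanically. Here is an added example, my own code rather than anything from the talk or from Cisco, that audits an IOS-style running config against those items. The two sample configs, the ACL numbers, the syslog address and the community string are constructed for the example; the "enable secret" hash is a placeholder.

```python
"""Audit an IOS-style running config against the pre-connection hardening checklist.
Constructed example: sample configs, ACL numbers and addresses are made up."""
import re

BAD_COMMUNITIES = {"public", "private", "secret"}
SNMP_RE = re.compile(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$")
SYSLOG_RE = re.compile(r"logging \d+\.\d+\.\d+\.\d+$")

# Global commands that should be negated ('no ...'); their positive form is a finding.
FORBIDDEN_GLOBAL = ("service tcp-small-servers", "service udp-small-servers",
                    "service finger", "ip source-route", "cdp run")

def parse_blocks(config):
    """Split config text into global commands and {block header: [indented sub-commands]}."""
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' separates sections in an IOS config
            continue
        if raw.startswith(" "):     # indented line belongs to the open interface/line block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            blocks.setdefault(current, [])
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, blocks

def audit_config(config):
    """Return a list of human-readable findings; an empty list means every check passed."""
    findings = []
    global_cmds, blocks = parse_blocks(config)
    gset = set(global_cmds)
    for cmd in FORBIDDEN_GLOBAL:
        if cmd in gset:
            findings.append(f"global: '{cmd}' enabled; expected 'no {cmd}'")
    if not any(SYSLOG_RE.match(g) for g in global_cmds):
        findings.append("global: no syslog server ('logging <host>'); logs die with a reboot")
    if "service timestamps log datetime msec" not in gset:
        findings.append("global: log timestamps lack msec")
    if not any(g.startswith("enable secret ") for g in global_cmds):
        findings.append("global: no 'enable secret' (MD5 hash) configured")
    if any(g.startswith("enable password ") for g in global_cmds):
        findings.append("global: 'enable password' present (weak reversible encoding)")
    for g in global_cmds:
        m = SNMP_RE.match(g)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in BAD_COMMUNITIES:
                findings.append(f"snmp: {mode} community '{community}' is a well-known default")
            if acl is None:
                findings.append(f"snmp: {mode} community '{community}' has no access-list")
    for header, sub in blocks.items():
        if header.startswith("interface ") and "no ip directed-broadcast" not in sub:
            findings.append(f"{header}: directed broadcasts not disabled")
        if header.startswith("line vty") and not any(
                s.startswith("access-class ") and s.endswith(" in") for s in sub):
            findings.append(f"{header}: no inbound access-class restricting management")
    return findings

# Constructed sample configs (not from a real device).
WEAK_CONFIG = """service tcp-small-servers
service finger
enable password cisco123
cdp run
snmp-server community public RO
interface Serial0
 ip address 192.0.2.1 255.255.255.252
line vty 0 4
 login
"""

HARDENED_CONFIG = """service timestamps log datetime msec
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip source-route
no cdp run
enable secret 5 <hash-placeholder>
logging 10.1.1.20
access-list 12 permit 10.1.1.0 0.0.0.255
access-list 13 permit 10.1.1.21
snmp-server community R0-n0t-Gu3ss RO 13
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 no ip directed-broadcast
 ip verify unicast reverse-path
line vty 0 4
 access-class 12 in
 login local
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
```

The parser only understands the two block types the checklist needs (interface and line); anything else indented is ignored, so the script is a checklist aid, not a general IOS parser. On a real box, save the output of show running-config to a file and feed it to audit_config.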
But you could give your users a higher level of privilege. Also, in the logs it now tells you who logged into your router and what changes they made. That's kind of helpful. And then later in the command you have to type in radius-server host, which is basically just an IP. And then here I've used a shared key. The shared key, by the way, is not encrypted inside the configs.

Other things to know about authentication: no matter what you do, if you're just typing in your password it's in clear text. So if someone is sitting there and watching, they can get your passwords fairly easily. I would consider a one-time password method, or consider using SSH. The new IOS supports SSH. I'm not really going to go into how to do that because that's a fairly complex topic. It's important. Do what? I still can't hear you. Well, it's 1.x. And then along with that we want to audit our login attempts. So we type in ip accounting and then ip accounting access-violations, and this simply goes into the logs. And then in this case I put in logging, and then I would type in the IP for my syslog server if I hadn't done it previously. You can also do SNMP traps if you're using some type of SNMP program like OpenView, or there are some freeware ones that we use and we like.

Okay, now we're ready to plug in the Internet cable and hook up to the Internet. We're going to look at preventing spoofing and some DoS protection. NAT is as good as it is bad. We're going to look at the new firewall feature set available from 12.x on, which is pretty nifty. And you now also have IDS that you can do either locally in the router or have it sent to an IDS product, which of course Cisco will be happy to sell you.

Preventing spoofing. This is a fairly simple access list here. We have access-list 109 deny ip, which is my internal, and then two internals here, 172 and 10. And then access-list 101 permit ip any any, which says any traffic is allowed in except internal traffic behind the router.
And then here I've applied it to the serial interface with ip access-group instead of access-list; I don't know why Cisco makes you do it that way. And then we have access-group 101 referencing back to the access list, and then in means inbound traffic. All access lists can go in or out. So here we have a little detailed diagram of what's going on. We have the Internet passing into a border router, passing into an internal router, and then passing into our network here. On the Serial 0/1 interface, which is connecting between the two routers, we're permitting traffic from the 142 network and denying everything else. And this is all inbound to the S0/1, which is really outbound to the Internet. That kind of makes sense. And then on interface Serial 0 on the other router, here we have two different groups, and this is basically just reversing what's allowed in versus what's allowed out. This is pretty standard for most networks.

Spoofing, continued. ip cef distributed, and then interface serial and a number, and then you can do ip verify unicast reverse-path. This mitigates source address spoofing by checking that a packet's return path uses the same interface it arrived on. Not appropriate for ISPs, but very helpful for us as just business people hooking up to the Internet.

DoS protection or prevention. These particular access lists are good to put on your router and then, if you come under attack, apply to your interface; access lists can take performance hits. The more access lists that have to be processed per packet, the slower your packets are inbound. So on this slide and the next slide, I like to have both of these access lists on my router but not active. And here we're basically just saying that all outbound ping responses are limited to 256 kilobytes. And then in the next one we're going to limit inbound TCP SYN packets to 8 kilobytes. Yeah. You mean in the last slide?
In the last slide, it just allows only a certain amount of those TCP/IP packets through. Yeah. So it looks at them, and if it reaches its limit in the queue it starts dropping them; it just puts them into a bit bucket and ignores them. So you don't necessarily stop the attack, but you're mitigating the attack on your router and you allow business to continue.

NAT. The good: it hides your entire network behind one IP and allows you control and monitoring of Internet usage. The bad: it may not work for all servers. In this one particular instance, as we all go to Windows 2000, the Windows 2000 DNS servers have to be able to talk to the outside world. So in this case you may have to open up holes in NAT, and we're going to look at that here in our slides. Also, email has to have a way to come through, and email does not work through NAT. So here we have basic ip nat commands. Here we're setting up the pool; in this case I do ip nat pool and then I just have a particular name here (it's just a random name), and then outside IP, outside IP (this can be a range or it can be one single IP), prefix-length 30. And then next we do ip nat inside source route-map and then a name. So this ip nat inside source command is going to connect into the next slide. Here we're setting up the route map, so we have route-map, a name, permit, and then the 10 is an access list which is going to appear later; and then we have match ip address to those access lists, which says only these IPs pass through NAT. Helpful if you have a group that you don't want to go out to the Internet. And then we have an IP access list, an extended access list. So these are the people who we're going to allow through our NAT, or if we want to allow specific services. So in this case here we're going to allow email.
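Going back to the anti-spoofing access list and ip verify unicast reverse-path discussed a moment ago: the two checks are easy to confuse, and the "symmetric routing only" caveat is easiest to see by running packets through both. Here is an added example, my own toy model rather than code from the talk or from Cisco, of a border router that applies the inbound deny-internal-sources ACL on its Internet interface and strict uRPF on every interface. The interface names, routes, addresses and packets are all constructed; the asymmetric routing table goes beyond the talk's two-router picture to show why an ISP with a second Internet link cannot use strict uRPF.

```python
"""Toy model of a border router's inbound anti-spoofing ACL plus strict uRPF.
Constructed example: interfaces, routes and packets are made up."""
import ipaddress

# Serial0 faces the Internet, Ethernet0 faces the internal LANs.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]

# Symmetric case (one link to the Internet): the route back to any outside
# source points out the same interface the packet arrived on.
ROUTES = {
    "10.0.0.0/8": "Ethernet0",
    "172.16.0.0/12": "Ethernet0",
    "0.0.0.0/0": "Serial0",
}
# Asymmetric case (a second Internet link): replies to 198.51.100.0/24 leave via
# Serial1, so strict uRPF on Serial0 rejects legitimate packets from that network.
ASYMMETRIC_ROUTES = dict(ROUTES, **{"198.51.100.0/24": "Serial1"})

def inbound_acl_permits(src):
    """access-list 101 applied 'in' on Serial0: deny ip <internal> any, permit ip any any."""
    return not any(ipaddress.ip_address(src) in net for net in INTERNAL)

def egress_for(addr, routes):
    """Longest-prefix lookup: the interface the router would use to reach addr."""
    a = ipaddress.ip_address(addr)
    candidates = [(ipaddress.ip_network(p), ifc) for p, ifc in routes.items()
                  if a in ipaddress.ip_network(p)]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]

def urpf_passes(src, ingress, routes):
    """ip verify unicast reverse-path: the best route back to src must exit via ingress."""
    return egress_for(src, routes) == ingress

def forward(pkt, routes=ROUTES):
    """Return the router's decision for one packet {'src', 'dst', 'in'}."""
    src, dst, ingress = pkt["src"], pkt["dst"], pkt["in"]
    if ingress == "Serial0" and not inbound_acl_permits(src):
        return "drop: acl 101 (internal source arriving from the Internet)"
    if not urpf_passes(src, ingress, routes):   # uRPF assumed enabled on every interface here
        return "drop: urpf (reverse path is not the ingress interface)"
    return f"forward via {egress_for(dst, routes)}"

# Constructed packets: spoofed-from-outside, legitimate, spoofed-from-inside, legitimate outbound.
SAMPLE_PACKETS = [
    {"src": "10.1.2.3", "dst": "10.0.0.5", "in": "Serial0"},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "in": "Serial0"},
    {"src": "203.0.113.9", "dst": "192.0.2.50", "in": "Ethernet0"},
    {"src": "10.1.2.3", "dst": "192.0.2.50", "in": "Ethernet0"},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", forward(pkt))
    # Same legitimate packet, but with the asymmetric table: strict uRPF now drops it.
    print("asymmetric:", forward(SAMPLE_PACKETS[1], ASYMMETRIC_ROUTES))
```

Two things the runs make visible: the ACL only sees traffic on the Internet interface, so an internal host emitting packets with an outside source address is caught by uRPF rather than by the ACL; and once a more specific route sends replies out a different link, strict uRPF starts discarding legitimate traffic, which is the reason the talk limits it to symmetric environments.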
So we have ip nat inside source static tcp, the internal IP, the port (which is 25), the external IP and then the port, and then extendable, which simply means that it can handle multiple types of traffic. It allows a service from the outside world to talk to your internal server. I don't particularly like to do this command, and I only like to do it to DMZ servers, unless someone feels good about opening up the Internet to their Exchange server.

The firewall feature set has just now become available. It's really great if you have branch offices that you're going to connect to the Internet and you don't want to buy a firewall for them. Cisco now allows you to buy a higher-priced software feature set, and you get a basic firewall. It's not a great firewall. I don't recommend it for your main office. There is a performance hit, and typically it's good to have lots of memory in your routers as you use it. This is a typical firewall feature set command: basically we turn on the audit trail and then we name what particular services we want to watch. In this case I watch TCP, UDP, FTP, TFTP, and SNMP, SMTP.

The IDS feature set is also new. It does network-based intrusion detection. It's not as good as a host-based intrusion detection system. It slows down traffic. It's even worse, I think, really, than the firewall feature set, because the firewall feature set only has to look at a packet; the IDS has to think about a packet. I typically would only use this on a bigger router, if you were using 7200s or something like that. Then in the same action here, ip audit info action alarm drop reset, which says if it happens you're going to note it and take the following actions: you're going to set up an alarm, you're going to drop the packet, and you're going to reset that particular connection. The rest of them are logging. You can also do anti-spam with this. In this case this particular command, ip audit smtp spam 25, says if an email is inbound and it goes to more than 25 people, it's spam and it gets dropped.
Kind of nice. Do what? No, you can change it. You can make it 10, 100; it depends on what you really consider spam. 25 is the default. Let's see. We're a little off here on the projector. I don't know what happened on this one. The ip audit name is how this one begins, and then it has a name, info, list 99. So now I'm going to use an access list. In this particular case I can say I don't want you to watch packets from my internal network, because there's no reason to slow these packets down, since I'm hopefully going to trust my internal traffic; and then I'm going to permit what comes through, and I'm going to say I want you to look at it and I want you to monitor. Of course the IDS feature set and the firewall feature set both have to be turned on, and they're turned on at the interface level. So in this particular case FastEthernet 0/0 happens to be connected to the Internet; I come on and I do ip audit, then the IDS info is actually the name of whatever you call your IDS service, and then in for inbound traffic. You can also do outbound traffic, depending on where you want to put it.

Now let's hook up a branch office. Not that we would ever have those. We're going to look at a two-office connection. I'm going to talk about some other problems that you may see on slower lines like ISDN and dial-up, and then what to do if you have more than 10 sites. Why would we want to use the Internet to hook up two offices? Well, it's a lot cheaper than hooking up frame relay. It's a lot easier to do. You can protect office traffic using what we're going to look at here. And it's fairly simple once you get it in place. We're going to use encryption here. So here we have crypto map. We're going to give it a name and a number (the name and number are irrelevant) and then ipsec-isakmp. set peer: we're going to set the branch office IP. And then we're going to do set transform-set, with DES encryption. Now you can also do Triple DES. And then match address 101 is matching to the access list here at the bottom.
So here we have access-list 101 permit ip, local IP, remote IP, and this basically says that only this IP is allowed to send encrypted traffic to this router. And then we're also going to set up the policy. In this case I'm using pre-shared keys, which is authentication pre-share; crypto isakmp key, and then I'm going to set the key as whatever you want to make it. Once again, the keys are in clear text in the configs. And then the address: we're going to use the remote IP. And the pre-shared key has to be the same on both sides, of course.

Problems you may see. ISDN and dial-up are more complex. The lines go up and down, of course, because that's the reason we bought ISDN: we didn't want to have traffic continuously. Workarounds for that: you have to develop access lists that can determine if the traffic is interesting, to turn the crypto tunnels back on. Otherwise you're just going to send packets, and the packets are going to drop because they don't know where they're going. Also, if you use smaller routers for this, small routers don't have an internal time source. Two workarounds for that: you can tell them to use an NTP source that's out on the network, which is okay. Or you could, as my Cisco instructor said, hook up a GPS to the back of your router and it would have a time source.

More than 10 sites. After you get to about 10 sites, typing in shared keys for each different site could be a little repetitive. Your configs could be a little long. You can then go to what's called TED, and TED is an algorithm that allows you to do hundreds of sites and everything is dynamic. The configuration for that took like an hour of slides, trying to show what you could do with TED and how it actually works. Hardware limits the amount of tunnels. The particular routers that we have can do 2,000 tunnels. The 2620s, which just now are capable of the encryption, I think can handle like 50.
The problem is you get into speed problems with how much bandwidth can be pushed through those routers. And then of course a full-mesh design would be even more complex if you consider 10 sites. So each of those 10 sites would then have 10 sites, and 10 sites, so you'd have 40 pre-shared keys. Obviously not the best thing in the world.

That's pretty much it. In summary, don't: use the defaults blindly; deploy services that aren't needed; allow device management from anywhere; use clear or easy guest passwords; send important data in clear text; or assume that you're not going to be hacked. Do: make sure that you secure your network devices; use strong authentication; deploy firewalls on all Internet connections; deploy some form of intrusion detection; and make sure that you are logging. These particular sources right here are really good. We have Cisco's Improving Security on Cisco Routers and the Security Technical Tips. And then these are more my personal sites that I like to read just for interest, which of course are Infowar, Insecure, Security Portal, SecurityFocus, SANS, and of course COAST. That's it.
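The two-office crypto map and the "more than 10 sites" discussion above are really one problem at two scales: every pair of peers needs a mirrored crypto ACL, a crypto-map entry and a pre-shared key typed identically on both ends, and the count grows with the topology. Here is an added example, my own code rather than anything from the talk or from Cisco, that generates the per-site crypto lines for N sites in either a full mesh or a hub-and-spoke layout, checks that the ACLs mirror each other, counts the keys, and flags sites whose peer count exceeds a tunnel limit. Site names, addresses, the transform-set name DES-SHA and the placeholder key are all constructed; the generated lines follow the command shapes mentioned in the talk and are not a complete, deployable configuration.

```python
"""Generate mirrored IPsec pre-shared-key configuration for N sites and count
the keys each topology needs. Constructed example: site names, addresses, the
transform-set name DES-SHA and the placeholder PSK are made up."""

# 10 constructed sites: name -> (public peer address, protected LAN in ACL wildcard notation)
SITES = {f"site{i:02d}": (f"198.51.100.{i}", f"10.{i}.0.0 0.0.255.255") for i in range(1, 11)}

def site_config(name, peers, sites, psk="PLACEHOLDER-PSK"):
    """Crypto lines one router needs: one isakmp key, one crypto ACL and one
    crypto-map entry per peer, the same shape as the two-office example."""
    lines = ["crypto isakmp policy 10", " authentication pre-share"]
    local_lan = sites[name][1]
    for i, peer in enumerate(sorted(peers)):
        peer_ip, peer_lan = sites[peer]
        acl = 101 + i
        lines += [
            f"crypto isakmp key {psk} address {peer_ip}",   # stored in clear text in the config
            f"access-list {acl} permit ip {local_lan} {peer_lan}",
            f"crypto map VPN {10 + i} ipsec-isakmp",
            f" set peer {peer_ip}",
            " set transform-set DES-SHA",
            f" match address {acl}",
        ]
    return lines

def build_configs(sites, topology, hub=None):
    """'mesh': every site peers with every other; 'hub': spokes peer only with the hub."""
    names = sorted(sites)
    if topology == "mesh":
        peers = {n: [m for m in names if m != n] for n in names}
    else:
        peers = {n: [m for m in names if m != hub] if n == hub else [hub] for n in names}
    return {n: site_config(n, peers[n], sites) for n in names}

def key_entries(configs):
    """Per-site count of 'crypto isakmp key' lines, plus the number of distinct peer pairs
    (each pair appears once on each side, hence the division by two)."""
    per_site = {n: sum(l.startswith("crypto isakmp key") for l in c) for n, c in configs.items()}
    return per_site, sum(per_site.values()) // 2

def mirrored(configs, sites, a, b):
    """True when A's crypto ACL toward B is the exact reverse of B's ACL toward A."""
    a_lan, b_lan = sites[a][1], sites[b][1]
    return (any(f"permit ip {a_lan} {b_lan}" in l for l in configs[a])
            and any(f"permit ip {b_lan} {a_lan}" in l for l in configs[b]))

def over_capacity(per_site, max_tunnels):
    """Sites whose peer count exceeds the tunnels their hardware can terminate."""
    return sorted(n for n, k in per_site.items() if k > max_tunnels)

if __name__ == "__main__":
    for topo in ("mesh", "hub"):
        cfgs = build_configs(SITES, topo, hub="site01")
        per_site, pairs = key_entries(cfgs)
        print(f"{topo}: {pairs} distinct pre-shared keys, "
              f"{len(cfgs['site01'])} config lines at site01, per-site peers {per_site}")
        print("  over a 5-tunnel limit:", over_capacity(per_site, 5))
```

For n sites a full mesh needs n(n-1)/2 distinct keys and n-1 tunnels at every site, while hub-and-spoke needs n-1 keys with only the hub carrying n-1 tunnels; the tunnel-limit check is where the per-model capacity figures from the talk would be plugged in. The generator also makes the clear-text key problem concrete: the same placeholder string is written into every site's config, so each config file has to be protected like a password store.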