00_9781587132483_fm.qxd
7/13/09
1:13 PM
Page i
Course Booklet
CCNA Security Version 1.0
ciscopress.com
00_9781587132483_fm.qxd
ii
7/13/09
1:13 PM
Page ii
CCNA Security Course Booklet, Version 1.0
CCNA Security Course Booklet Version 1.0 Cisco Networking Academy
Publisher Paul Boger Associate Publisher Dave Dusthimer
Copyright© 2010 Cisco Systems, Inc.
Cisco Representative Erik Ullanderson
Published by: Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA
Cisco Press Program Manager Anand Sundaram
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of America First Printing August 2009 Library of Congress Cataloging-in-Publication Data is available upon request. ISBN-13: 978-1-58713-248-3
Executive Editor Mary Beth Ray Managing Editor Patrick Kanouse Editorial Assistant Vanessa Evans
ISBN-10: 1-58713-248-6
Designer Louisa Adair
Warning and Disclaimer
Composition Mark Shirar
This book is designed to provide information about networking. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
00_9781587132483_fm.qxd
7/13/09
1:13 PM
Page iii
iii
Trademark Acknowledgments All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Feedback Information At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at
[email protected]. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.
Americas Headquarters Cisco Systems, Inc. San Jose, CA
Asia Pacific Headquarters Cisco Systems (USA) Pte. Ltd. Singapore
Europe Headquarters Cisco Systems International BV Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices. CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
00_9781587132483_fm.qxd
iv
7/13/09
1:13 PM
Page iv
CCNA Security Course Booklet, Version 1.0
Contents at a Glance Course Introduction
1
Chapter 1
Modern Network Security Threats
Chapter 2
Securing Network Devices
Chapter 3
Authentication, Authorization, and Accounting
Chapter 4
Implementing Firewall Technologies
Chapter 5
Implementing Intrusion Prevention
Chapter 6
Securing the Local Area Network
Chapter 7
Cryptographic Systems
Chapter 8
Implementing Virtual Private Networks
Chapter 9
Managing a Secure Network Glossary
297
5
27
87 131 157
193
263
227
63
00_9781587132483_fm.qxd
7/13/09
1:13 PM
Page v
v
Contents Course Introduction Chapter 1
1
Modern Network Security Threats Chapter Introduction
5
5
1.1 Fundamental Principles of a Secure Network
1.1.1 Evolution of Network Security 1.1.2 Drivers for Network Security
8
1.1.3 Network Security Organizations 1.1.4 Domains of Network Security 1.1.5 Network Security Policies
9 11
12
1.2 Viruses, Worms, and Trojan Horses
1.2.1 Viruses
13
1.2.2 Worms
13
1.2.3 Trojan Horses
5
5
13
15
1.2.4 Mitigating Viruses, Worms, and Trojan Horses 1.3 Attack Methodologies
17
1.3.1 Reconnaissance Attacks 1.3.2 Access Attacks
17
19
1.3.3 Denial of Service Attacks
20
1.3.4 Mitigating Network Attacks Chapter Summary
Chapter 2
15
22
25
Securing Network Devices Chapter Introduction
27
27
2.1 Securing Device Access
28
2.1.1 Securing the Edge Router
28
2.1.2 Configuring Secure Administrative Access
30
2.1.3 Configuring Enhanced Security for Virtual Logins 2.1.4 Configure SSH
33
35
2.2 Assigning Administrative Roles
38
2.2.1 Configuring Privilege Levels
38
2.2.2 Configuring Role-Based CLI Access 2.3 Monitoring and Managing Devices
41
43
2.3.1 Securing the Cisco IOS Image and Configuration Files 2.3.2 Secure Management and Reporting
46
2.3.3 Using Syslog for Network Security
48
2.3.4 Using SNMP for Network Security
50
2.3.5 Using NTP
52
43
00_9781587132483_fm.qxd
vi
7/13/09
1:13 PM
Page vi
CCNA Security Course Booklet, Version 1.0 2.4 Using Automated Security Features
2.4.1 Performing a Security Audit
54
54
2.4.2 Locking Down a Router Using AutoSecure 56 2.4.3 Locking Down a Router Using SDM Chapter Summary
Chapter 3
57
60
Authentication, Authorization, and Accounting Chapter Introduction 3.1 Purpose of AAA
63
63 63
3.1.1 AAA Overview 63 3.1.2 AAA Characteristics
65
3.2 Local AAA Authentication
66
3.2.1 Configuring Local AAA Authentication with CLI
66
3.2.2 Configuring Local AAA Authentication with SDM 3.2.3 Troubleshooting Local AAA Authentication 3.3 Server-Based AAA
68
69
69
3.3.1 Server-Based AAA Characteristics
69
3.3.2 Server-Based AAA Communication Protocols 3.3.3 Cisco Secure ACS
69
71
3.3.4 Configuring Cisco Secure ACS
73
3.3.5 Configuring Cisco Secure ACS Users and Groups 3.4 Server-Based AAA Authentication
76
77
3.4.1 Configuring Server-Based AAA Authentication with CLI
77
3.4.2 Configuring Server-Based AAA Authentication with SDM 3.4.3 Troubleshooting Server-Based AAA Authentication 3.5 Server-Based AAA Authorization and Accounting
3.5.1 Configuring Server-Based AAA Authorization 3.5.2 Configuring Server-Based AAA Accounting Chapter Summary
Chapter 4
80
80 82
84
Implementing Firewall Technologies Chapter Introduction
80
87
87
4.1 Access Control Lists
88
4.1.1 Configuring Standard and Extended IP ACLs with CLI 4.1.2 Using Standard and Extended IP ACLs
91
4.1.3 Topology and Flow for Access Control Lists
92
4.1.4 Configuring Standard and Extended ACLs with SDM 4.1.5 Configuring TCP Established and Reflexive ACLs 4.1.6 Configuring Dynamic ACLs
99
4.1.8 Troubleshooting Complex ACL Implementations 4.1.9 Mitigating Attacks with ACLs
95
98
4.1.7 Configuring Time-Based ACLs
102
88
101
93
78
00_9781587132483_fm.qxd
7/13/09
1:13 PM
Page vii
vii 4.2 Firewall Technologies
103
4.2.1 Securing Networks with Firewalls 4.2.2 Types of Firewalls
103
105
4.2.3 Firewalls in Network Design
107
4.3 Context-Based Access Control
108
4.3.1 CBAC Characteristics 4.3.2 CBAC Operation
108
110
4.3.3 Configuring CBAC
112
4.3.4 Troubleshooting CBAC 116 4.4 Zone-Based Policy Firewall
118
4.4.1 Zone-Based Policy Firewall Characteristics 4.4.2 Zone-Based Policy Firewall Operation
118
120
4.4.3 Configuring a Zone-Based Policy Firewall with CLI 4.4.4 Configuring Zone-Based Policy Firewall with Manual SDM 123 4.4.5 Configuring Zone-Based Policy Firewall with SDM Wizard 126 4.4.6 Troubleshooting Zone-Based Policy Firewall Chapter Summary
Chapter 5
129
Implementing Intrusion Prevention Chapter Introduction
131
5.1 IPS Technologies
131
5.1.1 IDS and IPS Characteristics
131
131
5.1.2 Host-Based IPS Implementations
133
5.1.3 Network-Based IPS Implementations 5.2 IPS Signatures
137
5.2.1 IPS Signature Characteristics 5.2.2 IPS Signature Alarms 5.2.4 IPS Signature Actions
137
139
5.2.3 Tuning IPS Signature Alarms
142
143
5.2.5 Managing and Monitoring IPS 5.3 Implementing IPS
145
147
5.3.1 Configuring Cisco IOS IPS with CLI 5.3.2 Configuring Cisco IOS IPS with SDM 5.3.3 Modifying Cisco IOS IPS Signatures 5.4 Verify and Monitor IPS
153
5.4.1 Verifying Cisco IOS IPS 5.4.2 Monitoring Cisco IOS IPS Chapter Summary
135
155
153 153
147 149 151
127
121
00_9781587132483_fm.qxd
viii
7/13/09
1:13 PM
Page viii
CCNA Security Course Booklet, Version 1.0
Chapter 6
Securing the Local Area Network Chapter Introduction
157
157
6.1 Endpoint Security
157
6.1.1 Introducing Endpoint Security
157
6.1.2 Endpoint Security with IronPort 160 6.1.3 Endpoint Security with Network Admission Control 6.1.4 Endpoint Security with Cisco Security Agent 6.2 Layer 2 Security Considerations
165
6.2.1 Introducing Layer 2 Security
165
6.2.2 MAC Address Spoofing Attacks
165
6.2.3 MAC Address Table Overflow Attacks 6.2.4 STP Manipulation Attacks 6.2.5 LAN Storm Attack 6.2.6 VLAN Attacks
166
167
167
168
6.3 Configuring Layer 2 Security
169
6.3.1 Configuring Port Security 6.3.2 Verifying Port Security
169
171
6.3.3 Configuring BPDU Guard and Root Guard 6.3.4 Configuring Storm Control
172
173
6.3.5 Configuring VLAN Trunk Security
174
6.3.6 Configuring Cisco Switched Port Analyzer
175
6.3.7 Configuring Cisco Remote Switched Port Analyzer 6.3.8 Recommended Practices for Layer 2 6.4 Wireless, VoIP, and SAN Security
177
177
6.4.1 Enterprise Advanced Technology Security Considerations 177 6.4.2 Wireless Security Considerations 6.4.3 Wireless Security Solutions 6.4.5 VoIP Security Solutions
Chapter 7
185
187
190
Cryptographic Systems Chapter Introduction
193
193
7.1 Cryptographic Services
193
7.1.1 Securing Communications 7.1.2 Cryptography 7.1.3 Cryptanalysis 7.1.4 Cryptology
180
183
6.4.6 SAN Security Considerations 6.4.7 SAN Security Solutions
195 198 199
178
179
6.4.4 VoIP Security Considerations
Chapter Summary
161
163
193
176
00_9781587132483_fm.qxd
7/13/09
1:13 PM
Page ix
ix 7.2 Basic Integrity and Authenticity
7.2.1 Cryptographic Hashes
200
200
7.2.2 Integrity with MD5 and SHA-1
201
7.2.3 Authenticity with HMAC 202 7.2.4 Key Management 7.3 Confidentiality
205
7.3.1 Encryption
205
203
7.3.2 Data Encryption Standard 7.3.3 3DES
208
209
7.3.4 Advanced Encryption Standard
210
7.3.5 Alternate Encryption Algorithms
211
7.3.6 Diffie-Hellman Key Exchange 211 7.4 Public Key Cryptography
213
7.4.1 Symmetric Versus Asymmetric Encryption 7.4.2 Digital Signatures
213
214
7.4.3 Rivest, Shamir, and Alderman
217
7.4.4 Public Key Infrastructure 217 7.4.5 PKI Standards
219
7.4.6 Certificate Authorities
221
7.4.7 Digital Certificates and CAs Chapter Summary
Chapter 8
222
225
Implementing Virtual Private Networks Chapter Introduction 8.1 VPNs
227
227
227
8.1.1 VPN Overview 227 8.1.2 VPN Topologies 8.1.3 VPN Solutions 8.2 GRE VPNs
229 230
233
8.2.1 Configuring a Site-to-Site GRE Tunnel 8.3 IPsec VPN Components and Operation
8.3.1 Introducing IPsec
233 234
234
8.3.2 IPsec Security Protocols
237
8.3.3 Internet Key Exchange 239 8.4 Implementing Site-to-Site IPsec VPNs with CLI
242
8.4.1 Configuring a Site-to-Site IPsec VPN 242 8.4.2 Task 1 - Configure Compatible ACLs
243
8.4.3 Task 2 - Configure IKE 243 8.4.4 Task 3 - Configure the Transform Sets 8.4.5 Task 4 - Configure the Crypto ACLs 8.4.6 Task 5 - Apply the Crypto Map
244 245
246
8.4.7 Verify and Troubleshoot the IPsec Configuration
248
00_9781587132483_fm.qxd
x
7/13/09
1:13 PM
Page x
CCNA Security Course Booklet, Version 1.0 8.5 Implementing Site-to-Site IPsec VPNs with SDM
8.5.1 Configuring IPsec Using SDM 8.5.2 VPN Wizard - Quick Setup
248
248
249
8.5.3 VPN Wizard - Step-by-Step Setup
250
8.5.4 Verifying, Monitoring, and Troubleshooting VPNs 8.6 Implementing Remote-Access VPNs
252
8.6.1 The Changing Corporate Landscape 8.6.2 Introducing Remote-Access VPNs 8.6.3 SSL VPNs
252
252 253
254
8.6.4 Cisco Easy VPN 256 8.6.5 Configure a VPN Server with SDM 8.6.6 Connect with a VPN Client Chapter Summary
Chapter 9
260
Managing a Secure Network Chapter Introduction
257
259
263
263
9.1 Principles of Secure Network Design
264
9.1.1 Ensuring a Network is Secure 264 9.1.2 Threat Identification and Risk Analysis
265
9.1.3 Risk Management and Risk Avoidance
269
9.2 Cisco Self-Defending Network
269
9.2.1 Introducing the Cisco Self-Defending Network
269
9.2.2 Solutions for the Cisco SDN 271 9.2.3 Cisco Integrated Security Portfolio 9.3 Operations Security
274
274
9.3.1 Introducing Operations Security
274
9.3.2 Principles of Operations Security 9.4 Network Security Testing
275
277
9.4.1 Introducing Network Security Testing 9.4.2 Network Security Testing Tools
277
278
9.5 Business Continuity Planning and Disaster Recovery
9.5.1 Continuity Planning
280
9.5.2 Disruptions and Backups
280
9.6 System Development Life Cycle
9.6.1 Introducing the SDLC 281 9.6.2 Phases of the SDLC 282
281
280
00_9781587132483_fm.qxd
7/13/09
1:13 PM
Page xi
xi 9.7 Developing a Comprehensive Security Policy
9.7.1 Security Policy Overview 284 9.7.2 Structure of a Security Policy
285
9.7.3 Standards, Guidelines, and Procedures 9.7.4 Roles and Responsibilities
287
9.7.5 Security Awareness and Training 9.7.6 Laws and Ethics
290
9.7.7 Responding to a Security Breach Chapter Summary
Glossary
297
294
288 292
286
284
00_9781587132483_fm.qxd
xii
7/13/09
1:13 PM
Page xii
CCNA Security Course Booklet, Version 1.0
Command Syntax Conventions The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows: ■
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
■
Italic indicates arguments for which you supply actual values.
■
Vertical bars (|) separate alternative, mutually exclusive elements.
■
Square brackets ([ ]) indicate an optional element.
■
Braces ({ }) indicate a required choice.
■
Braces within brackets ([{ }]) indicate a required choice within an optional element.
00_9781587132483_fm.qxd
7/13/09
1:13 PM
Page xiii
xiii
About this Course Booklet Your Cisco Networking Academy Course Booklet is designed as a study resource you can easily read, highlight, and review on the go, wherever the Internet is not available or practical: ■
The text is extracted directly, word-for-word, from the online course so you can highlight important points and take notes in the “Your Chapter Notes” section.
■
Headings with the exact page correlations provide a quick reference to the online course for your classroom discussions and exam preparation.
■
An icon system directs you to the online curriculum to take full advantage of the images imbedded within the Networking Academy online course interface and reminds you to perform the labs and Packet Tracer activities for each chapter. Refer to Lab Activity for this chapter
Refer to Packet Tracer Activity for this chapter
The Course Booklet is a basic, economical paper-based resource to help you succeed with the Cisco Networking Academy online course.
00_9781587132483_fm.qxd
7/13/09
1:13 PM
Page xxxi
00_9781587132483_intro.qxp
7/13/09
1:10 PM
Page 1
Course Introduction
0.0 Course Introduction 0.0.1.1 Welcome Welcome to the CCNA Security course. The goal of this course is to develop a detailed understanding of network security principles as well as the tools and configurations available. These online course materials will assist you in developing the skills necessary to design and support network security.
More than Just Information This computer-based learning environment is an important part of the overall course experience for students and instructors in the Networking Academies. These online course materials are designed to be used along with several other instructional tools and activities. These include: ■
Class presentation, discussion and practice with your teacher
■
Hands-on labs that use networking equipment within the Networking Academy classroom
■
Online scored assessments and grade book
■
Packet Tracer simulation tool
A Global Community When you participate in the Networking Academies, you are joining a global community linked by common goals and technologies. Schools in over 160 countries participate in the program. You can see an interactive network map of the global Cisco Networking Academy community at http://www.academynetspace.com The material in this course addresses a range of technologies that facilitate how people work, live, play and learn by communicating with voice, video, and other data. We have worked with instructors around the world to create these materials. It is important that you work with your instructor and fellow students to adapt the material in this course to your local situation.
Keep in Touch These on-line instructional materials, and the rest of the course tools, are part of the larger Cisco Networking Academy. The portal for the program is located at http://www.cisco.com/web/learning/netacad/index.htm. This portal is where you access tools, informational updates and other relevant links, including the assessment server and student grade book.
00_9781587132483_intro.qxp
2
7/13/09
1:10 PM
Page 2
CCNA Security Course Booklet, Version 1.0
Mind Wide Open™ An important goal in education is to enrich you, the student, by expanding what you know and can do. It is important to realize, however, that the instructional materials and the instructor can only facilitate the change. You must make the commitment yourself to learn new skills. Below are a few suggestions to help you learn: 1.Take notes. Professionals in the networking field often keep Engineering Journals in which they write down the things they observe and learn. Taking notes is an important way to help your understanding improve over time. 2. Think about it. The course provides information both to change what you know, and what you can do. As you go through the course, ask yourself what makes sense and what doesn’t. Stop and ask questions when you are confused. Try to find out more about topics which interest you. If you are not sure why something is being taught, consider asking your instructor or a friend. Think about how the different parts of the course fit together. 3. Practice. Learning new skills requires practice. We believe this is so important to e-learning that we have a special name for it. We call it e-Doing. It is very important that you complete the activities in the online instructional materials and that you complete the hands-on labs and Packet Tracer activities. 4. Practice again. Have you ever thought you knew how to do something and then, when it was time to show it on a test or at work, you discovered you really hadn’t mastered it? Just like learning any new skill, such as a sport, game, or language, learning a professional skill requires patience and repeated practice before you can say you have truly learned it. The on-line instructional materials in this course provide repeated practice for many skills. Take full advantage of them. Work with your instructor to create additional practice opportunities using Packet Tracer and other tools. 5. Teach it. Teaching a friend or colleague is often a good way to improve your own learning. To teach well, you need to work through details you may have overlooked on your first reading. Conversations about the course material with fellow students, colleagues, and the instructor can help solidify your understanding of networking concepts. 6. Make changes as you go. The course is designed to provide feedback through interactive activities and quizzes, the online assessment system, and through interactions with your instructor. You can use this feedback to better understand where your strengths and weaknesses are. If there is an area you are having trouble with, focus on studying or practicing more in that area. Seek feedback from your instructor and other students.
Explore the World of Networking This version of the course includes a special tool called Packet Tracer. Packet Tracer is a networking learning tool that supports a wide range of physical and logical simulations. It also provides visualization tools to help you to understand the internal workings of a network. The Packet Tracer activities included with the course consist of network simulations, games, activities, and challenges that provide a broad range of learning experiences.
00_9781587132483_intro.qxp
7/13/09
1:10 PM
Page 3
Course Introduction
3
Create your own worlds You can also use Packet Tracer to create your own experiments and networking scenarios. We hope that, over time, you consider using Packet Tracer – not only for experiencing the activities included with the course, but also to become an author, explorer, and experimenter.
0.0.1.2 More and more, we interact and share ideas using a network built on IP services. With more being done in this environment security is a constantly growing requirement. Behind the scenes, the architects of secure communications are network security specialists. We expect the network applications and services we use to be available and secure. And, as the underlying networks become more complex with more services offered, securing these networks becomes a top priority. We rely on network security specialists to ensure our networks can meet our expectations. A well secured network protects our investment in networking technology and provides our organizations with a competitive edge. Career opportunities in network security are growing quickly, as organizations large and small understand the importance of maintaining a secure network.
0.0.1.3 Upon successful completion of this course, you will be able to: ■
Describe the security threats facing modern network infrastructures.
■
Secure Cisco routers.
■
Implement AAA on Cisco routers using local router databases and external servers.
■
Mitigate threats to Cisco routers and networks using ACLs.
■
Implement secure network management and reporting.
■
Mitigate common Layer 2 attacks.
■
Implement the Cisco IOS firewall feature set.
■
Implement the Cisco IOS IPS feature set.
■
Implement site-to-site IPsec VPNs.
00_9781587132483_intro.qxp
4
7/13/09
1:10 PM
Page 4
CCNA Security Course Booklet, Version 1.0
Chapter Summary Refer to Packet Tracer Activity for this chapter
Your Chapter Notes
Refer to Lab Activity for this chapter
01_9781587132483_ch01.qxp
7/13/09
1:07 PM
Page 5
CHAPTER 1
Modern Network Security Threats
Chapter Introduction Network security is now an integral part of computer networking. Network security involves protocols, technologies, devices, tools, and techniques to secure data and mitigate threats. Network security solutions emerged in the 1960s but did not mature into a comprehensive set of solutions for modern networks until the 2000s. Network security is largely driven by the effort to stay one step ahead of ill-intentioned hackers. Just as medical doctors attempt to prevent new illness while treating existing problems, network security professionals attempt to prevent attacks while minimizing the effects of real-time attacks. Business continuity is another major driver of network security. Network security organizations have been created to establish formal communities of network security professionals. These organizations set standards, encourage collaboration, and provide workforce development opportunities for security professionals. It is important for network security professionals to be aware of the resources provided by these organizations. The complexity of network security makes it difficult to master all it encompasses. Different organizations have created domains that subdivide the world of network security into more manageable pieces. This division allows professionals to focus on more precise areas of expertise in their training, research, and employment. Network security policies are created by companies and government organizations to provide a framework for employees to follow during their day-to-day work. Network security professionals at the management level are responsible for creating and maintaining the network security policy. All network security practices relate to and are guided by the network security policy. Just as network security is composed of domains of network security, network attacks are classified so that it is easier to learn about them and address them appropriately. Viruses, worms, and Trojan Horses are specific types of network attacks. More generally, network attacks are classified as reconnaissance, access, or Denial of Service attacks. Mitigating network attacks is the job of a network security professional. In this chapter, the learner masters the underlying theory of network security, which is necessary to understand before beginning an in-depth practice of network security. The methods of network attack mitigation are introduced here, and the implementation of these methods comprises the remainder of this course. A hands-on lab for the chapter, Researching Network Attacks and Security Audit, guides learners through researching network attacks and security audit tools. The lab is found in the lab manual on Academy Connection at cisco.netacad.net.
1.1 Fundamental Principles of a Secure Network 1.1.1 Evolution of Network Security In July 2001, the Code Red worm attacked web servers globally, infecting over 350,000 hosts. The worm not only disrupted access to the infected servers, but also affected the local networks hosting
01_9781587132483_ch01.qxp
6
7/13/09
1:07 PM
Page 6
CCNA Security Course Booklet, Version 1.0
the servers, making them very slow or unusable. The Code Red worm caused a Denial of Service (DoS) to millions of users. If the network security professionals responsible for these Code Red-infected servers had developed and implemented a security policy, security patches would have been applied in a timely manner. The Code Red worm would have been stopped and would only merit a footnote in network security history. Network security relates directly to an organization’s business continuity. Network security breaches can disrupt e-commerce, cause the loss of business data, threaten people’s privacy (with the potential legal consequences), and compromise the integrity of information. These breaches can result in lost revenue for corporations, theft of intellectual property, and lawsuits, and can even threaten public safety. Maintaining a secure network ensures the safety of network users and protects commercial interests. To keep a network secure requires vigilance on the part of an organization’s network security professionals. Security professionals must constantly be aware of new and evolving threats and attacks to networks, and vulnerabilities of devices and applications. This information is used to adapt, develop and implement mitigation techniques. However, security of the network is ultimately the responsibility of everyone that uses it. For this reason, it is the job of the network security professional to ensure that all users receive security awareness training. Maintaining a secure, protected network provides a more stable, functional work environment for everyone. “Necessity is the mother of invention.” This saying applies perfectly to network security. In the early days of the Internet, commercial interests were negligible. The vast majority of users were research and development experts. Early users rarely engaged in activities that would harm other users. The Internet was not a secure environment because it did not need to be. Early on, networking involved connecting people and machines through communications media. The job of a networker was to get devices connected to improve people’s ability to communicate information and ideas. The early users of the Internet did not spend much time thinking about whether or not their online activities presented a threat to the network or to their own data. When the first viruses were unleashed and the first DoS attack occurred, the world began to change for networking professionals. To meet the needs of users, network professionals learned techniques to secure networks. The primary focus of many network professionals evolved from designing, building, and growing networks to securing existing networks. Today, the Internet is a very different network compared to its beginnings in the 1960s. The job of a network professional includes ensuring that appropriate personnel are well versed in network security tools, processes, techniques, protocols, and technologies. It is critical that network security professionals maintain a healthy paranoia to manage the constantly evolving collection of threats to networks. As network security became an integral part of everyday operations, devices dedicated to particular network security functions emerged. One of the first network security tools was the intrusion detection system (IDS), first developed by SRI International in 1984. An IDS provides real-time detection of certain types of attacks while they are in progress. This detection allows network professionals to more quickly mitigate the negative impact of these attacks on network devices and users. In the late 1990s, the intrusion prevention system or sensor (IPS) began to replace the IDS solution. IPS devices enable the detection of malicious activity and have the ability to automatically block the attack in real-time. In addition to IDS and IPS solutions, firewalls were developed to prevent undesirable traffic from entering prescribed areas within a network, thereby providing perimeter security. In 1988, Digital
01_9781587132483_ch01.qxp
7/13/09
1:07 PM
Page 7
Chapter 1: Modern Network Security Threats
7
Equipment Corporation (DEC) created the first network firewall in the form of a packet filter. These early firewalls inspected packets to see if they matched sets of predefined rules, with the option of forwarding or dropping the packets accordingly. Packet filtering firewalls inspect each packet in isolation without examining whether a packet is part of an existing connection. In 1989, AT&T Bell Laboratories developed the first stateful firewall. Like packet filtering firewalls, stateful firewalls use predefined rules for permitting or denying traffic. Unlike packet filtering firewalls, stateful firewalls keep track of established connections and determine if a packet belongs to an existing flow of data, providing greater security and more rapid processing. The original firewalls were software features added to existing networking devices, such as routers. Over time, several companies developed standalone, or dedicated, firewalls that enable routers and switches to offload the memory and processor intensive activity of filtering packets. For organizations that do not require a dedicated firewall, modern routers, like the Cisco Integrated Services Router (ISR), can be used as sophisticated stateful firewalls. In addition to dealing with threats from outside of the network, network professionals must also be prepared for threats from inside the network. Internal threats, whether intentional or accidental, can cause even greater damage than external threats because of direct access to and knowledge of the corporate network and data. Despite this fact, it has taken more than 20 years after the introduction of tools and techniques for mitigating external threats to develop mitigation tools and techniques for internal threats. A common scenario for a threat originating from inside the network is a disgruntled employee with some technical skills and a willingness to do harm. Most threats from within the network leverage the protocols and technologies used on the local area network (LAN) or the switched infrastructure. These internal threats basically fall into two categories: spoofing and DoS. Spoofing attacks are attacks in which one device attempts to pose as another by falsifying data. For example, MAC address spoofing occurs when one computer accepts data packets based on the MAC address of another computer. There are other types of spoofing attacks as well. DoS attacks make computer resources unavailable to intended users. Attackers use various methods to launch DoS attacks. As a network security professional, it is important to understand the methods designed specifically for targeting these types of threats and ensuring the security of the LAN. In addition to preventing and denying malicious traffic, network security also requires that data stay protected. Cryptography, the study and practice of hiding information, is used pervasively in modern network security. Today, each type of network communication has a corresponding protocol or technology designed to hide that communication from anyone other than the intended user. Wireless data can be encrypted (hidden) using various cryptography applications. The conversation between two IP phone users can be encrypted. The files on a computer can also be hidden with encryption. These are just a few examples. Cryptography can be used almost anywhere that there is data communication. In fact, the trend is toward all communication being encrypted. Cryptography ensures data confidentiality, which is one of the three components of information security: confidentiality, integrity, and availability. Information security deals with protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Encryption provides confidentiality by hiding plaintext data. Data integrity, meaning that the data is preserved unaltered during any operation, is achieved by the use of hashing mechanisms. Availability, which is data accessibility, is guaranteed by network hardening mechanisms and backup systems.
01_9781587132483_ch01.qxp
8
7/13/09
1:07 PM
Page 8
CCNA Security Course Booklet, Version 1.0
1.1.2 Drivers for Network Security The word hackers has a variety of meanings. For many, it means Internet programmers who try to gain unauthorized access to devices on the Internet. It is also used to refer to individuals that run programs to prevent or slow network access to a large number of users, or corrupt or wipe out data on servers. But for some, the term hacker has a positive interpretation as a network professional that uses sophisticated Internet programming skills to ensure that networks are not vulnerable to attack. Good or bad, hacking is a driving force in network security. From a business perspective, it is important to minimize the effects of hackers with bad intentions. Businesses lose productivity when the network is slow or unresponsive. Business profits are impacted by data loss and data corruption. The job of a network security professional is to stay one step ahead of the hackers by attending training and workshops, participating in security organizations, subscribing to real-time feeds regarding threats, and perusing security websites on a daily basis. The network security professional must also have access to state-of-the art security tools, protocols, techniques, and technologies. Network security professionals should have many of the same traits as law enforcement professionals. They should always remain aware of malicious activities and have the skills and tools to minimize or eliminate the threats associated with those activities. Hacking has the unintended effect of putting network security professionals at the top when it comes to employability and compensation. However, relative to other technology professions, network security has the steepest learning curve and the greatest demand for engaging in constant professional development. Hacking started in the 1960s with phone freaking, or phreaking, which refers to using various audio frequencies to manipulate phone systems. Phreaking began when AT&T introduced automatic switches to their phone systems. The AT&T phone switches used various tones, or tone dialing, to indicate different functions, such as call termination and call dialing. A few AT&T customers realized that by mimicking a tone using a whistle, they could exploit the phone switches to make free long-distance calls. As communication systems evolved, so did hacking methods. Wardialing became popular in the 1980s with the use of computer modems. Wardialing programs automatically scanned telephone numbers within a local area, dialing each one in search of computers, bulletin board systems, and fax machines. When a phone number was found, password-cracking programs were used to gain access. Wardriving began in the 1990s and is still popular today. With wardriving, users gain unauthorized access to networks via wireless access points. This is accomplished using a vehicle and a wirelessenabled portable computer or PDA. Password-cracking programs are used to authenticate, if necessary, and there is even software to crack the encryption scheme required to associate to the access point. A number of other threats have evolved since the 1960s, including network scanning tools such as Nmap and SATAN, as well as remote system administration hacking tools such as Back Orifice. Network security professionals must be familiar with all of these tools. Trillions of dollars are transacted over the Internet on a daily basis, and the livelihoods of millions depend on Internet commerce. For this reason, criminal laws are in place to protect individual and corporate assets. There are numerous cases of individuals who have had to face the court system due to these laws. The first email virus, the Melissa virus, was written by David Smith of Aberdeen, New Jersey. This virus resulted in memory overflows in Internet mail servers. David Smith was sentenced to 20 months in federal prison and a US$5,000 fine.
01_9781587132483_ch01.qxp
7/13/09
1:07 PM
Page 9
Chapter 1: Modern Network Security Threats
9
Robert Morris created the first Internet worm with 99 lines of code. When the Morris Worm was released, 10% of Internet systems were brought to a halt. Robert Morris was charged and received three years probation, 400 hours of community service, and a fine of US$10,000. One of the most notorious Internet hackers, Kevin Mitnick, was incarcerated for four years for hacking credit card accounts in the early 1990s. Whether the attack is via spam, a virus, DoS, or simply breaking into accounts, when the creativity of hackers is used for malicious purposes, they often end up going to jail, paying large fines, and losing access to the very environment in which they thrive. As a result of hacker exploits, the sophistication of hacker tools, and government legislation, network security solutions developed rapidly in the 1990s. By the late 1990s, many sophisticated network security solutions had been developed for organizations to strategically deploy within their networks. With these solutions came new job opportunities and increased compensation in the field of network security. The annual income for a network security professional is on the high end of the scale for careers in technology because of the depth and breadth of knowledge required. Network security professionals must constantly upgrade their skill set to keep abreast of the latest threats. The challenge of gaining and maintaining the necessary knowledge often translates into a shortage of network security professionals. Network security professionals are responsible for maintaining data assurance for an organization and ensuring the integrity and confidentiality of information. A network security professional might be responsible for setting up firewalls and intrusion prevention systems as well as ensuring encryption of company data. Implementing enterprise authentication schemes is another important task. The job entails maintaining detailed logs of suspicious activity on the network to use for reprimanding or prosecuting violators. As a network security professional, it is also important to maintain familiarity with network security organizations. These organizations often have the latest information on threats and vulnerabilities.
1.1.3 Network Security Organizations Network security professionals must collaborate with professional colleagues more frequently than most other professions. This includes attending workshops and conferences that are often affiliated with, sponsored or organized by local, national, or international technology organizations. Three of the more well-established network security organizations are: ■
SysAdmin, Audit, Network, Security (SANS) Institute
■
Computer Emergency Response Team (CERT)
■
International Information Systems Security Certification Consortium (pronounce (ISC)2 as “I-S-C-squared”)
A number of other network security organizations are also important to network security professionals. InfoSysSec is a network security organization that hosts a security news portal, providing the latest breaking news pertaining to alerts, exploits, and vulnerabilities. The Mitre Corporation maintains a list of common vulnerabilities and exposures (CVE) used by prominent security organizations. FIRST is a security organization that brings together a variety of computer security incident response teams from government, commercial, and educational organizations to foster cooperation and coordination in information sharing, incident prevention and rapid reaction. Finally, the Center for Internet Security (CIS) is a non-profit enterprise that develops security config-
01_9781587132483_ch01.qxp
10
7/13/09
1:07 PM
Page 10
CCNA Security Course Booklet, Version 1.0
uration benchmarks through a global consensus to reduce the risk of business and e-commerce disruptions. SANS was established in 1989 as a cooperative research and education organization. The focus of SANS is information security training and certification. SANS develops research documents about various aspects of information security. A range of individuals, from auditors and network administrators to chief information security officers, share learned lessons and solutions to various challenges. At the heart of SANS are security practitioners in varied global organizations, from corporations to universities, working together to help the entire information security community. SANS resources are largely free upon request. This includes the popular Internet Storm Center, the Internet’s early warning system; NewsBites, the weekly news digest; @RISK, the weekly vulnerability digest; flash security alerts; and more than 1,200 award-winning, original research papers. SANS develops security courses that can be taken to prepare for Global Information Assurance Certification (GIAC) in auditing, management, operations, legal issues, security administration, and software security. GIAC validates the skills of security professionals, ranging from entry-level information security to advanced subject areas like auditing, intrusion detection, incident handling, firewalls and perimeter protection, data forensics, hacker techniques, Windows and UNIX operating system security, and secure software and application coding. CERT is part of the U.S. federally funded Software Engineering Institute (SEI) at Carnegie Mellon University. CERT is chartered to work with the Internet community in detecting and resolving computer security incidents. The Morris Worm motivated the formation of CERT at the directive of the Defense Advanced Research Projects Agency (DARPA). The CERT Coordination Center (CERT/CC) focuses on coordinating communication among experts during security emergencies to help prevent future incidents. CERT responds to major security incidents and analyzes product vulnerabilities. CERT works to manage changes relating to progressive intruder techniques and to the difficulty of detecting attacks and catching attackers. CERT develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of services. CERT focuses on five areas: software assurance, secure systems, organizational security, coordinated response, and education and training. CERT disseminates information by publishing articles, research and technical reports, and papers on a variety of security topics. CERT works with the news media to raise awareness of the risks on the Internet and the steps that users can take to protect themselves. CERT works with other major technology organizations, such as FIRST and IETF, to increase the commitment to security and survivability. CERT also advises U.S. government organizations, such as the National Threat Assessment Center, the National Security Council, and the Homeland Security Council. (ISC)2 provides vendor-neutral education products and career services in more than 135 countries. Its membership includes 60,000 certified industry professionals worldwide. The mission of (ISC)2 is to make the cyber world a safe place through elevating information security to the public domain and supporting and developing information security professionals around the world. (ISC)2 develops and maintains the (ISC)2 Common Body of Knowledge (CBK). The CBK defines global industry standards, serving as a common framework of terms and principles that (ISC)2 credentials are based upon. The CBK allows professionals worldwide to discuss, debate, and resolve matters pertaining to the field.
01_9781587132483_ch01.qxp
7/13/09
1:07 PM
Page 11
Chapter 1: Modern Network Security Threats
11
Most notably, (ISC)2 is universally recognized for its four information security certifications, including one of the most popular certifications in the network security profession, the Certified Information Systems Security Professional (CISSP). These credentials help to ensure that employers. with certified employees, maintain the safety of information assets and infrastructures. (ISC)2 promotes expertise in handling security threats through its education and certification programs. As a member, individuals have access to current industry information and networking opportunities unique to its network of certified information security professionals. In addition to the websites of the various security organizations, one of the most useful tools for the network security professional is Really Simple Syndication (RSS) feeds. RSS is a family of XML-based formats used to publish frequently updated information, such as blog entries, news headlines, audio, and video. RSS uses a standardized format. An RSS feed includes complete or summarized text, plus metadata, such as publishing dates and authorships. RSS benefits professionals who want to subscribe to timely updates from favored websites or to aggregate feeds from many sites into one place. RSS feeds can be read using a web-based RSS reader, typically built into a web browser. The RSS reader software checks the user’s subscribed feeds regularly for new updates and provides an interface to monitor and read the feeds. By using RSS, a network security professional can acquire up-to-date information on a daily basis and aggregate real-time threat information for review at any time. For example, the US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents being reported to the US-CERT. A text-only RSS feed is available at http://www.us-cert.gov/current/index.rdf. This feed reports at all hours of the day and night, with information regarding security advisories, email scams, backup vulnerabilities, malware spreading via social network sites, and other potential threats.
1.1.4 Domains of Network Security It is vital for a network security professional to understand the drivers for network security and be familiar with the organizations dedicated to network security. It is also important to have an understanding of the various network security domains. Domains provide an organized framework to facilitate learning about network security. There are 12 network security domains specified by the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC). Described by ISO/IEC 27002, these 12 domains serve to organize at a high level the vast realm of information under the umbrella of network security. These domains have some significant parallels with domains defined by the CISSP certification. The 12 domains are intended to serve as a common basis for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities. The 12 domains of network security provide a convenient separation for the elements of network security. While it is not important to memorize these 12 domains, it is important to be aware of their existence and formal declaration by the ISO. They serve as a useful reference going forward in your work as a network security professional. One of the most important domains is security policy. A security policy is a formal statement of the rules by which people must abide who are given access to the technology and information assets of an organization. The concept, development, and application of a security policy play a significant role in keeping an organization secure. It is the responsibility of a network security professional to weave the security policy into all aspects of business operations within an organization.
01_9781587132483_ch01.qxp
12
7/13/09
1:07 PM
Page 12
CCNA Security Course Booklet, Version 1.0
1.1.5 Network Security Policies The network security policy is a broad, end-to-end document designed to be clearly applicable to an organization’s operations. The policy is used to aid in network design, convey security principles, and facilitate network deployments. The network security policy outlines rules for network access, determines how policies are enforced, and describes the basic architecture of the organization’s network security environment. The document is generally several pages. Because of its breadth of coverage and impact, it is usually compiled by a committee. It is a complex document meant to govern items such as data access, web browsing, password usage, encryption, and email attachments. A security policy should keep ill-intentioned users out and have control over potentially risky users. When a policy is created, it must be understood first what services are available to which users. The network security policy establishes a hierarchy of access permissions, giving employees only the minimal access necessary to perform their work. The network security policy outlines what assets need to be protected and gives guidance on how it should be protected. This will then be used to determine the security devices and mitigation strategies and procedures that should be implemented on the network. A Cisco Self-Defending Network (SDN) uses the network to identify, prevent, and adapt to threats. Unlike point-solution strategies, where products are purchased individually without consideration for which products work best together, a network-based approach is a strategic approach that meets the current challenges and evolves to address new security needs. A Cisco SDN begins with a strong, secure, flexible network platform from which a security solution is built. A Cisco SDN topology includes Cisco Security Manager, a Monitoring, Analysis, and Response System (MARS), one or more IPSs, one or more firewalls, several routers, and VPN concentrators. Some of these might appear as blades in a Catalyst 6500 switch or as modules in an Integrated Services Router (ISR), perhaps even as software installed on servers or as standalone devices. The Cisco Integrated Security Portfolio is designed to meet the requirements and diverse deployment models of any network and any environment. Many products are available to meet these needs. Most customers do not adopt all the components of the Cisco SDN at one time. For this reason, the Cisco SDN provides products that can be deployed independently and solutions that can link these products together as confidence builds in each product and subsystem. Elements of a Cisco SDN approach can be integrated into a network security policy. By leveraging the Cisco SDN approach when creating and amending the security policy, it can help create a hierarchical structure to the document. While the security policy should be comprehensive, it should also be succinct enough to be usable by the technology practitioners in the organization. One of the most important steps in creating a policy is identifying critical assets. These can include databases, vital applications, customer and employee information, classified commercial information, shared drives, email servers, and web servers. A security policy is a set of objectives for the company, rules of behavior for users and administrators, and requirements for system and management that collectively ensure the security of network and computer systems in an organization. A security policy is a “living document,” meaning that the document is never finished and is continuously updated as technology, business, and employee requirements change.
01_9781587132483_ch01.qxp
7/13/09
1:07 PM
Page 13
Chapter 1: Modern Network Security Threats
13
For example, an organization’s employee laptops will be subject to various types of attacks, such as email viruses. A network security policy explicitly defines how frequently virus software updates and virus definition updates must be installed. Additionally, the network security policy includes guidelines for what users can and cannot do. This is normally stipulated as a formal acceptable use policy (AUP). The AUP must be as explicit as possible to avoid ambiguity or misunderstanding. For example, an AUP might list the Usenet newsgroups that are prohibited. A network security policy drives all the steps to be taken to secure network resources. As you move through this course, the security policy will be revisited to ensure that you understand its integral nature in a well-run organization.
1.2 Viruses, Worms, and Trojan Horses 1.2.1 Viruses The primary vulnerabilities for end-user computers are virus, worm, and Trojan Horse attacks: ■
A virus is malicious software which attaches to another program to execute a specific unwanted function on a computer.
■
A worm executes arbitrary code and installs copies of itself in the memory of the infected computer, which then infects other hosts.
■
A Trojan Horse is an application written to look like something else. When a Trojan Horse is downloaded and opened, it attacks the end-user computer from within.
Traditionally, the term virus refers to an infectious organism that requires a host cell to grow and replicate. A University of Southern California student named Frederick Cohen suggested the term “computer virus” in 1983. A computer virus, referred to as a virus in the rest of this course, is a program that can copy itself and infect a computer without the knowledge of the user. A virus is a malicious code that is attached to legitimate programs or executable files. Most viruses require end-user activation and can lay dormant for an extended period and then activate at a specific time or date. A simple virus may install itself at the first line of code on an executable file. When activated, the virus might check the disk for other executables, so that it can infect all the files it has not yet infected. Viruses can be harmless, such as those that display a picture on the screen, or they can be destructive, such as those that modify or delete files on the hard drive. Viruses can also be programmed to mutate to avoid detection. In the past, viruses were usually spread via floppy disks and computer modems. Today, most viruses are spread by USB memory sticks, CDs, DVDs, network shares, or email. Email viruses are now the most common type of virus.
1.2.2 Worms Worms Worms are a particularly dangerous type of hostile code. They replicate themselves by independently exploiting vulnerabilities in networks. Worms usually slow down networks. Whereas a virus requires a host program to run, worms can run by themselves. They do not require user participation and can spread extremely fast over the network. Worms are responsible for some of the most devastating attacks on the Internet. For example, the SQL Slammer Worm of January 2003 slowed down global Internet traffic as a result of Denial of
01_9781587132483_ch01.qxp
14
7/13/09
1:07 PM
Page 14
CCNA Security Course Booklet, Version 1.0
Service. Over 250,000 hosts were affected within 30 minutes of its release. The worm exploited a buffer overflow bug in Microsoft’s SQL Server. A patch for this vulnerability was released in mid2002, so the servers that were affected were those that did not have the update patch applied. This is a great example of why it is so important for the security policy of an organization to require timely updates and patches for operating systems and applications. Despite the mitigation techniques that have emerged over the years, worms have continued to evolve with the Internet and still pose a threat. While worms have become more sophisticated over time, they still tend to be based on exploiting weaknesses in software applications. Most worm attacks have three major components: ■
Enabling vulnerability - A worm installs itself using an exploit mechanism (email attachment, executable file, Trojan Horse) on a vulnerable system.
■
Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new targets.
■
Payload - Any malicious code that results in some action. Most often this is used to create a backdoor to the infected host.
Worms are self-contained programs that attack a system to exploit a known vulnerability. Upon successful exploitation, the worm copies itself from the attacking host to the newly exploited system and the cycle begins again. When exploring the major worm and virus attacks over the past 20 years, it is noticeable that the various phases of attack methods employed by hackers are often quite similar. There are five basic phases of attack, regardless of whether a worm or virus is deployed. ■
Probe phase - Vulnerable targets are identified. The goal is to find computers that can be subverted. Internet Control Message Protocol (ICMP) ping scans are used to map networks. Then the application scans and identifies operating systems and vulnerable software. Hackers can obtain passwords using social engineering, dictionary attack, brute-force attack, or network sniffing.
■
Penetrate phase - Exploit code is transferred to the vulnerable target. The goal is to get the target to execute the exploit code through an attack vector, such as a buffer overflow, ActiveX or Common Gateway Interface (CGI) vulnerabilities, or an email virus.
■
Persist phase - After the attack is successfully launched in the memory, the code tries to persist on the target system. The goal is to ensure that the attacker code is running and available to the attacker even if the system reboots. This is achieved by modifying system files, making registry changes, and installing new code.
■
Propagate phase - The attacker attempts to extend the attack to other targets by looking for vulnerable neighboring machines. Propagation vectors include emailing copies of the attack to other systems, uploading files to other systems using file shares or FTP services, active web connections, and file transfers through Internet Relay Chat (IRC).
■
Paralyze phase - Actual damage is done to the system. Files can be erased, systems can crash, information can be stolen, and distributed DoS (DDoS) attacks can be launched.
The five basic phases of attack allow security experts to conveniently describe worms and viruses according to their particular implementation mechanism for each phase. This makes it easier to categorize worms and viruses. Viruses and worms are two methods of attack. Another method is the Trojan Horse, which leverages viruses or worms with the added element of masquerading as a benign program.
01_9781587132483_ch01.qxp
7/13/09
1:08 PM
Page 15
Chapter 1: Modern Network Security Threats
15
1.2.3 Trojan Horses Trojan Horse The term Trojan Horse originated from Greek mythology. Greek warriors offered the people of Troy (Trojans) a giant hollow horse as a gift. The Trojans brought the giant horse into their walled city, unaware that it contained many Greek warriors. At night, after most Trojans were asleep, the warriors burst out of the horse and overtook the city. A Trojan Horse in the world of computing is malware that carries out malicious operations under the guise of a desired function. A virus or worm could carry a Trojan Horse. A Trojan Horse contains hidden, malicious code that exploits the privileges of the user that runs it. Games can often have a Trojan Horse attached to them. When running the game, the game works, but in the background, the Trojan Horse has been installed on the user’s system and continues running after the game has been closed. The Trojan Horse concept is flexible. It can cause immediate damage, provide remote access to the system (a back door), or perform actions as instructed remotely, such as “send me the password file once per week.” Custom-written Trojan Horses, such as Trojan Horses with a specific target, are difficult to detect. Trojan Horses are usually classified according to the damage that they cause or the manner in which they breach a system: ■
Remote-access Trojan Horse (enables unauthorized remote access)
■
Data sending Trojan Horse (provides the attacker with sensitive data such as passwords)
■
Destructive Trojan Horse (corrupts or deletes files)
■
Proxy Trojan Horse (user’s computer functions as a proxy server)
■
FTP Trojan Horse (opens port 21)
■
Security software disabler Trojan Horse (stops anti-virus programs or firewalls from functioning)
■
Denial of Service Trojan Horse (slows or halts network activity)
1.2.4 Mitigating Viruses, Worms, and Trojan Horses A majority of the software vulnerabilities that are discovered relate to buffer overflows. A buffer is an allocated area of memory used by processes to store data temporarily. A buffer overflow occurs when a fixed-length buffer reaches its capacity and a process attempts to store data above and beyond that maximum limit. This can result in extra data overwriting adjacent memory locations as well as cause other unexpected behavior. Buffer overflows are usually the primary conduit through which viruses, worms, and Trojan Horses do their damage. In fact, there are reports that suggest that one-third of the software vulnerabilities identified by CERT relate to buffer overflows. Viruses and Trojan Horses tend to take advantage of local root buffer overflows. A root buffer overflow is a buffer overflow intended to attain root privileges to a system. Local root buffer overflows require the end user or system to take some type of action. A local root buffer overflow is typically initiated by a user opening an email attachment, visiting a website, or exchanging a file via instant messaging. Worms such as SQL Slammer and Code Red exploit remote root buffer overflows. Remote root buffer overflows are similar to local root buffer overflows, except that local end user or system intervention is not required.
01_9781587132483_ch01.qxp
16
7/13/09
1:08 PM
Page 16
CCNA Security Course Booklet, Version 1.0
Viruses, worms, and Trojan horses can cause serious problems on networks and end systems. Network administrators have several means of mitigating these attacks. Note that mitigation techniques are often referred to in the security community as countermeasures. The primary means of mitigating virus and Trojan horse attacks is anti-virus software. Anti-virus software helps prevent hosts from getting infected and spreading malicious code. It requires much more time to clean up infected computers than it does to maintain up-to-date anti-virus software and anti-virus definitions on the same machines. Anti-virus software is the most widely deployed security product on the market today. Several companies that create anti-virus software, such as Symantec, Computer Associates, McAfee, and Trend Micro, have been in the business of detecting and eliminating viruses for more than a decade. Many corporations and educational institutions purchase volume licensing for their users. The users are able to log in to a website with their account and download the anti-virus software on their desktops, laptops, or servers. Anti-virus products have update automation options so that new virus definitions and new software updates can be downloaded automatically or on demand. This practice is the most critical requirement for keeping a network free of viruses and should be formalized in a network security policy. Anti-virus products are host-based. These products are installed on computers and servers to detect and eliminate viruses. However, they do not prevent viruses from entering the network, so a network security professional needs to be aware of the major viruses and keep track of security updates regarding emerging viruses. Worms are more network-based than viruses. Worm mitigation requires diligence and coordination on the part of network security professionals. The response to a worm infection can be broken down into four phases: containment, inoculation, quarantine, and treatment. The containment phase involves limiting the spread of a worm infection to areas of the network that are already affected. This requires compartmentalization and segmentation of the network to slow down or stop the worm and prevent currently infected hosts from targeting and infecting other systems. Containment requires using both outgoing and incoming ACLs on routers and firewalls at control points within the network. The inoculation phase runs parallel to or subsequent to the containment phase. During the inoculation phase, all uninfected systems are patched with the appropriate vendor patch for the vulnerability. The inoculation process further deprives the worm of any available targets. A network scanner can help identify potentially vulnerable hosts. The mobile environment prevalent on modern networks poses significant challenges. Laptops are routinely taken out of the secure network environment and connected to potentially unsecure environments, such as home networks. Without proper patching of the system, a laptop can be infected with a worm or virus and then bring it back into the secure environment of the organization’s network where it can infect other systems. The quarantine phase involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them. This isolates these systems appropriately for the treatment phase. During the treatment phase, actively infected systems are disinfected of the worm. This can involve terminating the worm process, removing modified files or system settings that the worm introduced, and patching the vulnerability the worm used to exploit the system. Or, in more severe cases, can require completely reinstalling the system to ensure that the worm and its byproducts are removed. In the case of the SQL Slammer worm, malicious traffic was detected on UDP port 1434. This port should normally be blocked by a firewall on the perimeter. However, most infections enter by way
01_9781587132483_ch01.qxp
7/13/09
1:08 PM
Page 17
Chapter 1: Modern Network Security Threats
17
of back doors and do not pass through the firewall; therefore, to prevent the spreading of this worm it would be necessary to block this port on all devices throughout the internal network. In some cases, the port on which the worm is spreading might be critical to business operation. For example, when SQL Slammer was propagating, some organizations could not block UDP port 1434 because it was required to access the SQL Server for legitimate business transactions. In such a situation, alternatives must be considered. If the network devices using the service on the affected port are known, permitting selective access is an option. For example, if only a small number of clients are using SQL Server, one option is to open UDP port 1434 to critical devices only. Selective access is not guaranteed to solve the problem, but it certainly lowers the probability of infection. A comprehensive option for mitigating the effects of viruses, worms, and Trojan Horses is a hostbased intrusion prevention system (HIPS). Cisco Security Agent (CSA) is a host-based intrusion prevention system that can be integrated with anti-virus software from various vendors. CSA protects the operating system from threats on the network. CSA provides a more comprehensive and centralized solution that is not dependent on end users being vigilant about updating anti-virus software and using host-based firewalls. Another solution for mitigating threats is Cisco Network Admission Control (NAC). The Cisco NAC Appliance is a turnkey solution to control network access. It admits only hosts that are authenticated and have had their security posture examined and approved for the network. This solution is a natural fit for organizations with medium-sized networks that need simplified, integrated tracking of operating systems, anti-virus patches, and vulnerability updates. The Cisco NAC Appliance does not need to be part of a Cisco network to function. Cisco Security Monitoring, Analysis, and Response System (MARS) provides security monitoring for network security devices and host applications created by Cisco and other providers. MARS makes precise recommendations for threat removal, including the ability to visualize the attack path and identify the source of the threat with detailed topological graphs that simplify security response. Viruses, worms, and Trojan Horses can slow or stop networks and corrupt or destroy data. Software and hardware options are available for mitigating these threats. Network security professionals must maintain constant vigilance. It is not enough just to react to threats. A good network security professional examines the whole network to find vulnerabilities and fix them before an attack occurs.
1.3 Attack Methodologies 1.3.1 Reconnaissance Attacks There are many different types of network attacks other than viruses, worms, and Trojan Horses. To mitigate attacks, it is useful to first have the various types of attacks categorized. By categorizing network attacks, it is possible to address types of attacks rather than individual attacks. There is no standardized way of categorizing network attacks. The method used in this course classifies attacks in three major categories. Reconnaissance Attacks Reconnaissance attacks involve the unauthorized discovery and mapping of systems, services, or vulnerabilities. Reconnaissance attacks often employ the use of packet sniffers and port scanners, which are widely available as free downloads on the Internet. Reconnaissance is analogous to a thief surveying a neighborhood for vulnerable homes to break into, such as an unoccupied residence or a house with an easy-to-open door or window.
01_9781587132483_ch01.qxp
18
7/13/09
1:08 PM
Page 18
CCNA Security Course Booklet, Version 1.0
Access Attacks Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. An access attack can be performed in many different ways. An access attack often employs a dictionary attack to guess system passwords. There are also specialized dictionaries for different languages that can be used. Denial of Service Attacks Denial of service attacks send extremely large numbers of requests over a network or the Internet. These excessive requests cause the target device to run suboptimally. Consequently, the attacked device becomes unavailable for legitimate access and use. By executing exploits or combinations of exploits, DoS attacks slow or crash applications and processes. Reconnaissance attacks Reconnaissance is also known as information gathering and, in most cases, precedes an access or DoS attack. In a reconnaissance attack, the malicious intruder typically begins by conducting a ping sweep of the target network to determine which IP addresses are active. The intruder then determines which services or ports are available on the live IP addresses. Nmap is the most popular application for performing port scans. From the port information obtained, the intruder queries the ports to determine the type and version of the application and operating system that is running on the target host. In many cases, the intruders look for vulnerable services that can be exploited later when there is less likelihood of being caught. Reconnaissance attacks use various tools to gain access to a network: ■
Packet sniffers
■
Ping sweeps
■
Port scans
■
Internet information queries
A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN. Promiscuous mode is a mode in which the network adapter card sends all packets that are received to an application for processing. Some network applications distribute network packets in unencrypted plaintext. Because the network packets are not encrypted, they can be understood by any application that can pick them off the network and process them. Packet sniffers can only work in the same collision domain as the network being attacked, unless the attacker has access to the intermediary switches. Numerous freeware and shareware packet sniffers, such as Wireshark, are available and do not require the user to understand anything about the underlying protocols. When used as legitimate tools, ping sweep and port scan applications run a series of tests against hosts and devices to identify vulnerable services. The information is gathered by examining IP addressing and port, or banner, data from both TCP and UDP ports. An attacker uses ping sweeps and port scans to acquire information to compromise the system. A ping sweep is a basic network scanning technique that determines which range of IP addresses map to live hosts. A single ping indicates whether one specified host computer exists on the network. A ping sweep consists of ICMP echo requests sent to multiple hosts. If a given address is live, the address returns an ICMP echo reply. Ping sweeps are among the older and slower methods used to scan a network.
01_9781587132483_ch01.qxp
7/13/09
1:08 PM
Page 19
Chapter 1: Modern Network Security Threats
19
Each service on a host is associated with a well-known port number. Port scanning is a scan of a range of TCP or UDP port numbers on a host to detect listening services. It consists of sending a message to each port on a host. The response that the sender receives indicates whether the port is used. Internet information queries can reveal information such as who owns a particular domain and what addresses have been assigned to that domain. They can also reveal who owns a particular IP address and which domain is associated with the address. Ping sweeps of addresses revealed by Internet information queries can present a picture of the live hosts in a particular environment. After such a list is generated, port scanning tools can cycle through all well-known ports to provide a complete list of all services that are running on the hosts that the ping sweep discovered. Hackers can then examine the characteristics of active applications, which can lead to specific information that is useful to a hacker whose intent is to compromise that service. Keep in mind that reconnaissance attacks are typically the precursor to further attacks with the intention of gaining unauthorized access to a network or disrupting network functionality. A network security professional can detect when a reconnaissance attack is underway by configured alarms that are triggered when certain parameters are exceeded, such as ICMP requests per second. A Cisco ISR supports the security technologies that enable these types of alarms to be triggered. This is made available by the network-based intrusion prevention functionality supported by Cisco IOS security images running on ISRs. Host-based intrusion prevention systems and standalone network-based intrusion detection systems can also be used to notify when a reconnaissance attack is occurring.
1.3.2 Access Attacks Access attacks Hackers use access attacks on networks or systems for three reasons: retrieve data, gain access, and escalate access privileges. Access attacks often employ password attacks to guess system passwords. Password attacks can be implemented using several methods, including brute-force attacks, Trojan Horse programs, IP spoofing, and packet sniffers. However, most password attacks refer to brute-force attacks, which involve repeated attempts based on a built-in dictionary to identify a user account or password. A brute-force attack is often performed using a program that runs across the network and attempts to log in to a shared resource, such as a server. After an attacker gains access to a resource, the attacker has the same access rights as the user whose account was compromised. If this account has sufficient privileges, the attacker can create a back door for future access without concern for any status and password changes to the compromised user account. As an example, a user can run the L0phtCrack, or LC5, application to perform a brute-force attack to obtain a Windows server password. When the password is obtained, the attacker can install a keylogger, which sends a copy of all keystrokes to a desired destination. Or, a Trojan Horse can be installed to send a copy of all packets sent and received by the target to a particular destination, thus enabling the monitoring of all the traffic to and from that server. There are five types of access attacks: ■
Password attack - An attacker attempts to guess system passwords. A common example is a dictionary attack.
■
Trust exploitation - An attacker uses privileges granted to a system in an unauthorized way, possibly leading to compromising the target.
01_9781587132483_ch01.qxp
20
7/13/09
1:08 PM
Page 20
CCNA Security Course Booklet, Version 1.0
■
Port redirection - A compromised system is used as a jump-off point for attacks against other targets. An intrusion tool is installed on the compromised system for session redirection.
■
Man-in-the-middle attack - An attacker is positioned in the middle of communications between two legitimate entities in order to read or modify the data that passes between the two parties. A popular man-in-the-middle attack involves a laptop acting as a rogue access point to capture and copy all network traffic from a targeted user. Often the user is in a public location on a wireless hotspot.
■
Buffer overflow - A program writes data beyond the allocated buffer memory. Buffer overflows usually arise as a consequence of a bug in a C or C++ program. A result of the overflow is that valid data is overwritten or exploited to enable the execution of malicious code.
Access attacks in general can be detected by reviewing logs, bandwidth utilization, and process loads. The network security policy should specify that logs are formally maintained for all network devices and servers. By reviewing logs, security personnel can determine if an unusual number of failed login attempts have occurred. Software packages such as ManageEngine EventLog Analyzer or Cisco Secure Access Control Server (CSACS) maintain information regarding failed login attempts to network devices. UNIX and Windows servers also keep a log of failed login attempts. Cisco routers and firewall devices can be configured to prevent login attempts for a given time from a particular source after a prescribed number of failures in a specified amount of time. Man-in-the-middle attacks often involve replicating data. An indication of such an attack is an unusual amount of network activity and bandwidth utilization, as indicated by network monitoring software. Similarly, an access attack resulting in a compromised system would likely be revealed by sluggish activity due to ongoing buffer overflow attacks, as indicated by active process loads viewable on a Windows or UNIX system.
1.3.3 Denial of Service Attacks Denial of Service Attacks A DoS attack is a network attack that results in some sort of interruption of service to users, devices, or applications. Several mechanisms can generate a DoS attack. The simplest method is to generate large amounts of what appears to be valid network traffic. This type of network DoS attack saturates the network so that valid user traffic cannot get through. A DoS attack takes advantage of the fact that target systems such as servers must maintain state information. Applications may rely on expected buffer sizes and specific content of network packets. A DoS attack can exploit this by sending packet sizes or data values that are not expected by the receiving application. There are two major reasons a DoS attack occurs: ■
A host or application fails to handle an unexpected condition, such as maliciously formatted input data, an unexpected interaction of system components, or simple resource exhaustion.
■
A network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or become extremely slow.
DoS attacks attempt to compromise the availability of a network, host, or application. They are considered a major risk because they can easily interrupt a business process and cause significant loss. These attacks are relatively simple to conduct, even by an unskilled attacker. One example of a DoS attack is sending a poisonous packet. A poisonous packet is an improperly formatted packet designed to cause the receiving device to process the packet in an improper fash-
01_9781587132483_ch01.qxp
7/13/09
1:08 PM
Page 21
Chapter 1: Modern Network Security Threats
21
ion. The poisonous packet causes the receiving device to crash or run very slowly. This attack can cause all communications to and from the device to be disrupted. In another example, an attacker sends a continuous stream of packets, which overwhelms the available bandwidth of network links. In most cases, it is impossible to differentiate between the attacker and legitimate traffic and to trace an attack quickly back to its source. If many systems in the Internet core are compromised, the attacker may be able to take advantage of virtually unlimited bandwidth to unleash packet storms toward desired targets. A Distributed Denial of Service Attack (DDoS) is similar in intent to a DoS attack, except that a DDoS attack originates from multiple coordinated sources. In addition to increasing the amount of network traffic from multiple distributed attackers, a DDoS attack also presents the challenge of requiring the network defense to identify and stop each distributed attacker. As an example, a DDoS attack could proceed as follows. A hacker scans for systems that are accessible. After the hacker accesses several “handler” systems, the hacker installs zombie software on them. Zombies then scan and infect agent systems. When the hacker accesses the agent systems, the hacker loads remote-control attack software to carry out the DDoS attack. It is useful to detail three common DoS attacks to get a better understanding of how DoS attacks work. Ping of Death In a ping of death attack, a hacker sends an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. Sending a ping of this size can crash the target computer. A variant of this attack is to crash a system by sending ICMP fragments, which fill the reassembly buffers of the target. Smurf Attack In a smurf attack, a perpetrator sends a large number of ICMP requests to directed broadcast addresses, all with spoofed source addresses on the same network as the respective directed broadcast. If the routing device delivering traffic to those broadcast addresses forwards the directed broadcasts, all hosts on the destination networks send ICMP replies, multiplying the traffic by the number of hosts on the networks. On a multi-access broadcast network, hundreds of machines might reply to each packet. TCP SYN Flood In a TCP SYN flood attack, a flood of TCP SYN packets is sent, often with a forged sender address. Each packet is handled like a connection request, causing the server to spawn a half-open connection by sending back a TCP SYN-ACK packet and waiting for a packet in response from the sender address. However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests until after the attack ends. The TCP SYN flood, ping of death, and smurf attacks demonstrate how devastating a DoS attack can be. To date, hundreds of DoS attacks have been documented. There are five basic ways that DoS attacks can do harm: ■
Consumption of resources, such as bandwidth, disk space, or processor time
■
Disruption of configuration information, such as routing information
■
Disruption of state information, such as unsolicited resetting of TCP sessions
■
Disruption of physical network components
01_9781587132483_ch01.qxp
22
7/13/09
1:08 PM
Page 22
CCNA Security Course Booklet, Version 1.0
■
Obstruction of communication between the victim and others.
It is usually not difficult to determine if a DoS attack is occurring. A large number of complaints about not being able to access resources is a first sign of a DoS attack. To minimize the number of attacks, a network utilization software package should be running at all times. This should also be required by the network security policy. A network utilization graph showing unusual activity could indicate a DoS attack. Keep in mind that DoS attacks could be a component of a larger offensive. DoS attacks can lead to problems in the network segments of the computers being attacked. For example, the packet-persecond capacity of a router between the Internet and a LAN might be exceeded by an attack, compromising not only the target system but also the entire network. If the attack is conducted on a sufficiently large scale, entire geographical regions of Internet connectivity could be compromised. Not all service outages, even those that result from malicious activity, are necessarily DoS attacks. In any case, DoS attacks are among the most dangerous types of attacks, and it is critical that a network security professional act quickly to mitigate the effects of such attacks.
1.3.4 Mitigating Network Attacks There are a variety of network attacks, network attack methodologies, and categorizations of network attacks. The important question is, ‘How do I mitigate these network attacks?’ The type of attack, as specified by the categorization of reconnaissance, access, or DoS attack, determines the means of mitigating a network threat. Reconnaissance attacks can be mitigated in several ways. Using strong authentication is a first option for defense against packet sniffers. Strong authentication is a method of authenticating users that cannot easily be circumvented. A One-Time Password (OTP) is a form of strong authentication. OTPs utilize two-factor authentication. Two-factor authentication combines something one has, such as a token card, with something one knows, such as a PIN. Automated teller machines (ATMs) use two-factor authentication. Encryption is also effective for mitigating packet sniffer attacks. If traffic is encrypted, it is practically irrelevant if a packet sniffer is being used because the captured data is not readable. Antisniffer software and hardware tools detect changes in the response time of hosts to determine whether the hosts are processing more traffic than their own traffic loads would indicate. While this does not completely eliminate the threat, as part of an overall mitigation system, it can reduce the number of instances of threat. A switched infrastructure is the norm today, which makes it difficult to capture any data except that on your immediate collision domain, which probably contains only one host. A switched infrastructure does not eliminate the threat of packet sniffers, but can greatly reduce the sniffer’s effectiveness. It is impossible to mitigate port scanning. But using an IPS and firewall can limit the information that can be discovered with a port scanner. Ping sweeps can be stopped if ICMP echo and echoreply are turned off on edge routers. However, when these services are turned off, network diagnostic data is lost. Additionally, port scans can be run without full ping sweeps. The scans simply take longer because inactive IP addresses are also scanned. Network-based IPS and host-based IPS can usually notify an administrator when a reconnaissance attack is under way. This warning enables the administrator to better prepare for the coming attack or to notify the ISP from where the reconnaissance probe is launching from. Several techniques are also available for mitigating access attacks.
01_9781587132483_ch01.qxp
7/13/09
1:08 PM
Page 23
Chapter 1: Modern Network Security Threats
23
A surprising number of access attacks are carried out through simple password guessing or bruteforce dictionary attacks against passwords. The use of encrypted or hashed authentication protocols, along with a strong password policy, greatly reduces the probability of successful access attacks. There are specific practices that help to ensure a strong password policy: ■
Disabling accounts after a specific number of unsuccessful logins. This practice helps to prevent continuous password attempts.
■
Not using plaintext passwords. Use either a one-time password (OTP) or encrypted password.
■
Using strong passwords. Strong passwords are at least eight characters and contain uppercase letters, lowercase letters, numbers, and special characters.
The principle of minimum trust should also be designed into the network structure. This means that systems should not use one another unnecessarily. For example, if an organization has a server that is used by untrusted devices, such as web servers, the trusted device (server) should not trust the untrusted devices (web servers) unconditionally. Cryptography is a critical component of any modern secure network. Using encryption for remote access to a network is recommended. Also, routing protocol traffic should be encrypted as well. The more that traffic is encrypted, the less opportunity hackers have for intercepting data with man-in-the-middle attacks. Companies with a high-profile Internet presence should plan in advance how to respond to potential DoS attacks. Historically, many DoS attacks were sourced from spoofed source addresses. These types of attacks can be thwarted using antispoofing technologies on perimeter routers and firewalls. Many DoS attacks today are distributed DoS attacks carried out by compromised hosts on several networks. Mitigating DDoS attacks requires careful diagnostics, planning, and cooperation from ISPs. The most important elements for mitigating DoS attacks are firewalls and IPSs. Both host-based and network-based IPSs are strongly recommended. Cisco routers and switches support a number of antispoofing technologies, such as port security, DHCP snooping, IP Source Guard, Dynamic ARP Inspection, and ACLs. Lastly, although Quality of Service (QoS) is not designed as a security technology, one of its applications, traffic policing, can be used to limit ingress traffic from any given customer on an edge router. This limits the impact a single source can have on ingress bandwidth utilization. Defending your network against attack requires constant vigilance and education. There are 10 best practices that represent the best insurance for your network. Step 1.
Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.
Step 2.
Shut down unnecessary services and ports.
Step 3.
Use strong passwords and change them often.
Step 4.
Control physical access to systems.
Step 5.
Avoid unnecessary web page inputs. Some websites allow users to enter usernames and passwords. A hacker can enter more than just a username. For example, entering “jdoe; rm -rf /” might allow an attacker to remove the root file system from a UNIX server. Programmers should limit input characters and not accept invalid characters such as | ; < > as input.
01_9781587132483_ch01.qxp
24
7/13/09
1:08 PM
Page 24
CCNA Security Course Booklet, Version 1.0
Step 6.
Perform backups and test the backed up files on a regular basis.
Step 7.
Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.
Step 8.
Encrypt and password-protect sensitive data.
Step 9.
Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, anti-virus software, and content filtering.
Step 10.
Develop a written security policy for the company.
These methods are only a starting point for sound security management. Organizations must remain vigilant at all times to defend against continually evolving threats. Using these proven methods of securing a network and applying the knowledge gained in this chapter, you are now prepared to begin deploying network security solutions. One of the first deployment considerations involves securing access to network devices.
01_9781587132483_ch01.qxp
7/13/09
1:08 PM
Page 25
Chapter 1: Modern Network Security Threats
Chapter Summary Refer to Packet Tracer Activity for this chapter
Your Chapter Notes
Refer to Lab Activity for this chapter
25
01_9781587132483_ch01.qxp
26
7/13/09
1:08 PM
Page 26
CCNA Security Course Booklet, Version 1.0
02_9781587132483_ch02.qxp
7/13/09
1:09 PM
Page 27
CHAPTER 2
Securing Network Devices
Chapter Introduction Securing outgoing network traffic and scrutinizing incoming traffic are critical aspects of network security. Securing the edge router, which connects to the outside network, is an important first step in securing the network. Device hardening is an essential task that must never be overlooked. It involves implementing proven methods for physically securing the router and protecting the router’s administrative access using the Cisco IOS command-line interface (CLI) as well as the Cisco Router and Security Device Manager (SDM). Some of these methods involve securing administrative access, including maintaining passwords, configuring enhanced virtual login features, and implementing Secure Shell (SSH). Because not all information technology personnel should have the same level of access to the infrastructure devices, defining administrative roles in terms of access is another important aspect of securing infrastructure devices. Securing the management and reporting features of Cisco IOS devices is also important. Recommended practices for securing syslog, using Simple Network Management Protocol (SNMP), and configuring Network Time Protocol (NTP) are examined. Many router services are enabled by default. A number of these features are enabled for historical reasons but are no longer required today. This chapter discusses some of these services and examines router configurations with the Security Audit feature of Cisco SDM. This chapter also examines the one-step lockdown Cisco SDM feature and the auto secure command, which can be used to automate device hardening tasks. A hands-on lab for the chapter, Securing the Router for Administrative Access, is a very comprehensive lab that provides an opportunity to practice the wide-ranging security features introduced in this chapter. The lab introduces the various means of securing administrative access to a router, including password best practices, appropriate banner configuration, enhanced login features, and SSH. The role-based CLI access feature relies on creating views as a means of providing different levels of access to routers. The Cisco IOS Resilient Configuration feature permits securing router images and configuration files. Syslog and SNMP are used for management reporting. Cisco AutoSecure is an automated tool for securing Cisco routers using the CLI. The SDM Security Audit feature provides similar functionality to AutoSecure. The lab is found in the lab manual on Academy Connection at cisco.netacad.net. A Packet Tracer activity, Configure Cisco Routers for Syslog, NTP, and SSH Operations, provides learners additional practice implementing the technologies introduced in this chapter. In particular, learners configure routers with NTP, syslog, timestamp logging of messages, local user accounts, exclusive SSH connectivity, and RSA key pairs for SSH servers. Using SSH client access from a Windows PC and from a Cisco router is also explored. Packet Tracer activities for CCNA Security are found on Academy Connection at cisco.netacad.net.
02_9781587132483_ch02.qxp
28
7/13/09
1:09 PM
Page 28
CCNA Security Course Booklet, Version 1.0
2.1 Securing Device Access 2.1.1 Securing the Edge Router Securing the network infrastructure is critical to overall network security. The network infrastructure includes routers, switches, servers, endpoints, and other devices. Consider a disgruntled employee casually looking over the shoulder of a network administrator while the administrator is logging in to an edge router. This is known as shoulder surfing, and it is a surprisingly easy way for an attacker to gain unauthorized access. If an attacker gains access to a router, the security and management of the entire network can be compromised, leaving servers and endpoints at risk. It is critical that the appropriate security policies and controls be implemented to prevent unauthorized access to all infrastructure devices. Although all infrastructure devices are at risk, routers are a primary target for network attackers. This is because routers act as traffic police, directing traffic into, out of and between networks. The edge router is the last router between the internal network and an untrusted network such as the Internet. All of an organization’s Internet traffic goes through this edge router; therefore, it often functions as the first and last line of defense for a network. Through initial and final filtering, the edge router helps to secure the perimeter of a protected network. It is also responsible for implementing security actions that are based on the security policies of the organization. For these reasons, securing network routers is imperative. The edge router implementation varies depending on the size of the organization and the complexity of the required network design. Router implementations can include a single router protecting an entire inside network or a router as the first line of defense in a defense-in-depth approach. Single Router Approach In the single router approach, a single router connects the protected network, or internal LAN, to the Internet. All security policies are configured on this device. This is more commonly deployed in smaller site implementations such as branch and SOHO sites. In smaller networks, the required security features can be supported by ISRs without impeding the router’s performance capabilities. Defense-in-Depth Approach A defense-in-depth approach is more secure than the single router approach. In this approach, the edge router acts as the first line of defense and is known as a screening router. It passes all connections that are intended for the internal LAN to the firewall. The second line of defense is the firewall. The firewall typically picks up where the edge router leaves off and performs additional filtering. It provides additional access control by tracking the state of the connections and acts as a checkpoint device. The edge router has a set of rules specifying which traffic it allows and denies. By default, the firewall denies the initiation of connections from the outside (untrusted) networks to the inside (trusted) network. However, it allows the internal users to establish connections to the untrusted networks and permits the responses to come back through the firewall. It can also perform user authentication (authentication proxy) where users must be authenticated to gain access to network resources. DMZ Approach A variation of the defense-in-depth approach is to offer an intermediate area, often called the demilitarized zone (DMZ). The DMZ can be used for servers that must be accessible from the Internet or some other external network. The DMZ can be set up between two routers, with an internal router connecting to the protected network and an external router connecting to the unprotected network, or simply be an additional port off of a single router. The firewall, located between the protected and unprotected networks, is set up to permit the required connections (for example, HTTP) from the outside (untrusted) networks to the public servers in the DMZ. The firewall serves
02_9781587132483_ch02.qxp
7/13/09
1:09 PM
Page 29
Chapter 2: Securing Network Devices
29
as the primary protection for all devices on the DMZ. In the DMZ approach, the router provides some protection by filtering some traffic, but leaves the bulk of the protection to the firewall. (The focus of this course is on ISR security features, including explanations of how to configure these features. With respect to the Cisco Adaptive Security Appliance (ASA), the discussion is limited to design implementation in this course. For ASA device configuration, see www.cisco.com.) Securing the edge router is a critical first step in securing the network. If there are other internal routers, they must be securely configured as well. Three areas of router security must be maintained. Physical Security Provide physical security for the routers: ■
Place the router and physical devices that connect to it in a secure locked room that is accessible only to authorized personnel, is free of electrostatic or magnetic interference, has fire suppression, and has controls for temperature and humidity.
■
Install an uninterruptible power supply (UPS) and keep spare components available. This reduces the possibility of a DoS attack from power loss to the building.
Operating System Security Secure the features and performance of the router operating systems: ■
Configure the router with the maximum amount of memory possible. The availability of memory can help protect the network from some DoS attacks, while supporting the widest range of security services.
■
Use the latest stable version of the operating system that meets the feature requirements of the network. Security features in an operating system evolve over time. Keep in mind that the latest version of an operating system might not be the most stable version available.
■
Keep a secure copy of the router operating system image and router configuration file as a backup.
Router Hardening Eliminate potential abuse of unused ports and services: ■
Secure administrative control. Ensure that only authorized personnel have access and that their level of access is controlled.
■
Disable unused ports and interfaces. Reduce the number of ways a device can be accessed.
■
Disable unnecessary services. Similar to many computers, a router has services that are enabled by default. Some of these services are unnecessary and can be used by an attacker to gather information or for exploitation.
Administrative access is required for router management purposes; therefore, securing administrative access is an extremely important security task. If an unauthorized person were to gain administrative access to a router, that person could alter routing parameters, disable routing functions, or discover and gain access to other systems in the network. Several important tasks are involved in securing administrative access to an infrastructure device: ■
Restrict device accessibility - Limit the accessible ports, restrict the permitted communicators, and restrict the permitted methods of access.
02_9781587132483_ch02.qxp
30
7/13/09
1:09 PM
Page 30
CCNA Security Course Booklet, Version 1.0
■
Log and account for all access - For auditing purposes, record anyone who accesses a device, including what occurs and when.
■
Authenticate access - Ensure that access is granted only to authenticated users, groups, and services. Limit the number of failed login attempts and the time between logins.
■
Authorize actions - Restrict the actions and views permitted by any particular user, group, or service.
■
Present Legal Notification - Display a legal notice, developed in conjunction with company legal counsel, for interactive sessions.
■
Ensure the confidentiality of data - Protect locally stored sensitive data from viewing and copying. Consider the vulnerability of data in transit over a communication channel to sniffing, session hijacking, and man-in-the-middle (MITM) attacks.
There are two ways to access a device for administrative purposes, locally and remotely. All network infrastructure devices can be accessed locally. Local access to a router usually requires a direct connection to a console port on the Cisco router using a computer that is running terminal emulation software. Some network devices can be accessed remotely. Remote access typically involves allowing Telnet, Secure Shell (SSH), HTTP, HTTPS, or Simple Network Management Protocol (SNMP) connections to the router from a computer. The computer can be on the same subnet or a different subnet. Some remote access protocols send the data, including usernames and passwords, to the router in plaintext. If an attacker can collect network traffic while an administrator is remotely logged in to a router, the attacker can capture passwords or router configuration information. For this reason, it is preferable to allow only local access to the router. However, remote access might still be necessary. When accessing the network remotely, a few precautions should be taken: ■
Encrypt all traffic between the administrator computer and the router. For example, instead of using Telnet, use SSH. Or instead of using HTTP, use HTTPS.
■
Establish a dedicated management network. The management network should include only identified administration hosts and connections to a dedicated interface on the router.
■
Configure a packet filter to allow only the identified administration hosts and preferred protocols to access the router. For example, permit only SSH requests from the IP address of the administration host to initiate a connection to the routers in the network.
These precautions are valuable, but they do not protect the network completely. Other lines of defense must also be implemented. One of the most basic and important is the use of a secure password.
2.1.2 Configuring Secure Administrative Access Attackers deploy various methods of discovering administrative passwords. They can shoulder surf, attempt to guess passwords based on the user’s personal information, or sniff TFTP packets containing plaintext configuration files. Attackers can also use tools such as L0phtCrack and Cain & Abel to attempt brute force attacks and guess passwords. To protect assets such as routers and switches, follow these common guidelines for choosing strong passwords. These guidelines are designed to make passwords less easily discovered by intelligent guessing and cracking tools: ■
Use a password length of 10 or more characters. The longer, the better.
02_9781587132483_ch02.qxp
7/13/09
1:09 PM
Page 31
Chapter 2: Securing Network Devices
■
Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.
■
Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information..
■
Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
■
Change passwords often. If a password is unknowingly compromised, the window of opportunity for the attacker to use the password is limited.
■
Do not write passwords down and leave them in obvious places such as on the desk or monitor.
31
On Cisco routers and many other systems, password-leading spaces are ignored, but spaces after the first character are not ignored. Therefore, one method to create a strong password is to use the space bar in the password and create a phrase made of many words. This is called a pass phrase. A pass phrase is often easier to remember than a simple password. It is also longer and harder to guess. Administrators should ensure that strong passwords are used across the network. One way to accomplish this is to use the same cracking and brute force attack tools that attackers use as a way to verify password strength. Many access ports require passwords on a Cisco router, including the console port, auxiliary port, and virtual terminal connections. Password management in a large network should be maintained using a central TACACS+ or RADIUS authentication server such as the Cisco Secure Access Control Server (ACS). All routers must be configured with the user and privileged EXEC passwords. A local username database is also recommended as backup if access to an authentication, authorization, and accounting (AAA) server is compromised. Using a password and assigning privilege levels is a simple way to provide terminal access control in a network. Passwords must be established for privileged EXEC mode access and individual lines such as the console and auxiliary lines. Enable Secret Password The enable secret password global configuration command restricts access to privileged EXEC mode. The enable secret password is always hashed inside the router configuration using a Message Digest 5 (MD5) hashing algorithm. If the enable secret password is lost or forgotten, it must be replaced using the Cisco router password recovery procedure. Console Line By default, the console port does not require a password for console administrative access; however, it should always be configured as a console port line-level password. Use the line console 0 command followed by the login and password subcommands to require login and establish a login password on the console line. Virtual Terminal Lines By default, Cisco routers support up to five simultaneous virtual terminal vty (Telnet or SSH) sessions. On the router, the vty ports are numbered from 0 through 4. Use the line vty 0 4 command followed by the login and password subcommands to require login and establish a login password on incoming Telnet sessions.
02_9781587132483_ch02.qxp
32
7/13/09
1:09 PM
Page 32
CCNA Security Course Booklet, Version 1.0
Auxiliary Line By default, Cisco router auxiliary ports do not require a password for remote administrative access. Administrators sometimes use this port to remotely configure and monitor the router using a dialup modem connection. To access the auxiliary line use the line aux 0 command. Use the login and password subcommands to require login and establish a login password on incoming connections. By default, with the exception of the enable secret password, all Cisco router passwords are stored in plain text within the router configuration. These passwords can be viewed with the show running-config command. Sniffers can also see these passwords if the TFTP server configuration files traverse an unsecured intranet or Internet connection. If an intruder gains access to the TFTP server where the router configuration files are stored, the intruder is able to obtain these passwords. To increase the security of passwords, the following should be configured: ■
Enforce minimum password lengths.
■
Disable unattended connections.
■
Encrypt all passwords in the configuration file.
Minimum Character Length Beginning with the Cisco IOS Release 12.3(1) and later, administrators can set the minimum character length for all router passwords from 0 to 16 characters using the global configuration command security passwords min-length length. It is strongly recommended that the minimum password length be set to at least 10 characters to eliminate common passwords that are short and prevalent on most networks, such “lab” and “cisco”. This command affects user passwords, enable secret passwords, and line passwords that are created after the command is executed. Existing router passwords remain unaffected. Any attempt to create a new password that is less than the specified length fails and results in an error message similar to the following: Password too short - must be at least 10 characters. Password configuration failed.
Disable Unattended Connections By default, an administrative interface stays active and logged in for 10 minutes after the last session activity. After that, the interface times out and logs out of the session. If an administrator is away from the terminal while the console connection is active, an attacker has up to 10 minutes to gain privilege level access. It is recommended that these timers be finetuned to limit the amount of time to within a two or three minute maximum. These timers can be adjusted using the exec-timeout command in line configuration mode for each of the line types that are used. It is also possible to turn off the exec process for a specific line, such as on the auxiliary port, using the no exec command within the line configuration mode. This command allows only an outgoing connection on the line. The no exec command allows you to disable the EXEC process for connections which may attempt to send unsolicited data to the router. Encrypt All Passwords By default, some passwords are shown in plaintext, meaning not encrypted, in the Cisco IOS software configuration. With the exception of the enable secret password, all other plaintext passwords in the configuration file can be encrypted in the configuration file using the service password-
02_9781587132483_ch02.qxp
7/13/09
1:09 PM
Page 33
Chapter 2: Securing Network Devices
33
command. This command hashes current and future plaintext passwords in the configuration file into an encrypted ciphertext. To stop encrypting passwords, use the no form of the command. Only passwords created after the no command is issued will be unencrypted. Existing passwords that have been previously encrypted will remain so.
encryption
The service password-encryption command is primarily useful for keeping unauthorized individuals from viewing passwords in the configuration file. The algorithm used by the service password-encryption command is simple and can be easily reversed by someone with access to the encrypted ciphertext and a password-cracking application. For that reason, this command should not be used with the intention to protect configuration files against serious attacks. The enable secret command is far more secure because it encrypts the password using MD5, which is a stronger algorithm. Another available security feature is authentication. Cisco routers can maintain a list of usernames and passwords in a local database on the router for performing local login authentication. There are two methods of configuring local username accounts. username name password password username name secret password
The username secret command is more secure because it uses the stronger algorithm, MD5 hashing, for concealing passwords. MD5 is a much better algorithm than the standard type 7 used by the service password-encryption command. The added layer of MD5 protection is useful in environments in which the password crosses the network or is stored on a TFTP server. Keep in mind that when configuring a username and password combination, password length restrictions must be followed. Use the login local command on the line configuration to enable the local database for authentication. All of the remaining examples in this chapter are using the username of username password.
secret
configuration instead
2.1.3 Configuring Enhanced Security for Virtual Logins Assigning passwords and local authentication does not prevent a device from being targeted for attack. DoS attacks flood a device with so many connection requests that the device might not provide normal login service to legitimate system administrators. A dictionary attack, which is used to gain administrative access to a device, floods a device with thousands of username and password combinations. The end result is much the same as a DoS attack, in that the device cannot process legitimate user requests. The network needs to have systems in place to detect and help prevent these attacks. By enabling a detection profile, a network device can be configured to react to repeated failed login attempts by refusing further connection requests (login blocking). This block can be configured for a period of time, which is called a quiet period. Legitimate connection attempts can still be permitted during a quiet period by configuring an access control list (ACL) with the addresses that are known to be associated with system administrators. The Cisco IOS login enhancements feature provides more security for Cisco IOS devices when creating a virtual connection, such as Telnet, SSH, or HTTP, by slowing down dictionary attacks and stopping DoS attacks. To better configure security for virtual login connections, the login process should be configured with specific parameters: ■
Delays between successive login attempts
■
Login shutdown if DoS attacks are suspected
■
Generation of system logging messages for login detection
02_9781587132483_ch02.qxp
34
7/13/09
1:09 PM
Page 34
CCNA Security Course Booklet, Version 1.0
These enhancements do not apply to console connections. It is assumed that only authorized personnel have physical access to the devices. The following commands are available to configure a Cisco IOS device to support the enhanced login features. Router# configure terminal Router(config)# login block-for seconds attempts tries within seconds Router(config)# login quiet-mode access-class {acl-name | acl-number} Router(config)# login delay seconds Router(config)# login on-failure log [every login] Router(config)# login on-success log [every login]
Authentication on vty lines must be configured to use a username and password combination. If the vty lines are configured to use only a password, the enhanced login features are not enabled. What does each command accomplish? All login enhancement features are disabled by default. Use the login able login enhancements. The login
block-for
block-for
command to en-
feature monitors login device activity and operates in two modes:
■
Normal mode (watch mode) - The router keeps count of the number of failed login attempts within an identified amount of time.
■
Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied.
When quiet mode is enabled, all login attempts, including valid administrative access, are not permitted. However, to provide critical hosts access at all times, this behavior can be overridden using an ACL. The ACL must be created and identified using the login quiet-mode access-class command. By default, Cisco IOS devices can accept connections, such as Telnet, SSH, and HTTP, as quickly as they can be processed. This makes devices susceptible to dictionary attack tools, such as Cain or L0phtCrack, which are capable of thousands of password attempts per second. The login blockfor command invokes an automatic delay of 1 second between login attempts. Attackers have to wait 1 second before they can try a different password. This delay time can be changed using the login delay command. The login delay command introduces a uniform delay between successive login attempts. The delay occurs for all login attempts, including failed or successful attempts. The login block-for, login quiet-mode access-class, and login delay commands help block failed login attempts for a limited period of time but cannot prevent an attacker from trying again. How can an administrator know when someone tries to gain access to the network by guessing the password? The command auto secure enables message logging for failed login attempts. Logging successful login attempts is not enabled by default. These commands can be used to keep track of the number of successful and failed login attempts. login on-failure log [every login]
generates logs for failed login requests.
login on-success log [every login]
generates log messages for successful login requests.
The number of login attempts before a message is generated can be specified using the [every login] parameter. The default value is 1 attempt. The valid range is from 1 to 65,535.
02_9781587132483_ch02.qxp
7/13/09
1:09 PM
Page 35
Chapter 2: Securing Network Devices
35
As an alternative, the security authentication failure rate threshold-rate log command generates a log message when the login failure rate is exceeded. To verify that the login block-for command is configured and which mode the router is currently in, use the show login command. The router is in either normal or quite mode, depending on whether login thresholds were exceeded. The show login failures command displays more information regarding the failed attempts, such as the IP address from which the failed login attempts originated. Use banner messages to present legal notification to potential intruders to inform them that they are not welcome on a network. Banners are very important to the network from a legal perspective. Intruders have won court cases because they did not encounter appropriate warning messages when accessing router networks. In addition to warning would-be intruders, banners are also used to inform remote administrators of use restrictions. Choosing what to place in banner messages is important and should be reviewed by legal counsel before putting them on network routers. Never use the word welcome or any other familiar greeting that may be misconstrued as an invitation to use the network. Banners are disabled by default and must be explicitly enabled. Use the banner command from global configuration mode to specify appropriate messages. banner {exec | incoming | login | motd | slip-ppp} d message d
Tokens are optional and can be used within the message section of the banner command: $(hostname) $(domain) $(line)
- Displays the host name for the router.
- Displays the domain name for the router.
- Displays the vty or tty (asynchronous) line number.
$(line-desc)
- Displays the description that is attached to the line.
Be careful in placing this information in the banner because it provides more information to a possible intruder. Cisco SDM can also be used to configure banner messages.
2.1.4 Configure SSH When enabling remote administrative access, it is also important to consider the security implications of sending information across the network. Traditionally, remote access on routers was configured using Telnet on TCP port 23. However, Telnet was developed in the days when security was not an issue, therefore, all Telnet traffic is forwarded in plaintext. Using this protocol, critical data, such as router configurations, is easily accessible to attackers. Hackers can capture packets forwarded by an administrator’s computer using a protocol analyzer such as Wireshark. If the initial Telnet stream is discovered and followed, attackers can learn the administrator’s username and password. However, having remote access capability can save an organization time and money when making necessary configuration changes. So how can a secure remote access connection be established to manage Cisco IOS devices? SSH has replaced Telnet as the recommended practice for providing remote router administration with connections that support confidentiality and session integrity. It provides functionality that is similar to an outbound Telnet connection, except that the connection is encrypted and operates on port 22. With authentication and encryption, SSH allows for secure communication over a non-secure network.
02_9781587132483_ch02.qxp
36
7/13/09
1:09 PM
Page 36
CCNA Security Course Booklet, Version 1.0
Four steps must be completed prior to configuring routers for the SSH protocol: Step 1. Ensure that the target routers are running a Cisco IOS Release 12.1(1)T image or later to support SSH. Only the Cisco IOS cryptographic images containing the IPsec feature set support SSH. Specifically, Cisco IOS 12.1 or later IPsec DES or Triple Data Encryption Standard (3DES) cryptographic images support SSH. Typically, these images have image IDs of k8 or k9 in their image names. For example, c1841-advipservicesk9-mz.124-10b.bin is an image that can support SSH. Step 2. Ensure that each of the target routers has a unique host name. Step 3. Ensure that each of the target routers is using the correct domain name of the network. Step 4. Ensure that the target routers are configured for local authentication or AAA services for username and password authentication. This is mandatory for a router-to-router SSH connection. Using the CLI, there are four steps to configure a Cisco router to support SSH: Step 1. If the router has a unique host name, configure the IP domain name of the network using the ip domain-name domain-name command in global configuration mode. Step 2. One-way secret keys must be generated for a router to encrypt the SSH traffic. These keys are referred to as asymmetric keys. Cisco IOS software uses the Rivest, Shamir, and Adleman (RSA) algorithm to generate keys. To create the RSA key, use the crypto key generate rsa general-keys modulus modulus-size command in global configuration mode. The modulus determines the size of the RSA key and can be configured from 360 bits to 2048 bits. The larger the modulus, the more secure the RSA key. However, keys with large modulus values take slightly longer to generate and longer to encrypt and decrypt as well. The minimum recommended modulus key length is 1024 bits. To verify SSH and display the generated keys, use the show crypto key mypubkey rsa command in privileged EXEC mode. If there are existing key pairs, it is recommended that they are overwritten using the crypto key zeroize rsa command. Step 3. Ensure that there is a valid local database username entry. If not, create one using the username name secret secret command. Step 4. Enable vty inbound SSH sessions using the line vty commands login transport input ssh.
local
and
SSH is automatically enabled after the RSA keys are generated. The router SSH service can be accessed using SSH client software. Optional SSH Commands Optionally, SSH commands can be used to configure the following: ■
SSH version
■
SSH timeout period
■
Number of authentication retries
Cisco routers support two versions of SSH: SSH version 1 (SSHv1) and the newer, more secure SSH version 2 (SSHv2). SSHv2 provides better security using the Diffie-Hellman key exchange and the strong integrity-checking message authentication code (MAC). Cisco IOS Release 12.1(1)T and later supports SSHv1. Cisco IOS Release 12.3(4)T and later operates in compatibility mode and supports both SSHv1 and SSHv2. To change from compatibility mode to a specific version, use the ip ssh version {1 | 2} global configuration command.
02_9781587132483_ch02.qxp
7/13/09
1:09 PM
Page 37
Chapter 2: Securing Network Devices
37
The time interval that the router waits for the SSH client to respond during the SSH negotiation phase can be configured using the ip ssh time-out seconds command in global configuration mode. The default is 120 seconds. When the EXEC session starts, the standard exec timeout configured for the vty applies. By default, a user logging in has three attempts before being disconnected. To configure a different number of consecutive SSH retries, use the ip ssh authentication-retries integer command in global configuration mode. To verify the optional SSH command settings, use the show
ip ssh
command.
After SSH is configured, an SSH client is required to connect to an SSH-enabled router. There are two different ways to connect to an SSH-enabled router: ■
Connect using an SSH-enabled Cisco router using the privileged EXEC mode ssh command.
■
Connect using a publicly and commercially available SSH client running on a host. Examples of these clients are PuTTY, OpenSSH, and TeraTerm.
Cisco routers are capable of acting as the SSH server and as an SSH client connecting to another SSH-enabled device. By default, both of these functions are enabled on the router when SSH is enabled. As a server, a router can accept SSH client connections. As a client, a router can SSH to another SSH-enabled router. The procedure for connecting to a Cisco router varies depending on the SSH client application that is being used. Generally, the SSH client initiates an SSH connection to the router. The router SSH service prompts for the correct username and password combination. After the login is verified, the router can be managed as if the administrator was using a standard Telnet session. Use the show
ssh
command to verify the status of the client connections.
Cisco SDM can be used to configure an SSH daemon on a router. To see the current SSH key settings, choose Configure > Additional Tasks > Router Access > SSH. The SSH key settings have two status options. ■
RSA key is not set on this router - This notice appears if there is no cryptographic key configured for the device. If there is no key configured, enter a modulus size and generate a key.
■
RSA key is set on this router - This notice appears if a cryptographic key has been generated, in which case SSH is enabled on this router.
The default configuration file that ships with a Cisco SDM-enabled router automatically enables Telnet and SSH access from the LAN interface and generates an RSA key. The Generate RSA Key button configures a cryptographic key if one is not set. The Key Modulus Size dialog box appears. If the modulus value needs to be between 512 and 1024, enter an integer value that is a multiple of 64. If the modulus value needs to be higher than 1024, enter 1536 or 2048. If a value greater than 512 is entered, key generation can take a minute or longer. After SSH is enabled on the router, the vty lines to support SSH need to be configured. Choose Configure > Additional Tasks > Router Access > VTY. The VTY Lines window displays the vty settings on the router. Click the Edit button to configure vty parameters.
02_9781587132483_ch02.qxp
38
7/13/09
1:09 PM
Page 38
CCNA Security Course Booklet, Version 1.0
2.2 Assigning Administrative Roles 2.2.1 Configuring Privilege Levels While it is important that a system administrator can securely connect to and manage a device, still more configurations are needed to keep the network secure. For example, should complete access be provided for all employees in a company? The answer to that question is usually no. Most company employees require only specific areas of access to the network. What about complete access for all employees in the IT department? Keep in mind that large organizations have many various job functions within an IT department. For example, job titles include Chief Information Officer (CIO), Security Operator, Network Administrator, WAN Engineer, LAN Administrator, Software Administrator, PC Tech support, Help Desk support, and others. Not all job functions should have the same level of access to the infrastructure devices. As an example, a senior network administrator leaves for vacation and, as a precaution, provides a junior administrator with the privileged EXEC mode passwords to all infrastructure devices. A few days later, the curious junior administrator accidentally disables the company network. This is not an uncommon scenario, because all too often a router is secured with only one privileged EXEC password. Anyone with knowledge of this password has open access to the entire router. Configuring privilege levels is the next step for the system administrator who wants to secure the network. Privilege levels determine who should be allowed to connect to the device and what that person should be able to do with it. The Cisco IOS software CLI has two levels of access to commands. ■
User EXEC mode (privilege level 1) - Provides the lowest EXEC mode user privileges and allows only user-level commands available at the router> prompt.
■
Privileged EXEC mode (privilege level 15) - Includes all enable-level commands at the router# prompt.
Although these two levels do provide control, sometimes a more precise level of control is required. Cisco IOS software has two methods of providing infrastructure access: privilege level and rolebased CLI. Assigning Privilege Levels Since Cisco IOS Release 10.3, Cisco routers enable an administrator to configure multiple privilege levels. Configuring privilege levels is especially useful in a help desk environment where certain administrators must be able to configure and monitor every part of the router (level 15), and other administrators need only to monitor, not configure, the router (customized levels 2 to 14). There are 16 privilege levels in total. Levels 0, 1, and 15 have predefined settings. An administrator can define multiple customized privilege levels and assign different commands to each level. The higher the privilege level, the more router access a user has. Commands that are available at lower privilege levels are also executable at higher levels, because a privilege level includes the privileges of all lower levels. For example, a user authorized for privilege level 10 is granted access to commands allowed at privilege levels 0 through 10 (if also defined). A privilegelevel-10 user cannot access commands granted to privilege level 11 (or higher). A user authorized for privilege level 15 can execute all Cisco IOS commands. To assign commands to a custom privilege level, use the privilege command from global configuration mode. Router(config)# privilege mode {level level command | reset} command
It is important to note that assigning a command with multiple keywords, such as show ip route, to a specific privilege level automatically assigns all commands associated with the first few key-
02_9781587132483_ch02.qxp
7/13/09
1:09 PM
Page 39
Chapter 2: Securing Network Devices
39
words to the specified privilege level. For example, both the show command and the show ip command are automatically set to the privilege level where show ip route is set. This is necessary because the show ip route command cannot be executed without access to the show and show ip commands. Subcommands coming under show ip route are also automatically assigned to the same privilege level. Assigning the show ip route allows the user to issue all show commands, such as show version. Privilege levels should also be configured for authentication. There are two methods for assigning passwords to the different levels: ■
To the privilege level using the global configuration command enable password.
■
To a user that is granted a specific privilege level, using the global configuration command username name privilege level secret password.
secret level level
For example, an administrator could assign four levels of device access within an organization: ■
A USER account (requiring level 1, not including ping)
■
A SUPPORT account (requiring all level 1 access, plus the ping command)
■
A JR-ADMIN account (requiring all level 1 and 5 access, plus the reload command)
■
An ADMIN account (requiring complete access)
Implementing privilege levels varies depending on the organization’s structure and the different job functions that require access to the infrastructure devices. In the case of the USER, which requires default level 1 (Router>) access, no custom privilege level is defined. This is because the default user mode is equivalent to level 1. The SUPPORT account could be assigned a higher level access such as level 5. Level 5 automatically inherits the commands from levels 1 through 4, plus additional commands can be assigned. Keep in mind that when a command is assigned at a specific level, access to that command is taken away from any lower level. For example, to assign level 5 the ping command, use the following command sequence. privilege exec level 5 ping
The USER account (level 1) no longer has access to the ping command, because a user must have access to level 5 or higher to perform the ping function. To assign a password to level 5, enter the following command. enable secret level 5 cisco5
To access level 5, the password cisco5 must be used. To assign a specific username to privilege level 5, enter the following command. username support privilege 5 secret cisco5
A user that logs in under the username support is only able to access privilege level 5, which also inherits privilege level 1. The JR-ADMIN account needs access to all level 1 and level 5 commands as well as the reload command. This account must be assigned a higher level access, such as level 10. Level 10 automatically inherits all the commands from the lower levels. To assign level 10 to the privileged EXEC mode reload command, use the following command sequence.
02_9781587132483_ch02.qxp
40
7/13/09
1:09 PM
Page 40
CCNA Security Course Booklet, Version 1.0
privilege exec level 10 reload username jr-admin privilege 10 secret cisco10 enable secret level 10 cisco10
By performing these commands, the reload command is only available to users with level 10 access or higher. The username jr-admin is given access to privilege level 10 and all associated commands, including those commands assigned to any lower privilege levels. To access level 10 mode, the password cisco10 is required. An ADMIN account could be assigned the default level 15 access for privileged EXEC mode. In this instance, no custom commands need to be defined. A custom password could be assigned using the enable secret level 15 cisco123 command, however, that does not override the enable secret password, which could also be used to access level 15. Use the username admin privilege 15 secret cisco15 command to assign level 15 access to the user ADMIN with a password of cisco15. Keep in mind that when assigning usernames to privilege levels, the privilege and secret keywords are not interchangeable. For example, the username USER secret cisco privilege 1 command does not assign the USER account level 1 access. Instead, it creates an account requiring the password “cisco privilege 1”. To access established privilege levels, enter the enablelevel command from user mode, and enter the password that was assigned to the custom privilege level. Use the same command to switch from a lower level to a higher level. ■
To switch from level 1 to level 5, use the enable
■
To switch to level 10, use enable
■
To switch from level 10 to level 15, use the enable command. If no privilege level is specified, level 15 is assumed.
10
5
command at the EXEC prompt.
with the correct password.
It is sometimes easy to forget which level of access a user currently has. Use the show privilege command to display and confirm the current privilege level. Remember that the higher privilege levels automatically inherit the command access of the lower levels. Although assigning privilege levels does provide some flexibility, some organizations might not find them suitable because of the following limitations: ■
No access control to specific interfaces, ports, logical interfaces, and slots on a router.
■
Commands available at lower privilege levels are always executable at higher levels.
■
Commands specifically set on a higher privilege level are not available for lower privileged users.
■
Assigning a command with multiple keywords to a specific privilege level also assigns all commands associated with the first keywords to the same privilege level. An example is the show ip route command.
The biggest limitation however is that if an administrator needs to create a user account that has access to most but not all commands, privilege exec statements must be configured for every command that must be executed at a privilege level lower than 15. This can be a tedious process. How can the limitations of assigning privilege levels be overcome?
02_9781587132483_ch02.qxp
7/13/09
1:09 PM
Page 41
Chapter 2: Securing Network Devices
41
2.2.2 Configuring Role-Based CLI Access Role-Based CLI To provide more flexibility than privilege levels, Cisco introduced the Role-Based CLI Access feature in Cisco IOS Release 12.3(11)T. This feature provides finer, more granular access by controlling specifically which commands are available to specific roles. Role-based CLI access enables the network administrator to create different views of router configurations for different users. Each view defines the CLI commands that each user can access. Security Role-based CLI access enhances the security of the device by defining the set of CLI commands that is accessible by a particular user. Additionally, administrators can control user access to specific ports, logical interfaces, and slots on a router. This prevents a user from accidentally or purposely changing a configuration or collecting information to which they should not have access. Availability Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel, which could result in undesirable results. This minimizes downtime. Operational Efficiency Users only see the CLI commands applicable to the ports and CLI to which they have access; therefore, the router appears to be less complex, and commands are easier to identify when using the help feature on the device. Role-based CLI provides three types of views: ■
Root view
■
CLI view
■
Superview
Each view dictates which commands are available. Root View To configure any view for the system, the administrator must be in root view. Root view has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user. Only a root view user can configure a new view and add or remove commands from the existing views. CLI View A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and, therefore, no higher or lower views. Each view must be assigned all commands associated with that view, and a view does not inherit commands from any other views. Additionally, the same commands can be used in multiple views. Superview A superview consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible. Superviews allow a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated to that one CLI view. Superviews have the following characteristics: ■
A single CLI view can be shared within multiple superviews.
02_9781587132483_ch02.qxp
42
7/13/09
1:09 PM
Page 42
CCNA Security Course Booklet, Version 1.0
■
Commands cannot be configured for a superview. An administrator must add commands to the CLI view and add that CLI view to the superview.
■
Users who are logged into a superview can access all the commands that are configured for any of the CLI views that are part of the superview.
■
Each superview has a password that is used to switch between superviews or from a CLI view to a superview.
Deleting a superview does not delete the associated CLI views. The CLI views remain available to be assigned to another superview. Before an administrator can create a view, AAA must be enabled using the aaa mand or Cisco SDM.
new-model
com-
To configure and alter views, an administrator must log in as the root view, using the enable view privileged EXEC command. The enable view root command can also be used. When prompted, enter the enable secret password. There are five steps to create and manage a specific view. Step 1. Enable AAA with the aaa new-model global configuration command. Exit and enter the root view with the enable view command. Step 2. Create a view using the parser view view-name command. This enables the view configuration mode. Excluding the root view, there is a maximum limit of 15 views in total. Step 3. Assign a secret password to the view using the secret encrypted-password command. Step 4. Assign commands to the selected view using the commands parser-mode {include | command in view configuration mode.
include-exclusive | exclude} [all] [interface interface-name | command]
Step 5. Exit view configuration mode by typing the exit command. The steps to configure a superview are essentially the same as configuring a CLI view, except that instead of using the commands command to assign commands, use the view view-name command to assign views. The administrator must be in root view to configure a superview. To confirm that root view is being used, use either the enable view or enable view root command. When prompted, enter the enable secret password. There are four steps to create and manage a superview. Step 1. Create a view using the parser view configuration mode.
view view-name superview
command and enter super-
Step 2. Assign a secret password to the view using the secret encrypted-password command. Step 3. Assign an existing view using the view view-name command in view configuration mode. Step 4. Exit superview configuration mode by typing the exit command. More than one view can be assigned to a superview, and views can be shared between superviews. To access existing views, enter the enable view viewname command in user mode and enter the password that was assigned to the custom view. Use the same command to switch from one view to another. To verify a view, use the enable view command. Enter the name of the view to verify, and provide the password to log in to the view. Use the question mark (?) command to verify that the commands available in the view are correct. From the root view, use the show
parser view all
command to see a summary of all views.
02_9781587132483_ch02.qxp
7/13/09
1:09 PM
Page 43
Chapter 2: Securing Network Devices
43
2.3 Monitoring and Managing Devices 2.3.1 Securing the Cisco IOS Image and Configuration Files If attackers gain access to a router there are many things that they could do. For example, they could alter traffic flows, alter configurations, and even erase the startup configuration file and Cisco IOS image. If the configuration or IOS image is erased, the operator might need to retrieve an archived copy to restore the router. The recovery process must then be performed on each affected router, adding to the total network downtime. The Cisco IOS Resilient Configuration feature allows for faster recovery if someone reformats flash memory or erases the startup configuration file in NVRAM. This feature allows a router to withstand malicious attempts at erasing the files by securing the router image and maintaining a secure working copy of the running configuration. When a Cisco IOS image is secured, the resilient configuration feature denies all requests to copy, modify, or delete it. The secure copy of the startup configuration is stored in flash along with the secure IOS image. This set of Cisco IOS image and router running configuration files is referred to as the bootset. The Cisco IOS resilient configuration feature is only available for systems that support a PCMCIA Advanced Technology Attachment (ATA) flash interface. The Cisco IOS image and backup running configuration on the Flash drive are hidden from view, so the files are not included in any directory listing on the drive. Two global configurations commands are available to configure the Cisco IOS resilient configuration features: secure boot-image and secure boot-config. The secure
boot-image
command
The secure boot-image command enables Cisco IOS image resilience. When enabled for the first time, the running Cisco IOS image is secured, and a log entry is generated. This feature can be disabled only through a console session using the no form of the command. This command functions properly only when the system is configured to run an image from a flash drive with an ATA interface. Additionally, the running image must be loaded from persistent storage to be secured as primary. Images that are booted from the network, such as a TFTP server, cannot be secured. The Cisco IOS resilient configuration feature detects image version mismatches. If the router is configured to boot with Cisco IOS resilience and an image with a different version of the Cisco IOS software is detected, a message, similar to the one shown below, is displayed at bootup: ios resilience: Archived image and configuration version 12.2 differs from running version 12.3
To upgrade the image archive to the new running image, reenter the secure boot-image command from the console. A message about the upgraded image is displayed. The old image is released and is visible in the dir command output. The secure
boot-config
command
To take a snapshot of the router running configuration and securely archive it in persistent storage, use the secure boot-config command in global configuration mode. A log message is displayed on the console notifying the user that configuration resilience is activated. The configuration archive is hidden and cannot be viewed or removed directly from the CLI prompt.
02_9781587132483_ch02.qxp
44
7/13/09
1:09 PM
Page 44
CCNA Security Course Booklet, Version 1.0
The configuration upgrade scenario is similar to an image upgrade. This feature detects a different version of Cisco IOS configurations and notifies the user of a version mismatch. The secure boot-config command can be run to upgrade the configuration archive to a newer version after new configuration commands have been issued. Secured files do not appear in the output of a dir command that is issued from the CLI. This is because the Cisco IOS file system prevents secure files from being listed. Because the running image and running configuration archives are not visible in the dir command output, use the show secure bootset command to verify the existence of the archive. This step is important to verify that the Cisco IOS image and configuration files have been properly backed up and secured. While the Cisco IOS file system prevents these files from being viewed, ROM monitor (ROMmon) mode does not have any such restrictions and can list and boot from secured files. There are five steps to restore a primary bootset from a secure archive after the router has been tampered with (by an NVRAM erase or a disk format): Step 1. Reload the router using the reload command. Step 2. From ROMmon mode, enter the dir command to list the contents of the device that contains the secure bootset file. From the CLI, the device name can be found in the output of the show secure bootset command. Step 3. Boot the router with the secure bootset image using the boot command with the filename found in Step 2. When the compromised router boots, change to privileged EXEC mode and restore the configuration. Step 4. Enter global configuration mode using conf t. Step 5. Restore the secure configuration to the supplied filename using the secure restore filename command.
boot-config
In the event that a router is compromised or needs to be recovered from a misconfigured password, an administrator must understand password recovery procedures. For security reasons, password recovery requires the administrator to have physical access to the router through a console cable. Recovering a router password involves several steps. Step 1. Connect to the console port. Step 2. Use the show
version
command to view and record the configuration register.
The configuration register is similar to the BIOS setting of a computer, which controls the bootup process. A configuration register, represented by a single hexadecimal value, tells a router what specific steps to take when powered on. Configuration registers have many uses, and password recovery is probably the most used. To view and record the configuration register, use the show version command. R1> show version
