Download Device Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
Document related concepts

Extensible Authentication Protocol wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Computer network wikipedia , lookup

Airborne Networking wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Computer security wikipedia , lookup

List of wireless community networks by region wikipedia , lookup

Network tap wikipedia , lookup

Distributed firewall wikipedia , lookup

Wireless security wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
– Chapter 3 –
Device Security (B)
• Security of major devices:
How to protect the device against attacks aimed at compromising
the device itself
– Routers
– Firewalls
– Switches
– Authentication servers
– wireless access points
– …
Network Security
1
Steps to secure a router:
1.
Backup of configuration
files and the router
software
2.
Controlling access to the
router (tty, vty ports)
3.
Securing access to the
router (via SSH)
4.
Password management
5.
Logging events on the
router
6.
Disabling unnecessary
services
7.
Using loopback interfaces
8. Controlling SNMP as a
management protocol
9. Controlling HTTP as a
management protocol
10.Using CEF as a switching
mechanism
11.Setting up the scheduler from
a security perspective
12.Using the Network Time
Protocol (NTP)
13.Login banners
14.Capturing core dumps
15.Using service nagle to
improve Telnet access during
high CPU events
Network Security
2
2. Controlling access to the router
• A tty port is physically connected to a terminal or
workstation for local administrative access to the
router.
• An aux ports, similar to a tty port, is connected
to a modem for remote out-of-band
administrative access to the router.
• A vty (virtual tty) port is used to allow remote inband connection sessions, via telnet, ssh, or
rlogin.
Network Security
3
Vulnerabilities of tty or aux ports
• A tty or aux port may suffer reverse telnet
attack, where the terminal server connected to
the tty port or the modem connected to the aux
port of the router is used by the attacker (as a
remote client) to access the router.
• Check out this link to see an illustration of using
‘reverse telnet’ to remotely access a router.
(diagrams below)
Network Security
4
Normal telnet
Network Security
5
Reverse Telnet
Network Security
6
Vulnerabilities of tty or aux ports
• Solution?
– Disable the console port
Line con0
transport input none
– Allow only SSH access to a router’s console port (a
feature added to IOS v12.2 or higher)
Line con0
login authentication default
rotary 1
transport input ssh
ip ssh port 2001 rotary 1
• Requirement: The router must be set up as a SSH server.
Network Security
7
Controlling vty access
1.
Restricted access: Only allow the protocols that will be
used by the network admin
•
•
Only addresses in the ‘access list’ are allowed to
connect: access-class, access-list (See example 3-6)
Short timeouts:
2.
3.
•
4.
Since Cisco IOS v11.1, the default is none.
Example: To allow only telnet and ssh connections
line vty 0 4
transport input telnet ssh
The default timeout value is 10 minutes. To set it to 5 min. 30
sec.
line vty 0 4
exec-timeout 5 30
Authentication for vty access: either local or RADIUS
authentication (preferred).
Network Security
8
3. Securing access to the router using
encryption
•
IPsec VPN client (preferred; more details in Ch
13)
– Two cases:
A. The VPN client access a back-end LAN (the
destination) by building a tunnel between itself
and a router (the IPsec gateway), behind which
the LAN is located.
B. The VPN client is used to remotely administer
the router, which is both the gateway and the
destination.
•
SSH: Only SSH v1 is supported by Cisco IOS
Example 3-11
Network Security
9
4. Password Management
•
Passwords stored on the router should be
properly encrypted.
•
The default password-encryption is either type
0 (clear text passwords) or type 7 (weak
encryption).
•
Use the enable secret command to activate
MD5 when encrypting passwords.
•
Example 3-12
Network Security
10
Password Management
•
Passwords stored on the router should be
properly encrypted.
•
The default password-encryption is either type
0 (clear text passwords) or type 7 (weak
encryption).
•
Use the enable secret command to activate
MD5 when encrypting passwords.
•
Example 3-12
Network Security
11
5. Logging events
• Advantages: Allows auditing and tracking
 forensics (in case of an attack)
performance tuning (maintenance)
• required: good time stamping  using
NTP
• Example: 3-13
Network Security
12
6. Disable unnecessary services
• If a service is not being actively used on a
device, it should be disabled.
• Otherwise it may be used as a back door
for the attacker to gain access to the
device.
• Sample services to be disabled: Table 3-1
TCP small servers, UDP small servers, Finger
server, …
Network Security
13
7. Using loopback interfaces
• Advantages: Enable a block of IP addresses to
be assigned to be used by loopback.
– All routers can be forced to use these loopback IP
addresses as source addresses when accessing the
servers.
– The servers can then also be locked down to allow
access only from this block of IP addresses.
• Accesses from addresses outside this block are
denied.
• Example 3-14
Network Security
14
8. Controlling SNMP (as a
management protocol)
• SNMP can be used in read-only and ‘read
and write’ modes
• Unless necessary, use read-only mode on
routers.
• The ‘read and write’ mode allows the
admin to modify the router’s configurations
via SNMP.
• Access into the network via SNMP should
be blocked at the network’s boundary.
Network Security
15
8. Controlling SNMP (as a
management protocol)
• Security of SNMP:
– v1 and v2 use ‘community strings’ as the only
authentication mechanism. (Not secure)
– v3 is more secure by providing MD5 or SHA
for authentication, and DES for encryption.
• SNMP v3: threats vs protections (p.65)
Network Security
16
9. Controlling HTTP (as a
management protocol)
• Unless necessary, HTTP access to the
router should be disabled.
• Admin access to the router via HTTP
should be secured, by activating
authentication.
• Example: 3-19
Network Security
17
10. Using CEF as a switching
mechanism
• Cisco Express Forwarding
• Routers using the traditional switching mechanisms need
to update routing caches when packets destined for new
addresses arrive.
• SYN floods and DDoS attacks use a large number of
random or pseudo-random IP addresses as ultimate
targets.
• CEF replaces the normal routing cache with a data
structure that mirrors the entire routing tables.
• It does away with the need to update the cache each
time a new IP address needs to be routed to.
Network Security
18
11. Using the scheduler
• scheduler allocate
• scheduler interval
• To prevent the router from becoming too
busy responding to the interrupts on its
interfaces due to the large number of
packets arriving  large-scale network
attack, esp. a DDoS attack
• Example 3-21
Network Security
19
12. Using NTP
• Network Time Protocol
• Critical for services requiring good time
stamping: logging, AAA, Kerberos, …
• Challenge: authentication between
devices exchanging NTP information
Network Security
20
13. Login banners
• Sequence:
– Login banner
– login session
– MOTD banner
– EXEC banner (or incoming banner)
• Example: 3-25
Network Security
21
14. Capturing core dumps
• In the event of system crash, the core
dump may provide useful info for tracking
the attack(s).
• Example: 3-26
Network Security
22
15. Service nagle
• Nagle is an algorithm that can be enabled
as a service on a Cisco router, to allow the
router to pace the TCP connection for
Telnet in a way that reduces the burden on
the CPU and generally improves the
performance of the Telnet session.
– service nagle (Example 3-27)
Network Security
23
Security of other devices
• Firewalls, switches, …
• Similar procedure
– Check the default settings
– ‘Harden’ the device before placing it into use
in the production network.
Network Security
24
Related documents
Sample Quiz
Sample Quiz
Device Security
Device Security
Peak Support Services Ltd
Peak Support Services Ltd
glossary - Homework Market
glossary - Homework Market
arch4 - Geoff Huston
arch4 - Geoff Huston
William Stallings, Cryptography and Network Security 3/e
William Stallings, Cryptography and Network Security 3/e
Check Your Understanding Chapter 7 Part 1 For a quick review to
Check Your Understanding Chapter 7 Part 1 For a quick review to
U1L6_The_Internet
U1L6_The_Internet
common network terms - Amazon Web Services
common network terms - Amazon Web Services
9 Simple steps to secure your Wi-Fi Network.
9 Simple steps to secure your Wi-Fi Network.
ReviewSheet Midterm2 Last modified January 7
ReviewSheet Midterm2 Last modified January 7
Packet Tracer Scenario
Packet Tracer Scenario
3rd Edition: Chapter 4
3rd Edition: Chapter 4
Chp. 8 - Cisco Networking Academy
Chp. 8 - Cisco Networking Academy
NETWORKING LAB -
NETWORKING LAB -
II. Via URL Content Filter - DraytekTR Draytek Türkiye
II. Via URL Content Filter - DraytekTR Draytek Türkiye