Protecting Cisco IOS from Intrusion

Now that you have a snapshot of modern security concerns, look at Cisco IOS and the configuration commands you can use to deny intruders the ability to harm valuable network resources that are typically connected behind a Cisco router. In particular, this section covers how you can stop DoS attacks.

There are, of course, various Cisco IOS vulnerabilities that can be protected against only by new software releases; Cisco Systems issues regular Cisco IOS security bulletins and e-mail notices so that customers are not compromised.

Figure 7-2 displays a typical network scenario. The examples that follow show how to configure the router to separate the public and private networks so that the private network is not exposed.

Figure 7-2 Typical Internet Connection on R1

The Nagle algorithm helps alleviate the small-packet problem in TCP.

Example 7-1 configures Router R1 to enable the Nagle algorithm defined in RFC 896.

Example 7-1 Enable Nagle Algorithm

service nagle
service tcp-keepalives-in
service tcp-keepalives-out

Cisco.com defines the Nagle algorithm as follows (www.cisco.com/univercd/cc/td/doc/product/software/ios100/rpcg/36053.htm):

John Nagle's algorithm (RFC-896) helps alleviate the small-packet problem in TCP. In general, it works this way: The first character typed after connection establishment is sent in a single packet, but TCP holds any additional characters typed until the receiver acknowledges the previous packet. Then the second, larger packet is sent, and additional typed characters are saved until the acknowledgment comes back. The effect is to accumulate characters into larger chunks, and pace them out to the network at a rate matching the round-trip time of the given connection. This method is usually effective for all TCP-based traffic. However, do not enable the Nagle slow packet avoidance algorithm if you have XRemote users on X Window sessions.

Enabling this algorithm along with the service tcp-keepalives-in and service tcp-keepalives-out commands ensures that no TCP connections on the router are left hung.
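As an added illustration of the algorithm quoted above (this is not code from the page or from Cisco), the following Python simulation applies the Nagle rule to a constructed trace of keystroke times and shows how characters typed while a packet is unacknowledged are coalesced into one larger packet. The keystroke times and the fixed round-trip time are made-up inputs, and the model assumes no loss and an acknowledgment exactly one RTT after each send:

```python
from typing import List, Tuple


def nagle_schedule(keystroke_times_ms: List[int], rtt_ms: int) -> List[Tuple[int, int]]:
    """Simulate the Nagle rule for an interactive session.

    keystroke_times_ms: sorted times (ms) at which one character is typed.
    rtt_ms: round-trip time of the connection (ms). Constructed model: the ACK
            for a packet sent at time t arrives at t + rtt_ms, nothing is lost.
    Returns a list of (send_time_ms, bytes_in_packet).
    """
    packets: List[Tuple[int, int]] = []
    buffered = 0       # characters held back while a packet is unacknowledged
    ack_due = None     # arrival time of the ACK for the outstanding packet, if any

    for t in keystroke_times_ms:
        # Deliver every ACK that arrived before this keystroke; each ACK releases
        # whatever has accumulated as one larger packet (which is again unacked).
        while ack_due is not None and ack_due <= t:
            if buffered:
                packets.append((ack_due, buffered))
                buffered = 0
                ack_due += rtt_ms
            else:
                ack_due = None
        if ack_due is None:
            # Nothing outstanding: the character is sent immediately on its own.
            packets.append((t, 1))
            ack_due = t + rtt_ms
        else:
            buffered += 1

    # Characters still buffered leave when the last outstanding ACK returns.
    if buffered:
        packets.append((ack_due, buffered))
    return packets


def no_nagle_schedule(keystroke_times_ms: List[int]) -> List[Tuple[int, int]]:
    """Baseline without Nagle: every character becomes its own packet."""
    return [(t, 1) for t in keystroke_times_ms]


# Constructed keystroke trace: a burst of four characters, then two more.
KEYSTROKES_MS = [0, 50, 100, 150, 300, 600]
RTT_MS = 200

if __name__ == "__main__":
    with_nagle = nagle_schedule(KEYSTROKES_MS, RTT_MS)
    print("with Nagle   :", with_nagle, "->", len(with_nagle), "packets")
    print("without Nagle:", no_nagle_schedule(KEYSTROKES_MS), "-> 6 packets")
```

With the constructed trace the three characters typed while the first packet is in flight travel together at 200 ms, so six keystrokes produce four packets instead of six; the longer the RTT, the more characters each packet carries, which is the pacing effect the quoted description calls "matching the round-trip time".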

NOTE To generate keepalive packets on idle incoming network connections (initiated by the remote host), use the service tcp-keepalives-in global configuration command.

To generate keepalive packets on idle outgoing network connections (initiated by a user), use the service tcp-keepalives-out global configuration command.

Example 7-2 configures R1 to disable (on by default) TCP/UDP small servers.

Example 7-2 Disable TCP/UDP Small Servers

no service udp-small-servers
no service tcp-small-servers

By default, the TCP servers for Echo, Discard, Chargen, and Daytime services are disabled.

When the minor TCP/IP servers are disabled, access to the Echo, Discard, Chargen, and Daytime ports causes the Cisco IOS software to send a TCP reset packet to the sender and discard the original incoming packet. Because disabling the TCP/UDP small servers is the default, the commands in Example 7-2 do not appear when you view the configuration.

NOTE When a Cisco IOS router is configured to disable the UDP small servers, access to the Echo, Discard, and Chargen ports causes the router to send ICMP port-unreachable messages to the source device, and the incoming packet is discarded. It is up to the source station to act on the ICMP port-unreachable messages. In other words, if the probe came from an unauthorized host, you are still sending information back to that device.

Example 7-3 configures R1 to encrypt all passwords configured on a Cisco router.

Example 7-3 Encrypting All Passwords

service password-encryption
enable secret 5 $1$CNqo$C4bT4/zR.iJF0YEpqMhPF/
enable password 7 13061E010803

This ensures that if anyone (intruder or insider) views the configuration file, the passwords are obscured. Define the enable secret as well, because it is protected with a stronger one-way hash (MD5) than the enable password.

Example 7-4 configures R1 to disable DHCP, which is enabled by default.

Example 7-4 Disable DHCP

no service dhcp

Cisco routers act as DHCP servers for clients by default. This service is not necessary, so it should be disabled to stop an intruder from obtaining a valid IP address.

Example 7-5 configures R1 to log system and debug messages and to stamp each entry with the time.

Example 7-5 Logging Router System Changes and Events

service timestamps debug
service timestamps log
logging buffered 64000 debugging
logging rate-limit console 10 except errors
no logging console
logging trap debugging
logging 1.1.1.1
logging 141.108.1.1
logging 5.5.5.5

Make sure that the router's clock is set to the correct time, via NTP or manual entry with the clock set command. This allows you to look at the log after any incident has occurred. Also, because you are logging to a remote host or hosts and locally to the buffer, you can disable the debug output to the console port so that messages do not overwhelm the router. You are logging to three different remote hosts. You can also buffer and output the log file for viewing at a time favorable to the network administrator.

You can enable a Cisco IOS router to log messages with the command logging on. The command logging buffered enables the router to store logged messages, such as configuration changes, in a local file stored in NVRAM for later viewing. To view the messages buffered in memory, use the show logging command. Note that trap-level debug logging to three different hosts can significantly increase the load on a router's CPU; you may want to limit logging to one or two hosts, or enable this level only when troubleshooting. For the purposes of this example, assume that the highest level is used.

Example 7-6 configures R1 with the service sequence-numbers command.

Example 7-6 Enable Sequence Numbering

service sequence-numbers

This service is quite useful: enabling it numbers your syslog entries, so a missing or altered entry shows up as a gap in the sequence.

Example 7-7 configures R1 for AAA, using TACACS+ via the remote host 131.108.1.1.

Example 7-7 AAA Configuration

username cisco password ciSc0
aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default stop-only group tacacs+
tacacs-server host 131.108.1.1
tacacs-server key myguitarrocksthisworld
! A backup username is added here in case the TACACS+ server is not reachable.
username cisco password cisco

Example 7-7 configures R1 for AAA authentication; in the event that TACACS+ is unreachable, local authentication is used with the command username cisco password cisco.

By default, Cisco IOS software permits a number of default TCP/IP services. Example 7-8 disables some common services.

Example 7-8 Disable Services on by Default

no ip http server
no ip finger
no service pad
no ip source-route
no ip bootp server

Example 7-8 disables the HTTP server on R1. The finger service allows remote users to view the output of the show users [wide] command: when ip finger is configured, the router responds to a telnet a.b.c.d finger command from a remote host by immediately displaying the output of show users and then closing the connection. You should turn this service off. The service pad command enables packets to be assembled and disassembled between packet assembler/disassembler (PAD) devices and access servers. The command no ip source-route causes the system to discard any IP datagram containing a source-route option. When you disable the BOOTP server, access to the BOOTP ports causes the Cisco IOS software to send an ICMP port unreachable message to the sender and discard the original incoming packet. If the Cisco router relays requests with helper addresses, BOOTP requests will now fail, so you might need to leave the BOOTP server enabled if you are forwarding DHCP requests to another server.
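The hardening commands in Examples 7-2, 7-3, 7-5, 7-6, 7-8 and 7-11 are easy to forget on one router out of many, so a defender's first check is an audit of the running configuration against that list. The following Python script is an added example, not code from the page or from Cisco: it parses the text form of show running-config, checks the global commands and the per-interface settings, and reports what is missing or still enabled. The sample configuration is constructed (addresses are documentation ranges, the enable password is a placeholder), and the audit assumes the hardening commands appear verbatim when configured and that loopback and Null0 interfaces need not carry the per-interface settings:

```python
import re
from typing import Dict, List, Tuple

# Global commands the hardening examples add. All are non-default, so this audit
# assumes they appear verbatim in 'show running-config' when configured.
REQUIRED_GLOBAL = [
    "service password-encryption", "service tcp-keepalives-in",
    "service tcp-keepalives-out", "service sequence-numbers",
    "no ip source-route", "no service pad", "no ip bootp server",
]
# Services Examples 7-2 and 7-8 turn off; seeing one enabled is a finding.
FORBIDDEN_GLOBAL = [
    "ip http server", "ip finger",
    "service tcp-small-servers", "service udp-small-servers",
]
# Interface settings from Example 7-11, expected on every interface except
# loopbacks and Null0 (assumption: those are not reachable by other hosts).
REQUIRED_PER_INTERFACE = [
    "no ip redirects", "no ip unreachables", "no ip proxy-arp",
    "no ip mask-reply", "ip verify unicast reverse-path", "no cdp enable",
]
SYSLOG_HOST_RE = re.compile(r"^logging \d{1,3}(\.\d{1,3}){3}$")


def parse_sections(config_text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split running-config text into global lines and per-interface line lists."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None                      # '!' ends an interface block
        elif raw.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line)    # indented: belongs to the interface
        else:
            current = None                      # back at global configuration level
            global_lines.append(line)
    return global_lines, interfaces


def audit_config(config_text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    global_lines, interfaces = parse_sections(config_text)
    findings: List[str] = []
    for wanted in REQUIRED_GLOBAL:
        if wanted not in global_lines:
            findings.append(f"global: missing '{wanted}'")
    for bad in FORBIDDEN_GLOBAL:
        if bad in global_lines:
            findings.append(f"global: '{bad}' is enabled")
    if not any(l.startswith("enable secret ") for l in global_lines):
        findings.append("global: no 'enable secret' (enable password alone is weak)")
    if not any(SYSLOG_HOST_RE.match(l) for l in global_lines):
        findings.append("global: no remote syslog host configured")
    for name, lines in interfaces.items():
        if name.lower().startswith(("loopback", "null")):
            continue
        for wanted in REQUIRED_PER_INTERFACE:
            if wanted not in lines:
                findings.append(f"{name}: missing '{wanted}'")
    return findings


# Constructed running-config (not from the page) with several items deliberately
# left out; the enable password is a placeholder, not a real encoded value.
SAMPLE_RUNNING_CONFIG = """\
service password-encryption
service tcp-keepalives-in
service sequence-numbers
!
enable password 7 PLACEHOLDER
!
ip finger
no ip source-route
no ip bootp server
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Ethernet0
 ip address 192.0.2.129 255.255.255.128
 no ip redirects
 no ip unreachables
 ip verify unicast reverse-path
 no cdp enable
!
interface Null0
 no ip unreachables
!
logging buffered 64000 debugging
end
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_RUNNING_CONFIG):
        print(finding)
```

Run against the constructed configuration it reports seven findings: the missing tcp-keepalives-out, no service pad, the enable secret and the remote syslog host, the still-enabled finger service, and two per-interface settings absent from Ethernet0. Feed it the output of show running-config collected from each router (a single verbatim-match rule per command keeps false positives low; adjust the lists to the IOS release's own spelling of each command where it differs).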

Example 7-9 enables TCP intercept.

Example 7-9 TCP Intercept

ip tcp intercept list 100
ip tcp intercept connection-timeout 60
ip tcp intercept watch-timeout 10
ip tcp intercept one-minute low 1800
ip tcp intercept one-minute high 5000
access-list 100 permit ip any any

TCP intercept helps prevent SYN flood attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP SYN packets from clients to servers that match an extended access list (access list 100 in Example 7-9). The router answers on the server's behalf; if the client completes the handshake, the connection is valid and the two devices are allowed to communicate.

The one-minute low and one-minute high values identify when TCP intercept should deactivate or activate aggressive mode.

In this case, the Cisco IOS command ip tcp intercept one-minute high 5000 defines the number of connection requests (5000) received in one minute above which the Cisco IOS software enters aggressive mode. The Cisco IOS command ip tcp intercept one-minute low 1800 defines the number of connection requests (1800) below which the software leaves aggressive mode.
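The following Python model is added here and is not code from the page or from Cisco IOS. It feeds a constructed sequence of per-minute connection-request counts through the two thresholds from Example 7-9 and shows the resulting mode after each minute. It assumes aggressive mode is entered when a minute's count exceeds the high value and left when a count falls below the low value; counts between the two leave the mode unchanged, which is the hysteresis that the pair of commands provides and the reason a single threshold would flap under a fluctuating flood:

```python
from typing import List


class InterceptMode:
    """Track TCP intercept's aggressive-mode state from per-minute request counts.

    The two thresholds form a hysteresis band: above `high` the router enters
    aggressive mode, below `low` it leaves, and in between the current mode is
    kept. Defaults are the values used in Example 7-9. The strict > and <
    comparisons at the boundaries are an assumption of this model.
    """

    def __init__(self, one_minute_low: int = 1800, one_minute_high: int = 5000):
        if one_minute_low >= one_minute_high:
            raise ValueError("one-minute low must be smaller than one-minute high")
        self.low = one_minute_low
        self.high = one_minute_high
        self.aggressive = False

    def update(self, requests_last_minute: int) -> bool:
        """Feed one minute's count of incoming connection requests; return the new mode."""
        if not self.aggressive and requests_last_minute > self.high:
            self.aggressive = True
        elif self.aggressive and requests_last_minute < self.low:
            self.aggressive = False
        return self.aggressive


def mode_trace(per_minute_counts: List[int], low: int = 1800, high: int = 5000) -> List[bool]:
    """Return the aggressive-mode flag after each minute of the given trace."""
    state = InterceptMode(low, high)
    return [state.update(n) for n in per_minute_counts]


# Constructed per-minute SYN counts: normal load, a flood, a slow decay, recovery.
SAMPLE_COUNTS = [1000, 6000, 4000, 1900, 1700, 3000]

if __name__ == "__main__":
    for minute, (n, aggressive) in enumerate(zip(SAMPLE_COUNTS, mode_trace(SAMPLE_COUNTS)), 1):
        print(f"minute {minute}: {n:5d} requests -> {'AGGRESSIVE' if aggressive else 'normal'}")
```

Note that the fourth minute (1900 requests) keeps the router in aggressive mode even though the count is far below 5000, and the last minute (3000) does not re-enter it: only crossing the outer thresholds changes state.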

Example 7-10 configures R1 to dump the router's memory contents in case of a router crash.

Example 7-10 Allowing Core Dumps

ip ftp username rooter
ip ftp password $%&#*&*$$%&$
exception core-file secure-r01-core-dump
exception protocol ftp
exception dump 3.3.3.3

It is important to be able to look at the reasons a router crashed, especially a router that provides a security wall to the outside world. Core dumps can be given to Cisco personnel who in turn can decipher the main reason the router crashed. The Cisco IOS command exception core-file secure-r01-core-dump sets the filename generated when the router actually crashes. The Cisco IOS command exception protocol ftp defines the protocol used to send the memory dump. The Cisco IOS command exception dump 3.3.3.3 defines the remote host where the file will be copied; in this case, the file will be copied via FTP to remote host 3.3.3.3. Cisco Systems TAC engineers will use the memory dump to try to decipher why the router crashed.

Example 7-11 shows R1 configured with some common parameters for packets sent to unknown destinations and to networks that do not exist. Cisco Discovery Protocol (CDP) is also disabled, to stop other Cisco devices from discovering details about this router.

Example 7-11 IP Unreachables and Routes to Null0

interface Ethernet0
 ip address 3.3.3.3 255.255.255.255
 no ip redirects
 no ip unreachables
 ip verify unicast reverse-path
 no cdp enable
 no ip proxy-arp
 no ip mask-reply
!
interface Null0
 no ip unreachables
!
ip route 131.0.0.0 255.0.0.0 Null0

The Cisco IOS command no ip redirects stops the router from sending ICMP redirect messages back out the interface on which the triggering packet was received.

The Cisco IOS command no ip unreachables stops the router from sending ICMP unreachable messages for packets it cannot deliver. The ip route command ensures that packets received for the network 131.10.0.0/12 are discarded and not acted on. This can stop a routing loop and an intruder trying to spoof (pretend to belong to) network 131.10.0.0/12.

The ip verify unicast reverse-path command helps mitigate problems caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address.

The no ip proxy-arp command disables proxy ARP on the interface. Proxy ARP is a technique in which one host, usually a router, answers ARP requests intended for another machine. Attackers can exploit this by sending a large number of proxy ARP requests, pretending to be a real host by "assuming" or "faking" its identity. Disabling proxy ARP prevents the router from accepting responsibility for routing packets to the "real" destination. Proxy ARP, when used correctly, can help machines on a subnet reach remote subnets without configuring routing or a default gateway. Typically, this issue is resolved by DHCP or statically configured gateways, so you can disable this option on all Cisco IOS-enabled devices. Proxy ARP is defined in RFC 1027.

Disabling mask replies with the command no ip mask-reply ensures that the Cisco IOS software does not answer ICMP address mask requests with ICMP mask reply messages.

Loopback interfaces are the source of log messages. Loopbacks are often used for routing protocols, as well, because a logical interface does not go down and is reliable. Assign an IP address that uniquely identifies this router. Then, configure and activate the null0 interface as a place to send unknown destination packets. This becomes the trap for packets; they can route in but they can't route out if an intruder is spoofing networks from valid IP networks.

The configurations shown in Examples 7-1 through 7-11 are just some of the techniques you can use to ensure that vulnerable routers are secure. Just imagine all the routers in the Internet that do not contain this level of security, and you will be aware of the challenges faced in the day-to-day running of the World Wide Web and the reasons why organizations like CERT/CC are an invaluable resource.

Sometimes even the most basic security can help an organization mitigate a virus. For example, assume that your company uses 135.15.0.0/16 as its network. In that case, any traffic from the outside (Internet) with a 135.15.0.0/16 source address must be bogus unless initiated from inside the network; similarly, any traffic from inside with a source address outside 135.15.0.0/16 would be bogus. Both should be logged. In the case of repeat offenders inside, the systems are either being used by a hacker or, more likely, have been infected with a worm that spoofs source addresses.
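As an added example (not code from the page), the following Python applies this ingress/egress rule to a constructed set of border flow records and tallies spoofed outbound flows by the port they entered on rather than by their forged source address, which is what makes a repeat offender locatable. The flow records, port names and addresses are constructed; the rule deliberately ignores the "unless initiated from inside" caveat and treats any inbound packet carrying the site prefix as bogus:

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# The organization's address block from the text.
SITE_PREFIX = ipaddress.ip_network("135.15.0.0/16")

# Constructed flow records (not from the page): (direction, ingress_port, src, dst).
# direction "in" = arriving from the Internet, "out" = leaving the site.
SAMPLE_FLOWS = [
    ("in",  "Serial0",     "198.51.100.7", "135.15.20.4"),   # normal inbound
    ("in",  "Serial0",     "135.15.9.9",   "135.15.20.4"),   # our prefix from outside: spoofed
    ("out", "Ethernet0/1", "135.15.20.4",  "198.51.100.7"),  # normal outbound
    ("out", "Ethernet0/1", "10.0.0.5",     "203.0.113.2"),   # bogus source leaving
    ("out", "Ethernet0/1", "192.0.2.77",   "203.0.113.3"),   # bogus again, same port
    ("out", "Ethernet0/2", "135.15.30.1",  "203.0.113.3"),   # normal outbound
]


def is_bogus(direction: str, src: str) -> bool:
    """Ingress/egress rule: inbound must not carry our prefix as its source,
    outbound must carry nothing but our prefix as its source."""
    inside = ipaddress.ip_address(src) in SITE_PREFIX
    if direction == "in":
        return inside
    if direction == "out":
        return not inside
    raise ValueError(f"unknown direction {direction!r}")


def audit_flows(flows: Sequence[Tuple[str, str, str, str]]) -> Tuple[List[str], Dict[str, int]]:
    """Return log lines for bogus flows and a per-ingress-port count of bogus
    outbound flows. Counting by port rather than by source address matters:
    a spoofed source identifies nothing, but the port it arrived on does."""
    log: List[str] = []
    offenders: Counter = Counter()
    for direction, port, src, dst in flows:
        if is_bogus(direction, src):
            log.append(f"SPOOF {direction} port={port} src={src} dst={dst}")
            if direction == "out":
                offenders[port] += 1
    return log, dict(offenders)


def repeat_offenders(flows: Sequence[Tuple[str, str, str, str]], threshold: int = 2) -> List[str]:
    """Ingress ports that sourced at least `threshold` spoofed outbound flows."""
    _, offenders = audit_flows(flows)
    return sorted(port for port, n in offenders.items() if n >= threshold)


if __name__ == "__main__":
    lines, counts = audit_flows(SAMPLE_FLOWS)
    print("\n".join(lines))
    print("spoofed outbound by ingress port:", counts)
    print("repeat offenders:", repeat_offenders(SAMPLE_FLOWS))
```

In the constructed records Ethernet0/1 sourced two spoofed outbound flows with different forged addresses; the port, not the address, is what points at the infected segment to investigate. The same two rules are what an ingress and an egress access list on the border interface express, with the log keyword adding the record this code consumes.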

For more details on improving security on Cisco devices, visit http://www.cisco.com/warp/public/707/21.html.
