Protecting Cisco IOS from Intrusion

Now that you have a snapshot of modern security concerns, this section looks at Cisco IOS and the configuration commands you can use to deny intruders the ability to harm valuable network resources that are typically connected behind a Cisco router. In particular, this section covers how you can stop DoS attacks.

Figure 8-2 displays a typical network scenario. You see how to configure the router, separating the public and private networks so that the private network is not vulnerable.

Figure 8-2 Typical Internet Connection on R1


Example 8-1 configures the Router R1 to enable the Nagle algorithm defined in RFC 896.

Example 8-1 Enable Nagle

service nagle
service tcp-keepalives-in
service tcp-keepalives-out

Cisco Connection Online defines the Nagle algorithm (www.cisco.com/univercd/cc/td/doc/product/software/ios100/rpcg/36053.htm):

The algorithm developed by John Nagle (RFC 896) helps alleviate the small-packet problem in TCP. In general, it works this way: The first character typed after connection establishment is sent in a single packet, but TCP holds any additional characters typed until the receiver acknowledges the previous packet. Then the second, larger packet is sent, and additional typed characters are saved until the acknowledgment comes back. The effect is to accumulate characters into larger chunks, and pace them out to the network at a rate matching the round-trip time of the given connection. This method is usually effective for all TCP-based traffic. However, do not use the service nagle command if you have X Remote users on X Window system sessions.

Enabling this algorithm along with the service tcp-keepalives-in and service tcp-keepalives-out commands ensures that no TCP connections on the router are left hung.
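The sender-side behaviour quoted above (first character sent at once, later characters held until the ACK returns, then sent as one larger segment) can be traced with a small simulation. This is an added example, not code from the page or from Cisco; the keystroke timings and the 500 ms RTT are constructed values.

```python
from typing import List, Optional, Tuple

Packet = Tuple[float, str]   # (send time in seconds, payload)

def nagle_send(keystrokes: List[Tuple[float, str]], rtt: float) -> List[Packet]:
    """Simulate the sender side of Nagle's algorithm for an interactive session.

    keystrokes: (time typed, character) pairs in increasing time order.
    rtt: round-trip time; the ACK for a packet sent at time t arrives at t + rtt.
    The first character is sent at once; while that packet is unacknowledged,
    further characters are held and go out together when the ACK arrives.
    """
    packets: List[Packet] = []
    held = ""                         # characters waiting for the outstanding ACK
    ack_due: Optional[float] = None   # arrival time of the pending ACK; None = link idle
    for t, ch in keystrokes:
        # Deliver any ACKs that arrived before this keystroke; each one flushes held data.
        while ack_due is not None and ack_due <= t:
            if held:
                packets.append((ack_due, held))
                held = ""
                ack_due += rtt        # the flushed segment is now the one in flight
            else:
                ack_due = None        # nothing was waiting, so the link is idle again
        if ack_due is None:
            packets.append((t, ch))   # idle link: send the character immediately
            ack_due = t + rtt
        else:
            held += ch                # segment in flight: accumulate
    if held:                          # flush what is left once the last ACK returns
        packets.append((ack_due, held))
    return packets

# Constructed input: "hello!" typed at 100 ms intervals over a 500 ms RTT link.
TYPED = [(0.0, "h"), (0.1, "e"), (0.2, "l"), (0.3, "l"), (0.4, "o"), (0.5, "!")]

if __name__ == "__main__":
    # Six keystrokes become three segments paced one RTT apart.
    for when, payload in nagle_send(TYPED, rtt=0.5):
        print(f"t={when:.1f}s send {payload!r}")
```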

NOTE To generate keepalive packets on idle incoming network connections (initiated by the remote host), use the service tcp-keepalives-in global configuration command.

To generate keepalive packets on idle outgoing network connections (initiated by a user), use the service tcp-keepalives-out global configuration command.

Example 8-2 configures R1 to disable (on by default) TCP/UDP small servers.

Example 8-2 Disable TCP/UDP Small Servers

no service udp-small-servers
no service tcp-small-servers

By default, the TCP servers for Echo, Discard, Chargen, and Daytime services are disabled.

When the minor TCP/IP servers are disabled, access to the Echo, Discard, Chargen, and Daytime ports causes the Cisco IOS Software to send a TCP Reset packet to the sender and discard the original incoming packet. When the commands in Example 8-2 are entered, they do not display when you view the configuration because the default is to disable TCP/UDP servers.

NOTE When a Cisco IOS router is configured to disable the UDP small servers, access to the Echo, Discard, and Chargen ports causes the router to send ICMP port unreachable messages to the source device, and the incoming packet is discarded. It is up to the source station to act on the ICMP unreachable messages. In other words, if the request comes from an unauthorized host, you will be sending information back to that same device.

Example 8-3 configures R1 to encrypt all passwords configured on a Cisco router.

Example 8-3 Encrypting All Passwords

service password-encryption
enable secret 5 $1$CNqo$C4bT4/zR.iJF0YEpqMhPF/
enable password 7 13061E010803

This ensures that if anyone (intruder or insider) views the configuration file, the passwords are hidden. Then define the enable secret password, because it is hidden using a stronger authentication mechanism (MD5) than the enable password.

Example 8-4 configures R1 to disable DHCP, which is enabled by default.

Example 8-4 Disable DHCP

no service dhcp

Cisco has enabled routers to act as DHCP servers to clients by default. This is not a necessary service to have running, so it should be disabled to stop any intruder from receiving a valid IP address.

Example 8-5 enables the Router R1 to log any debug output and to mark each entry with a timestamp.

Example 8-5 Logging Router System Changes and Events

service timestamps debug
service timestamps log
logging buffered 64000 debugging
logging rate-limit console 10 except errors
no logging console
logging trap debugging
logging 1.1.1.1
logging 141.108.1.1
logging 5.5.5.5

Make sure the router's clock is set to the correct time via NTP or by manual entry with the clock set command. This allows you to examine the log after any incident has occurred. Also, because you are logging to a remote host or hosts and locally to the buffer, you can disable the debug output to the console port so that messages do not overwhelm the router. Here you are logging to three different remote hosts. You also buffer the log locally so that it can be viewed at a time convenient to the network administrator. You can enable a Cisco IOS router to log messages with the logging on command. The logging buffered command enables the router to store logged messages, such as configuration changes, in a local file stored in NVRAM for later viewing. To view messages buffered to memory, use the show logging command.

Example 8-6 configures R1 with the service sequence.

Example 8-6 Enable Sequence Numbering

service sequence-numbers

The sequence-numbers service is quite useful. Essentially, enabling it means that your syslog entries are numbered, which helps ensure that they are not tampered with. R1 is configured for TACACS via the remote host 131.108.1.1.
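With service sequence-numbers (Example 8-6) and service timestamps log (Example 8-5) enabled, every message R1 ships to the syslog hosts carries a sequence number, so a collector can check that the numbers are contiguous and in order. The checker below is an added example, not code from the page; the log lines are constructed to resemble IOS output, with entry 12 missing and entry 13 arriving after 14.

```python
import re
from typing import Dict, List

# Constructed sample in the form R1 emits with "service sequence-numbers" and
# "service timestamps log": zero-padded sequence number, uptime timestamp, message.
SAMPLE_LOG = """\
000010: 00:05:12: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)
000011: 00:05:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
000014: 00:06:02: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)
000013: 00:06:01: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.9(4412) -> 10.0.0.1(23), 1 packet
"""

# seq ": " timestamp ": " %FACILITY-SEVERITY-MNEMONIC ": " free text
LINE_RE = re.compile(r"^(\d+): (.+?): (%[A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$")

def parse_line(line: str) -> Dict[str, object]:
    """Split one IOS syslog line into its sequence number, timestamp, mnemonic and text."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed syslog line: {line!r}")
    seq, ts, mnemonic, text = m.groups()
    return {"seq": int(seq), "timestamp": ts, "mnemonic": mnemonic, "text": text}

def find_sequence_anomalies(log_text: str) -> List[str]:
    """Return a description of every gap or out-of-order sequence number.

    A gap means entries never reached the collector (dropped, or deleted after
    the fact); a lower number after a higher one means reordering or insertion.
    """
    anomalies: List[str] = []
    prev = None
    for raw in log_text.splitlines():
        seq = parse_line(raw)["seq"]
        if prev is not None:
            if seq < prev:
                anomalies.append(f"out of order: {seq} after {prev}")
            elif seq > prev + 1:
                anomalies.append(f"gap: missing {prev + 1}..{seq - 1}")
        prev = seq
    return anomalies

if __name__ == "__main__":
    for problem in find_sequence_anomalies(SAMPLE_LOG):
        print(problem)
```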

Example 8-7 configures R1 for AAA.

Example 8-7 AAA Configuration

username cisco password ciSc0
aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default stop-only group tacacs+
tacacs-server host 131.108.1.1
tacacs-server key myguitarrocksthisworld

Example 8-7 configures R1 for AAA authentication; in the event that TACACS+ fails, the router falls back to local authentication with a case-sensitive password (local-case) to keep hackers guessing.

By default, Cisco IOS permits a number of default services. Example 8-8 disables some common services.

Example 8-8 Disable Services on by Default

no ip http server
no ip finger
no service pad
no ip source-route
no ip bootp server

Example 8-8 disables the HTTP server on R1. The finger service allows remote users to view output equivalent to that of the show users [wide] command. When ip finger is configured, the router responds to a telnet a.b.c.d finger command from a remote host by immediately displaying the output of the show users command and then closing the connection. You should turn this service off. The service pad command enables packet assembly and disassembly (PAD) between PAD devices and access servers. The command no ip source-route causes the system to discard any IP datagram containing a source-route option. When you disable the BOOTP server, access to the BOOTP ports causes the Cisco IOS Software to send an "ICMP port unreachable" message to the sender and discard the original incoming packet.

Example 8-9 enables TCP intercept.

Example 8-9 TCP Intercept

ip tcp intercept list 100
ip tcp intercept connection-timeout 60
ip tcp intercept watch-timeout 10
ip tcp intercept one-minute low 1800
ip tcp intercept one-minute high 5000
access-list 100 permit ip any any

TCP intercept helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The router responds on the server's behalf; if it is a valid connection, the two devices are allowed to communicate.

The low and high values identify when TCP intercept should deactivate or activate aggressive mode.

In this case, the IOS command ip tcp intercept one-minute high 5000 defines the number of connection requests (5000) received in the minute before the IOS enters aggressive mode. The IOS command ip tcp intercept one-minute low 1800 defines the number of connection requests (1800) below which the software leaves aggressive mode.
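The two thresholds form a hysteresis: once the per-minute request count has exceeded high (5000), the router stays in aggressive mode until the count drops below low (1800), so a minute with, say, 3000 requests keeps aggressive mode on if it is already active but does not turn it on from the normal state. The model below is an added example, not Cisco's implementation; it tracks only the one-minute mode switch of Example 8-9 (not the timeouts or the max-incomplete thresholds), and the per-minute counts are constructed.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class TcpInterceptMode:
    """Hypothetical model of the one-minute aggressive-mode switch (thresholds from Example 8-9)."""
    one_minute_low: int = 1800
    one_minute_high: int = 5000
    aggressive: bool = False
    transitions: List[str] = field(default_factory=list)

    def end_of_minute(self, minute: int, syn_requests: int) -> bool:
        """Apply one minute's connection-request count; return the resulting mode."""
        if not self.aggressive and syn_requests > self.one_minute_high:
            self.aggressive = True
            self.transitions.append(
                f"minute {minute}: {syn_requests} requests exceed high "
                f"{self.one_minute_high}; entering aggressive mode")
        elif self.aggressive and syn_requests < self.one_minute_low:
            self.aggressive = False
            self.transitions.append(
                f"minute {minute}: {syn_requests} requests below low "
                f"{self.one_minute_low}; leaving aggressive mode")
        # Counts between low and high leave the current mode unchanged (hysteresis).
        return self.aggressive

def run_trace(per_minute_requests: List[int], low: int = 1800, high: int = 5000) -> List[bool]:
    """Return the mode after each minute for a sequence of per-minute SYN counts."""
    state = TcpInterceptMode(low, high)
    return [state.end_of_minute(m, n) for m, n in enumerate(per_minute_requests, start=1)]

# Constructed trace: quiet, a burst above 5000, a tail that stays above 1800,
# then the count falls below 1800 and the router returns to normal mode.
TRACE = [400, 5200, 3000, 1700, 600]

if __name__ == "__main__":
    state = TcpInterceptMode()
    for minute, count in enumerate(TRACE, start=1):
        state.end_of_minute(minute, count)
    print("\n".join(state.transitions))
```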

Example 8-10 configures R1 to dump the router's memory contents in case of a router crash.

Example 8-10 Allowing Core Dumps

ip ftp username rooter
ip ftp password $%&#*&"$$%&$
exception core-file secure-r01-core-dump
exception protocol ftp
exception dump 3.3.3.3

It is important to be able to examine why a router crashed, especially a router that provides a security wall to the outside world. Core dumps can be given to Cisco personnel, who can decipher the main reason the router crashed. The IOS command exception core-file secure-r01-core-dump sets the filename generated when the router actually crashes. The IOS command exception protocol ftp defines the protocol used to send the memory dump. The IOS command exception dump 3.3.3.3 defines the remote host to which the file is copied; in this case, the file is copied via FTP to remote host 3.3.3.3. Cisco Systems TAC engineers use the memory dump to try to determine why the router crashed.

Example 8-11 shows R1 configured for some common parameters for packets sent to unknown destinations and networks that do not exist.

Example 8-11 IP Unreachables and Routes to Null0

interface loopback0
 ip address 3.3.3.3 255.255.255.255
 no ip redirects
 no ip unreachables
interface null0
 no ip unreachables
ip route 131.0.0.0 255.0.0.0 null0

The IOS command no ip redirects disables the Cisco router from sending ICMP redirect messages to a device's source from the same interface.

The IOS command no ip unreachables stops the router from sending ICMP unreachable messages for packets it is not configured to handle. The ip route command ensures that packets received for the network 131.0.0.0/8 are thrown away and not acted on. This can stop a routing loop and an intruder trying to spoof (pretend to belong to) network 131.0.0.0/8.

Loopback interfaces are the source of log messages. Loopbacks are often used for routing protocols as well, because a logical interface does not go down and is reliable. Assign an IP address that uniquely identifies this router. Then configure and activate the null0 interface as a place to send unknown destination packets. This becomes the trap for packets: they can route in, but they cannot route out, in case an intruder is spoofing networks from valid IP networks.

The configurations shown in Examples 8-1 through 8-11 are just some of the techniques you can use to ensure vulnerable routers are secure. Just imagine all the routers in the Internet that do not contain this level of security, and you will be aware of the challenges faced in the day-to-day running of the WWW and reasons why organizations like CERT/CC are an invaluable resource.

For more details on security configurations visit www.cisco.com/warp/public/707/index.shtml.
