
Wednesday, August 27, 2014

CCNA Security Chapter 6 Notes

Endpoint Security

The high-profile threats most often discussed in the media are external threats, such as Internet worms and DoS attacks. But securing an internal local area network (LAN) is just as important as securing the perimeter of a network. Without a secure LAN, users in an organization may not be able to access the network, which can significantly reduce productivity.

Operating systems provide basic security services to applications:
  • Trusted code and trusted path - Ensures that the integrity of the operating system is not violated. Trusted code refers to the assurance that the operating system code is not compromised. An operating system might provide integrity checking of all running code by using hash message authentication codes (HMACs) or digital signatures. Integrity verification of add-on software might be necessary at installation. Digital signatures can also be used. Trusted path refers to a facility that ensures that the user is using a genuine system and not a Trojan Horse. 
  • Privileged context of execution - Provides identity authentication and certain privileges based on the identity.
  • Process memory protection and isolation - Provides separation from other users and their data.
  • Access control to resources - Ensures confidentiality and integrity of data.
These are a few techniques that help protect an endpoint from operating system vulnerabilities:
  • Least privilege concept - To better protect an endpoint, a process should never be given more privilege than is necessary to perform a job.
  • Isolation between processes - Isolation between processes can be virtual or physical. For example, memory protection can be done in hardware. Some trusted operating systems provide isolation using logical execution compartments.
  • Reference monitor - A reference monitor is an access control concept that refers to a mechanism or process that mediates all access to objects. It provides a central point for all policy decisions, typically implementing auditing functions to keep track of access. 
  • Small, verifiable pieces of code - For all security functionality, it is desirable to have small, easily verifiable pieces of code that are managed and monitored by a reference monitor. 
Layer 2 Security
Network security professionals must mitigate attacks within the Layer 2 infrastructure. These attacks include MAC address spoofing, STP manipulation, MAC address table overflows, LAN storms, and VLAN attacks.

The first step in mitigating attacks such as these is to understand the underlying threats posed by the Layer 2 infrastructure. Layer 2 can be a very weak link to the higher OSI Layers because if Layer 2 is compromised, hackers can work their way up. It is important for the network security professional to remember that Layer 2 attacks typically require internal access, either from an employee or a visitor.

From a security perspective, Layer 2 independence creates a challenge because when the layer is compromised, other layers are not aware of that fact, leaving them open to being compromised. Network security is only as strong as the weakest link, and that link is often the Data Link Layer.

To help prevent Layer 2 exploitations, an application must carefully validate user input. The input might contain improperly formatted data, control sequences, or too much data, as with buffer overflows. Remember that buffer overflow exploits try to overwrite memory used by an application.

MAC Address Spoofing Attacks
Unlike hubs, switches regulate the flow of data between ports by creating instant networks that contain only the two endpoint devices communicating with each other at that moment in time. Switches accomplish this by forwarding data out specific ports based on the MAC address. Switches maintain MAC address tables, also known as content-addressable memory (CAM) lookup tables, to track the source MAC addresses associated with each switch port. These lookup tables are populated by an address-learning process on the switch. 

MAC spoofing attacks occur when an attacker alters the MAC address of their host to match another known MAC address of a target host. The attacking host then sends a frame throughout the network with the newly configured MAC address. When the switch receives the frame, it examines the source MAC address. The switch overwrites the current MAC address table entry and assigns the MAC address to the new port. It then inadvertently forwards frames destined for the target host to the attacking host.

When the switch changes the MAC address table, the target host does not receive any traffic until it sends traffic. When the target host sends traffic, the switch receives and examines the frame, resulting in the MAC address table being rewritten once more, realigning the MAC address to the original port.


MAC Address Flood Attacks
The most common way of implementing a MAC address table overflow attack is using the macof tool. This tool floods a switch with frames containing randomly generated source and destination MAC and IP addresses. Over a short period of time, the MAC address table fills up. When the MAC address table is full of invalid source MAC addresses, the switch begins to flood all frames that it receives. As long as macof is left running, the table on the switch remains full, and the switch continues to flood all received frames out of every port.
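The following simulation, added here and not taken from the CCNA material, models the switch address-learning process described in the two sections above: it shows how a frame with a spoofed source MAC rewrites the table, how a flood of random source MACs fills it, and what a defender can observe from a MAC-move alert and a per-port MAC limit (the check that IOS port security enforces). All MAC addresses, port names, table size and timings are constructed.

```python
"""Simulation of a switch MAC address (CAM) table. Constructed example, not
Cisco code: MACs, port names, capacity and timings are all made up."""

FLOOD = "flood"   # forwarding decision when the destination MAC is unknown
DROP = "drop"     # decision when a per-port MAC limit rejects the source


class CamTable:
    def __init__(self, capacity=4, max_macs_per_port=None, move_window=5):
        self.capacity = capacity                    # entries the table can hold
        self.max_macs_per_port = max_macs_per_port  # None = no port-security limit
        self.move_window = move_window              # seconds; faster moves are flagged
        self.table = {}                             # mac -> (port, time learned)
        self.alerts = []                            # defender-visible events

    def macs_on_port(self, port):
        return [m for m, (p, _) in self.table.items() if p == port]

    def handle_frame(self, in_port, src, dst, now):
        """Learn src on in_port, then return the port dst is forwarded to."""
        if src in self.table:
            old_port, learned_at = self.table[src]
            if old_port != in_port and now - learned_at <= self.move_window:
                self.alerts.append(("mac move", src, old_port, in_port, now))
            self.table[src] = (in_port, now)        # a spoofed frame overwrites the entry
        elif (self.max_macs_per_port is not None
              and len(self.macs_on_port(in_port)) >= self.max_macs_per_port):
            self.alerts.append(("port-security violation", src, in_port, now))
            return DROP                              # too many source MACs on one port
        elif len(self.table) < self.capacity:
            self.table[src] = (in_port, now)
        else:
            self.alerts.append(("table full", src, in_port, now))   # src cannot be learned
        if dst in self.table:
            return self.table[dst][0]
        return FLOOD                                 # unknown unicast goes out every port

    def alert_counts(self):
        counts = {}
        for alert in self.alerts:
            counts[alert[0]] = counts.get(alert[0], 0) + 1
        return counts


def spoofing_scenario():
    """Victim on Fa0/1 and a server on Fa0/3; a host on Fa0/2 sends one frame with
    the victim's source MAC, diverting the server's replies until the victim
    transmits again and the table realigns, exactly as the notes describe."""
    cam = CamTable()
    victim, server = "00:11:11:11:11:11", "00:22:22:22:22:22"
    cam.handle_frame("Fa0/1", victim, server, now=0)
    cam.handle_frame("Fa0/3", server, victim, now=1)
    cam.handle_frame("Fa0/2", victim, server, now=2)              # spoofed source MAC
    diverted_to = cam.handle_frame("Fa0/3", server, victim, now=3)
    cam.handle_frame("Fa0/1", victim, server, now=4)              # victim sends again
    restored_to = cam.handle_frame("Fa0/3", server, victim, now=5)
    return diverted_to, restored_to, cam.alert_counts()


def flood_scenario(max_macs_per_port=None):
    """Frames with random source MACs from Fa0/2 fill a small table. Without a
    per-port limit the real hosts can no longer be learned and their traffic is
    flooded; with a limit of one MAC per port the bogus sources are dropped."""
    cam = CamTable(capacity=4, max_macs_per_port=max_macs_per_port)
    for i in range(6):
        cam.handle_frame("Fa0/2", f"de:ad:be:ef:00:{i:02x}", f"ca:fe:00:00:00:{i:02x}", now=i)
    cam.handle_frame("Fa0/3", "00:22:22:22:22:22", "00:11:11:11:11:11", now=10)  # server
    decision = cam.handle_frame("Fa0/1", "00:11:11:11:11:11", "00:22:22:22:22:22", now=11)
    return decision, cam.alert_counts()


if __name__ == "__main__":
    print(spoofing_scenario())              # ('Fa0/2', 'Fa0/1', {'mac move': 2})
    print(flood_scenario())                 # ('flood', {'table full': 4})
    print(flood_scenario(max_macs_per_port=1))  # ('Fa0/3', {'port-security violation': 5})
```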


STP Manipulation Attacks
Another vulnerability of Layer 2 devices is the Spanning Tree Protocol (STP). STP is a Layer 2 protocol that ensures a loop-free topology. STP operates by electing a root bridge and building a tree topology from that root. STP allows for redundancy, but at the same time, ensures that only one link is operational at a time and no loops are present.

To conduct an STP manipulation attack, the attacking host broadcasts STP configuration and topology change BPDUs to force spanning-tree recalculations. The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge. If successful, the attacking host becomes the root bridge and sees a variety of frames that otherwise are not accessible.



LAN Storm Attacks
A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol stack implementation, mistakes in network configurations, or users issuing a DoS attack can cause a storm. Broadcast storms can also occur on networks. Remember that switches always forward broadcasts out all ports. Some necessary protocols, such as ARP and DHCP, use broadcasts; therefore, switches must be able to forward broadcast traffic.

While it is not possible to prevent all types of packet storms and excessive broadcasts, it is possible to suppress them using storm control. Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within a certain time interval and compares the measurement with a predefined suppression-level threshold. Storm control then blocks traffic when the rising threshold is reached.


VLAN Attacks
There are a number of different types of VLAN attacks prevalent in modern switched networks. Rather than list all the types of attacks, it is important to understand the general methodology behind these attacks and the primary approaches to mitigate them.

In a basic VLAN hopping attack, the attacker takes advantage of the default automatic trunking configuration on most switches. The network attacker configures a system to spoof itself as a switch. This spoofing requires that the network attacker be capable of emulating either ISL or 802.1Q signaling along with Cisco-proprietary Dynamic Trunking Protocol (DTP) signaling. By tricking a switch into thinking it is another switch that needs to trunk, an attacker can gain access to all the VLANs allowed on the trunk port. This attack requires a configuration on the port that supports trunking with auto or dynamic mode to succeed. As a result, the attacker is a member of all the VLANS that are trunked on the switch and can hop, that is, send and receive traffic on all the VLANs.

A VLAN hopping attack can be launched in one of two ways:

  • Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination.
  • Introducing a rogue switch and enabling trunking. The attacker can then access all the VLANs on the victim switch from the rogue switch.


The best way to prevent a basic VLAN hopping attack is to turn off trunking on all ports, except the ones that specifically require trunking. On the required trunking ports, disable DTP (auto trunking) negotiations and manually enable trunking.

Thursday, August 21, 2014

CCNA Security Chapter 5 Notes


IDS and IPS Characteristics 
Internet worms and viruses can spread across the world in a matter of minutes. A network must instantly recognize and mitigate worm and virus threats. Firewalls can only do so much and cannot protect against malware and zero-day attacks.

Intrusion Detection System
  1. An attack is launched on a network that has a sensor deployed in promiscuous IDS mode. Copies of all packets are sent to the IDS sensor for packet analysis. However, the target machine will experience the malicious attack.
  2. The IDS sensor matches the malicious traffic to a signature and sends the switch a command to deny access to the malicious traffic.
  3. The IDS sends an alarm to a management console for logging and other management purposes.
Intrusion Prevention System
  1. An attack is launched on a network that has a sensor deployed in IPS inline mode.
  2. The IPS sensor analyzes the packets as they enter the IPS sensor interface. The IPS sensor matches the malicious traffic to a signature, and the attack is stopped immediately.
  3. The IPS sensor can send an alarm to the management console for logging and other management purposes.
  4. Traffic in violation of a signature can be dropped by the IPS sensor.
Common characteristics of IDS and IPS:
  1.  Both technologies are deployed as sensors.
  2.  Both technologies use signatures to detect patterns of misuse in network traffic.
  3.  Both can detect atomic patterns (single-packet) or composite patterns (multi-packet).
IDS Advantages and Disadvantages
  • Advantages 
    • No impact on network (latency, jitter)
    • No network impact if there is a sensor failure
    • No network impact if there is sensor overload
  • Disadvantages
    • Response action cannot stop trigger packets
    • Correct tuning required for response actions
    • More vulnerable to network security evasion techniques
IPS Advantages and Disadvantages
  • Advantages 
    • Stops trigger packets
    • Can use stream normalization techniques
  • Disadvantages
    • Sensor issues might affect network traffic
    • Sensor overloading impacts the network
    • Some impact on network (latency, jitter)
IPS Signature Characteristics
Signatures have three distinctive attributes:
  • Type
  • Trigger (alarm) 
  • Action
Signature Types
Signature types are generally categorized as atomic or composite.

Atomic

An atomic signature is the simplest type of signature. It consists of a single packet, activity, or event that is examined to determine if it matches a configured signature. If it does, an alarm is triggered, and a signature action is performed. Because these signatures can be matched on a single event, they do not require an intrusion system to maintain state information. State refers to situations in which multiple packets of information are required that are not necessarily received at the same time. For example, if there was a requirement to maintain state, it would be necessary for the IDS or IPS to track the three-way handshake of established TCP connections. With atomic signatures, the entire inspection can be accomplished in an atomic operation that does not require any knowledge of past or future activities. 

Detecting atomic signatures consumes minimal resources (such as memory) on the IPS or IDS device. These signatures are easy to identify and understand because they are compared against a specific event or packet. Traffic analysis for these atomic signatures can usually be performed very quickly and efficiently. For example, a LAND attack is an atomic signature because it sends a spoofed TCP SYN packet (connection initiation) with the IP address of the target host and an open port as both source and destination. The reason a LAND attack works is that it causes the machine to reply to itself continuously. One packet is required to identify this type of attack. An IDS is particularly vulnerable to an atomic attack because, until it finds the attack, malicious single packets are allowed into the network. However, an IPS prevents these packets from entering the network altogether.

Composite

A composite signature is also called a stateful signature. This type of signature identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time. Unlike atomic signatures, the stateful properties of composite signatures usually require several pieces of data to match an attack signature, and an IPS device must maintain state. The length of time that the signatures must maintain state is known as the event horizon. 

The length of an event horizon varies from one signature to another. An IPS cannot maintain state information indefinitely without eventually running out of resources. Therefore, an IPS uses a configured event horizon to determine how long it looks for a specific attack signature when an initial signature component is detected. Configuring the length of the event horizon is a tradeoff between consuming system resources and being able to detect an attack that occurs over an extended period of time.
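Atomic versus composite signatures as an added example (not Cisco sensor code): a LAND check that needs only one packet and no state, and a stateful TCP port-sweep signature whose per-source state is discarded once it ages past the event horizon, run twice over the same constructed packets to show the horizon tradeoff described above. Signature names, the threshold of four ports, and all addresses are assumptions.

```python
"""Atomic and composite signature matching over constructed packet records."""
from collections import defaultdict


def land_signature(pkt):
    """Atomic signature: a TCP SYN whose source and destination IP address and
    port are identical. One packet decides the match, so no state is kept."""
    return (pkt["proto"] == "tcp" and "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


class PortSweepSignature:
    """Composite (stateful) signature: SYNs from one source to `threshold`
    distinct ports on one host within `event_horizon` seconds. Components older
    than the horizon are dropped, which bounds the sensor's memory use."""

    def __init__(self, threshold, event_horizon):
        self.threshold = threshold
        self.event_horizon = event_horizon
        self.state = defaultdict(list)   # (src, dst) -> [(time, dport), ...]

    def observe(self, pkt):
        if pkt["proto"] != "tcp" or "SYN" not in pkt["flags"] or "ACK" in pkt["flags"]:
            return False
        key = (pkt["src"], pkt["dst"])
        history = self.state[key]
        history.append((pkt["time"], pkt["dport"]))
        # Expire signature components that fall outside the event horizon.
        cutoff = pkt["time"] - self.event_horizon
        history[:] = [(t, p) for t, p in history if t >= cutoff]
        if len({p for _, p in history}) >= self.threshold:
            del self.state[key]          # alarm raised; start fresh for this pair
            return True
        return False

    def tracked_pairs(self):
        return len(self.state)


def run_sensor(packets, event_horizon, threshold=4):
    """Run both signatures over a packet stream in time order and return the
    alarms raised as (time, signature_name) tuples."""
    sweep = PortSweepSignature(threshold, event_horizon)
    alarms = []
    for pkt in sorted(packets, key=lambda p: p["time"]):
        if land_signature(pkt):
            alarms.append((pkt["time"], "LAND"))
        if sweep.observe(pkt):
            alarms.append((pkt["time"], "TCP port sweep"))
    return alarms


def syn(time, src, dst, sport, dport):
    """Build a constructed TCP SYN record."""
    return {"time": time, "proto": "tcp", "src": src, "dst": dst,
            "sport": sport, "dport": dport, "flags": {"SYN"}}


# Constructed traffic: one LAND packet, a slow sweep of four ports spread over
# 45 seconds, and an ordinary web client.
SAMPLE_PACKETS = [
    syn(0, "192.0.2.10", "192.0.2.10", 139, 139),        # LAND: src == dst, same port
    syn(5, "203.0.113.7", "192.0.2.10", 40001, 21),
    syn(20, "203.0.113.7", "192.0.2.10", 40002, 22),
    syn(35, "203.0.113.7", "192.0.2.10", 40003, 23),
    syn(50, "203.0.113.7", "192.0.2.10", 40004, 25),
    syn(51, "198.51.100.4", "192.0.2.10", 50000, 80),    # ordinary web client
]

if __name__ == "__main__":
    # A 10 s horizon forgets each probe before the next arrives; 60 s catches the sweep.
    print(run_sensor(SAMPLE_PACKETS, event_horizon=10))   # [(0, 'LAND')]
    print(run_sensor(SAMPLE_PACKETS, event_horizon=60))   # [(0, 'LAND'), (50, 'TCP port sweep')]
```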

Signature Alarm
The heart of any IPS signature is the signature alarm, often referred to as the signature trigger. Consider a home security system. The triggering mechanism for a burglar alarm could be a motion detector that detects the movement of an individual entering a room protected by an alarm. 

The Cisco IDS and IPS sensors can use four types of signature triggers.
  • Pattern-based detection
  • Anomaly-based detection
  • Policy-based detection
  • Honey pot-based detection
Pattern-Based Detection

Pattern-based detection, also known as signature-based detection, is the simplest triggering mechanism because it searches for a specific, pre-defined pattern. A signature-based IDS or IPS sensor compares the network traffic to a database of known attacks and triggers an alarm or prevents communication if a match is found. 

Anomaly-Based Detection

Anomaly-based detection, also known as profile-based detection, involves first defining a profile of what is considered normal for the network or host. This normal profile can be learned by monitoring activity on the network or specific applications on the host over a period of time. It can also be based on a defined specification, such as an RFC. After defining normal activity, the signature triggers an action if excessive activity occurs beyond a specified threshold that is not included in the normal profile.

Policy-Based Detection

Policy-based detection, also known as behavior-based detection, is similar to pattern-based detection, but instead of trying to define specific patterns, the administrator defines behaviors that are suspicious based on historical analysis. 

Honey Pot-Based Detection

Honey pot-based detection uses a dummy server to attract attacks. The purpose of the honey pot approach is to distract attacks away from real network devices. By staging different types of vulnerabilities in the honey pot server, administrators can analyze incoming types of attacks and malicious traffic patterns. They can then use this analysis to tune their sensor signatures to detect new types of malicious network traffic. Honey pot systems are rarely used in production environments. Antivirus and other security vendors tend to use them for research.

Signature Action
When a signature detects the activity for which it is configured, the signature triggers one or more actions. Several actions can be performed:
  • Generate an alert.
  • Log the activity.
  • Drop or prevent the activity.
  • Reset a TCP connection.
  • Block future activity.
  • Allow the activity.

Generating an Alert

Monitoring the alerts generated by network-based and host-based IPS systems is vital to understanding the attacks being launched against the network. If an attacker causes a flood of bogus alerts, examining these alerts can overload the security analysts. Both network- and host-based IPS solutions incorporate two types of alerts to enable an administrator to efficiently monitor the operation of the network: atomic alerts and summary alerts. Understanding these types of alerts is critical to providing the most effective protection for a network. 

Logging the Activity

In some situations, an administrator does not necessarily have enough information to stop an activity. Therefore, logging the actions or packets that are seen so that they can be analyzed later in more detail is very important. By performing a detailed analysis, an administrator can identify exactly what is taking place and make a decision as to whether it should be allowed or denied in the future.

Dropping or Preventing the Activity

One of the most powerful actions that an IPS device can perform is to drop packets or prevent an activity from occurring. This action enables the device to stop an attack before it has the chance to perform malicious activity. Unlike a traditional IDS device, the IPS device actively forwards packets across two of its interfaces. The analysis engine determines which packets should be forwarded and which packets should be dropped.

Resetting a TCP Connection

The TCP Reset Signature Action is a basic action that can be used to terminate TCP connections by generating a packet for the connection with the TCP RST flag set. Many IPS devices use the TCP reset action to abruptly end a TCP connection that is performing unwanted operations. The reset TCP connection action can be used in conjunction with deny packet and deny connection actions. Deny packet and deny flow actions do not automatically cause TCP reset actions to occur.

Blocking Future Activity

Most IPS devices have the capability to block future traffic by having the IPS device update the access control lists (ACLs) on one of the infrastructure devices. The ACL stops traffic from an attacking system without requiring the IPS to consume resources analyzing the traffic. After a configured period of time, the IPS device removes the ACL. Network IPS devices usually provide this blocking functionality along with other actions such as dropping unwanted packets. One advantage of the blocking action is that a single IPS device can stop traffic at multiple locations throughout the network, regardless of the location of the IPS device. For example, an IPS device located deep within the network can apply ACLs at the perimeter router or firewall.

Allowing the Activity

The final action is the Allow Signature action. It might seem a little confusing, because most IPS devices are designed to stop or prevent unwanted traffic on a network. The allow action is necessary so that an administrator can define exceptions to configured signatures. When an IPS device is configured to disallow certain activities, sometimes there is a need to allow a few systems or users to be exceptions to the configured rule. Configuring exceptions enables administrators to take a more restrictive approach to security because they can first deny everything and then allow only the activities that are needed.

Monday, August 18, 2014

CCNA Security Chapter 4 Firewall Notes

Securing Networks with Firewalls
A firewall is a system or group of systems that enforces an access control policy between networks. It can include options such as a packet filtering router, a switch with two VLANs, and multiple hosts with firewall software.

Firewalls are different things to different people and organizations, but all firewalls share some common properties:

  • They are resistant to attacks.
  • They are the only transit point between networks (all traffic flows through the firewall).
  • They enforce the access control policy.

There are several benefits of using a firewall in a network:
  • Exposure of sensitive hosts and applications to untrusted users can be prevented. 
  • The protocol flow can be sanitized, preventing the exploitation of protocol flaws. 
  • Malicious data can be blocked from servers and clients.
  • Security policy enforcement can be made simple, scalable, and robust with a properly configured firewall. 
  • Offloading most of the network access control to a few points in the network can reduce the complexity of security management.
Firewalls also present some limitations:

  • If misconfigured, a firewall can have serious consequences (single point of failure). 
  • The data from many applications cannot be passed over firewalls securely. 
  • Users might proactively search for ways around the firewall to receive blocked material, exposing the network to potential attack. 
  • Network performance can slow down. 
  • Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.
Types of Firewalls
A firewall system can be composed of many different devices and components. One component is traffic filtering, which is what most people commonly call a firewall.
  • Packet filtering firewall - Typically is a router with the capability to filter some packet content, such as Layer 3 and sometimes Layer 4 information.
  • Stateful firewall - Monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.
  • Application gateway firewall (proxy firewall) - A firewall that filters information at Layers 3, 4, 5, and 7 of the OSI reference model. Most of the firewall control and filtering is done in software.
  • Network address translation (NAT) firewall - A firewall that expands the number of IP addresses available and hides network addressing design.
Other methods of implementing firewalls include:
  • Host-based (server and personal) firewall - A PC or server with firewall software running on it.
  • Transparent firewall - A firewall that filters IP traffic between a pair of bridged interfaces.
  • Hybrid firewall - A firewall that is a combination of the various firewall types. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall.
Packet filtering firewalls 
Packet filtering firewalls use a simple policy table lookup that permits or denies traffic based on specific criteria:
  • Source IP address
  • Destination IP address
  • Protocol
  • Source port number
  • Destination port number
  • Synchronize/start (SYN) packet receipt
Packet filters do not represent a complete firewall solution, but they are an important element.

Advantages
  • Simple permit or deny rule sets can be used to implement a packet filter.
  • Packet filters have a low impact on network performance.
  • Packet filters are easy to implement, and are supported by most routers.
  • An initial degree of security at the Network Layer can be provided by a packet filter.
  • A packet filter can perform almost all tasks of a high-end firewall at a much lower cost.
Disadvantages
  • Packet filtering is susceptible to IP spoofing. Hackers send arbitrary packets that fit ACL criteria and pass through the filter.
  • Packet filters do not filter fragmented packets well. Because fragmented IP packets carry the TCP header in the first fragment and packet filters filter on TCP header information, all fragments after the first fragment are passed unconditionally. Decisions to use packet filters assume that the filter of the first fragment accurately enforces the policy.
  • Complex ACLs are difficult to implement and maintain correctly.
  • Packet filters cannot dynamically filter certain services. For example, sessions that use dynamic port negotiations are difficult to filter without opening access to a whole range of ports.
  • Packet filters are stateless. They examine each packet individually rather than in the context of the state of a connection.
Stateful firewalls 
Stateful firewalls are the most versatile and the most common firewall technologies in use. Stateful firewalls provide stateful packet filtering using connection information maintained in a state table.

Advantages
  • Stateful firewalls are often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic.
  • By providing more stringent control over security, stateful firewalls strengthen packet filtering.
  • Stateful firewalls improve performance over packet filters or proxy servers.
  • Stateful firewalls defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source.
  • More log information is provided by a stateful firewall than a packet filtering firewall.

Disadvantages
  • Stateful firewalls cannot prevent Application Layer attacks because they do not examine the actual contents of the HTTP connection.
  • Not all protocols are stateful. For example, UDP and ICMP do not generate connection information for a state table, and therefore do not garner as much support for filtering.
  • Some applications open multiple connections requiring a whole new range of ports opened to allow this second connection.
  • Stateful firewalls do not support user authentication.
Firewalls in Network Design
In network security, there is often reference to a demilitarized zone (DMZ). A DMZ is a portion of a network bounded by a firewall or set of firewalls. The term was originally used as a military description for an area between military powers where conflict is not permitted.

Some designs are as simple as designating an outside network and inside network, determined by two interfaces on a firewall. The public network (or outside network) is untrusted and the private network (or inside network) is trusted. Typically a firewall with two interfaces is configured as follows:
  • Traffic originating from the private network is inspected as it traverses toward the public network, and is permitted with little or no restriction; inspected traffic returning from the public network, that is associated with traffic that originated from the private network, is permitted. 
  • Traffic originating from the public network, and traveling to the private network, is generally blocked entirely. 
A network security professional is responsible for creating and maintaining a security policy, including a firewall security policy. This is a partial generic list that can serve as a starting point for firewall security policy:
  • Position firewalls at critical security boundaries.
  • Firewalls are a critical part of network security, but it is unwise to rely exclusively on a firewall for security.
  • Deny all traffic by default, and permit only services that are needed.
  • Ensure that physical access to the firewall is controlled.
  • Regularly monitor firewall logs. 
  • Practice change management for firewall configuration changes.
  • Firewalls primarily protect from technical attacks originating from the outside. Inside attacks tend to be nontechnical in nature.
Reference:
1) CCNA Security Cisco Network Academy

CCNA Security Chapter 4 ACLs Notes

Access control lists (ACLs) are widely used in computer networking and in network security for mitigating network attacks and controlling network traffic.

Configuring Standard and Extended ACLs with CLI
Standard ACLs: ACLs numbered 1-99 or 1300-1999 are standard IPv4 ACLs. Standard ACLs match packets by examining the source IP address field in the IP header of that packet. These ACLs are used to filter packets based solely on Layer 3 source information.

Syntax for Standard ACLs:
Router(config)# access-list {1-99} {permit|deny} source-addr [source-wildcard]

Extended ACLs: Give greater flexibility and control over network access than standard ACLs.

Syntax for Extended ACLs:
Router(config)# access-list {100-199} {permit|deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]


It is possible to create a named ACL instead of a numbered ACL. Named ACLs must be specified as either standard or extended. 

Router(config)# ip access-list [standard | extended] name_of_ACL

Once the ACL statements are created, the administrator activates the ACL on an interface with the ip access-group command, specifying the name of the ACL.

Router(config-if)# ip access-group access-list-name {in | out}

Using Standard and Extended ACLs
Determining whether to use standard or extended ACLs is based on the overall objective of the entire ACL. 

For Example :
A scenario in which all traffic from a single subnet, 172.16.4.0, must be denied access to another subnet, but all other traffic should be permitted. 

A standard ACL can be applied outbound on interface Fa0/0:

R1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
R1(config)# access-list 1 permit any
R1(config)# interface FastEthernet 0/0
R1(config-if)# ip access-group 1 out

As compared to standard ACLs, extended ACLs allow for specific types of traffic to be denied or permitted. 

For Example :
A scenario in which FTP traffic from one subnet must be denied on another subnet. In this case, an extended ACL is required because a specific traffic type is filtered. 

R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
R1(config)# access-list 101 permit ip any any

After an ACL is created and applied, editing that ACL requires special attention. 

For example :
Attempting to delete a specific entry (ACE) from a numbered ACL by specifying the no parameter followed by the ACE results in deleting the entire ACL.

Router# configure terminal
Router(config)# no access-list 101

Topology and Flow for ACLs
Inbound ACLs (figure not reproduced here)

Outbound ACLs (figure not reproduced here)

In addition to flow, it is important to keep the placement of ACLs in mind. Placement depends on the type of ACL being used.

Standard ACL placement - Standard ACLs are placed as close to the destination as possible. Standard ACLs filter packets based on the source address only. Placing these ACLs too close to the source can adversely affect packets by denying all traffic, including valid traffic. 

Extended ACL placement - Extended ACLs are placed on routers as close as possible to the source that is being filtered. Placing Extended ACLs too far from the source is an inefficient use of network resources. For example, packets can be sent a long way only to be dropped or denied.

Configuring TCP Established and Reflexive ACLs
The syntax for the TCP established option in a numbered extended IP ACL is as follows:

Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]

The established keyword forces the router to check whether the TCP ACK or RST control flag is set. If the ACK flag is set, the TCP traffic is allowed in.

The established option does not apply to UDP or ICMP traffic because UDP and ICMP traffic does not rely on any control flags as used with TCP traffic.
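An added example, written for these notes and not taken from them or from Cisco IOS: a small Python model of how a router walks a numbered extended ACL. It shows the wildcard-mask matching, the top-down first-match rule with the implicit deny at the end, and the established check from this section (ACK or RST set). ACL_101 reproduces the FTP example above; ACL_ESTABLISHED, the packets, and the flag constants are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# TCP flag bits the established keyword looks at (assumed to model the IOS check)
TCP_ACK = 0x10
TCP_RST = 0x04


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match the base address, a 1 bit is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class ACE:
    """One access-list entry: action, protocol, source/destination with wildcards."""
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None   # 'eq <port>' after the destination
    established: bool = False        # TCP only: ACK or RST must be set


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    tcp_flags: int = 0


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wild):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    if ace.established and not (pkt.tcp_flags & (TCP_ACK | TCP_RST)):
        return False
    return True


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """Top-down, first match decides; no match falls through to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")

# access-list 101 from the notes above
ACL_101 = [
    ACE("deny", "tcp", "172.16.4.0", "0.0.0.255", "172.16.3.0", "0.0.0.255", dst_port=21),
    ACE("deny", "tcp", "172.16.4.0", "0.0.0.255", "172.16.3.0", "0.0.0.255", dst_port=20),
    ACE("permit", "ip", *ANY, *ANY),
]

# constructed: inbound list that only admits TCP replies to sessions opened from 192.168.1.0/24
ACL_ESTABLISHED = [
    ACE("permit", "tcp", *ANY, "192.168.1.0", "0.0.0.255", established=True),
]

if __name__ == "__main__":
    ftp = Packet("tcp", "172.16.4.10", "172.16.3.5", dst_port=21)
    ssh = Packet("tcp", "172.16.4.10", "172.16.3.5", dst_port=22)
    syn = Packet("tcp", "203.0.113.9", "192.168.1.20", dst_port=40000, tcp_flags=0x02)
    syn_ack = Packet("tcp", "203.0.113.9", "192.168.1.20", dst_port=40000, tcp_flags=0x12)
    for name, acl, pkt in [("101/ftp", ACL_101, ftp), ("101/ssh", ACL_101, ssh),
                           ("est/syn", ACL_ESTABLISHED, syn), ("est/syn-ack", ACL_ESTABLISHED, syn_ack)]:
        print(f"{name}: {evaluate(acl, pkt)}")
```

The SYN-only packet against ACL_ESTABLISHED is the case the established keyword exists for: a new inbound connection attempt is dropped, while a SYN-ACK replying to an internal host is let through.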

Configuring Dynamic ACLs
Dynamic ACLs are also known as lock-and-key ACLs.

One reason to use dynamic ACLs is to provide a specific remote user or group of remote users access to a host within the network. Another reason to use dynamic ACLs is when a subset of hosts on a local network needs to access a host on a remote network that is protected by a firewall. 


Dynamic ACLs offer these security benefits over standard and static Extended ACLs: 
  • Challenge mechanism to authenticate individual users
  • Simplified management in large internetworks
  • Reduced router processing for ACLs
  • Less opportunity for network break-ins by network hackers
  • Creation of dynamic user access through a firewall, without compromising other configured security restrictions

A combination of user-prompted and automated device activities occurs when a dynamic ACL is implemented and invoked.

First, a remote user must open a Telnet or SSH connection to the router. The external ACL of the router must permit this connection. The router prompts the user for a username and password, which the user must enter.

Next, the router authenticates the connection using either the local username database defined with username commands, an AAA server using RADIUS or TACACS+, or the password command on the vty lines. If the authentication is successful, the Telnet or SSH connection is terminated, because the function of the connection is for authentication only. 

After the user successfully authenticates, Cisco IOS adds a dynamic ACL entry that grants the user access to the configured internal resources. It is not possible to set up per-user access policies. Instead, the administrator defines one policy for all dynamic ACL users, and this single policy is applied to all the authenticated users.

Finally, the user can access the internal resources that would otherwise be denied without the dynamic ACL entry.


There are a few basic steps for setting up a dynamic ACL: 
  1. Create an Extended ACL
  2. Define the authentication. 
  3. Enable the dynamic authentication method.

Example :

Step 1:
R3(config)# username Student password 0 cisco

Step 2:
R3(config)# access-list 101 permit tcp any host 10.2.2.2 eq telnet
R3(config)# access-list 101 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255

Step 3:
R3(config)# interface serial 0/0/1
R3(config-if)# ip access-group 101 in

Step 4:
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# autocommand access-enable host timeout 5

Configuring Time-Based ACLs
Time-based ACLs offer the security professional more control over permitting or denying access to resources. Sometimes it is necessary to open a hole in the filter of a router to allow a specific type of traffic. This hole should not be allowed to remain indefinitely. For example, users could be allowed to access the Internet during lunch, but not during regular business hours. Timed ACLs enable the enforcement of this kind of policy.

Time-based ACLs are an extension of numbered and named Extended ACLs. The administrator creates time-based entries and uses the time-range parameter to specify the period of time that the ACL statement is valid. The period of time specified can be recurring or a specific instance that happens only once.


These are the commands for creating a time range:

Router(config)# time-range time_range_name
Router(config-time-range)# absolute [start_time start_date] [end_time end_date]
Router(config-time-range)# periodic day_of_the_week hh:mm to [day_of_the_week] hh:mm

The absolute command specifies a single time period for which the time range is valid. ACL statements that reference this time range are not used after this period.

The periodic command specifies a recurring time period for which the time range is valid. Multiple periodic commands are permitted within the same time range. Valid values for day_of_the_week are:
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
  • Sunday
  • daily (every day)
  • weekdays (Monday through Friday)
  • weekend (Saturday and Sunday)

Scenario :
A network administrator has a situation that requires time-based ACLs. Users are not allowed to access the Internet during business hours, except during lunch and after hours until 7 p.m. when the office closes. This is a time-based ACL that supports the requirement: 

R1(config)# time-range employee-time
R1(config-time-range)# periodic weekdays 12:00 to 13:00
R1(config-time-range)# periodic weekdays 17:00 to 19:00
R1(config-time-range)# exit
R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range employee-time
R1(config)# access-list 100 deny ip any any
R1(config)# interface FastEthernet 0/1
R1(config-if)# ip access-group 100 in
R1(config-if)# exit
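An added example, not from these notes or from Cisco IOS: a Python model of the periodic time-range from the scenario above. Given a date and time it decides whether the ACE that references employee-time is active, which is what separates the permit from the trailing deny in access-list 100. It also handles a periodic entry whose end day differs from the start day (a window that wraps past Sunday midnight). The start-inclusive, end-exclusive boundary is an assumption, and the test dates are constructed.

```python
from datetime import datetime
from typing import List, Tuple

DAY_INDEX = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
             "friday": 4, "saturday": 5, "sunday": 6}
DAY_GROUPS = {"daily": list(range(7)), "weekdays": list(range(5)), "weekend": [5, 6]}
MINUTES_PER_DAY = 24 * 60


def _hhmm(text: str) -> int:
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


class TimeRange:
    """The periodic entries of one IOS time-range object, as minute-of-week windows."""

    def __init__(self, name: str):
        self.name = name
        self.periods: List[Tuple[int, int]] = []

    def periodic(self, spec: str) -> "TimeRange":
        """Parse the argument of periodic day hh:mm to [day] hh:mm and add its window(s)."""
        tokens = spec.split()
        if len(tokens) not in (4, 5) or tokens[2] != "to":
            raise ValueError(f"bad periodic spec: {spec!r}")
        first, start = tokens[0].lower(), _hhmm(tokens[1])
        if len(tokens) == 5:        # explicit end day, e.g. Friday 18:00 to Monday 08:00
            start_day, end_day = DAY_INDEX[first], DAY_INDEX[tokens[3].lower()]
            self.periods.append((start_day * MINUTES_PER_DAY + start,
                                 end_day * MINUTES_PER_DAY + _hhmm(tokens[4])))
        else:                       # same-day window on one day or a day group
            end = _hhmm(tokens[3])
            for day in DAY_GROUPS.get(first) or [DAY_INDEX[first]]:
                self.periods.append((day * MINUTES_PER_DAY + start, day * MINUTES_PER_DAY + end))
        return self

    def active_at(self, when: datetime) -> bool:
        """True if the datetime falls in any window (assumption: start inclusive, end exclusive)."""
        t = when.weekday() * MINUTES_PER_DAY + when.hour * 60 + when.minute
        for start, end in self.periods:
            if start <= end:
                if start <= t < end:
                    return True
            elif t >= start or t < end:   # window wraps past Sunday 23:59 into the new week
                return True
        return False

    def active(self, year: int, month: int, day: int, hour: int, minute: int) -> bool:
        return self.active_at(datetime(year, month, day, hour, minute))


# time-range employee-time from the scenario above
EMPLOYEE_TIME = (TimeRange("employee-time")
                 .periodic("weekdays 12:00 to 13:00")
                 .periodic("weekdays 17:00 to 19:00"))


def acl_100(year: int, month: int, day: int, hour: int, minute: int) -> str:
    """permit ip 192.168.1.0 0.0.0.255 any time-range employee-time, then deny ip any any."""
    return "permit" if EMPLOYEE_TIME.active(year, month, day, hour, minute) else "deny"


if __name__ == "__main__":
    for when in [(2014, 8, 27, 10, 0), (2014, 8, 27, 12, 30), (2014, 8, 27, 18, 59), (2014, 8, 30, 12, 30)]:
        print(when, acl_100(*when))
```

Note that a time-based ACE is only as accurate as the router clock, so the time-range is usually paired with NTP on the device.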

Troubleshooting Complex ACL Implementations
To verify the ACL configuration, use the show access-lists command.

Router# show access-lists [access-list-number | access-list-name] 

The command output shows how many packets have been matched against each entry in the ACLs, enabling the user to monitor the particular packets that have been permitted or denied. 


To troubleshoot an ACL configuration, use the debug ip packet command. 

Router# debug ip packet [access-list-number] [detail]

The debug ip packet command is useful for analyzing the messages traveling between the local and remote hosts. IP packet debugging captures the packets that are process-switched, including received, generated, and forwarded packets.

The detail option displays detailed IP packet debugging information. This information includes the packet types and codes as well as source and destination port numbers.


Mitigating Attacks with ACLs
ACLs can be used to mitigate many network threats:
  • IP address spoofing, inbound and outbound
  • DoS TCP SYN attacks
  • DoS smurf attacks

ACLs can also filter the following traffic:
  • ICMP messages, inbound and outbound
  • traceroute


Hackers use several ICMP message types to attack networks. However, various management applications use ICMP messages to gather information. Network management uses ICMP messages that are automatically generated by the router.

Hackers can use ICMP echo packets to discover subnets and hosts on a protected network and to generate DoS flood attacks. Hackers can use ICMP redirect messages to alter host routing tables. Both ICMP echo and redirect messages should be blocked inbound by the router.

Several ICMP messages are recommended for proper network operation and should be allowed inbound:
  • Echo reply - Allows users to ping external hosts.
  • Source quench - Requests the sender to decrease the traffic rate of messages.
  • Unreachable - Unreachable messages are generated for packets that are administratively denied by an ACL.


Several ICMP messages are required for proper network operation and should be allowed outbound:

  • Echo - Allows users to ping external hosts.
  • Parameter problem - Informs the host of packet header problems.
  • Packet too big - Required for packet maximum transmission unit (MTU) discovery.
  • Source quench - Throttles down traffic when necessary.


As a rule, block all other ICMP message types outbound. 

ACLs are used to block IP address spoofing, selectively permit specific services through a firewall, and to allow only required ICMP messages. 


Management protocols such as SNMP, while useful for remote monitoring and management of networked devices, can be exploited. If SNMP is necessary, exploitation of SNMP vulnerabilities can be mitigated by applying interface ACLs to filter SNMP packets from non-authorized systems. The ACL can then permit known source addresses that are destined for the IOS device itself, such as those devices within a management network. It should be noted that an exploit may still be possible if the SNMP packet is sourced from an address that has been spoofed and is permitted by the ACL. 

While these security measures are helpful, the most effective means of exploitation prevention is to disable the SNMP server on IOS devices that do not require it. To disable SNMP processing on the Cisco IOS devices, issue the command:

Router(config)# no snmp-server

IPv6 ACLs
Many networks have begun the transition to an IPv6 environment. Part of the need for the transition to IPv6 is because of the weaknesses inherent in IPv4. IPv4 was designed without a number of modern-day network requirements such as:
  • Security - IPsec
  • Device roaming - Mobile IP
  • Quality of service - RSVP
  • Address scarcity - DHCP, NAT, CIDR, VLSM

The standard ACL functionality in IPv6 is similar to standard ACLs in IPv4. These ACLs determine what traffic is blocked and what traffic is forwarded at router interfaces. They allow filtering based on source and destination addresses, inbound and outbound to a specific interface. IPv6 ACLs are defined using the ipv6 access-list command with the deny and permit keywords in global configuration mode. 

Router(config)# ipv6 access-list access-list-name

Configure each access list entry to specifically permit or deny traffic. 

Router(config-ipv6-acl)# {permit | deny} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]]

After the ACL statements are created, the administrator activates the ACL on an interface with the ipv6 traffic-filter command, specifying the name of the ACL and the direction of traffic to which the ACL applies. 

Router(config-if)# ipv6 traffic-filter access-list-name {in | out}

Using Object Groups in ACEs
In large networks, ACLs can be large (hundreds of lines) and difficult to configure and manage, especially if the ACLs frequently change. 

Object group-based ACLs are smaller, more readable, and easier to configure and manage than conventional ACLs. 

The following guidelines and limitations apply to object groups:

  • Object groups must have unique names.
  • Additional objects can be appended to existing object groups.
  • Objects such as hosts, services, and protocols can be grouped.
  • You cannot delete an object group or make an object group empty if it is being used in an ACE.

Network and Service Object Group

A network object group is a group of any of the following objects: 
  • Hostnames, IP addresses, or subnets
  • Ranges of IP addresses
  • Existing network object groups
To create a network group, enter the following commands:

Router(config)# object-group network nw_grp_id
Router(config-network-group)# description description-text | host {host-address | host-name} | network-address {/prefix-length | network-mask} | range host-address1 host-address2 | any | group-object nested-object-group-name

A service object group is a group of any of the following objects: 
  • Top-level protocols (such as TCP, UDP, or ESP)
  • Source and destination protocol ports (such as Telnet or SNMP)
  • ICMP types (such as echo, echo-reply, or host-unreachable)
  • Existing service object groups

To create a service group, enter the following commands:

Router(config)# object-group service svc_grp_id 
Router(config-service-group)# protocol | [tcp | udp | tcp-udp [source {{[eq]| lt | gt} port1 | range port1 port2}] [{[eq]| lt | gt} port1 | range port1 port2]] | icmp icmp-type
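An added example, not from these notes or from Cisco IOS: a Python model of network and service object groups. It resolves membership through nested group-object entries and expands a single object-group ACE into the plain ACEs a conventional ACL would need, which is the size and readability difference the section describes. The group names, addresses, and the expand_ace helper are constructed for the example (IOS itself keeps the object-group ACE as one line).

```python
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Tuple


class NetworkGroup:
    """Models object-group network with host, network, range and group-object members."""

    def __init__(self, name: str):
        self.name = name
        self._hosts: List[str] = []
        self._networks: List[str] = []
        self._ranges: List[Tuple[str, str]] = []
        self._nested: List["NetworkGroup"] = []

    def host(self, addr: str) -> "NetworkGroup":
        self._hosts.append(addr)
        return self

    def network(self, cidr: str) -> "NetworkGroup":
        self._networks.append(cidr)
        return self

    def addr_range(self, first: str, last: str) -> "NetworkGroup":
        self._ranges.append((first, last))
        return self

    def group_object(self, other: "NetworkGroup") -> "NetworkGroup":
        self._nested.append(other)
        return self

    def contains(self, addr: str) -> bool:
        """Membership test, following nested groups."""
        a = ip_address(addr)
        if any(a == ip_address(h) for h in self._hosts):
            return True
        if any(a in ip_network(n) for n in self._networks):
            return True
        if any(ip_address(lo) <= a <= ip_address(hi) for lo, hi in self._ranges):
            return True
        return any(g.contains(addr) for g in self._nested)

    def ace_tokens(self) -> List[str]:
        """Flatten to the address tokens a conventional ACE would use."""
        out = [f"host {h}" for h in self._hosts]
        out += [f"{ip_network(n).network_address} {ip_network(n).hostmask}" for n in self._networks]
        for lo, hi in self._ranges:   # a plain ACE has no range form: one host entry per address
            out += [f"host {IPv4Address(i)}" for i in range(int(ip_address(lo)), int(ip_address(hi)) + 1)]
        for g in self._nested:
            out += g.ace_tokens()
        return out


class ServiceGroup:
    """Models object-group service with tcp/udp eq-port members."""

    def __init__(self, name: str):
        self.name = name
        self.members: List[Tuple[str, int]] = []

    def tcp(self, port: int) -> "ServiceGroup":
        self.members.append(("tcp", port))
        return self

    def udp(self, port: int) -> "ServiceGroup":
        self.members.append(("udp", port))
        return self


def expand_ace(action: str, svc: ServiceGroup, src: NetworkGroup, dst: NetworkGroup) -> List[str]:
    """One object-group ACE becomes one plain ACE per (service, source, destination) triple."""
    return [f"{action} {proto} {s} {d} eq {port}"
            for proto, port in svc.members
            for s in src.ace_tokens()
            for d in dst.ace_tokens()]


# constructed groups
MGMT_HOSTS = NetworkGroup("MGMT-HOSTS").host("10.0.0.10").host("10.0.0.11")
MGMT = (NetworkGroup("MGMT").network("10.0.1.0/24")
        .addr_range("10.0.2.1", "10.0.2.3").group_object(MGMT_HOSTS))
ROUTERS = NetworkGroup("ROUTERS").host("192.168.1.1").host("192.168.2.1")
ADMIN_SVC = ServiceGroup("ADMIN-SVC").tcp(22).udp(161)

if __name__ == "__main__":
    lines = expand_ace("permit", ADMIN_SVC, MGMT, ROUTERS)
    print(f"1 object-group ACE == {len(lines)} conventional ACEs")
    print("\n".join(lines))
```

Adding one more management host to MGMT-HOSTS changes the object group in one place but would add four more lines to the flat ACL, which is why the notes call object-group ACLs easier to manage when they change often.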

Reference :
1) CCNA Security Cisco Network Academy

CCNA Security Chapter 3 Notes

CCNA Security Chapter 3

AAA Overview
AAA security in a Cisco environment has several functional components:
  • Authentication : Users and administrators must prove that they are who they say they are.
  • Authorization : After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform.
  • Accounting and auditing : Accounting keeps track of how network resources are used.
AAA Authentication
AAA can be used to authenticate users for administrative access or for remote network access. The two access methods use different modes to request AAA services:
  • Character mode : A user sends a request to establish an EXEC mode process with the router for administrative purposes.
  • Packet mode : A user sends a request to establish a connection through the router with a device on the network.

Local AAA Authentication
Uses a local database for authentication. Usernames and passwords are stored locally in the Cisco router. This is ideal for small networks.

  1. The client establishes a connection with the router.
  2. The AAA router prompts the user for a username and password.
  3. The router authenticates the username and password using the local database.
Server-Based AAA Authentication
Uses an external database server that leverages the RADIUS or TACACS+ protocols. If there are multiple routers, server-based AAA is more appropriate.
  1. The client establishes a connection with the router.
  2. The AAA router prompts the user for a username and password.
  3. The router authenticates the username and password using a remote AAA server.
  4. The user is authorized to access the network based on information on the server.
AAA Authorization
After a user is successfully authenticated against the selected AAA data source, the user is then authorized for specific network resources.
  1. When a user has been authenticated, a session is established with the AAA server.
  2. The router requests authorization for the requested service from the AAA server.
  3. The AAA server returns a PASS/FAIL for authorization.
AAA Accounting
Accounting collects and reports usage data so that it can be employed for purposes such as auditing or billing. The collected data might include the start and stop connection times, executed commands, number of packets, and number of bytes.


  1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process.
  2. When the user finishes, a stop message is recorded and the accounting process ends.
Configuring Local AAA Authentication with CLI
  1. Add a username and password to the local router database for user administrative access to the router.
  2. Enable AAA globally.
  3. Configure AAA parameters on the router.
  4. Confirm and troubleshoot the AAA configuration.

Server-Based AAA Communication Protocols

Reference :
1) CCNA Security Cisco Network Academy


Sunday, August 17, 2014

CCNA Security Chapter 2 Notes

CCNA Security Chapter 2

Securing the Edge Router

Single Router Approach
A single router connects the protected network, or internal LAN, to the Internet. All security policies are configured on this device. This is more commonly deployed in smaller site implementations. In smaller networks, the required security features can be supported by ISRs without impeding the router's performance capabilities.


Defense-in-Depth Approach
This approach is more secure than the single router approach. The router acts as the first line of defense and is known as a screening router. It passes all connections that are intended for the internal LAN to the firewall.

The second line of defense is the firewall. The firewall typically picks up where the router leaves off and performs additional filtering.


DMZ Approach
A variation of the defense-in-depth approach is to offer an intermediate area, often called a demilitarized zone (DMZ). The DMZ can be used for servers that must be accessible from the Internet or some other external network. In the DMZ approach, the router provides some protection by filtering some traffic, but leaves the bulk of the protection to the firewall.


Three areas of router security must be maintained:
Physical Security:
  • Place the router and the physical devices that connect to it in a secure locked room that is accessible only to authorized personnel.
  • Install an uninterruptible power supply (UPS) and keep spare components available. This reduces the possibility of a DoS attack from power loss to the building.
Router Hardening: Eliminate potential abuse of unused ports and services.
  • Secure administrative control. Ensure that only authorized personnel have access and that their level of access is controlled.
  • Disable unused ports and interfaces. Reduce the number of ways a device can be accessed.
  • Disable unnecessary services.
Operating System Security: Secure the features and performance of the router operating system.
  • Configure the router with the maximum amount of memory possible. The availability of memory can help protect the network from some DoS attacks, while supporting the widest range of security services.
  • Use the latest stable version of the operating system that meets the feature requirements of the network.
  • Keep a secure copy of the router operating system image and router configuration files as a backup.
Tasks involved in securing administrative access to an infrastructure device:
  1. Restrict device accessibility : Limit the accessible ports, restrict the permitted communications, and restrict the permitted methods of access.
  2. Log and account for all access : Record anyone who accesses a device, including what occurs and when.
  3. Authenticate access : Ensure that access is granted only to authenticated users, groups, and services. Limit the number of failed login attempts and the time between logins.
  4. Authorize actions : Restrict the actions and views permitted by any particular user, group, or service.
  5. Present legal notifications : Display a legal notice, developed in conjunction with company legal counsel, for interactive sessions.
  6. Ensure the confidentiality of data : Protect locally stored sensitive data from viewing and copying.
Two ways to access a device for administrative purposes:

Local Access : Local access to a router usually requires a direct connection to a console port on the Cisco router using a computer that is running terminal emulation software.

Remote Access : Some network devices can be accessed remotely. Remote access typically involves allowing Telnet, Secure Shell (SSH), HTTP, HTTPS, or Simple Network Management Protocol (SNMP) connections to the router from a computer. For security reasons, it is preferable to allow only local access to the router. However, remote access might still be necessary. When accessing the network remotely, a few precautions should be taken:

  • Encrypt all traffic between the administrator computer and the router.
  • Establish a dedicated management network.
  • Configure packet filters to allow only identified administration hosts and preferred protocols to access the router.
Configure Secure Administrative Access
Attackers deploy various methods of discovering administrative passwords, such as using L0phtCrack and Cain & Abel to attempt brute-force attacks and guess passwords.

Guidelines designed to make passwords less easily discovered:
  • Use a password length of 10 or more characters.
  • Make passwords complex. Include a mix of upper- and lower-case letters, numbers, symbols, and spaces.
  • Avoid passwords based on repetition or other easily identifiable information.
  • Deliberately misspell passwords.
  • Change passwords often.
  • Do not write passwords down and leave them in obvious places.
Configure Router Password

Enable Secret Password
The enable secret password is a global configuration command that restricts access to privileged EXEC mode. The password is hashed with MD5. If the password is lost or forgotten, use the Cisco password recovery procedure.

Console Line
By default, the console port does not require a password. However, a console port line-level password should always be configured. Use the line console 0 command followed by the login and password commands on the console line.


Virtual Terminal Lines
By default, Cisco routers support five simultaneous virtual terminal (vty) sessions (Telnet or SSH). On the router, the vty ports are numbered from 0 through 4. Use the line vty 0 4 command followed by the login and password commands.


Auxiliary Line
By default, Cisco router auxiliary ports do not require a password for remote administrative access. Administrators sometimes use this port to remotely configure and monitor the router using a dialup modem connection.

Enhance Security for Virtual Logins
The Cisco IOS login enhancements feature provides more security for Cisco IOS devices when creating a virtual connection, such as Telnet, SSH, or HTTP, by slowing down dictionary attacks and stopping DoS attacks. To better configure security for virtual login connections, the login process should be configured with specific parameters:
  • Implement delays between successive login attempts.
  • Enable login shutdown if DoS attacks are suspected.
  • Generate system-logging messages for login detection.

Command: login block-for seconds attempts tries within seconds
All login enhancement features are disabled by default. Use the login block-for command to enable login enhancements. The login block-for feature monitors login device activity and operates in two modes:
  • Normal mode (watch mode) - The router keeps count of the number of failed login attempts within an identified amount of time.
  • Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied.

For example, logins are disabled for 120 seconds if more than 5 failed login attempts occur within 60 seconds.
  • This command must be issued before any other login command can be used.
  • This command can help provide DoS detection and prevention.



Command : login quiet-mode access-class {acl-name | acl-number}
When quiet mode is enabled, all login attempts, including valid administrative access, are not permitted. However, to provide critical hosts access at all times, this behavior can be overridden using an ACL.

The example shows a configuration that invokes an ACL named PERMIT-ADMIN. Hosts that match PERMIT-ADMIN are exempt from quiet mode.
  • This command specifies an ACL that is applied to the router when it switches to quiet mode and identifies hosts that are exempt from the quiet-mode failure time.
  • If not configured, all login requests will be denied during quiet mode.
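An added example, written for these notes and not taken from them or from Cisco IOS: a Python state machine that mirrors the watch mode and quiet mode behaviour described for login block-for and the exemption that login quiet-mode access-class provides. It keeps a sliding window of failed attempts, enters a quiet period when the configured count is reached, refuses every login during that period except from exempt hosts, and records what the on-failure and on-success logging would show. The scenario values (120 attempts 5 within 60, PERMIT-ADMIN matching 10.0.0.10), the timestamps and the source addresses are constructed; treating the threshold as "count reaches attempts" is an assumption.

```python
from collections import deque
from typing import Deque, List, Set, Tuple


class LoginGuard:
    """Tracks failed logins in a sliding window and enforces a quiet period."""

    def __init__(self, block_for: int, attempts: int, within: int, exempt_hosts: Set[str]):
        self.block_for = block_for          # quiet period length in seconds
        self.attempts = attempts            # failed attempts that trigger quiet mode
        self.within = within                # window in seconds for counting failures
        self.exempt = set(exempt_hosts)     # hosts matched by the quiet-mode access-class ACL
        self.failures: Deque[float] = deque()
        self.quiet_until = 0.0
        self.log: List[str] = []            # what login on-failure / on-success logging would emit

    def in_quiet_mode(self, now: float) -> bool:
        return now < self.quiet_until

    def attempt(self, now: float, host: str, ok: bool) -> str:
        """Returns 'allowed', 'failed', or 'quiet' (refused because of the quiet period)."""
        if self.in_quiet_mode(now) and host not in self.exempt:
            self.log.append(f"{now:.0f}s quiet mode: refused login from {host}")
            return "quiet"
        if ok:
            self.log.append(f"{now:.0f}s login success from {host}")
            return "allowed"
        # watch mode: keep only failures that are still inside the 'within' window
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        self.failures.append(now)
        self.log.append(f"{now:.0f}s login failed from {host} ({len(self.failures)}/{self.attempts})")
        # assumption: quiet mode starts when the count reaches 'attempts'
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.log.append(f"{now:.0f}s quiet mode entered for {self.block_for}s")
        return "failed"


def simulate() -> Tuple[LoginGuard, List[str]]:
    """Constructed scenario: login block-for 120 attempts 5 within 60, PERMIT-ADMIN = 10.0.0.10."""
    guard = LoginGuard(block_for=120, attempts=5, within=60, exempt_hosts={"10.0.0.10"})
    results = []
    for t in range(0, 50, 10):                                  # 5 failures in 40 seconds
        results.append(guard.attempt(t, "203.0.113.7", ok=False))
    results.append(guard.attempt(55, "203.0.113.7", ok=True))   # right password, but quiet mode
    results.append(guard.attempt(60, "10.0.0.10", ok=True))     # exempt admin host still gets in
    results.append(guard.attempt(175, "203.0.113.7", ok=True))  # quiet period (until 160 s) is over
    return guard, results


if __name__ == "__main__":
    guard, results = simulate()
    print(results)
    print("\n".join(guard.log))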

Command : login delay seconds
This delay time can be changed using the login delay command. The login delay command introduces a uniform delay between successive login attempts. The delay occurs for all login attempts, including failed or successful attempts. 

  • Helps mitigate dictionary attacks
  • This is an optional command. If not set, a default delay of one second is enforced after the login block-for command is configured.
Command : log commands

  1. login on-failure log [every login]
  2. login on-success log [every login]


Configuring SSH

  1. Configure the IP domain name : If the router has a unique host name, configure the IP domain name of the network using the ip domain-name domain-name command in global configuration mode.
  2. Generate one-way secret keys : To create the RSA key, use the crypto key generate rsa general-keys modulus modulus-size command in global configuration mode.
  3. Verify or create a local database entry : Ensure that there is a valid local database username entry. If not, create one using the username name secret secret command.
  4. Enable VTY inbound SSH sessions : Enable vty inbound SSH sessions using the line vty commands login local and transport input ssh.

SSH timeouts and authentication retries
Router(config)# ip ssh time-out seconds
Router(config)# ip ssh authentication-retries tries

Version
Router(config)# ip ssh version version
The version is 1 or 2.

Configuring Privilege Levels

16 Privilege Levels
  • Level 0: Predefined for user-level access privileges. Seldom used, but includes five commands: disable, enable, exit, help, and logout.
  • Level 1: The default level for login with the router prompt Router>. A user cannot make any changes or view the running configuration file.
  • Levels 2 - 14: May be customized for user-level privileges.
  • Level 15: Users can change configurations and view configuration files.

Configuring Role-Based CLI Access
Role-based CLI provides three type of views:

Root View : To configure any view for the system, the administrator must be in root view. Root view has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user. Only a root view user can configure a new view and add or remove commands from the existing views. 

CLI View : A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and, therefore, no higher or lower views. Each view must be assigned all commands associated with that view, and a view does not inherit commands from any other views. Additionally, the same commands can be used in multiple views. 

Superview : A superview consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible. Superviews allow a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated to that one CLI view. 

Superview characteristics : 

  • A single CLI view can be shared within multiple superviews.
  • Commands cannot be configured for a superview. An administrator must add commands to the CLI view and add that CLI view to the superview.
  • A user who logs into a superview can access all the commands configured in its CLI views.
  • Each superview has a password that is used to switch between superviews or from a CLI view to a superview.


Create and manage a specific view :

  1. Exit and enter the root view with the enable view command.
  2. Create a view using the parser view command.
  3. Assign a secret password to the view using the secret command.
  4. Assign commands to the view using the commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] command in view configuration mode.

Create and manage a superview :
  1. Create a view using the parser view view-name superview command and enter superview configuration mode.
  2. Assign a secret password to the view.
  3. Assign an existing view using the view view_name command.
  4. Exit the superview.

Restore a primary bootset

  1. Reload the router using the reload command.
  2. The device name can be found in the output from show secure bootset.
  3. Use the boot command with the file name found in Step 2.
  4. Go to global configuration mode with conf t.
  5. Restore the secure configuration files using the secure boot-config restore filename command.
Using Syslog for Network Security
Configure the router to send log messages to:
  • Console : Console logging is the default. Messages logged to the console can be viewed when modifying or testing the router using terminal emulation.
  • Terminal lines : Enabled EXEC sessions can be configured to receive log messages on any terminal lines.
  • Buffered logging : Is a little more useful as a security tool because log messages are stored in router memory for a time. However, the events are cleared when the router reboots.
  • SNMP traps : Can be preconfigured on routers. SNMP traps are a viable security logging facility but require the configuration and maintenance of an SNMP system.
  • Syslog : Cisco routers can be configured to forward log messages to an external syslog service. Syslog is the most popular message logging facility, because it provides long-term log storage capabilities and a central location for all router messages.
Cisco router log messages contain three main parts:
  1. Timestamp
  2. Log message name and severity level
  3. Message text
Severity Levels

Syslog implementations contain two types of systems:
  • Syslog servers : Known as log hosts, these systems accept and process log messages from syslog clients.
  • Syslog clients : Routers or other types of devices that generate and forward log messages to syslog servers.
Configure system logging :
  1. Set the destination host using the logging host command.
  2. (Optional) Set the log severity level using the logging trap level command.
  3. Set the source interface using the logging source-interface command.
  4. Enable logging.
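An added example, not from these notes or from Cisco IOS: a Python parser for the three-part router log message described above (timestamp, facility-severity-mnemonic, message text) plus a filter that behaves like logging trap level, keeping only messages at the configured severity or more severe. The severity keywords are the IOS level names; the sample log lines, their timestamps and addresses are constructed to look like router output, and the last line is deliberately not a log message so the parser's failure path is exercised.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

# IOS severity levels (level number -> keyword accepted by logging trap)
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
NAME_TO_LEVEL = {name: level for level, name in SEVERITY_NAMES.items()}

# optional */. marker, timestamp, then %FACILITY-SEVERITY-MNEMONIC:, then the message text
IOS_SYSLOG = re.compile(
    r"^[*.]?(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:\s+[A-Z]+)?):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<text>.*)$"
)


@dataclass
class SyslogMessage:
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> Optional[SyslogMessage]:
    """Split one router log line into its parts; None if it is not a syslog message."""
    m = IOS_SYSLOG.match(line.strip())
    if not m:
        return None
    return SyslogMessage(m["timestamp"], m["facility"], int(m["severity"]), m["mnemonic"], m["text"])


def parse_log(lines: Iterable[str]) -> List[SyslogMessage]:
    """Parse a block of output, silently skipping lines that are not messages."""
    return [msg for msg in (parse_line(line) for line in lines) if msg is not None]


def trap_filter(messages: Iterable[SyslogMessage], level: Union[int, str]) -> List[SyslogMessage]:
    """Mirror logging trap <level>: keep messages at this severity or more severe (lower number)."""
    threshold = NAME_TO_LEVEL[level] if isinstance(level, str) else level
    return [m for m in messages if m.severity <= threshold]


# constructed sample lines in the IOS format (timestamps and addresses are made up)
SAMPLE_LOG = [
    "*Aug 27 10:15:02.113: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.10)",
    "*Aug 27 10:15:40.301: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]",
    "*Aug 27 10:16:10.502: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down",
    "*Aug 27 10:16:12.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.4.10(40012) -> 172.16.3.5(21), 1 packet",
    "Router# show logging",   # not a message: dropped by parse_log
]

if __name__ == "__main__":
    for msg in trap_filter(parse_log(SAMPLE_LOG), "warnings"):
        print(f"{msg.timestamp} [{msg.severity_name}] {msg.facility}-{msg.mnemonic}: {msg.text}")
```

Running it with "warnings" keeps the failed login and the link change but drops the config and ACL-log notices, which is the trade-off the optional logging trap step makes: less volume on the syslog server at the cost of the informational events a later investigation might want.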


Reference :
1) CCNA Security Cisco Network Academy