My Calendar

Monday, August 18, 2014

CCNA Security Chapter 4 ACLs Notes

CCNA Security Chapter 4-ACLs

Access control lists (ACLs) are widely used in computer networking and in network security for mitigating network attacks and controlling network traffic.




Configuring Standard and Extended ACLs with CLI
Standard ACLs: ACLs numbered 1-99 or 1300-1999 are standard IPv4 ACLs. Standard ACLs match packets by examining the source IP address field in the IP header of that packet. These ACLs are used to filter packets based solely on Layer 3 source information.

Syntax for Standard ACLs:
Router(config)# access-list {1-99} {permit|deny} source-addr [source-wildcard]

Extended ACLs: Give greater flexibility and control over network access than standard ACLs.

Syntax for Extended ACLs:
Router(config)# access-list {100-199} {permit|deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]


It is possible to create a named ACL instead of a numbered ACL. Named ACLs must be specified as either standard or extended. 

Router(config)# ip access-list [standard | extended] name_of_ACL

Once the ACL statements are created, the administrator activates the ACL on an interface with the ip access-group command, specifying the name of the ACL.

Router(config-if)# ip access-group access-list-name {in | out}

Using Standard and Extended ACLs
Determining whether to use standard or extended ACLs is based on the overall objective of the entire ACL. 

For Example :
A scenario in which all traffic from a single subnet, 172.16.4.0, must be denied access to another subnet, but all other traffic should be permitted. 



A standard ACL can be applied outbound on interface Fa0/0:

R1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
R1(config)# access-list 1 permit any
R1(config)# interface FastEthernet 0/0
R1(config-if)# ip access-group 1 out

As compared to standard ACLs, extended ACLs allow for specific types of traffic to be denied or permitted. 

For Example :
A scenario in which FTP traffic from one subnet must be denied on another subnet. In this case, an extended ACL is required because a specific traffic type is filtered. 

R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
R1(config)# access-list 101 permit ip any any

After an ACL is created and applied, editing that ACL requires special attention. 

For example :
Attempting to delete a specific entry (ACE) from a numbered ACL by specifying the no parameter followed by the ACE results in deleting the entire ACL.

Router# configure terminal
Router(config)# no access-list 101

Topology and Flow for ACLs
Inbound ACLs


Outbound ACLs



In addition to flow, it is important to keep the placement of ACLs in mind. Placement depends on the type of ACL being used.

Standard ACL placement - Standard ACLs are placed as close to the destination as possible. Standard ACLs filter packets based on the source address only. Placing these ACLs too close to the source can adversely affect packets by denying all traffic, including valid traffic. 

Extended ACL placement - Extended ACLs are placed on routers as close as possible to the source that is being filtered. Placing Extended ACLs too far from the source is an inefficient use of network resources. For example, packets can be sent a long way only to be dropped or denied.

Configuring TCP Established and Reflexive ACLs
The syntax for the TCP established option in a numbered extended IP ACL is as follows:

Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]

The established keyword forces the router to check whether the TCP ACK or RST control flag is set. If the ACK flag is set, the TCP traffic is allowed in. 



The established option does not apply to UDP or ICMP traffic because UDP and ICMP traffic does not rely on any control flags as used with TCP traffic.
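As an added worked example (not from these notes or from Cisco), the following Python evaluates packets against ACL 1 and ACL 101 from the sections above with the same first-match, wildcard-mask and implicit-deny rules a router applies, and adds a constructed inbound ACL 102 to show what the established keyword changes. The Packet type, the parser helpers, the ACL_* lists and ACL 102 itself are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

# Port names IOS accepts in place of numbers (subset sufficient for the examples above).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "www": 80, "https": 443}
ANY = (0, 0xFFFFFFFF)          # 0.0.0.0 with wildcard 255.255.255.255
NOPORT: Callable[[int], bool] = lambda p: True

@dataclass
class Packet:                  # constructed packet model, not a real capture format
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: Set[str] = field(default_factory=set)   # TCP control flags, e.g. {"ACK"}

@dataclass
class ACE:
    action: str
    proto: str                 # "ip" matches every protocol
    src: Tuple[int, int]       # (address, wildcard mask) as 32-bit integers
    sport: Callable[[int], bool]
    dst: Tuple[int, int]
    dport: Callable[[int], bool]
    established: bool
    matches: int = 0           # hit counter, like the show access-lists output

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _take_addr(toks: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A' or 'A [W]'; an omitted wildcard means a single host."""
    t = toks.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return _ip(toks.pop(0)), 0
    wc = _ip(toks.pop(0)) if toks and toks[0][0].isdigit() else 0
    return _ip(t), wc

def _take_port(toks: List[str]) -> Callable[[int], bool]:
    """Consume an optional 'eq|neq|gt|lt PORT' or 'range P1 P2' and return a predicate."""
    if not toks or toks[0] not in ("eq", "neq", "gt", "lt", "range"):
        return NOPORT
    op = toks.pop(0)
    port = lambda tok: PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)
    if op == "range":
        lo, hi = port(toks.pop(0)), port(toks.pop(0))
        return lambda p: lo <= p <= hi
    n = port(toks.pop(0))
    return {"eq": lambda p: p == n, "neq": lambda p: p != n,
            "gt": lambda p: p > n, "lt": lambda p: p < n}[op]

def parse_ace(line: str) -> ACE:
    """Parse one 'access-list N permit|deny ...' line in the numbered syntax shown above."""
    toks = line.split()
    num, action, rest = int(toks[1]), toks[2], toks[3:]
    if 1 <= num <= 99 or 1300 <= num <= 1999:      # standard ACL: source address only
        return ACE(action, "ip", _take_addr(rest), NOPORT, ANY, NOPORT, False)
    proto = rest.pop(0)
    src, sport = _take_addr(rest), _take_port(rest)
    dst, dport = _take_addr(rest), _take_port(rest)
    return ACE(action, proto, src, sport, dst, dport, bool(rest) and rest[0] == "established")

def _addr_match(pkt_ip: int, rule: Tuple[int, int]) -> bool:
    addr, wc = rule
    care = ~wc & 0xFFFFFFFF    # wildcard bit 0 = must match, bit 1 = don't care
    return (pkt_ip & care) == (addr & care)

def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; no match falls through to the implicit deny (index None)."""
    for i, ace in enumerate(acl):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(_ip(pkt.src), ace.src) and _addr_match(_ip(pkt.dst), ace.dst)):
            continue
        if not (ace.sport(pkt.sport) and ace.dport(pkt.dport)):
            continue
        if ace.established and not (pkt.flags & {"ACK", "RST"}):
            continue           # established: only segments of an already open TCP session
        ace.matches += 1
        return ace.action, i
    return "deny", None

def decide(lines: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    return evaluate([parse_ace(l) for l in lines], pkt)

# ACL 1 and ACL 101 from the notes, plus a constructed inbound ACL 102 built on 'established'.
ACL_1 = ["access-list 1 deny 172.16.4.0 0.0.0.255", "access-list 1 permit any"]
ACL_101 = [
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "access-list 101 permit ip any any",
]
ACL_102 = ["access-list 102 permit tcp any 192.168.1.0 0.0.0.255 established",
           "access-list 102 permit tcp any host 192.168.1.10 eq www"]
```

With ACL 102 an inbound SYN to 192.168.1.20 hits the implicit deny, while the ACK segments of a session the inside host opened are permitted by the first line.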

Configuring Dynamic ACLs
Dynamic ACLs are also known as lock-and-key ACLs.

One reason to use dynamic ACLs is to provide a specific remote user or group of remote users access to a host within the network. Another reason to use dynamic ACLs is when a subset of hosts on a local network needs to access a host on a remote network that is protected by a firewall. 


Dynamic ACLs offer these security benefits over standard and static Extended ACLs: 
  • Challenge mechanism to authenticate individual users
  • Simplified management in large internetworks
  • Reduced router processing for ACLs
  • Less opportunity for network break-ins by network hackers
  • Creation of dynamic user access through a firewall, without compromising other configured security restrictions

A combination of user-prompted and automated device activities occur when a dynamic ACL is implemented and invoked.

First, a remote user must open a Telnet or SSH connection to the router. The external ACL of the router must permit this connection. The router prompts the user for a username and password, which the user must enter.

Next, the router authenticates the connection using either the local username database defined with username commands, an AAA server using RADIUS or TACACS+, or the password command on the vty lines. If the authentication is successful, the Telnet or SSH connection is terminated, because the function of the connection is for authentication only. 

After the user successfully authenticates, Cisco IOS adds a dynamic ACL entry that grants the user access to the configured internal resources. It is not possible to set up per-user access policies. Instead, the administrator defines one policy for all dynamic ACL users, and this single policy is applied to all the authenticated users.

Finally, the user can access the internal resources that would otherwise be denied without the dynamic ACL entry.


There are a few basic steps for setting up a dynamic ACL: 
  1. Create an Extended ACL
  2. Define the authentication. 
  3. Enable the dynamic authentication method.

Example :



Step 1:
R3(config)# username Student password 0 cisco

Step 2:
R3(config)# access-list 101 permit tcp any host 10.2.2.2 eq telnet
R3(config)# access-list 101 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255

Step 3:
R3(config)# interface serial 0/0/1
R3(config-if)# ip access-group 101 in

Step 4:
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# autocommand access-enable host timeout 5

Configuring Time-Based ACLs
Time-based ACLs offer the security professional more control over permitting or denying access to resources. Sometimes it is necessary to open a hole in the filter of a router to allow a specific type of traffic. This hole should not be allowed to remain indefinitely. For example, users could be allowed to access the Internet during lunch, but not during regular business hours. Timed ACLs enable the enforcement of this kind of policy.

Time-based ACLs are an extension of numbered and named Extended ACLs. The administrator creates time-based entries and uses the time-range parameter to specify the period of time that the ACL statement is valid. The period of time specified can be recurring or a specific instance that happens only once.


These are the commands for creating a time range:

Router(config)# time-range time_range_name
Router(config-time-range)# absolute [start_time start_date] [end_time end_date]
Router(config-time-range)# periodic day_of_the_week hh:mm to [day_of_the_week] hh:mm

The absolute command specifies a single time period for which the time range is valid. ACL statements that reference this time range are not used after this period.

The periodic command specifies a recurring time period for which the time range is valid. Multiple periodic commands are permitted within the same time range. The day_of_the_week parameter accepts the following values:
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
  • Sunday
  • daily (every day)
  • weekdays (Monday through Friday)
  • weekend (Saturday and Sunday)

Scenario :
A network administrator has a situation that requires time-based ACLs. Users are not allowed to access the Internet during business hours, except during lunch and after hours until 7 p.m. when the office closes. This is a time-based ACL that supports the requirement: 

R1(config)# time-range employee-time
R1(config-time-range)# periodic weekdays 12:00 to 13:00
R1(config-time-range)# periodic weekdays 17:00 to 19:00
R1(config-time-range)# exit
R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range employee-time
R1(config)# access-list 100 deny ip any any
R1(config)# interface FastEthernet 0/1
R1(config-if)# ip access-group 100 in
R1(config-if)# exit
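An added example, not part of the original notes: a Python model of the time-range sub-commands that parses the employee-time definition above (and also the absolute form and a day-spanning periodic form) and reports whether ACL 100 permits the Internet traffic at a given moment. The TimeRange class and helper names are assumptions, as is treating the end time as inclusive to the minute.

```python
from datetime import datetime
from typing import List, Optional, Tuple

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_SETS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}
WEEK_MIN = 7 * 24 * 60                     # minutes in one week

def _days(tok: str) -> set:
    return DAY_SETS[tok] if tok in DAY_SETS else {DAY_NAMES.index(tok)}

def _hhmm(tok: str) -> int:
    h, m = tok.split(":")
    return int(h) * 60 + int(m)

def _parse_absolute(toks: List[str]) -> Tuple[Optional[datetime], Optional[datetime]]:
    """'absolute [start hh:mm day month year] [end hh:mm day month year]'."""
    start = end = None
    for i in range(0, len(toks), 5):
        stamp = datetime.strptime(" ".join(toks[i + 1:i + 5]), "%H:%M %d %B %Y")
        if toks[i] == "start":
            start = stamp
        elif toks[i] == "end":
            end = stamp
        else:
            raise ValueError("expected 'start' or 'end', got " + toks[i])
    return start, end

def _parse_periodic(toks: List[str]) -> List[Tuple[int, int]]:
    """'periodic days hh:mm to [day] hh:mm' -> windows in minutes since Monday 00:00.
    Without an end day each listed day gets its own window; with one, a single window
    runs continuously from the start day to the end day (wrapping past Sunday)."""
    days: set = set()
    while ":" not in toks[0]:
        days |= _days(toks.pop(0))
    start = _hhmm(toks.pop(0))
    if toks.pop(0) != "to":
        raise ValueError("missing 'to'")
    end_day = None if ":" in toks[0] else DAY_NAMES.index(toks.pop(0))
    end = _hhmm(toks.pop(0))
    if end_day is None:
        return [(d * 1440 + start, d * 1440 + end) for d in sorted(days)]
    s, e = min(days) * 1440 + start, end_day * 1440 + end
    return [(s, e + WEEK_MIN if e < s else e)]

class TimeRange:
    """A time-range object built from the same sub-commands the router accepts (assumed model)."""

    def __init__(self, name: str):
        self.name = name
        self.absolute: Tuple[Optional[datetime], Optional[datetime]] = (None, None)
        self.periodic: List[Tuple[int, int]] = []

    def add(self, line: str) -> "TimeRange":
        toks = line.lower().split()
        if toks[0] == "absolute":
            self.absolute = _parse_absolute(toks[1:])
        elif toks[0] == "periodic":
            self.periodic.extend(_parse_periodic(toks[1:]))
        else:
            raise ValueError("unknown time-range sub-command: " + line)
        return self

    def active(self, when: datetime) -> bool:
        """True when 'when' lies inside the absolute window (if any) and, if periodic
        entries exist, inside at least one of them. End times are treated as inclusive
        to the minute (an assumption made here)."""
        start, end = self.absolute
        if (start is not None and when < start) or (end is not None and when > end):
            return False
        if not self.periodic:
            return True
        now = when.weekday() * 1440 + when.hour * 60 + when.minute
        return any(s <= now <= e or s <= now + WEEK_MIN <= e for s, e in self.periodic)

def employee_time() -> TimeRange:
    """The employee-time range from the scenario above."""
    return (TimeRange("employee-time")
            .add("periodic weekdays 12:00 to 13:00")
            .add("periodic weekdays 17:00 to 19:00"))

def acl100_decision(when: datetime, tr: Optional[TimeRange] = None) -> str:
    """ACL 100 from the scenario: the permit line only counts while the time range is
    active, so outside it the packet falls through to 'deny ip any any'."""
    tr = tr or employee_time()
    return "permit" if tr.active(when) else "deny"

def at(spec: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' (convenience for checks)."""
    return datetime.strptime(spec, "%Y-%m-%d %H:%M")
```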

Troubleshooting Complex ACL implementations
To verify an ACL configuration, use the show access-lists command.

Router# show access-lists [access-list-number | access-list-name] 

The command output shows how many packets have been matched against each entry in the ACLs, enabling the user to monitor the particular packets that have been permitted or denied. 


To troubleshoot an ACL configuration, use the debug ip packet command. 

Router# debug ip packet [access-list-number] [detail]

The debug ip packet command is useful for analyzing the messages traveling between the local and remote hosts. IP packet debugging captures the packets that are process-switched, including received, generated, and forwarded packets.

The detail option displays detailed IP packet debugging information. This information includes the packet types and codes as well as source and destination port numbers.


Mitigating Attacks with ACLs
ACLs can be used to mitigate many network threats:
  • IP address spoofing, inbound and outbound
  • DoS TCP SYN attacks
  • DoS smurf attacks

ACLs can also filter the following traffic:
  • ICMP messages, inbound and outbound
  • traceroute


Hackers use several ICMP message types to attack networks. However, various management applications use ICMP messages to gather information. Network management uses ICMP messages that are automatically generated by the router.

Hackers can use ICMP echo packets to discover subnets and hosts on a protected network and to generate DoS flood attacks. Hackers can use ICMP redirect messages to alter host routing tables. Both ICMP echo and redirect messages should be blocked inbound by the router.

Several ICMP messages are recommended for proper network operation and should be allowed inbound:
  • Echo reply - Allows users to ping external hosts.
  • Source quench - Requests the sender to decrease the traffic rate of messages.
  • Unreachable - Unreachable messages are generated for packets that are administratively denied by an ACL.


Several ICMP messages are required for proper network operation and should be allowed outbound:

  • Echo - Allows users to ping external hosts.
  • Parameter problem - Informs the host of packet header problems.
  • Packet too big - Required for packet maximum transmission unit (MTU) discovery.
  • Source quench - Throttles down traffic when necessary.


As a rule, block all other ICMP message types outbound. 

ACLs are used to block IP address spoofing, selectively permit specific services through a firewall, and to allow only required ICMP messages. 


Management protocols such as SNMP, while useful for remote monitoring and management of networked devices, can be exploited. If SNMP is necessary, exploitation of SNMP vulnerabilities can be mitigated by applying interface ACLs to filter SNMP packets from non-authorized systems. The ACL can then permit known source addresses that are destined for the IOS device itself, such as those devices within a management network. It should be noted that an exploit may still be possible if the SNMP packet is sourced from an address that has been spoofed and is permitted by the ACL. 

While these security measures are helpful, the most effective means of exploitation prevention is to disable the SNMP server on IOS devices that do not require it. To disable SNMP processing on the Cisco IOS devices, issue the command:

Router(config)# no snmp-server

IPv6 ACLs
Many networks have begun the transition to an IPv6 environment. Part of the need for the transition to IPv6 is because of the weaknesses inherent in IPv4. IPv4 was designed without a number of modern-day network requirements such as:
  • Security - IPsec
  • Device roaming - Mobile IP
  • Quality of service - RSVP
  • Address scarcity - DHCP, NAT, CIDR, VLSM
The standard ACL functionality in IPv6 is similar to standard ACLs in IPv4. These ACLs determine what traffic is blocked and what traffic is forwarded at router interfaces. They allow filtering based on source and destination addresses, inbound and outbound to a specific interface. IPv6 ACLs are defined using the ipv6 access-list command with the deny and permit keywords in global configuration mode. 

Router(config)# ipv6 access-list access-list-name

Configure each access list entry to specifically permit or deny traffic. 

Router(config-ipv6-acl)# {permit | deny} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]]

After the ACL statements are created, the administrator activates the ACL on an interface with the ipv6 traffic-filter command, specifying the name of the ACL and the direction of traffic to which the ACL applies. 

Router(config-if)# ipv6 traffic-filter access-list-name {in | out}

Using Object Group in ACEs
In large networks, ACLs can be large (hundreds of lines) and difficult to configure and manage, especially if the ACLs frequently change. 

Object group-based ACLs are smaller, more readable, and easier to configure and manage than conventional ACLs. 

The following guidelines and limitations apply to object groups:

  • Object groups must have unique names.
  • Additional objects can be appended to existing object groups.
  • Objects such as hosts, services, and protocols can be grouped.
  • You cannot delete an object group or make an object group empty if it is being used in an ACE.

Network and Service Object Group

A network object group is a group of any of the following objects: 
  • Hostnames, IP addresses, or subnets
  • Ranges of IP addresses
  • Existing network object groups
To create a network group, enter the following commands:

Router(config)# object-group network nw_grp_id
Router(config-network-group)# description description-text | host {host-address | host-name} | network-address {/prefix-length | network-mask} | range host-address1 host-address2 | any | group-object nested-object-group-name

A service object group is a group of any of the following objects: 
  • Top-level protocols (such as TCP, UDP, or ESP)
  • Source and destination protocol ports (such as Telnet or SNMP)
  • ICMP types (such as echo, echo-reply, or host-unreachable)
  • Existing service object groups

To create a service group, enter the following commands:

Router(config)# object-group service svc_grp_id 
Router(config-service-group)# protocol | [tcp | udp | tcp-udp [source {{[eq]| lt | gt} port1 | range port1 port2}] [{[eq]| lt | gt} port1 | range port1 port2]] | icmp icmp-type

Reference :

1) CCNA Security Cisco Network Academy

CCNA Security Chapter 3 Notes

CCNA Security Chapter 3

AAA Overview
AAA security in a Cisco environment has several functional components:
  • Authentication : Users and administrators must prove that they are who they say they are.
  • Authorization : After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform.
  • Accounting and auditing : Accounting keeps track of how network resources are used.
AAA Authentication
AAA authentication can be used to authenticate users for administrative access or for remote network access. The two access methods use different modes to request AAA services:
  • Character mode : A user sends a request to establish an EXEC mode process with the router for administrative purposes.
  • Packet mode : A user sends a request to establish a connection through the router with a device on the network.

Local AAA Authentication
Local AAA authentication uses a local database for authentication. Usernames and passwords are stored locally on the Cisco router. It is ideal for small networks.

  1. The client establishes a connection with the router.
  2. The AAA router prompts the user for a username and password.
  3. The router authenticates the username and password using the local database.
Server-Based AAA Authentication
Server-based AAA authentication uses an external database server that leverages the RADIUS or TACACS+ protocols. If there are multiple routers, the server-based approach is more appropriate.
  1. The client establishes a connection with the router.
  2. The AAA router prompts the user for a username and password.
  3. The router authenticates the username and password using a remote AAA server.
  4. The user is authorized to access the network based on information on the server.
AAA Authorization
After the user is successfully authenticated against the selected AAA data source, the user is authorized for specific network resources.
  1. When a user has been authenticated, a session is established with the AAA server.
  2. The router requests authorization for the requested service from the AAA server.
  3. The AAA server returns a PASS/FAIL for authorization.
AAA Accounting
Accounting collects and reports usage data so that it can be employed for purposes such as auditing or billing. The collected data might include the start and stop connection times, executed commands, number of packets, and number of bytes.


  1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process.
  2. When the user finishes, a stop message is recorded and the accounting process ends.
Configuring Local AAA Authentication with CLI
  1. Add a username and password to the local router database for user administrative access to the router.
  2. Enable AAA globally.
  3. Configure AAA parameters on the router.
  4. Confirm and troubleshoot the AAA configuration.

Server-Based AAA Communication Protocols

Reference :
1) CCNA Security Cisco Network Academy


Sunday, August 17, 2014

CCNA Security Chapter 2 Notes

CCNA Security Chapter 2

Securing the Edge Router

Single Router Approach
A single router connects the protected network, or internal LAN, to the Internet. All security policies are configured on this device. This approach is more commonly deployed in smaller site implementations. In smaller networks, the required security features can be supported by ISRs without impeding the router's performance capabilities.


Defense-in-Depth Approach
The defense-in-depth approach is more secure than the single router approach. In this approach, the router acts as the first line of defense and is known as a screening router. It passes all connections that are intended for the internal LAN to the firewall.

The second line of defense is the firewall. The firewall typically picks up where the router leaves off and performs additional filtering.


DMZ Approach
A variation of the defense-in-depth approach is to offer an intermediate area, often called a demilitarized zone (DMZ). The DMZ can be used for servers that must be accessible from the Internet or some other external network. In the DMZ approach, the router provides some protection by filtering some traffic, but leaves the bulk of the protection to the firewall.


Three areas of router security must be maintained:
Physical Security:
  • Place the router and the physical devices that connect to it in a secure locked room that is accessible only to authorized personnel.
  • Install an uninterruptible power supply (UPS) and keep spare components available. This reduces the possibility of a DoS attack from power loss to the building.
Router Hardening: Eliminate potential abuse of unused ports and services.
  • Secure administrative control. Ensure that only authorized personnel have access and that their level of access is controlled.
  • Disable unused ports and interfaces. Reduce the number of ways a device can be accessed.
  • Disable unnecessary services.
Operating System Security: Secure the features and performance of the router operating system.
  • Configure the router with the maximum amount of memory possible. The availability of memory can help protect the network from some DoS attacks, while supporting the widest range of security services.
  • Use the latest stable version of the operating system that meets the feature requirements of the network.
  • Keep a secure copy of the router operating system image and router configuration files as a backup.
Tasks involved in securing administrative access to an infrastructure device:
  1. Restrict device accessibility : Limit the accessible ports, restrict the permitted communications, and restrict the permitted methods of access.
  2. Log and account for all access : Record anyone who accesses a device, including what occurs and when.
  3. Authenticate access : Ensure that access is granted only to authenticated users, groups, and services. Limit the number of failed login attempts and the time between logins.
  4. Authorize actions : Restrict the actions and views permitted by any particular user, group, or service.
  5. Present legal notifications : Display a legal notice, developed in conjunction with company legal counsel, for interactive sessions.
  6. Ensure the confidentiality of data : Protect locally stored sensitive data from viewing and copying.
Two ways to access a device for administrative purposes

Local Access : Local access to a router usually requires a direct connection to a console port on the Cisco router using a computer that is running terminal emulation software.

Remote Access : Some network devices can be accessed remotely. Remote access typically involves allowing Telnet, Secure Shell (SSH), HTTP, HTTPS, or Simple Network Management Protocol (SNMP) connections to the router from a computer. For security reasons, it is preferable to allow only local access to the router. However, remote access might still be necessary. When accessing the network remotely, a few precautions should be taken:

  • Encrypt all traffic between the administrator computer and the router.
  • Establish a dedicated management network.
  • Configure a packet filter to allow only identified administration hosts and preferred protocols to access the router.
Configure Secure Administrative Access
Attackers deploy various methods of discovering administrative passwords, such as using L0phtCrack and Cain & Abel to attempt brute-force attacks and guess passwords.

Guidelines designed to make passwords less easily discovered:
  • Use a password length of 10 or more characters.
  • Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.
  • Avoid passwords based on repetition or other easily identifiable information.
  • Deliberately misspell passwords.
  • Change passwords often.
  • Do not write passwords down and leave them in obvious places.
Configure Router Password

Enable Secret Password
The enable secret password is a global configuration command that restricts access to privileged EXEC mode. The password is hashed with MD5. If the password is lost or forgotten, use the Cisco password recovery procedure.

Console Line
By default, the console port does not require a password. However, a console port line-level password should always be configured. Use the line console 0 command followed by the login and password commands on the console line.


Virtual Terminal Lines
By default, Cisco routers support five simultaneous virtual terminal (vty) sessions (Telnet or SSH). On the router, the vty ports are numbered from 0 through 4. Use the line vty 0 4 command followed by the login and password commands.


Auxiliary Line
By default, Cisco router auxiliary ports do not require a password for remote administrative access. Administrators sometimes use this port to remotely configure and monitor the router using a dialup modem connection.

Enhance Security for Virtual Logins
The Cisco IOS login enhancements feature provides more security for Cisco IOS devices when creating a virtual connection, such as Telnet, SSH, or HTTP, by slowing down dictionary attacks and stopping DoS attacks. To better configure security for virtual login connections, the login process should be configured with specific parameters:
  • Implement delays between successive login attempts.
  • Enable login shutdown if DoS attacks are suspected.
  • Generate system-logging messages for login detection.

Command: login block-for seconds attempts tries within seconds
All login enhancement features are disabled by default. Use the login block-for command to enable login enhancements. The login block-for feature monitors login device activity and operates in two modes:
  • Normal mode (watch mode) - The router keeps count of the number of failed login attempts within an identified amount of time. 
  • Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied.

For example, logins are disabled for 120 seconds if more than 5 failed login attempts occur within 60 seconds.
  • This command must be issued before any other login command can be used.
  • This command can help provide DoS detection and prevention.



Command : login quiet-mode access-class {acl-name | acl-number}
When quiet mode is enabled, all login attempts, including valid administrative access, are not permitted. However, to provide critical hosts access at all times, this behavior can be overridden using an ACL.

The example shows a configuration that invokes an ACL named PERMIT-ADMIN. Hosts that match PERMIT-ADMIN are exempt from quiet mode.
  • The command specifies an ACL that is applied to the router when it switches to quiet mode and identifies hosts that are exempt from the quiet-mode failure time.
  • If not configured, all login requests are denied during quiet mode.

Command : login delay seconds
This delay time can be changed using the login delay command. The login delay command introduces a uniform delay between successive login attempts. The delay occurs for all login attempts, including failed or successful attempts. 

  • Helps mitigate dictionary attacks
  • This is an optional command. If not set, a default delay of one second is enforced after the login block-for command is configured.
Command : log commands

  1. login on-failure log [every login]
  2. login on-success log [every login]


Configuring SSH

  1. Configure the IP domain name : If the router has a unique host name, configure the IP domain name of the network using the ip domain-name domain-name command in global configuration mode.
  2. Generate one-way secret keys : To create the RSA key, use the crypto key generate rsa general-keys modulus modulus-size command in global configuration mode.
  3. Verify or create a local database entry : Ensure that there is a valid local database username entry. If not, create one using the username name secret secret command.
  4. Enable VTY inbound SSH sessions : Enable vty inbound SSH sessions using the line vty commands login local and transport input ssh.

SSH timeouts and authentication retries
Router(config)#ip ssh time-out seconds
Router(config)#ip ssh authentication-retries tries

Version
Router(config)#ip ssh version version
where version is 1 or 2

Configuring Privilege Levels

16 Privilege Levels
  • Level 0: Predefined for user-level access privileges. Seldom used, but includes five commands: disable, enable, exit, help, and logout.
  • Level 1: The default level for login with the router prompt Router>. A user cannot make any changes or view the running configuration file.
  • Levels 2-14: May be customized for user-level privileges.
  • Level 15: Users can change configurations and view configuration files.

Configuring Role-Based CLI Access
Role-based CLI provides three types of views:

Root View : To configure any view for the system, the administrator must be in root view. Root view has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user. Only a root view user can configure a new view and add or remove commands from the existing views. 

CLI View : A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and, therefore, no higher or lower views. Each view must be assigned all commands associated with that view, and a view does not inherit commands from any other views. Additionally, the same commands can be used in multiple views. 

Superview : A superview consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible. Superviews allow a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated to that one CLI view. 

Superview characteristics :

  • A single CLI view can be shared among multiple superviews.
  • Commands cannot be configured for a superview. An administrator must add commands to the CLI view and add that CLI view to the superview.
  • Users who log in to a superview can access all the commands configured in its CLI views.
  • Each superview has a password that is used to switch between superviews or from a CLI view to a superview.


Create and manage a specific view :

  1. Exit and enter the root view with the enable view command.
  2. Create a view using the parser view command.
  3. Assign a secret password to the view using the secret command.
  4. Assign commands to the view using the commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] command in view configuration mode.

Create and manage a superview :
  1. Create a superview using the parser view view-name superview command and enter superview configuration mode.
  2. Assign a secret password to the superview.
  3. Assign an existing view using the view view_name command.
  4. Exit the superview.

Restore a primary bootset

  1. Reload the router using the reload command.
  2. Find the device name in the output of the show secure bootset command.
  3. Use the boot command with the file name found in Step 2.
  4. Go to global configuration mode with conf t.
  5. Restore the secure configuration files using the secure boot-config restore filename command.
Using Syslog for Network Security
Configure the router to send log messages to:
  • Console : Console logging is the default. Messages logged to the console can be viewed when modifying or testing the router using terminal emulation.
  • Terminal lines : Enabled EXEC mode sessions can be configured to receive log messages on any terminal lines.
  • Buffered logging : This is a little more useful as a security tool because log messages are stored in router memory for a time. However, the events are cleared when the router reboots.
  • SNMP traps : Can be preconfigured on routers. SNMP traps are a viable security logging facility but require the configuration and maintenance of an SNMP system.
  • Syslog : Cisco routers can be configured to forward log messages to an external syslog service. Syslog is the most popular message logging facility, because it provides long-term log storage capabilities and a central location for all router messages.
Cisco router log messages contain three main parts:
  1. Timestamp
  2. Log message name and severity level
  3. Message text
Severity Levels






Syslog implementations contain two types of systems:
  • Syslog servers : Known as log hosts, these systems accept and process log messages from syslog clients.
  • Syslog clients : Routers or other types of devices that generate and forward log messages to syslog servers.
Configure system logging :
  1. Set the destination host using the logging host command
  2. (Optional) Set the log severity level using the logging trap level command
  3. Set the source interface using the logging source-interface command
  4. Enable logging
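As an added example (not from the course notes or from Cisco), a small Python parser that splits IOS-format log lines into the three parts listed above, names the severity level, and filters them the way logging trap level does on the router, so you can check which messages a given trap level would actually forward to the log host. The sample lines, hostnames and addresses are constructed, not captured from a real device.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Cisco IOS syslog severity levels: 0 is the most severe, 7 the least.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# The three parts of an IOS message: [sequence number] timestamp, %FACILITY-SEVERITY-MNEMONIC, text.
_IOS_LOG_RE = re.compile(
    r"^(?:\d+: )?\*?(?P<timestamp>.+?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Constructed sample lines in IOS format (not captured from a real router).
SAMPLE_LOG = """\
*Mar  1 00:00:12.347: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
*Mar  1 00:00:45.110: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22]
*Mar  1 00:01:03.002: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4123) -> 192.0.2.1(23), 1 packet
*Mar  1 00:01:20.500: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down
*Mar  1 00:02:00.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test
"""


@dataclass
class IosLogMessage:
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_ios_log(line: str) -> Optional[IosLogMessage]:
    """Split one IOS log line into its parts; None if it is not an IOS message."""
    m = _IOS_LOG_RE.match(line.strip())
    if not m:
        return None
    return IosLogMessage(m["timestamp"], m["facility"], int(m["severity"]),
                         m["mnemonic"], m["text"])


def forwarded_messages(lines: Iterable[str], trap_level: int) -> List[IosLogMessage]:
    """Messages a router with 'logging trap <trap_level>' sends to its log host:
    only those at that level or numerically lower (i.e. at least that severe)."""
    return [m for m in map(parse_ios_log, lines) if m is not None and m.severity <= trap_level]
```

With trap level 4 (warnings) only the failed login and the link-down event leave the router; the ACL deny at level 6 is kept in the buffer but never reaches the log host, which is worth knowing before relying on syslog to spot blocked traffic.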


Reference :
1) CCNA Security Cisco Network Academy

Friday, August 15, 2014

CCNA Security Chapter 1 notes

CCNA Security Chapter 1

Viruses, Worms, and Trojan Horses
The primary vulnerabilities for end-user computers are virus, worm, and Trojan Horse attacks:

  • Viruses = Malicious software which attaches to another program to execute a specific unwanted function on a computer.
  • Worm = Executes arbitrary code and installs copies of itself in the memory of the infected computer, which then infects other hosts.
  • Trojan Horse = An application written to look like something else. When a Trojan Horse is downloaded and opened, it attacks the end-user computer from within.

Viruses
Malicious code that is attached to legitimate programs or executable files:
  • Most viruses require end-user activation and can lie dormant for an extended period and then activate at a specific time or date.
  • A simple virus may install itself at the first line of code in an executable file.
  • Viruses can be harmless, such as those that display a picture on the screen, or destructive, such as those that delete files on the hard drive.
Worms
A particularly dangerous type of hostile code. Worms replicate themselves by independently exploiting vulnerabilities in networks.
  • Viruses require a host program to run; worms can run by themselves.
  • Worms do not require user participation and can spread very quickly over the network.
Worm attacks have three major components:
  • Enabling vulnerability = A worm installs itself using an exploit mechanism (email attachment, executable file, Trojan Horse) on a vulnerable system.
  • Propagation mechanism = After gaining access to a device, the worm replicates itself and locates new targets.
  • Payload = Any malicious code that results in some action. Most often this is used to create a backdoor to the infected host.
Five phases of attack
  1. Probe phase = Vulnerable targets are identified. The goal is to find computers that can be subverted.
  2. Penetrate phase = Exploit code is transferred to the vulnerable target. The goal is to get the target to execute the exploit code through an attack vector.
  3. Persist phase = After the attack is successfully launched in memory, the code tries to persist on the target system. The goal is to ensure that the attacker code is running and available to the attacker even if the system reboots.
  4. Propagate phase = The attacker attempts to extend the attack to other targets by looking for vulnerable neighboring machines.
  5. Paralyze phase = Actual damage is done to the system. Files can be erased, systems can crash, information can be stolen.
Trojan Horse
A Trojan Horse is malware that carries out malicious operations under the guise of a desired function. It contains hidden, malicious code that exploits the privileges of the user that runs it.

Trojan Horses are classified according to the damage they cause to a system:
  • Remote-access Trojan Horse - Enables unauthorized remote access
  • Data-sending Trojan Horse - Provides the attacker with sensitive data such as passwords
  • Destructive Trojan Horse - Corrupts or deletes files
  • Proxy Trojan Horse - The user's computer functions as a proxy server
  • FTP Trojan Horse - Opens port 21
  • Security software disabler Trojan Horse - Stops antivirus programs or firewalls from functioning
  • Denial of Service Trojan Horse - Slows or halts network activity
Mitigating Viruses, Worms, and Trojan Horses
Mitigation techniques are referred to in the security community as "countermeasures".

The primary means of mitigating virus and Trojan Horse attacks is antivirus software.

Worm mitigation requires diligence and coordination on the part of network security professionals. The response to a worm infection can be broken down into four phases:

  • Containment = Compartmentalization and segmentation of the network to slow down or stop the worm and prevent currently infected hosts from targeting and infecting other systems.
  • Inoculation = Runs parallel to or subsequent to the containment phase. During the inoculation phase, all uninfected systems are patched with the appropriate vendor patch for the vulnerability.
  • Quarantine = Tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them. Isolates these systems appropriately for the treatment phase.
  • Treatment = Actively infected systems are disinfected of the worm. This can involve terminating the worm process, removing modified files or system settings that the worm introduced, and patching the vulnerability the worm used to exploit the system.
Attack Methodologies
CCNA Security classifies attacks in three major categories:
  • Reconnaissance Attacks =  Involve the unauthorized discovery and mapping of systems, services, or vulnerabilities. Reconnaissance attacks often employ the use of packet sniffers and port scanners.
  • Access Attacks = Exploit known vulnerabilities in authentication services, FTP services, confidential databases, etc. Access attacks often employ dictionary attacks.
  • Denial of Service Attacks = Send extremely large numbers of requests over a network or the Internet. These excessive requests cause the target device to become unavailable for legitimate access and use.

Reconnaissance Attacks
Reconnaissance is also known as information gathering. These attacks use various tools to gain access to a network:
  • Packet sniffer
  • Ping sweeps
  • Port scans
  • Internet information queries
Packet Sniffer
A software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.

Promiscuous mode causes the network controller to pass all traffic it receives to the CPU, rather than only the frames the controller is intended to receive.

Packet sniffers can only capture traffic within the same collision domain.

Tools : Wireshark

Ping Sweep
A basic network scanning technique that determines which IP addresses in a range map to live hosts.

Tools : nmap

Port Scan
Scans a range of TCP and UDP port numbers on a host to detect listening services.

Tools : nmap

Internet information queries

Reveal information such as who owns a particular domain and what addresses have been assigned to that domain. They can also reveal who owns a particular IP address and which domain is associated with the address.

Tools : http://whois.net/

Access Attacks
Hackers use access attacks on networks or systems for three reasons: retrieve data, gain access, and escalate access privileges. 

There are five types of access attacks:

  1. Password attacks = An attacker attempts to guess system passwords, using for example:
    • Brute force
    • Trojan Horse
    • Packet sniffer
  2. Trust exploitation = An attacker uses privileges granted to a system in an unauthorized way, possibly leading to compromise of the target.
  3. Port redirection = A compromised system is used as a jump-off point for attacks against other targets. An intrusion tool is installed on the compromised system for session redirection.
  4. Man-in-the-middle attack = An attacker is positioned in the middle of communications between two legitimate entities in order to read or modify the data that passes between the two parties.
  5. Buffer overflow = A program writes data beyond the allocated buffer memory. Buffer overflows usually arise as a consequence of a bug in a C or C++ program. As a result of the overflow, valid data is overwritten, or the overflow is exploited to enable the execution of malicious code.

Denial of Service Attack
A DoS attack is a network attack that results in some sort of interruption of service to users, devices, or applications.

There are two major reasons DoS attacks occur:

  1. A host or application fails to handle an unexpected condition.
  2. A network, host, or application is unable to handle an enormous quantity of data.
Three common DoS attacks:

  • Ping of Death = A hacker sends an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. Sending a ping of this size can crash the target computer.
  • Smurf Attack = A perpetrator sends a large number of ICMP requests to directed broadcast addresses, all with spoofed source addresses on the same network as the respective directed broadcast.
  • TCP SYN Flood = A flood of TCP SYN packets, often with a forged sender address. Each packet is handled like a connection request, causing the server to spawn a half-open connection by sending back a TCP SYN-ACK and waiting for a packet in response from the sender address.
Mitigating Network Attacks
Reconnaissance attacks can be mitigated in several ways:

  1. Implement authentication to ensure proper access.
  2. Use encryption to render packet sniffer attacks useless.
  3. Use anti-sniffer tools to detect packet sniffer attacks.
  4. Implement a switched infrastructure.
  5. Use a firewall and IPS.
Mitigate access attacks in several ways:
  1. Strong password security
  2. Principle of minimum trust
  3. Cryptography
  4. Applying operating system and application patches
Mitigate DoS Attack:
  1. IPS and firewalls
  2. Antispoofing technologies
  3. Quality of Service – traffic policing

Cisco Network Foundation Protection (NFP) framework 
NFP logically divides routers and switches into three functional areas:

  • Control Plane = Responsible for routing data correctly. Control plane traffic consists of device-generated packets required for the operation of the network itself such as ARP message exchanges or OSPF routing advertisements.
  • Management Plane = Responsible for managing network elements. It is generated either by network devices or network management stations using processes and protocols.
  • Data Plane = Responsible for forwarding data.


Control plane
Control plane security can be implemented using the following features:

  • Cisco AutoSecure - Provides a one-step device lockdown feature to protect the control plane as well as the management and data planes. It is a script that is initiated from the CLI to configure the security posture of routers. The script disables nonessential system processes and services. It first makes recommendations to address security vulnerabilities and then modifies the router configuration.
  • Routing protocol authentication - Routing protocol authentication prevents a router from accepting fraudulent routing updates. 
  • Control Plane Policing (CoPP) - CoPP is a Cisco IOS feature designed to allow users to control the flow of traffic that is handled by the route processor of a network device.

Management plane
Management plane security can be implemented using the following features:
  • Login and password policy - Restricts device accessibility. Limits the accessible ports and restricts the "who" and "how" methods of access.
  • Present legal notification - Displays legal notices. These are often developed by legal counsel of a corporation. 
  • Ensure the confidentiality of data - Protects locally stored sensitive data from being viewed or copied. Uses management protocols with strong authentication to mitigate confidentiality attacks aimed at exposing passwords and device configurations. 
  • Role-based access control (RBAC) - Ensures access is only granted to authenticated users, groups, and services. RBAC and authentication, authorization, and accounting (AAA) services provide mechanisms to effectively manage access control. 
  • Authorize actions - Restricts the actions and views that are permitted by any particular user, group, or service.
  • Enable management access reporting - Logs and accounts for all access. Records who accessed the device, what occurred, and when it occurred.

Data plane
Data plane security can be implemented using the following features:
  • ACLs
  • Antispoofing
  • Layer 2 security including port security, DHCP snooping, dynamic ARP inspection (DAI)

Reference :
1) CCNA Security Cisco Network Academy