Network Security

Password Control and Device Access
Outline
• Network Gatekeepers
• Identifying network threats and countermeasures
• Using secure router, firewall, and switch configurations

Network Gatekeepers

The network is the entry point to the application and controls access to the various servers in the enterprise environment.

The basic components of a network, which act as the front-line gatekeepers, are the:
◦ Router: the router is the very first line of defense. It provides packet routing, and it can also be configured to block or filter the forwarding of packet types that are known to be vulnerable or used maliciously, such as ICMP.
◦ Firewall, and
◦ Switch

[Diagram: router (filtering, port blocking), firewall, IDS, switch (private VLANs); IDS: Intrusion Detection System]
Router Considerations

• Patches and updates
  ◦ Stay current with both security issues and service patches.
• Disable unused interfaces.
• Apply strong password policies.
• Use static routing.
  ◦ An attacker might try to change routes to cause denial of service or to forward requests to a rogue server.
• Audit Web-facing administration interfaces.
Threats and Countermeasures

An attacker looks for poorly configured network devices to exploit. The following are high-level network threats:
• Information gathering
• Sniffing
• Spoofing
• Session hijacking
• Denial of service
Information Gathering

Information gathering can reveal detailed information about network topology, system configuration, and network devices.

Attacks
• Using Tracert (Traceroute) to detect network topology
• Using Telnet to open ports for banner grabbing
• Using port scans to detect open ports
• Using broadcast requests to enumerate hosts on a subnet
Blocking Traceroute

The traceroute command is used to discover the routes that packets actually take when traveling to their destination.

Router1#traceroute 34.0.0.4

1 12.0.0.2 4 msec 4 msec 4 msec
2 23.0.0.3 20 msec 16 msec 16 msec
3 34.0.0.4 16 msec * 16 msec

Which protocol is used by traceroute?
• http://en.wikipedia.org/wiki/Traceroute

Protocols used by Traceroute

Traceroute uses either ICMP (Windows) or UDP (most Unix implementations).

To block inbound traceroute you need to block the following:

• Block incoming ICMP echo requests (ICMP type 8). This will prevent ping attacks, which can crash some systems. Apply this filter inbound. (The IOS keyword for an echo request is echo.)
  ◦ access-list 101 deny icmp any any echo

• Block outgoing ICMP echo-replies (ICMP type 0) to anyone, especially in response to malicious programs that use ICMP echo-replies. Apply this filter outbound.
  ◦ access-list 101 deny icmp any any echo-reply

• Block outgoing ICMP time-exceeded (ICMP type 11). This prevents outsiders from mapping your network.
  ◦ access-list 101 deny icmp any any time-exceeded

• Block UDP with ports > 30000 (should block most Unix traceroutes).
  ◦ Block outgoing messages destined to UDP ports 33434 to 33534, or block all UDP except that which you absolutely need.

[Diagram: apply the echo-request filter inbound on the perimeter router and the echo-reply/time-exceeded filters outbound]

http://www.sans.org/reading_room/whitepapers/networkdevs/easy-steps-cisco-extended-access-list_231
Countermeasures - Information gathering

Block Telnet. How?

Password control on Telnet:

Router(config)# line vty 0 4
Router(config-line)# password cisco
Router(config-line)# login

By default, console, auxiliary, and Telnet (VTY) sessions time out after 10 minutes of idling. Change the timeout to 5 minutes for Telnet sessions:

Router(config-line)# exec-timeout 5 0
Service Banners

The login banner should not contain any specific information about the router name, model, software, or ownership.

Router(config)# banner motd & any unauthorized use of the system is unlawful and can be subject to civil and criminal penalties &
Block Telnet Access

Telnet sends user information across the network in clear text.

Limit remote access using Telnet:

Router(config)# access-list 1 permit 172.16.3.10
Router(config)# access-list 1 permit 172.16.3.11
Router(config)# line vty 0 4
Router(config-line)# access-class 1 in

[Diagram: only hosts 172.16.3.10 and 172.16.3.11 may open VTY sessions; access-class 1 is applied inbound on the perimeter router]
HTTP Access

By default, the HTTP server function on the router is disabled. To configure HTTP access, use the following steps:

Step 1. Enable the HTTP server (required).

Router(config)# ip http server

Step 2. Define an authentication method (highly recommended).

Router(config)# ip http authentication {aaa | enable | local}

Step 3. Restrict access through HTTP (highly recommended).

Router(config)# ip http access-class standard_ACL_#

This command enables you to restrict, based on the source IP address of the client, which devices are allowed HTTP or HTTPS access to the router.

Step 4. Change the HTTP port number (optional).

Router(config)# ip http port port_#

Step 6. Restrict the number of HTTP connections (recommended).

Router(config)# ip http max-connections max_#
HTTP Access - Example

Router(config)# access-list 1 permit 172.16.3.10
Router(config)# access-list 1 permit 172.16.3.11
Router(config)# username richard privilege 15 secret bigXdogYlover
Router(config)# username natalie privilege 15 secret BIGxDOGyLOVER
Router(config)# ip http server
Router(config)# ip http authentication local
Router(config)# ip http access-class 1
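The VTY password control, exec-timeout, banner, access-class and HTTP-access items above are all things an auditor can check mechanically in a saved running-config. The script below is an added example, not part of the slides: it parses a Cisco IOS config excerpt (top-level commands plus their indented sub-commands) and reports which of those controls are missing. Both configs are constructed here; the weak one follows the bare Telnet example from the slides, the hardened one applies the SSH, access-class, timeout, HTTP and banner advice. The hostname, the banner text, the finding wording and the secret value are assumptions of this example.

```python
# Added example (not from the slides): audit a Cisco IOS running-config excerpt
# for the device-access items above: VTY login and password, Telnet vs SSH,
# exec-timeout, inbound access-class, HTTP server restrictions and banner content.
import re


def parse_sections(config: str):
    """Return [(top-level command, [indented sub-commands])] in config order."""
    sections = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):       # skip blanks and comments
            continue
        if raw.startswith(" ") and current is not None:  # IOS indents sub-commands
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def extract_banner(config: str) -> str:
    """banner motd uses the first non-space character after it as the delimiter."""
    m = re.search(r"banner motd (\S)(.*?)\1", config, re.S)
    return m.group(2) if m else ""


def audit(config: str):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sections = parse_sections(config)
    top = [cmd for cmd, _ in sections]
    hostname = next((c.split()[1] for c in top if c.startswith("hostname ")), None)

    for cmd, subs in sections:
        if not cmd.startswith("line vty"):
            continue
        if not any(s == "login" or s.startswith("login ") for s in subs):
            findings.append(f"{cmd}: no 'login', remote sessions need no credentials")
        pw = next((s for s in subs if s.startswith("password ")), None)
        if pw and pw.split(maxsplit=1)[1].lower() == "cisco":
            findings.append(f"{cmd}: default/weak password 'cisco'")
        transport = next((s for s in subs if s.startswith("transport input")), None)
        if transport is None or set(transport.split()[2:]) != {"ssh"}:
            findings.append(f"{cmd}: Telnet accepted, transport input is not ssh only")
        if not any(s.startswith("access-class ") and s.endswith(" in") for s in subs):
            findings.append(f"{cmd}: no inbound access-class, any source may connect")
        to = next((s for s in subs if s.startswith("exec-timeout ")), None)
        minutes = int(to.split()[1]) if to else 10       # IOS default is 10 minutes
        if minutes == 0 or minutes > 5:                  # 0 disables the timeout
            findings.append(f"{cmd}: exec-timeout is {minutes} min (0 = never), expected 1-5")

    if "ip http server" in top:
        if not any(c.startswith("ip http authentication ") for c in top):
            findings.append("ip http server: no authentication method configured")
        if not any(c.startswith("ip http access-class ") for c in top):
            findings.append("ip http server: no access-class limiting client addresses")

    banner = extract_banner(config)
    if hostname and re.search(re.escape(hostname), banner, re.I):
        findings.append("banner motd: reveals the router name")
    for word in ("cisco", "ios", "version"):             # model/software hints
        if re.search(rf"\b{word}\b", banner, re.I):
            findings.append(f"banner motd: mentions '{word}'")
    return findings


# Constructed configs (assumed hostname, banner and secret): the first follows the
# Telnet example from the slides as-is, the second applies the hardening advice.
WEAK_CONFIG = """\
hostname EDGE-RTR1
banner motd &Welcome to EDGE-RTR1, a Cisco 2811 running IOS 15.1&
ip http server
line vty 0 4
 password cisco
 login
"""

HARDENED_CONFIG = """\
hostname EDGE-RTR1
banner motd &Any unauthorized use of the system is unlawful and can be subject to civil and criminal penalties&
access-list 1 permit 172.16.3.10
access-list 1 permit 172.16.3.11
username natalie privilege 15 secret EXAMPLE-SECRET-CHANGE-ME
ip http server
ip http authentication local
ip http access-class 1
line vty 0 4
 access-class 1 in
 exec-timeout 5 0
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run it directly to see the weak config produce nine findings and the hardened config none. The exec-timeout check treats a value of 0 as a finding because it disables the idle timeout entirely, which is worse than the 10-minute default the slides ask you to shorten.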
Sniffing

Sniffing, also called eavesdropping, is the act of monitoring network traffic for data, such as cleartext passwords or configuration information.

Vulnerabilities
• Weak physical security
• Lack of encryption when sending sensitive data (restrict VTY sessions to SSH instead of cleartext Telnet):
  ◦ Router(config)# line vty 0 4
  ◦ Router(config-line)# transport input ssh
  ◦ Router(config-line)# transport output ssh

Countermeasures
Some of the countermeasures:
• Strong physical security that prevents rogue devices from being placed on the network
• Encrypted credentials and application traffic over the network
Spoofing – from outside

Spoofing is a means to hide one's true identity on the network.

Most, but not all, of the spoofing attacks that take place start with someone on the outside of your network spoofing their IP address to make it look like they are part of the inside of your network.
• Deny traffic that has a source IP address inside the RFC 1918 block that is coming into your network from the outside interface:

Router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
Router(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
Router(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
Router(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
Router(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
Router(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any log (private multicast range)
Router(config)# interface serial 0/0
Router(config-if)# ip access-group 100 in

[Diagram: access-group 100 is applied inbound on the outside interface, serial 0/0]
Spoofing – from inside

We also want to prevent our inside people from spoofing to a different IP address as well. The only range that is allowed to transmit is my internal network, in this case 192.168.1.0/24:

Router(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any
Router(config)# access-list 105 deny ip any any log
Router(config)# interface fa0/1
Router(config-if)# ip access-group 105 in

[Diagram: 192.168.1.0/24 connected to Fa0/1; access-group 105 is applied inbound on that interface]
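The anti-spoofing lists above (100 on the outside interface, 105 on the inside) and the ICMP list 101 from the traceroute slide all rely on Cisco wildcard masks and first-match order, which is easy to get wrong by hand. The evaluator below is an added example and not code from the slides: it parses those access-list lines and reports what each list would do with a constructed packet. Two things in it are assumptions: a trailing permit ip any any is appended to lists 100 and 101, because as shown on the slides they contain only deny entries and the implicit deny at the end of every IOS ACL would otherwise drop all other traffic on the interface; and the ICMP keyword for an echo request is written as echo, the IOS spelling. Only source address, protocol and ICMP type are matched; destinations must be any.

```python
# Added example (not from the slides): evaluate numbered extended access lists
# with Cisco wildcard masks against constructed packets, first-match semantics,
# implicit deny at the end.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclEntry:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "icmp", ...
    src_net: int                      # source network as a 32-bit integer
    src_wild: int                     # wildcard mask: 1 bits are "don't care"
    icmp_type: Optional[str] = None   # IOS keyword such as "echo", or None
    log: bool = False


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_acl(lines):
    """Parse 'access-list N action proto SRC any [icmp-keyword] [log]' lines.
    SRC is 'any' or 'address wildcard'; the destination must be 'any'."""
    acls = {}
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        num, action, proto = int(tok[1]), tok[2], tok[3]
        if tok[4] == "any":
            src, wild, i = 0, 0xFFFFFFFF, 5
        else:
            src, wild, i = _addr(tok[4]), _addr(tok[5]), 6
        if tok[i] != "any":
            raise ValueError(f"only 'any' destinations are handled: {line}")
        trailing = tok[i + 1:]
        rest = [t for t in trailing if t != "log"]
        icmp_type = rest[0] if proto == "icmp" and rest else None
        acls.setdefault(num, []).append(
            AclEntry(action, proto, src, wild, icmp_type, "log" in trailing))
    return acls


def matches(entry: AclEntry, src_ip: str, proto: str, icmp_type: Optional[str]) -> bool:
    if entry.proto != "ip" and entry.proto != proto:
        return False
    care = 0xFFFFFFFF ^ entry.src_wild           # bits the entry actually compares
    if (_addr(src_ip) & care) != (entry.src_net & care):
        return False
    if entry.proto == "icmp" and entry.icmp_type and entry.icmp_type != icmp_type:
        return False
    return True


def evaluate(entries, src_ip, proto="ip", icmp_type=None):
    """Return (action, logged) of the first matching entry; implicit deny otherwise."""
    for e in entries:
        if matches(e, src_ip, proto, icmp_type):
            return e.action, e.log
    return "deny", False


# Constructed input: the ACLs from the slides, plus an assumed trailing
# 'permit ip any any' on 100 and 101 so the lists pass legitimate traffic.
ACL_LINES = [
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any log",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any log",
    "access-list 100 deny ip 0.0.0.0 0.255.255.255 any log",
    "access-list 100 deny ip 224.0.0.0 15.255.255.255 any log",
    "access-list 100 permit ip any any",
    "access-list 101 deny icmp any any echo",
    "access-list 101 deny icmp any any echo-reply",
    "access-list 101 deny icmp any any time-exceeded",
    "access-list 101 permit ip any any",
    "access-list 105 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 105 deny ip any any log",
]
ACLS = parse_acl(ACL_LINES)

if __name__ == "__main__":
    samples = [(100, "10.1.2.3", "ip", None), (100, "203.0.113.7", "ip", None),
               (101, "203.0.113.7", "icmp", "echo"), (101, "203.0.113.7", "icmp", "unreachable"),
               (105, "192.168.1.50", "ip", None), (105, "10.9.9.9", "ip", None)]
    for num, src, proto, itype in samples:
        print(f"ACL {num} src={src} {proto} {itype or ''}: {evaluate(ACLS[num], src, proto, itype)}")
```

Reading a wildcard mask as "bits I do not care about" is the whole trick: 0.15.255.255 on 172.16.0.0 covers 172.16.0.0 through 172.31.255.255, so 172.31.255.1 is denied and 172.32.0.1 falls through to the permit.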
Denial of Service

Network-layer denial of service attacks usually try to deny service by flooding the network with traffic, which consumes the available bandwidth and resources.

Vulnerabilities
• Weak router and switch configuration
• Unencrypted communication
Considerations - Secure switching

• Install latest patches and updates
• Virtual Local Area Networks (VLANs)
  ◦ Virtual LANs separate network segments and allow application of access control lists based on security rules.
• Insecure defaults
  ◦ Change all factory default passwords to prevent network enumeration or total control of the switch.
• Services
  ◦ Ensure all unused services are disabled.