Following the axioms of security, we will assume that any node in the network is a potential target. It is therefore worth knowing what vulnerabilities these nodes have. Consider a Cisco router. Objections will come immediately: there are many models, the supported services differ, and it is hard to lump a CRS-1 and the ancient 1600 together. I do not aim to cover everything, but I will describe some common points.
So, the first thing to remember is that by default the router does not block any well-formed traffic arriving on an interface (frames with a bad checksum do not count). However, some packets, on closer inspection (by the CPU), the router recognizes as unwanted, for example:
1. Packets whose TTL has expired (arriving with TTL 0, or decremented to 0 on this router, which then has to generate an ICMP Time Exceeded message)
2. Packets with no known destination (the destination network is not in the routing table and no explicit policy-based routing (PBR) rule covers the packet)
3. Packets of service protocols (for example, routing protocols) that are not running on the router.
These discarded packets can play a cruel joke: when there is a lot of such traffic, it can significantly load the router's CPU, because every one of them is examined and dropped there rather than on the fast path.
Next, in addition to transit traffic, the router handles some service traffic addressed to itself. Often, by default (or out of ignorance), unnecessary protocols are running on the router. They are dangerous precisely because the router processes packets of these protocols, so an attacker can, for example, mount a DoS attack, remotely learn information that was not meant to be distributed, or map the network topology. These protocols include:
1. TFTP (the router can act as a TFTP server)
2. BOOTP (the router can hand out its configuration files to diskless stations)
3. DHCP (the router can act as both server and client)
4. TCP small servers (Echo, Chargen, Discard, Daytime) and Finger
5. UDP small servers (UDP Echo, Discard, Chargen)
6. CDP (Cisco Discovery Protocol, which announces the platform, IOS version and addresses to every neighbour)
7. NTP (Network Time Protocol; the router can act as both server and client)
8. DNS (name lookup is enabled by default, and with no name server configured the router broadcasts its queries into the segment)
9. PAD (Packet Assembler/Disassembler, X.25)
10. SNMP (a default community is often configured)
As a rule, if these protocols are not needed, they are better disabled:
1. no tftp-server flash:<file> for each published file (a router with no tftp-server lines does not answer TFTP at all)
2. no ip bootp server (the older form is no service bootp)
3. no ip dhcp pool <name> for each pool, or no service dhcp to disable the DHCP server and relay entirely
4. no service tcp-small-servers, and no ip finger (older IOS: no service finger)
5. no service udp-small-servers
6. no cdp run (globally) or no cdp enable (on a specific interface). Do not turn this protocol off on an interface with a Cisco IP phone behind it, because it is via CDP that the connected device is autodetected (this recommendation applies more to switches, but still). Leaving CDP enabled on untrusted or outside-facing interfaces hands an attacker the platform and IOS version for free.
7. no ntp master, no ntp server <address>; NTP packets can also be refused on individual interfaces with ntp disable
8. no ip domain-lookup. Remember that DNS on the router is often needed, so it does not always have to be disabled; if it is needed, at least configure explicit name servers (ip name-server <address>) so that queries are not broadcast.
9. no service pad
10. no snmp-server community {public | private} for each default community, or no snmp-server to remove the SNMP agent altogether
However, even after these and other service protocols (for example, http, https, ssh) are turned off, packets of those protocols arriving on a router interface are still punted to the CPU and only dropped there. In other words, even with everything disabled, an attacker can try to load the router's CPU with garbage that it then has to discard.
It would be good to discard such packets without loading the CPU. A related and frequent task is limiting the load that service traffic puts on the CPU: for example, setting a maximum number of service packets (in total or per protocol) in the input queue, or a maximum number of service packets per second.
Both tasks are solved with a special configuration mode:
control-plane host
To use this technology, special traffic classes are created:
class-map type ?
  access-control    access-control specific class-map
  control           Configure a control policy class-map
  inspect           Configure CBAC Class Map
  logging           Class map for control-plane packet logging
  port-filter       Class map for port filter
  queue-threshold   Class map for queue threshold
  stack             class-map for protocol header stack specification
and a special policy (policy-map type):
policy-map type ?
  access-control    access-control specific policy-map
  control           Configure a control policy policy
  inspect           Configure CBAC Policy Map
  logging           control-plane packet logging
  port-filter       Control-plane tcp / udp port filtering
  queue-threshold   Control-plane protocol queue limiting
which is then applied in this mode:
control-plane host
service-policy type ?
  logging           control-plane packet logging
  port-filter       Control-plane tcp / udp port filtering
  queue-threshold   Control-plane protocol queue limiting
Limiting the CPU load from service packets, it turns out, does not even need these special types: it is enough to describe an ordinary traffic class and an ordinary policy-map, and in the policy specify rate limiting with the police action:
police rate <rate> pps
Let's look at examples:
1. Limit Telnet packets from all networks, except the host 10.1.1.100, to 100 packets per second.
To do this, write an access list (the deny entry only excludes the trusted host from the class; it does not block it):
ip access-list extended TELNET
 deny tcp host 10.1.1.100 any eq 23
 permit tcp any any eq 23
Next, create a traffic class (a named ACL is referenced with the keyword name):
class-map TELNET
 match access-group name TELNET
Describe the policy (police rate without explicit actions means conform-action transmit, exceed-action drop):
policy-map TELNET
 class TELNET
  police rate 100 pps
And hang the policy on the control plane:
control-plane host
 service-policy input TELNET
2. Block packets directed to TCP/UDP ports on which the router is not listening.
Create a special traffic class (closed-ports matches every port with no open socket on the router, so nothing has to be enumerated by hand):
class-map type port-filter PORTS
 match closed-ports
Describe a special policy:
policy-map type port-filter PORTS
 class PORTS
  drop
And hang the policy on the control plane:
control-plane host
 service-policy type port-filter input PORTS
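A fuller control-plane protection policy, as an added example that is not part of the original article: it combines the two tasks discussed above (rate limiting with police and capping the host input queue with a queue-threshold policy) with the port filter, and ends with the show commands used to verify the result. The address ranges, class names and rates are assumed placeholders; the rates in particular have to be sized to the real routing and management load of the box before they are applied, and the whole thing needs an IOS with CPPr (12.4(4)T or later).

```cisco
! Added example (not from the original article). Assumed: management stations
! live in 10.1.1.0/24, the router peers over OSPF and BGP, IOS supports CPPr.
! Names, addresses and rates are placeholders.
!
! 1. Classify the traffic destined to the router itself.
ip access-list extended CP-ROUTING
 permit ospf any any
 permit tcp any eq bgp any
 permit tcp any any eq bgp
ip access-list extended CP-MGMT
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit udp 10.1.1.0 0.0.0.255 any eq snmp
ip access-list extended CP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
!
class-map match-any CP-ROUTING
 match access-group name CP-ROUTING
class-map match-any CP-MGMT
 match access-group name CP-MGMT
class-map match-any CP-ICMP
 match access-group name CP-ICMP
!
! 2. Police each class in packets per second. Routing protocols are counted
! but never dropped (exceed-action transmit), so a burst of LSAs cannot
! break adjacencies; everything that matched no class lands in class-default
! and is capped hard. Telnet and SSH from outside 10.1.1.0/24 end up there too.
policy-map CP-HOST
 class CP-ROUTING
  police rate 1000 pps conform-action transmit exceed-action transmit
 class CP-MGMT
  police rate 200 pps conform-action transmit exceed-action drop
 class CP-ICMP
  police rate 50 pps conform-action transmit exceed-action drop
 class class-default
  police rate 50 pps conform-action transmit exceed-action drop
!
! 3. Limit how many packets of the management protocols may sit in the host
! input queue, so a flood of one protocol cannot crowd out the others.
class-map type queue-threshold match-any QT-MGMT
 match protocol ssh
 match protocol snmp
policy-map type queue-threshold QT-HOST
 class QT-MGMT
  queue-limit 100
!
! 4. Drop TCP/UDP packets to ports on which the router has no listener.
class-map type port-filter PORTS
 match closed-ports
policy-map type port-filter PORTS
 class PORTS
  drop
!
! 5. Apply all three to the host subinterface of the control plane.
control-plane host
 service-policy input CP-HOST
 service-policy type queue-threshold input QT-HOST
 service-policy type port-filter input PORTS
!
! 6. Verify: which ports are really open, and the per-class counters.
!   show control-plane host open-ports
!   show policy-map control-plane host
!   show policy-map type port-filter control-plane host
```

Watch the counters of class-default and CP-ICMP under show policy-map control-plane host for a while before tightening the rates: a class that is already exceeding in normal operation will start dropping legitimate traffic, and a routing class that is policed with exceed-action drop is an easy way to flap your own adjacencies.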
To protect the management plane, i.e. router administration, the following points must be remembered:
1. Wherever possible, use secure management protocols: SSH and HTTPS. For this you need to generate an RSA key pair (crypto key generate rsa, which requires a hostname and ip domain-name to be set first), define authentication rules and enable HTTPS support (ip http secure-server) while disabling plain HTTP (no ip http server).
2. Even when secure management protocols are in use, and especially where they cannot be used, restrict administrative access from outside and from inside with access lists applied on interfaces, on the terminal lines (access-class under line vty) or in control-plane host mode.
3. Use complex passwords of at least 8 characters, containing digits, letters of both cases and symbols. And so that some junior administrator does not break this rule, there is a command:
security passwords min-length <length>
4. Passwords in the config should be stored hashed, so that nobody can read them back. For this, use the keyword secret rather than password (service password-encryption only obfuscates password lines with the reversible type 7 scheme and is not a substitute).
Examples:
username admin secret {password}
enable secret {password}
5. Do not forget about the AUX port. It is almost the same as the console: anyone with physical access to the hardware can plug into AUX and reach the command line. If AUX has no password, the person who connects gets at least user EXEC mode.
6. Many routers have a login protection feature: a user can be blocked after N incorrect passwords, or a delay can be inserted after several attempts.
Example:
security authentication failure rate <attempts> log
After N incorrect passwords (10 by default) a 15 second delay is inserted; the log keyword makes such events logged.
7. Remember that when SNMP is used, it is advisable to use version 3 of the protocol with authentication and encryption (auth and priv). With the earlier, practically unprotected versions, make absolutely sure the default communities are removed and the remaining ones are restricted by an access list.
8. In networks with many devices it makes sense to set aside a dedicated management network (OOB, out-of-band management): a separate segment that does not intersect the data network. Until recently a router could only be placed in an OOB network through a console server, but on newer IOS releases you can designate the interface from which the router may be administered and allow management only from it. This is done in the same control-plane host mode by explicitly naming the interface and the allowed protocols (Management Plane Protection).
Example:
control-plane host
 management-interface FastEthernet0/0 allow ssh snmp
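The eight points above put together in one configuration, as an added example that is not from the original article. It assumes a management subnet 10.1.1.0/24, an NMS at 10.1.1.50 and FastEthernet0/0 as the out-of-band interface; every value in angle brackets is a placeholder. For point 6 it uses login block-for (the "block after N incorrect passwords" variant the text mentions) together with login on-failure log, rather than security authentication failure rate.

```cisco
! Added example (not from the original article). Assumed: management stations
! in 10.1.1.0/24, NMS at 10.1.1.50, OOB interface FastEthernet0/0.
! Everything in <...> is a placeholder to be replaced with a real value.
!
! 1. Secure management protocols: SSH v2 needs a hostname, a domain name and
! an RSA key pair; HTTPS replaces plain HTTP.
hostname R1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
no ip http server
ip http secure-server
ip http authentication local
!
! 2. Who may manage the box: one named ACL for the vty lines and the login
! quiet mode, a numbered one for the HTTPS server (ip http access-class takes
! a standard numbered ACL).
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
 deny   any log
access-list 10 permit 10.1.1.0 0.0.0.255
ip http access-class 10
!
! 3 and 4. Password policy and hashed credentials (secret, never password).
security passwords min-length 12
enable secret <enable-password>
username admin privilege 15 secret <admin-password>
!
! 6. Brute-force protection: after 3 failures within 60 s all logins are
! blocked for 120 s, except from the management hosts; every failure is logged.
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login on-failure log
!
! 2 and 5. Terminal lines: SSH only on vty, local login everywhere, AUX shut.
line con 0
 login local
 exec-timeout 10 0
line aux 0
 no exec
 transport input none
 exec-timeout 0 1
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 10 0
!
! 7. SNMPv3 with authentication and encryption; no v1/v2c communities left.
no snmp-server community public
no snmp-server community private
snmp-server group NMS-GROUP v3 priv
snmp-server user nms NMS-GROUP v3 auth sha <auth-password> priv aes 128 <priv-password>
snmp-server host 10.1.1.50 version 3 priv nms
!
! 8. Management Plane Protection: SSH, HTTPS and SNMP are accepted only on the
! OOB interface; management packets arriving on any other interface are dropped.
control-plane host
 management-interface FastEthernet0/0 allow ssh https snmp
!
! Verify:
!   show ip ssh
!   show login
!   show control-plane host open-ports
!   show management-interface
```

Apply the management-interface line last and from a session on the OOB interface itself: once it is in place, SSH, HTTPS and SNMP on every other interface stop working immediately, and a session opened through a data interface will be cut off.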
Routing Protocol Security
Protecting dynamic routing protocols is also a very important topic, because if an attacker manages to corrupt the routing table, the required packets will simply be dropped or sent "the wrong way". I therefore strongly recommend authenticating updates when working with dynamic routing protocols, preferably with an MD5 digest. Almost all protocols support this: BGP, OSPF, RIPv2, EIGRP. Some protocols also support plaintext authentication (just a key), but since the key is carried in the update packet itself, it can hardly be called protection.
To configure MD5 authentication you usually need to:
1. Define the same key on all routers running the protocol (or on a specific interface, in a specific area)
2. Select the protection method (none, clear text, MD5)
3. Enable the mechanism
Example: OSPF
Ro(config-if)# ip ospf authentication message-digest
Ro(config-if)# ip ospf message-digest-key 1 md5 cisco
Here 1 is the key number (an identifier from 1 to 255 that must match on both ends of the link) and "cisco" is the shared secret from which the MD5 digest of every OSPF packet is computed (obviously, do not use that word in production). With MD5 the secret itself is never transmitted; only the digest and the key number travel in the packet, so a neighbour with a different secret or key number simply never forms an adjacency.
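The same three steps for all four protocols named above, as an added example that is not from the original article and goes beyond its OSPF case: OSPF (with the weak clear-text variant shown commented out next to the MD5 one), EIGRP and RIPv2 via a key chain, and BGP via the per-neighbour TCP MD5 option. Interface names, addresses, AS numbers and the secrets in angle brackets are assumed placeholders; the other end of each link must carry the same key number and secret.

```cisco
! Added example (not from the original article). Assumed: one neighbour per
! protocol on the interfaces and addresses below; secrets are placeholders and
! are configured identically on the far end of each link.
!
! OSPF. Clear-text authentication (commented out) sends authentication-key in
! every packet; message-digest sends only an MD5 digest. Enabling it for the
! whole area under router ospf replaces the per-interface
! "ip ospf authentication message-digest" from the article.
router ospf 1
 area 0 authentication message-digest
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
! ip ospf authentication
! ip ospf authentication-key <clear-text-key>       <- avoid
 ip ospf message-digest-key 1 md5 <ospf-secret>
!
! EIGRP and RIPv2 take their secret from a key chain. The key number (1) must
! match on both sides; the chain name is local to this router.
key chain ROUTING-KEYS
 key 1
  key-string <eigrp-rip-secret>
!
router eigrp 100
 network 198.51.100.0 0.0.0.3
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 ROUTING-KEYS
!
router rip
 version 2
 network 203.0.113.0
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain ROUTING-KEYS
!
! BGP: the TCP MD5 signature option (RFC 2385) is set per neighbour and also
! protects the session against spoofed TCP resets.
router bgp 65001
 neighbor 192.0.2.6 remote-as 65002
 neighbor 192.0.2.6 password <bgp-secret>
!
! Verify that authentication is on and the neighbours are still up:
!   show ip ospf interface GigabitEthernet0/0
!   show ip eigrp neighbors
!   show ip rip database
!   show key chain
!   show ip bgp neighbors 192.0.2.6
```

Roll the change out one link at a time and keep a second path to the far router, because the moment the first side enables authentication the adjacency on that link goes down until the second side matches; key chains additionally accept accept-lifetime and send-lifetime on each key, which is how a secret is rotated without an outage.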