
Components of a Hardening Strategy

Device hardening is an inexact science. One administrator's locked-down Linux box is another's security nightmare. Device hardening refers to changing the default posture of a system out of the box to make it more secure. This can have many different meanings and includes everything from disabling unneeded services on a UNIX system to shutting off the physical ports you aren't using on an Ethernet switch. Hardening isn't just a one-time event, but something that must be done on a regular basis as the security needs and functionality requirements of your devices change. The lockdown strategies you employ in your security system should be shaped by several conditions, including the following:

Security policy
Device location
Threat profile
Functional requirements
Management requirements

Security Policy
As discussed in Chapter 2, "Security Policy and Operations Life Cycle," your security policy plays a huge role in the overall requirements of your security system. These requirements eventually filter down to the configuration standards for network-connected devices. The combination of the hardening conditions just listed (device location, functional requirements, and so on) creates hardening standards and guidelines that can be integrated within your security policy.

Device Location
Device location is a big factor in the overall hardening requirements of a particular device. Although you might configure all devices in a certain way, the specific location of a device in the network dictates whether you have a relaxed or tight posture on hardening. For example, a Linux box used for testing in a closed lab probably doesn't need much, if any, hardening. That same device used as an inbound mail server requires quite a bit of attention by virtue of its location (likely on a demilitarized zone [DMZ]), function, value, and risk. When in doubt, harden the device as much as possible and factor in the requirements in these next several sections.

Threat Profile
The threat profile defines the likely attacks against a device. The threat profile is affected by device location, but that isn't the only factor. For example, a network intrusion detection system (NIDS) in a DMZ is usually running in promiscuous mode without even an IP address configured on its interface. In this example, even though the device is connected to a sensitive network location, its inability to be reached at Layer 3 (L3) mitigates the need to do extensive hardening on the DMZ portion of the NIDS connection. (The management interface is another matter.) A web server on that same DMZ interface is subject to a wide range of attacks, causing a dramatically increased need for proper hardening when compared with the NIDS.

Functional Requirements

The same type of device, with the same threat profile, in the same part of the network might still have different hardening requirements. The functional requirements of the device play a factor in this difference. One web server in a DMZ might contain only static information, while another might need to interact with other servers to generate dynamic content. The second server has increased functional requirements that limit the extent of device hardening. You always must be mindful of these functional requirements when you define hardening standards. Don't forget that if users feel too restricted, they will find a way around your hardening strategies.

NOTE User PC standards are a common location for overly restrictive hardening standards. I spent some time at a company that enforces fairly restrictive host configuration standards on its users. Virus scanning is mandated and centrally controlled, the users don't have administrative access to their own machines, management software constantly polls devices to determine software levels, and all this is done in a way that is anything but transparent to the user. Although the average user quietly grumbled and continued on, a whole crop of power users within this organization deviated from corporate standards and deployed their own systems with their own software load. The IT organization hopes that these individuals are savvy enough to secure their systems properly; otherwise the security of the network at large can suffer.

Management Requirements
Like functional requirements, different systems with otherwise similar functions can have different management requirements. As discussed in Chapter 6, "General Design Considerations," Cisco Discovery Protocol (CDP) is a Layer 2 (L2) protocol that exchanges information among Cisco devices and their management systems. CDP has some security risks and should be disabled if you have no plans to take advantage of the functionality it offers. However, if you can't properly manage your system because CDP is turned off, the security of the device might decrease overall despite turning off CDP. Likewise, although it would be ideal to use Secure Shell (SSH) instead of Telnet for all router management, you might have a management system that requires a Telnet connection to function. At this point, you must carefully weigh the security risks this will introduce against the lost functionality of the management tool should you decide not to use it.

Network Devices
Networking devices include, among others, routers, switches, firewalls, and NIDS. Hardening these four types of devices is the subject of this section. As you learned earlier, the default security of these devices can be quite a bit different, which changes the amount of work required to harden a particular device. An important characteristic of all these devices is the availability of a console port. The console port has privileged access to these devices because it generally implies physical access to the device (though this could be a modem). The console port defaults to having initial authentication that is weak or nonexistent and is able to send a break signal to the device upon boot. This is used to reset most of these types of devices or to recover from a lost password. Because of the capabilities of a console port, it is important to control physical access to networking devices whenever possible. Chapter 6 outlines physical security considerations.

WARNING This section on network devices assumes the devices are not running on general-purpose operating systems. If they are, be sure to run the host operating system (OS) hardening as well as the network device hardening steps.

From a configuration perspective, the methods for hardening a router or switch are very similar. Detailed examples of Cisco IOS configuration are provided, and Cisco CatOS switch configuration is covered in summary.

Router
Router hardening has garnered quite a bit of attention of late because attacks have targeted routed infrastructure more and more. This section outlines steps to take when hardening a router; configuration examples are for Cisco IOS devices.

Basic Hardening Settings

The following hardening steps are useful on almost every router you deploy in a network. These steps include disabling unneeded services and ensuring that passwords are encrypted whenever possible.

Disable Unneeded Services

Turn off Domain Name System (DNS) lookups for the router with the following command. Although not strictly security related, this is the first command to type on a fresh router before doing any other configuration (assuming, of course, you don't need domain resolution for a feature you plan to use). Otherwise, be careful to avoid input errors. Typing the command enadle instead of enable will result in a long timeout while the router tries to find host "enadle" and communicate with it.
Router(config)# no ip domain-lookup

Disable small services such as echo, chargen, and discard, as well as the finger service. After Cisco IOS Release 11.3, these services are disabled by default, but it never hurts to have these commands as part of the script you use to harden a device. These small services should almost always be turned off because they have no legitimate use:
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
Router(config)# no service finger

Disable the bootp server with the following command if you aren't using it on your network (most don't):

Router(config)# no ip bootp server

Disable source routing and directed broadcast. These should be off by default on reasonably current routers, but make sure with the following commands:
Router(config)# no ip source-route
Router(config-if)# no ip directed-broadcast

You can disable Proxy ARP in most situations, assuming your devices are routing aware:
Router(config-if)# no ip proxy-arp

ICMP redirects should be sent only to end systems that have multiple outbound routes from which to choose. In situations in which IP redirects are unnecessary, disable them with the following command:
Router(config-if)# no ip redirects

Password Encryption

The following command enables a simple Vigenere cipher, which encrypts most passwords on a router that would otherwise be shown as cleartext in the configuration. This cipher, as implemented on Cisco routers, is very weak and can easily be broken. It is enabled primarily to prevent a casual observer from noting your passwords. For example, you might not want a coworker observing your work to learn the password for your router after you type wr t.
Router(config)# service password-encryption

Authentication Settings

This section outlines authentication-related settings, including the use of enable secret, login banners, line access, usernames stored locally or through AAA servers, and device access by SSH.

Enable Secret

Enable strong MD5-hashed passwords for router enable mode. The following command should be used instead of the basic enable password encrypted by using service password-encryption. It is much more secure, though it has the same susceptibility to dictionary attacks as any hashed password. Choosing strong passwords mitigates dictionary attacks.
Router(config)# enable secret password
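The difference between the two mechanisms can be demonstrated concretely. The following Python is an added example and is not from the book: it reverses type 7 strings (using the fixed, publicly known XOR key IOS applies), encodes a string the same way so the symmetry is visible, and walks a small configuration fragment to report which password lines anyone holding a copy of the config can recover. The fragment is constructed for this example, and the type 5 value in it is a placeholder rather than a real hash.

```python
import re

# Fixed XOR key used by IOS type 7 ("service password-encryption").
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string.

    The first two characters are a decimal offset into the key; each
    following pair of hex digits is one password byte XORed with the
    next key byte. No secret is involved, so anyone with the config
    can run this.
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    out = bytearray()
    for i, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        out.append(byte ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)])
    return out.decode("ascii")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Produce a type 7 string for plain starting at key offset seed
    (IOS picks 0-15); shows that the transform is symmetric."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    body = "".join(
        f"{b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]:02X}"
        for i, b in enumerate(plain.encode("ascii"))
    )
    return f"{seed:02d}{body}"


# Password-bearing lines in a 12.x config: "enable password [0|7] X",
# "enable secret [5] X", "username U password [7] X", "password [7] X".
_PW_RE = re.compile(
    r"^\s*(?:enable\s+(?:password|secret)|username\s+\S+\s+(?:password|secret)|password)"
    r"\s+(?:(?P<type>[057])\s+)?(?P<value>\S+)\s*$"
)


def audit_passwords(config: str) -> list:
    """Return (line, kind, recovered) for every password line.

    kind is 'cleartext' (recovered as-is), 'type7' (recovered by
    type7_decode) or 'type5' (salted MD5; recovered is None because it
    must be cracked offline rather than reversed).
    """
    findings = []
    for raw in config.splitlines():
        m = _PW_RE.match(raw)
        if not m:
            continue
        ptype, value = m.group("type"), m.group("value")
        if ptype == "7":
            findings.append((raw.strip(), "type7", type7_decode(value)))
        elif ptype == "5":
            findings.append((raw.strip(), "type5", None))
        else:
            findings.append((raw.strip(), "cleartext", value))
    return findings


# Constructed sample fragment (not from a real device); the type 5 value
# is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
enable secret 5 $1$abcd$placeholder.not.a.real.hash
enable password 7 0822455D0A16
username admin password 7 0234544E1F031D60
line con 0
 password 7 070C285F4D06
line vty 0 4
 password cisco123
"""

if __name__ == "__main__":
    for line, kind, recovered in audit_passwords(SAMPLE_CONFIG):
        print(f"{kind:9} {recovered!r:12} <- {line}")
```

Running it shows why the text steers you to enable secret: the type 7 and cleartext entries come back in the clear immediately, while the type 5 line yields nothing without an offline dictionary attack, which a strong password resists.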

Login Banner

Enable a warning banner to be presented to users when they connect to the device. This sort of banner can aid in prosecution in some jurisdictions and should generally at least include a statement saying that unauthorized access is prohibited. Be sure not to disclose any information that would be useful to the attacker such as platform type, software version, owner, location, and so on.
Router(config)# banner motd ^
Enter TEXT message. End with the character '^'.
Enter your warning banner message here.
^

Line Access

On a standard Cisco router, there are three primary ways to log on:

vty line (line vty 0 4, though some routers go to 15)
Console port (line con 0)
Auxiliary port (line aux 0)

Fresh out of the box, only the console and aux ports can be used to access the device. Generally, only the console port is needed and not the aux port. To set up the console port, enter the following commands:
Router(config)# line con 0
Router(config-line)# exec-timeout 5 0
Router(config-line)# password password
Router(config-line)# login

These commands enable login with a local password and time out the connection after 5 minutes and 0 seconds of inactivity. To disable the aux port, type the following commands:
Router(config)# line aux 0
Router(config-line)# no exec

Turning off exec prevents logon to the device. Any additional commands such as transport input none or exec-timeout 0 1 aren't going to make you more secure, but feel free to type them if you want. Controlling vty access is separate and requires the following commands:
Router(config)# line vty 0 3
Router(config-line)# exec-timeout 5 0
Router(config-line)# password password
Router(config-line)# login
Router(config-line)# transport input protocol

Typically, a router has 5 vty lines. The preceding commands set up access in a very similar fashion to the console port. Replace protocol with your method of access, preferably SSH. The following eight lines reserve the last vty port for a specific IP address. This is useful if someone is attempting to deny service to the login process on the router (which can be done without the password). You can use the access-class settings referenced here for lines 0 to 3 as well. If you do, open the access control list (ACL) to allow a wider range of IP addresses to access (for instance, your entire management subnet).
Router(config)# line vty 4
Router(config-line)# exec-timeout 5 0
Router(config-line)# password password
Router(config-line)# login
Router(config-line)# transport input protocol

Router(config-line)# access-class 99 in
Router(config)# access-list 99 permit host admin-ip
Router(config)# access-list 99 deny any log

Setting Up Usernames

If you don't have access to TACACS+ or RADIUS, local usernames can be configured on a system as follows:
Router(config)# username username password password
Router(config)# line vty 0 4
Router(config-line)# login local

The preceding commands set up a local username and password and then configure the vty lines to use the local database. To configure TACACS+ access to a system, you must first enable the AAA system:
Router(config)# aaa new-model

You then must define the TACACS+ host and the shared key:


Router(config)# tacacs-server host ipaddr
Router(config)# tacacs-server key password

After setting up the host, you must define the authentication methods. The following uses TACACS+ as the default authentication but also defines an authentication method no-tacacs, which can be used for the console port. Using AAA for the console port is not recommended because if the network is down, you won't be able to log on to the box.
Router(config)# aaa authentication login default group tacacs+
Router(config)# aaa authentication login no-tacacs line

The line parameters can then be modified based on which method you want to use to authenticate:
Router(config)# line vty 0 4
Router(config-line)# login authentication default
Router(config)# line con 0
Router(config-line)# login authentication no-tacacs

So far, these AAA commands have dealt only with authentication. Say, for example, you wanted to have a detailed log of every command typed on a router as well as when an administrator logged in or out. The following commands enable TACACS+ accounting for these events:
! Enable login and logout tracking for router administrators
Router(config)# aaa accounting exec default start-stop group tacacs+
! Enable command logging for exec level 1 commands (basic telnet)
Router(config)# aaa accounting commands 1 default start-stop group tacacs+
! Enable command logging for exec level 15 commands (enable mode)
Router(config)# aaa accounting commands 15 default start-stop group tacacs+

AAA can be very complicated. You have lots of options at your disposal. For more information about configuring AAA on Cisco devices, see the following site: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/index.htm.

Secure Shell (SSH)

Use SSH instead of Telnet whenever possible. To configure it, you must first define a hostname and domain name, and then generate keys:
Router(config)# hostname hostname
Router(config)# ip domain-name yourdomain.com
Router(config)# crypto key generate rsa

From here, you can refer to the transport input command in the "Line Access" section earlier in this chapter. To set up the vty lines to accept only SSH, enter the following commands:
Router(config)# line vty 0 4
Router(config-line)# transport input ssh

There are a few other options with respect to SSH configuration. See the following URL if you'd like more information: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfssh.htm.

Management Access

This section outlines basic settings for hardening management access, including security settings for the HTTP server, Simple Network Management Protocol (SNMP), CDP, syslog, Network Time Protocol (NTP), and various ACL logging options.

HTTP Server

If not in use, disable the HTTP server for router management with the following command:
Router(config)# no ip http server

The embedded web server in routers has had vulnerabilities in the past, so unless you have a specific need for the HTTP functionality (such as a specific management application), it is best to disable it. If you need access to the HTTP server, use the ip http access-class command as shown:
Router(config)# ip http access-class 10
Router(config)# access-list 10 permit host http-mgmnt-ip
Router(config)# access-list 10 deny any log

You should also require HTTP authentication with the following command:

Router(config)# ip http authentication ?
  enable   Use enable passwords
  local    Use local username and passwords
  tacacs   Use tacacs to authorize user

TACACS+ is preferred; otherwise, a local username and password can be used. Try to avoid using the enable password.

SNMP

SNMP is widely used as a network management protocol. Unfortunately, it is UDP based (port 161) and, until version 3, had no real security options. Earlier versions of SNMP use a community string for authentication, and it is sent in the clear with the rest of the SNMP datagram. Even though version 3 offers more security, most network management applications use SNMP version 1 or version 2c. If you don't plan to manage a device with SNMP, it is simple to disable:
Router(config)# no snmp-server

If you must use SNMP v1 or v2c, consider using read-only as opposed to read-write. Much of the damage an attacker can cause with SNMP goes away if you remove the ability to write changes. In either case, the community string should be set and managed like the root password on any system (change it regularly and so on). Look to Chapter 16, "Secure Network Management and Network Security Management," for more information on management channel security. At the bare minimum, an ACL should be defined that allows only your SNMP management stations to query the agents on the network device, as follows (omit the rw community entirely if read-only access suffices):
Router(config)# snmp-server community password ro 98
Router(config)# snmp-server community password rw 98
Router(config)# access-list 98 permit host snmp-server-ip
Router(config)# access-list 98 deny any log

If you are using SNMP v3 or would like more information on the rest of the SNMP configuration, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_c/fcfprt3/fcf014.htm.

CDP

CDP is a proprietary Cisco protocol that provides a mechanism for Cisco devices to exchange information. It is described in more detail (including situations when you might or might not need to use it on an interface) in Chapter 6. The following two commands show how to globally disable CDP or, alternately, to disable it only on a specific interface:
Router(config)# no cdp run
Router(config-if)# no cdp enable

Syslog

Using syslog on a router is one of the easiest ways to troubleshoot your network. Syslog servers are free (besides the hardware), and the messages generated by syslog are usually easy to understand. If you are using any kind of ACLs on a router, you need syslog; even if you are not, it is a very good idea. En
abling syslog is easy. Just enter one or more logging hosts and make sure timestamps are enabled:
Router(config)# service timestamps log datetime localtime msec show-timezone
Router(config)# logging syslog-ip-addr

Sometimes viewing messages locally on the router can be useful. Besides viewing messages as they are generated on the console, you can optionally have them buffered to router memory. You don't need a large buffer here since these are simple text messages; even 512 KB will save lots of messages. Be sure you don't use up a significant portion of your device memory, or you might affect packet forwarding. (That is, if you have 8 MB of memory on your router, don't set the buffer size to 6 MB.) Enter the following command to enable this functionality:
Router(config)# logging buffered buffersize

You can use the logging trap command to set the level of logging information you will receive; there is no hard-and-fast rule for where to set this except to say that the highest level of logging is almost always too much information and the lowest level doesn't provide enough information. Try a few different levels on your own device to determine the amount of information that makes sense in your environment. Syslog has a number of additional options. For more information, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_c/fcfprt3/fcf013.htm#1001168.

NTP

Without proper timestamps, router syslog messages are nearly useless in troubleshooting. Your networking devices can be synchronized to the same clock with NTP. Configuring NTP on a router is a simple matter of locally configuring the time zone and then pointing the router to the NTP server. In the following example, NTP authentication is enabled, and an ACL restricting NTP access to the configured NTP server is applied:
Router(config)# clock timezone PST -8
Router(config)# clock summer-time PDT recurring
Router(config)# ntp authenticate
Router(config)# ntp authentication-key 1 md5 password
Router(config)# ntp trusted-key 1
Router(config)# ntp access-group peer 96
Router(config)# ntp server ntp-svr-ip key 1
Router(config)# access-list 96 permit host ntp-svr-ip
Router(config)# access-list 96 deny any log

Although there are several free NTP services on the Internet, it is not advisable to use them for security reasons. If your time source is corrupted, your log data is useless. Consider, instead, setting up a local time source that connects to a reliable, known atomic clock to maintain accurate time. NTP can be disabled on interfaces that do not expect to receive valid NTP information. Use the following command:

Router(config-if)# ntp disable

More information on NTP is available at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_c/fcfprt3/fcf012.htm#1001170.

ACL Options

By default, the last line in an ACL is an implicit deny all. Matches to this line are not logged, however. If you want to enable logging, a manual entry should be added to the ACL denying all traffic and informing the ACL to log the violation. It is possible to log permits as well, but this tends just to fill up a syslog server. To drop all traffic and log violations in a standard IP ACL, use the following command:
Router(config)# access-list 1 deny any log

For an extended IP ACL, use this command:


Router(config)# access-list 101 deny ip any any log
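The messages these log entries generate are what you will actually read on the syslog server, and they are worth parsing rather than eyeballing. The following Python is an added example, not from the book: it parses the %SEC-6-IPACCESSLOG* records that the log and log-input keywords produce (standard, TCP/UDP, ICMP, and other-protocol variants; the interface and MAC fields are present only when log-input was used), totals denied packets per source, and flags sources that hit several distinct destination ports. The log lines in it are constructed samples, not captures from a device.

```python
import re
from collections import Counter, defaultdict

# One pattern for the IOS ACL-logging message family; the "(interface mac)"
# group appears only when the ACL entry used log-input:
#   %SEC-6-IPACCESSLOGS   list 1 denied 10.0.0.1 1 packet
#   %SEC-6-IPACCESSLOGP   list 101 denied tcp A(port) -> B(port), N packets
#   %SEC-6-IPACCESSLOGDP  list 101 denied icmp A -> B (type/code), N packets
#   %SEC-6-IPACCESSLOGNP  list 101 denied 47 A -> B, N packets
_ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>S|P|DP|NP): list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?:(?P<proto>\S+) )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? "
    r"(?:\((?P<iface>\S+) (?P<mac>[0-9a-fA-F.]+)\) )?"
    r"(?:-> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?, )?"
    r"(?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return the fields of one ACL log record as a dict, or None if the
    line is some other syslog message. Fields not present are None."""
    m = _ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])   # IOS batches repeats as "N packets"
    return rec


def summarize(lines, scan_threshold=3):
    """Total denied packets per source and list the sources that touched at
    least scan_threshold distinct destination/port pairs (scan-like)."""
    denied = Counter()
    targets = defaultdict(set)
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue
        denied[rec["src"]] += rec["count"]
        if rec["dport"]:
            targets[rec["src"]].add((rec["dst"], rec["dport"]))
    scanners = sorted(s for s, t in targets.items() if len(t) >= scan_threshold)
    return denied, scanners


# Constructed sample syslog lines (not captured from a device): one host
# probing three ports, one pinging host, a standard-ACL deny, a permit,
# and an unrelated message.
SAMPLE_SYSLOG = """\
Mar  1 10:00:01 172.19.93.135 45: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40001) -> 172.19.93.135(22), 1 packet
Mar  1 10:00:01 172.19.93.135 46: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40002) -> 172.19.93.135(23), 1 packet
Mar  1 10:00:02 172.19.93.135 47: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40003) (FastEthernet0/0 0011.2233.4455) -> 172.19.93.135(80), 1 packet
Mar  1 10:00:05 172.19.93.135 48: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.9 -> 172.19.93.135 (8/0), 4 packets
Mar  1 10:00:09 172.19.93.135 49: %SEC-6-IPACCESSLOGS: list 99 denied 198.51.100.9 1 packet
Mar  1 10:00:10 172.19.93.135 50: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 172.19.93.131(51000) -> 172.19.93.135(22), 1 packet
Mar  1 10:00:11 172.19.93.135 51: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

if __name__ == "__main__":
    totals, scanners = summarize(SAMPLE_SYSLOG.splitlines())
    for src, n in totals.most_common():
        flag = "  <- scan-like" if src in scanners else ""
        print(f"{src:15} {n:4} denied packets{flag}")
```

Note that IOS rate-limits these messages and reports repeats as "N packets" every few minutes, so the count field, not the number of lines, is what to total.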

In addition to the basic log keyword, log-input is usually available for extended ACLs. log-input adds the source interface and Media Access Control (MAC) address to the usual IP address and port number message associated with the ACL entry.

Other Hardening Options

In addition to the configuration discussed in this section, Chapter 6 contains a fair amount of information on router and switch hardening, including:

Antispoof filtering
ICMP filtering
L2 security protections
Routing protocol authentication
Denial of service (DoS) mitigation (against and through the router)

TIP After hardening a router, it is a good idea to scan it with your favorite port scanner. This ensures that you aren't running any services you thought you turned off. For instance, when testing in my lab for this book, I realized I accidentally left the HTTP server running!

Example 5-1 is a dump of the router configuration used in testing the configurations in this section. Remember that commands that are defaults will not show up in the configuration.

Example 5-1. Hardened Router Example
version 12.2
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname broken
!
logging buffered 51200 debugging
enable secret 5 <md5-hash>
!
clock timezone PST -8
clock summer-time PDT recurring
aaa new-model
!
aaa authentication login default group tacacs+
aaa authentication login no-tacacs line
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
ip subnet-zero
no ip source-route
!
no ip domain lookup
ip domain name halo05.com
!
no ip bootp server
!
interface FastEthernet0/0
 ip address 172.19.93.135 255.255.255.240
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 ip address 172.19.93.241 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ntp disable
!
ip classless
no ip http server
!
logging 172.19.93.140
access-list 96 permit 172.19.93.131
access-list 96 deny   any log
access-list 99 permit 172.19.93.131
access-list 99 deny   any log
no cdp run
!
tacacs-server host 172.19.93.130 single-connection
tacacs-server directed-request
tacacs-server key <key>
!
banner motd ^C Unauthorized Use Prohibited ^C
!
line con 0
 exec-timeout 5 0
 password 7 <type7-string>
 login authentication no-tacacs
line aux 0
 no exec
line vty 0 3
 exec-timeout 5 0
 password 7 <type7-string>
 transport input ssh
line vty 4
 access-class 99 in
 exec-timeout 5 0
 password 7 <type7-string>
 transport input ssh
!
ntp authentication-key 1 md5 <encrypted-key> 7
ntp authenticate
ntp trusted-key 1
ntp access-group peer 96
ntp server 172.19.93.131 key 1
!
end
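Because defaults do not appear in the running-config, checking a hardened router from the inside means checking for the explicit commands you added and for the absence of the ones you removed; the port scan the TIP recommends verifies the result from the outside. The following Python is an added example, not from the book: it reads a saved running-config and reports departures from the settings in this section. The rule list is mine and is keyed to the 12.2 command syntax shown in Example 5-1; both configs in it are constructed samples, and the hash in the hardened one is a placeholder.

```python
import re

# Global commands this section tells you to add. IOS omits most of them
# from the running-config unless they were set explicitly.
REQUIRED_GLOBAL = (
    "service password-encryption", "no ip source-route", "no ip bootp server",
    "no ip http server", "no cdp run", "aaa new-model", "ntp authenticate",
)
# Global commands that should not appear: (regex, finding text).
FORBIDDEN = (
    (r"^enable password ", "enable password in use; use enable secret"),
    (r"^snmp-server community \S+ rw\b", "read-write SNMP community"),
    (r"^ip http server$", "HTTP server enabled"),
    (r"^service (tcp|udp)-small-servers", "small servers enabled"),
)


def parse_blocks(config):
    """Split a running-config into top-level commands and the indented
    bodies of 'interface ...' and 'line ...' blocks."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank or comment line
        if raw.startswith(" "):
            if current is not None:       # sub-command of the open block
                blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        top.append(cmd)
        current = cmd if cmd.split()[0] in ("interface", "line") else None
        if current is not None:
            blocks[current] = []
    return top, blocks


def audit_config(config):
    """Return hardening findings for a config; an empty list means clean."""
    top, blocks = parse_blocks(config)
    findings = [f"missing: {c}" for c in REQUIRED_GLOBAL if c not in top]
    if not any(c.startswith("enable secret ") for c in top):
        findings.append("no enable secret configured")
    for pattern, text in FORBIDDEN:
        findings += [f"{text}: {c}" for c in top if re.match(pattern, c, re.I)]
    for name, body in blocks.items():
        if name.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{name}: transport input is not ssh only")
            if not any(b.startswith("exec-timeout ") for b in body):
                findings.append(f"{name}: no exec-timeout")
        elif name.startswith("line aux") and "no exec" not in body:
            findings.append(f"{name}: exec still enabled on aux port")
        elif name.startswith("interface"):
            findings += [f"{name}: missing {w}" for w in
                         ("no ip redirects", "no ip proxy-arp") if w not in body]
    return findings


# Constructed samples (not real devices); the type 5 value is a placeholder.
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$abcd$placeholder.not.a.real.hash
aaa new-model
no ip source-route
no ip bootp server
interface FastEthernet0/0
 ip address 172.19.93.135 255.255.255.240
 no ip redirects
 no ip proxy-arp
no ip http server
no cdp run
ntp authenticate
line aux 0
 no exec
line vty 0 3
 exec-timeout 5 0
 transport input ssh
"""
WEAK_CONFIG = """\
enable password cisco
interface FastEthernet0/0
 ip address 172.19.93.135 255.255.255.240
ip http server
snmp-server community public RW
line vty 0 4
 password cisco
 login
 transport input telnet
"""

if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print(finding)
```

A checker like this only confirms what the config says; a service left on by a missing command still shows up in the external port scan, which is why both checks belong in the hardening routine.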

TIP Cisco IOS 12.3 added a new feature called AutoSecure to simplify the process of locking down a Cisco router. For more information, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123_1/ftatosec.htm.

Switches
The types of hardening tasks you do for a switch are very similar to those for a router. Most of the options from the router-hardening steps are presented in Example 5-2 in summary for a Cisco CatOS device (a Cat 6K in this example). A large number of L2 security precautions can be considered switch-hardening tasks. (They are discussed in Chapter 6.)

Example 5-2. Hardened Switch Config Minus L2 Security Precautions
! Turn on NTP
set timezone PST -8
set summertime PDT
set summertime recurring
set ntp authentication enable
set ntp key 1 trusted md5 password
set ntp server ntp-svr-ip key 1
set ntp client enable
! Turn off un-needed services
set cdp disable
set ip http server disable
! Turn on logging and snmp
set logging server syslog-ipaddr
set logging timestamp enable
set logging server enable
! You can control the types of messages logged with the "set logging server
! severity" command
! Enable SNMP read only. To disable completely "set snmp disable"
set snmp community read-only password
set ip permit enable snmp
set ip permit snmp-ip-addr snmp
! Turn on AAA
set tacacs server tacacs-ip-addr primary
set tacacs key password
set authentication login tacacs enable telnet
set authentication login local disable telnet
set accounting exec enable start-stop tacacs+
set accounting commands enable all start-stop tacacs+
! Set passwords and access restrictions
set banner motd ^ Insert your warning banner here ^
! Console password is set by "set password"
! Enter old password followed by new password
!
! Enable password is set by "set enable"
! Enter old password followed by new password
!
set logout 5
set ip permit enable telnet
set ip permit telnet-ipaddr 255.255.255.255 telnet
!
!Setup SSH
!set crypto key rsa 1024
!
set ip permit enable ssh
!set ip permit ssh-client-ips netmask ssh

Firewalls
Firewalls usually have a default posture that is more secure than a router or switch. They also generally have less functionality. This section describes common tasks used in appliance firewall hardening using the Cisco PIX as an example. Several functions, such as NTP and SNMP configuration, are virtually identical to Cisco IOS configuration and are not included here; refer to your firewall documentation for more details.

Login Restrictions

To restrict Telnet access to the Cisco PIX, type the following command:
pixfirewall(config)# telnet ip-addr mask interface

For example, you might enter the following:


pixfirewall(config)# telnet 192.0.2.55 255.255.255.255 inside

The password must also be set:


pixfirewall(config)# passwd password

To authenticate users by TACACS+, enter the following commands:


pixfirewall(config)# aaa-server telnet-group protocol tacacs+
pixfirewall(config)# aaa-server telnet-group (inside) host tacacs-ip-addr password

The telnet-group is an arbitrary name assigned by the administrator. After the protocol type and server IP are defined in the previous two commands, you must map the Telnet process to use the defined group, as follows:
pixfirewall(config)# aaa authentication telnet console telnet-group

To set the enable password, enter the following command:


pixfirewall(config)# enable password password

SSH

Setting up SSH on a PIX is very similar to setting up SSH on a router, as shown in Example 5-3.

Example 5-3. Configuring SSH on a PIX Firewall
!Define the hostname and domain name just like on a router
hostname nsa-pix
domain-name yourdomain.com
!Generate key
ca generate rsa key 1024
!Save the key (this may take a moment)
ca save all
!Enable SSH connections on the inside interface
ssh 192.0.2.0 255.255.255.0 inside
!AAA can be set up in the same way as Telnet AAA above:
! just define a new group and enter the same commands.
aaa-server ssh-group protocol tacacs+
aaa-server ssh-group (inside) host tacacs-ipaddr password
aaa authentication ssh console ssh-group
!If you are planning to have both telnet and ssh enabled then you could use the
! same TACACS+ config by specifying the same aaa-server group for both aaa
!authentication commands.

Logging

Setting up logging on a PIX is fairly simple. You start by turning logging on and defining the server IP by using the following commands:
pixfirewall(config)# logging on
pixfirewall(config)# logging host inside syslog-ip-addr

You then should define the logging level. Setting the logging level to the debugging level will give you more alarms than you probably want. Set it to "error" to start with (level 3 of 7) and then change it as needed. The facility should also be defined. This almost always should be 20 to communicate with most syslog servers. Logging facility is a syslog-specific setting with origins in the original UNIX syslog implementation.
pixfirewall(config)# logging trap error

To view a list of PIX log messages, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/.

NIDS
NIDS hardening is usually very straightforward. NIDS generally don't support any ancillary services, so they are fairly easy to secure. The primary hardening task is to ensure that the detection interface is not reachable at L3 and that the management interface connects directly back to a trusted location within your management network. This way, the NIDS should be difficult to access from the location in which you are likely to see the most attacks. The second main step includes the more traditional hardening functions for any system. Enable logging, set passwords, use SSH, disable unneeded services (if any), and configure NTP. Configuration commands for the Cisco Intrusion Detection System (IDS), as tested for this book, are based on a simple menu system accessed by connecting to the console port on the device. After logging in (user: cisco, password: cisco), you are then prompted to change the password. Initial configuration is launched by typing setup. Here you can set the following:

IP address
Hostname
Routing
Access control to the sensor management
Communications infrastructure (communication back to the IDS manager)
Password for primary IDS user
Secure Sockets Layer (SSL) and SSH access for management

After entering these initial values, the IDS sensor can be managed from the IDS management system either embedded on the sensor or at a central location, depending on the size of your deployment. For more details on the initial configuration of a Cisco IDS sensor, see the guide for getting started under the following URL: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/.

Host Operating Systems


Hardening any host is a matter of paring its functionality down to the essentials for successful operation and ensuring that the running functions are as secure as possible. Host hardening can be broken down into a number of discrete tasks, each of which is different based on the operating system. These hardening steps should occur whether or not you run host antivirus (AV), host firewalls, or host IDS. These technologies should augment your host security, not replace good system administration.

NOTE
Hopefully you aren't looking to this book as an authoritative source for host-hardening guidelines. Instead, I recommend that you look at the many excellent websites and books already published on the subject. The following links and book titles are good sources of information on system security:

Windows: Microsoft has a number of hardening guides and tools designed to help harden Microsoft OSs. These guides can be found at the following URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp.
General UNIX: At the UNIX level, in general, there are so many guides that it is difficult to choose just one. Search on "UNIX" and "hardening" using your favorite search engine. The best book on the subject is Practical UNIX and Internet Security, Third Edition, by Garfinkel, Spafford, and Schwartz (O'Reilly, 2003).
Solaris: Sun hosts a series of white papers on Solaris security at the following URL: http://www.sun.com/software/security/blueprints/.
Linux: There are a number of different distributions of Linux, and each has its own particular hardening guidelines. As an example, a Debian Linux security guide can be found here: http://www.linuxsecurity.com/docs/harden-doc/html/securing-debian-howto/index.en.html.
BSD UNIX: There are several different flavors of Berkeley Software Distribution (BSD) UNIX. The hardening guide for FreeBSD can be found here: http://people.freebsd.org/~jkb/howto.html.

Partitioning Disk Space


In the event of a problem, you don't want one rogue process to consume your entire system's disk space. Although partitioning is often not done for desktop systems, it is very commonly done for server systems. In UNIX, for example, it is good practice to set aside separate partitions for the following components:

/ (or root): This is the root partition where the OS kernel resides. This partition is typically fairly small.
/var: This partition usually holds system log data. By having it in a separate partition, system log events can't accidentally consume all the free space on the file system.
/home: User directories are contained here, where the space they use can be limited.
/usr: This partition usually contains all the software for the system and is commonly one of the largest partitions on the box.
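A quick way to audit the advice above on an existing host is to read the mount table and ask, for each directory you intended to isolate, which file system actually holds it. The following is an added example, not code from the book; SAMPLE_MOUNTS is constructed to follow the /proc/mounts layout of a Linux host (device, mount point, type, options, dump, pass), and on a live system you would read /proc/mounts instead.

```python
"""Check which of the directories this section recommends isolating are
really separate file systems.  Added example, not code from the book.
SAMPLE_MOUNTS is constructed in the /proc/mounts layout; read the real
/proc/mounts on a live host."""

RECOMMENDED = ("/", "/var", "/home", "/usr")

# Constructed sample: /var and /home have their own partitions, /usr does not.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""


def parse_mounts(text):
    """Return {mount_point: (device, fstype, [options])} from /proc/mounts text.
    The kernel escapes a space in a path as \\040; decode it so lookups match."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, point, fstype, opts = parts[:4]
        table[point.replace("\\040", " ")] = (device, fstype, opts.split(","))
    return table


def containing_mount(path, table):
    """Longest mount point that is a prefix of path, i.e. the file system
    that actually holds it (the same rule the kernel applies)."""
    best = "/"
    for point in table:
        if path == point or path.startswith(point.rstrip("/") + "/"):
            if len(point) > len(best):
                best = point
    return best


def check_partitions(text, recommended=RECOMMENDED):
    """For each recommended directory, report the mount that holds it and
    whether it is isolated (its own mount point) or shares another file system."""
    table = parse_mounts(text)
    report = {}
    for directory in recommended:
        holder = containing_mount(directory, table)
        report[directory] = {
            "mount": holder,
            "device": table.get(holder, ("?",))[0],
            "isolated": holder == directory,
        }
    return report


def not_isolated(text, recommended=RECOMMENDED):
    """Directories from the recommendation that a runaway process could fill
    along with whatever else lives on the same file system."""
    return [d for d, r in check_partitions(text, recommended).items() if not r["isolated"]]


if __name__ == "__main__":
    for directory, r in check_partitions(SAMPLE_MOUNTS).items():
        state = "isolated" if r["isolated"] else f"shares {r['mount']}"
        print(f"{directory:6} on {r['device']:10} {state}")
```

Run against the constructed table, the report shows /usr sharing the root file system, which is exactly the condition the section warns about: a process filling /usr also fills /.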

Applications
Application security has many of the same security considerations as host security. The most important is keeping your application up-to-date with the latest security fixes. This doesn't always mean buying the latest version of a piece of code. (In fact, sometimes it means sticking with older, stable software.) Just make sure your critical applications are still supported by the developer and that any new security issues that are uncovered will be handled in a timely manner. In addition to keeping a system up-to-date, logging and application configuration are also important.

NOTE
Hardening guides for popular applications are available all over the Internet. The following are a few samples for some of the more popular applications:

Microsoft Internet Information Server (IIS): You can find IIS-hardening guidelines on the Microsoft website: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp.
Apache web server: The following site provides guidelines for setting up an Apache web server: http://httpd.apache.org/docs-2.0/misc/security_tips.html.
Berkeley Internet Name Domain (BIND): Rob Thomas provides a secure BIND template at the following site: http://www.cymru.com/Documents/secure-bind-template.html.

Appliance-Based Network Services


Just about anything these days can be sold as an "appliance." The point, from a marketing perspective, is to promote the fact that the system is easy to use and requires little intervention from the operator. Just like your toaster, you just push down the lever and it works.

TIP
I like the appliance model but offer one caveat. If your appliance is really just a Linux box in a fancy case, you haven't solved your system management problem; you've just hidden it under the covers. Say, for example, you use an appliance firewall that runs on Linux. When the latest Linux security vulnerability is released, will your appliance vendor fix it for you in a timely fashion? Make sure that it will. A large number of appliance products run on general-purpose OSs, even Windows! When you are evaluating an appliance product, find out what is running "under the covers." Then ask your vendor how it deals with security issues in the underlying OS. Appliance products can be real timesavers in systems management; just make sure your expectations are clear.

Some appliances use custom OSs and hardware and can better claim to be an appliance in function (though this doesn't eliminate the security issues because the custom OS can still have problems). These devices have no configurable OS running underneath them. The only user interface is the application configuration. Some devices commonly sold as appliances include the following:

Network-based web cache
Firewalls
NIDS
Load balancers
Virtual private network (VPN) gateways
IP telephony gateways

TIP
One way to find out what a system is running underneath is to watch for a major vulnerability in a common application and then look at the list of vendors affected by it. For example, the Apache web server had a vulnerability described by the Computer Emergency Response Team (CERT): http://www.cert.org/advisories/CA-2002-17.html. In looking through the list of affected vendors, you can see several you wouldn't expect to be running the Apache server. This isn't a bad thing. In fact, I would prefer vendors to use a publicly available and code-reviewed web server rather than build their own. Just be aware that appliances still need fixes, and when you are running an appliance, it might not always be easy to determine if you are affected.

Rogue Device Detection


No matter how well you harden the devices you know about, an intruder can introduce into your network a device of which you are unaware. These rogue devices pose a nasty security problem, particularly in larger organizations. In large organizations, it can be nearly impossible to discover that someone has inserted into the network a device designed to steal passwords, as discussed in the "Rogue Devices" section of Chapter 3, "Secure Networking Threats." On a small network with only five hosts, however, it is fairly easy to see that there is now a sixth host on the network. If the network instead contains 10,000 hosts, all bets are off. Rogue device detection and attack mitigation boils down to a few general principles. Just don't expect to completely solve the problem if you run a large network. The main tasks are as follows:

Authenticate valid devices: Strongly authenticate all valid devices so that network resources are very limited for a rogue system. Technologies such as IEEE 802.1x and authenticated routing protocols can help make this happen. Both have a significant management penalty in large networks. IEEE 802.1x is discussed more fully in Chapter 9, "Identity Design Considerations."

Map the network: Continually map the network from multiple locations. By using freeware scanners such as Nmap or commercial products, it is possible to take a snapshot of the available systems on your network. Many of these tools include the capability to identify the remote OS. This can be a good way to identify not just rogue hosts but also rogue network devices (routers, firewalls, and so on). Unfortunately, in a large network, mapping the entire network can be problematic: it would take obvious changes to trigger something that was likely an attack. Instead, you might need to focus your mapping on key network areas to which you can pay closer attention (data centers and so on) and others that you map but don't track as closely.

TIP
Some organizations try to map the network by asset-tracking software tied to network login. This is a good way to track systems your IT organization supports, but a rogue device will never be checked by such a system.

Establish strong physical security: Be vigilant about physical security. Strong physical security is the most effective way to limit rogue devices. See Chapter 6 for more details.

Consider technology-specific detection methods: Some specific technologies have unique methods for detecting rogue devices. For example, wireless LAN access point (WLAN AP) devices can be detected by APTools, which is available at the following URL: http://winfingerprint.sourceforge.net/aptools.php. WLAN APs can also be detected by roaming IEEE 802.11b scanners, which organizations use from time to time. Rogue WLAN AP detection is discussed in Chapter 11, "Supporting-Technology Design Considerations."
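The "map the network" task above is only useful if each new snapshot is compared against the last one. The following added example (not code from the book) does that comparison for the areas you track closely: it parses two scan snapshots and reports hosts that appeared, hosts that vanished, and known addresses whose OS fingerprint changed, which is the signature of a different box now answering on a familiar IP. The snapshot text is constructed to follow the layout of Nmap's greppable output (nmap -oG with -O); a real baseline would come from a scheduled scan.

```python
"""Diff two network-mapping snapshots to surface rogue devices.  Added
example, not code from the book.  BASELINE and CURRENT are constructed in
the layout of Nmap greppable (-oG) output; a real run would read the files
written by scheduled scans."""
import re

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

BASELINE = """\
# Nmap 3.50 scan initiated (constructed sample)
Host: 10.1.1.1 (gw.lab)\tStatus: Up
Host: 10.1.1.1 (gw.lab)\tPorts: 22/open/tcp//ssh///\tOS: Cisco IOS 12.X
Host: 10.1.1.10 (ws10.lab)\tStatus: Up
Host: 10.1.1.10 (ws10.lab)\tPorts: 139/open/tcp//netbios-ssn///\tOS: Microsoft Windows XP
Host: 10.1.1.20 (srv20.lab)\tStatus: Up
Host: 10.1.1.20 (srv20.lab)\tPorts: 25/open/tcp//smtp///\tOS: Linux 2.4.X
"""

# Same network a week later: 10.1.1.77 is new, and 10.1.1.10 no longer looks
# like the Windows workstation that used to own that address.
CURRENT = """\
# Nmap 3.50 scan initiated (constructed sample)
Host: 10.1.1.1 (gw.lab)\tStatus: Up
Host: 10.1.1.1 (gw.lab)\tPorts: 22/open/tcp//ssh///\tOS: Cisco IOS 12.X
Host: 10.1.1.10 ()\tStatus: Up
Host: 10.1.1.10 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tOS: Linux 2.4.X (embedded)
Host: 10.1.1.20 (srv20.lab)\tStatus: Up
Host: 10.1.1.20 (srv20.lab)\tPorts: 25/open/tcp//smtp///\tOS: Linux 2.4.X
Host: 10.1.1.77 ()\tStatus: Up
Host: 10.1.1.77 ()\tPorts: 80/open/tcp//http///\tOS: Linux 2.4.X (embedded)
"""


def parse_snapshot(text):
    """Return {ip: {"name", "os", "ports"}} from greppable-format lines.
    Fields after the host are tab-separated "Key: value" pairs; keys we do
    not care about (Status, Ignored State, ...) are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"name": name, "os": None, "ports": set()})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "OS":
                entry["os"] = value
            elif key == "Ports":
                for port in value.split(", "):
                    num, state, proto = port.split("/")[:3]
                    if state == "open":
                        entry["ports"].add(f"{num}/{proto}")
    return hosts


def diff_snapshots(baseline, current):
    """Findings worth a look: new hosts, missing hosts, a changed OS
    fingerprint on a known IP, or new open ports on an unchanged host."""
    findings = []
    for ip in sorted(set(current) - set(baseline)):
        findings.append(("new_host", ip, current[ip]["os"]))
    for ip in sorted(set(baseline) - set(current)):
        findings.append(("missing_host", ip, baseline[ip]["os"]))
    for ip in sorted(set(baseline) & set(current)):
        before, after = baseline[ip], current[ip]
        if before["os"] != after["os"]:
            findings.append(("os_changed", ip, f"{before['os']} -> {after['os']}"))
        elif after["ports"] - before["ports"]:
            findings.append(("new_ports", ip, sorted(after["ports"] - before["ports"])))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in diff_snapshots(parse_snapshot(BASELINE), parse_snapshot(CURRENT)):
        print(f"{kind:13} {ip:12} {detail}")
```

The OS-change finding is the one a pure host count misses: the sixth host is obvious on a five-host network, but an attacker who unplugs a workstation and plugs a sniffer into the same jack keeps the host count constant.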

Chapter 4: Network Security Technologies


This chapter covers the following topics:

The Difficulties of Secure Networking
Security Technologies
Emerging Security Technologies

Technology . . . is a queer thing. It brings you great gifts with one hand, and it stabs you in the back with the other.
C. P. Snow, New York Times, March 15, 1971

L0pht, making the theoretical practical since 1992.
L0pht Heavy Industries

Chapter 3 discussed secure networking threats. This chapter focuses on the broad technologies that can mitigate those threats. The technologies discussed here can be considered foundation technologies for network security and include firewalls, intrusion detection systems (IDS), identity systems, and encryption. This chapter follows the same format as Chapter 3. In each technology discussion, a table first summarizes several of the technology's key attributes. This isn't meant to be a detailed description of each technology. The focus is on discussing design trade-offs and implementation issues as opposed to giving a thorough overview of the technology.

NOTE
Standalone security technologies are only a piece of the puzzle. As I've hinted through the first three chapters, a multitude of features, management techniques, and design options affect security. The rest of the book discusses these techniques; in this chapter, I want to discuss the basic technologies in one place because we will refer to them throughout the book.

The Difficulties of Secure Networking


Considering that we as a community have been working at this problem for many, many years, understanding some of the reasons why we still don't have completely secure networks is useful. Security is not as simple as flipping the "secure" switch on a device, and it might never be. There are many reasons for this, and perhaps the most significant reasons have nothing to do with the technology directly. The following paragraphs outline the reasons that pertain directly to the topics in this book.

First, security management is hard. Because configurations for security tend to restrict traffic flows, there is very little room for error when you are trying to ensure that good traffic passes and bad traffic doesn't (assuming you are able to correctly identify the bad traffic, which isn't always the case). To compound the matter, to maintain your security system, you must receive log messages from all of your security technologies. Without log files, you won't easily be able to tell whether things are working. The volume of these messages can be very burdensome as networks increase in size. Also, patches are released for various vulnerabilities, but the vulnerabilities don't magically disappear. You still must find a way to test and apply the patches to all of your systems.

Second, network identity is hard to track. As a user of the network, you, or your host, can be identified by your Media Access Control (MAC) address, IP address, username, or a certificate. Because security systems make decisions at different layers of the network, it can be difficult to ensure consistent policy implementation across these boundaries.

Third, as networks increase in size, the performance limitations when adding certain network security technologies are significant. This is the result of not just the increased load on a network after adding security features, but also the impact of any necessary changes in network design to accommodate your security system.

Fourth, many standards for secure networking methods are either nonexistent or fairly new. Compounded with the wide variety of vendors that offer pieces of your network security system, this creates an environment that is difficult to maintain (see point 1).

Fifth, computers are complex systems. It is an amazing feat of engineering that computers work at all, let alone are relatively secure. Consider the components you have in a general-purpose PC: CPU, motherboard, network card, video card, hard drive, operating system (OS), and applications. In many computers, each one of these elements is made by a separate company. Recall from Chapter 1, "Network Security Axioms," that complexity is the enemy of security. By connecting several of these components into an overall network (which starts the vendor options over again), you can create an exceedingly complex environment.

Sixth, and this is a recurring theme in this book, since almost all network systems are shipped in an insecure state out of the box, you must actively choose to make them secure. If you take this point in light of the difficulties associated with network management (point 1), securing these insecure systems is a very time-consuming process.

Finally, because of difficulties in management (point 1) and default device state (point 6), even if there is a security technology that would clearly benefit network security, there is no guarantee people will use it. Antispoof filtering is my favorite example: the technology is easy to understand, can be deployed without significant performance penalties with today's hardware, yet is still not

Security Technologies
This chapter breaks down all the security technologies into specific categories. Each category and each element within the categories are detailed through the rest of the chapter. They are as follows:

Identity technologies: Reusable passwords, Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System (TACACS+), OTP, Public Key Infrastructure (PKI), smart cards, biometrics
Host and application security: File system integrity checking, host firewalls, HIDS, host antivirus
Network firewalls: Router with access control list (ACL), stateful firewall
Content filtering: Proxy servers, web filtering, e-mail filtering
Network intrusion detection systems (NIDS): Signature-based NIDS, anomaly-based NIDS
Cryptography: Layer 2 (L2) crypto, network layer crypto, L5 to L7 crypto, file system crypto

Identity Technologies
Identity technologies are primarily concerned with verifying who the user (or the user's computer) is on the network. It is the first A in AAA: authentication, authorization, and accounting. As stated earlier, your network identity can be associated with several different elements (IP address, username, and so on); this section focuses on user identity. The IP address of a computer identifies that computer on the network. The following technologies verify that you are the actual user sitting at that computer:

Reusable passwords
RADIUS and TACACS+
OTP
PKI
Smart cards
Biometrics

Host and %pplication Security


Host and application security relates to the technologies running on the end system to protect the operating system, file system, and applications. Several security technologies are discussed here, none of which are part of the traditional domain of network security. It is important, though, to understand their functions because, to deploy a security system that satisfies the requirement of "defense-in-depth," application security cannot be ignored. This section covers the following technologies:

File system integrity checkers
Host firewalls
HIDS
Host antivirus

Network Firewalls
Often the focal point of a secure network perimeter, network firewalls (hereafter called firewalls) allow ACLs to be applied to control access to hosts and applications running on those hosts. Firewalls certainly enhance security, though they can cause application problems and can impact network performance. This section outlines two common types of firewalls in use today:

Routers with Layer 3/4 stateless ACLs
Stateful firewalls

Content Filtering
This section discusses proxy servers, web filtering, and e-mail filtering. These technologies are best deployed in addition to a network firewall deployment and act as another layer of protection in your security system.

Proxy Servers
Proxy servers (also called application gateways) terminate all sessions destined for a server and reinitiate them on behalf of the client. In the mid-1990s, a fierce debate took place over whether application gateways were more secure than firewalls. Today, it is generally accepted that this is not the case. The strength of any security device should be measured against the types of attacks it mitigates as opposed to the method by which it mitigates those attacks. Proxy servers are slower than firewalls by design because they must reestablish sessions for each connection. That said, if deployed as a caching and authentication solution for your users, the perceived speed might be greater because of the caching. However, proxy servers are certainly not the only location in which to do content caching. Proxy servers also have some difficulty with application support. If you plan to proxy an application through a proxy server, the server must understand enough about the protocol to allow the traffic to pass. The SOCKS protocol works around this by tunneling all desired protocols over a single connection to the proxy. Then it is up to the proxy to handle the connection.

Network Intrusion Detection Systems


NIDS can act as another layer of detection in your security system. This section discusses the two primary NIDS options: signature based and anomaly based. The vast majority of NIDS operate much like sniffers. The device sits on a network with its interfaces in promiscuous mode, watching for suspect traffic. When a packet, or set of packets, matches a configured signature, an alarm is generated on the management console.

In consideration of the data in Table 4-21, it is easy to see why NIDS technology got so much momentum behind it as a security technology. It has the most comprehensive set of detected attacks in this entire chapter. Unfortunately, the implementation, tuning, and manageability concerns have made it a difficult technology from which to realize significant value. This is why the numeric ratings tend to be lower, and the overall score of the technology suffers as a result. NIDS have the ability to actively stop an attack, though most deployments do not enable these features. (See the IDS deployment discussion in Chapter 7 for more details.) Should the highlighted issues with IDS be resolved, using NIDS to stop attacks will become a more viable solution and will result in much greater usefulness. All this being said, NIDS technology has a clear function in today's networks, provided your organization is staffed to deploy it properly. With its network-wide visibility, it can indicate problems more quickly than only auditing hosts. The keys to a successful IDS deployment are placement, tuning, and proper management.

Cryptography
Properly implemented cryptography is designed to protect communication between two parties. It generally has three main properties:

The original message cannot be read by anyone but the intended party. (This is commonly called encryption.)
Both parties in the communication can validate the identity of the other party. (This is commonly called authentication.)
The message cannot be modified in transit without the receiving party knowing it has been invalidated. (This is commonly called integrity.)

Most security books spend 30 to 40 pages or more on basic cryptography concepts. This book assumes you have that foundation knowledge or at least have access to it. In the context of a security system, cryptography is a tool, just like anything else discussed in this chapter. The most common cryptographic methods are discussed in the next few sections:

Layer 2 cryptography
Network cryptography
L5 to L7 cryptography
File system cryptography

WARNING
This might seem obvious, but the attacks listed as "prevented" in this section refer only to systems protected by the cryptographic technique discussed. For example, if you have a VPN link between two sites, IP spoofing is prevented for the IP addresses that are taking part in IPsec. The rest of the communications are vulnerable as usual.
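To make the three properties concrete, the following added example (not code from the book) builds a small authenticated-encryption scheme from Python's standard library and exercises each property: a party without the key cannot read the message, a flipped ciphertext byte is rejected, and a message sealed under a different key is rejected. The construction (an HMAC-SHA256 keystream for confidentiality, then encrypt-then-MAC with a separate HMAC key for integrity and shared-key sender authentication) is for illustration only; in practice use a vetted AEAD such as AES-GCM, or IPsec/SSL as the chapter recommends. Keys, nonces and messages are constructed.

```python
"""Confidentiality, authentication and integrity demonstrated with a small
encrypt-then-MAC scheme built only from the standard library.  Added
example, not code from the book; for illustration, not for production use.
All keys, nonces and messages are constructed."""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32   # SHA-256 output size


def derive_keys(shared_secret: bytes):
    """Split one shared secret into independent encryption and MAC keys."""
    enc_key = hmac.new(shared_secret, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(enc_key, nonce || counter) blocks.  Secure
    only while a nonce is never reused under the same key."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(shared_secret: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt, then MAC nonce || ciphertext.  Output: nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    assert len(nonce) == NONCE_LEN
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(shared_secret: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject on any mismatch."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("authentication failed: message modified or wrong key")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def demonstrate(secret: bytes = b"constructed shared secret",
                message: bytes = b"transfer 100 to account 42") -> dict:
    """Exercise each property and report which ones held."""
    blob = seal(secret, message, nonce=b"\x00" * NONCE_LEN)   # fixed nonce only so the demo is repeatable
    results = {"round_trip": unseal(secret, blob) == message,
               # confidentiality: the wire bytes do not contain the plaintext
               "confidential": message not in blob and b"account" not in blob}
    # integrity: flip one ciphertext byte; the receiver must notice
    i = NONCE_LEN + 4
    tampered = blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]
    try:
        unseal(secret, tampered)
        results["integrity"] = False
    except ValueError:
        results["integrity"] = True
    # authentication: without the shared secret nobody can produce an acceptable message
    forged = seal(b"attacker's own key", b"transfer 100 to account 99", nonce=b"\x00" * NONCE_LEN)
    try:
        unseal(secret, forged)
        results["authenticated"] = False
    except ValueError:
        results["authenticated"] = True
    return results


if __name__ == "__main__":
    for prop, ok in demonstrate().items():
        print(f"{prop:14} {'holds' if ok else 'FAILS'}")
```

Note the order in unseal: the tag is checked before any decryption happens, and with a constant-time comparison, so a forged or altered message is discarded without leaking anything about where it differs. That same encrypt-then-authenticate ordering is what IPsec's ESP with authentication and the SSL record layer give you at L3 and L5, respectively.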

L2 Cryptography
L2 cryptography is simply the process of performing cryptographic functions at Layer 2 of the OSI model. The most well-known, though provably insecure, L2 crypto is Wired Equivalent Privacy (WEP), which is used as part of the 802.11b standard for wireless LANs. L2 crypto was, and to a certain extent still is, used by financial institutions as link encryption for their WAN links. These so-called link encryptors sit after a router on a WAN, while an identical device sits on the other end of the link. Link encryptors are sometimes being replaced by network layer encryption devices. This is primarily because of lower costs, interoperability, and better manageability.

Network Layer Cryptography
IPsec is such a de facto standard in network layer cryptography that I considered naming the category IPsec. IPsec is defined in RFCs 2401 through 2410 by the IETF. It is designed to be a flexible and interoperable method of providing L3 cryptography. It can operate in a number of modes, from simply authenticating messages to providing full encryption, authentication, and integrity. Like L2 encryption, the main benefit IPsec offers is the ability to provide encryption to multiple protocols with a single security negotiation. Session layer cryptography, discussed in the next section, is usually specific to a certain protocol, such as TCP in the case of SSH. IPsec is used throughout this book whenever L3 cryptography is called for. IPsec is certainly not without its problems, but it is the best thing going right now. Much of the criticism of IPsec centers around the complexity of its operation. IPsec is flexible almost to its detriment. It is the standard development-by-committee problem: to please all parties involved, IPsec grew into a very complex beast. In the design chapters, this is evident in the complexity of the configurations.

L5 to L7 Cryptography
For the purposes of secure networking design, L5 to L7 crypto (SSH, SSL, Pretty Good Privacy [PGP], and so on) should be viewed as an alternative to IPsec in application-specific situations. For example, it would be administratively impossible to use IPsec instead of SSL for encrypted web communications. Every server would need to establish an L3 relationship with the client before the communications could be sent encrypted. Likewise, using IPsec with Telnet as an alternative to SSH is not advantageous. SSH and SSL allow for reasonably secure communications by using reusable passwords and public keys on the server side. Where SSH and SSL have difficulty is in providing robust application support for all enterprise needs. Today's networks have a huge variety of applications that they must support. IPsec becomes a superior alternative to SSH/SSL when trying to support all of these applications in as consistent a manner as possible. It all comes down to choosing the right security tool for the requirements. SSH and SSL are used in this book primarily for management communications and application-specific security requirements (such as e-commerce).

File System Cryptography

Although not an integrated component of network security, file system cryptography is overlooked enough that it should be addressed here. The idea is simple: file system cryptography encrypts either the entire file system of a host or sensitive directories in that file system. The big rush toward network security has been predicated on the assumption that servers have all the juicy information. Although it is certainly true that servers are critical resources in need of protection, stealing a portable computer can provide an attacker equally sensitive information with a lot less effort. File system security should be done in most situations where it is viable. This generally means mobile user systems are a top priority. Servers can benefit as well, but performance must be weighed against the fact that servers are often in a secure physical location.

Emerging Security Technologies


Network security is a rapidly changing field. Some technologies are so new that it would be careless to recommend them as tested solutions ready for deployment. Because the status of these technologies is likely to change over time, evaluating new technologies should be part of your security design strategy. None of the technologies radically change any of the best practices in the book. In fact, most are mergers of existing technologies designed to improve their effectiveness.

Hybrid Host Solutions


Several discrete technologies were discussed in the "Host and Application Security" section earlier in this chapter:

File system integrity checking
Host-based firewalls
Host antivirus
HIDS

An emerging market of products, sometimes billed as "intrusion prevention," is starting to gain customer acceptance. These tools seek to combine the functions of all four technologies into a single tool. The basic idea is that if all four functions are handled by a single system, each component can share information and provide better host protection overall. As these merged systems increase in stability and undergo more real-world testing, they should aid the administrator in managing host security.

Inline IDS
One of the main disadvantages of a NIDS is its inability to easily and reliably stop attacks that it detects. A new crop of applications is in development to allow NIDS to move inline with the flow of traffic, merging with the functions of traditional firewalls. These devices could stop attacks from L2 to L7 reliably and before attacks cause any damage. The big potential problem with these systems is that just moving an IDS inline does not solve any of the inherent problems with IDS; in fact, it makes some of them worse. False positives are tolerated to a certain extent in current IDS because they don't actually block the nonattack. When an IDS goes inline, the potential to stop legitimate communications significantly increases. Despite this technical hurdle, several vendors are moving forward with the notion that inline IDS can succeed in areas where traditional NIDS have failed. There is currently an open source inline IDS called Hogwash. For more information see http://hogwash.sourceforge.net.
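The following added example (not the book's code or any vendor's) ties together the NIDS description earlier in this chapter and the inline-IDS caveat just made. It is a minimal signature engine of the kind the "Network Intrusion Detection Systems" section describes (a configured signature matches a packet, an alarm is raised), run once passively and once inline. One of the constructed signatures is deliberately too broad: it fires on a perfectly normal chunked HTTP POST. Passively that is just a false positive in the console; inline it is a dropped connection. Packets and signatures are constructed.

```python
"""A minimal signature-based NIDS engine run passively (alarm only) and
inline (drop), showing how a tolerable false positive becomes an outage
once the sensor sits in the traffic path.  Added example; not the book's
code or any vendor's.  Packets and signatures are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    content: bytes         # byte pattern that must appear in the payload


# Constructed signatures.  1002 is written too broadly on purpose: chunked
# transfer encoding is legitimate HTTP, so it will fire on normal traffic.
SIGNATURES = [
    Signature(1001, "shell path in HTTP request", "tcp", 80, b"/bin/sh"),
    Signature(1002, "chunked HTTP request (overly broad)", "tcp", 80, b"Transfer-Encoding: chunked"),
    Signature(1003, "SNMP default community string", "udp", 161, b"public"),
]

# Constructed traffic: one attack, one legitimate upload, one clean GET.
TRAFFIC = [
    Packet("10.1.1.77", "10.1.1.20", "tcp", 80,
           b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n\r\n"),
    Packet("10.1.1.10", "10.1.1.20", "tcp", 80,
           b"POST /upload HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"),
    Packet("10.1.1.11", "10.1.1.20", "tcp", 80,
           b"GET /index.html HTTP/1.0\r\n\r\n"),
]


def matches(pkt: Packet, sig: Signature) -> bool:
    """A signature fires when protocol, port (if given) and payload content all match."""
    return (pkt.proto == sig.proto
            and (sig.dport is None or pkt.dport == sig.dport)
            and sig.content in pkt.payload)


def inspect(packets, signatures=SIGNATURES, inline=False):
    """Return (alarms, forwarded).  Passive mode forwards everything and only
    raises alarms; inline mode additionally drops any packet that matched."""
    alarms, forwarded = [], []
    for pkt in packets:
        hits = [sig.sid for sig in signatures if matches(pkt, sig)]
        for sid in hits:
            alarms.append((sid, pkt.src, pkt.dst))
        if hits and inline:
            continue            # dropped: never reaches the server
        forwarded.append(pkt)
    return alarms, forwarded


if __name__ == "__main__":
    for mode in (False, True):
        alarms, fwd = inspect(TRAFFIC, inline=mode)
        print(f"inline={mode}: {len(alarms)} alarms, {len(fwd)} of {len(TRAFFIC)} packets forwarded")
```

Both runs produce the same two alarms; the difference is that the inline run also loses the legitimate upload from 10.1.1.10. That is why the text says placement and tuning decide whether an IDS is useful, and why a signature set that is acceptable on a passive sensor needs another round of tuning before it can be trusted to drop.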

Application Firewalls
Similar to inline IDS, though with a slightly different focus, application firewalls are designed to allow forwarding decisions on the payload of a particular protocol. The most actively developed protocol is HTTP, which currently tunnels almost every kind of application across it in an effort to bypass traditional firewalls. Application firewalls would, in theory, allow permitted web traffic to pass while blocking web-based attacks or other applications tunneling over HTTP (when this is a violation of policy). The application firewall could merge with the functions of a traditional firewall and inline IDS, creating a robust platform to stop attacks but a potential single point of failure for your security system. See Chapter 1 for the information on the operational simplicity axiom.

This chapter covers the following topics:

Physical Security Issues
Layer 2 Security Considerations
IP Addressing Design Considerations
ICMP Design Considerations
Routing Considerations
Transport Protocol Design Considerations
DoS Design Considerations

Many things difficult to design prove easy to performance.
Samuel Johnson, Rasselas: The History of Rasselas, Prince of Abissinia, 1759

A good scientist is a person with original ideas. A good engineer is a person who makes a design that works with as few original ideas as possible. There are no prima donnas in engineering.
Freeman Dyson, Physicist, Disturbing the Universe, 1979

At the beginning of any secure network design project, many best practices apply more or less uniformly to all areas of the design. This chapter presents these practices in a single location and then draws on them throughout the rest of the book. The designs presented in Chapter 13, "Edge Security Design," Chapter 14, "Campus Security Design," and Chapter 15, "Teleworker Security Design," are based on many of the concepts described here and in the companion chapters (Chapters 7-11), which detail specific design considerations for certain technologies. The topics are presented in loose compliance with the seven-layer OSI model and, as such, cover a diverse set of topics. Chapter 1, "Network Security Axioms," presented the security axioms; this chapter translates them into actionable guidance for secure network design.

Physical Security Issues


One common security truism is "Once you have physical access to a box, all bets are off." This is a good beginning assumption for this section. If an attacker has physical access to a computer, router, switch, firewall, or other device, your security options are amazingly limited. Networking devices, with few exceptions, can have their passwords reset by attaching to their console port. Hosts can be booted with a special floppy disk or CD-ROM designed to circumvent most host security on the device. This book does not cover physical security issues in detail. Topics such as disaster recovery, site selection, and so on are not discussed at all. However, as a network designer, you must know where you are relying on physical security to augment or support your network security. There are some rules you can follow to improve your security:

Control physical access to facilities.
Control physical access to data centers.
Separate identity mechanisms for insecure locations.
Prevent password-recovery mechanisms in insecure locations.
Be aware of cable plant issues.
Be aware of electromagnetic radiation.
Be aware of physical PC security threats.

The rest of this section examines these seven areas.

Control Physical Access to Facilities


Effectively controlling physical access to your organization's facilities should be the single top concern for both your physical security staff and you, the network designer. Most organizations utilize one of three mechanisms to implement physical security (presented in increasing order of security):

Lock-and-key access
Key card access
Key card access with turnstile

Lock-and-Key Access
The most common physical security control, particularly in smaller organizations, is traditional lock-and-key access. For this method, individuals who need access to certain rooms or buildings are given keys for access. This option has the following benefits:

Generally, this is the cheapest option for small organizations.
No technical experience is required.
Special keys are available to thwart key duplication.

However, there are also several drawbacks:

If employees leave the company on less than amicable terms, they might "lose" their keys or might simply stop showing up for work. In such cases, it can be very costly to rekey the locks and redistribute keys to the valid employees.
Unless coupled with an alarm system that augments the lock-and-key access, there is no mechanism to determine when employees with keys access a given physical location.
Most keys can be easily duplicated at the local hardware store.
Key authentication is single-factor, meaning the key is all a person needs to access locked areas.

Key Card Access


More common in larger organizations, key card access can alleviate some of the management problems associated with lock-and-key access and can provide increased security measures. Key card access can take the form of a magnetic card reader or a smart card. All of these systems have the same basic pros and cons once you eliminate the technical differences of the technology. These are the benefits of a key card system:

Access to multiple locations can be controlled with a single card.
In the event that an employee leaves the company, the employee's card can be quickly disabled whether or not it is physically returned.
Locks should never need to be "rekeyed."
Facilities with multiple entrances are easily supported.
Reports can be run to show when individuals entered specific locations.

The drawbacks to a key card system are as follows:

Like lock-and-key access, key cards are single-factor security. Any individual with a valid key card could access the location.
Key card systems can be expensive, and in the event of a failure in the central authentication system, all users can be denied access to a facility.
The principal problem with key card access is tailgating. Tailgating is gaining unauthorized access to a building by following an individual with valid access. Oftentimes, if attackers are dressed in the appropriate clothing, they can simply follow legitimate individuals into a building without having to present a key card. Even if someone requests to see a card, an attacker can show an invalid card because it might not actually be scanned by the card reader.

Key Card Access with Turnstile


Although most often associated with ballparks and stadiums, turnstile access with a key card can be one of the most secure methods of controlling physical access to a building. For this method, a key card is used to activate the turnstile and allow one person into the building. These systems are most common in large multifloor buildings, where access can be controlled at the ground floor. In the following list, you can see that this option has all the benefits of the previous option plus more.

Tailgating is greatly diminished because only one person can enter per card.
Access to multiple locations can be controlled with a single card.
In the event that an employee leaves the company, the employee's card can be quickly disabled whether or not it is physically returned.
Locks should never need to be "rekeyed."
Reports can be run to show when individuals enter specific locations.

The drawbacks of a system such as this are as follows:

Like the previous two systems, key card access with turnstile is a single-factor identity system. Any individual with a valid card could gain access to the building.
This doesn't work well for facilities with multiple buildings and multiple entrances.
This method generally requires a security guard to verify that individuals are not hopping over the turnstile or tailgating through an entrance designed for persons with physical disabilities that bypasses the turnstile.
Turnstiles are not aesthetically pleasing.
Turnstile access can be inconvenient for employees, escorted guests, or individuals using dollies for equipment.
This method is more expensive than simple key card access and also has the same issues in the event of a failure in the key card authentication system.

Solving the Single-Factor Identity Problem


A second factor can be added to either of the previous key card authentication processes. The first option is to put a personal identification number (PIN) code reader at every location where there is a card reader. After using their key card, employees must enter a PIN to unlock the door. Another option is to use some form of biometric authentication. Biometric authentication could be used as either the second factor in a key card system or the principal factor in a biometric system. In the second case, users would enter a PIN after successful biometric authentication. See Chapter 4, "Network Security Technologies," for the pros and cons of biometric authentication. Both of these alternatives add cost to the system and inconvenience for users.

Control Physical Access to Data Centers


Data-center access can utilize any of the preceding mechanisms in addition to PIN-reader-only access. The important difference with data-center access is that you are often dealing with a smaller set of operators, so issues around key management are somewhat reduced.

NOTE I once had the pleasure of experiencing a physical security audit by a client who was considering using a facility in one of my previous jobs. Needless to say, it didn't go well. One of the auditors was able to gain access to the building by tailgating. Upon entering, he asked to see the "secure" data center we had advertised. Upon reaching the entrance to the secure room, he stood on a chair and pushed up the ceiling tile outside the room. He discovered that the walls to our data center extended only 12 inches beyond the ceiling tiles, allowing access if someone climbed over them.

In the context of this discussion, data center refers to any location where centralized network resources are stored. This could include traditional data centers, wiring closets, coat closets, or someone's desk. It all depends on the size of the facility and the way it is organized.

TIP Some ultrasecure data centers utilize sets of cameras, key card access, biometrics, and "man-traps" to catch anyone illegally trying to gain access to the room.

Separate Identity Mechanisms for Insecure Locations


Although identity design considerations are discussed in more detail in Chapter 9, "Identity Design Considerations," from a physical security perspective, it is important to ensure that passwords in physically insecure locations are not the same as those used in secure locations. Often an organization will utilize common authentication mechanisms for the various systems that must access network resources. For example, SNMP community strings or Telnet/SSH passwords might be set the same on all devices. The risk is direct: whatever can be recovered from a device in a branch closet (its configuration, its community strings, its stored passwords) then works against every other device that shares those credentials, including the ones in your data centers. From a pure security perspective, it is preferable to use two-factor authentication, when available, for each user who accesses the network device. Although this might be possible for users, it is often impossible for software management systems, which need to run scripts to make changes on several machines at once. For optimal security, different passwords should be used on each device, but this is often operationally impossible for large networks. Therefore, at a minimum, organize your common passwords so that they are never used on systems in physically insecure locations. For example, assume you have 3 main locations (with data centers) in your organization and 10 remote sites (considered insecure). In this case, only use your shared passwords on the main sites and ensure that the passwords for each of the remote systems are unique per site at a minimum and per device ideally. As the number of insecure locations increases into the hundreds or thousands, this becomes impossible; refer to the "Business Needs" section of Chapter 2, "Security Policy and Operations Life Cycle," for guidance on calculating the costs and benefits of this and any other difficult security measure. (People generally don't compute cost/benefit on easy and cheap security measures.)
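The rule above ("shared credentials never cross from an insecure site to a secure one, and ideally are not shared between insecure sites either") is easy to state and easy to violate over time as devices are cloned from templates. The following audit script is an added example written for this page, not code from the book or from any Cisco tool. It assumes a simple constructed inventory record per device (name, site, whether the site is considered physically secure, and the credentials configured on it, such as SNMP community strings and login passwords) and reports every credential that is shared across the secure/insecure boundary or across multiple insecure sites. Credentials are compared by SHA-256 fingerprint so that the report never reproduces the secret itself.

```python
"""Audit a device inventory for credentials shared across the secure/insecure boundary.

Added example for this section (not from the original text). The inventory
format is an assumption made for the example: a list of dicts with keys
  name (str), site (str), secure (bool), creds (dict kind -> secret).
"""
from collections import defaultdict
import hashlib


def fingerprint(secret):
    """Short, non-reversible identifier for a credential so reports don't leak it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def audit_shared_credentials(inventory):
    """Return a list of findings; each is a dict with the credential kind, its
    fingerprint, what kind of sharing was found, and the devices involved."""
    users = defaultdict(list)                      # (kind, fingerprint) -> devices
    for dev in inventory:
        for kind, secret in dev["creds"].items():
            users[(kind, fingerprint(secret))].append(dev)

    findings = []
    for (kind, fp), devs in users.items():
        secure_sites = {d["site"] for d in devs if d["secure"]}
        insecure_sites = {d["site"] for d in devs if not d["secure"]}
        if not insecure_sites:
            continue                               # shared only among secure sites: allowed
        if secure_sites:
            problem = "shared between insecure and secure sites"
        elif len(insecure_sites) > 1:
            problem = "shared across multiple insecure sites"
        else:
            continue                               # unique to one insecure site: fine
        findings.append({"kind": kind, "fingerprint": fp, "problem": problem,
                         "devices": sorted(d["name"] for d in devs)})
    return findings


# Constructed inventory: two main sites (secure) and three branches (insecure).
SAMPLE_INVENTORY = [
    {"name": "core-rtr-1", "site": "HQ",   "secure": True,
     "creds": {"snmp-ro": "c0re-r0-2019", "login": "CoreAdm1n!"}},
    {"name": "core-sw-1",  "site": "DC2",  "secure": True,
     "creds": {"snmp-ro": "c0re-r0-2019", "login": "CoreAdm1n!"}},
    {"name": "br-rtr-10",  "site": "BR10", "secure": False,     # core community string on a branch box
     "creds": {"snmp-ro": "c0re-r0-2019", "login": "Br10-Only-9x"}},
    {"name": "br-rtr-11",  "site": "BR11", "secure": False,     # same community on two branches
     "creds": {"snmp-ro": "branch-shared", "login": "Br11-Only-7q"}},
    {"name": "br-rtr-12",  "site": "BR12", "secure": False,
     "creds": {"snmp-ro": "branch-shared", "login": "Br12-Only-4k"}},
]

if __name__ == "__main__":
    for f in audit_shared_credentials(SAMPLE_INVENTORY):
        print(f"{f['kind']} {f['fingerprint']}: {f['problem']} -> {', '.join(f['devices'])}")
```

In a real deployment the inventory would be built from configuration backups or an automation system; the comparison logic does not change. Note that the per-site "secure" flag is exactly the device-location decision discussed at the start of the chapter, so the audit only works if that classification is maintained.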

Prevent Password Recovery Mechanisms in Insecure Locations


Some devices have controls to prevent the recovery of passwords in the event that an attacker has physical access to your system. For example, on some newer Cisco routers and switches, the command is as follows:

Router(config)# no service password-recovery


When this command is entered on a router or a switch, interrupting the boot process only allows the user to reset the system to its factory default configuration. Without this command, the attacker could clear the password and have access to the original configuration. This is important because the original configuration might contain common passwords or community strings that would allow the attacker to go after other systems. This would be particularly useful in insecure branch offices or other locations where the physical security of a network device cannot be assured. Two caveats apply: if you lose the password yourself, the only way back in is the same factory reset, so configuration backups must be kept off the device; and the protection only covers the console, so a device whose configuration was already pulled over the network (or whose passwords are stored reversibly, as with Cisco type 7 encryption) is still exposed.

Be Aware of Cable Plant Issues

In today's networks, there are two primary cable types: unshielded twisted pair (UTP) category 5 (or higher) and fiber optic. The risk of an attacker accessing your physical cabling is important to consider because that level of access often can bypass other security controls and provide the attacker with easy access to information (provided encryption is not used). UTP cable is very easy to tap, but it was thought years ago that fiber was immune to cable taps. We now know that this is not the case. The National Security Agency (NSA) is rumored to have already tapped intercontinental network links by splicing into the cable; read about it at the following URL: http://zdnet.com.com/2100-11-529826.html. Fiber can also be bent far enough that some light escapes if the outer jacket of the cable is removed; with the right equipment this light can be read, and clip-on bend couplers that work this way are sold commercially and do not require cutting the fiber. Additionally, if an attacker gains physical access to a wiring closet or the fiber cable as it runs in a cable tray above a drop ceiling, tapping the cable by installing couplers is another possibility. All this being said, fiber is more secure than copper because the means to tap the signal are more expensive, difficult to execute, and often require interrupting the original flow of data to install. On the other hand, the means to tap a UTP signal can easily be purchased off of the Internet. The design conclusion is that the cable plant should never be the only control: traffic that crosses a segment you do not physically control should be encrypted.

Be Aware of Electromagnetic Radiation


In 1985, the concerns of the paranoid among the security community were confirmed. Wim van Eck released a paper confirming that a well-resourced attacker can read the output of a cathode-ray tube (CRT) computer monitor by measuring the electromagnetic radiation (EMR) produced by the device. This isn't particularly easy to do, but it is by no means impossible. Wim's paper can be found here: http://www.shmoo.com/tempest/emr.pdf This form of attack is now commonly called van Eck phreaking. Additionally, in 2002, Markus Kuhn at the University of Cambridge published a similar method of reading data off of a CRT, this time by measuring the changes in the amount of light in a room. His paper can be found here: http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf And an easy-to-read FAQ on the topic can be found here: http://www.cl.cam.ac.uk/~mgk25/emsec/optical-faq.html A simple way to mitigate van Eck phreaking might just be to change the type of font you are using (the filtered "soft Tempest" fonts remove the high-frequency edges that radiate most). Ross Anderson and Markus Kuhn did some excellent research on the topic: http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf The problem did not disappear with the CRT: Kuhn later showed that flat-panel displays and their digital video cables leak as well. I am certainly not recommending that all systems must address these sorts of security considerations, but it is good to know that such attacks are possible.

Be Aware of Physical PC Security Threats


Oftentimes, inexperienced network designers begin with an unacknowledged assumption that all the sensitive data within an organization is contained on servers. In reality, there is sensitive information about my company sitting on the laptop I am using to write this book, as well as on the servers. Like most employees at my company, I use server resources when necessary, but often interesting information is stored locally. Several physical security issues manifest when you operate under the preceding assumption:

The first is that portable computer theft is a big problem, not just in the cost of replacing the computer but in the proprietary information that is stored on it. The best protection against having a lost portable computer turn into lost trade secrets is some type of file system encryption. (Some are built into modern OSs.) Encryption only helps when the thief does not also get the key: a laptop stolen while powered on and unlocked, or suspended with the key still in memory, is still exposed. Chapter 4 has more details on such systems.
The second is that by compromising the data coming into and out of a PC, you can learn passwords, sensitive data, and so on. An attacker can achieve this through network sniffing, EMR emissions (discussed in the previous section), remote control software (Back Orifice 2000), or hardware keyloggers, small devices that attach between the keyboard and the PC and record to flash memory every key typed. For more information see this URL:

Layer 2 Security Considerations


As you learned in Chapter 3, "Secure Networking Threats," certain attacks run at Layer 2 (L2) of the OSI model. Oftentimes, your posture toward L2 attacks depends on the physical security of the location and the amount of trust you have in users, as defined by your security policy. This section discusses some common design considerations for L2 protocols. The discussion is focused on Ethernet, but most of these issues apply to wireless networks as well.

L2 Control Protocols
Control protocols are usually at the core of any L2 security issue. This section discusses design considerations around L2 control protocol usage. Basic understanding of these protocols is assumed. There are two main topics in this section: the first covers industry-standard protocol considerations; the second covers Cisco-specific protocols.

General Protocol Considerations


This section covers the standard protocols 802.1q and Spanning-Tree Protocol (STP), and briefly mentions 802.1x.

802.1q
The 802.1q standard specifies a standard mechanism for Ethernet switches to exchange virtual LAN (VLAN) information. It adds a 4-byte tag after the source and destination Media Access Control (MAC) addresses. The first 2 bytes act as an Ethernet tag protocol identifier (TPID), always 0x8100 for 802.1q. The second 2 bytes contain all the interesting information: 12 bits are used as a VLAN identifier (yielding 4096 values, of which 0 and 4095 are reserved, so 4094 usable VLANs), 3 bits are used as a priority identifier (the 802.1p priority), and the remaining bit is the canonical format indicator. The addition of 4 bytes to the Ethernet packet increases the maximum size of an Ethernet frame from 1518 bytes to 1522 bytes. When designing a network to take advantage of 802.1q tagging, there are a few security concerns that must be addressed:

802.1q has had several implementation flaws in various vendors' equipment over the years. Details of an old Cisco vulnerability can be found here: http://www.sans.org/resources/idfaq/vlan.php. Many of these problems have been fixed, and vendors are beginning to pay more attention to security, particularly as VLANs play a greater role in any network design.
When using VLANs, the potential for human error increases because the operator must keep track of "virtual" LANs that might not have distinct cable plants associated with them. This can get particularly nasty when you try to remember which VLAN number is the outside of your firewall as opposed to the inside. Good management tools can mitigate the impact of this concern.
Some attacks that use 802.1q as an attack method are detailed in a later section of this chapter titled "VLAN Hopping Considerations."
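The tag layout described above is small enough to parse by hand, and doing so makes the later VLAN hopping discussion concrete: a frame can carry more than one 802.1q tag, and a switch that strips only the outer tag forwards whatever the inner tag says. The following parser and builder are an added example written for this page, not code from the book; the frame bytes they operate on are constructed, and the parser returns every tag it finds (outermost first) rather than only the first one so double-tagged frames are visible to the caller.

```python
"""Build and parse Ethernet frames carrying zero or more 802.1q tags.

Added example for the 802.1q discussion (not from the original text).
Layout per tag: 2-byte TPID (0x8100) + 2-byte TCI = 3-bit PCP | 1-bit CFI | 12-bit VID.
"""
import struct

TPID_8021Q = 0x8100       # tag protocol identifier marking an 802.1q tag
ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
TAG_LEN = 4
MAX_UNTAGGED = 1518       # largest untagged frame, 4-byte FCS included


def max_frame_len(tag_count):
    """1518 bytes untagged, 1522 with one tag, and 4 more for each extra tag."""
    return MAX_UNTAGGED + TAG_LEN * tag_count


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame):
    """Return dst/src MACs, the list of tags (outermost first), the EtherType
    that follows the last tag, and the payload. Raises ValueError on truncation."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame ends inside the EtherType field")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype != TPID_8021Q:
            break                                   # not a tag: real EtherType
        if len(frame) < offset + TAG_LEN + 2:
            raise ValueError("truncated 802.1q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({
            "pcp": tci >> 13,              # 3-bit 802.1p priority
            "cfi": (tci >> 12) & 1,        # canonical format indicator
            "vid": tci & 0x0FFF,           # 12-bit VLAN ID (0 and 4095 reserved)
        })
        offset += TAG_LEN
    return {"dst": mac_str(dst), "src": mac_str(src), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def build_frame(dst, src, vids, ethertype, payload, pcp=0):
    """Construct a frame with one tag per VID in `vids` (outermost first);
    an empty list gives an untagged frame."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        out += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    # Constructed double-tagged frame: outer VID 1 (a native VLAN), inner VID 200.
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [1, 200], 0x0806, b"\x00" * 28)
    print(parse_frame(f)["tags"])
```

A switch or monitoring tool that looks only at `tags[0]` will classify the constructed double-tagged frame as VLAN 1 traffic; the inner tag is what the next hop acts on.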

STP

Spanning-Tree Protocol (STP) is a L2 loop avoidance mechanism. Without STP, redundant L2 links would cause large forwarding loops and massive performance problems. From a security standpoint, STP has a few design characteristics of interest.

First, STP has no provisions for authentication of the bridge protocol data units (BPDUs) that are sent from switches and bridges as they exchange STP information. These BPDUs could easily be sent from an unauthorized device that could have any number of undesirable effects. To start with, if the attacker can cause a failure of a link in the forwarding state, it generally takes 30 to 50 seconds for classic 802.1D STP to deal with the failure and reconverge the topology: two forward-delay periods of 15 seconds (listening and learning), plus the 20-second max age when the failure is only detected through missing BPDUs. Some switches now include features to deal with this problem. On Cisco devices, the features are called port fast and uplink fast; Rapid Spanning Tree (802.1w) reconverges in seconds but, like 802.1D, adds no authentication.

Second, for there to be some "authority" in the STP network, the participating switches elect a root bridge. It is from this bridge that the loop-free topology is built. The method for determining the root bridge is generally through STP configuration messages, which carry the bridge ID (a 2-byte priority followed by the bridge MAC address) of a given switch. The lowest bridge ID becomes the root bridge. If an attacker is able to send out BPDUs from his station, he can send out a configuration message with a bridge priority of zero. This will likely make his system the root bridge and will often change which links are active on a given network (since the topology is redetermined from the perspective of the new root bridge). No special tools are needed to do this; some UNIX implementations come with Ethernet bridging utilities that allow them to configure their system as a bridge with full participation in the STP process. As an example, consider the following topology in Figure 6-1.

Figure 6-1 Starting Topology

In the figure, you can see that the attacker has established two links to two different L2 switches. F denotes a link that is forwarding; B is a link that is blocked because of STP. This could easily be done by walking a long cable to another jack in a building or by using a WLAN network (if it was poorly designed). From here, you can see that one of the attacker's links is in the blocking state. This is exactly what STP should do to prevent loops. However, the attacker then sends BPDUs advertising himself as bridge priority zero. This causes STP to reconverge and the attacker to become the root bridge. A topology that looks like the one in Figure 6-2 results.

Figure 6-2 Resulting Topology

Because the topology is built from the perspective of the attacker, you can see that all traffic that must pass between the switches flows through the attacker's PC. This allows an attacker any number of options, as outlined in Chapter 3. The most obvious are sniffing traffic, acting as a man-in-the-middle, or creating a denial of service (DoS) condition on the network. The DoS condition is achieved because the attacker can make his links much slower than the links between the two access switches, which could very likely be connected by gigabit Ethernet.

NOTE You might ask, "Doesn't STP take into account bandwidth speed when determining the topology?" It does but always from the perspective of the root bridge. While testing in the lab, I was able to take a full-duplex gigabit link between two access switches and reduce it to a half-duplex 10 megabit (Mb) connection between those access switches and the attacking PC. This is never good for a production network.

Fortunately, mitigating this attack is fairly straightforward. First, some advocate disabling STP in all cases in which you don't have network loops. Although this sounds like a good idea, the attacker could instead introduce a loop into your network as a means of attack. A better option is to filter which ports are allowed to participate in the STP process. Some switches offer the ability to do this today. On Cisco devices, the two principal options are BPDU Guard and Root Guard.

BPDU Guard

BPDU Guard can be globally enabled on some Cisco switches and is in effect on any port configured with the port fast option. Port fast ports are generally user ports. What BPDU Guard does is disable (err-disable) any port fast port that receives a BPDU message. Because these are user ports, there should be no reason for BPDU messages to be sent to them. A port shut down this way stays down until an operator bounces it or errdisable recovery is configured for the bpduguard cause, so enabling the feature is also an operational decision. The syntax is as follows (on IOS the global form applies to all port fast ports; the per-interface form is spanning-tree bpduguard enable):

CatOS> (enable) set spantree portfast bpdu-guard enable
IOS(config)# spanning-tree portfast bpduguard default


Root Guard
The other option you have is Root Guard. Root Guard can be enabled or disabled on any port and works by blocking a port that receives a superior BPDU, that is, one that would make the device behind that port the root bridge. On Cisco switches the port is placed in the root-inconsistent state (no forwarding) and recovers automatically once superior BPDUs stop arriving, unlike a BPDU Guard err-disable. This is less restrictive on users because it allows them to plug in an Ethernet switch in their workspace (in case they have more than one PC) as long as that switch does not try to become root. The syntax for Root Guard is as follows:

CatOS> (enable) set spantree guard root 1/1
IOS(config-if)# spanning-tree guard root
! older IOS releases use the keyword form: spanning-tree rootguard
NOTE I learned about BPDU Guard the hard way. I was setting up a small lab in my office to do some testing, and I needed more ports than I had available. I plugged in an Ethernet switch and promptly lost link on my connection. Puzzled, I went to the IT staff, who informed me that BPDU Guard was running to prevent unauthorized STP advertisements. After getting my port reset, I went back to my office and turned off STP on my small switch. Problem solved.
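To see what BPDU Guard and Root Guard actually decide on, it helps to decode a BPDU and compare bridge IDs the way STP does. The following block is an added example written for this page, not code from the book and not how any switch implements these features: it builds 802.1D configuration BPDUs (LLC 0x42/0x42/0x03 followed by the 35-byte BPDU body), parses them, and applies the two guard rules described above to constructed frames, one from the legitimate root and one from the attacker in Figure 6-1 claiming priority zero. It also computes the classic reconvergence delay from the timers carried in the BPDU.

```python
"""Decode 802.1D configuration BPDUs and apply BPDU Guard / Root Guard rules.

Added example for the STP discussion (not from the original text). Bridge IDs
are compared as (priority, MAC) tuples, lowest wins, exactly as STP does.
Timers are encoded on the wire in units of 1/256 second.
"""
import struct

LLC_STP = b"\x42\x42\x03"      # DSAP/SSAP 0x42 + UI control: the STP LLC header
CONFIG_BPDU = 0x00
TCN_BPDU = 0x80
FLAG_TC = 0x01                 # topology-change flag in a configuration BPDU


def build_config_bpdu(root_prio, root_mac, bridge_prio, bridge_mac,
                      root_path_cost=0, port_id=0x8001, flags=0,
                      msg_age=0, max_age=20, hello=2, fwd_delay=15):
    """Return LLC header + configuration BPDU (35 bytes)."""
    body = struct.pack("!HBBB", 0x0000, 0x00, CONFIG_BPDU, flags)
    body += struct.pack("!H", root_prio) + bytes.fromhex(root_mac.replace(":", ""))
    body += struct.pack("!I", root_path_cost)
    body += struct.pack("!H", bridge_prio) + bytes.fromhex(bridge_mac.replace(":", ""))
    body += struct.pack("!HHHHH", port_id, msg_age * 256, max_age * 256,
                        hello * 256, fwd_delay * 256)
    return LLC_STP + body


def parse_bpdu(pdu):
    """Parse LLC + BPDU into a dict; None if the LLC header is not STP."""
    if pdu[:3] != LLC_STP or len(pdu) < 7:
        return None
    b = pdu[3:]
    _proto, _version, bpdu_type = struct.unpack("!HBB", b[:4])
    if bpdu_type == TCN_BPDU:
        return {"type": "tcn"}
    if len(b) < 35:
        return None
    flags = b[4]
    root_id = (struct.unpack("!H", b[5:7])[0], b[7:13])
    (cost,) = struct.unpack("!I", b[13:17])
    bridge_id = (struct.unpack("!H", b[17:19])[0], b[19:25])
    port_id, msg_age, max_age, hello, fwd = struct.unpack("!HHHHH", b[25:35])
    return {"type": "config", "topology_change": bool(flags & FLAG_TC),
            "root_id": root_id, "root_path_cost": cost, "bridge_id": bridge_id,
            "port_id": port_id, "max_age": max_age // 256, "forward_delay": fwd // 256}


def bpdu_guard(portfast, pdu):
    """BPDU Guard: any BPDU arriving on a PortFast (user) port err-disables it."""
    return "errdisable" if portfast and parse_bpdu(pdu) is not None else "forwarding"


def root_guard(current_root_id, pdu):
    """Root Guard: a configuration BPDU whose root ID is lower than the root we
    already know is 'superior'; the port goes root-inconsistent (blocking)
    instead of letting the topology rebuild around the new claimant."""
    p = parse_bpdu(pdu)
    if p is None or p["type"] != "config":
        return "forwarding"
    return "root-inconsistent" if p["root_id"] < current_root_id else "forwarding"


def reconvergence_seconds(max_age=20, forward_delay=15, direct_failure=True):
    """Classic 802.1D recovery after a link failure: listening + learning
    (2 x forward delay), plus max age when only missing BPDUs reveal the failure."""
    return 2 * forward_delay + (0 if direct_failure else max_age)


# Constructed frames: the legitimate root (default priority 32768) and the
# attacker's station from Figure 6-1 claiming priority 0.
LEGIT_ROOT = build_config_bpdu(32768, "00:1a:2b:00:00:01", 32768, "00:1a:2b:00:00:01")
ATTACKER = build_config_bpdu(0, "00:de:ad:be:ef:00", 0, "00:de:ad:be:ef:00")
KNOWN_ROOT_ID = parse_bpdu(LEGIT_ROOT)["root_id"]

if __name__ == "__main__":
    print("user port + attacker BPDU:", bpdu_guard(True, ATTACKER))
    print("uplink + attacker BPDU   :", root_guard(KNOWN_ROOT_ID, ATTACKER))
    print("worst-case reconvergence :", reconvergence_seconds(direct_failure=False), "s")
```

Note which rule fires where: BPDU Guard belongs on user ports, where no BPDU is ever legitimate, while Root Guard belongs on ports where a downstream switch is acceptable but must never win the root election.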

802.1x
The standard 802.1x specifies a mechanism to do port-based access control in an Ethernet network. For example, before granting access to a user who connected to a port in one of your conference rooms, you could have 802.1x require authentication first. Upon authentication, the user could be assigned to a specific VLAN based on the user's access rights. The 802.1x standard could be used in the future to perform additional security checks, perhaps enforcing an access control list (ACL) for the user or a quality of service (QoS) policy. The 802.1x standard is covered further in Chapter 9.

Cisco-Specific Protocols
Over the years, Cisco Systems has developed a number of proprietary protocols that have been used to perform different functions on an L2 network. Most of these protocols use an IEEE 802.3 frame format with an 802.2 SNAP encapsulation. Most have a Logical Link Control (LLC) of 0xAAAA03 (indicating SNAP) and the Cisco Organizational Unit Identifier (OUI) 0x00000c. The majority use a multicast destination MAC address to communicate. This is generally a variation on 0100.0ccc.cccc. The SNAP protocol type varies and generally is included in each protocol discussion where appropriate. Knowing the specifics of these protocols should make it easier to identify them on the network when troubleshooting using a sniffer. Figure 6-3 shows in detail the frame format of most Cisco L2 protocols.

Figure 6-3 802.3 with 802.2 SNAP Frame Format

Of special note is the unique relationship two of these protocols have with VLAN 1 on Cisco switches. Cisco Discovery Protocol (CDP) and VLAN Trunking Protocol (VTP) are discussed in more detail later. Both of these protocols communicate over VLAN 1 only. Even if VLAN 1 is not used on a trunk port, these protocols continue to pass information on VLAN 1. For this reason, and the fact that VLAN 1 cannot be deleted, it is not recommended to use VLAN 1 for user ports or as the native VLAN of trunks. More information on this topic can be found here: http://www.cisco.com/warp/public/473/103.html.

Interswitch Linking (ISL)


Long before 802.1q, Cisco switches were capable of trunking multiple VLANs over a single link using ISL. ISL use is in decline because there is now an adequate standard to replace it. Instead of using a 4-byte field in the Ethernet frame, ISL reencapsulates the packet with a new Ethernet header, adding a 26-byte header (plus a new 4-byte trailing CRC) to the packet; 10 bits of the header are used for the VLAN ID. If you remember, 802.1q adds only 4 bytes to each packet (including priority by 802.1p) and, as such, is a more efficient protocol. Although it is not recommended to build a new network from scratch using ISL, many existing networks run ISL. The security issues around ISL are virtually identical to those of 802.1q.

Dynamic Trunking Protocol (DTP)


To help switches determine whether they should be trunking, Cisco developed DTP. DTP exchanges information between switches, notifying each other of their preferences regarding trunking for a given link. Settings such as auto, on, off, desirable, and non-negotiate determine whether a given L2 switch will trunk on a given link. DTP uses a destination MAC address of 0100.0ccc.cccc and a SNAP protocol type of 0x2004. Cisco Catalyst 2900XL and 3500XL switches do not support DTP. DTP is important from a security perspective because the default DTP state of many switches is auto or desirable. This means that they will happily trunk (pass traffic on multiple VLANs) with anyone who notifies them that they would like to do so. A station that negotiates a trunk this way can then tag frames for any VLAN carried on the trunk. DTP spoofing is a part of the attacks described in the "VLAN Hopping Considerations" section later in this chapter. To mitigate attacks that use DTP, it is recommended that you set all ports without a need to trunk into the DTP off state; ports that must trunk should be configured as static trunks with negotiation disabled (switchport nonegotiate on IOS) rather than left to negotiate. The syntax for these commands is as follows:

CatOS> (enable) set trunk <mod/port> off
IOS(config-if)# switchport mode access


If you aren't sure whether your switch defaults to autotrunking or not, you can check the trunk status of your ports with the following commands:

CatOS> (enable) show trunk [mod|mod/port]
IOS# show interfaces <type> <number> switchport

VLAN Trunking Protocol (VTP)


Oftentimes, it can be a burden to manage a large L2 network with lots of VLANs spread around different switches. To ease this burden, Cisco developed VTP. VTP allows an administrator to configure a VLAN in one location and have its properties automatically propagated to other switches inside the VTP domain. VTP uses a destination MAC address of 0100.0ccc.cccc and a SNAP protocol type of 0x2003. VTP uses the notion of a client and a server to determine which devices have rights to propagate VLAN information in what direction. I'll be honest, having my VLAN information automatically propagate to my different switches doesn't fill the security part of my brain with glee. Start by strongly considering whether VTP is going to save you time or cause you headaches. If all your VLANs have similar security levels, perhaps VTP could be helpful to you. But if instead you have different security levels on your VLANs and certain VLANs should only exist on certain switches, it is probably easier, and safer, to manually configure each VLAN where you need it (VTP transparent mode lets a switch keep its own VLAN database and ignore advertisements). If you must use VTP, be sure to use it with the MD5 digest option. This adds a 16-byte MD5 digest of the VTP packet combined with a password and makes it much harder for an attacker to send you bogus VTP information causing your VLANs to be reconfigured. Without the MD5 authentication, an attacker could be disguised as a VTP server with all VLANs deleted. This could cause all switches in your entire network to remove their VLAN configuration. Not a good thing for security at all! Note that the password does not protect you from the same accident caused by your own staff: a switch that joins the domain with the right password but a higher configuration revision number overwrites the domain's VLAN database, even if it is a client, so reset the revision (change the domain name or mode) on any reused switch before connecting it. The syntax for configuring a VTP password is as follows:

CatOS> (enable) set vtp [domain domain_name] [mode {client | server | transparent | off}] [passwd passwd] [pruning {enable | disable}] [v2 {enable | disable}]
IOS(config)# vtp password password-value

VLAN Query Protocol (VQP)


Prior to the establishment of the IEEE 802.1x standard, Cisco developed a technology called the VLAN Management Policy Server (VMPS). VMPS works with a flat file policy database that is sent to VMPS server switches by TFTP. VMPS client switches then communicate with the VMPS server using VQP. VMPS allows a switch to dynamically assign VLANs to users based on their MAC address or user identity (if used with the User Registration Tool [URT]). Unfortunately, VQP is a UDP-based protocol that does not support any form of authentication. This makes its use in security-sensitive environments inadvisable. An attacker who is able to spoof VQP (not hard since it runs over UDP) could then try to prevent network logins or might join a VLAN unauthorized. VQP and VMPS are rarely used for MAC-based VLAN assignment because of the management burden of maintaining the MAC address to VLAN mapping table. The URT component is also not frequently used, especially since a standards-based method of effectively doing the same thing (802.1x) is now available.

CDP
To allow Cisco devices to exchange information about one another's capabilities, Cisco developed CDP. CDP uses a destination MAC address of 0100.0ccc.cccc and a SNAP protocol type of 0x2000. By default, most Cisco routers and switches have CDP enabled. CDP information is sent in periodic multicast advertisements (every 60 seconds by default) that each receiving device caches in its local CDP table. Because CDP is an L2-only protocol, it (like any other L2 protocol discussed here) is not propagated by routers. Some of the types of data propagated by CDP include the following:

L2/L3 capabilities
Hostname
Management (IP) addresses
Native VLAN
Duplex setting
Software version and platform
VTP domain settings

Figure 6-4 is a portion of an Ethereal packet trace showing the inside of a CDP packet.

Figure 6-4 CDP Example Packet

From a reconnaissance standpoint, all of the preceding information could be useful to an attacker. The software version, in particular, would allow the attacker to determine whether there were any specific security vulnerabilities with that particular version of code. Also, since CDP is unauthenticated, an attacker could craft bogus CDP packets and have them received by the attacker's directly connected Cisco device.

So, with an understanding of the security risks, why don't you just turn CDP off completely? Many network operators do, but it is important to realize that Cisco developed CDP for a reason. Some network management applications make use of it, as do Cisco IP telephones. If you must run CDP on your network, consider using it on only the ports that require its use. For example, many networks need CDP only on backbone links and not user links. This would allow you to turn off CDP on user ports, preventing many of the attacks discussed in the preceding paragraph. The syntax to disable CDP on a router or a switch is as follows:

CatOS> (enable) set cdp disable <mod>/<port> | all
IOS(config)# no cdp run
! disables CDP on the whole device
IOS(config-if)# no cdp enable
! disables CDP on one interface only (for example, a user port)
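The frame format described under "Cisco-Specific Protocols" and the CDP packet in Figure 6-4 can both be handled with a few lines of parsing, which is also what a sniffer does when it labels these frames. The following block is an added example written for this page, not code from the book and not a complete CDP implementation: it classifies a frame as CDP, VTP or DTP from the 802.3 length field, the 0xAAAA03 LLC, the 0x00000c OUI and the protocol types the chapter gives (0x2000, 0x2003, 0x2004), then walks the CDP type-length-value list to pull out the fields the text flags as reconnaissance material. The TLV type numbers used (Device ID 0x0001, Software Version 0x0005, Platform 0x0006, Native VLAN 0x000a, Duplex 0x000b) are the standard CDP ones; the sample advertisement is constructed, not captured, and its version string is made up.

```python
"""Classify Cisco L2 control frames by SNAP header and decode CDP TLVs.

Added example for the Cisco-specific protocol and CDP discussion (not from
the original text). The sample frame below is constructed for the example.
"""
import struct

CISCO_MCAST = bytes.fromhex("01000ccccccc")      # 0100.0ccc.cccc
LLC_SNAP = b"\xaa\xaa\x03"                       # DSAP/SSAP 0xAA + UI: SNAP follows
CISCO_OUI = b"\x00\x00\x0c"
CISCO_PROTOS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP"}
CDP_TLV_NAMES = {0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
                 0x0004: "Capabilities", 0x0005: "Software Version",
                 0x0006: "Platform", 0x0009: "VTP Domain",
                 0x000a: "Native VLAN", 0x000b: "Duplex"}


def classify_cisco_frame(frame):
    """Return (protocol name, payload after the SNAP header) or None if the
    frame is not an 802.3/SNAP frame to the Cisco multicast with the Cisco OUI."""
    if len(frame) < 22 or frame[:6] != CISCO_MCAST:
        return None
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500:                              # that is an EtherType, not an 802.3 length
        return None
    if frame[14:17] != LLC_SNAP or frame[17:20] != CISCO_OUI:
        return None
    (ptype,) = struct.unpack("!H", frame[20:22])
    return CISCO_PROTOS.get(ptype, f"cisco-0x{ptype:04x}"), frame[22:14 + length]


def parse_cdp(payload):
    """Decode the CDP header (version, TTL, checksum) and its TLVs."""
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    tlvs = {}
    off = 4
    while off + 4 <= len(payload):
        t, l = struct.unpack("!HH", payload[off:off + 4])    # length includes the 4-byte TLV header
        if l < 4 or off + l > len(payload):
            raise ValueError("malformed CDP TLV")
        value = payload[off + 4:off + l]
        name = CDP_TLV_NAMES.get(t, f"tlv-0x{t:04x}")
        if t == 0x000a:                                      # native VLAN: 2-byte integer
            tlvs[name] = struct.unpack("!H", value)[0]
        elif t == 0x000b:                                    # duplex: 1 = full
            tlvs[name] = "full" if value == b"\x01" else "half"
        elif t in (0x0001, 0x0003, 0x0005, 0x0006, 0x0009):  # text fields
            tlvs[name] = value.decode("ascii", "replace")
        else:
            tlvs[name] = value
        off += l
    return {"version": version, "ttl": ttl, "tlvs": tlvs}


def _tlv(t, value):
    return struct.pack("!HH", t, 4 + len(value)) + value


def build_cdp_frame(src_mac, device_id, sw_version, platform, native_vlan):
    """Constructed CDPv2 advertisement carrying the fields the text lists
    as useful to an attacker. Checksum is left at zero (not verified here)."""
    cdp = struct.pack("!BBH", 2, 180, 0)                     # version 2, holdtime 180 s
    cdp += _tlv(0x0001, device_id.encode()) + _tlv(0x0005, sw_version.encode())
    cdp += _tlv(0x0006, platform.encode()) + _tlv(0x000a, struct.pack("!H", native_vlan))
    cdp += _tlv(0x000b, b"\x01")
    snap = LLC_SNAP + CISCO_OUI + struct.pack("!H", 0x2000) + cdp
    src = bytes.fromhex(src_mac.replace(":", ""))
    return CISCO_MCAST + src + struct.pack("!H", len(snap)) + snap


def recon_summary(frame):
    """What a station on a user port learns from one CDP advertisement."""
    result = classify_cisco_frame(frame)
    if result is None or result[0] != "CDP":
        return None
    info = parse_cdp(result[1])["tlvs"]
    return {k: info.get(k) for k in ("Device ID", "Software Version", "Platform", "Native VLAN")}


SAMPLE_CDP = build_cdp_frame("00:0b:fd:12:34:56", "br10-sw1",
                             "Sample IOS version string (constructed)",
                             "cisco WS-C2950-24", 1)

if __name__ == "__main__":
    print(recon_summary(SAMPLE_CDP))
```

The same dispatcher is where a passive monitor would flag CDP or DTP frames arriving from a user port, since after the configuration above no legitimate device on such a port should be sending them.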

MAC Flooding Considerations


Every L2 switch needs some mechanism to record the port to which a given MAC address is connected. This ensures that unicast communication between two hosts can occur without other hosts seeing the traffic. One common method of recording this information is the use of a Content Addressable Memory (CAM) table. A CAM table stores the MAC addresses and VLAN assignments of various hosts connected on a switch. Think of it much like a routing table for a router, only at L2. When a frame arrives at a switch, a number of things happen. The sequence we refer to here is specific to the CAM table and frame switching:

1. The frame arrives at the switch.
2. The source MAC address is inspected to determine whether there is already an existing entry in the CAM table. If so, the switch proceeds to the next step; if not, an entry is added to the CAM table for the source MAC address. This way, when anyone needs to talk to that MAC address again, the switch remembers which port to send the frame to reach the destination.
3. The destination MAC address is inspected to determine whether there is already an existing entry in the CAM table. If so, the frame is switched out of that destination port and on to the host. If not, the switch proceeds to step 4.
4. The switch floods the frame on all ports that are members of the same VLAN as the originating host.
5. When the intended recipient of the frame receives the packet, it responds (assuming the protocol is two-way), and the switch repeats this process from step 1. The switch adds an entry in the CAM table for the source MAC of this frame (the destination MAC of the previous frame). All further unicast communications between these two hosts are sent on only the port to which each host is connected.

The preceding illustrates how it is supposed to work. A security-conscious network designer must be aware of a few things:

CAM tables have a limited size. Depending on the switch, this can be anywhere from 100 or so entries to over 100,000 entries.
Entries in the CAM table have an aging timer. Each time a frame is transmitted with a source MAC address matching the current entry in the CAM table, the aging timer is reset. If a given host does not send frames on the switched network, the network eventually deletes the CAM table entry for that device. This is of particular interest for one-way protocols such as syslog. If your syslog server does nothing but receive UDP syslog messages, its CAM entry will begin to age once it responds to the original Address Resolution Protocol (ARP) query sent by a host or router. Once aged, all packets destined for it are always flooded on the local VLAN.

Attack Details

Given the previous explanation of how a CAM table works, let's look at how the CAM table design can be attacked:

1. An attacker connects to a switch port.
2. The attacker sends a continuous set of frames with random source MAC addresses and random destination MAC addresses.
3. The attacker is really concerned with making sure steps 1 and 2 of the CAM learning sequence in the preceding list (frame arrives, source MAC is learned) repeat constantly, each time with a different MAC address.
4. Because CAM tables have limited size, eventually the switch will run out of room and not have any more space for new MAC addresses.
5. A victim host (connected to the same VLAN as the attacker) tries to communicate with a host that does not currently have a CAM table entry. Since there is no more room in the CAM table for the host without an entry, all communications to that host must be flooded.
6. The attacker can now see all the traffic sent from the victim host to the host without a CAM table entry. This could include passwords, usernames, and so forth, which then allows the attacker to launch the next attack.

This attack is important because Ethernet switches were originally thought to increase security because only the ports involved in a particular communication would see the traffic. Furthermore, if the attacker runs this attack continuously, even active hosts might soon start flooding as the aging timer expires during periods of inactivity. The attacker can further accelerate this process by sending an STP BPDU with a Topology Change Notification (TCN) message (such as when an attacker tries to become the root bridge). Such a message will cause the aging timer on most switches to temporarily shorten. This is needed so the switch doesn't keep stale information that is no longer valid after the STP topology change. For example, many Cisco switches have a default aging timer of 300 seconds. When a Cisco switch receives a TCN message, it automatically reduces the aging timer for every entry to 15 seconds. As mentioned in Chapter 3, there are several popular tools that automate this attack. The most common is macof, written in 1999 by Ian Vitek in about 100 lines of Perl. This code was later ported to C by Dug Song for his dsniff tools. In a very basic lab test, I was able to generate 155,000 MAC entries per minute using a stock Linux box. There are a few caveats to this attack that you should be aware of:

Even with a completely full CAM table, traffic is flooded only on the local VLAN, meaning traffic on VLAN 10 stays on VLAN 10, but everyone with a port on VLAN 10 will see the traffic.

Because of the flooding, this attack could also flood the CAM table on adjacent switches.

Because of the sheer quantity of traffic the attacker sends, this attack might also result in a DoS condition on the network.

Attack Mitigation

Stopping this attack isn't too difficult, but it isn't quite as simple as flipping a switch. Many switches offer the ability to do something called port security. Port security works by limiting the number of MAC addresses that can communicate on any given port on a switch. For example, say you are running switched Ethernet to the desktop in your environment. Each host has its own connection on the switch. Here, you might configure port security to allow only one MAC address per port. Just to be safe, you might allow two or three in case locations add a small hub to connect a test system. Port security works by learning the number of MAC addresses it is configured to allow per port and then shutting down the port if it exceeds the limit. In the case of the macof tool, it would be stopped dead in its tracks. You configure port security in the following way:

CatOS> (enable) set port security mod/ports... [enable | disable] [mac_addr] [age {age_time}] [maximum {num_of_mac}] [shutdown {shutdown_time}] [violation {shutdown | restrict}]
IOS(config-if)#port security [action {shutdown | trap} | max-mac-count addresses]

Note that there are a lot of other options that aren't really necessary for stopping CAM table flooding. For more information on port security, you can look here: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_5_4/config/sec_port.htm. For example, here's a configuration in Cisco CatOS to limit ports to two MAC addresses:

CatOS> (enable) set port security 3/1-48 enable maximum 2

This uses the default of a permanent shutdown in the event of a violation. There are other options, such as setting a timer on how long the port is shut off or deciding instead to leave the port operational but drop any MAC addresses that aren't in the original set allowed by the switch. This latter option is inadvisable because it can create increased load on the switch while it tries to determine which traffic to pass or drop. It is also worth noting that this attack, like all L2 attacks, requires the attacker to have local access to the network because these attacks do not cross a router.
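The learning, aging and flooding steps above, together with the port-security limit that stops the flooding, as an added model of switch behaviour (example code, not from the original text or any switch vendor; the table size of 8 entries, the port names and the MAC addresses are constructed):

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Port:
    name: str
    vlan: int
    max_macs: Optional[int] = None      # None: port security switched off
    learned: Set[str] = field(default_factory=set)
    shut_down: bool = False


class Switch:
    """Toy L2 switch: CAM table with a size limit and an aging timer."""

    def __init__(self, cam_size: int = 8, aging_time: int = 300):
        self.cam_size = cam_size          # deliberately tiny so the table fills quickly
        self.aging_time = aging_time      # seconds; 300 is the default the text cites
        self.cam: Dict[str, Tuple[str, int, int]] = {}   # mac -> (port, vlan, last_seen)
        self.ports: Dict[str, Port] = {}

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def _age(self, now: int) -> None:
        # Entries whose source has been silent longer than aging_time are removed.
        stale = [m for m, (_, _, seen) in self.cam.items() if now - seen > self.aging_time]
        for mac in stale:
            del self.cam[mac]

    def receive(self, port_name: str, src: str, dst: str, now: int) -> str:
        """Process one frame; return 'dropped', 'forwarded' or 'flooded'."""
        port = self.ports[port_name]
        if port.shut_down:
            return "dropped"
        self._age(now)
        # Port security: a port presenting more source MACs than allowed is shut down.
        if port.max_macs is not None:
            port.learned.add(src)
            if len(port.learned) > port.max_macs:
                port.shut_down = True
                return "dropped"
        # Step 2: learn or refresh the source, but only while the table has room.
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = (port_name, port.vlan, now)
        # Steps 3 and 4: a known destination in the same VLAN is forwarded, else flooded.
        entry = self.cam.get(dst)
        if entry is not None and entry[1] == port.vlan:
            return "forwarded"
        return "flooded"


SERVER, VICTIM = "02:00:00:00:00:03", "02:00:00:00:00:02"   # constructed MACs


def flood_scenario(port_security: bool) -> dict:
    """Fill the table from one port, let the server's entry age out, then check
    whether a later victim-to-server frame is forwarded or flooded."""
    sw = Switch()
    sw.add_port(Port("1/1", vlan=10, max_macs=2 if port_security else None))  # noisy port
    sw.add_port(Port("1/2", vlan=10))   # victim
    sw.add_port(Port("1/3", vlan=10))   # server
    sw.receive("1/3", SERVER, VICTIM, now=0)
    sw.receive("1/2", VICTIM, SERVER, now=0)
    bogus = [f"02:00:00:00:01:{i:02x}" for i in range(50)]   # constructed source MACs
    for t, mac in enumerate(bogus, start=1):
        sw.receive("1/1", mac, "ff:ff:ff:ff:ff:ff", now=t)
    for mac in bogus:                      # the same burst again, after the aging timer
        sw.receive("1/1", mac, "ff:ff:ff:ff:ff:ff", now=400)
    sw.receive("1/3", SERVER, VICTIM, now=401)   # server speaks again: can it be relearned?
    return {
        "victim_to_server": sw.receive("1/2", VICTIM, SERVER, now=402),
        "cam_entries": len(sw.cam),
        "port_1/1_shut": sw.ports["1/1"].shut_down,
    }


if __name__ == "__main__":
    print("without port security:", flood_scenario(False))
    print("with port security:   ", flood_scenario(True))
```

Without port security the server's entry cannot be relearned because the table is full of bogus entries, so the victim's frame is flooded; with a two-MAC limit the noisy port is shut down on its third source address and the frame is forwarded normally.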

VLAN Hopping Considerations

Since VLANs were first created, there has been debate over their use in a security role. The threat of VLAN hopping (causing traffic from one VLAN to be seen by another VLAN without first crossing a router) was and is still viewed as the major risk. Designers want to know whether it is safe to design their networks as shown in Figure 6-5 instead of using additional switches as shown in Figure 6-6.

Figure 6-5 Questionable VLAN Edge Design

Figure 6-6 Edge Design without VLANs

The short answer is, assuming your Ethernet switch vendor doesn't have any security-related bugs with VLANs, VLANs can be deployed in a reasonably secure manner. Unfortunately, the precondition of no bugs is a hard state to achieve. A number of bugs have allowed VLAN hopping over the years. The best you can hope for is that any bugs that are discovered with VLAN security are quickly fixed by your vendor. Additionally, misconfigurations can sometimes allow VLAN hopping to occur, as you'll see in the following two sections.

Basic VLAN Hopping Attack

In the basic VLAN hopping attack, the adversary takes advantage of the default configuration on most switches. As we discussed in the preceding section on DTP, most switch ports default to autotrunking. This means that an attacker that can successfully trick a switch into thinking it is another switch with a need to trunk can gain access to all the VLANs allowed on the trunk port. This can be achieved in one of two ways:

Spoof the DTP messages from the attacking host to cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch will happily deliver the packets to the destination.

Introduce a rogue switch and turn trunking on. The attacker can then access all the VLANs on the victim switch from the rogue switch.

This basic VLAN hopping attack can be easily mitigated by turning trunking off on all ports without a specific need to trunk. The configuration settings for this are shown in the DTP section earlier in this chapter.

Creative VLAN Hopping Attacks

This section is a catchall for various methods to achieve VLAN hopping when trunking is turned off on the port to which the attacker is connected. As these methods are discovered, they tend to be closed by the vendors affected. One tricky attack will take some time to stop on all devices. You might wish to refer to the previous section on 802.1q if you need more information. The attack works by sending frames with two 802.1q tags instead of one. The attack requires the use of two switches, and the attacker and victim must be on separate switches. In addition, the attacker and the trunk port must have the same 802.1q native VLAN. The attack works like this:

1. The attacker sends a double-tagged 802.1q frame to the switch. The outer header has the VLAN tag of the attacker and trunk port. (For the purposes of this attack, let's assume VLAN 10.) The inner tag is the victim VLAN, VLAN 20.

2. The frame arrives on the switch, which looks at the first 4-byte 802.1q tag. The switch sees that the frame is destined for VLAN 10 and sends it out on all VLAN 10 ports (including the trunk) since there is no CAM table entry. Remember that, at this point, the second VLAN tag is still intact and was never inspected by the first switch.

3. The frame arrives at the second switch but has no knowledge that it was supposed to be for VLAN 10. (Remember, native VLAN traffic is not tagged by the sending switch as specified in the 802.1q spec.)

4. The second switch looks at only the 802.1q tag (the former inner tag that the attacker sent) and sees the frame is destined for VLAN 20 (the victim VLAN).

5. The second switch sends the packet on to the victim port or floods it, depending on whether there is an existing CAM table entry for the victim host.

Figure 6-7 illustrates the attack. It is important to note that this attack is only unidirectional and works only when the attacker and trunk port have the same native VLAN.

Figure 6-7 Double-Tagged 802.1q VLAN Hopping Attack

This attack is easy to stop if you follow the best practice that native VLANs for trunk ports should never be used anywhere else on the switch. For switches to prevent this attack, they must look further into the packet to determine whether more than one VLAN tag is attached to a given frame. Unfortunately, the application-specific integrated circuits (ASICs) that are used by most switches are only hardware optimized to look for one tag and then to switch the frame. The problem of performance versus security rears its ugly head again.

TIP You might be wondering why the switch is accepting tagged frames on a port that isn't trunking in the first place. Refer to the section on 802.1q, where we discussed that part of the 802.1q tag is the 802.1p tag for frame priority (QoS). So, to support 802.1p, the switch must support 802.1q frames.
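A parser for the 802.1q tag stack of an Ethernet frame, added to show what a switch that reads only the first 4-byte tag misses, plus the native-VLAN audit the best practice above calls for (example code, not from the original text; the frame bytes, MAC addresses, VLAN numbers and port names are constructed):

```python
import struct

TPID_8021Q = 0x8100


def parse_vlan_tags(frame: bytes):
    """Walk every 802.1q tag after the MAC header.
    Returns (dst_mac, src_mac, [VLAN IDs outer -> inner], final ethertype)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            break
        # TCI: 3-bit 802.1p priority, 1-bit DEI, 12-bit VLAN ID
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(tci & 0x0FFF)
        offset += 4
    return dst, src, tags, ethertype


def build_tagged_frame(dst: str, src: str, vlans, ethertype: int = 0x0800,
                       payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample frame carrying the given tag stack (outer tag first)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def classify_access_port_frame(frame: bytes, trunk_native_vlan: int) -> dict:
    """Defender's view of a tagged frame arriving on a non-trunk port: a second
    tag means the next switch would deliver it into the inner VLAN, and an outer
    tag equal to the trunk's native VLAN is the precondition the attack needs."""
    _, _, tags, _ = parse_vlan_tags(frame)
    return {
        "tags": tags,
        "double_tagged": len(tags) > 1,
        "outer_is_native": bool(tags) and tags[0] == trunk_native_vlan,
    }


def audit_native_vlan(trunk_native_vlan: int, access_port_vlans: dict) -> list:
    """Config check for the best practice above: report access ports whose VLAN
    is the trunk's native VLAN (those should not exist)."""
    return sorted(p for p, v in access_port_vlans.items() if v == trunk_native_vlan)


if __name__ == "__main__":
    f = build_tagged_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [10, 20])
    print(classify_access_port_frame(f, trunk_native_vlan=10))
    print(audit_native_vlan(10, {"3/1": 10, "3/2": 30, "3/3": 10}))
```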

ARP Considerations

ARP is designed to map IP addresses to MAC addresses. It was also, like most protocols still used in IP networking today, designed at a time when everyone on a network was supposed to be reasonably trustworthy. As a result, the protocol is designed around efficiently executing its task, with no provisions for dealing with malicious use. At a basic level, the protocol works by broadcasting a packet requesting the MAC address that owns a particular IP address. All devices on a LAN will see the request, but only the device that uses the IP address will respond. From a security standpoint, there is a major limitation in ARP. ARP has no notion of IP address ownership. This means any MAC address can masquerade as any IP address provided an attacker has the right software tool to execute the attack. Furthermore, there is a special type of ARP broadcast called a gratuitous ARP (gARP). A gARP message tells all hosts on a LAN, without having been asked, what its IP/MAC binding is. gARP is used in several legitimate ways. The most prevalent is in high-availability situations in which two systems share the same IP address but have different MAC addresses. When the primary system changes, it must notify the rest of the LAN of the new MAC address with which to contact the primary host. ARP is also used to prevent IP address conflicts. Most modern OSs send an ARP request out for the address with which they are configured when they boot. If a machine responds, they know that another node is already using their configured IP address, and the interface should be shut down until the conflict can be resolved. Consider the following sequence outlined in Figure 6-8.

Figure 6-8 Misuse of gARP

In the figure, a host that is not the router is sending gARP broadcasts claiming to be the router's IP address but using its own MAC address. Hosts 2 and 3 generally ignore such a broadcast if they haven't yet communicated with the router. When they finally do, they send an ARP request for the router's MAC address. The real router (.1) will respond, but as soon as host 4 sends the next gARP broadcast claiming to be .1, hosts 2 and 3 will update their ARP entry for .1 to reflect host 4's MAC address (MAC D). At this point, the traffic destined off of the 10.2.3.0/24 network will go to host 4's MAC address. That host could then send it to the real router, drop the traffic, sniff the traffic, or modify the contents of a packet and send it along to the real router. Then all traffic from the hosts flows through the attacker's machine before arriving at the actual router. If desired, the attacker could also send gARP broadcasts to the router claiming to be every host on the local LAN, which allows the attacker to see the return traffic as well.

The attack described in the preceding paragraphs is the core problem with ARP. The attack described is generally referred to as ARP redirection or spoofing. Any host on the LAN can attempt to masquerade as any other host through the use of ARP and gARP messages. dsniff is a collection of tools written by Dug Song to launch and further take advantage of this attack. For example, after launching the ARP spoofing attack, dsniff has a special sniffer designed to find and output to a file the usernames and passwords of dozens of common protocols. It even goes so far as to execute man-in-the-middle (MITM) attacks against Secure Sockets Layer (SSL) and SSH by presenting false credentials to the user. By using this attack, it becomes possible for an attacker to learn sensitive information sent over encrypted channels. More information on dsniff can be found at the dsniff website: http://monkey.org/~dugsong/dsniff/.

Mitigating ARP redirection attacks is a bit trickier. You could use private VLANs (PVLANs) as described later in this section, but this would prevent all host-to-host communication, which isn't particularly good for a network (except in specific cases such as server farms). A feature available in some Cisco switches is called ARP inspection. ARP inspection allows VLAN ACLs (VACLs) to be applied to ARP traffic flowing across a specific VLAN on the switch. A common way these VACLs are used is to make sure the MAC address of the default gateway does not change. The following ACL restricts ARP messages for two MAC/IP bindings and prevents any other MAC address from claiming ownership for those two IPs:

CatOS> (enable) set security acl ip ARP-ACL permit arp-inspection host 192.0.2.1 00-d0-b7-11-13-14
CatOS> (enable) set security acl ip ARP-ACL deny arp-inspection host 192.0.2.1 any log
CatOS> (enable) set security acl ip ARP-ACL permit arp-inspection host 192.0.2.2 00-d0-00-ea-43-fc
CatOS> (enable) set security acl ip ARP-ACL deny arp-inspection host 192.0.2.2 any log
CatOS> (enable) set security acl ip ARP-ACL permit arp-inspection any any
CatOS> (enable) set security acl ip ARP-ACL permit ip any any
CatOS> (enable) commit security acl ARP-ACL

As you can see, you must first permit the explicit binding. Then you deny any other ARP packets for that same IP. Finally, you permit all other ARP packets. There are some caveats to ARP inspection as it is currently implemented, and the management burden of tracking MAC address and IP bindings for ACL entries probably prevents many system administrators from using this for anything other than default gateways and critical systems. For more information on ARP inspection, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_5/confg_gd/acc_list.htm#1020673. You can also limit on a per-port basis the number of ARP packets that are processed by the switch. Excess packets are dropped and can optionally cause the port to shut down. This can stop really noisy ARP attacks, but most ARP tools are less noisy than this. Arpspoof, for example, sends less than one ARP message per second. The following example sets an inspection limit of 25 packets per second and a shutdown threshold of 50 packets per second for port 2/1.

CatOS> (enable) set port arp-inspection 2/1 drop-threshold 25 shutdown-threshold 50
Drop Threshold=25, Shutdown Threshold=50 set on port 2/1.
CatOS> (enable)
CatOS> (enable) show port arp-inspection 2/1
Port   Drop Threshold   Shutdown Threshold
-----  --------------   ------------------
2/1    25               50

Keep in mind that, when systems initialize, they might send large numbers of legitimate ARP queries. Use this feature with caution, especially considering it won't stop the ARP attacks used today. If you deploy ARP inspection, be sure to use the VACLs as your primary means of defense and the ARP rate limiting to stop clearly nonstandard behavior.

Other methods that can help include hard-coding static ARP entries for key devices in your network. From a management standpoint, you'd never be able to do this for all hosts, but for key devices it might be worth the effort.

TIP Unfortunately, some older Microsoft operating systems (OSs) allow a static ARP entry to be overwritten by a gARP broadcast.

Open source tools can be used to help as well: arpwatch is a free tool developed by Lawrence Berkeley National Lab (LBNL). It works by keeping track of IP and MAC address bindings on the network and can notify you when certain mappings change. The tool can be downloaded here: http://www-nrg.ee.lbl.gov/. Last, some IDS tools have the ability to detect certain types of ARP attacks. Some look for large quantities of ARP traffic, while others operate in much the same way as arpwatch.
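An arpwatch-style binding monitor, added to show the two defensive ideas above in one place: alerting when an IP-to-MAC mapping changes, and pinning the gateway's binding the way the permit/deny pair in the ARP inspection VACL does (example code, not arpwatch's or Cisco's; the ARP messages replay the figure's sequence with constructed MACs on 10.2.3.0/24):

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ArpMsg:
    op: str             # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    gratuitous: bool = False


class ArpMonitor:
    """Track sender IP/MAC bindings from every ARP message seen on the LAN."""

    def __init__(self, pinned: Optional[Dict[str, str]] = None):
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.bindings: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, msg: ArpMsg) -> Optional[str]:
        """Return an alert string for this message, or None if nothing is wrong."""
        ip, mac = msg.sender_ip, msg.sender_mac.lower()
        # Pinned binding: any other MAC claiming the IP is a violation. The table is
        # left untouched, just as the VACL's deny line keeps the packet off the VLAN.
        if ip in self.pinned and mac != self.pinned[ip]:
            alert = f"violation: {mac} claims {ip}, which is pinned to {self.pinned[ip]}"
            self.alerts.append(alert)
            return alert
        old = self.bindings.get(ip)
        self.bindings[ip] = mac
        if old is None or old == mac:
            return None          # new station or a refresh: nothing to report
        alert = f"changed: {ip} was {old}, now {mac}"
        if msg.gratuitous:
            alert += " (gratuitous ARP)"
        self.alerts.append(alert)
        return alert


# Constructed MACs for the stations in the figure: router .1 is MAC A, host 4 is MAC D.
MAC_A = "02:00:00:00:00:0a"
MAC_B = "02:00:00:00:00:0b"
MAC_D = "02:00:00:00:00:0d"


def replay_figure(pin_gateway: bool):
    """Replay the exchange from the figure and return (alerts per message, final table)."""
    mon = ArpMonitor(pinned={"10.2.3.1": MAC_A} if pin_gateway else None)
    msgs = [
        ArpMsg("reply", "10.2.3.2", MAC_B, "10.2.3.1"),                     # host 2 answers
        ArpMsg("reply", "10.2.3.1", MAC_A, "10.2.3.2"),                     # real router answers
        ArpMsg("request", "10.2.3.1", MAC_D, "10.2.3.1", gratuitous=True),  # host 4 claims .1
    ]
    return [mon.observe(m) for m in msgs], mon.bindings


if __name__ == "__main__":
    for pin in (False, True):
        alerts, table = replay_figure(pin)
        print("pinned gateway" if pin else "no pinning", alerts, table)
```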

DHCP Considerations

Dynamic Host Configuration Protocol (DHCP) allows hosts to request IP addresses from a central server. Additional parameters are usually passed as well, including DNS server IP address and the default gateway. DHCP can be attacked in two ways:

Attackers could continue to request IP addresses from a DHCP server by changing their source MAC addresses in much the same way as is done in a CAM table flooding attack. A tool to execute such an attack is available here: http://packetstormsecurity.org/DoS/DHCP_Gobbler.tar.gz. If successful, the attack will cause all the leases on the DHCP server to be allocated.

The second attack is a bit nastier. Here, the attacker introduces a rogue DHCP server into the network. The server then attempts to offer DHCP addresses to whomever requests them. The fields for the default gateway and DNS server are set to the attacker's host, enabling all sorts of sniffing and MITM attacks much like dsniff. Even if your real DHCP server is operational, it doesn't mean you won't get a rogue address. What happens to you depends on the host OS you are running. Here is the relevant bit from the DHCP RFC 2131:

The client collects DHCPOFFER messages over a period of time, selects one DHCPOFFER message from the (possibly many) incoming DHCPOFFER messages (e.g., the first DHCPOFFER message or the DHCPOFFER message from the previously used server) and extracts the server address from the "server identifier" option in the DHCPOFFER message. The time over which the client collects messages and the mechanism used to select one DHCPOFFER are implementation dependent.

I tested a number of different OSs and all accepted the first DHCP offer they received, whether it was for their old IP address or not. The method used to stop the first attack is identical to how you stop the CAM table flooding attack: use port security. The second attack is more difficult to stop. DHCP Authentication (RFC 3183) will help but has not yet been implemented (and also has some nasty key management implications). Both DHCP snooping and specific VACLs can help and are defined in the next sections.

DHCP Snooping

Some Cisco switches offer the ability to suppress certain types of DHCP information on certain ports. The primary feature enabling this functionality is DHCP snooping. DHCP snooping works by separating trusted from untrusted interfaces on a switch. Trusted interfaces are allowed to respond to DHCP requests; untrusted interfaces are not. The switch keeps track of the untrusted port's DHCP bindings and rate limits the DHCP messages to a certain speed. The first task in configuring DHCP snooping is to enable it:

Switch(config)#ip dhcp snooping

From here, DHCP snooping must be enabled for specific VLANs:

Switch(config)#ip dhcp snooping vlan number [number]

WARNING As soon as you enter the VLAN-specific DHCP command, all DHCP stops working until you trust the ports for the DHCP server with the DHCP snooping trust command. You should enter the trust command first if deploying to a production network.

To set up the trusted ports at the interface level, ports must be defined as trusted or untrusted using the following command:

Switch(config-if)# ip dhcp snooping trust

Untrusted ports can be optionally configured with a rate limit on the amount of DHCP messages allowed per second:

Switch(config-if)# ip dhcp snooping limit rate rate

WARNING Do not enable rate limiting on a trusted port because, when the rate is exceeded, the port is shut down. Rate limiting is designed more to protect the DHCP snooping process on the switch than to stop any DHCP attacks. Most DHCP attacks have a very low packet per second (pps) count.

DHCP snooping is not particularly useful if there are multiple systems behind a port on a switch (through either a hub or another switch). In these environments, the rogue DHCP server could sit off of this switch or hub and attack the local systems. For more information on other options for DHCP snooping, see the following: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_13/config/dhcp.htm.

DHCP VACLs

Not all switch deployments are able to take advantage of DHCP snooping. A lower-tech solution to this problem can be partially achieved with DHCP VACLs. The VACL can specify which addresses are able to send DHCP replies. These replies will come from the unicast IP address of the DHCP server offering the lease. By filtering these replies by source address, rogue DHCP servers can be properly filtered. Consider the typical DHCP deployment depicted in Figure 6-9.

Figure 6-9 Common DHCP Deployment

Here, a local LAN is being served by a remote DHCP server. This server receives DHCP requests by DHCP relay configured on the default router. When the default router receives the DHCP lease offer back from the DHCP server, it passes it on to the client directly. Here is a VACL to protect against rogue DHCP servers in this example:

set security acl ip ROGUE-DHCP permit udp host 192.0.2.1 any eq 68
set security acl ip ROGUE-DHCP permit udp host 10.1.1.99 any eq 68
set security acl ip ROGUE-DHCP deny udp any any eq 68
set security acl ip ROGUE-DHCP permit ip any any

From the point at which the user PC requests an initial lease, here is what happens:

1. The user PC boots up and sends a DHCP request with source 0.0.0.0 and destination 255.255.255.255.

2. Both the default router and the rogue DHCP server see this request.

3. The rogue DHCP server replies, but since the source IP address is not 192.0.2.1, the reply is dropped by the access switch.

4. The default router passes the DHCP request to the real DHCP server, receives a reply, and passes this information on to the client.

5. The client connects and uses the network.

WARNING Using VACLs to stop rogue DHCP servers is far from comprehensive protection. The rogue server could still spoof the IP address of the legitimate DHCP server. However, using VACLs will certainly stop all accidental DHCP servers put on the network and will thwart most common attackers.
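The two reply filters from the DHCP snooping section and the DHCP VACL section above, applied side by side to a constructed stream of DHCP messages so the difference in coverage (including the spoofed-server caveat in the warning) is visible (example code, not Cisco's implementation; port names, addresses and timings are constructed):

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

SERVER_MSGS = {"OFFER", "ACK", "NAK"}    # message types only a DHCP server sends


@dataclass(frozen=True)
class DhcpPkt:
    port: str       # switch port the packet arrived on
    src_ip: str
    dport: int      # 67 = to server, 68 = to client
    msg: str        # DHCP message type
    t: float        # arrival time in seconds


class DhcpSnooping:
    """Trusted ports may send server replies; untrusted ports may not, and can
    be rate-limited (exceeding the limit shuts the port down)."""

    def __init__(self, trusted: Iterable[str], rate_limit: Optional[int] = None):
        self.trusted: Set[str] = set(trusted)
        self.rate_limit = rate_limit
        self.recent: Dict[str, List[float]] = defaultdict(list)
        self.shut: Set[str] = set()

    def filter(self, p: DhcpPkt) -> str:
        if p.port in self.shut:
            return "drop"
        if p.port in self.trusted:
            return "permit"
        if p.msg in SERVER_MSGS:
            return "drop"            # an untrusted port is never allowed to answer
        if self.rate_limit is not None:
            window = [t for t in self.recent[p.port] if p.t - t < 1.0] + [p.t]
            self.recent[p.port] = window
            if len(window) > self.rate_limit:
                self.shut.add(p.port)   # the port is shut down, as the warning describes
                return "drop"
        return "permit"


def rogue_dhcp_vacl(allowed_sources: Iterable[str]):
    """The source-address VACL above: UDP to port 68 (client replies) is permitted
    only from the listed sources; all other traffic is permitted."""
    allowed = set(allowed_sources)

    def filt(p: DhcpPkt) -> str:
        if p.dport == 68:
            return "permit" if p.src_ip in allowed else "drop"
        return "permit"
    return filt


def run_scenario() -> dict:
    """Constructed traffic: a real OFFER relayed by the router on trusted port 2/1,
    a rogue OFFER from a host on 2/7, a rogue OFFER that spoofs the real server's
    address, and a burst of 20 DISCOVERs within one second on port 2/9."""
    snoop = DhcpSnooping(trusted=["2/1"], rate_limit=15)
    vacl = rogue_dhcp_vacl(["192.0.2.1", "10.1.1.99"])
    pkts = {
        "real_offer": DhcpPkt("2/1", "10.1.1.99", 68, "OFFER", 0.0),
        "rogue_offer": DhcpPkt("2/7", "10.1.1.200", 68, "OFFER", 0.1),
        "spoofed_offer": DhcpPkt("2/7", "192.0.2.1", 68, "OFFER", 0.2),
    }
    results = {name: (snoop.filter(p), vacl(p)) for name, p in pkts.items()}
    burst = [snoop.filter(DhcpPkt("2/9", "0.0.0.0", 67, "DISCOVER", 1.0 + i / 100))
             for i in range(20)]
    results["burst_permitted"] = burst.count("permit")
    results["port_2/9_shut"] = "2/9" in snoop.shut
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:16s} snooping/VACL -> {outcome}")
```

The spoofed offer shows why the warning above matters: snooping drops it because the port is untrusted, while the VACL, which only sees the source address, lets it through.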

Private VLANs

PVLANs offer further subdivision within an existing VLAN, allowing individual ports to be separated from others while still sharing the same IP subnet. This allows separation between devices to occur without requiring a separate IP subnet for each device (and the associated IP addresses that would waste). In its simplest form, PVLANs support isolated ports and promiscuous ports. Isolated ports can talk only to promiscuous ports, while promiscuous ports can talk to any port. In this deployment, the members of a subnet are isolated ports, and the gateway device is connected to a promiscuous port. This enables the hosts on a subnet to offer services to other subnets and to initiate requests of other subnets but not to service the requests of members of the same subnet. A further PVLAN option available on some switches is community ports. In this model several isolated ports can be considered part of a community, enabling them to communicate with each other and the promiscuous port but not with other communities or isolated ports. Figure 6-10 summarizes these options.

Figure 6-10 PVLANs

The most common security-related deployment of PVLANs is in a public services segment or demilitarized zone (DMZ) connected to a firewall. In this deployment, PVLANs prevent the compromise of one system from leading to the compromise of other systems connected to the same subnet. Without PVLANs, an attacker could go after other vulnerable systems on any port or protocol because the attacker is already past the firewall. For example, a server segment off of your main corporate firewall might have FTP, SMTP, and WWW servers. There probably isn't much need for these devices to communicate with one another, so PVLANs can be used. Configuring PVLANs varies from platform to platform. The simplest configuration method (available on entry-level Cisco IOS switches) uses the command port protected entered at the interface configuration level as a way to denote isolated ports. Ports without the port protected command are promiscuous. On higher-end switches, the configuration is more complex. The following Cisco CatOS example sets ports 3/2-48 as isolated ports and port 3/1 as the promiscuous port. Note the need to create two VLANs and map them together, creating the single functional PVLAN.

CatOS (enable) set vlan 31 pvlan primary
VTP advertisements transmitting temporarily stopped, and will resume after the command finishes.
Vlan 31 configuration successful
CatOS (enable) show pvlan
Primary Secondary Secondary-Type Ports
------- --------- -------------- -----
31
CatOS (enable) set vlan 32 pvlan isolated
VTP advertisements transmitting temporarily stopped, and will resume after the command finishes.
Vlan 32 configuration successful
CatOS (enable) set pvlan 31 32 3/2-48
Successfully set the following ports to Private Vlan 31,32: 3/2-48
CatOS (enable) set pvlan mapping 31 32 3/1
Successfully set mapping between 31 and 32 on 3/1

There are many more options for PVLAN configuration. For more details see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_1/conf_gd/vlans.htm#xtocid854519.

TIP PVLANs have different functionalities depending on the switch. On some switches, PVLANs are referred to as PVLAN edge. Check the documentation for your switch to understand the specific PVLAN capabilities.

PVLAN Security Considerations

PVLANs work fine unless the attacker does some creative things with ARP to try to get past them. The basic attack is to create a static ARP entry on the compromised machine showing that the victim machine is reachable by the router's MAC address. When the frame arrives at the router, the router will notice that the packet is really destined for the victim and will happily rebuild the frame with the correct MAC address and send it on its way. This attack works only in a unidirectional fashion if the attacker has compromised only the attacking host. If both hosts are compromised, bidirectional communication is trivial to set up. Stopping this attack is pretty easy. Configure an inbound ACL on your router to stop all traffic from the local subnet to the local subnet. For example, if your server farm segment is 172.16.34.0/24, configure the following ACL on the default gateway:

IOS(config)#access-list 101 deny ip 172.16.34.0 0.0.0.255 172.16.34.0 0.0.0.255 log
IOS(config)#access-list 101 permit ip any any
IOS(config-if)#ip access-group 101 in

L2 Best Practices Recommendations

In summary, L2 of the OSI model can be a pretty weak link in your network security system if you aren't careful. Luckily, most of the attacks require local access, meaning the attacks are generated from the LAN they are trying to affect. Your security policy should provide guidance on how far to go in securing L2 infrastructure. Here is a summary of the best practices outlined in this section:

Always use a dedicated VLAN ID for all trunk ports.
Avoid using VLAN 1.
Set all user ports to nontrunking.
Deploy port security when possible for user ports.
Choose one or more ARP security options.
Enable STP attack mitigation (BPDU Guard, Root Guard).
Use PVLANs where appropriate.
Use MD5 authentication for VTP when VTP is needed.
Disable CDP where it is not needed.
Disable all unused ports and put them in an unused VLAN.
Ensure DHCP attack prevention where needed.

IP Addressing Design Considerations

Although security considerations for L2 are important, the attacks require local access to be successful. When designing your L3 layout, the ramifications of your decisions are much more important. This section outlines overall best practices for IP addressing, including basic addressing, routing, filtering, and Network Address Translation (NAT).

General Best Practices and Route Summarization

The basic best practices for IP addressing should be familiar to you. At a high level in your design, you first must decide whether the IP address of the user on your network will have any significance from a security standpoint. For example, if you are an organization with three sites, are you just going to assign a subnet to each of the three sites, even though there are individuals at each site with different levels of security access? This approach is fine if your security system depends mostly on application layer security controls (AAA, intrusion detection). I've seen many designs that do this successfully, but it does take away a simple control that many find useful: L3 access control. Here, users are put into group-specific subnets that provide an additional layer of access control between the user and the resources. You can compare the two approaches in Figures 6-11 and 6-12.

Figure 6-11 Application Security Design

As you can see in Figure 6-11, this simplified diagram shows three sites, each with a /23 subnet of the 10 network. There are two main groups at these three sites, marketing and R&D. In this design, the servers and PCs for each of these groups share the same site-specific subnet. This means any security controls will be unable to take into account the IP address of the system attempting access.

Figure 6-12 Application Security Plus L3 ACL Design

In Figure 6-12, the same /23 subnet exists per site, but it has been further divided into two /24 subnets, one for each organization. This allows intersubnet filtering at the routed connection at each site. This filtering could be used in sites B and C to prevent the R&D and marketing departments from accessing each other's PCs and at the data center to ensure that only marketing PCs can access marketing servers and likewise for the R&D department.

TIP This sort of filtering is referred to as role-based subnetting throughout the rest of this book.

Although the benefits of the approach shown in Figure 6-12 are pretty clear, this kind of design gets exponentially more difficult as the number of sites and of different groups in an organization increases. Wireless features and the wired mobility of the workforce also affect the feasibility of this design. Technologies such as 802.1x (see Chapter 9) can make this easier but by no means solve all the problems. Like any of the discussions in this book, every design decision should come back to the requirements of your security policy.

TIP I have seen some designs that attempt to trunk VLANs throughout the sites of an organization. For example, consider if the design in Figure 6-12 had only two subnets, one for R&D and another for marketing. These subnets would need to exist at all three sites. The principal problem with this design is the need to trunk the VLANs at L2 throughout the organization. This increases the dependence on STP and could make the design more difficult to troubleshoot.

Route summarization is always something that sounds easy when you first design a network and gets harder and harder as the network goes into operation. The basic idea is to keep your subnet allocations contiguous per site so that your core routers need the smallest number of routes in their tables to properly forward traffic. In addition to reducing the number of routes on your routers, route summarization also makes a network far easier to troubleshoot. In Figure 6-12, you can see a very simple example of route summarization. Sites B and C each have two /24 subnets, but they are contiguously addressed so they can be represented as one /23 subnet. These summarizations also help when writing ACLs since a large number of subnets can be identified with a single summarized ACL entry.

Ingress/Egress Filtering

Ingress/egress filtering is different from what you would normally call firewalling. Ingress/egress filtering is the process of filtering large classes of networks that have no business being seen at different parts of your network. Although ingress/egress can mean different things depending on your location, in this book ingress refers to traffic coming into your organization, and egress refers to traffic leaving it. Several types of traffic can be filtered in this way, including RFC 1918 addresses, RFC 2827 antispoof filtering, and nonroutable addresses. The next several sections discuss each option as well as a method of easily implementing filtering using a feature called verify unicast reverse path forwarding (uRPF).

RFC 1918

RFC 1918, which can be downloaded from http://www.ietf.org/rfc/rfc1918.txt, states that a block of addresses has been permanently set aside for use in private intranets. Many organizations today use RFC 1918 addressing inside their organizations and then use NAT to reach the public Internet. The addresses RFC 1918 sets aside are these:

10.0.0.0 to 10.255.255.255 (10/8 prefix)
172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
192.168.0.0 to 192.168.255.255 (192.168/16 prefix)


The basic idea of RFC 1918 filtering is that there is no reason you should see RFC 1918 addressing from outside your network coming in. So, in a basic Internet design, you should block RFC 1918 addressing before it crosses your firewall or WAN router. An ACL on a Cisco router to block this traffic looks like this:

IOS(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
IOS(config)#access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
IOS(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
IOS(config)#access-list 101 permit ip any any
IOS(config-if)#ip access-group 101 in

This ACL stops any traffic with a source IP address in the RFC 1918 range from entering your site. Also, your Internet service provider (ISP) should be blocking RFC 1918 addressing as well; check to make sure it is.

NOTE

I had a conversation once with the administrator of a popular website who was the victim of a distributed denial of service (DDoS) attack that was launched entirely from RFC 1918 address space. If only his ISP had blocked this space, his website would have been unaffected. You can bet he had some choice words for the ISP after this attack!

One consideration with RFC 1918 addressing is the headaches it can cause when you need to connect to another organization that uses the same range of RFC 1918 addresses. This can happen through a merger or in an extranet arrangement. To at least slightly reduce the chances of this, pick addresses that aren't at the beginning of each major net range. For example, use 10.96.0.0/16, not 10.1.0.0/16.

RFC 2827

RFC 2827 defines a method of ingress and egress filtering based on the network that has been assigned to your organization. If your organization is assigned the 192.0.2.0/24 address, those are the only IP addresses that should be used in your network. RFC 2827 filtering can ensure that any packet that leaves your network has a source IP address of 192.0.2.0/24. It can also make sure that any packet entering your network has a source IP address other than 192.0.2.0/24. Figure 6-13 shows how this filtering could be applied both at the customer network and the ISP.

Figure 6-13 RFC 2827 Filtering

When implementing RFC 2827 filtering in your own network, it is important to push this filtering as close to the edge of your network as possible. Filtering at the firewall only might allow too many different spoofed addresses (thus complicating your own trace back). Figure 6-14 shows filtering options at different points in a network.

WARNING

Be careful about the potential performance implications of RFC 2827 filtering. Make sure the devices you are using support hardware ACLs if your performance requirements dictate that they must. Even with hardware ACLs, logging is generally handled by the CPU, which can adversely affect performance when you are under attack.

Figure 6-14 Distributed RFC 2827 Filtering

When using RFC 2827 filtering near your user systems and those systems that use DHCP, you must permit additional IP addresses in your filtering. Here are the details, straight from the source (RFC 2827):

"If ingress filtering is used in an environment where DHCP or BOOTP is used, the network administrator would be well advised to ensure that packets with a source address of 0.0.0.0 and a destination of 255.255.255.255 are allowed to reach the relay agent in routers when appropriate."

If properly implemented, RFC 2827 can reduce certain types of IP spoofing attacks against your network and can also prevent IP spoofing attacks (beyond the local range) from being launched against others from your site. If everyone worldwide implemented RFC 2827 filtering, the Internet would be a much safer place because hiding behind IP spoofing attacks would be nearly impossible for attackers.

Nonroutable Networks

Besides private network addressing and antispoof filtering, there are a host of other networks that have no business being seen, including those that won't be seen for some time because they haven't yet been allocated. For example, at the time this was written, the /8 networks from 82 to 126 had not yet been allocated from the Internet Assigned Numbers Authority (IANA) to any of the regional Internet registries (RIRs). This data can be tracked at a very high level at the following URL: http://www.iana.org/assignments/ipv4-address-space. IANA is responsible for allocating Internet Protocol version 4 (IPv4) address space to the RIRs; the RIRs then allocate address space to customers and ISPs. All of this is of interest to ISPs, which might try not to forward traffic from address space that has yet to be allocated. In doing so, they will reduce the available networks that attackers can use in spoofing attacks. Rob Thomas (founder of Cymru.com) maintains an unofficial page of something called "bogon" ranges. Bogon ranges are address ranges that have no business being seen on the Internet. They are either reserved, specified for some special use, or unallocated to any RIR. Filtering this comprehensive list of subnets can narrow the potential source of spoofed IP packets. Be aware that this list can change every few months, meaning these filters must also be periodically changed. Thomas's bogon list is available here: http://www.cymru.com/Documents/bogon-list.html.

WARNING

Be aware that, with all this filtering, you are making things more difficult for the attacker but not impossible. An attack tool could easily decide to spoof only address ranges that have been allocated. In fact, attackers have started to reduce the amount of attacks that they actually spoof traffic from. By compromising several other hosts around the world, they feel safe launching attacks from those remote systems directly.

For organizations unable to track the changing bogon list, RFC 3330 states some special subnets that can permanently be filtered from your network. They are the following:

0.0.0.0/8: This network refers to hosts on this network, meaning the network where the packet is seen. This range should be used only as a source address and should not be allowed in most situations except DHCP/Bootstrap Protocol (BOOTP) broadcast requests and other similar operations. It can certainly be filtered inbound and outbound from your Internet connection.

127.0.0.0/8: This subnet is home to the address 127.0.0.1, referring to localhost, or your machine. Packets should never be seen on networks sourced from the 127/8 network. RFC 3330 says it best: "No addresses within this block should ever appear on any network anywhere."

169.254.0.0/16: This subnet is reserved for hosts without access to DHCP to autoconfigure themselves to allow communications on a local link. You are safe in filtering this subnet on your network.

192.0.2.0/24: This subnet, commonly called the "TEST-NET," is a /24 subnet allocated for sample code and documentation. You might notice that some diagrams in this book use this address when a registered address is represented. You should never see this network in use anywhere.

198.18.0.0/15: This subnet has been set aside for performance benchmark testing as defined in RFC 2544. Legitimate network-attached devices should not use this address range, so it can be filtered.

224.0.0.0/4: This is the multicast range. On most networks, this can be filtered at your Internet edge, but obviously, if your network supports multicast, this would be a bad idea. In most cases, it is a bad idea to filter it internally because multicast addresses are used for many popular routing protocols.

240.0.0.0/4: This is the old Class E address space. Until IANA decides what to do with this space, it can be safely filtered at your Internet edge.

TIP

One thing to consider is that although filtering bogons or the subset listed in RFC 3330 is possible on your internal network, it isn't necessary. If you are properly implementing RFC 2827 filtering, you implicitly deny any network that is not your own, which would include all bogon ranges. Filtering bogons is most appropriate at your Internet edge, where you would also implement RFC 2827 and RFC 1918 filtering. Within your campus network, filtering with RFC 2827 is sufficient.

uRPF

A far easier way to implement RFC 2827 filtering is to use something that on Cisco devices is called verify unicast reverse path forwarding (uRPF). This functionality is available on multiple vendors' platforms, though it might be known by a different name. Cisco documentation for basic uRPF configuration can be found here: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfrpf.htm. This filtering works by blocking inbound source IP addresses that don't have a route in the routing table pointing back at the same interface on which the packet arrived. To be more specific, uRPF checks the forwarding information base (FIB) that is created from the routing table on all Cisco devices running Cisco express forwarding (CEF). As such, uRPF works only on Cisco devices that support CEF. For example, consider the following situation:

1. A packet arrives on a router with a source IP address of 192.0.2.5 at interface Ethernet0/0.
2. uRPF checks the FIB by doing a reverse lookup to determine whether the return path to the source IP address would use the same interface that the packet arrived on. If the best return path would use a different interface, the packet is dropped. If the best return path is the interface that the packet arrived on, the packet is forwarded toward its destination.
3. If there are multiple best paths (as in the case of load balancing), uRPF will forward the packet as long as the interface the packet arrived on is in the list of best paths.

The syntax for uRPF is very simple:

IOS(config-if)#ip verify unicast reverse-path

Some additional options are available to provide more granularity in configuration. For example, ACLs that are evaluated when a uRPF check fails can be applied.

WARNING

Like RFC 2827, uRPF is most effective close to the edge of your network. This is because the edge of your network is the most likely location in your network to have routing symmetry (meaning packets arrive on the same interface that the return traffic will use). You should not deploy uRPF on interfaces that contain asymmetrically routed traffic, or legitimate traffic will be dropped.

For a service provider or a very large enterprise customer, there is an additional option called uRPF loose mode. (The previous mode is sometimes called strict mode.) Loose mode allows a packet to forward as long as there is a return route to the source somewhere in the FIB. This has the result of blocking the entire bogon list. I say "larger enterprise" here because you generally need the entire Border Gateway Protocol (BGP) routing table on your router before this is useful; otherwise, any spoofed packet will have an entry in the FIB because of the default route. When you have the entire BGP routing table on a device, you usually don't need a default route. The command for loose-mode uRPF looks like this:

IOS(config-if)# ip verify unicast source reachable-via any

There is also an allow-default flag that can be set, depending on whether you want the default route to be considered a valid route when making the uRPF decision.
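To make the strict, loose, and allow-default decisions described above concrete, here is an added Python model of the uRPF reverse lookup (not Cisco code and not from the book). The FIB entries, interface names, and source addresses are constructed for the example; the default route is represented as 0.0.0.0/0.

```python
"""uRPF strict and loose mode modelled in Python (added example, not Cisco code).

Each FIB entry is a prefix and the list of interfaces the FIB would use to reach
it (more than one interface when the route is load balanced). uRPF does a
reverse lookup on the packet's *source* address against this table.
"""
from ipaddress import ip_address, ip_network

# Constructed edge-router FIB: Serial0 faces the ISP and carries the default
# route; the customer's own prefixes sit behind the Ethernet interfaces.
EDGE_FIB = [
    ("192.0.2.0/24",   ["Ethernet0/0"]),                 # customer LAN
    ("192.0.2.128/25", ["Ethernet0/1"]),                 # more specific prefix
    ("10.1.0.0/16",    ["Ethernet1/0", "Ethernet1/1"]),  # load balanced
    ("0.0.0.0/0",      ["Serial0"]),                     # default route toward ISP
]

# Constructed sample of a "full table" router with no default route: a source
# that matches nothing (a bogon) has no return path anywhere in the FIB.
FULL_TABLE_FIB = [
    ("192.0.2.0/24",    ["Ethernet0/0"]),
    ("198.51.100.0/24", ["Serial0"]),
    ("203.0.113.0/24",  ["Serial1"]),
]


def reverse_lookup(fib, src):
    """Longest-prefix match on the source address; (network, interfaces) or None."""
    addr = ip_address(src)
    best = None
    for prefix, ifaces in fib:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best


def urpf_strict(fib, src, ingress_if, allow_default=False):
    """Strict mode: the best return path must include the ingress interface."""
    match = reverse_lookup(fib, src)
    if match is None:
        return False                      # no route back to the source: drop
    net, ifaces = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    return ingress_if in ifaces           # any load-balanced best path counts


def urpf_loose(fib, src, allow_default=False):
    """Loose mode: a return route to the source on any interface is enough."""
    match = reverse_lookup(fib, src)
    if match is None:
        return False
    net, _ = match
    return allow_default or net.prefixlen != 0
```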

NAT

Few technologies have generated as much discussion among security communities as NAT. The idea of translating private addresses to public addresses is seen by many as a good way for organizations without their own IP ranges to get on the Internet. Rather than address their internal network with the addresses provided by their ISP (thus making changing ISPs very difficult), they simply choose to translate RFC 1918 addresses as they leave the network. If you want a simple rule to follow, never use NAT in a security role. NAT is fine for its intended purpose: address translation. But if you have places in your network where your security relies on NAT, you probably need to reevaluate your design. If you agree with me and understand why, feel free to skip the rest of this section; if not, read on.

NAT can be done in three main ways. Static translation is when an internal IP address corresponds to a specific external IP address. This is generally done for publicly accessible servers that must be reachable from the outside on a predictable IP address. One-to-one NAT, or basic NAT, is when an IP address inside corresponds to a single address on the outside selected from a pool. One day a system might get 192.0.2.10; another day it might get .11. Finally, many-to-one NAT (sometimes called port address translation [PAT] or NAT overload) is when a large number of private addresses can be translated to a single public IP address. This is a very popular use of NAT for organizations with limited public address space. All of their internal users can use a small number of public IP addresses.

There is little debate about the security benefits of the first two NAT options (static and one-to-one): simply put, there is none. Because each internal address corresponds to a single public address, an attacker would merely need to attack the public address to have that attack translated to the private address. Where the discussion comes in is about the benefits of many-to-one NAT. Although their numbers seem to be declining, there are some who believe that many-to-one NAT is a valuable security tool. The basic premise is this: when you are using many-to-one NAT, the NAT system keeps track of user connections from the inside to the outside by changing the source port number at Layer 4 (L4). When the return traffic comes back destined for that port number/IP address (with the right source IP address and port number), the NAT system translates the destination port number/IP address to the internal private host and sends the traffic.

This type of protection falls into the security-through-obscurity category outlined in Chapter 1, "Network Security Axioms." An attacker could do a number of things that would not be stopped by NAT:

Send a Trojan application by e-mail (or a compromised web page) that opens a connection from the private host to the attacking host.
Send data with the correct port number and IP address (with the right spoofed source port and IP address). This would require some trial and error on the part of the attacker, but it cannot be discounted in the event that the attacker is going after your network specifically.
Allow outside connections. Although this isn't so much an attacker action, there are many applications on a host that open periodic connections with hosts on the Internet. NAT has no way of blocking connections from the inside out.

The specifics of when, where, and why to use NAT are general networking design issues, not security related. From a security perspective, I would have no reservations using public addresses for all of a network and not using NAT at all.

TIP

For teleworkers and home users, sometimes NAT might be the only network-level security technology available. In these cases, many-to-one NAT is certainly better than no network security technology. However, it is better to properly secure the hosts on a network and have no NAT than to have NAT without any host security protections.

ICMP Design Considerations

One way to spot inexperienced secure network design is to look for networks that completely block Internet Control Message Protocol (ICMP) traffic. As any operator of all but the smallest networks will tell you, troubleshooting a network without ping is very frustrating, bordering on impossible. That said, ICMP messages should not be enabled everywhere without reservation. Some security considerations must be understood, just like for any other protocol. This section assumes basic ICMP understanding. Refer to your favorite TCP/IP book for background or read RFC 792. ICMP security can be a very lengthy discussion because lots of nasty things can be done with ICMP messages when scanning networks or trying to gain a covert channel. If you are interested in this sort of thing, Ofir Arkin's paper titled "ICMP Usage in Scanning" is available at http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.5.pdf. Rob Thomas has some guidelines for ICMP filtering that are available here: http://www.cymru.com/Documents/icmp-messages.html. The basics behind ICMP design considerations are to define how much ICMP traffic you should allow on your network and which message types you should filter.

ICMP Rate Limiting

Because ICMP is a troubleshooting and error-reporting tool, there should be a limit to the amount of ICMP traffic you see on a given network. For example, on a 100 Mbps Ethernet link, you might block ICMP traffic that exceeds 500 Kbps. A technology called committed access rate (CAR) enables this sort of filtering and is discussed later in this chapter.

ICMP Message Type Filtering

As Chapter 2 discussed, your own security policies and threat models might be different from those assumed here. Deploying filters throughout your internal network to permit only the ICMP message types required would be difficult. As a first step, focus on possible boundaries of trust between two networks. Your network will have its own trust boundaries, but here are a few to get you started. Zones of trust are detailed more fully in Chapter 12, "Designing Your Security System."

Internet and internal network
Management network and production network
Critical applications and production network

An easy first step in ICMP filtering is to deny any ICMP message that is a fragment. First, the ICMP messages you must permit are generally small. Echo and echo reply, for example, default on BSD UNIX to 84 bytes: 20-byte IP header, 8-byte ICMP header, and 56 bytes of ICMP data. Other required ICMP messages are similarly small and come nowhere near the minimum link size on today's IP networks. Blocking ICMP fragments is easy using an ACL:

access-list 101 deny icmp any any fragments

WARNING

The fragments keyword in a Cisco ACL has some special use rules. For a detailed discussion of this, including flow charts and examples, check the paper at the following URL: http://www.cisco.com/warp/public/105/acl_wp.html. As a quick summary of the paper, the fragments keyword applies only to noninitial fragments (fragment offset ≠ 0), so in the preceding example, the first part of a fragmented ICMP packet will not match that entry, while all subsequent fragments will.

When filtering ICMP messages between trust boundaries, apply the security principle "Expressly permit, implicitly deny." Though your specific requirements may vary, the following ICMP types should be permitted in some form:

ICMP echo request and ICMP echo reply
ICMP destination unreachable: fragmentation needed but DF bit set
ICMP time exceeded

ICMP Echo Request and ICMP Echo Reply

ICMP echo request (Type 8 Code 0) and ICMP echo reply (Type 0 Code 0) are better known as the message types used by the ping command. The format of an ICMP echo message has the standard 8 bytes of ICMP header information and then allows for a variable-length data field that can contain any kind of data. Certain size ping packets caused system crashes on some older OSs. This attack was commonly called the Ping of Death. More information can be found here: http://www.insecure.org/sploits/ping-o-death.html. Permitting ICMP echo can lead to DoS attacks and buffer overflows as discussed in Chapter 3. It can also lead to a covert channel because information can be embedded into the data field in the ICMP echo message. An attacker that installs special software on a host internal to your network could communicate back and forth using only ICMP echo request or reply messages. Covert channels have been implemented in many different protocols, and they are impossible to completely eliminate. So, with these risks, it is understandable why a security engineer would want to stop ICMP echo messages. Unfortunately, troubleshooting would be far too difficult without it, making your overall network less secure in most cases. With all that said, here are the best practices:

Permit ICMP echo request messages to leave your network destined for any network you have reason to communicate with.
Permit ICMP echo reply messages to your internal hosts from any network you have reason to communicate with.
Permit ICMP echo request messages from external hosts to servers they must access (public web servers, for example). As of this writing, a random sampling of top websites yielded several that block inbound pings to their servers and several more that permit them. As an organization, you must weigh the risks of allowing this traffic against the risks of denying this traffic and causing potential users troubleshooting difficulties.
Permit ICMP echo reply messages from any server system to the networks where that server's users reside. Echo replies from your public web server to the Internet at large are an example of this.
Deny every other ICMP echo message.

As an example, consider the very simplified Internet edge shown in Figure 6-15.

Figure 6-15 Simple Internet Edge

If you were writing ICMP echo access lists for router "police," the inbound Serial0 ACL would look like this:

! permit echo-request to Serial0 interface of the router
access-list 101 permit icmp any host 192.0.2.2 echo
! permit echo-request to public server
access-list 101 permit icmp any host 126.0.64.10 echo
! permit echo-reply from anywhere to the internal network and the public server
access-list 101 permit icmp any 126.0.128.0 0.0.0.255 echo-reply
access-list 101 permit icmp any host 126.0.64.10 echo-reply

The ACL on the inbound Ethernet0 interface would look like this:

! permit echo-request from the internal network to anywhere
access-list 102 permit icmp 126.0.128.0 0.0.0.255 any echo

The ACL on the inbound Ethernet1 interface would look like this:

! permit echo-request from the public web server to anywhere
access-list 103 permit icmp host 126.0.64.10 any echo
! permit echo-reply from the public web server to anywhere
access-list 103 permit icmp host 126.0.64.10 any echo-reply

Based on these ACLs, internal users can ping the web server and the Internet, the Internet can ping the web server, and the web server can ping the Internet. Of special note is that the web server cannot ping internal hosts. Based on your security policies, you can permit this to aid in troubleshooting, but be aware that many organizations consider public servers to be not much more trusted than the Internet. To make the change, you would add this line to the Ethernet0 ACL:

! permit echo-reply from the internal network to the public web server
access-list 102 permit icmp 126.0.128.0 0.0.0.255 host 126.0.64.10 echo-reply


NOTE

Cisco router ACLs can be applied inbound or outbound on a given interface. Security folks, myself included, tend to prefer inbound ACLs, but there are situations in which you must use both and situations in which an outbound ACL makes more sense. I prefer inbound because the packets are blocked before they cross the router. Outbound ACLs allow the packet to be routed by the router and then are blocked when they try to leave. This could leave the router open to certain attacks. Another special note on Cisco ACLs is that ACLs never apply to traffic generated by the router. So, even if you have an inbound and an outbound ACL on a router denying all traffic, the router will still be able to send any packet it wants; the return packet, however, will be blocked as usual.

ICMP Destination Unreachable/Fragmentation Needed but DF Bit Set

ICMP destination unreachable messages (type 3, codes 0 through 15) are a whole range of messages designed to alert the sending system that something is wrong with a particular message sent. This includes specific errors such as network unreachable (code 0), host unreachable (code 1), protocol unreachable (code 2), and port unreachable (code 3). These types of messages are generated by hosts and routers when a sending system tries to go somewhere that is unreachable for whatever reason. Many security administrators block most type 3 messages because the sending host will often figure out that the service is unavailable on its own without the benefit of the ICMP message (albeit more slowly). One message is required though: "fragmentation needed but DF bit set" (type 3 code 4). This message is required for path Maximum Transmission Unit (MTU) discovery to work. Path MTU discovery is the method most hosts use to determine the IP MTU size for their traffic. Without it functioning properly, large TCP segments could be dropped without a means to remedy the problem because the offending host never knows why the drop occurs. Path MTU discovery has some interesting implications in IPsec and is discussed in more detail in Chapter 10, "IPsec VPN Design Considerations." ICMP type 3 code 4 messages can be easily permitted by adding the following line to the ACLs built for Figure 6-15:

access-list 101 permit icmp any any packet-too-big

ICMP Time Exceeded

ICMP time exceeded: Time-to-Live (TTL) equals 0 during transit (type 11 code 0) is required because it is used by traceroute. To permit these messages, add the following line to the ICMP ACLs you have seen in this section:

access-list 101 permit icmp any any time-exceeded

ICMP Filtering Recommendations

As you can see, there was a reason that ICMP was created beyond as a playground for attackers. Although most of the 15 ICMP message types can be blocked, several are necessary to the healthy operation of a network. We can rebuild the previous ACLs to allow all the messages we discussed, to block fragments, and to deny any other ICMP messages. Those ACLs are as follows.

Router "police" Serial0 ACL, inbound:

! deny non-initial ICMP fragments
access-list 101 deny icmp any any fragments
! permit echo-request to Serial0 interface of the router
access-list 101 permit icmp any host 192.0.2.2 echo
! permit echo-request to public server
access-list 101 permit icmp any host 126.0.64.10 echo
! permit echo-reply from anywhere to the internal network and the public server
access-list 101 permit icmp any 126.0.128.0 0.0.0.255 echo-reply
access-list 101 permit icmp any host 126.0.64.10 echo-reply
! permit "fragmentation needed but DF bit set" message
access-list 101 permit icmp any any packet-too-big
! permit "Time exceeded" message
access-list 101 permit icmp any any time-exceeded
! deny any other ICMP message
access-list 101 deny icmp any any
! from here you would continue with other non-ICMP-related ACL entries

Router "police" Ethernet0 ACL, inbound:

! deny non-initial ICMP fragments
access-list 102 deny icmp any any fragments
! permit echo-request from the internal network to anywhere
access-list 102 permit icmp 126.0.128.0 0.0.0.255 any echo
! permit "fragmentation needed but DF bit set" message
access-list 102 permit icmp any any packet-too-big
! permit "Time exceeded" message
access-list 102 permit icmp any any time-exceeded
! deny any other ICMP message
access-list 102 deny icmp any any
! from here you would continue with other non-ICMP-related ACL entries

Router "police" Ethernet1 ACL, inbound:

! deny non-initial ICMP fragments
access-list 103 deny icmp any any fragments
! permit echo-request from the public web server to anywhere
access-list 103 permit icmp host 126.0.64.10 any echo
! permit echo-reply from the public web server to anywhere
access-list 103 permit icmp host 126.0.64.10 any echo-reply
! permit "fragmentation needed but DF bit set" message
access-list 103 permit icmp any any packet-too-big
! permit "Time exceeded" message
access-list 103 permit icmp any any time-exceeded
! deny any other ICMP message
access-list 103 deny icmp any any
! from here you would continue with other non-ICMP-related ACL entries

NOTE

If you want to get very picky, you could probably block the packet-too-big and time-exceeded messages from being generated by either the public server segment or the internal network, depending on the rest of your configuration. With protocols such as ICMP (which are often used in troubleshooting), you are probably better off following the KISS principle by making your ICMP filtering consistent as much as possible.
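The following added Python example (not Cisco's or the book's code) parses the Serial0 ACL above and evaluates constructed packets against it, so you can see why the fragments entry sits first. It assumes the noninitial-fragment rules from Cisco's ACL paper referenced in the earlier WARNING: an entry with the fragments keyword matches only noninitial fragments, an entry carrying Layer 4 information (an ICMP type keyword) permits a noninitial fragment but never denies one, and an entry with no Layer 4 information matches both kinds; the test packets and their addresses are constructed.

```python
"""ICMP ACL evaluator (added example, not Cisco code).

Models the entries used in this section with the noninitial-fragment rules from
the WARNING above: 'fragments' matches only noninitial fragments; an entry with
Layer 4 information (an ICMP type keyword) can permit, but never deny, a
noninitial fragment; an entry with no Layer 4 information matches either kind.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# IOS ICMP keywords used in the chapter -> (type, code); code None = any code
ICMP_KEYWORDS = {"echo": (8, None), "echo-reply": (0, None),
                 "packet-too-big": (3, 4), "time-exceeded": (11, None)}

# Router "police" Serial0 ACL as recommended in the text (addresses from Figure 6-15).
SERIAL0_ACL = """
! deny non-initial ICMP fragments
access-list 101 deny icmp any any fragments
access-list 101 permit icmp any host 192.0.2.2 echo
access-list 101 permit icmp any host 126.0.64.10 echo
access-list 101 permit icmp any 126.0.128.0 0.0.0.255 echo-reply
access-list 101 permit icmp any host 126.0.64.10 echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any
"""


@dataclass
class Packet:
    src: str
    dst: str
    icmp_type: Optional[int]  # None for a noninitial fragment (no ICMP header)
    icmp_code: int = 0
    frag_offset: int = 0      # nonzero means noninitial fragment


def _parse_addr(tok, i):
    """Return ((address, wildcard) as ints, next index) for any | host A | A WILDCARD."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ip_address(tok[i + 1])), 0), i + 2
    return (int(ip_address(tok[i])), int(ip_address(tok[i + 1]))), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny icmp SRC DST [type-keyword|fragments]' lines."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":          # blank line or IOS comment
            continue
        if tok[0] != "access-list" or tok[3] != "icmp":
            raise ValueError("unsupported entry: " + line)
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        rest = tok[i:]
        entries.append({
            "action": tok[2], "src": src, "dst": dst,
            "fragments": rest == ["fragments"],
            "l4": ICMP_KEYWORDS[rest[0]] if rest and rest[0] != "fragments" else None,
        })
    return entries


def _addr_match(spec, addr):
    value, wildcard = spec                # wildcard bit set = don't care
    return (int(ip_address(addr)) | wildcard) == (value | wildcard)


def _entry_matches(entry, pkt):
    if not (_addr_match(entry["src"], pkt.src) and _addr_match(entry["dst"], pkt.dst)):
        return False
    noninitial = pkt.frag_offset != 0
    if entry["fragments"]:
        return noninitial                 # keyword applies only to noninitial fragments
    if entry["l4"] is None:
        return True                       # Layer 3 only: initial and noninitial alike
    if noninitial:                        # no ICMP header to inspect
        return entry["action"] == "permit"
    icmp_type, icmp_code = entry["l4"]
    return pkt.icmp_type == icmp_type and (icmp_code is None or pkt.icmp_code == icmp_code)


def evaluate(entries, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in entries:
        if _entry_matches(entry, pkt):
            return entry["action"]
    return "deny"
```

Removing the fragments entry from SERIAL0_ACL and re-evaluating a noninitial fragment addressed to the public server shows the difference: the Layer 4 permit entry for that host then lets the fragment through.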

'outing Considerations
As we continue to slowly wor" our way up the 2SI %odel with these !est practices$ it is now useful to develop so%e design considerations in the real% of routing& The %ost i%portant is the security of the routing protocol&

'outing Protocol Security


outing security has received varying levels of attention over the past several years and has recently !egun to attract %ore attention specifically around 8<P on the pu!lic Internet& Despite this new attention$ however$ the area %ost open to attac" is often not the Internet9s 8<P ta!les !ut the routing syste%s within your own enterprise networ"& 8ecause of so%e of the sniffing1!ased attac"s discussed in Chapter ( and earlier in this chapter$ an enterprise routing infrastructure can easily !e attac"ed with MITM and other attac"s designed to corrupt or change the routing ta!les with the following results:

Tra&&ic redirectionSIn this attac"$ the adversary is a!le to redirect traffic$ ena!ling the attac"er to %odify traffic in transit or si%ply sniff pac"ets& Tra&&ic sent to a routing black holeS7ere the attac"er is a!le to send specific routes to nullA$ effectively "ic"ing IP addresses off of the networ"&

'outer oSSAttac"ing the routing process can result in a crash of the router or a severe degradation of service& 'outing $rotocol oSSSi%ilar to the attac" previously descri!ed against a whole router$ a routing protocol attac" could !e launched to stop the routing process fro% functioning properly& 1nauthori?ed route $re&i2 originationSThis attac" ai%s to introduce a new prefi4 into the route ta!le that shouldn9t !e there& The attac"er %ight do this to get a covert attac" networ" to !e routa!le throughout the victi% networ"&

There are four pri%ary attac" %ethods for these attac"s:

Configuration %odification of e4isting routers Introduction of a rogue router that participates in routing with legiti%ate routers Spoofing a valid routing protocol %essage or %odifying a valid %essage in transit Sending of %alfor%ed or e4cess pac"ets to a routing protocol process

These four attac" %ethods can !e %itigated in the following ways:

To counter configuration %odification of e4isting routers$ you %ust secure the routers& This includes not only the configuration of the router !ut also the supporting syste%s it %a"es use of$ such as T;TP servers& See Chapter ,$ )Device 7ardening$) for %ore infor%ation& Anyone can atte%pt to introduce a rogue router$ !ut to cause da%age$ the attac"er needs the other routing devices to !elieve the infor%ation that is sent& This can %ost easily !e !loc"ed !y adding %essage authentication to your routing protocol& More on this su!#ect can !e found in the ne4t section& Additionally$ the routing protocol %essage types can !e !loc"ed !y ACLs fro% networ"s with no need to originate the%& Message authentication can also help prevent the spoofing or %odification of a valid routing protocol %essage& In addition$ the transport layer protocol -such as TCP for 8<P0 can further co%plicate %essage spoofing !ecause of the difficulty in guessing pseudorando% initial se=uence nu%!ers -assu%ing a re%ote attac"er0& *4cess pac"ets can !e stopped through the use of traditional DoS %itigation techni=ues$ which are discussed later in the chapter& Malfor%ed pac"ets$ however$ are nearly i%possi!le to stop without the participation of the router vendor& 2nly through e4haustive testing and years of field use do routing protocol i%ple%entations correctly deal with %ost %alfor%ed %essages& This is an area of co%puter security that needs increased attention$ not #ust in routing protocols !ut in all networ" applications&

As you can see, stopping all these attacks is not a matter of flipping on the "secure" option in your routing protocols. As stated in Chapter 2, you must decide for your own network what threats need to be stopped. In addition to the specific threats mentioned here, it is also very useful to follow the network design best practices of not running routing protocols on interfaces with no reason to route (passive interfaces) and of using distribute lists (the IOS distribute-list command) to limit the routing prefixes that are sent or received by a specific routing instance. Details on distribute lists can be found in your favorite Internet routing book.

Routing Protocol Message Authentication


Although they vary in the strength of the authentication they offer, nearly all routing protocols support some form of message authentication. There are two principal types of authentication used in routing protocols today: plaintext password and MD5 digest.

Plaintext Password Authentication


Plaintext password authentication is just what it sounds like. A password is attached to the routing update and is sent in the clear along with the routing update. The passwords have specific length requirements as defined by the routing protocol in use. Plaintext password authentication should be considered specious security because anyone who sees a single routing update on the wire sees the authentication information if it is in use. From this point on, the attacker can appear to be a member of the trusted routing domain. The plaintext password does offer some benefit in that it prevents routing protocol changes when an invalid router is accidentally introduced into a production routing environment; it is a safeguard against misconfiguration, not against an attacker.

MD5 Digest Authentication

MD5 digest authentication works by creating a 16-byte hash of the routing message combined with a secret key. The 16-byte value is, therefore, message-specific, and modification of the message by an attacker invalidates the 16-byte digest appended to the message. Without the secret key, which is never sent over the wire by the routing protocol, the attacker is unable to produce a valid digest for a forged or altered message. It is worth noting that the MD5 option provides authentication and packet integrity, not confidentiality: the routing information itself is still readable by anyone on the wire. Figure 6-16 shows how the hash function operates.

Figure 6-16 MD5 Digest for Routing Authentication

WARNING: MD5 passwords should have the same properties as other critical passwords in your network. They should follow the password creation guidelines in your security policy. If you choose a weak password, it is possible for an attacker who has captured a single authenticated update to use offline brute-force guessing to determine your digest password, thereby allowing the attacker to become a trusted member of the routing domain. Note also that these schemes are keyed MD5 (the key is appended to the message before hashing, not a true HMAC); later standards replaced them with HMAC-SHA variants (RFC 4822 for RIPv2, RFC 5709 for OSPFv2, and the TCP Authentication Option of RFC 5925 for BGP), which should be preferred where your routers support them.
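The following is an added illustration, not code from the book, of the keyed-MD5 construction described above as the standards use it (MD5 over the message followed by the 16-octet zero-padded key, with only the digest placed on the wire). It builds a constructed RIPv2 response, signs and verifies it, shows that a modified metric is rejected, and then demonstrates the WARNING in practice: with one captured update, a weak key is recovered offline by guessing. The key ID, sequence number and authentication-length fields of the real RFC 2082 / RFC 2328 trailers are omitted; that simplification is an assumption of this model.

```python
"""Keyed-MD5 routing-update authentication, in the style of RFC 2082 and RFC 2328 Appendix D.

Added illustration (not code from the book). Simplifications, all assumptions of
this model: the key ID, sequence number and authentication-length fields of the
real trailers are omitted, and the digest is simply appended to the message.
The construction itself is the one the standards use: MD5 over the message
followed by the 16-octet zero-padded key; only the digest goes on the wire.
"""
import hashlib
import hmac
import socket
import struct

KEY_LEN = 16      # both RFCs reserve a 16-octet key/digest slot
DIGEST_LEN = 16   # MD5 output size


def pad_key(key):
    """Zero-pad the key to 16 octets, as the trailer slot requires."""
    if not key or len(key) > KEY_LEN:
        raise ValueError("key must be 1..16 octets")
    return key.ljust(KEY_LEN, b"\x00")


def rip_update(prefix, mask, metric):
    """Constructed RIPv2 response (RFC 1723 layout) carrying a single route entry."""
    header = struct.pack("!BBH", 2, 2, 0)   # command=2 (response), version=2, unused
    entry = struct.pack(
        "!HH4s4s4sI",
        2, 0,                                 # address family = IP, route tag = 0
        socket.inet_aton(prefix), socket.inet_aton(mask),
        socket.inet_aton("0.0.0.0"), metric,  # next hop 0.0.0.0 = originating router
    )
    return header + entry


def sign(message, key):
    """Return message || MD5(message || padded key). The key itself is never sent."""
    digest = hashlib.md5(message + pad_key(key)).digest()
    return message + digest


def verify(wire, key):
    """Recompute the digest over everything except the trailing 16 octets."""
    if len(wire) <= DIGEST_LEN:
        return False
    message, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    expected = hashlib.md5(message + pad_key(key)).digest()
    return hmac.compare_digest(digest, expected)   # constant-time comparison


def tamper_metric(wire, new_metric):
    """Attacker on the wire rewrites the metric (the last field before the digest)."""
    message, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    return message[:-4] + struct.pack("!I", new_metric) + digest


def brute_force(wire, candidates):
    """Offline guessing from a single captured update, exactly the WARNING's scenario.

    Every guess is checked against the captured digest; no further traffic is needed,
    so the only defence is a key with enough entropy to make the search infeasible.
    """
    for guess in candidates:
        if verify(wire, guess):
            return guess
    return None


if __name__ == "__main__":
    key = b"cisco"   # deliberately weak, to show the brute force succeeding
    update = sign(rip_update("10.0.0.0", "255.0.0.0", 1), key)
    print("valid update accepted:   ", verify(update, key))
    print("key visible on the wire: ", key in update)
    print("modified metric accepted:", verify(tamper_metric(update, 16), key))
    print("recovered key:           ", brute_force(update, [b"admin", b"cisco", b"s3cr3t"]))
```

The candidate list stands in for a dictionary or a full keyspace sweep; nothing in the protocol rate-limits that search, which is why the key, not the algorithm, carries the security here.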

Specific Routing Protocol Security Options


This section details the security options available in the most widely used routing protocols.

Routing Information Protocol


Routing Information Protocol (RIP) version 1 (RFC 1058) has no mechanism whatsoever to authenticate routing messages. As such, it should never be used in security-sensitive environments.

RIP v2

RIP v2 (RFC 1723, later RFC 2453) supports a 16-byte plaintext password that can be attached to routing updates. RFC 2082 specifies a proposed standard for adding MD5 authentication to RIP v2. Whenever possible, use the MD5 digest instead of the basic password. RIP v2 plaintext messages have the format shown in Figure 6-17.

Figure 6-17 RIP v2 Plaintext Authentication

RIP v2 MD5 authenticated messages have the format shown in Figure 6-18.

Figure 6-18 RIP v2 MD5 Authentication

The configuration for RIP v2 authentication is as follows:

! Enable RIP authentication
Router(config-if)# ip rip authentication key-chain name-of-chain
! Specify authentication type
Router(config-if)# ip rip authentication mode {text | md5}
! Identify key chain
Router(config)# key chain name-of-chain
! Specify key number
Router(config-keychain)# key number
! Specify actual key
Router(config-keychain-key)# key-string text

Open Shortest Path First

Open Shortest Path First (OSPF) (RFC 2328) is one of the most widely used interior gateway protocols today. It supports nearly every bell and whistle you could ask of your routing protocol. On the security side, it offers both plaintext authentication (with basic message checksum) and the much more secure MD5 digest. OSPF MD5 authenticated messages have the format shown in Figure 6-19.

Figure 6-19 OSPF Packet Header

Note that there is no special format for OSPF when you use authentication. Authentication is assumed, even though it defaults to null authentication. In Figure 6-19, AuType specifies the authentication type. The configuration for OSPF MD5 authentication is as follows:

,T"e D3% key is always defined per interface but enabling D3% can be ,done eit"er on t"e interface as s"own in t"e first command ,or at t"e area as in t"e second command! T"e ,t"ird command is re;uired for bot" options! ,2pecify I2*> aut"entication type Router(config-if)# ip ospf authentication message-digest ,Enable D3% for an area Router(config-router)# area area-id authentication message-digest ,2pecify D3% key Router(config-if)# ip ospf message-digest-key key-id md& key

BGP

BGP is most widely used in routing between two different routed domains, such as between you and your ISP or your ISP and the upstream ISP. BGP supports MD5 authentication. Note that because BGP uses TCP as a transport protocol, the MD5 authentication is done as a TCP option rather than inside the BGP message itself. More details on this can be found in RFC 2385. TCP Option 19 is specified for this authentication and takes the format specified in Figure 6-20.

Figure 6-20 TCP Option 19 for BGP MD5 Authentication

The configuration for BGP MD5 authentication is as follows:

! Enable BGP MD5 authentication for a specific neighbor
Router(config-router)# neighbor neighbor_ip_addr password text
NOTE: As of this writing, BGP security is receiving a fair amount of attention in the industry. Several extensions are being proposed to allow the BGP messages to be authenticated, as well as to check that an advertiser of a particular prefix is authorized to do so. Most of these mechanisms make at least partial use of a Public Key Infrastructure (PKI). These options will take some time to be agreed upon; in the meantime, best practices are the best line of defense. Because BGP is unicast as opposed to broadcast or multicast, IPsec can be used with it to provide even greater security. As of this writing, some networks were in the testing phase of their deployments. I would recommend waiting until IPsec in combination with BGP receives more testing before deploying on your own network. Even then, the complexity of the configuration and troubleshooting difficulty might prevent this from being a viable option.

Interior Gateway Routing Protocol


Interior Gateway Routing Protocol (IGRP) is a proprietary Cisco routing protocol meant to address some of the limitations of RIP. It did not address RIP's security limitations, however, because IGRP supports no form of authentication. Like RIP version 1, IGRP should be avoided in security-sensitive environments.

Enhanced Interior Gateway Routing Protocol


Enhanced Interior Gateway Routing Protocol (EIGRP) is an extension to IGRP that is also Cisco proprietary. It supports MD5 message authentication. The configuration for EIGRP authentication is as follows:

! Specify EIGRP MD5 authentication
Router(config-if)# ip authentication mode eigrp autonomous-system md5
! Specify authentication key chain
Router(config-if)# ip authentication key-chain eigrp autonomous-system name-of-chain
! Identify key chain
Router(config)# key chain name-of-chain
! Specify key number
Router(config-keychain)# key number
! Specify actual key
Router(config-keychain-key)# key-string text
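The configurations above are easy to get half right: a key chain applied with the mode left at text, an OSPF key defined without message-digest enabled anywhere, a BGP neighbor added without a password, or a key chain referenced that was never created. The following is an added example, not from the book, of an audit script that reads an IOS-style running-config and flags exactly those gaps, using the command forms shown in this section. The sample config is constructed for illustration (hostname, addresses, AS numbers and key-chain names are invented), and the 12-character minimum key length is an assumed local policy threshold, not an IOS limit.

```python
"""Audit a Cisco IOS running-config for routing-protocol authentication gaps.

Added example (not from the book). SAMPLE_CONFIG is constructed for illustration.
Checks mirror the commands in this section: RIP key-chain/mode, OSPF message-digest
(interface or area), BGP neighbor password, EIGRP mode/key-chain, and whether every
referenced key chain is actually defined with a reasonably long key-string.
"""
import re

MIN_KEY_LEN = 12   # assumed local policy threshold, not an IOS limit

SAMPLE_CONFIG = """\
hostname edge-rtr
!
key chain RIPKEYS
 key 1
  key-string cisco
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip rip authentication key-chain RIPKEYS
 ip rip authentication mode text
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip ospf message-digest-key 1 md5 ospfkey
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRPKEYS
!
router rip
 version 2
 network 192.0.2.0
!
router ospf 1
 network 198.51.100.0 0.0.0.255 area 0
!
router bgp 65000
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.2 password s3cr3t-bgp-key
 neighbor 203.0.113.6 remote-as 65002
"""


def parse_sections(config):
    """Group the config into (header, [indented sub-lines]) blocks; '!' separators are dropped."""
    sections = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif not line.startswith(" "):
            sections.append((line.strip(), []))
    return sections


def audit(config):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    findings = []
    sections = parse_sections(config)
    defined_chains, referenced_chains, area_md5 = set(), {}, False

    # Pass 1: global facts the per-interface checks depend on.
    for header, lines in sections:
        if header.startswith("key chain "):
            name = header.split()[2]
            defined_chains.add(name)
            current_key = None
            for l in lines:
                if l.startswith("key "):
                    current_key = l
                elif l.startswith("key-string "):
                    if len(l.split(None, 1)[1]) < MIN_KEY_LEN:
                        findings.append(f"key chain {name} {current_key}: key-string shorter than {MIN_KEY_LEN} characters")
        elif header.startswith("router ospf"):
            # Area-level enablement covers every interface in that area.
            if any(re.match(r"area \S+ authentication message-digest$", l) for l in lines):
                area_md5 = True

    # Pass 2: interfaces and routing processes.
    for header, lines in sections:
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            rip_chain = [l.split()[-1] for l in lines if l.startswith("ip rip authentication key-chain ")]
            if rip_chain:
                referenced_chains[rip_chain[0]] = name
                if "ip rip authentication mode md5" not in lines:   # IOS default mode is text
                    findings.append(f"{name}: RIP authentication is plaintext (mode md5 not set)")
            if any(l.startswith("ip ospf message-digest-key ") for l in lines) \
                    and "ip ospf authentication message-digest" not in lines and not area_md5:
                findings.append(f"{name}: OSPF MD5 key configured but message-digest authentication not enabled on interface or area")
            eigrp_chain = [l.split()[-1] for l in lines if l.startswith("ip authentication key-chain eigrp ")]
            if eigrp_chain:
                referenced_chains[eigrp_chain[0]] = name
                if not any(l.startswith("ip authentication mode eigrp ") and l.endswith(" md5") for l in lines):
                    findings.append(f"{name}: EIGRP key chain set but authentication mode is not md5")
        elif header.startswith("router rip"):
            if "version 2" not in lines:
                findings.append("router rip: version 1 in use; no authentication possible")
        elif header.startswith("router bgp"):
            peers = {l.split()[1] for l in lines if l.startswith("neighbor ") and " remote-as " in l}
            with_pw = {l.split()[1] for l in lines if l.startswith("neighbor ") and " password " in l}
            for peer in sorted(peers - with_pw):
                findings.append(f"router bgp: neighbor {peer} has no MD5 password")

    for chain, where in referenced_chains.items():
        if chain not in defined_chains:
            findings.append(f"{where}: key chain {chain} is referenced but never defined")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports five findings: the plaintext RIP mode on FastEthernet0/0, the unused OSPF key on FastEthernet0/1, the unprotected BGP neighbor 203.0.113.6, the short RIPKEYS key-string, and the undefined EIGRPKEYS chain. The OSPF check is deliberately conservative: it treats an area-level message-digest statement anywhere in the OSPF process as covering the interface, so it will not flag an interface that belongs to a different area; map interfaces to areas yourself if you need that precision.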

Asymmetric Routing and State-Aware Security Technology


As networks increase in size, so do the chances that they have asymmetric traffic somewhere within them. Asymmetric traffic is traffic that uses a different path for its return than the original path of the request. The topology in Figure 6-21 shows a representative network with several places where asymmetric traffic can occur.

Figure 6-21 Asymmetric Traffic

Traffic between the user PC and either the finance server or the WWW server can flow in an asymmetric manner at several points along the network. Between the PC and the finance server, switches S1 and S3 are the main location where it can occur. Between the PC and the WWW server, traffic could take an asymmetric route at S1 and S2 or at the Internet when returning through ISP A or ISP B. So far, this is network design 101. Most network designers don't have any problem with asymmetric traffic because IP networks are asymmetric by nature. At each point in the transmission, an IP router makes a forwarding decision based on its own view of the network. This becomes problematic when security devices are introduced that rely on state information to make forwarding decisions. Consider the revised diagram in Figure 6-22, where two stateful firewalls are introduced between campus A and the two Internet connections.

Figure 6-22 Asymmetric Traffic with Security Devices

Now asymmetric flows really start to cause problems! Again, consider the PC communicating with server HTTP://WWW. A perfectly reasonable packet flow might have the outgoing connection flow through S4, S1, FW1, InetRTR1, ISP A, and then to server HTTP://WWW. Along the way, FW1 learns that the PC is trying to communicate with server WWW, and so it adds an entry in its state table to enable the return traffic to flow when it comes back from server HTTP://WWW. Unfortunately, the return path for the packet from server WWW to the user PC happens to be ISP B, InetRTR2, FW2, S2, S4, user PC. The packet never reaches the PC, though, because FW2 doesn't have any state information for the communication. As far as it is concerned, server WWW is initiating new communications to the user PC, which are blocked based on the configured security policy. This problem can be further complicated by intrusion detection systems (IDS) deployed within the campus or near the firewalls. If traffic flows by an IDS in an asymmetric manner, it won't see all of the data. Consequently, it might alarm on traffic that is benign (false positive), or it might miss an attack altogether (false negative). I wish there were an easy answer to this problem, but unfortunately there isn't. This section is included as much to bring the problem to your attention as it is to offer possible solutions. You do have some options, however:

- Make your routing symmetric.
- Load balance per flow rather than per packet.
- Use state-sharing security devices.
- Consider L2 redundancy as a workaround.
- Manipulate flows by using routing or NAT.
- Use stateless security features.

Make Your Routing Symmetric


This might seem easy, but in real network designs it can be a significant challenge. Even so, you would be surprised to see how many large networks use symmetric routing at certain parts of their network to enable state-aware security devices to function or to solve other networking issues. This is particularly common at Internet edges, where it is not unheard of to see an entire connection to an ISP lying dormant while the primary connection handles all of the load.

Load Balance Per Flow Rather Than Per Packet


Most L3 devices can be configured to do one of two things when equal-cost paths exist for a given network destination. In the first option, packets are simply balanced in round-robin fashion, with each successive packet going to the next available upstream router. This option causes the most heartache with internal security systems such as IDS. The second, preferred, option is to load balance based on a given flow. This means traffic with a particular source and destination IP address and port (often called a four-tuple; with the protocol number, a five-tuple) is always sent by a specific upstream router. This allows IDS and other state-aware devices to at least see one direction of the communication in a consistent manner. Unfortunately, this does nothing for the return traffic, which still might flow over a different link.

Use State-Sharing Security Devices

As the problem of asymmetric traffic manifests itself more and more in networks, network security vendors are starting to offer options allowing the state information within one security device to be shared with another. In Figure 6-22, FWs 1 and 2 could exchange their state table information to ensure that if the other device sees part of a given flow, it will know to permit the traffic. Often, the amount of information exchanged is significant and requires that dedicated links be configured between the firewalls to exchange the state information.
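The following is an added illustration, not from the book, that models the Figure 6-22 scenario and two of the options above: a stateful firewall with and without a shared state table, and per-packet round-robin versus per-flow hashing for the outbound choice of upstream router. The forwarding paths are fixed by hand to match the chapter's example (out through FW1 and ISP A, back through ISP B and FW2), and the firewall is a minimal model of stateful inspection; both are assumptions of this model rather than real router or firewall behaviour.

```python
"""Asymmetric return traffic through two stateful firewalls (Figure 6-22), with
and without a shared state table, plus per-packet vs. per-flow load balancing.

Added illustration, not from the book. The forwarding paths are fixed by hand to
match the chapter's example (out via FW1, back via FW2); the firewall logic is a
minimal model of a stateful inspection device. Both are assumptions of this model.
"""
import hashlib
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport flags")


def flow_key(pkt):
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport)


def reverse_key(pkt):
    """Key the return direction so it matches the entry the request created."""
    return (pkt.dst, pkt.src, pkt.dport, pkt.sport)


class StatefulFirewall:
    """Inside-originated flows are permitted and recorded; outside-originated
    packets are permitted only if they are the return half of a recorded flow."""

    def __init__(self, name, inside_prefix, shared_state=None):
        self.name = name
        self.inside_prefix = inside_prefix
        # With state sharing, both firewalls are handed the same table object.
        self.state = shared_state if shared_state is not None else set()

    def forward(self, pkt):
        if pkt.src.startswith(self.inside_prefix):
            self.state.add(flow_key(pkt))
            return True
        return reverse_key(pkt) in self.state


def simulate(state_sharing):
    """PC -> S4 -> S1 -> FW1 -> ISP A outbound; ISP B -> FW2 -> S2 -> S4 -> PC on return."""
    shared = set() if state_sharing else None
    fw1 = StatefulFirewall("FW1", "10.1.", shared)
    fw2 = StatefulFirewall("FW2", "10.1.", shared)
    syn = Packet("10.1.1.20", "192.0.2.80", 40001, 80, "SYN")
    synack = Packet("192.0.2.80", "10.1.1.20", 80, 40001, "SYN-ACK")
    outbound_ok = fw1.forward(syn)      # FW1 records the flow
    return_ok = fw2.forward(synack)     # FW2 only knows about it if state is shared
    return outbound_ok, return_ok


def unsolicited_blocked(state_sharing):
    """Sharing state must not open the door to new outside-originated connections."""
    shared = set() if state_sharing else None
    fw2 = StatefulFirewall("FW2", "10.1.", shared)
    probe = Packet("198.51.100.9", "10.1.1.20", 4444, 445, "SYN")
    return not fw2.forward(probe)


def per_flow_path(pkt, paths):
    """Hash the 4-tuple so every packet of a flow leaves by the same upstream router."""
    h = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
    return paths[int.from_bytes(h[:4], "big") % len(paths)]


class PerPacketRoundRobin:
    """Each successive packet goes to the next path, regardless of flow."""

    def __init__(self):
        self.count = 0

    def __call__(self, pkt, paths):
        path = paths[self.count % len(paths)]
        self.count += 1
        return path


def paths_used(chooser, pkts, paths=("InetRTR1", "InetRTR2")):
    """Set of upstream routers a packet list was spread across by a given chooser."""
    return {chooser(p, paths) for p in pkts}


if __name__ == "__main__":
    print("no sharing  :", simulate(False))   # (True, False): FW2 drops the return packet
    print("state shared:", simulate(True))    # (True, True)
    flow = [Packet("10.1.1.20", "192.0.2.80", 40001, 80, "ACK")] * 4
    print("per packet:", paths_used(PerPacketRoundRobin(), flow))
    print("per flow  :", paths_used(per_flow_path, flow))
```

Two things the model makes visible: sharing state fixes the asymmetric return without weakening the policy (an unsolicited inbound SYN is still dropped), and per-flow hashing keeps one direction of a flow on a single path but says nothing about the path the Internet picks for the reply, which is exactly the limitation the "Load Balance Per Flow" section describes.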

Consider L2 Redundancy as a Workaround


With the careful introduction of L2 redundancy as opposed to L3, technologies such as Virtual Router Redundancy Protocol (VRRP) or Hot Standby Router Protocol (HSRP) can allow traffic to flow through a single location while still providing redundancy. This option works best on high-speed connections where the use of only one path instead of two or more does not affect network performance. The result is that normally asymmetric flows can be made symmetric for short distances in the network, such as while traffic passes through a firewall. Again, in Figure 6-22, if FWs 1 and 2 were connected on both sides to the same L2 network, they could use something like VRRP to appear as a single firewall to the upstream and downstream routers. This means that traffic can flow in an asymmetric manner out to the Internet and to the internal network but in a symmetric manner when passing through the firewall. This is generally impossible when the two devices are not in close geographic proximity to one another. For example, if FW 1 is in Brussels, Belgium, and FW 2 is in Hackensack, New Jersey, you are out of luck.

Manipulate Flows by Using Routing or NAT


Because this is a book on security, the ins and outs of BGP path preference have no place within the text. It is worth noting, however, that there are a number of things that can be done with routing protocols to affect the paths that packets take. To some degree, you can also influence which path outside networks take when they must communicate with you. Although not very elegant, some other workarounds involve using different NAT pools based on which security device a packet passes through. Return packets can then be forced to a specific security device based on the unique NAT pool they were allocated from, because that pool is only routed back toward the device that owns it.

Use Stateless Security Features


Even though firewalls have been around for many years, a number of companies still use basic ACLs instead of stateful firewalls for, among other things, this asymmetric issue. Some security functionality is clearly lost. Basic ACLs don't track state information, but if your traffic flows are fairly easy to categorize, you can still achieve some security without needing symmetric traffic flows. Remember that if you have properly implemented a true security system as defined in Chapter 1, the access control function of a firewall is only one part of the overall security story. With IDS, the signatures that work improperly in asymmetric environments can be turned off to prevent false positives. Again, this will reduce the security such systems provide but will still allow a number of signatures to fire properly.

Transport Protocol Design Considerations

At the transport level, you often don't have many choices. Applications you use on your network will generally use TCP or UDP. Because TCP is connection oriented and reliable, it is generally preferable to UDP from a security perspective. Keep in mind that UDP is often faster because of the overhead TCP adds. One of the most significant reasons TCP is more secure than UDP is the difficulty in spoofing TCP communications. As you learned in Chapter 3, UDP spoofing is trivial since there is no notion of a connection. This is a main reason why UDP protocols such as SNMP, TFTP, and syslog need special attention when deployed in a security-sensitive environment. Spoofing TCP SYN packets is also easy because the attacker does not need to receive any response from the host (the connection hasn't been formed at this point). Trying to hijack an established TCP session, however, is very difficult if the attacker is unable to see the packets flow on the wire. This is because the 32-bit sequence number must be guessed by the attacker, and a forged segment is only accepted if its sequence number falls within the receiver's current window. More details on UDP and TCP spoofing (including header diagrams) can be found in the "Spoof" section of Chapter 3.
