When logging in a production network, it is recommended that logging traffic (as well as all management traffic) be sent out-of-band. When traffic is in-band, the traffic is said to traverse the same logical path as the production traffic. Having management traffic in-band introduces various security threats. For management traffic to be out-of-band, you can either create a totally separate interface (or sub), or deploy a new VLAN.
A commonly overlooked part of security is the synchronization of clock between network devices. Device clocks are one of the last things a typical administrator would worry about, but having clocks that are not synchronized would introduce a variety of problems. First of all, time-based access-lists would not work properly. Key-chains may expire at the wrong time thus causing various services like routing protocol authentication to break. A general management guideline is to ensure that clocks on network devices are synchronized with at least a time source, whether internal or external.
Time sources are devices running protocols like SNTP and NTP. Time sources are categorized into different strata. Each the stratum level defines the accuracy of the time source. Think of clock strata as a hierarchical structure, with the stratum increasing every step down. For example, an atomic clock is usually stratum 0, with the server synchronizing with it a stratum 1. Computers synchronizing with such servers over the internet through NTP become stratum 2, and network devices synchronizing with such a server would then be stratum 3.
SNTP stands for Simple NTP, where NTP is Network Time Protocol. SNTP is considered less secure than NTP as it does not support cryptographic facilities featured in NTPv3. Authentication capabilities in NTPv3 are also not present in SNTP. SNTP is only meant for simple, non-production, lab setups.
Syslog is a logging facility installed on a host or server in the network. Syslog servers can be deployed with programs like TFTPD32. In syslog, each logged item is categorized into a logging level. The logging level determines the severity (higher the logging level, lower the security). When a logging level is chosen on a device, all events with an equal or higher severity level (lower logging level) are logged. The logging levels are:
7-Debugging
6-Informational
5-Notifications
4-Warnings
3-Errors
2-Critical
1-Alerts
0-Emergencies
Another way an administrator can track their network devices is to make use of SNMP. SNMP stands for Simple Network Management Protocol. SNMP differs from Syslog in that it pulls data on demand instead of waiting for data to be pushed to it. SNMP makes use of an MIB. MIB stands for Management Information Base and it defines the information database that can be read from the device. Using one of the many MIBs, the SNMP server (also known as an NMS, Network Management Server) sends sets and gets to pull data from the device (which in this case is an Agent). Examples of SNMP servers are MRTG and Cacti, with the former being easier to set up.
Being in line with the policy of least privileges, unused router interface and services should be turned off. Cisco's steps to secure vulnerable interfaces/services are:
1) Disable unnecessary services and interface
-Disable router interfaces
in f0/0
shut-Disable bootstrap protocol (BOOTP)
no ip bootp server
ip dhcp bootp ignore-Disable CDP
no cdp run
in f0/0
no cdp run-Disable Autoloading
no service config-Disable FTP server
no ftp-server enable-Disable TFTP server
no tftp-server-Disable NTP Server
ntp disable-Disable TCP and UDP minor services
no service tcp-small-servers
no service udp-small-servers-Disable MOP
no mop enabled2) Disable commonly configured management services.
-Disable SNMP
no snmp-server-Disable HTTP/HTTPS server
no ip http server
no ip http secure-server-Disable domain lookup
no ip domain-lookup3) Ensure path integrity.
-Disable ICMP redirects
in f0/0
no ip redirects-Disable IP source routing
no ip source-route4) Disable probes and scans.
-Disable Finger Service
no service finger-Disable ICMP Unreachable Notifications
no ip unreachables-Disable ICMP Mask Reply
no ip mask-reply5) Ensure terminal access security.
-Disable IDENT
no ip identd-Enable TCP Keepalives
service tcp-keepalives6) Disable gratuitous and proxy ARP.
no ip gratuitous-arp
no ip proxy-arp7) Disable IP directed broadcasts.
no ip directed-broadcastThis seems like a great list to remember. Luckily, Cisco introduced a feature known as AutoSecure. AutoSecure automatically reads the router configuration and attempts to apply the best security practices, mostly those discussed above. In SDM, you can run the Cisco SDM Security Audit Wizard or the One-Step Lockdown based on AutoSecure. Security Audit Wizard steps the administrator through each recommendation while One-Step Lockdown automatically applies all safest policies. Auto-secure is invoked from privileged mode through:
auto secure ?More information about auto secure can be found at Cisco's official documentation.
No comments :
Post a Comment