Monday, May 3, 2010

CCNA Security 11

We have two options for configuring the enable password (the privileged mode password). These are:
enable password cisco
enable secret cisco

The difference between the two is that enable password is stored in plaintext in the running-configuration, while enable secret stores a hashed (MD5) copy of the password.

When both an enable password and an enable secret are configured, the secret takes precedence. The only reason enable password is still in IOS is backward compatibility with old configurations.

There are several security features in IOS password fields:
1) No echoing of the password
2) Timeout after inactivity
3) Maximum retries

When the enable secret is enabled, you will receive a "% Bad secrets" message for a failed privilege mode login. This will not appear if you only use enable password.

Passwords like the enable password, the VTY/CON/AUX line passwords and local database passwords are shown in cleartext in the configuration. To prevent shoulder surfing, we should use Cisco's built-in password encryption service:
service password-encryption

However, this uses Cisco's Type 7 (Vigenere-based) encryption, which is easily reversible using online tools like IFM - Cisco Password Cracker.

A good password has a minimum length of 8 characters and mixes upper- and lower-case letters, digits and symbols. It is more effective to spread numbers throughout the password than to put them only at the end.

To set the minimum length in IOS, go to global configuration and type:
security password min-length 8

To create a user with secret in the local database, use:
username cisco secret 0 cisco

MD5, otherwise known as Message-Digest Algorithm 5, is considered partially insecure by some security experts. It produces a 128-bit hash value from a variable-length input. MD5 was preceded by MD4, which was an insecure algorithm.

There are readily available "rainbow tables" online that can reverse MD5 hashes. Salting is the addition of random bits to the password before hashing, which defends against rainbow tables and brute force.

Adding a few extra bits to the password results in a dramatically different output. This is due to MD5's avalanche effect, which is also one of the characteristics of block ciphers discussed in the previous article.
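The two properties just described, a salt defeating a precomputed lookup table and a one-bit input change flipping about half of the output bits, can be seen directly. The following is an added example and is not code from the original post; it uses MD5 only because that is the algorithm the notes discuss, and the three-word "rainbow table" and the password values are constructed for the demo.

```python
import hashlib
import os

def md5_hex(data: bytes) -> str:
    """Return the MD5 digest of data as 32 hex characters (128 bits)."""
    return hashlib.md5(data).hexdigest()

def new_salt(nbytes: int = 8) -> bytes:
    """Random salt; it is stored beside the hash and does not need to be secret."""
    return os.urandom(nbytes)

def salted_md5(password: str, salt: bytes) -> str:
    """Hash salt || password, so the same password with different salts hashes differently."""
    return md5_hex(salt + password.encode())

# Constructed toy "rainbow table": precomputed digests of a few common words.
COMMON_WORDS = ["cisco", "password", "admin"]
PRECOMPUTED = {md5_hex(w.encode()): w for w in COMMON_WORDS}

def table_lookup(digest: str):
    """Reverse a digest by table lookup; None when the digest is not in the table."""
    return PRECOMPUTED.get(digest)

def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def avalanche_ratio(password: str) -> float:
    """Fraction of the 128 output bits that change when one input bit is flipped."""
    data = password.encode()
    flipped = bytes([data[0] ^ 0x01]) + data[1:]  # flip the lowest bit of byte 0
    return differing_bits(md5_hex(data), md5_hex(flipped)) / 128

if __name__ == "__main__":
    salt = new_salt()
    print("unsalted lookup:", table_lookup(md5_hex(b"cisco")))          # hit
    print("salted lookup:  ", table_lookup(salted_md5("cisco", salt)))  # miss
    print("bits changed by a 1-bit input change: %.0f%%" % (100 * avalanche_ratio("cisco")))
```

The unsalted digest of "cisco" is found immediately in the table, while the salted digest is not, because the attacker would need a separate table for every possible salt. The avalanche ratio lands near 50% for any input, which is what makes a hash useless for guessing "nearby" passwords from a leaked digest.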

Time synchronization is very important in routers. Having synchronized time allows you to troubleshoot much easier with logging services like syslog. AAA's logging is also dependent on the router's time. Digital certificates also rely on accurate, synchronized time.

Time synchronization is typically done through NTP. NTP uses UDP port 123. A Cisco router can act as an NTP server, client or peer. NTP uses a hierarchical structure for time propagation. At the top of the hierarchy is a stratum 0 atomic clock. A Cisco router cannot get its time from a stratum 0 clock. Typically, a stratum 1 time server synchronizes with an atomic clock, and a Cisco router in turn gets its time from such a time server, making it stratum 2.

The NTP server is the one which gives NTP clients the correct time. NTP clients can synchronize with multiple servers to get an averaged time. NTP peers are clients which synchronize with each other.

Recall that digital certificates rely on accurately synchronized time. A known DoS attack is to attempt to desynchronize the authentication server's time by spoofing NTP packets. To protect against spoofed packets, NTPv3 should be used. NTPv3 supports cryptographic authentication.

If you use one of your routers as the NTP master, you can use NTP authentication and/or ACLs to prevent attackers from synchronizing with your clock or desynchronizing it.

To verify the system's clock, use:
show clock

You can change your timezone using:
conf t
clock timezone SGT +8

To set daylight saving time, use:
clock summer-time EST recurring

To change the system clock, use:
clock set 17:56:45 May 03 2010

To set up the router as NTP master (server), use:
ntp master

To set up authentication, turn it on with:
ntp authenticate

Then set the authentication-key with:
ntp authentication-key 1 md5 cisco

Now we have a working NTP master server. We are now going to set up authentication on another client. NTP synchronization is known to take a long time; in a production environment it may take tens of minutes. To debug NTP, type:
debug ntp events

To specify an NTP server from a client, use:
ntp server

At this point, your clock should be synchronized even without setting up authentication on the client. To check the NTP servers you have synchronized with, use:
show ntp associations

NTP authentication is actually different from other authentications. Instead of the server authenticating the clients, the clients actually authenticate the server. This allows the clients to validate the genuineness of the time-source.

Now we're going to set up NTP peering between R1 ( and R2 ( To do this, go to R1 and type:
ntp peer

Then go to R2 and type:
ntp peer

If you have multiple NTP clocks, you can use the prefer command to prefer a more accurate clock:
ntp server prefer

UTC stands for Coordinated Universal Time. If you're wondering why it isn't CUT: English speakers wanted CUT, while French speakers wanted TUC. The compromise was UTC.

Telnet is a versatile tool to communicate with any terminal-enabled device like routers or Linux systems. However, Telnet communication is done in cleartext and is vulnerable to MITM attacks.

SSH is like Telnet but has encrypted traffic. In Cisco routers, SSH needs to use the local database or AAA for authentication. SSH does not allow a simple password. To configure the local database, use:
line vty 0 4
login local
transport input ssh

We then create a simple username/password database:
user cisco pass cisco

For SSH to really work, you need to set your domain and generate a key. To set a domain, use:
ip domain syraxius.ath.cx

To generate a key, use:
crypto key gen rsa

A secure key length should be 1024 bits or more. Each additional bit of key size doubles the work of a brute-force attack, because the number of iterations required is 2^n, where n is the key size.

There are various SSH commands. You can set the time-out value in SSH. The SSH time-out applies to the negotiation phases (certificate exchange, login, etc). Once the EXEC session starts, the standard timeout values specified in the VTY configuration apply. To set the time-out, type:
ip ssh time-out 20

You can also set the maximum login retries through:
ip ssh authentication-retries 5

You can still use the access-class command to restrict who can telnet/SSH in. To do this, specify the allowed traffic:
ip access-l standard SSHPERMIT
permit ip
line vty 0 4
access-class SSHPERMIT in

There are a few reasons to create network banners. Banners can be used to notify users of various planned network outages. Banners can also be used to warn potential attackers and specify penalties for unauthorized access.

To set a banner, use:
banner motd $
Network is going down tonight at 8PM for maintenance $

The banner MOTD is shown regardless of whether login is required. If both a banner MOTD and a login banner are set, the MOTD is shown first. To set a login banner:
banner login $Unauthorized login is not allowed!$

After a user is successfully authenticated, the EXEC banner is shown. To do an EXEC banner, use:
banner exec $
You have logged into the system.
If you do not have permission to
be at this prompt, log off imme-

The industry-standard Security triad is:
C - Confidentiality
I - Integrity
A - Availability

Confidentiality attacks involve two kinds of confidentiality: A compromise of the system's data confidentiality, and the confidentiality of the attack.

Integrity attacks are attacks that modify data while in transit. This is typical of a MITM attack.

Attacks against availability are attacks that cause a server to not be able to handle requests from legitimate users. DoS attacks are attacks against availability.

A DoS attack is an attack designed to prevent legitimate users from accessing network resources. A DDoS attack does exactly the same thing, but is launched from multiple sources.

A DDoS attack typically starts by infecting a large number of computers. These computers are referred to as zombies, and a collection of zombies is known as a botnet. The infected computers launch a coordinated attack on a target from multiple sources at a pre-programmed time.

A typical DoS attack is a SYN-flooding attack. A SYN-flooding attack sends multiple SYN packets to a server with spoofed source IP addresses. The server is left with a large number of half-open connections, which take up resources. When there are enough of these connections, the server can no longer handle new requests.

TCP intercept is a defense against SYN flooding. The router answers SYN requests on behalf of the server; once the client completes the handshake, the router opens its own session to the server and merges the two connections. To turn on intercept mode, use:
ip tcp intercept mode intercept

There are two modes that TCP intercept can be in. The default is the intercept mode described above. The other mode, watch mode, allows the SYN packets to pass through. If the connection isn't completed within 30 seconds (by default), the router sends an RST packet to the server to clear the resources. To change the watch timer, use:
ip tcp intercept watch-timeout 15

You have to specify the packets to be intercepted. To intercept all packets going to a particular server, first create an extended access-list like this:
ip access-list ext TCPINTERCEPT
permit ip any host

Then apply the access-list to the TCP intercept process:
ip tcp intercept list TCPINTERCEPT

The maximum number of incomplete connections allowed in intercept mode is 1100. By default, the oldest connections would be dropped once it exceeds 1100. You can also change the dropping of connections to be random by using:
ip tcp intercept drop-mode random

There are certain TCP intercept issues in production. It is recommended to check the documentation before using it in your network.
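The two mechanisms described above (the watch timer that resets stalled half-open connections, and the 1100-entry ceiling with its oldest-or-random drop policy) are easiest to reason about as a small state machine over the half-open connection table. The following is an added example written for these notes, not code from the original post or from Cisco; it models the behaviour with the page's defaults (30 seconds, 1100 entries) and the demo traffic in the main block is constructed.

```python
import random

class HalfOpenTracker:
    """Model of TCP intercept watch mode: half-open connections that are not
    completed within `watch_timeout` seconds are reset, and when the table
    grows past `max_incomplete` entries the oldest (or a random) entry is dropped."""

    def __init__(self, watch_timeout=30, max_incomplete=1100, drop_mode="oldest", seed=None):
        self.watch_timeout = watch_timeout
        self.max_incomplete = max_incomplete
        self.drop_mode = drop_mode          # "oldest" (default) or "random"
        self.half_open = {}                 # (src, sport, dst, dport) -> time of SYN
        self.resets = []                    # (connection, reason) the router would RST
        self.rng = random.Random(seed)

    def syn(self, key, now):
        """A SYN was seen; record it as half-open and enforce the table limit."""
        self.expire(now)
        self.half_open[key] = now
        if len(self.half_open) > self.max_incomplete:
            if self.drop_mode == "oldest":
                victim = min(self.half_open, key=self.half_open.get)
            else:
                victim = self.rng.choice(list(self.half_open))
            self.resets.append((victim, "table full"))
            del self.half_open[victim]

    def ack(self, key, now):
        """Final ACK of the handshake seen: the connection is no longer half-open.
        Returns False when no matching half-open entry exists."""
        self.expire(now)
        return self.half_open.pop(key, None) is not None

    def expire(self, now):
        """Reset every half-open connection older than the watch timer; returns the count."""
        stale = [k for k, t in self.half_open.items() if now - t > self.watch_timeout]
        for k in stale:
            self.resets.append((k, "watch timeout"))
            del self.half_open[k]
        return len(stale)

if __name__ == "__main__":
    # Constructed demo: a burst of SYNs from spoofed sources that never complete
    # the handshake, plus one real client that does.
    tr = HalfOpenTracker(watch_timeout=30, max_incomplete=1100)
    for i in range(1105):
        tr.syn((f"198.51.100.{i % 250}", 40000 + i, "203.0.113.10", 80), 0.0)
    tr.syn(("192.0.2.5", 51000, "203.0.113.10", 80), 1.0)
    tr.ack(("192.0.2.5", 51000, "203.0.113.10", 80), 1.2)
    tr.expire(31.0)   # the watch timer fires for the whole stalled burst
    print("half-open left:", len(tr.half_open), "resets sent:", len(tr.resets))
```

The point the model makes visible is that the oldest-first drop policy is exactly what a sustained flood defeats: the legitimate client's entry is always the newest, so it survives, but every flood entry is also refreshed faster than it ages out, which is why the random drop mode exists.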

Pings can be really innocent things, but they can also be used for sweeping. A Ping Sweep (using programs like Angry IP Scanner) is used to ping an entire segment for live hosts. A Ping Sweep is known as a vertical scan.

Another attack used with a Ping Sweep is a Port Sweep. Port Sweeps are typically done using programs like NMAP. NMAP allows scanning of a host's open ports as part of reconnaissance. This information can then be used to determine the operating system in use and the exploits that could be launched against it.

Ping of Death is a type of pinging which uses 65535-byte packets. Some Ping of Death attacks use packets larger than 65535 bytes (which are fragmented before being sent), which could cause serious problems like BSODs on the receiving machine.

Invite of Death is named after the POD but it's a type of attack on Voice networks.

Ping floods can harm the intended target by taking up bandwidth. The target would also need to use up its resources to process the Echo Packets and craft the corresponding Echo Reply packet. The resulting Echo Reply uses up even more bandwidth.

A Smurf attack uses the IP address of the intended victim as the source address of a flood of ICMP Echo packets. A Smurf attack can be used to send ICMP packets to a directed broadcast address, which causes all hosts in the subnet to send Echo Replies to the intended victim.

The first step in any security policy is to physically lock up equipment.

IP Spoofing can be used against your network in a few ways. IP Spoofing can be used to inject malicious code or commands into your network, or to trick legitimate hosts into sending sensitive data to the attacker. IP Spoofing can also be used as part of a reconnaissance attack.

A person can hijack an existing TCP session by listening to the sequence numbers of a current TCP session. If an attacker sends in an ACK before another legitimate ACK, he can take over another host's connection. The host's connection would then be invalidated due to wrong sequence numbers.

If the attacker is in the same subnet as the target, he is likely to use non-blind spoofing. If the attacker is external, he can make guesses to the sequence numbers, and is therefore known to be doing blind spoofing.

To defend against spoofing, we should block all packets with source RFC 1918 from the ingress interface. The entire list of prohibited addresses are defined in RFC 3704:

This blocking method is sometimes referred to as "2827 filtering" or "3704 filtering". The exam would require you to know the source addresses to block but would not test on the details in the RFCs. The general guideline is to do RFC 3704 Filtering on the outside network, and do encryption and authentication inside.
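The filtering described above is a source-address check on the outside interface: drop anything claiming an RFC 1918 source, anything from a range that cannot be a valid Internet source, and anything claiming one of your own internal addresses. The following is an added example, not code from the original post; the RFC 1918 ranges are the standard ones, the extra "never a valid Internet source" ranges are an assumed conservative subset (the full policy comes from RFC 3704 and your provider), and 203.0.113.0/24 is assumed to be the protected network in the demo.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 private ranges: never a legitimate source on the outside interface.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Further ranges that are not valid Internet sources (assumption: a small
# conservative subset; the authoritative list for your network comes from
# RFC 3704 and your provider, not from this script).
OTHER_BAD_SOURCES = [ip_network(n) for n in
                     ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

def is_rfc1918(src: str) -> bool:
    """True when src falls in one of the RFC 1918 private ranges."""
    addr = ip_address(src)
    return any(addr in net for net in RFC1918)

def ingress_verdict(src: str, own_prefixes) -> str:
    """Decide what to do with a packet from `src` arriving on the outside
    interface. `own_prefixes` are the internal networks the router protects."""
    addr = ip_address(src)
    if any(addr in net for net in RFC1918):
        return "deny: RFC 1918 source"
    if any(addr in net for net in OTHER_BAD_SOURCES):
        return "deny: invalid Internet source"
    # Anti-spoofing: an outside packet claiming one of our own addresses
    # cannot be legitimate (the classic RFC 2827 style check).
    if any(addr in ip_network(p) for p in own_prefixes):
        return "deny: spoofed internal source"
    return "permit"

def filter_packets(sources, own_prefixes):
    """Apply the verdict to a list of source addresses; returns (src, verdict) pairs."""
    return [(s, ingress_verdict(s, own_prefixes)) for s in sources]

if __name__ == "__main__":
    # Constructed sample sources seen on the outside interface.
    sample = ["10.1.2.3", "192.168.1.1", "127.0.0.1", "203.0.113.7", "198.51.100.9"]
    for src, verdict in filter_packets(sample, ["203.0.113.0/24"]):
        print(f"{src:16} {verdict}")
```

The same three checks map one-to-one onto deny entries at the top of an inbound extended access-list on the outside interface, followed by the permits you actually want.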

IP Source Routing allows the sender to choose the path a packet takes to arrive at the destination and to return to the source. IP Source Routing is enabled by default on all Cisco routers, so it should be disabled if it's not in use. To disable IP Source Routing, type:
no ip source-route

There are two kinds of source routing defined in RFC 791. Loose Source Routing is so that only a portion of the end-to-end path is hardcoded, and Strict Source Routing has the entire end-to-end path hardcoded.

Packet Sniffers allow attackers to pick packets off wires for examination. Packets that are plaintext are most prone to sniffing. Protocols like HTTP, Telnet and PAP are examples of cleartext protocols.

Queries allow attackers to do enumeration on the network. Queries such as DNS queries, SQL queries and Internet Information queries are examples of query types that can be used for enumeration.

Apart from high-tech attacks, attackers can also employ techniques like social engineering, shoulder surfing and dumpster diving to gain access to a network. People like Jerry Schneider actually managed to start companies using equipment obtained from dumpster diving.

Password attack is an overall term for illegally obtaining a password. This was covered in the previous article. A brute-force attack uses a program to try all possible combinations. The deterrent against a brute-force attack is to use long passwords with a large character set.

A dictionary attack is an attack that makes use of a list of common words. These words are typically tried for case and numbers are typically appended at the back.

A trojan horse is any program that is disguised as a legitimate program. Trojan horses can do things like capturing passwords. Trojan horses can perform data diddling, in which what is shown on the screen is not what is actually done and saved.

Keyloggers can also capture passwords, but they typically turn sessions into transcripts before sending it to the attacker.

A salami attack is a combination of small attacks that adds up over time. A salami attack works on the thought that you can steal a thin slice of salami daily without the owner noticing the missing salami. Over time you can make up a whole salami.

A trust exploitation is when an attacker uses an already-existing trust relationship within a network. Using a web-server in the DMZ to attack the datastore is an example of a trust exploitation. Another type of trust exploitation is Port redirection.

In Cisco IOS, you can make use of a privilege level system with privilege levels between 0 and 15. Privilege levels allow commands to be assigned to a level, and each command can belong to only one level. A user logged into a particular level can use the commands available at his current level and below.

An alternative to privilege levels is the Role-based CLI. To create views, we need to enable AAA. This is done with the same old:
aaa new-model

A Superview can be a child of more than one View. Logging into a Superview allows that user to execute all commands contained in all Views that the Superview is a child of. However, deleting the Superview will not affect the Views. Commands can only be assigned to Views, not Superviews.

For example, you can make two views:
View #1: show ip route
View #2: show running-config

Views are not limited to only one command, but in this case it is to simplify things. We can create a Superview to be a child of View #1 and #2 to allow an administrator to run both "show ip route" and "show running-config".

AutoSecure was introduced in IOS 12.3. There are two modes:
-Interactive allows the administrator to customize certain elements. He will be prompted for inputs similar to running Setup mode. This allows you to configure things like SSH, enable secrets etc.
-Non-interactive, on the other hand, uses all Cisco's recommended settings. Depending on your company's security policies, this may be too secure for your network.

By default, Finger, PAD, BOOTP, HTTP services, IDENT, CDP, NTP, IP Source Routing, and the TCP and UDP small servers are disabled by AutoSecure.

Interface-level services like Proxy ARP, IP Directed Broadcasts, MOP, ICMP Redirects, Unreachables and Mask Replies are also disabled.

Services like password-encryption and TCP Keepalives are enabled by AutoSecure. AutoSecure also sets logging buffer size, logging sequence numbers and provides console log. AutoSecure also prompts to create a banner and passwords are applied to all lines.

If SNMP is not in use, Interactive would ask if the admin would want to disable SNMP. If Non-Interactive mode is used, SNMP would be disabled if community strings are default.

If AAA is not already in use, it will be enabled and Accounting will have sequence numbers and timestamps enabled. The commands logging console critical, logging buffered and logging trap disabled are also applied.

CEF is also enabled if available and 3704 Filtering is applied. Default route would point to Null0 if not already configured, and TCP Intercept would be enabled if available.

The two ways to run auto-secure are:
auto secure full
auto secure nointeract

Apart from CLI solutions, you can also automatically secure your router through the SDM. There are two tools available: One-Step Lockdown and Security Audit. Both can be accessed from Configure > Security Audit.

Security Audit presents you with a checklist of recommendations, while One-step Lockdown performs similarly to AutoSecure Non-Interactive mode.

You can undo Security Audit/One-step Lockdown settings from SDM as well.

AAA configuration is not supported in SDM Security Audit. AAA will be enabled and you will be prompted to create a local database.

SNMP is meant to carry management data. SNMP also allows the NMS to send writes to the device to change its configuration. This makes SNMP a very sensitive protocol. SNMPv1 through v2c send community strings in cleartext. Community strings are like passwords, and there is an authority level associated with them (Read, Write, or Read+Write). SNMPv3 uses hash algorithms to protect SNMP messages and should be used whenever possible.

Syslog has many configurable options. First, to enable syslog, we need to specify the location of the logging server. To do this, type:

If you've read the previous articles, you'll know the severity level of the messages. Below is a list:
7 - Debugging
6 - Informational
5 - Notifications
4 - Warning
3 - Error
2 - Critical
1 - Alert
0 - Emergencies

To set the logging level, use:
logging trap error

In this case, anything at the error level and more severe (numerically 3 and below) will be logged.
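The "at this level and more severe" rule is simple but worth checking against real message formats, because the severity digit sits in the middle of the message tag (%FACILITY-SEVERITY-MNEMONIC). The following is an added example and not code from the original post: it parses Cisco-format messages, resolves the level names from the table above (including the short forms like "error"), and returns the lines a given "logging trap" level would forward. The sample log lines are constructed for the demo.

```python
import re

# Severity table from the notes: a lower number is more severe.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
# Short forms accepted on the command line (assumed mapping for this demo).
ALIASES = {"emergency": "emergencies", "alert": "alerts", "error": "errors",
           "warning": "warnings", "notification": "notifications"}

# Cisco message tag: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")

def trap_threshold(level: str) -> int:
    """Numeric severity for a 'logging trap <level>' argument."""
    name = ALIASES.get(level.lower(), level.lower())
    return SEVERITY[name]

def parse_severity(line: str):
    """Severity digit of a Cisco-format log line, or None if the tag is absent."""
    m = MSG_RE.search(line)
    return int(m.group("sev")) if m else None

def should_forward(line: str, trap_level: str) -> bool:
    """True when the message is at the configured level or more severe."""
    sev = parse_severity(line)
    if sev is None:
        return False   # not a Cisco-format message; nothing to classify
    return sev <= trap_threshold(trap_level)

def forwarded(lines, trap_level: str):
    """The subset of lines a server set to `trap_level` would receive."""
    return [l for l in lines if should_forward(l, trap_level)]

# Constructed sample log lines (timestamps and text made up for the demo).
SAMPLE = [
    "May  3 17:56:45: %SYS-5-CONFIG_I: Configured from console by vty0",
    "May  3 17:57:02: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "May  3 17:57:10: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7]",
    "May  3 17:58:00: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed",
]

if __name__ == "__main__":
    for line in forwarded(SAMPLE, "error"):
        print(line)
```

With "logging trap error" only the UPDOWN (3) and MALLOCFAIL (2) lines are forwarded; the failed-login message at severity 4 is not, which is a common surprise when a syslog server is expected to feed login-failure alerting.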

The terms virus and worm are often used interchangeably. However, they refer to different things. A worm is a virus that is able to propagate itself to other hosts without human intervention. Of course, most worms would not execute themselves, so users still need to run them.

There is a relatively new feature from Cisco that is able to deter brute-force attacks. When there are more than a specified number of failed attempts, the router no longer accepts any logins, even legitimate ones. To enable this feature, type:
login block-for 60 attempts 5 within 30

This will trigger a quiet period of 60 seconds if there are 5 failed attempts within 30 seconds. To verify login configuration, type:
show login

The quiet mode can itself be abused as a DoS attack: an attacker can prevent administrators from logging into the router simply by spamming logins. To mitigate this, we can define IP addresses that are exempt from quiet mode with an access-list. For example, if we want to exempt a particular address from quiet-mode, we should use:
ip access-list standard EXEMPTQUIET
login quiet-mode access-class EXEMPTQUIET
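To make the "5 failures within 30 seconds triggers 60 seconds of quiet mode" rule and the exemption list concrete, here is an added example modelling that logic; it is not code from the original post or from Cisco IOS. It assumes, as a simplification, that failures are counted globally rather than per source (which is also why the feature can be abused as a DoS) and that the exemption list is a set of addresses rather than an access-list. The addresses used are constructed.

```python
from collections import deque

class LoginGuard:
    """Sliding-window model of `login block-for B attempts A within W` plus
    `login quiet-mode access-class`. Times are in seconds."""

    def __init__(self, block_for=60, attempts=5, within=30, exempt=()):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.exempt = set(exempt)        # addresses that may log in during quiet mode
        self.failures = deque()          # timestamps of recent failures (global, like IOS)
        self.quiet_until = None          # end of the current quiet period, if any

    def in_quiet_mode(self, now) -> bool:
        return self.quiet_until is not None and now < self.quiet_until

    def allow(self, src, now) -> bool:
        """May a login attempt from src be processed at time now?"""
        if self.in_quiet_mode(now):
            return src in self.exempt    # only the exempt list gets through
        return True

    def record_failure(self, src, now) -> bool:
        """Call after a failed login; returns True if this failure triggered quiet mode."""
        if self.in_quiet_mode(now):
            return False                 # already blocked; nothing new to count
        self.failures.append(now)
        # Drop failures that have fallen out of the `within` window.
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            return True
        return False

if __name__ == "__main__":
    # Constructed scenario: 198.51.100.5 hammers the VTY, 192.0.2.10 is the
    # management station on the exemption list.
    guard = LoginGuard(block_for=60, attempts=5, within=30, exempt=["192.0.2.10"])
    for t in range(5):
        if guard.record_failure("198.51.100.5", t):
            print(f"quiet mode entered at t={t}, until t={guard.quiet_until}")
    print("attacker allowed at t=10:", guard.allow("198.51.100.5", 10))
    print("admin allowed at t=10:   ", guard.allow("192.0.2.10", 10))
    print("attacker allowed at t=70:", guard.allow("198.51.100.5", 70))
```

The sliding window matters: four failures at t=0..3 and a fifth at t=35 do not trigger quiet mode, because by then the first four are more than 30 seconds old.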

You can also log failed/succeeded logins using:
login on-failure
login on-success

By default it would generate SNMP traps.

Most application layer vulnerabilities are classified under buffer overflows. Even Cisco has been plagued with buffer overflow problems with their Firewall Authentication Proxy in 2005.

A buffer overflow is caused by an application that tries to store data beyond the capacity of a buffer. The extra data is written to adjacent memory, which could be another buffer or an execution space.

Deep packet inspection at the network can prevent buffer overflows. The CSA (Cisco Security Agent) can also prevent buffer overflows from the end-system.

To lock up configuration and image, you can make use of Cisco IOS Resilient Configuration. To do this, type:
secure boot-config
secure boot-image

Only platforms with PCMCIA ATA support IOS Resilient Configuration. The files are not visible using "show flash". To see the backed-up files, use:
show secure bootset

By default, all lines have an inactivity timer of 10 minutes. To prevent this timer from expiring and kicking you out to login, you can go under config-line and use:
exec-timeout 0
