Young fighter course: protecting the router itself

    Following the safety axioms, we assume that any node in the network is a potential target. Therefore, it would be nice to know what potentially vulnerable places these nodes have. Consider a cisco router. Objections will immediately arise: there are a lot of them, the supported services are different and in general, it is difficult to put CRS-1 and the ancient 1600 into one heap. However, I do not set out to cover everything, but I will describe some general things.

    So, the first thing to remember is that by default the router does not block any normal traffic on the interface (frames with the wrong checksum do not count). However, part of the packets, upon closer examination (by the processor), the router still recognizes as unnecessary, for example:
    1. Packets with TTL = 0 or less
    2. Packets that do not know where to send (packet destination network is not present in the routing table and there is no explicit packet sending rule (PBR))
    3. Packets related to service protocols (for example, routing protocols) that are not running on the router.
    These destroyed packets can play a trick: if there is a lot of such traffic, then it can significantly load the processor of the router.
    Further, in addition to transit traffic, the router processes some overhead traffic (directed at itself). Often, by default (or ignorance), unnecessary protocols are launched on the router. They are dangerous because the router processes packets of this protocol. And you can arrange, for example, a DoS attack, learn remotely information that is not intended for distribution, or explore the network topology. These protocols include
    1. TFTP (the router can act as a TFTP server).
    2. BOOTP (can distribute their configuration files to diskless stations)
    3. DHCP (Router can act as a server and client)
    4. TCP Small Servers (TCP Echo, Finger, etc.)
    5. UDP Small Servers (UDP Echo, Discard, etc. )
    6. CDP (Cisco Discovery Protocol)
    7. NTP (Network Time Protocol. The router can act as a server and client)
    8. DNS (By default, the Broadcast DNS search of servers in the segment is
    enabled ) 9. PAD (Packet Accembler / Disaccembler)
    10. SNMP (Often configured default community)

    As a rule, if these protocols are not needed, it is better to disable them.
    1. no tftp-server
    2. no ip bootp server (old command no service bootp )
    3. no ip dhcp pool (no service dhcp)
    4. no service tcp-small-servers
    5. no service udp-small-servers
    6. no cdp run (globally), no cdp enable(on a specific interface). Do not turn off this protocol if cisco ip phone is connected to the interface, because it is according to this protocol that the connected device is automatically detected (this recommendation is more typical for switches, but still)
    7. no ntp master, no ntp server
    8. no ip domain-lookup . Remember that DNS is often needed on the router, so you do not always have to disconnect
    9. no service pad
    10. no snmp-server community {public | private}

    However, even if you turn off these and other service protocols (for example, http, https, ssh), packets of these protocols that come to the router’s interface will get into the brain and only there will be thrown back. Those. even turning everything off, you can try to load the router processor with garbage disposal.
    I would like to learn how to discard such packets without loading the brain. Also, the task often arises of limiting the load of official traffic on the processor. For example, specifying the maximum number of service packets (total or by separate protocols) in the queue or the number of service packets per second.
    These tasks are solved using a special
    control-plane host mode .

    To use this technology, you can create special class-map type traffic classes

    access-control access-control specific class-map
    control Configure a control policy class-map
    inspect Configure CBAC Class Map
    logging Class map for control-plane packet logging
    port-filter Class map for port filter
    queue-threshold Class map for queue threshold
    stack class -map for protocol header stack specification

    Create a special policy (Policy-map type)
    policy-map type?
    access-control access-control specific policy-map
    control Configure a control policy policy-map
    inspect Configure CBAC Policy Map
    logging Control-plane packet logging
    port-filter Control-plane tcp / udp port filtering
    queue-threshold Control-plane protocol queue limiting

    And apply it in this mode:
    control-plane host
    service-policy type?
    logging Control-plane packet logging
    port-filter Control-plane tcp / udp port filtering
    queue-threshold Control-plane protocol queue limiting It is

    similar to limit the load on the brain with service packets, it’s enough to describe the usual traffic class, the usual policy, where as an action, specify the restriction with the word police
    police rate [units] pps
    Let's analyze the examples:
    1. Limit the number of telnet packets from all networks except the host to 100 packets per second.
    To do this, write an access list
    ip access-list extended TELNET
    deny tcp host any eq 23
    permit tcp any any eq 23

    Next, create class traffic
    class TELNET
    match access-group TELNET

    Let's describe the policy
    policy map TELNET
    class TELNET
    police rate 100 pps

    And hang the policy in control-plane
    control-plane host
    service-policy input TELNET

    2. Block packets directed to application ports, not used by the router
    Create a special traffic
    class class-map type port-filter PORTS
    match closed-ports

    Let us describe a special policy
    policy-map type port-filter PORTS
    class PORTS

    And hang the policy in control-plane
    control-plane host
    service-policy type port-filter input PORTS

    To protect management-plane, i.e. Router management you should remember the following points:
    1. If possible, use secure management protocols: ssh, https. To do this, you need to develop a key RSA pair, specify authentication rules and enable https (ip http secure-server) support
    2. Even when using secure control protocols, and especially when it is impossible to use them, it is necessary to restrict administrative access from the outside and from the inside using access lists applied on interfaces, terminal lines (line vty) or in control-plane host mode
    3. It is advisable to use complex passwords with a minimum length of 8 characters and containing numbers, letters of different registers and characters. And so that some young administrator of the router does not violate this rule for creating passwords, there is a command

    security passwords min-length [length]

    4. It is better to have hashed passwords in the config. Then there will be no way to pry the password. To do this, use not the word “password”, but the word “secret”
    username admin secret {password}
    enable secret {password}

    5. Do not forget about the AUX port. This is almost the same console and having access to hardware can connect using AUX to the command line. If there is no password for AUX, then the connected person will be able to enter at least unprivileged mode.
    6. Many routers have a password protection feature. You can block the user after N incorrectly entered passwords, or you can insert a delay after several attempts.
    security authentication failure rate [attempts] [log]

    After N incorrect passwords (10 by default), a 15 second delay will be inserted. The word log allows you to log such events.
    7. Remember that when using the SNMP protocol, it is advisable to use version 3 of the protocol with authentication and encryption. If you are using earlier, almost unprotected versions, make sure that the default community is disabled.
    8. In networks with a large number of devices, it makes sense to allocate the so-called network for management (OOB, Out-of-Band management). This is a separate network segment that does not intersect with the data network. Until recently, a router could be placed in OOB only through a console server, but in new IOS you can administratively set the interface from which you can configure the router and only from it. This is all done in the same control-plane host mode by explicitly specifying the interface and allowed protocols.
    control-plane host
    management-interface f0 / 0 allow ssh snmp

    Protection of routing protocols
    Protection of dynamic routing protocols is also a very important topic, as if an attacker succeeds in corrupting the routing table, the necessary packets will simply be destroyed or go “not there." Therefore, I highly recommend that you use update authentication when working with dynamic routing protocols, preferably with an MD5 sum (hash). Almost all protocols support this technology: BGP, OSPF, RIPv2, EIGRP. Some protocols also support clear text authentication (just a key), but since the key is transmitted in the service pack itself; to call such a mechanism protected, the language does not rotate.
    To configure MD5 authentication, you usually need to:
    1. Describe the same key on all routers operating on the same protocol (or on a specific interface, in a specific zone)
    2. Configure a security method (no protection, clear text, MD5)

    3. Enable the mechanism

    Example: OSPF

    protocol (config-if ) # ip ospf authentication message-digest Ro (config-if) # ip ospf message-digest-key 1234 md5 cisco
    Where 1234 is the key number, and the word “cisco” will calculate the md5 hash.

    Also popular now: