Crash course: protecting the router itself
Following the security axioms, we assume that any node in the network is a potential target, so it is worth knowing where such nodes are potentially vulnerable. Consider a Cisco router. The objection is obvious: there are many models, the supported services differ, and it is hard to lump a CRS-1 and an ancient 1600 together. I do not aim to cover everything; I will describe some general points that apply to most of them.
The first thing to remember is that by default the router does not block any well-formed traffic arriving on an interface (frames with a bad checksum do not count). Some packets, however, are recognised as unwanted only after closer inspection, and that inspection is done by the CPU rather than by the forwarding path, for example:
1. Packets whose TTL expires on this router (TTL of 0 or 1 on arrival for transit traffic); these are punted so that an ICMP Time Exceeded message can be generated.
2. Packets the router does not know where to send (the destination network is not in the routing table and no policy-based routing (PBR) rule applies).
3. Packets for service protocols (for example, routing protocols) that are not running on the router.
These packets end up being discarded, but the discard itself has a cost: if there is a lot of such traffic, it can significantly load the router's CPU.
Besides transit traffic, the router also processes traffic addressed to itself. Often, by default (or out of ignorance), unnecessary services are left running on the router. They are dangerous precisely because the router has to process every packet of those protocols: they can be used for a DoS attack, to learn information that was never meant to be distributed, or to map the network topology. Such services include:
1. TFTP (the router can act as a TFTP server).
2. BOOTP (the router can hand its configuration files out to diskless stations).
3. DHCP (the router can act as both server and client).
4. TCP small servers (Echo, Chargen, Discard, Daytime).
5. UDP small servers (Echo, Chargen, Discard).
6. CDP (Cisco Discovery Protocol), which announces platform, IOS version and addresses to every neighbour.
7. NTP (Network Time Protocol; the router can act as server and client).
8. DNS (by default, with no name server configured, the router broadcasts its DNS queries into the local segment).
9. PAD (X.25 Packet Assembler/Disassembler).
10. SNMP (often left with the default communities).
As a rule, if these services are not needed, disable them:
1. no tftp-server <file> (one per file offered)
2. no ip bootp server (older images: no service bootp)
3. no service dhcp disables the DHCP server and relay entirely; no ip dhcp pool <name> only removes one pool
4. no service tcp-small-servers
5. no service udp-small-servers
6. no cdp run (globally) or no cdp enable (on a specific interface). Do not disable it on a port with a Cisco IP phone attached, since CDP is what detects the phone automatically (this is more of a switch concern, but still).
7. no ntp master, no ntp server <address>; ntp disable on an interface stops that interface from accepting NTP at all
8. no ip domain-lookup. Remember that DNS is often needed on the router, so this is not always an option; in that case at least configure ip name-server so that queries are not broadcast.
9. no service pad
10. no snmp-server community public and no snmp-server community private (or no snmp-server to turn the agent off completely)
However, even if you disable these and other services (http, https, ssh, for example), packets for them that arrive on the router's interface are still punted to the route processor and only rejected there. In other words, even with everything switched off, an attacker can try to load the CPU with garbage it has to discard.
It would be good to be able to drop such packets without involving the CPU. A related task is to limit the load that legitimate control traffic places on the processor: for example, capping the number of service packets (in total or per protocol) in the queue, or the number of service packets per second.
Both tasks are solved with Control Plane Protection, configured in the special control-plane host mode (the host sub-interface covers traffic addressed to the router itself; plain control-plane applies an aggregate policy).
Special class-map types exist for this; the CLI help lists them:
Router(config)# class-map type ?
  access-control   access-control specific class-map
  control          Configure a control policy class-map
  inspect          Configure CBAC Class Map
  logging          Class map for control-plane packet logging
  port-filter      Class map for port filter
  queue-threshold  Class map for queue threshold
  stack            class-map for protocol header stack specification
Then a policy of the matching type:
Router(config)# policy-map type ?
  access-control   access-control specific policy-map
  control          Configure a control policy policy-map
  inspect          Configure CBAC Policy Map
  logging          Control-plane packet logging
  port-filter      Control-plane tcp/udp port filtering
  queue-threshold  Control-plane protocol queue limiting
And it is applied in control-plane host mode:
Router(config)# control-plane host
Router(config-cp-host)# service-policy type ?
  logging          Control-plane packet logging
  port-filter      Control-plane tcp/udp port filtering
  queue-threshold  Control-plane protocol queue limiting
Rate-limiting the control traffic that does reach the CPU is just as simple: describe an ordinary traffic class and an ordinary policy, and as the action in the policy specify a limit with the word police:
police rate <packets> pps
Let us work through the examples:
1. Limit telnet packets from all sources except the host 10.1.1.100 to 100 packets per second.
First write an access list. Note what deny means here: inside a class-map a deny entry drops nothing, it only keeps matching packets out of the class, so 10.1.1.100 is left completely unlimited.
ip access-list extended TELNET
 deny tcp host 10.1.1.100 any eq 23
 permit tcp any any eq 23
Next create the traffic class (a named ACL is referenced with the name keyword):
class-map match-all TELNET
 match access-group name TELNET
Describe the policy:
policy-map TELNET
 class TELNET
  police rate 100 pps
And attach the policy in control-plane host mode:
control-plane host
 service-policy input TELNET
2. Drop packets sent to application ports the router is not listening on.
Create the special traffic class:
class-map type port-filter PORTS
 match closed-ports
Describe the special policy:
policy-map type port-filter PORTS
 class PORTS
  drop
And attach it in control-plane host mode:
control-plane host
 service-policy type port-filter input PORTS
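To see what the telnet policy above actually does to traffic, here is an added Python model (example code, not from the original article and not a Cisco tool) of the two mechanisms involved: ACL-based class-map matching with IOS semantics, where a deny entry excludes a packet from the class rather than dropping it, and a single-rate packet token bucket standing in for police rate 100 pps. The trace it runs on is constructed (a 1000 pps telnet flood from 203.0.113.5, plus a little telnet and SSH from the admin host 10.1.1.100, all towards the router address 192.0.2.1), and the burst size of 100 packets is an assumed parameter, not the IOS default.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Packet:
    t: Fraction          # arrival time in seconds (exact, to keep the bucket maths exact)
    proto: str
    src: str
    dst: str
    dport: int


# The page's ACL as (action, proto, src, dst, dport); "any" is a wildcard.
ACL_TELNET = [
    ("deny", "tcp", "10.1.1.100", "any", 23),
    ("permit", "tcp", "any", "any", 23),
]


def ace_matches(ace, pkt):
    _, proto, src, dst, dport = ace
    return (proto == pkt.proto and src in ("any", pkt.src)
            and dst in ("any", pkt.dst) and dport == pkt.dport)


def in_class(acl, pkt):
    """class-map 'match access-group' semantics: the first matching ACE decides.
    'deny' (and the implicit deny at the end) does not drop the packet; it only keeps
    it out of this class, so it falls through to class-default."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False


class Policer:
    """Single-rate token bucket counted in packets, standing in for 'police rate N pps'.
    burst_pkts is an assumed parameter; IOS applies its own default when none is given."""

    def __init__(self, rate_pps, burst_pkts):
        self.rate, self.burst = Fraction(rate_pps), Fraction(burst_pkts)
        self.tokens, self.last = self.burst, Fraction(0)

    def offer(self, t):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True   # conform: handed to the route processor
        return False      # exceed: dropped before it costs any CPU


def run_policy(acl, rate_pps, burst_pkts, packets):
    """Return {src: (conform, exceed, outside_class)} for a trace of packets to the router."""
    policer = Policer(rate_pps, burst_pkts)
    stats = {}
    for pkt in sorted(packets, key=lambda p: p.t):
        conform, exceed, outside = stats.get(pkt.src, (0, 0, 0))
        if not in_class(acl, pkt):
            stats[pkt.src] = (conform, exceed, outside + 1)
        elif policer.offer(pkt.t):
            stats[pkt.src] = (conform + 1, exceed, outside)
        else:
            stats[pkt.src] = (conform, exceed + 1, outside)
    return stats


def constructed_trace():
    """Constructed one-second trace (not captured data): a 1000 pps telnet flood from
    203.0.113.5, plus 20 telnet and 5 ssh packets from the admin host 10.1.1.100,
    all addressed to the router's own address 192.0.2.1."""
    rtr = "192.0.2.1"
    flood = [Packet(Fraction(i, 1000), "tcp", "203.0.113.5", rtr, 23) for i in range(1000)]
    admin = [Packet(Fraction(i, 20), "tcp", "10.1.1.100", rtr, 23) for i in range(20)]
    admin += [Packet(Fraction(i, 5), "tcp", "10.1.1.100", rtr, 22) for i in range(5)]
    return flood + admin


if __name__ == "__main__":
    for src, (c, e, o) in run_policy(ACL_TELNET, 100, 100, constructed_trace()).items():
        print(f"{src:12} conform={c:4} exceed={e:4} outside-class={o}")
```

Run as is, the flood source gets 199 packets through in the first second (the initial burst plus the refill) and 801 dropped before they reach the CPU, while 10.1.1.100 is never policed at all because the deny entry keeps it out of the TELNET class. That exemption is also the policy's weak spot: an attacker who spoofs 10.1.1.100 as the source is exempt too, so the admin host should additionally be covered by an anti-spoofing ACL or uRPF at the edge, and telnet from untrusted sources is better dropped outright than merely rate-limited.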
To protect the management plane, i.e. the management of the router itself, keep the following points in mind:
1. Wherever possible, use secure management protocols: SSH and HTTPS. For this you need to generate an RSA key pair (crypto key generate rsa), define the authentication rules, and enable HTTPS support (ip http secure-server) while turning plain HTTP off (no ip http server) and restricting the vty lines to SSH (transport input ssh).
2. Even with secure management protocols, and especially where they cannot be used, restrict administrative access from outside and from inside with access lists applied on interfaces, on the terminal lines (access-class under line vty), or in control-plane host mode.
3. Use complex passwords: at least 8 characters, with digits, letters of both cases and punctuation. To stop a junior administrator from breaking this rule, there is the command
security passwords min-length [length]
4. Keep passwords in the configuration as hashes; then the configuration file does not give the password away. Use the keyword secret instead of password. A password entered with the password keyword is at best stored as a type 7 string (even with service password-encryption), and type 7 is reversible and trivially decoded.
Examples:
username admin secret {password}
enable secret {password}
5. Do not forget the AUX port. It is almost the same as the console: anyone with physical access to the hardware can connect to the command line through AUX. If the AUX line has no password, whoever connects gets at least user mode. Set a password and login on line aux 0, or disable the line with no exec (and transport input none) if no modem is attached.
6. Many routers have a login protection feature: a user can be blocked after N wrong passwords, or a delay can be inserted after several attempts.
Example:
security authentication failure rate [attempts] [log]
After N wrong passwords (10 by default) a 15-second delay is inserted. The log keyword causes such events to be logged.
7. If SNMP is used, prefer version 3 with authentication and encryption (authPriv). If you are stuck with the earlier, practically unprotected versions, make sure the default communities are removed and that the remaining ones are read-only and restricted by an access list.
8. In networks with many devices it makes sense to build a dedicated management network (OOB, out-of-band management): a separate segment that does not intersect with the data network. Until recently a router could be put into OOB only through a console server, but in newer IOS you can administratively designate the interface from which the router may be configured, and only that one. This is also done in control-plane host mode, by naming the interface and the allowed protocols (Management Plane Protection). Once configured, those protocols are refused on every other interface, so apply it from the console or from the management interface itself to avoid locking yourself out.
Example:
control-plane host
 management-interface FastEthernet0/0 allow ssh snmp
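The two lists above (unneeded services, and the management-plane hygiene points) are the kind of thing that is easy to check mechanically before a device goes into service. The following Python script is an added example, not from the original article and not a Cisco tool: it audits a saved show running-config for those items. Both configurations embedded in it are constructed samples (the type-7 strings, the file name and the hash-elided placeholders are made up), and the defaults encoded in GLOBAL_CHECKS are an assumption about classic IOS behaviour. That assumption is the main thing the script has to deal with: IOS does not print defaults, so cdp run, service pad or ip bootp server are on even though they appear nowhere in the config, and only their no form is visible once you disable them.

```python
import re

# Constructed 'show running-config' excerpts (not from real devices; type-7 strings,
# the file name and 'hash-elided' are placeholders). IOS prints no defaults, so
# 'cdp run', 'service pad' and 'ip bootp server' are ON in WEAK_CONFIG even though
# they appear nowhere; only their 'no ...' form shows up once you disable them.
WEAK_CONFIG = """\
service password-encryption
service tcp-small-servers
hostname edge-rtr
enable password 7 0822455D0A16
username admin password 7 094F471A1A0A
no ip domain-lookup
ip http server
tftp-server flash:router-image.bin
snmp-server community public RO
snmp-server community private RW
line con 0
 login
line aux 0
line vty 0 4
 password 7 104D000A0618
 login
 transport input telnet ssh
end
"""

HARDENED_CONFIG = """\
no service pad
no ip bootp server
no cdp run
security passwords min-length 12
enable secret 5 hash-elided
username admin secret 5 hash-elided
no ip domain-lookup
snmp-server group admins v3 priv
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
end
"""

# (finding id, global command regex, enabled by default on classic IOS (assumed), fix)
GLOBAL_CHECKS = [
    ("tcp-small-servers", r"service tcp-small-servers", False, "no service tcp-small-servers"),
    ("udp-small-servers", r"service udp-small-servers", False, "no service udp-small-servers"),
    ("pad", r"service pad", True, "no service pad"),
    ("bootp", r"ip bootp server", True, "no ip bootp server"),
    ("cdp", r"cdp run", True, "no cdp run"),
    ("tftp-server", r"tftp-server", False, "no tftp-server <file>"),
    ("ntp-master", r"ntp master", False, "no ntp master"),
    ("http", r"ip http server", False, "no ip http server (ip http secure-server if a web UI is needed)"),
    ("enable-password", r"enable password", False, "enable secret <password>"),
    ("username-password", r"username \S+ (privilege \d+ )?password", False, "username <name> secret <password>"),
    ("default-community", r"snmp-server community (public|private)", False, "remove it; use SNMPv3 authPriv"),
]


def _has(lines, regex):
    """True if some top-level line is exactly this command (optionally with arguments)."""
    return any(re.match(regex + r"(\s|$)", line) for line in lines)


def _line_blocks(lines):
    """Group the indented sub-commands under each 'line ...' section."""
    blocks, current = {}, None
    for line in lines:
        if line.startswith("line "):
            current, blocks[line] = line, []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit(config):
    """Return [(finding id, suggested fix)] for the page's service and management checks."""
    lines = [line.rstrip() for line in config.splitlines()]
    top = [line for line in lines if line and not line.startswith(" ")]
    findings = []
    for fid, cmd, default_on, fix in GLOBAL_CHECKS:
        # default-on services count as enabled unless their 'no' form is present
        if _has(top, cmd) or (default_on and not _has(top, "no " + cmd)):
            findings.append((fid, fix))
    if not _has(top, r"no ip domain[- ]lookup") and not _has(top, r"ip name-server"):
        findings.append(("dns-broadcast", "no ip domain-lookup, or ip name-server <address>"))
    if not _has(top, r"security passwords min-length"):
        findings.append(("min-length", "security passwords min-length <n>"))
    for name, body in _line_blocks(lines).items():
        if name.startswith("line aux") and not any(b.startswith(("login", "no exec")) for b in body):
            findings.append(("aux-open", name + ": login + password, or no exec"))
        if name.startswith("line vty"):
            transport = [b for b in body if b.startswith("transport input")]
            if not transport or any(w in transport[0] for w in ("telnet", "all")):
                findings.append(("vty-telnet", name + ": transport input ssh"))
            if not any(b.startswith("access-class") for b in body):
                findings.append(("vty-no-access-class", name + ": access-class <acl> in"))
    return findings


if __name__ == "__main__":
    for fid, fix in audit(WEAK_CONFIG):
        print(f"{fid:22} -> {fix}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The weak sample produces thirteen findings, including three (pad, bootp, cdp) for commands that are not in the text at all; the hardened sample produces none. Treat the default table as platform-specific: confirm each default against show running-config all (or the release notes) for the image you actually run before trusting a clean result.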
Protection of routing protocols
Protecting dynamic routing protocols is just as important: if an attacker manages to corrupt the routing table, the packets that matter will simply be discarded or sent somewhere else. I therefore strongly recommend authenticating routing updates, preferably with an MD5 digest. Almost all protocols support this: BGP, OSPF, RIPv2, EIGRP. Some protocols also offer clear-text authentication (just a key), but since the key is carried inside the protocol packet itself, one can hardly call that protection. MD5 is the baseline; where the image supports it, HMAC-SHA through a key chain is preferable.
To configure MD5 authentication you usually need to:
1. Configure the same key (and key number) on all routers running the protocol, or on the specific interface, or in the specific area.
2. Select the authentication method (none, clear text, MD5).
3. Enable the mechanism.
Example: OSPF
Router(config-if)# ip ospf authentication message-digest
Router(config-if)# ip ospf message-digest-key 1 md5 cisco
Here 1 is the key number (key ID, valid range 1 to 255) and the word "cisco" is the shared secret from which the MD5 digest of each packet is computed; the secret itself never appears on the wire. Key ID and secret must match on every router on the link, and the secret is stored in the configuration (type 7 obfuscated at best, with service password-encryption), so treat the configuration file as sensitive.
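To make concrete what "the secret never appears on the wire" means, here is an added Python example (not from the original article, and not Cisco code) that builds a minimal OSPFv2 Hello and applies the cryptographic authentication of RFC 2328 Appendix D the way a router does: the 8-byte authentication field carries the key ID, the digest length (16) and a cryptographic sequence number, the sender appends MD5(packet || key zero-padded to 16 bytes) after the packet, and the receiver recomputes the digest with the key it holds under that key ID and rejects sequence numbers that go backwards. The addresses, hello timers and keys are constructed values, and the OSPF checksum is left at zero (it is not used with cryptographic authentication; a receiver of the simple-auth packet would normally check it, which is omitted here).

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AUTYPE_NULL, AUTYPE_SIMPLE, AUTYPE_MD5 = 0, 1, 2


def ip4(addr):
    return IPv4Address(addr).packed


def ospf_hello(router_id, area_id, autype, auth_field):
    """Minimal OSPFv2 Hello: 24-byte header plus a 20-byte body with no neighbours.
    Constructed values: /24 mask, hello 10 s, dead 40 s, options E, priority 1, no DR/BDR.
    The checksum field stays 0: it is not used with cryptographic authentication."""
    assert len(auth_field) == 8
    body = struct.pack("!4sHBBI4s4s", ip4("255.255.255.0"), 10, 0x02, 1, 40,
                       ip4("0.0.0.0"), ip4("0.0.0.0"))
    header = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body), ip4(router_id),
                         ip4(area_id), 0, autype, auth_field)
    return header + body


def pad_key(key):
    """OSPF MD5 keys are at most 16 bytes; shorter keys are zero-padded (RFC 2328 D.4.3)."""
    if not 1 <= len(key) <= 16:
        raise ValueError("OSPF MD5 key must be 1..16 bytes")
    return key.ljust(16, b"\0")


def md5_sign(router_id, area_id, key_id, seq, key):
    """Sender side: auth field = reserved(2) | key id(1) | digest len(1) | crypto seq(4);
    the digest MD5(packet || padded key) is appended after the packet and is NOT
    counted in the header's packet length."""
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = ospf_hello(router_id, area_id, AUTYPE_MD5, auth_field)
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def md5_verify(wire, keys, last_seq):
    """Receiver side. keys maps key id -> secret; last_seq maps router id -> highest
    sequence number accepted so far, so an old captured packet cannot be replayed."""
    if len(wire) < 24:
        return False
    plen, autype = struct.unpack("!H", wire[2:4])[0], struct.unpack("!H", wire[14:16])[0]
    key_id, auth_len, seq = struct.unpack("!BBI", wire[18:24])
    if autype != AUTYPE_MD5 or auth_len != 16 or len(wire) < plen + 16 or key_id not in keys:
        return False
    packet, digest = wire[:plen], wire[plen:plen + 16]
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(digest, expected):
        return False
    router_id = wire[4:8]
    if seq < last_seq.get(router_id, 0):
        return False          # replay of an older packet
    last_seq[router_id] = seq
    return True


def simple_auth_hello(router_id, area_id, key):
    """Clear-text authentication (type 1): the 8-byte field simply holds the key."""
    return ospf_hello(router_id, area_id, AUTYPE_SIMPLE, key.ljust(8, b"\0")[:8])


if __name__ == "__main__":
    signed = md5_sign("10.0.0.1", "0.0.0.0", 1, 100, b"cisco")
    print("md5 ok with right key :", md5_verify(signed, {1: b"cisco"}, {}))
    print("md5 ok with wrong key :", md5_verify(signed, {1: b"wrong"}, {}))
    print("key visible, type 1   :", b"cisco" in simple_auth_hello("10.0.0.1", "0.0.0.0", b"cisco"))
    print("key visible, type 2   :", b"cisco" in signed)
```

Note what this construction is and is not: the digest is a plain MD5 over the packet with the secret appended, not an HMAC, so its strength rests on the secret staying secret and on MD5 preimage resistance, and replay protection comes only from the sequence-number check, for which the receiver has to keep state per neighbour. The simple-auth packet the block also builds shows the alternative: the key sits in the header in the clear, readable by anyone on the segment.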