Protecting Cisco IOS from Intrusion 375
Protecting Cisco IOS from Intrusion
Now that you have a snapshot of modern security concerns, this section looks at Cisco IOS and the configuration commands you can use to deny intruders the ability to harm valuable network resources that are typically connected behind a Cisco router. In particular, this section covers how you can stop DoS attacks.
Figure 8-2 displays a typical network scenario. You see how to configure the router so that it separates the public and private networks and the private network is not directly exposed to the Internet.
Figure 8-2 Typical Internet Connection on R1
[Figure 8-2 is an image that was not preserved. Labels recoverable from it: Internet Connection (WWW); Host A and Host B; routers R1 and R2 joined by the 131.108.255.0/24 network with endpoints .1 and .2; one router is annotated "Performs Firewall Function".]
Example 8-1 configures the Router R1 to enable the Nagle algorithm defined in RFC 896.
Example 8-1 Enable Nagle
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
Cisco Connection Online defines the Nagle algorithm (www.cisco.com/univercd/cc/td/doc/product/software/ios100/rpcg/36053.htm):
The algorithm developed by John Nagle (RFC 896) helps alleviate the small-packet problem in TCP. In general, it works this way: The first character typed after connection establishment is sent in a single packet, but TCP holds any additional characters typed until the receiver acknowledges the previous packet. Then the second, larger packet is sent, and additional typed characters are saved until the acknowledgment comes back. The effect is to accumulate characters into larger chunks, and pace them out to the network at a rate matching the round-trip time of the given connection. This method is usually effective for all TCP-based traffic. However, do not use the service nagle command if you have X Remote users on X Window system sessions.
376 Chapter 8: Network Security Policies, Vulnerabilities, and Protection
Enabling the Nagle algorithm together with the service tcp-keepalives-in and service tcp-keepalives-out commands keeps TCP sessions to and from the router from being left hanging: the keepalives detect a peer that has gone away (a crashed host with an open vty session, for example) and tear the session down, so orphaned sessions cannot tie up the router's vty lines.
NOTE To generate keepalive packets on idle incoming network connections (initiated by the remote host), use the service tcp-keepalives-in global configuration command.
To generate keepalive packets on idle outgoing network connections (initiated by a user), use the service tcp-keepalives-out global configuration command.
Example 8-2 configures R1 to disable the TCP and UDP small servers (the Echo, Discard, Chargen, and Daytime services). These were enabled by default in Cisco IOS releases before 11.3; in Release 11.3 and later they are disabled by default.
Example 8-2 Disable TCP/UDP Small Servers
no service udp-small-servers
no service tcp-small-servers
In Cisco IOS Release 11.3 and later, the TCP servers for the Echo, Discard, Chargen, and Daytime services are disabled by default. When the minor TCP servers are disabled, a connection attempt to the Echo, Discard, Chargen, or Daytime port causes the Cisco IOS Software to send a TCP reset (RST) to the sender and discard the original incoming packet. Because disabled is the default, the commands in Example 8-2 do not appear when you view the configuration.
NOTE When the UDP small servers are disabled, a datagram sent to the Echo, Discard, or Chargen UDP port causes the router to send an ICMP port unreachable message to the source device and to discard the incoming packet. It is up to the source station to act on the ICMP unreachable message. In other words, the router still answers: an unauthorized host that probes these ports learns that the router exists and which ports are closed. Example 8-11 shows how to suppress ICMP unreachables on an interface.
Example 8-3 configures R1 to encrypt all passwords configured on a Cisco router.
Example 8-3 Encrypting All Passwords
service password-encryption
enable secret 5 $1$CNqo$C4bT4/zR.iJF0YEpqMhPF/
enable password 7 13061E010803
service password-encryption obscures the plain-text passwords in the configuration (line, username, and enable passwords) so that anyone who views the file, intruder or insider, does not see them in clear text. The type 7 encoding it applies is reversible, however, so it protects only against a casual glance at the configuration. Then define the enable secret as well: it is stored as a salted MD5 hash (type 5), which cannot be reversed, only guessed, and it takes precedence over the enable password when both are configured.
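To show why the enable secret matters, here is an added example (not code from the book or from Cisco) that reverses type 7 strings and scans a configuration dump for them. It relies on the fixed, publicly known XOR constant that IOS uses for service password-encryption; the function and variable names are this example's own. Run on the two enable lines from Example 8-3, it recovers the enable password as cisco and leaves the type 5 secret alone, because a salted MD5 hash can only be guessed, not decoded.

```python
import re

# Fixed XOR key that Cisco IOS uses for type 7 ("service password-encryption")
# passwords. It is published and identical on every router, which is why the
# encoding is reversible.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal seed digits, then hex bytes that
    were XORed with XLAT starting at the seed offset."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string must be a seed plus an even number of hex digits")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 13) -> str:
    """Forward direction, to make the point that this is a fixed-key XOR, not a hash."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    data = plain.encode("ascii")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Matches "<statement> 7 <hex>" lines such as "enable password 7 ..." or
# "username x password 7 ..."; type 5 lines ("enable secret 5 $1$...") do not match.
TYPE7_RE = re.compile(r"^(?P<stmt>\S.*?)\s7\s(?P<hex>[0-9A-Fa-f]{4,})\s*$")


def audit_config(config_text: str):
    """Return (statement, recovered_password) for every type 7 password in a
    configuration dump."""
    found = []
    for line in config_text.splitlines():
        m = TYPE7_RE.match(line.strip())
        if m:
            found.append((m.group("stmt"), decode_type7(m.group("hex"))))
    return found


if __name__ == "__main__":
    # Constructed snippet; the two enable lines are the ones shown in Example 8-3.
    sample = """service password-encryption
enable secret 5 $1$CNqo$C4bT4/zR.iJF0YEpqMhPF/
enable password 7 13061E010803
"""
    for stmt, pw in audit_config(sample):
        print(f"{stmt}: recovered '{pw}'")
```

Anyone who can read the running configuration (a copied backup, a TFTP archive, a show running-config over the shoulder) can run this, so treat type 7 strings as plain text when deciding who may see the configuration, and put the real protection in the enable secret.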
Example 8-4 configures R1 to disable the DHCP server and relay agent, which are enabled by default.
Example 8-4 Disable DHCP
no service dhcp
Cisco IOS enables the DHCP server and relay agent on routers by default. This is not a necessary service on an Internet-facing router, so disable it unless the router is meant to serve or relay DHCP; that way the router neither hands a valid IP address to an intruder's client nor processes DHCP packets arriving from an untrusted segment.
Example 8-5 enables Router R1 to log debug and system messages, stamp each entry, buffer the messages locally, and send them to three remote syslog hosts.
Example 8-5 Logging Router System Changes and Events
service timestamps debug
service timestamps log
logging buffered 64000 debugging
logging rate-limit console 10 except errors
no logging console
logging trap debugging
logging 1.1.1.1
logging 141.108.1.1
logging 5.5.5.5
Make sure the router's clock is set to the correct time via NTP or manually with the clock set command, so that the log can be read meaningfully after an incident has occurred. As written, service timestamps stamps each entry with the router's uptime; add the datetime and msec keywords if you want wall-clock time that can be correlated with the syslog hosts' own clocks. Because you are logging to remote hosts and locally to the buffer, you can disable logging to the console port so that messages do not overwhelm the router (no logging console), or at least rate-limit it (logging rate-limit console 10 except errors lets error-level messages through unthrottled). You are logging to three different remote hosts; logging trap debugging sets the severity level sent to them. You also buffer the log for viewing at a time favorable to the network administrator. Logging is enabled with the logging on command. The logging buffered command stores logged messages, such as configuration changes, in a buffer in the router's RAM (not NVRAM; the buffer is lost on reload, which is one reason the remote syslog hosts matter). To view the buffered messages, use the show logging command.
Example 8-6 configures R1 with the service sequence-numbers command.
Example 8-6 Enable Sequence Numbering
service sequence-numbers
This command is quite useful. Enabling it prefixes every syslog entry with a sequence number, so a collector can detect messages that were dropped, duplicated, or delivered out of order (a gap or reversal in the numbering). A sequence number is not an integrity check, however: someone who can alter the log can renumber it, so the numbers detect loss, not tampering. R1 is also configured for TACACS+ via the remote host 131.108.1.1, as the next example shows.
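The following is an added example (not part of the book) of what a collector can do with the output of Examples 8-5 and 8-6: it parses IOS syslog lines in the sequence-number plus timestamp format, counts messages by severity, and reports sequence numbers that never arrived or arrived late. The log lines are constructed for the example and are not real R1 output; the message formats follow the common IOS %FACILITY-SEVERITY-MNEMONIC layout.

```python
import re
from collections import Counter

# IOS syslog line with "service sequence-numbers" and "service timestamps log
# datetime msec" in effect: sequence number, timestamp, %FACILITY-SEV-MNEMONIC, text.
IOS_LINE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>.*?): (?P<fac>%[A-Z0-9_]+-(?P<sev>[0-7])-[A-Z0-9_]+): (?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for one IOS syslog line, or None if it is not one."""
    m = IOS_LINE.match(line)
    if not m:
        return None
    return {
        "seq": int(m.group("seq")),
        "ts": m.group("ts"),
        "facility": m.group("fac"),
        "severity": int(m.group("sev")),
        "msg": m.group("msg"),
    }


def check_sequence(lines):
    """Walk a received log and report what the sequence numbers reveal:
    missing numbers (dropped in transit or on the collector), numbers that
    arrived out of order, and lines that did not parse at all."""
    seen = set()
    out_of_order = []
    unparsed = []
    by_severity = Counter()
    last = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        seq = rec["seq"]
        if last is not None and seq <= last:
            out_of_order.append(seq)
        else:
            last = seq
        seen.add(seq)
        by_severity[rec["severity"]] += 1
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen) if seen else []
    return {
        "missing": missing,
        "out_of_order": out_of_order,
        "unparsed": unparsed,
        "by_severity": dict(by_severity),
    }


# Constructed sample in the format R1 would emit after Examples 8-5 and 8-6
# (not real log entries). 000043 never arrives; 000044 arrives late.
SAMPLE_LOG = """\
000041: *Mar  1 00:02:17.803: %SYS-5-CONFIG_I: Configured from console by vty0 (131.108.1.1)
000042: *Mar  1 00:02:40.115: %SEC-6-IPACCESSLOGP: list 100 denied tcp 1.1.1.1(3211) -> 131.108.255.1(23), 1 packet
000045: *Mar  1 00:03:02.540: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
000046: *Mar  1 00:03:04.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
000044: *Mar  1 00:02:58.910: %SYS-5-CONFIG_I: Configured from console by vty1 (5.5.5.5)
this line is not an IOS message
"""


def analyse(text=SAMPLE_LOG):
    return check_sequence(text.splitlines())


if __name__ == "__main__":
    print(analyse())
```

A gap that coincides with a burst of denied-packet messages is worth a second look: syslog rides on UDP, and a flood that saturates the link toward the collector silently loses exactly the messages you would want.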
Example 8-7 configures R1 for AAA.
Example 8-7 AAA Configuration
username cisco password ciSc0
aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default stop-only group tacacs+
tacacs-server host 131.108.1.1
tacacs-server key myguitarrocksthisworld
Example 8-7 configures R1 to authenticate logins and enable access against the TACACS+ server first. If the TACACS+ server cannot be reached, login falls back to the local username database (local-case makes the username comparison case-sensitive, so that cisco and Cisco are different users), and enable access falls back to the configured enable secret. Note that the fallback applies only when the server is unreachable; a login the server rejects is not retried locally. Privilege-level 15 commands are authorized, and EXEC sessions, level-15 commands, and network sessions are accounted, through the same server.
By default, Cisco IOS permits a number of default services. Example 8-8 disables some common services.
Example 8-8 Disable Services on by Default
no ip http server
no ip finger
no service pad
no ip source-route
no ip bootp server
Example 8-8 disables the HTTP server on R1. The finger service lets remote users view the output of show users (equivalent to show users [wide]); when ip finger is configured, the router responds to a telnet a.b.c.d finger command from a remote host by immediately displaying the output of the show users command and then closing the connection, which tells an intruder who is logged in and from where. You should turn this service off. The service pad command enables X.25 packet assembler/disassembler (PAD) connections between PAD devices and access servers; disable it unless X.25 is in use. The command no ip source-route causes the system to discard any IP datagram that carries a source-route option (loose or strict), so that a sender cannot dictate the path a packet takes through your network and bypass routing-based controls. When you disable the BOOTP server, access to the BOOTP port causes the Cisco IOS Software to send an ICMP port unreachable message to the sender and discard the original incoming packet.
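As an added example (not from the book), the following Python shows what no ip source-route is looking for: it walks the IPv4 option list of a header, reports the hop list if a loose or strict source route option is present, and treats malformed options as a reason to drop as well. The packets are constructed for the example (the hop addresses reuse the 131.108.255.0/24 network from Figure 8-2); the function names are this example's own.

```python
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7
IPOPT_LSRR, IPOPT_SSRR = 131, 137      # loose (0x83) and strict (0x89) source route


def ipv4_options(packet: bytes):
    """Yield (type, data) for each option in an IPv4 header, validating lengths
    so a malformed option cannot make the parser read past the header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            return
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        yield kind, opts[i + 2:i + length]
        i += length


def source_route_hops(packet: bytes):
    """Return the hop list if the packet carries an LSRR/SSRR option, else None.
    A router with 'no ip source-route' drops any packet for which this is not None."""
    for kind, data in ipv4_options(packet):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            addrs = data[1:]                  # data[0] is the pointer byte
            return [str(ipaddress.IPv4Address(addrs[j:j + 4]))
                    for j in range(0, len(addrs) - len(addrs) % 4, 4)]
    return None


def should_drop(packet: bytes) -> bool:
    """Policy: drop source-routed packets and anything whose options do not parse."""
    try:
        return source_route_hops(packet) is not None
    except ValueError:
        return True


def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed IPv4 header (TTL 64, protocol TCP, checksum left zero) used as
    sample input; options are padded to a 32-bit boundary as the header format requires."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                        64, 6, 0, ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    return fixed + options


def lsrr_option(*hops: str) -> bytes:
    """LSRR option: type, length (3 + 4 per hop), pointer (4), then hop addresses."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body


# Constructed packets: a normal one, one source-routed through R2's address,
# and one with a harmless record-route option preceded by a NOP.
PLAIN = build_header("1.1.1.1", "131.108.1.5")
ROUTED = build_header("1.1.1.1", "131.108.1.5", lsrr_option("131.108.255.2", "131.108.1.1"))
RECORD = build_header("1.1.1.1", "131.108.1.5", bytes([IPOPT_NOP, IPOPT_RR, 7, 4]) + b"\x00" * 4)
```

The ROUTED packet is the case the command exists for: the sender is asking R1 to deliver the packet via 131.108.255.2 and then 131.108.1.1 regardless of what R1's routing table says, which is how an outsider can make traffic appear to originate inside.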
Example 8-9 enables TCP intercept.
Example 8-9 TCP Intercept
ip tcp intercept list 100
ip tcp intercept connection-timeout 60
ip tcp intercept watch-timeout 10
ip tcp intercept one-minute low 1800
ip tcp intercept one-minute high 5000
access-list 100 permit ip any any
TCP intercept helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list (here access list 100, which matches any source to any destination). The router completes the three-way handshake with the client on the server's behalf and, only if the client completes it, opens the connection to the real server and joins the two halves, so the server never sees half-open connections from hosts that do not respond.
The one-minute low and high values define when TCP intercept leaves and enters aggressive mode.
In this case, ip tcp intercept one-minute high 5000 means that when more than 5000 connection requests arrive in the last one-minute sample period, the IOS enters aggressive mode, and ip tcp intercept one-minute low 1800 means that when the number of requests in the last minute drops below 1800, the software leaves aggressive mode. Keeping the two values apart (hysteresis) stops the router from flapping in and out of aggressive mode around a single threshold.
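The following is an added example (not code from the book or from Cisco IOS) that models the threshold logic described above: it counts connection requests in a sliding one-minute window and applies the enter-above-high, leave-below-low hysteresis of Example 8-9. The flood and steady-state scenarios, the class and function names, and the default thresholds taken from the example are this model's own; it does not model what aggressive mode then does to the half-open connection table.

```python
from collections import deque


class InterceptMonitor:
    """Models how TCP intercept decides to enter and leave aggressive mode from
    the 'one-minute high' and 'one-minute low' thresholds in Example 8-9.
    It counts connection requests (SYNs) in a sliding one-minute window."""

    def __init__(self, one_minute_low=1800, one_minute_high=5000, window=60.0):
        if one_minute_low > one_minute_high:
            raise ValueError("low threshold must not exceed high threshold")
        self.low, self.high, self.window = one_minute_low, one_minute_high, window
        self.syns = deque()          # arrival times of SYNs inside the window
        self.aggressive = False
        self.transitions = []        # (time, "enter" | "leave", rate at that moment)

    def _expire(self, now):
        while self.syns and self.syns[0] <= now - self.window:
            self.syns.popleft()

    def rate(self, now):
        """Connection requests seen in the window ending at `now`."""
        self._expire(now)
        return len(self.syns)

    def observe(self, now, syn=True):
        """Feed one SYN (or just a clock tick with syn=False) and return the mode."""
        if syn:
            self.syns.append(now)
        rate = self.rate(now)
        if not self.aggressive and rate > self.high:
            self.aggressive = True
            self.transitions.append((now, "enter", rate))
        elif self.aggressive and rate < self.low:
            self.aggressive = False
            self.transitions.append((now, "leave", rate))
        return self.aggressive


def simulate_flood(burst=6000, burst_seconds=10.0, quiet_until=80.0, **thresholds):
    """Constructed scenario: `burst` SYNs spread evenly over `burst_seconds`,
    then silence until a single SYN at `quiet_until`. Returns the monitor."""
    mon = InterceptMonitor(**thresholds)
    for i in range(burst):
        mon.observe(i * burst_seconds / burst)
    mon.observe(quiet_until)
    return mon


def simulate_steady(rate_per_minute=3000, minutes=3, **thresholds):
    """Constructed steady load between the low and high marks: the router
    must never enter aggressive mode for legitimate traffic at this level."""
    mon = InterceptMonitor(**thresholds)
    total = rate_per_minute * minutes
    for i in range(total):
        mon.observe(i * 60.0 * minutes / total)
    return mon


if __name__ == "__main__":
    print(simulate_flood().transitions)      # enter during the burst, leave at t=80
    print(simulate_steady().transitions)     # [] : 3000/min sits between 1800 and 5000
```

When you size the thresholds for a real server, run its normal connection rate through simulate_steady first: a low mark below the normal rate means the router, once pushed into aggressive mode by an attack, never leaves it while legitimate load continues.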
Example 8-10 configures R1 to dump the router’s memory contents in case of a router crash.
Example 8-10 Allowing Core Dumps
ip ftp username rooter
ip ftp password $%*&^$$%&$
exception core-file secure-r01-core-dump
exception protocol ftp
exception dump 3.3.3.3
It is important to be able to look at why a router crashed, especially a router that provides a security wall to the outside world. Core dumps can be given to Cisco personnel, who can decipher the main reason the router crashed. The IOS command exception core-file secure-r01-core-dump sets the filename generated when the router actually crashes. The IOS command exception protocol ftp defines the protocol used to send the memory dump. The IOS command exception dump 3.3.3.3 defines the remote host to which the file is copied; in this case, the file is copied via FTP to remote host 3.3.3.3. Cisco Systems TAC engineers use the memory dump to try to decipher why the router crashed. Two cautions: the dump is an image of the router's memory, so it can contain passwords, keys, and other configuration secrets, and FTP carries it (and the ip ftp credentials) in clear text, so the FTP server should be a trusted host reached over a protected path. Also note that Example 8-11 assigns 3.3.3.3 to R1's own loopback interface; in a real deployment the dump host must be a separate machine.
Example 8-11 shows R1 configured for some common parameters for packets sent to unknown destinations and networks that do not exist.
Example 8-11 IP Unreachables and Routes to Null0
interface loopback0
ip address 3.3.3.3 255.255.255.255
no ip redirects
no ip unreachables
interface null0
no ip unreachables
ip route 131.0.0.0 255.0.0.0 null0
The IOS command no ip redirects stops the router from sending ICMP redirect messages back to a packet's source when it forwards the packet out the same interface it arrived on; redirects reveal topology and can be abused to steer a host's traffic.
The IOS command no ip unreachables stops the router from sending ICMP unreachable messages for packets it cannot deliver, such as packets to a closed port or to a destination routed to Null0, so that a probe gets no answer back. The ip route command sends packets for network 131.0.0.0/8 that match no more-specific route to Null0, where they are discarded rather than forwarded toward the default route (and possibly back again). This stops a routing loop and blunts an intruder who spoofs addresses that appear to belong to 131.0.0.0/8; the router's own connected 131.108.255.0/24 is a longer match and is unaffected.
A loopback interface is a good source for log messages (logging source-interface loopback0) and for routing-protocol sessions, because a logical interface does not go down and is reliable. Assign it an address that uniquely identifies this router. Then configure the null0 interface as the place to send packets for unknown or unused destinations. This becomes the trap for packets: they can route in but not out, which is what you want when an intruder is spoofing addresses from otherwise valid IP networks.
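To make the longest-prefix-match interaction concrete, here is an added example (not from the book) of a minimal routing table for R1 built from Figure 8-2 and Example 8-11. The connected /24 toward R2, the /8 to Null0, and the per-interface ICMP unreachable setting come from the page; the interface name Serial0 and the default route via 131.108.255.2 are assumptions, as are the class and method names.

```python
import ipaddress


class Rib:
    """Minimal routing table with longest-prefix-match lookup, used to show how
    the routes and interface settings in Example 8-11 interact."""

    def __init__(self):
        self.routes = []                       # (network, next hop or interface)
        self.unreachables = {}                 # interface -> send ICMP unreachables?

    def add_route(self, prefix, via):
        self.routes.append((ipaddress.ip_network(prefix), via))

    def set_unreachables(self, interface, enabled):
        self.unreachables[interface] = enabled

    def lookup(self, dst):
        """Longest prefix match: the most specific route containing dst wins."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, via in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best

    def forward(self, dst, ingress="Serial0"):
        """Return (action, detail): forward via a next hop, or drop either
        silently or with an ICMP unreachable back to the sender."""
        match = self.lookup(dst)
        if match is None:
            return self._drop(ingress)
        net, via = match
        if via == "Null0":
            return self._drop("Null0")
        return ("forward", via)

    def _drop(self, interface):
        # IOS sends ICMP unreachables unless "no ip unreachables" is set on the interface.
        if self.unreachables.get(interface, True):
            return ("drop", "icmp-unreachable")
        return ("drop", "silent")


def r1_rib():
    """Constructed table for R1. Serial0 and the default route are assumptions;
    the page does not name the WAN interface or show a default route."""
    rib = Rib()
    rib.add_route("131.108.255.0/24", "Serial0")           # connected link to R2
    rib.add_route("3.3.3.3/32", "Loopback0")               # ip address 3.3.3.3 255.255.255.255
    rib.add_route("131.0.0.0/8", "Null0")                  # ip route 131.0.0.0 255.0.0.0 null0
    rib.add_route("0.0.0.0/0", "131.108.255.2")            # assumed default toward R2
    rib.set_unreachables("Null0", False)                   # no ip unreachables on null0
    rib.set_unreachables("Loopback0", False)
    return rib


if __name__ == "__main__":
    rib = r1_rib()
    for dst in ("131.108.255.2", "131.55.1.1", "8.8.8.8"):
        print(dst, rib.forward(dst))
```

The three lookups show the point of the /8 route: 131.108.255.2 still reaches R2 through the more specific connected route, a spoofed 131.55.1.1 is swallowed silently instead of bouncing along the default route, and everything else follows the default as before.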
The configurations shown in Examples 8-1 through 8-11 are just some of the techniques you can use to ensure vulnerable routers are secure. Just imagine all the routers on the Internet that do not contain this level of security, and you will be aware of the challenges faced in the day-to-day running of the WWW and the reasons why organizations such as CERT/CC are an invaluable resource.
For more details on security configurations, visit www.cisco.com/warp/public/707/index.shtml.