Protecting Cisco IOS from Intrusion 375
Protecting Cisco IOS from Intrusion
Now that you have a snapshot of modern security concerns, this section looks at Cisco IOS and the configuration commands you can use to deny intruders the ability to harm valuable network resources that are typically connected behind a Cisco router. In particular, this section covers how you can stop DoS attacks.
Figure 8-2 displays a typical network scenario. You see how to configure the router, separating the public and private networks so that the private network is not vulnerable.
Figure 8-2 Typical Internet Connection on R1
Internet Connection
WWW
|
|
|
|
|
|
|
|
|
|
|
|
|
Host B |
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
Host A |
|
|
|
|
|
|
|
||||||||
.1 |
|
|
131.108.255.0/24 |
|
.2 |
|
|
|
|
|
||||||
|
|
|
||||||||||||||
|
|
|
|
R1 |
|
|
|
|
|
R2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
Performs Firewall |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Function |
|
|
|
|
|
|
|
|
|
|
|
|
Example 8-1 configures the Router R1 to enable the Nagle algorithm defined in RFC 896.
Example 8-1 Enable Nagle
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
Cisco Connection Online defines the NAGLE algorithm (www.cisco.com/univercd/cc/td/doc/ product/software/ios100/rpcg/36053.htm):
The algorithm developed by John Nagle (RFC 896) helps alleviate the small-packet problem in TCP. In general, it works this way: The first character typed after connection establishment is sent in a single packet, but TCP holds any additional characters typed until the receiver acknowledges the previous packet. Then the second, larger packet is sent, and additional typed characters are saved until the acknowledgment comes back. The effect is to accumulate characters into larger chunks, and pace them out to the network at a rate matching the round-trip time of the given connection. This method is usually effective for all TCP-based traffic. However, do not use the service nagle command if you have X Remote users on X Window system sessions.
376 Chapter 8: Network Security Policies, Vulnerabilities, and Protection
Enabling this algorithm along with the service tcp keepalive command ensures that no TCP connections on any router get hung.
NOTE To generate keepalive packets on idle incoming network connections (initiated by the remote host), use the service tcp-keepalives-in global configuration command.
To generate keepalive packets on idle outgoing network connections (initiated by a user), use the service tcp-keepalives-out global configuration command.
Example 8-2 configures R1 to disable (on by default) TCP/UDP small servers.
Example 8-2 Disable TCP/UDP Small Servers
no service udp-small-servers no service tcp-small-servers
|
By default, the TCP servers for Echo, Discard, Chargen, and Daytime services are disabled. |
|
When the minor TCP/IP servers are disabled, access to the Echo, Discard, Chargen, and |
|
Daytime ports causes the Cisco IOS Software to send a TCP Reset packet to the sender and |
|
discard the original incoming packet. When the commands in Example 8-2 are entered, they do |
|
not display when you view the configuration because the default is to disable TCP/UDP servers. |
|
|
NOTE |
When a Cisco IOS router is configured to disable the UDP small servers’ access to Echo, |
|
Discard and Chargen ports enable the router to send ICMP port unreachable messages to the |
|
source device, and the incoming packet is discarded. It is up to the source station to act on the |
|
unreachable ICMP messages. In other words, if this is from an unauthorized host, you will be |
|
sending information to the same device. |
|
|
Example 8-3 configures R1 to encrypt all passwords configured on a Cisco router.
Example 8-3 Encrypting All Passwords
service password-encryption
enable secret 5 $1$CNqo$C4bT4/zR.iJF0YEpqMhPF/ enable password 7 13061E010803
Protecting Cisco IOS from Intrusion 379
Example 8-9 TCP Intercept
ip tcp intercept list 100
ip tcp intercept connection-timeout 60 ip tcp intercept watch-timeout 10
ip tcp intercept one-minute low 1800 ip tcp intercept one-minute high 5000 access-list 100 permit ip any any
TCP intercept helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The router responds; if it is a valid connection, the devices are allowed to communicate.
The low and high identifies when TCP intercept should deactivate or activate (TCP aggressive mode).
In this case, the IOS command ip tcp intercept one-minute high 5000 defines the number of connection requests (5000) received in the minute before the IOS enters aggressive mode. The IOS command ip tcp intercept one-minute low 1800 defines the number of connection requests (1800) below which the software leaves aggressive mode.
Example 8-10 configures R1 to dump the router’s memory contents in case of a router crash.
Example 8-10 Allowing Core Dumps
ip ftp username rooter
ip ftp password $%*&^$$%&$
exception core-file secure-r01-core-dump exception protocol ftp
exception dump 3.3.3.3
It is important to be able to look at why a router crashed, especially a router that provides a security wall to the outside world. Core dumps can be given to Cisco personnel who can decipher the main reason the router crashed. The IOS command exception core-file secure-r01-core-dump sets the filename generated when the router actually crashes. The IOS command exception protocol ftp defines the protocol used to send the memory dump. The IOS command exception dump 3.3.3.3 defines the remote host where the file will be copied; in this case, the file will be copied via FTP to remote host 3.3.3.3. Cisco Systems TAC engineers will use the memory dump to try and decipher why the router crashed.
Example 8-11 shows R1 configured for some common parameters for packets sent to unknown destinations and networks that do not exist.
380 Chapter 8: Network Security Policies, Vulnerabilities, and Protection
Example 8-11 IP Unreachables and Routes to Null0
interface loopback0
ip address 3.3.3.3 255.255.255.255 no ip redirects
no ip unreachables interface null0
no ip unreachables
ip route 131.0.0.0 255.0.0.0 null0
The IOS command no ip redirects disables the Cisco router from sending ICMP redirect messages to a device’s source from the same interface.
The IOS command no ip unreachables disables the router from sending ICMP unreachables for packets it is not configured for. The ip route command ensures that packets received for the network 131.0.0.0/8 are thrown away and not acted on. This can stop a routing loop and an intruder trying to spoof (pretending) to belong to network 131.0.0.0/8.
Loopback interfaces are the source of log messages. Loopbacks are often used for routing protocols, as well, because a logical interface does not go down and is reliable. Assign an IP address that uniquely identifies this router. Then, configure and activate the null0 interface as a place to send unknown destination packets. This becomes the trap for packets; they can route in but they can’t route out in case an intruder is spoofing networks from valid IP networks.
The configurations shown in Examples 8-1 through 8-11 are just some of the techniques you can use to ensure vulnerable routers are secure. Just imagine all the routers in the Internet that do not contain this level of security, and you will be aware of the challenges faced in the day- to-day running of the WWW and reasons why organizations like CERT/CC are an invaluable resource.
For more details on security configurations visit www.cisco.com/warp/public/707/index.shtml.