Cisco IOS methods:
Threat Management
Attack types
- Network reconnaissance
- Denial of Service (DOS)
- IP spoofing
- DHCP snooping
- DNS spoofing
- Session hijacking
- MAC Spoofing
- ARP snooping
- Fragment attack
- TCP syn attack
Attack Mitigations
- Traffic characterization
- Packet classification
- Marking Techniques
- Identifying Attack Patterns
- Understanding Attack vectors
- Common Protocol and Port numbers
Cisco IOS Mitigations Tools
- Cisco IOS firewalling (CBAC and ZFW) and Cisco IPS are well-known security features
- Other features available to identify and protect against attacks:
: Flexible packet matching (FPM)
: network-based application recognition (NBAR)
: Netflow
FPM :
- performs stateless deep packet inspection providing more granular control than ACLs
- supports IPv4 and IPv6
- Specify custom pattern matching deep within the packet header or payload to block viruses, worms, and attacks while minimizing inadvertent filtering of legitimate network traffic
- with ACLs, legitimate traffic could be blocked
eg stopping Slammer with ACLs meant blocking port 1434, denying business transactions involving Microsoft SQL
- FPM delivers flexible, granular L2-7 matching at any offset within the packet.
eg port 1434 + packet length 404B + specific pattern within payload -> Slammer
FPM is stateless; it cannot keep track of traffic flow through the configured interface eg port numbers
FPM cannot classify packets with IP options
FPM is not supported on tunnel or multiprotocol label switching (MPLS) interfaces
Non-initial fragments will not be matched by FPM
Config :
class-map
policy-map
service-policy
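The Slammer case above as a complete FPM configuration, added here as an illustration and not taken from the original notes. The PHDF paths, the interface name and the payload offset/pattern (from the commonly published Slammer signature) are assumptions; the three match statements are the page's port + length + payload criteria.

```cisco
! Load the protocol header definition files so FPM knows the IP and UDP field layout
load protocol system:fpm/phdf/ip.phdf
load protocol system:fpm/phdf/udp.phdf
!
! Stack class: narrow inspection to UDP-over-IP packets
class-map type stack match-all ip-udp
 description match UDP over IP packets
 match field ip protocol eq 0x11 next udp
!
! Access-control class: all three criteria must match
! 0x59A = UDP port 1434, 0x194 = IP total length 404
! payload offset/value are assumed from the published Slammer signature
class-map type access-control match-all slammer
 description match Slammer packets
 match field udp dest-port eq 0x59A
 match field ip length eq 0x194
 match start l3-start offset 224 size 4 eq 0x4011010
!
! Inner policy: drop only packets classified as slammer
policy-map type access-control fpm-udp-policy
 class slammer
  drop
!
! Outer policy: hand UDP packets to the inner policy; other traffic is untouched
policy-map type access-control fpm-policy
 class ip-udp
  service-policy fpm-udp-policy
!
! Apply inbound; remember non-initial fragments and IP-option packets are not inspected
interface GigabitEthernet0/1
 service-policy type access-control input fpm-policy
```

Legitimate SQL Server traffic on port 1434 that does not carry the length and payload pattern is forwarded, which is the granularity an ACL on the port alone cannot give.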
NBAR :
used for classifying traffic
- Classification of applications that dynamically assign TCP/UDP port numbers
- Classification of http traffic by URL, HOST, or Multipurpose Internet Mail Extension (MIME) type
- Classification of application traffic using sub-port information
- can support customized applications
- Protocol discovery via packet description language modules (PDLMs) eg P2P
- Use the classification in conjunction with CAR or traffic policing
- NBAR doesn’t support
: non-ip traffic
: MPLS label packets
: fragmented packets
: pipelined persistent http requests
: URL/host/MIME classification with secure http
: asymmetric flows with stateful protocols
Config eg:
1. Identify the criteria of interest
2. eg all SCEP requests to the CA server must be tracked; verify the class counters with
show policy-map int e0/0
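The SCEP tracking example above written out as an NBAR classification, added here and not part of the original notes. The CA address 192.0.2.10 and the interface are assumptions; matching on pkiclient.exe in the URL relies on SCEP being carried over HTTP with that request path.

```cisco
! Optional: per-protocol statistics on the client-facing interface
interface Ethernet0/0
 ip nbar protocol-discovery
!
! Restrict the class to traffic towards the (assumed) CA server
ip access-list extended TO-CA
 permit tcp any host 192.0.2.10 eq www
!
! NBAR sub-port classification: HTTP requests whose URL contains the SCEP handler
class-map match-all SCEP-TO-CA
 match access-group name TO-CA
 match protocol http url "*pkiclient.exe*"
!
! No action in the class: the policy only counts what matched
policy-map TRACK-SCEP
 class SCEP-TO-CA
!
interface Ethernet0/0
 service-policy input TRACK-SCEP
!
! Per-class packet and byte counters are then visible with:
! show policy-map interface Ethernet0/0
```

Because NBAR cannot look inside secure HTTP, this only works while SCEP runs over plain HTTP; an HTTPS-fronted CA would have to be tracked by the access-group alone.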
Netflow :
- Provides network administrators with “packet flow” information
- Allows for
: Traffic flow analysis
: Security monitoring
: Anomaly detection
Enable on an interface via # ip flow ingress
tuned by MQC to identify interesting traffic
ip flow global commands customize output (vlan-id, mac-address)
customize displays: ip flow-top-talkers
Netflow helps mitigate attacks
Netflow helps classify the attack
Can be used for anomaly detection
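A minimal NetFlow setup for security monitoring, added here as an example and not from the original notes. The interface, collector address 192.0.2.50 and port 2055 are assumptions.

```cisco
! Collect flows on the edge interface as they enter the router
interface GigabitEthernet0/0
 ip flow ingress
!
! Export v9 records to an assumed collector for off-box analysis
ip flow-export version 9
ip flow-export destination 192.0.2.50 2055
!
! Age active flows after 1 minute so an attack shows in the cache quickly
ip flow-cache timeout active 1
!
! On-box view of the ten heaviest flows, sorted by packet count
ip flow-top-talkers
 top 10
 sort-by packets
!
! Inspect on the router itself:
! show ip flow top-talkers
! show ip cache flow
```

A SYN flood typically appears as a large number of one-packet TCP flows from spoofed sources to one destination port, which is the kind of anomaly the top-talkers view surfaces before the collector does.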
Understanding Logical Planes:
Traffic to the control and management plane is always destined to the device. “Receive Packets” and “Exception Packets”
Traffic in the data plane is always destined through the device. “Transit packets”.
Control Plane Policing CoPP:
Police and apply actions to inbound traffic types.
protecting bandwidth for essential operations
Control Plane Protection CPPr.
Finer granularity for policing inbound control plane traffic, providing the ability to rate limit each subinterface (host, transit, and CEF-exception) individually
Ability to limit protocol queue usage, eg limit eBGP on CEF-exception
Filter on closed or non-listening TCP/UDP ports on a Cisco IOS device.
Control Plane Security :
Disable unused control plane services globally
- no service dhcp
ICMP techniques applied on interfaces that limit the need for ICMP messages
- no icmp redirects, no icmp unreachables
Selective packet discard - ip options, fragments
ip options drop
deny ip any any option traceroute
MD5 authentication
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
BGP techniques - max prefixes, ttl-security
neighbor ttl-security hops 2
neighbor maximum-prefix 10 65 restart 5
OSPF ttl-security
ip ospf ttl-security hops 254
Route filtering and passive interfaces
Infrastructure ACL’s
Selective Packet discard IPv6 - prioritize routing packets (precedence 7)
ipv6 spd queue max-threshold 60000
OSPFv3 IPv6
ipv6 router ospf 21
area 0 encryption ipsec
Management Plane Security Goals:
limit threat potential by restricting device access
Authorize and monitor access activities
Only allow access from trusted sources
Understanding what the device is doing and apply the best methods
- management plane specific security features
- protocol and best practices features.
Management Plane Protection (MPP)
control-plane host
management-interface g0/1 allow
http telnet
Password security
-SNMP security
-Remote terminal access security
-Disable idle user sessions
-Infrastructure ACLs
-Role-based CLI access
-AAA
Data Plane Security Goals:
Prevent punting “transit” packets to the RP as they require some additional processing
Prevent forwarding unnecessary traffic, protect bandwidth and other devices
Discard unknowns as soon as possible
Drop all or selective drop IP options
Disable redirects, source routing directed broadcasts
- eg prevent SMURF attacks
Implement ICMP packet filtering (IPv4 vs IPv6)
- ICMPv4 : reduce activities requiring the RP
- ICMPv6 : Neighbor Discovery Protocol is a MUST
SeND
Unicast RPF
- strict and loose modes
TTL expiry control
- ttl expired in transit messages
Device management:
AAA for Device Security
- Local or remote (via AAA server)
-TACACS+ is the protocol of choice for device management
allows for granular command control
per user access levels
- Audit is important to track configuration changes
- Console and line access can be controlled
- Role-based access control (RBAC) methods allow support for users grouped by requirements
Admins versus Help Desk
RBAC requires that each role is represented by a group; users are created and become group members, allowing for individual audit trails and group policy application
AAA and login on router lines
By default, console and vty lines have no authentication or password
line vty 0 4
password cisco
login
When logging in it will ask for a password;
if no password is set
you will get the message “password required, but none set”
If no login is set, the line is open
If login local is set, a locally defined username/password is required.
Using aaa new-model
R1# aaa new-model
No authentication is required at console but a local username and password is required for VTY
Default Method :
R1# aaa authentication login default local
The default method for authentication is applied to all lines, console and vty
Now vty and console both require username and password.
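The line-authentication behaviour above as a working AAA configuration, added here as an example and not from the original notes. It shows the default method list catching the console and a named list giving the console its own treatment; the username and secret are assumed placeholders.

```cisco
! Enable AAA: the line-level "password"/"login" commands are no longer used
aaa new-model
!
! Assumed local account; "secret" stores a hash, not the clear-text password
username netadmin privilege 15 secret ChangeMe-Example
!
! Default method list: local database. Applies to every line, console included
aaa authentication login default local
!
! Named list for the console only: no prompt, matching "no authentication at console" above
! Appropriate only where the console port is physically protected
aaa authentication login CONSOLE none
!
line console 0
 login authentication CONSOLE
 exec-timeout 5 0
!
! VTY lines use the default list explicitly and accept SSH only
line vty 0 4
 login authentication default
 transport input ssh
 exec-timeout 10 0
!
! Record configuration changes to syslog for audit
archive
 log config
  logging enable
  notify syslog
```

Remove the CONSOLE list and the console falls back to the default method, which is the "both require username and password" state described above.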
FlexVPN:
IKEv2-based unified VPN that consolidates site-to-site, remote access, hub-and-spoke and spoke-to-spoke topologies
FlexVPN highlights
- common CLI: ikev2, ipsec-profiles
- Common infrastructure : leverages IOS p2p VTIs
- Support for dynamic routing for all deployments, or static via route set
- DoS protection with anti-clogging cookie
- Simplified config using smart defaults
- IKEv2 standards-compliant and consolidates IKEv1 and extensions
IKEv2 Exchanges
IKE_SA_INIT (2 messages) -> IKE_SA authentication parameters negotiated
IKE_AUTH (incl. CREATE_CHILD_SA) (2 msg) -> IKE authentication occurs and one CHILD_SA created
CREATE_CHILD_SA (2 msg)
A ———————protected data ———————B
No AUTH payload in IKE_AUTH(i) indicates EAP is used (additional IKE_AUTH exchanges)
Wireless authentication method:
WLC supports multiple dynamic interfaces -> WLANs -> SSIDs
AP receives an IP address from pool and discovers WLC addr from DHCP option 43
Once the AP knows the WLC, it will be provisioned and managed by the WLC using CAPWAP: UDP (control channel) and 5247 (data channel). This can be encrypted using DTLS
AP may be subject to TrustSec auth method.
A client connects to the AP using the SSID
SSID mapped to dynamic int
WLAN profile applies security policy
Client IP addresses issued from DHCP server via wired interface
Security for WLANs can be done at layer 2 (WPA/WPA2) and layer 3
Port-security keyword provides an additional level of security as it will prevent a device from sending traffic on a switchport (apart from DHCP) until it receives an IP address from DHCP
To allow Telnet or SSH access, you need to specify the incoming source IP address or network
telnet 10.11.11.0 255.255.255.0 inside
ssh 10.11.11.15 255.255.255.255 inside
5-tuple on ASA:
source ip address/port
destination ip address/port
protocol in use
Cisco ASA packet flow :
1. Check ACL. If a connection already exists the ACL is bypassed.
2. Check for NAT table if applicable.
3. Route lookup
4. Mac L2 resolution
null is null device
IPS # show interfaces brief