Introduction to Cisco IOS Security
As the number of security threats continues to grow and the level of required sophistication
for an attacker continues to decline, strategically securing today’s production networks
is a necessity. Adding security features to a network, however, can make
troubleshooting that network more difficult.
For example, in addition to troubleshooting basic Layer 2 and Layer 3 connectivity, you
also need to check such things as firewall, intrusion prevention system (IPS), and virtual
private network (VPN) configurations. Also, a network’s security policy might limit what
you as a troubleshooter are allowed to do while troubleshooting. For example, you might
not be allowed to remove certain access control lists (ACL), even though removing them
might simplify your troubleshooting efforts.
This section focuses on securing the different planes of operation on routers and switches.
Following are these three planes of operation:
■ Management plane: The management plane of operation is used to manage a
router or a switch. This management involves, for example, accessing and configuring
a device.
■ Control plane: The control plane of operation encompasses protocols used between
routers and switches. These protocols include, for example, routing protocols and
Spanning Tree Protocol (STP).
■ Data plane: The data plane is the plane of operation in charge of forwarding data
through a router or switch.
The sections that follow also provide you with tips for troubleshooting network security
issues.
Securing the Management Plane
When you connect to a router or a switch for management purposes (for example, to
make a configuration change), you are accessing the management plane. As shown in
Figure 9-1, the data plane can be accessed in several ways, and from a security perspective,
each of these access methods should be secured.
Modes of Access
The methods of accessing the data plane illustrated in Figure 9-1 allow three primary
modes of access, as described in the list that follows:
270 CCNP TSHOOT 642-832 Official Certification Guide
Chapter 9: Security Troubleshooting 271
[Figure 9-1 Methods of Accessing the Data Plane: a device’s Management Plane, Control Plane, and Data Plane, with the access methods Console Access, Telnet Access, Secure Shell (SSH) Access, HTTP Access, HTTPS Access, and SNMP Access]
■ Command-line interface (CLI) access: A router or switch’s CLI can be accessed via
a serial connection, known as a console connection. This connection enables an administrator
to directly connect into the managed device. Although a console connection
can be password protected, physical security is also a requirement. For example, if
attackers gained physical access to a router or switch, they could connect to the console
connection and perform a password recovery procedure, thus granting them access.
To prevent a potentially malicious user from performing password recovery on a device,
some platforms support the disabling of the password recovery service. The
global configuration mode command to disable the password recovery service is no
service password-recovery.
The ability to disable password recovery, however, does not provide complete protection
from an attacker. For example, although attackers that gained physical access to a
device would not be able to recover the password of the device, they could wipe out
the configuration. Also, if they had gained sufficient information about the network,
its protocols, and addressing schemes, they could conceivably recreate a working
configuration. They could then add to that working configuration a backdoor for
them to gain access to the device and potentially monitor, intercept, or alter traffic
flowing through that device. Therefore, physical security remains a critical aspect of
overall network security.
CLI access can also be gained over a network connection using protocols such as Telnet
and Secure Shell (SSH). Telnet is not considered secure, because its packets are
sent in clear text. Conversely, SSH encrypts its traffic, preventing an eavesdropper
from interpreting any intercepted traffic.
■ Web access: Many network devices can be monitored and configured via a web-based
interface (for example, the Cisco Configuration Professional [CCP] or Cisco Security
Device Manager [SDM] applications). Although either HTTP or HTTPS can be
used to access these web-based administrative interfaces, HTTPS is more secure. For
example, if an attacker were to intercept HTTP traffic between an administrator’s
workstation and a managed router, the attacker might be able to interpret configurations
being performed on the router. If HTTPS were used instead, an attacker would
not be able to interpret any intercepted configuration information, because HTTPS
encrypts its transmissions.
■ SNMP access: As discussed in Chapter 3, “The Maintenance and Troubleshooting
Toolbox,” Simple Network Management Protocol (SNMP) is commonly used to monitor
network devices. Devices enabled to support SNMP can be configured to support
read-only access or read-write access. SNMP versions 1 and 2c use community strings
that must match between the monitoring device and the managed device. SNMP version
3, however, offers enhanced security through encryption and authentication.
Protecting Management Plane Access
Other than the previously mentioned requirement for physical security, network security
can be used to limit access to a device’s management plane over a network connection. For
example, ACLs can be created to permit only specific protocols (such as SSH as opposed
to Telnet and HTTPS as opposed to HTTP) coming from specific sources (for example, the
IP addresses of administrators) to access a device’s management plane.
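As an added example of the ACL-based restriction just described (this is not code from the certification guide or from Cisco; the administrators' subnet 10.1.1.0/24, the port table and the connection attempts are constructed), the following Python model evaluates management connection attempts the way an IOS ACL does: entries are tested top to bottom, the first match wins, and anything unmatched hits the implicit deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Standard TCP ports of the management protocols discussed above.
PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    source: str            # source prefix in CIDR notation
    port: Optional[int]    # destination TCP port, or None for any port


# Constructed policy: only SSH and HTTPS, and only from the administrators'
# subnet (10.1.1.0/24 is an assumed value). Telnet and HTTP are never listed,
# so they fall through to the implicit deny at the end of the list.
MGMT_ACL = [
    Entry("permit", "10.1.1.0/24", PORTS["ssh"]),
    Entry("permit", "10.1.1.0/24", PORTS["https"]),
]


def evaluate(acl, src_ip, proto):
    """Return 'permit' or 'deny' for one management connection attempt.
    Entries are tested top to bottom and the first match wins, as in an IOS ACL."""
    src = ipaddress.ip_address(src_ip)
    dport = PORTS[proto]
    for entry in acl:
        if src in ipaddress.ip_network(entry.source) and entry.port in (None, dport):
            return entry.action
    return "deny"   # implicit deny at the end of every IOS ACL


def audit(acl, attempts):
    """Evaluate (source, protocol) attempts; returns (source, protocol, verdict) triples."""
    return [(src, proto, evaluate(acl, src, proto)) for src, proto in attempts]


# Constructed attempts: an administrator using SSH and HTTPS, the same
# administrator trying Telnet, and a host outside the admin subnet trying SSH.
ATTEMPTS = [
    ("10.1.1.5", "ssh"),
    ("10.1.1.5", "https"),
    ("10.1.1.5", "telnet"),
    ("192.0.2.7", "ssh"),
]

if __name__ == "__main__":
    for src, proto, verdict in audit(MGMT_ACL, ATTEMPTS):
        print(f"{src:>12}  {proto:<6} -> {verdict}")
```

On a Cisco IOS device the equivalent policy is applied to the VTY lines with an access-class and by restricting the transport input to SSH, so that the protocol restriction and the source restriction are enforced together.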
Once a connection is made with the device to be managed, the connecting user should
then be authenticated. Cisco devices support authentication via a single password, or via a
username and password combination. If you choose to use usernames and passwords,
those credentials could be locally configured on a device. However, for scalability, you
might want to have those credentials stored centrally on a server (for example, a Remote
Authentication Dial In User Service [RADIUS] or Terminal Access Controller Access-Control
System Plus [TACACS+] server). By centrally locating a common user database accessible
by multiple network devices, you eliminate the need to maintain a separate user
database on each network device.
From a troubleshooting perspective, you should understand how to access a device. For
example, a device might be accessible via SSH with username and password credentials.
Also, you might need physical access to a device. If so, you should understand how you
can be granted physical access of that secured device.
Securing the Control Plane
Control plane protocols include routing protocols (for example, Enhanced Interior Gateway
Routing Protocol [EIGRP], Open Shortest Path First [OSPF], and Border Gateway
Protocol [BGP]), STP, and Address Resolution Protocol (ARP). These protocols often create
data structures that are used directly or indirectly for packet-forwarding decisions by a
device. Therefore, such protocols should be secured. Additionally, the control plane itself
should be protected from a denial-of-service (DoS) attack, where all of a control plane’s resources
are consumed by malicious traffic.
Securing Routing Protocols
Although routing protocols can differ in their implementation of authentication methods,
most enterprise routing protocols support some sort of authentication. This authentication
allows adjacent routers to authenticate one another, thereby preventing an attacker
from inserting a rogue router into a network, in an attempt to influence routing decisions.
Similar authentication methods are available for router redundancy protocols (that is, Hot
Standby Routing Protocol [HSRP], Virtual Router Redundancy Protocol [VRRP], and
Gateway Load Balancing Protocol [GLBP]).
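Added example, not from the book or from any routing protocol implementation: a simplified Python model of what neighbor authentication buys you. Routers that share a key attach a keyed hash and a sequence number to every update, so a rogue router that does not hold the key, a tampered update, or a replayed old update is rejected before its routes are installed. Real protocols (OSPF, EIGRP) use their own packet formats and keyed MD5/SHA digests rather than HMAC-SHA256 over JSON; the key, router names and prefixes here are constructed.

```python
import hashlib
import hmac
import json

# Constructed shared key; in practice it is configured on every router of the adjacency.
SHARED_KEY = b"example-routing-key"


def sign_update(update, key, seq):
    """Attach a sequence number and an HMAC-SHA256 tag to a routing update (a dict)."""
    body = dict(update, seq=seq)
    msg = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return dict(body, tag=tag)


def verify_update(signed, key, last_seq):
    """True only if the tag verifies under `key` and the sequence number advances."""
    body = {k: v for k, v in signed.items() if k != "tag"}
    msg = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        return False            # wrong key or modified contents
    return body["seq"] > last_seq   # reject replays of older updates


class Router:
    def __init__(self, key):
        self.key = key
        self.last_seq = {}      # neighbor -> highest accepted sequence number
        self.routes = {}        # prefix -> next hop description

    def receive(self, neighbor, signed):
        """Install routes only from authenticated, fresh updates."""
        if not verify_update(signed, self.key, self.last_seq.get(neighbor, -1)):
            return False
        self.last_seq[neighbor] = signed["seq"]
        self.routes.update(signed["routes"])
        return True


def demo():
    """Legitimate update, rogue update with a guessed key, then a replay of the first."""
    r1 = Router(SHARED_KEY)
    legit = sign_update({"routes": {"10.2.0.0/16": "via R2"}}, SHARED_KEY, seq=1)
    rogue = sign_update({"routes": {"0.0.0.0/0": "via rogue"}}, b"guessed-key", seq=2)
    return (r1.receive("R2", legit), r1.receive("R2", rogue),
            r1.receive("R2", legit), dict(r1.routes))


if __name__ == "__main__":
    print(demo())
```

The sequence number matters as much as the tag: without it, an attacker who captured a validly signed update could replay it later to reinstate a stale route.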
[Figure 9-2 Converged STP Topology: SW1, SW2, and SW3, with SW3 as the root bridge; PC1, PC2, PC3, and Server1 attached to the switches; F = Forwarding Port, B = Blocking Port]
Securing STP
Chapter 4, “Basic Cisco Catalyst Switch Troubleshooting,” discussed how STP could be
used to add redundancy to a network, while preventing problems which could stem from
Layer 2 topological loops. STP achieves this loop-free topology by electing one switch as
the root bridge. The network administrator can influence which switch becomes the root
bridge through the manipulation of a switch’s bridge priority, where the switch with the
lowest bridge priority becomes the root bridge. Every other switch in the network designates
a root port, which is the port on the switch that is closest to the root bridge, in
terms of cost. The bridge priorities of switches are learned through the exchange of
Bridge Protocol Data Units (BPDU). After the election of a root bridge, all the switch
ports in the topology are either in the blocking state (where user data is not forwarded) or
in the forwarding state (where user data is forwarded).
If the root bridge fails, the STP topology will reconverge by electing a new root bridge. If
an attacker has access to two switch ports (each from a different switch), they might be
able to introduce a rogue switch into the network. The rogue switch can then be configured
with a lower bridge priority than the bridge priority of the root bridge. After the
rogue switch announces its superior BPDUs, the STP topology reconverges, where all
traffic traveling from one switch to another switch now passes through the rogue switch,
thus allowing the attacker to capture that traffic.
As an example, consider the topology shown in Figure 9-2. Data traveling from PC1 to
Server1 passes through SW2 and SW3 (the root bridge).
Notice PC2 and PC3. If an attacker gains access to the switch ports of these two PCs, the
attacker could introduce a rogue switch that advertised superior BPDUs, causing the
rogue switch to be elected as the new root bridge. The new data path between PC1 and
Server1, as illustrated in Figure 9-3, now passes through the attacker’s rogue switch. The
attacker can configure one of the switch ports as a Switch Port Analyzer (SPAN) port. A
SPAN port can receive a copy of traffic crossing another port or VLAN. In this example,
the attacker could use the SPAN port to send a copy of traffic crossing the switch to the
attacker’s PC.
[Figure 9-3 Introduction of a Rogue Switch: SW1, SW2, SW3, and the rogue switch, which is now the root bridge; PC1, Server1, and the attacker’s PC; F = Forwarding Port, B = Blocking Port]
Consider two approaches for protecting a network from this type of STP attack:
■ Protecting with Root Guard: The Root Guard feature can be enabled on all switch
ports in the network off of which the root bridge should not appear (that is, every
port that is not a root port, the port on each switch that is considered to be closest to
the root bridge). If a port configured for Root Guard receives a superior BPDU, instead
of believing the BPDU, the port goes into a root-inconsistent state. While a
port is in the root-inconsistent state, no user data is sent across the port. However, after
the superior BPDUs stop, the port returns to the forwarding state.
■ Protecting with BPDU Guard: The BPDU Guard feature is enabled on ports configured
with Cisco’s PortFast feature. The PortFast feature is enabled on ports that
connect out to end-user devices, such as PCs, and it reduces the amount of time required
for the port to go into the forwarding state after being connected. The logic of
PortFast is that a port that connects to an end-user device does not have the potential
to create a topology loop. Therefore, the port can go active sooner by skipping
STP’s Listening and Learning states, which by default take 15 seconds each. Because
these PortFast ports are connected to end-user devices, these ports should never receive
a BPDU. Therefore, if a port enabled for BPDU Guard receives a BPDU, the port
is disabled.
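To make the two behaviors concrete, here is an added Python model (not the guide's or Cisco's code) of a switch port's reaction to an incoming BPDU under Root Guard and BPDU Guard. Bridge IDs are compared the way STP compares them (lower priority wins, MAC address as the tie-breaker); the bridge IDs and port names are constructed, and "err-disabled" names the disabled state the text describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeID:
    """Bridge ID as STP compares it: priority first, then MAC as tie-breaker; lower wins."""
    priority: int
    mac: str


@dataclass
class Port:
    name: str
    root_guard: bool = False
    bpdu_guard: bool = False      # only meaningful on PortFast (edge) ports
    state: str = "forwarding"


def superior(candidate: BridgeID, current_root: BridgeID) -> bool:
    """A BPDU is superior if it advertises a better (lower) root bridge ID."""
    return candidate < current_root


def receive_bpdu(port: Port, advertised_root: BridgeID, current_root: BridgeID) -> str:
    """Apply BPDU Guard / Root Guard to a BPDU arriving on `port`; return the new port state."""
    if port.state == "err-disabled":
        return port.state
    if port.bpdu_guard:
        port.state = "err-disabled"          # an edge port must never see any BPDU
    elif port.root_guard and superior(advertised_root, current_root):
        port.state = "root-inconsistent"     # refuse to accept a new root via this port
    return port.state


def bpdus_stopped(port: Port) -> str:
    """Root Guard recovers by itself once the superior BPDUs stop; BPDU Guard does not."""
    if port.state == "root-inconsistent":
        port.state = "forwarding"
    return port.state


def scenario():
    """Constructed case: a rogue switch with priority 4096 sends BPDUs to an uplink
    protected by Root Guard and to a PortFast access port protected by BPDU Guard."""
    current_root = BridgeID(32768, "0000.0000.0003")   # SW3, the legitimate root
    rogue = BridgeID(4096, "0000.0000.00ff")           # lower priority => superior
    uplink = Port("Gi0/1", root_guard=True)
    edge = Port("Fa0/10", bpdu_guard=True)
    states = [receive_bpdu(uplink, rogue, current_root),
              receive_bpdu(edge, rogue, current_root)]
    states += [bpdus_stopped(uplink), bpdus_stopped(edge)]
    return states


if __name__ == "__main__":
    print(scenario())
```

The asymmetry at the end is the point: a Root Guard port returns to forwarding on its own when the superior BPDUs stop, whereas a BPDU Guard port stays down until an administrator (or an errdisable recovery timer) re-enables it.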
Securing DHCP and ARP
On today’s networks, most clients obtain their IP address information dynamically, using
Dynamic Host Configuration Protocol (DHCP), rather than having their IP address information
statically configured. To dynamically obtain IP address information, a client (for
example, a PC) dynamically discovers a DHCP server via a broadcast and sends out a DHCP
request; the DHCP server sees the request; and a DHCP response (including such information
as an IP address, subnet mask, and default gateway) is sent to the requesting client.
[Figure 9-4 DHCP Server Spoofing: a client PC receives a DHCP response from the corporate DHCP server and another from the attacker’s rogue DHCP server]
However, if an attacker connects a rogue DHCP server to the network, the rogue DHCP
server can respond to a client’s DHCP discovery request. Even though both the rogue
DHCP server and the actual DHCP server respond to the request, the rogue DHCP server’s
response will be used by the client if it reaches the client before the response from the
actual DHCP server, as illustrated in Figure 9-4.
The DHCP response from an attacker’s DHCP server might assign the attacker’s IP address
as the client’s default gateway. As a result, the client sends traffic to the attacker’s IP address.
The attacker can then capture the traffic and then forward the traffic to an appropriate
default gateway. From the client’s perspective, everything is functioning correctly, so
this type of DHCP server spoofing attack can go undetected for a long period of time.
The DHCP snooping feature on Cisco Catalyst switches can be used to combat a DHCP
server spoofing attack. This option is off on most Catalyst switches by default. With this
solution, Cisco Catalyst switch ports are configured in either the trusted or untrusted
state. If a port is trusted, it is allowed to receive DHCP responses (for example, DHCPOFFER,
DHCPACK, or DHCPNAK). Conversely, if a port is untrusted, it is not allowed to receive
DHCP responses, and if a DHCP response does attempt to enter an untrusted port,
the port is disabled. Fortunately, not every switch port needs to be configured to support
DHCP snooping, because if a port is not explicitly configured as a trusted port, it is implicitly
considered to be an untrusted port.
Another type of DHCP attack is more of a DoS attack against the DHCP server. Specifically,
the attacker can repeatedly request IP address assignments from the DHCP server,
thus depleting the pool of addresses available from the DHCP server. The attacker can accomplish
this by making the DHCP requests appear to come from different MAC addresses.
To mitigate such a DoS attack, you can use the previously mentioned DHCP
snooping feature to limit the number of DHCP messages per second that are allowed on
an interface, thus preventing a flood of spoofed DHCP requests.
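The following added Python model (not from the guide or from Catalyst software) ties the DHCP snooping behaviors together: a server message arriving on an untrusted port disables that port, untrusted ports are rate limited per second so a starvation flood disables the offending port, and DHCPACK messages seen on trusted ports populate the binding table that DAI later consults. Port names, the limit of 5 packets per second and all traffic are constructed.

```python
from collections import defaultdict, deque


class DhcpSnooping:
    """Per-port DHCP snooping: trusted/untrusted ports, server-message filtering,
    per-second rate limiting on untrusted ports, and the DHCP binding table."""

    SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

    def __init__(self, trusted_ports, rate_limit):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit          # max DHCP packets/second on an untrusted port
        self.disabled = set()
        self.bindings = {}                    # leased IP -> client MAC
        self._window = defaultdict(deque)     # port -> timestamps within the last second

    def _over_rate(self, port, t):
        w = self._window[port]
        w.append(t)
        while w and t - w[0] >= 1.0:          # keep only the last second of arrivals
            w.popleft()
        return len(w) > self.rate_limit

    def packet(self, port, msg_type, client_mac, yiaddr=None, t=0.0):
        """Process one DHCP message; returns 'forward' or 'drop' and may disable the port.
        client_mac is the chaddr field; yiaddr is the address offered/assigned."""
        if port in self.disabled:
            return "drop"
        if port in self.trusted:
            if msg_type == "DHCPACK" and yiaddr:
                self.bindings[yiaddr] = client_mac   # lease committed: record binding
            return "forward"
        if msg_type in self.SERVER_MESSAGES:
            self.disabled.add(port)               # rogue DHCP server on an access port
            return "drop"
        if self._over_rate(port, t):
            self.disabled.add(port)               # address-starvation flood
            return "drop"
        return "forward"


def scenario():
    """Constructed traffic: a legitimate lease, a rogue server on an access port,
    and a flood of DHCPDISCOVERs from spoofed MAC addresses."""
    snoop = DhcpSnooping(trusted_ports={"Gi0/1"}, rate_limit=5)
    out = {}
    out["discover"] = snoop.packet("Fa0/2", "DHCPDISCOVER", "AAAA.AAAA.AAAA", t=0.0)
    out["ack"] = snoop.packet("Gi0/1", "DHCPACK", "AAAA.AAAA.AAAA",
                              yiaddr="192.168.0.2", t=0.1)
    out["rogue_offer"] = snoop.packet("Fa0/3", "DHCPOFFER", "BBBB.BBBB.BBBB",
                                      yiaddr="192.168.0.50", t=0.2)
    flood = [snoop.packet("Fa0/4", "DHCPDISCOVER", f"0000.0000.{i:04x}", t=0.3 + i * 0.01)
             for i in range(8)]
    out["flood_forwarded"] = flood.count("forward")
    out["disabled"] = sorted(snoop.disabled)
    out["bindings"] = dict(snoop.bindings)
    return out


if __name__ == "__main__":
    print(scenario())
```

In IOS the same three behaviors correspond to marking the uplink with ip dhcp snooping trust, leaving access ports untrusted, and applying ip dhcp snooping limit rate on them.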
[Figure 9-5 ARP Spoofing: Client PC with IP 192.168.0.2, MAC AAAA.AAAA.AAAA, default gateway 192.168.0.1; the gateway router with IP 192.168.0.1, MAC CCCC.CCCC.CCCC; the attacker’s PC with IP 192.168.0.3, MAC BBBB.BBBB.BBBB. The attacker sends a GARP to the client claiming “192.168.0.1 corresponds to BBBB.BBBB.BBBB” and a GARP to the router claiming “192.168.0.2 corresponds to BBBB.BBBB.BBBB”]
The DHCP snooping feature dynamically builds a DHCP binding table, which contains the
MAC addresses associated with specific IP addresses. This DHCP binding table can be
used by the Dynamic ARP Inspection (DAI) feature to help prevent Address Resolution
Protocol (ARP) spoofing attacks.
Recall the purpose of ARP requests. When a network device needs to determine the MAC
address that corresponds to an IP address, the device can send out an ARP request. The
target device replies to the requesting device with an ARP reply. The ARP reply contains
the requested MAC address.
Attackers can attempt to launch an attack by sending gratuitous ARP (GARP) replies.
These GARP messages can tell network devices that the attacker’s MAC address corresponds
to specific IP addresses. For example, the attacker might be able to convince a PC
that the attacker’s MAC address is the MAC address of the PC’s default gateway. As a result,
the PC starts sending traffic to the attacker. The attacker captures the traffic and then
forwards the traffic on to the appropriate default gateway.
To illustrate, consider Figure 9-5. PC1 is configured with a default gateway of 192.168.0.1.
However, the attacker sent GARP messages to PC1, telling PC1 that the MAC address corresponding
to 192.168.0.1 is BBBB.BBBB.BBBB, which is the attacker’s MAC address. Similarly,
the attacker sent GARP messages to the default gateway, claiming that the MAC
address corresponding to PC1’s IP address of 192.168.0.2 was BBBB.BBBB.BBBB. This
ARP cache poisoning causes PC1 and Router1 to exchange traffic via the attacker’s PC.
Therefore, this type of ARP spoofing attack is considered to be a man-in-the-middle
attack.
Networks can be protected from ARP spoofing attacks using the DAI feature. DAI works
similarly to DHCP snooping by using trusted and untrusted ports. ARP replies are allowed
into the switch on trusted ports. However, if an ARP reply enters the switch on an
untrusted port, the contents of the ARP reply are compared against the DHCP binding
table to verify its accuracy. If the ARP reply is not consistent with the DHCP binding
table, the ARP reply is dropped, and the port is disabled.
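Applying DAI to the Figure 9-5 addresses, as an added Python example that is not the guide's or Cisco's code: the DHCP binding table holds PC1's lease (192.168.0.2 is AAAA.AAAA.AAAA), the uplink toward the router is the trusted port Gi0/1, and the attacker's GARP messages arrive on the untrusted access port Fa0/3. Port names are constructed, and treating an IP that has no binding at all as inconsistent is a simplification of this model.

```python
class DynamicArpInspection:
    """ARP replies on trusted ports pass; on untrusted ports the sender IP/MAC pair
    must match the DHCP snooping binding table, otherwise the reply is dropped and
    the port is disabled."""

    def __init__(self, trusted_ports, bindings):
        self.trusted = set(trusted_ports)
        self.bindings = {ip: mac.upper() for ip, mac in bindings.items()}
        self.disabled = set()

    def inspect(self, port, sender_ip, sender_mac):
        """Check one ARP reply (or gratuitous ARP); returns 'forward' or 'drop'."""
        if port in self.disabled:
            return "drop"
        if port in self.trusted:
            return "forward"
        # Untrusted port: the claimed (IP, MAC) pair must match a binding.
        # Simplification: an IP with no binding at all is also treated as inconsistent.
        if self.bindings.get(sender_ip) == sender_mac.upper():
            return "forward"
        self.disabled.add(port)
        return "drop"


def figure_9_5():
    """Constructed replay of the Figure 9-5 exchange through a DAI-enabled switch."""
    dai = DynamicArpInspection(
        trusted_ports={"Gi0/1"},                       # uplink to the router
        bindings={"192.168.0.2": "AAAA.AAAA.AAAA"},    # PC1's lease from DHCP snooping
    )
    return {
        # PC1 answering an ARP request for its own address: consistent, forwarded
        "pc1_reply": dai.inspect("Fa0/2", "192.168.0.2", "AAAA.AAAA.AAAA"),
        # the router's own reply arrives on the trusted uplink: not inspected
        "router_reply": dai.inspect("Gi0/1", "192.168.0.1", "CCCC.CCCC.CCCC"),
        # attacker's GARP claiming the gateway address: no matching binding, dropped
        "garp_gateway": dai.inspect("Fa0/3", "192.168.0.1", "BBBB.BBBB.BBBB"),
        # attacker's GARP claiming PC1's address with the wrong MAC: port already disabled
        "garp_pc1": dai.inspect("Fa0/3", "192.168.0.2", "BBBB.BBBB.BBBB"),
        "disabled": sorted(dai.disabled),
    }


if __name__ == "__main__":
    for k, v in figure_9_5().items():
        print(f"{k:>14}: {v}")
```

Because the router's address is statically configured and never appears in the binding table, a real deployment that needs to accept ARP for such hosts on untrusted ports either marks the relevant port trusted (as done for the uplink here) or adds a static entry; the model above does the former.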
Securing Against a DoS Attack
Rather than intercepting or manipulating traffic, an attacker’s goal might be to make a network
device unusable. For example, an attacker might launch a DoS attack against a
router’s control plane.
To protect against flooding of a router’s control plane, you could configure Cisco’s control
plane policing (CoPP) or control plane protection (CPP) feature. Although both features
can limit specific traffic types entering the control plane, CPP offers finer control of the
policing action.
Table 9-2 summarizes the previously discussed mitigations for control plane threats.
Table 9-2 Mitigations for Control Plane Threats
Target                     Mitigations
Routing protocols          Authentication of routing protocols
STP                        Root Guard
                           BPDU Guard
DHCP and ARP               DHCP Snooping
                           Dynamic ARP Inspection (DAI)
Control Plane Resources    Control Plane Policing (CoPP)
                           Control Plane Protection (CPP)
Securing the Data Plane
Protecting the management and control planes focuses on protecting a network device
(for example, a router or a switch). Protecting the data plane, however, focuses on protecting
the actual data flowing through a network and protecting other devices (for example,
hosts) on the network.
ACLs (or VLAN access maps on Cisco Catalyst switches) offer a fundamental approach to
restricting traffic allowed on a network. For example, an ACL can permit or deny traffic
based on source and destination IP address and port number information, in addition to
time-of-day restrictions.
Although some networks have a firewall appliance, such as the Cisco Adaptive Security
Appliance (ASA), a Cisco IOS router can also perform firewalling features, as shown in
Figure 9-6. In the diagram, the Cisco IOS firewall allows Telnet traffic into the campus
network from a host on the Internet, if the Telnet session originated from the campus network.
If a user on the Internet attempted to establish a Telnet connection with a host inside
the campus network, however, the Cisco IOS firewall would block the inbound Telnet
traffic.
[Figure 9-6 Cisco IOS Firewall: a Cisco IOS firewall between the campus network and the Internet; Telnet sessions that originate in the campus network are permitted, and Telnet initiated from the Internet is blocked]
Similar to firewalling, intrusion prevention can be accomplished via a dedicated intrusion
prevention system (IPS) appliance or through the Cisco IOS IPS feature. Figure 9-7 shows
a Cisco IOS router configured with the IPS feature. The router is configured with a database
of signatures that can recognize a collection of well-known attacks. Therefore, while
non-malicious HTTP traffic is allowed to pass through the router, malicious traffic (for example,
a SYN flood attack) is not permitted through the router.
[Figure 9-7 Cisco IOS IPS Feature: an IPS-enabled router between the campus network and the Internet passes HTTP traffic and stops a SYN flood attack]
If unencrypted traffic flowing over an unprotected network is intercepted by an attacker,
that attacker might be able to glean valuable information (for example, login credentials or
account codes) from the intercepted traffic. This type of attack is known as a man-in-the-middle
attack. Figure 9-8 illustrates an example of such an attack.
[Figure 9-8 Man-in-the-Middle Attack: traffic from the Originator (SW1) passes through a Hub to the Destination (R1), and an Attacker on that path can read it]
[Figure 9-9 Securing Traffic with a VPN: the same Originator (SW1), Hub, and Destination (R1), now with an IPsec Tunnel between SW1 and R1; the Attacker sees only unreadable packets (“? ?”)]
To prevent a man-in-the-middle attack, a secure virtual private network (VPN) tunnel can
be constructed between the originator and destination, as illustrated in Figure 9-9. Because
the traffic traveling over the logical VPN tunnel can be encrypted, a man-in-the-middle
attacker would not be able to interpret any packets they intercepted. Although
multiple VPN protocols exist, IPsec is one of the most popular approaches used to
protect traffic flowing over a VPN tunnel.
As a few other examples of how a Cisco IOS router can protect network traffic and other
network devices, consider the Unicast Reverse Path Forwarding (uRPF) feature. This feature
allows a router to examine the source IP address of an incoming packet and, based on
the router’s IP routing table, determine how traffic would be routed back to that source address.
If the router notices that the traffic came in on an interface that is different than the
interface the router would use to send traffic back to that source IP address, the router can
drop the traffic. The rationale for the router dropping this traffic is that this behavior could
reflect an IP spoofing attack, where an attacker was impersonating a trusted IP address.
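As an added Python example (not from the guide or from IOS), the strict uRPF check described above: the router looks up the packet's source address with a longest-prefix match and passes the packet only if the best return path leaves through the interface the packet arrived on. The routing table and packets are constructed; treating the default route as a valid reverse path is a simplification of this model (IOS does not use the default route for uRPF unless explicitly configured to).

```python
import ipaddress

# Constructed routing table: prefix -> outgoing interface. Longest prefix match wins.
ROUTES = {
    "0.0.0.0/0": "Gi0/0",        # default route toward the Internet
    "10.0.0.0/8": "Gi0/1",       # internal campus summary
    "10.5.0.0/16": "Gi0/2",      # a more specific internal network
}


def lookup(routes, ip):
    """Interface the router would use to reach `ip` (longest prefix match), or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict(routes, ingress_iface, src_ip):
    """Strict uRPF: pass only if the return path to src_ip leaves via the ingress interface."""
    return lookup(routes, src_ip) == ingress_iface


def filter_packets(routes, packets):
    """Apply the check to (ingress interface, source IP) pairs; returns verdicts."""
    return [(iface, src, "pass" if urpf_strict(routes, iface, src) else "drop")
            for iface, src in packets]


# Constructed packets: the third carries an internal source address but arrives from
# the Internet, the classic spoofing pattern uRPF is meant to catch.
PACKETS = [
    ("Gi0/1", "10.1.2.3"),       # internal source on the internal interface
    ("Gi0/2", "10.5.7.7"),       # matches the more specific route
    ("Gi0/0", "10.5.7.7"),       # internal address from the Internet: spoofed
    ("Gi0/1", "10.5.7.7"),       # arrives on Gi0/1 but best path back is Gi0/2
    ("Gi0/0", "203.0.113.9"),    # Internet source reachable via the default route
]

if __name__ == "__main__":
    for iface, src, verdict in filter_packets(ROUTES, PACKETS):
        print(f"{iface:<6} {src:>14} -> {verdict}")
```

The fourth packet shows why strict mode needs symmetric routing: a legitimate host whose return path differs from its ingress interface (asymmetric paths, multihoming) is dropped too, which is why loose mode (any route to the source suffices) exists for such links.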
Routers can also play a role in granting users access to the network. For example, consider
the IEEE 802.1X technology, as depicted in Figure 9-10.
An 802.1X network requires a client to authenticate before communicating on the network.
Once the authentication occurs, a key is generated that is shared between the client
and the device to which it attaches (for example, a wireless LAN controller or a Layer 2
switch). The key is then used to encrypt traffic coming from and being sent to the client.
In the figure, you see the three primary components of an 802.1X network:
■ Supplicant: The supplicant is the device that wants to gain access to the network.
■ Authenticator: The authenticator forwards the supplicant’s authentication request
on to an authentication server. Once the authentication server has authenticated the
supplicant, the authenticator receives a key that is used to communicate securely during
a session with the supplicant.
■ Authentication Server: The authentication server (for example, a RADIUS server)
checks the supplicant’s credentials. If the credentials are acceptable, the authentication
server notifies the authenticator that the supplicant is allowed to communicate on
[Figure 9-10 Granting Network Access Using 802.1X: a Client (Supplicant) performs 802.1X authentication with a Wireless LAN Controller (Authenticator), which relays the request to an Authentication Server; key management and key distribution follow, after which the client’s data is secured]
An even more sophisticated approach to admission control is the Network Admission
Control (NAC) feature. Beyond just checking credentials, NAC can check characteristics
of the device seeking admission to the network. The client’s operating system and version
of anti-virus software are examples of these characteristics.
Troubleshooting Network Security Issues
Now that you have reviewed several security measures that networks might have in place
to protect their management, control, and data planes, consider how these layers of security
might impact your troubleshooting efforts. For example, troubleshooting is often
concerned with establishing connectivity between two devices, whereas security features
often strategically limit connectivity. Therefore, to effectively troubleshoot a network,
you should clearly understand what security features are in place, in addition to the desired
behavior of these features.
To begin your troubleshooting efforts in a secure network, you might first determine
if the issue being reported is related to the network’s security policy or if there is an
underlying network problem.
If you determine that there is indeed a network problem, your troubleshooting steps might
be limited to actions that conform to the network’s security policy. For example, you
might want to remove an IPsec configuration from a link between two offices. You should
balance that action against the severity of the problem, the likelihood of a security incident
occurring during the window of time the IPsec tunnel is deactivated, and the corporate
security policy.