COMMON CISCO DEVICE SECURITY FEATURES

The security safeguards expected to be supported by any Cisco router independently of the platform and IOS version (or code train in Ciscospeak) include the following:

  • Authentication, Authorization, and Accounting (AAA) support

  • Standard, extended, dynamic, time-based, and reflexive access lists

  • Passive ports and route distribution lists

  • Route authentication

  • User and enable password encryption

  • Local event logging into a custom size buffer

  • Remote event logging via syslog and Simple Network Management Protocol (SNMP) traps

  • Dial-back for users dialing into the router remotely

  • Static Address Resolution Protocol (ARP)

  • Network Time Protocol (NTP) authentication

All Cisco Catalyst switches support the following:

  • Media Access Control (MAC) address filtering and static MACs

  • Proper static and dynamic virtual LAN (VLAN) segmentation

  • Secure Spanning Tree Protocol (STP) (Cisco RootGuard and BPDUGuard features)

  • Local and remote event logging via syslog and SNMP traps

  • Restricted administrative access to the switch on a source IP basis

  • User and enable password encryption

  • NTP authentication

Everything beyond the listed functions can be implemented by using additional security features in specific IOS versions, adding security modules to modular routers or switches, or using security appliances such as PIX firewalls instead of casual routers.

The first thing you should look at when selecting the code train for your router is the correct IOS release. The two main types of code releases are main releases and early deployment (ED) releases. Main IOS releases are reliable and stable, but they do not accept the addition of the latest features and supported platforms. Bug and security fixes are the impetus for issuing main release maintenance revisions. If you find an IOS main release that completely suits your demands, it makes perfect sense for you to employ this release on your routers with a lower chance of router security being compromised by a malicious hacker exploiting possible vulnerabilities and design flaws in a less tested and tried software. Features that you never use can be abused by attackers to root or crash your box, and the more bloated the code, the higher the chance that security flaws are there. On the other hand, ED releases can introduce new security features you may desperately needfor example, 802.1x support for user authentication. It is up to you to decide which IOS release line you will use, depending on whether the current main releases have all the security and other features and protocol support you consider necessary.

The ED releases are split into four categories:

  • Consolidated Technology Early Deployment (CTED) releases These are also known as the T train and are easily identifiable by their name , which always ends with a T (for Technology ) for example, 11.3T, 12.0T, and 12.1T. T trains are very rich in features, protocol, and platform support.

  • Specific Technology Early Deployment (STED) releases STEDs are usually platform-specific. 11.1CA, 11.1CC, 11.1CT, 11.3NA, 11.3MA, 11.3WA, and 12.0DA are typical examples of STED releases.

  • Specific Market Early Deployment (SMED) releases SMEDs are similar to STEDs, but they target specific market segmentsfor example, Internet Service Providers (ISPs). Examples of SMEDs include Cisco IOS 12.0S and 12.1E.

  • Short-lived Early Deployment releases, also known as X Releases (XED) XEDs do not provide software maintenance revisions or regular software interim revisions. If a bug is found in the XED before its convergence with the CTED, a software rebuild is initiated and a number is appended to the IOS name. For example, Cisco IOS 12.0(2)XB1 and 12.0(2)XB2 are examples of 12.0(2)XB rebuilds.

How about the security relevance of identifiers in the IOS names ? The main IOS security identifiers are k for encryption and o for firewalling, but a few other identifiers can also be important security-wise. For example, quality of service (QoS) features are desirable since they can be used in denial-of-service/distributed denial-of-service (DoS/DDoS) control. Table 2-1 lists the IOS name identifiers relevant to network and router security.

Table 2-1: Security-Relevant IOS Identifiers

IOS Identifier

Description

k2

Triple Data Encryption Standard (DES) on Cisco IOS software releases 11.3 and up. Includes Secure Shell Protocol (SSH) in Cisco IOS software releases 12.1 and up.

k8

Less than or equal to 64-bit encryption. On Cisco IOS software releases 12.2 and up.

k9

Greater than 64-bit encryption on Cisco IOS software releases 12.2 and up. On latest IOS versions, this usually means 128-bit Advanced Encryption Standard (AES).

o

Firewall (formerly IPeXchange Net Management).

o3

Firewall with intrusion detection (Firewall Phase II).

q3

Quality of service (QoS).

q4

Reduced QoS subset. Access Control List (ACL) merge and VLAN map removed.

RM

ROM monitor (ROMMON) image.

u2

Lawful intercept.

w4

Wiretap.

y

IP variant. No Kerberos, Remote Authentication Dial-In User Service (RADIUS), Network Time Protocol (NTP), Open Shortest Path First (OSPF), Protocol Independent Multicast (PIM), Simple Multicast Routing Protocol (SMRP), Next Hop Resolution Protocol (NHRP), and so on (c1600).

y2

IP Plus variant. No Kerberos, RADIUS, NTP, and so on (c1600).

y9

Secure Sockets Layer (SSL) termination engine for Catalyst 6000 family (c6ssl).

40

40-bit encryption.

56

56-bit encryption.

56i

56-bit encryption with IPSec. Includes SSH in Cisco IOS software releases 12.1 and up.

As you can see, Table 2-1 includes not only the identifiers of features that are desirable, but it also shows the identifiers of minimalistic IOS versions such as q4, y, and y2 that should be avoided if possible. As with anything else, security has scalability demands, and even if you don't use RADIUS now, you may well use it in a few months' time (for example, if a wireless network is deployed). Besides, not having NTP support is a very bad security practice. (In case you're wondering why, logs without precise time shown are useless in a court of law and make the entire incident response procedure fruitless. Configuring authenticated NTP synchronization with the major reliable NTP servers in your area is a good networking practice.) As to the QoS features, as we already mentioned they come in handy for containing traffic floods, and you can never know when a DoS/DDoS attack will hit. Of course, the main countermeasure against such attacks is still proper firewalling, which is briefly reviewed later in the book.



Hacking Exposed Cisco Networks
Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions
ISBN: 0072259175
EAN: 2147483647
Year: 2005
Pages: 117

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net