This chapter has covered several attacks so far. In the sections that follow, you learn how to secure your network firewalls, routers, and switches against these types of attacks.

Securing Firewalls

The Cisco PIX Firewall and Adaptive Security Appliance (ASA) use the Adaptive Security Algorithm to perform stateful packet inspection. As each packet enters the firewall, the PIX or ASA checks that it is a valid packet and records the session in a flow (connection) table; each entry holds the source and destination IP addresses, the port numbers, and the TCP state (sequence numbers and flags). Before return traffic is allowed back through, the firewall looks for a matching, permitted entry in the session table and drops any packet that belongs to no known session. Unlike a router, a PIX or ASA does not pass all traffic by default. Each interface is assigned a security level (0 to 100), and traffic initiated from an interface with a lower security level is not allowed to reach networks behind an interface with a higher security level unless an access list explicitly permits it. Configure the firewall to permit only the minimal set of ports needed for operation: if a service on a higher-security interface must be reachable from a lower-security one, write an ACL that permits just those destination hosts and ports and leave everything else denied.

Securing Routers

As with the Cisco PIX Firewall and Cisco ASA, use ACLs to allow only authorized traffic through your router. In addition to ACLs, you can take other steps to protect yourself against the types of attacks covered in this chapter, as described in the sections that follow.

Disabling CDP

CDP advertises a device's Layer 3 address, platform, and IOS version to every directly connected neighbor, which is exactly the reconnaissance data an attacker wants. If you do not need that information about neighboring devices, you can safely disable CDP on your routers and switches. CDP can be turned off on a single interface or on the whole device.
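As an added example that is not part of the original page, the following IOS commands turn CDP off on one interface and on the whole router, and show how to check the result. The interface name serial 0/0 is an assumption standing in for your Internet-facing interface.

```cisco
! Added example; serial 0/0 is assumed to be the untrusted (Internet-facing) interface.
! Option 1: keep CDP inside the network, but stop advertising on the outside interface.
Router(config)#interface serial 0/0
Router(config-if)#no cdp enable
Router(config-if)#exit
! Option 2: CDP is not needed at all, so disable it on the whole router.
! (This overrides the per-interface settings; "cdp run" turns it back on.)
Router(config)#no cdp run
Router(config)#end
! Check: with CDP disabled globally, "show cdp" reports that CDP is not enabled, and
! neighbors can no longer learn this router's address, platform, or IOS version.
Router#show cdp
% CDP is not enabled
```

With only the per-interface command applied, "show cdp interface" lists every interface still running CDP; the interface you disabled should be missing from that list.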
If you use CDP internally (for IP phones or network-management discovery, for example), at a minimum disable it on every interface that faces an untrusted network, such as the outbound Internet-facing interface. If you do not require CDP internally, you can safely disable it globally.

Disabling or Restricting the HTTP Service

Avoid using the HTTP service to manage your router: it carries the administrator's credentials in clear text and exposes an extra listening service to anyone who can reach the router. Instead, use the command-line interface (CLI) to configure your router. To disable the HTTP service, enter the following command:

Router(config)#no ip http server

If you prefer the HTTP service and do not feel comfortable with the CLI, restrict which hosts may reach it with an access class. The following commands allow HTTP access to the router from 10.0.0.5 only; the access list's implicit deny blocks every other host:

Router(config)#access-list 1 permit host 10.0.0.5
Router(config)#ip http server
Router(config)#ip http access-class 1

Securing Router Passwords

Never store your enable password in clear text. At a minimum, protect it with the enable secret command, which stores an MD5 hash, or with service password-encryption, which applies the reversible type 7 encoding to the other passwords in the configuration. As you read earlier, though, neither does much against a password cracker who gets hold of the configuration: type 7 strings are decoded instantly, and an MD5 enable secret falls to a dictionary attack if the password is weak. A better option is to use AAA and authenticate administrators against a RADIUS or TACACS+ server, so that no shared password has to live in the configuration at all. The following example enables AAA with the aaa new-model command and configures the router to authenticate logins against a TACACS+ server at 10.0.0.10:

Router(config)#aaa new-model
Router(config)#aaa authentication login default tacacs+
Router(config)#tacacs-server host 10.0.0.10

Enabling Authentication for Routing Protocols

You should also enable authentication for your routing protocols, so that an attacker cannot pose as a neighbor and inject bogus routes. The sections that follow show how to do this for RIP, EIGRP, OSPF, IS-IS, and BGP.
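Before moving on to the routing protocols, here is an added configuration (not from the original page) that pulls the management-plane steps above together on one router: a hashed enable secret, a local administrator account, the HTTP server restricted to a single host, and AAA login authentication that tries TACACS+ first and falls back to the local database so that an unreachable TACACS+ server cannot lock you out of your own router. The server address 10.0.0.10, the management host 10.0.0.5, the account name admin, and the bracketed secrets are assumptions.

```cisco
! Added example; replace the <...> placeholders with strong, unique secrets.
! Local credentials: "secret" stores an MD5 hash, never a clear-text or type 7 password.
Router(config)#enable secret <enable-secret>
Router(config)#username admin privilege 15 secret <admin-password>
Router(config)#service password-encryption
! HTTP management: preferably off ("no ip http server"). If it must stay on, bind it
! to the ACL and make it use AAA instead of the enable password.
Router(config)#access-list 1 permit host 10.0.0.5
Router(config)#ip http server
Router(config)#ip http access-class 1
Router(config)#ip http authentication aaa
! AAA: TACACS+ server plus its shared key. "group tacacs+ local" means the local
! database is consulted only when the server does not answer, not when it rejects a login.
Router(config)#aaa new-model
Router(config)#tacacs-server host 10.0.0.10
Router(config)#tacacs-server key <tacacs-shared-key>
Router(config)#aaa authentication login default group tacacs+ local
Router(config)#aaa authentication enable default group tacacs+ enable
! Apply the login method to the console and the VTY lines.
Router(config)#line console 0
Router(config-line)#login authentication default
Router(config-line)#exit
Router(config)#line vty 0 4
Router(config-line)#login authentication default
Router(config-line)#end
! Check: every login should show up in the TACACS+ server's authentication log, and with
! the server unplugged the admin account from the local database should still get in.
Router#show running-config | include aaa|tacacs|http
```

Test the fallback from a second session before you close the one you configured it from; a typo in the method list is the classic way to lock yourself out.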
RIP Authentication

To configure authentication in RIP, first create a key chain that holds your password. The following example creates a key chain named MYCHAIN with a password of cisco (use a strong key string in production; cisco is a well-known default that attackers try first):

Router(config)#key chain MYCHAIN
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string cisco

Next, associate the key chain with each interface running RIP and enable MD5 authentication. Note that authentication is a RIP version 2 feature; RIPv1 has no authentication field, so make sure the router is running version 2 under router rip or the key chain has no effect.

Router(config)#interface fastethernet 0/0
Router(config-if)#ip rip authentication key-chain MYCHAIN
Router(config-if)#ip rip authentication mode md5
Router(config)#interface serial 0/0
Router(config-if)#ip rip authentication key-chain MYCHAIN
Router(config-if)#ip rip authentication mode md5

EIGRP Authentication

The process for EIGRP authentication is similar to that for RIP. First, create your key chain:

Router(config)#key chain MYCHAIN
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string cisco

Next, on each interface, associate the key chain with your EIGRP autonomous system number and enable MD5 authentication (the example uses autonomous system 1):

Router(config)#interface fastethernet 0/0
Router(config-if)#ip authentication key-chain eigrp 1 MYCHAIN
Router(config-if)#ip authentication mode eigrp 1 md5

OSPF Authentication

OSPF also supports authentication, and you should use the MD5 form rather than the clear-text option. Assign a message-digest key to each interface; both the key number and the password must match on all neighbors on a segment. The following command configures key 1 with a password of cisco on an interface:

Router(config-if)#ip ospf message-digest-key 1 md5 cisco

Defining the key is not enough by itself. Message-digest authentication must also be switched on, either on the interface with ip ospf authentication message-digest or for a whole area with area <area-id> authentication message-digest under router ospf; until one of those is set, OSPF keeps sending unauthenticated hellos.

IS-IS Authentication

IS-IS provides hierarchical routing through level 1 and level 2 routing. Level 1 routing is intra-area routing (between the routers, and to the end systems, within a single area), whereas level 2 routing is inter-area routing across your backbone.
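The following added example (not from the original page) shows the RIP, EIGRP, and OSPF settings above configured together on one router, with the steps the text leaves implicit: RIP runs version 2 so that MD5 applies, OSPF has message-digest authentication switched on in addition to the key, and the key chain holds two keys with overlapping lifetimes so a key can be rotated without dropping adjacencies. Running three IGPs on one router is only to show all three in one place. The interface names, the 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16 networks, EIGRP autonomous system 1, OSPF process 1, the dates, and the bracketed secrets are assumptions. The IS-IS and BGP commands follow below.

```cisco
! Added example. Key lifetimes depend on the router's clock, so sync NTP before using them.
Router(config)#key chain MYCHAIN
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string <secret-1>
Router(config-keychain-key)#accept-lifetime 00:00:00 Jan 1 2024 01:00:00 Jul 1 2024
Router(config-keychain-key)#send-lifetime 00:00:00 Jan 1 2024 00:00:00 Jul 1 2024
Router(config-keychain-key)#exit
! Key 2 is accepted an hour before it is sent, and key 1 an hour after, so neighbors
! that switch over slightly early or late keep their adjacency.
Router(config-keychain)#key 2
Router(config-keychain-key)#key-string <secret-2>
Router(config-keychain-key)#accept-lifetime 23:00:00 Jun 30 2024 infinite
Router(config-keychain-key)#send-lifetime 00:00:00 Jul 1 2024 infinite
Router(config-keychain-key)#exit
Router(config-keychain)#exit
! RIP on fastethernet 0/0: authentication is a RIPv2 feature, so "version 2" is required.
! Interfaces with no RIP neighbor are passive so they neither send nor accept updates.
Router(config)#router rip
Router(config-router)#version 2
Router(config-router)#network 10.0.0.0
Router(config-router)#passive-interface default
Router(config-router)#no passive-interface fastethernet 0/0
Router(config-router)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip rip authentication key-chain MYCHAIN
Router(config-if)#ip rip authentication mode md5
Router(config-if)#exit
! EIGRP AS 1 on serial 0/0, sharing the same key chain.
Router(config)#router eigrp 1
Router(config-router)#network 10.2.0.0 0.0.255.255
Router(config-router)#exit
Router(config)#interface serial 0/0
Router(config-if)#ip authentication key-chain eigrp 1 MYCHAIN
Router(config-if)#ip authentication mode eigrp 1 md5
Router(config-if)#exit
! OSPF process 1 on serial 0/1: the key alone does nothing until message-digest
! authentication is enabled, here per interface ("area 0 authentication message-digest"
! under "router ospf 1" would enable it for every interface in the area).
Router(config)#router ospf 1
Router(config-router)#network 10.3.0.0 0.0.255.255 area 0
Router(config-router)#exit
Router(config)#interface serial 0/1
Router(config-if)#ip ospf message-digest-key 1 md5 <ospf-secret>
Router(config-if)#ip ospf authentication message-digest
Router(config-if)#end
! Checks: "show ip protocols" lists the key chain next to each RIP interface,
! "show ip ospf interface" prints "Message digest authentication enabled", and a
! neighbor with the wrong key never appears in the EIGRP or OSPF neighbor tables.
Router#show ip protocols
Router#show ip ospf interface serial 0/1
Router#show ip eigrp neighbors
Router#show ip ospf neighbor
```

When you rotate keys, add the new key with a future send-lifetime on every router first, let the clocks pass the switchover time, and only then remove the old key; removing it first breaks every adjacency on the segment at once.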
IS-IS supports authentication at two scopes: on an interface (level 1, level 2, or both), which protects the hello exchange between directly connected routers, and on the level 1 area or the level 2 domain, which protects the link-state PDUs and sequence-number PDUs exchanged throughout the area or domain. An interface password has to match only between directly connected neighbors; an area password must match on every level 1 router in the area, and a domain password must match on every level 2 router in the domain. To configure interface authentication, go onto each interface and enter the isis password command. The following command enables level 1 authentication with the password cisco:

Router(config-if)#isis password cisco level-1

To configure a single password for an entire area, use the area-password command in IS-IS router subconfiguration mode:

Router(config-router)#area-password cisco

To configure a level 2 domain password, use the domain-password command in the same mode:

Router(config-router)#domain-password cisco

Be aware that these passwords travel in clear text inside the IS-IS PDUs, so anyone who can sniff the link can read them. Newer IOS releases support HMAC-MD5 authentication for IS-IS through key chains (isis authentication mode md5 together with isis authentication key-chain on the interface); prefer that where your platform offers it.

BGP Authentication

If you are running BGP, you can configure password authentication, too. BGP uses the TCP MD5 signature option, so the password protects the whole TCP session with the peer, not just individual updates; it is configured per neighbor and must match on both ends. The following command configures authentication with a BGP peer at 10.0.0.100 using a password of cisco:

Router(config-router)#neighbor 10.0.0.100 password cisco

Securing Switches

This chapter described the following switch-related attacks: VLAN hopping, spanning tree attacks, MAC table flooding, ARP attacks, and VTP attacks.
The sections that follow cover how to secure your network against these attacks.

Securing Against VLAN Hopping

The switch-spoofing form of VLAN hopping relies on DTP: a host that speaks DTP can negotiate itself into a trunk and then reach every VLAN on the switch. If a port should never be a trunk port, configure it explicitly as an access port with the following command:

Switch(config-if)#switchport mode access

If the port is to be a trunk port, configure it as a trunk, turn DTP negotiation off, and manually define which VLANs are allowed across the trunk. You can accomplish this with the following commands:

Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport nonegotiate
Switch(config-if)#switchport trunk allowed vlan [vlan range]

The double-tagging form of VLAN hopping does not depend on DTP but on the trunk's native VLAN, so also move the native VLAN of every trunk to an unused VLAN that no access port belongs to.

Securing Against Spanning Tree Attacks

To prevent a malicious hacker from plugging into your switch and taking over the root bridge, implement BPDU Guard. BPDU Guard err-disables any PortFast-enabled access port on which a BPDU is received, because a legitimate end host never sends BPDUs. The following global configuration command enables it on every PortFast port at once:

Switch(config)#spanning-tree portfast bpduguard default

You can also enable it on a single interface with spanning-tree bpduguard enable. A port shut down by BPDU Guard stays err-disabled until you bounce it by hand or configure err-disable recovery.

Securing Against MAC Table Flooding and ARP Attacks

MAC table flooding is stopped with port security, which limits how many MAC addresses an interface may learn and restricts them to the ones you define. Should an unauthorized MAC address appear on the port, the port shuts down (the default violation action). Port security helps against ARP attacks only when the attacker forges a source MAC address; an attacker who sends gratuitous ARP replies from his own, permitted MAC address is not stopped, so pair port security with Dynamic ARP Inspection (backed by DHCP snooping) on platforms that support it. Configuring port security is a two-step process: enable it on the interface, then define which MAC addresses, or how many, are allowed.
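As an added example (not from the original page), the following configuration carries out both port-security steps on one access port, using sticky learning so that the first MAC address seen is written into the running configuration, and adds the BPDU Guard setting from the previous section so that the same edge port is also protected against spanning tree attacks. The interface fastethernet 0/1 and access VLAN 10 are assumptions.

```cisco
! Added example for one user-facing edge port (fastethernet 0/1 and VLAN 10 are assumed).
Switch(config)#interface fastethernet 0/1
! Step 1: fix the port as an access port and turn port security on.
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#switchport port-security
! Step 2: define the allowed addresses. Either enter them statically with
! "switchport port-security mac-address <mac>", or (as here) let the port learn the
! first address it sees and keep it ("sticky"), and cap the count at 1 so a flooding
! tool cannot push thousands of addresses into the CAM table through this port.
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address sticky
! Violation action: "shutdown" err-disables the port (the default); "restrict" drops the
! offending frames and counts them; "protect" drops them silently.
Switch(config-if)#switchport port-security violation shutdown
! Edge-port STP protection: PortFast plus BPDU Guard on this interface.
Switch(config-if)#spanning-tree portfast
Switch(config-if)#spanning-tree bpduguard enable
Switch(config-if)#exit
! Optional: recover err-disabled ports automatically after 5 minutes instead of by hand.
Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#errdisable recovery cause bpduguard
Switch(config)#errdisable recovery interval 300
Switch(config)#end
! Check: the learned address is listed with type "SecureSticky", and the violation
! counter climbs as soon as a second MAC address shows up on the port.
Switch#show port-security interface fastethernet 0/1
Switch#show port-security address
```

Save the configuration after the sticky address has been learned; otherwise the learned address is lost at the next reload and the port learns whatever is plugged in at boot.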
Securing Against VTP Attacks

You have two options to prevent VTP attacks: disable VTP by placing the switch in transparent mode, or keep VTP and protect it with a password.
VTP provides convenience of management. If you can live without that convenience, disable VTP by placing the switch in VTP transparent mode, as demonstrated with the following vlan database mode commands:

Switch#vlan database
Switch(vlan)#vtp transparent

On current IOS releases, vlan database mode is deprecated; use vtp mode transparent in global configuration mode instead. In transparent mode the switch keeps its own VLAN database and ignores VTP advertisements, so a rogue VTP server announcing a higher configuration revision number cannot delete your VLANs.

If you do need VTP, disabling it is not an option. Instead, configure a VTP password. The switch uses the password to compute the MD5 digest carried in every advertisement, and advertisements whose digest does not match are rejected; the domain name and password must be identical on every switch in the domain. The following example configures a switch to use the password cisco (as before, choose a strong password in production):

Switch(vlan)#vtp password cisco

Note For more information on VTP, consult CCSP CSI Exam Certification Guide, 2nd Edition or CCSP Self Study: Securing Cisco IOS Networks (SECUR), both from Cisco Press.
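The following added configuration (not from the original page) shows the two VTP options in the global-configuration syntax of current IOS releases, followed by the trunk hardening from the VLAN hopping section above with an unused native VLAN, which closes the double-tagging variant of that attack. Pick one VTP option; both are shown for comparison. The domain name CORP, VLANs 10, 20 and 30, VLAN 999, the interface gigabitethernet 0/1, and the bracketed password are assumptions.

```cisco
! Added example. Choose ONE of the two VTP options below.
! Option 1: no VTP. The switch keeps its own VLAN database and ignores advertisements,
! so a rogue VTP server with a higher revision number cannot wipe the VLANs.
Switch(config)#vtp mode transparent
! Option 2: VTP stays on, protected by a password. Domain name and password must match
! on every switch; the MD5 digest in each advertisement is computed from them.
Switch(config)#vtp domain CORP
Switch(config)#vtp version 2
Switch(config)#vtp password <strong-vtp-password>
! Reserve an unused VLAN as the native VLAN of every trunk. No access port is ever
! placed in it, so a double-tagged frame cannot land in a VLAN that carries real hosts.
Switch(config)#vlan 999
Switch(config-vlan)#name NATIVE-UNUSED
Switch(config-vlan)#exit
! Trunk hardening: explicit trunk, no DTP, explicit VLAN list, unused native VLAN.
! (On platforms that also support ISL, add "switchport trunk encapsulation dot1q" first.)
Switch(config)#interface gigabitethernet 0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport nonegotiate
Switch(config-if)#switchport trunk allowed vlan 10,20,30
Switch(config-if)#switchport trunk native vlan 999
Switch(config-if)#end
! Checks: VTP mode and whether a password is set, and the trunk's negotiation state,
! allowed VLANs and native VLAN.
Switch#show vtp status
Switch#show vtp password
Switch#show interfaces gigabitethernet 0/1 switchport
```

Before enabling a VTP password on a live domain, set it on the VTP servers first and then on the clients; a client whose digest no longer matches simply stops accepting updates until its password is corrected, which is harmless, whereas a server left without the password keeps advertising unauthenticated.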