Securing the Network


This chapter has covered several attacks so far. In the sections that follow, you learn how to secure your network firewalls, routers, and switches against these types of attacks.

Securing Firewalls

The Cisco PIX Firewall and Adaptive Security Appliances (ASA) use the Adaptive Security Algorithm to perform stateful packet inspection. As each packet enters the firewall, the PIX or ASA inspects it to verify that it is a valid frame. The PIX or ASA does this by recording each session in a flow table, with each session entry containing source and destination IP address, port numbers, and TCP protocol information. Before traffic is allowed back through the PIX or ASA, the PIX or ASA checks the session flow table to verify that an allowed session entry exists.

Unlike a router, the default settings of a PIX and ASA firewall do not allow all traffic to pass through it. Interfaces are assigned a security level, and traffic that is initiated from a lower security level is not allowed to access networks that are connected to an interface with a higher security level.

You should configure your firewall to allow only the minimal number of ports necessary for operation. If you need traffic from a lower security level interface to access a higher security level interface, you can create an ACL to allow the particular ports to be unfiltered.

Securing Routers

As with the Cisco PIX Firewall and Cisco ASA, you should use ACLs to allow only authorized traffic through your router. In addition to ACLs, you can take other steps to protect yourself against the types of attacks mentioned in this chapter, as described in the sections that follow.

Disabling CDP

If you do not need the ability to collect the Layer 3 address, platform, or IOS version of neighboring devices, you can safely disable CDP on your routers and switches. The two commands you can use to disable CDP on your router are as follows:

  • Router(config)#no cdp run - Disables CDP globally on all interfaces

  • Router(config-if)#no cdp enable - Disables CDP on a particular interface

If you are using CDP internally, then at a minimum you should disable it on the outbound interface. If you do not require CDP internally, you can safely disable it globally.

Disabling or Restricting the HTTP Service

You should avoid using the HTTP service to manage your router because of the inherent security risks with it. Instead, use the command-line interface (CLI) to configure your router. To disable the HTTP service, enter the following command:

Router(config)#no ip http server

If you prefer the HTTP service and do not feel comfortable with the CLI, you should restrict access to the router through the use of an ACL. For example, the following commands restrict HTTP access to a router from all hosts except 10.0.0.5.

Router(config)#access-list 1 permit host 10.0.0.5
Router(config)#ip http access-class 1

Securing Router Passwords

Never store your enable password in clear text. At a minimum, you should encrypt it either by using the enable secret or service password-encryption command. As you read earlier, though, these commands do little to protect you against password crackers if a malicious hacker is able to get the password hash.

A better option is to use AAA security and authenticate through either a RADIUS or TACACS+ server. The following example enables AAA with the aaa new-model command and shows how to configure your router to authenticate to a TACACS+ server at the address of 10.0.0.10:

Router(config)#aaa new-model
Router(config)#aaa authentication login default group tacacs+
Router(config)#tacacs-server host 10.0.0.10

Enabling Authentication for Routing Protocols

You should also enable authentication for your routing protocols. Routing protocols that support authentication are as follows:

  • RIP Version 2

  • EIGRP

  • OSPF

  • IS-IS

  • BGP

RIP Authentication

To configure authentication in RIP, first create a key chain with your password. The following example shows the creation of a key chain named MYCHAIN with a password of cisco.

Router(config)#key chain MYCHAIN
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string cisco

Next, associate the key chain you created with each interface running RIP and enable MD5 authentication:

Router(config)#interface fastethernet 0/0
Router(config-if)#ip rip authentication key-chain MYCHAIN
Router(config-if)#ip rip authentication mode MD5
Router(config)#interface serial 0/0
Router(config-if)#ip rip authentication key-chain MYCHAIN
Router(config-if)#ip rip authentication mode MD5

EIGRP Authentication

The process for EIGRP authentication is similar to that for RIP authentication. First, create your key chain:

Router(config)#key chain MYCHAIN
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string cisco

Next, go on each interface and associate your key chain with your EIGRP autonomous system number. Do not forget to also enable MD5 authentication:

Router(config)#interface fastethernet 0/0
Router(config-if)#ip authentication key-chain eigrp 1 MYCHAIN
Router(config-if)#ip authentication mode eigrp 1 md5

OSPF Authentication

OSPF also supports authentication. You should configure OSPF MD5 authentication on each interface. To do so, assign a key ID and a password to each link, then turn on message-digest authentication for that interface. Both the key ID and the password must match on every neighbor on the segment. The following commands define key 1 with a password of cisco and enable MD5 authentication on the interface.

Router(config-if)#ip ospf message-digest-key 1 md5 cisco
Router(config-if)#ip ospf authentication message-digest

IS-IS Authentication

IS-IS provides hierarchical routing through the use of level 1 and level 2 routing. Level 1 area routing is routing to end systems (ES), whereas level 2 area routing is routing across your backbone. IS-IS supports level 1 and level 2 authentication on an interface and level 1 area and level 2 domain passwords. Passwords on an interface affect routers that are connected directly to each other; domain passwords must match throughout the entire area (either level 1 or level 2).

To configure IS-IS authentication, go onto each interface and enter the isis password command. The following command enables level-1 authentication with the password of cisco.

Router(config-if)#isis password cisco level-1

To configure a single password for an entire area, use the area-password command under the IS-IS routing subconfiguration mode.

Router(config-router)#area-password cisco

To configure a level-2 domain password, use the domain-password command in the IS-IS router subconfiguration mode:

Router(config-router)#domain-password cisco

BGP Authentication

If you are running BGP, you can configure password authentication, too. With BGP, password authentication is simple and is configured on a per-neighbor basis. The following command configures authentication with a BGP peer at 10.0.0.100 using a password of cisco.

Router(config-router)#neighbor 10.0.0.100 password cisco

Securing Switches

This chapter mentioned the following switch-related attacks:

  • VLAN hopping

  • Spanning Tree attacks

  • MAC table flooding

  • ARP attacks

  • VTP attacks

The sections that follow cover how to secure your network against these attacks.

Securing Against VLAN Hopping

VLAN hopping relies on DTP. If a port should never be a trunk port, you should manually configure it to be an access port with the following command:

Switch(config-if)#switchport mode access

If the port is to be a trunk port, you should set it to nonegotiate and manually define which VLANs are allowed across the trunk. You can accomplish this with the following commands:

Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport nonegotiate
Switch(config-if)#switchport trunk allowed vlan [vlan range]

Securing Against Spanning Tree Attacks

To prevent a malicious hacker from plugging into your switch and changing the root bridge on your network, you should implement BPDU Guard. BPDU Guard shuts down any access port that is configured with PortFast should it hear any BPDU messages. BPDU Guard is configured with the following global configuration command:

Switch(config)#spanning-tree portfast bpduguard default

Securing Against MAC Table Flooding and ARP Attacks

MAC table flooding and ARP attacks can be stopped through port security. With port security, only defined MAC addresses are allowed to use the interface. Should a MAC address enter a port that is not authorized, the port shuts down.

Configuring port security is a two-step process:

Step 1. Define what MAC address is allowed on a port.

To statically map a MAC address to an interface and VLAN, use the mac address-table static command. The following command maps the MAC address of 09-00-0D-31-00-5F to VLAN 4 on interface fastethernet0/0:

Switch(config)#mac address-table static 0900.0d31.005f vlan 4 interface fastethernet 0/0

Step 2. Enable port security and define what happens if another MAC address attempts to use the port.

You can accomplish this with the switchport port-security interface configuration command, as follows:

Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security violation shutdown

Securing Against VTP Attacks

You have two options to prevent VTP attacks:

  • Disable VTP

  • Configure VTP passwords

VTP provides convenience of management. If you can live without this added convenience, you can disable VTP by placing the switch in VTP transparent mode, as demonstrated with the following command:

Switch#vlan database
Switch(vlan)#vtp transparent

If you do need VTP, disabling it is not an option. Instead, configure MD5 passwords. The following example configures a switch to use the password of cisco:

Switch(vlan)#vtp password cisco

Note

For more information on VTP, consult CCSP CSI Exam Certification Guide, 2nd Edition or CCSP Self Study: Securing Cisco IOS Networks (SECUR), both from Cisco Press.
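As an added example, not from the book, the following Python script audits a saved IOS running-config for the hardening steps this section describes (CDP, HTTP management, enable secret, AAA, BPDU Guard, port security on access ports, and DTP on trunks). The sample config is constructed for the demonstration and the finding strings are my own.

```python
"""Audit a Cisco IOS running-config against the hardening steps in this section."""
import re

# Constructed sample config (not from a real device) that violates several checks.
SAMPLE_CONFIG = """\
hostname edge1
enable password cisco
ip http server
!
interface FastEthernet0/0
 switchport mode access
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security violation shutdown
!
"""

def _interfaces(config):
    """Yield (name, stripped body lines) for each interface block in the config."""
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        yield m.group(1), [l.strip() for l in m.group(2).splitlines()]

def audit_ios_config(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = {l.strip() for l in config.splitlines()}
    findings = []
    if "no cdp run" not in lines:
        findings.append("CDP not disabled globally (no cdp run)")
    if "ip http server" in lines and not any(l.startswith("ip http access-class") for l in lines):
        findings.append("HTTP server enabled without an access-class ACL")
    if any(l.startswith("enable password") for l in lines):
        findings.append("enable password in use; replace with enable secret")
    if "aaa new-model" not in lines:
        findings.append("AAA not enabled (aaa new-model)")
    if "spanning-tree portfast bpduguard default" not in lines:
        findings.append("BPDU Guard not enabled globally")
    for name, body in _interfaces(config):
        if "switchport mode access" in body and "switchport port-security" not in body:
            findings.append(f"{name}: access port without port security")
        if "switchport mode trunk" in body and "switchport nonegotiate" not in body:
            findings.append(f"{name}: trunk port still negotiating DTP")
    return findings

if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config from a real device to get a quick list of which steps in this section are still missing.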


Penetration Testing and Network Defense
ISBN: 1587052083
Year: 2005
Pages: 209