4.2 The Basics

   

There are some basic steps that need to be taken with any router to help increase network security. Not all of these steps will be possible in every environment, but as you develop a security strategy for your network, you can incorporate the options that are appropriate for your security needs.

Keep in mind that an edge router has at least two interfaces. Many times a network administrator will tighten down the external interface and leave the internal interface wide open. If someone does manage to get into the network, he or she can then use internal servers to launch attacks against other networks. If the internal interface is locked down to the same degree as the external interface, it increases the chances of stopping an attack that originates from within the network, and it keeps your own hosts from being used as an amplifier or a spoofing platform against somebody else.

In Chapter 3 we discussed smurf attacks, in which the attacker sends ICMP echo requests to the broadcast address of a netblock with the victim's address forged as the source, so that every host on that network replies to the victim and floods it.

A very simple way to keep your network from being used as a smurf amplifier is to stop the router from forwarding packets addressed to the directed broadcast address of a connected subnet. If those packets are dropped at the router, the hosts behind it never see them and never reply. In IOS 12.0 and later, Cisco disables directed broadcast forwarding by default. If you are running an earlier version of IOS, disable it manually on every interface:

 gw1(config-if)#no ip directed-broadcast 

Some vendors, such as Juniper and Extreme, disable directed broadcast forwarding by default.

In Chapter 3, several spoofing attacks were also described, including one involving source routing, where the sender dictates the path a packet takes and, with it, the path its replies will follow. The router can be told to drop all source-routed packets with one global command:

 gw1(config)#no ip source-route 

Remember that no ip directed-broadcast is an interface setting and has to be applied to every interface on the router, internal ones included, whereas no ip source-route is a global setting and covers the whole router once.
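As an added example, not taken from the book, here is how the two settings land in the configuration of a router with one outside and one inside interface, followed by the show commands that confirm they took effect. The host name gw1, the interface names and the addresses (taken from the RFC 5737 documentation ranges) are assumed for illustration.

```cisco
! Added example, not from the book. Host name, interface names and
! addresses are assumed (documentation ranges from RFC 5737).
gw1# configure terminal
! Directed broadcast is a per-interface setting: repeat it on EVERY
! interface, the inside one included, or the LAN can still be used as
! a smurf amplifier by anyone who gets a packet onto it.
gw1(config)# interface Serial0/0
gw1(config-if)# description Outside, provider link
gw1(config-if)# ip address 203.0.113.2 255.255.255.252
gw1(config-if)# no ip directed-broadcast
gw1(config-if)# exit
gw1(config)# interface FastEthernet0/0
gw1(config-if)# description Inside, LAN
gw1(config-if)# ip address 192.0.2.1 255.255.255.0
gw1(config-if)# no ip directed-broadcast
gw1(config-if)# exit
! Source routing is a global setting: one command covers the whole router.
gw1(config)# no ip source-route
gw1(config)# end
gw1# write memory
! Verify. Each interface should report
! "Directed broadcast forwarding is disabled", and the running
! configuration should contain the line "no ip source-route".
gw1# show ip interface Serial0/0 | include broadcast
gw1# show ip interface FastEthernet0/0 | include broadcast
gw1# show running-config | include source-route
```

On IOS 12.0 and later the directed broadcast default is already off, so the show commands should report it disabled even without the interface lines; they are still worth running after an upgrade, or on any router somebody else configured, because a single interface left forwarding directed broadcasts is enough to make the whole LAN an amplifier.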

4.2.1 Physical Security

Have you ever forgotten the password to a router, or, worse, walked into a new job where no one knew the passwords for the routers? You are not alone. Because routers often function with little or no manual intervention, they can be left untouched for months, or even years, perhaps even buried under a stack of papers by someone who assumes that it is important but has no idea what it is.

NOTE

It may sound unbelievable that a router would be buried under a stack of papers, but if you talk to anyone who has worked in the support department of a large ISP, they will tell you it happens more often than you think.


Router companies realize this, which is why most have developed password recovery procedures for most of their products. Cisco even has a nice page that lists all of its networking equipment along with the associated password recovery procedures (www.cisco.com/warp/public/474/ ).

The downside is that anyone with a little knowledge, a console cable and a few minutes alone with the box can use the same procedure to get into your routers. Every one of these recovery procedures requires console access and, usually, a power cycle, which is exactly why keeping routers physically secured matters. Newer IOS releases also offer the global command no service password-recovery, which disables the ROM monitor recovery procedure; understand the trade-off before you use it, because a lost password then means losing the configuration rather than just the password.

The ideal location for core network equipment is in a clean data center, with redundant power sources and multiple cooling sources. A setting like this will help increase the lifetime (availability) of routers as there will be less dust, less temperature fluctuation, and no power surges, all of which have detrimental effects on routing and server equipment.

Realizing that not everyone has the budget for a carrier class data center, there are still precautions that should be taken to keep core networking equipment secure. Start by locking the equipment in a closet or in a room used only by networking personnel, rather than a room with a lot of traffic. Networking equipment should be racked, rather than stacked on a table or a shelf. Racking the equipment helps keep it cooler, and makes it more difficult for someone to walk away with it. If the networking equipment has to share a room with other things, consider buying an enclosed rack with a lock, and make sure you use the lock.

A small cooling/filtering unit is also a good idea; at the very least make sure that the area where the equipment is stored has good ventilation. Finally, a high-end uninterruptible power supply (UPS) is important. A UPS serves two purposes: it conditions the power, making sure there are no spikes that may damage the equipment, and it keeps the equipment running in the event of a power failure. The second is important not only because you want to keep your network up (though I am sure you do), but because a hard shutdown can damage the router, forcing it to be replaced and causing additional downtime.

Once you are confident that your networking equipment has been properly secured, the next step is to secure the router's operating system and configuration.

4.2.2 Banners

It has become a common practice to create login banners that state the organization's access policy. In part this is to let people who may be just snooping know that they should not be. Keep the banner as succinct as possible, and do not use the word welcome. Some people have contended that the word welcome is an invitation to investigate; since that is not the case, make your point clear. On Cisco routers the text goes in a banner login, which is displayed before the password prompt. Text like this is usually effective:

 ***************************************************
           Organization Name
           RESTRICTED ACCESS
         No Unauthorized Access.

 Contact(s):
   Joe Smith: jsmith@example.com
   Jane Doe:  jdoe@example.com
 ***************************************************

This will probably not deter an attacker who has already gained access to the system, but it removes any claim that the access was invited, and it may assist in the event you are able to track down and prosecute the attacker.

4.2.3 Access Lists

Access control lists (ACLs) are commonly used to filter unwanted packets at the router. An ACL is a rule, or an ordered group of rules, that tells the router which packets to permit and which to drop as they pass through it. Some organizations attempt to use router ACLs in place of a firewall. This is not a good idea for two reasons:

  1. An ACL does not have the same level of functionality as a firewall.

  2. ACLs can place a heavy CPU burden on the router, particularly long lists, or lists that log matches, on platforms that have to handle such packets in software. The burden can cause serious performance degradation and, if the router is not powerful enough to keep up with the incoming traffic, make your internal network unreachable.

If a company is going to rely on ACLs to help filter unwanted traffic, it is a good idea to "super size" the router: whatever model your vendor recommends for your level of connectivity, select a more powerful one. In addition, if you are going to have multiple connections to the Internet, which is good, then where practical maintain a separate router for each connection and let your internal routing determine the best path.

Each router manufacturer handles ACLs in a slightly different manner, but they all follow the same basic pattern: an ordered list of rules, each consisting of a match (protocol, source, destination, and optionally ports or flags) and an action. A Cisco extended access list entry reads, left to right:

 access-list <number> <permit|deny> <protocol> <source> <source-wildcard> <destination> <destination-wildcard> [options] 

The wildcard masks are the inverse of a netmask (0 bits must match, 1 bits are ignored), so 0.0.255.255 covers a /16 and the keyword any stands for 0.0.0.0 255.255.255.255.

A typical Cisco access list will look something like this:

 access-list 110 deny ip 192.168.0.0 0.0.255.255 any log-input 
On a Juniper router the closest analogue in the routing policy language is a policy statement with a route filter. Note what it is, though: a routing policy, not a packet filter. Applied as an import policy on a routing protocol it rejects any route inside 192.168.0.0/16, but it does nothing to transit packets. Junos filters packets with a firewall filter (under firewall, family inet) that is attached to an interface with an input statement, and that is what you want as the equivalent of the Cisco access list. The route-filter statement also requires a match type, which the original listing omitted; orlonger matches the prefix itself and anything longer:

 policy-options {
     policy-statement from-hall2 {
         term 1 {
             from {
                 route-filter 192.168.0.0/16 orlonger reject;
             }
         }
         then accept;
     }
 } 

The Cisco rule above is a very common ACL entry. It tells the router that any IP packet whose source address is in the 192.168.0.0/16 netblock, whatever its destination, should be dropped, and that the match should be logged; log-input additionally records the interface the packet arrived on and its source MAC address, which is what you want when chasing spoofed traffic. As mentioned in Chapter 1, the 192.168.0.0 netblock is reserved for private networks (RFC 1918). Packets from that netblock should not be traveling across the WAN, [3] so any traffic arriving from outside with a source address in that netblock can be dropped.

[3] Barring very badly configured routers, and you don't want their traffic anyway.

There are other ACL rules that can be effective but are more controversial. While they have their merits, they may meet with resistance inside your organization. The first of these is not controversial at all: it drops only ICMP redirect messages, which no host should accept from across the WAN, because a redirect can be used to alter the host's routing table:

 access-list 110 deny icmp any any redirect log-input 

The controversial version drops all Internet Control Message Protocol (ICMP) traffic into, and out of, your network:

 access-list 110 deny icmp any any log-input 

The redirect rule by itself does not affect ping; the second rule does. ICMP echo requests are what Ping sends, and Ping is a very common tool used to test system availability:

 [root@test root]# ping -c 5 192.168.0.1
 PING 192.168.0.1 (192.168.0.1) from 192.168.0.40 : 56(84) bytes of data.
 64 bytes from 192.168.0.1: icmp_seq=0 ttl=150 time=864 usec
 64 bytes from 192.168.0.1: icmp_seq=1 ttl=150 time=749 usec
 64 bytes from 192.168.0.1: icmp_seq=2 ttl=150 time=769 usec
 64 bytes from 192.168.0.1: icmp_seq=3 ttl=150 time=741 usec
 64 bytes from 192.168.0.1: icmp_seq=4 ttl=150 time=745 usec

 --- 192.168.0.1 ping statistics ---
 5 packets transmitted, 5 packets received, 0% packet loss
 round-trip min/avg/max/mdev = 0.741/0.773/0.864/0.055 ms 

Ping can also be used to launch attacks against a network. Attacks like the Ping of Death exploit weaknesses in the way certain systems reassemble oversized IP packets, in order to crash them. Ping can also be used as an exploratory tool; attackers use it to determine which systems within a netblock are up. ICMP is also easy to misuse because it has no port numbers: no application listens for it, so nothing on the host logs it, and only a packet filter that logs matches (the log-input keyword above) or an intrusion detection system will record it. That makes ICMP hard to track when it is used as a weapon against your network.

NOTE

The Ping of Death is an exploit that became widely known in 1996. Sending a fragmented ICMP echo request that reassembles to more than the maximum legal IP packet size (65,535 octets) overflowed the reassembly buffer on certain operating systems and locked them up, leaving them unresponsive.


The downside to dropping all ICMP in this manner is that it makes legitimate network troubleshooting more difficult. You will still be able to ping hosts within your network, so local troubleshooting will not change, but remote troubleshooting will. A bigger problem is path MTU discovery: if the filter also drops the ICMP "fragmentation needed" messages (type 3, code 4) that tell a sender to use smaller packets, connections that cross a link with a smaller MTU will hang, so at a minimum permit those. With that exception, the added security gained from filtering ICMP at your routers offsets the loss in productivity for most organizations.

ACL rules are processed in order until the first match is found, and that rule's action is taken. Firewall rule sets conventionally end with an explicit deny; a Cisco access list ends with an implicit deny of everything that matched no earlier line (other vendors differ, so check with your router manufacturer). Either way, this means that you have to tell the router explicitly to allow the traffic you are not denying:

 access-list 110 permit ip any any 

Try to arrange the list so the most commonly matched rules are processed first; the per-line match counters from show access-lists tell you which those are. This speeds up connectivity for users and lessens the load on the router. Two cautions apply. Only reorder rules that do not overlap, because with first-match processing moving a permit above a deny (or the reverse) changes what the list does. And do not log every match: the log and log-input keywords cost CPU on most platforms, so log the denies you care about and leave high-volume permits unlogged. Also include rules that short-cut the matching process. Many network administrators will include a rule similar to this as their first rule:

 access-list 110 permit tcp any any established 

The established keyword matches TCP segments with the ACK or RST bit set, which is what every packet of a connection looks like after the initial SYN. By making this the first rule you are, in essence, giving users with connections already in progress a priority pass through the router, which improves performance while still letting you put restrictive rules below it. Be aware of what it does not do: the router keeps no connection table, so any packet an attacker sends with the ACK bit set (an ACK scan, for instance) matches this rule too. Treat it as a performance shortcut rather than a security control, and put your anti-spoofing deny rules above it if you want them to apply to every packet.

In addition to the rules used in this section, some of the more common ACL rules used to increase security drop the other two RFC 1918 private netblocks, and, on the external interface, packets that claim to come from your own address space or from 127.0.0.0/8, none of which should ever arrive from the Internet:

 access-list 110 deny ip 10.0.0.0 0.255.255.255 any log-input
 access-list 110 deny ip 172.16.0.0 0.15.255.255 any log-input 

One word of warning before you begin applying ACLs to your router: whenever possible, connect to the router over a console cable when making ACL changes. Countless network administrators have locked themselves out of a router, and blocked all traffic, by not properly anticipating the results of their access lists. On a Cisco router a cheap safety net is to issue reload in 10 before you start and not save the configuration: if the change locks you out, the router reboots into the saved configuration ten minutes later, and if it works you run reload cancel and then save. It is always better to test the effect of an access list in a lab before going live, but even lab testing cannot account for bad typing. [4]

[4] Not that the author has ANY first-hand experience with being locked out of a router in this manner. No, definitely not.

NOTE

Most network administrators find it easier either to paste ACL rules into the router, or to edit a copy of the configuration off the router and then load it, than to type rules one at a time at the prompt.
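The rules discussed in this section, assembled into one inbound list in working order and applied to the outside interface. This is an added example and not the book's own configuration; the interface name, the site's own block 192.0.2.0/24 and the syslog collector address are assumed. Unlike the ordering suggested above, the anti-spoofing denies sit above the established rule so that a forged packet with the ACK bit set cannot slip past them; the cost is a handful of extra comparisons per packet.

```cisco
! Added example, not from the book. Interface, site prefix 192.0.2.0/24
! and syslog host are assumed. Applied inbound on the outside interface.
!
! 1. Anti-spoofing: nothing arriving from the Internet may carry a source
!    address from our own block, RFC 1918 space, or the loopback range.
access-list 110 deny ip 192.0.2.0 0.0.0.255 any log-input
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 110 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 110 deny ip 127.0.0.0 0.255.255.255 any log-input
!
! 2. Return traffic for connections our users started (ACK or RST set).
!    Performance shortcut only: the router keeps no connection state.
access-list 110 permit tcp any any established
!
! 3. ICMP: always drop redirects; keep what path MTU discovery, our own
!    pings and traceroute need; then drop the rest (the controversial part).
access-list 110 deny icmp any any redirect log-input
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any time-exceeded
access-list 110 deny icmp any any log-input
!
! 4. Everything else is still allowed. Without this line the implicit
!    deny at the end of the list would cut the site off.
access-list 110 permit ip any any
!
! Attach the list to packets entering from the provider link.
interface Serial0/0
 ip access-group 110 in
!
! log-input matches are only useful if they leave the router.
logging host 192.0.2.10
logging trap informational
```

After the list has been in place for a while, show access-lists 110 shows how many packets each line has matched; use those counters, not guesswork, before reordering lines that do not overlap. An inbound list on the outside interface says nothing about what leaves your network, so a compromised inside host can still spoof outward; that is what a matching list on the inside interface is for, which is the point made at the start of this section.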


4.2.4 NTP

The Network Time Protocol (NTP), Version 3 of which is defined in RFC 1305, synchronizes clocks across a network, ensuring that the time on a device is accurate or, at the very least, consistent with the rest of the network.

If you intend to log from your router to a remote server, you will want NTP enabled; without it, the timestamps on the router's log entries cannot be lined up with those from other devices. When done properly, NTP helps assure that the logs collected by the remote server carry timestamps you can trust.

NTP references Coordinated Universal Time (UTC), the time scale kept by atomic clocks and distributed by satellite. An NTP server can take its reference from a GPS receiver, a telephone dial-up time service, or, of course, another NTP server over IP. NTP servers are arranged in strata according to their distance from a reference clock. The reference clock itself (an atomic clock, a GPS receiver) is Stratum 0; a server directly attached to a reference clock is Stratum 1; a server that synchronizes to a Stratum 1 server is Stratum 2; and so on. The further you are from a Stratum 0 source, the larger the disparity between the clocks on your network and UTC.

For example, a Stratum 2 device will typically be about 30 milliseconds off from UTC; devices on the local network that use it as their source will be 35 to 40 milliseconds off, and devices on the WAN 130 to 140 milliseconds off. For most organizations this level of drift is acceptable. If it is not acceptable for your organization, consider using a Stratum 1 server, which roughly halves the drift, or, if it is practical, your own Stratum 0 reference clock on the LAN, which brings network drift down to approximately 5 to 7 milliseconds.

Before setting NTP up on the router, you will first need an NTP server on your network. There are many public NTP servers available, but NTP packets are neither encrypted nor authenticated by default, so taking time from across the WAN leaves you open to anyone who can forge the server's replies. If you can justify the cost, your own reference clock (a GPS-disciplined clock or an atomic clock) is the best solution. If you must use a public server, pick one that supports authenticated (keyed) updates. Designate a single server on your LAN as the NTP server; all other machines, routers included, get their time from that machine. Setting up NTP on a server is discussed in greater detail in Chapter 11.

On your routers, the NTP server should be reached through one internal interface only. Unless the router itself is meant to serve time, NTP should be disabled on all public interfaces and on all but one internal interface. Some vendors enable NTP on their routers by default as a convenience to their customers. This is generally not recommended: it adds unnecessary load, and an NTP service exposed to the Internet is one more thing an attacker can probe or use to crash the router.

Traditionally, NTP has run as a clear-text, unauthenticated service. The problem is that this makes it susceptible to spoofing: an attacker who can answer in place of your time server can shift the clock on a network device and render its logs useless as evidence.

NTP Version 3 supports authentication, not encryption: a message digest (MD5 in practice) computed over each packet with a shared secret key, which has to be configured on both the client and the server. If NTP traffic is restricted to the LAN, combining access lists on the server with keyed authentication between client and server provides a sufficient level of assurance that your logged data has kept its integrity. As network attacks have become more common, and the integrity of log files from those attacks has become critical, the Version 3 scheme has been judged inadequate. NTP Version 4, since published as RFC 5905, addresses these issues and adds the Autokey public-key scheme (RFC 5906) for more robust security.
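An added example, not from the book, of the NTP configuration this section recommends on a Cisco router running IOS: one authenticated internal server, no time served to anyone else, and no NTP at all on the outside interface. The server address, key number, key string and interface names are assumed.

```cisco
! Added example, not from the book. Server address, key id, key string
! and interface names are assumed.
!
! Log in UTC with millisecond stamps so entries from every device line up.
clock timezone UTC 0
service timestamps log datetime msec show-timezone
service timestamps debug datetime msec show-timezone
!
! Symmetric-key (MD5) authentication per RFC 1305: the router only accepts
! time from packets carrying a digest computed with a trusted key.
ntp authenticate
ntp authentication-key 1 md5 ChangeThisKeyString
ntp trusted-key 1
!
! One internal server, queried with key 1 from the inside address.
ntp server 192.0.2.10 key 1 source FastEthernet0/0 prefer
!
! Only that server may exchange time with this router. Once any
! ntp access-group is configured, sources that match none are refused,
! so nobody else can query this router for time either.
access-list 20 permit host 192.0.2.10
ntp access-group peer 20
!
! No NTP at all on the provider-facing interface.
interface Serial0/0
 ntp disable
!
! Check afterwards from exec mode: "show ntp associations" should flag the
! server with "*" once synchronized, and "show ntp status" should report
! "Clock is synchronized".
```

The same key number and key string have to be configured on the server side (Chapter 11), and the key string is stored in the router configuration, so treat the configuration as a secret and use a different key per site. Until the association shows as synchronized, log timestamps from this router are not comparable with anyone else's.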

   


The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Author: Allan Liska