Securing the Enterprise
The enterprise infrastructure is exposed to many different security threats (discussed earlier) from any number of intruders. The solution to the infrastructure security problem is to securely configure the components of the network against known vulnerabilities, in accordance with the network security policy. Most network security vulnerabilities are well known, and the measures used to counteract them are examined in detail throughout this chapter.
Physical and Logical Security
Physical and logical security include the following:
Securing console access
Securing Telnet access
Setting privilege levels
Disabling password recovery
Configuring password encryption
Setting banner messages
Securing Console Access
It’s important to put the proper physical security mechanisms in place. If they are not, an intruder can bypass every logical security mechanism simply by reaching the device. An intruder who gains access to the administrative interface of a router can view and change the device’s configuration and use the router as a stepping stone to other networking equipment. The first thing you should do to thwart intruders is to set a console password: an intruder who already has physical access to the device will try the console port first. Set an idle timeout (exec-timeout) on the line as well, so that an unattended console session cannot be picked up by whoever walks up to the rack next. The console port supports many different methods for authenticating a user and allowing access, some of which are listed here:
Local user database
Securing Telnet Access
Telnet is a protocol that allows a user to establish a remote terminal connection to a device. Once connected, you are presented with the same prompt you would see if you were directly connected to the console port. The Telnet ports on a router are referred to as virtual terminal (vty) lines. Telnet access is no different from a console connection in what it permits, so the same logical security mechanisms should be in place to ensure that only authorized personnel are allowed Telnet access. Be aware that Telnet carries the login exchange, and everything typed afterward, in clear text: anyone who can capture traffic between the administrator and the router can read the password. Where the device supports it, use SSH instead and disable Telnet on the vty lines; in either case, restrict the vty lines to known management addresses with an access class. Virtual terminal lines support many different methods for authenticating a user and allowing access. Some of the methods are included in the following list:
Local user database
Setting Privilege Levels
Privilege levels associate router commands with a security level, allowing finer-grained control when restricting user access. There are 16 privilege levels (0 through 15) in the router operating system. Three are predefined: level 0 contains only the disable, enable, exit, help, and logout commands; level 1 is the default user EXEC level; and level 15 is privileged EXEC, with access to every command. Levels 2 through 14 are customizable and allow you to configure multiple privilege levels and multiple passwords so that particular users have access to specific commands. Keep in mind that a command moved down to a lower level becomes available to everyone at or above that level, and that granting a customized level entry into configuration mode largely defeats the purpose; customized levels are best limited to show and operational commands.
Disabling Password Recovery
Setting passwords is the first line of defense against intruders. Sometimes passwords are forgotten and must be recovered. All Cisco password recovery procedures require that the recovery be performed from the console port of the router or switch, which is exactly why physical access to the device is so sensitive. There are, however, circumstances in which the widely available password recovery procedure should be disabled (no service password-recovery). Understand the trade-off before doing so: once recovery is disabled, a lost password can no longer be recovered while preserving the configuration, and on most platforms the only way back into the device is to erase the configuration and rebuild it. One such circumstance is an emergency Add, Move, or Change (AMC), whereby a networking device needs to be placed in a location that does not have the proper mechanisms in place for physical security, thus allowing an intruder a greater chance of circumventing traditional security
Configuring Password Encryption
By default, all console and Telnet (line) passwords configured on a Cisco router are stored in plain text within the configuration, making them easily readable. If someone issues the show running-config privileged mode command, the password is displayed. Another instance in which the password can easily be read is when you store your configurations on a TFTP server: the intruder only needs to gain access to the TFTP machine, after which the configuration can be read with a simple text editor (TFTP itself has no authentication and transfers the file in the clear). Password encryption (service password-encryption) stores these passwords in an encrypted form in the configuration and is applied to all passwords configured on the router. Understand what it does and does not buy you: the scheme it applies (type 7) is a reversible obfuscation with a fixed key, and freely available tools turn a type 7 string back into the original password instantly. It protects against someone glancing at a displayed or printed configuration, not against anyone who obtains a copy of it. The enable secret command, by contrast, stores a one-way hash (type 5 MD5, or the stronger type 8 and type 9 hashes on newer releases), and the username name secret form does the same for local user accounts; prefer these wherever the platform offers them.
Setting Banner Messages
You can use banner messages to issue statements to users indicating who is and who is not allowed access to the router. Banner messages should convey the seriousness of an attempt to gain unauthorized access to the device and should never suggest that gaining unauthorized access is acceptable; in particular, avoid the word "welcome", and avoid disclosing the device’s role, location, owner contacts, or software version, which only helps an intruder. If possible, cite the civil and federal laws that apply to unauthorized access and state the penalties for accessing the device without express written permission. If possible, have certified legal experts within the company review the banner message. Use a login banner, which is displayed before the password prompt, rather than only a message-of-the-day or EXEC banner, so that the warning is seen before any authentication attempt is made.
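The six measures above come together in a single device configuration. The following is an added example of a console, vty, privilege-level, password and banner hardening baseline for a Cisco IOS router; it is not a configuration from the original text. The host name, domain, user names, passwords, the privilege-5 command set, the banner wording, and the 192.168.100.0/24 management subnet are assumed placeholders, and the SSH commands assume an IOS image with the crypto feature set.

```cisco
! Added example, not from the original text. Names, passwords and the
! 192.168.100.0/24 management network are assumed placeholders.
hostname edge-rtr1
ip domain-name example.net
!
! One-way hashes for the enable password and local accounts. Do not use
! "enable password": at best it yields a reversible type 7 string.
enable secret Str0ng-Enabl3-Pa55-Ch4nge-Me
enable secret level 5 0p3rat0r-Enabl3-Pa55-Ch4nge-Me
username netadmin privilege 15 secret Adm1n-Pa55-Ch4nge-Me
username helpdesk privilege 5 secret H3lpd3sk-Pa55-Ch4nge-Me
!
! Custom privilege level 5: operational show commands only, no config mode.
! Verify as the helpdesk user with "show privilege" and "show ip route".
privilege exec level 5 show interfaces
privilege exec level 5 show ip route
privilege exec level 5 show logging
privilege exec level 5 clear counters
!
! Obfuscate whatever remains in clear text (line passwords, keys) as
! type 7. This hides them from shoulder-surfing only; it is reversible.
service password-encryption
!
! Slow down password guessing on the console and vty lines:
! after 3 failures within 60 seconds, refuse logins for 120 seconds.
login block-for 120 attempts 3 within 60
login on-failure log
!
! Console: local user database, five-minute idle timeout.
line console 0
 login local
 exec-timeout 5 0
 logging synchronous
!
! Auxiliary port: nothing is attached, so disable it entirely.
line aux 0
 no exec
 transport input none
!
! Virtual terminals: SSH only, local users, management ACL.
! "crypto key generate rsa" is run once; the key pair is kept in NVRAM,
! not in the configuration. Use "transport input telnet ssh" only where
! an SSH client truly cannot be used; Telnet sends passwords in the clear.
crypto key generate rsa modulus 2048
ip ssh version 2
access-list 10 remark Management stations permitted on the vty lines
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 5 0
!
! Login banner: shown before the password prompt. State that access is
! restricted, never "welcome", and have legal review the wording.
banner login %
*** AUTHORIZED ACCESS ONLY ***
This device is the property of Example Corp. Access is restricted to
personnel with express written authorization. All activity is monitored
and logged. Unauthorized access or use is prohibited and may be
prosecuted under applicable state and federal law.
%
!
! Only for devices that must sit where physical security is weak.
! Once set, the ROMMON/confreg recovery procedure no longer works, and a
! forgotten password means erasing the configuration to regain access.
no service password-recovery
```

Check the result with show running-config: the line and enable passwords should appear as type 5 (or 8/9) secrets, nothing should appear as a bare password, and show privilege as the helpdesk user should report level 5.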
The Simple Network Management Protocol (SNMP) is an application-layer protocol that facilitates the exchange of management information between network devices. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. An SNMP network consists of three key components: managed devices, agents, and network-management systems (NMSs). A managed device is a network node that contains an SNMP agent and resides on a managed network. Managed devices collect and store management information and make this information available to NMSs by means of SNMP. Managed devices can be routers, access servers, switches, computer hosts, or printers. An agent is a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP. An NMS executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management. An SNMP managed device has various access levels. These are as follows:
Read-only—Allows read access to the Management Information Base (MIB) on the managed device
Read/write—Allows read and write access to the MIB on the managed device
Write-only—Allows write access to the MIB on the managed device
Routers can send notifications to NMS machines when a particular event occurs. The SNMP notifications can be sent as a trap or inform request. Traps are unreliable because the receiver does not send an acknowledgment that it received a trap. However, an NMS machine that receives an inform request acknowledges the message with an SNMP response. If the NMS does not receive an inform request, it does not send a response. If the sender never receives a response, the inform request can be sent again. Thus, informs are more reliable.
Cisco IOS software supports the following versions of SNMP: SNMPv1, SNMPv2c, and SNMPv3.
Both SNMPv1 and SNMPv2c use a community-based form of security. The group of managers able to access the agent is defined by an access list and a password (the community string). The community string is the only credential, and it travels in clear text in every SNMP packet, so anyone who can capture traffic between the NMS and the agent, or who guesses a default string such as public or private, holds full access at that community’s level. A read/write community in SNMPv1 or SNMPv2c is therefore equivalent to an unencrypted administrative password for the device.
SNMPv2c support includes a bulk retrieval mechanism and more detailed error-message reporting to management stations. The bulk retrieval mechanism supports the retrieval of large quantities of information, minimizing the number of polls required. The improved error handling in SNMPv2c includes a larger number of error codes that distinguish different kinds of error conditions; error return codes in SNMPv2c report the error type.
SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. Three levels are defined: noAuthNoPriv (no authentication and no encryption, equivalent in strength to community-string access), authNoPriv (each message carries a keyed hash, so its source is authenticated and it cannot be altered in transit, but its contents are readable), and authPriv (authenticated and encrypted). The combination of a security model and a security level determines which security mechanism is employed when an SNMP packet is handled. For managing network devices, authPriv should be regarded as the baseline.
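The following added example (not a configuration from the original text) puts the weak community-based setup next to a restricted SNMPv2c fallback and the preferred SNMPv3 authPriv configuration on a Cisco IOS router. The community string, view name, group and user names, passphrases, and the 192.168.100.5 NMS address are assumed placeholders.

```cisco
! Added example, not from the original text. Names, passphrases and the
! 192.168.100.5 NMS address are assumed placeholders.
!
! --- Weak: community-based v1/v2c as commonly found. The community string
! is the only credential, crosses the wire in clear text in every packet,
! and RW lets anyone who learns it rewrite the configuration.
! snmp-server community public RO
! snmp-server community private RW
!
! --- If v2c must remain for a legacy poller: long random string, read-only,
! bound to an ACL and to a view that exposes only the needed MIB subtrees.
access-list 20 remark SNMP pollers permitted to query this device
access-list 20 permit 192.168.100.5
access-list 20 deny any log
snmp-server view SYSVIEW system included
snmp-server view SYSVIEW interfaces included
snmp-server community Xq7-L0ng-Rand0m-Str1ng-Ch4nge-Me view SYSVIEW RO 20
!
! --- Preferred: SNMPv3, user-based security model, "priv" level. Every
! request is authenticated (HMAC-SHA) and encrypted (AES-128), and the
! group is still limited to the same view and the same source ACL.
snmp-server group NMS-RO v3 priv read SYSVIEW access 20
snmp-server user nmspoller NMS-RO v3 auth sha Auth-Pa55phrase-Ch4nge-Me priv aes 128 Priv-Pa55phrase-Ch4nge-Me
!
! Notifications to the NMS: informs are acknowledged and retried, traps
! are not. Send them with the v3 user so they are also authenticated.
snmp-server host 192.168.100.5 informs version 3 priv nmspoller
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps config
!
! Verify with "show snmp group", "show snmp user" and "show snmp host".
! Note that "snmp-server user" does not appear in show running-config;
! the user is stored separately in NVRAM.
```

Once the poller is confirmed to work over SNMPv3, remove the v2c community line entirely; leaving both enabled means the weaker path remains available to an attacker.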
Routing Protocol Authentication
Routing protocol authentication prevents the introduction of false or unauthorized routing messages from unapproved sources. With authentication configured, the router verifies the source of each routing protocol packet it receives from its neighbors. Each router is configured with a shared authentication key or password; a received routing packet is accepted only if it was produced with the matching key, so the key or password must match between neighbors (and, for protocols that use key identifiers, so must the key ID).
There are two types of routing protocol authentication: plain text authentication and Message Digest 5 (MD5) authentication. Plain text authentication is generally not recommended because the authentication key is sent across the network in clear text, so anyone who can eavesdrop on the link learns the key and can inject routes. MD5 authentication instead computes a hash over the routing packet together with the key and sends that hash (the digest) with the packet; the key itself never crosses the wire, and because the digest covers the packet contents, a modified packet fails verification as well. Two caveats apply: the digest only proves knowledge of the shared key, so a captured packet and its digest can be attacked offline against a dictionary of weak keys (use long, random key strings), and a compromised key must be rotated on every neighbor, which is far easier when the protocol supports key chains with overlapping lifetimes.
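As an added example (not from the original text), here is MD5 authentication configured for EIGRP and for OSPF on a Cisco IOS router, including an EIGRP key chain staged for rotation. The autonomous system and process numbers, interface names, key strings, lifetimes and the 192.168.100.10 NTP server are assumed placeholders; every neighbor on a link must carry the same key ID and key string.

```cisco
! Added example, not from the original text. AS/process numbers,
! interfaces, key strings, dates and the NTP server are assumed.
!
! Key lifetimes are compared against the router clock, so keep it right.
ntp server 192.168.100.10
!
! EIGRP takes its keys from a key chain. Key 1 is current; key 2 is
! staged. Accept windows overlap so neighbors that roll a little early
! or late still authenticate; send windows do not overlap.
key chain EIGRP-KEYS
 key 1
  key-string Curr3nt-K3y-Ch4nge-Me
  accept-lifetime 00:00:00 Jan 1 2024 23:59:59 Jun 30 2024
  send-lifetime 00:00:00 Jan 1 2024 23:59:59 Jun 1 2024
 key 2
  key-string N3xt-K3y-Ch4nge-Me
  accept-lifetime 00:00:00 May 1 2024 infinite
  send-lifetime 00:00:00 Jun 2 2024 infinite
!
! Classic EIGRP offers MD5 only (no plain-text mode); bind the chain.
interface GigabitEthernet0/0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! OSPF: the key lives on the interface, and the area is told to expect
! digests. The plain-text alternative would be "ip ospf authentication-key"
! on the interface with "area 0 authentication" (no message-digest); avoid it.
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 0spf-Ar3a0-K3y-Ch4nge-Me
!
router ospf 1
 area 0 authentication message-digest
!
! Verify:
!   show ip eigrp interfaces detail   - shows the key chain on Gi0/0
!   show ip ospf interface Gi0/1      - "Message digest authentication enabled"
!   show key chain                    - which key is active for send/accept
! A mismatched OSPF key shows up in "debug ip ospf adj" as
! "Mismatch Authentication Key", and the adjacency never forms.
```

To rotate the EIGRP key later, add key 3 with a future send-lifetime and an accept-lifetime that overlaps key 2 on every neighbor, then let the lifetimes do the switch; no adjacency is reset.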
Route filtering enables the network administrator to keep tight control over route advertisements. Frequently, companies merge or form a partnership with other companies. This poses a challenge because the companies need to be interconnected yet remain under separate administrative control. Because you do not have complete control over all parts of the network, the network becomes vulnerable to malicious routing or misconfiguration on the other side. Route filters ensure that routers advertise, and accept, only legitimate networks. They work by regulating the flow of routes that are entered into or advertised out of the routing table.
Filtering the networks that are advertised out of a routing process or accepted into it increases security because, if no route is advertised to a downstream or upstream neighbor, then as far as that neighbor is concerned no route to the network exists. This keeps intruders from having logical connectivity to the target destination. It also increases network stability to a certain degree. Misconfiguration is generally the largest contributor to network instability; however, an intruder could introduce false information into routing updates that would result in the same kind of routing problems, and an inbound filter limits the damage either can do.
Suppressing Routing Advertisements
To prevent routers on a local network from learning about routes that are dynamically advertised out on the interface, you can define the interface as passive. Defining an interface as passive keeps routing update messages from being sent through a router interface, preventing other systems on the interface from learning about routes dynamically from this router. You can configure a passive interface for all IP routing protocols except Border Gateway Protocol (BGP).
In networks with large numbers of interfaces, you can set all interfaces to passive using the passive-interface default command. This feature allows the administrator to selectively determine over which interfaces the protocol needs to run. After the determination is made to allow the protocol to run on an interface, the administrator can disable the passive-interface feature on an interface-by-interface basis with the no passive-interface <interface> command.
Note Making an interface passive for the Enhanced Interior Gateway Routing Protocol (EIGRP) stops route advertisements from being sent out that interface, as it does for any other routing protocol; however, because EIGRP also suppresses its hello packets on a passive interface, no neighbor relationship forms there and the interface will not listen for route advertisements either. This differs from RIP, where a passive interface still processes the updates it receives. In both cases the network attached to the passive interface is still advertised to neighbors on the active interfaces.
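The filtering and suppression described in the last two sections, as an added example for a Cisco IOS router running EIGRP (not a configuration from the original text): a partner link that accepts only the partner’s own prefixes and advertises only what the partner is entitled to reach, with every other interface passive by default. The autonomous system number, interface names and prefixes (172.16.0.0/16 as the partner’s space, 10.10.0.0/16 as the networks we expose, 192.0.2.0/30 as the interconnect) are assumed placeholders.

```cisco
! Added example, not from the original text. AS number, interfaces and
! prefixes are assumed placeholders.
!
! Inbound from the partner: accept only their own aggregate and the more
! specific routes within it down to /24. No default route, no host routes.
! A prefix list denies anything not matched; the final deny is explicit
! only so that "show ip prefix-list" counters show what was dropped.
ip prefix-list PARTNER-IN seq 5 permit 172.16.0.0/16 le 24
ip prefix-list PARTNER-IN seq 10 deny 0.0.0.0/0 le 32
!
! Outbound to the partner: advertise exactly the networks they may reach.
ip prefix-list PARTNER-OUT seq 5 permit 10.10.0.0/16
ip prefix-list PARTNER-OUT seq 10 deny 0.0.0.0/0 le 32
!
router eigrp 100
 network 10.0.0.0
 network 192.0.2.0 0.0.0.3
 no auto-summary
 ! Everything is passive unless explicitly opened. A passive EIGRP
 ! interface sends no hellos, forms no neighbors and accepts no updates;
 ! its connected network is still advertised via the active interfaces.
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
 ! Gi0/1 is the partner link: apply the filters in both directions there.
 distribute-list prefix PARTNER-IN in GigabitEthernet0/1
 distribute-list prefix PARTNER-OUT out GigabitEthernet0/1
!
! Verify:
!   show ip protocols            - lists passive interfaces and both filters
!   show ip eigrp interfaces     - passive interfaces are absent
!   show ip eigrp neighbors      - neighbors only on Gi0/0 and Gi0/1
!   show ip route eigrp          - only 172.16.x.x/16-24 learned from Gi0/1
!   show ip prefix-list detail PARTNER-IN - hit counts on the deny entry
```

If the partner later announces a new aggregate, it is dropped silently until PARTNER-IN is updated; that is the intended failure mode, and the prefix-list hit counters make such drops visible.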