Table Of Contents
1. Introduction
   1.1. Document Purpose
   1.2. Limitations
   1.3. Exclusions
   1.4. Intended Audience
   1.5. Threats Mitigated
   1.6. Definitions
2. (subsections 2.1. to 2.6.)
3. (subsections 3.1. to 3.3.)
4. (subsections 4.1. to 4.3.)
5. Routing Protocols
   5.1. General Routing Security
   5.2. OSPF Security
   5.3. EIGRP Security
6. (subsections 6.1. to 6.5.)
7. Appendix A - Cisco Router Hardening Template
8. Appendix B - Router Hardening Checklist
9. References and Contributions
Introduction
Document Purpose
The purpose of this document is to get dirty and detail the minimum functional security requirements of internal, enterprise Layer 3 routers (not Internet routers!). This document's intention is to provide hardening guidelines for routers that exist within a trusted (tee-hee) network environment. The document provides generic guidelines for best practices and can be used or modified to best fit your corporate standards (just give us some credit in your references, ok?).
Limitations
This document addresses Layer 3 router hardening with the following limitations:
a. Provides best-practices when hardening routers situated on internal, trusted networks (I use "trusted" lightly).
b. Only provides hardening for two routing protocols, EIGRP and OSPF, as this is all I have experienced in the past. If you guys are using BGP or RIPv2 in a large corporate environment, well, this guide won't help you learn the fundamentals of network design either (LOL).
c. Provides generic hardening guidelines that can be used for most common enterprise routers such as Cisco, Nortel and Foundry (I suppose it could be applied to a computer running a router daemon too).
d. Only provides hardening scripts for Cisco IOS routers (sorry folks, I have my own limitations).
e. I know many of you who know Cisco IOS will look through the generic best-practices sections and say "what about CDP?" or "why doesn't he address hardening HSRP or enabling NetFlow?". Well, it has already been stated: this guide tries to address generic security for any router make or model. The template I've provided in the appendix is just a bonus, as I'm trying to illustrate how these generic best-practices can be applied to a Cisco router. There are a lot of other Cisco-specific features that can be used to perform some of the hardening discussed in this document.
Exclusions
This document is not intended to provide security for Internet-facing routers! Hardening guides for routers operating between un-trusted (Internet) and trusted (corporate) perimeters have already been discussed in detail with such guides as NSA Router Security Configuration Guide and the Secure IOS Template created by Rob Thomas.
Intended Audience
This guide was written for security analysts and network administrators whose day-to-day jobs include installation, configuration and maintenance of enterprise network routers. This document will supplement their skill sets and provide guidance for operational hardening of existing network router configurations (I hope).
Threats Mitigated
The routers within enterprise networks provide critical point-to-point connectivity with key business sites and route inter-VLAN traffic across the corporate backbone. This hardening guide refers to router interfaces that reside safely within a trusted or semi-trusted corporate network. Therefore, these best-practices address the following:
- Trust-based attacks from within the network
- Integrity of routing protocols
- DoS or DDoS traffic management and exposure
- Secure management of devices
NOTE: I use the term "trusted network" in this document as a metaphor to express a security control point and not the literal state of the corporation's security threat model. The trusted network usually refers to that which is governed and enforced by a corporate security policy and administered by trust-worthy individuals (I hope).
Definitions
AAA: Authentication, Authorization and Accounting
ACL: Access Control List
ARP: Address Resolution Protocol
Bogon Addresses: The areas of reserved or unallocated Internet Assigned Numbers Authority (IANA) IP address space. The word "Bogon" originates as hacker jargon for addresses that are considered the quantum of "bogosity".
CAR: Committed Access Rate, used by Cisco as a QoS mechanism
DDoS: Distributed Denial of Service
DoS: Denial of Service
EIGRP: Routing Protocol - Enhanced Interior Gateway Routing Protocol
ICMP: Internet Control Message Protocol
IEEE: Institute of Electrical and Electronics Engineers
LAN: Local Area Network
MAC: Media Access Control
NTP: Network Time Protocol
OSPF: Routing Protocol - Open Shortest Path First
QoS: Quality of Service
SNMP: Simple Network Management Protocol
SSH: Secure Shell
TACACS+: Terminal Access Control Access Control System
TCP: Transport Control Protocol
UDP: User Datagram Protocol
VPN: Virtual Private Network
WAN: Wide Area Network
Layer 3: Referring to Layer 3 of the OSI model (Network), which handles routing, forwarding, addressing, error handling, congestion control and sequencing
Routing Protocol: Software that is used to move data across two or more networks after determining the best path
Routed Protocol: Data that can effectively be transmitted across routers on a data network (IP, SNMP, RPC, etc.)
HSRP: Hot-Standby Routing Protocol - Cisco proprietary HA solution which minimizes single points of failure with static default gateways, routers only
VRRP: Virtual Redundancy Routing Protocol - RFC 3768, generic HA solution which minimizes single points of failure with static default gateways and serves more than just routers
In-Band: Usually refers to administration using a Telnet or SSH console over the LAN the device is connected to, as opposed to out-of-band via console access
Sinkhole Routing: Allows administrators to forward all malicious traffic to a single host for examination
Black-hole Routing: Allows administrators to forward all malicious traffic to a NULL IP address or drop the traffic
a. Inform users that access to the device is restricted to authorized personnel, and,
b. Deter potential intruders by providing legal notice of prosecution resulting from unauthorized access, and,
c. Must not reveal the company name or the type of device hosting the banner message.
NOTE: A banner for network routers should be approved by your corporate Legal Department so you don't say anything that the legal beagles take offense to or that jeopardizes the corporate brand.
Example:
WARNING: To protect the system from unauthorized use and to ensure that the system is functioning properly, activities on this system are monitored and recorded and subject to audit. Use of this system is expressed consent to such monitoring and recording. Any unauthorized access or use of this Automated Information System is prohibited and could be subject to criminal and civil penalties.
a. Router console ports should be configured to authenticate connections using an AAA authentication scheme such as TACACS (RFC 1942). This ensures that all users' passwords are kept on a central UNIX AAA server in an encrypted, non-reversible format and that all access to the router is audited by AAA.
b. Router console ports should be configured with a fall-back method to authenticate connections using a local password in the event that the AAA authentication scheme is unavailable. This should never be used as the primary means, as some vendors' local passwords are reversible and can be cracked (think Cisco!).
c. Router console ports should be configured to log out connected sessions automatically after five (5) minutes of inactivity. This mitigates the threat of an administrator leaving their workstation unlocked with an established console connection to a router, which could invite bad guys.
d. Router console ports should not be configured to permit any inbound transport protocols such as telnet, reverse-telnet, rlogin or SSH (since out-of-band won't be used anyway).
e. Router console ports should be configured to disable modem support or other out-of-band equipment unless permitted explicitly in a corporate security policy. War-dialing could expose the equipment to outside attackers arbitrarily calling a block of phone numbers.
Network Interfaces
All router network interfaces should be shut down and should not be configured with an IP address if not operationally in use. This mitigates the threat of internal users connecting anything to the network and causing an unintentional denial of service through such things as secondary VRRP or HSRP flapping, layer 2 spanning-tree loops, etc.
a. Router auxiliary ports should be configured to log out connected sessions immediately, as the port is not to be used. If some transport such as Telnet was enabled on the AUX port accidentally, this extra measure would log out any attempt to connect to the port immediately.
b. Router auxiliary ports should not be configured to permit any inbound transport protocols such as telnet, reverse-telnet, rlogin or SSH.
c. Router auxiliary ports should be configured to restrict users from executing any router privileged commands. Again, if the two previous conditions were to be overridden for any reason, this is yet another safeguard to ensure a user session could not do anything malicious.
d. Router auxiliary ports should be configured to disable modem support or other out-of-band equipment unless permitted explicitly in a corporate security policy. War-dialing could expose the equipment to outside attackers arbitrarily calling a block of phone numbers.
a. Router management ports should be configured to authenticate connections using an AAA authentication scheme such as TACACS (RFC 1942). This ensures that all users' passwords are kept on a central UNIX AAA server in an encrypted, non-reversible format and that all access to the router is audited by AAA.
b. Router management ports should be configured to use a fall-back method to authenticate connections using a local password in the event that the AAA authentication scheme is unavailable. This should never be used as the primary means, as some vendors' local passwords are reversible and can be cracked (think Cisco!).
c. Router management ports should be configured to log out connected sessions automatically after five (5) minutes of inactivity. This mitigates the threat of an administrator leaving their workstation unlocked with an established connection to a router, which could invite bad guys.
d. Router management ports should not be configured to permit any outbound transport protocols such as telnet, reverse-telnet, rlogin or SSH. This reduces the risk of router-hopping or connecting from the router to other UNIX systems.
e. Router management ports should be configured to only permit SSH v2 as the preferred inbound transport protocol.
f. Router management ports should be configured to bind the outbound SSH, Telnet and TFTP services to the primary loopback interface of the router. This is especially useful in identifying the router that the connection was made from, as the loopback address is usually what is configured in DNS as the management address of the router.
g. Router management ports should be configured to drop unauthorized connections to the SSH service using an access control list (ACL), permitting only network management servers to connect and no other network equipment or workstations. Hopping from one device to another should not be permitted.
h. All access attempts (permitted or failed) to the router in-band management ports should be logged via the access control list (ACL).
i. Router management ports should be configured to detect and drop any orphaned (broken) TCP connections to the management interface that have accidentally been left idle. This will free up the ports to be used by other management connections.
a. Routers should be configured to authenticate users using an AAA authentication scheme such as RADIUS or TACACS before any administrative access is granted.
b. Routers should be configured to allow only one local login account (line passwords or local user database) in the event that AAA is unavailable. However, this should not be the primary or only authentication scheme on any production router.
c. All local passwords or user database passwords should be encrypted using an MD5 hashing algorithm.
d. All local passwords should be a minimum of eight characters long, with a combination of six (6) alphabet characters and a minimum of two (2) numbers.
e. All local passwords should be changed every four months or when any employee or contractor with knowledge of the passwords leaves the organization.
f. Network Management should assign user accounts with the lowest privilege level that allows router administrators to perform their duties (i.e. analyst vs. operator).
g. Routers should require user authentication to connect to the router but require further authentication to execute any privileged commands or view the configuration.
h. Any password used locally on any router should not be the same as any SNMP community string or any other shared secret. This means, if you use b0bbyj03 for the local password, don't use b0bbyj03 for the SNMP write string and b0bbyj03 for the TACACS shared secret (obvious, I know, but I have to say it).
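As an added example (not part of the original guide), here is a small Python check for rules d and h above: it tests a secret against the eight-character, six-letter, two-digit rule and scans an IOS configuration excerpt for the same clear-text value reused as enable secret, line password, SNMP community, TACACS key or routing key-string. The command forms it matches and the configuration excerpt are assumptions constructed for the example.

```python
"""Check local router passwords and shared secrets against rules d and h above.
Added example, not part of the guide; the config excerpt is constructed."""
import re


def meets_policy(secret):
    """Rule d: at least 8 characters, of which at least 6 letters and 2 digits."""
    letters = sum(ch.isalpha() for ch in secret)
    digits = sum(ch.isdigit() for ch in secret)
    return len(secret) >= 8 and letters >= 6 and digits >= 2


# Places a clear-text shared secret can appear in an IOS configuration (assumed
# command forms).  Only clear-text forms match: a hashed "enable secret 5 $1$..."
# or a type-7 "password 7 ..." carries an extra token and is skipped, since its
# value cannot be compared with the other secrets anyway.
SECRET_PATTERNS = [
    ("enable secret", re.compile(r"^enable secret (?:0 )?(\S+)$")),
    ("line password", re.compile(r"^\s+password (?:0 )?(\S+)$")),
    ("snmp community", re.compile(r"^snmp-server community (\S+)")),
    ("tacacs key", re.compile(r"^tacacs-server key (?:0 )?(\S+)$")),
    ("routing key", re.compile(r"^\s+key-string (?:0 )?(\S+)$")),
]


def extract_secrets(config_text):
    """Return [(role, secret)] for every clear-text secret found, in file order."""
    found = []
    for line in config_text.splitlines():
        for role, pattern in SECRET_PATTERNS:
            match = pattern.match(line.rstrip())
            if match:
                found.append((role, match.group(1)))
    return found


def check_secrets(config_text):
    """Return findings: one per weak value (rule d) and one per value shared
    between roles (rule h).  An empty list means both rules hold."""
    roles_by_value = {}
    for role, value in extract_secrets(config_text):
        roles_by_value.setdefault(value, []).append(role)
    findings = []
    for value, roles in roles_by_value.items():
        if not meets_policy(value):
            findings.append(f"weak secret '{value}' ({', '.join(roles)})")
        if len(roles) > 1:
            findings.append(f"'{value}' reused for: {', '.join(roles)}")
    return findings


# Constructed excerpt that reuses the guide's own b0bbyj03 example everywhere.
SAMPLE_CONFIG = """\
enable secret b0bbyj03
tacacs-server key b0bbyj03
snmp-server community b0bbyj03 RW 10
snmp-server community readonly RO 10
line con 0
 password cisco
 login authentication default
key chain EIGRP-KEYS
 key 1
  key-string b0bbyj03
"""

if __name__ == "__main__":
    for finding in check_secrets(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports four findings: b0bbyj03 is reused across four roles and is also weak (eight characters and three digits, but only five letters), the read-only community "readonly" has no digits, and the console line password "cisco" is too short. Point it at a saved running-config after a vendor default has been reset to see whether the same value crept into more than one role.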
a. HTTP (TCP 80) services should be disabled on any network router as it is an operational risk. If it is to be used for configuration, use an ACL to limit who can access the service and disable the service once the router is in full production.
b. Finger (TCP 79) services should be disabled on any network router. It can be used to gather detailed information about the users that are logged into the system.
c. *Bootps (TCP 67) services should be disabled on any network router.
d. *Echo (TCP 7) services should be disabled on any network router.
e. *Chargen (TCP 19) services should be disabled on any network router.
f. *Discard (TCP 9) services should be disabled on any network router.
a. *Echo (UDP 7) services should be disabled on any network router.
b. *Chargen (UDP 19) services should be disabled on any network router.
c. *Discard (UDP 9) services should be disabled on any network router.
* Any service lower than UDP port 20 is referred to as UDP small services and should be disabled, as they could be used effectively to carry out denial of service attacks.
IP Services Configuration
All network routers should adhere to the following standards regarding IP services:
a. IP Source Routing should be disabled on any interface on any network router. This is an option in the IP header whereby an attacker could define his or her own source route and the router will forward the packet to the given destination. This is used by IP spoofing attacks.
b. Proxy ARP should be disabled on any interface on any network router. Relying on the router to provide MAC addresses and subsequent routing to hosts without routing capabilities will result in a large MAC address table on the router, which could hinder performance.
c. IP Directed Broadcast should be disabled on any interface on any network router to mitigate the threat of SMURF attacks.
d. IP Unreachable Notifications should be rate limited on any network router to only one unreachable notification per host every 500 ms.
e. ICMP Mask Replies to host IP Mask Requests should be disabled on any interface on any network router to mitigate reconnaissance sweeps of the network.
f. ICMP Redirect messages should be disabled on any interface on any network router to mitigate system access attempts into corporate demarcations protected by ACLs.
a. All access control lists permitting connections to the router for management purposes should end with an implicit deny statement.
b. All access control lists permitting connections to the router for management purposes should be configured to log any connection attempt, whether permitted or rejected by the ACL.
c. All remote in-band management connections to the router should be restricted by a standard access control list which only permits network management hosts to connect.
d. All SNMP private and public queries against the router should be restricted by a standard access control list which only permits network management hosts to connect.
a. Access control lists should be used to route any malicious corporate traffic, such as connections to RFC 1918 addresses that don't exist or any of the IANA bogon addresses, to a black-hole or sinkhole.
b. Necessary ingress access controls should be applied to each network interface, only allowing the local network to access beyond the router interface, to mitigate spoofed addresses entering the corporate LAN/WAN.
a. Network bandwidth used by management traffic to manage, monitor or report on the network should have priority over any other traffic on the network.
b. IP Unreachable Notifications should be rate limited on any network router to only one unreachable notification per host every 500 ms.
Routing Protocols
General Routing Security
All network routers should adhere to the following minimum standards regarding general routing protocol security:
a. The enterprise routing infrastructure should not extend beyond any of the enterprise perimeters. All autonomous interior gateway routing zones should remain internal to the enterprise network.
b. The enterprise routing infrastructure should not be redistributed with any un-trusted networks such as third-parties, vendors or partners.
c. Routers on the network perimeter should use static routes with redistribution into the enterprise network on trusted interfaces only.
d. All IGP routing protocols chosen for the enterprise network routers should support a keyed MD5 algorithm for cryptographic authentication. The routing protocol should use a shared secret and the routing update information to create the hash.
OSPF Security
All network routers should adhere to the following minimum standards regarding OSPF routing traffic:
a. The OSPF routing infrastructure should operate in directed mode with explicitly defined peers and should not operate in broadcast mode. This way all OSPF routers will need to be explicitly configured to talk to OSPF neighbors. Directed mode aids in avoiding misconfiguration.
b. The OSPF routing infrastructure should be configured to authenticate routing updates between peers using an MD5 password key to mitigate routing updates from un-trusted routers.
EIGRP Security
All network routers should adhere to the following minimum standards regarding EIGRP routing traffic:
a. Access control lists should be used in conjunction with EIGRP routing to only permit routing advertisements from trusted unicast host IP addresses on appropriate interfaces.
b. The EIGRP routing infrastructure should be configured to authenticate routing updates between peers using an MD5 password key.
a. Local system logging should be configured on every network router with a minimum historical buffer of one (1) business day. In the event that the router stops communicating with the central Syslog, a local buffer of a day will assist in troubleshooting.
b. Time-stamped system log messages should be configured on every network router with the correct date and time.
c. Syslog logging should be configured on every network router, sending live logging events to a minimum of two network management servers for diversity.
d. Syslog logging should be configured to bind each router's Syslog client to the local loopback address of the router.
e. SNMP trap logging should be configured on every network router, sending trap events to a minimum of two network management servers for diversity.
f. SNMP logging should be configured to bind each router's SNMP client to the local loopback address of the router.
g. Router core dump files should be sent to a management server when the router crashes (if possible).
Time Synchronization
All network routers should adhere to the following minimum standards regarding time synchronization:
a. NTP time synchronization should be configured on every network router, using primary and secondary trusted NTP servers.
b. NTP time synchronization should be configured to originate from the router's loopback interface on every network router.
c. NTP time synchronization should be configured for client-mode synchronization on every network router, initiating an NTP call to stratum 1 or 2 servers on the network.
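The following Python script, added here as an example and not part of the guide or its Cisco template, audits a saved IOS running-config against several of the items above in one pass: the small-services, finger, HTTP and bootp items; the per-interface IP-service items (proxy ARP, directed broadcast, redirects, mask replies) plus global source routing and unreachable rate limiting; the rule that unused interfaces are shut down; the in-band management requirements on the vty lines (5-minute exec-timeout, SSH-only inbound transport, an inbound access-class); and the logging and NTP items (timestamps, two servers each, both sourced from the loopback). The IOS command forms, the loopback name Loopback0 and the sample configuration are assumptions of the example. One caveat worth knowing: show running-config omits commands that match the platform default, so a check for an explicit "no ..." line is conservative and may flag a router that is already at the safe default on that feature.

```python
"""Audit a Cisco IOS running-config against the management-port, service,
IP-service, logging and NTP items of this guide.  Added example, not the
guide's own code; the config text at the bottom is constructed."""
import re

# Global commands expected verbatim.  IOS command syntax and the loopback
# name "Loopback0" are assumptions of this example.
REQUIRED_GLOBAL = [
    "no ip source-route", "no service tcp-small-servers", "no service udp-small-servers",
    "no ip finger", "no ip http server", "no ip bootp server",
    "ip icmp rate-limit unreachable 500", "service timestamps log datetime msec",
    "logging source-interface Loopback0", "ntp source Loopback0",
]
# Expected on every live, non-loopback interface that carries an address.
REQUIRED_PER_INTERFACE = ["no ip proxy-arp", "no ip directed-broadcast",
                          "no ip redirects", "no ip mask-reply"]
# Expected in every "line vty" stanza (in-band management).
REQUIRED_PER_VTY = ["exec-timeout 5 0", "transport input ssh"]


def parse_config(text):
    """Split IOS text into (global_lines, {stanza_header: [sub_lines]})."""
    global_lines, stanzas, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):    # blank or comment
            continue
        if line.startswith(" "):                         # indented sub-command
            if current is not None:
                stanzas[current].append(line.strip())
            continue
        current = None
        if re.match(r"interface |line vty", line):       # stanzas we audit
            current = line
            stanzas[current] = []
        else:
            global_lines.append(line)
    return global_lines, stanzas


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, stanzas = parse_config(text)
    findings = [f"global: missing '{c}'" for c in REQUIRED_GLOBAL if c not in global_lines]
    # Syslog and NTP each need at least two servers for diversity.
    syslog = [l for l in global_lines if re.match(r"logging (host )?\d", l)]
    ntp = [l for l in global_lines if l.startswith("ntp server ")]
    for what, found in (("syslog", syslog), ("NTP", ntp)):
        if len(found) < 2:
            findings.append(f"global: {len(found)} {what} server(s) configured, need 2")
    for header, lines in stanzas.items():
        if header.startswith("line vty"):
            findings += [f"{header}: missing '{c}'" for c in REQUIRED_PER_VTY if c not in lines]
            if not any(l.startswith("access-class ") and l.endswith(" in") for l in lines):
                findings.append(f"{header}: no inbound access-class limiting management hosts")
            continue
        name = header.split(" ", 1)[1]
        if "shutdown" in lines:
            continue                                     # administratively down
        if not any(l.startswith("ip address ") for l in lines):
            findings.append(f"{name}: unused interface not shut down")
            continue
        if name.lower().startswith("loopback"):
            continue                                     # no hosts behind a loopback
        findings += [f"{name}: missing '{c}'" for c in REQUIRED_PER_INTERFACE if c not in lines]
    return findings


# Constructed sample: a partly hardened router with several gaps.
SAMPLE_CONFIG = """\
service timestamps log datetime msec
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip http server
no ip bootp server
ip icmp rate-limit unreachable 500
logging source-interface Loopback0
logging 192.0.2.10
logging host 192.0.2.11
ntp source Loopback0
ntp server 192.0.2.20
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no ip proxy-arp
interface Serial0/1
 no ip address
line vty 0 4
 access-class 5 in
 exec-timeout 5 0
 transport input telnet ssh
"""
```

Calling audit(SAMPLE_CONFIG) returns six findings: only one NTP server, three missing per-interface commands on FastEthernet0/0, an unused Serial0/1 that is not shut down, and a vty line that still accepts telnet. Extending it to the SNMP community and aux-port items is a matter of adding the corresponding command strings to the lists at the top.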
Network Monitoring
All network routers should adhere to the following minimum standards regarding network monitoring:
a. SNMP v2 or greater should be used on all network routers for management purposes.
b. SNMP Public and Private Community password strings should be a minimum of eight characters long, with a combination of six (6) alphabet characters and a minimum of two (2) numbers.
c. SNMP Public and Private Community password strings should be changed on a quarterly basis on all routers or when a network administrator leaves the organization.
d. The SNMP Public Community string configured on all network routers should be uniquely different from the SNMP Private Community string and vice-versa.
e. All SNMP private and public queries against the router should be restricted by a standard access control list which only permits network management hosts to connect.
a. Router software should be updated periodically to ensure system stability and mitigate known bugs that may compromise enterprise network availability.
b. Router software should be updated when any security advisory identifies vulnerabilities which affect the current version of router software.
c. When router software security advisories are released to the public, network administrators should provide the Security team with a list of vulnerable routers that are affected within 24 hours preceding the advisory, with dates and times that the vulnerable routers will be remediated.
d. The Security team should be informed of any workarounds that will be deployed in place of a software upgrade suggested by software advisories. This notification to Security should be complete with the expected expiry of the workaround and a timeline for the deployment of replacement router software.
e. Router software should be updated from a central network management repository, having been tested on a lab router prior to deployment.
f. Network administrators should have written procedures for successfully upgrading and verifying router software.
a. Router configuration changes should be endorsed through appropriate change management procedures and approvals. No changes are to be made on any production enterprise router without a change control ticket.
b. Router configuration changes should be written into a text file and approved by an operations manager before being input on a live production system. A second set of eyes can always find something that one analyst may have missed.
c. All router configurations should be backed up on a daily basis to a central repository server. This ensures that if a router is compromised or melts under an attack, you can easily restore the configuration on a replacement.
d. Network administrators should have written procedures and templates for successfully configuring enterprise network routers, with a little justification for each feature that is enabled under particular configurations and even documented exceptions for the routers that don't follow the standard template.
Appendix A - Cisco Router Hardening Template
 access-class 5 in
! LINE PASSWORD AUTHENTICATION
 password <password - 8+ chars, 2 numbers>
! AAA SERVER AUTHENTICATION
 login authentication <group-password>
! RESTRICT INBOUND/OUTBOUND COMMUNICATIONS TO SSH
crypto key generate rsa
The name for the keys will be: Router.dod.mil
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 2048
Generating RSA Keys ... [OK]
ip ssh time-out 90
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh
 transport output telnet ssh
! LOGOUT CONNECTION AFTER 5 MINS. OF INACTIVITY
 exec-timeout 5 0
! CONFIGURATION FOR USER AUTHENTICATION AND AUTHORIZATION
config t
! SET LOCAL PASSWORD FOR EXECUTING COMMANDS
enable secret <password - 8+ chars, 2 numbers>
! ENCRYPT LOCAL LINE PASSWORDS USING MD5 HASH
service password-encryption
! REQUIRED COMMANDS TO ENABLE AAA
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login <group-password> group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host <TACACS SERVER 1>
tacacs-server host <TACACS SERVER 2>
tacacs-server key <tacacs password>
! ENCRYPT LOCAL LINE PASSWORDS USING MD5 HASH
service password-encryption
area 0 authentication message-digest
area 1 authentication message-digest
area 2 authentication message-digest
! THE SAME MUST BE CONFIGURED ON ALL PEERS
! EIGRP SECURITY
config t
no access-list 104
access-list 104 permit eigrp host <remote peer router 1> <local router>
access-list 104 permit eigrp host <remote peer router 2> <local router>
access-list 104 deny eigrp any any log-input
access-list 104 permit ip any any
no access-list 105
access-list 105 deny eigrp any any log-input
access-list 105 permit ip any any
! APPLY TO TRUSTED ROUTING INTERFACES
interface eth 0/1
 ip access-group 104 in
! APPLY TO UN-TRUSTED ROUTING INTERFACES
interface serial 0/1
 ip access-group 105 in
! CONFIGURE EIGRP AUTHENTICATION
 ip authentication mode eigrp <process #> md5
 ip authentication key-chain eigrp <process #> <key name>
key chain <key name>
 key 1
  key-string <secret-key>
  send-lifetime 00:00:00 Oct 1 2002 00:00:00 Jan 1 2003
  accept-lifetime 00:00:00 Oct 1 2002 00:00:00 Jan 7 2003
! CONFIGURE DIFFERENT EIGRP AUTHENTICATION KEY NAMES ON EACH ROUTER
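As an added example, not from the guide or its template, the Python below parses a key chain like the one in the template and checks two things a practitioner wants to know before and during a key rollover: that each key's accept-lifetime covers its send-lifetime at both ends (the template's accept window, which outlives the send window by six days, is the right shape; a peer with the same chain would reject updates sent under a key it does not yet accept), and which lifetimes have already passed relative to a given date, so an expired chain is noticed before adjacencies drop. The IOS lifetime syntax it parses and the sample chain, which adds a second rollover key with a deliberately late accept window, are assumptions of the example.

```python
"""Check the key-chain lifetimes used for EIGRP (and RIP) MD5 authentication.
Added example, not from the guide: each key's accept-lifetime must cover its
send-lifetime at both ends, and lifetimes that have passed are flagged.  The
sample chain is constructed around the dates in the template above."""
import re
from datetime import datetime, timedelta

# Assumed IOS syntax: "<hh:mm:ss Mon D YYYY> (<same form> | infinite | duration <sec>)".
_TS = r"(\d\d:\d\d:\d\d \w{3} \d{1,2} \d{4})"
_LIFETIME = re.compile(rf"^\s+(send|accept)-lifetime {_TS} (?:{_TS}|infinite|duration (\d+))$")


def _ts(text):
    """Parse an IOS timestamp such as '00:00:00 Jan 7 2003'."""
    return datetime.strptime(text, "%H:%M:%S %b %d %Y")


def parse_key_chains(config_text):
    """Return {chain: {key_id: {"send": (start, end), "accept": (start, end)}}}.
    A lifetime that is not configured is left out, meaning 'always'."""
    chains, chain, key = {}, None, None
    for line in config_text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        match = re.match(r"^key chain (\S+)$", line)
        if match:
            chain, key = match.group(1), None
            chains[chain] = {}
            continue
        if not line.startswith(" "):
            chain = None                      # any other global command ends the stanza
            continue
        if chain is None:
            continue
        match = re.match(r"^\s+key (\d+)$", line)
        if match:
            key = int(match.group(1))
            chains[chain][key] = {}
            continue
        match = _LIFETIME.match(line)
        if match and key is not None:
            kind, start, end, duration = match.groups()
            start = _ts(start)
            if end:
                end = _ts(end)
            elif duration:
                end = start + timedelta(seconds=int(duration))
            else:
                end = datetime.max            # "infinite"
            chains[chain][key][kind] = (start, end)
    return chains


def check_key_chains(config_text, now):
    """Audit every key chain at time 'now', given as an IOS timestamp string."""
    now = _ts(now)
    always = (datetime.min, datetime.max)
    findings = []
    for chain, keys in parse_key_chains(config_text).items():
        for key_id, lifetimes in sorted(keys.items()):
            send = lifetimes.get("send", always)
            accept = lifetimes.get("accept", always)
            if accept[0] > send[0] or accept[1] < send[1]:
                findings.append(f"{chain} key {key_id}: accept-lifetime does not cover send-lifetime")
            for kind, (_, end) in lifetimes.items():
                if now > end:
                    findings.append(f"{chain} key {key_id}: {kind}-lifetime expired {end:%Y-%m-%d}")
        if not any(lt.get("send", always)[0] <= now <= lt.get("send", always)[1] for lt in keys.values()):
            findings.append(f"{chain}: no key is valid for sending at {now:%Y-%m-%d}")
    return findings


# Constructed chain: key 1 uses the template's dates; key 2 is a rollover key
# whose accept window starts six days after its send window (a misconfiguration).
SAMPLE_CONFIG = """\
key chain EIGRP-KEYS
 key 1
  key-string CHANGEME-old
  send-lifetime 00:00:00 Oct 1 2002 00:00:00 Jan 1 2003
  accept-lifetime 00:00:00 Oct 1 2002 00:00:00 Jan 7 2003
 key 2
  key-string CHANGEME-new
  send-lifetime 00:00:00 Jan 1 2003 infinite
  accept-lifetime 00:00:00 Jan 7 2003 infinite
!
"""

if __name__ == "__main__":
    for finding in check_key_chains(SAMPLE_CONFIG, "00:00:00 Jan 3 2003"):
        print(finding)
```

Checked on 3 January 2003 the sample yields two findings: key 1's send-lifetime has expired (expected, since key 2 has taken over) and key 2's accept window does not cover its send window, which would cause identically configured peers to reject this router's updates between 1 and 7 January. Feed it the router's actual clock rather than a fixed date, which is one more reason the NTP items matter for routing authentication.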
References and Contributions
SAFE: Best Practices for Securing Routing Protocols - This document discusses the various threats against routing protocols used by Cisco.
NSA Router Security Configuration Guide Executive Summary Card - This is the executive summary, supplementing the official National Security Agency's Router Security Configuration Guide version 1.1 found here.
Generic Security Requirements for Routing Protocols - An Internet Draft document submitted January 2005 by the Internet Engineering Task Force.
OSPF Security - A generic OSPF Security paper with examples on how to configure the Cisco OSPF routing protocol.
Route To Security - A paper that outlines the generic industry-best-practices for securing network routers.
Secure IOS Template - Version 3.7, 27 JAN 2005, created by Cymru Team and Rob Thomas.
Designing Network Security - Book ISBN 1-57870-043-4, 1999, Cisco Press Publishing.
Managing Cisco Network Security - Book ISBN 1-57870-103-1, 2001, Cisco Publishing.
Network Security Database - Cisco's countermeasure resource team that creates IDS signatures.
OSSS Open Source Security Standards - Little cat Z is developing a suite of free-to-use open information security standards.