Table of Contents

1. Introduction
   1.1. Document Purpose
   1.2. Limitations
   1.3. Exclusions
   1.4. Intended Audience
   1.5. Threats Mitigated
   1.6. Definitions
2. Router Access Security
   2.1. Login Banner
   2.2. Console Port Access
   2.3. Network Interfaces
   2.4. Auxiliary Port Access
   2.5. In-Band Router Management Access
   2.6. User Authentication and Authorization
3. Router Network Services Security
   3.1. TCP Services Configuration
   3.2. UDP Services Configuration
   3.3. IP Services Configuration
4. Access Control Lists, Filtering and Rate Limiting
   4.1. General Access Control Lists (ACLs)
   4.2. Filtering Network Traffic
   4.3. Rate Limiting Traffic
5. Routing Protocols
   5.1. General Routing Security
   5.2. OSPF Security
   5.3. EIGRP Security
6. Audit and Management
   6.1. Router Logging
   6.2. Time Synchronization
   6.3. Network Monitoring
   6.4. Router Software Maintenance
   6.5. Router Configuration Management
7. Appendix A - Cisco Router Hardening Template
8. Appendix B - Router Hardening Checklist
9. References and Contributions
1. Introduction
1.1. Document Purpose
The purpose of this document is to get dirty and detail the minimum functional security requirements of internal, enterprise Layer 3 routers (not Internet routers!). This document's intention is to provide hardening guidelines for routers that exist within a trusted (tee-hee) network environment. The document provides generic guidelines for best practices and can be used or modified to best fit your corporate standards (just give us some credit in your references, ok?).
1.2. Limitations

This document addresses Layer 3 router hardening with the following limitations:

a. Provides best practices when hardening routers situated on internal, trusted networks (I use "trusted" lightly).
b. Only provides hardening for two routing protocols, EIGRP and OSPF, as this is all I have experienced in the past. If you are using BGP or RIPv2 in a large corporate environment, well, this guide won't help you learn the fundamentals of network design either (LOL).
c. Provides generic hardening guidelines that can be used for most common enterprise routers such as Cisco, Nortel and Foundry (I suppose it could be applied to a computer running a router daemon too).
d. Only provides hardening scripts for Cisco IOS routers (sorry folks, I have my own limitations).
e. I know many of you who know Cisco IOS will look through the generic best-practices sections and say "What about CDP?" or "Why doesn't he address hardening HSRP or enabling NetFlow?". Well, as already stated, this guide tries to address generic security for any router make or model. The template I've provided in the appendix is just a bonus, illustrating how these generic best practices can be applied to a Cisco router. There are a lot of other Cisco-specific features that can be used to perform some of the hardening discussed in this document.
1.3. Exclusions

This document is not intended to provide security for Internet-facing routers! Hardening guides for routers operating between untrusted (Internet) and trusted (corporate) perimeters have already been covered in detail by guides such as the NSA Router Security Configuration Guide and the Secure IOS Template created by Rob Thomas.
1.4. Intended Audience

This guide was written for security analysts and network administrators whose day-to-day jobs include the installation, configuration and maintenance of enterprise network routers. This document will supplement their skill sets and provide guidance for the operational hardening of existing network router configurations (I hope).
1.5. Threats Mitigated

The routers within enterprise networks provide critical point-to-point connectivity with key business sites and route inter-VLAN traffic across the corporate backbone. This hardening guide refers to router interfaces that reside within a trusted or semi-trusted corporate network. Therefore, these best practices address the following:

- Trust-based attacks from within the network
- Integrity of routing protocols
- DoS or DDoS traffic management and exposure
- Secure management of devices

NOTE: I use the term "trusted network" in this document as a metaphor to express a security control point and not the literal state of the corporation's security threat model. The trusted network usually refers to that which is governed and enforced by a corporate security policy and administered by trustworthy individuals (I hope).
1.6. Definitions

AAA - Authentication, Authorization and Accounting
ACL - Access Control List
ARP - Address Resolution Protocol
Bogon Addresses - The areas of reserved or unallocated Internet Assigned Numbers Authority (IANA) IP address space. The word "bogon" originates as hacker jargon for addresses that are considered the quantum of bogosity.
CAR - Committed Access Rate, used by Cisco as a QoS mechanism
DDoS - Distributed Denial of Service
DoS - Denial of Service
EIGRP - Routing protocol: Enhanced Interior Gateway Routing Protocol
ICMP - Internet Control Message Protocol
IEEE - Institute of Electrical and Electronics Engineers
LAN - Local Area Network
MAC - Media Access Control
NTP - Network Time Protocol
OSPF - Routing protocol: Open Shortest Path First
QoS - Quality of Service
SNMP - Simple Network Management Protocol
SSH - Secure Shell
TACACS+ - Terminal Access Controller Access Control System Plus
TCP - Transmission Control Protocol
UDP - User Datagram Protocol
VPN - Virtual Private Network
WAN - Wide Area Network
Layer 3 - Refers to Layer 3 of the OSI model (Network), which handles routing, forwarding, addressing, error handling, congestion control and sequencing
Routing Protocol - Software that is used to move data across two or more networks after determining the best path
Routed Protocol - Data that can effectively be transmitted across routers on a data network (IP, SNMP, RPC, etc.)
HSRP - Hot Standby Router Protocol; Cisco proprietary HA solution which minimizes single points of failure for static default gateways (routers only)
VRRP - Virtual Router Redundancy Protocol (RFC 3768); generic HA solution which minimizes single points of failure for static default gateways and serves more than just routers
In-Band - Usually refers to administration using Telnet or SSH over the LAN the device is connected to, as opposed to out-of-band via console access
Sinkhole Routing - Allows administrators to forward all malicious traffic to a single host for examination
Black-hole Routing - Allows administrators to forward all malicious traffic to a null interface, i.e. to drop the traffic
2. Router Access Security

2.1. Login Banner

The login banner on every network router should:

a. Inform users that access to the device is restricted to authorized personnel, and
b. Deter potential intruders by providing legal notice of prosecution resulting from unauthorized access, and
c. Not reveal the company name or the type of device hosting the banner message.

NOTE: A banner for network routers should be approved by your corporate Legal Department so you don't say anything that the legal beagles take offence to or that jeopardizes the corporate brand.

Example:

WARNING: To protect the system from unauthorized use and to ensure that the system is functioning properly, activities on this system are monitored and recorded and subject to audit. Use of this system is expressed consent to such monitoring and recording. Any unauthorized access or use of this Automated Information System is prohibited and could be subject to criminal and civil penalties.
2.2. Console Port Access

a. Router console ports should be configured to authenticate connections using an AAA authentication scheme such as TACACS (RFC 1492). This ensures that all users' passwords are kept on a central UNIX AAA server in a non-reversible (hashed) form and that all access to the router is audited by AAA.
b. Router console ports should be configured with a fall-back method that authenticates connections using a local password in the event that the AAA server is unavailable. This should never be used as the primary means, as some vendors' local passwords are reversible and can be cracked (think Cisco type 7 passwords!).
c. Router console ports should be configured to log out connected sessions automatically after five (5) minutes of inactivity. This mitigates the threat of an administrator leaving their workstation unlocked with an established console connection to a router, an open invitation to the bad guys.
d. Router console ports should not be configured to permit any inbound transport protocols such as telnet, reverse-telnet, rlogin or SSH (out-of-band access over the network won't be used anyway).
e. Router console ports should be configured to disable modem support or other out-of-band equipment unless permitted explicitly in a corporate security policy. War-dialling could expose the equipment to outside attackers arbitrarily calling a block of phone numbers.
2.3. Network Interfaces

All router network interfaces that are not operationally in use should be shut down and should not be configured with an IP address. This mitigates the threat of internal users connecting anything to the network and causing an unintentional denial of service through, for example, secondary VRRP or HSRP flapping or Layer 2 spanning-tree loops.
2.4. Auxiliary Port Access

a. Router auxiliary ports should be configured to log out connected sessions immediately, as the port is not to be used. If some transport such as Telnet were enabled on the AUX port accidentally, this extra measure would log out any attempt to connect to the port immediately.
b. Router auxiliary ports should not be configured to permit any inbound transport protocols such as telnet, reverse-telnet, rlogin or SSH.
c. Router auxiliary ports should be configured to restrict users from executing any privileged router commands. Again, if the two previous conditions were overridden for any reason, this is yet another safeguard to ensure a user session could not do anything malicious.
d. Router auxiliary ports should be configured to disable modem support or other out-of-band equipment unless permitted explicitly in a corporate security policy. War-dialling could expose the equipment to outside attackers arbitrarily calling a block of phone numbers.
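The following Cisco IOS fragment is an added example showing how 2.1 through 2.4 map onto line and interface commands; it is not part of the original page's template. The method-list name CONSOLE, the TACACS+ server address 10.1.1.10, the unused interface FastEthernet0/1 and the reuse of the sample banner text are assumptions; the angle-bracket placeholders follow the appendix convention.

```cisco
! Added example (not from the original template). Assumptions: TACACS+ server
! 10.1.1.10, login method list CONSOLE, FastEthernet0/1 is an unused interface.

! 2.2.a / 2.2.b - central AAA first, local 'enable secret' only as the fall-back
aaa new-model
tacacs-server host 10.1.1.10
tacacs-server key <tacacs password>
aaa authentication login CONSOLE group tacacs+ enable
enable secret <password - 8+ chars, 2 numbers>

! 2.1 - shown before the login prompt; names neither the company nor the device
banner login ^
WARNING: To protect the system from unauthorized use and to ensure that the
system is functioning properly, activities on this system are monitored and
recorded and subject to audit. Use of this system is expressed consent to such
monitoring and recording. Any unauthorized access or use of this Automated
Information System is prohibited and could be subject to criminal and civil
penalties.
^

! 2.2 - console: AAA login, 5 minute idle logout (2.2.c), no outbound
! transport (2.2.d); 2.2.e is met by having no 'modem' statement on this line
line con 0
 login authentication CONSOLE
 exec-timeout 5 0
 transport output none

! 2.4 - AUX: no EXEC process at all (2.4.a, 2.4.c), any session that does get
! through is dropped after one second, no transport in or out (2.4.b); 2.4.d
! again means no 'modem InOut' / 'modem Dialin' statement on this line
line aux 0
 no exec
 exec-timeout 0 1
 transport input none
 transport output none

! 2.3 - an interface that is not operationally in use: no address, shut down
interface FastEthernet0/1
 description UNUSED - shut per section 2.3
 no ip address
 shutdown
```

Verify with `show line` (the AUX line should show no EXEC) and `show ip interface brief`, where FastEthernet0/1 must read "administratively down".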
2.5. In-Band Router Management Access

a. Router management ports should be configured to authenticate connections using an AAA authentication scheme such as TACACS (RFC 1492). This ensures that all users' passwords are kept on a central UNIX AAA server in a non-reversible (hashed) form and that all access to the router is audited by AAA.
b. Router management ports should be configured with a fall-back method that authenticates connections using a local password in the event that the AAA server is unavailable. This should never be used as the primary means, as some vendors' local passwords are reversible and can be cracked (think Cisco type 7 passwords!).
c. Router management ports should be configured to log out connected sessions automatically after five (5) minutes of inactivity. This mitigates the threat of an administrator leaving their workstation unlocked with an established connection to a router, an open invitation to the bad guys.
d. Router management ports should not be configured to permit any outbound transport protocols such as telnet, reverse-telnet, rlogin or SSH. This reduces the risk of router-hopping, or of connecting from the router to other UNIX systems.
e. Router management ports should be configured to permit only SSH v2 as the inbound transport protocol.
f. Router management ports should be configured to bind the outbound SSH, Telnet and TFTP services to the primary loopback interface of the router (where an outbound service is permitted at all). This is especially useful in identifying the router a connection was made from, as the loopback address is usually what is configured in DNS as the management address of the router.
g. Router management ports should be configured to drop unauthorized connections to the SSH service using an access control list (ACL), permitting only network management servers to connect and no other network equipment or workstations. Hopping from one device to another should not be permitted.
h. All access attempts (permitted or failed) to the router's in-band management ports should be logged via the access control list (ACL).
i. Router management ports should be configured to detect and drop any orphaned (broken) TCP connections to the management interface that have accidentally been left idle. This frees up the lines to be used by other management connections.
2.6. User Authentication and Authorization

a. Routers should be configured to authenticate users using an AAA authentication scheme such as RADIUS or TACACS+ before any administrative access is granted.
b. Routers should be configured to allow only one local login account (line password or local user database) for use in the event that AAA is unavailable. This should not be the primary or only authentication scheme on any production router.
c. All local passwords and user-database passwords should be stored as MD5 hashes (on Cisco IOS, 'enable secret' and 'username ... secret'), never in a reversible encoding.
d. All local passwords should be a minimum of eight characters long, made up of at least six (6) letters and at least two (2) digits.
e. All local passwords should be changed every four months, or whenever any employee or contractor with knowledge of the passwords leaves the organization.
f. Network Management should assign user accounts the lowest privilege level that allows the router administrator to perform their duties (i.e. analyst vs. operator).
g. Routers should require user authentication to connect to the router, and further authentication to execute any privileged commands or view the configuration.
h. Any password used locally on any router should not be the same as any SNMP community string or any other shared secret. That is, if you use b0bbyj03 for the local password, don't use b0bbyj03 for the SNMP write string and b0bbyj03 for the TACACS+ shared secret (obvious, I know, but I have to say it).
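The appendix template (Items 2.5 and 2.6) sets up SSH, the vty idle timeout and the basic AAA method lists. The following is an added example, not part of the original template, covering the 2.5 and 2.6 items the template leaves out: loopback-sourced outbound services (2.5.f), the logged management ACL on the vty lines (2.5.g, 2.5.h), orphaned-session cleanup (2.5.i), outbound transport disabled (2.5.d), and the single hashed local fall-back account with the eight-character floor (2.6.b to 2.6.d). The loopback address 10.255.0.1, the management hosts 10.1.1.10 and 10.1.1.11, the account name rescue and the method-list name MGMT are assumptions; `username ... secret` and `security passwords min-length` need a reasonably recent IOS (12.3 or later).

```cisco
! Added example (not from the original template). Assumptions: Loopback0 is
! 10.255.0.1, management servers are 10.1.1.10 and 10.1.1.11, the local
! fall-back account is named 'rescue', the vty method list is 'MGMT'.

! 2.5.f - source outbound management traffic from the loopback, so the far end
! sees the address that DNS knows the router by
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
ip ssh source-interface Loopback0
ip telnet source-interface Loopback0
ip tftp source-interface Loopback0
ip tacacs source-interface Loopback0

! 2.5.g / 2.5.h - only management hosts reach the vty lines; log hits and misses
access-list 10 remark MANAGEMENT HOSTS ALLOWED TO THE VTY LINES
access-list 10 permit host 10.1.1.10 log
access-list 10 permit host 10.1.1.11 log
access-list 10 deny any log

! 2.5.i - keepalives on inbound sessions so orphaned connections are reaped
service tcp-keepalives-in

! 2.6.b / 2.6.c / 2.6.d - one local fall-back account, stored as an MD5 hash,
! at least eight characters (the letter/digit mix of 2.6.d is a policy check;
! IOS only enforces the length)
security passwords min-length 8
username rescue privilege 1 secret <password - 8+ chars, 2 numbers>

! 2.6.a / 2.6.f / 2.6.g - TACACS+ for login and again for enable; the local
! account is consulted only when no TACACS+ server answers; exec authorization
! lets the TACACS+ server hand each user the lowest privilege level they need
aaa new-model
aaa authentication login MGMT group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local

! 2.5.c / 2.5.d / 2.5.e - the vty lines themselves
line vty 0 4
 access-class 10 in
 login authentication MGMT
 transport input ssh
 transport output none
 exec-timeout 5 0
```

After a test login, `show access-lists 10` shows the hit counters and the `log` keyword produces the syslog entries 2.5.h asks for; `show users` should show idle sessions disappearing after five minutes.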
3. Router Network Services Security

3.1. TCP Services Configuration

* Any service on a TCP port lower than 20 (echo, discard, daytime, chargen) is referred to as a TCP small service; these should be disabled, as they can be used effectively to carry out denial-of-service attacks.

3.2. UDP Services Configuration

* Any service on a UDP port lower than 20 (echo, discard, daytime, chargen) is referred to as a UDP small service; these should be disabled, as they can be used effectively to carry out denial-of-service attacks.
3.3. IP Services Configuration

All network routers should adhere to the following standards regarding IP services:

a. IP source routing should be disabled on every interface of every network router. Source routing is an IP header option that lets the sender dictate the path a packet takes, and a router that honours it forwards the packet along that path. Attackers use it in IP spoofing attacks, because the reply to a packet with a forged source address can be steered back to them along the reverse of the specified route.
b. Proxy ARP should be disabled on every interface of every network router. Relying on the router to answer ARP on behalf of hosts that have no routing capability results in a large MAC address table on the router, which could hinder performance. It also quietly extends the Layer 2 trust boundary across the router, since hosts learn to reach remote addresses by ARP instead of through a configured gateway.
c. IP directed broadcast should be disabled on every interface of every network router to mitigate the threat of smurf attacks, in which spoofed ICMP echo requests sent to a broadcast address are amplified by every host on the segment.
d. ICMP unreachable notifications should be rate limited on every network router to at most one unreachable message every 500 ms. (On Cisco IOS the limiter is global rather than per host, and its argument is in milliseconds.)
e. ICMP mask replies to host mask requests should be disabled on every interface of every network router to mitigate reconnaissance sweeps of the network.
f. ICMP redirect messages should be disabled on every interface of every network router. Redirects announce alternative gateways to hosts, which leaks topology and offers a way of steering traffic around the ACLs that protect a corporate demarcation.
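As an added example that is not part of the original page, here are the Cisco IOS commands for 3.1, 3.2 and 3.3, with the weak pre-hardening state noted beside each. FastEthernet0/0 is an assumed LAN-facing routed interface; the interface block has to be repeated on every routed port.

```cisco
! Added example (not from the original template). Assumption: FastEthernet0/0
! is a routed LAN interface; repeat the interface block on every routed port.

! 3.1 / 3.2 - the small servers (echo 7, discard 9, daytime 13, chargen 19, on
! both TCP and UDP) answer anything that connects and are a classic reflection
! and amplification source. Weak state: 'service tcp-small-servers' present.
no service tcp-small-servers
no service udp-small-servers

! 3.3.a - drop packets carrying a source-route option rather than honouring it.
! Weak state: source routing enabled (the default on older IOS releases).
no ip source-route

! 3.3.b / 3.3.c / 3.3.e / 3.3.f - per-interface settings. Weak state: the
! interface runs with 'ip proxy-arp', 'ip directed-broadcast', 'ip mask-reply'
! and 'ip redirects' (proxy ARP and redirects are on by default).
interface FastEthernet0/0
 no ip proxy-arp
 no ip directed-broadcast
 no ip mask-reply
 no ip redirects

! 3.3.d - at most one ICMP unreachable every 500 ms. The argument is in
! milliseconds and the limiter is global, not per source host; 500 is also the
! IOS default, but setting it explicitly documents the intent.
ip icmp rate-limit unreachable 500
```

Several of these are the default on current IOS and therefore never appear in `show running-config`; check the effective state per interface with `show ip interface FastEthernet0/0`, which reports whether proxy ARP, directed-broadcast forwarding, mask replies and redirects are enabled.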
4. Access Control Lists, Filtering and Rate Limiting

4.1. General Access Control Lists (ACLs)

4.2. Filtering Network Traffic

4.3. Rate Limiting Traffic
5. Routing Protocols

5.1. General Routing Security

All network routers should adhere to the following minimum standards regarding general routing protocol security:

a. The enterprise routing infrastructure should not extend beyond any of the enterprise perimeters. All interior gateway routing domains (autonomous systems) should remain internal to the enterprise network.
b. The enterprise routing infrastructure should not be redistributed with any untrusted networks such as third parties, vendors or partners.
c. Routers on the network perimeter should use static routes, redistributed into the enterprise network on trusted interfaces only.
d. All IGP routing protocols chosen for the enterprise routers should support keyed-MD5 cryptographic authentication, in which the routing protocol hashes a shared secret together with the routing update. Keyed MD5 is the floor: where the platform offers HMAC-SHA authentication for the protocol, prefer it.
5.2. OSPF Security

All network routers should adhere to the following minimum standards regarding OSPF routing traffic:

a. The OSPF routing infrastructure should operate in directed mode with explicitly defined peers (a non-broadcast network type with configured neighbours) and should not operate in broadcast mode. This way every OSPF router must be explicitly configured to talk to its neighbours, which helps avoid mis-configuration and reduces the chance of an unintended adjacency on a shared segment. Interfaces that face no OSPF peer should be passive.
b. The OSPF routing infrastructure should be configured to authenticate routing updates between peers using an MD5 key, so that updates from untrusted routers are rejected.
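The following added example, not from the original page, shows 5.1 and 5.2 on a Cisco IOS router: keyed-MD5 authentication for area 0, a single explicitly configured neighbour on a non-broadcast interface (the "directed mode" of 5.2.a), every other interface passive, and, for a perimeter router, static routes redistributed inward only when they fall inside the enterprise prefix (5.1.c). The process number 100, router-id 10.255.0.1, peer 10.10.1.2 on Ethernet0/1, and the 10.0.0.0/8 enterprise prefix are assumptions.

```cisco
! Added example (not from the original template). Assumptions: OSPF process 100,
! router-id 10.255.0.1, trusted peer 10.10.1.2 on Ethernet0/1, enterprise
! address space 10.0.0.0/8.

! 5.2.b / 5.1.d - every interface in area 0 must carry a message digest
router ospf 100
 router-id 10.255.0.1
 area 0 authentication message-digest
 ! 5.2.a - nothing forms an adjacency unless explicitly opened: default to
 ! passive, then open only the interface that faces a known peer
 passive-interface default
 no passive-interface Ethernet0/1
 network 10.10.1.0 0.0.0.255 area 0
 network 10.255.0.1 0.0.0.0 area 0
 ! 5.2.a - named peer; with the non-broadcast network type below, hellos go
 ! to this address by unicast instead of to 224.0.0.5
 neighbor 10.10.1.2

interface Ethernet0/1
 ip address 10.10.1.1 255.255.255.0
 ip ospf network non-broadcast
 ! key id and key string must match on both peers
 ip ospf message-digest-key 1 md5 <secret-key>

! 5.1.c - on a perimeter router only: static routes, redistributed into the IGP
! only if they fall inside the enterprise prefix, so nothing learned at the
! edge can leak into the core
ip prefix-list ENTERPRISE seq 10 permit 10.0.0.0/8 le 24
route-map TRUSTED-STATICS permit 10
 match ip address prefix-list ENTERPRISE
router ospf 100
 redistribute static subnets route-map TRUSTED-STATICS
```

`show ip ospf interface Ethernet0/1` should report "Message digest authentication enabled" with "Youngest key id is 1", and `show ip ospf neighbor` should list only 10.10.1.2; a second neighbour appearing there is either a mis-configuration or a rogue router.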
5.3. EIGRP Security

All network routers should adhere to the following minimum standards regarding EIGRP routing traffic:

a. Access control lists should be used in conjunction with EIGRP routing to permit routing advertisements only from trusted unicast host IP addresses on the appropriate interfaces (remember that EIGRP hellos and updates are sent to the multicast group 224.0.0.10, so the destination side of the ACL must allow that address as well as the local router).
b. The EIGRP routing infrastructure should be configured to authenticate routing updates between peers using an MD5 password key.
6. Audit and Management

6.1. Router Logging
6.2. Time Synchronization

All network routers should adhere to the following minimum standards regarding time synchronization:

a. NTP time synchronization should be configured on every network router, using primary and secondary trusted NTP servers.
b. NTP time synchronization should be configured to originate from the router's loopback interface on every network router.
c. NTP time synchronization should be configured for client-mode synchronization on every network router, polling stratum 1 or 2 servers on the network. Where the servers support it, authenticate the association with an NTP key: a spoofed server that shifts the router's clock also corrupts every log timestamp the router produces.
6.3. Network Monitoring

All network routers should adhere to the following minimum standards regarding network monitoring:

a. SNMP v2 or greater should be used on all network routers for management purposes. Note that v1 and v2c community strings cross the network in clear text; where the management platform supports it, use SNMPv3 with authentication and privacy.
b. SNMP public (read-only) and private (read-write) community strings should be a minimum of eight characters long, made up of at least six (6) letters and at least two (2) digits.
c. SNMP public and private community strings should be changed on a quarterly basis on all routers, or whenever a network administrator leaves the organization.
d. The SNMP public community string configured on all network routers should differ from the SNMP private community string, and vice versa.
e. All SNMP private and public queries against the router should be restricted by a standard access control list which only permits network management hosts to connect.
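Added example, not from the original page, for 6.2 and 6.3 on Cisco IOS: authenticated client-mode NTP from the loopback to two servers, log timestamps that use that clock, and SNMP restricted to management hosts with distinct RO and RW strings, plus the SNMPv3 equivalent, since v2c community strings cross the wire in clear text. The NTP servers 10.1.1.20 and 10.1.1.21, the management hosts 10.1.1.10 and 10.1.1.11, the group NMS-GROUP and the user nms-poller are assumptions; NTP authentication and the NTP access-group are an added check rather than a requirement stated in 6.2.

```cisco
! Added example (not from the original template). Assumptions: NTP servers
! 10.1.1.20 and 10.1.1.21, management hosts 10.1.1.10 and 10.1.1.11, Loopback0
! already exists, SNMPv3 group NMS-GROUP and user nms-poller.

! 6.2.a / 6.2.b / 6.2.c - client mode against two trusted servers, sourced from
! the loopback; the key stops a spoofed server from shifting the clock (added
! check, not stated in 6.2)
ntp authentication-key 1 md5 <ntp key>
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp server 10.1.1.20 key 1 prefer
ntp server 10.1.1.21 key 1
! accept time only from those two; once any ntp access-group exists, every
! other peer, server or query is refused (added check)
access-list 20 permit host 10.1.1.20
access-list 20 permit host 10.1.1.21
ntp access-group peer 20
! log and debug timestamps only mean something once the clock is synchronised
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone

! 6.3.e - management hosts only, and log anything else that tries
access-list 60 remark HOSTS ALLOWED TO POLL SNMP
access-list 60 permit host 10.1.1.10
access-list 60 permit host 10.1.1.11
access-list 60 deny any log
! 6.3.a / 6.3.b / 6.3.d - v2c: RO and RW strings differ, both bound to ACL 60.
! Weak state: 'snmp-server community public RO' with no ACL at all.
snmp-server community <ro string - 8+ chars, 2 numbers> RO 60
snmp-server community <rw string - different from ro> RW 60
! SNMPv3 with authentication and privacy: the strings above cross the wire in
! clear text, v3 traffic does not. Same host restriction.
snmp-server group NMS-GROUP v3 priv access 60
snmp-server user nms-poller NMS-GROUP v3 auth sha <auth password> priv aes 128 <priv password> access 60
```

`show ntp status` should say "Clock is synchronized" at one stratum above the server, and `show ntp associations` marks the chosen server with "*". For SNMP, `show snmp community` lists each string with its ACL, and a poll from a host outside ACL 60 should produce a logged deny rather than a response.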
6.4. Router Software Maintenance

6.5. Router Configuration Management
7. Appendix A - Cisco Router Hardening Template

Item 2.5 - In-Band Router Management Access - Recommended Configuration

    ! PROMPT AND OUTPUT OF 'crypto key generate rsa' (START OF ROW TRUNCATED)
    ... greater than 512 may take a few minutes.
    How many bits in the modulus [512]: 2048
    Generating RSA Keys ... [OK]
    ip ssh time-out 90
    ip ssh authentication-retries 2
    line vty 0 4
     transport input ssh
     ! NOTE: 2.5.d CALLS FOR NO OUTBOUND TRANSPORT ('transport output none');
     ! KEEP THE NEXT LINE ONLY WHERE POLICY EXPLICITLY ALLOWS DEVICE HOPPING
     transport output telnet ssh
     ! LOGOUT CONNECTION AFTER 5 MINS. OF INACTIVITY
     exec-timeout 5 0

Item 2.6 - User Authentication and Authorization - Recommended Configuration

    ! CONFIGURATION FOR USER AUTHENTICATION AND AUTHORIZATION
    config t
    ! SET LOCAL PASSWORD FOR EXECUTING PRIVILEGED COMMANDS (STORED AS AN MD5 HASH)
    enable secret <password - 8+ chars, 2 numbers>
    ! OBFUSCATE LINE PASSWORDS. NOTE: THIS IS TYPE 7 ENCODING, WHICH IS
    ! REVERSIBLE, NOT MD5; ONLY 'enable secret' / 'username ... secret'
    ! ARE HASHED (SEE 2.2.b AND 2.6.c)
    service password-encryption
    ! REQUIRED COMMANDS TO ENABLE AAA
    aaa new-model
    aaa authentication login default group tacacs+ enable
    aaa authentication login <group-password> group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    tacacs-server host <TACACS SERVER 1>
    tacacs-server host <TACACS SERVER 2>
    tacacs-server key <tacacs password>
Item 3.3 - IP Services Configuration - Recommended Configuration

    ! PER-INTERFACE IP SERVICES: APPLY TO EVERY ROUTED INTERFACE
    interface FastEthernet 0/0
     no ip proxy-arp
     no ip directed-broadcast
     no ip mask-reply
     no ip redirects
     exit
    ! RATE LIMIT ICMP UNREACHABLE MESSAGES TO ONE EVERY 500 MILLISECONDS
    ip icmp rate-limit unreachable 500

Item 4.2 - Filtering Network Traffic - Recommended Configuration

    ! FILTERING NETWORK ATTACKS (Black-hole)
    interface Null0
     ! DO NOT ANSWER BLACK-HOLED TRAFFIC WITH ICMP UNREACHABLES
     no ip unreachables
     exit
    ! CATCH-ALL ROUTES: MORE-SPECIFIC ROUTES TO SUBNETS IN USE STILL WIN,
    ! SO ONLY UNROUTED PRIVATE AND BOGON SPACE IS DROPPED
    ip route 10.0.0.0 255.0.0.0 Null0
    ip route 192.168.0.0 255.255.0.0 Null0
    ip route 172.16.0.0 255.240.0.0 Null0
    ip route <bogon blocks and masks go here> Null0
    ! FOR SINKHOLE ROUTING DEFINE ADDRESS OF
    ! HONEYPOT OR IPS INSTEAD OF Null0 IN ROUTE
    !
    ! FILTER ADDRESS SPOOFING ON LOCAL INTERFACES (uRPF). PACKETS THAT FAIL
    ! THE REVERSE-PATH CHECK ARE MATCHED AGAINST ACL 190; A 'deny' DROPS AND
    ! LOGS THEM, A 'permit' WOULD LET THEM THROUGH
    no access-list 190
    access-list 190 deny ip any any log
    interface FastEthernet 0/0
     description <<Connect to LAN Segment>>
     ip verify unicast reverse-path 190

Item 4.3 - Rate Limiting Traffic - Recommended Configuration

    ! RATE LIMITING NETWORK MANAGEMENT TRAFFIC
    config t
    no access-list 130
    ! CREATE ACL TO DEFINE MANAGEMENT TRAFFIC (MATCHED ON DESTINATION PORT).
    ! SNMP, SYSLOG AND TFTP ARE UDP, NOT TCP, AND IOS HAS NO 'eq ssh' KEYWORD
    access-list 130 permit tcp any any eq telnet
    access-list 130 permit tcp any any eq 22
    access-list 130 permit udp any any eq snmp
    access-list 130 permit udp any any eq syslog
    access-list 130 permit udp any any eq tftp
    access-list 130 permit tcp any any eq tacacs
    no access-list 131
    access-list 131 permit icmp any any echo
    access-list 131 permit icmp any any echo-reply
    ! APPLY TO LAN INTERFACES
    interface Ethernet 0/0
     ! CONFIGURE CAR GIVING PRIORITY TO MANAGEMENT PROTOCOLS
     rate-limit output access-group 130 1000000 25000 50000 conform-action transmit exceed-action continue
     rate-limit output access-group 131 16000 8000 8000 conform-action continue exceed-action drop
     ! CONFIGURE CAR TO DROP EXCESSIVE NON-MANAGEMENT TRAFFIC
     rate-limit output 9000000 112000 225000 conform-action transmit exceed-action drop
     exit
Item 5.3 - EIGRP Security - Recommended Configuration

    ! PERMIT EIGRP ONLY FROM KNOWN PEERS ON TRUSTED ROUTING INTERFACES.
    ! HELLOS AND UPDATES ARE SENT TO 224.0.0.10, SO THAT DESTINATION MUST
    ! BE ALLOWED AS WELL AS THE LOCAL ROUTER'S UNICAST ADDRESS
    access-list 104 permit eigrp host <remote peer router 1> host 224.0.0.10
    access-list 104 permit eigrp host <remote peer router 1> host <local router>
    access-list 104 permit eigrp host <remote peer router 2> host 224.0.0.10
    access-list 104 permit eigrp host <remote peer router 2> host <local router>
    access-list 104 deny eigrp any any log-input
    access-list 104 permit ip any any
    ! NO EIGRP AT ALL ON UN-TRUSTED INTERFACES
    no access-list 105
    access-list 105 deny eigrp any any log-input
    access-list 105 permit ip any any
    ! APPLY TO TRUSTED ROUTING INTERFACES
    interface Ethernet 0/1
     ip access-group 104 in
    ! APPLY TO UN-TRUSTED ROUTING INTERFACES
    interface Serial 0/1
     ip access-group 105 in
    ! CONFIGURE EIGRP AUTHENTICATION: DEFINE THE KEY CHAIN GLOBALLY, THEN BIND
    ! IT ON EACH INTERFACE THAT RUNS EIGRP. THE KEY-CHAIN NAME IS LOCAL TO THE
    ! ROUTER AND MAY DIFFER ON EACH ROUTER, BUT THE KEY NUMBER AND KEY-STRING
    ! MUST MATCH ON BOTH PEERS
    key chain <key name>
     key 1
      key-string <secret-key>
      send-lifetime 00:00:00 Oct 1 2002 00:00:00 Jan 1 2003
      accept-lifetime 00:00:00 Oct 1 2002 00:00:00 Jan 7 2003
    interface Ethernet 0/1
     ip authentication mode eigrp <process #> md5
     ip authentication key-chain eigrp <process #> <key name>
9. References and Contributions

- SAFE: Best Practices for Securing Routing Protocols (Cisco)
- NSA Router Security Configuration Guide, Executive Summary Card
- Generic Security Requirements for Routing Protocols
- OSPF Security
- Route To Security
- Secure IOS Template (Rob Thomas)
- Designing Network Security
- Managing Cisco Network Security
- Network Security Database
- OSSS Open Source Security Standards