Layer 3 Security
Recommendation
1. Enable secure Telnet access to a router and use SSH
2. Enable SNMP security, adding SNMPv3 support
3. Turn off unnecessary services on the router platform
4. Turn on logging to provide on audit trail
5. Enable protocol authentication
6. Enable CEF
1. Enable secure Telnet access to a router and use SSH
2. Enable SNMP security, adding SNMPv3 support
3. Turn off unnecessary services on the router platform
4. Turn on logging to provide on audit trail
5. Enable protocol authentication
6. Enable CEF
General Layer3 Security Considerations
1. Smurf Attacks
– a large number of ICMP Echo Requires with same typical IP address in the packet
– the destination address is a subnet broadcast address, also known as a direct broadcast address
– the destination address is a subnet broadcast address, also known as a direct broadcast address
Solutions
1. “no ip directed-broadcast” – by default in IOS version 12.0
– prevents the router from forwarding the broadcast onto the VLAN
2. Unicast Reverse Path Forwarding (uRPF)
– tells cisco IOS to examine the source IP address of incoming packets on that itnerface (CEF must be enabled)
Two Types:
a. Strict RPF – the router checks if the matching route uses an outgoing interface, that is the same interface on which the packet was received, in not => discarded
b. Loose RPF – the router checks for an y route that can be used to reach the source IP address
1. “no ip directed-broadcast” – by default in IOS version 12.0
– prevents the router from forwarding the broadcast onto the VLAN
2. Unicast Reverse Path Forwarding (uRPF)
– tells cisco IOS to examine the source IP address of incoming packets on that itnerface (CEF must be enabled)
Two Types:
a. Strict RPF – the router checks if the matching route uses an outgoing interface, that is the same interface on which the packet was received, in not => discarded
b. Loose RPF – the router checks for an y route that can be used to reach the source IP address
2. TCP Syn flood, the Established Bit and TCP Intercept
TCP Syn flood – creates connections
– “established” ACL can be used, when you only want to open from te inside towards outside
– TCP “intercept” can be used when you want the connections to come from “putside” towards “inside”
– “established” ACL can be used, when you only want to open from te inside towards outside
– TCP “intercept” can be used when you want the connections to come from “putside” towards “inside”
TCP “intercept” works in 2 ways:
1. Watch mode – keeps state information about TCP connections that match a defined ACL
– if a TCP connection does not complete the three-way handshake within a particular time period, it send a TCP reset to the servers
– it also count the number of new connections over time, and if a large number (default 1000), the router temporarily filters new TCP requires to prevent a SYN attack
2. Intercept mode – router applies to TCP connection requirements instead of forwarding them to the actual server
1. Watch mode – keeps state information about TCP connections that match a defined ACL
– if a TCP connection does not complete the three-way handshake within a particular time period, it send a TCP reset to the servers
– it also count the number of new connections over time, and if a large number (default 1000), the router temporarily filters new TCP requires to prevent a SYN attack
2. Intercept mode – router applies to TCP connection requirements instead of forwarding them to the actual server
Classic Cisco IOS firewall
CBAC – Context-Based Access Control
– you must configure the following:
1. Protocol to inspect
2. Interface on which to perform the inspection
3. Direction of the traffic to inspect, per interface
– you must configure the following:
1. Protocol to inspect
2. Interface on which to perform the inspection
3. Direction of the traffic to inspect, per interface
TCP vs UDP with CBAC
– TCP has clear-cut connections, so CBAC can handle it easy
– UDP more difficult to handle
– TCP has clear-cut connections, so CBAC can handle it easy
– UDP more difficult to handle
Common protocol that CBAC can Inspect:
1. Any TCP
2. Any UDP sessions
3. FTP
4. SMTP
5. TFTP
6. H.323
7. Java
8. …
1. Any TCP
2. Any UDP sessions
3. FTP
4. SMTP
5. TFTP
6. H.323
7. Java
8. …
CBAC Disadvantages
– CBAC comes after ACL filters
– CBAC cannot protect against attacks that are coming from inside
– CBAC works only on protocol you set to “inspect”
– to inspect other types of traffic (not TCP or UDP), you must configure a named inspection tool
– CBAC does not inspect traffic generated from itself
– CBAC has restrictions on handling encryption traffic
– CBAC cannot protect against attacks that are coming from inside
– CBAC works only on protocol you set to “inspect”
– to inspect other types of traffic (not TCP or UDP), you must configure a named inspection tool
– CBAC does not inspect traffic generated from itself
– CBAC has restrictions on handling encryption traffic
Cisco IOS Zone-Based Firewalls
– traffic can travel between the interfaces of the same zone, but not between zones
– zones are configured using Class-Based Policy (like MQC)
– can inspect: HTTP, HTTPS, SMTP, ESMTP, POP3, IMAP, Yahoo IM, MSN, RPC and P-2-P application
– zones are configured using Class-Based Policy (like MQC)
– can inspect: HTTP, HTTPS, SMTP, ESMTP, POP3, IMAP, Yahoo IM, MSN, RPC and P-2-P application
Steps to configure ZBF
1. Create zones
2. Decide how traffic should travel between the zones and create zone-pairs on the router
3. Create class-maps to identify inter-zone traffic that must be inspected by the firewall
4. Assign policies to the traffic by creating policy maps and associated class-maps with them
5. Assign policy maps to the appropriate zone-pair
6. Assign interfaces to zone. An interface may be assigned to only one security zone
1. Create zones
2. Decide how traffic should travel between the zones and create zone-pairs on the router
3. Create class-maps to identify inter-zone traffic that must be inspected by the firewall
4. Assign policies to the traffic by creating policy maps and associated class-maps with them
5. Assign policy maps to the appropriate zone-pair
6. Assign interfaces to zone. An interface may be assigned to only one security zone
Cisco IOS IPS
– it provides Deep Packet Inspection (DPI) of traffic transiting the router
– the signature are on flash
– when IPS is configurate, it acts like an inline IPS
– the signature are on flash
– when IPS is configurate, it acts like an inline IPS
Steps
1. Remove all signature category and then import the basic IOS IPS category
2. Create a directory in flash to store the IPS configuration
3. Create an IOS IPS rule
4. Specify the location of the signature
5. Apply the rule to an interface, inbound and/or outbound
6. Once rule applied, the router loads the signature
7. Verify “IPS using: “#show ip ips config”
1. Remove all signature category and then import the basic IOS IPS category
2. Create a directory in flash to store the IPS configuration
3. Create an IOS IPS rule
4. Specify the location of the signature
5. Apply the rule to an interface, inbound and/or outbound
6. Once rule applied, the router loads the signature
7. Verify “IPS using: “#show ip ips config”
Control-Plane Policing (CoPP)
– affects the traffic coming to the router
– addresses this problem by leveraging the MQC to rate-limit or drop control-plane traffic
– used so you do not get locked out
– addresses this problem by leveraging the MQC to rate-limit or drop control-plane traffic
– used so you do not get locked out
Implementing CoPP:
1. Enable QoS globally; else CoPP is done in software and not HW
2. Create the ACL to classify traffic
3. Create class-map and match the appropriate ACL or either IP Precedence or DSCP values
4. Create a Policy Map and associate the class-maps with it
5. Assign allowed bandwidth
6. Assign the policy map to the router or switch control plane as a service policy
1. Enable QoS globally; else CoPP is done in software and not HW
2. Create the ACL to classify traffic
3. Create class-map and match the appropriate ACL or either IP Precedence or DSCP values
4. Create a Policy Map and associate the class-maps with it
5. Assign allowed bandwidth
6. Assign the policy map to the router or switch control plane as a service policy
Dynamic Multipoint VPN (DM-VPN)
– uses IPSEC, GRE, Next Hop Resolvation Protocol (NHRP)
– supports segmentation across VPNs and is VRF-aware
– the HUB router is configured for a single multipoint GRE (mGRE) and a set of profiles applied to the spoke routers
– supports segmentation across VPNs and is VRF-aware
– the HUB router is configured for a single multipoint GRE (mGRE) and a set of profiles applied to the spoke routers
DMVPN vs Hub-Spoke VPN – DMVPN advantages:
1. Simpler Hub configuration. A DMVPN hub router requires only one multipoint GRE tunnel interface, one IPSEC profile and no crypto ACL
2. Zero-touch at the hub router for prvisioning spoke routers. The hub router does not require configuration when new spoke router are brought online
3. Automatically initiated IPSec encrypt, fac by NHRP
4. Dynamic addressing support for spoke routers. Instead of static configuration, the hub learns spoke router addresses when they requires to the network
5. Dynamic created spoke-to-spoke tunnels. Spoke routers learn about each other using NHRP, so they can form tunnels between each other automatically instead of require spoke-to-spoke traffic to be encrypted
6. VRF integration for MPLS environment
A dynamic routing protocol (EIGRP, OSPF, BGP, RIP or even ODR) is required between the hub and the spokes.
1. Simpler Hub configuration. A DMVPN hub router requires only one multipoint GRE tunnel interface, one IPSEC profile and no crypto ACL
2. Zero-touch at the hub router for prvisioning spoke routers. The hub router does not require configuration when new spoke router are brought online
3. Automatically initiated IPSec encrypt, fac by NHRP
4. Dynamic addressing support for spoke routers. Instead of static configuration, the hub learns spoke router addresses when they requires to the network
5. Dynamic created spoke-to-spoke tunnels. Spoke routers learn about each other using NHRP, so they can form tunnels between each other automatically instead of require spoke-to-spoke traffic to be encrypted
6. VRF integration for MPLS environment
A dynamic routing protocol (EIGRP, OSPF, BGP, RIP or even ODR) is required between the hub and the spokes.
No comments:
Post a Comment