Wednesday, December 3, 2008

Cisco Router Hardening

Every security policy should include hardening procedures for the different devices used on the network.

Here I summarize Cisco's hardening guide for the IOS that runs on Cisco routers.

The full procedure can be found at this link: Hardening IOS Cisco

Even the NSA (National Security Agency) has its own version of this document: NSA/SNAC Router Security Configuration Guide

There is also the O'Reilly book, Hardening Cisco Routers, but it does not have good reviews.

While the Cisco document is 60 pages long, the NSA one is 300 pages. Naturally, the latter starts with the TCP/IP protocol and ends with intrusion detection using IOS.

The Cisco IOS hardening guide covers the following topics:

The first section, Secure Operations, is a set of recommendations to keep in mind when administering a Cisco router. The emphasis is not only on performing the hardening itself but also on having a working model that keeps the device secure over time.
For example: staying current with the advisories Cisco publishes, keeping logs on a centralized host, using SSH instead of telnet, etc.

Secure Operations
  • Monitor Cisco Security Advisories and Responses
  • Leverage Authentication, Authorization, and Accounting
  • Centralize Log Collection and Monitoring
  • Use Secure Protocols When Possible
  • Gain Traffic Visibility with NetFlow
  • Configuration Management

The Management Plane comprises all the functions that maintain the integrity of the IOS configuration. These are recommendations to use encrypted passwords, disable services, and raise an alert when CPU usage exceeds a threshold.
If we do not put this advice into practice, the integrity of the IOS is compromised. That is, if we have a strong password but it is not stored encrypted, the level of protection drops.

Let's look at one of the items:

No Service Password-Recovery

In Cisco IOS Software Release 12.3(14)T and later, the No Service Password-Recovery feature does not allow anyone with console access to insecurely access the device configuration and clear the password. It also does not allow malicious users to change the configuration register value and access NVRAM.

!
no service password-recovery
!


Management Plane

  • General Management Plane Hardening
  • Limiting Access to the Network with Infrastructure ACLs
  • Securing Interactive Management Sessions
  • Using Authentication, Authorization, and Accounting
  • Fortifying the Simple Network Management Protocol
  • Logging Best Practices
  • Cisco IOS Software Configuration Management

The Control Plane allows the administrator to classify, control and restrict the traffic sent to the device for its administration.

One item is the use of SSH to encrypt the data transmitted between the operator and the device.

Encrypting Management Sessions
Because information can be disclosed during an interactive management session, this traffic must be encrypted so that a malicious user cannot gain access to the data being transmitted. Encrypting the traffic allows a secure remote access connection to the device. If the traffic for a management session is sent over the network in cleartext, an attacker can obtain sensitive information about the device and the network.

These commands enable SSH on the device.

!
ip domain-name example.com
!
crypto key generate rsa modulus 2048
!
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source-interface GigabitEthernet 0/1
!
line vty 0 4
transport input ssh
!

Control Plane

  • General Control Plane Hardening
  • Limiting CPU Impact of Control Plane Traffic
  • Securing BGP
  • Securing Interior Gateway Protocols
  • Securing First Hop Redundancy Protocols

The Data Plane is responsible for limiting the movement of data between networks.
An interesting item is anti-spoofing, that is, not allowing packets whose source address belongs to internal networks to arrive on external interfaces.

Anti-Spoofing Protections
Many attacks utilize source IP address spoofing to be effective or to conceal the true source of an attack and hinder accurate traceback. Cisco IOS software provides Unicast RPF and IP Source Guard (IPSG) to deter attacks that rely on source IP address spoofing. In addition, ACLs and null routing are often deployed as a manual means of spoofing prevention.

IP Source Guard can be applied to Layer 2 interfaces belonging to DHCP snooping-enabled VLANs. These commands enable DHCP snooping:
!
ip dhcp snooping
ip dhcp snooping vlan
!

After DHCP snooping is enabled, these commands enable IPSG:
!
interface
ip verify source
!

Data Plane

  • General Data Plane Hardening
  • Filtering Transit Traffic with Transit ACLs
  • Anti-Spoofing Protections
  • Limiting CPU Impact of Data Plane Traffic
  • Traffic Identification and Traceback
  • Access Control with VLAN Maps and Port Access Control Lists
  • Using Private VLANs


Finally, the NSA checklist for hardening a router. This checklist complements the Cisco document very well, since it puts more emphasis on procedures (keeping the IOS up to date, keeping a backup of the configuration, keeping the documentation current...).
Router Security Checklist

This security checklist is designed to help you review your router security configuration, and remind you of any security area you might have missed.

  • Router security policy written, approved, distributed.
  • Router IOS version checked and up to date.
  • Router configuration kept off-line, backed up, access to it limited.
  • Router configuration is well-documented, commented.
  • Router users and passwords configured and maintained.
  • Password encryption in use, enable secret in use.
  • Enable secret difficult to guess, knowledge of it strictly limited. (if not, change the enable secret immediately)
  • Access restrictions imposed on Console, Aux, VTYs.
  • Unneeded network servers and facilities disabled.
  • Necessary network services configured correctly (e.g. DNS)
  • Unused interfaces and VTYs shut down or disabled.
  • Risky interface services disabled.
  • Port and protocol needs of the network identified and checked.
  • Access lists limit traffic to identified ports and protocols.
  • Access lists block reserved and inappropriate addresses.
  • Static routes configured where necessary.
  • Routing protocols configured to use integrity mechanisms.
  • Logging enabled and log recipient hosts identified and configured.
  • Router’s time of day set accurately, maintained with NTP.
  • Logging set to include consistent time information.
  • Logs checked, reviewed, archived in accordance with local policy.
  • SNMP disabled or enabled with good community strings and ACLs.

This link has a summary of the minimum commands needed to perform a hardening:
NSA Cisco IOS summary
