SECURING AND CONTROLLING CISCO ROUTERS
© 2002 by CRC Press LLC
OTHER AUERBACH PUBLICATIONS

ABCs of IP Addressing, by Gilbert Held. ISBN: 0-8493-1144-6
Application Servers for E-Business, by Lisa M. Lindgren. ISBN: 0-8493-0827-5
Architectures for E-Business Systems, edited by Sanjiv Purba. ISBN: 0-8493-1161-6
A Technical Guide to IPSec Virtual Private Networks, by James S. Tiller. ISBN: 0-8493-0876-3
Building an Information Security Awareness Program, by Mark B. Desman. ISBN: 0-8493-0116-5
Computer Telephony Integration, by William Yarberry, Jr. ISBN: 0-8493-9995-5
Cyber Crime Investigator's Field Guide, by Bruce Middleton. ISBN: 0-8493-1192-6
Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, edited by Albert J. Marcella and Robert S. Greenfield. ISBN: 0-8493-0955-7
Information Security Architecture, by Jan Killmeyer Tudor. ISBN: 0-8493-9988-2
Information Security Management Handbook, 4th Edition, Volume 1, edited by Harold F. Tipton and Micki Krause. ISBN: 0-8493-9829-0
Information Security Management Handbook, 4th Edition, Volume 2, edited by Harold F. Tipton and Micki Krause. ISBN: 0-8493-0800-3
Information Security Management Handbook, 4th Edition, Volume 3, edited by Harold F. Tipton and Micki Krause. ISBN: 0-8493-1127-6
Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management, by Thomas Peltier. ISBN: 0-8493-1137-3
Information Security Risk Analysis, by Thomas Peltier. ISBN: 0-8493-0880-1
Information Technology Control and Audit, by Frederick Gallegos, Sandra Allen-Senft, and Daniel P. Manson. ISBN: 0-8493-9994-7
New Directions in Internet Management, edited by Sanjiv Purba. ISBN: 0-8493-1160-8
New Directions in Project Management, edited by Paul C. Tinnirello. ISBN: 0-8493-1190-X
A Practical Guide to Security Engineering and Information Assurance, by Debra Herrmann. ISBN: 0-8493-1163-2
The Privacy Papers: Managing Technology and Consumers, Employee, and Legislative Action, by Rebecca Herold. ISBN: 0-8493-1248-5
Secure Internet Practices: Best Practices for Securing Systems in the Internet and e-Business Age, by Patrick McBride, Joday Patilla, Craig Robinson, Peter Thermos, and Edward P. Moser. ISBN: 0-8493-1239-6
Securing and Controlling Cisco Routers, by Peter T. Davis. ISBN: 0-8493-1290-6
Securing E-Business Applications and Communications, by Jonathan S. Held and John R. Bowers. ISBN: 0-8493-0963-8
Securing Windows NT/2000: From Policies to Firewalls, by Michael A. Simonyi. ISBN: 0-8493-1261-2
TCP/IP Professional Reference Guide, by Gilbert Held. ISBN: 0-8493-0824-0
The Complete Book of Middleware, by Judith Myerson. ISBN: 0-8493-1272-8

AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail: [email protected]
AUERBACH PUBLICATIONS
A CRC Press Company
Boca Raton London New York Washington, D.C.
SECURING AND CONTROLLING CISCO ROUTERS
PETER T. DAVIS
This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted
with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been
made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the
validity of all materials or for the consequences of their use.
Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system,
without prior permission in writing from the publisher.
The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new
works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying.
Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for
identification and explanation, without intent to infringe.
Visit the Auerbach Publications Web site at www.auerbach-publications.com
© 2002 by CRC Press LLC
Auerbach is an imprint of CRC Press LLC
No claim to original U.S. Government works
International Standard Book Number 0-8493-1290-6
Library of Congress Card Number 2002019683
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
Printed on acid-free paper
Library of Congress Cataloging-in-Publication Data
Davis, Peter T.
Securing and controlling Cisco routers / Peter T. Davis.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-1290-6 (alk. paper)
1. Routers (Computer networks) 2. Computer networks--Security measures. I. Title.
TK5105.543 .D38 2002
004.6--dc21
2002019683
Dedication
To Thomas Finlay Brick,
welcome to the world,
with all its frailties.
Peter T. Davis
Contents at a Glance
SECTION I: THE BASICS
1 The Need for Security
2 Understanding OSI and TCP/IP
3 Routed and Routing Protocols
4 Understanding Router Basics
5 Router Management
SECTION II: PREVENTING UNAUTHORIZED ACCESS: NETWORKING DEVICE
6 Implementing Non-AAA Authentication
7 Implementing AAA Security Services
8 Implementing AAA Authentication
9 Implementing AAA Authorization
10 Implementing AAA Accounting
11 Configuring TACACS and Extended TACACS
12 Configuring TACACS+
13 Configuring RADIUS
14 Configuring Kerberos
SECTION III: PREVENTING UNAUTHORIZED ACCESS: NETWORKING
15 Basic Traffic Filtering, Part 1
16 Basic Traffic Filtering, Part 2
17 Advanced Traffic Filtering, Part 1
18 Advanced Traffic Filtering, Part 2
SECTION IV: PREVENTING NETWORK DATA INTERCEPTION
19 Using Encryption and IKE
20 Configuring IPSec
SECTION V: PREVENTING DENIAL-OF-SERVICE
21 Configuring Denial-of-Service Security Features
SECTION VI: PREVENTING FRAUDULENT ROUTE UPDATES AND OTHER UNAUTHORIZED CHANGES
22 Configuring Neighbor Authentication and Other Security Features
APPENDICES
Appendix A: IP Addressing
Appendix B: Subnetting
Appendix C: IP Protocol Numbers
Appendix D: Well-Known Ports and Services
Appendix E: Hacker, Cracker, Malware, and Trojan Horse Ports
Appendix F: ICMP Types and Codes
Appendix G: Determining Wildcard Mask Ranges
Appendix H: Logical Operations
Appendix I: Helpful Resources
Appendix J: Bibliography
Appendix K: Acronyms and Abbreviations
Appendix L: Glossary
Contents
SECTION I: THE BASICS
1 The Need for Security
The New Reality
Cost of Intrusions
Designing the Security Infrastructure
Security Policy
Security Plan
Phases of Securing a Network
Identifying Security Risks and Threats
Preventing Unauthorized Access into Networking Devices
Cisco IOS Password Vulnerability
Buffer Overflow Vulnerability
Leap Year Vulnerability
Request Authenticator Vulnerability
Preventing Unauthorized Access into Networks
ACL Vulnerability
Preventing Network Data Interception
ISAKMP Vulnerability
Preventing Denial-of-Service Attacks
CDP Vulnerability
ARP Vulnerability
NAT Vulnerability
Scanning Vulnerability
TCP Sequence Guessing Vulnerability
Preventing Fraudulent Route Updates
BGP Vulnerability
Preventing Unauthorized Changes
HTTP Vulnerability
Practice Session
Security and Audit Checklist
Conclusion
2 Understanding OSI and TCP/IP
The OSI Model
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data-Link Layer
Physical Layer
Encapsulation
Protocol Data Units
Frame
Packet
Datagram
Segment
Message
Cell
Data Unit
TCP/IP Overview
Internet Layer
Internet Protocol
Address Resolution Protocol and Reverse Address Resolution Protocol
Internet Control Message Protocol
Transport Layer
Transmission Control Protocol
TCP Connection
Socket
User Datagram Protocol
Practice Session
Security and Audit Checklist
Conclusion
3 Routed and Routing Protocols
Routing Activities
Path Determination
Logical and Hardware Addresses
Communication on the Same Subnet
Communication between Different Subnets
Packet Switching
Routing Tables
Routable Protocols
Routing Protocols
Routing Protocol Basics
Routing Algorithms
Routing Metrics
Types of Routing Protocols
Practice Session
Security and Audit Checklist
Conclusion
4 Understanding Router Basics
Router Overview
User Interface
User Mode
Privileged Mode
Context-Sensitive Help
Command History
Editing Commands
Router Modes
Router Components
Random Access Memory (RAM)
Non-Volatile RAM (NVRAM)
Flash
Read-Only Memory (ROM)
Interfaces
Router Status
Practice Session
Security and Audit Checklist
Conclusion
5 Router Management
Router Setup
Using the Setup Script
Using TFTP
Using Config Maker
Using the Command Line Interface
Using Boot System Commands
Updating the IOS
Using CPSWInst
Using TFTP
Troubleshooting
Using the Packet InterNetwork Groper (Ping)
Using Traceroute
Using Debug
Using Telnet
Using Cisco Discovery Protocol (CDP)
Logging
Console Port Logging
Saving Log Information
Syslog Servers
Recording Access List Violations
Log Processing
Simple Network Management Protocol (SNMP)
Non-Privileged Mode
Privileged Mode
Cisco Discovery Protocol
Last Word on Management
Practice Session
Security and Audit Checklist
Conclusion
SECTION II: PREVENTING UNAUTHORIZED ACCESS: NETWORKING DEVICE
6 Implementing Non-AAA Authentication
Authentication
Creating Strong Passcodes
Using Router Passwords
Enable Password
Enable Secret Password
Using Console and Auxiliary Passwords
Using Virtual Terminal Passwords
Configuring Privilege Levels
Setting Line Privilege
Encrypting Router Passwords
Getting Around Lost Passwords
Configuring Line Password Protection
Setting TACACS Passwords for Privileged EXEC Mode
Establishing Username Authentication
Enabling CHAP or PAP Authentication
Password Authentication Protocol
Challenge Handshake Authentication Protocol
Enabling PAP or CHAP
Inbound and Outbound Authentication
Enabling Outbound PAP Authentication
Creating a Common CHAP Password
Refusing CHAP Authentication Requests
Delaying CHAP Authentication until Peer Authenticates
Configuring TACACS and Extended TACACS
Password Protection
General Interactive Access
Controlling TTYs
Controlling VTYs and Ensuring VTY Availability
Warning Banners and Router Identification
Practice Session
Security and Audit Checklist
Conclusion
7 Implementing AAA Security Services
Accessing the Network
Looking at Dial-In Issues
Developing Your Policy
Authenticating Dial-In Users
Defining AAA
Authentication
Authorization
Accounting
Benefits of Using AAA
Implementing AAA
Method Lists
Using AAA
Setting up AAA
Enabling AAA
Using Security Servers
Applying a Method List
Selecting Security Servers
Looking at TACACS+
TACACS Authentication Examples
Looking at RADIUS
Looking at Kerberos
Practice Session
Security and Audit Checklist
Conclusion
8 Implementing AAA Authentication
Using Method Lists
Creating a Method List
AAA Authentication Methods
Configuring Log-In Authentication
Log-In Authentication Using Enable Password
Log-In Authentication Using Kerberos
Log-In Authentication Using Line Password
Log-In Authentication Using Local Password
Log-In Authentication Using RADIUS
Log-In Authentication Using TACACS+
Configuring PPP Authentication
PPP Authentication Using Kerberos
PPP Authentication Using Local Password
PPP Authentication Using RADIUS
PPP Authentication Using TACACS+
Configuring AAA Scalability for PPP Requests
Enabling Double Authentication
Understanding Double Authentication
Configuring Double Authentication
Access User Profile after Double Authentication
Enabling Automated Double Authentication
Troubleshooting Double Authentication
Configuring ARA Authentication
ARA Authentication Allowing Authorized Guest Log-Ins
ARA Authentication Allowing Guest Log-Ins
ARA Authentication Using Line Password
ARA Authentication Using Local Password
ARA Authentication Using TACACS+
Configuring NASI Authentication
NASI Authentication Using Enable Password
NASI Authentication Using Line Password
NASI Authentication Using Local Password
NASI Authentication Using TACACS+
Specifying the Amount of Time for Log-In Input
Enabling Password Protection at the Privileged Level
Changing the Text Displayed at the Password Prompt
Configuring Message Banners for AAA Authentication
Configuring a Log-In Banner
Configuring a Failed Log-In Banner
Log-In and Failed Log-In Banner Configuration Examples
Practice Session
Security and Audit Checklist
Conclusion
9 Implementing AAA Authorization
Starting with AAA Authorization
Understanding AAA Authorization
TACACS+ Authorization
If-Authenticated Authorization
None Authorization
Local Authorization
RADIUS Authorization
Kerberos Authorization
Disabling Authorization for Global Configuration Commands
Authorization for Reverse Telnet
Authorization Attribute-Value Pairs
Practice Session
Security and Audit Checklist
Conclusion
10 Implementing AAA Accounting
Starting with AAA Accounting
Configuring AAA Accounting
Named Method Lists for Accounting
Understanding AAA Accounting Types
Command Accounting
Connection Accounting
EXEC Accounting
Network Accounting
System Accounting
Applying a Named List
Suppress Generation of Accounting Records for Null Username Sessions
Generating Interim Accounting Records
Monitoring Accounting
Practice Session
Security and Audit Checklist
Conclusion
11 Configuring TACACS and Extended TACACS
Breaking Down the Protocols
Understanding the TACACS Protocols
Configuring TACACS and Extended TACACS
Establishing the TACACS Server Host
Enabling the Extended TACACS Mode
Disabling Password Checking at the User Level
Setting Optional Password Verification
Setting Notification of User Actions
Setting Authentication of User Actions
Setting Limits on Log-In Attempts
Setting TACACS Password Protection at the User Level
Setting TACACS Password Protection at the Privileged Level
Enabling TACACS and XTACACS for Use
Enabling Extended TACACS for PPP Authentication
Enabling Standard TACACS for ARA Authentication
Enabling Extended TACACS for ARA Authentication
Enabling TACACS to Use a Specific IP Address
Specifying a TACACS Host at Log-In
Practice Session
Security and Audit Checklist
Conclusion
12 Configuring TACACS+
Understanding the TACACS+ Protocol
Comparing TACACS+ and RADIUS
Transport Protocol
Packet Encryption
Authentication and Authorization
Multi-Protocol Support
Router Management
Interoperability
Overhead
Understanding TACACS+ Operation
TACACS+ Configuration Task List
Configuring TACACS+
Identifying the TACACS+ Server Host
Setting the TACACS+ Authentication Key
Specifying TACACS+ Authentication
Specifying TACACS+ Authorization
Specifying TACACS+ Accounting
TACACS+ AV Pairs
Practice Session
Security and Audit Checklist
Conclusion
13 Configuring RADIUS
RADIUS Overview
Cisco and Other Vendor Support
Using RADIUS
Understanding RADIUS Operation
RADIUS Configuration Task List
Configuring RADIUS
Configuring Router-to-RADIUS Server Communication
Configuring Router to Use Vendor-Specific RADIUS Attributes
Configuring Router for Vendor-Proprietary RADIUS Server Communication
Configuring Router to Query RADIUS Server for Static Routes and IP Addresses
Configuring Router to Expand Network Access Server Port Information
Specifying RADIUS Authentication
Specifying RADIUS Authorization
Specifying RADIUS Accounting
RADIUS Attributes
Vendor-Proprietary RADIUS Attributes
Practice Session
Security and Audit Checklist
Conclusion
14 Configuring Kerberos
Kerberos Overview
Supporting Kerberos Client
Authenticating to the Boundary Router
Obtaining a TGT from the KDC
Authenticating to Network Services
Configuring the Router to Use the Kerberos Protocol
Defining a Kerberos Realm
Copying SRVTAB Files
Retrieving a SRVTAB File from the KDC
Specifying Kerberos Authentication
Enabling Credentials Forwarding
Telneting to the Router
Establishing an Encrypted Kerberized Telnet Session
Enabling Mandatory Kerberos Authentication
Enabling Kerberos Instance Mapping
Mapping a Kerberos Instance to a Cisco IOS Privilege Level
Using Kerberos Preauthentication
Monitoring and Maintaining Kerberos
Practice Session
Security and Audit Checklist
Conclusion
SECTION III: PREVENTING UNAUTHORIZED ACCESS: NETWORKING
15 Basic Traffic Filtering, Part 1
Access List Overview
Understanding Access List Configuration
Creating Access Lists
Assigning a Unique Name or Number to Each Access List
Defining Criteria for Forwarding or Blocking Packets
Router as a Closed System: The Implied Deny All Traffic
Bringing Order to Chaos
Comparing Basic and Advanced Access Lists
Specifying Standard IP Access Lists
Using the Standard Access List
Netmasks and Wildcard Masks
Implicit Wildcard Masks
Understanding Sequential Rule Processing
Specifying Extended IP Access Lists
Creating Access Lists
Applying Access Lists to Interfaces
Creating and Editing Access List Statements on a TFTP Server
Practice Session
Security and Audit Checklist
Conclusion
16 Basic Traffic Filtering, Part 2
Extended IP Access Lists
Named Access Lists
Implementing Routing Policies
Prefix Lists
Monitoring and Verifying Access and Prefix Lists
Viewing Access List Counters
Viewing IP Accounting
Viewing Access List Counters
Practice Session
Security and Audit Checklist
Conclusion
17 Advanced Traffic Filtering, Part 1
Using Time Ranges