Friday, January 2, 2015

CCNP Security: SENSS Part 1-3

1.3 Configure device hardening per best practices


1.3.a Routers
Source: http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Management Plane

  • Passwords
    • Enable MD5 hashing (secret option) for enable and local user passwords
    • Configure the password retry lockout
    • Disable password recovery (consider risk)
  • Disable unused services
  • Configure TCP keepalives for management sessions
  • Set memory and CPU threshold notifications
  • Configure
    • Memory and CPU threshold notifications
    • Reserve memory for console access
    • Memory leak detector
    • Buffer overflow detection
    • Enhanced crashinfo collection
  • Use iACLs to restrict management access
  • Filter (consider risk)
    • ICMP packets
    • IP fragments
    • IP options
    • TTL value in packets
  • Control Plane Protection
    • Configure port filtering
    • Configure queue thresholds
  • Management access
    • Use Management Plane Protection to restrict management interfaces
    • Set exec timeout
    • Use an encrypted transport protocol (such as SSH) for CLI access
    • Control transport for vty and tty lines (access class option)
    • Warn using banners
  • AAA
    • Use AAA for authentication and fallback
    • Use AAA (TACACS+) for command authorization
    • Use AAA for accounting
    • Use redundant AAA servers
  • SNMP
    • Configure SNMPv2 communities and apply ACLs
    • Configure SNMPv3
  • Logging
    • Configure centralized logging
    • Set logging levels for all relevant components
    • Set logging source-interface
    • Configure logging timestamp granularity
  • Configuration Management
    • Replace and rollback
    • Exclusive Configuration Change Access
    • Software resilience configuration
    • Configuration change notifications
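
The management-plane items above applied together on an IOS router, as an added example (not from the Cisco source document). The hostname, the MGMT-HOSTS ACL and its 10.0.0.0/24 management subnet, the TACACS+ server TAC1 and group TACACS-GRP, the Loopback0 and GigabitEthernet0/0 interfaces, the threshold values and every <...> secret are assumptions to replace with site values.

```text
! Passwords: hashed secrets, retry lockout, password recovery disabled (consider risk)
hostname EDGE-RTR
service password-encryption
enable secret <strong-enable-secret>
username netadmin privilege 15 secret <strong-user-secret>
login block-for 120 attempts 3 within 60
no service password-recovery
! Disable unused services, enable TCP keepalives for management sessions
no ip http server
no ip http secure-server
no ip bootp server
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
! Reserve memory for console access, memory and CPU threshold notifications
memory reserve critical 1000
memory free low-watermark processor 20000
process cpu threshold type total rising 80 interval 5 falling 40 interval 5
! iACL for management, SSH-only vty access, exec timeouts, banner, MPP
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
ip ssh version 2
line con 0
 exec-timeout 10 0
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
banner login # Authorized users only. Activity is monitored. #
control-plane host
 management-interface GigabitEthernet0/0 allow ssh snmp
! AAA: TACACS+ for login, command authorization and accounting, local fallback
aaa new-model
tacacs server TAC1
 address ipv4 10.0.0.10
 key <tacacs-key>
aaa group server tacacs+ TACACS-GRP
 server name TAC1
aaa authentication login default group TACACS-GRP local
aaa authorization exec default group TACACS-GRP local
aaa authorization commands 15 default group TACACS-GRP local
aaa accounting exec default start-stop group TACACS-GRP
aaa accounting commands 15 default start-stop group TACACS-GRP
! SNMP: v3 auth/priv restricted by the ACL; a v2c community only with the same ACL
snmp-server group SNMP-RO v3 priv access MGMT-HOSTS
snmp-server user snmpmon SNMP-RO v3 auth sha <auth-pass> priv aes 128 <priv-pass>
snmp-server community <non-default-string> RO MGMT-HOSTS
! Logging: msec timestamps, local buffer, fixed source interface, central syslog
service timestamps log datetime msec localtime show-timezone
logging buffered 65536 informational
logging source-interface Loopback0
logging host 10.0.0.20
! Configuration management: archive for replace/rollback, change notifications,
! exclusive configuration change access
archive
 path flash:archive
 maximum 10
 log config
  logging enable
  notify syslog
configuration mode exclusive auto
```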

Control Plane

  • Disable (consider risk)
    • ICMP redirects
    • ICMP unreachables
    • Proxy ARP
  • Configure NTP authentication if NTP is being used
  • Configure Control Plane Policing/Protection (port filtering, queue thresholds)
  • Secure routing protocols
    • BGP (TTL, MD5, maximum prefixes, prefix lists, AS path ACLs)
    • IGP (MD5, passive interface, route filtering, resource consumption)
  • Configure hardware rate limiters
  • Secure First Hop Redundancy Protocols (GLBP, HSRP, VRRP)

Data Plane

  • Configure IP Options Selective Drop
  • Disable (consider risk)
    • IP source routing
    • IP Directed Broadcasts
    • ICMP redirects
  • Limit IP Directed Broadcasts
  • Configure tACLs (consider risk)
    • Filter ICMP
    • Filter IP fragments
    • Filter IP options
    • Filter TTL values
  • Configure required anti-spoofing protections
    • ACLs
    • IP Source Guard
    • Dynamic ARP Inspection
    • Unicast RPF
    • Port security
  • Control Plane Protection (control-plane cef-exception)
  • Configure NetFlow and classification ACLs for traffic identification
  • Configure required access control ACLs (VLAN maps, PACLs, MAC)
  • Configure Private VLANs
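
The control- and data-plane items above applied on the same router, as an added example (not from the Cisco source). It assumes GigabitEthernet0/1 faces an untrusted eBGP peer 192.0.2.1 in AS 65002, GigabitEthernet0/2 is an internal OSPF/HSRP segment, 10.0.0.0/8 is internal address space and 10.0.0.0/24 is the management subnet; the CoPP rates, prefix limits and every <...> key are placeholders.

```text
! NTP: accept time only from a server that signs with a trusted key
ntp authenticate
ntp authentication-key 1 md5 <ntp-key>
ntp trusted-key 1
ntp server 10.0.0.30 key 1
! CoPP: police what is punted to the route processor, management traffic first
ip access-list extended COPP-MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
class-map match-all CM-MGMT
 match access-group name COPP-MGMT
policy-map COPP
 class CM-MGMT
  police 512000 conform-action transmit exceed-action drop
 class class-default
  police 256000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
! BGP: MD5, TTL security (GTSM), maximum prefixes, prefix list and AS path filter
ip prefix-list FROM-PEER seq 5 deny 10.0.0.0/8 le 32
ip prefix-list FROM-PEER seq 10 permit 0.0.0.0/0 le 24
ip as-path access-list 10 permit ^65002(_[0-9]+)*$
router bgp 65001
 neighbor 192.0.2.1 remote-as 65002
 neighbor 192.0.2.1 password <bgp-md5-key>
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.1 maximum-prefix 1000 90
 neighbor 192.0.2.1 prefix-list FROM-PEER in
 neighbor 192.0.2.1 filter-list 10 in
! IGP: MD5 and passive by default; HSRP authenticated
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/2
 area 0 authentication message-digest
interface GigabitEthernet0/2
 ip address 10.1.1.2 255.255.255.0
 ip ospf message-digest-key 1 md5 <ospf-key>
 standby 1 ip 10.1.1.1
 standby 1 authentication md5 key-string <hsrp-key>
! Data plane: no source routing, drop packets with IP options, transit ACL
! (the fragment, option and TTL filters carry the "consider risk" caveat)
no ip source-route
ip options drop
ip access-list extended TACL-IN
 deny   ip any any fragments
 deny   ip any any option any-options
 deny   ip any any ttl lt 6
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   icmp any any redirect
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit icmp any any echo-reply
 permit tcp any any established
 deny   ip any any log
ip flow-export version 9
ip flow-export destination 10.0.0.40 9996
! Untrusted interface: redirects, unreachables, proxy ARP and directed
! broadcasts off; strict uRPF, transit ACL and NetFlow on
interface GigabitEthernet0/1
 description untrusted upstream
 ip address 192.0.2.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 ip verify unicast source reachable-via rx
 ip access-group TACL-IN in
 ip flow ingress
```
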

1.3.b Switches
See above, where applicable.

1.3.c Firewalls 
Source: http://www.cisco.com/web/about/security/intelligence/firewall-best-practices.html

Best Practices Checklist

Management Plane Checks
Disable Console Logging - Firewall

Requirement: Disable Console Logging
Severity: Low
Best practice: Ensure console logging is disabled or set to critical. Although useful for troubleshooting from the console port, it is possible that excessive log messages on the console could make it impossible to manage the device, even from the console.
Command: 
no logging console
- or -
logging console critical

Enable Logging - Firewall

Requirement: Enable Logging
Severity: Info
Best practice: Check that event logging on the firewall is enabled. Logging a firewall's activities and status offers several benefits. Using the information in a log, the administrator can tell whether the firewall is working properly or whether it has been compromised. In some cases, it can show what types of probes or attacks are being attempted against the firewall or the protected network. If logging is disabled, the events that happen on the firewall are not logged anywhere. This may make it harder to troubleshoot network issues. It may also cause some problems, including attempted attacks, to go unnoticed, as well as prevent the collection of evidence about any unauthorized activity. If logging is enabled, ensure the log messages are sent only to trusted hosts on a protected network so the logs cannot be compromised and cannot be viewed by anyone who is not authorized to view them.
Command: 
logging on | logging enable

Requirement: Enable Logging Timestamp
Severity: Low
Best practice: Timestamps should be enabled for log messages, which will facilitate interpretation of the messages for troubleshooting and investigating network attacks. Ensure that the date/time is correctly set (if NTP is not configured) so that the timestamps provide the proper day/time of the log messages. If the timestamps are not shown in the log messages, it may not be possible to sense the order of events occurring in the network.
Command: 
logging timestamp

Requirement: Enable Logging to Buffer
Severity: Low
Best practice: Cisco devices can store log messages in memory. The buffered data is available only from an exec or enabled exec session, and it is cleared when the device reboots. This form of logging is useful, even though it does not offer enough long-term protection for the logs. Buffered logging keeps the log messages in RAM on the device. A logging buffer must be configured on the device, and this buffer is circular, meaning that when it fills up, the oldest log message is deleted to make room for the new message. If buffer logging is not enabled, it will not be possible to view the most recent log messages on the device for troubleshooting or monitoring purposes.
Command: 
logging buffered <level>

Requirement: Log Messages to a Syslog Server
Severity: Info
Best practice: Cisco devices can be configured to forward log messages to an external Syslog service. It is highly recommended that networks implement a logging structure based on a Syslog infrastructure. Proactive monitoring of firewall logs is an integral part of Security Admin duties. The firewall syslogs are useful for forensics, network troubleshooting, security evaluation, worm and virus attack mitigation, and so on. This is a scalable solution, which provides long-term storage capabilities and a central location for all device messages.
Command: 
logging host <interface-name> <ipAddress>

Secure Device Access - Firewall

Requirement: Restrict HTTP Access to Certain Addresses
Severity: Info
Best practice: Specifies the hosts that can access the HTTP server internal to the FWSM, so the addresses allowed to access the firewall using HTTP can be restricted. Any undefined IP address will not see the prompt at all.
Command: 
http <ip-address> <net-mask> <interface name>

Requirement: Restrict SSH Access to Certain Addresses
Severity: Medium
Best practice: The addresses allowed to access the firewall using SSH can be restricted. Any undefined IP address will not see the prompt at all.
Command: 
ssh <ip-address> <net-mask> <interface name> 

Requirement: Restrict Telnet Access to Certain Addresses
Severity: Medium
Best practice: The addresses allowed to access the firewall using Telnet can be restricted. Any undefined IP address will not see the prompt at all.
Command: 
telnet <ip-address> <net-mask> <interface name> 

Requirement: Set Enable Password
Severity: Info
Best practice: Set the enable password to secure access to the privileged level. Access to the privileged EXEC mode (enable mode) should be protected by requiring a password; otherwise a user logged in to user mode can access enable mode.
Command: 
enable password <password>

Requirement: Set Password
Severity: Info
Best practice: To set the login password, use the passwd command in global configuration mode. You are prompted for the login password when you access the CLI as the default user using Telnet or SSH. After you enter the login password, you are in user EXEC mode.
Command: 
passwd <password>

Requirement: Set Suitable Console Timeout
Severity: Low
Best practice: For console connections the idle timeout must be configured to avoid an undesirable open and unattended console connection to the firewall.
Command: 
console timeout <timeout value in minutes>

Requirement: Set Suitable SSH Timeout
Severity: Low
Best practice: For SSH connections the idle timeout must be configured to avoid undesirable, unattended open SSH connections to the firewall.
Command: 
ssh timeout <timeout in minutes> 

Requirement: Set Suitable Telnet Timeout
Severity: Low
Best practice: For Telnet connections the idle timeout must be configured to avoid an undesirable open and unattended Telnet connection to the firewall.
Command: 
telnet timeout <timeout in minutes> 

Requirement: Use Warning Banner Messages
Severity: Low
Best practice: Use of configurable, personalized login and failed-login banners is recommended. This feature lets you change the default message for login and failed-login. You can configure message banners that will be displayed when a user logs in to the system.
Command: 
banner <banner-message>

Secure Interactive Access Using AAA - Firewall

Requirement: Define AAA Server with Key
Severity: Medium
Best practice: An Authentication, Authorization and Accounting (AAA) server is recommended to store all the usernames, passwords and privilege levels in one single repository. The AAA server should be configured with a key for authentication and encryption.
Command: 
aaa-server TACACS+ <interface> host <ipAddress> <key> 

Requirement: Use AAA Accounting
Severity: Low
Best practice: When you configure the aaa accounting command, each command other than show commands entered by an administrator is recorded and sent to the accounting server or servers.
Command: 
aaa accounting command EXAUTH LOCAL

Requirement: Use AAA Authentication for Enable Mode
Severity: Medium
Best practice: Authenticates users who access privileged EXEC mode when they use the enable command. An external server may be used for authentication, with fallback to the local database if the external authentication server is down.
Command: 
aaa authentication enable console RADIUS LOCAL

Requirement: Use AAA Authentication for HTTP
Severity: Medium
Best practice: If aaa authentication http console command is not defined, you can gain access to the FWSM (via ASDM) with no username and the FWSM enable password (set with the enable password command).
Command: 
aaa authentication http console RADIUS LOCAL 

Requirement: Use AAA Authentication for SSH
Severity: Info
Best practice: Before the firewall can authenticate a Telnet or SSH user, we must first configure access to the firewall using the telnet or ssh commands. These commands identify the IP addresses that are allowed to communicate with the firewall.
Command: 
aaa authentication ssh console RADIUS LOCAL

Requirement: Use AAA Authentication for Telnet
Severity: Medium
Best practice: Before the firewall can authenticate a Telnet or SSH user, we must first configure access to the firewall using the telnet or ssh commands. These commands identify the IP addresses that are allowed to communicate with the firewall.
Command: 
aaa authentication telnet console RADIUS LOCAL 

Requirement: Use AAA Authorization
Severity: Low
Best practice: The aaa authorization command specifies whether command execution at the CLI is subject to authorization. If you enable TACACS+ command authorization, and a user enters a command at the CLI, the FWSM sends the command and username to the TACACS+ server to determine if the command is authorized. When configuring command authorization with a TACACS+ server, do not save your configuration until you are sure it works the way you want. If you get locked out because of a mistake, you can usually recover access by restarting the FWSM.
Command: 
aaa authorization command TACACS LOCAL

Requirement: Use Local Login as Backup to AAA
Severity: Info
Best practice: While configuring external authentication it is advisable to keep the local database check as a fallback option.
Command: 
aaa authentication http console RADIUS LOCAL

Secure Management Protocols - Firewall

Requirement: Authenticate NTP Updates
Severity: Medium
Best practice: Network Time Protocol (NTP) is a UDP-based protocol used to synchronize clocks among network devices. NTP is especially useful to ensure that timestamps on log messages are consistent throughout the entire network. It is recommended to authenticate NTP updates so that time is synchronized with approved servers only.
Command: 
ntp authentication-key <key-id> md5 <key>

Requirement: Change Default Community String
Severity: High
Best practice: The default community strings "public" and "private" are well known. These should always be changed to more secure strings.
Command: 
snmp-server community <non-default-string> 

Requirement: Define SNMP Server Host
Severity: Low
Best practice: SNMP is an application-layer communication protocol that allows ONS 15454 network devices to exchange management information among these systems and with other devices outside the network. SNMP is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention.
Command: 
snmp-server host 

Requirement: Disable SNMP if not used
Severity: Low
Best practice: SNMP Protocol should be disabled if not used in the network. If used, access to SNMP service should be protected using appropriate mechanisms like ACLs.
Command: 
no snmp-server 

Requirement: Enable SNMP Trap Logging
Severity: Low
Best practice: SNMP traps are used to report an alert or other asynchronous event about a managed firewall.
Command: 
snmp-server enable traps

Requirement: Use NTP to Synch Network Clocks
Severity: Medium
Best practice: Network Time Protocol (NTP) is a UDP-based protocol used to synchronize clocks among network devices. NTP is especially useful to ensure that timestamps on log messages are consistent throughout the entire network.
Command: 
ntp server <ntp server name> source <interface> 

Control Plane Checks
Disable Unneeded Services - Firewall

Requirement: Check if Failover is used
Severity: Info
Best practice: This rule checks if failover is configured on the firewall devices.
Command: 
failover 

Requirement: Disable HTTP session replication
Severity: Info
Best practice: The replication of HTTP session data to the failover firewall should be disabled unless the firewall is not expected to be under extreme load and the HTTP session data is highly critical. Given the short duration of HTTP sessions, the low probability of firewall failure and the design of most applications, this is not likely to be needed. This rule checks only firewalls with failover configured.
Command: 
no failover replication http

Requirement: Disable Proxy ARPs
Severity: Low
Best practice: Proxy ARP allows a firewall to extend the network at layer 2 across multiple interfaces (i.e. LAN segments). Hence proxy ARP allows hosts from different segments to function as if they were on the same subnet, and is only safe when used between trusted LAN segments. Attackers can use the trusting nature of proxy ARP by spoofing a trusted host and intercepting packets. Because of this inherent security weakness, proxy ARP should be disabled on interfaces that do not require it, especially those interfaces that connect to untrusted networks.
Command: 
sysopt noproxyarp <interface>

Requirement: Limit ICMP responses on interfaces
Severity: Low
Best practice: It is preferable to disable ICMP at least on outside interfaces. By default (when no ICMP control list is configured), the PIX/ASA/FWSM accepts all ICMP traffic that terminates at any interface, including the outside interface. This will depend on the customer policy.
Command: 
icmp permit <acl> <interface> 


Data Plane Checks

Data Plane - Firewall

Requirement: Enable uRPF anti-spoofing
Severity: Info
Best practice: Anti-spoofing should be configured on all outside interfaces. This rule checks if uRPF is enabled on any one interface.
Command: 
ip verify reverse-path interface <interface-name> 
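
The firewall checks above applied together on an ASA, as an added example (not part of the Cisco checklist): TACACS+ with LOCAL fallback for all interactive access, HTTP/SSH management restricted to the 10.0.0.0/24 inside subnet, and Telnet left unconfigured. Interface names, addresses, the TACACS-GRP name and every <...> value are assumptions.

```text
! Management plane: logging (console off or critical, timestamps, buffer, syslog)
no logging console
logging enable
logging timestamp
logging buffered informational
logging host inside 10.0.0.20
! Management plane: restrict HTTP (ASDM) and SSH to the management subnet,
! idle timeouts, passwords, banner; Telnet is deliberately not configured
http server enable
http 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
console timeout 10
enable password <strong-enable-password>
passwd <strong-login-password>
username netadmin password <strong-user-password> privilege 15
banner login Authorized users only. Activity is monitored.
! Management plane: AAA server with key, TACACS+ first, LOCAL as fallback
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (inside) host 10.0.0.10 <tacacs-key>
aaa authentication ssh console TACACS-GRP LOCAL
aaa authentication http console TACACS-GRP LOCAL
aaa authentication enable console TACACS-GRP LOCAL
aaa authorization command TACACS-GRP LOCAL
aaa accounting command TACACS-GRP
! Management plane: authenticated NTP, non-default SNMP community, traps
ntp authenticate
ntp authentication-key 1 md5 <ntp-key>
ntp trusted-key 1
ntp server 10.0.0.30 key 1 source inside
snmp-server community <non-default-string>
snmp-server host inside 10.0.0.50 community <non-default-string> version 2c
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Control plane: failover (LAN and state links assumed configured), no HTTP
! replication, no proxy ARP on the outside, ICMP accepted only from the inside subnet
failover
no failover replication http
sysopt noproxyarp outside
icmp deny any outside
icmp permit 10.0.0.0 255.255.255.0 inside
! Data plane: uRPF anti-spoofing on the outside interface
ip verify reverse-path interface outside
```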



CCNP Security: SENSS Part 1-2

1.2 Implement Layer 2 Security

1.2.a Configure DHCP snooping
DHCP snooping protects the LAN from rogue DHCP servers, which could be used to mount a MitM or DoS attack.  DHCP snooping drops DHCP server messages received on untrusted interfaces.  This is performed by maintaining a DHCP snooping binding table, which contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information for hosts on the untrusted interfaces of the switch.  The binding table is stored as a flat configuration file in flash.  Untrusted interfaces are used for hosts; trusted interfaces are used for upstream switches, networking devices, and DHCP servers.

Enable DHCP snooping globally on the switch
Switch(config)# ip dhcp snooping

Enable DHCP snooping per vlan
Switch(config)# ip dhcp snooping vlan number | vlan range

Configure errdisable recovery for DHCP rate-limit violations, and the recovery interval
Switch(config)# errdisable recovery cause dhcp-rate-limit
Switch(config)# errdisable recovery interval seconds

Per-VLAN errdisable detection, with shutdown as the default action on a violation
Switch(config)# errdisable detect cause dhcp-rate-limit action shutdown vlan

Configure the interface as trusted or untrusted.  By default, interfaces are untrusted
Switch(config-if)# ip dhcp snooping trust

Verification
Switch# show ip dhcp snooping

Rate limiting function can be used to prevent a DoS attack.  When the threshold is breached, the port is placed in an errdisabled state.
Switch(config-if)# ip dhcp snooping limit rate 100

It is recommended to store the DHCP snooping database file off the switch, on a remote server.
Switch(config)# ip dhcp snooping database tftp://x.x.x.x/directory/file
Switch# show ip dhcp snooping database detail

It may be necessary to manually read the database entries back in from a TFTP file.  To do so, and to verify the result:
Switch# show ip dhcp snooping database
Switch# renew ip dhcp snooping database url
Switch# show ip dhcp snooping database
Switch# show ip dhcp snooping binding


1.2.b Describe dynamic ARP inspection
DAI is used to help prevent MitM attacks conducted via ARP poisoning.  It inspects the ARP packets passing through the switch in real time.  The source information used to verify legitimate ARP traffic is pulled from the DHCP snooping binding table.  If DHCP snooping is not configured, all ARP traffic will be dropped.  By default, ports are placed in the untrusted state for DAI.  After configuring DHCP snooping, configure the trusted ports at the interface level, then enable DAI on the desired VLAN(s):
Switch(config-if)# ip arp inspection trust
Switch(config)# ip arp inspection vlan number

Devices assigned static IPs will need to either be added to an ARP ACL entry, or have their port placed in the trusted state, since their MAC and IP will never be seen by DHCP snooping.

DAI has two blocking mechanisms: rate limiting of ARP packets (default value is 15/s), and dropping ARP messages which do not match the DHCP snooping table (for example, ARP poisoning attacks directed at the gateway and a host on the network by abusing the gratuitous ARP reply function).


1.2.c Describe storm control
The storm control feature is used to prevent traffic disruption on ports experiencing a broadcast, multicast, or unicast traffic storm.  It monitors traffic levels over a one-second interval and compares the traffic rate with the configured storm control level, which is a percentage of the total bandwidth of the port.  If the threshold is exceeded during the one-second interval, suppression of that traffic is engaged.  Whether this feature operates in hardware or software depends on the switch model.
switch(config-if)# storm-control broadcast level level
switch(config-if)# storm-control action shutdown | trap 
switch# show storm-control


1.2.d Configure port security
Port security is used to control traffic from both static and dynamically learned MAC addresses on a switch's access ports.  It can also be used to limit the number of hosts allowed to send traffic across an access port.

Violation modes
Protect: drops packets from unknown source addresses (e.g. hosts over the limit)
Restrict: drops packets and increments the SecurityViolation counter
Shutdown: places the interface in the err-disabled state and sends an SNMP trap

switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum number
switch(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
OR
switch(config-if)# switchport port-security mac-address sticky
switch(config-if)# switchport port-security aging time minutes
switch(config-if)# switchport port-security aging type interval | inactivity
switch(config)# errdisable recovery cause psecure-violation
switch(config)# errdisable recovery interval seconds


1.2.e Describe common Layer 2 threats and attacks and mitigation

VLAN Hopping
1.  The attacker crafts DTP packets to negotiate a trunk (ISL or 802.1Q) on an access port.
2.  The attacker crafts frames that are twice encapsulated with VLAN IDs (double tagging).

Mitigation:
Disable DTP on user facing ports (switchport mode access, switchport nonegotiate).
Do not use VLAN 1.
Use a dedicated VLAN for trunk ports.
Explicitly configure trunking on trusted ports.
Use tagged mode for the native VLAN on trunks.
Disable unused ports.

CAM table overflow
The attacker sends thousands of frames per second with bogus source MAC addresses, causing the switch's CAM table to overflow.  Traffic must then be flooded out all ports, effectively turning the switch into a hub.

Mitigation:
Use port security to limit the number of learned MAC addresses per interface.

DHCP starvation attack
Attacker tries to lease all of the available DHCP addresses within a DHCP scope.

Mitigation:
Use port security to limit the number of L2 addresses that can transit a port.

Rogue DHCP server attack
The attacker stands up a rogue DHCP server and can then control the users' default gateway, IP addressing, and DNS server.  Commonly used for DoS and MitM attacks.

Mitigation: Use DHCP snooping

ARP Poisoning
The attacker abuses the gratuitous ARP feature to claim ownership of a target host's IP address.  Commonly used to poison the gateway and target host(s) and perform a MitM attack.  The attack can furthermore be refined with tools such as SSLstrip to decrypt SSH/SSL traffic.

Mitigation: Use DAI

MAC Spoofing attack
The attacker spoofs a MAC address to impersonate other hosts on the LAN.

Mitigation: DHCP snooping, DAI, IPSG

STP Attacks
The attacker can impersonate the root bridge and force an STP election to occur, then execute a MitM or DoS attack.

Mitigation: BPDU filter and Root Guard

CDP Attacks
The attacker can crash IOS devices by flooding CDP advertisements and consuming too much memory.

Mitigation: Disable CDP unless it is required.

1.2.f Describe MACSec
MACsec is the IEEE 802.1AE standard.  It is used in conjunction with 802.1X, which provides the authentication mechanism.
It ensures data confidentiality by providing symmetric encryption at Layer 2.
It provides integrity by ensuring data cannot be modified in transit.
MACsec encrypts frames hop by hop at Layer 2.
AnyConnect can be used as a supplicant.


1.2.g Configure IP source verification
IP Source Guard requires DHCP snooping to be configured.  It is used to prevent hosts from spoofing the IP addresses of other hosts in the network, and is enabled per interface.  The switch blocks all IP traffic received on the interface except for packets permitted via the DHCP snooping binding table.  It can also filter source MAC addresses.

switch(config-if)# ip verify source
switch(config-if)# ip verify source port-security
switch# show ip verify source
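
The Layer 2 features from 1.2.a through 1.2.g combined on one access switch, as an added example (not from the original notes): DHCP snooping feeding DAI and IP Source Guard, port security, storm control, and the VLAN hopping, STP and CDP mitigations. VLAN numbers, the TFTP URL, the static host in the ARP ACL, the rate and threshold values and the interface numbers are assumptions.

```text
! DHCP snooping: global, per VLAN, database kept off the switch (feeds DAI and IPSG)
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping database tftp://10.0.0.60/snoop/access1.db
! DAI on the same VLAN, with extra validation of the ARP body
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! Static host never seen by DHCP snooping: permit it through an ARP ACL
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
! Automatic recovery from errdisable caused by these features
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery cause psecure-violation
errdisable recovery interval 300
! VLAN hopping: tag the native VLAN on all trunks; VLAN 1 is not used anywhere
vlan dot1q tag native
! Uplink: explicit trunk, no DTP, trusted for DHCP snooping and DAI
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,999
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
! User ports: untrusted, rate limited, IPSG with MAC check, port security,
! storm control, BPDU guard, CDP off
interface range GigabitEthernet1/0/1 - 39
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 switchport port-security aging time 60
 switchport port-security aging type inactivity
 ip verify source port-security
 storm-control broadcast level 10.00
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
! Unused ports: shut down and parked in an unused VLAN
interface range GigabitEthernet1/0/40 - 47
 switchport access vlan 666
 shutdown
! Verification (exec mode)
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip verify source
show port-security interface GigabitEthernet1/0/1
```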