There are a number of configuration steps that can be taken to ensure the proper operation of your routers and switches. These steps will include applying patches as well as taking the time to configure the device for increased security. The more steps and time taken to patch and harden, the more secure it will be. The various steps that are available in a Cisco environment are detailed in the following sections.
Patches and updates released by the product vendor should be applied in a timely manner. Quick identification of potential problems and installation of patches to address newly discovered security vulnerabilities can make the difference between a minor inconvenience and a major security incident. To ensure you receive timely notification of such vulnerabilities, subscribe to your vendor’s e-mail notification services, as well as to general security mailing lists. The following are links to some popular lists.
Switch Security Practices
Network nodes are not directly aware that switches handle the traffic they send and receive, making switches the silent workhorse of a network. Other than offering an administrative interface, switches do not maintain layer three IP addresses, so hosts cannot send traffic to them directly. The primary attack against a switch is the ARP poisoning attack described earlier in the “Switches” section of this chapter.
However, the possibility of an ARP attack doesn’t mean switches cannot be used as security control devices. As mentioned earlier, MAC addresses are unique for every network interface card, and switches can be configured to allow only specific MAC addresses to send traffic through a specific port on the switch. This function is known as port security, and it is useful where physical control over a network port cannot be relied upon, such as in public kiosks. With port security, a malicious individual cannot unplug the kiosk, plug in a laptop, and use the switch port, because the laptop’s MAC will not match the kiosk’s MAC and the switch will deny the traffic. While it is possible to spoof a MAC address, locking a port to a specific MAC creates a hurdle for a would-be intruder.
Switches can also be used to create virtual local area networks (VLANs). VLANs are layer two broadcast domains, and they are used to further segment LANs. As described earlier, ARP broadcasts are sent to all hosts within the same VLAN. To communicate with a host that is not in your VLAN, the switch must pass your host’s packets to a layer three device, which routes them to the appropriate VLAN.
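The port security and VLAN configuration described above, shown as an added example in Cisco Catalyst IOS syntax (this is not configuration from the original text). The interface name FastEthernet0/1, the VLAN number 20, the VLAN name and the MAC address 0000.1111.2222 are assumed placeholders; substitute the port the kiosk is cabled to and the MAC address printed on its network card.

```cisco
! Added example (not from the original text): lock a kiosk-facing access port to
! one MAC address and place it in its own VLAN. Interface, VLAN and MAC are assumed.
Switch> enable
Switch# configure terminal
! Create a dedicated VLAN (broadcast domain) for kiosk ports
Switch(config)# vlan 20
Switch(config-vlan)# name KIOSKS
Switch(config-vlan)# exit
! Configure the kiosk port as an access port in that VLAN
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
! Enable port security: exactly one MAC address, statically defined,
! and shut the port down if any other MAC sends traffic on it
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 0000.1111.2222
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# end
! Verify the secure MAC, the violation mode and the violation count
Switch# show port-security interface FastEthernet0/1
```

With the shutdown violation mode, a frame from any other MAC address places the port in the err-disabled state, so it stays off until an administrator re-enables it with shutdown followed by no shutdown on the interface (or until errdisable recovery is configured). Because a MAC address can be spoofed, as the text notes, treat port security as one hurdle in a kiosk deployment rather than as the only control.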
Access Control Lists
Routers have the ability to perform IP packet filtering (packet filtering is discussed in detail in Chapter 11). Access control lists (ACLs) can be configured to permit or deny TCP and UDP traffic based on the source or destination address, or both, as well as on the TCP or UDP port numbers contained in a packet. While firewalls are capable of more in-depth inspection, strategically placed router ACLs can increase network security. For example, ACLs can be used on border routers to drop obviously unwanted traffic, removing the burden from the border firewalls. ACLs can also be used on WAN links to drop broadcast and other unnecessary traffic, thus reducing bandwidth usage.
A simple ACL in a Cisco router could be implemented with the following commands:
This basic ACL tells the router to disallow HTTP sessions with a source address of 10.1.2.3 to all destinations. The second line of the ACL permits all other traffic.
To enforce this ACL, it must be applied to an interface with the access-group command:
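The ACL described above, reconstructed as an added example in Cisco IOS syntax (not the original text’s own command listing). The ACL number 101 and the interface name FastEthernet0/0 are assumed; only the source address 10.1.2.3 and the deny-HTTP/permit-everything-else behaviour come from the text.

```cisco
! Added example (not from the original text): extended ACL 101 denies HTTP
! (TCP port 80, keyword www) from host 10.1.2.3 to any destination and
! permits all other IP traffic. ACL number and interface name are assumed.
Router> enable
Router# configure terminal
Router(config)# access-list 101 deny tcp host 10.1.2.3 any eq www
Router(config)# access-list 101 permit ip any any
! Apply the ACL to traffic entering the interface on which 10.1.2.3 is reachable
Router(config)# interface FastEthernet0/0
Router(config-if)# ip access-group 101 in
Router(config-if)# end
! Verify the entries and, after some traffic, the per-entry match counters
Router# show access-lists 101
```

IOS evaluates ACL entries top down and stops at the first match, and every ACL ends with an implicit deny of all traffic, which is why the explicit permit ip any any is required: without it the router would drop everything arriving on the interface. The direction keyword in filters packets as they enter the interface, so the ACL must be placed on the interface that receives packets from 10.1.2.3; eq www matches only TCP port 80, so HTTPS (port 443) from that host would still be permitted.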
Services Not in Use
As with general-purpose operating systems, routers run services that are extraneous to the job of routing packets. Disabling or protecting such services increases the overall security of the network.
Proxy ARP allows one host to respond to ARP requests on behalf of the real host. This is commonly used on a firewall that is proxying traffic for protected hosts. Cisco routers have Proxy ARP enabled by default, and this may allow an attacker to mount an ARP poisoning attack against a host that is not on the local subnet or VLAN.
To disable Proxy ARP on the first Ethernet interface of a Cisco router, issue the following commands while in configuration mode:
The Cisco Discovery Protocol
The Cisco Discovery Protocol (CDP) is a layer two protocol that enables Cisco routers and switches to locate and identify neighboring routers and switches. CDP packets contain information such as router IP addresses and software versions. An attacker who views such packets can gain valuable knowledge about network routers.
CDP can be disabled on a global or per-interface basis. To disable it globally enter the following commands:
Cisco routers provide a number of services that can be disabled if they are not needed. The following is a list of such services with instructions on how to disable them. These commands must be issued from configuration mode, accessed via the enable and config t commands.
While running, these services put the normal operation of the router at risk. For example, Cisco has indicated that it is possible to create a denial-of-service situation against a router running the diagnostic servers. The attack is mounted by sending a large number of requests to the echo, chargen, and discard ports from phony IP addresses. Each connection to the router consumes a small amount of CPU time, and a router overwhelmed by such requests can reach 100 percent CPU utilization, degrading performance for other services. Other attacks against these services have been discovered, including one against the Cisco TFTP server. Disabling extraneous services therefore also offers protection against flaws in those services that have not yet been discovered.
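The Proxy ARP, CDP and unused-service commands referred to in the three preceding passages, collected into one added example in Cisco IOS syntax (this is not the original text’s own listing). The interface names Ethernet0 and Ethernet1 and the TFTP image file name are assumed placeholders; the services shown are the ones the text names (Proxy ARP, CDP, the echo/chargen/discard diagnostic servers and the TFTP server).

```cisco
! Added example (not from the original text): disable Proxy ARP, CDP and the
! diagnostic and TFTP services discussed above. Interface names are assumed.
Router> enable
Router# configure terminal
! Proxy ARP is configured per interface; repeat for every interface
! that does not need to answer ARP on behalf of other hosts
Router(config)# interface Ethernet0
Router(config-if)# no ip proxy-arp
Router(config-if)# exit
! CDP: turn it off for the whole router ...
Router(config)# no cdp run
! ... or, if neighboring Cisco devices still need it elsewhere, turn it off
! only on the interface that faces untrusted hosts
Router(config)# interface Ethernet1
Router(config-if)# no cdp enable
Router(config-if)# exit
! TCP small servers (echo, chargen, discard, daytime) and
! UDP small servers (echo, chargen, discard)
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
! Built-in TFTP server: each "tftp-server <file>" line present in the running
! configuration must be negated individually (the file name here is a placeholder)
Router(config)# no tftp-server flash:IMAGE-FILE-NAME
Router(config)# end
! Verify: the interface display includes a "Proxy ARP is disabled" line,
! and CDP reports that it is not enabled
Router# show ip interface Ethernet0
Router# show cdp neighbors
Router# show running-config
```

The tcp-small-servers and udp-small-servers services are enabled by default only in IOS releases before 12.0; on later releases the no service commands are harmless if the servers are already off, and reviewing show running-config afterward confirms which of these settings is in effect on a given router.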
Additional information on the denial-of-service attack can be found at www.cisco.com/warp/public/707/3.pdf. The TFTP bug is documented at www.cisco.com/warp/public/707/ios-tftp-long-filename-pub.shtml.