
Network Hardening - Administration

This chapter focuses on using routers and switches to increase the security of the network as well as provide appropriate configuration steps for protecting the devices themselves against attacks. The chapter is from the book, Network Security: The Complete Reference, by Mark Rhodes-Ousley, Roberta Bragg, and Keith Strassberg (McGraw-Hill/Osborne, 2003, ISBN: 0072226978).

  1. Network Device Security
  2. Switches
  3. Routers
  4. Network Hardening
  5. Administrative Practices
  6. Centralizing Account Management
  7. SNMP and ICMP
By: McGraw-Hill/Osborne
May 25, 2004




There are a number of configuration steps that can be taken to ensure the proper operation of your routers and switches. These steps include applying patches as well as taking the time to configure each device for increased security. The more effort invested in patching and hardening, the more secure the device will be. The various steps that are available in a Cisco environment are detailed in the following sections.


Patches and updates released by the product vendor should be applied in a timely manner. Quick identification of potential problems and installation of patches to address newly discovered security vulnerabilities can make the difference between a minor inconvenience and a major security incident. To ensure you receive timely notification of such vulnerabilities, subscribe to your vendor’s e-mail notification services, as well as to general security mailing lists. The following are links to some popular lists.

Switch Security Practices

Network nodes are not directly aware that switches handle the traffic they send and receive, making switches the silent workhorse of a network. Other than offering an administrative interface, switches do not maintain layer three IP addresses, so hosts cannot send traffic to them directly. The primary attack against a switch is the ARP poisoning attack described earlier in the “Switches” section of this chapter.

However, the possibility of an ARP attack doesn’t mean switches cannot be used as security control devices. As mentioned earlier, MAC addresses are unique for every network interface card, and switches can be configured to allow only specific MAC addresses to send traffic through a specific port on the switch. This function is known as port security, and it is useful where physical control of the network port cannot be relied upon, such as in public kiosks. With port security, a malicious individual cannot unplug the kiosk, plug in a laptop, and use the switch port, because the laptop MAC will not match the kiosk’s MAC and the switch will deny the traffic. While it is possible to spoof a MAC address, locking a port to a specific MAC creates a hurdle for a would-be intruder.

Switches can also be used to create virtual local area networks (VLANs). VLANs are layer two broadcast domains, and they are used to further segment LANs. As described earlier, ARP broadcasts are sent between all hosts within the same VLAN. To communicate with a host that is not in your VLAN, the switch must pass the host’s packets to a layer three device, which routes them to the appropriate VLAN.

Access Control Lists

Routers have the ability to perform IP packet filtering (packet filtering is discussed in detail in Chapter 11). Access control lists (ACLs) can be configured to permit or deny TCP and UDP traffic based on the source or destination address, or both, as well as on the TCP or UDP port numbers contained in a packet. While firewalls are capable of more in-depth inspection, strategically placed router ACLs can increase network security. For example, ACLs can be used on border routers to drop obviously unwanted traffic, removing the burden from the border firewalls. ACLs can also be used on WAN links to drop broadcast and other unnecessary traffic, thus reducing bandwidth usage.

A simple ACL in a Cisco router could be implemented with the following commands:

router(config)#access-list 101 deny tcp host <source-address> any eq www
router(config)#access-list 101 permit ip any any

This basic ACL tells the router to disallow HTTP sessions from the specified source host to all destinations. The second line of the ACL permits all other traffic.

To enforce this ACL, it must be applied to an interface with the access-group command:

router(config)#interface ethernet 0
router(config-if)#ip access-group 101 in
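As an added illustration (not from the book), the following Python code reproduces the first-match evaluation a router applies to an extended ACL like the one above, including the implicit deny that ends every IOS access list. The blocked source host 192.0.2.10 and the addresses used to exercise it are constructed values.

```python
import ipaddress

# Constructed sample ACL mirroring the two-line ACL in the text. The blocked
# source host 192.0.2.10 is a documentation address chosen here, not one from the book.
ACL_101 = [
    "access-list 101 deny tcp host 192.0.2.10 any eq www",
    "access-list 101 permit ip any any",
]

# Port keywords IOS accepts after 'eq'; only the ones needed here are listed.
PORT_KEYWORDS = {"www": 80, "telnet": 23, "domain": 53, "smtp": 25}

def parse_entry(line):
    """Parse one extended ACL entry (a subset of IOS syntax) into a rule dict.
    Grammar handled: access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]
    where <src> and <dst> are either 'any' or 'host <ip>'."""
    tok = line.split()
    rule = {"action": tok[2], "proto": tok[3], "dst_port": None}
    i = 4
    for side in ("src", "dst"):
        if tok[i] == "any":
            rule[side] = ipaddress.ip_network("0.0.0.0/0")
            i += 1
        elif tok[i] == "host":
            rule[side] = ipaddress.ip_network(tok[i + 1] + "/32")
            i += 2
        else:
            raise ValueError("unsupported address form: " + tok[i])
    if i < len(tok) and tok[i] == "eq":
        port = tok[i + 1]
        rule["dst_port"] = PORT_KEYWORDS[port] if port in PORT_KEYWORDS else int(port)
    return rule

def evaluate(acl_lines, proto, src, dst, dst_port=None):
    """Return 'permit' or 'deny' for a packet using IOS first-match semantics.
    Entries are tested top to bottom; the first match decides. A packet that
    matches no entry falls through to the implicit deny that ends every IOS ACL."""
    for rule in map(parse_entry, acl_lines):
        if rule["proto"] != "ip" and rule["proto"] != proto:
            continue  # 'ip' matches every protocol; otherwise protocols must agree
        if ipaddress.ip_address(src) not in rule["src"]:
            continue
        if ipaddress.ip_address(dst) not in rule["dst"]:
            continue
        if rule["dst_port"] is not None and rule["dst_port"] != dst_port:
            continue
        return rule["action"]
    return "deny"  # implicit deny at the end of the list
```

Note that the same source host reaching a non-HTTP port, or any other host reaching port 80, falls through to the permit line, while an ACL consisting of the deny entry alone blocks everything because of the implicit deny.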

Services Not in Use

As with general purpose operating systems, routers run services that are extraneous to the process of routing packets. Taking steps to disable and protect such services can increase the overall security of the network.

Proxy ARP

Proxy ARP allows one host to respond to ARP requests on behalf of the real host. This is commonly used on a firewall that is proxying traffic for protected hosts. Cisco routers have Proxy ARP enabled by default, and this may allow an attacker to mount an ARP poisoning attack against a host that is not on the local subnet or VLAN.

To disable Proxy ARP on the first Ethernet interface of a Cisco router, issue the following commands while in configuration mode:

Router(config)#interface ethernet 0
Router(config-if)#no ip proxy-arp

The Cisco Discovery Protocol

The Cisco Discovery Protocol (CDP) is a layer two protocol that enables Cisco routers and switches to locate and identify neighboring routers and switches. CDP packets contain information such as router IP addresses and software versions. An attacker who views such packets can gain valuable knowledge about network routers.

CDP can be disabled on a global or per-interface basis. To disable it globally enter the following commands:

Router# config t
Router(config)# no cdp run

Extraneous Services

Cisco routers provide a number of services that can be disabled if they are not needed. The following is a list of such services with instructions on how to disable them. These commands must be issued from configuration mode, accessed via the enable and config t commands.

  • Diagnostic servers - Cisco routers have a number of diagnostic servers enabled for certain UDP and TCP services, including echo, chargen, and discard. These services can be disabled by issuing the following commands:
    no service udp-small-servers
    no service tcp-small-servers
  • BOOTP server - A Cisco router can be used to provide DHCP addresses to clients through the BOOTP service. This can be disabled by issuing this command:
    no ip bootp server
  • TFTP server - The Cisco Trivial File Transfer Protocol (TFTP) server can be used to simply transfer configuration files and software upgrades to and from the router. However, TFTP does not provide authentication or authorization services for its use. Most administrators run a TFTP server external to the router and enable it as needed. To disable the internal router TFTP server issue this command:
    no tftp-server
  • Finger server - The finger service can be queried to see who is logged in to the router and from where. To disable this source of information leakage, disable finger by issuing this command:
    no service finger
  • Web server - Cisco also provides a web server for making configuration changes. If the router will not be managed in this manner, the web server can be disabled with this command:
    no ip http server

These services pose security risks to the normal operation of the router while they are running. For example, Cisco has indicated that it is possible to create a denial-of-service situation with a router running the diagnostic servers. The attack is mounted by sending a large number of requests to echo, chargen, and discard ports from phony IP addresses. Each connection to the router will consume a small amount of CPU time, and if the router is overwhelmed by such requests, they will potentially consume 100 percent of the CPU, degrading performance for other services. Other attacks against these services have been discovered, including one against the Cisco TFTP server. Thus, disabling extraneous services offers protection against newly discovered flaws in these services.
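To check a saved configuration against the Proxy ARP, CDP and extraneous-service commands given in this section, here is an added Python audit (not from the book or from Cisco). The running-config excerpt it examines is constructed, and it looks only for the explicit disabling statements, so the default state of a service on a particular IOS release is deliberately not assumed.

```python
# Constructed 'show running-config' excerpt (not from the chapter): a router where some
# of the hardening commands above have been applied and others have not.
SAMPLE_CONFIG = """\
no service udp-small-servers
service tcp-small-servers
no ip bootp server
ip http server
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
!
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
!
"""
# Global disabling commands from the text, keyed by a short check name. Only the
# explicit statement counts, so an item left at its default is reported as well.
GLOBAL_CHECKS = {
    "udp-small-servers": "no service udp-small-servers",
    "tcp-small-servers": "no service tcp-small-servers",
    "bootp": "no ip bootp server",
    "tftp": "no tftp-server",
    "finger": "no service finger",
    "http": "no ip http server",
    "cdp": "no cdp run",
}

def audit_config(config):
    """Map each check to True (explicitly disabled) or False (not disabled)."""
    lines = [line.rstrip() for line in config.splitlines()]
    global_lines = {line for line in lines if not line.startswith(" ")}
    findings = {name: cmd in global_lines for name, cmd in GLOBAL_CHECKS.items()}
    # Proxy ARP is per interface: every 'interface' block needs 'no ip proxy-arp'.
    current = None
    for line in lines:
        if line.startswith("interface "):
            current = line.split()[1]
            findings["proxy-arp " + current] = False
        elif current and line.startswith(" "):
            if line.strip() == "no ip proxy-arp":
                findings["proxy-arp " + current] = True
        else:
            current = None  # '!' or another global command ends the block
    return findings

def missing(config):
    """Sorted names of hardening items the configuration does not disable."""
    return sorted(name for name, ok in audit_config(config).items() if not ok)
```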

Additional information on the denial-of-service attack can be found at www.cisco.com/warp/public/707/3.pdf. The TFTP bug is documented at www.cisco.com/warp/public/707/ios-tftp-long-filename-pub.shtml.

This chapter is from Network Security: The Complete Reference, by Mark Rhodes-Ousley, Roberta Bragg, and Keith Strassberg (McGraw-Hill/Osborne, 2003, ISBN: 0072226978).
