Cisco routers can also be monitored and managed via Simple Network Management Protocol (SNMP), which provides a centralized mechanism for monitoring and configuring routers. SNMP can be used to monitor such things as link operation and CPU load. In addition, managed devices can alert personnel to detected problems by sending traps to configured consoles. Traps are unsolicited messages that a device will send when a configured threshold is exceeded or a failure occurs. SNMP consoles can be used to proactively monitor network devices and generate alerts if connectivity is lost.
The following commands will configure SNMP community strings, as well as configure SNMP traps with a network management host:
One very important step when configuring SNMP is to change the community strings from their defaults of public for read-only (RO) and private for read-write (RW) access. Treat community strings as passwords: anyone who knows the RW string can reconfigure the router over SNMP, so do not define an RW string at all unless the device is actually configured through SNMP.
To further protect SNMP communications, configure an ACL on the interface containing the following commands to permit SNMP traffic from the management hosts:
SNMP versions 1 and 2c also pose a significant security risk in themselves. Their traffic, including the authentication credential, is sent in cleartext; the credential is nothing more than the community string; and many installations never changed the strings from the defaults of public for read access and private for write access. SNMPv3 was developed to address these weaknesses and adds per-message authentication, message integrity checking, and encryption of the payload. Use SNMPv3 wherever possible, and disable SNMP entirely on devices that are not managed or monitored through it.
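The SNMP command listing referred to in the preceding paragraphs is not reproduced on this page. The following is an added example, not the book's own listing, of the configuration this section describes on a Cisco IOS router: the default community strings are removed, a non-default read-only string is bound to an access list, traps are sent to a management host, an interface ACL limits who may speak SNMP to the router, and an SNMPv3 user with authentication and encryption is defined. The management host address 10.1.2.3, the interface name FastEthernet0/0, the names NMS-GRP and nmsuser, and every value written as <...> are assumptions; substitute your own.

```cisco
! Added example (not the book's listing). 10.1.2.3, FastEthernet0/0 and the
! group/user names below are assumed; replace <...> with strong secrets.
!
! 1. Remove the well-known default community strings.
no snmp-server community public
no snmp-server community private
!
! 2. Only the management host may use the community string or v3 group.
access-list 10 remark SNMP management stations
access-list 10 permit host 10.1.2.3
access-list 10 deny   any log
!
! 3. A v2c read-only string, restricted by ACL 10. No RW string is defined:
!    configuration changes are made over the CLI, not over SNMP.
snmp-server community <ro-string> RO 10
!
! 4. Traps to the management host: link state, reloads, and failed
!    authentication attempts against the community string.
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host 10.1.2.3 version 2c <ro-string>
!
! 5. Preferred: SNMPv3 with authentication (SHA) and encryption (AES-128).
!    Once the NMS polls successfully over v3, remove the v2c string above.
snmp-server group NMS-GRP v3 priv access 10
snmp-server user nmsuser NMS-GRP v3 auth sha <auth-pass> priv aes 128 <priv-pass>
snmp-server host 10.1.2.3 version 3 priv nmsuser
!
! 6. Interface ACL: SNMP (UDP 161) is accepted only from the management
!    host; all other SNMP attempts are dropped and logged.
ip access-list extended MGMT-IN
 permit udp host 10.1.2.3 any eq snmp
 deny   udp any any eq snmp log
 permit ip any any
interface FastEthernet0/0
 ip access-group MGMT-IN in
```

IOS does not display `snmp-server user` lines in the running configuration, so verify the v3 user with `show snmp user` rather than `show running-config`. The interface ACL does not affect traps, which the router itself originates toward UDP port 162 on the management host.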
Internet Control Message Protocol
The Internet Control Message Protocol (ICMP) provides a mechanism for reporting TCP/IP communication problems, as well as utilities for testing IP layer connectivity. It is an invaluable tool when troubleshooting network problems. However, ICMP can also be used to glean important information regarding network topologies and available host services.
ICMP is defined by RFC 792, which details many different types of ICMP communications, commonly known as messages. The following paragraphs will describe relevant ICMP functions and the various risks they pose when used for malicious purposes.
ECHO and Traceroute
Echo requests and replies, more commonly known as pings, are used to determine if another host is available and reachable across the network. If one host can successfully ping another host, it can be concluded that the hosts have proper network operation up to and including layer three of the OSI model.
An attacker can use ping to scan publicly accessible networks to identify available hosts, though more experienced hackers avoid ping and use more stealthy methods of host identification. Another use of ICMP echo and echo reply has been to create covert channels through firewalls. ICMP echo requests and replies should be dropped at the network perimeter.
Traceroute is also used to troubleshoot network layer connectivity by mapping the network path between the source and destination hosts. Traceroute is useful in pinpointing where along the network path any connectivity troubles are occurring.
Traceroute works by sending out consecutive probe packets (UDP datagrams in the Unix implementation, ICMP echo requests in the Windows one) with the time to live (TTL) field incremented by one each time. When a router forwards a packet, it decrements the TTL by one. When a packet's TTL reaches zero, the router drops it and returns an ICMP Time Exceeded message (Type 11) to the sender; this is what prevents packets from circulating around a network forever. For example, a host can send out probes with TTLs of one, two, and three to identify the first three routers between itself and a destination.
In the hands of an attacker, packets with carefully chosen TTLs can be used to determine which ports a perimeter firewall lets through. The firewalk tool (www.packetfactory.net) sends UDP or TCP probes whose TTL expires exactly one hop beyond the firewall: a probe the firewall permits elicits an ICMP Time Exceeded message from the next hop, while a probe the firewall drops elicits nothing, so each port can be mapped as open or filtered without the probe ever reaching a host behind the firewall. The technique depends on those Time Exceeded messages making it back to the scanner, so dropping outbound ICMP Time Exceeded messages at the perimeter defeats it.
Another type of ICMP message is the Type 3 Destination Unreachable message. A router returns one when it cannot forward a packet because the destination network, host, protocol, or port is unreachable, or because the packet would have to be fragmented but carries the Don't Fragment bit. Sixteen codes (0 through 15) refine the reason; the more common ones are outlined in Table 10-1.
While these messages may seem necessary for proper network operation, a malicious individual can use these message types to determine available hosts and services on the network. It is a good practice to drop all ICMP unreachable messages at the border of the network by using the following Cisco command from an interface configuration prompt:
There is an important consequence of dropping all unreachables. Code 4, Fragmentation Needed and Don't Fragment Was Set, is essential to path MTU discovery: if hosts are never told that the packets they send into the network exceed your maximum transmission unit (MTU), connections that carry large packets can stall while small ones continue to work.
The first and last IP addresses of any given network are treated as special. These are the network and broadcast addresses, respectively, and sending a packet to the broadcast address (or, on some older stacks, the network address) is akin to sending an individual packet to every host on that network. Thus, someone who sends a single ping to the broadcast address of a subnet with 75 hosts can receive up to 75 replies, one from each host that answers broadcast pings.
This functionality is the basis for a class of attacks known as bandwidth amplification attacks, of which smurf and fraggle are the classic examples. In a smurf attack, the attacker sends ICMP echo requests to the broadcast addresses of a number of large networks with the source address forged to be the victim's, so that the echo replies, multiplied by the number of hosts on each network, flood the victim rather than the attacker (fraggle does the same with UDP echo). A router will turn such a packet into a link-layer broadcast on the target subnet only if directed broadcasts are enabled on the outgoing interface; they can be disabled with this command:
ICMP redirects are used in the normal course of network operation to inform hosts of a more efficient route to a destination network. This is common on networks where multiple routers are present on the same subnet. However, a malicious user may be able to manipulate routing paths, and redirects should be disabled on router interfaces to untrusted and external networks.
To disable redirects on a particular interface, enter configuration mode for that interface and issue this command:
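The command listings for the ICMP controls described in the preceding paragraphs (dropping pings and ping replies at the perimeter, dropping Time Exceeded replies that firewalk depends on, dropping unreachables while preserving Code 4 for path MTU discovery, and turning off directed broadcasts and redirects) are not reproduced on this page. The configuration below is an added example, not the book's own listing, that collects them on one Internet-facing Cisco IOS interface. The interface name Serial0/0 and the internal network 192.0.2.0/24 are assumptions.

```cisco
! Added example (not the book's listing). Serial0/0 is assumed to be the
! Internet-facing interface and 192.0.2.0/24 the internal network.
!
! Transit ICMP arriving from the Internet.
ip access-list extended OUTSIDE-IN
 remark Ping sweeps and ICMP echo covert channels
 deny   icmp any any echo
 deny   icmp any any echo-reply
 remark Keep path MTU discovery working: Type 3, Code 4 is allowed in
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 remark Every other Destination Unreachable (Type 3) is dropped
 deny   icmp any any unreachable
 permit ip any 192.0.2.0 0.0.0.255
!
! Transit ICMP leaving the network. Firewalk needs the Time Exceeded
! (Type 11) replies from the first hop behind the firewall to reach the
! scanner; dropping them here removes that signal. An outbound ACL filters
! only forwarded traffic, which is exactly what those replies are.
ip access-list extended OUTSIDE-OUT
 deny   icmp any any time-exceeded
 permit ip 192.0.2.0 0.0.0.255 any
!
interface Serial0/0
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
 ! ICMP the router itself generates on this interface. Note that
 ! "no ip unreachables" also suppresses the Code 4 messages this router
 ! would send when it has to refuse an oversized Don't-Fragment packet.
 no ip unreachables
 no ip redirects
 ! Off by default since IOS 12.0; stated explicitly so the intent is clear.
 no ip directed-broadcast
!
! Alternative when the router's own Code 4 messages matter: leave
! unreachables enabled and rate-limit their generation instead (one per
! 500 ms here; the df keyword sets a separate limit for Code 4 messages).
! ip icmp rate-limit unreachable 500
! ip icmp rate-limit unreachable df 500
```

Two caveats a practitioner should keep in mind: dropping echo-reply inbound also discards replies to pings originated from inside the network, and interface ACLs never filter packets the router itself originates, which is why the router-generated messages are controlled with the `no ip ...` interface commands rather than with the access lists.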
Anti-Spoofing and Source Routing
One attack against networks is to insert fake, or spoofed, information in TCP/IP packet headers in the hope of being treated as a more trusted host. Address spoofing is an attempt to slip through external defenses by masquerading as an internal host, and packets carrying internal source addresses should obviously never arrive inbound on a border router's external interface. Border routers should therefore drop inbound packets whose source address belongs to the internal network. They should also drop packets with source addresses in the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and broadcast packets.
In addition to spoofed packets, routers should be configured to drop packets that contain source routing information. Source routing lets the sender dictate the path a packet takes through a network. Such information could be used to route traffic around known filters, or to cause a denial of service by forcing large amounts of traffic through a single router and overloading it. To disable source routing globally on a Cisco router, issue this command from a configuration prompt:
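The anti-spoofing and source-routing commands described above are not reproduced on this page. As an added example, not the book's own listing, the following Cisco IOS configuration applies an inbound anti-spoofing access list to the border interface and disables source routing globally. The interface name Serial0/0 and the internal network 192.0.2.0/24 are assumptions; the loopback range 127.0.0.0/8 and the unspecified address 0.0.0.0 are included as additional source addresses that have no legitimate reason to arrive from outside, beyond the internal, RFC 1918 and broadcast cases the text names. Only one ACL can be applied per interface per direction, so in a real configuration these entries sit at the top of whatever inbound ACL the border interface already carries.

```cisco
! Added example (not the book's listing). Serial0/0 is assumed to be the
! border interface and 192.0.2.0/24 the internal network.
!
ip access-list extended ANTI-SPOOF-IN
 remark Our own address space must never arrive from outside
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark RFC 1918 private source addresses
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark Loopback and unspecified sources (added beyond the text's list)
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip host 0.0.0.0 any log
 remark Broadcast sources and packets addressed to the broadcast address
 deny   ip host 255.255.255.255 any log
 deny   ip any host 255.255.255.255 log
 remark Everything else destined for the internal network
 permit ip any 192.0.2.0 0.0.0.255
!
interface Serial0/0
 ip access-group ANTI-SPOOF-IN in
!
! Source-routed packets (loose and strict source route IP options) are
! refused router-wide. This is a global command, not an interface one.
no ip source-route
```

The `log` keyword on each deny entry records the dropped packets through the router's syslog facility, which makes persistent spoofing attempts against the border visible on the central log server.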
As with any device, it is a good idea to maintain logs. Routers are able to log information related to ACL activity as well as system-related information. Cisco routers do not have large disks for locally logging information about network and system activity, but they do provide facilities for remote logging to a Syslog server. In addition, the syslog facilities allow for the centralization and aggregation of all the dispersed network logs into a single repository.
To enable logging to a server located at 10.1.2.3 from a Cisco Catalyst switch, issue the following commands:
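The logging commands referred to above are not reproduced on this page. The following is an added example, not the book's own listing, for an IOS-based router or Catalyst switch: messages are timestamped, kept in a local buffer, and forwarded to the syslog server at 10.1.2.3 named in the text. The buffer size, severity levels, facility, and the source interface Loopback0 are assumptions.

```cisco
! Added example (not the book's listing). 10.1.2.3 is the syslog server
! from the text; buffer size, severities, facility and Loopback0 are assumed.
!
! Timestamp every message so events can be correlated across devices
! (the router's clock should be kept accurate with NTP for this to be useful).
service timestamps log datetime msec localtime show-timezone
!
! The device has no disk, so keep a local ring buffer as a fallback
! for when the syslog server is unreachable.
logging buffered 16384 informational
!
! Forward severity informational (6) and more severe to the central server,
! always from the same source address so the server can identify the device.
logging host 10.1.2.3
logging trap informational
logging source-interface Loopback0
logging facility local6
!
! Keep the console quiet: a burst of ACL "log" hits should not flood it.
logging console critical
!
! ACL activity reaches the same stream through the log keyword, e.g.
ip access-list extended EXAMPLE-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 permit ip any any
```

Confirm delivery with `show logging`, which reports the configured host, the trap level, and how many messages have been sent to it.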
Routers and switches provide a number of mechanisms that, when properly implemented, increase the overall security and performance of the local network. Merely replacing old network hubs with switches can provide a significant performance increase. Once implemented, switches reduce the risk of sniffing-based attacks against other local workstations, and they can further reduce such risks through the strategic implementation of VLANs. Routers provide the ability to implement ACLs to screen and drop unwanted traffic. In addition, taking the time to harden the router against attacks will also increase the security of the network. This chapter also touched upon the various ICMP message types and the risks they pose. Proactive control of ICMP can prevent an attacker from learning significant information about network topologies.