© 2004 Cisco Systems, Inc. All rights reserved.
SEC-2007 9883_06_2004_X2
INTERNET SERVICE PROVIDER
SECURITY BEST PRACTICES
SESSION SEC-2007
Agenda
• A Brief Review
• Management Plane/Device Security
• Control Plane
• Data Plane
A BRIEF REVIEW
Denial of Service and ISPs
• DoS can…
Target an ISP
Target an ISP’s customer
Target the core of the Internet
• Attacks are part of everyday operations and can be
of high severity with a profit motivation!
• Proper preparation can dramatically reduce the effects
Goal: Secure the Internet
• ISPs compete
• In security, ISPs need to cooperate
• The security of the Internet is a concern for all
• Only a secure Internet will be sellable long term
What Do ISPs Need to Do?
• Protect themselves
• Help protect their customers from
the Internet
• Protect the Internet from their customers
How to Do It?
• Work with Operations Groups, Standards
Organisations, and Vendors on new solutions
• Implement Best Common Practices (BCPs)
ISP Infrastructure security
ISP Network security
ISP Services security
The Three Planes
(Diagram: ingress packets on a line card are either forwarded across the fabric to other line cards (Data Plane), or punted through the forwarding/feature ASIC cluster and the ASIC’s supporting CPU into the RAW queue(s), also called CPU queue(s) or punt queue(s), toward the GRP or PRP. These receive-path packets, bound for the line-card CPU or the route processor, make up the Control Plane and the Management Plane.)
What Is a Punt?
Packets that need to be sent to the RP:
• Packets sent to a network device (receive adjacencies)
• Broadcast and multicast packets
• Logged packets (ACLs or unicast RPF with logging enabled)
• Packets with IP Options set
• Packets which cannot be immediately forwarded to a destination and require ARP/ICMP generation:
Packets blocked by ACLs
Packets with unknown destination
Packets with expired TTL
Destinations lacking a next-hop adjacency
MANAGEMENT PLANE / DEVICE SECURITY
Disable Unneeded Services
no service finger
no service udp-small-servers
no service tcp-small-servers
no ip http server
no ip redirects
no ip directed-broadcast
no ip proxy-arp
Cisco Discovery Protocol
• CDP can be used to learn information about
neighboring devices that are running CDP
IP address, software version…
• CDP is configured per interface
• Disable CDP when it isn’t needed
Source Routing / IP Options
• IP has a provision to allow the source IP host to specify
the route through the Internet
• ISPs should turn this off, unless it is specifically
required:
no ip source-route
• Packets with IP Options can be dropped or the
options can be ignored (12.0(23)S / 12.3(4)T):
ip options drop
ip options ignore
ICMP Unreachable Overload
• Packets that cannot be forwarded are punted for
ICMP Unreachable generation.
• Risk → a high number of unreachables overloading the
CPU
no ip unreachables
• All routers with any static route to Null0 should configure
no ip unreachables
• If unreachables are needed, use the ICMP Unreachable
rate-limiting command:
ip icmp rate-limit unreachable [DF] <1-4294967295 millisecond>
no ip icmp rate-limit unreachable [df]
Default is 500 milliseconds
What Ports Are Open on the Router?
• It may be useful to see what sockets/ports are open
on the router
• show ip sockets—shows some of the UDP ports
opened
IOSRouter#show ip sockets
Proto Remote          Port Local            Port  In Out Stat TTY OutputIF
17    192.190.224.195 162  204.178.123.178  2168   0   0    0   0
17    --listen--           204.178.123.178  67     0   0    9   0
17    0.0.0.0         123  204.178.123.178  123    0   0    1   0
17    0.0.0.0         0    204.178.123.178  161    0   0    1   0
What Ports Are Open on the Router?
• Two steps required for TCP ports:
show tcp brief all
show tcp tcb
GSR-1#sh tcp bri all
TCB       Local Address           Foreign Address         (state)
52F6D218  60.20.1.2.11002         60.20.1.1.179           ESTAB
52F7065C  50.20.1.1.179           50.20.1.2.11007         ESTAB
52F6CD8C  *.*                     *.*                     LISTEN
537D0944  *.179                   60.20.1.1.*             LISTEN
537CE2C4  *.179                   50.20.1.2.*             LISTEN
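As an added example (not the deck's or Cisco's code), a parser for the “show tcp brief all” output above that reports LISTEN sockets outside an expected set, which is the check an operator would run after the two commands. The sample output repeats the deck's rows plus a constructed telnet listener on port 23, and the expected-port set {22, 179} is an assumption for the example.

```python
import re

# Constructed sample modelled on the deck's "show tcp brief all" output.
# The first five rows are the deck's; the telnet listener on port 23 is
# added here to give the check something to report.
SAMPLE_TCP_BRIEF = """\
GSR-1#sh tcp bri all
TCB       Local Address           Foreign Address         (state)
52F6D218  60.20.1.2.11002         60.20.1.1.179           ESTAB
52F7065C  50.20.1.1.179           50.20.1.2.11007         ESTAB
52F6CD8C  *.*                     *.*                     LISTEN
537D0944  *.179                   60.20.1.1.*             LISTEN
537CE2C4  *.179                   50.20.1.2.*             LISTEN
537CF000  *.23                    *.*                     LISTEN
"""

# Listening ports an ISP core router is expected to expose (BGP and SSH);
# this set is an assumption for the example, not a Cisco default.
EXPECTED_LISTEN_PORTS = {22, 179}

# One row: 8-hex-digit TCB, local socket, foreign socket, state.
ROW = re.compile(r"^([0-9A-F]{8})\s+(\S+)\s+(\S+)\s+(\S+)$")


def split_socket(spec):
    """'60.20.1.2.11002' -> ('60.20.1.2', 11002); '*.179' -> ('*', 179); '*.*' -> ('*', None)."""
    host, _, port = spec.rpartition(".")
    return host, (None if port == "*" else int(port))


def parse_tcp_brief(text):
    """Return one dict per TCB row; the prompt and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        tcb, local, foreign, state = m.groups()
        lhost, lport = split_socket(local)
        fhost, fport = split_socket(foreign)
        rows.append({"tcb": tcb, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport, "state": state})
    return rows


def unexpected_listeners(rows, expected=EXPECTED_LISTEN_PORTS):
    """LISTEN sockets whose local port is not in the expected set.

    The '*.*' wildcard listener carries no port and is left alone. A real
    listener on 23 means telnet is still reachable and the line should be
    restricted with 'transport input ssh'.
    """
    return [(r["local_host"], r["local_port"], r["foreign_host"])
            for r in rows
            if r["state"] == "LISTEN" and r["local_port"] is not None
            and r["local_port"] not in expected]


def established_peers(rows):
    """(local port, foreign host) of ESTAB sessions, to confirm the BGP sessions are the expected ones."""
    return sorted((r["local_port"], r["foreign_host"]) for r in rows if r["state"] == "ESTAB")


if __name__ == "__main__":
    parsed = parse_tcp_brief(SAMPLE_TCP_BRIEF)
    for entry in unexpected_listeners(parsed):
        print("unexpected listener:", entry)
    print("established:", established_peers(parsed))
```

Per-neighbor BGP listeners show up as “*.179” bound to a specific foreign host, so a listener on 179 with a foreign host that is not a configured neighbor would also be worth a look; the example keys only on the port to stay close to what the deck shows.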
Network Time Protocol
• Synchronize time across all devices
• When a security event occurs, data will have consistent timestamps
From an external time source:
Upstream ISP, Internet, GPS, atomic clock
From an internal time source:
Router can act as stratum 1 time source
ntp source loopback0
ntp server 10.223.1.1 source loopback0
ntp authenticate
ntp authentication-key number md5 value …
• Syslog data is invaluable
Attack forensics
Day to day events and debugging
• To log messages to a syslog server host, use the logging global configuration command
logging host
logging trap level
• To log to the internal buffer use:
logging buffered size
• Ensure timestamps and sequence numbers:
service timestamps log…
service sequence-numbers
Config Change Notification and Logging
• Allows the tracking of configuration changes entered on a per-session and per-user basis by implementing a configuration log.
• Tracks each configuration command that is applied, who applied the command, the parser return code for that command, and the time that the command was applied.
• Adds a notification mechanism that sends asynchronous
notifications to registered applications whenever the configuration log changes
• Available 12.3(4)T on 1700, 2600, 3600, 3700, 7200, 7500, AS5xxx
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1e81.html
• Also Contextual Configuration Diff utility
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1dc2.html
SNMP
• Version 1 sends cleartext community strings and
has no policy reference
• Version 2 addresses some of the known security
weaknesses of SNMPv1
• Version 3 provides authentication, encryption (Recommended)
Not widely deployed
Confirm NMS application support
See NMS-2051 for additional detail.
RFC-2570: Introduction to Version 3 of the Internet-standard Network
Management Framework
SNMP v1/2 Authentication and Authorization
• Line ACL can filter SNMP access
• SNMP Filtering
RO → read only
RW → read write
View → MIB restriction
access-list 4 permit 172.16.2.100
snmp-server community <string> RO 4
snmp-server community <string> view <MIB view>
New Features: CPU and Memory Threshold Notification
• CPU Threshold Notification – 12.0(26)S, 12.3(4)T
Generates an SNMP trap message when a predefined threshold of CPU usage is crossed
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1829/products_feature_guide09186a00801b3a4a.html
• Memory Threshold Notification
12.0(26)S and 12.2(18)S
If available free processor or I/O memory falls below the specified thresholds, the router will log an event. Network operations staff can investigate, and if necessary take action, before router performance is impacted or free memory becomes so low that the router is in danger of crashing.
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1838/products_feature_guide09186a00801b1bee.html
NetFlow
• Initially designed as a switching path but now the
primary network accounting technology in the
industry.
• NetFlow is the emerging standard traffic
engineering / capacity planning technology.
• NetFlow is the primary network anomaly-detection
technology.
• See SEC-2008 and NMS-2032 for details.
Access to the Router
• Console
• Telnet
• SSH—Encrypted Access
• Local passwords
Username based on the router
• External AAA
TACACS+, RADIUS, Kerberos
Use Enable Secret
• Service password-encryption is reversible
service password-encryption
!
hostname Router
!
enable password 7 14181C0E2A2B182A2824
• The “enable secret” password is hashed via MD5
!
hostname Router
!
enable secret 5 $1$hM3l$.s/DgJ4TeKdDkTVCJpIBw1
VTY Security
• Access to VTYs should be controlled
• ACL used to filter incoming data
• Logging can be used to provide more information
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 deny any
line vty 0 4
access-class 3 in
transport input ssh
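The following is an added example, not code from the deck or from Cisco: a small Python audit that reads a running-config and reports which items from the Disable Unneeded Services, Source Routing, ICMP Unreachable Overload, Use Enable Secret and VTY Security slides are missing. The sample configuration is constructed for the example, and skipping the per-interface checks on Null0 is this script's own choice.

```python
import re

# Checklist drawn from the deck's hardening slides (Disable Unneeded
# Services, Source Routing, ICMP Unreachable Overload, Use Enable Secret,
# VTY Security). The audit logic is an added example, not a Cisco tool.
GLOBAL_REQUIRED = (
    "no service finger",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "no ip http server",
    "no ip source-route",
)
INTERFACE_REQUIRED = ("no ip redirects", "no ip directed-broadcast", "no ip proxy-arp")

# Constructed running-config with several of the deck's recommendations missing.
SAMPLE_CONFIG = """\
service password-encryption
hostname Router
enable password 7 14181C0E2A2B182A2824
username bill password 7 0822455D0A16
no service finger
no service udp-small-servers
no service tcp-small-servers
no ip source-route
ip route 10.99.0.0 255.255.0.0 Null0
interface Null0
 no ip unreachables
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
interface POS5/0
 ip address 10.20.1.1 255.255.255.252
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
line vty 0 4
 access-class 3 in
 transport input telnet ssh
end
"""


def parse_stanzas(config):
    """Split IOS config text into {stanza header: [indented lines]};
    top-level commands are collected under the "" key."""
    blocks = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
            blocks[""].append(current)
    return blocks


def audit_config(config):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_stanzas(config)
    top = blocks[""]
    findings = [f"global: missing '{item}'" for item in GLOBAL_REQUIRED if item not in top]

    # Type-7 strings are reversible: insist on 'enable secret' and 'username ... secret'.
    if not any(line.startswith("enable secret ") for line in top):
        findings.append("global: missing 'enable secret'")
    if any(line.startswith("enable password ") for line in top):
        findings.append("global: 'enable password' is reversible; use 'enable secret'")
    for line in top:
        m = re.match(r"username (\S+) password 7 ", line)
        if m:
            findings.append(f"global: username {m.group(1)} uses a type-7 password; use 'secret'")

    # A static route to Null0 punts unroutable packets for ICMP unreachable
    # generation unless Null0 carries 'no ip unreachables'.
    if any(re.match(r"ip route .* Null0$", line) for line in top):
        if "no ip unreachables" not in blocks.get("interface Null0", []):
            findings.append("interface Null0: missing 'no ip unreachables' (static route to Null0 present)")

    for header, body in blocks.items():
        # Per-interface knobs; skipping Null0 here is this example's choice.
        if header.startswith("interface ") and header != "interface Null0":
            findings += [f"{header}: missing '{item}'" for item in INTERFACE_REQUIRED if item not in body]
        if header.startswith("line vty"):
            if not any(re.match(r"access-class \d+ in$", line) for line in body):
                findings.append(f"{header}: no inbound access-class")
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input is not restricted to ssh")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

The audit looks for the explicit “no …” lines; on real IOS some defaults do not appear in the running-config at all, so a clean result from this script is a necessary check, not a sufficient one.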
SSH
• Replaces telnet for a protected command and control communication channel
• Privacy and integrity provided through the use of strong cryptographic algorithms
• Supports TACACS+, RADIUS and Local Authentication
• Secure Copy (SCP) available in new SSH-enabled code
• Restrict access to ssh via the transport input ssh command
• SSHv2 now in IOS (12.3(4)T / 12.1(19)E)
Banners
• Login Banner
This is a legal requirement in some jurisdictions; check with your legal group
banner login ^
Authorised access only
This system is the property of Galactic Internet
Disconnect IMMEDIATELY if you are not an authorised user!
Contact [email protected] 555-1212 for help.
^
Banners
• Exec Banner
Used to remind staff of specific conditions:
banner exec ^
PLEASE NOTE - THIS ROUTER SHOULD NOT HAVE A DEFAULT ROUTE!
It is used to connect paying peers. These ‘customers’ should not be able to default to us.
The config for this router is NON-STANDARD
Contact Network Engineering 555-1212 for more info.
^
New Feature: IOS Login Enhancements
• Login Enhancements—Password Retry Delay
• Adds new flexibility to lock out unwanted attempts
to access the device
• Introduces a delay between successive failed login
attempts to alleviate dictionary attacks
New global command: login delay
• Generation of syslog messages for login detection
• Available in 12.3(4)T
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1cb3.html
Cisco IOS TACACS+ Login Authentication
!
service password-encryption
!
hostname Router
!
aaa new-model
aaa authentication login neteng group tacacs+ enable
aaa authentication login tech group tacacs+ local
aaa authentication enable default group tacacs+ enable
enable secret 5 $1$hM3l$.s/DgJ4TeKdDk…
!
username bill secret 5 $1$A4Um$1NkLTeSwxYynxIHD6zlfc1
Callouts:
service password-encryption → Encrypts passwords with encryption (7)
aaa authentication login neteng → Define list “neteng” to use TACACS+
aaa authentication login tech → Define list “tech” to use TACACS+ then the local user and password
enable secret → Enable secret overrides the (7) encryption
username bill secret → Define local users; secret command → md5
Cisco IOS TACACS+ Login Authentication
tacacs-server host 172.16.1.4
tacacs-server key <key>
!
line con 0
login authentication neteng
line aux 0
login authentication neteng
line vty 0 4
login authentication tech
!
end
Callouts:
tacacs-server host → Defines the IP address of the TACACS+ server
tacacs-server key → Defines the shared key for communicating with the TACACS+ server
login authentication neteng → Uses the authentication mechanisms listed in “neteng”—TACACS+ then enable password
login authentication tech → Uses the authentication mechanisms listed in “tech”—TACACS+ then a local user/password
One-Time Passwords
• May be used with TACACS+ or RADIUS
• The same “password” will never be reused by an
authorized administrator
• Key Cards—CryptoCard token server included with
Cisco Secure ACS
• Support for Security Dynamics and Secure
Computing token servers in Cisco Secure ACS
Limit Authority—Authorize Commands
• Differentiate staff authority on the router
Help desk
Operations
Second level/third level support
• Use privilege levels (0–15)
System Administrator—Level 2: show, debug, ping
Network Engineer—Level 15: all commands
Set Privileges
• Set level of privilege for each user class
privilege configure level 5 interface
privilege interface level 5 shutdown
privilege exec level 5 show ip route
privilege exec level 5 configure terminal
privilege exec level 5 show running-config
• Initially difficult to deploy
• Long-term benefit outweighs short term pain
• Other options are TACACS+-based authorization or…
New Feature: Role Based CLI Access
• New Feature: Role-Based CLI, aka CLI Views
• Defines CLI access based on administrative roles
• Security
Enhances the security of the device by defining the set of CLI commands that are accessible to a particular user
• Availability
Avoids unintentional execution of CLI commands by unauthorized personnel
• Operational efficiency
Prohibits users from viewing CLI commands that are in
accessible to them, greatly improving usability
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801ee18d.html
Complete AAA Config
aaa new-model
aaa authentication login default tacacs+ local enable
aaa authentication enable default tacacs+ local enable
aaa authorization exec default tacacs+ local
aaa authorization commands 1 default tacacs+ local
aaa authorization commands 15 default tacacs+ local
aaa accounting exec start-stop tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 10.1.1.1
tacacs-server host 10.2.1.1
tacacs-server key CKr3t#
line vty 0 4
access-class 3 in
username bill secret 5 $1$A4Um$1NkLTeSwxYynxIHD6zlfc1
Try 10.1.1.1 first. If no reply, use 10.2.1.1.
New IOS Command: AutoSecure
• New CLI command that automates the configuration of security features and disables certain features enabled by default that could be exploited for security holes
Router#auto secure [management | forwarding] [no-interact]
• Implements a number of “best practices” to help secure the router
• Released in 12.3(1) Mainline and 12.3T
• Full details in 12.3 Mainline release documentation:
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5187/products_feature_guide09186a008017d101.html
Input Hold Queue
• Queue that stores packets destined for
the router
• Input Hold Queue is important for initial BGP
convergence (when you are sending the full table)
• DOS/DDOS attacks against the router can fill the
input hold queue—knocking out legitimate packets
Input Hold Queue
• Input Hold Queue is physically on the Route Processor
(RP for 7500, GRP for 12000)
• Default is 75
• Recommend 1500 (check memory before applying—
looking for 20M free); improves BGP convergence with the Internet routing table.
• Applied to all interfaces
interface XXXXXX
hold-queue 1500 in
Input Hold Queue
12008-e10-2#sh inter pos 5/0
POS5/0 is up, line protocol is up
.
Output queue 0/40, 0 drops; input queue 97/1500, 54 drops
5 minute input rate 76502000 bits/sec, 31139 packets/sec
5 minute output rate 72517000 bits/sec, 26560 packets/sec
.
Selective Packet Discard (SPD)
• When a link goes to a saturated state, you will drop
packets; the problem is that you will drop any type of packets—including your routing protocols
• Selective Packet Discard (SPD) will attempt to drop
non-routing packets instead of routing packets when the link is overloaded
Selective Packet Discard (SPD)
• Input Hold Queue (default 75)
• SPD Headroom (default 100;
in 12.0(22)S increased to 1000)
• SPD Extended Headroom (default 10)
(Diagram: the interface input queue (hold queue) covers positions 0–75 and admits normal IP as well as BGP, ISIS, OSPF and HDLC; the SPD headroom above it, up to 175, admits only BGP, ISIS, OSPF and HDLC; the SPD extended headroom, up to 185, admits only ISIS, OSPF and HDLC.)
Monitoring SPD Queues
• You have a problem when you:
See the number of priority packets dropped (H)
See the Fast Flushes increase (D)
GSR-2#sh interface pos 0/0 switching
POS0/0 Link to GSR#1
Throttle count (A)
Drops RP (B) SP (C)
SPD Flushes Fast (D) SSE (E)
SPD Aggress Fast (F)
Monitoring SPD Modes
• SPD has three drop modes:
NORMAL—below threshold
RANDOM—min threshold has been reached
MAX—max threshold has been reached
• There is a problem when Current Mode is MAX
GSR-2#sh ip spd
Current mode: normal.
Queue min/max thresholds: 73/100, Headroom: 1000, Extended Headroom: 100
IP normal queue: 0, priority queue: 0.
SPD special drop mode: aggressively drop bad packets
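An added monitoring example (not from the deck or Cisco): parse “show ip spd” and the SPD counters of “show interface … switching” and apply the rules from the two slides above, alarming on MAX mode and on counters that rise between two snapshots. The “show ip spd” sample is the deck's own; the switching-output snapshots are constructed in a column layout assumed for this example (the parser is whitespace-tolerant for that reason), and because the deck's “priority packets dropped” counter is not visible in the extracted slide, the RP drop counter stands in for it here.

```python
import re

# 'show ip spd' output from the deck, plus a constructed copy showing the
# MAX condition the deck says to alarm on.
SPD_NORMAL = """\
Current mode: normal.
Queue min/max thresholds: 73/100, Headroom: 1000, Extended Headroom: 100
IP normal queue: 0, priority queue: 0.
SPD special drop mode: aggressively drop bad packets
"""
SPD_MAX = """\
Current mode: max.
Queue min/max thresholds: 73/100, Headroom: 1000, Extended Headroom: 100
IP normal queue: 100, priority queue: 3.
SPD special drop mode: aggressively drop bad packets
"""

# Two constructed snapshots of 'show interface pos 0/0 switching' taken a
# few minutes apart, carrying the counters the deck labels (A-F). The exact
# column layout is an assumption for this example.
SWITCHING_T0 = """\
POS0/0 Link to GSR#1
          Throttle count          0
                         Drops     RP          4         SP          0
                   SPD Flushes   Fast          2        SSE          0
                   SPD Aggress   Fast          0
"""
SWITCHING_T1 = """\
POS0/0 Link to GSR#1
          Throttle count          1
                         Drops     RP          9         SP          0
                   SPD Flushes   Fast          7        SSE          0
                   SPD Aggress   Fast          0
"""

SPD_FIELDS = {
    "mode": r"Current mode:\s*(\w+)",
    "min": r"min/max thresholds:\s*(\d+)/\d+",
    "max": r"min/max thresholds:\s*\d+/(\d+)",
    "headroom": r"Headroom:\s*(\d+)",            # first match is the plain headroom
    "ext_headroom": r"Extended Headroom:\s*(\d+)",
    "normal_q": r"IP normal queue:\s*(\d+)",
    "priority_q": r"priority queue:\s*(\d+)",
}
COUNTER_FIELDS = {
    "throttle": r"Throttle count\s+(\d+)",
    "drops_rp": r"Drops\s+RP\s+(\d+)",
    "drops_sp": r"Drops\s+RP\s+\d+\s+SP\s+(\d+)",
    "flush_fast": r"SPD Flushes\s+Fast\s+(\d+)",
    "flush_sse": r"SPD Flushes\s+Fast\s+\d+\s+SSE\s+(\d+)",
    "aggress_fast": r"SPD Aggress\s+Fast\s+(\d+)",
}


def _extract(fields, text):
    """Pull each named field out of the command output; fail loudly on a format change."""
    out = {}
    for name, pattern in fields.items():
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"field '{name}' not found in output")
        value = m.group(1)
        out[name] = value.lower() if name == "mode" else int(value)
    return out


def parse_spd_status(text):
    """Parse 'show ip spd' into mode, thresholds and queue depths."""
    return _extract(SPD_FIELDS, text)


def parse_switching_counters(text):
    """Parse the SPD-related counters of 'show interface <if> switching'."""
    return _extract(COUNTER_FIELDS, text)


def spd_alerts(status, previous, current):
    """The deck's rules: alarm on MAX mode, on rising drops toward the RP and on rising fast flushes."""
    alerts = []
    if status["mode"] == "max":
        alerts.append("SPD is in MAX mode: input queue at max threshold, non-priority packets are being dropped")
    elif status["mode"] == "random":
        alerts.append("SPD is in RANDOM mode: input queue above min threshold")
    for key, label in (("drops_rp", "RP drops"), ("flush_fast", "fast flushes")):
        delta = current[key] - previous[key]
        if delta > 0:
            alerts.append(f"{label} rose by {delta} between snapshots")
    return alerts


if __name__ == "__main__":
    t0 = parse_switching_counters(SWITCHING_T0)
    t1 = parse_switching_counters(SWITCHING_T1)
    for line in spd_alerts(parse_spd_status(SPD_MAX), t0, t1):
        print(line)
```

Because the counters are cumulative, only the difference between two polls is meaningful; a single snapshot with non-zero flushes says nothing about whether the router is under pressure now.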
Infrastructure Security
Why should outside devices be talking to your core?
• Infrastructure ACLs (iACL)
• Receive ACLs (rACL)
• Control Plane Policing (CoPP)
(Diagram: telnet and snmp from “outside” hosts reaching the core.)
Infrastructure ACLs
• Basic premise: filter traffic destined TO your core
routers
Do your core routers really need to process all kinds of garbage?
• Develop list of required protocols that are sourced
from outside your AS and access core routers
Example: eBGP peering, GRE, IPSec, etc.
Use classification ACL as required
• Identify core address block(s)
This is the protected address space
Summarization is critical → simpler and shorter ACLs
Infrastructure ACLs
• Infrastructure ACL will permit only required
protocols and deny ALL others to infrastructure space
• ACL should also provide anti-spoof filtering
Deny your space from external sources
Deny RFC1918 space
Deny multicast source addresses (224/4)
RFC3330 defines special use IPv4 addressing
Infrastructure ACLs
• Infrastructure ACL must permit transit traffic
Traffic passing through routers must be allowed via permit ip any any
• ACL is applied inbound on ingress interfaces
• Fragments destined to the core can be filtered via
fragments keyword
Fragments pose a security risk: by default they are not filtered by ACLs
Fragments are likely not needed
access-list 101 deny/permit … fragments
(Diagram: infrastructure ACLs applied “in” on the edge routers PR1, PR2, CR1 and CR2 facing the external routers R1–R5. Example flows: SRC 127.0.0.1 DST any; SRC valid DST Rx (any core router); SRC eBGP peer DST CR1 (eBGP); SRC valid DST external to AS (e.g. customer).)
Example: Infrastructure ACL
! Deny our internal space as a source of external packets
access-list 101 deny ip our_CIDR_block any
! Deny src addresses of 0.0.0.0 and 127/8
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
! Deny RFC1918 space from entering AS
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
Example: Infrastructure ACL
! The only protocol that requires infrastructure access is eBGP. We have defined both src and dst addresses
access-list 101 permit tcp host peerA host peerB eq 179
access-list 101 permit tcp host peerA eq 179 host peerB
! Deny all other access to infrastructure
access-list 101 deny ip any core_CIDR_block
! Permit all data plane traffic
access-list 101 permit ip any any
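An added example, not part of the deck: a first-match evaluator for the extended-ACL subset used above, run against the infrastructure ACL with its placeholders filled in with constructed documentation addresses (our block 198.51.100.0/24, core block 198.51.100.0/26, eBGP peer 203.0.113.1, our edge router 198.51.100.1; all of these are assumptions). It shows a spoofed internal source and an outside host aiming at the core being denied, while eBGP from the peer and transit traffic pass through the final permit.

```python
import ipaddress

# The deck's infrastructure ACL with its placeholders filled in using
# constructed documentation addresses (assumptions for this example):
#   our_CIDR_block  = 198.51.100.0/24  (the AS's own space)
#   core_CIDR_block = 198.51.100.0/26  (infrastructure inside it)
#   peerA = 203.0.113.1 (eBGP peer), peerB = 198.51.100.1 (our edge router)
IACL = """\
! Deny our internal space as a source of external packets
access-list 101 deny ip 198.51.100.0 0.0.0.255 any
! Deny src addresses of 0.0.0.0 and 127/8
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
! Deny RFC1918 space from entering AS
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
! The only protocol that requires infrastructure access is eBGP
access-list 101 permit tcp host 203.0.113.1 host 198.51.100.1 eq 179
access-list 101 permit tcp host 203.0.113.1 eq 179 host 198.51.100.1
! Deny all other access to infrastructure
access-list 101 deny ip any 198.51.100.0 0.0.0.63
! Permit all data plane traffic
access-list 101 permit ip any any
"""


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]; return ((net, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def _parse_port(tokens, i):
    """Optional 'eq N' following an address (source port after src, destination port after dst)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse the subset of extended-ACL syntax used above into ordered entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue  # '!' comments and blank lines
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        entries.append({"line": line.strip(), "action": action, "proto": proto,
                        "src": src, "sport": sport, "dst": dst, "dport": dport})
    return entries


def _addr_match(spec, ip):
    """Cisco wildcard semantics: bits set in the wildcard are don't-care bits."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def evaluate(entries, src, dst, proto="ip", sport=None, dport=None):
    """First matching entry wins; no match is the implicit deny. Returns (action, matched line)."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (_addr_match(e["src"], src) and _addr_match(e["dst"], dst)):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["line"]
    return "deny", "implicit deny"


if __name__ == "__main__":
    acl = parse_acl(IACL)
    cases = [
        ("spoofed internal source", "198.51.100.77", "198.51.100.200", "udp", 5000, 53),
        ("eBGP from the peer", "203.0.113.1", "198.51.100.1", "tcp", 45000, 179),
        ("outsider to core ssh", "203.0.113.50", "198.51.100.1", "tcp", 45000, 22),
        ("transit to a customer", "203.0.113.50", "198.51.100.200", "tcp", 45000, 80),
    ]
    for name, *pkt in cases:
        print(f"{name:24s} -> {evaluate(acl, *pkt)}")
```

The evaluator deliberately leaves out the “fragments” keyword and “established”; adding them is the natural next step when the ACL on the router uses them.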
Receive ACLs (7500/GSR)
• Excessive traffic destined to the RP can lead to high CPU
→ DoS
• Receive ACLs filter traffic destined to the RP via
receive adjacencies
• rACLs explicitly permit or deny traffic destined to the
GRP
• rACLs do NOT affect transit traffic
• Traffic is filtered on the ingress LC, prior to RP
processing
• rACLs enforce security policy by filtering who/what
can access the router
Receive Adjacencies
• CEF entries for traffic destined to the router
Real interfaces
Loopbacks
12000-1#sh ip cef
Prefix              Next Hop        Interface
10.1.2.0/24         172.16.1.216    GigabitEthernet3/0
10.1.3.0/24         172.16.1.216    GigabitEthernet3/0
172.16.1.196/32     receive
(172.16.1.196 is an interface IP address)
• Packets with next hop receive are sent to the RP
Receive ACL Command
• Introduced in 12.0(21)S2/12.0(22)S
• ip receive access-list [number]
Standard, extended or compiled ACL
• As with other ACL types, show access-list provides
ACE hit counts
• Only affects IP protocols
IS-IS permit statements not required
• Log keyword can be used for more detail
Receive ACL: Traffic Flow
(Diagram: on the GSR, packets through the router are switched from the ingress line card across the switch fabric to the egress line card; packets to the router are checked against the receive ACL on the ingress line card before being sent to the GRP.)
[no] ip receive access-list <num>
rACL: Building Your ACL
• Develop list of required protocols
OSPF, BGP, ssh, etc.
e.g. access-list 110 permit tcp src_ip host loopback eq 22
• Develop address requirements
• Determine interface on router
Many interfaces? Loopback or real?
• Deployment is an iterative process
Start with relatively “open” lists → tighten as needed
rACL: Summary
• Advantages
Single point of protection for receive adjacencies
• Limitations
Platform support—only 7500 and GSR
Binary decision: can only permit or deny packets
Some types of traffic can be either good or bad; it would be nice to have rate-limiting capabilities
Control Plane Policing (CoPP)
• CoPP leverages Modular QoS CLI (MQC) for QoS
policy definition
• Consistent approach on all boxes
• Dedicated control-plane “interface”
Single point of application
• Highly flexible: permit, deny, rate limit
• Extensible protection
Changes to MQC (e.g. ACL keywords) are applicable to CoPP
Protecting the Control Plane
(Diagram: incoming packets enter the packet buffer and go through the CEF/FIB lookup; CEF-switched packets leave through the output packet buffer, while locally switched and processor-switched packets rise to the control plane. Control Plane Policing sits at the input to the control plane (alleviating DoS attacks) and Silent Mode at its output (reconnaissance prevention). Control plane traffic includes management (SNMP, Telnet, SSH, SSL, …), ICMP, IPv6 and routing updates.)
Configuring CoPP
CoPP policy is applied to the control-plane itself:
Router(config)# control-plane
Router(config-cp)# service-policy input control-plane-policy
Three step process:
– Define classes of traffic → create class-maps
– Define actual QoS policy (application of rate-limiting to traffic classes) → create policy-maps
– Apply CoPP policy to control plane “interface”
Sample CoPP Configuration
Traffic to be rate-limited: SNMP and ssh from mgmt host
Define class-map for this traffic
Define the policy for this class map: up to 80 kbps: transmit, else drop
Apply policy to control-plane
Router(config)# access-list 140 permit tcp host 10.1.1.1 any eq ssh
Router(config)# access-list 140 permit udp host 10.1.1.2 any eq snmp
Router(config)# class-map mgmt-class
Router(config-cmap)# match access-group 140
Router(config-cmap)# exit
Router(config)# policy-map control-plane-policy
Router(config-pmap)# class mgmt-class
Router(config-pmap-c)# police 80000 conform-action transmit exceed-action drop
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# control-plane
Router(config-cp)# service-policy input control-plane-policy
Router(config-cp)# exit
Deploying CoPP
• What rate of TCP/179 traffic is normal or
acceptable?
• rACLs are relatively simple to deploy
Need BGP/OSPF/SNMP/etc…
Deny all else…
• To get the most value from CoPP, detailed planning
is required:
Depends on how you plan to deploy it
Bps vs. pps
In vs. out
Deploying CoPP
• Easy answer: mimic rACL behavior
Same limitations as with rACL
• Recommendations:
Develop multiple classes of control plane traffic, e.g. critical, important, normal, undesirable, default
Use ACLs to define traffic for each
Depending on class defined, apply appropriate policy
Critical: no rate limit
Important: high rate limit
…
• Flexible class definition allows extension of model
Deploying CoPP: Challenges
• Every network is going to have a different rate for all
kinds of traffic
Only time and experience will help
Show commands can help with ACL hits and rate information
• Currently no “log” keyword
Makes it hard to diagnose required traffic
• Real-world hardware vs. software performance
implications: GSR, Sup720
• Deployment whitepaper:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper09186a0080211f39.shtml
CoPP: Release Info / Availability
• Support being added in hardware in the Sup720.
The control-plane policy is pushed down to the hardware forwarding engine(s), and the application of the CoPP policy (policing/dropping) performed in hardware.
• 12.3T
Supported in 12.3(4)T
• 12.2S
Supported in 12.2(18)S
CONTROL PLANE
Routing Protocol Security
• Routing protocols can be attacked
Denial of service
Smoke screens
False information
Reroute packets
(May be accidental or intentional!)
• Protect the routing protocol!
Prefix Filtering
Routing Protocol Authentication
What to Prefix Filter?
• Bogons
IANA has reserved several blocks of IPv4 that have yet to be allocated to a RIR:
http://www.iana.org/assignments/ipv4-address-space
• Special-Use IPv4 Addresses
Special Use Addresses (SUA) are reserved for special use :-) Defined in RFC3330: ftp://ftp.isi.edu/in-notes/rfc3330.txt
Examples: 127.0.0.1, 192.0.2.0/24
• These blocks of IPv4 addresses should never be advertised into the global Internet Route Table
• Filters should be applied on the AS border for all inbound and outbound advertisements
Where to Prefix Filter?
(Diagram: AS 100 with its customers (AS 300, AS 500) and its peers/upstreams (AS 200, AS 400). Customer links are filtered in and out, with the ingress filter limited to the customer’s prefixes; toward the Internet, egress filters control the prefixes sent out and ingress filters the prefixes coming in.)
How to Prefix Filter?
Ingress and Egress Route Filtering
• Two flavors of route filtering:
Distribute list—widely used
Prefix list—increasingly used
• Both work fine—engineering preference
• Two filtering techniques:
Explicit Permit (permit then deny any)
Explicit Deny (deny then permit any)
Ingress and Egress Route Filtering
access-list 150 deny ip host 0.0.0.0 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 150 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 150 deny ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 150 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 150 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 150 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 150 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 150 permit ip any any
Ingress and Egress Route Filtering
ip prefix-list rfc1918-dsua deny 0.0.0.0/8 le 32
ip prefix-list rfc1918-dsua deny 10.0.0.0/8 le 32
ip prefix-list rfc1918-dsua deny 127.0.0.0/8 le 32
ip prefix-list rfc1918-dsua deny 169.254.0.0/16 le 32
ip prefix-list rfc1918-dsua deny 172.16.0.0/12 le 32
ip prefix-list rfc1918-dsua deny 192.0.2.0/24 le 32
ip prefix-list rfc1918-dsua deny 192.168.0.0/16 le 32
ip prefix-list rfc1918-dsua deny 224.0.0.0/3 le 32
ip prefix-list rfc1918-dsua permit 0.0.0.0/0 le 32
Prefix list for a BGP prefix-list filter
Ingress and Egress Route Filtering
router bgp 200
no synchronization
bgp dampening
neighbor 10.220.4.1 remote-as 210
neighbor 10.220.4.1 version 4
neighbor 10.220.4.1 distribute-list 150 in
neighbor 10.220.4.1 distribute-list 150 out
neighbor 10.222.8.1 remote-as 220
neighbor 10.222.8.1 version 4
neighbor 10.222.8.1 prefix-list rfc1918-dsua in
neighbor 10.222.8.1 prefix-list rfc1918-dsua out
no auto-summary
Prefix Filter All Routes from Customers!
• ISPs should only accept prefixes which have been assigned or allocated to their downstream peer/customer
• Example:
Customer has 10.50.0.0/20 block
Customer should only announce this block upstream
You should only accept this prefix from them
Explicitly permit prefixes from other ISPs
(i.e. multihomed customer)
(Diagram: prefix filters on every customer, ISP and peer link.)
Prefix Filter All Routes to Peers!
• What do you send to the Internet?
Your prefixes
More specific customers’ prefixes (customers who are multihoming)
• What do you not send to the Internet?
Special Use Addresses and Bogons—assume garbage will leak into your iBGP
Lower Prefix Boundary—Unless absolutely necessary, do not allow anything in the /25–/32 range
• The egress filter list can grow to be very large
More specifics for customers
Specific blocks from other ISPs
Prefix Filter All Routes from Peers!
• Ingress routes from peers and/or the upstream ISP are the nets of the Internet
• Ideally, the peering policy should be specific so that exact filters can be put in place
Dynamic nature of the peering makes it hard to maintain specific route filters
• Don’t accept RFC1918 etc. prefixes
• Don’t accept your own prefix
• Don’t accept default (unless you need it)
• Don’t accept prefixes longer than /24
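An added example (not the deck's or Cisco's code) implementing IOS prefix-list matching, including the ge/le length ranges, and applying it both to the rfc1918-dsua list from the How to Prefix Filter slides and to a constructed “peer-in” list that encodes the rules on this slide; 198.51.100.0/24 is assumed as the ISP's own block. Running the two lists side by side makes one thing visible: the rfc1918-dsua list as written accepts a default route, since 0.0.0.0/0 is shorter than the /8 entry and falls through to the final permit, whereas “peer-in” refuses it with an exact-match deny.

```python
import ipaddress
import re

# The deck's rfc1918-dsua prefix list, plus a constructed "peer-in" list
# applying the deck's peer-ingress rules: no default, no own prefix
# (198.51.100.0/24 is assumed as our block), no bogons, nothing longer than /24.
PREFIX_LISTS = """\
ip prefix-list rfc1918-dsua deny 0.0.0.0/8 le 32
ip prefix-list rfc1918-dsua deny 10.0.0.0/8 le 32
ip prefix-list rfc1918-dsua deny 127.0.0.0/8 le 32
ip prefix-list rfc1918-dsua deny 169.254.0.0/16 le 32
ip prefix-list rfc1918-dsua deny 172.16.0.0/12 le 32
ip prefix-list rfc1918-dsua deny 192.0.2.0/24 le 32
ip prefix-list rfc1918-dsua deny 192.168.0.0/16 le 32
ip prefix-list rfc1918-dsua deny 224.0.0.0/3 le 32
ip prefix-list rfc1918-dsua permit 0.0.0.0/0 le 32
ip prefix-list peer-in deny 0.0.0.0/0
ip prefix-list peer-in deny 198.51.100.0/24 le 32
ip prefix-list peer-in deny 0.0.0.0/8 le 32
ip prefix-list peer-in deny 10.0.0.0/8 le 32
ip prefix-list peer-in deny 127.0.0.0/8 le 32
ip prefix-list peer-in deny 169.254.0.0/16 le 32
ip prefix-list peer-in deny 172.16.0.0/12 le 32
ip prefix-list peer-in deny 192.0.2.0/24 le 32
ip prefix-list peer-in deny 192.168.0.0/16 le 32
ip prefix-list peer-in deny 224.0.0.0/3 le 32
ip prefix-list peer-in deny 0.0.0.0/0 ge 25
ip prefix-list peer-in permit 0.0.0.0/0 le 24
"""

ENTRY = re.compile(r"^ip prefix-list (\S+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")


def parse_prefix_lists(text):
    """Return {name: [(action, network, ge, le), ...]} in configured order."""
    lists = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        name, action, prefix, ge, le = m.groups()
        entry = (action, ipaddress.IPv4Network(prefix, strict=False),
                 int(ge) if ge else None, int(le) if le else None)
        lists.setdefault(name, []).append(entry)
    return lists


def entry_matches(entry, route):
    """IOS prefix-list semantics: the route must lie inside the entry's network
    and its length must fall in [ge, le]. With neither keyword the length must
    equal the entry's own; 'ge' alone means up to /32; 'le' alone means from
    the entry's length up to le."""
    _, net, ge, le = entry
    if route.prefixlen < net.prefixlen or route.network_address not in net:
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    return low <= route.prefixlen <= high


def prefix_list_decision(entries, prefix):
    """First match wins; an unmatched prefix hits the implicit deny. Returns (action, seq or None)."""
    route = ipaddress.IPv4Network(prefix, strict=False)
    for seq, entry in enumerate(entries, start=1):
        if entry_matches(entry, route):
            return entry[0], seq * 5  # IOS numbers auto-assigned entries 5, 10, 15, ...
    return "deny", None


if __name__ == "__main__":
    lists = parse_prefix_lists(PREFIX_LISTS)
    for name in ("rfc1918-dsua", "peer-in"):
        for p in ("0.0.0.0/0", "10.50.0.0/20", "198.51.100.0/24", "203.0.113.0/25", "203.0.113.0/24"):
            print(f"{name:13s} {p:16s} -> {prefix_list_decision(lists[name], p)}")
```

The returned sequence number is what “show ip prefix-list” reports hit counts against, so the same function doubles as a way to predict which entry a given announcement will be counted under.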
Secure Routing
Route Authentication
Configure Routing Authentication
[Figure: the sending router signs each route update with the shared key; the receiving router verifies the signature, certifying the authenticity of the neighbor]
Route Authentication
• Authenticates routing update packets
• A shared key, configured on both neighbors, is used to authenticate each update
Plain text—protects against accidental problems only (the key itself travels in the clear)
Message Digest 5 (MD5)—protects against accidental and intentional problems (only a keyed digest of the update travels; the key never does)
• Often not implemented
"Never seen an attack"
"My peer doesn't use it"
Route Authentication
• Multiple keys supported
Key lifetimes based on time of day, so the router clock must be correct (use NTP) or keys expire or activate at the wrong moment
Use first valid key
• Supported for BGP, IS-IS, OSPF, RIPv2, and EIGRP
• Syntax differs depending on the routing protocol
OSPF and ISIS
Authentication Example
• OSPF
interface ethernet1
 ip address 10.1.1.1 255.255.255.0
 ! per-interface key; key ID and string must match on the neighbor
 ip ospf message-digest-key 100 md5 qa*>HH3
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 ! turns MD5 on for every interface in area 0
 area 0 authentication message-digest
• ISIS
interface ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip router isis
 ! "isis password" is clear-text authentication of level-2 hellos on this interface only;
 ! it protects against accidental adjacencies, not against an attacker who can sniff the link
 isis password pe#$rt@s level-2
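The "multiple keys / key lifetimes" slide and the IS-IS example above, combined into one added configuration that is not part of the original deck: IS-IS switched from the clear-text interface password to MD5 with a key chain, and the key chain set up with overlapping lifetimes so the key can be rolled without a flag day. Key strings, dates, the NET and the NTP server address are all assumed, and the IOS image must support IS-IS HMAC-MD5 authentication (RFC 3567).

```cisco
! Lifetimes are compared against the router clock, so sync it first (server address assumed)
ntp server 10.255.0.1
!
! Both routers accept key 1 for a week after they stop sending it, and accept key 2
! a week before they start sending it. With two valid keys the lowest-numbered one
! is sent, so there is no moment where one side sends a key the other rejects.
key chain ISIS-KEYS
 key 1
  key-string 0ld-l3v3l2-secret
  accept-lifetime 00:00:00 Jan 1 2004 23:59:59 Jul 7 2004
  send-lifetime 00:00:00 Jan 1 2004 23:59:59 Jun 30 2004
 key 2
  key-string n3w-l3v3l2-secret
  accept-lifetime 00:00:00 Jun 24 2004 infinite
  send-lifetime 00:00:00 Jul 1 2004 infinite
!
router isis
 net 49.0001.0000.0000.0001.00
 is-type level-2-only
 ! router level: authenticates LSPs, CSNPs and PSNPs
 authentication mode md5 level-2
 authentication key-chain ISIS-KEYS level-2
!
interface ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip router isis
 ! interface level: authenticates hellos; replaces the clear-text "isis password"
 isis authentication mode md5 level-2
 isis authentication key-chain ISIS-KEYS level-2
```

The same key chain object is what RIPv2 (`ip rip authentication mode md5` plus `ip rip authentication key-chain`) and EIGRP (`ip authentication mode eigrp <as> md5` plus `ip authentication key-chain eigrp <as>`) consume; OSPF in IOS of this era does not use key chains and instead rolls keys by configuring a second `ip ospf message-digest-key` and removing the old one once every neighbor has it.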
BGP Route Authentication
router bgp 200
 no synchronization
 neighbor 10.1.2.1 remote-as 300
 neighbor 10.1.2.1 description Link to Excalabur
 neighbor 10.1.2.1 send-community
 neighbor 10.1.2.1 version 4
 neighbor 10.1.2.1 soft-reconfiguration inbound
 neighbor 10.1.2.1 route-map Community1 out
 ! "7" marks the type-7 obfuscated form written back by "service password-encryption";
 ! when configuring, type the clear-text secret without the 7. Type 7 is reversible,
 ! so a saved config containing it is as sensitive as the secret itself.
 neighbor 10.1.2.1 password 7 iuhg9287dhsa7swk
BGP Route Authentication
• Works per neighbor or for an entire peer-group
• The digest (RFC 2385) covers the whole TCP segment, so a session with MD5 also discards spoofed RST or SYN segments aimed at the BGP session, not just forged updates
• Two routers with password mis-match:
%TCP-6-BADAUTH: Invalid MD5 digest from [peer's IP address]:11004 to [local router's IP address]:179
• One router has a password and the other does not:
%TCP-6-BADAUTH: No MD5 digest from [peer's IP address]:11003 to [local router's IP address]:179
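The peer-group form mentioned on the slide above, as an added IOS example that is not from the original deck. The AS numbers, neighbor addresses and the secret are assumed; the point is that one password statement on the peer-group covers every customer session, and that the two BADAUTH messages are what you grep for when a session will not come up after a key change.

```cisco
! Store secrets in the config in type-7 form rather than clear text (still reversible;
! protect the config, do not rely on this)
service password-encryption
!
router bgp 65000
 ! one template for all customer sessions: the MD5 password is inherited by every member
 neighbor CUSTOMERS peer-group
 neighbor CUSTOMERS password Cust0mer-BGP-Secr3t
 neighbor CUSTOMERS soft-reconfiguration inbound
 !
 neighbor 10.222.9.1 remote-as 65010
 neighbor 10.222.9.1 description Customer AS65010 (assumed)
 neighbor 10.222.9.1 peer-group CUSTOMERS
 !
 neighbor 10.222.9.5 remote-as 65011
 neighbor 10.222.9.5 description Customer AS65011 (assumed)
 neighbor 10.222.9.5 peer-group CUSTOMERS
!
! After a change, confirm the sessions are Established and that nothing is complaining:
!   show ip bgp summary
!   show logging | include BADAUTH
```

Change the key on both ends inside the same window: until the strings match, TCP on each side silently discards the other's segments (logging the BADAUTH line), so the session stays down rather than falling back to unauthenticated.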
RFC 2827/BCP 38 Ingress
Packet Filtering
Your customers should not be sending any IP packets out to the Internet with a source address other than the addresses you have allocated to them!
ftp://ftp.isi.edu/in-notes/rfc2827.txt
BCP 38 Packet Filtering Principles
• Filter as close to the edge as possible
• Filter as precisely as possible
• Filter both source and destination
Techniques for BCP 38 Filtering
• Static ACLs on the edge of the network
• Unicast RPF Strict Mode
• Cable source verify (DHCP)
• Dynamic ACLs with AAA profiles
• IP Source Guard
Static BCP 38 Ingress Packet Filtering
ISP's Customer Allocation Block: 96.0.0.0/19
BCP 38 Filter = Allow Only Source Addresses from the Customer's 96.0.X.X/24
[Figure: Internet, ISP, and four customer links on 96.0.18.0/24, 96.0.19.0/24, 96.0.20.0/24 and 96.0.21.0/24, each with its own inbound ACL]
Customer on 96.0.20.0/24, applied inbound on that customer's interface:
access-list 101 permit ip 96.0.20.0 0.0.0.255 any
Customer on 96.0.18.0/24, applied inbound on that customer's interface:
access-list 101 permit ip 96.0.18.0 0.0.0.255 any
The implicit deny at the end of each ACL drops every packet whose source is not the customer's block.
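Two of the customer ACLs from the slide above, fleshed out into a complete static BCP 38 configuration as an added example that is not part of the original deck. The interface names are assumed; the addresses are the deck's 96.0.0.0/19 allocation block.

```cisco
! One named ACL per customer, permitting only that customer's allocation as source.
ip access-list extended BCP38-CUST-96-0-20
 permit ip 96.0.20.0 0.0.0.255 any
 ! An explicit deny adds nothing to the filtering but gives "show ip access-lists"
 ! a counter of spoofed packets. Do not leave "log" or "log-input" on it: logged
 ! packets are punted to the route processor (see the "What Is a Punt?" slide), so a
 ! spoofing customer would become a CPU problem for your router. Add it briefly
 ! while investigating, then take it off.
 deny ip any any
!
ip access-list extended BCP38-CUST-96-0-18
 permit ip 96.0.18.0 0.0.0.255 any
 deny ip any any
!
interface Serial1/0
 description Customer 96.0.20.0/24 (interface name assumed)
 ip access-group BCP38-CUST-96-0-20 in
!
interface Serial1/1
 description Customer 96.0.18.0/24 (interface name assumed)
 ip access-group BCP38-CUST-96-0-18 in
!
! Spoofed-packet count per customer: the match counter on the deny line
!   show ip access-lists BCP38-CUST-96-0-20
```

The weakness of this approach is the one the uRPF slides that follow address: every re-addressing of a customer means editing an ACL by hand, which is why it does not scale past a few hundred leased-line customers.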
Unicast Reverse Path Forwarding (uRPF)
• CEF is required
• IP packet source address is checked to ensure that the route back to the source is valid
• Two flavors of uRPF:
Strict Mode for: BCP 38/RFC 2827 filters on the customer ingress edge
Loose Mode for: the ISP-to-ISP edge, and Remotely Triggered Black Hole filtering (see SEC-2008 for additional detail)
• Care required in multihomed situations
uRPF
Strict Mode
A simple and scalable implementation of BCP 38:
• How do you manage BCP 38 ACLs for over 10,000 leased-line customers?
• One command that automatically configures BCP 38 filtering?
• It would be really nice if the line engineer who first brings up the customer interface could configure this feature without needing to create ACLs or touch the routing protocols!
• It would be nice if the filter could be automatically updated!
Strict uRPF Check (Unicast Reverse Path Forwarding)
[Figure: a packet with source S arrives on i/f 1; the FIB is looked up for S]
FIB says the path back to S is via i/f 1 (same interface): forward
FIB says the path back to S is via i/f 2 (another interface): drop
router(config-if)#ip verify unicast reverse-path
or: router(config-if)#ip verify unicast source reachable-via rx
Loose uRPF Check (Unicast Reverse Path Forwarding)
[Figure: a packet with source S arrives on any interface; the FIB is looked up for S]
FIB has a route for S via any interface: forward
S not in the FIB, or its route points to null0: drop
router(config-if)#ip verify unicast source reachable-via any
Deploying uRPF
• Single-homed customers
uRPF provides a simple, easy way to deploy BCP 38 filtering
Simple config for many customers
• Dual-homed customers
Asymmetric routing → must "tweak" routing
Use BGP weight or local_pref to ensure a consistent best path back to the customer over the interface its packets arrive on
uRPF can be used with dual-homed customers with proper engineering
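The three deployment cases from the uRPF slides above (single-homed strict, dual-homed strict with the routing "tweak", loose at the peering edge), as one added IOS example that is not part of the original deck. Interface names, AS numbers, neighbor addresses and the black-holed source are assumed; the customer blocks come from the deck's 96.0.0.0/19 allocation.

```cisco
! uRPF does its lookup in the FIB, so CEF must be on
ip cef
!
! 1) Single-homed customer: strict mode is the whole BCP 38 filter, no ACL to maintain,
!    and it follows the customer's routing automatically
interface Serial1/0
 description Single-homed customer 96.0.20.0/24 (assumed)
 ip verify unicast source reachable-via rx
!
! 2) Dual-homed customer AS65010 (96.0.16.0/20) attached to this router and to another
!    of our PEs. Strict mode drops its packets whenever the FIB's best path back to the
!    source points at the other PE, so make the directly connected eBGP path win here:
!    weight is local to this router and is the first tie-breaker.
router bgp 65000
 neighbor 10.222.9.1 remote-as 65010
 neighbor 10.222.9.1 description Dual-homed customer, link A (assumed)
 neighbor 10.222.9.1 weight 200
!
!    For sources the customer announces only over its other link, let an ACL rescue
!    the failed check: a packet that fails uRPF is still forwarded if ACL 150 permits it.
access-list 150 permit ip 96.0.16.0 0.0.15.255 any
access-list 150 deny ip any any
interface Serial1/2
 description Dual-homed customer 96.0.16.0/20, link A (assumed)
 ip verify unicast source reachable-via rx 150
!
! 3) Peering edge: loose mode. Only sources with no route at all, or whose route points
!    to Null0, are dropped. Routing a source to Null0 therefore drops it on every
!    loose-mode interface at once, which is the basis of source-based RTBH (SEC-2008).
interface POS2/0
 description Peer AS65020 (assumed)
 ip verify unicast source reachable-via any
!
! attacking source (assumed) black-holed: now fails the loose check on POS2/0
ip route 192.0.2.7 255.255.255.255 Null0
```

Two caveats the slides leave implicit: the ACL exception in case 2 is a hole in the filter exactly as wide as the ACL, so keep it to the customer's own blocks; and if a router carries a default route, neither mode treats the default as a valid path unless `allow-default` is added to the `ip verify` command, which on a peering router that takes a default would otherwise drop most of the Internet.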
Unicast RPF Verification
Commands:
show ip traffic | include RPF
show ip interface ethernet 0/1/1 | include RPF
debug ip cef drops rpf <ACL>
(this is a debug; on a production router always scope it with the ACL argument so only the sources you are investigating are reported)
Router# show ip traffic
IP statistics:
  Rcvd: 1471590 total, 887368 local destination
  …
  Drop: 3 encapsulation failed, 0 unresolved, 0 no adjacency
        0 no route, 0 unicast RPF, 0 forced drop
SUMMARY / NEXT STEPS
© 2003, Cisco Systems, Inc. All rights reserved.
9883_06_2004_X2
Summary/Next Steps
• Protecting your infrastructure is your #1 priority
• Proper router configuration is a critical first step in increasing security
• Develop a baseline configuration for your various platforms
• Audit to ensure compliance with the standard
• Develop procedures for introducing new routers into the network
• Once a solid foundation has been deployed, advanced DoS mitigation techniques can be deployed
THANK YOU! Q &amp; A
Tools: SNMP
• Open source SNMP command-line tools, library,
trap-generator, agent, etc. available from http://www.net-snmp.org/
• Open source SNMP visualization, storage, and graphing tools developed by Tobi Oetiker:
MRTG—the Multi Router Traffic Grapher
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
RRDTool—the Round Robin Database Tool
http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
• Commercial systems such as HP OpenView, Micromuse NetCool, IBM Tivoli, CA Unicenter
• Several open source systems - Big Brother (http://bb4.com/), Big Sister (http://bigsister.graeff.com/), Nagios
Tools: NetFlow
• OSU FlowTools
Open source NetFlow collection and retrieval tools
developed and maintained by Mark Fullmer, available from:
http://www.splintered.net/sw/flow-tools/
• FlowScan
Open source NetFlow graphing/visualization tools
developed and maintained by Dave Plonka, available from:
http://net.doit.wisc.edu/~plonka/FlowScan/
• Arbor Networks Peakflow products
NetFlow-Based Traffic Characterization and Anomaly Detection:
http://www.arbornetworks.com/products_sp.php
Tools: Syslog
• LogAnalysis.org has references to numerous
logging and analysis tools in their Library:
http://loganalysis.org/
• Syslog-ng from BalaBit adds a lot of useful
functionality:
SP Security Reference Material
• ISP Essentials
ftp://ftp-eng.cisco.com/cons/
• SP Security Information
(whitepapers and bootcamp):
ftp://ftp-eng.cisco.com/cons/isp/security/
ftp://ftp-eng.cisco.com/cons/isp/security/CPN-Summit-2004/
• NANOG Security Curriculum
http://nanog.org/ispsecurity.html
Cisco Security Reference Material
• Cisco Security Reference Information
http://www.cisco.com/warp/public/707/ref.html
• Improving Security on Cisco Routers
http://www.cisco.com/warp/public/707/21.html
• Cisco Product Security Advisories and Notices
Cisco Feature Reference Material
• Infrastructure / Transit ACL Reference
http://www.cisco.com/warp/public/707/iacl.html
http://www.cisco.com/warp/public/707/tacl.html
• rACL Command Reference
http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00800a8531.html
• Control Plane Policing Deployment Whitepaper
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper09186a0080211f39.shtml
• Access Lists and IP Fragments
http://www.cisco.com/warp/public/105/acl_wp.html
Cisco Feature Reference Material
• Understanding Selective Packet Discard (SPD)
http://www.cisco.com/en/US/partner/products/hw/routers/ps167/products_tech_note09186a008012fb87.shtml
• Cisco Netflow Page
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/
• Cisco SNMP Page
http://www.cisco.com/en/US/tech/tk648/tk362/tk605/tech_protocol_home.html
• SNMP Object Navigator
http://www.cisco.com/pcgi-bin/Support/Mibbrowser/unity.pl
External Reference Material
• Secure Cisco IOS Template
http://www.cymru.com/Documents/secure-ios-template.html
• Secure BGP Template
http://www.cymru.com/Documents/secure-bgp-template.html
• Bogon List
http://www.cymru.com/Documents/bogon-list.html
• Dave Dittrich’s DDoS Page
http://staff.washington.edu/dittrich/misc/ddos/
External Reference Material
• BCP-38 (RFC-2827) “Network Ingress Filtering:
Defeating Denial of Service Attacks which Employ IP Source Address Spoofing”
ftp://ftp.isi.edu/in-notes/rfc2827.txt
• RFC-3330 “Special-Use IPv4 Addresses”
Associated Sessions
• SEC-2004 – Responding to Security Incidents
• SEC-2008 – Service Provider Responses to Denial of Service Attacks
• NMS-2032 – NetFlow for Accounting, Analysis and Attack
• NMS-2051 – Securely Managing Your Network and SNMPv3
Recommended Reading
• Cisco ISP Essentials
ISBN 1-58705-041-2
• Network Security Principles and Practices
ISBN 1-58705-025-0
• Inside Cisco IOS Software Architecture
ISBN 1-57870-181-3
Complete Your Online Session Evaluation!
WHAT: Complete an online session evaluation
and your name will be entered into a daily drawing
WHY: Win fabulous prizes! Give us your feedback!
WHERE: Go to the Internet stations located throughout the Convention Center
HOW: Winners will be posted on the onsite
Networkers Website; four winners per day