© 2006 Cisco Systems, Inc. All rights reserved. SND v
Securing the Perimeter
Applying a Security Policy for Cisco Routers
Outline
- Overview
- Role of Routers in Networks
- Router Security Principles
- How Routers Enforce a Perimeter Security Policy
- Local and Remote Administrative Access
- Maintaining the Most Recent Versions of Cisco IOS Software
- Logging
- Conceptual Basis for a Router Security Policy
- Creating a Security Policy for a Router
- Applying Cisco IOS Security Features
- Summary
Role of Routers in Networks
[Figure: a simple network with two routers. Router 1 and Router 2 connect LANs holding a file server and a user host across a WAN.]
Threats to and Attacks on Routers
Examples of threats to routers:
- Unauthorized access
- Session hijacking
- Rerouting
- Masquerading
- DoS
- Eavesdropping
- Information theft
Examples of attack techniques:
- Password guessing
- Routing protocol attacks
- SNMP attacks
- IP fragmentation attacks for DoS
- Ping of death attacks
- DDoS attacks
- Session replay attacks
Router Security Principles
There are three principles of router security:
- Physical security
- Operating system and router configuration security
- Router hardening
How Routers Enforce Perimeter Security Policy
Routers are used to secure the perimeter of networks. Three typical methods are as follows:
- In scenario 1, the router protects the LAN.
- In scenario 2, the router provides defense in depth by screening traffic before a firewall.
- In scenario 3, the zone between R1 and R2 is called a DMZ. Servers that must be accessible from the Internet can be put here.
[Figure: Scenario 1: LAN, Router 1 (R1), Internet. Scenario 2: LAN, R1, Firewall, Internet. Scenario 3: LAN, R1, R2/FW and the Internet, with the DMZ between R1 and R2.]
Filtering Packets with a Router
Most routers can filter on one or more of the following:
– Source IP address
– Source port
– Destination IP address
– Destination port
– Protocol type
Some routers can even filter on any bit or any pattern of bits in the IP header. Typically, routers are not able to filter on the content of services such as the FTP file name.
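As an added example (not part of the original slides), the following Cisco IOS access list uses each of the five header fields listed above on the Internet-facing interface of a router that protects a LAN, in the manner of scenario 1. Every address and interface name is constructed: the protected network is 203.0.113.0/24, its public web server is 203.0.113.10, the resolver the LAN is allowed to use is 198.51.100.53, and the outside interface is GigabitEthernet0/0. Anything not explicitly permitted is dropped, which is the deny-by-default guideline the policy slides state later.

```cisco
! Added example; addresses and interface names are constructed, not from the course material.
! Protected LAN: 203.0.113.0/24   Public web server: 203.0.113.10
! Permitted resolver: 198.51.100.53   Outside interface: GigabitEthernet0/0
ip access-list extended OUTSIDE-IN
 remark --- Anti-spoofing on SOURCE IP: nothing from the Internet may claim an inside or loopback address
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 remark --- Published service: PROTOCOL + DESTINATION IP + DESTINATION PORT
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 remark --- Replies to sessions opened from inside. "established" matches TCP segments with ACK or RST set;
 remark --- a stateless ACL has no such shortcut for UDP, so DNS replies get their own line:
 remark --- SOURCE IP + SOURCE PORT + DESTINATION PORT range
 permit tcp any 203.0.113.0 0.0.0.255 established
 permit udp host 198.51.100.53 eq 53 203.0.113.0 0.0.0.255 gt 1023
 remark --- Only the ICMP types needed for normal operation
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 remark --- Every IOS ACL ends with an implicit "deny ip any any"; writing it out with "log"
 remark --- sends a syslog message for each dropped flow to the logging host
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing
 ip access-group OUTSIDE-IN in
```

Once traffic has been flowing, `show access-lists OUTSIDE-IN` prints a match counter per line: a permit line that never matches is a candidate for removal, and a climbing counter on the final deny, together with the matching syslog entries, is the first place to look when unexpected traffic reaches the perimeter. Note that every match here is on header fields; as the slide says, the router sees nothing of the service content such as an FTP file name.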
Local and Remote Administrative Access
If remote administrative access is required, use a dedicated management network or encrypt all management traffic.
[Figure: Local access: an administrator connected to the console port of R1. Remote access: an administration host and a logging host on a management LAN behind R2/FW, with R1 facing the Internet.]
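The following Cisco IOS configuration is an added example, not taken from the slides, of applying both halves of that advice on R1: remote sessions are encrypted (SSH only, no Telnet) and accepted only from the dedicated management LAN, while the console port remains the local path. The management LAN address 10.10.10.0/24, the domain name and the account name are constructed; the passwords are placeholders.

```cisco
! Added example; hostname, addresses and account are constructed, not from the course material.
! Management LAN: 10.10.10.0/24 (the administration host network in the slide figure)
hostname R1
ip domain-name mgmt.example.net
! An RSA key pair must exist before SSH can be enabled
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Local account and enable secret stored hashed; replace the placeholders before use
username netadmin privilege 15 secret <STRONG-PASSWORD-PLACEHOLDER>
enable secret <ENABLE-SECRET-PLACEHOLDER>
service password-encryption
! Slow down password guessing (one of the attack techniques listed earlier in the deck):
! refuse logins for 120 s after 3 failures within 60 s, but keep the management LAN exempt
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
 deny   any log
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
! Local access: the console port
line con 0
 login local
 exec-timeout 5 0
 logging synchronous
! The auxiliary port is not used for administration here, so it is closed
line aux 0
 no exec
 transport input none
! Remote access: SSH only, and only from the management LAN
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
 exec-timeout 5 0
```

`show ip ssh` confirms that version 2 is active, and `show users` lists the current sessions and their source addresses. Because `transport input ssh` removes Telnet from the VTY lines entirely, an encrypted session from the management LAN is the only remote path into the router; the console stays available when the network itself is the problem.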
Maintaining Most Recent Versions of Cisco IOS Software
Before updating Cisco IOS software on routers, complete these tasks:
- Install additional memory if necessary
- Test the file transfer capability between the administrator host and the router
- Schedule the required downtime for the update
To update Cisco IOS software on routers, complete these tasks:
- Shut down or disconnect the interfaces on the router
- Back up the current Cisco IOS image and configuration files
- Load the Cisco IOS software or configuration updates
- Test the updates
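As an added example (not part of the original slides), here is the complete sequence of Cisco IOS commands that carries out the two task lists above on R1. The administrator host doubles as the TFTP server at the constructed address 10.10.10.5 on the management LAN; the image file names and the MD5 value are placeholders to be replaced with the real ones. Exec-mode and configuration-mode commands are shown in the order they would be typed.

```cisco
! Added example; TFTP server address, interface names, image names and hash are placeholders.
! Administrator host / TFTP server: 10.10.10.5 (management LAN, constructed)
!
! --- Before the update ---
! Current image, memory and flash size, to compare against the new release's requirements
show version
dir flash:
! Test the transfer path from the administrator host before relying on it
ping 10.10.10.5
!
! --- Back up the current image and configuration files ---
copy running-config tftp://10.10.10.5/R1-running-config.txt
copy startup-config tftp://10.10.10.5/R1-startup-config.txt
copy flash:<current-image>.bin tftp://10.10.10.5/<current-image>.bin
!
! --- Take the user-facing interface out of service during the maintenance window ---
! (the interface toward the management LAN stays up so the transfer can proceed)
configure terminal
 interface GigabitEthernet0/0
  shutdown
 exit
exit
!
! --- Load the new image and check its integrity ---
copy tftp://10.10.10.5/<new-image>.bin flash:
! Compare against the MD5 published for the image on Cisco.com; a mismatch means a corrupt
! or tampered file and the image must not be booted
verify /md5 flash:<new-image>.bin <md5-from-cisco.com>
!
! --- Point the boot loader at the verified image, save, and reboot ---
configure terminal
 no boot system
 boot system flash:<new-image>.bin
 exit
copy running-config startup-config
reload
!
! --- Test the update after the reload ---
show version
! Return the interface to service only once the new image and configuration are confirmed
configure terminal
 interface GigabitEthernet0/0
  no shutdown
 exit
exit
```

Keeping the previous image in flash alongside the new one (the `copy` above writes a second file rather than replacing the first) gives a known-good fallback: if the new release misbehaves, a second `boot system` line pointing at the old file and another reload restores the router without a further transfer.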
Logging
The logging host is a dedicated computer whose only job is to store logs. Connect the logging host to a separate, protected network or a dedicated router interface.
[Figure: an administration host and a logging host on a management LAN, separated from the user LAN by R2/FW, with R1 facing the Internet.]
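The following Cisco IOS configuration is an added example, not taken from the slides, of sending R1's logs to such a dedicated logging host over the management interface, with the timestamps and login records that make the logs useful for verifying activity. The logging host 10.10.10.50, the NTP server 10.10.10.123 and the management interface GigabitEthernet0/2 are constructed.

```cisco
! Added example; addresses and interface names are constructed, not from the course material.
! Logging host: 10.10.10.50   NTP source: 10.10.10.123   Interface toward the management LAN: GigabitEthernet0/2
!
! Accurate, uniform timestamps first: an entry can only be correlated with other devices if the clock is right
clock timezone UTC 0
ntp server 10.10.10.123
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
!
! Keep a local buffer for troubleshooting and stop messages from flooding the console line
logging buffered 65536 informational
no logging console
!
! Send informational and higher to the logging host, always from the management interface,
! so the host can accept syslog only from a known source address
logging trap informational
logging source-interface GigabitEthernet0/2
logging host 10.10.10.50
!
! Record successful and failed logins; repeated failures are the signature of password guessing
login on-failure log
login on-success log
!
! Send every configuration change to syslog with the user and the command, with keys and passwords hidden
archive
 log config
  logging enable
  notify syslog
  hidekeys
```

`show logging` displays the buffer, the trap level and the configured host, and `show archive log config all` lists the recorded configuration changes. Both are worth checking during normal operation so that it is known, before an incident rather than during one, that messages are actually leaving the router and arriving at the host.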
Conceptual Basis for a Router Security Policy
The types of access relate to the router security layers as follows:
- Physical integrity
  – Physical access
  – Electrical access
- Core static configuration
  – Administrative access
  – Software updates
- Dynamic configuration
  – Routing protocols
  – Management protocols
- Network traffic
  – Access to networks that the router serves
Source: National Security Agency, Router Security Configuration Guide, December 2005
[Figure: Router security layers: Network Traffic Through the Router; Dynamic Configuration and Router Status; Core Static Configuration; Physical Integrity.]
Creating a Security Policy for a Router
Here are some guidelines for a router security policy:
- Specify security objectives, not particular commands or mechanisms
- Specify policy for all the zones:
  – Physical
  – Static configuration
  – Dynamic configuration
  – Traffic flow
- Deny services and protocols that are not explicitly permitted
- Update the security policy regularly
Applying Cisco IOS Security Features
- Secure access to the router itself
- Secure router network services
- Control and filter network traffic
- Configure routing protocol security
- Manage router security
- Configure network access control for routers
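As an added example (not part of the original slides), this Cisco IOS fragment shows what the second, fourth and fifth items above look like in a configuration: unnecessary network services switched off, routing protocol messages kept off the Internet-facing interface and authenticated on the internal one, and SNMP restricted to a read-only view from one management station. Interface names, the OSPF key, the SNMP community string and the management station address 10.10.10.5 are placeholders or constructed values.

```cisco
! Added example; interface names, key, community string and addresses are placeholders, not from the course material.
! --- Secure router network services: disable what a perimeter router does not need ---
no service tcp-small-servers
no service udp-small-servers
no service pad
no ip bootp server
no ip finger
no ip http server
no ip http secure-server
no cdp run
no ip source-route
no ip domain-lookup
! Per-interface services that leak topology information or assist redirection, on the Internet-facing side
interface GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no ip mask-reply
!
! --- Routing protocol security: no OSPF hellos toward the Internet, authenticated neighbors inside ---
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 area 0 authentication message-digest
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 <OSPF-KEY-PLACEHOLDER>
!
! --- Manage router security: SNMP read-only, and only from the management station ---
access-list 10 permit host 10.10.10.5
snmp-server community <COMMUNITY-PLACEHOLDER> RO 10
```

`show ip ospf interface GigabitEthernet0/1` reports whether message-digest authentication is in effect, and `show ip ospf neighbor` confirms that only the expected neighbors formed adjacencies after the change. An interface that is passive accepts no OSPF traffic at all, which removes the routing protocol attack surface from the perimeter link without turning routing off.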
Summary
- General threats to routers include unauthorized access, session hijacking, rerouting, masquerading, DoS, eavesdropping, and information theft.
- Router security depends on physical security, operating system security, and configuration hardening.
- Routers enforce perimeter security for a network by prohibiting specific traffic and by directing traffic to firewalls.
- Remote administrative access should be limited to a dedicated management LAN.
- Update the router operating system to take advantage of new security features and technologies.
- Logs help the administrator verify activity and identify potential threats to network security.
- Security policies should be developed based on four layers: physical security, static configuration, dynamic configuration, and traffic flow.
- A security policy should keep objectives at a high level, specify policy for each of the four zones, and specify that any services and protocols that are not explicitly permitted must be denied.
- Implementing a security policy on Cisco routers includes physical security, shutting down unnecessary network services, filtering network traffic, securing routing protocols, auditing router configurations, and configuring network access control.