© 2006 Cisco Systems, Inc. All rights reserved. SND v2.0 Securing the Perimeter: Disabling Unused Cisco Router Network Services and Interfaces.

Transcript:

Securing the Perimeter: Disabling Unused Cisco Router Network Services and Interfaces

Outline

– Overview
– Vulnerable Router Services and Interfaces
– Management Service Vulnerabilities
– Locking Down Your Router with Cisco AutoSecure
– Limitations and Cautions
– Summary

Vulnerable Router Services and Interfaces

Disable these unnecessary services and interfaces:
– Unused router interfaces
– BOOTP server
– Cisco Discovery Protocol
– Configuration autoloading
– FTP server
– TFTP server
– NTP service
– PAD service
– TCP and UDP minor services
– DEC MOP service

Disable commonly configured management services:
– SNMP
– HTTP server
– DNS

Ensure path integrity:
– ICMP redirects
– IP source routing

Disable probes and scans:
– Finger
– ICMP unreachable notifications
– ICMP mask reply

Ensure terminal access security:
– IP identification service
– TCP keepalives

Disable gratuitous and proxy ARP:
– Gratuitous ARP
– Proxy ARP

Disable IP-directed broadcast.

What You Need to Do

Know that these services can be used by attackers. You do not have to know how these services can be used by attackers, but you do need to know how and when to disable them.

Management Service Vulnerabilities

Management service vulnerabilities include the following:
– SNMP (v1 and v2c) passes community strings in clear text.
– HTTP basic authentication passes passwords in clear text (base64 encoding is not encryption).
– DNS lookups sent to the broadcast address (the IOS default when no name server is configured) can be answered by any host on the segment, including an attacker.
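To make the first two points concrete, here is an added example that is not part of the Cisco course material: it extracts the secret an on-path listener would read from each protocol, the community string from an SNMPv1/v2c message (decoded from its BER structure) and the user name and password from an HTTP Basic Authorization header. Both payloads are constructed for the demo; the user name, password, addresses and the URL path to the IOS HTTP server are made up. The SNMPv3 branch shows why that version is the fix: the community string is simply not in the message.

```python
"""What an on-path attacker reads from clear-text management traffic.

Added example, not part of the Cisco course material. Both payloads are
constructed for the demo; they are not captures from a real router.
"""
import base64


# --- SNMPv1/v2c: the community string is a plain OCTET STRING in the message ---

def _ber_tlv(buf, pos):
    """Decode one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def snmp_community(payload):
    """Return (version, community) from an SNMPv1/v2c message.

    SNMPv3 carries a SEQUENCE (msgGlobalData) where v1/v2c carry the
    community, so it is refused here: there is no clear-text secret to read.
    """
    tag, msg, _ = _ber_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _ber_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version == 3:
        raise ValueError("SNMPv3 message: no clear-text community string")
    tag, community, _ = _ber_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return {0: "v1", 1: "v2c"}.get(version, "unknown"), community.decode("ascii", "replace")


# Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
SNMP_GET = bytes.fromhex(
    "30 29"                    # Message SEQUENCE
    "02 01 00"                 #   version: 0 (v1)
    "04 06 7075626c6963"       #   community: "public"
    "a0 1c"                    #   GetRequest-PDU
    "02 04 00000001"           #     request-id
    "02 01 00"                 #     error-status
    "02 01 00"                 #     error-index
    "30 0e 30 0c"              #     VarBindList / VarBind
    "06 08 2b06010201010100"   #       OID 1.3.6.1.2.1.1.1.0
    "05 00"                    #       NULL value
)


# --- HTTP Basic auth: the password is base64-encoded, never encrypted ---

def http_basic_credentials(request):
    """Return (user, password) from a request's Basic Authorization header, or None."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:               # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() == "basic":
            user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
            return user, password
    return None


# Constructed request to the IOS HTTP server; user name, password and address are made up.
HTTP_GET = (
    b"GET /level/15/exec/-/show/running-config HTTP/1.0\r\n"
    + b"Host: 192.0.2.1\r\n"
    + b"Authorization: Basic " + base64.b64encode(b"admin:cisco123") + b"\r\n"
    + b"\r\n"
)

if __name__ == "__main__":
    print("SNMP:", snmp_community(SNMP_GET))          # ('v1', 'public')
    print("HTTP:", http_basic_credentials(HTTP_GET))  # ('admin', 'cisco123')
```

Run it against a real capture by passing the UDP payload of port 161 traffic to snmp_community() and the TCP payload of port 80 traffic to http_basic_credentials(); the same bytes are what a sniffer on any segment between the management station and the router sees, which is why the slide deck recommends disabling these services or replacing them with SNMPv3 and HTTPS/SSH.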

Locking Down a Router with Cisco AutoSecure

The auto secure command is entered in privileged EXEC mode (router#):

    Router# auto secure
    Is this router connected to internet? [no]: y
    Enter the number of interfaces facing internet [1]: 1
    Enter the interface name that is facing internet: FastEthernet0/0
    Securing Management plane services..
    Disabling service finger
    Disabling service pad
    Disabling udp & tcp small servers
    Enabling service password encryption
    Enabling service tcp-keepalives-in
    Enabling service tcp-keepalives-out
    Disabling the cdp protocol

Cisco AutoSecure will modify the configuration of your device. The Cisco AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks.

Locking Down a Router with Cisco SDM

1. Choose Configure.
2. Choose Security Audit.
3. Click One-step Lockdown.
4. In the Cisco SDM Warning dialog box, click Yes.
5. Deliver the commands to the router.

Locking Down a Router with Cisco SDM (Cont.): screenshots of steps 4 and 5 (the warning dialog box and the delivery of the commands to the router).

Limitations and Cautions

These Cisco AutoSecure features are not implemented in Cisco SDM:
– Disabling NTP
– Configuring AAA
– Setting SPD (selective packet discard) values
– Enabling TCP intercept
– Configuring antispoofing ACLs on outside interfaces

These Cisco AutoSecure features are implemented differently in Cisco SDM:
– Cisco SDM will disable SNMP but will not configure SNMPv3.
– Cisco SDM will enable and configure SSH on crypto Cisco IOS images, but will not enable SCP (Secure Copy) or disable other access and file transfer services, such as FTP.

Summary

– Many services and interfaces are enabled by default on newly commissioned routers. These services and interfaces are vulnerable to attack and should be secured.
– Router management services, such as SNMP or DNS lookup, can be exploited by attackers. Disable these services on your routers unless you need them.
– Securing a router can be simplified by using Cisco AutoSecure from the CLI or One-Step Lockdown from Cisco SDM. If you use one of these methods, verify the resulting configuration to ensure that the services you still need remain enabled and that everything else is turned off.
– The One-Step Lockdown feature does not shut down all the services and interfaces that Cisco AutoSecure does. If you use One-Step Lockdown, you may have to disable or configure several services manually.
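As an added example that is not part of the Cisco course material, the following Python script turns the service list from the "Vulnerable Router Services and Interfaces" slide into an audit of a saved configuration, which is the verification step the summary asks for after running AutoSecure or One-Step Lockdown. The slides name the services; the IOS commands the script looks for are my mapping of each service to the global or interface command that disables it, not the course's own list. It assumes the text was captured with show running-config all, so that default settings are printed; a plain show running-config omits defaults, so a command such as no ip finger can be reported missing while the service is in fact off, and such findings are items to confirm by hand rather than proof that the service is enabled. The sample configuration is constructed.

```python
"""Audit a Cisco IOS config against the lockdown list on the slides.

Assumption: the text comes from 'show running-config all', which prints
default settings; a plain 'show running-config' omits them, so a rule such as
'no ip finger' can be reported missing while the service is in fact off.
"""

# Global-configuration commands that must be present (my mapping of the slide's list).
REQUIRED_GLOBAL = [
    "no ip bootp server", "no cdp run", "no service config", "no service pad",
    "no service tcp-small-servers", "no service udp-small-servers",
    "no ip http server", "no ip domain-lookup", "no ip source-route",
    "no ip finger", "no ip identd", "service tcp-keepalives-in",
    "service tcp-keepalives-out", "no ip gratuitous-arps",
]
# Global line prefixes whose presence means a service is still configured.
FORBIDDEN_GLOBAL = ["snmp-server community ", "tftp-server ", "ftp-server enable"]
# Interface-mode commands required under every interface that is not shut down.
REQUIRED_INTERFACE = [
    "no ip redirects", "no ip unreachables", "no ip mask-reply",
    "no ip proxy-arp", "no ip directed-broadcast", "no mop enabled",
]


def parse_config(text):
    """Return (global_lines, {interface: [lines]}) from IOS config text.

    Indented lines belong to the preceding 'interface' stanza; a '!' line or
    any unindented line ends it. Newer IOS prints 'ip domain lookup' without
    the hyphen, so both spellings are folded into one.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split()).replace("ip domain lookup", "ip domain-lookup")
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return one finding string per failed rule; an empty list means all passed."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for cmd in REQUIRED_GLOBAL:
        if cmd not in global_lines:
            findings.append(f"global: missing '{cmd}'")
    for prefix in FORBIDDEN_GLOBAL:
        hits = [line for line in global_lines if line.startswith(prefix)]
        if hits:
            findings.append(f"global: still configured: '{hits[0]}'")
    for ifname, lines in interfaces.items():
        if "shutdown" in lines:
            continue  # an unused interface that is shut down needs no further rules
        for cmd in REQUIRED_INTERFACE:
            if cmd not in lines:
                findings.append(f"{ifname}: missing '{cmd}'")
    return findings


# Constructed sample: mostly locked down, but the HTTP server is still on and an
# SNMP community is configured; FastEthernet0/1 is a spare port that is shut down.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
service tcp-keepalives-out
no service pad
no service tcp-small-servers
no service udp-small-servers
no service config
!
no ip bootp server
no ip source-route
no ip domain lookup
no ip finger
no ip identd
no ip gratuitous-arps
snmp-server community public RO
ip http server
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
!
interface FastEthernet0/1
 shutdown
!
no cdp run
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

On the sample the script reports the two slide items the constructed router got wrong (the HTTP server and the SNMP community string) and nothing for the shut-down spare port. To use it on a real device, paste the output of show running-config all into a file and call audit() on its contents; NTP, the slide's remaining item, is disabled per interface with ntp disable and is left to the reader to add to REQUIRED_INTERFACE where it applies.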
