
Page 1: 10-14 December, 2018 Kathmandu, Nepal · 1 Network Security Workshop 10-14 December, 2018 Kathmandu, Nepal Network Infra Security


Network Security Workshop

10-14 December, 2018

Kathmandu, Nepal

Network Infra Security

Page 2: Securing the device (Hardening)

Page 3: Think of ALL devices

• 21 Sept 2016 – 600 Gbps+ attack on Brian Krebs' site, https://krebsonsecurity.com (then hosted by Akamai)
• 30 Sept 2016 – Mirai source code released on https://hackforums.net; more (smarter and competing) variants followed
• 21 Oct 2016 – ~1.2 Tbps attack on Dyn
• 26 Nov 2016 – 900K+ Deutsche Telekom subscribers offline

Page 4: What caused all these?

• "Internet of STUPID Things (IoT)" – Geoff Huston: CPEs, IP cameras/webcams, DVRs, etc.
• The issue?
 – Admin password exposed via the web interface
 – Factory (OEM) default admin credentials
 – WAN management allowed (this means anyone on the Internet can reach the management interface)
• TR-069 (CWMP, the CPE WAN Management Protocol); the CPE side listens on TCP 7547, which is the port the Deutsche Telekom outage was triggered through

Page 5: And the techniques?

• Attack techniques were common ones (and some not so common):
 – SYN floods
 – Low-bandwidth HTTP floods
 – DNS water torture (query floods, reported since 2014)
 – GRE floods (a less common vector that Mirai added)

Page 6: Password visible - Web Interface (screenshot of a CPE web interface showing the admin password)

Page 7: Allow remote access (screenshot of a CPE "allow remote/WAN management" setting)

Page 8: How difficult is it to find one?

Source: https://www.flickr.com/photos/kylaborg/12887906353/

Page 9: Mirai brute force – OEM default usernames and passwords

https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html


The Mirai dictionary, as username:password pairs ("(none)" means an empty password; the list is reproduced in the malware's order, duplicates included):

root:xc3511, root:vizxv, root:admin, admin:admin, root:888888, root:xmhdipc, root:default, root:juantech, root:123456, root:54321, support:support, root:(none), admin:password, root:root, root:12345, user:user, admin:(none), root:pass, admin:admin1234, root:1111, admin:smcadmin, admin:1111, root:666666, root:password, root:1234, root:klv123, Administrator:admin, service:service, supervisor:supervisor, guest:guest, guest:12345, guest:12345, admin1:password, administrator:1234, 666666:666666, 888888:888888, ubnt:ubnt, root:klv1234, root:Zte521, root:hi3518, root:jvbzd, root:anko, root:zlxx., root:7ujMko0vizxv, root:7ujMko0admin, root:system, root:ikwb, root:dreambox, root:user, root:realtek, root:00000000, admin:1111111, admin:1234, admin:12345, admin:54321, admin:123456, admin:7ujMko0admin, admin:1234, admin:pass, admin:meinsm, tech:tech

Page 10: What was/is the scale?

• Geo-locations of Mirai-infected devices as of Oct 2016 (world map)

https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

Page 11: What was/is the scale?

• As many as 20 million devices vulnerable to CWMP exploits (Shodan map)

https://maps.shodan.io

Page 12: Could device hardening have made a difference?

Page 13: Secure physical access

• Lock up the server room – only authorized access
• Set up surveillance
• Protect the portables; pack up the backups
• Social engineering training and awareness
• Console/AUX access:
 – password protected
 – access via OOB (out-of-band) management
 – configure timeouts

Page 14: Secure Management Plane

• Authenticate access
• Define explicit access to/from management stations for each management protocol:
 – SNMP
 – Syslog
 – NTP
 – AAA protocols
 – SSH, Telnet, etc. (prefer SSH; Telnet is cleartext)

Page 15: Securing Router Access

Local access (console) and remote access (VTY). The trailing "!" notes in the configuration snippets on these slides are annotations, not IOS syntax.

line console 0
 login
 password <console-pw>
 exec-timeout 5 0
 transport preferred none
!
line vty 0 4
 access-class VTY-FILTER in
 ipv6 access-class VTY-v6-FILTER in
 exec-timeout 5 0
 transport preferred none
 transport input ssh
!
ip access-list extended VTY-FILTER
 permit ip <subnet> <wildcard> any
 deny ip any any log
!
ipv6 access-list VTY-v6-FILTER
 permit ipv6 <prefix/length> any
 deny ipv6 any any log

The console line above still uses a shared line password; once AAA is enabled (slide 22) the line should authenticate against per-user accounts instead. "transport input ssh" also needs an RSA key pair and SSHv2 enabled on the device before it accepts sessions.

Page 16: Device Access Control

• Set passwords to something not easily guessed

• Use per-user credentials – avoid group credentials/passwords

• Encrypt passwords in the configuration files

• Use centralized authentication

Page 17: Secure Access Example

! Secure privileged mode
enable secret <secret-pw>
!
! Authenticate individuals (hashed with 'secret', never 'password')
username <user-1> secret <pw>
username <user-2> secret <pw>
!
! Shared account, only if unavoidable
username <group> secret <group-secret>
!
! Obfuscate any remaining plaintext passwords in the configuration
service password-encryption
!
! Enforce password length
security passwords min-length <length>

"service password-encryption" only applies the reversible Type 7 encoding to line and "password"-style credentials; it protects against someone reading over your shoulder during "show run", not against anyone who obtains the configuration file. "secret" stores a one-way hash (Type 5, or the stronger Type 8/9 on newer IOS), which is why the enable and user passwords above use it.

Page 18: Centralized AAA

• As opposed to individual user databases on each node in your network – scalability
• Granularity – per-command/per-interface privileges (authorizations)

Page 19: Centralized AAA

• Centralized Access Control
 – RADIUS (UDP 1812 and 1813)
  • ONLY hides the password in the Access-Request; the username, authorized services and accounting information cross the wire in the clear and can be captured
  • Combines authentication and authorization
  • Suited for network user access
 – TACACS+ (TCP 49)
  • Obscures the entire packet body (keyed on the shared secret)
  • Each AAA service is separate, which allows per-command/per-interface privileges
  • Suitable for network device administration
• Both protocols derive their protection from the shared secret and MD5, so neither replaces an isolated management network
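To make the RADIUS point concrete, here is an added Python example (not code from the workshop) that builds an Access-Request with the RFC 2865 User-Password hiding and then walks the packet the way a passive sniffer would: the User-Name attribute is readable, the User-Password is not, and only a party holding the shared secret can recover it. The shared secret, Request Authenticator, username and password are constructed test values.

```python
"""RFC 2865 User-Password hiding, and what a sniffer still sees in Access-Request.

Added example, not code from the workshop slides. The shared secret,
Request Authenticator and attribute values are constructed test data.
"""
import hashlib
import os
import struct

RADIUS_ACCESS_REQUEST = 1      # packet Code (RFC 2865 section 3)
ATTR_USER_NAME = 1             # attribute types (RFC 2865 section 5)
ATTR_USER_PASSWORD = 2


def hide_password(password, secret, authenticator):
    """Hide User-Password as RFC 2865 section 5.2 specifies.

    Pad with NULs to a multiple of 16, then XOR each 16-byte chunk with
    MD5(secret + previous ciphertext chunk); the first chunk uses the
    16-byte Request Authenticator. Keyed obfuscation, not authenticated
    encryption: nothing protects the integrity of the other attributes.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 password bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk
    return bytes(out)


def unhide_password(hidden, secret, authenticator):
    """Server side of hide_password; strips the NUL padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def build_access_request(username, password, secret, identifier=1, authenticator=b""):
    """Minimal Access-Request carrying User-Name and User-Password TLVs."""
    authenticator = authenticator or os.urandom(16)
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username
    hidden = hide_password(password, secret, authenticator)
    attrs += struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header, as a passive observer would."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


if __name__ == "__main__":
    secret, auth = b"constructed-shared-secret", os.urandom(16)
    pkt = build_access_request(b"tashi", b"correct horse battery staple", secret, authenticator=auth)
    seen = parse_attributes(pkt)
    print("User-Name on the wire:", seen[ATTR_USER_NAME])                 # readable
    print("User-Password on the wire:", seen[ATTR_USER_PASSWORD].hex())    # hidden
    print("Server recovers:", unhide_password(seen[ATTR_USER_PASSWORD], secret, auth))
```

Because the keystream for the first chunk is MD5(secret + authenticator), a captured Access-Request plus an offline guess at the shared secret is enough to test passwords; that is why the slide's advice to restrict AAA traffic to known management stations matters even for RADIUS.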

Page 20: RADIUS

• Remote Authentication Dial-In User Service
• Exchange between the NAS (the router) and the RADIUS server:
 1. Client request (resource access request) arrives at the NAS
 2. NAS -> server: Access-Request (username + hidden password)
 3. Server -> NAS: Access-Accept or Access-Reject
 4. NAS -> server: Accounting-Request (Start/Stop, accounting info)
 5. Server -> NAS: Accounting-Response (Ack)

Page 21: TACACS+ authentication

• Terminal Access Controller Access-Control System (plus)
• Exchange between the NAS and the TACACS+ server:
 1. Client request (resource access request) arrives at the NAS
 2. NAS -> server: START (authentication)
 3. Server -> NAS: REPLY (GETUSER: get username)
 4. NAS -> server: CONTINUE (username)
 5. Server -> NAS: REPLY (GETPASS: get password)
 6. NAS -> server: CONTINUE (password)
 7. Server -> NAS: REPLY (PASS or FAIL)
 8. Authorization request(s) and accounting request(s) then follow as separate exchanges

Page 22: TACACS+ example config

aaa new-model
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
!
aaa authorization commands <0|1|15> default group tacacs+ none
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands <0|1|15> default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
tacacs-server host <server-IP>
tacacs-server key <shared-secret>
!
ip tacacs source-interface Loopback0

The trailing "enable" and "none" methods are fallbacks used only when no TACACS+ server answers, not when a server rejects the user; they keep you from being locked out if the AAA servers are unreachable. Test a new AAA configuration from a second session before closing the one you configured it from.

Page 23: Use a 'Jumphost'

• Diagram: Internet -> SSH to the bastion (jump) host -> SSH from the jump host to the network devices
• Only allow SSH access to the devices from the jump-server (enforce it with the VTY access-class, not just by policy)

Page 24: Securing SNMP (UDP 161)

• SNMPv2 – community based (v2c)
 – Different communities for read and write
 – Community strings cross the wire in clear text
• SNMPv3 – security levels:
 – NoAuthNoPriv
 – AuthNoPriv
 – AuthPriv
 • Auth: HMAC-MD5 or HMAC-SHA
 • Encryption: CBC-DES (AES-128 is also standardised and supported by most current agents; prefer SHA with AES)
• Diagram: Manager <-> Agent (MIB). The manager sends Get, GetNext, GetBulk and Set requests; the agent answers with Get-Response and sends unsolicited Traps (to UDP 162 on the manager)

Page 25: Securing SNMP

• Restrict to read-only

• Use separate credentials for write – do not allow write!

• Restrict SNMP views to only required OIDs in the MIB

• Configure ACLs to restrict SNMP access to known managers.

• Use SNMPv3 (might need to update devices to support)

Page 26: Securing SNMP – Example

access-list 99 permit <snmp-server-IP>
! OR
access-list 99 permit <snmp-server-subnet> <wildcard>
!
snmp-server community <community-string> ro 99
snmp-server trap-source Loopback0
snmp-server enable traps linkdown linkup coldstart warmstart
snmp-server host <snmp-server1-IP> <community-string>
snmp-server host <snmp-server2-IP> <community-string>

The "ro 99" binds the community to access-list 99, so a leaked community string is useless from anywhere but the listed managers.
</gr_repl ace>
<gr_replace lines="299-305" cat="clarify" orig="Page 27">
Page 27: Banner – What is wrong?

banner login ^
Please disconnect from my Router!
^

It identifies an owner and asks politely, but it never states that access is restricted to authorised users or that activity is logged, which is what a login banner is for.

Page 27: 10-14 December, 2018 Kathmandu, Nepal · 1 Network Security Workshop 10-14 December, 2018 Kathmandu, Nepal Network Infra Security

Banner – What is wrong?

banner login ^Please disconnect from my Router!

^

Page 28: More Appropriate Banner

banner login ^
Authorised Access Only!
All access is being logged.
Any unauthorised access will be prosecuted to the full extent of the law!
Disconnect immediately if you are not an authorised user!
Contact [email protected] or +61 3858 XXXX for help.
^

Page 29: Centralized Logging (syslog - UDP 514)

logging host <syslog-server-IP>
logging trap <0-7>
logging alarm <0-4>
logging facility syslog
! source of the log messages
logging source-interface Loopback0

Syslog over UDP is neither authenticated nor encrypted, so send it across the management/OOB network and filter port 514 at the edge; anyone who can inject packets to the collector can forge log lines.

Page 30: Log changes to the config

(config)# archive
(config-archive)# log config
(config-archive-log)# logging enable
(config-archive-log)# notify syslog
(config-archive-log)# hidekeys

"hidekeys" keeps passwords and keys out of the logged command text. Each configuration command is then logged with the user who entered it:

*Jan 14 2018 16:34:37.915 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:logging console
*Jan 14 2018 16:39:17.592 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:router bgp 45192
*Jan 14 2018 16:39:23.541 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:address-family ipv4 unicast
*Jan 14 2018 16:39:49.416 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:no neighbor 38.229.6.20 route-map CYMRUBOGONS-V4 in
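Logging the change is only useful if someone reads it. As an added example (not code from the workshop), the Python below parses CFGLOG lines in the format shown above and raises an alert when a command weakens one of the protections this workshop recommends (a BGP filter removed, uRPF disabled, a read-write SNMP community added). The sample lines are constructed in the slide's format; the list of risky patterns is this example's own.

```python
"""Watch %PARSER-5-CFGLOG_LOGGEDCMD syslog lines for risky configuration changes.

Added example; not part of the workshop slides. SAMPLE_LOG is constructed to
mirror the format on the slide, and the RISKY patterns are this example's
own choice of what an operator would want to be paged about.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
*Jan 14 2018 16:34:37.915 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:logging console
*Jan 14 2018 16:39:17.592 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:router bgp 45192
*Jan 14 2018 16:39:23.541 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:address-family ipv4 unicast
*Jan 14 2018 16:39:49.416 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:no neighbor 38.229.6.20 route-map CYMRUBOGONS-V4 in
*Jan 14 2018 16:41:02.007 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:no ip verify unicast source reachable-via rx
*Jan 14 2018 16:41:30.118 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:tashi  logged command:snmp-server community public RW
*Jan 14 2018 16:42:11.500 UTC: %SYS-5-CONFIG_I: Configured from console by tashi on vty0 (192.0.2.10)
"""

# Timestamp, user and the logged command; other syslog messages do not match
CFGLOG_RE = re.compile(
    r"^\*?(?P<ts>\w{3} \d{1,2} \d{4} [\d:.]+ \w+): "
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Commands that undo a control recommended in this workshop (example's own list)
RISKY = [
    (re.compile(r"^no neighbor \S+ (prefix-list|route-map|filter-list) \S+ in$"), "inbound BGP filter removed"),
    (re.compile(r"^no ip(v6)? verify unicast"), "uRPF disabled"),
    (re.compile(r"^snmp-server community \S+ (rw|RW)\b"), "read-write SNMP community added"),
    (re.compile(r"^no (ip|ipv6) access-class|^no access-class"), "VTY access-class removed"),
    (re.compile(r"^no aaa new-model|^no logging host"), "AAA or remote logging disabled"),
    (re.compile(r"^transport input .*telnet"), "telnet enabled on a line"),
]


def parse_cfglog(text):
    """Return (timestamp, user, command) for each CFGLOG line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = CFGLOG_RE.match(line.strip())
        if m:
            events.append((m.group("ts"), m.group("user"), m.group("cmd").strip()))
    return events


def find_risky(events):
    """Return (user, command, reason) for every command matching a RISKY pattern."""
    hits = []
    for _ts, user, cmd in events:
        for pattern, reason in RISKY:
            if pattern.search(cmd):
                hits.append((user, cmd, reason))
                break
    return hits


def commands_per_user(events):
    """How many configuration commands each user entered (useful for a daily summary)."""
    return Counter(user for _ts, user, _cmd in events)


if __name__ == "__main__":
    events = parse_cfglog(SAMPLE_LOG)
    for user, cmd, reason in find_risky(events):
        print(f"ALERT {reason}: {user}: {cmd}")
    print(dict(commands_per_user(events)))
```

Feed it the syslog collector's file (or run it from the collector's pipeline) rather than the router: the point of slides 29 and 30 is that the record lives somewhere the person making the change cannot edit.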

Page 31: Turn Off unused services

Feature – Description – Command
• CDP – Proprietary layer 2 discovery protocol – no cdp enable (per interface; "no cdp run" globally)
• TCP small servers – Standard TCP network services: echo, chargen, etc. (ports 19 and lower) – no service tcp-small-servers
• UDP small servers – Standard UDP network services: echo, discard, etc. (ports 19 and lower) – no service udp-small-servers
• Finger – Unix user lookup service, allows remote listing of logged-in users – no service finger
• HTTP server – Some Cisco IOS devices offer web-based configuration – no ip http server / no ip http secure-server
• BOOTP server – Service to allow other routers to boot from this one – no ip bootp server

Page 32: Turn Off Unused Services

Feature – Description – Command
• Unreachables – Router sends ICMP unreachable messages for unknown destinations; disable on the Null0 interface used for black-holing so that dropped traffic does not generate replies – no ip unreachables / no ipv6 unreachables
• IP source routing – Feature that allows a packet to specify its own route – no ip source-route / no ipv6 source-route
• Proxy ARP – Router answers ARP requests on behalf of hosts on other subnets – no ip proxy-arp
• IP directed broadcast – Router forwards packets addressed to the broadcast address of an attached subnet (the amplifier in smurf attacks) – no ip directed-broadcast

Page 33: Configuration example

! Per-interface
interface <interface-ID>
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
interface Null0
 no ip unreachables
 no ipv6 unreachables
!
! Globally
no ip domain-lookup
no cdp run
no ip http server
no ip http secure-server
no ip source-route
no ipv6 source-route
no service finger
no ip bootp server
no service udp-small-servers
no service tcp-small-servers
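Checking every router by hand for the points on slides 16, 17, 26 and 31 to 33 does not scale, and this is exactly what the default-credential scanners behind Mirai (slide 9) exploit. The Python below is an added example (not code from the workshop) that audits an IOS-style configuration text for those points: "password" instead of "secret", Type 7 strings that decode to a known default, services that should be off, read-write or unrestricted SNMP communities, and VTY lines that allow telnet or lack an access-class. CONFIG is a constructed configuration with deliberate weaknesses; the Type 7 strings in it decode to "cisco" and "admin"; TYPE7_KEY is the publicly known key behind "service password-encryption"; MIRAI_DEFAULTS is a subset of the list on slide 9; the check names and severities are this example's own.

```python
"""Audit an IOS-style configuration against the hardening points on these slides.

Added example, not code from the workshop. CONFIG is a constructed
configuration with deliberate weaknesses; the Type 7 strings in it decode
to 'cisco' and 'admin'. TYPE7_KEY is the publicly known key behind
'service password-encryption'. MIRAI_DEFAULTS is a subset of the list on
slide 9. Check names and severities are this example's own.
"""
import re

CONFIG = """\
hostname edge1
enable password 7 094F471A1A0A
username admin password 7 094D4A04100B
username tashi secret 5 $1$abcd$constructedhashvalue
ip http server
ip http secure-server
service tcp-small-servers
snmp-server community public RW
snmp-server community r34d0nly RO 99
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
line vty 5 15
 access-class VTY-FILTER in
 transport input ssh
"""

MIRAI_DEFAULTS = {("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
                  ("admin", "admin"), ("admin", "password"), ("root", "root"),
                  ("root", "12345"), ("admin", "1234"), ("ubnt", "ubnt"),
                  ("admin", "admin1234"), ("support", "support")}
DEFAULT_PASSWORDS = {pw for _u, pw in MIRAI_DEFAULTS}

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # well known, not a secret


def type7_decode(encoded):
    """Reverse a 'password 7' string: two-digit key offset, then hex of (char XOR key byte)."""
    seed, body = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(body))


def audit(config):
    """Return [(severity, finding), ...] for the configuration text."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]

    # 1. Credentials: 'password' (Type 0/7) is recoverable; only 'secret' is hashed
    for l in lines:
        m = re.match(r"^(enable|username (\S+)) password(?: 7)? (\S+)$", l)
        if not m:
            continue
        user = m.group(2) or "enable"
        clear = type7_decode(m.group(3)) if " password 7 " in l else m.group(3)
        findings.append(("HIGH", f"{user}: reversible/plaintext password, use 'secret'"))
        if (user, clear) in MIRAI_DEFAULTS or clear in DEFAULT_PASSWORDS:
            findings.append(("CRITICAL", f"{user}: password '{clear}' is a known default"))
    if "service password-encryption" not in lines:
        findings.append(("LOW", "service password-encryption not set"))

    # 2. Services that should be off (they appear in the config only when enabled)
    for svc in ("ip http server", "ip http secure-server", "service tcp-small-servers",
                "service udp-small-servers", "service finger", "ip bootp server"):
        if svc in lines:
            findings.append(("MEDIUM", f"service enabled: {svc}"))
    if "no cdp run" not in lines:          # CDP is on by default and invisible in the config
        findings.append(("LOW", "cdp run not disabled globally"))

    # 3. SNMP: read-write, default names, or no ACL
    for l in lines:
        m = re.match(r"^snmp-server community (\S+) (RO|RW|ro|rw)(?: (\S+))?$", l)
        if not m:
            continue
        comm, mode, acl = m.groups()
        if mode.lower() == "rw":
            findings.append(("HIGH", f"SNMP read-write community '{comm}'"))
        if comm in ("public", "private"):
            findings.append(("HIGH", f"SNMP default community name '{comm}'"))
        if acl is None:
            findings.append(("MEDIUM", f"SNMP community '{comm}' has no access-list"))

    # 4. VTY lines: telnet, missing access-class, disabled timeout
    blocks, current = {}, None
    for l in lines:
        if l.startswith("line vty"):
            current = l
            blocks[current] = []
        elif current is not None and l.startswith(" "):
            blocks[current].append(l.strip())
        else:
            current = None
    for name, body in blocks.items():
        if any(b.startswith("transport input") and "telnet" in b for b in body):
            findings.append(("HIGH", f"{name}: telnet allowed"))
        if not any(b.startswith(("access-class", "ipv6 access-class")) for b in body):
            findings.append(("MEDIUM", f"{name}: no access-class"))
        if "exec-timeout 0 0" in body:
            findings.append(("LOW", f"{name}: exec-timeout disabled"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit(CONFIG):
        print(f"{severity:8} {finding}")
```

Run it over the configurations your backup tool (slide 58) already collects. The Type 7 decoder is there to make the point of slide 17 unmissable: anything stored with "password 7" is one function call away from plaintext.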

Page 34: Route/Packet Filtering

Page 35: Inbound Route Filtering

router bgp 17821
 neighbor x6:x6::x6 remote-as <transit|peer ASN>
 neighbor x6:x6::x6 description v6 peering with upstream|peer
 neighbor x4.x4.x4.x4 remote-as <transit|peer ASN>
 neighbor x4.x4.x4.x4 description v4 peering with upstream|peer
 !
 address-family ipv4
  neighbor x4.x4.x4.x4 prefix-list <prefix-filter> in
 !
 address-family ipv6
  neighbor x6:x6::x6 activate
  neighbor x6:x6::x6 prefix-list <prefix-filter> in

(IPv6 neighbours must be activated explicitly under the address family; IPv4 neighbours are activated by default.)

• Transit provider: block bogus routes and accept everything else
• Peer: only accept their prefixes (and their downstreams')

Page 36: Transit Filter: IPv4 prefixes

no ip prefix-list in-filter
ip prefix-list in-filter deny 0.0.0.0/0                ! Default
ip prefix-list in-filter deny 0.0.0.0/8 le 32          ! Network Zero
ip prefix-list in-filter deny 10.0.0.0/8 le 32         ! RFC1918
ip prefix-list in-filter deny 100.64.0.0/10 le 32      ! RFC6598 shared address
ip prefix-list in-filter deny <your prefix>/X le 32    ! Your address space
ip prefix-list in-filter deny 127.0.0.0/8 le 32        ! Loopback
ip prefix-list in-filter deny 169.254.0.0/16 le 32     ! APIPA (link-local)
ip prefix-list in-filter deny 172.16.0.0/12 le 32      ! RFC1918
ip prefix-list in-filter deny 192.0.0.0/24 le 32       ! IETF Protocol assignments
ip prefix-list in-filter deny 192.0.2.0/24 le 32       ! TEST-NET-1
ip prefix-list in-filter deny 192.168.0.0/16 le 32     ! RFC1918
ip prefix-list in-filter deny 198.18.0.0/15 le 32      ! Benchmarking
ip prefix-list in-filter deny 198.51.100.0/24 le 32    ! TEST-NET-2
ip prefix-list in-filter deny 203.0.113.0/24 le 32     ! TEST-NET-3
ip prefix-list in-filter deny 224.0.0.0/4 le 32        ! Multicast
ip prefix-list in-filter deny 240.0.0.0/4 le 32        ! Future use / reserved
ip prefix-list in-filter deny 0.0.0.0/0 ge 25          ! Prefixes longer than /24
ip prefix-list in-filter permit 0.0.0.0/0 le 32        ! Everything else

Note the first entry: "deny 0.0.0.0/0" without "le" or "ge" matches only the default route itself, which is what is wanted here.

Page 37: Transit Filter: IPv6 prefixes

no ipv6 prefix-list v6in-filter
ipv6 prefix-list v6in-filter deny 2001::/32 le 128       ! Teredo
ipv6 prefix-list v6in-filter deny 2001:db8::/32 le 128   ! Documentation
ipv6 prefix-list v6in-filter deny 2002::/16 le 128       ! 6to4
ipv6 prefix-list v6in-filter deny <your::/32> le 128     ! Your prefix
ipv6 prefix-list v6in-filter deny 3ffe::/16 le 128       ! Old 6bone
ipv6 prefix-list v6in-filter deny fc00::/7 le 128        ! ULA
ipv6 prefix-list v6in-filter deny fe00::/9 le 128        ! Reserved by IETF
ipv6 prefix-list v6in-filter deny fe80::/10 le 128       ! Link-local
ipv6 prefix-list v6in-filter deny fec0::/10 le 128       ! Site-local (deprecated)
ipv6 prefix-list v6in-filter deny ff00::/8 le 128        ! Multicast
ipv6 prefix-list v6in-filter permit 2000::/3 le 48       ! Global unicast, up to /48
ipv6 prefix-list v6in-filter deny ::/0 le 128            ! Everything else

Page 38: Peer Filter: IPv4/v6 prefixes

no ip prefix-list peer-in-filter
ip prefix-list peer-in-filter permit A.A.A.A/18 le 24    ! Peer's prefix
ip prefix-list peer-in-filter permit B.B.B.B/19 le 24    ! Peer's prefix
ip prefix-list peer-in-filter deny 0.0.0.0/0 le 32       ! Deny everything else
!
no ipv6 prefix-list peerv6-in-filter
ipv6 prefix-list peerv6-in-filter permit 2002:A::/32 le 48   ! Peer's prefix
ipv6 prefix-list peerv6-in-filter deny ::/0 le 128           ! Deny everything else

Two details. The slide originally wrote the last IPv4 entry as "deny 0.0.0.0/0 ge 32", which matches only /32 routes; everything else was still dropped by the implicit deny at the end of every prefix-list, but "le 32" says what is meant. And 2002:A::/32 is only a placeholder for the peer's block; real 2002::/16 (6to4) space is denied by the transit filter.

Page 39: Outbound filtering

router bgp 17821
 neighbor x6:x6::x6 remote-as <transit|peer ASN>
 neighbor x6:x6::x6 description v6 peering with upstream|peer
 neighbor x4.x4.x4.x4 remote-as <transit|peer ASN>
 neighbor x4.x4.x4.x4 description v4 peering with upstream|peer
 !
 address-family ipv4
  neighbor x4.x4.x4.x4 prefix-list out-filter out
 !
 address-family ipv6
  neighbor x6:x6::x6 activate
  neighbor x6:x6::x6 prefix-list outv6-filter out
!
no ip prefix-list out-filter
ip prefix-list out-filter permit M.M.M.M/19 le 24      ! Your prefix
ip prefix-list out-filter permit N.N.N.N/19 le 24      ! Your prefix
ip prefix-list out-filter deny 0.0.0.0/0 le 32         ! Deny everything else
!
no ipv6 prefix-list outv6-filter
ipv6 prefix-list outv6-filter permit 2002:M::/32 le 48   ! Your prefix
ipv6 prefix-list outv6-filter deny ::/0 le 128           ! Deny everything else

• Transit/peer: only advertise your prefixes (and your downstreams')
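A prefix-list that is wrong in the "ge"/"le" direction fails silently, so it pays to check filters like those on slides 36 to 39 before they go on a router. The Python below is an added example (not code from the workshop) that parses IOS-style prefix-list text and evaluates candidate routes with IOS first-match semantics: "A/n" alone matches only exactly A/n, "A/n le L" matches lengths n..L, "A/n ge G" matches G..maxlen, "A/n ge G le L" matches G..L, and no match means deny. The transit list is the IPv4 one from slide 36 without the "<your prefix>" entry; the peer prefixes 10.10.0.0/18, 10.20.0.0/19 and 2404:1234::/32 are constructed stand-ins for A.A.A.A, B.B.B.B and the peer's IPv6 block; 8.8.8.0/24 stands in for any normally routable /24.

```python
"""Evaluate IOS-style prefix-lists offline against candidate routes.

Added example, not from the workshop. Implements IOS first-match semantics
with 'ge'/'le': a route P/p matches 'A/n [ge G] [le L]' if P lies inside
A/n and lo <= p <= hi, where (lo, hi) is (n, n) with neither keyword,
(n, L) with only 'le', (G, maxlen) with only 'ge', and (G, L) with both.
The peer prefixes 10.10.0.0/18, 10.20.0.0/19 and 2404:1234::/32 are
constructed stand-ins for the slide's A.A.A.A, B.B.B.B and 2002:A::.
"""
import ipaddress

TRANSIT_V4 = """
no ip prefix-list in-filter
ip prefix-list in-filter deny 0.0.0.0/0                ! Default
ip prefix-list in-filter deny 0.0.0.0/8 le 32          ! Network Zero
ip prefix-list in-filter deny 10.0.0.0/8 le 32         ! RFC1918
ip prefix-list in-filter deny 100.64.0.0/10 le 32      ! RFC6598 shared address
ip prefix-list in-filter deny 127.0.0.0/8 le 32        ! Loopback
ip prefix-list in-filter deny 169.254.0.0/16 le 32     ! APIPA
ip prefix-list in-filter deny 172.16.0.0/12 le 32      ! RFC1918
ip prefix-list in-filter deny 192.0.0.0/24 le 32       ! IETF Protocol
ip prefix-list in-filter deny 192.0.2.0/24 le 32       ! TEST-NET-1
ip prefix-list in-filter deny 192.168.0.0/16 le 32     ! RFC1918
ip prefix-list in-filter deny 198.18.0.0/15 le 32      ! Benchmarking
ip prefix-list in-filter deny 198.51.100.0/24 le 32    ! TEST-NET-2
ip prefix-list in-filter deny 203.0.113.0/24 le 32     ! TEST-NET-3
ip prefix-list in-filter deny 224.0.0.0/4 le 32        ! Multicast
ip prefix-list in-filter deny 240.0.0.0/4 le 32        ! Future use
ip prefix-list in-filter deny 0.0.0.0/0 ge 25          ! longer than /24
ip prefix-list in-filter permit 0.0.0.0/0 le 32
"""

PEER = """
ip prefix-list peer-in permit 10.10.0.0/18 le 24
ip prefix-list peer-in permit 10.20.0.0/19 le 24
ip prefix-list peer-in deny 0.0.0.0/0 le 32
!
! the same list written with the slide's original 'ge 32' final entry
ip prefix-list peer-in-ge32 permit 10.10.0.0/18 le 24
ip prefix-list peer-in-ge32 permit 10.20.0.0/19 le 24
ip prefix-list peer-in-ge32 deny 0.0.0.0/0 ge 32
!
ipv6 prefix-list peerv6-in permit 2404:1234::/32 le 48
ipv6 prefix-list peerv6-in deny ::/0 le 128
"""


def parse_prefix_lists(text):
    """Return {name: [(action, network, lo, hi), ...]} in order of appearance."""
    lists = {}
    for raw in text.splitlines():
        tok = raw.split("!")[0].split()          # drop slide-style annotations
        if not tok:
            continue
        if tok[0] == "no" and len(tok) > 3 and tok[2] == "prefix-list":
            lists.pop(tok[3], None)              # 'no ip prefix-list NAME' clears it
            continue
        if tok[0] not in ("ip", "ipv6") or tok[1] != "prefix-list":
            continue
        name, i = tok[2], 3
        if tok[i] == "seq":
            i += 2                               # skip 'seq N'
        action = tok[i]
        net = ipaddress.ip_network(tok[i + 1], strict=False)
        opts = dict(zip(tok[i + 2::2], map(int, tok[i + 3::2])))   # {'ge': G, 'le': L}
        n = net.prefixlen
        lo = opts.get("ge", n)
        hi = opts.get("le", net.max_prefixlen if "ge" in opts else n)
        lists.setdefault(name, []).append((action, net, lo, hi))
    return lists


def evaluate(entries, route):
    """First matching entry wins; returns (action, 1-based entry number, 0 = implicit deny)."""
    route = ipaddress.ip_network(route, strict=False)
    for idx, (action, net, lo, hi) in enumerate(entries, 1):
        if route.version == net.version and route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action, idx
    return "deny", 0


if __name__ == "__main__":
    transit = parse_prefix_lists(TRANSIT_V4)["in-filter"]
    peers = parse_prefix_lists(PEER)
    for r in ("10.1.0.0/16", "8.8.8.0/24", "8.8.8.0/25", "0.0.0.0/0"):
        print("transit", r, evaluate(transit, r))
    for r in ("10.10.4.0/22", "10.30.0.0/19"):
        print("peer-in", r, evaluate(peers["peer-in"], r), "peer-in-ge32", evaluate(peers["peer-in-ge32"], r))
```

The two peer lists give the same verdict for 10.30.0.0/19, but only "peer-in" rejects it on an explicit entry; with "ge 32" the rejection comes from the implicit deny (entry 0), which is harder to see in "show ip prefix-list" counters when debugging a peering problem.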

Page 40: Bogons

• Not all IP (v4 and v6) address space is allocated by IANA
• Addresses that should not be seen on the Internet are called "Bogons" (also called "Martians") – RFC1918 space plus reserved space
• IANA publishes lists of the number resources that have been allocated/assigned to RIRs/end-users:
 – https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml
 – https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

Page 41: Bogons

• Commonly found as source addresses of DDoS packets
• We should have ingress and egress filters for bogon routes – neither route them nor accept them from peers
• We could manually craft prefix filters based on the bogon list from IANA, but the bogon list is dynamic: new allocations are made out of reserved blocks frequently, so a static filter soon starts blocking legitimate address space

Page 42: Bogon Route Server Project

• In comes the Bogon Route Server project by Team Cymru
• Provides dynamic bogon information using eBGP multihop sessions
 – Traditional bogons (AS65333): martians plus prefixes not allocated by IANA
 – Full-bogons (AS65332): the above plus prefixes allocated to RIRs but not yet assigned to ISPs/end-users by the RIRs
• For details: http://www.team-cymru.org/bogon-reference-bgp.html

Page 43: Peering - Bogon Route Servers

• To peer with the bogon route servers, write to [email protected]
• You should provide:
 – Your ASN
 – Which bogons you wish to receive (traditional or full)
 – Your peering addresses
 – Whether you want MD5 (TCP-MD5) authentication on the BGP sessions
 – PGP public key (optional)
• It is recommended to have at least 2 (two) peering sessions for redundancy

Page 44: Bogon Filter Configuration

router bgp 17821
 neighbor cymru-bogons peer-group
 neighbor cymru-bogons remote-as 65332
 neighbor cymru-bogons description Peering with Cymru Bogon RS
 neighbor cymru-bogons ebgp-multihop 255
 neighbor cymru-bogons password <md5-pw>
 neighbor cymru-bogons update-source Loopback0
 !
 neighbor cymru-v6bogons peer-group
 neighbor cymru-v6bogons remote-as 65332
 neighbor cymru-v6bogons description Peering with Cymru IPv6 Bogon RS
 neighbor cymru-v6bogons ebgp-multihop 255
 neighbor cymru-v6bogons password <md5-pw>
 neighbor cymru-v6bogons update-source Loopback0
 !
 neighbor 2620:0:6B0:XXXX::20 peer-group cymru-v6bogons
 neighbor 38.XXX.XXX.20 peer-group cymru-bogons
 !
 address-family ipv4
  neighbor cymru-bogons prefix-list DENY-ALL out
  neighbor cymru-bogons route-map CYMRU-BOGONS in      ! null-route the bogons locally (route-map on slide 45)
  neighbor cymru-bogons maximum-prefix 10000 90
  neighbor 38.XXX.XXX.20 activate
 !
 address-family ipv6
  neighbor cymru-v6bogons prefix-list DENYv6-ALL out
  neighbor cymru-v6bogons route-map CYMRU-v6BOGONS in  ! as above, for IPv6
  neighbor cymru-v6bogons maximum-prefix 100000 90
  neighbor 2620:0:6B0:XXXX::20 activate

"prefix-list DENY-ALL out" guarantees you never announce anything to the route server; "maximum-prefix" protects you if the feed ever grows unexpectedly. The inbound route-maps are what turn the received routes into null routes on this router (the slide-30 log line "no neighbor 38.229.6.20 route-map CYMRUBOGONS-V4 in" shows such a route-map being removed, which is exactly the kind of change worth alerting on).

Page 45: Bogon Filter Configuration

ip prefix-list DENY-ALL seq 5 deny 0.0.0.0/0 le 32
ipv6 prefix-list DENYv6-ALL seq 5 deny ::/0 le 128
!
! Define communities for bogons
! Cymru full-bogons are tagged with the community 65332:888
ip bgp-community new-format
ip community-list 10 permit 65332:888
ip community-list 11 permit 17821:888      ! our own bogon tag for iBGP peers
!
! Define route-maps to set the next-hop address for the bogons (null routed)
! Set the local tag plus no-export so the bogons propagate to partial iBGP peers but never leave the AS
route-map CYMRU-BOGONS permit 10
 match community 10
 set local-preference 1000
 set community 17821:888 no-export
 set ip next-hop 192.0.2.1
!
route-map CYMRU-v6BOGONS permit 10
 match community 10
 set local-preference 1000
 set community 17821:888 no-export
 set ipv6 next-hop 2001:db8::1
!

Page 46: Bogon Filter Configuration

! Null route the bogon next hops (this is also needed on all iBGP peers)
ip route 192.0.2.1 255.255.255.255 Null0
ipv6 route 2001:db8::1/128 Null0
!
! Define route-maps to propagate the bogons to partial iBGP peers (route-reflector clients):
route-map iBGP-BOGONS permit 10
 description allow our bogons
 match community 11
!
route-map v6-iBGP-BOGONS permit 10
 description allow our bogons
 match community 11
!

These two route-maps end in an implicit deny, so a route-reflector client that receives them gets only the bogon routes; add further permit entries if those peers also need other prefixes from this router.

Page 47: Bogon Filter Configuration

! Propagate bogons to all iBGP peers: peer-groups for full iBGP peers and route-reflector clients
router bgp 17821
 neighbor full-ibgp peer-group
 neighbor full-ibgp remote-as 17821
 neighbor full-ibgp update-source Loopback0
 !
 neighbor full-ibgpv6 peer-group
 neighbor full-ibgpv6 remote-as 17821
 neighbor full-ibgpv6 update-source Loopback0
 !
 neighbor rr-client peer-group
 neighbor rr-client remote-as 17821
 neighbor rr-client update-source Loopback0
 !
 neighbor rrv6-client peer-group
 neighbor rrv6-client remote-as 17821
 neighbor rrv6-client update-source Loopback0
!

Page 48: Bogon Filter Configuration

! Propagate bogons to all iBGP peers (continued):
 address-family ipv4
  neighbor full-ibgp send-community
  neighbor full-ibgp next-hop-self
  neighbor full-ibgp route-map CYMRU-BOGONS out
  !
  neighbor rr-client send-community
  neighbor rr-client route-reflector-client
  neighbor rr-client next-hop-self
  neighbor rr-client route-map iBGP-BOGONS out
 !
 address-family ipv6
  neighbor full-ibgpv6 send-community
  neighbor full-ibgpv6 next-hop-self
  neighbor full-ibgpv6 route-map CYMRU-v6BOGONS out
  !
  neighbor rrv6-client send-community
  neighbor rrv6-client route-reflector-client
  neighbor rrv6-client next-hop-self
  neighbor rrv6-client route-map v6-iBGP-BOGONS out

"send-community" is what carries the 17821:888 tag to the other routers; without it the route-maps there that match community 11 have nothing to match. The outbound route-map's "set ip next-hop 192.0.2.1" takes precedence over "next-hop-self", which is how the receiving router ends up pointing the bogons at its own Null0 route.

Page 49: Filtering Considerations

• How does filter depth (the number of entries evaluated per packet) impact performance?
• Do I need a standalone firewall?

Page 50: Filtering Best Practices

• Explicitly deny all traffic and only allow what you need
• The default policy should be: if the firewall doesn't know what to do with the packet, drop it
• Don't rely only on your firewall for all protection of your network
• Implement multiple layers of network protection
• Make sure all of the network traffic passes through the firewall
• Log all firewall exceptions (if possible)

Page 51: Filtering Recommendations

• Log filter port messages properly
• Allow only internal addresses to enter the router from the internal interface
• Block packets from outside (untrusted) that are obviously fake/bogus or commonly used for attacks
• Block packets that claim to have a source address of any internal (trusted) network

Page 52: Traffic filter example – IPv4 (equivalent for v6!)

ip access-list extended TRAFFIC-IN
 deny udp any any eq 19               ! chargen
 deny tcp any any eq 19               ! chargen
 deny udp any any range 135 139       ! netbios
 deny tcp any any range 135 139       ! netbios
 deny udp any any eq 123              ! no one outside should use our NTP servers
 deny tcp any any eq 445              ! Blaster/SMB worm
 deny tcp any any eq 1025             ! uSoft RPC exploit
 deny tcp any any eq 1337             ! Redshell backdoor
 deny tcp any any eq 1433             ! MS SQL worm
 deny udp any any eq 1434             ! MS SQL worm
 deny udp any any eq 2049             ! Sun NFS
 deny tcp any any eq 2745             ! Blaster worm
 deny tcp any any eq 3001             ! NessusD backdoor
 deny tcp any any eq 3127             ! MyDoom worm
 deny tcp any any eq 3128             ! MyDoom worm
 deny tcp any any eq 5000             ! Windows XP UPnP port
 deny tcp any any eq 6129             ! Dameware backdoor
 deny tcp any any eq 11768            ! Dipnet/Oddbob worm
 deny tcp any any eq 15118            ! Dipnet/Oddbob worm
 deny icmp any any fragments          ! block ICMP fragments
 permit icmp any any
 deny ip <your-address> <wildcard> any   ! anti-spoofing: outside packets claiming your own source addresses
 permit ip any any

The port-based entries are a snapshot from the 2003-2004 worm era and should be reviewed rather than copied; the entries that still earn their place are the anti-spoofing deny of your own address space as a source on an external interface and the fragment check. Every "deny" here is also a candidate for "log" once you know the volume is manageable.

Page 53: Source IP spoofing – Defense

• BCP38 (RFC2827) – since 1998! – https://tools.ietf.org/html/bcp38
• Only allow traffic with valid source addresses to:
 – Leave your network: only packets with a source address from your own address space (and your customers')
 – Enter/transit your network from a downstream: only source addresses from that customer's address space

Page 54: uRPF – Unicast Reverse Path Forwarding

• The router verifies that the source address of each received packet has a matching route in the FIB (and, in strict mode, that the route points back out the receiving interface); drop if not!
• Recommended on customer-facing interfaces

(config-if)# ip verify unicast source reachable-via {rx | any}
(config-if)# ipv6 verify unicast source reachable-via {rx | any}

Page 55: uRPF – Unicast Reverse Path

• Modes of operation:
 – Strict (reachable-via rx): the source address must be in the FIB and the best route to it must point out the interface the packet arrived on
 – Loose (reachable-via any): a route to the source address must exist, on any interface
• Figure: the FIB holds 172.16.16.0/24 via ge0/0 and 192.168.1.0/24 via fa0/0. A packet with Src = 172.16.16.2 arriving on ge0/0 passes both modes; a packet with Src = 192.168.1.1 arriving on ge0/0, or either source arriving on pos0/0, passes loose mode but fails strict mode
• By default the default route does not satisfy the check; the "allow-default" keyword changes that. Strict mode drops legitimate traffic on asymmetrically routed links, so use it on single-homed customer interfaces and loose mode where paths can be asymmetric

Image source: "Cisco ISP Essentials", Barry Greene & Philip Smith, 2002
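The figure is easier to reason about as code. The Python below is an added example (not code from the workshop) that implements both uRPF modes over a small longest-prefix-match FIB and runs the slide's two source addresses, plus two constructed spoofing cases, through them. The FIB, interface names and packet list are constructed; the two source addresses and the ge0/0, fa0/0 and pos0/0 interfaces are the ones drawn on the slide; the allow_default flag mirrors the IOS "allow-default" keyword.

```python
"""Strict versus loose unicast RPF over a small FIB, following the slide's figure.

Added example, not from the workshop. The FIB, interface names and packet
list are constructed; the two source addresses and the ge0/0, fa0/0 and
pos0/0 interfaces are the ones drawn on the slide. allow_default mirrors
the IOS 'allow-default' keyword: without it the default route does not
count as a route to the source.
"""
import ipaddress

# Constructed FIB: prefix -> next-hop interface (longest match wins)
FIB = {
    "172.16.16.0/24": "ge0/0",
    "192.168.1.0/24": "fa0/0",
    "0.0.0.0/0": "pos0/0",        # default route towards the upstream
}


def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or (None, None)."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.version == a.version and a in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best if best else (None, None)


def urpf_check(fib, src, in_iface, mode="strict", allow_default=False):
    """True if a packet from src arriving on in_iface passes the uRPF check.

    strict ('reachable-via rx'): the best route to src must point back out in_iface.
    loose  ('reachable-via any'): any route to src is enough.
    """
    net, iface = lookup(fib, src)
    if net is None:
        return False
    if net.prefixlen == 0 and not allow_default:
        return False                      # the default route does not vouch for a source
    if mode == "loose":
        return True
    return iface == in_iface


def filter_packets(fib, packets, mode="strict"):
    """Apply uRPF to (src, in_iface) pairs; returns the pairs that would be dropped."""
    return [(src, iface) for src, iface in packets if not urpf_check(fib, src, iface, mode)]


# Constructed packets: (source address, arriving interface)
PACKETS = [
    ("172.16.16.2", "ge0/0"),    # legitimate customer source on its own link
    ("192.168.1.1", "ge0/0"),    # customer spoofing another customer's space
    ("172.16.16.2", "pos0/0"),   # upstream delivering a packet with a customer's source
    ("203.0.113.9", "ge0/0"),    # customer spoofing a source reachable only via default
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, "drops:", filter_packets(FIB, PACKETS, mode))
```

The third packet is the case that loose mode cannot catch: the source is routable, just not via the interface it arrived on. That is why the slide recommends uRPF (strict) on customer-facing interfaces, where the routing is rarely asymmetric, rather than on transit links.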

Page 56: Edge Packet Filters - Example

access-list 121 permit ip <my-subnet> <wild-card> any
access-list 121 deny ip any any log
!
access-list 122 permit ip <cust-subnet> <wild-card> any
access-list 122 deny ip any any log
!
interface Te0/0/0
 description Link to Upstream
 ip access-group 121 out
!
interface Gig0/0
 description Link to downstream customer-A
 ip access-group 122 in

(The slide numbered the customer ACL 200, which falls outside the IP extended ACL ranges of 100-199 and 2000-2699; 122 is used here so the example is accepted as written. Outbound 121 is your BCP38 egress filter; inbound 122 on each customer port is the ingress filter.)

Page 57: Configuration backup / archiving

Page 58: Configuration Files

• Careful sending config files - people can snoop the wire
 – Validate copies with an MD5 checksum (this catches corruption; it only catches deliberate substitution if the checksum is compared against one stored elsewhere)
 – Use SCP to copy files/images; avoid TFTP and FTP (both cleartext, and TFTP has no authentication at all)
• Use tools like 'rancid' or 'oxidized' to fetch configurations periodically and diff them against the last known-good copy

scp <file|image> user@router-ip:bootflash:<file-image>
!
scp user@router-ip:bootflash:<file-image> .

(SCP to an IOS device requires the SCP server to be enabled and AAA authorization for the user.)

router# verify /md5 nvram:startup-config
.Done!
verify /md5 (nvram:startup-config) = 7b9e589178bd133fecb975195701447d
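A raw MD5 of the configuration changes every time the "Last configuration change" timestamp moves, which is why rancid and oxidized strip volatile lines before comparing. The Python below is an added example (not code from the workshop) that does the same: it normalises two constructed snapshots, hashes them, and reports only the lines that really changed. The VOLATILE patterns are this example's own choice (IOS writes the first two itself; the third is the NTP drift value that changes on its own).

```python
"""Compare configuration snapshots the way rancid/oxidized do: drop volatile
lines first, then hash and diff.

Added example, not from the workshop. Both snapshots are constructed; the
VOLATILE patterns are this example's own choice.
"""
import difflib
import hashlib
import re

VOLATILE = [re.compile(p) for p in (
    r"^! Last configuration change at ",
    r"^! NVRAM config last updated at ",
    r"^ntp clock-period ",
)]

SNAPSHOT_MONDAY = """\
! Last configuration change at 09:12:44 UTC Mon Jan 8 2018 by tashi
hostname edge1
service password-encryption
ntp clock-period 17179869
line vty 0 4
 access-class VTY-FILTER in
 transport input ssh
"""

# Same configuration fetched again later: only the volatile lines differ
SNAPSHOT_MONDAY_LATER = SNAPSHOT_MONDAY.replace("Mon Jan 8", "Tue Jan 9").replace("17179869", "17179871")

# A real change: the VTY access-class is gone and telnet is back
SNAPSHOT_TUESDAY = """\
! Last configuration change at 16:39:49 UTC Tue Jan 9 2018 by tashi
hostname edge1
service password-encryption
ntp clock-period 17179870
line vty 0 4
 transport input telnet ssh
"""


def normalize(config):
    """Configuration lines with the volatile ones removed."""
    return [l for l in config.splitlines() if not any(p.match(l) for p in VOLATILE)]


def raw_digest(config):
    """MD5 of the text as fetched: changes whenever a timestamp does."""
    return hashlib.md5(config.encode()).hexdigest()


def digest(config):
    """MD5 of the normalised text: stable until something real changes."""
    return hashlib.md5("\n".join(normalize(config)).encode()).hexdigest()


def config_diff(old, new):
    """Changed lines only, as a list of ('-' | '+', line)."""
    out = []
    for l in difflib.unified_diff(normalize(old), normalize(new), lineterm="", n=0):
        if l and l[0] in "+-" and not l.startswith(("+++", "---")):
            out.append((l[0], l[1:]))
    return out


if __name__ == "__main__":
    print("raw digests equal:", raw_digest(SNAPSHOT_MONDAY) == raw_digest(SNAPSHOT_MONDAY_LATER))
    print("normalised digests equal:", digest(SNAPSHOT_MONDAY) == digest(SNAPSHOT_MONDAY_LATER))
    for sign, line in config_diff(SNAPSHOT_MONDAY, SNAPSHOT_TUESDAY):
        print(sign, line)
```

Store the digests and the snapshots off the router, on a host the router administrators cannot write to; a diff that shows a removed access-class or an added "telnet" is the same signal the CFGLOG watcher on slide 30 looks for, obtained independently of the router's own logging.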

Page 59: OOB Management

• OOB device management should be used, so that DoS attacks on the production network do not hinder access to critical devices
• Reverse telnet through a terminal/console server is a good tool in emergencies (AUX <-> console)

telnet <console-server-IP> <2000 + TTY#>
show line          ! to find the TTY numbers

Reverse telnet is cleartext, so it belongs on the OOB network only; where the console server supports SSH to its async lines, use that instead.