Routers route traffic between different networks based on Layer 3 IP
addresses and provide access to network segments and subnetworks. That alone
makes routers prime targets for network attackers. When an organization's
border router is compromised or accessed without authorization, it poses a
threat to the organization's sensitive information and to its other network
services and resources. Routers can be compromised in many ways (trust
exploitation and MITM attacks, for example), and a compromised router exposes
the internal network's configuration and components to scans and attacks.
The two primary roles a router plays in a network:
- Advertise networks and filter (permit/deny) who can use them.
- Provide access to network segments and subnetworks.
Quick “Review” of Attacks on Routers
General threats include, but are not limited to: unauthorized access, session
hijacking, rerouting, masquerading, Denial of Service (DoS), eavesdropping, and
information theft. In addition to threats to a router from the network, dial-up
access to a router exposes it to further threats.
Attack techniques include: password
guessing, routing protocol attacks, SNMP attacks, IP fragmentation attacks – to
bypass filtering, redirect (address) attacks, and circular redirect – for
denial of service.
Session replay attacks use a sequence
of packets or application commands that can be recorded, possibly manipulated,
and then replayed to cause an unauthorized action or gain access.
Rerouting attacks can include manipulating
router updates to cause traffic to flow to unauthorized destinations. These
kinds of attacks are sometimes called “route injection” attacks.
Masquerade attacks occur when an
attacker manipulates IP packets to falsify IP addresses. Masquerades can be
used to gain unauthorized access or to inject bogus data into a network.
Session hijacking may occur if an
attacker can insert falsified IP packets after session establishment via IP
spoofing, sequence number prediction and alteration, or other methods.
Resource starvation attacks usually
involve flooding the router with traffic or requests designed to consume all of
some limited resource. Target resources may be bandwidth, memory, or even
computation.
Careful router configuration can help
prevent a (compromised) site from being used as part of a Distributed Denial of
Service (DDoS) attack, by blocking spoofed source addresses. DDoS attacks use a
number of compromised sites to flood a target site with sufficient traffic or
service requests to render it useless to legitimate users.
Services to Block Completely at a Border Router
Port (Transport)        | Service
1 (TCP & UDP)           | tcpmux
7 (TCP & UDP)           | echo
9 (TCP & UDP)           | discard
11 (TCP)                | systat
13 (TCP & UDP)          | daytime
15 (TCP)                | netstat
19 (TCP & UDP)          | chargen
37 (TCP & UDP)          | time
43 (TCP)                | whois
67 (UDP)                | bootp
69 (UDP)                | tftp
95 (TCP & UDP)          | supdup
111 (TCP & UDP)         | sunrpc
135 (TCP & UDP)         | loc-srv
137 (TCP & UDP)         | netbios-ns
138 (TCP & UDP)         | netbios-dgm
139 (TCP & UDP)         | netbios-ssn
177 (UDP)               | xdmcp
445 (TCP)               | netbios (ds)
512 (TCP)               | rexec
515 (TCP)               | lpr
517 (UDP)               | talk
518 (UDP)               | ntalk
540 (TCP)               | uucp
1434 (UDP)              | Microsoft SQL Server
1900, 5000 (TCP & UDP)  | Microsoft UPnP SSDP
2049 (UDP)              | NFS
6000 - 6063 (TCP)       | X Window System
6667 (TCP)              | IRC
12345-6 (TCP)           | NetBus
31337 (TCP & UDP)       | Back Orifice
· Control Access to your Router
The first thing to do is apply some rules to restrict external access to
certain ports of the router. You can block all ports, but it is not always
necessary. The commands below protect your router against some reconnaissance
attacks and, obviously, restrict access to these ports:
access-list 110 deny tcp any host $yourRouterIP eq 7
access-list 110 deny tcp any host $yourRouterIP eq 9
access-list 110 deny tcp any host $yourRouterIP eq 13
access-list 110 deny tcp any host $yourRouterIP eq 19
access-list 110 deny tcp any host $yourRouterIP eq 23
access-list 110 deny tcp any host $yourRouterIP eq 79
! without this line the implicit deny at the end of the list would drop
! all other traffic arriving on x0/0
access-list 110 permit ip any any
interface x0/0
ip access-group 110 in
Where $yourRouterIP is your router IP and x0/0 is your external interface. We
will always use this convention in this article. Note that an interface
accepts only one inbound IP access list, so in a real configuration the
entries of access lists 110, 111 and 112 below would be merged into a single
list.
· Restrict telnet access to it
Telnet is not a very safe protocol to use, but if you really need it (you
should always use ssh instead) you will want to restrict all access to it;
remember that all your traffic will be unencrypted. The best way to accomplish
that is a standard access list applied with the access-class command:
access-list 50 permit 192.168.1.1
access-list 50 deny any log
line vty 0 4
access-class 50 in
exec-timeout 5 0
Where 192.168.1.1 is the IP address allowed to telnet to the router.
· Block Spoof/Malicious packets
You must never allow loopback or reserved (private) source addresses arriving
from the Internet to reach your external interface, and you can reject
broadcast and multicast source addresses too.
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
! the wildcard masks cover the whole RFC 1918 blocks
! (192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8)
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip 224.0.0.0 31.255.255.255 any
access-list 111 deny icmp any any redirect
! allow the remaining traffic explicitly; the list ends with an implicit deny
access-list 111 permit ip any any
interface x0/0
ip access-group 111 in
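A wildcard mask that is narrower than the block it is meant to cover silently leaves part of that block unfiltered. As an added example (not from the original post), the Python below converts each deny entry's wildcard mask into a prefix and reports which private or loopback source ranges the list leaves uncovered; the sample access list is constructed, with deliberately narrow masks on the 192.168 and 172.16 entries so the gap shows up.

```python
import ipaddress
import re

# Constructed sample (not a real router's config): two entries use masks that are
# narrower than the RFC 1918 blocks they are meant to cover.
SAMPLE_ACL = """
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.0.255 any
access-list 111 deny ip 172.16.0.0 0.0.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip 224.0.0.0 31.255.255.255 any
access-list 111 deny icmp any any redirect
access-list 111 permit ip any any
"""

# Source ranges that must never arrive on the external interface from the Internet.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Matches "access-list N deny ip <addr> <wildcard> any" or "... deny ip host <addr> any".
DENY_ENTRY = re.compile(
    r"^access-list\s+\d+\s+deny\s+ip\s+(?:host\s+(\S+)|(\S+)\s+(\S+))\s+any$")

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network; the wildcard must be contiguous."""
    w = int(ipaddress.ip_address(wildcard))
    if (w + 1) & w:  # contiguous wildcards have the form 0...01...1
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network((addr, 32 - w.bit_length()), strict=False)

def denied_sources(acl_text):
    """Collect the source networks denied by the 'deny ip ... any' entries."""
    nets = []
    for line in acl_text.splitlines():
        m = DENY_ENTRY.match(line.strip())
        if m:
            host, addr, wc = m.groups()
            nets.append(ipaddress.ip_network(host) if host else wildcard_to_network(addr, wc))
    return nets

def uncovered_bogons(acl_text):
    """Return, as strings, the bogon ranges that no single deny entry fully covers."""
    denied = denied_sources(acl_text)
    return [str(b) for b in BOGON_SOURCES if not any(b.subnet_of(d) for d in denied)]

if __name__ == "__main__":
    for gap in uncovered_bogons(SAMPLE_ACL):
        print(f"not fully blocked: {gap}")
```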
· Restrict SNMP
SNMP must always be restricted, unless you want some malicious person
collecting a lot of information about your network.
access-list 112 deny udp any any eq snmp
access-list 112 permit ip any any
interface x0/0
ip access-group 112 in
And if you are not going to use SNMP at all, disable it:
no snmp-server
· Encrypt all passwords
A very important thing to do is to protect all your passwords with the
strongest algorithm available.
The enable password, which grants privileged EXEC access to the IOS system,
can be stored as an MD5 hash, which is the strongest option available on
Cisco IOS.
enable secret $yourpassword
All other passwords can be encrypted with the Vigenère cipher, which is not
very strong but still helps. To do that, use the service password-encryption
command, which encrypts all passwords present in your configuration.
service password-encryption
· Disable all unused services
a. Disable echo, chargen and discard
no service tcp-small-servers
no service udp-small-servers
b. Disable finger
no service finger
c. Disable the HTTP server interface
no ip http server
d. Disable NTP on the external interface (if you are not using it)
! ntp disable is an interface subcommand
interface x0/0
ntp disable
· Add some security options
a. Disable source routing
no ip source-route
b. Disable proxy ARP (an interface subcommand; s0/0 is your external interface)
interface s0/0
no ip proxy-arp
c. Disable ICMP redirects (on your external interface)
interface s0/0
no ip redirects
d. Disable multicast route caching (on your external interface)
interface s0/0
no ip mroute-cache
e. Disable CDP
no cdp run
f. Disable directed broadcasts (protects against Smurf attacks; an interface
subcommand)
interface s0/0
no ip directed-broadcast
· Log everything
To finish, you must log everything to an outside log server. Collect
everything from all your systems and always analyze the logs.
logging trap debugging
logging 192.168.1.10
where 192.168.1.10 is the IP of your log server (configured as a syslog
server).
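The steps above form a checklist, and the quickest way to know whether a router actually follows it is to audit its saved configuration. As an added example (not from the original post), this Python audit reads a running-config excerpt and reports which of the global, external-interface and vty items from the checklist are missing; the config text is constructed, with a few items deliberately left out, and the interface name Serial0/0 and the placeholder hash are assumptions.

```python
import re

# Constructed running-config excerpt (not from a real device); some hardening
# items are deliberately missing so the audit has something to report.
SAMPLE_CONFIG = """\
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no service finger
enable secret 5 <placeholder-md5-hash>
no ip http server
snmp-server community public RO
interface Serial0/0
 no ip redirects
 no ip proxy-arp
logging trap debugging
logging 192.168.1.10
line vty 0 4
 access-class 50 in
"""

# Global commands (matched as prefixes) and external-interface subcommands from the checklist.
REQUIRED_GLOBAL = ["service password-encryption", "no service tcp-small-servers",
                   "no service udp-small-servers", "no service finger", "no ip http server",
                   "no ip source-route", "no cdp run", "enable secret ", "logging trap "]
REQUIRED_INTERFACE = ["no ip redirects", "no ip proxy-arp", "no ip mroute-cache",
                      "no ip directed-broadcast"]

def section(lines, header):
    # Indented subcommands that follow a section header (interface ..., line vty ...).
    cmds, inside = [], False
    for line in lines:
        inside = line == header or (inside and line.startswith(" "))
        if inside and line != header:
            cmds.append(line.strip())
    return cmds

def audit(config, external_iface):
    """Return the checklist items the config does not show, as readable findings."""
    lines = config.splitlines()
    top = [l for l in lines if l and not l.startswith(" ")]
    findings = [f"missing: {c.strip()}" for c in REQUIRED_GLOBAL
                if not any(l.startswith(c) for l in top)]
    if not any(re.match(r"logging \d+\.\d+\.\d+\.\d+$", l) for l in top):
        findings.append("missing: logging <syslog host>")
    if any(l.startswith("snmp-server community ") for l in top):
        findings.append("snmp-server community set: restrict it with an ACL or use 'no snmp-server'")
    iface = section(lines, f"interface {external_iface}")
    findings += [f"missing on {external_iface}: {c}" for c in REQUIRED_INTERFACE if c not in iface]
    if not any(c.startswith("access-class ") for c in section(lines, "line vty 0 4")):
        findings.append("missing on line vty 0 4: access-class")
    return findings
```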
Conclusion
With these simple steps you can add a
lot of security to your router, protecting it against a lot of possible
attacks, increasing your network security.
As an example, here is the nmap result before and after applying these
options:
Before:
bash-2.05b# nmap -O 192.168.1.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.1):
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
19/tcp open chargen
23/tcp open telnet
79/tcp open finger
80/tcp open http
Remote OS guesses: AS5200, Cisco 2501/5260/5300 terminal server IOS 11.3.6(T1), Cisco IOS 11.3 - 12.0(11)
After:
bash-2.05b# nmap -P0 -O 192.168.1.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1601 scanned ports on (192.168.1.1) are: filtered
Too many fingerprints match this host for me to give an accurate OS guess
Nmap run completed -- 1 IP address (1 host up) scanned in 403 seconds
There are substantial security
resources available from router vendors. For example, Cisco offers extensive
on-line documentation and printed books about the security features supported
by their products. These books and papers are valuable, but they are not
sufficient. Most vendor-supplied router security documents are focused on documenting
all of the security features offered by the router, and do not always supply
security rationale for selecting and applying those features. This guide attempts
to provide security rationale and concrete security direction, with pertinent references
at the end of each section identifying the most useful vendor documentation.
This guide also provides pointers to related books, vendor documents,
standards, and available software.