Securing Network Devices

This chapter covers the following exam topics:

1.0 Network Fundamentals

1.1 Explain the Role of Network Components

1.1.c Next-generation Firewalls and IPS

4.0 IP Services

4.8 Configure network devices for remote access using SSH

5.0 Security Fundamentals

5.3 Configure device access control using local passwords

Encrypting Older IOS Passwords with service password-encryption

service password-encryption

  • encrypts passwords that are normally held as clear text

  • password password (console or vty mode)

  • username name password password

  • enable password password

  • encoding type of “7”

no service password-encryption

  • passwords remain encrypted until password is changed

Hashing the enable secret

  • never stores the clear-text password
  • IOS computes the MD5 hash of the password in the enable secret command and stores the hash of the password in the configuration.
  • IOS hashes the clear-text password as typed by the user.
  • IOS compares the two hashed values

no enable secret

  • Can be used without having to enter the password

Improved Hashes for Cisco’s Enable Secret

The two newer alternative algorithm types

  • Both use an SHA-256 hash instead of MD5

enable [algorithm-type5] secret password

  • Type 5
  • MD5

enable algorithm-type sha256 secret password

  • Type 8
  • SHA-256

enable algorithm-type scrypt secret password

  • Type 9

  • SHA-256

  • New enable secret commands with different algorithm types replace any existing enable secret command.

Encoding the Passwords for Local Usernames

Username secret command Encoding

username name [algorithm-type5] secret password

username name algorithm-type sha-256 secret password

username name algorithm-type scrypt secret password

Controlling Password Attacks with ACLs

(line vty)# access-class 3 in

  • Bond ACL 3 to a vty line

(line vty)# access-class 3 out

  • looks at the destination IP address instead of the source
  • filters based on the device to which the telnet or ssh command is trying to connect.

Traditional Firewalls

  • match the source and destination IP addresses

  • matching their static well-known TCP and UDP ports

  • additional TCP and UDP ports 

  • Match the text in the URI of an HTTP request

  • state information (stateful firewall)

  • storing information about each packet

  • make decisions about filtering future packets based on the historical state information (stateful inspection)

  • could be tracking the number of TCP connections per second

  • recording state information based on earlier packets

  • stateless firewall or a router ACL

  • would not have had the historical state information to realize that a DoS attack was occurring.

Security Zones

  • defining which hosts can initiate new connections.

  • Zone Inside

  • Secure

  • Zone Outside

  • Not secure

  • DMZ

  • Access by public

Intrusion Prevention Systems (IPS

  • IPS first downloads a database of exploit signatures
  • IPS can log the event, discard packets, or even redirect the packets to another security application for further examination.
  • needs to download and keep updating its signature database.

Cisco Next-Generation Firewalls

Cisco firewall

  • Cisco Adaptive Security Appliance (ASA).

  • stateful filtering

  • comparing fields in the IP, TCP, and UDP headers, and using security zones when defining firewall rules

Application Visibility and Control (AVC)

looks at the application layer data to identify the application

  • deep packet inspection
  • can identify many applications based on the data sent (application layer headers plus application data structures far past the TCP and UDP headers).

Duties of a NGFW

Traditional firewall:

stateful firewall filtering, NAT/PAT, and VPN termination.

Application Visibility and Control (AVC)

Advanced Malware Protection:

  • A network-based antimalware function can run on the firewall itself, blocking file transfers that would install malware, and saving copies of files for later analysis.

URL Filtering: This feature

  • examines the URLs in each web request, categorizes the URLs, and either filters or rate limits the traffic based on rules. The Cisco Talos security group monitors and creates reputation scores for each domain known in the Internet, with URL filtering being able to use those scores in its decision to categorize, filter, or rate limit.

NGIPS

Cisco Next-Generation IPS

  • examines the context by gathering data from all the hosts and the users of those hosts.
  • will know the OS, software revision levels, what apps are running, open ports, the transport protocols and port numbers in use, and so on.
  • Armed with that data, the NGIPS can make much more intelligent choices about what events to log.

NGIPS Duties

Traditional IPS:

  • using exploit signatures to compare packet flows, creating a log of events, and possibly discarding and/or redirecting packets.

Application Visibility and Control (AVC):

Contextual Awareness:

  • gather data from hosts—OS, software version/level, patches applied, applications running, open ports, applications currently sending data, and so on. Those facts inform the NGIPS as to the often more limited vulnerabilities in a portion of the network so that the NGIPS can focus on actual vulnerabilities while greatly reducing the number of logged events.

Reputation-Based Filtering:

can perform reputation-based filtering, taking the scores into account.

Event Impact Level:

provides an assessment based on impact levels