
Saturday, 5 September 2015

ACLs in Depth continued

Why use ACLs
*   Limit network traffic to increase network performance.
*   ACLs provide traffic flow control by restricting the delivery of routing updates.
*   They can be used as an additional layer of security.
*   Control which types of traffic are forwarded or blocked by the router.
*   Control which areas of the network a client can access.


Types of Access Control Lists

Standard access-list
  • Standard access lists create filters based on source addresses and are used for server based filtering.
  • Address-based access lists identify the networks you want to control by their IP network address.
  • Address-based access lists consist of a list of addresses or address ranges and a statement of whether access to or from each address is permitted or denied.

Example of the command syntax for configuring a standard numbered IP ACL:


R1(config)# access-list {1-99} {permit | deny} source-addr [source-wildcard]


  • The first value {1-99} specifies the standard ACL number range.
  • The second value specifies whether to permit or deny traffic from the configured source IP address.
  • The third value is the source IP address that must be matched.
  • The fourth value is the wildcard mask applied to the previously configured IP address to indicate the range.



 
Extended access lists
  • Extended access lists create filters based on source addresses, destination addresses, protocol, port number and other features and are used for packet based filtering for packets that traverse the network.

Example of the command syntax for configuring an extended numbered IP ACL:

Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]

  • Like the standard ACLs, the first value {100-199 or 2000-2699} specifies the ACL number range.
  • The next value specifies whether to permit or deny according to the criteria that follow.
  • The third value specifies the protocol type (IP, TCP, UDP, or another specific IP sub-protocol). The source IP address and wildcard mask determine the traffic source. The destination IP address and its wildcard mask indicate the final destination of the traffic. When the destination IP address and mask are configured, the port number must be specified to match, either by number or by a well-known port name; otherwise all traffic to that destination will be dropped.

Standard and extended access lists can also be configured using the ip access-list command.

Access lists use the deny or permit statement to define which packet is allowed or denied entry into a server or network.

Masks

  • Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied. Subnet masks used to configure IP addresses on interfaces start with 255 and have the large values on the left side, for example IP address 172.16.2.14 with a 255.255.255.0 mask. Masks for IP ACLs are the reverse, for example mask 0.0.0.255. This is sometimes called an inverse mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the result determines which address bits are considered when processing the traffic. A 0 bit in the mask means the corresponding address bit must match exactly; a 1 bit means that address bit is ignored ("don't care").


Note these ACL equivalents.

  • The source/source-wildcard of 0.0.0.0/255.255.255.255 means "any".
  • The source/wildcard of 10.1.1.2/0.0.0.0 is the same as "host 10.1.1.2".
  • If you subtract 255.255.255.0 (normal mask) from 255.255.255.255, it yields 0.0.0.255.



  • The command below defines an ACL that permits the network 192.168.1.0 0.0.0.255:

access-list acl_permit permit ip 192.168.1.0 0.0.0.255

  • Inbound traffic to the router is compared to the access list entries in the order in which the entries occur in the router. The router looks through the entries until it finds a match. If no match is found by the time it reaches the end of the list, the traffic is denied. For this reason, put the most frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted. A single-entry access list with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked.
  • Access lists implicitly deny all access that is not expressly permitted. The following line is auto-appended to all access lists:

deny ip any any

  • If it is desirable to override this implicit deny statement, enter a permit ip any any statement as the last entry in the access list.
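The wildcard-mask matching, top-to-bottom first-match order and implicit deny described above, as an added Python example (not code from the blog or from Cisco IOS); the ACL number, the host addresses and the entries in SAMPLE_ACL are constructed for illustration.

```python
import ipaddress

# Added example, not from the blog: a small evaluator for the standard numbered
# ACL syntax "access-list <1-99> {permit|deny} source [wildcard]", including
# the "any" and "host X" shorthands. Wildcard bits are applied bit for bit
# (0 = must match, 1 = don't care), entries are walked top to bottom, the first
# match wins, and traffic that matches nothing hits the implicit deny.

def wildcard_match(addr, network, wildcard):
    """True if addr matches network under an inverse (wildcard) mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must match exactly
    return (a & care) == (n & care)

def normal_to_wildcard(mask):
    """255.255.255.255 minus a normal subnet mask gives its wildcard mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))

def parse_standard_acl(lines):
    """Parse entries into (action, network, wildcard) tuples, keeping order."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard ACL entry: {line!r}")
        number, action = int(parts[1]), parts[2]
        if not 1 <= number <= 99 or action not in ("permit", "deny"):
            raise ValueError(f"bad ACL number or action: {line!r}")
        src = parts[3]
        if src == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif src == "host":
            network, wildcard = parts[4], "0.0.0.0"
        else:
            network = src
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # IOS default
        entries.append((action, network, wildcard))
    return entries

def evaluate(entries, src_addr):
    """First-match evaluation; unmatched traffic hits the implicit deny."""
    for action, network, wildcard in entries:
        if wildcard_match(src_addr, network, wildcard):
            return action
    return "deny"   # the 'deny ip any any' auto-appended to every ACL

# Constructed sample ACL 10: permit one host, deny the rest of its /24,
# permit 192.168.1.0/24; everything else falls to the implicit deny.
SAMPLE_ACL = parse_standard_acl([
    "access-list 10 permit host 10.1.1.2",
    "access-list 10 deny 10.1.1.0 0.0.0.255",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
])

if __name__ == "__main__":
    for ip in ("10.1.1.2", "10.1.1.9", "192.168.1.77", "172.16.2.14"):
        print(ip, "->", evaluate(SAMPLE_ACL, ip))
```

Swapping the first two entries shows why order matters: the host would then be caught by the subnet deny before its own permit is reached.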

Access Control Lists in detail

Access Control Lists (ACLs)

  • Access Control Lists (ACLs) are filters that enable you to control which routing updates or packets are permitted or denied in or out of a network. They are used by network administrators to filter traffic and to provide extra security for their networks.
  • They can be applied on (Cisco) routers.
  • ACLs provide a powerful way to control traffic into and out of your network; this control can be as simple as permitting or denying network hosts or addresses. You can configure ACLs for all routed network protocols.
  • The most important reason to configure ACLs is to provide security for your network. However, ACLs can also be configured to control network traffic based on the TCP port being used.

How ACLs work

  • A router acts as a packet filter when it forwards or denies packets according to filtering rules. As a Layer 3 device, a packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source and destination ports, and the protocol of the packet. These rules are defined using access control lists (ACLs).
  • To simplify how packet filtering with ACLs works, imagine a guard stationed at a locked door. The guard's instruction is to allow only people whose names appear on a guest list to pass through the door. The guard is filtering people based on the condition of having their names on the authorized list.
  • When a packet arrives at the router, the router extracts certain information from the packet header and decides, according to the filter rules, whether the packet can pass through or must be dropped. The packet filtering process works at the Network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.





Saturday, 24 January 2015

Fresh Start-Beginner

Hi,

This is Kalpesh Hadkar, welcome to the world of secure networks. I would like to give my small contribution to this security world.

The reason behind it is, when I came to the networking world I wasn't well aware of the technology except a few basics of OSI layers and the functioning of routers and switches. Later it took some time for me to get acquainted with firewall technology by collecting online material. I wanted to reduce the initial problem which starters face searching for stuff. A small contribution made for Secure Networks.

Hope you all would enjoy learning with Secure Networks.

Wednesday, 21 January 2015

Introduction to Security


Network Security involves 3 basic objectives:
  • Confidentiality - Only authorized individuals can view sensitive information. The primary way of protecting the data is to encrypt it before sending it over the network. Another option is using a separate network for sending confidential data.
  • Integrity - The data transmitted remains intact throughout the network. Any changes made to the data are done by authorized individuals.
  • Availability - Data needs to be available throughout the network. Availability can be denied by a Denial of Service (DoS) attack or by a network failure.

Sunday, 18 January 2015

Building a Fortified Network

For building a fortress, or secure network, we break the network into 3 planes:

  • Management Plane - It deals with securing the device for management communication. We can secure the management plane by using SSH, HTTPS and SNMP services. It can also be secured by restricting who is allowed to log in to the network devices, keeping brute force attacks away by limiting password attempts and setting timeouts on devices, giving restricted users access only to authorized privileges using Role Based CLI, and using secure NTP (Network Time Protocol).
  • Control Plane - The control plane deals with the processor and the device's own functionality: routing updates and keepalive messages. To protect the control plane, authentication is a must. We can also limit the number of sessions a device can accept at one time, and limit data traffic by restricting packet size.
  • Data Plane - It is the forwarding plane, which transmits packets from one device to another. The data plane can be protected with ACLs, and with BPDU Guard and Root Guard to lock down STP. Port Security also comes in handy in preventing MAC address spoofing.

Thursday, 15 January 2015

Configuring aaa (using authentication method)

aaa new-model
This command enables the AAA "new model" on the router. If an AAA server is configured, the router uses it for authentication; otherwise it uses the local user database.
If there is no local database, it uses the enable password.

How do you configure AAA in the Cisco IOS?

Here are the steps to configuring AAA:
  • Enable AAA
  • Configure authentication, using RADIUS or TACACS+
  • Define the method lists for authentication
  • Apply the method lists per line/ per interface
It is important to note that Cisco IOS software attempts authentication with the next-listed authentication method only when there is no response from the previous method. If the security server or user database responds by denying the user access, the authentication process stops there and the user gets a denied prompt. To configure AAA, use the following statement in global configuration mode:
Router(config)# aaa new-model
From this point, most admins start configuring AAA by setting up authentication.
Here is one example of how to configure login authentication using the enable password.
Router(config)# aaa authentication login default enable
If you want to apply a method list only to the console line, create a named method list and then apply it to that line:
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authentication login CON none
Router(config)# line console 0
Router(config-line)# login authentication CON
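The fallback rule stated above (the next method is tried only when the previous one does not respond, never after an explicit reject), as an added Python model that is not taken from the blog or from Cisco IOS; the TACACS+ stand-ins, the local user and its password are constructed.

```python
from enum import Enum

# Added example, not from the blog: models how an IOS-style login method list
# is walked. ERROR (no response from the server) moves on to the next method;
# FAIL (the server answered "no") ends the attempt; PASS admits the user.
# Every server stand-in and credential below is constructed for illustration.

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"

def authenticate(method_list, username, password):
    """Walk the method list in order; return (decision, method that decided)."""
    for name, method in method_list:
        outcome = method(username, password)
        if outcome is Result.PASS:
            return "permit", name
        if outcome is Result.FAIL:
            return "deny", name      # a reject is final: no fallback to 'local'
        # Result.ERROR: the method did not respond, try the next one
    return "deny", "exhausted"       # nothing responded and no method is left

# Constructed stand-ins for "group tacacs+" and "local"
LOCAL_USERS = {"admin": "hunter2"}   # constructed local database

def tacacs_unreachable(user, pw):
    return Result.ERROR              # server down or no route to it

def tacacs_rejecting(user, pw):
    return Result.FAIL               # server reachable and denies the login

def local_db(user, pw):
    return Result.PASS if LOCAL_USERS.get(user) == pw else Result.FAIL

# 'aaa authentication login default group tacacs+ local', server unreachable
DEFAULT_LIST = [("tacacs+", tacacs_unreachable), ("local", local_db)]
# Same list, but the TACACS+ server is up and rejects the user
DEFAULT_LIST_SERVER_UP = [("tacacs+", tacacs_rejecting), ("local", local_db)]
# 'aaa authentication login CON none': no authentication on the console line
CON_LIST = [("none", lambda user, pw: Result.PASS)]

if __name__ == "__main__":
    print(authenticate(DEFAULT_LIST, "admin", "hunter2"))
    print(authenticate(DEFAULT_LIST_SERVER_UP, "admin", "hunter2"))
```

The second call shows the lockout case practitioners worry about: with the server up, a reject is final even though the local database would have accepted the same credentials.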

Securing the Management Plane (AAA)

For securing the management plane we need to set up enable secrets, give user-based privilege levels, lock down the access methods, and use AAA.

What is AAA?
AAA (Authentication, Authorization and Accounting):
When it comes to network security, AAA is a requirement.
  • Authentication: Identifies users by login and password using a challenge and response methodology before the user even gains access to the network. Depending on your security options, it can also support encryption.
  • Authorization: Tells what authority the logged-in user has. After initial authentication, authorization looks at what that authenticated user is allowed to do. RADIUS or TACACS+ security servers perform authorization for specific privileges by defining attribute-value (AV) pairs, which are specific to the individual user's rights. In the Cisco IOS, you can define AAA authorization with a named list or authorization method.
  • Accounting: The last "A" is for accounting. It provides a way of collecting security information that you can use for billing, auditing, and reporting. You can use accounting to see what users do once they are authenticated and authorized. For example, with accounting, you could get a log of when users logged in and when they logged out.

Why every network admin should care about AAA

AAA is a critical piece of network infrastructure. AAA is what keeps your network secure by making sure that only the right users are authenticated and that those users have access only to the right network resources.

Monday, 12 January 2015

Configuring aaa (authorization and accounting method)

For the authorization method list we will use a custom (named) list rather than the default one:

Router(config)# aaa authorization commands 1 TAC1 group tacacs+ local
Router(config)# aaa authorization commands 2 TAC2 group tacacs+ local

For the accounting method list:

Router(config)# aaa accounting commands 1 TAC-ACT1 start-stop group tacacs+
Router(config)# aaa accounting commands 2 TAC-ACT2 start-stop group tacacs+

Apply authorization and accounting to the vty lines:

Router(config)# line vty 0 4
Router(config-line)# authorization commands 1 TAC1
Router(config-line)# authorization commands 2 TAC2
Router(config-line)# accounting commands 1 TAC-ACT1
Router(config-line)# accounting commands 2 TAC-ACT2

Friday, 9 January 2015

Centralized Management Control using AAA (Radius & TACACS)

With a centralized database we do not create a separate user login on every device for each user.

Communication is client/server based: the router (the AAA client) sends the login to the AAA server, and the AAA server authenticates it. The usernames and passwords are kept on a centralized server called the AAA server. This relieves the router of processing all of this itself.

Router  --- <communicates with> ---- AAA Server
Router  --- <makes request to> ---- AAA Server
AAA Server ---- <responds back to> ---- Router

This conversation takes place using the RADIUS or TACACS protocol.

RADIUS (Remote Authentication Dial in User Service)

  • It is an open standard method of communicating with the AAA server.
  • It encrypts only the login password; the rest of the communication between client and server is sent in the clear.
  • It uses UDP as the transport protocol, so delivery is not guaranteed by the transport.
  • It uses port 1812 for authentication and 1813 for authorization.
  • It is used for authenticating end users.
TACACS (Terminal Access Controller Access Control System)

  • It is a Cisco proprietary method.
  • It encrypts the entire communication between client and server.
  • It uses TCP port 49 at layer 4.
  • It keeps authentication and authorization as separate exchanges.




Tuesday, 6 January 2015

Internet Security Issues and Prevention (DHCP Snooping)

The Internet has various security issues, such as:

  • DNS attack - It involves no authentication, as the original website has been attacked.
  • Phishing - A security breach in which users enter their login information on fake websites.
  • Spam - All the fake emails and messages, mostly sent through botnets of infected computers.
Protecting Layer 2:

  • Attacks on switches - The common attack on DHCP servers (the one DHCP snooping defends against) is a man-in-the-middle attack that diverts the traffic going to the DHCP server by attacking it.
  • This can be prevented by protecting switch ports: DHCP offers and acknowledgements are not allowed in on untrusted ports.
SW1(config)# ip dhcp snooping vlan 3
SW1(config)# ip dhcp snooping
SW1(config)# int g 0/1
SW1(config-if)# ip dhcp snooping trust

With DHCP snooping, access ports are not trusted by default; we have to specify which ports are trusted.

Saturday, 3 January 2015

Overview of DHCP Snooping


DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:

  • Validates DHCP messages received from untrusted sources and filters out invalid messages.
  • Rate-limits DHCP traffic from trusted and untrusted sources.
  • Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
  • Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Other security features, such as dynamic ARP inspection (DAI), also use information stored in the DHCP snooping binding database.

DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.



Trusted and Untrusted Sources


The DHCP snooping feature determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, the DHCP snooping feature filters messages and rate-limits traffic from untrusted sources.
In an enterprise network, devices under your administrative control are trusted sources. These devices include the switches, routers, and servers in your network. Any device beyond the firewall or outside your network is an untrusted source. Host ports and unknown DHCP servers are generally treated as untrusted sources.
A DHCP server that is on your network without your knowledge on an untrusted port is called a spurious DHCP server. A spurious DHCP server is any piece of equipment that is loaded with DHCP server enabled. Some examples are desktop systems and laptop systems that are loaded with DHCP server enabled, or wireless access points honoring DHCP requests on the wired side of your network. If spurious DHCP servers remain undetected, you will have difficulties troubleshooting a network outage. You can detect spurious DHCP servers by sending dummy DHCPDISCOVER packets out to all of the DHCP servers so that a response is sent back to the switch.
In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources. In the switch, you indicate that a source is trusted by configuring the trust state of its connecting interface. The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.

DHCP Snooping Binding Database

The DHCP snooping binding database is also referred to as the DHCP snooping binding table.
The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.
The DHCP snooping feature updates the database when the switch receives specific DHCP messages. For example, the feature adds an entry to the database when the switch receives a DHCPACK message from the server. The feature removes the entry in the database when the IP address lease expires or the switch receives a DHCPRELEASE message from the host.
Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.

Packet Validation

The switch validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case the packet is dropped):
  • The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
  • The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
  • The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
  • The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.
To support trusted edge switches that are connected to untrusted aggregation-switch ports, you can enable the DHCP option-82 on untrusted port feature, which enables untrusted aggregation-switch ports to accept DHCP packets that include option-82 information. Configure the port on the edge switch that connects to the aggregation switch as a trusted port.
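The trusted/untrusted handling, binding-table maintenance and packet-validation checks described in this post, as one added Python model that is neither Cisco's code nor the blog's; interface names, MAC addresses and the assigned IP are constructed, MAC/chaddr verification is assumed on, and rate limiting and option-82 handling are not modeled.

```python
from dataclasses import dataclass

# Added example, not from the blog or Cisco: a small model of the DHCP snooping
# decisions above. Trust is a per-interface setting. On untrusted ports,
# server-side messages, MAC/chaddr mismatches (when verification is on) and a
# non-zero relay-agent address are dropped, and a RELEASE or DECLINE must arrive
# on the interface recorded in the binding table. The table is built from
# DHCPACK and cleared by DHCPRELEASE. All names and addresses are constructed.

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}
CLIENT_MESSAGES = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPRELEASE", "DHCPDECLINE"}

@dataclass
class DhcpMessage:
    kind: str                  # one of the message types above
    src_mac: str               # Ethernet source address of the frame
    chaddr: str                # DHCP client hardware address field
    giaddr: str = "0.0.0.0"    # relay agent IP address
    yiaddr: str = "0.0.0.0"    # address the server assigns in an ACK
    vlan: int = 1

@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str

class DhcpSnooping:
    def __init__(self, trusted_interfaces, verify_mac=True):
        self.trusted = set(trusted_interfaces)
        self.verify_mac = verify_mac
        self.bindings = {}   # client MAC -> Binding (untrusted hosts only)
        self.pending = {}    # client MAC -> interface of its last request

    def process(self, msg, interface):
        """Return 'forward' or 'drop' for a message seen on `interface`."""
        mac = msg.chaddr.lower()
        if interface not in self.trusted:
            if msg.kind in SERVER_MESSAGES:
                return "drop"   # server replies never belong on host ports
            if self.verify_mac and msg.src_mac.lower() != mac:
                return "drop"   # frame source MAC does not match chaddr
            if msg.giaddr != "0.0.0.0":
                return "drop"   # relay-agent address set on an untrusted port
            if msg.kind in ("DHCPRELEASE", "DHCPDECLINE"):
                bound = self.bindings.get(mac)
                if bound is not None and bound.interface != interface:
                    return "drop"   # lease is bound to a different interface
            if msg.kind in CLIENT_MESSAGES:
                self.pending[mac] = interface   # remember the client's port
        # Table maintenance: an ACK creates a binding, a RELEASE removes it
        if msg.kind == "DHCPACK" and mac in self.pending:
            self.bindings[mac] = Binding(mac, msg.yiaddr, msg.vlan, self.pending[mac])
        elif msg.kind == "DHCPRELEASE":
            self.bindings.pop(mac, None)
        return "forward"
```

Hosts behind trusted interfaces never enter the table, matching the binding-database description above, because only requests seen on untrusted ports are recorded in `pending`.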

Thursday, 1 January 2015

PACKET Filtering with IPV4 (protecting Data Plane)

The data plane carries the routed traffic itself, the packets.
It is essential to protect these packets during transmission.
  1. ACLs are used for packet filtering
      - Inbound traffic (arriving at a router interface from outside the network)
      - Outbound traffic (transit traffic going through the router, or traffic generated by the router)

   There are 2 types of ACL:

  • Standard - filter on the L3 source address only.
  • Extended - filter on L3/L4 source and destination addresses (and ports).
  1. For example, if we need to block some users from accessing the Internet, we can create an access group, place the IP addresses of the hosts/networks to be blocked in that group, and apply it on the router interface.
  2. An object group contains multiple networks and can be used for packet filtering in an ACL. Instead of blocking a single host we can also block an entire subnet by placing the correct wildcard mask in the ACL statement.