
Cisco IOS Security

June 24th, 2008 | No Comments

The first session I attended was about Deploying IOS Security. The session covered using the Cisco IOS as a firewall to protect branch offices. We discussed classic firewalling and zone-based firewalling. I normally use classic firewalling, but I guess I have to try zone-based firewalling in the future. The advantage of zone-based firewalling is that you can add more than one interface to a zone and create policies between the zones. This is useful when configuring a branch router where the users need Internet access, or when configuring a wired and wireless setup with bridging.

A configuration example of zone-based firewalling is shown below:

class-map type inspect match-all web-dmz
 match protocol http
 match access-group 199
!
access-list 199 permit tcp any host 192.168.10.3
!
policy-map type inspect firewall-policy
 class type inspect web-dmz
  inspect
!
zone security private
zone security public
zone security dmz
!
zone-pair security zone-policy source public destination dmz
 service-policy type inspect firewall-policy
!
interface fastethernet 0
 description public interface
 zone-member security public
!
interface fastethernet 1
 description dmz interface
 zone-member security dmz
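An added example (not from the session or the original post) that extends the configuration above to the branch case the post describes: the private zone holds both the wired LAN interface and the bridged wireless BVI, and a second zone-pair lets users reach the Internet through the public zone with return traffic inspected. Interface names, the BVI, and the class-map and policy names are assumptions.

```cisco
! Added example: one zone with two members, plus a private-to-public policy.
! Interface names (FastEthernet2, BVI1) and policy names are assumptions.
class-map type inspect match-any private-to-internet
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect private-policy
 class type inspect private-to-internet
  inspect
 class class-default
  drop log
!
zone security private
zone security public
!
! Only the outbound direction is defined. With no public-to-private zone-pair,
! unsolicited traffic from the Internet towards the LAN is dropped, while
! sessions opened from the private zone get their replies back through inspect.
zone-pair security private-to-public source private destination public
 service-policy type inspect private-policy
!
! Both interfaces sit in the same zone; traffic between members of one zone
! is passed without a policy, so wired and wireless users see each other.
interface FastEthernet2
 description wired LAN
 zone-member security private
!
interface BVI1
 description bridged wireless LAN
 zone-member security private
```

Traffic from the public interface towards the DMZ is still governed by the zone-pair from the post; the two policies coexist because each zone-pair is evaluated independently.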

The Cisco IOS also has capabilities to be used as an IPS (Intrusion Prevention System). When configuring IPS, Cisco SDM comes in handy. Other tools for configuring routers are Cisco Configuration Professional and Cisco Security Manager.

The session was very useful and I am sure that I will try some configuration examples in the near future, which I, of course, will post on the blog.

Cisco Live 2008

June 22nd, 2008 | 1 Comment

It took a while to finally register for Cisco Networkers / Live. First we wanted to attend last year, then we wanted to attend in Barcelona, Spain, but there were no more tickets. Now I am sitting in my hotel room in Orlando, Florida after a long trip getting here.

My colleague and I left Brussels International Airport on Saturday morning (European time) and flew to Newark. After waiting for three hours, we took the flight to Orlando. There we had our first problem: my colleague's luggage was gone. After talking to Baggage Claims we went to the hotel, hoping the luggage would arrive later on. After being awake for almost 24 hours, it was definitely time to get my well-deserved sleep.

Tomorrow I will start with registering at the Orange County Convention Center. This week I will blog about the sessions I attend. Hope to pass along some interesting information for all of you reading my blog.

MAC Authentication Bypass – Continued

June 20th, 2008 | 1 Comment

Finally I had a day “off” and could test MAC Authentication Bypass (MAB) in our test environment at the office. I created the following test environment:

(Diagram: MAB-TEST test environment)

There are 4 different VLANs and a Cisco Catalyst 3750 connects the VLANs to each other. I wanted to create an environment with the following properties:

  • All switch ports are by default members of VLAN 1;
  • Authenticated workstations become members of VLAN 25;
  • Unauthenticated workstations become members of VLAN 30;
  • VoIP phones are members of VLAN 15;
  • All workstations should be able to boot with Wake on LAN;
  • MS-IAS is used as the RADIUS authentication server;

I have configured the necessary components and got the environment working with the above properties. The next few sections cover the configuration of the different components.

Cisco Catalyst 3750

Most of the configuration is done on the Cisco Catalyst 3750 switch. First of all I created the different VLANs on layer 2 of the OSI model. Next I created the SVIs to make the VLANs routable. I used the standard SVI configuration. I used the 'quick-and-dirty' solution for configuring Wake On LAN (WOL) by just adding the ip directed-broadcast command to the SVIs. The snippet below shows the SVI configuration.

Interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip directed-broadcast
end
!
Interface Vlan10
ip address 192.168.10.254 255.255.255.0
ip directed-broadcast
end
!
Interface Vlan15
ip address 192.168.15.254 255.255.255.0
end
!
Interface Vlan30
ip address 192.168.30.254 255.255.255.0
end
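The ip directed-broadcast line above is the quick-and-dirty WOL fix the post mentions. As an added hardening example (not from the original post), the same IOS command accepts an access list, so that only magic packets from a designated WOL host are forwarded as broadcasts into VLAN 1. The WOL host address 192.168.10.50 and ACL number 110 are assumptions.

```cisco
! Added example: forward directed broadcasts into VLAN 1 only for WOL traffic.
! 192.168.10.50 (assumed WOL management host) and ACL 110 are placeholders.
access-list 110 remark Only the WOL host may send magic packets (UDP 7 or 9)
access-list 110 permit udp host 192.168.10.50 any eq 7
access-list 110 permit udp host 192.168.10.50 any eq 9
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ! directed broadcasts that do not match ACL 110 are dropped instead of
 ! being flooded to every host in VLAN 1
 ip directed-broadcast 110
```

The IOS default is no ip directed-broadcast; only the SVI of the VLAN the workstations fall back to (VLAN 1 in this setup) needs the command at all.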

The next step is configuring AAA and the RADIUS group for authenticating the connected clients to the network. The following snippet shows this configuration.

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
radius-server host 192.168.10.30 auth-port 1812 acct-port 1813 key ictivity

The next step is to enable 802.1x globally on the switch. Use the command in the following snippet to enable 802.1x.

dot1x system-auth-control

The last configuration snippet shows the configuration of a switch port. This switch port is configured to use MAC Authentication Bypass as the backup authentication method if 802.1x cannot authenticate.

interface GigabitEthernet1/0/16
switchport mode access
switchport voice vlan 15
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x control-direction in
dot1x timeout tx-period 1
dot1x max-reauth-req 1
dot1x guest-vlan 30
spanning-tree portfast
spanning-tree bpduguard enable

MS-IAS

I configured Internet Authentication Service on a Windows 2003 server. I didn't configure Active Directory, but used the local users and local groups to authenticate. I configured the RADIUS client inside IAS and started to create a Remote Access Policy. The Remote Access Policy matches a newly created Windows group. The important aspects of the policy are the Authentication options and the Advanced attributes. The configuration of both is shown below.

(Screenshots: Authentication options and Advanced attributes)

The last step in the whole process is configuring the Windows Group and adding users to that group. The MAC address of the workstation is acting as username and password. Important to notice is that all characters are case-sensitive and the username and password should only contain lowercase characters. An example of username and password is: 0016762eccda.

After configuring the test environment I did some testing. The first test was connecting a workstation and authenticating. This works perfectly; you will see a nice IAS event message on the Windows 2003 server. Next I connected an IP Phone with a built-in switch and connected the workstation to the IP Phone. The workstation again authenticates flawlessly against the RADIUS server. The last test was trying to wake up the workstation via Wake On LAN. When you shut down the workstation, the switch port first goes into shutdown and re-enables after the complete shutdown of the workstation. Next the switch port returns to VLAN 1 (switchport access vlan 1). I sent the Magic Packet to the broadcast address of VLAN 1. The workstation starts booting and authenticates against the RADIUS server.

I can only say that MAC Authentication Bypass is working perfectly in my TEST environment. Shortly I will try to implement it on the network of one of our customers, because he wants a cheap method for securing his switch ports.

I know, and I told the customer, that MAC authentication isn't a very powerful tool for securing the switch port, because spoofing a valid MAC address is enough to get access to the network. But MAC authentication is still better than no authentication at all. And let's face it, what are the costs: NOTHING!!!

Most companies have a Windows 2003 server where IAS can be installed, or you can use FreeRADIUS, so there are no costs on the OS. I have tried an IP Base and an IP Services IOS on the Cisco Catalyst 3750; both are working perfectly. A switch has at least an IP Base image, so no additional costs here. The only costs are made during the configuration and testing of the authentication.

Check the latest article about MAB and MDA in an IP Phone environment

ID Control

June 19th, 2008 | No Comments

Ictivity received, via an intermediary, an e-mail about strong authentication products from ID Control. Strong authentication is authentication where you need multiple factors (what you have, what you know, what you are) to actually authenticate to a system, network or something else. We, as Connectivity Consultants, were asked to look at the different products and start a discussion about them. Are they interesting for us or some of our customers??

The main focus is on three different authentication products. In this post you can read MY OPINION about the three different authentication items.

HandyID

HandyID is the leading mobile authentication method which provides a One Time Password (OTP) token-based, two-factor authentication solution on your mobile phone (handy), PDA, Blackberry and/or smart phone. HandyID turns your mobile device into a hardware token enabling a cost-effective, easy, convenient and user-friendly strong authentication solution for online banking, government and ecommerce. In combination with ID Control Server the set up and deployment is easy and fast.

Reading the text above, I am wondering what extra HandyID brings in comparison to tokens like the ones from RSA. In my opinion I only see disadvantages. According to ID Control, you can use HandyID on every mobile device. I will not run it on my device, because the Nokia I am using isn't that stable. I see crashing mobile phones, mobile phones with empty batteries and no charger nearby. I see incompatibilities with some typical applications. In general, I like the concept of HandyID, but I would prefer a decent token from RSA (RSA SecurID).

KeystrokeID

KeystrokeID is the biometric solution based on behaviour traits that are acquired over a certain time period the user is typing on his or her keyboard (versus a physiological characteristic or physical trait). KeystrokeID monitors and analyses all keyboard behaviour performed by the user during his/her access. Based on this keystroke behaviour performed in comparison to the user’s normal behaviour access is granted when this user is also authorized.

Huh?? So reading this, the keyboard is learning the way you type and grants you access based on that process. Sounds cool, but again I see a lot of customers having problems accessing the stuff they would like to access. I can imagine that KeystrokeID would work for a private secretary who finds the keys blindly on the keyboard, but what about people who cannot type that well, and what about when you are typing at night in bed, without decent light? I guess you won't type the same as during normal daytime. Summarizing, I would advise OUR customers to use KeystrokeID, because I THINK that the product brings more authentication problems than it solves.

USB Token

ID Control’s USB Token is a portable end-user authentication token that can replace user name and password for workstation, website, VPN, file, email, network, file and/or disk access security. ID Control USB Token plugs into any standard USB port and can even run without any software.

After reading the documentation about the USB Token, I can definitely imagine advising the USB Token to customers and even using one myself. The USB Token's ease of use looks much better in comparison to smart-cards or biometrics. Nowadays USB keys are in common use and the price for USB keys won't be that high. Another advantage of the USB Token is that you only need an enabled USB port on a workstation and that's it. For smart-cards and biometrics, you normally need extra equipment before you can actually use them.

The USB Token can be used for different reasons like Secure VPN Authentication, File and Disk Encryption, Web (Application) Sign-on, Secure Password Manager, Computer and Network Sign-on, Email Encryption & Signing and PKI. I would definitely use the USB Token for File and Disk Encryption and Secure Password Manager. In my line of work and our customers, I can also imagine using the USB Token for Secure VPN Authentication.

PIX / ASA – Threat Detection

June 19th, 2008 | No Comments

From software release 8.0 and later the Cisco PIX and Cisco ASA firewalls support the feature called Threat Detection. In the default configuration Basic Threat Detection is enabled on the security appliance.

Using Threat Detection the appliance monitors the rate of dropped packets and security events due to these reasons (Source):

  • Denial by access lists;
  • Bad packet format (such as invalid-ip-header or invalid tcp-hdr-length);
  • Connection limits exceeded (both system-wide resource limits, and limits set in the configuration);
  • DoS attack detected (such as an invalid SPI, Stateful Firewall check failure);
  • Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet drops in this bulleted list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.);
  • Suspicious ICMP packets detected;
  • Packets failed application inspection;
  • Interface overload;
  • Scanning attack detected;
  • Incomplete session detection such as TCP SYN attack detected or no data UDP session attack detected;

When the security appliance detects a threat a syslog message is sent. These syslog messages have the following format:

%ASA-4-733100: Object drop rate rate_ID exceeded. Current burst rate is rate_val per second, max configured rate is rate_val; Current average rate is rate_val per second, max configured rate is rate_val; Cumulative total count is total_cnt

Basic Threat Detection affects the performance of the security appliance only when there are drops or potential threats. I have monitored the CPU with Basic Threat Detection enabled and disabled in an environment with many deny hits on the outside interface, resulting from port scans and (D)DoS attacks. The performance impact on the security appliance is insignificant.

The security appliance also has the option to actively scan all traffic and shun connections if threat rates are exceeded. The security appliance tracks two types of rates:

  1. the average event rate over an interval;
  2. the burst event rate over a shorter burst interval;

More information about configuring Threat Detection can be found in the Cisco Security Appliance Command Line Configuration Guide, 8.0, more specifically in the chapter Preventing Network Attacks.

In my own experience with Cisco PIX and Cisco ASA firewalls running software release 8.0 and later, I normally disable Basic Threat Detection. I often receive questions from customers about the syslog messages generated by Basic Threat Detection. Customers always think that something is terribly wrong with the security appliance. For some customers I enabled Basic Threat Detection in conjunction with the Scanning Threat Statistics. Enabling the statistics gives you more detailed information about the discovered threat rates. The statistics can be viewed via the Firewall Dashboard when using ASDM or with various show commands using the CLI. Below is the output of the command show threat-detection rate.

                        Average(eps)    Current(eps) Trigger   Total events
10-min ACL  drop:                  1               0       0            119
21-hour ACL  drop:                  2               1       0          7556
10-min SYN attck:                  0               0       0            436
1-hour SYN attck:                  0               0       0           2863
10-min  Scanning:                 12               9   31963            721
31-hour  Scanning:                 20              11   21622         74264
10-min Bad  pkts:                  0               0       0            107
1-hour Bad  pkts:                  0               0       0            682
10-min  Firewall:                  2               1       0           1299
1-hour  Firewall:                  2               1       0           8238
10-min Interface:                 10               0       0           6314
1-hour Interface:                 10              10       0          37220

Enabling the use of statistics could have a bad influence on the performance of the PIX / ASA. Especially the memory usage can increase enormously. With Basic Threat Detection, there is also an option for actively scanning all traffic and shunning the traffic when certain thresholds are reached. Shunning the traffic is accomplished by adding a policy rule to the configuration. This rule is added to the configuration automatically and stays even after a reboot.

I talked with a Cisco engineer about this feature and he advised me not to use Basic Threat Detection with the scanning feature. The feature is rather new and needs a lot of tweaking, because this functionality can basically be compared with an Intrusion Detection and Intrusion Prevention System. The engineer also stated that the gathering of statistics can have an influence on the memory usage of the box. Therefore he also advised to only use the statistics feature in certain environments and circumstances.
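An added configuration example, not from the original post, showing the threat-detection settings the post discusses on an 8.0 appliance: basic detection (on by default), the statistics categories, and scanning-threat with and without shun. The rate values and the 10.0.0.0/24 management subnet are illustrative assumptions.

```cisco
! Added example; rate values and 10.0.0.0/24 are placeholders, not defaults.
!
! Option A: switch basic threat detection off, as the post says the author
! usually does to stop %ASA-4-733100 messages alarming customers.
no threat-detection basic-threat
!
! Option B: keep it on but raise the thresholds that fire most often
! (rate-interval in seconds, average-rate and burst-rate in events/second),
! so the messages that remain are worth a look.
threat-detection basic-threat
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
!
! Statistics: the bare "threat-detection statistics" collects every category.
! Enable only what you will actually read; host statistics grow with every
! address seen and are the part that drives the memory increase the post warns about.
threat-detection statistics access-list
!
! Scanning-threat without the shun keyword only classifies attackers and
! reports them. Adding "shun" makes the box block them on its own, which is
! what the Cisco engineer advised against; if it is ever enabled, exclude
! the management and monitoring networks first so they cannot be shunned.
threat-detection scanning-threat
! threat-detection scanning-threat shun except ip-address 10.0.0.0 255.255.255.0
!
! Verification from exec mode:
! show threat-detection rate
! show threat-detection statistics top access-list
! show threat-detection shun
```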