Cisco Press Router Security Strategies, Part 10 (ppt)

67 365 0

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Tiêu đề Cisco Press Router Security Strategies Phần 10 Ppt
Thể loại Tài liệu
Định dạng
Số trang 67
Dung lượng 6,31 MB

Các công cụ chuyển đổi và chỉnh sửa cho tài liệu này

Nội dung

config# router is-is Core config-is-is# log adjacency changes No directly comparable command exists in config# logging correlator apply-rule alarm1 location all-of-router Table C-3 Man

Trang 1

Syslog Support

Cisco IOS: logging: Configure various syslog attributes.
  (config)# logging 10.1.1.1
  (config)# logging facility local7
  (config)# logging buffered debug
  (config)# logging buffered 64000
  (config)# no logging console
  (config)# logging source-interface Loopback0

Cisco IOS XR: logging: Configure various syslog attributes.
  (config)# logging buffered 2000000
  (config)# logging buffered debug
  (config)# logging 10.1.1.1
  (config)# logging facility local7
  (config)# logging source-interface Loopback0
  (config)# logging trap debugging
  (config)# logging hostname prefix ThisRouter
  (config)# logging history warning
  (config)# logging history size 2
  (config)# logging console disable

Cisco IOS: bgp log-neighbor-changes: Enable logging of BGP neighbor status changes (up or down) and resets.
  (config)# router bgp 65001
  (config-router)# bgp log-neighbor-changes

Cisco IOS XR: bgp log neighbor changes: Enable logging of BGP neighbor status changes (up or down) and resets.
  (config)# router bgp 65001
  (config-bgp)# no bgp log neighbor changes disable
Note that the default is to log BGP neighbor changes. If logging is disabled, it may be re-enabled as shown here.

Cisco IOS: log-adjacency-changes: Enable logging of IS-IS adjacency change events and other non-IIH events.
  (config)# router is-is Core
  (config-router)# log-adjacency-changes

Cisco IOS XR: log adjacency changes: Configure the generation of a log message when an IS-IS adjacency state changes (up or down).
  (config)# router is-is Core
  (config-is-is)# log adjacency changes

Cisco IOS: No directly comparable command exists in

Cisco IOS XR:
  (config)# logging correlator apply-rule alarm1 location all-of-router

Table C-3 Management Plane Security Commands (Continued)


Management Plane Security Commands 583

TCP Support

Cisco IOS: service nagle: Enable the Nagle congestion control algorithm.
  (config)# service nagle

Cisco IOS XR: No directly comparable command exists in IOS XR. Nagle is turned on by default (on a service basis) within IOS XR and is not user-configurable.

Cisco IOS: service tcp-keepalive [in | out]: Enable TCP keepalives.
  (config)# service tcp-keepalives in
  (config)# service tcp-keepalives out

Cisco IOS XR: No directly comparable command exists in IOS XR. In Cisco IOS XR, each application decides whether to use keepalives or not. This is not user-configurable. The Telnet server sends keepalives every 5 minutes. The Telnet client does not send them. Other TCP-based protocols (BGP, SSH, etc.) have similar built-in keepalive values.

Cisco IOS XR: tcp: Configure various TCP attributes.
  (config)# tcp path-mtu-discovery age-timer 30
  (config)# tcp window-size 32768
  (config)# tcp synwait-time 5

Cisco IOS XR:
  (config)# ssh client

Cisco IOS: To configure a router for SSH, a host name and domain name must first be specified. In addition, an RSA key pair must be generated.
  (config)# hostname RouterA
  (config)# ip domain-name cisco.com
  (config)# crypto key generate rsa

Cisco IOS XR: SSH Version 2 (SSHv2) uses Digital Signature Algorithm (DSA) keys. To configure a router for SSH, a host name and domain name must first be specified. In addition, a DSA key pair must be generated.
  (config)# hostname RouterA
  (config)# domain-name cisco.com
  (config)# exit
  # crypto key generate dsa


HTTP/HTTPS Support

Cisco IOS: ip http: Configure various HTTP server attributes. IOS 12.0S does not support

Cisco IOS XR: http server: Configure various HTTP server attributes. IOS XR supports running HTTP over SSL when enabled.
  (config)# http server ssl access-group NOC

Cisco IOS: Note that the FTP feature is being removed from IOS 12.0S and the above functionality should be replaced by the Secure Copy (SCP) feature.

Cisco IOS XR: ftp: Configure various FTP attributes.
  (config)# ftp client anonymous-password s3cr3t
  (config)# ftp client source-interface Loopback0

Cisco IOS XR: tftp: Configure various TFTP attributes.
  (config)# tftp ipv4 server access-list NOC homedir disk0
  (config)# tftp client source-interface Loopback0

Cisco IOS: ip scp server enable: Configure the Secure Copy functionality.
  (config)# ip scp server enable
Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the router.

Cisco IOS XR: SFTP is a feature that provides a secure and authenticated method for copying router configuration or router image files. The SFTP client functionality is provided as part of the SSH component and is always enabled on the router. No additional configurations are required beyond SSH, authentication, and authorization in order to use SFTP services.


Cisco IOS XR: rcp: Configure various rcp attributes.
  (config)# rcp client source-interface Loopback0
  (config)# rcp client username netadmin1

VTY/Console/Aux Line Support

Line Console Commands (Cisco IOS) / Line Console Commands (Cisco IOS XR)
Cisco IOS: line con 0: Configure various console line
Cisco IOS XR: line vty 0 4: Configure various terminal line

Line Auxiliary Port Commands (Cisco IOS) / Line Template Commands (Cisco IOS XR)
Cisco IOS: line aux 0: Configure various auxiliary port
Cisco IOS XR: Note that the line template command replaces the deprecated aux command.


Banner Support

Cisco IOS: banner exec: Define a customized banner that is displayed whenever the EXEC process is initiated.
Cisco IOS: banner incoming: Define a customized banner that is displayed when there is an incoming connection to a terminal line from a host on the network.
Cisco IOS: banner login: Define a customized banner that is displayed before the username and password login prompts.
Cisco IOS: banner motd: Define a customized message-of-the-day banner.
  (config)# banner motd “
  Unauthorized Access Is Prohibited
  Contact support: 800.555.1212

Cisco IOS XR: banner exec: Define a customized banner that is displayed whenever the EXEC process is initiated.
Cisco IOS XR: banner incoming: Define a customized banner that is displayed when there is an incoming connection to a terminal line from a host on the network.
Cisco IOS XR: banner login: Define a customized banner that is displayed before the username and password login prompts.
Cisco IOS XR: banner motd: Define a customized message-of-the-day banner.
Cisco IOS XR: banner prompt-timeout: Define a customized banner that is displayed when there is a login timeout.
  (config)# banner motd “ Unauthorized Access Is Prohibited Contact support: 800.555.1212


NetFlow Support

Cisco IOS: ip [flow-export | flow-sampling-mode]: Configure various NetFlow attributes.
  (config)# ip flow-export version 9
  (config)# ip flow-export destination 10.10.10.1 9999
  (config)# ip flow-sampling-mode packet-interval 100

Cisco IOS XR: flow: Configure various NetFlow attributes.
  (config)# sampler-map Sample1
  (config-sm)# random 1 out-of 1
  (config-sm)# exit
  (config)# flow exporter-map FlowEx1
  (config-fem)# version v9
  (config-fem-ver)# options interface-table timeout 120
  (config-fem-ver)# options sampler-table timeout 120
  (config-fem-ver)# template timeout 30
  (config-fem-ver)# template data timeout 30
  (config-fem-ver)# template options timeout 30
  (config-fem-ver)# exit
  (config-fem)# transport udp 9999
  (config-fem)# source TenGigE0/2/0/0
  (config-fem)# destination 10.10.10.1
  (config-fem)# exit
  (config)# flow monitor-map FlowMon1
  (config-fmm)# cache permanent
  (config-fmm)# record ipv4-raw
  (config-fmm)# exporter FlowEx1
  (config-fmm)# exit

IP Route-Cache Commands (Cisco IOS) / Interface Flow Commands (Cisco IOS XR)
Cisco IOS: ip route-cache flow [input | output | sampled]: Configure NetFlow on the selected interface.
  (config)# interface POS0/0
  (config-if)# ip route-cache flow input
  (config-if)# exit


Fault Services Support

Embedded Event Manager Commands (Cisco IOS) / Fault Manager Commands (Cisco IOS XR)
Cisco IOS: event manager: Configure various Embedded Event Manager (EEM)
  Line protocol on Interface Loopback10, changed state to down

Cisco IOS XR: fault manager: Configure various Fault Manager attributes.
  (config)# fault manager environment _cron_entry 0-59/2 0-23/1 * * 0-7
  (config)# fault manager environment _email_server alpha@cisco.com
  (config)# fault manager environment _email_from beta@cisco.com
  (config)# fault manager environment _email_to beta@cisco.com
  (config)# fault manager environment _email_cc
  (config)# fault manager directory disk1:user_policy_dir
  (config)# fault manager policy gw2_proc_avail.tcl username Bob
  (config)# fault manager policy term0_diag_cmds.tcl username Bob

IP Source Tracker

Cisco IOS: ip source-track: Gather information about traffic flows to a host that is suspected of being under attack.
  (config)# ip source-track address-limit 2
  ! configure syslog interval (minutes)
  (config)# ip source-track syslog-interval 2
  ! configure export interval (seconds)
  (config)# ip source-track
  # show ip source-track export flows
Caveat: IP Source Tracker supports native IPv4 packets only, not MPLS encapsulated IPv4 packets.

Cisco IOS XR: No directly comparable command exists in IOS XR. IP Source Tracker is not available in IOS XR at the time of this writing. Similar capabilities are provided by telemetry-based instrumentation such as NetFlow data export and other management plane tools.


Global Process Controls

Cisco IOS: scheduler allocate {interrupt-time} {process-time}: Configure guaranteed CPU time for processes (in microseconds).
  (config)# scheduler allocate 4000 400

Cisco IOS XR: There is no equivalent configuration in IOS XR. IOS XR uses a microkernel architecture and underlying Real Time Operating System (RTOS) design that is preemptive, and the scheduler is priority based. This ensures that context switching between processes is very fast, and the highest-priority threads always have access to the CPU when required.

Cisco IOS: boot system flash: Specify the system image to boot at startup.
  (config)# boot system flash disk0:gsr-k4p-mz.120-27.S5.bin

Cisco IOS XR: There is no equivalent configuration in IOS XR.

Cisco IOS: memory free low-watermark processor {threshold}: Configure a router to issue a syslog message when available memory falls below the specified threshold.
  (config)# memory free low-watermark processor 100000

Cisco IOS XR: No directly comparable command exists in IOS XR. Similar functionality is accomplished with IOS XR Fault Manager.

Process CPU Threshold Command
Cisco IOS: process cpu threshold: Configure the router to issue a syslog message when configured CPU utilization thresholds are crossed.
  (config)# process cpu threshold type total rising 30 interval 5 falling 20 interval 5

Cisco IOS XR: No directly comparable command exists in IOS XR. Similar functionality is accomplished with IOS XR Fault Manager.


Service Commands

Cisco IOS: service password-encryption: Enable encrypted password storage.
  (config)# service password-encryption

Cisco IOS XR: No such configuration. Passwords are always encrypted in IOS XR.

Service Compress Config Command
Cisco IOS: service compress-config: Compress startup configuration files.
  (config)# service compress-config

Cisco IOS XR: No such configuration. IOS XR has a different configuration file management model.

Cisco IOS: no service pad: Disable the X.25 packet assembler/disassembler (PAD) service. (Enabled by default.)
  (config)# no service pad

Cisco IOS XR: No such configuration. IOS XR does not support PAD.

Service tcp-small-servers Command (Cisco IOS) / Service ipv4 tcp-small-servers Command (Cisco IOS XR)
Cisco IOS: no service tcp-small-servers: Disable the minor TCP servers for Echo, Discard, Chargen, and Daytime services. When disabled, IOS discards the initial incoming packet (TCP SYN request) and sends a TCP RST packet to the source. (Enabled by default.)
  (config)# no service tcp-small-servers

Cisco IOS XR: no service ipv4 tcp-small-servers: Disable the minor TCP servers for Echo, Discard, and Chargen services. TCP small-servers are disabled by default.
  (config)# no service ipv4 tcp-small-servers

Service udp-small-servers Command (Cisco IOS) / Service ipv4 udp-small-servers Command (Cisco IOS XR)
Cisco IOS: no service udp-small-servers: Disable the minor UDP servers for Echo, Discard, and Chargen services. When disabled, IOS discards the initial incoming packet and sends an ICMP Port Unreachable message (Type 3, Code 3) to the source. (Enabled by default.)
  (config)# no service udp-small-servers

Cisco IOS XR: no service ipv4 udp-small-servers: Disable the minor UDP servers for Echo, Discard, and Chargen services. UDP small-servers are disabled by default.
  (config)# no service ipv4 udp-small-servers

Service Timestamp Commands
Cisco IOS: service timestamps debug: Configure the system to apply a time stamp to debugging messages.
  (config)# service timestamp debug datetime msec localtime

Cisco IOS XR: service timestamps debug: Configure the system to apply a time stamp to debugging messages.
  (config)# service timestamp debug datetime msec localtime

Cisco IOS: service timestamps log: Configure the system to apply a time stamp to system logging messages.
  (config)# service timestamp log datetime msec localtime

Cisco IOS XR: service timestamps log: Configure the system to apply a time stamp to system logging messages.
  (config)# service timestamp log datetime msec localtime
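The service, logging and small-server rows of this table can be checked mechanically against a saved configuration. The Python below is an added example (not code from the book): it parses an IOS running-config and reports every Table C-3 recommendation it does not meet, including the BOOTP, CDP, DNS-lookup and finger rows that follow. The sample configuration, router names and addresses are constructed for the example.

```python
"""Audit a saved Cisco IOS running-config against the global hardening
commands listed in Table C-3 (small servers, PAD, finger, BOOTP, CDP, DNS
lookup, password encryption, timestamps, syslog host, routing-protocol
logging).  Added example; not code from the book.

The point behind the table's "(Enabled by default.)" notes: IOS omits
default settings from `show running-config`, so a default-on service is
still ON unless its explicit `no ...` line is present, and a default-off
feature is still OFF unless its line is present.  The audit therefore
tests for the presence of the exact lines the table recommends."""
import re
from typing import List, Tuple

# Constructed sample config (not from the book): only partially hardened.
SAMPLE_CONFIG = """\
version 12.0
service timestamps log datetime msec localtime
service password-encryption
hostname RouterA
!
ip domain-name cisco.com
no ip bootp server
!
interface Loopback0
 ip address 10.1.1.2 255.255.255.255
!
router bgp 65001
 neighbor 10.1.1.1 remote-as 65001
!
router isis Core
 log-adjacency-changes
!
logging 10.1.1.1
logging source-interface Loopback0
no logging console
!
line vty 0 4
 transport input ssh
!
end
"""

# (pattern the config must contain, finding reported when it is absent)
EXPECTED_GLOBAL: List[Tuple[str, str]] = [
    (r"^no service tcp-small-servers$",
     "minor TCP servers (Echo/Discard/Chargen/Daytime) enabled by default"),
    (r"^no service udp-small-servers$",
     "minor UDP servers (Echo/Discard/Chargen) enabled by default"),
    (r"^no service pad$", "X.25 PAD service enabled by default"),
    (r"^no service finger$", "finger service not disabled"),
    (r"^no ip bootp server$", "BOOTP service enabled by default"),
    (r"^no cdp run$", "CDP enabled by default"),
    (r"^no ip domain-lookup$", "DNS hostname translation not disabled"),
    (r"^service password-encryption$", "stored passwords not encrypted"),
    (r"^service timestamps log datetime", "syslog messages not time-stamped"),
    (r"^service timestamps debug datetime", "debug messages not time-stamped"),
    (r"^logging (host )?\d{1,3}(\.\d{1,3}){3}$", "no remote syslog host configured"),
]


def parse_ios_config(text: str) -> List[Tuple[str, List[str]]]:
    """Split a config into (top-level line, [sub-mode lines]) blocks.
    IOS indents the children of a mode-entering command (router bgp,
    interface, line ...) by one space, so indentation recovers the structure."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue                      # blank line or comment separator
        if line[0].isspace():
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks


def audit_ios_config(text: str) -> List[str]:
    """Return one finding per Table C-3 recommendation that is not met."""
    blocks = parse_ios_config(text)
    top_level = [line for line, _ in blocks]
    findings = [finding for pattern, finding in EXPECTED_GLOBAL
                if not any(re.match(pattern, line) for line in top_level)]
    # Routing-protocol change logging only applies when the process exists.
    for line, children in blocks:
        if line.startswith("router bgp") and "bgp log-neighbor-changes" not in children:
            findings.append(f"{line}: bgp log-neighbor-changes not set")
        if line.startswith(("router isis", "router is-is")) and \
                "log-adjacency-changes" not in children:
            findings.append(f"{line}: log-adjacency-changes not set")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print("MISSING:", finding)
```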

Other Global Security Best Practices

Cisco IOS: no service finger: Newer versions of IOS 12.0S may also use this form of the command to disable the finger service.
  (config)# no service finger

Cisco IOS: no ip bootp server: Disable the Bootstrap Protocol (BOOTP) service. (Enabled by default.)
  (config)# no ip bootp server

Cisco IOS XR: No such configuration. IOS XR does not support the BOOTP service.

Logging Console Command (Cisco IOS) / Logging Console Command (Cisco IOS XR)
Cisco IOS: no logging console: Disable the logging of messages to the console terminal.
  (config)# no logging console

Cisco IOS XR: logging console disable: Disable the logging of messages to the console terminal.
  (config)# logging console disable

Cisco IOS: no cdp run: Disable Cisco Discovery Protocol (CDP) globally. (Enabled by
  (config-if)# no cdp

IP Domain-Name Command (Cisco IOS) / Domain Lookup Command (Cisco IOS XR)
Cisco IOS: no ip domain-lookup: Disable Domain Name System hostname translation.
  (config)# no ip domain-lookup

Cisco IOS XR: domain lookup disable: Disable Domain Name System hostname translation.
  (config)# domain lookup disable

Services Plane Security Commands

Services plane-specific commands refer to those commands that configure, directly or indirectly, security features within services plane functions such as MPLS VPN TTL propagation, VRF maximum prefix limits, and many others. Obviously, it is not possible to list every services plane command here. Only those used within this book are included, but many others exist. Table C-4 lists Cisco IOS commands and their Cisco IOS XR counterparts, if any, along with a short example of how each command is used.

Table C-4 Services Plane Security Commands

MPLS-Related Commands

VRF Maximum Route Command (Cisco IOS) / VRF Maximum Prefix Command (Cisco IOS XR)
Cisco IOS: maximum routes {limit} {threshold | warn-only}: Configure limits on the maximum number of routes that a VRF instance can import to prevent a PE router from exhausting memory resources. The optional threshold value specifies the percentage of the maximum argument value at which an SNMP trap is generated.
  (config)# ip vrf Customer-A
  (config-vrf)# maximum routes 5000 80
  (config-vrf)#

Cisco IOS XR: maximum prefix {limit} {threshold}: Configure limits on the maximum number of prefixes that a VRF instance can import. The optional threshold value specifies the percentage of the maximum argument value at which an SNMP trap is generated.
  (config)# vrf Customer-A
  (config-vrf)# address-family ipv4 unicast
  (config-vrf-af)# maximum prefix 10000 80
  (config-vrf-af)#

MPLS TTL Propagate Command (Cisco IOS) / MPLS TTL Propagate Command (Cisco IOS XR)
Cisco IOS: no mpls ip propagate-ttl [forwarded]: Disable the propagation (copying) of the IP TTL into the MPLS label header. Instead, set the initial MPLS TTL value to 255. By default, the IP TTL value is propagated to the MPLS header TTL field when IP packets enter the MPLS domain. Within the MPLS domain, the MPLS TTL is decremented at each MPLS hop. When an MPLS encapsulated IP packet exits the MPLS domain, the MPLS TTL is propagated to the IP header if (and only if) the MPLS TTL is less than the IP TTL. When propagation is disabled, the MPLS TTL is set to 255 during label imposition and the IP TTL is not altered.
  (config)# no mpls ip propagate-ttl forwarded

Cisco IOS XR: mpls ip-ttl-propagate disable: Disable the propagation (copying) of the IP TTL into the MPLS label header. Instead, set the initial MPLS TTL value to 255. The default behavior, the per-hop decrement within the MPLS domain, the copy-back rule at the MPLS domain exit, and the effect of disabling propagation are the same as described for Cisco IOS above.
  (config)# mpls ip-ttl-propagate disable
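The TTL rules in this row determine what a customer sees when tracing a path across the provider core. The simulation below is an added example (not the book's code): it applies the imposition, per-hop decrement and copy-back rules from the row to a constructed CE-PE-P-P-PE-CE path and compares the traceroute view with propagation enabled and disabled. The router names and the assumption that the egress PE (not a penultimate hop) pops the label are mine.

```python
"""Simulate the TTL handling described for `no mpls ip propagate-ttl`
(IOS) / `mpls ip-ttl-propagate disable` (IOS XR).  Added example, not
from the book; topology and names are constructed.

Rules applied (from the table row):
  - imposition at the ingress PE: MPLS TTL = IP TTL, or 255 when disabled
  - every MPLS hop decrements the MPLS TTL
  - at the MPLS domain exit the MPLS TTL is copied into the IP header
    if (and only if) it is smaller than the IP TTL
Both PEs are also ordinary IP hops for the customer packet, so each
decrements the IP TTL once (standard IP forwarding, my assumption)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed path: CE1 -> PE1 (ingress LSR) -> P1 -> P2 -> PE2 (egress) -> CE2
INGRESS, CORE, EGRESS, DEST = "PE1", ["P1", "P2"], "PE2", "CE2"


@dataclass
class Packet:
    ip_ttl: int
    mpls_ttl: Optional[int] = None   # None while the packet carries no label


def forward(initial_ttl: int, propagate_ttl: bool) -> str:
    """Return the node at which a probe with this IP TTL expires, or DEST."""
    pkt = Packet(ip_ttl=initial_ttl)
    # Ingress PE: IP hop, then label imposition.
    pkt.ip_ttl -= 1
    if pkt.ip_ttl == 0:
        return INGRESS
    pkt.mpls_ttl = pkt.ip_ttl if propagate_ttl else 255
    # Core LSRs only ever touch the label TTL.
    for lsr in CORE:
        pkt.mpls_ttl -= 1
        if pkt.mpls_ttl == 0:
            return lsr
    # Egress PE: last MPLS hop, pop, copy-back rule, IP hop.
    pkt.mpls_ttl -= 1
    pkt.ip_ttl -= 1
    if pkt.mpls_ttl < pkt.ip_ttl:
        pkt.ip_ttl = pkt.mpls_ttl        # the MPLS domain's hops become visible
    pkt.mpls_ttl = None
    if pkt.ip_ttl == 0:
        return EGRESS
    return DEST


def traceroute(propagate_ttl: bool, max_hops: int = 30) -> List[str]:
    """Nodes that answer successive probes (TTL 1, 2, ...) from CE1."""
    seen: List[str] = []
    for ttl in range(1, max_hops + 1):
        node = forward(ttl, propagate_ttl)
        seen.append(node)
        if node == DEST:
            break
    return seen


def hidden_by_disabling_propagation() -> List[str]:
    """Core routers that appear only when TTL propagation is enabled."""
    shown = set(traceroute(False))
    return [n for n in traceroute(True) if n not in shown]


if __name__ == "__main__":
    print("propagation enabled :", " -> ".join(traceroute(True)))
    print("propagation disabled:", " -> ".join(traceroute(False)))
    print("hidden core hops    :", hidden_by_disabling_propagation())
```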

Cisco IOS: mpls ldp advertise-labels: Control the distribution of locally assigned (incoming) labels by means of label distribution protocol (LDP).
  (config)# ip access-list standard

Cisco IOS XR: label advertise: Control the distribution of locally assigned (incoming) labels by means of LDP.
  (config)# ipv4 access-list pfx_acl_1
  (config-ipv4-acl)# permit 10.101.0.0
  (config-ipv4-acl)# permit 10.221.0.0
  (config)# mpls ldp
  (config-ldp)# label advertise
  (config-ldp-lbl-advt)# disable
  (config-ldp-lbl-advt)# for pfx_acl_1

Cisco IOS: mpls ldp neighbor labels accept: Configure a label switching router (LSR) to filter LDP inbound label bindings from a particular LDP peer.

Cisco IOS XR:
  (config-ldp-lbl-acpt)# for pfx_acl_2 from 2.2.2.2
  (config-ldp-lbl-acpt)# for pfx_acl_3 from 3.3.3.3

Interface MTU-Related Commands

Cisco IOS: mtu {value}: Configure the interface Layer 2 MTU value. This Layer 2 command applies to any upper-layer protocols transmitted on the interface (such as IP, MPLS, ARP, and so on).
  (config)# interface POS0/0
  (config-if)# mtu 4474

Cisco IOS XR: mtu {value}: Configure the interface Layer 2 MTU value. This Layer 2 command applies to any upper-layer protocols transmitted on the interface (such as IP, MPLS, ARP, and so on).
  (config)# interface POS0/0/0/0
  (config-if)# mtu 4474

Cisco IOS: ip mtu {value}: Configure the maximum transmission unit (MTU) size of IP packets (only) sent on an interface. The maximum MTU size that can be set on an interface depends on the interface medium. The router will fragment any IP packet that exceeds the MTU set for the interface.
  (config)# interface POS0/0
  (config-if)# ip mtu 1300

Cisco IOS XR: ipv4 mtu {value}: Configure the MTU size of IPv4 packets sent on an interface. The maximum MTU size that can be set on an interface depends on the interface medium. The router will fragment any IPv4 packet that exceeds the MTU set for the interface.
  (config)# interface POS0/0/0/0
  (config-if)# ipv4 mtu 1300

Further Reading

Converting Cisco IOS Configurations to Cisco IOS XR Configurations, Release 3.4. Cisco Documentation. http://www.cisco.com/en/US/products/ps5845/

Converting Cisco IOS Configurations to Cisco IOS XR Configurations, Release 3.4. Cisco Documentation. http://www.cisco.com/en/US/partner/products/ps5845/products_technical_reference_book09186a00806b9204.html

Appendix D

Security Incident Handling

Chapter 2 outlined many threats against IP (and L2 Ethernet) networks. Chapters 4 through 7 described a wide variety of techniques available to mitigate these threats. Although this book focuses on IP network traffic plane security, many other threats exist that aim to exploit vulnerabilities in host operating systems and application software. Hence, network operational security must consider both network-based attacks and host-based attacks.

This appendix focuses on security incident handling; that is, the method by which you prepare for and respond to active host-based or network-based attacks. The industry best common practice (BCP) for incident response handling includes a six-phase approach, which is described here. In addition, this appendix provides a brief summary of Cisco product security and several industry incident response teams and network operators’ groups.

Security operators are also recommended to consider building their own security operations center (SOC). This appendix does not cover SOC designs or operations. More information on this topic can be found in the Cisco white paper “How to Build a Cisco Security Operations Center,” available on Cisco.com. For more information on security incident handling, see the “Further Reading” list at the end of the appendix.

Six Phases of Incident Response

Malware, including viruses, worms, and distributed DoS attacks, may adversely impact legitimate traffic flows and network infrastructure, including the wider Internet, within minutes or even seconds. Consequently, the speed with which you recognize and respond to attacks is critical to minimizing the impact of an attack. When an effective incident response plan is not available, networks are at increased risk.

To reduce incident response times, you must proactively establish incident response procedures within an operational security framework, as opposed to simply reacting to events. This also requires monitoring for security events so that attacks can be quickly detected. The industry BCP for incident response handling includes a six-phase approach, which is illustrated in Figure D-1. In adopting these phases (or steps) within your security operations framework, you may significantly reduce response times and improve the mitigation effectiveness against attacks. In addition, this six-phase approach has proven capable of serving well for addressing both existing and emerging threats.


Figure D-1 Six Phases of Incident Response

[Figure D-1 is not reproduced. Its labels read: What tools can you use? What’s your process for communication? Classification: What kind of attack is it? Traceback: Where is the attack coming from? Where and how is it affecting the network? What other current network problems are related? Reaction: What options do you have to remedy? Which option is the best under the circumstances? Post Mortem: What was done? Can anything be done to prevent it? How can it be less painful in the future?]

Let’s review each of these six phases.

Understand the Threats

As outlined in Chapter 2, there are a variety of methods by which attackers may target IP networks and devices. Further, threats may differ due to the variety of IP networks deployed, including product mix, network topology, traffic behavior, and organizational mission (for example, SP versus enterprise). Understanding the threats against your specific network will help you to assess your risk, mitigate the risk to acceptable levels, and classify attacks once detected.

Deploy Defense in Depth and Breadth Security Strategies

IP routers and network devices today support a wide variety of security mechanisms to detect, prevent, and mitigate attacks, as outlined in Chapters 4 through 7. These mechanisms must be proactively deployed, however, because implementing them in the midst of an attack may place the network at even greater risk given the potential for unintended consequences such as misconfiguration errors and collateral damage. For example, implementing certain features may cause router performance degradation. When this is not well understood, implementing a feature in the midst of an attack without prior understanding of feature impact can cause more problems than the attack itself.

Performance impacts, if any, depend on different factors, as outlined in Chapters 1 and 3. Therefore, to harden the network infrastructure and minimize the risk of an attack (as well as harmful side effects resulting from reactive configuration changes), defense in depth and breadth strategies should be proactively deployed. An example of where this is critical is preprovisioning, testing, and establishing a usage procedure for the mechanisms required to implement remotely triggered black hole (RTBH) filtering (such as deploying a static route to Null0 on all edge routers and deploying a BGP trigger router as described in Chapter 4). Deploying up-to-date software versions that include fixes for disclosed security vulnerabilities is another proactive step you should take to mitigate the risk of known vulnerabilities.

When emergency software upgrades are required, understanding available flash and dynamic memory as well as having prepared procedures for performing upgrades reduces the risk of errors and collateral damage. Understandably, deploying infrastructure security can be difficult because it affects many network devices, each of which potentially has its own limitations and platform-specific dependencies. Further, there is a cost associated with deploying security measures, which may include administrative overhead, operational inconvenience, and router scale and performance impacts. The cost of applying security measures needs to be weighed against the potential risks. Organizations (not just security operators) must understand the risks and the cost of applying security measures to mitigate the risk to acceptable levels.

Establish Well-Defined Incident Response Procedures

As previously described, you should prepare the network in advance with any preconfigurations necessary for attack mitigation, as opposed to configuring in real time during an incident. Once you have done so, it is then imperative that you establish a playbook that defines the roles and responsibilities of everyone on the incident response team. Well-defined procedures must be established and training drills must be conducted. This not only helps people understand their roles, but brings to light any areas of question, allowing for procedural modifications where required. Further, these incident response procedures must consider the associated performance impact, if any, of enabling a security feature for all applicable network equipment before deploying it. Without knowing the performance impacts, if any, applying a mitigation technique such as an ACL, for example, may actually have a more adverse impact on the network than the attack itself. The established incident response procedures must take these factors into consideration as previously stated.


Establish an Incident Response Team

Because security attacks threaten network availability, the incident response team should include both network and security operators. They must be well trained and versed in their roles during times of attack. Once attacks occur, it is too late to begin identifying who is doing what, where, and when. The incident response team owns the six phases of incident response and is responsible for executing against each of them. Further, the incident response team should also maintain contact information for all external network peers. Many attacks are sourced from external networks. Hence, it is important to maintain emergency contact information and understand how they may be able to assist in attack mitigation. For SPs, an Inter-NOC (INOC) Dial-By-ASN (DBA) Hotline is also available to facilitate real-time communication among the SP community. For more information, refer to http://www.pch.net/inoc-dba/ and http://www.pch.net/technology/operations.php#3.

Identification

In order to mitigate an attack, it must first be detected and identified. Detection requires visibility into network activity, threats, and traffic patterns. Without such network visibility, you are left with an incomplete view of network traffic and events. This significantly increases the time to repair (or mitigate) depending upon the root cause diagnosis. As stated in the previous section, detection time is critical to containing the impact of an attack.

IP routers support a wide variety of tools that provide network visibility and anomaly detection, as outlined in Chapter 6. These include but are not limited to SNMP polling and traps, syslog messaging, NetFlow telemetry, and various other router health statistics such as those related to CPU and memory utilization and feature performance. Such network telemetry is considered a network security best practice and should be defined and deployed as part of the preparation phase previously outlined.

Further, to detect network anomalies and potential security events, you must first understand the baseline network activity and traffic patterns during normal network operating conditions. The comparison of real-time network conditions against the established baseline is the very nature of the identification phase. For more information on network telemetry and event identification, refer to the Cisco Networkers 2005 session SEC-2102 entitled “Detection and Classification of Network Traffic.”

Classification

Classification provides the context for further action (in other words, the traceback and reaction phases, discussed next) once a network fault or anomaly is identified. Network events may be caused by any number of sources, as outlined in Chapter 2, including both intentional and unintentional threats. Classification is about diagnosing the problem cause, severity, and scope of the threat. For example, does the threat affect a single device or the wider network infrastructure, and what damage is it causing? Classification also relies on network telemetry to gain network visibility. Whereas the previous identification phase collects and establishes trends for network activity and traffic patterns, the classification phase correlates the observed network activity and events in order to isolate problem cause and determine a root cause.

IP routers support a wide variety of tools that facilitate source identification and traceback of an attack, including but not limited to classification ACLs, NetFlow, IP Source Tracker, and the ICMP backscatter traceback technique. If an attack originates externally, then it must be traced back to the point(s) of ingress at the network edge. Once it has been traced back to your network edge, the pre-established contacts with your peer networks (as discussed earlier in the section “Establish an Incident Response Team”) become useful for gaining mitigation support from external peer networks. Traceback must also consider whether multiple paths exist to the external peer from which the attack originates.

Reaction

Once an attack has been identified, classified, and traced back to the source(s), you may need to explicitly mitigate it. If the attack is insignificant or inconsequential, you may decide not to do anything. Chapters 4 through 7 describe a variety of mechanisms to protect and mitigate attacks against IP networks and IP routers. No single technique can be identified as the best approach to mitigate all of the many different threats. The effectiveness of each technique is dependent on specific network environments such as product mix, network topology, traffic behavior, and organizational mission. Nevertheless, you should avoid deploying techniques that have not been previously defined within the established incident response procedures documented during the preparation phase previously described. Without understanding the potential impacts, if any, applying a mitigation technique may make the problem worse. Further, attacks should be mitigated as close to the source or ingress point(s) as possible. Otherwise, a mitigated attack may still have the potential to cause collateral damage on intermediate network devices.


Cisco Product Security

The Cisco Product Security Incident Response Team (PSIRT) is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability-related information related to Cisco products and networks. PSIRT works with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks. Responses can range from Release Note Enclosures (RNE), which are visible to customers via BugToolkit on Cisco.com, to Security Advisories, depending upon a number of factors. Anyone who has a product security issue is strongly encouraged to contact PSIRT directly.

To report security-related bugs in Cisco products, or to get assistance with security incidents involving Cisco products, send an e-mail to psirt@cisco.com for nonemergency issues or security-alert@cisco.com for urgent matters. Cisco PSIRT may also be contacted via the PSIRT Security Hotline by dialing 877 228-7302 or 408 525-6532. Alternatively, if you are under active security attack or have more general security concerns about your Cisco network, you can contact the Cisco Technical Assistance Center at 408 526-7209, 800 553-2447, or by locating country-specific contact information. Cisco worldwide contact information is available at http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml. The technical support agents will escalate to the proper PSIRT personnel to assist you. For more information, refer to the following section, "Cisco Security Vulnerability Policy."

Cisco Security Advisories are available via the following methods:

• Cisco's Internet web portal at http://www.cisco.com/en/US/products/products_security_advisories_listing.html.

• E-mail via cust-security-announce@cisco.com. Anyone interested may subscribe to this e-mail list using the procedures described in the "Subscribing to the Customer Security Announce Mailing List" section of the Cisco Security Vulnerability Policy, described in the following section.

• PSIRT RSS feeds available via Cisco.com. These feeds are free and do not require any active Cisco.com registration. Information for subscribing to RSS feeds is found at http://www.cisco.com/en/US/products/products_psirt_rss_feed.html.

Major Cisco Security Announcements are also available at http://www.cisco.com/security/announcements.html.


Cisco Security Vulnerability Policy

Cisco's policy for receiving and responding to product and service security vulnerabilities is posted at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.

Cisco Computer and Network Security

If you want to report a computer or network security-related incident involving the Cisco corporate network, please contact the Cisco Computer Security Incident Response Team (CSIRT) by sending an e-mail to infosec@cisco.com.

Cisco Safety and Security

To report an issue or inquire about Cisco's safety and physical security program, including the protection of company employees, property, and information, please call 408 525-1111 or send an e-mail to safetyandsecurity@cisco.com.

Cisco IPS Signature Pack Updates and Archives

Cisco IPS Active Update Bulletins are posted at http://www.cisco.com/security.

Cisco Security Center

Visit the Cisco Security Center site for information on emerging threats and the Cisco network IPS signatures available to protect your network The Cisco Security Center is available at http://www.cisco.com/security/center/home.x.

You can also find Cisco Applied Intelligence Response documents at the Cisco Security Center site. Cisco Applied Intelligence Responses (AIRs) provide identification and mitigation techniques that can be deployed on Cisco network devices. As applicable, Cisco IOS access control lists, Cisco Intrusion Prevention System (IPS) signatures, Control Plane Policing, and firewall rules are among the techniques discussed in an AIR.

Cisco IntelliShield Alert Manager Service

Cisco Security IntelliShield Alert Manager Service provides a comprehensive, effective solution for delivering the intelligence that organizations need to identify, prevent, and quickly mitigate IT attacks. IntelliShield Alert Manager Service is a customizable, web-based threat and vulnerability alert service that allows security staff to easily access timely, accurate, and credible information about vulnerabilities that may affect their environments, without conducting time-consuming research. Registration is required. For more information, refer to http://www.cisco.com/en/US/products/ps6834/serv_group_home.html.

Cisco Software Center

The latest Cisco software is posted to the Cisco Software Center at http://www.cisco.com/kobayashi/sw-center/. Access requires a Cisco.com username and password.

Industry Security Organizations

There are a number of leading industry and government security organizations that help the industry and the Internet community deal effectively with emerging security threats. Contact information for Computer Security Incident Response Teams (CSIRTs) that have responsibility for an economy or country is available at http://www.cert.org/csirts/national/contact.html. An interactive map is also available at http://www.cert.org/csirts/national/ to locate CSIRTs around the world with national responsibility.

Industry forums include but are not limited to the following:

• CERT/CC (Computer Emergency Response Team/Coordination Center)


• SANS (SysAdmin, Audit, Network, Security) Institute

Regional Network Operators Groups

In addition to the industry security associations, a number of leading industry operator forums help the industry and regional Internet communities deal effectively with network operational issues, including operational security (OPSEC). Many have regular meeting forums, Internet portals, and e-mail mailing lists that offer open participation to all interested parties.

• AFNOG (African Network Operators’ Group)


• MENOG (Middle East Network Operators Group)


aaa accounting command, 328

aaa authentication command, 328

aaa authorization command, 328

aaa command, 579

aaa new-model command, 322, 328

aaa new-model configuration, 422, 439

access control entries See ACE

access control lists See ACLs

CsC, 373

data plane security, 147–156

IKE, 387

IPsec VPN access control, 393

MPLS VPN case study, 481

IP options, filtering, 177

packets, defining classification, 244–247

PACLs, 212

aCoPP (aggregate CoPP) deployment, 260–261, 564

activation of rACLs, 233–234

Address Resolution Protocol See ARP

addresses, 545, 548

attacks, 76

bogon, 161

broadcast, 231

destination, 508

limiting, 239–240

trigger routers, 196

feasible uRPF, 167

loose mode uRPF, 161–163

MAC, 545

dynamically, 208

static, 208

sticky, 208

traffic blocking, 209

Martian, 76, 162

NAT, data plane security, 201–203

networks, 231

next-hop Layer 2, 39

private networks, 76, 162

reflectors, 74

source, 507, 545, 548

limiting, 237–239


strict mode uRPF, 157–161

VRF, 163–166

adjacency tables, 45–46

Advanced Encryption Standard (AES), 378

Advanced Technology Attachment (ATA), 319

advertise passive-only command, 571

AES (Advanced Encryption Standard), 378

AFNOG (African Network Operators’ Group),

Cisco IOS XR Software, 59

data plane security, 200–207

P routers, 370–372

PE routers, 365–370

QoS, 350–351

SSL VPN, 395–396

video services, 397–398

VoIP, 396–397

applying interface ACLs, 148

APRICOT (Asia Pacific Regional Internet Conference on Operational Technologies), 605

architecture

ACLs, 152

centralized ASIC-based, 52–54

centralized CPU-based, 50–51

distributed ASIC-based, 56–62

distributed CPU-based, 54–56

enterprise networks, 8

in-band, 300–301

IP router types, 50–62

MPLS VPN, 335–341

out-of-band, 300–301

security, enabling, 122

service provider networks, 10

area {area} authentication message-digest command, 572

area authentication message-digest command, 272

area sham-link ttl-security command, 277

area virtual-link ttl-security command, 277

arguments, warn-threshold, 367

Arkin, O., 529

ARP (Address Resolution Protocol), 24, 220

DAI, 288–291

proxy, 220

sticky, 291–292

arp timeout command, 291

AS path limits, 283

ASIC, 52–62

as-path-set command, 568

asymmetric bandwidth, 7


Asynchronous Transfer Mode See ATM

ATA (Advanced Technology Attachment), 319

ATM (Asynchronous Transfer Mode), 5

attachments, dCoPP policy, 262

RST, 511

SLAs, 102

smurf (ICMP), 528

SNMP, mitigating risk of, 307

spoofing, 519

Stacheldraht v1.666, 502

STP, 292–294

SYN flood, 200–201

TCP, 512

TTL expiry, 71

UDP

Echo/Chargen, 519

Snork, 519

VPN networks, 96

CE, 98–99

Inter-AS, 103–107

IPsec, 108–111

MPLS, 96–98

VTP, 285–286

authentication command, 574

Authentication Header See AH

authentication key-chain command, 571

authentication mode md5 command, 272

authentication, authorization, and accounting. See AAA

auto secure command, 330

auto trunking, disabling, 210–211

autodiscovery, 311

AutoSecure, 329–330

AUX (auxiliary port), 301

availability, IP networks, 6


banner exec command, 316, 586

banner incoming command, 316–317, 586

banner login command, 317, 586

banner motd command, 317, 586

banner prompt-timeout command, 586

banner slip-ppp command, 318

bearer channel (B channel), 12

BEEP (Blocks Extensible Exchange Protocol),

best common practice See BCP

between traffic planes, 32

BGP (Border Gateway Protocol), 10, 15

external link protection, 191

trigger router configuration, 197

IPsec VPN case study, 458

rACL policies, 237

reachability, 139

security, 279–285, 438

binding tables, DHCP snooping, 287

bits

DF, 504

DSCP, 502

IP headers, 502. See also IP

MF, 504

patterns, 168

black hole filtering, remote triggers, 193–200

black list mode, 163

blocking

traffic, 209

UUFB, 214

blocks, CIDR, 238

Blocks Extensible Exchange Protocol (BEEP), 324

Blue Screen of Death (BSOD), 515

bogon addresses, 76, 161, 507

Bollapragada, V., 400

Bonica, R., 554

boot system flash command, 589

BOOTP (Bootstrap Protocol), 311

Border Gateway Protocol. See BGP

Bottom of Stack (S) field, 553

BPDU (Bridge Protocol Data Unit)

messages, 95

Guard, 292

breadth, principles of defense, 117–118

core security, 138–141

defensive layers, 119–122

edge security, 133–138

interfaces, 127–132

IP traffic planes, 123–127

operational envelope of networks, 122–123

organizational operation, 123

protection, determining need for, 119

Bridge Protocol Data Unit. See BPDU

bridging loops, 213

broadcasts

addresses, 231

CoPP, 265

MPLS VPN case study, 482

storms, 213


brute force attacks, 520

BSOD (Blue Screen of Death), 515

fast switching, viewing, 42

Call Admission Control See CAC

call admission limit command, 387

CAM (content-addressable memory), 89–90

capacity

internal traffic, 9

transit traffic, 9

CapEx (capital expenditure), 6

CAR (committed access rate), 173

Carrier Routing System (CRS-1), 57

Carrier Supporting Carrier See CsC

carrier-class requirements, 5

case studies

IPsec VPN and Internet access, 406

network topology and requirements, 407–409

CDP (Cisco Discovery Protocol), 23, 311

CE (Customer Edge) routers

channels

covert, 503, 516

IP operations, 12

traffic segmentation, 6

checksums

headers, 507

ICMP, 531–541

TCP, 516

UDP headers, 520

Cheng, G., 509

CIA (confidentiality, integrity, and availability), 6

CIDR (classless interdomain routing), 69, 238

Cisco 12000, CoPP implementation, 260–264

Cisco Catalyst 6500/Cisco 7600 CoPP implementation, 264–269

Cisco Discovery Protocol. See CDP

Cisco Express Forwarding. See CEF

Cisco IOS XR Software, 59

Cisco NetFlow See NetFlow

Cisco Product Security Incident Response Team (PSIRT), 602–604

Cisco Security Center, 603 Cisco Security IntelliShield Alert Manager Service, 603

Cisco Security Vulnerability Policy, 603 Cisco Software Center, 604

Cisco Technical Assistance Center, 602

class of service See CoS

Class-Based WFQ, 170

classes

maps, defining packet classification (MQC), 247

traffic, 170–171, 244

classification

ACLs, 150, 244–247

of attacks, 600

packets, defining MQC class maps, 247

QoS, 171–173, 353

rACLs, 235

SPD, 224 See also SPD

traffic, 148


classless interdomain routing (CIDR), 69, 238

CLNP (Connectionless Network Protocol), 188

CLNS (Connectionless Network Service), 187

CNNOG (China Network Operators’ Group),

area {area} authentication message-digest, 572

area authentication message-digest, 272

area sham-link ttl-security, 277

area virtual-link ttl-security, 277

boot system flash, 589

call admission limit, 387

clear counters, 359

class-map, 245

clear ip bgp, 282

community-set, 568

control plane security, 562–578

control-plane, 261

control-plane slot {slot-number}, 262

copy, 320

copy running-config startup-config, 208

crypto call admission limit ike sa, 387

crypto ipsec df-bit clear, 391

crypto ipsec fragmentation before-encryption, 391

crypto key generate rsa, 310

data plane security, 558–562

dialer-list, 148

domain lookup disable, 592

drop, 248

ebgp-multihop {hop-count}, 277

enable password, 304, 580

enable secret, 304

enable view, 322

errdisable recovery arp-inspection, 290

errdisable recovery bpduguard, 293

errdisable recovery cause shutdown, 209

errdisable recovery dhcp-rate-limit, 289

event manager, 588

exec-banner, 316

extcommunity, 568

fault manager, 588

file verify auto, 320

flow, 587

ftp, 584

hello-password hmac-md5, 572

hold-queue {length} in, 228

icmp ipv4 rate-limit unreachable, 576

interact, 330

ip access-group, 148

ip address, 231

ip arp inspection filter, 290

ip arp inspection limit rate {pps}, 290

ip arp inspection log-buffer entries {number}, 291

ip arp inspection log-buffer logs {number_of_messages} interval {length_in_seconds}, 291

ip arp inspection trust, 290

Posted: 14/08/2014, 18:21
