CCNPv5 Module 5 Lesson 9


Implementing Secure Converged Wide Area Networks (ISCW)

ISCW-Mod5_L9 © 2007 Cisco Systems, Inc. All rights reserved.

Configuring SNMP

Lesson 9 – Module 5 – ‘Cisco Device Hardening’

Module Introduction

• The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, and that the data does not end up being accessed by the wrong people.

• Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.

• Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

Objectives

At the completion of this ninth lesson, you will be able to:

• Describe the concepts behind the use of SNMP
• Explain the various SNMP actions
• Explain why the use of SNMPv1 and SNMPv2 is not recommended
• Demonstrate how to configure Cisco routers to use SNMPv3

SNMP

• SNMP, the Simple Network Management Protocol, forms part of the Internet protocol suite as defined by the IETF

• SNMP is used by network management systems to monitor network-attached devices for conditions that warrant administrative attention

• It consists of a set of standards for network management, including an Application Layer protocol, a database schema, and a set of data objects

• The current version is SNMPv3. SNMPv1 and SNMPv2 are considered obsolete and are extremely insecure: both carry their community string in cleartext and provide no message integrity. It is recommended they NOT be used on a publicly attached network

SNMP Components

An SNMP-managed network consists of three key components:

1. Managed devices
2. Agents
3. Network-management systems (NMSs)

A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices can be routers and access servers, switches and bridges, hubs, computer hosts, or printers.

An agent is a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP.

An NMS executes applications that monitor (and possibly control) managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs must exist on any managed network.

Ref: Wikipedia - SNMP

SNMP Managed Network


SNMPv1 and SNMPv2 Architecture

SNMP asks agents embedded in network devices for information or tells the agents to do something.


SNMP Actions

• The SNMP protocol specifies (in version 1) five core PDUs:

1. GET REQUEST - used to retrieve a piece of management information
2. GETNEXT REQUEST - used iteratively to retrieve sequences of management information
3. GET RESPONSE - used by the agent to return data in answer to get and set requests from the manager
4. SET REQUEST - used to initialise or change a value on the network element
5. TRAP - used to report an alert or other asynchronous event about a managed subsystem

In SNMPv1, asynchronous event reports are called traps, while they are called notifications in later versions of SNMP.

SNMP Actions

• Other PDUs were added in later versions, including:

GETBULK REQUEST - a faster iterator used to retrieve sequences of management information
INFORM - an acknowledged trap

• Typically, SNMP uses UDP port 161 for the agent and UDP port 162 for the manager. The manager may send requests from any available port (source port) to port 161 on the agent (destination port). The agent's response is returned to that source port. The manager receives traps on port 162; the agent may send traps from any available port.

Community Strings

• SNMPv1 and SNMPv2 use a community string to access router SNMP agents

• SNMP community strings act like passwords

• An SNMP community string is a text string used to authenticate messages between a management station and an SNMP engine

• If the manager sends one of the correct read-only community strings, the manager can get information but NOT set information in an agent

• If the manager uses one of the correct read-write community strings, the manager can get or set information in the agent

Community Strings

• In effect, having read-write access is equivalent to having the enable password!

• SNMP agents accept commands and requests only from SNMP systems that use the correct community string

• By default, most SNMP systems use a community string of “public”

• If the router SNMP agent is configured to use this commonly known community string, anyone with an SNMP system is able to read the router MIB

• Router MIB variables can point to entities like routing tables and other security-critical components of a router configuration, so it is very important that custom SNMP community strings are created. Because SNMPv1 and SNMPv2c send the string unencrypted in every packet, a custom string only defeats guessing; it protects nothing against anyone who can capture the traffic

SNMP Security Models and Levels

Definitions:

• Security model is a security strategy used by the SNMP agent.
• Security level is the permitted level of security within a security model.

Model  Level         Authentication    Encryption  What Happens
v1     noAuthNoPriv  Community string  No          Authenticates with a community string match
v2c    noAuthNoPriv  Community string  No          Authenticates with a community string match
v3     noAuthNoPriv  Username          No          Authenticates with a username
v3     authNoPriv    MD5 or SHA        No          Provides HMAC-MD5 or HMAC-SHA algorithms for authentication
v3     authPriv      MD5 or SHA        DES         Provides HMAC-MD5 or HMAC-SHA authentication, plus DES 56-bit encryption based on the CBC-DES (DES-56) standard


SNMPv3 Operational Model

• The separate concepts of SNMP agents and SNMP managers do not apply in SNMPv3: SNMPv3 combines them into SNMP entities. Each managed node and each network management system (NMS) is a single entity

• There are two types of entities, each containing different applications:

Managed node SNMP entities: the managed node SNMP entity includes an SNMP agent and an SNMP MIB. The agent implements the SNMP protocol and allows a managed node to provide information to the NMS and accept instructions from the NMS. The MIB defines the information that can be collected and used to control the managed node. Information that is exchanged using SNMP takes the form of objects from the MIB

SNMP NMS entities: the SNMP entity on an NMS includes an SNMP manager and SNMP applications. The manager implements the SNMP protocol, collects information from managed nodes and sends instructions to the nodes. The SNMP applications are software applications used to manage the network

SNMPv3 Features and Benefits

It is strongly recommended that all network management systems use SNMPv3 rather than SNMPv1 or SNMPv2

Features:
• Message integrity: ensures that a packet has not been tampered with in transit
• Authentication: determines that the message is from a valid source
• Encryption: scrambles the contents of a packet to prevent the packet from being seen by an unauthorised source

Benefits:
• Data can be collected securely from SNMP devices without fear of the data being tampered with or corrupted
• Confidential information, such as SNMP Set command packets that change a router configuration, can be encrypted to prevent the contents from being exposed on the network

Configuring an SNMP Managed Node

• These are the four configuration tasks used to set up SNMPv3 communications on a Cisco IOS router:

1. Configure the SNMP-server engine ID to identify the device for administrative purposes
2. Configure the SNMP-server group names for grouping SNMP users
3. Configure the SNMP-server users to define usernames that reside on hosts that connect to the local agent
4. Configure the SNMP-server hosts to specify the recipient of a notification operation (trap or inform)

Configuring the SNMP-Server Engine ID (1)

• To configure a name for either the local or remote SNMP engine on the router, use the snmp-server engineID global configuration command.

• The SNMP engine ID is a unique string used to identify the device for administration purposes. An engine ID is not required for the device, as a default value is generated using the Cisco enterprise number (1.3.6.1.4.1.9) and the MAC address of the first interface on the device. Because SNMPv3 user keys are localised to the engine ID, changing it invalidates the security digests of every SNMPv3 user already configured on the router, and those users must be reconfigured; set the engine ID before creating users.

• If an individualised ID is required, do not specify the entire 24-character engine ID if the ID contains trailing zeros. Specify only the portion of the engine ID up to the point at which only zeros remain in the value. This portion must be 10 hexadecimal characters or more. For example, to configure an engine ID of 123400000000000000000000, specify snmp-server engineID local 1234000000.

Configuring the SNMP-Server Engine ID (1)

• A remote engine ID must be created when an SNMPv3 inform is configured

• The remote engine ID is used to compute the security digest for authenticating and encrypting packets that are sent to a user on the remote host

• Informs are acknowledged traps. The agent sends an inform to the manager. When the manager receives the inform, the manager sends a response to the agent. Thus, the agent knows that the inform reached the intended destination.

Configuring the SNMP-Server Group Names (2)

• To configure a new SNMP group, or a table that maps SNMP users to SNMP views, use the snmp-server group global configuration command

• This command groups SNMP users that reside on hosts that connect to the local SNMP agent

• An SNMP view is a mapping between SNMP objects and the access rights that are available for those objects. An object can have different access rights in each view. Access rights indicate whether the object is accessible by either a community string or a user

Configuring the SNMP-Server Group Names (2)

Router(config)#
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]

• Configures a new SNMP group or a table that maps SNMP users to SNMP views

PR1(config)#snmp-server group johngroup v3 auth
PR1(config)#snmp-server group billgroup v3 priv

• The top example shows how to define a group johngroup using authentication but not privacy (encryption) for SNMPv3
• The bottom example shows how to define a group billgroup using both authentication and privacy for SNMPv3 (the priv security level implies authentication; the command takes exactly one of auth, noauth or priv)

Configuring the SNMP-Server Users (3)

• To add a new user to an SNMP group, use the snmp-server user global configuration command

• To configure a user that exists on a remote SNMP device, specify the IP address and, optionally, the UDP port number of the remote SNMP device where the user resides

• Also, before configuring remote users for that device, configure the SNMP engine ID of the remote device using the snmp-server engineID command with the remote option

• The SNMP engine ID of the remote device is needed to compute the authentication and privacy digests from the password. If the remote engine ID is not configured first, the configuration command will fail
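How the engine ID enters the key derivation can be shown directly. The following Python is an added example, not code from the Cisco course: it implements the RFC 3414 password-to-key and key-localisation steps that both the router and the NMS run, and the truncated HMAC that SNMPv3 places in msgAuthenticationParameters. The engine IDs, passwords and message bytes are constructed for the example; the engine ID 00..00 02 with the password maplesyrup is the RFC 3414 Appendix A test vector.

```python
# Added example (not from the Cisco course): the RFC 3414 USM key derivation
# that a Cisco agent and its manager both perform from the configured
# password. It shows why the snmpEngineID has to be known (and correct)
# before a user can authenticate, and why a changed engine ID invalidates
# every configured SNMPv3 user. Standard library only.

import hashlib
import hmac

HASH_BY_PROTO = {"md5": "md5", "sha": "sha1"}
AUTH_PARAM_LEN = 12            # HMAC-MD5-96 / HMAC-SHA-96 truncate to 96 bits
ONE_MEGABYTE = 1_048_576


def password_to_key(password: bytes, auth_proto: str) -> bytes:
    """RFC 3414 A.2.1/A.2.2: hash one megabyte of the password repeated cyclically."""
    h = hashlib.new(HASH_BY_PROTO[auth_proto])
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    h.update(stream)
    return h.digest()                                  # Ku, engine-independent


def localize_key(ku: bytes, engine_id: bytes, auth_proto: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), one key per engine."""
    return hashlib.new(HASH_BY_PROTO[auth_proto], ku + engine_id + ku).digest()


def usm_keys(auth_password, priv_password, engine_id, auth_proto="md5"):
    """Keys a manager derives for a user on a given engine (authPriv level)."""
    auth_kul = localize_key(password_to_key(auth_password, auth_proto), engine_id, auth_proto)
    priv_kul = localize_key(password_to_key(priv_password, auth_proto), engine_id, auth_proto)
    # CBC-DES uses the first 16 octets of the localised key: 8 as the DES key, 8 as pre-IV
    return {"auth": auth_kul, "priv": priv_kul[:16]}


def auth_params(auth_kul, whole_msg, auth_proto="md5"):
    """msgAuthenticationParameters: HMAC over the whole message, truncated to 12 octets."""
    return hmac.new(auth_kul, whole_msg, HASH_BY_PROTO[auth_proto]).digest()[:AUTH_PARAM_LEN]


def verify(auth_kul, whole_msg, received_params, auth_proto="md5"):
    return hmac.compare_digest(auth_params(auth_kul, whole_msg, auth_proto), received_params)


if __name__ == "__main__":
    # RFC 3414 A.3 vectors: password "maplesyrup", engine ID 00..00 02 (12 octets)
    engine = bytes(11) + b"\x02"
    print(localize_key(password_to_key(b"maplesyrup", "md5"), engine, "md5").hex())
    # A manager holding the wrong remote engine ID derives a different key,
    # so its authenticated requests and informs are rejected by the agent:
    wrong = localize_key(password_to_key(b"maplesyrup", "md5"), bytes(11) + b"\x03", "md5")
    print(wrong.hex())
```

Because Kul is bound to the engine ID, a manager whose remote engineID entry does not match the agent's real engine derives a different key and every authenticated request or inform fails; that is why the remote engine ID has to be configured before the remote user. It also makes the caveat about changing a local engine ID concrete: change it and every localised key on that router becomes wrong.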

Configuring the SNMP-Server Users (3)

• Configure a new user in an SNMP group

Router(config)#
snmp-server user username groupname [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} [access access-list]

• The encrypted keyword indicates that the passwords are supplied as already-localised digests rather than as cleartext strings

• The first example (below) shows how to define a user John belonging to the group johngroup. Authentication uses the password john2passwd and no privacy (no encryption) is applied. The second example shows how user Bill, belonging to the group billgroup, is defined using the password bill3passwd with privacy (encryption) applied, using the privacy password password2. The groups are created first so that the users can be attached to them

PR1(config)#snmp-server group johngroup v3 auth
PR1(config)#snmp-server group billgroup v3 priv
PR1(config)#snmp-server user John johngroup v3 auth md5 john2passwd
PR1(config)#snmp-server user Bill billgroup v3 auth md5 bill3passwd priv des56 password2

Configuring the SNMP-Server Hosts (4)

• To specify the recipient of an SNMP notification operation, use the snmp-server host global configuration command:

snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]

With version 3, the community-string argument is the SNMPv3 username whose credentials secure the notifications; with versions 1 and 2c it is a community string sent in cleartext

• SNMP notifications can be sent as traps or inform requests. Traps are unreliable because the receiver does not send acknowledgments when it receives traps, so the sender cannot determine whether the traps were received

• An SNMP entity that receives an inform request acknowledges the message with an SNMP response PDU. Informs consume more computing resources in the agent and in the network

• If an snmp-server host command is NOT entered, no notifications are sent. To configure the router to send SNMP notifications, at least one snmp-server host command must be entered. If the command is entered with no keywords, all trap types are enabled for the host

Configuring the SNMP-Server Hosts (4)

• To be able to send an “inform,” perform these steps:

1. Configure a remote engine ID
2. Configure a remote user
3. Configure a group on a remote device
4. Enable traps on the remote device
5. Enable the SNMP manager

Configuring the SNMP-Server Hosts (4)

Configures the recipient of an SNMP trap operation

Router(config)#
snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]

• The example (below) shows how to send configuration informs to the 10.1.1.1 remote host. The noauth level is used here for illustration only; in production use auth or priv so that the informs cannot be forged or read in transit

PR1(config)#snmp-server engineID remote 10.1.1.1 1234
PR1(config)#snmp-server user bill billgroup remote 10.1.1.1 v3
PR1(config)#snmp-server group billgroup v3 noauth
PR1(config)#snmp-server enable traps
PR1(config)#snmp-server host 10.1.1.1 informs version 3 noauth bill
PR1(config)#snmp-server manager

SNMP – Types of Traps

Trap     Description
bgp      Sends Border Gateway Protocol (BGP) state change traps
config   Sends configuration traps
hsrp     Sends Hot Standby Router Protocol (HSRP) notifications
sdlc     Sends Synchronous Data Link Control (SDLC) traps
snmp     Sends SNMP traps defined in RFC 1157
syslog   Sends error message traps (Cisco Syslog MIB). Specify the level of messages to be sent with the logging history level command
tty      Sends Cisco enterprise-specific traps when a TCP connection closes
x25      Sends X.25 event traps

SNMPv3 Configuration

• The next slide shows how to configure Cisco IOS routers for SNMPv3.

• The router Trap_sender is configured to send traps to the NMS host with the IP address 172.16.1.1. The traps are authenticated and encrypted using the credentials that are configured for the local user snmpuser, who belongs to the group snmpgroup. The Trap_sender router sends traps that are related to CPU, configuration, and SNMP. The trap packets are sourced from the router loopback 0 interface

• The router Walked_device is configured so that the NMS host can read the MIBs on the local device. The NMS server needs to use the username credentials that are configured on the Walked_device (snmpuser with the respective authentication and encryption passwords) to gain access to the SNMP information of the router. Neither group is restricted with the access access-list option; in production, limit the group to the NMS address

SNMPv3 Configuration Example

Trap_sender(config)#snmp-server group snmpgroup v3 auth
Trap_sender(config)#snmp-server group snmpgroup v3 priv
Trap_sender(config)#snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword
Trap_sender(config)#snmp-server enable traps cpu
Trap_sender(config)#snmp-server enable traps config
Trap_sender(config)#snmp-server enable traps snmp
Trap_sender(config)#snmp-server host 172.16.1.1 traps version 3 priv snmpuser
Trap_sender(config)#snmp-server source-interface traps loopback 0

Walked_device(config)#snmp-server group snmpgroup v3 auth
Walked_device(config)#snmp-server group snmpgroup v3 priv
Walked_device(config)#snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword

Configuring the NTP Client

Lesson 10 – Module 5 – ‘Cisco Device Hardening’



Objectives

At the completion of this tenth lesson, you will be able to:

• Explain how a router maintains an accurate time
• Describe NTP and how it is configured
• Configure NTP on a router as a server and a client
• Associate with NTP servers

Understanding NTP

“Time has been invented in the universe so that everything would not happen at once”
‘The NTP FAQ and HOWTO’, http://www.ntp.org/ntpfaq/

• Many features in a computer network depend on time synchronisation, such as accurate time information in syslog messages, certificate-based authentication in VPNs, ACLs with time range configuration, and key rollover in routing protocol authentication (EIGRP and RIP)

• Most Cisco routers have two clocks: a battery-powered system calendar in the hardware and a software-based system clock

• These two clocks are managed separately

System Clock

• The heart of the router time service is the software-based system clock

• This clock starts to keep track of time from the moment the system starts

• The system clock can be set from a number of sources and can be used to distribute the current time through various mechanisms to other systems

• When a router with a system calendar is initialised or rebooted, the system clock is set based on the time in the internal battery-powered system calendar

• The system clock can then be set manually or by using the Network Time Protocol (NTP), an Internet protocol used to synchronise the clocks of network-connected devices to some time reference. NTP is an Internet standard protocol, at v3 when this course was written and specified in RFC 1305

UTC - GMT

• UTC (Temps Universel Coordonné or, in English, Coordinated Universal Time) is an official standard for the current time.

• UTC evolved from the former GMT (Greenwich Mean Time) that was previously used to accurately set the clocks on sailing ships before they left London for a long journey (very important to determine longitude and avoid navigational embarrassment…..)

• Later GMT was adopted as the world's standard time. It has now been replaced by UTC. One of the reasons that GMT has been replaced as official standard time was the fact that it was based on the mean solar time. Newer methods of time measurement showed that the mean solar time varied appreciably.

• The main components of UTC:

Universal means that the time can be used everywhere in the world. It is independent from time zones (i.e. it's not local time). To convert UTC to local time, add or subtract the local time zone offset.

Coordinated means that several institutions contribute their estimate of the current time, and UTC is built by combining these estimates. The UTC second was defined by the 13th General Conference of Weights and Measures in 1967 as "The second is the duration of 9,192,631,770 periods of the radiation corresponding to the transition between the two hyperfine levels of the ground state of the cesium-133 atom."

Authoritative Time

• In a router, the system clock keeps track of time internally based on UTC (which, despite the comment in the curriculum, is not technically the same as GMT…….)

• Information can be configured about the local time zone and daylight savings time so that the time appears correctly relative to the local time zone

• The system clock keeps track of whether the time is “authoritative” or not (that is, whether the time has been set by a time source that is considered to be “authoritative”)

• If the time is NOT considered authoritative, the time is available only for display purposes and is not redistributed within the network

NTP

• NTP is a protocol designed to time-synchronise a network of machines. NTP runs over UDP (port 123), which in turn runs over IP

• An NTP network usually obtains the time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronise two machines to within 1 ms of one another

• As of early 2007, NTP v4 had not completed IETF standardisation (it was later published as RFC 5905). RFC 1305 documents NTP v3. The Cisco devices covered by this course support only the RFC specification of NTPv3

• NTP uses the concept of a “stratum” to describe how many NTP “hops” away a machine is from an authoritative time source. A “stratum 1” time server typically has a radio or atomic clock directly attached to the server; a “stratum 2” time server receives the time via NTP from a “stratum 1” time server, and so on

• A machine that runs NTP automatically chooses the machine with the lowest stratum number to communicate with via NTP as the machine’s time source. This strategy effectively builds a self-organising tree of NTP speakers

NTP

• NTP is careful to avoid synchronising to a machine whose time may not be accurate. NTP avoids doing so in two ways:

1. NTP never synchronises to a machine that is not synchronised itself
2. NTP compares the time that is reported by several machines and does not synchronise to a machine whose time is significantly different than the others, even if the machine’s stratum number is lower

• The communications (known as “associations”) between machines that run NTP are usually statically configured; each machine is given the IP address of all machines with which the machine should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of machines with an association

• In a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each machine can be configured to send or receive broadcast messages. However, the accuracy of timekeeping is marginally reduced because the information flow is one-way only

NTP Security

• The time that a machine keeps is a critical resource, so the security features of NTP should be used to avoid the accidental or malicious setting of incorrect time. Two mechanisms are available:

1. an ACL-based restriction scheme
2. a keyed (MD5) message authentication mechanism. This authenticates NTP packets; it does not encrypt them

• Time service for a network should be derived from the public NTP servers that are available on the Internet

• If the network is isolated from the Internet, the Cisco implementation of NTP allows a machine to be configured so that the machine acts as though it is synchronised via NTP when in fact the machine has determined the time using other means. Other machines then synchronise to that machine via NTP

NTP Association

• When multiple sources of time (e.g. manual configuration) are available, NTP is always considered to be more authoritative: NTP time overrides the time set by any other method

• An NTP association can be a peer association (this system is willing either to synchronise to the other system or to allow the other system to synchronise to it), or the association can be a server association (only this system will synchronise to the other system, and not vice versa)

NTP Basic Features - Overview

A collected overview of NTP features:

• NTP needs some reference clock that defines the true time to operate. All clocks are set towards that true time. (It will not just make all systems agree on some time, but will make them agree upon the true time as defined by some standard.) NTP uses UTC as reference time (NOT GMT…..)

• NTP is a fault-tolerant protocol that will automatically select the best of several available time sources to synchronise to. Multiple candidates can be combined to minimise the accumulated error. Temporarily or permanently insane time sources will be detected and avoided

• NTP is highly scalable. A synchronisation network may consist of several reference clocks. Each node of such a network can exchange time information either bidirectionally or unidirectionally. Propagating time from one node to another forms a hierarchical graph with reference clocks at the top

• Having several time sources available, NTP can select the best candidates to build its estimate of the current time. The protocol is highly accurate, using a resolution of less than a nanosecond (about 2^-32 seconds)

• Even when a network connection is temporarily unavailable, NTP can use measurements from the past to estimate current time and error

• For formal reasons NTP will also maintain estimates for the accuracy of the local time

Configuring NTP Authentication

• NTP services are enabled on all interfaces by default. To disable NTP on a specific interface, use the ntp disable command in interface configuration mode.

• To authenticate the associations with other systems for security purposes, use the commands in the “NTP Authentication Commands” table (see next slide)

NTP Authentication Commands

Command: ntp authenticate
Description: Enables the NTP authentication feature. If this command is specified, the system will not synchronise to a system unless the system’s NTP messages carry one of the authentication keys that you specify in the ntp trusted-key global configuration command.

Command: ntp authentication-key number md5 value
Description: Defines an authentication key. Message authentication support is provided using the MD5 algorithm. The key type md5 is currently the only key type that this command supports. The key value can be any arbitrary string of up to eight characters.

Command: ntp trusted-key key-number
Description: Defines trusted authentication keys.

The first command enables the NTP authentication feature. The second command defines each of the authentication keys. Each key has a key number, a type, and a value. Currently the only key type supported is md5. Finally, a list of trusted authentication keys is defined. If a key is trusted, this system is ready to synchronise to a system that uses this key in the system’s NTP packets

Configuring NTP Authentication

Router(config)# ntp authenticate
• Enables the authentication feature

Router(config)# ntp authentication-key number md5 value
• Defines the authentication keys
• Used for both peer and server associations

Router(config)# ntp trusted-key key-number
• Defines the trusted authentication keys
• Required to synchronise to a system (server association)

R1(config)#ntp authenticate
R1(config)#ntp authentication-key 1 md5 NeVeRgUeSs
R1(config)#ntp trusted-key 1
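What those three commands put on the wire can be shown in code. The following Python is an added example, not code from the Cisco course: it builds an NTPv3 packet, appends the symmetric-key MAC (key identifier followed by MD5 over key and header) that the md5 key type produces, and verifies it the way ntp trusted-key requires, accepting only keys that are both defined and trusted. Key values, key IDs and timestamps are constructed for the example.

```python
# Added example (not from the Cisco course): builds an NTPv3 packet and
# appends the symmetric-key MAC that "ntp authentication-key <n> md5 <key>"
# configures on a Cisco router: key identifier followed by MD5(key || header).
# The verifier mirrors "ntp trusted-key": only configured AND trusted key IDs
# are accepted. Standard library only; all values are constructed locally.

import hashlib
import hmac
import struct

NTP_HEADER = "!BBBbIIIQQQQ"        # LI/VN/mode, stratum, poll, precision, root delay,
HEADER_LEN = 48                    # root dispersion, reference ID, 4 x 64-bit timestamps
MAC_LEN = 4 + 16                   # 32-bit key ID + 128-bit MD5 digest
NTP_EPOCH_OFFSET = 2_208_988_800   # seconds between 1900-01-01 and 1970-01-01


def to_ntp_timestamp(unix_seconds: float) -> int:
    """64-bit NTP timestamp: 32-bit seconds since 1900 and a 32-bit fraction."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (whole << 32) | frac


def build_packet(mode, stratum, transmit_unix, key_id=None, key=None,
                 version=3, ref_id=0, poll=6, precision=-20):
    """48-byte header plus, when a key is given, the 20-byte MAC (key ID + MD5)."""
    first = (0 << 6) | (version << 3) | mode          # leap indicator 0 (no warning)
    header = struct.pack(NTP_HEADER, first, stratum, poll, precision,
                         0, 0, ref_id, 0, 0, 0, to_ntp_timestamp(transmit_unix))
    if key_id is None:
        return header                                 # unauthenticated packet
    digest = hashlib.md5(key + header).digest()       # classic NTP MD5 MAC
    return header + struct.pack("!I", key_id) + digest


def parse_header(packet):
    f = struct.unpack(NTP_HEADER, packet[:HEADER_LEN])
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "transmit": f[10]}


def verify_packet(packet, keys, trusted):
    """True only if a MAC is present, its key ID is configured and trusted, and the digest matches."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False                                  # unauthenticated or malformed
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    if key_id not in keys or key_id not in trusted:   # "ntp trusted-key" check
        return False
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, packet[HEADER_LEN + 4:])


if __name__ == "__main__":
    keys = {1: b"NeVeRgUeSs", 2: b"s0meOtherKey"}    # ntp authentication-key 1 / 2
    trusted = {1}                                     # ntp trusted-key 1
    client = build_packet(mode=3, stratum=0, transmit_unix=1_700_000_000.5,
                          key_id=1, key=keys[1])
    print(parse_header(client), verify_packet(client, keys, trusted))
```

The MAC covers the 48-byte header only: it proves the peer holds the shared key and that the header was not altered, but it encrypts nothing, so anyone who captures the traffic still sees stratum and timestamps in the clear. A packet signed with a key that is defined but not trusted is rejected, which is exactly the distinction between ntp authentication-key and ntp trusted-key.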

Configuring NTP Associations

• To configure a router as an NTP client, either create an association to a server or configure the router to listen to NTP broadcast packets.

ntp server: Although the router can be configured with either a peer or a server association, NTP clients are typically configured with a server association (meaning that only this system will synchronise to the other system, and not vice versa). To allow the software clock to be synchronised by an NTP time server, use the ntp server command in global configuration mode.

ntp broadcast client: In addition to, or instead of, creating unicast NTP associations, the system can be configured to listen to broadcast packets on an interface-by-interface basis. To do this, use the ntp broadcast client command in interface configuration mode

Configuring NTP Associations

Router(config)#
ntp server {ip-address | hostname} [version number] [key keyid] [source interface] [prefer]
• Forms a server association with another system

Router(config-if)# ntp broadcast client
• Receives NTP broadcast packets

R1(config)#ntp server 10.1.1.1 key 1
R1(config)#ntp server 10.2.2.2 key 2 prefer
R1(config)#interface Fastethernet 0/1
R1(config-if)#ntp broadcast client

Configuring Additional NTP Options

 To control access to NTP services, in addition to packet authentication, an NTP access group can be created and a basic IP ACL applied to it. To do so, use the ntp access-group command in global configuration mode. The access group options are scanned in the following order, from least restrictive to most restrictive:

1. peer: Allows time requests and NTP control queries, and allows the system to synchronise itself to a system whose address passes the ACL criteria. This option is used in scenarios where either the local or the remote system can become the NTP source.

2. serve: Allows time requests and NTP control queries, but does not allow the system to synchronise itself to a system whose address passes the ACL criteria. This option lets you filter the IP addresses of systems that can become clients of the local system and from which NTP control queries will be permitted.

3. serve-only: Allows only time requests from a system whose address passes the ACL criteria. This option lets you filter the IP addresses of systems that can become clients of the local system; NTP control queries from them will be denied.

4. query-only: Allows only NTP control queries from a system whose address passes the ACL criteria.


Configuring Additional NTP Options

 If the source IP address matches the ACLs for more than one access type, the first access type that is listed is granted. If no access groups are specified, all access types are granted to all systems. If any access groups are specified, only the specified access types are granted. A client-only router therefore typically needs just ntp access-group peer with an ACL listing its time sources (plus ntp access-group serve-only for its own clients, if it has any); everything else, including control queries from arbitrary hosts, is then refused.

 When the system sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source interface command in global configuration mode to configure a specific interface from which the IP source address will be taken. This interface is used as the source address for all packets sent to all destinations. If a source address is to be used for a specific association only, use the source parameter on the ntp peer or ntp server command instead.


Implementing the NTP Server

 Cisco IOS routers act as an NTP server by default: as soon as a router is synchronised to an authoritative time source, it allows systems at a higher stratum number (further from the reference clock) to synchronise to it. Ordinary clients use a server association towards the router; a mutual, bidirectional relationship requires a peer association.

 You can make a router an authoritative NTP server (ntp master), even if the system is not synchronised to an outside time source.

 Two options to establish an association as a server: 1. Unicast 2. Broadcast

 The same exchange control methods apply as those used with a client: packet authentication and access-group filtering.


Configuring the NTP Server

Router(config)# ntp peer ip-address [normal-sync] [version number] [key keyid] [source interface] [prefer]
  Forms a peer association with another system

Router(config)# ntp master [stratum]
  Makes the system an authoritative NTP server

Router(config-if)# ntp broadcast [version number] [destination address] [key keyid]
  Configures an interface to send NTP broadcast packets

R2(config)#ntp peer 10.1.1.1 key 1
R2(config)#ntp master 3
R2(config)#interface FastEthernet0/0
R2(config-if)#ntp broadcast


NTP Configuration Example

Source(config)#ntp master 5
Source(config)#ntp authentication-key 1 md5 secretsource
Source(config)#ntp peer 172.16.0.2 key 1
Source(config)#ntp source loopback 0

Intermediate(config)#ntp authenticate
Intermediate(config)#ntp authentication-key 1 md5 secretsource
Intermediate(config)#ntp authentication-key 2 md5 secretclient
Intermediate(config)#ntp trusted-key 1
Intermediate(config)#ntp server 172.16.0.1 key 1
Intermediate(config)#ntp source loopback 0
Intermediate(config)#interface FastEthernet0/0
Intermediate(config-if)#ntp broadcast key 2

Client(config)#ntp authenticate
Client(config)#ntp authentication-key 2 md5 secretclient
Client(config)#ntp trusted-key 2
Client(config)#interface FastEthernet0/1
Client(config-if)#ntp broadcast client

The original slide defined the keys but never referenced them: without ntp authenticate, and without key on the ntp server and ntp broadcast lines, the Intermediate router would accept unauthenticated time from 172.16.0.1 and the Client would accept any broadcast on its segment. The key ID travels in the packet, so the ID as well as the secret must match at both ends; the Client therefore uses ID 2, the ID the Intermediate router broadcasts with.
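How those md5 keys are used on the wire, as an added example (this is not from the course or from Cisco code): a Python model of the NTP MD5 MAC. sign() appends the 4-byte key ID and MD5(key || 48-byte header) the way a router does; verify() performs the receiver-side checks that ntp authenticate and ntp trusted-key express: the key ID must be configured, it must be trusted, and the digest must match. The key IDs, secrets and packet fields are constructed to match the slide's example and are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed keys (assumptions, not from a real router). On the router they
# correspond to "ntp authentication-key <id> md5 <key>".
KEYS = {1: b"secretsource", 2: b"secretclient"}
# Key IDs the receiver will accept a time source with ("ntp trusted-key 1").
TRUSTED = {1}


def ntp_header(stratum=2, transmit_ts=0):
    """Minimal 48-byte NTPv4 server packet: LI=0, VN=4, mode=4 (server)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    poll, precision = 6, -20
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, poll, precision,
                       0, 0, b"GPS\x00", 0, 0, 0, transmit_ts)


def sign(packet, keyid, keys=KEYS):
    """Append the MD5 MAC: 4-byte key ID followed by MD5(key || packet)."""
    digest = hashlib.md5(keys[keyid] + packet).digest()
    return packet + struct.pack("!I", keyid) + digest


def verify(signed, keys=KEYS, trusted=TRUSTED):
    """Receiver check with 'ntp authenticate' on: returns (accepted, reason)."""
    if len(signed) < 48 + 20:
        return False, "no MAC"
    header, mac = signed[:-20], signed[-20:]
    keyid = struct.unpack("!I", mac[:4])[0]
    if keyid not in keys:
        return False, "unknown key id %d" % keyid
    if keyid not in trusted:
        return False, "key id %d not trusted" % keyid
    expected = hashlib.md5(keys[keyid] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "bad digest"
    return True, "ok"


if __name__ == "__main__":
    pkt = ntp_header(stratum=1)
    print(verify(sign(pkt, 1)))      # signed with a trusted key: accepted
    print(verify(sign(pkt, 2)))      # key 2 is configured but not trusted
    print(verify(pkt))               # unauthenticated packet is ignored
    forged = bytearray(sign(pkt, 1))
    forged[1] = 0                    # tamper with the stratum field
    print(verify(bytes(forged)))     # digest no longer matches
```

The MAC is a plain MD5 over key and packet, not an HMAC; it prevents forgery only as long as the key stays secret, which is why the slides treat the md5 key exactly like a password.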


Configuring AAA on Cisco Routers

Lesson 11 – Module 5 – ‘Cisco Device Hardening’



Objectives

 At the completion of this eleventh lesson, you will be able to:
 Describe what is meant by the term 'triple A'
 Explain how and why AAA should be used to secure router and switch access
 Configure AAA using the IOS CLI and SDM
 Describe the use of external AAA servers, including a brief overview of CSACS

Authentication, Authorisation & Accounting

 It is strongly recommended that network and administrative access security in the Cisco environment is based on a modular architecture that has three functional components:

1. authentication, 2. authorisation, and 3. accounting, also known as AAA

 These AAA services provide a higher degree of scalability than line-level and privileged-EXEC authentication to networking components.
 Unauthorised access in campus, dialup, and Internet environments creates the potential for network intruders to gain access to sensitive network equipment, services and data.
 Using a Cisco AAA architecture enables consistent, systematic and scalable access security.

The Three Components of AAA

 Authentication: provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption.
 Authorisation: provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.
 Accounting: provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

Authentication

 Authentication is the way a user is identified prior to being allowed access to the network and network services.
 AAA authentication is configured by defining a named list of authentication methods, and then applying that list to various interfaces and lines.
 The method list defines the types of authentication to be performed and the sequence in which they will be performed; it MUST be applied to a specific interface or line before any of the defined authentication methods will be performed. The only exception is the default method list ("default"), which is automatically applied to every interface and line that has no other method list applied. A named method list overrides the default method list wherever it is applied.
 All authentication methods, except for local, line password, and enable authentication, MUST be defined through AAA.

Authorisation

 Authorisation provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.
 AAA authorisation works by assembling a set of attributes that describe what the user is authorised to perform.
 These attributes are compared to the information contained in a database for a given user, and the result is returned to AAA to determine the user's actual capabilities and restrictions. The database can be located locally on the access server or router, or it can be hosted remotely on a RADIUS or TACACS+ security server.
 As with authentication, AAA authorisation is configured by defining a named list of authorisation methods, and then applying that list to various interfaces.

Accounting

 Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting: user identities, start and stop times, executed commands, number of packets, and number of bytes.
 Accounting enables tracking of the services users are accessing as well as the amount of network resources they are consuming.
 With AAA accounting activated, the NAS reports user activity to the RADIUS or TACACS+ security server in the form of accounting records.
 Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analysed for network management, client billing, and/or auditing.
 All accounting methods must be defined through AAA. Accounting is configured by defining a named list of accounting methods, and then applying that list to various interfaces.

Access Control

 In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer security functions.
 If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server.
 Although AAA is the primary (and recommended) method for access control, Cisco IOS software provides additional features for simple access control that are outside the scope of AAA, such as local username authentication, line password authentication, and enable password authentication. However, these features do not provide the same degree of access control that is possible by using AAA.

Implementing AAA

 Cisco provides three ways of implementing AAA services for Cisco routers, network access servers (NAS), and switch equipment:

1. Self-contained AAA: AAA services can be self-contained in the router or NAS itself (also known as local authentication).

2. Cisco Secure ACS for Windows Server: AAA services on the router or NAS contact an external Cisco Secure Access Control Server (ACS) for Windows system for user and administrator authentication.

3. Cisco Secure ACS Solution Engine: AAA services on the router or NAS contact an external Cisco Secure ACS Solution Engine for user and administrator authentication.

 There are also open source AAA servers available that work in conjunction with Cisco IOS devices.

Implementing AAA

 Administrative access: console, Telnet, and AUX access
 Remote user network access: dialup or VPN access

Router Access Modes

 All of the AAA commands (except aaa accounting system) apply to either character mode or packet mode. The mode refers to the format of the packets that request AAA: if the query is presented as Service-Type = Exec-User, the query is in character mode (an administrative login to the device's CLI); if the request is presented as Service-Type = Framed-User and Framed-Type = PPP, the request is in packet mode (a remote user's network session).
 Character mode allows a network administrator with a large number of routers in a network to authenticate once as the user, and then access all routers that are configured in this way.
 Primary applications for the Cisco Secure ACS include securing dialup access to a network and securing the management of routers within a network. Both applications have unique AAA requirements.
 With CSACS, a variety of authentication methods can be chosen, each providing a set of authorisation privileges. Router ports must be secured using the Cisco IOS software and a CSACS server.

Router Access Modes

(Diagram in the original slides: character-mode administrative access versus packet-mode user access.)

AAA Protocols: RADIUS and TACACS+

(Diagram in the original slides: the NAS exchanging AAA traffic with RADIUS and TACACS+ servers.)

AAA Protocols: RADIUS and TACACS+

 The best-known and most widely used AAA protocols are TACACS+ and RADIUS.
 TACACS+ and RADIUS have different features that make them suitable for different situations.
 RADIUS is maintained by a standard that was created by the IETF.
 TACACS+ is a proprietary Cisco Systems technology that encrypts the body of every packet. TACACS+ runs over TCP; RADIUS runs over UDP.
 TACACS+ provides many benefits for configuring Cisco devices to use AAA for management and terminal services. TACACS+ can control the authorisation level of users command by command; RADIUS cannot, because its authorisation attributes are delivered only once, inside the Access-Accept at login.
 Because TACACS+ separates authentication and authorisation, it is possible to use TACACS+ for authorisation and accounting while using a different method for authentication, such as Kerberos.

RADIUS Features

 RADIUS is an IETF standard protocol (RFC 2865).
 Standard attributes can be augmented by proprietary attributes: Vendor-Specific Attribute 26 allows any TACACS+ attribute to be used over RADIUS (Cisco carries them as cisco-avpair).
 Uses UDP on standard port numbers (1812 for authentication and 1813 for accounting; CSACS uses the legacy 1645 and 1646 by default).
 It includes only two security features:
  1. Hiding of passwords: the User-Password attribute is XORed with an MD5-derived pad computed from the shared secret and the Request Authenticator (RFC 2865 section 5.2). This is obfuscation rather than encryption, and everything else in the packet, including the username, travels in cleartext.
  2. Authentication of packets: the Response Authenticator is an MD5 digest over the reply and the shared secret (often described as MD5 fingerprinting). The Access-Request itself carries no integrity check unless the Message-Authenticator attribute (RFC 2869) is used.
 Authorisation is only possible as part of authentication.

RADIUS Authentication and Authorisation

The example shows how the RADIUS exchange starts once the NAS is in possession of the username and password. The ACS can reply with an Access-Accept message, or an Access-Reject if authentication is not successful.

RADIUS Messages

 There are four types of messages involved in a RADIUS authentication exchange:

1. Access-Request: Contains AV pairs for the username, the password (the only information that is hidden by RADIUS), and additional information such as the NAS port.

2. Access-Challenge: Necessary for challenge-based authentication methods such as Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5).

3. Access-Accept: The positive answer if the user information is valid.

4. Access-Reject: Sent as a negative reply if the user information is invalid.

RADIUS AV Pairs

 RADIUS messages contain zero or more AV pairs, for example:
  1. User-Name
  2. User-Password (the only hidden entity in RADIUS)
  3. CHAP-Password
  4. Service-Type
  5. Framed-IP-Address
 There are approximately 50 standards-based attributes (RFC 2865).
 RADIUS allows proprietary attributes.
 Basic attributes are used for authentication purposes.
 Most other attributes are used in the authorisation process.
 Cisco has added several vendor-specific attributes on the server side. Cisco IOS devices will, by default, always use Cisco AV pairs, but Cisco devices can be configured to use only IETF attributes for standard compatibility.
 Accounting information is sent within special RADIUS accounting messages.
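To make the RADIUS Features and RADIUS Messages slides concrete, an added example in Python that is not from the course or from any Cisco or RADIUS server code: it implements the RFC 2865 section 5.2 User-Password hiding, builds an Access-Request with User-Name, User-Password and NAS-Port, answers it as a server with an Access-Accept or Access-Reject carrying a Response Authenticator, and verifies that authenticator on the NAS side. The shared secret, user table, identifier and Request Authenticator are constructed values (a real NAS picks the authenticator at random).

```python
import hashlib
import hmac
import struct

SECRET = b"secretradius"   # constructed shared secret, the same on NAS and server

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad the password to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous cipher block); the first block uses the Request
    Authenticator. Obfuscation keyed by the shared secret, not real encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password (the server side); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    """Type-Length-Value encoding of one attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, nas_port, secret, authenticator):
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by attributes."""
    attrs = (avp(USER_NAME, username)
             + avp(USER_PASSWORD, hide_password(password, secret, authenticator))
             + avp(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data):
    out = []
    while data:
        attr_type, length = data[0], data[1]
        out.append((attr_type, data[2:length]))
        data = data[length:]
    return out


def server_reply(request, secret, users):
    """Server side: recover the password, decide, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    password = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    resp_attrs = b""                      # authorisation attributes would go here
    head = struct.pack("!BBH", code, ident, 20 + len(resp_attrs))
    resp_auth = hashlib.md5(head + req_auth + resp_attrs + secret).digest()
    return head + resp_auth + resp_attrs


def verify_reply(reply, req_auth, secret):
    """NAS side: recompute the Response Authenticator before trusting Accept/Reject."""
    head, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    req_auth = bytes(range(16))          # constructed; must be random in practice
    req = build_access_request(7, b"joe", b"Pa55w0rd", 1, SECRET, req_auth)
    print(b"joe" in req, b"Pa55w0rd" in req)        # username visible, password not
    reply = server_reply(req, SECRET, {b"joe": b"Pa55w0rd"})
    print(reply[0] == ACCESS_ACCEPT, verify_reply(reply, req_auth, SECRET))
```

A mismatched shared secret does not produce an error on the wire: the server simply recovers a garbage password and answers Access-Reject, and the NAS cannot validate the reply, so "server rejects every user" is the symptom to look for when the radius-server key differs at either end.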

TACACS+ Attributes and Features

 The TACACS+ protocol is much more flexible than RADIUS communication: it permits the TACACS+ server to use virtually arbitrary dialogs to collect enough information until a user is authenticated.
 TACACS+ messages contain AV pairs, such as:
  1. acl
  2. addr
  3. cmd
  4. interface-config
  5. priv-lvl
  6. route
 TACACS+ uses TCP on well-known port number 49.
 TACACS+ establishes a dedicated TCP session for every AAA action; Cisco Secure ACS can use one persistent TCP session for all actions (the single-connection feature).
 Protocol security consists of encrypting the body of every TACACS+ packet with an MD5-derived pad computed from the shared secret, session ID, version and sequence number; the 12-byte header is always cleartext. Unlike RADIUS, the username and every other attribute are inside the protected body. The protocol also defines an unencrypted flag, intended only for debugging, that turns this protection off.
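The body obfuscation described above, as an added example in Python that is not from the course, from Cisco, or from any TACACS+ implementation: it builds the 12-byte header, derives the MD5 pseudo-pad chain (RFC 8907 section 4.5), applies it to an authentication START body and reverses the process on the receiving side. The shared key (taken from the slide's later tacacs-server key example), session ID, username, port and remote address are constructed values.

```python
import hashlib
import struct

KEY = b"SeCrEtKeY"            # constructed shared secret ("tacacs-server key SeCrEtKeY")

VERSION = 0xC0                # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01        # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain: block n = MD5(session_id + key + version + seq_no + block n-1),
    the first block with no previous block; concatenated and cut to the body length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def authen_start_body(user, port, rem_addr, data=b""):
    """Authentication START body: action LOGIN(1), priv_lvl 1, ASCII(1) login,
    service LOGIN(1), then the four length fields and the variable-length fields."""
    return (struct.pack("!BBBBBBBB", 1, 1, 1, 1,
                        len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)


def build_packet(ptype, seq_no, session_id, body, key, encrypt=True):
    """Cleartext header: version, type, seq_no, flags, session_id, body length.
    The body is XORed with the pseudo-pad unless the unencrypted flag is set."""
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, len(body))
    if encrypt:
        pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
        body = bytes(b ^ p for b, p in zip(body, pad))
    return header + body


def parse_packet(packet, key):
    """Receiver side: read the header, regenerate the pad from it and the shared key,
    and return (type, seq_no, session_id, flags, body)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(b ^ p for b, p in zip(body, pad))
    return ptype, seq_no, session_id, flags, body


if __name__ == "__main__":
    session_id = 0x1234ABCD                       # constructed; random per session in practice
    body = authen_start_body(b"joe", b"tty1", b"10.1.1.5")
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, KEY)
    print(b"joe" in pkt)                              # False: username is inside the protected body
    print(parse_packet(pkt, KEY)[4] == body)          # True with the right key
    print(parse_packet(pkt, b"wrong")[4] == body)     # False: wrong key yields garbage
```

Because the pad depends only on header fields and the shared secret, anyone who knows the secret can decrypt any captured session; the header leaks the sequence number and session ID in the clear, which is what makes the single-connection feature and the TCP transport visible to a passive observer even though the body is not.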

TACACS+ Authentication

The example shows how TACACS+ exchange starts before the user is prompted for username and password.

The prompt text can be supplied by the TACACS+ server.


TACACS+ Network Authorisation

The example shows the process of network authorisation that starts after successful authentication.


TACACS+ Command Authorisation

The example illustrates the command authorisation process that repeatedly starts for every command that requires authorisation (based on command privilege level).


Configuring the AAA Server

 These are the first steps in configuring the network access server:
 Globally enable AAA (aaa new-model) to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.
 Specify the Cisco Secure ACS (or other server, if one is used instead) that will provide AAA services for the network access server.
 Configure the shared secret key that will be used to protect the data transfer between the network access server and the Cisco Secure ACS.

Configuring the AAA Server

(Diagram in the original slides: the NAS with its TACACS+ and RADIUS server definitions.)

AAA Configuration Commands

Command: aaa new-model
Description: Enables AAA on the router. Prerequisite for all other AAA commands.

Command: tacacs-server host ip-address single-connection
Description: Indicates the address of the Cisco Secure ACS server and specifies use of the TCP single-connection feature of Cisco Secure ACS. This feature improves performance by maintaining a single TCP connection for the life of the session between the network access server and the Cisco Secure ACS server, rather than opening and closing a TCP connection for each session (the default).

Command: tacacs-server key key
Description: Establishes the shared secret between the network access server and the Cisco Secure ACS server.

Command: radius-server host ip-address
Description: Specifies a RADIUS AAA server.

Command: radius-server key key
Description: Specifies the shared secret to be used with the RADIUS AAA server.

AAA Authentication Commands

Router(config)# aaa authentication login {default | list_name} method1 [method2 [method3 [method4]]]
  where each method is one of group {group_name | tacacs+ | radius}, local, local-case, enable, line, krb5 or none

Use this command to configure the authentication process, for example:

Router(config)# aaa authentication login default group tacacs+ local line

aaa authentication login Parameters

Parameter: default
Description: Creates a default list that is automatically applied to all lines and interfaces, specifying the method or sequence of methods for authentication.

Parameter: list-name
Description: Creates a list, with a name of your choosing, that is applied explicitly to a line or interface using the method or methods specified. This defined list overrides the default when you apply it to a specific line or interface.

Parameter: group group-name, group radius, group tacacs+
Description: These methods specify the use of an AAA server. The group radius and group tacacs+ methods refer to previously defined RADIUS or TACACS+ servers. The group-name string allows the use of a predefined group of RADIUS or TACACS+ servers for authentication (created with the aaa group server radius or aaa group server tacacs+ command).

aaa authentication login Parameters (Cont.)

Parameter: method2, method3, method4
Description: Authentication methods are executed in the order in which they are listed. If an authentication method returns an error, such as a timeout, the Cisco IOS software attempts to execute the next method. If the authentication fails (the method answered and rejected the credentials), access is denied and no further method is tried. You can configure up to four methods for each operation. The method must be supported by the authentication operation that you specify. A general list of methods includes:
 enable: uses the enable password for authentication
 group: uses a server group
 krb5: uses Kerberos Version 5 for authentication
 line: uses the line password for authentication
 local: uses the local username and password database for authentication
 local-case: uses case-sensitive local username authentication
 none: uses no authentication
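The error-versus-failure rule above is the part of method lists that is most often misread, so here is an added model of it in Python (not from the course or from IOS; the behaviour of each method is simplified and the server answers are constructed). A server group tries its servers in order and returns ERROR only when none of them answers; a reject from the first server that does answer is final. The list as a whole moves on only on ERROR, and denies the login if every method errors, unless none is the last method.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"      # the method answered and accepted the credentials
    FAIL = "fail"      # the method answered and rejected them
    ERROR = "error"    # the method could not answer (timeout, unreachable server)


def server_group(responses):
    """Model 'group tacacs+' / 'group radius': servers are consulted in order and
    the first one that answers decides. The group ERRORs only if all are unreachable.
    'responses' is the constructed answer of each server in the group."""
    def method(user, password):
        for answer in responses:
            if answer is not Result.ERROR:
                return answer
        return Result.ERROR
    return method


def local(db):
    """Model 'local' (simplified assumption): a matching entry is PASS, anything else FAIL."""
    def method(user, password):
        return Result.PASS if db.get(user) == password else Result.FAIL
    return method


def none(user, password):
    """Model 'none': always PASS; only reached when every earlier method ERRORed."""
    return Result.PASS


def authenticate(method_list, user, password):
    """IOS method-list semantics: ERROR moves to the next method, PASS and FAIL are final.
    If every method ERRORs the login is denied."""
    for method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            return result is Result.PASS
    return False


if __name__ == "__main__":
    users = {"joe": "Pa55w0rd"}
    # 'aaa authentication login default group tacacs+ local' with both servers down
    print(authenticate([server_group([Result.ERROR, Result.ERROR]), local(users)], "joe", "Pa55w0rd"))
    # first server down, second rejects: local is never consulted
    print(authenticate([server_group([Result.ERROR, Result.FAIL]), local(users)], "joe", "Pa55w0rd"))
```

Read "group tacacs+ local" as "local is the answer when TACACS+ is unreachable", never as "local is a second chance after a TACACS+ reject"; the second print above is False even though the local credentials are correct.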

Configuring AAA Authentication Using TACACS+

Command: aaa authentication login default group tacacs+ local
Description: The default login method is the TACACS+ server. If there is no response from the server, the local username and password database is used. A reject from the server is final; local is consulted only on a timeout or other error.

Command: aaa authentication login my_list group tacacs+
Description: Used for character mode username and password challenge. A new list name, my_list, is defined, and the only method is TACACS+.

Command: line con 0
Description: Enters console configuration mode.

Command: login authentication my_list
Description: Configures the console line to use the AAA list name my_list, which has been previously defined to use only TACACS+.

Command: line 1 48, then login authentication my_list
Description: Configures lines 1 through 48 to use the AAA list name my_list, which has been previously defined to use only TACACS+.

Command: line vty 0 4
Description: On lines vty 0 through 4, the default list is used, which in this case is the one defined by the aaa authentication login default group tacacs+ local command.

Character Mode Login Example

Router# show running-config
...
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login my_list group tacacs+
...
line con 0
line aux 0
line vty 0 4
 login authentication my_list

Because no authentication list has been specified for line con 0 and aux 0, the default list is used on those lines.

Configuring AAA in SDM

The original slides at this point are SDM screenshots, one per step of the following workflow:
 1. Enabling AAA in SDM
 2. Confirming the AAA activation
 3. Defining RADIUS servers
 4. Defining TACACS+ servers
 5. Creating a login authentication policy
 6. Configuring a login authentication policy
 7. Creating an EXEC authorisation policy
 8. Configuring an EXEC authorisation policy
 9. Creating local user accounts
 10. Configuring VTY line parameters
 11. Applying the authentication policy to VTY lines
 12. Applying the authorisation policy to VTY lines

Verifying AAA Login Authentication Commands

aaa new-model
!
aaa authentication login default local
aaa authentication login radius_local group radius local
aaa authorization exec default local
!
username joe secret 5 $1$SlZh$Io83V..6/8WEQYTis2SEW1
!
tacacs-server host 10.1.1.10 single-connection key secrettacacs
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key secretradius
!
line vty 0 4
 login authentication radius_local

The radius_local list reads group radius local, as its name says (the original slide repeated group radius twice, which would leave no fallback when the RADIUS server is unreachable). Note that the local user is stored with secret (an MD5 hash, type 5), not with password, so the running configuration never contains the cleartext.

Troubleshoot AAA Login Authentication on Cisco Routers

 Use the debug aaa authentication command on routers to trace AAA packets and monitor authentication.
 The command displays debugging messages on authentication functions.

router# debug aaa authentication

‘AAA Authorization’ Commands

 The access server can be configured to restrict the user to certain functions only, after successful authentication.
 Use the aaa authorization command in global configuration mode to select the function authorised and the method of authorisation.

Troubleshooting Authorization

To display information on AAA authorisation, use the debug aaa authorization command in privileged-EXEC mode. Use the no debug aaa authorization form of the command to disable this debug mode.

‘AAA Authorization’ Commands

router(config)# aaa authorization {network | exec | commands level | config-commands | reverse-access} {default | list-name} method1 [method2...]

Example:
router(config)# aaa authorization exec default group radius local none

With none as the last method the list fails open: if RADIUS does not answer and the local method cannot answer either, the EXEC session is authorised anyway. Use it deliberately (for example to avoid locking yourself out during a server outage), never by default.

AAA Accounting Commands

 Use the aaa accounting command in global configuration mode for auditing and billing purposes.
 Accounting of user EXEC sessions requires that aaa new-model is enabled and that the authentication and authorisation configuration is in place.
 The Cisco Secure ACS serves as a central repository for accounting information, completing the access control functionality. Accounting tracks events that occur on the network.
 Each session that is established through the Cisco Secure ACS can be fully accounted for and stored on the server. This stored information can be very helpful for management, security audits, capacity planning, and network usage billing.

AAA Accounting Commands

router(config)# aaa accounting {commands level | connection | exec | network | system} {default | list-name} {start-stop | stop-only | wait-start} group {tacacs+ | radius}

Example:

R2(config)# aaa accounting exec default start-stop group tacacs+

AAA Accounting Example

R2# show running-config | begin aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
...
tacacs-server host 10.1.1.3
tacacs-server key SeCrEtKeY
...

The Cisco Secure ACS serves as a central repository for accounting information, completing the access control functionality. Accounting tracks events that occur on the network. The next slide shows a TACACS+ report from Windows ACS.

TACACS+ Reports and Activity

(Screenshot in the original slides: the TACACS+ Accounting report in Cisco Secure ACS for Windows.)

Troubleshooting Accounting

Use this command to help troubleshoot AAA accounting problems.

router# debug aaa accounting

R2# debug aaa accounting
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14