Hardening network devices

Network device hardening refers to the process of maintaining a configuration of a network device which mitigates possible threats from attackers to the device itself, to connected users, or to the network as a whole (e.g. in the case of (D)DoS attacks). In order to enhance the security of a device, its operation as a whole must be taken into account. Its functions are usually divided into so-called planes, although the exact distinction varies with the intended aim of the particular document. In the case of security guidelines, three main planes are usually defined – the management plane, the control plane and the data plane.

2.1 Management plane

The management plane maintains the remote management and monitoring capabilities of a device. This includes not only the protocols used (such as SSH, SNMP, NetFlow, …), but also authentication and other functions commonly described by the triplet AAA (authentication, authorization and accounting), together with auxiliary protocols, for example the Network Time Protocol (NTP). Primarily, remote access should only be done via an encrypted channel, so that credentials do not traverse the network in plain text. If an insecure protocol must be used (e.g. Telnet, or SNMP version 1 or 2c), its traffic should not traverse third-party links or devices. Passwords should not be stored in plain text or as the output of a reversible function. Ideally, users’ passwords should not be stored on the devices at all: the risk of password compromise grows with the number of places a password must reside in, and any manipulation of passwords is laborious because the change must be made on every device. For those reasons, keeping users’ credentials on dedicated (and secured) authentication servers is highly recommended. Several authentication protocols exist for this purpose, the commonly used ones being TACACS+ and RADIUS.

2.1.1 AAA

AAA is an architectural framework which provides consistent configuration of the security functions authentication, authorization and accounting; these functions may be realized by possibly independent servers (and protocols) (RFC 2903). For example, several methods of user authentication may be defined in order to preserve availability even when one of the defined methods fails, and within each method multiple authentication servers can usually be defined.

Authentication

The verb authenticate is defined as: “Prove or show (something) to be true, genuine, or valid.” In terms of IT security, authentication refers to the process of verifying a user’s identity before access to the desired resources is granted. In this process, the user’s identity is generally verified based on what one knows (a shared secret), what one has (a cryptographic token, for example) or what one is (typically the user’s biometrics). Authentication to a switch or a router usually works on the basis of shared secrets (passwords). Between a device and an authentication server, the two protocols already mentioned are typically used – TACACS+ and RADIUS. Not only must the devices control management access to themselves, but in some scenarios authentication of the users accessing the network is required as well. In such cases, the IEEE 802.1X standard can be used.

Authorization

The verb authorize is described as the act of giving power or permission for some specified action. This holds in information technology security as well: in the process of authorization, the user’s right to perform a specified action is validated, and permission is granted if the user meets the predefined conditions. Within AAA authorization, the classes of commands and configuration changes allowed for a particular user are typically specified. Some vendors (for example Cisco) allow an extended set of authorization types, supporting for example Auth-Proxy to be configured in the context of the AAA framework. Authentication of the user is usually taken as a prerequisite, since authorization for a given action is typically bound to a specified user or group ID.

Accounting

In terms of AAA, accounting is used to facilitate tracking of how the device’s resources are being used. Depending on the configuration, the records can be sent to RADIUS or TACACS+ servers, typically as attribute-value pairs. Again, as with authorization, the extent of configurable parameters (and therefore of what can be accounted) varies with the vendor. From a network security standpoint, the most important type of accounting is the accounting of commands issued by users: it keeps a record from which the origin of device configuration changes can be traced.
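The three AAA functions described above, put together in one device configuration. This is an added example in Cisco IOS syntax and is not part of the original text: the server addresses are constructed (RFC 5737 TEST-NET ranges), the server, group and account names are hypothetical, and every secret is a placeholder in angle brackets.

```cisco
! Added example (not from the page): Cisco IOS AAA configuration that keeps
! user credentials on TACACS+ servers and falls back to a single local
! account only when no server answers. Addresses are constructed
! (RFC 5737), names are hypothetical, secrets are placeholders.
aaa new-model
!
tacacs server TAC-PRIMARY
 address ipv4 192.0.2.10
 key <TACACS-SHARED-SECRET>
tacacs server TAC-SECONDARY
 address ipv4 192.0.2.11
 key <TACACS-SHARED-SECRET>
!
aaa group server tacacs+ MGMT-TACACS
 server name TAC-PRIMARY
 server name TAC-SECONDARY
!
! Authentication: the method list tries the TACACS+ group first; "local"
! is consulted only when every server in the group is unreachable.
aaa authentication login default group MGMT-TACACS local
aaa authentication enable default group MGMT-TACACS enable
!
! Authorization: the exec shell and each command (including
! configuration-mode commands) must be approved by the server per user/group.
aaa authorization exec default group MGMT-TACACS local
aaa authorization commands 1 default group MGMT-TACACS local
aaa authorization commands 15 default group MGMT-TACACS local
aaa authorization config-commands
!
! Accounting: session start/stop and every issued command are reported,
! which is what later allows a configuration change to be traced to a user.
aaa accounting exec default start-stop group MGMT-TACACS
aaa accounting commands 1 default stop-only group MGMT-TACACS
aaa accounting commands 15 default stop-only group MGMT-TACACS
!
! Local fallback account: "secret" stores a one-way hash; "password"
! would store a reversible (type 7) encoding and is therefore avoided.
username break-glass privilege 15 secret <LOCAL-FALLBACK-PASSWORD>
enable secret <ENABLE-PASSWORD>
!
! Management access only over SSH, never Telnet; bind the lists to the VTYs.
ip ssh version 2
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
```

The local account exists only so that the device remains manageable when the authentication servers are down; because `local` is the last method in each list, it is never consulted while a TACACS+ server is reachable, so its password is the one credential that unavoidably resides on the device.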

 

2.1.2 NTP

The Network Time Protocol (NTP) is used to synchronize time across a set of clients and servers. The current version, 4, is described in RFC 5905. A clear benefit of using NTP within the network is that every device operates with the same time, so their logs or accounting records can be effectively correlated if needed. Discrepancies in time settings can also lead to problems, for example if routing protocol keys are configured to be valid only within a specified time period. Another aspect of NTP usage on the devices is that the administrator must ensure that the sources of queries (both synchronization and control) are properly limited. The main reason is that specific control queries of the protocol can be abused to perform a DDoS attack with a very large amplification effect. Typically, NTP on routers and switches can be limited in the following fashion:

• peer — full access; both synchronization and control queries are replied to, and the device may synchronize its time to the remote device.
• query/query-only — only control queries are replied to.
• server/serve — both control and synchronization queries are allowed.
• synchronization/serve-only — only synchronization queries are allowed.
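The four access classes above mapped onto address groups on a router, as an added example in Cisco IOS syntax (not code from the original text). The upstream server and client addresses are constructed (RFC 5737 and RFC 1918 ranges), the interface name is hypothetical, and the authentication key is a placeholder.

```cisco
! Added example (not from the page): limiting who may use NTP on a Cisco IOS
! router. Addresses are constructed (RFC 5737 / RFC 1918); <NTP-KEY> is a placeholder.
!
! ACL 10 = the two time sources this device is allowed to synchronize to
access-list 10 permit 192.0.2.10
access-list 10 permit 192.0.2.11
! ACL 20 = internal hosts that may ask this device for time (synchronization only)
access-list 20 permit 10.10.0.0 0.0.255.255
! ACL 30 = the monitoring station that may send NTP control queries
access-list 30 permit 10.10.1.50
!
! Authenticate the upstream servers so a spoofed reply cannot shift the clock
ntp authenticate
ntp authentication-key 1 md5 <NTP-KEY>
ntp trusted-key 1
ntp server 192.0.2.10 key 1 prefer
ntp server 192.0.2.11 key 1
!
! "peer": synchronization and control queries answered, and the router
! may itself synchronize to these sources
ntp access-group peer 10
! "serve-only": time requests only, control queries are dropped
ntp access-group serve-only 20
! "query-only": control queries only, no time service
ntp access-group query-only 30
! Once any access-group is configured, a source matching none of the lists
! is dropped, so control-query amplification is confined to the host in ACL 30.
!
! Do not process NTP at all on the interface facing the untrusted network
interface GigabitEthernet0/0
 ntp disable
```

The "serve" class (time and control queries, but no synchronization to the remote side) is deliberately not used here: the clients in ACL 20 need nothing beyond time requests, which is exactly what "serve-only" grants.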

2.1.3 Simple Network Management Protocol (SNMP)

The Simple Network Management Protocol (SNMP from now on) is part of the Internet Protocol Suite as an application-layer protocol. It is mainly used to monitor network devices and to modify their configuration. Another description states that: “SNMP, at its core, allows a management station to treat its network as a distributed database of health and configuration information (and much more).” The database itself, commonly referred to as the MIB (Management Information Base), varies greatly with the particular device type and vendor, although some parts are common to basically any device. Figure 2.1 illustrates a very limited extent of the generic MIB tree; for instance, if we would like to retrieve the sysUpTime value, the query would address the node 1.3.6.1.2.1.1.3. As SNMP is a rather simple protocol, it defines only a few types of protocol operations:

• GET — request for an explicit list of instances from a remote host.
• GETNEXT — expects a list of instances that are next in the lexicographic order of the SNMP tree, based on the given list of parameters.
• GETBULK — requests several GETNEXT responses to be returned within a single packet. Not available in the first version of the protocol (SNMP v1, RFC 1157).
• SET — used to set a desired value in the MIB tree.
• REPORT — indicates a possible error during request processing.
• RESPONSE — reports the results of all the other operations defined (except TRAP and REPORT).
• TRAP — an asynchronous notification of a defined event; the monitored device is typically configured to send these to a remote NMS (Network Management System).

The protocol exists in multiple versions, the most used being 1, 2c and 3. Versions 1 and 2c both use a so-called community-based model, where users’ requests are authenticated only via a text string which is transmitted within the requests themselves over the network in plain text. This was improved in the third version of the protocol, which introduces the so-called USM (User-Based Security Model) together with authentication of the communicating sides, message integrity and confidentiality. Because of that, the use of SNMP v3 is highly recommended despite the fact that it demands more device resources, which is why an SNMP implementation that does not bring unnecessary overhead to the device is also recommended. If the SNMPv3 overhead is considered unbearable for monitoring purposes (which usually take the form of a large number of GET requests), a partial migration to SNMPv3 for the higher levels of authorization (SET requests, GET requests for selected MIB subtree(s), …) should be considered.
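The community-based configuration the text warns about, beside its SNMPv3 USM replacement and the partial-migration variant, as an added example in Cisco IOS syntax (not code from the original text). The NMS address is constructed (RFC 5737), the view, group and user names are hypothetical, and the passphrases and community string are placeholders; the OIDs are the standard ones from the SNMP MIBs.

```cisco
! Added example (not from the page): replacing community-based SNMP with
! SNMPv3 USM on a Cisco IOS device. NMS address is constructed (RFC 5737),
! names are hypothetical, passphrases and the community string are placeholders.
!
! --- weak configuration being replaced ---
! clear-text community strings, read-write, accepted from any source:
!   snmp-server community public RO
!   snmp-server community private RW
no snmp-server community public
no snmp-server community private
!
! Only the management station may speak SNMP to the device
access-list 40 permit 192.0.2.50
!
! Read view for monitoring; the USM and VACM tables (1.3.6.1.6.3.15 and
! 1.3.6.1.6.3.16) are excluded so SNMP users and views cannot be enumerated.
snmp-server view MONITOR-VIEW iso included
snmp-server view MONITOR-VIEW 1.3.6.1.6.3.15 excluded
snmp-server view MONITOR-VIEW 1.3.6.1.6.3.16 excluded
! A narrow writable view: only ifAdminStatus (1.3.6.1.2.1.2.2.1.7)
snmp-server view IFADMIN-VIEW 1.3.6.1.2.1.2.2.1.7 included
!
! Groups: security level "priv" requires authentication (integrity)
! and encryption (confidentiality); the ACL restricts the source.
snmp-server group MONITOR-GROUP v3 priv read MONITOR-VIEW access 40
snmp-server group IFADMIN-GROUP v3 priv read IFADMIN-VIEW write IFADMIN-VIEW access 40
!
! USM users: SHA for authentication, AES-128 for confidentiality.
! IOS keeps these outside the running configuration; see "show snmp user".
snmp-server user nms-poller MONITOR-GROUP v3 auth sha <AUTH-PASS-1> priv aes 128 <PRIV-PASS-1>
snmp-server user nms-operator IFADMIN-GROUP v3 auth sha <AUTH-PASS-2> priv aes 128 <PRIV-PASS-2>
!
! TRAPs go to the NMS as SNMPv3 messages under the monitoring user
snmp-server host 192.0.2.50 version 3 priv nms-poller
snmp-server enable traps snmp authentication linkdown linkup coldstart
!
! --- partial-migration variant described in the text ---
! If polling load makes v3 too expensive, keep a read-only v2c community
! for bulk GETs, limited to the monitoring view and the NMS ACL, and use
! v3 only for SET and for the sensitive subtrees:
!   snmp-server community <RO-COMMUNITY> view MONITOR-VIEW RO 40
```

Even in the partial-migration variant the community string is bound to a view and an ACL, so a string captured in transit yields read access to the monitoring subtree from the NMS address only; SET and the excluded subtrees remain reachable solely through the authenticated, encrypted v3 users.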
