Agenda
Router Architecture (review)
Planning & Configuration
Key Security Features
Cisco AAA (Authentication, Authorization and Accounting)
Logging
Copyright 2004, Technology Pathways, LLC
Agenda (2)
Collecting Volatile Information / Router Forensics
Resources
DRAM/SRAM (volatile)
Contains the running IOS
Can also store the routing table(s), statistics, local logs, etc.
BootROM
Contains code for POST, IOS loading, etc.
Plan to Audit
Two thoughts:
In order to audit a log you must first have a log
In order to trust the log you must secure the log
Features
AAA (Authentication, Authorization and Accounting)
Security Protocols
Traffic Filtering and Firewalling
IPSEC & Encryption
AAA
Authentication
Identify users
Authorization
Access control
Accounting
Collection & logging
AAA (2)
Authentication can happen locally, outside AAA
RADIUS, Kerberos, TACACS+ all use AAA
As you may suspect, AAA provides much more control over authentication
Security Protocols
RADIUS, Kerberos, and TACACS+ allow integration with various external directories and methods
Active Directory
LDAP
Multi-factor (SecurID, etc.)
http://nsa2.www.conxion.com/cisco
Logging
As in any system always a balance:
Information overload
Resource overload
Time
In forensics, a consistent timeline across devices is of the utmost importance
Manage router time settings
Set detailed time stamps with:
Router(config)# service timestamps log datetime msec localtime show-timezone
Logging levels
Seven levels:
(0) Emergencies (7) Debug
Syslog
Centralized logs
Key to enterprise management
If you are locked out of the router, this may be the only audit trail
Netflow Data
Can provide detailed information for:
Network traffic accounting
Usage-based network billing
Network planning
Denial of Service (DDoS) monitoring capabilities
Netflow Charting
F.L.A.V.I.O. is a GPL'ed data grapher for netflow data - http://sourceforge.net/projects/flavio/ (Cisco and Juniper routers among others, or unix servers running ntop with the netflow export plugin). It uses a MySQL backend and has been entirely developed in Perl (much like MRTG)
Flow Tools - http://www.net.ohiostate.edu/software/ , Review and TCP-Shatter
NARUS - http://www.narus.com/
Logging checklist
Actively monitor logs
Configure logging timestamps
Enable RAM buffered logging
Enable logging sequence numbers
Use a syslog server for centralization
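As an added example (not part of the original slides), a small Python check that a collector can run over the messages a router emits once timestamps and sequence numbers are enabled, looking for the things that undermine trust in the log: gaps in sequence numbers, IOS's "*" marker that flags a non-authoritative clock, and time going backwards. The sample lines and host addresses are constructed, and the log format assumed is the usual "<PRI>seq: timestamp TZ: %FAC-SEV-MNEMONIC: text" shape.

```python
import re
from datetime import datetime

# Constructed sample (not captured from a real device): IOS messages as a syslog
# collector receives them after "service sequence-numbers" and "service timestamps
# log datetime msec localtime show-timezone". "*" before a timestamp = clock not authoritative.
SAMPLE_LOG = """\
<189>41: Mar  5 10:22:31.118 EST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
<189>42: Mar  5 10:22:40.002 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
<189>45: Mar  5 10:22:41.750 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
<189>46: *Mar  5 10:21:00.000 EST: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.9 port 514 started
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<seq>\d+): (?P<auth>[*.]?)"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>\S+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$"
)

def parse_line(line, year=2004):
    """Split one IOS syslog line into fields (IOS omits the year, so it is supplied); None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "seq": int(d["seq"]),
        "auth": d["auth"],                      # "" ok, "*" not authoritative, "." NTP sync lost
        "ts": datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S.%f"),
        "severity": int(d["pri"]) % 8,          # syslog PRI = facility * 8 + severity (0-7)
        "msg": d["msg"],
    }

def audit(text):
    """Return findings that weaken the audit trail: unparsed lines, gaps, bad clock, time regressions."""
    findings = []
    prev_seq = prev_ts = None
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            findings.append(("unparsed", raw))
            continue
        if prev_seq is not None and rec["seq"] != prev_seq + 1:
            findings.append(("seq_gap", prev_seq, rec["seq"]))   # dropped or removed messages
        if rec["auth"] == "*":
            findings.append(("clock_not_authoritative", rec["seq"]))
        if prev_ts is not None and rec["ts"] < prev_ts:
            findings.append(("time_regression", rec["seq"]))
        prev_seq, prev_ts = rec["seq"], rec["ts"]
    return findings
```

On the constructed sample, `audit(SAMPLE_LOG)` reports the jump from 42 to 45, the non-authoritative clock on message 46 and its timestamp running earlier than the message before it.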
Volatile Information
Capturing volatile router information is essential in incident response
Some may choose to add capturing volatile router information to the regular audit process
Two Tools
Router Audit Tool
Perl
Multi-platform (Windows & UNIX)
Audit focused
Further Reading: Router Audit Tool: Securing Cisco Routers Made Easy
www.sans.org/rr/papers/38/238.pdf
Demo RAT
DEMO
Summary
References
Cisco: Internet Security Advisories - http://www.cisco.com/warp/public/707/advisory.html
"Essential IOS" - Features Every ISP Should Consider - http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip
Cisco Flow Logs and Intrusion Detection at the Ohio State University - http://www.usenix.org/publications/login/1999-9/osu.html
Improving Security on Cisco Routers - http://www.cisco.com/warp/public/707/21.html
Router Audit Tool: Securing Cisco Routers Made Easy - www.sans.org/rr/papers/38/238.pdf
CREED - http://www.crossrealm.com/creed/
References (2)
National Security Agency, Router Security Configuration Guide - http://nsa2.www.conxion.com/cisco
Cisco Product Security Incident Response (PSIRT) - http://www.cisco.com/warp/public/707/sec_incident_response.shtml
Information Systems Audit and Control Association - http://www.isaca.org/
Information Systems Security Association - http://www.issa.org
Hardening Cisco Routers - Thomas Akin - O'Reilly, ISBN 0-596-00166-5
Thank You!
Updated information is available in the Technology Pathways resource center at www.TechPathways.com
Email me if you have any questions or comments at clbrown@TechPathways.com