Network Security first-step

I am writing my first book review here in my blog after almost two years. I guess it is the only technical book that I have read within this period: “Network Security first-step”. Honestly, I do not feel the necessity to read a book. I can easily google on the Internet, write on forums or, better, ask my contracted partner for the necessary info.

I was sitting lazily in the office when one of my colleagues came and said, “if you want to order a book this year, find it on Barnes & Noble and send me the link by the afternoon”. Some ideas flowed through my mind:
– No, I don’t need a book.
– Maybe a reference book would be good. No, I am using the Cisco web site and it is searchable.
– Exam preparation books, maybe. No, they are boring.
– Maybe a book that I can read before sleep: well written, easy to read, no marketing mumbo jumbo, some real, distilled info.
Then I started to search.

Network Security first-step cover

The book “Network Security first-step”

It was written by Tom Thomas and published by Cisco Press in 2004. Its ISBN is 1-58720-099-6. It has a red cover with a lock on it and 431 pages, with a $29.95 price tag on the back.

It is a must read for any IT person who has the word “security” in his/her title or job description. If you are teaching any kind of information security courses or classes, you too. It is also a must read for all networkers on a security specialization path and for information security auditors.

It is also a nice read if you are a CIO or IT manager/director, or any kind of networker.

The Content
It starts with the basics of hacking: terminology, methods, and the organizations working against hackers.
It talks about security technologies like ACLs, NAT and TACACS, and continues with security protocols like DES, MD5, PPTP and SSH. There is a full chapter for firewalls and a full chapter for router security. A very clear and detailed VPN chapter is followed by wireless security, which covers both technology-related topics like WEP and EAP and the history of war walking and wireless hacking tools. The IDS chapter is very informative; honeypots were a new term for me and are explained in this chapter. The last chapter is about real-world hacking tools.

The most interesting thing in this book for me was the second chapter, completely dedicated to security policies. It explains the basics of building security policies and then gives some reusable security policy samples.

The tools mentioned are mostly open source tools which you can easily download from the Internet and work on in more detail on your own. Related URLs are given for the tools and organizations. This lets you use this book as a starting point for your further security studies.

He mentions his own company (Granite Systems) at some points. I have to say there is some hidden advertising in it.

Conclusion
This book does the trick. Get a copy of it for yourself. I am aware this book was published in 2004 and I am recommending it in 2009. You can preview some chapters on the Amazon website; you will see why I recommend it.

Reflexive Access Lists

Cisco IOS has stateful firewall features like reflexive access lists. By using this feature you can use your Cisco router as a second firewall (the choke point concept in Cisco firewall trainings) and increase your network security with a layered approach.

You can use an access control list (ACL) to filter traffic in one direction, but what about the response packets? You have to add an inbound ACL, but it should permit only the sessions started from the inside. Reflexive ACLs help us at this point.

Requirements
To use reflexive ACLs:
1. You MUST use named access lists.
2. You MUST add “reflect samplename” to the end of the permit line.
3. You MUST create a second named access list and add an “evaluate samplename” line for the response traffic.

Sample Scenario
In our example we have a proxy server (e.g. Microsoft ISA Server) with the IP address 122.22.22.1. This server needs access to the Internet via HTTP (TCP 80) for web browsing and via DNS (UDP 53) for name resolution.

interface Serial0/0/0
 description Internet connection
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!
ip access-list extended OUTBOUND
 permit tcp host 122.22.22.1 any reflect PROXYTCP
 permit udp host 122.22.22.1 any eq domain reflect PROXYUDP
!
ip access-list extended INBOUND
 evaluate PROXYTCP
 evaluate PROXYUDP
!

We used the reflect keyword to create the reverse (reflexive) entries, and we added them to the inbound ACL with the evaluate command.
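To make the reflect/evaluate mechanics concrete, here is an added Python model of the two lists above. It is illustration code written for this page, not anything from the original post or from Cisco: the proxy address and the list names are the post's, the remote hosts (203.0.113.10, 203.0.113.53, 198.51.100.5) are constructed documentation addresses, and only the matching logic is modelled, not the idle timeout or TCP teardown handling of the real feature.

```python
# Added example (not from the original post): a small model of a reflexive
# ACL. A permit entry carrying "reflect" creates a temporary mirrored entry
# (addresses and ports swapped) in the named reflexive list; "evaluate"
# consults that list for packets in the reverse direction. Ageing of entries
# and TCP FIN/RST handling are deliberately left out.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Packet":
        """The reply 5-tuple: addresses and ports swapped, same protocol."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Entry:
    """One line of a named extended ACL, as far as the post's syntax goes."""
    proto: str
    src: str                       # host address or "any"
    dst: str                       # host address or "any"
    dport: Optional[int] = None    # "eq <port>" on the destination; None = any port
    reflect: Optional[str] = None  # reflexive list this entry populates

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


class ReflexiveRouter:
    def __init__(self, outbound: List[Entry], inbound_evaluates: List[str]):
        self.outbound = outbound
        self.evaluates = inbound_evaluates
        self.sessions: Dict[str, Set[Packet]] = {}   # reflexive list -> mirrored entries

    def send(self, p: Packet) -> bool:
        """Packet leaving via Serial0/0/0 (ip access-group OUTBOUND out)."""
        for e in self.outbound:
            if e.matches(p):
                if e.reflect:
                    self.sessions.setdefault(e.reflect, set()).add(p.reverse())
                return True
        return False              # implicit deny at the end of every ACL

    def receive(self, p: Packet) -> bool:
        """Packet arriving on Serial0/0/0 (ip access-group INBOUND in)."""
        return any(p in self.sessions.get(name, set()) for name in self.evaluates)


PROXY = "122.22.22.1"                                                # from the post
WEB, DNS, STRANGER = "203.0.113.10", "203.0.113.53", "198.51.100.5"  # constructed (RFC 5737)

OUTBOUND = [                                   # the post's OUTBOUND list
    Entry("tcp", PROXY, "any", reflect="PROXYTCP"),
    Entry("udp", PROXY, "any", dport=53, reflect="PROXYUDP"),
]
INBOUND_EVALUATES = ["PROXYTCP", "PROXYUDP"]   # the post's INBOUND list


def run_scenario() -> Dict[str, bool]:
    """Drive the model with a few packets; True = permit, False = deny."""
    r = ReflexiveRouter(OUTBOUND, INBOUND_EVALUATES)
    web = Packet("tcp", PROXY, 40000, WEB, 80)
    dns = Packet("udp", PROXY, 5000, DNS, 53)
    return {
        "proxy web request out":   r.send(web),
        "proxy dns query out":     r.send(dns),
        "proxy ntp out (udp 123)": r.send(Packet("udp", PROXY, 5001, DNS, 123)),
        "other host out":          r.send(Packet("tcp", "122.22.22.2", 40000, WEB, 80)),
        "web reply in":            r.receive(web.reverse()),
        "dns reply in":            r.receive(dns.reverse()),
        "reply to wrong port in":  r.receive(Packet("tcp", WEB, 80, PROXY, 40001)),
        "unsolicited syn in":      r.receive(Packet("tcp", STRANGER, 12345, PROXY, 80)),
    }


if __name__ == "__main__":
    for name, permitted in run_scenario().items():
        print(f"{name:26s} {'permit' if permitted else 'deny'}")
```

The model shows why the INBOUND list needs no permit lines of its own: everything that is not an exact mirror of a session the proxy opened is dropped by the implicit deny. On a real router the mirrored entries also age out after an idle period (the global ip reflexive-list timeout, 300 seconds by default), which is what keeps the temporary list from growing without bound.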

Last Words
This feature is a really powerful tool to increase network security, but you should not use it instead of a real firewall for Internet access. It should be used as another security layer.

Advanced SSH settings for Cisco IOS

I mentioned the basic SSH settings in the SSH @ Cisco article. But I saw that there are other questions about SSH settings, so I decided to delve a bit deeper. The settings mentioned below were tested with IOS 12.4, but I am not sure about the exact version that first supports the features below.

Q1. What happens if I change the hostname or IP domain name after the SSH settings have been done?
A1. Nothing. You need them to create the RSA keys, but afterwards, if you change them, only the key name changes and the key data remains the same.

ciscolab#sh crypto key mypubkey rsa
% Key pair was generated at: 13:08:15 UTC Aug 28 2007
Key name: ciscolab.mydomain.com
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B67A9F
EED05E82 FFE41EB0 0CE9BC9E 40D1DD1D CF7AA44F CB5C1029 9502C379 469BF37D
099082BD 9618CC4E 8314866E 3B26F01B BE3AC27E 33EC7A2D 7FE5B503 3C24500B
733B391A D2DC4AAF C322C549 8A4638F1 9EAA0FF1 0ABCACD3 B1DF9753 02790FD7
E6A29602 39EFBAB4 2D4D7119 5C95D403 E1E9EB40 E01A1679 231C2F93 53020301 0001
.
.
ciscolab#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ciscolab(config)#hostname sshrouter
sshrouter(config)#end
sshrouter#sh crypto key mypubkey rsa
% Key pair was generated at: 13:08:15 UTC Aug 28 2007
Key name: sshrouter.mydomain.com
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B67A9F
EED05E82 FFE41EB0 0CE9BC9E 40D1DD1D CF7AA44F CB5C1029 9502C379 469BF37D
099082BD 9618CC4E 8314866E 3B26F01B BE3AC27E 33EC7A2D 7FE5B503 3C24500B
733B391A D2DC4AAF C322C549 8A4638F1 9EAA0FF1 0ABCACD3 B1DF9753 02790FD7
E6A29602 39EFBAB4 2D4D7119 5C95D403 E1E9EB40 E01A1679 231C2F93 53020301 0001
.
.
sshrouter#
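The “Key Data” that show crypto key mypubkey rsa prints is the public key as a hex dump of a DER-encoded SubjectPublicKeyInfo structure, so it can be decoded offline. The following is an added Python example (written for this page, not from the original post or from Cisco) that parses the dump copied from the listing above, recovers the modulus size and exponent, and confirms that the listing under the new hostname carries exactly the same bytes.

```python
# Added example (not from the original post): decode the "Key Data" hex dump
# of "show crypto key mypubkey rsa". It is a DER SubjectPublicKeyInfo:
#   SEQUENCE { AlgorithmIdentifier { OID rsaEncryption, NULL },
#              BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }
# A 40-line DER reader is enough to pull out n and e.

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1

# Key Data copied from the listing above (key name ciscolab.mydomain.com).
KEY_DATA_BEFORE = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B67A9F
EED05E82 FFE41EB0 0CE9BC9E 40D1DD1D CF7AA44F CB5C1029 9502C379 469BF37D
099082BD 9618CC4E 8314866E 3B26F01B BE3AC27E 33EC7A2D 7FE5B503 3C24500B
733B391A D2DC4AAF C322C549 8A4638F1 9EAA0FF1 0ABCACD3 B1DF9753 02790FD7
E6A29602 39EFBAB4 2D4D7119 5C95D403 E1E9EB40 E01A1679 231C2F93 53020301 0001
"""
# The listing after "hostname sshrouter" prints the same bytes under the new name.
KEY_DATA_AFTER = KEY_DATA_BEFORE


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ios_rsa_key(key_data: str):
    """Return (modulus_bits, public_exponent) from an IOS 'Key Data' hex dump."""
    der = bytes.fromhex("".join(key_data.split()))
    tag, spki, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Key Data is not a single DER SEQUENCE")
    tag, alg_id, pos = read_tlv(spki, 0)            # AlgorithmIdentifier
    _, oid, _ = read_tlv(alg_id, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = read_tlv(spki, pos)        # subjectPublicKey BIT STRING
    if tag != 0x03 or bit_string[0] != 0:           # first byte = unused-bits count
        raise ValueError("unexpected BIT STRING")
    _, rsa_pub, _ = read_tlv(bit_string, 1)         # RSAPublicKey SEQUENCE
    _, n_bytes, pos = read_tlv(rsa_pub, 0)          # modulus INTEGER
    _, e_bytes, _ = read_tlv(rsa_pub, pos)          # publicExponent INTEGER
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def same_public_key(key_data_a: str, key_data_b: str) -> bool:
    """True when two dumps carry the same DER bytes (whitespace and case ignored)."""
    return "".join(key_data_a.split()).upper() == "".join(key_data_b.split()).upper()


if __name__ == "__main__":
    bits, e = parse_ios_rsa_key(KEY_DATA_BEFORE)
    print(f"modulus: {bits} bits, public exponent: {e}")
    print("unchanged after hostname change:", same_public_key(KEY_DATA_BEFORE, KEY_DATA_AFTER))
```

Comparing the two dumps byte for byte is the cleanest way to verify the claim in A1 from the device's own output: the label changed, the key pair did not, so clients that already trust this host key will not see a host key warning after the rename.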

Q2. Is there any other way to create RSA keys?
A2. Yes, there is. You can create RSA keys with a label you choose. In this case, you don’t need a hostname (you will always have one anyway) or an IP domain name.

ciscolab(config)#crypto key generate rsa general-keys label TEST
The name for the keys will be: TEST
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]

ciscolab(config)#

Nov 24 20:08:59: %SSH-5-ENABLED: SSH 1.5 has been enabled


Q3. May I create more than one key?
A3. Yes. You can create several key pairs and choose one of them to use with SSH. You do not need to define which key is used, but if you want to, you have to issue the “ip ssh rsa keypair-name” command in configuration mode.

ciscolab#sh crypto key mypubkey rsa
% Key pair was generated at: 20:08:59 UTC Nov 24 2007
Key name: TEST
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00BDFABF
948EF1FC 1CFC6C5C F5863980 D7D7B9E6 B256D84F 8F279E2E 63303403 A26E6160
A2928C87 4F0A846E F8A9FB0A 7D92108F ABD5734C AE7555BC 94CB13D9 41E8E04C
1514A499 68CC9925 A3DB2CFA 3176A65E 2DC504EE EF5C209E 4D348B20 9C324CBC
230451DD 96EC090C 99C5FB58 E06876D3 161E758E 486987B7 CD147AB0 0F020301 0001
% Key pair was generated at: 20:08:59 UTC Nov 24 2007
Key name: TEST.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01720103 00036B00 30680261 00AEC9A3 4078450F
B1714135 F66FC617 3083F337 1309D493 654BC77D 4D08DE27 5A54FF44 C4CE0174
507385A9 99B93D70 4E980CE1 89465B14 00E2C26D A633F1FB C4D08A90 3A8EF761
EBB41B0D C3EB2190 E4FD1E4B E519A06E 4B6BAE46 4E1FA9D8 C1020301 0001
% Key pair was generated at: 20:11:56 UTC Nov 24 2007
Key name: CHECK
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01720103 00034B00 30480241 00CCB917 D58E9D45
BC5EFF15 E2945343 18E5338B 26E1ED9F 869C2B6F 77C27595 8AC0D7B7 9D503F31
192D08EF C5DE87B5 911779BD 464913CD BB93F883 6F23AE0A 91020301 0001
ciscolab#

ciscolab(config)#ip ssh rsa keypair-name CHECK

Q4. May I open more than one session from the same computer, like with Telnet?
A4. Yes.

Q5. Is it possible to use SSH1 and SSH2 at the same time?
A5. Yes, if you don’t fix the version with the “ip ssh version” configuration command. You can use both protocols simultaneously, as shown below.

ciscolab>sh ssh
Connection Version Encryption State           Username
 0         1.5     3DES       Session started sshtest
Connection Version Mode Encryption  Hmac      State           Username
 1         2.0     IN   aes256-cbc  hmac-sha1 Session started sshtest
 1         2.0     OUT  aes256-cbc  hmac-sha1 Session started sshtest
ciscolab>

As you can see here, the SSH1 session uses 3DES and the SSH2 session uses AES.

Q6. Does SSH cause a slowdown on my device?
A6. No. I made some tests with both SSH1 and SSH2. The tests were done on a Cisco 7206 VXR, a Cisco 3845 and a Cisco 1841 with a key modulus size of 2048. On the 1841 router, key generation took some time (30-40 seconds). There was a small delay (1-2 seconds) when I first connected to the device, but the rest of the interaction was the same as with telnet. CPU utilization was at 1% and memory was OK.

Q7. I have copied my whole router / switch configuration but SSH does not work. Why?
A7. Did you generate the RSA keys? The crypto key generate command is a configuration mode command, but it is not part of the configuration. It is used to create your RSA keys and is then gone. So just copying the configuration is not enough.

Please leave a comment if you have any other questions.

SSH @ Cisco

Recently, I had to swap the Internet router of my company. BGP and CEF ate up the whole memory, and it was not possible to upgrade the memory of the Cisco 3725 router beyond 256 MB. It was time to change it.

I had a chance to install a new Cisco 3845 with 1 GB of memory. Everything was fine except the SSH access that I needed because of the security policy. I searched the web and found the “Configuring Secure Shell on Routers and Switches Running Cisco IOS” document on the Cisco web site. It was a little bit different from the current one. I made the configuration as explained, but it was not good enough and access to the router via SSH was not possible.

About one week later, I realized that:

  • SSH only supports authentication with username/password; it does not support just an access password like telnet does.
  • So, I had to create a user and set a password with the username command.
  • I had to enable aaa new-model OR issue the login local command under line vty for username/password authentication.
  • Also, a hostname and a domain name were required to generate the keys, since the router uses its FQDN as the label of the key pair.
  • SSH is enabled by default, and I do not need to enable it myself.

Necessary steps to enable SSH are mentioned below.

PRECONDITION: You need a K9 IOS (newer than 12.1) to enable SSH. Catalyst 2900 Series switches do not support SSH.

1) You MUST set a hostname
hostname ciscolab

2) You MUST set an IP domain name
ip domain-name mydomain.com

3) You MUST enable aaa new-model OR set “login local” under the vty configuration, not just “login”
aaa new-model

4) You MUST create a user
username sshtest password 0 sshpass

5) You MUST generate RSA keys
crypto key generate rsa

If you already have RSA keys, you will receive a message; type yes:
% You already have RSA keys defined named ciscolab.mydomain.com.
% Do you really want to replace them? [yes/no]: yes

It will ask for the modulus size; 1024 is fine (it depends on your security needs):
How many bits in the modulus [512]: 1024

6) You MUST set the vty access method to all OR ssh (if you choose ssh, telnet will be disabled)
line vty 0 4
transport input ssh

7) Using SecureCRT (licensed) or PuTTY (free), choose SSH1 (SSH in PuTTY) for the protocol, enter the hostname or IP address and click Connect (Open in PuTTY). It will ask for the username and password. Do not touch the other settings; you do not need them.
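Steps 1 to 6 are exactly the things worth checking when a configuration was copied from another device and SSH still fails. The following added Python example (written for this page, not from the original post or from Cisco) audits a configuration text against those steps. The two configurations it runs on are constructed here; the hostname, domain and username values are the post's. Step 5 is deliberately absent from the checks, because the RSA key pair never appears in the configuration and can only be verified on the device with show crypto key mypubkey rsa.

```python
# Added example (not from the original post): audit an IOS configuration
# text against steps 1-6 of the SSH procedure above. It parses plain
# "show running-config" style text and reports which steps are missing.
import re
from typing import Dict, List, Tuple

# Constructed sample configurations (values from the post where it has them).
GOOD_CONFIG = """\
hostname ciscolab
!
ip domain-name mydomain.com
!
aaa new-model
!
username sshtest password 0 sshpass
!
line vty 0 4
 transport input ssh
!
"""

BAD_CONFIG = """\
hostname Router
!
username sshtest password 0 sshpass
!
line vty 0 4
 login
 transport input telnet
!
"""


def parse_ios_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into top-level lines and the indented lines under each."""
    top, children, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:   # IOS indents sub-modes by one space
            children[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            children[current] = []
    return top, children


def audit_ssh_prereqs(config_text: str) -> Dict[str, bool]:
    """Return {step: satisfied} for the steps that can be read from the configuration."""
    top, children = parse_ios_config(config_text)
    vty_blocks = [children[line] for line in top if line.startswith("line vty")]

    def every_vty(pred) -> bool:
        # the condition must hold in every vty block, otherwise one range is left open
        return bool(vty_blocks) and all(any(pred(c) for c in block) for block in vty_blocks)

    return {
        "1 hostname":                     any(l.startswith("hostname ") for l in top),
        # both spellings occur: "ip domain-name" (older) and "ip domain name" (newer IOS)
        "2 ip domain-name":               any(re.match(r"ip domain[- ]name \S+", l) for l in top),
        "3 aaa new-model or login local": ("aaa new-model" in top
                                           or every_vty(lambda c: c == "login local")),
        "4 username":                     any(l.startswith("username ") for l in top),
        # the default transport depends on the IOS release, so insist on an explicit line
        "6 transport input ssh|all":      every_vty(
            lambda c: c.startswith("transport input ")
            and bool({"ssh", "all"} & set(c.split()[2:]))),
    }


def missing_prereqs(config_text: str) -> List[str]:
    """The steps from the procedure that this configuration does not satisfy."""
    return [step for step, ok in audit_ssh_prereqs(config_text).items() if not ok]


if __name__ == "__main__":
    for name, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("BAD_CONFIG", BAD_CONFIG)):
        gaps = missing_prereqs(cfg)
        print(name, "missing:", gaps or "nothing; now check 'show crypto key mypubkey rsa'")
```

An empty result means only that the configuration side is complete; the key pair (step 5) still has to exist on the device, which is the point of Q7 in the Advanced SSH settings article.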

If you are able to access your device with SSH and still have some other questions, please have a look at Advanced SSH settings for Cisco IOS.