5. As soon as the user has successfully authenticated, a timer begins for each user profile. As long as traffic is being passed through the firewall, the user will not have to reauthenticate. If the authentication timer expires, the user must reauthenticate before traffic is permitted through the firewall again.
Comparison with the Lock-and-Key Feature
Another feature that utilizes authentication and dynamic access control lists is the Lock-and-Key Access List, described in Chapter 2, “Traffic Filtering on the Cisco IOS.” Table 6.13 compares the authentication proxy to the features of Lock-and-Key.
Table 6.13 Lock-and-Key Comparison

Authentication Proxy | Lock-and-Key
---------------------|-------------
Triggers on HTTP connection requests. | Triggers on Telnet connection requests.
TACACS+ or RADIUS authentication and authorization. | TACACS+, RADIUS, or local authentication.
Access lists are retrieved from the AAA server only. | Access lists are configured on the router only.
Access privileges are granted on a per-user and host IP address basis. | Access privileges are granted based on the user’s host IP address.
Access lists can have multiple entries as defined by the user profiles on the AAA server. | Access lists are limited to one entry for each host IP address.
Allows DHCP-based host IP addresses, meaning that users can log in from any host location and obtain authentication and authorization. | Associates a fixed IP address with a specific user. Users must log in from the host with that IP address.
Benefits of Authentication Proxy
Every policy or networking concept has its advantages and disadvantages. The following are some of the benefits provided by the authentication proxy:
■ It provides dynamic, per-user authentication and authorization, authenticating users by querying a server through TACACS+ or RADIUS security protocols.
■ It allows ACLs to be altered dynamically by changing the source IP address to the IP address assigned to the workstation. This makes it easier for administrators who use DHCP-assigned IP addresses.
■ Since authentication and authorization are being used, it aids in the overall security policy of a company.
■ User profiles can be tailored on a user-by-user basis. I may be able to access FTP, Telnet, and HTTP services, whereas another individual may be permitted to use HTTP only.
■ Probably one of the greatest benefits of the authentication proxy is that no special client software is needed. Only an HTTP browser (which is typically installed on clients anyway) is needed. This makes it completely transparent to the client (apart from entering their username and password).
Restrictions of Authentication Proxy
As we stated earlier, there are always some minor restrictions when implementing a protocol or policy. The restrictions of the authentication proxy are as follows:
■ Only HTTP connections will trigger the authentication proxy.
■ HTTP services must be running on the default (well-known) port 80.
■ Accounting is not currently supported in IOS 5.2.
■ JavaScript must be enabled in the client browsers.
■ The authentication proxy access lists apply to traffic passing through the PIX. Traffic destined to the router is authenticated by the existing authentication methods on the IOS software.
■ The authentication proxy does not support concurrent usage. For example, if two separate users attempt to log in from the same workstation, authentication and authorization will apply only to the first user who successfully authenticated. The second user will be unable to authenticate and unable to pass traffic through the
■ Load balancing through multiple AAA servers is currently not supported.
Configuring Authentication Proxy
The first step in configuring the authentication proxy is to specify the AAA server in which authentication will occur. This section will focus on the configuration of the authentication proxy on the PIX.
Use the auth-proxy keyword, for example:

    aaa new-model
This command enables AAA functionality on the router.

    aaa-server radiusserver protocol radius
This defines a list of authentication methods at login.

    aaa authorization auth-proxy default
This uses the auth-proxy keyword to enable authentication proxy for AAA methods.

    aaa-server radius (inside) host 192.168.1.10 radiuskey
    aaa-server tacacs+ (inside) host 192.168.1.20 tacacskey
This specifies a TACACS+ and a RADIUS AAA server. Specify the TACACS+ and RADIUS encryption keys for communications between the router and the AAA server.

    access-list 110 permit tcp host 192.168.1.10 eq tacacs host 192.168.1.1
This creates an ACL entry to allow the AAA server to return traffic to the firewall. The source address is the IP address of the AAA server, and the destination is the IP address of the router interface where the AAA server resides.

The authentication proxy also requires a per-user access profile configuration on the AAA server. Refer to the vendor’s documentation on how to configure authentication proxy on the AAA server.
Configuring the HTTP Server
To use the authentication proxy, the HTTP server must be enabled on the firewall or router, and the authentication method should be set to use AAA. To do this, perform these commands:

    ip http server
This enables the HTTP server. The authentication proxy uses the HTTP server to communicate with the client for user authentication.

    ip http authentication aaa
This sets the HTTP server authentication method to AAA.

    ip http access-class 110
This specifies the access list for the HTTP server. Use the access list number that was configured previously.
Configure Authentication Proxy
Finally, to configure the authentication proxy, use the commands shown in Table 6.14 in global configuration mode.

Table 6.14 Configuring Authentication Proxy

Command: ip auth-proxy auth-cache-time min
Description: Set the global authentication proxy idle timeout value in minutes. If the timeout expires, user authentication entries are removed, along with any associated dynamic access lists. The default value is 60 minutes.

Command: ip auth-proxy auth-proxy-banner
Description: (Optional) Display the name of the firewall router in the authentication proxy login page. The banner is disabled by default.

Command: ip auth-proxy name auth-proxy-name http [auth-cache-time min] [list std-access-list]
Description: Create authentication proxy rules. The rules define how you apply authentication proxy. This command associates connection-initiating HTTP protocol traffic with an authentication proxy name. You can associate the named rule with an access control list, providing control over which hosts use the authentication proxy feature. If no standard access list is defined, the named authentication proxy rule intercepts HTTP traffic from all hosts whose connection-initiating packets are received at the configured interface.
    auth-proxy-name: Name of the authentication proxy.
    auth-cache-time: Optional keyword to override the global authentication proxy cache timer. This provides more control over timeout values. If no value is specified, the proxy assumes the value set with the ip auth-proxy auth-cache-time command.
    list: Optional keyword to specify the standard access list to apply to a named authentication proxy rule. HTTP connections initiated from hosts defined in the access list are intercepted by the authentication proxy.
    std-access-list: Specify the standard access list for use with the list keyword.

Command: interface type
Description: Enter interface configuration mode by specifying the interface type on which to apply the proxy. For example, interface Ethernet0.

Command: ip auth-proxy auth-proxy-name
Description: In interface configuration mode, apply the named authentication proxy rule at the interface. This command enables the authentication proxy with that name.
Authentication Proxy Configuration Example
The following example shows how to configure the authentication proxy on a firewall:

    aaa authentication login default tacacs+ radius
    aaa authorization auth-proxy default tacacs+ radius
This sets up the aaa new model to use authentication proxy.

    aaa-server radius (inside) host 192.168.1.10 radiuskey
    aaa-server tacacs+ (inside) host 192.168.1.20 tacacskey
This defines the AAA servers and keys.

    ip http server
This enables the HTTP server on the router.

    ip http authentication aaa
This sets the HTTP server authentication method to AAA.

    access-list 20 deny any
    ip http access-class 20
This uses ACL 20 to deny connections from any host to the HTTP server.

    ip auth-proxy auth-cache-time 60
This sets the global authentication proxy timeout value.

    ip auth-proxy name Corp_users http
This applies a name to the authentication proxy configuration rule.

    interface ethernet0
    ip address 192.168.1.1
    ip auth-proxy Corp_users
This enters interface configuration mode and applies the authentication proxy rule to the interface.
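The behaviour the configuration above sets up, modelled in Python as an added illustration (this is not Cisco code and not from the page): the per-host cache entry that step 5 describes, whose idle timer is restarted by traffic passing the firewall and which is removed together with its dynamic access list once auth-cache-time minutes pass without traffic; the dynamic ACL built from the user's AAA profile by substituting the workstation's IP address as the source; the HTTP-only trigger; and the restriction that a second user cannot authenticate from a workstation that already has an active entry. The user profiles, passwords, host addresses and packet timings are constructed, the AAA server is stood in for by a dictionary, and the timer defaults to the 60 minutes given for auth-cache-time in Table 6.14.

```python
"""Constructed model of the IOS authentication proxy cache (added illustration)."""
import re
from dataclasses import dataclass

AUTH_CACHE_TIME_MIN = 60  # default global idle timer from Table 6.14

# Constructed stand-in for the per-user profiles held on the AAA server.
# Each entry is (password, ACL template lines); "any any" is rewritten to the
# authenticating workstation's IP address when the dynamic ACL is installed.
AAA_PROFILES = {
    "alice": ("alice-pw", ["permit tcp any any eq 21",
                           "permit tcp any any eq 23",
                           "permit tcp any any eq 80"]),
    "bob":   ("bob-pw",   ["permit tcp any any eq 80"]),
}

_ACE = re.compile(r"permit tcp host (\S+) any eq (\d+)$")


@dataclass
class CacheEntry:
    user: str
    last_seen: float      # minutes; time of the last packet permitted through
    dynamic_acl: list     # ACEs with the host's IP substituted as the source


class AuthProxy:
    def __init__(self, cache_time_min=AUTH_CACHE_TIME_MIN):
        self.cache_time = cache_time_min
        self.entries = {}  # host IP -> CacheEntry

    def expire(self, now):
        """Remove entries idle for auth-cache-time or longer, with their dynamic ACLs."""
        stale = [ip for ip, e in self.entries.items()
                 if now - e.last_seen >= self.cache_time]
        for ip in stale:
            del self.entries[ip]

    def login(self, host_ip, user, password, now):
        """Credentials submitted on the login page; True once the dynamic ACL is installed."""
        self.expire(now)
        if host_ip in self.entries:
            return False  # no concurrent usage: the first user owns the workstation
        profile = AAA_PROFILES.get(user)
        if profile is None or profile[0] != password:
            return False
        acl = [ace.replace("any any", f"host {host_ip} any", 1) for ace in profile[1]]
        self.entries[host_ip] = CacheEntry(user, now, acl)
        return True

    def packet(self, host_ip, dst_port, now):
        """Decide a packet: 'permit', 'deny', or 'intercept' (serve the login page)."""
        self.expire(now)
        entry = self.entries.get(host_ip)
        if entry is None:
            # Only HTTP connections trigger the proxy; anything else is simply dropped.
            return "intercept" if dst_port == 80 else "deny"
        for ace in entry.dynamic_acl:
            m = _ACE.match(ace)
            if m and m.group(1) == host_ip and int(m.group(2)) == dst_port:
                entry.last_seen = now  # traffic through the firewall restarts the idle timer
                return "permit"
        return "deny"


if __name__ == "__main__":
    proxy = AuthProxy()
    print(proxy.packet("192.168.1.50", 80, 0))                 # intercept
    print(proxy.login("192.168.1.50", "alice", "alice-pw", 0))  # True
    print(proxy.packet("192.168.1.50", 23, 30))                # permit
    print(proxy.packet("192.168.1.50", 23, 150))               # deny: entry expired
```

The sweep in expire() runs on every event instead of a real timer, which is enough to show the two transitions that matter operationally: an entry stays alive as long as permitted traffic keeps arriving inside the window, and once it lapses the host drops back to the unauthenticated state, where non-HTTP traffic is denied and HTTP is intercepted for a fresh login.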
Summary
In this chapter we discussed the mechanisms (authentication, authorization, and accounting) that make up AAA, and we discussed how to configure them on Cisco devices.
As we stated earlier, authentication is the process of verifying the identity of an entity. Authorization is the process of giving permission to an entity to access a system resource. Accounting enables the network manager to keep track of the services and resources that are used by the users.
It is important to remember that a simple login and password may not be enough security to protect data or access to various services. AAA can be used to provide a complete solution in which authentication, authorization, and accounting will give a company complete control over their assets and who has the ability to access them, as well as an audit trail that can be logged for future reference.
FAQs
Q: Should I use RADIUS or TACACS+ as my security protocol?
A: Various factors come into play on this question. If encryption and a connection-oriented authorization request is important, then TACACS+ would be the best choice. Recall that TACACS+ uses TCP as its transport protocol and it encrypts the entire body of the packet when sending information back and forth; RADIUS uses UDP for its transport protocol, and it encrypts the password in the access-request packet only when sending information back and forth.
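The distinction the answer draws, shown in Python as an added illustration (not code from the page or from Cisco): RADIUS hides only the User-Password attribute value, using the chained MD5 XOR of RFC 2865 section 5.2, so the User-Name and every other attribute cross the network in clear text; TACACS+ XORs the entire packet body with the MD5 pseudo-pad of RFC 8907 section 4.5, so nothing in the body is readable without the shared key. The shared secrets, Request Authenticator, session id, user name, password and TACACS+ port/remote-address fields are constructed sample values.

```python
"""Added illustration of RADIUS password hiding versus TACACS+ body obfuscation."""
import hashlib
import struct


def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 sec. 5.2: 16-byte blocks XORed with a chained MD5 stream."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()   # b_i = MD5(S + c_{i-1}); c_0 = RA
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev
    return bytes(hidden)


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password, as the RADIUS server performs it."""
    plain, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        plain += bytes(c ^ b for c, b in zip(prev, block))
    return bytes(plain).rstrip(b"\x00")


def radius_access_request_attrs(secret, authenticator, username: bytes, password: bytes) -> bytes:
    """User-Name (type 1) and User-Password (type 2) attributes in TLV form."""
    hidden = radius_hide_password(secret, authenticator, password)
    return (bytes([1, 2 + len(username)]) + username
            + bytes([2, 2 + len(hidden)]) + hidden)


def radius_parse_attrs(blob: bytes) -> dict:
    """Parse attribute TLVs back into {type: value}, as a packet sniffer would."""
    attrs, i = {}, 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs[attr_type] = blob[i + 2:i + length]
        i += length
    return attrs


def tacacs_pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 sec. 4.5: MD5_1 = MD5(session_id, key, version, seq_no), MD5_n = MD5(..., MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the whole body with the pseudo-pad; the same call reverses it."""
    pad = tacacs_pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START body: action LOGIN, priv_lvl 1, type ASCII, service LOGIN."""
    fixed = bytes([0x01, 0x01, 0x01, 0x01, len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def wire_exposure(secret, authenticator, key, session_id, username: bytes, password: bytes) -> dict:
    """What an eavesdropper on the link can read from each protocol's login exchange."""
    radius = radius_access_request_attrs(secret, authenticator, username, password)
    tacacs = tacacs_obfuscate(key, session_id, 0xC0, 1,   # version 0xC0 = major 0xC, minor 0
                              tacacs_authen_start_body(username, b"tty0", b"192.168.1.50"))
    return {
        "radius_username_cleartext": username in radius,
        "radius_password_cleartext": password in radius,
        "tacacs_username_cleartext": username in tacacs,
    }
```

Both schemes derive their keystream from a shared secret with MD5 and provide no integrity protection; RFC 8907 itself calls the TACACS+ method obfuscation rather than encryption. What the answer's distinction buys in practice is the difference between a RADIUS capture that exposes user names, NAS addresses and attribute values outright and a TACACS+ capture that exposes nothing of the body without the key, which is also why the strength of the aaa-server key matters for both.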
Q: Where can I find a RADIUS or TACACS+ server/daemon?
A: There are several programs available to be used as a RADIUS or TACACS+ server, for example:
■ Cisco Secure ACS
■ Lucent RADIUS
■ RADIUS-VMS Server
Q: I want to use TACACS+ or RADIUS for authentication with the enable password, but what happens if my security server is unavailable?
A: There are two common ways in which you can use authentication for the enable password on a Cisco router. You can simply use the local router enable password, or if you are going to configure authentication with a security protocol, use the enable keyword when defining the methods in which the enable password will be authenticated. For example:

    aaa authentication login admin-enable tacacs+ enable
In this case, if the TACACS+ server is unavailable, the locally configured enable password can be used for authentication.
Chapter 7
Intrusion Detection
Solutions in this chapter:
■ Network Attacks and Intrusions
■ Network and Host-Based Intrusion Detection
■ Cisco Secure Scanner (NetSonar)
■ Cisco Secure Integrated Software and IOS IDS (Firewall Feature Set)
■ Cisco Secure Intrusion Detection System (NetRanger)
Introduction
A properly configured firewall can do a good job at protecting servers, but if your server needs to be visible from a public network then total protection is impossible. From an attacker’s view of your network, any visible services are likely to be chosen as the first ones to be probed and attacked. Also, if the security policies applied on your firewall allow Web access to your public server, then that same service can be used to attack the server for known vulnerabilities.
A popular attack against public servers is called a Denial of Service (DoS) attack. This renders the service or server unavailable. Several other types of attacks and intrusions must be investigated in order to understand the role the intrusion detection system can play in your network.
Firewalls, workstation security, and well-written software all contribute to a secure network. Because we can never be completely sure that best practices have been followed, a detection system is a logical next step. The IDS is your best ally against intrusions.
An intrusion detection system gives the network or security manager a tool to detect and react rapidly to an attack on the network. This chapter will investigate the various types of attacks and intrusions as well as describe the tools available from Cisco to implement an intrusion detection system.
What Is Intrusion Detection?
Intrusion detection is the ongoing process of searching for security violations on your network; this includes proactive and reactive detection of vulnerabilities, analysis, and corresponding responses.
Network Attacks and Intrusions
Let’s start with a simple analogy. Imagine you have spent time, money, and effort working hard on your house to make it just the way that you want it. Now you remove your curtains, leave the front door open, leave the keys outside the front door, and learn that the other doors are easily broken into. None of these issues make you feel comfortable, and you quickly realize that even though everything inside is perfect, anyone can get in easily and mess it up. Who knows? You might even meet someone at the door impersonating the telephone repairman.
As a measure to protect your home, you would probably install a burglar alarm and a good set of locks. As an analogy to systems that take action against intruders, you might even decide to install a trap door to aggressively identify and trap them! Part of the overall solution you would use to make your home secure is analogous to the intrusion detection system available from Cisco Systems.
The first step is for us to identify what an attack or intrusion is. Any action that violates the security policy of your organization should be considered a threat, but broadly speaking, attacks and intrusions can be summarized as an exploitation of:
■ Poor network perimeter/device security
■ Poor physical security
■ Application and operating software weaknesses
■ Human failure
■ Weaknesses in the IP suite of protocols
Before we look at these threats in more detail, let me suggest that you assume a shrewd mindset; it helps when it comes to learning about intrusion detection.
Poor Network Perimeter/Device Security
This can be described as the ease of access to devices across the network. Without access control using a firewall or a packet filtering router, the network is vulnerable.
Network Sniffers
A few years ago I worked in the IT department for a large investment house. I remember helping to tune an application that some developers were working on. The application contained sensitive information regarding the company’s financial strategies. My role was to analyze the traffic to compare performance from one version of code to the next. In the network trace I came across some frames containing usernames and cleartext passwords. I informed the application developers, and they quickly fixed the problem. If it wasn’t for my upbringing, I could have easily signed on to the application and then used that information to tamper with the records.
This method of intrusion is called eavesdropping, or packet snooping, and the type of network technology implemented directly influences its susceptibility. For instance, shared networks are easier to eavesdrop on than switched networks.
Scanner Programs
Certain types of software such as Solarwinds are able to scan entire networks, produce detailed reports on what ports are in use, perform password cracking, and view account details on servers. Although this is a very useful tool if used for the purpose of legitimate network auditing, in the wrong hands, it could be devastating. Scanning software commonly uses one or more of the following methods:
■ Ping sweep
■ SNMP sweep
■ TCP/UDP port scans
■ Scanning logon accounts
Approaching the millennium, I performed a global scan for a company using an SNMP sweep program. The objective was to ensure that all network devices were running at a compliant release of software. This was surprisingly easy, and I even ended up accidentally scanning some devices outside the perimeter of our network inside the carrier’s network. Incidentally, one device in their network was not Y2K compliant and was upgraded at our request!
Network Topology
Shared networks are easier to eavesdrop on as all traffic is visible from everywhere on that shared media. Switched networks on the other hand are more secure since by default, there is no single viewpoint for traffic. Cisco Catalyst switches have a feature that is used for troubleshooting where you can mirror traffic from VLANs or switch ports to a single designated switch port called the span port. Once you plug your sniffer into the span port, you easily can view traffic in different VLANs by making configuration changes.
Thankfully, most organizations are moving away from shared media for multiple benefits, including improved security and performance.
Unattended Modems
Installing a modem on a PC for remote access allows a quick and easy way
to access the network from home. Unfortunately, this also means that the
modem and PC may be prone to attack when you are not there. It is not
generally possible to detect modems attached to PCs using most types of
network auditing systems, so tighter software control and education of the
user community is the best solution. If access is essential, you should
explain the benefits of using the (secure) corporate remote access solution
instead.
Poor Physical Security
There are simple security measures that can be taken in the physical world to ensure better security for your systems. Locking your doors is obviously a good common-sense start, but there are often a number of simple procedures and safeguards that companies could perform and implement that, for one reason or another, they do not.
I recently read an article in Packet that described a theft in California of a file server that contained over 300,000 credit card numbers. The thief just unplugged the server and walked out with it. A simple tagging system would have done the trick, as alarms would have sounded when the machine was removed; even a paper authorization system would have worked. After all, it’s pretty simple to bypass security on routers and switches if you can get to the console port, or in the case of servers you can remove the hard disks and reinstall them elsewhere.
Application and Operating Software Weaknesses
In this context, software is a term that describes the operating system as well as the packages that run under its control. Most software is or has been deficient at some point in its life, and it is not always attributed to poor programming either. For example, sometimes commercial pressures can force a company to release software early, before it is debugged completely.
Software Bugs
Most bugs are based on buffer overflows, unexpected input combinations,
and the exploitation of multithread scheduling. An example of this is where
the cracker tries to race the legitimate code in making modifications to files
in the hope of updating a password file and not causing a software failure;
this is called a race condition.
Web Server/Browser-based Attacks
The Internet is one of the fastest moving areas at present and, as such,
Web applications are often hastily written. General software bugs and
browser configuration errors all provide vulnerabilities for the wily attacker
to break in.
Getting Passwords—Easy Ways in
Cracking Programs
Most people have created a simple password based on objects that are easy to remember, such as a name or favorite color at some point or other. In the ten to fifteen companies I’ve worked for, I don’t recall seeing good password practices being enforced very often. It’s quite simple to get someone else’s password; many times, all you have to do is ask.
Some other ways that passwords might be obtained are:
■ Observation, over the shoulder.
■ Gaining access to password files.
■ Using a sniffer to look for clear text passwords.
■ Replaying logon traffic recorded on a sniffer that contains the encrypted password.
■ Dictionary-based attacks, where a software program runs through every word in a dictionary database.
■