
5. As soon as the user has successfully authenticated, a timer begins for each user profile. As long as traffic is being passed through the firewall, the user will not have to reauthenticate. If the authentication timer expires, the user must reauthenticate before traffic is permitted through the firewall again.

Comparison with the Lock-and-Key Feature

Another feature that utilizes authentication and dynamic access control lists is the Lock-and-Key Access List, described in Chapter 2, “Traffic Filtering on the Cisco IOS.” Table 6.13 compares the authentication proxy to the features of Lock-and-Key.

Table 6.13 Lock-and-Key Comparison

Authentication Proxy | Lock-and-Key
Triggers on HTTP connection requests. | Triggers on Telnet connection requests.
TACACS+ or RADIUS authentication and authorization. | TACACS+, RADIUS, or local authentication.
Access lists are retrieved from the AAA server only. | Access lists are configured on the router only.
Access privileges are granted on a per-user and host IP address basis. | Access privileges are granted based on the user’s host IP address.
Access lists can have multiple entries as defined by the user profiles on the AAA server. | Access lists are limited to one entry for each host IP address.
Allows DHCP-based host IP addresses, meaning that the users can log in from any host location and obtain authentication and authorization. | Associates a fixed IP address with a specific user. Users must log in from the host with that IP address.


Benefits of Authentication Proxy

Every policy or networking concept has its advantages and disadvantages. The following are some of the benefits provided by the authentication proxy:

It provides dynamic, per-user authentication and authorization, authenticating users by querying a server through TACACS+ or RADIUS security protocols.

It allows ACLs to be altered dynamically by changing the source IP address to the IP address assigned to the workstation. This makes it easier for administrators who use DHCP-assigned IP addresses.

Since authentication and authorization are being used, it aids in the overall security policy of a company.

User profiles can be tailored on a user-by-user basis. I may be able to access FTP, Telnet, and HTTP services, whereas another individual may be permitted to use HTTP only.

Probably one of the greatest benefits of the authentication proxy is that no special client software is needed. Only an HTTP browser (which is typically installed on clients anyway) is needed. This makes it completely transparent to the client (apart from entering their username and password).

Restrictions of Authentication Proxy

As we stated earlier, there are always some minor restrictions when implementing a protocol or policy. The restrictions of the authentication proxy are as follows:

Only HTTP connections will trigger the authentication proxy.

HTTP services must be running on the default (well-known) port 80.

Accounting is not currently supported in IOS 5.2.

JavaScript must be enabled in the client browsers.

The authentication proxy access lists apply to traffic passing through the PIX. Traffic destined to the router is authenticated by the existing authentication methods on the IOS software.

The authentication proxy does not support concurrent usage. For example, if two separate users attempt to log in from the same workstation, authentication and authorization will apply only to the first user who successfully authenticated. The second user will be unable to authenticate and unable to pass traffic through the

Cisco Authentication, Authorization, and Accounting Mechanisms • Chapter 6 283

Load balancing through multiple AAA servers is currently not supported.
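To make the idle timer from step 5 and the concurrent-usage restriction concrete, here is an added example (not code from the book or from Cisco) that models the proxy's per-host cache in Python; the host addresses, user names and AAA profiles are constructed sample values.

```python
# Added example (not from the book): a model of the authentication proxy's
# per-host cache, showing the idle timer that starts after a successful login,
# how permitted traffic keeps the entry alive, expiry after auth-cache-time,
# and the one-user-per-host restriction described in the text.
from dataclasses import dataclass


@dataclass
class CacheEntry:
    user: str
    acl: list             # dynamic ACL entries retrieved from the user's AAA profile
    last_activity: float  # login time, or the last packet that matched the entry


class AuthProxyCache:
    def __init__(self, auth_cache_time_min=60):
        # "ip auth-proxy auth-cache-time" is expressed in minutes; the default is 60
        self.timeout = auth_cache_time_min * 60
        self.entries = {}  # keyed by host IP address, as the proxy does

    def login(self, host_ip, user, now, aaa_profiles):
        """Create an entry for host_ip. Only one user per host is supported."""
        self.expire(now)
        if host_ip in self.entries:
            return False  # concurrent use from the same workstation is refused
        if user not in aaa_profiles:
            return False  # AAA server has no profile: no dynamic ACL, no entry
        self.entries[host_ip] = CacheEntry(user, list(aaa_profiles[user]), now)
        return True

    def permit(self, host_ip, proto, dst_port, now):
        """Decide a packet from host_ip; permitted traffic refreshes the timer."""
        self.expire(now)
        entry = self.entries.get(host_ip)
        if entry is None:
            return False  # no cache entry: the user must authenticate first
        if (proto, dst_port) in entry.acl:
            entry.last_activity = now  # traffic through the firewall keeps the user logged in
            return True
        return False  # not in this user's dynamic ACL

    def expire(self, now):
        """Drop entries idle for auth-cache-time, together with their dynamic ACLs."""
        idle = [ip for ip, e in self.entries.items() if now - e.last_activity >= self.timeout]
        for ip in idle:
            del self.entries[ip]


if __name__ == "__main__":
    # constructed per-user profiles, as the AAA server would return them
    profiles = {"alice": [("tcp", 80), ("tcp", 21)], "bob": [("tcp", 80)]}
    cache = AuthProxyCache(auth_cache_time_min=60)
    print(cache.login("10.0.0.5", "alice", 0, profiles))     # True
    print(cache.login("10.0.0.5", "bob", 10, profiles))      # False: host already has a user
    print(cache.permit("10.0.0.5", "tcp", 80, 100))          # True, timer refreshed
    print(cache.permit("10.0.0.5", "tcp", 80, 100 + 3600))   # False: idle for 60 min, expired
```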

Configuring Authentication Proxy

The first step in configuring the authentication proxy is to specify the AAA server in which authentication will occur. This section will focus on the configuration of the authentication proxy on the PIX. Use the auth-proxy keyword, for example:

aaa new-model

This command enables AAA functionality on the router.

aaa-server radiusserver protocol radius

This defines a list of authentication methods at login.

aaa authorization auth-proxy default

This uses the auth-proxy keyword to enable authentication proxy for AAA methods.

aaa-server radius (inside) host 192.168.1.10 radiuskey
aaa-server tacacs+ (inside) host 192.168.1.20 tacacskey

This specifies a TACACS+ and RADIUS AAA server. Specify the TACACS+ and RADIUS encryption key for communications between the router and the AAA server.

access-list 110 permit tcp host 192.168.1.10 eq tacacs host 192.168.1.1

This creates an ACL entry to allow the AAA server to return traffic to the firewall. The source address is the IP address of the AAA server, and the destination is the IP address of the router interface where the AAA server resides.

The authentication proxy also requires a per-user access profile configuration on the AAA server. Refer to the vendor’s documentation on how to configure authentication proxy on the AAA server.

Configuring the HTTP Server

To use the authentication proxy, the HTTP server must be enabled on the firewall or router, and the authentication method should be set to use AAA. To do this, perform these commands:

ip http server

This enables the HTTP server. The authentication proxy uses the HTTP server to communicate with the client for user authentication.

ip http authentication aaa

This sets the HTTP server authentication method to AAA.

ip http access-class 110

This specifies the access list for the HTTP server. Use the access list number that was configured previously.

Configure Authentication Proxy

Finally, to configure the authentication proxy, use the commands shown in Table 6.14 in global configuration mode.

Table 6.14 Configuring Authentication Proxy

Command | Description
ip auth-proxy auth-cache-time min | Set the global authentication proxy idle timeout value in minutes. If the timeout expires, user authentication entries are removed, along with any associated dynamic access lists. The default value is 60 minutes.
ip auth-proxy auth-proxy-banner | (Optional) Display the name of the firewall router in the authentication proxy login page. The banner is disabled by default.
ip auth-proxy name auth-proxy-name http [auth-cache-time min] [list std-access-list] | Create authentication proxy rules. The rules define how you apply authentication proxy. This command associates connection-initiating HTTP protocol traffic with an authentication proxy name. You can associate the named rule with an access control list, providing control over which hosts use the authentication proxy feature. If no standard access list is defined, the named authentication proxy rule intercepts HTTP traffic from all hosts whose connection-initiating packets are received at the configured interface.
    auth-proxy-name: Name of the authentication proxy.
    auth-cache-time: Optional keyword to override the global authentication proxy cache timer. This provides more control over timeout values. If no value is specified, the proxy assumes the value set with the ip auth-proxy auth-cache-time command.
    list: Optional keyword to specify the standard access list to apply to a named authentication proxy rule. HTTP connections initiated from hosts defined in the access list are intercepted by the authentication proxy.
    std-access-list: Specify the standard access list for use with the list keyword.
interface type | Enter interface configuration mode by specifying the interface type on which to apply the proxy. For example, interface Ethernet0.
ip auth-proxy auth-proxy-name | In interface configuration mode, apply the named authentication proxy rule at the interface. This command enables the authentication proxy with that name.

Authentication Proxy Configuration Example

The following example shows how to configure the authentication proxy on a firewall:

aaa authentication login default tacacs+ radius
aaa authorization auth-proxy default tacacs+ radius

This sets up the aaa new model to use authentication proxy.

aaa-server radius (inside) host 192.168.1.10 radiuskey
aaa-server tacacs+ (inside) host 192.168.1.20 tacacskey

This defines the AAA servers and keys.

ip http server

This enables the HTTP server on the router.

ip http authentication aaa

This sets the HTTP server authentication method to AAA.

access-list 20 deny any
ip http access-class 20

This uses ACL 20 to deny connections from any host to the HTTP server.

ip auth-proxy auth-cache-time 60

This sets the global authentication proxy timeout value.

ip auth-proxy name Corp_users http

This applies a name to the authentication proxy configuration rule.

interface ethernet0
ip address 192.168.1.1
ip auth-proxy Corp_users

This enters interface configuration mode and applies the authentication proxy rule to the interface.
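As an added example (not from the book or from Cisco), the following Python script audits a configuration for the pieces this section assembles: the AAA and HTTP-server commands, the ACL that the access-class refers to, and that every rule applied on an interface has been defined with ip auth-proxy name. The sample configuration is constructed from the example above, with a subnet mask added and one required command deliberately left out.

```python
# Added example (not from the book): an audit of the authentication proxy
# configuration pieces this section walks through. It reads IOS-style
# configuration text and reports what is missing or inconsistent.
REQUIRED_GLOBALS = (
    "aaa new-model",                         # enables AAA on the router
    "aaa authorization auth-proxy default",  # auth-proxy authorization method list
    "ip http server",                        # the proxy talks to the browser via this server
    "ip http authentication aaa",            # the HTTP server must authenticate through AAA
)

# Constructed sample: the book's example plus a mask, minus "ip http authentication aaa".
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login default tacacs+ radius
aaa authorization auth-proxy default tacacs+ radius
ip http server
access-list 20 deny any
ip http access-class 20
ip auth-proxy auth-cache-time 60
ip auth-proxy name Corp_users http
interface ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip auth-proxy Corp_users
!
"""


def audit_auth_proxy(config):
    """Return a list of findings; an empty list means the pieces fit together."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = [f"missing: {req}" for req in REQUIRED_GLOBALS
                if not any(l.startswith(req) for l in lines)]
    defined, applied, acls, access_class = set(), set(), set(), []
    in_interface = False
    for line in lines:
        words = line.split()
        if line.startswith("interface "):
            in_interface = True
        elif line == "!":
            in_interface = False       # IOS closes a configuration block with "!"
        elif line.startswith("ip auth-proxy name "):
            defined.add(words[3])      # global rule definition
        elif line.startswith("ip auth-proxy ") and in_interface:
            applied.add(words[2])      # rule applied on an interface
        elif line.startswith("access-list "):
            acls.add(words[1])
        elif line.startswith("ip http access-class "):
            access_class.append(words[3])
    for name in sorted(applied - defined):
        findings.append(f"interface applies undefined auth-proxy rule {name}")
    if not applied:
        findings.append("no interface applies an auth-proxy rule")
    for num in access_class:
        if num not in acls:
            findings.append(f"ip http access-class {num} refers to an undefined ACL")
    return findings


if __name__ == "__main__":
    for finding in audit_auth_proxy(SAMPLE_CONFIG):
        print(finding)   # reports the missing "ip http authentication aaa"
```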

Summary

In this chapter we discussed the mechanisms (authentication, authorization, and accounting) that make up AAA, and we discussed how to configure them on Cisco devices.

As we stated earlier, authentication is the process of verifying the identity of an entity. Authorization is the process of giving permission to an entity to access a system resource. Accounting enables the network manager to keep track of the services and resources that are used by the users.

It is important to remember that a simple login and password may not be enough security to protect data or access to various services. AAA can be used to provide a complete solution in which authentication, authorization, and accounting will give a company complete control over their assets and who has the ability to access them, as well as an audit trail that can be logged for future reference.


FAQs

Q: Should I use RADIUS or TACACS+ as my security protocol?

A: Various factors come into play on this question. If encryption and a connection-oriented authorization request is important, then TACACS+ would be the best choice. Recall that TACACS+ uses TCP as its transport protocol and it encrypts the entire body of the packet when sending information back and forth; RADIUS uses UDP for its transport protocol, and it encrypts the password in the access-request packet only when sending information back and forth.
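The difference the answer describes can be shown directly. This added Python example (not from the book) implements the RADIUS User-Password hiding from RFC 2865 and the TACACS+ body encryption from RFC 8907; the shared secrets, authenticator, session id and user credentials are constructed sample values.

```python
# Added example (not from the book): the two mechanisms the answer contrasts.
# RADIUS hides only the User-Password attribute with an MD5 keystream chained
# from the shared secret and the Request Authenticator (RFC 2865, section 5.2);
# every other attribute, such as User-Name, travels in the clear. TACACS+ XORs
# the whole packet body with an MD5 pad derived from the header fields and the
# key (RFC 8907, section 4.5), so nothing in the body is readable on the wire.
import hashlib
import os


def radius_hide_password(password, secret, authenticator):
    """Obfuscate a RADIUS User-Password: 16-byte blocks XORed with an MD5 chain."""
    assert len(authenticator) == 16
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte multiple
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()            # b1 = MD5(S+RA), bn = MD5(S+c(n-1))
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def radius_reveal_password(hidden, secret, authenticator):
    """Inverse of the above; the RADIUS server runs the same chain."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tacacs_body_crypt(body, key, session_id, version, seq_no):
    """TACACS+ body encryption: XOR with an MD5 pad chained from the header fields.
    The same call decrypts, since the operation is a plain XOR."""
    pad, stream = b"", b""
    while len(stream) < len(body):
        # MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_(n-1)
        pad = hashlib.md5(session_id.to_bytes(4, "big") + key
                          + bytes([version, seq_no]) + pad).digest()
        stream += pad
    return bytes(x ^ y for x, y in zip(body, stream))


def demo():
    """Constructed values; reports what an on-path observer could read in each case."""
    secret, authenticator = b"radiuskey", os.urandom(16)   # constructed shared secret
    user, password = b"alice", b"s3cret"                     # constructed credentials
    radius_attrs = {"User-Name": user,
                    "User-Password": radius_hide_password(password, secret, authenticator)}
    tacacs_body = tacacs_body_crypt(user + b"\x00" + password, b"tacacskey",
                                    0x1234ABCD, 0xC0, 1)     # constructed session id
    return {"radius_user_in_clear": radius_attrs["User-Name"] == user,
            "tacacs_user_in_clear": user in tacacs_body}
```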

Q: Where can I find a RADIUS or TACACS+ server/daemon?

A: There are several programs available to be used as a RADIUS or TACACS+ server, for example:

Cisco Secure ACS

Lucent RADIUS

RADIUS-VMS Server

Q: I want to use TACACS+ or RADIUS for authentication with the enable password, but what happens if my security server is unavailable?

A: There are two common ways in which you can use authentication for the enable password on a Cisco router. You can simply use the local router enable password, or if you are going to configure authentication with a security protocol, use the enable keyword when defining the methods in which the enable password will be authenticated. For example:

aaa authentication login admin-enable tacacs+ enable

In this case, if the TACACS+ server is unavailable, the locally configured enable password can be used for authentication.

Chapter 7

Intrusion Detection

Solutions in this chapter:

Network Attacks and Intrusions

Network and Host-Based Intrusion Detection

Cisco Secure Scanner (NetSonar)

Cisco Secure Integrated Software and IOS IDS (Firewall Feature Set)

Cisco Secure Intrusion Detection System (NetRanger)

Introduction

A properly configured firewall can do a good job at protecting servers, but if your server needs to be visible from a public network then total protection is impossible. From an attacker’s view of your network, any visible services are likely to be chosen as the first ones to be probed and attacked. Also if the security policies applied on your firewall allow Web access to your public server, then that same service can be used to attack the server for known vulnerabilities.

A popular attack against public servers is called a Denial of Service (DoS) attack. This renders the service or server unavailable. Several other types of attacks and intrusions must be investigated in order to understand the role the intrusion detection system can play in your network.

Firewalls, workstation security, and well-written software all contribute to a secure network. Because we can never be completely sure that best practices have been followed, a detection system is a logical next step. The IDS is your best ally against intrusions.

An intrusion detection system gives the network or security manager a tool to detect and react rapidly to an attack on the network. This chapter will investigate the various types of attacks and intrusions as well as describe the tools available from Cisco to implement an intrusion detection system.

What Is Intrusion Detection?

Intrusion detection is the ongoing process of searching for security violations on your network; this includes proactive and reactive detection of vulnerabilities, analysis, and corresponding responses.

Network Attacks and Intrusions

Let’s start with a simple analogy. Imagine you have spent time, money, and effort working hard on your house to make it just the way that you want it. Now you remove your curtains, leave the front door open, leave the keys outside the front door, and learn that the other doors are easily broken into. None of these issues make you feel comfortable, and you quickly realize that even though everything inside is perfect, anyone can get in easily and mess it up. Who knows? You might even meet someone at the door impersonating the telephone repairman.

As a measure to protect your home, you would probably install a burglar alarm and a good set of locks. As an analogy to systems that take action against intruders, you might even decide to install a trap door to aggressively identify and trap them! Part of the overall solution you would use to make your home secure is analogous to the intrusion detection system available from Cisco Systems.

Intrusion Detection • Chapter 7 291

The first step is for us to identify what an attack or intrusion is. Any action that violates the security policy of your organization should be considered a threat, but broadly speaking, attacks and intrusions can be summarized as an exploitation of:

Poor network perimeter/device security

Poor physical security

Application and operating software weaknesses

Human failure

Weaknesses in the IP suite of protocols

Before we look at these threats in more detail, let me suggest that you assume a shrewd mindset; it helps when it comes to learning about intrusion detection.

Poor Network Perimeter/Device Security

This can be described as the ease of access to devices across the network. Without access control using a firewall or a packet filtering router, the network is vulnerable.

Network Sniffers

A few years ago I worked in the IT department for a large investment house. I remember helping to tune an application that some developers were working on. The application contained sensitive information regarding the company’s financial strategies. My role was to analyze the traffic to compare performance from one version of code to the next. In the network trace I came across some frames containing usernames and cleartext passwords. I informed the application developers, and they quickly fixed the problem. If it wasn’t for my upbringing, I could have easily signed on to the application and then used that information to tamper with the records.

This method of intrusion is called eavesdropping, or packet snooping, and the type of network technology implemented directly influences its susceptibility. For instance, shared networks are easier to eavesdrop on than switched networks.

Scanner Programs

Certain types of software such as Solarwinds are able to scan entire networks, produce detailed reports on what ports are in use, perform password cracking, and view account details on servers. Although this is a very useful tool if used for the purpose of legitimate network auditing, in the wrong hands, it could be devastating. Scanning software commonly uses one or more of the following methods:

Ping sweep

SNMP sweep

TCP/UDP port scans

Scanning logon accounts

Approaching the millennium, I performed a global scan for a company using an SNMP sweep program. The objective was to ensure that all network devices were running at a compliant release of software. This was surprisingly easy, and I even ended up accidentally scanning some devices outside the perimeter of our network inside the carrier’s network. Incidentally, one device in their network was not Y2K compliant and was upgraded at our request!

Network Topology

Shared networks are easier to eavesdrop on as all traffic is visible from everywhere on that shared media. Switched networks on the other hand are more secure since by default, there is no single viewpoint for traffic. Cisco Catalyst switches have a feature that is used for troubleshooting where you can mirror traffic from VLANs or switch ports to a single designated switch port called the span port. Once you plug your sniffer into the span port, you easily can view traffic in different VLANs by making configuration changes.

Thankfully, most organizations are moving away from shared media for multiple benefits, including improved security and performance.

Unattended Modems

Installing a modem on a PC for remote access allows a quick and easy way to access the network from home. Unfortunately, this also means that the modem and PC may be prone to attack when you are not there. It is not generally possible to detect modems attached to PCs using most types of network auditing systems, so tighter software control and education of the user community is the best solution. If access is essential, you should explain the benefits of using the (secure) corporate remote access solution instead.


Poor Physical Security

There are simple security measures that can be taken in the physical world to ensure better security for your systems. Locking your doors is obviously a good common-sense start, but there are often a number of simple procedures and safeguards that companies could perform and implement that, for one reason or another, they do not.

I recently read an article in Packet that described a theft in California of a file server that contained over 300,000 credit card numbers. The thief just unplugged the server and walked out with it. A simple tagging system would have done the trick, as alarms would have sounded when the machine was removed; even a paper authorization system would have worked. After all, it’s pretty simple to bypass security on routers and switches if you can get to the console port, or in the case of servers you can remove the hard disks and reinstall them elsewhere.

Application and Operating Software Weaknesses

In this context, software is a term that describes the operating system as well as the packages that run under its control. Most software is or has been deficient at some point in its life, and it is not always attributed to poor programming either. For example, sometimes commercial pressures can force a company to release software early, before it is debugged completely.

Software Bugs

Most bugs are based on buffer overflows, unexpected input combinations, and the exploitation of multithread scheduling. An example of this is where the cracker tries to race the legitimate code in making modifications to files in the hope of updating a password file and not causing a software failure; this is called a race condition.

Web Server/Browser-based Attacks

The Internet is one of the fastest moving areas at present and, as such, Web applications are often hastily written. General software bugs and browser configuration errors all provide vulnerabilities for the wily attacker to break in.

Getting Passwords—Easy Ways in

Cracking Programs

Most people have created a simple password based on objects that are easy to remember, such as a name or favorite color at some point or other. In the ten to fifteen companies I’ve worked for, I don’t recall seeing good password practices being enforced very often. It’s quite simple to get someone else’s password; many times, all you have to do is ask.

Some other ways that passwords might be obtained are:

Observation, over the shoulder.

Gaining access to password files.

Using a sniffer to look for clear text passwords.

Replaying logon traffic recorded on a sniffer that contains the encrypted password.

Dictionary-based attacks, where a software program runs through every word in a dictionary database.

Brute force attacks, where the attacker runs a program that tries variations of letters, numbers, and common words in the hope of getting the right combination. Typical programs can try around