CCNA-Security 640-553 - Chapter3 - Part1 - Defending the Perimeter

Part1 - Definitions

- General Security guidelines

- Physical security - devices placed in locked rooms, steadily mounted to rack, UPS, enough RAM etc.
- OS security - using the last stable OS, keeping backup copies of both OS and configuration files in a secure place
- Devices hardening

- hardening a system -  steps taken to rid of system vulnerabilities by:

- upgrading to newer OS -> OS security
- applying current patches -> OS security
- turning off unnecessary applications

- perimeter - border between our locally managed private network and a public network - Internet.

Scenarios

1. Perimeter with one border router

Router secures perimeter - ACLs are configured there, only established connections are allowed to enter LAN from the Internet.

2. Perimeter with a border router and firewall

Border router /screening router/ passes all traffic from the Internet to firewall which inspects connections. This scenario is proffered to scenario with single router.

3. Perimeter with DMZ

Demilitarized zone is an intermediate area between our private LAN network and the Internet.  Severs that need to be accessed from the Internet are placed in DMZ.

Note  Perimeter can be easily broken by plugged unsecured Wireless Access point in campus, using VPN tunnels, encrypted traffic. Therefore the is need for Self-Defending network where all network devices are part of global security solution.

- IOS security features

- Devices loaded with IOS can provide security services such as:

- Stateful firewalling -  in addition to basic traffic filtering using ACLs, IOS devices can perform stateful inspection of traffic CBAC (Context-Based Access Control).

- IPS - Intrusion Prevention System - detect malicious network traffic and stop it

- VPN Routing and Forwarding-aware (VRF aware firewall) - separate routing and forwarding table for each VPN

- Virtual Private Networks - IPSec tunnels between locations connected via Internet

- Cisco ISR routers

- models include 800, 1800, 2800, 3800 series
- provide integrated data, security, voice, wireless services
- 800 series (850, 870) - all features, except of IPS
- 1800 series (1800, 1841)
- 2800 series (2811, 2821, 2851)
- 3800 series (3825, 3845)

- All ISR series have built-in integrated VPN hardware acceleration - support for 3DES and AES encryption algorithm.
- All ISR series except of 850 model have one or two USB ports - IOS, config files, digital certificate can be stored here on USB flash drive.
- Advanced Integration module (AIM) - can be used for VPN encryption, for IPS, in 1800, 2800, 2800 ISR series
- Network modules (NM) - HWIC-AP (wireless module), IDS, Cisco Content Cache (DNS cache), Cisco Network Analyse Module (NAM) - analyse of traffic flow

- Administrative Access to Router

- vty (virtual tty) - telnet (plain text) connection or ssh  (encrypted) - in-band management (if seperate management network exists it is out-of-band management)
- AUX - access via modem - in-band management
- tty - console port - out-band management

- Secure system password

- difficult to guess either using brute-force attack or dictionary attack.
- requirements:

- at least 10 characters
- mix of upper-case and lower-case characters
- special symbols and spaces (no leading space)
- not dictionary words

- password policy - determine when password should be changed.

Part2 - Configuration and Testing

1. Configuring passwords to tty, enable, AUX and vty access and creating local user

- Enforcing password length to 10 characters

Router(config)# security passwords min-length 10

- Configuring password to console

Router(config)# line console 0
Router(config-line)# login
Router(config-line)# password cisco12345

Password is stored in plain text in router's configuration file.

- Configuring password to privileged exec mode 

Router(config)# enable password cisco12345

This is not secure method as password to enable mode is shown as plain-text in router's configuration file. Therefore it is not recommended way to configure any password and it is kept for backward compatibility if downgrade of IOS is needed.

- Configuring password to AUX port

Router(config)# line aux 0
Router(config-line)# login
Router(config-line)# password cisco12345

- Configuring password to vty lines

Router(config)# line vty 0 15
Router(config-line)# login
Router(config-line)# password cisco12345

- Creating a new local user

Router(config)# username admin password cisco12345

This command create a user admin with password cisco12345 with privilege level 0 permission. This user is allowed to get to user exec mode but cannot get to privileged exec mode without entering enable password. We have to specify a privilege level when a non-default privilege level 0 is required to be assigned for the user.

Router(config)# username enable_admin privilege 15 password enable_cisco123456

The command create a user admin with password cisco123456 with privilege level 15. Once users enter correct credentials they are redirected directly to privileged exec mode.

-Authentication to console against local database

Router(config)# line console 0
Router(config-line)# login local

In this case, username/password is required to get access to console. They are two users configured - admin and enable_admin. If the combination of admin/cisco12345 is entered, user gets access to user exec mode. If the enable_admin/cisco123456 is entered, user is redirect to privileged exec mode.

In this case password is set for 16 simultaneous vty (telnet) sessions. Password is stored in plain-text.

2. Password encryption with service-password encryption command

According to configuration examples we have done, passwords are stored in plain-text in router's configuration file. To encrypt them we can call the command:

Router(config)# service password-encryption

This command encrypts all plain-text passwords stored in configuration file and any other passwords set after the command. Now let's have a look on how  passwords are stored in router's configuration file.

Router# show running-config | begin line

line con 0
password 7 045802150C2E1D1C5A4D50
login
stopbits 1
line aux 0
password 7 045802150C2E1D1C5A4D50
login
stopbits 1
line vty 0 4
password 7 045802150C2E1D1C5A4D50
login
line vty 5 15
password 7 045802150C2E1D1C5A4D50
login
!
end

Router# show running-config | include enable

enable password 7 02050D4808095E731F1A5C

The number 7 tells us that passwords are encrypted with Vigenere algorithm. Passwords are not really encrypted as it was not encryption key used but they are not in stored readable form. At least none can inspected them causally looking over admin shoulder. But do not have false feeling of security they can be easily retrieve in few seconds regardless of length of password. Below are two screenshots from from site for on-line  Cisco 7 type password cracking:

Password was  cracked almost immediately after hitting Submit Query button.

There is also perl script for cisco 7 password cracking available here:

http://wiki.nil.com/Deobfuscating_Cisco_IOS_Passwords

3. Password encryption using MD5 algorithm

1.  Theory behind MD5 algorithm

Obviously, it must be a better way to get passwords encrypted as  with standard type 7. When a keyword "secret" instead of "password" is used in configuration, passwords are encrypted with stronger MD5 algorithm. It is preferred method to type 7 encryption.

Router(config)# enable secret cisco123456

Router# show run | include enable

enable secret 5 $1$/SCP$nZ3543lVyoLQOasViGBQH0
enable password 7 02050D4808095E731F1A5C

In the previous example we secured access to privileged exec mode with enable password command. Now we have  both enable password and enable secret configured. In this case, only enable secret is valid to get to privileged exec mode, enable password is ignored.

When a password is encrypted with MD5 algorithm, it is usually stored as 128 bit MD5 hash or digest in configuration file. Before computing MD5 hash, randomly generated characters are added to plain text password. Those extra characters are called salt therefore we have salted MD5 digest. Salt is 24-bit and it is stored together with MD5 hash in configuration file.

Using salt brings two main benefits:

Firstly, the same passwords are never stored as same MD5 hash because salt is randomly generated and should be unique
for each password. In other words, two users have different MD5 hashes in configuration file even their plain-text passwords match.

Secondly, using 24 bit salt is considered to be defence against rainbow attack. The attack uses computed database of hashes. Adding extra 24 bits increases hashes database by 2²⁴. It requires more resources and bigger disk capacity to compute database.

Explanation:

enable secret 5 $1$/SCP$nZ3543lVyoLQOasViGBQH0

5 - password is encrypted with MD5 salted hash method
1 - hash is salted
/SCP- 24 bit salt.
nZ3543lVyoLQOasViGBQH0 - computed MD5 hash

Password can be entered either in plain-text or in encrypted form. They are two options how can we enter password in unencrypted form:

Router(config)# enable secret cisco123456

what is same as

Router(config)# enable secret 0 cisco123456

0 indicates that unencrypted password follows. If we want to have enter a secret password cisco123456 in encrypted form we must indicate it withoption 5.

Router(config)# enable secret 5 $1$/SCP$nZ3543lVyoLQOasViGBQH0

Note  Salted MD5 hashes of passwords can be generated in Linux OS using openssl. We are going to recreate MD5 hash of password cisco123456 manually specifying the same salt /SCP.  As you can see the result is the same salted MD5 hash as it was generated with IOS command.

[brezular@COM-8510p ~]$ openssl passwd -1 -salt /SCP cisco123456

$1$/SCP$nZ3543lVyoLQOasViGBQH0

Theory behind MD5 password hashing is explained in this excellent tutorial:

http://wiki.nil.com/MD5_Password_Hashing_in_IOS

2. Cracking salted MD5 hashes

We will use John the Ripper a fast password cracker to detect weak passwords. Launching an offline brute force attack using John on saved MD5 salted hashes we will show importance of using strong passwords.

First, we will try to break 5 characters password without any special character, numbers and upper-case characters. Then we will configure 5 character password with one leading upper-case character and try to break it.

We have two computers for testing.  John's configuration is left to default settings.

- Notebook PC Compaq 8510w with CPU Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80 GHz
- Desktop PC with CPU Intel(R) Pentium(R) 4 CPU 3.20 GHz, Prescott

a) Install John the Ripper with yum on both computers from repository

[brezular@COM-8510p ~]$ sudo yum install john

Check the version of John.

[brezular@COM-8510p ~]$ john | grep version
John the Ripper password cracker, version 1.7.8

b) Cracking an easy 5 character password

Firstly, we are going to crack an easy password "cisco". Copy salted MD5 hash from IOS configuration file to md5_hash file and run John above this file.

Router(config)# enable secret cisco

Router(config)# do show run | incl enable
enable secret 5 $1$sSWq$CGWilSWbR821tNBqcnFTo.

[brezular@COM-8510p ~]$ echo '$1$sSWq$CGWilSWbR821tNBqcnFTo.' > /home/brezular/md5_hash

Start John.

Notebook

[brezular@COM-8510p ~]$ john /home/brezular/md5_hash
Loaded 1 password hash (FreeBSD MD5 [32/32])
cisco            (?)
guesses: 1  time: 0:00:00:38 (3)  c/s: 4689  trying: cisco
Use the "--show" option to display all of the cracked passwords reliably

Desktop PC

[brezular@Prescott ~]$ john /home/brezular/md5_hash
Loaded 1 password hash (FreeBSD MD5 [32/32])
cisco            (?)
guesses: 1  time: 0:00:00:25 (3)  c/s: 7107  trying: cisco
Use the "--show" option to display all of the cracked passwords reliably

You can see it took about 40 seconds to crack password cisco on notebook and 25 seconds on desktop PC.

Salted MD5 hashes with results are stored in file ~/.john/john.pot.

[brezular@COM-8510p ~]$ cat ~/.john/john.pot
$1$sSWq$CGWilSWbR821tNBqcnFTo.:cisco

c) Cracking an easy 5 characters password with leading uppercase character

Router(config)# enable secret Cisco
Router(config)# do show run | incl enable
enable secret 5 $1$H.ML$ro5Nx3t2mweRBnXpqUNlK/

[brezular@COM-8510p ~]$ echo '$1$H.ML$ro5Nx3t2mweRBnXpqUNlK/' > /home/brezular/md5_hash

Start John on both computers.

John was able to guess a right password after 14 hours 20 minutes and 59 seconds running on notebook and it took 11 hour and 31 seconds on Desktop PC.  Now we might have a real feeling of importance of using strong passwords - changing one letter in a password extends cracking time at least by 11 hours.

guesses: 1  time: 0:14:20:59 (3)  c/s: 4847  trying: Cisco
Use the "--show" option to display all of the cracked passwords reliably

guesses: 1  time: 0:11:00:31 (3)  c/s: 6319  trying: Cisco
Use the "--show" option to display all of the cracked passwords reliably

End.