CISCO NETWORK FOUNDATION PROTECTION




(putthachai@cisco.com), Enterprise System Engineer, Cisco Systems (Thailand) Ltd.

Agenda
- Introduction
- Configuring Cisco NFP
  - Control Plane Protection
  - Management Plane Protection
  - Data Plane Protection
- Summary and References
- Q & A

Introduction
2005, Cisco Systems, Inc. All rights reserved.

Risk Landscape
- Denial of Service (DoS) attacks target the network infrastructure by generating IP traffic streams to the control plane at very high rates.
- The control plane is forced to spend an inordinate amount of time processing this malicious traffic.
- The result is excessive CPU utilization and CPU resource hijacking by the attackers.
- Examples of such attacks include TCP SYN floods, IP fragments, Internet Control Message Protocol (ICMP) echo requests and Fraggle attacks.

Risk Landscape (Cont.)
Attacks can devastate a network by causing:
- High route processor CPU utilization (near 100%)
- Loss of protocol keepalives and routing protocol updates
- Route flaps and major network transitions
- Slow or unresponsive interactive sessions via the CLI
- Route processor resource exhaustion: resources such as memory and buffers are unavailable for legitimate IP data packets
- Indiscriminate packet drops for all incoming packets

Secure Network = Available Network
Network availability rests on three abilities: the ability to route, the ability to manage the network, and the ability to forward data.

Securing the Router Plane by Plane
Each ability maps to a plane that must be secured:
- Ability to route: secure the control plane
- Ability to manage: secure the management plane
- Ability to forward data: secure the data plane
Think divide and conquer: a methodical approach to protecting the three planes.

Cisco NFP Protection: Alcazar Program
Secure networks must be built on a secure foundation.
- Control Plane Protection: lock down services and routing protocols
- Management Plane Protection: secure access for management and instrumentation
- Data Plane Protection: protect data forwarding through the device

Cisco NFP: Three Planes Definitions
Cisco Network Foundation Protection (NFP) is a Cisco IOS technology suite that protects network devices, the routing and forwarding of control information, and the management traffic bound for the network devices.
- Control Plane Protection protects the control plane traffic responsible for traffic forwarding: AutoSecure with rollback functionality; Control Plane Policing; CPU/Memory Threshold.
- Management Plane Protection protects the management plane from unauthorized management access and polling: Secure Shell (SSH) only access; VTY Access Control List (ACL); Cisco IOS Software login enhancement; Command Line Interface (CLI) views.
- Data Plane Protection protects the data plane from malicious traffic: Unicast RPF for anti-spoofing; Control Plane Protection for data traffic; Committed Access Rate (CAR).

Cisco NFP: Features and Benefits
Control Plane Protection (feature: benefit)
- Control Plane Protection: reduces the success of a DDoS attack by policing the incoming rate of traffic to the control plane
- AutoSecure: quickly locks down devices based on industry-recognized best practices (NSA guidelines)
- Routing protocol protection: validates routing peers and the source/destination of routing updates; filtering of prefixes
- CPU/Memory Thresholding: the router remains operational under high loads caused by attacks through reserving CPU/memory
Management Plane Protection (feature: benefit)
- Secure Access: SNMPv3, TACACS+, VTY ACLs, SSH
- Image Verification: verifies the Cisco IOS Software images that the router boots from
- Role-Based CLI Views: allows granular control of the CLI with AAA user credential checking
- Network Telemetry: Cisco IOS NetFlow for traffic and DDoS analysis

Cisco NFP: Features and Benefits (Cont.)
Data Plane Protection (feature: benefit)
- Unicast RPF: anti-spoofing for the source IP address
- Access Control Lists: ACLs filter traffic through a device
- Infrastructure ACL and CAR: remove the possibility for illegitimate users to send any traffic to link addresses

Control Plane Protection

Introduction: Control Plane Protection Policing
(Diagram: incoming packets enter the packet buffer and go through the CEF/FIB lookup. Locally switched packets are forwarded; processor-switched packets destined to the control plane (management traffic such as SNMP, Telnet, SSH and SSL; ICMP; IPv6; routing updates) pass through Control Plane Policing (alleviating DoS attacks) and Silent Mode (reconnaissance prevention) on the input to and output from the control plane.)

Introduction: What CPU Rate Limiters Are Available?
Unicast rate limiters:
- CEF Receive: traffic destined to the router
- CEF Glean: ARP packets
- CEF No Route: packets with no route in the FIB
- IP Errors: packets with IP checksum or length errors
- ICMP Redirect: packets that require ICMP redirects
- ICMP No Route: ICMP unreachables for unroutable packets
- ICMP ACL Drop: ICMP unreachables for admin-deny packets
- RPF Failure: packets that fail the uRPF check
- L3 Security: CBAC, Auth-Proxy, and IPsec traffic
- ACL Input: NAT, TCP Intercept, Reflexive ACLs, log on ACLs
- ACL Output: NAT, TCP Intercept, Reflexive ACLs, log on ACLs
- VACL Logging: CLI notification of VACL-denied packets
- IP Options: unicast traffic with IP Options set
- Capture: used with Optimized ACL Logging (B/BXL)
Multicast rate limiters:
- FIB-Miss: packets with no mroute in the FIB
- IGMP: IGMP packets
- Partial Shortcut: partial shortcut entries
- Directly Connected: local multicast on a connected interface
- IP Options: multicast traffic with IP Options set (B/BXL)
- IPv6 multicast: V6 Directly Connect, V6 *,G M Bridge, V6 *,G Bridge, V6 S,G Bridge, V6 Route Control, V6 Default Route, V6 Second Drop (shared across the 10 hardware rate-limiter registers)
Layer 2 rate limiters (general):
- L2PT: L2PT encapsulation/decapsulation
- MTU Failure: packets requiring fragmentation
- PDU: Layer 2 PDUs
- TTL Failure: packets with TTL<=1

Configuring Control Plane Protection Policing: Four-Step Process
1. Define the packet classification criteria
  router(config)# class-map <traffic_class_name>
  router(config-cmap)# match access-group <access-group>
2. Define a service policy
  router(config)# policy-map <service_policy_name>
  router(config-pmap)# class <traffic_class_name>
  router(config-pmap-c)# police <rate> conform-action transmit exceed-action drop
3. Enter control-plane configuration mode
  router(config)# control-plane
  router(config-cp)#
4. Apply the QoS policy
  router(config-cp)# service-policy input <service_policy_name>

Control Plane Policing Configuration (Cisco Catalyst 6500)
- Must enable QoS globally (mls qos)! Otherwise CoPP is performed in software only.
- Define ACLs to match traffic: permit means the traffic will belong to the class; deny means it will fall through.
- Define class-maps (class-map <name>) and use match statements to identify the traffic associated with the class: match {access-group | ip {precedence | dscp}}
- Define a policy-map (policy-map <name>) and associate classes and actions with it. Policing is the only supported action, with the usual Cisco Catalyst 6500 Series Switch policing syntax.
- Tie the policy-map to the control-plane interface.
  mls qos
  ip access-list extended CPP-MANAGEMENT
   remark Remote management (SSH and Telnet)
   permit tcp any any eq 22
   permit tcp any eq 23 any
   permit tcp any any eq 23
  class-map match-all CPP-MANAGEMENT
   description Important traffic, eg management
   match access-group name CPP-MANAGEMENT
  policy-map copp
   description Control plane policing policy
   class CPP-MANAGEMENT
    police 500000 12800 12800 conform-action transmit exceed-action drop
  control-plane
   service-policy input copp

Control Plane Policy Template
- class-map match-all cpp-bgp: BGP
- class-map match-all cpp-igp: EIGRP, OSPF, etc.
- class-map match-all cpp-management: SNMP, NTP, SSH, TACACS, TFTP, etc.
- class-map match-all cpp-reporting: echo, echo-reply with DSCP marking per class
- class-map match-all cpp-monitoring: ICMP, traceroute, etc.
- class-map match-all cpp-critical-applications: HSRP, DLSw, SIP/VoIP, etc.
- class-map match-all cpp-layer-2-protocols: ARP
- class-map match-all cpp-default: non-specifically marked traffic
- class-map match-any cpp-deny: classified attack traffic

Configuring CPU Rate Limiters
Apply a CPU rate limiter at a specific rate:
  Router(config)# mls rate-limit <all | unicast | multicast | layer2> <special_case_rate_limiter> <packets_per_second>
Example: rate-limit traffic with TTL=1 to 1000 pps:
  Router(config)# mls rate-limit all ttl-failure 1000

Test Setup: Mitigation of Multiple Attacks
CoPP configuration:
  policy-map CoPP
   class cpp-bgp
    police 32000 1500 1500 conform-action transmit exceed-action transmit
   class cpp-igp
    police 32000 1500 1500 conform-action transmit exceed-action transmit
   class cpp-management
    police 32000 1500 1500 conform-action transmit exceed-action transmit
   class cpp-monitoring
    police 600000 18750 18750 conform-action transmit exceed-action drop
   class cpp-critical
    police 32000 1500 1500 conform-action transmit exceed-action transmit
   class cpp-undesirable
    police 320000 10000 10000 conform-action drop exceed-action drop
   class cpp-default
    police 620000 19375 19375 conform-action transmit exceed-action drop
(The routing, management and critical classes use exceed-action transmit, so they are measured but never dropped; only monitoring, undesirable and default traffic is actually dropped.)
CPU rate limiter configuration:
  mls rate-limit multicast ipv4 partial 1000 100
  mls rate-limit unicast ip options 1000 10
  mls rate-limit all ttl-failure 1000 10

AutoSecure

Protecting Routers: AutoSecure
- AutoSecure command in 12.3(1), 12.2(18)S: Cisco.com/en/US/products/sw/iosswrel/ps5187/products_feature_guide09186a008017d101.html
- One-touch device lockdown: simplifies securing an IOS router and the networks attached to an IOS router
- Built from the security audit scripts and security whitepapers that Cisco and others provide; large networks use these to lock down their network
- Core target is the CPE routers on the edge of the Internet: 800/1800/2800/3700/3800 platforms, but applicable to a large extent to all IOS platforms

AutoSecure: Global Services
- Global services turned off: Finger, PAD, small servers, BOOTP, HTTP service, identification service, CDP, NTP, source routing
- Global services turned on: password-encryption service; tuning of scheduler interval/allocation; tcp synwait-time; tcp-keepalives-in and tcp-keepalives-out; SPD configuration; no ip unreachables for Null0

AutoSecure: Services & Logging
- Services disabled per interface: ICMP, proxy ARP, directed broadcast; disables the MOP service; disables ICMP unreachables; disables ICMP mask reply messages
- Provides logging for security: enables sequence numbers and timestamps; provides a console log; sets the log buffered size; provides an interactive dialogue to configure the logging; logs debug traffic

AutoSecure: Lockdown Accessibility
Secure access to the router:
- Checks for a banner and provides a facility to add text to it
- Automatically configures: login, password; transport input & output; exec-timeout; local AAA; ssh timeout and ssh authentication-retries to the minimum
- Enables only SSH and SCP for access and file transfer to/from the router
- Disables SNMP (if not being used)

AutoSecure: Forwarding Plane
Securing the forwarding plane:
- Enables Cisco Express Forwarding (CEF) or Distributed Cisco Express Forwarding (dCEF)
- Anti-spoofing: blocks all IANA reserved IP address blocks (more information on this in the Securing Routing part of the Techtorial); blocks private address blocks if the customer desires
- If not using a default route, installs a default route to Null0
- If the TCP intercept feature is available and the user is interested, configures TCP intercept for connection-timeout
- If the router is being used as a firewall, starts interactive configuration for CBAC on interfaces facing the Internet
- Enables NetFlow on software forwarding platforms
- Password security

CPU and Memory Threshold Notification

CPU and Memory Threshold Notification (reference slide)
CPU threshold notification (12.0(26)S, 12.3(4)T): generates an SNMP trap message when a predefined threshold of CPU usage is crossed.
  process cpu threshold type total rising 80 interval 5 falling 70 interval 5
  snmp-server host 1.2.3.4 traps public cpu
Memory threshold notification (12.0(26)S and 12.2(18)S): if available free processor or I/O memory falls below the specified thresholds, the router logs an event; network operations staff can investigate and, if necessary, take action before router performance is impacted or free memory becomes so low that the router is in danger of crashing.
  memory free low-watermark processor 20000
  memory free low-watermark io 20000
  memory reserve critical 1000

CPU Thresholding
  snmp-server enable traps cpu threshold
  process cpu threshold type total rising 80 interval 5 falling 70 interval 5
(Chart: CPU utilization in percent over time. A Rising SNMP trap is sent when CPU stays above 80% for the 5-second interval; a Falling SNMP trap is sent when it drops back below 70% for 5 seconds.)

Memory Thresholding
  memory free low-watermark processor 20000   (KB)
  memory reserve critical 1000
Syslog messages when the Processor pool crosses the low watermark and recovers:
  000029: *Aug 12 22:31:19.559: %SYS-4-FREEMEMLOW: Free Memory has dropped below 20000k Pool: Processor Free: 66814056 freemem_lwm: 204800000
  000032: *Aug 12 22:33:29.411: %SYS-5-FREEMEMRECOVER: Free Memory has recovered 20000k Pool: Processor Free: 66813960 freemem_lwm: 0
(Chart: free memory in MB over time. The recovery message is triggered when free memory rises 5% above the low watermark.)
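The two syslog messages above are what a monitoring system actually sees when memory thresholding fires. The following is an added example (not Cisco code and not part of the original slides) that parses FREEMEMLOW/FREEMEMRECOVER lines into per-pool state: which pools are currently below their low watermark and how long each episode lasted, with repeated LOW messages not restarting the clock. The message layout follows the slide; the sample log lines, the unrelated CONFIG_I line and the I/O pool alarm are constructed.

```python
"""Track IOS memory-threshold syslog events (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Matches the FREEMEMLOW / FREEMEMRECOVER messages as they appear on the slide
# (sequence number, "*" datetime-msec timestamp, facility-severity-mnemonic).
MEM_RE = re.compile(
    r"^(?P<seq>\d+): \*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"%SYS-\d-(?P<event>FREEMEMLOW|FREEMEMRECOVER): "
    r"Free Memory has (?:dropped below|recovered) (?P<wm>\d+)k "
    r"Pool: (?P<pool>\S+) Free: (?P<free>\d+) freemem_lwm: (?P<lwm>\d+)$"
)


def parse_ts(text: str) -> datetime:
    # IOS omits the year; strptime fills in 1900, which is fine for computing
    # durations inside one log (a "Feb 29" stamp would not parse, a known limit).
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


@dataclass
class PoolState:
    below_watermark: bool = False
    since: Optional[datetime] = None
    watermark_kb: int = 0
    last_free: int = 0
    episodes: List[float] = field(default_factory=list)  # seconds spent below the watermark


def track_memory_events(lines: Iterable[str]) -> Dict[str, PoolState]:
    """Replay syslog lines and return the resulting state per memory pool."""
    pools: Dict[str, PoolState] = {}
    for line in lines:
        m = MEM_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog message
        st = pools.setdefault(m["pool"], PoolState())
        ts = parse_ts(m["ts"])
        st.watermark_kb = int(m["wm"])
        st.last_free = int(m["free"])
        if m["event"] == "FREEMEMLOW":
            if not st.below_watermark:  # a repeated LOW message does not restart the clock
                st.below_watermark = True
                st.since = ts
        else:  # FREEMEMRECOVER closes the episode
            if st.below_watermark and st.since is not None:
                st.episodes.append((ts - st.since).total_seconds())
            st.below_watermark = False
            st.since = None
    return pools


def pools_currently_low(pools: Dict[str, PoolState]) -> List[str]:
    """Names of pools still below their low watermark, for an alert summary."""
    return sorted(name for name, st in pools.items() if st.below_watermark)


# Constructed sample: the two messages from the slide plus an unrelated line
# and a (hypothetical) I/O pool alarm that has not recovered yet.
SAMPLE_LOG = [
    "000029: *Aug 12 22:31:19.559: %SYS-4-FREEMEMLOW: Free Memory has dropped below 20000k "
    "Pool: Processor Free: 66814056 freemem_lwm: 204800000",
    "000030: *Aug 12 22:32:00.001: %SYS-5-CONFIG_I: Configured from console by vty0",
    "000032: *Aug 12 22:33:29.411: %SYS-5-FREEMEMRECOVER: Free Memory has recovered 20000k "
    "Pool: Processor Free: 66813960 freemem_lwm: 0",
    "000040: *Aug 12 22:40:01.000: %SYS-4-FREEMEMLOW: Free Memory has dropped below 20000k "
    "Pool: I/O Free: 19000000 freemem_lwm: 20480000",
]

if __name__ == "__main__":
    state = track_memory_events(SAMPLE_LOG)
    for name, st in state.items():
        print(f"{name}: below watermark={st.below_watermark}, episodes (s)={st.episodes}")
    print("pools currently low:", pools_currently_low(state))
```

Feeding a full log through track_memory_events gives the operator the same hysteresis view the router has (low until recovered), which is what a SIEM rule needs to avoid alerting once per repeated LOW message.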

Management Plane Protection

Access to the Router
- Console, VTY
- Telnet (not recommended, use SSH!)
- SSHv2: end-to-end security
- Local passwords: usernames based on the router (username XXX secret YYYY)
- External AAA: TACACS+, RADIUS, Kerberos; One-Time Passwords (OTP)
- Use enable secret

VTY Security (reference slide)
Access to VTYs should be controlled: an ACL is used to filter incoming connections, and logging can be used to provide more information.
  access-list 3 permit 215.17.1.0 0.0.0.255
  access-list 3 deny any
  line vty 0 4
   access-class 3 in
   transport input ssh
   transport output none
Only accept SSH, no Telnet!

What Ports Are Open on the Router? (reference slide)
It may be useful to see what sockets/ports are open on the router. show ip sockets shows some of the UDP ports opened:
  IOSRouter#show ip sockets
  Proto  Remote           Port  Local            Port  In  Out  Stat  TTY
  17     192.190.224.195  162   204.178.123.178  2168  0   0    0     0
  17     --listen--             204.178.123.178  67    0   0    9     0
  17     0.0.0.0          123   204.178.123.178  123   0   0    1     0
  17     0.0.0.0          0     204.178.123.178  161   0   0    1     0

What Ports Are Open on the Router? (cont.)
Two steps are required for TCP ports: show tcp brief all, then show tcp tcb <TCB>.
  c1711#sh tcp brief all
  TCB       Local Address           Foreign Address      (state)
  86F5C210  213.145.167.222.22      10.200.1.16.4807     ESTAB
  82A72B0C  *.443                   *.*                  LISTEN
  8293418C  *.80                    *.*                  LISTEN
  827AB9EC  *.1723                  *.*                  LISTEN

What Ports Are Open on the Router? (cont.)
  c1711#sh tcp tcb 86F5C210
  Connection state is ESTAB, I/O status: 1, unread input bytes: 0
  Connection is ECN Disabled
  Local host: 213.145.167.222, Local port: 22
  Foreign host: 10.200.1.16, Foreign port: 4807
  Enqueued packets for retransmit: 1, input: 0  mis-ordered: 0 (0 bytes)
  Event Timers (current time is 0x6A77C230):
  Timer          Starts    Wakeups            Next
  Retrans            57          2      0x6A77C8B4
  TimeWait            0          0             0x0
  AckHold            40          1             0x0
  SendWnd             0          0             0x0
  KeepAlive          89          0      0x6A78AC8C
  GiveUp              0          0             0x0
  PmtuAger            0          0             0x0
  DeadWait            0          0             0x0
  iss:   66371059  snduna:   66375348  sndnxt:   66375368  sndwnd:  17568
  irs: 4263300308  rcvnxt: 4263301685  rcvwnd:       4028  delrcvwnd:    100

Network Time Protocol (reference slide)
Synchronize time across all devices: when a security event occurs, the data must have consistent timestamps.
- From an external time source: upstream ISP, Internet, GPS, atomic clock
- From an internal time source: a router can act as the stratum 1 time source
  ntp source loopback0
  ntp server 10.1.1.1 source loopback0
Secure NTP!
  ntp authentication-key 10 md5 keystring
  ntp authenticate
  ntp trusted-key 10

Configuring Syslog on a Router
Syslog data is invaluable for attack forensics and for day-to-day events and debugging.
To log messages to a syslog server host, use the logging global configuration command:
  logging host <address>
  logging trap <level>
To log to the internal buffer use:
  logging buffered <size>
Ensure timestamps:
  service timestamps log
Do not log to the console! It can cause overruns and high CPU loads.

SNMP
- Version 1 sends cleartext community strings and has no policy reference
- Version 2 addresses some of the known security weaknesses of SNMPv1
- Version 3 provides authentication and encryption (recommended)
  - Not yet widely deployed
  - In IOX (IOS XR) today (CRS-1)
  - Confirm NMS application support
  - RFC 2570, Introduction to Version 3 of the Internet-Standard Network Management Framework

Config Change Notification and Logging
- Allows the tracking of configuration changes entered on a per-session and per-user basis by implementing a configuration log
- Tracks each configuration command that is applied, who applied the command, the parser return code for that command, and the time that the command was applied
- Adds a notification mechanism that sends asynchronous notifications to registered applications whenever the configuration log changes
- Available in 12.3(4)T on 1800, 2800, 3800, 7200, 7500, AS5xxx: http://www.cisco.com/en/us/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1e81.html
- Also: Contextual Configuration Diff utility, http://www.cisco.com/en/us/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1dc2.html

ICMP Unreachable Overload
Packets that cannot be delivered, due to Null0 next hops (in some cases) or no route in the table, generate ICMP unreachables. Risk: a high number of unreachables overloading the CPU.
  no ip unreachables
In certain situations we might want ICMP unreachables enabled but need to limit their generation in order to protect the router: ICMP unreachable rate limiting.
Command:
  ip icmp rate-limit unreachable [df] <1-4294967295 milliseconds>
  no ip icmp rate-limit unreachable [df]

New Feature: IOS Login Enhancements
- Login enhancements: password retry delay
- Adds new flexibility to lock out unwanted attempts to access the device
- Introduces a delay between successive failed login attempts to alleviate dictionary attacks
- New global command: login delay
- Generation of syslog messages for login detection
- Available from 12.3(4)T: http://www.cisco.com/en/us/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1cb3.html

Limit Authority: Authorize Commands
Differentiate staff authority on the router: help desk, operations, second-level/third-level support. Use privilege levels (0-15), for example:
- System Administrator, level 2: show, debug, ping
- Network Engineer, level 15: all commands

New Feature: Role-Based CLI Access
Role-based CLI, aka CLI views, defines CLI access based on administrative roles.
- Security: enhances the security of the device by defining the set of CLI commands that are accessible to a particular user
- Availability: avoids unintentional execution of CLI commands by unauthorized personnel
- Operational efficiency: prohibits users from viewing CLI commands that are inaccessible to them, greatly improving usability
Available from 12.3(7)T: http://www.cisco.com/en/us/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801ee18d.html

NetFlow

Cisco IOS NetFlow
NetFlow is a standard for acquiring IP network and operational data.
Benefits:
- Understand the impact of network changes and services
- Improve network usage and application performance
- Reduce IP service and application costs
- Optimize network costs
- Detect and classify security incidents
Workflow: 1. Enable NetFlow: characterize flows and understand traffic behaviour; 2. Export flow information; 3. Traffic analysis: network planning, security analysis, reports.

A Flow Is Defined by Seven Unique Keys
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type
- Type of Service (ToS) byte (Differentiated Services Code Point (DSCP))
- Input logical interface (ifIndex)
(Diagram: traffic enters a NetFlow-enabled interface; the cache is read either by the traditional export of NetFlow export packets to a collector, or through the new SNMP MIB interface polled by an SNMP poller/GUI.)

NetFlow Cache Example
1. Create and update flows in the NetFlow cache
  SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol TOS Flgs Pkts  SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop    Bytes/Pkt Active Idle
  Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11       80  10   11000 00A2    /24    5     00A2    /24    15    10.0.23.2  1528      1745   4
  Fa1/0  173.100.3.2   Fa0/0  10.0.227.12  6        40  0    2491  15      /26    196   15      /24    15    10.0.23.2  740       41.5   1
  Fa1/0  173.100.20.2  Fa0/0  10.0.227.12  11       80  10   10000 00A1    /24    180   00A1    /24    15    10.0.23.2  1428      1145.5 3
  Fa1/0  173.100.6.2   Fa0/0  10.0.227.12  6        40  0    2210  19      /30    180   19      /24    15    10.0.23.2  1040      24.5   14
2. Expiration
- Inactive timer has expired (15 sec is the default)
- Active timer has expired (30 min (1800 sec) is the default)
- NetFlow cache is full (oldest flows are expired)
- RST or FIN TCP flag
  SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol TOS Flgs Pkts  SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop    Bytes/Pkt Active Idle
  Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11       80  10   11000 00A2    /24    5     00A2    /24    15    10.0.23.2  1528      1800   4
3. Aggregation (e.g. Protocol-Port aggregation scheme): the expired flow becomes
  Protocol 11  Pkts 11000  SrcPort 00A2  DstPort 00A2  Bytes/Pkt 1528
4. Export version: non-aggregated flows use export version 5 or 9; aggregated flows use export version 8 or 9
5. Transport protocol: the export packet consists of a header and a payload (flows)
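To make the seven-key definition and the expiration rules above concrete, here is an added example (not Cisco code, not part of the original slides) of a toy flow cache: records are keyed on the seven-tuple from the previous slide and expired by the inactive timer, the active timer, a TCP FIN/RST, or a full cache, using the IOS defaults quoted above (15 s and 30 min). The replayed traffic is constructed and modelled on the cache rows shown; the FlowCache class and its methods are this example's own names.

```python
"""Toy NetFlow cache keyed on the seven-tuple (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP, UDP = 6, 17
TCP_FIN, TCP_RST = 0x01, 0x04
INACTIVE_TIMEOUT = 15        # seconds, IOS default from the slide
ACTIVE_TIMEOUT = 30 * 60     # seconds, IOS default from the slide

# src addr, dst addr, src port, dst port, L3 protocol, ToS byte, input interface
FlowKey = Tuple[str, str, int, int, int, int, str]


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tos: int
    in_if: str
    length: int
    tcp_flags: int = 0


@dataclass
class FlowRecord:
    key: FlowKey
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0       # OR of all TCP flags seen, as NetFlow v5 exports it


class FlowCache:
    def __init__(self, max_flows: int = 4096):
        self.max_flows = max_flows
        self.flows: Dict[FlowKey, FlowRecord] = {}
        self.expired: List[Tuple[str, FlowRecord]] = []   # (reason, record): ready to export

    @staticmethod
    def key_for(pkt: Packet) -> FlowKey:
        return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto, pkt.tos, pkt.in_if)

    def observe(self, pkt: Packet) -> None:
        """Create or update the flow record for one forwarded packet."""
        self.age(pkt.ts)                       # run the ager before touching the cache
        key = self.key_for(pkt)
        rec = self.flows.get(key)
        if rec is None:
            if len(self.flows) >= self.max_flows:   # cache full: expire the oldest flow
                self._expire(min(self.flows, key=lambda k: self.flows[k].last), "cache-full")
            rec = self.flows[key] = FlowRecord(key=key, first=pkt.ts, last=pkt.ts)
        rec.last = pkt.ts
        rec.packets += 1
        rec.octets += pkt.length
        rec.tcp_flags |= pkt.tcp_flags
        if pkt.proto == TCP and pkt.tcp_flags & (TCP_FIN | TCP_RST):
            self._expire(key, "tcp-fin-rst")   # the connection is over: export at once

    def age(self, now: float) -> None:
        """Expire idle flows (inactive timer) and long-lived flows (active timer)."""
        for key, rec in list(self.flows.items()):
            if now - rec.last >= INACTIVE_TIMEOUT:
                self._expire(key, "inactive")
            elif now - rec.first >= ACTIVE_TIMEOUT:
                self._expire(key, "active")

    def _expire(self, key: FlowKey, reason: str) -> None:
        self.expired.append((reason, self.flows.pop(key)))


def summary(cache: FlowCache) -> Dict[str, int]:
    """Count expired records per reason plus the flows still in the cache."""
    counts: Dict[str, int] = {}
    for reason, _ in cache.expired:
        counts[reason] = counts.get(reason, 0) + 1
    counts["still-active"] = len(cache.flows)
    return counts


def demo() -> FlowCache:
    """Replay constructed traffic modelled on the slide's cache rows."""
    cache = FlowCache()
    pkts: List[Packet] = []
    # Flow A: three UDP packets, then silence -> expires on the inactive timer.
    for t in (0.0, 1.0, 2.0):
        pkts.append(Packet(t, "173.100.21.2", "10.0.227.12", 0xA2, 0xA2, UDP, 0x80, "Fa1/0", 1528))
    # Flow B: short TCP session, SYN / data / FIN+ACK -> expires on the FIN.
    for t, flags in ((30.0, 0x02), (31.0, 0x18), (32.0, 0x11)):
        pkts.append(Packet(t, "173.100.3.2", "10.0.227.12", 2491, 15, TCP, 0x40, "Fa1/0", 740, flags))
    # Flow C: one UDP packet every 10 s for just over 30 min -> expires on the active timer.
    for t in range(0, 1811, 10):
        pkts.append(Packet(float(t), "173.100.20.2", "10.0.227.12", 0xA1, 0xA1, UDP, 0x80, "Fa1/0", 1428))
    for pkt in sorted(pkts, key=lambda p: p.ts):   # stable sort keeps per-flow order
        cache.observe(pkt)
    return cache


if __name__ == "__main__":
    c = demo()
    print(summary(c))
    for reason, rec in c.expired:
        print(reason, rec.key[:2], "pkts", rec.packets, "active", rec.last - rec.first)
```

Running demo() exports one record per expiration reason and leaves the tail of flow C in the cache, which is exactly the point the slide makes: a long-lived flow is exported in 30-minute slices, while a conversation that ends with FIN is exported immediately.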

What Does a DoS Attack Look Like?
Potential DoS attack (33 flows) on router1. Estimated: 660 pkt/s, 0.2112 Mbps. (ASxxx and ASddd: real data deleted in this presentation.)
  src_ip           dst_ip         in_int out_int src_port dst_port pkts bytes prot src_as dst_as
  192.xx.xxx.69    194.yyy.yyy.2  29     49      1308     77       1    40    6    xxx    ddd
  192.xx.xxx.222   194.yyy.yyy.2  29     49      1774     1243     1    40    6    xxx    ddd
  192.xx.xxx.108   194.yyy.yyy.2  29     49      1869     1076     1    40    6    xxx    ddd
  192.xx.xxx.159   194.yyy.yyy.2  29     49      1050     903      1    40    6    xxx    ddd
  192.xx.xxx.54    194.yyy.yyy.2  29     49      2018     730      1    40    6    xxx    ddd
  192.xx.xxx.136   194.yyy.yyy.2  29     49      1821     559      1    40    6    xxx    ddd
  192.xx.xxx.216   194.yyy.yyy.2  29     49      1516     383      1    40    6    xxx    ddd
  192.xx.xxx.111   194.yyy.yyy.2  29     49      1894     45       1    40    6    xxx    ddd
  192.xx.xxx.29    194.yyy.yyy.2  29     49      1600     1209     1    40    6    xxx    ddd
  192.xx.xxx.24    194.yyy.yyy.2  29     49      1120     1034     1    40    6    xxx    ddd
  192.xx.xxx.39    194.yyy.yyy.2  29     49      1459     868      1    40    6    xxx    ddd
  192.xx.xxx.249   194.yyy.yyy.2  29     49      1967     692      1    40    6    xxx    ddd
  192.xx.xxx.57    194.yyy.yyy.2  29     49      1044     521      1    40    6    xxx    ddd

Tracing Back with NetFlow
Routers need NetFlow to be enabled.
On the victim's router:
  router1#sh ip cache flow | include <destination>
  Se1  <source>  Et0  <destination>  11 0013 0007 159
  (lots more flows to the same destination)
The flows come from Serial1. Find the upstream router on Serial1:
  router1#sh ip cef se1
  Prefix          Next Hop     Interface
  0.0.0.0/0       10.10.10.2   Serial1
  10.10.10.0/30   attached     Serial1
Continue on this router.

show ip cache flow
  router_a#sh ip cache flow
  IP packet size distribution (85435 total packets):
     1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
     .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

      512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
     .000 .000 .000 .000 1.00 .000 .000 .000 .000 .000 .000

  IP Flow Switching Cache, 278544 bytes
    2728 active, 1368 inactive, 85310 added
    463824 ager polls, 0 flow alloc failures
    Active flows timeout in 30 minutes
    Inactive flows timeout in 15 seconds
  last clearing of statistics never
  Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
  --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
  TCP-X                2      0.0         1  1440      0.0       0.0       9.5
  TCP-other        82580     11.2         1  1440     11.2       0.0      12.0
  Total:           82582     11.2         1  1440     11.2       0.0      12.0

  SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
  Et0/0         132.122.25.60   Se0/0         192.168.1.1     06 9AEE 0007     1
  Et0/0         139.57.220.28   Se0/0         192.168.1.1     06 708D 0007     1
  Et0/0         165.172.153.65  Se0/0         192.168.1.1     06 CB46 0007     1
(Slide callouts: "Source Interface" points at the SrcIf column, "Flow info summary" at the protocol table, "Flow details" at the per-flow rows.)
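The DoS slide and this show ip cache flow output share one signature: many distinct sources, each sending a single small packet to the same destination and port. The following is an added example (not Cisco code, not part of the original slides) that parses the flow rows of this command output (protocol and ports are printed in hex), groups flows by destination, protocol and port, flags targets with many single-packet flows from many sources, and reports which input interfaces carry them, which is the first step of the trace-back on the previous slide. The sample output is constructed (a few source addresses are taken from the slides); the min_sources and max_pkts_per_flow thresholds are tunable assumptions.

```python
"""Spot fan-in patterns in "show ip cache flow" output (added example, not Cisco code)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# One row of: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts (hex proto/ports).
FLOW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dstif>\S+)\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+"
    r"(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)$"
)


class Flow(NamedTuple):
    src_if: str
    src: str
    dst_if: str
    dst: str
    proto: int
    sport: int
    dport: int
    pkts: int


class Target(NamedTuple):
    dst: str
    proto: int
    dport: int
    flows: int
    sources: int
    pkts: int


def parse_cache_flow(text: str) -> List[Flow]:
    """Return the flow rows; header, size-distribution and summary lines are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["srcif"], m["src"], m["dstif"], m["dst"],
                              int(m["proto"], 16), int(m["sport"], 16),
                              int(m["dport"], 16), int(m["pkts"])))
    return flows


def fan_in_targets(flows: List[Flow], min_sources: int = 5,
                   max_pkts_per_flow: float = 2.0) -> List[Target]:
    """Destinations hit by at least min_sources distinct sources with tiny flows."""
    groups: Dict[Tuple[str, int, int], List[Flow]] = defaultdict(list)
    for f in flows:
        groups[(f.dst, f.proto, f.dport)].append(f)
    suspects: List[Target] = []
    for (dst, proto, dport), fl in groups.items():
        sources = {f.src for f in fl}
        pkts = sum(f.pkts for f in fl)
        if len(sources) >= min_sources and pkts / len(fl) <= max_pkts_per_flow:
            suspects.append(Target(dst, proto, dport, len(fl), len(sources), pkts))
    return sorted(suspects, key=lambda t: (-t.sources, t.dst))


def upstream_interfaces(flows: List[Flow], dst: str) -> Dict[str, int]:
    """Input interfaces carrying flows towards dst: where the trace-back continues."""
    counts: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.dst == dst:
            counts[f.src_if] += 1
    return dict(counts)


# Constructed sample output; the first five source addresses come from the slides,
# the remaining rows (including the legitimate SSH session and a DNS flow) are made up.
SAMPLE_OUTPUT = """\
router_a#sh ip cache flow
IP packet size distribution (85435 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-other        82580     11.2         1  1440     11.2       0.0      12.0

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         132.122.25.60   Se0/0         192.168.1.1     06 9AEE 0007     1
Et0/0         139.57.220.28   Se0/0         192.168.1.1     06 708D 0007     1
Et0/0         165.172.153.65  Se0/0         192.168.1.1     06 CB46 0007     1
Et0/0         216.120.112.114 Se0/0         192.168.1.1     06 5FA7 0007     1
Et0/0         175.182.253.65  Se0/0         192.168.1.1     06 1A2B 0007     1
Et0/0         203.0.113.9     Se0/0         192.168.1.1     06 C001 0007     2
Et0/0         10.1.1.5        Se0/0         192.168.1.1     06 D3A0 0016   120
Se0/0         192.168.1.1     Et0/0         10.1.1.5        06 0016 D3A0   118
Et0/1         10.2.2.7        Se0/0         192.168.1.20    11 0035 0035     3
"""

if __name__ == "__main__":
    flows = parse_cache_flow(SAMPLE_OUTPUT)
    for t in fan_in_targets(flows):
        print(f"suspect target {t.dst} proto {t.proto} port {t.dport}: "
              f"{t.flows} flows from {t.sources} sources, {t.pkts} packets")
        print("  input interfaces:", upstream_interfaces(flows, t.dst))
```

The legitimate SSH session to the same host is not flagged because it is a single long flow; the grouping by port is what separates it from the flood of one-packet connections to TCP port 7 (echo).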

show ip cache verbose flow
  router_a#sh ip cache verbose flow
  IP packet size distribution (23597 total packets):
     1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
     .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

      512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
     .000 .000 .000 .000 1.00 .000 .000 .000 .000 .000 .000

  IP Flow Switching Cache, 278544 bytes
    1323 active, 2773 inactive, 23533 added
    151644 ager polls, 0 flow alloc failures
    Active flows timeout in 30 minutes
    Inactive flows timeout in 15 seconds
  last clearing of statistics never
  Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
  --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
  TCP-other        22210      3.1         1  1440      3.1       0.0      12.9
  Total:           22210      3.1         1  1440      3.1       0.0      12.9

  SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
  Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
  Et0/0          216.120.112.114 Se0/0          192.168.1.1     06 00  10       1
  5FA7 /0  0                     0007 /0  0     0.0.0.0              1440     0.0
  Et0/0          175.182.253.65  Se0/0          192.168.1.1     06 00  10       1

NetFlow MIB
- Currently available in Cisco IOS Software Release 12.3(7)T
- NetFlow information is available when using SNMP, without NetFlow export; administration of NetFlow through the MIB interface
- The NetFlow MIB cannot be used to retrieve all flow information, but it is very useful for security monitoring and for locations where export is not possible: packet size distribution, number of bytes exported per second, number of NetFlow flows, export of Top N talkers
- Top N Talkers: Top N flows are based on various NetFlow field values (AS number, destination, ports); MIB and CLI support in Releases 12.2(25)S and 12.3(11)T

NetFlow Security Enhancement
Release 12.4(2nd)T, Q4 05: new show commands to understand and parse NetFlow data, e.g. show flows on port X to destination Y:
  show ip flow top <N> <aggregate-field> <sort-criteria> <match-criteria>
  show ip flow top 10 destination-address packets interface ser0 port-range 100 to 135

Network Based Application Recognition (NBAR)

Overview of NetFlow and Network Based Application Recognition
- NetFlow: pioneering IP accounting technology; invented and patented by Cisco; IETF export standard
- Network-Based Application Recognition (NBAR): intelligent application recognition; analyzes and identifies application traffic in real time. Classification is based on deep packet inspection: NBAR can look deeper into the packet to identify applications, e.g. HTTP traffic by URL, host name, header fields or MIME type using regular expressions (*, ?, [ ]), Citrix ICA traffic, RTP payload type classification. Currently supports 90 protocols/applications.

NetFlow and NBAR Differentiation

Figure: link layer header | IP header | TCP/UDP header | data packet. NetFlow reads interface, TOS, protocol, source IP address, destination IP address, source port and destination port; NBAR additionally performs deep packet (payload) inspection.

NetFlow and NBAR both leverage Layer 3 and 4 header information.

NetFlow
- Monitors data in Layers 2 through 4
- Determines applications by port
- Utilizes a 7-tuple for flow

NBAR
- Examines data from Layers 3 through 7
- Uses Layers 3 and 4 plus packet inspection for classification
- Stateful inspection of dynamic-port traffic

NetFlow and NBAR Benefit Footprints

NetFlow
- Enterprise backbone: Cisco Catalyst 4500, 5000, 6500, 7600 Series (ASIC)
- Enterprise premise edge: Cisco Catalyst 5000, 6500 Series (HW acceleration); Cisco Catalyst 4500 Series (ASIC); Cisco 7100, 7200, 7300, 7500 Series; Cisco AS5300, AS5400, AS5800 Series; Cisco 830, 1400, 1700, 1800, 2600XM, 2800, 3700, 3800 Series
- Service Provider aggregation edge: Cisco Catalyst 4500, 5000, 6500 Series; Cisco 7600 Series (ASIC); Cisco 7100, 7200, 7300, 7500 Series; Cisco AS5300 and AS5800 Series; Cisco MGX8000 Series
- Service Provider core: Cisco 10000 and 12000 Series Internet Routers (ASIC); Cisco Catalyst 5000 and 6500 Series; Cisco 7600 Series (ASIC); Cisco 7500 Series

NBAR
- Enterprise backbone: Cisco Catalyst 6500 and 7600 Series MSFC (network ASIC planned)
- Enterprise premise edge: Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM (ASIC planned); Cisco 7100, 7200, and 7500 Series; Cisco 830, 1700, 1800, 2600XM, 2800, 3700 and 3800 Series
- Service Provider aggregation edge: Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM (ASIC planned); Cisco 7100, 7200, and 7500 Series
- Service Provider core: Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM (ASIC planned); Cisco 7500 Series

Network Based Application Recognition

Figure: IP packet (ToS, protocol, source IP addr, dest IP addr) | TCP/UDP packet (src port, dst port) | data packet (sub-port/deep inspection); stateful and dynamic inspection.

Recognized protocols and applications: egp, exchange, kerberos, secure-nntp, smtp, gre, finger, l2tp, notes, snmp, icmp, ftp, ldap, novadigm, socks, ipinip, secure-ftp, secure-ldap, ntp, sqlnet, ipsec, gopher, netshow, pcanywhere, ssh, eigrp, http, pptp, pop3, streamwork, bgp, secure-http, sqlserver, secure-pop3, syslog, cuseeme, imap, netbios, printer, telnet, dhcp, irc, nfs, realaudio, secure-telnet, dns, secure-irc, nntp, rcmd, tftp, H.323, SIP, MGCP, Fasttrack, citrix, Edonkey, napster, BitTorrent, vdolive, xwindows

Cisco IOS Software Release 12.4(2)T: NBAR and Distributed Network-Based Application Recognition
www.cisco.com/en/us/products/ps6350/products_configuration_guide_chapter09186a0080455985.html

Packet Description Language Modules

- Packet Description Language Modules (PDLMs) define the applications recognized by NBAR
- New applications are supported by adding new PDLMs
- No Cisco IOS Software upgrade or reboot is required to add new PDLMs
- New Cisco IOS Software is required only when an enhanced NBAR infrastructure is required for new PDLM functionality
- New PDLMs are incorporated natively into subsequent Cisco IOS Software releases
- Only new/updated PDLMs are loaded
- PDLMs must be produced by Cisco engineers

NBAR User-Defined Custom Application Classification

Figure: IP packet (ToS, protocol, source IP addr, dest IP addr) | TCP/UDP packet (src port, dst port) | data packet carrying "FFFF0000MoonbeamFFFF".

Parameters of the custom match (with the example value used below):
- Name: name the match criteria, up to 24 characters. Example: lunar_light
- Offset: the beginning byte of the string or value to be matched in the data packet, counting from zero for the first byte. Example: 8 (skip the first 8 bytes)
- Format: the format of the match criteria: ASCII, hex or decimal. Example: ascii
- Value: the value to match in the packet; if ASCII, up to 16 characters. Example: Moonbeam
- [source | destination]: optionally restrict the direction of packet inspection (source or destination port); defaults to both directions if not specified
- TCP or UDP: the protocol encapsulated in the IP packet. Example: tcp
- Range or selected port number(s): a range with start and end port numbers (up to 1000 ports), or 1 to 16 individual port numbers. Example: range 2000 2999

Example configuration:

  ip nbar custom lunar_light 8 ascii Moonbeam tcp range 2000 2999
  class-map solar_system
   match protocol lunar_light
  policy-map astronomy
   class solar_system
    set ip dscp AF21
  interface <>
   service-policy output astronomy
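The custom match above, modelled in Python as an added example (not Cisco code): the offset/format/value/protocol/port-range parameters of the slide are applied to a constructed packet, and the class-map/policy-map mapping returns the DSCP that would be set. The decimal format and the real PDLM engine are not modelled; names and the payload are taken from the slide.

```python
from dataclasses import dataclass


@dataclass
class CustomProtocol:
    """One 'ip nbar custom' definition (simulation of the slide's parameters)."""
    name: str                 # up to 24 characters
    offset: int               # first payload byte to compare, counting from zero
    fmt: str                  # "ascii" or "hex" (decimal is omitted in this model)
    value: str                # ASCII string (up to 16 chars) or hex digits
    proto: str                # "tcp" or "udp"
    ports: set                # port range (up to 1000) or up to 16 individual ports
    direction: str = "both"   # "source", "destination" or "both"

    def __post_init__(self):
        if len(self.name) > 24 or (self.fmt == "ascii" and len(self.value) > 16):
            raise ValueError("name/value exceeds the limits given on the slide")

    def pattern(self) -> bytes:
        return self.value.encode("ascii") if self.fmt == "ascii" else bytes.fromhex(self.value)

    def matches(self, proto: str, sport: int, dport: int, payload: bytes) -> bool:
        if proto != self.proto:
            return False
        if self.direction == "source":
            port_ok = sport in self.ports
        elif self.direction == "destination":
            port_ok = dport in self.ports
        else:
            port_ok = sport in self.ports or dport in self.ports
        if not port_ok:
            return False
        pat = self.pattern()
        # compare exactly len(value) bytes starting at the configured offset
        return payload[self.offset:self.offset + len(pat)] == pat


# class-map solar_system -> policy-map astronomy: protocol name -> DSCP marking
POLICY = {"lunar_light": "AF21"}


def classify(protocols, proto: str, sport: int, dport: int, payload: bytes) -> str:
    """Return the DSCP the policy-map would set, or 'default' for class-default."""
    for p in protocols:
        if p.matches(proto, sport, dport, payload):
            return POLICY.get(p.name, "default")
    return "default"


LUNAR_LIGHT = CustomProtocol("lunar_light", 8, "ascii", "Moonbeam", "tcp", set(range(2000, 3000)))
# constructed sample payload from the slide's figure: 8 filler bytes, then the marker
SAMPLE = b"FFFF0000MoonbeamFFFF"
```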

NBAR HTTP Classification

- Extended inspection: NBAR looks for an HTTP-specific signature on ports beyond the well-known TCP port 80
- The HTTP GET request contains the host/URL string
- Optionally, HTTP responses may be further classified by MIME type

Figure: HTTP clients send HTTP GET requests through Router X to the HTTP server; responses to the HTTP GET return through Router Y.

  router(config-cmap)#match protocol http ?
    host            host-name-string -- Match Host Name
    url             url-string -- Match URL String
    mime            MIME-type -- Match MIME Type
    c-header-field  Client general header field
    s-header-field  Server general header field

Match protocol http: www.cisco.com/en/us/products/ps6350/products_command_reference_chapter09186a008043682c.html#wp1112789

NBAR Protocol Discovery MIB

- Provides statistics per application, per interface via SNMP
- Enable or disable protocol discovery per interface
- Display protocol discovery statistics
- Configure and view multiple top-N tables listing protocols by bandwidth usage
- Configure thresholds: report breaches and send notifications when these thresholds are crossed
- Supported by Cisco QoS partners: Concord Communications, InfoVista (traffic monitoring; DoS attack mitigation)

NBAR Protocol Discovery MIB
www.cisco.com/en/us/products/ps6350/products_configuration_guide_chapter09186a0080455985.html (cisco-nbar-protocol-discovery-mib)

Cisco NBAR Protocol Discovery MIB
www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Unicast Reverse Path Forwarding (urpf)

Unicast RPF Overview

- Cisco Express Forwarding is required
- Checks whether any packet received at a router interface arrives on one of the best return paths to the source of the packet
- Performs a reverse lookup in the Cisco Express Forwarding table; if urpf does not find a reverse path for the packet, urpf can drop the packet

Two types of urpf:
- Strict mode urpf requires that the source IP address of an incoming packet has a FIB path to the SAME interface as that on which the packet arrived
- Loose mode urpf requires that the source IP address of an incoming packet has a FIB path to ANY interface on the device, except null

Unicast RPF Benefits

- Operationally simple to maintain: the urpf path validation criteria are based upon the dynamically updated IP routing tables
- Network address and routing changes are automatically taken into account, with no static entries to maintain
- Implementation introduces minimal performance impact on the router or switch

urpf Strict Mode

  router(config-if)# ip verify unicast reverse-path
or:
  router(config-if)# ip verify unicast source reachable-via rx allow-default

Figure: router with int 1, int 2 and int 3 and FIB (Dest S x: path int 1; S y: int 2; S z: null0). Packets "S x D data" and "S y D data" arrive on an interface and the check asks: source IP = rx int? (ip verify unicast source reachable-via rx)

urpf Loose Mode

  router(config-if)# ip verify unicast source reachable-via any

Figure: router with int 1, int 2 and int 3 and FIB (Dest S x: path int 1; S y: int 2; S z: null0). Packets "S y D data" and "S z D data" arrive and the check asks: source IP = any int? (ip verify unicast source reachable-via any)
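The strict and loose checks from the two slides, as an added Python simulation (not Cisco code): a longest-prefix FIB lookup on the source address, the strict test (path must be the receiving interface), the loose test (any path except null0), and the allow-default keyword. The FIB entries and interface names are constructed to mirror the figures (S x via int 1, S y via int 2, S z via null0).

```python
import ipaddress

NULL0 = "null0"


class Fib:
    """Longest-prefix-match FIB: prefix -> egress interface (or null0)."""

    def __init__(self, routes):
        # routes: list of (prefix, interface); most specific prefix is tried first
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        for net, intf in self.routes:
            if a in net:
                return net, intf
        return None, None


def urpf_permits(fib, src, rx_intf, mode="rx", allow_default=False):
    """True if a packet from `src` received on `rx_intf` passes the urpf check.

    mode "rx"  = strict  (ip verify unicast source reachable-via rx)
    mode "any" = loose   (ip verify unicast source reachable-via any)
    allow_default: let a match on the 0.0.0.0/0 route count as a valid path.
    """
    net, path = fib.lookup(src)
    if path is None:
        return False                      # no return route to the source at all
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if path == NULL0:
        return False                      # black-holed source: dropped in both modes
    if mode == "any":
        return True                       # loose: any real interface is enough
    return path == rx_intf                # strict: must be the receiving interface


# constructed FIB matching the figures: S x via int 1, S y via int 2, S z via null0
FIB = Fib([("192.0.2.0/24", "int1"), ("198.51.100.0/24", "int2"),
           ("203.0.113.0/24", NULL0), ("0.0.0.0/0", "int3")])
```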

Integrated Switch Security

Port Security

Figure: MAC table: MAC A on port 1, MAC B on port 2, MAC C on port 3. A second MAC (X) on port 3 sending "X -> A" is blocked. Port security allows 1 MAC ONLY and blocks the 2nd MAC address.

Enabling Port Security

Enabling port security:
  interface <interface ID>
   switchport port-security

Defining the maximum number of MAC addresses:
  interface <interface ID>
   switchport port-security maximum N

Defining violation actions:
  interface <interface ID>
   switchport port-security violation {restrict | shutdown}

Binding a static MAC address:
  interface <interface ID>
   switchport port-security mac-address mac_address

Man in the Middle Attack Exploiting DHCP Services

Figure: the client sends a DHCP request; DHCP offers arrive from the legitimate server (Pool 1, Pool 2, Pool 3, Pool 4) and from a rogue server. The client accepts the binding (IP address, DNS/WINS, gateway) from whichever offer comes first. The rogue server allocates a legitimate IP address and valid DNS but names itself as the gateway.

Enabling DHCP Snooping: Trust/Untrust

Enabling IP DHCP snooping:
  ip dhcp snooping

Enabling IP DHCP snooping on a specific VLAN:
  ip dhcp snooping vlan X

Trusting the server-facing interface (DHCP rate limiting is also applied per interface):
  interface <interface ID>
   ip dhcp snooping trust   // server

Preventing Eavesdropping: Dynamic ARP Inspection

- Learns IP-MAC bindings via the DHCP Req/Offer exchange with the DHCP server
- Allows packets with a matching IP : MAC

Figure:
- X  User uses a static IP address
-    User uses the DHCP-allocated IP address
- X  User uses someone else's IP address

Enabling Dynamic ARP Inspection

Enabling IP DHCP snooping:
  ip dhcp snooping

Enabling IP DHCP snooping on a specific VLAN:
  ip dhcp snooping vlan X

Enabling Dynamic ARP Inspection:
  ip arp inspection vlan X
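The DHCP snooping binding table and the DAI check described on the last three slides, as an added Python simulation (not Cisco code): server replies are honoured only on trusted ports, and ARP on untrusted ports must match the IP:MAC:port binding learned from DHCP. Port names, MACs and addresses are constructed; static addresses (which on a real switch would need an ARP ACL) are simply dropped, as the figure shows.

```python
from dataclasses import dataclass, field


@dataclass
class DhcpSnoopingVlan:
    """DHCP snooping + Dynamic ARP Inspection state for one VLAN (simulation)."""
    vlan: int
    trusted_ports: set = field(default_factory=set)  # 'ip dhcp snooping trust' ports
    bindings: dict = field(default_factory=dict)     # ip -> (client mac, client port)

    def server_reply(self, in_port, client_mac, client_port, offered_ip):
        """A DHCP OFFER/ACK arriving on in_port. Only trusted (server-facing) ports
        may answer; a reply on an untrusted port (rogue server) is dropped and no
        binding is learned, so the rogue gateway never enters the table."""
        if in_port not in self.trusted_ports:
            return "dropped"
        self.bindings[offered_ip] = (client_mac, client_port)
        return "bound"

    def arp_inspect(self, in_port, sender_mac, sender_ip):
        """DAI check for an ARP packet: trusted ports pass; an untrusted port must
        present exactly the IP:MAC pair that DHCP bound to that same port."""
        if in_port in self.trusted_ports:
            return "permit"
        if self.bindings.get(sender_ip) == (sender_mac, in_port):
            return "permit"
        return "drop"


def build_demo():
    """Constructed scenario: legitimate server on Gi0/24, rogue server on Gi0/5."""
    v = DhcpSnoopingVlan(vlan=10, trusted_ports={"Gi0/24"})
    legit = v.server_reply("Gi0/24", "aa:aa:aa:aa:aa:aa", "Gi0/1", "10.0.0.11")
    rogue = v.server_reply("Gi0/5", "bb:bb:bb:bb:bb:bb", "Gi0/2", "10.0.0.12")
    return v, legit, rogue
```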

Summary and References

Cisco Worm Protection in Action

Figure: infected sources at the access layer attack a system under attack across the access, distribution and core layers. Annotations:
- Protect the end systems (Cisco Security Agent): overloaded systems, high CPU, applications impacted, system crashes
- Police the links: network telemetry, traffic rate limiting, prefix filtering
- Protect the network links: overloaded devices, loss of availability, packet loss, latency, applications impacted
- Secure the control plane: Auto Secure, control plane protection, high CPU/memory threshold, role-based CLI access, secure management access
- Protect the network devices: devices overloaded or compromised; ability to route, ability to be managed, ability to forward data
- Prevent the attack: anti-spoofing, black holing, DDoS, routing protocol authentication

Attacks targeted to end systems cause collateral damage across the network infrastructure. Protect and police your business with a secure and available network.

Hardware Support

Hardware:
- Cisco 7600 Series Router
- Cisco Catalyst 6500 Series Switch
- Cisco 7200 Series Router
- Cisco 7500 Series Router
- Cisco 12000 Series Internet Router
- Cisco 1751 Series Router
- Cisco 2600-XM Series
- Cisco 3700 Series Router
- Cisco 7200 Series Router

Availability:
- Cisco IOS Software Release 12.2(18)SXD1
- Cisco IOS Software Release 12.2(18)S
- Cisco IOS Software Release 12.0(29)S
- Cisco IOS Software Release 12.3(4)T

References

Cisco IOS Security Infrastructure
www.cisco.com/go/autosecure/

Cisco IOS Software Release 12.2(18)SXD
www.cisco.com/go/release122s/

Deploying Control Plane Protection - Policing
www.cisco.com/en/us/products/sw/iosswrel/ps1838/products_white_paper09186a0080211f39.shtml

Control Plane Protection Policing Feature Guide
www.cisco.com/en/us/products/sw/iosswrel/ps1838/products_feature_guide09186a00801afad4.html

QoS Command Reference Guide
www.cisco.com/en/us/products/sw/iosswrel/ps5207/products_command_reference_book09186a00801a7ec7.html

Resources

Cisco NFP
www.cisco.com/go/nfp

Cisco IOS Software Release 12.3T: New Security Features and Hardware, Product Bulletin No. 2358
www.cisco.com/en/us/products/sw/iosswrel/ps5207/prod_bulletin09186a00801d7229.html

Control Plane Protection Documentation
www.cisco.com/en/us/products/sw/iosswrel/ps1838/products_feature_guide09186a00801afad4.html

Glossary

  Acronym  Description
  CoPP     Control Plane Policing
  RTBH     Remote Triggered Black Hole
  RTRL     Remote Triggered Rate Limiting
  racl     Receive ACL
  iacl     Infrastructure ACL
  urpf     Unicast Reverse Path Forwarding

Security is about the ability to control the risk incurred from an interconnected global network. Cisco NFP provides the tools, technologies, and services that enable users to secure their foundation.

Q and A
