How to Avoid the Finger of Death and Other Network Threats
Last week I showed you the best ways to battle viruses, worms, Trojan horses and other network threats.
Today, I decided to share a few more important security practices that every network engineer should be familiar with. These handy tips will ensure uninterrupted and healthy network operation.
I’ll go over the steps to configuring your Cisco networking devices to function as a firewall, using the Cisco IOS security features.
Later on, I’ll also introduce the Cisco IOS Firewall feature set, which uses a Context-Based Access Control (CBAC) to filter and discard untrusted packets based on application layer information.
CBAC is an enhanced Cisco IOS feature that allows network administrators to configure and maintain advanced access lists by monitoring and allowing access only to specific applications on a need-to-need basis.
But before we get too far into the topic, let’s begin with a short introduction of all Cisco IOS features that implement security on Cisco routers.
Disabling TCP and UDP Small Servers
Cisco devices running IOS version 11.3 or earlier offer, by default, what is known as small services which are basically a set of simple services that are used for diagnostic purposes.
An attacker could maliciously use these services to gain system information and even launch Denial of Service (DoS) attacks. These services can be disabled by issuing the following commands:
RouterA(config)# no service tcp-small-servers, and
RouterA(config)# no service udp-small-servers
Disabling Finger Service
The Finger service is used to find out which users are logged into the router. A special DoS attack called Finger of death uses the finger service to continuously transmit finger requests to a given device consuming great amounts of processing resources.
To disable this service use the following command:
RouterA(config)# no service finger
Disabling IP BOOTP Server Service
A Cisco router can be configured to act as a BOOTP server and provide IOS software files to a certain number of Cisco network devices. This service could be used by an attacker to download a copy of a network device’s IOS software.
To disable this service, use the following command:
RouterA(config)# no ip bootp server
Disabling IP Source Routing
IP source routing allows the sender of an IP packet to control the route that the packet will take towards its final destination. Source routing should be disabled when it’s not needed because it could be used for various malicious attacks.
The command to disable this feature is:
RouterA(config)# no ip source-route
Disabling Proxy ARP
ARP protocol is used to resolve IP network addresses to MAC layer 2 addresses. Usually this functionality is restricted within the boundaries of a LAN.
Proxy ARP enables extending a LAN across multiple segments and it should be used only if all segment boundaries are trusted. If not needed, this feature should be disabled with the use of the following command in interface configuration mode:
RouterA(config)# interface Ethernet 0
RouterA(config-if)# no ip proxy-arp
Disabling IP Redirects, IP Unreachables and IP Mask Replies
The Internet Control Message Protocol (ICMP) which I already covered my previous article on Internet Control Protocols, is extensively used to reveal various network conditions as well as exact routes and paths of a given traffic flow.
Three ICMP messages are commonly used by untrusted users to diagnose and inspect network conditions. These three messages are:
- ICMP Redirects – These messages instruct a certain end note to take a specific route towards a given destination.
- ICMP Host Unreachable – These messages are sent out when a router receives a packet and has no information on its routing table where it should route it.
- ICMP Mask Reply Messages – These messages are transmitted to the device requesting the subnet mask from a particular subnet network within the internetwork.
All these ICMP messages can be disabled on a per interface basis. To do so, use the following commands on all the interfaces of your router:
RouterA(config)# interface Ethernet 0
RouterA(config-if)# no ip redirect
RouterA(config-if)# no ip unreachable
RouterA(config-if)# no ip mask-reply
Setting TCP Synwait Time
A TCP connection setup consists of a three way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver and then an acceptance of that acknowledgement is sent by the originator.
An attacker could flood a host with a high volume of TCP connection requests for which it does not return back an acknowledgement causing connection queues to fill up at the receiving host. Setting the TCP Synwait time to 15 seconds for example, will instruct the router to shut down any incomplete connections after 15 seconds.
The command to configure this is:
RouterA(config)# ip tcp synwait-time 15
Setting the Authentication Failure Rate to 2 Retries
There is one method of cracking passwords called the dictionary attack, which constantly tries to login to the router using every word in a dictionary.
Configuring your router to lock access (for about 15 seconds) after three unsuccessful login attempts disables this method of malicious attack and at the same time a log message is generated warning about the unsuccessful login attempts.
To set the authentication failure rate to 3 unsuccessful login attempts use the following command:
RouterA(config)# security authentication failure rate 3
Setting up a Cisco Router Firewall
To set up an IOS firewall using Context-Based Access Control (CBAC) on the router, the following steps should be followed:
- Make sure CBAC is supported by your router IOS. You basically need an IOS version with includes the Firewall Feature Set:
Use the show version command to see whether your router supports this feature.
- Set the boundaries of the trusted network and identify the network addresses of the untrusted network you will need.
Trusted network addresses 10.1.1.0 up to 10.1.1.255
Untrusted network addresses – could be anything else for WWW services and host 10.10.10.10 for SMTP and PoP3.
- Decide which services the users on the trusted network will use from the untrusted network
Example: SMTP, POP3, HTTP
- Configure an outbound access list and apply it on the outside interface prohibiting all traffic that should not leave the trusted network.
RouterA(config)# ip access-list extended 120
RouterA(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 any eq www
RouterA(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 host 10.10.10.10 eq smtp
RouterA(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 host 10.10.10.10 eq pop3
RouterA(config-ext-nacl)# deny ip any
RouterA(config)# interface ethernet0
RouterA(config-if)# ip access-group 120 out
- Create a CBAC inspection ruleset named firewall1 regarding the desired services traffic monitoring and make sure that a console alert is triggered (using the alert option) and a log message is generated (using the audit-trail option) when a violation of the rule is noticed.
RouterA(config)# ip ispect firewall1 tcp alert on audit-trail on
RouterA(config)# ip ispect firewall1 smtp alert on audit-trail on
RouterA(config)# ip ispect firewall1 pop3 alert on audit-trail on
- Apply the CBAC inspection ruleset to the desired interface (in our example to the outside interface).
RouterA(config)# interface ethernet0
RouterA(config-if)# ip inspect firewall1 out
- Test your CBAC configuration.
Try to telnet to an untrusted host. CBAC will generate an alert and log this action.
Secure Your Network
Security is the most crucial factor in existence and an on-going functionality of every network infrastructure of every vendor. Do not underestimate the consequences of limited security. Act now and don’t wait until it’s too late.