AI, ML, Development + Cisco Learning Blog Learning about Machine Learning, Artificial Intelligence, related development topics and formerly Routing and Switching, Datacenter, Security and other topics, CCIE #23664, Frank Wagner

19 December 2008

NTP security as in RFC 958/1305

Filed under: IP and IOS Features,services — ocsic @ 13:42

When devices should be synced, it's time to configure NTP with sources, servers and clients/peers.

Every Cisco router can act as the NTP master (here with stratum 1).

ntp master 1

is all you need to configure the router as an NTP source. The router will use the 127.127.7.1 address as the local source for NTP updates. This address denotes a reference clock for the NTP protocol, used as the source of time. Such a reference clock is mostly a radio clock or some other kind of clock, sometimes even attached directly to the router.

R1#show ntp associations detail
127.127.7.1 configured, our_master, sane, valid, stratum 1

As of IOS 12.1 there are two reference clock drivers for ntp:

R1(config-line)#ntp refclock ?
telecom-solutions Telecom Solutions GPS
trimble Trimble Navigation TSIP Protocol

So it's possible to have an external clock hooked up to the aux port. Trimble has an "Acutime™ Gold GPS Smart Antenna" with an RS422 port. I don't know if it's still possible to use this antenna with the 7200.

So if you use 127.127.7.1, the local NTP timer, as the master with

ntp master 1

you can also configure the stratum for this clock. In the hierarchical NTP model, where servers and clients distribute time to one another, the stratum value tells how far away the original clock is. Stratum 0 is a real time source, like an external GPS or DCF77 receiver. Stratum 1 is normally a host which uses its local clock as a time source, like the "ntp master" command does. Every client in between adds one stratum and about 10-100 ms of inaccuracy. So a lower stratum value indicates a better time source regarding accuracy.

Access to the NTP service is controlled with the

"ntp access-group"

command.

ntp access-group knows the following options (from the documentation).

The access group options are scanned in the following order, from least restrictive to most restrictive:

1. peer—Allows time requests and NTP control queries and allows the system to synchronize itself to a system whose address passes the access list criteria.

2. serve—Allows time requests and NTP control queries, but does not allow the system to synchronize itself to a system whose address passes the access list criteria.

3. serve-only—Allows only time requests from a system whose address passes the access list criteria.

4. query-only—Allows only NTP control queries from a system whose address passes the access list criteria.

If you want to update from the local router (software) clock, you also have to include the 127.127.7.1 address in the access-list, because once any access group is configured every source that matches no group is denied:

ntp master 1

ntp access-group peer 10

access-list 10 permit 127.127.7.1

Otherwise the local clock will not be able to synchronize.

If you want to get time from a remote server 1.1.1.1 and allow only 2.2.2.2 to get time from you, 1.1.1.1 has to pass the peer group (only peer lets the router synchronize to a source), while 2.2.2.2 needs no more than serve-only:

ntp server 1.1.1.1

ntp access-group peer 1

ntp access-group serve-only 2

access-list 1 permit 1.1.1.1

access-list 2 permit 2.2.2.2
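The access-group semantics above (scanned peer, serve, serve-only, query-only; any group present means every unmatched source is denied; only peer allows synchronizing to a source, including the local clock 127.127.7.1 behind ntp master) are easy to get wrong by hand. The following Python script is an added example, not code from the original post or from Cisco: a small auditor that reads the ntp and numbered standard access-list lines of a config snippet and reports sources the router could not synchronize to. The parser, the audit_ntp() function and SAMPLE_CONFIG are constructed here; named or extended access-lists and ntp server lines with a vrf keyword are outside its scope.

```python
"""Audit the NTP access policy of an IOS configuration snippet.

Added example, not from the original post or from Cisco IOS. It models the
access-group rules quoted above: once any ``ntp access-group`` exists, every
source that matches no group is denied, and only the ``peer`` group lets the
router synchronize to a source, including the local clock 127.127.7.1 that
``ntp master`` uses. Only numbered standard access-lists are understood.
"""
import ipaddress
import re

LOCAL_CLOCK = "127.127.7.1"                      # IOS local (software) reference clock
GROUP_TYPES = ("peer", "serve", "serve-only", "query-only")

_ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?$")
_SRC_RE = re.compile(r"^ntp (?:server|peer)\s+(\d+\.\d+\.\d+\.\d+)")
_GRP_RE = re.compile(r"^ntp access-group\s+(\S+)\s+(\d+)")


def parse_standard_acls(config):
    """Return {acl_number: [(address, wildcard, action), ...]} in config order."""
    acls = {}
    for raw in config.splitlines():
        m = _ACL_RE.match(raw.strip())
        if not m:
            continue
        num, action, first, second = m.groups()
        if first == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif first == "host":
            addr, wild = int(ipaddress.ip_address(second)), 0
        else:                                    # "a.b.c.d [wildcard]"; no wildcard = host
            addr = int(ipaddress.ip_address(first))
            wild = int(ipaddress.ip_address(second)) if second else 0
        acls.setdefault(num, []).append((addr, wild, action))
    return acls


def acl_permits(entries, ip):
    """First matching entry wins; running off the end is the implicit deny."""
    ip_int = int(ipaddress.ip_address(ip))
    for addr, wild, action in entries:
        if (ip_int ^ addr) & (~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False


def audit_ntp(config):
    """Return a list of findings; an empty list means the policy is consistent."""
    acls = parse_standard_acls(config)
    groups = {}          # access-group type -> ACL number
    sync_sources = []    # addresses this router has to be able to synchronize to
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ntp master"):
            sync_sources.append(LOCAL_CLOCK)
        elif m := _SRC_RE.match(line):
            sync_sources.append(m.group(1))
        elif m := _GRP_RE.match(line):
            groups[m.group(1)] = m.group(2)

    findings = []
    if not groups:
        findings.append("no ntp access-group configured: any host may query, be served by "
                        "and peer with this router")
        return findings
    for kind, num in groups.items():
        if kind not in GROUP_TYPES:
            findings.append(f"unknown ntp access-group type '{kind}'")
        if num not in acls:
            findings.append(f"ntp access-group {kind} {num} references an undefined "
                            f"access-list (everything is denied)")
    peer_entries = acls.get(groups.get("peer", ""), [])
    for src in sync_sources:
        if not acl_permits(peer_entries, src):
            label = "local clock" if src == LOCAL_CLOCK else "time source"
            findings.append(f"{label} {src} is not permitted by the peer access group; "
                            f"the router cannot synchronize to it")
    return findings


# Constructed sample: the router is an NTP master and serves one client,
# but the peer group forgot the local clock.
SAMPLE_CONFIG = """\
ntp master 1
ntp access-group peer 10
ntp access-group serve-only 20
access-list 10 permit 2.2.2.2
access-list 20 permit 2.2.2.2
"""

if __name__ == "__main__":
    for finding in audit_ntp(SAMPLE_CONFIG) or ["policy consistent"]:
        print(finding)
```

Run it against a pasted "show running-config | include ntp|access-list" output; a config with no access group at all is reported too, since that state lets any host query and peer with the router.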

Source:

http://www.cisco.com/en/US/docs/ios/12_1t/12_1t1/feature/guide/dtrimble.html

http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_tech_note09186a008015bb3a.shtml

http://en.wikipedia.org/wiki/Network_Time_Protocol

http://www.ntp.org

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_basic_sys_manage_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1034942

3 December 2008

3725 on dynamips against 3550/3560 and what is missing

Filed under: dynamips — ocsic @ 22:36

Here is a list of what is missing with the 16 port switching module for the 3725 in comparison to the 3550/3560 Catalyst switches in the lab.

Access Switch Device Manager (SDM) Template
ACL – Improved Merging Algorithm
ARP Optimization
BGP Increased Support of Numbered as-path Access Lists to 500
BGP Restart Neighbor Session After max-prefix Limit Reached
BGP Route-Map Continue Support for Outbound Policy
Clear Counters Per Port
DHCP Snooping
DHCP Snooping Counters
Diagnostics Options on bootup
ErrDisable Reactivation Per Port
ErrDisable timeout
EtherChannel
EtherChannel – Flexible PAgP
Etherchannel Guard
Fallback Bridging
Flex Link Bi-directional Fast Convergence
Flex Link VLAN Load-Balancing
Flex Links Interface Preemption
GOLD – Generic Online Diagnostics
IEEE 802.1ab, Link Layer Discovery Protocol
IEEE 802.1s – Multiple Spanning Tree (MST) Standard Compliance
IEEE 802.1s VLAN Multiple Spanning Trees
IEEE 802.1t
IEEE 802.1W Spanning Tree Rapid Reconfiguration
IEEE 802.1x – Auth Fail Open
IEEE 802.1x – Auth Fail VLAN
IEEE 802.1x – VLAN Assignment
IEEE 802.1x – Wake on LAN Support
IEEE 802.1x Authenticator
IEEE 802.1X Multi-Domain Authentication
IEEE 802.1x RADIUS Accounting
IEEE 802.1x with Port Security
IEEE 802.3ad Link Aggregation (LACP)
IEEE 802.3af Power over Ethernet
IGMP Fast Leave
IGMP Version 1
IGRP
IP Phone Detection Enhancements
IP Phone Enhancement – PHY Loop Detection
IPSG (IP Source Guard)
Jumbo Frames
L2PT – Layer 2 Protocol Tunneling
MAC Authentication Bypass
MLD Snooping
Multicast Etherchannel Load Balancing
NAC – L2 IEEE 802.1x
NAC – L2 IP
NAC – L2 IP with Auth Fail Open
Packet-Based Storm Control
Per Port Per VLAN Policing
Port Security
Port Security on Private VLAN Ports
Private VLANs
QoS Policy Propagation via Border Gateway Protocol (QPPB)
Rapid-Per-VLAN-Spanning Tree (Rapid-PVST)
Reduced MAC Address Usage
Remote SPAN (RSPAN)
Smart Port
Spanning Tree Protocol (STP) – Loop Guard
Spanning Tree Protocol (STP) – Portfast
Spanning Tree Protocol (STP) – PortFast BPDU Filtering
Spanning Tree Protocol (STP) – Portfast Support for Trunks
Spanning Tree Protocol (STP) – Root Guard
Spanning Tree Protocol (STP) – Uplink Load Balancing
SRR (Shaped Round Robin)
Standby Supervisor Port Usage
STP Syslog Messages
Switching Database Manager (SDM)
Trunk Failover
Trusted boundary (extended trust for CDP devices)
Unicast Mac Filtering
UniDirectional Link Detection (UDLD)
VLAN Access Control List (VACL)
VLAN Aware Port Security
Weighted Tail Drop (WTD)

2 December 2008

CCIE Wireless is there

Filed under: General — ocsic @ 17:47

Interesting news. Wireless is a new topic on the plan. Now we have:

I still go for the Routing and Switching.

Source:

http://www.cisco.com/web/learning/le3/ccie/index.html

Cisco Firewall evolution with access-lists, reflexive access-lists, ip tcp intercept and CBAC

Filed under: IP and IOS Features,Security — ocsic @ 17:25

What can I do with CBAC and how do I configure it? What is it intended for? What can also be done with reflexive access-lists? Might ip tcp intercept also be helpful?

Reflexive access lists are Cisco's introduction to stateful filtering. For firewalling it is a nice feature and can be thought of as a kind of ip nat with overload without being able to reach the inside: only if a connection has been triggered from the inside is the return traffic allowed to pass.

Speaking of an established session means that the device in between records the connection and dynamically adds an allow filter to let the traffic matching this session pass back through the firewall. That is the meaning of a stateful filter. Cisco standard and extended access-lists can only filter statically. This is where reflexive access-lists come into play.

These are two configuration examples for telnet sessions:

1. The first example allows telnet for established sessions in an "extended" access-list:

ip access-list extended ESTABLISHED
permit tcp any eq telnet any established

interface FastEthernet0/0

ip access-group ESTABLISHED in

Here only telnet traffic belonging to sessions originated by the inside client is allowed back into the network.

As you might already expect, there is another way with reflexive access-lists:

interface FastEthernet0/0

ip access-group REFL_IN in
ip access-group REFL_OUT out

ip access-list extended REFL_IN
evaluate REFLECT
ip access-list extended REFL_OUT
permit tcp any any eq telnet reflect REFLECT timeout 30

FW#sh access-lists

Reflexive IP access list REFLECT
permit tcp host 144.1.18.10 eq telnet host 144.1.5.5 eq 28929 (12 matches) (time left 25)

Extended IP access list REFL_IN
10 evaluate REFLECT
Extended IP access list REFL_OUT
10 permit tcp any any eq telnet reflect REFLECT (7 matches)

Here the host 144.1.18.10 is outside from the firewall's perspective and is answering telnet requests from 144.1.5.5. This reflexive access-list entry is dynamically generated. By default such an entry is active for 300 seconds. If the connection is idle for that amount of time, the entry is removed from the list and from memory, but the session is not terminated. The still active session will simply bring up a new reflexive entry. So this timeout has nothing to do with an absolute or idle timeout in the usual sense; it is more of a "clean up" timeout.

Here is a possible use of "ip tcp intercept" vs. reflexive access-lists:
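The two configurations differ in what they check: the ESTABLISHED list only tests TCP flag bits, while the REFLECT list permits exactly the mirror of a flow seen leaving, and its timeout only cleans up the entry. The following Python model is an added example, not code from the original post or from Cisco IOS; the Packet type, the ReflexiveAcl class, the run_scenario() walk-through and the unrelated address 198.51.100.9 are constructed here. It replays the telnet session from the show output above (144.1.5.5 to 144.1.18.10) through both policies and then lets the entry idle past its timeout.

```python
"""'established' versus reflexive access-list, as a stateless/stateful model.

Added example, not from the original post or from Cisco IOS. Packet, the
ReflexiveAcl class and the run_scenario() walk-through are constructed here to
show the difference between the two configurations above: the ESTABLISHED
list only tests TCP flag bits, while the REFLECT list permits exactly the
mirror of a flow that was seen leaving, and its timeout only cleans up the
entry without ending the session.
"""
from dataclasses import dataclass

TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def established_acl_permits(pkt):
    """'permit tcp any eq telnet any established': any telnet-sourced segment
    with ACK or RST set passes, regardless of who started the conversation."""
    return pkt.sport == TELNET and bool(pkt.flags & {"ACK", "RST"})


class ReflexiveAcl:
    """REFL_OUT 'permit tcp any any eq telnet reflect REFLECT timeout N' and
    REFL_IN 'evaluate REFLECT', with the entry timer modelled explicitly."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.entries = {}                   # mirrored 4-tuple -> expiry time

    def _purge(self, now):
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}

    def outbound(self, pkt, now):
        """Outbound telnet creates (or refreshes) the reflected entry."""
        if pkt.dport != TELNET:
            return False
        self.entries[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now + self.timeout
        return True

    def inbound(self, pkt, now):
        """Inbound traffic passes only if it mirrors a live outbound flow."""
        self._purge(now)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.entries:
            self.entries[key] = now + self.timeout   # matching traffic refreshes the timer
            return True
        return False

    def active_entries(self, now):
        self._purge(now)
        return sorted(self.entries)


def run_scenario():
    """Replay the telnet session from the post plus one unrelated packet."""
    refl = ReflexiveAcl(timeout=30)
    inside, outside = "144.1.5.5", "144.1.18.10"
    unrelated = "198.51.100.9"                       # constructed, never seen outbound
    syn = Packet(inside, 28929, outside, TELNET, frozenset({"SYN"}))
    reply = Packet(outside, TELNET, inside, 28929, frozenset({"SYN", "ACK"}))
    stray = Packet(unrelated, TELNET, inside, 4444, frozenset({"ACK"}))
    results = {}
    refl.outbound(syn, now=0)
    results["reply_reflexive"] = refl.inbound(reply, now=1)
    results["reply_established"] = established_acl_permits(reply)
    results["stray_ack_established"] = established_acl_permits(stray)   # flag test alone lets it in
    results["stray_ack_reflexive"] = refl.inbound(stray, now=1)         # no matching outbound flow
    results["entries_after_idle"] = refl.active_entries(now=40)        # idle > timeout: cleaned up
    data = Packet(inside, 28929, outside, TELNET, frozenset({"ACK", "PSH"}))
    refl.outbound(data, now=41)                                         # session is still open
    results["reply_after_recreate"] = refl.inbound(reply, now=42)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The stray_ack results are the point of the comparison: the flag-only list admits any telnet-sourced segment carrying the ACK bit, the reflexive list admits nothing it has not seen leave. The entries_after_idle and reply_after_recreate results show the clean-up nature of the timeout described above.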

ip tcp intercept list REFL_OUT
ip tcp intercept connection-timeout 20

Here you can set an idle timeout for the tcp connection in your firewall. The idle timeout is now set to 20 seconds.

R2#sh tcp intercept connections
Incomplete:
Client Server State Create Timeout Mode

Established:
Client Server State Create Timeout Mode
144.1.5.5:50346 144.1.18.10:23 ESTAB 00:00:59 00:00:01 I

After that time you can see your firewall sending a TCP reset to both ends:

Packet debug on the firewall:

*Mar 1 10:37:00.665: IP: s=144.1.18.10 (local), d=144.1.5.5 (Vlan5), len 40, sending
*Mar 1 10:37:00.665: TCP src=23, dst=50346, seq=197049759, ack=1038522490, win=0 ACK RST
*Mar 1 10:37:00.665: IP: s=144.1.5.5 (local), d=144.1.18.10 (FastEthernet0/0), len 40, sending
*Mar 1 10:37:00.665: TCP src=50346, dst=23, seq=1038522490, ack=197049759, win=0 ACK RST

The connection is cleanly reset.

With ip tcp intercept you have more possible scenarios, for example if you are under a TCP SYN flood (DoS) attack. Here I use nmap as a tool for generating multiple TCP SYN packets.

cat syn-dos-test.sh

nmap -sS -P0 -p 23 144.1.18.10 &
nmap -sS -P0 -p 23 144.1.18.10 &
nmap -sS -P0 -p 23 144.1.18.10 &
nmap -sS -P0 -p 23 144.1.18.10 &
nmap -sS -P0 -p 23 144.1.18.10 &
nmap -sS -P0 -p 23 144.1.18.10 &
nmap -sS -P0 -p 23 144.1.18.10 &
nmap -sS -P0 -p 23 144.1.18.10 &
nmap -sS -P0 -p 23 144.1.18.10 &
nmap -sS -P0 -p 23 144.1.18.10 &

If you start this several times you will see ip tcp intercept take action against half-open sessions. The high watermark is the point for starting aggressive mode, and the low watermark has to be crossed for returning to normal mode.

*Mar 1 13:50:35.548: %TCP-6-INTERCEPT: getting aggressive, count (5/5) 1 min 9
*Mar 1 13:50:35.548: INTERCEPT: Possible attack! Aborting half-open connection SYNRCVD (10.0.0.1:58971 <-> 144.1.18.10:23)
*Mar 1 13:50:35.548: INTERCEPT(*): (10.0.0.1:58971 <- RST 144.1.18.10:23)
*Mar 1 13:50:35.548: INTERCEPT: new connection (10.0.0.1:57671 SYN -> 144.1.18.10:23)
*Mar 1 13:50:35.548: INTERCEPT(*): (10.0.0.1:57671 <- ACK+SYN 144.1.18.10:23)
*Mar 1 13:50:35.584: INTERCEPT: Possible attack! Aborting half-open connection SYNRCVD (10.0.0.1:39401 <-> 144.1.18.10:23)

Now tcp intercept is starting to drop half-open connections, oldest first. You can also change the drop mode.

Next, take a look at "ip inspect", also known as CBAC (Context-Based Access Control).

interface FastEthernet0/0

ip access-group 101 in
ip inspect TELNET out

access-list 101 deny tcp any eq telnet any

ip inspect tcp idle-time 15
ip inspect name TELNET telnet

After opening a session, the telnet connection is able to establish and inspect has registered the session:

FW#sh ip inspect sessions
Established Sessions
Session 6571BC0C (144.1.5.5:12150)=>(144.1.18.10:23) telnet SIS_OPEN
Rack1SW2#

You can enable an idle timeout for the telnet sessions:

ip inspect name TELNET telnet timeout 10

or for all tcp sessions:

ip inspect tcp idle-time 10

The half-open thresholds and the per-protocol alert and audit-trail options are set like this:

ip inspect max-incomplete low 4
ip inspect max-incomplete high 5
ip inspect name TELNET telnet alert on audit-trail off timeout 10

If you test the TCP SYN flood here as well, you will see ip inspect react to the SYN attack:

*Mar 1 14:24:43.736: %FW-4-ALERT_ON: getting aggressive, count (6/5) current 1-min rate: 6
*Mar 1 14:24:44.012: %FW-4-ALERT_OFF: calming down, count (3/4) current 1-min rate: 16
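Both ip tcp intercept (the "getting aggressive" log above, with its oldest-first drop mode) and CBAC's max-incomplete low/high settings implement the same watermark logic. The following Python model is an added example, not code from the original post or from Cisco IOS; the HalfOpenGuard class, the simulate() replay and the client addresses are constructed here. It reproduces the count (6/5) and (3/4) transitions with the low 4 / high 5 values from the configuration above.

```python
"""Half-open connection watermarks as used by ip tcp intercept and CBAC.

Added example, not from the original post or from Cisco IOS: a model of the
high/low watermark behaviour shown in the log lines above. When the number of
half-open (SYN received, handshake not completed) connections exceeds `high`,
the guard enters aggressive mode and, for each further connection request,
deletes one existing half-open connection (oldest first, or random, mirroring
the two drop modes of ip tcp intercept). It leaves aggressive mode once the
count falls below `low`. All names and the traffic are constructed.
"""
import random
from collections import OrderedDict


class HalfOpenGuard:
    def __init__(self, low, high, drop_mode="oldest", seed=0):
        assert low < high, "low watermark must be below high watermark"
        self.low, self.high = low, high
        self.drop_mode = drop_mode
        self._rng = random.Random(seed)
        self.half_open = OrderedDict()      # (client, server) -> creation time
        self.aggressive = False
        self.events = []                    # log lines the device would emit

    def _update_mode(self):
        count = len(self.half_open)
        if not self.aggressive and count > self.high:
            self.aggressive = True
            self.events.append(f"getting aggressive, count ({count}/{self.high})")
        elif self.aggressive and count < self.low:
            self.aggressive = False
            self.events.append(f"calming down, count ({count}/{self.low})")

    def _drop_one(self):
        keys = list(self.half_open)
        victim = keys[0] if self.drop_mode == "oldest" else self._rng.choice(keys)
        del self.half_open[victim]
        self.events.append(f"aborting half-open connection {victim[0]} <-> {victim[1]}")

    def syn(self, client, server, now):
        """A new connection request; it stays half-open until completed()."""
        self.half_open[(client, server)] = now
        self._update_mode()
        if self.aggressive:                 # one existing half-open flow pays for each new SYN
            self._drop_one()

    def completed(self, client, server):
        """The three-way handshake finished: the flow is no longer half-open."""
        self.half_open.pop((client, server), None)
        self._update_mode()


def simulate(low=4, high=5, drop_mode="oldest"):
    """Replay a small constructed SYN burst and return (events, half-open count)."""
    guard = HalfOpenGuard(low, high, drop_mode)
    server = "144.1.18.10:23"
    clients = [f"10.0.0.1:{40000 + i}" for i in range(7)]   # constructed flood sources
    for t, client in enumerate(clients):
        guard.syn(client, server, now=t)
    guard.completed(clients[2], server)      # two flows finish their handshake
    guard.completed(clients[3], server)
    return guard.events, len(guard.half_open)


if __name__ == "__main__":
    for line in simulate()[0]:
        print(line)
```

The sixth SYN pushes the count to 6, above the high watermark of 5, so the guard turns aggressive and aborts the oldest half-open flow; it calms down only after completed handshakes bring the count below the low watermark of 4, which is why the two thresholds are kept apart (hysteresis) rather than using a single limit.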

Audit-trail logs all connections and attempts. Alert sends only those to the log which have been found suspicious.

CBAC supports many different protocols, including protocols which negotiate ports dynamically, and is therefore able to inspect at the application layer.

Source:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_tcp_intercpt_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1001032

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_content_ac_ps6350_TSD_Products_Configuration_Guide_Chapter.html
