satellite or radio, to Coordinated Universal Time (UTC). However, if network administrators do not want to implement their own master clocks because of cost or other reasons, clock sources are available for synchronization via the Internet. The current version of NTP is version 4. The latest version defined by an RFC is version 3, which is recommended from a security perspective. An attacker could attempt a DoS attack on a network by sending bogus NTP data across the Internet in an attempt to change the clocks on network devices in such a manner that digital certificates are considered invalid. An attacker could also attempt to confuse a network administrator during an attack by disrupting the clocks on network devices. This scenario makes it difficult for the network administrator to determine the order of syslog events on multiple devices.
5.3 Network Attacks Using Intelligence
5.3.5 Management Protocol Best Practices

The figure summarizes best practices to be followed when implementing a secure management solution. These are recommendations for the correct use of SNMP tools:

- Configure SNMP with only read-only community strings.
- Set up access control on the device you want to manage via SNMP to allow access by only the appropriate management hosts.
- Use SNMP version 3. This version provides secure access to devices through a combination of authenticating and encrypting management packets over the network.

When possible, the following management practices are advised:

- Encrypt syslog traffic within an IPsec tunnel.
- Implement RFC 3704 filtering at the perimeter router when allowing syslog access from devices outside a firewall.
- Implement ACLs on the firewall to allow syslog data from only the managed devices themselves to reach the management hosts.
- When possible, encrypt TFTP traffic within an IPsec tunnel in order to reduce the chance of interception.

The following are recommendations to follow when using NTP:

- Implement your own master clock for private network synchronization.
- Use NTP version 3 or above because these versions support a cryptographic authentication mechanism between peers. NTP v3 is currently supported by most vendors, including Cisco Systems. The latest version, version 4, is not defined by any RFC and therefore is not widely supported.
- Use ACLs that specify which network devices are allowed to synchronize with other network devices.
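As an added example of turning the SNMP and NTP recommendations above into a repeatable check (this script is not part of the course material), the following Python audits a Cisco IOS configuration excerpt for read-write or unrestricted community strings, SNMPv3 users without both authentication and privacy, and NTP servers configured without key authentication or an access group. The command syntax follows Cisco's documented snmp-server and ntp commands; the two configuration excerpts, their addresses, and their keys are constructed samples.

```python
import re
def audit_mgmt_config(config: str) -> list:
    """Return findings for SNMP/NTP lines that miss a recommendation (empty list = all checks passed)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        # Community strings must be read-only and bound to an access list
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", ln)
        if m:
            name, mode, acl = m.groups()
            if mode == "RW":
                findings.append(f"SNMP community '{name}' is read-write")
            if acl is None:
                findings.append(f"SNMP community '{name}' has no access list")
        # SNMPv3 users must both authenticate and encrypt (auth + priv)
        m = re.match(r"snmp-server user (\S+) (\S+) v3(.*)$", ln)
        if m and not ("auth" in m.group(3) and "priv" in m.group(3)):
            findings.append(f"SNMPv3 user '{m.group(1)}' lacks auth and/or priv")
    # NTP servers must use key authentication and be limited by an ACL
    servers = [ln for ln in lines if ln.startswith("ntp server ")]
    if servers:
        if "ntp authenticate" not in lines:
            findings.append("NTP authentication is not enabled")
        findings += [f"'{ln}' has no authentication key"
                     for ln in servers if " key " not in ln]
        if not any(ln.startswith("ntp access-group ") for ln in lines):
            findings.append("no NTP access-group restricts peers")
    return findings

# Constructed sample: SNMPv1/v2c community strings and unauthenticated NTP
WEAK_CONFIG = """
snmp-server community public RW
snmp-server community private RO
ntp server 10.1.1.5
"""

# Constructed sample that follows the recommendations (addresses and keys are made up)
HARDENED_CONFIG = """
access-list 10 permit host 10.1.1.100
access-list 20 permit host 10.1.1.5
snmp-server community monitor RO 10
snmp-server group NETMGMT v3 priv
snmp-server user netops NETMGMT v3 auth sha AuthPass123 priv aes 128 PrivPass123
ntp authentication-key 1 md5 NtpKey123
ntp authenticate
ntp trusted-key 1
ntp server 10.1.1.5 key 1
ntp access-group peer 20
"""
```

Running audit_mgmt_config over WEAK_CONFIG yields six findings, one per violated recommendation, while HARDENED_CONFIG yields none.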
5.3.6 Determining Vulnerabilities and Threats

You can use several tools and techniques to find vulnerabilities in your network. Once you identify the vulnerabilities, you can consider and implement mitigation steps as appropriate. Use the tools listed in the figure to determine vulnerabilities:

- Blue's Port Scanner scans 300 ports per second on a Windows computer.
- Wireshark (formerly known as Ethereal) is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. Wireshark has all of the standard features that you expect in a protocol analyzer, and several features not seen in any other product. The Wireshark open source license allows talented experts in the networking community to add enhancements. Wireshark runs on all popular computing platforms, including UNIX, Linux, and Windows.

Note: As of June 2006, Ethereal is known as Wireshark.

- Microsoft Baseline Security Analyzer (MBSA) is the free, best-practices vulnerability assessment tool for the Microsoft platform. MBSA is a tool designed for the IT professional that helps with the assessment phase of an overall security management strategy. MBSA includes graphical and command-line interfaces that can perform local or remote scans of Windows systems.
- Nmap is a well-known low-level scanner that is available to the general public. Nmap is simple to use and has an array of excellent features that can be used for network mapping and reconnaissance. The basic functionality of Nmap allows the user to do the following:
  - Perform classic TCP/UDP port scanning (looking for different services on one host) and sweeping (looking for the same service on multiple systems).
  - Perform stealth port scans and sweeps, which are hard for the target host or intrusion detection systems to detect.
  - Identify the remote operating system ("operating system fingerprinting") through TCP idiosyncrasies. This technique analyzes the responses to different stimuli and identifies elements that are characteristic of a specific operating system or platform.
  - Use advanced features such as protocol scanning (Layer 3 port scanning), which can identify Layer 3 protocol support on a host (Generic Routing Encapsulation [GRE] support, Open Shortest Path First [OSPF] support, and so on).

Blue's Port Scanner and Wireshark

The figure shows screen captures from Blue's Port Scanner and Wireshark. The window on the left illustrates a TCP host scan and the resulting list of open TCP ports produced by Blue's Port Scanner. In this example, Blue's Port Scanner has been used to scan a single host with the address 10.1.1.2. The TCP scan shows that SMTP, HTTP, FTP, HTTPS, EPMAP, and NETBIOS-SSN are open on that host. The image on the right shows an example of a packet capture using Wireshark. Wireshark allows you to specify various options, such as which adapter is used for sniffing and which packet filters to apply to the capture. In the figure, you see a number of packets of different protocols, each of which can be individually investigated in detail.

Caution: Limit the scope of the testing when using Port Scanner or Wireshark so that you do not cause a DoS attack against your network.

Microsoft Baseline Security Analyzer

The figure illustrates the results of a host vulnerability scan using MBSA. MBSA is an easy-to-use tool that identifies security vulnerabilities of hosts that are running Microsoft operating systems. This tool allows you to scan the local host, on which MBSA is running, or any remote systems. The program provides a list of found vulnerabilities that can be sorted using different criteria. The tool provides a description of each detected vulnerability and recommends methods to fix the vulnerability.

Web Links

Blue's Port Scanner: http://www.bluebitter.de/portscn2.htm
Wireshark: http://www.wireshark.org/
Microsoft Baseline Security Analyzer: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Nmap: http://insecure.org/nmap/
5.4 Disabling Unused Cisco Router Network Services and Interfaces
5.4.1 Vulnerable Router Services and Interfaces

Medium-size and large networks typically use a firewall appliance behind the perimeter router, which adds security features and performs user authentication and more advanced packet filtering. Firewall installations also facilitate the creation of demilitarized zones (DMZs), where the firewall places hosts that are commonly accessed from the Internet. Cisco IOS software offers an alternative to a firewall appliance by incorporating many firewall features in the perimeter router. Although this option does not provide the same performance and security features that a Cisco PIX