Chapter 9. Secure Routing and Antispoofing

This chapter covers both antispoofing and securing the routing protocol your routers use to exchange information. Antispoofing filters prevent external users from sending forged packets that act as if they come from your internal network. Many security controls use a packet’s source IP address to allow or deny access. By sending spoofed packets that look as if they originated on your internal network, attackers can manipulate or bypass these security controls.

Your routers use routing protocols to exchange information. This information is used to determine what direction a router will send a packet once it is received. A functional network requires correct routing information, so, minimally, an attacker can cause a denial-of-service (DoS) attack by inserting false routing information into your routers. A far more damaging attack can involve having all of your network traffic relayed through another system, possibly one controlled by the attacker or one that allows him to bypass your firewall and intrusion detection systems. Protecting how routers exchange routing information is necessary to prevent such dangers.

Antispoofing

Antispoofing filters are usually implemented to protect the networks behind routers, but they are equally important in protecting the routers themselves. These filters keep people from attempting to spoof connections to your routers. They also prevent numerous attacks that, while not directed at the router, must pass through the router and can overwhelm it with excessive traffic.

This chapter covers both inbound and outbound filters using traditional ACLs and Cisco’s newer Unicast Reverse Path Forwarding feature. Finally, since filtering can cause some performance degradation, the section ends with brief descriptions of methods used to reduce the performance impact of antispoofing filters.

Ingress and Egress Filtering

Ingress and egress refer to filters applied to packets traveling into and out of a network, respectively. Ingress refers to packets coming from an external network—like the Internet—into your network, and egress refers to packets leaving your network and going to an external network. Your site needs to implement both types of filters.

Since ingress and egress filters relate to packets entering or leaving your network, they should be applied at the edges of your network—anywhere you connect to a network controlled by another.

Ingress

Ingress filters make sure that packets entering your network do not claim to be from your network. Assume that your network is 130.18.0.0/16. All IPs leaving your network should have a source address of 130.18.x.x. Additionally, no packets coming into your network should have a source address of 130.18.x.x. A packet from an external network with a source address of 130.18.x.x stems from either a misconfiguration or an attacker attempting to send spoofed packets into your network. Either way, packets from external networks claiming to have a source address of your internal network—130.18.x.x, in this example—are dangerous and should be dropped.

To drop these packets:

  1. Create an ACL that:

    1. Denies all packets coming from the Internet claiming to have originated from the internal network

    2. Permits all other packets

  2. Apply that ACL, in the inbound direction, to the router interface that connects to the external network.

Using the interface Serial 0/0 and the internal network 130.18.0.0/16, the configuration would look like:

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 15  deny 130.18.0.0 0.0.255.255
Router(config)#access-list 15  permit any
Router(config)#interface Serial 0/0
Router(config-if)#ip access-group 15  in
Router(config-if)#^Z

If you have more than one network numbering scheme inside your internal network, you would extend the deny statements to include all of your internal networks. For example, if your internal network consisted of the following networks:

203.2.4.0/24
199.10.4.0/27
215.6.45.0/24

your ingress ACL would look like:

access-list 15 deny 203.2.4.0 0.0.0.255
access-list 15 deny 199.10.4.0 0.0.0.31
access-list 15 deny 215.6.45.0 0.0.0.255
access-list 15 permit any

Finally, to fully protect your router and network, you should apply the ingress filter to all interfaces that attach to an external network.

Reserved and private networks

Antispoofing filters also need to include rules that filter out any packets that claim to come from reserved and private networks. The standard list includes the loopback address, the broadcast address, multicast networks, and networks defined in RFC 1918 as reserved:

  • 127.0.0.0/8

  • 10.0.0.0/8

  • 172.16.0.0/12

  • 192.168.0.0/16

  • 224.0.0.0/4

  • 240.0.0.0/5

  • 255.255.255.255/32

Adding these filters to our previous example (in which the internal networks were assumed to be 203.2.4.0/24, 199.10.4.0/27, and 215.6.45.0/24), you get the following ACL:

access-list 15 deny 203.2.4.0 0.0.0.255
access-list 15 deny 199.10.4.0 0.0.0.31
access-list 15 deny 215.6.45.0 0.0.0.255
access-list 15 deny 127.0.0.0 0.255.255.255
access-list 15 deny 10.0.0.0 0.255.255.255
access-list 15 deny 172.16.0.0 0.15.255.255
access-list 15 deny 192.168.0.0 0.0.255.255
access-list 15 deny 224.0.0.0 15.255.255.255
access-list 15 deny 240.0.0.0 7.255.255.255
access-list 15 permit any

Tip

Some administrators like to go all out with their spoofing filters. The site http://www.liquifried.com/docs/security/reservednets.html has a large list of IANA-reserved addresses that you can configure into your antispoofing filters.

Egress

Egress filtering prevents your network from sending spoofed packets out to the Internet. This type of filtering is desirable because it prevents your network and routers from being launching points for attacks involving spoofed packets. Not allowing spoofed packets out of your network makes your network and routers less attractive to attackers since they can no longer use spoofing attacks.

Using the same 130.18.0.0/16 network as before, to perform egress filtering, you must:

  1. Create an ACL that:

    1. Allows packets with a 130.18.x.x source address out

    2. Denies all other packets

  2. Apply the ACL, in the outbound direction, to the interface that connects to an external network.

For example:

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 16  permit 130.18.0.0 0.0.255.255
Router(config)#access-list 16  deny any
Router(config)#interface Serial 0/0
Router(config-if)#ip access-group 16  out
Router(config-if)#^Z

With multiple internal networks, add permit statements for each network before the deny any statement. An example ACL would look like:

access-list 16 permit 203.2.4.0 0.0.0.255
access-list 16 permit 199.10.4.0 0.0.0.31
access-list 16 permit 215.6.45.0 0.0.0.255
access-list 16 deny any
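The ingress and egress ACLs above are easy to get subtly wrong by hand, most often in the wildcard masks. The following added example (not code from the book) generates both ACLs for the chapter's three internal networks plus the reserved ranges listed earlier, and then evaluates sample source addresses against them the way IOS does (first match wins, implicit deny at the end). The log keyword on deny entries follows the Tip above; the internal prefixes and test addresses are constructed.

```python
import ipaddress

# Reserved and private source ranges the chapter lists: loopback, RFC 1918,
# multicast, class E and the limited-broadcast address.
BOGONS = [
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/5", "255.255.255.255/32",
]


def wildcard(prefix):
    """Return (network, wildcard-mask) strings for a CIDR prefix, as IOS
    standard ACLs expect. The wildcard is the inverse of the subnet mask:
    /27 -> mask 255.255.255.224 -> wildcard 0.0.0.31."""
    net = ipaddress.ip_network(prefix, strict=True)
    return str(net.network_address), str(net.hostmask)


def ingress_acl(internal, number):
    """Inbound ACL for an external-facing interface: deny (and log) packets
    whose source claims to be one of our networks or a reserved range,
    then permit everything else."""
    lines = []
    for prefix in list(internal) + BOGONS:
        addr, mask = wildcard(prefix)
        lines.append(f"access-list {number} deny {addr} {mask} log")
    lines.append(f"access-list {number} permit any")
    return lines


def egress_acl(internal, number):
    """Outbound ACL: permit only our own source addresses, deny and log
    everything else so nothing spoofed leaves the network."""
    lines = []
    for prefix in internal:
        addr, mask = wildcard(prefix)
        lines.append(f"access-list {number} permit {addr} {mask}")
    lines.append(f"access-list {number} deny any log")
    return lines


def acl_action(lines, src_ip):
    """Evaluate a standard numbered ACL against a source address the way
    IOS does: entries are tried in order, the first match decides, and an
    ACL that matches nothing denies implicitly."""
    src = int(ipaddress.ip_address(src_ip))
    for line in lines:
        fields = line.split()
        action, target = fields[2], fields[3:]
        if target[0] == "any":
            return action
        addr = int(ipaddress.ip_address(target[0]))
        mask = int(ipaddress.ip_address(target[1]))
        # A 1 bit in the wildcard means "don't care"; compare the other bits.
        if (src & ~mask) == (addr & ~mask):
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed example: the chapter's three internal networks.
    internal = ["203.2.4.0/24", "199.10.4.0/27", "215.6.45.0/24"]
    inbound, outbound = ingress_acl(internal, 15), egress_acl(internal, 16)
    print("\n".join(inbound + outbound))
    for ip in ("203.2.4.7", "10.1.2.3", "8.8.8.8"):
        print(f"inbound from {ip}: {acl_action(inbound, ip)}")
    for ip in ("203.2.4.7", "199.10.4.40", "8.8.8.8"):
        print(f"outbound from {ip}: {acl_action(outbound, ip)}")
```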

Tip

Chapter 11 is entirely about logging, but remember that you should use the log keyword at the end of each deny statement in your ACLs. For example, access-list 16 deny any becomes access-list 16 deny any log. The log keyword causes the ACL to log all violations, giving you a list of all instances when either a misconfiguration or an attacker attempted to send invalid packets through your router. See Chapter 11 for more details.

Unicast Reverse Path Forwarding

Unicast Reverse Path Forwarding (uRPF) is a feature designed by Cisco to make administering antispoofing on routers easier. This feature takes advantage of Cisco Express Forwarding (CEF) to make sure packets entering an interface pass a sanity check. uRPF checks the source address of each incoming packet and, based on routing information, determines whether the packet should have come in on that interface. If not, the packet is discarded.

The beauty of uRPF is that it adjusts to routing and topology changes automatically. You simply enable it on an interface, and it is automatic. This means no more manual configuration and maintenance of ACLs.

uRPF does have a downside. It can have problems with asymmetrical routing. Depending on the configuration, asymmetrical routing presents the possibility of the CEF table not having enough information and discarding packets incorrectly. Because of this possibility, it is recommended that you do not enable uRPF on internal routers, but only on the edge of your network on interfaces connecting to an external network. Additionally, uRPF doesn’t allow you the logging capability permitted by ACLs. uRPF logs only the number of violations, while ACLs allow you to log details about the spoofed packet.

To enable uRPF, you must first globally enable CEF with the ip cef command and then uRPF on each needed interface with the ip verify unicast reverse-path command:

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip cef
Router(config)#interface Serial 0/1
Router(config-if)#ip verify unicast reverse-path
Router(config-if)#^Z

Warning

uRPF requires that CEF be enabled. If you disable CEF while uRPF is turned on, things will stop working.
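To make the uRPF check and its asymmetric-routing caveat concrete, here is an added example (not code from the book or from Cisco) that models strict uRPF over a small constructed CEF table: the best route back to the packet's source must leave through the interface the packet arrived on. The interface names, prefixes and sample packets are constructed; the allow_default flag models the IOS allow-default keyword, since by default IOS does not count the default route as a valid reverse path.

```python
import ipaddress

# Constructed CEF table for an edge router: prefix -> interface the router
# would use to reach that prefix. Serial0/1 faces the upstream provider.
FIB = {
    "0.0.0.0/0": "Serial0/1",            # default route toward the Internet
    "130.18.0.0/16": "FastEthernet0/0",  # our own network
    "203.2.4.0/24": "Serial0/0",         # a second internal site
}


def best_route(fib, ip):
    """Longest-prefix match, as CEF performs it. Returns (network, interface)
    or None when no entry covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(fib, src_ip, in_iface, allow_default=False):
    """Strict uRPF (ip verify unicast reverse-path): forward the packet only
    if the best route back to its *source* address leaves through the very
    interface the packet arrived on. IOS ignores the default route for this
    check unless the allow-default keyword is configured."""
    route = best_route(fib, src_ip)
    if route is None:
        return "drop"
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return "drop"
    return "forward" if iface == in_iface else "drop"


def check_packets(fib, packets, allow_default=False):
    """Run a batch of (source address, ingress interface) pairs through
    the check and return (source, interface, verdict) triples."""
    return [(src, iface, urpf_strict(fib, src, iface, allow_default))
            for src, iface in packets]


if __name__ == "__main__":
    # Constructed packets: a spoofed internal source from the Internet, a
    # real Internet source, and an internal source arriving on the "wrong"
    # interface because of asymmetric routing (a legitimate packet dropped).
    packets = [
        ("130.18.5.5", "Serial0/1"),
        ("8.8.8.8", "Serial0/1"),
        ("203.2.4.9", "Serial0/0"),
        ("203.2.4.9", "FastEthernet0/0"),
    ]
    for src, iface, verdict in check_packets(FIB, packets, allow_default=True):
        print(f"{src:>12} in {iface:<16} -> {verdict}")
```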

If you cannot use uRPF on your router, then you must use ACLs to eliminate spoofing. Since ACLs have a greater impact on performance than does uRPF, the following techniques may help increase performance:

  1. Create smaller ACLs. Large ACLs have a much greater impact on router performance than do small ones, so make your ACLs as small as possible.

  2. Apply ACLs inbound. On Cisco routers, inbound filters are more efficient than outbound filters, so modify your ACL so you can apply it inbound.

  3. Use the established keyword by putting a line similar to access-list 150 permit tcp any any established at the top of your ACL; TCP packets with the ACK bit set will be let through immediately. In return for increased performance, this may open you up to spoofed DoS attacks, but it still prevents spoofing of all TCP connection attempts.

  4. Cisco’s NetFlow can also be used to increase performance. On many routers, numbered and named ACLs have been modified to work with NetFlow.

  5. Some newer combinations of router software and hardware support Turbo ACLs. ACLs longer than three entries benefit from significant speed enhancements when they are compiled as a Turbo ACL.

Routing Protocol Security

The antispoofing filters discussed previously help prevent numerous attacks on your network and also keep attackers from using spoofed packets to manipulate your network’s routing. Additional measures are required to finish securing your network’s routing.

Static Routing

The most secure routing configuration is static routing. With static routing, an administrator manually configures each router with all appropriate routes. Static routing gives an administrator much control over how packets are passed through a network, and since routers are configured manually, there are no routing protocols for an attacker to manipulate. However, static routing has one significant drawback—it scales horribly. When moving beyond two or three routers, manually configuring static routes on each router becomes a nightmare. Furthermore, adding a new router, or even a new network to an existing router, requires you to go back and change the configuration of every single router manually. So, despite their security advantages, static routes lose their practicality when a network has frequent route changes or grows larger than three routers.

Authentication

The largest improvement to securing your routing protocol is to use authentication. Certain routing protocols such as RIP v2, OSPF, EIGRP, and BGP support authentication. When configuring authentication, you configure a routing password on each router in your network, and routing information will only be exchanged between routers that know the password. Since standard routing protocols don’t use authentication by default, they are vulnerable to an attacker manipulating them. With authentication, any routing information an attacker tries to inject into your routers will be ignored (unless the attacker has the authentication password, so make sure you keep it secure).

Next, you will find examples for configuring authentication for the interior routing protocols RIP v2, OSPF, EIGRP, and the exterior routing protocol BGP.

RIP v2

One of the problems with RIP Version 1 was its lack of support for authentication. RIP Version 2 was designed to overcome this problem. The RIP v2 protocol standard supports plain-text authentication. Cisco’s implementation of RIP v2 authentication is proprietary and uses the more secure MD5 authentication to keep keys from being sent across the network in the clear.

To use RIP v2 authentication:

  1. Enable RIP v2 authentication on each interface using the ip rip authentication key-chain command.

  2. On each interface using RIP v2, configure it to use MD5 authentication instead of plain-text with the ip rip authentication mode md5 command.

  3. Configure your authentication keys on each router:

    1. Define a key chain with the key chain command in global configuration mode.

    2. Identify the number of your key in this chain with the key command.

    3. Use the key-string command to define the authentication key.

In the following example, RIP v2 authentication is configured on RouterOne using the key UnguessableKey. If RouterOne has three interfaces that are using RIP v2—Fast Ethernet 0/0, Serial 0/0, and Serial 0/1—authentication must be enabled on each interface.

This example uses key chain number 10:

RouterOne#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterOne(config)#interface FastEthernet0/0
RouterOne(config-if)#ip rip authentication key-chain 10
RouterOne(config-if)#ip rip authentication mode md5
RouterOne(config-if)#exit
RouterOne(config)#interface Serial 0/0
RouterOne(config-if)#ip rip authentication key-chain 10
RouterOne(config-if)#ip rip authentication mode md5
RouterOne(config-if)#exit
RouterOne(config)#interface Serial 0/1
RouterOne(config-if)#ip rip authentication key-chain 10
RouterOne(config-if)#ip rip authentication mode md5
RouterOne(config-if)#exit
RouterOne(config)#^Z

Next, the key chain 10 is defined. Inside key chain 10, key number 1 is created with the key-string UnguessableKey:

RouterOne#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterOne(config)#key chain 10
RouterOne(config-keychain)#key 1
RouterOne(config-keychain-ke)#key-string UnguessableKey
RouterOne(config-keychain-ke)#^Z

Next, perform the same configuration on all of your routers. The most common misconfigurations when using authentication are:

  • Not configuring RIP v2 authentication on every interface

  • Not using the same key string on each router

Check these two items first if you are having trouble with RIP v2 authentication.

EIGRP

Configuring Cisco’s routing protocol EIGRP to use authentication follows similar steps as configuring RIP v2 authentication:

  1. Enable EIGRP authentication on each interface with the ip authentication mode eigrp command.

  2. Define the key chain to use under each interface with the ip authentication key-chain eigrp command.

  3. Create the key chain specified in the previous step:

    1. Define a key chain with the key chain command.

    2. Identify the number of this authentication key with the key command.

    3. Configure the actual authentication key with the key-string command.

Assuming your autonomous system number is 10, you would enable EIGRP authentication on the interfaces FastEthernet 0/0, Serial 0/0, and Serial 0/1 with:

RouterOne#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterOne(config)#interface FastEthernet0/0
RouterOne(config-if)#ip authentication mode eigrp 10  md5
RouterOne(config-if)#ip authentication key-chain eigrp 10 Chain1
RouterOne(config-if)#exit
RouterOne(config)#interface Serial 0/0
RouterOne(config-if)#ip authentication mode eigrp 10  md5
RouterOne(config-if)#ip authentication key-chain eigrp 10 Chain1
RouterOne(config-if)#exit
RouterOne(config)#interface Serial 0/1
RouterOne(config-if)#ip authentication mode eigrp 10  md5
RouterOne(config-if)#ip authentication key-chain eigrp 10 Chain1
RouterOne(config-if)#exit
RouterOne(config)#^Z

After your interfaces are configured to use EIGRP authentication, you then define the key chain and the authentication key. The previous commands specify Chain1 as the key chain to use for authentication, so the key chain command needs to be used to create Chain1. In the following example, the authentication key 1 is defined as UnguessableKey:

RouterOne#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterOne(config)#key chain Chain1
RouterOne(config-keychain)#key 1
RouterOne(config-keychain-ke)#key-string UnguessableKey
RouterOne(config-keychain-ke)#^Z

Perform this same configuration on all other routers and interfaces that require EIGRP authentication to complete the setup.

OSPF

Configuring OSPF authentication is a little simpler than with RIP v2. Like RIP, OSPF can use both plain-text and MD5 authentication. These examples only cover using secure MD5 authentication. If you are using OSPF as your interior routing protocol, to configure authentication:

  1. Use the ip ospf message-digest-key command on each interface to define a key. This includes defining both the key number and the actual authentication key itself.

  2. Use the area ? authentication message-digest command to configure OSPF to use authentication.

Using the same interfaces as in the RIP v2 example, configure OSPF authentication on interfaces FastEthernet 0/0, Serial 0/0, and Serial 0/1:

RouterOne#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterOne(config)#interface FastEthernet0/0
RouterOne(config-if)#ip ospf message-digest-key 1  md5 UnguessableKey
RouterOne(config-if)#exit
RouterOne(config)#interface Serial 0/0
RouterOne(config-if)#ip ospf message-digest-key 1  md5 UnguessableKey
RouterOne(config-if)#exit
RouterOne(config)#interface Serial 0/1
RouterOne(config-if)#ip ospf message-digest-key 1  md5 UnguessableKey
RouterOne(config-if)#exit
RouterOne(config)#^Z

Next, configure authentication under the OSPF areas where you want to use authentication. This example assumes that your OSPF process number is 10 and that you are setting up area 0 to use authentication:

RouterOne#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterOne(config)#router ospf 10
RouterOne(config-router)#area 0  authentication message-digest
RouterOne(config-router)#^Z

Repeat these steps on your other routers and their interfaces using OSPF authentication to complete the setup.

Warning

It is important to note that if authentication is enabled on one OSPF link, then it must be enabled on all other links within that area, or OSPF adjacency can be lost.
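The RIP v2, EIGRP and OSPF MD5 authentication configured above all rest on the same idea: the key-string is appended to the routing update before hashing and only the digest travels on the wire, so a neighbor with a different key-string (the second common misconfiguration listed earlier) cannot produce or verify a matching digest. The following added example (not the book's code and not the real wire format of any of these protocols) uses a simplified constructed header of key id plus sequence number to show the check, including rejection of a wrong key-string, an altered payload and a replayed update.

```python
import hashlib
import hmac
import struct

KEY_LEN = 16  # RIP v2 and OSPF MD5 authentication use a 16-byte, zero-padded key


def pad_key(key):
    """Pad the configured key-string to the 16 bytes the digest covers."""
    raw = key.encode()
    if len(raw) > KEY_LEN:
        raise ValueError("key-string longer than 16 bytes")
    return raw.ljust(KEY_LEN, b"\x00")


def sign_update(payload, key_id, seq, key):
    """Build an authenticated update: header(key id, sequence) + payload +
    digest, where digest = MD5(header + payload + padded key). Only the key
    id and the digest travel on the wire; the key-string itself never does.
    The 5-byte header layout is a constructed simplification."""
    header = struct.pack("!BI", key_id, seq)
    digest = hashlib.md5(header + payload + pad_key(key)).digest()
    return header + payload + digest


def verify_update(msg, key_id, key, last_seq):
    """Check an update the way a receiving router would. Returns
    (accepted, new_last_seq, reason); a wrong key-string or altered payload
    fails the digest, and a non-increasing sequence number is a replay."""
    if len(msg) < 5 + 16:
        return False, last_seq, "truncated"
    header, payload, digest = msg[:5], msg[5:-16], msg[-16:]
    kid, seq = struct.unpack("!BI", header)
    if kid != key_id:
        return False, last_seq, "unknown key id"
    expected = hashlib.md5(header + payload + pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False, last_seq, "bad digest"
    if seq <= last_seq:
        return False, last_seq, "replay"
    return True, seq, "ok"


if __name__ == "__main__":
    # Constructed routing update: one advertised prefix and its metric.
    update = b"130.18.0.0/16 metric 2"
    msg = sign_update(update, key_id=1, seq=1001, key="UnguessableKey")
    ok, last, why = verify_update(msg, 1, "UnguessableKey", 1000)
    print("matching key-string:", why)
    print("mismatched key-string:", verify_update(msg, 1, "OtherKey", 1000)[2])
    forged = msg[:5] + b"130.18.0.0/16 metric 1" + msg[-16:]
    print("altered payload:", verify_update(forged, 1, "UnguessableKey", 1000)[2])
    print("same update again:", verify_update(msg, 1, "UnguessableKey", last)[2])
```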

BGP

BGP authentication is one of the simplest to configure. BGP doesn’t support plain-text authentication, only MD5, so there is no need to explicitly specify MD5 authentication. Enable BGP authentication by adding the password keyword to the neighbor command. For example, if your router’s BGP autonomous system number is 109 and 130.18.6.7 is configured as a BGP neighbor, you can enable authentication between RouterOne and 130.18.6.7 with:

RouterOne#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterOne(config)#router bgp 109
RouterOne(config-router)#neighbor 130.18.6.7  password MyBGPpassword
RouterOne(config-router)#^Z

Next, use the same commands to configure 130.18.6.7 to authenticate with RouterOne. The only difference is that you use RouterOne's IP address instead of 130.18.6.7. Assuming RouterOne has the IP 19.6.7.8, this would look like:

RouterTwo#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterTwo(config)#router bgp 109
RouterTwo(config-router)#neighbor 19.6.7.8  password MyBGPpassword
RouterTwo(config-router)#^Z

Repeat this configuration with each neighbor you want to use BGP authentication.

Passive Interfaces

Sometimes you want to control the routing information that is sent out or accepted into an interface. This can be done with passive interfaces and route filtering. Using passive interfaces is the easiest way to keep an interface from participating in exchanging routing protocols, but passive interfaces are an all-or-nothing approach. Route filtering can be used when you need an interface to send and receive only specific routing information.

Passive interfaces

When an interface is configured as a passive interface, it stops sending out routing updates. Passive interfaces with most routing protocols—OSPF and EIGRP being the notable exceptions—will still receive routing updates. Passive interfaces are often used on network segments that require the security of static routes or when routing updates should not be sent out for both bandwidth and security reasons.

To configure an interface as a passive interface, from global configuration mode, enter your routing protocol mode with commands such as router rip or router ospf 109. Next, use the passive-interface command followed by the interface you want to stop sending out updates. For example, using RIP, if you wanted to make interface FastEthernet 0/2 a passive interface:

RouterOne#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterOne(config)#router rip
RouterOne(config-router)#passive-interface FastEthernet0/2
RouterOne(config-router)#^Z

The passive-interface command would be repeated for every interface you wanted to configure as passive.

OSPF and EIGRP passive interfaces

Unlike passive interfaces in most other protocols, passive interfaces in EIGRP and OSPF not only stop sending routing updates, but also stop receiving them. To have an interface under these protocols stop sending, but still receive routing updates, you must enable EIGRP or OSPF on the interface and then use an outbound routing filter to prevent the sending out of routing updates.

Route Filtering

Route filtering gives you more control over what routing information is sent or received on an interface. Use the distribute-list <ACL> out command to control outbound routing information and distribute-list <ACL> in to control inbound information. These filters are configured under the router’s routing protocol configuration mode and can be configured to apply globally to the entire router or to an individual interface.

Global filtering

To configure route filtering globally:

  1. Create an ACL that defines what network information is allowed in/out.

  2. Configure a distribute-list in the appropriate direction under the router’s routing protocol configuration.

For example, if RouterOne uses EIGRP (AS number 110) and you do not want it to send out routing information about network 130.18.0.0/16, configure an outbound filter with the distribute-list <ACL> out command:

RouterOne#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterOne(config)#access-list 14  deny 130.18.0.0 0.0.255.255
RouterOne(config)#access-list 14  permit any
RouterOne(config)#router eigrp 110
RouterOne(config-router)#distribute-list 14  out
RouterOne(config-router)#^Z

Using the same example, but configuring RouterOne to ignore any routing information it receives about network 130.18.0.0/16, use the distribute-list <ACL> in command:

RouterOne#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterOne(config)#access-list 14  deny 130.18.0.0 0.0.255.255
RouterOne(config)#access-list 14  permit any
RouterOne(config)#router eigrp 110
RouterOne(config-router)#distribute-list 14  in
RouterOne(config-router)#^Z

Per-interface filtering

To apply filtering to a specific interface, add the name of the interface after the distribute-list command. For example, to keep only interface Serial 0/0 from sending out routing information about network 130.18.0.0/16, refer to this example:

RouterOne#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterOne(config)#access-list 14  deny 130.18.0.0 0.0.255.255
RouterOne(config)#access-list 14  permit any
RouterOne(config)#router eigrp 110
RouterOne(config-router)#distribute-list 14  out Serial 0/0
RouterOne(config-router)#^Z

Notice that the only line that has changed from our previous example was the line distribute-list 14 out Serial 0/0, in which Serial 0/0 was appended to indicate that this filter applies only to routing updates sent out of Serial 0/0.

In addition to distribute lists, BGP allows you to filter routes by neighbor and use prefix lists that have advantages over ACLs. See Cisco’s documentation on BGP for more details on how to use these methods of route filtering.

Filtering at network borders

Route filtering is generally used between external and internal networks. Route filtering at the borders of your network helps minimize the chance that incorrect routing information will be injected into your network without requiring the administrative hassle of creating and maintaining filters on every interface on your network. For example, if network 14.6.0.0/16 is controlled by one of your customers, and you receive routing information for this network from routers controlled by that customer, good security dictates that you configure your border routers to accept only routing updates about the 14.6.0.0/16 network from the customer. This prevents misconfigurations or attackers on the customer’s network from sending false routing information to your routers.

Routing Protocol and Antispoofing Checklist

This checklist summarizes the important security information presented in this chapter. A complete security checklist is provided in Appendix A.

  • Take antispoofing measures at each router bordering an external network:

    • Enable ip verify unicast reverse-path on all interfaces that connect with external networks and are not involved in asymmetrical routing.

    • If uRPF cannot be used (or additional logging is required), apply antispoofing ingress and egress ACLs to all interfaces that connect to an external network.

    • If your network is very small and you need additional security, consider using static routes.

  • When using a routing protocol, choose one that supports authentication and enable authentication on all routers on the network:

    • Choose the authentication password well and make sure controls are in place to keep the authentication passwords secret.

    • Use secure hash protocols such as MD5, not plain-text protocols, for authentication.

  • Use route filters at the border between your network and the networks controlled by others to prevent false routing information from being injected into your network.
