Paper #4
Hardening CISCO Devices based on Cryptography and Security Protocols - Part One: Background Theory
Faisal Waheed and Maaruf Ali
Abstract: Network Security is a vital part of any corporate and enterprise network. Network attacks not only greatly compromise the sensitive data of consumers but also cause outages to these networks. Thus, inadequately protected networks need to be “hardened”. The hardening of network devices refers to the hardware and software components, device operating system’s features, management controls, access-list restrictions, operational configurations and, above all, making sure that the data and credentials are not stored or transferred in ‘plaintext’ over the network. This article investigates the use of cryptography and network protocols based on encryption to meet the need for essential security requirements. The use of non-secure protocols and the underrating and misconfiguration of management protection are reasons why network devices are not properly hardened, leaving vulnerabilities for intruders. The gap identified after conducting an intensive search and review of past work is used as the foundation to present solutions. When cryptographic techniques are applied by encrypting packets using tunnelling and security protocols, management-level credentials are encrypted. These include password encryption and exceptional analysis of the emulated IOS (Internetwork Operating System). Necessary testing is carried out to evaluate an acceptable level of protection of these devices. In a virtual testing environment, security flaws are found mainly in the emulated IOS. The discoveries do not depend on the hardware or chassis of a networking device. Since routers primarily rely on their Operating System (OS), attackers focus on manipulating the command line configuration before initiating an attack. Substantial work is devoted to implementation and testing of a router based on Cryptography and Security Protocols in the border router. This is deployed at the core layer and acts as the first point of entry of any trusted and untrusted traffic.
A step-by-step hardening approach is adopted to secure the proposed network framework’s border router. Encrypted services coupled with best practice configurations are implemented and tested in an emulated environment. The use of protocol analysers, CISCO Configuration Professional’s Audit and penetration testing tools corroborated the success of the project.
Keywords: AAA; ACL; APT; ASA; CEF; Control Plane; Cryptography; DDoS; DES; DMVPN; DMZ; DoS; Data Plane; EIGRP; GRE; Hardening CISCO Devices; HSRP; ICMP; IDS; IKE; IOS; IPS; IPSec; Management Plane; NAT; NHRP; OSPF; OSI; PSM; RADIUS; RIP; RIPv2; RSA; Security Protocols; SNMP; SNMPv3; SSH; SSHv2; SSL; TACACS; TCP/IP; VPN; VLAN.