Hardening CISCO Devices Based on Cryptography and Security Protocols - Part II: Implementation and Evaluation

This second part covers the implementation, testing, critical evaluation, conclusion and further study. It concentrates on the actual implementation details of hardening of network devices by referring to the hardware and software components, device operating system’s features, management controls, access-list restrictions, operational configurations and critically making sure that the data and credentials are not stored or transferred in ‘plaintext’ over the network by detailed testing and evaluation. It investigates the commands used to enable cryptography and network protocols based on encryption, in order to meet the need for essential security requirements. Substantial work is devoted to the command line details and testing of a router based on Cryptography and Security Protocols in the border router. A step-by-step hardening approach is detailed using the commands used to secure the proposed network framework’s border router. Encrypted services coupled with best practice configurations are explained and tested in an emulated environment. The use of protocol analysers, CISCO Configuration Professional’s Audit and penetration testing tools corroborated the success of the project.


Overview
The hardening of routers and switches requires the configuration of the management plane. This hardening process is carried out based on CISCO's NFP (Network Foundation Protection), i.e. upon the Management, Control and Data Planes. The main emphasis is on configuring the management and control planes, as this is where the cryptographic keys and protective tools are applied, followed by configuration of the security protocols such as DMVPN (Dynamic Multipoint Virtual Private Network) and IPsec. Physical security is also applied at this level. The implementation phase of the project starts with restricting the remote login credentials and setting up access or privilege levels. These are explained as the implementation process is initiated. The passwords are encrypted using the IOS available features such as the 'secret' or 'password-encryption' services. The configurations become more detailed step by step.

Configuration Management Passwords
Line Console is the first part of a configuration where users are allowed or restricted access to the privilege mode. Privilege mode is part of the management plane where administrators can access the configurations of the network devices such as that of a router. This must be secured with an encrypted password, which is performed later.

Line Console - (Console management port)
CISCO routers have ports enabled by default. Encrypted passwords must be set to block unauthorised access to these. The given configuration contains the initial password-setting commands for the first telnet session into the router:

Password Encryption - enable mode
The password has to be encrypted using the 'password-encryption' service:

VTY Lines (Securing Telnet)
VTY lines are the virtual terminal (telnet) lines in CISCO terms; the initial configuration restricts remote users to Secure Shell (SSH) only:

Securing - Shutting down the Auxiliary Port
The given configuration blocks all access to the auxiliary port:

Enable and Encrypt the SSH Session (RSA)
The following commands enable and encrypt the SSH session:

Encrypted Crypto Key certificate
The following commands set up asymmetric public-key cryptography, as shown in Fig. 1, below. The encrypted crypto key certificate information is shown in Fig. 2:

Enabling Secure HTTP/HTTPS service
The given configuration enables the Hyper Text Transfer Protocol (HTTP) server, implemented for local telnet access, and directs it to use the local encrypted password services set previously:
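The management-access steps above (console password, enable secret, password encryption, SSH-only VTY lines, disabled auxiliary port, RSA key generation and HTTPS) collected into one configuration, as an added example that is not the paper's own configuration. The hostname, domain name, usernames and secrets are assumed; the RSA modulus is a choice, not a value from the paper.

```cisco
! Added example (not the paper's configuration): management-plane access hardening.
! Hostname, domain name, usernames and secrets are assumed values.
hostname BorderRouter
! The domain name is required before an RSA key pair can be generated
ip domain-name example.local
! Enable secret is stored hashed; preferred over the reversible 'enable password'
enable secret StrongEnableSecret1!
! Obfuscate any remaining line or username passwords in the running-config
service password-encryption
! Local administrator account used by 'login local' on the lines below
username admin privilege 15 secret StrongAdminSecret1!
! Console port: local login and an idle timeout of five minutes
line console 0
 login local
 exec-timeout 5 0
 logging synchronous
! Auxiliary port: no EXEC shell and no inbound transport
line aux 0
 no exec
 transport input none
 exec-timeout 0 1
! VTY lines: SSH only, local authentication, idle timeout
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
! 2048-bit RSA key pair for SSH, SSH version 2 only, short retry budget
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Web management: HTTPS only, authenticated against the local user database
no ip http server
ip http secure-server
ip http authentication local
```

After applying this, `show ip ssh` should report version 2.0, and `show running-config | include password` should no longer display any clear-text line password.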

Disabling vulnerable IOS services
The following commands disable vulnerable IOS services:

Setting up Privilege Levels
The privilege level plays an important role in securing the management plane. Different privilege levels are assigned to different administrators, from the highest level '15' to the least privileged level '1':

Encrypted Passwords
The following output verifies the encrypted passwords set above.

Restricting Unauthorised Login Attempts
The services are set to a failure rate of five attempts, after which the user is locked out. This is to prevent a dictionary attack. This is shown in Fig. 3, below:
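Privilege levels and the login lockout described in the two sections above, as an added example that is not the paper's configuration. Usernames, secrets, the commands moved to level 4 and the management host address are assumed; the lockout threshold of five attempts follows the paper.

```cisco
! Added example (not the paper's configuration): privilege levels and login lockout.
! Usernames, secrets and the management host 10.10.10.1 are assumed.
! Junior administrator limited to level 4; full access stays at level 15
username junior privilege 4 secret JuniorSecret1!
username senior privilege 15 secret SeniorSecret1!
! Move selected show commands down to level 4 so the junior account may run them
privilege exec level 4 show running-config
privilege exec level 4 show ip interface brief
privilege exec level 4 show logging
! Block new logins for 120 seconds after 5 failures within 60 seconds
login block-for 120 attempts 5 within 60
! During the quiet period, still accept connections from the management host
access-list 5 permit host 10.10.10.1
login quiet-mode access-class 5
! Record every failed and successful attempt in the log
login on-failure log
login on-success log
! Enforce a one-second gap between successive login attempts
login delay 1
```

`show login` displays the current lockout state and the quiet-mode ACL; `show privilege` after logging in as the junior account should return level 4.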

AAA Authentication
The Authentication, Authorisation and Accounting (AAA) protocol plays an important role in storing credentials for multiple routers. The protocol stores the user privileges on one of the servers, TACACS+ or RADIUS. AAA guarantees credential availability in times of a network outage.

Enabling AAA
The following commands enable AAA authentication:

Minimum Length password
The following commands enforce a minimum password length of eight characters and test it:

Configuring TACACS+ and RADIUS Server
Terminal Access Controller Access Control System (TACACS) and Remote Authentication Dial-In User Service (RADIUS) are the two main types of AAA protocol used to store the login credentials of administrators and network management users in a central database, such as an AAA server. We cannot rely on a single set of login (SSH) credentials stored locally on the router, as this can seriously compromise the security and availability of the information stored in the permanent RAM, also known as NVRAM. The AAA server is mainly deployed in a production (enterprise) environment where hundreds of routers are deployed, each sharing the same encrypted user credentials. This further secures the routers, as all the information is stored on a server. Administrators are directed to these servers for authentication and authorisation whenever they wish to log in to a router. The server checks the provided username and password and allows access based on the privilege level and authorised services.

TACACS+ implementation with Method-list
The method list provides a flexible approach to programming the AAA protocol to grant access levels to administrators and users.

Authentication
The given configuration sets the local authentication level for login. The authentication method list is given the name 'FREE-BIRD'. This simple configuration allows all types of login attempt (telnet, SSH and Aux port access) for management purposes:

Authorisation
AAA authorisation levels are created from the highest privilege level down to the lowest level of '1'.

Accounting
Accounting deals with the logs of attempts and sessions that are forwarded to the AAA servers. This concludes the AAA server configuration.
Appropriate method lists have been applied to restrict the access of junior administrators to level 4. Privilege level 15, however, has been given full access to the management settings. This can sometimes create a security loophole, as in many cases IT managers decide to allocate the highest level of access but restrict the administrators from viewing or running certain commands. The IOS security feature for this is known as 'parser view'. Next, we completely lock down the management plane, followed by implementation of the Simple Network Management Protocol (SNMP).
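The AAA configuration described across the Enabling AAA, Minimum Length Password, TACACS+/RADIUS and method-list sections, as an added example that is not the paper's own configuration. The method-list name FREE-BIRD follows the paper; server addresses, shared keys, group names and the local fallback account are assumed. The legacy `tacacs-server host` / `radius-server host` forms are used because they exist on the IOS 12.4 image the paper emulates.

```cisco
! Added example (not the paper's configuration): AAA with TACACS+ and RADIUS servers,
! method lists and accounting. Server addresses, keys and names are assumed.
aaa new-model
! Reject any new password shorter than eight characters
security passwords min-length 8
! TACACS+ server for device administration, RADIUS as an alternative (addresses assumed)
tacacs-server host 10.10.10.2 key SharedTacacsKeyExample
radius-server host 10.10.10.3 auth-port 1812 acct-port 1813 key SharedRadiusKeyExample
aaa group server tacacs+ ADMIN-TAC
 server 10.10.10.2
! Local fallback account so the router stays manageable if the servers are unreachable
username admin privilege 15 secret StrongAdminSecret1!
! Authentication: the server group first, the local database only if no server answers
aaa authentication login FREE-BIRD group ADMIN-TAC local
aaa authentication login default group ADMIN-TAC local
! Authorisation: EXEC shell and command levels 15 and 4 checked against TACACS+
aaa authorization exec default group ADMIN-TAC local
aaa authorization commands 15 default group ADMIN-TAC local
aaa authorization commands 4 default group ADMIN-TAC local
! Accounting: every EXEC session and every level-15 command is reported to the server
aaa accounting exec default start-stop group ADMIN-TAC
aaa accounting commands 15 default stop-only group ADMIN-TAC
! Apply the FREE-BIRD list to every management line
line console 0
 login authentication FREE-BIRD
line aux 0
 login authentication FREE-BIRD
line vty 0 4
 login authentication FREE-BIRD
 transport input ssh
```

The `local` keyword at the end of each method list is the part that keeps a usable login during a server outage; with `debug aaa authentication` enabled, a login attempt shows which method in the list actually answered.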

Parser view (custom view -privilege level 15)
The parser view feature is used to restrict administrators to a level where they can only view (show commands) authorised information. This feature not only provides security within the administration team but also limits unauthorised viewing of the network's command-line configuration. The set of commands to implement this is given below:
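A parser view that limits a junior administrator to show commands, as an added example that is not the paper's configuration. The view name, username and secrets are assumed; `aaa new-model` and an enable secret must already be present, and the view is created from the root view (`enable view` at the EXEC prompt).

```cisco
! Added example (not the paper's configuration): a restricted 'show-only' parser view.
! View name, username and secrets are assumed. Requires AAA and an enable secret.
aaa new-model
enable secret StrongEnableSecret1!
! Define the view; its secret is needed to enter it with 'enable view JUNIOR-VIEW'
parser view JUNIOR-VIEW
 secret JuniorViewSecret1!
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show ip route
 commands exec include show running-config
 commands exec include ping
! Bind the junior account to the view so the user lands in it at login
username junior view JUNIOR-VIEW secret JuniorSecret1!
```

Inside the view, `configure terminal` and any show command not listed are rejected as unrecognised; `show parser view` from the root view lists the views defined on the router.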

Disabling PAD, CDP, Source-route and TCP Keepalives
The CISCO Discovery Protocol (CDP) is a CISCO proprietary service that allows routers to fetch detailed information about a neighbouring device's platform. This includes the ports they are connected to and details of the IOS. Disabling CDP restricts unauthorised access to key information about the routers. The packet assembler/disassembler (PAD) service is also disabled for security, by the following commands:
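The services this section and the earlier 'Disabling vulnerable IOS services' section refer to (PAD, CDP, source routing, TCP keepalives, small servers, finger, BOOTP, gratuitous ARP and the per-interface ICMP helpers), as an added example that is not the paper's configuration. The interface name is assumed.

```cisco
! Added example (not the paper's configuration): disabling unnecessary IOS services.
! The interface name FastEthernet0/0 is assumed.
no service pad
no cdp run
no ip source-route
no ip gratuitous-arps
! Tear down dead or abandoned TCP sessions to and from the router
service tcp-keepalives-in
service tcp-keepalives-out
! TCP/UDP small servers (echo, chargen, discard, daytime), finger, BOOTP, ident
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip finger
no ip bootp server
no ip identd
! No clear-text web management, no configuration fetched from the network at boot
no ip http server
no service config
no boot network
! Per-interface hardening: no directed broadcasts, proxy ARP, ICMP helpers or CDP
interface FastEthernet0/0
 no ip directed-broadcast
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no ip mask-reply
 no cdp enable
```

`show cdp` should report that CDP is not enabled, and `show ip sockets` (or `show control-plane host open-ports` on newer images) should no longer list the small-server ports.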

Telnet - VTY line - Access Control Lists
Although Secure Shell (SSH) remote sessions provide much better security, telnet is still widely used by network administrators for remote management. Telnet sessions can be restricted to authorised users only. This is achieved by configuring a standard Access Control List to permit the required hosts and then applying the ACL to the VTY (telnet) lines using the 'access-class' command.
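A standard ACL applied to the VTY lines with `access-class`, as an added example that is not the paper's configuration. The permitted management host and subnet are assumed; the `log` keyword on the final deny records the source of every rejected connection attempt.

```cisco
! Added example (not the paper's configuration): VTY access restricted by a standard ACL.
! The management host and subnet are assumed values.
access-list 10 remark Hosts allowed to open VTY (SSH/telnet) sessions
access-list 10 permit host 10.10.10.1
access-list 10 permit 192.168.0.0 0.0.0.255
! Everything else is refused and logged, so probes show up in 'show logging'
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 5 0
```

Because `access-class` is checked before the login prompt, a connection from a denied address is closed immediately and never reaches the authentication stage; `show access-lists 10` shows the match counters for both the permitted hosts and the logged denials.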

ACL Configuration

Application to Telnet Controls

CISCO NetFlow (SNMP Encrypted Server)
NetFlow is a CISCO proprietary protocol that is mainly designed to capture traffic of interest. The NetFlow-enabled server captures all the TCP and UDP packets. It works in conjunction with SNMP.
The above commands set ingress ('incoming traffic') and egress ('outgoing traffic') capture on port FastEthernet 1/1. The command allows error reporting of internal and external traffic to be forwarded to the server 10.10.10.1 (MS loopback adapter) on the local host.

SNMP V3 (Encrypted - two-key authentication)
SNMPv3 provides much better security for remote management as it offers multiple authentication keys (encrypted, private key). Older IOS versions supported AES (Advanced Encryption Standard), but since DES (Data Encryption Standard, 56-bit) provides more security, DES is implemented to stop eavesdropping. The configuration is shown in Fig. 4, below.

CCP Initial Audit checks
An interim audit report was issued next in order to check which services required further security. It clearly showed that the bulk of the services had been properly configured. A detailed analysis, however, was carried out in the testing part of the project.
Services such as CISCO Express Forwarding and Gratuitous ARP were successfully dealt with. TCP and UDP small services, along with the Finger service, had been completely disabled. This closes the door to port scanning and TCP/UDP probes in the form of TCP SYN flood attacks.

Securing the Data Plane
The data plane deals with the routing and forwarding of traffic. Security controls such as Access Control Lists (ACLs) are widely configured in routers, firewalls and IDS. An ACL is a must-have configuration that is applied to the interfaces (ports) in order to block any undesired or untrusted traffic in both external and internal environments. The focus remains on hardening the 'area border router' to block unauthorised traffic on the outbound and inbound interfaces. There are two main types of access-list control, i.e. standard and extended. Standard access-lists are usually configured to filter on the source address only. Standard ACLs are not capable of blocking particular services such as Telnet, ICMP or SSH; instead, they are capable of blocking a host or, in some cases, a whole network.
On the other hand, extended access-lists can do much more, as both source and destination can be blocked based on the service criteria that need to be 'permitted' or 'denied'. These are further capable of filtering particular packets such as ICMP, IP and TCP, and their respective services and port numbers can also be blocked or allowed.
There are several other services that can be blocked in order to further harden network devices, such as BPDU guard, Unicast RPF, Promiscuous Private VLAN (PVLAN), port security and STP/RSTP. Since we are mainly dealing with a layer 3 routing device that runs on an IOS image, certain services are not available within the layer 3 (C7200) router that we have deployed at the 'Network Door'.

Blocking ICMP (ping) packets
These are implemented by the following commands and those in Fig. 9, below.
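The standard/extended ACL distinction and the ICMP (ping) block from the data-plane sections above, as an added example that is not the paper's configuration. The inside LAN 192.168.0.0/24, the published web server 192.168.0.10, the blocked internal host and the interface names are assumed. The extended ACL keeps the ICMP messages that path-MTU discovery and traceroute depend on while dropping echo requests.

```cisco
! Added example (not the paper's configuration): standard and extended ACLs on the
! border router. Addresses, host names and interface names are assumed.
! Standard ACL: source address only - here, one misbehaving internal host
ip access-list standard BLOCK-HOST
 deny host 192.168.0.99 log
 permit any
interface FastEthernet1/1
 description Inside LAN
 ip access-group BLOCK-HOST in
! Extended ACL: protocol, destination and port can all be matched
ip access-list extended OUTSIDE-IN
 remark Spoofed packets claiming to come from the inside LAN
 deny ip 192.168.0.0 0.0.0.255 any log
 remark No SSH or Telnet to anything from untrusted sources
 deny tcp any any eq 22 log
 deny tcp any any eq telnet log
 remark Block ICMP echo (ping) but keep path-MTU and TTL-exceeded messages
 deny icmp any any echo log
 permit icmp any any packet-too-big
 permit icmp any any ttl-exceeded
 remark Only HTTP/HTTPS to the published web server
 permit tcp any host 192.168.0.10 eq www
 permit tcp any host 192.168.0.10 eq 443
 remark Replies to TCP sessions opened from inside
 permit tcp any 192.168.0.0 0.0.0.255 established
 deny ip any any log
interface FastEthernet0/1
 description Outside (untrusted)
 ip access-group OUTSIDE-IN in
```

The `established` entry only checks TCP flags, so it is a coarse return-path rule; the reflexive ACL and CBAC sections later in the paper show the stateful alternatives. `show ip access-lists` displays per-entry hit counters, which is the quickest way to confirm an entry is actually matching.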

Data Plane Security -IPsec and Cryptography
The tunnel is a logical connection between two devices, end to end (border routers). IPsec creates a tunnel that encrypts all the packets at one end, and the other end decrypts them. Whether it is GRE or DMVPN, encryption provides secure (encrypted) data transfer in a virtual private network.
IPsec has two phases: IKE phase 1 and IKE phase 2. The IKE phase 1 tunnel is used for updates of hello packets and the general exchange of tables. The IKE phase 2 tunnel is mainly used for data transfer. IKE phase 2 is also known as the primary IPsec tunnel. In our case the Site 1 router encrypts the data and the other end decrypts it; from this point the Site 2 router receives it in plaintext within its secured LAN environment.
IKE phase 1 negotiates hashing (MD5/SHA) and Diffie-Hellman (DH groups 1, 2, 5). Unlike AES (asymmetric encryption), which requires a private key at each end, DH dynamically creates a shared crypto-key secret that is capable of securing a session against man-in-the-middle attacks. We also need to specify the encryption type, DES, 3DES or AES, whilst configuring the router.

Topology Overview
The network topology of the simulation is given in Fig. 10, below.

IPsec Tunnel Phase 1 Configurations
IPsec phase 1 consists of setting up the encryption and hash types, authentication, group (Diffie-Hellman) and lifetime (age) of the tunnel.

Crypto Key Implementations
The following commands implement the crypto keys, as shown in Fig. 11.

Securing the Control Plane with GRE and DMVPN
Generic Routing Encapsulation (GRE) encapsulates the inside IP address within an outside IP address. It creates a tunnel of IP addresses within public-private addresses. IPsec provides encryption, whereas GRE provides an extra layer of encapsulation for the traffic. GRE is mainly deployed on top of IPsec (VPN); unlike IPsec, which is not capable of carrying multicasts, GRE is. The GRE tunnel provides additional security to the packets. Therefore, this was implemented in order to fully secure not only the routers but also the respective traffic they send or receive.

Implementation of Cryptographic Protocols - GRE
The given configuration first creates a tunnel, followed by the specified source and destination address. The tunnel (encapsulated) address has a private address (192.168.0.1) encapsulated in the private address (6.6.6.1), with a destination address of 6.6.6.2. The Site 1 router was configured next with these commands:
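The IKE phase 1 policy, the crypto key and transform set, and the GRE tunnel protected by IPsec, from the IPsec and GRE sections above, carried through as one configuration for the Site 1 router. This is an added example, not the paper's own configuration: the tunnel address 192.168.0.1 and the public addresses 6.6.6.1 and 6.6.6.2 follow the paper, while the pre-shared key, policy number, transform-set, profile and NHRP names are assumed. It goes one step beyond the paper's point-to-point GRE by using multipoint GRE with NHRP, so the same hub configuration also serves the DMVPN next-hop-server role described in the testing section; the point-to-point form differs only in using `tunnel mode gre ip` with `tunnel destination 6.6.6.2` instead of NHRP mappings.

```cisco
! Added example (not the paper's configuration): IKE phase 1, IPsec phase 2 and an
! mGRE/DMVPN hub tunnel on Site 1 (public 6.6.6.1, tunnel 192.168.0.1).
! The pre-shared key and all names are assumed values.
! --- IKE phase 1 (ISAKMP): encryption, hash, authentication, DH group, lifetime ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
! Wildcard peer address so spokes can be added without per-peer keys
crypto isakmp key PreSharedKeyExample1 address 0.0.0.0 0.0.0.0
! --- IKE phase 2 (IPsec): transform set in transport mode, wrapped in a profile ---
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set TS-AES-SHA
! --- Multipoint GRE tunnel acting as the NHRP next-hop server (hub) ---
interface Tunnel0
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NhrpKey1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 6.6.6.1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
! --- Site 2 spoke (public 6.6.6.2) for comparison; same crypto policy and profile ---
! interface Tunnel0
!  ip address 192.168.0.2 255.255.255.0
!  ip nhrp authentication NhrpKey1
!  ip nhrp network-id 1
!  ip nhrp nhs 192.168.0.1
!  ip nhrp map 192.168.0.1 6.6.6.1
!  ip nhrp map multicast 6.6.6.1
!  tunnel source 6.6.6.2
!  tunnel mode gre multipoint
!  tunnel key 1
!  tunnel protection ipsec profile DMVPN-PROF
```

`show crypto isakmp sa` should show the phase 1 SA as QM_IDLE and `show crypto ipsec sa` non-zero encrypt/decrypt counters once a ping crosses the tunnel; `show ip nhrp` on the hub lists the registered spokes. Transport mode is used because GRE already supplies the outer IP header.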

Overview
Next, in-depth testing of the encryption, keys, protocols and tunnelling methods used to harden the system was carried out. Analysis of the telnet session revealed the clear-text password. The test also confirmed that Telnet was disabled and that Secure Shell (SSH) crypto keys were generated using RSA. Verification of the SSH sessions by packet analysis also showed their status, with multiple encryption keys (SHA and AES). SSH version 2.0 was secured with multi-level encryption keys including Advanced Encryption Standard (AES), Secure Hash Algorithm and Hash Message Authentication Code (HMAC). Observation of the TCP streams also verified this. The Telnet ACL was also verified to limit access. This included the login authorisation and the allowed IP address (access). The denied IP address (access) was also tested. AAA access-level testing was carried out using the 'FREE-BIRD' method list with administrator rights, using AAA debug. Debug also verified that the 'FREE-BIRD' all-access login was authenticated by AAA.
The accounting side of the AAA protocol kept a log of all the login activities sent to the server, RADIUS or TACACS+. The parser views were verified using 'show privilege', which showed that 'views' were created from privilege level 15 (root, all access) down to privilege level 4, where restricted access is given to the administrator. The SNMPv3 stream content showed encrypted data at all ports, as expected. The ingress and egress traffic were also confirmed to be encrypted by SNMPv3 with the private key. Debug also confirmed that SNMP (UDP) packets were being received at the Border Router. The restricted views were also verified.

EIGRP Secured Authentication
CISCO's proprietary Enhanced Interior Gateway Routing Protocol (EIGRP) is configured to automate routing entries. EIGRP uses 'Hello' packets to authenticate the neighbour relationship. It is considered one of the secured cryptographic protocols as it offers an authentication mode of hash message authentication code (HMAC) with Secure Hash Algorithm (SHA-256), coupled with a 'Message Digest' (MD5) password type. EIGRP and Generic Routing Encapsulation (GRE) make a perfect match for 'inter' and intra-routing encryption.
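EIGRP neighbour authentication over the GRE tunnel, as an added example that is not the paper's configuration. The key-chain name, key string, autonomous-system number and inside network are assumed; the tunnel addressing follows the paper. This example uses the classic key-chain MD5 mode, which exists on the 12.4 image; the HMAC-SHA-256 mode the paper mentions is configured under the `af-interface` of a named-mode `router eigrp` process on later images.

```cisco
! Added example (not the paper's configuration): EIGRP MD5 authentication on Tunnel0.
! Key-chain name, key string, AS number 1 and the inside network are assumed.
key chain EIGRP-KEYS
 key 1
  key-string EigrpKeyExample1
  accept-lifetime 00:00:00 Jan 1 2018 infinite
  send-lifetime 00:00:00 Jan 1 2018 infinite
interface Tunnel0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEYS
 ! DMVPN hub: advertise spoke routes back out of the same tunnel with the real next hop
 no ip split-horizon eigrp 1
 no ip next-hop-self eigrp 1
router eigrp 1
 network 192.168.0.0 0.0.0.255
 network 10.1.1.0 0.0.0.255
 ! Only the tunnel forms neighbours; LAN interfaces are advertised but stay passive
 passive-interface default
 no passive-interface Tunnel0
```

A neighbour with a mismatched key string never reaches the Up state; `show ip eigrp neighbors` should list the peer, and `debug eigrp packets hello` reports authentication failures for hellos that fail the MD5 check.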

Routing Protocol Debug
NHRP packets were authenticated with the routing protocol over the GRE tunnel. The IPsec tunnel was also tested by encryption analysis using a packet analyser. The Encapsulating Security Payload also revealed the encrypted data payload. Router console encryption was verified by sending pings to the destination LAN at Site 2. The GRE functioning was also tested using the multicast address 224.0.0.10. A successful tunnel was found to have been created from source 6.6.6.2 to 6.6.6.1.

Testing NHRP and DMVPN - Next Hop Server
Here we verify the Next Hop Resolution Protocol configurations that point encapsulated traffic to the next hop server (NHS); successful pings confirm this. The 'Border Router' has been configured to act as a server in order to encapsulate all the dynamic multicast GRE traffic to the other sites. The NHRP registration over the GRE tunnel was also checked.

Hot Standby Routing Protocol (HSRP)
Hot Standby Routing Protocol is CISCO proprietary and usually implemented in homogeneous environments. HSRP is a legacy protocol developed after the industry standard's First Hop Redundancy Protocol (FHRP). HSRP is implemented where redundant devices are deployed to offer users maximum network availability. HSRP works by setting up the same virtual IP address, within the same subnet, on the gateway interfaces of the redundant routers. One router acts as the active router, through which most traffic is directed out to the outside world. In the case of a network outage, as soon as the active router goes down due to a faulty port or a problem with a link, the standby (backup) router takes over as the 'active router'. As a result, users do not notice any interruption.
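An HSRP pair on the inside LAN gateway, as an added example that is not the paper's configuration. Addresses, the group number, timers and the MD5 key string are assumed. The MD5 authentication line is the security-relevant part: without it, any device on the segment that sends a higher-priority hello can take over the virtual gateway address.

```cisco
! Added example (not the paper's configuration): HSRP with MD5-authenticated hellos.
! Addresses, group number, timers and key string are assumed.
! --- Primary (active) border router ---
interface FastEthernet1/1
 ip address 192.168.10.2 255.255.255.0
 standby version 2
 standby 1 ip 192.168.10.1
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 timers 1 3
 ! Hellos are authenticated, so an unauthenticated device cannot claim the active role
 standby 1 authentication md5 key-string HsrpKeyExample1
 ! Drop priority by 20 if the outside link fails, so the standby router takes over
 standby 1 track FastEthernet0/1 20
! --- Standby (backup) border router ---
! interface FastEthernet1/1
!  ip address 192.168.10.3 255.255.255.0
!  standby version 2
!  standby 1 ip 192.168.10.1
!  standby 1 priority 100
!  standby 1 preempt
!  standby 1 timers 1 3
!  standby 1 authentication md5 key-string HsrpKeyExample1
```

`show standby brief` on each router shows the active/standby roles and the virtual address; shutting the tracked outside interface on the primary should move the active role to the backup within the hold time.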

Hot Standby test
Implementation of Hot Standby Routing Protocol (HSRP) is verified and tested to ensure border link redundancy. The HSRP was active and the standby routers were found to have been

Reflexive Access-lists
Reflexive access-lists are one of the advanced ACL types, where the router can be hard-coded as a firewall and packets are inspected and denied or accepted entry based on the configuration. The main idea behind reflexive access-lists is that any traffic going out is remembered and logged by the system. It is like making a copy of a request going out: only that port number and source IP address will be allowed entry into the system, and the rest of the packets will be dropped.

Context-Based Access-Control
CBAC uses a firewall inspection rule to inspect the traffic on the way out so that the return traffic can bypass the ACL rule. Fig. 15, below, shows the basic configuration of CBAC.
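The reflexive access-list and CBAC alternatives from the two sections above, as an added example that is not the paper's configuration. The ACL and inspection names, the web server address and the interface name are assumed. The two mechanisms are alternatives for the same job, so only one of the two `!`-separated halves would normally be applied to an interface.

```cisco
! Added example (not the paper's configuration): reflexive ACL versus CBAC on the
! outside interface. Names, the web server address and the interface are assumed.
! --- Option 1: reflexive ACL. Outbound TCP/UDP sessions are remembered and only
!     their replies are admitted by 'evaluate' ---
ip access-list extended OUTBOUND
 permit tcp any any reflect RETURN-TRAFFIC timeout 300
 permit udp any any reflect RETURN-TRAFFIC timeout 60
 permit icmp any any
ip access-list extended INBOUND
 evaluate RETURN-TRAFFIC
 permit tcp any host 192.168.0.10 eq 443
 deny ip any any log
interface FastEthernet0/1
 description Outside (untrusted)
 ip access-group OUTBOUND out
 ip access-group INBOUND in
! --- Option 2: CBAC. Stateful inspection of outbound sessions punches temporary
!     holes in the inbound ACL, including for protocols that open secondary channels ---
! ip inspect name FW tcp
! ip inspect name FW udp
! ip inspect name FW ftp
! ip inspect name FW http
! interface FastEthernet0/1
!  ip inspect FW out
```

With the reflexive option, `show access-lists RETURN-TRAFFIC` shows the temporary entries created for each outbound session and their remaining timeout; with CBAC, `show ip inspect sessions` lists the tracked sessions. Reflexive ACLs only match on addresses and ports, so protocols such as active FTP that negotiate a second connection need CBAC's application-aware inspection.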

Pen Testing
Penetration testing provides real-time experience of 'ethical hacking' to evaluate vulnerabilities and exploits. Hackers require a blueprint of a network in order to gain access to network services. Gaining access to a remote session, either by Telnet (port 22) or SSH (port 23), is one of the first steps for hackers to gain entry to a network. Since the project aims to stop hackers at their first point of entry, the Telnet and SSH ports are closed to any unauthorised access. This is tested using the pen-testing tools, i.e. Nmap, CISCO Global Exploiter and CISCO Torch. Nmap was able to discover vulnerable open ports. SYN flood attacks were also verified to have been successfully dealt with by observation of the destruction of ports from port 443.

Cross Checking by CCP Security Audit
CISCO Configuration Professional (CCP) is an advanced and powerful graphical user interface that is capable of verifying the most complex command-line configurations. CCP is widely used by network engineers and professionals, and by pen testers for auditing purposes. CCP has a built-in security audit feature that is capable of testing an IOS-based device's security configuration based on the location of the device within a network. CCP, however, does not perform any cryptographic analysis, as encryption requirements vary according to organisational security requirements. Implementation and testing of the crypto keys and the respective routing protocols have been successfully analysed using protocol analysers. The routers are hardened from the management plane all the way to making sure that data is transferred securely over the network (data plane). The project concluded with the router passing the final CCP audit for a router located at the 'border area'. This is shown in Fig. 16, below.

Overview
This section provides the final analysis of the project in the form of evaluation as a result of advanced testing followed by conclusion and further work.

Critical Evaluation
The study was aimed at finding the current problem with networking devices, implementing a solution and later auditing the network in an emulated environment. Previous research and studies had been thoroughly analysed. The implementation of the router's functional planes was carried out in an emulated environment. IOS was emulated in a virtual environment (hypervisors) due to the limited availability of hardware resources. The CISCO framework was introduced within the topology based on best practices. CISCO's Adaptive Security Appliance (ASA) firewall was applied; however, the firewall did not contribute towards the part of the framework of interest, as the emphasis remained on hardening the 'Border Gateway Router' present at the core layer of the CISCO design framework.
The background study provided a comprehensive understanding of the encryption and hardening techniques used by previous researchers. The network framework was implemented in the virtual environment, and the emulated IOS hypervisors were given access to the real internet and local area network for enhanced real-time testing. Connecting the network environment to the external virtualised operating systems was the most challenging part.
Implementation of real-time encryption services from the management level to the data forwarding component (data plane) gave an insight into the importance of management service security. Hard-coded encryption techniques were applied, available within the CISCO IOS (C7200). The implementation phase revealed a number of vulnerabilities that were left running as default, which are summarised below:
• Line VTY (telnet) must be disabled, as credentials are stored in clear text.
• Encryption plays an important role in management services.
• Secure Shell (SSH) access must be set as the primary remote monitoring protocol.
• Special attention must be paid when applying access control lists, as a small mistake in configuration can cause a major outage.
• Password retries (max-tries) must be set to three to avoid dictionary attacks.
The research examined the real-time implementation of the identified IOS features. The real devices were replaced with emulated operating systems implemented using Dynamips and hypervisors. This greatly reduced the simulation's computing requirements. The techniques used in the study are among the most widely used in networks across the globe. Particular attention has been paid to the management plane when closing all the doors to hackers: open ports, unencrypted passwords, vulnerable management services, ports, remote monitoring and other misconfigurations that give rise to a number of vulnerabilities exploited by hackers, leaving loopholes for intruders to enter the system. Therefore, the management plane is fully secured prior to the application of the cryptographic keys and security protocols.
The resulting hardened network device provided a safe, efficient, flexible and, above all, cost-effective solution for network security by making use of best-practice network configurations compiled in a document. The reality is that hardening network devices is such a broad topic that the study had to be narrowed down to the application of encrypted protocols in order to conduct the study within the permitted time scale, budget and available resources.
CISCO devices outnumber other networking devices deployed across internetworks and the internet. Although CISCO IOS devices such as routers come with a standard 'out of the box' guide, in terms of security the devices require a step-by-step hardening approach in order to fully secure the network based on the requirements of an organisation.
The emulated CISCO IOS (C7200, ver. 12.4) is secured based on the location of the router in a corporate network, i.e. the 'Border Router'. The term 'border router' is used in the study to refer to a router located at the edge of a network that acts as the first point of entry for any 'trusted' or 'untrusted' traffic. Although the study aimed at securing one distinct IOS device at the border area, remote sites have also been secured by configuring multipoint encryption bundled with the tunnelling and encapsulation provided by the implementation of GRE. The resulting router in the framework provides encryption between different 'border router' sites.
To sum up, all the objectives were successfully achieved, tested and audited by CISCO Configuration Professional (CCP) and pen-testing tools such as Nmap, CISCO Global Exploiter (CGE) and CISCO Torch.

Further Study
The project titled 'Hardening CISCO IOS devices based on Cryptography and Security Protocols' provided a detailed analysis of the encryption services available within IOS that were implemented and tested. However, the study lacked any analysis of data performance, efficiency or potential jitter or interruption due to multiple encryption tunnelling or encapsulated packets. Network performance is one of the key business goals of any organisation. Cryptographic techniques do provide multilevel protection, but the research indicates that the encryption and decryption process does slow down the data streams.
Further study on the evaluation of network performance within cryptographic protocols will provide a detailed analysis of the impact on the actual traffic rate. It is also recommended that 'implementation of the cryptographic techniques with a step-by-step approach to measure network performance' be conducted on real hardware devices, as this will provide more accurate results.

References
These are given in Part I, available at http://aetic.theiaer.org/archive/v2n3/p4.html.
© 2018 by the author(s). Published by Annals of Emerging Technologies in Computing (AETiC), under the terms and conditions of the Creative Commons Attribution (CC BY) license, which can be accessed at http://creativecommons.org/licenses/by/4.0/

Figure 5. Multiple users showing SNMPv3 authentication as active.

Application of Extended Named Access-list Controls
Blocking internal traffic from any non-HTTP traffic (application in testing) is shown below:
Blocking the area router from SSH and Telnet (unauthorised source): this is shown below and confirmed in Fig. 8, below.

Figure 10. Topology showing an overview of the border area router hardening area.

Figure 12. Session status of IPsec on port 500 showing as UP-Active.

• IPsec Virtual Private Network (VPN) alone does not fulfil the network security requirements.
• Encrypted routing protocols play a vital role in topology updates.