In today's complex network environment, networking devices offer a robust set of configuration options to meet the requirements of different businesses. These options also include a rich set of perimeter security services that protect the network from hostile intentions, as well as security services that protect the networking device itself. To address the increasing complexity of attacks in a heightened security environment, Cisco has enhanced Cisco IOS® Security Services for both perimeter and device protection, thus ensuring the availability of the device.
Security configuration requires a detailed understanding of the security implications of each configured parameter. An error or omission in configuring these parameters could jeopardize network security by opening an easily exploited hole, compromising the availability, integrity, and privacy of network information. Many network administrators have limited knowledge of the security implications of every Cisco IOS Software feature.
Cisco AutoSecure provides vital security requirements to Enterprise and Service Provider networks by incorporating a straightforward "one touch" device lockdown process. It simplifies the security process by enabling the rapid implementation of security policies and procedures without requiring extensive knowledge of Cisco IOS Software features or the manual execution of the Command Line Interface (CLI). This feature offers a single CLI command that instantly configures the security posture of routers and disables non-essential system processes and services, thereby eliminating potential security threats.
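An added example of the "one touch" lockdown described above, not taken from Cisco documentation or this page: it runs AutoSecure non-interactively and then reviews the generated configuration before saving it, which is the check an operator wants because the lockdown disables services some networks still rely on. The prompt name `Router` is a placeholder.

```cisco
! Added example (not from the original page): run the AutoSecure lockdown
! without prompts, then review what it changed before committing it.
Router# auto secure no-interact
!
! Display the lockdown configuration AutoSecure generated (disabled
! services, logging, banner, control-plane policy) and read it through
! before trusting it.
Router# show auto secure config
!
! Spot-check a few of the global services AutoSecure turns off.
Router# show running-config | include ^no service|^no ip
!
! Only once the result is acceptable for this network:
Router# copy running-config startup-config
```

Because `auto secure` applies a broad, fixed policy, keep a copy of the pre-lockdown configuration so that any service it disabled by mistake can be restored.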
Even the most robust software implementations and hardware architectures are vulnerable to Denial of Service (DoS) attacks. DoS attacks are malicious acts designed to cause failures in a network infrastructure by flooding it with worthless traffic camouflaged as specific types of control packets directed at the control plane processor. Distributed DoS attacks multiply the amount of worthless IP traffic, sometimes to many gigabytes per second, by involving hundreds of sources. These IP streams contain packets that are destined for processing by the control plane of Cisco route processors. Because of the high rate of rogue packets presented to the route processor, the control plane is forced to spend an inordinate amount of time processing and discarding the DoS traffic.
To counter these and similar threats directed at the heart of the system, the processor, Control Plane Policing employs a programmable policing function on routers that rate limits (or polices) traffic destined for the control plane. In conjunction with Cisco IOS Quality of Service (QoS) classification mechanisms, this policing function can be configured to identify certain traffic types and either block them entirely or drop only the portion that exceeds a specified threshold.
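An added Control Plane Policing example, written for this page and not taken from Cisco documentation: it classifies traffic bound for the route processor with the Modular QoS CLI and polices each class. The management subnet 192.0.2.0/24, the class and policy names, and the rate values are constructed; pick rates from a baseline of the router's normal control-plane load.

```cisco
! Added example (not from the original page): rate-limit traffic destined
! for the route processor. 192.0.2.0/24 is a constructed management subnet.
ip access-list extended COPP-ICMP
 permit icmp any any
ip access-list extended COPP-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
!
class-map match-all COPP-ICMP-CLASS
 match access-group name COPP-ICMP
class-map match-all COPP-MGMT-CLASS
 match access-group name COPP-MGMT
!
! police <bps> <normal-burst-bytes> <max-burst-bytes> ...
! Conforming traffic is delivered; anything over the rate is dropped.
policy-map COPP-POLICY
 class COPP-ICMP-CLASS
  police 32000 1500 1500 conform-action transmit exceed-action drop
 class COPP-MGMT-CLASS
  police 512000 8000 8000 conform-action transmit exceed-action drop
 class class-default
  police 100000 8000 8000 conform-action transmit exceed-action drop
!
! Attach the policy to the control plane (inbound = toward the processor).
control-plane
 service-policy input COPP-POLICY
!
! Verification: the per-class "exceeded" counters should stay near zero in
! normal operation; a rapidly rising count is the signal that a flood is
! being absorbed by the policer rather than by the CPU.
Router# show policy-map control-plane input
```

Before deploying, add explicit classes for routing and management protocols the router actually uses (for example OSPF, BGP, NTP) ahead of `class-default`; otherwise their traffic competes with everything else in the default class and a tight default policer can drop legitimate adjacencies.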
One prerequisite for attacking a system is reconnaissance: gaining information about the network. Hackers conduct reconnaissance by listening to system messages, such as packet-delivery status messages, which reveal information (e.g., the IP addresses of devices).
Silent Mode is a new Cisco IOS Software feature designed to reduce the amount of information that a hacker can gather about a network. It stops the router from generating certain informational packets. For example, it suppresses the Internet Control Message Protocol (ICMP) Messages and Simple Network Management Protocol (SNMP) traps that are normally generated by the router. Like Control Plane Policing, Silent Mode leverages the familiar Modular QoS CLI (MQC) interface.
To control access to the networking device, Cisco IOS Software requires users to log in with a username and password; unfortunately, hackers can exploit this requirement with dictionary attacks, in which an attacker gains access to the device by programmatically trying all combinations of username and password.
Cisco IOS Software Login Enhancements add a time-based dimension to user login. Network administrators can use this feature to specify a waiting period between retries, mitigating dictionary attacks. User account lockout can now include a time window within which a user must succeed in order to log on to the device.
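An added example of the login enhancements, constructed for this page rather than copied from Cisco documentation: it enables a lockout ("quiet mode") after repeated failures, exempts the operator subnet so the lockout cannot be turned into a denial of service against administrators, and logs both outcomes so a guessing campaign is visible in syslog. The subnet 192.0.2.0/24 and all timer values are constructed.

```cisco
! Added example (not from the original page). ACL 10 lists the hosts that
! may still log in during quiet mode; 192.0.2.0/24 is a constructed value.
access-list 10 permit 192.0.2.0 0.0.0.255
!
! After 3 failed attempts within 60 seconds, refuse all further logins for
! 120 seconds except from hosts matched by ACL 10.
login block-for 120 attempts 3 within 60
login quiet-mode access-class 10
!
! Enforce a minimum delay (seconds) between successive login attempts,
! which slows an automated dictionary attack even outside quiet mode.
login delay 2
!
! Generate a syslog message for every failed and successful login so the
! pattern of an attack (and any eventual success) is recorded.
login on-failure log
login on-success log
!
! Verification: current mode, timers and the recent failure table.
Router# show login
Router# show login failures
```

The exemption ACL is the important caveat: without it, an attacker who knows the lockout parameters can keep the device in quiet mode indefinitely and lock out the operators as well.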
CPU and memory are critical resources whose exhaustion directly affects the availability of the networking device. SNMP MIBs currently allow a monitoring application to query the availability of a given resource. Due to the dynamic nature of these resources, scheduled polling of these variables often delays the action necessary to maintain network availability.
Memory Thresholding Notification enables users to manage the amount of memory consumed by various resource groups. Users can specify the maximum amount of memory in bytes, or as a percentage of total processor resources. They receive notification when a resource group approaches its specified memory threshold.
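An added example for the memory threshold notification, not taken from Cisco documentation or this page. It assumes the feature corresponds to the IOS `memory free low-watermark` and `memory reserve critical` commands, whose thresholds are given in kilobytes; the values used are constructed and should be derived from the router's actual free-memory figures.

```cisco
! Added example (not from the original page). Assumes the page's feature maps
! to the "memory free low-watermark" commands; threshold values are
! constructed examples in kilobytes.
!
! First look at current free processor and I/O memory so the thresholds are
! set below normal operating levels but above the point of exhaustion.
Router# show memory statistics
!
! Emit a notification as soon as free memory drops below the watermark,
! instead of waiting for the next scheduled SNMP poll to notice.
Router(config)# memory free low-watermark processor 20000
Router(config)# memory free low-watermark io 5000
!
! Hold back a small reserve so that the router can still log the warning and
! accept an operator login when memory is almost gone.
Router(config)# memory reserve critical 1000
```

Pair the watermark with a syslog destination (or an SNMP trap receiver, if the release supports it for this feature) that is actually watched; the notification only shortens reaction time if someone or something acts on it.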
Cisco currently uses MD5 hashes to verify the integrity of Cisco IOS Software images. While the MD5 hash for each image is available on Cisco.com, users must go through a series of manual steps to verify an image.
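An added example of the manual verification step the paragraph refers to, constructed for this page: the router computes the MD5 of the image in flash and compares it with the value published on Cisco.com. The image file name and the expected hash are placeholders.

```cisco
! Added example (not from the original page). Replace the placeholders with
! the exact image file name and the MD5 value published for it on Cisco.com.
Router# verify /md5 flash:<image-file>.bin <expected-md5-from-cisco.com>
! With the second argument present the command reports whether the computed
! hash matches the supplied one; without it, it only prints the computed
! hash for manual comparison.
!
! Have the router verify an image automatically whenever it is copied or
! loaded, removing the manual step from routine upgrades.
Router(config)# file verify auto
```

Treat a mismatch as a stop condition: either the download was corrupted or the image is not the one Cisco published, and in neither case should it be booted.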
To perform a detailed security analysis of network traffic, many network administrators must attach tools such as protocol analyzers or mitigation servers. However, connecting these tools to the router currently requires inline insertion, which is operationally difficult.
The RAW IP Traffic Export (RITE) feature is a lightweight Cisco IOS Software feature that exports IP packets as they arrive at or leave the networking device. A designated LAN interface carries the captured IP packets out of the device. The objective is to export raw IP packets in their unaltered form to a designated device (e.g., a packet analyzer or intrusion detection system (IDS)). Its key capabilities are:
- Filtering capability (using an ACL) to export only the traffic of interest
- Sampling option to reduce the export volume
- The user specifies an Ethernet port for export and identifies the destination host by MAC/802.1q/ISL address rather than by IP address
- Syslog messages are generated when the feature is activated or deactivated
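An added example that ties the four capabilities above together, constructed for this page rather than copied from Cisco documentation: it exports a sampled, ACL-filtered copy of the packets on one interface to an IDS sensor attached to another. The interface names, the sensor's MAC address, the ACL and the sampling rate are constructed values.

```cisco
! Added example (not from the original page): copy selected packets seen on
! FastEthernet0/0 to a sensor on FastEthernet0/1. All names and the MAC
! address are constructed.
access-list 100 permit tcp any any eq 80
!
ip traffic-export profile RITE-TO-IDS
 ! LAN interface that carries the copied packets to the sensor
 interface FastEthernet0/1
 ! The destination is named by MAC address, not IP address, so the sensor
 ! can sit passively on the segment without its own routed address.
 mac-address 0011.2233.4455
 ! Export packets in both directions on the monitored interface.
 bidirectional
 ! Only export traffic matching ACL 100 ...
 incoming access-list 100
 ! ... and only one packet in every 20 to limit the export volume.
 incoming sample one-in-every 20
!
! Apply the profile to the interface whose traffic is to be analysed.
interface FastEthernet0/0
 ip traffic-export apply RITE-TO-IDS
!
! Verification: profiles, the interfaces they are applied to, and counters
! of exported packets. Activation also produces a syslog message.
Router# show ip traffic-export
```

Sampling keeps the export manageable on a busy link, but it also means an IDS will see only a fraction of any single flow; for protocols whose detection depends on seeing every packet, export unsampled on a narrower ACL instead.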
On most Cisco routers, a packet with IP Options is filtered and switched in software, because it requires control plane software processing. This is primarily due to the need to process the options and rewrite the IP header. This poses potential security threats, as malformed packets containing IP Options can adversely affect the performance of the device.
ACL IP Options Selective Drop allows Cisco routers to filter packets that contain IP options, or to mitigate the effects of IP options on a router by dropping those packets or by forwarding them without processing the IP options.
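An added example of the two approaches, constructed for this page: a global setting that either drops IP-options packets or forwards them with the options ignored, and an ACL that drops them selectively at one interface using the `option` match keyword. The interface name and ACL name are constructed.

```cisco
! Added example (not from the original page). Choose ONE of the two global
! behaviours; they are alternatives, not a pair.
!
! Drop every packet that carries any IP option before it reaches the
! software switching path.
Router(config)# ip options drop
!
! Or forward such packets normally but skip processing of the options, which
! removes the header-rewrite work that puts them on the slow path.
Router(config)# ip options ignore
!
! Selective alternative: drop options packets only where they enter the
! network, with an ACL that matches on the presence of any IP option.
ip access-list extended EDGE-IN
 deny   ip any any option any-options
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group EDGE-IN in
!
! The deny entry's hit counter shows how many options packets are arriving.
Router# show ip access-lists EDGE-IN
```

Before enabling the global drop, confirm that nothing in the network depends on IP options; RSVP, for example, uses the Router Alert option and stops working once such packets are discarded, which is the usual reason to prefer `ignore` or an edge ACL over a blanket drop.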
Table 1 Key Cisco IOS Security Infrastructure Enhancements