Setting up a VRF Firewall

randy.klassen
Level 1

Hi all,

I am currently in the process of setting up multiple ACS 5.2 servers in an enterprise environment; while doing the TACACS+ portion of it I ran into a bit of a snag. TACACS+ works perfectly on all network devices, with privilege levels and everything.

Now... my problem is this... After setting up TACACS+ on all switches and routers, I noticed something in the ACS logs. It seems that since I have put this in place, there has been a hacker from somewhere in the Asia-Pacific region trying to use TACACS+ to log into my router. He tried 12,000+ times the first night and has not let up since. He will never get through due to the security I have in place using ACS 5.2, but I would like to put something in place to stop him and/or any future hackers.

I heard setting up a VRF in the router is the best option. Does anyone have any feedback on this, or a site they can direct me to with some config guides or examples?

Or is there something else I can/should do to lock down the external TACACS+ attempts?

Thanks to anyone who responds,

Randy

Accepted Solution

First of all, either way you should move the service to another port.

After that, if you decide to honeypot him you can do a nice move that, if he is a bot, will trick him into thinking it worked.

You set up a router and give it the IP address he is trying to access.

Then set up a firewall outside that just does a port forward from its outside to the inside router on the service port.

And the outside router will forward its port to the firewall. Lock down the firewall (if possible use the network outside the router).

The attacker will see that the keys have changed unless you actually import them to that machine.

They should be exchanged anyway.

Then do a dummy setup in the machine.

And let him in.

Just lock down the firewall tight and log everything you can in the router to see what they want to do.

The dummy router will be totally dead in the water, but it will look as if it was the real one if you mimic the networks of the real one.

Regarding defending yourself against further attacks:

I think the best you can do is allow all IPs/networks you want to the service and lock out everything else.

This is normally quite easy to do, but if there are many networks then it can start eating resources.

I would recommend that you do that if it is practical.

HTH

Good luck

13 Replies

Jon Marshall
Hall of Fame

Randy

I'm confused. How is the hacker getting access to your router anyway? Surely you have a firewall that denies TACACS+ from outside?

Jon

Collin Clark
VIP Alumni

Deny SSH on the outside of the device or, to save resources, route his address space to null0.

hobbe
Level 7

Hi

There is a lot missing in your description, such as protocol, type of router and so on.

But the main thing is quite clear:

Someone is trying to log in to your router from the outside and you do not want that!

Ok.

Do YOU need access to your router from the outside?

If you do not need access to your router from the Internet, then block it with an access-list or shut down access to it altogether.

If you need access from the Internet:

What happens if you move the ssh/telnet/web/snmp/whatever service port to another port?

Is that a possibility?

Do you need access from his part of the world?

If not, then why not lock that down with an access-list?

Depending on equipment you might be able to make a lockout for y amount of time after x amount of failed logins.

Fool him.

Do a port forward on the port of the router to another router that serves as a honeypot, let him think that he got in, check out what he does and then report him to his ISP?

Do a port forward to his own address.

Tarpit him.

Blackhole his address.

Send him a message that he is being logged every time he attacks. (Can be done with e.g. 10,000 pings but with a different payload than normal.)

I would recommend blackholing or access-lists; if you play around too much with him he can start feeling it's a game and escalate his moves.

If you feel that the answer has helped you, feel free to rate the postings you feel helped.

HTH

Hi Hobbe,

I will need access from the outside, not for myself but for software/hardware contractors that will need to manage their "piece" of the network. But this will come much later.

Moving ports might be a possibility, but the problem is this is a global enterprise environment with sites all over the world; different IT departments from other countries need access as well. This is why I set up TACACS+ in the first place. I would like to do something on my end here and not involve the rest.

He has been bouncing around IPs lately, using proxies I believe, so I don't think an access list would be doable.

I am using ACS 5.2 for TACACS+, using AD user data to authenticate. When he does find an account in AD and tries a few passwords, it will lock the account. Here is the problem with that... he has hit some of our admin accounts and even locked one out. He is definitely doing it systematically, trying multiples of one name like... Randy, Randy1, Randy12, Randy123, etc. So with him trying every name he/his bot can think of, it is bound to cause me some major headaches.

Now these ideas are good! I never thought of trapping him, just stopping him. He can "play" around as much as he likes as long as he can't get in, but I think the honeypot idea will work nicely: I let him in there and he sees nothing worth his time and moves on. If that does not work I will try something else.

Thanks for all your help and your lengthy reply, it helps me out a heap.

Randy

Jon,

That is why I am trying to set up a virtual firewall inside the router itself.

Randy

Collin,

I would, but he uses different IPs now.

Randy


Hobbe,

I will take your advice and create an ACL to deny all other networks but our own. This seems the easiest and most secure option. I would love to honeypot him and do many other things, but I have too much work to do on the regular and this would just add to my plate of things to do.

Can he still perform a denial-of-service attack after the ACL is in place? He is small scale right now, but you never know what he has planned or is capable of.

Thanks,

Randy

Hobbe,

Can you help me define a very simple working ACL that will allow our network traffic and deny all others? I am not really a switch guy and it has been a long time since I worked with ACLs.

I just want to permit our networks (let's say they're 10.10.0.0 and 172.0.0.0)

and deny all others.

Thanks,

Randy

Thanks for the rating.

Yes, I will help you, but I need to know what IOS the router is running. Or is it an ASA/PIX?

A DoS attack is one of the hardest attacks to defend against.

Basically, you can't.

As a general rule you can always fill up someone's link; it's all a matter of using up more bandwidth than they have.

But he does not seem to be interested in that sort of thing, at least not for the moment.

Sure, there are many things you can do to protect yourself, but in the end it is possible to do a successful DoS on anyone.

So just let me know what type of router and IOS you have and I'll help you with the access-list.

Good luck

Hobbe,

Here is what I have so far...

permit tcp 11.0.0.0 0.255.255.255 any eq 22
permit tcp 11.0.0.0 0.255.255.255 any eq 23
permit tcp 172.19.0.0 0.15.255.255 any eq 22
permit tcp 172.19.0.0 0.15.255.255 any eq 23
deny ip any any

Then I will apply this to the line vty, and SSH and telnet should be locked down, I hope.

Does this look correct to you?

Randy

Different routers have different ways of doing things; that's why I asked for the model and version.

But looking at what you have, I would put the access-list on the incoming interface.

There I would set something like this (IP address of the router's interface = 192.168.1.254):

permit tcp 11.0.0.0 0.255.255.255 host 192.168.1.254 eq 22
permit tcp 11.0.0.0 0.255.255.255 host 192.168.1.254 eq 23
permit tcp 172.19.0.0 0.0.255.255 host 192.168.1.254 eq 22
permit tcp 172.19.0.0 0.0.255.255 host 192.168.1.254 eq 23
deny tcp any host 192.168.1.254 eq 22
deny tcp any host 192.168.1.254 eq 23
.....the rest of the access-list of this interface
permit ip any any

(if you want all other traffic to pass through, which you most likely want, at least some)

-----------------

If you are to add this to a vty, then you only have to do:

access-list 1 permit 11.0.0.0 0.255.255.255
access-list 1 permit 172.19.0.0 0.0.255.255
line vty 0 4
 access-class 1 in

Good luck

HTH
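The vty lockdown from the post above, combined with the "lockout for y amount of time after x failed logins" that hobbe suggested earlier in the thread, as an added example that is not part of the original thread or anyone's posted config. It assumes Cisco IOS (the thread never names the platform), keeps the two placeholder networks 11.0.0.0/8 and 172.19.0.0/16 used in the posts, and uses a hypothetical ACL name MGMT-HOSTS. Two points a practitioner would want: a wildcard of 0.15.255.255 on 172.19.0.0, as in the earlier draft, actually matches the whole 172.16.0.0/12 range, because the wildcard bits are ignored and the base address is masked down to 172.16.0.0; and an access-class on the vty lines is checked for every management connection no matter which interface it arrives on, whereas the interface ACL above only protects the one address it names.

```text
! Added example (Cisco IOS), not from the thread. The ACL name MGMT-HOSTS is
! hypothetical; the networks are the placeholders used in the thread.
ip access-list standard MGMT-HOSTS
 permit 11.0.0.0 0.255.255.255
 permit 172.19.0.0 0.0.255.255
 deny   any log
!
! Throttle password guessing: after 5 failed logins within 60 s, refuse new
! logins for 300 s, but keep accepting them from MGMT-HOSTS during that quiet
! period so the admins are never locked out by the attacker's traffic.
login block-for 300 attempts 5 within 60
login quiet-mode access-class MGMT-HOSTS
login on-failure log
login on-success log
!
! SSH only: telnet would carry the TACACS+-authenticated password in clear text.
ip ssh version 2
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
```

With the access-class in place the attacker's TCP connection is refused before any username reaches ACS, so the AD account lockouts Randy describes stop as well; the login block-for is a second layer for the day a permitted network is compromised. Check `show line` for the number of vty lines on the box and apply the same access-class to all of them (for example `line vty 5 15` on platforms that have them), otherwise the extra lines stay reachable.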

Hobbe,

This worked perfectly! There is no sign of him for the first time since setting this ACS up and checking the logs. Now I just have to work on a way for us (admins) to SSH in if needed. But that will be much further down the road.

Thanks for helping me get this up and running.

Do you have any knowledge of using Cisco wireless phones to authenticate with ACS 5.2? I got it working just fine, but I wish to improve it to cut down on active sessions within ACS. If you have any knowledge of this, I would love to discuss it with you.

Thanks again,

Randy
