Brute Force Attack

Brute force (exhaustive key search) is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force to try all possible combinations) rather than employing intellectual strategies. Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system that would make the task easier.

In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization’s network security. Because of the nature of such an attack it could be very time consuming to try all possible combinations. There are several hardware ASICs that are purpose built to decrease the time for successful offline brute force attack of an encrypted password.

Mitigation

Strong Password Enforce

In the event of a dictionary or brute force attack, the use of strong passwords makes such an attacks less likely to succeed, since the passwords will not be simple dictionary words. If an AAA server is employed for login authentication, the AAA server typically offers a feature to enforce the use of strong passwords, according to the security policy. If an AAA server is not available to enforce a strong password policy, local device features to minimize vulnerability to dictionary attacks should be employed, as available.

Minimum Password Length

Cisco IOS offers the ability to enforce a minimum password length for user passwords, enable passwords, enable secrets, and line passwords. Once this command is enabled, any password that is less than the specified number of characters will fail.

Login Delay

In the event of a dictionary or brute force attack, introducing a delay between login attempts slows down the attack, increasing the time required for the attack to succeed and the timeframe available for the anomaly to be identified and addressed.

In Cisco IOS, the introduction of a delay between successive login attempts can be achieved using the global configuration login delay command. The default is a 1 second delay.

Password Strength Checking

Cisco NX-OS has the built-in capability to optionally enforce strong password checking when a password is set or entered. This feature is enabled by default and will prevent the selection of a trivial or weak password by requiring the password to match the following criteria:

• Is at least eight characters long

• Does not contain many consecutive characters (abcde, lmnopq, etc.)

• Does not contain dictionary words (English dictionary)

• Does not contain many repeating characters (aaabbb, tttttyyyy, etc.)

• Does not contain common proper names (John, Mary, Joe, Cisco, etc.)

• Contains both uppercase and lowercase letters

• Contains numbers

 

  • Strong Encryption

In order to prevent brute force attack of transported data you should use strong encryption.

Virtual private networks (VPNs) allow secure access to corporate resources by establishing an encrypted tunnel across the Internet. The ubiquity of the Internet, combined with the VPN technologies of today, allows organizations to cost-effectively and securely extend the reach of their networks to anyone, anyplace, anytime.

IPSec

IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF) that provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices (“peers”) such as Cisco routers.

IPsec is designed to provide interoperable, high-quality, and cryptographically based security. IPsec is defined in (RFC 2401). The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays, confidentiality (encryption), and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for IP and upper-layer protocols (ULPs). Because these services are provided at the IP layer, they can be used by any higher-layer protocol (for example TCP, User Datagram Protocol [UDP], and Border Gateway Protocol [BGP]).

IPsec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm (or algorithms) to use for the service (or services), and put in place any cryptographic keys required to provide the requested services. IPsec can be used to protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

IPSec provides the following network security services.

• Data Confidentiality—The IPSec sender can encrypt packets before transmitting them across a network.

• Data Integrity—The IPSec receiver can authenticate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.

• Data Origin Authentication—The IPSec receiver can authenticate the source of the IPSec packets sent. This service is dependent upon the data integrity service.

• Anti-Replay—The IPSec receiver can detect and reject replayed packets.

IPSec prevents routed traffic from being examined or tampered with while it travels across a network. This feature causes IP packets to be encrypted at a VPN gateway, routed across a network as encrypted information, and decrypted at the destination VPN gateway. In between the two VPN gateways, the packets are in encrypted form and therefore the packets’ contents cannot be read or altered. You define what traffic should be encrypted between the two VPN gateways, according to what data is more sensitive or critical.

If you want to protect traffic for protocols other than IP, you can encapsulate those other protocols into IP packets using GRE encapsulation, and then encrypt the IP packets.

MACsec

802.1AE is the IEEE MAC Security standard (also known as MACsec) which defines connectionless data confidentiality and integrity for media access independent protocols.

MACsec allows unauthorized LAN connections to be identified and excluded from communication within the network. In common with IPsec and SSL, MACsec defines a security infrastructure to provide data confidentiality, data integrity and data origin authentication.

MACsec is the IEEE 802.1AE standard for authenticating and encrypting packets between two MACsec-capable devices. Cisco switches like Catalyst 4500 series support 802.1AE encryption with MACsec Key Agreement (MKA) on downlink ports for encryption between the switch and host devices. The switches also supports MACsec link layer switch-to-switch security by using Cisco TrustSec Network Device Admission Control (NDAC) and the Security Association Protocol (SAP) key exchange. Link layer security can include both packet authentication between switches and MACsec encryption between switches (encryption is optional).

MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1X Extensible Authentication Protocol (EAP) framework. Only host facing links (links between network access devices and endpoint devices such as a PC or IP phone) can be secured using MACsec.

A switch using MACsec accepts either MACsec or non-MACsec frames, depending on the policy associated with the client. MACsec frames are encrypted and protected with an integrity check value (ICV). When the switch receives frames from the client, it decrypts them and calculates the correct ICV by using session keys provided by MKA. The switch compares that ICV to the ICV within the frame. If they are not identical, the frame is dropped. The switch also encrypts and adds an ICV to any frames sent over the secured port (the access point used to provide the secure MAC service to a client) using the current session key.

The EAP framework implements MKA as a newly defined EAP-over-LAN (EAPOL) packet. EAP authentication produces a master session key (MSK) shared by both partners in the data exchange. Entering the EAP session ID generates a secure connectivity association key name (CKN). Because the switch is the authenticator, it is also the key server, generating a random 128-bit secure association key (SAK), which it sends it to the client partner. The client is never a key server and can only interact with a single MKA entity, the key server. After key derivation and generation, the switch sends periodic transports to the partner at a default interval of 2 seconds.

WebVPN (SSL VPN)

The SSL VPN feature (also known as WebVPN) provides support, in Cisco IOS software, for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through a Secure Socket Layer- (SSL-) enabled SSL VPN gateway. The SSL VPN gateway allows remote users to establish a secure Virtual Private Network (VPN) tunnel using a web browser. This feature provides a comprehensive solution that allows easy access to a broad range of web resources and web-enabled applications using native HTTP over SSL (HTTPS) browser support.

WebVPN lets users establish a secure, remote-access VPN tunnel to a security appliance using a web browser. Users do not need a software or hardware client. WebVPN provides secure and easy access to a broad range of web resources and web-enabled applications from almost any computer on the Internet. WebVPN uses Secure Sockets Layer Protocol and its successor, Transport Layer Security to provide the secure connection between remote users and specific, supported internal resources that you configure at a central site. The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users.

Encrypted Management

An administrator is able to establish an encrypted and secure remote access management connection to a device by using the SSH or HTTPS (Secure Hypertext Transfer Protocol) features. Cisco IOS software supports SSH version 1.0 (SSHv1), SSH version 2.0 (SSHv2), and HTTPS that uses Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for authentication and data encryption. Note that SSHv1 and SSHv2 are not compatible.