©2004 VITALISEC INC.

Vitalisec Inc.
Securing & Auditing
Cisco Routers

May 20, 2004

Travis Schack
Travis@Vitalisec.com

Vital Information Security


Travis Schack
• Founder and Senior Security Consultant
• Certifications
– CISSP (Certified Information System Security Professional)
– OPST trainer (OSSTMM Professional Security Tester)
– OPSA trainer (OSSTMM Professional Security Analyst)
– NSA IAM (INFOSEC Assessment Methodology)
– 10 years IT and Information Security

• Industry Experience
– IBM, Galileo Int’l, Rhythms Netconnections, Circadence, Janus Funds
– Adjunct faculty for Denver University’s Master’s program in
Information Security
– Extensive Penetration and Vulnerability Testing experience

• Objectives
– Role of the router in network security
– Router threats and Security drivers
– “Best Practice” router hardening
• Authentication & Authorization
• Access list filtering
• Services
• Logging
• Access controls
– Valuable commands
– Auditing tools and how to use them
– Helpful web resources
• Assumptions
– You already know the OSI Model
– Familiarity with Cisco IOS
– Many aspects are not covered
• Cannot teach router configuration

Role of the Router

• Primary function
– Forwarding of packets between network segments
• Routing Decisions
• Applies filters
• Network Traffic Cop

• Router Components
– Processor
– Memory
– Storage
– Interfaces
– Runs on IOS

Security Device?

• Security Variables
– Placement of Router
• Core Router (Backbone)
– Route packets as fast as possible
• Distribution Router (Interior)
– Boundary definition
• Access Router (Border)
– Allow access into Network
– Perimeter/Border
– Networks Involved
– Money
• Firewall
• IDS

Router Threats and Security Drivers

Cisco's IOS Source Leaked


May 17, 2004
By Enterprise IT Planet Staff

Word that source code for Cisco IOS was circulating on the Internet lit up message boards this weekend. Today, Cisco confirmed that indeed an estimated 800MB of code for IOS 12.3 and 12.3t was indeed taken after hackers pilfered it from the company's network.

The theft was first reported on a Russian Web site dedicated to computer security, SecurityLab.ru.

IOS is the software that drives the company's routers. The release of this source is significant in that Cisco is the dominant networking gear provider; its very name is synonymous with the Internet backbone. Although few are painting gloom-and-doom scenarios this early, the news is nonetheless worrisome for administrators lording over Cisco-based networks and users of the Internet.

Cisco is currently investigating the matter but as of yet no customer data seems to have been exposed during the breach. Cisco spokesman Jim Brady told tech journal internetnews.com, "Based on preliminary data, we don't believe any confidential customer information or financial systems were affected."

The exact nature of the breach, be it a vulnerability or an "inside job" still remains unresolved, but the likelihood of either appears unlikely, according to the company.

Cisco is the latest high-profile company to suffer a source-code leak. In recent months, Microsoft saw parts of its Windows 2000 source released. Valve, makers of the popular Half-Life PC game, had the source for its anticipated sequel leached from its systems late last year.

Cisco IOS Vulnerabilities
[Chart: Number of Vulnerabilities per Year, 1999 to 2004, by source (BID, ICAT, CVE)]

Cisco IOS Vulnerabilities
[Chart: Number of Vulnerabilities by Source (BID, ICAT, CVE, OSVDB)]

Security Drivers
• Regulations
– Sarbanes-Oxley (Section 404)
– CA 1386
– GLBA
– FISMA
– HIPAA
• Brand/Image
• Liability/Legal
• Rising Costs of Security Incidents
• Proactive Security Culture

Router Security
“Best Practice Hardening”

• http://nsa2.www.conxion.com/cisco/download.htm

Router Version
• Identification of security patches
– http://www.cisco.com/warp/public/707/advisory.html
• Latest Cisco IOS
– http://www.cisco.com/en/US/products/sw/iosswrel/products_ios_cisco_ios_software_category_home.html
• Router Command
– show version
• Display Configuration
– show configuration

Two Login Modes
• First login
– User EXEC mode
• From User EXEC mode, type “enable”
– Privileged EXEC mode

Login Banner
• Command
– banner motd delimiter Banner delimiter
– Don’t give out specific information about the router

User Accounts
• Use local accounts, AAA, or ACS
– Radius
– TACACS+
• Command
– username <username> privilege <0-15> password <strong password>

aaa new-model
aaa authentication login remoteauth radius tacacs+ enable
tacacs-server host 172.16.1.11
tacacs-server key testTKey
radius-server host 172.16.1.12
radius-server key TestRKey
line vty 0 4
login authentication remoteauth

Privileges
• 16 privileges (0-15)
• Predefined
– 1 User EXEC mode
– 15 Privilege EXEC mode
• Commands
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show ip

Passwords
• Two password schemes
– Type 5 (stronger)
• MD5 hash
• Command
– enable secret
– no enable password
– Type 7 (weak!)
• Masks the displayed password
• Command
– service password-encryption

DEMO

Access
• VTY/Aux/Console
– VTY is used for remote connection
• Access list
• Session timeout
– Aux is used for modems
• Disable
• no exec
– Console
• line console 0
– Password <password>

Central(config)# ip telnet source-interf
Central(config)# access-list 99 permit 1
Central(config)# access-list 99 permit 1
Central(config)# access-list 99 deny any
Central(config)# line vty 0 4
Central(config-line)# access-class 99 in
Central(config-line)# exec-timeout 5 0
Central(config-line)# transport input te
Central(config-line)# login local
Central(config-line)# exec
Central(config-line)# end
Central#

SSH
• IOS Versions: 12.1(1)T/12.0(10)S (image with 3DES), scp as of 12.2T
• Uses SSH version 1
– key recovery, CRC32, traffic analysis (SSHow), timing analysis and attacks
– You can’t force 3DES only nor use keys
– Fixed in 12.0(20)S, 12.1(8a)E, 12.2(3), ...
hostname <hostname>
ip domain-name <domainname>
crypto key generate rsa
ip ssh timeout 60
ip ssh authentication-retries 3
ip scp server enable

Access Control List
• Used for filtering traffic
– Across interfaces
– To router
• Basic Structure
– access-list list-number {deny | permit} condition
• Extended ACL
– access-list list-number {deny | permit} protocol source source-wildcard source-qualifiers destination destination-wildcard destination-qualifiers [log | log-input]
• Each access list must contain at least 1 permit, or all traffic is denied (every list ends with an implicit deny)!
• Applying to Interface
– ip access-group <access list #> <in | out>

Access Control Lists


– TurboACL : uses a hash table, benefits when 5+ ACEs
– Reflexive : enables on-demand dynamic and temporary reply
filters (doesn’t work for H.323 like protocols)
– Dynamic : adds user authentication to Extended ACLs
– Named : allows you to delete individual ACEs
– Time-based : adds a time-range option
– Context-Based Access-Control : “inspects” the protocol
(helper/proxy/fixup-like), used in conjunction with ACLs
– MAC : filters on MAC address (700-799 for standard, 1100-1199
for extended)
– Protocol : filters on protocol type (200-299)

Recommended Inbound ACL


access-list 100 deny ip <Internal Subnet> any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 permit ip any 14.2.6.0 0.0.0.255
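To see how the entries above are actually evaluated, here is an added Python example (not from the slides): it parses the extended access-list lines, applies wildcard-mask matching in first-match order, and falls through to the implicit deny when nothing matches. It assumes <Internal Subnet> is 14.2.6.0/24 (the destination of the final permit line) and uses documentation addresses as constructed sample packets.

```python
import ipaddress
from collections import namedtuple

# One access-control entry: addresses as ints; wildcard 1 bits mean "don't care".
Ace = namedtuple("Ace", "action src src_wild dst dst_wild log")

def _addr_wild(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(config, number):
    """Collect the 'access-list <number> {permit|deny} ip <src> <dst>' entries, in order."""
    aces = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", str(number)] or tokens[3] != "ip":
            continue
        rest = tokens[4:]
        src, src_wild = _addr_wild(rest)
        dst, dst_wild = _addr_wild(rest)
        aces.append(Ace(tokens[2], src, src_wild, dst, dst_wild, "log" in rest))
    return aces

def _matches(ip, addr, wild):
    # Only the wildcard's 0 bits have to match; its 1 bits are ignored.
    return (ip & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF)

def evaluate(aces, src_ip, dst_ip):
    """First match wins; with no match the ACL's implicit 'deny any' applies."""
    src, dst = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for idx, ace in enumerate(aces):
        if _matches(src, ace.src, ace.src_wild) and _matches(dst, ace.dst, ace.dst_wild):
            return ace.action, idx, ace.log  # (action, index of matching entry, logged?)
    return "deny", None, False

# Constructed sample: the slide's inbound ACL with <Internal Subnet> assumed to be 14.2.6.0/24.
INBOUND_ACL = """\
access-list 100 deny ip 14.2.6.0 0.0.0.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 permit ip any 14.2.6.0 0.0.0.255
"""
ACL100 = parse_acl(INBOUND_ACL, 100)
```

A packet claiming an internal source address from the outside hits entry 0 and is logged, while a legitimate external packet to a non-internal destination is dropped by the implicit deny without a log entry.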

Recommended Outbound ACL


access-list 102 permit ip <Internal Subnet> any
access-list 102 deny ip any any log

SYN Flood Protection


Applied Inbound on External Interface

access-list 106 permit tcp any <Internal Subnet> established
access-list 106 deny ip any any log

Land Attack Protection


Applied Inbound to External Interface

access-list 100 deny ip host <External IP> host <External IP> log
access-list 100 permit ip any any

Smurf Attack Protection


Applied Inbound on External Interface

access-list 110 deny ip any host x.x.x.255 log
access-list 110 deny ip any host x.x.x.0 log

x.x.x = Internal Subnet

Unneeded Services
• Recommended
no ip bootp server
no service tcp-small-servers
no service udp-small-servers
no ip identd
no ip finger
service nagle
no cdp run
no boot network
no service config
no ip subnet-zero
no service finger
no service pad
no ip http server
no ip source-route

Unneeded Services – cont’d
Certain UDP broadcasts are forwarded by default. If UDP broadcasts are needed, enable only the specific port and control it with an access list.

no ip forward-protocol port 69
no ip forward-protocol port 53
no ip forward-protocol port 37
no ip forward-protocol port 137
no ip forward-protocol port 138
no ip forward-protocol port 67
no ip forward-protocol port 68
no ip forward-protocol port 49
no ip forward-protocol port 42
no ip helper-address

Interface
• Disable the ability to spoof and perform probes

no ip proxy-arp
no ip directed-broadcast
no ip unreachables
no ip mask-reply
no ip redirects

NTP
• Set clock configuration
– clock timezone UTC 0
– no clock summer-time
• Only allow NTP on Interfaces, using access list
• Use Authenticated NTP
ntp update-calendar
ntp authentication-key 10 md5 <key>
ntp authenticate
ntp trusted-key 10
ntp server x.x.x.x [key 10]
ntp access-group peer 20
access-list 20 permit host x.x.x.x
access-list 20 deny any

SNMP
• Do NOT use SNMP version 1
• Change Public and Private strings
SNMP VERSION 2

snmp-server community r3ad view cutdown RO 10
snmp-server community wr1te RW 10
snmp-server view cutdown ip.21 excluded
snmp-server enable traps <…>
snmp-server host x.x.x.x
snmp-server trap-source loopback0
access-list 10 permit x.x.x.x

SNMP VERSION 3

snmp-server group engineering v3 priv read cutdown 10
snmp-server user nico engineering v3 auth md5 myp4ss priv des56 mydes56
snmp-server view cutdown ip.21 excluded
access-list 10 permit x.x.x.x
access-list 10 deny any log

Logging
• Syslog
– Oldest entries are overwritten
– Send logs to a remote syslog server
– Log all denies
– Log all configuration changes

no ip domain lookup
service timestamps log datetime localtime show-timezone msec
service timestamps debug datetime localtime show-timezone msec
logging x.x.x.x
logging trap debugging
logging source-interface loopback0
logging buffered 64000 debugging

Auditing Cisco Routers

• Auditing router configurations manually can be time consuming.
– Manual check using a checklist
• Hands-off
• Hands-on
– Need privilege EXEC access
– Crosswalk configuration with a checklist
– NSA checklist is 5 pages long!
• Automation
– Using a script/program to audit configuration against a baseline configuration
• Corporate standard baseline
• Vendor recommendations
• Industry “Best Practice”
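As an added illustration of the automation bullet (this is example code, not one of the tools covered in the presentation), the following Python script audits a configuration against several hardening items from these slides: a Type 5 enable secret with no enable password, service password-encryption, no HTTP server, no CDP, a login banner, a remote syslog host, non-default SNMP communities tied to an access list, and access-class plus exec-timeout on the VTY lines. The configuration it audits is constructed for the example.

```python
import re

# Constructed sample configuration (not from any real device): it mixes settings
# the slides recommend with several they warn against.
SAMPLE_CONFIG = """\
enable secret 5 $1$placeholder$hashvalue
enable password 7 PLACEHOLDER
service password-encryption
ip http server
snmp-server community public RO
snmp-server community wr1te RW 10
logging 192.0.2.50
line vty 0 4
 exec-timeout 5 0
 login local
"""

RULES = [  # (regex on a top-level config line, should it be present?, finding)
    (r"enable secret ", True, "no 'enable secret' (Type 5 MD5 hash) configured"),
    (r"enable password ", False, "'enable password' present: use 'no enable password'"),
    (r"service password-encryption", True, "'service password-encryption' missing"),
    (r"ip http server", False, "HTTP server enabled: 'no ip http server'"),
    (r"no cdp run", True, "CDP left at its default (on): 'no cdp run'"),
    (r"banner motd ", True, "no login banner: 'banner motd'"),
    (r"logging \d+\.\d+\.\d+\.\d+", True, "no remote syslog server: 'logging <host>'"),
]

def parse_blocks(config):
    """Split an IOS config into top-level lines and {parent: [indented child lines]}."""
    top, blocks, parent = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and parent is not None:
            blocks[parent].append(raw.strip())
        elif raw.strip():
            parent = raw.strip()
            top.append(parent)
            blocks[parent] = []
    return top, blocks

def audit(config):
    """Return the hardening checks from the slides that this configuration fails."""
    top, blocks = parse_blocks(config)
    findings = []
    for pattern, wanted, message in RULES:
        if any(re.match(pattern, line) for line in top) != wanted:
            findings.append(message)
    for line in top:  # SNMP: no default strings, and every community tied to an ACL
        m = re.match(r"snmp-server community (\S+)(?: view \S+)? (RO|RW)( \d+)?$", line)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"default SNMP community '{m.group(1)}'")
        elif m and not m.group(3):
            findings.append(f"SNMP community '{m.group(1)}' not restricted by an access-list")
    for parent, children in blocks.items():  # VTY lines need an ACL and a timeout
        if parent.startswith("line vty"):
            for needed in ("access-class ", "exec-timeout "):
                if not any(c.startswith(needed) for c in children):
                    findings.append(f"'{parent}' lacks '{needed.strip()}'")
    return findings
```

Running audit(SAMPLE_CONFIG) reports six findings; a config that also carries `no cdp run`, a banner, an access-class on the VTY lines, a non-default read community with an ACL, and no `enable password` line comes back clean.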

Tools
• http://home.jwu.edu/jwright/perl.htm
– Various perl scripts for router management
• snatchcisco.pl
• grabciscoconf
– Script that uses SNMP to grab configuration file
• http://tool.sourceforge.net
– Accomplishes several tasks, including downloading and uploading of
configs and execution of commands on single or multiple routers of
various types
– Perl scripts
• configDiff
• configHash
– Downloads configs based on a hostlist, calls configHash to get the differences between the new config and the latest archived config

Tools – cont’d
• http://hotunix.com/tools/
– Shell script that automates the audit of configurations from multiple routers and switches.
– Based on Cisco, NSA, and SANS security guides and recommendations.
– Reporting is granular
• Down to individual device interfaces, lines, ACLs, ASes, etc.

• Last modified June 20, 2003

Tools – cont’d
• http://www.shrubbery.net/rancid/
– Really Awesome New Cisco config Differ
– Monitors a router’s configuration, including software and hardware, using CVS
– Supports the following systems:
• Cisco routers
• Juniper routers
• Catalyst switches
• Foundry switches
• Redback NASs
• ADC EXT3 muxes
• MRTd
• Alteon switches
• HP procurve switches

CIS
• http://www.cisecurity.com
– Center for Internet Security
– Non-profit organization
• Mission
– To help organizations around the world effectively manage the
risks related to information security. CIS provides methods and
tools to improve, measure, monitor, and compare the security
status of your Internet-connected systems and appliances, plus
those of your business partners.
• Membership
– SANS, ISC2, ISACA, IIA, AICPA, MITRE

RAT
• http://www.cisecurity.com/bench_cisco.html
– Router Audit Tool
• http://ncat.sourceforge.net
– Perl based
– Works on both Windows and Unix platforms
– Version 2.1
• Level-1 benchmark
– Minimum-security requirements for due care, based on the NSA Router Security Configuration Guide.
• Level-2 benchmark
– Settings are optional
– Many settings for which no benchmark standards are yet defined (e.g., ssh, IPSEC, BGP, OSPF, radius…)
– Downloads configurations from devices (optional) and checks them against the settings defined in the benchmark.

• Primary Objective of RAT
– Baseline the router configuration for the protection of the router

• Process
– Create baseline using ncat_config and company standard
– Acquire router configuration(s)
• Use snarf (or rat -a <ip address>)
• Manually cut and paste config
• Network administrator sends to you
– Run rat against configuration file
– Review final output
• HTML
• Text
– Customizable

4 files
ncat.exe
– ncat checks configuration settings in static configuration files. The rules to be checked for each configuration type are defined in a set of ncat configuration files.
ncat_config.exe
– Utility to build a baseline configuration file
ncat_report.exe
– ncat_report reads one or more ncat output files and produces text and HTML reports ($config.html, $config.ncat_report.txt) listing rules violations found per the config file.
rat.exe
– rat audits router configurations. If you have already downloaded the configuration files by some other means, you may specify the path to those files on the command line.
snarf.exe
– Utility to download router configuration

Demo

References
Cisco Advisories
http://www.cisco.com/warp/public/707/advisory.html
Hardening
http://www.cymru.com/Documents/secure-ios-template.html
http://www.cymru.com/Documents/secure-bgp-template.html
http://www.cisco.com/warp/public/707/21.html
Web Tools
http://www.powertech.no/smurf/
http://www.netscan.org/
Web Links
http://www.networkpackets.com/cisco_links.htm
ftp://ftp-eng.cisco.com/cons/

• For more information:
– www.Vitalisec.com
– Info@Vitalisec.com
– (720)297-3300

• Travis Schack
– Travis@Vitalisec.com
