Securing & Auditing Cisco Routers - PowerPoint PPT Presentation (May 20, 2004)

Description: Vitalisec Inc. Securing & Auditing Cisco Routers, May 20, 2004, Travis Schack, Travis_at_Vitalisec.com. Travis Schack, Founder and Senior Security Consultant.

Slides: 53
Provided by: isacadenv
Learn more at: http://isaca-denver.org

Transcript and Presenter's Notes

1
Vitalisec Inc.
Securing & Auditing Cisco Routers
May 20, 2004
Travis Schack
Travis_at_Vitalisec.com
2
Travis Schack
  • Founder and Senior Security Consultant
  • Certifications
  • CISSP (Certified Information System Security
    Professional)
  • OPST trainer (OSSTMM Professional Security
    Tester)
  • OPSA trainer (OSSTMM Professional Security
    Analyst)
  • NSA IAM (INFOSEC Assessment Methodology)
  • 10 years IT and Information Security
  • Industry Experience
  • IBM, Galileo Intl, Rhythms Netconnections,
    Circadence, Janus Funds
  • Adjunct faculty for Denver University's Masters
    program in Information Security
  • Extensive Penetration and Vulnerability Testing
    experience

3
  • Objectives
  • Role of the router in network security
  • Router threats and Security drivers
  • Best Practice router hardening
  • Authentication & Authorization
  • Access list filtering
  • Services
  • Logging
  • Access controls
  • Valuable commands
  • Auditing tools and how to use them
  • Helpful web resources
  • Assumptions
  • You already know the OSI Model
  • Familiarity with Cisco IOS
  • Many aspects are not covered
  • Cannot teach router configuration

4
Role of the Router
5
  • Primary function
  • Forwarding of packets between network segments
  • Routing Decisions
  • Applies filters
  • Network Traffic Cop
  • Router Components
  • Processor
  • Memory
  • Storage
  • Interfaces
  • Runs on IOS

6
Security Device?
7
  • Security Variables
  • Placement of Router
  • Core Router (Backbone)
  • Route packets as fast as possible
  • Distribution Router (Interior)
  • Boundary definition
  • Access Router (Border)
  • Allow access into Network
  • Perimeter/Border
  • Networks Involved
  • Money
  • Firewall
  • IDS

8
Router Threats and Security Drivers
9
(No Transcript)
10
(No Transcript)
11
Cisco's IOS Source Leaked
May 17, 2004
By Enterprise IT Planet Staff

Word that source code for Cisco IOS was circulating on the Internet lit up message boards this weekend. Today, Cisco confirmed that indeed an estimated 800MB of code for IOS 12.3 and 12.3t was indeed taken after hackers pilfered it from the company's network. The theft was first reported on a Russian Web site dedicated to computer security, SecurityLab.ru. IOS is the software that drives the company's routers. The release of this source is significant in that Cisco is the dominant networking gear provider; its very name is synonymous with the Internet backbone. Although few are painting gloom-and-doom scenarios this early, the news is nonetheless worrisome for administrators lording over Cisco-based networks and users of the Internet. Cisco is currently investigating the matter but as of yet no customer data seems to have been exposed during the breach. Cisco spokesman Jim Brady told tech journal internetnews.com, "Based on preliminary data, we don't believe any confidential customer information or financial systems were affected." The exact nature of the breach, be it a vulnerability or an "inside job", still remains unresolved, but the likelihood of either appears unlikely, according to the company. Cisco is the latest high-profile company to suffer a source-code leak. In recent months, Microsoft saw parts of its Windows 2000 source released. Valve, makers of the popular Half-Life PC game, had the source for its anticipated sequel leached from its systems late last year.
12
(No Transcript)
13
(No Transcript)
14
(No Transcript)
15
Security Drivers
  • Regulations
  • Sarbanes-Oxley (Section 404)
  • CA 1386
  • GLBA
  • FISMA
  • HIPAA
  • Brand/Image
  • Liability/Legal
  • Rising Costs of Security Incidents
  • Proactive Security Culture

16
Router Security
  • Best Practice Hardening

17
  • http://nsa2.www.conxion.com/cisco/download.htm
    (NSA Router Security Configuration Guide)

18
Router Version
  • Identification of security patches
  • http://www.cisco.com/warp/public/707/advisory.html
  • Latest Cisco IOS
  • http://www.cisco.com/en/US/products/sw/iosswrel/products_ios_cisco_ios_software_category_home.html
  • Router Command
  • show version
  • Display Configuration
  • show running-config (active configuration)
  • show startup-config (saved configuration; show
    configuration is the older alias)

19
Two Login Modes
  • First login
  • User EXEC mode
  • From User EXEC mode, type enable
  • Privileged EXEC mode

20
Login Banner
  • Command
  • banner motd <delimiter> banner text <delimiter>
  • Don't give out specific information about the
    router (model, IOS version, owner, location)

21
User Accounts
  • Use local accounts, AAA, or ACS
  • RADIUS
  • TACACS+
  • Command
  • username <username> privilege <0-15> secret
    <strong password>
  • On IOS that supports username ... secret, prefer
    it over username ... password: secret stores an
    MD5 hash, password stores a reversible Type 7
    string

aaa new-model
aaa authentication login remoteauth group radius group tacacs+ enable
tacacs-server host 172.16.1.11
tacacs-server key testTKey
radius-server host 172.16.1.12
radius-server key TestRKey
line vty 0 4
 login authentication remoteauth
22
Privileges
  • 16 privilege levels (0-15)
  • Predefined
  • 0: disable, enable, exit, help, logout only
  • 1: User EXEC mode
  • 15: Privileged EXEC mode
  • Commands (move risky commands up to level 15)
  • privilege exec level 15 connect
  • privilege exec level 15 telnet
  • privilege exec level 15 rlogin
  • privilege exec level 15 show ip access-lists
  • privilege exec level 15 show access-lists
  • privilege exec level 15 show logging
  • privilege exec level 1 show ip
  • The last line is needed because raising show ip
    access-lists also raises its parent show ip; it
    gives the rest of show ip back to level 1

23
Passwords
  • Two password schemes
  • Type 5 (stronger)
  • Salted MD5 hash; not reversible, but a weak
    password is still crackable offline
  • Command
  • enable secret <strong password>
  • no enable password
  • Type 7 (weak!)
  • Reversible obfuscation (XOR against a fixed key);
    it only masks the displayed password and is
    decoded instantly by anyone who reads the config
  • Command
  • service password-encryption
  • DEMO
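
To show why Type 7 only masks the display, here is an added example (not part of the original deck and not Cisco's code): a decoder and encoder for the service password-encryption scheme, plus a scanner that pulls every Type 7 string out of a configuration and flags an enable password that is not backed by an enable secret. The sample configuration lines are constructed for this example; the XOR key is the fixed one IOS uses for Type 7 strings.

```python
"""Cisco Type 7 (service password-encryption) decoder and config scanner.
Added example, not from the deck. Type 7 is a fixed-key XOR (Vigenere-style)
obfuscation: the first two digits are the key offset, the rest are hex bytes."""
import re
from typing import List, Tuple

# Fixed XOR key used by IOS for Type 7 strings.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """'02050D480809' -> 'cisco'."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError("not a Type 7 string")
    seed = int(encoded[:2])          # key offset chosen by IOS, 0..15
    if seed > 15:
        raise ValueError("bad Type 7 seed")
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data)).decode()


def type7_encode(plain: str, seed: int = 0) -> str:
    """Reverse operation; IOS picks the seed at random, nothing else varies."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    out = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(plain.encode()))
    return f"{seed:02d}" + out.hex().upper()


# Matches '... password 7 <hex>' and '... key 7 <hex>' lines in a config dump.
_T7 = re.compile(r"^(?P<prefix>.*\b(?:password|key)) 7 (?P<enc>[0-9A-Fa-f]+)\s*$")


def recover_type7(config: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered plaintext) for every Type 7 secret found."""
    found = []
    for line in config.splitlines():
        m = _T7.match(line.strip())
        if m:
            found.append((line.strip(), type7_decode(m.group("enc"))))
    return found


def has_weak_enable(config: str) -> bool:
    """True when 'enable password' is set and no 'enable secret' (Type 5) exists."""
    lines = [l.strip() for l in config.splitlines()]
    return (any(l.startswith("enable password") for l in lines)
            and not any(l.startswith("enable secret") for l in lines))


# Constructed sample config (not from the deck); every Type 7 string here is 'cisco'.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 0822455D0A16
username admin privilege 15 password 7 02050D480809
tacacs-server key 7 0822455D0A16
line con 0
 password 7 02050D480809
"""

if __name__ == "__main__":
    for line, plain in recover_type7(SAMPLE_CONFIG):
        print(f"{line:55} -> {plain}")
    print("enable protected only by Type 7:", has_weak_enable(SAMPLE_CONFIG))
```

The scanner is the check an auditor wants on slide 40's hands-off review: any `7` string in a configuration you were handed is effectively cleartext, so treat the file with the same care as the passwords themselves, and make sure `enable secret` (Type 5) is what actually guards privileged mode.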

24
Access
  • VTY/Aux/Console
  • VTY is used for remote connections
  • Restrict sources with an access list (access-class)
  • Set a session timeout (exec-timeout)
  • Aux is used for modems
  • Disable it if unused
  • no exec
  • Console
  • line console 0
  • password <password>
  • login (without it the line password is never
    checked)

Central(config)# ip telnet source-interface loopback0
Central(config)# access-list 99 permit 14.2.9.1 log
Central(config)# access-list 99 permit 14.2.6.6 log
Central(config)# access-list 99 deny any log
Central(config)# line vty 0 4
Central(config-line)# access-class 99 in
Central(config-line)# exec-timeout 5 0
Central(config-line)# transport input telnet
Central(config-line)# login local
Central(config-line)# exec
Central(config-line)# end
Central#
Telnet sends credentials in cleartext; once SSH is configured (slide 25), change the transport line to transport input ssh.
25
SSH
  • IOS versions 12.1(1)T/12.0(10)S (image with
    3DES); scp as of 12.2T
  • Early IOS SSH speaks version 1 only
  • SSHv1 weaknesses: key recovery, CRC32
    compensation attack, traffic analysis (SSHow),
    timing analysis and attacks
  • You can't force 3DES only, nor use public keys
    for user authentication
  • Fixed in 12.0(20)S, 12.1(8a)E, 12.2(3), ...
  • Where the image supports it, use SSHv2 (ip ssh
    version 2) and restrict the VTYs to SSH
    (transport input ssh)

hostname <hostname>
ip domain-name <domainname>
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
ip scp server enable
26
Access Control List
  • Used for filtering traffic
  • Across interfaces (ip access-group)
  • To the router itself (access-class on VTY lines)
  • Basic structure (standard ACL, 1-99)
  • access-list list-number {deny | permit} source
    [source-wildcard] [log]
  • Extended ACL (100-199)
  • access-list list-number {deny | permit} protocol
    source source-wildcard [source-qualifiers]
    destination destination-wildcard
    [destination-qualifiers] [log | log-input]
  • Wildcard masks are inverted: a 0 bit must match,
    a 1 bit is ignored (0.0.0.255 covers a /24)
  • Entries are evaluated top down, first match wins
  • Every ACL ends with an implicit deny any: a list
    with no permit denies all traffic!
  • Applying to Interface
  • ip access-group <access list> <in | out>

27
Access Control Lists
  • Turbo ACL compiles the list into hash tables; it
    pays off when the list has more than 5 ACEs
  • Reflexive ACLs create on-demand, temporary entries
    for reply traffic (don't work for protocols such
    as H.323 that open secondary channels)
  • Dynamic (lock-and-key) ACLs add user
    authentication to extended ACLs
  • Named ACLs allow you to delete individual ACEs
  • Time-based ACLs add a time-range option
  • Context-Based Access Control (CBAC) inspects the
    protocol (helper/proxy/fixup-like) and is used in
    conjunction with ACLs
  • MAC ACLs filter on MAC address (700-799 for
    standard, 1100-1199 for extended)
  • Protocol type-code ACLs filter on protocol type
    (200-299)

28
Recommended Inbound ACL
  • Applied inbound on the external interface; the
    deny lines drop packets that claim an internal,
    loopback, private, reserved, link-local,
    multicast or broadcast source (spoofed or bogon
    traffic)
  • access-list 100 deny ip <Internal Subnet> any log
  • access-list 100 deny ip 127.0.0.0 0.255.255.255
    any log
  • access-list 100 deny ip 10.0.0.0 0.255.255.255
    any log
  • access-list 100 deny ip 0.0.0.0 0.255.255.255 any
    log
  • access-list 100 deny ip 172.16.0.0 0.15.255.255
    any log
  • access-list 100 deny ip 192.168.0.0 0.0.255.255
    any log
  • access-list 100 deny ip 192.0.2.0 0.0.0.255 any
    log
  • access-list 100 deny ip 169.254.0.0 0.0.255.255
    any log
  • access-list 100 deny ip 224.0.0.0 15.255.255.255
    any log
  • access-list 100 deny ip host 255.255.255.255 any
    log
  • access-list 100 permit ip any 14.2.6.0 0.0.0.255
  • Narrow the final permit to the hosts and ports
    actually offered to the outside
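
An added example, not from the deck: a small Python evaluator for the ACL syntax on slide 26, run against slide 28's inbound list. It assumes <Internal Subnet> is 14.2.6.0/24 (the prefix the deck's final permit line uses) and constructs a few test packets; it shows wildcard-mask matching, first-match ordering, the implicit deny at the end of every list, and a check for deny entries that lack the log keyword.

```python
"""Evaluator for the Cisco numbered-ACL subset used on these slides.
Added example (not from the deck): parses 'access-list' lines, applies
wildcard masks and first-match semantics, and ends with the implicit deny.
Supports the ip/tcp/udp/icmp protocol keyword, any / host A / A W; no ports."""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _is_ip(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass
class Ace:
    number: int
    action: str            # permit | deny
    proto: str             # 'ip' matches every protocol
    src: Tuple[str, str]   # (address, wildcard)
    dst: Tuple[str, str]
    log: bool
    text: str


def _addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Parse 'any' | 'host A' | 'A W' | 'A' (standard-ACL shorthand for host A)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and _is_ip(t[i + 1]):
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an ACE: {line}")
    number = int(t[1])
    if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard: source only
        proto, dst = "ip", ANY
        src, i = _addr(t, 3)
    else:                                            # extended
        proto = t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
    log = any(k in ("log", "log-input") for k in t[i:])
    return Ace(number, t[2], proto, src, dst, log, line)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l.strip()) for l in text.splitlines() if l.strip()]


def evaluate(acl: List[Ace], proto: str, src: str, dst: str) -> Tuple[str, Optional[Ace]]:
    """First matching ACE wins. No match -> ('deny', None): the implicit deny any."""
    for ace in acl:
        if ace.proto in ("ip", proto) and wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action, ace
    return "deny", None


def unlogged_denies(acl: List[Ace]) -> List[Ace]:
    """Audit helper: deny entries that would drop silently (slide 38 wants denies logged)."""
    return [a for a in acl if a.action == "deny" and not a.log]


# Slide 28's inbound list with <Internal Subnet> assumed to be 14.2.6.0/24.
# Constructed for this example.
INBOUND_ACL = """
access-list 100 deny ip 14.2.6.0 0.0.0.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 permit ip any 14.2.6.0 0.0.0.255
"""

if __name__ == "__main__":
    acl = parse_acl(INBOUND_ACL)
    for proto, s, d in [("tcp", "10.1.2.3", "14.2.6.10"),       # RFC 1918 spoof
                        ("tcp", "14.2.6.5", "14.2.6.10"),       # our own prefix from outside
                        ("tcp", "198.51.100.7", "14.2.6.10"),   # legitimate
                        ("tcp", "198.51.100.7", "14.2.7.10")]:  # not ours: implicit deny
        action, ace = evaluate(acl, proto, s, d)
        print(f"{s:>14} -> {d:<10} {action:6} {ace.text if ace else '(implicit deny any)'}")
```

Running it shows the ordering that matters on a border router: the anti-spoof denies must sit above the permit, and a packet for a destination outside 14.2.6.0/24 is dropped by the implicit deny even though no line names it.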

29
Recommended Outbound ACL
  • access-list 102 permit ip <Internal Subnet> any
  • access-list 102 deny ip any any log

30
SYN Flood Protection
  • Applied Inbound on External Interface
  • access-list 106 permit tcp any <Internal Subnet>
    established
  • access-list 106 deny ip any any log
  • established only matches segments with ACK or RST
    set (replies to sessions opened from inside); it
    is a flag check, not state tracking, and it blocks
    every unsolicited inbound SYN, so it only fits
    where no TCP services are offered to the outside

31
Land Attack Protection
  • Applied Inbound to External Interface
  • access-list 100 deny ip host <External IP> host
    <External IP> log
  • access-list 100 permit ip any any

32
Smurf Attack Protection
  • Applied Inbound on External Interface
  • access-list 110 deny ip any host x.x.x.255 log
  • access-list 110 deny ip any host x.x.x.0 log
  • x.x.x = Internal Subnet
  • Pair with no ip directed-broadcast on every
    interface (slide 35) so the router never amplifies

33
Unneeded Services
  • Recommended
  • no ip bootp server
  • no service tcp-small-servers
  • no service udp-small-servers
  • no ip identd
  • no ip finger
  • service nagle
  • no cdp run

no boot network
no service config
no ip subnet-zero
no service finger
no service pad
no ip http server
no ip source-route
34
Unneeded Services cont'd
  • no ip forward-protocol udp 69 (TFTP)
  • no ip forward-protocol udp 53 (DNS)
  • no ip forward-protocol udp 37 (Time)
  • no ip forward-protocol udp 137 (NetBIOS name)
  • no ip forward-protocol udp 138 (NetBIOS datagram)
  • no ip forward-protocol udp 67 (BOOTP/DHCP server)
  • no ip forward-protocol udp 68 (BOOTP/DHCP client)
  • no ip forward-protocol udp 49 (TACACS)
  • no ip forward-protocol udp 42 (IEN-116 name service)
  • no ip helper-address (on each interface)

These UDP broadcasts are forwarded by default wherever
an ip helper-address is configured. If UDP broadcast
forwarding is needed, enable only the specific port
(ip forward-protocol udp <port>) and control the
traffic with an access list.
35
Interface
  • Disable the features that let an attacker spoof,
    redirect or map the network from the router

no ip proxy-arp
no ip directed-broadcast
no ip unreachables
no ip mask-reply
no ip redirects
36
NTP
  • Set clock configuration
  • clock timezone UTC 0
  • no clock summer-time
  • Only accept NTP from known servers: ntp
    access-group with an access list, and ntp disable
    on interfaces that do not need it
  • Use authenticated NTP

ntp update-calendar
ntp authentication-key 10 md5 <key>
ntp authenticate
ntp trusted-key 10
ntp server x.x.x.x key 10
ntp access-group peer 20
access-list 20 permit host x.x.x.x
access-list 20 deny any
37
SNMP
  • Do NOT use SNMP version 1
  • Change the default public and private community
    strings (the ones below are placeholders; use
    long, unique strings and avoid RW where possible)
  • Restrict sources with an access list; version 2c
    community strings still travel in cleartext, so
    prefer version 3 with auth and priv

SNMP VERSION 2c
snmp-server community r3ad view cutdown RO 10
snmp-server community wr1te RW 10
snmp-server view cutdown ip.21 excluded
snmp-server enable traps <...>
snmp-server host x.x.x.x <community>
snmp-server trap-source loopback0
access-list 10 permit x.x.x.x
access-list 10 deny any log

SNMP VERSION 3
snmp-server group engineering v3 priv read cutdown access 10
snmp-server user nico engineering v3 auth md5 myp4ss priv des56 mydes56
snmp-server view cutdown ip.21 excluded
access-list 10 permit x.x.x.x
access-list 10 deny any log
38
Logging
  • Syslog
  • The local buffer is circular: oldest entries are
    overwritten
  • Send logs to a remote syslog server
  • Log all denies (log keyword on deny ACEs)
  • Log all configuration changes (archive / log
    config / logging enable on IOS that supports it;
    otherwise diff archived configs with the tools on
    the following slides)

no ip domain lookup
service timestamps log datetime localtime show-timezone msec
service timestamps debug datetime localtime show-timezone msec
logging x.x.x.x
logging trap debugging
logging source-interface loopback0
logging buffered 64000 debugging
39
Auditing Cisco Routers
40
  • Auditing router configurations manually can be
    time consuming.
  • Manual check using a checklist
  • Hands-off
  • Hands-on
  • Need privilege EXEC access
  • Crosswalk configuration with a checklist
  • NSA checklist is 5 pages long!
  • Automation
  • Using a script/program to audit configuration
    against a baseline configuration
  • Corporate standard baseline
  • Vendor recommendations
  • Industry Best Practice
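
As an added illustration of the automated approach (not RAT, ncat or any of the tools on the following slides), here is a Python script that parses an IOS configuration into global lines, interface sections and line sections, and checks each against a small baseline drawn from slides 24 and 33 to 35. The configuration and the rule set are constructed for this example; IOS defaults differ by release, so each rule states what must (or must not) appear in the text rather than what the box would do by default.

```python
"""Baseline audit of a Cisco IOS text configuration.
Added example, not from the deck and not RAT/ncat. Rules are assumptions
modelled on the deck's hardening slides."""
from typing import Dict, List, Tuple

# Constructed sample running-config (not from the deck).
SAMPLE_CONFIG = """\
version 12.3
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname border
!
no ip source-route
no ip finger
ip http server
no cdp run
!
interface Loopback0
 ip address 14.2.9.1 255.255.255.255
!
interface Ethernet0/0
 ip address 14.2.6.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 no ip redirects
!
line vty 0 4
 exec-timeout 5 0
 login local
 transport input telnet
!
"""

# (kind, line or line prefix, reason). 'require' must appear, 'forbid' must not.
GLOBAL_RULES = [
    ("require", "no ip source-route", "source routing lets packets dictate their path"),
    ("require", "no cdp run", "CDP leaks platform and IOS details"),
    ("require", "service password-encryption", "line passwords stored in cleartext"),
    ("require", "service timestamps log datetime", "log entries need timestamps"),
    ("forbid", "ip http server", "web management enabled"),
    ("forbid", "ip finger", "finger enabled"),
    ("forbid", "ip bootp server", "bootp server enabled"),
]
INTERFACE_RULES = ["no ip redirects", "no ip proxy-arp", "no ip unreachables"]
VTY_RULES = [("require", "access-class"), ("require", "exec-timeout"),
             ("forbid", "transport input telnet")]


def parse_sections(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global lines and {section header: [indented lines]}.
    Only 'interface' and 'line' sections are kept; other indented blocks are ignored."""
    global_lines: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw[0] != " ":
            if raw.split()[0] in ("interface", "line"):
                current = raw
                sections[current] = []
            else:
                current = None
                global_lines.append(raw.strip())
        elif current:
            sections[current].append(raw.strip())
    return global_lines, sections


def _has(lines: List[str], prefix: str) -> bool:
    """Exact line or line beginning with the prefix as whole words."""
    return any(l == prefix or l.startswith(prefix + " ") for l in lines)


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the baseline is met."""
    findings: List[str] = []
    glob, sections = parse_sections(text)
    for kind, pat, why in GLOBAL_RULES:
        present = _has(glob, pat)
        if kind == "require" and not present:
            findings.append(f"global: missing '{pat}' ({why})")
        if kind == "forbid" and present:
            findings.append(f"global: found '{pat}' ({why})")
    for header, lines in sections.items():
        name = header.split(None, 1)[1]
        if header.startswith("interface") and not name.lower().startswith("loopback"):
            for pat in INTERFACE_RULES:            # loopbacks carry no real traffic
                if not _has(lines, pat):
                    findings.append(f"{name}: missing '{pat}'")
        elif header.startswith("line vty"):
            for kind, pat in VTY_RULES:
                present = _has(lines, pat)
                if kind == "require" and not present:
                    findings.append(f"{name}: missing '{pat}'")
                if kind == "forbid" and present:
                    findings.append(f"{name}: found '{pat}' (use transport input ssh)")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

The per-section parse is what separates this from a grep: `no ip proxy-arp` is only meaningful under the interface it belongs to, and an `access-class` on the console line says nothing about the VTYs. Feeding the script the configs a tool like RANCID or snarf archives turns slide 40's manual crosswalk into a repeatable diff against the baseline.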

41
Tools
  • http://home.jwu.edu/jwright/perl.htm
  • Various perl scripts for router management
  • snatchcisco.pl
  • grabciscoconf
  • Script that uses SNMP to grab the configuration file
  • http://tool.sourceforge.net
  • Accomplishes several tasks, including downloading
    and uploading of configs and execution of
    commands on single or multiple routers of various
    types
  • Perl scripts
  • configDiff
  • configHash
  • Downloads configs based on a hostlist, calls
    configHash to get the differences between the new
    config and the latest archived config

42
Tools cont'd
  • http://hotunix.com/tools/
  • Shell script that automates the audit of
    configurations from multiple routers and switches
  • Based on Cisco, NSA, and SANS security guides and
    recommendations
  • Reporting is granular
  • Down to individual device interfaces, lines,
    ACLs, ASs, etc.
  • Last modified June 20, 2003

43
Tools cont'd
  • http://www.shrubbery.net/rancid/
  • Really Awesome New Cisco config Differ
  • Monitors a router configuration, including
    software and hardware, using CVS
  • Supports the following systems
  • Cisco routers
  • Juniper routers
  • Catalyst switches
  • Foundry switches
  • Redback NASs
  • ADC EXT3 muxes
  • MRTd
  • Alteon switches
  • HP procurve switches

44
(No Transcript)
45
CIS
  • http://www.cisecurity.com
  • Center for Internet Security
  • Non-profit organization
  • Mission
  • To help organizations around the world
    effectively manage the risks related to
    information security. CIS provides methods and
    tools to improve, measure, monitor, and compare
    the security status of your Internet-connected
    systems and appliances, plus those of your
    business partners.
  • Membership
  • SANS, ISC2, ISACA, IIA, AICPA, MITRE

46
RAT
  • http://www.cisecurity.com/bench_cisco.html
  • Router Audit Tool
  • http://ncat.sourceforge.net
  • Perl based
  • Works on both Windows and Unix platforms
  • Version 2.1
  • Level-1 benchmark
  • Minimum security requirements for due care, based
    on the NSA Router Security Configuration Guide
  • Level-2 benchmark
  • Settings are optional
  • Many settings for which no benchmark standards
    are yet defined (e.g., ssh, IPSEC, BGP, OSPF,
    radius)
  • Downloads configurations from devices (optional)
    and checks them against the settings defined in
    the benchmark

47
  • Primary Objective of RAT
  • Baseline the router configuration for the
    protection of the router
  • Process
  • Create baseline using ncat_config and company
    standard
  • Acquire router configuration(s)
  • Use snarf (or rat -a <ip address>)
  • Manually cut and paste config
  • Network administrator sends to you
  • Run rat against configuration file
  • Review final output
  • HTML
  • Text
  • Customizable

48
  • Files
  • ncat.exe
  • ncat checks configuration settings in static
    configuration files. The rules to be checked for
    each configuration type are defined in a set of
    ncat configuration files.
  • ncat_config.exe
  • Utility to build a baseline configuration file
  • ncat_report.exe
  • ncat_report reads one or more ncat output files
    and produces text and HTML reports (config.html,
    config.ncat_report.txt) listing rules violations
    found per the config file.
  • rat.exe
  • rat audits router configurations. If you have
    already downloaded the configuration files by
    some other means, you may specify the path to
    those files on the command line.
  • snarf.exe
  • Utility to download router configuration

49
Demo
50
References
  • Cisco Advisories
  • http://www.cisco.com/warp/public/707/advisory.html
  • Hardening
  • http://www.cymru.com/Documents/secure-ios-template.html
  • http://www.cymru.com/Documents/secure-bgp-template.html
  • http://www.cisco.com/warp/public/707/21.html
  • Web Tools
  • http://www.powertech.no/smurf/
  • http://www.netscan.org/
  • Web Links
  • http://www.networkpackets.com/cisco_links.htm
  • ftp://ftp-eng.cisco.com/cons/

51
(No Transcript)
52
  • For more information
  • www.Vitalisec.com
  • Info_at_Vitalisec.com
  • (720)297-3300
  • Travis Schack
  • Travis_at_Vitalisec.com