©2004 VITALISEC INC. Vital Information Security May 20, 2004 Securing & Auditing Cisco Routers Vitalisec Inc. Travis Schack Travis@Vitalisec.com


Page 2

Travis Schack
• Founder and Senior Security Consultant
• Certifications
  – CISSP (Certified Information System Security Professional)
  – OPST trainer (OSSTMM Professional Security Tester)
  – OPSA trainer (OSSTMM Professional Security Analyst)
  – NSA IAM (INFOSEC Assessment Methodology)
  – 10 years IT and Information Security
• Industry Experience
  – IBM, Galileo Int’l, Rhythms Netconnections, Circadence, Janus Funds
  – Adjunct faculty for Denver University’s Master’s program in Information Security
  – Extensive Penetration and Vulnerability Testing experience

Page 3

• Objectives
  – Role of the router in network security
  – Router threats and security drivers
  – “Best Practice” router hardening
    • Authentication & Authorization
    • Access list filtering
    • Services
    • Logging
    • Access controls
  – Valuable commands
  – Auditing tools and how to use them
  – Helpful web resources
• Assumptions
  – You already know the OSI Model
  – Familiarity with Cisco IOS
  – Many aspects are not covered
    • Cannot teach router configuration

Page 4

Role of the Router

Page 5

• Primary function
  – Forwarding of packets between network segments
    • Routing decisions
    • Applies filters
    • Network traffic cop
• Router Components
  – Processor
  – Memory
  – Storage
  – Interfaces
  – Runs on IOS

Page 6

Security Device?

Page 7

• Security Variables
  – Placement of Router
    • Core Router (Backbone)
      – Route packets as fast as possible
    • Distribution Router (Interior)
      – Boundary definition
    • Access Router (Border)
      – Allow access into the network
      – Perimeter/Border
  – Networks Involved
  – Money
    • Firewall
    • IDS

Page 8

Router Threats and Security Drivers


Page 11

Cisco's IOS Source Leaked
May 17, 2004
By Enterprise IT Planet Staff

Word that source code for Cisco IOS was circulating on the Internet lit up message boards this weekend. Today, Cisco confirmed that indeed an estimated 800MB of code for IOS 12.3 and 12.3t was indeed taken after hackers pilfered it from the company's network.

The theft was first reported on a Russian Web site dedicated to computer security, SecurityLab.ru.

IOS is the software that drives the company's routers. The release of this source is significant in that Cisco is the dominant networking gear provider; its very name is synonymous with the Internet backbone.

Although few are painting gloom-and-doom scenarios this early, the news is nonetheless worrisome for administrators lording over Cisco-based networks and users of the Internet.

Cisco is currently investigating the matter but as of yet no customer data seems to have been exposed during the breach. Cisco spokesman Jim Brady told tech journal internetnews.com, "Based on preliminary data, we don't believe any confidential customer information or financial systems were affected."

The exact nature of the breach, be it a vulnerability or an "inside job" still remains unresolved, but the likelihood of either appears unlikely, according to the company.

Cisco is the latest high-profile company to suffer a source-code leak. In recent months, Microsoft saw parts of its Windows 2000 source released. Valve, makers of the popular Half-Life PC game, had the source for its anticipated sequel leached from its systems late last year.

Page 12

Cisco IOS Vulnerabilities

[Chart: Number of Vulnerabilities (0 to 20) per Year, 1999 to 2004, by source: BID, ICAT, CVE]

Page 13

Cisco IOS Vulnerabilities

[Chart: Number of Vulnerabilities (0 to 60) by Source: BID, ICAT, CVE, OSVDB]

Page 14

Common vulnerabilities:
1. Passwords
2. IOS Bugs
3. Protocol Attacks
4. Router Management
   1. SNMP
   2. Access
5. Misconfigurations
6. Access Controls

Proper configuration management can resolve many of these common vulnerabilities.

Impacts:
Unauthorized Access
Access Elevation
Change Network Flow
Bypass Security Devices
Data Capturing
Denial of Service
Loss of Service

Page 15

Security Drivers
• Regulations
  – Sarbanes-Oxley (Section 404)
  – CA 1386
  – GLBA
  – FISMA
  – HIPAA
• Brand/Image
• Liability/Legal
• Rising Costs of Security Incidents
• Proactive Security Culture

Page 16

Router Security: “Best Practice Hardening”

Page 17

• http://nsa2.www.conxion.com/cisco/download.htm

Page 18

Router Version
• Identification of security patches
  – http://www.cisco.com/warp/public/707/advisory.html
• Latest Cisco IOS
  – http://www.cisco.com/en/US/products/sw/iosswrel/products_ios_cisco_ios_software_category_home.html
• Router command
  – show version
• Display configuration
  – show configuration

Page 19

Two Login Modes
• First login
  – User EXEC mode
• From User EXEC mode, type “enable”
  – Privileged EXEC mode

Page 20

Login Banner
• Command
  – banner motd <delimiter> <banner text> <delimiter>
  – Don’t give out specific information about the router

Page 21

User Accounts
• Use local accounts, AAA, or ACS
  – RADIUS
  – TACACS+
• Command
  – username <username> privilege <0-15> password <strong password>

aaa new-model
aaa authentication login remoteauth group radius group tacacs+ enable
tacacs-server host 172.16.1.11
tacacs-server key testTKey
radius-server host 172.16.1.12
radius-server key TestRKey
line vty 0 4
 login authentication remoteauth

Page 22

Privileges
• 16 privilege levels (0-15)
• Predefined
  – 1: User EXEC mode
  – 15: Privileged EXEC mode
• Commands

privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show ip

Page 23

Passwords
• Two password schemes
  – Type 5 (stronger)
    • MD5 hash
    • Command
      – enable secret
      – no enable password
  – Type 7 (weak!)
    • Only masks the displayed password
    • Command
      – service password-encryption

DEMO

Page 24

Access
• VTY/Aux/Console
  – VTY is used for remote connections
    • Access list
    • Session timeout
  – Aux is used for modems
    • Disable
    • no exec
  – Console
    • line console 0
      – password <password>

Central(config)# ip telnet source-interface loopback0
Central(config)# access-list 99 permit 14.2.9.1 log
Central(config)# access-list 99 permit 14.2.6.6 log
Central(config)# access-list 99 deny any log
Central(config)# line vty 0 4
Central(config-line)# access-class 99 in
Central(config-line)# exec-timeout 5 0
Central(config-line)# transport input telnet
Central(config-line)# login local
Central(config-line)# exec
Central(config-line)# end
Central#

Page 25

SSH
• IOS versions: 12.1(1)T/12.0(10)S (image with 3DES); scp as of 12.2T
• Uses SSH version 1
  – Key recovery, CRC32, traffic analysis (SSHow), timing analysis and attacks
  – You can’t force 3DES only, nor use keys
  – Fixed in 12.0(20)S, 12.1(8a)E, 12.2(3), ...

hostname <hostname>
ip domain-name <domainname>
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
ip scp server enable

Page 26

Access Control List
• Used for filtering traffic
  – Across interfaces
  – To the router itself
• Basic structure
  – access-list list-number {deny | permit} condition
• Extended ACL
  – access-list list-number {deny | permit} protocol source source-wildcard source-qualifiers destination destination-wildcard destination-qualifiers [log | log-input]
• Each access list must contain at least one permit, or all traffic is denied by the implicit deny at the end of the list!
• Applying to an interface
  – ip access-group <access list #> <in | out>

Page 27

Access Control Lists
– TurboACL: uses a hash table; benefits when there are 5+ ACEs
– Reflexive: enables on-demand, dynamic and temporary reply filters (doesn’t work for H.323-like protocols)
– Dynamic: adds user authentication to extended ACLs
– Named: allows you to delete individual ACEs
– Time-based: adds a time-range option
– Context-Based Access Control: “inspects” the protocol (helper/proxy/fixup-like), used in conjunction with ACLs
– MAC: filters on MAC address (700-799 for standard, 1100-1199 for extended)
– Protocol: filters on protocol type (200-299)

Page 28

Recommended Inbound ACL

access-list 100 deny ip <Internal Subnet> any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 permit ip any 14.2.6.0 0.0.0.255

Page 29

Recommended Outbound ACL

access-list 102 permit ip <Internal Subnet> any

access-list 102 deny ip any any log

Page 30

SYN Flood Protection

Applied Inbound on External Interface

access-list 106 permit tcp any <Internal Subnet> established

access-list 106 deny ip any any log

Page 31

Land Attack Protection

Applied Inbound to External Interface

access-list 100 deny ip host <External IP> host <External IP> log

access-list 100 permit ip any any

Page 32

Smurf Attack Protection

Applied Inbound on External Interface

access-list 110 deny ip any host x.x.x.255 log

access-list 110 deny ip any host x.x.x.0 log

x.x.x = Internal Subnet
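As an added example (not from the slides), the following Python script parses numbered ACL entries of the form used on pages 26 through 32 and evaluates packets against them with Cisco wildcard-mask semantics and first-match, top-down ordering, finishing with the implicit deny. It loads the inbound ACL 100 from page 28 and the Smurf ACL 110 above; <Internal Subnet> and x.x.x are assumed to be 14.2.6.0/24, the destination the page 28 permit covers.

```python
# Evaluator for the numbered IPv4 access-list entries used on the slides:
#   access-list N {permit|deny} ip SRC DST [log]
# where SRC and DST are 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' (a set
# wildcard bit means "don't care").  Entries match first-match, top-down, and a
# packet matching no entry hits the implicit deny at the end of every list.
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _operand(tokens):
    """Consume one address operand from tokens; return (base, wildcard) ints."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(word), _ip(tokens.pop(0))

def parse_acl(text):
    """Parse 'access-list' lines into {number: [(action, src, dst, log), ...]}."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        if t[3] != "ip":          # only 'ip' entries appear on the slides
            raise ValueError("unsupported protocol: " + line)
        rest = t[4:]
        src, dst = _operand(rest), _operand(rest)
        acls.setdefault(t[1], []).append((t[2], src, dst, "log" in rest))
    return acls

def _match(addr, operand):
    base, wild = operand
    care = ~wild & 0xFFFFFFFF          # bits that must equal the base address
    return (addr & care) == (base & care)

def evaluate(entries, src_ip, dst_ip):
    """Return (decision, logged) for a src->dst packet; no match is a silent deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for action, src, dst, log in entries:
        if _match(s, src) and _match(d, dst):
            return action, log
    return "deny", False

# The inbound ACL 100 and Smurf ACL 110 from the slides, with <Internal Subnet>
# and x.x.x taken as 14.2.6.0/24 (an assumption; that is the subnet the
# final permit on the inbound slide protects).
SLIDE_ACLS = """
access-list 100 deny ip 14.2.6.0 0.0.0.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 permit ip any 14.2.6.0 0.0.0.255
access-list 110 deny ip any host 14.2.6.255 log
access-list 110 deny ip any host 14.2.6.0 log
"""
ACLS = parse_acl(SLIDE_ACLS)

if __name__ == "__main__":
    for src, dst in [("10.1.2.3", "14.2.6.10"), ("8.8.8.8", "14.2.6.10"),
                     ("8.8.8.8", "14.2.7.10"), ("8.8.8.8", "14.2.6.255")]:
        print(src, "->", dst, "ACL 100:", evaluate(ACLS["100"], src, dst),
              "ACL 110:", evaluate(ACLS["110"], src, dst))
```

Evaluating ACL 110 on its own shows the page 26 warning in action: with no permit entry, even legitimate traffic to 14.2.6.10 is dropped, unlogged, by the implicit deny.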

Page 33

Unneeded Services
• Recommended

no ip bootp server
no service tcp-small-servers
no service udp-small-servers
no ip identd
no ip finger
service nagle
no cdp run
no boot network
no service config
no ip subnet-zero
no service finger
no service pad
no ip http server
no ip source-route

Page 34

Unneeded Services – cont’d

no ip forward-protocol port 69

no ip forward-protocol port 53

no ip forward-protocol port 37

no ip forward-protocol port 137

no ip forward-protocol port 138

no ip forward-protocol port 67

no ip forward-protocol port 68

no ip forward-protocol port 49

no ip forward-protocol port 42

no ip helper-address

Certain UDP broadcasts are forwarded by default

If UDP broadcasts are needed, enable only the specific port and control with access list

Page 35

Interface
• Disable the ability to spoof and perform probes (applied per interface)

no ip proxy-arp
no ip directed-broadcast
no ip unreachables
no ip mask-reply
no ip redirects

Page 36

NTP
• Set clock configuration
  – clock timezone UTC 0
  – no clock summer-time
• Only allow NTP on interfaces, using an access list
• Use authenticated NTP

ntp update-calendar
ntp authentication-key 10 md5 <key>
ntp authenticate
ntp trusted-key 10
ntp server x.x.x.x [key 10]
ntp access-group peer 20
access-list 20 permit host x.x.x.x
access-list 20 deny any

Page 37

SNMP
• Do NOT use SNMP version 1
• Change the public and private community strings

SNMP VERSION 3

snmp-server group engineering v3 priv read cutdown access 10
snmp-server user nico engineering v3 auth md5 myp4ss priv des56 mydes56
snmp-server view cutdown ip.21 excluded
access-list 10 permit x.x.x.x
access-list 10 deny any log

SNMP VERSION 2

snmp-server community r3ad view cutdown RO 10
snmp-server community wr1te RW 10
snmp-server view cutdown ip.21 excluded
snmp-server enable traps <…>
snmp-server host x.x.x.x
snmp-server trap-source loopback0
access-list 10 permit x.x.x.x

Page 38

Logging
• Syslog
  – Oldest buffered entries are overwritten
  – Send logs to a remote syslog server
  – Log all denies
  – Log all configuration changes

no ip domain lookup
service timestamps log datetime localtime show-timezone msec
service timestamps debug datetime localtime show-timezone msec
logging x.x.x.x
logging trap debugging
logging source-interface loopback0
logging buffered 64000 debugging
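Once ACL denies and configuration changes reach the syslog server, something has to read them. The Python parser below is an added example (not from the slides) that recognises the IOS %SEC-6-IPACCESSLOGP/IPACCESSLOGDP/IPACCESSLOGNP records that the log keyword produces and the %SYS-5-CONFIG_I record written on configuration changes, then totals denied packets per list and source; the sample lines are constructed, not captured from a device.

```python
# Parser for the syslog records that the 'log' keyword on ACL entries and
# configuration changes produce (added example, not from the slides).
# Formats follow IOS %SEC-6-IPACCESSLOGP / IPACCESSLOGDP / IPACCESSLOGNP and
# %SYS-5-CONFIG_I; the sample lines below are constructed, not captured.
import re
from collections import Counter

IPV4 = r"\d+\.\d+\.\d+\.\d+"
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    rf"(?P<proto>\S+) (?P<src>{IPV4})(?:\(\d+\))?(?: \([^)]*\))? -> "
    rf"(?P<dst>{IPV4})(?:\(\d+\))?(?: \(\d+/\d+\))?, (?P<count>\d+) packets?"
)
CONFIG_CHANGE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<via>.+?) by (?P<user>\S+)"
    r"(?: on (?P<line>\S+)(?: \((?P<addr>[^)]+)\))?)?"
)

def parse_line(line):
    """Return a dict describing an ACL hit or a config change, else None."""
    m = ACL_LOG.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"], rec["count"] = "acl", int(rec["count"])
        return rec
    m = CONFIG_CHANGE.search(line)
    if m:
        return {"kind": "config", **m.groupdict()}
    return None

def summarize(lines):
    """Aggregate denied packets per (list, source) and collect config changes."""
    denies, changes = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "acl" and rec["action"] == "denied":
            denies[(rec["acl"], rec["src"])] += rec["count"]
        elif rec["kind"] == "config":
            changes.append(rec)
    return denies, changes

# Constructed sample; timestamps are in the 'service timestamps ... msec' form.
SAMPLE_LOG = """\
Mar  1 10:15:02.110 UTC: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.5(4021) -> 14.2.6.10(80), 1 packet
Mar  1 10:15:03.452 UTC: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.5(4022) -> 14.2.6.10(443), 1 packet
Mar  1 10:15:09.007 UTC: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 203.0.113.9 -> 14.2.6.255 (8/0), 1 packet
Mar  1 10:20:00.000 UTC: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.5(4023) -> 14.2.6.10(22), 37 packets
Mar  1 10:21:14.318 UTC: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 198.51.100.7(51000) -> 14.2.6.10(80), 1 packet
Mar  1 10:30:41.900 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (14.2.9.1)
Mar  1 10:31:00.001 UTC: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
""".splitlines()

if __name__ == "__main__":
    denies, changes = summarize(SAMPLE_LOG)
    for (acl, src), n in denies.most_common():
        print(f"list {acl}: {n} packets denied from {src}")
    for c in changes:
        print(f"config change by {c['user']} via {c['via']} from {c['addr']}")
```

Note that IOS emits a follow-up record every few minutes with the accumulated packet count for a flow, which is why the parser sums the count field instead of counting lines.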

Page 39

Auditing Cisco Routers

Page 40

• Auditing router configurations manually can be time consuming.
  – Manual check using a checklist
    • Hands-off
    • Hands-on
      – Need privileged EXEC access
  – Crosswalk the configuration with a checklist
    • The NSA checklist is 5 pages long!
• Automation
  – Using a script/program to audit the configuration against a baseline configuration
    • Corporate standard baseline
    • Vendor recommendations
    • Industry “Best Practice”
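The Python script below is an added example of the script-based audit described above (it is not RAT, ncat or any other tool from this deck). It parses an IOS configuration into global commands and interface/line blocks and tests them against rules taken from the hardening slides: enable secret rather than enable password, unneeded services disabled, per-interface spoofing controls, VTY access-class and timeout, AUX exec disabled, SNMP community strings, and a remote syslog host. The sample configuration is constructed; its addresses follow the slides' examples.

```python
# Baseline checker for a Cisco IOS text configuration: an added example of the
# script-based audit the slide describes, not RAT, ncat or another deck tool.
# It splits the config into global commands and indented 'interface'/'line'
# blocks and tests literal rules taken from the hardening slides.  Default
# settings that IOS omits from 'show running-config' are reported as missing.
import re

REQUIRED_GLOBAL = ["enable secret", "service password-encryption", "no ip http server",
    "no cdp run", "no ip source-route", "no service tcp-small-servers",
    "no service udp-small-servers", "no ip bootp server", "no service finger",
    "no service pad", "ntp authenticate", "banner motd"]
REQUIRED_INTERFACE = ["no ip proxy-arp", "no ip directed-broadcast",
                      "no ip redirects", "no ip unreachables"]

def parse_config(text):
    """Return (global_lines, blocks); blocks maps a block header to its body."""
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:   # indented: block body
            blocks[current].append(line)
            continue
        current = line if line.split()[0] in ("interface", "line") else None
        if current is not None:
            blocks[current] = []
        globals_.append(line)
    return globals_, blocks

def audit(text):
    """Return a sorted list of findings; an empty list means the baseline is met."""
    g, blocks = parse_config(text)
    f = []
    for cmd in REQUIRED_GLOBAL:
        if not any(l == cmd or l.startswith(cmd + " ") for l in g):
            f.append(f"global: missing '{cmd}'")
    if any(l.startswith("enable password") for l in g):
        f.append("global: 'enable password' set; keep only 'enable secret' (type 5)")
    if not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", l) for l in g):
        f.append("global: no remote syslog host")
    for l in g:   # community strings: default names and missing access-list
        m = re.match(r"snmp-server community (\S+)(?: view \S+)? (?:ro|rw)(?: (\d+))?$", l, re.I)
        if m and m.group(1).lower() in ("public", "private"):
            f.append(f"snmp: default community '{m.group(1)}'")
        if m and m.group(2) is None:
            f.append(f"snmp: community '{m.group(1)}' has no access-list")
    for hdr, body in blocks.items():
        if hdr.startswith("interface") and any(b.startswith("ip address ") for b in body):
            f += [f"{hdr}: missing '{c}'" for c in REQUIRED_INTERFACE if c not in body]
        elif hdr.startswith("line vty"):
            if not any(b.startswith("access-class ") for b in body):
                f.append(f"{hdr}: no access-class")
            if not any(b.startswith("exec-timeout ") and b != "exec-timeout 0 0" for b in body):
                f.append(f"{hdr}: no exec-timeout")
            if any(b.startswith("transport input") and re.search(r"telnet|all", b) for b in body):
                f.append(f"{hdr}: telnet allowed; prefer 'transport input ssh'")
        elif hdr.startswith("line aux") and "no exec" not in body:
            f.append(f"{hdr}: exec enabled on aux port")
    return sorted(f)

# Constructed sample configuration (not a real device); addresses follow the slides.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER
enable password 7 PLACEHOLDER
no ip http server
no cdp run
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
snmp-server community public RO
snmp-server community r3ad RO 10
logging 14.2.6.50
line aux 0
line vty 0 4
 access-class 99 in
 exec-timeout 5 0
 transport input telnet
"""
```

Running audit(SAMPLE_CONFIG) lists fifteen findings for the sample, each naming the global command or the interface/line block it applies to, so the output can be diffed between runs like the archived configs the tool slides describe.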

Page 41

Tools
• http://home.jwu.edu/jwright/perl.htm
  – Various Perl scripts for router management
    • snatchcisco.pl
    • grabciscoconf
      – Script that uses SNMP to grab the configuration file
• http://tool.sourceforge.net
  – Accomplishes several tasks, including downloading and uploading of configs and execution of commands on single or multiple routers of various types
  – Perl scripts
    • configDiff
    • configHash
      – Downloads configs based on a host list, then calls configHash to get the differences between the new config and the latest archived config

Page 42

Tools – cont’d
• http://hotunix.com/tools/
  – Shell script that automates the audit of configurations from multiple routers and switches
  – Based on Cisco, NSA, and SANS security guides and recommendations
  – Reporting is granular
    • Down to individual device interfaces, lines, ACLs, ASs, etc.
  – Last modified June 20, 2003

Page 43

Tools – cont’d
• http://www.shrubbery.net/rancid/
  – Really Awesome New Cisco config Differ
  – Monitors a router’s configuration, including software and hardware, using CVS
  – Supports the following systems:
    • Cisco routers
    • Juniper routers
    • Catalyst switches
    • Foundry switches
    • Redback NASs
    • ADC EXT3 muxes
    • MRTd
    • Alteon switches
    • HP ProCurve switches


Page 45

CIS
• http://www.cisecurity.com
  – Center for Internet Security
  – Non-profit organization
• Mission
  – To help organizations around the world effectively manage the risks related to information security. CIS provides methods and tools to improve, measure, monitor, and compare the security status of your Internet-connected systems and appliances, plus those of your business partners.
• Membership
  – SANS, ISC2, ISACA, IIA, AICPA, MITRE

Page 46

RAT
• http://www.cisecurity.com/bench_cisco.html
  – Router Audit Tool
• http://ncat.sourceforge.net
  – Perl based
  – Works on both Windows and Unix platforms
  – Version 2.1
• Level-1 benchmark
  – Minimum-security requirements for due care; based on the NSA Router Security Configuration Guide
• Level-2 benchmark
  – Settings are optional
  – Many settings for which no benchmark standards are yet defined (e.g., SSH, IPsec, BGP, OSPF, RADIUS…)
• Downloads configurations from devices (optional) and checks them against the settings defined in the benchmark

Page 47

• Primary objective of RAT
  – Baseline the router configuration for the protection of the router
• Process
  – Create a baseline using ncat_config and the company standard
  – Acquire router configuration(s)
    • Use snarf (or rat -a <ip address>)
    • Manually cut and paste the config
    • Network administrator sends it to you
  – Run rat against the configuration file
  – Review the final output
    • HTML
    • Text
    • Customizable

Page 48

4 files

ncat.exe
  – ncat checks configuration settings in static configuration files. The rules to be checked for each configuration type are defined in a set of ncat configuration files.
ncat_config.exe
  – Utility to build a baseline configuration file
ncat_report.exe
  – ncat_report reads one or more ncat output files and produces text and HTML reports ($config.html, $config.ncat_report.txt) listing the rule violations found per config file.
rat.exe
  – rat audits router configurations. If you have already downloaded the configuration files by some other means, you may specify the path to those files on the command line.
snarf.exe
  – Utility to download router configurations

Page 49

Demo

Page 50

References

Cisco Advisories
http://www.cisco.com/warp/public/707/advisory.html

Hardening
http://www.cymru.com/Documents/secure-ios-template.html
http://www.cymru.com/Documents/secure-bgp-template.html
http://www.cisco.com/warp/public/707/21.html

Web Tools
http://www.powertech.no/smurf/
http://www.netscan.org/

Web Links
http://www.networkpackets.com/cisco_links.htm
ftp://ftp-eng.cisco.com/cons/

Page 51

Useful Router Commands
• show clock detail
• show version
• show running-config
• show startup-config
• show reload
• show ip route
• show ip arp
• show users
• show logging
• show cdp entry *
• show access-lists
• show ip interface
• show interfaces
• show tcp brief all
• show ip sockets
• show ip nat translations verbose
• show ip cache flow
• show ip cef
• show snmp user
• show snmp group
• show ip protocols

Page 52

• For more information:
  – www.Vitalisec.com
  – [email protected]
  – (720)297-3300
• Travis Schack
  – Travis@Vitalisec.com