Router and Switch Security Overview


"You are only as secure as your weakest link." Network security professionals often encounter this adage. Present-day networks deploy security measures such as firewalls, intrusion detection systems (IDS), virtual private networks (VPN), and antivirus software to fortify the network. Unfortunately, the most basic network elements, routers and switches, are often overlooked as security devices, because they were originally created to enhance network connectivity rather than to provide network security. Consequently, routers and switches are conceptually less secure than dedicated security devices such as firewalls and IDSs.

While an attack on a web server can render only that server inoperable, an attack on the edge router can cut off the entire network from its users. An attacker can therefore exploit vulnerabilities in the routers or switches to compromise the security of the entire network, so Netadmins should make additional efforts to secure the routers and, in turn, the entire network. Hence, contrary to popular belief, the edge router, rather than the firewall, is the first line of network defense against outside attacks.

Throughout this chapter, the term router refers to Cisco IOS-based devices. Because Cisco IOS also supports Catalyst switches, many of the tools and technologies discussed in this chapter are applicable for switches as well.

Securing Cisco Routers

The most common causes of security breaches in routers are as follows:

  • Weak passwords This is the most common cause of security breaches; even passwords stored in encrypted form are not safe, because the Type 7 scheme that IOS applies to most passwords is a simple, reversible cipher.

  • Unneeded services Unnecessary services or features can introduce related vulnerabilities or provide platforms for launching attacks. Some of the services run by default, while others are inadvertently left on after testing or troubleshooting.

  • Protocol and OS vulnerabilities Vulnerabilities in the implementation of protocols such as Hypertext Transfer Protocol (HTTP), H.323, or Simple Network Management Protocol (SNMP) can be exploited to crash the router.

  • IOS configuration errors A seemingly harmless mistake in router configuration can allow a virus or worm to create a denial of service (DoS) attack, or allow unauthorized access to the router or switch by an attacker.

The following sections cover the tools that a Netadmin can use to discover weaknesses and secure IOS devices.

Cisco Router Passwords

Cisco IOS configuration files offer the following three options for encrypting passwords:

  • Plain text Displays the configured passwords with no encryption; it is the least secure method and is not recommended.

  • Type 7 encryption Encrypts passwords using a proprietary encryption algorithm; it is better than plain text but still not recommended.

  • Type 5 encryption Encrypts passwords using the Message Digest 5 (MD5) hash mechanism. Although it is the most secure option, Type 5 passwords can be cracked with some effort.

By default, IOS configuration files display passwords and other authentication strings in plain text. The service password-encryption command conceals them by showing them in encrypted form. However, that encryption is the Cisco proprietary Vigenere-based cipher, better known as the Type 7 algorithm, which is reversible and far simpler than current encryption techniques; it applies to line passwords, username passwords, and key-chain key strings alike. According to Cisco, "the encryption scheme was designed to avoid password theft via simple snooping or sniffing. It was never intended to protect against someone conducting a password-cracking effort on the configuration file."

The enable secret command protects the enable password with the one-way MD5 hash mechanism, known as Type 5. To determine which scheme protects a specific password, check the digit that precedes the string in the configuration file: a 7 means the Type 7 algorithm, and a 5 means the stronger MD5-based hash. A Type 5 string has the form $1$salt$hash; the characters between the second and third dollar signs (rQrR in Example 8-1) are a salt, so the same password produces a different string on every router that hashes it. The sample IOS configuration snippet in Example 8-1 shows both kinds: only the enable secret is a Type 5 hash, and the remaining passwords are Type 7.

Example 8-1. Sample Router Configuration Router-Dallas.txt
 hostname Router-Dallas
 service password-encryption
 !
 ! enable secret is hashed with the MD5 (Type 5) algorithm
 enable secret 5 $1$rQrR$1j1XTXMbCt/1RGh7Y3BlU1
 !
 ! user password is encrypted using the weaker (Type 7) algorithm
 username user1 password 7 030752180500701E1D
 !
 key chain MYKEY
  key 1
   key-string 7 141C17125D5679
 !
 line vty 0 4
  password 7 1511021F0725
  login
 !
 end

Many tools are available for recovering Cisco IOS passwords from configuration files. Among the choices, Cain & Abel, available at http://www.oxid.it, is the most versatile and user-friendly. It decodes Type 7 strings instantly and recovers Type 5 passwords by brute force or dictionary attack. The following sections cover the steps used to recover both of these types of passwords from IOS devices.

This tool is compatible with MS-Windows NT/2000/2003/XP, and the installation process is simple. Download the .exe file from the home page and save it locally. Double-click the saved file to begin the installation procedure. The tool provides a ready-to-use graphical user interface (GUI) and requires no postinstallation configuration. The only information required is the configuration file from the target router that contains the encrypted passwords.

Note

The router configuration can be captured by using the show running-config command on the router. You can also copy the configuration from the router to a Trivial File Transfer Protocol (TFTP) server using the copy running-config tftp command on the router. Keep in mind that TFTP has no authentication or encryption, so the copy exposes every password string in the file to anyone who can sniff that traffic or read the TFTP server's directory.


Decrypting Type 7 Passwords

Follow these steps to decrypt a Cisco IOS Type 7 password:

Step 1.

Start the Cain & Abel tool kit by choosing Start > Programs > Cain > Cain.

Figure 8-1 shows the main window for Cain & Abel.

Figure 8-1. Cain & Abel


Step 2.

From the Cain & Abel main window, launch the Cisco Type 7 Password Decoder by choosing Tools > Cisco Type-7 Password Decoder.

Step 3.

Paste the Type 7 encrypted password (from the router configuration file) in the Password Decoder window. The decrypted password is instantly displayed in the Decrypted password field.

Figure 8-2 shows the encrypted password string 030752180500701E1D being decrypted as cisco123. Note that the encrypted password was copied from the username user1 password 7 030752180500701E1D command in Example 8-1.

Figure 8-2. Decrypting a Type 7 Password


Tip

The GetPass utility, from Boson Software Inc. (http://www.boson.com), provides a similar functionality for decrypting Type 7 passwords. But unlike Cain & Abel, GetPass does not offer any other feature.
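What the Type 7 decoder in Cain & Abel actually does, shown as an added example in Python that is not code from the page or from Cain & Abel: the scheme is a fixed-key XOR, so a few lines decode (and encode) any Type 7 string, and a scan over the Example 8-1 configuration recovers every Type 7 secret in it while leaving the Type 5 hash for the next section. The key string and the two-digit offset are the well-known Type 7 parameters; the wrap-around for passwords longer than the key is this example's assumption.

```python
import re

# Fixed key used by the Type 7 scheme. A Type 7 string is two decimal digits, an offset into
# this key, followed by one hex pair per password byte, each being the byte XORed with the
# key byte at offset + position. Wrapping with modulo for passwords longer than the key is
# this example's assumption, not documented IOS behavior.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded):
    """Reverse a Type 7 string such as 030752180500701E1D (Example 8-1) to its plaintext."""
    encoded = encoded.strip()
    if (len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit()
            or not re.fullmatch(r"[0-9A-Fa-f]+", encoded[2:])):
        raise ValueError(f"not a Type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("latin-1")


def type7_encode(plain, offset=3):
    """Produce the string 'service password-encryption' would store for plain at this offset."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS writes offsets in the range 0-15")
    data = plain.encode("latin-1")
    body = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{offset:02d}{body.hex().upper()}"


# Any line carrying a password, key-string or enable secret, with its type digit and value
SECRET_LINE = re.compile(
    r"^(?P<line>[^\n]*\b(?:password|key-string|secret) (?P<type>[57]) (?P<value>\S+))[ \t]*$",
    re.MULTILINE)


def scan_config(text):
    """Return every password-bearing line with its type; Type 7 values are decoded on the
    spot, Type 5 values are reported as hashes because they can only be cracked, not reversed."""
    findings = []
    for m in SECRET_LINE.finditer(text):
        kind = int(m.group("type"))
        secret = type7_decode(m.group("value")) if kind == 7 else None
        findings.append({"line": m.group("line").strip(), "type": kind, "secret": secret})
    return findings


# The configuration from Example 8-1, reproduced here as sample input
SAMPLE_CONFIG = """\
hostname Router-Dallas
service password-encryption
enable secret 5 $1$rQrR$1j1XTXMbCt/1RGh7Y3BlU1
username user1 password 7 030752180500701E1D
key chain MYKEY
 key 1
  key-string 7 141C17125D5679
line vty 0 4
 password 7 1511021F0725
 login
end
"""

if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        shown = f["secret"] if f["type"] == 7 else "(MD5 hash, crack offline)"
        print(f"type {f['type']}  {shown:<28} {f['line']}")
```

Run against Example 8-1, the scan yields cisco123 for the user1 account, key123 for the routing-protocol key chain, and cisco for the vty lines, which is why a leaked configuration file with Type 7 strings should be treated as a leaked password list.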


Decrypting Type 5 Passwords

The Cain & Abel tool, discussed in the previous section of this chapter, can also recover Type 5 passwords. Unlike Type 7 passwords, which are encrypted using a reversible algorithm, Type 5 passwords are protected by a one-way, nonreversible algorithm: the stored string is a salted, iterated MD5 hash (the $1$ format) of the original password. A Type 5 password-recovery tool such as Cain & Abel takes the salt from the stored string, hashes a candidate text string with that same salt, and compares the result with the stored hash. If the two hashes are the same, the password is the candidate string. The tools work by trying dictionary words or every combination of characters up to a given length, so the time needed depends on the length and character set of the original password.

Using Cain & Abel, the Type 5 password-recovery steps are as follows:

Step 1.

Start the Cain & Abel tool kit by choosing Start > Programs > Cain > Cain.

Step 2.

From the Cain & Abel main window, click the Cracker tab and then click the Cisco IOS-MD5 Hashes option in the left pane, as shown in Figure 8-3.

Figure 8-3. Cisco IOS-MD5 Hashes Window


Step 3.

As shown in Figure 8-4, right-click in the right pane and select Add to list from the menu that appears. Follow the prompts to provide the location of the IOS configuration file that contains the MD5 hashes. This example uses the Router-Dallas.txt file from Example 8-1.

Figure 8-4. Cain & Abel IOS Configuration File


The program parses the configuration file and lists all the MD5 hashes in the Hash column.

Step 4.

Right-click the hash and select Brute-Force Attack to launch the Brute-Force Attack window, as shown in Figure 8-5. Accept the default values and click the Start button to begin the process. Depending on the length of the password and the CPU utilization, the process can take a large amount of time.

Figure 8-5. Cain & Abel Brute-Force Attack Window


The process automatically stops after cracking the hash. As shown in Figure 8-6, the process recovered the original password pal, which was set on the router with the enable secret pal command.

Figure 8-6. Cain & Abel Brute-Force Attack Result


Tip

The short password used in this section is for illustration purposes only. Actual passwords should always be more than eight characters long, with a combination of uppercase and lowercase letters, numbers, and special characters (such as #, %, and &). An eight-character password drawn only from numbers and uppercase and lowercase letters has 62^8 (about 218 trillion) possible combinations.


Simply by making that password nine characters long, the possible combinations increase to 62^9 (about 13 quadrillion). An eight-character password drawn from the 94 printable ASCII characters other than space (letters, numbers, and special characters such as #, %, and &) has 94^8 (about 6 quadrillion) combinations, and a nine-character password from the same set has 94^9 (about 572 quadrillion).
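A Type 5 recovery of the kind Cain & Abel performs, as an added example that is neither code from the page nor Cain & Abel's: a pure-Python MD5-crypt ($1$) implementation, a dictionary attack that reuses the salt from the stored string, and a keyspace helper that reproduces the figures in the Tip above. The wordlist is constructed for the example; Example 8-1's hash is included only so that the page's statement that it was cracked to pal can be checked by running the script.

```python
import hashlib

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """MD5-crypt's own base-64 variant: 'count' characters, least significant 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password, salt):
    """Compute the $1$<salt>$<hash> string IOS stores for 'enable secret' (MD5-crypt).
    The construction is the original FreeBSD one: a salted digest, then 1000 chained rounds."""
    pw, salt = password.encode("latin-1"), salt.encode("latin-1")[:8]
    ctx = hashlib.md5(pw + MAGIC + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for remaining in range(len(pw), 0, -16):          # as many bytes of alt as the password has
        ctx.update(alt[:min(16, remaining)])
    bits = len(pw)
    while bits:                                       # one byte per bit of the length
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for rnd in range(1000):                           # the slow part, deliberately
        h = hashlib.md5(pw if rnd & 1 else final)
        if rnd % 3:
            h.update(salt)
        if rnd % 7:
            h.update(pw)
        h.update(final if rnd & 1 else pw)
        final = h.digest()
    out = MAGIC + salt + b"$"
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return out.decode("ascii")


def crack(stored, candidates):
    """Dictionary attack: hash each candidate with the salt taken from the stored string and
    compare. Returns the matching candidate, or None when the wordlist is exhausted."""
    fields = stored.split("$")                        # ['', '1', salt, hash]
    if len(fields) != 4 or fields[1] != "1":
        raise ValueError("not a Type 5 ($1$) string")
    salt = fields[2]
    for guess in candidates:
        if md5_crypt(guess, salt) == stored:
            return guess
    return None


def keyspace(alphabet_size, length):
    """Candidates an exhaustive search must cover; 62 symbols at length 8 is the Tip's 218 trillion."""
    return alphabet_size ** length


# Constructed wordlist; a real attack uses a large dictionary plus mangling rules
WORDLIST = ["cisco", "admin", "router", "pal", "password", "cisco123"]

if __name__ == "__main__":
    page_hash = "$1$rQrR$1j1XTXMbCt/1RGh7Y3BlU1"      # the enable secret from Example 8-1
    print("Example 8-1 enable secret:", crack(page_hash, WORDLIST))   # the page reports 'pal'
    own = md5_crypt("pal", "rQrR")
    print(own, "->", crack(own, WORDLIST))
    print(f"62^8 = {keyspace(62, 8):,} candidates; 94^9 = {keyspace(94, 9):,}")
```

Because the salt is public, it does not slow down an attack on one hash; what the 1000 rounds buy is a constant factor per guess, so the keyspace numbers from the Tip are the real defence, and a three-character secret like pal falls to the first few thousand guesses regardless of the hash function.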

To discourage password attacks, Netadmins should take the following actions:

  • Use the enable secret command instead of the enable password command on the router.

  • Use longer passwords, with special characters such as *, %, #, $, ~, and !.

  • Remove the encrypted password strings from the configuration text files before e-mailing or making offline backups. To remove password strings, open the configuration file in a text editor (such as Notepad or WordPad), delete the encrypted text, and save the file.

  • Be careful when directly saving configuration files in sophisticated word processing applications such as MS-Word. These applications offer the Version feature, which records all the changes made to the original document. This feature can unintentionally disclose deleted passwords from the document.

  • Avoid accessing devices from computers that belong to others because a keystroke-capture program might be in use. If you access a device in front of unauthorized users or through a third-party computer, change the password as quickly as possible, but be sure to change it in a secure environment.

Unneeded Services Running on Cisco Routers

In addition to running routing protocols, Cisco routers also run various other services, such as HTTP, TFTP, Telnet, and SSH. Multiple vulnerabilities have been reported in the SNMP, Cisco Discovery Protocol (CDP), SSH, and HTTP stacks implemented in IOS. These vulnerabilities can crash the router or help an attacker to gain access to the router. Netadmins often start a service or protocol for testing and troubleshooting; later, the Netadmin might forget about it and unintentionally leave these services running. By conducting a port scan, an attacker can learn which ports are in the listening state on the router. Armed with this information, the attacker can make an educated guess regarding the services that are running on the router.

Nmap, discussed in Chapter 7, "Network Security Testing," is the ideal tool for port-scanning the router. The command syntax to perform a Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) scan on a router is as follows (the UDP scan needs root privileges because it sends raw packets, and it is slow: the run in Example 8-2 took more than 20 minutes):

   nmap -sT -sU hostname-or-IP-address 

Example 8-2 shows a TCP and UDP port scan performed on a router with an IP address of 192.168.0.10.

Example 8-2. Port Scanning Using Nmap
 linuxbox:~# nmap -sT -sU 192.168.0.10

 Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2004-11-20 12:33 PST
 Interesting ports on 192.168.0.10:
 (The 3136 ports scanned but not shown below are in state: closed)
 PORT    STATE         SERVICE
 23/tcp  open          telnet
 67/udp  open|filtered dhcpserver
 79/tcp  open          finger
 80/tcp  open          http
 520/udp open|filtered route
 MAC Address: 00:10:7B:CC:57:EB (Cisco Systems)

 Nmap run completed -- 1 IP address (1 host up) scanned in 1242.591 seconds
 linuxbox:~#

The port scan results in Example 8-2 indicate that the router is probably running the Routing Information Protocol (RIP), because UDP port 520 is reported as open|filtered. That state means nmap received no reply at all, so the port may be open or may be silently filtered; unlike the TCP results, the UDP findings should be confirmed on the router (for example, with show ip sockets or by inspecting the running configuration). The other services running on the router are as follows:

  • Telnet on TCP 23

  • DHCP Server (Bootp) on UDP 67

  • Finger on TCP 79

  • HTTP on TCP 80

To secure the router, these services should be manually turned off or configured for restricted access. The global-configuration-mode commands for securing the router in this case are listed in Example 8-3. Note that the access-class on the vty lines only limits which hosts can connect; Telnet itself still carries the login and enable passwords in clear text, so where the IOS image supports SSH, prefer it for remote administration and apply the same access-class to it.

Example 8-3. Securing the Router
 ! access-list to restrict Telnet and HTTP access to the router
 access-list 10 permit host 192.168.0.100
 access-list 10 permit host 192.168.0.101
 ! limit Telnet to the router from the hosts listed in access-list 10
 line vty 0 4
  access-class 10 in
 ! disable DHCP/BOOTP service
 no ip bootp server
 ! disable finger service
 no ip finger
 ! limit HTTP access to the router from the hosts listed in access-list 10
 ip http access-class 10
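Turning the scan output into the hardening commands, as an added example that is not from the page, from nmap, or from Cisco: it parses nmap's normal-format output from Example 8-2 and maps each listener to the action Example 8-3 takes. The port-to-action table, the admin host list, and the ACL number are this example's assumptions; the RIP entry uses the remedy Nessus suggests later in the chapter.

```python
import re

# The nmap output from Example 8-2, reproduced here as the sample input
SCAN_OUTPUT = """\
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2004-11-20 12:33 PST
Interesting ports on 192.168.0.10:
(The 3136 ports scanned but not shown below are in state: closed)
PORT    STATE         SERVICE
23/tcp  open          telnet
67/udp  open|filtered dhcpserver
79/tcp  open          finger
80/tcp  open          http
520/udp open|filtered route
MAC Address: 00:10:7B:CC:57:EB (Cisco Systems)

Nmap run completed -- 1 IP address (1 host up) scanned in 1242.591 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)[ \t]*$", re.MULTILINE)

# (port, proto) -> (description, action, IOS lines). The actions mirror Example 8-3: services the
# router does not need are disabled, management services are restricted to the admin hosts.
# RIP has no entry in Example 8-3; it is flagged for review with the remedy Nessus suggests
# later in the chapter. This table is the example's own policy, not an nmap or Cisco artifact.
POLICY = {
    (23, "tcp"): ("Telnet", "restrict", ["line vty 0 4", " access-class {acl} in"]),
    (67, "udp"): ("DHCP/BOOTP server", "disable", ["no ip bootp server"]),
    (79, "tcp"): ("finger", "disable", ["no ip finger"]),
    (80, "tcp"): ("HTTP server", "restrict", ["ip http access-class {acl}"]),
    (520, "udp"): ("RIP", "review",
                   ["! 520/udp RIP: 'no router rip' if unused, otherwise RIPv2 with authentication"]),
}


def parse_ports(output):
    """Return [(port, proto, state, service)] for each port line of nmap's normal output."""
    return [(int(p), proto, state, svc) for p, proto, state, svc in PORT_LINE.findall(output)]


def harden(listeners, admin_hosts, acl=10):
    """Map listeners to findings and to a paste-ready hardening snippet.

    Each finding is (port, proto, description, action, confirmed). confirmed is False for
    ports reported open|filtered: nmap got no reply at all, so the port may be open or
    silently filtered; verify on the router (show ip sockets, show running-config) first."""
    lines = [f"access-list {acl} permit host {h}" for h in admin_hosts]
    findings = []
    for port, proto, state, svc in listeners:
        desc, action, cmds = POLICY.get(
            (port, proto), (svc, "review", [f"! {port}/{proto} ({svc}): not in policy, review"]))
        findings.append((port, proto, desc, action, state == "open"))
        lines += [c.format(acl=acl) for c in cmds]
    return findings, lines


if __name__ == "__main__":
    found, config = harden(parse_ports(SCAN_OUTPUT), ["192.168.0.100", "192.168.0.101"])
    for port, proto, desc, action, confirmed in found:
        status = "confirmed" if confirmed else "unverified (open|filtered)"
        print(f"{port}/{proto:<4} {desc:<18} {action:<8} {status}")
    print("\n".join(config))
```

The policy table is the part worth maintaining per site: anything the scan shows that the table does not know about is reported for review rather than silently left alone, which is the behaviour you want when a service was "inadvertently left on after testing".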

Protocol and OS Vulnerabilities

The information provided by the port scanner is limited to the ports and services that are running on the router. Nessus, discussed in Chapter 7, provides detailed discovery of the vulnerabilities associated with the services running on the router. Nessus reports include possible solutions for each discovered vulnerability. To scan the router for vulnerabilities, follow these steps:

Step 1.

Start Nessus using the Knoppix live CD.

Step 2.

Log in to the Nessus client using the username knoppix and the password knoppix on the Nessusd host tab.

Step 3.

Choose the appropriate plug-ins from the Plugins tab, as shown in Figure 8-7. Nessus includes a Cisco-specific plug-in that scans for vulnerabilities in Cisco hardware. Along with the Cisco plug-in, you should also include the following plug-ins for a thorough scan:

  • Denial of Service

  • Misc.

  • General

  • Useless Services

Figure 8-7. Nessus Plug-In Selections


Step 4.

Specify the IP address of the target router on the Target selection tab, and click the Start the scan button to begin the scanning process.

Step 5.

After the scan is complete, save the results in the desired format.

Example 8-4 provides a partial report of the vulnerability scan performed on Router 192.168.0.10. As indicated by the highlighted section, Nessus can detect more information than the port scans. Nessus reports the lists of security holes, warnings, and notes associated with each of the ports that were discovered in listening state. In this example, Nessus discovered that the target router is running Telnet, Finger, WWW, RIP, and Open Shortest Path First (OSPF). The router is also responding to Internet Control Message Protocol (ICMP) traffic. Additional highlighted text shows why Nessus thinks that running RIP is a security risk. The report also provides security holes, warnings, notes, and solutions to the discovered vulnerabilities.

Example 8-4. Nessus Scan Report in Text Format
 Nessus Scan Report
 ------------------
 SUMMARY
  - Number of hosts which were alive during the test : 1
  - Number of security holes found : 1
  - Number of security warnings found : 2
  - Number of security notes found : 9
 TESTED HOSTS
  192.168.0.10 (Security holes found)
 DETAILS
 + 192.168.0.10 :
  . List of open ports :
    o telnet (23/tcp) (Security notes found)
    o finger (79/tcp) (Security notes found)
    o www (80/tcp) (Security notes found)
    o general/tcp (Security warnings found)
    o general/udp (Security notes found)
    o route (520/udp) (Security hole found)
    o general/ospf (Security notes found)
    o general/icmp (Security warnings found)
  . Information found on port telnet (23/tcp)
    Remote telnet banner :
    User Access Verification
    Password:
  . Information found on port telnet (23/tcp)
    This port was detected as being open by a port scanner but is now closed.
    This service might have been crashed by a port scanner or by a plugin
 ! . . . text suppressed for clarity . . . !
  . Warning found on port general/tcp
    The remote host does not discard TCP SYN packets which
    have the FIN flag set.
    Depending on the kind of firewall you are using, an
    attacker may use this flaw to bypass its rules.
    See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
               http://www.kb.cert.org/vuls/id/464113
    Solution : Contact your vendor for a patch
    Risk factor : Medium
    BID : 7487
  . Information found on port general/tcp
    Nmap found that this host is running Cisco IOS 12.0(5)WC3 - 12.0(16a)
  . . . .
  . Vulnerability found on port route (520/udp) :
    RIP-1 does not implement authentication.
    An attacker may feed your machine with bogus routes and
    hijack network connections.
    Solution : disable the RIP agent if you don't use it, or use
               RIP-2 and implement authentication
    Risk factor : Medium
  . . . .
  . Information found on port general/ospf
    An OSPF v2 agent is running on this host.
    The netmask is 255.255.255.0
    The Designated Router is 192.168.0.10
    Risk factor : Low
  . Warning found on port general/icmp
    The remote host answers to an ICMP timestamp request. This allows an
    attacker to know the date which is set on your machine.
    This may help him to defeat all your time based authentication protocols.
    Solution : filter out the ICMP timestamp requests (13), and the outgoing
    ICMP timestamp replies (14).
    Risk factor : Low
    CVE : CAN-1999-0524
  . . . .
 ------------------------------------------------------
 This file was generated by the Nessus Security Scanner

The report shown in Example 8-4 was saved in text format. Nessus also provides options to save the report in colorful Hypertext Markup Language (HTML) format, with embedded hyperlinks, graphs, and pie charts. Figure 8-8 shows the graphical version of the same report. The report shows a pie chart and bar graph that summarize the results. Although not shown in the figure, the report also contains a summary of the scan in text format, complete with hyperlinks for detailed explanations of each item.

Figure 8-8. Nessus Graphical Report


IOS Configuration Errors: Audit Using RAT

Router Audit Tool (RAT), distributed by the Center for Internet Security (CIS), is a benchmark and audit tool for Cisco IOS routers and switches. Unlike generic security tools such as Nmap or Nessus, RAT focuses on Cisco IOS devices; because many router-hardening commands apply equally to IOS-based switches, it audits both. RAT reports are detailed and include the specific IOS commands for fixing each discovered weakness. RAT runs on both Windows and Linux, and the Linux version mirrors the MS-Windows version, including the command-line interface (CLI) options. Overall, RAT is an excellent tool that Netadmins can use to secure Cisco routers and switches, and it is under continuing development to keep pace with the latest Cisco IOS features.

However, RAT is not a silver bullet for network security or router configuration. Netadmins should exercise caution and common sense while using RAT.

RAT functions as a three-step process:

Step 1.

Acquire Specify the configuration for the target router. RAT can either use a configuration file in text format or Telnet into the destination router to pull the running configuration.

Step 2.

Audit Checks and compares the configuration against the benchmark rules defined by the National Security Agency (NSA) Cisco Router Security Configuration Guide. The predefined benchmark rules are designed primarily to enhance the security of Cisco routers. The benchmark settings are divided into two levels. The Level 1 benchmark provides the framework for a minimum-security requirement, whereas Level 2 is geared toward specific optional features. Level 2 is still under development.

Step 3.

Report Summarizes the results in both HTML and text format. The audit report includes the following items:

  • Each rule checked, with a pass/fail score

  • A weighted overall score on a scale of 1 to 10

  • Suggested IOS commands to fix the vulnerabilities

RAT is available for download from the CIS home page at http://www.cisecurity.org/. The installation files include the pdf version of the Router Security Configuration Guide from the National Security Agency.

Although the following discussion is based on the MS-Windows version of RAT, the usage is similar to that of the Linux version.

Installing RAT

The RAT installation steps for the MS-Windows version are as follows:

Step 1.

Download the installer file in .exe format from http://www.cisecurity.org.

Step 2.

Save the file to your local hard drive.

Step 3.

Double-click the saved .exe file and follow the prompts to begin the installation process. The default location for the program files is C:\CIS\RAT. If you install RAT in a nondefault location, avoid using filenames or folder names that contain spaces.

Configuring RAT

RAT is shipped with predefined default rules. These rules are generic and require customization for site-specific information, such as the IP addresses of the syslog server, NTP server, or internal network. RAT documents refer to the customizing process as localizing. RAT provides ncat_config, a CLI-based interactive tool for localizing.

To configure RAT, run the ncat_config.exe file from the command line. Ncat_config prompts you for information specific to the local network, as shown in Example 8-5. Each prompt shows its default in square brackets; where the user typed a different value, that value appears after the prompt (for example, spope, no, and 192.168.0.0 0.0.0.255), and pressing Enter alone accepts the default. The example is for illustration purposes only; the exact responses depend on your network environment.

Example 8-5. Configuring RAT Using ncat_config
 C:\CIS\RAT\bin>ncat_config.exe
 ncat_config: Select configuration type [cisco-ios] ?
 ncat_config: Applying rules from:
 ncat_config:   C:\CIS\RAT/etc/configs/cisco-ios/common.conf
 ncat_config:   C:\CIS\RAT/etc/configs/cisco-ios/cis-level-1.conf
 ncat_config:   C:\CIS\RAT/etc/configs/cisco-ios/cis-level-2.conf
 ncat_config: Apply some or all of the rules that are selectable [Yes] !
 ncat_config:   Apply some or all of CIS level 1 rules [Yes] ?
 ncat_config:     Check rules and data related to system management [Yes] !
 ncat_config:       Use local authentication [Yes] ?
 ncat_config:         Create new AAA model using local usernames and passwords [yes] !
 ncat_config:         Create local usernames [yes] !
 ncat_config:           Username of user for local authentication [username1] ? spope
 ncat_config:       Apply standard SNMP checks [Yes] !
 ncat_config:         Disable SNMP server [yes] ? no
 ncat_config:         Forbid SNMP read-write [yes] ?
 ncat_config:         Forbid SNMP community string 'public' [yes] !
 ncat_config:         Forbid SNMP community string 'private' [yes] !
 ncat_config:         Require an ACL to be applied for all SNMP access [no] ? yes
 ncat_config:         Specify ACL number to be used for filtering SNMP requests [99] ?
 ncat_config:         Define SNMP ACL [no] ? yes
 ncat_config:         Address block and mask for SNMP access [192.168.1.0 0.0.0.255] ? 192.168.0.0 0.0.0.255
 ncat_config:       Apply standard checks to control access to the router [Yes] ?
 ncat_config:         Allow Telnet access for remote administration? [Yes] ?
 ncat_config:           Allow only telnet access for remote login [yes] !
 ncat_config:         Specify maximum allowed exec timeout [yes] !
 ncat_config:           Exec timeout value [10 0] ?
 ncat_config:         Disable the aux port [yes] ?
 ncat_config:         Use default AAA login authentication on each line [Yes] ?
 Info: skipping IOS - login named list because it conflicts with IOS - login default which is already selected
 ncat_config:         require line passwords [yes] ?
 ncat_config:         Require an enable secret [yes] !
 ncat_config:         Check line password quality [yes] ?
 ncat_config:         Check user password quality [yes] ?
 ncat_config:         Require VTY ACL to be applied [yes] !
 ncat_config:           Specify ACL number to be used for telnet or ssh [182] ?
 ncat_config:         Define simple (one netblock + one host) VTY ACL [yes] ?
 ncat_config:           Address block and mask for administrative hosts [192.168.1.0 0.0.0.255] ? 192.168.0.0 0.0.0.255
 ncat_config:           Address for administrative host [192.168.1.254] ? 192.168.0.100
 ncat_config:       Disable unneeded management services [Yes] ?
 ncat_config:         Forbid finger service (on IOS 11) [yes] !
 ncat_config:         Forbid identd service (on IOS 11) [yes] !
 ncat_config:         Forbid finger service (on IOS 12) [yes] !
 ncat_config:         Forbid finger service (on IOS 12) [yes] !
 ncat_config:         Forbid http service [yes] !
 ncat_config:         Encrypt passwords in the configuration [yes] !
 ncat_config:     Check rules and data related to system control [Yes] !
 ncat_config:       Synchronize router time via NTP [Yes] ?
 ncat_config:         Designate an NTP time server [yes] !
 ncat_config:           Address of first NTP server [1.2.3.4] ? 192.168.0.30
 ncat_config:         Designate a second NTP time server [yes] ?
 ncat_config:           Address of second NTP server [5.6.7.8] ? 192.168.0.35
 ncat_config:         Designate a third NTP time server [yes] ? no
 ncat_config:       Apply standard logging rules [Yes] ?
 ncat_config:         Use GMT for logging instead of localtime [Yes] ? no
 ncat_config:         Timestamp log messages [yes] !
 ncat_config:         Timestamp debug messages [yes] !
 ncat_config:         enable logging [yes] !
 ncat_config:         Designate syslog server [yes] !
 ncat_config:           Address of syslog server [13.14.15.16] ? 192.168.0.30
 ncat_config:         Designate local logging buffer size [yes] !
 ncat_config:           Local log buffer size [16000] ?
 ncat_config:         Require console logging of critical messages [yes] !
 ncat_config:         Require remote logging of level info or higher [yes] !
 ncat_config:       Disable unneeded control services [Yes] ?
 ncat_config:         Forbid small TCP services (on IOS 11) [yes] !
 ncat_config:         Forbid small UDP services (on IOS 11) [yes] !
 ncat_config:         Forbid small TCP services (on IOS 12) [yes] !
 ncat_config:         Forbid small UDP services (on IOS 12) [yes] !
 ncat_config:         Forbid bootp service [yes] !
 ncat_config:         Disable CDP service [yes] ?
 ncat_config:         Forbid config service [yes] ?
 ncat_config:         Use tcp-keepalive-in service to kill stale connections [yes] !
 ncat_config:         Forbid tftp service [Yes] ?
 ncat_config:     Check rules and data related to data flow [Yes] !
 ncat_config:       Apply standard routing protections [Yes] ?
 ncat_config:         Forbid directed broadcasts (on IOS 11) [yes] !
 ncat_config:         Forbid directed broadcasts (on IOS 12) [yes] !
 ncat_config:         Forbid IP source routing [yes] !
 ncat_config:   Apply some or all of CIS Level 2 rules [No] ?
 Saving selections to C:\CIS\RAT/etc/configs/cisco-ios/local.conf

 C:\CIS\RAT\bin>

Most of the rules work well with their default values. However, Example 8-5 shows customizing information, such as usernames and SNMP access control lists (ACL). A complete list of the ncat_config questions is also included in the cisco-ios-router-questionnaire.pdf document, located at the default location of C:\CIS\RAT.

Running RAT

RAT is currently only available as a CLI-based tool. The command syntax for running RAT to audit a router configuration text file is as follows:

   rat router-config-file 

In this syntax, router-config-file is the name and location of the text file that contains the router configuration. Example 8-6 shows RAT auditing the configuration from the text file router-dallas.cfg, located in the C:\CIS\RAT\bin directory.

Example 8-6. RAT Auditing Configuration from Text File
 C:\CIS\RAT\bin>rat router-dallas.cfg
 auditing router-dallas.cfg...
 Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/common.conf/
 Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-1.conf/
 Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-2.conf/
 Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/local.conf/
 Checking: router-dallas.cfg
 done checking router-dallas.cfg.
 Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/common.conf/
 Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-1.conf/
 Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-2.conf/
 Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/local.conf/
 ncat_report: writing router-dallas.cfg.ncat_fix.txt.
 ncat_report: writing router-dallas.cfg.ncat_report.txt.
 ncat_report: writing router-dallas.cfg.html.
 ncat_report: writing rules.html (cisco-ios-benchmark.html).
 ncat_report: writing all.ncat_fix.txt.
 ncat_report: writing all.ncat_report.txt.
 ncat_report: writing all.html.

 C:\CIS\RAT\bin>

As highlighted in Example 8-6, RAT creates various report files in text and HTML format. Table 8-1 provides details of some of the files created by RAT.

Table 8-1. Report Files Generated by RAT

Filename/Extension                        Details
----------------------------------------  ------------------------------------------------------
index.html                                HTML index of reports; suitable for publishing
                                          directly to a web server.
all.html                                  HTML report listing pass/fail status for all rules
                                          checked on all devices.
rules.html                                HTML version of the benchmark data that RAT used to
                                          create the audit report.
router-config-filename.html               Audit report in HTML format; this is the most useful
                                          report for Netadmins because it contains the pass/fail
                                          results, the weighted score, and cut-and-paste commands
                                          for fixing the problems.
router-config-filename.ncat_report.txt    Audit report in text format (router-dallas.cfg.ncat_report.txt
                                          in Example 8-6).
router-config-filename.ncat_fix.txt       List of cut-and-paste commands that fix the problems
                                          discovered by RAT.


The device-specific HTML report is split into three sections, as follows:

  • First section Lists the pass/fail results for each rule applied

  • Second section Provides a summary of the results with their score

  • Third section Provides IOS commands for fixing the configurations that were reported as failed in Section 1

The ability to provide ready-to-use IOS commands is a significant advantage offered by RAT over other tools such as Nmap or Nessus.

Figure 8-9 shows the first section of the router-dallas.cfg.html report. Each rule is hyper-linked to the details section in the rules.html file. Also, the rules that failed the benchmark test are color-coded red (shaded gray in this figure) for easy viewing.

Figure 8-9. RAT Audit Report: Rules Test Results


Figure 8-10 depicts the remaining two sections of the router-dallas.cfg.html report. The summary section provides scoring results for the audit checks. The results are expressed as both a percentage and a weighted score. Weighted scores are based on the importance of each rule, as listed in the first column of Section 1.

Figure 8-10. RAT Audit Report: Summary and Fixes


The last section of the report in Figure 8-10, "Fix Script for router-dallas.cfg," provides IOS commands that can be directly pasted into the global configuration mode of Cisco routers. Some of the commands are commented out because they require further editing, such as adding passwords or customized security strings.

Auditing Multiple Configurations

RAT can audit multiple configuration files and create a report for each file. The command syntax is as follows:

   rat router-config-file1 router-config-file2 . . . 

Example 8-7 shows the command used to audit the configuration files SFO-router.cfg, NY-router.cfg, and Corporate-router.cfg. RAT first parses all the configuration files for auditing. Next, it creates individual reports for each router configuration file. As shown by the highlighted text in this example, the three reports (SFO-router.cfg.html, NY-router.cfg.html, and Corporate-router.cfg.html) are named after the corresponding configuration file. Also, note that each file is created directly in HTML format and is ready to be published through a web server.

Example 8-7. RAT Auditing Multiple Configuration Files
   C:\CIS\RAT\bin>rat SFO-router.cfg NY-router.cfg Corporate-router.cfg
   auditing SFO-router.cfg...
   Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/common.conf/
   . . .
   . . .! IRRELEVANT TEXT REMOVED FOR CLARITY
   . . .
   Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/local.conf/
   ncat_report: writing SFO-router.cfg.ncat_fix.txt.
   ncat_report: writing SFO-router.cfg.ncat_report.txt.
   ncat_report: writing SFO-router.cfg.html.
   ncat_report: writing rules.html (cisco-ios-benchmark.html).
   ncat_report: writing NY-router.cfg.ncat_fix.txt.
   ncat_report: writing NY-router.cfg.ncat_report.txt.
   ncat_report: writing NY-router.cfg.html.
   ncat_report: writing rules.html (cisco-ios-benchmark.html).
   ncat_report: writing Corporate-router.cfg.ncat_fix.txt.
   ncat_report: writing Corporate-router.cfg.ncat_report.txt.
   ncat_report: writing Corporate-router.cfg.html.
   ncat_report: writing rules.html (cisco-ios-benchmark.html).
   ncat_report: writing all.ncat_fix.txt.
   ncat_report: writing all.ncat_report.txt.
   ncat_report: writing all.html.
   C:\CIS\RAT\bin>

Auditing Live Routers

As shown in the previous example, RAT audits a router by reading the configuration text files. RAT can also directly Telnet into the target router, pull the configuration file, and then perform auditing. The command syntax is as follows:

   rat --snarf [options] ipaddress-of-target-router 

The --snarf switch instructs RAT to download the configuration file through Telnet. You can supply Telnet authentication parameters, such as a username and password, through CLI options. Table 8-2 provides a list of CLI options used by RAT.

Table 8-2. RAT Options

   Option      Details
   ----------  --------------------------------------------------------------------------------
   --snarf     Instructs RAT to Telnet into the target router and download the running configuration file
   --user      Specifies the name to be used to log in to the router
   --userpw    Specifies the Telnet password or the password associated with the username specified by the --user option
   --enablepw  Specifies the enable password for entering the router's privileged mode
   --noenable  Instructs RAT not to enter enable mode before downloading the running configuration file


If you use the --snarf option with no other option, RAT prompts you for various passwords. Note that as each of the passwords is entered, RAT echoes them on-screen in clear text.

Example 8-8 illustrates RAT using the --snarf option, with no other options, to audit the router. As shown in the highlighted text, RAT prompts for the login (Telnet) password and the enable password. RAT also warns that it will display each password in clear text. RAT downloads, saves, and parses the configuration file to create the audit report. Also note that RAT prompts for a TACACS or SecureID passcode. You can press Enter to skip the prompt because most Cisco routers do not use passcodes.

Example 8-8. RAT Audit Through Telnet
   C:\CIS\RAT\bin>rat --snarf 192.168.0.10
   snarfing 192.168.0.10...
   WARNING: Password will be echo'd to screen.
   Password: cisco
   WARNING: Password will be echo'd to screen.
   Hit Enter unless using TACACS or SecureID.
   Passcode:
   WARNING: Password will be echo'd to screen.
   Enable password: ciscopal123
   C:\CIS\RAT/bin/snarf: Saved ./192.168.0.10
   done.
   auditing 192.168.0.10...
   Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/common.conf/
   Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-1.conf/
   Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-2.conf/
   Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/local.conf/
   Checking: 192.168.0.10
   done checking 192.168.0.10.
   Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/common.conf/
   Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-1.conf/
   Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-2.conf/
   Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/local.conf/
   ncat_report: writing 192.168.0.10.ncat_fix.txt.
   ncat_report: writing 192.168.0.10.ncat_report.txt.
   ncat_report: writing 192.168.0.10.html.
   ncat_report: writing rules.html (cisco-ios-benchmark.html).
   ncat_report: writing all.ncat_fix.txt.
   ncat_report: writing all.ncat_report.txt.
   ncat_report: writing all.html.
   C:\CIS\RAT\bin>

Caution

The passwords shown in this example (Telnet password cisco and enable password ciscopal123) are for illustration purposes only. Always use passwords that are at least eight characters long and contain special characters such as #, %, and &.


You can also specify the Telnet and enable passwords through the CLI. To get the same results as shown in Example 8-8, the command is as follows:

   rat --snarf --userpw=cisco --enablepw=ciscopal123 192.168.0.10 

For routers that need a username and password combination for Telnet login, you can use the --user option listed in Table 8-2. For example, to audit Router 192.168.0.5 with username spope, use the following RAT command:

   rat --snarf --user=spope --userpw=cisco --enablepw=cisco123 192.168.0.5 

The password associated with username spope is cisco, and the enable password is cisco123.

IOS Configuration Errors: Audit Using SDM

Cisco Router and Security Device Manager (SDM) is a web-based device-management tool for configuring routing, switching, security, and quality of service (QoS) services on Cisco routers. The SDM wizards enable users to deploy, configure, and monitor a Cisco router without requiring knowledge of the CLI. Cisco Netadmins can use the Cisco SDM for faster and easier deployment of Cisco routers for both network security features and WAN access. Cisco SDM is supported on Cisco 830S, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, 7200, and 7301 Series routers. Cisco SDM also provides monitoring, fault management, and troubleshooting for Cisco routers. Unlike RAT, SDM supports only IOS routers.

Caution

The configurations generated by SDM are approved by the Cisco Technical Assistance Center (TAC), and the checks that are built into Cisco SDM reduce configuration errors. Despite these facts, Netadmins should exercise caution and common sense while pushing configurations through SDM.


From a router security perspective, SDM provides the following security audit tools:

  • Security Audit Wizard Tests your router configuration to discover potential security problems and then presents you with a screen that lets you determine which problems you want to fix. After you have made this determination, the wizard makes the necessary changes to the router configuration to fix those problems. The wizard is based on security best practices recommended by the International Computer Security Association (ICSA) and the Cisco TAC.

  • One-Step Lockdown Automatically makes the necessary configuration changes to correct potential security problems without going through the wizard.

To use the security audit tool, you must first install and configure SDM on the router. After SDM is installed, you can connect to the router through your browser to launch SDM. From within the SDM window, you can use the built-in utilities such as the Security Audit Wizard or the One-Step Lockdown. The following sections cover each of these tasks.

Deploying SDM on Cisco Routers

SDM comes preinstalled on new router models. You can also download the latest SDM files from the Cisco website and copy them to the router using the following command:

   Router# copy tftp://tftp-server-IP-address/sdm.tar flash: 

A complete list of router models and IOS versions supported by SDM is available at the Cisco SDM home page:

http://www.cisco.com/go/sdm

Note

At the time of publication, Cisco had released a newer version of SDM that can also be installed locally on a PC rather than being run from the router.


Configuring SDM

To configure the router for SDM, enable the HTTP server on the router and define a local username and password. Example 8-9 provides a list of commands that enable the HTTP server with local authentication using the username user1 and the password cisco123. The ip http secure-server command enables an HTTPS server on the router. HTTPS is more secure and is supported on every IOS version that supports the Crypto/IPSec feature set, starting with Cisco IOS Release 12.2.5(T).

Example 8-9. Configuring IOS to Enable SDM
   Router#configure terminal
   Enter configuration commands, one per line.  End with CNTL/Z.
   Router(config)#ip http server
   ! --you can also enable https server if supported by the IOS image--
   Router(config)#ip http secure-server
   Router(config)#ip http authentication local
   Router(config)#username user1 privilege 15 password 0 cisco123

Note

If you enable an HTTPS server, disable the HTTP server using the no ip http server command to prevent unencrypted access.
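The following Python script is an added illustration, not RAT's own code or benchmark: it audits an IOS configuration text the way the three RAT report sections described earlier are organized (pass/fail per rule, a weighted score, and a fix script whose entries that need editing are commented out), using the HTTP/HTTPS settings from Example 8-9 and the note above as its rules. The rule names, weights, and sample configuration are constructed for this example.

```python
import re

# Constructed running-config excerpt modelled on Example 8-9; not taken
# from any real device.
SAMPLE_CONFIG = """\
hostname router-dallas
ip http server
ip http secure-server
ip http authentication local
username user1 privilege 15 password 0 cisco123
line vty 0 4
 transport input telnet
"""

# (rule name, weight, predicate(text, line_set), IOS fix). Weights are
# illustrative; RAT's benchmark weights are not reproduced here.
RULES = [
    ("https-server-enabled", 5,
     lambda t, s: "ip http secure-server" in s,
     "ip http secure-server"),
    ("plain-http-off-when-https-on", 5,
     lambda t, s: not ("ip http server" in s and "ip http secure-server" in s),
     "no ip http server"),
    ("http-local-authentication", 3,
     lambda t, s: "ip http authentication local" in s,
     "ip http authentication local"),
    ("no-type0-user-passwords", 5,
     lambda t, s: not re.search(r"^username \S+ .*\bpassword 0 \S+", t, re.M),
     "! username <name> privilege 15 secret <new-password>  (edit, then paste)"),
    ("vty-no-telnet", 4,
     lambda t, s: not any(l.strip().startswith("transport input") and "telnet" in l
                          for l in s),
     "line vty 0 4\n transport input ssh"),
]


def audit(config_text):
    """Section 1: evaluate every rule; returns (name, weight, passed, fix) tuples."""
    line_set = set(config_text.splitlines())
    return [(name, w, bool(check(config_text, line_set)), fix)
            for name, w, check, fix in RULES]


def score(results):
    """Section 2: (earned, possible, percent) weighted by rule importance."""
    possible = sum(w for _, w, _, _ in results)
    earned = sum(w for _, w, ok, _ in results if ok)
    return earned, possible, round(100 * earned / possible)


def fix_script(results):
    """Section 3: global-configuration commands for the failed rules, in order."""
    return "\n".join(fix for _, _, ok, fix in results if not ok)


if __name__ == "__main__":
    res = audit(SAMPLE_CONFIG)
    for name, w, ok, _ in res:
        print(f"{'PASS' if ok else 'FAIL'}  weight={w}  {name}")
    print("score: %d/%d (%d%%)" % score(res))
    print("fix script:\n" + fix_script(res))
```

On the sample configuration, HTTP is still enabled alongside HTTPS, the user password is stored as type 0, and the vty lines accept Telnet, so three of the five rules fail and the fix script lists the corresponding commands.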


Launching SDM to Use the Security Audit Tools

Follow these steps to launch SDM:

Step 1.

Open a Java-enabled web browser on the PC and use the URL https://router-IP-address. If the IOS version does not support HTTPS, use the URL http://router-IP-address.

Step 2.

Enter the username and password in the username/password dialog box and follow the prompts to launch the IOS home page, as shown in Figure 8-11. Based on Example 8-9, the username is user1 and the password is cisco123.

Figure 8-11. IOS Home Page


Step 3.

In the left pane of the IOS home page, click Cisco Router and Security Device Manager to launch the SDM Java applet. SDM is a signed Java applet. This can cause your browser to display a security warning or reprompt you for login credentials. Accept the certificate and supply the same login credentials as you did in Step 2.

The SDM home page provides hardware and software summaries and a configuration overview of the router, as shown in Figure 8-12. The home page is also the starting point for configuring and monitoring the router.

Figure 8-12. SDM Home Page


Using the SDM-Based Security Audit Tools

As previously discussed, the following security audit tools allow you to secure the router:

  • Security Audit Wizard

  • One-Step Lockdown

Using the Security Audit Wizard for Router Security

After launching SDM, you can start the Security Audit Wizard by following these steps:

Step 1.

From the SDM home page, navigate to the Security Audit page by clicking Configure > Security Audit, as shown in Figure 8-13.

Figure 8-13. SDM Security Audit Home Page


Step 2.

Launch the Security Audit Wizard by clicking the Perform security audit button.

Step 3.

In the Security Audit Wizard, click the Next button to navigate to the Security audit interface configuration page.

Step 4.

Choose the inside (trusted) and outside (untrusted) interface on the Security audit interface configuration page and click the Next button.

SDM tests the configuration and provides a status report of each test, as shown in Figure 8-14. To save a local copy of the report in HTML format, click the Save Report button. Click the Close button to return to the wizard.

Figure 8-14. SDM Security Audit Status Report


Based on the report, the wizard provides a list of security problems identified in the configuration, as shown in Figure 8-15.

Figure 8-15. Security Audit List of Problems


Step 5.

In the Select an option field, choose Fix the Security problems. The Fix it check box next to each problem allows you to selectively apply the fixes. You can also click the Fix All button to fix all the listed problems. Click the Next button to launch the Summary page. The Summary page lists all the fixes that SDM will apply to the router.

Step 6.

Click the Finish button to launch the Commands Delivery Status window. Based on the options that you chose in Step 5, SDM might prompt you for fixes on advanced settings before launching the Commands Delivery Status window.

The Commands Delivery Status window provides the status of delivering the commands to the router. After the commands are delivered to the router, click the OK button to return to the Security Audit page.

The router is now secured in accordance with the security best practices recommended by the ICSA and Cisco TAC. To view the new configuration, choose Tools > Running Config on the SDM toolbar.

Using One-Step Lockdown for Router Security

The One-step lockdown button on the Security Audit page configures the router with predefined security settings. Unlike the Security Audit Wizard, One-Step Lockdown directly applies the settings to the router without prompting the user for customization.

To secure the router using the One-Step Lockdown feature, click the One-step lockdown button on the Security Audit page, as shown in Figure 8-12. To roll back the commands applied by One-Step Lockdown, run the Security Audit Wizard again. On the Security Audit Wizard page, select Undo Security configurations, as shown in Figure 8-16. The Undo check boxes allow you to restore the router to a usable state, especially if problems occur due to One-Step Lockdown.

Figure 8-16. Security Audit Undo Security Configurations


Caution

One-Step Lockdown can cause a service disruption. Always verify the changes in a test environment before deploying the tool in a production environment.


Best Practice Recommendations

In addition to the tools discussed in this chapter, following are two good documents for hardening Cisco routers. Both documents provide good insight into the nuances of hardening Cisco routers and the services running over them. Although the second document appears to be for Internet service providers (ISP), the information is useful for anyone who deals with IOS devices. The URL for each of these documents is as follows:

  • Cisco Router Security Configuration Guide Issued by the National Security Agency (NSA):

    http://www.nsa.gov/snac/downloads_cisco.cfm?MenuID=scg10.3.1

  • Cisco ISP Essentials IOS Features Every ISP Should Consider Issued by Cisco TAC:

    http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip

Cisco switches provide protection mechanisms for securing the switches and the network against network attacks. Many of the features provide immunity against Layer 2 attacks. The following documents provide Netadmins with a comprehensive checklist for protecting their networks against Layer 2 attacks:

  • Cisco IOS Switch Security Configuration Guide Issued by the NSA:

    http://www.nsa.gov/snac/downloads_switches.cfm?MenuID=scg10.3.1

  • Best Practices for Catalyst Series Switches Running CatOS Software Issued by Cisco TAC:

    http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml

  • Best Practices for Catalyst Series Switches Running Cisco IOS Software Issued by Cisco TAC:

    http://www.cisco.com/en/US/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml

Because of the in-depth coverage of security features provided, these documents should find a permanent place in the Netadmin's security tool kit.

Finally, none of the tools discussed in this chapter provide a silver bullet for router security. Each tool has its merits and limitations. Netadmins should appropriately weigh these tools against their network environment and business needs. A configuration change might be in accordance with security best practices but can result in cutting off your corporate network from the rest of the world. Remember, the most secure computer on the Internet is the one with no network connection. Unfortunately, that same computer is of little value.



Network Administrators Survival Guide
ISBN: 1587052113
Year: 2006
Pages: 106