"You are only as secure as your weakest link." Network security professionals often encounter this adage. Present-day networks deploy security measures such as firewalls, intrusion detection systems (IDS), virtual private networks (VPN), and antivirus software to fortify the network. Unfortunately, the most basic network elements, routers and switches, are often ignored as security devices because they were originally created to enhance network connectivity rather than to provide network security. Consequently, routers and switches are conceptually less secure than dedicated security devices such as firewalls and IDSs. While an attack on a web server can merely render it inoperable, an attack on the edge router can cut off the entire network from its users. Consequently, an attacker can exploit vulnerabilities in the routers or switches to compromise the security of the entire network. Netadmins should make additional efforts to secure the routers and, in turn, the entire network. Hence, contrary to popular belief, an edge router, rather than a firewall, is the first line of network defense against outside attacks. Throughout this chapter, the term router refers to Cisco IOS-based devices. Because Cisco IOS also supports Catalyst switches, many of the tools and technologies discussed in this chapter are applicable to switches as well.

Securing Cisco Routers

The most common causes of security breaches in routers are as follows:
The following sections cover the tools that a Netadmin can use to discover weaknesses and secure IOS devices.

Cisco Router Passwords

Cisco IOS configuration files offer the following three options for encrypting passwords:
By default, IOS configuration files display passwords and other authentication strings in plain text. The service password-encryption command can conceal the password by showing it in encrypted form. However, the IOS passwords and other authentication strings are then encrypted using the Cisco proprietary Vigenere-based cipher. The Vigenere algorithm, better known as the Type 7 algorithm, is reversible and simpler than other current encryption techniques. According to Cisco, "the encryption scheme was designed to avoid password theft via simple snooping or sniffing. It was never intended to protect against someone conducting a password-cracking effort on the configuration file." The enable secret command encrypts the password using the one-way MD5 hash mechanism. To determine which scheme has been used to encrypt a specific password, check the digit that precedes the encrypted string in the configuration file. If that digit is a 7, the password has been encrypted using the Type 7 algorithm. If the digit is a 5, the password has been hashed using the stronger MD5 algorithm. The sample IOS configuration snippet in Example 8-1 depicts encrypted passwords. The Type 5 MD5 algorithm encrypts the enable secret password only. The remaining passwords are Type 7.

Example 8-1. Sample Router Configuration Router-Dallas.txt

hostname Router-Dallas
service password-encryption
! enable password is encrypted using MD5 algorithm
enable secret 5 $1$rQrR$1j1XTXMbCt/1RGh7Y3BlU1
! user password is encrypted using the weaker algorithm
username user1 password 7 030752180500701E1D
!
key chain MYKEY
 key 1
  key-string 7 141C17125D5679
!
line vty 0 4
 password 7 1511021F0725
 login
!
end

Many tools are available for decrypting Cisco IOS passwords from the configuration files. Among the choices, Cain & Abel, available at http://www.oxid.it, is the most versatile and user-friendly tool for decrypting passwords. Cain & Abel can decrypt both Type 7 and Type 5 passwords.
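As an added illustration of why Type 7 offers no real protection (this script is not from the book and is not Cain & Abel), the following Python auditor reverses the three Type 7 strings of Example 8-1 and reports what each credential should be migrated to. The key constant is the publicly documented IOS Type 7 key; the regex, the finding format and SAMPLE_CONFIG are this example's own assumptions.

```python
"""Audit a Cisco IOS config for reversible (Type 7) credentials.

Added example for this chapter, not code from the book or from Cain & Abel.
Type 7 is a fixed-key XOR stream (the Vigenere-style scheme the chapter
describes), so reversing it needs only the public key below. The auditor
flags every stored credential, recovers Type 7 values to prove they are
reversible, and says what each should be migrated to. SAMPLE_CONFIG is
constructed from the chapter's Example 8-1.
"""
import re

# Fixed 53-byte key IOS uses for every Type 7 string (publicly documented).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches 'password', 'secret' and 'key-string' statements with a type digit.
_CRED_RE = re.compile(r"^\s*.*?\b(?P<kw>password|secret|key-string)\s+(?P<type>[057])\s+(?P<val>\S+)")

SAMPLE_CONFIG = """\
hostname Router-Dallas
service password-encryption
enable secret 5 $1$rQrR$1j1XTXMbCt/1RGh7Y3BlU1
username user1 password 7 030752180500701E1D
key chain MYKEY
 key 1
  key-string 7 141C17125D5679
line vty 0 4
 password 7 1511021F0725
 login
end
"""

def type7_decode(encoded: str) -> str:
    """Reverse a Type 7 string.

    The first two decimal digits are an offset into the key; each following
    pair of hex digits is one plaintext byte XORed with the key byte at
    offset + position (wrapping around the key).
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a Type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])          # ValueError on non-hex input
    plain = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")

def audit_config(config_text: str) -> list:
    """Return one finding per credential, in file order.

    A finding records the line, the keyword, the type digit, whether the
    value is reversible, the recovered value for Type 0/7, and the IOS
    construct to migrate to.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = _CRED_RE.match(line)
        if not m:
            continue
        kw, ctype, val = m.group("kw"), m.group("type"), m.group("val")
        f = {"line": lineno, "keyword": kw, "type": ctype,
             "reversible": ctype != "5", "recovered": None, "advice": ""}
        if ctype == "5":
            f["advice"] = "one-way MD5 hash; cannot be decoded, only guessed offline"
        elif ctype == "0":
            f["recovered"] = val
            f["advice"] = "stored in clear; at minimum add 'service password-encryption'"
        elif kw == "key-string":
            # Routing-protocol keys must stay recoverable by the router, so
            # the only fix is to control who can read the config file.
            f["recovered"] = type7_decode(val)
            f["advice"] = "cannot be hashed; restrict access to the config file"
        elif line.lstrip().startswith("username"):
            f["recovered"] = type7_decode(val)
            f["advice"] = "replace with 'username <name> secret <pw>' (MD5 hashed)"
        else:
            f["recovered"] = type7_decode(val)
            f["advice"] = "drop the line password; use 'login local' with hashed user secrets"
        findings.append(f)
    return findings

def type7_lines(config_text: str) -> list:
    """Line numbers of every reversible Type 7 credential in the config."""
    return [f["line"] for f in audit_config(config_text) if f["type"] == "7"]

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        state = "REVERSIBLE" if f["reversible"] else "hashed"
        print(f"line {f['line']:2}  type {f['type']}  {state:10}  {f['keyword']:10}  {f['advice']}")
```

Run against a real configuration, the finding list is the set of lines a Netadmin should migrate before the file is shared, backed up to TFTP, or attached to a support case.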
The following sections cover the steps used to recover both of these types of passwords from IOS devices. This tool is compatible with MS-Windows NT/2000/2003/XP, and the installation process is simple. Download the .exe file from the home page and save it locally. Double-click the saved file to begin the installation procedure. The tool provides a ready-to-use graphical user interface (GUI) and requires no postinstallation configuration. The only information required is the configuration file from the target router that contains the encrypted passwords.

Note: The router configuration file can be captured by using the show running-config command on the router. You can also download the configuration file from the router to a Trivial File Transfer Protocol (TFTP) server using the copy runn tftp command on the router.

Decrypting Type 7 Passwords

Follow these steps to decrypt a Cisco IOS Type 7 password:
Figure 8-2 shows the encrypted password string 030752180500701E1D being decrypted as cisco123. Note that the encrypted password was copied from the username user1 password 7 030752180500701E1D command in Example 8-1.

Figure 8-2. Decrypting a Type 7 Password

Tip: The GetPass utility, from Boson Software Inc. (http://www.boson.com), provides similar functionality for decrypting Type 7 passwords. But unlike Cain & Abel, GetPass does not offer any other feature.

Decrypting Type 5 Passwords

The Cain & Abel tool, discussed in the previous section of this chapter, can also recover Type 5 passwords. Unlike Type 7 passwords, which are encrypted using a reversible algorithm, Type 5 passwords are encrypted using a one-way, nonreversible algorithm. The encrypted password string is an MD5 hash that is created from the original password. The Type 5 password-recovery mechanism, used by tools like Cain & Abel, compares the original MD5 hash of the password with the MD5 hash of a known text string. If both hashes are the same, the password is the same as the known text string. The password-recovery tools work by trying various combinations and lengths of characters. Depending on the length of the original password, recovering the password can take a large amount of time. Using Cain & Abel, the Type 5 password-recovery steps are as follows:
Tip: The short password used in this section is for illustration purposes only. Actual passwords should always be more than eight characters long, with a combination of uppercase and lowercase letters, numbers, and special characters (such as #, %, and &). An eight-character-long password composed only of numbers and uppercase and lowercase alphabetic characters can have 62^8 (218 trillion) possible combinations. Simply by making that password nine characters long, the possible combinations increase to 13 quadrillion. On the other hand, an eight-character-long password that also uses special characters (such as #, %, and &) can have 6 quadrillion combinations. Using the same set of characters, a nine-character-long password increases to 572 quadrillion combinations.

To discourage password attacks, Netadmins should take the following actions:
Unneeded Services Running on Cisco Routers

In addition to running routing protocols, Cisco routers also run various other services, such as HTTP, TFTP, Telnet, and SSH. Multiple vulnerabilities have been reported in the SNMP, Cisco Discovery Protocol (CDP), SSH, and HTTP stacks implemented in IOS. These vulnerabilities can crash the router or help an attacker gain access to the router. Netadmins often start a service or protocol for testing and troubleshooting. Later, the Netadmin might forget about it and unintentionally leave these services running. By conducting a port scan, an attacker can learn which ports are in the listening state on the router. Armed with this information, the attacker can make an educated guess regarding the services that are running on the router. Nmap, discussed in Chapter 7, "Network Security Testing," is the ideal tool for port-scanning the router. The command syntax to perform a Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) scan on a router is as follows:

nmap -sT -sU hostname-or-IP-address

Example 8-2 shows a TCP and UDP port scan performed on a router with an IP address of 192.168.0.10.

Example 8-2. Port Scanning Using Nmap

linuxbox:~# nmap -sT -sU 192.168.0.10
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2004-11-20 12:33 PST
Interesting ports on 192.168.0.10:
(The 3136 ports scanned but not shown below are in state: closed)
PORT     STATE          SERVICE
23/tcp   open           telnet
67/udp   open|filtered  dhcpserver
79/tcp   open           finger
80/tcp   open           http
520/udp  open|filtered  route
MAC Address: 00:10:7B:CC:57:EB (Cisco Systems)
Nmap run completed -- 1 IP address (1 host up) scanned in 1242.591 seconds
linuxbox:~#

The port scan results, highlighted in Example 8-2, indicate that the router is running the Routing Information Protocol (RIP) because it is listening on port UDP 520. The other services running on the router are as follows:
To secure the router, these services should be manually turned off or configured for restricted access. The global-configuration-mode commands for securing the router in this case are listed in Example 8-3.

Example 8-3. Securing the Router

! access-list to restrict Telnet and http access to the router
access-list 10 permit host 192.168.0.100
access-list 10 permit host 192.168.0.101
! limit Telnet to the router from hosts listed in access-list 10
line vty 0 4
 access-class 10 in
! disable Dhcp/Bootp service
no ip bootp server
! disable finger service
no ip finger
! limit http access to the router from hosts listed in access-list 10
ip http access-class 10

Protocol and OS Vulnerabilities

The information provided by the port scanner is limited to the ports and services that are running on the router. Nessus, discussed in Chapter 7, provides detailed discovery of the vulnerabilities associated with the services running on the router. Nessus reports include possible solutions for each discovered vulnerability. To scan the router for vulnerabilities, follow these steps:
Example 8-4. Nessus Scan Report in Text Format

Nessus Scan Report
------------------
SUMMARY
 - Number of hosts which were alive during the test : 1
 - Number of security holes found : 1
 - Number of security warnings found : 2
 - Number of security notes found : 9
TESTED HOSTS
 192.168.0.10 (Security holes found)
DETAILS
+ 192.168.0.10 :
 . List of open ports :
   o telnet (23/tcp) (Security notes found)
   o finger (79/tcp) (Security notes found)
   o www (80/tcp) (Security notes found)
   o general/tcp (Security warnings found)
   o general/udp (Security notes found)
   o route (520/udp) (Security hole found)
   o general/ospf (Security notes found)
   o general/icmp (Security warnings found)
 . Information found on port telnet (23/tcp)
   Remote telnet banner :
   User Access Verification
   Password:
 . Information found on port telnet (23/tcp)
   This port was detected as being open by a port scanner but is now closed.
   This service might have been crashed by a port scanner or by a plugin
 !. . . . !. . . . text suppressed for clarity ! . . . . .
 . Warning found on port general/tcp
   The remote host does not discard TCP SYN packets which have the FIN flag set.
   Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules.
   See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
              http://www.kb.cert.org/vuls/id/464113
   Solution : Contact your vendor for a patch
   Risk factor : Medium
   BID : 7487
 . Information found on port general/tcp
   Nmap found that this host is running Cisco IOS 12.0(5)WC3 - 12.0(16a)
 . . . . .
 . Vulnerability found on port route (520/udp) :
   RIP-1 does not implement authentication.
   An attacker may feed your machine with bogus routes and hijack network connections.
   Solution : disable the RIP agent if you don't use it, or use RIP-2 and implement authentication
   Risk factor : Medium
 . . . . .
 . Information found on port general/ospf
   An OSPF v2 agent is running on this host.
   The netmask is 255.255.255.0
   The Designated Router is 192.168.0.10
   Risk factor : Low
 . Warning found on port general/icmp
   The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols.
   Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
   Risk factor : Low
   CVE : CAN-1999-0524
 . . . .
------------------------------------------------------
This file was generated by the Nessus Security Scanner

The report shown in Example 8-4 was saved in text format. Nessus also provides options to save the report in colorful Hypertext Markup Language (HTML) format, with embedded hyperlinks, graphs, and pie charts. Figure 8-8 shows the graphical version of the same report. The report shows a pie chart and bar graph that summarize the results. Although not shown in the figure, the report also contains a summary of the scan in text format, complete with hyperlinks for detailed explanations of each item.

Figure 8-8. Nessus Graphical Report

IOS Configuration Errors: Audit Using RAT

Router Audit Tool (RAT), distributed by the Center for Internet Security (CIS), is a benchmark and audit tool for Cisco IOS routers and switches. Unlike generic security tools such as Nmap or Nessus, RAT focuses on Cisco routers. RAT reports are detailed and include specific IOS commands for fixing the discovered weaknesses. RAT is supported on both Windows and Linux. The Linux version of RAT is similar to the MS-Windows version, including the command-line interface (CLI) options. Overall, RAT is an excellent tool that Netadmins can use to secure Cisco routers and switches. RAT works for both routers and switches, because many of the router-hardening commands also apply to IOS-based switches. RAT is under development to keep pace with the latest Cisco IOS features.
However, RAT is not a silver bullet for network security or router configuration. Netadmins should exercise caution and common sense while using RAT. RAT functions as a three-step process:
RAT is available for download from the CIS home page at http://www.cisecurity.org/. The installation files include the PDF version of the Router Security Configuration Guide from the National Security Agency. Although the following discussion is based on the MS-Windows version of RAT, the usage is similar to that of the Linux version.

Installing RAT

The RAT installation steps for the MS-Windows version are as follows:
Configuring RAT

RAT is shipped with predefined default rules. These rules are generic and require customization for site-specific information, such as the IP addresses of the syslog server, NTP server, or internal network. RAT documents refer to the customizing process as localizing. RAT provides ncat_config, a CLI-based interactive tool for localizing. To configure RAT, run the ncat_config.exe file from the command line. Ncat_config prompts you for information specific to the local network, as shown in Example 8-5. The highlighted text indicates data that is input by the user in response to the ncat_config queries. The example is for illustration purposes only; the exact response depends on your network environment.

Example 8-5. Configuring RAT Using ncat_config

C:\CIS\RAT\bin>ncat_config.exe
ncat_config: Select configuration type [cisco-ios] ?
ncat_config: Applying rules from:
ncat_config: C:\CIS\RAT/etc/configs/cisco-ios/common.conf
ncat_config: C:\CIS\RAT/etc/configs/cisco-ios/cis-level-1.conf
ncat_config: C:\CIS\RAT/etc/configs/cisco-ios/cis-level-2.conf
ncat_config: Apply some or all of the rules that are selectable [Yes] !
ncat_config: Apply some or all of CIS level 1 rules [Yes] ?
ncat_config: Check rules and data related to system management [Yes] !
ncat_config: Use local authentication [Yes] ?
ncat_config: Create new AAA model using local usernames and passwords [yes] !
ncat_config: Create local usernames [yes] !
ncat_config: Username of user for local authentication [username1] ? spope
ncat_config: Apply standard SNMP checks [Yes] !
ncat_config: Disable SNMP server [yes] ? no
ncat_config: Forbid SNMP read-write [yes] ?
ncat_config: Forbid SNMP community string 'public' [yes] !
ncat_config: Forbid SNMP community string 'private' [yes] !
ncat_config: Require an ACL to be applied for all SNMP access [no] ? yes
ncat_config: Specify ACL number to be used for filtering SNMP requests [99] ?
ncat_config: Define SNMP ACL [no] ? yes
ncat_config: Address block and mask for SNMP access [192.168.1.0 0.0.0.255] ? 192.168.0.0 0.0.0.255
ncat_config: Apply standard checks to control access to the router [Yes] ?
ncat_config: Allow Telnet access for remote administration? [Yes] ?
ncat_config: Allow only telnet access for remote login [yes] !
ncat_config: Specify maximum allowed exec timeout [yes] !
ncat_config: Exec timeout value [10 0] ?
ncat_config: Disable the aux port [yes] ?
ncat_config: Use default AAA login authentication on each line [Yes] ?
Info: skipping IOS - login named list because it conflicts with IOS - login default which is already selected
ncat_config: require line passwords [yes] ?
ncat_config: Require an enable secret [yes] !
ncat_config: Check line password quality [yes] ?
ncat_config: Check user password quality [yes] ?
ncat_config: Require VTY ACL to be applied [yes] !
ncat_config: Specify ACL number to be used for telnet or ssh [182] ?
ncat_config: Define simple (one netblock + one host) VTY ACL [yes] ?
ncat_config: Address block and mask for administrative hosts [192.168.1.0 0.0.0.255] ? 192.168.0.0 0.0.0.255
ncat_config: Address for administrative host [192.168.1.254] ? 192.168.0.100
ncat_config: Disable unneeded management services [Yes] ?
ncat_config: Forbid finger service (on IOS 11) [yes] !
ncat_config: Forbid identd service (on IOS 11) [yes] !
ncat_config: Forbid finger service (on IOS 12) [yes] !
ncat_config: Forbid finger service (on IOS 12) [yes] !
ncat_config: Forbid http service [yes] !
ncat_config: Encrypt passwords in the configuration [yes] !
ncat_config: Check rules and data related to system control [Yes] !
ncat_config: Synchronize router time via NTP [Yes] ?
ncat_config: Designate an NTP time server [yes] !
ncat_config: Address of first NTP server [1.2.3.4] ? 192.168.0.30
ncat_config: Designate a second NTP time server [yes] ?
ncat_config: Address of second NTP server [5.6.7.8] ? 192.168.0.35
ncat_config: Designate a third NTP time server [yes] ? no
ncat_config: Apply standard logging rules [Yes] ?
ncat_config: Use GMT for logging instead of localtime [Yes] ? no
ncat_config: Timestamp log messages [yes] !
ncat_config: Timestamp debug messages [yes] !
ncat_config: enable logging [yes] !
ncat_config: Designate syslog server [yes] !
ncat_config: Address of syslog server [13.14.15.16] ? 192.168.0.30
ncat_config: Designate local logging buffer size [yes] !
ncat_config: Local log buffer size [16000] ?
ncat_config: Require console logging of critical messages [yes] !
ncat_config: Require remote logging of level info or higher [yes] !
ncat_config: Disable unneeded control services [Yes] ?
ncat_config: Forbid small TCP services (on IOS 11) [yes] !
ncat_config: Forbid small UDP services (on IOS 11) [yes] !
ncat_config: Forbid small TCP services (on IOS 12) [yes] !
ncat_config: Forbid small UDP services (on IOS 12) [yes] !
ncat_config: Forbid bootp service [yes] !
ncat_config: Disable CDP service [yes] ?
ncat_config: Forbid config service [yes] ?
ncat_config: Use tcp-keepalive-in service to kill stale connections [yes] !
ncat_config: Forbid tftp service [Yes] ?
ncat_config: Check rules and data related to data flow [Yes] !
ncat_config: Apply standard routing protections [Yes] ?
ncat_config: Forbid directed broadcasts (on IOS 11) [yes] !
ncat_config: Forbid directed broadcasts (on IOS 12) [yes] !
ncat_config: Forbid IP source routing [yes] !
ncat_config: Apply some or all of CIS Level 2 rules [No] ?
Saving selections to C:\CIS\RAT/etc/configs/cisco-ios/local.conf
C:\CIS\RAT\bin>

Most of the rules work well with their default values. However, Example 8-5 shows customized information, such as usernames and SNMP access control lists (ACL). A complete list of the ncat_config questions is also included in the cisco-ios-router-questionnaire.pdf document, located at the default location of C:\CIS\RAT.

Running RAT

RAT is currently only available as a CLI-based tool.
The command syntax for running RAT to audit a router configuration text file is as follows:

rat router-config-file

In this syntax, router-config-file is the name and location of the text file that contains the router configuration. Example 8-6 shows RAT auditing the configuration from the text file router-dallas.cfg, located in the C:\CIS\RAT\bin directory.

Example 8-6. RAT Auditing Configuration from Text File

C:\CIS\RAT\bin>rat router-dallas.cfg
auditing router-dallas.cfg...
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/common.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-1.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-2.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/local.conf/
Checking: router-dallas.cfg
done checking router-dallas.cfg.
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/common.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-1.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-2.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/local.conf/
ncat_report: writing router-dallas.cfg.ncat_fix.txt.
ncat_report: writing router-dallas.cfg.ncat_report.txt.
ncat_report: writing router-dallas.cfg.html.
ncat_report: writing rules.html (cisco-ios-benchmark.html).
ncat_report: writing all.ncat_fix.txt.
ncat_report: writing all.ncat_report.txt.
ncat_report: writing all.html.
C:\CIS\RAT\bin>

As highlighted in Example 8-6, RAT creates various report files in text and HTML format. Table 8-1 provides details of some of the files created by RAT.
The device-specific HTML report is split into three sections, as follows:
The ability to provide ready-to-use IOS commands is a significant advantage offered by RAT over other tools such as Nmap or Nessus. Figure 8-9 shows the first section of the router-dallas.cfg.html report. Each rule is hyperlinked to the details section in the rules.html file. Also, the rules that failed the benchmark test are color-coded red (shaded gray in this figure) for easy viewing.

Figure 8-9. RAT Audit Report: Rules Test Results

Figure 8-10 depicts the remaining two sections of the router-dallas.cfg.html report. The summary section provides scoring results for the audit checks. The results are expressed as both a percentage and a weighted score. Weighted scores are based on the importance of each rule, as listed in the first column of Section 1.

Figure 8-10. RAT Audit Report: Summary and Fixes

The last section of the report in Figure 8-10, "Fix Script for router-dallas.cfg," provides IOS commands that can be directly pasted into the global configuration mode of Cisco routers. Some of the commands are commented out because they require further editing, such as adding passwords or customized security strings.

Auditing Multiple Configurations

RAT can audit multiple configuration files and create a report for each file. The command syntax is as follows:

rat router-config-file1 router-config-file2 . . .

Example 8-7 shows the command used to audit the configuration files SFO-router.cfg, NY-router.cfg, and Corporate-router.cfg. RAT first parses all the configuration files for auditing. Next, it creates individual reports for each router configuration file. As shown by the highlighted text in this example, the three reports (SFO-router.cfg.html, NY-router.cfg.html, and Corporate-router.cfg.html) are named after the corresponding configuration file. Also, note that each file is directly created in HTML format and is ready to be published through a web server.

Example 8-7. RAT Auditing Multiple Configuration Files

C:\CIS\RAT\bin>rat SFO-router.cfg NY-router.cfg Corporate-router.cfg
auditing SFO-router.cfg...
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/common.conf/
. . . . . .! IRRELEVANT TEXT REMOVED FOR CLARITY . . .
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/local.conf/
ncat_report: writing SFO-router.cfg.ncat_fix.txt.
ncat_report: writing SFO-router.cfg.ncat_report.txt.
ncat_report: writing SFO-router.cfg.html.
ncat_report: writing rules.html (cisco-ios-benchmark.html).
ncat_report: writing NY-router.cfg.ncat_fix.txt.
ncat_report: writing NY-router.cfg.ncat_report.txt.
ncat_report: writing NY-router.cfg.html.
ncat_report: writing rules.html (cisco-ios-benchmark.html).
ncat_report: writing Corporate-router.cfg.ncat_fix.txt.
ncat_report: writing Corporate-router.cfg.ncat_report.txt.
ncat_report: writing Corporate-router.cfg.html.
ncat_report: writing rules.html (cisco-ios-benchmark.html).
ncat_report: writing all.ncat_fix.txt.
ncat_report: writing all.ncat_report.txt.
ncat_report: writing all.html.
C:\CIS\RAT\bin>

Auditing Live Routers

As shown in the previous example, RAT audits a router by reading the configuration text files. RAT can also directly Telnet into the target router, pull the configuration file, and then perform auditing. The command syntax is as follows:

rat --snarf [options] ipaddress-of-target-router

The --snarf switch instructs RAT to download the configuration file through Telnet. You can supply Telnet authentication parameters, such as a username and password, through CLI options. Table 8-2 provides a list of CLI options used by RAT.
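To make the shape of a RAT report concrete, here is an added, self-contained Python audit (not RAT and not the book's code) that checks a configuration against the hardening commands of Example 8-3 and a few of the ncat_config defaults shown in Example 8-5, then produces the three report sections described above: per-rule results, a percentage plus a weighted score, and a fix script whose site-specific commands are commented out. The rule weights, the regexes and SAMPLE_CONFIG are this example's own assumptions, not CIS benchmark values.

```python
"""RAT-style benchmark audit of a Cisco IOS configuration.

Added example, neither RAT itself nor the book's code. It mimics a RAT report:
pass/fail per rule, a plain and a weighted score, and a fix script whose
site-specific commands are commented out for editing. Rules come from the
hardening commands of Example 8-3 and ncat_config defaults of Example 8-5;
the weights are assumed, not CIS's. SAMPLE_CONFIG is constructed.
"""
import re

SAMPLE_CONFIG = """\
hostname Router-Dallas
service password-encryption
enable secret 5 $1$rQrR$1j1XTXMbCt/1RGh7Y3BlU1
username user1 password 7 030752180500701E1D
no ip finger
ip http server
logging 192.168.0.30
router rip
 network 192.168.0.0
line vty 0 4
 password 7 1511021F0725
 login
end
"""

def parse_blocks(config_text):
    """Split an IOS config into (top-level command, [indented sub-commands])."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                  # blanks and comments
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def has_global(blocks, pattern):
    """True if some top-level command matches the regex from its start."""
    return any(re.match(pattern, top) for top, _ in blocks)

def every_vty_has(blocks, pattern):
    """True if at least one 'line vty' block exists and each carries a match."""
    vtys = [kids for top, kids in blocks if top.startswith("line vty")]
    return bool(vtys) and all(any(re.match(pattern, k) for k in kids) for kids in vtys)

# (rule name, weight, check, fix-script lines). Fix lines starting with "!"
# need site-specific values filled in before they can be pasted.
RULES = [
    ("Require an enable secret", 10, lambda b: has_global(b, r"enable secret 5 "),
     ["! enable secret <strong-secret>"]),
    ("Encrypt passwords in the configuration", 5,
     lambda b: has_global(b, r"service password-encryption$"), ["service password-encryption"]),
    ("Forbid finger service", 5, lambda b: has_global(b, r"no ip finger$"), ["no ip finger"]),
    ("Forbid bootp service", 5, lambda b: has_global(b, r"no ip bootp server$"),
     ["no ip bootp server"]),
    ("Forbid IP source routing", 5, lambda b: has_global(b, r"no ip source-route$"),
     ["no ip source-route"]),
    ("Disable CDP service", 3, lambda b: has_global(b, r"no cdp run$"), ["no cdp run"]),
    ("Forbid or restrict http service", 8,
     lambda b: not has_global(b, r"ip http server$") or has_global(b, r"ip http access-class \d+$"),
     ["! ip http access-class <mgmt-acl>   (or: no ip http server)"]),
    ("Require VTY ACL to be applied", 10, lambda b: every_vty_has(b, r"access-class \d+ in$"),
     ["! access-list 10 permit host <admin-host>", "line vty 0 4", " access-class 10 in"]),
    ("Designate syslog server", 5, lambda b: has_global(b, r"logging (host )?\d+\.\d+\.\d+\.\d+$"),
     ["! logging <syslog-server-ip>"]),
]

def audit(config_text):
    """Run every rule; return per-rule results, both scores and the fix script."""
    blocks = parse_blocks(config_text)
    results = [(name, weight, bool(check(blocks))) for name, weight, check, _ in RULES]
    weight_ok = sum(w for _, w, ok in results if ok)
    weight_all = sum(w for _, w, _ in results)
    fix = ["! Fix script: edit the commented lines, then paste in global config mode"]
    for (name, _, ok), (_, _, _, fix_lines) in zip(results, RULES):
        if not ok:
            fix.append(f"! --- {name}")
            fix.extend(fix_lines)
    return {
        "results": results,
        "percent": round(100 * sum(ok for _, _, ok in results) / len(results)),
        "weighted": round(100 * weight_ok / weight_all),
        "fix_script": "\n".join(fix),
    }

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for name, weight, ok in report["results"]:
        print(f"{'PASS' if ok else 'FAIL'}  weight={weight:2}  {name}")
    print(f"score {report['percent']}%  weighted {report['weighted']}%")
    print(report["fix_script"])
```

Unlike RAT, this demo only matches commands that appear explicitly in the text; a real benchmark also knows which settings are the default for a given IOS release (RAT's "on IOS 11" versus "on IOS 12" rules) and will not flag a service that is already off by default.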
If you use the --snarf option with no other option, RAT prompts you for various passwords. Note that as each of the passwords is entered, RAT echoes them on-screen in clear text. Example 8-8 illustrates RAT using the --snarf option, with no other options, to audit the router. As shown in the highlighted text, RAT prompts for the login (Telnet) password and enable password. RAT also warns about displaying the password in clear text. RAT downloads, saves, and parses the configuration file to create the audit report. Also note that RAT prompts for a TACACS or SecureID passcode. You can press Enter to skip the prompt because most Cisco routers do not use passcodes.

Example 8-8. RAT Audit Through Telnet

C:\CIS\RAT\bin>rat --snarf 192.168.0.10
snarfing 192.168.0.10...WARNING: Password will be echo'd to screen.
Password: cisco
WARNING: Password will be echo'd to screen.
Hit Enter unless using TACACS or SecureID.
Passcode:
WARNING: Password will be echo'd to screen.
Enable password: ciscopal123
C:\CIS\RAT/bin/snarf: Saved ./192.168.0.10
done.
auditing 192.168.0.10...
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/common.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-1.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-2.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/local.conf/
Checking: 192.168.0.10
done checking 192.168.0.10.
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/common.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-1.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-2.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/local.conf/
ncat_report: writing 192.168.0.10.ncat_fix.txt.
ncat_report: writing 192.168.0.10.ncat_report.txt.
ncat_report: writing 192.168.0.10.html.
ncat_report: writing rules.html (cisco-ios-benchmark.html).
ncat_report: writing all.ncat_fix.txt.
ncat_report: writing all.ncat_report.txt.
ncat_report: writing all.html.
C:\CIS\RAT\bin>

Caution: The passwords shown in this example (Telnet password cisco and enable password ciscopal123) are for illustration purposes only. Always use passwords that are at least eight characters long and contain special characters such as #, %, and &.

You can also specify the Telnet and enable passwords through the CLI. To get the same results as shown in Example 8-8, the command is as follows:

rat --snarf --userpw=cisco --enablepw=ciscopal123 192.168.0.10

For routers that need a username and password combination for Telnet login, you can use the --username option. For example, to audit router 192.168.0.5 with username spope, use the following RAT command:

rat --snarf --username=spope --userpw=cisco --enablepw=cisco123 192.168.0.5

The password associated with username spope is cisco, and the enable password is cisco123.

IOS Configuration Errors: Audit Using SDM

Cisco Router and Security Device Manager (SDM) is a web-based device-management tool for configuring routing, switching, security, and quality of service (QoS) services on Cisco routers. The SDM wizards enable users to deploy, configure, and monitor a Cisco router without requiring knowledge of the CLI. Cisco Netadmins can use the Cisco SDM for faster and easier deployment of Cisco routers for both network security features and WAN access. Cisco SDM is supported on Cisco 830S, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, 7200, and 7301 Series routers. Cisco SDM also provides monitoring, fault management, and troubleshooting for Cisco routers. Unlike RAT, SDM supports only IOS routers.

Caution: The configurations generated by SDM are approved by the Cisco Technical Assistance Center (TAC), and the checks that are built into Cisco SDM reduce configuration errors. Despite these facts, Netadmins should exercise caution and common sense while pushing configurations through SDM.

From a router security perspective, SDM provides the following security audit tools:
To use the security audit tool, you must first install and configure SDM on the router. After SDM is installed, you can connect to the router through your browser to launch SDM. From within the SDM window, you can use the built-in utilities such as the Security Audit Wizard or the One-Step Lockdown. The following sections cover each of these tasks.

Deploying SDM on Cisco Routers

SDM comes preinstalled on new router models. You can also download the latest SDM files from the Cisco website and copy them to the router using the following command:

Router# copy tftp://tftp-server-IP-address/sdm.tar flash:

A complete list of router models and IOS versions supported by SDM is available at the Cisco SDM home page:
Note: At the time of publication, Cisco released a newer version of SDM that can also be installed locally on a PC rather than running it off of a router.

Configuring SDM

To configure the router for SDM, enable the HTTP server on the router and define a local username and password. Example 8-9 provides a list of commands that enable the HTTP server with local authentication using the username user1 and the password cisco123. The ip http secure-server command enables an HTTPS server on the router. HTTPS is more secure and is supported on every IOS version that supports the Crypto/IPSec feature set, starting with Cisco IOS Release 12.2.5(T).

Example 8-9. Configuring IOS to Enable SDM

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip http server
! --you can also enable https server if supported by the IOS image--
Router(config)#ip http secure-server
Router(config)#ip http authentication local
Router(config)#username user1 privilege 15 password 0 cisco123

Note: If you enable an HTTPS server, disable the HTTP server using the no ip http server command to prevent unencrypted access.

Launching SDM to Use the Security Audit Tools

Follow these steps to launch SDM:
Figure 8-12. SDM Home Page

Using the SDM-Based Security Audit Tools

As previously discussed, the following security audit tools allow you to secure the router:
Using the Security Audit Wizard for Router Security

After launching SDM, you can start the Security Audit Wizard by following these steps:
The router is now secured in accordance with the security best practices recommended by the ICSA and Cisco TAC. To view the new configuration, choose Tools > Running Config on the SDM toolbar.

Using One-Step Lockdown for Router Security

The One-step lockdown button on the Security Audit page configures the router with predefined security settings. Unlike the security wizard, One-Step Lockdown directly applies the settings to the router without prompting the user for customization. To secure the router using the One-Step Lockdown feature, click the One-step lockdown button on the Security Audit page, as shown in Figure 8-12. To roll back the commands applied by One-Step Lockdown, run the Security Audit Wizard again. On the Security Audit Wizard page, select Undo Security configurations, as shown in Figure 8-16. The Undo check boxes allow you to restore the router to a usable state, especially if problems occur due to One-Step Lockdown.

Figure 8-16. Security Audit Undo Security Configurations

Caution: One-Step Lockdown can cause a service disruption. Always verify the changes in a test environment before deploying the tool in a production environment.

Best Practice Recommendations

In addition to the tools discussed in this chapter, the following are two good documents for hardening Cisco routers. Both documents provide good insight into the nuances of hardening Cisco routers and the services running over them. Although the second document appears to be for Internet service providers (ISP), the information is useful for anyone who deals with IOS devices. The URL for each of these documents is as follows:
Cisco switches provide protection mechanisms for securing the switches and the network against network attacks. Many of the features provide immunity against Layer 2 attacks. The following documents provide Netadmins with a comprehensive checklist for protecting their networks against Layer 2 attacks:
Because of the in-depth coverage of security features provided, these documents should find a permanent place in the Netadmin's security tool kit. Finally, none of the tools discussed in this chapter provide a silver bullet for router security. Each tool has its merits and limitations. Netadmins should appropriately weigh these tools against their network environment and business needs. A configuration change might be in accordance with security best practices but can result in cutting off your corporate network from the rest of the world. Remember, the most secure computer on the Internet is the one with no network connection. Unfortunately, that same computer is of little value.