Version 0.02
Cisco Route-Switch Security Audit (RSSA)
pg. 1
Not all options discussed are available under all versions of the various Cisco operating systems. Before
attempting to determine the security posture of a Cisco device, research should be conducted on the
capabilities of the IOS installed using the Cisco Feature Navigator or similar Cisco-provided tool.
There are as many ways to secure networking devices as there are devices. It is technically and tactically
impossible to spell out exactly what needs to be done to determine whether or not a generic device is
securely configured. What follows is a compilation of recommendations from over a dozen sources.
Generally, the commands illustrated here should suffice to secure any network device in isolation. Once
the device is incorporated into a viable network, modifications will probably be necessary.
Cisco equipment, like most networking equipment, functions at three distinct operational planes:
management, control, and data. Each plane has different security requirements and is configured using a
unique set of security commands. This document attempts to group the various commands into categories
under each of the three planes of operation. Each plane affects the other two. Should either the control
plane or management plane be compromised, the other, in addition to the data plane, will be adversely
affected. It is therefore vitally important that each plane be vigorously safeguarded against attack.
The best known auditing tool for Cisco routers is the Router Audit Tool, or RAT. Developed by the Center
for Internet Security (CIS), it was written to help audit configurations on Cisco routers; it does not work
on switches, firewalls, or other Cisco devices. It works by applying baseline tests against the running
configuration loaded on the router. A more detailed description is provided by the rat.txt file from version
2.4.1: “rat audits router configurations. If you have already downloaded the [router] configuration files by
some other means, you may specify the path to those files on the command line. Alternately, with the use
of the --snarf switch, rat will log into the routers specified (you have to provide login info), pull down the
configurations, audit them against a set of rules and produce several output files for each router. One is a
passwd style file listing all rules, pass/fail and other info. Two is a simple text-based report. Three is a
‘fix’ file suitable for cut-and-paste into config mode to fix the problems identified. Four is an HTML
version of the report.”
Management Plane
1. Configuration Management
A. Configuration file archive:
archive
path flash:backup-config
maximum 10
time-period 1440
write-memory
This configuration instructs the IOS to create up to 10 backup configuration files (also referred to
as archived configs) named backup-config-N, where N is the number of the backup, on the flash:
file system given in the path command; to create a new backup once a day (1440 minutes); and to create
a new backup whenever the write memory command is issued.
B. Configuration change log:
archive
log config
logging enable
logging size 150
hidekeys
notify syslog
Part of the archive configuration, this series of commands creates log entries describing
configuration changes. Each entry identifies the user who made the change, the command that was
entered, and the time it was executed. The hidekeys option prevents the logging of passwords, and
notify syslog generates a syslog entry for each change. To view the log entries, use
show archive log config all.
C. Rolling back configuration files:
configure replace <filesystem>:<filename> – replaces the running configuration with the file
named <filename> located on <filesystem>
For example:
configure replace flash:backup-config-7 – replaces the running-config with the file named
backup-config-7 stored on the flash: file system.
show archive – lists the backup files contained in the file systems
D. Exclusive Configuration Change Access: configuration mode exclusive auto automatically locks
the configuration as soon as an administrator issues the configure terminal exec level command;
configuration mode exclusive manual allows the administrator to use the configure terminal
lock command to gain exclusive access to the configuration file.
E. Resilient Configuration: secure boot-image securely stores the IOS currently in use; secure
boot-config securely stores a copy of the configuration file; show secure boot displays the
current running state of the resilient configuration.
2. Access
A. Accessing the management plane should be accomplished through the use of a loopback
interface. Loopback interfaces never go down. As long as the administrator has access to the IOS
through any physical interface on the device, a connection can be established with the loopback.
interface loopback <number>
B. exec, login, and motd banners must be set. In the output of the show run command:
banner [ exec | login | motd ] ^C BANNER TEXT ^C
C. Typically, line connections (vty, tty, & console) time out after ten minutes of inactivity.
line [ vty | con | tty ]
exec-timeout <minutes> [seconds]
A setting of 0 (zero) for <minutes> disables this feature. A timeout of 10 minutes is the default
setting and will not show up in the configuration file.
D. The auxiliary port (aux) should be disabled:
line aux 0
no exec
transport input none
E. Access to the lines must be limited to only authorized ip address[es]:
access-list <#> permit tcp [ <ip_address> <wildcard_mask> | host <ip_address> ] any
access-list <#> deny ip any any
line [ vty | con | tty ] [ beg# end# ]
(config-line)#access-class <#> in
F. Telnet/SSH/SCP – Secure Copy (SCP) is part of the Secure Shell (SSH) package. Activating SSH
requires a series of commands:
hostname <hostname>
ip domain-name <domain.name>
crypto key generate rsa – activates ssh
ip ssh version 2 – should be set to version 2
ip ssh time-out 60 – default is 120 seconds
ip ssh authentication retries 2 – allowed login attempts
line vty 0 4 – activate for all 5 vty lines
(config-line)#transport input ssh – forces ssh connections; telnet no longer allowed
ip scp server enable – activates the secure copy server
G. HTTP/HTTPS – Cisco devices provide a web-based interface for displaying configuration
information and, alternatively, configuring it. Routers and firewalls provide actual web-based
device management applications such as the Security Device Manager and Adaptive Security
Device Manager. To ensure that configuration information is not exposed to malicious users, the
secure http server should be used.
Typically, on Cisco routers:
no ip http server – turns off the unsecure http server
ip http secure-server – turns on the secure server
Because the http server(s) provide access to the management plane, access to them must be
controlled as well. Access to the servers can be controlled through the use of access control lists
discussed elsewhere in this document or a command line configuration command. The format of
these commands is dependent on the device. Typically, the command would be one of the
following:
ip http authentication local – uses the local database
ip http authentication aaa – uses AAA authentication
Some form of the command ip http authentication <option> should exist.
H. FTP/TFTP:
1) Cisco recommends that the ftp server on its devices be disabled unless necessary for a
specific purpose. The ftp server is disabled by default and has been removed in newer
versions of the IOS. Secure Copy (SCP) should be used in its place. The command ftp server
enable activates the ftp server on versions of the IOS that still support it.
2) In older versions of Cisco IOS, the tftp server can be configured with multiple lines. If there
are lines in the configuration file beginning with tftp-server, every line needs to be removed
using the [no] version of the command. The tftp server is disabled by default and has been
removed from newer versions of the IOS.
3. Authentication
A. Local
1) username <name> privilege <level> secret <password> – creates a local user named
<name> who has exec <level> privileges and an MD5-hashed <password>. The first
execution of this command creates a local database on the device. Subsequent executions add
new users to this database.
2) Local users should have only minimal privilege level access. Users at level 1 (one) have very
basic access, while those at level 15 have unlimited access. Standard Operating Procedures
(SOP) should include guidelines for specific assignment of levels of access.
3) login local – when configured on a line (vty, con, or tty), causes the IOS to authenticate
against the user accounts stored in the local database.
4) Password retry lockout – using AAA (see next section), it is possible to lock out a local user
account after a specific number of failed password attempts.
aaa local authentication attempts max-fail <max-attempts>
Once locked out, an account remains locked out until a user with level 15 access unlocks it.
Level 15 users cannot lock themselves out.
B. Authentication, Authorization, and Accounting (AAA)
1) AAA should be configured. The first step is to activate it:
aaa new-model
2) AAA authentication is enforced through the use of method lists. These are collections of
procedures, or “methods”, which will be used in sequence to authenticate logins.
3) Keywords available under the aaa command:
aaa accounting – accounting configuration parameters
aaa attribute – AAA attribute definitions
aaa authentication – authentication configuration parameters
aaa authorization – authorization configuration parameters
aaa cache – AAA cache definitions
aaa configuration – authorization configuration parameters
aaa dnis – associate certain AAA parameters to a specific DNIS number
aaa group – AAA group definitions
aaa local – AAA local method options
aaa max-sessions – adjust initial hash size for estimated max sessions
aaa memory – AAA memory parameters
aaa nas – NAS specific configuration
aaa new-model – enable new access control commands & functions
aaa pod – POD processing
aaa policy – AAA policy parameters
aaa route – static route downloading
aaa server – local AAA server
aaa session-id – AAA session ID
aaa session-mib – AAA session MIB options
aaa traceback – traceback recording
aaa user – AAA user definitions
4) Authentication – keywords available under aaa authentication:
arap – set authentication list for arap
attempts – set maximum number of authentication attempts
banner – message to use when starting login or authentication
dot1x – set authentication lists for IEEE 802.1x
enable – set authentication list for enable
eou – set authentication list for EAPoUDP
fail-message – message to display for failed login or authentication
login – set authentication lists for logins
password-prompt – text to use when prompting for a password
ppp – set authentication lists for ppp
sgbp – set authentication lists for sgbp
suppress – do not send access request for a specific type of user
username-prompt – text to use when prompting for a username
5) TACACS+
6) RADIUS
C. Passwords – When MD5 is used to hash a password, the resulting hash value replaces the
plaintext password in the configuration file. When a user enters a password, it is hashed and the
resulting hash value is compared to the one stored in the configuration. When examining the
configuration file, the user will see only the hash values, not the passwords.
1) enable secret – sets the password for privileged exec mode and hashes the password using
the MD5 hashing algorithm. The enable password command uses a proprietary encryption
algorithm which provides no security and should not be used.
2) service password-encryption – causes passwords on the device to be encrypted using a
proprietary encryption based on a simple Vigenère cipher. Its purpose is to prevent the casual
observation of the passwords, not to secure them.
3) no service password-recovery – prevents anyone with console access from insecurely
accessing the device configuration and clearing the password; it prevents users from changing
configuration register values to allow NVRAM access.
4) username <name> secret <password> – using the secret keyword in the username
command causes the user’s password to be hashed using MD5
5) Although line passwords become superfluous when local authentication or AAA is
configured, they should still be set to guarantee some level of access control.
line [ vty | con | tty ] [ beg# end# ]
password <strong_password>
6) Password retry lockout is enabled using the AAA feature. It is discussed under the local
authentication section.
4. Logging/Monitoring
A. Syslog – Syslog entries should be directed to a syslog server. There are several options available
from the command line.
1) To activate the logging function:
logging on
2) To send syslog traffic to a remote host:
logging [host] <server_ip_address>
(some IOS require the use of the host keyword)
3) To temporarily store syslog messages in memory:
logging buffered <buffer_size> <trap_level> – see 5) below for a description of trap levels
4) Newer IOS support writing syslog traffic to persistent memory. Using this method allows the
administrator to copy the buffered syslogs to a remote ftp server. Assuming there is an ATA
flash disk on the router, the following commands can be used:
logging buffered
logging persistent url disk0:/<filename> size <max_memory> filesize <max_filesize>
5) There are 8 levels of logging available, numbered 0 through 7. Setting a specific level with the
logging trap <#> command causes log messages at or below that level to be generated. Setting the
trap level to 7 can cause excessive cpu load, which can lead to network instability.
logging trap 6 – logs all messages from levels 0 through 6
logging buffered 6 – used for buffered syslog traffic
The textual definition of the level can be used in lieu of the number. For example, the
command logging trap informational is equivalent to logging trap 6.
6) To avoid excessive cpu load, logging messages should not be sent to either the console or to a
vty line being used as a monitor. Ensure that these options are disabled.
no logging console
no logging monitor
7) The management loopback interface address should be used as a tag for all syslog traffic.
Using the same interface configured for management (see 2.A. above) will provide a
consistent method of identifying the source of the traffic.
logging source-interface loopback 0
8) Assuming NTP (see D. below) is configured on each device, the following logging
configuration will assure that all syslog traffic is time-stamped consistently to the
millisecond. Consistent time-stamping is absolutely essential in event correlation.
service timestamps log datetime msec show-timezone localtime
B. Simple Network Management Protocol (snmp):
1) If snmp is not to be used, disable the server:
no snmp-server
2) Community Strings: snmp is protected through the use of two passwords called community
strings. One community string is used to allow read-only access to attributes in the
Management Information Base (MIB) for the device, while the other is used to allow write
access to the same attributes. The two community strings must be different to provide
adequate security. Additionally, best practices dictate that they be carefully chosen, changed
often, and constructed of complex character sequences.
snmp-server community <read_only_password> RO
snmp-server community <read_write_password> RW
3) The default community strings for snmp are “public” for RO access and “private” for RW
access. If snmp is enabled, these strings must not be active. Make sure they are set as above.
4) Access to snmp can be controlled through the use of a standard access control list. If, for
example, we wanted only a single network management station (NMS) to have read-write
access to snmp, we would first create an access list and then apply it to the server command.
A second access list could be applied to the read-only setting to allow all other stations in the
LAN access to it.
access-list 14 permit 192.168.5.12
access-list 15 permit 192.168.5.0 0.0.0.255
snmp-server community <read_only_community_string> RO 15
snmp-server community <read_write_community_string> RW 14
5) snmp can submit traps. Traps are alerts that are generated by many different subsystems on
the router. Activate traps with the following
snmp-server enable traps snmp [authentication][linkup][linkdown][coldstart][warmstart]
If active, traps should be sent to a specific snmp server.
snmp-server host <ip_address> <trap_community_string>
If traps are not in use, they should be disabled:
no snmp-server enable traps
6) snmp Views: A complete understanding of snmp views requires a thorough understanding of
the MIB. A MIB is divided into categories of attributes, some of which are internet, directory,
mgmt, and system. To limit everyone in the network described in 2 above to only the
directory group of the mib, you would create a view and then assign a community string and
access list to it.
snmp-server view DIRECTORY_ONLY directory include
snmp-server community <directory_only_community_string> DIRECTORY_ONLY
7) For SNMPv3, encryption and authentication of messages must be enforced. The first step in that
process is to force privacy for every SNMPv3 group:
snmp-server group <group_name> v3 priv
The next step is to configure encryption and authentication for each user (entered as one command):
snmp-server user <user_name> <group_name> v3 auth sha <auth_password> priv aes 256 <priv_password> access <acl_name_or_number>
C. Netflow –
D. Network Time Protocol (NTP)
1) To configure authentication for ntp:
ntp authenticate
2) To configure an authentication key for use in synchronizing with other devices:
ntp authentication-key <number> md5 <value>
<number> can be any number from 1 to 4294967295. The md5 keyword indicates that the
md5 hashing algorithm should be used to hash the <value>, which is an arbitrary string of up
to 8 characters.
3) To restrict which remote devices are allowed to interact with the ntp service on the device,
use the ntp access-group command. Proper use of this command is determined by the network
in which the device is connected. If the command is used, the correct format is:
ntp access-group <query-only | serve-only | serve | peer> <access_list_number>
query-only – allows ntp control queries
serve-only – allows only time requests
serve – time requests & control queries
peer – time requests, control queries, and synchronization with the remote system
5. Disabling unused services.
A. Small tcp and udp services can be used for denial of service attacks. Cisco recommends that these
services be disabled, which they are in newer IOSs. In older IOSs, turn them off using the no
service tcp-small-servers and no service udp-small-servers commands. Services affected by
these commands include echo (port 7), discard (port 9), daytime (port 13), and chargen (port 19).
B. Other services should be disabled individually:
1) no ip finger – The finger command is used to list all currently logged-in users.
2) no ip bootp server – Bootp could allow a malicious user to obtain an IP address.
3) no ip directed-broadcast – Directed broadcasts are used by the Smurf attack. On newer
IOSs, it is disabled by default. It should not be enabled unless specifically required.
4) no ip source-route – IP source routing allows the originator of an IP packet to dictate the
path the packet should take to its destination. It is disabled by default. It should only be
enabled if it is specifically required.
5) no ip unreachables – ICMP unreachable messages can be used to map out the network
topology. It is disabled by default. It should only be enabled if specifically required.
6) ip dhcp bootp ignore – DHCP can respond to bootp requests. Issuing this command sets the
dhcp server to ignore all bootp requests and respond only to dhcp requests.
7) no service dhcp – DHCP could allow a malicious user to obtain an IP address.
8) no mop enabled – The Maintenance Operation Protocol (mop) is used for uploading and
downloading system software and remote testing. Odds are it isn’t necessary.
9) no ip domain-lookup – If DNS is not implemented in your network, you should disable it on
your network devices.
10) no service pad – The packet assembler/disassembler is a service used by X.25 networks.
11) no ip http server – Cisco devices can be accessed by an embedded webpage or device
manager. If it is necessary to allow http access, use the ip http secure-server command to
provide https access.
12) no ip http secure-server – If not needed, turn off the secure server as well.
13) no service config – Unless configuration files are being downloaded over the network, the
config service is not required.
6. Discovery
A. Cisco Discovery Protocol (cdp) – cdp is not secure. It should not be used on any interface which
faces an untrusted area.
1) no cdp enable – disables cdp on an individual interface; must be entered in interface
configuration mode
2) no cdp run – disable cdp globally; must be entered in global configuration mode
B. Link Layer Discovery Protocol (lldp) – Configure lldp using the same parameters as cdp.
1) no lldp transmit & no lldp receive – interface configuration mode
2) no lldp run global – global configuration mode
7. service tcp-keepalives-in and service tcp-keepalives-out – To ensure that tcp connections with
remote devices remain viable, keepalive messages must be sent on both inbound and outbound connections.
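As an added illustration of the baseline-test approach described for RAT above (example code written for this document, not RAT itself or any Cisco tool), the following Python script parses a running-config and applies a handful of the checks from sections 2 through 6 to two constructed configurations. The rule names, regular expressions, sample addresses and hash values are assumptions, not Cisco output.

```python
import re
# Constructed sample running-config showing several findings covered in this document.
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
username admin privilege 15 password 7 0123456789ABCDEF
ip http server
snmp-server community public RO
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
"""

# The same device after applying the fixes from sections 2 through 6 (also constructed).
HARDENED_CONFIG = """\
hostname edge-rtr
aaa new-model
enable secret 5 $1$abcd$constructedplaceholderhash
username admin privilege 15 secret 5 $1$abcd$constructedplaceholderhash
no ip http server
ip http secure-server
ip ssh version 2
snmp-server community L0ngR4nd0mStr1ng RO 15
no cdp run
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
"""

def parse(config):
    """Split an IOS config into its global lines and the indented body of each block."""
    top, blocks, current = [], {}, None
    for raw in (l for l in config.splitlines() if l.strip() and not l.lstrip().startswith("!")):
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())   # child line of the preceding block header
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks

def has(lines, pattern):
    """True if any line matches the regular expression anchored at the line start."""
    return any(re.match(pattern, line) for line in lines)

def audit(config):
    """Return {rule: passed} for a subset of the management-plane checks in this document.
    Defaults are not shown in a running-config, so a feature that is on by default (cdp)
    is checked by the presence of its 'no' form, not by the absence of the enabling line."""
    top, blocks = parse(config)
    results = {
        "3.B aaa new-model configured": has(top, r"aaa new-model$"),
        "3.C.1 enable secret used, no enable password": has(top, r"enable secret ") and not has(top, r"enable password "),
        "3.C.4 no reversible (type 7) user passwords": not has(top, r"username \S+ .*password 7 "),
        "2.G plaintext http server disabled": not has(top, r"ip http server$"),
        "2.F ssh version 2 forced": has(top, r"ip ssh version 2$"),
        "4.B no default snmp community strings": not has(top, r"snmp-server community (public|private)\b"),
        "6.A cdp disabled globally": has(top, r"no cdp run$"),
    }
    for header, body in blocks.items():
        if header.startswith("line vty"):
            results[header + ": ssh-only transport"] = has(body, r"transport input ssh$")
            results[header + ": exec-timeout not disabled"] = not has(body, r"exec-timeout 0( 0)?$")
            results[header + ": access-class applied"] = has(body, r"access-class \S+ in$")
    return results
```

Running audit(WEAK_CONFIG) fails every rule, while audit(HARDENED_CONFIG) passes all of them; an exec-timeout of 0 30 (thirty seconds) is correctly not reported as disabled.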