WP # 2001.00 Audit of Network Routers

Description
[Describe the nature and intended usage for the program here]

Revision Info
This program was last reviewed/updated on [Click to Insert Date here]

Columns: Step | Audit Procedure | Perf'd/Approved By | Workpaper Reference

BACKGROUND & PLANNING

1. Obtain adequate background information on the audit area such as:
   • Audit reports from other audit and/or compliance groups
   • Productivity and performance measurement reports/stats
   • Policies & Procedures
   • List of information technology applications utilized
   • List of laws and regulations

2. Review router security policies and ensure the policies address:
   • Physical Integrity (physical access, electrical access)
   • Core Static Configuration (admin access, software updates, etc)
   • Dynamic configuration and router status (routing protocols)
   • Network traffic through the router (filtering)
   See the router policy checklist in the Appendix.

3. Examine productivity and performance measures for trends to assist in developing the audit scope.

INFORMATION SYSTEMS

The following represents general information systems testwork to be performed if warranted based on the risk posed by individual systems.

4. Determine and list the primary information systems utilized within the operations. Consider performing the following testing based on the risk.

5. Review the process for granting and terminating user access. Perform detailed testing to determine if access is terminated timely.

Page 1 of 12

6. On a sample basis, test specific user access to determine if access is commensurate with job functions. Additionally, determine if access promotes adequate segregation of duties.

7. Perform testing where necessary to determine if system data is adequately backed up.

8. Determine the nature and extent of system interfaces. Review (perform testing of) interfaces to determine if data is accurate, complete and timely.
   Also consider whether there is a process to address interface errors.

9. Determine the effectiveness of basic application controls. Consider the following: does the system
   • Promote the use of strong passwords
   • Contain an appropriate audit trail
   • Contain adequate input validation controls

DETERMINE ROUTER RESPONSIBILITIES & PROCESSES

10. Determine router processes and responsibilities by interviewing relevant personnel (system administrators, network administrators, information security team, etc) to gain an understanding of the following:
   • Initial setup (i.e. baselines, standard builds, etc)
   • User management (i.e. user setup, remote access, password policy, etc)
   • Configuration updates/change control
   • Logging and backups

DETERMINE NETWORK ARCHITECTURE

11. Utilize an up-to-date network diagram to determine the network architecture. Gain an understanding of the function of routers within the network. For example:
   • Interior Routers – An interior router forwards traffic between two or more local networks within an organization or enterprise. The networks connected by an interior router often share the same security policy, and the level of trust between them is usually high.
   • Backbone Routers – A backbone or exterior router is one that forwards traffic between different enterprises (sometimes called different 'autonomous systems'). The traffic between the different networks that make up the Internet is directed by backbone routers.
   • Border Routers – A border router forwards traffic between an enterprise and exterior networks. The key aspect of a border router is that it forms part of the boundary between the trusted internal networks of an enterprise and untrusted external networks (e.g. the Internet).

12. With the assistance of and permission from appropriate personnel, use a network mapping tool to obtain an "active footprint" of the network.
   The appropriate network personnel should have a tool (i.e. nmap, Nessus). Allow information technology personnel to perform the network mapping scan. Determine, at minimum:
   • What hosts are available on the network
   • The operating system and version running
   Note: It is not necessary to determine the services running at this point.

13. Compare results to information maintained by the IT group (i.e. are there devices connected that IT is unaware of).

PHYSICAL SECURITY

14. Determine the physical location of router and firewall equipment. Ensure the area is physically secured in a manner that provides access to relevant personnel only. (Workpaper reference: 2007.00)

EVALUATE ROUTER SYSTEM MANAGEMENT

15. Obtain an understanding of the Authentication, Authorization, and Accounting (AAA) functions (i.e. granting, revoking, and monitoring user access). In Cisco routers, this is the new access control facility for controlling access, privileges, and logging of user activities on a router.
   (1) Authentication is the mechanism for identifying users before allowing access to a network component.
   (2) Authorization is the method used to describe what a user has the right to do once he has authenticated to the router.
   (3) Accounting is the component that allows for logging and tracking of user and traffic activities on the router, which can be used later for resource tracking or troubleshooting.

16. Based on risk, select specific routers for detailed access testing:
   • Determine the access methods utilized (telnet, ssh, http, snmp, tftp, etc)
     o Ensure remote access over untrusted networks is adequately protected, because with clear-text protocols such as telnet the user's password travels the network in clear text form (i.e. the security of remote administration can be enhanced by using a protocol that provides confidentiality and integrity assurances, such as IPSec or SSH).
   • Determine if access control lists are used and evaluate the appropriateness of the lists.
   • Ensure the use of timeouts for session activity.
   • Ensure the authentication method is secure (encryption) and requires strong passwords.
   • Ensure "Accounting" is adequate. For example, determine if user access is logged and if logs are adequately secured and maintained in a manner that promotes future reference if necessary.
   • Ensure banners are used to notify individuals of the equipment ownership, intended uses and repercussions of unwarranted uses. Additionally, ensure banners do not contain (1) network architecture or device information in the banner message, (2) router model and location information, or (3) any information that should not be shared with the general public.
     o MOTD (message of the day banner) – displays legal notice
     o Login Banner – (typically a clear text protocol)
     o Exec Banner – (displays after authentication)
   • Ensure unnecessary management services are disabled. For example:
     o Finger – Unix user lookup service, allows remote listing of logged in users.
     o Identd – The ident protocol is considered dangerous because it allows hackers to gain a list of usernames on a computer system which can later be used for attacks. A generally accepted solution to this is to set up a generic/generated identifier, returning node information or even gibberish (from the requester's point of view) rather than usernames.
     o http – offers web-based configuration.

EVALUATE ROUTER SYSTEM CONTROL

17.
   Determine the nature and extent of system controls including but not limited to:
   • Clock Configuration (external synchronization)
   • Logging (enabled, offsite to another server, time stamped messages, buffer sizes appropriate, console level logging enabled, appropriate logging levels (p56))
   • Control Services (appropriate services enabled/disabled such as small tcp services, small udp services, bootp, cdp, config services, tftp services, use tcp keep-alives)

18. Perform detailed testing of select routers and determine if:
   • Clocks – all are synchronized in a manner that allows for comparative analysis
   • Logging
     o Logging is enabled
     o Logs are stored in a secure location
     o Activity logged is adequate

19. Perform detailed testing of select routers and determine if unnecessary services are disabled and necessary services are enabled.

EVALUATE ROUTER DATA CONTROL

20. Evaluate the measures taken to control information passing through the router and/or information originating from the router itself.
   Specifically gain an understanding of the philosophy and usage of the following:
   • Directed Broadcast – amplifies a request, can be used to map a network, smurf attacks
   • Source Routing – allows packets to specify the path to take
   • Proxy ARP – router acts as proxy server
   • Tunneled Interfaces
   • ICMP Redirects & Echo Request – router is giving away too much information
   • ICMP unreachable – router notifies senders of incorrect IP addresses
   • Ingress Filtering – traffic coming in from external sources
     o Loopback addresses – 127.0.0.0/8 – special IP address that allows IP applications to communicate with other applications on the same host without knowing the IP address assigned to the host
     o Link Local addresses
     o Zero addresses (this network) – 0.0.0.0/8
   • Egress Filtering – traffic going out; only let out packets with a valid source IP address (makes you a good net neighbor)
   • Log MAC id of traffic to identify (or come close to identifying) offenders

21. Select a sample of routers and ensure appropriate use of:
   • Directed Broadcasts
   • Source Routing
   • Proxy ARP
   • Tunneled Interfaces
   • Redirects
   • Unreachable Notifications

22. Select a sample of routers and ensure appropriate use of:
   • Inbound traffic filters (i.e. inbound traffic with source IP of internal network and/or reserved addresses blocked)

23. Select a sample of routers and ensure appropriate use of:
   • Outbound traffic filters (i.e. only allow owned addresses out).

BUSINESS CONTINUITY PLANNING

24. If necessary, obtain and review the department's business continuity plan. Determine if the plan identifies, at minimum:
   • Critical Business Processes
   • Applications & Systems
   • Process Dependencies
   • Process Recovery Procedures
   • Recovery Site Information
   • Contact Lists, including:
     o Employee Contact Information
     o Department Notifications
     o Vendor Notification
     o Other Emergency Contact Numbers (Local EMS, Fire, Police, Etc)

25. Determine if the plan is tested regularly.
   Obtain and review the most recent testing documentation.

WRAP UP

26. Notate all issues on the issue log.
27. Submit workpapers for review.
28. Clear review notes.
29. Prepare draft report.
30. Prepare final report.
31. Return original client documentation.
32. File workpapers (manual and/or electronic).

Appendix

Overview of IOS Features to Disable or Restrict

| Feature | Description | Default | Recommendation |
|---|---|---|---|
| Cisco Discovery Protocol (CDP) | Proprietary layer 2 protocol between Cisco devices. | Enabled | CDP is almost never needed, disable it. |
| TCP small servers | Standard TCP network services: echo, chargen, etc. | 11.3: disabled; 11.2: enabled | This is a legacy feature, disable it explicitly. |
| UDP small servers | Standard UDP network services: echo, discard, etc. | 11.3: disabled; 11.2: enabled | This is a legacy feature, disable it explicitly. |
| Finger | Unix user lookup service, allows remote listing of logged in users. | Enabled | Unauthorized persons don't need to know this, disable it. |
| HTTP server | Some Cisco IOS devices offer web-based configuration. | Varies by device | If not in use, explicitly disable, otherwise restrict access. |
| Bootp server | Service to allow other routers to boot from this one. | Enabled | This is rarely needed and may open a security hole, disable it. |
| Configuration auto-loading | Router will attempt to load its configuration via TFTP. | Disabled | This is rarely used, disable it if it is not in use. |
| PAD service | Router will support X.25 packet assembler service. | Enabled | Disable if not explicitly needed. |
| IP source routing | Feature that allows a packet to specify its own route. | Enabled | Can be helpful in attacks, disable it. |
| Proxy ARP | Router will act as a proxy for layer 2 address resolution. | Enabled | Disable this service unless the router is serving as a LAN bridge. |
| IP directed broadcast | Packets can identify a target LAN for broadcasts. | Enabled (11.3 & earlier) | Directed broadcast can be used for attacks, disable it. |
| IP unreachable notifications | Router will explicitly notify senders of incorrect IP addresses. | Enabled | Can aid network mapping, disable on interfaces to untrusted networks. |
| IP mask reply | Router will send an interface's IP address mask in response to an ICMP mask request. | Disabled | Can aid IP address mapping; explicitly disable on interfaces to untrusted networks. |
| IP redirects | Router will send an ICMP redirect message in response to certain routed IP packets. | Enabled | Can aid network mapping, disable on interfaces to untrusted networks. |
| Maintenance Operations Protocol (MOP) | Legacy management protocol, part of the DECNet protocol suite. | Enabled (on Ethernet interfaces) | Disable if not explicitly needed. |
| NTP service | Router can act as a time server for other devices and hosts. | Enabled (if NTP is configured) | If not in use, explicitly disable, otherwise restrict access. |
| Simple Network Mgmt. Protocol | Routers can support SNMP remote query and configuration. | Enabled | If not in use, remove default community strings and explicitly disable, otherwise restrict access. |
| Domain Name Service | Routers can perform DNS name resolution. | Enabled (broadcast) | Set the DNS server addresses explicitly, or disable DNS lookup. |

Router Security Policy Checklist (from the National Security Agency – System and Network Attack Center (SNAC))

The checklist below is designed as an aid for creating router security policy. After drafting a policy, step through the list and check that each item is addressed in your policy.

Physical Security
• Designates who is authorized to install, de-install, and move the router.
• Designates who is authorized to perform hardware maintenance and to change the physical configuration of the router.
• Designates who is authorized to make physical connections to the router.
• Defines controls on placement and use of console and other direct access port connections.
• Defines recovery procedures for the event of physical damage to the router, or evidence of tampering with the router.

Static Configuration Security
• Designates who is authorized to log in directly to the router via the console or other direct access port connections.
• Designates who is authorized to assume administrative privileges on the router.
• Defines procedures and practices for making changes to the router static configuration (e.g. log book, change recording, review procedures).
• Defines the password policy for user/login passwords, and for administrative or privilege passwords. Include a list of conditions that require passwords to be changed (e.g. lifetime, staff changes, compromise).
• Designates who is authorized to log in to the router remotely.
• Designates protocols, procedures, and networks permitted for logging in to the router remotely.
• Defines the recovery procedures and identifies individuals responsible for recovery, in the case of compromise of the router's static configuration.
• Defines the audit log policy for the router, including outlining log management practices and procedures and log review responsibilities.
• Designates procedures and limits on use of automated remote management and monitoring facilities (e.g. SNMP).
• Outlines response procedures or guidelines for detection of an attack against the router itself.
• Defines the management policy and update intervals for long-term secrets, such as those for routing protocols, NTP, TACACS+, RADIUS, and SNMP.
• Defines the key management policy for long-term cryptographic keys (if any).

Dynamic Configuration Security
• Identifies the dynamic configuration services permitted on the router, and the networks permitted to access those services.
• Identifies the routing protocols to be used, and the security features to be employed on each.
• Designates mechanisms and policies for setting or automating maintenance of the router's clock (e.g. manual setting, NTP).
• Identifies key agreement and cryptographic algorithms authorized for use in establishing VPN tunnels with other networks (if any).

Network Service Security
• Enumerates protocols, ports, and services to be permitted or filtered by the router, for each interface or connection (e.g. inbound and outbound), and identifies procedures and authorities for authorizing them.
• Describes security procedures and roles for interactions with external service providers and maintenance technicians.

Compromise Response
• Enumerates individuals or organizations to be notified in the event of a network compromise.
• Identifies relevant configuration information to be captured and retained.
• Defines response procedures, authorities, and objectives for response after a successful attack against the network, including provision for preserving evidence and for notification of law enforcement.
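The appendix table of IOS features to disable or restrict, together with the vty access, logging and clock checks of steps 16 to 19, lends itself to a repeatable test over a saved copy of `show running-config`. The Python script below is an added example; it is not part of this audit program and is not NSA or Cisco tooling. The configuration embedded in it is constructed for illustration (documentation address ranges, no real device), the function names `parse_config` and `audit_config` and the check lists are this example's own, and the command strings are standard IOS syntax. It reads the table's "explicitly disable" recommendations conservatively: a feature passes only when the explicit disabling command is present in the relevant scope, because the default differs between IOS versions (see the Default column).

```python
"""Added example, not part of the audit program: regex checks over a saved
'show running-config' for the appendix table and the step 16-19 access,
logging and clock tests.  A feature passes only when its explicit disabling
command is present ("explicitly disable"); IOS defaults vary by version."""
import re

# Constructed sample config for illustration only; documentation address ranges.
SAMPLE_CONFIG = """\
service timestamps log datetime msec
service password-encryption
no service tcp-small-servers
no service udp-small-servers
aaa new-model
no ip finger
no ip bootp server
no ip source-route
no ip domain-lookup
ip http server
snmp-server community public RO
logging host 192.0.2.10
ntp server 192.0.2.20
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no mop enabled
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 ip mask-reply
!
banner motd ^C Authorized use only. ^C
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
!
"""

# Regexes are matched at the start of each line in scope (re.match).
GLOBAL_REQUIRE = [  # hardening commands that must be present globally
    r"no cdp run$", r"no service tcp-small-servers$", r"no service udp-small-servers$",
    r"no ip finger$", r"no ip http server$", r"no ip bootp server$", r"no ip source-route$",
    r"(no ip domain-lookup|ip name-server )", r"service password-encryption$",
    r"aaa new-model$", r"service timestamps log datetime", r"logging (host )?\d+\.",
    r"ntp server ", r"banner motd ",
]
GLOBAL_FORBID = [r"(service config|boot network)", r"snmp-server community (public|private)\b"]
IFACE_REQUIRE = [r"no ip proxy-arp$", r"no ip redirects$", r"no ip unreachables$",
                 r"no ip directed-broadcast$", r"no mop enabled$"]
IFACE_FORBID = [r"ip mask-reply$"]          # mask reply defaults off; flag if turned on
VTY_REQUIRE = [r"transport input ssh$", r"access-class \S+ in$"]
VTY_FORBID = [r"(exec-timeout 0 0|no exec-timeout)$"]   # session timeout switched off


def parse_config(text):
    """Split a config into top-level lines and indented sections keyed by
    header (e.g. 'interface FastEthernet0/0'); '!' ends a section."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw[0].isspace():
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
            sections[current] = []
    return global_lines, sections


def _check(scope, lines, require, forbid):
    """One finding per required pattern absent or forbidden pattern present."""
    def hit(pat):
        return any(re.match(pat, line) for line in lines)
    found = [(scope, "missing " + pat) for pat in require if not hit(pat)]
    found += [(scope, "present " + pat) for pat in forbid if hit(pat)]
    return found


def audit_config(text):
    """Return a sorted list of (scope, finding); an empty list means all checks passed."""
    global_lines, sections = parse_config(text)
    findings = _check("global", global_lines, GLOBAL_REQUIRE, GLOBAL_FORBID)
    for header, lines in sections.items():
        if header.startswith("interface "):
            findings += _check(header, lines, IFACE_REQUIRE, IFACE_FORBID)
        elif header.startswith("line vty"):
            findings += _check(header, lines, VTY_REQUIRE, VTY_FORBID)
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit_config(SAMPLE_CONFIG):
        print(f"{scope:26} {finding}")
```

Run against the constructed config it reports ten findings: CDP and the HTTP server not disabled, the default SNMP community still present, the inside interface missing three per-interface hardening commands and answering mask requests, and the vty lines accepting telnet, lacking an access-class, and having the exec timeout switched off. Because the script only reads text, it can be run on a configuration exported by the network team rather than against the router itself, which matches the program's approach of letting IT personnel operate tools on the live network.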