CISCO ROUTER AUDIT - PowerPoint PPT Presentation

1
  • CISCO ROUTER AUDIT
  • Courtesy of and with permission of Ted Schwartz,
    Jefferson Wells International

2
Layered Architecture (diagram: the OSI stack, 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical, drawn at both ends of an Email/Sales conversation)
Topology Architecture (diagram: Exec. LAN, Sales Dept., HR Dept., IT Dept., Accounting Dept.)
Where and What do POLICIES refer to?
3
What is tested in an Audit
  • Applications: Email, DNS, LOGIN, Directory
    Services, Routing Table Sharing, SNMP, TFTP, BootP,
    DHCP; Web Servers (internal and external),
    Accounting (GL, AP, AR, PR), Human Resources,
    Groupware
  • Transport: Port Scan, Session Controls, SYN Flood,
    SSL
  • Internetwork/Network: Address Scanning, Ping of
    Death, Ping Flood, IP Address Spoofing
  • Network Interface/Data Link: NIC/MAC address
    spoofing, Sniffing
4
Enterprise Physical Topological Architecture
(diagram: Routers C-E-D and Routers F-B-A)
5
Firewall Architecture
(diagram: Internet, External Router, DMZ Zone with Email Server and Hubs, Firewall, Internal Router, Hubs, Intranet)
6
Firewall Architecture
(diagram: External Client, Internet, Packet Filtering Router, DMZ Zone with Hubs, Firewall, Intranet)
7
Material Needs
  • Obtain these if available: company network
    policies and a printout of router rulebases, a
    network map, a list of network-supported business
    applications and network support applications,
    copies of a sample of network logs, and a list of
    network security applications (virus checker,
    firewalls, routers, RADIUS server, TACACS or
    RADIUS server, TFTP, SNMP, Active Directory,
    Netware Directory Services, intrusion detection,
    VLANs, VPN).
  • What business applications are supported by the
    network versus being on stand-alone servers? Are
    they distributed or stand-alone? If applications
    are distributed, are there overlay maps and
    operation descriptions explaining distributed
    updates?
  • Which of the applications listed in the audit
    test page does this company use? If used, are they
    distributed or stand-alone applications? Who is
    responsible for each application?

8
Audit Program Preparation
  • Security Policy: the definition of access allowed
    to corporate assets by users and other applications.
  • Map the users, applications, users of
    applications, and managers of applications.
  • Obtain all distributed overlay network maps with
    operations descriptions. If not available and if
    this is a full security audit, draw and describe
    each application's operations, then answer these
    questions on a per-application basis:
  • a. How often is data distributed?
  • b. How are updates secured?
  • c. Are updates done via VPN?

9
Audit Notes
  • Remember each network conversation passes two ways
    through a router.
  • Security Policy: the definition of access allowed
    to corporate assets by users and other applications.
  • Risk: the possible loss or malfunction related
    to use of a corporate asset.
  • Access Control: controlling access to a network
    by using a network device to limit the type and
    amount of data allowed to be transmitted across
    the network.
  • Intrusion: an action taken by someone who is
    not allowed access to a network but gets access
    for reasons that are not always known.
  • Detection: having a piece of software that
    checks the data processing network for actions
    taken that are out of the ordinary. This allows
    the software to notify management of the
    activity.
  • Multi-Session Applications: applications such as
    FTP and HTTP that require multiple sessions to
    accomplish their service.
  • Stay current on network attacks and
    vulnerabilities.
  • Join security-related mailing lists at web sites
    such as www.cert.org, SecurityFocus, and
    www.sans.org.

10
Access List Section
  • How are configurations maintained?
  • What are the firewall characteristics used on
    each router beyond layer four?
  • What standby devices exist?
  • What is the planning for upgrading the network
    capabilities? (VoIP, video)
  • What protocols are forwarded that have not been
    mentioned?
  • What applications are supported on the network?
  • What protocols are supported by the network and
    in what parts are they placed?
  • What are the network security policies and how
    are they implemented?
  • What is done towards virus management?
  • What is done towards intrusion detection?

11
Access List Section
  • Are packets denied that have local host,
    broadcast, or multicast addresses? (If there are
    any exceptions, please explain.)
  • Are packets denied that have no IP address?
  • Are NFS, Andrew, or X Windows used?
  • How are these protocols controlled? (NTP, SMTP,
    DNS, DHCP, SNMP, ICMP, LDAP, BGP, HTTP, LPD,
    UUCPD, TFTP, Windows FTP, RPC, POP, IMAP, NetBIOS
    on NT, ICMP, IGMP, RIP, OSPF, EIGRP)
  • What type of access control lists are used?
  • What audit procedures are conducted? (Scanning,
    log forensics, etc.)
  • What are the procedures to keep fixes and patches
    current?
  • What IOS versions are currently running?
  • Are all of these changes documented?
  • Who approves the update process?
  • When was the last patch applied?

12
Configuration and Change Mgmt
  • How is configuration information maintained?
  • Are router configurations documented and
    authorized by management?
  • Is the configuration creation method defined and
    documented?
  • Is a history maintained?
  • Are vendor IOS changes maintained?
  • Are fixes and patches implemented?
  • What was the last patch implemented?
  • Are changes validated or tested?
  • Are validations and tests documented?
  • Is the processing power of the router enough and
    is there enough memory?
  • Is there a procedure to test and roll out new
    Cisco updates?

13
Policy Creation
  • Are NFS, Andrew, or Windows used?
  • How are these protocols controlled? (NTP, SMTP,
    DNS, DHCP, SNMP, ICMP, LDAP, BGP, HTTP, LPD,
    UUCPD, TFTP, Windows FTP, RPC, POP, IMAP, NetBIOS
    on NT, ICMP, IGMP, RIP, OSPF, EIGRP, JAVA, NAT,
    etc.)
  • Policy process questions:
  • a. Was a site survey done?
  • b. How was needed access to external
    resources determined?
  • c. Is a regular review of security
    policy needs done?
  • d. Is a disaster recovery plan in
    place that includes the routers?
  • e. How were router assets identified
    and located?
  • f. How were the standards created for
    classifying router policy?
  • g. How were threat assessment
    standards set up?
  • h. Who is responsible for security
    policy enforcement at the Cisco router level?
  • i. How were procedure changes
    evaluated related to impact on business and
    employees?
  • Are company security policies kept up to date?
  • Are security attack profiles kept up to date?
  • What are the policies related to implementation
    of new security technologies?

14
Policy Creation
  • Do written policies exist for router use?
  • Do the router policies define rules of conduct,
    roles, and responsibilities?
  • Do policies define objectives rather than how-tos
    or ACLs?
  • Do policies cover multiple levels of security
    depending on the tasks needing to be accomplished?
  • Are services and policies that are not explicitly
    allowed assumed to be denied?
  • Are the network security policies regularly
    reviewed?
  • Is there a security policy defined for physical
    damage to the router?
  • Is the cryptographic algorithm described in a
    policy?
  • Which assets are listed on network policy
    documents?
  • Are software assets identified with users and
    user authority?
  • Do policies spell out the asset, control types,
    and authority to change controls?
  • Who approves the update process? When was the
    last patch applied?
  • Is it stated exactly who can log in directly to
    the router?
  • Are standards defined on how to implement
    policies?
  • Do policies define exactly what assets are
    protected by the router?
  • Have policies had a review by the legal
    department?
  • Is the person with ultimate authority over router
    policy named in a policy?
  • Are the network security areas defined in the
    remainder of the ICQ spelled out in security
    policy?

15
Intrusion Detection Audit and Logging
  • Are logging methods documented?
  • Do alerting and escalation procedures exist?
  • Do the procedures exist for 24-hour operation?
  • Are advanced logging techniques used? (Syslog)
  • On what media is logging archived? (OS)
  • Is Cisco IDS implemented on the local routers?
  • Are personnel trained in the Intrusion Detection
    System?
  • Does a policy exist for the IDS?
  • Are IDS configurations defined for each router?
  • Who is authorized to deal with router IDS and
    forensics?
  • Does support documentation exist for operational
    methods, logging, and forensics?
  • How are alerts generated for individual
    applications reviewed by CBAC?
  • What audit exceptions are investigated, and when?
  • How are the exceptions documented?
  • What events are audited?
  • How long are audit logs kept?
  • What tools are used for audit tests?
  • Are tools regularly used to test security?
  • Is logging configured on exec, commands,
    connections, and system?

16
Intrusion Detection Audit and Logging
  • Are router log updates sent to a separate
    computer?
  • Is the separate logging computer hardened?
    (Unnecessary services are disabled.)
  • Is the computer on a trusted network?
  • Is logging matched to security policies?
  • Is logging reviewed on a regular basis? When was
    the last review done for each router?
  • Are all router configuration changes logged?
  • Are all ACL rule results logged?
  • Is the time control over logging established and
    redundant?
  • Does your company have an Intrusion Detection
    System such as Cisco IDS?
  • What features does it have? (Alarm and Display
    Management, Data Archive, Multiple Level
    Management, Centralized Configuration Management,
    Notification Modules, and Security Database)

17
Password and Access Management
  • Are passwords implemented according to
    requirements?
  • Is there a minimum size set for passwords, and
    what is it?
  • Are password changes done according to policy?
  • Are tests done on password strength?
  • What is the process set for initial passwords?
  • Do users share passwords?
  • How are passwords communicated to the user after
    being set?
  • Is a central access authority used? (RADIUS,
    TACACS)
  • Is the tacacs-server notify command used to send
    a message when a user makes a TCP connection, logs
    out, or enters the enable command?
  • Is extended TACACS configured?
  • How are forgotten passwords dealt with?
  • Do router administrators understand how to
    bypass the enable password?
  • Is a browser used for router configuration?
  • Are routers accessed through remote devices?
    (Dialup, Firewall I)
  • Are exec passwords set on the console and
    auxiliary ports?
  • Has a login banner been created to discourage
    inappropriate logins?
  • Is IPsec, Kerberos, or SSH used for remote
    management of the router?

18
Physical Security
  • Are the routers secured physically?
  • Is access to the area restricted to staff who
    administer routers?
  • Is the physical location locked and alarmed?
  • If the router is administered remotely, are those
    devices physically secure?
  • Are alerts issued if entry is made, and are they
    handled?
  • Is physical security organized so as to prevent
    overlooked security weaknesses?
  • Is the console port used for access?
  • Is the auxiliary port used for access?
  • Is there standby equipment available nearby?
  • Are the physical ID numbers listed on a document?

19
Specific Protocol Controls
  • Is telnet used to administer the router?
  • If telnet is used, make sure access is granted to
    only specific nodes.
  • Is service password-encryption enabled?
  • Is MD5 encryption used for the privileged-mode
    password?
  • Is CDP disabled on all interfaces?
  • Is SNMP used for management?
  • If so, have the community access-level passwords
    or community names been changed?
  • Is SNMP version 3 used?
  • Ensure that virtual terminal timeouts are set.
  • If ICMP is used, are these types blocked on the
    Internet interface: echo (in both directions), time
    exceeded, redirect, and unreachable?
  • Are inbound packets addressed to the router or to
    127.0.0.1 on the internal interface dropped and
    logged?
  • Is HTTP used to access the router?
  • If appropriate, is the HTTP access command used to
    authorize access from only certain addresses?
  • If DNS is used, only allow DNS traffic to a
    specific server.
  • Are DNS responses allowed to leave the screened
    subnet?

20
General Audit Questions
  • If CBAC is used, are inspection rules used to
    deal with FTP, TFTP, etc.?
  • Are inspection rules applied to the appropriate
    interface?
  • Is the console line set to time out if a user
    walks away from a logged-in terminal?
  • Is MD5 encryption used instead of Cisco
    proprietary encryption?
  • Are RIP and OSPF neighbor authentication used?
  • How is the key distributed?
  • Is a common key used for any group of routers?
  • Are any methods used to increase convergence time
    in OSPF and RIP? (Increased convergence time being
    a security value.)
  • Is the distribution-list command used to suppress
    updates from other routers? (OSPF related to
    external systems)

21
Command Examples
  • COMMAND: EXPLANATION
  • service password-encryption: sets password
    encryption
  • no ip finger: disables finger
  • no ip source-route: does not allow source routing
  • exec-timeout: times out the connection
  • no cdp run: turns off CDP
  • access-list list-number {deny | permit} protocol
    source source-wildcard source-qualifiers
    destination destination-wildcard
    destination-qualifiers log
  • (Qualifiers are items that affect the
    previously listed access-list command,
    such as the source and destination address shown
    earlier)

22
TCP Termination and ACLs
  • TCP termination is critical to the following
    Access Control List functions implemented on Cisco
    routers. The first ACL control type is TCP
    Intercept.
  • TCP Intercept watches for sessions initiated
    without an ACK in response to the SYN. If a Cisco
    router has TCP Intercept set, it watches for the
    ACK-to-SYN relationship and limits the number of
    requests without an ACK. (This prevents SYN flood
    denial of service attacks against a server.)
  • It limits the number of unacknowledged sessions to
    1100 by default. If it reaches 1100, it removes
    the oldest session initiation from its table.
  • It waits 5 seconds after the FIN to terminate a
    session, allowing for a reset.
  • Retransmission timeouts are normally set at one
    second (then 2, 4, 8, 16, and 32). Under aggressive
    mode, the timeout is halved to .05 seconds and so
    on. This is done per one-minute sample period.
  • This is done when Context Based ACLs are
    inactive.
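The half-open table described above, as an added model (not Cisco's implementation): a SYN creates a half-open entry, the client's ACK promotes it, and once the default 1100 entries are held the oldest half-open request is dropped to admit the next one; flows and timestamps are constructed, and the aggressive-mode timer changes are not modelled.

```python
"""Simplified model of the TCP Intercept behaviour described above: half-open
requests (SYN seen, no ACK yet) are tracked, and once the table holds the
default 1100 entries the oldest one is dropped to make room. Added example,
not Cisco's implementation; flows and times are constructed, and the
aggressive-mode timer changes are not modelled."""
from collections import OrderedDict

MAX_INCOMPLETE = 1100   # default limit quoted on the slide
FIN_GRACE_SECONDS = 5   # a session lingers this long after its FIN (slide)


class TcpInterceptModel:
    def __init__(self, max_incomplete=MAX_INCOMPLETE):
        self.max_incomplete = max_incomplete
        self.half_open = OrderedDict()   # flow -> time the SYN was seen
        self.established = {}            # flow -> time of FIN, or None
        self.evicted = 0                 # half-open entries dropped as oldest

    def on_syn(self, flow, now):
        """A SYN arrives for a server behind the router."""
        if flow in self.half_open or flow in self.established:
            return "retransmit"
        if len(self.half_open) >= self.max_incomplete:
            self.half_open.popitem(last=False)   # drop the oldest half-open
            self.evicted += 1
        self.half_open[flow] = now
        return "half-open"

    def on_ack(self, flow, now):
        """The client's ACK completes the handshake: the session is real."""
        if flow not in self.half_open:
            return "no-match"
        del self.half_open[flow]
        self.established[flow] = None
        return "established"

    def on_fin(self, flow, now):
        """A FIN starts the close; the entry is kept for a reset window."""
        if flow not in self.established:
            return "no-match"
        self.established[flow] = now
        return "closing"

    def expire(self, now):
        """Drop closing sessions whose FIN grace period has elapsed."""
        done = [f for f, t in self.established.items()
                if t is not None and now - t >= FIN_GRACE_SECONDS]
        for f in done:
            del self.established[f]
        return len(done)
```

Feeding the model 2000 SYNs that are never acknowledged leaves exactly 1100 half-open entries with 900 evictions, while a client that does complete its handshake still reaches the established state, which is the property the slide credits TCP Intercept with.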

23
TCP Termination and ACLs
  • TCP termination is critical to the following
    Access Control List functions implemented on Cisco
    routers. The second ACL control type is the
    Reflexive Access List.
  • Based upon a session request from a trusted
    network, the router waits for the return packets
    with the appropriate information swapped.
  • Reflexive Access Lists base access through a
    router on a session basis. This ACL type operates
    on TCP outbound upper-layer session information.
    Based upon the Acknowledge or Reset bits being
    set, the ACL determines whether a packet is the
    first packet of a session.
  • It also checks additional session
    information such as port and network address when
    establishing a session-related temporary access
    list that will be removed at the end of the
    session.
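A model of the reflexive ACL behaviour just described, added as an example and not Cisco's code: an outbound first packet (neither ACK nor RST set) opens a temporary inbound entry with addresses and ports swapped, inbound packets are permitted only when they match such an entry, and a FIN or RST on the session removes it; the packets are constructed, and the idle timeout that real reflexive lists also apply is left out.

```python
"""Model of reflexive ACL session tracking from the slide above. Added
example, not Cisco's implementation; packets and addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False
    rst: bool = False
    fin: bool = False


class ReflexiveAcl:
    def __init__(self):
        # temporary inbound entries keyed as the return traffic will appear:
        # (src, sport, dst, dport) seen from the untrusted side
        self.temp_entries = set()

    def outbound(self, pkt):
        """Trusted-side packet leaving the router: always permitted.
        A first packet (no ACK, no RST) opens the mirrored inbound entry;
        a FIN or RST on an existing session removes it."""
        mirrored = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if not pkt.ack and not pkt.rst:
            self.temp_entries.add(mirrored)
        elif pkt.fin or pkt.rst:
            self.temp_entries.discard(mirrored)
        return "permit"

    def inbound(self, pkt):
        """Untrusted-side packet arriving: permitted only if it matches an
        open temporary entry (address and port checked both ways); a FIN or
        RST on a matched session closes the entry."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.temp_entries:
            return "deny"
        if pkt.fin or pkt.rst:
            self.temp_entries.discard(key)
        return "permit"

    def open_sessions(self):
        """Number of temporary entries currently allowing return traffic."""
        return len(self.temp_entries)
```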

24
Lock and Key ACLs
  • Lock and Key access lists allow temporary
    access through the firewall after the user is
    authenticated by a name and password.
  • A telnet session initiates the temporary access
    through a router.
  • After the temporary access is terminated, regular
    standard and static extended ACLs are used.
  • It does not work with multi-channel applications
    such as FTP.
  • It limits the window of opportunity for break-ins
    by hackers.

25
Content Based ACLs
  • The capability is available in the Cisco Firewall
    Set.
  • It creates temporary entries on the appropriate
    interface when a session is initiated from a
    trusted network.
  • It inspects control information on the control
    channels of TCP multi-channel applications, such
    as File Transfer Protocol and H.323.
  • It does work with UDP sessions but must
    approximate the session state information, unlike
    the TCP state information that is kept in a
    Transmission Control Block.
  • Temporary sessions mean limits on open access and
    removal of ACL entries at the end of a session.