CISCO ROUTER AUDIT Courtesy of and with permission of Ted Schwartz, Jefferson Wells International.


Layered Architecture (OSI layers as shown on the slide):
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical

Topology Architecture [diagram: Routers A, B, C, D, E and F, each serving a hub, with links labelled Frame Relay, HDLC and T1]

Where and What do POLICIES refer to? [diagram: network segments labelled Accounting Dept., Email/Sales, HR Dept., IT Dept., Sales Dept. and Exec. LAN]


What is tested in an Audit

Layer – what is tested (reconstructed from the slide's layer diagram):
Applications – Email, DNS, LOGIN, Directory Services, Routing Table Sharing, SNMP, TFTP, BootP, DHCP, Web Servers (internal and external), Accounting (GL, AP, AR, PR), Human Resources, Groupware
Transport – Port Scan, SYN Flood, Session Controls, SSL
Internetwork/Net. – Address Scanning, Ping of Death, Ping Flood, IP Address Spoofing
Network Interface/DL – NIC/MAC address spoofing, Sniffing


Enterprise Physical Topological Architecture [diagram: two router groups, Routers F-B-A and Routers C-E-D, with a hub attached to each router]


[diagram: Internet, External Router, Firewall, DMZ Zone containing an Email Server, Internal Router, and the Intranet with Router G, Routers C, D and E, and their hubs]


[diagram: External Client on the Internet, Packet Filtering Router, Firewall, DMZ Zone, and the Intranet with Router G, Router D and a hub]


Material Needs

1. Obtain these if available: company network policies and a printout of router rulebases; network map; list of network-supported business applications and network support applications; copies of a sample of network logs; a list of network security applications – virus checker, firewalls, routers, TACACS or RADIUS server, TFTP, SNMP, Active Directory, Netware Directory Services, Intrusion Detection, VLANs, VPN.

2. What business applications are supported by the network versus running on stand-alone servers? Are they distributed or stand-alone? If applications are distributed, are there overlay maps and operational descriptions covering the distributed updates?

3. Which of the applications listed on the audit test page does this company use? If used, are they distributed or stand-alone applications? Who is responsible for each application?


Audit Program Preparation

1. Security Policy – definition of access allowed to corporate assets by users and other applications.

2. Map the users, applications, users of applications, and managers of applications.

3. Obtain all distributed overlay network maps with operational descriptions. If they are not available and this is a full security audit, draw and describe each application's operations, then answer these questions on a per-application basis:
   a. How often is data distributed?
   b. How are updates secured?
   c. Are updates done via VPN?


Audit Notes

1. Remember each network conversation is two ways through a router.
2. Security Policy – definition of access allowed to corporate assets by users and other applications.
3. Risk – the possible loss or malfunction related to the use of a corporate asset.
4. Access Control – controlling access to a network by using a network device to limit the type and amount of data allowed to be transmitted across the network.
5. Intrusion – an action taken by someone who is not allowed access to a network but gets access for reasons that are not always known.
6. Detection – having a piece of software that checks the data processing network for actions taken that are out of the ordinary. This allows the software to notify management of the activity.
7. Multi-Session Applications – applications such as FTP and HTTP that require multiple sessions to accomplish their service.
8. Stay current on network attacks and vulnerabilities.
9. Join security-related mailing lists at web sites such as www.cert.org, www.securityfocus.com, and www.sans.org.


Access List Section

1. How are configurations maintained?
2. What are the firewall characteristics used on each router beyond layer four?
3. What standby devices exist?
4. What is the planning for upgrading the network capabilities? (VoIP, video)
5. What protocols are forwarded that have not been mentioned?
6. What applications are supported on the network?
7. What protocols are supported by the network, and in what parts are they placed?
8. What is done towards virus management?
9. What are the network security policies and how are they implemented?
10. What is done towards intrusion detection?


Access List Section

1. Are packets denied that have a local host, broadcast, or multicast address? (If there are any exceptions, please explain.)
2. Are packets denied that have no IP address?
3. Are NFS, Andrew, X Windows used?
4. How are these protocols controlled? (NTP, SMTP, DNS, DHCP, SNMP, ICMP, LDAP, BGP, HTTP, LPD, UUCPD, TFTP, Windows FTP, RPC, POP, IMAP, NetBIOS on NT, IGMP, RIP, OSPF, EIGRP)
5. What type of access control lists are used?
6. What audit procedures are conducted? (Scanning, log forensics, etc.)
7. What are the procedures to keep fixes and patches current?
8. What IOS versions are currently running?
9. Are all of these changes documented?
10. Who approves the update process?
11. When was the last patch applied?


Configuration and Change Mgmt

1. How is configuration information maintained?
2. Are router configurations documented and authorized by management?
3. Is the configuration creation method defined and documented?
4. Is a history maintained?
5. Are vendor IOS changes maintained?
6. Are fixes and patches implemented?
7. What was the last patch implemented?
8. Are changes validated or tested?
9. Are validations and tests documented?
10. Is the processing power of the router sufficient, and is there enough memory?
11. Is there a procedure to test and roll out new Cisco updates?


Policy Creation

1. Are NFS, Andrew, Windows used?
2. How are these protocols controlled? (NTP, SMTP, DNS, DHCP, SNMP, ICMP, LDAP, BGP, HTTP, LPD, UUCPD, TFTP, Windows FTP, RPC, POP, IMAP, NetBIOS on NT, IGMP, RIP, OSPF, EIGRP, Java, NAT, etc.)
3. Policy process questions:
   a. Was a site survey done?
   b. How was needed access to external resources determined?
   c. Is a regular review of security policy needs done?
   d. Is a disaster recovery plan in place that includes the routers?
   e. How were router assets identified and located?
   f. How were the standards created for classifying router policy?
   g. How were threat assessment standards set up?
   h. Who is responsible for security policy enforcement at the Cisco router level?
   i. How were procedure changes evaluated for their impact on business and employees?
4. Are company security policies kept up to date?
5. Are security attack profiles kept up to date?
6. What are the policies related to implementation of new security technologies?


Policy Creation

1. Do written policies exist for router use?
2. Do the router policies define rules of conduct, roles and responsibilities?
3. Do policies define objectives rather than how-to or ACLs?
4. Do policies cover multiple levels of security depending on the tasks needing to be accomplished?
5. Are services and policies that are not explicitly stated as allowed assumed to be denied?
6. Are the network security policies regularly reviewed?
7. Is there a security policy defined for physical damage to the router?
8. Is the cryptographic algorithm described in a policy?
9. Which assets are listed on network policy documents?
10. Are software assets identified with users and user authority?
11. Do policies spell out the asset, control types, and authority to change controls?
12. Who approves the update process? When was the last patch applied?
13. Is it stated exactly who can log in directly to the router?
14. Are standards defined on how to implement policies?
15. Do policies define exactly what assets are protected by the router?
16. Have policies had a legal review by the legal department?
17. Is the person with ultimate authority over router policy stated in a policy?
18. Are the network security areas defined in the remainder of the ICQ spelled out in security policy?


Intrusion Detection Audit and Logging

1. Are logging methods documented?
2. Do alerting and escalation procedures exist?
3. Do procedures exist for 24-hour operation?
4. Are advanced logging techniques used? (Syslog)
5. What is the media on which logging is archived? (OS)
6. Is Cisco IDS implemented on the local routers?
7. Are personnel trained in the Intrusion Detection System?
8. Does a policy exist for the IDS?
9. Are IDS configurations defined for each router?
10. Who is authorized to deal with router IDS and forensics?
11. Does support documentation exist for operational methods, logging and forensics?
12. How are alerts generated for individual applications reviewed by CBAC?
13. Which audit exceptions are investigated, and when?
14. How are the exceptions documented?
15. What events are audited?
16. How long are audit logs kept?
17. What tools are used for audit tests?
18. Are tools regularly used to test security?
19. Is logging configured on exec, commands, connections and system?
20. How often is logging information reviewed?


Intrusion Detection Audit and Logging

1. Are router log updates sent to a separate computer?
2. Is the separate logging computer hardened? (unnecessary services are disabled)
3. Is the computer on a trusted network?
4. Is logging matched to security policies?
5. Is logging reviewed on a regular basis? When was the latest review done for each router?
6. Are all router configuration changes logged?
7. Are all ACL rule results logged?
8. Is the time control over logging established and redundant?
9. Does your company have an Intrusion Detection System such as Cisco IDS?
10. What features does it have? (Alarm and Display Management, Data Archive, Multiple Level Management, Centralized Configuration Management, Notification Modules, and Security Database)


Password and Access Management

1. Are passwords implemented according to requirements?
2. Is there a minimum size set for passwords, and what is it?
3. Are password changes done according to policy?
4. Are tests done on password strength?
5. What is the process set for initial passwords?
6. Do users share passwords?
7. How are passwords communicated to the user after being set?
8. Is a central access authority used? (RADIUS, TACACS)
9. Is the tacacs-server notify command used to send a message when a user makes a TCP connection, logs out, or enters the enable command?
10. Is extended TACACS configured?
11. How are forgotten passwords dealt with?
12. Do router administrators understand how to bypass the enable password?
13. Is a browser used for router configuration?
14. Are routers accessed through remote devices? (Dialup, Firewall I)
15. Are exec passwords put on the control and auxiliary ports?
16. Has a login banner been created to discourage inappropriate logins?
17. Is IPsec, Kerberos or SSH used for remote management of the router?


Physical Security

1. Are the routers secured physically?
2. Is access to the area restricted to staff who administer routers?
3. Is the physical location locked and alarmed?
4. If the router is administered remotely, are those devices physically secure?
5. Are alerts issued if entry is made, and are they handled?
6. Is physical security organized so as to prevent overlooked security weaknesses?
7. Is a control port used for access?
8. Is the auxiliary port used for access?
9. Is there standby equipment available nearby?
10. Are the physical ID numbers listed on a document?


Specific Protocol Controls

1. Is telnet used to administer the router?
2. If telnet is used, make sure access is granted only to specific nodes.
3. Is “service password-encryption” used?
4. Is MD5 encryption used for privileged mode?
5. Is CDP disabled on all interfaces?
6. Is SNMP used for management?
7. If used, have the community access level passwords or community names been changed?
8. Is SNMP version 3 used?
9. Ensure that virtual terminal timeouts are set.
10. If ICMP is used, are these blocked on the Internet interface: echo in both directions, time exceeded, redirect, and unreachable?
11. Are inbound packets addressed to the router or 127.0.0.1 on the internal interface dropped and logged?
12. Is HTTP used to access the router?
13. If appropriate, is the HTTP-access command used to authorize access to certain addresses?
14. If DNS is used, only allow DNS traffic to a specific server.
15. Are DNS responses allowed to leave the screened subnet?


General Audit Questions

1. If CBAC is used, are the inspection rules used to deal with FTP, TFTP, etc.?
2. Are inspection rules applied to the appropriate interface?
3. Is the console line set to time out if a user walks away from a logged-in terminal?
4. Is MD5 encryption used instead of Cisco proprietary encryption?
5. Is RIP and OSPF neighbor authentication used?
6. How is the key distributed?
7. Is a common key used for any group of routers?
8. Are any methods used to increase convergence time in OSPF and RIP? (Increased convergence time being a security value)
9. Is the distribution-list command used to suppress updates from other routers? (OSPF related to external systems)


Command Examples

COMMAND – EXPLANATION

• service password-encryption – sets password encryption

• no ip finger – disables finger

• no ip source-route – does not allow source routing

• exec-timeout – times out the connection

• no cdp run – turns off CDP

• access-list list-number (deny/permit) protocol source source-wildcard source-qualifiers destination destination-wildcard destination-qualifiers log

(Qualifiers are items that affect the previously listed access-list command, such as the source and destination address shown earlier.)
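An added example (Python, not from the slides or Jefferson Wells) that turns several of the checklist items into an automated test against a router configuration: it parses an IOS-style running-config and reports the hardening commands from the Command Examples slide that are missing, vty lines that still allow telnet or lack exec-timeout (Specific Protocol Controls), and inbound ACLs that fail to deny local host, broadcast and multicast sources (Access List Section). The config text, interface names and addresses are constructed, and the parser is a deliberately simple model of the running-config format.

```python
import re

# Constructed sample running-config (not from the slides). It leaves finger and CDP
# enabled, keeps telnet on the vty lines and omits the broadcast deny on purpose.
SAMPLE_CONFIG = """\
service password-encryption
no ip source-route
!
interface Serial0/0
 description Internet uplink
 ip access-group 101 in
!
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
access-list 101 permit tcp any host 192.0.2.10 eq 25
!
line vty 0 4
 exec-timeout 5 0
 transport input telnet
"""

REQUIRED_GLOBALS = ("service password-encryption", "no ip source-route",
                    "no ip finger", "no cdp run")      # Command Examples slide
REQUIRED_DENIES = {"local host": "127.0.0.0 0.255.255.255",   # Access List Section 1
                   "broadcast": "host 255.255.255.255",
                   "multicast": "224.0.0.0 15.255.255.255"}

def parse(config):
    """Return (global commands, {block header: [indented sub-commands]})."""
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        elif raw.split()[0] in ("interface", "line"):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, blocks

def audit(config):
    """Return the sorted list of checklist findings for one config text."""
    globals_, blocks = parse(config)
    findings = [f"missing global command: {c}" for c in REQUIRED_GLOBALS if c not in globals_]
    for name, sub in blocks.items():
        if name.startswith("line vty"):  # Specific Protocol Controls items 1 and 9
            if not any(s.startswith("exec-timeout") for s in sub):
                findings.append(f"{name}: no exec-timeout")
            if any(s.startswith("transport input") and "telnet" in s for s in sub):
                findings.append(f"{name}: telnet administration enabled")
        for s in (sub if name.startswith("interface") else []):
            m = re.match(r"ip access-group (\S+) in$", s)
            if m:  # the inbound ACL on this interface must deny the listed sources
                acl = [g for g in globals_ if g.startswith(f"access-list {m.group(1)} deny")]
                for label, src in REQUIRED_DENIES.items():
                    if not any(src in g for g in acl):
                        findings.append(f"{name}: ACL {m.group(1)} does not deny {label} sources")
    return sorted(findings)
```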


TCP Termination and ACLs

TCP termination is critical to the following Access Control List functions implemented on Cisco routers. The first ACL control type is TCP Intercept:

a. TCP Intercept watches for sessions initiated without an ACK in response to the SYN. If a Cisco router has TCP Intercept set, it watches for the ACK-to-SYN relationship and limits the number of requests without an ACK. (This prevents SYN flood denial-of-service attacks against a server.)

b. It limits the number of unacknowledged sessions to 1100 by default. If it reaches 1100, it removes the oldest session initiation from its table.

c. It waits 5 seconds after the FIN to terminate a session, allowing for a reset.

d. Retransmission timeouts are normally set at one second (then 2, 4, 8, 16, and 32). Under aggressive mode, the timeout is halved to 0.5 seconds, and so on. This is done per one-minute sample period.

e. This is done when Context Based ACLs are inactive.
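An added example (Python, not from the slides or Cisco) that models the TCP Intercept behaviour described in items a, b and d: the router tracks SYNs that have not yet been answered with an ACK, evicts the oldest entry once the table holds 1100 of them, and halves the one-second retransmission timeout while in aggressive mode. The table structure, the one-minute rate check and the sample addresses are constructed for illustration; the defaults (1100, 1 s, one-minute period) are the ones the slide gives.

```python
from collections import OrderedDict

MAX_INCOMPLETE = 1100   # default limit of unacknowledged sessions (item b)
BASE_RTO = 1.0          # initial retransmission timeout in seconds (item d)
SAMPLE_PERIOD = 60.0    # one-minute sample period for aggressive mode (item d)

class TcpInterceptModel:
    """Simplified model of the TCP Intercept incomplete-connection table."""

    def __init__(self, max_incomplete=MAX_INCOMPLETE):
        self.max_incomplete = max_incomplete
        self.half_open = OrderedDict()   # (src, sport, dst, dport) -> SYN arrival time
        self.arrivals = []               # SYN arrival times, for the per-minute rate
        self.dropped = 0                 # oldest entries evicted because the table was full

    def aggressive(self, now):
        """Aggressive mode: table full, or SYN rate over the limit in the last minute."""
        self.arrivals = [t for t in self.arrivals if now - t < SAMPLE_PERIOD]
        return (len(self.half_open) >= self.max_incomplete
                or len(self.arrivals) >= self.max_incomplete)

    def retransmit_timeout(self, now):
        """Timeout for the router's retransmitted SYN-ACK; halved when aggressive."""
        return BASE_RTO / 2 if self.aggressive(now) else BASE_RTO

    def syn(self, key, now):
        """Client SYN seen: the router answers for the server and tracks the entry."""
        self.arrivals.append(now)
        if len(self.half_open) >= self.max_incomplete:
            self.half_open.popitem(last=False)    # remove the oldest session initiation
            self.dropped += 1
        self.half_open[key] = now

    def ack(self, key):
        """Client ACK completes the handshake; the entry leaves the incomplete table."""
        return self.half_open.pop(key, None) is not None

def simulate_syn_flood(n_syns, spacing=0.01):
    """Replay n_syns unanswered SYNs from distinct ports (constructed addresses)
    and report the table size, evictions and current retransmission timeout."""
    model = TcpInterceptModel()
    now = 0.0
    for i in range(n_syns):
        now = i * spacing
        model.syn(("198.51.100.7", 1024 + i, "192.0.2.10", 80), now)
    return len(model.half_open), model.dropped, model.retransmit_timeout(now)
```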


TCP Termination and ACLs

TCP termination is critical to the following Access Control List functions implemented on Cisco routers. The second ACL control type is Reflexive Access Lists:

a. Based upon a session request from a trusted network, the router waits for the return packets with the appropriate information swapped.

b. Reflexive Access Lists base access through a router on a per-session basis. This ACL type operates on TCP outbound upper-layer session information. Based upon whether the Acknowledge or Reset bits are on, the ACL determines if a packet is the first packet of a session. It also checks additional session information such as port and network address when establishing a session-related temporary access list that will be removed at the end of the session.
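An added example (Python, not from the slides or Cisco) that models the reflexive ACL behaviour in items a and b: an outbound packet from the trusted side whose ACK and RST bits are both clear is treated as a session's first packet and creates a temporary entry with addresses and ports swapped; inbound packets are permitted only when they match such an entry, which is removed when the session ends. The Packet class, the "end of session means FIN or RST seen" rule and the addresses are constructed simplifications.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False

class ReflexiveAcl:
    """Model of a reflexive access list between a trusted and an untrusted interface."""

    def __init__(self):
        # Temporary entries keyed as the inbound reply must look: the outbound
        # packet's addresses and ports swapped (item a).
        self.temp = set()

    def outbound(self, p):
        """Trusted-side packet leaving. Only a session's first packet (neither ACK
        nor RST set, item b) creates the reflected temporary entry."""
        if not (p.ack or p.rst):
            self.temp.add((p.dst, p.dport, p.src, p.sport))
        return "permit"

    def inbound(self, p):
        """Untrusted-side packet arriving: permitted only when it matches a reflected
        entry; the entry is removed once the session ends (FIN or RST seen)."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.temp:
            return "deny"   # falls through to the static ACL, which denies here
        if p.fin or p.rst:
            self.temp.discard(key)
        return "permit"

def demo():
    """Walk one session through the model and return the per-packet decisions."""
    acl = ReflexiveAcl()
    inside, outside = "10.1.1.5", "192.0.2.80"   # constructed addresses
    return [
        acl.inbound(Packet(outside, 80, inside, 40000, syn=True)),           # unsolicited
        acl.outbound(Packet(inside, 40000, outside, 80, syn=True)),          # first packet
        acl.inbound(Packet(outside, 80, inside, 40000, syn=True, ack=True)), # reply
        acl.inbound(Packet(outside, 80, inside, 40001, ack=True)),           # wrong port
        acl.inbound(Packet(outside, 80, inside, 40000, ack=True, fin=True)), # session end
        acl.inbound(Packet(outside, 80, inside, 40000, ack=True)),           # after close
    ]
```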


Lock and Key ACLs

1. Lock and Key access lists allow temporary access through the firewall after the user is authenticated by a name and password.

2. A telnet session initiates the temporary access through the router.

3. After the temporary access is terminated, the regular standard and static extended ACLs are used.

4. It does not work with multi-channel applications such as FTP.

5. It limits the window of opportunity for break-ins by hackers.


Content Based ACLs

1. The capability is available in the Cisco Firewall Set.

2. It creates temporary entries on the appropriate interface when a session is initiated from a trusted network.

3. It inspects control information on the control channels of TCP multi-channel applications, such as File Transfer Protocol and H.323.

4. It does work with UDP sessions, but must approximate the session state information, unlike the TCP state information that is kept in a Transmission Control Block.

5. Temporary sessions mean limits on open access and removal of ACL entries at the end of a session.