Contributed 1/10/2001 by Justin Snyder (JJSNYDER@up.com)

Data Communications - Cisco Routers Audit Program

Objective: To determine whether the Cisco router environment is secure.

Overview

Determine the personnel responsible for the Cisco routers.
Obtain the population of Cisco routers (including numbers and types).
Obtain the router configuration file for each router.

Authentication

Determine the types of accounts that were used to access the routers. A user account can be defined with enable privileges with this entry in the configuration file:

    username user-ID privilege 15 password 7 encrypted_hash

Determine which users had access to these accounts.
Were access attempts to the routers logged?
Determine if all accounts had passwords and determine the strength of the passwords.
Determine if there was a mechanism for periodically changing passwords.

SNMP

The simple network management protocol (SNMP) is a protocol used to manage a network. The protocol allows the viewing and changing of router settings. An SNMP community name can have either read or read/write access. The community names act as passwords.

Was simple network management protocol (SNMP) used to configure the network?
Determine the version of SNMP employed by the Company. Version one stores community names in clear-text format. Version two adds encryption of community names.
Determine the SNMP community names. This can be determined by looking at the configuration file. Cisco routers shipped with two default SNMP community strings (used as passwords): public for read access and private for read/write access.
Determine if the routers incorporate strong SNMP community names. Were they changed from the defaults?
Determine which sites were able to use the given SNMP community names. Cisco routers can restrict SNMP access to set operations, which change router variables, to certain IP addresses.
Determine if SNMP community names could be obtained through the configuration file. The configuration file stores most of the configuration settings of the router. Even though this file is binary, the settings (including SNMP community names) are stored as clear text.
Determine whether the Company implemented encryption for set requests from SNMP read/write community names.
Determine the frequency of SNMP community name changes.
Cisco provides support for an old MIB called OLD-CISCO-SYS-MIB that allows anyone with the read/write community name to TFTP download the configuration file. Determine if the Company's Cisco routers are vulnerable.

Control of Services

Determine which services were running on the routers. The key services to evaluate are trivial file transfer protocol (TFTP), simple network management protocol (SNMP), file transfer protocol (FTP), and telnet.
Determine if open shortest path first (OSPF) was defined on the router. Determine the authentication mechanism that was employed in the Company's implementation of OSPF.
Determine whether directed broadcast functionality was enabled on the router. This setting, if enabled, could allow a denial-of-service (DoS) attack on the network (Smurf attack).
Cisco's finger service will respond with some useless information, which can help an attacker identify the device as a Cisco device. Determine if the Company's routers respond to the finger service with valuable information.
Attackers can connect to Cisco management ports 2001, 4001, and 6001 to help identify the device as a Cisco device. The result of connecting to one of these ports via a browser might look like this:

    User Access Verification
    Password:
    Password:
    Password:
    Password:
    % Bad passwords

Another of Cisco's common ports is the XRemote service port (TCP 9001). XRemote allows systems on your network to start client X sessions to the router (typically through a dial-up modem). When an attacker connects to the port, the device will send back a common banner, such as:

    ---Outbound XRemote Service---

Remote Access

Were dial-in connections used to access the routers?
Obtain the population of routers with modems and obtain the telephone numbers of the routers.
Determine if users were properly authenticated when remotely accessing the routers.
Determine if access attempts were logged.
Determine if the telephone numbers of the routers were within Company-defined telephone prefixes. Hackers commonly poll prefixes to obtain access to a network.

Change Management

Determine how changes to the router environment were made.
Determine if changes to the router configuration were documented.
Were there procedures for changing router configurations?
Was there a separation of duties within the change control of the router environment?

Network Monitoring

Determine the mechanisms for monitoring the network.
Determine the personnel that monitor the network.
Determine the security of the network monitoring tools.
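Several of the configuration-file checks in this program (privileged accounts with type 7 passwords, default or unrestricted SNMP read/write community names, directed broadcast, finger, telnet on the vty lines, OSPF without authentication) can be scripted once the configuration files have been collected. The following is an added example, not part of the original audit program, that scans a constructed IOS-style configuration; the sample config, the finding labels and the regular expressions are assumptions of this example.

```python
import re

# Constructed sample IOS-style configuration (not taken from any real device);
# it deliberately contains several of the weak settings the audit program lists.
SAMPLE_CONFIG = """\
hostname edge-rtr1
username admin privilege 15 password 7 0822455D0A16
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t-rw RW 10
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
ip finger
line vty 0 4
 transport input telnet
"""

def audit_config(config):
    """Return (check, detail) findings for one router configuration file."""
    findings, context, ospf = [], None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level command ends any block
            context = None
        m = re.match(r"username (\S+) privilege 15 password 7 \S+$", line)
        if m:                            # type 7 is reversible, not a hash
            findings.append(("type7-password", m.group(1)))
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", line)
        if m:
            name, mode, acl = m.groups()
            if name in ("public", "private"):   # Cisco's shipped defaults
                findings.append(("default-community", name))
            if mode == "RW" and acl is None:    # set operations not IP-restricted
                findings.append(("rw-community-no-acl", name))
        if line.startswith(("interface ", "router ", "line ")):
            context = line.split(None, 1)[1]
            if line.startswith("router ospf"):
                ospf.append(context)
        elif line == "ip directed-broadcast":   # Smurf amplifier (IOS before 12.0
            findings.append(("directed-broadcast", context))  # had this on by default)
        elif line == "ip finger":
            findings.append(("finger-enabled", ""))
        elif line.startswith("transport input") and "telnet" in line:
            findings.append(("telnet-vty", context))
    # OSPF present but no area- or interface-level authentication anywhere
    if ospf and not re.search(r"^\s*(area \S+ authentication|ip ospf authentication)", config, re.M):
        findings.extend(("ospf-no-auth", p) for p in ospf)
    return findings

if __name__ == "__main__":
    for check, detail in audit_config(SAMPLE_CONFIG):
        print(f"{check:22} {detail}")
```

Run it over each collected configuration file; a clean file (strong, ACL-restricted community names, OSPF authentication, no telnet, finger or directed broadcast) returns an empty list.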