Expert Reference Series of White Papers
1-800-COURSES www.globalknowledge.com
How Vulnerable Are Your Cisco IOS Routers?
Copyright ©2009 Global Knowledge Training LLC. All rights reserved.
Carol Kavalla, Global Knowledge Instructor, BS, CCSI, CCDP
Introduction
Security of the network is a top priority for companies. Of course, this would include securing Cisco routers. It
may be surprising to some that Cisco routers run many services that could create vulnerabilities. Some of these
services are enabled by default.
This white paper lists a number of the services that should be disabled and why. Additionally, some best practices for securing your Cisco routers are defined.
This is not intended to be an exhaustive listing of all services enabled on Cisco routers that could create vulnerabilities, nor of all best practices for configuring Cisco routers. There are several Cisco security courses that cover this information in depth. Rather, this paper is meant to be a vehicle for discussion regarding the security of Cisco routers.
Services that Are Enabled by Default
The services below are enabled by default (in some cases depending on the version of IOS installed on the
router) and should be disabled if not in use.
BOOTP server
This allows a router to act as a BOOTP server for other routers, thereby allowing them to load their operating system over the network from the router acting as the BOOTP server.
A hacker could use the BOOTP service to download a copy of the router's IOS software. The tools for this type of attack are available on the Internet.
If not required, the BOOTP service should be disabled. The following global command can be used to disable BOOTP: no ip bootp server.
Cisco Discovery Protocol (CDP)
Cisco Discovery Protocol is used to obtain information about directly connected Cisco neighbors. The information gleaned from CDP includes IP addresses, hardware model information, and operating system version. This feature could allow a hacker to gain information about the configuration of the device and of the network infrastructure. If not needed, it should be disabled globally or on an interface-by-interface basis.
CDP can be disabled globally with the no cdp run command and on the interface with the no cdp enable command.
CDP needs to be enabled when using Cisco IP phones. If it has been disabled globally on the switch, it can be enabled on the interface using the cdp enable command.
There are several known attacks on the Cisco IP Phone CDP feature, so it is a decision for each network administrator to determine the risk versus the obvious benefits of CDP to support Cisco IP Telephony solutions.
HTTP Configuration and Monitoring
The default setting for this service is device-dependent. HTTP service allows the router to be monitored or configured from a web browser. HTTP is a clear-text protocol and is vulnerable to various packet-capture methods. A hacker could monitor network traffic and capture authentication usernames and passwords. This issue is made more serious when the enable password is used for authentication because this knowledge would give the attacker full administrative access to the device. Once usernames and passwords have been captured, it is simply a matter of using the credentials to log into the router.
If not required, the HTTP service should be disabled. If web access to the device is required, consider using HTTPS or Secure Shell (SSH). The encrypted HTTPS and SSH services may require an IOS or hardware upgrade.
The HTTP service can be disabled with the following IOS global command: no ip http server.
Domain Name System (DNS)
By default, Cisco routers broadcast name requests to 255.255.255.255. A hacker who is able to capture network traffic could monitor DNS queries from the Cisco router.
Domain lookups can be disabled with the following global command: no ip domain-lookup.
Packet Assembler / Disassembler (PAD)
The Packet Assembler / Disassembler service enables X.25 connections between network systems. The PAD service is enabled by default on most Cisco IOS devices, but it is only required if support for X.25 links is necessary. Running unused services increases the chances of a hacker finding a security hole or compromising a device.
The PAD service can be disabled with the following global configuration command: no service pad.
Internet Control Message Protocol (ICMP) Redirects
ICMP redirects cause the router to send ICMP redirect messages whenever the router is forced to resend a packet through the same interface on which it was received. By sending ICMP redirects, a hacker can redirect packets to an untrusted device.
To stop ICMP redirects, use the following interface command: no ip redirects. This needs to be done on all interfaces.
IP Source Routing
IP source routing is a feature whereby a network packet can specify how it should be routed through the network. IP source routing can allow a hacker to specify a route for a network packet to follow, possibly to bypass a firewall or an Intrusion Detection System (IDS). A hacker could also use source routing to capture network traffic by routing it through a system controlled by the attacker.
A hacker would have to control either a routing device or an end-point device in order to modify a packet's route through the network. However, tools are available on the Internet that would allow a hacker to specify source routes. Tools are also available to modify network routing using vulnerabilities in some routing protocols.
Source routing can be disabled using the global command: no ip source-route.
Finger Service
The finger service allows a hacker to find out who is logged into the router and to discover valid login names. The information they could access includes the processes running on the system, the line number, connection name, idle time, and terminal location. This information is provided through the Cisco IOS software show users EXEC command. Unauthorized persons can use this information for reconnaissance attacks.
This service can easily be disabled using the global command: no service finger or no ip finger (depending on the version of code). This command keeps your router from replying to finger requests. In addition to this command, an inbound access list that blocks port 79 should be applied.
Proxy ARP
This feature configures the router to act as a proxy for Layer 2 address resolution when hosts have no default gateway configured. When a host sends an ARP request, the router responds to it with its own MAC address as the one to use for the remote system. When DHCP is being used, there is no need to have Proxy ARP enabled. Attackers may be able to spoof packets and gather information about your router and your network.
Proxy ARP can be disabled on the interface with the following command: no ip proxy-arp.
IP Directed Broadcast
This is enabled by default prior to Cisco IOS software Release 12.0 and disabled by default in release 12.0 or
later. IP-directed broadcasts are used in the smurf denial of service (DoS) attack and other related attacks.
Services that Are Disabled by Default
Configuration Auto-loading
Auto-loading of configuration files from a network server should remain disabled when not in use by the router.
FTP Server
The FTP server enables you to use your router as an FTP server for FTP client requests. Because it allows access to certain files in the router Flash memory, this service should remain disabled when it is not required.
TFTP Server
The TFTP server enables you to use your router as a TFTP server for TFTP clients. It allows access to certain files in your Flash memory. This service should remain disabled if not required.
Network Time Protocol (NTP)
When enabled, the router acts as a time server for other network devices. If configured insecurely, NTP can be used to corrupt the router clock and, potentially, the clock of other devices that learn time from the router. Correct time is essential for setting proper time stamps for IPsec encryption services, log data, and diagnostic and security alerts. If this service is used, restrict which devices have access to NTP.
ICMP Mask Reply
When enabled, this service tells the router to respond to ICMP mask requests by sending ICMP mask reply messages containing the interface IP address mask. This information can be used to map the network, and this service should be explicitly disabled on interfaces to untrusted networks.
TCP keepalives
TCP keepalives help terminate TCP connections where a remote host has rebooted or otherwise stopped processing TCP traffic. Such a connection could become orphaned, and a hacker could attempt a DoS attack against a Cisco router by exhausting the number of possible connections. TCP keepalives should be enabled globally to confirm that a remote connection is valid and, if not, terminate any orphaned connections.
This can be configured from global configuration mode with the command service tcp-keepalives-in.
Additional Security Issues
In addition to the services listed above, the following security issues should be considered when configuring a
Cisco router.
Router Interfaces
Unused router interfaces should be disabled to limit unauthorized access to the router and to the network.
Connection Timeout
Connection timeouts can be configured for console ports, auxiliary ports, and VTY lines. If an administrator does not correctly terminate the connection, it will automatically close after the timeout expires. However, if a timeout is not configured, or is configured to be a long timeout, an unauthorized user may be able to gain access using the administrator's previously logged-in connection.
The attacker would have to gain physical access to the device to use the console port. A default timeout of 10 minutes is configured on the router console port.
Software Version
It is extremely important that software be regularly maintained with patches and upgrades in order to help
mitigate the risk of a hacker exploiting a known software vulnerability.
Auxiliary Port
The auxiliary port's primary purpose is to provide remote administration capability. It can allow a remote administrator to use a modem to dial into the Cisco device.
If not in use, the auxiliary port EXEC should be disabled. This can be done with the no exec command on the aux port.
If the auxiliary port is required for remote administration, the callback feature can be configured to dial a specific preconfigured telephone number for additional security.
Minimum Password Length
Cisco introduced an option with IOS version 12.3(1) that forces user, enable, secret, and line passwords to meet a minimum length. This setting was introduced to help prevent the use of short passwords. With a small minimum password length configured, it is possible for a short password to be used. If a hacker were able to gain a password through a dictionary attack or by a brute-force method, the attacker could gain a level of access to the router. This is made more serious by the fact that a number of dictionary-based password guessing and password brute-force tools are available on the Internet.
A requirement for a minimum password length can be configured with the following command: security passwords min-length length.
Service Password Encryption
Cisco service passwords are stored by default in their clear-text form rather than being encrypted.
If a malicious user were to see a Cisco configuration that contained clear-text passwords, they could use the passwords to access the device. The Cisco password encryption service should be enabled. It can be started with the following Cisco global command: service password-encryption.
Even though these passwords can be easily decrypted with tools available on the Internet, they are still more secure than clear-text passwords. In addition, the encryption prevents an unauthorized person from looking over an administrator's shoulder and reading the passwords in clear text.
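Most of the items in "Services that Are Enabled by Default" and "Additional Security Issues" can be checked mechanically against a saved configuration. The Python script below is an added example, not code from this white paper or from Global Knowledge. It audits ordinary show running-config text for the disable commands quoted above (BOOTP, CDP, HTTP, DNS lookups, PAD, ICMP redirects, source routing, finger, Proxy ARP), for TCP keepalives, service password-encryption and security passwords min-length, and for the line timeouts and the auxiliary-port no exec setting. Its key assumption is that show running-config hides default settings, so a service that IOS enables by default is treated as still running unless the explicit "no" form of the command appears. The exec-timeout line command and the ip directed-broadcast interface keyword are IOS commands the paper does not quote, and the sample configuration at the bottom is constructed for the demonstration, not taken from a real device.

```python
"""Audit Cisco IOS 'show running-config' text for the hardening items in this paper.
Assumption: that output omits default settings, so for a service IOS enables by
default the hardened state is visible only as an explicit 'no ...' line."""
import re

# Global commands whose presence proves the service is disabled.
GLOBAL_DISABLE_LINES = [
    ("BOOTP server", "no ip bootp server"),
    ("CDP (global)", "no cdp run"),
    ("DNS lookups", "no ip domain-lookup"),
    ("PAD (X.25)", "no service pad"),
    ("IP source routing", "no ip source-route"),
]
FINGER_DISABLE_LINES = {"no service finger", "no ip finger"}  # spelling depends on IOS version
# Per-interface commands whose presence proves the feature is disabled.
INTERFACE_DISABLE_LINES = [("ICMP redirects", "no ip redirects"), ("Proxy ARP", "no ip proxy-arp")]


def parse_config(text):
    """Split a config into top-level lines and indented interface/line blocks."""
    global_lines, blocks, current = set(), {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' ends a section
        elif raw.startswith(" "):  # indented: belongs to the open block
            if current is not None:
                blocks[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            global_lines.add(raw.strip())
    return global_lines, blocks


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    g, blocks = parse_config(text)
    findings = []
    for name, needed in GLOBAL_DISABLE_LINES:
        if needed not in g:
            findings.append(f"{name} still enabled (add '{needed}')")
    if not g & FINGER_DISABLE_LINES:
        findings.append("Finger still enabled (add 'no service finger' or 'no ip finger'; block TCP/79 inbound)")
    # The HTTP default is device-dependent, so flag only an explicit enable line.
    if "ip http server" in g:
        findings.append("Clear-text HTTP server enabled (add 'no ip http server')")
    if "service tcp-keepalives-in" not in g:
        findings.append("TCP keepalives off (add 'service tcp-keepalives-in')")
    if "service password-encryption" not in g:
        findings.append("Passwords stored in clear text (add 'service password-encryption')")
    if not any(re.fullmatch(r"security passwords min-length \d+", line) for line in g):
        findings.append("No minimum password length (add 'security passwords min-length <n>')")
    for header, children in blocks.items():
        if header.startswith("interface "):
            if "shutdown" in children:
                continue  # unused interface already disabled, as the paper recommends
            for name, needed in INTERFACE_DISABLE_LINES:
                if needed not in children:
                    findings.append(f"{header}: {name} still enabled (add '{needed}')")
            # Conclusive only on IOS 12.0+, where directed broadcast is hidden when off.
            if "ip directed-broadcast" in children:
                findings.append(f"{header}: directed broadcasts enabled (smurf amplifier)")
        else:  # line con / aux / vty
            timeout = next((c.split()[1:] for c in children if c.startswith("exec-timeout ")), None)
            if timeout and all(int(v) == 0 for v in timeout):
                findings.append(f"{header}: exec-timeout 0 disables the idle timeout")
            if header.startswith("line aux") and "no exec" not in children:
                findings.append(f"{header}: EXEC enabled on auxiliary port (add 'no exec' if unused)")
    return findings


# Constructed sample running-config (not from a real device), only partly hardened.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
no service pad
no ip domain-lookup
ip http server
no ip source-route
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
 ip directed-broadcast
!
interface FastEthernet1/0
 shutdown
!
line con 0
 exec-timeout 0 0
line aux 0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports eleven findings: the missing BOOTP, CDP and finger disables, the clear-text HTTP server, the missing password encryption and minimum length, ICMP redirects on FastEthernet0/0, Proxy ARP and directed broadcasts on FastEthernet0/1, the console line whose idle timeout is switched off, and the auxiliary port with EXEC still enabled; the shut-down interface is skipped. Because the parser only understands the two-level layout of interface and line blocks, a config where a hardening line is present but hidden by show running-config (for example on an older IOS that never displays the default) still counts as a finding, which is the safe direction for an audit.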
Summary
All of the potential vulnerabilities listed in this paper can be real threats to Cisco routers. An awareness of these threats will be instrumental in securing your Cisco routers.
Again, this was not intended to be an exhaustive listing of all services enabled on Cisco routers that could create vulnerabilities, nor of all best practices for configuring Cisco routers. The intent of this paper has been for it to be a vehicle for discussion regarding the security of those routers.
Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge.
Check out the following Global Knowledge courses:
CCNA Boot Camp v2.0
ISCW – Implementing Secure Converged Wide Area Networks
IINS – Implementing Cisco IOS Unified Communications
CCDA Boot Camp
For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a
sales representative.
Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our
expert instructors draw upon their experiences to help you understand key concepts and how to apply them to
your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning,
and On-site sessions, to meet your IT and management training needs.
About the Author
Carol Kavalla’s background includes teaching at Rockland Community College in New York, managing networks
and being a consultant for the NYS small business development center. For the last eight and a half years Carol
has taught for Global Knowledge and is certified to teach nine Cisco courses: ICND1, ICND2, CCDA, BSCI,
BCMSN, TCN, ICMI, BGP and ARCH. She also has a consulting firm in Charleston, South Carolina where she
works with small companies (100-200 nodes) installing, configuring routers and switches, and troubleshooting
network problems.
Copyright ©2009 Global Knowledge Training LLC. All rights reserved. 8
References
Akin,Thomas. Cisco Router Device Router Security Report.
Akin,Thomas. Hardening Cisco Routers. O’Reilly Media, Inc. Sebastopol, CA. 2002.
Akin,Thomas. Implementing Security Wide Area Networks.

Más contenido relacionado

La actualidad más candente

012 2 ccna sv2-instructor_ppt_ch9
012 2 ccna sv2-instructor_ppt_ch9012 2 ccna sv2-instructor_ppt_ch9
012 2 ccna sv2-instructor_ppt_ch9
Babaa Naya
 
04 ccna sv2 instructor_ppt_ch5
04 ccna sv2 instructor_ppt_ch504 ccna sv2 instructor_ppt_ch5
04 ccna sv2 instructor_ppt_ch5
Babaa Naya
 
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLICCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
Hoàng Hải Nguyễn
 
Firewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaFirewall arch by Tareq Hanaysha
Firewall arch by Tareq Hanaysha
Hanaysha
 
Final report firewall reconciliation
Final report   firewall reconciliationFinal report   firewall reconciliation
Final report firewall reconciliation
Gurjan Oberoi
 

La actualidad más candente (20)

012 2 ccna sv2-instructor_ppt_ch9
012 2 ccna sv2-instructor_ppt_ch9012 2 ccna sv2-instructor_ppt_ch9
012 2 ccna sv2-instructor_ppt_ch9
 
04 ccna sv2 instructor_ppt_ch5
04 ccna sv2 instructor_ppt_ch504 ccna sv2 instructor_ppt_ch5
04 ccna sv2 instructor_ppt_ch5
 
hakin9_6-2006_str22-33_snort_EN
hakin9_6-2006_str22-33_snort_ENhakin9_6-2006_str22-33_snort_EN
hakin9_6-2006_str22-33_snort_EN
 
Palo alto networks NAT flow logic
Palo alto networks NAT flow logicPalo alto networks NAT flow logic
Palo alto networks NAT flow logic
 
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLICCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
 
Tech f42
Tech f42Tech f42
Tech f42
 
Cipc
CipcCipc
Cipc
 
Palo Alto Virtual firewall deployment guide on OpenStack Cloud
Palo Alto Virtual firewall deployment guide on OpenStack Cloud  Palo Alto Virtual firewall deployment guide on OpenStack Cloud
Palo Alto Virtual firewall deployment guide on OpenStack Cloud
 
CCNP Security-VPN
CCNP Security-VPNCCNP Security-VPN
CCNP Security-VPN
 
Firewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaFirewall arch by Tareq Hanaysha
Firewall arch by Tareq Hanaysha
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewall
 
Final report firewall reconciliation
Final report   firewall reconciliationFinal report   firewall reconciliation
Final report firewall reconciliation
 
Презентация Huawei на совместном вебинаре, 30.11.2016
Презентация Huawei на совместном вебинаре, 30.11.2016 Презентация Huawei на совместном вебинаре, 30.11.2016
Презентация Huawei на совместном вебинаре, 30.11.2016
 
AF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalAF-23- IPv6 Security_Final
AF-23- IPv6 Security_Final
 
MIT EmTech TR35 India 2011
MIT EmTech TR35 India 2011MIT EmTech TR35 India 2011
MIT EmTech TR35 India 2011
 
FortiGate Firewall HOW-TO - DMZ
FortiGate Firewall HOW-TO - DMZFortiGate Firewall HOW-TO - DMZ
FortiGate Firewall HOW-TO - DMZ
 
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallHow to configure cisco asa virtual firewall
How to configure cisco asa virtual firewall
 
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsCCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systems
 
Holland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videoHolland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_video
 

Similar a All about routers

8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco router
IT Tech
 
Router security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summaryRouter security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summary
moonmanik
 
gkk_2021123rg5hSecurity essentials domain 2
gkk_2021123rg5hSecurity essentials   domain 2gkk_2021123rg5hSecurity essentials   domain 2
gkk_2021123rg5hSecurity essentials domain 2
Anne Starr
 
gkkSecurity essentials domain 2
gkkSecurity essentials   domain 2gkkSecurity essentials   domain 2
gkkSecurity essentials domain 2
Anne Starr
 
gkk20211e4djwew4dSecurity essentials domain 2
gkk20211e4djwew4dSecurity essentials   domain 2gkk20211e4djwew4dSecurity essentials   domain 2
gkk20211e4djwew4dSecurity essentials domain 2
Anne Starr
 
Basic ccna interview questions and answers ~ sysnet notes
Basic ccna interview questions and answers ~ sysnet notesBasic ccna interview questions and answers ~ sysnet notes
Basic ccna interview questions and answers ~ sysnet notes
Vamsi Krishna Kalavala
 

Similar a All about routers (20)

8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco router
 
Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)
 
Chapter 5 Routing.pptx
Chapter 5 Routing.pptxChapter 5 Routing.pptx
Chapter 5 Routing.pptx
 
CompTIA Security Plus Overview
CompTIA Security Plus OverviewCompTIA Security Plus Overview
CompTIA Security Plus Overview
 
Router security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summaryRouter security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summary
 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security concepts
 
gkk_2021123rg5hSecurity essentials domain 2
gkk_2021123rg5hSecurity essentials   domain 2gkk_2021123rg5hSecurity essentials   domain 2
gkk_2021123rg5hSecurity essentials domain 2
 
gkkSecurity essentials domain 2
gkkSecurity essentials   domain 2gkkSecurity essentials   domain 2
gkkSecurity essentials domain 2
 
gkk20211e4djwew4dSecurity essentials domain 2
gkk20211e4djwew4dSecurity essentials   domain 2gkk20211e4djwew4dSecurity essentials   domain 2
gkk20211e4djwew4dSecurity essentials domain 2
 
CCNA FUNDAMENTAL
CCNA FUNDAMENTALCCNA FUNDAMENTAL
CCNA FUNDAMENTAL
 
093049ov5.pptx
093049ov5.pptx093049ov5.pptx
093049ov5.pptx
 
class12_Networking2
class12_Networking2class12_Networking2
class12_Networking2
 
Advanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkAdvanced RAC troubleshooting: Network
Advanced RAC troubleshooting: Network
 
Basic ccna interview questions and answers ~ sysnet notes
Basic ccna interview questions and answers ~ sysnet notesBasic ccna interview questions and answers ~ sysnet notes
Basic ccna interview questions and answers ~ sysnet notes
 
CCNA3 Verson6 Chapter1
CCNA3 Verson6 Chapter1CCNA3 Verson6 Chapter1
CCNA3 Verson6 Chapter1
 
Securityic2
Securityic2Securityic2
Securityic2
 
Topic22
Topic22Topic22
Topic22
 
ENSA_Module_10.pptx
ENSA_Module_10.pptxENSA_Module_10.pptx
ENSA_Module_10.pptx
 
DDOS (1).ppt
DDOS (1).pptDDOS (1).ppt
DDOS (1).ppt
 
CCNA 2 Routing and Switching v5.0 Chapter 4
CCNA 2 Routing and Switching v5.0 Chapter 4CCNA 2 Routing and Switching v5.0 Chapter 4
CCNA 2 Routing and Switching v5.0 Chapter 4
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

All about routers

  • 1. Expert Reference Series ofWhite Papers 1-800-COURSES www.globalknowledge.com HowVulnerable Are Your Cisco IOS Routers?
  • 2. Copyright ©2009 Global Knowledge Training LLC. All rights reserved. 2 HowVulnerable AreYour Cisco IOS Routers? Carol Kavalla, Global Knowledge Instructor, BS, CCSI, CCDP Introduction Security of the network is a top priority for companies. Of course, this would include securing Cisco routers. It may be surprising to some that Cisco routers run many services that could create vulnerabilities. Some of these services are enabled by default. This white paper lists a number of the services that should be disabled and why.Additionally, some best prac- tices for securing your Cisco routers are defined. This is not intended to be an exhaustive listing of all services enabled on Cisco routers that could create vulner- abilities, nor of all best practices for configuring Cisco routers.There are several Cisco security courses that cover this information in depth. Rather, this paper is meant to be a vehicle for discussion regarding the security of Cisco routers. Services that Are Enabled by Default The services below are enabled by default (in some cases depending on the version of IOS installed on the router) and should be disabled if not in use. BOOTP server This allows a router to act as a BOOTP server for other routers; thereby allowing them to load their operating system over the network from the router acting as the BOOTP server. A hacker could use the BOOTP service to download a copy of the router’s IOS software.The tools for this type of attack are available on the Internet. If not required, the BOOTP service should be disabled.The following global command can be used to disable BOOTP: no ip bootp server. Cisco Discovery Protocol (CDP) Cisco Discover Protocol is used to obtain information about directly connected Cisco neighbors.The informa- tion gleaned from CDP includes ip addresses, hardware model information, and operating system version.This
  • 3. Copyright ©2009 Global Knowledge Training LLC. All rights reserved. 3 feature could allow a hacker to gain information about the configuration of the device and of the network infrastructure. If not needed, it should be disabled globally or on an interface by interface basis. CDP can be disabled globally with the no cdp run command and on the interface with the no cdp enable command. CDP needs to be enabled when using Cisco IP phones. If it has been disabled globally on the switch, it can be enabled on the interface using the cdp enable command. There are several known attacks on the Cisco IP Phone CDP feature, so it is a decision for each network adminis- trator to determine the risk versus the obvious benefits of CDP to support Cisco IP Telephony solutions. HTTP Configuration and Monitoring The default setting for this service is device-dependent. HTTP service allows the router to be monitored or con- figured from a web browser. HTTP is a clear-text protocol and is vulnerable to various packet-capture methods. A hacker could monitor network traffic and capture authentication usernames and passwords.This issue is made more serious when the enable password is used for authentication because this knowledge would give the at- tacker full administrative access to the device. Once usernames and passwords have been captured, it is simply a matter of using the credentials to log into the router. If not required, the HTTP service should be disabled. If web access to the device is required, consider using HTTPS or Secure Shell (SSH).The encrypted HTTPS and SSH services may require an IOS or hardware upgrade. The HTTP service can be disabled with the following IOS global command: no ip http server. Domain Name System (DNS) By default, Cisco routers broadcast name requests to 255.255.255.255.A hacker who is able to capture network traffic could monitor DNS queries from the Cisco Router. 
Domain lookups can be disabled with the following global command: no ip domain-lookup. Packet Assembler / Disassembler (PAD) The Packet Assembler / Disassembler service enables X.25 connections between network systems.The PAD ser- vice is enabled by default on most Cisco IOS devices, but it is only required if support for X.25 links is necessary. Running unused services increases the chances of a hacker finding a security hole or compromising a device. The PAD service can be disabled with the following global configuration: no service pad.
Internet Control Message Protocol (ICMP) Redirects

ICMP redirects cause the router to send ICMP redirect messages whenever the router is forced to resend a packet through the same interface on which it was received. By sending ICMP redirects, a hacker can redirect packets to an untrusted device. To stop ICMP redirects, use the following interface command: no ip redirects. This needs to be done on all interfaces.

IP Source Routing

IP source routing is a feature whereby a network packet can specify how it should be routed through the network. IP source routing can allow a hacker to specify a route for a network packet to follow, possibly to bypass a firewall or an Intrusion Detection System (IDS). A hacker could also use source routing to capture network traffic by routing it through a system controlled by the attacker.

A hacker would have to control either a routing device or an end point device in order to modify a packet's route through the network. However, tools are available on the Internet that would allow a hacker to specify source routes. Tools are also available to modify network routing using vulnerabilities in some routing protocols. This can be disabled using the global command: no ip source-route.

Finger Service

The finger service allows a hacker to find out who is logged into the router and allows them to find out valid login names. The information they could access includes the processes running on the system, the line number, connection name, idle time, and terminal location. This information is provided through the Cisco IOS software show users EXEC command. Unauthorized persons can use this information for reconnaissance attacks. This service can easily be disabled using the global command: no service finger or no ip finger (depending on the version of code). This command keeps your router from replying to finger requests.
In addition to this command, an inbound access list that blocks port 79 should be applied.

Proxy ARP

This feature configures the router to act as a proxy for Layer 2 address resolution when hosts have no default gateway configured. When a host sends an ARP request, the router responds to it with its own MAC address as the one to use for the remote system. When DHCP is being used, there is no need to have Proxy ARP enabled. Attackers may be able to spoof packets and gather information about your router and your network. Proxy ARP can be disabled on the interface with the following command: no ip proxy-arp.
IP Directed Broadcast

This is enabled by default prior to Cisco IOS software Release 12.0 and disabled by default in Release 12.0 or later. IP-directed broadcasts are used in the smurf denial of service (DoS) attack and other related attacks.

Services that Are Disabled by Default

Configuration Auto-loading

Auto-loading of configuration files from a network server should remain disabled when not in use by the router.

FTP Server

The FTP server enables you to use your router as an FTP server for FTP client requests. Because it allows access to certain files in the router Flash memory, this service should remain disabled when it is not required.

TFTP Server

The TFTP server enables you to use your router as a TFTP server for TFTP clients. It allows access to certain files in your Flash memory. This service should remain disabled if not required.

Network Time Protocol (NTP)

When enabled, the router acts as a time server for other network devices. If configured insecurely, NTP can be used to corrupt the router clock and, potentially, the clock of other devices that learn time from the router. Correct time is essential for setting proper time stamps for IPsec encryption services, log data, and diagnostic and security alerts. If this service is used, restrict which devices have access to NTP.

ICMP Mask Reply

When enabled, this service tells the router to respond to ICMP mask requests by sending ICMP mask reply messages containing the interface IP address mask. This information can be used to map the network, and this service should be explicitly disabled on interfaces to untrusted networks.
TCP Keepalives

TCP keepalives help terminate TCP connections where a remote host has rebooted or otherwise stopped processing TCP traffic. Such a connection could become orphaned, and a hacker could attempt a DoS attack against a Cisco router by exhausting the number of possible connections. TCP keepalives should be enabled globally to confirm that a remote connection is valid and, if not, terminate any orphaned connections. This can be configured from global configuration mode with the command service tcp-keepalives-in.

Additional Security Issues

In addition to the services listed above, the following security issues should be considered when configuring a Cisco router.
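The service settings covered so far, together with the password settings discussed below, lend themselves to a quick configuration audit. The following Python script is an added example, not material from the white paper: it checks a saved running-config for the global and interface commands recommended here. The sample configuration and the password-length threshold are constructed assumptions.

```python
"""Audit a saved Cisco IOS running-config for the hardening commands discussed
above. Added example, not from the white paper; SAMPLE_CONFIG is constructed."""
import re
# Global-mode lines expected in a hardened config; each tuple lists the accepted
# spellings (the finger command varies by IOS version, as noted above).
GLOBAL_REQUIRED = [("no ip bootp server",), ("no cdp run",), ("no ip http server",),
                   ("no ip domain-lookup",), ("no service pad",), ("no ip source-route",),
                   ("no service finger", "no ip finger"), ("service password-encryption",),
                   ("service tcp-keepalives-in",)]
# Interface-mode lines for services enabled by default. IOS leaves default settings
# out of a running-config, so 'no ip directed-broadcast' (default since 12.0) is not checked.
INTERFACE_REQUIRED = ["no ip redirects", "no ip proxy-arp"]
def parse_interfaces(config):
    """Return {interface name: [stripped sub-mode lines]} for each interface block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or another top-level command ends the block
    return interfaces

def audit(config, min_password_length=8):
    """Return a list of findings; empty means all checks passed. The threshold is an assumed policy."""
    present = {line.strip() for line in config.splitlines()}
    findings = [f"global: missing '{alts[0]}'"
                for alts in GLOBAL_REQUIRED if not any(a in present for a in alts)]
    m = re.search(r"^security passwords min-length (\d+)$", config, re.M)
    if m is None or int(m.group(1)) < min_password_length:
        findings.append(f"global: 'security passwords min-length' absent or below {min_password_length}")
    for name, body in parse_interfaces(config).items():
        if "shutdown" in body:
            continue  # an unused interface that is shut down needs no further checks
        findings += [f"{name}: missing '{cmd}'" for cmd in INTERFACE_REQUIRED if cmd not in body]
    return findings
SAMPLE_CONFIG = """service password-encryption
no ip bootp server
no ip source-route
no cdp run
no ip http server
security passwords min-length 10
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
interface FastEthernet0/1
 shutdown
"""
```

Run audit() over the text of show running-config saved from a device; each finding names the missing command and, for interface checks, the interface it belongs on.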
Router Interfaces

Unused router interfaces should be disabled to limit unauthorized access to the router and to the network.

Connection Timeout

Connection timeouts can be configured for console ports, auxiliary ports, and VTY lines. If an administrator does not correctly terminate the connection, it will automatically close after the timeout expires. However, if a timeout is not configured, or is configured to be a long timeout, an unauthorized user may be able to gain access using the administrator's previously logged-in connection. The attacker would have to gain physical access to the device to use the console port. A default timeout of 10 minutes is configured on the router console port.

Software Version

It is extremely important that software be regularly maintained with patches and upgrades in order to help mitigate the risk of a hacker exploiting a known software vulnerability.

Auxiliary Port

The auxiliary port's primary purpose is to provide remote administration capability. It can allow a remote administrator to use a modem to dial into the Cisco device. If not in use, the auxiliary port exec should be disabled. This can be done with the no exec command on the aux port. If the auxiliary port is required for remote administration, the callback feature can be configured to dial a specific preconfigured telephone number for additional security.

Minimum Password Length

Cisco introduced an option with IOS version 12.3(1) that forces user, enable, secret, and line passwords to meet a minimum length. This setting was introduced to help prevent the use of short passwords. With a small minimum password length configured, it is still possible for a short password to be used.
If a hacker were able to obtain a password through a dictionary attack or by a brute-force method, the attacker could gain a level of access to the router. This is made more serious by the fact that a number of dictionary-based password guessing and password brute-force tools are available on the Internet. A requirement for a minimum password length can be configured with the following command: security passwords min-length length.

Service Password Encryption

Cisco service passwords are stored by default in their clear-text form rather than being encrypted.
If a malicious user were to see a Cisco configuration that contained clear-text passwords, they could use the passwords to access the device. The Cisco password encryption service should be enabled. It can be started with the following Cisco global command: service password-encryption. Even though these passwords can be easily decrypted with tools available on the Internet, they are still more secure than clear-text passwords. In addition, the encryption prevents an unauthorized person from looking over an administrator's shoulder and reading the passwords in clear text.

Summary

All of the potential vulnerabilities listed in this paper can be real threats to Cisco routers. An awareness of these threats will be instrumental in securing your Cisco routers.

Again, this was not intended to be an exhaustive listing of all services enabled on Cisco routers that could create vulnerabilities, nor of all best practices for configuring Cisco routers. The intent of this paper has been for it to be a vehicle for discussion regarding the security of those routers.

Learn More

Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:

CCNA Boot Camp v2.0
ISCW – Implementing Secure Converged Wide Area Networks
IINS – Implementing Cisco IOS Unified Communications
CCDA Boot Camp

For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation.
Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.

About the Author

Carol Kavalla's background includes teaching at Rockland Community College in New York, managing networks, and being a consultant for the NYS small business development center. For the last eight and a half years Carol has taught for Global Knowledge and is certified to teach nine Cisco courses: ICND1, ICND2, CCDA, BSCI, BCMSN, TCN, ICMI, BGP and ARCH. She also has a consulting firm in Charleston, South Carolina, where she works with small companies (100-200 nodes) installing and configuring routers and switches, and troubleshooting network problems.