CISCO ROUTER AUDIT
Courtesy of and with permission of Ted Schwartz, Jefferson Wells International

Layered Architecture
[Diagram: two OSI stacks, labelled Email/Sales, with layers 7 to 1: Application, Presentation, Session, Transport, Network, Data Link, Physical.]

Topology Architecture
[Diagram: hubs for the Exec. LAN, HR Dept., Sales Dept., Accounting Dept. and IT Dept., connected through Routers A to F over Frame Relay, T1 and HDLC links.]

Where and What do POLICIES refer to?

What is tested in an Audit
Applications: Email, DNS, LOGIN, Directory Services, Routing Table Sharing, SNMP, TFTP, BootP, DHCP, Web Servers (internal and external), Accounting (GL, AP, AR, PR), Human Resources, Groupware, Port Scan
Transport: Session Controls, SYN Flood, SSL
Internetwork/Net.: Address Scanning, Ping of Death, Ping Flood, IP Address Spoofing
Network Interface/DL: NIC/MAC address spoofing, Sniffing

Enterprise Physical Topological Architecture
[Diagram: hubs interconnected by two router chains, Routers F-B-A and Routers C-E-D.]

[Diagram: Internet and External Client, External (packet filtering) Router G, DMZ Zone with the Email Server, Internal Router D, Intranet, Firewall, Routers C and E, and hubs.]

Material Needs
1. Obtain these if available: company network policies and a printout of router rulebases; a network map; a list of network-supported business applications and network support applications; copies of a sample of network logs; a list of network security applications (virus checker, firewalls, routers, RADIUS server, TACACS or RADIUS server, TFTP, SNMP, Active Directory, Netware Directory Services, intrusion detection, VLANs, VPN).
2. What business applications are supported by the network versus being on stand-alone servers? Are they distributed or stand-alone? If applications are distributed, are there overlay maps and operation descriptions describing the distributed updates?
3. Which of the applications listed in the audit test page does this company use? If used, are they distributed or stand-alone applications? Who is responsible for each application?

Audit Program Preparation
1. Security Policy – definition of access allowed to corporate assets by users and other applications.
2. Map the users, applications, users of applications, and managers of applications.
3. Obtain all distributed overlay network maps with operations descriptions. If not available, and if this is a full security audit, draw and describe each application's operations, then answer these questions on a per-application basis:
   a. How often is data distributed?
   b. How are updates secured?
   c. Are updates done via VPN?

Audit Notes
1. Remember each network conversation is two ways through a router.
2. Security Policy – definition of access allowed to corporate assets by users and other applications.
3. Risk – the possible loss or malfunction related to use of a corporate asset.
4. Access Control – controlling access to a network by using a network device to limit the type and amount of data allowed to be transmitted across the network.
5. Intrusion – an action taken by someone that is not allowed access to a network but gets access for reasons that are not always known.
6. Detection – having a piece of software that checks the data processing network for actions taken that are out of the ordinary. This allows the software to notify management of the activity.
7. Multi-Session Applications – applications such as FTP and HTTP that require multiple sessions to accomplish their service.
8. Stay current on network attacks and vulnerabilities.
9. Join security-related mailing lists at web sites such as www.cert.org, www.securityfocus.com, and www.sans.org.

Access List Section
1. How are configurations maintained?
2. What are the firewall characteristics used on each router beyond layer four?
3. What standby devices exist?
4. What is the planning for upgrading the network capabilities? (VOIP, Video)
5. What protocols are forwarded that have not been mentioned?
6. What applications are supported on the network?
7. What protocols are supported by the network and in what parts are they placed?
8. What is done towards virus management?
9. What applications are supported on the network?
10. What protocols are supported by the network and in what parts are they placed?
11. What are the network security policies and how are they implemented?
12. What is done towards virus management?
13. What is done towards intrusion detection?

Access List Section
1. Are packets denied that have local host, broadcast, and multicast addresses? (If there are any exceptions, please explain.)
2. Are packets denied that have no IP address?
3. Are NFS, Andrew, X Windows used?
4. How are these protocols controlled? (NTP, SMTP, DNS, DHCP, SNMP, ICMP, LDAP, BGP, HTTP, LPD, UUCPD, TFTP, Windows FTP, RPC, POP, IMAP, NetBIOS on NT, ICMP, IGMP, RIP, OSPF, EIGRP)
5. What type of access control lists are used?
6. What audit procedures are conducted? (Scanning, log forensics, etc.)
7. What are the procedures to keep fixes and patches current?
8. What is the current IOS version running?
9. Are all of these changes documented?
10. Who approves the update process?
11. When was the last patch applied?

Configuration and Change Mgmt
1. How is configuration information maintained?
2. Are router configurations documented and authorized by management?
3. Is the configuration creation method defined and documented?
4. Is a history maintained?
5. Are vendor IOS changes maintained?
6. Are fixes and patches implemented?
7. What was the last patch implemented?
8. Are changes validated or tested?
9. Are validations and tests documented?
10. Is the processing power of the router enough, and is there enough memory?
11. Is there a procedure to test and roll out new Cisco updates?

Policy Creation
1. Are NFS, Andrew, Windows used?
2. How are these protocols controlled? (NTP, SMTP, DNS, DHCP, SNMP, ICMP, LDAP, BGP, HTTP, LPD, UUCPD, TFTP, Windows FTP, RPC, POP, IMAP, NetBIOS on NT, ICMP, IGMP, RIP, OSPF, EIGRP, JAVA, NAT, etc.)
3. Policy process questions:
   a. Was a site survey done?
   b. How was needed access to external resources determined?
   c. Is a regular review of security policy needs done?
   d. Is a disaster recovery plan in place that includes the routers?
   e. How were router assets identified and located?
   f. How were the standards created for classifying router policy?
   g. How were threat assessment standards set up?
   h. Who is responsible for security policy enforcement at the Cisco router level?
   i. How were procedure changes evaluated related to impact on business and employees?
4. Are company security policies kept up to date?
5. Are security attack profiles kept up to date?
6. What are the policies related to implementation of new security technologies?

Policy Creation
1. Do written policies exist for router use?
2. Do the router policies define rules of conduct, roles and responsibilities?
3. Do policies define objectives rather than how-to or ACLs?
4. Do policies cover multiple levels of security depending on the tasks needing to be accomplished?
5. Are services and policies that are not stated as allowed assumed to be denied?
6. Are the network security policies regularly reviewed?
7. Is there a security policy defined for physical damage to the router?
8. Is the cryptographic algorithm described in a policy?
9. Which assets are listed on network policy documents?
10. Are software assets identified with users and user authority?
11. Do policies spell out the asset, control types, and authority to change controls?
12. Who approves the update process?
13. When was the last patch applied?
14. Is it stated exactly who can log in directly to the router?
15. Are standards defined on how to implement policies?
16. Do policies define exactly what assets are protected by the router?
17. Have policies had a legal review by the legal department?
18. Is the person with ultimate authority over router policy stated in a policy?
19. Are the network security areas defined in the remainder of the ICQ spelled out in security policy?

Intrusion Detection Audit and Logging
1. Are logging methods documented?
2. Do alerting and escalation procedures exist?
3. Do the procedures exist for 24-hour operation?
4. Are advanced logging techniques used? (Syslog)
5. What is the media that logging is archived to? (OS)
6. Is Cisco IDS implemented on the local routers?
7. Are personnel trained in the Intrusion Detection System?
8. Does a policy exist for the IDS?
9. Are IDS configurations defined for each router?
10. Who is authorized to deal with router IDS and forensics?
11. Does support documentation exist for operational methods, logging and forensics?
12. How are alerts generated for individual applications reviewed by CBAC?
13. What and when are audit exceptions investigated?
14. How are the exceptions documented?
15. What events are audited?
16. How long are audit logs kept?
17. What tools are used for audit tests?
18. Are tools regularly used to test security?
19. Is logging configured on exec, commands, connections and system?
20. How often is logging information reviewed?

Intrusion Detection Audit and Logging
1. Are router log updates sent to a separate computer?
2. Is the separate logging computer hardened? (Unnecessary services are disabled.)
3. Is the computer on a trusted network?
4. Is logging matched to security policies?
5. Is logging reviewed on a regular basis? When was the last review done for each router?
6. Are all router configuration changes logged?
7. Are all ACL rule results logged?
8. Is the time control over logging established and redundant?
9. Does your company have an Intrusion Detection System such as Cisco IDS?
10. What features does it have? (Alarm and Display Management, Data Archive, Multiple Level Management, Centralized Configuration Management, Notification Modules, and Security Database)

Password and Access Management
1. Are passwords implemented according to requirements?
2. Is there a minimum size set for passwords, and what is it?
3. Are password changes done according to policy?
4. Are tests done on password strength?
5. What is the process set for initial passwords?
6. Do users share passwords?
7. How are passwords communicated to the user after being set?
8. Is a central access authority used? (RADIUS, TACACS)
9. Is the TACACS-server notify command used to send a message when a user makes a TCP connection, logs out, or enters the enable command?
10. Is extended TACACS configured?
11. How are forgotten passwords dealt with?
12. Do the router administrators understand how to bypass the enable password?
13. Is a browser used for router configuration?
14. Are routers accessed through remote devices? (Dialup, Firewall I)
15. Are exec passwords put on the control and auxiliary ports?
16. Has a login banner been created to discourage inappropriate logins?
17. Is IPSEC, Kerberos or SSH used for remote management of the router?

Physical Security
1. Are the routers secured physically?
2. Is access to the area restricted to staff that administer routers?
3. Is the physical location locked and alarmed?
4. If the router is administered remotely, are those devices physically secure?
5. Are alerts issued if entry is made, and are they handled?
6. Is physical security organized so as to prevent overlooked security weaknesses?
7. Is a control port used for access?
8. Is the auxiliary port used for access?
9. Is there standby equipment available nearby?
10. Are the physical ID numbers listed on a document?

Specific Protocol Controls
1. Is telnet used to administer the router?
2. If telnet is used, make sure access is granted only to specific nodes.
3. Is "service password encryption" set?
4. Is MD5 encryption used for privileged mode?
5. Is CDP disabled on all interfaces?
6. Is SNMP used for management?
7. If SNMP is used, have the community access level passwords or community names been changed?
8. Is SNMP version III used?
9. Ensure that virtual terminal timeouts are set.
10. If ICMP is used, are these blocked on the Internet interface: echo in both directions, time exceeded, redirect, and unreachable?
11. Are inbound packets addressed to the router or to 127.0.0.1 on the internal interface dropped and logged?
12. Is HTTP used to access the router?
13. If appropriate, is the HTTP-access command used to authorize access to certain addresses?
14. If DNS is used, only allow DNS traffic to a specific server.
15. Are DNS responses allowed to leave the screened subnet?

General Audit Questions
1. If CBAC is used, are the inspection rules used to deal with FTP, TFTP, etc.?
2. Are inspection rules applied to the appropriate interface?
3. Is the console line set to time out if a user walks away from a logged-in terminal?
4. Is MD5 encryption used instead of Cisco proprietary encryption?
5. Is RIP and OSPF neighbor authentication used?
6. How is the key distributed?
7. Is a common key used for any group of routers?
8. Are any methods used to increase convergence time in OSPF and RIP? (Increased convergence time being a security value.)
9. Is the distribution-list command used to suppress updates from other routers? (OSPF related to external systems)

Command Examples
COMMAND – EXPLANATION
• service password encryption – sets password encryption
• no ip finger – disables finger
• no ip source route – does not allow source routing
• exec-timeout – times out the connection
• no cdp run – turns off CDP
• access-list list-number (deny/permit) protocol source source-wildcard source-qualifiers destination destination-wildcard destination-qualifiers log – qualifiers are items that affect the previously listed access-list command, such as the source and destination address shown earlier

TCP Termination and ACLs
TCP termination is critical to the following Access Control List functions implemented on Cisco routers.

The first ACL control type is:
a. TCP Intercept watches for sessions initiated without an ACK in response to the SYN. If a Cisco router has TCP Intercept set, it watches for the ACK-to-SYN relationship and limits the number of requests without an ACK. (This prevents SYN flood denial of service attacks against a server.)
b. It limits the number of unacknowledged sessions to 1100 by default. If it reaches 1100, it removes the oldest session initiation from its table.
c. It waits 5 seconds after the FIN to terminate a session, allowing for a reset.
d. Retransmission timeouts are normally set at one second (2, 4, 8, 16, and 32). Under aggressive mode, the timeout is halved to .05 seconds and so on. This is done per one-minute sample period.
e. This is done when Context Based ACLs are inactive.

The second ACL control type is:
a. Based upon a session request from a trusted network, the router waits for the return packets with the appropriate information swapped.
b. Reflexive Access Lists base the access through a router on a session basis. This ACL type operates on TCP outbound upper-layer session information.
Based upon the Acknowledge or Reset bits being on, the ACL determines if a packet is the first packet of a session. It also checks additional session information, such as port and network address, when establishing a session-related temporary access list that will be removed at the end of the session.

Lock and Key ACLs
1. Lock and Key access lists allow temporary access through the firewall after authentication by a name and password.
2. A telnet session will initiate temporary access through a router.
3. After the temporary access is terminated, regular standard and static extended ACLs are used.
4. It does not work with multi-channel applications such as FTP.
5. It limits the opportunity time for break-ins by hackers.

Content Based ACLs
1. The capability is available in the Cisco Firewall Set.
2. It creates temporary entries on the appropriate interface when a session is initiated from a trusted network.
3. It inspects control information on the control channels of TCP multi-channel applications, such as File Transfer Protocol and H.323.
4. It does work with UDP sessions, but must approximate the session state information, unlike the TCP state information that is in a Transmission Control Block.
5. Temporary sessions mean limits on open access and removal of ACL entries at the end of a session.
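As an added example (not from the slides), the configuration checks from the Specific Protocol Controls and Command Examples sections above, run over a constructed running-config excerpt. Each check is either a hardening line that should be present (service password-encryption, enable secret, no ip finger, no ip source-route, no cdp run, a remote logging host) or a risky line that should be absent (a default SNMP community, telnet on the vty lines, exec-timeout 0 0); the hostname, addresses and values are made up.

```python
import re

# Constructed sample "show running-config" excerpt for illustration; not from a real
# device and not from the original slides. IOS omits many defaults (finger, CDP and
# source routing stay on unless a "no ..." line appears), so absence is a finding.
SAMPLE_CONFIG = """\
hostname edge-rtr
no service password-encryption
enable password SAMPLE-WEAK
snmp-server community public RO
logging 10.0.0.5
line con 0
 exec-timeout 0 0
line vty 0 4
 transport input telnet
 exec-timeout 10 0
"""

# (finding text, regex matched per line, expect_present). expect_present=True means
# the regex is a hardening line that should exist; False means it is a risky line.
CHECKS = [
    ("service password-encryption not set", r"^service password-encryption$", True),
    ("enable secret (MD5) not used for privileged mode", r"^enable secret ", True),
    ("finger not disabled", r"^no ip finger$", True),
    ("IP source routing not disabled", r"^no ip source-route$", True),
    ("CDP not disabled", r"^no cdp run$", True),
    ("default SNMP community name in use", r"^snmp-server community (public|private)\b", False),
    ("telnet accepted on vty lines", r"^\s+transport input .*telnet", False),
    ("exec-timeout 0 0 (never times out) on a line", r"^\s+exec-timeout 0 0$", False),
    ("no remote syslog host configured", r"^logging (host )?\d+\.\d+\.\d+\.\d+$", True),
]

def audit_config(config):
    """Return the list of findings for one IOS config text."""
    findings = []
    for finding, pattern, expect_present in CHECKS:
        present = re.search(pattern, config, re.MULTILINE) is not None
        if present != expect_present:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("FINDING:", f)
```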
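The Access List Section above asks whether packets with local host, broadcast and multicast source addresses are denied, and the Specific Protocol Controls ask that such drops be logged. This added example (not from the slides) evaluates an inbound ACL with IOS first-match semantics, so a permit placed before the deny is caught; the ACL name FROM-INTERNET and the addresses are constructed.

```python
import ipaddress

# Constructed sample inbound ACL for the Internet-facing interface (not a real device,
# not from the slides). The limited-broadcast deny is missing; the multicast deny is unlogged.
SAMPLE_ACL = """\
ip access-list extended FROM-INTERNET
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 224.0.0.0 15.255.255.255 any
 permit tcp any host 203.0.113.10 eq 25
 deny ip any any log
"""
# Source ranges the audit question expects an Internet-facing ACL to deny (and log)
REQUIRED_DENIES = {
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "multicast": ipaddress.ip_network("224.0.0.0/4"),
    "limited broadcast": ipaddress.ip_network("255.255.255.255/32"),
}

def parse_entries(acl_text):
    """Parse permit/deny entries, in order, into (action, source network, logged)."""
    entries = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] not in ("permit", "deny"):
            continue
        if tok[2] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif tok[2] == "host":
            net = ipaddress.ip_network(tok[3] + "/32")
        else:
            # IOS wildcard mask is an inverted netmask; contiguous masks assumed
            prefix = 32 - int(ipaddress.ip_address(tok[3])).bit_length()
            net = ipaddress.ip_network((tok[2], prefix), strict=False)
        entries.append((tok[0], net, "log" in tok))
    return entries

def source_denied(entries, required):
    """First-match walk. Returns (fully denied, logged). A permit, or a deny that
    covers only part of the range, is reported as not denied (conservative)."""
    for action, net, logged in entries:
        if not net.overlaps(required):
            continue
        if action == "deny" and net.supernet_of(required):
            return True, logged
        return False, False
    return True, False  # implicit deny at the end of every IOS ACL, never logged

def audit_acl(acl_text):
    entries = parse_entries(acl_text)
    return {name: source_denied(entries, net) for name, net in REQUIRED_DENIES.items()}
```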