CISCO ROUTER AUDIT
Courtesy of and with permission of Ted Schwartz, Jefferson Wells International
Layered Architecture (diagram, labelled Email/Sales): the seven OSI layers, 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical.

Topology Architecture (diagram): Routers A through F connecting hubs for the Exec. LAN, HR Dept., Sales Dept., Accounting Dept. and IT Dept. over Frame Relay, T1 and HDLC links.
Where and what do POLICIES refer to?

What is tested in an audit (by layer):
Applications: Email, DNS, LOGIN, Directory Services, Routing Table Sharing, SNMP, TFTP, BootP, DHCP, Web Servers (internal and external), Accounting (GL, AP, AR, PR), Human Resources, Groupware
Transport: Port Scan, Session Controls, SYN Flood, SSL
Internetwork/Net.: Address Scanning, Ping of Death, Ping Flood, IP Address Spoofing
Network Interface/DL: NIC/MAC address spoofing, Sniffing
Enterprise Physical Topological Architecture (diagram): router groups F-B-A and C-E-D, each router attached to a hub.

Perimeter diagram: Internet, External Router (Router G, packet filtering router), DMZ Zone (hub, Email Server, Router C), Internal Router (Router D), Intranet (hubs, Router E); Firewall; External Client.
Material Needs
1. Obtain these if available: company network policies and printouts of router rulebases; a network map; a list of network-supported business applications and network support applications; copies of a sample of network logs; a list of network security applications (virus checker, firewalls, routers, TACACS or RADIUS server, TFTP, SNMP, Active Directory, Netware Directory Services, intrusion detection, VLANs, VPN).
2. What business applications are supported by the network versus being on stand-alone servers? Are they distributed or stand-alone? If applications are distributed, are there overlay maps and operation descriptions describing the distributed updates?
3. Which applications listed on the audit test page does this company use? If used, are they distributed or stand-alone applications? Who is responsible for each application?
Audit Program Preparation
1. Security Policy: definition of access allowed to corporate assets by users and other applications.
2. Map the users, applications, users of applications, and managers of applications.
3. Obtain all distributed overlay network maps with operations descriptions. If not available, and if this is a full security audit, draw and describe each application's operations, then answer these questions on a per-application basis:
   a. How often is data distributed?
   b. How are updates secured?
   c. Are updates done via VPN?
Audit Notes
1. Remember each network conversation is two ways through a router.
2. Security Policy: definition of access allowed to corporate assets by users and other applications.
3. Risk: the possible loss or malfunction related to use of a corporate asset.
4. Access Control: controlling access to a network by using network devices to limit the type and amount of data allowed to be transmitted across the network.
5. Intrusion: an action taken by someone who is not allowed access to a network but gets access, for reasons that are not always known.
6. Detection: having a piece of software that checks the data processing network for actions that are out of the ordinary, so that the software can notify management of the activity.
7. Multi-Session Applications: applications such as FTP and HTTP that require multiple sessions to accomplish their service.
8. Stay current on network attacks and vulnerabilities.
9. Join security-related mailing lists at web sites such as www.cert.org, www.securityfocus.com, and www.sans.org.
Access List Section
1. How are configurations maintained?
2. What are the firewall characteristics used on each router beyond layer four?
3. What standby devices exist?
4. What is the planning for upgrading the network capabilities? (VoIP, video)
5. What protocols are forwarded that have not been mentioned?
6. What applications are supported on the network?
7. What protocols are supported by the network, and in what parts are they placed?
8. What is done towards virus management?
9. What are the network security policies and how are they implemented?
10. What is done towards intrusion detection?
Access List Section
1. Are packets denied that have local host, broadcast, and multicast addresses? (If there are any exceptions, please explain.)
2. Are packets denied that have no IP address?
3. Are NFS, Andrew, or X Windows used?
4. How are these protocols controlled? (NTP, SMTP, DNS, DHCP, SNMP, ICMP, LDAP, BGP, HTTP, LPD, UUCPD, TFTP, Windows FTP, RPC, POP, IMAP, NetBIOS on NT, IGMP, RIP, OSPF, EIGRP)
5. What type of access control lists are used?
6. What audit procedures are conducted? (Scanning, log forensics, etc.)
7. What are the procedures to keep fixes and patches current?
8. What IOS versions are currently running?
9. Are all of these changes documented?
10. Who approves the update process?
11. When was the last patch applied?
Configuration and Change Mgmt
1. How is configuration information maintained?
2. Are router configurations documented and authorized by management?
3. Is the configuration creation method defined and documented?
4. Is a history maintained?
5. Are vendor IOS changes maintained?
6. Are fixes and patches implemented?
7. What was the last patch implemented?
8. Are changes validated or tested?
9. Are validations and tests documented?
10. Is the processing power of the router enough, and is there enough memory?
11. Is there a procedure to test and roll out new Cisco updates?
Policy Creation
1. Are NFS, Andrew, or Windows used?
2. How are these protocols controlled? (NTP, SMTP, DNS, DHCP, SNMP, ICMP, LDAP, BGP, HTTP, LPD, UUCPD, TFTP, Windows FTP, RPC, POP, IMAP, NetBIOS on NT, IGMP, RIP, OSPF, EIGRP, Java, NAT, etc.)
3. Policy process questions:
   a. Was a site survey done?
   b. How was needed access to external resources determined?
   c. Is a regular review of security policy needs done?
   d. Is a disaster recovery plan in place that includes the routers?
   e. How were router assets identified and located?
   f. How were the standards created for classifying router policy?
   g. How were threat assessment standards set up?
   h. Who is responsible for security policy enforcement at the Cisco router level?
   i. How were procedure changes evaluated for their impact on business and employees?
4. Are company security policies kept up to date?
5. Are security attack profiles kept up to date?
6. What are the policies related to implementation of new security technologies?
Policy Creation
1. Do written policies exist for router use?
2. Do the router policies define rules of conduct, roles and responsibilities?
3. Do policies define objectives rather than how-tos or ACLs?
4. Do policies cover multiple levels of security depending on the tasks needing to be accomplished?
5. Are services and policies that are not stated as allowed assumed to be denied?
6. Are the network security policies regularly reviewed?
7. Is there a security policy defined for physical damage to the router?
8. Is the cryptographic algorithm described in a policy?
9. Which assets are listed on network policy documents?
10. Are software assets identified with users and user authority?
11. Do policies spell out the asset, control types, and authority to change controls?
12. Who approves the update process? When was the last patch applied?
13. Is it stated exactly who can log in directly to the router?
14. Are standards defined on how to implement policies?
15. Do policies define exactly what assets are protected by the router?
16. Have policies had a legal review by the legal department?
17. Is the person with ultimate authority over router policy named in a policy?
18. Are the network security areas defined in the remainder of the ICQ spelled out in the security policy?
Intrusion Detection Audit and Logging
1. Are logging methods documented?
2. Do alerting and escalation procedures exist?
3. Do the procedures exist for 24-hour operation?
4. Are advanced logging techniques used? (Syslog)
5. What is the media on which logging is archived? (OS)
6. Is Cisco IDS implemented on the local routers?
7. Are personnel trained in the Intrusion Detection System?
8. Does a policy exist for the IDS?
9. Are IDS configurations defined for each router?
10. Who is authorized to deal with router IDS and forensics?
11. Does support documentation exist for operational methods, logging and forensics?
12. How are alerts generated for individual applications reviewed by CBAC?
13. What audit exceptions are investigated, and when?
14. How are the exceptions documented?
15. What events are audited?
16. How long are audit logs kept?
17. What tools are used for audit tests?
18. Are tools regularly used to test security?
19. Is logging configured on exec, commands, connections and system?
20. How often is logging information reviewed?
Intrusion Detection Audit and Logging
1. Are router log updates sent to a separate computer?
2. Is the separate logging computer hardened? (Unnecessary services are disabled.)
3. Is the computer on a trusted network?
4. Is logging matched to security policies?
5. Is logging reviewed on a regular basis? When was the last review done for each router?
6. Are all router configuration changes logged?
7. Are all ACL rule results logged?
8. Is the time control over logging established and redundant?
9. Does your company have an Intrusion Detection System such as Cisco IDS?
10. What features does it have? (Alarm and Display Management, Data Archive, Multiple Level Management, Centralized Configuration Management, Notification Modules, and Security Database)
Password and Access Management
1. Are passwords implemented according to requirements?
2. Is there a minimum size set for passwords, and what is it?
3. Are password changes done according to policy?
4. Are tests done on password strength?
5. What is the process set for initial passwords?
6. Do users share passwords?
7. How are passwords communicated to the user after being set?
8. Is a central access authority used? (RADIUS, TACACS)
9. Is the tacacs-server notify command used to send a message when a user makes a TCP connection, logs out, or enters the enable command?
10. Is extended TACACS configured?
11. How are forgotten passwords dealt with?
12. Do the router administrator(s) understand how to bypass the enable password?
13. Is a browser used for router configuration?
14. Are routers accessed through remote devices? (Dialup, Firewall I)
15. Are exec passwords put on the console and auxiliary ports?
16. Has a login banner been created to discourage inappropriate logins?
17. Is IPsec, Kerberos or SSH used for remote management of the router?
Physical Security
1. Are the routers secured physically?
2. Is access to the area restricted to staff who administer routers?
3. Is the physical location locked and alarmed?
4. If the router is administered remotely, are those devices physically secure?
5. Are alerts issued if entry is made, and are they handled?
6. Is physical security organized so as to prevent overlooked security weaknesses?
7. Is the console port used for access?
8. Is the auxiliary port used for access?
9. Is there standby equipment available nearby?
10. Are the physical ID numbers listed on a document?
Specific Protocol Controls
1. Is telnet used to administer the router?
2. If telnet is used, make sure access is granted to only specific nodes.
3. Is service password-encryption used?
4. Is MD5 encryption used for privileged mode?
5. Is CDP disabled on all interfaces?
6. Is SNMP used for management?
7. If used, have the community access level passwords or community names been changed?
8. Is SNMP version 3 used?
9. Ensure that virtual terminal timeouts are set.
10. If ICMP is used, are these blocked on the Internet interface: echo in both directions, time exceeded, redirect, and unreachable?
11. Are inbound packets addressed to the router or 127.0.0.1 on the internal interface dropped and logged?
12. Is HTTP used to access the router?
13. If appropriate, is the HTTP access command used to authorize access to certain addresses?
14. If DNS is used, only allow DNS traffic to a specific server.
15. Are DNS responses allowed to leave the screened subnet?
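Most of the protocol-control and password questions above are answered by reading the running configuration, so a reviewer usually scripts the first pass. The following Python checker is an added example, not part of the original audit program: it parses a constructed IOS running-config as text and reports the password-encryption, enable secret, CDP, finger, SNMP community, login banner, vty transport and exec-timeout items. Both sample configs, the check names, the treatment of a missing exec-timeout as a finding, and the single-line banner handling are this example's own assumptions.

```python
"""Added example (not from the original audit program): answer several of the
Specific Protocol Controls and Password and Access Management questions by
reading a Cisco IOS running-config. Both configs below are constructed."""

WEAK_CONFIG = """\
! constructed sample, not taken from a real device
hostname edge-rtr
enable password cisco123
service finger
snmp-server community public RO
snmp-server community private RW
banner motd ^C Authorized use only ^C
line con 0
 exec-timeout 0 0
line aux 0
 no exec
line vty 0 4
 transport input telnet ssh
 login local
end
"""

HARDENED_CONFIG = """\
! constructed sample showing the corrected settings (hash is a placeholder)
hostname edge-rtr
service password-encryption
enable secret 5 $1$PLACEHOLDERHASH
no cdp run
no service finger
snmp-server community NotPublic RO 10
banner motd ^C Authorized use only ^C
line con 0
 exec-timeout 5 0
line aux 0
 no exec
line vty 0 4
 exec-timeout 5 0
 transport input ssh
 login local
end
"""


def parse_config(text):
    """Split a config into global commands and per-'line' sub-command blocks.
    Simplification: banners are assumed to fit on one line."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("line "):
            current = raw.strip()
            line_blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, line_blocks


def exec_timeout_ok(cmds):
    """A line passes if exec is disabled or exec-timeout is explicitly non-zero;
    'exec-timeout 0 0' disables the timeout, and a missing command is flagged
    so the auditor verifies it (assumption of this example)."""
    if "no exec" in cmds:
        return True
    for c in cmds:
        if c.startswith("exec-timeout"):
            return any(int(v) > 0 for v in c.split()[1:])
    return False


def audit_config(text):
    """Return {check name: True if the config passes, False if it is a finding}."""
    g, lines = parse_config(text)
    gset = set(g)
    communities = [c.split()[2] for c in g if c.startswith("snmp-server community")]
    vty_cmds = [c for name, cmds in lines.items() if name.startswith("line vty") for c in cmds]
    transports = [c.split()[2:] for c in vty_cmds if c.startswith("transport input")]
    return {
        "service password-encryption set": "service password-encryption" in gset,
        "enable secret (MD5) used for privileged mode": any(c.startswith("enable secret") for c in g),
        "CDP disabled": "no cdp run" in gset,
        "finger disabled": not any(c in ("service finger", "ip finger") for c in g),
        "default SNMP community names changed": not any(n.lower() in ("public", "private") for n in communities),
        "login banner present": any(c.startswith("banner ") for c in g),
        "vty access is SSH only (no telnet)": bool(transports) and all(t == ["ssh"] for t in transports),
        "exec-timeout set on every line": all(exec_timeout_ok(cmds) for cmds in lines.values()),
    }


def findings(text):
    """Names of the checks the config fails, in definition order."""
    return [name for name, ok in audit_config(text).items() if not ok]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, findings(cfg))
```

Run against the weak config it reports seven findings (only the banner check passes); the hardened config reports none. A real review still has to confirm items the text cannot show, such as whether the SNMP community is actually used for management and whether the banner wording meets policy.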
General Audit Questions
1. If CBAC is used, are the inspection rules used to deal with FTP, TFTP, etc.?
2. Are inspection rules applied to the appropriate interface?
3. Is the console line set to time out if a user walks away from a logged-in terminal?
4. Is MD5 encryption used instead of Cisco proprietary encryption?
5. Is RIP and OSPF neighbor authentication used?
6. How is the key distributed?
7. Is a common key used for any group of routers?
8. Are any methods used to increase convergence time in OSPF and RIP? (Increased convergence time being a security value.)
9. Is the distribution-list command used to suppress updates from other routers? (OSPF related to external systems)
Command Examples
COMMAND: EXPLANATION
• service password-encryption: sets password encryption
• no ip finger: disables finger
• no ip source-route: does not allow source routing
• exec-timeout: times out the connection
• no cdp run: turns off CDP
• access-list list-number {deny | permit} protocol source source-wildcard source-qualifiers destination destination-wildcard destination-qualifiers log
(Qualifiers are items that affect the previously listed access-list command, such as the source and destination addresses shown earlier.)
TCP Termination and ACLs
TCP termination is critical to the following Access Control List functions implemented on Cisco routers. The first ACL control type is TCP Intercept:
a. TCP Intercept watches for sessions initiated without an ACK in response to the SYN. If a Cisco router has TCP Intercept set, it watches the ACK-to-SYN relationship and limits the number of requests without an ACK. (This prevents SYN flood denial of service attacks against a server.)
b. It limits the number of unacknowledged sessions to 1100 by default. If it reaches 1100, it removes the oldest session initiation from its table.
c. It waits 5 seconds after the FIN to terminate a session, allowing for a reset.
d. Retransmission timeouts are normally set at one second (then 2, 4, 8, 16, and 32). Under aggressive mode, the timeout is halved to .05 seconds and so on. This is done per one-minute sample period.
e. This is done when Context Based ACLs are inactive.
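The behaviour in items a, b and d is easiest to see as a table of half-open requests with a ceiling. The Python model below is an added example, not from the original slides: it keeps SYNs that have not yet been acknowledged, drops the oldest when the table is full (1100 by default), enters aggressive mode at that point, and halves the doubling retransmission schedule while aggressive. The low watermark at which it leaves aggressive mode is this example's own assumption; the slides give none.

```python
"""Added example, not from the original slides: a model of the half-open
session table that TCP Intercept keeps. The low watermark is assumed."""
from collections import OrderedDict


class TcpIntercept:
    def __init__(self, max_incomplete=1100, low_watermark=None):
        self.max_incomplete = max_incomplete
        # Assumed: leave aggressive mode once the table drains below this.
        self.low_watermark = low_watermark if low_watermark is not None else max_incomplete * 9 // 10
        self.half_open = OrderedDict()   # (src, sport, dst, dport) -> time the SYN was seen
        self.established = set()
        self.dropped = 0
        self.aggressive = False

    def syn(self, key, now):
        """A client SYN arrives: record the request until the client's ACK
        completes it. At the ceiling the oldest initiation is discarded."""
        if key in self.half_open or key in self.established:
            return
        if len(self.half_open) >= self.max_incomplete:
            self.aggressive = True
            self.half_open.popitem(last=False)      # oldest initiation goes
            self.dropped += 1
        self.half_open[key] = now

    def ack(self, key, now):
        """The client's ACK: True if it completes a request still in the table."""
        if key not in self.half_open:
            return False
        del self.half_open[key]
        self.established.add(key)
        if self.aggressive and len(self.half_open) < self.low_watermark:
            self.aggressive = False
        return True

    def retransmit_schedule(self):
        """Seconds between retransmissions to the client: 1 s doubling to 32 s,
        each value halved while in aggressive mode."""
        base = 0.5 if self.aggressive else 1.0
        return [base * 2 ** i for i in range(6)]


if __name__ == "__main__":
    t = TcpIntercept(max_incomplete=5, low_watermark=3)   # small ceiling for the demo
    for i in range(7):
        t.syn(("198.51.100.%d" % i, 1024 + i, "192.0.2.10", 80), now=i)
    print(len(t.half_open), t.dropped, t.aggressive, t.retransmit_schedule())
```

With a ceiling of 5 and seven SYNs, two requests are dropped and the router is in aggressive mode; a late ACK for a dropped request no longer completes anything, which is the cost a legitimate but slow client pays during a flood.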
TCP Termination and ACLs
TCP termination is critical to the following Access Control List functions implemented on Cisco routers. The second ACL control type is Reflexive Access Lists:
a. Based upon a session request from a trusted network, the router waits for the return packets with the appropriate information swapped.
b. Reflexive Access Lists base the access through a router on a session basis. This ACL type operates on TCP outbound upper-layer session information. Based upon whether the Acknowledge or Reset bits are on, the ACL determines if a packet is the first packet of a session. It also checks additional session information such as port and network address when establishing a session-related temporary access list that will be removed at the end of the session.
Lock and Key ACLs
1. Lock and Key access lists allow temporary access through the firewall after the user is authenticated by a name and password.
2. A telnet session initiates the temporary access through a router.
3. After the temporary access is terminated, regular standard and static extended ACLs are used.
4. It does not work with multi-channel applications such as FTP.
5. It limits the window of opportunity for break-ins by hackers.
Context Based ACLs
1. The capability is available in the Cisco IOS Firewall feature set.
2. It creates temporary entries in the appropriate interface when a session is initiated from a trusted network.
3. It inspects control information on the control channels of TCP multi-channel applications, such as File Transfer Protocol and H.323.
4. It does work with UDP sessions, but must approximate the session state information, unlike the TCP state information that is held in a Transmission Control Block.
5. Temporary sessions mean limits on open access and removal of ACL entries at the end of a session.
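Reflexive access lists and CBAC share one mechanism, the session-based temporary entry, so a single model covers both the Reflexive Access Lists text and the CBAC list above. The Python below is an added example, not from the original slides: an outbound first packet from the trusted network (SYN without ACK or RST) installs an entry with source and destination swapped, return traffic is admitted only while that entry exists, FIN or RST removes it, and a UDP session, which has no Transmission Control Block to consult, is approximated by an idle timeout. The timeout value, the trusted prefix and the packets are this example's own choices; inspection of multi-channel control data (FTP, H.323) is not modelled.

```python
"""Added example, not from the original slides: session-based temporary
entries as created by reflexive ACLs and CBAC. Values are constructed."""
import ipaddress


class SessionAcl:
    def __init__(self, trusted_net, udp_idle_timeout=30.0):
        self.trusted = ipaddress.ip_network(trusted_net)
        self.udp_idle_timeout = udp_idle_timeout          # assumed value
        self.temp = {}   # (proto, remote, rport, local, lport) -> last time seen

    @staticmethod
    def _first_packet(proto, flags):
        # A TCP session starts with SYN alone; ACK or RST set means mid-session.
        return proto != "tcp" or ("SYN" in flags and not flags & {"ACK", "RST"})

    def outbound(self, proto, src, sport, dst, dport, now, flags=frozenset()):
        """Packet leaving the trusted network; True if it is forwarded.
        A first packet installs the swapped entry; later packets of a known
        session refresh it; anything else is not forwarded."""
        if ipaddress.ip_address(src) not in self.trusted:
            return False
        key = (proto, dst, dport, src, sport)           # swapped for the return path
        if self._first_packet(proto, flags) or key in self.temp:
            self.temp[key] = now
            return True
        return False

    def inbound(self, proto, src, sport, dst, dport, now, flags=frozenset()):
        """Packet from outside; admitted only if a matching temporary entry exists."""
        key = (proto, src, sport, dst, dport)
        if key not in self.temp:
            return False
        if proto == "udp" and now - self.temp[key] > self.udp_idle_timeout:
            del self.temp[key]                          # approximated UDP session expired
            return False
        if flags & {"FIN", "RST"}:
            del self.temp[key]                          # session end removes the entry
        else:
            self.temp[key] = now
        return True


if __name__ == "__main__":
    acl = SessionAcl("10.0.0.0/8")
    acl.outbound("tcp", "10.0.0.5", 40000, "203.0.113.9", 443, now=0, flags={"SYN"})
    print(acl.inbound("tcp", "203.0.113.9", 443, "10.0.0.5", 40000, now=1, flags={"SYN", "ACK"}))
    print(acl.inbound("tcp", "203.0.113.9", 443, "10.0.0.5", 40001, now=1, flags={"SYN", "ACK"}))
```

The second inbound call is refused because only the port differs from the recorded session, which is the "additional session information such as port and network address" check; an unsolicited inbound SYN-ACK that matches no entry is refused the same way.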