Cisco Router Security Overview

by The Editor [Published on 16 Oct. 2002 / Last Updated on 23 Jan. 2013]

Informative paper including Cisco IOS bugs and patches.


This overview, whilst still valid, is a little dated (Feb 99); I will try to update it if I ever get a minute. I wrote it to assist security auditors when coming across a router. Use this as a guide only, and ensure you use Cisco documentation before carrying out any actions!

Introduction

Gaining Access

Router And Network Configuration

Access Lists

Denial Of Service Attack Prevention

Reducing Information Leakage

Routing Protocols

Novell IPX Security Issues

IOS Vulnerabilities

How-To: Password Encryption

How-To: Password Override

How-To: Stop Smurfs

How-To: Not Initiate Smurf Attacks

Cisco Warranty

IOS Upgrade

View Mode

Cisco Support

Bibliography

INTRODUCTION

Introduction. A router is a device for connecting subnetworks. It operates at the Network layer (layer 3) of the OSI seven-layer model, although extended access lists also inspect Transport-layer (TCP/UDP) headers. This checksheet does not cover AppleTalk or DECnet.

GAINING ACCESS

Physical Protection.

  • Console port. Allows connection of a terminal (e.g. HyperTerminal) via an RS-232 serial cable (a rollover or null-modem cable, depending on the model) into the back of the router. This is the most secure form of connection because it requires physical presence.

  • If physical access to the router is readily available, consider the router compromised: access can be gained by resetting the password from the console. DO NOT DO THIS UNLESS REQUESTED TO DO SO, AND ONLY AS A LAST RESORT !!! This method of entry is described in the HOW-TO: Password Override at the end of this checksheet.

Telnet. Virtual terminal access (Telnet, rlogin, LAT etc.)

  • Try to Telnet to the router. If you receive a password prompt, DO NOT ATTEMPT TO GUESS IT USING LONG PASSWORDS, as this may crash 7xx series routers running IOS/700. See the IOS Vulnerabilities section.

  • Try the password "netman" (default).

  • If this is successful, type "enable" and try the default enable password "cisco".

  • If this is unsuccessful, sniff the segment whilst the network manager logs in and demonstrate to him that you have his password: Telnet passes passwords in clear. Alternatively, if he is already aware of this Telnet weakness, ask him for the login and enable passwords. See Access Lists for details on how to restrict Telnet access to the router with an access class on the vty lines.

Note: Cisco passwords are case sensitive.

Auxiliary port. Typically used to connect to the telephone network via a modem, and therefore open to external access !! If there is no security on this link other than the obscurity of the telephone number, consider it compromised. The line should require a password ("login"), and where the link runs PPP, CHAP authentication can be applied.

TFTP. Trivial File Transfer Protocol. As the name "trivial" implies, this is not secure: there is no user or host authentication, it has several known security holes, and it runs over UDP, so requests are easily spoofed.

  • If a TFTP server is not configured correctly, attackers can read and modify any configuration or IOS image due to be downloaded to a router. IDENTIFY THE TFTP SERVER AND CHECK IT. See the UNIX tftpd man page for configuration guidelines (in particular, restrict the server to a single directory and make the files read-only). Bear in mind that a configuration saved to a TFTP server travels in clear and contains the router's passwords.

  • If security measures are in place to cover the above vulnerabilities, then we are off to a good start. However, we still need to check the router's configuration to ensure that measures are being taken to reduce the risk of it being subverted by other means.

    ROUTER AND NETWORK CONFIGURATION

    NOTE: If you are at all uncertain about what you are doing, ask the System/Network Manager to carry out the following steps.

    Get a copy of the running configuration ("show running-config" from enable mode; "write terminal" on older IOS). Most of the information required can be derived from this file, though it is easier to go through it piecemeal as follows:

    PASSWORDS

    Assess the strength of the passwords. If they are stored in clear, look for the defaults "netman" and "cisco". If they are not encrypted, recommend that they are (see the HOW-TO guide at the back). Also recommend "enable secret" in preference to "enable password": the former is stored as an MD5 hash (type 5), whereas the latter, even after "service password-encryption", is only reversibly obscured (type 7) and is trivially recovered by anyone who can read the configuration.

    Challenge Handshake Authentication Protocol (CHAP)

    CHAP can be used to authenticate dial-up and point-to-point connections without sending the password in clear: the peer proves knowledge of the shared secret by answering a random challenge, so a sniffer sees only the challenge and the response. On Cisco routers it applies to PPP connections:

    PPP :- ensure CHAP is selected and not PAP (PAP sends the password in clear).

    Where applicable CHAP should be enabled, though there is a performance penalty.

    CHAP secrets should be encrypted in the configuration. Note that "service password-encryption" can only obscure them (type 7), because the router needs the plaintext secret to compute the CHAP response; protecting the configuration file itself therefore still matters.

    ROUTER USAGE

    What is the router being used for? This gives some indication of how tightly the router should be tied down.

    Firewall. Not ideally suited: a router filters on OSI layer 3 and 4 headers (addresses, protocol, ports) and cannot inspect application data or track connection state beyond the "established" flag check.

    Standard Routing.

    Border router.

    Screening Router.

    Transparent Bridging. Forwarding non-routable protocols, e.g. NetBEUI.

    Note: unless the spanning tree algorithm is used, bridges cannot tolerate loops.

    Enter the router, and then enable mode, giving the relevant passwords.

    ROUTER TYPE

    Once we know the router type, it gives us an indication of its usage.

    Type "show version"

    The router replies (line numbers added for reference):

    1 Cisco Internetwork Operating System Software

    2 IOS (tm) 3000 Software (IGS-IN-L), Version 11.1(3), RELEASE SOFTWARE (FC2)

    3 Copyright (c) 1986-1996 by Cisco Systems, Inc.

    4 Compiled Tue 14-May-96 02:46 by mkamson

    5 Image text-base; 0x03022424, data-base: 0x00001000

    6 ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE

    7 ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)

    8 "router_name" uptime is 6 weeks, 1 day, 7 hours, 4 minutes

    9 System restarted by power-on

    10 System image file is "flash:igs-in-l.111-3", booted via flash

    11 Cisco 2500 (68030) processor (revision L) with 2048K/2048K bytes of memory.

    12 Processor board ID 03019539, with hardware revision 00000000

    13 Bridging software

    14 Software, Version 2.0, NET2, BFE and GOSIP compliant.

    15  Basic Rate ISDN software, Version 1.0.

    16 1 Ethernet/IEEE 802.3 interface.

    17 1 ISDN Basic Rate interface.

    18 32K bytes of non-volatile configuration memory

    19 8192K bytes of processor board System flash (Read ONLY)

    20 Configuration register is 0x2102

    NOTE: the above varies with the model and role of the router.

    Line 2. Check the revision level of the IOS.

    Internetwork Operating System (IOS) revision levels are written major.minor(maintenance), i.e. 11.2(7) = major revision 11, minor revision 2, maintenance release 7. A trailing letter (e.g. 11.1CC, 11.3T) denotes a special release train.

    Latest version as at Feb 99 is 12.0.

    Check for known vulnerabilities for the IOS (see IOS Vulnerabilities).

    Line 6. Check version of bootstrap ROM. Check for

    Line 7. Check the version of the boot image (IGS-RXBOOT); this is normally a few versions behind the IOS.

    Line 8. Check router uptime. If the uptime is low, ask why.

    Line 9. Check the reason for the last restart. Does this raise any suspicions? ("power-on" is normal; a bus error, or a reload by a user nobody recognises, is not.)

    Line 11. What family of Cisco router is it? (e.g. 2500, 4000, 7000)

    Corporate level. Core or enterprise router: top of the range 7000 series.

    Departmental level. Distribution router: mid range 4000 series.

    Workgroup or remote access level. Access router: 2500, 1000 and 700 series.

    Line 20. Note the configuration register. 0x2102 is the normal setting; 0x2142 (or 0x42) means the router ignored its startup configuration on the last boot, which is what the password override procedure at the end of this checksheet relies on.

      

    ROUTER CONNECTIONS

    We need to take a look at which interfaces on the router are connected to what:

    Type "show interfaces" (and "show ip interface", which lists the inbound and outbound access lists applied to each interface). Serial interfaces tend to be connections to WANs and Ethernet interfaces tend to be connected to LANs, though this is a rule of thumb only. Token Ring is not covered yet. As 4000 and 7000 routers are modular there may be more than the four interfaces listed below; repeat the relevant block for each additional interface.

    Ethernet 0 (and Ethernet 1, ...):

      • Access groups in use IN

      • Access groups in use OUT

      • "no ip directed-broadcast" set? (smurf amplification, see Denial Of Service Attack Prevention)

    Serial 0 (and Serial 1, ...):

      • Encapsulation = HDLC, PPP, Frame Relay etc. PPP is stronger than HDLC when authentication (CHAP) is enabled; HDLC has no authentication at all.

      • Access groups in use IN

      • Access groups in use OUT

    Note: access lists are covered in more detail later; for now we need to know to which links they are applied.

    VISIBILITY OF OTHER ROUTERS

    To see the router's direct neighbours enter the command "show cdp neighbors detail". This tells us about neighbouring Cisco devices: their type, their addresses and, from the attacker's perspective, the IOS version being run and therefore the vulnerabilities therein. CDP announcements are multicast in clear on every interface, so anyone on the segment learns the same. Disable it globally with "no cdp run", or per interface with "no cdp enable" on links facing untrusted networks; neither has a meaningful performance cost.
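The configuration checks in this section (clear-text or type 7 passwords, no "enable secret", CDP left running, default or unrestricted SNMP communities, directed broadcasts and missing access groups per interface, vty lines without an access class) can be run mechanically over a saved "show running-config". The following Python script is an added example and is not part of the original checksheet or any Cisco tool; the configuration it audits is constructed for the example, and the severities are the author's own judgement.

```python
"""Audit a saved Cisco IOS 'show running-config' for the checks in this
checksheet.  Added example, not Cisco code: every check is a plain regex or
string test over configuration lines.  SAMPLE_CONFIG is constructed."""
import re

SAMPLE_CONFIG = """\
version 11.1
hostname border1
enable password letmein
!
interface Ethernet0
 ip address 172.16.192.1 255.255.255.0
 ip access-group 110 in
!
interface Ethernet1
 ip address 172.16.193.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 ip address 192.0.2.2 255.255.255.252
 encapsulation hdlc
!
snmp-server community public RO
snmp-server community s3cret RW 20
line vty 0 4
 password 7 0822455D0A16
 login
!
"""

def parse_interfaces(config):
    """Return {interface_name: [indented sub-lines]} from 'interface' blocks."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or another global command ends the block
    return interfaces

def audit(config):
    """Return a list of (severity, finding) tuples for the configuration text."""
    findings = []
    if "service password-encryption" not in config:
        findings.append(("medium", "service password-encryption not set: line passwords stored in clear"))
    if not re.search(r"^enable secret ", config, re.M):
        findings.append(("high", "no enable secret (MD5); enable password is clear or reversible type 7"))
    for m in re.finditer(r"^[ \t]*password 7 (\S+)", config, re.M):
        findings.append(("medium", f"type 7 (reversible) password present: {m.group(1)}"))
    if not re.search(r"^no cdp run", config, re.M):
        findings.append(("low", "CDP enabled globally: neighbours learn platform and IOS version"))
    for m in re.finditer(r"^snmp-server community (\S+) (RO|RW)(?: (\d+))?", config, re.M):
        community, mode, acl = m.groups()
        if community.lower() in ("public", "private"):
            findings.append(("high", f"default SNMP community '{community}' ({mode})"))
        if acl is None:
            findings.append(("medium", f"SNMP community '{community}' ({mode}) has no access-list"))
    for name, lines in parse_interfaces(config).items():
        if "no ip directed-broadcast" not in lines:
            findings.append(("medium", f"{name}: ip directed-broadcast not disabled (smurf amplifier)"))
        if not any(l.startswith("ip access-group") for l in lines):
            findings.append(("low", f"{name}: no access-group applied"))
    # vty lines: an access-class is what limits who may even reach the login prompt
    vty = re.search(r"^line vty 0 4\n((?: .*\n)+)", config, re.M)
    if vty and "access-class" not in vty.group(1):
        findings.append(("high", "line vty 0 4: no access-class; any reachable host may attempt login"))
    return findings

if __name__ == "__main__":
    for severity, text in audit(SAMPLE_CONFIG):
        print(f"[{severity:6}] {text}")
```

Run it against the output of "show running-config" saved to a file; it deliberately does not flag the "s3cret" read-write community because that one is restricted by access list 20, which is the configuration this checksheet recommends.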

    ACCESS LISTS

    As soon as a non-empty access list is applied to an interface, an implicit "deny all" takes effect at the end of the list: the only way to allow traffic through is to permit explicitly the traffic you want. (An access group that refers to a list with no entries permits everything, so check that every referenced list actually exists.) Conversely, an explicit "permit any" entry bypasses the implicit deny and also shadows every entry after it, which is never reached. Therefore if a "permit any" (or "permit ip any any") is present, ask why.

    The access list is processed by the router one entry at a time, from the top down, and processing stops at the first match.

    New entries are added to the end of a numbered access list. This affects the processing order: an entry placed after a broader match is never reached.

    Inbound vs outbound. Note that by default ("ip access-group N" with no direction) an access list is applied outbound. The more secure solution is to apply the access list inbound, for three reasons:

      • The router can protect itself before damage is inflicted (an outbound list never sees traffic addressed to the router itself).

      • The input interface is still known, and can be filtered upon.

      • It is more efficient to filter packets before routing them.

    Types of access list. Cisco has several types of access control list, distinguished from each other by their identifier:

    ACL identifier range   ACL type       Filtering based on
    1-99                   IP Standard    source IP address
    100-199                IP Extended    IP protocol, source and destination address, TCP/UDP port information
    800-899                IPX Standard   IPX network number
    900-999                IPX Extended   IPX protocol type and socket
    1000-1099              IPX SAP        NetWare service type

    ACL Address Masks. Cisco access lists use a wildcard ("inverse") mask: a 0 bit means that bit of the address must match, a 1 bit means "don't care", the opposite of a subnet mask. e.g.:

    161.43.25.5 0.0.0.0          whole address must match (equivalent to "host 161.43.25.5").

    161.43.0.0 0.0.255.255       only the first two octets must match (161.43.0.0/16).

    0.0.0.0 255.255.255.255      matches everything (equivalent to "any").

    General Format of ACL Entries.

    IP Standard.

    access-list <1-99> {permit | deny} {<source IP address> <wildcard mask> | host <source IP address> | any}

    Example coming

    IP Extended.

    access-list <100-199> {permit | deny} <protocol> {<source IP address> <wildcard mask> | host <source> | any} {<destination IP address> <wildcard mask> | host <destination> | any} [protocol specifics]

    <protocol> is ip, tcp, udp, icmp etc. The protocol specifics are an optional port test for TCP/UDP ("eq", "gt", "lt" or "range" followed by a port number or name), an ICMP type for icmp, the "established" keyword for TCP, and "log".

    Example Coming

    Assigned port numbers can be found at www.iana.org

    TCP entries can carry the keyword "established", which matches only segments with the ACK or RST bit set, i.e. packets answering connections opened from the inside; a bare SYN arriving from outside does not match. It is a check on the TCP flags only, not connection tracking. See the "Cisco-acl-established" entry in IOS Vulnerabilities for releases in which this check could be circumvented.

    Example of access list 10 being applied inbound on interface Ethernet 0:

    interface Ethernet0
     ip access-group 10 in
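The rules described above (top-down first match, the implicit deny, wildcard masks, how a "permit ip any any" shadows everything after it, and what "established" really tests) are easier to reason about when you can replay a packet through a list. The following Python model is an added example and is not Cisco code; it handles only the subset of the access-list syntax shown on this page (standard and extended IP lists, "host"/"any", "eq" with a numeric port or one of a few names, "established"), and the access lists and packets in it are constructed for the example. The egress list is the same shape as the one in HOW-TO: Not Initiate Smurf Attacks.

```python
"""Replay packets through a numbered IOS access list the way the router does:
top down, first match wins, implicit deny at the end, wildcard (inverse)
masks, and the TCP 'established' keyword.  Added illustration, not Cisco
code; lists and packets below are constructed for the example."""
import ipaddress

PORT_NAMES = {"telnet": 23, "smtp": 25, "domain": 53, "www": 80}  # subset only

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bit = must match, 1 bit = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _addr(tok, i):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' entry (standard or extended)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line}")
    ace = {"number": int(tok[1]), "action": tok[2], "port": None, "established": False}
    i = 3
    if ace["number"] <= 99:                  # standard list: source address only
        ace["proto"] = "ip"
        ace["src"], i = _addr(tok, i)
        ace["dst"] = ("0.0.0.0", "255.255.255.255")
    else:                                    # extended list
        ace["proto"] = tok[i]
        ace["src"], i = _addr(tok, i + 1)
        ace["dst"], i = _addr(tok, i)
    while i < len(tok):                      # protocol specifics
        if tok[i] == "eq":
            p = tok[i + 1]
            ace["port"] = int(p) if p.isdigit() else PORT_NAMES[p]
            i += 2
        elif tok[i] == "established":
            ace["established"] = True
            i += 1
        else:
            i += 1                           # 'log' and friends are not modelled
    return ace

def evaluate(acl, pkt):
    """Return (action, matching entry or 'implicit deny') for a packet dict
    with keys proto, src, dst and optionally dport, ack, rst."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["port"] is not None and pkt.get("dport") != ace["port"]:
            continue
        # 'established' = ACK or RST set, i.e. a reply to a session opened from
        # inside.  A fresh SYN from outside does not match; nothing is tracked.
        if ace["established"] and not (pkt.get("ack") or pkt.get("rst")):
            continue
        return ace["action"], line
    return "deny", "implicit deny"

# Constructed inbound list for the WAN side of a 172.16.192.0/24 LAN.
INBOUND = [
    "access-list 110 permit tcp any 172.16.192.0 0.0.0.255 established",
    "access-list 110 permit tcp any host 172.16.192.25 eq smtp",
]
# Constructed egress (anti-spoof) list: only our own source addresses may leave.
EGRESS = ["access-list 120 permit ip 172.16.192.0 0.0.0.255 any"]
# A 'permit ip any any' at the top shadows every entry after it.
SHADOWED = ["access-list 130 permit ip any any",
            "access-list 130 deny tcp any any eq telnet"]

REPLY = {"proto": "tcp", "src": "198.51.100.7", "dst": "172.16.192.10", "dport": 1025, "ack": True}
TELNET_SYN = {"proto": "tcp", "src": "198.51.100.7", "dst": "172.16.192.10", "dport": 23}
SMTP_SYN = {"proto": "tcp", "src": "198.51.100.7", "dst": "172.16.192.25", "dport": 25}
SPOOFED = {"proto": "icmp", "src": "10.0.0.1", "dst": "192.0.2.255"}

if __name__ == "__main__":
    for name, acl, pkt in [("reply", INBOUND, REPLY), ("telnet syn", INBOUND, TELNET_SYN),
                           ("smtp syn", INBOUND, SMTP_SYN), ("spoofed", EGRESS, SPOOFED),
                           ("shadowed", SHADOWED, TELNET_SYN)]:
        print(f"{name:10} -> {evaluate(acl, pkt)}")
```

The Telnet SYN is dropped by the implicit deny even though the first entry permits "tcp any" to the LAN, because that entry requires ACK or RST; the spoofed packet never matches the egress list's single permit; and in the shadowed list the deny on Telnet is unreachable.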

    Controlling Telnet (vty) Access.

    Routers have five vtys (0 to 4) by default, and the access class must be applied to all of them. Enterprise feature software can increase the number of vtys; if so, cover those lines too.

    Only those IP addresses with a need to Telnet to the router should be permitted access.

    R???# configure terminal

    R???(config)# access-list <100-199> permit tcp host <management station IP address> host <relevant interface IP address> eq telnet

    R???(config)# line vty 0 4

    R???(config-line)# access-class <100-199> in

    (A standard list containing just the permitted source addresses works equally well with "access-class".) It is still possible to spoof IP addresses, and the passwords remain susceptible to sniffing, so this is a reduction of exposure rather than a fix; also set an "exec-timeout" on the lines so idle sessions are closed.

    IPX Standard.

    access-list <800-899> {permit | deny} <source network>[.node] <destination network>[.node]

    (-1 means any network.) As with IP lists there is an implicit deny at the end, so a list that only denies must end with a permit.

    Example: to prevent any traffic from network 3ad reaching network 4bc while still passing everything else:

    access-list 810 deny 3ad 4bc

    access-list 810 permit -1 -1

    interface ethernet 0

    ipx access-group 810 in

    IPX Extended.

    access-list <900-999> {permit | deny} <protocol> <source network>[.node] [<source socket>] <destination network>[.node] [<destination socket>]

    <protocol> is an IPX protocol type number (or -1 for any), and the sockets are IPX socket numbers; the general format mirrors the IP extended list but on IPX addresses.

    Example Coming

    Packet Filtering at the IP Layer.

    TO FOLLOW

    Packet Filtering at the Transport Layer.

    TO FOLLOW

    DENIAL OF SERVICE ATTACK PREVENTION

    Defending Against Smurfs.

    Attack Overview. The attacker sends large quantities of ICMP echo requests to the broadcast address of an intermediary network, with the victim's address as the spoofed source. Every host on that network replies to the victim, multiplying the attacker's bandwidth.

    Victim Protection. Filter inbound ICMP echo replies at the border ("deny icmp any any echo-reply"); an extended ACL is granular enough to still permit redirects and unreachables.

    Avoid Being an Attack Amplifier. IOS releases before 12.0 forward directed broadcasts by default (12.0 and later default to "no ip directed-broadcast", but check each interface rather than assume). On any non point-to-point link, and certainly on any LAN segment with more than a handful of hosts, directed broadcasts should be disabled. See HOW-TO: Stop Smurfs.

    Avoid Your Site Generating The Attack. An outbound ACL on the external interface can prevent packets with a source address other than your own from leaving the network (egress filtering). See HOW-TO: Not Initiate Smurf Attacks.

    Simple Network Management Protocol. SNMP provides the network manager with a great deal of control over the router. However, the only authentication in SNMPv1 is the community string, which travels in clear with every request, and many devices ship with "public" (read) and "private" (write) communities. An attacker holding a read-write community can rewrite the configuration or bring the network to its knees. Check every "snmp-server community" line: remove read-write access where it is not essential, use non-default strings, and restrict each community to the management stations with a standard access list ("snmp-server community <string> RO <acl>").

    Further details on SNMP to follow, on how to filter it with ACLs and how to configure the router to limit SNMP's power.

    IOS Vulnerabilities. Denial of service vulnerabilities in Cisco IOS are listed towards the rear of this checksheet; new ones should also be sought in CERT advisories and vulnerability databases such as ISS X-Force.

    REDUCING INFORMATION LEAKAGE

    Redistribution. Redistribution is the transfer of routing information between different routing protocols. Every redistribution point is a place where routes learned from a less trusted protocol can leak into a more trusted one, so each should be justified and, where possible, constrained with a "distribute-list".

    MORE TO FOLLOW

    Passive Interface. A passive interface does not send routing updates on that interface (for OSPF and EIGRP it also stops hellos, so no neighbour relationship can form). Note that for RIP and IGRP the router still listens to and processes updates received on a passive interface, so on its own this does not prevent a spoofed update; it does let you "hide" portions of a network from the routers on that link. Combine it with authentication (where the protocol supports it) or a "distribute-list" to protect the routing table. Set it using the following:

    router rip          (or: router igrp <AS number>)

    passive-interface serial 0

    ROUTING PROTOCOLS

    Routing can be set up differently on each interface to suit the distant end. Routes can be static (more secure) or learned dynamically by a routing protocol, which adjusts them around network failures. Some routing protocols (RIPv2, OSPF, EIGRP and BGP) support authentication of routing updates, but it is not on by default and must be configured !

    Does the router use static or dynamic routing?

    Static routing means that routes to other networks are set in concrete, and packets to those networks cannot be diverted by a forged update. However, when a link fails, an alternate path has to be set manually. Therefore dynamic routing can be preferable, since it re-routes packets upon failure of a link.

    The two main routing protocols in use within a network are RIP and OSPF; they are known as Interior Gateway Protocols. Where more than one autonomous system is involved, an Exterior Gateway Protocol is used to communicate between them.

    The potential security weakness of most routing protocols is that an attacker can introduce counterfeit routing packets and persuade the target network to route IP packets through a network under the attacker's control. This allows the attacker to hijack IP packets, leading to loss of confidentiality and integrity and to denial of service. The strengths and weaknesses of the individual protocols are discussed below.

    Dynamic routing.

    Broken down further into Simple Distance Vector, Enhanced Distance Vector and Link State.

    Simple Distance Vector.

    IP and IPX RIP. An attacker can make their network appear to be the shortest distance away; this information is then disseminated throughout the network. An attacker can also send counterfeit routing packets, fooling routers into believing that various routers are unavailable. RIP (version 1) has no authentication at all and is considered the weakest with regard to security. Countermeasures: configure screening routers so that only certain routes can legally appear on a given link (prevent internal hosts routing via an external router). Ideally the inner screening router should be hidden behind the bastion host so that it cannot be advertised as unavailable.

    RIPv2. As per RIP but with optional authentication: either a plaintext password, which is trivially sniffed, or on Cisco a keyed MD5 hash configured through a key chain, which is the one worth using.

    EGP. No support for authentication and therefore easily subverted, causing false routes to be advertised and leading to eavesdropping and denial of service. Countermeasure: whilst a firewall cannot prevent this happening, use the inner screening router to prevent internal traffic from being routed outside the network.

    Enhanced Distance Vector.

    Interior Gateway Routing Protocol (IGRP). Cisco proprietary; no support for authentication.

    BGP. Strictly a path-vector protocol. As per EGP, except that its use of TCP as the transport makes it harder to inject routes once a session is established (the attacker must hit the sequence numbers), and TCP MD5 authentication of the session can be enabled ("neighbor <address> password <secret>"), which should be done with every peer.

    Enhanced Interior Gateway Routing Protocol (EIGRP). Cisco proprietary; supports MD5 authentication of updates.

    Link State.

    NLSP. Novell's link-state protocol for IPX.

    OSPF. Stronger than RIP. RFC 2328 defines three authentication types: none, simple password (sent in clear, so still prone to sniffing) and cryptographic, a keyed MD5 hash over each packet with a sequence number against replay. Without authentication, or with the simple password, OSPF remains open to route injection and denial of service. Countermeasures: as for RIP (configure screening routers so that only certain routes can legally appear on a given link, and hide the inner screening router behind the bastion host), plus enable MD5 authentication on all OSPF interfaces and areas.

    NOVELL IPX SECURITY ISSUES

    Novell networks may rely on IPX as their networking protocol. Note that no interaction is possible between IPX RIP and IP RIP. A Cisco router can run a different protocol on each interface, making it a gateway.

    GNS replies. To ensure that a client never gets a connection to a server on a remote LAN via this router's Get Nearest Server reply, set the following on the interface:

    ipx gns-reply-disable

    DECnet / Novell problem: if using both DECnet and Novell on the same router, configure all DECnet functions first, or DECnet will change the interface MAC address (DECnet derives the MAC address from the node address) from under the Novell clients.

    SAP Filters. Novell print service SAP advertisements should be filtered so that they are not propagated outside the local LAN.

    Use an IPX SAP access list (1000-1099) to filter on either server name or SAP type number, applied to the interface with "ipx input-sap-filter" or "ipx output-sap-filter".

    IOS VULNERABILITIES

    Cisco-7xxcrash (reported Dec 97)

    Cisco 7xx routers running IOS/700 may crash when a very long password is entered at the login prompt.

    Fix = IOS/700 later than 4.2(1).

    Default-netranger (reported Jun 98)

    NetRanger IDS default account: Cisco's intrusion detection product ships with an account whose login and password are both "netrangr".

    Fix = change the default login and password.

    Cisco-acl-leakage (reported Nov 98)

    Cisco 70xx and 75xx running IOS 11.1, 11.2 and 11.3, and 75xx and 72xx running 11.1CC and 11.1CT: IP datagrams can be output to network interfaces even though an access control list filters them. Applies only to routers configured for Distributed Fast Switching (DFS).

    Fix = disable DFS with the command "no ip route-cache distributed". Caution: this workaround can overload the primary CPU !!

    Cisco-acl-established (reported Sep 98)

    Cisco IOS up to 10.3: packets may circumvent a filtering router where the "established" keyword is employed.

    Fix = upgrade to 10.0(10), 10.2(6) or 10.3(3). As a temporary measure, rewrite the access control list to make the "established" keyword unnecessary.

    Cisco-ios-aaa-auth (reported Sep 98)

    Cisco IOS 11.3(1.2) and 11.3(1.2)T: any user or attacker can issue system commands that would normally be unavailable, or make connections/send packets to destinations they would not normally be able to reach.

    Fix = upgrade IOS.

    Cisco-acl-tacacs (reported Sep 98)

    Cisco IOS 10.3 with the "tacacs-ds" or "tacacs" keyword in extended IP ACLs may allow unauthorised network traffic to circumvent a filtering router.

    Fix = upgrade IOS to 10.3(4.3) or later.

    Cisco-CHAP (reported Oct 97)

    Cisco IOS earlier than 10.3(19a), 11.0(17), 11.1(14), 11.2(4)F1 or 11.2(8), and IOS/700, using PPP may allow an attacker to obtain a PPP connection without a password. If the keywords "ppp" and "chap" do not both appear in the configuration, the router is NOT vulnerable.

    Fix = upgrade the IOS to at least the releases mentioned above.

    Cisco-land (reported Sep 98)

    Cisco IOS 10.3 to 11.2 may be vulnerable to the TCP/IP "Land" denial of service attack. The exploit initiates a TCP connection giving the target host's address as both source and destination address, with the same port specified on both.

    Cisco-sourceroute (reported Feb 93)

    Cisco IOS earlier than 8.3(7.2), 9.0(5), 9.1(4) or 9.17(2.1): source-routed packets that should have been denied may be passed. Source routing should in any case be disabled with "no ip source-route".

    Fix = upgrade IOS to the above or higher.

    Cisco-ios-crash (reported Sep 98)

    Cisco IOS 9.1 to 10.3: a connection to the login prompt from a virtual terminal can cause the router to crash. No login is necessary.

    Fix = upgrade the IOS.

    HOW-TO: PASSWORD ENCRYPTION

    To encrypt the passwords, suggest that the Network Manager enter the following:

    configure terminal

    service password-encryption

    exit

    copy running-config startup-config

    This obscures the line, vty and "enable password" passwords as type 7 strings, which are reversible: the scheme hides a password from someone glancing at the screen, not from anyone who can read the configuration file. For the enable password use "enable secret", which is stored as an MD5 hash (type 5), and treat any configuration copy (TFTP server, backups) as sensitive.

    NOTE: The above should only be used as a guide; refer to Cisco documentation before making any adjustments, as syntax may vary between IOS versions.
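To show why "service password-encryption" is obscurity rather than protection, the following Python is an added example (not Cisco code, not from the original checksheet) that implements the widely published type 7 algorithm: the first two decimal digits of the string select a starting offset into a fixed key, and each following pair of hex digits is one password byte XORed with the next key byte. The sample string 0822455D0A16 is the commonly cited encoding of "cisco"; the other plaintexts are made up for the example.

```python
"""Cisco 'type 7' password obfuscation, the scheme behind
'service password-encryption'.  Added example, not Cisco code: it shows that
type 7 can be reversed by anyone holding the configuration file."""
import string

# Fixed, well-known key used by IOS for type 7 strings.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def type7_decode(encoded):
    """Decode a type 7 string, e.g. '0822455D0A16' -> 'cisco'.
    First two decimal digits: offset into TYPE7_KEY.  Each later pair of hex
    digits: one password byte XORed with the key byte at offset + position."""
    if (len(encoded) < 2 or len(encoded) % 2
            or not all(c in string.hexdigits for c in encoded)):
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2], 10)
    out = []
    for n, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        out.append(chr(byte ^ ord(TYPE7_KEY[(seed + n) % len(TYPE7_KEY)])))
    return "".join(out)

def type7_encode(plain, seed=8):
    """Inverse of type7_decode.  IOS chooses the seed itself (0-15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    out = [f"{seed:02d}"]
    for n, ch in enumerate(plain):
        out.append(f"{ord(ch) ^ ord(TYPE7_KEY[(seed + n) % len(TYPE7_KEY)]):02X}")
    return "".join(out)

if __name__ == "__main__":
    # A line as it would appear in a configuration after service password-encryption.
    config_line = "password 7 0822455D0A16"
    print(config_line, "->", type7_decode(config_line.split()[-1]))
```

Because the key is fixed and the operation is a plain XOR, no guessing is involved: any type 7 string decodes instantly, which is why this checksheet recommends "enable secret" (an MD5 hash) for the enable password and why CHAP secrets, which can only be stored as type 7, need the configuration itself kept private.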

     

    HOW-TO: PASSWORD OVERRIDE

    Connect to the console port and open a HyperTerminal session to the router. If you can still log in, type "show version" and note the configuration register setting (line 20 of the output shown earlier); on a router with a console password set it is usually 0x2102 or 0x102.

    Switch the router off for 10 seconds, then back on.

    When you see the bootstrap message, press <Ctrl>+<Break> (Microsoft terminal emulators) repeatedly until you see a ">" prompt (the ROM monitor).

    At the ">" prompt type the commands:

    o/r 0x42    # set the configuration register to boot from flash and ignore the startup configuration in NVRAM

    i           # initialise (reboot) the router

    The router boots with a blank running-config. When asked if you would like to enter the initial configuration dialog, answer "no" to all prompts.

    On completion of the boot process press <Enter> to log in and type "enable" to enter enable mode; with no configuration loaded, no password is requested.

    Type "show startup-config" and confirm that this configuration is as it should be. If so, type the following commands:

    copy startup-config running-config

    # this merges the bypassed startup-config, normally used, into the blank
    # running-config; the interfaces come up administratively shut down,
    # hence the "no shutdown" commands below

    configure terminal

    line con 0

    login

    password "whatever"

    exit

    enable secret "whatever"

    enable password "whatever"

    config-register 0x2102

    interface ethernet 0

    no shutdown

    interface ethernet 1

    no shutdown

    exit

    exit

    copy running-config startup-config

    reload

    The reset passwords should now work. Note that when both are set, "enable secret" takes precedence over "enable password", and that "config-register 0x2102" must be restored, otherwise the router will keep ignoring its saved configuration on every reboot.

     

    HOW-TO: STOP SMURFS

    To disable forwarding of directed broadcasts (repeat for every LAN interface, then save):

    r???# configure terminal

    r???(config)# interface ethernet 0

    r???(config-if)# no ip directed-broadcast

    r???(config-if)# <Ctrl>+<Z>

    r???# copy running-config startup-config

    HOW-TO: NOT INITIATE SMURF ATTACKS

    To prevent your site initiating smurf (or any other spoofed-source) attacks, permit only your own network's addresses outbound on the external interface; the implicit deny drops everything else. Here the local network is 172.16.192.0/24 (substitute your own):

    r???# configure terminal

    r???(config)# access-list "100-199" permit ip 172.16.192.0 0.0.0.255 any

    r???(config)# interface serial 0

    r???(config-if)# ip access-group "100-199" out

    CISCO WARRANTY

    From new, only 3 months' warranty is given.

    The extended standard warranty is called SMARTnet; this includes entitlement to IOS upgrades and 24-hour equipment replacement. However, it costs about 10% of the purchase price per year.

    Custom service packages are also available.

    Without a contract, software upgrades are provided by Cisco on a time and materials basis, which matters when a vulnerability fix is only available as a new IOS release.

    IOS UPGRADE

    The procedure should include:

    Lab tests before widespread deployment.

    Verification of the MD5 checksum that Cisco publishes for the image, before it is loaded.

    Backup of the old IOS image and configuration, so the upgrade can be reversed.

    Carrying out the upgrade during quiet hours, as routing will be unavailable while the router reloads.

     

    VIEW MODE

    To demonstrate the information available without entering privileged mode:

    Type "show protocols" - which routed protocols (IP, IPX etc.) and addresses are configured on each interface.

    Type "show ip route" if using IP - which IP network numbers the router knows how to reach, and via which neighbour.

    Type "show ipx route" if using IPX - which IPX network numbers the router knows how to reach.

    Type "show ip protocols" - which IP routing protocol is in use (RIP, IGRP, OSPF etc.), which IP networks the router is advertising, and from which neighbours it accepts updates.

    CISCO SUPPORT

    Other than direct contact with Cisco, other avenues are available:

    Newsgroups: comp.dcom.sys.cisco

    Mailing lists: Cisco@spot.colorado.edu (Cisco sponsored)

    Websites: www.clark.net/pub/~rbenn/cisco.html

     

    BIBLIOGRAPHY

    CESG COMPUSEC Manual N: Vulnerabilities of the TCP/IP Protocol Suite.

    Cisco Security Book. ISBN 1-57870-043-4.

    Cisco IOS Network Security. ISBN 1-57870-057-4.
