Cisco Security

1
Cisco Security

• Erik W. Hjelmstad, CISSP
• Security Consultant
• XS Security

2
Overview

• Background Information
• Cisco Vulnerabilities
• What Could Hackers Do?
• Cisco Defense
• Defending the rest of the network

3
Background Information

• Past - Penetration Testing
• Speaking
• Government Black Demon
• Current Colorado Springs Utilities

4
Cisco Vulnerabilities

• General Info
• Default Passwords
• SNMP
• Finger
• HTTP
• Telnet v. ssh
• Traffic sniffing
• ARP Spoofing
• DoS Attacks

5
General Info

• 244 vulnerabilites listed at www.securityfocus.com
  
• 13 pre 2000
• 17 in 2000
• 37 in 2001
• 91 in 2002
• 41 in 2003
• 45 in 2004
• Vulnerabilities vary in severity and in
  applicability to differnet versions of IOS.

6
Default Passwords

• Change all default passwords
• This includes community strings
• Dont use enable password use enable secret
  instead
• Use service password-encryption

7
SNMP

• Cleartext authentication for version 1 of
  protocol (default)
• Change RO and RW community strings from public
  and private
• Make sure to remove the old strings (not just add
  new ones) no snmp community public RO
• Are you actually using SNMP? If not remove it
• Use Snmp-server party for version 2

8
Finger

• Gives away information for free
• finger _at_192.168.1.1 lists all users currently
  logged on, plus other info.

9
HTTP

• Configuration Same problem as telnet, cleartext
• http//ipaddress/level/NUMBER/exec/ where
  NUMBER gt 16. (Normally, only up to 15 was
  expected. Security Focus bid 2936)

10
Telnet v. ssh

• Telnet is cleartext, ssh is encrpyted
• Until recently, ssh not available.
• Use ssh if at all possible, especially if over an
  insecure connection
• Ssh has had vulnerabilities as well

11
Traffic sniffing

• Plan text passwords can be sniffed as they
  traverse the network.
• Requirements
• Shared network
• Insecure protocol (ftp, telnet, pop-3)
• Sniffer plus network card in promiscuous mode
• Switched networks prevent this or do they?

12
Shared Network
13
Shared Network
14
Switched Network
15
Switched Network
16
Switched Network
17
Switched Network
18
Switched Network
19
Switched Network
20
ARP Spoofing

• Faking arp packets so that traffic is routed
  through the attacker
• Allows the attcker to see all of the traffic
• Attacker can insert new traffic, or block traffic
• Can cause a DoS as well

21
DoS Attacks

• Sending more traffic than the device can handle
• Too many port requests
• The wrong port request
• DoSing the router v. DoSing another system

22
What Could Hackers Do?

• Install Older IOS
• Modify ACLs
• Change Routes
• Launching Point
• DoS

23
Defenses

• Banners
• Patch / Upgrade IOS
• Limit Remote Management
• Limit Services
• Lock Ports
• Physical Security
• Prevent Spoofing

24
Banners

• banner login establishes a warning banner
• Use it to help prevent unauthorized access

25
Patch / Upgrade IOS

• Stay current on the latest IOS version
• Older versions have more problems
• Watch Bugtraq and securiyfocus.com for
  vulnerabilities
• Security Policy Does your organization have one
  and what does it cover?

26
Limit Remote Management

• Only from internal
• Only from specific IPs
• Line console and exec-timeout commands

27
Limit Services

• No cdp enable
• No ntp enable
• No service finger
• No service udp-small-servers
• No service tcp-small-servers
• No ip http server
• No ip bootp server
• No tftp-server
• No ip domain-lookup

28
Lock Ports

• Enable port security if possible
• Prevents users from moving around, or from a
  hacker installing a new device
• Port security and port secure commands

29
Physical Security

• Comm Room doors should be locked
• Access should be restricted to those who need
  access REGULARLY.

30
Prevent Spoofing

• No ip source-route
• No ip redirects
• No ip unreachables
• No ip proxy-arp
• Ip access-group list in
• Ip verify unicast rpf
• Block inbound rfc 1918, multicast, and localhost
• Block inbound from your internal addresses

31
Prevent Spoofing

• Access-list 111 deny ip 192.168.0.0 0.0.255.255
  any
• Access-list 111 deny ip 172.16.0.0 0.15.255.255
  any
• Access-list 111 deny ip 10.0.0.0 0.255.255.255 any

32
Defending Your Network

• Block Specific IPs
• Defense against Blaster / Welchia
• Defense against Netsky / Bagle
• Use as a Firewall

33
Block Specific IPs

• Create an ACL to vlock a specific range of IPs.
• Useful against DoS, foreign sites, etc.
• Be Careful! Dont lock yourself out of your own
  system!

34
Defense against Blaster / Welchia

• Blaster infected machines vulnerable to a
  Microsoft vulnerability
• Infected systems by
• Pinging to find systems
• Exploiting vulnerability
• Downloading file via TFTP
• Block ICMP
• Block TFTP

35
Defense against Netsky / Bagle

• NetSKy infected machines by using its own SMTP
  engine
• Connects directly to next system over port 25
• Block SMTP

36
Use as a Firewall

• Not best solution, because thats not what its
  designed fo
• Can be used in a pinch, or under extraordinary
  circumstances
• Shunt around a problem firewall

37
Questions

• Erik Hjelmstad
• XS Security
• erik_at_xssecurity.com
• 719-648-8877