AuditPro Enterprise™

©Network Intelligence India

http://www.niiconsulting.com


System: router
Hostname: 127.0.0.1

Legend

Symbol | Description
High | This represents the highest possible risk level. Such a vulnerability will in all likelihood allow an attacker partial or complete access to the system. These vulnerabilities must be addressed immediately by either patching the system, or changing the configuration.
Medium | This represents a medium risk vulnerability. Such a vulnerability would typically allow an attacker a limited level of access to the system, but this would not usually be a super user or administrative level of access. These vulnerabilities must be addressed in the short term.
Low | This represents a low vulnerability. It may not necessarily result in a system compromise by itself. But in conjunction with other medium or high risk vulnerabilities it may allow an attacker considerable access to the system. Such vulnerabilities must be addressed in the short to medium term.
Compliant | This sign represents adherence to the security policy. Usually, this is the case if no violations have been found.
Informational | This represents a finding for which no policy match could be found, or it is purely for information purposes. It does not represent a vulnerability. Normally, no action needs to be taken in such cases.
WVS | The Weighted Vulnerability Score (WVS) is calculated using the formula: (Low x 1) + (Medium x 2) + (High x 3)
 
     


Table of Contents


Information

     1. IOS Version

Boot Control

     2. Boot Configuration

Line Settings

     3. Console Line
     4. Auxiliary Line
     5. VTY Lines

Interface Settings

     6. Active Interfaces
     7. Inactive Interfaces

IP and Network Services

     8. Settings
     9. FTP
     10. SSH
     11. Telnet
     12. TFTP

Servers

     13. SNMP
     14. HTTP
     15. RADIUS
     16. TACACS+

Logging

     17. Logging Settings
     18. Syslog
     19. SNMP Trap

AAA

     20. Authentication
     21. Authorization
     22. Accounting

Password and Privileges

     23. Password Control
     24. Privileged Commands

Percentage severity distribution

Weighted score for each probe


  Information  

  Check : IOS Version  
 

Description:
This check is purely for informational purposes and determines the exact IOS version of the router.

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | version 12.2 | version 12.5



Solution:
Please check whether the version discovered is accurate and that patches are applied regularly.

 


  Boot Control  

  Check : Boot Configuration  
 

Description:
Cisco routers are capable of loading their startup configuration from local memory or

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | N/A | no boot network
   | N/A | no service config



Solution:
Explicitly disable loading the startup configuration from the network using the commands

 


  Line Settings  

  Check : Console Line  
 

Description:
Users connect to a Cisco router remotely through the console line via Telnet, SSH, etc. The commands 'transport input' and 'transport output' are used to allow remote access to the console port and to create a connection from the router to outside devices, respectively. The 'exec-timeout' command automatically logs out a user after a specified period of time. An 'access-class' is a set of rules that governs connections into and out of the router.

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | line con 0 | line con 0
   | N/A | transport input ssh
   | N/A | transport output none
   | exec-timeout 5 0 | exec-timeout 5 0
   | N/A | login local
   | N/A | access-class in
   | N/A | access-class out



Solution:
Enable remote administration only if required. Allow only the required remote connections to the router from outside using the 'transport input' command, and also monitor connections from the router to outside devices. To restrict connections from the router to outside devices, use the 'transport output' command. Log users out after a specified period of inactivity using the 'exec-timeout' command.

 


  Check : Auxiliary Line  
 

Description:
The AUX line is the Auxiliary port, seen in the configuration as line aux 0.

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | line aux 0 | line aux 0
   | N/A | transport input ssh
   | N/A | transport output ssh
   | exec-timeout 5 0 | exec-timeout 5 0
   | N/A | login local
   | N/A | access-class in
   | N/A | access-class out



Solution:
Allow only the required remote connections to the router from outside using the 'transport input' command, and also monitor connections from the router to outside devices. To restrict connections from the router to outside devices, use the 'transport output' command. Log users out after a specified period of inactivity using the 'exec-timeout' command.

 


  Check : VTY Lines  
 

Description:
The VTY lines are the Virtual Terminal lines of the router, used solely to control inbound Telnet connections. They appear in the configuration as line vty 0 4. They are a function of software; there is no hardware associated with them.

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | line vty 0 4 | line vty 0 4
   | transport input telnet ssh | transport input telnet ssh
   | N/A | transport output none
   | exec-timeout 5 0 | exec-timeout 5 0
   | N/A | login local
   | N/A | access-class {Any} in
   | N/A | access-class {Any} out
   | logging synchronous | logging synchronous



Solution:
Enable remote administration only if required. Configure the VTY lines to require login. Allow only the required remote connections to the router from outside using the 'transport input' command, and also monitor connections from the router to outside devices. To restrict connections from the router to outside devices, use the 'transport output' command. Log users out after a specified period of inactivity using the 'exec-timeout' command. Use the default AAA login authentication, because under AAA (local or network) users are required to log in with a valid user name and password. Use the following commands:
1) router(config)# line INSTANCE
2) router(config-line)# login authentication default
3) router(config-line)# exit

 


  Interface Settings  

  Check : Active Interfaces  
 

Description:
The active-interface command is used to allow other routers on the network to learn about routes dynamically.

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | interface Loopback0 | interface Loopback0
   | ip verify unicast reverse-path | ip verify unicast reverse-path
   | no ip redirects | no ip redirects
   | no ip unreachables | no ip unreachables
   | no ip proxy-arp | no ip proxy-arp
   | N/A | no ip mroute-cache
   | N/A | no cdp enable
   | N/A | ip access-group {Any} in
   | N/A | ip access-group {Any} out
   | N/A | no ip mask-reply
   | N/A | ntp disable
   | N/A | no ip directed-broadcast
   | interface FastEthernet0/0 | interface FastEthernet0/0
   | ip verify unicast reverse-path | ip verify unicast reverse-path
   | N/A | no ip redirects
   | N/A | no ip unreachables
   | no ip proxy-arp | no ip proxy-arp
   | no ip mroute-cache | no ip mroute-cache
   | no cdp enable | no cdp enable
   | N/A | ip access-group {Any} in
   | N/A | ip access-group {Any} out
   | N/A | no ip mask-reply
   | N/A | ntp disable
   | N/A | no ip directed-broadcast
   | interface Ethernet1/0 | interface Ethernet1/0
   | ip verify unicast reverse-path | ip verify unicast reverse-path
   | N/A | no ip redirects
   | N/A | no ip unreachables
   | no ip proxy-arp | no ip proxy-arp
   | no ip mroute-cache | no ip mroute-cache
   | no cdp enable | no cdp enable
   | N/A | ip access-group {Any} in
   | N/A | ip access-group {Any} out
   | N/A | no ip mask-reply
   | N/A | ntp disable
   | N/A | no ip directed-broadcast



Solution:
Use the 'ip verify unicast reverse-path' command for Unicast Reverse-Path Verification, which uses the routing table to reject mis-addressed and spoof-addressed packets. Proxy ARP breaks the LAN security perimeter, so it should be used only between two LAN segments at the same trust level, and only when absolutely necessary to support legacy network architectures. Use 'no ip proxy-arp' to disable proxy ARP on all interfaces. Use 'no ip mroute-cache' to prevent route caching. The Cisco Discovery Protocol (CDP) is a proprietary protocol that Cisco devices use to identify each other on a LAN segment. There have been published denial of service attacks that use CDP. It is used only in specialized situations and is considered a security risk, so disable it with the 'no cdp enable' command. Use of the Network Time Protocol is also risky, so disable it with the 'ntp disable' command. Also disallow directed broadcasts with the 'no ip directed-broadcast' command.

 


  Check : Inactive Interfaces  
 

Description:
The passive-interface command is used to prevent other routers on the network

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | interface FastEthernet0/1 | interface FastEthernet0/1
   | ip verify unicast reverse-path | ip verify unicast reverse-path
   | no ip proxy-arp | no ip proxy-arp
   | no ip mroute-cache | no ip mroute-cache
   | no cdp enable | no cdp enable
   | shutdown | shutdown
   | N/A | no ip mask-reply
   | N/A | no ip directed-broadcast
   | interface Ethernet1/1 | interface Ethernet1/1
   | ip verify unicast reverse-path | ip verify unicast reverse-path
   | no ip proxy-arp | no ip proxy-arp
   | no ip mroute-cache | no ip mroute-cache
   | no cdp enable | no cdp enable
   | shutdown | shutdown
   | N/A | no ip mask-reply
   | N/A | no ip directed-broadcast
   | interface Ethernet1/2 | interface Ethernet1/2
   | ip verify unicast reverse-path | ip verify unicast reverse-path
   | no ip proxy-arp | no ip proxy-arp
   | no ip mroute-cache | no ip mroute-cache
   | no cdp enable | no cdp enable
   | shutdown | shutdown
   | N/A | no ip mask-reply
   | N/A | no ip directed-broadcast
   | interface Ethernet1/3 | interface Ethernet1/3
   | ip verify unicast reverse-path | ip verify unicast reverse-path
   | no ip proxy-arp | no ip proxy-arp
   | no ip mroute-cache | no ip mroute-cache
   | no cdp enable | no cdp enable
   | shutdown | shutdown
   | N/A | no ip mask-reply
   | N/A | no ip directed-broadcast



Solution:
Use the 'ip verify unicast reverse-path' command for Unicast Reverse-Path Verification, which uses the routing table to reject mis-addressed and spoof-addressed packets. Proxy ARP breaks the LAN security perimeter, so it should be used only between two LAN segments at the same trust level, and only when absolutely necessary to support legacy network architectures. Use 'no ip proxy-arp' to disable proxy ARP on all interfaces. Use 'no ip mroute-cache' to prevent route caching. The Cisco Discovery Protocol (CDP) is a proprietary protocol that Cisco devices use to identify each other on a LAN segment. There have been published denial of service attacks that use CDP. It is used only in specialized situations and is considered a security risk, so disable it with the 'no cdp enable' command. Use of the Network Time Protocol is also risky, so disable it with the 'ntp disable' command. Also disallow directed broadcasts with the 'no ip directed-broadcast' command.

 


  IP and Network Services  

  Check : Settings  
 

Description:
These are the commands to turn off some services that should almost always be turned off.

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | no cdp run | no cdp run
   | no ip source-route | no ip source-route
   | N/A | no ip classless
   | N/A | no service tcp-small-serv
   | N/A | no service udp-small-serv
   | N/A | no ip finger
   | N/A | no service finger
   | no ip bootp server | no ip bootp server
   | no ip http server | no ip http server
   | N/A | no ip name-server
   | no ip domain-lookup | no ip domain-lookup



Solution:
1) 'no cdp run' to turn off the Cisco Discovery Protocol.
2) 'no ip source-route' to disable source routing.
3) 'no ip classless' to have a class for every IP.
4) 'no service tcp-small-serv' to turn off small services like echo and discard.
5) 'no ip finger' to turn off the finger service.
6) 'no ip http server' to turn off the HTTP service.
7) 'no ip name-server' to disable the name server.

 


  Check : FTP  
 

Description:
The FTP protocol is used to transfer configuration files to and from the router.

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | ip ftp source-interface Loopback0 | ip ftp source-interface Loopback0



Solution:
Authenticate to the FTP server and use the 'copy startup-config ftp' command to transfer configuration files to and from the router.

 


  Check : SSH  
 

Description:
The SSH protocol is used to connect remotely to the router for administration through the VTY lines.

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | ip ssh time-out 120 | ip ssh time-out 120
   | ip ssh authentication-retries 3 | ip ssh authentication-retries 3



Solution:
Bind the SSH service to the source-interface. Create and apply an access list explicitly listing the hosts or networks from which remote administration will be permitted, and set an exec

 


  Check : Telnet  
 

Description:
The Telnet protocol is used to connect remotely to the router for administration through the VTY lines.

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | ip telnet source-interface Loopback0 | ip telnet source-interface {Any}



Solution:
Bind the Telnet service to the source-interface. Create and apply an access list explicitly listing the hosts or networks from which remote administration will be permitted, and set an exec

 


  Check : TFTP  
 

Description:
The TFTP protocol is used to transfer configuration files to and from the router.

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | ip tftp source-interface Loopback0 | ip tftp source-interface Loopback0



Solution:
Authenticate to the FTP server and use the 'copy startup-config ftp' command to transfer configuration files to and from the router.

 


  Servers  

  Check : SNMP  
 

Description:
The Simple Network Management Protocol (SNMP) is the standard Internet protocol

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | N/A | no snmp-server community public
   | N/A | no snmp-server community {Any}
   | N/A | no snmp-server enable traps
   | N/A | no snmp-server system-shutdown
   | N/A | no snmp-server trap-auth
   | N/A | no snmp-server



Solution:
Use the 'no snmp-server community community-name' command to remove a predictable community string. Also use 'no snmp-server system-shutdown' so that the router cannot be shut down via SNMP. Also prevent trapping using the command 'no snmp-server enable traps'.

 


  Check : HTTP  
 

Description:
Newer Cisco IOS releases support web-based remote administration using the HTTP

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | N/A | ip http access-class {Any}
   | N/A | ip http auth local



Solution:
Web-based remote administration reveals critical passwords in the clear. Therefore, web-based remote administration should be avoided. If it is necessary, restrict access using an access list.

 


  Check : RADIUS  
 

Description:
RADIUS is a distributed

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | N/A | radius-server host {Any}
   | N/A | radius-server key {Any}



Solution:
Always use a RADIUS or TACACS+ server for authentication.

 


  Check : TACACS+  
 

Description:
Terminal Access Controller Access Control System plus (TACACS+) is the most

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | tacacs-server host 14.2.61.249 key blarg19-H57-02 | tacacs-server host {Any}
   | N/A | tacacs-server key {Any}



Solution:
Always use a RADIUS or TACACS+ server for authentication.

 


  Logging  

  Check : Logging Settings  
 

Description:
Logging on a router offers several benefits. Using the information in a log, the

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | N/A | logging on
   | logging console critical | logging console critical
   | N/A | logging monitor informational
   | logging buffered 16000 informational | logging buffered 16000 informational
   | service timestamps log datetime msec show-timezone | service timestamps log date msec show-timezone



Solution:
Send the router logs to a designated log host, which is a separate computer whose only job is to accept and store logs. The log host should be connected to a trusted or protected network, or an

 


  Check : Syslog  
 

Description:
Logging is a critical part of router security. Cisco routers can send their log messages to a Unix-style syslog service. A syslog service simply accepts messages, and stores them in files or

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | logging trap debugging | logging trap informational
   | logging buffered 16000 informational | logging {Any}
   | logging rate-limit console 3 except critical | logging {Any}
   | logging console critical | logging {Any}
   | logging trap debugging | logging {Any}
   | logging facility local6 | logging {Any}
   | logging 14.2.61.89 | logging {Any}
   | logging synchronous | logging {Any}
   | logging source-interface Loopback0 | logging {Any}
   | logging facility local6 | logging facility local6
   | logging source-interface Loopback0 | logging source-interface Loopback0



Solution:
Always keep logging on.

 


  Check : SNMP Trap  
 

Description:
Cisco routers can generate Simple Network Management Protocol (SNMP) trap messages. This facility allows routers to be monitored as part of an overall SNMP-based network management infrastructure.

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | logging trap debugging | logging trap informational
   | N/A | snmp-server host {Any} traps
   | N/A | snmp-server trap-source Loopback0
   | N/A | snmp-server enable traps syslog



Solution:
Always keep logging on.

 


  AAA  

  Check : Authentication  
 

Description:
This is Cisco’s new access control facility for controlling access, privileges, and

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | aaa new-model | aaa new-model
   | aaa authentication login default group tacacs+ local enable | aaa authentication login default group tacacs+ local
   | aaa authentication enable default group tacacs+ enable | aaa authentication enable default group tacacs+ enable



Solution:
Always use the AAA model for authentication.

 


  Check : Authorization  
 

Description:
This is Cisco’s new access control facility for controlling access, privileges, and

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | N/A | aaa authorization exec default radius
   | N/A | aaa authorization network default radius
   | N/A | aaa authorization reverse-access
   | N/A | aaa authorization commands



Solution:
Always use the AAA model for authorization.

 


  Check : Accounting  
 

Description:
This is Cisco’s new access control facility for controlling access, privileges, and

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | aaa accounting exec start-stop group tacacs+ | aaa accounting exec start-stop group tacacs+
   | aaa accounting network start-stop group tacacs+ | aaa accounting network start-stop group tacacs+
   | aaa accounting system start-stop group tacacs+ | aaa accounting system start-stop group tacacs+
   | aaa accounting commands 15 default start-stop group tacacs+ | aaa accounting commands 15 default start-stop radius
   | aaa accounting connection start-stop group tacacs+ | aaa accounting connection start-stop group tacacs+



Solution:
Always use AAA model for Authorization.

 


  Password and Privileges  

  Check : Password Control  
 

Description:
There are two password protection schemes in Cisco IOS, Type 7 and Type 5. Type 7 uses the Cisco-defined encryption algorithm. Type 5 uses an iterated MD5 hash.

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | enable secret 5 $1$UKAW$u26UyV6TxGPtsgWqKdBL7. | enable secret {Any}
   | N/A | no enable password
   | service password-encryption | service password-encryption



Solution:
Type 5 is much stronger than Type 7, so it is recommended to use Type 5 over Type 7. Type 7 encryption is used by the enable password, username, and line password commands.

 


  Check : Privileged Commands  
 

Description:
Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS

CVE Reference No.:
Severity | Configuration Setting | Policy Compliant Setting
   | privilege exec level 15 connect | privilege exec level {Any}



Solution:
Use appropriate privilege levels for commands.

 
