Audit Report - Nipper Studio - E-SPIN

NipperStudio

AuditReport2March2017

Summary

NipperStudioperformedanauditon2March2017ofthetwonetworkdevicesdetailedinthescope.Theauditconsistedofthefollowingcomponents:

abestpracticesecurityaudit(Part2);asoftwarevulnerabilityauditreport(Part3);aCISBenchmarkaudit(Part4);aDefenceInformationSystemsAgency(DISA)SecurityTechnicalImplementationGuide(STIG)compliancereport(Part5);aSysAdminAuditNetworkSecurity(SANS)policycompliancereport(Part6);aPaymentCardIndustry(PCI)compliancereport(Part7);anetworkfilteringcomplexityreport(Part8);aconfigurationreport(Part9);arawconfigurationreport(Part10).

Scope

ThescopeofthisauditwaslimitedtothetwodeviceslistedinTable1.

Table1:Auditdevicescope

Device Name OS

CiscoRouter router03 IOS12.3

CiscoRouter CiscoIOS15 IOS15.0

SecurityAuditSummary

NipperStudioperformedasecurityauditofthetwodevicesdetailedinthescopeandidentified73security-relatedissues.AlthoughsignificantissueswereidentifiedtheydidnotcomprisethemostsignificantpercentageoftheissuesidentifiedbyNipperStudio.Eachoftheissuesidentifiedisdescribedingreaterdetailinthemainbodyofthisreport.

NipperStudioidentifiedanumberofclear-textprotocolrelatedissues.Itisimportantthatallclear-textprotocolservicesshouldbereplacedwithcryptographicallysecurealternativesinordertohelppreventunauthorizedeavesdroppingofpotentiallysensitivedata.Furthermoretheclear-textservicesareoftenusedforadministrationpurposesandamalicioususer,orattacker,whoisabletomonitorthecommunicationsmayalsogainaccesstoauthenticationcredentialsthatcouldthenleadthemtogainadministrativeaccesstothesystem.

NipperStudiocandrawthefollowingstatisticsfromtheresultsofthissecurityassessment,(percentageshavebeenrounded).1issue(1%)wasratedascritical,24issues(33%)wereratedashigh,18issues(25%)wereratedasmedium,19issues(26%)wereratedaslowand11issues(15%)wereratedasinformational.Thenumberofdevicesthatcontainvulnerabilitieswithaspecificratingisasfollows;2deviceshadissuesratedascritical,2deviceshadissuesratedashigh,2deviceshadissuesratedasmedium,2deviceshadissuesratedaslowand2deviceshadissuesratedasinformational.

Table2detailsthenumberofissuesidentifiedforeachauditeddeviceandtheratingofthehighestratedissue.

Table2:Summaryoffindingsforeachdevice

Device Name Issues HighestRating

CiscoRouter router03 67 CRITICAL

CiscoRouter CiscoIOS15 24 CRITICAL

VulnerabilityAuditSummary

NipperStudioperformedavulnerabilityauditofthetwodevicesdetailedinthescope.

Table3:SummaryoffindingsfromtheVulnerabilityAuditforeachdevice

Device Name Critical High Medium Low

CiscoRouter router03 13 89 29 2

CiscoRouter CiscoIOS15 3 100 29 0

CISBenchmarkAudit

NipperStudioPerformedaCISBenchmarkAuditonthedevice(s)detailedwithinthescopeandidentifiedatotalof55issuesthatshouldbereviewedassoonasispractical.Eachoftheissuesthatwereidentifiedaredescribedingreaterdetailinthemainbodyofthisreport,andatableprovidinganoverviewoftheissuesraisedcanbefoundattheendoftheCISBenchmarkreport.

Table4belowdetailstheCISBenchmarkprofilethathasbeenrunoneachofthecompatibledevices(percentageshavebeenrounded).

Table4:Listofprofilesrunoneachdevice.

Device Profile Passed Failed Manual Score(Percentage)

router03IOS12.3 Level2 23 52 14 25.84%

CiscoIOS15IOS15.0 Level2 72 3 14 80.90%

DISASTIGSummary

NipperStudioperformedtwoDISASTIGcomplianceaudits.Table5summarizesthefindings.

Table5:DISASTIGdevicecompliancesummary

Name STIG Version IPass IFail IMan IIPass IIFail IIMan IIIPass IIIFail IIIMan

router03 InfrastructureL3SwitchSecureTechnicalImplementationGuide-Cisco 8Release21(28/10/2016) 4 3 4 17 12 34 7 11 16

CiscoIOS15 InfrastructureRouterSecurityTechnicalImplementationGuideCisco 8Release21(28/10/2016) 5 2 3 20 4 24 16 3 10

SANSSummary

NipperStudioperformedtwoSANSpolicycomplianceaudit.Table6summarizesthefindings.

Table6:Summaryoffindingsforeachdevice

Device Name Pass Fail Manual

CiscoRouter router03 2 8 28

CiscoRouter CiscoIOS15 7 4 38

Contents

1YourReport1.1Introduction1.2EvaluationUseOnly1.3ReportConventions1.4ComplianceCheckResults1.5NetworkFilteringActions1.6ObjectFilterTypes

2SecurityAudit2.1Introduction2.2UsersWithDictionary-BasedPasswords2.3DefaultSimpleNetworkManagementProtocol(SNMP)CommunityStringsWereConfigured2.4BorderGatewayProtocol(BGP)NeighborsConfiguredWithNoPasswords2.5NotAllGatewayLoadBalancingProtocol(GLBP)GroupsWereAuthenticated2.6Clear-TextGLBPGroupAuthenticationWasConfigured2.7NotAllHotStandbyRoutingProtocol(HSRP)GroupsWereAuthenticated2.8Clear-TextHSRPGroupAuthenticationWasConfigured2.9NotAllOpenShortestPathFirst(OSPF)RoutingUpdatesWereAuthenticated2.10RoutingInformationProtocol(RIP)Version1WasConfigured2.11Clear-TextRIPAuthenticationWasConfigured2.12NotAllVirtualRouterRedundancyProtocol(VRRP)GroupsWereAuthenticated2.13Clear-TextVRRPGroupAuthenticationWasConfigured2.14NotAllEnhancedInteriorGatewayRoutingProtocol(EIGRP)UpdatesWereAuthenticated2.15NotAllRIPUpdatesWereAuthenticated2.16LowVRRPRouterPriorities2.17NoVLANTrunkingProtocol(VTP)AuthenticationPasswordWasConfigured2.18LowGLBPGroupPriorities2.19LowHSRPRouterPriorities2.20UDPSmallServicesEnabled2.21EnablePasswordConfigured2.22Clear-TextSNMPInUse2.23SNMPWriteAccessEnabled2.24NoHypertextTransferProtocol(HTTP)ServerSessionTimeout2.25NoInboundTransmissionControlProtocol(TCP)ConnectionKeep-Alives2.26InterfacesWereConfiguredWithNoFiltering2.27Dictionary-BasedRoutingProtocolAuthenticationKeys2.28Dictionary-BasedVRRPGroupAuthenticationKeys2.29SNMPSystemShutdownEnabled2.30BGPNeighborsConfiguredWithDictionary-BasedPasswords2.31DTPWasEnabled2.32ClearTextHTTPServiceEnabled2.33UserAccountNamesContained"admin"2.34WeakGLBPGroupAuthenticationKeys2.35WeakHSRPGroupAuthenticationKeys2.36WeakRoutingProtocolAuthenticationKeys2.37LowOSPFRouterPriorities2.38UsersConfiguredWithWeakPasswordEncryption2.39AUXPortNotDisabled2.40NoBGPRouteFlapPrevention2.41NoRIPUpdateNeighborsWereConfigured2.42NoHTTPServiceNetworkAccessRestrictions2.43SyslogLoggingNotEnabled2.44NetworkTimeProtocol(NTP)ControlQueriesWerePermitted2.45NoSNMPTrivialFileTransferProtocol(TFTP)ServerAccessListConfigured2.46NoOSPFLinkStateAdvertisement(LSA)Thresholds2.47NTPAuthenticationWasDisabled2.48TheFingerServiceWasEnabled2.49WeakSNMPCommunityStringsWereConfigured2.50InternetProtocol(IP)DirectedBroadcastsWereEnabled2.51ServicePasswordEncryptionDisabled2.52CiscoDiscoveryProtocol(CDP)WasEnabled

2.53SNMPAccessWithoutNetworkFiltering2.54SNMPAccessWithNoView2.55TheBOOTPServiceWasNotDisabled2.56SwitchPortSecurityDisabled2.57VTPWasInServerMode2.58IPSourceRoutingWasEnabled2.59InternetControlMessageProtocol(ICMP)AddressMaskReplyMessagesWereEnabled2.60ProxyAddressResolutionProtocol(ARP)WasEnabled2.61WeakMinimumPasswordLengthPolicySetting2.62NoWarningInPre-LogonBanner2.63ICMPUnreachableMessagesWereEnabled2.64Dictionary-BasedSNMPTraps2.65WeakSNMPTraps2.66DomainNameSystem(DNS)LookupsWereEnabled2.67NoNetworkFilteringRulesWereConfigured2.68NoPostLogonBannerMessage2.69ICMPRedirectMessagesWereEnabled2.70PacketAssembler/Disassembler(PAD)ServiceEnabled2.71UnrestrictedOutboundAdministrativeAccess2.72TCPSmallServicesEnabled2.73SwitchPortTrunkingAllowsAllVirtualLocalAreaNetworks(VLANs)2.74MaintenanceOperationsProtocol(MOP)Enabled2.75Conclusions2.76Recommendations2.77MitigationClassification

3VulnerabilityAudit3.1Introduction3.2CVE-2006-49503.3CVE-2007-04803.4CVE-2010-05803.5CVE-2010-05813.6CVE-2011-09353.7CVE-2005-34813.8CVE-2006-32913.9CVE-2007-25863.10CVE-2007-42863.11CVE-2007-42923.12CVE-2007-53813.13CVE-2008-38073.14CVE-2011-40123.15CVE-2007-42853.16CVE-2009-06283.17CVE-2015-06353.18CVE-2008-38053.19CVE-2008-38063.20CVE-2012-03843.21CVE-2016-63803.22CVE-2007-04793.23CVE-2007-04813.24CVE-2007-06483.25CVE-2007-28133.26CVE-2008-11523.27CVE-2008-27393.28CVE-2008-37993.29CVE-2008-38083.30CVE-2009-06263.31CVE-2009-06313.32CVE-2009-06363.33CVE-2009-28663.34CVE-2009-28683.35CVE-2009-28703.36CVE-2009-50383.37CVE-2009-50393.38CVE-2010-05763.39CVE-2010-05783.40CVE-2010-05793.41CVE-2010-05823.42CVE-2010-05853.43CVE-2010-05863.44CVE-2010-28283.45CVE-2010-28293.46CVE-2010-28313.47CVE-2010-2832

3.48CVE-2010-28333.49CVE-2010-28343.50CVE-2010-28353.51CVE-2010-28363.52CVE-2010-46713.53CVE-2010-46833.54CVE-2010-46863.55CVE-2011-09393.56CVE-2011-09443.57CVE-2011-09453.58CVE-2011-09463.59CVE-2011-20723.60CVE-2011-32703.61CVE-2011-32733.62CVE-2011-32753.63CVE-2011-32763.64CVE-2011-32773.65CVE-2011-32783.66CVE-2011-32793.67CVE-2011-32803.68CVE-2011-32813.69CVE-2011-32823.70CVE-2012-03813.71CVE-2012-03833.72CVE-2012-03853.73CVE-2012-03863.74CVE-2012-03873.75CVE-2012-03883.76CVE-2012-13103.77CVE-2012-13113.78CVE-2012-13153.79CVE-2012-13503.80CVE-2012-39493.81CVE-2012-46183.82CVE-2012-46193.83CVE-2012-46203.84CVE-2012-46213.85CVE-2012-46233.86CVE-2013-11423.87CVE-2013-11453.88CVE-2013-11463.89CVE-2013-11473.90CVE-2013-54743.91CVE-2013-54753.92CVE-2013-54773.93CVE-2013-54783.94CVE-2013-54793.95CVE-2013-54803.96CVE-2014-21083.97CVE-2014-21093.98CVE-2014-33273.99CVE-2014-33543.100CVE-2014-33573.101CVE-2014-33583.102CVE-2015-06363.103CVE-2015-06373.104CVE-2015-06423.105CVE-2015-06433.106CVE-2015-06463.107CVE-2015-06473.108CVE-2015-06483.109CVE-2015-06493.110CVE-2015-06503.111CVE-2015-62783.112CVE-2015-62793.113CVE-2016-13483.114CVE-2016-13493.115CVE-2016-63783.116CVE-2016-63793.117CVE-2016-63823.118CVE-2016-63843.119CVE-2016-63853.120CVE-2016-63863.121CVE-2016-6391

3.122CVE-2016-63923.123CVE-2005-10573.124CVE-2005-10583.125CVE-2005-21053.126CVE-2005-28413.127CVE-2005-10203.128CVE-2005-10213.129CVE-2006-03403.130CVE-2007-09183.131CVE-2007-42913.132CVE-2007-42933.133CVE-2007-56513.134CVE-2008-11533.135CVE-2008-38003.136CVE-2008-38013.137CVE-2008-38023.138CVE-2008-38093.139CVE-2008-46093.140CVE-2009-06303.141CVE-2009-06333.142CVE-2009-06343.143CVE-2009-28633.144CVE-2009-28733.145CVE-2010-05773.146CVE-2010-28303.147CVE-2010-46843.148CVE-2012-03823.149CVE-2012-39503.150CVE-2012-46223.151CVE-2013-11433.152CVE-2013-11673.153CVE-2013-54723.154CVE-2013-54813.155CVE-2014-21073.156CVE-2014-21113.157CVE-2014-33613.158CVE-2015-06383.159CVE-2015-06813.160CVE-2016-13443.161CVE-2016-63813.162CVE-2016-63933.163CVE-2007-42953.164CVE-2009-28723.165CVE-2009-50403.166CVE-2013-66863.167CVE-2016-14283.168CVE-2016-14323.169CVE-2007-09173.170CVE-2007-25873.171CVE-2012-13383.172CVE-2012-38953.173CVE-2005-01973.174CVE-2011-32743.175CVE-2012-13273.176CVE-2016-14253.177CVE-2013-01493.178CVE-2011-16253.179CVE-2011-25863.180CVE-2011-40073.181CVE-2011-40163.182CVE-2011-40193.183CVE-2008-11563.184CVE-2004-07143.185CVE-2004-14543.186CVE-2004-14643.187CVE-2005-01863.188CVE-2005-01953.189CVE-2005-01963.190CVE-2005-36693.191CVE-2007-44303.192CVE-2010-46873.193CVE-2011-20593.194CVE-2011-23953.195CVE-2012-0338

3.196CVE-2012-03393.197CVE-2012-13673.198CVE-2014-21433.199CVE-2016-13843.200CVE-2016-14093.201CVE-2016-64153.202CVE-2016-14593.203CVE-2006-04853.204CVE-2006-04863.205CVE-2008-38213.206CVE-2012-03623.207CVE-2010-46853.208CVE-2011-32893.209CVE-2012-39233.210CVE-2005-39213.211CVE-2005-24513.212Conclusions3.213Recommendations

4CISBenchmark4.1CISCiscoIOS15Benchmark4.1.1ManagementPlane4.1.1.1LocalAuthentication,AuthorizationandAccounting(AAA)Rules4.1.1.1.1Enable'aaanew-model'4.1.1.1.2Enable'aaaauthenticationlogin'4.1.1.1.3Enable'aaaauthenticationenabledefault'4.1.1.1.4Set'loginauthenticationfor'linecon0'4.1.1.1.5Set'loginauthenticationfor'linetty'4.1.1.1.6Set'loginauthenticationfor'linevty'4.1.1.1.7Set'aaaaccounting'tologallprivilegedusecommandsusing'commands15'4.1.1.1.8Set'aaaaccountingconnection'4.1.1.1.9Set'aaaaccountingexec'4.1.1.1.10Set'aaaaccountingnetwork'4.1.1.1.11Set'aaaaccountingsystem'4.1.1.2AccessRules4.1.1.2.1Set'privilege1'forlocalusers4.1.1.2.2Set'transportinputssh'for'linevty'connections4.1.1.2.3Set'noexec'for'lineaux0'4.1.1.2.4Create'access-list'forusewith'linevty'4.1.1.2.5Set'access-class'for'linevty'4.1.1.2.6Set'exec-timeout'tolessthanorequalto10minutesfor'lineaux0'4.1.1.2.7Set'exec-timeout'tolessthanorequalto10minutes'lineconsole0'4.1.1.2.8Set'exec-timeout'lessthanorequalto10minutes'linetty'4.1.1.2.9Set'exec-timeout'tolessthanorequalto10minutes'linevty'4.1.1.2.10Set'transportinputnone'for'lineaux0'4.1.1.3BannerRules4.1.1.3.1Setthe'banner-text'for'bannerexec'4.1.1.3.2Setthe'banner-text'for'bannerlogin'4.1.1.3.3Setthe'banner-text'for'bannermotd'4.1.1.4PasswordRules4.1.1.4.1Set'password'for'enablesecret'4.1.1.4.2Enable'servicepassword-encryption'4.1.1.4.3Set'usernamesecret'foralllocalusers4.1.1.5SNMPRules4.1.1.5.1Set'nosnmp-server'todisableSNMPwhenunused4.1.1.5.2Unset'private'for'snmp-servercommunity'4.1.1.5.3Unset'public'for'snmp-servercommunity'4.1.1.5.4Donotset'RW'forany'snmp-servercommunity'4.1.1.5.5SettheACLforeach'snmp-servercommunity'4.1.1.5.6Createan'access-list'forusewithSNMP4.1.1.5.7Set'snmp-serverhost'whenusingSNMP4.1.1.5.8Set'snmp-serverenabletrapssnmp'4.1.1.5.9Set'priv'foreach'snmp-servergroup'usingSNMPv34.1.1.5.10Require'aes128'asminimumfor'snmp-serveruser'whenusingSNMPv34.1.2ControlPlane4.1.2.1GlobalServiceRules4.1.2.1.1SetupSSH4.1.2.1.1.1ConfigurePrerequisitesfortheSSHService4.1.2.1.1.1.1Setthe'hostname'4.1.2.1.1.1.2Setthe'ipdomainname'4.1.2.1.1.1.3Set'modulus'togreaterthanorequalto2048for'cryptokeygeneratersa'4.1.2.1.1.1.4Set'seconds'for'ipsshtimeout'4.1.2.1.1.1.5Setmaximimumvaluefor'ipsshauthentication-retries'4.1.2.1.1.2Setversion2for'ipsshversion'

4.1.2.1.2Set'nocdprun'4.1.2.1.3Set'noipbootpserver'4.1.2.1.4Set'noservicedhcp'4.1.2.1.5Set'noipidentd'4.1.2.1.6Set'servicetcp-keepalives-in'4.1.2.1.7Set'servicetcp-keepalives-out'4.1.2.1.8Set'noservicepad'4.1.2.2LoggingRules4.1.2.2.1Set'loggingon'4.1.2.2.2Set'buffersize'for'loggingbuffered'4.1.2.2.3Set'loggingconsolecritical'4.1.2.2.4SetIPaddressfor'logginghost'4.1.2.2.5Set'loggingtrapinformational'4.1.2.2.6Set'servicetimestampsdebugdatetime'4.1.2.2.7Set'loggingsourceinterface'4.1.2.3NTPRules4.1.2.3.1RequireEncryptionKeysforNTP4.1.2.3.1.1Set'ntpauthenticate'4.1.2.3.1.2Set'ntpauthentication-key'4.1.2.3.1.3Setthe'ntptrusted-key'4.1.2.3.1.4Set'key'foreach'ntpserver'4.1.2.3.2Set'ipaddress'for'ntpserver'4.1.2.4LoopbackRules4.1.2.4.1Createasingle'interfaceloopback'4.1.2.4.2SetAAA'source-interface'4.1.2.4.3Set'ntpsource'toLoopbackInterface4.1.2.4.4Set'iptftpsource-interface'totheLoopbackInterface4.1.3DataPlane4.1.3.1RoutingRules4.1.3.1.1Set'noipsource-route'4.1.3.1.2Set'noipproxy-arp'4.1.3.1.3Set'nointerfacetunnel'4.1.3.1.4Set'ipverifyunicastsourcereachable-via'4.1.3.2BorderRouterFiltering4.1.3.2.1Set'ipaccess-listextended'toForbidPrivateSourceAddressesfromExternalNetworks4.1.3.2.2Setinbound'ipaccess-group'ontheExternalInterface4.1.3.3NeighborAuthentication4.1.3.3.1RequireEIGRPAuthenticationifProtocolisUsed4.1.3.3.1.1Set'keychain'4.1.3.3.1.2Set'key'4.1.3.3.1.3Set'key-string'4.1.3.3.1.4Set'address-familyipv4autonomous-system'4.1.3.3.1.5Set'af-interfacedefault'4.1.3.3.1.6Set'authenticationkey-chain'4.1.3.3.1.7Set'authenticationmodemd5'4.1.3.3.1.8Set'ipauthenticationkey-chaineigrp'4.1.3.3.1.9Set'ipauthenticationmodeeigrp'4.1.3.3.2RequireOSPFAuthenticationifProtocolisUsed4.1.3.3.2.1Set'authenticationmessage-digest'forOSPFarea4.1.3.3.2.2Set'ipospfmessage-digest-keymd5'4.1.3.3.3RequireRIPv2AuthenticationifProtocolisUsed4.1.3.3.3.1Set'keychain'4.1.3.3.3.2Set'key'4.1.3.3.3.3Set'key-string'4.1.3.3.3.4Set'ipripauthenticationkey-chain'4.1.3.3.3.5Set'ipripauthenticationmode'to'md5'4.1.3.3.4RequireBGPAuthenticationifProtocolisUsed4.1.3.3.4.1Set'neighborpassword'4.2CISCiscoIOS12Benchmark4.2.1ManagementPlane4.2.1.1LocalAuthentication,AuthorizationandAccounting(AAA)Rules4.2.1.1.1Enable'aaanew-model'4.2.1.1.2Enable'aaaauthenticationlogin'4.2.1.1.3Enable'aaaauthenticationenabledefault'4.2.1.1.4Set'loginauthenticationfor'linecon0'4.2.1.1.5Set'loginauthenticationfor'linetty'4.2.1.1.6Set'loginauthenticationfor'linevty'4.2.1.1.7Set'aaaaccounting'tologallprivilegedusecommandsusing'commands15'4.2.1.1.8Set'aaaaccountingconnection'4.2.1.1.9Set'aaaaccountingexec'4.2.1.1.10Set'aaaaccountingnetwork'4.2.1.1.11Set'aaaaccountingsystem'4.2.1.2AccessRules4.2.1.2.1Set'privilege1'forlocalusers

4.2.1.2.2Set'transportinputssh'for'linevty'connections4.2.1.2.3Set'noexec'for'lineaux0'4.2.1.2.4Create'access-list'forusewith'linevty'4.2.1.2.5Set'access-class'for'linevty'4.2.1.2.6Set'exec-timeout'tolessthanorequalto10minutesfor'lineaux0'4.2.1.2.7Set'exec-timeout'tolessthanorequalto10minutes'lineconsole0'4.2.1.2.8Set'exec-timeout'lessthanorequalto10minutes'linetty'4.2.1.2.9Set'exec-timeout'tolessthanorequalto10minutes'linevty'4.2.1.2.10Set'transportinputnone'for'lineaux0'4.2.1.3BannerRules4.2.1.3.1Setthe'banner-text'for'bannerexec'4.2.1.3.2Setthe'banner-text'for'bannerlogin'4.2.1.3.3Setthe'banner-text'for'bannermotd'4.2.1.4PasswordRules4.2.1.4.1Set'password'for'enablesecret'4.2.1.4.2Enable'servicepassword-encryption'4.2.1.4.3Set'usernamesecret'foralllocalusers4.2.1.5SNMPRules4.2.1.5.1Set'nosnmp-server'todisableSNMPwhenunused4.2.1.5.2Unset'private'for'snmp-servercommunity'4.2.1.5.3Unset'public'for'snmp-servercommunity'4.2.1.5.4Donotset'RW'forany'snmp-servercommunity'4.2.1.5.5SettheACLforeach'snmp-servercommunity'4.2.1.5.6Createan'access-list'forusewithSNMP4.2.1.5.7Set'snmp-serverhost'whenusingSNMP4.2.1.5.8Set'snmp-serverenabletrapssnmp'4.2.1.5.9Set'priv'foreach'snmp-servergroup'usingSNMPv34.2.1.5.10Require'aes128'asminimumfor'snmp-serveruser'whenusingSNMPv34.2.2ControlPlane4.2.2.1GlobalServiceRules4.2.2.1.1SetupSSH4.2.2.1.1.1ConfigurePrerequisitesfortheSSHService4.2.2.1.1.1.1Setthe'hostname'4.2.2.1.1.1.2Setthe'ipdomainname'4.2.2.1.1.1.3Set'modulus'togreaterthanorequalto2048for'cryptokeygeneratersa'4.2.2.1.1.1.4Set'seconds'for'ipsshtimeout'4.2.2.1.1.1.5Setmaximimumvaluefor'ipsshauthentication-retries'4.2.2.1.1.2Setversion2for'ipsshversion'4.2.2.1.2Set'nocdprun'4.2.2.1.3Set'noipbootpserver'4.2.2.1.4Set'noservicedhcp'4.2.2.1.5Set'noipidentd'4.2.2.1.6Set'servicetcp-keepalives-in'4.2.2.1.7Set'servicetcp-keepalives-out'4.2.2.1.8Set'noservicepad'4.2.2.2LoggingRules4.2.2.2.1Set'loggingon'4.2.2.2.2Set'buffersize'for'loggingbuffered'4.2.2.2.3Set'loggingconsolecritical'4.2.2.2.4SetIPaddressfor'logginghost'4.2.2.2.5Set'loggingtrapinformational'4.2.2.2.6Set'servicetimestampsdebugdatetime'4.2.2.2.7Set'loggingsourceinterface'4.2.2.3NTPRules4.2.2.3.1RequireEncryptionKeysforNTP4.2.2.3.1.1Set'ntpauthenticate'4.2.2.3.1.2Set'ntpauthentication-key'4.2.2.3.1.3Setthe'ntptrusted-key'4.2.2.3.1.4Set'key'foreach'ntpserver'4.2.2.3.2Set'ipaddress'for'ntpserver'4.2.2.4LoopbackRules4.2.2.4.1Createasingle'interfaceloopback'4.2.2.4.2SetAAA'source-interface'4.2.2.4.3Set'ntpsource'toLoopbackInterface4.2.2.4.4Set'iptftpsource-interface'totheLoopbackInterface4.2.3DataPlane4.2.3.1RoutingRules4.2.3.1.1Set'noipsource-route'4.2.3.1.2Set'noipproxy-arp'4.2.3.1.3Set'nointerfacetunnel'4.2.3.1.4Set'ipverifyunicastsourcereachable-via'4.2.3.2BorderRouterFiltering4.2.3.2.1Set'ipaccess-listextended'toForbidPrivateSourceAddressesfromExternalNetworks4.2.3.2.2Setinbound'ipaccess-group'ontheExternalInterface

4.2.3.3NeighborAuthentication4.2.3.3.1RequireEIGRPAuthenticationifProtocolisUsed4.2.3.3.1.1Set'keychain'4.2.3.3.1.2Set'key'4.2.3.3.1.3Set'key-string'4.2.3.3.1.4Set'address-familyipv4autonomous-system'4.2.3.3.1.5Set'af-interfacedefault'4.2.3.3.1.6Set'authenticationkey-chain'4.2.3.3.1.7Set'authenticationmodemd5'4.2.3.3.1.8Set'ipauthenticationkey-chaineigrp'4.2.3.3.1.9Set'ipauthenticationmodeeigrp'4.2.3.3.2RequireOSPFAuthenticationifProtocolisUsed4.2.3.3.2.1Set'authenticationmessage-digest'forOSPFarea4.2.3.3.2.2Set'ipospfmessage-digest-keymd5'4.2.3.3.3RequireRIPv2AuthenticationifProtocolisUsed4.2.3.3.3.1Set'keychain'4.2.3.3.3.2Set'key'4.2.3.3.3.3Set'key-string'4.2.3.3.3.4Set'ipripauthenticationkey-chain'4.2.3.3.3.5Set'ipripauthenticationmode'to'md5'4.2.3.3.4RequireBGPAuthenticationifProtocolisUsed4.2.3.3.4.1Set'neighborpassword'4.3Conclusions

5DISASTIGCompliance5.1Introduction5.2router03InfrastructureL3SwitchSecureTechnicalImplementationGuide-CiscoSummary5.3CiscoIOS15InfrastructureRouterSecurityTechnicalImplementationGuideCiscoSummary5.4V-3971-VLAN1isbeingusedasauserVLAN.5.5V-3972-VLAN1traffictraversesacrossunnecessarytrunk5.6V-3973-DisabledportsarenotkeptinanunusedVLAN.5.7V-3984-AccessswitchportsareassignedtothenativeVLAN5.8V-5622-AdedicatedVLANisrequiredforalltrunkports.5.9V-5623-Ensuretrunkingisdisabledonallaccessports.5.10V-5624-Re-authenticationmustoccurevery60minutes.5.11V-5626-NET-NAC-0095.12V-5628-TheVLAN1isbeingusedformanagementtraffic.5.13V-17815-IGPinstancesdonotpeerwithappropriatedomain5.14V-17816-RoutesfromthetwoIGPdomainsareredistributed5.15V-17824-ManagementinterfaceisassignedtoauserVLAN.5.16V-17825-ManagementVLANhasinvalidaddresses5.17V-17826-InvalidportswithmembershiptothemgmtVLAN5.18V-17827-ThemanagementVLANisnotprunedfromtrunklinks5.19V-17832-MgmtVLANdoesnothavecorrectIPaddress5.20V-17833-NoingressACLonmanagementVLANinterface5.21V-18523-ACLsdonotprotectagainstcompromisedservers5.22V-18544-RestrictedVLANnotassignedtonon-802.1xdevice.5.23V-18545-Upstreamaccessnotrestrictedfornon-802.1xVLAN5.24V-18566-NET-NAC-0315.25V-3000-InterfaceACLdenystatementsarenotlogged.5.26V-3008-IPSecVPNisnotconfiguredasatunneltypeVPN.5.27V-3012-Networkelementisnotpasswordprotected.5.28V-3013-Loginbannerisnon-existentornotDOD-approved.5.29V-3014-Managementconnectiondoesnottimeout.5.30V-3020-DNSserversmustbedefinedforclientresolver.5.31V-3021-SNMPaccessisnotrestrictedbyIPaddress.5.32V-3034-Interiorroutingprotocolsarenotauthenticated.5.33V-3043-SNMPprivilegedandnon-privilegedaccess.5.34V-3056-Groupaccountsaredefined.5.35V-3057-Accountsassignedleastprivilegesnecessarytoperformduties.5.36V-3058-Unauthorizedaccountsareconfiguredtoaccessdevice.5.37V-3062-Passwordsareviewablewhendisplayingtheconfig.5.38V-3069-ManagementconnectionsmustbesecuredbyFIPS140-2.5.39V-3070-Managementconnectionsmustbelogged.5.40V-3072-Runningandstartupconfigurationsarenotsynchronized.5.41V-3078-TCPandUDPsmallserverservicesarenotdisabled.5.42V-3079-Thefingerserviceisnotdisabled.5.43V-3080-Configurationauto-loadingmustbedisabled.5.44V-3081-IPSourceRoutingisnotdisabledonallrouters.5.45V-3083-IPdirectedbroadcastisnotdisabled.5.46V-3085-HTTPserverisnotdisabled5.47V-3086-TheBootpserviceisnotdisabled.5.48V-3143-Devicesexistwithstandarddefaultpasswords.5.49V-3160-Operatingsystemisnotatacurrentreleaselevel.

5.50V-3175-Managementconnectionsmustrequirepasswords.5.51V-3196-AninsecureversionofSNMPisbeingused.5.52V-3210-UsingdefaultSNMPcommunitynames.5.53V-3966-Morethanonelocalaccountisdefined.5.54V-3967-Theconsoleportdoesnottimeoutafter10minutes.5.55V-3969-NetworkelementmustonlyallowSNMPreadaccess.5.56V-4582-Authenticationrequiredforconsoleaccess.5.57V-4584-Thenetworkelementmustlogallmessagesexceptdebugging.5.58V-5611-Managementconnectionsarenotrestricted.5.59V-5612-SSHsessiontimeoutisnot60secondsorless.5.60V-5613-SSHloginattemptsvalueisgreaterthan3.5.61V-5614-ThePADserviceisenabled.5.62V-5615-TCPKeep-Alivesmustbeenabled.5.63V-5616-Identificationsupportisenabled.5.64V-5618-GratuitousARPmustbedisabled.5.65V-5645-CiscoExpressForwarding(CEF)notenabledonsupporteddevices.5.66V-5646-Devicesnotconfiguredtofilteranddrophalf-openconnections.5.67V-7009-AnInfiniteLifetimekeyhasnotbeenimplemented5.68V-7011-Theauxiliaryportisnotdisabled.5.69V-14667-Keyexpirationexceeds180days.5.70V-14669-BSDrcommandsarenotdisabled.5.71V-14671-NTPmessagesarenotauthenticated.5.72V-14672-AuthenticationtrafficdoesnotuseloopbackaddressorOOBManagementinterface.5.73V-14673-SyslogtrafficisnotusingloopbackaddressorOOBmanagementinterface.5.74V-14674-NTPtrafficisnotusingloopbackaddressorOOBManagementinterface.5.75V-14675-SNMPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.5.76V-14676-Netflowtrafficisnotusingloopbackaddress.5.77V-14677-FTP/TFTPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.5.78V-14681-LoopbackaddressisnotusedastheiBGPsourceIP.5.79V-14693-IPv6SiteLocalUnicastADDRmustnotbedefined5.80V-14705-IPv6routersarenotconfiguredwithCEFenabled5.81V-14707-IPv6EgressOutboundSpoofingFilter5.82V-14717-ThenetworkelementmustnotallowSSHVersion1.5.83V-15288-ISATAPtunnelsmustterminateatinteriorrouter.5.84V-15432-ThedeviceisnotauthenticatedusingaAAAserver.5.85V-15434-Emergencyadministrationaccountprivilegelevelisnotset.5.86V-17754-Managementtrafficisnotrestricted5.87V-17814-RemoteVPNend-pointnotamirroroflocalgateway5.88V-17815-IGPinstancesdonotpeerwithappropriatedomain5.89V-17816-RoutesfromthetwoIGPdomainsareredistributed5.90V-17817-ManagednetworkhasaccesstoOOBMgatewayrouter5.91V-17818-Trafficfromthemanagednetworkwillleak5.92V-17819-Managementtrafficleaksintothemanagednetwork5.93V-17821-TheOOBMinterfacenotconfiguredcorrectly.5.94V-17822-ThemanagementinterfacedoesnothaveanACL.5.95V-17823-ThemanagementinterfaceisnotIGPpassive.5.96V-17834-NoinboundACLformgmtnetworksub-interface5.97V-17835-IPSectrafficisnotrestricted5.98V-17836-Managementtrafficisnotclassifiedandmarked5.99V-17837-Managementtrafficdoesn'tgetpreferredtreatment5.100V-18522-ACLsmustrestrictaccesstoserverVLANs.5.101V-18790-NET-TUNL-0125.102V-19188-Controlplaneprotectionisnotenabled.5.103V-19189-NoAdmin-localorSite-localboundary5.104V-23747-TwoNTPserversarenotusedtosynchronizetime.5.105V-28784-Callhomeserviceisdisabled.5.106V-30577-PIMenabledonwronginterfaces5.107V-30578-PIMneighborfilterisnotconfigured5.108V-30585-Invalidgroupusedforsourcespecificmulticast5.109V-30617-Maximumhoplimitislessthan325.110V-30660-The6-to-4routerisnotfilteringprotocol415.111V-30736-6-to-4routernotfilteringinvalidsourceaddress5.112V-30744-L2TPv3sessionsarenotauthenticated5.113V-31285-BGPmustauthenticateallpeers.5.114Conclusions5.115Recommendations

6SANSPolicyCompliance6.1router03SANSPolicyComplianceAudit6.2CiscoIOS15SANSPolicyComplianceAudit

7PCIAudit7.1Introduction7.2Requirement1:Installandmaintainafirewallconfigurationtoprotectcardholderdata

7.2.1SecureandInsecureServices7.2.2ExplicitDenyRulesinConfigurations7.3Requirement2:Donotusevendor-supplieddefaultsforsystempasswordsandothersecurityparameters7.3.1Defaultauthenticationremovedfromdevices7.3.2Devicescryptographystrength7.4Requirement6:Developandmaintainsecuresystemsandapplications7.4.1Deviceoperatingsystems7.5Requirement10:Trackandmonitorallaccesstonetworkresourcesandcardholderdata7.5.1Systemtimesarecorrect7.5.2Timesynchronizationsettingsarerestricted

8FilteringComplexityReport8.1Introduction8.2UnassignedFilterRuleListsWereConfigured8.3FilterRulesContradictOtherRules8.4FilterRulesOverlapOtherRules

9ConfigurationReport9.1Introduction9.2CiscoRouterrouter03ConfigurationReport9.2.1BasicInformation9.2.2NetworkServices9.2.3GeneralConfigurationInformation9.2.4Authentication9.2.5Administration9.2.6LogonBannerMessages9.2.7SNMPSettings9.2.8MessageLogging9.2.9NameResolutionSettings9.2.10NetworkProtocols9.2.11NetworkInterfaces9.2.12RoutingConfiguration9.2.13NetworkFiltering9.2.14IntrusionProtectionSystem(IPS)Settings9.2.15TimeAndDate9.3CiscoRouterCiscoIOS15ConfigurationReport9.3.1BasicInformation9.3.2NetworkServices9.3.3GeneralConfigurationInformation9.3.4Authentication9.3.5Administration9.3.6LogonBannerMessage9.3.7SNMPSettings9.3.8MessageLogging9.3.9NameResolutionSettings9.3.10NetworkProtocols9.3.11NetworkInterfaces9.3.12RoutingConfiguration9.3.13NetworkFiltering9.3.14IPSSettings9.3.15RemoteAccessSettings9.3.16TimeAndDate

10RawConfiguration10.1Introduction10.2CiscoRouterrouter03RawConfiguration10.3CiscoRouterCiscoIOS15RawConfiguration

11Appendix11.1LoggingSeverityLevels11.2OSPFLSAMessageTypes11.3CommonTimeZones11.4IPProtocols11.5ICMPTypes11.6Abbreviations11.7NipperStudioVersion

1YourReport1.1Introduction

ThisreportwasproducedbyNipperStudioon2March2017.Thisreportiscomprisedofthefollowingsections:

asecurityauditsectionwhichdetailsanyidentifiedsecurity-relatedissues.Eachsecurityissueidentifiedincludesdetailsofwhatwasfoundtogetherwiththeimpactoftheissue,howeasyitwouldbeforanattackertoexploitandarecommendation.Therecommendationsmayincludealternativesand,whererelevant,thecommandstoresolvetheissue;asoftwarevulnerabilityauditsectionthatprovidesacomparisonofthedevicesoftwareversionsagainstadatabaseofknownvulnerabilities.Inadditiontoabriefdescription,eachpotentialvulnerabilityincludesaCVSSv2scoreandreferencestomorespecificinformationprovidedbythedevicemanufacturersandthirdparties;ACISreport;aDISASTIGreportsectionthatprovidescomplianceinformationagainstspecificchecklists.Thereportincludesasummaryofthefindings,detailedfindingsandrecommendationsonremedialactiontogetherwithreferencesandseverityinformation;aSANSpolicyreportsectionthatprovidescomplianceinformationagainstspecificpolicychecklists.Thereportincludesasummaryofthefindingsanddetailsofeachcheckrequirement;anetworkfilteringcomplexityreportthatdescribesareasofthenetworkfilteringthatcanbesimplified.Thefiltercomplexityreportinglooksatavarietyofdifferentaspects,suchasunusedobjects,disabledrules,commenting,overlappingrulesandmanyotherconfigurations;aconfigurationreportwhichdetailstheconfigurationsettingsofalltheauditeddevicesinaneasytoreadformat.Theconfigurationsettingsaredividedintoreportsub-sectionswhichgrouprelatedsettingstogetherandprovideadditionalinformationabouttheirpurpose;arawconfigurationreportdetailstherawconfigurationofdeviceswithoutprovidinganyinterpretation.However,somedeviceswhichhaveextensiveorspeciallyencodedconfigurationswillbeexcludedfrominclusioninthisreport.

Gotothereportcontentsorthestartofthissection.

1.2EvaluationUseOnly

TheversionofNipperStudiousedtogeneratethisreportwaslicensedforevaluationpurposesonly.FormoreinformationonlicensingoptionsyoucancontactTitaniaoroneofourpartnerstodiscussyourrequirements.


1.3ReportConventions

ThisreportmakesuseofthetextconventionsdetailedinTable7.

Table7:Reporttextconventions

Convention Description

command Thistextstylerepresentsadevicecommandthatshouldbeenteredliterally.

userdata Thisstyleoftextrepresentsapartofadevicecommandthatyoushouldsubstitutewitharelevantvalue.Forexample,acommandthatsetsadevice'sIPaddress

wouldusethistextstyleinapositionwheretheaddressshouldbeentered.

[] Theseareusedtoencloseapartofacommandthatshouldbetreatedasoptional.

{} Theseareusedtoencloseapartofacommandthatisrequired.

| Thisisusedtodivideoptionswhichcouldbeenclosedineitherrequiredoroptionalbraces.


1.4ComplianceCheckResults

Eachcomplianceauditcheckisgivenastatusthatindicatestheoutcomeoftheauditforthatcheck.Table8detailseachoftheposiblestatustypes.

Table8:Compliancecheckstatusdefinitions

Status Description

Thecheckpassedalltherequirements.Forexample,theTelnetserviceshouldbedisabledanditwas.

Thecheckfailedtomeetsomeoralloftherequirements.Forexample,thecheckmayspecifythatsupportforonlySSHprotocolversion2mustbeconfiguredand

version1wasallowed.

Thecheckrequiresamanualassessment.Forexample,thecheckmayrequiretheauditortodetermineifcablesarephysicallyattachedtospecificportsonaswitch.


1.5NetworkFilteringActions

Thisreportincludesanumberofnetworkfilterrules.Table9describesthefilterruleactionsusedwithinthereport.

Table9:Networkfilterruleactions

Action Description

Allowthenetworktraffic,enablingittopassthroughtoitsdestination.

Dropthenetworktraffic,preventingitfromreachingitsdestinationandnotinformingthesenderthatithasbeendropped.


1.6ObjectFilterTypes

Thisreportdetailsthetypeofnetworkobjectsusedwithinthefilterrules.Table10describestheobjecttypesusedwithinthereport.

Table10:Networkfilterobjecttypes

ObjectType Description

SpecificIPv4orIPv6networkaddress.

DescribesarangeofIPv4orIPv6addresses.


2SecurityAudit2.1Introduction

NipperStudioperformedasecurityauditon2March2017ofthedevicesdetailedinTable11.

Table11:Securityauditdevicelist

Device Name OS



2.1.1SecurityIssueOverview

EachsecurityissueidentifiedbyNipperStudioisdescribedwithafinding,theimpactoftheissue,howeasyitwouldbeforanattackertoexploittheissueandarecommendation.

IssueFinding

TheissuefindingdescribeswhatNipperStudioidentifiedduringthesecurityaudit.Typically,thefindingwillincludebackgroundinformationonwhatparticularconfigurationsettingsarepriortodescribingwhatwasfound.

IssueImpact

Theissueimpactdescribeswhatanattackercouldachievefromexploitingthesecurityauditfinding.However,itisworthnotingthattheimpactofanissuecanoftenbeinfluencedbyotherconfigurationsettings,whichcouldheightenorpartiallymitigatetheissue.Forexample,aweakpasswordcouldbepartiallymitigatediftheaccessgainedfromusingitisrestrictedinsomeway.

IssueEase

Theissueeasedescribestheknowledge,skill,levelofaccessandtimescalesthatwouldberequiredbyanattackerinordertoexploitanissue.Theissueeasewilldescribe,whererelevant,ifanyOpenSourceorcommerciallyavailabletoolscouldbeusedtoexploitanissue.

IssueRecommendation

EachissueincludesarecommendationsectionwhichdescribesthestepsthatNipperStudiorecommendsshouldbetakeninordertomitigatetheissue.Therecommendationincludes,whererelevant,thecommandsthatcanbeusedtoresolvetheissue.

2.1.2RatingSystemOverview

Eachissueidentifiedinthesecurityauditisratedagainstboththeimpactoftheissueandhoweasyitwouldbeforanattackertoexploit.Thefixratingprovidesaguidetotheeffortrequiredtoresolvetheissue.Theoverallratingfortheissueiscalculatedbasedontheissue'simpactandeaseratings.

ImpactRating

Anissue'simpactratingisdeterminedusingthecriteriaoutlinedinTable12.

Rating Description

CRITICAL Theseissuescanposeaverysignificantsecuritythreat.Theissuesthathaveacriticalimpactaretypicallythosethatwouldallowanattackertogainfull

administrativeaccesstothedevice.Forafirewalldevice,allowingalltraffictopassthroughthedeviceunfilteredwouldreceivethisratingasfilteringtrafficto

protectotherdevicesistheprimarypurposeofafirewall.

HIGH Theseissuesposeasignificantthreattosecurity,buthavesomelimitationsontheextenttowhichtheycanbeabused.UserlevelaccesstoadeviceandaDoS

vulnerabilityinacriticalservicewouldfallintothiscategory.Afirewalldevicethatallowedsignificantunfilteredaccess,suchasallowingentiresubnetsthroughor

notfilteringinalldirections,wouldfallintothiscategory.Arouterthatallowssignificantmodificationofitsroutingconfigurationwouldalsofallintothiscategory.

MEDIUM Theseissueshavesignificantlimitationsonthedirectimpacttheycancause.Typically,theseissueswouldincludesignificantinformationleakageissues,less

significantDoSissuesorthosethatprovidesignificantlylimitedaccess.AnSNMPservicethatissecuredwithadefaultoradictionary-basedcommunitystringwould

typicallyfallintothisrating,aswouldafirewallthatallowsunfilteredaccesstoarangeofservicesonadevice.

LOW Theseissuesrepresentalowlevelsecuritythreat.Atypicalissuewouldinvolveinformationleakagethatcouldbeusefultoanattacker,suchasalistofusersor

versiondetails.Anon-firewalldevicethatwasconfiguredwithweaknetworkfilteringwouldfallintothiscategory.

INFO Theseissuesrepresentaverylowlevelofsecuritythreat.Theseissuesincludeminorinformationleakage,unnecessaryservicesorlegacyprotocolsthatpresentno

realthreattosecurity.

Overall:CRITICAL

Impact:Critical

Ease:Easy

Fix:Quick

Table12:Theimpactrating

EaseRating

Anissue'seaseratingisdeterminedusingthecriteriaoutlinedinTable13.

Table13:Theeaserating

Rating Description

TRIVIAL Theissuerequireslittle-to-noknowledgeonbehalfofanattackerandcanbeexploitedusingstandardoperatingsystemtools.Afirewalldevicewhichhada

networkfilteringconfigurationthatenablestraffictopassthroughwouldfallintothiscategory.

EASY Theissuerequiressomeknowledgeforanattackertoexploit,whichcouldbeperformedusingstandardoperatingsystemtoolsortoolsdownloadedfromthe

Internet.Anadministrativeservicewithoutorwithadefaultpasswordwouldfallintothiscategory,aswouldasimplesoftwarevulnerabilityexploit.

MODERATE Theissuerequiresspecificknowledgeonbehalfofanattacker.Theissuecouldbeexploitedusingacombinationofoperatingsystemtoolsorpubliclyavailable

toolsdownloadedfromtheInternet.

CHALLENGE Asecurityissuethatfallsintothiscategorywouldrequiresignificanteffortandknowledgeonbehalfoftheattacker.Theattackermayrequirespecificphysical

accesstoresourcesortothenetworkinfrastructureinordertosuccessfullyexploitthevulnerability.Furthermore,acombinationofattacksmayberequired.

N/A Theissueisnotdirectlyexploitable.Anissuesuchasenablinglegacyprotocolsorunnecessaryserviceswouldfallintothisratingcategory.

FixRating

Anissue'sfixratingisdeterminedusingthecriteriaoutlinedinTable14.

Table14:Thefixrating

Rating Description

INVOLVED Theresolutionoftheissuewillrequiresignificantresourcestoresolveandislikelytoincludedisruptiontonetworkservices,andpossiblythemodificationofother

networkdeviceconfigurations.Theissuecouldinvolveupgradingadevice'sOSandpossiblemodificationstothehardware.

PLANNED Theissueresolutioninvolvesplanning,testingandcouldcausesomedisruptiontoservices.Thisissuecouldinvolvechangestoroutingprotocolsandchangesto

networkfiltering.

QUICK Theissueisquicktoresolve.Typicallythiswouldjustinvolvechangingasmallnumberofsettingsandwouldhavelittle-to-noeffectonnetworkservices.

Notes

ItisworthnotingthatNipperStudioisunabletoprovideanaccuratethreatassessmentduetoalackofcontextualinformation.Forexample,inthecasewherehighlysensitiveinformationisprocessed,aDenialofService(DoS)vulnerabilityposeslessofathreatthantheintegrityofthedataoranattackergainingaccesstoit.Similarly,forasituationwhereup-timeiscritical,aDoSvulnerabilitycouldbemoreimportantthantheleakageofsensitiveinformation.ThereforetheratingsprovidedbyNipperStudioareonlyintendedtobeaguidetoanissue'ssignificance.


2.2UsersWithDictionary-BasedPasswords

2.2.1AffectedDevices

router03-CiscoRouter;CiscoIOS15-CiscoRouter.

2.2.2Finding

Accesstorestrictednetworkuserandadministrationservicesaretypicallysecuredusingusernameandpasswordauthenticationcredentials.Thestrengthoftheauthenticationcredentialsisevenmoreimportantiftheserviceallowsfordevicestobereconfiguredoritallowsaccesstopotentiallysensitiveinformation.

NipperStudioidentifiedsevendictionary-basedpasswordsonrouter03.ThesearelistedinTable15andincludesadministrativeaccesstothedevice.

Table15:Usersonrouter03withadictionary-basedpassword

User Password Privilege Filter

enable(password) cisco 15

temp password 15

testuser password 15

localuser password 15

ConsoleLine password 1

Auxiliary password 1

VTY0-4Line password 1

NipperStudioidentifiedtwodictionary-basedpasswordsonCiscoIOS15.ThesearelistedinTable16andincludesadministrativeaccesstothedevice.


Overall:HIGH

Impact:High

Ease:Trivial

Fix:Quick

Table16:UsersonCiscoIOS15withadictionary-basedpassword

enable(password) password 15


2.2.3Impact

Amalicioususer,orremoteattacker,whoisabletoconnecttoanadministrativeservicewillbeabletoperformadictionary-basedattackinordertoidentifyvalidauthenticationcredentialsandlogontothedevice.Theattackerwillthenbeabletoperformadministrativeanduserleveltasks.Thiscouldincludere-configuringthedevice,extractingpotentiallysensitiveinformationanddisablingthedevice.Onceanattackerhasobtainedtheconfigurationfromthedevicetheymaybeabletoidentifyauthenticationcredentialsthatcouldthenbeusedtogainaccesstoothernetworkdevices.

2.2.4Ease

Dictionary-basedpasswordguessingattackshavebeenwidelydocumentedontheInternetandpublishedmedia,enablinganattackerwithverylittleknowledgeorexperiencetoperformtheattack.Thereareanumberofdifferentdictionary-basedpasswordguessingtoolsandpassworddictionariesavailableontheInternet.Additionallyanexperiencedattackerislikelytohaveacollectionofpersonalpassworddictionarieswhichtheyhavebuiltupovertime.However,thereareanumberoffactorsthatmaydiscourageanattackerfromperformingadictionary-basedattack.

1. Accountlockoutfacilitiescanquicklypreventaccesstotheaccount.2. Deviceprotectionmechanismsmayslowordisconnectconnectionswheremultipleauthenticationattemptsaremadeinashortperiodoftime.3. Brute-forcingcanbeverytimeconsuming,especiallyifthepasswordislongormadeupofvariouscharactertypes.4. Networkadministratorsmaybealertedtolockedoutaccountsorauthenticationattempts.

2.2.5Recommendation

NipperStudiostronglyrecommendsthatalluseraccountsshouldhaveastrongpassword.

NipperStudiorecommendsthat:

passwordsshouldbeatleasteightcharactersinlength;charactersinthepasswordshouldnotberepeatedmorethanthreetimes;passwordsshouldincludebothuppercaseandlowercasecharacters;passwordsshouldincludenumbers;passwordsshouldincludepunctuationcharacters;passwordsshouldnotincludetheusername;passwordsshouldnotincludeadevice'sname,makeormodel;passwordsshouldnotbebasedondictionarywords.

NotesforCiscoRouterdevices:

ThefollowingcommandscanbeusedonCiscoRouterdevicestosettheenablepassword,createalocaluserwithapasswordandtodeletealocaluser:

enablesecretpassword

usernameusersecretpassword

nousernameuser


2.3DefaultSNMPCommunityStringsWereConfigured

2.3.1AffectedDevice

router03-CiscoRouter.

2.3.2Finding

SNMPisanindustrystandardprotocolformonitoringandmanagingavarietyofdevices.SNMPservicestypicallyofferdetailedinformationthatincludesadevice'soperatingsystem,networkinterfaces,memory,systemcountersandsystemusers.AccesstotheSNMPManagementInformationBase(MIB)withprotocolversions1and2isrestrictedusingacommunitystringtohelppreventunauthorizedaccess.

NipperStudioidentifiedtwodefaultSNMPcommunitystringsonrouter03.ThesearelistedinTable17.

Table17:DefaultSNMPcommunitystringsonrouter03

Community Access Version View ACL

public ReadOnly 1 20

private Read/Write 1

2.3.3Impact

WithreadaccesstotheSNMPMIBanattackerwouldbeabletoenumeratealargequantityofinformationaboutthedevice,itsconfiguration,networkdetailsandmore.WithwriteaccesstotheSNMPMIBanattackercouldreconfigurethedevice,potentiallycausingaDoS.Additionally,writeaccesstoSNMPonsomedeviceswouldenableanattackertodownloadacopyofadevice'sconfiguration,includingpasswordhashes.

2.3.4Ease

Overall:HIGH

Impact:High

Ease:Easy

Fix:Involved

DefaultSNMPcommunitystringsareusuallydocumentedinthemanufacturersmanuals,onthird-partyInternetwebsitesandinthepassworddictionariesoftestingtools.Furthermore,SNMPquerytoolsareinstalledbydefaultonsomeoperatingsystemsandotherSNMPtoolscanbedownloadedfromtheInternet.

2.3.5Recommendation

NipperStudiorecommendsthat,ifnotrequired,SNMPshouldbedisabled.IfSNMPisrequiredthenNipperStudiorecommendsthatonlySNMPversion3shouldbeconfigured.IfaccessusingSNMPcommunitystringsisrequired,NipperStudiorecommendsthatonlystrongcommunitystringsshouldbechosenthatarealsonotusedforanyotherauthentication.


SNMPcommunitystringsshouldbeatleasteightcharactersinlength;charactersintheSNMPcommunitystringshouldnotberepeatedmorethanthreetimes;SNMPcommunitystringsshouldincludebothuppercaseandlowercasecharacters;SNMPcommunitystringsshouldincludenumbers;SNMPcommunitystringsshouldincludepunctuationcharacters;SNMPcommunitystringsshouldnotincludeadevice'sname,makeormodel;SNMPcommunitystringsshouldnotbebasedondictionarywords.


SNMPcanbedisabledwiththefollowingcommand:

nosnmp-server


2.4BGPNeighborsConfiguredWithNoPasswords

2.4.1AffectedDevice


2.4.2Finding

BGPisaroutingprotocolthatallowsnetworkdevicestodynamicallyadapttochangestothenetworktopology.RoutingneighborsareconfiguredtodefinewhichBGPhoststheroutingupdateswillbesentto.MessageDigest5(MD5)authenticationcanbeconfiguredforeachneighbortoensurethatBGProutingupdatesaresentfromatrustedsource.

NipperStudiodeterminedthatoneBGPneighboronrouter03hadbeenconfiguredwithnopassword.ThisisshowninTable18.

Table18:BGPneighboronrouter03withnopassword

Address RemoteAS Password Version Weight PeerGroup MapIn MapOut Description

router01 12345 4 0 SitetoSiteConnection

2.4.3Impact

AnattackermayattempttomodifytheroutingtableofaBGProutingdeviceinanattempttoroutenetworktrafficthroughadevicethattheycontrol.Ifanattackerisabletocontrolaroutingdevicetheywouldbeableto:

monitornetworktrafficsentbetweennetworksegments;performamaninthemiddleattack;captureclear-textprotocolauthenticationcredentials;captureencryptedauthenticationhasheswhichcouldbesubjectedtoabrute-forceattack;performanetworkwideDoS;routeupdatescouldberedistributedbythedevicetootherroutingdevicesandpossiblyusingotherroutingprotocolsandauthentication.

2.4.4Ease

Anattackercouldmakeuseoftheirownroutingdevice,orroutingsoftware,inordertoinsertmaliciousroutingupdates.

2.4.5Recommendation

NipperStudiorecommendsthatstrongMD5authenticationpasswordsshouldbeconfiguredforallBGProutingupdates.AlthoughanattackercouldextracttheMD5passwordauthenticationhashfromanetworkpacketandbrute-forcethepassword,itwouldtakesignificantlymoreeffortthanifadefaultpasswordweretobeconfigured.


BGPpasswordsshouldbeatleasteightcharactersinlength;charactersintheBGPpasswordshouldnotberepeatedmorethanthreetimes;BGPpasswordsshouldincludebothuppercaseandlowercasecharacters;BGPpasswordsshouldincludenumbers;BGPpasswordsshouldincludepunctuationcharacters;BGPpasswordsshouldnotincludeadevice'sname,makeormodel;BGPpasswordsshouldnotbebasedondictionarywords.

Overall:HIGH

Impact:High

Ease:Easy

Fix:Involved

Overall:HIGH

Impact:High

Ease:Easy

Fix:Involved


BGPneighborauthenticationpasswordscanbeconfiguredonCiscoRouterdeviceswiththefollowingroutercommand:

neighbor{address|group}passwordpassword


2.5NotAllGLBPGroupsWereAuthenticated

2.5.1AffectedDevice


2.5.2Finding

GLBPisaCiscoproprietaryprotocolusedtoproviderouterloadbalancingandredundancyagainstasinglepointoffailure.GLBProutersareconfiguredinagroupwhichcanbeauthenticatedusingeitherclear-textorMD5authentication.Authenticationisconfiguredtoensurethatroutingwillnotbeperformedbyanuntrustedrouter.

NipperStudiodeterminedthatoneGLBPgrouponrouter03wasconfiguredwithnoauthentication.ThisisshowninTable19.

Table19:GLBPgroupwithnoauthenticationonrouter03

Interface Active Group Name Address Priority Weighting Auth KeyChain/ID

GigabitEthernet1/2 Yes 40 192.168.7.42 100 100 None N/A

2.5.3Impact

AnattackerwhoisabletoconfiguretheirrouterwiththerelevantGLBPgroupconfigurationwouldbeabletoparticipateinnetworkroutinginorderto:


2.5.4Ease

AnattackercoulduseaGLBPcapabledeviceinordertoperformtheattack.TheattackercouldthenconfiguretheirGLBPcapableroutertobeinthesamegroupandwithahigherpriorityinordertobecometheActiveVirtualGateway(AVG).

2.5.5Recommendation

NipperStudiorecommendsthatMD5authenticationwithastrongkeyshouldbeconfiguredforallGLBPgroups.AlthoughitmaybepossibleforanattackertoextracttheMD5authenticationhashfromanetworkpacketandbrute-forcetheauthenticationkey,itwouldtakesignificantlymoreeffortthanwouldberequiredifnoauthenticationweretobeconfigured.NipperStudiorecommendsthat:

GLBPauthenticationkeysshouldbeatleasteightcharactersinlength;charactersintheGLBPauthenticationkeyshouldnotberepeatedmorethanthreetimes;GLBPauthenticationkeysshouldincludebothuppercaseandlowercasecharacters;GLBPauthenticationkeysshouldincludenumbers;GLBPauthenticationkeysshouldincludepunctuationcharacters;GLBPauthenticationkeysshouldnotincludeadevice'sname,makeormodel;GLBPauthenticationkeysshouldnotbebasedondictionarywords.


MD5GLBPgroupauthenticationcanbeconfiguredonCiscoRouterdeviceswiththefollowinginterfacecommand:

glbp[group]authenticationmd5{key-stringkey|key-chainkey-chain}


2.6Clear-TextGLBPGroupAuthenticationWasConfigured

2.6.1AffectedDevice


2.6.2Finding


Overall:HIGH

Impact:High

Ease:Easy

Fix:Involved

NipperStudiodeterminedthatoneGLBPgrouponrouter03wasconfiguredwithclear-textauthentication.ThisisshowninTable20.

Table20:GLBPgroupwithclear-textauthenticationonrouter03


GigabitEthernet1/1 Yes 44 192.168.8.42 100 100 ClearText 1

2.6.3Impact

AnattackerwhoisabletoconfigureGLBPwiththerelevantauthenticationconfigurationinordertobecometheAVGwouldbeabletocontrolnetworkroutinginorderto:


2.6.4Ease

AnattackercoulduseaGLBPcapabledeviceintheattack.TheattackercouldthenconfiguretheirGLBPcapabledevicetobeinthesamegrouptobecomeanetworkrouter.TheauthenticationkeycanbeconfiguredusingaGLBPpacketcapturedfromthenetwork.

2.6.5Recommendation

NipperStudiorecommendsthatMD5authenticationwithastrongkeyshouldbeconfiguredforallGLBPgroups.AlthoughitmaybepossibleforanattackertoextracttheMD5authenticationhashfromanetworkpacketandbrute-forcetheauthenticationkey,itwouldtakesignificantlymoreeffortthanwouldberequiredifclear-textauthenticationweretobeconfigured.NipperStudiorecommendsthat:

GLBPauthenticationkeysshouldbeatleasteightcharactersinlength;charactersintheGLBPauthenticationkeyshouldnotberepeatedmorethanthreetimes;GLBPauthenticationkeysshouldincludebothuppercaseandlowercasecharacters;GLBPauthenticationkeysshouldincludenumbers;GLBPauthenticationkeysshouldincludepunctuationcharacters;GLBPauthenticationkeysshouldnotincludeadevice'sname,makeormodel;GLBPauthenticationkeysshouldnotbebasedondictionarywords.





2.7NotAllHSRPGroupsWereAuthenticated

2.7.1AffectedDevice


2.7.2Finding

HSRPisaCiscoproprietaryprotocolusedtoproviderouterredundancyagainstasinglepointoffailure.HSRProutersareconfiguredinagroupwhichcanbeauthenticatedusingeitherclear-textorMD5authentication.Authenticationisconfiguredtoensurethatroutingwillnotbeperformedbyanuntrustedrouter.

NipperStudiodeterminedthatoneHSRPgrouponrouter03wasconfiguredwithnoauthentication.ThisisshowninTable21.

Table21:HSRPgroupwithnoauthenticationonrouter03

Interface Active Name Number Version Address MAC Priority Auth KeyChain/ID SSO

GigabitEthernet1/2 Yes 20 1 192.168.5.20 00:00:0C:07:AC:20 100 None N/A Yes

2.7.3Impact

AnattackermayattempttojoinaHSRProutinggroupandbecomethemasterrouter.Ifanattackerisabletobecomearouter,theywouldbeableto:


Overall:HIGH

Impact:High

Ease:Easy

Fix:Involved

2.7.4Ease

AnattackercoulduseaHSRPcapabledevice,ordownloadHSRPsoftwarefromtheInternet.TheattackercouldthenconfiguretheirHSRPtobeinthesamegroupandwithahigherpriorityinordertobecomethemasterduringanelection.

2.7.5Recommendation

NipperStudiorecommendsthatMD5authenticationwithastrongkeyshouldbeconfiguredforallHSRPgroups.AlthoughitmaybepossibleforanattackertoextracttheMD5authenticationhashfromanetworkpacketandbrute-forcetheauthenticationkey,itwouldtakesignificantlymoreeffortthanwouldberequiredifnoauthenticationweretobeconfigured.NipperStudiorecommendsthat:

HSRPauthenticationkeysshouldbeatleasteightcharactersinlength;charactersintheHSRPauthenticationkeyshouldnotberepeatedmorethanthreetimes;HSRPauthenticationkeysshouldincludebothuppercaseandlowercasecharacters;HSRPauthenticationkeysshouldincludenumbers;HSRPauthenticationkeysshouldincludepunctuationcharacters;HSRPauthenticationkeysshouldnotincludeadevice'sname,makeormodel;HSRPauthenticationkeysshouldnotbebasedondictionarywords.


MD5HSRPgroupauthenticationcanbeconfiguredonCiscoRouterdeviceswiththefollowinginterfacecommand:

standby[group]authenticationmd5{key-stringkey|key-chainkey-chain}


2.8Clear-TextHSRPGroupAuthenticationWasConfigured

2.8.1AffectedDevice


2.8.2Finding


NipperStudiodeterminedthatoneHSRPgrouponrouter03wasconfiguredwithclear-textauthentication.ThisisshowninTable22.

Table22:HSRPgroupwithclear-textauthenticationonrouter03


GigabitEthernet1/1 Yes 0 2 192.168.5.10 00:00:0C:07:AC:00 100 ClearText 1 Yes

2.8.3Impact



2.8.4Ease

AnattackercoulduseaHSRPcapabledevice,ordownloadHSRPsoftwarefromtheInternet.TheattackercouldthenconfiguretheirHSRPtobeinthesamegroupandwithahigherpriorityinordertobecomethemasterduringanelection.Theauthenticationkey(orsharedsecret)canbeconfiguredusingaHSRPpacketcapturedfromthenetwork.

2.8.5Recommendation

NipperStudiorecommendsthatMD5authenticationwithastrongkeyshouldbeconfiguredforallHSRPgroups.AlthoughitmaybepossibleforanattackertoextracttheMD5authenticationhashfromanetworkpacketandbrute-forcetheauthenticationkey,itwouldtakesignificantlymoreeffortthanwouldberequiredifclear-textauthenticationweretobeconfigured.NipperStudiorecommendsthat:


Overall:HIGH

Impact:High

Ease:Easy

Fix:Involved

Overall:HIGH

Impact:High

Ease:Easy

Fix:Involved





2.9NotAllOSPFRoutingUpdatesWereAuthenticated

2.9.1AffectedDevice


2.9.2Finding

OSPFisaroutingprotocolthatallowsnetworkdevicestodynamicallyadapttochangestothenetworktopology.OSPFsupportsauthenticationusingeitherclear-textorMD5authenticationmethods.Thisensuresthatroutingupdatesaresentfromatrustedsource.

NipperStudiodeterminedthatOSPFonrouter03wasconfiguredwithoutauthenticationontwointerfaces.ThesearelistedinTable23.

Table23:OSPFinterfaceswithnoauthenticationonrouter03

Interface Active Passive Area Priority Type AuthMode KeyID RouteCost HelloInterval DeadInterval RetransmitInterval TransmitDelay

GigabitEthernet1/1 Yes No 1 PointtoMultiPoint None N/A Default 10seconds 40seconds 5seconds 1second


2.9.3Impact

Anattackermayattempttomodifytheroutingtableofaroutingdeviceinanattempttoroutenetworktrafficthroughadevicethattheycontrol.Ifanattackerisabletocontrolaroutingdevicetheywouldbeableto:


2.9.4Ease

ToolscanbedownloadedfromtheInternetthatcanbeusedtosendmaliciousOSPFroutingupdates.Withnoauthenticationconfigured,anattackerwouldnothavetodeterminetheauthenticationkeypriortosendingmaliciousOSPFrouteupdates.

2.9.5Recommendation

NipperStudiorecommendsthatstrongOSPFauthenticationkeysshouldbeconfiguredforallroutingupdates.NipperStudiorecommendsthat:

OSPFauthenticationkeysshouldbeatleasteightcharactersinlength;charactersintheOSPFauthenticationkeyshouldnotberepeatedmorethanthreetimes;OSPFauthenticationkeysshouldincludebothuppercaseandlowercasecharacters;OSPFauthenticationkeysshouldincludenumbers;OSPFauthenticationkeysshouldincludepunctuationcharacters;OSPFauthenticationkeysshouldnotincludeadevice'sname,makeormodel;OSPFauthenticationkeysshouldnotbebasedondictionarywords.


OSPFauthenticationkeyscanbeconfiguredwithMD5-basedauthenticationwiththefollowinginterfacecommands:

ipospfauthentication-keykey

ipospfauthenticationmessage-digest


2.10RIPVersion1WasConfigured



2.10.2Finding

RIPisaroutingprotocolthatallowsnetworkdevicestodynamicallyadapttochangesinthenetworkinfrastructure.TherearethreemainversionsofRIP:

version1oftheprotocol,outlinedinRFC1058,supportssimpleroutingupdateswithsupportonlyforclassfulroutingandbroadcastupdates;

Overall:HIGH

Impact:High

Ease:Easy

Fix:Involved

version2oftheprotocol,outlinedinRFC2453,addedsupportforClasslessInter-DomainRouting(CIDR),authentication(bothinclear-textandMD5forms)andmulticastupdates;NG,outlinedinRFC2080,addssupportforInternetProtocolversion6(IPv6)butdoesnotincludesupportforauthentication.

NipperStudiodeterminedthatsupportforRIPversion1wasconfiguredontwointerfacesonrouter03.ThesearelistedinTable24.

Table24:RIPnetworkinterfaceswhichsupportprotocolversion1onrouter03

Interface Active Passive Send Receive Auth KeyID

GigabitEthernet1/1 Yes No V1 V1andV2 ClearText routing-chain

GigabitEthernet1/2 Yes No V2 V1andV2 None N/A

NipperStudiodeterminedthatsupportforRIPversion1wasconfiguredononeinterfaceonCiscoIOS15.ThisisshowninTable25.

Table25:RIPnetworkinterfacethatsupportsprotocolversion1onCiscoIOS15


FastEthernet0/0 Yes No V1 V1andV2 MD5 keychain

2.10.3Impact



AnotherissuewithRIPversion1,thoughnotnecessarilyasecurityone,isthatbroadcastupdatescanwakeupcomputersthatareshutdownontheLocalAreaNetwork(LAN).

2.10.4Ease

ToolscanbedownloadedfromtheInternetthatcanbeusedtosendmaliciousRIProutingupdates.WithRIPversion1supported,theattackerwouldnotneedtoprovideauthenticationinformation.

2.10.5Recommendation

NipperStudiorecommendsthat,ifRIPisrequired,onlysupportforversion2shouldbeconfigured.However,thismayrequireafirmwareupdateifthedevicedoesnotsupportversion2.


SupportforonlyRIPversion2updatescanbeconfiguredonCiscoRouterdeviceswiththefollowingrouterconfigurationcommand:

version2

Additionally,RIPversion2supportcanbeconfiguredonindividualinterfaceswiththefollowinginterfacecommands:

ipripsendversion2

ipripreceiveversion2


2.11Clear-TextRIPAuthenticationWasConfigured

2.11.1AffectedDevice


2.11.2Finding

RIPisaroutingprotocolthatallowsnetworkdevicestodynamicallyadapttochangesinthenetworkinfrastructure.TherearethreemainversionsofRIP;version1,2andNG.Version2ofRIPsupportsauthenticationusingeitherclear-textorMD5authenticationmethods.Thisensuresthatroutingupdatesweresentfromatrustedsource.

NipperStudiodeterminedthatoneinterfacewithRIPonrouter03wasconfiguredwithclear-textauthentication.ThisisshowninTable26.

Table26:Networkinterfacewithclear-textRIPauthenticationonrouter03



Overall:HIGH

Impact:High

Ease:Easy

Fix:Involved

2.11.3Impact



2.11.4Ease

ToolscanbedownloadedfromtheInternetthatcouldbeusedtosendmaliciousRIProutingupdates.Withclear-textauthenticationconfigured,anattackerwouldsimplyhavetomonitorRIProutingupdatesandextracttheauthenticationkeypriortosendingmaliciousRIProuteupdates.ToolscanbedownloadedfromtheInternetthatarecapableofcapturingRIProuteupdatesandextractingtheauthenticationkey.


NipperStudiorecommendsthatMD5authenticationshouldbeconfiguredforallRIProutingupdates.AlthoughanattackercouldextracttheMD5authenticationhashfromanetworkpacketandbrute-forcetheauthenticationkey,itwouldtakesignificantlymoreeffortthanwouldberequiredtouseanauthenticationkeythatwassentwithoutencryption.


2.12NotAllVRRPGroupsWereAuthenticated



2.12.2Finding

VRRPisanindustrystandardprotocolusedtoproviderouterredundancyagainstasinglepointoffailure.VRRProutersareconfiguredinagroupwhichcanbeauthenticatedusingeitherclear-textorMD5authentication.Authenticationisconfiguredtoensurethatroutingwillnotbeperformedbyanuntrustedrouter.

NipperStudiodeterminedthatoneVRRPgrouponrouter03wasconfiguredwithnoauthentication.ThisisshowninTable27.

Table27:VRRPgroupwithnoauthenticationonrouter03

Interface Active VRRP Address Description Priority Auth KeyChain/ID

GigabitEthernet1/2 Yes 3 192.168.3.2 100 None N/A

2.12.3Impact

AnattackermayattempttojoinaVRRProutinggroupandbecomethemasterrouter.Ifanattackerisabletobecomearouter,theywouldbeableto:


2.12.4Ease

AnattackercoulduseaVRRPcapabledevice,ordownloadVRRPsoftwarefromtheInternet.TheattackercouldthenconfiguretheirVRRPtobeinthesamegroupandwithahigherpriorityinordertobecomethemasterduringanelection.


NipperStudiorecommendsthatMD5authenticationwithastrongkeyshouldbeconfiguredforallVRRPgroups.AlthoughitmaybepossibleforanattackertoextracttheMD5authenticationhashfromanetworkpacketandbrute-forcetheauthenticationkey,itwouldtakesignificantlymoreeffortthanwouldberequiredifnoauthenticationweretobeconfigured.NipperStudiorecommendsthat:

VRRPauthenticationkeysshouldbeatleasteightcharactersinlength;charactersintheVRRPauthenticationkeyshouldnotberepeatedmorethanthreetimes;VRRPauthenticationkeysshouldincludebothuppercaseandlowercasecharacters;VRRPauthenticationkeysshouldincludenumbers;VRRPauthenticationkeysshouldincludepunctuationcharacters;VRRPauthenticationkeysshouldnotincludeadevice'sname,makeormodel;VRRPauthenticationkeysshouldnotbebasedondictionarywords.

Overall:HIGH

Impact:High

Ease:Easy

Fix:Involved

Overall:HIGH

Impact:High

Ease:Easy

Fix:Planned


MD5VRRPgroupauthenticationcanbeconfiguredonCiscoRouterdeviceswiththefollowinginterfacecommand:

vrrpgroupauthenticationmd5{key-stringkey|key-chainkey-chain}


2.13Clear-TextVRRPGroupAuthenticationWasConfigured



2.13.2Finding


NipperStudiodeterminedthatoneVRRPgrouponrouter03wasconfiguredwithclear-textauthentication.ThisisshowninTable28.

Table28:VRRPgroupwithclear-textauthenticationonrouter03


GigabitEthernet1/1 Yes 2 192.168.4.2 100 ClearText 1

2.13.3Impact



2.13.4Ease

AnattackercoulduseaVRRPcapabledevice,ordownloadVRRPsoftwarefromtheInternet.TheattackercouldthenconfiguretheirVRRPtobeinthesamegroupandwithahigherpriorityinordertobecomethemasterduringanelection.Theauthenticationkey(orsharedsecret)canbeconfiguredusingaVRRPpacketcapturedfromthenetwork.


NipperStudiorecommendsthatMD5authenticationwithastrongkeyshouldbeconfiguredforallVRRPgroups.AlthoughitmaybepossibleforanattackertoextracttheMD5authenticationhashfromanetworkpacketandbrute-forcetheauthenticationkey,itwouldtakesignificantlymoreeffortthanwouldberequiredifclear-textauthenticationweretobeconfigured.NipperStudiorecommendsthat:






2.14NotAllEIGRPUpdatesWereAuthenticated



2.14.2Finding

EIGRPisaroutingprotocolthatallowsnetworkdevicestodynamicallyadapttochangestothenetworktopology.EIGRPsupportsauthenticationusingeitherclear-textorMD5authenticationmethods.Thisensuresthatroutingupdatesaresentfromatrustedsource.

Overall:HIGH

Impact:High

Ease:Easy

Fix:Planned

NipperStudiodeterminedthatEIGRPwasconfiguredwithoutauthenticationononeinterfaceonrouter03.ThisisshowninTable29.

Table29:NetworkinterfacewithnoEIGRPauthenticationonrouter03

Interface Active AS Passive Interval Hold Bandwidth Auth KeyID

GigabitEthernet1/2 Yes 3 No 5seconds 14seconds 50% None N/A

2.14.3Impact

AnattackermayattempttomodifytheroutingtableofaEIGRProutingdeviceinanattempttoroutenetworktrafficthroughadevicethattheycontrol.Ifanattackerisabletocontrolaroutingdevicetheywouldbeableto:


2.14.4Ease

ToolscanbedownloadedfromtheInternetthatcanbeusedtosendmaliciousEIGRProutingupdates.Withnoauthenticationconfigured,anattackerwouldnothavetodeterminetheauthenticationkeypriortosendingmaliciousEIGRProuteupdates.


NipperStudiorecommendsthatstrongEIGRPauthenticationkeysshouldbeconfiguredforallroutingupdates.NipperStudiorecommendsthat:

EIGRPauthenticationkeysshouldbeatleasteightcharactersinlength;charactersintheEIGRPauthenticationkeyshouldnotberepeatedmorethanthreetimes;EIGRPauthenticationkeysshouldincludebothuppercaseandlowercasecharacters;EIGRPauthenticationkeysshouldincludenumbers;EIGRPauthenticationkeysshouldincludepunctuationcharacters;EIGRPauthenticationkeysshouldnotincludeadevice'sname,makeormodel;EIGRPauthenticationkeysshouldnotbebasedondictionarywords.


2.15NotAllRIPUpdatesWereAuthenticated



2.15.2Finding

RIPisaroutingprotocolthatallowsnetworkdevicestodynamicallyadapttochangesinthenetworkinfrastructure.TherearethreemainversionsofRIP;version1,2andNG.Version2ofRIPsupportsauthenticationusingeitherclear-textorMD5authenticationmethods.Thisensuresthatroutingupdatesweresentfromatrustedsource.

NipperStudiodeterminedthatRIPonrouter03wasconfiguredwithoutauthenticationononeinterface.ThisisdetailedinTable30.

Table30:RIPinterfacewithnoauthenticationonrouter03



2.15.3Impact



2.15.4Ease

ToolscanbedownloadedfromtheInternetthatcouldbeusedtosendmaliciousRIProutingupdates.Withnoauthenticationconfigured,anattackerwouldnothavetodeterminetheauthenticationkeypriortosendingmaliciousRIProuteupdates.


Overall:HIGH

Impact:High

Ease:Easy

Fix:Planned

Overall:HIGH

Impact:High

Ease:Easy

Fix:Planned

NipperStudiorecommendsthatstrongauthenticationkeysshouldbeconfiguredforallRIProutingupdateswithRIPversion2MD5authentication.NipperStudiorecommendsthat:

RIPauthenticationkeysshouldbeatleasteightcharactersinlength;charactersintheRIPauthenticationkeyshouldnotberepeatedmorethanthreetimes;RIPauthenticationkeysshouldincludebothuppercaseandlowercasecharacters;RIPauthenticationkeysshouldincludenumbers;RIPauthenticationkeysshouldincludepunctuationcharacters;RIPauthenticationkeysshouldnotincludeadevice'sname,makeormodel;RIPauthenticationkeysshouldnotbebasedondictionarywords.


2.16LowVRRPRouterPriorities



2.16.2Finding

VRRPisanindustrystandardprotocolusedtoproviderouterredundancyagainstasinglepointoffailure.MultiplerouterscanbeconfiguredinaVRRPgroupinamasterandbackuprouterconfiguration.Themasterrouterisdeterminedbyanelectionwheretherouterwiththehighestprioritywillbecomethemaster.Routerprioritiescanbebetween1and254.

NipperStudiodeterminedthattwoVRRPgroupsonrouter03hadprioritieswerelessthan255.ThesearelistedinTable31.

Table31:VRRPgroupswithaprioritylessthan255onrouter03




2.16.3Impact

AnattackerwhoisabletoconfigureVRRPwiththerelevantauthenticationconfiguration,couldconfigureahigherpriorityandforcearouterelectioninordertobecomethemasterrouter.Ifanattackerisabletocontrolaroutingdevicetheywouldbeableto:


2.16.4Ease

Toperformthisattack,theattackerwouldfirsthavetodeterminetheexistingVRRPconfiguration.Ifauthenticationcredentialsareused,theattackercouldextractthemfromthecapturednetworkpackets.WithMD5-basedauthentication,theattackerwouldhaveuseadictionary/brute-forceattackinordertodeterminetheauthenticationkey.Additionally,theattackerwouldrequireaccesstoanetworksegmentwheretheycouldparticipateinVRRProuting.Theattackercouldthenconfiguretheirrouterwithahigherpriorityinordertoperformtheattack.AllofthesoftwarerequiredtocompleteeachofthesecomponentscanbedownloadedfromtheInternet.


NipperStudiorecommendsthattheVRRPpriorityof254shouldbeconfigured.Iftwoormoreroutersarepresent,NipperStudiorecommendsthateachoftheroutersshouldbeconfiguredwithhighnumberedpriorities.


VRRPprioritiescanbeconfiguredwiththefollowingCiscoRouterinterfacecommand:

vrrpgroupprioritypriority


2.17NoVTPAuthenticationPasswordWasConfigured



2.17.2Finding

VTPwasdevelopedbyCiscotoassistwiththemanagementofVLANsovermultipledevices.Theprotocolenablestheaddition,renaminganddeletionofVLANsonasingleswitchtobepropagatedtoothernetworkswitchesinthesameVTPdomain.VTPcanbeconfiguredtoauthenticateupdateswiththeuseofapassword.

Overall:HIGH

Impact:High

Ease:Easy

Fix:Planned

NipperStudiodeterminedthatnoVTPpasswordwasconfiguredonrouter03.

2.17.3Impact

IfnoVTPauthenticationpasswordisconfigured,anattackercouldpotentiallymodifytheVLANconfigurationonallthenetworkswitchescausingaDoS.

2.17.4Ease

AnattackercoulddownloadaVTPattacktoolfromtheInternetorusetheirownVTPcapableswitch.However,thenetworkswitcheswouldhavetobeconfiguredtoaccepttheVTPupdates.Theattackerwouldthenhavetoensurethattheirconfigurationhasahigherrevisionnumber.


NipperStudiorecommendsthat,ifnotrequired,VTPshouldbedisabledorplacedintransparentmode.However,ifVTPisrequiredNipperStudiorecommendsthatastrongVTPauthenticationpasswordshouldbeconfiguredonallVTPdevices.NipperStudiorecommendsthat:

passwordsshouldbeatleasteightcharactersinlength;charactersinthepasswordshouldnotberepeatedmorethanthreetimes;passwordsshouldincludebothuppercaseandlowercasecharacters;passwordsshouldincludenumbers;passwordsshouldincludepunctuationcharacters;passwordsshouldnotincludetheusername;passwordsshouldnotincludeadevice'sname,makeormodel;passwordsshouldnotbebasedondictionarywords.


VTPcanbesettotransparentmodeonCiscoRouterdevicesusingoneofthefollowingcommands:

vtptransparent

vtpmodetransparent

AVTPpasswordcanbeconfiguredonaCiscoRouterdeviceusingthefollowingcommand:

vtppasswordpassword-string

OnsomeCiscoRouterdevicestheVTPpasswordisnotincludedintheconfigurationfile,thereforeitisnotpossibleforNipperStudiotovalidatethishasbeensetcorrectly.


2.18LowGLBPGroupPriorities



2.18.2Finding

GLBPisaCiscoproprietaryprotocolwhichisusedforrouterloadbalancingandredundancy.ApriorityisconfiguredtodeterminewhichGLBPenabledrouterwillbecometheAVGandrespondtoARPrequestsonbehalfoftheActiveVirtualForwarders(AVFs).TherouterwiththehighestprioritywillbecometheAVG.

NipperStudiodeterminedthattwoGLBPgroupsonrouter03hadprioritieswerelessthan255.ThesearelistedinTable32.

Table32:GLBPgroupswithaprioritylessthan255onrouter03




2.18.3Impact

AnattackerwhoisabletoconfigureGLBPwiththerelevantauthenticationconfiguration,couldconfigureahigherpriorityinordertobecometheAVG.IfanattackerisabletobecometheGLBPAVG,theywouldbeabletocontrolnetworkroutinginorderto:


2.18.4Ease

Toperformthisattack,theattackerwouldfirsthavetodeterminetheexistingGLBPconfiguration.Ifauthenticationcredentialsareused,theattackercouldextractthemfromthecapturednetworkpackets.WithMD5-basedauthentication,theattackerwouldhaveuseadictionary/brute-forceattackinorderto

Overall:HIGH

Impact:High

Ease:Easy

Fix:Planned

Overall:HIGH

Impact:High

Ease:Trivial

determinetheauthenticationkey.Additionally,theattackerwouldrequireaccesstoanetworksegmentwheretheycouldparticipateinGLBProuting.Theattackercouldthenconfiguretheirrouterwithahigherpriorityinordertoperformtheattack.AllofthesoftwarerequiredtocompleteeachofthesecomponentscanbedownloadedfromtheInternet.


NipperStudiorecommendsthattheGLBPgrouppriorityof255shouldbeconfigured.Iftwoormoreroutersarepresent,NipperStudiorecommendsthateachoftheroutersshouldbeconfiguredwithhighnumberedpriorities.


GLBPprioritiescanbeconfiguredwiththefollowingCiscoRouterinterfacecommand:

glbpgroupprioritypriority


2.19LowHSRPRouterPriorities



2.19.2Finding

HSRPisaCiscoproprietaryprotocolusedtoproviderouterredundancyagainstasinglepointoffailure.MultiplerouterscanbeconfiguredinaHSRPgroupinamasterandbackuprouterconfiguration.Themasterrouterisdeterminedbyanelectionwheretherouterwiththehighestprioritywillbecomethemaster.Routerprioritiescanbebetween1and255.

NipperStudiodeterminedthattwoHSRPgroupsonrouter03hadprioritieswerelessthan255.ThesearelistedinTable33.

Table33:HSRPgroupswithaprioritylessthan255onrouter03




2.19.3Impact

AnattackerwhoisabletoconfigureHSRPwiththerelevantauthenticationconfiguration,couldconfigureahigherpriorityandforcearouterelectioninordertobecomethemasterrouter.Ifanattackerisabletocontrolaroutingdevicetheywouldbeableto:


2.19.4Ease

Toperformthisattack,theattackerwouldfirsthavetodeterminetheexistingHSRPconfiguration.Ifauthenticationcredentialsareused,theattackercouldextractthemfromthecapturednetworkpackets.WithMD5-basedauthentication,theattackerwouldhaveuseadictionary/brute-forceattackinordertodeterminetheauthenticationkey.Additionally,theattackerwouldrequireaccesstoanetworksegmentwheretheycouldparticipateinHSRProuting.Theattackercouldthenconfiguretheirrouterwithahigherpriorityinordertoperformtheattack.AllofthesoftwarerequiredtocompleteeachofthesecomponentscanbedownloadedfromtheInternet.


NipperStudiorecommendsthattheHSRPpriorityof255shouldbeconfigured.Iftwoormoreroutersarepresent,NipperStudiorecommendsthateachoftheroutersshouldbeconfiguredwithhighnumberedpriorities.


HSRPprioritiescanbeconfiguredwiththefollowingCiscoRouterinterfacecommand:

standbygroupprioritypriority


2.20UDPSmallServicesEnabled



2.20.2Finding

Fix:Quick

Overall:HIGH

Impact:High

Ease:Trivial

Fix:Quick

SomedevicesandplatformsprovideacollectionofsimpleUserDatagramProtocol(UDP)networkservices,whicharealsosometimesreferredtoassmallservices.Theseservicesprovidelittlefunctionalityandarerarelyusedandtheytypicallyinclude:

Echo(definedinRFC862)returnsanydatasenttoitbacktotheconnectingclient;Discard(definedinRFC863)ignoresanydatasenttoitbyaconnectingclient;Chargen(definedinRFC864)generatesprintablecharacterswhicharereturnedtotheconnectingclient.

NipperStudiodeterminedthattheUDPsmallserverswereenabledonrouter03.

2.20.3Impact

AnattackercouldusetheUDPsmallserversaspartofaDoSattack.UDPisaconnection-lessprotocolandanexperiencedattackercouldforgenetworkpacketstousetheechoandchargenservicestoincreasethenetworktrafficandsystemutilizationofdevicesofferingtheservices.Additionally,eachrunningserviceincreasesthechancesofanattackerbeingabletoidentifythedeviceandsuccessfullycompromiseit.Althoughnotassignificant,someoftheservicesmayprovideanattackerwithsimpleinformationthatcouldthenbeusedaspartofatargetedattackagainstthesystem.

2.20.4Ease

ToolsthatcanbeusedtoconnecttotheseservicesareinstalledbydefaultonsomesystemsorcanbedownloadedfromtheInternet.


NipperStudiorecommendsthattheUDPsmallserversshouldbedisabled.


UDPsmallserverscanbedisabledonCiscoRouterdeviceswiththefollowingcommand:

noserviceudp-small-servers


2.21EnablePasswordConfigured



2.21.2Finding

CiscoInternetOperatingSystem(IOS)-baseddevicesenablepasswordscanbestoredusingMD5hashesorusingtheCiscoType7passwordencodingalgorithm.AstrongpasswordstoredusinganMD5hashcantakeasignificantperiodoftimetobrute-force.However,thesamepasswordstoredinCiscoType7formcanbereversedinafractionofasecond.TheMD5enableuserpasswordhashcanbecreatedusingthesecretkeyword,whilsttheCiscoType7hashiscreatedusingthepasswordkeyword.

NipperStudioidentifiedanenablepasswordonrouter03thatwasnotstoredusinganMD5hash.ThisisshowninTable34

Table34:Enablepasswordstoredonrouter03withoutusingMD5



NipperStudioidentifiedanenablepasswordonCiscoIOS15thatwasnotstoredusinganMD5hash.ThisisshowninTable35

Table35:EnablepasswordstoredonCiscoIOS15withoutusingMD5



2.21.3Impact

AnattackercoulduseanenablepasswordfromaCiscodevicetogainadministrativelevelaccesstothedeviceandmodifyitsconfiguration.

2.21.4Ease

AnattackerwhohadaccesstotheCiscoconfigurationfilewouldeasilybeabletoretrievepasswordsthatarestoredinclear-textorusingtheCiscotype-7encryption.However,anattackerwhohadaccesstoaCiscoconfigurationfilecouldattemptabrute-forceattackagainstthestrongerMD5hashes.ToolscanbedownloadedfromtheInternetthatarecapableofreversingCiscoType7passwords.However,anattackerwouldneedtoobtainacopyoftheconfigurationfileandwouldneedtobeabletogaininitialaccesstothedevicebeforetheycouldmakeuseofanenablepassword.


NipperStudiorecommendsthatallenablepasswordsshouldbestoredusingtheMD5hash.ThefollowingcommandcanbeusedtoremovetheCiscoType7enablepassword:

Overall:HIGH

Impact:High

Ease:Easy

Fix:Planned

Overall:HIGH

Impact:High

Ease:Easy

Fix:Quick

noenablepassword

MD5enablepasswordscanbeconfiguredusingthefollowingcommand:

enablesecret[levelpassword]password


2.22Clear-TextSNMPInUse



2.22.2Finding

SNMPisanindustrystandardprotocolformonitoringandmanagingavarietyofdevices.SNMPservicestypicallyofferdetailedinformationthatincludesadevice'soperatingsystem,networkinterfaces,memory,systemcountersandsystemusers.WithwriteaccesstoSNMP,itispossibletore-configurenetworking,systempropertiesandevenshutdownadevice.

TherearemultipleversionsofSNMPandversionspriortoversion3offernoencryptionofeithertheauthenticationordatanetworktraffic.

NipperStudiodeterminedthattheclear-textSNMPversionswereenabledonthetwodevicesdetailedinTable36.

Table36:Deviceswithclear-textSNMPversionsenabled

Device Name

CiscoRouter router03

CiscoRouter CiscoIOS15

2.22.3Impact

AnattackerormalicioususerwhocanmonitortheunencryptedSNMPnetworktrafficwouldcapturetheSNMPcommunitystringusedtoauthenticateaccesstotheSNMPagentservice.Additionally,theywouldcapturealltheinformationtransferredusingtheunencryptedconnection.

WithwriteaccesstoSNMPanattackercouldmodifyadevice'ssettingsandpotentiallycauseaDoScondition.

2.22.4Ease

NetworkpacketcapturetoolscanbedownloadedfromtheInternetthatcanallowanattackertomonitorthenetworktraffic.Inamodernnetworkenvironment,switchesaretypicallydeployedtoconnectthenetworkinfrastructuredevicesratherthanhubs.Withnetworkswitchdevices,theattackershouldonlybeabletoseebroadcastnetworktrafficortrafficsentdirectlytoorfromtheattacker'shost.However,askilledattackercouldbypassthisrestrictionbyperforminganattacksuchasARPspoofingorexploitingavulnerabilitywiththenetworkrouting.Toolsforbypassinganetworkswitchingenvironment'srestrictionscanbedownloadedfromtheInternet.

ItisworthnotingthatwithnoSNMPviewconfigured,theattackerwouldnotberestrictedtoaspecifiedsubsetoftheSNMPMIB.


NipperStudiorecommendsthat,ifnotrequired,SNMPshouldbedisabled.However,ifSNMPaccessisrequired,NipperStudiorecommendsthatonlySNMPversion3shouldbeconfiguredwithstrongauthenticationandprivacypasswords.



nosnmp-server


2.23SNMPWriteAccessEnabled



2.23.2Finding

SNMPisanindustrystandardprotocolformonitoringandmanagingavarietyofdevices.SNMPservicestypicallyofferdetailedinformationthatincludesadevice'soperatingsystem,networkinterfaces,memory,systemcountersandsystemusers.WithwriteaccesstoSNMPitcanbepossibletore-configurenetworking,systempropertiesandevenshutdownadevice.

NipperStudioidentifiedoneSNMPcommunitystringwithwriteaccessonrouter03.ThisisshowninTable37.


Overall:HIGH

Impact:High

Ease:Easy

Fix:Quick

Overall:HIGH

Impact:High

Ease:Easy

Fix:Quick

Table37:SNMPcommunitystringwithwriteaccessonrouter03


2.23.3Impact

Amalicioususer,orattacker,withawriteaccessSNMPcommunitystringcouldmodifytheconfigurationofthedeviceandinsomecircumstancescausethedevicetoreboot.ItisalsoworthnotingthatSNMPwriteaccesscouldenableanattackertoextractthefullconfigurationfromthedevice.

2.23.4Ease

Anattackerwhowantedtomodifyadevice'sconfigurationusingSNMPwouldrequireatoolthatcouldwritetotheSNMPMIBandacommunitystringwithwriteaccess.SNMPtoolsthatcanwritetoaSNMPMIBcanbedownloadedfromtheInternetandsomeOperatingSystem(OS)installthembydefault.


NipperStudiorecommendsthat,ifnotrequired,SNMPshouldbedisabled.



nosnmp-server


2.24NoHTTPServerSessionTimeout



2.24.2Finding

TheHTTPserversessiontimeoutsettingisusedtodetermineifawebsessionisnolongerbeingused,enablingadevicetodeterminewhenaconnectioncanbeautomaticallydisconnected.AHTTPserversessioncouldbecomeunusedifanadministratorhasnotproperlyterminatedaconnectionandremainsauthenticated,suchaswhenauserdoesnotclickonalogoutbutton.Thesessioncouldalsobecomeunusediftheuserleavestheircomputerunattendedwithoutterminatingthesession.

NipperStudiodeterminedthatnoHTTPserversessiontimeoutwasconfiguredonrouter03.

2.24.3Impact

Ifanattackerwasabletoaccessasystemusinganauthenticatedsessionthatisnolongerbeingused,theattackerwouldbeabletoperforminformationgathering,configurationandothermaliciousactivitiesunderthecontextofthepreviousauthenticateduser.Thelevelofaccesscouldpotentiallybeatanadministrativelevel.

2.24.4Ease

ToexploitthisissueanattackerwouldfirsthavetoidentifyaworkingHTTPserversession,possiblypriortoitbecomingunusedbytheuser,andthenbeabletocontrolthatwebsession.Thismaybeassimpleasusingtheuserscomputerwhilsttheyareaway,otherwisetheattackermayhavetoexploitaweaknessintheprotocolorperformaman-in-the-middleattack.Theman-in-the-middleattackcouldbeperformedusingaproxyserver,butausercouldbecomesuspiciousifthesessionisusingHypertextTransferProtocoloverSSL(HTTPS)andthewebbrowserprovidestheuserwithacertificatewarning.


NipperStudiorecommendsthataHTTPserversessiontimeoutperiodof10minutesshouldbeconfigured.


TheHTTPservertimeoutcanbeconfiguredwiththefollowingcommand:

iphttptimeout-policyidlesecondslifesecondsrequestsnumber


2.25NoInboundTCPConnectionKeep-Alives



2.25.2Finding

Thekeep-alivemessagesareusedtodetermineifaconnectionisactiveorhasbecomeorphanedandisnolongerused.Dependingontheresult,thedevicecanreclaimresourcesallocatedtoinboundconnectionsthathavebecomeorphaned.Connectionstoadevicecouldbecomeorphanedifaconnectionbecomesdisruptedoriftheclienthasnotproperlyterminatedaconnection.

NipperStudiodeterminedthatTCPkeep-alivemessageswerenotconfiguredforinboundconnectionsonrouter03.

Overall:HIGH

Impact:High

Ease:N/A

Fix:Quick

Overall:MEDIUM

Impact:High

2.25.3Impact

AnattackercouldattemptaDoSattackagainstadevicebyexhaustingthenumberofpossibleconnections.Toperformthisattack,theattackercouldkeeprequestingnewconnectionstothedeviceandspoofthesourceIPaddresses.Thiswouldthenpreventanynewlegitimateconnectionstothedevicefrombeingmadeasthedeviceawaitsthecompletionoftheconnectionattemptsthathavealreadybeeninitiated.Thisattackwouldpreventbothusersandadministratorsfromconnectingtothedevice.

2.25.4Ease

ToolscanbedownloadedfromtheInternetthatarecapableofopeningalargenumberofTCPconnectionswithoutcorrectlyterminatingthem.


NipperStudiorecommendsthatTCPkeepalivemessagesshouldbesenttodetectanddroporphanedconnectionsfromremotesystems.


Keep-alivemessagescanbesentforinboundTCPconnectionstoCiscoRouterdeviceswiththefollowingcommand:

servicetcp-keepalives-in


2.26InterfacesWereConfiguredWithNoFiltering



2.26.2Finding

Networkfilteringrulelistscanbeassignedtoindividualnetworkinterfacestoprovidefilteringofnetworktraffic.

NipperStudiodeterminedthattwonetworkinterfacesonrouter03hadnonetworkfilteringrulesassigned.Thesearedetailedbelow.

Table38:Networkinterfaceswithnofilteringonrouter03

Interface Active Description

GigabitEthernet1/1 Yes Firstinterfaceonswitch

GigabitEthernet1/2 Yes Secondinterfaceonswitch

NipperStudiodeterminedthattwonetworkinterfacesonCiscoIOS15hadnonetworkfilteringrulesassigned.Thesearedetailedbelow.

Table39:NetworkinterfaceswithnofilteringonCiscoIOS15

Interface Active

FastEthernet0/0 Yes

Async0/0/0 Yes

2.26.3Impact

Thenetworktrafficfromanattackerattachedtooneofthenetworkinterfacesdetailedabovewouldnotbesubjectedtofiltering,potentiallyprovidingunrestrictedaccesstonetworkservices.

2.26.4Ease

Thenetworktrafficwouldnotbesubjectedtofiltering.


NipperStudiorecommendsthatallnetworkinterfacesshouldbeconfiguredfilteringtohelppreventunauthorizedaccesstonetworkservicesandhosts.


CiscoRouterdevicefilteringcanbeconfiguredoninterfaceswiththefollowingcommand:

ipaccess-groupACL[in|out]


2.27Dictionary-BasedRoutingProtocolAuthenticationKeys



Ease:Moderate

Fix:Involved

Overall:MEDIUM

Impact:High

Ease:Moderate

Fix:Involved

2.27.2Finding

Routersandroutingdevicescanbeconfiguredtosendrouteupdatestoeachother.Thisenablesdevicestodynamicallyadapttochangesinthenetworktopologyandenablesrouterdevicestomakeinformeddecisionswhenroutingnetworktrafficbetweennetworks.Authenticationkeys,sometimesreferredtoassharedsecrets,canbeconfiguredforroutingprotocols.Theroutingprotocolauthenticationkeysareconfiguredtoensurethatanyroutingupdatessenttothedevicethatwillupdatethedevice'sroutinginformationwereonlysentfromtrustedsources.

NipperStudiodeterminedthattwodictionary-basedroutingprotocolauthenticationkeyswereconfiguredonrouter03.ThesearelistedinTable40.

Table40:Dictionary-basedroutingprotocolauthenticationkeysonrouter03

KeyChain KeyID Key

testchain 1 password

routing-chain 1 cisco

2.27.3Impact



2.27.4Ease

ToolscanbedownloadedfromtheInternetthatcanbeusedtosendmaliciousroutingupdates.Withasimpledictionary-basedauthenticationkeyconfigured,itwouldnotbetimeconsumingforanattackertodeterminetheauthenticationkey.Theattackercouldthensendroutingupdatesthatappeartobeauthenticandthesourceaddresscanbespoofed.


NipperStudiorecommendsthatstrongroutingprotocolauthenticationkeysshouldbeconfiguredforallroutingupdates.NipperStudiorecommendsthat:

routingauthenticationkeysshouldbeatleasteightcharactersinlength;charactersintheroutingauthenticationkeyshouldnotberepeatedmorethanthreetimes;routingauthenticationkeysshouldincludebothuppercaseandlowercasecharacters;routingauthenticationkeysshouldincludenumbers;routingauthenticationkeysshouldincludepunctuationcharacters;routingauthenticationkeysshouldnotincludeadevice'sname,makeormodel;routingauthenticationkeysshouldnotbebasedondictionarywords.


AuthenticationkeychainsandkeyscanbeconfiguredonCiscoRouterdeviceswiththefollowingcommands:

keychainchain-name

keykey-number

key-stringauthentication-string


2.28Dictionary-BasedVRRPGroupAuthenticationKeys



2.28.2Finding


NipperStudiodeterminedthatoneVRRPgroupwasconfiguredonrouter03withadictionary-basedauthenticationkey.ThisisshowninTable41.

Table41:Dictionary-basedVRRPgroupauthenticationkeyonrouter03

KeyID Key

1 password

2.28.3Impact

Overall:MEDIUM

Impact:High

Ease:Moderate

Fix:Quick

Overall:MEDIUM



2.28.4Ease

Foraclear-textVRRPgroupauthentication,theattackercouldmonitorthenetworktrafficinordertogaintheVRRPgroupauthenticationkey.ForMD5authentication,anattackercouldperformadictionary-basedattack.ThiscanbeachievedusingsoftwaredownloadedfromtheInternet.

AnattackercoulduseaVRRPcapabledevice,ordownloadVRRPsoftwarefromtheInternet.TheattackercouldthenconfiguretheirVRRPtobeinthesamegroupandwithahigherpriorityinordertobecomethemasterduringanelection.Theauthenticationkey(orsharedsecret)canbeconfiguredusingtheVRRPgroupauthenticationkey.


NipperStudiorecommendsthatMD5authenticationwithastrongkeyshouldbeconfiguredforallVRRPgroups.AlthoughitmaybepossibleforanattackertoextracttheMD5authenticationhashfromanetworkpacketandbrute-forcetheauthenticationkey,itwouldtakesignificantlymoreeffortthanwouldberequiredifclear-textauthenticationweretobeconfigured.NipperStudiorecommendsthat:






2.29SNMPSystemShutdownEnabled



2.29.2Finding

ASNMPsystemshutdownfacilitycanbeconfiguredforsomeSNMPagentssothatnetworkadministratorscanremotelyresetthedevicesusingSNMP.

NipperStudiodeterminedthattheSNMPsystemshutdownfacilitywasenabledonrouter03.

2.29.3Impact

AnattackerwhohadSNMPwriteaccesscouldcauseaDoSconditionbycausingthedevicetoshutdown.

2.29.4Ease

ForanattackertoexploitthisissuetheywouldrequireSNMPquerytoolsandacommunitystringwithwriteaccesstotheSNMPMIB.SNMPquerytoolscanbedownloadedfromtheInternetandsomeOSinstallthembydefault.Iftheattackerdoesnotknowthecommunitystringitmaybepossibletodetermineitbymonitoringthenetworktrafficorbybrute-forcingthecommunitystring.


GenerallytheSNMPsystemshutdownfacilityisnotsavedtotheconfigurationfileandshouldnotpersistfollowingasystemshutdown.NipperStudiorecommendsthattheSNMPsystemshutdownfacilityshouldbedisabled.


ThefollowingCiscoRouterdevicecommandcanbeusedtodisabletheSNMPshutdownfacility:

nosnmp-serversystem-shutdown


2.30BGPNeighborsConfiguredWithDictionary-BasedPasswords


Impact:High

Ease:Moderate

Fix:Involved

Overall:MEDIUM

Impact:High

Ease:Moderate

Fix:Planned

CiscoIOS15-CiscoRouter.

2.30.2Finding

BGPisaroutingprotocolthatallowsnetworkdevicestodynamicallyadapttochangestothenetworktopology.RoutingneighborsareconfiguredtodefinewhichBGPhoststheroutingupdateswillbesentto.MD5authenticationcanbeconfiguredforeachneighbortoensurethatBGProutingupdatesaresentfromatrustedsource.

NipperStudiodeterminedthattwoBGPneighborsonCiscoIOS15hadbeenconfiguredwithadictionary-basedpassword.ThesearelistedinTable42.

Table42:BGPneighborsonCiscoIOS15withadictionary-basedpassword

Address RemoteAS Password Version Weight PeerGroup MapIn MapOut Description

1.1.1.1 3 password 4 0

1.2.3.4 1 password 4 0

2.30.3Impact

AnattackermayattempttomodifytheroutingtableofaBGProutingdeviceinanattempttoroutenetworktrafficthroughadevicethattheycontrol.Ifanattackerisabletocontrolaroutingdevicetheywouldbeableto:


2.30.4Ease

Anattackercouldmakeuseoftheirownroutingdevice,orroutingsoftware,inordertoinsertmaliciousroutingupdates.However,theattackermayfirsthavetoperformadictionary-basedattackinordertodeterminethepassword.


NipperStudiorecommendsthatstrongMD5authenticationpasswordsshouldbeconfiguredforallBGProutingupdates.AlthoughanattackercouldextracttheMD5passwordauthenticationhashfromanetworkpacketandbrute-forcethepassword,itwouldtakesignificantlymoreeffortthanifadefaultpasswordweretobeconfigured.


BGPpasswordsshouldbeatleasteightcharactersinlength;charactersintheBGPpasswordshouldnotberepeatedmorethanthreetimes;BGPpasswordsshouldincludebothuppercaseandlowercasecharacters;BGPpasswordsshouldincludenumbers;BGPpasswordsshouldincludepunctuationcharacters;BGPpasswordsshouldnotincludeadevice'sname,makeormodel;BGPpasswordsshouldnotbebasedondictionarywords.


BGPneighborauthenticationpasswordscanbeconfiguredonCiscoRouterdeviceswiththefollowingroutercommand:

neighbor{address|group}passwordpassword


2.31DTPWasEnabled



2.31.2Finding

DTPisaproprietaryprotocoldevelopedbyCiscoforthepurposeofnegotiatingVLANtrunkingbetweenswitches.Whenenabledtheswitchcandynamicallynegotiatetrunkingwithanattachedswitchwithoutrequiringanymanualconfiguration.Oncethenegotiationissuccessful,anyVLANsconfiguredtotrunkwillthenbetransferredbetweenthedevices.IfspecificVLANshavenotbeenspecifiedthenallVLANswillbetransferred.

NipperStudiodeterminedthatDTPwasenabledontwonetworkinterfacesonrouter03.ThesearedetailedinTable43.

Table43:Networkinterfacesonrouter03withDTPenabled

Interface Active VLAN Trunk TrunkVLAN DTP Description

GigabitEthernet1/1 Yes 1 Yes All On Firstinterfaceonswitch

GigabitEthernet1/2 Yes 1 Yes All On Secondinterfaceonswitch

Overall:MEDIUM

Impact:High

Ease:Moderate

Fix:Quick

Overall:MEDIUM

Impact:Critical

Ease:Challenging

Fix:Quick

2.31.3Impact

AnattackercouldattempttonegotiateatrunkwiththedeviceinordertogainaccesstoalltheVLANsconfiguredforthetrunk.ThiswillenableanattackertobypassanynetworkfilteringprovidedtorestrictaccessbetweenVLANs.Forexample,ifamanagementnetworkweretobeavailablethentheattackerwillbeabletoconnecttoallthedevicesandservicesofferedonthatnetworkasiftheywereattachedtoitdirectly.

2.31.4Ease

SoftwaretoenableanattackertonegotiateatrunkisavailableontheInternet.AlternativelyanattackercouldmakeuseoftheirownDTPcapablenetworkdevice.


NipperStudiorecommendsthat,ifnotrequired,DTPshouldbedisabled.NipperStudiorecommendsthatswitchportsshouldbeconfiguredtoeithertrunkornotandthoseportswheretrunkingisrequiredshouldonlybeconfiguredtotrunktherequiredVLANs.


SwitchportscanbeconfiguredtoeithertrunkornotandDTPnegotiationdisabledusingthefollowinginterfacecommands:

switchportmode{access|trunk}

switchportnonegotiate


2.32ClearTextHTTPServiceEnabled



2.32.2Finding

HTTP(RFC2616)providesweb-basedservices,suchasinformationservices,networkdeviceadministrationandotherpotentiallysensitiveservices.HTTPprovidesnoencryptionoftheconnectionbetweentheclientandserverincludinganyauthenticationanddatatransfer.

NipperStudiodeterminedthatthecleartextHTTPserverwasenabledonrouter03.

2.32.3Impact

DuetothelackofencryptionprovidedbytheHTTPservice,anattackerwhoisabletomonitorasessionwouldbeabletoviewalloftheauthenticationcredentialsanddatapassedinthesession.Theattackercouldthenattempttogainaccesstothedeviceusingtheauthenticationcredentialsextractedfromthesessionandpotentiallygainaccessunderthecontextofthatuser.SinceHTTPiscommonlyusedfornetworkdeviceadministrationthiscouldgaintheattackeranadministrativelevelofaccess.

2.32.4Ease

ToexploitthefactthattheHTTPservicedoesnotprovideanyencryption,theattackerwouldneedtobeabletomonitorthesessionbetweenaHTTPserverandwebbrowser.Insomesituationstheattackermaynotneedtoperformanyfurtheractionotherthanlaunchinganetworkmonitoringtool.However,inaswitchednetworktheattackermayneedtoperformadditionalactionssuchasanARPattackandinaroutedenvironmenttheattackermayhavetocompromisethenetworkrouting.

ToolsthatarecapableofbothmonitoringanddisplayingnetworktrafficinaneasytoreadformcanbedownloadedfromtheInternet.Therearealsotoolsthatautomaticallydetectwhereauthenticationcredentialsorfilesarebeingtransferredanddisplayorsavethedata.Toolsarealsoavailablethatenableanattackertoeasilyperformavarietyofnetworkattacksinordertobeabletomonitorandinterceptsessionsbetweentwonetworkdevices.


NipperStudiorecommendsthattheHTTPserviceshouldbedisabled.IfremoteadministrativeaccessisrequiredthenNipperStudiorecommendsthatacryptographicallysecurealternative,suchasHTTPS,shouldbeusedinstead.


TheHTTPservercanbedisabledusingthefollowingcommand:

noiphttpserver


2.33UserAccountNamesContained"admin"



2.33.2Finding

Overall:MEDIUM

Impact:High

Ease:Moderate

Fix:Involved

WhenUserAccountnamescontain"admin",aclearindicationisgiventoanattackerormalicoususerthattheaccountmostlikelyhashigherprivilegelevelsthanastandarduser.Thisallowsanattackertofocustheirresourcesinamoredirectway,suchastargetedphishingattacksorothersocialengineeringtechniques.

NipperStudioidentifiedoneuseraccountcontaining"admin"intheusernameonCiscoIOS15.ThisisshowninTable44

Table44:UseronCiscoIOS15with'admin'inusername


admin (ENCRYPTED) 1

2.33.3Impact

Amalicioususerwouldbeabletocreatetargetedphishingandsocialengineeringattacksataspecificusertheybelievetohaveadminorelevatedprivileges.Onceaccessisgained,theywouldhavethatuser'saccesstoasystem,whichcouldincludere-configuringthedevice,extractingpotentiallysensitiveinformationanddisablingthedevice.Onceanattackerhasobtainedtheconfigurationfromthedevicetheymaybeabletoidentifyauthenticationcredentialsthatcouldthenbeusedtogainaccesstoothernetworkdevices.

2.33.4Ease

ExploitingthisvulnerabilitywouldrequireanattackertohavegainedaccesstosensitiveinformationdetailinguseraccountsandassociatedID'sbeforebeingabletoidentifyappropriatetargetsforphishingorsocialengineeringattacks.


NipperStudiostronglyrecommendsthatallAdminorelevatedprivilegeaccountsshouldnotcontaininformationthatidentifiesthemasbeingsuch.


2.34WeakGLBPGroupAuthenticationKeys



2.34.2Finding


NipperStudiodeterminedthatoneGLBPgroupwasconfiguredonrouter03withaweakauthenticationkey.ThisisshowninTable45.

Table45:WeakGLBPgroupauthenticationkeyonrouter03

KeyID Key Weakness

1 Passw0rd Nopunctuationcharacters

2.34.3Impact

AnattackerwhoisabletoconfigureGLBPwiththerelevantauthenticationconfigurationinordertobecometheAVGwouldbeabletocontrolnetworkroutinginorderto:


2.34.4Ease

Foraclear-textGLBPgroupauthentication,theattackercouldmonitorthenetworktrafficinordertogaintheGLBPgroupauthenticationkey.ForMD5authentication,anattackercouldperformabrute-forceattack.ThiscanbeachievedusingsoftwaredownloadedfromtheInternet.

AnattackercoulduseaGLBPcapabledeviceintheattack.TheattackercouldthenconfiguretheirGLBPcapablerouter,withtheauthenticationkey,inordertobecomeanetworkrouter.


NipperStudiorecommendsthatMD5authenticationwithastrongkeyshouldbeconfiguredforallGLBPgroups.AlthoughitmaybepossibleforanattackertoextracttheMD5authenticationhashfromanetworkpacketandbrute-forcetheauthenticationkey,itwouldtakesignificantlymoreeffortthanwouldberequiredifclear-textauthenticationweretobeconfigured.NipperStudiorecommendsthat:

GLBPauthenticationkeysshouldbeatleasteightcharactersinlength;charactersintheGLBPauthenticationkeyshouldnotberepeatedmorethanthreetimes;

Overall:MEDIUM

Impact:High

Ease:Moderate

Fix:Involved

GLBPauthenticationkeysshouldincludebothuppercaseandlowercasecharacters;GLBPauthenticationkeysshouldincludenumbers;GLBPauthenticationkeysshouldincludepunctuationcharacters;GLBPauthenticationkeysshouldnotincludeadevice'sname,makeormodel;GLBPauthenticationkeysshouldnotbebasedondictionarywords.





2.35WeakHSRPGroupAuthenticationKeys



2.35.2Finding


NipperStudiodeterminedthatoneHSRPgroupwasconfiguredonrouter03withaweakauthenticationkey.ThisisshowninTable46.

Table46:WeakHSRPgroupauthenticationkeyonrouter03

KeyID Key Weakness

1 Passw0rd Nopunctuationcharacters

2.35.3Impact



2.35.4Ease

Foraclear-textHSRPgroupauthentication,theattackercouldmonitorthenetworktrafficinordertogaintheHSRPgroupauthenticationkey.ForMD5authentication,anattackercouldperformabruteforceattack.ThiscanbeachievedusingsoftwaredownloadedfromtheInternet.

AnattackercoulduseaHSRPcapabledevice,ordownloadHSRPsoftwarefromtheInternet.TheattackercouldthenconfiguretheirHSRPtobeinthesamegroupandwithahigherpriorityinordertobecomethemasterduringanelection.Theauthenticationkey(orsharedsecret)canbeconfiguredusingtheHSRPgroupauthenticationkey.


NipperStudiorecommendsthatMD5authenticationwithastrongkeyshouldbeconfiguredforallHSRPgroups.AlthoughitmaybepossibleforanattackertoextracttheMD5authenticationhashfromanetworkpacketandbrute-forcetheauthenticationkey,itwouldtakesignificantlymoreeffortthanwouldberequiredifclear-textauthenticationweretobeconfigured.NipperStudiorecommendsthat:






2.36WeakRoutingProtocolAuthenticationKeys

Overall:MEDIUM

Impact:High

Ease:Moderate

Fix:Involved

Overall:MEDIUM

Impact:High

Ease:Moderate

Fix:Planned



2.36.2Finding

Routersandroutingdevicescanbeconfiguredtosendrouteupdatestoeachother.Thisenablesdevicestodynamicallyadapttochangesinthenetworktopologyandenablesrouterdevicestomakeinformeddecisionswhenroutingnetworktrafficbetweennetworks.Authenticationkeys,sometimesreferredtoassharedsecrets,canbeconfiguredforroutingprotocols.Theroutingprotocolauthenticationkeysareconfiguredtoensurethatanyroutingupdatessenttothedevicethatwillupdatethedevice'sroutinginformationwereonlysentfromtrustedsources.

NipperStudiodeterminedthatoneweakroutingprotocolauthenticationkeywasconfiguredonCiscoIOS15.ThisisshowninTable47.

Table47:WeakroutingprotocolauthenticationkeyonCiscoIOS15

KeyChain KeyID Key Weakness

keychain 1 key Tooshort

2.36.3Impact



2.36.4Ease

ToolscanbedownloadedfromtheInternetthatcanbeusedtosendmaliciousroutingupdates.Withaweakauthenticationkeyconfigured,theattackermayhavetoperformabrute-forceattackinordertodeterminetheauthenticationkey.Theattackercouldthensendroutingupdatesthatappeartobeauthenticandthesourceaddresscanbespoofed.


NipperStudiorecommendsthatstrongroutingprotocolauthenticationkeysshouldbeconfiguredforallroutingupdates.NipperStudiorecommendsthat:

routingauthenticationkeysshouldbeatleasteightcharactersinlength;charactersintheroutingauthenticationkeyshouldnotberepeatedmorethanthreetimes;routingauthenticationkeysshouldincludebothuppercaseandlowercasecharacters;routingauthenticationkeysshouldincludenumbers;routingauthenticationkeysshouldincludepunctuationcharacters;routingauthenticationkeysshouldnotincludeadevice'sname,makeormodel;routingauthenticationkeysshouldnotbebasedondictionarywords.


AuthenticationkeychainsandkeyscanbeconfiguredonCiscoRouterdeviceswiththefollowingcommands:

keychainchain-name

keykey-number

key-stringauthentication-string


2.37LowOSPFRouterPriorities



2.37.2Finding

OSPFisaroutingprotocolthatcanbeconfiguredtodynamicallyupdatetheroutingtablewithchangestothenetworktopology.Multiplerouterscanbeconfiguredonanetworkforfaulttolerance,inthatsituationtherouterwiththehighestprioritywilltakeprecedence.Routerprioritiescanbebetween0and255,ifsetto0therouterwillnotbecomethedesignatedorbackuprouter.Iftworoutershavethesamepriority,therouterwiththehighestrouterIdentifier(ID)willthentakeprecedence.

NipperStudiodeterminedthattwoOSPFprioritiesonrouter03werelessthan255.ThesearelistedinTable48.




Overall:MEDIUM

Impact:High

Ease:Challenging

Fix:Quick

Table48:OSPFwithprioritieslessthan255onrouter03


NipperStudiodeterminedthatoneOSPFpriorityonCiscoIOS15waslessthan255.ThisisshowninTable49.

Table49:OSPFwithaprioritylessthan255onCiscoIOS15


FastEthernet0/0 Yes No 1 Broadcast MD5 6 Default 10seconds 40seconds 5seconds 1second

2.37.3Impact

AnattackerwhoisabletoconfigureOSPFwiththerelevantauthenticationconfiguration,couldconfigureahigherpriorityinordertotakeprecedenceovertheexistingrouter.Ifanattackerisabletocontrolaroutingdevicetheywouldbeableto:


2.37.4Ease

Toperformthisattack,theattackerwouldfirsthavetodeterminetheexistingOSPFconfiguration.Ifauthenticationcredentialsareused,theattackercouldextractthemfromthecapturednetworkpackets.WithMD5-basedauthentication,theattackerwouldhaveuseadictionary/brute-forceattackinordertodeterminetheauthenticationkey.Additionally,theattackerwouldrequireaccesstoanetworksegmentwheretheycouldparticipateinOSPFrouting.Theattackercouldthenconfiguretheirrouterwithahigherpriorityinordertoperformtheattack.AllofthesoftwarerequiredtocompleteeachofthesecomponentscanbedownloadedfromtheInternet.


NipperStudiorecommendsthattheOSPFpriorityof255shouldbeconfigured.Iftwoormoreroutersarepresent,NipperStudiorecommendsthateachoftheroutersshouldbeconfiguredwithhighnumberedpriorities.


AhighOSPFprioritycanbeconfiguredonCiscoRouterdeviceswiththefollowinginterfacecommand:

ipospfprioritypriority-no


2.38UsersConfiguredWithWeakPasswordEncryption



2.38.2Finding

UserpasswordsonCiscoIOS-baseddevicescanbeconfiguredtostoreuserpasswordsusingeitheraMD5passwordhashorusingtheCiscoType7passwordencodingalgorithm.WhilsttheCiscoType-7passwordencodingcanbeeasilyreversedtorevealtheoriginalpassword,MD5hashescannotbereversed.InsteadiftheoriginalpasswordneedstobedeterminedfromanMD5hash,thepasswordsmustbeguessedandthenputthroughtheMD5hashingprocess.TheresultingMD5hashescanthenbecomparedinordertodetermineifthepasswordsmatch.

NipperStudiodeterminedthatsixusersstoredtheirpasswordsusingCiscoType-7encodingonrouter03.ThesearedetailedinTable50.

Table50:UserswithCiscoType-7passwordsonrouter03


temp password 15






NipperStudiodeterminedthattwousersstoredtheirpasswordsusingCiscoType-7encodingonCiscoIOS15.ThesearedetailedinTable51.



Overall:MEDIUM

Impact:High

Ease:Challenging

Fix:Quick

Table51:UserswithCiscoType-7passwordsonCiscoIOS15



2.38.3Impact

AstrongpasswordstoredusinganMD5hashcantakeasignificantperiodoftimetobrute-force.However,thesamepasswordstoredinCiscoType7formcanbereversedinafractionofasecond.AnattackercouldusedecodedpasswordsfromaCiscodeviceinordertogainalevelofaccesstothedeviceandpotentiallymodifyitsconfiguration.

2.38.4Ease

AnattackerwhohadaccesstotheCiscoconfigurationfilewouldeasilybeabletoretrieveanddecodepasswordsthatarestoredusingtheCiscotype-7encodingscheme.However,anattackerwhohadaccesstoaCiscoconfigurationfilecouldattemptabrute-forceattackagainstthestrongerMD5hashes.ToolscanbedownloadedfromtheInternetthatarecapableofreversingCiscoType7passwords.However,anattackerwouldneedtoobtainacopyoftheconfigurationfileandwouldneedtobeabletogaininitialaccesstothedevicebeforetheycouldmakeuseofanenablepassword.


NipperStudiorecommendsthatalluserpasswordsshouldbestoredusingtheMD5hash.ThefollowingcommandcanbeusedtoremoveusersusingtheCiscoType7password:

nousername

UserscanbeconfiguredtostorepasswordsusinganMD5hashusingthefollowingcommand:

usernameuser-namesecretpassword


2.39AUXPortNotDisabled



2.39.2Finding

TheAuxilary(AUX)port'sprimarypurposeistoprovidearemoteadministrationcapability.WithamodemconnectedtotheAUXport,aremoteadministratorcoulddialintothedeviceinordertoperformremoteadministration.Asanextralayerofsecurity,somedevicescanbeconfiguredwithacallbackfacility.Thecallbackfacility,ifconfigured,dropsanyincomingcallsanddialsthenetworkadministratorback.

NipperStudiodeterminedthattheAUXporthadnotbeendisabledonrouter03.

TheAUXportlinesettingsthatwereconfiguredonrouter03arelistedinTable52.

Table52:AUXlinesettingsonrouter03

Line Exec Absolute Session Login FilterIn FilterOut

Auxiliary 10minutes None 25minutes 30seconds

2.39.3Impact

IfanattackerisabletodialinandconnecttothedeviceremotelyusingtheAUXport,theattackercouldperformabrute-forceattackagainsttheauthenticationmechanisminordertogainremoteadministrativeaccess.IfamalicioususerwasabletogainphysicalaccesstoadevicewheretheAUXporthadnotbeendisabled,theycouldattachamodeminordertoperformanattackfromaremotelocation.Ifacallbackfacilityhasnotbeenconfigured,thenthedevicewouldnotdropincomingcallsandattempttodialthenetworkadministratorsphonenumber.

2.39.4Ease

Inordertosuccessfullyexploitthisissue,theattackerwouldrequireamodemtobeattachedtotheAUXport.Ifamodemisalreadyattached,anattackercoulddiscoverthemodem'stelephonenumberduringawar-dial.However,eventhoughanumberofwardialtoolsareavailableontheInternet,awardialismorelikelytobediscoveredduetothenumberoftelephoneswhichwouldbecalledinanoffice.


NipperStudiorecommendsthat,ifnotrequired,theAUXportshouldbedisabled.IftheAUXportisrequiredandthedevicesupportscallbackthenNipperStudiosuggeststhatthecallbackfacilityshouldbeconfiguredasanadditionallevelofprotection.


TheauxiliaryportcanbedisabledwiththefollowingIOSauxiliarylinecommands:

transportinputnone

loginlocal

noexec

Overall:MEDIUM

Impact:Medium

Ease:Moderate

Fix:Quick

Overall:MEDIUM

Impact:Medium

Ease:Trivial

Fix:Planned


2.40NoBGPRouteFlapPrevention



2.40.2Finding

BGPisaroutingprotocolthatallowsnetworkdevicestodynamicallyadapttochangestothenetworktopology.BGProutersupdatetheirneighborswithchangessuchasnetworklinkstatuschanges.BGProuteflappingisaconditionwhereroutingtablesareconstantlybeingupdatedduetoalinktransitioningbetweenupanddownstatus.Thesetransitionscauseroutingtablestobecontinuouslyupdatedacrosstheinfrastructure.RoutingdevicescanbeconfiguredwithBGProutedampeninginordertohelpmitigateagainstconstantrouteflapping.

NipperStudiodeterminedthatBGProutedampeninghadnotbeenconfiguredonthetwodevicesdetailedinTable53.

Table53:DeviceswithnoBGProutedampening

Device Name



2.40.3Impact

Excessiverouteupdates,causedbyalinkstatusconstantlychangingbetweenuptodown,canimpactnetworkroutingperformance.Networkroutingcouldslowwithnetworkpacketsbeingdropped,possiblycausingaDoScondition.

2.40.4Ease

ItispossibleforanattackertosendBGPpacketstoaroutertoupdatetheroutingtableandcausearouteflappingcondition.However,theattackermayneedadditionalinformationinordertoperformtheattack,suchasaBGPpassword.


NipperStudiorecommendsthatBGProutedampeningshouldbeconfiguredtohelppreventexcessiveroutingupdatesfromcausingaDoScondition.


ThereareanumberofdifferentBGPoptionsthatcanbeconfiguredtohelpreducetheeffectsofrouteflapping.BGProutedampeningcanbeenabledonCiscoRouterdeviceswiththefollowingcommand:

bgpdampening


2.41NoRIPUpdateNeighborsWereConfigured



2.41.2Finding

RIPisaroutingprotocolthatallowsnetworkdevicestodynamicallyadapttochangesinthenetworkinfrastructure.TheroutingdevicescanbeconfiguredtosendRIProutingupdatestospecifiedRIPneighbors.Ifnotspecified,RIProutingupdateswillbesenttoallLANhosts.

NipperStudiodeterminedthatnoRIPneighborswereconfiguredonthetwodevicesdetailedinTable54.

Table54:DeviceswithnoRIPneighbors

Device Name



2.41.3Impact

WithnoRIProutingupdateneighborsconfigured,routeupdateswillbesenttoallLANhosts.Ifanattackerisabletomonitoranetworksegmenttowhichthedeviceisattached,theywouldbeabletomonitortheroutingtraffic.Thiswouldgivetheattacker:

alistofroutesthatthedevicesendingtheupdatesisawareof;ifclear-textauthenticationisused,theauthenticationkey;ifMD5authenticationisused,theauthenticationhashwhichcouldthenbesubjectedtoabrute-forceattack.

Overall:MEDIUM

Impact:Medium

Ease:Trivial

Fix:Quick

Overall:MEDIUM

Impact:Medium

Ease:N/A

Fix:Planned

2.41.4Ease

RIProutingupdateswillbesenttoallhostsontheLAN.ToolscanbedownloadedfromtheInternetthatcanbeusedtomonitor,extractandexploittheinformationcontainedintheRIProuteupdatepackets.


NipperStudiorecommendsthatRIProutingupdateneighborsshouldbeconfiguredtosendRIPupdatestospecificaddresses.


RIPneighborscanbeconfiguredonCiscoRouterdeviceswiththefollowingroutercommand:

neighborip-address


2.42NoHTTPServiceNetworkAccessRestrictions



2.42.2Finding

HTTP(RFC2616)providesweb-basedservices,suchasinformationservices,networkdeviceadministrationandotherpotentiallysensitiveservices.HTTPprovidesnoencryptionoftheconnectionbetweentheclientandserverincludinganyauthenticationanddatatransfer.HTTPS,whichisHTTPoverSecureSocketsLayer(SSL)/TLS,isusedtoprovidecryptographicallysecureweb-basedconnection.

NetworkaccesstotheHTTPservicecanberestrictedbyspecifyingthosehoststhatareallowedtoaccesstheserviceandtherebydenyingaccesstoallothernetworkhostaddresses.

NipperStudiodeterminedthattheHTTPserviceonrouter03wasnotconfiguredtorestrictaccesstoonlythosespecificnetworkhostaddressesthatarerequired.

2.42.3Impact

Withoutmanagementhostaddressrestrictionsanattacker,ormalicioususer,withauthenticationcredentialswouldbeabletoconnecttotheHTTPSservice,logonandaccessthefunctionalityandinformationprovidedforthatuser.Ifanattackerdoesnothaveauthenticationcredentialstheycouldattemptabrute-forceattackinordertoidentifyvalidcredentials.Additionally,ifthereisavulnerabilitywiththeservicethenallowinganyonetoconnecttotheservicecouldenableanattackertoexploitthevulnerability.

2.42.4Ease

WithnoHTTPnetworkhostaccessrestrictionsanattackerwouldnotbepreventedfromconnectingtotheservice.Furthermore,webbrowsersandotherweb-basedclienttoolsareincludedasstandardwithmostoperatingsystems.AlternativewebservicetoolsareavailableontheInternet,togetherwithvulnerabilityexploitcode,enumerationandbrute-forcetools.


NipperStudiorecommendsthataccesstotheHTTPserviceshouldberestrictedtoonlythosenetworkhoststhatrequireaccess.


ManagementhostscanbeconfiguredbyapplyinganAccessControlList(ACL).AnACLcanbeconfiguredandappliedusingthefollowingcommands:

ipaccess-liststandardaccess-list-number

remarkdescription

permitip-addresswildcard[log]

exit

iphttpaccess-classacl-number


2.43SyslogLoggingNotEnabled



2.43.2Finding

Loggingisanimportantcomponentofasecurenetworkconfiguration.Whenappropriatelyconfigured,themessagesloggedprovideawealthofinformationtoanetworkadministratorwhendiagnosingaproblem,identifyinganattackorwhenusedtoprovideanactivityaudittrail.Whenawellconfiguredloggingsystemiscombinedwithagoodmonitoringandalertsystemitwillenablenetworkadministratorstopromptlyrespondtonetworkingissues,DoSattacks,administrativesystemlogonsandahostofotherimportantinformation.

Syslogloggingprovidesanindustrystandardsystem(detailedinRFC5424)forloggingmessages,enablingthecollection,storageandadministrationoflogsfromavarietyofdevicestoasinglelocation.Thesendingoflogstoothersystems,notonlyprovidesextrastoragespaceforlogswhichcouldbesizerestrictedontheoriginatingnetworkdevice,butitalsoprovidesanextralevelofprotectionforthelogsinascenariowhereanattackerhascompromisedthesecurityofthe

Overall:MEDIUM

Impact:Medium

Ease:N/A

Fix:Planned

Overall:LOW

Impact:Medium

Ease:Moderate

Fix:Quick

messagesource.

NipperStudiodeterminedthattheloggingofsystemmessagestoaSyslogloggingserverwasnotconfiguredonrouter03.

2.43.3Impact

Ifloggingofsystemmessagesisnotconfigured,anetworkadministratormaynotbemadeawareofsignificanteventshappeningonthedevice.Theseeventscouldincludesecurityissuessuchasintrusionattempts,networkscans,authenticationfailuresordiagnosticandmanagementinformationsuchaspotentialhardwareissues.Withoutloggingsystemmessages,theinformationwouldnotbeavailabletoeitheraforensicinvestigationorfordiagnosticpurposes.

2.43.4Ease

SystemmessageswillnotbesenttoaSyslogloggingserver.


NipperStudiorecommendsthatSyslogloggingshouldbeconfiguredtoenablesystemmessagestobeloggedtoacentralloggingserver.


TheloggingofsystemmessagestoaremoteSysloghostcanbeconfiguredusingthefollowingcommand:

logginghostip-address


2.44NTPControlQueriesWerePermitted



2.44.2Finding

Timesynchronizationfornetworkdevicesisinherentlyimportant,notjustforthevariousservicesthatmakeuseoftime,butalsofortheaccurateloggingofevents.Thereforenetworkdevicescanbeconfiguredtosynchronizetheirtimeagainstanetworktimesourceinordertoensurethatthetimeissynchronized.

NTP(describedinRFC5905)isacomplextimesynchronizationprotocolwithanumberofdifferentfeaturesandoptions.Inadditiontotime,anumberofcontrolqueriescanbemadetoanNTPserver,theseincluderequestingalistoftheserversNTPpeersandanumberofdifferentvariables.

NipperStudiodeterminedthatNTPcontrolquerieswerepermittedonCiscoIOS15.

2.44.3Impact

AnattackermaysendcontrolqueriestoanNTPserviceinordertogatherinformationaboutthedevice.Inadditiontotimeinformation,anattackermaylearninternalIPaddressesofNTPpeersorbasicoperatingsysteminformation.

2.44.4Ease

NTPquerytoolsareinstalledbydefaultwithsomeoperatingsystemsandNTPtoolscanbedownloadedfromtheInternet.


NipperStudiorecommendsthat,ifatimeservermustbeconfiguredonthedevice,accessshouldberestrictedtoonlytimerequests.


NTPControlQueriescannotbedisabledonCiscoRouterdeviceswithoutdisablingNTP,theycanonlyberestrictedbyapplyinganACLtothem.Thiscanbedonewiththefollowingcommand:

ntpaccess-groupquery-onlyacl

Note,thatthismaystillbeflaggedasanissue,andifyouhavealreadyaddedthislinein,youcansafelyignoreit.


2.45NoSNMPTFTPServerAccessListConfigured



2.45.2Finding

UsingSNMP,somenetworkdevicescanbeinstructedtosenditsconfigurationtoafileonaspecifiedTFTPserver.Thisfeatureenablesnetworkadministratorsandmanagementsoftwaretoquicklyobtainacopyofadevice'sconfiguration.Anetworkaccesslistcanbeconfiguredonthosedevicestohelpsecureaccesstothisfunctionality(supportedonCiscoIOSdevicesfromversion10.2).

NipperStudiodeterminedthattheSNMPTFTPserveraccesslisthadnotbeenconfiguredonthetwodevicesdetailedinTable55.

Overall:LOW

Impact:Medium

Ease:Moderate

Fix:Planned

Table55:DeviceswithnoSNMPTFTPserveraccesslist

Name Type

router03 CiscoRouter

CiscoIOS15 CiscoRouter

2.45.3Impact

AnattackerwhohadSNMPwriteaccesscouldremotelyobtainacopyofadevice'sconfiguration.Theconfigurationwouldincludeanypasswordsforthedeviceandincludetheconfigurationoftheadministrativeservices.

2.45.4Ease

ForanattackertoexploitthisissuetheywouldrequireSNMPquerytools,aTFTPserverandacommunitystringwithwriteaccesstotheSNMPMIB.SNMPquerytoolsandTFTPserversoftwarecanbedownloadedfromtheInternetandsomeOSinstallthembydefault.Iftheattackerdoesnotknowthecommunitystringitmaybepossibletodetermineitbymonitoringthenetworktrafficorbybrute-forcingthecommunitystring.


NipperStudiorecommendsthataSNMPTFTPserverlistACLshouldbeconfiguredtoensurethatconfigurationsareonlysavedtospecifichosts.


ThefollowingexampleconfiguresACLnumber20foruseasaSNMPTFTPserverlistandgivesaccesstoasinglehostwithlogging.

access-list20permit192.168.0.50255.255.255.255log

access-list20denyanylog

TheACLcanthenbeassignedastheSNMPTFTPserverlistwiththefollowingcommand:

snmp-servertftp-server-list20


2.46NoOSPFLSAThresholds



2.46.2Finding

OSPFisaroutingprotocolthatcanbeconfiguredtodynamicallyupdatetheroutingtablewithchangestothenetworktopology.OSPFusesLSAtocommunicatechangestootherroutersandupdatetheroutersownLinkStateDatabase(LSDB).DevicescanbeconfiguredwithaLSAmessagethresholdinordertolimitthenumberofLSAmessagesbeingprocessedbythedevice.

NipperStudiodeterminedthatoneOSPFconfigurationonrouter03didnothaveaLSAmessagethresholdconfigured,thisisshowninTable56.

Table56:OSPFconfigurationswithnoLSAthresholdonrouter03

Process RouterID Active MaxLSA RFC1583

6 Yes Unlimited Yes

NipperStudiodeterminedthatoneOSPFconfigurationonCiscoIOS15didnothaveaLSAmessagethresholdconfigured,thisisshowninTable57.

Table57:OSPFconfigurationswithnoLSAthresholdonCiscoIOS15

Process RouterID Active MaxLSA RFC1583

1 Yes Unlimited Yes

2.46.3Impact

AnattackermaybeabletoperformanOSPFDoSbyfloodingthedevicewithLSAmessages.


2.46.4Ease

Overall:LOW

Impact:Low

Ease:Trivial

Fix:Planned

Overall:LOW

Impact:Low

Ease:Trivial

Fix:Quick

ToolscanbedownloadedfromtheInternetthatcanbeusedtoperformaDoSbyfloodingthedevicewithLSAmessages.


NipperStudiorecommendsthatthenumberofOSPFLSAmessagesacceptedbythedeviceshouldbelimited.


ThenumberofOSPFLSAmessagescanbelimitedonCiscoRouterdeviceswiththefollowingroutercommand:

max-lsathreshold


2.47NTPAuthenticationWasDisabled



2.47.2Finding

Timesynchronizationfornetworkdevicesisinherentlyimportant,notjustforthevariousservicesthatmakeuseoftime,butalsofortheaccurateloggingofevents.Thereforenetworkdevicescanbeconfiguredtosynchronizetheirtimeagainstanetworktimesourceinordertoensurethatthetimeissynchronized.

NTP(describedinRFC5905)isacomplextimesynchronizationprotocolwithanumberofdifferentfeaturesandoptionssuchastimeupdateauthentication.

NipperStudiodeterminedthatNTPauthenticationwasdisabledonrouter03.

2.47.3Impact

Ifanattackerisabletomodifyadevice'stimewithaninaccuratetimeupdatethenitwouldbemoredifficultduringanexaminationtocorrelatethesystemlogs.Furthermore,anysystemsthatdependonaccuratetime,suchassomeauthenticationsystems,couldbedisruptedandpotentiallycauseaDoS.

2.47.4Ease

WithNTPtimeauthenticationdisabled,anattackercouldattempttoupdatethetimebysendingmalicioustimeupdates.Anattackercoulddothisusingopensourcecodeorbysendingcustomizednetworkpacketsandspoofingthesourceaddress.


NipperStudiorecommendsthatNTPtimeauthenticationshouldbeenabled.


AuthenticatedNTPtimeupdatescanbeconfiguredonCiscoRouterdeviceswiththefollowingcommands:

ntpauthenticate

ntpauthentication-keykey-nummd5key-string

ntpserverip-addresskeykey-num[prefer]


2.48TheFingerServiceWasEnabled



2.48.2Finding

TheFingerprotocol(definedinRFC749andRFC1288)enablestheenumerationofstatusanduserinformationfromasystemrunningaFingerservice.TheFingerprotocolissimpleanddoesnotencryptthedataorprovideanyauthentication.ThedefaultTCPportfortheFingerserviceis79.

NipperStudiodeterminedthattheFingerservice(IPv4)wasenabledonrouter03.

2.48.3Impact

AnattackercouldusetheFingerservicetoenumerateusersanduserinformation.Theattackercouldthenusethisinformationaspartofatargetedattacksuchaspasswordguessingorabrute-forceattack.TheFingeruserinformationmayalsobeusedbyanattackerforatargetedattackwhereuseridentityinformationwouldbeuseful.

2.48.4Ease

TheFingerquerytoolisinstalledbydefaultonsomeplatformsbydefaultandisrelativelyeasytouse.Additionally,toolsthatanattackercanusetoattackasystemusingtheinformationobtainedusingFingerareavailabletodownloadfromtheInternet.


Overall:LOW

Impact:Medium

Ease:Moderate

Fix:Quick

Overall:LOW

Impact:Medium

Ease:Moderate

Fix:Quick

NipperStudiorecommendsthattheFingerserviceshouldbedisabledtohelppreventanattackerfromenumeratinguserinformation.


FingercanbedisabledonCiscoRouterdevicesusingthefollowingcommand:

noipfinger


2.49WeakSNMPCommunityStringsWereConfigured



2.49.2Finding

SNMPisanindustrystandardprotocolformonitoringandmanagingavarietyofdevices.SNMPservicestypicallyofferdetailedinformationthatincludesadevice'soperatingsystem,networkinterfaces,memory,systemcountersandsystemusers.AccesstotheSNMPMIBwithprotocolversions1and2isrestrictedusingacommunitystringtohelppreventunauthorizedaccess.

NipperStudioidentifiedthethreeweakSNMPcommunitystringsonCiscoIOS15thatarelistedbelow.

Table58:WeakSNMPcommunitystringsonCiscoIOS15

Community Access Version View ACL Weakness

Testcom ReadOnly 1 18 Tooshort

cisCommunity ReadOnly 1 3 Nonumbers

trapString ReadOnly 1 3 Nonumbers

2.49.3Impact

WithreadaccesstotheSNMPMIBanattackerwouldbeabletoenumeratealargequantityofinformationaboutthedevice,itsconfiguration,networkdetailsandmore.Theattackercouldthenusethisinformationaspartofatargetedattack.

2.49.4Ease

AnattackerwilltypicallyattempttogainaccesstoanSNMPservicebyguessingthecommunitystringusedtorestrictaccess.Thisusuallymeansthattestingfor"public"and"private"areattemptedfirstasthesearethemostcommoncommunitystrings.Ifsimplecommunitystringguessingdoesnotsucceedthenitwouldbetrivialforanattackertoperformadictionary-basedandbrute-forceattack.Thereareanumberoftoolsavailablethatanattackercoulduseforthisandtheydonotrequireanyadvancedskillsonbehalfoftheattacker.


NipperStudiorecommendsthat,ifnotrequired,SNMPshouldbedisabled.IfSNMPisrequiredthenNipperStudiorecommendsthatonlySNMPversion3shouldbeconfigured.IfaccessusingSNMPcommunitystringsisrequired,NipperStudiorecommendsthatonlystrongcommunitystringsshouldbechosenthatarealsonotusedforanyotherauthentication.





nosnmp-server


2.50IPDirectedBroadcastsWereEnabled



2.50.2Finding

ICMPechorequestscanbeaddressedtoanentirenetworkorsubnetaswellastoindividualhosts.Disablingdirectedbroadcastsoneachindividualnetworkinterfacewillhelppreventnetworkpingrequests.

Overall:LOW

Impact:Medium

Ease:Challenging

Fix:Quick

Overall:LOW

Impact:Low

Ease:Easy

Fix:Quick

NipperStudiodeterminedthatdirectedbroadcastswereenabledontwonetworkinterfacesonrouter03.ThesearedetailedinTable59.

Table59:Networkinterfacesonrouter03withdirectedbroadcastsenabled

Interface Active Address Proxy-ARP Directed ACLIn ACLOut Description

GigabitEthernet1/1 Yes 10.0.0.1 Off On Firstinterfaceonswitch

GigabitEthernet1/2 Yes 10.0.0.2 On On Secondinterfaceonswitch

2.50.3Impact

ADoSattackknownasaSmurfattackmakesuseofnetworkICMPechorequeststoperformtheattack.AnattackerwouldsendanICMPechorequestwiththevictimhostsIPaddressspoofedasthesourceaddress.Thehostsonthenetworkwouldthenreplytotheechorequest,floodingthevictimhost.

2.50.4Ease

ToolscanbedownloadedfromtheInternetthatarecapableofperformingthesmurfattackoutlinedabove.


NipperStudiorecommendsthatdirectedbroadcastsshouldbedisabledonallnetworkinterfaces.


DirectedbroadcastscanbedisabledonCiscoRouterdeviceswiththefollowingcommand:

noipdirectedbroadcast


2.51ServicePasswordEncryptionDisabled



2.51.2Finding

Somedevicepasswords,suchasuserauthenticationpasswords,donotneedtobeknownbythedevicewhichcanmakeauthenticationchecksbasedontheencryptedhash.Otherpasswordsneedtobeknownbythedeviceinorderthatitcanperformspecificoperationsusingtheclear-textversionofthepassword.TheservicepasswordencryptionoptioninstructsadevicetostorepasswordsusingCiscotype-7encryptionwhereitispossibleasthesecanbereversedtotheiroriginalclear-textform.Bydefaultthepasswordsareotherwisestoredintheconfigurationfileintheirclear-textform.

NipperStudiodeterminedthatservicepasswordencryptionwasdisabledonrouter03.

2.51.3Impact

Amalicioususeroranattackerwithaccesstothedevice'sconfigurationcouldquicklyextractclear-textpasswordswithouthavingtodecodeorbrute-forcethem.Alternatively,amalicioususercouldgainaclear-textpasswordiftheywerecloselywatchinganetworkadministrator.Theattackercouldthenmakeuseofthestolencredentialstogainalevelofaccesstothedevice.

2.51.4Ease

Anattackerwouldrequireaccesstothedeviceconfigurationorwouldhavetobecloselywatchinganetworkadministrator.Thisissuemayrequiretheattackertohaveaccesstothedeviceorabackupcopyoftheconfigurationforthedevice.


AlthoughCiscotype-7passwordsareeasilyreversed,andthereareanumberofprogramsthatreversethem,theydoprovideaneffectivebarrieragainstacasualobserver.Therefore,NipperStudiorecommendsthatservicepasswordencryptionshouldbeenabled.


ServicepasswordencryptioncanbeenabledonCiscoRouterdevicesusingthefollowingcommand:

servicepassword-encryption


2.52CDPWasEnabled



2.52.2Finding

CDPisaproprietaryprotocolthatwasdevelopedandisprimarilyusedbyCisco.ACDPenableddevicecanbeconfiguredtobroadcastCDPpacketsonthenetworkenablingnetworkmanagementapplicationsandCDPawaredevicestoidentifyeachother.CDPpacketsincludeinformationaboutthe

Overall:LOW

Impact:Low

Ease:Easy

Fix:Quick

sender,suchasOSversionandIPaddressinformation.

NipperStudiodeterminedthatCDPwasenabledontwonetworkinterfacesonrouter03.ThesearedetailedinTable60.

Table60:Networkinterfacesonrouter03withCDPenabled

Interface Active Description CDP

GigabitEthernet1/1 Yes Firstinterfaceonswitch On

GigabitEthernet1/2 Yes Secondinterfaceonswitch On

2.52.3Impact

CDPpacketscontaininformationaboutthesender,suchashardwaremodelinformation,operatingsystemversionandIPaddressdetails.Thisinformationwouldgiveanattackervaluableinformationaboutthedevice.Theattackercouldthenusethisinformationaspartofatargetedattack.

2.52.4Ease

CDPpacketsarebroadcasttoanentirenetworksegment.TheattackerormalicioususerwouldrequireaccesstoanetworksegmentonwhichtheCDPpacketsarebroadcastandnetworkmonitoringsoftware.Awidevarietyofnetworkmonitoring,packetcaptureandanalysistoolscanbedownloadedfromtheInternet.


NipperStudiorecommendsthat,ifnotrequired,CDPshouldbedisabled.

InsomeconfigurationswithIPphones,deployedusingeitherAutoDiscoveryorDynamicHostConfigurationProtocol(DHCP),theCDPservicemayneedtobeenabled.However,ifthedevicesupportsdisablingCDPonindividualinterfaces,thenNipperStudiorecommendsthatitshouldbedisabledonalltheinterfaceswhereitisnotrequired.


ThefollowingcommandscanbeusedtodisableCDPonCiscoRouterdevices.ThefirstcommanddisablesCDPfortheentiredevice,whilstthesecondcanbeusedtodisableCDPonindividualinterfaces.

nocdprun

nocdpenable


2.53SNMPAccessWithoutNetworkFiltering



2.53.2Finding

SNMPisanindustrystandardprotocolformonitoringandmanagingavarietyofdevices.SNMPservicestypicallyofferdetailedinformationthatincludesadevice'soperatingsystem,networkinterfaces,memory,systemcountersandsystemusers.AccesstotheSNMPservicecanberestrictedtospecificNetworkManagementSystem(NMS),orSNMPmanagementhosts,usingafilterlist.

NipperStudiodeterminedthatnonetworkfilteringhadbeenconfiguredtorestrictnetworkaccessusingoneSNMPcommunitystringonrouter03.ThisisshowninTable61.

Table61:SNMPcommunitystringwithnofilteringonrouter03



2.53.3Impact

Amalicioususer,orattacker,withacommunitystringfortheSNMPagent,couldgainaccesstothedataofferedbytheservice.Withnonetworkfilteringtheattackerwouldnotberestrictedbythedevicefromconnectingtotheservice.Additionally,ifasoftwarevulnerabilityexistedintheservice,thentheattackermaybeabletoexploitthevulnerabilitywithoutrequiringknowledgeofacommunitystring.

2.53.4Ease

AnattackerwouldnotbepreventedfromconnectingtotheSNMPagent.SNMPquerytoolsareincludedbydefaultwithsomeoperatingsystemsandfurtherquerytoolscanbedownloadedfromtheInternet.


NipperStudiorecommendsthat,ifnotrequired,SNMPshouldbedisabled.IfSNMPisrequiredthenNipperStudiorecommendsthatonlySNMPversion3shouldbeconfigured.Ifaccessusingcommunitystringsisrequired,NipperStudiorecommendsthatnetworkfilteringshouldbeconfiguredtorestrictaccesstotheservice.


Overall:LOW

Impact:Low

Ease:Easy

Fix:Quick

Overall:LOW

Impact:Low

Ease:Easy

Fix:Quick


nosnmp-server


2.54SNMPAccessWithNoView



2.54.2Finding

SNMPisanindustrystandardprotocolformonitoringandmanagingavarietyofdevices.SNMPservicestypicallyofferdetailedinformationthatincludesadevice'soperatingsystem,networkinterfaces,memory,systemcountersandsystemusers.ViewsareusedtorestrictaccesstospecificsectionsoftheSNMPMIB.ThisenablesanadministratortorestrictSNMPaccesstoonlytheinformationthatthecallerrequires.

NipperStudiodeterminedthataviewhadnotbeenconfiguredontwoSNMPcommunitystringsonrouter03.ThesearelistedinTable62.

Table62:SNMPcommunitystringswithnoviewonrouter03




NipperStudiodeterminedthataviewhadnotbeenconfiguredonthreeSNMPcommunitystringsonCiscoIOS15.ThesearelistedinTable63.

Table63:SNMPcommunitystringswithnoviewonCiscoIOS15


Testcom ReadOnly 1 18

cisCommunity ReadOnly 1 3

trapString ReadOnly 1 3

2.54.3Impact

Amalicioususer,orattacker,whohasSNMPaccessusingacommunitystringforwhichnoviewhadbeenconfiguredwouldhaveunrestrictedaccesstotheSNMPMIB.

2.54.4Ease

WithnoSNMPviewconfigured,anattackerwouldnotberestrictedtospecificsectionsoftheSNMPMIB.


NipperStudiorecommendsthat,ifnotrequired,SNMPshouldbedisabled.IfSNMPisrequiredthenNipperStudiorecommendsthataviewisconfiguredforeverycommunitystringinordertolimittheaccesstoonlythosesectionsoftheMIBthatarerequired.



nosnmp-server


2.55TheBOOTPServiceWasNotDisabled



2.55.2Finding

BOOTstrapProtocol(BOOTP)(describedinRFC951)isadatagramprotocolthatenablescompatiblehoststoloadtheiroperatingsystemoverthenetworkfromaBOOTPserver.However,thesedaysBOOTPservicesarerarelyused.

NipperStudiodeterminedthattheBOOTPservicehadnotbeendisabledonrouter03.However,itisworthnotingthatnotalldevicemodelswillsupporttheBOOTPserviceandthereforethisissuecouldhavebeenfalselydetermined.

2.55.3Impact

AnattackercoulduseadevicethatoffersaBOOTPservicetodownloadacopyofthedevice'sOSsoftware.

Overall:LOW

Impact:Low

Ease:Easy

Fix:Planned

Overall:LOW

Impact:Low

Ease:Moderate

Fix:Planned

2.55.4Ease

ToolsthatcaninteractwithBOOTPservicescanbedownloadedfromtheInternet.


NipperStudiorecommendsthat,ifnotrequired,theBOOTPserviceshouldbedisabled.


TheBOOTPservicecanbedisabledusingoneofthefollowingcommands:

ipdhcpbootpignore

noipbootpserver


2.56SwitchPortSecurityDisabled



2.56.2Finding

Switchportsecurityisusedtomonitorandrestrictthenumberofnetworkdevicesthatcanbeconnectedtoasingleswitchport.TheswitchdoesthisbymonitoringtheMediaAccessControl(MAC)addressesthatoriginatefromtheswitchport.TheMACaddressescaneitherbespecifiedforaparticularswitchportortheycanbedynamicallylearnedinordertosignificantlyreducetheadministrativeoverhead.WhenthenumberofpermittednumberofMACaddressesconnectedtoasingleswitchportisexceededthenanumberofdifferentactionscanbeperformed,suchasdisablingtheswitchport.

NipperStudiodeterminedthatswitchportsecuritywasdisabledontwoportsonrouter03.Thesearedetailedbelow.

Table64:Gigabitinterfaceswithdisabledportsecurityonrouter03

Interface Active Security MaxMAC Aging AgeType Sticky MAC Description

GigabitEthernet1/1 Yes Off N/A N/A N/A N/A Firstinterfaceonswitch

GigabitEthernet1/2 Yes Off N/A N/A N/A N/A Secondinterfaceonswitch

2.56.3Impact

Aswitchportwithnoconfiguredportsecuritycouldallowanattackertoattachanunauthorizeddeviceandgainaccesstothenetwork.

2.56.4Ease

Anattackerwouldhavetogainaccesstoaswitchportwithnosecurityconfigured.Iftheswitchportisnotdirectlypatchedtoawallsocket,theattackerwouldhavetogainphysicalaccesstothedevice.ItisworthnotingthatanattackercouldassumetheMACaddressofadevicealreadyattachedtotheportinordertogainaccessandbypasstheportsecurityfeature.


NipperStudiorecommendsthat,wherepossible,portsecurityshouldbeenabledonallswitchports.Furthermore,NipperStudiorecommendsthatallswitchportsthatarenotusedshouldbeshutdown.


SwitchportsecuritywithMACaddresslearningandportshutdownonaviolationcanbeconfiguredforeachinterfacewiththefollowingcommands:

switchportport-security

switchportport-securityviolationshutdown

switchportport-securitymac-addresssticky


2.57VTPWasInServerMode



2.57.2Finding

VTPwasdevelopedbyCiscotoassistwiththemanagementofVLANsovermultipledevices.Theprotocolenablestheaddition,renaminganddeletionofVLANsonasingleswitchtobepropagatedtoothernetworkswitchesinthesameVTPdomain.AdeviceinVTPservermodewilltransmitVTPpacketscontainingVLANinformation.IfadeviceinVTPclientmodeinthesamedomainreceivesaVTPnetworkpacketwithahigherrevisionnumberthechangeswillbeapplied.

NipperStudiodeterminedthatVTPwasinservermodeonrouter03.ItisworthmentioningthatalthoughtheVTPwasfoundtobeinservermodeonrouter03(adefaultsetting),noVTPdomainwasconfigured.However,therehavebeeninstanceswhereadeviceinthisconfigurationhavehadtheirVTPdomainset

Overall:LOW

Impact:Low

Ease:Moderate

Fix:Quick

Overall:LOW

Impact:Low

Ease:Easy

Fix:Quick

remotelyfromothernetworkeddevices.

2.57.3Impact

AnattackercoulddeterminetheVLANconfigurationbycapturingVTPpacketssentfromthedeviceandVTPpacketsarenotencrypted,evenwhenapasswordisspecified.TheattackercouldthenusetheVLANinformationorpasswordaspartofatargetedattack.

2.57.4Ease

ToolsthatarecapableofcapturingnetworkpacketsareavailableontheInternetandinstalledbydefaultonsomeOS.


NipperStudiorecommendsthat,ifnotrequired,VTPshouldbedisabledorplacedintransparentmode,evenifnoVTPdomainhasbeenconfigured.


VTPcanbesettotransparentmodeonCiscoRouterdevicesusingoneofthefollowingcommands:

vtptransparent

vtpmodetransparent


2.58IPSourceRoutingWasEnabled



2.58.2Finding

TCP/IPpacketscancontainsourcerouteinformation,thiscanenableapackettodefineitsownroutethroughanetworkratherthanusingaroutedefinedbystaticroutesorroutingprotocols.ThesourcerouteoptionfunctionalitywasdefinedinRFC791.

Manynetworkfilteringandroutingdevicesincludefacilitiesthatenablethemtoignorethesourceroutedefinedinapacketorblockthepacketsentirely.

NipperStudiodeterminedthatIPsourceroutingwasenabledonrouter03.

2.58.3Impact

IPsourceroutingcanallowanattackertospecifyarouteforanetworkpackettofollow,possiblytobypassaFirewalldeviceoranIntrusionDetectionSystem(IDS).Anattackercouldalsousesourceroutingtocapturenetworktrafficbyroutingitthroughasystemcontrolledbytheattacker.

2.58.4Ease

Anattackerwouldhavetocontroleitheraroutingdeviceoranendpointdeviceinordertomodifyapacketsroutethroughthenetwork.However,toolscanbedownloadedfromtheInternetthatwouldallowanattackertospecifysourceroutes.Toolsarealsoavailabletomodifynetworkroutingusingvulnerabilitiesinsomeroutingprotocols.


NipperStudiorecommendsthatIPsourceroutinginformationcontainedinnetworkpacketsshouldbeignored.


IPsourceroutingcanbedisabledonCiscoRouterdevicesusingthefollowingcommand:

noipsource-route


2.59ICMPAddressMaskReplyMessagesWereEnabled



2.59.2Finding

ICMPaddressmaskreplymessagesinformnetworkhostsoftheTCP/IPnetworkmaskforanetworksegment.ThisprotocolcannowberegardedaslegacyashostswilltypicallyeithermakeuseofprotocolssuchasDHCPorbeconfiguredfixedaddressinformation.

NipperStudiodeterminedthattwonetworkinterfacesonrouter03wereconfiguredtosendICMPmaskreplymessages.ThesearedetailedinTable65.

Interface Active Unreachables Redirects MaskReply Information Description

GigabitEthernet1/1 Yes On On On Off Firstinterfaceonswitch

GigabitEthernet1/2 Yes On On On Off Secondinterfaceonswitch

Overall:LOW

Impact:Low

Ease:Easy

Fix:Quick

Overall:LOW

Impact:Low

Ease:Easy

Fix:Quick

Table65:Networkinterfacesonrouter03withICMPinformationreplyenabled

2.59.3Impact

AnattackercouldusetheICMPaddressmaskreplyfeaturetogainadditionalinformationaboutthenetworkconfiguration.

2.59.4Ease

ICMPscanningtools,thatarecapablyofsendingvarioustypesofICMPmessages,canbedownloadedfromtheInternet.Furthermore,someOSincludeICMPtoolsasstandard.


NipperStudiorecommendsthat,ifnotrequired,ICMPaddressmaskreplymessagesshouldbedisabledonallnetworkinterfaces.


ICMPmaskreplymessagesendingcanbedisabledonnetworkinterfaceswiththefollowingcommand:

noipmask-reply


2.60ProxyARPWasEnabled



2.60.2Finding

ARPisaprotocolthatnetworkhostsusetotranslatenetworkIPaddressesintoMACaddresses.Undernormalcircumstances,ARPpacketsareconfinedtothesender'snetworksegment.However,somenetworkdevicescanbeconfiguredtoactasaproxyforARPrequests,retransmittinganARPrequestonothernetworksegmentsandsendinganyresponsebacktotheoriginatoroftherequest.

NipperStudiodeterminedthattheProxyARPfeaturewasenabledononenetworkinterfaceonrouter03.ThisisdetailedinTable66.

Table66:Networkinterfaceonrouter03withProxyARPenabled

Interface Active Address Proxy-ARP Directed ACLIn ACLOut Description

GigabitEthernet1/2 Yes 10.0.0.2 On On Secondinterfaceonswitch

2.60.3Impact

ArouterthatactsasaproxyforARPrequestswillextendlayertwoaccessacrossmultiplenetworksegments,potentiallybreakingperimetersecurity.

2.60.4Ease

AnetworkdevicewithproxyARPenabledwillproxyARPrequestsforallhostsonthoseinterfaces.AnumberofARPtoolscanbedownloadedfromtheInternetforuseinexploitingthisissue.


NipperStudiorecommendsthat,ifnotrequired,theProxyARPfeatureshouldbedisabledonallinterfaces.


ProxyARPcanbedisabledoninterfacesusingthefollowingcommand:

noipproxy-arp


2.61WeakMinimumPasswordLengthPolicySetting



2.61.2Finding

Theminimumpasswordlengthpolicysettingisusedtoforceuserstosetpasswordsthatareatleastthespecifiednumberofcharactersinlength.

NipperStudiodeterminedthattheminimumpasswordlengthpolicysettingwasconfiguredtolessthan8charactersonthetwodevicesdetailedinTable67.

Overall:LOW

Impact:Low

Ease:N/A

Fix:Quick

Table67:Deviceswithaweakminimumpasswordlengthpolicysetting

Name Type PasswordLength

router03 CiscoRouter 2characters

CiscoIOS15 CiscoRouter 6characters

2.61.3Impact

Strongauthenticationcredentialsareakeycomponentofasystemssecurity.Itisthereforeimportantthatauserchoosesastrongpasswordandthatitischangedonaregularbasis.Generally,thegreaterthenumberofcharacterswithinapasswordthestrongerthepasswordwillbe.Withashortminimumpasswordlengthconfiguredausercouldsetashortpassword,requiringlesstimeforanattackertobrute-forcetheauthenticationpassword.

2.61.4Ease

Ittakesfarlesstimeforanattackertobrute-forcetheauthenticationcredentialsforauseraccountthathasashortpassword.


NipperStudiorecommendsthataminimumpasswordlengthpolicysettingof8charactersshouldbeconfigured.


Aminimumpasswordlengthcanbeconfiguredwiththefollowingcommand:

securitypasswordsmin-lengthlength


2.62NoWarningInPre-LogonBanner



2.62.2Finding

Logonbannermessagesareanimportant,butoftenoverlooked,partofasecureconfiguration.Logonbannermessagescanprovideconnectinguserswithimportantinformationandwarnagainstunauthorizedaccess.

NipperStudiodeterminedthatLoginpre-logonbannermessageonrouter03didnotincludeawarningagainstunauthorizedaccess.Theconfiguredbannerwas:

Thisisatestbanner.

NipperStudiodeterminedthatLoginpre-logonbannermessageonCiscoIOS15didnotincludeawarningagainstunauthorizedaccess.Theconfiguredbannerwas:

Thisistheloginbanner

2.62.3Impact

Acarefullywordedwarningmessagecoulddeteracasualattackerormalicioususer,butnotadeterminedattacker.However,itwouldbemoredifficulttoproveanyintentwithoutamessagewarningagainstunauthorizedaccessifanylegalactionweretobetakenagainstanattacker.

2.62.4Ease

Anattackerwouldnotbepresentedwithacarefullywordedlegalwarningpriortoattemptingtologon.


NipperStudiorecommendsthatallpre-logonbannermessagesshouldbeconfiguredtowarnagainstunauthorizedaccess.


TheLoginbannermessageispresentedtousersbeforetheylogontoCiscoRouterdevicesandaftertheMessageOfTheDay(MOTD)messageisshownonTelnetconnections.TheLoginbannermessagecanbeconfiguredusingthefollowingcommand:

bannerlogindelimiterbanner-messagedelimiter


TheLoginbannermessageispresentedtousersbeforetheylogontoCiscoRouterdevicesandaftertheMOTDmessageisshownonTelnetconnections.TheLoginbannermessagecanbeconfiguredusingthefollowingcommand:

bannerlogindelimiterbanner-messagedelimiter

Overall:LOW

Impact:Low

Ease:N/A

Fix:Quick

Overall:INFORMATIONAL

Impact:Low

Ease:Easy

Fix:Planned


2.63ICMPUnreachableMessagesWereEnabled



2.63.2Finding

Whenanetworkpacketissenttoadestinationhostorservicethatisunreachable,aICMPunreachablemessagecanbesentfromanetworkgatewayorthedestinationhosttoinformtherequesterthatitwasunreachable.IfitisahostthatisunreachablethemessagewillbeintheformofanICMPhostunreachablemessage.ICMPunreachablemessagesaredescribedinmoredetailinRFC792.

NipperStudiodeterminedthattheICMPUnreachablesfeaturewasenabledontwonetworkinterfacesonrouter03.Thesearedetailedbelow.

Table68:Networkinterfacesonrouter03withICMPUnreachablesenabled




NipperStudiodeterminedthattheICMPUnreachablesfeaturewasenabledononenetworkinterfaceonCiscoIOS15.Thisisdetailedbelow.

Table69:NetworkinterfacesonCiscoIOS15withICMPUnreachablesenabled


FastEthernet0/0 Yes On On Off Off

2.63.3Impact

Anattackerwhowasperformingnetworkscanstodeterminewhatserviceswereavailablewouldbeabletoscanadevicemorequickly.IfthedevicebeingscannedsendsICMPunreachablemessages,informingtheattackerthatanetworkorprotocolisnotsupported,theattackerwillnothavetowaitforaconnectiontime-out.

2.63.4Ease

TheICMPmessagesareautomaticallyreturnedbyadevicewiththeICMPunreachablefeatureenabled.NetworkscanningtoolscanbedownloadedfromtheInternetthatareabletoperformawidevarietyofscantypesandtakeintoaccountICMPunreachablemessages.


NipperStudiorecommendsthat,ifnotrequired,ICMPunreachablemessagesshouldbedisabled.However,itisimportanttonotethatwhilstdisablingofICMPunreachablemessageswillnotstopanetworkscan,itwillmakethescanmoretimeconsumingfortheattackertoperform.


ICMPunreachablemessagesendingcanbedisabledonnetworkinterfaceswiththefollowingcommand:

noipunreachables


2.64Dictionary-BasedSNMPTraps



2.64.2Finding

SNMPtrapsandinformscanbeconfiguredtosendnotificationstoaSNMPNMShost.Trapnotificationsaresentwithoutanyconfirmationofreceiptfromthereceivinghost,whilstwithinformnotificationsthereceivinghostsendsaconfirmationofreceipt.Communitystringscanbeconfiguredfortrapsandinformnotificationstoprovideamethodofauthentication.

NipperStudioidentifiedtwodictionary-basedSNMPtrapcommunitystringsonrouter03.ThesearedetailedinTable70.

Table70:Dictionary-basedSNMPtrapcommunitystringsonrouter03

Host Type Version Security Community Notifications Port

192.168.20.30 Trap 1 Community private snmp 162



Impact:Low

Ease:Moderate

Fix:Planned

2.64.3Impact

Anattackerwhohadidentifiedadictionary-basedcommunitystringcouldfloodtheSNMPNMShostwithfalsenotificationmessages.ThefalsenotificationmessagescouldbeusedbyanattackertohideanattackwithinafloodoffalsenotificationsoraspartofaDoSattack.

2.64.4Ease

SNMPmanagementtoolscanbedownloadedfromtheInternetandsomeOSinstallSNMPmanagementtoolsbydefault.Althoughthesendingofnotificationmessagesisnotusuallytheprimarypurposeofmostofthesetools,theconfigurationofthesetoolsforsendingnotificationmessagesisusuallydetailedinthetoolsdocumentation.


NipperStudiorecommendsthat,ifnotrequired,SNMPshouldbedisabled.However,ifthesendingoftrapsisrequired,NipperStudiorecommendsthatastrongcommunitystringshouldbeconfiguredtoauthenticateallnotificationmessageswithaSNMPNMShost.NipperStudiorecommendsthat



ASNMPtrapcanbeconfiguredwiththefollowingcommand:

snmp-serverhostip-addresstraps[version{1|2c|3[noauth|auth|priv]}]community-string


2.65WeakSNMPTraps



2.65.2Finding

SNMPtrapsandinformscanbeconfiguredtosendnotificationstoaSNMPNMShost.Trapnotificationsaresentwithoutanyconfirmationofreceiptfromthereceivinghost,whilstwithinformnotificationsthereceivinghostsendsaconfirmationofreceipt.Communitystringscanbeconfiguredfortrapsandinformnotificationstoprovideamethodofauthentication.

NipperStudioidentifiedoneweakSNMPtrapcommunitystringonCiscoIOS15.ThisisdetailedinTable71.

Table71:WeakSNMPtrapcommunitystringonCiscoIOS15

Host Type Version Security Community Notifications Port Weakness

1.2.3.4 Trap 1 Community trapString 162snmp 0 Nonumbers

2.65.3Impact

AnattackerwhohadidentifiedaweakcommunitystringcouldfloodtheSNMPNMShostwithfalsenotificationmessages.ThefalsenotificationmessagescouldbeusedbyanattackertohideanattackwithinafloodoffalsenotificationsoraspartofaDoSattack.

2.65.4Ease

SNMPmanagementtoolscanbedownloadedfromtheInternetandsomeOSinstallSNMPmanagementtoolsbydefault.Althoughthesendingofnotificationmessagesisnotusuallytheprimarypurposeofmostofthesetools,theconfigurationofthesetoolsforsendingnotificationmessagesisusuallydetailedinthetoolsdocumentation.


NipperStudiorecommendsthat,ifnotrequired,SNMPshouldbedisabled.However,ifthesendingoftrapsisrequired,NipperStudiorecommendsthatastrongcommunitystringshouldbeconfiguredtoauthenticateallnotificationmessageswithaSNMPNMShost.NipperStudiorecommendsthat



ASNMPtrapcanbeconfiguredwiththefollowingcommand:


Impact:Informational

Ease:Easy

Fix:Quick



Ease:N/A

Fix:Planned

snmp-serverhostip-addresstraps[version{1|2c|3[noauth|auth|priv]}]community-string


2.66DNSLookupsWereEnabled



2.66.2Finding

SomenetworkdevicescanbeconfiguredtomakeuseofDNStoperformlookupsofaddressesthathavebeenspecifiedusingaDNSname.Inadditiontobeingusedforconnectingtootherdevices,theDNSlookupfunctionalitycouldbeusedforauditingpurposes.

NipperStudiodeterminedthatDNSlookupswereenabledonrouter03.

2.66.3Impact

AnattackerwhoisabletomonitorDNSqueriesfromthedevicethatcouldthenpotentiallybeusedaspartofatargetedattack.Somedevicesincludefunctionalitytoautomaticallyconnecttoadeviceifanadministratorsimplytypesinadevice'sDNSname.Unfortunatelythisalsomeansthatifanadministratormistypesanadministrativecommandthedevicewillautomaticallyperformalookupforthedeviceandattempttoconnecttoit.CiscoIOS-baseddevicesperformthisaction,butitcouldenableanattackertoperformaMan-In-The-Middle(MITM)attackiftheattackerweretoimmediatelyrespondtotheDNSquery,allowtheincomingconnectiontoattackerssystemandthenconnectstraightbacktothesender.

2.66.4Ease

ToolsthatcanmonitorDNSqueriescanbedownloadedfromtheInternet.


NipperStudiosuggeststhat,ifnotrequired,DNSlookupsshouldbedisabled.


DomainlookupscanbedisabledonCiscoRouterdeviceswiththefollowingcommands(thelattercommandisforCiscoIOS12.1andolder):

noipdomainlookup

noipdomain-lookup


2.67NoNetworkFilteringRulesWereConfigured



2.67.2Finding

Networkfilteringcanbeconfiguredtorestrictaccesstonetworkservicesfromonlythosehoststhatrequiretheaccess,helpingtopreventunauthorizedaccess.Whenconfigured,networkfilterrulesareprocessedsequentiallyandthefirstruleinthefilterrulelistwhichmatchesthenetworkpacketisapplied.

NipperStudiodeterminedthatnonetworkfilterruleswereconfiguredonthetwodevicesdetailedinTable72.

Table72:Deviceswithnonetworkfilterrules

Name Type DefaultAction

router03 CiscoRouter Blockallpackets

CiscoIOS15 CiscoRouter Blockallpackets

2.67.3Impact

Typicallyfirewallapplianceswilldropnetworktrafficiftherearenonetworkfilteringrulesconfigured.Whereasmostnon-firewallapplianceswillusuallyallowallnetworktrafficifnonetworkfilteringruleshavebeenconfigured.

Althoughnonetworkfilterruleshadbeenconfiguredthedefaultactionwastodroptheallnetworkpackets.Thereforeanattacker,ormalicioususer,wouldnotbeabletoaccessnetworkservicesasallnetworktrafficwouldbeblocked.

2.67.4Ease

Nospecialistskillsortoolsarerequiredbytheattackertoexploitthisissue.


NipperStudiorecommendsthatnetworkfilterrulesshouldbeconfiguredtohelppreventunauthorizedaccesstonetworkservices.



Ease:N/A

Fix:Quick



Ease:N/A

Fix:Quick


filterrulesshouldonlyallowaccesstospecificdestinationaddresses;filterrulesshouldonlyallowaccesstospecificdestinationnetworkports;filterrulesshouldonlyallowaccessfromspecificsourceaddresses;filterrulesshouldspecifyaspecificnetworkprotocol;ICMPfilterrulesshouldspecifyaspecificmessagetype;filterrulesshouldalwaysdropnetworkpacketsandnotrejectthem;filterrulesshouldperformaspecificactionandnotrelyonadefaultaction.


OnCiscoRouterdevicesnetworkfilterrulesareaddedtoACLwhichcanthenbeusedwhenconfiguringinterfaces,servicesandotheroptions.ACLcanbeeithernamedornumbered.IfnumberedastandardACLwillbenumberedbetween1-99and1300-1999,allotherswillbeextendedACL.ThefollowingcommandsshowhowtocreatebothnamedandnumberedstandardandextendedACLandfilterrules:

ipaccess-liststandardlist-name

[permit|deny]source-address[log]

exit

access-listnumber[permit|deny]source-address[log]

ipaccess-listextendedlist-name

[permit|deny]protocolsource-address[source-port]dest-address[dest-port][log]

exit

access-listnumber[permit|deny]protocolsource-address[source-port]dest-address[dest-port][log]


2.68NoPostLogonBannerMessage



2.68.2Finding

Postlogonbannermessagesareonesthatareshowntousersaftertheyhaveauthenticatedandpriortobeinggivenaccesstothedevice.Itisonethatisshowntouserswhentheyconnecttoadeviceandpriortotheuserlogon.

NipperStudiodeterminedthatrouter03wasconfiguredwithnopostlogonbannermessage.

2.68.3Impact

Thepostlogonbannerisusefulfordetailingtheacceptableusepolicyandthechangecontrolprocedureswhichshouldbefollowedpriortomakinganychangestoadevice'sconfiguration.Anacceptableusemessagedetailingthechangecontrolproceduresandwaningagainstabuseofthepolicycouldhelptopreventad-hocchangesbeingmadetoadevice'sconfiguration.

Additionally,ifadevicedoesnothavethefacilitiestoconfigureapre-logonbannermessagethenthepostlogonbannermessagecouldbetheonlyplacewherealegalwarningagainstunauthorizedaccesscouldbegiven.

2.68.4Ease

Withnopostlogonbannerconfigured,auserwouldnotbegivenareminderoftheacceptableuseandchangecontrolprocedurepolicydetails.


NipperStudiorecommendsthatapostlogonbannermessageisconfiguredthatdetailsboththeacceptableusepolicyandchangecontrolprocedures.Additionally,ifthedevicedoesnotsupportapre-logonbannermessagethenNipperStudiorecommendsthatthepostlogonbannermessageshouldalsoincludeacarefullywordedlegalwarningagainstunauthorizedaccess.


TheExecbannermessageisshownafterlogonandbeforethecommandpromptisshownonCiscoRouterdevices.TheExecbannermessagecanbeconfiguredonCiscoRouterdevicesusingthefollowingcommand:

bannerexecdelimiterbanner-messagedelimiter


2.69ICMPRedirectMessagesWereEnabled



2.69.2Finding

Whensendingnetworktrafficthrougharouter,ICMPredirectmessagescouldbesenttotherouterinordertoindicateaspecificroutethatthesendinghostwouldlikethenetworktraffictotake.OnarouterthatacceptsICMPredirectmessagethenetworktrafficwillbeforwardedusingthespecifiedroute.



Ease:N/A

Fix:Quick


Furthermore,somerouterswillcachethenewroutinginformationforusewithfuturenetworkpackets.

NipperStudiodeterminedthattheICMPRedirectsfeaturewasenabledontwonetworkinterfacesonrouter03.Thesearedetailedbelow.

Table73:Networkinterfacesonrouter03withICMPRedirectsenabled




NipperStudiodeterminedthattheICMPRedirectsfeaturewasenabledononenetworkinterfaceonCiscoIOS15.Thisisdetailedbelow.

Table74:NetworkinterfacesonCiscoIOS15withICMPRedirectsenabled



2.69.3Impact

AnattackercoulduseICMPredirectstomodifytheroutethatapackettakesthroughanetwork.However,itisworthnotingthatonnetworkswithfunctionalnetworkrouting,disablingICMPredirectswillhavelittletonoeffect.

2.69.4Ease

ICMPredirectmessageswillbeaccepted,butnotnecessarilyactedupon.AnattackercoulddownloadsoftwarefromtheInternetinordertoperformthisattack.


NipperStudiorecommendsthat,ifnotrequired,theprocessingofICMPredirectmessagesondevicesshouldbedisabled.


ICMPredirectmessagesendingcanbedisabledonnetworkinterfaceswiththefollowingcommand:

noipredirects


2.70PADServiceEnabled



2.70.2Finding

ThePADserviceenablesX.25commandsandconnectionsbetweenPADdevicesandaccessservers,convertingthecharacterstreamdataintonetworkpacketsandnetworkpacketsintocharacterstreamdata.ThePADserviceisenabledbydefaultonsomedevicesbutitisonlyrequiredifsupportforX.25linksarenecessary.

NipperStudiodeterminedthatthePADservicewasenabledonrouter03.

2.70.3Impact

Inadditiontotheextraoverhead,runningunusedservicesincreasesthechancesofanattackerfindingasecurityholeorfingerprintingadevice.

2.70.4Ease

ThePADservicewasenabled.


NipperStudiorecommendsthat,ifnotrequired,thePADserviceshouldbedisabled.


ThefollowingcommandcanbeusedtodisablethePADserviceonCiscoRouterdevices:

noservicepad


2.71UnrestrictedOutboundAdministrativeAccess


router03-CiscoRouter;


Ease:Challenging

Fix:Quick



Ease:Trivial

Fix:Quick


2.71.2Finding

Manynetworkdevices,suchasswitchesandrouters,containnetworkclienttoolsthatenableanetworkadministratortoconnecttoadministrativeservicesofferedbyotherdevices.Outboundaccessfromthesedevicestootherscanberestrictedtospecifichostaddressesinordertolimittheaccesstoonlythosethatarerequired.

NipperStudiodeterminedthatonrouter03nooutboundadministrativeserviceaccessACLwasconfiguredontheadministrativelinedetailedinTable75.

Table75:router03administrativelinewithnooutboundACL

Line Access Login Level Password Telnet SSH FilterIn

VTY0-4 Yes LinePassword 1 password No Yes 10

NipperStudiodeterminedthatonCiscoIOS15nooutboundadministrativeserviceaccessACLwasconfiguredontheadministrativelinesdetailedinTable76.

Table76:CiscoIOS15administrativelineswithnooutboundACL

Line Access Login Level Password Telnet SSH FilterIn

Interface0/0/0 Yes AAAAuthentication 1 No No

VTY0-4 Yes AAAAuthentication 1 password No Yes 1

VTY5-807 Yes AAAAuthentication 1 No Yes 1

2.71.3Impact

Amalicioususer,orattacker,withabasiclevelofaccesstothedevicecoulduseittoattackotherdevicesonthenetwork.Anattackermayprefertousethisfacilityasawayofmaskingtheirtrailorbecausethetargetdevicemaynotbecontactabledirectly.IfanoutboundACLhadbeenconfiguredthenthepotentiallistoftargetswouldberestrictedtoonlythosenetworkaddresses.

2.71.4Ease

Theattackermusthavealevelofaccesstothedeviceinordertobeabletousetheadministrativeserviceclienttoolstoaccessanothersystem.However,oncealevelofaccesshasbeengainedonthedevicetheattackerwouldthenbeabletousetheavailableclienttoolstoaccessservicesofferedbyotherdevices.


NipperStudiorecommendsthat,unlessrequired,anoutboundACLshouldbeconfiguredandassignedinordertorestrictadministrativeaccesstoothersystems.


OnCiscoRouterdevicesanoutboundACLcanbecreatedandassignedtoanadministrativelineusingthefollowingcommands:

ipaccess-liststandardaccess-list-number

remarkdescription

permitip-addresswildcard[log]

exit

lineline-typeline-number(s)

access-classaccess-list-numberout


2.72TCPSmallServicesEnabled



2.72.2Finding

SomedevicesandplatformsprovideacollectionofsimpleTCPnetworkservices,whicharealsosometimesreferredtoassmallservices.Theseservicesprovidelittlefunctionalityandarerarelyusedandtheytypicallyinclude:

Echo(definedinRFC862)returnsanydatasenttoitbacktotheconnectingclient;Discard(definedinRFC863)ignoresanydatasenttoitbyaconnectingclient;Chargen(definedinRFC864)generatesprintablecharacterswhicharereturnedtotheconnectingclient;Daytime(definedinRFC867)returnsthecurrenttimetoaconnectingclient.

NipperStudiodeterminedthattheTCPsmallserverswereenabledonrouter03.

2.72.3Impact

Eachrunningserviceincreasesthechancesofanattackerbeingabletoidentifythedeviceandsuccessfullycompromiseit.Althoughnotsignificant,someoftheservicesmayprovideanattackerwithsimpleinformationthatcouldthenbeusedaspartofatargetedattackagainstthesystem.



Ease:N/A

Fix:Quick



Ease:N/A

Fix:Quick

2.72.4Ease

ToolssuchasTelnetcanbeusedtoconnecttotheseservicesandareofteninstalledbydefault.


Itisgenerallyconsideredgoodsecuritypracticetodisableallunusedservicesandnotrunningtheserviceswillfreesystemresourcesforotheruse.ThereforeNipperStudiosuggeststhattheTCPsmallserversshouldbedisabled.


TCPsmallserverscanbedisabledonCiscoRouterdeviceswiththefollowingcommand:

noservicetcp-small-servers


2.73SwitchPortTrunkingAllowsAllVLANs



2.73.2Finding

VLANnetworkpacketscanbesentbetweennetworkeddevices,extendingaVLANacrossdifferentphysicaldevices.InordertoextendaVLANtoadifferentphysicaldeviceatrunkhastobecreatedbetweenthedevices.InordertorestrictVLANaccessoverdifferentphysicaldevicestheVLANtrunkcanbeconfiguredtoonlypermitspecificVLANs.

NipperStudiodeterminedthattwonetworkinterfacesonrouter03wereconfiguredtotrunkallVLANs.ThesearedetailedinTable77.

Table77:Networkinterfacesonrouter03thattrunkallVLANs

Interface Active VLAN Trunk TrunkVLAN Description

GigabitEthernet1/1 Yes 1 Yes All Firstinterfaceonswitch

GigabitEthernet1/2 Yes 1 Yes All Secondinterfaceonswitch

2.73.3Impact

AnattackerwhoisabletocreateatrunkwouldgaindirectaccesstoalltheVLANsextendedoverthetrunk.ThiswouldallowanattackertobypassanynetworkfilteringbetweentheVLANsandcapturepotentiallysensitiveinformation.Ifaclear-textprotocolsnetworktrafficistransferredoverthetrunkanattackerwouldgainimmediateaccesstoanyauthenticationcredentialstransferred.

ItisworthnotingthatsomenetworkdevicesdefaulttoallowingtrunkstobenegotiatedonthenetworkportsandbydefaultwillallowaccesstoallVLANs.

2.73.4Ease

ToolscanbedownloadedfromtheInternetthatarecapableofcreatingtrunks,ortheattackercoulduseanetworkswitch.Theattackerwouldrequirealittleknowledgeofnetworktrunking.


NipperStudiorecommendsthat,ifnotrequired,VLANtrunkingshouldbedisabled.Iftrunkingisrequiredonaspecificswitchport,NipperStudiorecommendsthattheswitchportshouldbeconfiguredtotrunkonlytherequiredVLANs.


SwitchportscanbeconfiguredtoprovidenotrunkingoronlytrunkspecificVLANsoneachinterfaceusingthefollowinginterfacecommands:

switchportmodeaccess

switchporttrunkallowedvlanvlan-list


2.74MOPEnabled



2.74.2Finding

MOPisusedwiththeDECnetprotocolsuite.AlthoughtheuseofMOPisnotwidespreaditisenabledbydefaultonanumberofpopularnetworkdevicemanufacturersproducts.

NipperStudiodeterminedthatMOPwasenabledontwonetworkinterfacesonrouter03.ThesearedetailedinTable78.

Table78:Networkinterfacesonrouter03withMOPenabled

Interface Active MOP ACLIn ACLOut Description

GigabitEthernet1/1 Yes On Firstinterfaceonswitch

GigabitEthernet1/2 Yes On Secondinterfaceonswitch

2.74.3Impact

Runningunusedservicesincreasesthechancesofanattackerfindingasecurityholeorfingerprintingadevice.

2.74.4Ease

FewtoolsareavailablethatmakeuseofMOP.


NipperStudiorecommendsthat,ifnotrequired,MOPshouldbedisabledonallEthernetinterfaces.


ItisworthnotingthatthisissuemayhavebeenfalselydeterminedonCiscoRouterdevicesduetothedifferencesbetweendifferentmodels.HoweverMOPcanbedisabledonindividualnetworkinterfacesusingthefollowingcommand:

nomopenable


2.75Conclusions

NipperStudioperformedasecurityauditon2March2017ofthedevicesdetailedinTable79.NipperStudioidentified73security-relatedissues.ThemostsignificantissuewasratedasCRITICAL.

Table79:Securityauditdeviceconclusions

Device Name Issues HighestRating

CiscoRouter router03 67 CRITICAL

CiscoRouter CiscoIOS15 24 CRITICAL

OneCRITICALratedsecurityissuewasidentified.NipperStudiodeterminedthat:

dictionary-baseduserauthenticationcredentialswereconfigured(twodevices,seesection2.2).

NipperStudioidentified24HIGHratedsecurityissues.NipperStudiodeterminedthat:

defaultSNMPcommunitystringswereconfigured(onedevice,seesection2.3);BGPneighborswereconfiguredwithnopassword(onedevice,seesection2.4);notallGLBPgroupswereauthenticated(onedevice,seesection2.5);GLBPgroupswereconfiguredwithclear-textauthentication(onedevice,seesection2.6);notallHSRPgroupswereauthenticated(onedevice,seesection2.7);HSRPgroupswereconfiguredwithclear-textauthentication(onedevice,seesection2.8);notallOSPFwereauthenticated(onedevice,seesection2.9);supportforRIPversion1routingupdateswasconfigured(twodevices,seesection2.10);clear-textRIPauthenticationwasconfigured(onedevice,seesection2.11);notallVRRPgroupswereauthenticated(onedevice,seesection2.12);VRRPgroupswereconfiguredwithclear-textauthentication(onedevice,seesection2.13);notallEIGRPupdateswereauthenticated(onedevice,seesection2.14);notallRIPwereauthenticated(onedevice,seesection2.15);lowVRRPprioritieswereconfigured(onedevice,seesection2.16);VTPwasconfiguredwithnopassword(onedevice,seesection2.17);lowGLBPgroupprioritieswereconfigured(onedevice,seesection2.18);lowHSRPprioritieswereconfigured(onedevice,seesection2.19);theUDPsmallserverswereenabled(onedevice,seesection2.20);theenablepasswordisnotstoredusinganMD5hash(twodevices,seesection2.21);theclear-textSNMPservicewasenabled(twodevices,seesection2.22);SNMPwriteaccesswasenabled(onedevice,seesection2.23);noHTTPserversessiontimeoutwasconfigured(onedevice,seesection2.24);TCPkeep-alivemessageswerenotconfiguredforinboundconnections(onedevice,seesection2.25);networkinterfaceswereconfiguredwithoutfiltering(twodevices,seesection2.26).

NipperStudioidentified18MEDIUMratedsecurityissues.NipperStudiodeterminedthat:

dictionary-basedroutingprotocolauthenticationkeyswereconfigured(onedevice,seesection2.27);dictionary-basedVRRPgroupauthenticationkeyswereconfigured(onedevice,seesection2.28);theSNMPsystemshutdownfacilitywasenabled(onedevice,seesection2.29);BGPneighborswereconfiguredwithdictionary-basedpasswords(onedevice,seesection2.30);DTPwasenabled(onedevice,seesection2.31);

theHTTPserverwasenabled(onedevice,seesection2.32);useraccountnamescontained"admin".(onedevice,seesection2.33);weakGLBPgroupauthenticationkeyswereconfigured(onedevice,seesection2.34);weakHSRPgroupauthenticationkeyswereconfigured(onedevice,seesection2.35);weakroutingprotocolauthenticationkeyswereconfigured(onedevice,seesection2.36);lowOSPFprioritieswereconfigured(twodevices,seesection2.37);notalluserswereconfiguredwithpasswordsstoredusingaMD5hash(twodevices,seesection2.38);theAUXportwasnotdisabled(onedevice,seesection2.39);BGProutingprocesseswereconfiguredwithoutroutedampening(twodevices,seesection2.40);noRIProutingupdateneighborswereconfigured(twodevices,seesection2.41);noHTTPnetworkhostaccessaddresseswereconfigured(onedevice,seesection2.42);theloggingofsystemmessagestoaSyslogloggingserverwasnotconfigured(onedevice,seesection2.43);NTPcontrolquerieswerepermitted(onedevice,seesection2.44).

NipperStudioidentified19LOWratedsecurityissues.NipperStudiodeterminedthat:

aSNMPTFTPserveraccesslistwasnotconfigured(twodevices,seesection2.45);noOSPFLSAmessagethresholdswereconfigured(twodevices,seesection2.46);NTPauthenticationwasdisabled(onedevice,seesection2.47);thefingerservicewasenabled(onedevice,seesection2.48);weakSNMPcommunitystringswereconfigured(onedevice,seesection2.49);directedbroadcastswereenabled(onedevice,seesection2.50);servicepasswordencryptionwasdisabled(onedevice,seesection2.51);CDPwasenabled(onedevice,seesection2.52);networkfilteringwasnotconfiguredtorestrictSNMPaccess(onedevice,seesection2.53);SNMPcommunitystringswereconfiguredwithoutaview(twodevices,seesection2.54);theBOOTPservicewasnotdisabled(onedevice,seesection2.55);portsecuritywasnotenabledonallswitchports(onedevice,seesection2.56);theVTPwasinservermode(onedevice,seesection2.57);IPsourceroutingwasenabled(onedevice,seesection2.58);ICMPaddressmaskreplymessageswereenabled(onedevice,seesection2.59);proxyARPwasenabled(onedevice,seesection2.60);aweakminimumpasswordlengthpolicysettingwasconfigured(twodevices,seesection2.61);nounauthorizedaccesswarninginthepre-logonbannermessage(twodevices,seesection2.62);ICMPunreachablemessageswereenabled(twodevices,seesection2.63).

NipperStudioidentifiedelevenINFOratedsecurityissues.NipperStudiodeterminedthat:

dictionary-basedSNMPtrapcommunitystringswereconfigured(onedevice,seesection2.64);weakSNMPtrapcommunitystringswereconfigured(onedevice,seesection2.65);DNSlookupswereenabled(onedevice,seesection2.66);nonetworkfilteringruleswereconfigured(twodevices,seesection2.67);nopostlogonbannermessagewasconfigured(onedevice,seesection2.68);ICMPredirectmessagesendingwasenabled(twodevices,seesection2.69);thePADservicewasenabled(onedevice,seesection2.70);nooutboundadministrativeACLhasbeenconfigured(twodevices,seesection2.71);theTCPsmallserverswereenabled(onedevice,seesection2.72);trunkingwasenabledforallVLANs(onedevice,seesection2.73);MOPwasenabled(onedevice,seesection2.74).

NipperStudiocandrawthefollowingstatisticsfromtheresultsofthissecurityassessment,(percentageshavebeenrounded).1issue(1%)wasratedascritical,24issues(33%)wereratedashigh,18issues(25%)wereratedasmedium,19issues(26%)wereratedaslowand11issues(15%)wereratedasinformational.Thenumberofdevicesthatcontainvulnerabilitieswithaspecificratingisasfollows;2deviceshadissuesratedascritical,2deviceshadissuesratedashigh,2deviceshadissuesratedasmedium,2deviceshadissuesratedaslowand2deviceshadissuesratedasinformational.


2.76Recommendations

Thissectioncollatesthesecurityauditissuerecommendationsintoasinglelocationinordertoprovideaguidetoplanningandmitigatingtheidentifiedissues.TherecommendationsarelistedinTable80togetherwiththeissueratingandalistofaffecteddevices.

Issue Rating Recommendation AffectedDevices

Section

UsersWithDictionary-BasedPasswords CRITICAL Configurestrongpasswordsforalluserauthenticationcredentials. router03 2.2

CiscoIOS15

DefaultSNMPCommunityStringsWereConfigured HIGH ConfigurestrongSNMPcommunitystrings. router03 2.3

BGPNeighborsConfiguredWithNoPasswords HIGH ConfigurestrongBGPneighborauthenticationpasswordsforallroutingupdates. router03 2.4

NotAllGLBPGroupsWereAuthenticated HIGH ConfigurestrongauthenticationkeysforallGLBPgroups. router03 2.5

Clear-TextGLBPGroupAuthenticationWas

Configured

HIGH ConfigureMD5authenticationforallGLBPgroups. router03 2.6

NotAllHSRPGroupsWereAuthenticated HIGH ConfigurestrongauthenticationkeysforallHSRPgroups. router03 2.7

Clear-TextHSRPGroupAuthenticationWas

Configured

HIGH ConfigureMD5authenticationforallHSRPgroups. router03 2.8

NotAllOSPFRoutingUpdatesWereAuthenticated HIGH ConfigurestrongauthenticationkeysforallOSPFroutingupdates. router03 2.9

RIPVersion1WasConfigured HIGH ConfiguresupportforRIPversion2only.

OR

MigratetoadevicethathassupportforRIPversion2.

router03

CiscoIOS15

2.10

Clear-TextRIPAuthenticationWasConfigured HIGH ConfigureMD5authenticationforallroutingupdates. router03 2.11

NotAllVRRPGroupsWereAuthenticated HIGH ConfigurestrongauthenticationkeysforallVRRPgroups. router03 2.12

Clear-TextVRRPGroupAuthenticationWas

Configured

HIGH ConfigureMD5authenticationforallVRRPgroups. router03 2.13

NotAllEIGRPUpdatesWereAuthenticated HIGH ConfigurestrongEIGRPauthenticationkeysforallroutingupdates. router03 2.14

NotAllRIPUpdatesWereAuthenticated HIGH ConfigurestrongauthenticationkeysforallRIProutingupdates. router03 2.15

LowVRRPRouterPriorities HIGH ConfigureonlyhighVRRPpriorities. router03 2.16

NoVTPAuthenticationPasswordWasConfigured HIGH ChangetheVTPmodetotransparent.

OR

ConfigureastrongVTPpassword.

router03 2.17

LowGLBPGroupPriorities HIGH ConfigureonlyhighGLBPgrouppriorities. router03 2.18

LowHSRPRouterPriorities HIGH ConfigureonlyhighHSRPpriorities. router03 2.19

UDPSmallServicesEnabled HIGH DisabletheUDPsmallservers. router03 2.20

EnablePasswordConfigured HIGH ConfigureenablepasswordstobestoredonlyusingtheMD5hash. router03

CiscoIOS15

2.21

Clear-TextSNMPInUse HIGH Disableaccesstotheclear-textSNMPservice.

OR

ConfigureSNMPversion3withauthenticationandprivacypasswordsinsteadofSNMP

versions1or2.

router03

CiscoIOS15

2.22

SNMPWriteAccessEnabled HIGH DisabletheSNMPservice.

OR

ReplaceallwriteaccesscommunitystringswithreadonlySNMPcommunitystrings.

router03 2.23

NoHTTPServerSessionTimeout HIGH ConfigureaHTTPserversessiontimeoutofatmost10minutes. router03 2.24

NoInboundTCPConnectionKeep-Alives HIGH EnableTCPkeep-alivemessagesforinboundconnections. router03 2.25

InterfacesWereConfiguredWithNoFiltering HIGH Assignnetworkfilteringrulestoallnetworkinterfaces. router03

CiscoIOS15

2.26

Dictionary-BasedRoutingProtocolAuthentication

Keys

MEDIUM Configurestrongroutingprotocolauthenticationkeysforallroutingupdates. router03 2.27

Dictionary-BasedVRRPGroupAuthenticationKeys MEDIUM ConfigurestrongVRRPauthenticationkeysforallgroups. router03 2.28

SNMPSystemShutdownEnabled MEDIUM DisableSNMPsystemshutdownfacility. router03 2.29

BGPNeighborsConfiguredWithDictionary-Based

Passwords

MEDIUM ConfigurestrongBGPneighborauthenticationpasswordsforallroutingupdates. CiscoIOS15 2.30

DTPWasEnabled MEDIUM DisableDTP. router03 2.31

ClearTextHTTPServiceEnabled MEDIUM DisabletheHTTPserver. router03 2.32

UserAccountNamesContained"admin" MEDIUM Ensureadminstrativeorelevatedprivilegeaccountsdonotcontaininformation

identifyingthemassuch.

CiscoIOS15 2.33

WeakGLBPGroupAuthenticationKeys MEDIUM ConfigurestrongGLBPauthenticationkeysforallgroups. router03 2.34

WeakHSRPGroupAuthenticationKeys MEDIUM ConfigurestrongHSRPauthenticationkeysforallgroups. router03 2.35

WeakRoutingProtocolAuthenticationKeys MEDIUM Configurestrongroutingprotocolauthenticationkeysforallroutingupdates. CiscoIOS15 2.36

LowOSPFRouterPriorities MEDIUM ConfigureonlyhighOSPFpriorities. router03

CiscoIOS15

2.37

UsersConfiguredWithWeakPasswordEncryption MEDIUM ConfigurealluserstostorepasswordsusinganMD5hash. router03

CiscoIOS15

2.38

AUXPortNotDisabled MEDIUM DisabletheAUXport.

OR

Configurethecallbackfacility.

router03 2.39

NoBGPRouteFlapPrevention MEDIUM ConfigureBGProutedampeningforallBGProutingprocesses. router03

CiscoIOS15

2.40

NoRIPUpdateNeighborsWereConfigured MEDIUM ConfigureRIProutingupdateneighbors router03

CiscoIOS15

2.41

NoHTTPServiceNetworkAccessRestrictions MEDIUM RestricttheHTTPservicetoonlythosehoststhatrequireaccess. router03 2.42

SyslogLoggingNotEnabled MEDIUM ConfigureSyslogmessagelogging. router03 2.43

NTPControlQueriesWerePermitted MEDIUM RestrictNTPserveraccesstoonlytimerequests. CiscoIOS15 2.44

Table80:Securityauditrecommendationslist

NoSNMPTFTPServerAccessListConfigured LOW ConfigureaSNMPTFTPserveraccesslist. router03

CiscoIOS15

2.45

NoOSPFLSAThresholds LOW ConfigureOSPFLSAmessagethresholdsforallOSPFroutingprocesses. router03

CiscoIOS15

2.46

NTPAuthenticationWasDisabled LOW EnableNTPauthentication. router03 2.47

TheFingerServiceWasEnabled LOW Disablethefingerservice. router03 2.48

WeakSNMPCommunityStringsWereConfigured LOW ConfigurestrongSNMPcommunitystrings. CiscoIOS15 2.49

IPDirectedBroadcastsWereEnabled LOW Disabledirectedbroadcastsonallinterfaces. router03 2.50

ServicePasswordEncryptionDisabled LOW Enableservicepasswordencryption. router03 2.51

CDPWasEnabled LOW DisableCDP. router03 2.52

SNMPAccessWithoutNetworkFiltering LOW ConfigureSNMPnetworkfilteringtorestrictnetworkaccess. router03 2.53

SNMPAccessWithNoView LOW ConfigureaviewtolimitaccesstotheSNMPMIB. router03

CiscoIOS15

2.54

TheBOOTPServiceWasNotDisabled LOW DisabletheBOOTPservice. router03 2.55

SwitchPortSecurityDisabled LOW Enableportsecurityonallswitchports. router03 2.56

VTPWasInServerMode LOW ChangetheVTPmodetotransparent. router03 2.57

IPSourceRoutingWasEnabled LOW DisableIPsourcerouting. router03 2.58

ICMPAddressMaskReplyMessagesWereEnabled LOW DisablethesendingofICMPaddressmaskreplymessagesonallnetworkinterfaces. router03 2.59

ProxyARPWasEnabled LOW DisableproxyARPonallinterfaces. router03 2.60

WeakMinimumPasswordLengthPolicySetting LOW Configuredaminimumpasswordlengthpolicysettingof8characters router03

CiscoIOS15

2.61

NoWarningInPre-LogonBanner LOW Modifythepre-logonbannermessagetoincludeacarefullywordedlegalwarning. router03

CiscoIOS15

2.62

ICMPUnreachableMessagesWereEnabled LOW DisablethesendingofICMPunreachablemessages. router03

CiscoIOS15

2.63

Dictionary-BasedSNMPTraps INFO ConfigurestrongSNMPtrapcommunitystrings. router03 2.64

WeakSNMPTraps INFO ConfigurestrongSNMPtrapcommunitystrings. CiscoIOS15 2.65

DNSLookupsWereEnabled INFO DisableDNSlookups. router03 2.66

NoNetworkFilteringRulesWereConfigured INFO Configurenetworkfilteringtorestrictaccesstonetworkservices. router03

CiscoIOS15

2.67

NoPostLogonBannerMessage INFO Configureapostlogonbannermessagedetailingtheacceptableusepolicyandchange

controlprocedures.

router03 2.68

ICMPRedirectMessagesWereEnabled INFO DisablethesendingofICMPredirectmessages. router03

CiscoIOS15

2.69

PADServiceEnabled INFO DisablethePADservice. router03 2.70

UnrestrictedOutboundAdministrativeAccess INFO ConfigureanACLtorestrictoutboundadministrativeserviceaccess. router03

CiscoIOS15

2.71

TCPSmallServicesEnabled INFO DisabletheTCPsmallservers. router03 2.72

SwitchPortTrunkingAllowsAllVLANs INFO DisableVLANtrunking.

OR

ConfiguretrunkingforonlytherequiredVLANs.

router03 2.73

MOPEnabled INFO DisableMOPonallinterfaces. router03 2.74


2.77MitigationClassification

Thissectionaimstoprovideaguidetotheperceivedcomplexityofresolvingaparticularissuebyimplementingtherecommendation.AnoutlineofhoweachmitigationclassificationhasbeendeterminedisdescribedinTable81.

Table81:Themitigationclassification

Classification Description

QUICK Theissueisquicktoresolve.Typicallythiswouldjustinvolvechangingasmallnumberofsettingsandwouldhavelittle-to-noeffectonnetworkservices.

PLANNED Theissueresolutioninvolvesplanning,testingandcouldcausesomedisruptiontoservices.Thisissuecouldinvolvechangestoroutingprotocolsandchangesto

networkfiltering.

INVOLVED Theresolutionoftheissuewillrequiresignificantresourcestoresolveandislikelytoincludedisruptiontonetworkservices,andpossiblythemodificationof

othernetworkdeviceconfigurations.Theissuecouldinvolveupgradingadevice'sOSandpossiblemodificationstothehardware.

NipperStudioidentified38securityissueswithmitigationrecommendationsthatwereclassifiedasQUICK.Thoseissueswere:

CRITICAL:UsersWithDictionary-BasedPasswords(twodevices,seesection2.2);HIGH:DefaultSNMPCommunityStringsWereConfigured(onedevice,seesection2.3);HIGH:UDPSmallServicesEnabled(onedevice,seesection2.20);HIGH:EnablePasswordConfigured(twodevices,seesection2.21);HIGH:SNMPWriteAccessEnabled(onedevice,seesection2.23);

HIGH:NoHTTPServerSessionTimeout(onedevice,seesection2.24);HIGH:NoInboundTCPConnectionKeep-Alives(onedevice,seesection2.25);HIGH:InterfacesWereConfiguredWithNoFiltering(twodevices,seesection2.26);MEDIUM:SNMPSystemShutdownEnabled(onedevice,seesection2.29);MEDIUM:ClearTextHTTPServiceEnabled(onedevice,seesection2.32);MEDIUM:UserAccountNamesContained"admin"(onedevice,seesection2.33);MEDIUM:UsersConfiguredWithWeakPasswordEncryption(twodevices,seesection2.38);MEDIUM:AUXPortNotDisabled(onedevice,seesection2.39);MEDIUM:NoBGPRouteFlapPrevention(twodevices,seesection2.40);MEDIUM:NoHTTPServiceNetworkAccessRestrictions(onedevice,seesection2.42);LOW:NoSNMPTFTPServerAccessListConfigured(twodevices,seesection2.45);LOW:TheFingerServiceWasEnabled(onedevice,seesection2.48);LOW:WeakSNMPCommunityStringsWereConfigured(onedevice,seesection2.49);LOW:IPDirectedBroadcastsWereEnabled(onedevice,seesection2.50);LOW:ServicePasswordEncryptionDisabled(onedevice,seesection2.51);LOW:CDPWasEnabled(onedevice,seesection2.52);LOW:SNMPAccessWithoutNetworkFiltering(onedevice,seesection2.53);LOW:SNMPAccessWithNoView(twodevices,seesection2.54);LOW:TheBOOTPServiceWasNotDisabled(onedevice,seesection2.55);LOW:IPSourceRoutingWasEnabled(onedevice,seesection2.58);LOW:ICMPAddressMaskReplyMessagesWereEnabled(onedevice,seesection2.59);LOW:ProxyARPWasEnabled(onedevice,seesection2.60);LOW:WeakMinimumPasswordLengthPolicySetting(twodevices,seesection2.61);LOW:NoWarningInPre-LogonBanner(twodevices,seesection2.62);LOW:ICMPUnreachableMessagesWereEnabled(twodevices,seesection2.63);INFO:DNSLookupsWereEnabled(onedevice,seesection2.66);INFO:NoPostLogonBannerMessage(onedevice,seesection2.68);INFO:ICMPRedirectMessagesWereEnabled(twodevices,seesection2.69);INFO:PADServiceEnabled(onedevice,seesection2.70);INFO:UnrestrictedOutboundAdministrativeAccess(twodevices,seesection2.71);INFO:TCPSmallServicesEnabled(onedevice,seesection2.72);INFO:SwitchPortTrunkingAllowsAllVLANs(onedevice,seesection2.73);INFO:MOPEnabled(onedevice,seesection2.74).

NipperStudioidentified19securityissueswithmitigationrecommendationsthatwereclassifiedasPLANNED.Thoseissueswere:

HIGH:NotAllEIGRPUpdatesWereAuthenticated(onedevice,seesection2.14);HIGH:NotAllRIPUpdatesWereAuthenticated(onedevice,seesection2.15);HIGH:LowVRRPRouterPriorities(onedevice,seesection2.16);HIGH:NoVTPAuthenticationPasswordWasConfigured(onedevice,seesection2.17);HIGH:LowGLBPGroupPriorities(onedevice,seesection2.18);HIGH:LowHSRPRouterPriorities(onedevice,seesection2.19);HIGH:Clear-TextSNMPInUse(twodevices,seesection2.22);MEDIUM:DTPWasEnabled(onedevice,seesection2.31);MEDIUM:LowOSPFRouterPriorities(twodevices,seesection2.37);MEDIUM:NoRIPUpdateNeighborsWereConfigured(twodevices,seesection2.41);MEDIUM:SyslogLoggingNotEnabled(onedevice,seesection2.43);MEDIUM:NTPControlQueriesWerePermitted(onedevice,seesection2.44);LOW:NoOSPFLSAThresholds(twodevices,seesection2.46);LOW:NTPAuthenticationWasDisabled(onedevice,seesection2.47);LOW:SwitchPortSecurityDisabled(onedevice,seesection2.56);LOW:VTPWasInServerMode(onedevice,seesection2.57);INFO:Dictionary-BasedSNMPTraps(onedevice,seesection2.64);INFO:WeakSNMPTraps(onedevice,seesection2.65);INFO:NoNetworkFilteringRulesWereConfigured(twodevices,seesection2.67).

NipperStudioidentified16securityissueswithmitigationrecommendationsthatwereclassifiedasINVOLVED.Thoseissueswere:

HIGH:BGPNeighborsConfiguredWithNoPasswords(onedevice,seesection2.4);HIGH:NotAllGLBPGroupsWereAuthenticated(onedevice,seesection2.5);HIGH:Clear-TextGLBPGroupAuthenticationWasConfigured(onedevice,seesection2.6);HIGH:NotAllHSRPGroupsWereAuthenticated(onedevice,seesection2.7);HIGH:Clear-TextHSRPGroupAuthenticationWasConfigured(onedevice,seesection2.8);HIGH:NotAllOSPFRoutingUpdatesWereAuthenticated(onedevice,seesection2.9);HIGH:RIPVersion1WasConfigured(twodevices,seesection2.10);HIGH:Clear-TextRIPAuthenticationWasConfigured(onedevice,seesection2.11);HIGH:NotAllVRRPGroupsWereAuthenticated(onedevice,seesection2.12);HIGH:Clear-TextVRRPGroupAuthenticationWasConfigured(onedevice,seesection2.13);MEDIUM:Dictionary-BasedRoutingProtocolAuthenticationKeys(onedevice,seesection2.27);MEDIUM:Dictionary-BasedVRRPGroupAuthenticationKeys(onedevice,seesection2.28);MEDIUM:BGPNeighborsConfiguredWithDictionary-BasedPasswords(onedevice,seesection2.30);MEDIUM:WeakGLBPGroupAuthenticationKeys(onedevice,seesection2.34);MEDIUM:WeakHSRPGroupAuthenticationKeys(onedevice,seesection2.35);MEDIUM:WeakRoutingProtocolAuthenticationKeys(onedevice,seesection2.36).

NipperStudiocandrawthefollowingadditionalconclusionfromthesecurityauditbasedontheclassificationoftherecommendedissuemitigations.Mostofthe

OverallRating:CRITICAL

CVSSv2Score:10.0

CVSSv2Base:AV:N/AC:L/Au:N/C:C/I:C/A:C(10.0)

CVSSv2Temporal:E:ND/RL:ND/RC:ND(10.0)

CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

Published:23/09/2006


CVSSv2Score:10.0



securityissuerecommendationsareperceivedtobequicktoimplement,enablingthemajorityoftheissuestobequicklyresolvedwithoutrequiringasignificantallocationofresourcesorsystemdisruption.Ofthe73securityissuesidentified,38(52%)recommendationswereclassifiedashavingaquickmitigation,19(26%)recommendationswereclassifiedashavingaplannedmitigationand16(21%)recommendationswereclassifiedashavingainvolvedmitigation.


3VulnerabilityAudit3.1Introduction

NipperStudioperformedasoftwarevulnerabilityauditon2March2017ofthetwodevicesdetailedinTable82.Theauditwasperformedbycomparingthedevicesoftwareversionsagainstadatabaseofknownvulnerabilitiesreportedbybothdevicemanufacturersandthird-partysecurityspecialists.

Table82:Softwarevulnerabilityauditscope

Device Type Model Version

router03 CiscoRouter IOS12.3

CiscoIOS15 CiscoRouter IOS15.0

Thevulnerabilitydatabaseusedinthisauditwasupdatedon10February2017.EachvulnerabilityisdetailedwithaCVSSv2score,advisoryreferencesandthird-partyreferences.


3.2CVE-2006-4950

3.2.1Summary

CiscoIOS12.2through12.4before20060920,asusedbyCiscoIAD2430,IAD2431,andIAD2432IntegratedAccessDevices,theVG224AnalogPhoneGateway,andtheMWR1900and1941MobileWirelessEdgeRouters,isincorrectlyidentifiedassupportingDOCSIS,whichallowsremoteattackerstogainread-writeaccessviaahard-codedcable-docsiscommunitystringandreadormodifyarbitrarySNMPvariables.

3.2.2AffectedDevice

TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.

3.2.3References

Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:

SECTRACK1016899Weblink:http://securitytracker.com/id?1016899;CISCO20060920DOCSISRead-WriteCommunityStringEnabledinNon-DOCSISPlatformsWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20060920-docsis.shtml;CERT-VNVU#123140Weblink:http://www.kb.cert.org/vuls/id/123140;BID20125Weblink:http://www.securityfocus.com/bid/20125;VUPENADV-2006-3722Weblink:http://www.vupen.com/english/advisories/2006/3722;XFios-docsis-default-snmp(29054)Weblink:http://xforce.iss.net/xforce/xfdb/29054.


3.3CVE-2007-0480

3.3.1Summary

CiscoIOS9.x,10.x,11.x,and12.xandIOSXR2.0.x,3.0.x,and3.2.xallowsremoteattackerstocauseadenialofserviceorexecutearbitrarycodeviaacraftedIPoptionintheIPheaderina(1)ICMP,(2)PIMv2,(3)PGM,or(4)URDpacket.




CVSSv2Score:10.0






CVSSv2Score:10.0





3.3.2AffectedDevice


3.3.3VendorSecurityAdvisory

Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:

CISCO20070124CraftedIPOptionVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb157.shtml.

3.3.4References


SECTRACK1017555Weblink:http://securitytracker.com/id?1017555;CERT-VNVU#341288Weblink:http://www.kb.cert.org/vuls/id/341288;BID22211Weblink:http://www.securityfocus.com/bid/22211;CERTTA07-024AWeblink:http://www.us-cert.gov/cas/techalerts/TA07-024A.html;VUPENADV-2007-0329Weblink:http://www.vupen.com/english/advisories/2007/0329;XFcisco-ip-option-code-execution(31725)Weblink:http://xforce.iss.net/xforce/xfdb/31725.


3.4CVE-2010-0580

3.4.1Summary

UnspecifiedvulnerabilityintheSIPimplementationinCiscoIOS12.3and12.4allowsremoteattackerstoexecutearbitrarycodeviaamalformedSIPmessage,akaBugIDCSCsz48680,the"SIPMessageProcessingArbitraryCodeExecutionVulnerability."

3.4.2AffectedDevice


3.4.3VendorSecurityAdvisories

Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:

Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=20064;CISCO20100324CiscoIOSSoftwareSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20f32.shtml.

3.4.4Reference

Thefollowingreferencecontainsfurtherinformationaboutthisvulnerability:

SECTRACK1023744Weblink:http://securitytracker.com/id?1023744.


3.5CVE-2010-0581

3.5.1Summary

UnspecifiedvulnerabilityintheSIPimplementationinCiscoIOS12.3and12.4allowsremoteattackerstoexecutearbitrarycodeviaamalformedSIPmessage,akaBugIDCSCsz89904,the"SIPPacketParsingArbitraryCodeExecutionVulnerability."

3.5.2AffectedDevice





3.5.4Reference


CVSSv2Score:10.0






CVSSv2Score:9.3

CVSSv2Base:AV:N/AC:M/Au:N/C:C/I:C/A:C(9.3)





CVSSv2Score:9.3








3.6CVE-2011-0935

3.6.1Summary

ThePKIfunctionalityinCiscoIOS15.0and15.1doesnotpreventpermanentcachingofcertainpublickeys,whichallowsremoteattackerstobypassauthenticationandhaveunspecifiedotherimpactbyleveraginganIKEpeerrelationshipinwhichakeywaspreviouslyvalidbutlaterrevoked,akaBugIDCSCth82164,adifferentvulnerabilitythanCVE-2010-4685.

3.6.2AffectedDevice

TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.

3.6.3References


Weblink:http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151-2TCAVS.html;Weblink:http://www.cisco.com/en/US/docs/ios/15_1s/release/notes/15_1s_caveats_15_1_1s.html;BID47407Weblink:http://www.securityfocus.com/bid/47407.


3.7CVE-2005-3481

3.7.1Summary

CiscoIOS12.0to12.4mightallowremoteattackerstoexecutearbitrarycodeviaaheap-basedbufferoverflowinsystemtimers.NOTE:thisissuedoesnotcorrespondtoaspecificvulnerability,ratherageneralweaknessthatonlyincreasesthefeasibilityofexploitationofanyvulnerabilitiesthatmightexist.Suchdesign-levelweaknessesnormallyarenotincludedinCVE,soperhapsthisissueshouldbeREJECTed.

3.7.2AffectedDevice




CISCO20051102IOSHeap-basedOverflowVulnerabilityinSystemTimersWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.

3.7.4References


SECTRACK1015139Weblink:http://securitytracker.com/id?1015139;CERT-VNVU#562945Weblink:http://www.kb.cert.org/vuls/id/562945;BID15275Weblink:http://www.securityfocus.com/bid/15275;VUPENADV-2005-2282Weblink:http://www.vupen.com/english/advisories/2005/2282.


3.8CVE-2006-3291

3.8.1Summary

ThewebinterfaceonCiscoIOS12.3(8)JAand12.3(8)JA1,asusedontheCiscoWirelessAccessPointandWirelessBridge,reconfiguresitselfwhenitischangedtousethe"LocalUserListOnly(IndividualPasswords)"setting,whichremovesallsecurityandpasswordconfigurationsandallowsremoteattackerstoaccessthesystem.

3.8.2AffectedDevice


CVSSv2Score:9.3






CVSSv2Score:9.3






3.8.3References


SECTRACK1016399Weblink:http://securitytracker.com/id?1016399;CISCO20060628AccessPointWeb-browserInterfaceVulnerabilityWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20060628-ap.shtml;CERT-VNVU#544484Weblink:http://www.kb.cert.org/vuls/id/544484;BID18704Weblink:http://www.securityfocus.com/bid/18704;VUPENADV-2006-2584Weblink:http://www.vupen.com/english/advisories/2006/2584;XFcisco-ap-browser-unauth-access(27437)Weblink:http://xforce.iss.net/xforce/xfdb/27437.


3.9CVE-2007-2586

3.9.1Summary

TheFTPServerinCiscoIOS11.3through12.4doesnotproperlycheckuserauthorization,whichallowsremoteattackerstoexecutearbitrarycode,andhaveotherimpactincludingreadingstartup-config,asdemonstratedbyacraftedMKDcommandthatinvolvesaccesstoaVTYdeviceandoverflowsabuffer,akabugIDCSCek55259.

3.9.2AffectedDevice




CISCO20070509MultipleVulnerabilitiesintheIOSFTPServerWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a00808399d0.shtml;VUPENADV-2007-1749Weblink:http://www.vupen.com/english/advisories/2007/1749.

3.9.4References


BUGTRAQ20090120Re:RemoteCiscoIOSFTPexploitWeblink:http://seclists.org/bugtraq/2009/Jan/0183.html;EXPLOIT-DB6155Weblink:http://www.exploit-db.com/exploits/6155;MILW0RM6155Weblink:http://www.milw0rm.com/exploits/6155;BUGTRAQ20080729RemoteCiscoIOSFTPexploitWeblink:http://www.securityfocus.com/archive/1/494868;BID23885Weblink:http://www.securityfocus.com/bid/23885;SECTRACK1018030Weblink:http://www.securitytracker.com/id?1018030;XFcisco-ios-ftp-unauthorized-access(34197)Weblink:http://xforce.iss.net/xforce/xfdb/34197.


3.10CVE-2007-4286

3.10.1Summary

BufferoverflowintheNextHopResolutionProtocol(NHRP)functionalityinCiscoIOS12.0through12.4allowsremoteattackerstocauseadenialofservice(restart)andexecutearbitrarycodeviaacraftedNHRPpacket.



3.10.3References


CVSSv2Score:9.3






CVSSv2Score:9.3






CISCO20070808CiscoIOSNextHopResolutionProtocolVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a008089963b.shtml;CERT-VNVU#201984Weblink:http://www.kb.cert.org/vuls/id/201984;BUGTRAQ20070809CiscoNHRPdenialofservice(cisco-sa-20070808-nhrp)Weblink:http://www.securityfocus.com/archive/1/archive/1/475931/100/0/threaded;BID25238Weblink:http://www.securityfocus.com/bid/25238;SECTRACK1018535Weblink:http://www.securitytracker.com/id?1018535;VUPENADV-2007-2818Weblink:http://www.vupen.com/english/advisories/2007/2818;XFcisco-ios-nexthop-bo(35889)Weblink:http://xforce.iss.net/xforce/xfdb/35889.


3.11CVE-2007-4292

3.11.1Summary

MultiplememoryleaksinCiscoIOS12.0through12.4allowremoteattackerstocauseadenialofservice(devicecrash)viaamalformedSIPpacket,aka(1)CSCsf11855,(2)CSCeb21064,(3)CSCse40276,(4)CSCse68355,(5)CSCsf30058,(6)CSCsb24007,and(7)CSCsc60249.



3.11.3References


SECTRACK1018533Weblink:http://securitytracker.com/id?1018533;CISCO20070808VoiceVulnerabilitiesinCiscoIOSandCiscoUnifiedCommunicationsManagerWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080899653.shtml;BID25239Weblink:http://www.securityfocus.com/bid/25239;VUPENADV-2007-2816Weblink:http://www.vupen.com/english/advisories/2007/2816;XFcisco-ios-sip-dos(35890)Weblink:http://xforce.iss.net/xforce/xfdb/35890.


3.12CVE-2007-5381

3.12.1Summary

Stack-basedbufferoverflowintheLinePrinterDaemon(LPD)inCiscoIOSbefore12.2(18)SXF11,12.4(16a),and12.4(2)T6allowremoteattackerstoexecutearbitrarycodebysettingalonghostnameonthetargetsystem,thencausinganerrormessagetobeprinted,asdemonstratedbyatelnetsessiontotheLPDfromasourceportotherthan515.



3.12.3References


CISCO20071010CiscoIOSLinePrinterDaemon(LPD)ProtocolStackOverflowWeblink:http://www.cisco.com/en/US/products/products_security_response09186a00808d72e3.html;MISCWeblink:http://www.irmplc.com/index.php/155-Advisory-024;CERT-VNVU#230505Weblink:http://www.kb.cert.org/vuls/id/230505;BID26001Weblink:http://www.securityfocus.com/bid/26001;SECTRACK1018798Weblink:http://www.securitytracker.com/id?1018798;VUPENADV-2007-3457Weblink:http://www.vupen.com/english/advisories/2007/3457;XFcisco-ios-lpd-bo(37046)


CVSSv2Score:9.3






CVSSv2Score:9.3






CVSSv2Score:9.0

CVSSv2Base:AV:N/AC:L/Au:N/C:P/I:P/A:C(9.0)




Weblink:http://xforce.iss.net/xforce/xfdb/37046.


3.13CVE-2008-3807

3.13.1Summary

CiscoIOS12.2and12.3onCiscouBR10012seriesdevices,whenlinecardredundancyisconfigured,enablesaread/writeSNMPservicewith"private"asthecommunity,whichallowsremoteattackerstoobtainadministrativeaccessbyguessingthiscommunityandsendingSNMPrequests.



3.13.3References


CISCO20080924CiscouBR10012SeriesDevicesSNMPVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a014b1.shtml;SECTRACK1020941Weblink:http://www.securitytracker.com/id?1020941;VUPENADV-2008-2670Weblink:http://www.vupen.com/english/advisories/2008/2670.


3.14CVE-2011-4012

3.14.1Summary

CiscoIOS12.0,15.0,and15.1,whenaPolicyFeatureCard3C(PFC3C)isused,doesnotcreateafragmententryduringprocessingofanICMPv6ACL,whichhasunspecifiedimpactandremoteattackvectors,akaBugIDCSCtj90091.



3.14.3References


Weblink:http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/caveats_SXJ.html;SECTRACK1027005Weblink:http://www.securitytracker.com/id?1027005.


3.15CVE-2007-4285

3.15.1Summary

UnspecifiedvulnerabilityinCiscoIOSandCiscoIOSXR12.xupto12.3,includingsomeversionsbefore12.3(15)and12.3(14)T,allowsremoteattackerstoobtainsensitiveinformation(partialpacketcontents)orcauseadenialofservice(routerorcomponentcrash)viacraftedIPv6packetswithaType0routingheader.





CISCO20070808CiscoIOSInformationLeakageUsingIPv6RoutingHeaderWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080899647.shtml;VUPENADV-2007-2819Weblink:http://www.vupen.com/english/advisories/2007/2819.

3.15.4References


SECTRACK1018542Weblink:http://www.securitytracker.com/id?1018542;


CVSSv2Score:9.0






CVSSv2Score:9.0





OverallRating:HIGH

CVSSv2Score:8.5

CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:P/A:C(8.5)



XFcisco-ios-ipv6-header-dos(35906)Weblink:http://xforce.iss.net/xforce/xfdb/35906.


3.16CVE-2009-0628

3.16.1Summary

MemoryleakintheSSLVPNfeatureinCiscoIOS12.3through12.4allowsremoteattackerstocauseadenialofservice(memoryconsumptionanddevicecrash)bydisconnectinganSSLsessioninanabnormalmanner,leadingtoaTransmissionControlBlock(TCB)leak.





CISCO20090325CiscoIOSSoftwareWebVPNandSSLVPNVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90424.shtml;Weblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90469.shtml;VUPENADV-2009-0851Weblink:http://www.vupen.com/english/advisories/2009/0851.

3.16.4References


SECTRACK1021896Weblink:http://securitytracker.com/id?1021896;BID34239Weblink:http://www.securityfocus.com/bid/34239;XFios-sslvpn-tcbleak-dos(49427)Weblink:http://xforce.iss.net/xforce/xfdb/49427.


3.17CVE-2015-0635

3.17.1Summary

TheAutonomicNetworkingInfrastructure(ANI)implementationinCiscoIOS12.2,12.4,15.0,15.2,15.3,and15.4andIOSXE3.10.xSthrough3.13.xSbefore3.13.1SallowsremoteattackerstospoofAutonomicNetworkingRegistrationAuthority(ANRA)responses,andconsequentlybypassintendeddeviceandnodeaccessrestrictionsorcauseadenialofservice(disrupteddomainaccess),viacraftedANmessages,akaBugIDCSCup62191.





CISCO20150325MultipleVulnerabilitiesinCiscoIOSSoftwareandIOSXESoftwareAutonomicNetworkingInfrastructureWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-ani.

3.17.4Reference


SECTRACK1031982Weblink:http://www.securitytracker.com/id/1031982.


3.18CVE-2008-3805

3.18.1Summary

CiscoIOS12.0through12.4onCisco10000,uBR10012anduBR7200seriesdeviceshandlesexternalUDPpacketsthataresentto127.0.0.0/8addressesintendedforIPCcommunicationwithinthedevice,whichallowsremoteattackerstocauseadenialofservice(deviceorlinecardreload)viacraftedUDPpackets,adifferentvulnerabilitythanCVE-2008-3806.


OverallRating:HIGH

CVSSv2Score:8.5

CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:P/A:C(8.5)




OverallRating:HIGH

CVSSv2Score:8.5

CVSSv2Base:AV:N/AC:M/Au:S/C:C/I:C/A:C(8.5)






3.18.3References


Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=16646;CISCO20080924Cisco10000,uBR10012,uBR7200SeriesDevicesIPCVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a014ae.shtml;SECTRACK1020935Weblink:http://www.securitytracker.com/id?1020935;VUPENADV-2008-2670Weblink:http://www.vupen.com/english/advisories/2008/2670.


3.19CVE-2008-3806

3.19.1Summary

CiscoIOS12.0through12.4onCisco10000,uBR10012anduBR7200seriesdeviceshandlesexternalUDPpacketsthataresentto127.0.0.0/8addressesintendedforIPCcommunicationwithinthedevice,whichallowsremoteattackerstocauseadenialofservice(deviceorlinecardreload)viacraftedUDPpackets,adifferentvulnerabilitythanCVE-2008-3805.



3.19.3References


Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=16646;CISCO20080924Cisco10000,uBR10012,uBR7200SeriesDevicesIPCVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a014ae.shtml;XFios-udp-ipc-dos-variant2(45592)Weblink:http://xforce.iss.net/xforce/xfdb/45592.


3.20CVE-2012-0384

3.20.1Summary

CiscoIOS12.2through12.4and15.0through15.2andIOSXE2.1.xthrough2.6.xand3.1.xSbefore3.1.2S,3.2.xSthrough3.4.xSbefore3.4.2S,3.5.xSbefore3.5.1S,and3.1.xSGand3.2.xSGbefore3.2.2SG,whenAAAauthorizationisenabled,allowremoteauthenticateduserstobypassintendedaccessrestrictionsandexecutecommandsviaa(1)HTTPor(2)HTTPSsession,akaBugIDCSCtr91106.


Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:

CiscoRouter-router03;CiscoRouter-CiscoIOS15.



CISCO20120328CiscoIOSSoftwareCommandAuthorizationBypassWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai.

3.20.4References


BID52755Weblink:http://www.securityfocus.com/bid/52755;SECTRACK1026860Weblink:http://www.securitytracker.com/id?1026860.


3.21CVE-2016-6380

OverallRating:HIGH

CVSSv2Score:8.3

CVSSv2Base:AV:N/AC:M/Au:N/C:P/I:P/A:C(8.3)




OverallRating:HIGH

CVSSv2Score:7.8

CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)




OverallRating:HIGH

CVSSv2Score:7.8





3.21.1Summary

TheDNSforwarderinCiscoIOS12.0through12.4and15.0through15.6andIOSXE3.1through3.15allowsremoteattackerstoobtainsensitiveinformationfromprocessmemoryorcauseadenialofservice(datacorruptionordevicereload)viaacraftedDNSresponse,akaBugIDCSCup90532.






CISCO20160928CiscoIOSandIOSXESoftwareDNSForwarderDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-dns.

3.21.4Reference


BID93201Weblink:http://www.securityfocus.com/bid/93201.


3.22CVE-2007-0479

3.22.1Summary

MemoryleakintheTCPlistenerinCiscoIOS9.x,10.x,11.x,and12.xallowsremoteattackerstocauseadenialofservicebysendingcraftedTCPtraffictoanIPv4addressontheIOSdevice.



3.22.3References


SECTRACK1017551Weblink:http://securitytracker.com/id?1017551;CISCO20070124CraftedTCPPacketCanCauseDenialofServiceWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb0e4.shtml;CERT-VNVU#217912Weblink:http://www.kb.cert.org/vuls/id/217912;BID22208Weblink:http://www.securityfocus.com/bid/22208;CERTTA07-024AWeblink:http://www.us-cert.gov/cas/techalerts/TA07-024A.html;VUPENADV-2007-0329Weblink:http://www.vupen.com/english/advisories/2007/0329;XFcisco-tcp-ipv4-dos(31716)Weblink:http://xforce.iss.net/xforce/xfdb/31716.


3.23CVE-2007-0481

3.23.1Summary

CiscoIOSallowsremoteattackerstocauseadenialofservice(crash)viaacraftedIPv6Type0Routingheader.



3.23.3References


SECTRACK1017550Weblink:http://securitytracker.com/id?1017550;CISCO20070124IPv6RoutingHeaderVulnerability

OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





Weblink:http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb0fd.shtml;CERT-VNVU#274760Weblink:http://www.kb.cert.org/vuls/id/274760;BID22210Weblink:http://www.securityfocus.com/bid/22210;CERTTA07-024AWeblink:http://www.us-cert.gov/cas/techalerts/TA07-024A.html;VUPENADV-2007-0329Weblink:http://www.vupen.com/english/advisories/2007/0329;XFcisco-ios-ipv6-type0-dos(31715)Weblink:http://xforce.iss.net/xforce/xfdb/31715.


3.24CVE-2007-0648

3.24.1Summary

CiscoIOSafter12.3(14)T,12.3(8)YC1,12.3(8)YG,and12.4,withvoicesupportandwithoutSessionInitiatedProtocol(SIP)configured,allowsremoteattackerstocauseadenialofservice(crash)bysendingacraftedpackettoport5060/UDP.





Weblink:http://www.cisco.com/warp/public/707/cisco-air-20070131-sip.shtml;CISCO20070131SIPPacketReloadsIOSDevicesNotConfiguredforSIPWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml.

3.24.4References


SECTRACK1017575Weblink:http://securitytracker.com/id?1017575;CERT-VNVU#438176Weblink:http://www.kb.cert.org/vuls/id/438176;BID22330Weblink:http://www.securityfocus.com/bid/22330;VUPENADV-2007-0428Weblink:http://www.vupen.com/english/advisories/2007/0428;XFcisco-sip-packet-dos(31990)Weblink:http://xforce.iss.net/xforce/xfdb/31990.


3.25CVE-2007-2813

3.25.1Summary

CiscoIOS12.4andearlier,whenusingthecryptopackagesandSSLsupportisenabled,allowsremoteattackerstocauseadenialofserviceviaamalformed(1)ClientHello,(2)ChangeCipherSpec,or(3)FinishedmessageduringanSSLsession.



3.25.3References


CISCO20070522MultipleVulnerabilitiesinCiscoIOSWhileProcessingSSLPacketsWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080847c49.shtml;BID24097Weblink:http://www.securityfocus.com/bid/24097;SECTRACK1018094Weblink:http://www.securitytracker.com/id?1018094;VUPENADV-2007-1910Weblink:http://www.vupen.com/english/advisories/2007/1910;XFcisco-ios-clienthello-dos(34432)Weblink:http://xforce.iss.net/xforce/xfdb/34432;XFcisco-ios-changecipherspec-dos(34436)

OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





Weblink:http://xforce.iss.net/xforce/xfdb/34436;XFcisco-ios-finished-dos(34442)Weblink:http://xforce.iss.net/xforce/xfdb/34442.


3.26CVE-2008-1152

3.26.1Summary

Thedata-linkswitching(DLSw)componentinCiscoIOS12.0through12.4allowsremoteattackerstocauseadenialofservice(devicerestartormemoryconsumption)viacrafted(1)UDPport2067or(2)IPprotocol91packets.



3.26.3References


CISCO20080326MultipleDLSwDenialofServiceVulnerabilitiesinCiscoIOSWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080969866.shtml;BID28465Weblink:http://www.securityfocus.com/bid/28465;SECTRACK1019712Weblink:http://www.securitytracker.com/id?1019712;CERTTA08-087BWeblink:http://www.us-cert.gov/cas/techalerts/TA08-087B.html;VUPENADV-2008-1006Weblink:http://www.vupen.com/english/advisories/2008/1006/references;XFcisco-ios-dlsw-dos(41482)Weblink:http://xforce.iss.net/xforce/xfdb/41482.


3.27CVE-2008-2739

3.27.1Summary

TheSERVICE.DNSsignatureengineintheIntrusionPreventionSystem(IPS)inCiscoIOS12.3and12.4allowsremoteattackerstocauseadenialofservice(devicecrashorhang)vianetworktrafficthattriggersunspecifiedIPSsignatures,adifferentvulnerabilitythanCVE-2008-1447.



3.27.3References


CISCO20080924CiscoIOSIPSDenialofServiceVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01556.shtml;VUPENADV-2008-2670Weblink:http://www.vupen.com/english/advisories/2008/2670.


3.28CVE-2008-3799

3.28.1Summary

MemoryleakintheSessionInitiationProtocol(SIP)implementationinCiscoIOS12.2through12.4,whenVoIPisconfigured,allowsremoteattackerstocauseadenialofservice(memoryconsumptionandvoice-serviceoutage)viaunspecifiedvalidSIPmessages.



3.28.3References


CISCO20080924MultipleCiscoIOSSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01562.shtml;

OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





SECTRACK1020939Weblink:http://www.securitytracker.com/id?1020939;VUPENADV-2008-2670Weblink:http://www.vupen.com/english/advisories/2008/2670.


3.29CVE-2008-3808

3.29.1Summary

UnspecifiedvulnerabilityinCiscoIOS12.0through12.4allowsremoteattackerstocauseadenialofservice(devicereload)viaacraftedProtocolIndependentMulticast(PIM)packet.



3.29.3References


CISCO20080924MultipleMulticastVulnerabilitiesinCiscoIOSSoftwareWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01491.shtml;BID31356Weblink:http://www.securityfocus.com/bid/31356;SECTRACK1020936Weblink:http://www.securitytracker.com/id?1020936;VUPENADV-2008-2670Weblink:http://www.vupen.com/english/advisories/2008/2670.


3.30CVE-2009-0626

3.30.1Summary

TheSSLVPNfeatureinCiscoIOS12.3through12.4allowsremoteattackerstocauseadenialofservice(devicereloadorhang)viaacraftedHTTPSpacket.





CISCO20090325CiscoIOSSoftwareWebVPNandSSLVPNVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90424.shtml;Weblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90469.shtml;VUPENADV-2009-0851Weblink:http://www.vupen.com/english/advisories/2009/0851.

3.30.4References


SECTRACK1021896Weblink:http://securitytracker.com/id?1021896;BID34239Weblink:http://www.securityfocus.com/bid/34239;XFios-sslvpn-dos(49425)Weblink:http://xforce.iss.net/xforce/xfdb/49425.


3.31CVE-2009-0631

3.31.1Summary

UnspecifiedvulnerabilityinCiscoIOS12.0through12.4,whenconfiguredwith(1)IPServiceLevelAgreements(SLAs)Responder,(2)SessionInitiationProtocol(SIP),(3)H.323AnnexECallSignalingTransport,or(4)MediaGatewayControlProtocol(MGCP)allowsremoteattackerstocauseadenialofservice(blockedinputqueueontheinboundinterface)viaacraftedUDPpacket.


OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8








CISCO20090325CiscoIOSSoftwareMultipleFeaturesCraftedUDPPacketVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90426.shtml;Weblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90469.shtml.

3.31.4References


BID34245Weblink:http://www.securityfocus.com/bid/34245;SECTRACK1021904Weblink:http://www.securitytracker.com/id?1021904;XFios-udp-dos(49419)Weblink:http://xforce.iss.net/xforce/xfdb/49419.


3.32CVE-2009-0636

3.32.1Summary

UnspecifiedvulnerabilityinCiscoIOS12.0through12.4,whenSIPvoiceservicesareenabled,allowsremoteattackerstocauseadenialofservice(devicecrash)viaavalidSIPmessage.





Weblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90469.shtml;CISCO20090325CiscoIOSSoftwareSessionInitiationProtocolDenialofServiceVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a904c0.shtml;VUPENADV-2009-0851Weblink:http://www.vupen.com/english/advisories/2009/0851.

3.32.4References


SECTRACK1021902Weblink:http://securitytracker.com/id?1021902;BID34243Weblink:http://www.securityfocus.com/bid/34243;XFios-sip-dos(49421)Weblink:http://xforce.iss.net/xforce/xfdb/49421.


3.33CVE-2009-2866

3.33.1Summary

UnspecifiedvulnerabilityinCiscoIOS12.2through12.4allowsremoteattackerstocauseadenialofservice(devicereload)viaacraftedH.323packet,akaBugIDCSCsz38104.





Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=18885;CISCO20090923CiscoIOSSoftwareH.323DenialofServiceVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080af811a.shtml.

3.33.4References


OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8



BID36494Weblink:http://www.securityfocus.com/bid/36494;SECTRACK1022930Weblink:http://www.securitytracker.com/id?1022930;VUPENADV-2009-2759Weblink:http://www.vupen.com/english/advisories/2009/2759;XFciscoios-h323-dos(53446)Weblink:http://xforce.iss.net/xforce/xfdb/53446.


3.34CVE-2009-2868

3.34.1Summary

UnspecifiedvulnerabilityinCiscoIOS12.2through12.4,whencertificate-basedauthenticationisenabledforIKE,allowsremoteattackerstocauseadenialofservice(Phase1SAexhaustion)viacraftedrequests,akaBugIDsCSCsy07555andCSCee72997.





Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=18887;CISCO20090923CiscoIOSSoftwareInternetKeyExchangeResourceExhaustionVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8117.shtml.

3.34.4Reference


VUPENADV-2009-2759Weblink:http://www.vupen.com/english/advisories/2009/2759.


3.35CVE-2009-2870

3.35.1Summary

UnspecifiedvulnerabilityinCiscoIOS12.2through12.4,whentheCiscoUnifiedBorderElementfeatureisenabled,allowsremoteattackerstocauseadenialofservice(devicereload)viacraftedSIPmessages,akaBugIDCSCsx25880.





Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=18891;CISCO20090923CiscoIOSSoftwareSessionInitiationProtocolDenialofServiceVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080af811b.shtml.

3.35.4References




3.36CVE-2009-5038

3.36.1Summary

CiscoIOSbefore15.0(1)XAdoesnotproperlyhandleIRCtrafficduringaspecifictimeperiodafteraninitialreload,whichallowsremoteattackerstocauseadenialofservice(devicereload)viaanattemptedconnectiontoacertainIRCserver,relatedtoa"corruptedmagicvalue,"akaBugIDCSCso05336.



OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8








3.36.3References


Weblink:http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf;BID45764Weblink:http://www.securityfocus.com/bid/45764;XFciscoios-irctraffic-dos(64682)Weblink:http://xforce.iss.net/xforce/xfdb/64682.


3.37CVE-2009-5039

3.37.1Summary

Memoryleakinthegk_circuit_info_do_in_acffunctionintheH.323implementationinCiscoIOSbefore15.0(1)XAallowsremoteattackerstocauseadenialofservice(memoryconsumption)viaalargenumberofcallsoveralongduration,asdemonstratedbyInterZoneClearToken(IZCT)testtraffic,akaBugIDCSCsz72535.




3.37.3References


Weblink:http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf;XFcisco-ios-gkcircuitinfodoinacf-dos(64731)Weblink:http://xforce.iss.net/xforce/xfdb/64731.


3.38CVE-2010-0576

3.38.1Summary

UnspecifiedvulnerabilityinCiscoIOS12.0through12.4,IOSXE2.1.xthrough2.3.xbefore2.3.2,andIOSXR3.2.xthrough3.4.3,whenMultiprotocolLabelSwitching(MPLS)andLabelDistributionProtocol(LDP)areenabled,allowsremoteattackerstocauseadenialofservice(devicereloadorprocessrestart)viaacraftedLDPpacket,akaBugIDsCSCsz45567andCSCsj25893.





CISCO20100324CiscoIOSSoftwareMultiprotocolLabelSwitchingPacketVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20ee2.shtml.

3.38.4References


BID38938Weblink:http://www.securityfocus.com/bid/38938;SECTRACK1023740Weblink:http://www.securitytracker.com/id?1023740;VUPENADV-2010-0707Weblink:http://www.vupen.com/english/advisories/2010/0707;XFciscoios-ldp-dos(57143)Weblink:http://xforce.iss.net/xforce/xfdb/57143.


OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





3.39CVE-2010-0578

3.39.1Summary

TheIKEimplementationinCiscoIOS12.2through12.4onCisco7200and7301routerswithVAM2+allowsremoteattackerstocauseadenialofservice(devicereload)viaamalformedIKEpacket,akaBugIDCSCtb13491.





CISCO20100324CiscoIOSSoftwareIPsecVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20ee5.shtml.

3.39.4References


BID38932Weblink:http://www.securityfocus.com/bid/38932;SECTRACK1023741Weblink:http://www.securitytracker.com/id?1023741;VUPENADV-2010-0709Weblink:http://www.vupen.com/english/advisories/2010/0709;XFciscoios-vpn-dos(57148)Weblink:http://xforce.iss.net/xforce/xfdb/57148.


3.40CVE-2010-0579

3.40.1Summary

TheSIPimplementationinCiscoIOS12.3and12.4allowsremoteattackerstocauseadenialofservice(devicereload)viaamalformedSIPmessage,akaBugIDCSCtb93416,the"SIPMessageHandlingDenialofServiceVulnerability."






3.40.4Reference




3.41CVE-2010-0582

3.41.1Summary

CiscoIOS12.1through12.4,and15.0Mbefore15.0(1)M1,allowsremoteattackerstocauseadenialofservice(interfacequeuewedge)viamalformedH.323packets,akaBugIDCSCta19962.






OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





CISCO20100324CiscoIOSSoftwareH.323DenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20ee4.shtml.

3.41.4References




3.42CVE-2010-0585

3.42.1Summary

CiscoIOS12.1through12.4,whenCiscoUnifiedCommunicationsManagerExpress(CME)orCiscoUnifiedSurvivableRemoteSiteTelephony(SRST)isenabled,allowsremoteattackerstocauseadenialofservice(devicereload)viaamalformedSkinnyClientControlProtocol(SCCP)message,akaBugIDCSCsz48614,the"SCCPPacketProcessingDenialofServiceVulnerability."





Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=20069;CISCO20100324CiscoUnifiedCommunicationsManagerExpressDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20f33.shtml.


3.43CVE-2010-0586

3.43.1Summary

CiscoIOS12.1through12.4,whenCiscoUnifiedCommunicationsManagerExpress(CME)orCiscoUnifiedSurvivableRemoteSiteTelephony(SRST)isenabled,allowsremoteattackerstocauseadenialofservice(devicereload)viaamalformedSkinnyClientControlProtocol(SCCP)message,akaBugIDCSCsz49741,the"SCCPRequestHandlingDenialofServiceVulnerability."





Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=20070;CISCO20100324CiscoUnifiedCommunicationsManagerExpressDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20f33.shtml.


3.44CVE-2010-2828

3.44.1Summary

UnspecifiedvulnerabilityintheH.323implementationinCiscoIOS12.1through12.4and15.0through15.1,andIOSXE2.5.xbefore2.5.2and2.6.xbefore2.6.1,allowsremoteattackerstocauseadenialofservice(devicereload)viacraftedH.323packets,akaBugIDCSCtc73759.






CISCO20100922CiscoIOSSoftwareH.323DenialofServiceVulnerabilities

OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

Weblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a300.shtml.


3.45CVE-2010-2829

3.45.1Summary

UnspecifiedvulnerabilityintheH.323implementationinCiscoIOS12.1through12.4and15.0through15.1,andIOSXE2.5.xbefore2.5.2and2.6.xbefore2.6.1,allowsremoteattackerstocauseadenialofservice(tracebackanddevicereload)viacraftedH.323packets,akaBugIDCSCtd33567.






CISCO20100922CiscoIOSSoftwareH.323DenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a300.shtml.


3.46CVE-2010-2831

3.46.1Summary

UnspecifiedvulnerabilityintheNATforSIPimplementationinCiscoIOS12.1through12.4and15.0through15.1allowsremoteattackerstocauseadenialofservice(devicereload)viatransittrafficonUDPport5060,akaBugIDCSCtf17624.






CISCO20100922CiscoIOSSoftwareNetworkAddressTranslationVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a311.shtml.


3.47CVE-2010-2832

3.47.1Summary

UnspecifiedvulnerabilityintheNATforH.323implementationinCiscoIOS12.1through12.4and15.0through15.1allowsremoteattackerstocauseadenialofservice(devicereload)viatransittraffic,akaBugIDCSCtf91428.








3.48CVE-2010-2833

3.48.1Summary

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

UnspecifiedvulnerabilityintheNATforH.225.0implementationinCiscoIOS12.1through12.4and15.0through15.1allowsremoteattackerstocauseadenialofservice(devicereload)viatransittraffic,akaBugIDCSCtd86472.








3.49CVE-2010-2834

3.49.1Summary

CiscoIOS12.2through12.4and15.0through15.1,CiscoIOSXE2.5.xand2.6.xbefore2.6.1,andCiscoUnifiedCommunicationsManager(akaCUCM,formerlyCallManager)6.xbefore6.1(5)SU1,7.xbefore7.1(5),and8.0before8.0(2)allowremoteattackerstocauseadenialofservice(devicereloadorvoice-servicesoutage)viacraftedSIPregistrationtrafficoverUDP,akaBugIDsCSCtf72678andCSCtf14987.






CISCO20100922CiscoIOSSoftwareSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a30f.shtml;CISCO20100922CiscoUnifiedCommunicationsManagerSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a313.shtml.


3.50CVE-2010-2835

3.50.1Summary

CiscoIOS12.2through12.4and15.0through15.1,CiscoIOSXE2.5.xand2.6.xbefore2.6.1,andCiscoUnifiedCommunicationsManager(akaCUCM,formerlyCallManager)6.xbefore6.1(5),7.0before7.0(2a)su3,7.1subefore7.1(3b)su2,7.1before7.1(5),and8.0before8.0(1)allowremoteattackerstocauseadenialofservice(devicereloadorvoice-servicesoutage)viaaSIPREFERrequestwithaninvalidRefer-Toheader,akaBugIDsCSCta20040andCSCta31358.






CISCO20100922CiscoIOSSoftwareSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a30f.shtml;CISCO20100922CiscoUnifiedCommunicationsManagerSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a313.shtml.


3.51CVE-2010-2836

3.51.1Summary

MemoryleakintheSSLVPNfeatureinCiscoIOS12.4,15.0,and15.1,whenHTTPportredirectionis

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

enabled,allowsremoteattackerstocauseadenialofservice(memoryconsumption)byimproperlydisconnectingSSLsessions,leadingtoconnectionsthatremainintheCLOSE-WAITstate,akaBugIDCSCtg21685.





CISCO20100922CiscoIOSSSLVPNVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a312.shtml.


3.52CVE-2010-4671

3.52.1Summary

TheNeighborDiscovery(ND)protocolimplementationintheIPv6stackinCiscoIOSbefore15.0(1)XA5allowsremoteattackerstocauseadenialofservice(CPUconsumptionanddevicehang)bysendingmanyRouterAdvertisement(RA)messageswithdifferentsourceaddresses,asdemonstratedbytheflood_router6programinthethc-ipv6package,akaBugIDCSCti33534.




3.52.3References


MISCWeblink:http://events.ccc.de/congress/2010/Fahrplan/events/3957.en.html;MISCWeblink:http://mirror.fem-net.de/CCC/27C3/mp3-audio-only/27c3-3957-en-ipv6_insecurities.mp3;MISCWeblink:http://mirror.fem-net.de/CCC/27C3/mp4-h264-HQ/27c3-3957-en-ipv6_insecurities.mp4;Weblink:http://www.ciscosystems.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf;BID45760Weblink:http://www.securityfocus.com/bid/45760;MISCWeblink:http://www.youtube.com/watch?v=00yjWB6gGy8;XFciscoios-neighbor-discovery-dos(64589)Weblink:http://xforce.iss.net/xforce/xfdb/64589.


3.53CVE-2010-4683

3.53.1Summary

MemoryleakinCiscoIOSbefore15.0(1)XA5mightallowremoteattackerstocauseadenialofservice(memoryconsumption)bysendingacraftedSIPREGISTERmessageoverUDP,akaBugIDCSCtg41733.




3.53.3References


Weblink:http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf;BID45786Weblink:http://www.securityfocus.com/bid/45786;XFciscoios-sip-register-dos(64588)Weblink:http://xforce.iss.net/xforce/xfdb/64588.


3.54CVE-2010-4686

3.54.1Summary

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





CallManagerExpress(CME)onCiscoIOSbefore15.0(1)XA1doesnotproperlyhandleSIPTRUNKtrafficthatcontainsrateburstsanda"peculiar"requestsize,whichallowsremoteattackerstocauseadenialofservice(memoryconsumption)bysendingthistrafficoveralongduration,akaBugIDCSCtb47950.




3.54.3References


Weblink:http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf;BID45769Weblink:http://www.securityfocus.com/bid/45769;XFciscoios-siptrunk-dos(64585)Weblink:http://xforce.iss.net/xforce/xfdb/64585.


3.55CVE-2011-0939

3.55.1Summary

UnspecifiedvulnerabilityinCiscoIOS12.4,15.0,and15.1,andIOSXE2.5.xthrough3.2.x,allowsremoteattackerstocauseadenialofservice(devicereload)viaacraftedSIPmessage,akaBugIDCSCth03022.





Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=24127;CISCO20110928CiscoIOSSoftwareSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d5a.shtml.


3.56CVE-2011-0944

3.56.1Summary

CiscoIOS12.4,15.0,and15.1allowsremoteattackerstocauseadenialofservice(devicereload)viamalformedIPv6packets,akaBugIDCSCtj41194.





Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=24131;CISCO20110928CiscoIOSSoftwareIPv6DenialofServiceVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d59.shtml.


3.57CVE-2011-0945

3.57.1Summary

MemoryleakintheData-linkswitching(akaDLSw)featureinCiscoIOS12.1through12.4and15.0through15.1,andIOSXE3.1.xSbefore3.1.3Sand3.2.xSbefore3.2.1S,whenimplementedoverFastSequenceTransport(FST),allowsremoteattackerstocauseadenialofservice(memoryconsumptionanddevicereloadorhang)viaacraftedIPprotocol91packet,akaBugIDCSCth69364.




OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8







CISCO20110928CiscoIOSSoftwareData-LinkSwitchingVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d4e.shtml.

3.57.4Reference


Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=24116.


3.58CVE-2011-0946

3.58.1Summary

TheNATimplementationinCiscoIOS12.1through12.4and15.0through15.1,andIOSXE3.1.xSG,allowsremoteattackerstocauseadenialofservice(devicereloadorhang)viamalformedNetMeetingDirectory(akaInternetLocatorServiceorILS)LDAPtraffic,akaBugIDCSCtd10712.






CISCO20110928CiscoIOSSoftwareNetworkAddressTranslationVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d4d.shtml.

3.58.4Reference




3.59CVE-2011-2072

3.59.1Summary

MemoryleakinCiscoIOS12.4,15.0,and15.1,CiscoIOSXE2.5.xthrough3.2.x,andCiscoUnifiedCommunicationsManager(CUCM)6.xand7.xbefore7.1(5b)su4,8.xbefore8.5(1)su2,and8.6before8.6(1)allowsremoteattackerstocauseadenialofservice(memoryconsumptionanddevicereloadorprocessfailure)viaamalformedSIPmessage,akaBugIDsCSCtl86047andCSCto88686.





CISCO20110928CiscoUnifiedCommunicationsManagerSessionInitiationProtocolMemoryLeakVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d58.shtml;CISCO20110928CiscoIOSSoftwareSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d5a.shtml.

3.59.4References


CISCO20110928CiscoUnifiedCommunicationsManagerMemoryLeakVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-cucm;Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=24129;SECTRACK1026110Weblink:http://www.securitytracker.com/id?1026110.


OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





3.60CVE-2011-3270

3.60.1Summary

UnspecifiedvulnerabilityinCiscoIOS12.2SBbefore12.2(33)SB10and15.0Sbefore15.0(1)S3aonCisco10000seriesroutersallowsremoteattackerstocauseadenialofservice(devicereload)viaasequenceofcraftedICMPpackets,akaBugIDCSCtk62453.





CISCO20110928Cisco10000SeriesDenialofServiceVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d50.shtml.

3.60.4Reference




3.61CVE-2011-3273

3.61.1Summary

MemoryleakinCiscoIOS15.0through15.1,whenIPSorZone-BasedFirewall(akaZBFW)isconfigured,allowsremoteattackerstocauseadenialofservice(memoryconsumptionordevicecrash)viavectorsthattriggermanysessioncreationflows,akaBugIDCSCti79848.





CISCO20110928CiscoIOSSoftwareIPSandZone-BasedFirewallVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d57.shtml.

3.61.4Reference




3.62CVE-2011-3275

3.62.1Summary

MemoryleakinCiscoIOS12.4,15.0,and15.1,andIOSXE2.5.xthrough3.2.x,allowsremoteattackerstocauseadenialofservice(memoryconsumption)viaacraftedSIPmessage,akaBugIDCSCti48504.





CISCO20110928CiscoIOSSoftwareSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d5a.shtml.

3.62.4Reference




OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





3.63CVE-2011-3276

3.63.1Summary

UnspecifiedvulnerabilityintheNATimplementationinCiscoIOS12.1through12.4and15.0through15.1,andIOSXE3.1.xSG,allowsremoteattackerstocauseadenialofservice(devicereloadorhang)bysendingcraftedSIPpacketstoTCPport5060,akaBugIDCSCso02147.







3.63.4Reference




3.64CVE-2011-3277

3.64.1Summary

UnspecifiedvulnerabilityintheNATimplementationinCiscoIOS12.1through12.4and15.0through15.1,andIOSXE3.1.xSG,allowsremoteattackerstocauseadenialofservice(devicereload)bysendingcraftedH.323packetstoTCPport1720,akaBugIDCSCth11006.







3.64.4Reference




3.65CVE-2011-3278

3.65.1Summary

UnspecifiedvulnerabilityintheNATimplementationinCiscoIOS12.1through12.4and15.0through15.1,andIOSXE3.1.xSG,allowsremoteattackerstocauseadenialofservice(devicereload)bysendingcraftedSIPpacketstoUDPport5060,akaBugIDCSCti48483.







OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





3.65.4Reference




3.66CVE-2011-3279

3.66.1Summary

Theprovider-edgeMPLSNATimplementationinCiscoIOS12.1through12.4and15.0through15.1,andIOSXE3.1.xSG,allowsremoteattackerstocauseadenialofservice(devicereload)viaamalformedSIPpackettoUDPport5060,akaBugIDCSCti98219.







3.66.4Reference




3.67CVE-2011-3280

3.67.1Summary

MemoryleakintheNATimplementationinCiscoIOS12.1through12.4and15.0through15.1,andIOSXE3.1.xSG,allowsremoteattackerstocauseadenialofservice(memoryconsumptionordevicereload)bysendingcraftedSIPpacketstoUDPport5060,akaBugIDCSCtj04672.







3.67.4Reference




3.68CVE-2011-3281

3.68.1Summary

UnspecifiedvulnerabilityinCiscoIOS15.0through15.1,incertainHTTPLayer7ApplicationControlandInspectionconfigurations,allowsremoteattackerstocauseadenialofservice(devicereloadorhang)viaacraftedHTTPpacket,akaBugIDCSCto68554.




OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH


CISCO20110928CiscoIOSSoftwareIPSandZone-BasedFirewallVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d57.shtml.

3.68.4Reference




3.69CVE-2011-3282

3.69.1Summary

UnspecifiedvulnerabilityinCiscoIOS12.2SREbefore12.2(33)SRE4,15.0,and15.1,andIOSXE2.1.xthrough3.3.x,whenanMPLSdomainisconfigured,allowsremoteattackerstocauseadenialofservice(devicereload)viaanICMPv6packet,relatedtoanexpiredMPLSTTL,akaBugIDCSCtj30155.





CISCO20110928CiscoIOSSoftwareIPv6overMPLSVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d52.shtml.

3.69.4Reference




3.70CVE-2012-0381

3.70.1Summary

TheIKEv1implementationinCiscoIOS12.2through12.4and15.0through15.2andIOSXE2.1.xthrough2.6.xand3.1.xSthrough3.4.xSbefore3.4.2S,3.5.xSbefore3.5.1S,and3.2.xSGbefore3.2.2SGallowsremoteattackerstocauseadenialofservice(devicereload)bysendingIKEUDPpacketsover(1)IPv4or(2)IPv6,akaBugIDCSCts38429.






CISCO20120328CiscoIOSInternetKeyExchangeVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-ike.

3.70.4References


BID52757Weblink:http://www.securityfocus.com/bid/52757;SECTRACK1026863Weblink:http://www.securitytracker.com/id?1026863;XFciscoios-ike-packet-dos(74427)Weblink:http://xforce.iss.net/xforce/xfdb/74427.


3.71CVE-2012-0383

3.71.1Summary

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





MemoryleakintheNATfeatureinCiscoIOS12.4,15.0,and15.1allowsremoteattackerstocauseadenialofservice(memoryconsumption,anddevicehangorreload)viaSIPpacketsthatrequiretranslation,relatedtoa"memorystarvationvulnerability,"akaBugIDCSCti35326.





CISCO20120328CiscoIOSSoftwareNetworkAddressTranslationVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-nat.

3.71.4References


BID52758Weblink:http://www.securityfocus.com/bid/52758;SECTRACK1026864Weblink:http://www.securitytracker.com/id?1026864;XFciscoios-nat-feature-dos(74432)Weblink:http://xforce.iss.net/xforce/xfdb/74432.


3.72CVE-2012-0385

3.72.1Summary

TheSmartInstallfeatureinCiscoIOS12.2,15.0,15.1,and15.2allowsremoteattackerstocauseadenialofservice(devicereload)bysendingamalformedSmartInstallmessageoverTCP,akaBugIDCSCtt16051.





CISCO20120328CiscoIOSSoftwareSmartInstallDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-smartinstall.

3.72.4References


BID52756Weblink:http://www.securityfocus.com/bid/52756;SECTRACK1026867Weblink:http://www.securitytracker.com/id?1026867;XFciscoios-smartinstall-dos(74430)Weblink:http://xforce.iss.net/xforce/xfdb/74430.


3.73CVE-2012-0386

3.73.1Summary

TheSSHv2implementationinCiscoIOS12.2,12.4,15.0,15.1,and15.2andIOSXE2.3.xthrough2.6.xand3.1.xSthrough3.4.xSbefore3.4.2Sallowsremoteattackerstocauseadenialofservice(devicereload)viaacraftedusernameinareverseSSHloginattempt,akaBugIDCSCtr49064.





CISCO20120328CiscoIOSSoftwareReverseSSHDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-ssh.

3.73.4References

OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8






BID52752Weblink:http://www.securityfocus.com/bid/52752;XFciscoios-sshv2-dos(74404)Weblink:http://xforce.iss.net/xforce/xfdb/74404.


3.74CVE-2012-0387

3.74.1Summary

MemoryleakintheHTTPInspectionEnginefeatureintheZone-BasedFirewallinCiscoIOS12.4,15.0,15.1,and15.2allowsremoteattackerstocauseadenialofservice(memoryconsumptionordevicereload)viacraftedtransitHTTPtraffic,akaBugIDCSCtq36153.





CISCO20120328CiscoIOSSoftwareZone-BasedFirewallVulnerabilitiesWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-zbfw.

3.74.4Reference


XFciscoios-inspectionengine-dos(74435)Weblink:http://xforce.iss.net/xforce/xfdb/74435.


3.75CVE-2012-0388

3.75.1Summary

MemoryleakintheH.323inspectionfeatureintheZone-BasedFirewallinCiscoIOS12.4,15.0,15.1,and15.2allowsremoteattackerstocauseadenialofservice(memoryconsumptionordevicereload)viamalformedtransitH.323traffic,akaBugIDCSCtq45553.






3.75.4Reference


XFciscoios-h323messages-dos(74436)Weblink:http://xforce.iss.net/xforce/xfdb/74436.


3.76CVE-2012-1310

3.76.1Summary

MemoryleakintheZone-BasedFirewallinCiscoIOS12.4,15.0,15.1,and15.2allowsremoteattackerstocauseadenialofservice(memoryconsumptionordevicereload)viacraftedIPpackets,akaBugIDCSCto89536.





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8







3.77CVE-2012-1311

3.77.1Summary

TheRSVPfeatureinCiscoIOS15.0and15.1andIOSXE3.2.xSthrough3.4.xSbefore3.4.2S,whenaVRFinterfaceisconfigured,allowsremoteattackerstocauseadenialofservice(interfacequeuewedgeandserviceoutage)viacraftedRSVPpackets,akaBugIDCSCts80643.





CISCO20120328CiscoIOSSoftwareRSVPDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-rsvp.

3.77.4Reference




3.78CVE-2012-1315

3.78.1Summary

MemoryleakintheSIPinspectionfeatureintheZone-BasedFirewallinCiscoIOS12.4,15.0,15.1,and15.2allowsremoteattackerstocauseadenialofservice(memoryconsumptionordevicereload)viacraftedtransitSIPtraffic,akaBugIDCSCti46171.






3.78.4Reference


XFciscoios-sip-inspection-dos(74437)Weblink:http://xforce.iss.net/xforce/xfdb/74437.


3.79CVE-2012-1350

3.79.1Summary

CiscoIOS12.3and12.4onAironetaccesspointsallowsremoteattackerstocauseadenialofservice(radio-interfaceinput-queuehang)viaIAPP0x3281packets,akaBugIDCSCtc12426.





Weblink:http://www.cisco.com/en/US/docs/wireless/access_point/ios/release/notes/12_3_8_JED1rn.html.


OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





3.80CVE-2012-3949

3.80.1Summary

TheSIPimplementationinCiscoUnifiedCommunicationsManager(CUCM)6.xand7.xbefore7.1(5b)su5,8.xbefore8.5(1)su4,and8.6before8.6(2a)su1;CiscoIOS12.2through12.4and15.0through15.2;andCiscoIOSXE3.3.xSGbefore3.3.1SG,3.4.xS,and3.5.xSallowsremoteattackerstocauseadenialofservice(servicecrashordevicereload)viaacraftedSIPmessagecontaininganSDPsessiondescription,akaBugIDsCSCtw66721,CSCtj33003,andCSCtw84664.






CISCO20120926CiscoUnifiedCommunicationsManagerSessionInitiationProtocolDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-cucm;CISCO20120926CiscoIOSSoftwareSessionInitiationProtocolDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-sip.

3.80.4Reference




3.81CVE-2012-4618

3.81.1Summary

TheSIPALGfeatureintheNATimplementationinCiscoIOS12.2,12.4,and15.0through15.2allowsremoteattackerstocauseadenialofservice(devicereload)viatransitIPpackets,akaBugIDCSCtn76183.





CISCO20120926CiscoIOSSoftwareNetworkAddressTranslationVulnerabilitiesWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-nat.

3.81.4References




3.82CVE-2012-4619

3.82.1Summary

TheNATimplementationinCiscoIOS12.2,12.4,and15.0through15.2allowsremoteattackerstocauseadenialofservice(devicereload)viatransitIPpackets,akaBugIDCSCtr46123.





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8



3.82.4References




3.83CVE-2012-4620

3.83.1Summary

CiscoIOS12.2and15.0through15.2onCisco10000seriesrouters,whenatunnelinterfaceexists,allowsremoteattackerstocauseadenialofservice(interfacequeuewedge)viatunneled(1)GRE/IP,(2)IPIP,or(3)IPv6inIPv4packets,akaBugIDCSCts66808.





CISCO20120926CiscoIOSSoftwareTunneledTrafficQueueWedgeVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-c10k-tunnels.

3.83.4References


BID55696Weblink:http://www.securityfocus.com/bid/55696;SECTRACK1027578Weblink:http://www.securitytracker.com/id?1027578;XFciscoios-tunneled-dos(78883)Weblink:http://xforce.iss.net/xforce/xfdb/78883.


3.84CVE-2012-4621

3.84.1Summary

TheDeviceSensorfeatureinCiscoIOS15.0through15.2allowsremoteattackerstocauseadenialofservice(devicereload)viaaDHCPpacket,akaBugIDCSCty96049.





CISCO20120926CiscoIOSSoftwareDHCPDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-dhcp.

3.84.4Reference


SECTRACK1027572Weblink:http://www.securitytracker.com/id?1027572.


3.85CVE-2012-4623

3.85.1Summary

TheDHCPv6serverinCiscoIOS12.2through12.4and15.0through15.2andIOSXE2.1.xthrough2.6.x,3.1.xSbefore3.1.4S,3.1.xSGand3.2.xSGbefore3.2.5SG,3.2.xS,3.2.xXO,3.3.xS,and3.3.xSGbefore3.3.1SGallowsremoteattackerstocauseadenialofservice(devicereload)viaamalformed




OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

DHCPv6packet,akaBugIDCSCto57723.






CISCO20120926CiscoIOSSoftwareDHCPVersion6ServerDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-dhcpv6.

3.85.4References


BID55700Weblink:http://www.securityfocus.com/bid/55700;SECTRACK1027577Weblink:http://www.securitytracker.com/id?1027577;XFciscoios-ciscoiosxe-dhcpv6-dos(78885)Weblink:http://xforce.iss.net/xforce/xfdb/78885.


3.86CVE-2013-1142

3.86.1Summary

RaceconditionintheVRF-awareNATfeatureinCiscoIOS12.2through12.4and15.0through15.2allowsremoteattackerstocauseadenialofservice(memoryconsumption)viaIPv4packets,akaBugIDsCSCtg47129andCSCtz96745.




3.86.3References


CISCO20130327CiscoIOSSoftwareNetworkAddressTranslationVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-nat;CISCO20130327CiscoIOSSoftwareVRF-AwareNATMemoryStarvationVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1142.


3.87CVE-2013-1145

3.87.1Summary

MemoryleakinCiscoIOS12.2,12.4,15.0,and15.1,whenZone-BasedPolicyFirewallSIPapplicationlayergatewayinspectionisenabled,allowsremoteattackerstocauseadenialofservice(memoryconsumptionordevicereload)viamalformedSIPmessages,akaBugIDCSCtl99174.





CISCO20130327CiscoIOSSoftwareZone-BasedPolicyFirewallSessionInitiationProtocolInspectionDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-cce.


3.88CVE-2013-1146

3.88.1Summary

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





TheSmartInstallclientfunctionalityinCiscoIOS12.2and15.0through15.3onCatalystswitchesallowsremoteattackerstocauseadenialofservice(devicereload)viacraftedimagelistparametersinSmartInstallpackets,akaBugIDCSCub55790.





CISCO20130327CiscoIOSSoftwareSmartInstallDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-smartinstall.


3.89CVE-2013-1147

3.89.1Summary

TheProtocolTranslation(PT)functionalityinCiscoIOS12.3through12.4and15.0through15.3,whenone-stepport-23translationoraTelnet-to-PADrulesetisconfigured,doesnotproperlyvalidateTCPconnectioninformation,whichallowsremoteattackerstocauseadenialofservice(devicereload)viaanattemptedconnectiontoaPTresource,akaBugIDCSCtz35999.






CISCO20130327CiscoIOSSoftwareProtocolTranslationVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-pt.


3.90CVE-2013-5474

3.90.1Summary

RaceconditionintheIPv6virtualfragmentationreassembly(VFR)implementationinCiscoIOS12.2through12.4and15.0through15.3allowsremoteattackerstocauseadenialofservice(devicereloadorhang)viafragmentedIPv6packets,akaBugIDCSCud64812.






CISCO20130925CiscoIOSSoftwareIPv6VirtualFragmentationReassemblyDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-ipv6vfr.


3.91CVE-2013-5475

3.91.1Summary

CiscoIOS12.2through12.4and15.0through15.3,andIOSXE2.1through3.9,allowsremoteattackerstocauseadenialofservice(devicereload)viacraftedDHCPpacketsthatareprocessedlocallybya(1)serveror(2)relayagent,akaBugIDCSCug31561.




OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





CISCO20130925CiscoIOSSoftwareDHCPDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-dhcp.


3.92CVE-2013-5477

3.92.1Summary

TheT1/E1driver-queuefunctionalityinCiscoIOS12.2and15.0through15.3,whenanHDLC32driverisused,allowsremoteattackerstocauseadenialofservice(interfacequeuewedge)viaburstynetworktraffic,akaBugIDCSCub67465.





CISCO20130925CiscoIOSSoftwareQueueWedgeDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-wedge.


3.93CVE-2013-5478

3.93.1Summary

CiscoIOS15.0through15.3andIOSXE3.2through3.8,whenaVRFinterfaceexists,allowsremoteattackerstocauseadenialofservice(interfacequeuewedge)viacraftedUDPRSVPpackets,akaBugIDCSCuf17023.





CISCO20130925CiscoIOSSoftwareResourceReservationProtocolInterfaceQueueWedgeVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-rsvp.


3.94CVE-2013-5479

3.94.1Summary

TheDNS-over-TCPimplementationinCiscoIOS12.2and15.0through15.3,whenNATisused,allowsremoteattackerstocauseadenialofservice(devicereload)viaacraftedIPv4DNSTCPstream,akaBugIDCSCtn53730.







3.95CVE-2013-5480

3.95.1Summary

TheDNS-over-TCPimplementationinCiscoIOS12.2and15.0through15.3,whenNATisused,allowsremoteattackerstocauseadenialofservice(devicereload)viaacraftedIPv4DNSTCPstream,akaBugIDCSCuf28733.



OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8











3.96CVE-2014-2108

3.96.1Summary

CiscoIOS12.2and15.0through15.3andIOSXE3.2through3.7before3.7.5Sand3.8through3.10before3.10.1Sallowremoteattackerstocauseadenialofservice(devicereload)viaamalformedIKEv2packet,akaBugIDCSCui88426.





CISCO20140326CiscoIOSSoftwareInternetKeyExchangeVersion2DenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ikev2.


3.97CVE-2014-2109

3.97.1Summary

TheTCPInputmoduleinCiscoIOS12.2through12.4and15.0through15.4,whenNATisused,allowsremoteattackerstocauseadenialofservice(memoryconsumptionordevicereload)viacraftedTCPpackets,akaBugIDsCSCuh33843andCSCuj41494.








3.98CVE-2014-3327

3.98.1Summary

TheEnergyWisemoduleinCiscoIOS12.2,15.0,15.1,15.2,and15.4andIOSXE3.2.xXO,3.3.xSG,3.4.xSG,and3.5.xEbefore3.5.3Eallowsremoteattackerstocauseadenialofservice(devicereload)viaacraftedIPv4packet,akaBugIDCSCup52101.





CISCO20140806CiscoIOSSoftwareandCiscoIOSXESoftwareEnergyWiseCraftedPacketDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140806-energywise.


3.99CVE-2014-3354

OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





3.99.1Summary

CiscoIOS12.0,12.2,12.4,15.0,15.1,15.2,and15.3andIOSXE2.xand3.xbefore3.7.4S;3.2.xSEand3.3.xSEbefore3.3.2SE;3.3.xSGand3.4.xSGbefore3.4.4SG;and3.8.xS,3.9.xS,and3.10.xSbefore3.10.1Sallowremoteattackerstocauseadenialofservice(devicereload)viamalformedRSVPpackets,akaBugIDCSCui11547.





CISCO20140924CiscoIOSSoftwareRSVPVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-rsvp.

3.99.4Reference


Weblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-rsvp/cvrf/cisco-sa-20140924-rsvp_cvrf.xml.


3.100CVE-2014-3357

3.100.1Summary

CiscoIOS15.0,15.1,15.2,and15.4andIOSXE3.3.xSEbefore3.3.2SE,3.3.xXObefore3.3.1XO,3.5.xEbefore3.5.2E,and3.11.xSbefore3.11.1Sallowremoteattackerstocauseadenialofservice(devicereload)viamalformedmDNSpackets,akaBugIDCSCul90866.





CISCO20140924MultipleVulnerabilitiesinCiscoIOSSoftwareMulticastDomainNameSystemWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-mdns.

3.100.4Reference


Weblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-mdns/cvrf/cisco-sa-20140924-mdns_cvrf.xml.


3.101CVE-2014-3358

3.101.1Summary

MemoryleakinCiscoIOS15.0,15.1,15.2,and15.4andIOSXE3.3.xSEbefore3.3.2SE,3.3.xXObefore3.3.1XO,3.5.xEbefore3.5.2E,and3.11.xSbefore3.11.1Sallowsremoteattackerstocauseadenialofservice(memoryconsumption,andinterfacequeuewedgeordevicereload)viamalformedmDNSpackets,akaBugIDCSCuj58950.





CISCO20140924MultipleVulnerabilitiesinCiscoIOSSoftwareMulticastDomainNameSystemWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-mdns.

3.101.4Reference


Weblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-mdns/cvrf/cisco-sa-20140924-mdns_cvrf.xml.


OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





3.102CVE-2015-0636

3.102.1Summary

TheAutonomicNetworkingInfrastructure(ANI)implementationinCiscoIOS12.2,12.4,15.0,15.2,15.3,and15.4andIOSXE3.10.xSthrough3.13.xSbefore3.13.1Sallowsremoteattackerstocauseadenialofservice(disrupteddomainaccess)viaspoofedANmessagesthatresetafinitestatemachine,akaBugIDCSCup62293.






3.102.4Reference




3.103CVE-2015-0637

3.103.1Summary

TheAutonomicNetworkingInfrastructure(ANI)implementationinCiscoIOS12.2,12.4,15.0,15.2,15.3,and15.4andIOSXE3.10.xSthrough3.13.xSbefore3.13.1Sallowsremoteattackerstocauseadenialofservice(devicereload)viaspoofedANmessages,akaBugIDCSCup62315.






3.103.4Reference




3.104CVE-2015-0642

3.104.1Summary

CiscoIOS12.2,12.4,15.0,15.1,15.2,15.3,and15.4andIOSXE2.5.x,2.6.x,3.1.xSthrough3.12.xSbefore3.12.3S,3.2.xEthrough3.7.xEbefore3.7.1E,3.3.xSG,3.4.xSG,and3.13.xSbefore3.13.2Sallowremoteattackerstocauseadenialofservice(devicereload)bysendingmalformedIKEv2packetsover(1)IPv4or(2)IPv6,akaBugIDCSCum36951.





CISCO20150325CiscoIOSSoftwareandIOSXESoftwareInternetKeyExchangeVersion2DenialofServiceVulnerabilitiesWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-ikev2;Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=37816.

3.104.4Reference

OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8








3.105CVE-2015-0643

3.105.1Summary

CiscoIOS12.2,12.4,15.0,15.1,15.2,15.3,and15.4andIOSXE2.5.x,2.6.x,3.1.xSthrough3.12.xSbefore3.12.3S,3.2.xEthrough3.7.xEbefore3.7.1E,3.3.xSG,3.4.xSG,and3.13.xSbefore3.13.2Sallowremoteattackerstocauseadenialofservice(memoryconsumptionanddevicereload)bysendingmalformedIKEv2packetsover(1)IPv4or(2)IPv6,akaBugIDCSCuo75572.





CISCO20150325CiscoIOSSoftwareandIOSXESoftwareInternetKeyExchangeVersion2DenialofServiceVulnerabilitiesWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-ikev2;Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=37815.

3.105.4Reference




3.106CVE-2015-0646

3.106.1Summary

MemoryleakintheTCPinputmoduleinCiscoIOS12.2,12.4,15.0,15.2,15.3,and15.4andIOSXE3.3.xXO,3.5.xE,3.6.xE,3.8.xSthrough3.10.xSbefore3.10.5S,and3.11.xSand3.12.xSbefore3.12.3Sallowsremoteattackerstocauseadenialofservice(memoryconsumptionordevicereload)bysendingcraftedTCPpacketsover(1)IPv4or(2)IPv6,akaBugIDCSCum94811.





CISCO20150325CiscoIOSSoftwareandIOSXESoftwareTCPPacketMemoryLeakVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-tcpleak.

3.106.4Reference




3.107CVE-2015-0647

3.107.1Summary

CiscoIOS12.2,12.4,15.0,15.2,and15.3allowsremoteattackerstocauseadenialofservice(devicereload)viamalformedCommonIndustrialProtocol(CIP)UDPpackets,akaBugIDCSCum98371.





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CISCO20150325MultipleVulnerabilitiesinCiscoIOSSoftwareCommonIndustrialProtocolWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-cip.


3.108CVE-2015-0648

3.108.1Summary

MemoryleakinCiscoIOS12.2,12.4,15.0,15.2,and15.3allowsremoteattackerstocauseadenialofservice(memoryconsumption)viacraftedCommonIndustrialProtocol(CIP)TCPpackets,akaBugIDCSCun49658.







3.109CVE-2015-0649

3.109.1Summary

CiscoIOS12.2,12.4,15.0,15.2,and15.3allowsremoteattackerstocauseadenialofservice(devicereload)viamalformedCommonIndustrialProtocol(CIP)TCPpackets,akaBugIDCSCun63514.







3.110CVE-2015-0650

3.110.1Summary

TheServiceDiscoveryGateway(akamDNSGateway)inCiscoIOS12.2,12.4,15.0,15.1,15.2,15.3,and15.4andIOSXE3.9.xSand3.10.xSbefore3.10.4S,3.11.xSbefore3.11.3S,3.12.xSbefore3.12.2S,and3.13.xSbefore3.13.1Sallowsremoteattackerstocauseadenialofservice(devicereload)bysendingmalformedmDNSUDPpacketsover(1)IPv4or(2)IPv6,akaBugIDCSCup70579.





CISCO20150325CiscoIOSSoftwareandIOSXESoftwaremDNSGatewayDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-mdns.

3.110.4Reference




3.111CVE-2015-6278

3.111.1Summary

TheIPv6snoopingfunctionalityinthefirst-hopsecuritysubsysteminCiscoIOS12.2,15.0,15.1,15.2,

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





15.3,15.4,and15.5andIOSXE3.2SE,3.3SE,3.3XO,3.4SG,3.5E,and3.6Ebefore3.6.3E;3.7Ebefore3.7.2E;3.9Sand3.10Sbefore3.10.6S;3.11Sbefore3.11.4S;3.12Sand3.13Sbefore3.13.3S;and3.14Sbefore3.14.2SdoesnotproperlyimplementtheControlPlaneProtection(akaCPPr)feature,whichallowsremoteattackerstocauseadenialofservice(devicereload)viaafloodofNDpackets,akaBugIDCSCus19794.





CISCO20150923CiscoIOSandIOSXESoftwareIPv6FirstHopSecurityDenialofServiceVulnerabilitiesWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-fhs;Weblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-fhs/cvrf/cisco-sa-20150923-fhs_cvrf.xml.


3.112CVE-2015-6279

3.112.1Summary

TheIPv6snoopingfunctionalityinthefirst-hopsecuritysubsysteminCiscoIOS12.2,15.0,15.1,15.2,15.3,15.4,and15.5andIOSXE3.2SE,3.3SE,3.3XO,3.4SG,3.5E,and3.6Ebefore3.6.3E;3.7Ebefore3.7.2E;3.9Sand3.10Sbefore3.10.6S;3.11Sbefore3.11.4S;3.12Sand3.13Sbefore3.13.3S;and3.14Sbefore3.14.2Sallowsremoteattackerstocauseadenialofservice(devicereload)viaamalformedNDpacketwiththeCryptographicallyGeneratedAddress(CGA)option,akaBugIDCSCuo04400.





CISCO20150923CiscoIOSandIOSXESoftwareIPv6FirstHopSecurityDenialofServiceVulnerabilitiesWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-fhs;Weblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-fhs/cvrf/cisco-sa-20150923-fhs_cvrf.xml.


3.113CVE-2016-1348

3.113.1Summary

CiscoIOS15.0through15.5andIOSXE3.3through3.16allowremoteattackerstocauseadenialofservice(devicereload)viaacraftedDHCPv6Relaymessage,akaBugIDCSCus55821.






CISCO20160323CiscoIOSandIOSXESoftwareDHCPv6RelayDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-dhcpv6.


3.114CVE-2016-1349

3.114.1Summary

TheSmartInstallclientimplementationinCiscoIOS12.2,15.0,and15.2andIOSXE3.2through3.7allowsremoteattackerstocauseadenialofservice(devicereload)viacraftedimagelistparametersinaSmartInstallpacket,akaBugIDCSCuv45410.



OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8







CISCO20160323CiscoIOSandIOSXESoftwareSmartInstallDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-smi.


3.115CVE-2016-6378

3.115.1Summary

CiscoIOSXE3.1through3.17and16.1through16.2allowsremoteattackerstocauseadenialofservice(devicereload)viacraftedICMPpacketsthatrequireNAT,akaBugIDCSCuw85853.






CISCO20160928CiscoIOSXESoftwareNATDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-esp-nat.

3.115.4Reference




3.116CVE-2016-6379

3.116.1Summary

CiscoIOS12.2andIOSXE3.14through3.16and16.1allowremoteattackerstocauseadenialofservice(devicereload)viacraftedIPDetailRecord(IPDR)packets,akaBugIDCSCuu35089.





CISCO20160928CiscoIOSandIOSXESoftwareIPDetailRecordDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-ipdr.

3.116.4Reference




3.117CVE-2016-6382

3.117.1Summary

CiscoIOS15.2through15.6andIOSXE3.6through3.17and16.1allowremoteattackerstocauseadenialofservice(devicerestart)viaamalformedIPv6ProtocolIndependentMulticast(PIM)registerpacket,akaBugIDCSCuy16399.




OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8



CISCO20160928CiscoIOSandIOSXESoftwareMulticastRoutingDenialofServiceVulnerabilitiesWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-msdp.

3.117.4Reference




3.118CVE-2016-6384

3.118.1Summary

CiscoIOS12.2through12.4and15.0through15.6andIOSXE3.1through3.17and16.2allowremoteattackerstocauseadenialofservice(devicereload)viacraftedfieldsinanH.323message,akaBugIDCSCux04257.






CISCO20160928CiscoIOSandIOSXESoftwareH.323MessageValidationDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-h323.

3.118.4Reference




3.119CVE-2016-6385

3.119.1Summary

MemoryleakintheSmartInstallclientimplementationinCiscoIOS12.2and15.0through15.2andIOSXE3.2through3.8allowsremoteattackerstocauseadenialofservice(memoryconsumption)viacraftedimage-listparameters,akaBugIDCSCuy82367.





CISCO20160928CiscoIOSandIOSXESoftwareSmartInstallMemoryLeakVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-smi.

3.119.4Reference




3.120CVE-2016-6386

3.120.1Summary

CiscoIOSXE3.1through3.17and16.1on64-bitplatformsallowsremoteattackerstocauseadenialofservice(data-structurecorruptionanddevicereload)viafragmentedIPv4packets,akaBugID





OverallRating:HIGH

CVSSv2Score:7.8





OverallRating:HIGH

CVSSv2Score:7.8





CSCux66005.






CISCO20160928CiscoIOSXESoftwareIPFragmentReassemblyDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-frag.

3.120.4Reference




3.121CVE-2016-6391

3.121.1Summary

CiscoIOS12.2and15.0through15.3allowsremoteattackerstocauseadenialofservice(traffic-processingoutage)viaacraftedseriesofCommonIndustrialProtocol(CIP)requests,akaBugIDCSCur69036.





CISCO20160928CiscoIOSSoftwareCommonIndustrialProtocolRequestDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-cip.

3.121.4Reference




3.122CVE-2016-6392

3.122.1Summary

CiscoIOS12.2and15.0through15.3andIOSXE3.1through3.9allowremoteattackerstocauseadenialofservice(devicerestart)viaacraftedIPv4MulticastSourceDiscoveryProtocol(MSDP)Source-Active(SA)message,akaBugIDCSCud36767.





CISCO20160928CiscoIOSandIOSXESoftwareMulticastRoutingDenialofServiceVulnerabilitiesWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-msdp.

3.122.4Reference




OverallRating:HIGH

CVSSv2Score:7.5

CVSSv2Base:AV:N/AC:L/Au:N/C:P/I:P/A:P(7.5)




OverallRating:HIGH

CVSSv2Score:7.5





OverallRating:HIGH

CVSSv2Score:7.5





OverallRating:HIGH

CVSSv2Score:7.5





3.123CVE-2005-1057

3.123.1Summary

CiscoIOS12.2T,12.3and12.3T,whenusingEasyVPNServerXAUTHversion6authentication,allowsremoteattackerstobypassauthenticationviaa"malformedpacket."





CISCO20050406VulnerabilitiesintheInternetKeyExchangeXauthImplementationWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml.


3.124CVE-2005-1058

3.124.1Summary

CiscoIOS12.2T,12.3and12.3T,whenprocessinganISAKMPprofilethatspecifiesXAUTHauthenticationafterPhase1negotiation,maynotprocesscertainattributesintheISAKMPprofilethatspecifiesXAUTH,whichallowsremoteattackerstobypassXAUTHandmovetoPhase2negotiations.





CISCO20050406VulnerabilitiesintheInternetKeyExchangeXauthImplementationWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml.


3.125CVE-2005-2105

3.125.1Summary

CiscoIOS12.2Tthrough12.4allowsremoteattackerstobypassAuthentication,Authorization,andAccounting(AAA)RADIUSauthentication,ifthefallbackmethodissettonone,viaalongusername.





CISCO20050629RADIUSAuthenticationBypassWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20050629-aaa.shtml.

3.125.4References


SECTRACK1014330Weblink:http://www.securitytracker.com/alerts/2005/Jun/1014330.html;XFradius-authentication-bypass(21190)Weblink:http://xforce.iss.net/xforce/xfdb/21190.


3.126CVE-2005-2841

3.126.1Summary

BufferoverflowinFirewallAuthenticationProxyforFTPand/orTelnetSessionsforCiscoIOS12.2ZHand12.2ZL,12.3and12.3T,and12.4and12.4Tallowsremoteattackerstocauseadenialofserviceandpossiblyexecutearbitrarycodeviacrafteduserauthenticationcredentials.


OverallRating:HIGH

CVSSv2Score:7.1

CVSSv2Base:AV:N/AC:M/Au:N/C:N/I:N/A:C(7.1)




OverallRating:HIGH

CVSSv2Score:7.1








CISCO20050907CiscoIOSFirewallAuthenticationProxyforFTPandTelnetSessionsBufferOverflowWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml;CERT-VNVU#236045Weblink:http://www.kb.cert.org/vuls/id/236045.

3.126.4Reference




3.127CVE-2005-1020

3.127.1Summary

SecureShell(SSH)2inCiscoIOS12.0through12.3allowsremoteattackerstocauseadenialofservice(devicereload)(1)viaausernamethatcontainsadomainnamewhenusingaTACACS+servertoauthenticate,(2)whenanewSSHsessionisintheloginphaseandacurrentlyloggedinuserissuesasendcommand,or(3)whenIOSisloggingmessagesandanSSHsessionisterminatedwhiletheserverissendingdata.





CISCO20050406VulnerabilitiesinCiscoIOSSecureShellServerWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml;SECTRACK1013655Weblink:http://www.securitytracker.com/alerts/2005/Apr/1013655.html.

3.127.4References


BID13043Weblink:http://www.securityfocus.com/bid/13043;XFcisco-ios-sshv2-tacacs-authentication-dos(19987)Weblink:http://xforce.iss.net/xforce/xfdb/19987;XFcisco-ios-authentication-send-dos(19989)Weblink:http://xforce.iss.net/xforce/xfdb/19989;XFcisco-ios-ssh-message-log-dos(19990)Weblink:http://xforce.iss.net/xforce/xfdb/19990.


3.128CVE-2005-1021

3.128.1Summary

MemoryleakinSecureShell(SSH)inCiscoIOS12.0through12.3,whenauthenticatingagainstaTACACS+server,allowsremoteattackerstocauseadenialofservice(memoryconsumption)viaanincorrectusernameorpassword.





CISCO20050406VulnerabilitiesinCiscoIOSSecureShellServerWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml.

3.128.4References


OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1





BID13042Weblink:http://www.securityfocus.com/bid/13042;SECTRACK1013655Weblink:http://www.securitytracker.com/alerts/2005/Apr/1013655.html;XFcisco-ios-memory-leak-dos(19991)Weblink:http://xforce.iss.net/xforce/xfdb/19991.


3.129CVE-2006-0340

3.129.1Summary

UnspecifiedvulnerabilityinStackGroupBiddingProtocol(SGBP)supportinCiscoIOS12.0through12.4runningonvariousCiscoproducts,whenSGBPisenabled,allowsremoteattackersonthelocalnetworktocauseadenialofservice(devicehangandnetworktrafficloss)viaacraftedUDPpackettoport9900.





CISCO20060118IOSStackGroupBiddingProtocolCraftedPacketDoSWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml.

3.129.4References


SREASON358Weblink:http://securityreason.com/securityalert/358;SECTRACK1015501Weblink:http://securitytracker.com/id?1015501;BID16303Weblink:http://www.securityfocus.com/bid/16303;VUPENADV-2006-0248Weblink:http://www.vupen.com/english/advisories/2006/0248;XFcisco-ios-sgbp-dos(24182)Weblink:http://xforce.iss.net/xforce/xfdb/24182.


3.130CVE-2007-0918

3.130.1Summary

TheATOMIC.TCPsignatureengineintheIntrusionPreventionSystem(IPS)featureforCiscoIOS12.4XA,12.3YA,12.3T,andothertrainsallowsremoteattackerstocauseadenialofservice(IPScrashandtrafficloss)viaunspecifiedmanipulationsthatarenotproperlyhandledbytheregularexpressionfeature,asdemonstratedusingthe3123.0(NetbusProTraffic)signature.





CISCO20070213MultipleIOSIPSVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a00807e0a5b.shtml;VUPENADV-2007-0597Weblink:http://www.vupen.com/english/advisories/2007/0597.

3.130.4References


MISCWeblink:http://www.cisco.com/en/US/products/products_security_response09186a00807e0a5e.html;BID22549Weblink:http://www.securityfocus.com/bid/22549;SECTRACK1017631Weblink:http://www.securitytracker.com/id?1017631;XFcisco-ios-ips-dos(32474)

OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1





Weblink:http://xforce.iss.net/xforce/xfdb/32474.


3.131CVE-2007-4291

3.131.1Summary

CiscoIOS12.0through12.4allowsremoteattackerstocauseadenialofservicevia(1)amalformedMGCPpacket,whichcausesadevicehang,akaCSCsf08998;amalformedH.323packet,whichcausesadevicecrash,asidentifiedby(2)CSCsi60004withProxyUnregistrationand(3)CSCsg70474;andamalformedReal-timeTransportProtocol(RTP)packet,whichcausesadevicecrash,asidentifiedby(4)CSCse68138,relatedtoVOIPRTPLib,and(5)CSCse05642,relatedtoI/Omemorycorruption.



3.131.3References


SECTRACK1018533Weblink:http://securitytracker.com/id?1018533;CISCO20070808VoiceVulnerabilitiesinCiscoIOSandCiscoUnifiedCommunicationsManagerWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080899653.shtml;BID25239Weblink:http://www.securityfocus.com/bid/25239;VUPENADV-2007-2816Weblink:http://www.vupen.com/english/advisories/2007/2816;XFcisco-ios-mgcp-dos(35903)Weblink:http://xforce.iss.net/xforce/xfdb/35903;XFcisco-ios-h323-dos(35904)Weblink:http://xforce.iss.net/xforce/xfdb/35904;XFcisco-ios-rtp-dos(35905)Weblink:http://xforce.iss.net/xforce/xfdb/35905.


3.132CVE-2007-4293

3.132.1Summary

CiscoIOS12.0through12.4allowsremoteattackerstocauseadenialofservice(devicecrash)via(1)"abnormal"MGCPmessages,akaCSCsd81407;and(2)alargefacsimilepacket,akaCSCej20505.



3.132.3References


SECTRACK1018533Weblink:http://securitytracker.com/id?1018533;CISCO20070808VoiceVulnerabilitiesinCiscoIOSandCiscoUnifiedCommunicationsManagerWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080899653.shtml;BID25239Weblink:http://www.securityfocus.com/bid/25239;VUPENADV-2007-2816Weblink:http://www.vupen.com/english/advisories/2007/2816;XFcisco-ios-facsimile-dos(35907)Weblink:http://xforce.iss.net/xforce/xfdb/35907.


3.133CVE-2007-5651

3.133.1Summary

UnspecifiedvulnerabilityintheExtensibleAuthenticationProtocol(EAP)implementationinCiscoIOS12.3and12.4onCiscoAccessPointsand1310WirelessBridges(WirelessEAPdevices),IOS12.1and12.2onCiscoswitches(WiredEAPdevices),andCatOS6.xthrough8.xonCiscoswitchesallowsremoteattackerstocauseadenialofservice(devicereload)viaacraftedEAPResponseIdentitypacket.


OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1






3.133.3References


CISCO20071019ExtensibleAuthenticationProtocolVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_response09186a00808de8bb.html;BID26139Weblink:http://www.securityfocus.com/bid/26139;SECTRACK1018842Weblink:http://www.securitytracker.com/id?1018842;VUPENADV-2007-3566Weblink:http://www.vupen.com/english/advisories/2007/3566;XFcisco-eap-dos(37300)Weblink:http://xforce.iss.net/xforce/xfdb/37300.


3.134CVE-2008-1153

3.134.1Summary

CiscoIOS12.1,12.2,12.3,and12.4,withIPv4UDPservicesandtheIPv6protocolenabled,allowsremoteattackerstocauseadenialofservice(devicecrashandpossibleblockedinterface)viaacraftedIPv6packettothedevice.



3.134.3References


CISCO20080326CiscoIOSUserDatagramProtocolDeliveryIssueForIPv4/IPv6Dual-stackRoutersWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml;CERT-VNVU#936177Weblink:http://www.kb.cert.org/vuls/id/936177;BID28461Weblink:http://www.securityfocus.com/bid/28461;SECTRACK1019713Weblink:http://www.securitytracker.com/id?1019713;CERTTA08-087BWeblink:http://www.us-cert.gov/cas/techalerts/TA08-087B.html;VUPENADV-2008-1006Weblink:http://www.vupen.com/english/advisories/2008/1006/references;XFcisco-ios-ipv6-dualstack-dos(41475)Weblink:http://xforce.iss.net/xforce/xfdb/41475.


3.135CVE-2008-3800

3.135.1Summary

UnspecifiedvulnerabilityintheSessionInitiationProtocol(SIP)implementationinCiscoIOS12.2through12.4andUnifiedCommunicationsManager4.1through6.1,whenVoIPisconfigured,allowsremoteattackerstocauseadenialofservice(deviceorprocessreload)viaunspecifiedvalidSIPmessages,akaCiscoBugIDCSCsu38644,adifferentvulnerabilitythanCVE-2008-3801andCVE-2008-3802.



3.135.3References


CISCO20080924MultipleCiscoIOSSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01562.shtml;CISCO20080924CiscoUnifiedCommunicationsManagerSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a0156a.shtml;BID31367Weblink:http://www.securityfocus.com/bid/31367;SECTRACK1020939Weblink:http://www.securitytracker.com/id?1020939;

OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1



SECTRACK1020942Weblink:http://www.securitytracker.com/id?1020942;VUPENADV-2008-2670Weblink:http://www.vupen.com/english/advisories/2008/2670;VUPENADV-2008-2671Weblink:http://www.vupen.com/english/advisories/2008/2671.


3.136CVE-2008-3801

3.136.1Summary

UnspecifiedvulnerabilityintheSessionInitiationProtocol(SIP)implementationinCiscoIOS12.2through12.4andUnifiedCommunicationsManager4.1through6.1,whenVoIPisconfigured,allowsremoteattackerstocauseadenialofservice(deviceorprocessreload)viaunspecifiedvalidSIPmessages,akaCiscoBugIDCSCsm46064,adifferentvulnerabilitythanCVE-2008-3800andCVE-2008-3802.



3.136.3References


CISCO20080924MultipleCiscoIOSSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01562.shtml;CISCO20080924CiscoUnifiedCommunicationsManagerSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a0156a.shtml;BID31367Weblink:http://www.securityfocus.com/bid/31367;SECTRACK1020939Weblink:http://www.securitytracker.com/id?1020939;SECTRACK1020942Weblink:http://www.securitytracker.com/id?1020942;VUPENADV-2008-2670Weblink:http://www.vupen.com/english/advisories/2008/2670;VUPENADV-2008-2671Weblink:http://www.vupen.com/english/advisories/2008/2671.


3.137CVE-2008-3802

3.137.1Summary

UnspecifiedvulnerabilityintheSessionInitiationProtocol(SIP)implementationinCiscoIOS12.2through12.4,whenVoIPisconfigured,allowsremoteattackerstocauseadenialofservice(devicereload)viaunspecifiedvalidSIPmessages,akaCiscobugIDCSCsk42759,adifferentvulnerabilitythanCVE-2008-3800andCVE-2008-3801.



3.137.3References


CISCO20080924MultipleCiscoIOSSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01562.shtml;SECTRACK1020939Weblink:http://www.securitytracker.com/id?1020939;VUPENADV-2008-2670Weblink:http://www.vupen.com/english/advisories/2008/2670.


3.138CVE-2008-3809

3.138.1Summary

CiscoIOS12.0through12.4onGigabitSwitchRouter(GSR)devices(aka12000Seriesrouters)allowsremoteattackerstocauseadenialofservice(devicecrash)viaamalformedProtocolIndependentMulticast(PIM)packet.



OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1







3.138.3References


Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=16638;CISCO20080924MultipleMulticastVulnerabilitiesinCiscoIOSSoftwareWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01491.shtml;BID31356Weblink:http://www.securityfocus.com/bid/31356;SECTRACK1020936Weblink:http://www.securitytracker.com/id?1020936;VUPENADV-2008-2670Weblink:http://www.vupen.com/english/advisories/2008/2670.


3.139CVE-2008-4609

3.139.1Summary

TheTCPimplementationin(1)Linux,(2)platformsbasedonBSDUnix,(3)MicrosoftWindows,(4)Ciscoproducts,andprobablyotheroperatingsystemsallowsremoteattackerstocauseadenialofservice(connectionqueueexhaustion)viamultiplevectorsthatmanipulateinformationintheTCPstatetable,asdemonstratedbysockstress.



3.139.3References


MISCWeblink:http://blog.robertlee.name/2008/10/conjecture-speculation.html;MLIST[dailydave]20081002TCPResourceExhaustionDoSAttackSpeculationWeblink:http://lists.immunitysec.com/pipermail/dailydave/2008-October/005360.html;HPSSRT080138Weblink:http://marc.info/?l=bugtraq&m=125856010926699&w=2;MISCWeblink:http://searchsecurity.techtarget.com.au/articles/27154-TCP-is-fundamentally-borked;CISCO20090908TCPStateManipulationDenialofServiceVulnerabilitiesinMultipleCiscoProductsWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080af511d.shtml;CISCO20081017CiscoResponsetoOutpost24TCPStateTableManipulationDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_response09186a0080a15120.html;MISCWeblink:http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf;MANDRIVAMDVSA-2013:150Weblink:http://www.mandriva.com/security/advisories?name=MDVSA-2013:150;MSMS09-048Weblink:http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx;Weblink:http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html;MISCWeblink:http://www.outpost24.com/news/news-2008-10-02.html;CERTTA09-251AWeblink:http://www.us-cert.gov/cas/techalerts/TA09-251A.html;MISCWeblink:https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html.


3.140CVE-2009-0630

3.140.1Summary

The(1)CiscoUnifiedCommunicationsManagerExpress;(2)SIPGatewaySignalingSupportOverTransportLayerSecurity(TLS)Transport;(3)SecureSignalingandMediaEncryption;(4)BlocksExtensibleExchangeProtocol(BEEP);(5)NetworkAdmissionControlHTTPAuthenticationProxy;(6)Per-userURLRedirectforEAPoUDP,Dot1x,andMACAuthenticationBypass;(7)DistributedDirectorwithHTTPRedirects;and(8)TCPDNSfeaturesinCiscoIOS12.0through12.4donotproperlyhandleIPsockets,whichallowsremoteattackerstocauseadenialofservice(outageorresourceconsumption)viaaseriesofcraftedTCPpackets.




OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1






Weblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90469.shtml;CISCO20090325CiscoIOSSoftwareMultipleFeaturesIPSocketsVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a904c6.shtml;VUPENADV-2009-0851Weblink:http://www.vupen.com/english/advisories/2009/0851;XFios-ipsockets-dos(49418)Weblink:http://xforce.iss.net/xforce/xfdb/49418.

3.140.4References


SECTRACK1021897Weblink:http://securitytracker.com/id?1021897;BID34242Weblink:http://www.securityfocus.com/bid/34242.


3.141CVE-2009-0633

3.141.1Summary

Multipleunspecifiedvulnerabilitiesinthe(1)MobileIPNATTraversalfeatureand(2)MobileIPv6subsysteminCiscoIOS12.3through12.4allowremoteattackerstocauseadenialofservice(inputqueuewedgeandinterfaceoutage)viaMIPv6packets,akaBugIDCSCsm97220.





CISCO20090325CiscoIOSSoftwareMobileIPandMobileIPv6VulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a9042f.shtml;Weblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90469.shtml;VUPENADV-2009-0851Weblink:http://www.vupen.com/english/advisories/2009/0851.

3.141.4References


SECTRACK1021898Weblink:http://securitytracker.com/id?1021898;BID34241Weblink:http://www.securityfocus.com/bid/34241;XFios-mobile-dos(49424)Weblink:http://xforce.iss.net/xforce/xfdb/49424.


3.142CVE-2009-0634

3.142.1Summary

Multipleunspecifiedvulnerabilitiesinthehomeagent(HA)implementationinthe(1)MobileIPNATTraversalfeatureand(2)MobileIPv6subsysteminCiscoIOS12.3through12.4allowremoteattackerstocauseadenialofservice(inputqueuewedgeandinterfaceoutage)viaanICMPpacket,akaBugIDCSCso05337.





CISCO20090325CiscoIOSSoftwareMobileIPandMobileIPv6VulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a9042f.shtml;Weblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90469.shtml;VUPENADV-2009-0851Weblink:http://www.vupen.com/english/advisories/2009/0851.

OverallRating:HIGH

CVSSv2Score:7.1

CVSSv2Base:AV:N/AC:M/Au:N/C:C/I:N/A:N(7.1)




OverallRating:HIGH

CVSSv2Score:7.1





3.142.4References


SECTRACK1021898Weblink:http://securitytracker.com/id?1021898;BID34241Weblink:http://www.securityfocus.com/bid/34241;XFios-mobile-dos(49424)Weblink:http://xforce.iss.net/xforce/xfdb/49424;XFios-mobile-ha-dos(49585)Weblink:http://xforce.iss.net/xforce/xfdb/49585.


3.143CVE-2009-2863

3.143.1Summary

RaceconditionintheFirewallAuthenticationProxyfeatureinCiscoIOS12.0through12.4allowsremoteattackerstobypassauthentication,orbypasstheconsentwebpage,viaacraftedrequest,akaBugIDCSCsy15227.





Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=18882;CISCO20090923CiscoIOSSoftwareAuthenticationProxyVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8132.shtml.

3.143.4References


BID36491Weblink:http://www.securityfocus.com/bid/36491;SECTRACK1022935Weblink:http://www.securitytracker.com/id?1022935;XFciscoios-authenticationproxy-sec-bypass(53453)Weblink:http://xforce.iss.net/xforce/xfdb/53453.


3.144CVE-2009-2873

3.144.1Summary

CiscoIOS12.0through12.4,whenIP-basedtunnelsandtheCiscoExpressForwardingfeatureareenabled,allowsremoteattackerstocauseadenialofservice(devicereload)viamalformedpackets,akaBugIDCSCsx70889.





Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=18895;Weblink:http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080af8113.html;CISCO20090923CiscoIOSSoftwareTunnelsVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8115.shtml;Weblink:http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep09.html.

3.144.4References



OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1






3.145CVE-2010-0577

3.145.1Summary

CiscoIOS12.2through12.4,whencertainPMTUD,SNAT,orwindow-sizeconfigurationsareused,allowsremoteattackerstocauseadenialofservice(infiniteloop,anddevicereloadorhang)viaaTCPsegmentwithcraftedoptions,akaBugIDCSCsz75186.





CISCO20100324CiscoIOSSoftwareCraftedTCPPacketDenialofServiceVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20f34.shtml.

3.145.4References


BID38930Weblink:http://www.securityfocus.com/bid/38930;SECTRACK1023743Weblink:http://www.securitytracker.com/id?1023743;VUPENADV-2010-0703Weblink:http://www.vupen.com/english/advisories/2010/0703;XFciscoios-tcpsegment-dos(57129)Weblink:http://xforce.iss.net/xforce/xfdb/57129.


3.146CVE-2010-2830

3.146.1Summary

TheIGMPv3implementationinCiscoIOS12.2,12.3,12.4,and15.0andIOSXE2.5.xbefore2.5.2,whenPIMisenabled,allowsremoteattackerstocauseadenialofservice(devicereload)viaamalformedIGMPpacket,akaBugIDCSCte14603.






CISCO20100922CiscoIOSSoftwareInternetGroupManagementProtocolDenialofServiceVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a310.shtml.


3.147CVE-2010-4684

3.147.1Summary

CiscoIOSbefore15.0(1)XA1,whencertainTFTPdebuggingisenabled,allowsremoteattackerstocauseadenialofservice(devicecrash)viaaTFTPcopyoverIPv6,akaBugIDCSCtb28877.




3.147.3References


Weblink:http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf;BID45769

OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1





Weblink:http://www.securityfocus.com/bid/45769;XFciscoios-tftp-dos(64587)Weblink:http://xforce.iss.net/xforce/xfdb/64587.


3.148CVE-2012-0382

3.148.1Summary

TheMulticastSourceDiscoveryProtocol(MSDP)implementationinCiscoIOS12.0,12.2through12.4,and15.0through15.2andIOSXE2.1.xthrough2.6.xand3.1.xSthrough3.4.xSbefore3.4.1Sand3.1.xSGand3.2.xSGbefore3.2.2SGallowsremoteattackerstocauseadenialofservice(devicereload)viaencapsulatedIGMPdatainanMSDPpacket,akaBugIDCSCtr28857.






CISCO20120328CiscoIOSSoftwareMulticastSourceDiscoveryProtocolVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp.

3.148.4References


BID52759Weblink:http://www.securityfocus.com/bid/52759;SECTRACK1026868Weblink:http://www.securitytracker.com/id?1026868;XFciscoios-msdp-dos(74431)Weblink:http://xforce.iss.net/xforce/xfdb/74431.


3.149CVE-2012-3950

3.149.1Summary

TheIntrusionPreventionSystem(IPS)featureinCiscoIOS12.3through12.4and15.0through15.2,incertainconfigurationsofenabledcategoriesandmissingsignatures,allowsremoteattackerstocauseadenialofservice(devicereload)viaDNSpackets,akaBugIDCSCtw55976.






CISCO20120926CiscoIOSSoftwareIntrusionPreventionSystemDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-ios-ips.

3.149.4References


BID55695Weblink:http://www.securityfocus.com/bid/55695;SECTRACK1027580Weblink:http://www.securitytracker.com/id?1027580;XFciscoios-ips-dos(78882)Weblink:http://xforce.iss.net/xforce/xfdb/78882.


3.150CVE-2012-4622

OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1





3.150.1Summary

CiscoIOSXE03.02.00.XO.15.0(2)XOonCatalyst4500Eseriesswitches,whenaSupervisorEngine7L-Ecardisinstalled,allowsremoteattackerstocauseadenialofservice(cardreload)viamalformedpacketsthattriggeruncorrectedECCerrormessages,akaBugIDCSCty88456.





CISCO20120926CiscoCatalyst4500ESeriesSwitchwithCiscoCatalystSupervisorEngine7L-EDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-ecc.

3.150.4References


BID55701Weblink:http://www.securityfocus.com/bid/55701;SECTRACK1027573Weblink:http://www.securitytracker.com/id?1027573;XFcisco-catalyst-dos(78886)Weblink:http://xforce.iss.net/xforce/xfdb/78886.


3.151CVE-2013-1143

3.151.1Summary

TheRSVPprotocolimplementationinCiscoIOS12.2and15.0through15.2andIOSXE3.1.xSthrough3.4.xSbefore3.4.5Sand3.5.xSthrough3.7.xSbefore3.7.2S,whenMPLS-TEisenabled,allowsremoteattackerstocauseadenialofservice(incorrectmemoryaccessanddevicereload)viaatrafficengineeringPATHmessageinanRSVPpacket,akaBugIDCSCtg39957.





CISCO20130327CiscoIOSSoftwareRSVPDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1143.

3.151.4Reference


CISCO20130327CiscoIOSSoftwareResourceReservationProtocolDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-rsvp.


3.152CVE-2013-1167

3.152.1Summary

CiscoIOSXE3.2through3.4before3.4.2S,and3.5,on1000seriesAggregationServicesRouters(ASR),whenbridgedomaininterface(BDI)isenabled,allowsremoteattackerstocauseadenialofservice(cardreload)viapacketsthatarenotproperlyhandledduringtheprocessingofencapsulation,akaBugIDCSCtt11558.





CISCO20130410MultipleVulnerabilitiesinCiscoIOSXESoftwarefor1000SeriesAggregationServicesRoutersWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asr1000.


OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1





3.153CVE-2013-5472

3.153.1Summary

TheNTPimplementationinCiscoIOS12.0through12.4and15.0through15.1,andIOSXE2.1through3.3,doesnotproperlyhandleencapsulationofmulticastNTPpacketswithinMSDPSAmessages,whichallowsremoteattackerstocauseadenialofservice(devicereload)byleveraginganMSDPpeerrelationship,akaBugIDCSCuc81226.






CISCO20130925CiscoIOSSoftwareMulticastNetworkTimeProtocolDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-ntp.


3.154CVE-2013-5481

3.154.1Summary

ThePPTPimplementationinCiscoIOS12.2and15.0through15.3,whenNATisused,allowsremoteattackerstocauseadenialofservice(devicereload)viacraftedTCPport-1723packets,akaBugIDCSCtq14817.







3.155CVE-2014-2107

3.155.1Summary

CiscoIOS12.2and15.0through15.3,whenusedwiththeKailashFPGAbefore2.6onRSP720-3C-10GEandRSP720-3CXL-10GEdevices,allowsremoteattackerstocauseadenialofservice(routeswitchprocessoroutage)viacraftedIPpackets,akaBugIDCSCug84789.





CISCO20140326Cisco7600SeriesRouteSwitchProcessor720with10GigabitEthernetUplinksDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-RSP72010GE.


3.156CVE-2014-2111

3.156.1Summary

TheApplicationLayerGateway(ALG)moduleinCiscoIOS12.2through12.4and15.0through15.4,whenNATisused,allowsremoteattackerstocauseadenialofservice(devicereload)viacraftedDNSpackets,akaBugIDCSCue00996.



CiscoRouter-router03;

OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1





CiscoRouter-CiscoIOS15.





3.157CVE-2014-3361

3.157.1Summary

TheALGmoduleinCiscoIOS15.0through15.4doesnotproperlyimplementSIPoverNAT,whichallowsremoteattackerstocauseadenialofservice(devicereload)viamultipartSDPIPv4traffic,akaBugIDCSCun54071.





CISCO20140924CiscoIOSSoftwareNetworkAddressTranslationDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-nat.

3.157.4Reference


Weblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-nat/cvrf/cisco-sa-20140924-nat_cvrf.xml.


3.158CVE-2015-0638

3.158.1Summary

CiscoIOS12.2,12.4,15.0,15.2,and15.3,whenaVRFinterfaceisconfigured,allowsremoteattackerstocauseadenialofservice(interfacequeuewedge)viacraftedICMPv4packets,akaBugIDCSCsi02145.





CISCO20150325CiscoIOSSoftwareVirtualRoutingandForwardingICMPQueueWedgeVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-wedge.

3.158.4Reference




3.159CVE-2015-0681

3.159.1Summary

TheTFTPserverinCiscoIOS12.2(44)SQ1,12.2(33)XN1,12.4(25e)JAM1,12.4(25e)JAO5m,12.4(23)JY,15.0(2)ED1,15.0(2)EY3,15.1(3)SVF4a,and15.2(2)JB1andIOSXE2.5.x,2.6.x,3.1.xS,3.2.xS,3.3.xS,3.4.xS,and3.5.xSbefore3.6.0S;3.1.xSG,3.2.xSG,and3.3.xSGbefore3.4.0SG;3.2.xSEbefore3.3.0SE;3.2.xXObefore3.3.0XO;3.2.xSQ;3.3.xSQ;and3.4.xSQallowsremoteattackerstocauseadenialofservice(devicehangorreload)viamultiplerequeststhattriggerimpropermemorymanagement,akaBugIDCSCts66733.



OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1





OverallRating:HIGH

CVSSv2Score:7.1







CISCO20150722CiscoIOSSoftwareTFTPServerDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150722-tftp;Weblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150722-tftp/cvrf/cisco-sa-20150722-tftp_cvrf.xml.


3.160CVE-2016-1344

3.160.1Summary

TheIKEv2implementationinCiscoIOS15.0through15.6andIOSXE3.3through3.17allowsremoteattackerstocauseadenialofservice(devicereload)viafragmentedpackets,akaBugIDCSCux38417.






CISCO20160323CiscoIOSandIOSXESoftwareInternetKeyExchangeVersion2FragmentationDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-ios-ikev2.


3.161CVE-2016-6381

3.161.1Summary

CiscoIOS12.4and15.0through15.6andIOSXE3.1through3.18and16.1allowremoteattackerstocauseadenialofservice(memoryconsumptionordevicereload)viafragmentedIKEv1packets,akaBugIDCSCuy47382.






CISCO20160928CiscoIOSandIOSXESoftwareInternetKeyExchangeVersion1FragmentationDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-ios-ikev1.

3.161.4Reference




3.162CVE-2016-6393

3.162.1Summary

TheAAAserviceinCiscoIOS12.0through12.4and15.0through15.6andIOSXE2.1through3.18and16.2allowsremoteattackerstocauseadenialofservice(devicereload)viaafailedSSHconnectionattemptthatismishandledduringgenerationofanerror-logmessage,akaBugIDCSCuy87667.





OverallRating:MEDIUM

CVSSv2Score:6.8

CVSSv2Base:AV:N/AC:M/Au:N/C:P/I:P/A:P(6.8)





CVSSv2Score:6.8

CVSSv2Base:AV:N/AC:L/Au:S/C:N/I:N/A:C(6.8)





CVSSv2Score:6.8


CISCO20160928CiscoIOSandIOSXESoftwareAAALoginDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-aaados.

3.162.4Reference




3.163CVE-2007-4295

3.163.1Summary

UnspecifiedvulnerabilityinCiscoIOS12.0through12.4allowsremoteattackerstoexecutearbitrarycodeviaamalformedSIPpacket,akaCSCsi80749.



3.163.3References


SECTRACK1018533Weblink:http://securitytracker.com/id?1018533;CISCO20070808VoiceVulnerabilitiesinCiscoIOSandCiscoUnifiedCommunicationsManagerWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080899653.shtml;BID25239Weblink:http://www.securityfocus.com/bid/25239;VUPENADV-2007-2816Weblink:http://www.vupen.com/english/advisories/2007/2816.


3.164CVE-2009-2872

3.164.1Summary

CiscoIOS12.0through12.4,whenIP-basedtunnelsandtheCiscoExpressForwardingfeatureareenabled,allowsremoteattackerstocauseadenialofservice(devicereload)viaamalformedpacketthatisnotproperlyhandledduringswitchingfromonetunneltoasecondtunnel,akaBugIDsCSCsh97579andCSCsq31776.





Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=18893;Weblink:http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080af8113.html;CISCO20090923CiscoIOSSoftwareTunnelsVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8115.shtml;Weblink:http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep09.html.

3.164.4References




3.165CVE-2009-5040

3.165.1Summary

CallManagerExpress(CME)onCiscoIOSbefore15.0(1)XAallowsremoteauthenticateduserstocause






CVSSv2Score:6.8






CVSSv2Score:6.8






CVSSv2Score:6.8



adenialofservice(devicecrash)byusinganextensionmobility(EM)phonetointeractwiththemenuforSNRnumberchanges,akaBugIDCSCta63555.




3.165.3References


Weblink:http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf;BID45765Weblink:http://www.securityfocus.com/bid/45765;XFciscoios-callmanager-dos(64681)Weblink:http://xforce.iss.net/xforce/xfdb/64681.


3.166CVE-2013-6686

3.166.1Summary

TheSSLVPNimplementationinCiscoIOS15.3(1)T2andearlierallowsremoteauthenticateduserstocauseadenialofservice(interfacequeuewedge)viacraftedDTLSpacketsinanSSLsession,akaBugIDsCSCuh97409andCSCud90568.





CISCO20131113CiscoIOSSoftwareSSLVPNInterfaceQueueWedgeDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6686;Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=31757.


3.167CVE-2016-1428

3.167.1Summary

DoublefreevulnerabilityinCiscoIOSXE3.15S,3.16S,and3.17Sallowsremoteauthenticateduserstocauseadenialofservice(devicerestart)viaasequenceofcraftedSNMPreadrequests,akaBugIDCSCux13174.





CISCO20160620CiscoIOSXESoftwareSNMPSubsystemDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160620-iosxe.

3.167.4Reference




3.168CVE-2016-1432

3.168.1Summary

CiscoIOSXE3.15Sand3.16SoncBR-8ConvergedBroadbandRouterdevicesallowsremoteauthenticateduserstocauseadenialofservice(NULLpointerdereferenceandcardrestart)viaacraftedSNMPrequest,akaBugIDCSCuu68862.




CVSSv2Score:6.4

CVSSv2Base:AV:N/AC:L/Au:N/C:P/I:P/A:N(6.4)





CVSSv2Score:6.3

CVSSv2Base:AV:N/AC:M/Au:S/C:N/I:N/A:C(6.3)





CVSSv2Score:6.3








CISCO20160617CiscocBR-8SeriesConvergedBroadbandRouterSNMPDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160617-cbr.


3.169CVE-2007-0917

3.169.1Summary

TheIntrusionPreventionSystem(IPS)featureforCiscoIOS12.4XEto12.3TallowsremoteattackerstobypassIPSsignaturesthatuseregularexpressionsviafragmentedpackets.



3.169.3References


CISCO20070213MultipleIOSIPSVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a00807e0a5b.shtml;MISCWeblink:http://www.cisco.com/en/US/products/products_security_response09186a00807e0a5e.html;BID22549Weblink:http://www.securityfocus.com/bid/22549;SECTRACK1017631Weblink:http://www.securitytracker.com/id?1017631;VUPENADV-2007-0597Weblink:http://www.vupen.com/english/advisories/2007/0597;XFcisco-ios-ips-security-bypass(32473)Weblink:http://xforce.iss.net/xforce/xfdb/32473.


3.170CVE-2007-2587

3.170.1Summary

TheIOSFTPServerinCiscoIOS11.3through12.4allowsremoteauthenticateduserstocauseadenialofservice(IOSreload)viaunspecifiedvectorsinvolvingtransferringfiles(akabugIDCSCse29244).



3.170.3References


CISCO20070509MultipleVulnerabilitiesintheIOSFTPServerWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a00808399d0.shtml;BID23885Weblink:http://www.securityfocus.com/bid/23885;SECTRACK1018030Weblink:http://www.securitytracker.com/id?1018030;VUPENADV-2007-1749Weblink:http://www.vupen.com/english/advisories/2007/1749;XFcisco-ios-ftpserver-dos(34196)Weblink:http://xforce.iss.net/xforce/xfdb/34196.


3.171CVE-2012-1338

3.171.1Summary

CiscoIOS15.0and15.1onCatalyst3560and3750seriesswitchesallowsremoteauthenticateduserstocauseadenialofservice(devicereload)bycompletinglocalwebauthenticationquickly,akaBugIDCSCts88664.



CVSSv2Score:6.3






CVSSv2Score:6.1

CVSSv2Base:AV:A/AC:L/Au:N/C:N/I:N/A:C(6.1)









Weblink:http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/release/notes/OL25302.html.

3.171.4Reference




3.172CVE-2012-3895

3.172.1Summary

CiscoIOS15.0through15.3allowsremoteauthenticateduserstocauseadenialofservice(devicecrash)viaanMVPNv6update,akaBugIDCSCty89224.



3.172.3References


Weblink:http://www.cisco.com/en/US/docs/ios/15_2s/release/notes/15_2s_caveats_15_2_2s.html;XFciscoios-mvpnv6-dos(78872)Weblink:http://xforce.iss.net/xforce/xfdb/78872.


3.173CVE-2005-0197

3.173.1Summary

CiscoIOS12.1T,12.2,12.2T,12.3and12.3T,withMultiProtocolLabelSwitching(MPLS)installedbutdisabled,allowsremoteattackerstocauseadenialofservice(devicereload)viaacraftedpacketsenttothedisabledinterface.





CISCO20050126CraftedPacketCausesReloadonCiscoRoutersWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml;CERT-VNVU#583638Weblink:http://www.kb.cert.org/vuls/id/583638;CERTTA05-026AWeblink:http://www.us-cert.gov/cas/techalerts/TA05-026A.html;XFcisco-ios-mpls-dos(19071)Weblink:http://xforce.iss.net/xforce/xfdb/19071.

3.173.4References


SECTRACK1013015Weblink:http://securitytracker.com/id?1013015;BID12369Weblink:http://www.securityfocus.com/bid/12369.


3.174CVE-2011-3274

3.174.1Summary

CVSSv2Score:6.1






CVSSv2Score:6.1






CVSSv2Score:6.1






CVSSv2Score:5.8

CVSSv2Base:AV:N/AC:M/Au:N/C:P/I:N/A:P(5.8)


UnspecifiedvulnerabilityinCiscoIOS12.2SREbefore12.2(33)SRE4,15.0,and15.1,andIOSXE2.1.xthrough3.3.x,whenanMPLSdomainisconfigured,allowsremoteattackerstocauseadenialofservice(devicecrash)viaacraftedIPv6packet,relatedtoanexpiredMPLSTTL,akaBugIDCSCto07919.





CISCO20110928CiscoIOSSoftwareIPv6overMPLSVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d52.shtml.

3.174.4Reference




3.175CVE-2012-1327

3.175.1Summary

dot11t/t_if_dot11_hal_ath.cinCiscoIOS12.3,12.4,15.0,and15.1allowsremoteattackerstocauseadenialofservice(assertionfailureandreboot)via802.11wirelesstraffic,asdemonstratedbyavideocallfromAppleiOS5.0onaniPhone4S,akaBugIDCSCtt94391.




3.175.3Reference


Weblink:http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151-2TCAVS.html.


3.176CVE-2016-1425

3.176.1Summary

CiscoIOS15.0(2)SG5,15.1(2)SG3,15.2(1)E,15.3(3)S,and15.4(1.13)Sallowsremoteattackerstocauseadenialofservice(devicecrash)viaacraftedLLDPpacket,akaBugIDCSCun66735.





CISCO20160617CiscoIOSSoftwareLinkLayerDiscoveryProtocolProcessingCodeDenialofServiceVulnerabilityWeblink:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160616-ios1.

3.176.4Reference




3.177CVE-2013-0149

3.177.1Summary

TheOSPFimplementationinCiscoIOS12.0through12.4and15.0through15.3,IOS-XE2.xthrough3.9.xS,ASAandPIX7.xthrough9.1,FWSM,NX-OS,andStarOSbefore14.0.50488doesnotproperlyvalidateLinkStateAdvertisement(LSA)type1packetsbeforeperformingoperationsontheLSA




CVSSv2Score:5.4

CVSSv2Base:AV:N/AC:H/Au:N/C:N/I:N/A:C(5.4)





CVSSv2Score:5.4






CVSSv2Score:5.4

database,whichallowsremoteattackerstocauseadenialofservice(routingdisruption)orobtainsensitivepacketinformationviaa(1)unicastor(2)multicastpacket,akaBugIDsCSCug34485,CSCug34469,CSCug39762,CSCug63304,andCSCug39795.





CISCO20130801OSPFLSAManipulationVulnerabilityinMultipleCiscoProductsWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130801-lsaospf.

3.177.4Reference


CERT-VNVU#229804Weblink:http://www.kb.cert.org/vuls/id/229804.


3.178CVE-2011-1625

3.178.1Summary

CiscoIOS12.2,12.3,12.4,15.0,and15.1,whenthedata-linkswitching(DLSw)featureisconfigured,allowsremoteattackerstocauseadenialofservice(devicecrash)bysendingasequenceofmalformedpacketsandleveraginga"narrowtimingwindow,"akaBugIDCSCtf74999,adifferentvulnerabilitythanCVE-2007-0199,CVE-2008-1152,andCVE-2009-0629.




3.178.3Reference


Weblink:http://www.cisco.com/en/US/docs/cable/cmts/release/notes/12_2sc/uBR7200/122_33_SCF/caveats.html.


3.179CVE-2011-2586

3.179.1Summary

TheHTTPclientinCiscoIOS12.4and15.0allowsuser-assistedremoteattackerstocauseadenialofservice(devicecrash)viaamalformedHTTPresponsetoarequestforserviceinstallation,akaBugIDCSCts12249.






3.179.4Reference




3.180CVE-2011-4007

3.180.1Summary

CiscoIOS15.0and15.1andIOSXE3.xdonotproperlyhandlethe"setmplsexperimentalimposition"






CVSSv2Score:5.4






CVSSv2Score:5.4






CVSSv2Score:5.1

CVSSv2Base:AV:N/AC:H/Au:N/C:P/I:P/A:P(5.1)




command,whichallowsremoteattackerstocauseadenialofservice(devicecrash)vianetworktrafficthattriggers(1)fragmentationor(2)reassembly,akaBugIDCSCtr56576.



3.180.3References


Weblink:http://www.cisco.com/en/US/docs/ios/ios_xe/3/release/notes/asr1k_caveats_33s.html;SECTRACK1027005Weblink:http://www.securitytracker.com/id?1027005.


3.181CVE-2011-4016

3.181.1Summary

ThePPPimplementationinCiscoIOS12.2and15.0through15.2,whenPoint-to-PointTerminationandAggregation(PTA)andL2TPareused,allowsremoteattackerstocauseadenialofservice(devicecrash)viacraftednetworktraffic,akaBugIDCSCtf71673.



3.181.3References


Weblink:http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151-2TCAVS.html;SECTRACK1027005Weblink:http://www.securitytracker.com/id?1027005.


3.182CVE-2011-4019

3.182.1Summary

MemoryleakinCiscoIOS12.4and15.0through15.2,andCiscoUnifiedCommunicationsManager(CUCM)7.x,allowsremoteattackerstocauseadenialofservice(memoryconsumption)viaacraftedresponsetoaSIPSUBSCRIBEmessage,akaBugIDsCSCto93837andCSCtj61883.



3.182.3References


Weblink:http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TCAVS.html;Weblink:http://www.cisco.com/web/software/282074295/90289/cucm-readme-715bsu5.pdf.


3.183CVE-2008-1156

3.183.1Summary

UnspecifiedvulnerabilityintheMulticastVirtualPrivateNetwork(MVPN)implementationinCiscoIOS12.0,12.2,12.3,and12.4allowsremoteattackerstocreate"extramulticaststatesonthecorerouters"viaacraftedMulticastDistributionTree(MDT)DataJoinmessage.



3.183.3References


CISCO20080326CiscoIOSMulticastVirtualPrivateNetwork(MVPN)DataLeakWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml;BID28464Weblink:http://www.securityfocus.com/bid/28464;


CVSSv2Score:5.0

CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:P(5.0)





CVSSv2Score:5.0





SECTRACK1019715Weblink:http://www.securitytracker.com/id?1019715;CERTTA08-087BWeblink:http://www.us-cert.gov/cas/techalerts/TA08-087B.html;VUPENADV-2008-1006Weblink:http://www.vupen.com/english/advisories/2008/1006/references;XFcisco-ios-mvpm-information-disclosure(41468)Weblink:http://xforce.iss.net/xforce/xfdb/41468.


3.184CVE-2004-0714

3.184.1Summary

CiscoInternetworkOperatingSystem(IOS)12.0Sthrough12.3TattemptstoprocessSNMPsolicitedoperationsonimproperports(UDP162andarandomlychosenUDPport),whichallowsremoteattackerstocauseadenialofservice(devicereloadandmemorycorruption).





CISCO20040420VulnerabilitiesinSNMPMessageProcessingWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml;CERT-VNVU#162451Weblink:http://www.kb.cert.org/vuls/id/162451;BID10186Weblink:http://www.securityfocus.com/bid/10186;CERTTA04-111BWeblink:http://www.us-cert.gov/cas/techalerts/TA04-111B.html.

3.184.4Reference


XFcisco-ios-snmp-udp-dos(15921)Weblink:http://xforce.iss.net/xforce/xfdb/15921.


3.185CVE-2004-1454

3.185.1Summary

CiscoIOS12.0S,12.2,and12.3,withOpenShortestPathFirst(OSPF)enabled,allowsremoteattackerstocauseadenialofservice(devicereload)viaamalformedOSPFpacket.





CIACO-199Weblink:http://www.ciac.org/ciac/bulletins/o-199.shtml;CISCO20040818CiscoIOSMalformedOSPFPacketCausesReloadWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20040818-ospf.shtml;CERT-VNVU#989406Weblink:http://www.kb.cert.org/vuls/id/989406.

3.185.4References


BID10971Weblink:http://www.securityfocus.com/bid/10971;XFcisco-ios-ospf-dos(17033)Weblink:http://xforce.iss.net/xforce/xfdb/17033.



CVSSv2Score:5.0






CVSSv2Score:5.0






CVSSv2Score:5.0





3.186CVE-2004-1464

3.186.1Summary

CiscoIOS12.2(15)andearlierallowsremoteattackerstocauseadenialofservice(refusedVTY(virtualterminal)connections),viaacraftedTCPconnectiontotheTelnetorreverseTelnetport.





CISCO20040827CiscoTelnetDenialofServiceVulnerabilityWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml;CERT-VNVU#384230Weblink:http://www.kb.cert.org/vuls/id/384230.

3.186.4References


SECTRACK1011079Weblink:http://securitytracker.com/id?1011079;BID11060Weblink:http://www.securityfocus.com/bid/11060;XFcisco-ios-telnet-dos(17131)Weblink:http://xforce.iss.net/xforce/xfdb/17131.


3.187CVE-2005-0186

3.187.1Summary

CiscoIOS12.1YD,12.2T,12.3and12.3T,whenconfiguredfortheIOSTelephonyService(ITS),CallManagerExpress(CME)orSurvivableRemoteSiteTelephony(SRST),allowsremoteattackerstocauseadenialofservice(devicereboot)viaamalformedpackettotheSCCPport.





CISCO20050119VulnerabilityinCiscoIOSEmbeddedCallProcessingSolutionsWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20050119-itscme.shtml;XFcisco-ios-sccp-dos(18956)Weblink:http://xforce.iss.net/xforce/xfdb/18956.

3.187.4Reference




3.188CVE-2005-0195

3.188.1Summary

CiscoIOS12.0Sthrough12.3YHallowsremoteattackerstocauseadenialofservice(devicerestart)viaacraftedIPv6packet.





CISCO20050126MultipleCraftedIPv6PacketsCauseReloadWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml;


CVSSv2Score:5.0






CVSSv2Score:5.0





CERT-VNVU#472582Weblink:http://www.kb.cert.org/vuls/id/472582;CERTTA05-026AWeblink:http://www.us-cert.gov/cas/techalerts/TA05-026A.html;XFcisco-ios-ipv6-dos(19072)Weblink:http://xforce.iss.net/xforce/xfdb/19072.


3.189CVE-2005-0196

3.189.1Summary

CiscoIOS12.0through12.3YL,withBGPenabledandrunningthebgplog-neighbor-changescommand,allowsremoteattackerstocauseadenialofservice(devicereload)viaamalformedBGPpacket.





CISCO20050126CiscoIOSMisformedBGPPacketCausesReloadWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml;CERT-VNVU#689326Weblink:http://www.kb.cert.org/vuls/id/689326;CERTTA05-026AWeblink:http://www.us-cert.gov/cas/techalerts/TA05-026A.html;XFcisco-ios-bgp-packetdos(19074)Weblink:http://xforce.iss.net/xforce/xfdb/19074.

3.189.4Reference




3.190CVE-2005-3669

3.190.1Summary

MultipleunspecifiedvulnerabilitiesintheInternetKeyExchangeversion1(IKEv1)implementationinmultipleCiscoproductsallowremoteattackerstocauseadenialofservice(devicereset)viacertainmalformedIKEpackets,asdemonstratedbythePROTOSISAKMPTestSuiteforIKEv1.NOTE:duetothelackofdetailsintheCiscoadvisory,itisunclearwhichofCVE-2005-3666,CVE-2005-3667,and/orCVE-2005-3668thisissueappliesto.





CISCO20051114MultipleVulnerabilitiesFoundbyPROTOSIPSecTestSuiteWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20051114-ipsec.shtml;CERT-VNVU#226364Weblink:http://www.kb.cert.org/vuls/id/226364;MISCWeblink:http://www.niscc.gov.uk/niscc/docs/br-20051114-01013.html?lang=en.

3.190.4References


MISCWeblink:http://jvn.jp/niscc/NISCC-273756/index.html;SECTRACK1015198Weblink:http://securitytracker.com/id?1015198;SECTRACK1015199Weblink:http://securitytracker.com/id?1015199;SECTRACK1015200Weblink:http://securitytracker.com/id?1015200;


CVSSv2Score:5.0






CVSSv2Score:5.0





SECTRACK1015201Weblink:http://securitytracker.com/id?1015201;SECTRACK1015202Weblink:http://securitytracker.com/id?1015202;MISCWeblink:http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/;BID15401Weblink:http://www.securityfocus.com/bid/15401.


3.191CVE-2007-4430

3.191.1Summary

UnspecifiedvulnerabilityinCiscoIOS12.0through12.4allowscontext-dependentattackerstocauseadenialofservice(devicerestartandBGProutingtablerebuild)viacertainregularexpressionsina"showipbgpregexp"command.NOTE:unauthenticatedremoteattacksarepossibleinenvironmentswithanonymoustelnetandLookingGlassaccess.






3.191.4References


MISCWeblink:http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddf7bc9CISCO20070912CiscoIOSReloadonRegularExpressionProcessingWeblink:http://www.cisco.com/en/US/products/products_security_response09186a00808bb91c.html;MISCWeblink:http://www.heise-security.co.uk/news/94526/;BID25352Weblink:http://www.securityfocus.com/bid/25352;SECTRACK1018685Weblink:http://www.securitytracker.com/id?1018685;MLIST[cisco-nsp]20070817Headsup:"shipbgpregexp"crashingrouterWeblink:https://puck.nether.net/pipermail/cisco-nsp/2007-August/043002.html;MLIST[cisco-nsp]20070817Aboutthepostingentitled"Headsup:"shipbgpregexp"crashingrouter"Weblink:https://puck.nether.net/pipermail/cisco-nsp/2007-August/043010.html.


3.192CVE-2010-4687

3.192.1Summary

STCAPP(akatheSCCPtelephonycontrolapplication)onCiscoIOSbefore15.0(1)XA1doesnotproperlyhandlemultiplecallstoasharedline,whichallowsremoteattackerstocauseadenialofservice(porthang)bysimultaneouslyendingtwocallsthatwerecontrolledbyCallManagerExpress(CME),akaBugIDCSCtd42552.




3.192.3References


Weblink:http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf;BID45769Weblink:http://www.securityfocus.com/bid/45769;XFciscoios-stcapp-dos(64584)Weblink:http://xforce.iss.net/xforce/xfdb/64584.



CVSSv2Score:5.0

CVSSv2Base:AV:N/AC:L/Au:N/C:P/I:N/A:N(5.0)





CVSSv2Score:5.0

CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:P/A:N(5.0)





CVSSv2Score:5.0





3.193CVE-2011-2059

3.193.1Summary

Theipv6componentinCiscoIOSbefore15.1(4)M1.3allowsremoteattackerstoconductfingerprintingattacksandobtainpotentiallysensitiveinformationaboutthepresenceoftheIOSoperatingsystemviaanICMPv6EchoRequestpacketcontainingaHop-by-Hop(HBH)extensionheader(EH)witha0x0c01050cvalueinthePadNoptiondata,akaBugIDCSCtq02219.




3.193.3References


Weblink:http://blogs.cisco.com/security/1999tcp-redux-the-ipv6-flavor;Weblink:http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=36606&signatureSubId=0.


3.194CVE-2011-2395

3.194.1Summary

TheNeighborDiscovery(ND)protocolimplementationinCiscoIOSonunspecifiedswitchesallowsremoteattackerstobypasstheRouterAdvertisementGuardingfunctionalityviaafragmentedIPv6packetinwhichtheRouterAdvertisement(RA)messageiscontainedinthesecondfragment,asdemonstratedby(1)apacketinwhichthefirstfragmentcontainsalongDestinationOptionsextensionheaderor(2)apacketinwhichthefirstfragmentcontainsanICMPv6EchoRequestmessage.



3.194.3References


FULLDISC20110523BypassingCisco'sICMPv6RouterAdvertisementGuardfeatureWeblink:http://seclists.org/fulldisclosure/2011/May/446;SREASON8271Weblink:http://securityreason.com/securityalert/8271;XFciscoios-nd-security-bypass(67940)Weblink:http://xforce.iss.net/xforce/xfdb/67940.


3.195CVE-2012-0338

3.195.1Summary

CiscoIOS12.2through12.4and15.0doesnotrecognizethevrf-alsokeywordduringenforcementofaccess-classcommands,whichallowsremoteattackerstoestablishSSHconnectionsfromarbitrarysourceIPaddressesviaastandardSSHclient,akaBugIDCSCsv86113.




3.195.3References


Weblink:http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/caveats_SXH_rebuilds.html;SECTRACK1027005Weblink:http://www.securitytracker.com/id?1027005;Weblink:https://supportforums.cisco.com/thread/2030226.


3.196CVE-2012-0339


CVSSv2Score:5.0






CVSSv2Score:5.0






CVSSv2Score:5.0






CVSSv2Score:5.0





3.196.1Summary

CiscoIOS12.2through12.4and15.0doesnotrecognizethevrf-alsokeywordduringenforcementofaccess-classcommands,whichallowsremoteattackerstoestablishTELNETconnectionsfromarbitrarysourceIPaddressesviaastandardTELNETclient,akaBugIDCSCsi77774.




3.196.3References


Weblink:http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/caveats_SXF_rebuilds.html;SECTRACK1027005Weblink:http://www.securitytracker.com/id?1027005.


3.197CVE-2012-1367

3.197.1Summary

TheMallocLiteimplementationinCiscoIOS12.0,12.2,15.0,15.1,and15.2allowsremoteattackerstocauseadenialofservice(RouteProcessorcrash)viaaBGPUPDATEmessagewithamodifiedlocal-preference(akaLOCAL_PREF)attributelength,akaBugIDCSCtq06538.





Weblink:http://www.cisco.com/en/US/docs/ios/12_2sr/release/notes/122SRcavs1.html.


3.198CVE-2014-2143

3.198.1Summary

TheIKEimplementationinCiscoIOS15.4(1)TandearlierandIOSXEallowsremoteattackerstocauseadenialofservice(security-associationdrop)viacraftedMainModepackets,akaBugIDCSCun31021.





CISCO20140403CiscoIOSSoftwareIKEMainModeVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2143;Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=33639.


3.199CVE-2016-1384

3.199.1Summary

TheNTPimplementationinCiscoIOS15.1and15.5andIOSXE3.2through3.17allowsremoteattackerstomodifythesystemtimeviacraftedpackets,akaBugIDCSCux46898.






CVSSv2Score:5.0






CVSSv2Score:5.0

CVSSv2Base:AV:N/AC:L/Au:N/C:P/I:N/A:N(5.0)





CVSSv2Score:4.9


CISCO20160419CiscoIOSandCiscoIOSXEntpSubsystemUnauthorizedAccessVulnerabilityWeblink:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160419-ios.

3.199.4Reference




3.200CVE-2016-1409

3.200.1Summary

TheNeighborDiscovery(ND)protocolimplementationintheIPv6stackinCiscoIOSXE2.1through3.17S,IOSXR2.0.0through5.3.2,andNX-OSallowsremoteattackerstocauseadenialofservice(packet-processingoutage)viacraftedNDmessages,akaBugIDCSCuz66542,asexploitedinthewildinMay2016.






CISCO20160525CiscoProductsIPv6NeighborDiscoveryCraftedPacketDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6.

3.200.4References


Weblink:http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160824-01-ipv6-en;BID90872Weblink:http://www.securityfocus.com/bid/90872.


3.201CVE-2016-6415

3.201.1Summary

TheserverIKEv1implementationinCiscoIOS12.2through12.4and15.0through15.6,IOSXEthrough3.18S,IOSXR4.3.xand5.0.xthrough5.2.x,andPIXbefore7.0allowsremoteattackerstoobtainsensitiveinformationfromdevicememoryviaaSecurityAssociation(SA)negotiationrequest,akaBugIDsCSCvb29204andCSCvb36055orBENIGNCERTAIN.






CISCO20160916IKEv1InformationDisclosureVulnerabilityinMultipleCiscoProductsWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1;BID93003Weblink:http://www.securityfocus.com/bid/93003.


3.202CVE-2016-1459

3.202.1Summary

CiscoIOS12.4and15.0through15.5andIOSXE3.13through3.17allowremoteauthenticateduserstocauseadenialofservice(devicereload)viacraftedattributesinaBGPmessage,akaBugID

CVSSv2Base:AV:N/AC:H/Au:S/C:N/I:N/A:C(4.9)





CVSSv2Score:4.6

CVSSv2Base:AV:L/AC:L/Au:N/C:P/I:P/A:P(4.6)





CVSSv2Score:4.6

CVSSv2Base:AV:L/AC:L/Au:N/C:P/I:P/A:P(4.6)




CSCuz21061.





CISCO20160715CiscoIOSandIOSXESoftwareBorderGatewayProtocolMessageProcessingDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160715-bgp.

3.202.4Reference




3.203CVE-2006-0485

3.203.1Summary

TheTCLshellinCiscoIOS12.2(14)Sbefore12.2(14)S16,12.2(18)Sbefore12.2(18)S11,andcertainotherreleasesbefore25January2006doesnotperformAuthentication,Authorization,andAccounting(AAA)commandauthorizationchecks,whichmayallowlocaluserstoexecuteIOSEXECcommandsthatwereprohibitedviatheAAAconfiguration,akaBugIDCSCeh73049.





CISCO20060125ResponsetoAAACommandAuthorizationby-passWeblink:http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml.

3.203.4References


SECTRACK1015543Weblink:http://securitytracker.com/id?1015543;BID16383Weblink:http://www.securityfocus.com/bid/16383;VUPENADV-2006-0337Weblink:http://www.vupen.com/english/advisories/2006/0337;XFcisco-aaa-tcl-auth-bypass(24308)Weblink:http://xforce.iss.net/xforce/xfdb/24308.


3.204CVE-2006-0486

3.204.1Summary

CertainCiscoIOSreleasesin12.2Sbasedtrainswithmaintenancereleasenumber25andlater,12.3Tbasedtrains,and12.4basedtrainsreuseaTclShellprocessacrossloginsessionsofdifferentlocalusersonthesameterminalifthefirstuserdoesnotusetclquitbeforeexiting,whichmaycausesubsequentlocaluserstoexecuteunintendedcommandsorbypassAAAcommandauthorizationchecks,akaBugIDCSCef77770.





CISCO20060125ResponsetoAAACommandAuthorizationby-passWeblink:http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml.

3.204.4References


CVSSv2Score:4.3

CVSSv2Base:AV:N/AC:M/Au:N/C:N/I:P/A:N(4.3)





CVSSv2Score:4.3

CVSSv2Base:AV:N/AC:M/Au:N/C:N/I:P/A:N(4.3)





CVSSv2Score:4.0


SECTRACK1015543Weblink:http://securitytracker.com/id?1015543;XFcisco-aaa-tcl-auth-bypass(24308)Weblink:http://xforce.iss.net/xforce/xfdb/24308.


3.205CVE-2008-3821

3.205.1Summary

Multiplecross-sitescripting(XSS)vulnerabilitiesintheHTTPserverinCiscoIOS11.0through12.4allowremoteattackerstoinjectarbitrarywebscriptorHTMLvia(1)thequerystringtothepingprogramor(2)unspecifiedotheraspectsoftheURI.





CISCO20090114CiscoIOSCross-SiteScriptingVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_response09186a0080a5c501.html.

3.205.4References


JVNJVN#28344798Weblink:http://jvn.jp/en/jp/JVN28344798/index.html;SREASON4916Weblink:http://securityreason.com/securityalert/4916;SECTRACK1021598Weblink:http://securitytracker.com/id?1021598;MISCWeblink:http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-19;BUGTRAQ20090114PR08-19:XSSonCiscoIOSHTTPServerWeblink:http://www.securityfocus.com/archive/1/archive/1/500063/100/0/threaded;BID33260Weblink:http://www.securityfocus.com/bid/33260;VUPENADV-2009-0138Weblink:http://www.vupen.com/english/advisories/2009/0138;XFcisco-ios-httpserver-ping-xss(47947)Weblink:http://xforce.iss.net/xforce/xfdb/47947.


3.206CVE-2012-0362

3.206.1Summary

TheextendedACLfunctionalityinCiscoIOS12.2(58)SE2and15.0(1)SEdiscardsalllinesthatendwithalogortimekeyword,whichallowsremoteattackerstobypassintendedaccessrestrictionsinopportunisticcircumstancesbysendingnetworktraffic,akaBugIDCSCts01106.



3.206.3References


MLIST[cisco-nsp]20120202AmbiguousACL"log"in12.2(58)SE2?Weblink:http://puck.nether.net/pipermail/cisco-nsp/2012-February/083517.html;SECTRACK1027005Weblink:http://www.securitytracker.com/id?1027005.


3.207CVE-2010-4685

3.207.1Summary

CiscoIOSbefore15.0(1)XA1doesnotclearthepublickeycacheuponachangetoacertificatemap,

CVSSv2Base:AV:N/AC:L/Au:S/C:P/I:N/A:N(4.0)





CVSSv2Score:3.6

CVSSv2Base:AV:L/AC:L/Au:N/C:P/I:P/A:N(3.6)





CVSSv2Score:3.5

CVSSv2Base:AV:N/AC:M/Au:S/C:N/I:N/A:P(3.5)




OverallRating:LOW

CVSSv2Score:2.6

CVSSv2Base:AV:N/AC:H/Au:N/C:N/I:P/A:N(2.6)


whichallowsremoteauthenticateduserstobypassacertificatebanbyconnectingwithabannedcertificatethathadpreviouslybeenvalid,akaBugIDCSCta79031.




3.207.3References


Weblink:http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf;BID45769Weblink:http://www.securityfocus.com/bid/45769;XFciscoios-certificate-security-bypass(64586)Weblink:http://xforce.iss.net/xforce/xfdb/64586.


3.208CVE-2011-3289

3.208.1Summary

CiscoIOS12.4and15.0through15.2allowsphysicallyproximateattackerstobypasstheNoServicePassword-Recoveryfeatureandreadthestart-upconfigurationviaunspecifiedvectors,akaBugIDCSCtr97640.



3.208.3References


Weblink:http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151-2TCAVS.html;SECTRACK1027005Weblink:http://www.securitytracker.com/id?1027005.


3.209CVE-2012-3923

3.209.1Summary

TheSSLVPNimplementationinCiscoIOS12.4,15.0,15.1,and15.2,whenDTLSisnotenabled,doesnotproperlyhandlecertainoutboundACLconfigurations,whichallowsremoteauthenticateduserstocauseadenialofservice(devicecrash)viaasessioninvolvingaPPPoverATM(PPPoA)interface,akaBugIDCSCte41827.





Weblink:http://www.cisco.com/en/US/docs/ios/15_2m_and_t/release/notes/152-1TCAVS.html.

3.209.4Reference


XFciscoios-sslvpn-dtls-dos(78670)Weblink:http://xforce.iss.net/xforce/xfdb/78670.


3.210CVE-2005-3921

3.210.1Summary

Cross-sitescripting(XSS)vulnerabilityinCiscoIOSWebServerforIOS12.0(2a)allowsremoteattackerstoinjectarbitrarywebscriptorHTMLby(1)packetscontainingHTMLthatanadministratorviewsviaanHTTPinterfacetothecontentsofmemorybuffers,asdemonstratedbytheURI/level/15/exec/-/buffers/assigned/dump;or(2)sendingtherouterCiscoDiscoveryProtocol(CDP)packetswithHTML



OverallRating:LOW

CVSSv2Score:2.1

CVSSv2Base:AV:L/AC:L/Au:N/C:N/I:N/A:P(2.1)




payloadthatanadministratorviewsviatheCDPstatuspages.NOTE:thesevectorswereoriginallyreportedasbeingassociatedwiththedumpandpacketoptionsin/level/15/exec/-/show/buffers.





MISCWeblink:http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/cisco/index.html.

3.210.4References


SREASON227Weblink:http://securityreason.com/securityalert/227;SECTRACK1015275Weblink:http://securitytracker.com/id?1015275;CISCO20051201IOSHTTPServerCommandInjectionVulnerabilityWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml;IDEFENSE20060117CiscoSystemsIOS11WebServiceCDPStatusPageCodeInjectionVulnerabilityWeblink:http://www.idefense.com/intelligence/vulnerabilities/display.php?id=372;BUGTRAQ20051128-CiscoIOSHTTPServercodeinjection/executionvulnerability-Weblink:http://www.securityfocus.com/archive/1/archive/1/417916/100/0/threaded;BID15602Weblink:http://www.securityfocus.com/bid/15602;BID16291Weblink:http://www.securityfocus.com/bid/16291;VUPENADV-2005-2657Weblink:http://www.vupen.com/english/advisories/2005/2657.


3.211CVE-2005-2451

3.211.1Summary

CiscoIOS12.0through12.4andIOSXRbefore3.2,withIPv6enabled,allowsremoteattackersonalocalnetworksegmenttocauseadenialofservice(devicereload)andpossiblyexecutearbitrarycodeviaacraftedIPv6packet.





CISCO20050729IPv6CraftedPacketVulnerabilityWeblink:http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.

3.211.4References


FULLDISC20050729CiscoIOSShellcodePresentationWeblink:http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0663.html;SECTRACK1014598Weblink:http://securitytracker.com/id?1014598;CERT-VNVU#930892Weblink:http://www.kb.cert.org/vuls/id/930892;BID14414Weblink:http://www.securityfocus.com/bid/14414;CERTTA05-210AWeblink:http://www.us-cert.gov/cas/techalerts/TA05-210A.html;XFcisco-ios-ipv6-packet-command-execution(21591)Weblink:http://xforce.iss.net/xforce/xfdb/21591.


3.212Conclusions

NipperStudioperformedasoftwarevulnerabilityauditofthetwodeviceslistedinTable83on2March2017.DuringtheauditNipperStudioidentified210vulnerabilities,themostsignificantwasratedasCRITICAL.

Table83:Softwarevulnerabilityauditconclusions

Device Type Findings Highest

router03 CiscoRouter 133 CRITICAL

CiscoIOS15 CiscoRouter 132 CRITICAL

Table84liststhevulnerabilitiesidentifiedduringtheauditandtheaffecteddevices.

Vulnerability CVSSv2Score Rating AffectedDevices Section

CVE-2006-4950 10.0 CRITICAL router03 3.2




CVE-2011-0935 10.0 CRITICAL CiscoIOS15 3.6












CVE-2008-3805 8.5 HIGH router03 3.18

CVE-2008-3806 8.5 HIGH router03 3.19

CVE-2012-0384 8.5 HIGH router03

CiscoIOS15

3.20


CiscoIOS15

3.21

CVE-2007-0479 7.8 HIGH router03 3.22

CVE-2007-0481 7.8 HIGH router03 3.23

CVE-2007-0648 7.8 HIGH router03 3.24

CVE-2007-2813 7.8 HIGH router03 3.25

CVE-2008-1152 7.8 HIGH router03 3.26

CVE-2008-2739 7.8 HIGH router03 3.27

CVE-2008-3799 7.8 HIGH router03 3.28

CVE-2008-3808 7.8 HIGH router03 3.29

CVE-2009-0626 7.8 HIGH router03 3.30

CVE-2009-0631 7.8 HIGH router03 3.31

CVE-2009-0636 7.8 HIGH router03 3.32

CVE-2009-2866 7.8 HIGH router03 3.33

CVE-2009-2868 7.8 HIGH router03 3.34

CVE-2009-2870 7.8 HIGH router03 3.35


CiscoIOS15

3.36


CiscoIOS15

3.37

CVE-2010-0576 7.8 HIGH router03 3.38

CVE-2010-0578 7.8 HIGH router03 3.39

CVE-2010-0579 7.8 HIGH router03 3.40


CiscoIOS15

3.41

CVE-2010-0585 7.8 HIGH router03 3.42

CVE-2010-0586 7.8 HIGH router03 3.43


CiscoIOS15

3.44


CiscoIOS15

3.45


CiscoIOS15

3.46

CVE-2010-2832 7.8 HIGH router03 3.47

CiscoIOS15


CiscoIOS15

3.48


CiscoIOS15

3.49


CiscoIOS15

3.50

CVE-2010-2836 7.8 HIGH CiscoIOS15 3.51


CiscoIOS15

3.52


CiscoIOS15

3.53


CiscoIOS15

3.54




CiscoIOS15

3.57


CiscoIOS15

3.58






CiscoIOS15

3.63


CiscoIOS15

3.64


CiscoIOS15

3.65


CiscoIOS15

3.66


CiscoIOS15

3.67




CiscoIOS15

3.70









CVE-2012-1350 7.8 HIGH router03 3.79


CiscoIOS15

3.80






CiscoIOS15

3.85


CiscoIOS15

3.86




CiscoIOS15

3.89


CiscoIOS15

3.90


CiscoIOS15

3.91







CiscoIOS15

3.97

















CiscoIOS15

3.113



CiscoIOS15

3.115



CiscoIOS15

3.117


CiscoIOS15

3.118



CiscoIOS15

3.120



CVE-2005-1057 7.5 HIGH router03 3.123

CVE-2005-1058 7.5 HIGH router03 3.124

CVE-2005-2105 7.5 HIGH router03 3.125

CVE-2005-2841 7.5 HIGH router03 3.126

CVE-2005-1020 7.1 HIGH router03 3.127

CVE-2005-1021 7.1 HIGH router03 3.128

CVE-2006-0340 7.1 HIGH router03 3.129

CVE-2007-0918 7.1 HIGH router03 3.130

CVE-2007-4291 7.1 HIGH router03 3.131

CVE-2007-4293 7.1 HIGH router03 3.132

CVE-2007-5651 7.1 HIGH router03 3.133

CVE-2008-1153 7.1 HIGH router03 3.134

CVE-2008-3800 7.1 HIGH router03 3.135

CVE-2008-3801 7.1 HIGH router03 3.136

CVE-2008-3802 7.1 HIGH router03 3.137

CVE-2008-3809 7.1 HIGH router03 3.138

CVE-2008-4609 7.1 HIGH router03 3.139

CVE-2009-0630 7.1 HIGH router03 3.140

CVE-2009-0633 7.1 HIGH router03 3.141

CVE-2009-0634 7.1 HIGH router03 3.142

CVE-2009-2863 7.1 HIGH router03 3.143

CVE-2009-2873 7.1 HIGH router03 3.144

CVE-2010-0577 7.1 HIGH router03 3.145


CiscoIOS15

3.146


CiscoIOS15

3.147

CVE-2012-0382 7.1 HIGH router03 3.148

CiscoIOS15


CiscoIOS15

3.149





CiscoIOS15

3.153




CiscoIOS15

3.156





CiscoIOS15

3.160


CiscoIOS15

3.161


CiscoIOS15

3.162

CVE-2007-4295 6.8 MEDIUM router03 3.163


CVE-2009-5040 6.8 MEDIUM router03

CiscoIOS15

3.165

CVE-2013-6686 6.8 MEDIUM CiscoIOS15 3.166










CiscoIOS15

3.175




CiscoIOS15

3.178















CiscoIOS15

3.192


CiscoIOS15

3.193



CiscoIOS15

3.195


CiscoIOS15

3.196



Table84:Vulnerabilityauditsummaryfindings


CiscoIOS15

3.199


CiscoIOS15

3.200


CiscoIOS15

3.201







CiscoIOS15

3.207



CVE-2005-3921 2.6 LOW router03 3.210

CVE-2005-2451 2.1 LOW router03 3.211

Thevulnerabilitydatabaseusedduringthisauditcontainsonlypublicallyknownvulnerabilitiesandnotundisclosedissuesknownonlytothemanufacturersandthirdparties.Furthermore,itiscommonforsoftwarevulnerabilitiestoadditionallyrequirespecificservices,protocols,configurationsetupordevicemodelsinorderforthemtobeexposed.


3.213Recommendations

NipperStudiostronglyrecommendsthatthelatestsoftwareupdatesshouldbeappliedtotheaffecteddevices.Whenapplyingthelatestsoftwareupdatesusuallyalltheknownvulnerabilitieswillberesolvedatonce.Sincesoftwareupdatestypicallyincludestability,performanceandfeatureimprovementsinadditiontosecurityfixesitisworthreviewinganddeployingthelatestupdatesonaregularbasisnotjustforsecurityreasons.Furthermore,sometimesmanufacturerswillresolvesoftwarevulnerabilitiesandrollthefixesintotheirlatestsoftwareupdateswithoutafulldisclosureoftheissuesbeingresolved.

WhendeployingasoftwareupdateNipperStudiorecommendsthat:

themanufacturerssoftwareupdatereleasenotesshouldbereviewedinordertofamiliaryourselfwithwhatisrequired,theprocedureandanyotherpertinentinformation;youshouldmakeabackupofyourexistingconfigurationpriortotheupdate;ifyouhaveaccesstoaduplicateorcontingencydevicethenitisworthtestingtheprocedureonthatdevicepriortodeployingtheupdatetothelivedevice.

Performingasoftwareupdatesonadeviceisnotalwaysstraightforwardandtypicallyrequiresarebootanddowntime.AlthoughNipperStudiorecommendsinstallingthelatestsoftwareupdatestoresolvesoftwarevulnerabilitiesanalternativemitigationmeasuremaybeavailable.Softwarevulnerabilitiesoftenrequirespecificconfigurationsetupsinordertobepresentandthedevicemanufacturermaypublishconfigurationchangesthatmakeitpossibletomitigatetheexposure.

Moreinformation,supportandsoftwareupdates:

forCiscoRouterdevicesvisithttp://support.cisco.com.


4CISBenchmark4.1CISCiscoIOS15Benchmark

Thisdocument,SecurityConfigurationBenchmarkforCiscoIOS,providesprescriptiveguidanceforestablishingasecureconfigurationpostureforCiscoRouterrunningCiscoIOSversion15.0M.ThisguidewastestedagainstCiscoIOSIPAdvancedIPServicesv15.0.1asinstalledbyc880data-universalk9-mz.150-1.M4.bin.Toobtainthelatestversionofthisguide,pleasevisithttp://benchmarks.cisecurity.org.Ifyouhavequestions,comments,orhaveidentifiedwaystoimprovethisguide,[email protected].

4.1.1ManagementPlane

Services,settingsanddatastreamsrelatedtosettingupandexaminingthestaticconfigurationofthefirewall,andtheauthenticationandauthorizationoffirewalladministrators.Examplesofmanagementplaneservicesinclude:administrativedeviceaccess(telnet,ssh,http,andhttps),SNMP,andsecurityprotocolslikeRADIUSandTACACS+.

4.1.1.1LocalAuthentication,AuthorizationandAccounting(AAA)Rules

RulesintheLocalauthentication,authorizationandaccounting(AAA)configurationclassenforcedeviceaccesscontrol,provideamechanismfortrackingconfigurationchanges,andenforcingsecuritypolicy.

4.1.1.1.1Enable'aaanew-model'

Device Result

router03IOS12.3 Fail

Table85:DeviceResults(1.1.1)

CiscoIOS15IOS15.0 Pass

Description

ThiscommandenablestheAAAaccesscontrolsystem.

Rationale

Authentication,authorizationandaccounting(AAA)servicesprovideanauthoritativesourceformanagingandmonitoringaccessfordevices.Centralizingcontrolimprovesconsistencyofaccesscontrol,theservicesthatmaybeaccessedonceauthenticatedandaccountabilitybytrackingservicesaccessed.Additionally,centralizingaccesscontrolsimplifiesandreducesadministrativecostsofaccountprovisioningandde-provisioning,especiallywhenmanagingalargenumberofdevices.

Remediation

Globallyenableauthentication,authorizationandaccounting(AAA)usingthenew-modelcommand.

hostname(config)#aaanew-model

Impact:

ImplementingCiscoAAAissignificantlydisruptiveasformeraccessmethodsareimmediatelydisabled.Therefore,beforeimplementingCiscoAAA,theorganizationshouldcarefullyreviewandplantheirauthenticationcriteria(logins&passwords,challenges&responses,andtokentechnologies),authorizationmethods,andaccountingrequirements.

4.1.1.1.2Enable'aaaauthenticationlogin'


Device Result



Description

Setsauthentication,authorizationandaccounting(AAA)authenticationatlogin.

Rationale

UsingAAAauthenticationforinteractivemanagementaccesstothedeviceprovidesconsistent,centralizedcontrolofyournetwork.ThedefaultunderAAA(localornetwork)istorequireuserstologinusingavalidusernameandpassword.ThisruleappliesforbothlocalandnetworkAAA.FallbackmodeshouldalsobeenabledtoallowemergencyaccesstotherouterorswitchintheeventthattheAAAserverwasunreachable,byutilizingtheLOCALkeywordaftertheAAAserver-tag.

Remediation

ConfigureAAAauthenticationmethod(s)forloginauthentication.

hostname(config)#aaaauthenticationlogin{default|aaa_list_name}[passwd-expiry]

method1[method2]

Impact:

ImplementingCiscoAAAissignificantlydisruptiveasformeraccessmethodsareimmediatelydisabled.Therefore,beforeimplementingCiscoAAA,theorganizationshouldcarefullyreviewandplantheirauthenticationmethodssuchasloginsandpasswords,challengesandresponses,andwhichtokentechnologieswillbeused.

4.1.1.1.3Enable'aaaauthenticationenabledefault'


Device Result



Description

AuthenticatesuserswhoaccessprivilegedEXECmodewhentheyusetheenablecommand.

Rationale

UsingAAAauthenticationforinteractivemanagementaccesstothedeviceprovidesconsistent,centralizedcontrolofyournetwork.ThedefaultunderAAA(localornetwork)istorequireuserstologinusingavalidusernameandpassword.ThisruleappliesforbothlocalandnetworkAAA.

Remediation

ConfigureAAAauthenticationmethod(s)forenableauthentication.

hostname(config)#aaaauthenticationenabledefault{method1}enable

Impact:

EnablingCiscoAAA'authenticationenable'modeissignificantlydisruptiveasformeraccessmethodsareimmediatelydisabled.Therefore,beforeenabling'aaaauthenticationenabledefault'mode,theorganizationshouldplanandimplementauthenticationloginsandpasswords,challengesandresponses,andtokentechnologies.

4.1.1.1.4Set'loginauthenticationfor'linecon0'


Device Result



Description

Authenticatesuserswhoaccesstherouterorswitchusingtheserialconsoleport.

Rationale


Remediation

ConfiguremanagementlinestorequireloginusingthedefaultoranamedAAAauthenticationlist.Thisconfigurationmustbesetindividuallyforalllinetypes.

hostname(config)#lineconsole0

hostname(config-line)#loginauthentication{default|aaa_list_name}

Impact:

EnablingCiscoAAA'linelogin'issignificantlydisruptiveasformeraccessmethodsareimmediatelydisabled.Therefore,beforeenablingCiscoAAA'linelogin',theorganizationshouldplanandimplementauthenticationloginsandpasswords,challengesandresponses,andtokentechnologies.

4.1.1.1.5Set'loginauthenticationfor'linetty'


Device Result



Description

AuthenticatesuserswhoaccesstherouterorswitchusingtheTTYport.

Rationale


Remediation


hostname(config)#linetty{line-number}[ending-line-number]


Impact:

EnablingCiscoAAA'loginauthenticationforlineTTY'issignificantlydisruptiveasformeraccessmethodsareimmediatelydisabled.Therefore,beforeenablingCiscoAAA'loginauthenticationforlineTTY',theorganizationshouldplanandimplementauthenticationloginsandpasswords,challengesandresponses,andtokentechnologies.

4.1.1.1.6Set'loginauthenticationfor'linevty'

Device Result




Description

AuthenticatesuserswhoaccesstherouterorswitchremotelythroughtheVTYport.

Rationale


Remediation


hostname(config)#linevty{line-number}[ending-line-number]


Impact:

EnablingCiscoAAA'loginauthenticationforlineVTY'issignificantlydisruptiveasformeraccessmethodsareimmediatelydisabled.Therefore,beforeenablingCiscoAAA'loginauthenticationforlineVTY',theorganizationshouldplanandimplementauthenticationloginsandpasswords,challengesandresponses,andtokentechnologies.

4.1.1.1.7Set'aaaaccounting'tologallprivilegedusecommandsusing'commands15'


Device Result



Description

Runsaccountingforallcommandsatthespecifiedprivilegelevel.

Rationale

Authentication,authorizationandaccounting(AAA)systemsprovideanauthoritativesourceformanagingandmonitoringaccessfordevices.Centralizingcontrolimprovesconsistencyofaccesscontrol,theservicesthatmaybeaccessedonceauthenticatedandaccountabilitybytrackingservicesaccessed.Additionally,centralizingaccesscontrolsimplifiesandreducesadministrativecostsofaccountprovisioningandde-provisioning,especiallywhenmanagingalargenumberofdevices.AAAAccountingprovidesamanagementandaudittrailforuserandadministrativesessionsthroughRADIUSorTACACS+.

Remediation

ConfigureAAAaccountingforcommands.

hostname(config)#aaaaccountingcommands15{default|list-name|guarantee-first}

{start-stop|stop-only|none}{radius|groupgroup-name}

Impact:

Enabling'aaaaccounting'forprivilegedcommandsrecordsandsendsactivitytotheaccountingserversandenablesorganizationstomonitorandanalyzeprivilegedactivity.

4.1.1.1.8Set'aaaaccountingconnection'


Device Result



Description

Providesinformationaboutalloutboundconnectionsmadefromthenetworkaccessserver.

Rationale

Authentication,authorizationandaccounting(AAA)systemsprovideanauthoritativesourceformanagingandmonitoringaccessfordevices.Centralizingcontrolimprovesconsistencyofaccesscontrol,theservicesthatmaybeaccessedonceauthenticatedandaccountabilitybytrackingservicesaccessed.Additionally,centralizingaccesscontrolsimplifiesandreducesadministrativecostsofaccountprovisioningandde-provisioning,especiallywhenmanagingalargenumberofdevices.AAAAccountingprovidesamanagementandaudittrailforuserandadministrativesessionsthroughRADIUSandTACACS+.

Remediation

ConfigureAAAaccountingforconnections.

hostname(config)#aaaaccountingconnection{default|list-name|guarantee-first}


Impact:

Implementingaaaaccountingconnectioncreatesaccountingrecordsaboutconnectionsfromthenetworkaccessserver.Organizationsshouldregularmonitortheseconnectionrecordsforexceptions,remediateissues,andreportfindingsregularly.

4.1.1.1.9Set'aaaaccountingexec'


Device Result



Description

RunsaccountingfortheEXECshellsession.

Rationale


Remediation

ConfigureAAAaccountingforEXECshellsession.

hostname(config)#aaaaccountingexec{default|list-name|guarantee-first}


Impact:

EnablingaaaaccountingexeccreatesaccountingrecordsfortheEXECterminalsessionsonthenetworkaccessserver.Theserecordsincludestartandstoptimes,usernames,anddateinformation.Organizationsshouldregularlymonitortheserecordsforexceptions,remediateissues,andreportfindings.

4.1.1.1.10Set'aaaaccountingnetwork'


Device Result



Description

Runsaccountingforallnetwork-relatedservicerequests.

Rationale


Remediation


hostname(config)#aaaaccountingnetwork{default|list-name|guarantee-first}


Impact:

ImplementingaaaaccountingnetworkcreatesaccountingrecordsforamethodlistincludingARA,PPP,SLIP,andNCPssessions.Organizationsshouldregularmonitortheserecordsforexceptions,remediateissues,andreportfindings.

4.1.1.1.11Set'aaaaccountingsystem'


Device Result



Description

Performsaccountingforallsystem-leveleventsnotassociatedwithusers,suchasreloads.

Rationale


Remediation

ConfigureAAAaccountingsystem.

hostname(config)#aaaaccountingsystem{default|list-name|guarantee-first}


Impact:

Enablingaaaaccountingsystemcreatesaccountingrecordsforallsystem-levelevents.Organizationsshouldregularmonitortheserecordsforexceptions,remediateissues,andreportfindingsregularly.

4.1.1.2AccessRules

Rulesintheaccessclassenforcecontrolsfordeviceadministrativeconnections.

4.1.1.2.1Set'privilege1'forlocalusers


Device Result



Description

Setstheprivilegelevelfortheuser.

Rationale

Defaultdeviceconfigurationdoesnotrequirestronguserauthenticationpotentiallyenablingunfetteredaccesstoanattackerthatisabletoreachthedevice.Creatingalocalaccountwithprivilegelevel1permissionsonlyallowsthelocalusertoaccessthedevicewithEXEC-levelpermissionsandwillbeunabletomodifythedevicewithoutusingtheenablepassword.Inaddition,requiretheuseofanencryptedpasswordaswell(seeSection1.1.4.4-RequireEncryptedUserPasswords).

Remediation

Setthelocalusertoprivilegelevel1.

hostname(config)#username<LOCAL_USERNAME>privilege1

Impact:

Organizationsshouldcreatepoliciesrequiringalllocalaccountswith'privilegelevel1'withencryptedpasswordstoreducetheriskofunauthorizedaccess.Defaultconfigurationsettingsdonotprovidestronguserauthenticationtothedevice.

4.1.1.2.2Set'transportinputssh'for'linevty'connections


Device Result

router03IOS12.3 Pass

CiscoIOS15IOS15.0 Fail

Description

SelectstheSecureShell(SSH)protocol.

Rationale

ConfiguringVTYaccesscontrolrestrictsremoteaccesstoonlythoseauthorizedtomanagethedeviceandpreventsunauthorizedusersfromaccessingthesystem.

Remediation

ApplySSHtotransportinputonallVTYmanagementlines

hostname(config)#linevty<line-number><ending-line-number>

hostname(config-line)#transportinputssh

Impact:

Toreduceriskofunauthorizedaccess,organizationsshouldrequireallVTYmanagementlineprotocolstobelimitedtossh.

4.1.1.2.3Set'noexec'for'lineaux0'


Device Result



Description

The'noexec'commandrestrictsalinetooutgoingconnectionsonly.

Rationale

Unusedportsshouldbedisabled,ifnotrequired,sincetheyprovideapotentialaccesspathforattackers.Somedevicesincludebothanauxiliaryandconsoleportthatcanbeusedtolocallyconnecttoandconfigurethedevice.Theconsoleportisnormallytheprimaryportusedtoconfigurethedevice;evenwhenremote,backupadministrationisrequiredviaconsoleserverorKeyboard,Video,Mouse(KVM)hardware.Theauxiliaryportisprimarilyusedfordial-upadministrationviaanexternalmodem;instead,useotheravailablemethods.

Remediation

DisabletheEXECprocessontheauxiliaryport.

hostname(config)#lineaux0

hostname(config-line)#noexec

Impact:

Organizationscanreducetheriskofunauthorizedaccessbydisablingthe'aux'portwiththe'noexec'command.Conversely,notrestrictingaccessthroughthe'aux'portincreasestheriskofremoteunauthorizedaccess.

4.1.1.2.4Create'access-list'forusewith'linevty'


Device Result



Description

Accesslistscontrolthetransmissionofpacketsonaninterface,controlVirtualTerminalLine(VTY)access,andrestrictthecontentsofroutingupdates.TheCiscoIOSsoftwarestopscheckingtheextendedaccesslistafteramatchoccurs.

Rationale

VTYACLscontrolwhataddressesmayattempttologintotherouter.ConfiguringVTYlinestouseanACL,restrictsthesourceswhereausercanmanagethedevice.Youshouldlimitthespecifichost(s)andornetwork(s)authorizedtoconnecttoandconfigurethedevice,viaanapprovedprotocol,tothoseindividualsorsystemsauthorizedtoadministerthedevice.Forexample,youcouldlimitaccesstospecifichosts,sothatonlynetworkmanagerscanconfigurethedevicesonlybyusingspecificnetworkmanagementworkstations.MakesureyouconfigureallVTYlinestousethesameACL.

Remediation

ConfiguretheVTYACLthatwillbeusedtorestrictmanagementaccesstothedevice.

hostname(config)#access-list<vty_acl_number>permittcp<vty_acl_block_with_mask>any

hostname(config)#access-list<vty_acl_number>permittcphost<vty_acl_host>any

hostname(config)#denyipanyanylog

Impact:

Organizationscanreducetheriskofunauthorizedaccessbyimplementingaccess-listsforallVTYlines.Conversely,usingVTYlineswithoutaccess-listsincreases

theriskofunauthorizedaccess.

4.1.1.2.5Set'access-class'for'linevty'


Device Result



Description

The'access-class'settingrestrictsincomingandoutgoingconnectionsbetweenaparticularvty(intoaCiscodevice)andthenetworkingdevicesassociatedwithaddressesinanaccesslist.

Rationale

Restrictingthetypeofnetworkdevices,associatedwiththeaddressesontheaccess-list,furtherrestrictsremoteaccesstothosedevicesauthorizedtomanagethedeviceandreducestheriskofunauthorizedaccess.

Remediation

ConfigureremotemanagementaccesscontrolrestrictionsforallVTYlines.


hostname(config-line)#access-class<vty_acl_number>in

Impact:

Applying'access'class'tolineVTYfurtherrestrictsremoteaccesstoonlythosedevicesauthorizedtomanagethedeviceandreducestheriskofunauthorizedaccess.Conversely,usingVTYlineswith'accessclass'restrictionsincreasestherisksofunauthorizedaccess.

4.1.1.2.6Set'exec-timeout'tolessthanorequalto10minutesfor'lineaux0'


Device Result



Description

Ifnoinputisdetectedduringtheinterval,theEXECfacilityresumesthecurrentconnection.Ifnoconnectionsexist,theEXECfacilityreturnstheterminaltotheidlestateanddisconnectstheincomingsession.

Rationale

Thispreventsunauthorizedusersfrommisusingabandonedsessions.Forexample,ifthenetworkadministratorleavesforthedayandleavesacomputeropenwithanenabledloginsessionaccessible.Thereisatrade-offherebetweensecurity(shortertimeouts)andusability(longertimeouts).Reviewyourlocalpoliciesandoperationalneedstodeterminethebesttimeoutvalue.Inmostcases,thisshouldbenomorethan10minutes.

Remediation

Configuredevicetimeout(10minutesorless)todisconnectsessionsafterafixedidletime.


hostname(config-line)#exec-timeout<timeout_in_minutes><timeout_in_seconds>

Impact:

Organizationsshouldpreventunauthorizeduseofunattendedorabandonedsessionsbyanautomatedcontrol.Enabling'exec-timeout'withanappropriatelengthofminutesorsecondspreventsunauthorizedaccessofabandonedsessions.

4.1.1.2.7Set'exec-timeout'tolessthanorequalto10minutes'lineconsole0'


Device Result



Description


Rationale


Remediation


hostname(config)#linecon0


Impact:

Organizationsshouldpreventunauthorizeduseofunattendedorabandonedsessionsbyanautomatedcontrol.Enabling'exec-timeout'withanappropriatelengthreducestheriskofunauthorizedaccessofabandonedsessions.

4.1.1.2.8Set'exec-timeout'lessthanorequalto10minutes'linetty'


Device Result



Description


Rationale


Remediation


hostname(config)#linetty{line_number}[ending_line_number]


Impact:

Organizationsshouldpreventunauthorizeduseofunattendedorabandonedsessionsbyanautomatedcontrol.Enabling'exec-timeout'withanappropriatelengthreducestherisksofunauthorizedaccessofabandonedsessions.

4.1.1.2.9Set'exec-timeout'tolessthanorequalto10minutes'linevty'


Device Result



Description


Rationale


Remediation


hostname(config)#linevty{line_number}[ending_line_number]


Impact:


4.1.1.2.10Set'transportinputnone'for'lineaux0'


Device Result



Description

Whenyouwanttoallowonlyanoutgoingconnectiononaline,usethenoexeccommand.

Rationale


Remediation

Disabletheinboundconnectionsontheauxiliaryport.


hostname(config-line)#transportinputnone

Impact:

Organizationsshouldpreventallunauthorizedaccessofauxiliaryportsbydisablingallprotocolsusingthe'transportinputnone'command.

4.1.1.3BannerRules

Rulesinthebannerclasscommunicatelegalrightstousers.

4.1.1.3.1Setthe'banner-text'for'bannerexec'


Device Result



Description

ThiscommandspecifiesamessagetobedisplayedwhenanEXECprocessiscreated(alineisactivated,oranincomingconnectionismadetoavty).Followthiscommandwithoneormoreblankspacesandadelimitingcharacterofyourchoice.Thenenteroneormorelinesoftext,terminatingthemessagewiththesecondoccurrenceofthedelimitingcharacter.

Whenauserconnectstoarouter,themessage-of-the-day(MOTD)bannerappearsfirst,followedbytheloginbannerandprompts.Aftertheuserlogsintotherouter,theEXECbannerorincomingbannerwillbedisplayed,dependingonthetypeofconnection.ForareverseTelnetlogin,theincomingbannerwillbedisplayed.Forallotherconnections,therouterwilldisplaytheEXECbanner.

Rationale

"Networkbannersareelectronicmessagesthatprovidenoticeoflegalrightstousersofcomputernetworks.Fromalegalstandpoint,bannershavefourprimaryfunctions.

First,bannersmaybeusedtogenerateconsenttoreal-timemonitoringunderTitleIII;Second,bannersmaybeusedtogenerateconsenttotheretrievalofstoredfilesandrecordspursuanttoECPA;Third,inthecaseofgovernmentnetworks,bannersmayeliminateanyFourthAmendment"reasonableexpectationofprivacy"thatgovernmentemployeesorotherusersmightotherwiseretainintheiruseofthegovernment'snetworkunderO'Connorv.Ortega,480U.S.709(1987);Fourth,inthecaseofanon-governmentnetwork,bannersmayestablishasystemadministrator's"commonauthority"toconsenttoalawenforcementsearchpursuanttoUnitedStatesv.Matlock,415U.S.164(1974)."(USDepartmentofJusticeAPPENDIXA:SampleNetworkBannerLanguage).

Remediation

ConfiguretheEXECbannerpresentedtoauserwhenaccessingthedevicesenableprompt.

hostname(config)#bannerexecc

EnterTEXTmessage.Endwiththecharacter'c'.

<banner-text>

c

Impact:

Organizationsprovideappropriatelegalnotice(s)andwarning(s)topersonsaccessingtheirnetworksbyusinga'banner-text'forthebannerexeccommand.

4.1.1.3.2Setthe'banner-text'for'bannerlogin'


Device Result



Description

Followthebannerlogincommandwithoneormoreblankspacesandadelimitingcharacterofyourchoice.Thenenteroneormorelinesoftext,terminatingthemessagewiththesecondoccurrenceofthedelimitingcharacter.

Whenauserconnectstotherouter,themessage-of-the-day(MOTD)banner(ifconfigured)appearsfirst,followedbytheloginbannerandprompts.Aftertheusersuccessfullylogsintotherouter,theEXECbannerorincomingbannerwillbedisplayed,dependingonthetypeofconnection.ForareverseTelnetlogin,theincomingbannerwillbedisplayed.Forallotherconnections,therouterwilldisplaytheEXECbanner.

Rationale



Remediation

Configurethedevicesoaloginbannerpresentedtoauserattemptingtoaccessthedevice.

hostname(config)#bannerloginc


<banner-text>

c

Impact:

Organizationsprovideappropriatelegalnotice(s)andwarning(s)topersonsaccessingtheirnetworksbyusinga'banner-text'forthebannerlogincommand.

4.1.1.3.3Setthe'banner-text'for'bannermotd'


Device Result



Description

ThisMOTDbannerisdisplayedtoallterminalsconnectedandisusefulforsendingmessagesthataffectallusers(suchasimpendingsystemshutdowns).Usethenoexec-bannerornomotd-bannercommandtodisabletheMOTDbanneronaline.Thenoexec-bannercommandalsodisablestheEXECbannerontheline.

Whenauserconnectstotherouter,theMOTDbannerappearsbeforetheloginprompt.Aftertheuserlogsintotherouter,theEXECbannerorincomingbannerwillbedisplayed,dependingonthetypeofconnection.ForareverseTelnetlogin,theincomingbannerwillbedisplayed.Forallotherconnections,therouterwilldisplaytheEXECbanner.

Rationale



Remediation

Configurethemessageoftheday(MOTD)bannerpresentedwhenauserfirstconnectstothedevice.

hostname(config)#bannermotdc


<banner-text>

c

Impact:

Organizationsprovideappropriatelegalnotice(s)andwarning(s)topersonsaccessingtheirnetworksbyusinga'banner-text'forthebannermotdcommand.

4.1.1.4PasswordRules

Rulesinthepasswordclassenforcesecure,localdeviceauthenticationcredentials.

4.1.1.4.1Set'password'for'enablesecret'


Device Result



Description

Usetheenablesecretcommandtoprovideanadditionallayerofsecurityovertheenablepassword.Theenablesecretcommandprovidesbettersecuritybystoringtheenablesecretpasswordusinganonreversiblecryptographicfunction.TheaddedlayerofsecurityencryptionprovidesisusefulinenvironmentswherethepasswordcrossesthenetworkorisstoredonaTFTPserver.

Rationale

RequiringtheenablesecretsettingprotectsprivilegedEXECmode.Bydefault,astrongpasswordisnotrequired,ausercanjustpresstheEnterkeyatthePasswordprompttostartprivilegedmode.Theenablepasswordcommandcausesthedevicetoenforceuseofapasswordtoaccessprivilegedmode.Enablesecretsuseaone-waycryptographichash(MD5).ThisispreferredtoLevel7enablepasswordsthatuseaweak,well-known,andeasilyreversibleencryptionalgorithm.

Remediation

Configureastrong,enablesecretpassword.

hostname(config)#enablesecret<ENABLE_SECRET_PASSWORD>

Impact:

OrganizationsshouldprotectprivilegedEXECmodethroughpoliciesrequiringthe'enablingsecret'setting,whichenforcesaone-waycryptographichash(MD5).

4.1.1.4.2Enable'servicepassword-encryption'


Device Result



Description

Whenpasswordencryptionisenabled,theencryptedformofthepasswordsisdisplayedwhenamoresystem:running-configcommandisentered.

Rationale

Thisrequirespasswordstobeencryptedintheconfigurationfiletopreventunauthorizedusersfromlearningthepasswordsjustbyreadingtheconfiguration.Whennotenabled,manyofthedevice'spasswordswillberenderedinplaintextintheconfigurationfile.Thisserviceensurespasswordsarerenderedasencryptedstringspreventinganattackerfromeasilydeterminingtheconfiguredvalue.

Remediation

Enablepasswordencryptionservicetoprotectsensitiveaccesspasswordsinthedeviceconfiguration.

hostname(config)#servicepassword-encryption

Impact:

Organizationsimplementing'servicepassword-encryption'reducetheriskofunauthorizeduserslearningcleartextpasswordstoCiscoIOSconfigurationfiles.However,thealgorithmusedisnotdesignedtowithstandseriousanalysisandshouldbetreatedlikeclear-text.

4.1.1.4.3Set'usernamesecret'foralllocalusers


Device Result



Description

UsetheusernamesecretcommandtoconfigureausernameandMD5-encrypteduserpassword.MD5encryptionisastrongencryptionmethodthatisnotretrievable;thus,youcannotuseMD5encryptionwithprotocolsthatrequireclear-textpasswords,suchasChallengeHandshakeAuthenticationProtocol(CHAP).

Theusernamesecretcommandprovidesanadditionallayerofsecurityovertheusernamepassword.ItalsoprovidesbettersecuritybyencryptingthepasswordusingnonreversibleMD5encryptionandstoringtheencryptedtext.TheaddedlayerofMD5encryptionisusefulinenvironmentsinwhichthepasswordcrossesthenetworkorisstoredonaTFTPserver.

Rationale

Defaultdeviceconfigurationdoesnotrequirestronguserauthenticationpotentiallyenablingunfetteredaccesstoanattackerthatisabletoreachthedevice.Creatingalocalaccountwithanencryptedpasswordenforcesloginauthenticationandprovidesafallbackauthenticationmechanismforconfigurationinanamedmethodlistinasituationwherecentralizedauthentication,authorization,andaccountingservicesareunavailable.

Remediation

Createalocaluserwithanencrypted,complex(noteasilyguessed)password.

hostname(config)#username<LOCAL_USERNAME>secret<LOCAL_PASSWORD>

Impact:

Organizationsimplementing'usernamesecret'acrosstheirenterprisereducetheriskofunauthorizedusersgainingaccesstoCiscoIOSdevicesbyapplyingaMD5hashandencryptinguserpasswords.

4.1.1.5SNMPRules

SimpleNetworkManagementProtocol(SNMP)providesastandards-basedinterfacetomanageandmonitornetworkdevices.ThissectionprovidesguidanceonthesecureconfigurationofSNMPparameters.

TherecommendationsinthisSectionapplytoOrganizationsusingSNMP.OrganizationsusingSNMPshouldreviewandimplementtherecommendationsinthissection.

4.1.1.5.1Set'nosnmp-server'todisableSNMPwhenunused


Device Result

router03IOS12.3 Manual

CiscoIOS15IOS15.0 Manual

Description

Ifnotinuse,disablesimplenetworkmanagementprotocol(SNMP),readandwriteaccess.

Rationale

SNMPreadaccessallowsremotemonitoringandmanagementofthedevice.

Remediation

DisableSNMPreadandwriteaccessifnotinusedtomonitorand/ormanagedevice.

hostname(config)#nosnmp-server

Impact:

OrganizationsnotusingSNMPshouldrequireallSNMPservicestobedisabledbyrunningthe'nosnmp-server'command.

4.1.1.5.2Unset'private'for'snmp-servercommunity'


Device Result



Description

AnSNMPcommunitystringpermitsread-onlyaccesstoallobjects.

Rationale

Thedefaultcommunitystring"private"iswellknown.Usingeasytoguess,wellknowncommunitystringposesathreatthatanattackercaneffortlesslygainunauthorizedaccesstothedevice.

Remediation

DisablethedefaultSNMPcommunitystring"private"

hostname(config)#nosnmp-servercommunity{private}

Impact:

Toreducetheriskofunauthorizedaccess,Organizationsshoulddisabledefault,easytoguess,settingssuchasthe'private'settingforsnmp-servercommunity.

4.1.1.5.3Unset'public'for'snmp-servercommunity'


Device Result



Description


Rationale

Thedefaultcommunitystring"public"iswellknown.Usingeasytoguess,wellknowncommunitystringposesathreatthatanattackercaneffortlesslygainunauthorizedaccesstothedevice.

Remediation

DisablethedefaultSNMPcommunitystring"public"

hostname(config)#nosnmp-servercommunity{public}

Impact:

Toreducetheriskofunauthorizedaccess,Organizationsshoulddisabledefault,easytoguess,settingssuchasthe'public'settingforsnmp-servercommunity.

4.1.1.5.4Donotset'RW'forany'snmp-servercommunity'


Device Result



Description

Specifiesread-writeaccess.AuthorizedmanagementstationscanbothretrieveandmodifyMIBobjects.

Rationale

EnablingSNMPread-writeenablesremotemanagementofthedevice.Unlessabsolutelynecessary,donotallowsimplenetworkmanagementprotocol(SNMP)writeaccess.

Remediation

DisableSNMPwriteaccess.

hostname(config)#nosnmp-servercommunity{write_community_string}

Impact:

Toreducetheriskofunauthorizedaccess,OrganizationsshoulddisabletheSNMP'write'accessforsnmp-servercommunity.

4.1.1.5.5SettheACLforeach'snmp-servercommunity'

Device Result




Description

ThisfeaturespecifiesalistofIPaddressesthatareallowedtousethecommunitystringtogainaccesstotheSNMPagent.

Rationale

IfACLsarenotapplied,thenanyonewithavalidSNMPcommunitystringcanpotentiallymonitorandmanagetherouter.AnACLshouldbedefinedandappliedforallSNMPaccesstolimitaccesstoasmallnumberofauthorizedmanagementstationssegmentedinatrustedmanagementzone.Ifpossible,useSNMPv3whichusesauthentication,authorization,anddataprivatization(encryption).

Remediation

ConfigureauthorizedSNMPcommunitystringandrestrictaccesstoauthorizedmanagementsystems.

hostname(config)#snmp-servercommunity<community_string>ro{snmp_access-list_number|

snmp_access-list_name}

Impact:

Toreducetheriskofunauthorizedaccess,Organizationsshouldenableaccesscontrollistsforallsnmp-servercommunitiesandrestricttheaccesstoappropriatetrustedmanagementzones.Ifpossible,implementSNMPv3toapplyauthentication,authorization,anddataprivatization(encryption)foradditionalbenefitstotheorganization.

4.1.1.5.6Createan'access-list'forusewithSNMP


Device Result



Description

Youcanuseaccessliststocontrolthetransmissionofpacketsonaninterface,controlSimpleNetworkManagementProtocol(SNMP)access,andrestrictthecontentsofroutingupdates.TheCiscoIOSsoftwarestopscheckingtheextendedaccesslistafteramatchoccurs.

Rationale

SNMPACLscontrolwhataddressesareauthorizedtomanageandmonitorthedeviceviaSNMP.IfACLsarenotapplied,thenanyonewithavalidSNMPcommunitystringmaymonitorandmanagetherouter.AnACLshouldbedefinedandappliedforallSNMPcommunitystringstolimitaccesstoasmallnumberofauthorizedmanagementstationssegmentedinatrustedmanagementzone.

Remediation

ConfigureSNMPACLforrestrictingaccesstothedevicefromauthorizedmanagementstationssegmentedinatrustedmanagementzone.

hostname(config)#access-list<snmp_acl_number>permit<snmp_access-list>

hostname(config)#access-listdenyanylog

4.1.1.5.7Set'snmp-serverhost'whenusingSNMP


Device Result



Description

SNMPnotificationscanbesentastrapstoauthorizedmanagementsystems.

Rationale

IfSNMPisenabledfordevicemanagementanddevicealertsarerequired,thenensurethedeviceisconfiguredtosubmittrapsonlytoauthorizemanagementsystems.

Remediation

ConfigureauthorizedSNMPtrapcommunitystringandrestrictsendingmessagestoauthorizedmanagementsystems.

hostname(config)#snmp-serverhost{ip_address}{trap_community_string}snmp

Impact:

OrganizationsusingSNMPshouldrestrictsendingSNMPmessagesonlytoexplicitlynamedsystemstoreduceunauthorizedaccess.

4.1.1.5.8Set'snmp-serverenabletrapssnmp'


Device Result



Description


Rationale

SNMPhastheabilitytosubmittraps.

Remediation

EnableSNMPtraps.

hostname(config)#snmp-serverenabletrapssnmpauthenticationlinkuplinkdowncoldstart

Impact:

OrganizationsusingSNMPshouldrestricttraptypesonlytoexplicitlynamedtrapstoreduceunintendedtraffic.EnablingSNMPtrapswithoutspecifyingtraptypewillenableallSNMPtraptypes.

4.1.1.5.9Set'priv'foreach'snmp-servergroup'usingSNMPv3


Device Result



Description

SpecifiesauthenticationofapacketwithencryptionwhenusingSNMPv3

Rationale

SNMPv3providesmuchimprovedsecurityoverpreviousversionsbyofferingoptionsforAuthenticationandEncryptionofmessages.WhenconfiguringauserforSNMPv3youhavetheoptionofusingarangeofencryptionschemes,ornoencryptionatall,toprotectmessagesintransit.AES128istheminimumstrengthencryptionmethodthatshouldbedeployed.

Remediation

ForeachSNMPv3groupcreatedonyourrouteraddprivacyoptionsbyissuingthefollowingcommand...

hostname(config)#snmp-servergroup{group_name}v3priv

Impact:

OrganizationsusingSNMPcansignificantlyreducetherisksofunauthorizedaccessbyusingthe'snmp-servergroupv3priv'settingtoencryptmessagesintransit.

4.1.1.5.10Require'aes128'asminimumfor'snmp-serveruser'whenusingSNMPv3


Device Result



Description

Specifytheuseofaminimumof128-bitAESalgorithmforencryptionwhenusingSNMPv3.

Rationale

SNMPv3providesmuchimprovedsecurityoverpreviousversionsbyofferingoptionsforAuthenticationandEncryptionofmessages.Whenconfiguringauser

forSNMPv3youhavetheoptionofusingarangeofencryptionschemes,ornoencryptionatall,toprotectmessagesintransit.AES128istheminimumstrengthencryptionmethodthatshouldbedeployed.

Remediation

ForeachSNMPv3usercreatedonyourrouteraddprivacyoptionsbyissuingthefollowingcommand.

hostname(config)#snmp-serveruser{user_name}{group_name}v3encryptedauthsha

{auth_password}privaes128{priv_password}{acl_name_or_number}

Impact:

OrganizationsusingSNMPcansignificantlyreducetherisksofunauthorizedaccessbyusingthe'snmp-serveruser'settingwithappropriateauthenticationandprivacyprotocolstoencryptmessagesintransit.

4.1.2ControlPlane

Thecontrolplanecoversmonitoring,routetableupdates,andgenerallythedynamicoperationoftherouter.Services,settings,anddatastreamsthatsupportanddocumenttheoperation,traffichandling,anddynamicstatusoftherouter.Examplesofcontrolplaneservicesinclude:logging(e.g.Syslog),routingprotocols,statusprotocolslikeCDPandHSRP,networktopologyprotocolslikeSTP,andtrafficsecuritycontrolprotocolslikeIKE.NetworkcontrolprotocolslikeICMP,NTP,ARP,andIGMPdirectedtoorsentbytherouteritselfalsofallintothisarea.

4.1.2.1GlobalServiceRules

Rulesintheglobalserviceclassenforceserverandservicecontrolsthatprotectagainstattacksorexposethedevicetoexploitation.

4.1.2.1.1SetupSSH

EnsureuseofSSHremoteconsolesessionstoCiscorouters.

4.1.2.1.1.1ConfigurePrerequisitesfortheSSHService

4.1.2.1.1.1.1Setthe'hostname'

Table122:DeviceResults(2.1.1.1.1)

Device Result



Description

Thehostnameisusedinpromptsanddefaultconfigurationfilenames.

Rationale

ThedomainnameisprerequisiteforsettingupSSH.

Remediation

Configureanappropriatehostnamefortherouter.

hostname(config)#hostname{router_name}

Impact:

Organizationsshouldplantheenterprisenetworkandidentifyanappropriatehostnameforeachrouter.

4.1.2.1.1.1.2Setthe'ipdomainname'


Device Result



Description

DefineadefaultdomainnamethattheCiscoIOSsoftwareusestocompleteunqualifiedhostnames

Rationale

ThedomainnameisaprerequisiteforsettingupSSH.

Remediation

Configureanappropriatedomainnamefortherouter.

hostname(config)#ipdomainname{domain-name}

Impact:

Organizationsshouldplantheenterprisenetworkandidentifyanappropriatedomainnamefortherouter.

4.1.2.1.1.1.3Set'modulus'togreaterthanorequalto2048for'cryptokeygeneratersa'


Device Result



Description

UsethiscommandtogenerateRSAkeypairsforyourCiscodevice.

RSAkeysaregeneratedinpairs--onepublicRSAkeyandoneprivateRSAkey.

Rationale

AnRSAkeypairisaprerequisiteforsettingupSSHandshouldbeatleast2048bits.

NOTE:IOSdoesNOTdisplaythemodulusbitvalueintheAuditProcedure.

Remediation

GenerateanRSAkeypairfortherouter.

hostname(config)#cryptokeygeneratersageneral-keysmodulus2048

Impact:

OrganizationsshouldplanandimplemententerprisenetworkcryptographyandgenerateanappropriateRSAkeypairs,suchas'modulus',greaterthanorequalto2048.

4.1.2.1.1.1.4Set'seconds'for'ipsshtimeout'


Device Result



Description

ThetimeintervalthattherouterwaitsfortheSSHclienttorespondbeforedisconnectinganuncompletedloginattempt.

Rationale

Thisreducestheriskofanadministratorleavinganauthenticatedsessionloggedinforanextendedperiodoftime.

Remediation

ConfiguretheSSHtimeout

hostname(config)#ipsshtime-out[60]

Impact:

Organizationsshouldimplementasecuritypolicyrequiringminimumtimeoutsettingsforallnetworkadministratorsandenforcethepolicythroughthe'ipsshtimeout'command.

4.1.2.1.1.1.5Setmaximimumvaluefor'ipsshauthentication-retries'


Device Result



Description

ThenumberofretriesbeforetheSSHloginsessiondisconnects.

Rationale

ThislimitsthenumberoftimesanunauthorizedusercanattemptapasswordwithouthavingtoestablishanewSSHloginattempt.ThisreducesthepotentialforsuccessduringonlinebruteforceattacksbylimitingthenumberofloginattemptsperSSHconnection.

Remediation

ConfiguretheSSHtimeout:

hostname(config)#ipsshauthentication-retries[3]

Impact:

Organizationsshouldimplementasecuritypolicylimitingthenumberofauthenticationattemptsfornetworkadministratorsandenforcethepolicythroughthe'ipsshauthentication-retries'command.

4.1.2.1.1.2Setversion2for'ipsshversion'

Table127:DeviceResults(2.1.1.2)

Device Result



Description

SpecifytheversionofSecureShell(SSH)toberunonarouter

Rationale

SSHVersion1hasbeensubjecttoanumberofseriousvulnerabilitiesandisnolongerconsideredtobeasecureprotocol,resultingintheadoptionofSSHVersion2asanInternetStandardin2006.

Ciscorouterssupportbothversions,butduetotheweaknessofSSHVersion1onlythelaterstandardshouldbeused.

Remediation

ConfiguretheroutertouseSSHversion2

hostname(config)#ipsshversion2

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicytoreviewtheircurrentprotocolstoensurethemostsecureprotocolversionsareinuse.

4.1.2.1.2Set'nocdprun'


Device Result



Description

DisableCiscoDiscoveryProtocol(CDP)serviceatdevicelevel.

Rationale

TheCiscoDiscoveryProtocolisaproprietaryprotocolthatCiscodevicesusetoidentifyeachotheronaLANsegment.Itisusefulonlyinnetworkmonitoringandtroubleshootingsituationsbutisconsideredasecurityriskbecauseoftheamountofinformationprovidedfromqueries.Inaddition,therehavebeenpublisheddenial-of-service(DoS)attacksthatuseCDP.CDPshouldbecompletelydisabledunlessnecessary.

Remediation

DisableCiscoDiscoveryProtocol(CDP)serviceglobally.

hostname(config)#nocdprun

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictingnetworkprotocolsandexplicitlyrequiredisablingallinsecureorunnecessaryprotocols.

4.1.2.1.3Set'noipbootpserver'


Device Result



Description

DisabletheBootstrapProtocol(BOOTP)serviceonyourroutingdevice.

Rationale

BootPallowsaroutertoissueIPaddresses.Thisshouldbedisabledunlessthereisaspecificrequirement.

Remediation

Disablethebootpserver.

hostname(config)#noipbootpserver

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictingnetworkprotocolsandexplicitlyrequiredisablingallinsecureorunnecessaryprotocolssuchas'ipbootpserver'.

4.1.2.1.4Set'noservicedhcp'


Device Result



Description

DisabletheDynamicHostConfigurationProtocol(DHCP)serverandrelayagentfeaturesonyourrouter.

Rationale

TheDHCPserversuppliesautomaticconfigurationparameters,suchasdynamicIPaddress,torequestingsystems.AdedicatedserverlocatedinasecuredmanagementzoneshouldbeusedtoprovideDHCPservicesinstead.Attackerscanpotentiallybeusedfordenial-of-service(DoS)attacks.

Remediation

DisabletheDHCPserver.

hostname(config)#noservicedhcp

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictingnetworkprotocolsandexplicitlyrequiredisablingallinsecureorunnecessaryprotocolssuchastheDynamicHostConfigurationProtocol(DHCP).

4.1.2.1.5Set'noipidentd'


Device Result



Description

Disabletheidentification(identd)server.

Rationale

Identificationprotocolenablesidentifyingauser'stransmissioncontrolprotocol(TCP)session.Thisinformationdisclosurecouldpotentiallyprovideanattackerwithinformationaboutusers.

Remediation

Disabletheidentserver.

hostname(config)#noipidentd

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictingnetworkprotocolsandexplicitlyrequiredisablingallinsecureorunnecessaryprotocolssuchastheidentificationprotocol(identd).

4.1.2.1.6Set'servicetcp-keepalives-in'


Device Result



Description

Generatekeepalivepacketsonidleincomingnetworkconnections.

Rationale

Staleconnectionsuseresourcesandcouldpotentiallybehijackedtogainillegitimateaccess.TheTCPkeepalives-inservicegenerateskeepalivepacketsonidleincomingnetworkconnections(initiatedbyremotehost).Thisserviceallowsthedevicetodetectwhentheremotehostfailsanddropthesession.Ifenabled,keepalivesaresentonceperminuteonidleconnections.Theconnectionisclosedwithinfiveminutesifnokeepalivesarereceivedorimmediatelyifthehostreplieswitharesetpacket.

Remediation

EnableTCPkeepalives-inservice:

hostname(config)#servicetcp-keepalives-in

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictinghowlongtoallowterminatedsessionsandenforcethispolicythroughtheuseof'tcp-keepalives-in'command.

4.1.2.1.7Set'servicetcp-keepalives-out'


Device Result



Description

Generatekeepalivepacketsonidleoutgoingnetworkconnections.

Rationale

Staleconnectionsuseresourcesandcouldpotentiallybehijackedtogainillegitimateaccess.TheTCPkeepalives-inservicegenerateskeepalivepacketsonidleincomingnetworkconnections(initiatedbyremotehost).Thisserviceallowsthedevicetodetectwhentheremotehostfailsanddropthesession.Ifenabled,keepalivesaresentonceperminuteonidleconnections.Theclosesconnectionisclosedwithinfiveminutesifnokeepalivesarereceivedorimmediatelyifthehostreplieswitharesetpacket.

Remediation

EnableTCPkeepalives-outservice:

hostname(config)#servicetcp-keepalives-out

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictinghowlongtoallowterminatedsessionsandenforcethispolicythroughtheuseof'tcp-keepalives-out'command.

4.1.2.1.8Set'noservicepad'


Device Result



Description

DisableX.25PacketAssembler/Disassembler(PAD)service.

Rationale

IfthePADserviceisnotnecessary,disabletheservicetopreventintrudersfromaccessingtheX.25PADcommandsetontherouter.

Remediation

DisablethePADservice.

hostname(config)#noservicepad

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictingunnecessaryservicessuchasthe'PAD'service.

4.1.2.2LoggingRules

Rulesintheloggingclassenforcecontrolsthatprovidearecordofsystemactivityandevents.

4.1.2.2.1Set'loggingon'


Device Result



Description

Enableloggingofsystemmessages.

Rationale

LoggingprovidesachronologicalrecordofactivitiesontheCiscodeviceandallowsmonitoringofbothoperationalandsecurityrelatedevents.

Remediation

Enablesystemlogging.

hostname(config)#loggingon

Impact:

EnablingtheCiscoIOS'loggingon'commandenforcesthemonitoringoftechnologyrisksfortheorganizations'networkdevices.

4.1.2.2.2Set'buffersize'for'loggingbuffered'


Device Result



Description

Enablesystemmessageloggingtoalocalbuffer.

Rationale

Thedevicecancopyandstorelogmessagestoaninternalmemorybuffer.Thebuffereddataisavailableonlyfromarouterexecorenabledexecsession.Thisformofloggingisusefulfordebuggingandmonitoringwhenloggedintoarouter.

Remediation

Configurebufferedlogging(withminimumsize).Recommendedsizeis64000.

hostname(config)#loggingbuffered[log_buffer_size]

Impact:

Dataforensicsiseffectivemanagingtechnologyrisksandanorganizationcanenforcesuchpoliciesbyenablingthe'loggingbuffered'command.

4.1.2.2.3Set'loggingconsolecritical'

Device Result




Description

Verifyloggingtodeviceconsoleisenabledandlimitedtoarationalseverityleveltoavoidimpactingsystemperformanceandmanagement.

Rationale

Thisconfigurationdeterminestheseverityofmessagesthatwillgenerateconsolemessages.Loggingtoconsoleshouldbelimitedonlytothosemessagesrequiredforimmediatetroubleshootingwhileloggedintothedevice.Thisformofloggingisnotpersistent;messagesprintedtotheconsolearenotstoredbytherouter.Consoleloggingishandyforoperatorswhentheyusetheconsole.

Remediation

Configureconsolelogginglevel.

hostname(config)#loggingconsolecritical

Impact:

Loggingcriticalmessagesattheconsoleisimportantforanorganizationmanagingtechnologyrisk.The'loggingconsole'commandshouldcaptureappropriateseveritymessagestobeeffective.

4.1.2.2.4SetIPaddressfor'logginghost'


Device Result



Description

Logsystemmessagesanddebugoutputtoaremotehost.

Rationale

CiscorouterscansendtheirlogmessagestoaUnix-styleSyslogservice.Asyslogservicesimplyacceptsmessagesandstorestheminfilesorprintsthemaccordingtoasimpleconfigurationfile.Thisformofloggingisbestbecauseitcanprovideprotectedlong-termstorageforlogs(thedevicesinternalloggingbufferhaslimitedcapacitytostoreevents.)Inaddition,loggingtoanexternalsystemishighlyrecommendedorrequiredbymostsecuritystandards.Ifdesiredorrequiredbypolicy,lawand/orregulation,enableasecondsyslogserverforredundancy.

Remediation

DesignateoneormoresyslogserversbyIPaddress.

hostname(config)#logginghostsyslog_server

Impact:

Loggingisanimportantprocessforanorganizationmanagingtechnologyrisk.The'logginghost'commandsetstheIPaddressofthelogginghostandenforcestheloggingprocess.

4.1.2.2.5Set'loggingtrapinformational'


Device Result



Description

Limitmessagesloggedtothesyslogserversbasedonseveritylevelinformational.

Rationale

Thisdeterminestheseverityofmessagesthatwillgeneratesimplenetworkmanagementprotocol(SNMP)trapandorsyslogmessages.Thissettingshouldbesettoeither"debugging"(7)or"informational"(6),butnolower.

Remediation

ConfigureSNMPtrapandsysloglogginglevel.

hostname(config)#loggingtrapinformational

Impact:

Loggingisanimportantprocessforanorganizationmanagingtechnologyrisk.The'loggingtrap'commandsetstheseverityofmessagesandenforcestheloggingprocess.

4.1.2.2.6Set'servicetimestampsdebugdatetime'


Device Result



Description

Configurethesystemtoapplyatimestamptodebuggingmessagesorsystemloggingmessages

Rationale

Includingtimestampsinlogmessagesallowscorrelatingeventsandtracingnetworkattacksacrossmultipledevices.Enablingservicetimestamptomarkthetimelogmessagesweregeneratedsimplifiesobtainingaholisticviewofeventsenablingfastertroubleshootingofissuesorattacks.

Remediation

Configuredebugmessagestoincludetimestamps.

hostname(config)#servicetimestampsdebugdatetime{msec}show-timezone

Impact:

Loggingisanimportantprocessforanorganizationmanagingtechnologyriskandestablishingatimelineofeventsiscritical.The'servicetimestamps'commandsetsthedateandtimeonentriessenttothelogginghostandenforcestheloggingprocess.

4.1.2.2.7Set'loggingsourceinterface'


Device Result



Description

SpecifythesourceIPv4orIPv6addressofsystemloggingpackets

Rationale

ThisisrequiredsothattheroutersendslogmessagestotheloggingserverfromaconsistentIPaddress.

Remediation

Bindloggingtotheloopbackinterface.

hostname(config)#loggingsource-interfaceloopback{loopback_interface_number}

Impact:

Loggingisanimportantprocessforanorganizationmanagingtechnologyriskandestablishingaconsistentsourceofmessagesforthelogginghostiscritical.The'loggingsourceinterfaceloopback'commandsetsaconsistentIPaddresstosendmessagestothelogginghostandenforcestheloggingprocess.

4.1.2.3NTPRules

NetworkTimeProtocolallowsadministratorstosetthesystemtimeonalloftheircompatiblesystemsfromasinglesource,ensuringaconsistenttimestampforloggingandauthenticationprotocols.NTPisaninternetstandard,definedinRFC1305.

4.1.2.3.1RequireEncryptionKeysforNTP

EncryptionkeysshouldbesetforNTPServers.

4.1.2.3.1.1Set'ntpauthenticate'

Device Result




Description

EnableNTPauthentication.

Rationale

UsingauthenticatedNTPensurestheCiscodeviceonlypermitstimeupdatesfromauthorizedNTPservers.

Remediation

ConfigureNTPauthentication:

hostname(config)#ntpauthenticate

Impact:

OrganizationsshouldestablishthreeNetworkTimeProtocol(NTP)hoststosetconsistenttimeacrosstheenterprise.Enablingthe'ntpauthenticate'commandenforcesauthenticationbetweenNTPhosts.

4.1.2.3.1.2Set'ntpauthentication-key'


Device Result



Description

DefineanauthenticationkeyforNetworkTimeProtocol(NTP).

Rationale

UsinganauthenticationkeyprovidesahigherdegreeofsecurityasonlyauthenticatedNTPserverswillbeabletoupdatetimefortheCiscodevice.

Remediation

ConfigureattheNTPkeyringandencryptionkeyusingthefollowingcommand

hostname(config)#ntpauthentication-key{ntp_key_id}md5{ntp_key}

Impact:

OrganizationsshouldestablishthreeNetworkTimeProtocol(NTP)hoststosetconsistenttimeacrosstheenterprise.Enablingthe'ntpauthentication-key'commandenforcesencryptedauthenticationbetweenNTPhosts.

4.1.2.3.1.3Setthe'ntptrusted-key'


Device Result



Description

EnsureyouauthenticatetheidentityofasystemtowhichNetworkTimeProtocol(NTP)willsynchronize

Rationale

Thisauthenticationfunctionprovidesprotectionagainstaccidentallysynchronizingthesystemtoanothersystemthatisnottrusted,becausetheothersystemmustknowthecorrectauthenticationkey.

Remediation

ConfiguretheNTPtrustedkeyusingthefollowingcommand

hostname(config)#ntptrusted-key{ntp_key_id}

Impact:

OrganizationsshouldestablishthreeNetworkTimeProtocol(NTP)hoststosetconsistenttimeacrosstheenterprise.Enablingthe'ntptrusted-key'commandenforcesencryptedauthenticationbetweenNTPhosts.

4.1.2.3.1.4Set'key'foreach'ntpserver'


Device Result



Description

SpecifiestheauthenticationkeyforNTP.

Rationale

Thisauthenticationfeatureprovidesprotectionagainstaccidentallysynchronizingthentpsystemtoanothersystemthatisnottrusted,becausetheothersystemmustknowthecorrectauthenticationkey.

Remediation

ConfigureeachNTPServertouseakeyringusingthefollowingcommand.

hostname(config)#ntpserver{ntp-server_ip_address}{keyntp_key_id}

Impact:

OrganizationsshouldestablishthreeNetworkTimeProtocol(NTP)hoststosetconsistenttimeacrosstheenterprise.Enablingthe'ntpserverkey'commandenforcesencryptedauthenticationbetweenNTPhosts.

4.1.2.3.2Set'ipaddress'for'ntpserver'


Device Result



Description

UsethiscommandifyouwanttoallowthesystemtosynchronizethesystemsoftwareclockwiththespecifiedNTPserver.

Rationale

ToensurethatthetimeonyourCiscorouterisconsistentwithotherdevicesinyournetwork,atleasttwo(andpreferablyatleastthree)NTPServer/sexternaltotheroutershouldbeconfigured.

Ensureyoualsoconfigureconsistenttimezoneanddaylightsavingstimesettingforalldevices.Forsimplicity,thedefaultofCoordinatedUniversalTime(UTC).

Remediation

ConfigureatleastoneexternalNTPServerusingthefollowingcommands

hostname(config)#ntpserver{ipaddress}

Impact:

OrganizationsshouldestablishthreeNetworkTimeProtocol(NTP)hoststosetconsistenttimeacrosstheenterprise.Enablingthe'ntpserveripaddress'enforcesencryptedauthenticationbetweenNTPhosts.

4.1.2.4LoopbackRules

Whenarouterneedstoinitiateconnectionstoremotehosts,forexampleforSYSLOGorNTP,itwillusethenearestinterfaceforthepacketssourceaddress.Thiscancauseissuesduetothepossiblevariationinsource,potentiallycausingpacketstobedeniedbyinterveningfirewallsorhandledincorrectlybythereceivinghost.TopreventtheseproblemstheroutershouldbeconfiguredwithaLoopbackinterfaceandanyservicesshouldbeboundtothisaddress.

4.1.2.4.1Createasingle'interfaceloopback'


Device Result



Description

Configureasingleloopbackinterface.

Rationale

Software-onlyloopbackinterfacethatemulatesaninterfacethatisalwaysup.Itisavirtualinterfacesupportedonallplatforms.

Alternateloopbackaddressescreateapotentialforabuse,mis-configuration,andinconsistencies.Additionalloopbackinterfacesmustbedocumentedandapprovedpriortousebylocalsecuritypersonnel.

Remediation

Defineandconfigureoneloopbackinterface.

hostname(config)#interfaceloopback<number>

hostname(config-if)#ipaddress<loopback_ip_address><loopback_subnet_mask>

Impact:

Organizationsshouldplanandestablish'loopbackinterfaces'fortheenterprisenetwork.LoopbackinterfacesenablecriticalnetworkinformationsuchasOSPFRouterIDsandprovideterminationpointsforroutingprotocolsessions.

4.1.2.4.2SetAAA'source-interface'


Device Result



Description

ForceAAAtousetheIPaddressofaspecifiedinterfaceforalloutgoingAAApackets

Rationale

ThisisrequiredsothattheAAAserver(RADIUSorTACACS+)caneasilyidentifyroutersandauthenticaterequestsbytheirIPaddress.

Remediation

BindAAAservicestotheloopbackinterface.

Hostname(config)#ip{tacacs|radius}source-interfaceloopback{loopback_interface_number)

Impact:

Organizationsshoulddesignandimplementauthentication,authorization,andaccounting(AAA)servicesforeffectivemonitoringofenterprisenetworkdevices.BindingAAAservicestothesource-interfaceloopbackenablestheseservices.

4.1.2.4.3Set'ntpsource'toLoopbackInterface


Device Result



Description

UseaparticularsourceaddressinNetworkTimeProtocol(NTP)packets.

Rationale

SetthesourceaddresstobeusedwhensendingNTPtraffic.ThismayberequirediftheNTPserversyoupeerwithfilterbasedonIPaddress.

Remediation

BindtheNTPservicetotheloopbackinterface.

hostname(config)#ntpsourceloopback{loopback_interface_number}

Impact:

Organizationsshouldplanandimplementnetworktimeprotocol(NTP)servicestoestablishofficialtimeforallenterprisenetworkdevices.Setting'ntpsourceloopback'enforcestheproperIPaddressforNTPservices.

4.1.2.4.4Set'iptftpsource-interface'totheLoopbackInterface

Device Result




Description

SpecifytheIPaddressofaninterfaceasthesourceaddressforTFTPconnections.

Rationale

ThisisrequiredsothattheTFTPserverscaneasilyidentifyroutersandauthenticaterequestsbytheirIPaddress.

Remediation

BindtheTFTPclienttotheloopbackinterface.

hostname(config)#iptftpsource-interfaceloopback{loobpback_interface_number}

Impact:

Organizationsshouldplanandimplementtrivialfiletransferprotocol(TFTP)servicesintheenterprisebysetting'tftpsource-interfaceloopback',whichenablestheTFTPserverstoidentifyroutersandauthenticaterequestsbyIPaddress.

4.1.3DataPlane

Servicesandsettingsrelatedtothedatapassingthroughtherouter(asopposedtodirecttoit).Thedataplaneisforeverythingnotincontrolormanagementplanes.Settingsonarouterconcernedwiththedataplaneincludeinterfaceaccesslists,firewallfunctionality(e.g.CBAC),NAT,andIPSec.Settingsfortraffic-affectingserviceslikeunicastRPFverificationandCAR/QoSalsofallintothisarea.

4.1.3.1RoutingRules

Unneededservicesshouldbedisabled.

4.1.3.1.1Set'noipsource-route'


Device Result



Description

DisablethehandlingofIPdatagramswithsourceroutingheaderoptions.

Rationale

SourceroutingisafeatureofIPwherebyindividualpacketscanspecifyroutes.Thisfeatureisusedinseveralkindsofattacks.Ciscoroutersnormallyacceptandprocesssourceroutes.Unlessanetworkdependsonsourcerouting,itshouldbedisabled.

Remediation

Disablesourcerouting.

hostname(config)#noipsource-route

Impact:

Organizationsshouldplanandimplementnetworkpoliciestoensureunnecessaryservicesareexplicitlydisabled.The'ipsource-route'featurehasbeenusedinseveralattacksandshouldbedisabled.

4.1.3.1.2Set'noipproxy-arp'


Device Result



Description

DisableproxyARPonallinterfaces.

Rationale

AddressResolutionProtocol(ARP)providesresolutionbetweenIPandMACAddresses(orotherNetworkandLinkLayeraddressesonnoneIPnetworks)withina

Layer2network.

ProxyARPisaservicewhereadeviceconnectedtoonenetwork(inthiscasetheCiscorouter)answersARPRequestswhichareaddressedtoahostonanothernetwork,replyingwithitsownMACAddressandforwardingthetrafficontotheintendedhost.

SometimesusedforextendingbroadcastdomainsacrossWANlinks,inmostcasesProxyARPonenterprisenetworksisusedtoenablecommunicationforhostswithmis-configuredsubnetmasks,asituationwhichshouldnolongerbeacommonproblem.ProxyARPeffectivelybreakstheLANSecurityPerimeter,extendinganetworkacrossmultipleLayer2segments.UsingProxyARPcanalsoallowothersecuritycontrolssuchasPVLANtobebypassed.

Remediation


hostname(config)#interface{interface}

hostname(config-if)#noipproxy-arp

Impact:

Organizationsshouldplanandimplementnetworkpoliciestoensureunnecessaryservicesareexplicitlydisabled.The'ipproxy-arp'featureeffectivelybreakstheLANsecurityperimeterandshouldbedisabled.

4.1.3.1.3Set'nointerfacetunnel'


Device Result



Description

Verifynotunnelinterfacesaredefined.

Rationale

Tunnelinterfacesshouldnotexistingeneral.Theycanbeusedformaliciouspurposes.Iftheyarenecessary,thenetworkadmin'sshouldbewellawareofthemandtheirpurpose.

Remediation

Removeanytunnelinterfaces.

hostname(config)#nointerfacetunnel{instance}

Impact:

Organizationsshouldplanandimplemententerprisenetworksecuritypoliciesthatdisableinsecureandunnecessaryfeaturesthatincreaseattacksurfacessuchas'tunnelinterfaces'.

4.1.3.1.4Set'ipverifyunicastsourcereachable-via'


Device Result



Description

ExaminesincomingpacketstodeterminewhetherthesourceaddressisintheForwardingInformationBase(FIB)andpermitsthepacketonlyifthesourceisreachablethroughtheinterfaceonwhichthepacketwasreceived(sometimesreferredtoasstrictmode).

Rationale

EnableduRPFhelpsmitigateIPspoofingbyensuringonlypacketsourceIPaddressesonlyoriginatefromexpectedinterfaces.Configureunicastreverse-pathforwarding(uRPF)onallexternalorhighriskinterfaces.

Remediation

ConfigureuRPF.

hostname(config)#interface{interface_name}

hostname(config-if)#ipverifyunicastsourcereachable-viarx

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatprotecttheconfidentiality,integrity,andavailabilityofnetworkdevices.The'unicastReverse-PathForwarding'(uRPF)featuredynamicallyusestheroutertabletoeitheracceptordroppacketswhenarrivingonaninterface.

4.1.3.2BorderRouterFiltering

Aborder-filteringdeviceconnects"internal"networkssuchasdesktopnetworks,DMZnetworks,etc.,to"external"networkssuchastheInternet.Ifthisgroupischosen,theningressandegressfilterruleswillberequired.

4.1.3.2.1Set'ipaccess-listextended'toForbidPrivateSourceAddressesfromExternalNetworks


Device Result



Description

Thiscommandplacestherouterinaccess-listconfigurationmode,whereyoumustdefinethedeniedorpermittedaccessconditionsbyusingthedenyandpermitcommands.

Rationale

Configuringaccesscontrolscanhelppreventspoofingattacks.ToreducetheeffectivenessofIPspoofing,configureaccesscontroltodenyanytrafficfromtheexternalnetworkthathasasourceaddressthatshouldresideontheinternalnetwork.Includelocalhostaddressoranyreservedprivateaddresses(RFC1918).

Ensurethepermitrule(s)abovethefinaldenyruleonlyallowtrafficaccordingtoyourorganization'sleastprivilegepolicy.

Remediation

ConfigureACLforprivatesourceaddressrestrictionsfromexternalnetworks.

hostname(config)#ipaccess-listextended{name|number}

hostname(config-nacl)#denyip{internal_networks}anylog

hostname(config-nacl)#denyip127.0.0.00.255.255.255anylog





hostname(config-nacl)#denyip

192.0.2.00.0.0.255anylog



hostname(config-nacl)#denyiphost255.255.255.255anylog

hostname(config-nacl)#permit{protocol}{source_ip}{source_mask}{destination}{destination_mask}log

hostname(config-nacl)#denyanyanylog

hostname(config)#interface

<external_interface>

hostname(config-if)#access-group<access-list>in

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatexplicitlyseparateinternalfromexternalnetworks.Adding'ipaccess-list'explicitlypermittinganddenyinginternalandexternalnetworksenforcesthesepolicies.

4.1.3.2.2Setinbound'ipaccess-group'ontheExternalInterface


Device Result



Description


Rationale



Remediation

Applytheaccess-groupfortheexternal(untrusted)interface

hostname(config)#interface{external_interface}

hostname(config-if)#ipaccess-group{name|number}in

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesexplicitlypermittinganddenyingaccessbaseduponaccesslists.Usingthe'ipaccess-group'commandenforcesthesepoliciesbyexplicitlyidentifyinggroupspermittedaccess.

4.1.3.3NeighborAuthentication

Enableroutingauthentication.

4.1.3.3.1RequireEIGRPAuthenticationifProtocolisUsed

Verifyenhancedinteriorgatewayroutingprotocol(EIGRP)authenticationisenabled,ifroutingprotocolisused,wherefeasible.

4.1.3.3.1.1Set'keychain'


Device Result



Description

Defineanauthenticationkeychaintoenableauthenticationforroutingprotocols.Akeychainmusthaveatleastonekeyandcanhaveupto2,147,483,647keys.

NOTE:OnlyDRPAgent,EIGRP,andRIPv2usekeychains.

Rationale

RoutingprotocolssuchasDRPAgent,EIGRP,andRIPv2usekeychainsforauthentication.

Remediation

Establishthekeychain.

hostname(config)#keychain{key-chain_name}

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'keychains'forroutingprotocolsenforcesthesepolicies.

4.1.3.3.1.2Set'key'


Device Result



Description

Configureanauthenticationkeyonakeychain.

Rationale

Thisispartoftheroutingauthenticationsetup

Remediation

Configurethekeynumber.

hostname(config-keychain)#key{key-number}

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'keynumbers'forkeychainsforroutingprotocolsenforcesthesepolicies.

4.1.3.3.1.3Set'key-string'


Device Result



Description

Configuretheauthenticationstringforakey.

Rationale


Remediation

Configurethekeystring.

hostname(config-keychain-key)#key-string<key-string>

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'keystrings'forkeychainsforroutingprotocolsenforcesthesepolicies.

4.1.3.3.1.4Set'address-familyipv4autonomous-system'


Device Result



Description

ConfiguretheEIGRPaddressfamily.

Rationale

BGPisatruemulti-protocolroutingprotocolandthe'address-family'featureenablesrestrictionofexchangeswithspecificneighbors.

Remediation


hostname(config)#routereigrp<virtual-instance-name>

hostname(config-router)#address-familyipv4autonomous-system{eigrp_as-number}

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'address-family'forEIGRPenforcesthesepoliciesbyrestrictingtheexchangesbetweenpredefinednetworkdevices.

4.1.3.3.1.5Set'af-interfacedefault'


Device Result



Description

DefinesuserdefaultstoapplytoEIGRPinterfacesthatbelongtoanaddress-family.

Rationale

PartoftheEIGRPaddress-familysetup

Remediation




hostname(config-router-af)#af-interfacedefault

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'af-interfacedefault'forEIGRPinterfacesenforcesthesepoliciesbyrestrictingtheexchangesbetweenpredefinednetworkdevices.

4.1.3.3.1.6Set'authenticationkey-chain'


Device Result



Description

ConfiguretheEIGRPaddressfamilykeychain.

Rationale

ThisispartoftheEIGRPauthenticationconfiguration

Remediation




hostname(config-router-af)#af-interface{interface-name}

hostname(config-router-af-interface)#authenticationkey-chain{eigrp_key-chain_name}

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Usingtheaddress-family'keychain'forEIGRPenforcesthesepoliciesbyrestrictingtheexchangesbetweenpredefinednetworkdevices.

4.1.3.3.1.7Set'authenticationmodemd5'


Device Result



Description

Configureauthenticationtopreventunapprovedsourcesfromintroducingunauthorizedorfalseservicemessages.

Rationale


Remediation

ConfiguretheEIGRPaddressfamilyauthenticationmode.




hostname(config-router-af-interface)#authenticationmodemd5

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Usingthe'authenticationmode'forEIGRPaddress-familyorservice-familypacketsenforcesthesepoliciesbyrestrictingthetypeofauthenticationbetweennetworkdevices.

4.1.3.3.1.8Set'ipauthenticationkey-chaineigrp'


Device Result



Description

SpecifythetypeofauthenticationusedinEnhancedInteriorGatewayRoutingProtocol(EIGRP)packetsperinterface.

Rationale

ConfiguringEIGRPauthenticationkey-chainnumberandnametorestrictpacketexchangesbetweennetworkdevices.

Remediation

ConfiguretheinterfacewiththeEIGRPkeychain.


hostname(config-if)#ipauthenticationkey-chaineigrp{eigrp_as-number}{eigrp_key-chain_name}

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Configuringtheinterfacewith'ipauthenticationkeychain'forEIGRPbynameandnumberenforcesthesepoliciesbyrestrictingtheexchangesbetweennetworkdevices.

4.1.3.3.1.9Set'ipauthenticationmodeeigrp'


Device Result



Description

Configureauthenticationtopreventunapprovedsourcesfromintroducingunauthorizedorfalseroutingmessages.

Rationale


Remediation

ConfiguretheinterfacewiththeEIGRPauthenticationmode.


hostname(config-if)#ipauthenticationmodeeigrp{eigrp_as-number}md5

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Configuringtheinterfacewith'ipauthenticationmode'forEIGRPbynumberandmodeenforcesthesepoliciesbyrestrictingtheexchangesbetweennetworkdevices.

4.1.3.3.2RequireOSPFAuthenticationifProtocolisUsed

Verifyopenshortestpathfirst(OSPF)authenticationisenabled,wherefeasible.

4.1.3.3.2.1Set'authenticationmessage-digest'forOSPFarea


Device Result



Description

EnableMD5authenticationforOSPF.

Rationale

ThisispartoftheOSPFauthenticationsetup.

Remediation

ConfiguretheMessageDigestoptionforOSPF.

hostname(config)#routerospf<ospf_process-id>

hostname(config-router)#area<ospf_area-id>authenticationmessage-digest

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Configuringthearea'authenticationmessage-digest'forOSPFenforcesthesepoliciesbyrestrictingexchangesbetweennetworkdevices.

4.1.3.3.2.2Set'ipospfmessage-digest-keymd5'


Device Result



Description

EnableOpenShortestPathFirst(OSPF)MessageDigest5(MD5)authentication.

Rationale

ThisispartoftheOSPFauthenticationsetup

Remediation

Configuretheappropriateinterface(s)forMessageDigestauthentication


hostname(config-if)#ipospfmessage-digest-key{ospf_md5_key-id}md5{ospf_md5_key}

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Configuringtheproperinterface(s)for'ipospfmessage-digest-keymd5'enforcesthesepoliciesbyrestrictingexchangesbetweennetworkdevices.

4.1.3.3.3RequireRIPv2AuthenticationifProtocolisUsed

RoutingInformationProtocolisadistancevectorprotocolusedforinteriorgatewayroutingonsomenetworks.

RIPisacomplexprotocol,withmanyconfigurationoptionswhichmayhaveeffectswhicharenotimmediatelyobvious.

Verifyroutinginformationprotocol(RIP)versiontwoauthenticationisenabled,ifroutingprotocolisused,wherefeasible.



Device Result



Description

DefineanauthenticationkeychaintoenableauthenticationforRIPv2routingprotocols.

Rationale

Thisispartoftheroutingauthenticationprocess.

Remediation


hostname(config)#keychain{rip_key-chain_name}

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Configuringtheproperauthentication'key-chain(name)'forRIPv2protocolsenforcesthesepoliciesbyrestrictingacceptableauthenticationbetweennetworkdevices.

4.1.3.3.3.2Set'key'


Device Result



Description


Rationale


Remediation



Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Configuringtheproperauthentication'key'forRIPv2protocolsenforcesthesepoliciesbyrestrictingacceptableauthenticationbetweennetworkdevices.



Device Result



Description


Rationale


Remediation



Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'key-string'forkeychainsforroutingprotocolsenforcesthesepolicies.

4.1.3.3.3.4Set'ipripauthenticationkey-chain'


Device Result



Description

EnableauthenticationforRoutingInformationProtocol(RIP)Version2packetsandtospecifythesetofkeysthatcanbeusedonaninterface.

Rationale

ThisispartoftheRIPv2authenticationsetup

Remediation

ConfiguretheInterfacewiththeRIPv2keychain.


hostname(config-if)#ipripauthenticationkey-chain{rip_key-chain_name}

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Configuringtheinterfacewith'ipripauthenticationkey-chain'bynameenforcesthesepoliciesbyrestrictingtheexchangesbetweennetworkdevices.

4.1.3.3.3.5Set'ipripauthenticationmode'to'md5'


Device Result



Description


Rationale


Remediation

ConfiguretheRIPv2authenticationmodeonthenecessaryinterface(s)

hostname(config)#interface<interface_name>

hostname(config-if)#ipripauthenticationmodemd5

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Usingthe'ipripauthenticationmodemd5'enforcesthesepoliciesbyrestrictingthetypeofauthenticationbetweennetworkdevices.

4.1.3.3.4RequireBGPAuthenticationifProtocolisUsed

BorderGatewayProtocol(BGP)isapathvectorprotocolusedforinteriorandexteriorgatewayroutingonsomenetworks.

BGPisacomplexprotocol,withmanyconfigurationoptionswhichmayhaveeffectswhicharenotimmediatelyobvious.

VerifyBorderGatewayProtocol(BGP)authenticationisenabled,ifroutingprotocolisused,wherefeasible.

4.1.3.3.4.1Set'neighborpassword'


Device Result



Description

Enablemessagedigest5(MD5)authenticationonaTCPconnectionbetweentwoBGPpeers

Rationale

EnforcingroutingauthenticationreducesthelikelihoodofroutingpoisoningandunauthorizedroutersfromjoiningBGProuting.

Remediation

ConfigureBGPneighborauthenticationwherefeasible.

hostname(config)#routerbgp<bgp_as-number>

hostname(config-router)#neighbor<bgp_neighbor-ip|peer-group-name>password<password>

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Usingthe'neighborpassword'forBGPenforcesthesepoliciesbyrestrictingthetypeofauthenticationbetweennetworkdevices.


4.2CISCiscoIOS12Benchmark

Thisdocument,SecurityConfigurationBenchmarkforCiscoIOS,providesprescriptiveguidanceforestablishingasecureconfigurationpostureforCiscoRouterrunningCiscoIOSversion12.Toobtainthelatestversionofthisguide,pleasevisithttp://benchmarks.cisecurity.org.Ifyouhavequestions,comments,orhaveidentifiedwaystoimprovethisguide,[email protected].

4.2.1ManagementPlane

Services,settingsanddatastreamsrelatedtosettingupandexaminingthestaticconfigurationofthefirewall,andtheauthenticationandauthorizationoffirewalladministrators.Examplesofmanagementplaneservicesinclude:administrativedeviceaccess(telnet,ssh,http,andhttps),SNMP,andsecurityprotocolslikeRADIUSandTACACS+.

4.2.1.1LocalAuthentication,AuthorizationandAccounting(AAA)Rules

RulesintheLocalauthentication,authorizationandaccounting(AAA)configurationclassenforcedeviceaccesscontrol,provideamechanismfortrackingconfigurationchanges,andenforcingsecuritypolicy.

4.2.1.1.1Enable'aaanew-model'


Device Result



Description

ThiscommandenablestheAAAaccesscontrolsystem.

Rationale

Authentication,authorizationandaccounting(AAA)servicesprovideanauthoritativesourceformanagingandmonitoringaccessfordevices.Centralizingcontrolimprovesconsistencyofaccesscontrol,theservicesthatmaybeaccessedonceauthenticatedandaccountabilitybytrackingservicesaccessed.Additionally,centralizingaccesscontrolsimplifiesandreducesadministrativecostsofaccountprovisioningandde-provisioning,especiallywhenmanagingalargenumberofdevices.

Remediation

Globallyenableauthentication,authorizationandaccounting(AAA)usingthenew-modelcommand.

hostname(config)#aaanew-model

Impact:

ImplementingCiscoAAAissignificantlydisruptiveasformeraccessmethodsareimmediatelydisabled.Therefore,beforeimplementingCiscoAAA,theorganizationshouldcarefullyreviewandplantheirauthenticationcriteria(logins&passwords,challenges&responses,andtokentechnologies),authorizationmethods,andaccountingrequirements.

4.2.1.1.2Enable'aaaauthenticationlogin'


Device Result



Description

Setsauthentication,authorizationandaccounting(AAA)authenticationatlogin.

Rationale

UsingAAAauthenticationforinteractivemanagementaccesstothedeviceprovidesconsistent,centralizedcontrolofyournetwork.ThedefaultunderAAA(localornetwork)istorequireuserstologinusingavalidusernameandpassword.ThisruleappliesforbothlocalandnetworkAAA.FallbackmodeshouldalsobeenabledtoallowemergencyaccesstotherouterorswitchintheeventthattheAAAserverwasunreachable,byutilizingtheLOCALkeywordaftertheAAAserver-tag.

Remediation

ConfigureAAAauthenticationmethod(s)forloginauthentication.

hostname(config)#aaaauthenticationlogin{default|aaa_list_name}[passwd-expiry]

method1[method2]

Impact:

ImplementingCiscoAAAissignificantlydisruptiveasformeraccessmethodsareimmediatelydisabled.Therefore,beforeimplementingCiscoAAA,theorganizationshouldcarefullyreviewandplantheirauthenticationmethodssuchasloginsandpasswords,challengesandresponses,andwhichtokentechnologieswillbeused.

4.2.1.1.3Enable'aaaauthenticationenabledefault'


Device Result



Description

AuthenticatesuserswhoaccessprivilegedEXECmodewhentheyusetheenablecommand.

Rationale


Remediation

ConfigureAAAauthenticationmethod(s)forenableauthentication.

hostname(config)#aaaauthenticationenabledefault{method1}enable

Impact:

EnablingCiscoAAA'authenticationenable'modeissignificantlydisruptiveasformeraccessmethodsareimmediatelydisabled.Therefore,beforeenabling'aaaauthenticationenabledefault'mode,theorganizationshouldplanandimplementauthenticationloginsandpasswords,challengesandresponses,andtokentechnologies.

4.2.1.1.4Set'loginauthenticationfor'linecon0'


Device Result



Description

Authenticatesuserswhoaccesstherouterorswitchusingtheserialconsoleport.

Rationale


Remediation


hostname(config)#lineconsole0


Impact:

EnablingCiscoAAA'linelogin'issignificantlydisruptiveasformeraccessmethodsareimmediatelydisabled.Therefore,beforeenablingCiscoAAA'linelogin',theorganizationshouldplanandimplementauthenticationloginsandpasswords,challengesandresponses,andtokentechnologies.

4.2.1.1.5Set'loginauthenticationfor'linetty'


Device Result



Description

AuthenticatesuserswhoaccesstherouterorswitchusingtheTTYport.

Rationale


Remediation


hostname(config)#linetty{line-number}[ending-line-number]


Impact:

EnablingCiscoAAA'loginauthenticationforlineTTY'issignificantlydisruptiveasformeraccessmethodsareimmediatelydisabled.Therefore,beforeenablingCiscoAAA'loginauthenticationforlineTTY',theorganizationshouldplanandimplementauthenticationloginsandpasswords,challengesandresponses,andtokentechnologies.

4.2.1.1.6Set'loginauthenticationfor'linevty'


Device Result



Description

AuthenticatesuserswhoaccesstherouterorswitchremotelythroughtheVTYport.

Rationale


Remediation


hostname(config)#linevty{line-number}[ending-line-number]


Impact:

EnablingCiscoAAA'loginauthenticationforlineVTY'issignificantlydisruptiveasformeraccessmethodsareimmediatelydisabled.Therefore,beforeenablingCiscoAAA'loginauthenticationforlineVTY',theorganizationshouldplanandimplementauthenticationloginsandpasswords,challengesandresponses,andtokentechnologies.

4.2.1.1.7Set'aaaaccounting'tologallprivilegedusecommandsusing'commands15'


Device Result



Description

Runsaccountingforallcommandsatthespecifiedprivilegelevel.

Rationale

Authentication,authorizationandaccounting(AAA)systemsprovideanauthoritativesourceformanagingandmonitoringaccessfordevices.Centralizingcontrolimprovesconsistencyofaccesscontrol,theservicesthatmaybeaccessedonceauthenticatedandaccountabilitybytrackingservicesaccessed.Additionally,centralizingaccesscontrolsimplifiesandreducesadministrativecostsofaccountprovisioningandde-provisioning,especiallywhenmanagingalargenumberofdevices.AAAAccountingprovidesamanagementandaudittrailforuserandadministrativesessionsthroughRADIUSorTACACS+.

Remediation

ConfigureAAAaccountingforcommands.

hostname(config)#aaaaccountingcommands15{default|list-name|guarantee-first}


Impact:

Enabling'aaaaccounting'forprivilegedcommandsrecordsandsendsactivitytotheaccountingserversandenablesorganizationstomonitorandanalyzeprivilegedactivity.

4.2.1.1.8Set'aaaaccountingconnection'


Device Result



Description

Providesinformationaboutalloutboundconnectionsmadefromthenetworkaccessserver.

Rationale

Authentication,authorizationandaccounting(AAA)systemsprovideanauthoritativesourceformanagingandmonitoringaccessfordevices.Centralizingcontrolimprovesconsistencyofaccesscontrol,theservicesthatmaybeaccessedonceauthenticatedandaccountabilitybytrackingservicesaccessed.Additionally,

centralizingaccesscontrolsimplifiesandreducesadministrativecostsofaccountprovisioningandde-provisioning,especiallywhenmanagingalargenumberofdevices.AAAAccountingprovidesamanagementandaudittrailforuserandadministrativesessionsthroughRADIUSandTACACS+.

Remediation


hostname(config)#aaaaccountingconnection{default|list-name|guarantee-first}


Impact:

Implementingaaaaccountingconnectioncreatesaccountingrecordsaboutconnectionsfromthenetworkaccessserver.Organizationsshouldregularmonitortheseconnectionrecordsforexceptions,remediateissues,andreportfindingsregularly.

4.2.1.1.9Set'aaaaccountingexec'


Device Result



Description

RunsaccountingfortheEXECshellsession.

Rationale


Remediation

ConfigureAAAaccountingforEXECshellsession.

hostname(config)#aaaaccountingexec{default|list-name|guarantee-first}


Impact:

EnablingaaaaccountingexeccreatesaccountingrecordsfortheEXECterminalsessionsonthenetworkaccessserver.Theserecordsincludestartandstoptimes,usernames,anddateinformation.Organizationsshouldregularlymonitortheserecordsforexceptions,remediateissues,andreportfindings.

4.2.1.1.10Set'aaaaccountingnetwork'


Device Result



Description

Runsaccountingforallnetwork-relatedservicerequests.

Rationale


Remediation


hostname(config)#aaaaccountingnetwork{default|list-name|guarantee-first}


Impact:

ImplementingaaaaccountingnetworkcreatesaccountingrecordsforamethodlistincludingARA,PPP,SLIP,andNCPssessions.Organizationsshouldregularmonitortheserecordsforexceptions,remediateissues,andreportfindings.

4.2.1.1.11Set'aaaaccountingsystem'


Device Result



Description

Performsaccountingforallsystem-leveleventsnotassociatedwithusers,suchasreloads.

Rationale


Remediation

ConfigureAAAaccountingsystem.

hostname(config)#aaaaccountingsystem{default|list-name|guarantee-first}


Impact:

Enablingaaaaccountingsystemcreatesaccountingrecordsforallsystem-levelevents.Organizationsshouldregularmonitortheserecordsforexceptions,remediateissues,andreportfindingsregularly.

4.2.1.2AccessRules

Rulesintheaccessclassenforcecontrolsfordeviceadministrativeconnections.

4.2.1.2.1Set'privilege1'forlocalusers


Device Result



Description

Setstheprivilegelevelfortheuser.

Rationale

Defaultdeviceconfigurationdoesnotrequirestronguserauthenticationpotentiallyenablingunfetteredaccesstoanattackerthatisabletoreachthedevice.Creatingalocalaccountwithprivilegelevel1permissionsonlyallowsthelocalusertoaccessthedevicewithEXEC-levelpermissionsandwillbeunabletomodifythedevicewithoutusingtheenablepassword.Inaddition,requiretheuseofanencryptedpasswordaswell(seeSection1.1.4.4-RequireEncryptedUserPasswords).

Remediation

Setthelocalusertoprivilegelevel1.

hostname(config)#username<LOCAL_USERNAME>privilege1

Impact:

Organizationsshouldcreatepoliciesrequiringalllocalaccountswith'privilegelevel1'withencryptedpasswordstoreducetheriskofunauthorizedaccess.Defaultconfigurationsettingsdonotprovidestronguserauthenticationtothedevice.

4.2.1.2.2Set'transportinputssh'for'linevty'connections


Device Result



Description

SelectstheSecureShell(SSH)protocol.

Rationale

ConfiguringVTYaccesscontrolrestrictsremoteaccesstoonlythoseauthorizedtomanagethedeviceandpreventsunauthorizedusersfromaccessingthesystem.

Remediation

ApplySSHtotransportinputonallVTYmanagementlines


hostname(config-line)#transportinputssh

Impact:

Toreduceriskofunauthorizedaccess,organizationsshouldrequireallVTYmanagementlineprotocolstobelimitedtossh.

4.2.1.2.3Set'noexec'for'lineaux0'


Device Result



Description

The'noexec'commandrestrictsalinetooutgoingconnectionsonly.

Rationale


Remediation

DisabletheEXECprocessontheauxiliaryport.


hostname(config-line)#noexec

Impact:

Organizationscanreducetheriskofunauthorizedaccessbydisablingthe'aux'portwiththe'noexec'command.Conversely,notrestrictingaccessthroughthe'aux'portincreasestheriskofremoteunauthorizedaccess.

4.2.1.2.4Create'access-list'forusewith'linevty'


Device Result



Description

Accesslistscontrolthetransmissionofpacketsonaninterface,controlVirtualTerminalLine(VTY)access,andrestrictthecontentsofroutingupdates.TheCiscoIOSsoftwarestopscheckingtheextendedaccesslistafteramatchoccurs.

Rationale

VTYACLscontrolwhataddressesmayattempttologintotherouter.ConfiguringVTYlinestouseanACL,restrictsthesourceswhereausercanmanagethedevice.Youshouldlimitthespecifichost(s)andornetwork(s)authorizedtoconnecttoandconfigurethedevice,viaanapprovedprotocol,tothoseindividualsorsystemsauthorizedtoadministerthedevice.Forexample,youcouldlimitaccesstospecifichosts,sothatonlynetworkmanagerscanconfigurethedevicesonlybyusingspecificnetworkmanagementworkstations.MakesureyouconfigureallVTYlinestousethesameACL.

Remediation

ConfiguretheVTYACLthatwillbeusedtorestrictmanagementaccesstothedevice.

hostname(config)#access-list<vty_acl_number>permittcp<vty_acl_block_with_mask>any

hostname(config)#access-list<vty_acl_number>permittcphost<vty_acl_host>any

hostname(config)#denyipanyanylog

Impact:

Organizationscanreducetheriskofunauthorizedaccessbyimplementingaccess-listsforallVTYlines.Conversely,usingVTYlineswithoutaccess-listsincreasestheriskofunauthorizedaccess.

4.2.1.2.5Set'access-class'for'linevty'


Device Result



Description

The'access-class'settingrestrictsincomingandoutgoingconnectionsbetweenaparticularvty(intoaCiscodevice)andthenetworkingdevicesassociatedwithaddressesinanaccesslist.

Rationale

Restrictingthetypeofnetworkdevices,associatedwiththeaddressesontheaccess-list,furtherrestrictsremoteaccesstothosedevicesauthorizedtomanagethedeviceandreducestheriskofunauthorizedaccess.

Remediation

ConfigureremotemanagementaccesscontrolrestrictionsforallVTYlines.


hostname(config-line)#access-class<vty_acl_number>in

Impact:

Applying'access'class'tolineVTYfurtherrestrictsremoteaccesstoonlythosedevicesauthorizedtomanagethedeviceandreducestheriskofunauthorizedaccess.Conversely,usingVTYlineswith'accessclass'restrictionsincreasestherisksofunauthorizedaccess.

4.2.1.2.6Set'exec-timeout'tolessthanorequalto10minutesfor'lineaux0'


Device Result



Description


Rationale


Remediation




Impact:


4.2.1.2.7Set'exec-timeout'tolessthanorequalto10minutes'lineconsole0'


Device Result



Description


Rationale


Remediation


hostname(config)#linecon0


Impact:

Organizationsshouldpreventunauthorizeduseofunattendedorabandonedsessionsbyanautomatedcontrol.Enabling'exec-timeout'withanappropriatelengthreducestheriskofunauthorizedaccessofabandonedsessions.

4.2.1.2.8Set'exec-timeout'lessthanorequalto10minutes'linetty'


Device Result



Description


Rationale


Remediation


hostname(config)#linetty{line_number}[ending_line_number]


Impact:

Organizationsshouldpreventunauthorizeduseofunattendedorabandonedsessionsbyanautomatedcontrol.Enabling'exec-timeout'withanappropriatelengthreducestherisksofunauthorizedaccessofabandonedsessions.

4.2.1.2.9Set'exec-timeout'tolessthanorequalto10minutes'linevty'


Device Result



Description


Rationale


Remediation


hostname(config)#linevty{line_number}[ending_line_number]


Impact:


4.2.1.2.10Set'transportinputnone'for'lineaux0'


Device Result



Description

Whenyouwanttoallowonlyanoutgoingconnectiononaline,usethenoexeccommand.

Rationale


Remediation

Disabletheinboundconnectionsontheauxiliaryport.


hostname(config-line)#transportinputnone

Impact:

Organizationsshouldpreventallunauthorizedaccessofauxiliaryportsbydisablingallprotocolsusingthe'transportinputnone'command.

4.2.1.3BannerRules

Rulesinthebannerclasscommunicatelegalrightstousers.

4.2.1.3.1Setthe'banner-text'for'bannerexec'


Device Result



Description

ThiscommandspecifiesamessagetobedisplayedwhenanEXECprocessiscreated(alineisactivated,oranincomingconnectionismadetoavty).Followthiscommandwithoneormoreblankspacesandadelimitingcharacterofyourchoice.Thenenteroneormorelinesoftext,terminatingthemessagewiththesecondoccurrenceofthedelimitingcharacter.

Whenauserconnectstoarouter,themessage-of-the-day(MOTD)bannerappearsfirst,followedbytheloginbannerandprompts.Aftertheuserlogsintotherouter,theEXECbannerorincomingbannerwillbedisplayed,dependingonthetypeofconnection.ForareverseTelnetlogin,theincomingbannerwillbedisplayed.Forallotherconnections,therouterwilldisplaytheEXECbanner.

Rationale



Remediation

ConfiguretheEXECbannerpresentedtoauserwhenaccessingthedevicesenableprompt.

hostname(config)#bannerexecc


<banner-text>

c

Impact:

Organizationsprovideappropriatelegalnotice(s)andwarning(s)topersonsaccessingtheirnetworksbyusinga'banner-text'forthebannerexeccommand.

4.2.1.3.2Setthe'banner-text'for'bannerlogin'


Device Result



Description

Followthebannerlogincommandwithoneormoreblankspacesandadelimitingcharacterofyourchoice.Thenenteroneormorelinesoftext,terminatingthemessagewiththesecondoccurrenceofthedelimitingcharacter.

Whenauserconnectstotherouter,themessage-of-the-day(MOTD)banner(ifconfigured)appearsfirst,followedbytheloginbannerandprompts.Aftertheusersuccessfullylogsintotherouter,theEXECbannerorincomingbannerwillbedisplayed,dependingonthetypeofconnection.ForareverseTelnetlogin,theincomingbannerwillbedisplayed.Forallotherconnections,therouterwilldisplaytheEXECbanner.

Rationale



Remediation

Configurethedevicesoaloginbannerpresentedtoauserattemptingtoaccessthedevice.

hostname(config)#bannerloginc


<banner-text>

c

Impact:

Organizationsprovideappropriatelegalnotice(s)andwarning(s)topersonsaccessingtheirnetworksbyusinga'banner-text'forthebannerlogincommand.

4.2.1.3.3Setthe'banner-text'for'bannermotd'


Device Result



Description

ThisMOTDbannerisdisplayedtoallterminalsconnectedandisusefulforsendingmessagesthataffectallusers(suchasimpendingsystemshutdowns).Usethenoexec-bannerornomotd-bannercommandtodisabletheMOTDbanneronaline.Thenoexec-bannercommandalsodisablestheEXECbannerontheline.

Whenauserconnectstotherouter,theMOTDbannerappearsbeforetheloginprompt.Aftertheuserlogsintotherouter,theEXECbannerorincomingbannerwillbedisplayed,dependingonthetypeofconnection.ForareverseTelnetlogin,theincomingbannerwillbedisplayed.Forallotherconnections,therouterwilldisplaytheEXECbanner.

Rationale


First,bannersmaybeusedtogenerateconsenttoreal-timemonitoringunderTitleIII;Second,bannersmaybeusedtogenerateconsenttotheretrievalofstoredfilesandrecordspursuanttoECPA;Third,inthecaseofgovernmentnetworks,bannersmayeliminateanyFourthAmendment"reasonableexpectationofprivacy"thatgovernmentemployeesor

otherusersmightotherwiseretainintheiruseofthegovernment'snetworkunderO'Connorv.Ortega,480U.S.709(1987);Fourth,inthecaseofanon-governmentnetwork,bannersmayestablishasystemadministrator's"commonauthority"toconsenttoalawenforcementsearchpursuanttoUnitedStatesv.Matlock,415U.S.164(1974)."(USDepartmentofJusticeAPPENDIXA:SampleNetworkBannerLanguage).

Remediation

Configurethemessageoftheday(MOTD)bannerpresentedwhenauserfirstconnectstothedevice.

hostname(config)#bannermotdc


<banner-text>

c

Impact:

Organizationsprovideappropriatelegalnotice(s)andwarning(s)topersonsaccessingtheirnetworksbyusinga'banner-text'forthebannermotdcommand.

4.2.1.4PasswordRules

Rulesinthepasswordclassenforcesecure,localdeviceauthenticationcredentials.

4.2.1.4.1Set'password'for'enablesecret'


Device Result



Description

Usetheenablesecretcommandtoprovideanadditionallayerofsecurityovertheenablepassword.Theenablesecretcommandprovidesbettersecuritybystoringtheenablesecretpasswordusinganonreversiblecryptographicfunction.TheaddedlayerofsecurityencryptionprovidesisusefulinenvironmentswherethepasswordcrossesthenetworkorisstoredonaTFTPserver.

Rationale

RequiringtheenablesecretsettingprotectsprivilegedEXECmode.Bydefault,astrongpasswordisnotrequired,ausercanjustpresstheEnterkeyatthePasswordprompttostartprivilegedmode.Theenablepasswordcommandcausesthedevicetoenforceuseofapasswordtoaccessprivilegedmode.Enablesecretsuseaone-waycryptographichash(MD5).ThisispreferredtoLevel7enablepasswordsthatuseaweak,well-known,andeasilyreversibleencryptionalgorithm.

Remediation

Configureastrong,enablesecretpassword.

hostname(config)#enablesecret<ENABLE_SECRET_PASSWORD>

Impact:

OrganizationsshouldprotectprivilegedEXECmodethroughpoliciesrequiringthe'enablingsecret'setting,whichenforcesaone-waycryptographichash(MD5).

4.2.1.4.2Enable'servicepassword-encryption'


Device Result



Description

Whenpasswordencryptionisenabled,theencryptedformofthepasswordsisdisplayedwhenamoresystem:running-configcommandisentered.

Rationale

Thisrequirespasswordstobeencryptedintheconfigurationfiletopreventunauthorizedusersfromlearningthepasswordsjustbyreadingtheconfiguration.Whennotenabled,manyofthedevice'spasswordswillberenderedinplaintextintheconfigurationfile.Thisserviceensurespasswordsarerenderedasencryptedstringspreventinganattackerfromeasilydeterminingtheconfiguredvalue.

Remediation

Enablepasswordencryptionservicetoprotectsensitiveaccesspasswordsinthedeviceconfiguration.

hostname(config)#servicepassword-encryption

Impact:

Organizationsimplementing'servicepassword-encryption'reducetheriskofunauthorizeduserslearningcleartextpasswordstoCiscoIOSconfigurationfiles.However,thealgorithmusedisnotdesignedtowithstandseriousanalysisandshouldbetreatedlikeclear-text.

4.2.1.4.3Set'usernamesecret'foralllocalusers


Device Result



Description

UsetheusernamesecretcommandtoconfigureausernameandMD5-encrypteduserpassword.MD5encryptionisastrongencryptionmethodthatisnotretrievable;thus,youcannotuseMD5encryptionwithprotocolsthatrequireclear-textpasswords,suchasChallengeHandshakeAuthenticationProtocol(CHAP).

Theusernamesecretcommandprovidesanadditionallayerofsecurityovertheusernamepassword.ItalsoprovidesbettersecuritybyencryptingthepasswordusingnonreversibleMD5encryptionandstoringtheencryptedtext.TheaddedlayerofMD5encryptionisusefulinenvironmentsinwhichthepasswordcrossesthenetworkorisstoredonaTFTPserver.

Rationale

Defaultdeviceconfigurationdoesnotrequirestronguserauthenticationpotentiallyenablingunfetteredaccesstoanattackerthatisabletoreachthedevice.Creatingalocalaccountwithanencryptedpasswordenforcesloginauthenticationandprovidesafallbackauthenticationmechanismforconfigurationinanamedmethodlistinasituationwherecentralizedauthentication,authorization,andaccountingservicesareunavailable.

Remediation

Createalocaluserwithanencrypted,complex(noteasilyguessed)password.

hostname(config)#username<LOCAL_USERNAME>secret<LOCAL_PASSWORD>

Impact:

Organizationsimplementing'usernamesecret'acrosstheirenterprisereducetheriskofunauthorizedusersgainingaccesstoCiscoIOSdevicesbyapplyingaMD5hashandencryptinguserpasswords.

4.2.1.5SNMPRules

SimpleNetworkManagementProtocol(SNMP)providesastandards-basedinterfacetomanageandmonitornetworkdevices.ThissectionprovidesguidanceonthesecureconfigurationofSNMPparameters.

TherecommendationsinthisSectionapplytoOrganizationsusingSNMP.OrganizationsusingSNMPshouldreviewandimplementtherecommendationsinthissection.

4.2.1.5.1Set'nosnmp-server'todisableSNMPwhenunused


Device Result



Description

Ifnotinuse,disablesimplenetworkmanagementprotocol(SNMP),readandwriteaccess.

Rationale

SNMPreadaccessallowsremotemonitoringandmanagementofthedevice.

Remediation

DisableSNMPreadandwriteaccessifnotinusedtomonitorand/ormanagedevice.

hostname(config)#nosnmp-server

Impact:

OrganizationsnotusingSNMPshouldrequireallSNMPservicestobedisabledbyrunningthe'nosnmp-server'command.

4.2.1.5.2Unset'private'for'snmp-servercommunity'


Device Result



Description


Rationale

Thedefaultcommunitystring"private"iswellknown.Usingeasytoguess,wellknowncommunitystringposesathreatthatanattackercaneffortlesslygainunauthorizedaccesstothedevice.

Remediation

DisablethedefaultSNMPcommunitystring"private"

hostname(config)#nosnmp-servercommunity{private}

Impact:

Toreducetheriskofunauthorizedaccess,Organizationsshoulddisabledefault,easytoguess,settingssuchasthe'private'settingforsnmp-servercommunity.

4.2.1.5.3Unset'public'for'snmp-servercommunity'


Device Result



Description


Rationale

Thedefaultcommunitystring"public"iswellknown.Usingeasytoguess,wellknowncommunitystringposesathreatthatanattackercaneffortlesslygainunauthorizedaccesstothedevice.

Remediation

DisablethedefaultSNMPcommunitystring"public"

hostname(config)#nosnmp-servercommunity{public}

Impact:

Toreducetheriskofunauthorizedaccess,Organizationsshoulddisabledefault,easytoguess,settingssuchasthe'public'settingforsnmp-servercommunity.

4.2.1.5.4Donotset'RW'forany'snmp-servercommunity'


Device Result



Description

Specifiesread-writeaccess.AuthorizedmanagementstationscanbothretrieveandmodifyMIBobjects.

Rationale

EnablingSNMPread-writeenablesremotemanagementofthedevice.Unlessabsolutelynecessary,donotallowsimplenetworkmanagementprotocol(SNMP)writeaccess.

Remediation

DisableSNMPwriteaccess.

hostname(config)#nosnmp-servercommunity{write_community_string}

Impact:

Toreducetheriskofunauthorizedaccess,OrganizationsshoulddisabletheSNMP'write'accessforsnmp-servercommunity.

4.2.1.5.5SettheACLforeach'snmp-servercommunity'


Device Result



Description

ThisfeaturespecifiesalistofIPaddressesthatareallowedtousethecommunitystringtogainaccesstotheSNMPagent.

Rationale

IfACLsarenotapplied,thenanyonewithavalidSNMPcommunitystringcanpotentiallymonitorandmanagetherouter.AnACLshouldbedefinedandappliedforallSNMPaccesstolimitaccesstoasmallnumberofauthorizedmanagementstationssegmentedinatrustedmanagementzone.Ifpossible,useSNMPv3whichusesauthentication,authorization,anddataprivatization(encryption).

Remediation

ConfigureauthorizedSNMPcommunitystringandrestrictaccesstoauthorizedmanagementsystems.

hostname(config)#snmp-servercommunity<community_string>ro{snmp_access-list_number|

snmp_access-list_name}

Impact:

Toreducetheriskofunauthorizedaccess,Organizationsshouldenableaccesscontrollistsforallsnmp-servercommunitiesandrestricttheaccesstoappropriatetrustedmanagementzones.Ifpossible,implementSNMPv3toapplyauthentication,authorization,anddataprivatization(encryption)foradditionalbenefitstotheorganization.

4.2.1.5.6Createan'access-list'forusewithSNMP


Device Result



Description

Youcanuseaccessliststocontrolthetransmissionofpacketsonaninterface,controlSimpleNetworkManagementProtocol(SNMP)access,andrestrictthecontentsofroutingupdates.TheCiscoIOSsoftwarestopscheckingtheextendedaccesslistafteramatchoccurs.

Rationale

SNMPACLscontrolwhataddressesareauthorizedtomanageandmonitorthedeviceviaSNMP.IfACLsarenotapplied,thenanyonewithavalidSNMPcommunitystringmaymonitorandmanagetherouter.AnACLshouldbedefinedandappliedforallSNMPcommunitystringstolimitaccesstoasmallnumberofauthorizedmanagementstationssegmentedinatrustedmanagementzone.

Remediation

ConfigureSNMPACLforrestrictingaccesstothedevicefromauthorizedmanagementstationssegmentedinatrustedmanagementzone.

hostname(config)#access-list<snmp_acl_number>permit<snmp_access-list>

hostname(config)#access-listdenyanylog

4.2.1.5.7Set'snmp-serverhost'whenusingSNMP


Device Result



Description


Rationale

IfSNMPisenabledfordevicemanagementanddevicealertsarerequired,thenensurethedeviceisconfiguredtosubmittrapsonlytoauthorizemanagementsystems.

Remediation

ConfigureauthorizedSNMPtrapcommunitystringandrestrictsendingmessagestoauthorizedmanagementsystems.

hostname(config)#snmp-serverhost{ip_address}{trap_community_string}snmp

Impact:

OrganizationsusingSNMPshouldrestrictsendingSNMPmessagesonlytoexplicitlynamedsystemstoreduceunauthorizedaccess.

4.2.1.5.8Set'snmp-serverenabletrapssnmp'


Device Result



Description


Rationale

SNMPhastheabilitytosubmittraps.

Remediation

EnableSNMPtraps.

hostname(config)#snmp-serverenabletrapssnmpauthenticationlinkuplinkdowncoldstart

Impact:

OrganizationsusingSNMPshouldrestricttraptypesonlytoexplicitlynamedtrapstoreduceunintendedtraffic.EnablingSNMPtrapswithoutspecifyingtraptypewillenableallSNMPtraptypes.

4.2.1.5.9Set'priv'foreach'snmp-servergroup'usingSNMPv3


Device Result



Description

SpecifiesauthenticationofapacketwithencryptionwhenusingSNMPv3

Rationale


Remediation

ForeachSNMPv3groupcreatedonyourrouteraddprivacyoptionsbyissuingthefollowingcommand...

hostname(config)#snmp-servergroup{group_name}v3priv

Impact:

OrganizationsusingSNMPcansignificantlyreducetherisksofunauthorizedaccessbyusingthe'snmp-servergroupv3priv'settingtoencryptmessagesintransit.

4.2.1.5.10Require'aes128'asminimumfor'snmp-serveruser'whenusingSNMPv3


Device Result



Description

Specifytheuseofaminimumof128-bitAESalgorithmforencryptionwhenusingSNMPv3.

Rationale


Remediation

ForeachSNMPv3usercreatedonyourrouteraddprivacyoptionsbyissuingthefollowingcommand.

hostname(config)#snmp-serveruser{user_name}{group_name}v3encryptedauthsha

{auth_password}privaes128{priv_password}{acl_name_or_number}

Impact:

OrganizationsusingSNMPcansignificantlyreducetherisksofunauthorizedaccessbyusingthe'snmp-serveruser'settingwithappropriateauthenticationandprivacyprotocolstoencryptmessagesintransit.

4.2.2ControlPlane

Thecontrolplanecoversmonitoring,routetableupdates,andgenerallythedynamicoperationoftherouter.Services,settings,anddatastreamsthatsupportanddocumenttheoperation,traffichandling,anddynamicstatusoftherouter.Examplesofcontrolplaneservicesinclude:logging(e.g.Syslog),routingprotocols,statusprotocolslikeCDPandHSRP,networktopologyprotocolslikeSTP,andtrafficsecuritycontrolprotocolslikeIKE.NetworkcontrolprotocolslikeICMP,NTP,ARP,andIGMPdirectedtoorsentbytherouteritselfalsofallintothisarea.

4.2.2.1GlobalServiceRules

Rulesintheglobalserviceclassenforceserverandservicecontrolsthatprotectagainstattacksorexposethedevicetoexploitation.

4.2.2.1.1SetupSSH

EnsureuseofSSHremoteconsolesessionstoCiscorouters.

4.2.2.1.1.1ConfigurePrerequisitesfortheSSHService

[Thisspaceintentionallyleftblank]

4.2.2.1.1.1.1Setthe'hostname'


Device Result



Description

Thehostnameisusedinpromptsanddefaultconfigurationfilenames.

Rationale

ThedomainnameisprerequisiteforsettingupSSH.

Remediation

Configureanappropriatehostnamefortherouter.

hostname(config)#hostname{router_name}

Impact:

Organizationsshouldplantheenterprisenetworkandidentifyanappropriatehostnameforeachrouter.

4.2.2.1.1.1.2Setthe'ipdomainname'


Device Result



Description

DefineadefaultdomainnamethattheCiscoIOSsoftwareusestocompleteunqualifiedhostnames

Rationale

ThedomainnameisaprerequisiteforsettingupSSH.

Remediation

Configureanappropriatedomainnamefortherouter.

hostname(config)#ipdomainname{domain-name}

Impact:

Organizationsshouldplantheenterprisenetworkandidentifyanappropriatedomainnamefortherouter.

4.2.2.1.1.1.3Set'modulus'togreaterthanorequalto2048for'cryptokeygeneratersa'


Device Result



Description

UsethiscommandtogenerateRSAkeypairsforyourCiscodevice.

RSAkeysaregeneratedinpairs--onepublicRSAkeyandoneprivateRSAkey.

Rationale

AnRSAkeypairisaprerequisiteforsettingupSSHandshouldbeatleast2048bits.

NOTE:IOSdoesNOTdisplaythemodulusbitvalueintheAuditProcedure.

Remediation

GenerateanRSAkeypairfortherouter.

hostname(config)#cryptokeygeneratersageneral-keysmodulus2048

Impact:

OrganizationsshouldplanandimplemententerprisenetworkcryptographyandgenerateanappropriateRSAkeypairs,suchas'modulus',greaterthanorequalto2048.

4.2.2.1.1.1.4Set'seconds'for'ipsshtimeout'


Device Result



Description

ThetimeintervalthattherouterwaitsfortheSSHclienttorespondbeforedisconnectinganuncompletedloginattempt.

Rationale

Thisreducestheriskofanadministratorleavinganauthenticatedsessionloggedinforanextendedperiodoftime.

Remediation

ConfiguretheSSHtimeout

hostname(config)#ipsshtime-out[60]

Impact:

Organizationsshouldimplementasecuritypolicyrequiringminimumtimeoutsettingsforallnetworkadministratorsandenforcethepolicythroughthe'ipsshtimeout'command.

4.2.2.1.1.1.5Setmaximimumvaluefor'ipsshauthentication-retries'

Device Result




Description

ThenumberofretriesbeforetheSSHloginsessiondisconnects.

Rationale

ThislimitsthenumberoftimesanunauthorizedusercanattemptapasswordwithouthavingtoestablishanewSSHloginattempt.ThisreducesthepotentialforsuccessduringonlinebruteforceattacksbylimitingthenumberofloginattemptsperSSHconnection.

Remediation

ConfiguretheSSHtimeout:

hostname(config)#ipsshauthentication-retries[3]

Impact:

Organizationsshouldimplementasecuritypolicylimitingthenumberofauthenticationattemptsfornetworkadministratorsandenforcethepolicythroughthe'ipsshauthentication-retries'command.

4.2.2.1.1.2Setversion2for'ipsshversion'


Device Result



Description

SpecifytheversionofSecureShell(SSH)toberunonarouter

Rationale

SSHVersion1hasbeensubjecttoanumberofseriousvulnerabilitiesandisnolongerconsideredtobeasecureprotocol,resultingintheadoptionofSSHVersion2asanInternetStandardin2006.

Ciscorouterssupportbothversions,butduetotheweaknessofSSHVersion1onlythelaterstandardshouldbeused.

Remediation

ConfiguretheroutertouseSSHversion2

hostname(config)#ipsshversion2

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicytoreviewtheircurrentprotocolstoensurethemostsecureprotocolversionsareinuse.

4.2.2.1.2Set'nocdprun'


Device Result



Description

DisableCiscoDiscoveryProtocol(CDP)serviceatdevicelevel.

Rationale

TheCiscoDiscoveryProtocolisaproprietaryprotocolthatCiscodevicesusetoidentifyeachotheronaLANsegment.Itisusefulonlyinnetworkmonitoringandtroubleshootingsituationsbutisconsideredasecurityriskbecauseoftheamountofinformationprovidedfromqueries.Inaddition,therehavebeenpublisheddenial-of-service(DoS)attacksthatuseCDP.CDPshouldbecompletelydisabledunlessnecessary.

Remediation

DisableCiscoDiscoveryProtocol(CDP)serviceglobally.

hostname(config)#nocdprun

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictingnetworkprotocolsandexplicitlyrequiredisablingallinsecureorunnecessaryprotocols.

4.2.2.1.3Set'noipbootpserver'


Device Result



Description

DisabletheBootstrapProtocol(BOOTP)serviceonyourroutingdevice.

Rationale

BootPallowsaroutertoissueIPaddresses.Thisshouldbedisabledunlessthereisaspecificrequirement.

Remediation

Disablethebootpserver.

hostname(config)#noipbootpserver

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictingnetworkprotocolsandexplicitlyrequiredisablingallinsecureorunnecessaryprotocolssuchas'ipbootpserver'.

4.2.2.1.4Set'noservicedhcp'


Device Result



Description

DisabletheDynamicHostConfigurationProtocol(DHCP)serverandrelayagentfeaturesonyourrouter.

Rationale

TheDHCPserversuppliesautomaticconfigurationparameters,suchasdynamicIPaddress,torequestingsystems.AdedicatedserverlocatedinasecuredmanagementzoneshouldbeusedtoprovideDHCPservicesinstead.Attackerscanpotentiallybeusedfordenial-of-service(DoS)attacks.

Remediation

DisabletheDHCPserver.

hostname(config)#noservicedhcp

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictingnetworkprotocolsandexplicitlyrequiredisablingallinsecureorunnecessaryprotocolssuchastheDynamicHostConfigurationProtocol(DHCP).

4.2.2.1.5Set'noipidentd'


Device Result



Description

Disabletheidentification(identd)server.

Rationale

Identificationprotocolenablesidentifyingauser'stransmissioncontrolprotocol(TCP)session.Thisinformationdisclosurecouldpotentiallyprovideanattacker

withinformationaboutusers.

Remediation

Disabletheidentserver.

hostname(config)#noipidentd

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictingnetworkprotocolsandexplicitlyrequiredisablingallinsecureorunnecessaryprotocolssuchastheidentificationprotocol(identd).

4.2.2.1.6Set'servicetcp-keepalives-in'


Device Result



Description

Generatekeepalivepacketsonidleincomingnetworkconnections.

Rationale


Remediation

EnableTCPkeepalives-inservice:

hostname(config)#servicetcp-keepalives-in

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictinghowlongtoallowterminatedsessionsandenforcethispolicythroughtheuseof'tcp-keepalives-in'command.

4.2.2.1.7Set'servicetcp-keepalives-out'


Device Result



Description

Generatekeepalivepacketsonidleoutgoingnetworkconnections.

Rationale


Remediation

EnableTCPkeepalives-outservice:

hostname(config)#servicetcp-keepalives-out

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictinghowlongtoallowterminatedsessionsandenforcethispolicythroughtheuseof'tcp-keepalives-out'command.

4.2.2.1.8Set'noservicepad'


Device Result



Description

DisableX.25PacketAssembler/Disassembler(PAD)service.

Rationale

IfthePADserviceisnotnecessary,disabletheservicetopreventintrudersfromaccessingtheX.25PADcommandsetontherouter.

Remediation

DisablethePADservice.

hostname(config)#noservicepad

Impact:

Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictingunnecessaryservicessuchasthe'PAD'service.

4.2.2.2LoggingRules

Rulesintheloggingclassenforcecontrolsthatprovidearecordofsystemactivityandevents.

4.2.2.2.1Set'loggingon'


Device Result



Description

Enableloggingofsystemmessages.

Rationale

LoggingprovidesachronologicalrecordofactivitiesontheCiscodeviceandallowsmonitoringofbothoperationalandsecurityrelatedevents.

Remediation

Enablesystemlogging.

hostname(config)#loggingon

Impact:

EnablingtheCiscoIOS'loggingon'commandenforcesthemonitoringoftechnologyrisksfortheorganizations'networkdevices.

4.2.2.2.2Set'buffersize'for'loggingbuffered'


Device Result



Description

Enablesystemmessageloggingtoalocalbuffer.

Rationale

Thedevicecancopyandstorelogmessagestoaninternalmemorybuffer.Thebuffereddataisavailableonlyfromarouterexecorenabledexecsession.Thisformofloggingisusefulfordebuggingandmonitoringwhenloggedintoarouter.

Remediation

Configurebufferedlogging(withminimumsize).Recommendedsizeis64000.

hostname(config)#loggingbuffered[log_buffer_size]

Impact:

Dataforensicsiseffectiveformanagingtechnologyrisksandanorganizationcanenforcesuchpoliciesbyenablingthe'loggingbuffered'command.

4.2.2.2.3Set'loggingconsolecritical'


Device Result



Description

Verifyloggingtodeviceconsoleisenabledandlimitedtoarationalseverityleveltoavoidimpactingsystemperformanceandmanagement.

Rationale

Thisconfigurationdeterminestheseverityofmessagesthatwillgenerateconsolemessages.Loggingtoconsoleshouldbelimitedonlytothosemessagesrequiredforimmediatetroubleshootingwhileloggedintothedevice.Thisformofloggingisnotpersistent;messagesprintedtotheconsolearenotstoredbytherouter.Consoleloggingishandyforoperatorswhentheyusetheconsole.

Remediation

Configureconsolelogginglevel.

hostname(config)#loggingconsolecritical

Impact:

Loggingcriticalmessagesattheconsoleisimportantforanorganizationmanagingtechnologyrisk.The'loggingconsole'commandshouldcaptureappropriateseveritymessagestobeeffective.

4.2.2.2.4SetIPaddressfor'logginghost'


Device Result



Description

Logsystemmessagesanddebugoutputtoaremotehost.

Rationale

CiscorouterscansendtheirlogmessagestoaUnix-styleSyslogservice.Asyslogservicesimplyacceptsmessagesandstorestheminfilesorprintsthemaccordingtoasimpleconfigurationfile.Thisformofloggingisbestbecauseitcanprovideprotectedlong-termstorageforlogs(thedevicesinternalloggingbufferhaslimitedcapacitytostoreevents.)Inaddition,loggingtoanexternalsystemishighlyrecommendedorrequiredbymostsecuritystandards.Ifdesiredorrequiredbypolicy,lawand/orregulation,enableasecondsyslogserverforredundancy.

Remediation

DesignateoneormoresyslogserversbyIPaddress.

hostname(config)#logginghostsyslog_server

Impact:

Loggingisanimportantprocessforanorganizationmanagingtechnologyrisk.The'logginghost'commandsetstheIPaddressofthelogginghostandenforcestheloggingprocess.

4.2.2.2.5Set'loggingtrapinformational'


Device Result



Description

Limitmessagesloggedtothesyslogserversbasedonseveritylevelinformational.

Rationale

Thisdeterminestheseverityofmessagesthatwillgeneratesimplenetworkmanagementprotocol(SNMP)trapandorsyslogmessages.Thissettingshouldbesettoeither"debugging"(7)or"informational"(6),butnolower.

Remediation

ConfigureSNMPtrapandsysloglogginglevel.

hostname(config)#loggingtrapinformational

Impact:

Loggingisanimportantprocessforanorganizationmanagingtechnologyrisk.The'loggingtrap'commandsetstheseverityofmessagesandenforcestheloggingprocess.

4.2.2.2.6Set'servicetimestampsdebugdatetime'


Device Result



Description

Configurethesystemtoapplyatimestamptodebuggingmessagesorsystemloggingmessages

Rationale

Includingtimestampsinlogmessagesallowscorrelatingeventsandtracingnetworkattacksacrossmultipledevices.Enablingservicetimestamptomarkthetimelogmessagesweregeneratedsimplifiesobtainingaholisticviewofeventsenablingfastertroubleshootingofissuesorattacks.

Remediation

Configuredebugmessagestoincludetimestamps.

hostname(config)#servicetimestampsdebugdatetime{msec}show-timezone

Impact:

Loggingisanimportantprocessforanorganizationmanagingtechnologyriskandestablishingatimelineofeventsiscritical.The'servicetimestamps'commandsetsthedateandtimeonentriessenttothelogginghostandenforcestheloggingprocess.

4.2.2.2.7Set'loggingsourceinterface'


Device Result



Description

SpecifythesourceIPv4orIPv6addressofsystemloggingpackets

Rationale

ThisisrequiredsothattheroutersendslogmessagestotheloggingserverfromaconsistentIPaddress.

Remediation

Bindloggingtotheloopbackinterface.

hostname(config)#loggingsource-interfaceloopback{loopback_interface_number}

Impact:

Loggingisanimportantprocessforanorganizationmanagingtechnologyriskandestablishingaconsistentsourceofmessagesforthelogginghostiscritical.The'loggingsourceinterfaceloopback'commandsetsaconsistentIPaddresstosendmessagestothelogginghostandenforcestheloggingprocess.

4.2.2.3NTPRules

NetworkTimeProtocolallowsadministratorstosetthesystemtimeonalloftheircompatiblesystemsfromasinglesource,ensuringaconsistenttimestampforloggingandauthenticationprotocols.NTPisaninternetstandard,definedinRFC1305.

4.2.2.3.1RequireEncryptionKeysforNTP

EncryptionkeysshouldbesetforNTPServers.

4.2.2.3.1.1Set'ntpauthenticate'


Device Result



Description

EnableNTPauthentication.

Rationale

UsingauthenticatedNTPensurestheCiscodeviceonlypermitstimeupdatesfromauthorizedNTPservers.

Remediation

ConfigureNTPauthentication:

hostname(config)#ntpauthenticate

Impact:

OrganizationsshouldestablishthreeNetworkTimeProtocol(NTP)hoststosetconsistenttimeacrosstheenterprise.Enablingthe'ntpauthenticate'commandenforcesauthenticationbetweenNTPhosts.

4.2.2.3.1.2Set'ntpauthentication-key'


Device Result



Description

DefineanauthenticationkeyforNetworkTimeProtocol(NTP).

Rationale

UsinganauthenticationkeyprovidesahigherdegreeofsecurityasonlyauthenticatedNTPserverswillbeabletoupdatetimefortheCiscodevice.

Remediation

ConfigureattheNTPkeyringandencryptionkeyusingthefollowingcommand

hostname(config)#ntpauthentication-key{ntp_key_id}md5{ntp_key}

Impact:

OrganizationsshouldestablishthreeNetworkTimeProtocol(NTP)hoststosetconsistenttimeacrosstheenterprise.Enablingthe'ntpauthentication-key'commandenforcesencryptedauthenticationbetweenNTPhosts.

4.2.2.3.1.3Setthe'ntptrusted-key'


Device Result



Description

EnsureyouauthenticatetheidentityofasystemtowhichNetworkTimeProtocol(NTP)willsynchronize

Rationale

Thisauthenticationfunctionprovidesprotectionagainstaccidentallysynchronizingthesystemtoanothersystemthatisnottrusted,becausetheothersystemmustknowthecorrectauthenticationkey.

Remediation

ConfiguretheNTPtrustedkeyusingthefollowingcommand

hostname(config)#ntptrusted-key{ntp_key_id}

Impact:

OrganizationsshouldestablishthreeNetworkTimeProtocol(NTP)hoststosetconsistenttimeacrosstheenterprise.Enablingthe'ntptrusted-key'commandenforcesencryptedauthenticationbetweenNTPhosts.

4.2.2.3.1.4Set'key'foreach'ntpserver'


Device Result



Description

SpecifiestheauthenticationkeyforNTP.

Rationale

Thisauthenticationfeatureprovidesprotectionagainstaccidentallysynchronizingthentpsystemtoanothersystemthatisnottrusted,becausetheothersystemmustknowthecorrectauthenticationkey.

Remediation

ConfigureeachNTPServertouseakeyringusingthefollowingcommand.

hostname(config)#ntpserver{ntp-server_ip_address}{keyntp_key_id}

Impact:

OrganizationsshouldestablishthreeNetworkTimeProtocol(NTP)hoststosetconsistenttimeacrosstheenterprise.Enablingthe'ntpserverkey'commandenforcesencryptedauthenticationbetweenNTPhosts.

4.2.2.3.2Set'ipaddress'for'ntpserver'


Device Result



Description

UsethiscommandifyouwanttoallowthesystemtosynchronizethesystemsoftwareclockwiththespecifiedNTPserver.

Rationale

ToensurethatthetimeonyourCiscorouterisconsistentwithotherdevicesinyournetwork,atleasttwo(andpreferablyatleastthree)NTPServer/sexternaltotheroutershouldbeconfigured.

Ensureyoualsoconfigureconsistenttimezoneanddaylightsavingstimesettingforalldevices.Forsimplicity,thedefaultofCoordinatedUniversalTime(UTC).

Remediation

ConfigureatleastoneexternalNTPServerusingthefollowingcommands

hostname(config)#ntpserver{ipaddress}

Impact:

OrganizationsshouldestablishthreeNetworkTimeProtocol(NTP)hoststosetconsistenttimeacrosstheenterprise.Enablingthe'ntpserveripaddress'enforcesencryptedauthenticationbetweenNTPhosts.

4.2.2.4LoopbackRules

Whenarouterneedstoinitiateconnectionstoremotehosts,forexampleforSYSLOGorNTP,itwillusethenearestinterfaceforthepacketssourceaddress.Thiscancauseissuesduetothepossiblevariationinsource,potentiallycausingpacketstobedeniedbyinterveningfirewallsorhandledincorrectlybythereceivinghost.TopreventtheseproblemstheroutershouldbeconfiguredwithaLoopbackinterfaceandanyservicesshouldbeboundtothisaddress.

4.2.2.4.1Createasingle'interfaceloopback'

Device Result




Description

Configureasingleloopbackinterface.

Rationale

Software-onlyloopbackinterfacethatemulatesaninterfacethatisalwaysup.Itisavirtualinterfacesupportedonallplatforms.

Alternateloopbackaddressescreateapotentialforabuse,mis-configuration,andinconsistencies.Additionalloopbackinterfacesmustbedocumentedandapprovedpriortousebylocalsecuritypersonnel.

Remediation

Defineandconfigureoneloopbackinterface.

hostname(config)#interfaceloopback<number>

hostname(config-if)#ipaddress<loopback_ip_address><loopback_subnet_mask>

Impact:

Organizationsshouldplanandestablish'loopbackinterfaces'fortheenterprisenetwork.LoopbackinterfacesenablecriticalnetworkinformationsuchasOSPFRouterIDsandprovideterminationpointsforroutingprotocolsessions.

4.2.2.4.2SetAAA'source-interface'


Device Result



Description

ForceAAAtousetheIPaddressofaspecifiedinterfaceforalloutgoingAAApackets

Rationale

ThisisrequiredsothattheAAAserver(RADIUSorTACACS+)caneasilyidentifyroutersandauthenticaterequestsbytheirIPaddress.

Remediation

BindAAAservicestotheloopbackinterface.

Hostname(config)#ip{tacacs|radius}source-interfaceloopback{loopback_interface_number)

Impact:

Organizationsshoulddesignandimplementauthentication,authorization,andaccounting(AAA)servicesforeffectivemonitoringofenterprisenetworkdevices.BindingAAAservicestothesource-interfaceloopbackenablestheseservices.

4.2.2.4.3Set'ntpsource'toLoopbackInterface


Device Result



Description

UseaparticularsourceaddressinNetworkTimeProtocol(NTP)packets.

Rationale

SetthesourceaddresstobeusedwhensendingNTPtraffic.ThismayberequirediftheNTPserversyoupeerwithfilterbasedonIPaddress.

Remediation

BindtheNTPservicetotheloopbackinterface.

hostname(config)#ntpsourceloopback{loopback_interface_number}

Impact:

Organizationsshouldplanandimplementnetworktimeprotocol(NTP)servicestoestablishofficialtimeforallenterprisenetworkdevices.Setting'ntpsourceloopback'enforcestheproperIPaddressforNTPservices.

4.2.2.4.4Set'iptftpsource-interface'totheLoopbackInterface


Device Result



Description

SpecifytheIPaddressofaninterfaceasthesourceaddressforTFTPconnections.

Rationale

ThisisrequiredsothattheTFTPserverscaneasilyidentifyroutersandauthenticaterequestsbytheirIPaddress.

Remediation

BindtheTFTPclienttotheloopbackinterface.

hostname(config)#iptftpsource-interfaceloopback{loobpback_interface_number}

Impact:

Organizationsshouldplanandimplementtrivialfiletransferprotocol(TFTP)servicesintheenterprisebysetting'tftpsource-interfaceloopback',whichenablestheTFTPserverstoidentifyroutersandauthenticaterequestsbyIPaddress.

4.2.3DataPlane

Servicesandsettingsrelatedtothedatapassingthroughtherouter(asopposedtodirecttoit).Thedataplaneisforeverythingnotincontrolormanagementplanes.Settingsonarouterconcernedwiththedataplaneincludeinterfaceaccesslists,firewallfunctionality(e.g.CBAC),NAT,andIPSec.Settingsfortraffic-affectingserviceslikeunicastRPFverificationandCAR/QoSalsofallintothisarea.

4.2.3.1RoutingRules

Unneededservicesshouldbedisabled.

4.2.3.1.1Set'noipsource-route'


Device Result



Description

DisablethehandlingofIPdatagramswithsourceroutingheaderoptions.

Rationale

SourceroutingisafeatureofIPwherebyindividualpacketscanspecifyroutes.Thisfeatureisusedinseveralkindsofattacks.Ciscoroutersnormallyacceptandprocesssourceroutes.Unlessanetworkdependsonsourcerouting,itshouldbedisabled.

Remediation

Disablesourcerouting.

hostname(config)#noipsource-route

Impact:

Organizationsshouldplanandimplementnetworkpoliciestoensureunnecessaryservicesareexplicitlydisabled.The'ipsource-route'featurehasbeenusedinseveralattacksandshouldbedisabled.

4.2.3.1.2Set'noipproxy-arp'


Device Result




Description


Rationale

AddressResolutionProtocol(ARP)providesresolutionbetweenIPandMACAddresses(orotherNetworkandLinkLayeraddressesonnoneIPnetworks)withinaLayer2network.

ProxyARPisaservicewhereadeviceconnectedtoonenetwork(inthiscasetheCiscorouter)answersARPRequestswhichareaddressedtoahostonanothernetwork,replyingwithitsownMACAddressandforwardingthetrafficontotheintendedhost.

SometimesusedforextendingbroadcastdomainsacrossWANlinks,inmostcasesProxyARPonenterprisenetworksisusedtoenablecommunicationforhostswithmis-configuredsubnetmasks,asituationwhichshouldnolongerbeacommonproblem.ProxyARPeffectivelybreakstheLANSecurityPerimeter,extendinganetworkacrossmultipleLayer2segments.UsingProxyARPcanalsoallowothersecuritycontrolssuchasPVLANtobebypassed.

Remediation


hostname(config)#interface{interface}

hostname(config-if)#noipproxy-arp

Impact:

Organizationsshouldplanandimplementnetworkpoliciestoensureunnecessaryservicesareexplicitlydisabled.The'ipproxy-arp'featureeffectivelybreakstheLANsecurityperimeterandshouldbedisabled.

4.2.3.1.3Set'nointerfacetunnel'


Device Result



Description

Verifynotunnelinterfacesaredefined.

Rationale

Tunnelinterfacesshouldnotexistingeneral.Theycanbeusedformaliciouspurposes.Iftheyarenecessary,thenetworkadmin'sshouldbewellawareofthemandtheirpurpose.

Remediation

Removeanytunnelinterfaces.

hostname(config)#nointerfacetunnel{instance}

Impact:

Organizationsshouldplanandimplemententerprisenetworksecuritypoliciesthatdisableinsecureandunnecessaryfeaturesthatincreaseattacksurfacessuchas'tunnelinterfaces'.

4.2.3.1.4Set'ipverifyunicastsourcereachable-via'


Device Result



Description

ExaminesincomingpacketstodeterminewhetherthesourceaddressisintheForwardingInformationBase(FIB)andpermitsthepacketonlyifthesourceisreachablethroughtheinterfaceonwhichthepacketwasreceived(sometimesreferredtoasstrictmode).

Rationale

EnableduRPFhelpsmitigateIPspoofingbyensuringonlypacketsourceIPaddressesonlyoriginatefromexpectedinterfaces.Configureunicastreverse-pathforwarding(uRPF)onallexternalorhighriskinterfaces.

Remediation

ConfigureuRPF.


hostname(config-if)#ipverifyunicastsourcereachable-viarx

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatprotecttheconfidentiality,integrity,andavailabilityofnetworkdevices.The'unicastReverse-PathForwarding'(uRPF)featuredynamicallyusestheroutertabletoeitheracceptordroppacketswhenarrivingonaninterface.

4.2.3.2BorderRouterFiltering

Aborder-filteringdeviceconnects"internal"networkssuchasdesktopnetworks,DMZnetworks,etc.,to"external"networkssuchastheInternet.Ifthisgroupischosen,theningressandegressfilterruleswillberequired.

4.2.3.2.1Set'ipaccess-listextended'toForbidPrivateSourceAddressesfromExternalNetworks


Device Result



Description


Rationale



Remediation

ConfigureACLforprivatesourceaddressrestrictionsfromexternalnetworks.

hostname(config)#ipaccess-listextended{name|number}

hostname(config-nacl)#denyip{internal_networks}anylog









hostname(config-nacl)#denyiphost255.255.255.255anylog

hostname(config-nacl)#permit{protocol}{source_ip}{source_mask}{destination}{destination_mask}log

hostname(config-nacl)#denyanyanylog

hostname(config)#interface

<external_interface>

hostname(config-if)#access-group<access-list>in

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatexplicitlyseparateinternalfromexternalnetworks.Adding'ipaccess-list'explicitlypermittinganddenyinginternalandexternalnetworksenforcesthesepolicies.

4.2.3.2.2Setinbound'ipaccess-group'ontheExternalInterface


Device Result



Description


Rationale

Configuringaccesscontrolscanhelppreventspoofingattacks.ToreducetheeffectivenessofIPspoofing,configureaccesscontroltodenyanytrafficfromthe

externalnetworkthathasasourceaddressthatshouldresideontheinternalnetwork.Includelocalhostaddressoranyreservedprivateaddresses(RFC1918).


Remediation

Applytheaccess-groupfortheexternal(untrusted)interface

hostname(config)#interface{external_interface}

hostname(config-if)#ipaccess-group{name|number}in

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesexplicitlypermittinganddenyingaccessbaseduponaccesslists.Usingthe'ipaccess-group'commandenforcesthesepoliciesbyexplicitlyidentifyinggroupspermittedaccess.

4.2.3.3NeighborAuthentication

Enableroutingauthentication.

4.2.3.3.1RequireEIGRPAuthenticationifProtocolisUsed

Verifyenhancedinteriorgatewayroutingprotocol(EIGRP)authenticationisenabled,ifroutingprotocolisused,wherefeasible.



Device Result



Description

Defineanauthenticationkeychaintoenableauthenticationforroutingprotocols.Akeychainmusthaveatleastonekeyandcanhaveupto2,147,483,647keys.

NOTE:OnlyDRPAgent,EIGRP,andRIPv2usekeychains.

Rationale

RoutingprotocolssuchasDRPAgent,EIGRP,andRIPv2usekeychainsforauthentication.

Remediation


hostname(config)#keychain{key-chain_name}

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'keychains'forroutingprotocolsenforcesthesepolicies.

4.2.3.3.1.2Set'key'


Device Result



Description


Rationale


Remediation



Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'keynumbers'

forkeychainsforroutingprotocolsenforcesthesepolicies.



Device Result



Description


Rationale


Remediation



Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'keystrings'forkeychainsforroutingprotocolsenforcesthesepolicies.

4.2.3.3.1.4Set'address-familyipv4autonomous-system'


Device Result



Description


Rationale

BGPisatruemulti-protocolroutingprotocolandthe'address-family'featureenablesrestrictionofexchangeswithspecificneighbors.

Remediation




Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'address-family'forEIGRPenforcesthesepoliciesbyrestrictingtheexchangesbetweenpredefinednetworkdevices.

4.2.3.3.1.5Set'af-interfacedefault'


Device Result



Description

DefinesuserdefaultstoapplytoEIGRPinterfacesthatbelongtoanaddress-family.

Rationale

PartoftheEIGRPaddress-familysetup

Remediation




hostname(config-router-af)#af-interfacedefault

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'af-interfacedefault'forEIGRPinterfacesenforcesthesepoliciesbyrestrictingtheexchangesbetweenpredefinednetworkdevices.

4.2.3.3.1.6Set'authenticationkey-chain'


Device Result



Description


Rationale


Remediation





hostname(config-router-af-interface)#authenticationkey-chain{eigrp_key-chain_name}

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Usingtheaddress-family'keychain'forEIGRPenforcesthesepoliciesbyrestrictingtheexchangesbetweenpredefinednetworkdevices.

4.2.3.3.1.7Set'authenticationmodemd5'


Device Result



Description

Configureauthenticationtopreventunapprovedsourcesfromintroducingunauthorizedorfalseservicemessages.

Rationale


Remediation

ConfiguretheEIGRPaddressfamilyauthenticationmode.




hostname(config-router-af-interface)#authenticationmodemd5

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Usingthe'authenticationmode'forEIGRPaddress-familyorservice-familypacketsenforcesthesepoliciesbyrestrictingthetypeofauthenticationbetweennetworkdevices.

4.2.3.3.1.8Set'ipauthenticationkey-chaineigrp'

Device Result




Description

SpecifythetypeofauthenticationusedinEnhancedInteriorGatewayRoutingProtocol(EIGRP)packetsperinterface.

Rationale

ConfiguringEIGRPauthenticationkey-chainnumberandnametorestrictpacketexchangesbetweennetworkdevices.

Remediation

ConfiguretheinterfacewiththeEIGRPkeychain.


hostname(config-if)#ipauthenticationkey-chaineigrp{eigrp_as-number}{eigrp_key-chain_name}

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Configuringtheinterfacewith'ipauthenticationkeychain'forEIGRPbynameandnumberenforcesthesepoliciesbyrestrictingtheexchangesbetweennetworkdevices.

4.2.3.3.1.9Set'ipauthenticationmodeeigrp'


Device Result



Description

Configureauthenticationtopreventunapprovedsourcesfromintroducingunauthorizedorfalseroutingmessages.

Rationale


Remediation

ConfiguretheinterfacewiththeEIGRPauthenticationmode.


hostname(config-if)#ipauthenticationmodeeigrp{eigrp_as-number}md5

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Configuringtheinterfacewith'ipauthenticationmode'forEIGRPbynumberandmodeenforcesthesepoliciesbyrestrictingtheexchangesbetweennetworkdevices.

4.2.3.3.2RequireOSPFAuthenticationifProtocolisUsed

Verifyopenshortestpathfirst(OSPF)authenticationisenabled,wherefeasible.

4.2.3.3.2.1Set'authenticationmessage-digest'forOSPFarea


Device Result



Description

EnableMD5authenticationforOSPF.

Rationale

ThisispartoftheOSPFauthenticationsetup.

Remediation

ConfiguretheMessageDigestoptionforOSPF.

hostname(config)#routerospf<ospf_process-id>

hostname(config-router)#area<ospf_area-id>authenticationmessage-digest

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Configuringthearea'authenticationmessage-digest'forOSPFenforcesthesepoliciesbyrestrictingexchangesbetweennetworkdevices.

4.2.3.3.2.2Set'ipospfmessage-digest-keymd5'


Device Result



Description

EnableOpenShortestPathFirst(OSPF)MessageDigest5(MD5)authentication.

Rationale

ThisispartoftheOSPFauthenticationsetup

Remediation

Configuretheappropriateinterface(s)forMessageDigestauthentication


hostname(config-if)#ipospfmessage-digest-key{ospf_md5_key-id}md5{ospf_md5_key}

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Configuringtheproperinterface(s)for'ipospfmessage-digest-keymd5'enforcesthesepoliciesbyrestrictingexchangesbetweennetworkdevices.

4.2.3.3.3RequireRIPv2AuthenticationifProtocolisUsed

RoutingInformationProtocolisadistancevectorprotocolusedforinteriorgatewayroutingonsomenetworks.

RIPisacomplexprotocol,withmanyconfigurationoptionswhichmayhaveeffectswhicharenotimmediatelyobvious.

Verifyroutinginformationprotocol(RIP)versiontwoauthenticationisenabled,ifroutingprotocolisused,wherefeasible.



Device Result



Description

DefineanauthenticationkeychaintoenableauthenticationforRIPv2routingprotocols.

Rationale

Thisispartoftheroutingauthenticationprocess.

Remediation


hostname(config)#keychain{rip_key-chain_name}

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Configuringtheproperauthentication'key-chain(name)'forRIPv2protocolsenforcesthesepoliciesbyrestrictingacceptableauthenticationbetweennetworkdevices.

4.2.3.3.3.2Set'key'


Device Result



Description


Rationale


Remediation



Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Configuringtheproperauthentication'key'forRIPv2protocolsenforcesthesepoliciesbyrestrictingacceptableauthenticationbetweennetworkdevices.



Device Result



Description


Rationale


Remediation



Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'key-string'forkeychainsforroutingprotocolsenforcesthesepolicies.

4.2.3.3.3.4Set'ipripauthenticationkey-chain'


Device Result



Description

EnableauthenticationforRoutingInformationProtocol(RIP)Version2packetsandtospecifythesetofkeysthatcanbeusedonaninterface.

Rationale


Remediation



hostname(config-if)#ipripauthenticationkey-chain{rip_key-chain_name}

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Configuringtheinterfacewith'ipripauthenticationkey-chain'bynameenforcesthesepoliciesbyrestrictingtheexchangesbetweennetworkdevices.

4.2.3.3.3.5Set'ipripauthenticationmode'to'md5'


Device Result



Description


Rationale


Remediation

ConfiguretheRIPv2authenticationmodeonthenecessaryinterface(s)

hostname(config)#interface<interface_name>

hostname(config-if)#ipripauthenticationmodemd5

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Usingthe'ipripauthenticationmodemd5'enforcesthesepoliciesbyrestrictingthetypeofauthenticationbetweennetworkdevices.

4.2.3.3.4RequireBGPAuthenticationifProtocolisUsed

BorderGatewayProtocol(BGP)isapathvectorprotocolusedforinteriorandexteriorgatewayroutingonsomenetworks.

BGPisacomplexprotocol,withmanyconfigurationoptionswhichmayhaveeffectswhicharenotimmediatelyobvious.

VerifyBorderGatewayProtocol(BGP)authenticationisenabled,ifroutingprotocolisused,wherefeasible.

4.2.3.3.4.1Set'neighborpassword'


Device Result



Description

Enablemessagedigest5(MD5)authenticationonaTCPconnectionbetweentwoBGPpeers

Rationale

EnforcingroutingauthenticationreducesthelikelihoodofroutingpoisoningandunauthorizedroutersfromjoiningBGProuting.

Remediation

ConfigureBGPneighborauthenticationwherefeasible.

hostname(config)#routerbgp<bgp_as-number>

hostname(config-router)#neighbor<bgp_neighbor-ip|peer-group-name>password<password>

Impact:

Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Usingthe'neighborpassword'forBGPenforcesthesepoliciesbyrestrictingthetypeofauthenticationbetweennetworkdevices.


4.3Conclusions

NipperStudioperformedaCISbenchmarkauditon2March2017againstthedevicesdetailedinTable263.

Table263:BenchmarkIssuesbyDevice

Device Profile Issues

router03IOS12.3 Level2 52

CiscoIOS15IOS15.0 Level2 3

ThissectioncollatestheCISruleswhicharecurrentlynotadheredto,providingaguideforplanningtheirremediation.TherulesarelistedinTable264.

Table264:FailedBenchmarkChecks

Rule Device Section

Set'aaaaccountingnetwork' router03IOS12.3 4.2.1.1.10

Set'aaaaccountingsystem' router03IOS12.3 4.2.1.1.11

Enable'aaanew-model' router03IOS12.3 4.2.1.1.1

Enable'aaaauthenticationlogin' router03IOS12.3 4.2.1.1.2

Enable'aaaauthenticationenabledefault' router03IOS12.3 4.2.1.1.3

Set'loginauthenticationfor'linecon0' router03IOS12.3 4.2.1.1.4

Set'loginauthenticationfor'linetty' router03IOS12.3 4.2.1.1.5

Set'loginauthenticationfor'linevty' router03IOS12.3 4.2.1.1.6

Set'aaaaccounting'tologallprivilegedusecommandsusing'commands15' router03IOS12.3 4.2.1.1.7

Set'aaaaccountingconnection' router03IOS12.3 4.2.1.1.8

Set'aaaaccountingexec' router03IOS12.3 4.2.1.1.9

Set'privilege1'forlocalusers router03IOS12.3 4.2.1.2.1

Set'transportinputssh'for'linevty'connections CiscoIOS15IOS15.0 4.2.1.2.2

Set'noexec'for'lineaux0' router03IOS12.3 4.2.1.2.3

Setthe'banner-text'for'bannerexec' router03IOS12.3 4.2.1.3.1

Setthe'banner-text'for'bannermotd' router03IOS12.3 4.2.1.3.3

Set'password'for'enablesecret' router03IOS12.3 4.2.1.4.1

Enable'servicepassword-encryption' router03IOS12.3 4.2.1.4.2

Set'usernamesecret'foralllocalusers router03IOS12.3

CiscoIOS15IOS15.0

4.2.1.4.3

Donotset'RW'forany'snmp-servercommunity' router03IOS12.3 4.2.1.5.4

SettheACLforeach'snmp-servercommunity' router03IOS12.3 4.2.1.5.5

Set'snmp-serverenabletrapssnmp' router03IOS12.3 4.2.1.5.8

Setthe'ipdomainname' router03IOS12.3 4.2.2.1.1.1.2

Setversion2for'ipsshversion' router03IOS12.3 4.2.2.1.1.2

Set'noipbootpserver' router03IOS12.3 4.2.2.1.3

Set'noservicedhcp' router03IOS12.3 4.2.2.1.4

Set'servicetcp-keepalives-in' router03IOS12.3 4.2.2.1.6

Set'noservicepad' router03IOS12.3 4.2.2.1.8

Set'loggingon' CiscoIOS15IOS15.0 4.2.2.2.1

Set'buffersize'for'loggingbuffered' router03IOS12.3 4.2.2.2.2

Set'loggingconsolecritical' router03IOS12.3 4.2.2.2.3

SetIPaddressfor'logginghost' router03IOS12.3 4.2.2.2.4

Set'servicetimestampsdebugdatetime' router03IOS12.3 4.2.2.2.6

Set'loggingsourceinterface' router03IOS12.3 4.2.2.2.7

Set'ntpauthenticate' router03IOS12.3 4.2.2.3.1.1

Set'ntpauthentication-key' router03IOS12.3 4.2.2.3.1.2

Setthe'ntptrusted-key' router03IOS12.3 4.2.2.3.1.3

Set'key'foreach'ntpserver' router03IOS12.3 4.2.2.3.1.4

SetAAA'source-interface' router03IOS12.3 4.2.2.4.2

Set'ntpsource'toLoopbackInterface router03IOS12.3 4.2.2.4.3

Set'iptftpsource-interface'totheLoopbackInterface router03IOS12.3 4.2.2.4.4

Set'noipsource-route' router03IOS12.3 4.2.3.1.1

Set'noipproxy-arp' router03IOS12.3 4.2.3.1.2

Set'ipverifyunicastsourcereachable-via' router03IOS12.3 4.2.3.1.4

Set'address-familyipv4autonomous-system' router03IOS12.3 4.2.3.3.1.4

Set'af-interfacedefault' router03IOS12.3 4.2.3.3.1.5

Set'authenticationkey-chain' router03IOS12.3 4.2.3.3.1.6

Set'authenticationmodemd5' router03IOS12.3 4.2.3.3.1.7

Set'ipauthenticationkey-chaineigrp' router03IOS12.3 4.2.3.3.1.8

Set'ipauthenticationmodeeigrp' router03IOS12.3 4.2.3.3.1.9

Set'authenticationmessage-digest'forOSPFarea router03IOS12.3 4.2.3.3.2.1

Set'ipospfmessage-digest-keymd5' router03IOS12.3 4.2.3.3.2.2

Set'ipripauthenticationmode'to'md5' router03IOS12.3 4.2.3.3.3.5

Set'neighborpassword' router03IOS12.3 4.2.3.3.4.1


5DISASTIGCompliance5.1Introduction

NipperStudioperformedaDepartmentofDefence(DoD)STIGcomplianceauditon2March2017ofthedevicesandSTIGsdetailedinTable265.

Table265:STIGdeviceauditchecklists

Device STIG Profile Version

router03 InfrastructureL3SwitchSecureTechnicalImplementationGuide-Cisco I-MissionCriticalPublic 8R21(28/10/2016)

CiscoIOS15 InfrastructureRouterSecurityTechnicalImplementationGuideCisco I-MissionCriticalPublic 8R21(28/10/2016)

VulnerabilitySeverityCodeDefinition

Table266providesthevulnerabilityseveritycodesanditsdefinitions.

CAT DISA/DIACAPCategoryCodeGuidelines

Examples

I Anyvulnerability,theexploitationofwhichwill,directlyandimmediately

resultinlossofConfidentiality,Availability,orIntegrity.AnATOwillnotbe

grantedwhileCATIweaknessesarepresent.

Note:Theexploitationofvulnerabilitiesmustbeevaluatedatthelevelof

thesystemorcomponentbeingreviewed.Aworkstationforexample,isa

standalonedeviceforsomepurposesandpartofalargersystemfor

others.Riskstothedevicearefirstconsidered,thenriskstothedevicein

itsenvironment,thenriskspresentedbythedevicetotheenvironment.All

riskfactorsmustbeconsideredwhendevelopingmitigationstrategiesat

thedeviceandsystemlevel.

IncludesBUTNOTLIMITEDtothefollowingexamplesofdirectandimmediateloss:

1.Mayresultinlossoflife,lossoffacilities,orequipment,whichwouldresultinmission

failure.

2.Allowsunauthorizedaccesstosecurityoradministratorlevelresourcesorprivileges.

3.Allowsunauthorizeddisclosureof,oraccessto,classifieddataormaterials.

4.Allowsunauthorizedaccesstoclassifiedfacilities.

5.Allowsdenialofserviceordenialofaccess,whichwillresultinmissionfailure.

6.Preventsauditingormonitoringofcyberorphysicalenvironments.

7.Operationofasystem/capabilitywhichhasnotbeenapprovedbytheappropriateDAA.

8.UnsupportedsoftwarewherethereisnodocumentedacceptanceofDAArisk.

II Anyvulnerability,theexploitationofwhichhasapotentialtoresultinloss

ofConfidentiality,Availability,orIntegrity.CATIIfindingsthathavebeen

satisfactorilymitigatedwillnotpreventanATOfrombeinggranted.








IncludesBUTNOTLIMITEDtothefollowingexamplesthathaveapotentialtoresultinloss:

1.AllowsaccesstoinformationthatcouldleadtoaCATIvulnerability.

2.Couldresultinpersonalinjury,damagetofacilities,orequipmentwhichwoulddegrade

themission.

3.Allowsunauthorizedaccesstouserorapplicationlevelsystemresources.

4.Couldresultinthelossorcompromiseofsensitiveinformation.

5.AllowsunauthorizedaccesstoGovernmentorContractorownedorleasedfacilities.

6.Mayresultinthedisruptionofsystemornetworkresourcesthatdegradestheabilityto

performthemission.

7.Preventsatimelyrecoveryfromanattackorsystemoutage.

8.Providesunauthorizeddisclosureoforaccesstounclassifiedsensitive,PII,orotherdata

ormaterials.

III Anyvulnerability,theexistenceofwhichdegradesmeasurestoprotect

againstlossofConfidentiality,Availability,orIntegrity.

AssignedfindingsthatmayimpactIAposturebutarenotrequiredtobe

mitigatedorcorrectedinorderforanATOtobegranted.








IncludesBUTNOTLIMITEDtothefollowingexamplesthatprovideinformationwhichcould

potentiallyresultindegradationofsysteminformationassurancemeasuresorlossofdata:

1.AllowsaccesstoinformationthatcouldleadtoaCATIIvulnerability.

2.Hasthepotentialtoaffecttheaccuracyorreliabilityofdatapertainingtopersonnel,

resources,operations,orothersensitiveinformation.

3.Allowstherunningofanyapplications,servicesorprotocolsthatdonotsupportmission

functions.

4.Degradesadefenseindepthsystemssecurityarchitecture.

5.Degradesthetimelyrecoveryfromanattackorsystemoutage.

Table266:VulnerabilitySeverityCodeDefinitions

6.Indicatesinadequatesecurityadministration.

7.SystemnotdocumentedinthesitesC&APackage/SSP.

8.LackofdocumentretentionbytheInformationAssuranceManagerIAM(i.e.,completed

useragreementforms).

Disclaimer

ThefollowingcomplianceauditisdesignedtoaddspeedandconveniencetoamanualSTIGassessment.TomaintainvaliditywealwaysrecommendthatyouusethelatestreleaseoftheDISASTIG.Anyautomatedcompliancereportingshouldbecombinedwithcarefulanalysisandadditionalmanualchecksmayberequired.


5.2router03InfrastructureL3SwitchSecureTechnicalImplementationGuide-CiscoSummary

Table267providesasummaryofthe"InfrastructureL3SwitchSecureTechnicalImplementationGuide-Cisco"version8release21(28/10/2016)complianceauditas"I-MissionCriticalPublic"againsttheCiscoRouterdevicerouter03.Amoredetailedanalysisofeachrequirementandthefindingsfollowsthissummary.

Group STIG Title Responsibility IAControls Severity State

V-3971 NET-VLAN-004 VLAN1isbeingusedasauserVLAN. InformationAssurance

Officer

CATII

V-3972 NET-VLAN-005 VLAN1traffictraversesacrossunnecessarytrunk InformationAssurance

Officer

CATIII

V-3973 NET-VLAN-002 DisabledportsarenotkeptinanunusedVLAN. InformationAssurance

Officer

CATIII

V-3984 NET-VLAN-009 AccessswitchportsareassignedtothenativeVLAN InformationAssurance

Officer

CATII

V-5622 NET-VLAN-008 AdedicatedVLANisrequiredforalltrunkports. InformationAssurance

Officer

CATII

V-5623 NET-VLAN-007 Ensuretrunkingisdisabledonallaccessports. InformationAssurance

Officer

CATII

V-5624 NET-NAC-012 Re-authenticationmustoccurevery60minutes. CATII

V-5626 NET-NAC-009 NET-NAC-009 InformationAssurance

Officer

CATI

V-5628 NET-VLAN-006 TheVLAN1isbeingusedformanagementtraffic. InformationAssurance

Officer

CATII

V-

17815

NET0985 IGPinstancesdonotpeerwithappropriatedomain SystemAdministrator CATII

V-

17816

NET0986 RoutesfromthetwoIGPdomainsareredistributed SystemAdministrator ECSC-1 CATII

V-

17824

NET0994 ManagementinterfaceisassignedtoauserVLAN. SystemAdministrator CATII

V-

17825

NET0995 ManagementVLANhasinvalidaddresses SystemAdministrator CATIII

V-

17826

NET0996 InvalidportswithmembershiptothemgmtVLAN SystemAdministrator CATII

V-

17827

NET0997 ThemanagementVLANisnotprunedfromtrunklinks SystemAdministrator CATIII

V-

17832

NET1003 MgmtVLANdoesnothavecorrectIPaddress SystemAdministrator CATII

V-

17833

NET1004 NoingressACLonmanagementVLANinterface CATII

V-

18523

NET-SRVFRM-

004

ACLsdonotprotectagainstcompromisedservers InformationAssurance

Officer

CATII

V-

18544

NET-VLAN-023 RestrictedVLANnotassignedtonon-802.1xdevice. InformationAssurance

Officer

DCSP-1 CATIII

V-

18545

NET-VLAN-024 Upstreamaccessnotrestrictedfornon-802.1xVLAN InformationAssurance

Officer

CATII

V-

18566

NET-NAC-031 NET-NAC-031 InformationAssurance

Officer

DCSP-1 CATII

V-3000 NET1020 InterfaceACLdenystatementsarenotlogged. InformationAssurance

Officer

ECAT-1,ECAT-2,ECSC-

1

CATIII

V-3008 NET1800 IPSecVPNisnotconfiguredasatunneltypeVPN. InformationAssurance

Officer

CATII

V-3012 NET0230 Networkelementisnotpasswordprotected. InformationAssurance CATI

Officer

V-3013 NET0340 Loginbannerisnon-existentornotDOD-approved. InformationAssurance

Officer

CATII

V-3014 NET1639 Managementconnectiondoesnottimeout. InformationAssurance

Officer

CATII

V-3020 NET0820 DNSserversmustbedefinedforclientresolver. InformationAssurance

Officer

CATIII

V-3021 NET0890 SNMPaccessisnotrestrictedbyIPaddress. InformationAssurance

Officer

CATII

V-3034 NET0400 Interiorroutingprotocolsarenotauthenticated. InformationAssurance

Officer

CATII

V-3043 NET1675 SNMPprivilegedandnon-privilegedaccess. InformationAssurance

Officer

CATII

V-3056 NET0460 Groupaccountsaredefined. InformationAssurance

Officer

CATI

V-3057 NET0465 Accountsassignedleastprivilegesnecessarytoperformduties. InformationAssurance

Officer

ECSC-1 CATII

V-3058 NET0470 Unauthorizedaccountsareconfiguredtoaccessdevice. InformationAssurance

Officer

CATII

V-3062 NET0600 Passwordsareviewablewhendisplayingtheconfig. InformationAssurance

Officer

ECSC-1 CATI

V-3069 NET1638 ManagementconnectionsmustbesecuredbyFIPS140-2. InformationAssurance

Officer

DCNR-1,ECSC-1 CATII

V-3070 NET1640 Managementconnectionsmustbelogged. InformationAssurance

Officer

CATIII

V-3072 NET1030 Runningandstartupconfigurationsarenotsynchronized. InformationAssurance

Officer

CATIII

V-3078 NET0720 TCPandUDPsmallserverservicesarenotdisabled. InformationAssurance

Officer

CATIII

V-3079 NET0730 Thefingerserviceisnotdisabled. InformationAssurance

Officer

CATIII

V-3080 NET0760 Configurationauto-loadingmustbedisabled. InformationAssurance

Officer

CATII

V-3081 NET0770 IPSourceRoutingisnotdisabledonallrouters. InformationAssurance

Officer

CATII

V-3083 NET0790 IPdirectedbroadcastisnotdisabled. InformationAssurance

Officer

ECSC-1 CATIII

V-3085 NET0740 HTTPserverisnotdisabled InformationAssurance

Officer

CATII

V-3086 NET0750 TheBootpserviceisnotdisabled. InformationAssurance

Officer

CATIII

V-3143 NET0240 Devicesexistwithstandarddefaultpasswords. InformationAssurance

Officer

CATI

V-3160 NET0700 Operatingsystemisnotatacurrentreleaselevel. InformationAssurance

Officer

CATII

V-3175 NET1636 Managementconnectionsmustrequirepasswords. InformationAssurance

Officer

ECSC-1 CATI

V-3196 NET1660 AninsecureversionofSNMPisbeingused. InformationAssurance

Officer

CATI

V-3210 NET1665 UsingdefaultSNMPcommunitynames. InformationAssurance

Officer

CATI

V-3966 NET0440 Morethanonelocalaccountisdefined. CATII

V-3967 NET1624 Theconsoleportdoesnottimeoutafter10minutes. InformationAssurance

Officer

CATII

V-3969 NET0894 NetworkelementmustonlyallowSNMPreadaccess. InformationAssurance

Officer

ECSC-1 CATII

V-4582 NET1623 Authenticationrequiredforconsoleaccess. InformationAssurance

Officer

IAIA-1,IAIA-2 CATI

V-4584 NET1021 Thenetworkelementmustlogallmessagesexceptdebugging. InformationAssurance

Officer

CATIII

V-5611 NET1637 Managementconnectionsarenotrestricted. CATII

V-5612 NET1645 SSHsessiontimeoutisnot60secondsorless. InformationAssurance

Officer

CATII

V-5613 NET1646 SSHloginattemptsvalueisgreaterthan3. InformationAssurance

Officer

CATII

V-5614 NET0722 ThePADserviceisenabled. InformationAssurance

Officer

CATIII

V-5615 NET0724 TCPKeep-Alivesmustbeenabled. InformationAssurance

Officer

CATIII

V-5616 NET0726 Identificationsupportisenabled. InformationAssurance

Officer

CATIII

V-5618 NET0781 GratuitousARPmustbedisabled. InformationAssurance

Officer

CATII

V-5645 NET0949 CiscoExpressForwarding(CEF)notenabledonsupporteddevices. InformationAssurance

Officer

ECSC-1 CATII

V-5646 NET0965 Devicesnotconfiguredtofilteranddrophalf-openconnections. InformationAssurance

Officer

ECSC-1 CATII

V-7009 NET0425 AnInfiniteLifetimekeyhasnotbeenimplemented InformationAssurance

Officer

ECSC-1 CATI

V-7011 NET1629 Theauxiliaryportisnotdisabled. InformationAssurance

Officer

CATIII

V-

14667

NET0422 Keyexpirationexceeds180days. InformationAssurance

Officer

CATIII

V-

14669

NET0744 BSDrcommandsarenotdisabled. InformationAssurance

Officer

CATII

V-

14671

NET0813 NTPmessagesarenotauthenticated. CATII

V-

14672

NET0897 AuthenticationtrafficdoesnotuseloopbackaddressorOOBManagement

interface.

InformationAssurance

Officer

CATIII

V-

14673

NET0898 SyslogtrafficisnotusingloopbackaddressorOOBmanagementinterface. InformationAssurance

Officer

CATIII

V-

14674

NET0899 NTPtrafficisnotusingloopbackaddressorOOBManagementinterface. InformationAssurance

Officer

CATIII

V-

14675

NET0900 SNMPtrafficdoesnotuseloopbackaddressorOOBManagementinterface. InformationAssurance

Officer

CATIII

V-

14676

NET0901 Netflowtrafficisnotusingloopbackaddress. InformationAssurance

Officer

CATIII

V-

14677

NET0902 FTP/TFTPtrafficdoesnotuseloopbackaddressorOOBManagementinterface. InformationAssurance

Officer

ECSC-1 CATIII

V-

14681

NET0903 LoopbackaddressisnotusedastheiBGPsourceIP. InformationAssurance

Officer

CATIII

V-

14693

NET-IPV6-025 IPv6SiteLocalUnicastADDRmustnotbedefined InformationAssurance

Officer

ECSC-1 CATII

V-

14705

NET-IPV6-033 IPv6routersarenotconfiguredwithCEFenabled InformationAssurance

Officer

ECSC-1 CATII

V-

14707

NET-IPV6-034 IPv6EgressOutboundSpoofingFilter InformationAssurance

Officer

CATII

V-

14717

NET1647 ThenetworkelementmustnotallowSSHVersion1. InformationAssurance

Officer

CATII

V-

15288

NET-TUNL-017 ISATAPtunnelsmustterminateatinteriorrouter. InformationAssurance

Officer

ECSC-1 CATII

V-

15432

NET0433 ThedeviceisnotauthenticatedusingaAAAserver. InformationAssurance

Officer

CATII

V-

15434

NET0441 Emergencyadministrationaccountprivilegelevelisnotset. InformationAssurance

Officer

CATI

V-

17754

NET1807 Managementtrafficisnotrestricted InformationAssurance

Officer

CATII

V-

17814

NET1808 RemoteVPNend-pointnotamirroroflocalgateway SystemAdministrator CATII

V-

17817

NET0987 ManagednetworkhasaccesstoOOBMgatewayrouter SystemAdministrator CATII

V-

17818

NET0988 Trafficfromthemanagednetworkwillleak SystemAdministrator CATII

V-

17819

NET0989 Managementtrafficleaksintothemanagednetwork SystemAdministrator CATII

V-

17821

NET0991 TheOOBMinterfacenotconfiguredcorrectly. SystemAdministrator CATII

V-

17822

NET0992 ThemanagementinterfacedoesnothaveanACL. SystemAdministrator CATII

V-

17823

NET0993 ThemanagementinterfaceisnotIGPpassive. SystemAdministrator CATIII

V-

17834

NET1005 NoinboundACLformgmtnetworksub-interface SystemAdministrator CATII

V- NET1006 IPSectrafficisnotrestricted SystemAdministrator CATII

Table267:router03InfrastructureL3SwitchSecureTechnicalImplementationGuide-Ciscosummary

17835

V-

17836

NET1007 Managementtrafficisnotclassifiedandmarked SystemAdministrator CATIII

V-

17837

NET1008 Managementtrafficdoesn'tgetpreferredtreatment SystemAdministrator CATIII

V-

18522

NET-SRVFRM-

003

ACLsmustrestrictaccesstoserverVLANs. InformationAssurance

Officer

ECSC-1 CATII

V-

18790

NET-TUNL-012 NET-TUNL-012 InformationAssurance

Officer

ECSC-1 CATII

V-

19188

NET0966 Controlplaneprotectionisnotenabled. SystemAdministrator CATII

V-

19189

NET-MCAST-010 NoAdmin-localorSite-localboundary SystemAdministrator CATIII

V-

23747

NET0812 TwoNTPserversarenotusedtosynchronizetime. InformationAssurance

Officer

CATIII

V-

28784

NET0405 Callhomeserviceisdisabled. InformationAssurance

Officer

CATII

V-

30577

NET-MCAST-001 PIMenabledonwronginterfaces SystemAdministrator CATII

V-

30578

NET-MCAST-002 PIMneighborfilterisnotconfigured InformationAssurance

Officer

CATII

V-

30585

NET-MCAST-020 Invalidgroupusedforsourcespecificmulticast InformationAssurance

Officer

CATIII

V-

30617

NET-IPV6-059 Maximumhoplimitislessthan32 InformationAssurance

Officer

CATIII

V-

30660

NET-IPV6-065 The6-to-4routerisnotfilteringprotocol41 InformationAssurance

Officer

CATII

V-

30736

NET-IPV6-066 6-to-4routernotfilteringinvalidsourceaddress InformationAssurance

Officer

CATIII

V-

30744

NET-TUNL-034 L2TPv3sessionsarenotauthenticated InformationAssurance

Officer

CATII

V-

31285

NET0408 BGPmustauthenticateallpeers. ECSC-1 CATII


5.3CiscoIOS15InfrastructureRouterSecurityTechnicalImplementationGuideCiscoSummary

Table268providesasummaryofthe"InfrastructureRouterSecurityTechnicalImplementationGuideCisco"version8release21(28/10/2016)complianceauditas"I-MissionCriticalPublic"againsttheCiscoRouterdeviceCiscoIOS15.Amoredetailedanalysisofeachrequirementandthefindingsfollowsthissummary.

Group STIG Title Responsibility IAControls Severity State

V-3000 NET1020 InterfaceACLdenystatementsarenotlogged. InformationAssurance

Officer

ECAT-1,ECAT-2,ECSC-

1

CATIII

V-3008 NET1800 IPSecVPNisnotconfiguredasatunneltypeVPN. InformationAssurance

Officer

CATII

V-3012 NET0230 Networkelementisnotpasswordprotected. InformationAssurance

Officer

CATI

V-3013 NET0340 Loginbannerisnon-existentornotDOD-approved. InformationAssurance

Officer

CATII

V-3014 NET1639 Managementconnectiondoesnottimeout. InformationAssurance

Officer

CATII

V-3020 NET0820 DNSserversmustbedefinedforclientresolver. InformationAssurance

Officer

CATIII

V-3021 NET0890 SNMPaccessisnotrestrictedbyIPaddress. InformationAssurance

Officer

CATII

V-3034 NET0400 Interiorroutingprotocolsarenotauthenticated. InformationAssurance

Officer

CATII

V-3043 NET1675 SNMPprivilegedandnon-privilegedaccess. InformationAssurance

Officer

CATII

V-3056 NET0460 Groupaccountsaredefined. InformationAssurance

Officer

CATI

V-3057 NET0465 Accountsassignedleastprivilegesnecessarytoperformduties. InformationAssurance

Officer

ECSC-1 CATII

V-3058 NET0470 Unauthorizedaccountsareconfiguredtoaccessdevice. InformationAssurance CATII

Officer

V-3062 NET0600 Passwordsareviewablewhendisplayingtheconfig. InformationAssurance

Officer

ECSC-1 CATI

V-3069 NET1638 ManagementconnectionsmustbesecuredbyFIPS140-2. InformationAssurance

Officer

DCNR-1,ECSC-1 CATII

V-3070 NET1640 Managementconnectionsmustbelogged. InformationAssurance

Officer

CATIII

V-3072 NET1030 Runningandstartupconfigurationsarenotsynchronized. InformationAssurance

Officer

CATIII

V-3078 NET0720 TCPandUDPsmallserverservicesarenotdisabled. InformationAssurance

Officer

CATIII

V-3079 NET0730 Thefingerserviceisnotdisabled. InformationAssurance

Officer

CATIII

V-3080 NET0760 Configurationauto-loadingmustbedisabled. InformationAssurance

Officer

CATII

V-3081 NET0770 IPSourceRoutingisnotdisabledonallrouters. InformationAssurance

Officer

CATII

V-3083 NET0790 IPdirectedbroadcastisnotdisabled. InformationAssurance

Officer

ECSC-1 CATIII

V-3085 NET0740 HTTPserverisnotdisabled InformationAssurance

Officer

CATII

V-3086 NET0750 TheBootpserviceisnotdisabled. InformationAssurance

Officer

CATIII

V-3143 NET0240 Devicesexistwithstandarddefaultpasswords. InformationAssurance

Officer

CATI

V-3160 NET0700 Operatingsystemisnotatacurrentreleaselevel. InformationAssurance

Officer

CATII

V-3175 NET1636 Managementconnectionsmustrequirepasswords. InformationAssurance

Officer

ECSC-1 CATI

V-3196 NET1660 AninsecureversionofSNMPisbeingused. InformationAssurance

Officer

CATI

V-3210 NET1665 UsingdefaultSNMPcommunitynames. InformationAssurance

Officer

CATI

V-3966 NET0440 Morethanonelocalaccountisdefined. CATII

V-3967 NET1624 Theconsoleportdoesnottimeoutafter10minutes. InformationAssurance

Officer

CATII

V-3969 NET0894 NetworkelementmustonlyallowSNMPreadaccess. InformationAssurance

Officer

ECSC-1 CATII

V-4582 NET1623 Authenticationrequiredforconsoleaccess. InformationAssurance

Officer

IAIA-1,IAIA-2 CATI

V-4584 NET1021 Thenetworkelementmustlogallmessagesexceptdebugging. InformationAssurance

Officer

CATIII

V-5611 NET1637 Managementconnectionsarenotrestricted. CATII

V-5612 NET1645 SSHsessiontimeoutisnot60secondsorless. InformationAssurance

Officer

CATII

V-5613 NET1646 SSHloginattemptsvalueisgreaterthan3. InformationAssurance

Officer

CATII

V-5614 NET0722 ThePADserviceisenabled. InformationAssurance

Officer

CATIII

V-5615 NET0724 TCPKeep-Alivesmustbeenabled. InformationAssurance

Officer

CATIII

V-5616 NET0726 Identificationsupportisenabled. InformationAssurance

Officer

CATIII

V-5618 NET0781 GratuitousARPmustbedisabled. InformationAssurance

Officer

CATII

V-5645 NET0949 CiscoExpressForwarding(CEF)notenabledonsupporteddevices. InformationAssurance

Officer

ECSC-1 CATII

V-5646 NET0965 Devicesnotconfiguredtofilteranddrophalf-openconnections. InformationAssurance

Officer

ECSC-1 CATII

V-7009 NET0425 AnInfiniteLifetimekeyhasnotbeenimplemented InformationAssurance

Officer

ECSC-1 CATI

V-7011 NET1629 Theauxiliaryportisnotdisabled. InformationAssurance

Officer

CATIII

V-

14667

NET0422 Keyexpirationexceeds180days. InformationAssurance

Officer

CATIII

V- NET0744 BSDrcommandsarenotdisabled. InformationAssurance CATII

14669 Officer

V-

14671

NET0813 NTPmessagesarenotauthenticated. CATII

V-

14672

NET0897 AuthenticationtrafficdoesnotuseloopbackaddressorOOBManagement

interface.

InformationAssurance

Officer

CATIII

V-

14673

NET0898 SyslogtrafficisnotusingloopbackaddressorOOBmanagementinterface. InformationAssurance

Officer

CATIII

V-

14674

NET0899 NTPtrafficisnotusingloopbackaddressorOOBManagementinterface. InformationAssurance

Officer

CATIII

V-

14675

NET0900 SNMPtrafficdoesnotuseloopbackaddressorOOBManagementinterface. InformationAssurance

Officer

CATIII

V-

14676

NET0901 Netflowtrafficisnotusingloopbackaddress. InformationAssurance

Officer

CATIII

V-

14677

NET0902 FTP/TFTPtrafficdoesnotuseloopbackaddressorOOBManagementinterface. InformationAssurance

Officer

ECSC-1 CATIII

V-

14681

NET0903 LoopbackaddressisnotusedastheiBGPsourceIP. InformationAssurance

Officer

CATIII

V-

14693

NET-IPV6-025 IPv6SiteLocalUnicastADDRmustnotbedefined InformationAssurance

Officer

ECSC-1 CATII

V-

14705

NET-IPV6-033 IPv6routersarenotconfiguredwithCEFenabled InformationAssurance

Officer

ECSC-1 CATII

V-

14707

NET-IPV6-034 IPv6EgressOutboundSpoofingFilter InformationAssurance

Officer

CATII

V-

14717

NET1647 ThenetworkelementmustnotallowSSHVersion1. InformationAssurance

Officer

CATII

V-

15288

NET-TUNL-017 ISATAPtunnelsmustterminateatinteriorrouter. InformationAssurance

Officer

ECSC-1 CATII

V-

15432

NET0433 ThedeviceisnotauthenticatedusingaAAAserver. InformationAssurance

Officer

CATII

V-

15434

NET0441 Emergencyadministrationaccountprivilegelevelisnotset. InformationAssurance

Officer

CATI

V-

17754

NET1807 Managementtrafficisnotrestricted InformationAssurance

Officer

CATII

V-

17814

NET1808 RemoteVPNend-pointnotamirroroflocalgateway SystemAdministrator CATII

V-

17815

NET0985 IGPinstancesdonotpeerwithappropriatedomain SystemAdministrator ECSC-1 CATII

V-

17816

NET0986 RoutesfromthetwoIGPdomainsareredistributed SystemAdministrator CATII

V-

17817

NET0987 ManagednetworkhasaccesstoOOBMgatewayrouter SystemAdministrator CATII

V-

17818

NET0988 Trafficfromthemanagednetworkwillleak SystemAdministrator CATII

V-

17819

NET0989 Managementtrafficleaksintothemanagednetwork SystemAdministrator CATII

V-

17821

NET0991 TheOOBMinterfacenotconfiguredcorrectly. SystemAdministrator CATII

V-

17822

NET0992 ThemanagementinterfacedoesnothaveanACL. SystemAdministrator CATII

V-

17823

NET0993 ThemanagementinterfaceisnotIGPpassive. SystemAdministrator CATIII

V-

17834

NET1005 NoinboundACLformgmtnetworksub-interface SystemAdministrator CATII

V-

17835

NET1006 IPSectrafficisnotrestricted SystemAdministrator CATII

V-

17836

NET1007 Managementtrafficisnotclassifiedandmarked SystemAdministrator CATIII

V-

17837

NET1008 Managementtrafficdoesn'tgetpreferredtreatment SystemAdministrator CATIII

V-

18522

NET-SRVFRM-

003

ACLsmustrestrictaccesstoserverVLANs. InformationAssurance

Officer

ECSC-1 CATII

V-

18790

NET-TUNL-012 NET-TUNL-012 InformationAssurance

Officer

ECSC-1 CATII

V-

19188

NET0966 Controlplaneprotectionisnotenabled. SystemAdministrator CATII

V-

19189

NET-MCAST-010 NoAdmin-localorSite-localboundary SystemAdministrator CATIII

V- NET0812 TwoNTPserversarenotusedtosynchronizetime. InformationAssurance CATIII

Severity:CATII

RuleID:SV-3971r2_rule

STIGID:NET-VLAN-004

Controls:

Responsibility:InformationAssuranceOfficer

Table268:CiscoIOS15InfrastructureRouterSecurityTechnicalImplementationGuideCiscosummary

23747 Officer

V-

28784

NET0405 Callhomeserviceisdisabled. InformationAssurance

Officer

CATII

V-

30577

NET-MCAST-001 PIMenabledonwronginterfaces SystemAdministrator CATII

V-

30578

NET-MCAST-002 PIMneighborfilterisnotconfigured InformationAssurance

Officer

CATII

V-

30585

NET-MCAST-020 Invalidgroupusedforsourcespecificmulticast InformationAssurance

Officer

CATIII

V-

30617

NET-IPV6-059 Maximumhoplimitislessthan32 InformationAssurance

Officer

CATIII

V-

30660

NET-IPV6-065 The6-to-4routerisnotfilteringprotocol41 InformationAssurance

Officer

CATII

V-

30736

NET-IPV6-066 6-to-4routernotfilteringinvalidsourceaddress InformationAssurance

Officer

CATIII

V-

30744

NET-TUNL-034 L2TPv3sessionsarenotauthenticated InformationAssurance

Officer

CATII

V-

31285

NET0408 BGPmustauthenticateallpeers. ECSC-1 CATII


5.4V-3971-VLAN1isbeingusedasauserVLAN.

5.4.1Summary

VLAN1mustnotbeusedforuserVLANs.Table269providesasummaryresultofthefindings.

Table269:VLAN1isbeingusedasauserVLAN.-Summaryresult

Device Type Status


5.4.2Description

InaVLAN-basednetwork,switchesuseVLAN1asthedefaultVLANforin-bandmanagementandtocommunicatewithothernetworkingdevicesusingSpanning-TreeProtocol(STP),CiscoDiscoveryProtocol(CDP),DynamicTrunkingProtocol(DTP),VLANTrunkingProtocol(VTP),andPortAggregationProtocol(PAgP)--alluntaggedtraffic.Asaconsequence,VLAN1mayunwiselyspantheentirenetworkifnotappropriatelypruned.Ifitsscopeislargeenough,theriskofcompromisecanincreasesignificantly.

5.4.3Findings

router03

VLANmembershipofnon-trunkinginterfacesonrouter03isdetailedinTable270.

Table270:VLANmembershipofnon-trunkinginterfaces

Interface Active VLAN Trunk TrunkVLAN Description

NoInformation

5.4.4Check

ReviewthedeviceconfigurationandverifythataccessportshavenotbeenassignedmembershiptotheVLAN1.IfanyaccessportsarefoundinVLAN1,thisisafinding.

5.4.5Fix

BestpracticesforVLAN-basednetworksistopruneunnecessaryportsfromgainingaccesstoVLAN1aswellasthemanagementVLAN,andtoseparatein-bandmanagement,deviceprotocol,anddatatraffic.


Severity:CATIII


STIGID:NET-VLAN-005

Controls:


Severity:CATIII


STIGID:NET-VLAN-002

Controls:


Severity:CATII

5.5V-3972-VLAN1traffictraversesacrossunnecessarytrunk

5.5.1Summary

VLAN1mustbeprunedfromalltrunkandaccessportsthatdonotrequireit.Table271providesasummaryresultofthefindings.

Table271:VLAN1traffictraversesacrossunnecessarytrunk-Summaryresult

Device Type Status


5.5.2Description

VLAN1isaspecialVLANthattagsandhandlesmostofthecontrolplanetrafficsuchasSpanning-TreeProtocol(STP),CiscoDiscoveryProtocol(CDP),DynamicTrunkingProtocol(DTP),VLANTrunkingProtocol(VTP),andPortAggregationProtocol(PAgP)allVLAN1taggedtraffic.VLAN1isenabledonalltrunksandportsbydefault.Withlargercampusnetworks,careneedstobetakenaboutthediameteroftheVLAN1STPdomain;instabilityinonepartofthenetworkcouldaffectVLAN1,therebyinfluencingcontrol-planestabilityandthereforeSTPstabilityforallotherVLANs.

5.5.3Check

ReviewthedeviceconfigurationtodetermineifVLAN1isprunedfromalltrunkandaccessswitchports.IfVLAN1isnotprunedfromtrunkoraccessswitchportswhereit'snotrequired,thisisafinding.

5.5.4Fix

BestpracticeforVLAN-basednetworksistopruneunnecessaryportsfromgainingaccesstoVLAN1andinsurethatitdoesnottraversetrunksnotrequiringVLAN1traffic.


5.6V-3973-DisabledportsarenotkeptinanunusedVLAN.

5.6.1Summary

DisabledswitchportsmustbeplacedinanunusedVLAN(donotuseVLAN1).Table272providesasummaryresultofthefindings.

Table272:DisabledportsarenotkeptinanunusedVLAN.-Summaryresult

Device Type Status


5.6.2Description

ItispossiblethatadisabledportthatisassignedtoauserormanagementVLANbecomesenabledbyaccidentorbyanattackerandasaresultgainsaccesstothatVLANasamember.

5.6.3Check

ReviewthedeviceconfigurationtodetermineifalldisabledportshavebeenplacedintoanunusedVLAN.TheVLANmustnotbeVLAN1.IfdisabledportsarenotassignedtoanunusedVLANorhavebeenplacedintoVLAN1,thisisafinding.

5.6.4Fix

AssignalldisabledportstoanunusedVLAN.DonotuseVLAN1.


5.7V-3984-AccessswitchportsareassignedtothenativeVLAN

5.7.1Summary

AccessswitchportsmustnotbeassignedtothenativeVLAN.Table273providesasummaryresultofthefindings.


STIGID:NET-VLAN-009

Controls:


Severity:CATII


STIGID:NET-VLAN-008

Controls:


Severity:CATII


Table273:AccessswitchportsareassignedtothenativeVLAN-Summaryresult

Device Type Status


5.7.2Description

DoubleencapsulationcanbeinitiatedbyanattackerwhohasaccesstoaswitchportbelongingtothenativeVLANofthetrunkport.Knowingthevictim'sMACaddressandwiththevictimattachedtoadifferentswitchbelongingtothesametrunkgroup,therebyrequiringthetrunklinkandframetagging,themalicioususercanbegintheattackbysendingframeswithtwosetsoftags.Theoutertagthatwillhavetheattacker'sVLANID(probablythewell-knownandomnipresentVLAN1)isstrippedoffbytheswitch,andtheinnertagthatwillhavethevictim'sVLANIDisusedbytheswitchasthenexthopandsentoutthetrunkport.

5.7.3Check

Reviewtheswitchconfigurationsandexamineallaccessports.VerifythattheydonotbelongtothenativeVLAN.IfanyaccessswitchportsareassignedtothenativeVLAN,itisafinding.

5.7.4Fix

Toinsuretheintegrityofthetrunklinkandpreventunauthorizedaccess,thenativeVLANofthetrunkportshouldbechangedfromthedefaultVLAN1toitsownuniqueVLAN.AccessswitchportsmustneverbeassignedtothenativeVLAN.


5.8V-5622-AdedicatedVLANisrequiredforalltrunkports.

5.8.1Summary

ThenativeVLANmustbeassignedtoaVLANIDotherthanthedefaultVLANforall802.1qtrunklinks.Table274providesasummaryresultofthefindings.

Table274:AdedicatedVLANisrequiredforalltrunkports.-Summaryresult

Device Type Status


5.8.2Description

VLANhoppingcanbeinitiatedbyanattackerwhohasaccesstoaswitchportbelongingtothesameVLANasthenativeVLANofthetrunklinkconnectingtoanotherswitchinwhichthevictimisconnectedto.Iftheattackerknowsthevictim'sMACaddress,itcanforgeaframewithtwo802.1qtagsandalayer2headerwiththedestinationaddressofthevictim.SincetheframewillingresstheswitchfromaportbelongingtoitsnativeVLAN,thetrunkportconnectingtovictim'sswitchwillsimplyremovetheoutertagbecausenativeVLANtrafficistobeuntagged.TheswitchwillforwardtheframeuntothetrunklinkunawareoftheinnertagwithaVLANIDforwhichthevictim'sswitchportisamemberof.

5.8.3Check

Reviewthedeviceconfigurationandexaminealltrunklinks.VerifythenativeVLANhasbeenconfiguredtoaVLANotherthanthedefaultVLAN1.IfthenativeVLANhasbeenconfiguredtoVLAN1,thisisafinding.

5.8.4Fix

Toensuretheintegrityofthetrunklinkandpreventunauthorizedaccess,thenativeVLANofthetrunkportshouldbechangedfromthedefaultVLAN1toitsownuniqueVLAN.ThenativeVLANmustbethesameonbothendsofthetrunklink;otherwisetrafficcouldaccidentlyleakbetweenbroadcastdomains.


5.9V-5623-Ensuretrunkingisdisabledonallaccessports.

5.9.1Summary

Porttrunkingmustbedisabledonallaccessports(donotconfiguretrunkon,desirable,non-negotiate,orauto--onlyoff).Table275providesasummaryresultofthefindings.

STIGID:NET-VLAN-007

Controls:


Severity:CATII


STIGID:NET-NAC-012

Controls:

Responsibility:

Table275:Ensuretrunkingisdisabledonallaccessports.-Summaryresult

Device Type Status


5.9.2Description

DoubleencapsulationcanbeinitiatedbyanattackerwhohasaccesstoaswitchportbelongingtothenativeVLANofthetrunkport.KnowingthevictimsMACaddressandwiththevictimattachedtoadifferentswitchbelongingtothesametrunkgroup,therebyrequiringthetrunklinkandframetagging,themalicioususercanbegintheattackbysendingframeswithtwosetsoftags.TheoutertagthatwillhavetheattackersVLANID(probablythewell-knownandomnipresentVLAN1)isstrippedoffbytheswitch,andtheinnertagthatwillhavethevictimsVLANIDisusedbytheswitchasthenexthopandsentoutthetrunkport.

5.9.3Check

Reviewthedeviceconfigurationtodetermineiftrunkinghasbeendisabledonaccessports.Iftrunkingisenabledonanyaccessport,thisisafinding.

5.9.4Fix

Disabletrunkingonallaccessports.


5.10V-5624-Re-authenticationmustoccurevery60minutes.

5.10.1Summary

TheISSO/NSOwillensureif802.1xPortAuthenticationisimplemented,re-authenticationmustoccurevery60minutes.Table276providesasummaryresultofthefindings.

Table276:Re-authenticationmustoccurevery60minutes.-Summaryresult

Device Type Status


5.10.2Description

Eliminatingunauthorizedaccesstothenetworkfrominsidetheenclaveisvitaltokeepinganetworksecure.Internalaccesstotheprivatenetworkisenabledbysimplyconnectingaworkstationorlaptoptoawallplateoraccesspointlocatedintheworkarea.

5.10.3Findings

router03

NipperStudiodeterminedthatForcedAuthorisationPortControlwasenabledonrouter03.

Table277:IEEE802.1xre-authentication

Interface Active IEEE802.1X Re-Auth Description

GigabitEthernet1/1 Yes AlwaysAuthorized Disabled Firstinterfaceonswitch

GigabitEthernet1/2 Yes AlwaysAuthorized Disabled Secondinterfaceonswitch

5.10.4Check

Reviewtheswitchconfigurationforoneofthefollowinginterfacecommand:dot1xreauthenticationorauthenticationperiodicOnceoneoftheinterfacecommands,dot1xreauthenticationorauthenticationperiodic,isenabled,thedefaultis60minutes.Theintervalcanbemadesmaller.Forexample,ifyouwouldwantre-authenticationtooccurevery30minutes,youwouldconfigurethefollowinginterfacecommand:dot1xtimeoutreauth-period1800orauthenticationtimerreauthenticate1800.

5.10.5Fix

Ensure802.1xreauthenticationoccursevery60minutes.

Severity:CATI


STIGID:NET-NAC-009

Controls:



5.11V-5626-NET-NAC-009

5.11.1Summary

Theswitchmustbeconfiguredtouse802.1xauthenticationonhostfacingaccessswitchports.Table278providesasummaryresultofthefindings.

Table278:NET-NAC-009-Summaryresult

Device Type Status


5.11.2Description

TheIEEE802.1xstandardisaclient-serverbasedaccesscontrolandauthenticationprotocolthatrestrictsunauthorizedclientsfromconnectingtoalocalareanetworkthroughhostfacingswitchports.TheauthenticationserverauthenticateseachclientconnectedtotoaswitchportbeforemakinganyservicesavailabletotheclientfromtheLAN.Unlesstheclientissuccessfullyauthenticated,802.1xaccesscontrolallowsonlyExtensibleAuthenticationProtocoloverLAN(EAPOL)trafficthroughtheporttowhichtheclientisconnected.Afterauthenticationissuccessful,normaltrafficcanpassthroughtheport.Withouttheuseof802.1x,amalicioususercouldusetheswitchporttoconnectanunauthorizedpieceofcomputerorothernetworkdevicetoinjectorstealdatafromthenetworkwithoutdetection.

5.11.3Check

Verifyiftheswitchconfigurationhas802.1xauthenticationimplementedforallaccessswitchportsconnectingtoLANoutlets(i.e.RJ-45wallplates)ordevicesnotlocatedinthetelecomroom,wiringclosets,orequipmentrooms.If802.1xauthenticationisnotconfiguredonthesehost-facingaccessswitchports,thisisaCAT1finding.IfMACaddressfilteringisimplementedinlieuof802.1xauthentication,thisfindingwillbedowngradedtoaCAT3.Verify802.1xauthenticationisenabledontheswitchandhostfacingswitchports:Step1:Verifythatan802.1xauthenticationserverhasbeenconfiguredsimilartothefollowingexample:Switch(config)#radius-serverhostx.x.x.xauth-port1813key!R4d1u$K3y!Switch(config)#aaanew-modelSwitch(config)#aaaauthenticationdot1xdefaultgroupradiusStep2:Verify802.1xauthenticationhasbeenenabledgloballyonthenetworkdevicesimilartothefollowingexample:Switch(config)#dot1xsystem-auth-control

Step3:Verifythatallhost-facingaccessswitchportsareconfiguredtouse802.1xsimilartotheexamplesbelow:Switch(config)#interfacefastethernet0/2Switch(config-if)#switchportmodeaccessSwitch(config-if)#switchportport-securitySwitch(config-if)#dot1xport-controlautoORSwitch(config)#interfacefastethernet0/2Switch(config-if)#switchportmodeaccessSwitch(config-if)#switchportport-securitySwitch(config-if)#authenticationport-controlautoIf802.1xisnotbeingused,determineifMACfilteringisusedoneachhost-facingaccessswitchportasshowninthefollowingexample:Switch(config)#interfacefastethernet0/3Switch(config-if)#switchportmodeaccessSwitch(config-if)#switchportport-securitySwitch(config-if)#switchportport-securitymaximum1Switch(config-if)#switchportport-securitymac-address1000.2000.3000NOTE:Thesectionbelowisintendedforclassifiednetworks.Ifit’sdeterminedthat802.1xisnotimplementedonaclassifiednetwork,theTraditionalreviewteammustbenotifiedtodetermineifthephysicalrequirementsareimplemented.ForasitetobedowngradedtoaCATIIIopenfinding,thephysicalsecurityrequirementsmustbeimplementedinadditiontostaticMACorstickysecureMACportsecurity.Ifbothphysicalandlogicaldowngradesarenotimplemented,aCATIopenfindingwillbeissued.IfclassifiedLANdropsarenotauthenticatedbyan802.1ximplementation,theymustbelocatedwithinspacesproperlyestablishedasSecretvaults,SecretSecureRooms(AKA:CollateralClassifiedOpenStorageAreas),TSsecureroom,orSCIF.Otherwise,oneofthefollowingsupplementalphysicalsecuritycontrolsmustbeimplemented.

Severity:CATII


STIGID:NET-VLAN-006

Controls:


Severity:CATII


STIGID:NET0985

Controls:

Responsibility:SystemAdministrator

1.WalljacksmustbesecuredwhenunattendedbypersonswithSecretorhigherclearancewithaproperlyconstructedlockbox(Hoffmanorsimilarcommercialproductorlocallyfabricated).Thelockboxmusthavenoexposedorremovablehinges.Thehasphardwaremustberivetedtotheboxorotherwiseinstalledsothatremovalwillrequirephysicalbreakingofthebox;therebyleavingevidenceofactualorattemptedentry.Thelockboxmustbesecuredwitha3-positionhighsecuritycombinationpadlock(IAWtheNSTISSI7003).TheS&G8077combinationpadlockistheonlyexistingpadlockmeetingthisstandard.

2.Iflockboxesarenotused,thealternativeistophysicallydisconnecttheSIPRNetlinkattheSIPRNetpointofpresence(PoP)afternormaldutyhours.ThePoPmustbelocatedwithinaproperSecretorhighersecureroom.

5.11.4Fix

Configure802.1xauthenticationonallhostfacingaccessswitchports.


5.12V-5628-TheVLAN1isbeingusedformanagementtraffic.

5.12.1Summary

AdedicatedmanagementVLANorVLANsmustbeconfiguredtokeepmanagementtrafficseparatefromuserdataandcontrolplanetraffic.Table279providesasummaryresultofthefindings.

Table279:TheVLAN1isbeingusedformanagementtraffic.-Summaryresult

Device Type Status


5.12.2Description

Allports,includingtheinternalsc0interface,areconfiguredbydefaulttobemembersofVLAN1.InaVLAN-basednetwork,switchesuseVLAN1asthedefaultVLANforin-bandmanagementandtocommunicatewithothernetworkingdevicesusingSpanning-TreeProtocol(STP),CiscoDiscoveryProtocol(CDP),DynamicTrunkingProtocol(DTP),VLANTrunkingProtocol(VTP),andPortAggregationProtocol(PAgP)alluntaggedtraffic.Asaconsequence,VLAN1mayunwiselyspantheentirenetworkifnotappropriatelypruned.Ifitsscopeislargeenough,theriskofcompromisecanincreasesignificantly.

5.12.3Check

ReviewthedeviceconfigurationstodetermineifadedicatedVLAN(s)havebeenimplementedforthemanagementnetwork.VLAN1mustnotbeused.IfadedicatedVLANorVLANshavenotbeenestablishedforthemanagementnetwork,thisisafinding.IfVLAN1isusedformanagement,thisisalsoafinding.

5.12.4Fix

BestpracticesforVLAN-basednetworksiscreateadedicatedmanagementVLAN,pruneunnecessaryportsfromgainingaccesstoVLAN1aswellasthemanagementVLAN,andtoseparatein-bandmanagement,deviceprotocol,anddatatraffic.


5.13V-17815-IGPinstancesdonotpeerwithappropriatedomain

5.13.1Summary

IGPinstancesconfiguredontheOOBMgatewayrouterdonotpeeronlywiththeirappropriateroutingdomainTable280providesasummaryresultofthefindings.

Table280:IGPinstancesdonotpeerwithappropriatedomain-Summaryresult

Device Type Status


5.13.2Description

IfthegatewayrouterisnotadedicateddevicefortheOOBMnetwork,severalsafeguardsmustbeimplementedforcontainmentofmanagementandproductiontrafficboundaries.Sincethemanagednetworkandthemanagementnetworkareseparateroutingdomains,separateIGProutinginstancesmustbeconfiguredontherouter—oneforthemanagednetworkandonefortheOOBMnetwork.

5.13.3Check

VerifythattheOOBMinterfaceisanadjacencyonlyintheIGProutingdomainforthemanagementnetwork.ThefollowingwouldbeanexamplewhereEIGRPisrunonthemanagementnetwork10.0.0.0andOSPFinthemanagednetwork172.20.0.0.Thenetwork10.1.20.0/24istheOOBMbackboneand10.1.1.0isthelocalmanagementLANconnectingtotheOOBMinterfacesofthemanagednetwork(i.e.,theprivateandservicenetwork)elements.interfaceSerial0/0descriptionto_OOBM_Backboneipaddress10.1.20.3255.255.255.0interfaceFastethernet0/0descriptionEnclave_Management_LANipaddress10.1.1.1255.255.255.0interfaceFastethernet0/1descriptionto_our_PrivateNetipaddress172.20.4.2255.255.255.0interfaceFastethernet0/2descriptionto_our_ServiceNetipaddress172.20.5.2255.255.255.0!routerospf1network172.20.0.0!routereigrp12network10.0.0.0passive-interfaceFastethernet0/1Note:thepassive-interfacecommandisconfiguredtoavoidbuildinganEIGRPadjacencywithamanagedrouter,whileatthesametime,enablingEIGRPtoadvertisetheenclave’smanagementsubnettotheEIGRPneighborsofthemanagementnetworkbackbone.Ifthenon-dedicatedOOBMgatewayandtheNOCgatewayarenotconnectedbyanOOBbackbone—thatis,connectivityisprovidedoveranIPbackbone(i.e.NIPRNet)—andanIGPisusedtoadvertiserouteswithinthemanagementnetwork,theIGPtrafficmustbeencapsulatedviaGREsothatitcantraversetheIPsectunnel.TheconfigurationbelowisanexampleofGREoverIPSec.TheIPSecpolicyisappliedtotheGREtrafficthatwillencapsulateIGPpackets(noticetheEIGRPnetworkstatementincludestheGREtunnel;hence,EIGRPwillformadjacencieswithneighborsontheothersideofthistunnel.

PremiseRouterConfigurationcryptoisakmppolicy10authenticationpre-sharecryptoisakmpkeyourkeyaddress166.4.24.3!cryptoipsectransform-setVPN-transesp-3desesp-md5-hmac!cryptomapvpnmap10ipsec-isakmpsetpeer166.4.24.3settransform-setVPN-transmatchaddress102!interfaceEthernet1ipaddress10.1.1.1255.255.255.0!interfaceSerial1/0ipaddress141.22.4.3255.255.255.252!interfaceTunnel0ipaddress10.10.255.1255.255.255.252ipmtu1400tunnelsourceSerial0/0tunneldestination166.4.24.3cryptomapvpnmap!routereigrp100network10.0.0.00.0.0.255noauto-summary!iproute0.0.0.00.0.0.0141.22.4.1!access-list102permitgrehost141.22.4.3host166.4.24.3

OOBMVPNGatewayConfigurationcryptoisakmppolicy10authenticationpre-sharecryptoisakmpkeyourkeyaddress141.22.4.3

Severity:CATII


STIGID:NET0986

Controls:ECSC-1


!cryptoipsectransform-setVPN-transesp-3desesp-md5-hmac!cryptomapvpnmap10ipsec-isakmpsetpeer141.22.4.3settransform-setVPN-transmatchaddress102!interfaceEthernet1ipaddress10.1.2.1255.255.255.0!interfaceSerial1/0ipaddress166.4.24.3255.255.255.252!interfaceTunnel0ipaddress10.10.255.2255.255.255.252ipmtu1400tunnelsourceSerial0/0tunneldestination141.22.4.3cryptomapvpnmap!routereigrp100network10.0.0.00.0.0.255noauto-summary!iproute0.0.0.00.0.0.0166.4.24.1!access-list102permitgrehost166.4.24.3host141.22.4.3

5.13.4Fix

EnsurethatmultipleIGPinstancesconfiguredontheOOBMgatewayrouterpeeronlywiththeirappropriateroutingdomain.VerifythattheallinterfacesareconfiguredfortheappropriateIGPinstance.


5.14V-17816-RoutesfromthetwoIGPdomainsareredistributed

5.14.1Summary

TheroutesfromthetwoIGPdomainsareredistributedtoeachother.Table281providesasummaryresultofthefindings.

Table281:RoutesfromthetwoIGPdomainsareredistributed-Summaryresult

Device Type Status


5.14.2Description

IfthegatewayrouterisnotadedicateddevicefortheOOBMnetwork,severalsafeguardsmustbeimplementedforcontainmentofmanagementandproductiontrafficboundaries.Sincethemanagednetworkandthemanagementnetworkareseparateroutingdomains,separateIGProutinginstancesmustbeconfiguredontherouter—oneforthemanagednetworkandonefortheOOBMnetwork.Inaddition,theroutesfromthetwodomainsmustnotberedistributedtoeachother.

5.14.3Findings

router03

NipperStudiodetectednoissueswithredistributedroutingonrouter03

5.14.4Check

VerifythattheIGPinstanceusedforthemanagednetworkdoesnotredistributeroutesintotheIGPinstanceusedforthemanagementnetworkandviceversa.Asanalternative,staticroutescanbeusedtoforwardmanagementtraffictotheOOBMinterface;however,thismethodmaynotscalewell.IfstaticroutesareusedtoforwardmanagementtraffictotheOOBbackbonenetwork,verifythattheOOBMinterfaceisnotanIGPadjacencyandthatthecorrectdestinationprefixhasbeenconfiguredtoforwardthemanagementtraffictothecorrectnext-hopandinterfaceforthestaticroute.Inthefollowingconfigurationexamples,10.1.1.0/24isthemanagementnetworkand10.1.20.4istheinterfaceaddressoftheOOBbackbonerouterthattheOOBgatewayrouter

Severity:CATII


STIGID:NET0994

Controls:


connectsto.Thenetwork10.1.20.0/24istheOOBMbackbone.

5.14.5Fix

EnsurethattheIGPinstanceusedforthemanagednetworkdoesnotredistributeroutesintotheIGPinstanceusedforthemanagementnetworkandviceversa.


5.15V-17824-ManagementinterfaceisassignedtoauserVLAN.

5.15.1Summary

ThemanagementinterfaceisanaccessswitchportandhasnotbeenassignedtoaseparatemanagementVLAN.Table282providesasummaryresultofthefindings.

Table282:ManagementinterfaceisassignedtoauserVLAN.-Summaryresult

Device Type Status


5.15.2Description

TheOOBMaccessswitchwillconnecttothemanagementinterfaceofthemanagednetworkelements.ThemanagementinterfacecanbeatrueOOBMinterfaceorastandardinterfacefunctioningasthemanagementinterface.Ineithercase,themanagementinterfaceofthemanagednetworkelementwillbedirectlyconnectedtotheOOBMnetwork.IfthedevicedoesnothaveanOOBMport,theinterfacefunctioningasthemanagementinterfacemustbeconfiguredsothatmanagementtrafficdoesnotleakintothemanagednetworkandthatproductiontrafficdoesnotleakintothemanagementnetwork.

5.15.3Check

ReviewthemanagedswitchconfigurationandverifythattheaccessportconnectedtotheOOBMaccessswitchhasbeenassignedtothemanagementVLAN.Bydefault,themanagementVLANisVLAN1;however,themanagementVLANmustbeconfiguredtoadifferentVLAN.Asshowninthefollowingconfigurationexample,FastEthernet0/1istheportconnectedtotheOOBMaccessswitchandVLAN101isthemanagementVLAN.interfaceFastEthernet0/1switchportaccessvlan10switchportmodeaccess!interfaceFastEthernet0/2switchportaccessvlan2switchportmodeaccess!interfaceFastEthernet0/3switchportaccessvlan2switchportmodeaccess!interfaceFastEthernet0/4switchportaccessvlan2switchportmodeaccessThiscanalsobeverifiedbyenteringaPrivilegedEXECshowvlancommandontheswitchCLIasillustratedinthefollowingexampleoutputofaCisco2950:2950#showvlanVLANNameStatusPorts--------------------------------------------------------------------2ProductionactiveFa0/2,Fa0/3,Fa0/4,Fa0/5,...Fa0/21,Fa0/22,Fa0/23,Fa0/2410ManagementactiveFa0/1

5.15.4Fix

Ifthemanagementinterfaceisanaccessswitchport,assignittoaseparatemanagementVLANwhiletheremainderoftheaccessswitchportscanbeassignedtouserVLANsbelongingtothemanagednetwork.Thisprovidessomelevelofseparationbetweenthemanagementnetworkandthemanagednetwork.


5.16V-17825-ManagementVLANhasinvalidaddresses

5.16.1Summary

AnaddresshasnotbeenconfiguredforthemanagementVLANfromspacebelongingtotheOOBMnetworkassignedtothatsite.Table283providesasummary

Severity:CATIII


STIGID:NET0995

Controls:


Severity:CATII


STIGID:NET0996

Controls:


resultofthefindings.

Table283:ManagementVLANhasinvalidaddresses-Summaryresult

Device Type Status


5.16.2Description

TheOOBMaccessswitchwillconnecttothemanagementinterfaceofthemanagednetworkelements.ThemanagementinterfacecanbeatrueOOBMinterfaceorastandardinterfacefunctioningasthemanagementinterface.Ineithercase,themanagementinterfaceofthemanagednetworkelementwillbedirectlyconnectedtotheOOBMnetwork.AnOOBMinterfacedoesnotforwardtransittraffic;thereby,providingcompleteseparationofproductionandmanagementtraffic.Sinceallmanagementtrafficisimmediatelyforwardedintothemanagementnetwork,itisnotexposedtopossibletampering.Theseparationalsoensuresthatcongestionorfailuresinthemanagednetworkdonotaffectthemanagementofthedevice.

5.16.3Check

ReviewthemanagedswitchconfigurationandverifythatanaddresshasbeenconfiguredformanagementVLANfromspacebelongingtotheOOBMnetworkthathasbeenassignedtothatsite.interfaceVLAN10ipaddress10.1.1.10255.255.255.0descriptionManagementVLANNote:TheIPaddressoftheswitchcanbeaccessedonlybynodesconnectedtoportsthatbelongtothemanagementVLAN.AdefaultgatewayaddressasshownbelowmustbeconfiguredusingtheaddressoftheOOBMgatewayrouterinterfaceconnectingtotheOOBMaccessswitch.ThiswillensurethatallmanagementtrafficisforwardedtowardtheNOCusingtheswitchportattachedtotheOOBMaccessswitch.ipdefault-gateway10.1.1.1

5.16.4Fix

AssignanIPaddresstothemanagementVLANfromtheaddressspacebelongingtotheOOBMnetwork.


5.17V-17826-InvalidportswithmembershiptothemgmtVLAN

5.17.1Summary

TheaccessswitchportconnectingtotheOOBMaccessswitchisnottheonlyportwithmembershiptothemanagementVLAN.Table284providesasummaryresultofthefindings.

Table284:InvalidportswithmembershiptothemgmtVLAN-Summaryresult

Device Type Status


5.17.2Description

TheOOBMaccessswitchwillconnecttothemanagementinterfaceofthemanagednetworkelements.ThemanagementinterfacecanbeatrueOOBMinterfaceorastandardinterfacefunctioningasthemanagementinterface.Ineithercase,themanagementinterfaceofthemanagednetworkelementwillbedirectlyconnectedtotheOOBMnetwork.AnOOBMinterfacedoesnotforwardtransittraffic;thereby,providingcompleteseparationofproductionandmanagementtraffic.Sinceallmanagementtrafficisimmediatelyforwardedintothemanagementnetwork,itisnotexposedtopossibletampering.Theseparationalsoensuresthatcongestionorfailuresinthemanagednetworkdonotaffectthemanagementofthedevice.

5.17.3Check

ThemanagementVLANmustbeprunedfromanyVLANtrunklinksbelongingtothemanagednetwork’sinfrastructure.BydefaultalltheVLANsthatexistonaswitchareactiveonatrunklink.SincetheswitchisbeingmanagedviaOOBMconnection,managementtrafficshouldnottraverseanytrunklinks.Thefollowing

Severity:CATIII


STIGID:NET0997

Controls:


CatalystIOSconfigurationisanexampleofatrunklinkwiththemanagementVLAN(i.e.10)prunedfromatrunk.

interfacefastEthernet0/1switchporttrunkencapsulationdot1qswitchportmodedynamicdesirableswitchporttrunknativevlan3switchporttrunkallowedvlan2-9Thiscanalsobeverifiedwiththeshowinterfacetrunkcommandasshownbelow:Switch-A#showinterfacetrunkPortModeEncapsulationStatusNativevlanFa0/1desirable802.1qtrunking3PortVlansallowedontrunkFa0/12-9PortVlansinspanningtreeforwardingstateandnotprunedFa0/12-5Note:VTPpruningallowstheswitchtonotforwardusertrafficforVLANsthatarenotactiveonaremoteswitch.Thisfeaturedynamicallyprunesunneededtrafficacrosstrunklinks.VTPpruningneedstobeenabledontheserverfortheVTPdomains—afterwhichallVTPclientsintheVTPdomainwillautomaticallyenableVTPpruning.ToenableVTPpruningonaCiscoIOSswitch,youusethevtppruningVLANconfigurationorglobalconfigurationcommand.Since,themanagementVLANwillbeactiveonallmanagedswitchs,VTPwillneverprunethisVLAN.Hence,itwillhavetobemanuallyremovedasshownabove.

5.17.4Fix

EnsurethattheaccessswitchportconnectingtotheOOBMaccessswitchistheonlyportwithmembershiptothemanagementVLAN


5.18V-17827-ThemanagementVLANisnotprunedfromtrunklinks

5.18.1Summary

ThemanagementVLANisnotprunedfromanyVLANtrunklinksbelongingtothemanagednetwork’sinfrastructure.Table285providesasummaryresultofthefindings.

Table285:ThemanagementVLANisnotprunedfromtrunklinks-Summaryresult

Device Type Status


5.18.2Description

TheOOBMaccessswitchwillconnecttothemanagementinterfaceofthemanagednetworkelements.ThemanagementinterfacecanbeatrueOOBMinterfaceorastandardinterfacefunctioningasthemanagementinterface.Ineithercase,themanagementinterfaceofthemanagednetworkelementwillbedirectlyconnectedtotheOOBMnetwork.AnOOBMinterfacedoesnotforwardtransittraffic;thereby,providingcompleteseparationofproductionandmanagementtraffic.Sinceallmanagementtrafficisimmediatelyforwardedintothemanagementnetwork,itisnotexposedtopossibletampering.Theseparationalsoensuresthatcongestionorfailuresinthemanagednetworkdonotaffectthemanagementofthedevice.IfthedevicedoesnothaveanOOBMport,theinterfacefunctioningasthemanagementinterfacemustbeconfiguredsothatmanagementtrafficdoesnotleakintothemanagednetworkandthatproductiontrafficdoesnotleakintothemanagementnetwork.ISLand802.1qtrunkingenablesmultipleVLANstotraversethesamephysicallinksbetweenlayer2switchesorbetweenalayer2switchandarouter.IfthemanagementVLANisnotprunedfromanyVLANtrunklinksbelongingtothemanagednetwork’sinfrastructure,managementtraffichasthepotentialtoleakintotheproductionnetwork.

5.18.3Check

ThemanagementVLANmustbeprunedfromanyVLANtrunklinksbelongingtothemanagednetwork’sinfrastructure.BydefaultalltheVLANsthatexistonaswitchareactiveonatrunklink.SincetheswitchisbeingmanagedviaOOBMconnection,managementtrafficshouldnottraverseanytrunklinks.ThefollowingCatalystIOSconfigurationisanexampleofatrunklinkwiththemanagementVLAN(i.e.10)prunedfromatrunk.

interfacefastEthernet0/1switchporttrunkencapsulationdot1qswitchportmodedynamicdesirableswitchporttrunknativevlan3switchporttrunkallowedvlan2-9Thiscanalsobeverifiedwiththeshowinterfacetrunkcommandasshownbelow:

Severity:CATII


STIGID:NET1003

Controls:


Severity:CATII


STIGID:NET1004

Controls:

Responsibility:

Switch-A#showinterfacetrunkPortModeEncapsulationStatusNativevlanFa0/1desirable802.1qtrunking3PortVlansallowedontrunkFa0/12-9PortVlansinspanningtreeforwardingstateandnotprunedFa0/12-5Note:VTPpruningallowstheswitchtonotforwardusertrafficforVLANsthatarenotactiveonaremoteswitch.Thisfeaturedynamicallyprunesunneededtrafficacrosstrunklinks.VTPpruningneedstobeenabledontheserverfortheVTPdomains—afterwhichallVTPclientsintheVTPdomainwillautomaticallyenableVTPpruning.ToenableVTPpruningonaCiscoIOSswitch,youusethevtppruningVLANconfigurationorglobalconfigurationcommand.Since,themanagementVLANwillbeactiveonallmanagedswitchs,VTPwillneverprunethisVLAN.Hence,itwillhavetobemanuallyremovedasshownabove.

5.18.4Fix

PrunethemanagementVLANfromanyVLANtrunklinksbelongingtothemanagednetwork’sinfrastructure.


5.19V-17832-MgmtVLANdoesnothavecorrectIPaddress

5.19.1Summary

ThemanagementVLANisnotconfiguredwithanIPaddressfromthemanagementnetworkaddressblock.Table286providesasummaryresultofthefindings.

Table286:MgmtVLANdoesnothavecorrectIPaddress-Summaryresult

Device Type Status


5.19.2Description

Ifthemanagementsystemsresidewithinthesamelayer2switchingdomainasthemanagednetworkelements,thenseparateVLANswillbedeployedtoprovideseparationatthatlevel.Inthiscase,themanagementnetworkstillhasitsownsubnetwhileatthesametimeitisdefinedasauniqueVLAN.

5.19.3Check

ReviewtheswitchconfigurationandverifythatthemanagementVLANhasbeenassignedanIPaddressfromthemanagementnetworkaddressblock.FollowingisanexampleforaCiscoCatalystswitch:

interfaceVLAN10descriptionManagementVLANipaddress10.1.1.10255.255.255.0Note:TheIPaddressoftheswitchcanbeaccessedonlybynodesconnectedtoportsthatbelongtothemanagementVLAN.

5.19.4Fix

ConfigurethemanagementVLANwithanIPaddressfromthemanagementnetworkaddressblock.


5.20V-17833-NoingressACLonmanagementVLANinterface

5.20.1Summary

TheISSOwillensurethatonlyauthorizedmanagementtrafficisforwardedbythemulti-layerswitchfromtheproductionormanagedVLANstothemanagementVLAN.Table287providesasummaryresultofthefindings.

Table287:NoingressACLonmanagementVLANinterface-Summaryresult

Device Type Status


Severity:CATII


STIGID:NET-SRVFRM-004

Controls:


Severity:CATIII


STIGID:NET-VLAN-023

Controls:DCSP-1


5.20.2Description

IfthemanagementsystemsresidewithinthesameLayer2switchingdomainasthemanagednetworkelements,thenseparateVLANswillbedeployedtoprovideseparationatthatlevel.Inthiscase,themanagementnetworkstillhasitsownsubnetwhileatthesametimeitisdefinedasauniqueVLAN.Inter-VLANroutingortheroutingoftrafficbetweennodesresidingindifferentsubnetsrequiresarouterormulti-layerswitch(MLS).Accesscontrollistsmustbeusedtoenforcetheboundariesbetweenthemanagementnetworkandthenetworkbeingmanaged.WhenusingaMLS,analternatemethodtopreventinter-VLANroutingistoconfigurethemanagementVirtualRoutingandForwarding(VRF)tonotimportroutetargetsfromotherVRFswhichwouldensurethereisnoreachabilitybetweennetworks.

5.20.3Check

ReviewtheconfigurationtodetermineifaninboundACLhasbeenconfiguredforthemanagementVLANinterfacetoblocknon-managementtraffic.IfaninboundACLhasnotbeenconfigured,thisisafinding.

5.20.4Fix

IfanMLSisusedtoprovideinter-VLANrouting,configureaninboundACLforthemanagementnetworkVLANinterface.


5.21V-18523-ACLsdonotprotectagainstcompromisedservers

5.21.1Summary

TheIAOwillensuretheServerFarminfrastructureissecuredbyACLsonVLANinterfacesthatrestrictdataoriginatingfromoneserverfarmsegmentdestinedtoanotherserverfarmsegment.Table288providesasummaryresultofthefindings.

Table288:ACLsdonotprotectagainstcompromisedservers-Summaryresult

Device Type Status


5.21.2Description

ACLsonVLANinterfacesdonotprotectagainstcompromisedservers.TheServerfarmvlansneedtoprotecttheserverslocatedononesubnetfromserverslocatedonanothersubnet.Protectingaclient’sdatafromotherclientsisnecessaryandcanbeaccomplishedusingVLANprovisioning,layer3filteringandcontentfilteringattheServerFarmentrypoint.Restrictingprotocol,sourceanddestinationtrafficviafiltersisanoption;howeveradditionalsecuritypracticessuchascontentfilteringarerequired.TheServerfarmprivatevlansneedtoprotecttheserverslocatedononesubnetfromserverslocatedonanothersubnet.

5.21.3Check

Reviewthefirewallprotectingtheserverfarm.Vlanconfigurationsshouldhaveafilterthatsecurestheserverslocatedonthevlansegment.IdentifythesourceipaddressesthathaveaccesstotheserversandverifytheprivilegeintendedwiththeSA.Thefiltershouldbeinadenybydefaultposture.Ifthefilterisnotdefinedonthefirewallandthearchitecturecontainsalayer3switchbetweenthefirewallandtheserver,thanreviewtheVLANdefinitionontheL3switch.

5.21.4Fix

Reviewthefilterandensureaccessfromotherserversegmentsisdeniedunlessnecessaryforapplicationoperation.Theintentofthepolicyshouldbetoprotectserversfromaserverthathasbeencompromisedbyanintruder.


5.22V-18544-RestrictedVLANnotassignedtonon-802.1xdevice.

5.22.1Summary

PrintersmustbeassignedtoaVLANthatisnotsharedbyunlikedevices.Table289providesasummaryresultofthefindings.

Table289:RestrictedVLANnotassignedtonon-802.1xdevice.-Summaryresult

Device Type Status


Severity:CATII


STIGID:NET-VLAN-024

Controls:


Severity:CATII


STIGID:NET-NAC-031

Controls:DCSP-1


5.22.2Description

Aspectsofhardeningthenetworkwallplatemayincludetrafficfilteringorrestrictionsonconnectivitytoenforceadevice-,communityofinterest-,oruser-specificsecuritypolicy.Forexample,ifaprinterwerepluggedintoaswitchport,itwouldbeprudenttoensurethatonlyprintertrafficisallowedonthatswitchport.Iftheprinterisunpluggedandasubstitutedeviceotherthanaprinterispluggedintothatswitchport,thesubstitutedeviceshouldnotbeabletocommunicatearbitrarilywithotherdevicesbecauseonlyprintertrafficisallowedonthatswitchport.

5.22.3Check

ReviewthedeviceconfigurationtodetermineifaVLANhasbeenestablishedforprinters.

5.22.4Fix

CreateaVLANonthedeviceforprinttypedevicesandassignprinterstotheVLANID.


5.23V-18545-Upstreamaccessnotrestrictedfornon-802.1xVLAN

5.23.1Summary

TheSAwillensureapacketfilterisimplementedtofiltertheenclavetraffictoandfromprinterVLANstoallowonlyprinttraffic.Table290providesasummaryresultofthefindings.

Table290:Upstreamaccessnotrestrictedfornon-802.1xVLAN-Summaryresult

Device Type Status


5.23.2Description

AfirewallrulesetcanfilternetworktrafficwithintheprinterVLANtoonlyexpectedprinterprotocols.TheSAmanagingthelocalenclaveshouldidentifytheprinterporttrafficwithintheenclave.Portscommonlyusedbyprintersaretypicallytcpport515,631,1782andtcpports9100,9101,9102butothersareusedthroughouttheindustry.TheSAcanreviewRFC1700PortAssignmentsandreviewprintervendordocumentsforthefilterrule-set.

5.23.3Check

AnACLorfirewallrulesetcanfilternetworktrafficwithintheprinterVLANtoonlyexpectedprinterprotocols.TheSAmanagingthelocalenclaveshouldidentifytheprinterporttrafficwithintheenclave.Portscommonlyusedbyprintersaretypicallytcpport515,631,1782andtcpports9100,9101,9102butothersareusedthroughouttheindustry.TheSAcanreviewRFC1700PortAssignmentsandreviewprintervendordocumentsforthefilterrule-set.VerifythefilterappliedtotheprinterVLANsubnet.

5.23.4Fix

DefinethefilterontheVLANACLorbuildafirewallrulesettoaccomplishtherequirment.


5.24V-18566-NET-NAC-031

5.24.1Summary

TheswitchmustonlyallowamaximumofoneregisteredMACaddressperaccessport.Table291providesasummaryresultofthefindings.

Table291:NET-NAC-031-Summaryresult

Device Type Status


5.24.2Description

LimitingthenumberofregisteredMACaddressesonaswitchaccessportcanhelppreventaCAMtableoverflowattack.Thistypeofattackletsanattackerexploitthehardwareandmemorylimitationsofaswitch.IfthereareenoughentriesstoredinaCAMtablebeforetheexpirationofotherentries,nonewentriescanbeacceptedintotheCAMtable.AnattackerwillabletofloodtheswitchwithmostlyinvalidMACaddressesuntiltheCAMtable’sresourceshavebeen

Severity:CATIII


STIGID:NET1020

Controls:ECAT-1,ECAT-2,ECSC-1


depleted.Whentherearenomoreresources,theswitchhasnochoicebuttofloodallportswithintheVLANwithallincomingtraffic.ThishappensbecausetheswitchcannotfindtheswitchportnumberforacorrespondingMACaddresswithintheCAMtable,allowingtheswitchtobecomeahubandtraffictobemonitored.

5.24.3Check

ReviewtheswitchconfigurationtoverifyeachaccessportisconfiguredforasingleregisteredMACaddress.Configuringport-securityontheCiscoswitchaccessportinterfacewillautomaticallysetthemaximumnumberofregisteredMACaddressestoone.Thevaluewillnotshowupintheconfigurationoftheswitchitself.TovalidatetheaccessporthasamaximumvalueofoneforallowableMACaddresses,youmustrunthefollowingcommand:Switch#showport-securityinterfaceShowCommandExample:Switch#portintfa0/1PortSecurity:EnabledPortStatus:Secure-downViolationMode:ShutdownAgingTime:0minsAgingType:AbsoluteSecureStaticAddressAging:DisabledMaximumMACAddresses:1SometechnologiesareexemptfromrequiringasingleMACaddressperaccessport;however,restrictionsstillapply.VoIPorVTCendpointsmayprovideaPCportsoaPCcanbeconnected.Eachofthedeviceswillneedtobestaticallyassignedtoeachaccessport.AnothergreeninitiativewhereasingleLANdropissharedamongseveraldevicesiscalled"hot-desking",whichisrelatedtoconservationofofficespaceandteleworking.Hot-deskingiswhereseveralpeopleareassignedtoworkatthesamedeskatdifferenttimes,eachuserwiththeirownPC.Inthiscase,adifferentMACaddressneedstobepermittedforeachPCthatisconnectingtotheLANdropintheworkspace.Additionally,thisworkspacecouldcontainasinglephone(andpossiblydesktopVTCendpoint)usedbyallassigneesandthePCportonitmightbetheconnectionfortheirlaptop.Inthiscase,itisbestnottousestickyportsecurity,buttouseastaticmappingofauthorizeddevicesorimplement802.1x.Ifthisisnotateleworkingremotelocation,thisexemptiondoesnotapply.

5.24.4Fix

ConfiguretheswitchtolimitthemaximumnumberofregisteredMACaddressesoneachaccessswitchporttoone.


5.25V-3000-InterfaceACLdenystatementsarenotlogged.

5.25.1Summary

Thenetworkdevicemustlogallaccesscontrollists(ACL)denystatements.Table292providesasummaryresultofthefindings.

Table292:InterfaceACLdenystatementsarenotlogged.-Summaryresult

Device Type Status



5.25.2Description

Auditingandloggingarekeycomponentsofanysecurityarchitecture.Itisessentialforsecuritypersonneltoknowwhatisbeingdone,attemptedtobedone,andbywhominordertocompileanaccurateriskassessment.Auditingtheactionsonnetworkdevicesprovidesameanstorecreateanattack,oridentifyaconfigurationmistakeonthedevice.

5.25.3Findings

router03

NipperStudioidentifiedoneactiverulelistonrouter03thatcontaineddenyrules.

Table293:4040denyrules.

Rule Action Source Log

5 Any Yes

CiscoIOS15

Severity:CATII


STIGID:NET1800

Controls:


NipperStudiodeterminedthatnoactivefilterrulelistscontainingdenyruleswereconfiguredonCiscoIOS15.

5.25.4Check

ReviewthenetworkdeviceinterfaceACLstoverifyalldenystatementsarelogged.CiscoIOSexample:interfaceFastEthernet0/0descriptionexternalinterfacepeeringwithISPornon-DoDnetworkipaddress199.36.92.1255.255.255.252ipaccess-group100in…access-list100denyicmpanyanyfragmentslogaccess-list100denyip169.254.0.00.0.255.255anylogaccess-list100denyip10.0.0.00.255.255.255anylogaccess-list100denyip172.16.0.00.15.255.255anylogaccess-list100denyip192.168.0.00.0.255.255anylogaccess-list100permiticmpanyhost199.36.92.1echo-replyaccess-list100permiticmpanyhost199.36.90.10echo-replyaccess-list100denyicmpanyanylogaccess-list100denyipanyanylog

5.25.5Fix

ConfigureinterfaceACLstologalldenystatements.


5.26V-3008-IPSecVPNisnotconfiguredasatunneltypeVPN.

5.26.1Summary

TheIAOwillensureIPSecVPNsareestablishedastunneltypeVPNswhentransportingmanagementtrafficacrossanipbackbonenetwork.Table294providesasummaryresultofthefindings.

Table294:IPSecVPNisnotconfiguredasatunneltypeVPN.-Summaryresult

Device Type Status



5.26.2Description

Usingdedicatedpaths,theOOBMbackboneconnectstheOOBMgatewayrouterslocatedatthepremiseofthemanagednetworksandattheNOC.Dedicatedlinkscanbedeployedusingprovisionedcircuits(ATM,FrameRelay,SONET,T-carrier,andothersorVPNtechnologiessuchassubscribingtoMPLSLayer2andLayer3VPNservices)orimplementingasecuredpathwithgateway-to-gatewayIPsectunnel.Thetunnelmodeensuresthatthemanagementtrafficwillbelogicallyseparatedfromanyothertraffictraversingthesamepath.

5.26.3Findings

router03

NipperStudiodeterminedthattherewasnoIPSecurityprotocol(IPsec)VirtualPrivateNetwork(VPN)configuredonrouter03.

5.26.4Check

HavetheSAdisplaytheconfigurationsettingsthatenablethisfeature.Reviewthenetworktopologydiagram,andreviewVPNconcentrators.Determineiftunnelmodeisbeingusedbyreviewingtheconfiguration.Examples:InCISCORouter(config)#cryptoipsectransform-settransform-set-nametransform1Router(cfg-crypto-tran)#modetunnelORinJunoseditsecurityipsecsecurity-associationsa-name]modetunnel

5.26.5Fix

EstablishtheVPNasatunneledVPN.TerminatethetunneledVPNoutsideofthefirewall.

Severity:CATI


STIGID:NET0230

Controls:


Ensureallhost-to-hostVPNareestablishedbetweentrustedknownhosts.


5.27V-3012-Networkelementisnotpasswordprotected.

5.27.1Summary

Networkdevicesmustbepasswordprotected.Table295providesasummaryresultofthefindings.

Table295:Networkelementisnotpasswordprotected.-Summaryresult

Device Type Status



5.27.2Description

Networkaccesscontrolmechanismsinteroperatetopreventunauthorizedaccessandtoenforcetheorganization'ssecuritypolicy.Accesstothenetworkmustbecategorizedasadministrator,user,orguestsotheappropriateauthorizationcanbeassignedtotheuserrequestingaccesstothenetworkoranetworkdevice.Authorizationrequiresanindividualaccountidentifierthathasbeenapproved,assigned,andconfiguredonanauthenticationserver.Authenticationofuseridentitiesisaccomplishedthroughtheuseofpasswords,tokens,biometrics,orinthecaseofmulti-factorauthentication,somecombinationthereof.Lackofauthenticationenablesanyonetogainaccesstothenetworkorpossiblyanetworkdeviceprovidingopportunityforintruderstocompromiseresourceswithinthenetworkinfrastructure.

5.27.3Findings

router03

Table296detailstheadministrativeinterfacelinesconfiguredonrouter03.

Table296:Administrativelines

Line Access Login Level Password Authorization Accounting FilterIn

Console Yes LinePassword 1 password Off Off

Auxiliary Yes LinePassword 1 password Off Off

VTY0-4 Yes LinePassword 1 password Off Off 10

Table297detailslocalusersconfiguredonrouter03.

Table297:Localusers


temp password 15



CiscoIOS15

Table298detailstheadministrativeinterfacelinesconfiguredonCiscoIOS15.

Table298:Administrativelines


Console Yes AAAAuthentication 1 Off Off

Auxiliary No N/A 1 Off Off

Interface0/0/0 Yes AAAAuthentication 1 Off Off

VTY0-4 Yes AAAAuthentication 1 password Off Off 1

VTY5-807 Yes AAAAuthentication 1 Off Off 1

Table299detailslocalusersconfiguredonCiscoIOS15.

Severity:CATII


STIGID:NET0340

Controls:


Table299:Localusers


admin (ENCRYPTED) 1

Test (ENCRYPTED) 1

5.27.4Check

Reviewthenetworkdevicesconfigurationtodetermineifadministrativeaccesstothedevicerequiressomeformofauthentication--ataminimumapasswordisrequired.Ifpasswordsaren'tusedtoadministrativeaccesstothedevice,thisisafinding.

5.27.5Fix

Configurethenetworkdevicessoitwillrequireapasswordtogainadministrativeaccesstothedevice.


5.28V-3013-Loginbannerisnon-existentornotDOD-approved.

5.28.1Summary

NetworkdevicesmustdisplaytheDoD-approvedlogonbannerwarning.Table300providesasummaryresultofthefindings.

Table300:Loginbannerisnon-existentornotDOD-approved.-Summaryresult

Device Type Status



5.28.2Description

AllnetworkdevicesmustpresentaDoD-approvedwarningbannerpriortoasystemadministratorloggingon.Thebannershouldwarnanyunauthorizedusernottoproceed.Italsoshouldprovideclearandunequivocalnoticetobothauthorizedandunauthorizedpersonnelthataccesstothedeviceissubjecttomonitoringtodetectunauthorizedusage.FailuretodisplaytherequiredlogonwarningbannerpriortologonattemptswilllimitDoD'sabilitytoprosecuteunauthorizedaccessandalsopresentsthepotentialtogiverisetocriminalandcivilliabilityforsystemsadministratorsandinformationsystemsmanagers.Inaddition,DISA'sabilitytomonitorthedevice'susageislimitedunlessaproperwarningbannerisdisplayed.DoDCIOhasissuednew,mandatorypolicystandardizingthewordingof"noticeandconsent"bannersandmatchinguseragreementsforallSecretandbelowDoDinformationsystems,includingstand-alonesystemsbyreleasingDoDCIOMemo,"PolicyonUseofDepartmentofDefense(DoD)InformationSystemsStandardConsentBannerandUserAgreement",dated9May2008.ThebannerismandatoryanddeviationsarenotpermittedexceptasauthorizedinwritingbytheDeputyAssistantSecretaryofDefenseforInformationandIdentityAssurance.ImplementationofthisbannerverbiageisfurtherdirectedtoallDoDcomponentsforallDoDassetsviaUSCYBERCOMCTO08-008A.

5.28.3Findings

router03

NipperStudiodeterminedthattheconfiguredpre-authenticationlogonbannermessagewas:

LoginBanner

Thisisatestbanner.

CiscoIOS15

NipperStudiodeterminedthattheconfiguredpre-authenticationlogonbannermessagewas:

LoginBanner


5.28.4Check

Reviewthedeviceconfigurationorrequestthattheadministratorlogontothedeviceandobservetheterminal.VerifyeitherOptionAorOptionB(forsystemswithcharacterlimitations)oftheStandardMandatoryDoDNoticeandConsentBannerisdisplayedatlogon.Therequiredbannerverbiagefollowsandmustbedisplayedverbatim:

Severity:CATII


STIGID:NET1639

Controls:


OptionAYouareaccessingaU.S.Government(USG)InformationSystem(IS)thatisprovidedforUSG-authorizeduseonly.ByusingthisIS(whichincludesanydeviceattachedtothisIS),youconsenttothefollowingconditions:-TheUSGroutinelyinterceptsandmonitorscommunicationsonthisISforpurposesincluding,butnotlimitedto,penetrationtesting,COMSECmonitoring,networkoperationsanddefense,personnelmisconduct(PM),lawenforcement(LE),andcounterintelligence(CI)investigations.-Atanytime,theUSGmayinspectandseizedatastoredonthisIS.-Communicationsusing,ordatastoredon,thisISarenotprivate,aresubjecttoroutinemonitoring,interception,andsearch,andmaybedisclosedorusedforanyUSG-authorizedpurpose.-ThisISincludessecuritymeasures(e.g.,authenticationandaccesscontrols)toprotectUSGinterests--notforyourpersonalbenefitorprivacy.-Notwithstandingtheabove,usingthisISdoesnotconstituteconsenttoPM,LEorCIinvestigativesearchingormonitoringofthecontentofprivilegedcommunications,orworkproduct,relatedtopersonalrepresentationorservicesbyattorneys,psychotherapists,orclergy,andtheirassistants.Suchcommunicationsandworkproductareprivateandconfidential.SeeUserAgreementfordetails.OptionBIfthesystemisincapableofdisplayingtherequiredbannerverbiageduetoitssize,asmallerbannermustbeused.Themandatoryverbiagefollows:"I'veread&consenttotermsinISuseragreem't."Ifthedeviceconfigurationdoesnothavealogonbannerasstatedabove,thisisafinding.

5.28.5Fix

ConfigureallmanagementinterfacestothenetworkdevicetodisplaytheDoD-mandatedwarningbannerverbiageatlogonregardlessofthemeansofconnectionorcommunication.Therequiredbannerverbiagethatmustbedisplayedverbatimisasfollows:OptionAYouareaccessingaU.S.Government(USG)InformationSystem(IS)thatisprovidedforUSG-authorizeduseonly.ByusingthisIS(whichincludesanydeviceattachedtothisIS),youconsenttothefollowingconditions:-TheUSGroutinelyinterceptsandmonitorscommunicationsonthisISforpurposesincluding,butnotlimitedto,penetrationtesting,COMSECmonitoring,networkoperationsanddefense,personnelmisconduct(PM),lawenforcement(LE),andcounterintelligence(CI)investigations.-Atanytime,theUSGmayinspectandseizedatastoredonthisIS.-Communicationsusing,ordatastoredon,thisISarenotprivate,aresubjecttoroutinemonitoring,interception,andsearch,andmaybedisclosedorusedforanyUSG-authorizedpurpose.-ThisISincludessecuritymeasures(e.g.,authenticationandaccesscontrols)toprotectUSGinterests--notforyourpersonalbenefitorprivacy.-Notwithstandingtheabove,usingthisISdoesnotconstituteconsenttoPM,LEorCIinvestigativesearchingormonitoringofthecontentofprivilegedcommunications,orworkproduct,relatedtopersonalrepresentationorservicesbyattorneys,psychotherapists,orclergy,andtheirassistants.Suchcommunicationsandworkproductareprivateandconfidential.SeeUserAgreementfordetails.OptionBIfthesystemisincapableofdisplayingtherequiredbannerverbiageduetoitssize,asmallerbannermustbeused.Themandatoryverbiagefollows:"I'veread&consenttotermsinISuseragreem't."


5.29V-3014-Managementconnectiondoesnottimeout.

5.29.1Summary

Thenetworkelementmusttimeoutmanagementconnectionsforadministrativeaccessafter10minutesorlessofinactivity.Table301providesasummaryresultofthefindings.

Table301:Managementconnectiondoesnottimeout.-Summaryresult

Device Type Status



5.29.2Description

Settingthetimeoutofthesessionto10minutesorlessincreasesthelevelofprotectionaffordedcriticalnetworkcomponents.

5.29.3Findings

Severity:CATIII


STIGID:NET0820

Controls:


router03

Table302detailstheadministrativeinterfacelineconnectiontimeout(s)configuredonrouter03.

Table302:Administrativelineconnectiontimeoutonrouter03

Line ExecTimeout AbsoluteTimeout SessionTimeout LoginTimeout FilterIn FilterOut

VTY0-4 10minutes None None 30seconds 10

CiscoIOS15

Table303detailstheadministrativeinterfacelineconnectiontimeout(s)configuredonCiscoIOS15.

Table303:AdministrativelineconnectiontimeoutonCiscoIOS15




5.29.4Check

Reviewthemanagementconnectionforadministrativeaccessandverifythenetworkelementisconfiguredtotime-outtheconnectionafter10minutesorlessofinactivity.ThedefaultfortheVTYlineis10minutesandmaynotappearinthedisplayoftheconfiguration.TheVTYlineshouldcontainthefollowingcommand:exec-timeout10

5.29.5Fix

Configurethenetworkdevicestoensurethetimeoutforunattendedadministrativeaccessconnectionsisnolongerthan10minutes.


5.30V-3020-DNSserversmustbedefinedforclientresolver.

5.30.1Summary

ThenetworkelementmusthaveDNSserversdefinedifitisconfiguredasaclientresolver.Table304providesasummaryresultofthefindings.

Table304:DNSserversmustbedefinedforclientresolver.-Summaryresult

Device Type Status



5.30.2Description

ThesusceptibilityofIPaddressestospoofingtranslatestoDNShostnameandIPaddressmappingvulnerabilities.Forexample,supposeasourcehostwishestoestablishaconnectionwithadestinationhostandqueriesaDNSserverfortheIPaddressofthedestinationhostname.IftheresponsetothisqueryistheIPaddressofahostoperatedbyanattacker,thesourcehostwillestablishaconnectionwiththeattackershost,ratherthantheintendedtarget.Theuseronthesourcehostmightthenprovidelogon,authentication,andothersensitivedata.

5.30.3Findings

router03

NipperStudiodeterminedthattheDNSlookupfeatureonrouter03wasenabled.AdditionallyNipperStudiodeterminedthatnoDNSserverswereconfiguredonrouter03.

CiscoIOS15

NipperStudiodeterminedthattheDNSlookupfeatureonCiscoIOS15wasdisabled.AdditionallyNipperStudiodeterminedthatnoDNSserverswereconfiguredonCiscoIOS15.

5.30.4Check

ReviewthedeviceconfigurationtoensurethatDNSservershavebeendefinedifithasbeenconfiguredasaclientresolver(namelookup).Theconfigurationshouldlooksimilartooneofthefollowingexamples:ipdomain-lookup

Severity:CATII


STIGID:NET0890

Controls:


ipname-server192.168.1.253ornoipdomain-lookupThefirstconfigurationexamplehasDNSlookupenabledandhencehasdefineditsDNSserver.ThesecondexamplehasDNSlookupdisabled.Note:ipdomain-lookupisenabledbydefault.Henceitmaynotbeshown—dependingontheIOSrelease.Ifitisenabled,itwillbeshownnearthebeginningoftheconfiguration.

5.30.5Fix

ConfigurethedevicetoincludeDNSserversordisabledomainlookup.


5.31V-3021-SNMPaccessisnotrestrictedbyIPaddress.

5.31.1Summary

ThenetworkelementmustonlyallowSNMPaccessfromaddressesbelongingtothemanagementnetwork.Table305providesasummaryresultofthefindings.

Table305:SNMPaccessisnotrestrictedbyIPaddress.-Summaryresult

Device Type Status



5.31.2Description

DetailedinformationaboutthenetworkissentacrossthenetworkviaSNMP.Ifthisinformationisdiscoveredbyattackersitcouldbeusedtotracethenetwork,showthenetworkstopology,andpossiblygainaccesstonetworkdevices.

5.31.3Findings

router03

ThecommunitystringsdetailedinTable306wereconfiguredonrouter03.

Table306:SNMPcommunityconfiguration




CiscoIOS15

ThecommunitystringsdetailedinTable307wereconfiguredonCiscoIOS15.






5.31.4Check

ReviewdeviceconfigurationandverifythatitisconfiguredtoonlyallowSNMPaccessfromonlyaddressesbelongingtothemanagementnetwork.ThefollowingexamplesforSNMPv1,2,and3depicttheuseofanACLtorestrictSNMPaccesstothedevice.SNMPv1/v2cConfigurationExampleTheexampleACLNMS_LISTisusedtodefinewhatnetworkmanagementstationscanaccessthedeviceforwriteandreadonly(poll).ipaccess-liststandardNMS_LIST

permit10.1.1.24permit10.1.1.22permit10.1.1.23!snmp-servercommunityourCommStrRORWNMS_LISTsnmp-servercommunitywrite_pwRWNMS_LISTsnmp-serverenabletrapssnmplinkdownlinkupsnmp-serverhost10.1.1.1trap_comm_stringNote:Ifyouenterthesnmp-serverhostcommandwithnokeywords,thedefaultisversion1andtosendallenabledtrapstothehost.Noinformswillbesenttothishost.Ifnotrapsorinformskeywordispresent,trapsaresent.SNMPv3ConfigurationExampleTheexampleACLNMS_LISTandADMIN_LISTareusedtodefinewhatnetworkmanagementstationsandadministrator(users)desktopscanaccessthedevice.ipaccess-liststandardADMIN_LISTpermit10.1.1.35permit10.1.1.36ipaccess-liststandardNMS_LISTpermit10.1.1.24permit10.1.1.22permit10.1.1.23!snmp-servergroupNOCv3privreadVIEW_ALLwriteVIEW_LIMITaccessNMS_LISTsnmp-servergroupTRAP_GROUPv3privnotify*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0Fsnmp-servergroupADMIN_GROUPv3privreadVIEW_ALLwriteVIEW_ALLaccessADMIN_LISTsnmp-serverviewVIEW_ALLinternetincludedsnmp-serverviewVIEW_LIMITinternetincludedsnmp-serverviewVIEW_LIMITinternet.6.3.15excludedsnmp-serverviewVIEW_LIMITinternet.6.3.16excludedsnmp-serverviewVIEW_LIMITinternet.6.3.18excludedsnmp-serverenabletrapssnmplinkdownlinkupsnmp-serverhost10.1.1.24version3privTRAP_NMS1Note:FortheconfiguredgroupTRAP_GROUP,thenotifyviewisauto-generatedbythesnmp-serverhostcommandwhichbindtheuser(TRAP_NMS1)andthegroupitbelongsto(TRAP_GROUP)tothelistofnotifications(trapsorinforms)whicharesenttothehost.Hence,theconfigurationsnmp-servergroupTRAP_GROUPv3resultsinthefollowing:snmp-servergroupTRAP_GROUPv3privnotify*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

Note:Notrequiredbutforillustrationpurpose,theVIEW_LIMITexcludesMIBobjectswhichcouldpotentiallyrevealinformationaboutconfiguredSNMPcredentials.TheseobjectsaresnmpUsmMIB,snmpVacmMIB,andsnmpCommunityMIBwhichisconfiguredas1.3.6.1.6.3.15,1.3.6.1.6.3.16,and1.3.6.1.6.3.18respectively

NotethatSNMPv3usersarenotshowninarunningconfiguration.Youcanviewthemwiththeshowsnmpusercommand.Soforexample,ifthefollowinguserswereconfiguredassuch.snmp-serveruserHP_OVNOCv3authshaHPOVpswdprivaes256HPOVsecretkeysnmp-serveruserAdmin1ADMIN_GROUPv3authshaAdmin1PWprivaes256Admin1keysnmp-serveruserAdmin2ADMIN_GROUPv3authmd5Admin2passpriv3desAdmin2keysnmp-serveruserTRAP_NMS1TRAP_GROUPv3authshatrap_nms1_pwprivaestrap_nms1_keyTheshowsnmpusercommandwoulddepicttheconfiguredusersasfollows:R1#showsnmpuserUsername:HP_OVEngineID:AB12CD34EF56storage-type:nonvolatileactiveAuthenticationProtocol:SHAPrivacyProtocol:AES256Group-name:NOCUsername:Admin1EngineID:800000090300C20013080000storage-type:nonvolatileactiveAuthenticationProtocol:SHAPrivacyProtocol:AES256Group-name:ADMIN_GROUPUsername:Admin2

Severity:CATII


STIGID:NET0400

Controls:


EngineID:800000090300C20013080000storage-type:nonvolatileactiveAuthenticationProtocol:MD5PrivacyProtocol:3DESGroup-name:ADMIN_GROUPUsername:TRAP_NMS1EngineID:800000090300C20013080000storage-type:nonvolatileactiveAuthenticationProtocol:SHAPrivacyProtocol:AES256Group-name:TRAP_GROUPR1#

5.31.5Fix

ConfigurethenetworkdevicestoonlyallowSNMPaccessfromonlyaddressesbelongingtothemanagementnetwork.


5.32V-3034-Interiorroutingprotocolsarenotauthenticated.

5.32.1Summary

ThenetworkelementmustauthenticateallIGPpeers.Table308providesasummaryresultofthefindings.

Table308:Interiorroutingprotocolsarenotauthenticated.-Summaryresult

Device Type Status



5.32.2Description

Arogueroutercouldsendafictitiousroutingupdatetoconvinceasite’spremiseroutertosendtraffictoanincorrectorevenaroguedestination.Thisdivertedtrafficcouldbeanalyzedtolearnconfidentialinformationofthesite’snetwork,ormerelyusedtodisruptthenetwork’sabilitytoeffectivelycommunicatewithothernetworks.

5.32.3Findings

router03

OSPFareaauthenticationconfiguredonrouter03isdetailedinTable309.

Table309:OSPFareaauthentication

Area Authentication

0.0.0.0 None

30.10.20.40 None

TheRIPinterfaceauthenticationconfiguredonrouter03isdetailedinTable310.

Table310:RIPinterfaceauthentication

Interface Passive Authentication

GigabitEthernet1/1 No ClearText

GigabitEthernet1/2 No None

TheEIGRPinterfaceauthenticationconfiguredonrouter03isdetailedinTable311.

Table311:EIGRPinterfaceauthentication

Interface AS Passive Authentication

GigabitEthernet1/2 3 No None

Severity:CATII


STIGID:NET1675

Controls:


CiscoIOS15

OSPFareaauthenticationconfiguredonCiscoIOS15isdetailedinTable312.

Table312:OSPFareaauthentication

Area Authentication

0 MD5

TheRIPinterfaceauthenticationconfiguredonCiscoIOS15isdetailedinTable313.

Table313:RIPinterfaceauthentication

Interface Passive Authentication

FastEthernet0/0 No MD5

TheEIGRPinterfaceauthenticationconfiguredonCiscoIOS15isdetailedinTable314.

Table314:EIGRPinterfaceauthentication

Interface AS Passive Authentication

FastEthernet0/0 1 No MD5

5.32.4Check

ReviewthedeviceconfigurationtodetermineifauthenticationisconfiguredforallIGPpeers.IfauthenticationisnotconfiguredforallIGPpeers,thisisafinding.

5.32.5Fix

ConfigureauthenticationforallIGPpeers.


5.33V-3043-SNMPprivilegedandnon-privilegedaccess.

5.33.1Summary

ThenetworkdevicemustusedifferentSNMPcommunitynamesorgroupsforvariouslevelsofreadandwriteaccess.Table315providesasummaryresultofthefindings.

Table315:SNMPprivilegedandnon-privilegedaccess.-Summaryresult

Device Type Status



5.33.2Description

NumerousvulnerabilitiesexistwithSNMP;therefore,withoutuniqueSNMPcommunitynames,theriskofcompromiseisdramaticallyincreased.Thisisespeciallytruewithvendorsdefaultcommunitynameswhicharewidelyknownbyhackersandothernetworkingexperts.Ifahackergainsaccesstothesedevicesandcaneasilyguessthename,thiscouldresultindenialofservice,interceptionofsensitiveinformation,orotherdestructiveactions.

5.33.3Findings

router03

Table316detailstheSNMPcommunitystringsconfiguredonrouter03.





CiscoIOS15

Severity:CATI


STIGID:NET0460

Controls:


Table317detailstheSNMPcommunitystringsconfiguredonCiscoIOS15.






5.33.4Check

ReviewtheSNMPconfigurationofallmanagednodestoensuredifferentcommunitynames(V1/2)orgroups/users(V3)areconfiguredforread-onlyandread-writeaccess.IfuniquecommunitystringsoraccountsarenotusedforSNMPpeers,thisisafinding.

5.33.5Fix

ConfiguretheSNMPcommunitystringsonthenetworkdeviceandchangethemfromthedefaultvalues.SNMPcommunitystringsanduserpasswordsmustbeuniqueandnotmatchanyothernetworkdevicepasswords.Differentcommunitystrings(V1/2)orgroups(V3)mustbeconfiguredforvariouslevelsofreadandwriteaccess.


5.34V-3056-Groupaccountsaredefined.

5.34.1Summary

Groupaccountsmustnotbeconfiguredforuseonthenetworkdevice.Table318providesasummaryresultofthefindings.

Table318:Groupaccountsaredefined.-Summaryresult

Device Type Status



5.34.2Description

Groupaccountsconfiguredforuseonanetworkdevicedonotallowforaccountabilityorrepudiationofindividualsusingthesharedaccount.Ifgroupaccountsarenotchangedwhensomeoneleavesthegroup,thatpersoncouldpossiblygaincontrolofthenetworkdevice.Havinggroupaccountsdoesnotallowforproperauditingofwhoisaccessingorchangingthenetwork.

5.34.3Findings

router03

NipperStudioidentifiedthelocaluseraccountslistedinTable319onrouter03.

Table319:Users


temp password 15



CiscoIOS15

NipperStudioidentifiedthelocaluseraccountslistedinTable320onCiscoIOS15.

Table320:Users


admin (ENCRYPTED) 1

Test (ENCRYPTED) 1

5.34.4Check

Severity:CATII


STIGID:NET0465

Controls:ECSC-1


Reviewthenetworkdeviceconfigurationandvalidatetherearenogroupaccountsconfiguredforaccess.Ifagroupaccountisconfiguredonthedevice,thisisafinding.

5.34.5Fix

Configureindividualuseraccountsforeachauthorizedpersonthenremoveanygroupaccounts.


5.35V-3057-Accountsassignedleastprivilegesnecessarytoperformduties.

5.35.1Summary

Authorizedaccountsmustbeassignedtheleastprivilegelevelnecessarytoperformassignedduties.Table321providesasummaryresultofthefindings.

Table321:Accountsassignedleastprivilegesnecessarytoperformduties.-Summaryresult

Device Type Status



5.35.2Description

Bynotrestrictingauthorizedaccountstotheirproperprivilegelevel,accesstorestrictedfunctionsmaybeallowedbeforeauthorizedpersonellaretrainedorexperiencedenoughtousethosefunctions.Networkdisruptionsoroutagesmayoccurduetomistakesmadebyinexperiencedpersonsusingaccountswithgreaterprivilegesthannecessary.

5.35.3Findings

router03

The3userslistedinTable322wereconfiguredonrouter03.

Table322:Users


temp password 15



Table323:Userprivileges

Mode Level Access

exec chicken privilegeexeclevelchicken

CiscoIOS15

The2userslistedinTable324wereconfiguredonCiscoIOS15.

Table324:Users


admin (ENCRYPTED) 1

Test (ENCRYPTED) 1

5.35.4Check

Reviewtheaccountsauthorizedforaccesstothenetworkdevice.Determineiftheaccountsareassignedthelowestprivilegelevelnecessarytoperformassignedduties.Useraccountsmustbesettoaspecificprivilegelevelwhichcanbemappedtospecificcommandsoragroupofcommands.Authorizedaccountsshouldhavethegreatestprivilegelevelunlessdeemednecessaryforassignedduties.Ifitisdeterminedthatauthorizedaccountsareassignedtogreaterprivilegesthannecessary,thisisafinding.Belowisanexampleofassigningaprivilegeleveltoalocaluseraccountandchangingthedefaultprivilegeleveloftheconfigureterminalcommand.usernamejunior-engineer1privilege7passwordxxxxxx

Severity:CATII


STIGID:NET0470

Controls:


privilegeexeclevel7configureterminalTheaboveexampleonlycoverslocalaccounts.Youwillalsoneedtochecktheaccountsandtheirassociatedprivilegelevelsconfiguredintheauthenticationserver.YoucanalsouseTACACS+forevenmoregranularityatthecommandlevelasshowninthefollowingexample:user=junior-engineer1{password=clear"xxxxx"service=shell{setpriv-lvl=7}}

5.35.5Fix

Configureauthorizedaccountswiththeleastprivilegerule.Eachuserwillhaveaccesstoonlytheprivilegestheyrequiretoperformtheirassignedduties.


5.36V-3058-Unauthorizedaccountsareconfiguredtoaccessdevice.

5.36.1Summary

Unauthorizedaccountsmustnotbeconfiguredforaccesstothenetworkdevice.Table325providesasummaryresultofthefindings.

Table325:Unauthorizedaccountsareconfiguredtoaccessdevice.-Summaryresult

Device Type Status



5.36.2Description

Amalicioususerattemptingtogainaccesstothenetworkdevicemaycompromiseanaccountthatmaybeunauthorizedforuse.Theunauthorizedaccountmaybeatemporaryorinactiveaccountthatisnolongerneededtoaccessthedevice.DenialofService,interceptionofsensitiveinformation,orotherdestructiveactionscouldpotentiallytakeplaceifanunauthorizedaccountisconfiguredtoaccessthenetworkdevice.

5.36.3Findings

router03

NipperStudioidentifiedthelocaluseraccountslistedinTable326onrouter03.

Table326:Users


temp password 15



CiscoIOS15

NipperStudioidentifiedthelocaluseraccountslistedinTable327onCiscoIOS15.

Table327:Users


admin (ENCRYPTED) 1

Test (ENCRYPTED) 1

5.36.4Check

Reviewtheorganization'sresponsibilitieslistandreconcilethelistofauthorizedaccountswiththoseaccountsdefinedforaccesstothenetworkdevice.Ifanunauthorizedaccountisconfiguredforaccesstothedevice,thisisafinding.

5.36.5Fix

Removeanyaccountconfiguredforaccesstothenetworkdevicethatisnotdefinedintheorganization'sresponsibilitieslist.

Severity:CATI


STIGID:NET0600

Controls:ECSC-1



5.37V-3062-Passwordsareviewablewhendisplayingtheconfig.

5.37.1Summary

Thenetworkelementmustbeconfiguredtoensurepasswordsarenotviewablewhendisplayingconfigurationinformation.Table328providesasummaryresultofthefindings.

Table328:Passwordsareviewablewhendisplayingtheconfig.-Summaryresult

Device Type Status



5.37.2Description

Manyattacksinformationsystemsandnetworkelementsarelaunchedfromwithinthenetwork.Hence,itisimperativethatallpasswordsareencryptedsotheycannotbeinterceptedbyviewingtheconsoleorprintoutoftheconfiguration.

5.37.3Findings

router03

NipperStudiodeterminedthattheconfigurationpasswordencryptionoptionwasdisabledonrouter03.

NipperStudioidentifiedthefourusersdetailedinTable329configuredonrouter03.

Table329:Users



temp password 15



CiscoIOS15

NipperStudiodeterminedthattheconfigurationpasswordencryptionoptionwasenabledonCiscoIOS15.

NipperStudioidentifiedthefourusersdetailedinTable330configuredonCiscoIOS15.

Table330:Users


enable(secret) (ENCRYPTED) 15


admin (ENCRYPTED) 1

Test (ENCRYPTED) 1

5.37.4Check

ReviewallCiscoIOSroutersandswitchestodetermineiftheglobalcommand"servicepassword-encryption"ispresentintheconfigurations.Also,reviewallaccountscreatedonthedevicetoensuretheyhavebeensetupusingthe"usernamenamesecretpassword"command.ThefollowingcommandwillbefoundinthedeviceconfigurationsDevice#showrun!servicepassword-encryption!usernamenamesecret5$1$geU5$vc/uDRS5dWiOrpQJTimBw/enablesecret5$1%mer9396y30d$FDA/292/

5.37.5Fix

Configurethenetworkelementtoensurepasswordsarenotviewablewhendisplayingconfigurationinformation.

Severity:CATII


STIGID:NET1638

Controls:DCNR-1,ECSC-1


Device(config)#servicepasswordDevice(config)#usernamenamesecretS3cr3T!Device(config)#enablesecret$MyS3cr3TPW$Device(config)#end


5.38V-3069-ManagementconnectionsmustbesecuredbyFIPS140-2.

5.38.1Summary

ManagementconnectionstoanetworkdevicemustbeestablishedusingsecureprotocolswithFIPS140-2validatedcryptographicmodules.Table331providesasummaryresultofthefindings.

Table331:ManagementconnectionsmustbesecuredbyFIPS140-2.-Summaryresult

Device Type Status



5.38.2Description

AdministrationandmanagementconnectionsperformedacrossanetworkareinherentlydangerousbecauseanyonewithapacketsnifferandaccesstotherightLANsegmentcanacquirethenetworkdeviceaccountandpasswordinformation.Withthisinterceptedinformationtheycouldgainaccesstotherouterandcausedenialofserviceattacks,interceptsensitiveinformation,orperformotherdestructiveactions.

5.38.3Findings

router03

NipperStudiodeterminedthatthefollowingfivepotentiallyinsecuremanagementservicesdetailedinTable332wereconfiguredonrouter03

Table332:ManagementServices

Service State

Telnet Disabled

SSHv1 Disabled

RSH Disabled

HTTP Enabled

HTTPS Disabled

CiscoIOS15

NipperStudiodeterminedthatthefollowingfourpotentiallyinsecuremanagementservicesdetailedinTable333wereconfiguredonCiscoIOS15

Table333:ManagementServices

Service State

Telnet Disabled

RSH Disabled

HTTP Disabled

HTTPS Disabled

5.38.4Check

ReviewthenetworkdeviceconfigurationtoverifyonlysecureprotocolsusingFIPS140-2validatedcryptographicmodulesareusedforanyadministrativeaccess.Someofthesecureprotocolsusedforadministrativeandmanagementaccessarelistedbelow.Thislistisnotallinclusiveandrepresentsasampleselectionofsecureprotocols.-SSHv2-SCP-HTTPS-SSL-TLSThisisanexamplethatenablesSSHv2/SCP/HTTPSonanIOSDevice:!

Severity:CATIII


STIGID:NET1640

Controls:


ipdomain-nameexample.com!cryptokeygeneratersamodulus2048!ipsshtime-out60ipsshauthentication-retries3ipsshsource-interfaceGigabitEthernet0/1ipsshversion2!linevty015transportinputssh!ipscpserverenable!iphttpsecure-serverIfmanagementconnectionsareestablishedusingprotocolswithoutFIPS140-2validatedcryptographicmodules,thisisafinding.

5.38.5Fix

ConfigurethenetworkdevicetousesecureprotocolswithFIPS140-2validatedcryptographicmodules.


5.39V-3070-Managementconnectionsmustbelogged.

5.39.1Summary

Thenetworkelementmustlogallattemptstoestablishamanagementconnectionforadministrativeaccess.Table334providesasummaryresultofthefindings.

Table334:Managementconnectionsmustbelogged.-Summaryresult

Device Type Status



5.39.2Description

Auditlogsarenecessarytoprovideatrailofevidenceincasethenetworkiscompromised.Withoutanaudittrailthatprovidesawhen,where,whoandhowsetofinformation,repeatoffenderscouldcontinueattacksagainstthenetworkindefinitely.Withthisinformation,thenetworkadministratorcandevisewaystoblocktheattackandpossiblyidentifyandprosecutetheattacker.

5.39.3Findings

router03

Table335:ActiveAdministrationServices

Service ACL

HTTP

TheadministrativeVTYlineonrouter03wasconfiguredasdetailedinTable336.

Table336:VTYLines

Line Access Login Level Password Authorization Accounting FilterIn SSH Telnet

VTY0-4 Yes LinePassword 1 password Off Off 10 Yes No

CiscoIOS15

ThetwoadministrativeVTYlinesonCiscoIOS15wereconfiguredasdetailedinTable337.

Table337:VTYLines

Line Access Login Level Password Authorization Accounting FilterIn SSH Telnet

VTY0-4 Yes AAAAuthentication 1 password Off Off 1 Yes No

VTY5-807 Yes AAAAuthentication 1 Off Off 1 Yes No

Severity:CATIII


STIGID:NET1030

Controls:


NipperStudioidentifiedaruleinfilterrulelist1withoutlogging,asdetailedinTable338.

Table338:VTYLine0-4ACL1


1 Any No

NipperStudioidentifiedaruleinfilterrulelist1withoutlogging,asdetailedinTable339.

Table339:VTYLine5-807ACL1


1 Any No

5.39.4Check

RevieweachCiscorouterconfigurationtoensurethatallconnectionattemptstotheVTYportsareloggedasshowninthefollowingexample:access-list3permit192.168.1.10logaccess-list3permit192.168.1.11logaccess-list3denyanylog…linevty04access-class3in

5.39.5Fix

Configurethedevicetologallaccessattemptstothedevicetoestablishamanagementconnectionforadministrativeaccess.


5.40V-3072-Runningandstartupconfigurationsarenotsynchronized.

5.40.1Summary

Therunningconfigurationmustbesynchronizedwiththestartupconfigurationafterchangeshavebeenmadeandimplemented.Table340providesasummaryresultofthefindings.

Table340:Runningandstartupconfigurationsarenotsynchronized.-Summaryresult

Device Type Status



5.40.2Description

Iftherunningandstartuprouterconfigurationsarenotsynchronizedproperlyandaroutermalfunctions,itwillnotrestartwithalloftherecentchangesincorporated.Iftherecentchangesweresecurityrelated,thentherouterswouldbevulnerabletoattack.

5.40.3Check

Reviewtherunningandbootconfigurationstodetermineiftheyaresynchronized.IOSProcedure:Withonlineediting,the"showrunning-config"commandwillonlyshowthecurrentrunningconfigurationsettings,whicharedifferentfromtheIOSdefaults.The"showstartup-config"commandwillshowtheNVRAMstartupconfiguration.Comparethetwoconfigurationstoensuretheyaresynchronized.JUNOSProcedure:Thiswillneverbeafinding.Theactiveconfigurationisstoredonflashasjuniper.conf.Acandidateconfigurationallowsconfigurationchangeswhileinconfigurationmodewithoutinitiatingoperationalchanges.Therouterimplementsthecandidateconfigurationwhenitiscommitted;thereby,makingitthenewactiveconfiguration--atwhichtimeitwillbestoredonflashasjuniper.confandtheoldjuniper.confwillbecomejuniper.conf.1.Ifrunningconfigurationandbootconfigurationsarenotthesame,thisisafinding.

5.40.4Fix

Addprocedurestothestandardoperatingproceduretokeeptherunningconfigurationsynchronizedwiththestartupconfiguration.

Severity:CATIII


STIGID:NET0720

Controls:


Severity:CATIII


5.41V-3078-TCPandUDPsmallserverservicesarenotdisabled.

5.41.1Summary

NetworkdevicesmusthaveTCPandUDPsmallserversdisabled.Table341providesasummaryresultofthefindings.

Table341:TCPandUDPsmallserverservicesarenotdisabled.-Summaryresult

Device Type Status



5.41.2Description

CiscoIOSprovidesthe"smallservices"thatincludeecho,chargen,anddiscard.Theseservices,especiallytheirUserDatagramProtocol(UDP)versions,areinfrequentlyusedforlegitimatepurposes.However,theyhavebeenusedtolaunchdenialofserviceattacksthatwouldotherwisebepreventedbypacketfiltering.Forexample,anattackermightsendaDNSpacket,falsifyingthesourceaddresstobeaDNSserverthatwouldotherwisebeunreachable,andfalsifyingthesourceporttobetheDNSserviceport(port53).IfsuchapacketweresenttotheCisco'sUDPechoport,theresultwouldbeCiscosendingaDNSpackettotheserverinquestion.Nooutgoingaccesslistcheckswouldbeappliedtothispacket,sinceitwouldbeconsideredlocallygeneratedbytherouteritself.ThesmallservicesaredisabledbydefaultinCiscoIOS12.0andlatersoftware.Inearliersoftware,theymaybedisabledusingthecommandsnoservicetcp-small-serversandnoserviceudp-small-servers.

5.41.3Findings

router03

Table342detailsthesmallservicesonrouter03.

Table342:SmallServices

Service Status

TCPSmallServers Enabled

UDPSmallServers Enabled

CiscoIOS15

Table343detailsthesmallservicesonCiscoIOS15.

Table343:SmallServices

Service Status

TCPSmallServers Disabled

UDPSmallServers Disabled

5.41.4Check

ReviewallCiscodeviceconfigurationstoverifyserviceudp-small-serversandservicetcp-small-serversarenotfound.IfTCPandUDPserversarenotdisabled,thisisafinding.Note:TheTCPandUDPsmallserversareenabledbydefaultonCiscoIOSSoftwareVersion11.2andearlier.TheyaredisabledbydefaultonCiscoIOSSoftwareVersions11.3andlater.

5.41.5Fix

ChangethedeviceconfigurationtoincludethefollowingIOScommands:noservicetcp-small-serversandnoserviceudp-small-serversforeachdevicerunninganIOSversionpriorto12.0.ThisisthedefaultforIOSversions12.0andlater(i.e.,thesecommandswillnotappearintherunningconfiguration.)


5.42V-3079-Thefingerserviceisnotdisabled.

5.42.1Summary

ThenetworkelementmusthavetheFingerservicedisabled.Table344providesasummaryresultofthefindings.


STIGID:NET0730

Controls:


Severity:CATII


STIGID:NET0760

Controls:


Table344:Thefingerserviceisnotdisabled.-Summaryresult

Device Type Status



5.42.2Description

ThefingerservicesupportstheUNIXfingerprotocol,whichisusedforqueryingahostabouttheusersthatareloggedon.Thisserviceisnotnecessaryforgenericusers.Ifanattackerweretofindoutwhoisusingthenetwork,theymayusesocialengineeringpracticestotrytoelicitclassifiedDoDinformation.

5.42.3Findings

TheFingerservicestatusisdetailedinTable345.

Table345:STIGNET0730Fingerservicestatus

Device FingerService

router03 Enabled

CiscoIOS15 Disabled

5.42.4Check

Reviewthedeviceconfiguration.BeginningwithIOS12.1(5),fingerisdisabledbydefault.ForIOSversion12.0through12.1(4),verifythatthenoipfingercommandispresent.Foranyversionpriorto12.0,verifythatthenoservicefingercommandispresent.

5.42.5Fix

ConfigurethedevicetodisabletheFingerservice.


5.43V-3080-Configurationauto-loadingmustbedisabled.

5.43.1Summary

TheConfigurationauto-loadingfeaturemustbedisabled.Table346providesasummaryresultofthefindings.

Table346:Configurationauto-loadingmustbedisabled.-Summaryresult

Device Type Status



5.43.2Description

DevicescanfindtheirstartupconfigurationeitherintheirownNVRAMoraccessitoverthenetworkviaTFTPorRemoteCopy(rcp).Loadingtheimagefromthenetworkistakingasecurityrisksincetheimagecouldbeinterceptedbyanattackerwhocouldcorrupttheimageresultinginadenialofservice.

5.43.3Check

Reviewthedeviceconfigurationtodetermineiftheconfigurationauto-loadingfeatureisdisabled.Iftheconfigurationauto-loadingfeatureisenabled,thisisafinding.

5.43.4Fix

Disabletheconfigurationauto-loadingfeature.


5.44V-3081-IPSourceRoutingisnotdisabledonallrouters.

Severity:CATII


STIGID:NET0770

Controls:


Severity:CATIII


STIGID:NET0790

Controls:ECSC-1


5.44.1Summary

TheroutermusthaveIPsourceroutingdisabled.Table347providesasummaryresultofthefindings.

Table347:IPSourceRoutingisnotdisabledonallrouters.-Summaryresult

Device Type Status



5.44.2Description

SourceroutingisafeatureofIP,wherebyindividualpacketscanspecifyroutes.Thisfeatureisusedinseveraldifferentnetworkattacksbybypassingperimeterandinternaldefensemechanisms.

5.44.3Check

Reviewtheconfigurationtodetermineifsourceroutingisenabled.TheIOScommandnoipsource-routemustbeincludedintheconfiguration.

5.44.4Fix

ConfiguretheroutertodisableIPsourcerouting.


5.45V-3083-IPdirectedbroadcastisnotdisabled.

5.45.1Summary

IPdirectedbroadcastmustbedisabledonalllayer3interfaces.Table348providesasummaryresultofthefindings.

Table348:IPdirectedbroadcastisnotdisabled.-Summaryresult

Device Type Status



5.45.2Description

AnIPdirectedbroadcastisadatagramsenttothebroadcastaddressofasubnetthatisnotdirectlyattachedtothesendingmachine.Thedirectedbroadcastisroutedthroughthenetworkasaunicastpacketuntilitarrivesatthetargetsubnet,whereitisconvertedintoalink-layerbroadcast.BecauseofthenatureoftheIPaddressingarchitecture,onlythelastrouterinthechain,whichisconnecteddirectlytothetargetsubnet,canconclusivelyidentifyadirectedbroadcast.IPdirectedbroadcastsareusedintheextremelycommonandpopularsmurf,orDenialofService(DoS),attacks.Inasmurfattack,theattackersendsICMPechorequestsfromafalsifiedsourceaddresstoadirectedbroadcastaddress,causingallthehostsonthetargetsubnettosendrepliestothefalsifiedsource.Bysendingacontinuousstreamofsuchrequests,theattackercancreateamuchlargerstreamofreplies,whichcancompletelyinundatethehostwhoseaddressisbeingfalsified.ThisserviceshouldbedisabledonallinterfaceswhennotneededtopreventsmurfandDoSattacks.DirectedbroadcastcanbeenabledoninternalfacinginterfacestosupportservicessuchasWake-On-LAN.Casescenariomayalsoincludesupportforlegacyapplicationswherethecontentserverandtheclientsdonotsupportmulticast.ThecontentserverssendstreamingdatausingUDPbroadcast.Usedinconjunctionwiththeipmulticasthelper-mapfeature,broadcastdatacanbesentacrossamulticasttopology.Thebroadcaststreamsareconvertedtomulticastandviceversaatthefirst-hoproutersandlast-hoproutersbeforeenteringleavingthemulticasttransitarearespectively.Thelast-hoproutermustconvertthemulticasttobroadcast.Hence,thisinterfacemustbeconfiguredtoforwardabroadcastpacket(i.e.adirectedbroadcastaddressisconvertedtotheallnodesbroadcastaddress).

5.45.3Check

IPdirectedbroadcastisdisabledbydefaultinIOSversion12.0andhighersothecommand"noipdirected-broadcast"willnotbedisplayedintherunningconfiguration--verifythattherunningconfigurationdoesnotcontainthecommand"ipdirected-broadcast".Forversionspriorto12.0ensurethecommand"noipdirected-broadcast"isdisplayedintherunningconfiguration.IfIPdirectedbroadcastsareenabledonlayer3interfaces,thisisafinding.

5.45.4Fix

DisableIPdirectedbroadcastsonalllayer3interfaces.

Severity:CATII


STIGID:NET0740

Controls:


Severity:CATIII


STIGID:NET0750

Controls:



5.46V-3085-HTTPserverisnotdisabled

5.46.1Summary

ThenetworkelementmusthaveHTTPserviceforadministrativeaccessdisabled.Table349providesasummaryresultofthefindings.

Table349:HTTPserverisnotdisabled-Summaryresult

Device Type Status



5.46.2Description

Theadditionalservicesthattherouterisenabledforincreasestheriskforanattacksincetherouterwilllistenfortheseservices.Inaddition,theseservicesprovideanunsecuredmethodforanattackertogainaccesstotherouter.MostrecentsoftwareversionssupportremoteconfigurationandmonitoringusingtheWorldWideWeb'sHTTPprotocol.Ingeneral,HTTPaccessisequivalenttointeractiveaccesstotherouter.TheauthenticationprotocolusedforHTTPisequivalenttosendingaclear-textpasswordacrossthenetwork,and,unfortunately,thereisnoeffectiveprovisioninHTTPforchallenge-basedorone-timepasswords.ThismakesHTTParelativelyriskychoiceforuseacrossthepublicInternet.Anyadditionalservicesthatareenabledincreasetheriskforanattacksincetherouterwilllistenfortheseservices.

5.46.3Findings

TheHTTPservicestatusisdetailedinTable350.

Table350:STIGNET0740HTTPservicestatus

Device HTTPService

router03 Enabled

CiscoIOS15 Disabled

5.46.4Check

Verifythatthecommand"iphttp-server"isnotdefinedintheconfiguration.Asof12.4,thehttpserverisstilldisabledbydefault.However,sincemanydefaultsarenotshownbyIOS,youmaynotseethecommand"noiphttp-server"intheconfigurationdependingontherelease.

5.46.5Fix

ConfigurethedevicetodisableusingHTTP(port80)foradministrativeaccess.


5.47V-3086-TheBootpserviceisnotdisabled.

5.47.1Summary

BOOTPservicesmustbedisabled.Table351providesasummaryresultofthefindings.

Table351:TheBootpserviceisnotdisabled.-Summaryresult

Device Type Status



5.47.2Description

BOOTPisauserdatagramprotocol(UDP)thatcanbeusedbyCiscorouterstoaccesscopiesofCiscoIOSSoftwareonanotherCiscorouterrunningtheBOOTPservice.Inthisscenario,oneCiscorouteractsasaCiscoIOSSoftwareserverthatcandownloadthesoftwaretootherCiscoroutersactingasBOOTPclients.Inreality,thisserviceisrarelyusedandcanallowanattackertodownloadacopyofarouter'sCiscoIOSSoftware.

Severity:CATI


STIGID:NET0240

Controls:


Severity:CATII


STIGID:NET0700

Controls:


5.47.3Check

ReviewthedeviceconfigurationtodetermineifBOOTPservicesareenabled.IfBOOTPisenabled,thisisafinding.

5.47.4Fix

ConfigurethedevicetodisableallBOOTPservices.


5.48V-3143-Devicesexistwithstandarddefaultpasswords.

5.48.1Summary

Networkdevicesmustnothaveanydefaultmanufacturerpasswords.Table352providesasummaryresultofthefindings.

Table352:Devicesexistwithstandarddefaultpasswords.-Summaryresult

Device Type Status



5.48.2Description

Networkdevicesnotprotectedwithstrongpasswordschemesprovidetheopportunityforanyonetocrackthepasswordthusgainingaccesstothedeviceandcausingnetworkoutageordenialofservice.Manydefaultvendorpasswordsarewell-known;hence,notremovingthempriortodeployingthenetworkdevicesintoproductionprovidesanopportunityforamalicioususertogainunauthorizedaccesstothedevice.

5.48.3Findings

router03

NipperStudiodeterminedthattherewerenodefaultpasswordsonrouter03.

CiscoIOS15

NipperStudiodeterminedthattherewerenodefaultpasswordsonCiscoIOS15.

5.48.4Check

Reviewthenetworkdevicesconfigurationtodetermineifthevendordefaultpasswordisactive.Ifanyvendordefaultpasswordsareusedonthedevice,thisisafinding.

5.48.5Fix

Removeanyvendordefaultpasswordsfromthenetworkdevicesconfiguration.


5.49V-3160-Operatingsystemisnotatacurrentreleaselevel.

5.49.1Summary

ThenetworkelementmustberunningacurrentandsupportedoperatingsystemwithallIAVMsaddressed.Table353providesasummaryresultofthefindings.

Table353:Operatingsystemisnotatacurrentreleaselevel.-Summaryresult

Device Type Status



5.49.2Description

Severity:CATI


STIGID:NET1636

Controls:ECSC-1


Networkdevicesthatarenotrunningthelatesttestedandapprovedversionsofsoftwarearevulnerabletonetworkattacks.Runningthemostcurrent,approvedversionofsystemanddevicesoftwarehelpsthesitemaintainastablebaseofsecurityfixesandpatches,aswellasenhancementstoIPsecurity.Viruses,denialofserviceattacks,systemweaknesses,backdoorsandotherpotentiallyharmfulsituationscouldrenderasystemvulnerable,allowingunauthorizedaccesstoDoDassets.

5.49.3Findings

NipperStudiodeterminedthedeviceOSinformationdetailedinTable354.

Table354:Deviceinformation

Device Make Model Version

router03 Cisco Router router03

CiscoIOS15 Cisco Router CiscoIOS15

*PleasenotethattheinformationprovidedintheSTIGcheckbelowmaynotbeentirelyaccurate,i.e.newerversionsofIOSmaybeavailable.

5.49.4Check

HavetheadministratorentertheshowversioncommandtodeterminetheinstalledIOSversion.AsofJune2010,thelatestmajorreleaseis12.4forroutersand12.2forswitches(bothaccessandmulti-layer).ThereleasebeingusedmusthaveallIAVMsresolvedandmustnotbeinaCiscodeferredstatusorhasbeenmadeobsolete.AsktheadministratorlogintotheCiscoSoftwareCentertodownloadsoftware.Selectthespecificrouterorswitchmodel.SelecttheIOSSoftwarelinkandthenVerifythatthereleasebeingusedislistedunderthereleasefamily(willneedtoexpandthelist)andnotinthedeferredlist.Ifthereleaseisnotlistedineitherthereleasefamilyordeferred,thenthereleaseisobsolete.VerifythatallIAVMshavebeenaddressed.Note:CiscosoftwareinadifferedstatewillstillbeattheCiscoSoftwareCenterandavailablefordownloadunderthedeferredgroup,whereassoftwaremadeobsoleteisnolongeravailablefordownload.DeferredstatusoccurswhenasoftwaremaintenancereleaseismadeobsoleteandremovedfromorderabilityandserviceoutsideofCisco'snormalreleaseschedule,orCiscocancelsascheduledmaintenancereleasefromreachingtheFirst-Customer-Ship(FCS)milestone.Deferralsaremostoftenrelatedtosoftwarequalityissues.Adeferralcanbeperformedforanentiremaintenancerelease,orjustforcertainsetsofplatformsorfeatureswithinarelease.AdeferralpriortotheFCSmilestonemaybeperformedbyCiscotoprotectcustomersfromreceivingsoftwarewithknowncatastrophicdefects.AdeferralafterFCSwillexpediteobsolescenceforthereleasetolimittheexposureofcustomers.

5.49.5Fix

UpdateoperatingsystemtoasupportedversionthataddressesallrelatedIAVMs.


5.50V-3175-Managementconnectionsmustrequirepasswords.

5.50.1Summary

Thenetworkdevicesmustrequireauthenticationpriortoestablishingamanagementconnectionforadministrativeaccess.Table355providesasummaryresultofthefindings.

Table355:Managementconnectionsmustrequirepasswords.-Summaryresult

Device Type Status



5.50.2Description

Networkdeviceswithnopasswordforadministrativeaccessviaamanagementconnectionprovidetheopportunityforanyonewithnetworkaccesstothedevicetomakeconfigurationchangesenablingthemtodisruptnetworkoperationsresultinginanetworkoutage.

5.50.3Findings

router03

NipperStudiodeterminedthattheLinesconfiguredonrouter03requiredauthenticationforadministrativeaccess.Table356detailstheconfiguredLines.


Console Yes LinePassword 1 password Off Off

Auxiliary Yes LinePassword 1 password Off Off

Severity:CATI


STIGID:NET1660

Controls:


Table356:AdministrativeLinesconfiguredonrouter03.

VTY0-4 Yes LinePassword 1 password Off Off 10

NipperStudiodeterminedthattheUsersconfiguredonrouter03requiredauthenticationforadministrativeaccess.Table357detailstheconfiguredUsers.

Table357:Localusersconfiguredonrouter03.



temp password 15






CiscoIOS15

NipperStudiodeterminedthattheLinesconfiguredonCiscoIOS15requiredauthenticationforadministrativeaccess.Table358detailstheconfiguredLines.

Table358:AdministrativeLinesconfiguredonCiscoIOS15.


Console Yes AAAAuthentication 1 Off Off

Auxiliary No N/A 1 Off Off

Interface0/0/0 Yes AAAAuthentication 1 Off Off



NipperStudiodeterminedthattheUsersconfiguredonCiscoIOS15requiredauthenticationforadministrativeaccess.Table359detailstheconfiguredUsers.

Table359:LocalusersconfiguredonCiscoIOS15.




admin (ENCRYPTED) 1

Test (ENCRYPTED) 1


5.50.4Check

Reviewthenetworkdeviceconfigurationtoverifyallmanagementconnectionsforadministrativeaccessrequireauthentication.ThevtyportsshouldlooksimilartotheexamplebelowthatreferencesanauthenticationlistconfiguredasAUTH_LIST.linevty04loginauthenticationAUTH_LISTexec-timeout100transportinputssh

5.50.5Fix

Configureauthenticationforallmanagementconnections.


5.51V-3196-AninsecureversionofSNMPisbeingused.

5.51.1Summary

ThenetworkdevicemustuseSNMPVersion3SecurityModelwithFIPS140-2validatedcryptographyforanySNMPagentconfiguredonthedevice.Table360providesasummaryresultofthefindings.

Device Type Status

Severity:CATI


STIGID:NET1665

Controls:


Table360:AninsecureversionofSNMPisbeingused.-Summaryresult



5.51.2Description

SNMPVersions1and2arenotconsideredsecure.WithoutthestrongauthenticationandprivacythatisprovidedbytheSNMPVersion3User-basedSecurityModel(USM),anunauthorizedusercangainaccesstonetworkmanagementinformationusedtolaunchanattackagainstthenetwork.

5.51.3Findings

router03

NipperStudiodeterminedthatSNMPversion1/2wasenabledonrouter03.

CiscoIOS15

NipperStudiodeterminedthatSNMPversion1/2wasenabledonCiscoIOS15.

5.51.4Check

ReviewthedeviceconfigurationtoverifyitisconfiguredtouseSNMPv3withbothSHAauthenticationandprivacyusingAESencryption.Downgrades:IfthesiteisusingVersion1orVersion2withalloftheappropriatepatchesandhasdevelopedamigrationplantoimplementtheVersion3SecurityModel,thisfindingcanbedowngradedtoaCategoryII.IfthetargetedassetisrunningSNMPv3anddoesnotsupportSHAorAES,butthedeviceisconfiguredtouseMD5authenticationandDESor3DESencryption,thenthefindingcanbedowngradedtoaCategoryIII.IfthesiteisusingVersion1orVersion2andhasinstalledalloftheappropriatepatchesorupgradestomitigateanyknownsecurityvulnerabilities,thisfindingcanbedowngradedtoaCategoryII.Inaddition,ifthedevicedoesnotsupportSNMPv3,thisfindingcanbedowngradedtoaCategoryIIIprovidedalloftheappropriatepatchestomitigateanyknownsecurityvulnerabilitieshavebeenappliedandhasdevelopedamigrationplanthatincludesthedeviceupgradetosupportVersion3andtheimplementationoftheVersion3SecurityModel.IfthedeviceisconfiguredtousetoanythingotherthanSNMPv3withatleastSHA-1andAES,thisisafinding.Downgradescanbedeterminedbasedonthecriteriaabove.

5.51.5Fix

IfSNMPisenabled,configurethenetworkdevicetouseSNMPVersion3SecurityModelwithFIPS140-2validatedcryptography(i.e.,SHAauthenticationandAESencryption).


5.52V-3210-UsingdefaultSNMPcommunitynames.

5.52.1Summary

Thenetworkdevicemustnotusethedefaultorwell-knownSNMPcommunitystringspublicandprivate.Table361providesasummaryresultofthefindings.

Table361:UsingdefaultSNMPcommunitynames.-Summaryresult

Device Type Status



5.52.2Description

Networkdevicesmaybedistributedbythevendorpre-configuredwithanSNMPagentusingthewell-knownSNMPcommunitystringspublicforreadonlyandprivateforreadandwriteauthorization.Anattackercanobtaininformationaboutanetworkdeviceusingthereadcommunitystring"public".Inaddition,anattackercanchangeasystemconfigurationusingthewritecommunitystring"private".

5.52.3Check

ReviewthenetworkdevicesconfigurationandverifyifeitheroftheSNMPcommunitystrings"public"or"private"isbeingused.Ifdefaultorwell-knowncommunitystringsareusedforSNMP,thisisafinding.

Severity:CATII


STIGID:NET0440

Controls:

Responsibility:

Severity:CATII

5.52.4Fix

ConfigureuniqueSNMPcommunitystringsreplacingthedefaultcommunitystrings.


5.53V-3966-Morethanonelocalaccountisdefined.

5.53.1Summary

Intheeventtheauthenticationserverisunavailable,thenetworkdevicemusthaveasinglelocalaccountoflastresortdefined.Table362providesasummaryresultofthefindings.

Table362:Morethanonelocalaccountisdefined.-Summaryresult

Device Type Status



5.53.2Description

Authenticationforadministrativeaccesstothedeviceisrequiredatalltimes.Asingleaccountoflastresortcanbecreatedonthedevice'slocaldatabaseforuseinanemergencysuchaswhentheauthenticationserverisdownorconnectivitybetweenthedeviceandtheauthenticationserverisnotoperable.Theconsoleorlocalaccountoflastresortlogoncredentialsmustbestoredinasealedenvelopeandkeptinasafe.

5.53.3Findings

router03

NipperStudioidentifiedthreeadministrativelocaluseraccountsconfiguredonrouter03.ThesearedetailedinTable363.

Table363:Users


temp password 15



CiscoIOS15

NipperStudioidentifiedtwoadministrativelocaluseraccountsconfiguredonCiscoIOS15.ThesearedetailedinTable364.

Table364:Users


admin (ENCRYPTED) 1

Test (ENCRYPTED) 1

5.53.4Check

Reviewthenetworkdeviceconfigurationtodetermineifanauthenticationserverisdefinedforgainingadministrativeaccess.Ifso,theremustbeonlyonelocalaccountoflastresortconfiguredlocallyforanemergency.Verifytheusernameandpasswordforthelocalaccountoflastresortiscontainedwithinasealedenvelopekeptinasafe.Ifanauthenticationserverisusedandmorethanonelocalaccountexists,thisisafinding.

5.53.5Fix

Configurethedevicetoonlyallowonelocalaccountoflastresortforemergencyaccessandstorethecredentialsinasecuremanner.


5.54V-3967-Theconsoleportdoesnottimeoutafter10minutes.

5.54.1Summary

Thenetworkelementmusttimeoutaccesstotheconsoleportafter10minutesorlessofinactivity.Table365providesasummaryresultofthefindings.


STIGID:NET1624

Controls:


Severity:CATII


STIGID:NET0894

Controls:ECSC-1


Table365:Theconsoleportdoesnottimeoutafter10minutes.-Summaryresult

Device Type Status



5.54.2Description

Terminatinganidlesessionwithinashorttimeperiodreducesthewindowofopportunityforunauthorizedpersonneltotakecontrolofamanagementsessionenabledontheconsoleorconsoleportthathasbeenleftunattended.Inadditionquicklyterminatinganidlesessionwillalsofreeupresourcescommittedbythemanagednetworkelement.Settingthetimeoutofthesessionto10minutesorlessincreasesthelevelofprotectionaffordedcriticalnetworkcomponents.

5.54.3Check

Reviewtheconfigurationandverifythatasessionusingtheconsoleportwilltimeoutafter10minutesorlessofinactivityasshowninthefollowingexample:linecon0exec-timeout100

5.54.4Fix

Configurethetimeoutforidleconsoleconnectionto10minutesorless.


5.55V-3969-NetworkelementmustonlyallowSNMPreadaccess.

5.55.1Summary

ThenetworkdevicemustonlyallowSNMPread-onlyaccess.Table366providesasummaryresultofthefindings.

Table366:NetworkelementmustonlyallowSNMPreadaccess.-Summaryresult

Device Type Status



5.55.2Description

EnablingwriteaccesstothedeviceviaSNMPprovidesamechanismthatcanbeexploitedbyanattackertosetconfigurationvariablesthatcandisruptnetworkoperations.

5.55.3Check

ReviewthenetworkdeviceconfigurationandverifySNMPcommunitystringsareread-onlywhenusingSNMPv1,v2c,orbasicv3(noauthenticationorprivacy).WriteaccessmaybeusedifauthenticationisconfiguredwhenusingSNMPv3.Ifwrite-accessisusedforSNMPversions1,2c,or3-noAuthNoPrivmodeandthereisnodocumentedapprovalbytheIAO,thisisafinding.SNMPv1/v2cConfigurationExampleDevice#showrun!ipaccess-liststandardNMS_LISTpermit10.1.1.22permit10.1.1.24!snmp-servercommunityc0macc3ssRONMS_LISTsnmp-servercommunityR34dWr1t3RWNMS_LISTsnmp-serverlocationSomewhereUSAsnmp-servercontactsnmp.admin@snmp.milsnmp-serverenabletrapssnmphost10.1.1.22trapsSNMPv1

snmphost10.1.1.24trapsSNMPv2c

SNMPv3ConfigurationExampleTheexampleACLNMS_LISTandADMIN_LISTareusedtodefinewhatnetworkmanagementstationsandadministrator(users)desktopscanaccessthedevice.Examineallgroupstatementstodeterminewhatgroupsareallowedwriteaccess.Havetheadministratorentera"showsnmpuser"commandandexamineallusersforthesegroupstoverifythattheymustbeauthenticated.Device#showrun!ipaccess-liststandardADMIN_LISTpermit10.1.1.35permit10.1.1.36ipaccess-liststandardNMS_LISTpermit10.1.1.24permit10.1.1.22permit10.1.1.23!snmp-servergroupNOCv3privreadVIEW_ALLwriteVIEW_LIMITaccessNMS_LISTsnmp-servergroupTRAP_GROUPv3privnotify*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0Fsnmp-servergroupADMIN_GROUPv3privreadVIEW_ALLwriteVIEW_ALLaccessADMIN_LISTsnmp-serverviewVIEW_ALLinternetincludedsnmp-serverviewVIEW_LIMITinternetincludedsnmp-serverviewVIEW_LIMITinternet.6.3.15excludedsnmp-serverviewVIEW_LIMITinternet.6.3.16excludedsnmp-serverviewVIEW_LIMITinternet.6.3.18excludedsnmp-serverenabletrapssnmplinkdownlinkupsnmp-serverhost10.1.1.24version3privTRAP_NMS1Note:FortheconfiguredgroupTRAP_GROUP,thenotifyviewisauto-generatedbythesnmp-serverhostcommandwhichbindtheuser(TRAP_NMS1)andthegroupitbelongsto(TRAP_GROUP)tothelistofnotifications(trapsorinforms)whicharesenttothehost.Hence,theconfigurationsnmp-servergroupTRAP_GROUPv3resultsinthefollowing:snmp-servergroupTRAP_GROUPv3privnotify*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0FNote:Also,forillustrationpurposeonly,theVIEW_LIMITexcludesMIBobjectswhichcouldpotentiallyrevealinformationaboutconfiguredSNMPcredentials.TheseobjectsaresnmpUsmMIB,snmpVacmMIB,andsnmpCommunityMIBwhichisconfiguredas1.3.6.1.6.3.15,1.3.6.1.6.3.16,and1.3.6.1.6.3.18respectively

SNMPv3usersarenotshowninarunningconfiguration.Youcanviewthemwiththeshow"snmpuser"command.Soforexample,ifthefollowinguserswereconfiguredassuch.snmp-serveruserHP_OVNOCv3authshaHPOVpswdprivaes256HPOVsecretkeysnmp-serveruserAdmin1ADMIN_GROUPv3authshaAdmin1PWprivaes256Admin1keysnmp-serveruserAdmin2ADMIN_GROUPv3authmd5Admin2passpriv3desAdmin2keysnmp-serveruserTRAP_NMS1TRAP_GROUPv3authshatrap_nms1_pwprivaestrap_nms1_keyTheshowsnmpusercommandwoulddepicttheconfiguredusersasfollows:Device#showsnmpuserUsername:HP_OVEngineID:AB12CD34EF56storage-type:nonvolatileactiveAuthenticationProtocol:SHAPrivacyProtocol:AES256Group-name:NOCUsername:Admin1EngineID:800000090300C20013080000storage-type:nonvolatileactiveAuthenticationProtocol:SHAPrivacyProtocol:AES256Group-name:ADMIN_GROUPUsername:Admin2EngineID:800000090300C20013080000storage-type:nonvolatileactiveAuthenticationProtocol:MD5PrivacyProtocol:3DESGroup-name:ADMIN_GROUPUsername:TRAP_NMS1

Severity:CATI


STIGID:NET1623

Controls:IAIA-1,IAIA-2


Severity:CATIII


STIGID:NET1021

Controls:


EngineID:800000090300C20013080000storage-type:nonvolatileactiveAuthenticationProtocol:SHAPrivacyProtocol:AES256Group-name:TRAP_GROUP

5.55.4Fix

Configurethenetworkdevicetoallowforread-onlySNMPaccesswhenusingSNMPv1,v2c,orbasicv3(noauthenticationorprivacy).WriteaccessmaybeusedifauthenticationisconfiguredwhenusingSNMPv3.


5.56V-4582-Authenticationrequiredforconsoleaccess.

5.56.1Summary

Thenetworkdevicemustrequireauthenticationforconsoleaccess.Table367providesasummaryresultofthefindings.

Table367:Authenticationrequiredforconsoleaccess.-Summaryresult

Device Type Status



5.56.2Description

Networkdeviceswithnopasswordforadministrativeaccessviatheconsoleprovidetheopportunityforanyonewithphysicalaccesstothedevicetomakeconfigurationchangesenablingthemtodisruptnetworkoperationsresultinginanetworkoutage.

5.56.3Findings

router03

NipperStudiodeterminedthatconsoleandauxaccessispasswordprotectedonrouter03.

CiscoIOS15

NipperStudiodeterminedthatconsoleandauxaccessispasswordprotectedonCiscoIOS15.

5.56.4Check

Reviewthenetworkdevice'sconfigurationandverifyauthenticationisrequiredforconsoleaccess.Ifthedeviceisaccessedviatheauxport,thenverifythatthisportalsorequiresauthentication.Ifitisnotused,thenitmustbedisabled.TheconsoleportandthedisabledauxportshouldlooksimilartotheconfigurationexamplebelowthatreferencesanauthenticationlistconfiguredasAUTH_LIST.linecon0loginauthenticationAUTH_LISTexec-timeout100lineaux0noexec

5.56.5Fix

Configureauthenticationforconsoleaccessonthenetworkdevice.


5.57V-4584-Thenetworkelementmustlogallmessagesexceptdebugging.

5.57.1Summary

Thenetworkelementmustlogallmessagesexceptdebuggingandsendalllogdatatoasyslogserver.Table368providesasummaryresultofthefindings.

Device Type Status

Table368:Thenetworkelementmustlogallmessagesexceptdebugging.-Summaryresult



5.57.2Description

Loggingisacriticalpartofroutersecurity.Maintaininganaudittrailofsystemactivitylogs(syslog)canhelpidentifyconfigurationerrors,understandpastintrusions,troubleshootservicedisruptions,andreacttoprobesandscansofthenetwork.Sysloglevels0-6arethelevelsrequiredtocollectthenecessaryinformationtohelpintherecoveryprocess.

5.57.3Check

CiscoIOSroutersandswitchesuselevel6(informational)whenloggingpacketsthataredroppedviaaccesscontrollist.(%SEC-6-IPACCESSLOGNP:list1denied01.1.1.2->1.1.1.1,1packet).Hence,itisimperativethatlogmessagesatlevel6arecapturedforfurtheranalysisandincidentreporting.However,thesemessagesdonotneedtogototheconsole,butmustgotothesyslogserver.Toavoidbeinglockedoutoftheconsoleintheeventofanintensivelogmessagegenerationsuchaswhenalargenumberofpacketsarebeingdropped,youcanimplementanyofthefollowing:1.Limittheamountofloggingbasedonsamepacketmatchingviatheaccess-listlog-updatethresholdcommand.Theconfiguredthresholdspecifieshowoftensyslogmessagesaregeneratedandsentaftertheinitialpacketmatchonaperflowbasis.2.Rate-limitmessagesatspecificseveritylevelsdestinedtobeloggedattheconsolevialoggingrate-limitcommand.3.Haveonlymessagesatlevels0-5(or0-4)gototheconsoleandmessagesatlevel0-6gotothesyslogserver.Thebuffercouldbesettonotificationleveloralteredtoadifferentlevelwhenrequired(i.e.debugging).Followingwouldbeanexampleconfiguration:!loggingbuffered4096informationalloggingconsolenotifications…!loggingtrapdebugginglogginghost1.1.1.1!Thedefaultstateforloggingisonandthedefaultforthesyslogserverisinformational(i.e.loggingtrapinformational).Hence,thecommandsloggingonandloggingtrapinformationalwillnotbeshownviashowruncommand.Hence,havetheoperatorissueashowloggingcommandtoverifyloggingisonandthelevelforthesyslogserver(i.e.trap).

R1#showloggingSysloglogging:enabled(12messagesdropped,0messagesrate-limited,0flushes,0overruns,xmldisabled,filteringdisabled)

…

Consolelogging:levelnotifications,56messageslogged,xmldisabled,filteringdisabledMonitorlogging:leveldebugging,0messageslogged,xmldisabled,filteringdisabledBufferlogging:levelinformational,6messageslogged,xmldisabled,filteringdisabled…Traplogging:levelinformational,73messagelinesloggedLoggingto1.1.1.1(udpport514,auditdisabled,authenticationdisabled,encryptiondisabled,linkup),37messagelineslogged,0messagelinesrate-limited,0messagelinesdropped-by-MD,xmldisabled,sequencenumberdisabledfilteringdisabled

Thetablebelowliststheseveritylevelsandmessagetypesforalllogdata.SeverityLevelMessageType

Severity:CATII


STIGID:NET1637

Controls:

Responsibility:

Severity:CATII


STIGID:NET1645

Controls:


0Emergencies1Alerts2Critical3Errors4Warning5Notifications6Informational7Debugging

5.57.4Fix

Configurethenetworkdevicetologallmessagesexceptdebuggingandsendalllogdatatoasyslogserver.


5.58V-5611-Managementconnectionsarenotrestricted.

5.58.1Summary

Thenetworkelementmustonlyallowmanagementconnectionsforadministrativeaccessfromhostsresidingintothemanagementnetwork.Table369providesasummaryresultofthefindings.

Table369:Managementconnectionsarenotrestricted.-Summaryresult

Device Type Status



5.58.2Description

RemoteadministrationisinherentlydangerousbecauseanyonewithasnifferandaccesstotherightLANsegment,couldacquirethedeviceaccountandpasswordinformation.Withthisinterceptedinformationtheycouldgainaccesstotheinfrastructureandcausedenialofserviceattacks,interceptsensitiveinformation,orperformotherdestructiveactions.

5.58.3Check

Reviewtheconfigurationandverifythatmanagementaccesstothedeviceisallowedonlyfromthemanagementnetworkaddressspace.Theconfigurationshouldlooksimilartothefollowing:access-list3permit192.168.1.10logaccess-list3permit192.168.1.11logaccess-list3denyanylog…..linevty04access-class3inIfmanagementaccesscanbegainedfromoutsideoftheauthorizedmanagementnetwork,thisisafinding.

5.58.4Fix

ConfigureanACLorfiltertorestrictmanagementaccesstothedevicefromonlythemanagementnetwork.


5.59V-5612-SSHsessiontimeoutisnot60secondsorless.

5.59.1Summary

Thenetworkelementmustbeconfiguredtotimeoutafter60secondsorlessforincompleteorbrokenSSHsessions.Table370providesasummaryresultofthefindings.

Table370:SSHsessiontimeoutisnot60secondsorless.-Summaryresult

Device Type Status



Severity:CATII


STIGID:NET1646

Controls:


5.59.2Description

AnattackermayattempttoconnecttothedeviceusingSSHbyguessingtheauthenticationmethod,encryptionalgorithm,andkeys.LimitingtheamountoftimeallowedforauthenticatingandnegotiatingtheSSHsessionreducesthewindowofopportunityforthemalicioususerattemptingtomakeaconnectiontothenetworkelement.

5.59.3Findings

router03

NipperStudiodeterminedthatSecureShell(SSH)wasnotenabledonrouter03.

CiscoIOS15

NipperStudiodeterminedthatSSHwasenabledonCiscoIOS15withanegotiationtimeoutof2minutes.

5.59.4Check

Reviewtheconfigurationandverifythetimeoutissetfor60secondsorless.TheSSHserviceterminatestheconnectionifprotocolnegotiation(thatincludesuserauthentication)isnotcompletewithinthistimeoutperiod.ipsshtime-out60

5.59.5Fix

Configurethenetworkdevicessoitwillrequireasecureshelltimeoutof60secondsorless.


5.60V-5613-SSHloginattemptsvalueisgreaterthan3.

5.60.1Summary

ThenetworkelementmustbeconfiguredforamaximumnumberofunsuccessfulSSHloginattemptssetat3beforeresettingtheinterface.Table371providesasummaryresultofthefindings.

Table371:SSHloginattemptsvalueisgreaterthan3.-Summaryresult

Device Type Status



5.60.2Description

AnattackermayattempttoconnecttothedeviceusingSSHbyguessingtheauthenticationmethodandauthenticationkeyorsharedsecret.Settingtheauthenticationretryto3orlessstrengthensagainstaBruteForceattack.

5.60.3Findings

router03

NipperStudiodeterminedthatSSHwasnotenabledonrouter03.

CiscoIOS15

NipperStudiodeterminedthatSSHwasenabledonCiscoIOS15withanauthenticationretrylimitofthree.

5.60.4Check

ReviewtheconfigurationandverifythenumberofunsuccessfulSSHloginattemptsissetat3.ipsshauthentication-retries3

5.60.5Fix

ConfigurethenetworkdevicetorequireamaximumnumberofunsuccessfulSSHlogonattemptsat3.


5.61V-5614-ThePADserviceisenabled.

5.61.1Summary

Severity:CATIII


STIGID:NET0722

Controls:


Severity:CATIII


STIGID:NET0724

Controls:


NetworkdevicesmusthavethePADservicedisabled.Table372providesasummaryresultofthefindings.

Table372:ThePADserviceisenabled.-Summaryresult

Device Type Status



5.61.2Description

PacketAssemblerDisassembler(PAD)isanX.25componentseldomused.ItcollectsthedatatransmissionsfromtheterminalsandgathersthemintoaX.25datastreamandviceversa.PADactslikeamultiplexerfortheterminals.Ifenabled,itcanrenderthedeviceopentoattacks.SomevoicevendorsusePADoninternalrouters.

5.61.3Findings

ThePADservicestatusisdetailedinTable373.

Table373:STIGNET0722PADservicestatus

Device PADService

router03 Enabled

CiscoIOS15 Disabled

5.61.4Check

ReviewthedeviceconfigurationtodetermineifthePADserviceisenabled.IfthePADserviceisenabled,thisisafinding.

5.61.5Fix

ConfigurethedevicetodisablethePADservice.


5.62V-5615-TCPKeep-Alivesmustbeenabled.

5.62.1Summary

NetworkdevicesmusthaveTCPKeep-AlivesenabledforTCPsessions.Table374providesasummaryresultofthefindings.

Table374:TCPKeep-Alivesmustbeenabled.-Summaryresult

Device Type Status



5.62.2Description

IdleTCPsessionscanbesusceptibletounauthorizedaccessandhijackingattacks.Bydefault,routersdonotcontinuallytestwhetherapreviouslyconnectedTCPendpointisstillreachable.IfoneendofaTCPconnectionidlesoutorterminatesabnormally,theoppositeendoftheconnectionmaystillbelievethesessionisavailable.These"orphaned"sessionsuseupvaluablerouterresourcesandcanalsobehijackedbyanattacker.Tomitigatethisrisk,routersmustbeconfiguredtosendperiodickeepalivemessagestocheckthattheremoteendofasessionisstillconnected.Iftheremotedevicefailstorespondtothekeepalivemessage,thesendingrouterwillcleartheconnectionandfreeresourcesallocatedtothesession.

5.62.3Findings

TheinboundTCPkeepalivestatusisdetailedinTable375.

Device InboundTCPKeepAlives

Severity:CATIII


STIGID:NET0726

Controls:


Severity:CATII


STIGID:NET0781

Controls:


Table375:STIGNET0724InboundTCPKeepAlives

router03 Disabled

CiscoIOS15 Enabled

5.62.4Check

Reviewthedeviceconfigurationtoverifythe"servicetcp-keepalives-in"commandisconfigured.IfTCPKeep-Alivesarenotenabled,thisisafinding.

5.62.5Fix

ConfigurethedevicetoenableTCPKeep-Alives.


5.63V-5616-Identificationsupportisenabled.

5.63.1Summary

Networkdevicesmusthaveidentificationsupportdisabled.Table376providesasummaryresultofthefindings.

Table376:Identificationsupportisenabled.-Summaryresult

Device Type Status



5.63.2Description

IdentificationsupportallowsonetoqueryaTCPportforidentification.ThisfeatureenablesanunsecuredprotocoltoreporttheidentityofaclientinitiatingaTCPconnectionandahostrespondingtotheconnection.IdentificationsupportcanconnectaTCPportonahost,issueasimpletextstringtorequestinformation,andreceiveasimpletext-stringreply.Thisisanothermechanismtolearntheroutervendor,modelnumber,andsoftwareversionbeingrun.

5.63.3Findings

TheIdentdstatusisdetailedinTable377.

Table377:STIGNET0726Identdstatus

Device Identd

router03 Disabled

CiscoIOS15 Disabled

5.63.4Check

Reviewthedeviceconfigurationtoverifythatidentificationsupportisnotenabledvia"ipidentd"globalcommand.Itisdisabledbydefault.Ifidentificationssupportisenabled,thisisafinding.

5.63.5Fix

Configurethedevicetodisableidentificationsupport.


5.64V-5618-GratuitousARPmustbedisabled.

5.64.1Summary

GratuitousARPmustbedisabled.Table378providesasummaryresultofthefindings.

Severity:CATII


STIGID:NET0949

Controls:ECSC-1


Table378:GratuitousARPmustbedisabled.-Summaryresult

Device Type Status



5.64.2Description

AgratuitousARPisanARPbroadcastinwhichthesourceanddestinationMACaddressesarethesame.ItisusedtoinformthenetworkaboutahostIPaddress.AspoofedgratuitousARPmessagecancausenetworkmappinginformationtobestoredincorrectly,causingnetworkmalfunction.

5.64.3Findings

ThegratuitousARPstatusisdetailedinTable379.

Table379:STIGNET0781gratuitousARPstatus

Device GratuitousARP

router03 Disabled

CiscoIOS15 Disabled

5.64.4Check

ReviewtheconfigurationtodetermineifgratuitousARPisdisabled.IfgratuitousARPisenabled,thisisafinding.

5.64.5Fix

DisablegratuitousARPonthedevice.


5.65V-5645-CiscoExpressForwarding(CEF)notenabledonsupporteddevices.

5.65.1Summary

CiscoExpressForwarding(CEF)mustbeenabledonallsupportedCiscoLayer3IPdevices.Table380providesasummaryresultofthefindings.

Table380:CiscoExpressForwarding(CEF)notenabledonsupporteddevices.-Summaryresult

Device Type Status



5.65.2Description

TheCiscoExpressForwarding(CEF)switchingmodereplacesthetraditionalCiscoroutingcachewithadatastructurethatmirrorstheentiresystemroutingtable.Becausethereisnoneedtobuildcacheentrieswhentrafficstartsarrivingfornewdestinations,CEFbehavesmorepredictablywhenpresentedwithlargevolumesoftrafficaddressedtomanydestinationssuchasaSYNfloodattacks.BecausemanySYNfloodattacksuserandomizedsourceaddressestowhichthehostsunderattackwillreplyto,therecanbeasubstantialamountoftrafficforalargenumberofdestinationsthattherouterwillhavetohandle.Consequently,routersconfiguredforCEFwillperformbetterunderSYNfloodsdirectedathostsinsidethenetworkthanroutersusingthetraditionalcache.

5.65.3Check

DetermineiftheCiscoLayer3devicesupportstheuseofCEFswitchingmode.IfthecurrentIOSversionavailableforthedevicedoesnotsupportCEFinanycapacity,thisrequirementwillbeNA.MostCiscoLayer3deviceswillsupportCEFineitherDistributedorCentralMode.1.IfthedevicesupportsDistributedCEFMode(dCEF),verifythatithasbeengloballyenabled.2.IfthedeviceonlysupportsCentralCEFMode(CEF),verifythefunctionhasbeengloballyenabled.ManyofthedeviceshaveCEFenabledbydefaultandmanyoftheconfigurationswillnotshowifCEFfunctionalityisenabled.ToverifyCEFisrunningonaCiscoLayer3devicewithIOSrunthefollowingcommand:

Severity:CATII


STIGID:NET0965

Controls:ECSC-1


router#showipcef%CEFnotrunningIfCEFisshowntobenotrunning,thisisafinding.

5.65.4Fix

1.IftheCiscoLayer3IPdeviceisnotenabledbydefault,enableDistributedCEFModeglobally.Router(config)#ipcefdistributed2.IfDistributedCEFModeisnotsupported,enableCentralizedCEFModeglobally.Router(config)#ipcef3.IfCEFisnotsupportedinanycapacityonthedevice,thisfindingisNA.


5.66V-5646-Devicesnotconfiguredtofilteranddrophalf-openconnections.

5.66.1Summary

Thenetworkdevicemustdrophalf-openTCPconnectionsthroughfilteringthresholdsortimeoutperiods.Table381providesasummaryresultofthefindings.

Table381:Devicesnotconfiguredtofilteranddrophalf-openconnections.-Summaryresult

Device Type Status



5.66.2Description

ATCPconnectionconsistsofathree-wayhandshakemessagesequence.Aconnectionrequestistransmittedbytheoriginator,anacknowledgementisreturnedfromthereceiver,andthenanacceptanceofthatacknowledgementissentbytheoriginator.Anattacker’sgoalinthisscenarioistocauseadenialofservicetothenetworkordevicebyinitiatingahighvolumeofTCPpackets,thenneversendinganacknowledgement,leavingconnectionsinahalf-openedstate.Withoutthedevicehavingaconnectionortimethresholdforthesehalf-openedsessions,thedevicerisksbeingavictimofadenialofserviceattack.SettingaTCPtimeoutthresholdwillinstructthedevicetoshutdownanyincompleteconnections.ServicessuchasSSH,BGP,SNMP,LDP,etc.aresomeservicesthatmaybepronetothesetypesofdenialofserviceattacks.IftherouterdoesnothaveanyBGPconnectionswithBGPneighborsacrossWANlinks,valuescouldbesettoeventighterconstraints.

5.66.3Findings

router03

NipperStudiodeterminedthatTCPSYNwaittimewasnotsupportedonrouter03.

CiscoIOS15

NipperStudiodeterminedthatTCPSYNwaittimewasnotsupportedonCiscoIOS15.

5.66.4Check

Reviewthedeviceconfigurationtovalidatethresholdfiltersortimeoutperiodsaresetfordroppingexcessivehalf-openTCPconnections.Fortimeoutperiods,thetimeshouldbesetto10secondsorless.Ifthedevicecannotbeconfiguredfor10secondsorless,itshouldbesettotheleastamountoftimeallowableintheconfiguration.Thresholdfilterswillneedtobedeterminedbytheorganizationforoptimalfiltering.IOSConfigurationExample:iptcpsynwait-time10

5.66.5Fix

Configurethedevicetodrophalf-openTCPconnectionsthroughthresholdfilteringortimeoutperiods.


5.67V-7009-AnInfiniteLifetimekeyhasnotbeenimplemented

5.67.1Summary

Severity:CATI


STIGID:NET0425

Controls:ECSC-1


Severity:CATIII


STIGID:NET1629

Controls:


ThelifetimeoftheMD5Keyexpirationmustbesettoneverexpire.ThelifetimeoftheMD5keywillbeconfiguredasinfiniteforrouteauthentication,ifsupportedbythecurrentapprovedroutersoftwareversion.Table382providesasummaryresultofthefindings.

Table382:AnInfiniteLifetimekeyhasnotbeenimplemented-Summaryresult

Device Type Status



5.67.2Description

OnlyEnhancedInteriorGatewayRoutingProtocol(EIGRP)andRoutingInformationProtocol(RIP)Version2usekeychains.Whenconfiguringauthenticationforroutingprotocolsthatprovidekeychains,configuretworotatingkeyswithoverlappingexpirationdates--bothwitha180-daylifetime.Athirdkeymustalsobedefinedwithaninfinitelifetime.Bothofthesestepsmustensurethattherewillalwaysbeakeythatcanbeplacedintoservicebyallpeers.Ifatimeperiodoccursduringwhichnokeyisactivated,authenticationcannotoccur;hence,routeupdateswillnotoccur.Thelifetimekeyshouldbechanged7daysaftersuccessfulkeyrotationandsynchronizationhasoccurredwithallpeers.

5.67.3Check

Reviewtherunningconfigurationtodetermineifkeyauthenticationhasbeendefinedwithaninfinitelifetime.Ifthekeyhasbeenconfiguredforalifetimeotherthaninfinite,thisisafinding.RIP2ExampleEIGRPExampleinterfaceethernet0interfaceethernet0ipripauthenticationkey-chaintreesipauthenticationmodeeigrp1md5ipripauthenticationmodemd5ipauthenticationkey-chaineigrp1treesrouterriproutereigrp1network172.19.0.0network172.19.0.0version2keychaintreeskeychaintreeskey1key1key-stringwillowkey-stringwillowaccept-lifetime22:45:00Feb10200522:45:00Aug102005accept-lifetime22:45:00Feb10200522:45:00Aug102005send-lifetime23:00:00Feb10200522:45:00Aug102005send-lifetime23:00:00Feb10200522:45:00Aug102005key2key2key-stringbirchkey-stringbirchaccept-lifetime22:45:00Aug9200522:45:00Feb102006accept-lifetime22:45:00Dec10200522:45:00Feb102006send-lifetime23:00:00Aug9200522:45:00Feb102006send-lifetime23:00:00Dec10200522:45:00Jan102006key9999key9999key-stringmaplekey-stringmapleaccept-lifetime22:45:00Feb92005infiniteaccept-lifetime22:45:00Feb92005infinitesend-lifetime23:00:00Feb92005infinitesend-lifetime23:00:00Feb92005infiniteNotes:Note:OnlyEnhancedInteriorGatewayRoutingProtocol(EIGRP)andRoutingInformationProtocol(RIP)Version2usekeychains.Notes:WhenusingMD5authenticationkeys,itisimperativethesiteisincompliancewiththeNTPpolicies.Therouterhastoknowthetime!Notes:Mustmakethisahighnumbertoensureyouhaveplentyofroomtoputkeysinbeforeit.Allsubsequentkeyswillbedecrementedbyone(9998,9997...).

5.67.4Fix

ThischeckisinplacetoensurekeysdonotexpirecreatingaDOSduetoadjacenciesbeingdroppedandroutesbeingagedout.Therecommendationistousetworotatingsixmonthkeyswithathirdkeysetasinfinitelifetime.Thelifetimekeyshouldbechanged7daysaftertherotatingkeyshaveexpiredandredefined.


5.68V-7011-Theauxiliaryportisnotdisabled.

5.68.1Summary

Thenetworkelement’sauxiliaryportmustbedisabledunlessitisconnectedtoasecuredmodemprovidingencryptionandauthentication.Table383providesasummaryresultofthefindings.

Severity:CATIII


STIGID:NET0422

Controls:


Table383:Theauxiliaryportisnotdisabled.-Summaryresult

Device Type Status



5.68.2Description

TheuseofPOTSlinestomodemsconnectingtonetworkdevicesprovidescleartextofauthenticationtrafficovercommercialcircuitsthatcouldbecapturedandusedtocompromisethenetwork.Additionalwardialattacksonthedevicecoulddegradethedeviceandtheproductionnetwork.Securedmodemdevicesmustbeabletoauthenticateusersandmustnegotiateakeyexchangebeforefullencryptiontakesplace.Themodemwillprovidefullencryptioncapability(TripleDES)orstronger.Thetechnicianwhomanagesthesedeviceswillbeauthenticatedusingakeyfobandgrantedaccesstotheappropriatemaintenanceport,thusthetechnicianwillgainaccesstothemanageddevice(router,switch,etc.).Thetokenprovidesamethodofstrong(two-factor)userauthentication.Thetokenworksinconjunctionwithaservertogenerateone-timeuserpasswordsthatwillchangevaluesatsecondintervals.Theusermustknowapersonalidentificationnumber(PIN)andpossessthetokentobeallowedaccesstothedevice.

5.68.3Check

Reviewtheconfigurationandverifythattheauxiliaryportisdisabledunlessasecuredmodemprovidingencryptionandauthenticationisconnectedtoit.ThefollowingconfigurationdisablestheCiscoIOSauxiliaryport:

lineaux0noexecNote:Thecommandtransportinputnonemustbeconfiguredunderthelineaux0.However,thisisthedefaultandwillnotbeshownintherunningconfiguration.

5.68.4Fix

Disabletheauxiliaryport.Ifusedforout-of-bandadministrativeaccess,theportmustbeconnectedtoasecuredmodemprovidingencryptionandauthentication.


5.69V-14667-Keyexpirationexceeds180days.

5.69.1Summary

NetworkdevicesmustbeconfiguredwithrotatingkeysusedforauthenticatingIGPpeersthathaveadurationexceeding180days.Table384providesasummaryresultofthefindings.

Table384:Keyexpirationexceeds180days.-Summaryresult

Device Type Status



5.69.2Description

Ifthekeysusedforroutingprotocolauthenticationareguessed,themalicioususercouldcreatehavocwithinthenetworkbyadvertisingincorrectroutesandredirectingtraffic.Changingthekeysfrequentlyreducestheriskofthemeventuallybeingguessed.Whenconfiguringauthenticationforroutingprotocolsthatprovidekeychains,configuretworotatingkeyswithoverlappingexpirationdates,bothwith180-dayexpirations.

5.69.3Check

Reviewdeviceconfigurationforkeyexpirationsof180daysorless.Ifrotatingkeysarenotconfiguredtoexpireat180daysorless,thisisafinding.

5.69.4Fix

Configurethedevicesorotatingkeysexpireat180daysorless.


5.70V-14669-BSDrcommandsarenotdisabled.

5.70.1Summary

Severity:CATII


STIGID:NET0744

Controls:


Severity:CATII


STIGID:NET0813

Controls:

Responsibility:

TheadministratormustensureBSDrcommandservicesaredisabled.Table385providesasummaryresultofthefindings.

Table385:BSDrcommandsarenotdisabled.-Summaryresult

Device Type Status



5.70.2Description

BerkeleySoftwareDistribution(BSD)“r”commandsallowuserstoexecutecommandsonremotesystemsusingavarietyofprotocols.TheBSD"r"commands(e.g.,rsh,rlogin,rcp,rdump,rrestore,andrdist)aredesignedtoprovideconvenientremoteaccesswithoutpasswordstoservicessuchasremotecommandexecution(rsh),remotelogin(rlogin),andremotefilecopy(rcpandrdist).Thedifficultywiththesecommandsisthattheyuseaddress-basedauthentication.Anattackerwhoconvincesaserverthatheiscomingfroma"trusted"machinecanessentiallygetcompleteandunrestrictedaccesstoasystem.TheattackercanconvincetheserverbyimpersonatingatrustedmachineandusingIPaddress,byconfusingDNSsothatDNSthinksthattheattacker'sIPaddressmapstoatrustedmachine'sname,orbyanyofanumberofothermethods

5.70.3Check

VerifythatthefollowingBSDrglobalcommandsarenotdefinedintheconfiguration:iprcmdrcp-enableiprcmdrsh-enableThesecommandshavebeendisabledbydefaultinIOSsinceversion12.0.

5.70.4Fix

ConfigurethedevicetodisableBSDrcommandservices.


5.71V-14671-NTPmessagesarenotauthenticated.

5.71.1Summary

ThenetworkelementmustauthenticateallNTPmessagesreceivedfromNTPserversandpeers.Table386providesasummaryresultofthefindings.

Table386:NTPmessagesarenotauthenticated.-Summaryresult

Device Type Status



5.71.2Description

SinceNTPisusedtoensureaccuratelogfiletimestampinformation,NTPcouldposeasecurityriskifamalicioususerwereabletofalsifyNTPinformation.TolaunchanattackontheNTPinfrastructure,ahackercouldinjecttimethatwouldbeacceptedbyNTPclientsbyspoofingtheIPaddressofavalidNTPserver.Tomitigatethisrisk,thetimemessagesmustbeauthenticatedbytheclientbeforeacceptingthemasatimesource.TwoNTP-enableddevicescancommunicateineitherclient-servermodeorpeer-to-peermode(aka"symmetricmode").ThepeeringmodeisconfiguredmanuallyonthedeviceandindicatedintheoutgoingNTPpackets.Thefundamentaldifferenceisthesynchronizationbehavior:anNTPservercansynchronizetoapeerwithbetterstratum,whereasitwillneversynchronizetoitsclientregardlessoftheclient'sstratum.Fromaprotocolperspective,NTPclientsarenodifferentfromtheNTPservers.TheNTPclientcansynchronizetomultipleNTPservers,selectthebestserverandsynchronizewithit,orsynchronizetotheaveragedvaluereturnedbytheservers.Ahierarchicalmodelcanbeusedtoimprovescalability.Withthisimplementation,anNTPclientcanalsobecomeanNTPserverprovidingtimetodownstreamclientsatahigherstratumlevelandofdecreasingaccuracythanthatofitsupstreamserver.Toincreaseavailability,NTPpeeringcanbeusedbetweenNTPservers.IntheeventthedevicelosesconnectivitytoitsupstreamNTPserver,itwillbeabletochoosetimefromoneofitspeers.TheNTPauthenticationmodelisoppositeofthetypicalclient-serverauthenticationmodel.NTPauthenticationenablesanNTPclientorpeertoauthenticatetimereceivedfromtheirserversandpeers.ItisnotusedtoauthenticateNTPclientsbecauseNTPserversdonotcareabouttheauthenticityoftheirclients,astheyneveracceptanytimefromthem.

Severity:CATIII


STIGID:NET0897

Controls:


5.71.3Check

ReviewthenetworkelementconfigurationandverifythatitisauthenticatingNTPmessagesreceivedfromtheNTPserverorpeerusingeitherPKIoraFIPS-approvedmessageauthenticationcodealgorithm.FIPS-approvedalgorithmsforauthenticationarethecipher-basedmessageauthenticationcode(CMAC)andthekeyed-hashmessageauthenticationcode(HMAC).AESand3DESareNIST-approvedCMACalgorithms.ThefollowingareNIST-approvedHMACalgorithms:SHA-1,SHA-224,SHA-256,SHA-384,SHA-512,SHA-512/224,andSHA-512/256.IfthenetworkelementisnotconfiguredtoauthenticatereceivedNTPmessagesusingPKIoraFIPS-approvedmessageauthenticationcodealgorithm,thisisafinding.

5.71.4Fix

ConfigurethedevicetoauthenticateallreceivedNTPmessagesusingeitherPKI(supportedinNTPv4)oraFIPS-approvedmessageauthenticationcodealgorithm.


5.72V-14672-AuthenticationtrafficdoesnotuseloopbackaddressorOOBManagementinterface.

5.72.1Summary

TheroutermustuseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingTACACS+orRADIUStraffic.Table387providesasummaryresultofthefindings.

Table387:AuthenticationtrafficdoesnotuseloopbackaddressorOOBManagementinterface.-Summaryresult

Device Type Status



5.72.2Description

Usingaloopbackaddressasthesourceaddressoffersamultitudeofusesforsecurity,access,management,andscalabilityofrouters.Itiseasiertoconstructappropriateingressfiltersforroutermanagementplanetrafficdestinedtothenetworkmanagementsubnetsincethesourceaddresseswillbefromtherangeusedforloopbackinterfacesinsteadofalargerrangeofaddressesusedforphysicalinterfaces.Loginformationrecordedbyauthenticationandsyslogserverswillrecordtherouter’sloopbackaddressinsteadofthenumerousphysicalinterfaceaddresses.TACACS+,RADIUSmessagessenttomanagementserversshouldusetheloopbackaddressasthesourceaddress.

5.72.3Findings

router03

NipperStudiodeterminedthatbothTerminalAccessControllerAccessControlSystem(TACACS)andRemoteAuthenticationDial-InUserService(RADIUS)arenotconfiguredonrouter03.

CiscoIOS15

NipperStudiodeterminedthatbothTACACSandRADIUSarenotconfiguredonCiscoIOS15.

5.72.4Check

ReviewtheconfigurationandverifytheloopbackinterfaceaddressisusedasthesourceaddresswhenoriginatingTACACS+orRADIUStraffic.IfthedeviceismanagedfromanOOBmanagementnetwork,theOOBinterfacemustbeusedinstead.Verifythataloopbackaddresshasbeenconfiguredasshowninthefollowingexample:interfaceloopback0ipaddress10.10.2.1255.255.255.255…iptacacssource-interfaceLoopback0ipradiussource-interfaceLoopback0Note:IOSallowsmultipleloopbackinterfacestobedefined.

5.72.5Fix

ConfigurethedevicetouseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingauthenticationservicestraffic.


5.73V-14673-SyslogtrafficisnotusingloopbackaddressorOOBmanagementinterface.

5.73.1Summary

Severity:CATIII


STIGID:NET0898

Controls:


Severity:CATIII


STIGID:NET0899

Controls:


TheroutermustuseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingsyslogtraffic.Table388providesasummaryresultofthefindings.

Table388:SyslogtrafficisnotusingloopbackaddressorOOBmanagementinterface.-Summaryresult

Device Type Status



5.73.2Description

Usingaloopbackaddressasthesourceaddressoffersamultitudeofusesforsecurity,access,management,andscalabilityofrouters.Itiseasiertoconstructappropriateingressfiltersforroutermanagementplanetrafficdestinedtothenetworkmanagementsubnetsincethesourceaddresseswillbefromtherangeusedforloopbackinterfacesinsteadofalargerrangeofaddressesusedforphysicalinterfaces.Loginformationrecordedbyauthenticationandsyslogserverswillrecordtherouter’sloopbackaddressinsteadofthenumerousphysicalinterfaceaddresses.Syslogmessagessenttomanagementserversshouldusetheloopbackaddressasthesourceaddress.

5.73.3Findings

router03

NipperStudiodeterminedthatSyslogwasnotconfiguredonrouter03.

CiscoIOS15

NipperStudiodetectedthefollowingglobalSysloginterfaceonCiscoIOS15.

Table389:SyslogInterface

GlobalSyslogInterface

Loopback1

5.73.4Check

Reviewtheconfigurationandverifytheloopbackinterfaceaddressisusedasthesourceaddresswhenoriginatingsyslogtraffic.IfthedeviceismanagedfromanOOBmanagementnetwork,theOOBinterfacemustbeusedinstead.Theconfigurationshouldlooksimilarasshowninthefollowingexample:interfaceloopback0ipaddress10.10.2.1255.255.255.255…loggingonlogginghost192.168.1.100loggingsource-interfaceLoopback0Note:IOSallowsmultipleloopbackinterfacestobedefined.

5.73.5Fix

ConfigurethedevicetouseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingsyslogtraffic.


5.74V-14674-NTPtrafficisnotusingloopbackaddressorOOBManagementinterface.

5.74.1Summary

TheroutermustuseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingNTPtraffic.Table390providesasummaryresultofthefindings.

Table390:NTPtrafficisnotusingloopbackaddressorOOBManagementinterface.-Summaryresult

Device Type Status



5.74.2Description

Severity:CATIII


STIGID:NET0900

Controls:


Usingaloopbackaddressasthesourceaddressoffersamultitudeofusesforsecurity,access,management,andscalabilityofrouters.Itiseasiertoconstructappropriateingressfiltersforroutermanagementplanetrafficdestinedtothenetworkmanagementsubnetsincethesourceaddresseswillbefromtherangeusedforloopbackinterfacesinsteadofalargerrangeofaddressesusedforphysicalinterfaces.Loginformationrecordedbyauthenticationandsyslogserverswillrecordtherouter’sloopbackaddressinsteadofthenumerousphysicalinterfaceaddresses.NTPmessagessenttomanagementserversshouldusetheloopbackaddressasthesourceaddress.

5.74.3Findings

router03

NipperStudiodeterminedthatrouter03doesnotusealoopbackaddresswhenoriginatingNTPtraffic.

CiscoIOS15

NipperStudiodeterminedthatCiscoIOS15usesaloopbackaddresswhenoriginatingNTPtraffic.TheconfiguredinterfaceisdetailedinTable391.

Table391:NTPSourceInterface

NTPSourceInterface

Loopback0

5.74.4Check

ReviewtheconfigurationandverifytheloopbackinterfaceaddressisusedasthesourceaddresswhenoriginatingNTPtraffic.IfthedeviceismanagedfromanOOBmanagementnetwork,theOOBinterfacemustbeusedinstead.Theconfigurationshouldlooksimilarasshowninthefollowingexample:interfaceloopback0ipaddress10.10.2.1255.255.255.255…ntpserver129.237.32.2ntpserver142.181.31.6ntpsourceLoopback0Note:IOSallowsmultipleloopbackinterfacestobedefined.

5.74.5Fix

ConfigurethedevicetouseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingNTPtraffic.


5.75V-14675-SNMPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.

5.75.1Summary

TheroutermustuseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingSNMPtraffic.Table392providesasummaryresultofthefindings.

Table392:SNMPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.-Summaryresult

Device Type Status



5.75.2Description

Usingaloopbackaddressasthesourceaddressoffersamultitudeofusesforsecurity,access,management,andscalabilityofrouters.Itiseasiertoconstructappropriateingressfiltersforroutermanagementplanetrafficdestinedtothenetworkmanagementsubnetsincethesourceaddresseswillbefromtherangeusedforloopbackinterfacesinsteadofalargerrangeofaddressesusedforphysicalinterfaces.Loginformationrecordedbyauthenticationandsyslogserverswillrecordtherouter’sloopbackaddressinsteadofthenumerousphysicalinterfaceaddresses.SNMPmessagessenttomanagementserversshouldusetheloopbackaddressasthesourceaddress.

5.75.3Findings

router03

NipperStudiodeterminedthatnoSNMPtrapswereconfiguredonrouter03.

CiscoIOS15

NipperStudiodeterminedthatCiscoIOS15doesnotusealoopbackaddresswhenoriginatingSNMPtraffic.

Severity:CATIII


STIGID:NET0901

Controls:


Severity:CATIII


STIGID:NET0902

Controls:ECSC-1


5.75.4Check

ReviewtheconfigurationandverifytheloopbackinterfaceaddressisusedasthesourceaddresswhenoriginatingSNMPtraffic.IfthedeviceismanagedfromanOOBmanagementnetwork,theOOBinterfacemustbeusedinstead.Theconfigurationshouldlooksimilarasshowninthefollowingexample:interfaceloopback0ipaddress10.10.2.1255.255.255.255……snmp-servertrap-sourceLoopback0Note:IOSallowsmultipleloopbackinterfacestobedefined.

5.75.5Fix

ConfigurethedevicetouseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingSNMPtraffic.


5.76V-14676-Netflowtrafficisnotusingloopbackaddress.

5.76.1Summary

TheroutermustuseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingNetFlowtraffic.Table393providesasummaryresultofthefindings.

Table393:Netflowtrafficisnotusingloopbackaddress.-Summaryresult

Device Type Status



5.76.2Description

Usingaloopbackaddressasthesourceaddressoffersamultitudeofusesforsecurity,access,management,andscalabilityofrouters.Itiseasiertoconstructappropriateingressfiltersforroutermanagementplanetrafficdestinedtothenetworkmanagementsubnetsincethesourceaddresseswillbefromtherangeusedforloopbackinterfacesinsteadofalargerrangeofaddressesusedforphysicalinterfaces.Loginformationrecordedbyauthenticationandsyslogserverswillrecordtherouter’sloopbackaddressinsteadofthenumerousphysicalinterfaceaddresses.Netflowmessagessenttomanagementserversshouldusetheloopbackaddressasthesourceaddress.

5.76.3Check

ReviewtheconfigurationandverifytheloopbackinterfaceaddressisusedasthesourceaddresswhenoriginatingNetFlowtraffic.IfthedeviceismanagedfromanOOBmanagementnetwork,theOOBinterfacemustbeusedinstead.Theconfigurationshouldlooksimilarasshowninthefollowingexample:interfaceloopback0ipaddress10.10.2.1255.255.255.255……ipflow-sampling-modepacket-interval100ipflow-exportdestination192.168.3.339991ipflow-exportsourceLoopback0Note:IOSallowsmultipleloopbackinterfacestobedefined.

5.76.4Fix

ConfiguretheroutertouseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingNetFlowtraffic.


5.77V-14677-FTP/TFTPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.

5.77.1Summary

ThenetworkdevicemustuseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingTFTPorFTPtraffic.Table394providesasummaryresultofthefindings.

Device Type Status

Severity:CATIII


Table394:FTP/TFTPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.-Summaryresult



5.77.2Description

Usingaloopbackaddressasthesourceaddressoffersamultitudeofusesforsecurity,access,management,andscalabilityofnetworkdevices.Itiseasiertoconstructappropriateingressfiltersformanagementplanetrafficdestinedtothenetworkmanagementsubnetsincethesourceaddresseswillbefromtherangeusedforloopbackinterfacesinsteadofalargerrangeofaddressesusedforphysicalinterfaces.Loginformationrecordedbyauthenticationandsyslogserverswillrecordtherouter’sloopbackaddressinsteadofthenumerousphysicalinterfaceaddresses.TFTPandFTPmessagessenttomanagementserversshouldusetheloopbackaddressasthesourceaddress.

5.77.3Findings

CiscoIOS15

Table395:FTP/TFTPServices

Service SourceInterface

TFTP Loopback0

5.77.4Check

ReviewtheconfigurationandverifyaloopbackinterfaceaddressisusedasthesourceaddresswhenoriginatingTFTPorFTPtraffic.Router#showrunBuildingconfiguration...!!interfaceLoopback0descriptionLoopbackinterfaceipaddressx.x.x.x255.255.255.255noipdirected-broadcast!...iptelnetsource-interfaceLoopback0iptftpsource-interfaceLoopback0ipftpsource-interfaceLoopback0IfthedeviceismanagedfromanOOBmanagementnetwork,theOOBinterfacemustbeusedinstead.Router#showrunBuildingconfiguration...!...iptftpsource-interfacefe0/0ipftpsource-interfacefe0/0

5.77.5Fix

ConfigurethenetworkdevicetousealoopbackinterfaceaddressasthesourceaddresswhenoriginatingTFTPorFTPtraffic.Example:Router(config)#interfaceloopback0Router(config-if)#ipaddressx.x.x.x255.255.255.255Router(config)#ipftpsource-interfaceloopback0Router(config)#iptftpsource-interfaceloopback0IfanOOBmanagementinterfaceisbeingused,configuretheinterfaceforTFTPorFTPtrafficorigination.Example:Router(config)#ipftpsource-interfacefe0/0Router(config)#iptftpsource-interfacefe0/0


5.78V-14681-LoopbackaddressisnotusedastheiBGPsourceIP.

5.78.1Summary

TheroutermustuseitsloopbackinterfaceaddressasthesourceaddressforalliBGPpeeringsessions.Table396providesasummaryresultofthefindings.

STIGID:NET0903

Controls:


Severity:CATII


STIGID:NET-IPV6-025

Controls:ECSC-1


Table396:LoopbackaddressisnotusedastheiBGPsourceIP.-Summaryresult

Device Type Status



5.78.2Description

Usingaloopbackaddressasthesourceaddressoffersamultitudeofusesforsecurity,access,management,andscalability.Itiseasiertoconstructappropriatefiltersforcontrolplanetraffic.Loginformationrecordedbyauthenticationandsyslogserverswillrecordtherouter’sloopbackaddressinsteadofthenumerousphysicalinterfaceaddresses.

5.78.3Check

VerifythatthepeeringsessionwithiBGPneighborsusetheloopbackaddressasthesourceaddressasshownintheexamplebelow:interfaceloopback0ipaddress10.10.2.1255.255.255.255…routerbgp100neighbor200.200.200.2remote-as200neighbor188.20.120.2remote-as144neighbor10.10.2.2remote-as100neighbor10.10.2.2update-sourceLoopback0neighbor10.10.2.3remote-as100neighbor10.10.2.3update-sourceLoopback0

5.78.4Fix

Configurethenetworkdevice'sloopbackaddressasthesourceaddressforiBGPpeering.


5.79V-14693-IPv6SiteLocalUnicastADDRmustnotbedefined

5.79.1Summary

ThenetworkdevicemustbeconfiguredtoensureIPv6SiteLocalUnicastaddressesarenotdefinedintheenclave,(FEC0::/10).NotethatthisconsistofalladdressesthatbeginwithFEC,FED,FEEandFEF.Table397providesasummaryresultofthefindings.

Table397:IPv6SiteLocalUnicastADDRmustnotbedefined-Summaryresult

Device Type Status



5.79.2Description

Ascurrentlydefined,sitelocaladdressesareambiguousandcanbepresentinmultiplesites.Theaddressitselfdoesnotcontainanyindicationofthesitetowhichitbelongs.Theuseofsite-localaddresseshasthepotentialtoadverselyaffectnetworksecuritythroughleaks,ambiguityandpotentialmisrouting,asdocumentedinsection2ofRFC3879.RFC3879formallydeprecatestheIPv6site-localunicastprefixdefinedinRFC3513,i.e.,1111111011binaryorFEC0::/10.

5.79.3Findings

router03

NipperStudiodeterminedthatIPv6wasnotconfiguredonrouter03.

CiscoIOS15

NipperStudiodeterminedthatIPv6wasnotconfiguredonCiscoIOS15.

5.79.4Check

ReviewthedeviceconfigurationtoensureFEC0::/10IPaddressesarenotdefined.IfFEC0::/10IPaddressesaredefined,thisisafinding.

Severity:CATII


STIGID:NET-IPV6-033

Controls:ECSC-1


Severity:CATII


STIGID:NET-IPV6-034

Controls:


5.79.5Fix

ConfigurethedeviceusingauthorizedIPaddresses.


5.80V-14705-IPv6routersarenotconfiguredwithCEFenabled

5.80.1Summary

TheadministratorwillenableCEFtoimproverouterstabilityduringaSYNfloodattackinanIPv6enclave.Table398providesasummaryresultofthefindings.

Table398:IPv6routersarenotconfiguredwithCEFenabled-Summaryresult

Device Type Status



5.80.2Description

TheCiscoExpressForwarding(CEF)switchingmodereplacesthetraditionalCiscoroutingcachewithadatastructurethatmirrorstheentiresystemroutingtable.Becausethereisnoneedtobuildcacheentrieswhentrafficstartsarrivingfornewdestinations,CEFbehavesmorepredictablywhenpresentedwithlargevolumesoftrafficaddressedtomanydestinations—suchasaSYNfloodattacksthat.BecausemanySYNfloodattacksuserandomizedsourceaddressestowhichthehostsunderattackwillreplyto,therecanbeasubstantialamountoftrafficforalargenumberofdestinationsthattherouterwillhavetohandle.Consequently,routersconfiguredforCEFwillperformbetterunderSYNfloodsdirectedathostsinsidethenetworkthanroutersusingthetraditionalcache.Note:Juniper’sFPC(FlexiblePICConcentrator)architecturewiththeintegratedPacketForwardingEngineprovidessimilarfunctionalityandcapabilitiesandisfarsuperiorthanthetraditionalroutingcachethatisvulnerabletoaDoSattackdescribedabove.TheforwardingplaneonallJuniperMandTSeriesplatformsarebuiltaroundthisarchitectureandthereforeisnotconfigurable.TheforwardingplaneonallJuniperMandTSeriesplatformsarebuiltaroundtheFPC(FlexiblePICConcentrator)architecturethathassimilarcapabilitiesasCEF.FPCisnotconfigurableandistotallyintegratedwiththePacketForwardingEngine;hence,thiswillalwaysbenotafinding.

5.80.3Check

IOSProcedure:ReviewallCiscorouterstoensurethatCEFhasbeenenabled.Theconfigurationshouldlooksimilartothefollowing:ipv6cef

5.80.4Fix

TheIAOwillensurethattheipv6cefcommandhasbeenconfiguredonCiscorouters.


5.81V-14707-IPv6EgressOutboundSpoofingFilter

5.81.1Summary

ThenetworkelementmustbeconfiguredfromacceptinganyoutboundIPpacketthatcontainsanillegitimateaddressinthesourceaddressfieldviaegressACLorbyenablingUnicastReversePathForwardinginanIPv6enclave.Table399providesasummaryresultofthefindings.

Table399:IPv6EgressOutboundSpoofingFilter-Summaryresult

Device Type Status



5.81.2Description

UnicastReversePathForwarding(uRPF)providesamechanismforIPaddressspoofprotection.WhenuRPFisenabledonaninterface,therouterexaminesallpacketsreceivedasinputonthatinterfacetomakesurethatthesourceaddressandsourceinterfaceappearintheroutingtableandmatchtheinterfaceonwhichthepacketwasreceived.Ifthepacketwasreceivedfromoneofthebestreversepathroutes,thepacketisforwardedasnormal.Ifthereisnoreversepathrouteonthesameinterfacefromwhichthepacketwasreceived,itmightmeanthatthesourceaddresswasmodified.IfUnicastRPFdoesnotfindareversepathforthepacket,thepacketisdropped.IfinternalnodesautomaticallyconfigureanaddressbasedonaprefixfromabogusRouterAdvertisementadangeroussituationmayexist.Aninternalhostmaycontactaninternalserverwhichrespondswithapacketthatcouldberoutedoutsideofthenetworkviadefaultrouting(becausetheroutersdonotrecognize

Severity:CATII


STIGID:NET1647

Controls:


Severity:CATII


STIGID:NET-TUNL-017

Controls:ECSC-1


thedestinationaddressasaninternaladdress).Topreventthis,filteringshouldbeappliedtonetworkinterfacesbetweeninternalhostLANsandinternalserverLANstoinsurethatsourceaddresseshavevalidprefixes.

5.81.3Check

UnicastStrictmode:ReviewtherouterconfigurationtoensureuRPFhasbeenconfiguredonallinternalinterfaces.

5.81.4Fix

ThenetworkelementmustbeconfiguredtoensurethatanACLisconfiguredtorestricttherouterfromacceptinganyoutboundIPpacketthatcontainsanexternalIPaddressinthesourcefield.


5.82V-14717-ThenetworkelementmustnotallowSSHVersion1.

5.82.1Summary

ThenetworkelementmustnotuseSSHVersion1foradministrativeaccess.Table400providesasummaryresultofthefindings.

Table400:ThenetworkelementmustnotallowSSHVersion1.-Summaryresult

Device Type Status



5.82.2Description

SSHVersion1isaprotocolthathasneverbeendefinedinastandard.SinceSSH-1hasinherentdesignflawswhichmakeitvulnerableto,e.g.,man-in-the-middleattacks,itisnowgenerallyconsideredobsoleteandshouldbeavoidedbyexplicitlydisablingfallbacktoSSH-1.

5.82.3Findings

router03

NipperStudiodeterminedthatSSHwasnotenabledonrouter03.

CiscoIOS15

NipperStudiodeterminedthattheSSHservicewasenabledonCiscoIOS15withsupportforonlyprotocolversion2.

5.82.4Check

IfSSHisusedforadministrativeaccess,thenVersion2mustbeconfiguredasshowninthefollowingexample:ipsshversion2

5.82.5Fix

ConfigurethenetworkdevicetouseSSHversion2.


5.83V-15288-ISATAPtunnelsmustterminateatinteriorrouter.

5.83.1Summary

ISATAPtunnelsmustterminateataninteriorrouter.Table401providesasummaryresultofthefindings.

Table401:ISATAPtunnelsmustterminateatinteriorrouter.-Summaryresult

Device Type Status



Severity:CATII


STIGID:NET0433

Controls:


5.83.2Description

ISATAPisanautomatictunnelmechanismthatdoesnotprovideauthenticationsuchasIPSec.Asaresultofthislimitation,ISATAPisthoughtofasatoolthatisusedinsidetheenclaveamongtrustedhosts,whichwouldlimitittointernalattacks.ISATAPisaserviceversusaproduct,andisreadilyavailabletomostusers.IfauserknowstheISATAProuterIPaddress,theycanessentiallygetontotheIPv6intranet.Tocontrolthevulnerabilityofthistunnelmechanism,itiscriticaltocontroltheuseofprotocol41anduseIPv4filterstocontrolwhatIPv4nodescansendprotocol41packetstoanISATAProuterinterface.AlthoughtheISATAPtunnelingmechanismissimilartootherautomatictunnelingmechanisms,suchasIPv66to4tunneling,ISATAPisdesignedfortransportingIPv6packetsbetweensiteswithinanenclave,notbetweenenclaves.

5.83.3Check

VerifyISATAPtunnelsareterminatedontheinfrastructureroutersorL3switcheswithintheenclave.ExampleconfigurationofanISATAPtunnelendpoint:interfacetunnel1noipaddressnoipredirectstunnelsourceethernet1tunnelmodeipv6ipisatapipv6address2001:0DB8::/64eui-64noipv6ndsuppress-ra

5.83.4Fix

TerminateISATAPtunnelsattheinfrastructureroutertoprohibittunneledtrafficfromexitingtheenclaveperimeterpriortoinspectionbytheIDS,IPS,orfirewall.


5.84V-15432-ThedeviceisnotauthenticatedusingaAAAserver.

5.84.1Summary

Networkdevicesmustusetwoormoreauthenticationserversforthepurposeofgrantingadministrativeaccess.Table402providesasummaryresultofthefindings.

Table402:ThedeviceisnotauthenticatedusingaAAAserver.-Summaryresult

Device Type Status



5.84.2Description

TheuseofAuthentication,Authorization,andAccounting(AAA)affordsthebestmethodsforcontrollinguseraccess,authorizationlevels,andactivitylogging.ByenablingAAAontheroutersinconjunctionwithanauthenticationserversuchasTACACS+orRADIUS,theadministratorscaneasilyaddorremoveuseraccounts,addorremovecommandauthorizations,andmaintainalogofuseractivity.Theuseofanauthenticationserverprovidesthecapabilitytoassignrouteradministratorstotieredgroupsthatcontaintheirprivilegelevelthatisusedforauthorizationofspecificcommands.Forexample,usermodewouldbeauthorizedforallauthenticatedadministratorswhileconfigurationoreditmodeshouldonlybegrantedtothoseadministratorsthatarepermittedtoimplementrouterconfigurationchanges.

5.84.3Findings

router03

NipperStudioidentifiedzeroauthenticationserversconfiguredonrouter03

CiscoIOS15

NipperStudioidentifiedoneauthenticationserverconfiguredonCiscoIOS15.Thisisdetailedbelow.

Table403:TACACS+authenticationservers

ServerGroup Address Port Key

18.1.1.1 49

5.84.4Check

Severity:CATI


STIGID:NET0441

Controls:


Severity:CATII


STIGID:NET1807

Controls:


Verifyanauthenticationserverisrequiredtoaccessthedeviceandthattherearetwoormoreauthenticationserversdefined.Ifthedeviceisnotconfiguredfortwoseparateauthenticationservers,thisisafinding.

5.84.5Fix

Configurethedevicetousetwoseparateauthenticationservers.


5.85V-15434-Emergencyadministrationaccountprivilegelevelisnotset.

5.85.1Summary

Theemergencyadministrationaccountmustbesettoanappropriateauthorizationleveltoperformnecessaryadministrativefunctionswhentheauthenticationserverisnotonline.Table404providesasummaryresultofthefindings.

Table404:Emergencyadministrationaccountprivilegelevelisnotset.-Summaryresult

Device Type Status



5.85.2Description

Theemergencyadministrationaccountistobeconfiguredasalocalaccountonthenetworkdevices.Itistobeusedonlywhentheauthenticationserverisofflineornotreachableviathenetwork.Theemergencyaccountmustbesettoanappropriateauthorizationleveltoperformnecessaryadministrativefunctionsduringthistime.

5.85.3Check

Reviewtheemergencyadministrationaccountconfiguredonthenetworkdevicesandverifythatithasbeenassignedtoaprivilegelevelthatwillenabletheadministratortoperformnecessaryadministrativefunctionswhentheauthenticationserverisnotonline.Iftheemergencyadministrationaccountisconfiguredformoreaccessthanneededtotroubleshootissues,thisisafinding.

5.85.4Fix

Assignaprivilegeleveltotheemergencyadministrationaccounttoallowtheadministratortoperformnecessaryadministrativefunctionswhentheauthenticationserverisnotonline.


5.86V-17754-Managementtrafficisnotrestricted

5.86.1Summary

IPSectunnelsusedtotransitmanagementtrafficmustberestrictedtoonlytheauthorizedmanagementpacketsbasedondestinationandsourceIPaddress.Table405providesasummaryresultofthefindings.

Table405:Managementtrafficisnotrestricted-Summaryresult

Device Type Status



5.86.2Description

TheOut-of-BandManagement(OOBM)networkisanIPnetworkusedexclusivelyforthetransportofOAM&PdatafromthenetworkbeingmanagedtotheOSScomponentslocatedattheNOC.ItsdesignprovidesconnectivitytoeachmanagednetworkdeviceenablingnetworkmanagementtraffictoflowbetweenthemanagedNEsandtheNOC.Thisallowstheuseofpathsseparatefromthoseusedbythenetworkbeingmanaged.Trafficfromthemanagednetworktothemanagementnetworkandvice-versamustbesecuredviaIPSecencapsulation.

5.86.3Check

ReviewthedeviceconfigurationtodetermineifIPSectunnelsusedintransitingmanagementtrafficarefilteredtoonlyacceptauthorizedtrafficbasedonsource

Severity:CATII


STIGID:NET1808

Controls:


Severity:CATII


STIGID:NET0985

Controls:ECSC-1


anddestinationIPaddressesofthemanagementnetwork.IffiltersarenotrestrictingonlyauthorizedmanagementtrafficintotheIPSectunnel,thisisafinding.

5.86.4Fix

ConfigurefiltersbasedonsourceanddestinationIPaddresstorestrictonlyauthorizedmanagementtrafficintoIPSectunnelsusedfortransitingmanagementdata.


5.87V-17814-RemoteVPNend-pointnotamirroroflocalgateway

5.87.1Summary

GatewayconfigurationattheremoteVPNend-pointisanotamirrorofthelocalgatewayTable406providesasummaryresultofthefindings.

Table406:RemoteVPNend-pointnotamirroroflocalgateway-Summaryresult

Device Type Status



5.87.2Description

TheIPSectunnelendpointsmaybeconfiguredontheOOBMgatewayroutersconnectingthemanagednetworkandtheNOC.TheymayalsobeconfiguredonafirewallorVPNconcentratorlocatedbehindthegatewayrouter.Ineithercase,thecryptoaccess-listusedtoidentifythetraffictobeprotectedmustbeamirror(bothIPsourceanddestinationaddress)ofthecryptoaccesslistconfiguredattheremoteVPNpeer.

5.87.3Check

VerifytheconfigurationattheremoteVPNend-pointisamirrorconfigurationasthatreviewedforthelocalend-point.

5.87.4Fix

Configurehecryptoaccess-listusedtoidentifythetraffictobeprotectedsothatitisamirror(bothIPsourceanddestinationaddress)ofthecryptoaccesslistconfiguredattheremoteVPNpeer.


5.88V-17815-IGPinstancesdonotpeerwithappropriatedomain

5.88.1Summary

IGPinstancesconfiguredontheOOBMgatewayrouterdonotpeeronlywiththeirappropriateroutingdomain.Table407providesasummaryresultofthefindings.

Table407:IGPinstancesdonotpeerwithappropriatedomain-Summaryresult

Device Type Status


5.88.2Description

IfthegatewayrouterisnotadedicateddevicefortheOOBMnetwork,severalsafeguardsmustbeimplementedforcontainmentofmanagementandproductiontrafficboundaries.Sincethemanagednetworkandthemanagementnetworkareseparateroutingdomains,separateIGProutinginstancesmustbeconfiguredontherouter—oneforthemanagednetworkandonefortheOOBMnetwork.

5.88.3Check

VerifythattheOOBMinterfaceisanadjacencyonlyintheIGProutingdomainforthemanagementnetwork.

5.88.4Fix

EnsurethatmultipleIGPinstancesconfiguredontheOOBMgatewayrouterpeeronlywiththeirappropriateroutingdomain.Verifythattheallinterfacesare

Severity:CATII


STIGID:NET0986

Controls:


configuredfortheappropriateIGPinstance.


5.89V-17816-RoutesfromthetwoIGPdomainsareredistributed

5.89.1Summary

TheroutesfromthetwoIGPdomainsareredistributedtoeachother.Table408providesasummaryresultofthefindings.

Table408:RoutesfromthetwoIGPdomainsareredistributed-Summaryresult

Device Type Status


5.89.2Description

IfthegatewayrouterisnotadedicateddevicefortheOOBMnetwork,severalsafeguardsmustbeimplementedforcontainmentofmanagementandproductiontrafficboundaries.Sincethemanagednetworkandthemanagementnetworkareseparateroutingdomains,separateIGProutinginstancesmustbeconfiguredontherouter—oneforthemanagednetworkandonefortheOOBMnetwork.Inaddition,theroutesfromthetwodomainsmustnotberedistributedtoeachother.

5.89.3Findings

CiscoIOS15

NipperStudiodetectednoissueswithredistributedroutingonCiscoIOS15

5.89.4Check

VerifythattheIGPinstanceusedforthemanagednetworkdoesnotredistributeroutesintotheIGPinstanceusedforthemanagementnetworkandviceversa.

RouteadvertisementsbetweentwothetworoutingdomainssuchasOSPFandEIGRPcanonlybesharedviaredistribution.VerifythattherearenoredistributecommandsconfiguredunderIGPdomainforthemanagementnetworkthatwouldenabledistributingroutesfromtheIGPdomainofthemanagednetwork,orvice-versa.ThefollowingwouldbeanexampleofredistributingroutesfromEIGRPintoOSPF.routerospf1network172.20.0.0redistributeeigrp12

IOSsupportsmultipleinstancesofOSPFandEIGRPthatareconfiguredusingadifferentprocessID.EachEIGRPorOSPFprocesswillrunonlyontheinterfacesofthenetworksspecified.EachEIGRPprocessmaintainsaseparatetopologydatabase;likewise,eachOSPFprocessmaintainsaseparatelink-statedatabase.Routeadvertisementsbetweentwoprocessescanonlybesharedviaredistribution.VerifythattherearenoredistributioncommandsthatwoulddistributeroutesfromtheIGProutingdomainforthemanagementnetworkintotheIGProutingdomainofthemanagednetwork,orvice-versa.ThefollowingwouldbeanexampleofredistributingroutesfromoneEIGRPintoanotherEIGRP.!routereigrp15network172.20.0.0!routereigrp10network10.0.0.0redistributeeigrp15Asanalternative,staticroutescanbeusedtoforwardmanagementtraffictotheOOBMinterface;however,thismethodmaynotscalewell.IfstaticroutesareusedtoforwardmanagementtraffictotheOOBbackbonenetwork,verifythattheOOBMinterfaceisnotanIGPadjacencyandthatthecorrectdestinationprefixhasbeenconfiguredtoforwardthemanagementtraffictothecorrectnext-hopandinterfaceforthestaticroute.Inthefollowingconfigurationexamples,10.1.1.0/24isthemanagementnetworkand10.1.20.4istheinterfaceaddressoftheOOBbackbonerouterthattheOOBgatewayrouterconnectsto.Thenetwork10.1.20.0/24istheOOBMbackbone.interfaceSerial0/0descriptionto_OOBM_Backboneipaddress10.1.20.3255.255.255.0interfaceFastethernet0/0descriptionto_our_PrivateNetipaddress172.20.4.2255.255.255.0interfaceFastethernet0/1descriptionto_our_ServiceNet

Severity:CATII


STIGID:NET0987

Controls:


ipaddress172.20.5.2255.255.255.0!routerospf1network172.20.0.0!iproute10.1.1.0255.255.255.010.1.20.4Serial0/0

5.89.5Fix

EnsurethattheIGPinstanceusedforthemanagednetworkdoesnotredistributeroutesintotheIGPinstanceusedforthemanagementnetworkandviceversa.


5.90V-17817-ManagednetworkhasaccesstoOOBMgatewayrouter

5.90.1Summary

TrafficfromthemanagednetworkisabletoaccesstheOOBMgatewayrouterTable409providesasummaryresultofthefindings.

Table409:ManagednetworkhasaccesstoOOBMgatewayrouter-Summaryresult

Device Type Status



5.90.2Description

IfthegatewayrouterisnotadedicateddevicefortheOOBMnetwork,severalsafeguardsmustbeimplementedforcontainmentofmanagementandproductiontrafficboundaries.ItisimperativethathostsfromthemanagednetworkarenotabletoaccesstheOOBMgatewayrouiter.

5.90.3Check

ReviewtheACLorfiltersfortherouter’sreceivepathandverifythatonlytrafficsourcedfromthemanagementnetworkisallowedtoaccesstherouter.Thiswouldincludebothmanagementandcontrolplanetraffic.Step1:Verifythattheglobalipreceiveaclstatementhasbeenconfiguredasshowninthefollowingexample:ipreceiveacl199Note:TheIOSIPReceiveACLfeatureprovidesfilteringcapabilityfortrafficthatisdestinedfortherouter.TheIPReceiveACLfilteringoccursafteranyinputACLboundtotheingressinterface.Ondistributedplatforms(i.e.,12000series),theIPreceiveACLfilterstrafficonthedistributedlinecardsbeforepacketsarereceivedbytherouteprocessor;therebypreventingthefloodfromdegradingtheperformanceoftherouteprocessor.Step2:DeterminetheaddressblockofthemanagementnetworkattheNOC.Intheexampleconfigurationbelow,the10.2.2.0/24isthemanagementnetworkattheNOC.Step3:VerifythattheACLreferencedbytheipreceiveaclstatementrestrictsallmanagementplanetraffictothevalidatednetworkmanagementaddressblockattheNOC.Managementtrafficcanincludetelnet,SSH,SNMP,TACACS,RADIUS,TFTP,FTP,andICMP.ControlplanetrafficfromOOBMbackboneneighborsshouldalsobeallowedtoaccesstherouter.TheACLconfigurationshouldlooksimilartothefollowing:access-list199denyipanyanyfragmentsaccess-list199permitospf10.1.20.00.0.0.255anyaccess-list199permittcp10.2.2.00.0.0.255anyeqsshaccess-list199permitudphost10.2.2.24anyeqsnmpaccess-list199permitudphost10.2.2.25anyeqsnmpaccess-list199permitudphost10.2.2.26anyeqntpaccess-list199permitudphost10.2.2.27anyeqntpaccess-list199permittcphost10.2.2.30eqtacacsanygt1023establishedaccess-list199permittcphost10.2.2.77eqftpanygt1023establishedaccess-list199permittcphost10.2.2.77gt1024anyeqftp-dataaccess-list199permiticmp10.2.2.00.0.0.255anyaccess-list199denyipanyanylogIntheexampleabove,theOSPFneighborswouldbeadjacencieswiththeOOBMbackbonenetwork10.1.20.0/24.Iftheplatformdoesnotsupportthereceivepathfilter,thenverifythatallnon-OOBMinterfaceshaveaningressACLtorestrictaccesstothatinterfaceaddressoranyoftherouter’sloopbackaddressestoonlytrafficsourcedfromthemanagementnetwork.Exceptionwouldbetoallowpacketsdestinedtothese

Severity:CATII


STIGID:NET0988

Controls:


Severity:CATII


STIGID:NET0989

Controls:


interfacesusedfortroubleshootingsuchaspingandtraceroute.

5.90.4Fix

EnsurethattrafficfromthemanagednetworkisnotabletoaccesstheOOBMgatewayrouterusingeitherreceivepathorinterfaceingressACLs.


5.91V-17818-Trafficfromthemanagednetworkwillleak

5.91.1Summary

TrafficfromthemanagednetworkwillleakintothemanagementnetworkviathegatewayrouterinterfaceconnectedtotheOOBMbackbone.Table410providesasummaryresultofthefindings.

Table410:Trafficfromthemanagednetworkwillleak-Summaryresult

Device Type Status



5.91.2Description

IfthegatewayrouterisnotadedicateddevicefortheOOBMnetwork,severalsafeguardsmustbeimplementedforcontainmentofmanagementandproductiontrafficboundariessuchasusinginterfaceACLsorfiltersattheboundariesbetweenthetwonetworks.

5.91.3Check

ExaminetheegressfilterontheOOBMinterfaceofthegatewayroutertoverifythatonlytrafficsourcedfromthemanagementaddressspaceisallowedtotransittheOOBMbackbone.Intheexampleconfigurationsbelow,the10.1.1.0/24isthemanagementnetworkaddressspaceattheenclaveormanagednetworkand10.2.2.0/24isthemanagementnetworkaddressspaceattheNOC.IOSinterfaceSerial0/0descriptionto_OOBM_Backboneipaddress10.1.20.3255.255.255.0ipaccess-group101outinterfaceFastethernet0/0descriptionEnclave_Management_LANipaddress10.1.1.1255.255.255.0interfaceFastethernet0/1descriptionto_our_ServiceNetipaddress172.20.5.2255.255.255.0!access-list101permitip10.1.1.00.0.0.25510.2.2.00.0.0.255access-list101denyipanyanylog

5.91.4Fix

ConfiguretheOOBMgatewayrouterinterfaceACLstoensuretrafficfromthemanagednetworkdoesnotleakintothemanagementnetwork.


5.92V-17819-Managementtrafficleaksintothemanagednetwork

5.92.1Summary

Managementnetworktrafficisleakingintothemanagednetwork.Table411providesasummaryresultofthefindings.

Table411:Managementtrafficleaksintothemanagednetwork-Summaryresult

Device Type Status



Severity:CATII


STIGID:NET0991

Controls:


5.92.2Description

IfthegatewayrouterisnotadedicateddevicefortheOOBMnetwork,severalsafeguardsmustbeimplementedforcontainmentofmanagementandproductiontrafficboundaries.Toprovideseparation,accesscontrollistsorfiltersmustbeconfiguredtoblockanytrafficfromthemanagementnetworkdestinedforthemanagednetwork’sproductionaddressspaces.

5.92.3Check

ExaminetheingressfilterontheOOBMinterfaceofthegatewayroutertoverifythattrafficisonlydestinedtothelocalmanagementaddressspace.Intheexampleconfigurationsbelow,the10.1.1.0/24isthelocalmanagementnetworkaddressspaceattheenclaveormanagednetworkand10.2.2.0/24isthemanagementnetworkaddressspaceattheNOC.IOSinterfaceSerial0/0descriptionto_OOBM_Backboneipaddress10.1.20.3255.255.255.0ipaccess-group100inipaccess-group101outinterfaceFastethernet0/0descriptionEnclave_Management_LANipaddress10.1.1.2255.255.255.0interfaceFastethernet0/1descriptionto_our_ServiceNetipaddress172.20.5.2255.255.255.0interfaceFastethernet0/2descriptionto_our_PrivateNetipaddress172.20.4.2255.255.255.0!access-list100permitip10.2.2.00.0.0.25510.1.1.00.0.0.255access-list100denyipanyanylog

5.92.4Fix

Configureaccesscontrollistsorfilterstoblockanytrafficfromthemanagementnetworkdestinedforthemanagednetwork'sproductionaddressspaces.


5.93V-17821-TheOOBMinterfacenotconfiguredcorrectly.

5.93.1Summary

Thenetworkelement’sOOBMinterfacemustbeconfiguredwithanOOBMnetworkaddress.Table412providesasummaryresultofthefindings.

Table412:TheOOBMinterfacenotconfiguredcorrectly.-Summaryresult

Device Type Status



5.93.2Description

TheOOBMaccessswitchwillconnecttothemanagementinterfaceofthemanagednetworkelements.ThemanagementinterfaceofthemanagednetworkelementwillbedirectlyconnectedtotheOOBMnetwork.AnOOBMinterfacedoesnotforwardtransittraffic;thereby,providingcompleteseparationofproductionandmanagementtraffic.Sinceallmanagementtrafficisimmediatelyforwardedintothemanagementnetwork,itisnotexposedtopossibletampering.Theseparationalsoensuresthatcongestionorfailuresinthemanagednetworkdonotaffectthemanagementofthedevice.IftheOOBMinterfacedoesnothaveanIPaddressfromthemanagednetworkaddressspace,itwillnothavereachabilityfromtheNOCusingscalableandnormalcontrolplaneandforwardingmechanisms.

5.93.3Check

AfterdeterminingwhichinterfaceisconnectedtotheOOBMaccessswitch,reviewthemanageddeviceconfigurationandverifythattheinterfacehasbeenassignedanaddressfromthelocalmanagementaddressblock.Inthisexample,thatis10.1.1.0/24.Ciscorouter

Severity:CATII


STIGID:NET0992

Controls:


interfaceFastethernet0/0descriptionEnclave_Management_LANipaddress10.1.1.22255.255.255.0CiscoCatalystMLSSwitchinterfaceVLAN101descriptionManagement_VLANipaddress10.1.1.22255.255.255.0……interfaceFastEthernet1/6switchportaccessvlan101switchportmodeaccessorinterfaceFastEthernet1/6noswitchportipaddress10.1.1.22255.255.255.0Caveat:Iftheinterfaceisconfiguredasaroutedinterfaceasshownintheaboveconfiguration,therequirementsspecifiedinNOC180mustbeimplemented.

5.93.4Fix

ConfiguretheOOBmanagementinterfacewithanIPaddressfromtheaddressspacebelongingtotheOOBMnetwork.


5.94V-17822-ThemanagementinterfacedoesnothaveanACL.

5.94.1Summary

ThemanagementinterfaceisnotconfiguredwithbothaningressandegressACL.Table413providesasummaryresultofthefindings.

Table413:ThemanagementinterfacedoesnothaveanACL.-Summaryresult

Device Type Status



5.94.2Description

TheOOBMaccessswitchwillconnecttothemanagementinterfaceofthemanagednetworkelements.ThemanagementinterfacecanbeatrueOOBMinterfaceorastandardinterfacefunctioningasthemanagementinterface.Ineithercase,themanagementinterfaceofthemanagednetworkelementwillbedirectlyconnectedtotheOOBMnetwork.AnOOBMinterfacedoesnotforwardtransittraffic;thereby,providingcompleteseparationofproductionandmanagementtraffic.Sinceallmanagementtrafficisimmediatelyforwardedintothemanagementnetwork,itisnotexposedtopossibletampering.Theseparationalsoensuresthatcongestionorfailuresinthemanagednetworkdonotaffectthemanagementofthedevice.IfthedevicedoesnothaveanOOBMport,theinterfacefunctioningasthemanagementinterfacemustbeconfiguredsothatmanagementtrafficdoesnotleakintothemanagednetworkandthatproductiontrafficdoesnotleakintothemanagementnetwork

5.94.3Check

Step1:VerifythatthemanagedinterfacehasaninboundandoutboundACLconfiguredasshowninthefollowingexample:interfaceFastEthernet1/1descriptionEnclave_Management_LANipaddress10.1.1.22255.255.255.0ipaccess-group100inipaccess-group101outStep2:VerifythattheingressACLblocksalltransittraffic—thatis,anytrafficnotdestinedtotherouteritself.Inaddition,trafficaccessingthemanagedelementsshouldbeoriginatedattheNOC.IntheexamplethemanagementnetworkattheNOCis10.2.2.0/24.access-list100permitip10.2.2.00.0.0.255host10.1.1.22access-list100denyipanyanylog

Severity:CATIII


STIGID:NET0993

Controls:


Notethatthedestinationusedbyanyhostwithinthemanagementnetworktoaccessthemanagedelementsmustbeviathemanagementinterface.TheloopbackshouldnotbeavalidaddresssincetheseprefixeswouldnotbeadvertisedintothemanagementnetworkIGPdomain.ThiscouldonlybepossibleifthemanagednetworkElements:hadanIGPadjacencywiththemanagednetwork,whichshouldnotbethecase.Step3:VerifythattheegressACLblocksanytrafficnotoriginatedbythemanagedelementaccess-list101denyipanyanylogCiscorouter-generatedpacketsarenotinspectedbyoutgoingaccess-lists.Hence,theaboveconfigurationwouldsimplydropanypacketsnotgeneratedbytherouteritselfandallowalllocaltraffic.Tofilterlocaltraffic,IOSprovidesafeaturecalledlocalpolicyrouting,whichenablestheadministratortoapplyaroute-maptoanylocalrouter-generatedtraffic.ToprohibitoutgoingtrafficfromthelocalroutertoanydestinationotherthantheNOC,theaconfigurationsuchasthefollowingcouldbeused:!Donotdroptrafficdestinedto10.2.2.0/24.Hence,donotincludeitin!thelocalpolicyroutemap,butincludeallotherdestinations.!ipaccess-listextendedBLOCK_INVALID_DESTdenyipany10.2.2.00.0.0.255permitipanyany!route-mapLOCAL_POLICY10matchipaddressBLOCK_INVALID_DESTsetinterfaceNull0!iplocalpolicyroute-mapLOCAL_POLICY

AlternativeSolution:TheIOSManagementPlaneProtectionFeatureCiscointroducedtheManagementPlaneProtection(MPP)featurewithIOS12.4(6)Twhichallowsanyphysicalin-bandinterfacetobededicatedforOOBmanagement.TheMPPfeatureallowsanetworkoperatortodesignateoneormorerouterinterfacesasmanagementinterfaces.Managementtrafficispermittedtoenteradeviceonlythroughthesemanagementinterfaces.Alloftheotherin-bandinterfacesnotenabledforMPPwillautomaticallydropallingresspacketsassociatedwithanyofthesupportedMPPprotocols(FTP,HTTP,HTTPS,SCP,SSH,SNMP,Telnet,andTFTP).Hence,afterMPPisenabled,nointerfacesexceptmanagementinterfaceswillacceptnetworkmanagementtrafficdestinedtothedevice.Thisfeaturealsoprovidesthecapabilitytorestrictwhichmanagementprotocolsareallowed.Thisfeaturedoesnotchangethebehavioroftheconsole,auxiliary,andmanagementEthernetinterfaces.ThefollowingconfigurationexampledepictsFastEthernet1/1asbeingthedesignatedmanagementinterfacethatwillonlyallowsshandsnmptraffic.

control-planehostmanagement-interfaceFastEthernet1/1allowsshsnmp!interfaceFastEthernet1/1descriptionEnclave_Management_LANipaddress10.1.1.22255.255.255.0

5.94.4Fix

Ifthemanagementinterfaceisaroutedinterface,itmustbeconfiguredwithbothaningressandegressACL.TheingressACLshouldblockanytransittraffic,whiletheegressACLshouldblockanytrafficthatwasnotoriginatedbythemanagednetworkdevice.


5.95V-17823-ThemanagementinterfaceisnotIGPpassive.

5.95.1Summary

Thenetworkelement’smanagementinterfaceisnotconfiguredaspassivefortheIGPinstancedeployedinthemanagednetwork.Table414providesasummaryresultofthefindings.

Table414:ThemanagementinterfaceisnotIGPpassive.-Summaryresult

Device Type Status



5.95.2Description

TheOOBMaccessswitchwillconnecttothemanagementinterfaceofthemanagednetworkelements.ThemanagementinterfacecanbeatrueOOBMinterfaceorastandardinterfacefunctioningasthemanagementinterface.Ineithercase,themanagementinterfaceofthemanagednetworkelementwillbedirectlyconnectedtotheOOBMnetwork.

Severity:CATII


STIGID:NET1005

Controls:


AnOOBMinterfacedoesnotforwardtransittraffic;thereby,providingcompleteseparationofproductionandmanagementtraffic.Sinceallmanagementtrafficisimmediatelyforwardedintothemanagementnetwork,itisnotexposedtopossibletampering.Theseparationalsoensurescongestionorfailuresinthemanagednetworkdonotaffectthemanagementofthedevice.IfthedevicedoesnothaveanOOBMport,theinterfacefunctioningasthemanagementinterfacemustbeconfiguredsomanagementtraffic,bothdataplaneandcontrolplane,doesnotleakintothemanagednetworkandproductiontrafficdoesnotleakintothemanagementnetwork.

5.95.3Check

Ifthemanagednetworkelementisalayer3device,reviewtheconfigurationtoverifythemanagementinterfaceisconfiguredaspassivefortheIGPinstanceforthemanagednetwork.Dependingontheplatformandroutingprotocol,thismaysimplyrequirethattheinterfaceoritsIPaddressisnotincludedintheIGPconfiguration.ThefollowingconfigurationwouldbeanexamplewhereOSPFisonlyenabledonallinterfacesexceptthemanagementinterface:interfaceFastethernet0/0descriptionEnclave_Management_LANipaddress10.1.1.22255.255.255.0ipaccess-group100inipaccess-group101outinterfaceFastethernet0/1descriptionto_our_PrivateNetipaddress172.20.4.2255.255.255.0interfaceFastethernet0/2descriptionto_our_ServiceNetipaddress172.20.5.2255.255.255.0interfaceFastethernet1/1descriptionto_our_DMZipaddress172.20.3.1255.255.255.0!routerospf1network172.20.0.0255.255.255.0area1Note:TheMPPfeaturehasnoeffectoncontrolplanetraffic.Hence,theroutingprotocolmuststillbeconfiguredsothatitisnotenabledonthemanagementinterface.

5.95.4Fix

ConfigurethemanagementinterfaceaspassivefortheIGPinstanceconfiguredforthemanagednetwork.Dependingontheplatformandroutingprotocol,thismaysimplyrequirethattheinterfaceoritsIPaddressisnotincludedintheIGPconfiguration.


5.96V-17834-NoinboundACLformgmtnetworksub-interface

5.96.1Summary

AninboundACLisnotconfiguredforthemanagementnetworksub-interfaceofthetrunklinktoblocknon-managementtraffic.Table415providesasummaryresultofthefindings.

Table415:NoinboundACLformgmtnetworksub-interface-Summaryresult

Device Type Status



5.96.2Description

Ifthemanagementsystemsresidewithinthesamelayer2switchingdomainasthemanagednetworkelements,thenseparateVLANswillbedeployedtoprovideseparationatthatlevel.Inthiscase,themanagementnetworkstillhasitsownsubnetwhileatthesametimeitisdefinedasauniqueVLAN.Inter-VLANroutingortheroutingoftrafficbetweennodesresidingindifferentsubnetsrequiresarouterormulti-layerswitch(MLS).Accesscontrollistsmustbeusedtoenforcetheboundariesbetweenthemanagementnetworkandthenetworkbeingmanaged.Allphysicalandvirtual(i.e.MLSSVI)routedinterfacesmustbeconfiguredwithACLstopreventtheleakingofunauthorizedtrafficfromonenetworktotheother.

5.96.3Check

ReviewtherouterconfigurationandverifythataninboundACLhasbeenconfiguredforthemanagementnetworksub-interfaceasillustratedinthefollowingexampleconfiguration:IOS

Severity:CATII


STIGID:NET1006

Controls:


interfaceGigabitEthernet3noipredirectsnoipdirected-broadcastinterfaceGigabitEthernet3.10encapsulationdot1q10descriptionManagementVLANipaddress10.1.1.1255.255.255.0ipaccess-group108in!access-list108permit…

5.96.4Fix

Ifarouterisusedtoprovideinter-VLANrouting,configureaninboundACLforthemanagementnetworksub-interfaceforthetrunklinktoblocknon-managementtraffic.


5.97V-17835-IPSectrafficisnotrestricted

5.97.1Summary

Trafficenteringthetunnelsisnotrestrictedtoonlytheauthorizedmanagementpacketsbasedondestinationaddress.Table416providesasummaryresultofthefindings.

Table416:IPSectrafficisnotrestricted-Summaryresult

Device Type Status



5.97.2Description

SimilartotheOOBMmodel,whentheproductionnetworkismanagedin-band,themanagementnetworkcouldalsobehousedataNOCthatislocatedlocallyorremotelyatasingleormultipleinterconnectedsites.NOCinterconnectivityaswellasconnectivitybetweentheNOCandthemanagednetworks’premiserouterswouldbeenabledusingeitherprovisionedcircuitsorVPNtechnologiessuchasIPSectunnelsorMPLSVPNservices.

5.97.3Check

Verifythatalltrafficfromthemanagednetworktothemanagementnetworkandvice-versaissecuredviaIPSecencapsulation.Intheconfigurationexamples,10.2.2.0/24isthemanagementnetworkattheNOCand192.168.1.0/24isaddressspaceusedatthenetworkbeingmanaged(i.e.,theenclave).ForCiscorouter,theaccess-listreferencedbythecryptomapmusthavethesourceanddestinationaddressesbelongingtothemanagementnetworkaddressspaceattheenclaveandNOCrespectively.hostnamePremrouter!interfaceSerial1/0ipaddress19.16.1.1255.255.255.0descriptionNIPRNet_LinkcryptomapmyvpninterfaceFastethernet0/0descriptionEnclave_Management_LANipaddress192.168.1.1255.255.255.0!cryptoisakmppolicy1authenticationpre-sharelifetime84600cryptoisakmpkey*******address19.16.2.1!cryptoipsectransform-settoNOCesp-desesp-md5-hmac!cryptomapmyvpn10ipsec-isakmpsetpeer19.16.2.1settransform-settoNOCmatchaddress101!access-list101permitipany10.2.2.00.0.0.255

Severity:CATIII


STIGID:NET1007

Controls:


5.97.4Fix

WhereIPSectechnologyisdeployedtoconnectthemanagednetworktotheNOC,itisimperativethatthetrafficenteringthetunnelsisrestrictedtoonlytheauthorizedmanagementpacketsbasedondestinationaddress.


5.98V-17836-Managementtrafficisnotclassifiedandmarked

5.98.1Summary

ManagementtrafficisnotclassifiedandmarkedatthenearestupstreamMLSorrouterwhenmanagementtrafficmusttraverseseveralnodestoreachthemanagementnetwork.Table417providesasummaryresultofthefindings.

Table417:Managementtrafficisnotclassifiedandmarked-Summaryresult

Device Type Status



5.98.2Description

Whennetworkcongestionoccurs,alltraffichasanequalchanceofbeingdropped.Prioritizationofnetworkmanagementtrafficmustbeimplementedtoensurethatevenduringperiodsofseverenetworkcongestion,thenetworkcanbemanagedandmonitored.QualityofService(QoS)provisioningcategorizesnetworktraffic,prioritizesitaccordingtoitsrelativeimportance,andprovidesprioritytreatmentthroughcongestionavoidancetechniques.ImplementingQoSwithinthenetworkmakesnetworkperformancemorepredictableandbandwidthutilizationmoreeffective.Mostimportant,sincethesamebandwidthisbeingusedtomanagethenetwork,itprovidessomeassurancethattherewillbebandwidthavailabletotroubleshootoutagesandrestoreavailabilitywhenneeded.Whenmanagementtrafficmusttraverseseveralnodestoreachthemanagementnetwork,managementtrafficshouldbeclassifiedandmarkedatthenearestupstreamMLSorrouter.Inaddition,allcorerouterswithinthemanagednetworkmustbeconfiguredtoprovidepreferredtreatmentbasedontheQoSmarkings.Thiswillensurethatmanagementtrafficreceivespreferredtreatment(per-hopbehavior)ateachforwardingdevicealongthepathtothemanagementnetwork.traffic.

5.98.3Check

class-mapmatch-allMANAGEMENT-TRAFFICmatchaccess-groupnameCLASSIFY-MANAGEMENT-TRAFFIC!policy-mapDIST-LAYER-POLICYclassMANAGEMENT-TRAFFICsetipdscp48!interfaceFastEthernet0/0descriptionlinktoLAN1ipaddress192.168.1.1255.255.255.0service-policyinputDIST-LAYER-POLICYinterfaceFastEthernet0/1descriptionlinktoLAN2ipaddress192.168.2.1255.255.255.0service-policyinputDIST-LAYER-POLICYinterfaceFastEthernet0/2descriptionlinktocoreipaddress192.168.13.1255.255.255.0!ipaccess-listextendedCLASSIFY-MANAGEMENT-TRAFFICpermitipany10.2.2.00.0.0.255Note:Trafficismarkedusingthesetcommandinapolicymap.ForDSCPrewrite,ifapacketencountersbothinputandoutputclassificationpolicy,theoutputpolicyhasprecedence.Ifthereisnooutputpolicy,thentheinputpolicyhasprecedence.

5.98.4Fix

Whenmanagementtrafficmusttraverseseveralnodestoreachthemanagementnetwork,classifyandmarkmanagementtrafficatthenearestupstreamMLSorrouter.


5.99V-17837-Managementtrafficdoesn'tgetpreferredtreatment

Severity:CATIII


STIGID:NET1008

Controls:


5.99.1Summary

Thecorerouterwithinthemanagednetworkhasnotbeenconfiguredtoprovidepreferredtreatmentformanagementtrafficthatmusttraverseseveralnodestoreachthemanagementnetwork.Table418providesasummaryresultofthefindings.

Table418:Managementtrafficdoesn'tgetpreferredtreatment-Summaryresult

Device Type Status



5.99.2Description

Whennetworkcongestionoccurs,alltraffichasanequalchanceofbeingdropped.Prioritizationofnetworkmanagementtrafficmustbeimplementedtoensurethatevenduringperiodsofseverenetworkcongestion,thenetworkcanbemanagedandmonitored.QualityofService(QoS)provisioningcategorizesnetworktraffic,prioritizesitaccordingtoitsrelativeimportance,andprovidesprioritytreatmentthroughcongestionavoidancetechniques.ImplementingQoSwithinthenetworkmakesnetworkperformancemorepredictableandbandwidthutilizationmoreeffective.Mostimportant,sincethesamebandwidthisbeingusedtomanagethenetwork,itprovidessomeassurancethattherewillbebandwidthavailabletotroubleshootoutagesandrestoreavailabilitywhenneeded.Whenmanagementtrafficmusttraverseseveralnodestoreachthemanagementnetwork,managementtrafficshouldbeclassifiedandmarkedatthenearestupstreamMLSorrouter.Inaddition,allcorerouterswithinthemanagednetworkmustbeconfiguredtoprovidepreferredtreatmentbasedontheQoSmarkings.Thiswillensurethatmanagementtrafficreceivespreferredtreatment(per-hopbehavior)ateachforwardingdevicealongthepathtothemanagementnetwork.traffic.

5.99.3Check

Whenmanagementtrafficmusttraverseseveralnodestoreachthemanagementnetwork,ensurethatallcorerouterswithinthemanagednetworkhavebeenconfiguredtoprovidepreferredtreatmentformanagementtraffic.Thiswillensurethatmanagementtrafficreceivesguaranteedbandwidthateachforwardingdevicealongthepathtothemanagementnetwork.Step1:Verifythataservicepolicyisboundtoallcoreorinternalrouterinterfacesasshownintheconfigurationbelow:interfaceFastEthernet0/1ipaddress192.168.2.1255.255.255.0service-policyoutputQoS-PolicyinterfaceFastEthernet0/2ipaddress192.168.1.1255.255.255.0service-policyoutputQoS-PolicyStep2:Verifythattheclass-mapsplacemanagementtrafficintheappropriateforwardingclassasshownintheexamplebelow:class-mapmatch-allbest-effortmatchipdscp0class-mapmatch-anydata-AF13-AF23matchipdscp14matchipdscp22class-mapmatch-anyvideo-AF33-AF43matchipdscp30matchipdscp38class-mapmatch-allvoice-EFmatchipdscp46class-mapmatch-allnetwork-controlmatchipdscp48

Step3:Verifythattheclassesarereceivingtherequiredservice.policy-mapQoS-Policyclassbest-effortbandwidthpercent10random-detectdscp-basedclassdata-AF13-AF23bandwidthpercent30random-detectdscp-basedclassvideo-AF33bandwidthpercent15random-detectdscp-basedclassvideo-AF43

Severity:CATII


STIGID:NET-SRVFRM-003

Controls:ECSC-1


bandwidthpercent20random-detectdscp-basedclassvoice-EFprioritypercent20classnetwork-controlbandwidthpercent5random-detectdscp-basedNote1:Thedscp-basedargumentenablesWREDtousetheDSCPvalueofapacketwhenitcalculatesthedropprobabilityforthepacket;whereasiftheprec-basedargumentisspecified,WREDwillusetheIPPrecedencevaluetocalculatedropprobability.Ifneitherisspecified,thedefaultisprec-based.Note2:LLQisenabledwiththeprioritycommandusingeitherakbpsvalueorabandwidthpercentageusingthepercentkeywordfollowedbyapercentagevalue.Note3:Trafficthatdoesnotmeetthematchcriteriaspecifiedintheforwardingclassesistreatedasbelongingtothedefaultforwardingclass.Ifadefaultclassisnotconfigured,thedefaultclasshasnoQoSfunctionality.ThesepacketsarethenplacedintoaFIFOqueueandforwardedataratedeterminedbytheavailableunderlyingbandwidth.ThisFIFOqueueismanagedbytaildrop—ameansofavoidingcongestionthattreatsalltrafficequallyanddoesnotdifferentiatebetweenclassesofservice.Whentheoutputqueueisfullandtaildropisineffect,packetsaredroppeduntilthecongestioniseliminatedandthequeueisnolongerfull.Thefollowingexampleconfiguresadefaultclasscalledpolicy1.policy-mappolicy1classclass-defaultfair-queue10queue-limit20Thedefaultclassshownabovehasthesecharacteristics:10queuesfortrafficthatdoesnotmeetthematchcriteriaofotherclasseswhosepolicyisdefinedbypolicy1,andamaximumof20packetsperqueuebeforetaildropisenactedtohandleadditionalqueuedpackets.

5.99.4Fix

Whenmanagementtrafficmusttraverseseveralnodestoreachthemanagementnetwork,ensurethatallcorerouterswithinthemanagednetworkhavebeenconfiguredtoprovidepreferredtreatmentformanagementtraffic.


5.100V-18522-ACLsmustrestrictaccesstoserverVLANs.

5.100.1Summary

ServerVLANinterfacesmustbeprotectedbyrestrictiveACLsusingadeny-by-defaultsecurityposture.Table419providesasummaryresultofthefindings.

Table419:ACLsmustrestrictaccesstoserverVLANs.-Summaryresult

Device Type Status



5.100.2Description

ProtectingdatasittinginaserverVLANisnecessaryandcanbeaccomplishedusingaccesscontrollistsonVLANsprovisionedforservers.WithoutproperaccesscontroloftrafficenteringorleavingtheserverVLAN,potentialthreatssuchasadenialofservice,datacorruption,ortheftcouldoccur,resultingintheinabilitytocompletemissionrequirementsbyauthorizedusers.

5.100.3Check

ReviewthedeviceconfigurationtovalidateanACLwithadeny-by-defaultsecurityposturehasbeenimplementedontheserverVLANinterface.

5.100.4Fix

ConfigureanACLtoprotecttheserverVLANinterface.TheACLmustbeinadeny-by-defaultsecurityposture.


5.101V-18790-NET-TUNL-012

5.101.1Summary

Defaultroutesmustnotbedirectedtothetunnelentrypoint.Table420providesasummaryresultofthefindings.

Severity:CATII


STIGID:NET-TUNL-012

Controls:ECSC-1


Severity:CATII


STIGID:NET0966

Controls:


Table420:NET-TUNL-012-Summaryresult

Device Type Status



5.101.2Description

Routinginthenetworkcontainingthetunnelentrypointmustbeconfiguredtodirecttheintendedtrafficintothetunnel.Dependingontherouterproductsusedthismaybedonebycreatingroutestoatunnelbyname,byaddress,orbyinterface.IfmultipletunnelsaredefinedorIPv6interfaces,youmustbeselectivewithstaticroutes,policybasedrouting,orevenlettheinteriorgatewayprotocol(IGP)makethedecisionsinceaipv4oripv6addresshasbeenconfiguredonthetunnel.ThekeyistheadministratorshouldcarefullyplanandconfigureorlettheIGPdeterminewhatgoesintoeachtunnel.

5.101.3Check

Identifythetunnelendpoints,thenreviewallroutingdevicestoensurethetunnelentrypointisnotusedasadefaultroute.Trafficdestinedtothetunnelshouldbedirectedtothetunnelendpointbystaticroutes,policybasedrouting,orbythemechanicsoftheinteriorroutingprotocol,butnotbydefaultroutestatements.

5.101.4Fix

TheSAmustcarefullyplanandconfigureorletIGPdeterminewhatgoesintoeachtunnel.


5.102V-19188-Controlplaneprotectionisnotenabled.

5.102.1Summary

Theroutermusthavecontrolplaneprotectionenabled.Table421providesasummaryresultofthefindings.

Table421:Controlplaneprotectionisnotenabled.-Summaryresult

Device Type Status



5.102.2Description

TheRouteProcessor(RP)iscriticaltoallnetworkoperationsasitisthecomponentusedtobuildallforwardingpathsforthedataplaneviacontrolplaneprocesses.Itisalsoinstrumentalwithongoingnetworkmanagementfunctionsthatkeeptheroutersandlinksavailableforprovidingnetworkservices.Hence,anydisruptiontotheRPorthecontrolandmanagementplanescanresultinmissioncriticalnetworkoutages.Inadditiontocontrolplaneandmanagementplanetrafficthatisintherouter’sreceivepath,theRPmustalsohandleothertrafficthatmustbepuntedtotheRP—thatis,thetrafficmustbefastorprocessswitched.Thisistheresultofpacketsthatmustbefragmented,requireanICMPresponse(TTLexpiration,unreachable,etc.)haveIPoptions,etc.ADoSattacktargetingtheRPcanbeperpetratedeitherinadvertentlyormaliciouslyinvolvinghighratesofpuntedtrafficresultinginexcessiveRPCPUandmemoryutilization.Tomaintainnetworkstability,theroutermustbeabletosecurelyhandlespecificcontrolplaneandmanagementplanetrafficthatisdestinedtoit,aswellasotherpuntedtraffic.Usingtheingressfilteronforwardinginterfacesisamethodthathasbeenusedinthepasttofilterbothforwardingpathandreceivingpathtraffic.However,thismethoddoesnotscalewellasthenumberofinterfacesgrowsandthesizeoftheingressfiltersgrow.ControlplanepolicingcanbeusedtoincreasesecurityofroutersandmultilayerswitchesbyprotectingtheRPfromunnecessaryormalicioustraffic.FilteringandratelimitingthetrafficflowofcontrolplanepacketscanbeimplementedtoprotectroutersagainstreconnaissanceandDoSattacksallowingthecontrolplanetomaintainpacketforwardingandprotocolstatesdespiteanattackorheavyloadontherouterormultilayerswitch.

5.102.3Check

ControlPlanePolicing(CoPP)

Ifsupportedbytherouter,CoPPshouldbeusedtoincreasesecurityonCiscoroutersbyprotectingtheRPfromunnecessaryandmalicioustraffic.CoPPallowsnetworkoperatorstoclassifytrafficbasedonimportancethatthenenablestheroutertofilterandratelimitthetrafficaccordingtothedefinedpolicyforeachclass.Step1:Verifytraffictypeshavebeenclassifiedbasedonimportancelevels.Thefollowingisanexampleconfiguration:class-mapmatch-allCoPP_CRITICALmatchaccess-groupnameCoPP_CRITICALclass-mapmatch-anyCoPP_IMPORTANTmatchaccess-groupnameCoPP_IMPORTANTmatchprotocolarpclass-mapmatch-allCoPP_NORMALmatchaccess-groupnameCoPP_NORMALclass-mapmatch-anyCoPP_UNDESIRABLEmatchaccess-groupnameCoPP_UNDESIRABLEclass-mapmatch-allCoPP_DEFAULTmatchaccess-groupnameCoPP_DEFAULTStep2:ReviewtheACLsreferencedbythematchaccess-groupcommandstodetermineifthetrafficisbeingclassifiedappropriately.Thefollowingisanexampleconfiguration:ipaccess-listextendedCoPP_CRITICALremarkourcontrolplaneadjacenciesarecriticalpermitospfhost[OSPFneighborA]anypermitospfhost[OSPFneighborB]anypermitpimhost[PIMneighborA]anypermitpimhost[PIMneighborB]anypermitpimhost[RPaddr]anypermitigmpany224.0.0.015.255.255.255permittcphost[BGPneighbor]eqbgphost[localBGPaddr]permittcphost[BGPneighbor]host[localBGPaddr]eqbgpdenyipanyanyipaccess-listextendedCoPP_IMPORTANTpermittcphost[TACACSserver]eqtacacsanypermittcp[managementsubnet]0.0.0.255anyeq22permitudphost[SNMPmanager]anyeqsnmppermitudphost[NTPserver]eqntpanydenyipanyanyipaccess-listextendedCoPP_NORMALremarkwewillwanttoratelimitICMPtrafficpermiticmpanyanyechopermiticmpanyanyecho-replypermiticmpanyanytime-exceededpermiticmpanyanyunreachabledenyipanyanyipaccess-listextendedCoPP_UNDESIRABLEremarkothermanagementplanetrafficthatshouldnotbereceivedpermitudpanyanyeqntppermitudpanyanyeqsnmptrappermittcpanyanyeq22permittcpanyanyeq23remarkothercontrolplanetrafficnotconfiguredonrouterpermiteigrpanyanypermitudpanyanyeqripdenyipanyanyipaccess-listextendedCoPP_DEFAULTpermitipanyany

Note:ExplicitlydefiningundesirabletrafficwithACLentriesenablesthenetworkoperatortocollectstatistics.ExcessiveARPpacketscanpotentiallymonopolizeRouteProcessorresources,starvingotherimportantprocesses.Currently,ARPistheonlyLayer2protocolthatcanbespecificallyclassifiedusingthematchprotocolcommand.Step3:Reviewthepolicy-maptodetermineifthetrafficisbeingpolicedappropriatelyforeachclassification.Thefollowingisanexampleconfiguration:

policy-mapCONTROL_PLANE_POLICYclassCoPP_CRITICALpolice5120008000conform-actiontransmitexceed-actiontransmit

Severity:CATIII


STIGID:NET-MCAST-010

Controls:


classCoPP_IMPORTANTpolice2560004000conform-actiontransmitexceed-actiondropclassCoPP_NORMALpolice1280002000conform-actiontransmitexceed-actiondropclassCoPP_UNDESIRABLEpolice80001000conform-actiondropexceed-actiondropclasscp-default-inpolice640001000conform-actiontransmitexceed-actiondrop

Step4:VerifythattheCoPPpolicyisenabled.Thefollowingisanexampleconfiguration:control-planeservice-policyinputCONTROL_PLANE_POLICY

Note:StartingwithIOSrelease12.4(4)T,ControlPlaneProtection(CPPr)canbeusedtofilteraswellaspolicecontrolplanetrafficdestinedtotheRP.CPPrisverysimilartoCoPPandhastheabilitytofilterandpolicetrafficusingfinergranularitybydividingtheaggregatecontrolplaneintothreeseparatecategories:(1)host,(2)transit,and(3)CEF-exception.Hence,aseparatepolicy-mapcouldbeconfiguredforeachtrafficcategory.

IfCoPPisnotsupported,thenthealternativewouldbetheimplementationofareceivepathfilter.Step1:AreceivepathACLoraninboundACLoneachinterfacemustbeconfiguredtorestricttrafficdestinedtotherouter.TheIOSIPReceiveACLfeatureprovidesfilteringcapabilityexplicitlyfortrafficthatisdestinedfortherouter.Verifythattheglobalipreceiveaclstatementhasbeenconfiguredasshowninthefollowingexample:ipreceiveacl199Note:Iftheplatformdoesnotsupporttheipreceivepathaclfeature,aninboundACLoneachinterfacemustbeconfigured.Step2:VerifythattheACLreferencedbytheipreceiveaclstatementrestrictsallcontrolplaneandmanagementplanetraffic.TheACLconfigurationshouldlooksimilartothefollowing:access-list199denyipanyanyfragmentsaccess-list199remarkallowspecificmanagementplanetrafficaccess-list199permittcp[managementsubnet]0.0.0.255anyeq22access-list199permitudphost[SNMPmanager]anyeqsnmpaccess-list199permittcphost[TACACSserver]eqtacacsanyaccess-list199permitudphost[NTPserver]eqntpanyaccess-list199permiticmp[managementsubnet]0.0.0.255anyaccess-list199remarkallowspecificcontrolplanetrafficaccess-list199permitospfhost[OSPFneighborA]anyaccess-list199permitospfhost[OSPFneighborB]anyaccess-list199permitpimhost[PIMneighborA]anyaccess-list199permitpimhost[PIMneighborB]anyaccess-list199permitpimhost[RPaddr]anyaccess-list199permitigmpany224.0.0.015.255.255.255access-list199permittcphost[BGPneighbor]eqbgphost[localBGPaddr]access-list199permittcphost[BGPneighbor]host[localBGPaddr]eqbgpaccess-list199remarkallothertrafficdestinedtothedeviceisdroppedaccess-list199denyipanyany

Note:IftheManagementPlaneProtection(MPP)featureisenabledforanOOBMinterface,therewouldbenopurposeinfilteringthistrafficonthereceivepath.WithMPPenabled,nointerfacesexceptthemanagementinterfacewillacceptnetworkmanagementtrafficdestinedtothedevice.Thisfeaturealsoprovidesthecapabilitytorestrictwhichmanagementprotocolsareallowed.SeeNET0992foradditionalconfigurationinformation.

5.102.4Fix

Implementcontrolplaneprotectionbyclassifyingtraffictypesbasedonimportancelevelsandconfigurefilterstorestrictandratelimitthetrafficpuntedtotherouteprocessorasaccordingtoeachclass.


5.103V-19189-NoAdmin-localorSite-localboundary

5.103.1Summary

TheadministratormustensurethatmulticastroutersareconfiguredtoestablishboundariesforAdmin-localorSite-localscopemulticasttraffic.Table422providesasummaryresultofthefindings.

Table422:NoAdmin-localorSite-localboundary-Summaryresult

Device Type Status



5.103.2Description

Ascopezoneisaninstanceofaconnectedregionofagivenscope.Zonesofthesamescopecannotoverlapwhilezonesofasmallerscopewillfitcompletelywithinazoneofalargerscope.Forexample,Admin-localscopeissmallerthanSite-localscope,sotheadministrativelyconfiguredboundaryfitswithintheboundsofasite.AccordingtoRFC4007IPv6ScopedAddressArchitecture(section5),scopezonesarealsorequiredtobe"convexfromaroutingperspective"-thatis,packetsroutedwithinazonemustnotpassthroughanylinksthatareoutsideofthezone.Thisrequirementforceseachzonetobeonecontiguousislandratherthanaseriesofseparateislands.AsstatedintheDoDIPv6IAGuidanceforMO3,"Oneshouldbeabletoidentifyallinterfacesofazonebydrawingaclosedloopontheirnetworkdiagram,engulfingsomeroutersandpassingthroughsomerouterstoincludeonlysomeoftheirinterfaces."Administrativescopedmulticastaddressesarelocallyassignedandaretobeusedexclusivelybytheenterprisenetworkorenclave.Hence,administrativescopedmulticasttrafficmustnotcrosstheperimeteroftheenclaveineitherdirection.Admin-localscopecouldbeusedtocontainmulticasttraffictoaportionofanenclaveorwithinasite.Thiscanmakeitmoredifficultforamalicioususertoaccesssensitivetrafficifthetrafficisrestrictedtolinksthattheuserdoesnothaveaccessto.Admin-localscopeisencouragedforanymulticasttrafficwithinanetworkthatisintendedfornetworkmanagementaswellascontrolplanetrafficthatmustreachbeyondlink-localdestinations.

5.103.3Check

AnadministrativelyscopedIPmulticastregionisdefinedtobeatopologicalregioninwhichthereareoneormoreboundaryrouterswithcommonboundarydefinitions.Sucharouterissaidtobeaboundaryformulticastscopedaddressesintherangedefinedinitsconfiguration.Inordertosupportadministrativelyscopedmulticast,amulticastboundaryrouterwilldropmulticasttrafficmatchinganinterface'sboundarydefinitionineitherdirection.TheIPv4administrativescopedmulticastaddressspaceis239/8whichisdividedintotwoscopelevels:theLocalScopeandOrganizationLocalScope.TheLocalScoperangeis239.255.0.0/16andcanexpandintothereservedranges239.254.0.0/16and239.253.0.0/16if239.255.0.0/16isexhausted.TheIPv4OrganizationLocalScopeis239.192.0.0/14isthespacefromwhichanorganizationshouldallocatesub-rangeswhendefiningscopesforprivateuse.Thisscopecanbeexpandedto239.128.0.0/10,239.64.0.0/10,and239.0.0.0/10ifnecessary.ThescopeofIPv6multicastpacketsaredeterminedbythescopevaluewhere4(ffx4::/16)isAdmin-local,5(ffx5::/16)isSite-local,and8(ffx8::/16)isOrganization-local.ReviewthemulticasttopologytodetermineanydocumentedAdmin-local(scope=4)orSite-local(scope=5)multicastboundariesforIPv6trafficoranyLocal-scope(addressblock239.255.0.0/16)boundaryforIPv4traffic.Verifythatappropriateboundariesareconfiguredontheapplicablemulticast-enabledinterfaces.IPv4:ThefollowingexamplewillestablishamulticastboundaryontheinterfacetoensurethatLocal-scopetrafficisnotallowedintooroutoftheadministrativelyscopedIPv4multicastregion:ipmulticast-routing!interfaceFastEthernet0/1descriptionBoundaryformulticastregionAipaddress198.18.0.1255.255.255.0ippimsparse-modeipmulticastboundaryMCAST_ADMIN_SCOPED_BOUNDARY!ipaccess-liststandardMCAST_ADMIN_SCOPED_BOUNDARYdeny239.255.0.00.255.255.255permit224.0.0.015.255.255.255!Note:ThefilterusedbymulticastboundarycommandwilleffectmulticasttrafficoutsideoftheadministrativelyscopedIPv4multicastspace.IfOrganizationLocalScopetrafficmustcrossthissiteboundary,includethenecessarypermitstatementfromthisaddressrange(239.192.0.0255.252.0.0).Toallowglobalmulticasttraffictopassbythisboundary,ensurethatthefilterwillpermittheglobaladdressspace(224.0.1.0-238.255.255.255)iftheenclavehasdeployedinter-domainmulticastrouting.

IPv6:ThefollowingexamplewillestablishamulticastboundaryontheinterfacetoensurethatSite-localscopetrafficisnotallowedintooroutoftheadministrativelyscopedIPv6multicastregion:ipv6multicast-routing!interfaceFastEthernet0/1descriptionlinktoSiteAipv6address2001:1:0:146::/64eui-64ipv6multicastboundaryscope5Note:Filteringthescopevalueof5willensurethatanymulticasttrafficreceivedbytheinterfaceineitherdirectionwithascopeequaltoorlessthan5(Site-local)willbedropped.Hence,allSite-localandAdmin-localtrafficwillbedroppedwhileallowingOrganization-local(scope=8)andglobalmulticasttraffic(scope=14)tobeforwardedforaninter-siteaswellasinter-domainmulticastroutingdeployment.

Severity:CATIII


STIGID:NET0812

Controls:


5.103.4Fix

LocalScoperangeis239.255.0.0/16andcanexpandintothereservedranges239.254.0.0/16and239.253.0.0/16if239.255.0.0/16isexhausted.ThescopeofIPv6multicastpacketsaredeterminedbythescopevaluewhere4isAdmin-localand5isSite-local.Configurethenecessaryboundarytoensurepacketsaddressedtotheseadministrativelyscopedmulticastaddressesdonotcrosstheapplicableadministrativeboundaries.


5.104V-23747-TwoNTPserversarenotusedtosynchronizetime.

5.104.1Summary

ThenetworkelementmustusetwoormoreNTPserverstosynchronizetime.Table423providesasummaryresultofthefindings.

Table423:TwoNTPserversarenotusedtosynchronizetime.-Summaryresult

Device Type Status



5.104.2Description

Withoutsynchronizedtime,accuratelycorrelatinginformationbetweendevicesbecomesdifficult,ifnotimpossible.Ifyoucannotsuccessfullycomparelogsbetweeneachofyourrouters,switches,andfirewalls,itwillbeverydifficulttodeterminetheexacteventsthatresultedinanetworkbreachincident.NTPprovidesanefficientandscalablemethodfornetworkelementstosynchronizetoanaccuratetimesource.

5.104.3Check

ReviewtherouterorswitchconfigurationandverifythattwoNTPservershavebeendefinedtosynchronizetimesimilartothefollowingexample:ntpupdate-calendarntpserver129.237.32.6ntpserver129.237.32.7Someplatformshaveabattery-poweredhardwareclock,referredtointhecommand-lineinterface(CLI)asthe"calendar,"inadditiontothesoftwarebasedsystemclock.Thehardwareclockrunscontinuously,eveniftherouterispoweredofforrebooted.IfthesoftwareclockissynchronizedtoanoutsidetimesourceviaNTP,itisagoodpracticetoperiodicallyupdatethehardwareclockwiththetimelearnedfromNTP.Otherwise,thehardwareclockwilltendtograduallyloseorgaintime(drift)andthesoftwareclockandhardwareclockmaybecomeoutofsynchronizationwitheachother.Thentpupdate-calendarcommandwillenablethehardwareclocktobeperiodicallyupdatedwiththetimespecifiedbytheNTPsource.ThehardwareclockwillbeupdatedonlyifNTPhassynchronizedtoanauthoritativetimeserver.Toforceasingleupdateofthehardwareclockfromthesoftwareclock,usetheclockupdate-calendarcommandinuserEXECmode.Note:Lowerendroutermodels(i.e.,2500series)andaccessswitches(i.e.2950,2970,etc)donothavehardwareclocks,sothiscommandisnotavailableonthoseplatforms.AnyNTP-enableddevicethatreceivesandacceptstimefromastratum-nservercanbecomeastratum-n+1server.However,anNTP-enableddevicewillnotaccepttimeupdatesfromanNTPserveratahigherstratum;therebyenforcingatree-levelhierarchyofclient-serverrelationshipsandpreventingtimesynchronizationloops.Toincreaseavailability,NTPpeeringcanbeusedbetweenNTPservers.Hencethefollowingexampleconfigurationcouldbeusedtoprovidethenecessaryredundancy:ntpupdate-calendarntpserver129.237.32.6ntppeer129.237.32.7AlternativetoqueryinganNTPserverfortimeistoreceiveNTPupdatesviaserverthatisbroadcastingormulticastingthetimeupdatemessages.ThefollowinginterfacecommandwouldbeconfiguredtoreceiveanNTPbroadcastmessage:ntpbroadcastclientTheabovecommandmustbeconfiguredontwointerfacesortheremustbetwoNTPserversonthesameLANsegmentbroadcastingNTPmessages.ThefollowinginterfacecommandwouldbeconfiguredtoreceiveanNTPmulticastmessage:ntpmulticastclient239.x.x.xFormulticast,twodifferentadministrativelyscopedmulticastgroupscanbeused—oneforeachNTPserver.Inaddition,therouterorMLSmustalsohaveippimdense-modeconfiguredontheinterfaceaswellasglobalipmulticast-routing.

5.104.4Fix

Severity:CATII


STIGID:NET0405

Controls:


Severity:CATII



Controls:


ConfigurethedevicetousetwoseparateNTPservers.


5.105V-28784-Callhomeserviceisdisabled.

5.105.1Summary

Aserviceorfeaturethatcallshometothevendormustbedisabled.Table424providesasummaryresultofthefindings.

Table424:Callhomeserviceisdisabled.-Summaryresult

Device Type Status



5.105.2Description

Callhomeservicesorfeatureswillroutinelysenddatasuchasconfigurationanddiagnosticinformationtothevendorforroutineoremergencyanalysisandtroubleshooting.Theriskthattransmissionofsensitivedatasenttounauthorizedpersonscouldresultindatalossordowntimeduetoanattack.

5.105.3Findings

Table425detailsthecallhomeservicestatus.

Table425:STIGNET0405-CallHomeServiceStatus

Device CallHomeService

router03 Disabled

CiscoIOS15 Disabled

5.105.4Check

Verifythecallhomeserviceorfeatureisdisabledonthedevice.OnaCiscoproduct,youwillnotseethecall-homeserviceintherunningconfigunlessit'senabled.

5.105.5Fix

Configurethenetworkdevicetodisablethecallhomeserviceorfeature.Thecommandbelowwilldisablethecall-homeserviceonaCiscodevice.Example:hostname(config)#noservicecall-home


5.106V-30577-PIMenabledonwronginterfaces

5.106.1Summary

TheadministratormustensurethatProtocolIndependentMulticast(PIM)isdisabledonallinterfacesthatarenotrequiredtosupportmulticastrouting.Table426providesasummaryresultofthefindings.

Table426:PIMenabledonwronginterfaces-Summaryresult

Device Type Status



5.106.2Description

Ascopezoneisaninstanceofaconnectedregionofagivenscope.Zonesofthesamescopecannotoverlapwhilezonesofasmallerscopewillfitcompletely

Severity:CATII



Controls:


withinazoneofalargerscope.Forexample,Admin-localscopeissmallerthanSite-localscope,sotheadministrativelyconfiguredboundaryfitswithintheboundsofasite.AccordingtoRFC4007IPv6ScopedAddressArchitecture(section5),scopezonesarealsorequiredtobe“convexfromaroutingperspective”—thatis,packetsroutedwithinazonemustnotpassthroughanylinksthatareoutsideofthezone.Thisrequirementforceseachzonetobeonecontiguousislandratherthanaseriesofseparateislands.AsstatedintheDoDIPv6IAGuidanceforMO3,“Oneshouldbeabletoidentifyallinterfacesofazonebydrawingaclosedloopontheirnetworkdiagram,engulfingsomeroutersandpassingthroughsomerouterstoincludeonlysomeoftheirinterfaces.”Hence,itisimperativethatthenetworkhasdocumentedtheirmulticasttopologyandtherebyknowswhichinterfacesareenabledformulticast.Once,thisisdone,thezonescanbescopedasrequired.

5.106.3Check

IfIPv4orIPv6multicastroutingisenabled,ensurethatallinterfacesenabledforPIMisdocumentedinthenetwork’smulticasttopologydiagram.Reviewtherouterormulti-layerswitchconfigurationtodetermineifmulticastroutingisenabledandwhatinterfacesareenabledforPIM.Step1:Determineifmulticastroutingisenabled.Bydefault,multicastisdisabledglobally.ThefollowingglobalconfigurationcommandswillenableIPv4andIPv6multicastrouting:ipmulticast-routingipv6multicast-routingStep2:PIMisenabledonaninterfacewitheitherofthefollowingcommands:ippimsparse-mode,ippimdense-mode,ippimsparse-dense-mode.ReviewallinterfaceconfigurationsandverifythatonlytherequiredinterfacesareenabledforPIMasdocumentedinthenetworktopologydiagram.WithIPv4,PIMisdisabledbydefaultonallinterfaces.FollowingisanexampleofaninterfacewithPIMenabled.interfaceFastEthernet0/0ipaddress192.168.1.1255.255.255.0ippimsparse-modeYoucanalsoverifywhatIPv4interfacesareenabledforPIMwiththeshowippiminterfacecommand.WithIPv6,PIMisenabledbydefaultonallIPv6-enabledinterfacesifIPv6multicastroutingisenabledontherouterviatheglobalipv6multicast-routingcommand.AninterfacecanbedisabledforPIMusingthenoipv6piminterfacecommand.interfaceFastEthernet0/1ipv6address2001:1:0:146::/64eui-64noipv6pimYoucanalsoverifywhatipv6interfacesareenabledforPIMwiththeshowipv6piminterfacecommand.

5.106.4Fix

IfIPv4orIPv6multicastroutingisenabled,ensurethatallinterfacesenabledforPIMisdocumentedinthenetwork’smulticasttopologydiagram.EnablePIMonlyontheapplicableinterfacesaccordingtothemulticasttopologydiagram.


5.107V-30578-PIMneighborfilterisnotconfigured

5.107.1Summary

TheadministratormustensurethataPIMneighborfilterisboundtoallinterfacesthathavePIMenabled.Table427providesasummaryresultofthefindings.

Table427:PIMneighborfilterisnotconfigured-Summaryresult

Device Type Status



5.107.2Description

ProtocolIndependentMulticast(PIM)isaroutingprotocolusedtobuildmulticastdistributiontressforforwardingmulticasttrafficacrossthenetworkinfrastructure.PIMtrafficmustbelimitedtoonlyknownPIMneighborsbyconfiguringandbindingaPIMneighborfiltertothoseinterfacesthathavePIMenabled.

5.107.3Check

Reviewtherouterormulti-layerswitchtodetermineifeitherIPv4orIPv6multicastroutingisenabled.Ifeitherisenabled,verifythatallinterfacesenabledforPIMhasaneighborfiltertoonlyacceptPIMcontrolplanetrafficfromthedocumentedroutersaccordingtothemulticasttopologydiagram.

Severity:CATIII



Controls:


IPv4Step1:VerifythatanACLisconfiguredthatwillspecifytheallowablePIMneighborssimilartothefollowingexample:ipaccess-liststandardPIM_NEIGHBORSpermit192.0.2.1permit192.0.2.3denyanylog

Step2:Verifythatapimneighbor-filtercommandisconfiguredonallPIM-enabledinterfacesthatisreferencingthePIMneighborACLsimilartothefollowingexample:interfaceFastEthernet0/3ipaddress192.0.2.2255.255.255.0ippimsparse-modeippimneighbor-filterPIM_NEIGHBORS

IPv6Step1:VerifythatanACLisconfiguredthatwillspecifytheallowablePIMneighborssimilartothefollowingexample:ipv6access-listPIM_NEIGHBORSpermithostFE80::1anypermithostFE80::3anydenyanyanylogNote:IPv6PIMadjacenenciesarecreatedusingtherouterunicastlink-localaddressesStep2:Verifythatapimneighbor-filterglobalcommandisconfiguredipv6pimneighbor-filterlistPIM_NEIGHBORS

5.107.4Fix

IfIPv4orIPv6multicastroutingisenabled,ensurethatallinterfacesenabledforPIMhasaneighborfiltertoonlyacceptPIMcontrolplanetrafficfromthedocumentedroutersaccordingtothemulticasttopologydiagram.


5.108V-30585-Invalidgroupusedforsourcespecificmulticast

5.108.1Summary

Theadministratormustensurethatmulticastgroupsusedforsourcespecificmulticast(SSM)routingarefromthespecificmulticastaddressspacereservedforthispurpose.Table428providesasummaryresultofthefindings.

Table428:Invalidgroupusedforsourcespecificmulticast-Summaryresult

Device Type Status



5.108.2Description

Packetoriginisaconcernbecauseunauthorizedsourcescouldpotentiallysendmulticastdatatoagroup,usinganysourceaddressthatispermitted.TheunauthorizeddatacouldimpacttheintegrityofthenodesreceivingthedataorcouldcreateaDoScondition.AreceiverthatsubscribestoanSSMchannelonlyreceivesdatafromtherequestedsource.Sinceachannelisspecifictoasource,onlythatsourcecantransmitonthatchannel.Hence,theSSMmodelprovidesmorepacketoriginprotectionthanASM.Toensurethatthesubscriberisjoininganauthorizedorknownmulticastgroupandsourceaddresspair,itisimperativethatthegroupisfromthereservedmulticastaddressspaceasafirststepmeasure.

5.108.3Check

IANAhasreservedtheaddressrange232.0.0.0through232.255.255.255forSSMapplicationsandprotocols.However,CiscoIOSallowsSSMconfigurationforanarbitrarysubsetoftheIPmulticastaddressrange224.0.0.0through239.255.255.255.

IfIPv4orIPv6multicastroutingisenabled,determineifgimpversion3orMLDversion2isenabledforIPv4andIPv6respectively.Ifenabled,thenPIM-SSMisalsoenabled.Hence,youmustverifythatonlytheIANAreservedSSMrangeofaddressesisusedforthisimplementation.TheSSMaddressrangeis232.0.0.0/8andFF3x::/32forIPv4andIPv6respectively.Step1:Determineifmulticastroutingisenabled.Bydefault,multicastisdisabledglobally.ThefollowingglobalconfigurationcommandswillenableIPv4andIPv6multicastrouting:ipmulticast-routingipv6multicast-routingIfmulticastroutingisnotenabled,thisvulnerabilityisnotapplicable.Step2:IPv4CheckinterfaceconnectedtomulticastsubscriberstodetermineifIGMPv3isenabled.Thisisrequiredforsubscriberstojoinaspecificsource.Thefollowingipv4interfaceconfigurationwouldlookasfollows:ipigmpversion3oripigmpv3liteIfIGMPv3isnotenabledforIPv4multicast,thisvulnerabilityisnotapplicable.IPv6MLDisautomaticallyenabledonaninterfacewhenIPv6PIMisenabledonaninterface.WithIPv6,PIMisenabledbydefaultonallIPv6-enabledinterfacesifIPv6multicastroutingisenabledontherouterviatheglobalipv6multicast-routingcommand.AninterfacecanbedisabledforPIMusingthenoipv6piminterfacecommand.MLDcanalsobedisabledonIPv6PIM-enabledinterfaceswiththenoipv6mldrouterinterfacecommand.FollowingisanexampleoftwoIPv6-enabledinterfaces.interfaceFastEthernet0/1ipv6address2001:1:0:146::/64eui-64interfaceFastEthernet0/2ipv6enableMLDv2isthedefaultwithcurrentreleasesofIOS.InsomereleasesofIOS,theipv6mldversioncommandisnotavailable.YoucanverifytheversionofMLDinterfacesviashowipv6mldinterfacecommand.IfMLDv2isnotenabledforIPv6multicast,thisvulnerabilityisnotapplicable.Step3:VerifythattheappropriatemulticastgroupsareusedforSSM.IPv4Thefollowingconfigurationwillallowallofthemulticastgroups232/8reservedforSSM:ippimssmdefaultorThefollowingconfigurationwillonlyallowmulticastgroups232.4.0.0/24access-list4permit232.4.0.00.0.0.255ippimssmrange4Note:Ifarangeisconfiguredasintheexampleshownabove,ensurethattherangeiswithintheIANAreservedrangeforSSMgroups.

IPv6ThefollowingconfigurationwillallowallofthemulticastgroupsFF3x::/32reservedforSSMwherexisanyvalidscopevalue:ipv6pimssmdefaultorThefollowingconfigurationwillonlyallowmulticastgroupswiththeff3e::1:0:0/96range:ipv6access-listSSM_RANGEpermitanyff3e::1:0:0/96

Severity:CATIII


STIGID:NET-IPV6-059

Controls:


Severity:CATII


STIGID:NET-IPV6-065

Controls:


ipv6pimssmrangeSSM_RANGE

5.108.4Fix

IfIGMPversion3orMLDversion2isenabledforIPv4andIPv6multicastrespectively,thenPIM-SSMisalsoenabled.Hence,youmustconfiguretheroutersothatonlytheIANAreservedSSMrangeofaddressescanbeusedforthisimplementation.TheSSMaddressrangeis232.0.0.0/8andFF3x::/32forIPv4andIPv6respectively.


5.109V-30617-Maximumhoplimitislessthan32

5.109.1Summary

Theadministratormustensurethatthemaximumhoplimitisatleast32.Table429providesasummaryresultofthefindings.

Table429:Maximumhoplimitislessthan32-Summaryresult

Device Type Status



5.109.2Description

TheNeighborDiscoveryprotocolallowsahoplimitvaluetobeadvertisedbyroutersinaRouterAdvertisementmessagetobeusedbyhostsinsteadofthestandardizeddefaultvalue.IfaverysmallvaluewasconfiguredandadvertisedtohostsontheLANsegment,communicationswouldfailduetohoplimitreachingzerobeforethepacketssentbyahostreacheditsdestination.

5.109.3Findings

router03

NipperStudiodeterminedthatmaximumhoplimitonrouter03wassetto64.

CiscoIOS15

NipperStudiodeterminedthatmaximumhoplimitonCiscoIOS15wassetto64.

5.109.4Check

ThemaximumnumberofhopsusedinrouteradvertisementsandallIPv6packetsthatareoriginatedbytheroutercanbesetusingtheipv6hop-limitcommandinglobalconfigurationmode.Reviewtherouterormulti-layerswitchconfigurationtodetermineifthemaximumhoplimithasbeenconfigured.Ifithasbeenconfigured,thenitmustbesettoatleast32.Thefollowingglobalcommandsetsthemaxhoplimitto128:ipv6hop-limit128Note:TheIOSdefaultis64.Hence,ifthehoplimitisnotconfigured,therouterwillbeincompliancewiththerequirement.

5.109.5Fix

Configuremaximumhoplimittoatleast32.


5.110V-30660-The6-to-4routerisnotfilteringprotocol41

5.110.1Summary

Theadministratormustensurethe6-to-4routerisconfiguredtodropanyIPv4packetswithprotocol41receivedfromtheinternalnetwork.Table430providesasummaryresultofthefindings.

Table430:The6-to-4routerisnotfilteringprotocol41-Summaryresult

Device Type Status



Severity:CATIII


STIGID:NET-IPV6-066

Controls:


5.110.2Description

The6to4specificfiltersaccomplishtheroleofendpointverificationandprovideassurancethatthetunnelsarebeingusedproperly.Thisprimaryguidanceassumesthatonlythedesignated6to4routerisallowedtoformtunnelpackets.Iftheyarebeingformedinsideanenclaveandpassedtothe6to4router,theyaresuspiciousandmustbedropped.InaccordancewithDoDIPv6IAGuidanceforMO3(S5-C7-8),packetsassuchmustbedroppedandloggedasasecurityevent.

5.110.3Findings

router03


CiscoIOS15


5.110.4Check

Iftherouterisfunctioningasa6to4router,verifythatthereisanegressfilter(inboundontheinternal-facinginterface)todropanyoutboundIPv4packetsthataretunnelingIPv6packets.Step1:Determineiftherouterisfunctioningasa6to4router.Youshouldfindatunnelconfigurationsimilartothefollowingexample:interfaceTunnel0noipaddressnoipredirectsipv6address2000:C0A8:6301::1/64tunnelsourceFastEthernet0/1tunnelmodeipv6ip6to4!…ipv6route2002::/16Tunnel0Step2:Verifythatthereisanegressfilter(inboundontheinternal-facinginterface)todropanyoutboundIPv4packetsthataretunnelingIPv6packets.Youshouldfindaconfigurationsimilartothefollowingexample:interfaceFastEthernet0/1descriptioninternallinkipaddress192.168.1.1255.255.255.0ipv6address6TO4PREFIX::1:0:0:0:1/64ipaccess-groupIPV4_EGRESS_FILTERin!ipaccess-listextendedIPV4_EGRESS_FILTERremarkonlythis6to4routercantunnelIPv6trafficdeny41anyanylog……Note:normallyyouwouldwanttoconfiguretheinternalinterfacefora6to4routerasdualstack.HoweverIPv6onlyispossibleandifconfiguredassuch,havinganIPv4ACLisirrelevantsincetheinterfacewillnotacceptanyIPv4packets.

5.110.5Fix

Iftherouterisfunctioningasa6to4router,configureanegressfilter(inboundontheinternal-facinginterface)todropanyoutboundIPv4packetsthataretunnelingIPv6packets.


5.111V-30736-6-to-4routernotfilteringinvalidsourceaddress

5.111.1Summary

Theadministratormustensurethe6-to-4routerisconfiguredtodropanyoutboundIPv6packetsfromtheinternalnetworkwithasourceaddressthatisnotwithinthe6to4prefix2002:V4ADDR::/48whereV4ADDRisthedesignatedIPv46to4addressfortheenclave.Table431providesasummaryresultofthefindings.

Table431:6-to-4routernotfilteringinvalidsourceaddress-Summaryresult

Device Type Status



Severity:CATII


STIGID:NET-TUNL-034

Controls:


5.111.2Description

Anautomatic6to4tunnelallowsisolatedIPv6domainstobeconnectedoveranIPv4networkandallowsconnectionstoremoteIPv6networks.ThekeydifferencebetweenthisdeploymentandmanuallyconfiguredtunnelsisthattheroutersarenotconfiguredinpairsandthusdonotrequiremanualconfigurationbecausetheytreattheIPv4infrastructureasavirtualnon-broadcastlink,usinganIPv4addressembeddedintheIPv6addresstofindtheremoteendofthetunnel.Inotherwords,thetunneldestinationisdeterminedbytheIPv4addressoftheexternalinterfaceofthe6to4routerthatisconcatenatedtothe2002::/16prefixintheformat2002:V4ADDR::/48.Hence,theimbeddedV4ADDRofthe6to4prefixmustbelongtothesameipv4prefixasconfiguredontheexternal-facinginterfaceofthe6to4router.

5.111.3Findings

router03


CiscoIOS15


5.111.4Check

Iftherouterisfunctioningasa6to4router,verifythatanegressfilter(inboundontheinternal-facinginterface)hasbeenconfiguredtodropanyoutboundIPv6packetsfromtheinternalnetworkwithasourceaddressthatisnotwithinthe6to4prefix2002:V4ADDR::/48whereV4ADDRisthedesignatedIPv46to4addressfortheenclave.Theexamplesbelowareusing2002:c612:1::/48wherec612:1mapsto198.18.0.1whichistheimbeddedV4ADDR.Thesubnetinthisexampleis2002:c612:1:1::/64.TheIPV6ACLwillfilterthesourceaddressoftheIPv6packetsbeforetheyareforwardedtothe6to4tunnel.

ipv6general-prefix6TO4_PREFIX6to4FastEthernet0/1!interfaceTunnel0ipv6address2000:c0a8:6301::1/64tunnelsourceFastEthernet0/0tunnelmodeipv6ip6to4!interfaceFastEthernet0/0ipaddress10.1.12.1255.255.255.0ipv6address6TO4_PREFIX::1:0:0:0:1/64ipv6traffic-filterIPV6_EGRESS_FILTERin!interfaceFastEthernet0/1descriptionDISNCOREfacingipaddress198.18.0.1255.255.255.0!ipv6route2002::/16Tunnel0!ipv6access-listIPV6_EGRESS_FILTERpermitipv62002:C612:1::/48anydenyipv6anyanylogNote:normallyyouwouldwanttoconfiguretheinternalinterfacedualstack,allthoughIPv6onlyispossible.

5.111.5Fix

Iftherouterisfunctioningasa6to4router,configureanegressfilter(inboundontheinternal-facinginterface)todropanyoutboundIPv6packetsfromtheinternalnetworkwithasourceaddressthatisnotwithinthe6to4prefix2002:V4ADDR::/48whereV4ADDRisthedesignatedIPv46to4addressfortheenclave.


5.112V-30744-L2TPv3sessionsarenotauthenticated

5.112.1Summary

TheadministratormustensurethethatallL2TPv3sessionsareauthenticatedpriortotransportingtraffic.Table432providesasummaryresultofthefindings.

Device Type Status



Severity:CATII


STIGID:NET0408

Controls:ECSC-1

Responsibility:

Table432:L2TPv3sessionsarenotauthenticated-Summaryresult

5.112.2Description

L2TPv3sessionscanbeusedtotransportlayer-2protocolsacrossanIPbackbone.Theseprotocolswereintendedforlink-localscopeonlyandarethereforelessdefendedandnotaswell-known.AsstatedinDoDIPv6IAGuidanceforMO3(S4-C7-1),theL2TPtunnelscanalsocarryIPpacketsthatareverydifficulttofilterbecauseoftheadditionalencapsulation.Hence,itisimperativethatL2TPsessionsareauthenticatedpriortotransportingtraffic.

5.112.3Findings

router03

NipperStudiodeterminedthatnoLayer2TunnelingProtocolversion3(L2TPv3)pseudowirehasbeenconfiguredonrouter03.

CiscoIOS15

NipperStudiodeterminedthatnoL2TPv3pseudowirehasbeenconfiguredonCiscoIOS15.

5.112.4Check

Reviewtherouterormulti-layerswitchconfigurationanddetermineifL2TPv3hasbeenconfiguredtoprovidetransportacrossanIPnetwork.Ifithasbeenconfigured,verifythattheL2TPv3sessionrequiresauthentication.Step1:DetermineifanL2TPv3pseudowireisconfiguredonaninterfacewhichwilllooksimilartothefollowingconfiguration:pseudowire-classL2TPV3encapsulationl2tpv3iplocalinterfaceLoopback0!interfaceLoopback0ipaddress1.1.1.1255.255.255.255!interfaceFastEthernet0/0xconnect5.5.5.51encapsulationl2tpv3pw-classL2TPV3Ifyoudonotseeaconfigurationsimilartotheoneabove,thenthisvulnerabilityisnotapplicable.Otherwise,proceedtostep2.Step2:Verifythatthel2tp-classglobalcommandhasbeenconfiguredwithauthenticationasshowninthefollowingexample.l2tp-classL2TP_CLASSauthenticationpassword7011E1F145A1815182E5E4ANote:Ifapasswordisnotconfiguredinthel2tp-classcommandthepasswordassociatedwiththeremotepeerrouteristakenfromthevalueenteredwiththeglobalusernamehostnamepasswordvalue.Note:Layer2ForwardingorL2F(RFC2341),whichisthe"version1",andL2TPv2(RFC2661)areusedforremoteaccessservicesbasedontheVirtualPrivateDial-upNetwork(VPDN)model—notfortunnelingIPpacketsacrossabackboneaswithL2TPv3.WiththeVPDNmodel,auserobtainsalayer-2connectiontoaRASusingdialupPSTNorISDNserviceandthenestablishesaPPPsessionoverthatconnection.TheL2terminationandPPPsessionendpointsresideontheRAS.L2TPextendsthePPPmodelbyallowingtheL2andPPPendpointstoresideondifferentdevicesthatareinterconnectedbyabackbonenetwork.AremoteaccessclienthasanL2connectiontoanL2TPAccessConcentrator(LAC)thattunnelsPPPframesacrosstheIPbackbonetotheL2TPNetworkServer(LNS)residingintheprivatenetwork.

5.112.5Fix

ConfigureL2TPv3touseauthenticationforanypeeringsessions.


5.113V-31285-BGPmustauthenticateallpeers.

5.113.1Summary

ThenetworkelementmustauthenticateallBGPpeerswithinthesameorbetweenautonomoussystems(AS).Table433providesasummaryresultofthefindings.

Table433:BGPmustauthenticateallpeers.-Summaryresult

Device Type Status



5.113.2Description

AsspecifiedinRFC793,TCPutilizessequencecheckingtoensureproperorderingofreceivedpackets.RFC793alsospecifiesthatRST(reset)controlflagsshouldbeprocessedimmediately,withoutwaitingforoutofsequencepacketstoarrive.RFC793alsorequiresthatsequencenumbersarecheckedagainstthewindowsizebeforeacceptingdataorcontrolflagsasvalid.ArouterreceivinganRSTsegmentwillclosetheTCPsessionwiththeBGPpeerthatisbeingspoofed;thereby,purgingallrouteslearnedfromthatBGPneighbor.ARSTsegmentisvalidaslongasthesequencenumberiswithinthewindow.TheTCPresetattackismadepossibleduetotherequirementsthatResetflagsshouldbeprocessedimmediatelyandthataTCPendpointmustacceptoutoforderpacketsthatarewithintherangeofawindowsize.Thisreducesthenumberofsequencenumberguessestheattackmustmakebyafactorequivalenttotheactivewindowsize.Eachsequencenumberguessmadebytheattackercanbesimplyincrementedbythereceivingconnectionswindowsize.TheBGPpeeringsessioncanprotectitselfagainstsuchanattackbyauthenticatingeachTCPsegment.TheTCPheaderoptionsincludeanMD5signatureineverypacketandarecheckedpriortotheacceptanceandprocessingofanyTCPpacket—includingRSTflags.Onewaytocreatehavocinanetworkistoadvertisebogusroutestoanetwork.ArogueroutercouldsendafictitiousroutingupdatetoconvinceaBGProutertosendtraffictoanincorrectorroguedestination.Thisdivertedtrafficcouldbeanalyzedtolearnconfidentialinformationofthesite’snetwork,ormerelyusedtodisruptthenetwork’sabilitytoeffectivelycommunicatewithothernetworks.AnautonomoussystemcanadvertiseincorrectinformationbysendingBGPupdatesmessagestoroutersinaneighboringAS.AmaliciousAScanadvertiseaprefixoriginatedfromanotherASandclaimthatitistheoriginator(prefixhijacking).NeighboringautonomoussystemsreceivingthisannouncementwillbelievethatthemaliciousASistheprefixownerandroutepacketstoit.

5.113.3Check

Reviewtherouterconfigurationtodetermineifauthenticationisbeingusedforallpeers.ApasswordshouldbedefinedforeachBGPneighborregardlessoftheautonomoussystemthepeerbelongsasshowninthefollowingexample:outerbgp100neighborexternal-peerspeer-groupneighbor171.69.232.90remote-as200neighbor171.69.232.90peer-groupexternal-peersneighbor171.69.232.100remote-as300neighbor171.69.232.100peer-groupexternal-peersneighbor171.69.232.90passwordxxxxxxxxxxneighbor171.69.232.100passwordxxxxxxxxxx

5.113.4Fix

ConfigurethedevicetoauthenticateallBGPpeers.


5.114Conclusions

NipperStudioperformedaDoDSTIGcomplianceauditon2March2017ofthedeviceandSTIGsdetailedinTable434.ThehighestratedSTIGcompliancefailurewasaCATI.

Table434:DISASTIGdevicecompliancesummary

Name STIG Version IPass IFail IMan IIPass IIFail IIMan IIIPass IIIFail IIIMan

router03 InfrastructureL3SwitchSecureTechnicalImplementationGuide-

Cisco

8Release21

(28/10/2016)

4 3 4 17 12 34 7 11 16

CiscoIOS15 InfrastructureRouterSecurityTechnicalImplementationGuideCisco 8Release21

(28/10/2016)

5 2 3 20 4 24 16 3 10

STIGCATIchecksareforthosevulnerabilitieswhichifexploitationwill,directlyandimmediatelyresultinlossofconfidentiality,availability,orintegrity.AnATOwillnotbegrantedwhileCATIweaknessesarepresentforadevice.TherewereelevenchecksthathadbeenclassedasCATI.

NipperStudioidentifiedfiveCATIcompliancechecksthatFAILED.Thesecompliancefailureswere:

V-3062-Passwordsareviewablewhendisplayingtheconfig.(failedonrouter03,CiscoIOS15);V-3196-AninsecureversionofSNMPisbeingused.(failedonrouter03,CiscoIOS15);V-3210-UsingdefaultSNMPcommunitynames.(failedonrouter03).

NipperStudioidentifiednineCATIcompliancechecksthatPASSED.Thesecompliancepasseswere:

V-3012-Networkelementisnotpasswordprotected.(passedonrouter03,CiscoIOS15);V-3143-Devicesexistwithstandarddefaultpasswords.(passedonrouter03,CiscoIOS15);V-3175-Managementconnectionsmustrequirepasswords.(passedonrouter03,CiscoIOS15);V-3210-UsingdefaultSNMPcommunitynames.(passedonCiscoIOS15);V-4582-Authenticationrequiredforconsoleaccess.(passedonrouter03,CiscoIOS15).

NipperStudioidentifiedsevenCATIcompliancechecksthatrequireMANUALinspectionsbeforetheycanbecatagorizedaseitherapassorafail.Thesecompliancecheckswere:

V-5626-NET-NAC-009(inspectiononrouter03);V-3056-Groupaccountsaredefined.(inspectiononrouter03,CiscoIOS15);V-7009-AnInfiniteLifetimekeyhasnotbeenimplemented(inspectiononrouter03,CiscoIOS15);

V-15434-Emergencyadministrationaccountprivilegelevelisnotset.(inspectiononrouter03,CiscoIOS15).

STIGCATIIchecksareforthosevulnerabilitieswhereexploitationhasapotentialtoresultinlossofconfidentiality,availability,orintegrity.CATIIfindingsthathavebeensatisfactorilymitigatedwillnotpreventanATOfrombeinggrantedforadevice.Therewere65checksthathadbeenclassedasCATII.

NipperStudioidentified16CATIIcompliancechecksthatFAILED.Thesecompliancefailureswere:

V-5624-Re-authenticationmustoccurevery60minutes.(failedonrouter03);V-3013-Loginbannerisnon-existentornotDOD-approved.(failedonrouter03,CiscoIOS15);V-3021-SNMPaccessisnotrestrictedbyIPaddress.(failedonrouter03);V-3034-Interiorroutingprotocolsarenotauthenticated.(failedonrouter03);V-3069-ManagementconnectionsmustbesecuredbyFIPS140-2.(failedonrouter03);V-3081-IPSourceRoutingisnotdisabledonallrouters.(failedonrouter03);V-3085-HTTPserverisnotdisabled(failedonrouter03);V-3966-Morethanonelocalaccountisdefined.(failedonrouter03,CiscoIOS15);V-3969-NetworkelementmustonlyallowSNMPreadaccess.(failedonrouter03);V-5612-SSHsessiontimeoutisnot60secondsorless.(failedonCiscoIOS15);V-14671-NTPmessagesarenotauthenticated.(failedonrouter03);V-15432-ThedeviceisnotauthenticatedusingaAAAserver.(failedonrouter03,CiscoIOS15);V-31285-BGPmustauthenticateallpeers.(failedonrouter03).

NipperStudioidentified38CATIIcompliancechecksthatPASSED.Thesecompliancepasseswere:

V-3971-VLAN1isbeingusedasauserVLAN.(passedonrouter03);V-17816-RoutesfromthetwoIGPdomainsareredistributed(passedonrouter03);V-3008-IPSecVPNisnotconfiguredasatunneltypeVPN.(passedonrouter03);V-3014-Managementconnectiondoesnottimeout.(passedonrouter03,CiscoIOS15);V-3034-Interiorroutingprotocolsarenotauthenticated.(passedonCiscoIOS15);V-3043-SNMPprivilegedandnon-privilegedaccess.(passedonrouter03,CiscoIOS15);V-3069-ManagementconnectionsmustbesecuredbyFIPS140-2.(passedonCiscoIOS15);V-3080-Configurationauto-loadingmustbedisabled.(passedonrouter03,CiscoIOS15);V-3081-IPSourceRoutingisnotdisabledonallrouters.(passedonCiscoIOS15);V-3085-HTTPserverisnotdisabled(passedonCiscoIOS15);V-3967-Theconsoleportdoesnottimeoutafter10minutes.(passedonrouter03,CiscoIOS15);V-3969-NetworkelementmustonlyallowSNMPreadaccess.(passedonCiscoIOS15);V-5612-SSHsessiontimeoutisnot60secondsorless.(passedonrouter03);V-5613-SSHloginattemptsvalueisgreaterthan3.(passedonrouter03,CiscoIOS15);V-5618-GratuitousARPmustbedisabled.(passedonrouter03,CiscoIOS15);V-5645-CiscoExpressForwarding(CEF)notenabledonsupporteddevices.(passedonrouter03,CiscoIOS15);V-14669-BSDrcommandsarenotdisabled.(passedonrouter03,CiscoIOS15);V-14671-NTPmessagesarenotauthenticated.(passedonCiscoIOS15);V-14693-IPv6SiteLocalUnicastADDRmustnotbedefined(passedonrouter03,CiscoIOS15);V-14717-ThenetworkelementmustnotallowSSHVersion1.(passedonrouter03,CiscoIOS15);V-17816-RoutesfromthetwoIGPdomainsareredistributed(passedonCiscoIOS15);V-28784-Callhomeserviceisdisabled.(passedonrouter03,CiscoIOS15);V-30660-The6-to-4routerisnotfilteringprotocol41(passedonrouter03,CiscoIOS15);V-30744-L2TPv3sessionsarenotauthenticated(passedonrouter03,CiscoIOS15);V-31285-BGPmustauthenticateallpeers.(passedonCiscoIOS15).

NipperStudioidentified59CATIIcompliancechecksthatrequireMANUALinspectionsbeforetheycanbecatagorizedaseitherapassorafail.Thesecompliancecheckswere:

V-3984-AccessswitchportsareassignedtothenativeVLAN(inspectiononrouter03);V-5622-AdedicatedVLANisrequiredforalltrunkports.(inspectiononrouter03);V-5623-Ensuretrunkingisdisabledonallaccessports.(inspectiononrouter03);V-5628-TheVLAN1isbeingusedformanagementtraffic.(inspectiononrouter03);V-17815-IGPinstancesdonotpeerwithappropriatedomain(inspectiononrouter03);V-17824-ManagementinterfaceisassignedtoauserVLAN.(inspectiononrouter03);V-17826-InvalidportswithmembershiptothemgmtVLAN(inspectiononrouter03);V-17832-MgmtVLANdoesnothavecorrectIPaddress(inspectiononrouter03);V-17833-NoingressACLonmanagementVLANinterface(inspectiononrouter03);V-18523-ACLsdonotprotectagainstcompromisedservers(inspectiononrouter03);V-18545-Upstreamaccessnotrestrictedfornon-802.1xVLAN(inspectiononrouter03);V-18566-NET-NAC-031(inspectiononrouter03);V-3008-IPSecVPNisnotconfiguredasatunneltypeVPN.(inspectiononCiscoIOS15);V-3021-SNMPaccessisnotrestrictedbyIPaddress.(inspectiononCiscoIOS15);V-3057-Accountsassignedleastprivilegesnecessarytoperformduties.(inspectiononrouter03,CiscoIOS15);V-3058-Unauthorizedaccountsareconfiguredtoaccessdevice.(inspectiononrouter03,CiscoIOS15);V-3160-Operatingsystemisnotatacurrentreleaselevel.(inspectiononrouter03,CiscoIOS15);V-5611-Managementconnectionsarenotrestricted.(inspectiononrouter03,CiscoIOS15);V-5646-Devicesnotconfiguredtofilteranddrophalf-openconnections.(inspectiononrouter03,CiscoIOS15);V-14705-IPv6routersarenotconfiguredwithCEFenabled(inspectiononrouter03,CiscoIOS15);V-14707-IPv6EgressOutboundSpoofingFilter(inspectiononrouter03,CiscoIOS15);V-15288-ISATAPtunnelsmustterminateatinteriorrouter.(inspectiononrouter03,CiscoIOS15);V-17754-Managementtrafficisnotrestricted(inspectiononrouter03,CiscoIOS15);V-17814-RemoteVPNend-pointnotamirroroflocalgateway(inspectiononrouter03,CiscoIOS15);V-17815-IGPinstancesdonotpeerwithappropriatedomain(inspectiononCiscoIOS15);

V-17817-ManagednetworkhasaccesstoOOBMgatewayrouter(inspectiononrouter03,CiscoIOS15);V-17818-Trafficfromthemanagednetworkwillleak(inspectiononrouter03,CiscoIOS15);V-17819-Managementtrafficleaksintothemanagednetwork(inspectiononrouter03,CiscoIOS15);V-17821-TheOOBMinterfacenotconfiguredcorrectly.(inspectiononrouter03,CiscoIOS15);V-17822-ThemanagementinterfacedoesnothaveanACL.(inspectiononrouter03,CiscoIOS15);V-17834-NoinboundACLformgmtnetworksub-interface(inspectiononrouter03,CiscoIOS15);V-17835-IPSectrafficisnotrestricted(inspectiononrouter03,CiscoIOS15);V-18522-ACLsmustrestrictaccesstoserverVLANs.(inspectiononrouter03,CiscoIOS15);V-18790-NET-TUNL-012(inspectiononrouter03,CiscoIOS15);V-19188-Controlplaneprotectionisnotenabled.(inspectiononrouter03,CiscoIOS15);V-30577-PIMenabledonwronginterfaces(inspectiononrouter03,CiscoIOS15);V-30578-PIMneighborfilterisnotconfigured(inspectiononrouter03,CiscoIOS15).

STIGCATIIIchecksareforthosevulnerabilitieswhichdegradesmeasurestoprotectagainstlossofconfidentiality,availability,orintegrity.ThesefindingsthatmayimpacttheIAposturebutarenotrequiredtobemitigatedorcorrectedinorderforanATOtobegrantedforadevice.Therewere34checksthathadbeenclassedasCATIII.

NipperStudioidentifiedfourteenCATIIIcompliancechecksthatFAILED.Thesecompliancefailureswere:

V-3020-DNSserversmustbedefinedforclientresolver.(failedonrouter03);V-3070-Managementconnectionsmustbelogged.(failedonrouter03,CiscoIOS15);V-3078-TCPandUDPsmallserverservicesarenotdisabled.(failedonrouter03);V-3079-Thefingerserviceisnotdisabled.(failedonrouter03);V-3083-IPdirectedbroadcastisnotdisabled.(failedonrouter03);V-3086-TheBootpserviceisnotdisabled.(failedonrouter03);V-4584-Thenetworkelementmustlogallmessagesexceptdebugging.(failedonrouter03);V-5614-ThePADserviceisenabled.(failedonrouter03);V-5615-TCPKeep-Alivesmustbeenabled.(failedonrouter03);V-14674-NTPtrafficisnotusingloopbackaddressorOOBManagementinterface.(failedonrouter03);V-14675-SNMPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.(failedonCiscoIOS15);V-23747-TwoNTPserversarenotusedtosynchronizetime.(failedonrouter03,CiscoIOS15).

NipperStudioidentified23CATIIIcompliancechecksthatPASSED.Thesecompliancepasseswere:

V-3000-InterfaceACLdenystatementsarenotlogged.(passedonrouter03,CiscoIOS15);V-3020-DNSserversmustbedefinedforclientresolver.(passedonCiscoIOS15);V-3078-TCPandUDPsmallserverservicesarenotdisabled.(passedonCiscoIOS15);V-3079-Thefingerserviceisnotdisabled.(passedonCiscoIOS15);V-3083-IPdirectedbroadcastisnotdisabled.(passedonCiscoIOS15);V-3086-TheBootpserviceisnotdisabled.(passedonCiscoIOS15);V-4584-Thenetworkelementmustlogallmessagesexceptdebugging.(passedonCiscoIOS15);V-5614-ThePADserviceisenabled.(passedonCiscoIOS15);V-5615-TCPKeep-Alivesmustbeenabled.(passedonCiscoIOS15);V-5616-Identificationsupportisenabled.(passedonrouter03,CiscoIOS15);V-14672-AuthenticationtrafficdoesnotuseloopbackaddressorOOBManagementinterface.(passedonrouter03,CiscoIOS15);V-14673-SyslogtrafficisnotusingloopbackaddressorOOBmanagementinterface.(passedonrouter03,CiscoIOS15);V-14674-NTPtrafficisnotusingloopbackaddressorOOBManagementinterface.(passedonCiscoIOS15);V-14675-SNMPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.(passedonrouter03);V-14677-FTP/TFTPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.(passedonCiscoIOS15);V-30617-Maximumhoplimitislessthan32(passedonrouter03,CiscoIOS15);V-30736-6-to-4routernotfilteringinvalidsourceaddress(passedonrouter03,CiscoIOS15).

NipperStudioidentified26CATIIIcompliancechecksthatrequireMANUALinspectionsbeforetheycanbecatagorizedaseitherapassorafail.Thesecompliancecheckswere:

V-3972-VLAN1traffictraversesacrossunnecessarytrunk(inspectiononrouter03);V-3973-DisabledportsarenotkeptinanunusedVLAN.(inspectiononrouter03);V-17825-ManagementVLANhasinvalidaddresses(inspectiononrouter03);V-17827-ThemanagementVLANisnotprunedfromtrunklinks(inspectiononrouter03);V-18544-RestrictedVLANnotassignedtonon-802.1xdevice.(inspectiononrouter03);V-3072-Runningandstartupconfigurationsarenotsynchronized.(inspectiononrouter03,CiscoIOS15);V-7011-Theauxiliaryportisnotdisabled.(inspectiononrouter03,CiscoIOS15);V-14667-Keyexpirationexceeds180days.(inspectiononrouter03,CiscoIOS15);V-14676-Netflowtrafficisnotusingloopbackaddress.(inspectiononrouter03,CiscoIOS15);V-14677-FTP/TFTPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.(inspectiononrouter03);V-14681-LoopbackaddressisnotusedastheiBGPsourceIP.(inspectiononrouter03,CiscoIOS15);V-17823-ThemanagementinterfaceisnotIGPpassive.(inspectiononrouter03,CiscoIOS15);V-17836-Managementtrafficisnotclassifiedandmarked(inspectiononrouter03,CiscoIOS15);V-17837-Managementtrafficdoesn'tgetpreferredtreatment(inspectiononrouter03,CiscoIOS15);V-19189-NoAdmin-localorSite-localboundary(inspectiononrouter03,CiscoIOS15);V-30585-Invalidgroupusedforsourcespecificmulticast(inspectiononrouter03,CiscoIOS15).


5.115Recommendations

NipperStudiorecommendsthatthefindingsofthisauditarereviewed.Furthermore,NipperStudiorecommendsthatmitigationshouldbeimplementedtoresolveanycompliancefailures.Table435liststherecomendedactionsforthecompliancefindingsdetailedinthisreport.

STIG Title Severity State Recommendation AffectedDevices

V-

5626

NET-NAC-009 CATI Verifyiftheswitchconfigurationhas802.1xauthenticationimplementedforallaccessswitchportsconnectingtoLANoutlets

(i.e.RJ-45wallplates)ordevicesnotlocatedinthetelecomroom,wiringclosets,orequipmentrooms.If802.1xauthentication

isnotconfiguredonthesehost-facingaccessswitchports,thisisaCAT1finding.IfMACaddressfilteringisimplementedin

lieuof802.1xauthentication,thisfindingwillbedowngradedtoaCAT3.

Verify802.1xauthenticationisenabledontheswitchandhostfacingswitchports:

Step1:Verifythatan802.1xauthenticationserverhasbeenconfiguredsimilartothefollowingexample:

Switch(config)#radius-serverhostx.x.x.xauth-port1813key!R4d1u$K3y!

Switch(config)#aaanew-model

Switch(config)#aaaauthenticationdot1xdefaultgroupradius

Step2:Verify802.1xauthenticationhasbeenenabledgloballyonthenetworkdevicesimilartothefollowingexample:

Switch(config)#dot1xsystem-auth-control

Step3:Verifythatallhost-facingaccessswitchportsareconfiguredtouse802.1xsimilartotheexamplesbelow:

Switch(config)#interfacefastethernet0/2

Switch(config-if)#switchportmodeaccess

Switch(config-if)#switchportport-security

Switch(config-if)#dot1xport-controlauto

OR




Switch(config-if)#authenticationport-controlauto

If802.1xisnotbeingused,determineifMACfilteringisusedoneachhost-facingaccessswitchportasshowninthefollowing

example:




Switch(config-if)#switchportport-securitymaximum1

Switch(config-if)#switchportport-securitymac-address1000.2000.3000

NOTE:Thesectionbelowisintendedforclassifiednetworks.Ifit’sdeterminedthat802.1xisnotimplementedonaclassified

network,theTraditionalreviewteammustbenotifiedtodetermineifthephysicalrequirementsareimplemented.Forasite

tobedowngradedtoaCATIIIopenfinding,thephysicalsecurityrequirementsmustbeimplementedinadditiontostaticMAC

orstickysecureMACportsecurity.Ifbothphysicalandlogicaldowngradesarenotimplemented,aCATIopenfindingwillbe

issued.

IfclassifiedLANdropsarenotauthenticatedbyan802.1ximplementation,theymustbelocatedwithinspacesproperly

establishedasSecretvaults,SecretSecureRooms(AKA:CollateralClassifiedOpenStorageAreas),TSsecureroom,orSCIF.

Otherwise,oneofthefollowingsupplementalphysicalsecuritycontrolsmustbeimplemented.

1.WalljacksmustbesecuredwhenunattendedbypersonswithSecretorhigherclearancewithaproperlyconstructedlock

box(Hoffmanorsimilarcommercialproductorlocallyfabricated).Thelockboxmusthavenoexposedorremovablehinges.

Thehasphardwaremustberivetedtotheboxorotherwiseinstalledsothatremovalwillrequirephysicalbreakingofthebox;

therebyleavingevidenceofactualorattemptedentry.Thelockboxmustbesecuredwitha3-positionhighsecurity

combinationpadlock(IAWtheNSTISSI7003).TheS&G8077combinationpadlockistheonlyexistingpadlockmeetingthis

router03

standard.

2.Iflockboxesarenotused,thealternativeistophysicallydisconnecttheSIPRNetlinkattheSIPRNetpointofpresence(PoP)

afternormaldutyhours.ThePoPmustbelocatedwithinaproperSecretorhighersecureroom.

V-

3056

Group

accountsare

defined.

CATI Reviewthenetworkdeviceconfigurationandvalidatetherearenogroupaccountsconfiguredforaccess.

Ifagroupaccountisconfiguredonthedevice,thisisafinding.

router03

CiscoIOS15

V-

3062

Passwordsare

viewable

when

displayingthe

config.

CATI Configurethenetworkelementtoensurepasswordsarenotviewablewhendisplayingconfigurationinformation.

Device(config)#servicepassword

Device(config)#usernamenamesecretS3cr3T!

Device(config)#enablesecret$MyS3cr3TPW$

Device(config)#end

router03

CiscoIOS15

V-

3196

Aninsecure

versionof

SNMPisbeing

used.

CATI IfSNMPisenabled,configurethenetworkdevicetouseSNMPVersion3SecurityModelwithFIPS140-2validated

cryptography(i.e.,SHAauthenticationandAESencryption).

router03

CiscoIOS15

V-

3210

Usingdefault

SNMP

community

names.

CATI ConfigureuniqueSNMPcommunitystringsreplacingthedefaultcommunitystrings. router03

V-

7009

AnInfinite

Lifetimekey

hasnotbeen

implemented

CATI Reviewtherunningconfigurationtodetermineifkeyauthenticationhasbeendefinedwithaninfinitelifetime.

Ifthekeyhasbeenconfiguredforalifetimeotherthaninfinite,thisisafinding.

RIP2ExampleEIGRPExample

interfaceethernet0interfaceethernet0

ipripauthenticationkey-chaintreesipauthenticationmodeeigrp1md5

ipripauthenticationmodemd5ipauthenticationkey-chaineigrp1trees

routerriproutereigrp1

network172.19.0.0network172.19.0.0

version2

keychaintreeskeychaintrees

key1key1

key-stringwillowkey-stringwillow

accept-lifetime22:45:00Feb10200522:45:00Aug102005accept-lifetime22:45:00Feb10200522:45:00Aug102005

send-lifetime23:00:00Feb10200522:45:00Aug102005send-lifetime23:00:00Feb10200522:45:00Aug102005

key2key2

key-stringbirchkey-stringbirch

accept-lifetime22:45:00Aug9200522:45:00Feb102006accept-lifetime22:45:00Dec10200522:45:00Feb102006

send-lifetime23:00:00Aug9200522:45:00Feb102006send-lifetime23:00:00Dec10200522:45:00Jan102006

key9999key9999

key-stringmaplekey-stringmaple

accept-lifetime22:45:00Feb92005infiniteaccept-lifetime22:45:00Feb92005infinite

send-lifetime23:00:00Feb92005infinitesend-lifetime23:00:00Feb92005infinite

Notes:Note:OnlyEnhancedInteriorGatewayRoutingProtocol(EIGRP)andRoutingInformationProtocol(RIP)Version2use

keychains.

Notes:WhenusingMD5authenticationkeys,itisimperativethesiteisincompliancewiththeNTPpolicies.Therouterhasto

knowthetime!

Notes:Mustmakethisahighnumbertoensureyouhaveplentyofroomtoputkeysinbeforeit.Allsubsequentkeyswillbe

decrementedbyone(9998,9997...).

router03

CiscoIOS15

V-

15434

Emergency

administration

account

privilegelevel

isnotset.

CATI Reviewtheemergencyadministrationaccountconfiguredonthenetworkdevicesandverifythatithasbeenassignedtoa

privilegelevelthatwillenabletheadministratortoperformnecessaryadministrativefunctionswhentheauthentication

serverisnotonline.

Iftheemergencyadministrationaccountisconfiguredformoreaccessthanneededtotroubleshootissues,thisisafinding.

router03

CiscoIOS15

V-

3984

Access

switchports

areassigned

tothenative

VLAN

CATII Reviewtheswitchconfigurationsandexamineallaccessports.VerifythattheydonotbelongtothenativeVLAN.

IfanyaccessswitchportsareassignedtothenativeVLAN,itisafinding.

router03

V-

5622

Adedicated

VLANis

requiredfor

alltrunkports.

CATII Reviewthedeviceconfigurationandexaminealltrunklinks.VerifythenativeVLANhasbeenconfiguredtoaVLANotherthan

thedefaultVLAN1.

IfthenativeVLANhasbeenconfiguredtoVLAN1,thisisafinding.

router03

V-

5623

Ensure

trunkingis

disabledonall

accessports.

CATII Reviewthedeviceconfigurationtodetermineiftrunkinghasbeendisabledonaccessports.

Iftrunkingisenabledonanyaccessport,thisisafinding.

router03

V-

5624

Re-

authentication

mustoccur

every60

minutes.

CATII Ensure802.1xreauthenticationoccursevery60minutes. router03

V-

5628

TheVLAN1is

beingusedfor

management

traffic.

CATII ReviewthedeviceconfigurationstodetermineifadedicatedVLAN(s)havebeenimplementedforthemanagementnetwork.

VLAN1mustnotbeused.

IfadedicatedVLANorVLANshavenotbeenestablishedforthemanagementnetwork,thisisafinding.

IfVLAN1isusedformanagement,thisisalsoafinding.

router03

V-

17815

IGPinstances

donotpeer

with

appropriate

domain

CATII VerifythattheOOBMinterfaceisanadjacencyonlyintheIGProutingdomainforthemanagementnetwork.Thefollowing

wouldbeanexamplewhereEIGRPisrunonthemanagementnetwork10.0.0.0andOSPFinthemanagednetwork172.20.0.0.

Thenetwork10.1.20.0/24istheOOBMbackboneand10.1.1.0isthelocalmanagementLANconnectingtotheOOBM

interfacesofthemanagednetwork(i.e.,theprivateandservicenetwork)elements.

interfaceSerial0/0

descriptionto_OOBM_Backbone

ipaddress10.1.20.3255.255.255.0

interfaceFastethernet0/0

descriptionEnclave_Management_LAN

ipaddress10.1.1.1255.255.255.0


descriptionto_our_PrivateNet

ipaddress172.20.4.2255.255.255.0


descriptionto_our_ServiceNet

ipaddress172.20.5.2255.255.255.0

!

routerospf1

network172.20.0.0

!

routereigrp12

network10.0.0.0

passive-interfaceFastethernet0/1

Note:thepassive-interfacecommandisconfiguredtoavoidbuildinganEIGRPadjacencywithamanagedrouter,whileatthe

sametime,enablingEIGRPtoadvertisetheenclave’smanagementsubnettotheEIGRPneighborsofthemanagement

networkbackbone.

Ifthenon-dedicatedOOBMgatewayandtheNOCgatewayarenotconnectedbyanOOBbackbone—thatis,connectivityis

providedoveranIPbackbone(i.e.NIPRNet)—andanIGPisusedtoadvertiserouteswithinthemanagementnetwork,theIGP

trafficmustbeencapsulatedviaGREsothatitcantraversetheIPsectunnel.TheconfigurationbelowisanexampleofGRE

overIPSec.TheIPSecpolicyisappliedtotheGREtrafficthatwillencapsulateIGPpackets(noticetheEIGRPnetworkstatement

includestheGREtunnel;hence,EIGRPwillformadjacencieswithneighborsontheothersideofthistunnel.

PremiseRouterConfiguration

cryptoisakmppolicy10

authenticationpre-share

cryptoisakmpkeyourkeyaddress166.4.24.3

!

cryptoipsectransform-setVPN-transesp-3desesp-md5-hmac

!

cryptomapvpnmap10ipsec-isakmp

setpeer166.4.24.3

settransform-setVPN-trans

matchaddress102

!

interfaceEthernet1

ipaddress10.1.1.1255.255.255.0

!

interfaceSerial1/0

ipaddress141.22.4.3255.255.255.252

!

interfaceTunnel0

ipaddress10.10.255.1255.255.255.252

ipmtu1400

tunnelsourceSerial0/0

tunneldestination166.4.24.3

cryptomapvpnmap

router03

!

routereigrp100

network10.0.0.00.0.0.255

noauto-summary

!

iproute0.0.0.00.0.0.0141.22.4.1

!

access-list102permitgrehost141.22.4.3host166.4.24.3

OOBMVPNGatewayConfiguration

cryptoisakmppolicy10


cryptoisakmpkeyourkeyaddress141.22.4.3

!

cryptoipsectransform-setVPN-transesp-3desesp-md5-hmac

!

cryptomapvpnmap10ipsec-isakmp

setpeer141.22.4.3

settransform-setVPN-trans

matchaddress102

!

interfaceEthernet1

ipaddress10.1.2.1255.255.255.0

!

interfaceSerial1/0

ipaddress166.4.24.3255.255.255.252

!

interfaceTunnel0

ipaddress10.10.255.2255.255.255.252

ipmtu1400

tunnelsourceSerial0/0

tunneldestination141.22.4.3

cryptomapvpnmap

!

routereigrp100

network10.0.0.00.0.0.255

noauto-summary

!

iproute0.0.0.00.0.0.0166.4.24.1

!

access-list102permitgrehost166.4.24.3host141.22.4.3

V-

17824

Management

interfaceis

assignedtoa

userVLAN.

CATII ReviewthemanagedswitchconfigurationandverifythattheaccessportconnectedtotheOOBMaccessswitchhasbeen

assignedtothemanagementVLAN.Bydefault,themanagementVLANisVLAN1;however,themanagementVLANmustbe

configuredtoadifferentVLAN.Asshowninthefollowingconfigurationexample,FastEthernet0/1istheportconnectedtothe

OOBMaccessswitchandVLAN101isthemanagementVLAN.

interfaceFastEthernet0/1

switchportaccessvlan10


!




!




!




ThiscanalsobeverifiedbyenteringaPrivilegedEXECshowvlancommandontheswitchCLIasillustratedinthefollowing

exampleoutputofaCisco2950:

2950#showvlan

VLANNameStatusPorts

--------------------------------------------------------------------

2ProductionactiveFa0/2,Fa0/3,Fa0/4,Fa0/5,

router03

...

Fa0/21,Fa0/22,Fa0/23,Fa0/24

10ManagementactiveFa0/1

V-

17826

Invalidports

with

membership

tothemgmt

VLAN

CATII ThemanagementVLANmustbeprunedfromanyVLANtrunklinksbelongingtothemanagednetwork’sinfrastructure.By

defaultalltheVLANsthatexistonaswitchareactiveonatrunklink.SincetheswitchisbeingmanagedviaOOBMconnection,

managementtrafficshouldnottraverseanytrunklinks.ThefollowingCatalystIOSconfigurationisanexampleofatrunklink

withthemanagementVLAN(i.e.10)prunedfromatrunk.

interfacefastEthernet0/1

switchporttrunkencapsulationdot1q

switchportmodedynamicdesirable

switchporttrunknativevlan3

switchporttrunkallowedvlan2-9

Thiscanalsobeverifiedwiththeshowinterfacetrunkcommandasshownbelow:

Switch-A#showinterfacetrunk

PortModeEncapsulationStatusNativevlan

Fa0/1desirable802.1qtrunking3

PortVlansallowedontrunk

Fa0/12-9

PortVlansinspanningtreeforwardingstateandnotpruned

Fa0/12-5

Note:VTPpruningallowstheswitchtonotforwardusertrafficforVLANsthatarenotactiveonaremoteswitch.Thisfeature

dynamicallyprunesunneededtrafficacrosstrunklinks.VTPpruningneedstobeenabledontheserverfortheVTPdomains—

afterwhichallVTPclientsintheVTPdomainwillautomaticallyenableVTPpruning.ToenableVTPpruningonaCiscoIOS

switch,youusethevtppruningVLANconfigurationorglobalconfigurationcommand.Since,themanagementVLANwillbe

activeonallmanagedswitchs,VTPwillneverprunethisVLAN.Hence,itwillhavetobemanuallyremovedasshownabove.

router03

V-

17832

MgmtVLAN

doesnothave

correctIP

address

CATII ReviewtheswitchconfigurationandverifythatthemanagementVLANhasbeenassignedanIPaddressfromthe

managementnetworkaddressblock.FollowingisanexampleforaCiscoCatalystswitch:

interfaceVLAN10

descriptionManagementVLAN

ipaddress10.1.1.10255.255.255.0

Note:TheIPaddressoftheswitchcanbeaccessedonlybynodesconnectedtoportsthatbelongtothemanagementVLAN.

router03

V-

17833

Noingress

ACLon

management

VLAN

interface

CATII ReviewtheconfigurationtodetermineifaninboundACLhasbeenconfiguredforthemanagementVLANinterfacetoblock

non-managementtraffic.

IfaninboundACLhasnotbeenconfigured,thisisafinding.

router03

V-

18523

ACLsdonot

protect

against

compromised

servers

CATII Reviewthefirewallprotectingtheserverfarm.Vlanconfigurationsshouldhaveafilterthatsecurestheserverslocatedonthe

vlansegment.IdentifythesourceipaddressesthathaveaccesstotheserversandverifytheprivilegeintendedwiththeSA.

Thefiltershouldbeinadenybydefaultposture.

Ifthefilterisnotdefinedonthefirewallandthearchitecturecontainsalayer3switchbetweenthefirewallandtheserver,

thanreviewtheVLANdefinitionontheL3switch.

router03

V-

18545

Upstream

accessnot

restrictedfor

non-802.1x

VLAN

CATII AnACLorfirewallrulesetcanfilternetworktrafficwithintheprinterVLANtoonlyexpectedprinterprotocols.TheSA

managingthelocalenclaveshouldidentifytheprinterporttrafficwithintheenclave.Portscommonlyusedbyprintersare

typicallytcpport515,631,1782andtcpports9100,9101,9102butothersareusedthroughouttheindustry.TheSAcan

reviewRFC1700PortAssignmentsandreviewprintervendordocumentsforthefilterrule-set.Verifythefilterappliedtothe

printerVLANsubnet.

router03

V-

18566

NET-NAC-031 CATII ReviewtheswitchconfigurationtoverifyeachaccessportisconfiguredforasingleregisteredMACaddress.

Configuringport-securityontheCiscoswitchaccessportinterfacewillautomaticallysetthemaximumnumberofregistered

MACaddressestoone.Thevaluewillnotshowupintheconfigurationoftheswitchitself.Tovalidatetheaccessporthasa

maximumvalueofoneforallowableMACaddresses,youmustrunthefollowingcommand:

Switch#showport-securityinterface

ShowCommandExample:

Switch#portintfa0/1

PortSecurity:Enabled

PortStatus:Secure-down

ViolationMode:Shutdown

AgingTime:0mins

AgingType:Absolute

SecureStaticAddressAging:Disabled

MaximumMACAddresses:1

router03

SometechnologiesareexemptfromrequiringasingleMACaddressperaccessport;however,restrictionsstillapply.VoIPor

VTCendpointsmayprovideaPCportsoaPCcanbeconnected.Eachofthedeviceswillneedtobestaticallyassignedtoeach

accessport.

AnothergreeninitiativewhereasingleLANdropissharedamongseveraldevicesiscalled"hot-desking",whichisrelatedto

conservationofofficespaceandteleworking.Hot-deskingiswhereseveralpeopleareassignedtoworkatthesamedeskat

differenttimes,eachuserwiththeirownPC.Inthiscase,adifferentMACaddressneedstobepermittedforeachPCthatis

connectingtotheLANdropintheworkspace.Additionally,thisworkspacecouldcontainasinglephone(andpossiblydesktop

VTCendpoint)usedbyallassigneesandthePCportonitmightbetheconnectionfortheirlaptop.Inthiscase,itisbestnotto

usestickyportsecurity,buttouseastaticmappingofauthorizeddevicesorimplement802.1x.Ifthisisnotateleworking

remotelocation,thisexemptiondoesnotapply.

V-

3008

IPSecVPNis

not

configuredas

atunneltype

VPN.

CATII HavetheSAdisplaytheconfigurationsettingsthatenablethisfeature.

Reviewthenetworktopologydiagram,andreviewVPNconcentrators.Determineiftunnelmodeisbeingusedbyreviewing

theconfiguration.Examples:

InCISCO

Router(config)#cryptoipsectransform-settransform-set-nametransform1

Router(cfg-crypto-tran)#modetunnel

ORinJunos

editsecurityipsecsecurity-associationsa-name]modetunnel

CiscoIOS15

V-

3013

Loginbanner

isnon-existent

ornotDOD-

approved.

CATII ConfigureallmanagementinterfacestothenetworkdevicetodisplaytheDoD-mandatedwarningbannerverbiageatlogon

regardlessofthemeansofconnectionorcommunication.Therequiredbannerverbiagethatmustbedisplayedverbatimis

asfollows:

OptionA

YouareaccessingaU.S.Government(USG)InformationSystem(IS)thatisprovidedforUSG-authorizeduseonly.Byusingthis

IS(whichincludesanydeviceattachedtothisIS),youconsenttothefollowingconditions:

-TheUSGroutinelyinterceptsandmonitorscommunicationsonthisISforpurposesincluding,butnotlimitedto,penetration

testing,COMSECmonitoring,networkoperationsanddefense,personnelmisconduct(PM),lawenforcement(LE),and

counterintelligence(CI)investigations.

-Atanytime,theUSGmayinspectandseizedatastoredonthisIS.

-Communicationsusing,ordatastoredon,thisISarenotprivate,aresubjecttoroutinemonitoring,interception,andsearch,

andmaybedisclosedorusedforanyUSG-authorizedpurpose.

-ThisISincludessecuritymeasures(e.g.,authenticationandaccesscontrols)toprotectUSGinterests--notforyourpersonal

benefitorprivacy.

-Notwithstandingtheabove,usingthisISdoesnotconstituteconsenttoPM,LEorCIinvestigativesearchingormonitoringof

thecontentofprivilegedcommunications,orworkproduct,relatedtopersonalrepresentationorservicesbyattorneys,

psychotherapists,orclergy,andtheirassistants.Suchcommunicationsandworkproductareprivateandconfidential.See

UserAgreementfordetails.

OptionB

Ifthesystemisincapableofdisplayingtherequiredbannerverbiageduetoitssize,asmallerbannermustbeused.The

mandatoryverbiagefollows:"I'veread&consenttotermsinISuseragreem't."

router03

CiscoIOS15

V-

3021

SNMPaccess

isnot

restrictedby

IPaddress.

CATII ConfigurethenetworkdevicestoonlyallowSNMPaccessfromonlyaddressesbelongingtothemanagementnetwork. router03

V-

3021

SNMPaccess

isnot

restrictedby

IPaddress.

CATII ReviewdeviceconfigurationandverifythatitisconfiguredtoonlyallowSNMPaccessfromonlyaddressesbelongingtothe

managementnetwork.ThefollowingexamplesforSNMPv1,2,and3depicttheuseofanACLtorestrictSNMPaccesstothe

device.

SNMPv1/v2cConfigurationExample

TheexampleACLNMS_LISTisusedtodefinewhatnetworkmanagementstationscanaccessthedeviceforwriteandread

only(poll).

ipaccess-liststandardNMS_LIST

permit10.1.1.24

permit10.1.1.22

permit10.1.1.23

!

snmp-servercommunityourCommStrRORWNMS_LIST

snmp-servercommunitywrite_pwRWNMS_LIST

snmp-serverenabletrapssnmplinkdownlinkup

snmp-serverhost10.1.1.1trap_comm_string

Note:Ifyouenterthesnmp-serverhostcommandwithnokeywords,thedefaultisversion1andtosendallenabledtrapsto

CiscoIOS15

thehost.Noinformswillbesenttothishost.Ifnotrapsorinformskeywordispresent,trapsaresent.

SNMPv3ConfigurationExample

TheexampleACLNMS_LISTandADMIN_LISTareusedtodefinewhatnetworkmanagementstationsandadministrator(users)

desktopscanaccessthedevice.

ipaccess-liststandardADMIN_LIST

permit10.1.1.35

permit10.1.1.36

ipaccess-liststandardNMS_LIST

permit10.1.1.24

permit10.1.1.22

permit10.1.1.23

!

snmp-servergroupNOCv3privreadVIEW_ALLwriteVIEW_LIMITaccessNMS_LIST

snmp-servergroupTRAP_GROUPv3privnotify

*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-servergroupADMIN_GROUPv3privreadVIEW_ALLwriteVIEW_ALLaccessADMIN_LIST

snmp-serverviewVIEW_ALLinternetincluded

snmp-serverviewVIEW_LIMITinternetincluded

snmp-serverviewVIEW_LIMITinternet.6.3.15excluded



snmp-serverenabletrapssnmplinkdownlinkup

snmp-serverhost10.1.1.24version3privTRAP_NMS1

Note:FortheconfiguredgroupTRAP_GROUP,thenotifyviewisauto-generatedbythesnmp-serverhostcommandwhich

bindtheuser(TRAP_NMS1)andthegroupitbelongsto(TRAP_GROUP)tothelistofnotifications(trapsorinforms)whichare

senttothehost.Hence,theconfigurationsnmp-servergroupTRAP_GROUPv3resultsinthefollowing:

snmp-servergroupTRAP_GROUPv3privnotify*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

Note:Notrequiredbutforillustrationpurpose,theVIEW_LIMITexcludesMIBobjectswhichcouldpotentiallyreveal

informationaboutconfiguredSNMPcredentials.TheseobjectsaresnmpUsmMIB,snmpVacmMIB,andsnmpCommunityMIB

whichisconfiguredas1.3.6.1.6.3.15,1.3.6.1.6.3.16,and1.3.6.1.6.3.18respectively

NotethatSNMPv3usersarenotshowninarunningconfiguration.Youcanviewthemwiththeshowsnmpusercommand.So

forexample,ifthefollowinguserswereconfiguredassuch.

snmp-serveruserHP_OVNOCv3authshaHPOVpswdprivaes256HPOVsecretkey

snmp-serveruserAdmin1ADMIN_GROUPv3authshaAdmin1PWprivaes256Admin1key

snmp-serveruserAdmin2ADMIN_GROUPv3authmd5Admin2passpriv3desAdmin2key

snmp-serveruserTRAP_NMS1TRAP_GROUPv3authshatrap_nms1_pwprivaestrap_nms1_key

Theshowsnmpusercommandwoulddepicttheconfiguredusersasfollows:

R1#showsnmpuser

Username:HP_OV

EngineID:AB12CD34EF56

storage-type:nonvolatileactive

AuthenticationProtocol:SHA

PrivacyProtocol:AES256

Group-name:NOC

Username:Admin1

EngineID:800000090300C20013080000




Group-name:ADMIN_GROUP

Username:Admin2

EngineID:800000090300C20013080000


AuthenticationProtocol:MD5

PrivacyProtocol:3DES

Group-name:ADMIN_GROUP

Username:TRAP_NMS1

EngineID:800000090300C20013080000




Group-name:TRAP_GROUP

R1#

V-

3034

Interior

routing

protocolsare

not

authenticated.

CATII ConfigureauthenticationforallIGPpeers. router03

V-

3057

Accounts

assignedleast

privileges

necessaryto

perform

duties.

CATII Reviewtheaccountsauthorizedforaccesstothenetworkdevice.Determineiftheaccountsareassignedthelowestprivilege

levelnecessarytoperformassignedduties.Useraccountsmustbesettoaspecificprivilegelevelwhichcanbemappedto

specificcommandsoragroupofcommands.Authorizedaccountsshouldhavethegreatestprivilegelevelunlessdeemed

necessaryforassignedduties.

Ifitisdeterminedthatauthorizedaccountsareassignedtogreaterprivilegesthannecessary,thisisafinding.

Belowisanexampleofassigningaprivilegeleveltoalocaluseraccountandchangingthedefaultprivilegelevelofthe

configureterminalcommand.

usernamejunior-engineer1privilege7passwordxxxxxx

privilegeexeclevel7configureterminal

Theaboveexampleonlycoverslocalaccounts.Youwillalsoneedtochecktheaccountsandtheirassociatedprivilegelevels

configuredintheauthenticationserver.YoucanalsouseTACACS+forevenmoregranularityatthecommandlevelasshown

inthefollowingexample:

user=junior-engineer1{

password=clear"xxxxx"

service=shell{

setpriv-lvl=7

}

}

router03

CiscoIOS15

V-

3058

Unauthorized

accountsare

configuredto

accessdevice.

CATII Reviewtheorganization'sresponsibilitieslistandreconcilethelistofauthorizedaccountswiththoseaccountsdefinedfor

accesstothenetworkdevice.

Ifanunauthorizedaccountisconfiguredforaccesstothedevice,thisisafinding.

router03

CiscoIOS15

V-

3069

Management

connections

mustbe

securedby

FIPS140-2.

CATII ConfigurethenetworkdevicetousesecureprotocolswithFIPS140-2validatedcryptographicmodules. router03

V-

3081

IPSource

Routingisnot

disabledonall

routers.

CATII ConfiguretheroutertodisableIPsourcerouting. router03

V-

3085

HTTPserveris

notdisabled

CATII ConfigurethedevicetodisableusingHTTP(port80)foradministrativeaccess. router03

V-

3160

Operating

systemisnot

atacurrent

releaselevel.

CATII HavetheadministratorentertheshowversioncommandtodeterminetheinstalledIOSversion.AsofJune2010,thelatest

majorreleaseis12.4forroutersand12.2forswitches(bothaccessandmulti-layer).Thereleasebeingusedmusthaveall

IAVMsresolvedandmustnotbeinaCiscodeferredstatusorhasbeenmadeobsolete.

AsktheadministratorlogintotheCiscoSoftwareCentertodownloadsoftware.Selectthespecificrouterorswitchmodel.

SelecttheIOSSoftwarelinkandthenVerifythatthereleasebeingusedislistedunderthereleasefamily(willneedtoexpand

thelist)andnotinthedeferredlist.Ifthereleaseisnotlistedineitherthereleasefamilyordeferred,thenthereleaseis

obsolete.

VerifythatallIAVMshavebeenaddressed.

Note:CiscosoftwareinadifferedstatewillstillbeattheCiscoSoftwareCenterandavailablefordownloadunderthedeferred

group,whereassoftwaremadeobsoleteisnolongeravailablefordownload.Deferredstatusoccurswhenasoftware

maintenancereleaseismadeobsoleteandremovedfromorderabilityandserviceoutsideofCisco'snormalreleaseschedule,

orCiscocancelsascheduledmaintenancereleasefromreachingtheFirst-Customer-Ship(FCS)milestone.Deferralsaremost

oftenrelatedtosoftwarequalityissues.Adeferralcanbeperformedforanentiremaintenancerelease,orjustforcertainsets

ofplatformsorfeatureswithinarelease.AdeferralpriortotheFCSmilestonemaybeperformedbyCiscotoprotect

customersfromreceivingsoftwarewithknowncatastrophicdefects.AdeferralafterFCSwillexpediteobsolescenceforthe

releasetolimittheexposureofcustomers.

router03

CiscoIOS15

V-

3966

Morethan

onelocal

accountis

defined.

CATII Configurethedevicetoonlyallowonelocalaccountoflastresortforemergencyaccessandstorethecredentialsinasecure

manner.

router03

CiscoIOS15

V-

3969

Network

elementmust

onlyallow

SNMPread

access.

CATII Configurethenetworkdevicetoallowforread-onlySNMPaccesswhenusingSNMPv1,v2c,orbasicv3(noauthenticationor

privacy).WriteaccessmaybeusedifauthenticationisconfiguredwhenusingSNMPv3.

router03

V-

5611

Management

connections

arenot

restricted.

CATII Reviewtheconfigurationandverifythatmanagementaccesstothedeviceisallowedonlyfromthemanagementnetwork

addressspace.Theconfigurationshouldlooksimilartothefollowing:

access-list3permit192.168.1.10log

access-list3permit192.168.1.11log

access-list3denyanylog

…..

linevty04

access-class3in

Ifmanagementaccesscanbegainedfromoutsideoftheauthorizedmanagementnetwork,thisisafinding.

router03

CiscoIOS15

V-

5612

SSHsession

timeoutisnot

60secondsor

less.

CATII Configurethenetworkdevicessoitwillrequireasecureshelltimeoutof60secondsorless. CiscoIOS15

V-

5646

Devicesnot

configuredto

filteranddrop

half-open

connections.

CATII Reviewthedeviceconfigurationtovalidatethresholdfiltersortimeoutperiodsaresetfordroppingexcessivehalf-openTCP

connections.

Fortimeoutperiods,thetimeshouldbesetto10secondsorless.Ifthedevicecannotbeconfiguredfor10secondsorless,it

shouldbesettotheleastamountoftimeallowableintheconfiguration.Thresholdfilterswillneedtobedeterminedbythe

organizationforoptimalfiltering.

IOSConfigurationExample:

iptcpsynwait-time10

router03

CiscoIOS15

V-

14671

NTPmessages

arenot

authenticated.

CATII ConfigurethedevicetoauthenticateallreceivedNTPmessagesusingeitherPKI(supportedinNTPv4)oraFIPS-approved

messageauthenticationcodealgorithm.

router03

V-

14705

IPv6routers

arenot

configured

withCEF

enabled

CATII IOSProcedure:ReviewallCiscorouterstoensurethatCEFhasbeenenabled.Theconfigurationshouldlooksimilartothe

following:ipv6cef

router03

CiscoIOS15

V-

14707

IPv6Egress

Outbound

SpoofingFilter

CATII UnicastStrictmode:ReviewtherouterconfigurationtoensureuRPFhasbeenconfiguredonallinternalinterfaces. router03

CiscoIOS15

V-

15288

ISATAP

tunnelsmust

terminateat

interior

router.

CATII VerifyISATAPtunnelsareterminatedontheinfrastructureroutersorL3switcheswithintheenclave.

ExampleconfigurationofanISATAPtunnelendpoint:

interfacetunnel1

noipaddress

noipredirects

tunnelsourceethernet1

tunnelmodeipv6ipisatap

ipv6address2001:0DB8::/64eui-64

noipv6ndsuppress-ra

router03

CiscoIOS15

V-

15432

Thedeviceis

not

authenticated

usingaAAA

server.

CATII Configurethedevicetousetwoseparateauthenticationservers. router03

CiscoIOS15

V-

17754

Management

trafficisnot

restricted

CATII ReviewthedeviceconfigurationtodetermineifIPSectunnelsusedintransitingmanagementtrafficarefilteredtoonlyaccept

authorizedtrafficbasedonsourceanddestinationIPaddressesofthemanagementnetwork.

IffiltersarenotrestrictingonlyauthorizedmanagementtrafficintotheIPSectunnel,thisisafinding.

router03

CiscoIOS15

V-

17814

RemoteVPN

end-pointnot

amirrorof

localgateway

CATII VerifytheconfigurationattheremoteVPNend-pointisamirrorconfigurationasthatreviewedforthelocalend-point. router03

CiscoIOS15

V-

17815

IGPinstances

donotpeer

with

appropriate

domain

CATII VerifythattheOOBMinterfaceisanadjacencyonlyintheIGProutingdomainforthemanagementnetwork.

CiscoIOS15

V-

17817

Managed

networkhas

accessto

CATII ReviewtheACLorfiltersfortherouter’sreceivepathandverifythatonlytrafficsourcedfromthemanagementnetworkis

allowedtoaccesstherouter.Thiswouldincludebothmanagementandcontrolplanetraffic.

router03

CiscoIOS15

OOBM

gateway

router

Step1:Verifythattheglobalipreceiveaclstatementhasbeenconfiguredasshowninthefollowingexample:

ipreceiveacl199

Note:TheIOSIPReceiveACLfeatureprovidesfilteringcapabilityfortrafficthatisdestinedfortherouter.TheIPReceiveACL

filteringoccursafteranyinputACLboundtotheingressinterface.Ondistributedplatforms(i.e.,12000series),theIPreceive

ACLfilterstrafficonthedistributedlinecardsbeforepacketsarereceivedbytherouteprocessor;therebypreventingthe

floodfromdegradingtheperformanceoftherouteprocessor.

Step2:DeterminetheaddressblockofthemanagementnetworkattheNOC.Intheexampleconfigurationbelow,the

10.2.2.0/24isthemanagementnetworkattheNOC.

Step3:VerifythattheACLreferencedbytheipreceiveaclstatementrestrictsallmanagementplanetraffictothevalidated

networkmanagementaddressblockattheNOC.Managementtrafficcanincludetelnet,SSH,SNMP,TACACS,RADIUS,TFTP,

FTP,andICMP.ControlplanetrafficfromOOBMbackboneneighborsshouldalsobeallowedtoaccesstherouter.TheACL

configurationshouldlooksimilartothefollowing:

access-list199denyipanyanyfragments

access-list199permitospf10.1.20.00.0.0.255any

access-list199permittcp10.2.2.00.0.0.255anyeqssh

access-list199permitudphost10.2.2.24anyeqsnmp

access-list199permitudphost10.2.2.25anyeqsnmp

access-list199permitudphost10.2.2.26anyeqntp

access-list199permitudphost10.2.2.27anyeqntp

access-list199permittcphost10.2.2.30eqtacacsanygt1023established

access-list199permittcphost10.2.2.77eqftpanygt1023established

access-list199permittcphost10.2.2.77gt1024anyeqftp-data

access-list199permiticmp10.2.2.00.0.0.255any

access-list199denyipanyanylog

Intheexampleabove,theOSPFneighborswouldbeadjacencieswiththeOOBMbackbonenetwork10.1.20.0/24.

Iftheplatformdoesnotsupportthereceivepathfilter,thenverifythatallnon-OOBMinterfaceshaveaningressACLto

restrictaccesstothatinterfaceaddressoranyoftherouter’sloopbackaddressestoonlytrafficsourcedfromthe

managementnetwork.Exceptionwouldbetoallowpacketsdestinedtotheseinterfacesusedfortroubleshootingsuchas

pingandtraceroute.

V-

17818

Trafficfrom

themanaged

networkwill

leak

CATII ExaminetheegressfilterontheOOBMinterfaceofthegatewayroutertoverifythatonlytrafficsourcedfromthe

managementaddressspaceisallowedtotransittheOOBMbackbone.Intheexampleconfigurationsbelow,the10.1.1.0/24is

themanagementnetworkaddressspaceattheenclaveormanagednetworkand10.2.2.0/24isthemanagementnetwork

addressspaceattheNOC.

IOS

interfaceSerial0/0


ipaddress10.1.20.3255.255.255.0

ipaccess-group101out



ipaddress10.1.1.1255.255.255.0



ipaddress172.20.5.2255.255.255.0

!

access-list101permitip10.1.1.00.0.0.25510.2.2.00.0.0.255


router03

CiscoIOS15

V-

17819

Management

trafficleaks

intothe

managed

network

CATII ExaminetheingressfilterontheOOBMinterfaceofthegatewayroutertoverifythattrafficisonlydestinedtothelocal

managementaddressspace.Intheexampleconfigurationsbelow,the10.1.1.0/24isthelocalmanagementnetworkaddress

spaceattheenclaveormanagednetworkand10.2.2.0/24isthemanagementnetworkaddressspaceattheNOC.

IOS

interfaceSerial0/0


ipaddress10.1.20.3255.255.255.0

ipaccess-group100in




ipaddress10.1.1.2255.255.255.0



router03

CiscoIOS15

ipaddress172.20.5.2255.255.255.0



ipaddress172.20.4.2255.255.255.0

!

access-list100permitip10.2.2.00.0.0.25510.1.1.00.0.0.255


V-

17821

TheOOBM

interfacenot

configured

correctly.

CATII AfterdeterminingwhichinterfaceisconnectedtotheOOBMaccessswitch,reviewthemanageddeviceconfigurationand

verifythattheinterfacehasbeenassignedanaddressfromthelocalmanagementaddressblock.Inthisexample,thatis

10.1.1.0/24.

Ciscorouter



ipaddress10.1.1.22255.255.255.0

CiscoCatalystMLSSwitch

interfaceVLAN101

descriptionManagement_VLAN

ipaddress10.1.1.22255.255.255.0

…

…




or


noswitchport

ipaddress10.1.1.22255.255.255.0

Caveat:Iftheinterfaceisconfiguredasaroutedinterfaceasshownintheaboveconfiguration,therequirementsspecifiedin

NOC180mustbeimplemented.

router03

CiscoIOS15

V-

17822

The

management

interfacedoes

nothavean

ACL.

CATII Step1:VerifythatthemanagedinterfacehasaninboundandoutboundACLconfiguredasshowninthefollowingexample:



ipaddress10.1.1.22255.255.255.0

ipaccess-group100in


Step2:VerifythattheingressACLblocksalltransittraffic—thatis,anytrafficnotdestinedtotherouteritself.Inaddition,

trafficaccessingthemanagedelementsshouldbeoriginatedattheNOC.Intheexamplethemanagementnetworkatthe

NOCis10.2.2.0/24.

access-list100permitip10.2.2.00.0.0.255host10.1.1.22


Notethatthedestinationusedbyanyhostwithinthemanagementnetworktoaccessthemanagedelementsmustbeviathe

managementinterface.Theloopbackshouldnotbeavalidaddresssincetheseprefixeswouldnotbeadvertisedintothe

managementnetworkIGPdomain.ThiscouldonlybepossibleifthemanagednetworkElements:hadanIGPadjacencywith

themanagednetwork,whichshouldnotbethecase.

Step3:VerifythattheegressACLblocksanytrafficnotoriginatedbythemanagedelement


Ciscorouter-generatedpacketsarenotinspectedbyoutgoingaccess-lists.Hence,theaboveconfigurationwouldsimplydrop

anypacketsnotgeneratedbytherouteritselfandallowalllocaltraffic.Tofilterlocaltraffic,IOSprovidesafeaturecalledlocal

policyrouting,whichenablestheadministratortoapplyaroute-maptoanylocalrouter-generatedtraffic.Toprohibit

outgoingtrafficfromthelocalroutertoanydestinationotherthantheNOC,theaconfigurationsuchasthefollowingcould

beused:

!Donotdroptrafficdestinedto10.2.2.0/24.Hence,donotincludeitin

!thelocalpolicyroutemap,butincludeallotherdestinations.

!

ipaccess-listextendedBLOCK_INVALID_DEST

denyipany10.2.2.00.0.0.255

router03

CiscoIOS15

permitipanyany

!

route-mapLOCAL_POLICY10

matchipaddressBLOCK_INVALID_DEST

setinterfaceNull0

!

iplocalpolicyroute-mapLOCAL_POLICY

AlternativeSolution:TheIOSManagementPlaneProtectionFeature

CiscointroducedtheManagementPlaneProtection(MPP)featurewithIOS12.4(6)Twhichallowsanyphysicalin-band

interfacetobededicatedforOOBmanagement.TheMPPfeatureallowsanetworkoperatortodesignateoneormorerouter

interfacesasmanagementinterfaces.Managementtrafficispermittedtoenteradeviceonlythroughthesemanagement

interfaces.Alloftheotherin-bandinterfacesnotenabledforMPPwillautomaticallydropallingresspacketsassociatedwith

anyofthesupportedMPPprotocols(FTP,HTTP,HTTPS,SCP,SSH,SNMP,Telnet,andTFTP).Hence,afterMPPisenabled,no

interfacesexceptmanagementinterfaceswillacceptnetworkmanagementtrafficdestinedtothedevice.Thisfeaturealso

providesthecapabilitytorestrictwhichmanagementprotocolsareallowed.Thisfeaturedoesnotchangethebehaviorofthe

console,auxiliary,andmanagementEthernetinterfaces.ThefollowingconfigurationexampledepictsFastEthernet1/1as

beingthedesignatedmanagementinterfacethatwillonlyallowsshandsnmptraffic.

control-planehost

management-interfaceFastEthernet1/1allowsshsnmp

!



ipaddress10.1.1.22255.255.255.0

V-

17834

Noinbound

ACLformgmt

networksub-

interface

CATII ReviewtherouterconfigurationandverifythataninboundACLhasbeenconfiguredforthemanagementnetworksub-

interfaceasillustratedinthefollowingexampleconfiguration:

IOS

interfaceGigabitEthernet3

noipredirects

noipdirected-broadcast

interfaceGigabitEthernet3.10

encapsulationdot1q10


ipaddress10.1.1.1255.255.255.0

ipaccess-group108in

!

access-list108permit…

router03

CiscoIOS15

V-

17835

IPSectrafficis

notrestricted

CATII Verifythatalltrafficfromthemanagednetworktothemanagementnetworkandvice-versaissecuredviaIPSec

encapsulation.Intheconfigurationexamples,10.2.2.0/24isthemanagementnetworkattheNOCand192.168.1.0/24is

addressspaceusedatthenetworkbeingmanaged(i.e.,theenclave).ForCiscorouter,theaccess-listreferencedbythecrypto

mapmusthavethesourceanddestinationaddressesbelongingtothemanagementnetworkaddressspaceattheenclave

andNOCrespectively.

hostnamePremrouter

!

interfaceSerial1/0

ipaddress19.16.1.1255.255.255.0

descriptionNIPRNet_Link

cryptomapmyvpn



ipaddress192.168.1.1255.255.255.0

!

cryptoisakmppolicy1


lifetime84600

cryptoisakmpkey*******address19.16.2.1

!

cryptoipsectransform-settoNOCesp-desesp-md5-hmac

!

cryptomapmyvpn10ipsec-isakmp

setpeer19.16.2.1

settransform-settoNOC

matchaddress101

!

access-list101permitipany10.2.2.00.0.0.255

router03

CiscoIOS15

V-

18522

ACLsmust

restrictaccess

toserver

VLANs.

CATII ReviewthedeviceconfigurationtovalidateanACLwithadeny-by-defaultsecurityposturehasbeenimplementedonthe

serverVLANinterface.

router03

CiscoIOS15

V-

18790

NET-TUNL-012 CATII Identifythetunnelendpoints,thenreviewallroutingdevicestoensurethetunnelentrypointisnotusedasadefaultroute.

Trafficdestinedtothetunnelshouldbedirectedtothetunnelendpointbystaticroutes,policybasedrouting,orbythe

mechanicsoftheinteriorroutingprotocol,butnotbydefaultroutestatements.

router03

CiscoIOS15

V-

19188

Controlplane

protectionis

notenabled.

CATII ControlPlanePolicing(CoPP)

Ifsupportedbytherouter,CoPPshouldbeusedtoincreasesecurityonCiscoroutersbyprotectingtheRPfromunnecessary

andmalicioustraffic.CoPPallowsnetworkoperatorstoclassifytrafficbasedonimportancethatthenenablestherouterto

filterandratelimitthetrafficaccordingtothedefinedpolicyforeachclass.

Step1:Verifytraffictypeshavebeenclassifiedbasedonimportancelevels.Thefollowingisanexampleconfiguration:

class-mapmatch-allCoPP_CRITICAL

matchaccess-groupnameCoPP_CRITICAL

class-mapmatch-anyCoPP_IMPORTANT

matchaccess-groupnameCoPP_IMPORTANT

matchprotocolarp

class-mapmatch-allCoPP_NORMAL

matchaccess-groupnameCoPP_NORMAL

class-mapmatch-anyCoPP_UNDESIRABLE

matchaccess-groupnameCoPP_UNDESIRABLE

class-mapmatch-allCoPP_DEFAULT

matchaccess-groupnameCoPP_DEFAULT

Step2:ReviewtheACLsreferencedbythematchaccess-groupcommandstodetermineifthetrafficisbeingclassified

appropriately.Thefollowingisanexampleconfiguration:

ipaccess-listextendedCoPP_CRITICAL

remarkourcontrolplaneadjacenciesarecritical

permitospfhost[OSPFneighborA]any

permitospfhost[OSPFneighborB]any

permitpimhost[PIMneighborA]any

permitpimhost[PIMneighborB]any

permitpimhost[RPaddr]any

permitigmpany224.0.0.015.255.255.255

permittcphost[BGPneighbor]eqbgphost[localBGPaddr]

permittcphost[BGPneighbor]host[localBGPaddr]eqbgp

denyipanyany

ipaccess-listextendedCoPP_IMPORTANT

permittcphost[TACACSserver]eqtacacsany

permittcp[managementsubnet]0.0.0.255anyeq22

permitudphost[SNMPmanager]anyeqsnmp

permitudphost[NTPserver]eqntpany

denyipanyany

ipaccess-listextendedCoPP_NORMAL

remarkwewillwanttoratelimitICMPtraffic

permiticmpanyanyecho

permiticmpanyanyecho-reply

permiticmpanyanytime-exceeded

permiticmpanyanyunreachable

denyipanyany

ipaccess-listextendedCoPP_UNDESIRABLE

remarkothermanagementplanetrafficthatshouldnotbereceived

permitudpanyanyeqntp

permitudpanyanyeqsnmptrap

permittcpanyanyeq22

permittcpanyanyeq23

remarkothercontrolplanetrafficnotconfiguredonrouter

permiteigrpanyany

permitudpanyanyeqrip

denyipanyany

ipaccess-listextendedCoPP_DEFAULT

permitipanyany

router03

CiscoIOS15

Note:ExplicitlydefiningundesirabletrafficwithACLentriesenablesthenetworkoperatortocollectstatistics.ExcessiveARP

packetscanpotentiallymonopolizeRouteProcessorresources,starvingotherimportantprocesses.Currently,ARPistheonly

Layer2protocolthatcanbespecificallyclassifiedusingthematchprotocolcommand.

Step3:Reviewthepolicy-maptodetermineifthetrafficisbeingpolicedappropriatelyforeachclassification.Thefollowingis

anexampleconfiguration:

policy-mapCONTROL_PLANE_POLICY

classCoPP_CRITICAL

police5120008000conform-actiontransmitexceed-actiontransmit

classCoPP_IMPORTANT

police2560004000conform-actiontransmitexceed-actiondrop

classCoPP_NORMAL


classCoPP_UNDESIRABLE

police80001000conform-actiondropexceed-actiondrop

classcp-default-in


Step4:VerifythattheCoPPpolicyisenabled.Thefollowingisanexampleconfiguration:

control-plane

service-policyinputCONTROL_PLANE_POLICY

Note:StartingwithIOSrelease12.4(4)T,ControlPlaneProtection(CPPr)canbeusedtofilteraswellaspolicecontrolplane

trafficdestinedtotheRP.CPPrisverysimilartoCoPPandhastheabilitytofilterandpolicetrafficusingfinergranularityby

dividingtheaggregatecontrolplaneintothreeseparatecategories:(1)host,(2)transit,and(3)CEF-exception.Hence,a

separatepolicy-mapcouldbeconfiguredforeachtrafficcategory.

IfCoPPisnotsupported,thenthealternativewouldbetheimplementationofareceivepathfilter.

Step1:AreceivepathACLoraninboundACLoneachinterfacemustbeconfiguredtorestricttrafficdestinedtotherouter.

TheIOSIPReceiveACLfeatureprovidesfilteringcapabilityexplicitlyfortrafficthatisdestinedfortherouter.Verifythatthe

globalipreceiveaclstatementhasbeenconfiguredasshowninthefollowingexample:

ipreceiveacl199

Note:Iftheplatformdoesnotsupporttheipreceivepathaclfeature,aninboundACLoneachinterfacemustbeconfigured.

Step2:VerifythattheACLreferencedbytheipreceiveaclstatementrestrictsallcontrolplaneandmanagementplanetraffic.

TheACLconfigurationshouldlooksimilartothefollowing:

access-list199denyipanyanyfragments

access-list199remarkallowspecificmanagementplanetraffic

access-list199permittcp[managementsubnet]0.0.0.255anyeq22

access-list199permitudphost[SNMPmanager]anyeqsnmp

access-list199permittcphost[TACACSserver]eqtacacsany

access-list199permitudphost[NTPserver]eqntpany

access-list199permiticmp[managementsubnet]0.0.0.255any

access-list199remarkallowspecificcontrolplanetraffic

access-list199permitospfhost[OSPFneighborA]any

access-list199permitospfhost[OSPFneighborB]any

access-list199permitpimhost[PIMneighborA]any

access-list199permitpimhost[PIMneighborB]any

access-list199permitpimhost[RPaddr]any

access-list199permitigmpany224.0.0.015.255.255.255

access-list199permittcphost[BGPneighbor]eqbgphost[localBGPaddr]

access-list199permittcphost[BGPneighbor]host[localBGPaddr]eqbgp

access-list199remarkallothertrafficdestinedtothedeviceisdropped

access-list199denyipanyany

Note:IftheManagementPlaneProtection(MPP)featureisenabledforanOOBMinterface,therewouldbenopurposein

filteringthistrafficonthereceivepath.WithMPPenabled,nointerfacesexceptthemanagementinterfacewillacceptnetwork

managementtrafficdestinedtothedevice.Thisfeaturealsoprovidesthecapabilitytorestrictwhichmanagementprotocols

areallowed.SeeNET0992foradditionalconfigurationinformation.

V-

30577

PIMenabled

onwrong

interfaces

CATII IfIPv4orIPv6multicastroutingisenabled,ensurethatallinterfacesenabledforPIMisdocumentedinthenetwork’smulticast

topologydiagram.Reviewtherouterormulti-layerswitchconfigurationtodetermineifmulticastroutingisenabledandwhat

interfacesareenabledforPIM.

router03

CiscoIOS15

Step1:Determineifmulticastroutingisenabled.Bydefault,multicastisdisabledglobally.Thefollowingglobalconfiguration

commandswillenableIPv4andIPv6multicastrouting:

ipmulticast-routing

ipv6multicast-routing

Step2:PIMisenabledonaninterfacewitheitherofthefollowingcommands:ippimsparse-mode,ippimdense-mode,ippim

sparse-dense-mode.ReviewallinterfaceconfigurationsandverifythatonlytherequiredinterfacesareenabledforPIMas

documentedinthenetworktopologydiagram.

WithIPv4,PIMisdisabledbydefaultonallinterfaces.FollowingisanexampleofaninterfacewithPIMenabled.


ipaddress192.168.1.1255.255.255.0

ippimsparse-mode

YoucanalsoverifywhatIPv4interfacesareenabledforPIMwiththeshowippiminterfacecommand.

WithIPv6,PIMisenabledbydefaultonallIPv6-enabledinterfacesifIPv6multicastroutingisenabledontherouterviathe

globalipv6multicast-routingcommand.AninterfacecanbedisabledforPIMusingthenoipv6piminterfacecommand.


ipv6address2001:1:0:146::/64eui-64

noipv6pim

Youcanalsoverifywhatipv6interfacesareenabledforPIMwiththeshowipv6piminterfacecommand.

V-

30578

PIMneighbor

filterisnot

configured

CATII Reviewtherouterormulti-layerswitchtodetermineifeitherIPv4orIPv6multicastroutingisenabled.Ifeitherisenabled,

verifythatallinterfacesenabledforPIMhasaneighborfiltertoonlyacceptPIMcontrolplanetrafficfromthedocumented

routersaccordingtothemulticasttopologydiagram.

IPv4

Step1:VerifythatanACLisconfiguredthatwillspecifytheallowablePIMneighborssimilartothe

followingexample:

ipaccess-liststandardPIM_NEIGHBORS

permit192.0.2.1

permit192.0.2.3

denyanylog

Step2:Verifythatapimneighbor-filtercommandisconfiguredonallPIM-enabledinterfacesthatis

referencingthePIMneighborACLsimilartothefollowingexample:


ipaddress192.0.2.2255.255.255.0

ippimsparse-mode

ippimneighbor-filterPIM_NEIGHBORS

IPv6

Step1:VerifythatanACLisconfiguredthatwillspecifytheallowablePIMneighborssimilartothe

followingexample:

ipv6access-listPIM_NEIGHBORS

permithostFE80::1any

permithostFE80::3any

denyanyanylog

Note:IPv6PIMadjacenenciesarecreatedusingtherouterunicastlink-localaddresses

Step2:Verifythatapimneighbor-filterglobalcommandisconfigured

ipv6pimneighbor-filterlistPIM_NEIGHBORS

router03

CiscoIOS15

V-

31285

BGPmust

authenticate

allpeers.

CATII ConfigurethedevicetoauthenticateallBGPpeers. router03

V-

3972

VLAN1traffic

traverses

across

unnecessary

CATIII ReviewthedeviceconfigurationtodetermineifVLAN1isprunedfromalltrunkandaccessswitchports.

IfVLAN1isnotprunedfromtrunkoraccessswitchportswhereit'snotrequired,thisisafinding.

router03

trunk

V-

3973

Disabledports

arenotkeptin

anunused

VLAN.

CATIII ReviewthedeviceconfigurationtodetermineifalldisabledportshavebeenplacedintoanunusedVLAN.TheVLANmustnot

beVLAN1.

IfdisabledportsarenotassignedtoanunusedVLANorhavebeenplacedintoVLAN1,thisisafinding.

router03

V-

17825

Management

VLANhas

invalid

addresses

CATIII ReviewthemanagedswitchconfigurationandverifythatanaddresshasbeenconfiguredformanagementVLANfromspace

belongingtotheOOBMnetworkthathasbeenassignedtothatsite.

interfaceVLAN10

ipaddress10.1.1.10255.255.255.0


Note:TheIPaddressoftheswitchcanbeaccessedonlybynodesconnectedtoportsthatbelongtothemanagementVLAN.

AdefaultgatewayaddressasshownbelowmustbeconfiguredusingtheaddressoftheOOBMgatewayrouterinterface

connectingtotheOOBMaccessswitch.ThiswillensurethatallmanagementtrafficisforwardedtowardtheNOCusingthe

switchportattachedtotheOOBMaccessswitch.

ipdefault-gateway10.1.1.1

router03

V-

17827

The

management

VLANisnot

prunedfrom

trunklinks

CATIII ThemanagementVLANmustbeprunedfromanyVLANtrunklinksbelongingtothemanagednetwork’sinfrastructure.By

defaultalltheVLANsthatexistonaswitchareactiveonatrunklink.SincetheswitchisbeingmanagedviaOOBMconnection,

managementtrafficshouldnottraverseanytrunklinks.ThefollowingCatalystIOSconfigurationisanexampleofatrunklink

withthemanagementVLAN(i.e.10)prunedfromatrunk.

interfacefastEthernet0/1

switchporttrunkencapsulationdot1q

switchportmodedynamicdesirable

switchporttrunknativevlan3

switchporttrunkallowedvlan2-9

Thiscanalsobeverifiedwiththeshowinterfacetrunkcommandasshownbelow:

Switch-A#showinterfacetrunk

PortModeEncapsulationStatusNativevlan

Fa0/1desirable802.1qtrunking3

PortVlansallowedontrunk

Fa0/12-9

PortVlansinspanningtreeforwardingstateandnotpruned

Fa0/12-5

Note:VTPpruningallowstheswitchtonotforwardusertrafficforVLANsthatarenotactiveonaremoteswitch.Thisfeature

dynamicallyprunesunneededtrafficacrosstrunklinks.VTPpruningneedstobeenabledontheserverfortheVTPdomains—

afterwhichallVTPclientsintheVTPdomainwillautomaticallyenableVTPpruning.ToenableVTPpruningonaCiscoIOS

switch,youusethevtppruningVLANconfigurationorglobalconfigurationcommand.Since,themanagementVLANwillbe

activeonallmanagedswitchs,VTPwillneverprunethisVLAN.Hence,itwillhavetobemanuallyremovedasshownabove.

router03

V-

18544

Restricted

VLANnot

assignedto

non-802.1x

device.

CATIII ReviewthedeviceconfigurationtodetermineifaVLANhasbeenestablishedforprinters. router03

V-

3020

DNSservers

mustbe

definedfor

clientresolver.

CATIII ConfigurethedevicetoincludeDNSserversordisabledomainlookup. router03

V-

3070

Management

connections

mustbe

logged.

CATIII Configurethedevicetologallaccessattemptstothedevicetoestablishamanagementconnectionforadministrativeaccess. router03

CiscoIOS15

V-

3072

Runningand

startup

configurations

arenot

synchronized.

CATIII Reviewtherunningandbootconfigurationstodetermineiftheyaresynchronized.

IOSProcedure:Withonlineediting,the"showrunning-config"commandwillonlyshowthecurrentrunningconfiguration

settings,whicharedifferentfromtheIOSdefaults.The"showstartup-config"commandwillshowtheNVRAMstartup

configuration.Comparethetwoconfigurationstoensuretheyaresynchronized.

JUNOSProcedure:Thiswillneverbeafinding.Theactiveconfigurationisstoredonflashasjuniper.conf.Acandidate

configurationallowsconfigurationchangeswhileinconfigurationmodewithoutinitiatingoperationalchanges.Therouter

implementsthecandidateconfigurationwhenitiscommitted;thereby,makingitthenewactiveconfiguration--atwhichtime

itwillbestoredonflashasjuniper.confandtheoldjuniper.confwillbecomejuniper.conf.1.

Ifrunningconfigurationandbootconfigurationsarenotthesame,thisisafinding.

router03

CiscoIOS15

V-

3078

TCPandUDP

smallserver

servicesare

notdisabled.

CATIII ChangethedeviceconfigurationtoincludethefollowingIOScommands:noservicetcp-small-serversandnoserviceudp-

small-serversforeachdevicerunninganIOSversionpriorto12.0.ThisisthedefaultforIOSversions12.0andlater(i.e.,these

commandswillnotappearintherunningconfiguration.)

router03

V-

3079

Thefinger

serviceisnot

disabled.

CATIII ConfigurethedevicetodisabletheFingerservice. router03

V-

3083

IPdirected

broadcastis

notdisabled.

CATIII DisableIPdirectedbroadcastsonalllayer3interfaces. router03

V-

3086

TheBootp

serviceisnot

disabled.

CATIII ConfigurethedevicetodisableallBOOTPservices. router03

V-

4584

Thenetwork

elementmust

logall

messages

except

debugging.

CATIII Configurethenetworkdevicetologallmessagesexceptdebuggingandsendalllogdatatoasyslogserver. router03

V-

5614

ThePAD

serviceis

enabled.

CATIII ConfigurethedevicetodisablethePADservice. router03

V-

5615

TCPKeep-

Alivesmustbe

enabled.

CATIII ConfigurethedevicetoenableTCPKeep-Alives. router03

V-

7011

Theauxiliary

portisnot

disabled.

CATIII Reviewtheconfigurationandverifythattheauxiliaryportisdisabledunlessasecuredmodemprovidingencryptionand

authenticationisconnectedtoit.ThefollowingconfigurationdisablestheCiscoIOSauxiliaryport:

lineaux0

noexec

Note:Thecommandtransportinputnonemustbeconfiguredunderthelineaux0.However,thisisthedefaultandwillnot

beshownintherunningconfiguration.

router03

CiscoIOS15

V-

14667

Keyexpiration

exceeds180

days.

CATIII Reviewdeviceconfigurationforkeyexpirationsof180daysorless.

Ifrotatingkeysarenotconfiguredtoexpireat180daysorless,thisisafinding.

router03

CiscoIOS15

V-

14674

NTPtrafficis

notusing

loopback

addressor

OOB

Management

interface.

CATIII ConfigurethedevicetouseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingNTP

traffic.

router03

V-

14675

SNMPtraffic

doesnotuse

loopback

addressor

OOB

Management

interface.

CATIII ConfigurethedevicetouseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginating

SNMPtraffic.

CiscoIOS15

V-

14676

Netflowtraffic

isnotusing

loopback

address.

CATIII ReviewtheconfigurationandverifytheloopbackinterfaceaddressisusedasthesourceaddresswhenoriginatingNetFlow

traffic.IfthedeviceismanagedfromanOOBmanagementnetwork,theOOBinterfacemustbeusedinstead.The

configurationshouldlooksimilarasshowninthefollowingexample:

interfaceloopback0

ipaddress10.10.2.1255.255.255.255

…

…

ipflow-sampling-modepacket-interval100

ipflow-exportdestination192.168.3.339991

ipflow-exportsourceLoopback0

Note:IOSallowsmultipleloopbackinterfacestobedefined.

router03

CiscoIOS15

V-

14677

FTP/TFTP

trafficdoes

notuse

loopback

addressor

OOB

Management

interface.

CATIII ReviewtheconfigurationandverifyaloopbackinterfaceaddressisusedasthesourceaddresswhenoriginatingTFTPorFTP

traffic.

Router#showrun

Buildingconfiguration...

!

!

interfaceLoopback0

descriptionLoopbackinterface

router03

ipaddressx.x.x.x255.255.255.255

noipdirected-broadcast

!

...

iptelnetsource-interfaceLoopback0

iptftpsource-interfaceLoopback0

ipftpsource-interfaceLoopback0

IfthedeviceismanagedfromanOOBmanagementnetwork,theOOBinterfacemustbeusedinstead.

Router#showrun

Buildingconfiguration...

!

...

iptftpsource-interfacefe0/0

ipftpsource-interfacefe0/0

V-

14681

Loopback

addressisnot

usedasthe

iBGPsource

IP.

CATIII VerifythatthepeeringsessionwithiBGPneighborsusetheloopbackaddressasthesourceaddressasshownintheexample

below:

interfaceloopback0

ipaddress10.10.2.1255.255.255.255

…

routerbgp100

neighbor200.200.200.2remote-as200



neighbor10.10.2.2update-sourceLoopback0


neighbor10.10.2.3update-sourceLoopback0

router03

CiscoIOS15

V-

17823

The

management

interfaceis

notIGP

passive.

CATIII Ifthemanagednetworkelementisalayer3device,reviewtheconfigurationtoverifythemanagementinterfaceisconfigured

aspassivefortheIGPinstanceforthemanagednetwork.Dependingontheplatformandroutingprotocol,thismaysimply

requirethattheinterfaceoritsIPaddressisnotincludedintheIGPconfiguration.Thefollowingconfigurationwouldbean

examplewhereOSPFisonlyenabledonallinterfacesexceptthemanagementinterface:



ipaddress10.1.1.22255.255.255.0

ipaccess-group100in




ipaddress172.20.4.2255.255.255.0



ipaddress172.20.5.2255.255.255.0


descriptionto_our_DMZ

ipaddress172.20.3.1255.255.255.0

!

routerospf1

network172.20.0.0255.255.255.0area1

Note:TheMPPfeaturehasnoeffectoncontrolplanetraffic.Hence,theroutingprotocolmuststillbeconfiguredsothatitis

notenabledonthemanagementinterface.

router03

CiscoIOS15

V-

17836

Management

trafficisnot

classifiedand

marked

CATIII class-mapmatch-allMANAGEMENT-TRAFFIC

matchaccess-groupnameCLASSIFY-MANAGEMENT-TRAFFIC

!

policy-mapDIST-LAYER-POLICY

classMANAGEMENT-TRAFFIC

setipdscp48

!


descriptionlinktoLAN1

ipaddress192.168.1.1255.255.255.0

service-policyinputDIST-LAYER-POLICY


descriptionlinktoLAN2

ipaddress192.168.2.1255.255.255.0

service-policyinputDIST-LAYER-POLICY


descriptionlinktocore

ipaddress192.168.13.1255.255.255.0

router03

CiscoIOS15

!

ipaccess-listextendedCLASSIFY-MANAGEMENT-TRAFFIC

permitipany10.2.2.00.0.0.255

Note:Trafficismarkedusingthesetcommandinapolicymap.ForDSCPrewrite,ifapacketencountersbothinputand

outputclassificationpolicy,theoutputpolicyhasprecedence.Ifthereisnooutputpolicy,thentheinputpolicyhas

precedence.

V-

17837

Management

trafficdoesn't

getpreferred

treatment

CATIII Whenmanagementtrafficmusttraverseseveralnodestoreachthemanagementnetwork,ensurethatallcorerouterswithin

themanagednetworkhavebeenconfiguredtoprovidepreferredtreatmentformanagementtraffic.Thiswillensurethat

managementtrafficreceivesguaranteedbandwidthateachforwardingdevicealongthepathtothemanagementnetwork.

Step1:Verifythataservicepolicyisboundtoallcoreorinternalrouterinterfacesasshownintheconfigurationbelow:


ipaddress192.168.2.1255.255.255.0

service-policyoutputQoS-Policy


ipaddress192.168.1.1255.255.255.0

service-policyoutputQoS-Policy

Step2:Verifythattheclass-mapsplacemanagementtrafficintheappropriateforwardingclassasshownintheexample

below:

class-mapmatch-allbest-effort

matchipdscp0

class-mapmatch-anydata-AF13-AF23

matchipdscp14

matchipdscp22

class-mapmatch-anyvideo-AF33-AF43

matchipdscp30

matchipdscp38

class-mapmatch-allvoice-EF

matchipdscp46

class-mapmatch-allnetwork-control

matchipdscp48

Step3:Verifythattheclassesarereceivingtherequiredservice.

policy-mapQoS-Policy

classbest-effort

bandwidthpercent10

random-detectdscp-based

classdata-AF13-AF23

bandwidthpercent30


classvideo-AF33

bandwidthpercent15


classvideo-AF43

bandwidthpercent20


classvoice-EF

prioritypercent20

classnetwork-control

bandwidthpercent5


Note1:Thedscp-basedargumentenablesWREDtousetheDSCPvalueofapacketwhenitcalculatesthedropprobabilityfor

thepacket;whereasiftheprec-basedargumentisspecified,WREDwillusetheIPPrecedencevaluetocalculatedrop

probability.Ifneitherisspecified,thedefaultisprec-based.

Note2:LLQisenabledwiththeprioritycommandusingeitherakbpsvalueorabandwidthpercentageusingthepercent

keywordfollowedbyapercentagevalue.

Note3:Trafficthatdoesnotmeetthematchcriteriaspecifiedintheforwardingclassesistreatedasbelongingtothedefault

forwardingclass.Ifadefaultclassisnotconfigured,thedefaultclasshasnoQoSfunctionality.Thesepacketsarethenplaced

intoaFIFOqueueandforwardedataratedeterminedbytheavailableunderlyingbandwidth.ThisFIFOqueueismanagedby

taildrop—ameansofavoidingcongestionthattreatsalltrafficequallyanddoesnotdifferentiatebetweenclassesofservice.

Whentheoutputqueueisfullandtaildropisineffect,packetsaredroppeduntilthecongestioniseliminatedandthequeue

isnolongerfull.Thefollowingexampleconfiguresadefaultclasscalledpolicy1.

policy-mappolicy1

router03

CiscoIOS15

classclass-default

fair-queue10

queue-limit20

Thedefaultclassshownabovehasthesecharacteristics:10queuesfortrafficthatdoesnotmeetthematchcriteriaofother

classeswhosepolicyisdefinedbypolicy1,andamaximumof20packetsperqueuebeforetaildropisenactedtohandle

additionalqueuedpackets.

V-

19189

NoAdmin-

localorSite-

local

boundary

CATIII AnadministrativelyscopedIPmulticastregionisdefinedtobeatopologicalregioninwhichthereareoneormoreboundary

routerswithcommonboundarydefinitions.Sucharouterissaidtobeaboundaryformulticastscopedaddressesinthe

rangedefinedinitsconfiguration.Inordertosupportadministrativelyscopedmulticast,amulticastboundaryrouterwilldrop

multicasttrafficmatchinganinterface'sboundarydefinitionineitherdirection.

TheIPv4administrativescopedmulticastaddressspaceis239/8whichisdividedintotwoscopelevels:theLocalScopeand

OrganizationLocalScope.TheLocalScoperangeis239.255.0.0/16andcanexpandintothereservedranges239.254.0.0/16

and239.253.0.0/16if239.255.0.0/16isexhausted.TheIPv4OrganizationLocalScopeis239.192.0.0/14isthespacefrom

whichanorganizationshouldallocatesub-rangeswhendefiningscopesforprivateuse.Thisscopecanbeexpandedto

239.128.0.0/10,239.64.0.0/10,and239.0.0.0/10ifnecessary.ThescopeofIPv6multicastpacketsaredeterminedbythescope

valuewhere4(ffx4::/16)isAdmin-local,5(ffx5::/16)isSite-local,and8(ffx8::/16)isOrganization-local.

ReviewthemulticasttopologytodetermineanydocumentedAdmin-local(scope=4)orSite-local(scope=5)multicast

boundariesforIPv6trafficoranyLocal-scope(addressblock239.255.0.0/16)boundaryforIPv4traffic.Verifythatappropriate

boundariesareconfiguredontheapplicablemulticast-enabledinterfaces.

IPv4:

ThefollowingexamplewillestablishamulticastboundaryontheinterfacetoensurethatLocal-scopetrafficisnotallowed

intooroutoftheadministrativelyscopedIPv4multicastregion:

ipmulticast-routing

!


descriptionBoundaryformulticastregionA

ipaddress198.18.0.1255.255.255.0

ippimsparse-mode

ipmulticastboundaryMCAST_ADMIN_SCOPED_BOUNDARY

!

ipaccess-liststandardMCAST_ADMIN_SCOPED_BOUNDARY

deny239.255.0.00.255.255.255

permit224.0.0.015.255.255.255

!

Note:ThefilterusedbymulticastboundarycommandwilleffectmulticasttrafficoutsideoftheadministrativelyscopedIPv4

multicastspace.IfOrganizationLocalScopetrafficmustcrossthissiteboundary,includethenecessarypermitstatement

fromthisaddressrange(239.192.0.0255.252.0.0).Toallowglobalmulticasttraffictopassbythisboundary,ensurethatthe

filterwillpermittheglobaladdressspace(224.0.1.0-238.255.255.255)iftheenclavehasdeployedinter-domainmulticast

routing.

IPv6:

ThefollowingexamplewillestablishamulticastboundaryontheinterfacetoensurethatSite-localscopetrafficisnotallowed

intooroutoftheadministrativelyscopedIPv6multicastregion:


!


descriptionlinktoSiteA

ipv6address2001:1:0:146::/64eui-64

ipv6multicastboundaryscope5

Note:Filteringthescopevalueof5willensurethatanymulticasttrafficreceivedbytheinterfaceineitherdirectionwitha

scopeequaltoorlessthan5(Site-local)willbedropped.Hence,allSite-localandAdmin-localtrafficwillbedroppedwhile

allowingOrganization-local(scope=8)andglobalmulticasttraffic(scope=14)tobeforwardedforaninter-siteaswellas

inter-domainmulticastroutingdeployment.

router03

CiscoIOS15

V-

23747

TwoNTP

serversare

notusedto

synchronize

time.

CATIII ConfigurethedevicetousetwoseparateNTPservers. router03

CiscoIOS15

V-

30585

Invalidgroup

usedfor

sourcespecific

CATIII IANAhasreservedtheaddressrange232.0.0.0through232.255.255.255forSSMapplicationsandprotocols.However,Cisco

IOSallowsSSMconfigurationforanarbitrarysubsetoftheIPmulticastaddressrange224.0.0.0through239.255.255.255.

router03

CiscoIOS15

multicast IfIPv4orIPv6multicastroutingisenabled,determineifgimpversion3orMLDversion2isenabledforIPv4andIPv6

respectively.Ifenabled,thenPIM-SSMisalsoenabled.Hence,youmustverifythatonlytheIANAreservedSSMrangeof

addressesisusedforthisimplementation.TheSSMaddressrangeis232.0.0.0/8andFF3x::/32forIPv4andIPv6respectively.

Step1:Determineifmulticastroutingisenabled.Bydefault,multicastisdisabledglobally.Thefollowingglobalconfiguration

commandswillenableIPv4andIPv6multicastrouting:

ipmulticast-routing


Ifmulticastroutingisnotenabled,thisvulnerabilityisnotapplicable.

Step2:

IPv4

CheckinterfaceconnectedtomulticastsubscriberstodetermineifIGMPv3isenabled.Thisisrequiredforsubscriberstojoin

aspecificsource.Thefollowingipv4interfaceconfigurationwouldlookasfollows:

ipigmpversion3

or

ipigmpv3lite

IfIGMPv3isnotenabledforIPv4multicast,thisvulnerabilityisnotapplicable.

IPv6

MLDisautomaticallyenabledonaninterfacewhenIPv6PIMisenabledonaninterface.WithIPv6,PIMisenabledbydefault

onallIPv6-enabledinterfacesifIPv6multicastroutingisenabledontherouterviatheglobalipv6multicast-routingcommand.

AninterfacecanbedisabledforPIMusingthenoipv6piminterfacecommand.MLDcanalsobedisabledonIPv6PIM-enabled

interfaceswiththenoipv6mldrouterinterfacecommand.

FollowingisanexampleoftwoIPv6-enabledinterfaces.


ipv6address2001:1:0:146::/64eui-64


ipv6enable

MLDv2isthedefaultwithcurrentreleasesofIOS.InsomereleasesofIOS,theipv6mldversioncommandisnotavailable.You

canverifytheversionofMLDinterfacesviashowipv6mldinterfacecommand.IfMLDv2isnotenabledforIPv6multicast,this

vulnerabilityisnotapplicable.

Step3:

VerifythattheappropriatemulticastgroupsareusedforSSM.

IPv4

Thefollowingconfigurationwillallowallofthemulticastgroups232/8reservedforSSM:

ippimssmdefault

or

Thefollowingconfigurationwillonlyallowmulticastgroups232.4.0.0/24

access-list4permit232.4.0.00.0.0.255

ippimssmrange4

Note:Ifarangeisconfiguredasintheexampleshownabove,ensurethattherangeiswithintheIANAreservedrangeforSSM

groups.

IPv6

ThefollowingconfigurationwillallowallofthemulticastgroupsFF3x::/32reservedforSSMwherexisanyvalidscopevalue:

ipv6pimssmdefault

or

Table435:DISASTIGrecommendations

Thefollowingconfigurationwillonlyallowmulticastgroupswiththeff3e::1:0:0/96range:

ipv6access-listSSM_RANGEpermitanyff3e::1:0:0/96

ipv6pimssmrangeSSM_RANGE


6SANSPolicyCompliance6.1router03SANSPolicyComplianceAudit

6.1.1RouterPolicy

TheSANSrouterpolicydescribesarequiredminimalsecurityconfigurationforallroutersandswitchesconnectingtoaproductionnetworkorusedinaproductioncapacityatoronbehalfofNipperStudio.NipperStudioperformedaSANSrouterpolicycomplianceaudit(datedApril18th2007)ofthedevicerouter03.TheresultoftheauditisshowninTable436.

Table436:router03SANSrouterpolicycompliance

Ref Description Status

3.1 Nolocaluseraccountsareconfiguredonthedevice.DevicesmustuseTACACS+foralluserauthentication.

3.2 Theenablepasswordonthedevicemustbekeptinasecureencryptedform.Thedevicemusthavetheenablepasswordsettothecurrentproductiondevice

passwordfromthedevice'ssupportorganization

3.3a IPdirectedbroadcastsdisabled

3.3b IncomingpacketsatthedevicesourcedwithinvalidaddressessuchasRFC1918address

3.3c TCPsmallservicesdisabled

3.3d UDPsmallservicesdisabled

3.3e Allsourceroutingdisabled

3.3f Allwebservicesrunningonrouterdisabled

3.4 UsecorporatestandardizedSNMPcommunitystrings

3.5 Accessrulesaretobeaddedasbusinessneedsarise

3.6 Theroutermustbeincludedinthecorporateenterprisemanagementsystemwithadesignatedpointofcontact

3.7 Eachdevicemusthavethefollowingstatementpostedinclearview:"UNAUTHORIZEDACCESSTOTHISNETWORKDEVICEISPROHIBITED.Youmusthaveexplicit

permissiontoaccessorconfigurethisdevice.Allactivitiesperformedonthisdevicemaybelogged,andviolationsofthispolicymayresultindisciplinaryaction,

andmaybereportedtolawenforcement.Thereisnorighttoprivacyonthisdevice."

3.8 Telnetmayneverbeusedacrossanynetworktomanagearouter,unlessthereisasecuretunnelprotectingtheentirecommunicationpath.SSHisthepreferred

managementprotocol

6.1.2AuditLoggingPolicy

NipperStudioperformedanauditofrouter03againstthecontrolsdetailedintheSANSInformationSystemsAuditLoggingPolicy(2007).Thissectiondetailsthecomplianceofthedeviceagainstthatpolicy.

A-UnderlyingRequirements

Allsystemsthathandleconfidentialinformation,acceptnetworkconnections,ormakeaccesscontrol(authenticationandauthorization)decisionsshallrecordandretainaudit-logginginformationsufficienttorecordtheelementsdetailedinTable437.

Table437:router03auditloggingunderlyingrequirements


A.1 Whatactivitywasperformed?

A.2 Whoorwhatperformedtheactivity,includingwhereoronwhatsystemtheactivitywasperformedfrom(subject)?

A.3 Whattheactivitywasperformedon(object)?

A.4 Whenwastheactivityperformed?

A.5 Whattool(s)wastheactivitywasperformedwith?

A.6 Whatwasthestatus(suchassuccessvs.failure),outcome,orresultoftheactivity?

B-ActivitiestobeLogged

LogsshallbecreatedwheneveranyoftheactivitiesdetailedinTable438arerequestedtobeperformedbythesystem.

Table438:router03auditloggingactivities


B.1 Create,read,update,ordeleteconfidentialinformation,includingconfidentialauthenticationinformationsuchaspasswords

B.2 Create,update,ordeleteinformationnotcoveredinB.1

B.3 Initiateanetworkconnection

B.4 Acceptanetworkconnection

B.5 UserauthenticationandauthorizationforactivitiescoveredinB.1orB.2suchasuserloginandlogout

B.6 Grant,modify,orrevokeaccessrights,includingaddinganewuserorgroup,changinguserprivilegelevels,changingfilepermissions,changingdatabaseobject

permissions,changingfirewallrules,anduserpasswordchanges

B.7 System,network,orservicesconfigurationchanges,includinginstallationofsoftwarepatchesandupdates,orotherinstalledsoftwarechanges

B.8 Applicationprocessstartup,shutdown,orrestart

B.9 Applicationprocessabort,failure,orabnormalend,especiallyduetoresourceexhaustionorreachingaresourcelimitorthreshold(suchasforCPU,memory,

networkconnections,networkbandwidth,diskspace,orotherresources),thefailureofnetworkservicessuchasDHCPorDNS,orhardwarefault

B.10 Detectionofsuspicious/maliciousactivitysuchasfromanIDS/IPS,anti-virussystem,oranti-spywaresystem

C-ElementsoftheLog

LogsshallidentifyorcontainatleasttheelementslistedinTable439eitherdirectlyorindirectly.

Table439:router03auditloggingelements


C.1 Typeofaction-examplesincludeauthorize,create,read,update,delete,andacceptnetworkconnection

C.2 Subsystemperformingtheaction-examplesincludeprocessortransactionname,processortransactionidentifier

C.3 Identifiers(asmanyasavailable)forthesubjectrequestingtheaction-examplesincludeusername,computername,IPaddress,andMACaddress.Notethat

suchidentifiersshouldbestandardizedinordertofacilitatelogcorrelation

C.4 Identifiers(asmanyasavailable)fortheobjecttheactionwasperformedon-examplesincludefilenamesaccessed,uniqueidentifiersofrecordsaccessedina

database,queryparametersusedtodeterminerecordsaccessedinadatabase,computername,IPaddress,andMACaddress.Notethatsuchidentifiersshould

bestandardizedinordertofacilitatelogcorrelation

C.5 Beforeandaftervalueswhenactioninvolvesupdatingadataelement,iffeasible

C.6 Dateandtimetheactionwasperformed,includingrelevanttime-zoneinformationifnotinCoordinatedUniversalTime

C.7 Whethertheactionwasallowedordeniedbyaccess-controlmechanisms

C.8 Descriptionand/orreason-codesofwhytheactionwasdeniedbytheaccess-controlmechanism,ifapplicable

D-FormattingandStorage

Thesystemshallsupporttheformattingandstorageofauditlogsinsuchawayastoensuretheintegrityofthelogsandtosupportenterprise-levelanalysisandreporting.ThestatusofthisrequirementisshowninTable440.

Table440:router03auditloggingstorage


D Supportsenterpriselevelreportingandmaintainslogintegrity

6.1.3AuditCoverage

NipperStudioauditedrouter03againstthefollowingtwoSANSpolicies:

Routerpolicy(April18th2007);Informationsystemsauditloggingpolicy(2007).

NipperStudiocanconcludethefollowingstatisticsfromtheaudit(percentageshavebeenrounded);twocheckspassed(5%),eightchecksfailed(21%),28checksrequireamanualassessment(74%).


6.2CiscoIOS15SANSPolicyComplianceAudit

6.2.1RouterPolicy

TheSANSrouterpolicydescribesarequiredminimalsecurityconfigurationforallroutersandswitchesconnectingtoaproductionnetworkorusedinaproductioncapacityatoronbehalfofNipperStudio.NipperStudioperformedaSANSrouterpolicycomplianceaudit(datedApril18th2007)ofthedeviceCiscoIOS15.TheresultoftheauditisshowninTable441.

Table441:CiscoIOS15SANSrouterpolicycompliance


3.1 Nolocaluseraccountsareconfiguredonthedevice.DevicesmustuseTACACS+foralluserauthentication.

3.2 Theenablepasswordonthedevicemustbekeptinasecureencryptedform.Thedevicemusthavetheenablepasswordsettothecurrentproductiondevice

passwordfromthedevice'ssupportorganization

3.3a IPdirectedbroadcastsdisabled

3.3b IncomingpacketsatthedevicesourcedwithinvalidaddressessuchasRFC1918address

3.3c TCPsmallservicesdisabled

3.3d UDPsmallservicesdisabled

3.3e Allsourceroutingdisabled

3.3f Allwebservicesrunningonrouterdisabled

3.4 UsecorporatestandardizedSNMPcommunitystrings

3.5 Accessrulesaretobeaddedasbusinessneedsarise

3.6 Theroutermustbeincludedinthecorporateenterprisemanagementsystemwithadesignatedpointofcontact

3.7 Eachdevicemusthavethefollowingstatementpostedinclearview:"UNAUTHORIZEDACCESSTOTHISNETWORKDEVICEISPROHIBITED.Youmusthaveexplicit

permissiontoaccessorconfigurethisdevice.Allactivitiesperformedonthisdevicemaybelogged,andviolationsofthispolicymayresultindisciplinaryaction,

andmaybereportedtolawenforcement.Thereisnorighttoprivacyonthisdevice."

3.8 Telnetmayneverbeusedacrossanynetworktomanagearouter,unlessthereisasecuretunnelprotectingtheentirecommunicationpath.SSHisthepreferred

managementprotocol

6.2.2AuditLoggingPolicy

NipperStudioperformedanauditofCiscoIOS15againstthecontrolsdetailedintheSANSInformationSystemsAuditLoggingPolicy(2007).Thissectiondetailsthecomplianceofthedeviceagainstthatpolicy.

A-UnderlyingRequirements

Allsystemsthathandleconfidentialinformation,acceptnetworkconnections,ormakeaccesscontrol(authenticationandauthorization)decisionsshallrecordandretainaudit-logginginformationsufficienttorecordtheelementsdetailedinTable442.

Table442:CiscoIOS15auditloggingunderlyingrequirements


A.1 Whatactivitywasperformed?

A.2 Whoorwhatperformedtheactivity,includingwhereoronwhatsystemtheactivitywasperformedfrom(subject)?

A.3 Whattheactivitywasperformedon(object)?

A.4 Whenwastheactivityperformed?

A.5 Whattool(s)wastheactivitywasperformedwith?

A.6 Whatwasthestatus(suchassuccessvs.failure),outcome,orresultoftheactivity?

B-ActivitiestobeLogged

LogsshallbecreatedwheneveranyoftheactivitiesdetailedinTable443arerequestedtobeperformedbythesystem.


B.1 Create,read,update,ordeleteconfidentialinformation,includingconfidentialauthenticationinformationsuchaspasswords

B.2 Create,update,ordeleteinformationnotcoveredinB.1

B.3 Initiateanetworkconnection

B.4 Acceptanetworkconnection

B.5 UserauthenticationandauthorizationforactivitiescoveredinB.1orB.2suchasuserloginandlogout

B.6 Grant,modify,orrevokeaccessrights,includingaddinganewuserorgroup,changinguserprivilegelevels,changingfilepermissions,changingdatabaseobject

permissions,changingfirewallrules,anduserpasswordchanges

B.7 System,network,orservicesconfigurationchanges,includinginstallationofsoftwarepatchesandupdates,orotherinstalledsoftwarechanges

Table443:CiscoIOS15auditloggingactivities

B.8 Applicationprocessstartup,shutdown,orrestart

B.9 Applicationprocessabort,failure,orabnormalend,especiallyduetoresourceexhaustionorreachingaresourcelimitorthreshold(suchasforCPU,memory,

networkconnections,networkbandwidth,diskspace,orotherresources),thefailureofnetworkservicessuchasDHCPorDNS,orhardwarefault

B.10 Detectionofsuspicious/maliciousactivitysuchasfromanIDS/IPS,anti-virussystem,oranti-spywaresystem

C-ElementsoftheLog

LogsshallidentifyorcontainatleasttheelementslistedinTable444eitherdirectlyorindirectly.

Table444:CiscoIOS15auditloggingelements


C.1 Typeofaction-examplesincludeauthorize,create,read,update,delete,andacceptnetworkconnection

C.2 Subsystemperformingtheaction-examplesincludeprocessortransactionname,processortransactionidentifier

C.3 Identifiers(asmanyasavailable)forthesubjectrequestingtheaction-examplesincludeusername,computername,IPaddress,andMACaddress.Notethat

suchidentifiersshouldbestandardizedinordertofacilitatelogcorrelation

C.4 Identifiers(asmanyasavailable)fortheobjecttheactionwasperformedon-examplesincludefilenamesaccessed,uniqueidentifiersofrecordsaccessedina

database,queryparametersusedtodeterminerecordsaccessedinadatabase,computername,IPaddress,andMACaddress.Notethatsuchidentifiersshould

bestandardizedinordertofacilitatelogcorrelation

C.5 Beforeandaftervalueswhenactioninvolvesupdatingadataelement,iffeasible

C.6 Dateandtimetheactionwasperformed,includingrelevanttime-zoneinformationifnotinCoordinatedUniversalTime

C.7 Whethertheactionwasallowedordeniedbyaccess-controlmechanisms

C.8 Descriptionand/orreason-codesofwhytheactionwasdeniedbytheaccess-controlmechanism,ifapplicable

D-FormattingandStorage

Thesystemshallsupporttheformattingandstorageofauditlogsinsuchawayastoensuretheintegrityofthelogsandtosupportenterprise-levelanalysisandreporting.ThestatusofthisrequirementisshowninTable445.

Table445:CiscoIOS15auditloggingstorage


D Supportsenterpriselevelreportingandmaintainslogintegrity

6.2.3VPNPolicy

TheSANSVPNpolicy(2006)describesarequiredminimalsetofsecuritycontrolsforsecuringVPNaccess.NipperStudioperformedaSANSVPNpolicycomplianceaudit(2006)ofthedeviceCiscoIOS15.TheresultoftheauditisshowninTable446.

Table446:CiscoIOS15SANSVPNpolicycompliance


3.1 ItistheresponsibilityofemployeeswithVPNprivilegestoensurethatunauthorizedusersarenotallowedaccesstoNipperStudiointernalnetworks

3.2 VPNuseistobecontrolledusingeitheraone-timepasswordauthenticationsuchasatokendeviceorapublic/privatekeysystemwithastrongpassphrase

3.3 Whenactivelyconnectedtothecorporatenetwork,VPNswillforcealltraffictoandfromthePCovertheVPNtunnel:allothertrafficwillbedropped

3.4 Dual(split)tunnelingisNOTpermitted;onlyonenetworkconnectionisallowed

3.5 VPNgatewayswillbesetupandmanagedbyNipperStudionetworkoperationalgroups

3.6 AllcomputersconnectedtoNipperStudiointernalnetworksviaVPNoranyothertechnologymustusethemostup-to-dateanti-virussoftwarethatisthe

corporatestandard(provideURLtothissoftware);thisincludespersonalcomputers

3.7 VPNuserswillbeautomaticallydisconnectedfromNipperStudio'snetworkafterthirtyminutesofinactivity.Theusermustthenlogonagaintoreconnecttothe

network.Pingsorotherartificialnetworkprocessesarenottobeusedtokeeptheconnectionopen

3.8 TheVPNconcentratorislimitedtoanabsoluteconnectiontimeof24hours

3.9 UsersofcomputersthatarenotNipperStudio-ownedequipmentmustconfiguretheequipmenttocomplywithNipperStudio'sVPNandNetworkpolicies

3.10 OnlyInfoSec-approvedVPNclientsmaybeused

3.11 ByusingVPNtechnologywithpersonalequipment,usersmustunderstandthattheirmachinesareadefactoextensionofNipperStudio'snetwork,andassuch

aresubjecttothesamerulesandregulationsthatapplytoNipperStudio-ownedequipment,i.e.,theirmachinesmustbeconfiguredtocomplywithInfoSec's

SecurityPolicies

6.2.4AuditCoverage

NipperStudioauditedCiscoIOS15againstthefollowingthreeSANSpolicies:

Routerpolicy(April18th2007);Informationsystemsauditloggingpolicy(2007);VPNpolicy(2006).

NipperStudiocanconcludethefollowingstatisticsfromtheaudit(percentageshavebeenrounded);sevencheckspassed(14%),fourchecksfailed(8%),38checksrequireamanualassessment(78%).


7PCIAudit7.1Introduction

NipperStudioperformedaPCIcomplianceauditon2March2017.TheauditwasperformedbycollectinginformationrelevanttotherequirementsandsecurityassessmentproceduresofPCIDataSecurityStandard(DSS)fromtheselecteddevices.PCIDSSprovidesabaselineoftechnicalandoperationalrequirementsdesignedtoprotectcardholderdata.Inordertoadhereto'all'therequirementsofthePCIDSSstandardcompletely,youwillrequireothertoolsandsecurityprocedurestobeimplemented.


7.2Requirement1:Installandmaintainafirewallconfigurationtoprotectcardholderdata

Description

Firewallsaredevicesthatcontrolcomputertrafficallowedbetweenanentity'snetworks(internal)anduntrustednetworks(external),aswellastrafficintoandoutofmoresensitiveareaswithinanentity'sinternaltrustednetworks.Thecardholderdataenvironmentisanexampleofamoresensitiveareawithinanentity'strustednetwork.

Afirewallexaminesallnetworktrafficandblocksthosetransmissionsthatdonotmeetthespecifiedsecuritycriteria.

Allsystemsmustbeprotectedfromunauthorizedaccessfromuntrustednetworks,whetherenteringthesystemviatheInternetase-commerce,employeeInternetaccessthroughdesktopbrowsers,employeee-mailaccess,dedicatedconnectionssuchasbusiness-to-businessconnections,viawirelessnetworks,orviaothersources.Often,seeminglyinsignificantpathstoandfromuntrustednetworkscanprovideunprotectedpathwaysintokeysystems.Firewallsareakeyprotectionmechanismforanycomputernetwork.

Othersystemcomponentsmayprovidefirewallfunctionality,aslongastheymeettheminimumrequirementsforfirewallsasdefinedinRequirement1.Whereothersystemcomponentsareusedwithinthecardholderdataenvironmenttoprovidefirewallfunctionality,thesedevicesmustbeincludedwithinthescopeandassessmentofRequirement1

PCIDSSRequirements TestingProcedures Guidance Result

Requirement1.1.6Documentationof

businessjustification

andapprovalforuseof

allservices,protocols,

andportsallowed,

including

documentationof

securityfeatures

implementedforthose

protocolsconsideredto

beinsecure.

1.1.6.aVerifythatfirewallandrouter

configuration

standardsincludea

documentedlistofall

services,protocols

andports,including

businessjustification

andapprovalfor

each.

Compromisesoftenhappenduetounusedorinsecureserviceandports,sincetheseoftenhaveknownvulnerabilities

andmanyorganizationsdon'tpatchvulnerabilitiesfortheservices,protocols,andportstheydon'tuse(eventhough

thevulnerabilitiesarestillpresent).Byclearlydefininganddocumentingtheservices,protocols,andportsthatare

necessaryforbusiness,organizationscanensurethatallotherservices,protocols,andportsaredisabledor

removed.Approvalsshouldbegrantedbypersonnelindependentofthepersonnelmanagingtheconfiguration.If

insecureservices,protocols,orportsarenecessaryforbusiness,theriskposedbyuseoftheseprotocolsshouldbe

clearlyunderstoodandacceptedbytheorganization,theuseoftheprotocolshouldbejustified,andthesecurity

featuresthatallowtheseprotocolstobeusedsecurelyshouldbedocumentedandimplemented.Iftheseinsecure

services,protocols,orportsarenotnecessaryforbusiness,theyshouldbedisabledorremoved.Forguidanceon

services,protocols,orportsconsideredtobeinsecure,refertoindustrystandardsandguidance(e.g.,NIST,ENISA,

OWASP,etc.).

Data

Collected

1.1.6.bIdentifyinsecureservices,

protocols,andports

allowed;andverify

thatsecurityfeatures

aredocumentedfor

eachservice.

1.1.6.cExamine

1.1.6.cExamine

firewallandrouter

configurationsto

verifythatthe

documentedsecurity

featuresare

implementedfor

eachinsecure

service,protocol,and

port.

Requirement1.2.1Restrictinboundand

outboundtraffictothat

whichisnecessaryfor

thecardholderdata

environment,and

specificallydenyall

othertraffic.

1.2.1.aExamine

firewallandrouter

configuration

standardstoverify

thattheyidentify

inboundand

outboundtraffic

necessaryforthe

cardholderdata

environment.

Examinationofallinboundandoutboundconnectionsallowsforinspectionandrestrictionoftrafficbasedonthe

sourceand/ordestinationaddress,thuspreventingunfilteredaccessbetweenuntrustedandtrustedenvironments.

Thispreventsmaliciousindividualsfromaccessingtheentity'snetworkviaunauthorizedIPaddressesorfromusing

services,protocols,orportsinanunauthorizedmanner(forexample,tosenddatathey'veobtainedfromwithinthe

entity'snetworkouttoanuntrustedserver).Implementingarulethatdeniesallinboundandoutboundtrafficthatis

notspecificallyneededhelpstopreventinadvertentholesthatwouldallowunintendedandpotentiallyharmfultraffic

inorout.

1.2.1.bExamine

firewallandrouter

configurationsto

verifythatinbound

andoutboundtraffic

islimitedtothat

whichisnecessary

forthecardholder

dataenvironment.

1.2.1.cExamine

firewallandrouter

configurationsto

verifythatallother

inboundand

outboundtrafficis

specificallydenied,

forexamplebyusing

anexplicit“denyall”

oranimplicitdeny

afterallow

statement.

Data

Collected

7.2.1SecureandInsecureServices

NipperStudioidentifiedelevenuniqueservicesalongwiththeirtransportprotocolsandportnumbers.Theseshouldbeanalysedtoensurejustificationandapprovalisavailableforeach,inordertomeettestingprocedure1.1.6.a.

ServiceName Protocol Port Enabled Devices

BOOTPService UDP 67 Enabled router03

CiscoIOS15

SNMPService UDP 161 Enabled router03

CiscoIOS15

TCPSmallServers TCP Multiple Enabled router03

CiscoIOS15

UDPSmallServers UDP Multiple Enabled router03

CiscoIOS15

FingerService TCP 79 Enabled router03

CiscoIOS15

WebAdministrationService(HTTP) TCP 80 Enabled router03

CiscoIOS15

NTPService UDP 123 Disabled router03

CiscoIOS15

SSHService TCP 22 Disabled router03

CiscoIOS15

RSHService TCP 514 Disabled router03

CiscoIOS15

Table448:PCIDSSUniqueServices

TelnetService TCP 23 Disabled router03

CiscoIOS15

WebAdministrationService(HTTPS) TCP 443 Disabled router03

CiscoIOS15


7.2.2ExplicitDenyRulesinConfigurations

NipperStudiofoundtwodeviceswithfilterliststorestrictnetworktraffic.Explicitdenyall’sorimplicitdeniesafterallowstatementsmustbefoundonallfilterlistsinordertocomplywithtestingprocedure1.2.1.c.

ExplicitDenyRule-router03

Onrouter03,sixfilterlistswereidentified.theywerefoundtobemissinganexplicitdenyall,oranimplicitdenyafteranallowstatement.

Table449:PCIDSSRequirements1.2.1-router03

AccessList RuleNumber ExplicitDeny

named-acl-1 N/A

named-acl-2 N/A

cp-critical-in 36

110 N/A

120 N/A

40 N/A

ExplicitDenyRule-CiscoIOS15

OnCiscoIOS15,ninefilterlistswereidentified.theywerefoundtobemissinganexplicitdenyall,oranimplicitdenyafteranallowstatement.

Table450:PCIDSSRequirements1.2.1-CiscoIOS15

AccessList RuleNumber ExplicitDeny

named-acl-1 N/A

named-acl-2 N/A

cp-critical-in 36

110 N/A

120 N/A

40 N/A

1 N/A

3 N/A

18 N/A



7.3Requirement2:Donotusevendor-supplieddefaultsforsystempasswordsandothersecurityparameters

Description

Maliciousindividuals(externalandinternaltoanentity)oftenusevendordefaultpasswordsandothervendordefaultsettingstocompromisesystems.Thesepasswordsandsettingsarewellknownbyhackercommunitiesandareeasilydeterminedviapublicinformation.


Requirement2.1Alwayschangevendor-supplieddefaultsand

removeordisableunnecessary

defaultaccountsbefore

installingasystemonthe

network.

ThisappliestoALLdefault

passwords,includingbutnot

limitedtothoseusedby

2.1.aChooseasampleofsystemcomponents,andattempt

tologon(withsystemadministratorhelp)tothedevices

andapplicationsusingdefaultvendor-suppliedaccounts

andpasswords,toverifythatALLdefaultpasswords

(includingthoseonoperatingsystems,softwarethat

providessecurityservices,applicationandsystemaccounts,

POSterminals,andSimpleNetworkManagementProtocol

(SNMP)communitystrings)havebeenchanged.(Usevendor

manualsandsourcesontheInternettofindvendor-

Maliciousindividuals(externalandinternaltoanorganization)often

usevendordefaultsettings,accountnames,andpasswordsto

compromiseoperatingsystemsoftware,applications,andthesystems

onwhichtheyareinstalled.Becausethesedefaultsettingsareoften

publishedandarewellknowninhackercommunities,changingthese

settingswillleavesystemslessvulnerabletoattack.Evenifadefault

accountisnotintendedtobeused,changingthedefaultpasswordtoa

stronguniquepasswordandthendisablingtheaccountwillpreventa

maliciousindividualfromre-enablingtheaccountandgainingaccess

Data

Collected

operatingsystems,softwarethat

providessecurityservices,

applicationandsystemaccounts,

point-of-sale(POS)terminals,

paymentapplications,Simple

NetworkManagementProtocol

(SNMP)communitystrings,etc.).

suppliedaccounts/passwords.)

withthedefaultpassword.

2.1.bForthesampleofsystemcomponents,verifythatall

unnecessarydefaultaccounts(includingaccountsusedby

operatingsystems,securitysoftware,applications,systems

POSterminals,SNMP,etc.)areremovedordisabled.

2.1.cInterviewpersonnelandexaminesupporting

documentationtoverifythat:

Allvendordefaults(includingdefaultpasswordson

operatingsystems,softwareprovidingsecurityservices,

applicationandsystemaccounts,POSterminals,Simple

NetworkManagementProtocol(SNMP)communitystrings,

etc.)arechangedbeforeasystemisinstalledonthe

network.

Unnecessarydefaultaccounts(includingaccountsusedby

operatingsystems,securitysoftware,applications,systems,

POSterminals,SNMP,etc.)areremovedordisabledbefore

asystemisinstalledonthenetwork.

Requirement2.3Encryptallnon-consoleadministrative

accessusingstrong

cryptography.

Note:WhereSSL/earlyTLSis

used,therequirementsin

AppendixA2mustbecompleted.

2.3Selectasampleofsystemcomponentsandverifythat

non-consoleadministrativeaccessisencryptedby

performingthefollowing:

Ifnon-console(includingremote)administrationdoesnotusesecure

authenticationandencryptedcommunications,sensitiveadministrative

oroperationallevelinformation(likeadministrator'sIDsand

passwords)canberevealedtoaneavesdropper.Amaliciousindividual

couldusethisinformationtoaccessthenetwork,become

administrator,andstealdata.

Clear-textprotocols(suchasHTTP,telnet,etc.)donotencrypttrafficor

logondetails,makingiteasyforaneavesdroppertointerceptthis

information.Tobeconsidered“strongcryptography,”

industryrecognizedprotocolswithappropriatekeystrengthsandkey

managementshouldbeinplaceasapplicableforthetypeof

technologyinuse.(Referto"strongcryptography"inthePCIDSSand

PA-DSSGlossaryofTerms,Abbreviations,andAcronyms,andindustry

standardsandbestpracticessuchasNISTSP800-52andSP800-57,OWASP,etc.)

2.3.aObserveanadministratorlogontoeachsystemand

examinesystemconfigurationstoverifythatastrong

encryptionmethodisinvokedbeforetheadministrator's

passwordisrequested.

2.3.bReviewservicesandparameterfilesonsystemsto

determinethatTelnetandotherinsecureremote-login

commandsarenotavailablefornon-consoleaccess.

Data

Collected

2.3.cObserveanadministratorlogontoeachsystemto

verifythatadministratoraccesstoanyweb-based

managementinterfacesisencryptedwithstrong

cryptography.

Data

Collected

2.3.dExaminevendordocumentationandinterview

personneltoverifythatstrongcryptographyforthe

technologyinuseisimplementedaccordingtoindustrybest

practicesand/orvendorrecommendations.

2.3.eIfSSL/earlyTLSisused,performtestingproceduresin

AppendixA2:AdditionalPCIDSSRequirementsforEntities

usingSSL/EarlyTLS.

7.3.1Defaultauthenticationremovedfromdevices

NipperStudiofoundthefollowingaccounts,passwords,keysandcommunitystringspresentonthedevices.Inordertomeettestingprocedure2.1.a,it

shouldbeensuredthatalldefaultaccountsandpasswordshavebeenchanged.Inordertomeettestingprocedure2.1.b,itisrequiredthatallunnecessarydefaultaccountshavebeenremovedordisabled.

Lines(router03)

Table452:Lines(router03)

Type Password

Console password

Auxiliary password

VTY0-4 password

LocalUsers(router03)

Table453:LocalUsers(router03)

User Password

enable(password) cisco

temp password

testuser password

localuser password

ConsoleLine password

Auxiliary password

VTY0-4Line password

SNMPCommunities(router03)

Table454:SNMPCommunities(router03)

Community Access Version

public ReadOnly 1


RoutingKeys(router03)

Table455:RoutingKeys(router03)

Chain RoutingKey

testchain password

routing-chain cisco

GLBPKeys(router03)

Table456:GLBPKeys(router03)

ID GLBPKey

1 Passw0rd

HSRPKeys(router03)

Table457:HSRPKeys(router03)

ID HSRPKey

1 Passw0rd

VRRPKeys(router03)

Table458:VRRPKeys(router03)

ID VRRPKey

1 password

BGPNeighbors(router03)

NeighborAddress Password BGPNeighbors router03

router01 (NOPASSWORD)

Lines(CiscoIOS15)

Table460:Lines(CiscoIOS15)

Type Password

Console (NOPASSWORD)

Auxiliary (NOPASSWORD)

Interface0/0/0 (NOPASSWORD)

VTY0-4 password

VTY5-807 (NOPASSWORD)

LocalUsers(CiscoIOS15)

Table461:LocalUsers(CiscoIOS15)

User Password

enable(secret) (ENCRYPTED)

enable(password) password

admin (ENCRYPTED)

Test (ENCRYPTED)

VTY0-4Line password

Tacacs+Servers(CiscoIOS15)

Table462:Tacacs+Servers(CiscoIOS15)

Server Key

18.1.1.1:49 (NOPASSWORD)

SNMPCommunities(CiscoIOS15)

Table463:SNMPCommunities(CiscoIOS15)

Community Access Version

Testcom ReadOnly 1

cisCommunity ReadOnly 1

trapString ReadOnly 1

RoutingKeys(CiscoIOS15)

Table464:RoutingKeys(CiscoIOS15)

Chain RoutingKey

keychain key

BGPNeighbors(CiscoIOS15)

NeighborAddress Password BGPNeighbors CiscoIOS15

1.1.1.1 password 1.2.3.4 password


7.3.2Devicescryptographystrength

NipperStudiofoundtwodeviceswherenon-consoleinsecureremote-loginserviceswereavailable.Insecureinstancesshouldbedisabledinordertomeettestingprocedure2.3.b.

Table466:Devicesusinginsecureprotocols

Device InsecureSSH InsecureSNMP FtpEnabled TelnetEnabled

router03 False¹ True² False False

CiscoIOS15 False¹ True² False False

¹SSHv1isknowntobeinsecure.

²SNMPv1andSNMPv2areknowntobeinsecure


NipperStudiofoundonedevicewhereadministratoraccesstoaweb-basedmanagementinterfacewasnotencryptedwithstrongcryptography.Accessshouldbeencryptedinordertomeettestingprocedure2.3.c.

Table467:DevicesthatusecleartextHTTPprotocols

Device Status

router03 UsesinsecureHTTPprotocols¹

¹HTTPprotocolsareenabledbutnotHTTPSprotocols



7.4Requirement6:Developandmaintainsecuresystemsandapplications

Description

Unscrupulousindividualsusesecurityvulnerabilitiestogainprivilegedaccesstosystems.Manyofthesevulnerabilitiesarefixedbyvendor-providedsecuritypatches,whichmustbeinstalledbytheentitiesthatmanagethesystems.Allsystemsmusthaveallappropriatesoftwarepatchestoprotectagainsttheexploitationandcompromiseofcardholderdatabymaliciousindividualsandmalicioussoftware.

Note:Appropriatesoftwarepatchesarethosepatchesthathavebeenevaluatedandtestedsufficientlytodeterminethatthepatchesdonotconflictwithexistingsecurityconfigurations.Forin-housedevelopedapplications,numerousvulnerabilitiescanbeavoidedbyusingstandardsystemdevelopmentprocessesandsecurecodingtechniques.


Requirement6.2Ensurethatallsystemcomponentsandsoftwareareprotectedfrom

knownvulnerabilitiesbyinstallingapplicable

vendor-suppliedsecuritypatches.Install

criticalsecuritypatcheswithinonemonthof

release.

Note:Criticalsecuritypatchesshouldbe

identifiedaccordingtotheriskranking

processdefinedinRequirement6.1.

6.2.aExaminepoliciesandprocedures

relatedtosecurity-patchinstallationto

verifyprocessesaredefinedfor:

Installationofapplicablecritical

vendor-suppliedsecuritypatches

withinonemonthofrelease.

Installationofallapplicable

vendor-suppliedsecuritypatches

withinanappropriatetimeframe

(forexample,withinthree

months).

Thereisaconstantstreamofattacksusingwidelypublishedexploits,often

called""zeroday""(anattackthatexploitsapreviouslyunknownvulnerability),

againstotherwisesecuredsystems.Ifthemostrecentpatchesarenot

implementedoncriticalsystemsassoonaspossible,amaliciousindividualcan

usetheseexploitstoattackordisableasystem,orgainaccesstosensitive

data.

Prioritizingpatchesforcriticalinfrastructureensuresthathigh-prioritysystems

anddevicesareprotectedfromvulnerabilitiesassoonaspossibleaftera

patchisreleased.Considerprioritizingpatchinstallationssuchthatsecurity

patchesforcriticalorat-risksystemsareinstalledwithin30days,andotherlower-riskpatchesareinstalledwithin2-3months.

Thisrequirementappliestoapplicablepatchesforallinstalledsoftware,

includingpaymentapplications(boththosethatarePA-DSSvalidatedand

thosethatarenot).

6.2.bForasampleofsystem

componentsandrelatedsoftware,

comparethelistofsecuritypatches

installedoneachsystemtothemost

recentvendorsecurity-patchlist,to

verifythefollowing:

Thatapplicablecriticalvendor-

suppliedsecuritypatchesare

installedwithinonemonthof

release.

Allapplicablevendor-supplied

securitypatchesareinstalled

withinanappropriatetimeframe

(forexample,withinthree

months).

Data

Collected

7.4.1Deviceoperatingsystems

NipperStudiohasidentifiedtheoperatingsystemsandversionsrunningonthedevicesbelow.It'simportanttoensurethatthedeviceshavethecorrect

securitypatchesapplied.Inordertomeetthetestingprocedure6.2.b,itshouldbecheckedthatallcriticalvendor-suppliedsecuritypatcheshavebeinstalledwithinonemonthofrelease,andthatproceduresareinplacetoinstallallotherapplicablevendor-suppliedsecuritypatches.

Table469:DeviceOperatingSystemVersions

DeviceName DeviceModel OSVersion

router03 Router IOS12.3

CiscoIOS15 Router IOS15.0



7.5Requirement10:Trackandmonitorallaccesstonetworkresourcesandcardholderdata

Description

Loggingmechanismsandtheabilitytotrackuseractivitiesarecriticalinpreventing,detecting,orminimizingtheimpactofadatacompromise.Thepresenceoflogsinallenvironmentsallowsthoroughtracking,alerting,andanalysiswhensomethingdoesgowrong.Determiningthecauseofacompromiseisverydifficult,ifnotimpossible,withoutsystemactivitylogs.


Requirement10.4.1Criticalsystemshave

thecorrectandconsistenttime.

10.4.1.aExaminetheprocessforacquiring,distributingandstoringthecorrecttimewithintheorganizationto

verifythat:

Onlythedesignatedcentraltimeserver(s)receivestimesignalsfromexternalsources,andtimesignals

fromexternalsourcesarebasedonInternationalAtomicTimeorUTC.

Wherethereismorethanonedesignatedtimeserver,thetimeserverspeerwithoneanothertokeep

accuratetime,

Systemsreceivetimeinformationonlyfromdesignatedcentraltimeserver(s).

Data

Collected

10.4.1.bObservethetime-relatedsystem-parametersettingsforasampleofsystemcomponentstoverify:

Onlythedesignatedcentraltimeserver(s)receivestimesignalsfromexternalsources,andtimesignals

fromexternalsourcesarebasedonInternationalAtomicTimeorUTC.

Wherethereismorethanonedesignatedtimeserver,thedesignatedcentraltimeserver(s)peerwith

oneanothertokeepaccuratetime.

Systemsreceivetimeonlyfromdesignatedcentraltimeserver(s).

Requirement10.4.2Timedatais

protected.

10.4.2.aExaminesystemconfigurationsandtime-synchronizationsettingstoverifythataccesstotimedatais

restrictedtoonlypersonnelwithabusinessneedtoaccesstimedata.

Data

Collected

10.4.2.bExaminesystemconfigurations,timesynchronizationsettingsandlogs,andprocessestoverifythat

anychangestotimesettingsoncriticalsystemsarelogged,monitored,andreviewed.

7.5.1Systemtimesarecorrect

NipperStudiodetectedtwoNTPserverspresentonthedevices.Theintegrityoftheseshouldbeanalysedinordertomeetthetestingprocedureof10.4.1.a

Table471:router03NTPServerList

Address Description Interface Version AuthorizationKey

1.1.1.1 3 (NOPASSWORD)

Table472:CiscoIOS15NTPServerList

Address Description Interface Version AuthorizationKey

11.11.11.11 3 (ENCRYPTED)


7.5.2Timesynchronizationsettingsarerestricted

NipperStudiofoundoneNTPclientpresentonthedevices.Theintegrityofthefollowingshouldbeanalysedinordertomeetthetestingprocedureof10.4.2.b.

Table473:CiscoIOS15NTPServersAndPeerswithKnownRestrictions

Address Interface Key

11.11.11.11 (ENCRYPTED)



8FilteringComplexityReport8.1Introduction

Thissectionlooksatthecomplexityofthenetworkfilteringconfiguration,highlightingareasthatcouldbesimplified.ThedeviceslistedinTable474wereincludedinthisaudit.

Table474:Filteringcomplexitydevicelist

Device Name OS




8.2UnassignedFilterRuleListsWereConfigured

8.2.1Overview

NipperStudioreviewedthenetworkfilteringandidentifiedanumberoffilterruleliststhathadnotbeenassignedtoaspecificrole.Whilstsomenetworkdeviceshaveasinglefilterrulelistthatdefinesallaccess,othersusemultiplefilterruleliststhatareassignedtospecifictaskssuchasVPNaccess,administrativeserviceaccessorgeneralnetworkfiltering.Unassignedfilterrulelistsarethosethathavebeenconfiguredbuthavenotbeenassignedtoaparticularroleandthereforearenotused.

8.2.2router03CiscoRouter

NipperStudioidentifiedfiveunassignedfilterrulelistsonrouter03.Thoseunassignedfilterrulelistswere:

ExtendedInternetProtocolversion4(IPv4)ACLnamed-acl-1;ExtendedIPv4ACLnamed-acl-2;ExtendedIPv4ACLcp-critical-in;ExtendedIPv4ACL110;ExtendedIPv4ACL120.

8.2.3CiscoIOS15CiscoRouter

NipperStudioidentifiedsixunassignedfilterrulelistsonCiscoIOS15.Thoseunassignedfilterrulelistswere:

ExtendedIPv4ACLnamed-acl-1;ExtendedIPv4ACLnamed-acl-2;ExtendedIPv4ACLcp-critical-in;ExtendedIPv4ACL110;ExtendedIPv4ACL120;StandardIPv4ACL40.


8.3FilterRulesContradictOtherRules

8.3.1Overview

WhenreviewingthenetworkfilteringrulesNipperStudioidentifiedfilterrulesthatcontradictedotherfilterrules.Thefirstrulethatmatchesthenetworktrafficistheonethatisusedforfilteringthenetworktraffic,sothereforeanysubsequentrulesthatareconfiguredtopermitordenythesametrafficwillberedundant.

AnexampleofcontradictingruleswouldbewherearulepermitsaccesstoHTTPSandSSHandislaterfollowedinthesamerulelistbyarulethatdeniesaccesstoSSHforthesamesourceanddestinationaddresses.


NipperStudioidentifiedsixcontradictingrulesconfiguredonrouter03.Thosecontradictingfilterrulesaredetailedbelow.

Rule Action Protocol Source SrcPort Destination DstPort Log

1 Any 172.168.2.3 Any Any Any No

Thefollowingruleiscontradictory.

Table475:ExtendedIPv4ACLnamed-acl-1rulescontradictingrule1

3 Any Any Any Any Any No






Table477:ExtendedIPv4ACL120rulescontradictingrule1


1 Any 50.60.0.0/16 Any Any Any No


8 TCP Any Any 192.168.30.56 9876 No



2 TCP Any 21 Any Any Yes


8 TCP Any Any 192.168.30.56 9876 No



6 TCP Any Any 192.168.30.56 9876 No


8 TCP Any Any 192.168.30.56 9876 No



7 TCP Any Any Any 9876 No


8 TCP Any Any 192.168.30.56 9876 No


NipperStudioidentifiedsixcontradictingrulesconfiguredonCiscoIOS15.Thosecontradictingfilterrulesaredetailedbelow.














8 TCP Any Any 192.168.30.56 9876 No






8 TCP Any Any 192.168.30.56 9876 No



6 TCP Any Any 192.168.30.56 9876 No


8 TCP Any Any 192.168.30.56 9876 No





8 TCP Any Any 192.168.30.56 9876 No


8.4FilterRulesOverlapOtherRules

8.4.1Overview

WhenreviewingthenetworkfilteringrulesNipperStudioidentifiedfilterrulesthatoverlapwithotherfilterrules.Thefirstrulethatmatchesthenetworktrafficistheonethatisusedforfilteringthenetworktraffic,sothereforeanysubsequentrulesthatareconfiguredtopermitordenythesametrafficwillberedundant.

AnexampleofrulesthatoverlapwouldbewherearulepermitsaccesstoHTTPSandSSHandislaterfollowedinthesamerulelistbyarulethatpermitsaccesstoSSHforthesamesourceanddestinationaddresses.


NipperStudioidentified16overlappingrulesconfiguredonrouter03.Thoseoverlappingfilterrulesaredetailedbelow.

Table487:ExtendedIPv4ACLcp-critical-inrulesoverlappingrule1

Rule Action Protocol Source SrcPort Destination DstPort Frag ConnectionState Log

1 TCP 212.241.243.217 Any 212.241.243.218 179 No Any No

Thefollowingruleoverlaps.

2 TCP 212.241.243.217 179 212.241.243.218 Any No Any No



3 TCP 192.168.224.154 Any 192.168.224.153 179 No Any No


4 TCP 192.168.224.154 179 192.168.224.153 Any No Any No



5 TCP 192.168.224.150 Any 192.168.224.149 179 No Any No


6 TCP 192.168.224.150 179 192.168.224.149 Any No Any No


7 TCP 192.168.224.162 Any 192.168.224.161 179 No Any No



8 TCP 192.168.224.162 179 192.168.224.161 Any No Any No

Table491:ExtendedIPv4ACL120rulesoverlappingrule1



Thefollowing4rulesoverlap.


3 TCP Any Any 192.168.30.40 161 No

6 TCP Any Any 192.168.30.56 9876 No






3 TCP Any Any 192.168.30.40 161 No

4 TCP 192.168.20.10 Any 192.168.30.40 161 No

5 TCP 192.168.20.12 Any 192.168.30.40 161 No

6 TCP Any Any 192.168.30.56 9876 No




3 TCP Any Any 192.168.30.40 161 No


4 TCP 192.168.20.10 Any 192.168.30.40 161 No

5 TCP 192.168.20.12 Any 192.168.30.40 161 No



6 TCP Any Any 192.168.30.56 9876 No




NipperStudioidentified16overlappingrulesconfiguredonCiscoIOS15.Thoseoverlappingfilterrulesaredetailedbelow.



1 TCP 212.241.243.217 Any 212.241.243.218 179 No Any No


2 TCP 212.241.243.217 179 212.241.243.218 Any No Any No



3 TCP 192.168.224.154 Any 192.168.224.153 179 No Any No


4 TCP 192.168.224.154 179 192.168.224.153 Any No Any No



5 TCP 192.168.224.150 Any 192.168.224.149 179 No Any No


6 TCP 192.168.224.150 179 192.168.224.149 Any No Any No



7 TCP 192.168.224.162 Any 192.168.224.161 179 No Any No


8 TCP 192.168.224.162 179 192.168.224.161 Any No Any No






3 TCP Any Any 192.168.30.40 161 No

6 TCP Any Any 192.168.30.56 9876 No






3 TCP Any Any 192.168.30.40 161 No

4 TCP 192.168.20.10 Any 192.168.30.40 161 No

5 TCP 192.168.20.12 Any 192.168.30.40 161 No

6 TCP Any Any 192.168.30.56 9876 No




3 TCP Any Any 192.168.30.40 161 No


4 TCP 192.168.20.10 Any 192.168.30.40 161 No

5 TCP 192.168.20.12 Any 192.168.30.40 161 No



6 TCP Any Any 192.168.30.56 9876 No




9ConfigurationReport9.1Introduction

Thissectiondetailstheconfigurationsettingsofyourdevicesinaneasytoreadandunderstandformat.Thevariousdeviceconfigurationsettingsaregroupedintosectionsofrelatedoptions.


9.2CiscoRouterrouter03ConfigurationReport

9.2.1BasicInformation

Table503:Basicinformation

Description Setting

Name router03

Device CiscoRouter

IOS 12.3

ConfigurationRevision sometimeFriJune102006byanyone

9.2.2NetworkServices

Table504outlinesthenetworkservicesconfiguredonthedeviceandtheirstatus.Theservicesettingsaredescribedingreaterdetailintheproceedingsections.

Table504:Networkservices

Service Status Protocol Port

BOOTPService Enabled UDP 67

FingerService Enabled TCP 79

RSHService Disabled TCP 514

TCPSmallServers Enabled TCP Multiple

UDPSmallServers Enabled UDP Multiple

SSHService Disabled TCP 22

TelnetService Disabled TCP 23

WebAdministrationService(HTTP) Enabled TCP 80

WebAdministrationService(HTTPS) Disabled TCP 443

SNMPService Enabled UDP 161

NTPService Disabled UDP 123



SSHService Disabled TCP 22

WebAdministrationService(HTTP) Enabled TCP 80


TCPSmallServers Enabled TCP Multiple

UDPSmallServers Enabled UDP Multiple

BOOTPService Enabled UDP 67

FingerService Enabled TCP 79


IdentDService Disabled TCP 113

NTPService Disabled UDP 123

9.2.3GeneralConfigurationInformation

Thissectiondetailsthedevicesgeneralconfigurationsettings.

Table505:Generalconfigurationinformation

Description Setting

ConfigurationLoadingFromNetwork Disabled

ServicePasswordEncryption Disabled

9.2.4Authentication

CiscoRouterdevicessupportmultipleauthenticationsources,enablingthedevicetoauthenticateusersagainstalocaldatabaseofusersstoredonthedeviceoragainstaremoteuserauthenticationservice.Thissectiondetailstheauthenticationconfigurationsettingsforrouter03.

9.2.4.1UserPolicySettings

Thissectiondetailstheuserpolicyconfigurationsettings.

Table506:Userpolicysettings

Description Setting

AccountLockoutDuration Forever

MinimumPasswordLength 2Characters


9.2.4.2LocalUsers

Thissectiondetailstheusersconfiguredonrouter03.Theuserscanbeassignedtodifferentprivilegelevelswhichareconfigurableanddeterminethelevelofaccessgranted.Alevel15useristhehighestlevelandistypicallyreservedformanagementofthedevice.TheenableuserpasswordistypicallyusedforperformingadministrationonCiscoRouterdevices.Howeverifanenableuserpasswordhasnotbeenconfigured,alinepasswordwillbeusedinstead.

Table507:Users



temp password 15






9.2.4.3UserPrivileges

Table508detailsthecustomuserprivilegesdefinedonthedevice.

Table508:Userprivileges

Mode Level Access

exec chicken privilegeexeclevelchicken

9.2.5Administration

ThissectiondescribestheadministrationservicesandconfigurationsettingsthataresupportedbyCiscoRouterdevices.Eachsubsectioncoverstheconfigurationofaspecificadministrationserviceorservices.

9.2.5.1GeneralAdministrationSettings

ThissectiondescribessomegeneralCiscoRouterdeviceadministrationsettings.

Table509:Generaladministrationsettings

Description Setting

AUXPort Enabled

TCPSYNWaitTime 30seconds

CallHomeService Disabled

9.2.5.2TelnetServiceSettings

TheTelnetserviceenablesremoteadministrativeaccesstoaCommandLineInterface(CLI)onrouter03.TheTelnetprotocolimplementedbytheserviceissimpleandprovidesnoencryptionofthenetworkcommunicationsbetweentheclientandtheserver.ThissectiondetailstheTelnetservicesettings.

Table510:Telnetservicesettings

Description Setting

TelnetService Disabled

ServiceTCPPort 23

9.2.5.3BSDRServiceSettings

TheRSHserviceenablesremoteadministrativeaccesstoaCLIonrouter03.TheRSHprotocolimplementedbytheserviceissimpleandprovidesnoencryptionofthenetworkcommunicationsbetweentheclientandtheserver.ThissectiondetailstheRSHservicesettings.

Table511:BSDRservicesettings

Description Setting

RSHService Disabled

ServiceTCPPort 514

RCP Disabled

9.2.5.4SSHServiceSettings

TheSSHserviceenablesaremoteadministratortoaccessaCLIonrouter03.TheSSHprotocolprovidescompleteencryptionofthenetworkpacketsbetweentheconnectingclientandtheserver.TherearetwomainversionsoftheSSHprotocol.

CiscoRouterdevicessupportbothSSHprotocolversions1and2.SupportforSSHwasintroducedinIOSversion12.0(5)andsupportforSSHprotocolversion2wasaddedfromIOSversion12.3(2).IOSdevicesthatsupportbothversionsoftheSSHprotocoldefaulttoallowingconnectionsfromclientsusingeitherversion.

ThissectiondetailstheSSHservicesettings.

Table512:SSHservicesettings

Description Setting

SSHService Disabled

ServiceTCPPort 22

SSHProtocolVersions 1and2

AuthenticationTimeout 2minutes

9.2.5.5Web-BasedAdministrationServiceSettings

TheWeb-basedadministrationserviceenablesaremoteadministratortomanagethedeviceusingawebbrowser.CiscoRouterdevicesprovideadministrativeaccessusingboththeHTTPandHTTPSprotocols.AlthoughtheHTTPSprotocolprovidesencryptionoftheconnectionbetweentheadministratorandthedevice,theHTTPprotocolprovidesnoencryption.

Thissectiondetailstheconfigurationoftheweb-basedadministration.

Table513:Web-basedadministrationservicesettings

Description Setting

WebAdministrationService(HTTP) Enabled

HTTPTCPPort 80

WebAdministrationService(HTTPS) Disabled

HTTPSTCPPort 443

SecureWebAdministrationServiceRedirect Disabled

ConnectionTimeout 3minutes

Table514liststheconfiguredHTTPSweb-basedadministrationserviceencryptioncyphers.

Table514:HTTPSweb-basedadministrationserviceencryptionciphers

Encryption MessageAuthentication KeyLength SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2

3DES SHA1 168bits No Yes No No No

RC4 SHA1 128bits No Yes No No No

RC4 MD5 128bits No Yes No No No

DES SHA1 56bits No Yes No No No

9.2.5.6SmallServersSettings

Smallserversaretypicallyprovidedforlegacyordiagnosticspurposes.Theserversinclude"echo"whichrespondswithacopyofwhatissenttoit,"discard"whichignoresanythingthatissenttoitand"chargen"whichreturnscharacters.Thissectiondetailstheirconfiguration.

Table515:Smallerserverssettings

Description Setting

TCPSmallServers Enabled

UDPSmallServers Enabled

9.2.5.7BOOTPServiceSettings

TheBOOTPserviceallowsremotehoststoloadtheiroperatingsystemoverthenetwork.ThissectiondetailstheBOOTPservicesconfiguration.

Table516:BOOTPservicesettings

Description Setting

BOOTPService Enabled

UDPPort 67

9.2.5.8FingerServiceSettings

TheFingerserviceenablesnetworkuserstoqueryCiscoRouterdevicesforinformationonusers.ThissectiondetailstheFingerservicesconfiguration.

Table517:Fingerservicesettings

Description Setting

FingerService Enabled

TCPPort 79

9.2.5.9AdministrativeInterfaceLineSettings

Theadministrativeinterfacelinesettingsareusedonrouter03devicestoconfigureadministrativeaccessusinganumberofdifferentservices.Theprevioussectionshavecoveredthespecificadministrationservicesandtheirauthenticationconfigurations.Thissectiondetailsalltheadministrativeinterfacelinesconfiguredonrouter03,thetimeoutsandotheroptions.

Table518:Administrativeinterfacelineconfiguration


Console 10minutes None 25minutes 30seconds

Auxiliary 10minutes None 25minutes 30seconds


9.2.6LogonBannerMessages

Theimportanceofbannermessagescanoftenbeoverlooked.Bannermessagesareusefulforprovidingadeterrentagainstunauthorizedaccessorremindingauseraboutproceduraldetailsformakingmodificationstoadevicesconfiguration.Ifawarningmessagehasbeenconfiguredandanattackerhasgainedunauthorizedaccess,thebannermessagecouldactasevidenceofanattackersintent.Thissectiondetailsthebannermessagesconfiguredonrouter03.

9.2.6.1LoginBanner

TheLoginbannermessageispresentedtousersbeforetheylogontoCiscoRouterdevicesandaftertheMOTDmessageisshownonTelnetconnections.TheLoginbannermessageconfiguredonrouter03follows:

Thisisatestbanner.

Table519:BannerStatus

Status

Enabled

9.2.7SNMPSettings

SNMPisusedtoassistnetworkadministratorsinmonitoringandmanagingawidevarietyofnetworkdevices.TherearethreemainversionsofSNMPinuse.Versions1and2ofSNMParebothsecuredwithacommunitystringandauthenticateandtransmitnetworkpacketswithoutanyformofencryption.SNMPversion3providesseverallevelsofauthenticationandencryption.Themostbasiclevelprovidesasimilarprotectiontothatoftheearlierprotocolversions.However,SNMPversion3canbeconfiguredtoprovideencryptedauthentication(auth)andsecuredfurtherwithsupportforencrypteddatacommunications(priv).

Thissectiondescribestherouter03SNMPconfigurationsettings.

Table520:SNMPsettings

Description Setting

SNMPService Enabled

UDPPort 161

Location Somewhere

TFTPServerFilterList

Manager Disabled

ManagerSessionTimeout 10minutes

SNMPSystemShutdown Enabled

TrapSourceInterface

MaximumTrapQueueLength 10

TrapTimeout 30seconds

MaximumPacketSize 1500Bytes

9.2.7.1SNMPCommunity

SNMPcommunitystringsareusedtoauthenticateaccessbetweenaNMSandtheCiscoRouterSNMPagent.AconnectingNMS,usingSNMPprotocolversions1

or2c,mustprovidetheSNMPagentwithavalidcommunitystringwhenmakingaMIBreadorwriterequest.





9.2.7.2SNMPTrapsAndInforms

TheCiscoRouterSNMPagentcanbeconfiguredtosendtrapnotificationstoaNMSorSNMPmanagerhost.Onceatrapissent,theCiscoRouterSNMPagentassumesthatthereceivinghostreceivedthenotification,noconfirmationisexpected.Informnotificationsaresimilartotraps,butthereceivinghostisexpectedtoconfirmreceiptofthenotification.IfaconfirmationisnotreceivedtheCiscoRouterSNMPagentcanretry.

Table522:SNMPtrapandinformhosts




9.2.8MessageLogging

CiscoRouterdevicesarecapableofloggingsystemeventsandmessages.Thoselogscanthenberecalledatalatertime,assistingadministratorsinthediagnosisofsystemfaultsoralertingsystemadministratorsofanattack.Thissectiondetailsthedevicesloggingconfiguration.

9.2.8.1GeneralLoggingSettings

Thissectiondetailstheconfigurationsettingsthataffecttheloggingfacilities.

Table523:Generalloggingsettings

Description Setting

DeviceLoggingServices Enabled

LoggingMessageRateLimit None

MessageHistorySeverityLevel Warnings(4)

MaximumNumberofHistoryMessages 1

IncludeSequenceNumbersinLogs Disabled

IncludeTimeStampsinLogs Enabled

9.2.8.2SyslogLogging

SyslogmessagescanbesentbyCiscoRouterdevicestoaSyslogserver.Syslogserversprovidethefollowingadvantages:

acentralrepositoryforlogsfromarangeofnetworkdevices;apotentiallylongerretentionperiodforlogsthanadevicemaybecapableofstoring;atroubleshootingresourceforwhenadevicemaynolongerberesponsive;anexternallogsource,incasethesecurityofadevicehasbeencompromised;supportforanindustrystandardloggingsystem.

ThissectiondetailstheSyslogconfigurationsettings.

Table524:Syslogloggingconfiguration

Description Setting

SyslogLogging Disabled

SeverityLevel Informational(6)

SyslogSourceInterface

9.2.8.3InternalBufferLoggingSettings

CiscoRouterdevicescanlogmessagestoaninternalbuffer.Byitsnature,thebufferissizelimitedandthereforenewermessageswilloverwriteolderoneswhenthebufferssizehasbeenreached.Thissectiondetailstheinternalbufferloggingconfigurationsettings.

Table525:Internalbufferloggingconfiguration

Description Setting

BufferLogging Disabled

LoggingSeverityLevel Debugging(7)

BufferSize SystemDefault

9.2.8.4ConsoleLogging

CiscoRouterdevicesarecapableofsendingsystemloggingtotheconsole.Thissectiondetailsthoseconfigurationsettings.

Table526:Consoleloggingconfiguration

Description Setting

ConsoleLogging Enabled


9.2.8.5TerminalLineLogging

CiscoRouterdevicesarecapableofsendingsystemloggingtotheterminallines.Thissectiondetailsthoseconfigurationsettings.

Table527:Terminallineloggingconfiguration

Description Setting

TerminalLineLogging Enabled


9.2.9NameResolutionSettings

CiscoRouterdevicescanbeconfiguredtoresolvenametoaddressmappings.Thissectiondetailsthosesettings.

9.2.9.1DNSClient

TheDNSservicestoresinformationaboutmappingsbetweenadevicesIPaddressandaname,whichiseasierforhumanstorecognizeandremember.CiscoRouterdevicescanbeconfiguredtoqueryaDNSinordertoresolvenamestoaddresses.Thissectiondetailsthoseconfigurationsettings.

Table528:DNSclientconfiguration

Description Setting

DNSType Standard

Domain nipper.org

DNSLookups Enabled

9.2.10NetworkProtocols

ThissectiondetailstheconfigurationofthenetworkprotocolssupportedbyCiscoRouterdevices.Eachsectiondetailsspecificsettingssuchasanynetworkprotocoladdressconfigurationsettings.

9.2.10.1GeneralSettings

Thissectiondetailsthegeneralprotocolandaddressconfigurationsettings.

Table529:Generalinterfacerelatedsettings

Description Setting

GratuitousARP Disabled

IdentDService Disabled

PADService Enabled

9.2.10.2IPv4

ThissectiondetailstheconfigurationoftheIPv4protocolandaddresses.IPv4isdescribedinRFC791.

Table530:GeneralIPv4protocolsettings

Description Setting

InboundTCPKeep-Alives Disabled

OutboundTCPKeep-Alives Enabled

Table531:IPv4addresses

Interface Active Address Proxy-ARP Directed ACLIn ACLOut

GigabitEthernet1/1 Yes 10.0.0.1 Off On

GigabitEthernet1/2 Yes 10.0.0.2 On On

Table532:IPv4ICMPOptions

Interface Active Unreachables Redirects MaskReply Information

GigabitEthernet1/1 Yes On On On Off

GigabitEthernet1/2 Yes On On On Off

9.2.10.3DEC

CiscoRouterdevicescanbeconfiguredwithsupportforDigitalEquipmentCorporation(DEC)protocols.Thissectiondetailsthoseprotocolspecificconfigurationsettings.

Table533:DECinterfaceprotocols

Interface Active MOP ACLIn ACLOut

GigabitEthernet1/1 Yes On


9.2.10.4LLDPSettings

ThissectiondescribestheconfigurationoftheLinkLayerDiscoveryProtocol(LLDP)onrouter03.LLDPisanindustrystandardprotocoldesignedtoadvertisethedevicescapabilitiestoothernetworkdevices.Theinformationsentcanincludethesystemsname,managementaddress,VLAN,capabilitiesandportdetails.LLDPprovidesasimilarfunctiontoproprietaryprotocolssuchasCDPandisdescribedingreaterdetailintheInstituteofElectricalandElectronicsEngineers(IEEE)standardsdocument802.1AB.

Table534:LLDPsettings

Description Setting

LLDPSend Disabled

LLDPReceive Disabled

LLDPRefreshInterval 30seconds

OnCiscoRouterdevices,LLDPcanbeenabledanddisabledonindividualnetworkinterfaces.Table535detailsthosesettings.

Table535:LLDPonnetworkinterfaces

Interface Active LLDPSend LLDPReceive

GigabitEthernet1/1 Yes On On

GigabitEthernet1/2 Yes On On

9.2.10.5CDPSettings

ThissectiondescribestheconfigurationoftheCDPonrouter03.CDPwasdevelopedbyCiscoforusewithnetworkmanagementtoolsand,ifenabled,thenetworkpacketssentwillcontaininformationaboutthesendingdevice.CDPnetworkpacketswilltypicallyincludedetailssuchasthedevicemodelinformation,operatingsysteminformationandotherdeviceconfigurationdetails.

Table536:CDPsettings

Description Setting

CDP Enabled

CDPVersion 2

OnCiscoRouterdevices,CDPcanbeenabledanddisabledonindividualnetworkinterfaces.Table537detailsthosesettings.

Table537:CDPonnetworkinterfaces

Interface Active CDP



9.2.10.6DTPSettings

DTPisapropitiatoryprotocoldevelopedbyCiscoforthepurposeofnegotiatingVLANtrunkingbetweenswitches.DTPisenabledanddisabledonindividualnetworkports,thissectiondescribestheconfigurationoftheDTPonrouter03.

Interface Active VLAN Trunk TrunkVLAN DTP

Table538:DTPonnetworkinterfaces

GigabitEthernet1/1 Yes 1 Yes All On

GigabitEthernet1/2 Yes 1 Yes All On

9.2.10.7VTPSettings

VTPisalayer2protocoldevelopedbyCiscotoassistwiththemanagementofVLANsovermultipledevices.TheprotocolenablestheVLANstobeadded,renamedordeletedonasingleswitchandforthosechangestobepropagatedtootherswitchesinthesameVTPdomain.

Table539:VTPsettings

Description Setting

VTPVersion 1

VTPDomain

VTPPassword VTP

VTPMode Server

VTPPruning Disabled

9.2.10.8IEEE802.1XPortAccessControlSettings

ThissectiondescribestheconfigurationoftheIEEE802.1Xportaccesscontrolsettingsonrouter03.IEEE802.1Xprovidesfortheauthenticationofnetworkclientstohelppreventunauthorizednetworkdevicesfromgainingaccesstonetworkresources.

Table540:IEEE802.1Xonnetworkinterfaces

Interface Active IEEE802.1X Re-Auth

GigabitEthernet1/1 Yes AlwaysAuthorized Disabled

GigabitEthernet1/2 Yes AlwaysAuthorized Disabled

9.2.10.9PortSecuritySettings

Thissectiondescribestheconfigurationoftheportsecuritysettingsonrouter03.PortsecurityprovidesamechanismwherebyaccesstoanetworkinterfacecanbelimitedtospecificMACaddressesthatcaneitherbedefinedordiscovered.IfaccessoutsideofthepermittedMACaddressesisdetectedthenaccesstotheportcanbedisabled.

Table541:Portsecuritysettings

Interface Active Security MaxMAC Aging AgeType Sticky MAC

GigabitEthernet1/1 Yes Off N/A N/A N/A N/A

GigabitEthernet1/2 Yes Off N/A N/A N/A N/A

9.2.11NetworkInterfaces

Thissectiondetailstheconfigurationofbothphysicalandvirtualnetworkinterfaces.

9.2.11.1GigabitEthernetInterfaces

ThissectiondescribestheconfigurationofthedevicesGigabitEthernetinterfaces.

Table542:GigabitEthernetinterfaces

Interface Active VLAN Trunk TrunkVLAN

GigabitEthernet1/1 Yes 1 Yes All

GigabitEthernet1/2 Yes 1 Yes All

9.2.12RoutingConfiguration

CiscoRouterdevicesroutingtablescanbeconfiguredwithstaticroutesorupdateddynamically.Routingprotocolsareusedbynetworkroutingdevicestodynamicallyupdatetheroutingtablesthatdevicesusetoforwardnetworktraffictotheirdestination.Routingprotocolscanbesplitintotwodifferentcategories;InteriorGatewayProtocols(IGPs)andExteriorGatewayProtocols(EGPs).IGPsareusuallyusedinsituationswheretheroutingdevicesareallcontrolledbyasingleentity,suchaswithinacompany.EGPsareusuallyusedinsituationswhereroutingdevicesaremanagedbyanumberofentities,suchastheInternet.Typicallyroutingdeviceswillsupportanumberofstandardroutingprotocols.

Thissectiondescribestheroutingconfigurationsettings.

Description Setting

ClasslessRouting Ignored

Table543:GeneralRoutingSettings

IPSourceRouting Enabled

9.2.12.1RIPConfiguration

RIPisanIGPandcalculatesroutesusingadistancevector.RIPisonlysuitableforsmallnetworks,routingupdatesaresentevery30secondsandcontaintheentireroutingtable.Furthermore,RIPhasamaximumdistanceof15hops.IfRIProuteshavenotbeenupdatedwithinthreeminutestherouteismarkedasunusable.Routesnotupdatedwithinfourminutesareremoved.

Table544:RIPconfiguration

Description Setting

RIPRouting Enabled

RIPSendVersion 1

RIPReceiveVersion 1and2

Timeout 0

UpdateInterval 0

RouteSummary Enabled

InboundDistributionList

OutboundDistributionList

ThefollowingnetworksareincludedintheRIProutingupdates:

10.0.0.0.

Table545detailstheconfigurationofRIPonindividualnetworkinterfaces.

Table545:RIPnetworkinterfaceconfiguration




9.2.12.2OSPFConfiguration

TheOSPFroutingprotocolisanIGP.OSPFnetworkpacketsaresentwhenthenetworkconfigurationchanges,suchaswhenaroutegoesdown,andthepacketsonlycontainthechange.SincetheinformationsentintheOSPFnetworkpacketsislimitedtoanynetworkchanges,theprotocoliswellsuitedtocomplexnetworkconfigurations.

Table546:Process6OSPFconfiguration

Description Setting

OSPFRouting Enabled

RouterID

MaximumLSA Unlimited

RFC1583Compatibility Enabled



Table547:Process6OSPFarea0.0.0.0

Address Authentication

10.0.0.1/24 None

Table548:Process6OSPFarea30.10.20.40

Address Authentication

192.168.0.1/24 None

Table549detailstheconfigurationofOSPFonindividualnetworkinterfaces.

Table549:OSPFnetworkinterfaceconfiguration




9.2.12.3BGPConfiguration

BGPisanEGPandacoreInternetroutingprotocol.BGProutersmaintainalistofreachablenetworkswhicharesharedbetweendefinedBGPpeersusingTCPconnections.ThissectiondetailstheBGProutingconfiguration.

Table550:AS1BGPconfiguration

Description Setting

BGPASNumber 1

RouterID 192.168.56.5

BGPRouteDampening Disabled



ThefollowingnetworksareincludedintheBGProutingupdates:

192.168.22.1255.255.255.255.

ThesectiondetailstheBGPAutonomousSystems(AS)neighborsforwhichroutingupdateswillbeshared.AllauthenticationmakesuseofMD5encryptionforsecurityandintegrity.

Table551:AS1BGPneighbors

Address RemoteAS Password Version Weight PeerGroup MapIn MapOut

router01 12345 4 0

9.2.12.4EIGRPConfiguration

EIGRPisanIGPandisadistancevectorbasedprotocollikeRIP,butincorporatessomefeaturesfromlinkstateprotocolssuchasOSPF.EIGRPwasdevelopedbyCiscoasanenhancedversionofInteriorGatewayRoutingProtocol(IGRP).UnlikeRIP,EIGRPtransmitschangestonetworkroutestoitsneighborsandissuitableforlargernetworks.

Table552:EIGRPAS14configuration

Description Setting

RouterID

AutoSummary Disabled


OutboundDistributionList 40

RoutingupdatescanberedistributedbyEIGRPfromanalternativeroutingprotocol,orconfiguration.ThefollowingroutesourcesareconfiguredtoberedistributedbyEIGRP:

connected;static.

Table553:EIGRPAS14networks

Address

10.0.0.0

172.10.1.0

Table554:EIGRPAS3configuration

Description Setting

RouterID 127.0.0.1




Table555:EIGRPAS3networks

Address

192.168.56.0

Table556detailstheconfigurationofEIGRPonindividualnetworkinterfaces.

Table556:EIGRPnetworkinterfaceconfiguration


GigabitEthernet1/2 Yes 3 No 5seconds 14seconds 50% None N/A

9.2.12.5HSRPConfiguration

HSRPisaCiscoproprietaryprotocolusedtoproviderouterredundancyagainstasinglepointoffailure.HSRPusesavirtualrouteraddresswhichisusedtoprocessroutingandisthenroutedbythephysicalroutersintheHSRProutergroup.

HSRProuterwillsendmulticastadvertisementswiththeirpriorityandtheHSRProuterwiththehighestprioritywillactasthevirtualgateway.Iftherouterfailsforwhateverreason,therouterwiththenexthighestprioritywilltakeover.TheHSRProutergroupwillrespondtothesameMACaddress,providingtransparencyfornetworkdevices.ThedefaultMACaddressis00:00:0C:07:AC:xy,wherexyistheHSRProutergroup(thedefaultgroupis0).

HSRPisnotaroutingprotocol.

Table557:HSRPnetworkinterfaceconfiguration




HSRPsupportsauthenticationusingakey.Table558detailstheconfiguredHSRPauthenticationkeys.

Table558:HSRPauthenticationkeys

KeyID AuthenticationKey

1 Passw0rd

9.2.12.6VRRPConfiguration

VRRPisanindustrystandardprotocolusedtoproviderouterredundancyagainstasinglepointoffailure.VRRPusesavirtualrouteraddresswhichisusedtoprocessroutingandisthenroutedbythephysicalroutersintheVRRProutergroup.

VRRPmasterrouterwillsendadvertisementstootherroutersinthesameVRRPgroup.IfthemasterVRRProuterfails,theotherroutersintheVRRPgroupholdanelectiontodeterminewhichrouterwillbecomethenewmaster.Aprioritynumberisusedinthemasterrouterelection,withthehighestprioritynumbertakingprecedence.

VRRPisnotaroutingprotocol.

Table559:VRRPconfiguration

Description Setting

VRRPRouting v2

Table560:VRRPnetworkinterfaceconfiguration




VRRPsupportsauthenticationusingakey(orsharedsecret).Table561detailstheconfiguredVRRPauthenticationkeys.

Table561:VRRPauthenticationkeys


1 password

9.2.12.7GLBPConfiguration

GLBPisaCiscoproprietaryprotocolusedtoproviderouterloadbalancingandredundancyagainstasinglepointoffailure.GLBPusesavirtualrouteraddresswhichisusedtoprocessroutingandisthenroutedbythephysicalroutersintheGLBProutergroup.

TheGLBPgrouppriorityisusedtodeterminewhichrouterbecomestheAVGandwhichwillbecometheAVFs.TherouterwiththehighestprioritywillbecometheAVG,itisalsousedtodeterminethenextAVGifthefirstonefails.TheAVGrespondstoARPrequestsforthevirtualrouterandrespondswithavirtualMACaddressfortheAVFs.

TheGLBPweightingisusedtodeterminetheroutingcapacityofeachrouter.

GLBPisnotaroutingprotocol.

Table562:GLBPnetworkinterfaceconfiguration




GLBPsupportsauthenticationusingakey(orsharedsecret).Table563detailstheconfiguredGLBPauthenticationkeys.

Table563:GLBPauthenticationkeys


1 Passw0rd

9.2.12.8RoutingAuthenticationKeyConfiguration

Authenticationkeys,alsoreferredtoassharedsecrets,canbeconfiguredtoprovideamethodofauthenticatingroutingupdatesinordertoprovidealevelofassurancethatroutingupdatesarefromtrustedsources.Thissectiondetailstheconfiguredroutingauthenticationkeys.

Table564:Routingauthenticationkeys

KeyChain KeyID Key

testchain 1 password

routing-chain 1 cisco

9.2.13NetworkFiltering

CiscoRouterdevicescanbeconfiguredtofilternetworktrafficinordertorestrictaccesstodevicesandservices.Thosenetworkfilteringsettingsaredetailedinthissection.

9.2.13.1ExtendedIPv4ACL

ExtendedACLspermitordenynetworktrafficbasedonIPv4sourceanddestinationaddressesandnetworkports.ExtendedACLsareusedforchecksontrafficpassingthroughthedevice.

Table565:ExtendedIPv4ACLnamed-acl-1










Controlplanecriticaltraffic-inbound

BGP

1 TCP 212.241.243.217 Any 212.241.243.218 179 No Any No

2 TCP 212.241.243.217 179 212.241.243.218 Any No Any No

3 TCP 192.168.224.154 Any 192.168.224.153 179 No Any No

4 TCP 192.168.224.154 179 192.168.224.153 Any No Any No

5 TCP 192.168.224.150 Any 192.168.224.149 179 No Any No

6 TCP 192.168.224.150 179 192.168.224.149 Any No Any No

7 TCP 192.168.224.162 Any 192.168.224.161 179 No Any No

8 TCP 192.168.224.162 179 192.168.224.161 Any No Any No

9 TCP 192.168.123.123 Any 192.192.192.192 21 No Any No

DHCP

10 UDP 0.0.0.0 Any 255.255.255.255 67 No Any No

11 UDP 10.1.23.1 67 Any 67 No Any No

Table567:ExtendedIPv4ACLcp-critical-in

CSMProbesHTTP

12 TCP 192.168.224.10 Any 192.168.224.51 80 No Any No

13 TCP 192.168.224.10 Any 192.168.224.52 80 No Any No

14 TCP 192.168.224.51 80 192.168.224.10 Any No Any No

15 TCP 192.168.224.52 80 192.168.224.10 Any No ESTABLISHED No

16 TCP 192.168.224.11 Any 192.168.224.51 80 No Any No

17 TCP 192.168.224.11 Any 192.168.224.52 80 No Any No

18 TCP 192.168.224.51 80 192.168.224.11 Any Yes Any No

19 TCP 192.168.224.52 80 192.168.224.11 Any No Any No

CSMProbesHTTPS

20 TCP 192.168.224.10 Any 192.168.224.51 443 No Any No

21 TCP 192.168.224.10 Any 192.168.224.52 443 No Any Yes

22 TCP 192.168.224.51 443 192.168.224.10 Any No Any No

23 TCP 192.168.224.52 443 192.168.224.10 Any No Any No

24 TCP 192.168.224.11 Any 192.168.224.51 443 No Any Yes

25 TCP 192.168.224.11 Any 192.168.224.52 443 No Any No

26 TCP 192.168.224.51 443 192.168.224.11 Any No Any No

27 TCP 192.168.224.52 443 192.168.224.11 Any No Any No

CSMProbesICMP

28 ICMP 192.168.224.10 192.168.224.51 No Any No

29 ICMP 192.168.224.10 192.168.224.52 No Any No

30 ICMP 192.168.224.51 192.168.224.10 No Any No

31 ICMP 192.168.224.52 192.168.224.10 No Any No

32 ICMP 192.168.224.11 192.168.224.51 No Any No

33 ICMP 192.168.224.11 192.168.224.52 No Any No

34 ICMP 192.168.224.51 192.168.224.11 No Any No

35 ICMP 192.168.224.52 192.168.224.11 No Any No

36 Any Any Any Any Any No Any No

Table568:ExtendedIPv4ACL110


1 TCP Any Any Any Any No





3 TCP Any Any 192.168.30.40 161 No

4 TCP 192.168.20.10 Any 192.168.30.40 161 No

5 TCP 192.168.20.12 Any 192.168.30.40 161 No

6 TCP Any Any 192.168.30.56 9876 No


8 TCP Any Any 192.168.30.56 9876 No

9.2.13.2StandardIPv4ACL

StandardACLsonlydefinetheIPv4sourceaddressandprocessthenetworkpacketssolelybasedonthat.StandardACLsaretypicallyusedtorestrictaccesstodeviceservicesorprotocols.


1 192.168.2.1 No

Table570:StandardIPv4ACL40

2 172.10.1.35 No

3 10.0.0.1 No

4 192.168.0.1 No

5 Any Yes

9.2.14IPSSettings

CiscoRouterdevicescanbeconfiguredtodetectnetworktrafficpatternsthataretypicallyassociatedwithmaliciousactivityorissimplyundesirable.IPSsettingsarethosethatenablethedevicetopreventthepotentiallymaliciousnetworkactivitybyblockingthenetworktrafficwhendetected.Thissectiondetailsthoseconfigurationsettings.

Table571:GeneralIPSsettings

Description Setting

CiscoExpressForwarding Enabled

Table572:IPSsettings

IPSFeature Setting

UnicastRPFVerification EnabledonGigabitEthernet1/1

EnabledonGigabitEthernet1/2

9.2.15TimeAndDate

Itcanbecriticallyimportantthatthetimeanddatesetonallnetworkdevicesmatch.Manyauthenticationservicesdependonthetimebetweendevicesbeingsynchronized,ifaclockisoutsideathresholdthenthatdevicemaynolongerbeabletoperformauthentication.Furthermore,diagnosingissueswiththeuseofmessagelogsbecomesmuchmorecumbersomeifthetimeanddatesbetweendevicesdonotmatch.CiscoRouterdevicescanbeconfiguredtoobtaintimeupdatesfromanetworktimesource.Thissectiondetailsthetimeanddateconfigurationsettings.

9.2.15.1TimeZones

Table573:GeneralTimeSettings

Description Setting

TimeZone GMT0

SummerTimeDaylightSaving Enabled

9.2.15.2NTPClientConfiguration

CiscoRouterdevicescanbeconfiguredtosynchronizetheirtimefromaNTPtimesource(RequestForChange(RFC)1305http://www.faqs.org/rfcs/rfc1305.html).ThissectiondetailsthoseNTPclientconfigurationsettings.

Table574:NTPclientsettings

Description Setting

NTPClient Enabled

AcceptBroadcastUpdates Disabled

AcceptMulticastUpdates Disabled

NTPAuthentication Disabled

SourceInterface

Table575detailstheNTPtimesourcesusedtoprovidethetimeupdatestothedevice.

Table575:NTPclienttimesources

Address AuthKey Version

1.1.1.1 3

NTPclientsettingsonCiscoRouterdevicescanbeconfiguredonindividualinterfaces.ThesearelistedinTable576.

Table576:InterfaceNTPclientsettings

Interface Active NTP NTPBroadcasts NTPMulticasts

GigabitEthernet1/1 Yes Enabled Disabled Disabled

GigabitEthernet1/2 Yes Enabled Disabled Disabled

9.2.15.3NTPServerConfiguration

CiscoRouterdevicescanbeconfiguredtoprovideanNTPtimesourceforothernetworkdevices.ThissectiondetailstheNTPserverconfiguration.

Table577:NTPserverconfiguration

Description Setting

NTPService Disabled

MulticastNTPServer Disabled

BroadcastNTPServer Disabled

NTPMaster Disabled

NTPserversettingsonCiscoRouterdevicescanbeconfiguredonindividualinterfaces.ThesearelistedinTable578.

Table578:InterfaceNTPserversettings

Interface Active NTP BroadcastServer BroadcastVersion MulticastAddress MulticastKey MulticastVersion

GigabitEthernet1/1 Yes Enabled Disabled 3 3

GigabitEthernet1/2 Yes Enabled Disabled 3 3


9.3CiscoRouterCiscoIOS15ConfigurationReport

9.3.1BasicInformation

Table579:Basicinformation

Description Setting

Name CiscoIOS15

Device CiscoRouter

IOS 15.0

ConfigurationRevision 12:42:43UTCWedAug242016byadmin

9.3.2NetworkServices

Table580outlinesthenetworkservicesconfiguredonthedeviceandtheirstatus.Theservicesettingsaredescribedingreaterdetailintheproceedingsections.

Table580:Networkservices

Service Status Protocol Port

BOOTPService Disabled UDP 67

FingerService Disabled TCP 79


TCPSmallServers Disabled TCP Multiple

UDPSmallServers Disabled UDP Multiple

SSHService Enabled TCP 22


WebAdministrationService(HTTP) Disabled TCP 80



NTPService Enabled UDP 123



SSHService Enabled TCP 22

WebAdministrationService(HTTP) Disabled TCP 80


TCPSmallServers Disabled TCP Multiple

UDPSmallServers Disabled UDP Multiple

BOOTPService Disabled UDP 67

FingerService Disabled TCP 79


IdentDService Disabled TCP 113

NTPService Enabled UDP 123

9.3.3GeneralConfigurationInformation

Thissectiondetailsthedevicesgeneralconfigurationsettings.

Table581:Generalconfigurationinformation

Description Setting

ConfigurationLoadingFromNetwork Disabled

ServicePasswordEncryption Enabled

Table582liststheconfiguredaliases.

Table582:AliasList

System Alias Command

atm-vc-config vbr vbr-nrt

exec h help

exec lo logout

exec p ping

exec r resume

exec s show

exec u undebug

exec un undebug

exec w where

9.3.4Authentication

CiscoRouterdevicessupportmultipleauthenticationsources,enablingthedevicetoauthenticateusersagainstalocaldatabaseofusersstoredonthedeviceoragainstaremoteuserauthenticationservice.ThissectiondetailstheauthenticationconfigurationsettingsforCiscoIOS15.

9.3.4.1UserPolicySettings

Thissectiondetailstheuserpolicyconfigurationsettings.


Description Setting

AccountLockoutDuration Forever

MinimumPasswordLength 6Characters

9.3.4.2LocalUsers

ThissectiondetailstheusersconfiguredonCiscoIOS15.Theuserscanbeassignedtodifferentprivilegelevelswhichareconfigurableanddeterminethelevelofaccessgranted.Alevel15useristhehighestlevelandistypicallyreservedformanagementofthedevice.TheenableuserpasswordistypicallyusedforperformingadministrationonCiscoRouterdevices.Howeverifanenableuserpasswordhasnotbeenconfigured,alinepasswordwillbeusedinstead.

Table584:Users




admin (ENCRYPTED) 1

Test (ENCRYPTED) 1


9.3.4.3TACACS+Authentication

CiscoRouterdevicessupportauthenticationusingTerminalAccessControllerAccessControlSystemPlus(TACACS+)authenticationservers.Thissectiondetailstheconfiguration.

Table585:TACACS+settings

Description Setting

TACACS+Authentication Enabled

TACACS+SourceInterface Loopback0

Table586detailstheconfiguredTACACS+Authenticationservers.

Table586:TACACS+Authenticationservers

ServerGroup Address Port Key

18.1.1.1 49

9.3.5Administration

ThissectiondescribestheadministrationservicesandconfigurationsettingsthataresupportedbyCiscoRouterdevices.Eachsubsectioncoverstheconfigurationofaspecificadministrationserviceorservices.

9.3.5.1GeneralAdministrationSettings

ThissectiondescribessomegeneralCiscoRouterdeviceadministrationsettings.

Table587:Generaladministrationsettings

Description Setting

AUXPort Disabled

TCPSYNWaitTime 30seconds

CallHomeService Disabled

9.3.5.2TelnetServiceSettings

TheTelnetserviceenablesremoteadministrativeaccesstoaCLIonCiscoIOS15.TheTelnetprotocolimplementedbytheserviceissimpleandprovidesnoencryptionofthenetworkcommunicationsbetweentheclientandtheserver.ThissectiondetailstheTelnetservicesettings.

Table588:Telnetservicesettings

Description Setting

TelnetService Disabled

ServiceTCPPort 23

9.3.5.3BSDRServiceSettings

TheRSHserviceenablesremoteadministrativeaccesstoaCLIonCiscoIOS15.TheRSHprotocolimplementedbytheserviceissimpleandprovidesnoencryptionofthenetworkcommunicationsbetweentheclientandtheserver.ThissectiondetailstheRSHservicesettings.

Table589:BSDRservicesettings

Description Setting

RSHService Disabled

ServiceTCPPort 514

RCP Disabled

9.3.5.4SSHServiceSettings

TheSSHserviceenablesaremoteadministratortoaccessaCLIonCiscoIOS15.TheSSHprotocolprovidescompleteencryptionofthenetworkpacketsbetweentheconnectingclientandtheserver.TherearetwomainversionsoftheSSHprotocol.

CiscoRouterdevicessupportbothSSHprotocolversions1and2.SupportforSSHwasintroducedinIOSversion12.0(5)andsupportforSSHprotocolversion2wasaddedfromIOSversion12.3(2).IOSdevicesthatsupportbothversionsoftheSSHprotocoldefaulttoallowingconnectionsfromclientsusingeitherversion.

ThissectiondetailstheSSHservicesettings.

Table590:SSHservicesettings

Description Setting

SSHService Enabled

ServiceTCPPort 22

SSHProtocolVersion 2

AuthenticationTimeout 2minutes

AccesstotheSSHserviceonCiscoIOS15devicesisconfiguredusingadministrativeinterfacelines.Table591detailstheSSHadministrativeinterfacelineconfiguration.


Table591:SSHservicelines



9.3.5.5Web-BasedAdministrationServiceSettings

TheWeb-basedadministrationserviceenablesaremoteadministratortomanagethedeviceusingawebbrowser.CiscoRouterdevicesprovideadministrativeaccessusingboththeHTTPandHTTPSprotocols.AlthoughtheHTTPSprotocolprovidesencryptionoftheconnectionbetweentheadministratorandthedevice,theHTTPprotocolprovidesnoencryption.

Thissectiondetailstheconfigurationoftheweb-basedadministration.

Table592:Web-basedadministrationservicesettings

Description Setting

WebAdministrationService(HTTP) Disabled

HTTPTCPPort 80

WebAdministrationService(HTTPS) Disabled

HTTPSTCPPort 443

SecureWebAdministrationServiceRedirect Disabled

ConnectionTimeout 3minutes

Table593liststheconfiguredHTTPSweb-basedadministrationserviceencryptioncyphers.

Table593:HTTPSweb-basedadministrationserviceencryptionciphers

Encryption MessageAuthentication KeyLength SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2

3DES SHA1 168bits No Yes No No No

RC4 SHA1 128bits No Yes No No No

RC4 MD5 128bits No Yes No No No

DES SHA1 56bits No Yes No No No

9.3.5.6SmallServersSettings

Smallserversaretypicallyprovidedforlegacyordiagnosticspurposes.Theserversinclude"echo"whichrespondswithacopyofwhatissenttoit,"discard"whichignoresanythingthatissenttoitand"chargen"whichreturnscharacters.Thissectiondetailstheirconfiguration.

Table594:Smallerserverssettings

Description Setting

TCPSmallServers Disabled

UDPSmallServers Disabled

9.3.5.7BOOTPServiceSettings

TheBOOTPserviceallowsremotehoststoloadtheiroperatingsystemoverthenetwork.ThissectiondetailstheBOOTPservicesconfiguration.

Table595:BOOTPservicesettings

Description Setting

BOOTPService Disabled

UDPPort 67

9.3.5.8FingerServiceSettings

TheFingerserviceenablesnetworkuserstoqueryCiscoRouterdevicesforinformationonusers.ThissectiondetailstheFingerservicesconfiguration.

Table596:Fingerservicesettings

Description Setting

FingerService Disabled

TCPPort 79

9.3.5.9AdministrativeInterfaceLineSettings

TheadministrativeinterfacelinesettingsareusedonCiscoIOS15devicestoconfigureadministrativeaccessusinganumberofdifferentservices.Theprevious

sectionshavecoveredthespecificadministrationservicesandtheirauthenticationconfigurations.ThissectiondetailsalltheadministrativeinterfacelinesconfiguredonCiscoIOS15,thetimeoutsandotheroptions.

Table597:Administrativeinterfacelineconfiguration


Console 9minutes None None 30seconds

Auxiliary 9minutes None None 30seconds

Interface0/0/0 9minutes None None 30seconds



9.3.6LogonBannerMessage

Theimportanceofbannermessagescanoftenbeoverlooked.Bannermessagesareusefulforprovidingadeterrentagainstunauthorizedaccessorremindingauseraboutproceduraldetailsformakingmodificationstoadevicesconfiguration.Ifawarningmessagehasbeenconfiguredandanattackerhasgainedunauthorizedaccess,thebannermessagecouldactasevidenceofanattackersintent.ThissectiondetailsthebannermessagesconfiguredonCiscoIOS15.

9.3.6.1ExecBanner

TheExecbannermessageispresentedtousersaftertheylogontoCiscoRouterdevices.TheExecbannermessageconfiguredonCiscoIOS15follows:

Thisistheexecbanner


Status

Enabled

9.3.6.2LoginBanner

TheLoginbannermessageispresentedtousersbeforetheylogontoCiscoRouterdevicesandaftertheMOTDmessageisshownonTelnetconnections.TheLoginbannermessageconfiguredonCiscoIOS15follows:



Status

Enabled

9.3.6.3MOTDBanner

TheMOTDbannermessageispresentedtousersbeforetheylogonforTelnetconnectionsandfollowinglogonforSSHconnections.TheconfiguredMOTDbannermessagefollows:

Thisisthemotdbanner


Status

Enabled

9.3.7SNMPSettings

SNMPisusedtoassistnetworkadministratorsinmonitoringandmanagingawidevarietyofnetworkdevices.TherearethreemainversionsofSNMPinuse.Versions1and2ofSNMParebothsecuredwithacommunitystringandauthenticateandtransmitnetworkpacketswithoutanyformofencryption.SNMPversion3providesseverallevelsofauthenticationandencryption.Themostbasiclevelprovidesasimilarprotectiontothatoftheearlierprotocolversions.However,SNMPversion3canbeconfiguredtoprovideencryptedauthentication(auth)andsecuredfurtherwithsupportforencrypteddatacommunications(priv).

ThissectiondescribestheCiscoIOS15SNMPconfigurationsettings.

Description Setting

SNMPService Enabled

UDPPort 161

Table601:SNMPsettings

Chassis FCZ130693M0

TFTPServerFilterList

Manager Disabled

ManagerSessionTimeout 10minutes

SNMPSystemShutdown Disabled

TrapSourceInterface

MaximumTrapQueueLength 10

TrapTimeout 30seconds

MaximumPacketSize 1500Bytes

9.3.7.1SNMPCommunity

SNMPcommunitystringsareusedtoauthenticateaccessbetweenaNMSandtheCiscoRouterSNMPagent.AconnectingNMS,usingSNMPprotocolversions1or2c,mustprovidetheSNMPagentwithavalidcommunitystringwhenmakingaMIBreadorwriterequest.






9.3.7.2SNMPTrapsAndInforms

TheCiscoRouterSNMPagentcanbeconfiguredtosendtrapnotificationstoaNMSorSNMPmanagerhost.Onceatrapissent,theCiscoRouterSNMPagentassumesthatthereceivinghostreceivedthenotification,noconfirmationisexpected.Informnotificationsaresimilartotraps,butthereceivinghostisexpectedtoconfirmreceiptofthenotification.IfaconfirmationisnotreceivedtheCiscoRouterSNMPagentcanretry.

Table603:SNMPtrapandinformhosts


1.2.3.4 Trap 1 Community trapString 162snmp 0

Table604:SNMPnotifications

Notification Options Action

link nosnmp-servertraplinkietf Exclude

authentication snmp-servertrapauthenticationvrf Include

authentication snmp-servertrapauthenticationacl-failure Include

authentication snmp-servertrapauthenticationunknown-content Include

snmp serverenabletrapssnmpauthenticationlinkdownlinkupcoldstart Include

nhrp nhsup Exclude

nhrp nhsdown Exclude

nhrp nhcup Exclude

nhrp nhcdown Exclude

nhrp nhpup Exclude

nhrp nhpdown Exclude

nhrp quota-exceeded Exclude

9.3.7.3SNMPGroups

SNMPv3accesstoCiscoRoutercanbeconfiguredusingUsersandGroups.Thissectiondetailsthoseconfigurationsettings.

Table605:SNMPgroups

Group Version Security ReadView WriteView NotifyView ACL

snmpCISGroup 3 Auth+Priv v1default

9.3.7.4SNMPViews

SNMPviewsareusedtorestricttheareasoftheMIBaNMScanaccess.

MIB Action

system Include

Table606:*ilmiSNMPviewconfiguration

atmForumUni Include

Table607:v1defaultSNMPviewconfiguration

MIB Action

iso Include

internet.6.3.15 Exclude



ciscoMgmt.394 Exclude




Table608:*tv.00000001.00000000.00000000.00000000.000000000FSNMPviewconfiguration

MIB Action

ieee802dot11 Include

internet Include

9.3.8MessageLogging

CiscoRouterdevicesarecapableofloggingsystemeventsandmessages.Thoselogscanthenberecalledatalatertime,assistingadministratorsinthediagnosisofsystemfaultsoralertingsystemadministratorsofanattack.Thissectiondetailsthedevicesloggingconfiguration.

9.3.8.1GeneralLoggingSettings

Thissectiondetailstheconfigurationsettingsthataffecttheloggingfacilities.

Table609:Generalloggingsettings

Description Setting

DeviceLoggingServices Enabled

LoggingMessageRateLimit None

MessageHistorySeverityLevel Warnings(4)

MaximumNumberofHistoryMessages 0

IncludeSequenceNumbersinLogs Disabled

IncludeTimeStampsinLogs Enabled

9.3.8.2SyslogLogging

SyslogmessagescanbesentbyCiscoRouterdevicestoaSyslogserver.Syslogserversprovidethefollowingadvantages:

acentralrepositoryforlogsfromarangeofnetworkdevices;apotentiallylongerretentionperiodforlogsthanadevicemaybecapableofstoring;atroubleshootingresourceforwhenadevicemaynolongerberesponsive;anexternallogsource,incasethesecurityofadevicehasbeencompromised;supportforanindustrystandardloggingsystem.

ThissectiondetailstheSyslogconfigurationsettings.

Table610:Syslogloggingconfiguration

Description Setting

SyslogLogging Enabled

SeverityLevel Informational(6)

SyslogSourceInterface Loopback1

Table611:Sysloghosts

Host Protocol Port

buginf UDP 514

10.10.10.10 UDP 514

9.3.8.3InternalBufferLoggingSettings

CiscoRouterdevicescanlogmessagestoaninternalbuffer.Byitsnature,thebufferissizelimitedandthereforenewermessageswilloverwriteolderoneswhenthebufferssizehasbeenreached.Thissectiondetailstheinternalbufferloggingconfigurationsettings.

Table612:Internalbufferloggingconfiguration

Description Setting

BufferLogging Enabled


BufferSize 4096

9.3.8.4ConsoleLogging

CiscoRouterdevicesarecapableofsendingsystemloggingtotheconsole.Thissectiondetailsthoseconfigurationsettings.

Table613:Consoleloggingconfiguration

Description Setting

ConsoleLogging Enabled

LoggingSeverityLevel Critical(2)

9.3.8.5TerminalLineLogging

CiscoRouterdevicesarecapableofsendingsystemloggingtotheterminallines.Thissectiondetailsthoseconfigurationsettings.

Table614:Terminallineloggingconfiguration

Description Setting

TerminalLineLogging Enabled


9.3.9NameResolutionSettings

CiscoRouterdevicescanbeconfiguredtoresolvenametoaddressmappings.Thissectiondetailsthosesettings.

9.3.9.1DNSClient

TheDNSservicestoresinformationaboutmappingsbetweenadevicesIPaddressandaname,whichiseasierforhumanstorecognizeandremember.CiscoRouterdevicescanbeconfiguredtoqueryaDNSinordertoresolvenamestoaddresses.Thissectiondetailsthoseconfigurationsettings.

Table615:DNSclientconfiguration

Description Setting

DNSType Standard

Domain test.test

DNSLookups Disabled

9.3.10NetworkProtocols

ThissectiondetailstheconfigurationofthenetworkprotocolssupportedbyCiscoRouterdevices.Eachsectiondetailsspecificsettingssuchasanynetworkprotocoladdressconfigurationsettings.


Thissectiondetailsthegeneralprotocolandaddressconfigurationsettings.

Table616:Generalinterfacerelatedsettings

Description Setting

GratuitousARP Disabled

IdentDService Disabled

PADService Disabled

9.3.10.2IPv4

ThissectiondetailstheconfigurationoftheIPv4protocolandaddresses.IPv4isdescribedinRFC791.

Description Setting

InboundTCPKeep-Alives Enabled

Table617:GeneralIPv4protocolsettings

OutboundTCPKeep-Alives Enabled

Table618:IPv4addresses

Interface Active Address Proxy-ARP Directed ACLIn ACLOut

Loopback0 Yes Off Off

Loopback1 Yes Off Off

FastEthernet0/0 Yes 192.168.0.17/24 Off Off

FastEthernet0/1 No Off Off

ATM0/1/0 No Off Off

Async0/0/0 Yes Off Off

Table619:IPv4ICMPOptions

Interface Active Unreachables Redirects MaskReply Information

Loopback0 Yes Off On Off Off

Loopback1 Yes Off On Off Off


FastEthernet0/1 No On On Off Off

ATM0/1/0 No Off On Off Off

Async0/0/0 Yes Off On Off Off

9.3.10.3DEC

CiscoRouterdevicescanbeconfiguredwithsupportforDECprotocols.Thissectiondetailsthoseprotocolspecificconfigurationsettings.

Table620:DECinterfaceprotocols

Interface Active MOP ACLIn ACLOut

FastEthernet0/0 Yes Off

FastEthernet0/1 No On

9.3.10.4LLDPSettings

ThissectiondescribestheconfigurationoftheLLDPonCiscoIOS15.LLDPisanindustrystandardprotocoldesignedtoadvertisethedevicescapabilitiestoothernetworkdevices.Theinformationsentcanincludethesystemsname,managementaddress,VLAN,capabilitiesandportdetails.LLDPprovidesasimilarfunctiontoproprietaryprotocolssuchasCDPandisdescribedingreaterdetailintheIEEEstandardsdocument802.1AB.

Table621:LLDPsettings

Description Setting

LLDPSend Disabled

LLDPReceive Disabled

LLDPRefreshInterval 30seconds

OnCiscoRouterdevices,LLDPcanbeenabledanddisabledonindividualnetworkinterfaces.Table622detailsthosesettings.

Table622:LLDPonnetworkinterfaces

Interface Active LLDPSend LLDPReceive

FastEthernet0/0 Yes On On

FastEthernet0/1 No On On

9.3.10.5CDPSettings

ThissectiondescribestheconfigurationoftheCDPonCiscoIOS15.CDPwasdevelopedbyCiscoforusewithnetworkmanagementtoolsand,ifenabled,thenetworkpacketssentwillcontaininformationaboutthesendingdevice.CDPnetworkpacketswilltypicallyincludedetailssuchasthedevicemodelinformation,operatingsysteminformationandotherdeviceconfigurationdetails.

Table623:CDPsettings

Description Setting

CDP Disabled

CDPVersion 2

OnCiscoRouterdevices,CDPcanbeenabledanddisabledonindividualnetworkinterfaces.Table624detailsthosesettings.

Table624:CDPonnetworkinterfaces

Interface Active CDP

FastEthernet0/0 Yes On

FastEthernet0/1 No On

9.3.10.6VTPSettings

VTPisalayer2protocoldevelopedbyCiscotoassistwiththemanagementofVLANsovermultipledevices.TheprotocolenablestheVLANstobeadded,renamedordeletedonasingleswitchandforthosechangestobepropagatedtootherswitchesinthesameVTPdomain.

Table625:VTPsettings

Description Setting

VTPVersion 1

VTPDomain

VTPPassword VTP

VTPMode Transparent

VTPPruning Disabled

9.3.11NetworkInterfaces

Thissectiondetailstheconfigurationofbothphysicalandvirtualnetworkinterfaces.

9.3.11.1LoopbackInterfaces

Loopbackinterfacesarevirtualinterfacesthatarehandledbysoftware.Thissectiondescribestheconfigurationoftheloopbackinterfaces.

Table626:Loopbackinterfaces

Interface Active

Loopback0 Yes

Loopback1 Yes

9.3.11.2FastEthernetInterfaces

ThissectiondescribestheconfigurationofthedevicesfastEthernetinterfaces.

Table627:FastEthernetinterfaces

Interface Active VLAN

FastEthernet0/0 Yes 1

FastEthernet0/1 No 1

9.3.11.3ATMInterfaces

ThissectiondescribestheconfigurationofthedevicesAsynchronousTransferMode(ATM)interfaces.

Table628:ATMinterfaces

Interface Active

ATM0/1/0 No

9.3.11.4OtherInterfaces

Thissectiondescribestheconfigurationoftheotherinterfacesconfiguredon.

Table629:Otherinterfaces

Interface Active

Async0/0/0 Yes

9.3.12RoutingConfiguration

CiscoRouterdevicesroutingtablescanbeconfiguredwithstaticroutesorupdateddynamically.Routingprotocolsareusedbynetworkroutingdevicesto

dynamicallyupdatetheroutingtablesthatdevicesusetoforwardnetworktraffictotheirdestination.Routingprotocolscanbesplitintotwodifferentcategories;IGPsandEGPs.IGPsareusuallyusedinsituationswheretheroutingdevicesareallcontrolledbyasingleentity,suchaswithinacompany.EGPsareusuallyusedinsituationswhereroutingdevicesaremanagedbyanumberofentities,suchastheInternet.Typicallyroutingdeviceswillsupportanumberofstandardroutingprotocols.

Thissectiondescribestheroutingconfigurationsettings.

Table630:GeneralRoutingSettings

Description Setting

ClasslessRouting Ignored

IPSourceRouting Disabled

9.3.12.1StaticRoutes

CiscoRouterdevicescanbeconfiguredwithstaticnetworkroutes.Thissectiondetailsthestaticnetworkroutes.

Table631:Staticnetworkroutes

Interface Address Gateway Metric

0.0.0.0/0 10.200.4.254

9.3.12.2RIPConfiguration

RIPisanIGPandcalculatesroutesusingadistancevector.RIPisonlysuitableforsmallnetworks,routingupdatesaresentevery30secondsandcontaintheentireroutingtable.Furthermore,RIPhasamaximumdistanceof15hops.IfRIProuteshavenotbeenupdatedwithinthreeminutestherouteismarkedasunusable.Routesnotupdatedwithinfourminutesareremoved.

Table632:RIPconfiguration

Description Setting

RIPRouting Enabled

RIPSendVersion 1

RIPReceiveVersion 1and2

Timeout 0

UpdateInterval 0

RouteSummary Enabled



ThefollowingnetworksareincludedintheRIProutingupdates:

3.0.0.0.

Table633detailstheconfigurationofRIPonindividualnetworkinterfaces.

Table633:RIPnetworkinterfaceconfiguration


FastEthernet0/0 Yes No V1 V1andV2 MD5 keychain

FastEthernet0/1 No No V1 V1andV2 None N/A

ATM0/1/0 No No V1 V1andV2 None N/A

9.3.12.3OSPFConfiguration

TheOSPFroutingprotocolisanIGP.OSPFnetworkpacketsaresentwhenthenetworkconfigurationchanges,suchaswhenaroutegoesdown,andthepacketsonlycontainthechange.SincetheinformationsentintheOSPFnetworkpacketsislimitedtoanynetworkchanges,theprotocoliswellsuitedtocomplexnetworkconfigurations.

Table634:Process1OSPFconfiguration

Description Setting

OSPFRouting Enabled

RouterID

MaximumLSA Unlimited

RFC1583Compatibility Enabled



Table635detailstheconfigurationofOSPFonindividualnetworkinterfaces.

Table635:OSPFnetworkinterfaceconfiguration


FastEthernet0/0 Yes No 1 Broadcast MD5 6 Default 10seconds 40seconds 5seconds 1second

9.3.12.4BGPConfiguration

BGPisanEGPandacoreInternetroutingprotocol.BGProutersmaintainalistofreachablenetworkswhicharesharedbetweendefinedBGPpeersusingTCPconnections.ThissectiondetailstheBGProutingconfiguration.

Table636:AS1BGPconfiguration

Description Setting

BGPASNumber 1

RouterID

BGPRouteDampening Disabled



ThesectiondetailstheBGPASneighborsforwhichroutingupdateswillbeshared.AllauthenticationmakesuseofMD5encryptionforsecurityandintegrity.

Table637:AS1BGPneighbors

Address RemoteAS Password Version Weight PeerGroup MapIn MapOut

1.1.1.1 3 password 4 0

1.2.3.4 1 password 4 0

9.3.12.5EIGRPConfiguration

EIGRPisanIGPandisadistancevectorbasedprotocollikeRIP,butincorporatessomefeaturesfromlinkstateprotocolssuchasOSPF.EIGRPwasdevelopedbyCiscoasanenhancedversionofIGRP.UnlikeRIP,EIGRPtransmitschangestonetworkroutestoitsneighborsandissuitableforlargernetworks.

Table638:EIGRPASnameconfiguration

Description Setting

RouterID




Table639detailstheconfigurationofEIGRPonindividualnetworkinterfaces.

Table639:EIGRPnetworkinterfaceconfiguration


FastEthernet0/0 Yes 1 No 5seconds 15seconds 50% MD5 keychain

9.3.12.6RoutingAuthenticationKeyConfiguration

Authenticationkeys,alsoreferredtoassharedsecrets,canbeconfiguredtoprovideamethodofauthenticatingroutingupdatesinordertoprovidealevelofassurancethatroutingupdatesarefromtrustedsources.Thissectiondetailstheconfiguredroutingauthenticationkeys.

Table640:Routingauthenticationkeys

KeyChain KeyID Key

keychain 1 key

9.3.13NetworkFiltering

CiscoRouterdevicescanbeconfiguredtofilternetworktrafficinordertorestrictaccesstodevicesandservices.Thosenetworkfilteringsettingsaredetailedinthissection.

9.3.13.1ExtendedIPv4ACL

ExtendedACLspermitordenynetworktrafficbasedonIPv4sourceanddestinationaddressesandnetworkports.ExtendedACLsareusedforchecksontrafficpassingthroughthedevice.











Controlplanecriticaltraffic-inbound

BGP

1 TCP 212.241.243.217 Any 212.241.243.218 179 No Any No

2 TCP 212.241.243.217 179 212.241.243.218 Any No Any No

3 TCP 192.168.224.154 Any 192.168.224.153 179 No Any No

4 TCP 192.168.224.154 179 192.168.224.153 Any No Any No

5 TCP 192.168.224.150 Any 192.168.224.149 179 No Any No

6 TCP 192.168.224.150 179 192.168.224.149 Any No Any No

7 TCP 192.168.224.162 Any 192.168.224.161 179 No Any No

8 TCP 192.168.224.162 179 192.168.224.161 Any No Any No

9 TCP 192.168.123.123 Any 192.192.192.192 21 No Any No

DHCP

10 UDP 0.0.0.0 Any 255.255.255.255 67 No Any No

11 UDP 10.1.23.1 67 Any 67 No Any No

CSMProbesHTTP

12 TCP 192.168.224.10 Any 192.168.224.51 80 No Any No

13 TCP 192.168.224.10 Any 192.168.224.52 80 No Any No

14 TCP 192.168.224.51 80 192.168.224.10 Any No Any No

15 TCP 192.168.224.52 80 192.168.224.10 Any No ESTABLISHED No

16 TCP 192.168.224.11 Any 192.168.224.51 80 No Any No

17 TCP 192.168.224.11 Any 192.168.224.52 80 No Any No

18 TCP 192.168.224.51 80 192.168.224.11 Any Yes Any No

19 TCP 192.168.224.52 80 192.168.224.11 Any No Any No

CSMProbesHTTPS

20 TCP 192.168.224.10 Any 192.168.224.51 443 No Any No

21 TCP 192.168.224.10 Any 192.168.224.52 443 No Any Yes

22 TCP 192.168.224.51 443 192.168.224.10 Any No Any No

23 TCP 192.168.224.52 443 192.168.224.10 Any No Any No

24 TCP 192.168.224.11 Any 192.168.224.51 443 No Any Yes

25 TCP 192.168.224.11 Any 192.168.224.52 443 No Any No

26 TCP 192.168.224.51 443 192.168.224.11 Any No Any No

27 TCP 192.168.224.52 443 192.168.224.11 Any No Any No

CSMProbesICMP

28 ICMP 192.168.224.10 192.168.224.51 No Any No

29 ICMP 192.168.224.10 192.168.224.52 No Any No

30 ICMP 192.168.224.51 192.168.224.10 No Any No

31 ICMP 192.168.224.52 192.168.224.10 No Any No

Table643:ExtendedIPv4ACLcp-critical-in

32 ICMP 192.168.224.11 192.168.224.51 No Any No

33 ICMP 192.168.224.11 192.168.224.52 No Any No

34 ICMP 192.168.224.51 192.168.224.11 No Any No

35 ICMP 192.168.224.52 192.168.224.11 No Any No

36 Any Any Any Any Any No Any No



1 TCP Any Any Any Any No





3 TCP Any Any 192.168.30.40 161 No

4 TCP 192.168.20.10 Any 192.168.30.40 161 No

5 TCP 192.168.20.12 Any 192.168.30.40 161 No

6 TCP Any Any 192.168.30.56 9876 No


8 TCP Any Any 192.168.30.56 9876 No

9.3.13.2StandardIPv4ACL

StandardACLsonlydefinetheIPv4sourceaddressandprocessthenetworkpacketssolelybasedonthat.StandardACLsaretypicallyusedtorestrictaccesstodeviceservicesorprotocols.



1 192.168.2.1 No

2 172.10.1.35 No

3 10.0.0.1 No

4 192.168.0.1 No

5 Any Yes



1 Any No



1 Any No



1 Any No

9.3.14IPSSettings

CiscoRouterdevicescanbeconfiguredtodetectnetworktrafficpatternsthataretypicallyassociatedwithmaliciousactivityorissimplyundesirable.IPSsettingsarethosethatenablethedevicetopreventthepotentiallymaliciousnetworkactivitybyblockingthenetworktrafficwhendetected.Thissectiondetailsthoseconfigurationsettings.

Table650:GeneralIPSsettings

Description Setting

CiscoExpressForwarding Enabled

CiscoExpressForwardingIPv6 Disabled

Table651:IPSsettings

IPSFeature Setting

UnicastRPFVerification EnabledonLoopback1

EnabledonFastEthernet0/0

EnabledonFastEthernet0/1

EnabledonATM0/1/0

EnabledonAsync0/0/0

9.3.15RemoteAccessSettings

Thissectiondescribestheconfigurationoftheremoteaccessservices.Eachsubsectioncoversaspecificremoteaccessservice.


Thissectiondetailsthegeneralremoteaccessconfigurationsettings.

Table652:Generalremoteaccesssettings

Description Setting

VPNEnabled No

9.3.16TimeAndDate

Itcanbecriticallyimportantthatthetimeanddatesetonallnetworkdevicesmatch.Manyauthenticationservicesdependonthetimebetweendevicesbeingsynchronized,ifaclockisoutsideathresholdthenthatdevicemaynolongerbeabletoperformauthentication.Furthermore,diagnosingissueswiththeuseofmessagelogsbecomesmuchmorecumbersomeifthetimeanddatesbetweendevicesdonotmatch.CiscoRouterdevicescanbeconfiguredtoobtaintimeupdatesfromanetworktimesource.Thissectiondetailsthetimeanddateconfigurationsettings.

9.3.16.1TimeZones

Table653:GeneralTimeSettings

Description Setting

TimeZone UTC

SummerTimeDaylightSaving Disabled

9.3.16.2NTPClientConfiguration

CiscoRouterdevicescanbeconfiguredtosynchronizetheirtimefromaNTPtimesource(RFC1305http://www.faqs.org/rfcs/rfc1305.html).ThissectiondetailsthoseNTPclientconfigurationsettings.

Table654:NTPclientsettings

Description Setting

NTPClient Enabled

AcceptBroadcastUpdates Disabled

AcceptMulticastUpdates Disabled

NTPAuthentication Enabled

SourceInterface Loopback0

Table655detailstheNTPtimesourcesusedtoprovidethetimeupdatestothedevice.

Table655:NTPclienttimesources

Address AuthKey Version

11.11.11.11 5 3

NTPclientsettingsonCiscoRouterdevicescanbeconfiguredonindividualinterfaces.ThesearelistedinTable656.

Interface Active NTP NTPBroadcasts NTPMulticasts

Loopback0 Yes Disabled Disabled Disabled

Table656:InterfaceNTPclientsettings

Loopback1 Yes Disabled Disabled Disabled

FastEthernet0/0 Yes Enabled Disabled Disabled

FastEthernet0/1 No Enabled Disabled Disabled

ATM0/1/0 No Enabled Disabled Disabled

Async0/0/0 Yes Enabled Disabled Disabled

9.3.16.3NTPServerConfiguration

CiscoRouterdevicescanbeconfiguredtoprovideanNTPtimesourceforothernetworkdevices.ThissectiondetailstheNTPserverconfiguration.

Table657:NTPserverconfiguration

Description Setting

NTPService Enabled

MulticastNTPServer Disabled

BroadcastNTPServer Disabled

NTPMaster Disabled

NTPserversettingsonCiscoRouterdevicescanbeconfiguredonindividualinterfaces.ThesearelistedinTable658.

Table658:InterfaceNTPserversettings

Interface Active NTP BroadcastServer BroadcastVersion MulticastAddress MulticastKey MulticastVersion

Loopback0 Yes Disabled Disabled 3 3

Loopback1 Yes Disabled Disabled 3 3

FastEthernet0/0 Yes Enabled Disabled 3 3

FastEthernet0/1 No Enabled Disabled 3 3

ATM0/1/0 No Enabled Disabled 3 3

Async0/0/0 Yes Enabled Disabled 3 3

9.3.16.4TimeSynchronizationAuthenticationKeys

Thissectiondetailsthetimesynchronizationauthenticationkeyconfiguration.

Table659:Timesynchronizationauthenticationkeys

ID KeyString Trusted

5 (ENCRYPTED) Yes


10RawConfiguration10.1Introduction

Thissectiondetailstherawconfigurationofadevicewithoutperforminganyinterpretationofthecontent.Therefore,tounderstandtheinformationshowninthissectionwillrequiresometechnicalknowledge.


10.2CiscoRouterrouter03RawConfiguration1router03#shrun

2Buildingconfiguration...

3

4Currentconfiguration:anumberofbytes

5!

6!LastconfigurationchangeatsometimeFriJune102006byanyone

7!NVRAMconfiglastupdatedatsometimeSatAugust22006byanyone

8!

9!Passwith--edgetoproduceallroutererrors.

10

11version12.3

12servicetcp-keepalives-out

13!

14hostnamerouter03

15!

16clocktimezoneGMT0

17clocksummer-timeGMTrecurring

18ipdomain-namenipper.org

19privilegeexeclevelchicken

20enablepasswordcisco

21keychaintestchain

22key1

23key-string7044B0A151C36435C0D

24usernametempprivilege15password7095C4F1A0A1218000F

25usernametestuserprivilege15password7095C4F1A0A1218000F

26usernamelocaluserprivilege15password7095C4F1A0A1218000F

27bootnetwork

28servicefinger

29servicetcp-small-servers

30serviceudp-small-servers

31securitypasswordsmin-length2

32snmp-servercommunitypublicRO20

33snmp-servercommunityprivateRW

34snmp-serverlocationSomewhere

35snmp-serverhost192.168.20.30privatesnmp

36snmp-serverhost192.168.20.40privatesnmp

37snmp-serversystem-shutdown

38!

39bannerlogin^C

40Thisisatestbanner.

41^C

42!

43keychainrouting-chain

44key1

45key-stringcisco

46!

47ntpserver1.1.1.1

48!

49interfaceGigabitEthernet1/1

50descriptionFirstinterfaceonswitch

51speed100

52duplexfull

53ipaddress10.0.0.1

54ipdirected-broadcast

55ipospfnetworkpoint-to-multipoint

56switchportmodetrunk

57ipmask-reply

58noipproxy-arp

59vrrp2ip192.168.4.2

60vrrp2authenticationtextpassword

61ipripauthenticationkey-chainrouting-chain

62ipripauthenticationmodetext

63standbyip192.168.5.10

64standbyversion2

65standbyauthenticationtextPassw0rd

66glbp44ip192.168.8.42

67glbp44authenticationtextPassw0rd

68!

69interfaceGigabitEthernet1/2

70descriptionSecondinterfaceonswitch

71speed100

72duplexfull

73ipaddress10.0.0.2

74ipdirected-broadcast

75ipospfnetworkpoint-to-multipoint

76iphold-timeeigrp314

77switchportmodetrunk

78ipmask-reply

79vrrp3ip192.168.3.2

80ipripsendversion2

81standby20ip192.168.5.20

82glbp40ip192.168.7.42

83!

84ipaccess-listextendednamed-acl-1

85denyiphost172.168.2.3any


87permitipanyany


89permitiphost192.168.76.4any


91!

92ipaccess-listextendedcp-critical-in

93remarkControlplanecriticaltraffic-inbound

94remarkBGP

95permittcphost212.241.243.217host212.241.243.218eqbgp

96permittcphost212.241.243.217eqbgphost212.241.243.218







103permittcphost192.168.123.123host192.192.192.192eqftp

104remarkDHCP

105permitudphost0.0.0.0host255.255.255.255eqbootps

106permitudphost10.1.23.1eqbootpsanyeqbootps

107remarkCSMProbesHTTP

108permittcphost192.168.224.10host192.168.224.51eqwww


110permittcphost192.168.224.51eqwwwhost192.168.224.10

111permittcphost192.168.224.52eqwwwhost192.168.224.10established



114permittcphost192.168.224.51eqwwwhost192.168.224.11fragments


116remarkCSMProbesHTTPS

117permittcphost192.168.224.10host192.168.224.51eq443

118permittcphost192.168.224.10host192.168.224.52eq443log

119permittcphost192.168.224.51eq443host192.168.224.10






125remarkCSMProbesICMP

126permiticmphost192.168.224.10host192.168.224.51echo


128permiticmphost192.168.224.51host192.168.224.10echo-reply






134denyipanyany

135access-list110permittcpanyany

136access-list120permitip50.60.0.00.0.255.255any

137access-list120permittcpanyeqftpanylog-input

138access-list120permittcpanyhost192.168.30.40eqsnmp

139access-list120permittcphost192.168.20.10host192.168.30.40eqsnmp


141access-list120permittcpanyhost192.168.30.56eq9876

142access-list120permittcpanyanyeq9876

143access-list120denytcpanyhost192.168.30.56eq9876

144access-list40permit192.168.2.1




148access-list40denyanylog

149!

150routereigrp14

151redistributeconnected

152redistributestatic

153network10.0.0.0

154network172.10.1.0

155distribute-list40out

156noauto-summary

157noeigrplog-neighbor-warnings

158!

159routerbgp1

160nosynchronization

161bgprouter-id192.168.56.5

162bgplog-neighbor-changes

163network192.168.22.1mask255.255.255.255

164neighborrouter01peer-group

165neighborrouter01remote-as12345

166neighborrouter01descriptionSitetoSiteConnection

167neighborrouter01version4

168noauto-summary

169!

170routerospf6

171network10.0.0.10.0.0.255area0.0.0.0

172network192.168.0.10.0.0.255area30.10.20.40

173area0.0.0.0range10.0.0.1255.255.255.0

174area30.10.20.40range192.168.0.1255.255.255.0

175!

176routereigrp3

177eigrprouter-id127.0.0.1

178network192.168.56.0

179!

180routerrip

181network10.0.0.0

182!

183!

184linecon0

185session-timeout25

186password7095C4F1A0A1218000F

187login

188lineaux0

189session-timeout25

190login


192linevty04

193access-class10invrf-also


195loggingsynchronous

196transportinputssh

197!

198end

199

200router03#

Table660:CiscoRouterrouter03ConfigurationHashes

Type Hash

MD5 2e14cef9f0af91f86d448a8f21338d37

SHA-1 3d9f619619bf459626c1e8aef13786a77a2d8bcc

SHA-256 3f61de3497272ed71a9626d360279381b912f205a58fe5e1d030ad0e3876a343


10.3CiscoRouterCiscoIOS15RawConfiguration1Currentconfigurationwithdefaultconfigurationsexposed:11447bytes

2!

3!Lastconfigurationchangeat12:42:43UTCWedAug242016byadmin

4!

5version15.0

6parsercache

7parserconfigpartition

8noservicelogbacktrace

9noserviceconfig

10noserviceexec-callback

11noservicenagle

12serviceslave-log

13noserviceslave-coredump

14noservicepadto-xot

15noservicepadfrom-xot

16noservicepadcmns

17noservicepad

18noservicetelnet-zeroidle

19servicetcp-keepalives-in

20servicetcp-keepalives-out

21servicetimestampsdebugdatetimemsecshow-timezone

22servicetimestampslogdatetimemsec

23servicepassword-encryption

24noserviceexec-wait

25noservicelinenumber

26noserviceinternal

27noservicescripting

28noservicecompress-config

29servicepromptconfig

30noserviceold-slip-prompts

31noservicept-vty-logging

32noservicedisable-ip-fast-frag

33noservicesequence-numbers

34noservicedhcp

35!

36hostnameCiscoIOS15

37!

38boot-start-marker

39boot-end-marker

40!

41nologgingdiscriminator

42loggingexception4096

43nologgingcount

44nologgingmessage-counterlog

45nologgingmessage-counterdebug

46loggingmessage-countersyslog

47nologgingsnmp-authfail

48nologginguserinfo

49loggingbuginf

50loggingqueue-limit100

51loggingqueue-limitesm0

52loggingqueue-limittrap100

53loggingbuffered4096

54loggingreloadmessage-limit1000notifications

55nologgingpersistent

56loggingrate-limitconsole10excepterrors

57loggingconsoleguaranteed

58loggingconsolecritical

59loggingmonitordebugging

60loggingcns-eventsinformational

61loggingon

62enablesecret5$1$8je9$O10MwM4HVnnM6rGeHFHel0

63enablepassword7095C4F1A0A1218000F

64!

65ipcholdqthresholdupper0

66ipcholdqthresholdlower0

67ipcheader-cachepermanent1000100

68ipcbuffersmin-free1

69ipcbuffersmax-free8

70ipcbufferspermanent2

71aaanew-model

72!

73!

74aaaauthenticationlogindefaultenable

75aaaauthenticationenabledefaultenable

76aaaaccountingexecdefault

77action-typenone

78!

79aaaaccountingcommands15default

80action-typenone

81!

82aaaaccountingnetworkdefault

83action-typenone

84!

85aaaaccountingconnectiondefault

86action-typenone

87!

88aaaaccountingsystemdefault

89action-typenone

90!

91!

92!

93!

94!

95!

96aaasession-idcommon

97!

98!

99!

100ceftableconsistency-checkIPv4auto-repairdelay10holddown300

101ceftableconsistency-checkIPv6auto-repairdelay10holddown300

102ceftablerate-monitor-period5

103errdisabledetectcauseall

104errdisablerecoveryinterval300

105dot11syslog

106dot11activity-timeoutunknowndefault60

107dot11activity-timeoutclientdefault60

108dot11activity-timeoutrepeaterdefault60

109dot11activity-timeoutworkgroup-bridgedefault60

110dot11activity-timeoutbridgedefault60

111dot11aaacsiddefault

112promptconfighostname-length20

113noipsource-route

114ipicmpredirectsubnet

115ipspdqueuethresholdminimum73maximum74

116!

117!

118!

119!

120ipcef

121ipcefload-sharingalgorithmuniversal34ED9DC6

122noipbootpserver

123noipdomainlookup

124ipdomainnametest.test

125ipipsmemorythreshold26

126ipigmpsnoopingvlan1

127ipigmpsnoopingvlan1mrouterlearnpim-dvmrp

128ipigmpsnooping

129noipv6cef

130ipv6cefload-sharingalgorithmuniversal34ED9DC6

131ipv6dhcppingpackets0

132!

133multilinkbundle-nameauthenticated

134!

135cwmpagent

136noenabledownload

137noenable

138requestoutstanding5

139parameterchangenotifyinterval60

140sessionretrylimit11

141managementserverusername00000C-CISCO1841V05-FCZ130693M0

142nomanagementserverpassword

143nomanagementserverurl

144noprovisioncode

145noconnectionrequestusername

146noconnectionrequestpassword

147nowanipaddress

148!

149!

150keychainkeychain

151key1

152key-string7020D0142

153!

154!

155!

156!

157nosnapnotificationexcludeserviceacl

158nosnapnotificationexcludeserviceeem

159nosnapnotificationexcludeservicesnapt

160licenseudipidCISCO1841snFCZ130693M0

161archive

162logconfig

163norecordrc

164nologgingenable

165loggingsize100

166nonotifysyslogcontenttypeplaintext

167nonotifysyslogcontenttypexml

168nohidekeys

169pathflash:rollbackconfig

170maximum2

171norollbackfilteradaptive

172rollbackretrytimeout0

173nowrite-memory

174time-period0

175filepromptalert

176emmclear1b5b324a1b5b303b30480d

177vtpfileflash:vlan.dat

178vtpmodetransparent

179vtpversion1

180modemcall-recordtersemax-userid30

181usernameadminsecret5$1$spr6$R9GYbviV7MFKSwoAsb0MD0

182usernameTestsecret5$1$cM/.$55zreXKAkf234gowEWj6j0

183!

184redundancy

185nomaintenance-mode

186scriptingtcllow-memory63198267

187scriptingtcltrustpointuntrustedterminate

188noscriptingtclsecure-mode

189!

190!

191iptftpsource-interfaceLoopback0

192ipsshtime-out120

193ipsshauthentication-retries3

194ipsshbreak-string~break

195ipsshversion2

196ipsshdhminsize1024

197!

198nocryptoisakmpdiagnoseerror

199!

200!

201!

202!

203!

204!

205interfaceLoopback0

206noipaddress

207ipredirects

208noipproxy-arp

209ipload-sharingper-destination

210ipcefaccountingnon-recursiveinternal

211snmptraplink-status

212!

213!

214interfaceLoopback1

215noipaddress

216ipredirects

217noipproxy-arp

218ipverifyunicastsourcereachable-viarx




222!

223!

224interfaceFastEthernet0/0

225ipaddress192.168.0.17255.255.255.0

226ipredirects

227noipproxy-arp

228ipauthenticationmodeeigrp1md5

229ipauthenticationkey-chaineigrp1keychain



232ipripauthenticationmodemd5

233ipripauthenticationkey-chainkeychain

234ipospfmessage-digest-key1md5704500E1F

235speedauto

236half-duplex


238nomopenabled

239!

240!

241interfaceFastEthernet0/1

242noipaddress

243ipredirects

244noipproxy-arp



247shutdown

248duplexauto

249speedauto


251!

252!

253interfaceATM0/1/0

254noipaddress

255ipredirects

256noipproxy-arp



259shutdown

260atmrestarttimer300

261noatmilmi-keepalive

262dsloperating-modeauto

263nodslenable-training-log

264dslopen-delay5

265clockrateaal58000000

266clockrateaal28000000


268!

269!

270interfaceAsync0/0/0

271noipaddress

272ipredirects

273noipproxy-arp



276encapsulationslip


278!

279!




283permitipanyany




287!

288ipaccess-listextendedcp-critical-in

289remarkControlplanecriticaltraffic-inbound

290remarkBGP









299permittcphost192.168.123.123host192.192.192.192eqftp

300remarkDHCP

301permitudphost0.0.0.0host255.255.255.255eqbootps

302permitudphost10.1.23.1eqbootpsanyeqbootps

303remarkCSMProbesHTTP




307permittcphost192.168.224.52eqwwwhost192.168.224.10established



310permittcphost192.168.224.51eqwwwhost192.168.224.11fragments


312remarkCSMProbesHTTPS









321remarkCSMProbesICMP









330denyipanyany

331access-list110permittcpanyany

332access-list120permitip50.60.0.00.0.255.255any

333access-list120permittcpanyeqftpanylog-input

334access-list120permittcpanyhost192.168.30.40eqsnmp



337access-list120permittcpanyhost192.168.30.56eq9876

338access-list120permittcpanyanyeq9876

339access-list120denytcpanyhost192.168.30.56eq9876





344access-list40denyanylog

345!

346routereigrpname

347!

348address-familyipv4unicastautonomous-system1

349!

350af-interfacedefault

351authenticationmodemd5

352authenticationkey-chainkeychain

353exit-af-interface

354!

355topologybase

356exit-af-topology

357exit-address-family

358!

359routerospf1

360log-adjacency-changes

361area0authenticationmessage-digest

362!

363routerrip

364network3.0.0.0

365!

366routerbgp1

367nosynchronization

368bgplog-neighbor-changes

369neighbor1.1.1.1remote-as3

370neighbor1.1.1.1password713151601181B0B382F

371neighbor1.2.3.4remote-as1

372neighbor1.2.3.4password703145A1815182E5E4A

373noauto-summary

374!

375ipdefault-gateway10.200.4.254

376ipforward-protocolnd

377noiphttpserver

378iphttpport80

379iphttpauthenticationenable

380noiphttpsecure-server

381iphttpsecure-port443

382iphttpsecure-active-session-modulesall

383iphttpmax-connections5

384iphttptimeout-policyidle180life180requests1

385iphttpactive-session-modulesall

386iphttpdigestalgorithmmd5

387iphttpclientcachememorypool100

388iphttpclientcachememoryfile2

389iphttpclientcacheagerinterval5

390iphttpclientconnectiontimeout10

391iphttpclientconnectionretry1

392iphttpclientconnectionpipeline-length5

393iphttpclientconnectionidletimeout30

394iphttpclientresponsetimeout30

395iphttppath

396!

397!

398iprtcpreportinterval5000

399iprtcpsub-rtcpmessage-type209

400iptacacssource-interfaceLoopback0

401!

402noipslaloggingtraps

403logginghistorysize1

404logginghistorywarnings

405loggingtrapinformational

406loggingdelimitertcp

407nologgingorigin-id

408loggingfacilitylocal7

409loggingsource-interfaceLoopback1

410logging10.10.10.10

411access-list1permitany



414mac-address-tableaging-time300

415nocdprun

416

417!

418!

419!

420!

421snmp-serverengineIDlocal8000000903000024977E9F46

422snmp-servergroupsnmpCISGroupv3privmatchexactreadv1default

423snmp-serverview*ilmisystemincluded

424snmp-serverview*ilmiatmForumUniincluded

425snmp-serverviewv1defaultisoincluded

426snmp-serverviewv1defaultinternet.6.3.15excluded



429snmp-serverviewv1defaultciscoMgmt.394excluded




433snmp-serverview*tv.00000001.00000000.00000000.00000000.000000000Fieee802dot11included

434snmp-serverview*tv.00000001.00000000.00000000.00000000.000000000Finternetincluded

435snmp-servercommunityTestcomv1defaultRO18

436snmp-servercommunitycisCommunityv1defaultRO3

437snmp-servercommunitytrapStringv1defaultRO3

438snmp-serverprioritynormal

439nosnmp-servertraplinkietf

440snmp-servertrapauthenticationvrf

441snmp-servertrapauthenticationacl-failure

442snmp-servertrapauthenticationunknown-content

443snmp-serverpacketsize1500

444snmp-serverqueue-limitnotification-host10

445snmp-serverchassis-idFCZ130693M0

446snmp-serverenabletrapssnmpauthenticationlinkdownlinkupcoldstart

447nosnmp-serverenabletrapsnhrpnhsup

448nosnmp-serverenabletrapsnhrpnhsdown

449nosnmp-serverenabletrapsnhrpnhcup

450nosnmp-serverenabletrapsnhrpnhcdown

451nosnmp-serverenabletrapsnhrpnhpup

452nosnmp-serverenabletrapsnhrpnhpdown

453nosnmp-serverenabletrapsnhrpquota-exceeded

454snmp-serverhost1.2.3.4trapsversion1trapStringudp-port162snmp

455snmp-serverinformretries3timeout15pending25

456snmpmibeventsampleminimum60

457snmpmibeventsampleinstancemaximum0

458snmpmibexpressiondeltaminimum1

459snmpmibexpressiondeltawildcardmaximum0

460snmpmibnhrp

461snmpmibnotification-logglobalsize500

462snmpmibnotification-logglobalageout15

463snmpmibcommunity-mapILMIengineid8000000903000024977E9F46

464snmpmibcommunity-mapTestcomengineid8000000903000024977E9F46

465snmpmibcommunity-mapcisCommunityengineid8000000903000024977E9F46

466snmpmibcommunity-maptrapStringengineid8000000903000024977E9F46

467!

468tacacs-serverhost18.1.1.1

469!

470control-plane

471!

472!

473aliasatm-vc-configvbrvbr-nrt

474aliasexechhelp

475aliasexeclologout

476aliasexecpping

477aliasexecrresume

478aliasexecsshow

479aliasexecuundebug

480aliasexecunundebug

481aliasexecwwhere

482bannerexec^C

483Thisistheexecbanner^C

484bannerlogin^C

485Thisistheloginbanner^C

486bannermotd^C

487Thisisthemotdbanner^C

488default-valueexec-character-bits7

489default-valuespecial-character-bits7

490default-valuedata-character-bits8

491!

492linecon0

493exec-timeout90

494loginauthenticationcisTest

495lineaux0

496exec-timeout90


498noexec

499line0/0/0

500exec-timeout90


502stopbits1

503speed115200

504flowcontrolhardware

505linevty04

506access-class1in

507exec-timeout90

508password7021605481811003348



511linevty5807

512access-class1in

513exec-timeout90



516!

517schedulerallocate200001000

518ntpauthentication-key5md5140713181F132539207

519ntpauthenticate

520ntptrusted-key5

521ntpsourceLoopback0

522ntpserver11.11.11.11key5

523cnsidhostname

524cnsidhostnameevent

525cnsidhostnameimage

526cnsimageretry60

527netconfmax-sessions4

528netconflock-time10

529netconfmax-message0

530eventmanagerschedulerscriptthreadclassdefaultnumber1

531eventmanagerschedulerappletthreadclassdefaultnumber32

532eventmanagerhistorysizeevents10

533eventmanagerhistorysizetraps10

534end

Table661:CiscoRouterCiscoIOS15ConfigurationHashes

Type Hash

MD5 391387404dfd26d441f3da414addc7f5

SHA-1 ad6fce43eea8726cadb77bb16843fcad276cfd49

SHA-256 c2d4f4da2c8ef96a760bfcb79c1474234d8212fd44b44101de035e4c5580770b


11Appendix11.1LoggingSeverityLevels

Loggingmessageseveritylevelsprovideawayoftagginglogmessageswithanindicationofhowsignificantthemessageis.Table662liststhevariousstandardloggingseveritylevelsthatcanbeconfigured.

Table662:Loggingmessageseveritylevels

Level Name Description

0 Emergencies Thesystemisunusable.

1 Alerts Immediateactionisrequired

2 Critical Criticalconditions

3 Errors Errorconditions

4 Warnings Warningconditions

5 Notifications Significantconditions

6 Informational Informationalmessages

7 Debugging Debuggingmessages


11.2OSPFLSAMessageTypes

OSPFisaroutingprotocolwhichisdesignedtodynamicallyadjusttonetworktopologychanges,updatingitsownroutingtablesandnotifyingothernetworkdevicesofthechanges.OSPFroutersexchangeinformationusingLSAmessages.ThissectiondetailsthedifferentOSPFLSAmessagetypes.

Type Brief Description

1 RouterLSA Thesemessagesaresentonlywithinthedefinedareaandliststherouters,thenetworksandtheirmetrics.

Table663:OSPFLSAmessagetypes

2 NetworkLSA Thedesignatedroutersendsthesemessagescontainingalistofroutersonasegment.Thesemessagesaresentonlywithinthedefinedarea.

3 SummaryLSA AnABRsendsaroutingsummaryLSAmessagesforitsattachedareastootherarearouters.ThesemessagesenablescalabilitywithotherOSPFarea

routersbeingsentsummaryinformationaboutotherareas.

4 ASBRSummary

LSA

ThismessagetypecontainsadditionalroutesummaryinformationforASBR.

5 ExternalLSA Thesemessagescontainroutinginformationextractedfromalternativeroutingprocesses.Thesemessagesaresenttoallareas,exceptstubs.

6 GroupMessage

LSA

ThismessagetyperelatestoMOSPFandisnotingeneraluse.

7 NSSARouters RoutersinNSSAwillnotreceiveupdatesfromABRasexternalLSAarenotpermitted.Insteadthistypeofmessageisusedtosummarizeexternalroutes

toABR.

8 IPv6LSA ThesemessagescontaininformationIPv6addressingandinternetworkingBGP.

9 LinkLocal

OpaqueLSA

Thesemessagescontainprefixesforstubandtransitnetworks.

10 AreaLocal

OpaqueLSA

Thesemessagescontaininformationthatshouldbesenttootherrouterseveniftheroutersareunabletounderstandtheinformation.

11 OpaqueLSA Thesemessagescontaininformationthatshouldbesenttootherrouters,exceptstubareas.


11.3CommonTimeZones

Whensynchronisingtimefromacentralsource,timezonescanconfiguredinordertooffsetthetimeinformationforaspecificlocality.Thissectiondetailsthemostcommontimezones.

Table664:Commontimezones

Region Acronym TimeZone UTCOffset

Australia CST CentralStandardTime +9.5hours

Australia EST EasternStandard/SummerTime +10hours

Australia WST WesternStandardTime +8hours

Europe BST BritishSummerTime +1hour

Europe CEST CentralEuropeSummerTime +2hours

Europe CET CentralEuropeTime +1hour

Europe EEST EasternEuropeSummerTime +3hours

Europe EST EasternEuropeTime +2hours

Europe GMT GreenwichMeanTime

Europe IST IrishSummerTime +1hour

Europe MSK MoscowTime +3hours

Europe WEST WesternEuropeSummerTime +1hour

Europe WET WesternEuropeTime +1hour

USAandCanada ADT AtlanticDaylightTime -3hours

USAandCanada AKDT AlaskaStandardDaylightSavingTime -8hours

USAandCanada AKST AlaskaStandardTime -9hours

USAandCanada AST AtlanticStandardTime -4hours

USAandCanada CDT CentralDaylightSavingTime -5hours

USAandCanada CST CentralStandardTime -6hours

USAandCanada EDT EasternDaylightTime -4hours

USAandCanada EST EasternStandardTime -5hours

USAandCanada HST HawaiianStandardTime -10hours

USAandCanada MDT MountainDaylightTime -6hours

USAandCanada MST MountainStandardTime -7hours

USAandCanada PDT PacificDaylightTime -7hours

USAandCanada PST PacificStandardTime -3hours


11.4IPProtocols

ThissectionliststheIPprotocolsreferencedwithinthisreport.

Name Description ID RFC

NVP NetworkVoiceProtocol 11 RFC741

Reserved 255

UseforExperimentationandTesting 253-254 RFC3692

Unassigned 140-252

HIP HostIdentityProtocol 139 RFC5201

MANET MANETProtocols 138

MPLS-in-IP EncapsulatingMPLSinIP 137 RFC4023

UDPLite LightweightUDP 136 RFC3828

MobilityHeader MobilitySupportinIPv6 135 RFC3775

RSVP-E2E-IGNORE RSVPforIPv4andIPv6 134 RFC3175

FC FibreChannel 133

SCTP StreamControlTransmissionProtocol 132

PIPE PrivateIPEncapsulationwithinIP 131

SPS SecurePacketShield 130

IPLT IPLT 129

SSCOPMCE SSCOPMCE 128

CRUDP CombatRadioUserDatagram 127

CRTP CombatRadioTransportProtocol 126

FIRE FIRE 125

ISISoverIPv4 IntermediateSystemtoIntermediateSystemoverIPv4 124

PTP PerformanceTransparencyProtocol 123

SM SM 122

SMP SimpleMessageProtocol 121

UTI UTI 120

SRP SpectraLinkRadioProtocol 119

STP ScheduleTransferProtocol 118

IATP InteractiveAgentTransferProtocol 117

DDX D-IIDataExchange 116

L2TP LayerTwoTunnelingProtocol 115

Any0HopProtocol 114

PGM PGMReliableTransportProtocol 113

VRRP VirtualRouterRedundancyProtocol 112 RFC3768

IPX-in-IP IPXinIP 111

Compaq-Peer CompaqPeerProtocol 110

SNP SitaraNetworksProtocol 109

PCP IPPayloadCompressionProtocol 108 RFC3173

IPComp IPPayloadCompressionProtocol 108 RFC3173

A/N ActiveNetworks 107

QNX QNX 106

SCPS SCPS 105

ARIS ARIS 104

PIM ProtocolIndependentMulticastP 103

PNNI PNNIoverIP 102

IFMP IpsilonFlowManagementProtocol 101

GMTP GMTP 100

AnyPrivateEncryptionScheme 99

ENCAP EncapsulationHeader 98 RFC1241

ETHERIP Ethernet-within-IPEncapsulation 97 RFC3378

SCC-SP SemaphoreCommunicationsSecurityProtocol 96

MICP MobileInternetworkingControlProtocol 95

NOS KA9QNOS 94

IPIP IP-within-IPEncapsulationProtocol 94

AX.25 AX.25Frames 93

MTP MulticastTransportProtocol 92

LARP LocusAddressResolutionProtocol 91

Sprite-RPC SpriteRPCProtocol 90

OSPF OpenShortestPathFirst 89 RFC1583

EIGRP EnhancedIGRP 88

TCF TCF 87

DGP DissimilarGatewayProtocol 86

NSFNET-IGP NSFNET-IGP 85

TTP TTP 84

VINES VINES 83

SECURE-VMTP SecureVMTP 82

VMTP VersatileMessageTransactionProtocol 81 RFC1045

ISO-IP ISOInternetProtocol 80

WB-EXPAK WIDEBANDEXPAK 79

WB-MON WIDEBANDMonitoring 78

SUN-ND SUNNDPROTOCOL-Temporary 77

BR-SAT-MON BackroomSATNETMonitoring 76

PVP PacketVideoProtocol 75

WSN WangSpanNetwork 74

CPHB ComputerProtocolHeartBeat 73

CPNX ComputerProtocolNetworkExecutive 72

IPCV InternetPacketCoreUtility 71

VISA VISAProtocol 70

SAT-MON SATNETMonitoring 69

AnyDistributedFileSystem 68

IPPC InternetPluribusPacketCore 67

RVD MITRemoteVirtualDiskProtocol 66

KRYPTOLAN Kryptolan 65

SAT-EXPAK SATNETandBackroomEXPAK 64

AnyLocalNetwork 63

CFTP CFTP 62

AnyHostInternalProtocol 61

Opts6 DestinationOptionsforIPv6 60 RFC1883

IPv6-Opts DestinationOptionsforIPv6 60 RFC1883

NoNxt6 NoNextHeaderforIPv6 59 RFC1883

IPv6-NoNxt NoNextHeaderforIPv6 59 RFC1883

ICMP6 ICMPforIPv6 58 RFC1883

IPv6-ICMP ICMPforIPv6 58 RFC1883

SKIP SKIP 57

TLSP TransportLayerSecurityProtocol 56

MOBILE IPMobility 55

NARP NBMAAddressResolutionProtocol 54 RFC1735

SWIPE IPwithEncryption 53

I-NLSP IntegratedNetLayerSecurityProtocol 52

AHP AuthenticationHeader 51 RFC2402

AH AuthenticationHeader 51 RFC2402

ESP EncapsulatingSecurityPayload 50 RFC2406

BNA BNA 49

DSR DynamicSourceRoutingProtocol 48 RFC4728

GRE GeneralRoutingEncapsulation 47

RSVP ReservationProtocol 46

IDRP Inter-DomainRoutingProtocol 45

IPv6-Frag FragmentHeaderforIPv6 44

IPv6-Route RoutingHeaderforIPv6 43

SDRP SourceDemandRoutingProtocol 42

IPv6 IPv6inIPv4(encapsulation) 41

IL ILTransportProtocol 40

TP++ TP++TransportProtocol 39

IDPR-CMTP IDPRControlMessageTransportProtocol 38

DDP DatagramDeliveryProtocol 37

XTP XTP 36

IDPR Inter-DomainPolicyRoutingProtocol 35

3PC ThirdPartyConnectProtocol 34

DCCP DatagramCongestionControlProtocol 33 RFC4340

MERIT-INP MERITInternodalProtocol 32

MFE-NSP MFENetworkServicesProtocol 31

NETBLT BulkDataTransferProtocol 30 RFC969

ISO-TP4 ISOTransportProtocolClass4 29 RFC905

IRTP InternetReliableTransactioProtocol 28 RFC938

RDP ReliableDataProtocol 27 RFC908

LEAF-2 Leaf-2 26

LEAF-1 Leaf-1 25

TRUNK-2 Trunk-2 24

TRUNK-1 Trunk-1 23

Table665:IPProtocols

XNS-IDP XEROXNSIDP 22

PRM PacketRadioMeasurement 21

HMP HostMonitoringProtocol 20 RFC869

DCN-MEAS DCNMeasurementSubsystems 19

MUX Multiplexing 18

UDP UserDatagramProtocol 17 RFC768

CHAOS Chaos 16

XNET CrossNetDebugger 15

EMCON EMCON 14

ARGUS ARGUS 13

PUP PARCUniversalPacket 12

NVP-II NetworkVoiceProtocol 11 RFC741

BBN-RCC-MON BBNRCCMonitoring 10

IGP InteriorGatewayProtocol 9

IGRP InteriorGatewayProtocol 9

EGP ExteriorGatewayProtocol 8 RFC888

CBT CBT 7

TCP TransmissionControlProtocol 6 RFC793

ST Stream 5 RFC1819

IPINIP IPinIP(encapsulation) 4 RFC2003

IPIP IPinIP(encapsulation) 4 RFC2003

GGP Gateway-to-Gateway 3 RFC823

IGMP InternetGroupManagement 2 RFC1112

ICMP InternetControlMessage 1 RFC792

HOPOPT IPv6Hop-by-HopOption 0 RFC1883


11.5ICMPTypes

ThissectionliststheICMPtypesreferencedwithinthisreport.

Description Type Code RFC

NeedAuthorization 40 5 RFC2521

NeedAuthentication 40 4 RFC2521

DecryptionFailed 40 3 RFC2521

DecompressionFailed 40 2 RFC2521

AuthenticationFailed 40 1 RFC2521

BadSPI 40 0 RFC2521

Photuris 40 -1 RFC2521

SKIP 39 -1

DomainNameReply 38 -1 RFC1788

DomainNameRequest 37 -1 RFC1788

MobileRegistrationReply 36 -1

MobileRegistrationRequest 35 -1

IPv6I-Am-Here 34 -1

IPv6Where-Are-You 33 -1

MobileHostRedirect 32 -1

DatagramConversionError 31 -1 RFC1475

Traceroute 30 -1 RFC1393

AddressMaskReply 18 -1 RFC950

AddressMaskRequest 17 -1 RFC950

InformationReply 16 -1 RFC792

InformationRequest 15 -1 RFC792

TimestampReply 14 -1 RFC792

TimestampRequest 13 -1 RFC792

BadLength 12 2 RFC1108

MissingaRequiredOption 12 1 RFC1108

PointerIndicatestheError 12 0 RFC792

ParameterProblem 12 -1 RFC792

FragmentReassemblyTimeExceeded 11 1 RFC792

TimetoLiveExceededinTransit 11 0 RFC792

Table666:ICMPTypes

TimeExceeded 11 -1 RFC792

RouterSolicitation 10 -1 RFC1256

DoesNotRouteCommonTraffic 9 16 RFC2002

RouterAdvertisement 9 0 RFC1256

EchoRequest 8 -1 RFC792

Echo 8 -1 RFC792

AlternateHostAddress 6 -1 RFC792

RedirectDatagramfortheTypeofServiceandHost 5 3 RFC792

RedirectDatagramfortheTypeofServiceandNetwork 5 2 RFC792

RedirectDatagramfortheHost 5 1 RFC792

RedirectDatagramfortheNetwork(orsubnet) 5 0 RFC792

Redirect 5 -1 RFC792

SourceQuench 4 -1 RFC792

PrecedenceCutoffinEffect 3 15 RFC1812

HostPrecedenceViolation 3 14 RFC1812

CommunicationAdministrativelyProhibited 3 13 RFC1812

DestinationHostUnreachableforTypeofService 3 12 RFC1122

DestinationNetworkUnreachableforTypeofService 3 11 RFC1122

CommunicationwithDestinationHostisAdministrativelyProhibited 3 10 RFC1122

CommunicationwithDestinationNetworkisAdministrativelyProhibited 3 9 RFC1122

SourceHostIsolated 3 8 RFC1122

DestinationHostUnknown 3 7 RFC1122

DestinationNetworkUnknown 3 6 RFC1122

SourceRouteFailed 3 5 RFC792

FragementationNeeded 3 4 RFC792

PortUnreachable 3 3 RFC792

ProtocolUnreachable 3 2 RFC792

HostUnreachable 3 1 RFC792

NetUnreachable 3 0 RFC792

DestinationUnreachable 3 -1 RFC792

EchoReply 0 -1 RFC792


11.6Abbreviations

Abbreviation Description

VTY VirtualTeletype

VTP VLANTrunkingProtocol

VRRP VirtualRouterRedundancyProtocol

VPN VirtualPrivateNetwork

VLAN VirtualLocalAreaNetwork

UTC CoordinatedUniversalTime

URL UniformResourceLocator

UDP UserDatagramProtocol

TFTP TrivialFileTransferProtocol

TCP TransmissionControlProtocol

TACACS+ TerminalAccessControllerAccessControlSystemPlus

TACACS TerminalAccessControllerAccessControlSystem

STIG SecurityTechnicalImplementationGuide

SSP SystemSecurityPlan

SSL SecureSocketsLayer

SSH SecureShell

SNMP SimpleNetworkManagementProtocol

SHA1 SecureHashStandard1

SFTP SecureFileTransferProtocol

SANS SysAdminAuditNetworkSecurity

RPF ReversePathForwarding

RIP RoutingInformationProtocol

RFC RequestForChange

RC4 RivestCipher4

RADIUS RemoteAuthenticationDial-InUserService

PII PersonallyIdentifiableInformation

PCI PaymentCardIndustry

PAD PacketAssembler/Disassembler

OSPF OpenShortestPathFirst

OS OperatingSystem

NTP NetworkTimeProtocol

NMS NetworkManagementSystem

MOTD MessageOfTheDay

MOP MaintenanceOperationsProtocol

MITM Man-In-The-Middle

MIB ManagementInformationBase

MD5 MessageDigest5

MAC MediaAccessControl

LSDB LinkStateDatabase

LSA LinkStateAdvertisement

LLDP LinkLayerDiscoveryProtocol

LAN LocalAreaNetwork

L2TPv3 Layer2TunnelingProtocolversion3

IPv6 InternetProtocolversion6

IPv4 InternetProtocolversion4

IPsec IPSecurityprotocol

IPS IntrusionProtectionSystem

IP InternetProtocol

IOS InternetOperatingSystem

IGRP InteriorGatewayRoutingProtocol

IGP InteriorGatewayProtocol

IEEE InstituteofElectricalandElectronicsEngineers

IDS IntrusionDetectionSystem

ID Identifier

ICMP InternetControlMessageProtocol

IAM InformationAssuranceManager

IA InformationAssurance

HTTPS HypertextTransferProtocoloverSSL

HTTP HypertextTransferProtocol

HSRP HotStandbyRoutingProtocol

GLBP GatewayLoadBalancingProtocol

FTP FileTransferProtocol

EIGRP EnhancedInteriorGatewayRoutingProtocol

EGP ExteriorGatewayProtocol

DSS DataSecurityStandard

DoS DenialofService

DoD DepartmentofDefence

DNS DomainNameSystem

DISA DefenceInformationSystemsAgency

DIACAP DoDInformationAssuranceCertificationandAccreditationProcess

DHCP DynamicHostConfigurationProtocol

DES DataEncryptionStandard

DEC DigitalEquipmentCorporation

DAA DesignatedApprovingAuthority

CPU CentralProcessingUnit

CLI CommandLineInterface

CIDR ClasslessInter-DomainRouting

CDP CiscoDiscoveryProtocol

BOOTP BOOTstrapProtocol

BGP BorderGatewayProtocol

AVG ActiveVirtualGateway

AVF ActiveVirtualForwarder

AUX Auxilary

ATO AuthoritytoOperate

ATM AsynchronousTransferMode

AS AutonomousSystems

ARP AddressResolutionProtocol

Table667:Abbreviations

ACL AccessControlList

3DES TripleDataEncryptionStandard


11.7NipperStudioVersion

ThisreportwaswrittenusingNipperStudioversion2.5.2.5130.


Audit Report - Nipper Studio - E-SPIN

Documents

Transcript of Audit Report - Nipper Studio - E-SPIN