Audit Report - Nipper Studio - E-SPIN
Nipper Studio
Audit Report 2 March 2017
Summary
Nipper Studio performed an audit on 2 March 2017 of the two network devices detailed in the scope. The audit consisted of the following components:
- a best practice security audit (Part 2);
- a software vulnerability audit report (Part 3);
- a CIS Benchmark audit (Part 4);
- a Defence Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) compliance report (Part 5);
- a SysAdmin Audit Network Security (SANS) policy compliance report (Part 6);
- a Payment Card Industry (PCI) compliance report (Part 7);
- a network filtering complexity report (Part 8);
- a configuration report (Part 9);
- a raw configuration report (Part 10).
Scope
The scope of this audit was limited to the two devices listed in Table 1.
Table 1: Audit device scope
Device        Name        OS
Cisco Router  router03    IOS 12.3
Cisco Router  CiscoIOS15  IOS 15.0
Security Audit Summary
Nipper Studio performed a security audit of the two devices detailed in the scope and identified 73 security-related issues. Although significant issues were identified, they did not comprise the most significant percentage of the issues identified by Nipper Studio. Each of the issues identified is described in greater detail in the main body of this report.
Nipper Studio identified a number of clear-text protocol related issues. It is important that all clear-text protocol services should be replaced with cryptographically secure alternatives in order to help prevent unauthorized eavesdropping of potentially sensitive data. Furthermore, the clear-text services are often used for administration purposes, and a malicious user, or attacker, who is able to monitor the communications may also gain access to authentication credentials that could then lead them to gain administrative access to the system.
Nipper Studio can draw the following statistics from the results of this security assessment (percentages have been rounded). 1 issue (1%) was rated as critical, 24 issues (33%) were rated as high, 18 issues (25%) were rated as medium, 19 issues (26%) were rated as low and 11 issues (15%) were rated as informational. The number of devices that contain vulnerabilities with a specific rating is as follows: 2 devices had issues rated as critical, 2 devices had issues rated as high, 2 devices had issues rated as medium, 2 devices had issues rated as low and 2 devices had issues rated as informational.
Table 2 details the number of issues identified for each audited device and the rating of the highest rated issue.
Table 2: Summary of findings for each device
Device        Name        Issues  Highest Rating
Cisco Router  router03    67      CRITICAL
Cisco Router  CiscoIOS15  24      CRITICAL
Vulnerability Audit Summary
Nipper Studio performed a vulnerability audit of the two devices detailed in the scope.
Table 3: Summary of findings from the Vulnerability Audit for each device
Device        Name        Critical  High  Medium  Low
Cisco Router  router03    13        89    29      2
Cisco Router  CiscoIOS15  3         100   29      0
CIS Benchmark Audit
Nipper Studio performed a CIS Benchmark audit on the device(s) detailed within the scope and identified a total of 55 issues that should be reviewed as soon as is practical. Each of the issues that were identified is described in greater detail in the main body of this report, and a table providing an overview of the issues raised can be found at the end of the CIS Benchmark report.
Table 4 below details the CIS Benchmark profile that has been run on each of the compatible devices (percentages have been rounded).
Table 4: List of profiles run on each device
Device               Profile  Passed  Failed  Manual  Score (Percentage)
router03 IOS 12.3    Level 2  23      52      14      25.84%
CiscoIOS15 IOS 15.0  Level 2  72      3       14      80.90%
DISA STIG Summary
Nipper Studio performed two DISA STIG compliance audits. Table 5 summarizes the findings.
Table 5: DISA STIG device compliance summary
Name        STIG                                                                    Version                    I Pass  I Fail  I Man  II Pass  II Fail  II Man  III Pass  III Fail  III Man
router03    Infrastructure L3 Switch Secure Technical Implementation Guide - Cisco  8 Release 21 (28/10/2016)  4       3       4      17       12       34      7         11        16
CiscoIOS15  Infrastructure Router Security Technical Implementation Guide Cisco     8 Release 21 (28/10/2016)  5       2       3      20       4        24      16        3         10
SANS Summary
Nipper Studio performed two SANS policy compliance audits. Table 6 summarizes the findings.
Table 6: Summary of findings for each device
Device        Name        Pass  Fail  Manual
Cisco Router  router03    2     8     28
Cisco Router  CiscoIOS15  7     4     38
Contents
1 Your Report
1.1 Introduction
1.2 Evaluation Use Only
1.3 Report Conventions
1.4 Compliance Check Results
1.5 Network Filtering Actions
1.6 Object Filter Types
2 Security Audit
2.1 Introduction
2.2 Users With Dictionary-Based Passwords
2.3 Default Simple Network Management Protocol (SNMP) Community Strings Were Configured
2.4 Border Gateway Protocol (BGP) Neighbors Configured With No Passwords
2.5 Not All Gateway Load Balancing Protocol (GLBP) Groups Were Authenticated
2.6 Clear-Text GLBP Group Authentication Was Configured
2.7 Not All Hot Standby Routing Protocol (HSRP) Groups Were Authenticated
2.8 Clear-Text HSRP Group Authentication Was Configured
2.9 Not All Open Shortest Path First (OSPF) Routing Updates Were Authenticated
2.10 Routing Information Protocol (RIP) Version 1 Was Configured
2.11 Clear-Text RIP Authentication Was Configured
2.12 Not All Virtual Router Redundancy Protocol (VRRP) Groups Were Authenticated
2.13 Clear-Text VRRP Group Authentication Was Configured
2.14 Not All Enhanced Interior Gateway Routing Protocol (EIGRP) Updates Were Authenticated
2.15 Not All RIP Updates Were Authenticated
2.16 Low VRRP Router Priorities
2.17 No VLAN Trunking Protocol (VTP) Authentication Password Was Configured
2.18 Low GLBP Group Priorities
2.19 Low HSRP Router Priorities
2.20 UDP Small Services Enabled
2.21 Enable Password Configured
2.22 Clear-Text SNMP In Use
2.23 SNMP Write Access Enabled
2.24 No Hypertext Transfer Protocol (HTTP) Server Session Timeout
2.25 No Inbound Transmission Control Protocol (TCP) Connection Keep-Alives
2.26 Interfaces Were Configured With No Filtering
2.27 Dictionary-Based Routing Protocol Authentication Keys
2.28 Dictionary-Based VRRP Group Authentication Keys
2.29 SNMP System Shutdown Enabled
2.30 BGP Neighbors Configured With Dictionary-Based Passwords
2.31 DTP Was Enabled
2.32 Clear Text HTTP Service Enabled
2.33 User Account Names Contained "admin"
2.34 Weak GLBP Group Authentication Keys
2.35 Weak HSRP Group Authentication Keys
2.36 Weak Routing Protocol Authentication Keys
2.37 Low OSPF Router Priorities
2.38 Users Configured With Weak Password Encryption
2.39 AUX Port Not Disabled
2.40 No BGP Route Flap Prevention
2.41 No RIP Update Neighbors Were Configured
2.42 No HTTP Service Network Access Restrictions
2.43 Syslog Logging Not Enabled
2.44 Network Time Protocol (NTP) Control Queries Were Permitted
2.45 No SNMP Trivial File Transfer Protocol (TFTP) Server Access List Configured
2.46 No OSPF Link State Advertisement (LSA) Thresholds
2.47 NTP Authentication Was Disabled
2.48 The Finger Service Was Enabled
2.49 Weak SNMP Community Strings Were Configured
2.50 Internet Protocol (IP) Directed Broadcasts Were Enabled
2.51 Service Password Encryption Disabled
2.52 Cisco Discovery Protocol (CDP) Was Enabled
2.53 SNMP Access Without Network Filtering
2.54 SNMP Access With No View
2.55 The BOOTP Service Was Not Disabled
2.56 Switch Port Security Disabled
2.57 VTP Was In Server Mode
2.58 IP Source Routing Was Enabled
2.59 Internet Control Message Protocol (ICMP) Address Mask Reply Messages Were Enabled
2.60 Proxy Address Resolution Protocol (ARP) Was Enabled
2.61 Weak Minimum Password Length Policy Setting
2.62 No Warning In Pre-Logon Banner
2.63 ICMP Unreachable Messages Were Enabled
2.64 Dictionary-Based SNMP Traps
2.65 Weak SNMP Traps
2.66 Domain Name System (DNS) Lookups Were Enabled
2.67 No Network Filtering Rules Were Configured
2.68 No Post Logon Banner Message
2.69 ICMP Redirect Messages Were Enabled
2.70 Packet Assembler/Disassembler (PAD) Service Enabled
2.71 Unrestricted Outbound Administrative Access
2.72 TCP Small Services Enabled
2.73 Switch Port Trunking Allows All Virtual Local Area Networks (VLANs)
2.74 Maintenance Operations Protocol (MOP) Enabled
2.75 Conclusions
2.76 Recommendations
2.77 Mitigation Classification
3 Vulnerability Audit
3.1 Introduction
3.2 CVE-2006-4950
3.3 CVE-2007-0480
3.4 CVE-2010-0580
3.5 CVE-2010-0581
3.6 CVE-2011-0935
3.7 CVE-2005-3481
3.8 CVE-2006-3291
3.9 CVE-2007-2586
3.10 CVE-2007-4286
3.11 CVE-2007-4292
3.12 CVE-2007-5381
3.13 CVE-2008-3807
3.14 CVE-2011-4012
3.15 CVE-2007-4285
3.16 CVE-2009-0628
3.17 CVE-2015-0635
3.18 CVE-2008-3805
3.19 CVE-2008-3806
3.20 CVE-2012-0384
3.21 CVE-2016-6380
3.22 CVE-2007-0479
3.23 CVE-2007-0481
3.24 CVE-2007-0648
3.25 CVE-2007-2813
3.26 CVE-2008-1152
3.27 CVE-2008-2739
3.28 CVE-2008-3799
3.29 CVE-2008-3808
3.30 CVE-2009-0626
3.31 CVE-2009-0631
3.32 CVE-2009-0636
3.33 CVE-2009-2866
3.34 CVE-2009-2868
3.35 CVE-2009-2870
3.36 CVE-2009-5038
3.37 CVE-2009-5039
3.38 CVE-2010-0576
3.39 CVE-2010-0578
3.40 CVE-2010-0579
3.41 CVE-2010-0582
3.42 CVE-2010-0585
3.43 CVE-2010-0586
3.44 CVE-2010-2828
3.45 CVE-2010-2829
3.46 CVE-2010-2831
3.47 CVE-2010-2832
3.48 CVE-2010-2833
3.49 CVE-2010-2834
3.50 CVE-2010-2835
3.51 CVE-2010-2836
3.52 CVE-2010-4671
3.53 CVE-2010-4683
3.54 CVE-2010-4686
3.55 CVE-2011-0939
3.56 CVE-2011-0944
3.57 CVE-2011-0945
3.58 CVE-2011-0946
3.59 CVE-2011-2072
3.60 CVE-2011-3270
3.61 CVE-2011-3273
3.62 CVE-2011-3275
3.63 CVE-2011-3276
3.64 CVE-2011-3277
3.65 CVE-2011-3278
3.66 CVE-2011-3279
3.67 CVE-2011-3280
3.68 CVE-2011-3281
3.69 CVE-2011-3282
3.70 CVE-2012-0381
3.71 CVE-2012-0383
3.72 CVE-2012-0385
3.73 CVE-2012-0386
3.74 CVE-2012-0387
3.75 CVE-2012-0388
3.76 CVE-2012-1310
3.77 CVE-2012-1311
3.78 CVE-2012-1315
3.79 CVE-2012-1350
3.80 CVE-2012-3949
3.81 CVE-2012-4618
3.82 CVE-2012-4619
3.83 CVE-2012-4620
3.84 CVE-2012-4621
3.85 CVE-2012-4623
3.86 CVE-2013-1142
3.87 CVE-2013-1145
3.88 CVE-2013-1146
3.89 CVE-2013-1147
3.90 CVE-2013-5474
3.91 CVE-2013-5475
3.92 CVE-2013-5477
3.93 CVE-2013-5478
3.94 CVE-2013-5479
3.95 CVE-2013-5480
3.96 CVE-2014-2108
3.97 CVE-2014-2109
3.98 CVE-2014-3327
3.99 CVE-2014-3354
3.100 CVE-2014-3357
3.101 CVE-2014-3358
3.102 CVE-2015-0636
3.103 CVE-2015-0637
3.104 CVE-2015-0642
3.105 CVE-2015-0643
3.106 CVE-2015-0646
3.107 CVE-2015-0647
3.108 CVE-2015-0648
3.109 CVE-2015-0649
3.110 CVE-2015-0650
3.111 CVE-2015-6278
3.112 CVE-2015-6279
3.113 CVE-2016-1348
3.114 CVE-2016-1349
3.115 CVE-2016-6378
3.116 CVE-2016-6379
3.117 CVE-2016-6382
3.118 CVE-2016-6384
3.119 CVE-2016-6385
3.120 CVE-2016-6386
3.121 CVE-2016-6391
3.122 CVE-2016-6392
3.123 CVE-2005-1057
3.124 CVE-2005-1058
3.125 CVE-2005-2105
3.126 CVE-2005-2841
3.127 CVE-2005-1020
3.128 CVE-2005-1021
3.129 CVE-2006-0340
3.130 CVE-2007-0918
3.131 CVE-2007-4291
3.132 CVE-2007-4293
3.133 CVE-2007-5651
3.134 CVE-2008-1153
3.135 CVE-2008-3800
3.136 CVE-2008-3801
3.137 CVE-2008-3802
3.138 CVE-2008-3809
3.139 CVE-2008-4609
3.140 CVE-2009-0630
3.141 CVE-2009-0633
3.142 CVE-2009-0634
3.143 CVE-2009-2863
3.144 CVE-2009-2873
3.145 CVE-2010-0577
3.146 CVE-2010-2830
3.147 CVE-2010-4684
3.148 CVE-2012-0382
3.149 CVE-2012-3950
3.150 CVE-2012-4622
3.151 CVE-2013-1143
3.152 CVE-2013-1167
3.153 CVE-2013-5472
3.154 CVE-2013-5481
3.155 CVE-2014-2107
3.156 CVE-2014-2111
3.157 CVE-2014-3361
3.158 CVE-2015-0638
3.159 CVE-2015-0681
3.160 CVE-2016-1344
3.161 CVE-2016-6381
3.162 CVE-2016-6393
3.163 CVE-2007-4295
3.164 CVE-2009-2872
3.165 CVE-2009-5040
3.166 CVE-2013-6686
3.167 CVE-2016-1428
3.168 CVE-2016-1432
3.169 CVE-2007-0917
3.170 CVE-2007-2587
3.171 CVE-2012-1338
3.172 CVE-2012-3895
3.173 CVE-2005-0197
3.174 CVE-2011-3274
3.175 CVE-2012-1327
3.176 CVE-2016-1425
3.177 CVE-2013-0149
3.178 CVE-2011-1625
3.179 CVE-2011-2586
3.180 CVE-2011-4007
3.181 CVE-2011-4016
3.182 CVE-2011-4019
3.183 CVE-2008-1156
3.184 CVE-2004-0714
3.185 CVE-2004-1454
3.186 CVE-2004-1464
3.187 CVE-2005-0186
3.188 CVE-2005-0195
3.189 CVE-2005-0196
3.190 CVE-2005-3669
3.191 CVE-2007-4430
3.192 CVE-2010-4687
3.193 CVE-2011-2059
3.194 CVE-2011-2395
3.195 CVE-2012-0338
3.196 CVE-2012-0339
3.197 CVE-2012-1367
3.198 CVE-2014-2143
3.199 CVE-2016-1384
3.200 CVE-2016-1409
3.201 CVE-2016-6415
3.202 CVE-2016-1459
3.203 CVE-2006-0485
3.204 CVE-2006-0486
3.205 CVE-2008-3821
3.206 CVE-2012-0362
3.207 CVE-2010-4685
3.208 CVE-2011-3289
3.209 CVE-2012-3923
3.210 CVE-2005-3921
3.211 CVE-2005-2451
3.212 Conclusions
3.213 Recommendations
4 CIS Benchmark
4.1 CIS Cisco IOS 15 Benchmark
4.1.1 Management Plane
4.1.1.1 Local Authentication, Authorization and Accounting (AAA) Rules
4.1.1.1.1 Enable 'aaa new-model'
4.1.1.1.2 Enable 'aaa authentication login'
4.1.1.1.3 Enable 'aaa authentication enable default'
4.1.1.1.4 Set 'login authentication' for 'line con 0'
4.1.1.1.5 Set 'login authentication' for 'line tty'
4.1.1.1.6 Set 'login authentication' for 'line vty'
4.1.1.1.7 Set 'aaa accounting' to log all privileged use commands using 'commands 15'
4.1.1.1.8 Set 'aaa accounting connection'
4.1.1.1.9 Set 'aaa accounting exec'
4.1.1.1.10 Set 'aaa accounting network'
4.1.1.1.11 Set 'aaa accounting system'
4.1.1.2 Access Rules
4.1.1.2.1 Set 'privilege 1' for local users
4.1.1.2.2 Set 'transport input ssh' for 'line vty' connections
4.1.1.2.3 Set 'no exec' for 'line aux 0'
4.1.1.2.4 Create 'access-list' for use with 'line vty'
4.1.1.2.5 Set 'access-class' for 'line vty'
4.1.1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'
4.1.1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes for 'line console 0'
4.1.1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes for 'line tty'
4.1.1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes for 'line vty'
4.1.1.2.10 Set 'transport input none' for 'line aux 0'
4.1.1.3 Banner Rules
4.1.1.3.1 Set the 'banner-text' for 'banner exec'
4.1.1.3.2 Set the 'banner-text' for 'banner login'
4.1.1.3.3 Set the 'banner-text' for 'banner motd'
4.1.1.4 Password Rules
4.1.1.4.1 Set 'password' for 'enable secret'
4.1.1.4.2 Enable 'service password-encryption'
4.1.1.4.3 Set 'username secret' for all local users
4.1.1.5 SNMP Rules
4.1.1.5.1 Set 'no snmp-server' to disable SNMP when unused
4.1.1.5.2 Unset 'private' for 'snmp-server community'
4.1.1.5.3 Unset 'public' for 'snmp-server community'
4.1.1.5.4 Do not set 'RW' for any 'snmp-server community'
4.1.1.5.5 Set the ACL for each 'snmp-server community'
4.1.1.5.6 Create an 'access-list' for use with SNMP
4.1.1.5.7 Set 'snmp-server host' when using SNMP
4.1.1.5.8 Set 'snmp-server enable traps snmp'
4.1.1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3
4.1.1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3
4.1.2 Control Plane
4.1.2.1 Global Service Rules
4.1.2.1.1 Setup SSH
4.1.2.1.1.1 Configure Prerequisites for the SSH Service
4.1.2.1.1.1.1 Set the 'hostname'
4.1.2.1.1.1.2 Set the 'ip domain name'
4.1.2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'
4.1.2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'
4.1.2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'
4.1.2.1.1.2 Set version 2 for 'ip ssh version'
4.1.2.1.2 Set 'no cdp run'
4.1.2.1.3 Set 'no ip bootp server'
4.1.2.1.4 Set 'no service dhcp'
4.1.2.1.5 Set 'no ip identd'
4.1.2.1.6 Set 'service tcp-keepalives-in'
4.1.2.1.7 Set 'service tcp-keepalives-out'
4.1.2.1.8 Set 'no service pad'
4.1.2.2 Logging Rules
4.1.2.2.1 Set 'logging on'
4.1.2.2.2 Set 'buffer size' for 'logging buffered'
4.1.2.2.3 Set 'logging console critical'
4.1.2.2.4 Set IP address for 'logging host'
4.1.2.2.5 Set 'logging trap informational'
4.1.2.2.6 Set 'service timestamps debug datetime'
4.1.2.2.7 Set 'logging source interface'
4.1.2.3 NTP Rules
4.1.2.3.1 Require Encryption Keys for NTP
4.1.2.3.1.1 Set 'ntp authenticate'
4.1.2.3.1.2 Set 'ntp authentication-key'
4.1.2.3.1.3 Set the 'ntp trusted-key'
4.1.2.3.1.4 Set 'key' for each 'ntp server'
4.1.2.3.2 Set 'ip address' for 'ntp server'
4.1.2.4 Loopback Rules
4.1.2.4.1 Create a single 'interface loopback'
4.1.2.4.2 Set AAA 'source-interface'
4.1.2.4.3 Set 'ntp source' to Loopback Interface
4.1.2.4.4 Set 'ip tftp source-interface' to the Loopback Interface
4.1.3 Data Plane
4.1.3.1 Routing Rules
4.1.3.1.1 Set 'no ip source-route'
4.1.3.1.2 Set 'no ip proxy-arp'
4.1.3.1.3 Set 'no interface tunnel'
4.1.3.1.4 Set 'ip verify unicast source reachable-via'
4.1.3.2 Border Router Filtering
4.1.3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks
4.1.3.2.2 Set inbound 'ip access-group' on the External Interface
4.1.3.3 Neighbor Authentication
4.1.3.3.1 Require EIGRP Authentication if Protocol is Used
4.1.3.3.1.1 Set 'key chain'
4.1.3.3.1.2 Set 'key'
4.1.3.3.1.3 Set 'key-string'
4.1.3.3.1.4 Set 'address-family ipv4 autonomous-system'
4.1.3.3.1.5 Set 'af-interface default'
4.1.3.3.1.6 Set 'authentication key-chain'
4.1.3.3.1.7 Set 'authentication mode md5'
4.1.3.3.1.8 Set 'ip authentication key-chain eigrp'
4.1.3.3.1.9 Set 'ip authentication mode eigrp'
4.1.3.3.2 Require OSPF Authentication if Protocol is Used
4.1.3.3.2.1 Set 'authentication message-digest' for OSPF area
4.1.3.3.2.2 Set 'ip ospf message-digest-key md5'
4.1.3.3.3 Require RIPv2 Authentication if Protocol is Used
4.1.3.3.3.1 Set 'key chain'
4.1.3.3.3.2 Set 'key'
4.1.3.3.3.3 Set 'key-string'
4.1.3.3.3.4 Set 'ip rip authentication key-chain'
4.1.3.3.3.5 Set 'ip rip authentication mode' to 'md5'
4.1.3.3.4 Require BGP Authentication if Protocol is Used
4.1.3.3.4.1 Set 'neighbor password'
4.2 CIS Cisco IOS 12 Benchmark
4.2.1 Management Plane
4.2.1.1 Local Authentication, Authorization and Accounting (AAA) Rules
4.2.1.1.1 Enable 'aaa new-model'
4.2.1.1.2 Enable 'aaa authentication login'
4.2.1.1.3 Enable 'aaa authentication enable default'
4.2.1.1.4 Set 'login authentication' for 'line con 0'
4.2.1.1.5 Set 'login authentication' for 'line tty'
4.2.1.1.6 Set 'login authentication' for 'line vty'
4.2.1.1.7 Set 'aaa accounting' to log all privileged use commands using 'commands 15'
4.2.1.1.8 Set 'aaa accounting connection'
4.2.1.1.9 Set 'aaa accounting exec'
4.2.1.1.10 Set 'aaa accounting network'
4.2.1.1.11 Set 'aaa accounting system'
4.2.1.2 Access Rules
4.2.1.2.1 Set 'privilege 1' for local users
4.2.1.2.2 Set 'transport input ssh' for 'line vty' connections
4.2.1.2.3 Set 'no exec' for 'line aux 0'
4.2.1.2.4 Create 'access-list' for use with 'line vty'
4.2.1.2.5 Set 'access-class' for 'line vty'
4.2.1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'
4.2.1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes for 'line console 0'
4.2.1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes for 'line tty'
4.2.1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes for 'line vty'
4.2.1.2.10 Set 'transport input none' for 'line aux 0'
4.2.1.3 Banner Rules
4.2.1.3.1 Set the 'banner-text' for 'banner exec'
4.2.1.3.2 Set the 'banner-text' for 'banner login'
4.2.1.3.3 Set the 'banner-text' for 'banner motd'
4.2.1.4 Password Rules
4.2.1.4.1 Set 'password' for 'enable secret'
4.2.1.4.2 Enable 'service password-encryption'
4.2.1.4.3 Set 'username secret' for all local users
4.2.1.5 SNMP Rules
4.2.1.5.1 Set 'no snmp-server' to disable SNMP when unused
4.2.1.5.2 Unset 'private' for 'snmp-server community'
4.2.1.5.3 Unset 'public' for 'snmp-server community'
4.2.1.5.4 Do not set 'RW' for any 'snmp-server community'
4.2.1.5.5 Set the ACL for each 'snmp-server community'
4.2.1.5.6 Create an 'access-list' for use with SNMP
4.2.1.5.7 Set 'snmp-server host' when using SNMP
4.2.1.5.8 Set 'snmp-server enable traps snmp'
4.2.1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3
4.2.1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3
4.2.2 Control Plane
4.2.2.1 Global Service Rules
4.2.2.1.1 Setup SSH
4.2.2.1.1.1 Configure Prerequisites for the SSH Service
4.2.2.1.1.1.1 Set the 'hostname'
4.2.2.1.1.1.2 Set the 'ip domain name'
4.2.2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'
4.2.2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'
4.2.2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'
4.2.2.1.1.2 Set version 2 for 'ip ssh version'
4.2.2.1.2 Set 'no cdp run'
4.2.2.1.3 Set 'no ip bootp server'
4.2.2.1.4 Set 'no service dhcp'
4.2.2.1.5 Set 'no ip identd'
4.2.2.1.6 Set 'service tcp-keepalives-in'
4.2.2.1.7 Set 'service tcp-keepalives-out'
4.2.2.1.8 Set 'no service pad'
4.2.2.2 Logging Rules
4.2.2.2.1 Set 'logging on'
4.2.2.2.2 Set 'buffer size' for 'logging buffered'
4.2.2.2.3 Set 'logging console critical'
4.2.2.2.4 Set IP address for 'logging host'
4.2.2.2.5 Set 'logging trap informational'
4.2.2.2.6 Set 'service timestamps debug datetime'
4.2.2.2.7 Set 'logging source interface'
4.2.2.3 NTP Rules
4.2.2.3.1 Require Encryption Keys for NTP
4.2.2.3.1.1 Set 'ntp authenticate'
4.2.2.3.1.2 Set 'ntp authentication-key'
4.2.2.3.1.3 Set the 'ntp trusted-key'
4.2.2.3.1.4 Set 'key' for each 'ntp server'
4.2.2.3.2 Set 'ip address' for 'ntp server'
4.2.2.4 Loopback Rules
4.2.2.4.1 Create a single 'interface loopback'
4.2.2.4.2 Set AAA 'source-interface'
4.2.2.4.3 Set 'ntp source' to Loopback Interface
4.2.2.4.4 Set 'ip tftp source-interface' to the Loopback Interface
4.2.3 Data Plane
4.2.3.1 Routing Rules
4.2.3.1.1 Set 'no ip source-route'
4.2.3.1.2 Set 'no ip proxy-arp'
4.2.3.1.3 Set 'no interface tunnel'
4.2.3.1.4 Set 'ip verify unicast source reachable-via'
4.2.3.2 Border Router Filtering
4.2.3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks
4.2.3.2.2 Set inbound 'ip access-group' on the External Interface
4.2.3.3 Neighbor Authentication
4.2.3.3.1 Require EIGRP Authentication if Protocol is Used
4.2.3.3.1.1 Set 'key chain'
4.2.3.3.1.2 Set 'key'
4.2.3.3.1.3 Set 'key-string'
4.2.3.3.1.4 Set 'address-family ipv4 autonomous-system'
4.2.3.3.1.5 Set 'af-interface default'
4.2.3.3.1.6 Set 'authentication key-chain'
4.2.3.3.1.7 Set 'authentication mode md5'
4.2.3.3.1.8 Set 'ip authentication key-chain eigrp'
4.2.3.3.1.9 Set 'ip authentication mode eigrp'
4.2.3.3.2 Require OSPF Authentication if Protocol is Used
4.2.3.3.2.1 Set 'authentication message-digest' for OSPF area
4.2.3.3.2.2 Set 'ip ospf message-digest-key md5'
4.2.3.3.3 Require RIPv2 Authentication if Protocol is Used
4.2.3.3.3.1 Set 'key chain'
4.2.3.3.3.2 Set 'key'
4.2.3.3.3.3 Set 'key-string'
4.2.3.3.3.4 Set 'ip rip authentication key-chain'
4.2.3.3.3.5 Set 'ip rip authentication mode' to 'md5'
4.2.3.3.4 Require BGP Authentication if Protocol is Used
4.2.3.3.4.1 Set 'neighbor password'
4.3 Conclusions
5 DISA STIG Compliance
5.1 Introduction
5.2 router03 Infrastructure L3 Switch Secure Technical Implementation Guide - Cisco Summary
5.3 CiscoIOS15 Infrastructure Router Security Technical Implementation Guide Cisco Summary
5.4 V-3971 - VLAN 1 is being used as a user VLAN.
5.5 V-3972 - VLAN 1 traffic traverses across unnecessary trunk
5.6 V-3973 - Disabled ports are not kept in an unused VLAN.
5.7 V-3984 - Access switchports are assigned to the native VLAN
5.8 V-5622 - A dedicated VLAN is required for all trunk ports.
5.9 V-5623 - Ensure trunking is disabled on all access ports.
5.10 V-5624 - Re-authentication must occur every 60 minutes.
5.11 V-5626 - NET-NAC-009
5.12 V-5628 - The VLAN 1 is being used for management traffic.
5.13 V-17815 - IGP instances do not peer with appropriate domain
5.14 V-17816 - Routes from the two IGP domains are redistributed
5.15 V-17824 - Management interface is assigned to a user VLAN.
5.16 V-17825 - Management VLAN has invalid addresses
5.17 V-17826 - Invalid ports with membership to the mgmt VLAN
5.18 V-17827 - The management VLAN is not pruned from trunk links
5.19 V-17832 - Mgmt VLAN does not have correct IP address
5.20 V-17833 - No ingress ACL on management VLAN interface
5.21 V-18523 - ACLs do not protect against compromised servers
5.22 V-18544 - Restricted VLAN not assigned to non-802.1x device.
5.23 V-18545 - Upstream access not restricted for non-802.1x VLAN
5.24 V-18566 - NET-NAC-031
5.25 V-3000 - Interface ACL deny statements are not logged.
5.26 V-3008 - IPSec VPN is not configured as a tunnel type VPN.
5.27 V-3012 - Network element is not password protected.
5.28 V-3013 - Login banner is non-existent or not DOD-approved.
5.29 V-3014 - Management connection does not timeout.
5.30 V-3020 - DNS servers must be defined for client resolver.
5.31 V-3021 - SNMP access is not restricted by IP address.
5.32 V-3034 - Interior routing protocols are not authenticated.
5.33 V-3043 - SNMP privileged and non-privileged access.
5.34 V-3056 - Group accounts are defined.
5.35 V-3057 - Accounts assigned least privileges necessary to perform duties.
5.36 V-3058 - Unauthorized accounts are configured to access device.
5.37 V-3062 - Passwords are viewable when displaying the config.
5.38 V-3069 - Management connections must be secured by FIPS 140-2.
5.39 V-3070 - Management connections must be logged.
5.40 V-3072 - Running and startup configurations are not synchronized.
5.41 V-3078 - TCP and UDP small server services are not disabled.
5.42 V-3079 - The finger service is not disabled.
5.43 V-3080 - Configuration auto-loading must be disabled.
5.44 V-3081 - IP Source Routing is not disabled on all routers.
5.45 V-3083 - IP directed broadcast is not disabled.
5.46 V-3085 - HTTP server is not disabled
5.47 V-3086 - The Bootp service is not disabled.
5.48 V-3143 - Devices exist with standard default passwords.
5.49 V-3160 - Operating system is not at a current release level.
5.50 V-3175 - Management connections must require passwords.
5.51 V-3196 - An insecure version of SNMP is being used.
5.52 V-3210 - Using default SNMP community names.
5.53 V-3966 - More than one local account is defined.
5.54 V-3967 - The console port does not timeout after 10 minutes.
5.55 V-3969 - Network element must only allow SNMP read access.
5.56 V-4582 - Authentication required for console access.
5.57 V-4584 - The network element must log all messages except debugging.
5.58 V-5611 - Management connections are not restricted.
5.59 V-5612 - SSH session timeout is not 60 seconds or less.
5.60 V-5613 - SSH login attempts value is greater than 3.
5.61 V-5614 - The PAD service is enabled.
5.62 V-5615 - TCP Keep-Alives must be enabled.
5.63 V-5616 - Identification support is enabled.
5.64 V-5618 - Gratuitous ARP must be disabled.
5.65 V-5645 - Cisco Express Forwarding (CEF) not enabled on supported devices.
5.66 V-5646 - Devices not configured to filter and drop half-open connections.
5.67 V-7009 - An Infinite Lifetime key has not been implemented
5.68 V-7011 - The auxiliary port is not disabled.
5.69 V-14667 - Key expiration exceeds 180 days.
5.70 V-14669 - BSD r commands are not disabled.
5.71 V-14671 - NTP messages are not authenticated.
5.72 V-14672 - Authentication traffic does not use loopback address or OOB Management interface.
5.73 V-14673 - Syslog traffic is not using loopback address or OOB management interface.
5.74 V-14674 - NTP traffic is not using loopback address or OOB Management interface.
5.75 V-14675 - SNMP traffic does not use loopback address or OOB Management interface.
5.76 V-14676 - Netflow traffic is not using loopback address.
5.77 V-14677 - FTP/TFTP traffic does not use loopback address or OOB Management interface.
5.78 V-14681 - Loopback address is not used as the iBGP source IP.
5.79 V-14693 - IPv6 Site Local Unicast ADDR must not be defined
5.80 V-14705 - IPv6 routers are not configured with CEF enabled
5.81 V-14707 - IPv6 Egress Outbound Spoofing Filter
5.82 V-14717 - The network element must not allow SSH Version 1.
5.83 V-15288 - ISATAP tunnels must terminate at interior router.
5.84 V-15432 - The device is not authenticated using a AAA server.
5.85 V-15434 - Emergency administration account privilege level is not set.
5.86 V-17754 - Management traffic is not restricted
5.87 V-17814 - Remote VPN end-point not a mirror of local gateway
5.88 V-17815 - IGP instances do not peer with appropriate domain
5.89 V-17816 - Routes from the two IGP domains are redistributed
5.90 V-17817 - Managed network has access to OOBM gateway router
5.91 V-17818 - Traffic from the managed network will leak
5.92 V-17819 - Management traffic leaks into the managed network
5.93 V-17821 - The OOBM interface not configured correctly.
5.94 V-17822 - The management interface does not have an ACL.
5.95 V-17823 - The management interface is not IGP passive.
5.96 V-17834 - No inbound ACL for mgmt network sub-interface
5.97 V-17835 - IPSec traffic is not restricted
5.98 V-17836 - Management traffic is not classified and marked
5.99 V-17837 - Management traffic doesn't get preferred treatment
5.100 V-18522 - ACLs must restrict access to server VLANs.
5.101 V-18790 - NET-TUNL-012
5.102 V-19188 - Control plane protection is not enabled.
5.103 V-19189 - No Admin-local or Site-local boundary
5.104 V-23747 - Two NTP servers are not used to synchronize time.
5.105 V-28784 - Call home service is disabled.
5.106 V-30577 - PIM enabled on wrong interfaces
5.107 V-30578 - PIM neighbor filter is not configured
5.108 V-30585 - Invalid group used for source specific multicast
5.109 V-30617 - Maximum hop limit is less than 32
5.110 V-30660 - The 6-to-4 router is not filtering protocol 41
5.111 V-30736 - 6-to-4 router not filtering invalid source address
5.112 V-30744 - L2TPv3 sessions are not authenticated
5.113 V-31285 - BGP must authenticate all peers.
5.114 Conclusions
5.115 Recommendations
6 SANS Policy Compliance
6.1 router03 SANS Policy Compliance Audit
6.2 CiscoIOS15 SANS Policy Compliance Audit
7 PCI Audit
7.1 Introduction
7.2 Requirement 1: Install and maintain a firewall configuration to protect cardholder data
7.2.1 Secure and Insecure Services
7.2.2 Explicit Deny Rules in Configurations
7.3 Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
7.3.1 Default authentication removed from devices
7.3.2 Devices cryptography strength
7.4 Requirement 6: Develop and maintain secure systems and applications
7.4.1 Device operating systems
7.5 Requirement 10: Track and monitor all access to network resources and cardholder data
7.5.1 System times are correct
7.5.2 Time synchronization settings are restricted
8 Filtering Complexity Report
8.1 Introduction
8.2 Unassigned Filter Rule Lists Were Configured
8.3 Filter Rules Contradict Other Rules
8.4 Filter Rules Overlap Other Rules
9 Configuration Report
9.1 Introduction
9.2 Cisco Router router03 Configuration Report
9.2.1 Basic Information
9.2.2 Network Services
9.2.3 General Configuration Information
9.2.4 Authentication
9.2.5 Administration
9.2.6 Logon Banner Messages
9.2.7 SNMP Settings
9.2.8 Message Logging
9.2.9 Name Resolution Settings
9.2.10 Network Protocols
9.2.11 Network Interfaces
9.2.12 Routing Configuration
9.2.13 Network Filtering
9.2.14 Intrusion Protection System (IPS) Settings
9.2.15 Time And Date
9.3 Cisco Router CiscoIOS15 Configuration Report
9.3.1 Basic Information
9.3.2 Network Services
9.3.3 General Configuration Information
9.3.4 Authentication
9.3.5 Administration
9.3.6 Logon Banner Message
9.3.7 SNMP Settings
9.3.8 Message Logging
9.3.9 Name Resolution Settings
9.3.10 Network Protocols
9.3.11 Network Interfaces
9.3.12 Routing Configuration
9.3.13 Network Filtering
9.3.14 IPS Settings
9.3.15 Remote Access Settings
9.3.16 Time And Date
10 Raw Configuration
10.1 Introduction
10.2 Cisco Router router03 Raw Configuration
10.3 Cisco Router CiscoIOS15 Raw Configuration
11 Appendix
11.1 Logging Severity Levels
11.2 OSPF LSA Message Types
11.3 Common Time Zones
11.4 IP Protocols
11.5 ICMP Types
11.6 Abbreviations
11.7 Nipper Studio Version
1 Your Report
1.1 Introduction
This report was produced by Nipper Studio on 2 March 2017. This report is comprised of the following sections:
- a security audit section which details any identified security-related issues. Each security issue identified includes details of what was found together with the impact of the issue, how easy it would be for an attacker to exploit and a recommendation. The recommendations may include alternatives and, where relevant, the commands to resolve the issue;
- a software vulnerability audit section that provides a comparison of the device software versions against a database of known vulnerabilities. In addition to a brief description, each potential vulnerability includes a CVSS v2 score and references to more specific information provided by the device manufacturers and third parties;
- a CIS report;
- a DISA STIG report section that provides compliance information against specific checklists. The report includes a summary of the findings, detailed findings and recommendations on remedial action together with references and severity information;
- a SANS policy report section that provides compliance information against specific policy checklists. The report includes a summary of the findings and details of each check requirement;
- a network filtering complexity report that describes areas of the network filtering that can be simplified. The filter complexity reporting looks at a variety of different aspects, such as unused objects, disabled rules, commenting, overlapping rules and many other configurations;
- a configuration report which details the configuration settings of all the audited devices in an easy to read format. The configuration settings are divided into report sub-sections which group related settings together and provide additional information about their purpose;
- a raw configuration report that details the raw configuration of devices without providing any interpretation. However, some devices which have extensive or specially encoded configurations will be excluded from inclusion in this report.
1.2 Evaluation Use Only
The version of Nipper Studio used to generate this report was licensed for evaluation purposes only. For more information on licensing options you can contact Titania or one of our partners to discuss your requirements.
1.3 Report Conventions
This report makes use of the text conventions detailed in Table 7.
Table 7: Report text conventions
Convention  Description
command     This text style represents a device command that should be entered literally.
userdata    This style of text represents a part of a device command that you should substitute with a relevant value. For example, a command that sets a device's IP address would use this text style in a position where the address should be entered.
[]          These are used to enclose a part of a command that should be treated as optional.
{}          These are used to enclose a part of a command that is required.
|           This is used to divide options which could be enclosed in either required or optional braces.
1.4 Compliance Check Results
Each compliance audit check is given a status that indicates the outcome of the audit for that check. Table 8 details each of the possible status types.
Table 8: Compliance check status definitions
Status  Description
Pass    The check passed all the requirements. For example, the Telnet service should be disabled and it was.
Fail    The check failed to meet some or all of the requirements. For example, the check may specify that support for only SSH protocol version 2 must be configured and version 1 was allowed.
Manual  The check requires a manual assessment. For example, the check may require the auditor to determine if cables are physically attached to specific ports on a switch.
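As an added illustration (this is not Nipper Studio's code, nor the tool's actual rule logic), the following Python script shows how a CIS-style compliance check of the kind summarised in Table 4 can be expressed: each rule taken from the CIS Benchmark contents resolves to Pass, Fail or Manual exactly as Table 8 defines them, and the device score is passed divided by passed plus failed plus manual, the formula that reproduces Table 4's 25.84% (23/89) and 80.90% (72/89). The rule selection, the regular expressions and the sample configuration are assumptions of my own; only the rule numbers and titles come from the report contents.

```python
"""Added example, not Nipper Studio's code: a minimal CIS-style benchmark
checker for Cisco IOS configs covering a few rules from this report's CIS
Benchmark contents. Each rule yields Pass, Fail or Manual (Table 8) and the
score is passed / (passed + failed + manual), which reproduces Table 4."""
import re
from dataclasses import dataclass
from typing import Callable

PASS, FAIL, MANUAL = "Pass", "Fail", "Manual"

@dataclass(frozen=True)
class Rule:
    ref: str          # CIS rule number as it appears in the report contents
    title: str
    check: Callable   # takes the normalised config lines, returns a status

def cfg_lines(text):
    """Strip indentation, blank lines and '!' comment lines."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("!")]

def has(lines, pattern):
    """True if any config line matches the regex (anchored at line start)."""
    rx = re.compile(pattern)
    return any(rx.match(line) for line in lines)

def requires(pattern):
    """Rule that passes only when a matching line is present."""
    return lambda lines: PASS if has(lines, pattern) else FAIL

def forbids(pattern):
    """Rule that fails when a matching line is present."""
    return lambda lines: FAIL if has(lines, pattern) else PASS

def check_vty_ssh_only(lines):
    # 'transport input ssh' must sit inside a 'line vty' block; a
    # 'transport input telnet ssh' line still permits clear-text Telnet.
    in_vty, ok = False, False
    for line in lines:
        if line.startswith("line "):
            in_vty = line.startswith("line vty")
        elif in_vty and line == "transport input ssh":
            ok = True
    return PASS if ok else FAIL

def check_logging_host(lines):
    # A host must exist, but whether it is the approved collector is a
    # human decision, so the outcome is Manual rather than Pass.
    return MANUAL if has(lines, r"logging (host )?\d+\.\d+\.\d+\.\d+") else FAIL

RULES = [
    Rule("4.1.1.2.2", "Set 'transport input ssh' for 'line vty'", check_vty_ssh_only),
    Rule("4.1.1.4.1", "Set 'password' for 'enable secret'", requires(r"enable secret ")),
    Rule("4.1.1.4.2", "Enable 'service password-encryption'",
         requires(r"service password-encryption$")),
    Rule("4.1.1.5.3", "Unset 'public' for 'snmp-server community'",
         forbids(r"snmp-server community public\b")),
    Rule("4.1.1.5.4", "Do not set 'RW' for any 'snmp-server community'",
         forbids(r"snmp-server community \S+ .*\bRW\b")),
    # CDP, the BOOTP server, PAD and source routing are on by default in IOS:
    # only an explicit 'no ...' line in the saved config proves they are off.
    Rule("4.1.2.1.2", "Set 'no cdp run'", requires(r"no cdp run$")),
    Rule("4.1.2.1.3", "Set 'no ip bootp server'", requires(r"no ip bootp server$")),
    Rule("4.1.2.1.8", "Set 'no service pad'", requires(r"no service pad$")),
    Rule("4.1.2.2.4", "Set IP address for 'logging host'", check_logging_host),
    Rule("4.1.3.1.1", "Set 'no ip source-route'", requires(r"no ip source-route$")),
]

def audit(config_text):
    """Return (status per rule ref, passed, failed, manual, score percent)."""
    lines = cfg_lines(config_text)
    results = {r.ref: r.check(lines) for r in RULES}
    passed = sum(v == PASS for v in results.values())
    failed = sum(v == FAIL for v in results.values())
    manual = sum(v == MANUAL for v in results.values())
    score = round(100.0 * passed / (passed + failed + manual), 2)
    return results, passed, failed, manual, score

# Constructed sample config (not taken from the report): mostly IOS defaults
# with a few hardening lines, the kind of device that scores low in Table 4.
SAMPLE_CONFIG = """
service password-encryption
enable password 7 0822455D0A16
no ip source-route
no cdp run
snmp-server community public RO
snmp-server community private RW
logging host 192.0.2.10
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    results, p, f, m, score = audit(SAMPLE_CONFIG)
    for r in RULES:
        print(f"{r.ref:<10} {results[r.ref]:<7} {r.title}")
    print(f"Passed {p}  Failed {f}  Manual {m}  Score {score}%")
```

The sample scores 3 passed, 6 failed, 1 manual (30.00%); a real audit would hold many more rules and parse line blocks (interfaces, routing processes) rather than matching single lines.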
1.5 Network Filtering Actions
This report includes a number of network filter rules. Table 9 describes the filter rule actions used within the report.
Table 9: Network filter rule actions
Action  Description
Allow   Allow the network traffic, enabling it to pass through to its destination.
Drop    Drop the network traffic, preventing it from reaching its destination and not informing the sender that it has been dropped.
1.6 Object Filter Types
This report details the type of network objects used within the filter rules. Table 10 describes the object types used within the report.
Table 10: Network filter object types
Object Type    Description
Address        Specific IPv4 or IPv6 network address.
Address range  Describes a range of IPv4 or IPv6 addresses.
2 Security Audit
2.1 Introduction
Nipper Studio performed a security audit on 2 March 2017 of the devices detailed in Table 11.
Table 11: Security audit device list
Device        Name        OS
Cisco Router  router03    IOS 12.3
Cisco Router  CiscoIOS15  IOS 15.0
2.1.1 Security Issue Overview
Each security issue identified by Nipper Studio is described with a finding, the impact of the issue, how easy it would be for an attacker to exploit the issue and a recommendation.
Issue Finding
The issue finding describes what Nipper Studio identified during the security audit. Typically, the finding will include background information on what particular configuration settings are prior to describing what was found.
Issue Impact
The issue impact describes what an attacker could achieve from exploiting the security audit finding. However, it is worth noting that the impact of an issue can often be influenced by other configuration settings, which could heighten or partially mitigate the issue. For example, a weak password could be partially mitigated if the access gained from using it is restricted in some way.
Issue Ease
The issue ease describes the knowledge, skill, level of access and timescales that would be required by an attacker in order to exploit an issue. The issue ease will describe, where relevant, if any Open Source or commercially available tools could be used to exploit an issue.
Issue Recommendation
Each issue includes a recommendation section which describes the steps that Nipper Studio recommends should be taken in order to mitigate the issue. The recommendation includes, where relevant, the commands that can be used to resolve the issue.
2.1.2 Rating System Overview
Each issue identified in the security audit is rated against both the impact of the issue and how easy it would be for an attacker to exploit. The fix rating provides a guide to the effort required to resolve the issue. The overall rating for the issue is calculated based on the issue's impact and ease ratings.
Impact Rating
An issue's impact rating is determined using the criteria outlined in Table 12.
Table 12: The impact rating
Rating | Description
CRITICAL | These issues can pose a very significant security threat. The issues that have a critical impact are typically those that would allow an attacker to gain full administrative access to the device. For a firewall device, allowing all traffic to pass through the device unfiltered would receive this rating as filtering traffic to protect other devices is the primary purpose of a firewall.
HIGH | These issues pose a significant threat to security, but have some limitations on the extent to which they can be abused. User level access to a device and a DoS vulnerability in a critical service would fall into this category. A firewall device that allowed significant unfiltered access, such as allowing entire subnets through or not filtering in all directions, would fall into this category. A router that allows significant modification of its routing configuration would also fall into this category.
MEDIUM | These issues have significant limitations on the direct impact they can cause. Typically, these issues would include significant information leakage issues, less significant DoS issues or those that provide significantly limited access. An SNMP service that is secured with a default or a dictionary-based community string would typically fall into this rating, as would a firewall that allows unfiltered access to a range of services on a device.
LOW | These issues represent a low level security threat. A typical issue would involve information leakage that could be useful to an attacker, such as a list of users or version details. A non-firewall device that was configured with weak network filtering would fall into this category.
INFO | These issues represent a very low level of security threat. These issues include minor information leakage, unnecessary services or legacy protocols that present no real threat to security.
Overall: CRITICAL | Impact: Critical | Ease: Easy | Fix: Quick
Ease Rating
An issue's ease rating is determined using the criteria outlined in Table 13.
Table 13: The ease rating
Rating | Description
TRIVIAL | The issue requires little-to-no knowledge on behalf of an attacker and can be exploited using standard operating system tools. A firewall device which had a network filtering configuration that enables traffic to pass through would fall into this category.
EASY | The issue requires some knowledge for an attacker to exploit, which could be performed using standard operating system tools or tools downloaded from the Internet. An administrative service without or with a default password would fall into this category, as would a simple software vulnerability exploit.
MODERATE | The issue requires specific knowledge on behalf of an attacker. The issue could be exploited using a combination of operating system tools or publicly available tools downloaded from the Internet.
CHALLENGE | A security issue that falls into this category would require significant effort and knowledge on behalf of the attacker. The attacker may require specific physical access to resources or to the network infrastructure in order to successfully exploit the vulnerability. Furthermore, a combination of attacks may be required.
N/A | The issue is not directly exploitable. An issue such as enabling legacy protocols or unnecessary services would fall into this rating category.
Fix Rating
An issue's fix rating is determined using the criteria outlined in Table 14.
Table 14: The fix rating
Rating | Description
INVOLVED | The resolution of the issue will require significant resources to resolve and is likely to include disruption to network services, and possibly the modification of other network device configurations. The issue could involve upgrading a device's OS and possible modifications to the hardware.
PLANNED | The issue resolution involves planning, testing and could cause some disruption to services. This issue could involve changes to routing protocols and changes to network filtering.
QUICK | The issue is quick to resolve. Typically this would just involve changing a small number of settings and would have little-to-no effect on network services.
Notes
It is worth noting that Nipper Studio is unable to provide an accurate threat assessment due to a lack of contextual information. For example, in the case where highly sensitive information is processed, a Denial of Service (DoS) vulnerability poses less of a threat than the integrity of the data or an attacker gaining access to it. Similarly, for a situation where up-time is critical, a DoS vulnerability could be more important than the leakage of sensitive information. Therefore the ratings provided by Nipper Studio are only intended to be a guide to an issue's significance.
2.2 Users With Dictionary-Based Passwords
2.2.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.2.2 Finding
Access to restricted network user and administration services is typically secured using username and password authentication credentials. The strength of the authentication credentials is even more important if the service allows for devices to be reconfigured or it allows access to potentially sensitive information.
Nipper Studio identified seven dictionary-based passwords on router03. These are listed in Table 15 and include administrative access to the device.
Table 15: Users on router03 with a dictionary-based password
User | Password | Privilege | Filter
enable (password) | cisco | 15 | -
temp | password | 15 | -
testuser | password | 15 | -
localuser | password | 15 | -
Console Line | password | 1 | -
Auxiliary | password | 1 | -
VTY 0-4 Line | password | 1 | -
Nipper Studio identified two dictionary-based passwords on CiscoIOS15. These are listed in Table 16 and include administrative access to the device.
Overall: HIGH | Impact: High | Ease: Trivial | Fix: Quick
Table 16: Users on CiscoIOS15 with a dictionary-based password
User | Password | Privilege | Filter
enable (password) | password | 15 | -
VTY 0-4 Line | password | 1 | -
2.2.3 Impact
A malicious user, or remote attacker, who is able to connect to an administrative service will be able to perform a dictionary-based attack in order to identify valid authentication credentials and log on to the device. The attacker will then be able to perform administrative and user level tasks. This could include re-configuring the device, extracting potentially sensitive information and disabling the device. Once an attacker has obtained the configuration from the device they may be able to identify authentication credentials that could then be used to gain access to other network devices.
2.2.4 Ease
Dictionary-based password guessing attacks have been widely documented on the Internet and published media, enabling an attacker with very little knowledge or experience to perform the attack. There are a number of different dictionary-based password guessing tools and password dictionaries available on the Internet. Additionally an experienced attacker is likely to have a collection of personal password dictionaries which they have built up over time. However, there are a number of factors that may discourage an attacker from performing a dictionary-based attack.
1. Account lockout facilities can quickly prevent access to the account.
2. Device protection mechanisms may slow or disconnect connections where multiple authentication attempts are made in a short period of time.
3. Brute-forcing can be very time consuming, especially if the password is long or made up of various character types.
4. Network administrators may be alerted to locked out accounts or authentication attempts.
2.2.5 Recommendation
Nipper Studio strongly recommends that all user accounts should have a strong password.
Nipper Studio recommends that:
passwords should be at least eight characters in length;
characters in the password should not be repeated more than three times;
passwords should include both uppercase and lowercase characters;
passwords should include numbers;
passwords should include punctuation characters;
passwords should not include the username;
passwords should not include a device's name, make or model;
passwords should not be based on dictionary words.
Notes for Cisco Router devices:
The following commands can be used on Cisco Router devices to set the enable password, create a local user with a password and to delete a local user:
enable secret password
username user secret password
no username user
2.3 Default SNMP Community Strings Were Configured
2.3.1 Affected Device
router03 - Cisco Router.
2.3.2 Finding
SNMP is an industry standard protocol for monitoring and managing a variety of devices. SNMP services typically offer detailed information that includes a device's operating system, network interfaces, memory, system counters and system users. Access to the SNMP Management Information Base (MIB) with protocol versions 1 and 2 is restricted using a community string to help prevent unauthorized access.
Nipper Studio identified two default SNMP community strings on router03. These are listed in Table 17.
Table 17: Default SNMP community strings on router03
Community | Access | Version | View | ACL
public | Read Only | 1 | - | 20
private | Read/Write | 1 | - | -
2.3.3 Impact
With read access to the SNMP MIB an attacker would be able to enumerate a large quantity of information about the device, its configuration, network details and more. With write access to the SNMP MIB an attacker could reconfigure the device, potentially causing a DoS. Additionally, write access to SNMP on some devices would enable an attacker to download a copy of a device's configuration, including password hashes.
Overall: HIGH | Impact: High | Ease: Easy | Fix: Involved
2.3.4 Ease
Default SNMP community strings are usually documented in the manufacturer's manuals, on third-party Internet websites and in the password dictionaries of testing tools. Furthermore, SNMP query tools are installed by default on some operating systems and other SNMP tools can be downloaded from the Internet.
2.3.5 Recommendation
Nipper Studio recommends that, if not required, SNMP should be disabled. If SNMP is required then Nipper Studio recommends that only SNMP version 3 should be configured. If access using SNMP community strings is required, Nipper Studio recommends that only strong community strings should be chosen that are also not used for any other authentication.
Nipper Studio recommends that:
SNMP community strings should be at least eight characters in length;
characters in the SNMP community string should not be repeated more than three times;
SNMP community strings should include both uppercase and lowercase characters;
SNMP community strings should include numbers;
SNMP community strings should include punctuation characters;
SNMP community strings should not include a device's name, make or model;
SNMP community strings should not be based on dictionary words.
Notes for Cisco Router devices:
SNMP can be disabled with the following command:
no snmp-server
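As an added example of how the findings in 2.2 and 2.3 can be reproduced from a device configuration (example code, not Nipper Studio's): the scan below walks a constructed IOS running-config and flags dictionary-based or type-7 stored local credentials and default SNMP community strings. The word list and the config, including the type-7 string and the 'ops' user, are constructed for the example.

```python
import re

# Constructed stand-in for the password dictionaries the report refers to
# (assumption: a real audit would use a much larger list).
DICTIONARY = {"cisco", "password", "admin", "public", "private", "secret"}
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed running-config excerpt: the credentials mirror Tables 15 and 17,
# the type-7 string and the 'ops' user are made up to exercise the other branches.
SAMPLE_CONFIG = """\
hostname router03
enable password cisco
username temp password 0 password
username testuser privilege 15 password 0 password
username ops secret 5 $1$PLACEHOLDER$hash
snmp-server community public RO 20
snmp-server community private RW
line con 0
 password password
 login
line vty 0 4
 password 7 0A0B0C0D0E0F
 login
"""

ENABLE_RE = re.compile(r"^enable password (?:(\d) )?(\S+)$")
USER_RE = re.compile(r"^username (\S+)(?: privilege \d+)? password (?:(\d) )?(\S+)$")
LINE_PW_RE = re.compile(r"^password (?:(\d) )?(\S+)$")
SNMP_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$")


def classify(value, enc_type, dictionary):
    """Why a stored credential is weak, or None if nothing was found."""
    if enc_type == "7":
        # Type 7 is a reversible encoding, not a hash: treat it as clear-text storage.
        return "reversible type-7 encoding"
    if value.lower() in dictionary:
        return "dictionary-based"
    return None


def audit_credentials(config, dictionary=DICTIONARY):
    """Return (location, credential, issue) tuples in configuration order."""
    findings = []
    section = None  # current 'line ...' block, so line passwords get a location
    for raw in config.splitlines():
        if not raw.startswith(" "):
            section = raw.strip() if raw.startswith("line ") else None
        cmd = raw.strip()
        if m := ENABLE_RE.match(cmd):
            enc, value = m.groups()
            # 'enable password' is never hashed; 'enable secret' is the fix
            findings.append(("enable (password)", value,
                             classify(value, enc, dictionary) or "not stored as a secret hash"))
        elif m := USER_RE.match(cmd):
            user, enc, value = m.groups()
            if issue := classify(value, enc, dictionary):
                findings.append((f"user {user}", value, issue))
        elif section and (m := LINE_PW_RE.match(cmd)):
            enc, value = m.groups()
            if issue := classify(value, enc, dictionary):
                findings.append((section, value, issue))
        elif m := SNMP_RE.match(cmd):
            community, access, acl = m.groups()
            if community in DEFAULT_COMMUNITIES or community.lower() in dictionary:
                where = f"snmp {access}" + (f" acl {acl}" if acl else "")
                findings.append((where, community, "default/dictionary community"))
    return findings


if __name__ == "__main__":
    for where, value, issue in audit_credentials(SAMPLE_CONFIG):
        print(f"{where:20} {value:16} {issue}")
```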
2.4 BGP Neighbors Configured With No Passwords
2.4.1 Affected Device
router03 - Cisco Router.
2.4.2 Finding
BGP is a routing protocol that allows network devices to dynamically adapt to changes to the network topology. Routing neighbors are configured to define which BGP hosts the routing updates will be sent to. Message Digest 5 (MD5) authentication can be configured for each neighbor to ensure that BGP routing updates are sent from a trusted source.
Nipper Studio determined that one BGP neighbor on router03 had been configured with no password. This is shown in Table 18.
Table 18: BGP neighbor on router03 with no password
Address | Remote AS | Password | Version | Weight | Peer Group | Map In | Map Out | Description
router01 | 12345 | - | 4 | 0 | - | - | - | Site to Site Connection
2.4.3 Impact
An attacker may attempt to modify the routing table of a BGP routing device in an attempt to route network traffic through a device that they control. If an attacker is able to control a routing device they would be able to:
monitor network traffic sent between network segments;
perform a man in the middle attack;
capture clear-text protocol authentication credentials;
capture encrypted authentication hashes which could be subjected to a brute-force attack;
perform a network wide DoS;
route updates could be redistributed by the device to other routing devices and possibly using other routing protocols and authentication.
2.4.4 Ease
An attacker could make use of their own routing device, or routing software, in order to insert malicious routing updates.
2.4.5 Recommendation
Nipper Studio recommends that strong MD5 authentication passwords should be configured for all BGP routing updates. Although an attacker could extract the MD5 password authentication hash from a network packet and brute-force the password, it would take significantly more effort than if a default password were to be configured.
Nipper Studio recommends that:
BGP passwords should be at least eight characters in length;
characters in the BGP password should not be repeated more than three times;
BGP passwords should include both uppercase and lowercase characters;
BGP passwords should include numbers;
BGP passwords should include punctuation characters;
BGP passwords should not include a device's name, make or model;
BGP passwords should not be based on dictionary words.
Overall: HIGH | Impact: High | Ease: Easy | Fix: Involved
Notes for Cisco Router devices:
BGP neighbor authentication passwords can be configured on Cisco Router devices with the following router command:
neighbor {address | group} password password
2.5 Not All GLBP Groups Were Authenticated
2.5.1 Affected Device
router03 - Cisco Router.
2.5.2 Finding
GLBP is a Cisco proprietary protocol used to provide router load balancing and redundancy against a single point of failure. GLBP routers are configured in a group which can be authenticated using either clear-text or MD5 authentication. Authentication is configured to ensure that routing will not be performed by an untrusted router.
Nipper Studio determined that one GLBP group on router03 was configured with no authentication. This is shown in Table 19.
Table 19: GLBP group with no authentication on router03
Interface | Active | Group | Name | Address | Priority | Weighting | Auth | Key Chain/ID
GigabitEthernet1/2 | Yes | 40 | - | 192.168.7.42 | 100 | 100 | None | N/A
2.5.3 Impact
An attacker who is able to configure their router with the relevant GLBP group configuration would be able to participate in network routing in order to:
monitor network traffic sent between network segments;
perform a man in the middle attack;
capture clear-text protocol authentication credentials;
capture encrypted authentication hashes which could be subjected to a brute-force attack;
perform a network wide DoS;
route updates could be redistributed by the device to other routing devices and possibly using other routing protocols and authentication.
2.5.4 Ease
An attacker could use a GLBP capable device in order to perform the attack. The attacker could then configure their GLBP capable router to be in the same group and with a higher priority in order to become the Active Virtual Gateway (AVG).
2.5.5 Recommendation
Nipper Studio recommends that MD5 authentication with a strong key should be configured for all GLBP groups. Although it may be possible for an attacker to extract the MD5 authentication hash from a network packet and brute-force the authentication key, it would take significantly more effort than would be required if no authentication were to be configured. Nipper Studio recommends that:
GLBP authentication keys should be at least eight characters in length;
characters in the GLBP authentication key should not be repeated more than three times;
GLBP authentication keys should include both uppercase and lowercase characters;
GLBP authentication keys should include numbers;
GLBP authentication keys should include punctuation characters;
GLBP authentication keys should not include a device's name, make or model;
GLBP authentication keys should not be based on dictionary words.
Notes for Cisco Router devices:
MD5 GLBP group authentication can be configured on Cisco Router devices with the following interface command:
glbp [group] authentication md5 {key-string key | key-chain key-chain}
2.6 Clear-Text GLBP Group Authentication Was Configured
2.6.1 Affected Device
router03 - Cisco Router.
2.6.2 Finding
GLBP is a Cisco proprietary protocol used to provide router load balancing and redundancy against a single point of failure. GLBP routers are configured in a group which can be authenticated using either clear-text or MD5 authentication. Authentication is configured to ensure that routing will not be performed by an untrusted router.
Overall: HIGH | Impact: High | Ease: Easy | Fix: Involved
Nipper Studio determined that one GLBP group on router03 was configured with clear-text authentication. This is shown in Table 20.
Table 20: GLBP group with clear-text authentication on router03
Interface | Active | Group | Name | Address | Priority | Weighting | Auth | Key Chain/ID
GigabitEthernet1/1 | Yes | 44 | - | 192.168.8.42 | 100 | 100 | Clear Text | 1
2.6.3 Impact
An attacker who is able to configure GLBP with the relevant authentication configuration in order to become the AVG would be able to control network routing in order to:
monitor network traffic sent between network segments;
perform a man in the middle attack;
capture clear-text protocol authentication credentials;
capture encrypted authentication hashes which could be subjected to a brute-force attack;
perform a network wide DoS;
route updates could be redistributed by the device to other routing devices and possibly using other routing protocols and authentication.
2.6.4 Ease
An attacker could use a GLBP capable device in the attack. The attacker could then configure their GLBP capable device to be in the same group to become a network router. The authentication key can be configured using a GLBP packet captured from the network.
2.6.5 Recommendation
Nipper Studio recommends that MD5 authentication with a strong key should be configured for all GLBP groups. Although it may be possible for an attacker to extract the MD5 authentication hash from a network packet and brute-force the authentication key, it would take significantly more effort than would be required if clear-text authentication were to be configured. Nipper Studio recommends that:
GLBP authentication keys should be at least eight characters in length;
characters in the GLBP authentication key should not be repeated more than three times;
GLBP authentication keys should include both uppercase and lowercase characters;
GLBP authentication keys should include numbers;
GLBP authentication keys should include punctuation characters;
GLBP authentication keys should not include a device's name, make or model;
GLBP authentication keys should not be based on dictionary words.
Notes for Cisco Router devices:
MD5 GLBP group authentication can be configured on Cisco Router devices with the following interface command:
glbp [group] authentication md5 {key-string key | key-chain key-chain}
2.7 Not All HSRP Groups Were Authenticated
2.7.1 Affected Device
router03 - Cisco Router.
2.7.2 Finding
HSRP is a Cisco proprietary protocol used to provide router redundancy against a single point of failure. HSRP routers are configured in a group which can be authenticated using either clear-text or MD5 authentication. Authentication is configured to ensure that routing will not be performed by an untrusted router.
Nipper Studio determined that one HSRP group on router03 was configured with no authentication. This is shown in Table 21.
Table 21: HSRP group with no authentication on router03
Interface | Active | Name | Number | Version | Address | MAC | Priority | Auth | Key Chain/ID | SSO
GigabitEthernet1/2 | Yes | - | 20 | 1 | 192.168.5.20 | 00:00:0C:07:AC:20 | 100 | None | N/A | Yes
2.7.3 Impact
An attacker may attempt to join a HSRP routing group and become the master router. If an attacker is able to become a router, they would be able to:
monitor network traffic sent between network segments;
perform a man in the middle attack;
capture clear-text protocol authentication credentials;
capture encrypted authentication hashes which could be subjected to a brute-force attack;
perform a network wide DoS;
route updates could be redistributed by the device to other routing devices and possibly using other routing protocols and authentication.
Overall: HIGH | Impact: High | Ease: Easy | Fix: Involved
2.7.4 Ease
An attacker could use a HSRP capable device, or download HSRP software from the Internet. The attacker could then configure their HSRP to be in the same group and with a higher priority in order to become the master during an election.
2.7.5 Recommendation
Nipper Studio recommends that MD5 authentication with a strong key should be configured for all HSRP groups. Although it may be possible for an attacker to extract the MD5 authentication hash from a network packet and brute-force the authentication key, it would take significantly more effort than would be required if no authentication were to be configured. Nipper Studio recommends that:
HSRP authentication keys should be at least eight characters in length;
characters in the HSRP authentication key should not be repeated more than three times;
HSRP authentication keys should include both uppercase and lowercase characters;
HSRP authentication keys should include numbers;
HSRP authentication keys should include punctuation characters;
HSRP authentication keys should not include a device's name, make or model;
HSRP authentication keys should not be based on dictionary words.
Notes for Cisco Router devices:
MD5 HSRP group authentication can be configured on Cisco Router devices with the following interface command:
standby [group] authentication md5 {key-string key | key-chain key-chain}
2.8 Clear-Text HSRP Group Authentication Was Configured
2.8.1 Affected Device
router03 - Cisco Router.
2.8.2 Finding
HSRP is a Cisco proprietary protocol used to provide router redundancy against a single point of failure. HSRP routers are configured in a group which can be authenticated using either clear-text or MD5 authentication. Authentication is configured to ensure that routing will not be performed by an untrusted router.
Nipper Studio determined that one HSRP group on router03 was configured with clear-text authentication. This is shown in Table 22.
Table 22: HSRP group with clear-text authentication on router03
Interface | Active | Name | Number | Version | Address | MAC | Priority | Auth | Key Chain/ID | SSO
GigabitEthernet1/1 | Yes | - | 0 | 2 | 192.168.5.10 | 00:00:0C:07:AC:00 | 100 | Clear Text | 1 | Yes
2.8.3 Impact
An attacker may attempt to join a HSRP routing group and become the master router. If an attacker is able to become a router, they would be able to:
monitor network traffic sent between network segments;
perform a man in the middle attack;
capture clear-text protocol authentication credentials;
capture encrypted authentication hashes which could be subjected to a brute-force attack;
perform a network wide DoS;
route updates could be redistributed by the device to other routing devices and possibly using other routing protocols and authentication.
2.8.4 Ease
An attacker could use a HSRP capable device, or download HSRP software from the Internet. The attacker could then configure their HSRP to be in the same group and with a higher priority in order to become the master during an election. The authentication key (or shared secret) can be configured using a HSRP packet captured from the network.
2.8.5 Recommendation
Nipper Studio recommends that MD5 authentication with a strong key should be configured for all HSRP groups. Although it may be possible for an attacker to extract the MD5 authentication hash from a network packet and brute-force the authentication key, it would take significantly more effort than would be required if clear-text authentication were to be configured. Nipper Studio recommends that:
HSRP authentication keys should be at least eight characters in length;
characters in the HSRP authentication key should not be repeated more than three times;
HSRP authentication keys should include both uppercase and lowercase characters;
HSRP authentication keys should include numbers;
HSRP authentication keys should include punctuation characters;
HSRP authentication keys should not include a device's name, make or model;
HSRP authentication keys should not be based on dictionary words.
Overall: HIGH | Impact: High | Ease: Easy | Fix: Involved
Notes for Cisco Router devices:
MD5 HSRP group authentication can be configured on Cisco Router devices with the following interface command:
standby [group] authentication md5 {key-string key | key-chain key-chain}
2.9 Not All OSPF Routing Updates Were Authenticated
2.9.1 Affected Device
router03 - Cisco Router.
2.9.2 Finding
OSPF is a routing protocol that allows network devices to dynamically adapt to changes to the network topology. OSPF supports authentication using either clear-text or MD5 authentication methods. This ensures that routing updates are sent from a trusted source.
Nipper Studio determined that OSPF on router03 was configured without authentication on two interfaces. These are listed in Table 23.
Table 23: OSPF interfaces with no authentication on router03
Interface | Active | Passive | Area | Priority | Type | Auth Mode | Key ID | Route Cost | Hello Interval | Dead Interval | Retransmit Interval | Transmit Delay
GigabitEthernet1/1 | Yes | No | 1 | Point to MultiPoint | None | N/A | Default | 10 seconds | 40 seconds | 5 seconds | 1 second
GigabitEthernet1/2 | Yes | No | 1 | Point to MultiPoint | None | N/A | Default | 10 seconds | 40 seconds | 5 seconds | 1 second
2.9.3 Impact
An attacker may attempt to modify the routing table of a routing device in an attempt to route network traffic through a device that they control. If an attacker is able to control a routing device they would be able to:
monitor network traffic sent between network segments;
perform a man in the middle attack;
capture clear-text protocol authentication credentials;
capture encrypted authentication hashes which could be subjected to a brute-force attack;
perform a network wide DoS;
route updates could be redistributed by the device to other routing devices and possibly using other routing protocols and authentication.
2.9.4 Ease
Tools can be downloaded from the Internet that can be used to send malicious OSPF routing updates. With no authentication configured, an attacker would not have to determine the authentication key prior to sending malicious OSPF route updates.
2.9.5 Recommendation
Nipper Studio recommends that strong OSPF authentication keys should be configured for all routing updates. Nipper Studio recommends that:
OSPF authentication keys should be at least eight characters in length;
characters in the OSPF authentication key should not be repeated more than three times;
OSPF authentication keys should include both uppercase and lowercase characters;
OSPF authentication keys should include numbers;
OSPF authentication keys should include punctuation characters;
OSPF authentication keys should not include a device's name, make or model;
OSPF authentication keys should not be based on dictionary words.
Notes for Cisco Router devices:
OSPF authentication keys can be configured with MD5-based authentication with the following interface commands:
ip ospf authentication-key key
ip ospf authentication message-digest
2.10 RIP Version 1 Was Configured
2.10.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.10.2 Finding
RIP is a routing protocol that allows network devices to dynamically adapt to changes in the network infrastructure. There are three main versions of RIP:
version 1 of the protocol, outlined in RFC 1058, supports simple routing updates with support only for classful routing and broadcast updates;
version 2 of the protocol, outlined in RFC 2453, added support for Classless Inter-Domain Routing (CIDR), authentication (both in clear-text and MD5 forms) and multicast updates;
NG, outlined in RFC 2080, adds support for Internet Protocol version 6 (IPv6) but does not include support for authentication.
Overall: HIGH | Impact: High | Ease: Easy | Fix: Involved
Nipper Studio determined that support for RIP version 1 was configured on two interfaces on router03. These are listed in Table 24.
Table 24: RIP network interfaces which support protocol version 1 on router03
Interface | Active | Passive | Send | Receive | Auth | Key ID
GigabitEthernet1/1 | Yes | No | V1 | V1 and V2 | Clear Text | routing-chain
GigabitEthernet1/2 | Yes | No | V2 | V1 and V2 | None | N/A
Nipper Studio determined that support for RIP version 1 was configured on one interface on CiscoIOS15. This is shown in Table 25.
Table 25: RIP network interface that supports protocol version 1 on CiscoIOS15
Interface | Active | Passive | Send | Receive | Auth | Key ID
FastEthernet0/0 | Yes | No | V1 | V1 and V2 | MD5 | keychain
2.10.3 Impact
An attacker may attempt to modify the routing table of a routing device in an attempt to route network traffic through a device that they control. If an attacker is able to control a routing device they would be able to:
monitor network traffic sent between network segments;
perform a man in the middle attack;
capture clear-text protocol authentication credentials;
capture encrypted authentication hashes which could be subjected to a brute-force attack;
perform a network wide DoS;
route updates could be redistributed by the device to other routing devices and possibly using other routing protocols and authentication.
Another issue with RIP version 1, though not necessarily a security one, is that broadcast updates can wake up computers that are shut down on the Local Area Network (LAN).
2.10.4 Ease
Tools can be downloaded from the Internet that can be used to send malicious RIP routing updates. With RIP version 1 supported, the attacker would not need to provide authentication information.
2.10.5 Recommendation
Nipper Studio recommends that, if RIP is required, only support for version 2 should be configured. However, this may require a firmware update if the device does not support version 2.
Notes for Cisco Router devices:
Support for only RIP version 2 updates can be configured on Cisco Router devices with the following router configuration command:
version 2
Additionally, RIP version 2 support can be configured on individual interfaces with the following interface commands:
ip rip send version 2
ip rip receive version 2
2.11 Clear-Text RIP Authentication Was Configured
2.11.1 Affected Device
router03 - Cisco Router.
2.11.2 Finding
RIP is a routing protocol that allows network devices to dynamically adapt to changes in the network infrastructure. There are three main versions of RIP: versions 1, 2 and NG. Version 2 of RIP supports authentication using either clear-text or MD5 authentication methods. This ensures that routing updates were sent from a trusted source.
Nipper Studio determined that one interface with RIP on router03 was configured with clear-text authentication. This is shown in Table 26.
Table 26: Network interface with clear-text RIP authentication on router03
Interface | Active | Passive | Send | Receive | Auth | Key ID
GigabitEthernet1/1 | Yes | No | V1 | V1 and V2 | Clear Text | routing-chain
Overall: HIGH | Impact: High | Ease: Easy | Fix: Involved
2.11.3 Impact
An attacker may attempt to modify the routing table of a routing device in an attempt to route network traffic through a device that they control. If an attacker is able to control a routing device they would be able to:
monitor network traffic sent between network segments;
perform a man in the middle attack;
capture clear-text protocol authentication credentials;
capture encrypted authentication hashes which could be subjected to a brute-force attack;
perform a network wide DoS;
route updates could be redistributed by the device to other routing devices and possibly using other routing protocols and authentication.
2.11.4 Ease
Tools can be downloaded from the Internet that could be used to send malicious RIP routing updates. With clear-text authentication configured, an attacker would simply have to monitor RIP routing updates and extract the authentication key prior to sending malicious RIP route updates. Tools can be downloaded from the Internet that are capable of capturing RIP route updates and extracting the authentication key.
2.11.5 Recommendation
Nipper Studio recommends that MD5 authentication should be configured for all RIP routing updates. Although an attacker could extract the MD5 authentication hash from a network packet and brute-force the authentication key, it would take significantly more effort than would be required to use an authentication key that was sent without encryption.
2.12 Not All VRRP Groups Were Authenticated
2.12.1 Affected Device
router03 - Cisco Router.
2.12.2 Finding
VRRP is an industry standard protocol used to provide router redundancy against a single point of failure. VRRP routers are configured in a group which can be authenticated using either clear-text or MD5 authentication. Authentication is configured to ensure that routing will not be performed by an untrusted router.
Nipper Studio determined that one VRRP group on router03 was configured with no authentication. This is shown in Table 27.
Table 27: VRRP group with no authentication on router03
Interface | Active | VRRP | Address | Description | Priority | Auth | Key Chain/ID
GigabitEthernet1/2 | Yes | 3 | 192.168.3.2 | - | 100 | None | N/A
2.12.3 Impact
An attacker may attempt to join a VRRP routing group and become the master router. If an attacker is able to become a router, they would be able to:
monitor network traffic sent between network segments;
perform a man in the middle attack;
capture clear-text protocol authentication credentials;
capture encrypted authentication hashes which could be subjected to a brute-force attack;
perform a network wide DoS;
route updates could be redistributed by the device to other routing devices and possibly using other routing protocols and authentication.
2.12.4 Ease
An attacker could use a VRRP capable device, or download VRRP software from the Internet. The attacker could then configure their VRRP to be in the same group and with a higher priority in order to become the master during an election.
2.12.5 Recommendation
Nipper Studio recommends that MD5 authentication with a strong key should be configured for all VRRP groups. Although it may be possible for an attacker to extract the MD5 authentication hash from a network packet and brute-force the authentication key, it would take significantly more effort than would be required if no authentication were to be configured. Nipper Studio recommends that:
VRRP authentication keys should be at least eight characters in length;
characters in the VRRP authentication key should not be repeated more than three times;
VRRP authentication keys should include both uppercase and lowercase characters;
VRRP authentication keys should include numbers;
VRRP authentication keys should include punctuation characters;
VRRP authentication keys should not include a device's name, make or model;
VRRP authentication keys should not be based on dictionary words.
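The same seven credential rules are repeated in 2.2.5 (passwords, plus the username rule), 2.3.5 (SNMP community strings) and the BGP, GLBP, HSRP, OSPF and VRRP recommendations up to this point; the checker below applies them to any credential as an added example (not Nipper Studio's code). The word list is a constructed stand-in, and the `context` names the caller passes (username, device name, make, model) are assumptions about what the rules mean by "include".

```python
import string

# Constructed stand-in for a password dictionary (assumption: a real audit
# would use a far larger list). Words of four or more characters are also
# matched as substrings, so "Password1!" counts as dictionary-based.
DICTIONARY = {"cisco", "password", "router", "secret", "letmein", "admin"}


def check_credential(value, context=(), dictionary=DICTIONARY):
    """Return the report's rules that `value` breaks; an empty list means it passes.

    `context` holds names the credential must not contain: the username for a
    user password, and the device's name, make and model for any credential.
    """
    problems = []
    if len(value) < 8:
        problems.append("fewer than eight characters")
    if any(value.count(c) > 3 for c in set(value)):
        problems.append("a character is repeated more than three times")
    if not (any(c.isupper() for c in value) and any(c.islower() for c in value)):
        problems.append("not both upper- and lower-case characters")
    if not any(c.isdigit() for c in value):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in value):
        problems.append("no punctuation characters")
    lowered = value.lower()
    for name in context:
        if name and name.lower() in lowered:
            problems.append(f"contains '{name}'")
    # "based on a dictionary word": the word itself, the word padded with
    # digits or punctuation, or a longer dictionary word embedded in it
    core = lowered.strip(string.digits + string.punctuation)
    if core in dictionary or any(len(w) >= 4 and w in lowered for w in dictionary):
        problems.append("based on a dictionary word")
    return problems


def passes(value, context=(), dictionary=DICTIONARY):
    """True when the credential meets every rule."""
    return not check_credential(value, context, dictionary)


if __name__ == "__main__":
    # The first two values come from Table 15 of the report; the rest are constructed.
    samples = [("cisco", ["router03"]), ("password", ["temp", "router03"]),
               ("Router03#Tq9", ["router03"]), ("aaaa1Bc!!", ["router03"]),
               ("Tq7#vL9m!pRz", ["router03"])]
    for cred, ctx in samples:
        print(f"{cred:16} {check_credential(cred, ctx) or 'passes'}")
```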
Rating: Overall HIGH; Impact High; Ease Easy; Fix Involved
Rating: Overall HIGH; Impact High; Ease Easy; Fix Planned
Notes for Cisco Router devices:
MD5 VRRP group authentication can be configured on Cisco Router devices with the following interface command:
vrrp group authentication md5 {key-string key | key-chain key-chain}
2.13 Clear-Text VRRP Group Authentication Was Configured
2.13.1 Affected Device
router03 - Cisco Router.
2.13.2 Finding
VRRP is an industry standard protocol used to provide router redundancy against a single point of failure. VRRP routers are configured in a group which can be authenticated using either clear-text or MD5 authentication. Authentication is configured to ensure that routing will not be performed by an untrusted router.
Nipper Studio determined that one VRRP group on router03 was configured with clear-text authentication. This is shown in Table 28.
Table 28: VRRP group with clear-text authentication on router03
Interface | Active | VRRP Group | Address | Description | Priority | Auth | Key Chain/ID
GigabitEthernet1/1 | Yes | 2 | 192.168.4.2 | (none) | 100 | Clear Text | 1
2.13.3 Impact
An attacker may attempt to join the VRRP group and become the master router. If an attacker is able to become the master router, they would be able to:
monitor network traffic sent between network segments; perform a man-in-the-middle attack; capture clear-text protocol authentication credentials; capture encrypted authentication hashes which could be subjected to a brute-force attack; perform a network-wide DoS; redistribute route updates to other routing devices, possibly using other routing protocols and authentication.
2.13.4 Ease
An attacker could use a VRRP-capable device, or download VRRP software from the Internet. The attacker could then configure their VRRP instance to be in the same group and with a higher priority in order to become the master during an election. With clear-text authentication the key (or shared secret) is carried unprotected in every VRRP advertisement, so it can be read directly from a single VRRP packet captured from the network.
2.13.5 Recommendation
Nipper Studio recommends that MD5 authentication with a strong key should be configured for all VRRP groups. Although it may be possible for an attacker to extract the MD5 authentication hash from a network packet and brute-force the authentication key, it would take significantly more effort than would be required if clear-text authentication were configured. Nipper Studio recommends that:
VRRP authentication keys should be at least eight characters in length; characters in the VRRP authentication key should not be repeated more than three times; VRRP authentication keys should include both upper-case and lower-case characters; VRRP authentication keys should include numbers; VRRP authentication keys should include punctuation characters; VRRP authentication keys should not include a device's name, make or model; VRRP authentication keys should not be based on dictionary words.
Notes for Cisco Router devices:
MD5 VRRP group authentication can be configured on Cisco Router devices with the following interface command:
vrrp group authentication md5 {key-string key | key-chain key-chain}
2.14 Not All EIGRP Updates Were Authenticated
2.14.1 Affected Device
router03 - Cisco Router.
2.14.2 Finding
EIGRP is a routing protocol that allows network devices to dynamically adapt to changes to the network topology. EIGRP supports authentication using either clear-text or MD5 authentication methods. This ensures that routing updates are sent from a trusted source.
Rating: Overall HIGH; Impact High; Ease Easy; Fix Planned
Nipper Studio determined that EIGRP was configured without authentication on one interface on router03. This is shown in Table 29.
Table 29: Network interface with no EIGRP authentication on router03
Interface | Active | AS | Passive | Interval | Hold | Bandwidth | Auth | Key ID
GigabitEthernet1/2 | Yes | 3 | No | 5 seconds | 14 seconds | 50% | None | N/A
2.14.3 Impact
An attacker may attempt to modify the routing table of an EIGRP routing device in an attempt to route network traffic through a device that they control. If an attacker is able to control a routing device they would be able to:
monitor network traffic sent between network segments; perform a man-in-the-middle attack; capture clear-text protocol authentication credentials; capture encrypted authentication hashes which could be subjected to a brute-force attack; perform a network-wide DoS; redistribute route updates to other routing devices, possibly using other routing protocols and authentication.
2.14.4 Ease
Tools can be downloaded from the Internet that can be used to send malicious EIGRP routing updates. With no authentication configured, an attacker would not have to determine the authentication key prior to sending malicious EIGRP route updates.
2.14.5 Recommendation
Nipper Studio recommends that strong EIGRP authentication keys should be configured for all routing updates, using MD5 rather than clear-text authentication. Nipper Studio recommends that:
EIGRP authentication keys should be at least eight characters in length; characters in the EIGRP authentication key should not be repeated more than three times; EIGRP authentication keys should include both upper-case and lower-case characters; EIGRP authentication keys should include numbers; EIGRP authentication keys should include punctuation characters; EIGRP authentication keys should not include a device's name, make or model; EIGRP authentication keys should not be based on dictionary words.
Notes for Cisco Router devices:
EIGRP MD5 authentication is enabled per interface, referencing a key chain (see the key chain commands in section 2.27), with the following interface commands:
ip authentication mode eigrp autonomous-system md5
ip authentication key-chain eigrp autonomous-system key-chain
2.15 Not All RIP Updates Were Authenticated
2.15.1 Affected Device
router03 - Cisco Router.
2.15.2 Finding
RIP is a routing protocol that allows network devices to dynamically adapt to changes in the network infrastructure. There are three main versions of RIP: version 1, version 2 and RIPng. Version 2 of RIP supports authentication using either clear-text or MD5 authentication methods. This ensures that routing updates were sent from a trusted source.
Nipper Studio determined that RIP on router03 was configured without authentication on one interface. This is detailed in Table 30.
Table 30: RIP interface with no authentication on router03
Interface | Active | Passive | Send | Receive | Auth | Key ID
GigabitEthernet1/2 | Yes | No | V2 | V1 and V2 | None | N/A
2.15.3 Impact
An attacker may attempt to modify the routing table of a routing device in an attempt to route network traffic through a device that they control. If an attacker is able to control a routing device they would be able to:
monitor network traffic sent between network segments; perform a man-in-the-middle attack; capture clear-text protocol authentication credentials; capture encrypted authentication hashes which could be subjected to a brute-force attack; perform a network-wide DoS; redistribute route updates to other routing devices, possibly using other routing protocols and authentication.
2.15.4 Ease
Tools can be downloaded from the Internet that could be used to send malicious RIP routing updates. With no authentication configured, an attacker would not have to determine the authentication key prior to sending malicious RIP route updates.
2.15.5 Recommendation
Rating: Overall HIGH; Impact High; Ease Easy; Fix Planned
Rating: Overall HIGH; Impact High; Ease Easy; Fix Planned
Nipper Studio recommends that strong authentication keys should be configured for all RIP routing updates with RIP version 2 MD5 authentication. Because RIP version 1 has no authentication at all, the interface in Table 30, which currently receives both version 1 and version 2 updates, should also be restricted to receiving version 2 only; otherwise an attacker can simply send unauthenticated version 1 updates. Nipper Studio recommends that:
RIP authentication keys should be at least eight characters in length; characters in the RIP authentication key should not be repeated more than three times; RIP authentication keys should include both upper-case and lower-case characters; RIP authentication keys should include numbers; RIP authentication keys should include punctuation characters; RIP authentication keys should not include a device's name, make or model; RIP authentication keys should not be based on dictionary words.
Notes for Cisco Router devices:
RIP version 2 MD5 authentication, referencing a key chain (see section 2.27), and version 2 only reception are configured with the following interface commands:
ip rip authentication mode md5
ip rip authentication key-chain key-chain
ip rip receive version 2
2.16 Low VRRP Router Priorities
2.16.1 Affected Device
router03 - Cisco Router.
2.16.2 Finding
VRRP is an industry standard protocol used to provide router redundancy against a single point of failure. Multiple routers can be configured in a VRRP group in a master and backup router configuration. The master router is determined by an election where the router with the highest priority will become the master. Configurable router priorities are between 1 and 254; the value 255 is reserved for the router that owns the virtual IP address.
Nipper Studio determined that two VRRP groups on router03 had priorities lower than 255, at the IOS default of 100. These are listed in Table 31.
Table 31: VRRP groups with a priority lower than 255 on router03
Interface | Active | VRRP Group | Address | Description | Priority | Auth | Key Chain/ID
GigabitEthernet1/1 | Yes | 2 | 192.168.4.2 | (none) | 100 | Clear Text | 1
GigabitEthernet1/2 | Yes | 3 | 192.168.3.2 | (none) | 100 | None | N/A
2.16.3 Impact
An attacker who is able to configure VRRP with the relevant authentication configuration could configure a higher priority and force a router election in order to become the master router. If an attacker is able to control a routing device they would be able to:
monitor network traffic sent between network segments; perform a man-in-the-middle attack; capture clear-text protocol authentication credentials; capture encrypted authentication hashes which could be subjected to a brute-force attack; perform a network-wide DoS; redistribute route updates to other routing devices, possibly using other routing protocols and authentication.
2.16.4 Ease
To perform this attack, the attacker would first have to determine the existing VRRP configuration. If authentication credentials are used, the attacker could extract them from captured network packets. With MD5-based authentication, the attacker would have to use a dictionary or brute-force attack in order to determine the authentication key. Additionally, the attacker would require access to a network segment where they could participate in VRRP. The attacker could then configure their router with a higher priority in order to perform the attack. All of the software required to complete each of these components can be downloaded from the Internet.
2.16.5 Recommendation
Nipper Studio recommends that the VRRP priority of 254 should be configured. If two or more routers are present, Nipper Studio recommends that each of the routers should be configured with high-numbered priorities (for example 254 on the intended master and 253 on the backup), so that an attacker cannot outbid the legitimate routers. Note that priority alone does not prevent the attack; it only raises the bar, and it must be combined with the MD5 authentication recommended in sections 2.12 and 2.13.
Notes for Cisco Router devices:
VRRP priorities can be configured with the following Cisco Router interface command:
vrrp group priority priority
2.17 No VTP Authentication Password Was Configured
2.17.1 Affected Device
router03 - Cisco Router.
2.17.2 Finding
VTP was developed by Cisco to assist with the management of VLANs over multiple devices. The protocol enables the addition, renaming and deletion of VLANs on a single switch to be propagated to other network switches in the same VTP domain. VTP can be configured to authenticate updates with the use of a password.
Rating: Overall HIGH; Impact High; Ease Easy; Fix Planned
Nipper Studio determined that no VTP password was configured on router03.
2.17.3 Impact
If no VTP authentication password is configured, an attacker could potentially modify the VLAN configuration on all the network switches in the domain, causing a DoS.
2.17.4 Ease
An attacker could download a VTP attack tool from the Internet or use their own VTP-capable switch. However, the network switches would have to be configured to accept the VTP updates (that is, be in server or client mode in the same VTP domain). The attacker would then have to ensure that their configuration has a higher revision number, since switches replace their VLAN database with any advertisement carrying a higher revision.
2.17.5 Recommendation
Nipper Studio recommends that, if not required, VTP should be disabled or placed in transparent mode. However, if VTP is required, Nipper Studio recommends that a strong VTP authentication password should be configured on all VTP devices. Nipper Studio recommends that:
passwords should be at least eight characters in length; characters in the password should not be repeated more than three times; passwords should include both upper-case and lower-case characters; passwords should include numbers; passwords should include punctuation characters; passwords should not include the username; passwords should not include a device's name, make or model; passwords should not be based on dictionary words.
Notes for Cisco Router devices:
VTP can be set to transparent mode on Cisco Router devices using one of the following commands:
vtp transparent
vtp mode transparent
A VTP password can be configured on a Cisco Router device using the following command:
vtp password password-string
On some Cisco Router devices the VTP password is not included in the configuration file, therefore it is not possible for Nipper Studio to validate that this has been set correctly; check it on the device with "show vtp password".
2.18 Low GLBP Group Priorities
2.18.1 Affected Device
router03 - Cisco Router.
2.18.2 Finding
GLBP is a Cisco proprietary protocol which is used for router load balancing and redundancy. A priority is configured to determine which GLBP-enabled router will become the Active Virtual Gateway (AVG), which answers ARP requests for the virtual IP address and hands out the virtual MAC addresses of the Active Virtual Forwarders (AVFs). The router with the highest priority will become the AVG.
Nipper Studio determined that two GLBP groups on router03 had priorities lower than 255, at the IOS default of 100. These are listed in Table 32.
Table 32: GLBP groups with a priority lower than 255 on router03
Interface | Active | Group | Name | Address | Priority | Weighting | Auth | Key Chain/ID
GigabitEthernet1/1 | Yes | 44 | (none) | 192.168.8.42 | 100 | 100 | Clear Text | 1
GigabitEthernet1/2 | Yes | 40 | (none) | 192.168.7.42 | 100 | 100 | None | N/A
2.18.3 Impact
An attacker who is able to configure GLBP with the relevant authentication configuration could configure a higher priority in order to become the AVG. If an attacker is able to become the GLBP AVG, they would be able to control network routing in order to:
monitor network traffic sent between network segments; perform a man-in-the-middle attack; capture clear-text protocol authentication credentials; capture encrypted authentication hashes which could be subjected to a brute-force attack; perform a network-wide DoS; redistribute route updates to other routing devices, possibly using other routing protocols and authentication.
2.18.4 Ease
To perform this attack, the attacker would first have to determine the existing GLBP configuration. If authentication credentials are used, the attacker could extract them from captured network packets. With MD5-based authentication, the attacker would have to use a dictionary or brute-force attack in order to determine the authentication key. Additionally, the attacker would require access to a network segment where they could participate in GLBP. The attacker could then configure their router with a higher priority in order to perform the attack. All of the software required to complete each of these components can be downloaded from the Internet.
Rating: Overall HIGH; Impact High; Ease Easy; Fix Planned
Rating: Overall HIGH; Impact High; Ease Trivial
2.18.5 Recommendation
Nipper Studio recommends that the GLBP group priority of 255 should be configured. If two or more routers are present, Nipper Studio recommends that each of the routers should be configured with high-numbered priorities. Note that GLBP group 44 uses clear-text authentication and group 40 none at all, so a higher priority alone does not stop an attacker who can read or skip the authentication; MD5 authentication should be configured as well.
Notes for Cisco Router devices:
GLBP priorities can be configured with the following Cisco Router interface command:
glbp group priority priority
2.19 Low HSRP Router Priorities
2.19.1 Affected Device
router03 - Cisco Router.
2.19.2 Finding
HSRP is a Cisco proprietary protocol used to provide router redundancy against a single point of failure. Multiple routers can be configured in an HSRP group in an active and standby router configuration. The active router is determined by an election where the router with the highest priority will become active. On Cisco IOS, router priorities can be between 0 and 255, with a default of 100.
Nipper Studio determined that two HSRP groups on router03 had priorities lower than 255. These are listed in Table 33.
Table 33: HSRP groups with a priority lower than 255 on router03
Interface | Active | Name | Number | Version | Address | MAC | Priority | Auth | Key Chain/ID | SSO
GigabitEthernet1/1 | Yes | (none) | 0 | 2 | 192.168.5.10 | 00:00:0C:07:AC:00 | 100 | Clear Text | 1 | Yes
GigabitEthernet1/2 | Yes | (none) | 20 | 1 | 192.168.5.20 | 00:00:0C:07:AC:20 | 100 | None | N/A | Yes
2.19.3 Impact
An attacker who is able to configure HSRP with the relevant authentication configuration could configure a higher priority and force a router election in order to become the active router. If an attacker is able to control a routing device they would be able to:
monitor network traffic sent between network segments; perform a man-in-the-middle attack; capture clear-text protocol authentication credentials; capture encrypted authentication hashes which could be subjected to a brute-force attack; perform a network-wide DoS; redistribute route updates to other routing devices, possibly using other routing protocols and authentication.
2.19.4 Ease
To perform this attack, the attacker would first have to determine the existing HSRP configuration. If authentication credentials are used, the attacker could extract them from captured network packets. With MD5-based authentication, the attacker would have to use a dictionary or brute-force attack in order to determine the authentication key. Additionally, the attacker would require access to a network segment where they could participate in HSRP. The attacker could then configure their router with a higher priority in order to perform the attack. All of the software required to complete each of these components can be downloaded from the Internet.
2.19.5 Recommendation
Nipper Studio recommends that the HSRP priority of 255 should be configured. If two or more routers are present, Nipper Studio recommends that each of the routers should be configured with high-numbered priorities. Note that a priority of 255 only matters if preemption is enabled, and that with the preempt setting an attacker who joins the group can itself preempt unless it is also kept out by MD5 authentication.
Notes for Cisco Router devices:
HSRP priorities can be configured with the following Cisco Router interface command:
standby group priority priority
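The first-hop redundancy findings in sections 2.12, 2.13, 2.16, 2.18 and 2.19 are all instances of the same two checks on the interface stanzas of an IOS configuration: does each VRRP/HSRP/GLBP group have no, clear-text or MD5 authentication, and is its priority below the value the report recommends. The following Python is an added example written for this page, not code from Nipper Studio; it parses a constructed configuration that mirrors Tables 27, 28, 31, 32 and 33 (the hostname, the GigabitEthernet1/3 group and all key strings are invented) and reports those conditions. It handles the IOS shorthand where an HSRP line omits the group number (meaning group 0), and treats a bare "authentication string" as clear text, which is what IOS does for all three protocols.

```python
"""Added example: audit VRRP / HSRP / GLBP groups in a Cisco IOS running config
for missing or clear-text authentication and for priorities below the values
recommended in the report (254 for VRRP, 255 for HSRP and GLBP)."""
from dataclasses import dataclass

# The three protocols share the "<keyword> <group> <subcommand> ..." line shape.
FHRP_KEYWORDS = {"vrrp": "VRRP", "standby": "HSRP", "glbp": "GLBP"}
MAX_PRIORITY = {"VRRP": 254, "HSRP": 255, "GLBP": 255}  # report's recommended values
DEFAULT_PRIORITY = 100  # IOS default when no "priority" line is configured

# Constructed sample configuration (values modelled on the report's tables; the
# hostname, GigabitEthernet1/3 and every key string are invented for the example).
SAMPLE_CONFIG = """\
hostname router03
!
interface GigabitEthernet1/1
 description First interface on switch
 ip address 192.168.4.1 255.255.255.0
 vrrp 2 ip 192.168.4.2
 vrrp 2 priority 100
 vrrp 2 authentication text vrrpkey
 standby 0 ip 192.168.5.10
 standby 0 priority 100
 standby 0 authentication text hsrpkey
 glbp 44 ip 192.168.8.42
 glbp 44 priority 100
 glbp 44 authentication text glbpkey
!
interface GigabitEthernet1/2
 description Second interface on switch
 ip address 192.168.3.1 255.255.255.0
 vrrp 3 ip 192.168.3.2
 vrrp 3 priority 100
 standby 20 ip 192.168.5.20
 standby 20 priority 100
 glbp 40 ip 192.168.7.42
 glbp 40 priority 100
!
interface GigabitEthernet1/3
 vrrp 9 ip 10.9.9.1
 vrrp 9 priority 254
 vrrp 9 authentication md5 key-chain fhrp-keys
!
"""


@dataclass
class FhrpGroup:
    interface: str
    protocol: str
    group: int
    priority: int = DEFAULT_PRIORITY
    auth: str = "none"  # "none", "text" or "md5"


def parse_fhrp_groups(config: str) -> list[FhrpGroup]:
    """Return every FHRP group defined under an interface stanza, in config order."""
    groups: dict[tuple, FhrpGroup] = {}
    interface = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            interface = line.split(None, 1)[1]
            continue
        if not line.startswith(" ") or interface is None:
            continue  # "!" separators and global commands are not interface config
        parts = line.split()
        if len(parts) < 3 or parts[0] not in FHRP_KEYWORDS:
            continue
        if parts[0] == "standby" and not parts[1].isdigit():
            group, sub, args = 0, parts[1], parts[2:]  # HSRP: omitted group number means group 0
        elif parts[1].isdigit():
            group, sub, args = int(parts[1]), parts[2], parts[3:]
        else:
            continue
        if sub not in ("ip", "priority", "authentication"):
            continue  # timers, preempt, weighting etc. do not affect these checks
        proto = FHRP_KEYWORDS[parts[0]]
        g = groups.setdefault((interface, proto, group), FhrpGroup(interface, proto, group))
        if sub == "priority" and args:
            g.priority = int(args[0])
        elif sub == "authentication":
            # "authentication md5 ..." is MD5; "authentication text X" and the
            # bare "authentication X" form are both clear text on all three protocols.
            g.auth = "md5" if args and args[0] == "md5" else "text"
    return list(groups.values())


def audit_fhrp(config: str) -> list[str]:
    """Return one finding string per weak setting, in configuration order."""
    findings = []
    for g in parse_fhrp_groups(config):
        where = f"{g.protocol} group {g.group} on {g.interface}"
        if g.auth == "none":
            findings.append(f"{where}: no authentication")
        elif g.auth == "text":
            findings.append(f"{where}: clear-text authentication")
        if g.priority < MAX_PRIORITY[g.protocol]:
            findings.append(f"{where}: priority {g.priority} < {MAX_PRIORITY[g.protocol]}")
    return findings


if __name__ == "__main__":
    for finding in audit_fhrp(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the checker reports twelve findings: the six groups on GigabitEthernet1/1 and 1/2 each produce an authentication finding and a priority finding, while the invented group 9 on GigabitEthernet1/3, which uses MD5 with a key chain and priority 254, produces none. Feeding it a real "show running-config" is the quickest way to confirm that the remediation in these sections has actually been applied to every group, not just the ones the report tabulated.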
2.20 UDP Small Services Enabled
2.20.1 Affected Device
router03 - Cisco Router.
2.20.2 Finding
Rating (continued): Fix Quick
Rating: Overall HIGH; Impact High; Ease Trivial; Fix Quick
Some devices and platforms provide a collection of simple User Datagram Protocol (UDP) network services, which are also sometimes referred to as small services. These services provide little functionality and are rarely used, and they typically include:
Echo (defined in RFC 862) returns any data sent to it back to the connecting client; Discard (defined in RFC 863) ignores any data sent to it by a connecting client; Chargen (defined in RFC 864) generates printable characters which are returned to the connecting client.
Nipper Studio determined that the UDP small servers were enabled on router03.
2.20.3 Impact
An attacker could use the UDP small servers as part of a DoS attack. UDP is a connectionless protocol, so an attacker can forge the source address of packets sent to the echo and chargen services; the replies are then delivered to the spoofed victim, and pointing one device's chargen service at another's echo service creates a self-sustaining traffic loop that increases network traffic and system utilization of the devices offering the services. Additionally, each running service increases the chances of an attacker being able to identify the device and successfully compromise it. Although not as significant, some of the services may provide an attacker with simple information that could then be used as part of a targeted attack against the system.
2.20.4 Ease
Tools that can be used to connect to these services are installed by default on some systems or can be downloaded from the Internet.
2.20.5 Recommendation
Nipper Studio recommends that the UDP small servers should be disabled. The TCP small servers should be checked and disabled at the same time, as they are controlled by a separate command.
Notes for Cisco Router devices:
UDP small servers can be disabled on Cisco Router devices with the following command:
no service udp-small-servers
The TCP equivalent is:
no service tcp-small-servers
2.21 Enable Password Configured
2.21.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.21.2 Finding
On Cisco Internetwork Operating System (IOS)-based devices, enable passwords can be stored as an MD5-based hash (Type 5) or using the Cisco Type 7 password encoding. A strong password stored as an MD5 hash can take a significant period of time to brute-force. However, Type 7 is not a hash but a reversible encoding with a fixed, publicly known key, so the same password stored in Cisco Type 7 form can be reversed in a fraction of a second. The MD5 enable password hash is created using the "secret" keyword, whilst the Type 7 encoding (or plain clear text, if "service password-encryption" is not set) results from the "password" keyword.
Nipper Studio identified an enable password on router03 that was not stored using an MD5 hash. This is shown in Table 34.
Table 34: Enable password stored on router03 without using MD5
User | Password | Privilege | Filter
enable (password) | cisco | 15 | (none)
Nipper Studio identified an enable password on CiscoIOS15 that was not stored using an MD5 hash. This is shown in Table 35.
Table 35: Enable password stored on CiscoIOS15 without using MD5
User | Password | Privilege | Filter
enable (password) | password | 15 | (none)
2.21.3 Impact
An attacker could use an enable password from a Cisco device to gain administrative-level access to the device and modify its configuration.
2.21.4 Ease
An attacker who had access to the Cisco configuration file would easily be able to retrieve passwords that are stored in clear text or using the Cisco Type 7 encoding, and could attempt a brute-force attack against the stronger MD5 hashes. Tools can be downloaded from the Internet that are capable of reversing Cisco Type 7 passwords. However, an attacker would need to obtain a copy of the configuration file (for example via TFTP, a backup server, or the SNMP write access described in section 2.23) and would need to be able to gain initial access to the device before they could make use of an enable password.
2.21.5 Recommendation
Nipper Studio recommends that all enable passwords should be stored using the MD5 hash, and that the values "cisco" and "password" found here should be replaced with strong passwords in the process. Note that if both "enable secret" and "enable password" are configured, IOS uses the secret, but the weaker password remains in the configuration file, so the Type 7 or clear-text entry must be removed. The following command can be used to remove the Cisco Type 7 enable password:
Rating: Overall HIGH; Impact High; Ease Easy; Fix Planned
Rating: Overall HIGH; Impact High; Ease Easy; Fix Quick
no enable password
MD5 enable passwords can be configured using the following command:
enable secret [level level] password
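The finding above says a Type 7 enable password "can be reversed in a fraction of a second". The Python below, an added example written for this page rather than code from Nipper Studio, shows why: Type 7 is a fixed-key XOR whose key has been public for many years, so decoding needs no brute force at all. The block decodes Type 7 strings, and classifies the "enable" lines of a constructed sample configuration into MD5 secret, Type 7 and clear text, which is the check behind Tables 34 and 35. The Type 7 value in the sample encodes the report's router03 password "cisco"; the Type 5 hash in the sample is a placeholder, not a real hash.

```python
"""Added example: reverse Cisco Type 7 password encoding and classify the
"enable" lines of an IOS configuration by how the password is stored."""

# The public Type 7 XOR key. A Type 7 string is two decimal digits giving a
# starting offset into this key, followed by two hex digits per password byte.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a Cisco Type 7 string, e.g. '094F471A1A0A' -> 'cisco'."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a Type 7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode()


def type7_encode(plain: str, offset: int = 9) -> str:
    """Produce a Type 7 string (only useful for building test data; XOR is symmetric)."""
    out = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(plain.encode()))
    return f"{offset:02d}{out.hex().upper()}"


def classify_enable_lines(config: str) -> list[dict]:
    """Return {'kind', 'level', 'value'} for every 'enable secret/password' line.

    kind is 'md5' for a Type 5 secret (value is the hash, left alone), 'type7'
    for an encoded password (value is the recovered clear text) or 'clear' for
    a password stored in clear text in the configuration file.
    """
    results = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "enable" or parts[1] not in ("secret", "password"):
            continue
        level, rest = 15, parts[2:]
        if rest[0] == "level":  # "enable secret level N ..." sets a non-default privilege level
            level, rest = int(rest[1]), rest[2:]
        if parts[1] == "secret" and rest[0] == "5":
            results.append({"kind": "md5", "level": level, "value": rest[1]})
        elif parts[1] == "password" and rest[0] == "7":
            results.append({"kind": "type7", "level": level, "value": type7_decode(rest[1])})
        else:
            # "enable password cisco" or "enable password 0 cisco": clear text on disk.
            results.append({"kind": "clear", "level": level, "value": rest[-1]})
    return results


# Constructed sample lines. The Type 5 hash is a placeholder, not a real hash;
# the Type 7 string encodes "cisco", the router03 value from Table 34.
SAMPLE_CONFIG = """\
enable secret 5 $1$xxxx$placeholder-not-a-real-hash
enable password 7 094F471A1A0A
enable password cisco
"""

if __name__ == "__main__":
    for entry in classify_enable_lines(SAMPLE_CONFIG):
        print(entry)
```

The same decoder applies to every other Type 7 value in an IOS configuration (line passwords, "key-string 7 ...", SNMP and routing keys), which is why "service password-encryption" is not a substitute for "enable secret": it hides passwords from someone reading over an operator's shoulder and nothing more.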
2.22 Clear-Text SNMP In Use
2.22.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.22.2 Finding
SNMP is an industry standard protocol for monitoring and managing a variety of devices. SNMP services typically offer detailed information that includes a device's operating system, network interfaces, memory, system counters and system users. With write access to SNMP, it is possible to re-configure networking, system properties and even shut down a device.
There are multiple versions of SNMP, and versions prior to version 3 offer no encryption of either the authentication or the data network traffic.
Nipper Studio determined that the clear-text SNMP versions were enabled on the two devices detailed in Table 36.
Table 36: Devices with clear-text SNMP versions enabled
Device | Name
Cisco Router | router03
Cisco Router | CiscoIOS15
2.22.3 Impact
An attacker or malicious user who can monitor the unencrypted SNMP network traffic would capture the SNMP community string used to authenticate access to the SNMP agent service. Additionally, they would capture all the information transferred using the unencrypted connection.
With write access to SNMP an attacker could modify a device's settings and potentially cause a DoS condition.
2.22.4 Ease
Network packet capture tools can be downloaded from the Internet that can allow an attacker to monitor the network traffic. In a modern network environment, switches are typically deployed to connect the network infrastructure devices rather than hubs. With network switch devices, the attacker should only be able to see broadcast network traffic or traffic sent directly to or from the attacker's host. However, a skilled attacker could bypass this restriction by performing an attack such as ARP spoofing or exploiting a weakness in the network routing, including the unauthenticated first-hop redundancy groups described in sections 2.12 to 2.19. Tools for bypassing a network switching environment's restrictions can be downloaded from the Internet.
It is worth noting that with no SNMP view configured, the attacker would not be restricted to a specified subset of the SNMP MIB.
2.22.5 Recommendation
Nipper Studio recommends that, if not required, SNMP should be disabled. However, if SNMP access is required, Nipper Studio recommends that only SNMP version 3 should be configured, with both authentication and privacy (authPriv) and strong authentication and privacy passwords, and that version 1 and 2c community strings should be removed.
Notes for Cisco Router devices:
SNMP can be disabled with the following command:
no snmp-server
SNMP version 3 users are configured with a group that requires authentication and privacy, for example:
snmp-server group group-name v3 priv
snmp-server user user-name group-name v3 auth sha auth-password priv aes 128 priv-password
2.23 SNMP Write Access Enabled
2.23.1 Affected Device
router03 - Cisco Router.
2.23.2 Finding
SNMP is an industry standard protocol for monitoring and managing a variety of devices. SNMP services typically offer detailed information that includes a device's operating system, network interfaces, memory, system counters and system users. With write access to SNMP it can be possible to re-configure networking, system properties and even shut down a device.
Nipper Studio identified one SNMP community string with write access on router03. This is shown in Table 37.
Rating: Overall HIGH; Impact High; Ease Easy; Fix Quick
Rating: Overall HIGH; Impact High; Ease Easy; Fix Quick
Table 37: SNMP community string with write access on router03
Community | Access | Version | View | ACL
private | Read/Write | 1 | (none) | (none)
2.23.3 Impact
A malicious user, or attacker, with a write-access SNMP community string could modify the configuration of the device and in some circumstances cause the device to reboot. It is also worth noting that SNMP write access could enable an attacker to extract the full configuration from the device (for example by instructing it to copy its configuration to a TFTP server the attacker controls), which would expose the enable password and key strings reported in sections 2.21, 2.27 and 2.28. The community string found here, "private", is the well-known default and will be the first value any attacker tries.
2.23.4 Ease
An attacker who wanted to modify a device's configuration using SNMP would require a tool that could write to the SNMP MIB and a community string with write access. SNMP tools that can write to an SNMP MIB can be downloaded from the Internet and some operating systems install them by default.
2.23.5 Recommendation
Nipper Studio recommends that, if not required, SNMP should be disabled. If SNMP is required, the read/write community should be removed, any remaining community strings should be read-only, non-default and restricted by an access list and a view, and SNMP version 3 should be used as described in section 2.22.
Notes for Cisco Router devices:
SNMP can be disabled with the following command:
no snmp-server
The read/write community string can be removed and a read-only community restricted with an ACL using the following commands:
no snmp-server community private
snmp-server community community-string RO access-list
2.24 No HTTP Server Session Timeout
2.24.1 Affected Device
router03 - Cisco Router.
2.24.2 Finding
The HTTP server session timeout setting is used to determine if a web session is no longer being used, enabling a device to determine when a connection can be automatically disconnected. An HTTP server session could become unused if an administrator has not properly terminated a connection and remains authenticated, such as when a user does not click on a logout button. The session could also become unused if the user leaves their computer unattended without terminating the session.
Nipper Studio determined that no HTTP server session timeout was configured on router03.
2.24.3 Impact
If an attacker was able to access a system using an authenticated session that is no longer being used, the attacker would be able to perform information gathering, configuration changes and other malicious activities in the context of the previously authenticated user. The level of access could potentially be administrative.
2.24.4 Ease
To exploit this issue an attacker would first have to identify a working HTTP server session, possibly prior to it becoming unused by the user, and then be able to control that web session. This may be as simple as using the user's computer whilst they are away; otherwise the attacker may have to exploit a weakness in the protocol or perform a man-in-the-middle attack. The man-in-the-middle attack could be performed using a proxy server, but a user could become suspicious if the session is using Hypertext Transfer Protocol over SSL (HTTPS) and the web browser presents the user with a certificate warning.
2.24.5 Recommendation
Nipper Studio recommends that an HTTP server session timeout period of 10 minutes should be configured. If the HTTP server is not needed for administration, disabling it altogether ("no ip http server") removes the issue entirely.
Notes for Cisco Router devices:
The HTTP server timeout can be configured with the following command, where the "idle" value is the inactivity timeout in seconds:
ip http timeout-policy idle seconds life seconds requests number
2.25 No Inbound TCP Connection Keep-Alives
2.25.1 Affected Device
router03 - Cisco Router.
2.25.2 Finding
Keep-alive messages are used to determine if a connection is active or has become orphaned and is no longer used. Depending on the result, the device can reclaim resources allocated to inbound connections that have become orphaned. Connections to a device could become orphaned if a connection becomes disrupted or if the client has not properly terminated a connection.
Nipper Studio determined that TCP keep-alive messages were not configured for inbound connections on router03.
Rating: Overall HIGH; Impact High; Ease N/A; Fix Quick
Rating: Overall MEDIUM; Impact High
2.25.3 Impact
An attacker could attempt a DoS attack against a device by exhausting the number of possible connections. To perform this attack, the attacker could keep opening new connections to the device (possibly from spoofed source IP addresses) and then abandon them without closing them. Without keep-alives the device has no way to notice that the remote end has gone, so the orphaned sessions keep their resources indefinitely and eventually prevent new legitimate connections to the device from being made. This attack would prevent both users and administrators from connecting to the device, for example over Telnet or SSH.
2.25.4 Ease
Tools can be downloaded from the Internet that are capable of opening a large number of TCP connections without correctly terminating them.
2.25.5 Recommendation
Nipper Studio recommends that TCP keep-alive messages should be sent to detect and drop orphaned connections from remote systems.
Notes for Cisco Router devices:
Keep-alive messages can be sent for inbound TCP connections to Cisco Router devices with the following command:
service tcp-keepalives-in
2.26 Interfaces Were Configured With No Filtering
2.26.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.26.2 Finding
Network filtering rule lists can be assigned to individual network interfaces to provide filtering of network traffic.
Nipper Studio determined that two network interfaces on router03 had no network filtering rules assigned. These are detailed in Table 38.
Table 38: Network interfaces with no filtering on router03
Interface | Active | Description
GigabitEthernet1/1 | Yes | First interface on switch
GigabitEthernet1/2 | Yes | Second interface on switch
Nipper Studio determined that two network interfaces on CiscoIOS15 had no network filtering rules assigned. These are detailed in Table 39.
Table 39: Network interfaces with no filtering on CiscoIOS15
Interface | Active
FastEthernet0/0 | Yes
Async0/0/0 | Yes
2.26.3 Impact
The network traffic from an attacker attached to one of the network interfaces detailed above would not be subjected to filtering, potentially providing unrestricted access to network services, including the clear-text SNMP, HTTP and first-hop redundancy services reported elsewhere in this section.
2.26.4 Ease
The network traffic would not be subjected to filtering, so no additional effort is required by the attacker.
2.26.5 Recommendation
Nipper Studio recommends that all network interfaces should be configured with filtering to help prevent unauthorized access to network services and hosts. Access lists applied to the interfaces should at a minimum restrict management traffic (SNMP, HTTP, Telnet/SSH) to the addresses of the management hosts.
Notes for Cisco Router devices:
Cisco Router device filtering can be configured on interfaces with the following interface command; the direction is mandatory and a separate list may be applied in each direction:
ip access-group {access-list-number | access-list-name} {in | out}
2.27 Dictionary-Based Routing Protocol Authentication Keys
2.27.1 Affected Device
router03 - Cisco Router.
Rating (continued): Ease Moderate; Fix Involved
Rating: Overall MEDIUM; Impact High; Ease Moderate; Fix Involved
2.27.2 Finding
Routers and routing devices can be configured to send route updates to each other. This enables devices to dynamically adapt to changes in the network topology and enables router devices to make informed decisions when routing network traffic between networks. Authentication keys, sometimes referred to as shared secrets, can be configured for routing protocols. The routing protocol authentication keys are configured to ensure that any routing updates sent to the device that will update the device's routing information were only sent from trusted sources.
Nipper Studio determined that two dictionary-based routing protocol authentication keys were configured on router03. These are listed in Table 40.
Table 40: Dictionary-based routing protocol authentication keys on router03
Key Chain | Key ID | Key
testchain | 1 | password
routing-chain | 1 | cisco
2.27.3 Impact
An attacker may attempt to modify the routing table of a routing device in an attempt to route network traffic through a device that they control. If an attacker is able to control a routing device they would be able to:
monitor network traffic sent between network segments; perform a man-in-the-middle attack; capture clear-text protocol authentication credentials; capture encrypted authentication hashes which could be subjected to a brute-force attack; perform a network-wide DoS; redistribute route updates to other routing devices, possibly using other routing protocols and authentication.
2.27.4 Ease
Tools can be downloaded from the Internet that can be used to send malicious routing updates. With a simple dictionary-based authentication key configured, it would not be time-consuming for an attacker to determine the authentication key: a captured MD5-authenticated update contains the hash of the update plus the key, so a dictionary attack on that hash tests keys offline without any further interaction with the router. The attacker could then send routing updates that appear to be authentic, and the source address can be spoofed.
2.27.5 Recommendation
Nipper Studio recommends that strong routing protocol authentication keys should be configured for all routing updates. Nipper Studio recommends that:
routing authentication keys should be at least eight characters in length; characters in the routing authentication key should not be repeated more than three times; routing authentication keys should include both upper-case and lower-case characters; routing authentication keys should include numbers; routing authentication keys should include punctuation characters; routing authentication keys should not include a device's name, make or model; routing authentication keys should not be based on dictionary words.
Notes for Cisco Router devices:
Authentication key chains and keys can be configured on Cisco Router devices with the following commands:
key chain chain-name
key key-number
key-string authentication-string
2.28 Dictionary-Based VRRP Group Authentication Keys
2.28.1 Affected Device
router03 - Cisco Router.
2.28.2 Finding
VRRP is an industry standard protocol used to provide router redundancy against a single point of failure. VRRP routers are configured in a group which can be authenticated using either clear-text or MD5 authentication. Authentication is configured to ensure that routing will not be performed by an untrusted router.
Nipper Studio determined that one VRRP group was configured on router03 with a dictionary-based authentication key. This is shown in Table 41.
Table 41: Dictionary-based VRRP group authentication key on router03
Key ID | Key
1 | password
2.28.3 Impact
Rating: Overall MEDIUM; Impact High; Ease Moderate; Fix Quick
Rating: Overall MEDIUM
An attacker may attempt to join the VRRP group and become the master router. If an attacker is able to become the master router, they would be able to:
monitor network traffic sent between network segments; perform a man-in-the-middle attack; capture clear-text protocol authentication credentials; capture encrypted authentication hashes which could be subjected to a brute-force attack; perform a network-wide DoS; redistribute route updates to other routing devices, possibly using other routing protocols and authentication.
2.28.4 Ease
For clear-text VRRP group authentication, the attacker could monitor the network traffic in order to obtain the VRRP group authentication key. For MD5 authentication, an attacker could perform a dictionary-based attack against a captured advertisement. This can be achieved using software downloaded from the Internet. In this case the key is "password" and the group in question (key ID 1, Table 28) already uses clear-text authentication, so no cracking is required at all.
An attacker could use a VRRP-capable device, or download VRRP software from the Internet. The attacker could then configure their VRRP instance to be in the same group with a higher priority, using the recovered key as their own group authentication key, in order to become the master during an election.
2.28.5 Recommendation
Nipper Studio recommends that MD5 authentication with a strong key should be configured for all VRRP groups. Although it may be possible for an attacker to extract the MD5 authentication hash from a network packet and brute-force the authentication key, it would take significantly more effort than would be required if clear-text authentication were configured. Nipper Studio recommends that:
VRRP authentication keys should be at least eight characters in length; characters in the VRRP authentication key should not be repeated more than three times; VRRP authentication keys should include both upper-case and lower-case characters; VRRP authentication keys should include numbers; VRRP authentication keys should include punctuation characters; VRRP authentication keys should not include a device's name, make or model; VRRP authentication keys should not be based on dictionary words.
Notes for Cisco Router devices:
MD5 VRRP group authentication can be configured on Cisco Router devices with the following interface command:
vrrp group authentication md5 {key-string key | key-chain key-chain}
Gotothereportcontentsorthestartofthissection.
2.29SNMPSystemShutdownEnabled
2.29.1AffectedDevice
router03-CiscoRouter.
2.29.2Finding
ASNMPsystemshutdownfacilitycanbeconfiguredforsomeSNMPagentssothatnetworkadministratorscanremotelyresetthedevicesusingSNMP.
NipperStudiodeterminedthattheSNMPsystemshutdownfacilitywasenabledonrouter03.
2.29.3Impact
AnattackerwhohadSNMPwriteaccesscouldcauseaDoSconditionbycausingthedevicetoshutdown.
2.29.4Ease
ForanattackertoexploitthisissuetheywouldrequireSNMPquerytoolsandacommunitystringwithwriteaccesstotheSNMPMIB.SNMPquerytoolscanbedownloadedfromtheInternetandsomeOSinstallthembydefault.Iftheattackerdoesnotknowthecommunitystringitmaybepossibletodetermineitbymonitoringthenetworktrafficorbybrute-forcingthecommunitystring.
2.29.5Recommendation
GenerallytheSNMPsystemshutdownfacilityisnotsavedtotheconfigurationfileandshouldnotpersistfollowingasystemshutdown.NipperStudiorecommendsthattheSNMPsystemshutdownfacilityshouldbedisabled.
NotesforCiscoRouterdevices:
ThefollowingCiscoRouterdevicecommandcanbeusedtodisabletheSNMPshutdownfacility:
nosnmp-serversystem-shutdown
Gotothereportcontentsorthestartofthissection.
2.30BGPNeighborsConfiguredWithDictionary-BasedPasswords
2.30.1AffectedDevice
Impact:High
Ease:Moderate
Fix:Involved
Overall:MEDIUM
Impact:High
Ease:Moderate
Fix:Planned
CiscoIOS15-CiscoRouter.
2.30.2Finding
BGPisaroutingprotocolthatallowsnetworkdevicestodynamicallyadapttochangestothenetworktopology.RoutingneighborsareconfiguredtodefinewhichBGPhoststheroutingupdateswillbesentto.MD5authenticationcanbeconfiguredforeachneighbortoensurethatBGProutingupdatesaresentfromatrustedsource.
NipperStudiodeterminedthattwoBGPneighborsonCiscoIOS15hadbeenconfiguredwithadictionary-basedpassword.ThesearelistedinTable42.
Table42:BGPneighborsonCiscoIOS15withadictionary-basedpassword
Address RemoteAS Password Version Weight PeerGroup MapIn MapOut Description
1.1.1.1 3 password 4 0
1.2.3.4 1 password 4 0
2.30.3Impact
AnattackermayattempttomodifytheroutingtableofaBGProutingdeviceinanattempttoroutenetworktrafficthroughadevicethattheycontrol.Ifanattackerisabletocontrolaroutingdevicetheywouldbeableto:
monitornetworktrafficsentbetweennetworksegments;performamaninthemiddleattack;captureclear-textprotocolauthenticationcredentials;captureencryptedauthenticationhasheswhichcouldbesubjectedtoabrute-forceattack;performanetworkwideDoS;routeupdatescouldberedistributedbythedevicetootherroutingdevicesandpossiblyusingotherroutingprotocolsandauthentication.
2.30.4Ease
Anattackercouldmakeuseoftheirownroutingdevice,orroutingsoftware,inordertoinsertmaliciousroutingupdates.However,theattackermayfirsthavetoperformadictionary-basedattackinordertodeterminethepassword.
2.30.5Recommendation
NipperStudiorecommendsthatstrongMD5authenticationpasswordsshouldbeconfiguredforallBGProutingupdates.AlthoughanattackercouldextracttheMD5passwordauthenticationhashfromanetworkpacketandbrute-forcethepassword,itwouldtakesignificantlymoreeffortthanifadefaultpasswordweretobeconfigured.
NipperStudiorecommendsthat:
BGPpasswordsshouldbeatleasteightcharactersinlength;charactersintheBGPpasswordshouldnotberepeatedmorethanthreetimes;BGPpasswordsshouldincludebothuppercaseandlowercasecharacters;BGPpasswordsshouldincludenumbers;BGPpasswordsshouldincludepunctuationcharacters;BGPpasswordsshouldnotincludeadevice'sname,makeormodel;BGPpasswordsshouldnotbebasedondictionarywords.
NotesforCiscoRouterdevices:
BGPneighborauthenticationpasswordscanbeconfiguredonCiscoRouterdeviceswiththefollowingroutercommand:
neighbor{address|group}passwordpassword
Gotothereportcontentsorthestartofthissection.
2.31 DTP Was Enabled
Overall: MEDIUM
Impact: High
Ease: Moderate
Fix: Quick
2.31.1 Affected Device
router03 - Cisco Router.
2.31.2 Finding
DTP is a proprietary protocol developed by Cisco for the purpose of negotiating VLAN trunking between switches. When enabled, the switch can dynamically negotiate trunking with an attached switch without requiring any manual configuration. Once the negotiation is successful, any VLANs configured to trunk will then be transferred between the devices. If specific VLANs have not been specified then all VLANs will be transferred.
Nipper Studio determined that DTP was enabled on two network interfaces on router03. These are detailed in Table 43.
Table 43: Network interfaces on router03 with DTP enabled
Interface | Active | VLAN | Trunk | Trunk VLAN | DTP | Description
GigabitEthernet1/1 | Yes | 1 | Yes | All | On | First interface on switch
GigabitEthernet1/2 | Yes | 1 | Yes | All | On | Second interface on switch
2.31.3 Impact
An attacker could attempt to negotiate a trunk with the device in order to gain access to all the VLANs configured for the trunk. This would enable an attacker to bypass any network filtering provided to restrict access between VLANs. For example, if a management network were to be available then the attacker would be able to connect to all the devices and services offered on that network as if they were attached to it directly.
2.31.4 Ease
Software to enable an attacker to negotiate a trunk is available on the Internet. Alternatively, an attacker could make use of their own DTP capable network device.
2.31.5 Recommendation
Nipper Studio recommends that, if not required, DTP should be disabled. Nipper Studio recommends that switch ports should be configured to either trunk or not, and those ports where trunking is required should only be configured to trunk the required VLANs.
Notes for Cisco Router devices:
Switch ports can be configured to either trunk or not, and DTP negotiation disabled, using the following interface commands:
switchport mode {access | trunk}
switchport nonegotiate
2.32 Clear Text HTTP Service Enabled
Overall: MEDIUM
Impact: Critical
Ease: Challenging
Fix: Quick
2.32.1 Affected Device
router03 - Cisco Router.
2.32.2 Finding
HTTP (RFC 2616) provides web-based services, such as information services, network device administration and other potentially sensitive services. HTTP provides no encryption of the connection between the client and server, including any authentication and data transfer.
Nipper Studio determined that the clear text HTTP server was enabled on router03.
2.32.3 Impact
Due to the lack of encryption provided by the HTTP service, an attacker who is able to monitor a session would be able to view all of the authentication credentials and data passed in the session. The attacker could then attempt to gain access to the device using the authentication credentials extracted from the session and potentially gain access under the context of that user. Since HTTP is commonly used for network device administration, this could gain the attacker an administrative level of access.
2.32.4 Ease
To exploit the fact that the HTTP service does not provide any encryption, the attacker would need to be able to monitor the session between the HTTP server and web browser. In some situations the attacker may not need to perform any further action other than launching a network monitoring tool. However, in a switched network the attacker may need to perform additional actions such as an ARP attack, and in a routed environment the attacker may have to compromise the network routing.
Tools that are capable of both monitoring and displaying network traffic in an easy to read form can be downloaded from the Internet. There are also tools that automatically detect where authentication credentials or files are being transferred and display or save the data. Tools are also available that enable an attacker to easily perform a variety of network attacks in order to be able to monitor and intercept sessions between two network devices.
2.32.5 Recommendation
Nipper Studio recommends that the HTTP service should be disabled. If remote administrative access is required then Nipper Studio recommends that a cryptographically secure alternative, such as HTTPS, should be used instead.
Notes for Cisco Router devices:
The HTTP server can be disabled using the following command:
no ip http server
2.33 User Account Names Contained "admin"
Overall: MEDIUM
Impact: High
Ease: Moderate
Fix: Involved
2.33.1 Affected Device
CiscoIOS15 - Cisco Router.
2.33.2 Finding
When user account names contain "admin", a clear indication is given to an attacker or malicious user that the account most likely has higher privilege levels than a standard user. This allows an attacker to focus their resources in a more direct way, such as targeted phishing attacks or other social engineering techniques.
Nipper Studio identified one user account containing "admin" in the username on CiscoIOS15. This is shown in Table 44.
Table 44: User on CiscoIOS15 with 'admin' in username
User | Password | Privilege | Filter
admin | (ENCRYPTED) | 1 |
2.33.3 Impact
A malicious user would be able to create targeted phishing and social engineering attacks against a specific user they believe to have admin or elevated privileges. Once access is gained, they would have that user's access to a system, which could include re-configuring the device, extracting potentially sensitive information and disabling the device. Once an attacker has obtained the configuration from the device they may be able to identify authentication credentials that could then be used to gain access to other network devices.
2.33.4 Ease
Exploiting this vulnerability would require an attacker to have gained access to sensitive information detailing user accounts and associated IDs before being able to identify appropriate targets for phishing or social engineering attacks.
2.33.5 Recommendation
Nipper Studio strongly recommends that all admin or elevated privilege accounts should not contain information that identifies them as being such.
2.34 Weak GLBP Group Authentication Keys
Overall: MEDIUM
Impact: High
Ease: Moderate
Fix: Involved
2.34.1 Affected Device
router03 - Cisco Router.
2.34.2 Finding
GLBP is a Cisco proprietary protocol used to provide router load balancing and redundancy against a single point of failure. GLBP routers are configured in a group which can be authenticated using either clear-text or MD5 authentication. Authentication is configured to ensure that routing will not be performed by an untrusted router.
Nipper Studio determined that one GLBP group was configured on router03 with a weak authentication key. This is shown in Table 45.
Table 45: Weak GLBP group authentication key on router03
Key ID | Key | Weakness
1 | Passw0rd | No punctuation characters
2.34.3 Impact
An attacker who is able to configure GLBP with the relevant authentication configuration in order to become the AVG would be able to control network routing in order to:
- monitor network traffic sent between network segments;
- perform a man in the middle attack;
- capture clear-text protocol authentication credentials;
- capture encrypted authentication hashes which could be subjected to a brute-force attack;
- perform a network wide DoS;
- route updates could be redistributed by the device to other routing devices, possibly using other routing protocols and authentication.
2.34.4 Ease
For clear-text GLBP group authentication, the attacker could monitor the network traffic in order to gain the GLBP group authentication key. For MD5 authentication, an attacker could perform a brute-force attack. This can be achieved using software downloaded from the Internet.
An attacker could use a GLBP capable device in the attack. The attacker could then configure their GLBP capable router, with the authentication key, in order to become a network router.
2.34.5 Recommendation
Nipper Studio recommends that MD5 authentication with a strong key should be configured for all GLBP groups. Although it may be possible for an attacker to extract the MD5 authentication hash from a network packet and brute-force the authentication key, it would take significantly more effort than would be required if clear-text authentication were to be configured. Nipper Studio recommends that:
- GLBP authentication keys should be at least eight characters in length;
- characters in the GLBP authentication key should not be repeated more than three times;
- GLBP authentication keys should include both uppercase and lowercase characters;
- GLBP authentication keys should include numbers;
- GLBP authentication keys should include punctuation characters;
- GLBP authentication keys should not include a device's name, make or model;
- GLBP authentication keys should not be based on dictionary words.
Notes for Cisco Router devices:
MD5 GLBP group authentication can be configured on Cisco Router devices with the following interface command:
glbp [group] authentication md5 {key-string key | key-chain key-chain}
2.35 Weak HSRP Group Authentication Keys
Overall: MEDIUM
Impact: High
Ease: Moderate
Fix: Involved
2.35.1 Affected Device
router03 - Cisco Router.
2.35.2 Finding
HSRP is a Cisco proprietary protocol used to provide router redundancy against a single point of failure. HSRP routers are configured in a group which can be authenticated using either clear-text or MD5 authentication. Authentication is configured to ensure that routing will not be performed by an untrusted router.
Nipper Studio determined that one HSRP group was configured on router03 with a weak authentication key. This is shown in Table 46.
Table 46: Weak HSRP group authentication key on router03
Key ID | Key | Weakness
1 | Passw0rd | No punctuation characters
2.35.3 Impact
An attacker may attempt to join an HSRP routing group and become the master router. If an attacker is able to become a router, they would be able to:
- monitor network traffic sent between network segments;
- perform a man in the middle attack;
- capture clear-text protocol authentication credentials;
- capture encrypted authentication hashes which could be subjected to a brute-force attack;
- perform a network wide DoS;
- route updates could be redistributed by the device to other routing devices, possibly using other routing protocols and authentication.
2.35.4 Ease
For clear-text HSRP group authentication, the attacker could monitor the network traffic in order to gain the HSRP group authentication key. For MD5 authentication, an attacker could perform a brute-force attack. This can be achieved using software downloaded from the Internet.
An attacker could use an HSRP capable device, or download HSRP software from the Internet. The attacker could then configure their HSRP to be in the same group and with a higher priority in order to become the master during an election. The authentication key (or shared secret) can be configured using the HSRP group authentication key.
2.35.5 Recommendation
Nipper Studio recommends that MD5 authentication with a strong key should be configured for all HSRP groups. Although it may be possible for an attacker to extract the MD5 authentication hash from a network packet and brute-force the authentication key, it would take significantly more effort than would be required if clear-text authentication were to be configured. Nipper Studio recommends that:
- HSRP authentication keys should be at least eight characters in length;
- characters in the HSRP authentication key should not be repeated more than three times;
- HSRP authentication keys should include both uppercase and lowercase characters;
- HSRP authentication keys should include numbers;
- HSRP authentication keys should include punctuation characters;
- HSRP authentication keys should not include a device's name, make or model;
- HSRP authentication keys should not be based on dictionary words.
Notes for Cisco Router devices:
MD5 HSRP group authentication can be configured on Cisco Router devices with the following interface command:
standby [group] authentication md5 {key-string key | key-chain key-chain}
2.36 Weak Routing Protocol Authentication Keys
Overall: MEDIUM
Impact: High
Ease: Moderate
Fix: Planned
2.36.1 Affected Device
CiscoIOS15 - Cisco Router.
2.36.2 Finding
Routers and routing devices can be configured to send route updates to each other. This enables devices to dynamically adapt to changes in the network topology and enables router devices to make informed decisions when routing network traffic between networks. Authentication keys, sometimes referred to as shared secrets, can be configured for routing protocols. The routing protocol authentication keys are configured to ensure that any routing updates sent to the device that will update the device's routing information were only sent from trusted sources.
Nipper Studio determined that one weak routing protocol authentication key was configured on CiscoIOS15. This is shown in Table 47.
Table 47: Weak routing protocol authentication key on CiscoIOS15
Key Chain | Key ID | Key | Weakness
keychain | 1 | key | Too short
2.36.3 Impact
An attacker may attempt to modify the routing table of a routing device in an attempt to route network traffic through a device that they control. If an attacker is able to control a routing device they would be able to:
- monitor network traffic sent between network segments;
- perform a man in the middle attack;
- capture clear-text protocol authentication credentials;
- capture encrypted authentication hashes which could be subjected to a brute-force attack;
- perform a network wide DoS;
- route updates could be redistributed by the device to other routing devices, possibly using other routing protocols and authentication.
2.36.4 Ease
Tools can be downloaded from the Internet that can be used to send malicious routing updates. With a weak authentication key configured, the attacker may have to perform a brute-force attack in order to determine the authentication key. The attacker could then send routing updates that appear to be authentic, and the source address can be spoofed.
2.36.5 Recommendation
Nipper Studio recommends that strong routing protocol authentication keys should be configured for all routing updates. Nipper Studio recommends that:
- routing authentication keys should be at least eight characters in length;
- characters in the routing authentication key should not be repeated more than three times;
- routing authentication keys should include both uppercase and lowercase characters;
- routing authentication keys should include numbers;
- routing authentication keys should include punctuation characters;
- routing authentication keys should not include a device's name, make or model;
- routing authentication keys should not be based on dictionary words.
Notes for Cisco Router devices:
Authentication key chains and keys can be configured on Cisco Router devices with the following commands:
key chain chain-name
key key-number
key-string authentication-string
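The same seven key criteria are repeated in the VRRP, BGP, GLBP, HSRP and routing-protocol recommendations above (sections 2.28, 2.30, 2.34, 2.35 and 2.36). The following checker is an added example, not Nipper Studio's code: it pulls clear-text keys from the quoted IOS commands and grades each against those criteria; the configuration fragment, the word list and the device names it assumes are constructed for illustration.

```python
"""Key-strength checker for the routing and redundancy protocol keys the report covers.

Added example (not Nipper Studio's code): applies the seven key criteria listed in the
VRRP, BGP, GLBP, HSRP and routing-protocol recommendations to keys found in an IOS
configuration. The config text and word list below are constructed for illustration.
"""
import re
import string

# Constructed stand-in for a real word list (load /usr/share/dict/words or similar in practice).
DICTIONARY = {"password", "secret", "cisco", "admin", "key", "router", "letmein"}

# Clear-text keys on the IOS commands quoted in the report: vrrp/standby/glbp ... authentication,
# neighbor ... password, and key-string inside a key chain. Encrypted forms ("password 7 ...",
# "key-string 7 ...") and key-chain references are skipped: they carry no clear-text key to test.
KEY_PATTERNS = [
    re.compile(r"^\s*(?:vrrp|standby|glbp)\s+\d+\s+authentication\s+"
               r"(?:text\s+|md5\s+key-string\s+)?(?!md5\b)(\S+)"),
    re.compile(r"^\s*neighbor\s+\S+\s+password\s+(?!\d\s)(\S+)"),
    re.compile(r"^\s*key-string\s+(?!\d\s)(\S+)"),
]


def check_key(key, device_names=()):
    """Return the weaknesses of a key, phrased as in the report; an empty list means it passes.

    device_names holds the device's host name, make and model (strings that must not appear
    in a key). "Repeated more than three times" is read here as any single character occurring
    four or more times.
    """
    weaknesses = []
    if len(key) < 8:
        weaknesses.append("Too short")
    if any(key.count(ch) > 3 for ch in set(key)):
        weaknesses.append("Characters repeated more than three times")
    if not (any(ch.isupper() for ch in key) and any(ch.islower() for ch in key)):
        weaknesses.append("Not mixed case")
    if not any(ch.isdigit() for ch in key):
        weaknesses.append("No numbers")
    if not any(ch in string.punctuation for ch in key):
        weaknesses.append("No punctuation characters")
    lowered = key.lower()
    if any(name.lower() in lowered for name in device_names if name):
        weaknesses.append("Contains device name, make or model")
    if lowered in DICTIONARY:
        weaknesses.append("Dictionary-based")
    return weaknesses


def audit_keys(config, device_names=()):
    """Find every clear-text key in an IOS config and check it.

    Returns (line number, config line, key, weaknesses) tuples, one per key found.
    """
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        for pattern in KEY_PATTERNS:
            match = pattern.match(line)
            if match:
                key = match.group(1)
                findings.append((lineno, line.strip(), key, check_key(key, device_names)))
                break
    return findings


# Constructed configuration fragment modelled on Tables 41, 42 and 45 to 47 (not a real device).
SAMPLE_CONFIG = """\
hostname router03
key chain keychain
 key 1
  key-string key
interface GigabitEthernet1/1
 vrrp 1 authentication text password
 standby 1 authentication md5 key-string Passw0rd
 glbp 1 authentication md5 key-string Passw0rd
 glbp 2 authentication md5 key-chain keychain
router bgp 65000
 neighbor 1.1.1.1 password password
 neighbor 1.2.3.4 password password
"""

if __name__ == "__main__":
    for lineno, line, key, weaknesses in audit_keys(SAMPLE_CONFIG, ("router03", "Cisco")):
        verdict = ", ".join(weaknesses) if weaknesses else "OK"
        print(f"line {lineno}: {line!r} -> key {key!r}: {verdict}")
```

Run against the sample, it reports "password" as dictionary-based and "Passw0rd" with only "No punctuation characters", matching Tables 41, 42, 45 and 46; a key referenced through a key chain is not graded twice.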
2.37 Low OSPF Router Priorities
Overall: MEDIUM
Impact: High
Ease: Challenging
Fix: Quick
2.37.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.37.2 Finding
OSPF is a routing protocol that can be configured to dynamically update the routing table with changes to the network topology. Multiple routers can be configured on a network for fault tolerance; in that situation the router with the highest priority will take precedence. Router priorities can be between 0 and 255; if set to 0 the router will not become the designated or backup router. If two routers have the same priority, the router with the highest router Identifier (ID) will then take precedence.
Nipper Studio determined that two OSPF priorities on router03 were less than 255. These are listed in Table 48.
Table 48: OSPF with priorities less than 255 on router03
Interface | Active | Passive | Area | Priority | Type | Auth Mode | Key ID | Route Cost | Hello Interval | Dead Interval | Retransmit Interval | Transmit Delay
GigabitEthernet1/1 | Yes | No | | 1 | Point to Multi Point | None | N/A | Default | 10 seconds | 40 seconds | 5 seconds | 1 second
GigabitEthernet1/2 | Yes | No | | 1 | Point to Multi Point | None | N/A | Default | 10 seconds | 40 seconds | 5 seconds | 1 second
Nipper Studio determined that one OSPF priority on CiscoIOS15 was less than 255. This is shown in Table 49.
Table 49: OSPF with a priority less than 255 on CiscoIOS15
Interface | Active | Passive | Area | Priority | Type | Auth Mode | Key ID | Route Cost | Hello Interval | Dead Interval | Retransmit Interval | Transmit Delay
FastEthernet0/0 | Yes | No | | 1 | Broadcast | MD5 | 6 | Default | 10 seconds | 40 seconds | 5 seconds | 1 second
2.37.3 Impact
An attacker who is able to configure OSPF with the relevant authentication configuration could configure a higher priority in order to take precedence over the existing router. If an attacker is able to control a routing device they would be able to:
- monitor network traffic sent between network segments;
- perform a man in the middle attack;
- capture clear-text protocol authentication credentials;
- capture encrypted authentication hashes which could be subjected to a brute-force attack;
- perform a network wide DoS;
- route updates could be redistributed by the device to other routing devices, possibly using other routing protocols and authentication.
2.37.4 Ease
To perform this attack, the attacker would first have to determine the existing OSPF configuration. If authentication credentials are used, the attacker could extract them from captured network packets. With MD5-based authentication, the attacker would have to use a dictionary/brute-force attack in order to determine the authentication key. Additionally, the attacker would require access to a network segment where they could participate in OSPF routing. The attacker could then configure their router with a higher priority in order to perform the attack. All of the software required to complete each of these components can be downloaded from the Internet.
2.37.5 Recommendation
Nipper Studio recommends that an OSPF priority of 255 should be configured. If two or more routers are present, Nipper Studio recommends that each of the routers should be configured with high numbered priorities.
Notes for Cisco Router devices:
A high OSPF priority can be configured on Cisco Router devices with the following interface command:
ip ospf priority priority-no
2.38 Users Configured With Weak Password Encryption
Overall: MEDIUM
Impact: High
Ease: Challenging
Fix: Quick
2.38.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.38.2 Finding
User passwords on Cisco IOS-based devices can be stored using either an MD5 password hash or the Cisco Type 7 password encoding algorithm. Whilst Cisco Type-7 password encoding can be easily reversed to reveal the original password, MD5 hashes cannot be reversed. Instead, if the original password needs to be determined from an MD5 hash, candidate passwords must be guessed and then put through the MD5 hashing process. The resulting MD5 hashes can then be compared in order to determine if the passwords match.
Nipper Studio determined that six users stored their passwords using Cisco Type-7 encoding on router03. These are detailed in Table 50.
Table 50: Users with Cisco Type-7 passwords on router03
User | Password | Privilege | Filter
temp | password | 15 |
testuser | password | 15 |
localuser | password | 15 |
Console Line | password | 1 |
Auxiliary | password | 1 |
VTY 0-4 Line | password | 1 |
Nipper Studio determined that two users stored their passwords using Cisco Type-7 encoding on CiscoIOS15. These are detailed in Table 51.
Table 51: Users with Cisco Type-7 passwords on CiscoIOS15
User | Password | Privilege | Filter
enable (password) | password | 15 |
VTY 0-4 Line | password | 1 |
2.38.3 Impact
A strong password stored using an MD5 hash can take a significant period of time to brute-force. However, the same password stored in Cisco Type 7 form can be reversed in a fraction of a second. An attacker could use decoded passwords from a Cisco device in order to gain a level of access to the device and potentially modify its configuration.
2.38.4 Ease
An attacker who had access to the Cisco configuration file would easily be able to retrieve and decode passwords that are stored using the Cisco Type-7 encoding scheme. However, an attacker who had access to a Cisco configuration file could attempt a brute-force attack against the stronger MD5 hashes. Tools can be downloaded from the Internet that are capable of reversing Cisco Type 7 passwords. However, an attacker would need to obtain a copy of the configuration file and would need to be able to gain initial access to the device before they could make use of an enable password.
2.38.5 Recommendation
Nipper Studio recommends that all user passwords should be stored using the MD5 hash. The following command can be used to remove users using the Cisco Type 7 password:
no username
Users can be configured to store passwords using an MD5 hash using the following command:
username user-name secret password
2.39 AUX Port Not Disabled
Overall: MEDIUM
Impact: Medium
Ease: Moderate
Fix: Quick
2.39.1 Affected Device
router03 - Cisco Router.
2.39.2 Finding
The Auxiliary (AUX) port's primary purpose is to provide a remote administration capability. With a modem connected to the AUX port, a remote administrator could dial in to the device in order to perform remote administration. As an extra layer of security, some devices can be configured with a callback facility. The callback facility, if configured, drops any incoming calls and dials the network administrator back.
Nipper Studio determined that the AUX port had not been disabled on router03.
The AUX port line settings that were configured on router03 are listed in Table 52.
Table 52: AUX line settings on router03
Line | Exec | Absolute | Session | Login | Filter In | Filter Out
Auxiliary | 10 minutes | None | 25 minutes | 30 seconds | |
2.39.3 Impact
If an attacker is able to dial in and connect to the device remotely using the AUX port, the attacker could perform a brute-force attack against the authentication mechanism in order to gain remote administrative access. If a malicious user was able to gain physical access to a device where the AUX port had not been disabled, they could attach a modem in order to perform an attack from a remote location. If a callback facility has not been configured, then the device would not drop incoming calls and attempt to dial the network administrator's phone number.
2.39.4 Ease
In order to successfully exploit this issue, the attacker would require a modem to be attached to the AUX port. If a modem is already attached, an attacker could discover the modem's telephone number during a war-dial. However, even though a number of war-dial tools are available on the Internet, a war-dial is more likely to be discovered due to the number of telephones which would be called in an office.
2.39.5 Recommendation
Nipper Studio recommends that, if not required, the AUX port should be disabled. If the AUX port is required and the device supports callback then Nipper Studio suggests that the callback facility should be configured as an additional level of protection.
Notes for Cisco Router devices:
The auxiliary port can be disabled with the following IOS auxiliary line commands:
transport input none
login local
no exec
2.40 No BGP Route Flap Prevention
Overall: MEDIUM
Impact: Medium
Ease: Trivial
Fix: Planned
2.40.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.40.2 Finding
BGP is a routing protocol that allows network devices to dynamically adapt to changes to the network topology. BGP routers update their neighbors with changes such as network link status changes. BGP route flapping is a condition where routing tables are constantly being updated due to a link transitioning between up and down status. These transitions cause routing tables to be continuously updated across the infrastructure. Routing devices can be configured with BGP route dampening in order to help mitigate against constant route flapping.
Nipper Studio determined that BGP route dampening had not been configured on the two devices detailed in Table 53.
Table 53: Devices with no BGP route dampening
Device | Name
Cisco Router | router03
Cisco Router | CiscoIOS15
2.40.3 Impact
Excessive route updates, caused by a link status constantly changing between up and down, can impact network routing performance. Network routing could slow, with network packets being dropped, possibly causing a DoS condition.
2.40.4 Ease
It is possible for an attacker to send BGP packets to a router to update the routing table and cause a route flapping condition. However, the attacker may need additional information in order to perform the attack, such as a BGP password.
2.40.5 Recommendation
Nipper Studio recommends that BGP route dampening should be configured to help prevent excessive routing updates from causing a DoS condition.
Notes for Cisco Router devices:
There are a number of different BGP options that can be configured to help reduce the effects of route flapping. BGP route dampening can be enabled on Cisco Router devices with the following command:
bgp dampening
2.41 No RIP Update Neighbors Were Configured
Overall: MEDIUM
Impact: Medium
Ease: Trivial
Fix: Quick
2.41.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.41.2 Finding
RIP is a routing protocol that allows network devices to dynamically adapt to changes in the network infrastructure. The routing devices can be configured to send RIP routing updates to specified RIP neighbors. If not specified, RIP routing updates will be sent to all LAN hosts.
Nipper Studio determined that no RIP neighbors were configured on the two devices detailed in Table 54.
Table 54: Devices with no RIP neighbors
Device | Name
Cisco Router | router03
Cisco Router | CiscoIOS15
2.41.3 Impact
With no RIP routing update neighbors configured, route updates will be sent to all LAN hosts. If an attacker is able to monitor a network segment to which the device is attached, they would be able to monitor the routing traffic. This would give the attacker:
- a list of routes that the device sending the updates is aware of;
- if clear-text authentication is used, the authentication key;
- if MD5 authentication is used, the authentication hash, which could then be subjected to a brute-force attack.
2.41.4 Ease
RIP routing updates will be sent to all hosts on the LAN. Tools can be downloaded from the Internet that can be used to monitor, extract and exploit the information contained in the RIP route update packets.
2.41.5 Recommendation
Nipper Studio recommends that RIP routing update neighbors should be configured to send RIP updates to specific addresses.
Notes for Cisco Router devices:
RIP neighbors can be configured on Cisco Router devices with the following router command:
neighbor ip-address
2.42 No HTTP Service Network Access Restrictions
Overall: MEDIUM
Impact: Medium
Ease: N/A
Fix: Planned
2.42.1 Affected Device
router03 - Cisco Router.
2.42.2 Finding
HTTP (RFC 2616) provides web-based services, such as information services, network device administration and other potentially sensitive services. HTTP provides no encryption of the connection between the client and server, including any authentication and data transfer. HTTPS, which is HTTP over Secure Sockets Layer (SSL)/TLS, is used to provide a cryptographically secure web-based connection.
Network access to the HTTP service can be restricted by specifying those hosts that are allowed to access the service, thereby denying access to all other network host addresses.
Nipper Studio determined that the HTTP service on router03 was not configured to restrict access to only those specific network host addresses that are required.
2.42.3 Impact
Without management host address restrictions an attacker, or malicious user, with authentication credentials would be able to connect to the HTTP service, log on and access the functionality and information provided for that user. If an attacker does not have authentication credentials they could attempt a brute-force attack in order to identify valid credentials. Additionally, if there is a vulnerability with the service then allowing anyone to connect to the service could enable an attacker to exploit the vulnerability.
2.42.4 Ease
With no HTTP network host access restrictions an attacker would not be prevented from connecting to the service. Furthermore, web browsers and other web-based client tools are included as standard with most operating systems. Alternative web service tools are available on the Internet, together with vulnerability exploit code, enumeration and brute-force tools.
2.42.5 Recommendation
Nipper Studio recommends that access to the HTTP service should be restricted to only those network hosts that require access.
Notes for Cisco Router devices:
Management hosts can be configured by applying an Access Control List (ACL). An ACL can be configured and applied using the following commands:
ip access-list standard access-list-number
remark description
permit ip-address wildcard [log]
exit
ip http access-class acl-number
2.43SyslogLoggingNotEnabled
2.43.1AffectedDevice
router03-CiscoRouter.
2.43.2Finding
Loggingisanimportantcomponentofasecurenetworkconfiguration.Whenappropriatelyconfigured,themessagesloggedprovideawealthofinformationtoanetworkadministratorwhendiagnosingaproblem,identifyinganattackorwhenusedtoprovideanactivityaudittrail.Whenawellconfiguredloggingsystemiscombinedwithagoodmonitoringandalertsystemitwillenablenetworkadministratorstopromptlyrespondtonetworkingissues,DoSattacks,administrativesystemlogonsandahostofotherimportantinformation.
Syslogloggingprovidesanindustrystandardsystem(detailedinRFC5424)forloggingmessages,enablingthecollection,storageandadministrationoflogsfromavarietyofdevicestoasinglelocation.Thesendingoflogstoothersystems,notonlyprovidesextrastoragespaceforlogswhichcouldbesizerestrictedontheoriginatingnetworkdevice,butitalsoprovidesanextralevelofprotectionforthelogsinascenariowhereanattackerhascompromisedthesecurityofthe
Overall:MEDIUM
Impact:Medium
Ease:N/A
Fix:Planned
Overall:LOW
Impact:Medium
Ease:Moderate
Fix:Quick
messagesource.
NipperStudiodeterminedthattheloggingofsystemmessagestoaSyslogloggingserverwasnotconfiguredonrouter03.
2.43.3Impact
Ifloggingofsystemmessagesisnotconfigured,anetworkadministratormaynotbemadeawareofsignificanteventshappeningonthedevice.Theseeventscouldincludesecurityissuessuchasintrusionattempts,networkscans,authenticationfailuresordiagnosticandmanagementinformationsuchaspotentialhardwareissues.Withoutloggingsystemmessages,theinformationwouldnotbeavailabletoeitheraforensicinvestigationorfordiagnosticpurposes.
2.43.4Ease
SystemmessageswillnotbesenttoaSyslogloggingserver.
2.43.5Recommendation
NipperStudiorecommendsthatSyslogloggingshouldbeconfiguredtoenablesystemmessagestobeloggedtoacentralloggingserver.
NotesforCiscoRouterdevices:
TheloggingofsystemmessagestoaremoteSysloghostcanbeconfiguredusingthefollowingcommand:
logginghostip-address
Gotothereportcontentsorthestartofthissection.
2.44 NTP Control Queries Were Permitted
2.44.1 Affected Device
CiscoIOS15 - Cisco Router.
2.44.2 Finding
Time synchronization for network devices is inherently important, not just for the various services that make use of time, but also for the accurate logging of events. Therefore network devices can be configured to synchronize their time against a network time source in order to ensure that the time is synchronized.
NTP (described in RFC 5905) is a complex time synchronization protocol with a number of different features and options. In addition to time, a number of control queries can be made to an NTP server; these include requesting a list of the server's NTP peers and a number of different variables.
Nipper Studio determined that NTP control queries were permitted on CiscoIOS15.
2.44.3 Impact
An attacker may send control queries to an NTP service in order to gather information about the device. In addition to time information, an attacker may learn internal IP addresses of NTP peers or basic operating system information.
2.44.4 Ease
NTP query tools are installed by default with some operating systems and NTP tools can be downloaded from the Internet.
2.44.5 Recommendation
Nipper Studio recommends that, if a time server must be configured on the device, access should be restricted to only time requests.
Notes for Cisco Router devices:
NTP control queries cannot be disabled on Cisco Router devices without disabling NTP; they can only be restricted by applying an ACL to them. This can be done with the following command:
ntp access-group query-only acl
Note that this may still be flagged as an issue, and if you have already added this line in, you can safely ignore it.
2.45 No SNMP TFTP Server Access List Configured
2.45.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.45.2 Finding
Using SNMP, some network devices can be instructed to send their configuration to a file on a specified TFTP server. This feature enables network administrators and management software to quickly obtain a copy of a device's configuration. A network access list can be configured on those devices to help secure access to this functionality (supported on Cisco IOS devices from version 10.2).
Nipper Studio determined that the SNMP TFTP server access list had not been configured on the two devices detailed in Table 55.
Overall: LOW | Impact: Medium | Ease: Moderate | Fix: Planned
Table 55: Devices with no SNMP TFTP server access list
Name | Type
router03 | Cisco Router
CiscoIOS15 | Cisco Router
2.45.3 Impact
An attacker who had SNMP write access could remotely obtain a copy of a device's configuration. The configuration would include any passwords for the device and include the configuration of the administrative services.
2.45.4 Ease
For an attacker to exploit this issue they would require SNMP query tools, a TFTP server and a community string with write access to the SNMP MIB. SNMP query tools and TFTP server software can be downloaded from the Internet and some OS install them by default. If the attacker does not know the community string it may be possible to determine it by monitoring the network traffic or by brute-forcing the community string.
2.45.5 Recommendation
Nipper Studio recommends that an SNMP TFTP server list ACL should be configured to ensure that configurations are only saved to specific hosts.
Notes for Cisco Router devices:
The following example configures ACL number 20 for use as an SNMP TFTP server list and gives access to a single host with logging. (Standard ACLs take a wildcard mask, so a mask of 255.255.255.255 would match any address; the host keyword, or a wildcard of 0.0.0.0, restricts the entry to the single host.)
access-list 20 permit host 192.168.0.50 log
access-list 20 deny any log
The ACL can then be assigned as the SNMP TFTP server list with the following command:
snmp-server tftp-server-list 20
2.46 No OSPF LSA Thresholds
2.46.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.46.2 Finding
OSPF is a routing protocol that can be configured to dynamically update the routing table with changes to the network topology. OSPF uses LSA to communicate changes to other routers and update the router's own Link State Database (LSDB). Devices can be configured with a LSA message threshold in order to limit the number of LSA messages being processed by the device.
Nipper Studio determined that one OSPF configuration on router03 did not have a LSA message threshold configured; this is shown in Table 56.
Table 56: OSPF configurations with no LSA threshold on router03
Process | Router ID | Active | Max LSA | RFC 1583
6 | | Yes | Unlimited | Yes
Nipper Studio determined that one OSPF configuration on CiscoIOS15 did not have a LSA message threshold configured; this is shown in Table 57.
Table 57: OSPF configurations with no LSA threshold on CiscoIOS15
Process | Router ID | Active | Max LSA | RFC 1583
1 | | Yes | Unlimited | Yes
2.46.3 Impact
An attacker may be able to perform an OSPF DoS by flooding the device with LSA messages.
- monitor network traffic sent between network segments;
- perform a man in the middle attack;
- capture clear-text protocol authentication credentials;
- capture encrypted authentication hashes which could be subjected to a brute-force attack;
- perform a network wide DoS;
- route updates could be redistributed by the device to other routing devices and possibly using other routing protocols and authentication.
2.46.4 Ease
Overall: LOW | Impact: Low | Ease: Trivial | Fix: Planned
Overall: LOW | Impact: Low | Ease: Trivial | Fix: Quick
Tools can be downloaded from the Internet that can be used to perform a DoS by flooding the device with LSA messages.
2.46.5 Recommendation
Nipper Studio recommends that the number of OSPF LSA messages accepted by the device should be limited.
Notes for Cisco Router devices:
The number of OSPF LSA messages can be limited on Cisco Router devices with the following router command:
max-lsa threshold
2.47 NTP Authentication Was Disabled
2.47.1 Affected Device
router03 - Cisco Router.
2.47.2 Finding
Time synchronization for network devices is inherently important, not just for the various services that make use of time, but also for the accurate logging of events. Therefore network devices can be configured to synchronize their time against a network time source in order to ensure that the time is synchronized.
NTP (described in RFC 5905) is a complex time synchronization protocol with a number of different features and options such as time update authentication.
Nipper Studio determined that NTP authentication was disabled on router03.
2.47.3 Impact
If an attacker is able to modify a device's time with an inaccurate time update then it would be more difficult during an examination to correlate the system logs. Furthermore, any systems that depend on accurate time, such as some authentication systems, could be disrupted and potentially cause a DoS.
2.47.4 Ease
With NTP time authentication disabled, an attacker could attempt to update the time by sending malicious time updates. An attacker could do this using open source code or by sending customized network packets and spoofing the source address.
2.47.5 Recommendation
Nipper Studio recommends that NTP time authentication should be enabled.
Notes for Cisco Router devices:
Authenticated NTP time updates can be configured on Cisco Router devices with the following commands (the key must also be marked as trusted, otherwise IOS will not accept updates authenticated with it):
ntp authenticate
ntp authentication-key key-num md5 key-string
ntp trusted-key key-num
ntp server ip-address key key-num [prefer]
2.48 The Finger Service Was Enabled
2.48.1 Affected Device
router03 - Cisco Router.
2.48.2 Finding
The Finger protocol (defined in RFC 749 and RFC 1288) enables the enumeration of status and user information from a system running a Finger service. The Finger protocol is simple and does not encrypt the data or provide any authentication. The default TCP port for the Finger service is 79.
Nipper Studio determined that the Finger service (IPv4) was enabled on router03.
2.48.3 Impact
An attacker could use the Finger service to enumerate users and user information. The attacker could then use this information as part of a targeted attack such as password guessing or a brute-force attack. The Finger user information may also be used by an attacker for a targeted attack where user identity information would be useful.
2.48.4 Ease
The Finger query tool is installed by default on some platforms and is relatively easy to use. Additionally, tools that an attacker can use to attack a system using the information obtained using Finger are available to download from the Internet.
2.48.5 Recommendation
Overall: LOW | Impact: Medium | Ease: Moderate | Fix: Quick
Overall: LOW | Impact: Medium | Ease: Moderate | Fix: Quick
Nipper Studio recommends that the Finger service should be disabled to help prevent an attacker from enumerating user information.
Notes for Cisco Router devices:
Finger can be disabled on Cisco Router devices using the following command:
no ip finger
2.49 Weak SNMP Community Strings Were Configured
2.49.1 Affected Device
CiscoIOS15 - Cisco Router.
2.49.2 Finding
SNMP is an industry standard protocol for monitoring and managing a variety of devices. SNMP services typically offer detailed information that includes a device's operating system, network interfaces, memory, system counters and system users. Access to the SNMP MIB with protocol versions 1 and 2 is restricted using a community string to help prevent unauthorized access.
Nipper Studio identified the three weak SNMP community strings on CiscoIOS15 that are listed below.
Table 58: Weak SNMP community strings on CiscoIOS15
Community | Access | Version | View | ACL | Weakness
Testcom | Read Only | 1 | | 18 | Too short
cisCommunity | Read Only | 1 | | 3 | No numbers
trapString | Read Only | 1 | | 3 | No numbers
2.49.3 Impact
With read access to the SNMP MIB an attacker would be able to enumerate a large quantity of information about the device, its configuration, network details and more. The attacker could then use this information as part of a targeted attack.
2.49.4 Ease
An attacker will typically attempt to gain access to an SNMP service by guessing the community string used to restrict access. This usually means that testing for "public" and "private" is attempted first as these are the most common community strings. If simple community string guessing does not succeed then it would be trivial for an attacker to perform a dictionary-based and brute-force attack. There are a number of tools available that an attacker could use for this and they do not require any advanced skills on behalf of the attacker.
2.49.5 Recommendation
Nipper Studio recommends that, if not required, SNMP should be disabled. If SNMP is required then Nipper Studio recommends that only SNMP version 3 should be configured. If access using SNMP community strings is required, Nipper Studio recommends that only strong community strings should be chosen that are also not used for any other authentication.
Nipper Studio recommends that:
- SNMP community strings should be at least eight characters in length;
- characters in the SNMP community string should not be repeated more than three times;
- SNMP community strings should include both uppercase and lowercase characters;
- SNMP community strings should include numbers;
- SNMP community strings should include punctuation characters;
- SNMP community strings should not include a device's name, make or model;
- SNMP community strings should not be based on dictionary words.
Notes for Cisco Router devices:
SNMP can be disabled with the following command:
no snmp-server
2.50 IP Directed Broadcasts Were Enabled
2.50.1 Affected Device
router03 - Cisco Router.
2.50.2 Finding
ICMP echo requests can be addressed to an entire network or subnet as well as to individual hosts. Disabling directed broadcasts on each individual network interface will help prevent network ping requests.
Overall: LOW | Impact: Medium | Ease: Challenging | Fix: Quick
Overall: LOW | Impact: Low | Ease: Easy | Fix: Quick
Nipper Studio determined that directed broadcasts were enabled on two network interfaces on router03. These are detailed in Table 59.
Table 59: Network interfaces on router03 with directed broadcasts enabled
Interface | Active | Address | Proxy-ARP | Directed | ACL In | ACL Out | Description
GigabitEthernet1/1 | Yes | 10.0.0.1 | Off | On | | | First interface on switch
GigabitEthernet1/2 | Yes | 10.0.0.2 | On | On | | | Second interface on switch
2.50.3 Impact
A DoS attack known as a Smurf attack makes use of network ICMP echo requests to perform the attack. An attacker would send an ICMP echo request with the victim host's IP address spoofed as the source address. The hosts on the network would then reply to the echo request, flooding the victim host.
2.50.4 Ease
Tools can be downloaded from the Internet that are capable of performing the Smurf attack outlined above.
2.50.5 Recommendation
Nipper Studio recommends that directed broadcasts should be disabled on all network interfaces.
Notes for Cisco Router devices:
Directed broadcasts can be disabled on Cisco Router devices with the following interface command:
no ip directed-broadcast
2.51 Service Password Encryption Disabled
2.51.1 Affected Device
router03 - Cisco Router.
2.51.2 Finding
Some device passwords, such as user authentication passwords, do not need to be known by the device, which can make authentication checks based on the encrypted hash. Other passwords need to be known by the device in order that it can perform specific operations using the clear-text version of the password. The service password encryption option instructs a device to store passwords using Cisco type-7 encryption where it is possible, as these can be reversed to their original clear-text form. By default the passwords are otherwise stored in the configuration file in their clear-text form.
Nipper Studio determined that service password encryption was disabled on router03.
2.51.3 Impact
A malicious user or an attacker with access to the device's configuration could quickly extract clear-text passwords without having to decode or brute-force them. Alternatively, a malicious user could gain a clear-text password if they were closely watching a network administrator. The attacker could then make use of the stolen credentials to gain a level of access to the device.
2.51.4 Ease
An attacker would require access to the device configuration or would have to be closely watching a network administrator. This issue may require the attacker to have access to the device or a backup copy of the configuration for the device.
2.51.5 Recommendation
Although Cisco type-7 passwords are easily reversed, and there are a number of programs that reverse them, they do provide an effective barrier against a casual observer. Therefore, Nipper Studio recommends that service password encryption should be enabled.
Notes for Cisco Router devices:
Service password encryption can be enabled on Cisco Router devices using the following command:
service password-encryption
2.52 CDP Was Enabled
2.52.1 Affected Device
router03 - Cisco Router.
2.52.2 Finding
CDP is a proprietary protocol that was developed and is primarily used by Cisco. A CDP enabled device can be configured to broadcast CDP packets on the network, enabling network management applications and CDP aware devices to identify each other. CDP packets include information about the sender, such as OS version and IP address information.
Overall: LOW | Impact: Low | Ease: Easy | Fix: Quick
Nipper Studio determined that CDP was enabled on two network interfaces on router03. These are detailed in Table 60.
Table 60: Network interfaces on router03 with CDP enabled
Interface | Active | Description | CDP
GigabitEthernet1/1 | Yes | First interface on switch | On
GigabitEthernet1/2 | Yes | Second interface on switch | On
2.52.3 Impact
CDP packets contain information about the sender, such as hardware model information, operating system version and IP address details. This information would give an attacker valuable information about the device. The attacker could then use this information as part of a targeted attack.
2.52.4 Ease
CDP packets are broadcast to an entire network segment. The attacker or malicious user would require access to a network segment on which the CDP packets are broadcast and network monitoring software. A wide variety of network monitoring, packet capture and analysis tools can be downloaded from the Internet.
2.52.5 Recommendation
Nipper Studio recommends that, if not required, CDP should be disabled.
In some configurations with IP phones, deployed using either Auto Discovery or Dynamic Host Configuration Protocol (DHCP), the CDP service may need to be enabled. However, if the device supports disabling CDP on individual interfaces, then Nipper Studio recommends that it should be disabled on all the interfaces where it is not required.
Notes for Cisco Router devices:
The following commands can be used to disable CDP on Cisco Router devices. The first command disables CDP for the entire device, whilst the second can be used to disable CDP on individual interfaces.
no cdp run
no cdp enable
2.53 SNMP Access Without Network Filtering
2.53.1 Affected Device
router03 - Cisco Router.
2.53.2 Finding
SNMP is an industry standard protocol for monitoring and managing a variety of devices. SNMP services typically offer detailed information that includes a device's operating system, network interfaces, memory, system counters and system users. Access to the SNMP service can be restricted to specific Network Management System (NMS), or SNMP management hosts, using a filter list.
Nipper Studio determined that no network filtering had been configured to restrict network access using one SNMP community string on router03. This is shown in Table 61.
Table 61: SNMP community string with no filtering on router03
Community | Access | Version | View | ACL
private | Read/Write | 1 | |
2.53.3 Impact
A malicious user, or attacker, with a community string for the SNMP agent could gain access to the data offered by the service. With no network filtering the attacker would not be restricted by the device from connecting to the service. Additionally, if a software vulnerability existed in the service, then the attacker may be able to exploit the vulnerability without requiring knowledge of a community string.
2.53.4 Ease
An attacker would not be prevented from connecting to the SNMP agent. SNMP query tools are included by default with some operating systems and further query tools can be downloaded from the Internet.
2.53.5 Recommendation
Nipper Studio recommends that, if not required, SNMP should be disabled. If SNMP is required then Nipper Studio recommends that only SNMP version 3 should be configured. If access using community strings is required, Nipper Studio recommends that network filtering should be configured to restrict access to the service.
Notes for Cisco Router devices:
Overall: LOW | Impact: Low | Ease: Easy | Fix: Quick
Overall: LOW | Impact: Low | Ease: Easy | Fix: Quick
SNMP can be disabled with the following command:
no snmp-server
2.54 SNMP Access With No View
2.54.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.54.2 Finding
SNMP is an industry standard protocol for monitoring and managing a variety of devices. SNMP services typically offer detailed information that includes a device's operating system, network interfaces, memory, system counters and system users. Views are used to restrict access to specific sections of the SNMP MIB. This enables an administrator to restrict SNMP access to only the information that the caller requires.
Nipper Studio determined that a view had not been configured on two SNMP community strings on router03. These are listed in Table 62.
Table 62: SNMP community strings with no view on router03
Community | Access | Version | View | ACL
public | Read Only | 1 | | 20
private | Read/Write | 1 | |
Nipper Studio determined that a view had not been configured on three SNMP community strings on CiscoIOS15. These are listed in Table 63.
Table 63: SNMP community strings with no view on CiscoIOS15
Community | Access | Version | View | ACL
Testcom | Read Only | 1 | | 18
cisCommunity | Read Only | 1 | | 3
trapString | Read Only | 1 | | 3
2.54.3 Impact
A malicious user, or attacker, who has SNMP access using a community string for which no view had been configured would have unrestricted access to the SNMP MIB.
2.54.4 Ease
With no SNMP view configured, an attacker would not be restricted to specific sections of the SNMP MIB.
2.54.5 Recommendation
Nipper Studio recommends that, if not required, SNMP should be disabled. If SNMP is required then Nipper Studio recommends that a view is configured for every community string in order to limit the access to only those sections of the MIB that are required.
Notes for Cisco Router devices:
SNMP can be disabled with the following command:
no snmp-server
2.55 The BOOTP Service Was Not Disabled
2.55.1 Affected Device
router03 - Cisco Router.
2.55.2 Finding
BOOTstrap Protocol (BOOTP) (described in RFC 951) is a datagram protocol that enables compatible hosts to load their operating system over the network from a BOOTP server. However, these days BOOTP services are rarely used.
Nipper Studio determined that the BOOTP service had not been disabled on router03. However, it is worth noting that not all device models will support the BOOTP service and therefore this issue could have been falsely determined.
2.55.3 Impact
An attacker could use a device that offers a BOOTP service to download a copy of the device's OS software.
Overall: LOW | Impact: Low | Ease: Easy | Fix: Planned
Overall: LOW | Impact: Low | Ease: Moderate | Fix: Planned
2.55.4 Ease
Tools that can interact with BOOTP services can be downloaded from the Internet.
2.55.5 Recommendation
Nipper Studio recommends that, if not required, the BOOTP service should be disabled.
Notes for Cisco Router devices:
The BOOTP service can be disabled using one of the following commands:
ip dhcp bootp ignore
no ip bootp server
2.56 Switch Port Security Disabled
2.56.1 Affected Device
router03 - Cisco Router.
2.56.2 Finding
Switch port security is used to monitor and restrict the number of network devices that can be connected to a single switch port. The switch does this by monitoring the Media Access Control (MAC) addresses that originate from the switch port. The MAC addresses can either be specified for a particular switch port or they can be dynamically learned in order to significantly reduce the administrative overhead. When the permitted number of MAC addresses connected to a single switch port is exceeded then a number of different actions can be performed, such as disabling the switch port.
Nipper Studio determined that switch port security was disabled on two ports on router03. These are detailed below.
Table 64: Gigabit interfaces with disabled port security on router03
Interface | Active | Security | Max MAC | Aging | Age Type | Sticky MAC | Description
GigabitEthernet1/1 | Yes | Off | N/A | N/A | N/A | N/A | First interface on switch
GigabitEthernet1/2 | Yes | Off | N/A | N/A | N/A | N/A | Second interface on switch
2.56.3 Impact
A switch port with no configured port security could allow an attacker to attach an unauthorized device and gain access to the network.
2.56.4 Ease
An attacker would have to gain access to a switch port with no security configured. If the switch port is not directly patched to a wall socket, the attacker would have to gain physical access to the device. It is worth noting that an attacker could assume the MAC address of a device already attached to the port in order to gain access and bypass the port security feature.
2.56.5 Recommendation
Nipper Studio recommends that, where possible, port security should be enabled on all switch ports. Furthermore, Nipper Studio recommends that all switch ports that are not used should be shut down.
Notes for Cisco Router devices:
Switch port security with MAC address learning and port shutdown on a violation can be configured for each interface with the following commands:
switchport port-security
switchport port-security violation shutdown
switchport port-security mac-address sticky
2.57 VTP Was In Server Mode
2.57.1 Affected Device
router03 - Cisco Router.
2.57.2 Finding
VTP was developed by Cisco to assist with the management of VLANs over multiple devices. The protocol enables the addition, renaming and deletion of VLANs on a single switch to be propagated to other network switches in the same VTP domain. A device in VTP server mode will transmit VTP packets containing VLAN information. If a device in VTP client mode in the same domain receives a VTP network packet with a higher revision number the changes will be applied.
Nipper Studio determined that VTP was in server mode on router03. It is worth mentioning that although VTP was found to be in server mode on router03 (a default setting), no VTP domain was configured. However, there have been instances where a device in this configuration has had its VTP domain set remotely from other networked devices.
Overall: LOW | Impact: Low | Ease: Moderate | Fix: Quick
Overall: LOW | Impact: Low | Ease: Easy | Fix: Quick
2.57.3 Impact
An attacker could determine the VLAN configuration by capturing VTP packets sent from the device, as VTP packets are not encrypted, even when a password is specified. The attacker could then use the VLAN information or password as part of a targeted attack.
2.57.4 Ease
Tools that are capable of capturing network packets are available on the Internet and installed by default on some OS.
2.57.5 Recommendation
Nipper Studio recommends that, if not required, VTP should be disabled or placed in transparent mode, even if no VTP domain has been configured.
Notes for Cisco Router devices:
VTP can be set to transparent mode on Cisco Router devices using one of the following commands:
vtp transparent
vtp mode transparent
2.58 IP Source Routing Was Enabled
2.58.1 Affected Device
router03 - Cisco Router.
2.58.2 Finding
TCP/IP packets can contain source route information; this can enable a packet to define its own route through a network rather than using a route defined by static routes or routing protocols. The source route option functionality was defined in RFC 791.
Many network filtering and routing devices include facilities that enable them to ignore the source route defined in a packet or block the packets entirely.
Nipper Studio determined that IP source routing was enabled on router03.
2.58.3 Impact
IP source routing can allow an attacker to specify a route for a network packet to follow, possibly to bypass a Firewall device or an Intrusion Detection System (IDS). An attacker could also use source routing to capture network traffic by routing it through a system controlled by the attacker.
2.58.4 Ease
An attacker would have to control either a routing device or an endpoint device in order to modify a packet's route through the network. However, tools can be downloaded from the Internet that would allow an attacker to specify source routes. Tools are also available to modify network routing using vulnerabilities in some routing protocols.
2.58.5 Recommendation
Nipper Studio recommends that IP source routing information contained in network packets should be ignored.
Notes for Cisco Router devices:
IP source routing can be disabled on Cisco Router devices using the following command:
no ip source-route
2.59 ICMP Address Mask Reply Messages Were Enabled
2.59.1 Affected Device
router03 - Cisco Router.
2.59.2 Finding
ICMP address mask reply messages inform network hosts of the TCP/IP network mask for a network segment. This protocol can now be regarded as legacy, as hosts will typically either make use of protocols such as DHCP or be configured with fixed address information.
Nipper Studio determined that two network interfaces on router03 were configured to send ICMP mask reply messages. These are detailed in Table 65.
Table 65: Network interfaces on router03 with ICMP information reply enabled
Interface | Active | Unreachables | Redirects | Mask Reply | Information | Description
GigabitEthernet1/1 | Yes | On | On | On | Off | First interface on switch
GigabitEthernet1/2 | Yes | On | On | On | Off | Second interface on switch
Overall: LOW | Impact: Low | Ease: Easy | Fix: Quick
Overall: LOW | Impact: Low | Ease: Easy | Fix: Quick
2.59.3 Impact
An attacker could use the ICMP address mask reply feature to gain additional information about the network configuration.
2.59.4 Ease
ICMP scanning tools, that are capable of sending various types of ICMP messages, can be downloaded from the Internet. Furthermore, some OS include ICMP tools as standard.
2.59.5 Recommendation
Nipper Studio recommends that, if not required, ICMP address mask reply messages should be disabled on all network interfaces.
Notes for Cisco Router devices:
ICMP mask reply message sending can be disabled on network interfaces with the following command:
no ip mask-reply
2.60 Proxy ARP Was Enabled
2.60.1 Affected Device
router03 - Cisco Router.
2.60.2 Finding
ARP is a protocol that network hosts use to translate network IP addresses into MAC addresses. Under normal circumstances, ARP packets are confined to the sender's network segment. However, some network devices can be configured to act as a proxy for ARP requests, retransmitting an ARP request on other network segments and sending any response back to the originator of the request.
Nipper Studio determined that the Proxy ARP feature was enabled on one network interface on router03. This is detailed in Table 66.
Table 66: Network interface on router03 with Proxy ARP enabled
Interface | Active | Address | Proxy-ARP | Directed | ACL In | ACL Out | Description
GigabitEthernet1/2 | Yes | 10.0.0.2 | On | On | | | Second interface on switch
2.60.3 Impact
A router that acts as a proxy for ARP requests will extend layer two access across multiple network segments, potentially breaking perimeter security.
2.60.4 Ease
A network device with proxy ARP enabled will proxy ARP requests for all hosts on those interfaces. A number of ARP tools can be downloaded from the Internet for use in exploiting this issue.
2.60.5 Recommendation
Nipper Studio recommends that, if not required, the Proxy ARP feature should be disabled on all interfaces.
Notes for Cisco Router devices:
Proxy ARP can be disabled on interfaces using the following command:
no ip proxy-arp
2.61 Weak Minimum Password Length Policy Setting
2.61.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.61.2 Finding
The minimum password length policy setting is used to force users to set passwords that are at least the specified number of characters in length.
Nipper Studio determined that the minimum password length policy setting was configured to less than 8 characters on the two devices detailed in Table 67.
Overall: LOW | Impact: Low | Ease: N/A | Fix: Quick
Table 67: Devices with a weak minimum password length policy setting
Name | Type | Password Length
router03 | Cisco Router | 2 characters
CiscoIOS15 | Cisco Router | 6 characters
2.61.3 Impact
Strong authentication credentials are a key component of a system's security. It is therefore important that a user chooses a strong password and that it is changed on a regular basis. Generally, the greater the number of characters within a password the stronger the password will be. With a short minimum password length configured a user could set a short password, requiring less time for an attacker to brute-force the authentication password.
2.61.4 Ease
It takes far less time for an attacker to brute-force the authentication credentials for a user account that has a short password.
2.61.5 Recommendation
Nipper Studio recommends that a minimum password length policy setting of 8 characters should be configured.
Notes for Cisco Router devices:
A minimum password length can be configured with the following command:
security passwords min-length length
2.62 No Warning In Pre-Logon Banner
2.62.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.62.2 Finding
Logon banner messages are an important, but often overlooked, part of a secure configuration. Logon banner messages can provide connecting users with important information and warn against unauthorized access.
Nipper Studio determined that the Login pre-logon banner message on router03 did not include a warning against unauthorized access. The configured banner was:
This is a test banner.
Nipper Studio determined that the Login pre-logon banner message on CiscoIOS15 did not include a warning against unauthorized access. The configured banner was:
This is the login banner
2.62.3 Impact
A carefully worded warning message could deter a casual attacker or malicious user, but not a determined attacker. However, it would be more difficult to prove any intent without a message warning against unauthorized access if any legal action were to be taken against an attacker.
2.62.4 Ease
An attacker would not be presented with a carefully worded legal warning prior to attempting to logon.
2.62.5 Recommendation
Nipper Studio recommends that all pre-logon banner messages should be configured to warn against unauthorized access.
Notes for Cisco Router devices:
The Login banner message is presented to users before they logon to Cisco Router devices and after the Message Of The Day (MOTD) message is shown on Telnet connections. The Login banner message can be configured using the following command:
banner login delimiter banner-message delimiter
Overall: LOW | Impact: Low | Ease: N/A | Fix: Quick
Overall: INFORMATIONAL | Impact: Low | Ease: Easy | Fix: Planned
2.63 ICMP Unreachable Messages Were Enabled
2.63.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.63.2 Finding
When a network packet is sent to a destination host or service that is unreachable, an ICMP unreachable message can be sent from a network gateway or the destination host to inform the requester that it was unreachable. If it is a host that is unreachable the message will be in the form of an ICMP host unreachable message. ICMP unreachable messages are described in more detail in RFC 792.
Nipper Studio determined that the ICMP Unreachables feature was enabled on two network interfaces on router03. These are detailed below.
Table 68: Network interfaces on router03 with ICMP Unreachables enabled
Interface | Active | Unreachables | Redirects | Mask Reply | Information | Description
GigabitEthernet1/1 | Yes | On | On | On | Off | First interface on switch
GigabitEthernet1/2 | Yes | On | On | On | Off | Second interface on switch
Nipper Studio determined that the ICMP Unreachables feature was enabled on one network interface on CiscoIOS15. This is detailed below.
Table 69: Network interfaces on CiscoIOS15 with ICMP Unreachables enabled
Interface | Active | Unreachables | Redirects | Mask Reply | Information | Description
FastEthernet0/0 | Yes | On | On | Off | Off |
2.63.3 Impact
An attacker who was performing network scans to determine what services were available would be able to scan a device more quickly. If the device being scanned sends ICMP unreachable messages, informing the attacker that a network or protocol is not supported, the attacker will not have to wait for a connection time-out.
2.63.4 Ease
The ICMP messages are automatically returned by a device with the ICMP unreachable feature enabled. Network scanning tools can be downloaded from the Internet that are able to perform a wide variety of scan types and take into account ICMP unreachable messages.
2.63.5 Recommendation
Nipper Studio recommends that, if not required, ICMP unreachable messages should be disabled. However, it is important to note that whilst disabling ICMP unreachable messages will not stop a network scan, it will make the scan more time consuming for the attacker to perform.
Notes for Cisco Router devices:
ICMP unreachable message sending can be disabled on network interfaces with the following command:
no ip unreachables
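Most of the findings in sections 2.43, 2.45, 2.47, 2.48, 2.50, 2.51, 2.52, 2.55, 2.58, 2.59, 2.60, 2.61 and 2.63 can be checked directly from the running configuration. The script below is an added example, not part of this report or of Nipper Studio, that applies those checks to a constructed IOS-style configuration and to the same configuration with the report's recommended commands applied; the default-on/default-off assumptions (CDP, source routing, proxy ARP and unreachables on by default; directed broadcast and mask reply off) are mine and should be confirmed against the platform's IOS release.

```python
import re

# Constructed sample configuration for this example (not the audited devices' real configs).
SAMPLE_CONFIG = """\
security passwords min-length 6
ip finger
ip source-route
snmp-server community public RO 20
ntp server 192.0.2.10
!
interface GigabitEthernet1/1
 ip directed-broadcast
 ip mask-reply
 no ip proxy-arp
!
interface GigabitEthernet1/2
 ip mask-reply
"""

# The same constructed configuration with the report's recommended commands applied.
HARDENED_CONFIG = """\
service password-encryption
security passwords min-length 8
no ip source-route
no ip bootp server
no cdp run
logging host 192.0.2.20
ntp authenticate
ntp authentication-key 1 md5 EXAMPLE-KEY-PLACEHOLDER
ntp trusted-key 1
ntp server 192.0.2.10 key 1
snmp-server community public RO 20
snmp-server tftp-server-list 20
!
interface GigabitEthernet1/1
 no ip proxy-arp
 no ip unreachables
!
interface GigabitEthernet1/2
 no ip proxy-arp
 no ip unreachables
"""


def parse_config(text):
    """Split a config into global lines and a dict of interface name -> its indented lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # a '!' separator ends the current interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def has(lines, command):
    """True if any line is exactly `command` or `command` followed by arguments."""
    return any(line == command or line.startswith(command + " ") for line in lines)


def audit(text):
    """Return finding strings, each prefixed with the report section it corresponds to."""
    g, interfaces = parse_config(text)
    findings = []
    if not has(g, "logging host"):
        findings.append("2.43 no Syslog host configured")
    if has(g, "snmp-server community") and not has(g, "snmp-server tftp-server-list"):
        findings.append("2.45 no SNMP TFTP server access list")
    if has(g, "ntp server") and not has(g, "ntp authenticate"):
        findings.append("2.47 NTP authentication disabled")
    if has(g, "ip finger") or has(g, "service finger"):
        findings.append("2.48 Finger service enabled")
    if not has(g, "service password-encryption"):
        findings.append("2.51 service password encryption disabled")
    if not has(g, "no cdp run"):
        findings.append("2.52 CDP enabled (assumed default)")
    if not (has(g, "no ip bootp server") or has(g, "ip dhcp bootp ignore")):
        findings.append("2.55 BOOTP service not disabled")
    if not has(g, "no ip source-route"):
        findings.append("2.58 IP source routing enabled (assumed default)")
    min_length = None
    for line in g:
        match = re.fullmatch(r"security passwords min-length (\d+)", line)
        if match:
            min_length = int(match.group(1))
    if min_length is None or min_length < 8:
        findings.append(f"2.61 minimum password length {min_length} < 8")
    for name, lines in interfaces.items():
        if has(lines, "ip directed-broadcast"):
            findings.append(f"2.50 {name}: directed broadcasts enabled")
        if has(lines, "ip mask-reply"):
            findings.append(f"2.59 {name}: ICMP mask reply enabled")
        if not has(lines, "no ip proxy-arp"):
            findings.append(f"2.60 {name}: proxy ARP enabled (assumed default)")
        if not has(lines, "no ip unreachables"):
            findings.append(f"2.63 {name}: ICMP unreachables enabled (assumed default)")
    return findings
```

Running audit(SAMPLE_CONFIG) lists one finding per failed check (two per interface for mask reply and unreachables), while audit(HARDENED_CONFIG) returns an empty list.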
2.64 Dictionary-Based SNMP Traps
2.64.1 Affected Device
router03 - Cisco Router.
2.64.2 Finding
SNMP traps and informs can be configured to send notifications to a SNMP NMS host. Trap notifications are sent without any confirmation of receipt from the receiving host, whilst with inform notifications the receiving host sends a confirmation of receipt. Community strings can be configured for traps and inform notifications to provide a method of authentication.
Nipper Studio identified two dictionary-based SNMP trap community strings on router03. These are detailed in Table 70.
Table 70: Dictionary-based SNMP trap community strings on router03
Host | Type | Version | Security | Community | Notifications | Port
192.168.20.30 | Trap | 1 | Community | private | snmp | 162
192.168.20.40 | Trap | 1 | Community | private | snmp | 162
Overall: INFORMATIONAL | Impact: Low | Ease: Moderate | Fix: Planned
2.64.3 Impact
An attacker who had identified a dictionary-based community string could flood the SNMP NMS host with false notification messages. The false notification messages could be used by an attacker to hide an attack within a flood of false notifications or as part of a DoS attack.
2.64.4 Ease
SNMP management tools can be downloaded from the Internet and some OS install SNMP management tools by default. Although the sending of notification messages is not usually the primary purpose of most of these tools, the configuration of these tools for sending notification messages is usually detailed in the tools' documentation.
2.64.5 Recommendation
Nipper Studio recommends that, if not required, SNMP should be disabled. However, if the sending of traps is required, Nipper Studio recommends that a strong community string should be configured to authenticate all notification messages with a SNMP NMS host. Nipper Studio recommends that:
- SNMP community strings should be at least eight characters in length;
- characters in the SNMP community string should not be repeated more than three times;
- SNMP community strings should include both uppercase and lowercase characters;
- SNMP community strings should include numbers;
- SNMP community strings should include punctuation characters;
- SNMP community strings should not include a device's name, make or model;
- SNMP community strings should not be based on dictionary words.
Notes for Cisco Router devices:
A SNMP trap can be configured with the following command:
snmp-server host ip-address traps [version {1 | 2c | 3 [noauth | auth | priv]}] community-string
2.65 Weak SNMP Traps
2.65.1 Affected Device
CiscoIOS15 - Cisco Router.
2.65.2 Finding
SNMP traps and informs can be configured to send notifications to a SNMP NMS host. Trap notifications are sent without any confirmation of receipt from the receiving host, whilst with inform notifications the receiving host sends a confirmation of receipt. Community strings can be configured for traps and inform notifications to provide a method of authentication.
Nipper Studio identified one weak SNMP trap community string on CiscoIOS15. This is detailed in Table 71.
Table 71: Weak SNMP trap community string on CiscoIOS15
Host | Type | Version | Security | Community | Notifications | Port | Weakness
1.2.3.4 | Trap | 1 | Community | trapString | snmp | 162 | No numbers
Overall: INFORMATIONAL
Impact: Informational
Ease: N/A
Fix: Planned

Overall: INFORMATIONAL
Impact: Informational
Ease: Easy
Fix: Quick
2.65.3 Impact
An attacker who had identified a weak community string could flood the SNMP NMS host with false notification messages. The false notification messages could be used by an attacker to hide an attack within a flood of false notifications or as part of a DoS attack.
2.65.4 Ease
SNMP management tools can be downloaded from the Internet and some OS install SNMP management tools by default. Although the sending of notification messages is not usually the primary purpose of most of these tools, the configuration of these tools for sending notification messages is usually detailed in the tools' documentation.
2.65.5 Recommendation
Nipper Studio recommends that, if not required, SNMP should be disabled. However, if the sending of traps is required, Nipper Studio recommends that a strong community string should be configured to authenticate all notification messages with a SNMP NMS host. Nipper Studio recommends that:
- SNMP community strings should be at least eight characters in length;
- characters in the SNMP community string should not be repeated more than three times;
- SNMP community strings should include both uppercase and lowercase characters;
- SNMP community strings should include numbers;
- SNMP community strings should include punctuation characters;
- SNMP community strings should not include a device's name, make or model;
- SNMP community strings should not be based on dictionary words.
Notes for Cisco Router devices:
A SNMP trap can be configured with the following command:
    snmp-server host ip-address traps [version {1 | 2c | 3 [noauth | auth | priv]}] community-string
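The seven community string rules that sections 2.64 and 2.65 share can be applied mechanically to every trap host in a configuration. The checker below is an added example, not Nipper Studio's code: its word list, device identity and configuration lines are constructed, it reads rule two as "no character may occur more than three times", and because it applies every rule it reports more weaknesses for a string such as trapString than Table 71 lists.

```python
from __future__ import annotations

import re
import string
from collections import Counter

# Constructed stand-in for a dictionary word list; a real audit would load a
# full word list such as /usr/share/dict/words.
DICTIONARY = {"private", "public", "secret", "trap", "string", "router",
              "cisco", "password", "admin", "monitor"}

# Constructed device identity (name, make, model), lower-cased, for rule six.
DEVICE_IDENTITY = {"router03", "cisco", "ios"}

# Matches 'snmp-server host' lines; for version 3 the last field is a username.
SNMP_HOST = re.compile(
    r"^snmp-server host (?P<host>\S+)"
    r"(?: (?P<kind>traps|informs))?"
    r"(?: version (?P<version>1|2c|3(?: (?:noauth|auth|priv))?))?"
    r" (?P<community>\S+)"
)


def check_community(community: str, device_identity=DEVICE_IDENTITY,
                    dictionary=DICTIONARY) -> list[str]:
    """Return the rules a community string breaks; an empty list means compliant."""
    problems = []
    if len(community) < 8:
        problems.append("shorter than eight characters")
    # Rule two, read as: no single character may occur more than three times.
    repeated = sorted(c for c, n in Counter(community).items() if n > 3)
    if repeated:
        problems.append("character repeated more than three times: " + "".join(repeated))
    if not (any(c.islower() for c in community) and any(c.isupper() for c in community)):
        problems.append("missing uppercase or lowercase characters")
    if not any(c.isdigit() for c in community):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in community):
        problems.append("no punctuation characters")
    lowered = community.lower()
    identity_hits = sorted(i for i in device_identity if i in lowered)
    if identity_hits:
        problems.append("contains device name, make or model: " + ", ".join(identity_hits))
    # Rule seven: the letters alone form a word, or a word of four or more
    # letters appears inside the string (catches 'trapString' -> trap, string).
    letters = re.sub(r"[^a-z]", "", lowered)
    words = {w for w in dictionary if len(w) >= 4 and w in lowered}
    if letters in dictionary:
        words.add(letters)
    if words:
        problems.append("based on dictionary words: " + ", ".join(sorted(words)))
    return problems


def audit_snmp_hosts(config_text: str) -> dict[str, list[str]]:
    """Map each v1/v2c trap or inform host to the rules its community string breaks."""
    findings = {}
    for line in config_text.splitlines():
        m = SNMP_HOST.match(line.strip())
        if not m or (m.group("version") or "").startswith("3"):
            continue  # SNMPv3 hosts authenticate with a user, not a community string
        findings[m.group("host")] = check_community(m.group("community"))
    return findings


# Constructed configuration fragment modelled on Tables 70 and 71.
SAMPLE_CONFIG = """\
snmp-server host 192.168.20.30 traps version 1 private snmp
snmp-server host 1.2.3.4 traps version 1 trapString snmp
snmp-server host 10.0.0.9 traps version 2c K7#qw!Zm2p snmp
snmp-server host 10.0.0.10 traps version 3 auth nmsuser snmp
"""

if __name__ == "__main__":
    for host, problems in audit_snmp_hosts(SAMPLE_CONFIG).items():
        print(host, "OK" if not problems else "; ".join(problems))
```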
2.66 DNS Lookups Were Enabled
2.66.1 Affected Device
router03 - Cisco Router.
2.66.2 Finding
Some network devices can be configured to make use of DNS to perform lookups of addresses that have been specified using a DNS name. In addition to being used for connecting to other devices, the DNS lookup functionality could be used for auditing purposes.
Nipper Studio determined that DNS lookups were enabled on router03.
2.66.3 Impact
An attacker who is able to monitor DNS queries from the device could gather information that could then potentially be used as part of a targeted attack. Some devices include functionality to automatically connect to a device if an administrator simply types in a device's DNS name. Unfortunately this also means that if an administrator mistypes an administrative command the device will automatically perform a lookup for the device and attempt to connect to it. Cisco IOS-based devices perform this action, but it could enable an attacker to perform a Man-In-The-Middle (MITM) attack if the attacker were to immediately respond to the DNS query, allow the incoming connection to the attacker's system and then connect straight back to the sender.
2.66.4 Ease
Tools that can monitor DNS queries can be downloaded from the Internet.
2.66.5 Recommendation
Nipper Studio suggests that, if not required, DNS lookups should be disabled.
Notes for Cisco Router devices:
Domain lookups can be disabled on Cisco Router devices with the following commands (the latter command is for Cisco IOS 12.1 and older):
    no ip domain lookup
    no ip domain-lookup
2.67 No Network Filtering Rules Were Configured
2.67.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.67.2 Finding
Network filtering can be configured to restrict access to network services to only those hosts that require the access, helping to prevent unauthorized access. When configured, network filter rules are processed sequentially and the first rule in the filter rule list which matches the network packet is applied.
Nipper Studio determined that no network filter rules were configured on the two devices detailed in Table 72.
Table 72: Devices with no network filter rules
Name | Type | Default Action
router03 | Cisco Router | Block all packets
CiscoIOS15 | Cisco Router | Block all packets
Overall: INFORMATIONAL
Impact: Informational
Ease: N/A
Fix: Quick

Overall: INFORMATIONAL
Impact: Informational
Ease: N/A
Fix: Quick
2.67.3 Impact
Typically firewall appliances will drop network traffic if there are no network filtering rules configured, whereas most non-firewall appliances will usually allow all network traffic if no network filtering rules have been configured.
Although no network filter rules had been configured, the default action was to drop all network packets. Therefore an attacker, or malicious user, would not be able to access network services as all network traffic would be blocked.
2.67.4 Ease
No specialist skills or tools are required by the attacker to exploit this issue.
2.67.5 Recommendation
Nipper Studio recommends that network filter rules should be configured to help prevent unauthorized access to network services.
Nipper Studio recommends that:
- filter rules should only allow access to specific destination addresses;
- filter rules should only allow access to specific destination network ports;
- filter rules should only allow access from specific source addresses;
- filter rules should specify a specific network protocol;
- ICMP filter rules should specify a specific message type;
- filter rules should always drop network packets and not reject them;
- filter rules should perform a specific action and not rely on a default action.
Notes for Cisco Router devices:
On Cisco Router devices network filter rules are added to an ACL which can then be used when configuring interfaces, services and other options. An ACL can be either named or numbered. If numbered, a standard ACL will be numbered between 1-99 and 1300-1999; all others will be extended ACLs. The following commands show how to create both named and numbered standard and extended ACLs and filter rules:
    ip access-list standard list-name
    [permit | deny] source-address [log]
    exit
    access-list number [permit | deny] source-address [log]
    ip access-list extended list-name
    [permit | deny] protocol source-address [source-port] dest-address [dest-port] [log]
    exit
    access-list number [permit | deny] protocol source-address [source-port] dest-address [dest-port] [log]
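To make the "first matching rule wins" processing and the filter rule recommendations above concrete, here is an added example (not Nipper Studio's code and not a Cisco tool) that parses a named extended ACL in the form shown, evaluates a packet against it and lints it against the section 2.67 list. The ACL texts are constructed; the parser accepts host, wildcard and any addresses, a numeric or named port after eq, and a single ICMP message type keyword.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "snmp": 161, "snmptrap": 162}


@dataclass
class Rule:
    action: str            # permit or deny
    proto: str             # ip, tcp, udp or icmp
    src: str               # "any" or "address/wildcard"
    dst: str
    dport: int | None      # tcp/udp destination port; None matches any port
    icmp_type: str | None  # icmp message type keyword; None matches any type
    log: bool


def _take_addr(tokens: list[str]) -> tuple[str, list[str]]:
    """Consume 'any', 'host A' or 'A WILDCARD'; return (spec, remaining tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/0.0.0.0", tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def _take_port(proto: str, tokens: list[str]) -> tuple[int | None, list[str]]:
    """Consume an optional 'eq <port>' (number or known name) for tcp/udp."""
    if proto in ("tcp", "udp") and tokens[:1] == ["eq"]:
        port = PORT_NAMES[tokens[1]] if tokens[1] in PORT_NAMES else int(tokens[1])
        return port, tokens[2:]
    return None, tokens


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    base, wildcard = spec.split("/")
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # wildcard bits are "don't care"
    return (int(ipaddress.IPv4Address(base)) & mask) == (int(ipaddress.IPv4Address(ip)) & mask)


def parse_extended_acl(text: str) -> list[Rule]:
    """Parse the permit/deny entries of a named extended ACL, keeping their order."""
    rules = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] not in ("permit", "deny"):
            continue  # header, remark and blank lines carry no rule
        action, proto, rest = t[0], t[1], t[2:]
        src, rest = _take_addr(rest)
        _sport, rest = _take_port(proto, rest)  # source port: parsed, not matched here
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(proto, rest)
        icmp_type = None
        if proto == "icmp" and rest and rest[0] != "log":
            icmp_type, rest = rest[0], rest[1:]
        rules.append(Rule(action, proto, src, dst, dport, icmp_type, "log" in rest))
    return rules


def evaluate(rules: list[Rule], proto: str, src: str, dst: str,
             dport: int | None = None, icmp_type: str | None = None) -> tuple[str, int | None]:
    """First matching rule wins: (action, index). No match: the implicit deny, index None."""
    for i, r in enumerate(rules):
        if r.proto not in ("ip", proto):
            continue
        if not (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        return r.action, i
    return "deny", None


# Each check mirrors one of the section 2.67 recommendations for permit rules.
CHECKS = [
    (lambda r: r.dst == "any", "permits to any destination address"),
    (lambda r: r.src == "any", "permits from any source address"),
    (lambda r: r.proto == "ip", "no specific network protocol"),
    (lambda r: r.proto in ("tcp", "udp") and r.dport is None, "no specific destination port"),
    (lambda r: r.proto == "icmp" and r.icmp_type is None, "ICMP rule without a message type"),
]


def lint(rules: list[Rule]) -> list[str]:
    """Flag entries that fall short of the recommendations, plus a missing explicit final deny."""
    issues = [f"rule {i}: {msg}" for i, r in enumerate(rules) if r.action == "permit"
              for test, msg in CHECKS if test(r)]
    last = rules[-1] if rules else None
    if last is None or (last.action, last.proto, last.src, last.dst) != ("deny", "ip", "any", "any"):
        issues.append("no explicit final 'deny ip any any'; the list relies on the default action")
    return issues


# Constructed ACLs: one written loosely, one following the recommendations.
LOOSE_ACL = """\
ip access-list extended MGMT-IN
 permit ip 10.1.1.0 0.0.0.255 any
 permit tcp any host 10.1.1.1
"""
TIGHT_ACL = """\
ip access-list extended MGMT-IN
 remark SSH and ping to the router from the admin subnet only
 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq 22
 permit icmp 10.1.1.0 0.0.0.255 host 10.1.1.1 echo
 deny ip any any log
"""
```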
2.68 No Post Logon Banner Message
2.68.1 Affected Device
router03 - Cisco Router.
2.68.2 Finding
Post logon banner messages are ones that are shown to users after they have authenticated and prior to being given access to the device. This differs from a pre-logon banner, which is shown to users when they connect to a device and prior to the user logon.
Nipper Studio determined that router03 was configured with no post logon banner message.
2.68.3 Impact
The post logon banner is useful for detailing the acceptable use policy and the change control procedures which should be followed prior to making any changes to a device's configuration. An acceptable use message detailing the change control procedures and warning against abuse of the policy could help to prevent ad-hoc changes being made to a device's configuration.
Additionally, if a device does not have the facilities to configure a pre-logon banner message then the post logon banner message could be the only place where a legal warning against unauthorized access could be given.
2.68.4 Ease
With no post logon banner configured, a user would not be given a reminder of the acceptable use and change control procedure policy details.
2.68.5 Recommendation
Nipper Studio recommends that a post logon banner message is configured that details both the acceptable use policy and change control procedures. Additionally, if the device does not support a pre-logon banner message then Nipper Studio recommends that the post logon banner message should also include a carefully worded legal warning against unauthorized access.
Notes for Cisco Router devices:
The Exec banner message is shown after logon and before the command prompt is shown on Cisco Router devices. The Exec banner message can be configured on Cisco Router devices using the following command:
    banner exec delimiter banner-message delimiter
2.69 ICMP Redirect Messages Were Enabled
2.69.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.69.2 Finding
When sending network traffic through a router, ICMP redirect messages could be sent to the router in order to indicate a specific route that the sending host would like the network traffic to take. On a router that accepts ICMP redirect messages the network traffic will be forwarded using the specified route. Furthermore, some routers will cache the new routing information for use with future network packets.
Nipper Studio determined that the ICMP Redirects feature was enabled on two network interfaces on router03. These are detailed below.
Table 73: Network interfaces on router03 with ICMP Redirects enabled
Interface | Active | Unreachables | Redirects | Mask Reply | Information | Description
GigabitEthernet1/1 | Yes | On | On | On | Off | First interface on switch
GigabitEthernet1/2 | Yes | On | On | On | Off | Second interface on switch
Nipper Studio determined that the ICMP Redirects feature was enabled on one network interface on CiscoIOS15. This is detailed below.
Table 74: Network interfaces on CiscoIOS15 with ICMP Redirects enabled
Interface | Active | Unreachables | Redirects | Mask Reply | Information | Description
FastEthernet0/0 | Yes | On | On | Off | Off |
Overall: INFORMATIONAL
Impact: Informational
Ease: N/A
Fix: Quick
2.69.3 Impact
An attacker could use ICMP redirects to modify the route that a packet takes through a network. However, it is worth noting that on networks with functional network routing, disabling ICMP redirects will have little to no effect.
2.69.4 Ease
ICMP redirect messages will be accepted, but not necessarily acted upon. An attacker could download software from the Internet in order to perform this attack.
2.69.5 Recommendation
Nipper Studio recommends that, if not required, the processing of ICMP redirect messages on devices should be disabled.
Notes for Cisco Router devices:
ICMP redirect message sending can be disabled on network interfaces with the following command:
    no ip redirects
2.70 PAD Service Enabled
2.70.1 Affected Device
router03 - Cisco Router.
2.70.2 Finding
The PAD service enables X.25 commands and connections between PAD devices and access servers, converting the character stream data into network packets and network packets into character stream data. The PAD service is enabled by default on some devices but it is only required if support for X.25 links is necessary.
Nipper Studio determined that the PAD service was enabled on router03.
2.70.3 Impact
In addition to the extra overhead, running unused services increases the chances of an attacker finding a security hole or fingerprinting a device.
2.70.4 Ease
The PAD service was enabled.
2.70.5 Recommendation
Nipper Studio recommends that, if not required, the PAD service should be disabled.
Notes for Cisco Router devices:
The following command can be used to disable the PAD service on Cisco Router devices:
    no service pad
2.71 Unrestricted Outbound Administrative Access
2.71.1 Affected Devices
router03 - Cisco Router; CiscoIOS15 - Cisco Router.
2.71.2 Finding
Many network devices, such as switches and routers, contain network client tools that enable a network administrator to connect to administrative services offered by other devices. Outbound access from these devices to others can be restricted to specific host addresses in order to limit the access to only those that are required.
Nipper Studio determined that on router03 no outbound administrative service access ACL was configured on the administrative line detailed in Table 75.
Table 75: router03 administrative line with no outbound ACL
Line | Access | Login | Level | Password | Telnet | SSH | Filter In
VTY 0-4 | Yes | Line Password | 1 | password | No | Yes | 10
Nipper Studio determined that on CiscoIOS15 no outbound administrative service access ACL was configured on the administrative lines detailed in Table 76.
Table 76: CiscoIOS15 administrative lines with no outbound ACL
Line | Access | Login | Level | Password | Telnet | SSH | Filter In
Interface 0/0/0 | Yes | AAA Authentication | 1 | | No | No |
VTY 0-4 | Yes | AAA Authentication | 1 | password | No | Yes | 1
VTY 5-807 | Yes | AAA Authentication | 1 | | No | Yes | 1
Overall: INFORMATIONAL
Impact: Informational
Ease: Challenging
Fix: Quick

Overall: INFORMATIONAL
Impact: Informational
Ease: Trivial
Fix: Quick
2.71.3 Impact
A malicious user, or attacker, with a basic level of access to the device could use it to attack other devices on the network. An attacker may prefer to use this facility as a way of masking their trail or because the target device may not be contactable directly. If an outbound ACL had been configured then the potential list of targets would be restricted to only those network addresses.
2.71.4 Ease
The attacker must have a level of access to the device in order to be able to use the administrative service client tools to access another system. However, once a level of access has been gained on the device the attacker would then be able to use the available client tools to access services offered by other devices.
2.71.5 Recommendation
Nipper Studio recommends that, unless required, an outbound ACL should be configured and assigned in order to restrict administrative access to other systems.
Notes for Cisco Router devices:
On Cisco Router devices an outbound ACL can be created and assigned to an administrative line using the following commands:
    ip access-list standard access-list-number
    remark description
    permit ip-address wildcard [log]
    exit
    line line-type line-number(s)
    access-class access-list-number out
2.72 TCP Small Services Enabled
2.72.1 Affected Device
router03 - Cisco Router.
2.72.2 Finding
Some devices and platforms provide a collection of simple TCP network services, which are also sometimes referred to as small services. These services provide little functionality and are rarely used; they typically include:
- Echo (defined in RFC 862) returns any data sent to it back to the connecting client;
- Discard (defined in RFC 863) ignores any data sent to it by a connecting client;
- Chargen (defined in RFC 864) generates printable characters which are returned to the connecting client;
- Daytime (defined in RFC 867) returns the current time to a connecting client.
Nipper Studio determined that the TCP small servers were enabled on router03.
Overall: INFORMATIONAL
Impact: Informational
Ease: N/A
Fix: Quick

Overall: INFORMATIONAL
Impact: Informational
Ease: N/A
Fix: Quick
2.72.3 Impact
Each running service increases the chances of an attacker being able to identify the device and successfully compromise it. Although not significant, some of the services may provide an attacker with simple information that could then be used as part of a targeted attack against the system.
2.72.4 Ease
Tools such as Telnet can be used to connect to these services and are often installed by default.
2.72.5 Recommendation
It is generally considered good security practice to disable all unused services, and not running the services will free system resources for other use. Therefore Nipper Studio suggests that the TCP small servers should be disabled.
Notes for Cisco Router devices:
TCP small servers can be disabled on Cisco Router devices with the following command:
    no service tcp-small-servers
2.73 Switch Port Trunking Allows All VLANs
2.73.1 Affected Device
router03 - Cisco Router.
2.73.2 Finding
VLAN network packets can be sent between networked devices, extending a VLAN across different physical devices. In order to extend a VLAN to a different physical device a trunk has to be created between the devices. In order to restrict VLAN access over different physical devices the VLAN trunk can be configured to only permit specific VLANs.
Nipper Studio determined that two network interfaces on router03 were configured to trunk all VLANs. These are detailed in Table 77.
Table 77: Network interfaces on router03 that trunk all VLANs
Interface | Active | VLAN | Trunk | Trunk VLAN | Description
GigabitEthernet1/1 | Yes | 1 | Yes | All | First interface on switch
GigabitEthernet1/2 | Yes | 1 | Yes | All | Second interface on switch
2.73.3 Impact
An attacker who is able to create a trunk would gain direct access to all the VLANs extended over the trunk. This would allow an attacker to bypass any network filtering between the VLANs and capture potentially sensitive information. If a clear-text protocol's network traffic is transferred over the trunk an attacker would gain immediate access to any authentication credentials transferred.
It is worth noting that some network devices default to allowing trunks to be negotiated on the network ports and by default will allow access to all VLANs.
2.73.4 Ease
Tools can be downloaded from the Internet that are capable of creating trunks, or the attacker could use a network switch. The attacker would require a little knowledge of network trunking.
2.73.5 Recommendation
Nipper Studio recommends that, if not required, VLAN trunking should be disabled. If trunking is required on a specific switch port, Nipper Studio recommends that the switch port should be configured to trunk only the required VLANs.
Notes for Cisco Router devices:
Switch ports can be configured to provide no trunking, or to only trunk specific VLANs, on each interface using the following interface commands:
    switchport mode access
    switchport trunk allowed vlan vlan-list
2.74 MOP Enabled
2.74.1 Affected Device
router03 - Cisco Router.
2.74.2 Finding
MOP is used with the DECnet protocol suite. Although the use of MOP is not widespread it is enabled by default on a number of popular network device manufacturers' products.
Nipper Studio determined that MOP was enabled on two network interfaces on router03. These are detailed in Table 78.
Table 78: Network interfaces on router03 with MOP enabled
Interface | Active | MOP | ACL In | ACL Out | Description
GigabitEthernet1/1 | Yes | On | | | First interface on switch
GigabitEthernet1/2 | Yes | On | | | Second interface on switch
2.74.3 Impact
Running unused services increases the chances of an attacker finding a security hole or fingerprinting a device.
2.74.4 Ease
Few tools are available that make use of MOP.
2.74.5 Recommendation
Nipper Studio recommends that, if not required, MOP should be disabled on all Ethernet interfaces.
Notes for Cisco Router devices:
It is worth noting that this issue may have been falsely determined on Cisco Router devices due to the differences between different models. However, MOP can be disabled on individual network interfaces using the following command:
    no mop enabled
2.75 Conclusions
Nipper Studio performed a security audit on 2 March 2017 of the devices detailed in Table 79. Nipper Studio identified 73 security-related issues. The most significant issue was rated as CRITICAL.
Table 79: Security audit device conclusions
Device | Name | Issues | Highest Rating
Cisco Router | router03 | 67 | CRITICAL
Cisco Router | CiscoIOS15 | 24 | CRITICAL
One CRITICAL rated security issue was identified. Nipper Studio determined that:
- dictionary-based user authentication credentials were configured (two devices, see section 2.2).
Nipper Studio identified 24 HIGH rated security issues. Nipper Studio determined that:
- default SNMP community strings were configured (one device, see section 2.3);
- BGP neighbors were configured with no password (one device, see section 2.4);
- not all GLBP groups were authenticated (one device, see section 2.5);
- GLBP groups were configured with clear-text authentication (one device, see section 2.6);
- not all HSRP groups were authenticated (one device, see section 2.7);
- HSRP groups were configured with clear-text authentication (one device, see section 2.8);
- not all OSPF routing updates were authenticated (one device, see section 2.9);
- support for RIP version 1 routing updates was configured (two devices, see section 2.10);
- clear-text RIP authentication was configured (one device, see section 2.11);
- not all VRRP groups were authenticated (one device, see section 2.12);
- VRRP groups were configured with clear-text authentication (one device, see section 2.13);
- not all EIGRP updates were authenticated (one device, see section 2.14);
- not all RIP updates were authenticated (one device, see section 2.15);
- low VRRP priorities were configured (one device, see section 2.16);
- VTP was configured with no password (one device, see section 2.17);
- low GLBP group priorities were configured (one device, see section 2.18);
- low HSRP priorities were configured (one device, see section 2.19);
- the UDP small servers were enabled (one device, see section 2.20);
- the enable password is not stored using an MD5 hash (two devices, see section 2.21);
- the clear-text SNMP service was enabled (two devices, see section 2.22);
- SNMP write access was enabled (one device, see section 2.23);
- no HTTP server session timeout was configured (one device, see section 2.24);
- TCP keep-alive messages were not configured for inbound connections (one device, see section 2.25);
- network interfaces were configured without filtering (two devices, see section 2.26).
Nipper Studio identified 18 MEDIUM rated security issues. Nipper Studio determined that:
- dictionary-based routing protocol authentication keys were configured (one device, see section 2.27);
- dictionary-based VRRP group authentication keys were configured (one device, see section 2.28);
- the SNMP system shutdown facility was enabled (one device, see section 2.29);
- BGP neighbors were configured with dictionary-based passwords (one device, see section 2.30);
- DTP was enabled (one device, see section 2.31);
- the HTTP server was enabled (one device, see section 2.32);
- user account names contained "admin" (one device, see section 2.33);
- weak GLBP group authentication keys were configured (one device, see section 2.34);
- weak HSRP group authentication keys were configured (one device, see section 2.35);
- weak routing protocol authentication keys were configured (one device, see section 2.36);
- low OSPF priorities were configured (two devices, see section 2.37);
- not all users were configured with passwords stored using a MD5 hash (two devices, see section 2.38);
- the AUX port was not disabled (one device, see section 2.39);
- BGP routing processes were configured without route dampening (two devices, see section 2.40);
- no RIP routing update neighbors were configured (two devices, see section 2.41);
- no HTTP network host access addresses were configured (one device, see section 2.42);
- the logging of system messages to a Syslog logging server was not configured (one device, see section 2.43);
- NTP control queries were permitted (one device, see section 2.44).
Nipper Studio identified 19 LOW rated security issues. Nipper Studio determined that:
- a SNMP TFTP server access list was not configured (two devices, see section 2.45);
- no OSPF LSA message thresholds were configured (two devices, see section 2.46);
- NTP authentication was disabled (one device, see section 2.47);
- the finger service was enabled (one device, see section 2.48);
- weak SNMP community strings were configured (one device, see section 2.49);
- directed broadcasts were enabled (one device, see section 2.50);
- service password encryption was disabled (one device, see section 2.51);
- CDP was enabled (one device, see section 2.52);
- network filtering was not configured to restrict SNMP access (one device, see section 2.53);
- SNMP community strings were configured without a view (two devices, see section 2.54);
- the BOOTP service was not disabled (one device, see section 2.55);
- port security was not enabled on all switch ports (one device, see section 2.56);
- the VTP was in server mode (one device, see section 2.57);
- IP source routing was enabled (one device, see section 2.58);
- ICMP address mask reply messages were enabled (one device, see section 2.59);
- proxy ARP was enabled (one device, see section 2.60);
- a weak minimum password length policy setting was configured (two devices, see section 2.61);
- no unauthorized access warning in the pre-logon banner message (two devices, see section 2.62);
- ICMP unreachable messages were enabled (two devices, see section 2.63).
Nipper Studio identified eleven INFO rated security issues. Nipper Studio determined that:
- dictionary-based SNMP trap community strings were configured (one device, see section 2.64);
- weak SNMP trap community strings were configured (one device, see section 2.65);
- DNS lookups were enabled (one device, see section 2.66);
- no network filtering rules were configured (two devices, see section 2.67);
- no post logon banner message was configured (one device, see section 2.68);
- ICMP redirect message sending was enabled (two devices, see section 2.69);
- the PAD service was enabled (one device, see section 2.70);
- no outbound administrative ACL has been configured (two devices, see section 2.71);
- the TCP small servers were enabled (one device, see section 2.72);
- trunking was enabled for all VLANs (one device, see section 2.73);
- MOP was enabled (one device, see section 2.74).
Nipper Studio can draw the following statistics from the results of this security assessment (percentages have been rounded). 1 issue (1%) was rated as critical, 24 issues (33%) were rated as high, 18 issues (25%) were rated as medium, 19 issues (26%) were rated as low and 11 issues (15%) were rated as informational. The number of devices that contain vulnerabilities with a specific rating is as follows: 2 devices had issues rated as critical, 2 devices had issues rated as high, 2 devices had issues rated as medium, 2 devices had issues rated as low and 2 devices had issues rated as informational.
2.76 Recommendations
This section collates the security audit issue recommendations into a single location in order to provide a guide to planning and mitigating the identified issues. The recommendations are listed in Table 80 together with the issue rating and a list of affected devices.
Table 80: Security audit recommendations list
Issue | Rating | Recommendation | Affected Devices | Section
Users With Dictionary-Based Passwords | CRITICAL | Configure strong passwords for all user authentication credentials. | router03, CiscoIOS15 | 2.2
Default SNMP Community Strings Were Configured | HIGH | Configure strong SNMP community strings. | router03 | 2.3
BGP Neighbors Configured With No Passwords | HIGH | Configure strong BGP neighbor authentication passwords for all routing updates. | router03 | 2.4
Not All GLBP Groups Were Authenticated | HIGH | Configure strong authentication keys for all GLBP groups. | router03 | 2.5
Clear-Text GLBP Group Authentication Was Configured | HIGH | Configure MD5 authentication for all GLBP groups. | router03 | 2.6
Not All HSRP Groups Were Authenticated | HIGH | Configure strong authentication keys for all HSRP groups. | router03 | 2.7
Clear-Text HSRP Group Authentication Was Configured | HIGH | Configure MD5 authentication for all HSRP groups. | router03 | 2.8
Not All OSPF Routing Updates Were Authenticated | HIGH | Configure strong authentication keys for all OSPF routing updates. | router03 | 2.9
RIP Version 1 Was Configured | HIGH | Configure support for RIP version 2 only. OR Migrate to a device that has support for RIP version 2. | router03, CiscoIOS15 | 2.10
Clear-Text RIP Authentication Was Configured | HIGH | Configure MD5 authentication for all routing updates. | router03 | 2.11
Not All VRRP Groups Were Authenticated | HIGH | Configure strong authentication keys for all VRRP groups. | router03 | 2.12
Clear-Text VRRP Group Authentication Was Configured | HIGH | Configure MD5 authentication for all VRRP groups. | router03 | 2.13
Not All EIGRP Updates Were Authenticated | HIGH | Configure strong EIGRP authentication keys for all routing updates. | router03 | 2.14
Not All RIP Updates Were Authenticated | HIGH | Configure strong authentication keys for all RIP routing updates. | router03 | 2.15
Low VRRP Router Priorities | HIGH | Configure only high VRRP priorities. | router03 | 2.16
No VTP Authentication Password Was Configured | HIGH | Change the VTP mode to transparent. OR Configure a strong VTP password. | router03 | 2.17
Low GLBP Group Priorities | HIGH | Configure only high GLBP group priorities. | router03 | 2.18
Low HSRP Router Priorities | HIGH | Configure only high HSRP priorities. | router03 | 2.19
UDP Small Services Enabled | HIGH | Disable the UDP small servers. | router03 | 2.20
Enable Password Configured | HIGH | Configure enable passwords to be stored only using the MD5 hash. | router03, CiscoIOS15 | 2.21
Clear-Text SNMP In Use | HIGH | Disable access to the clear-text SNMP service. OR Configure SNMP version 3 with authentication and privacy passwords instead of SNMP versions 1 or 2. | router03, CiscoIOS15 | 2.22
SNMP Write Access Enabled | HIGH | Disable the SNMP service. OR Replace all write access community strings with read only SNMP community strings. | router03 | 2.23
No HTTP Server Session Timeout | HIGH | Configure a HTTP server session timeout of at most 10 minutes. | router03 | 2.24
No Inbound TCP Connection Keep-Alives | HIGH | Enable TCP keep-alive messages for inbound connections. | router03 | 2.25
Interfaces Were Configured With No Filtering | HIGH | Assign network filtering rules to all network interfaces. | router03, CiscoIOS15 | 2.26
Dictionary-Based Routing Protocol Authentication Keys | MEDIUM | Configure strong routing protocol authentication keys for all routing updates. | router03 | 2.27
Dictionary-Based VRRP Group Authentication Keys | MEDIUM | Configure strong VRRP authentication keys for all groups. | router03 | 2.28
SNMP System Shutdown Enabled | MEDIUM | Disable the SNMP system shutdown facility. | router03 | 2.29
BGP Neighbors Configured With Dictionary-Based Passwords | MEDIUM | Configure strong BGP neighbor authentication passwords for all routing updates. | CiscoIOS15 | 2.30
DTP Was Enabled | MEDIUM | Disable DTP. | router03 | 2.31
Clear Text HTTP Service Enabled | MEDIUM | Disable the HTTP server. | router03 | 2.32
User Account Names Contained "admin" | MEDIUM | Ensure administrative or elevated privilege accounts do not contain information identifying them as such. | CiscoIOS15 | 2.33
Weak GLBP Group Authentication Keys | MEDIUM | Configure strong GLBP authentication keys for all groups. | router03 | 2.34
Weak HSRP Group Authentication Keys | MEDIUM | Configure strong HSRP authentication keys for all groups. | router03 | 2.35
Weak Routing Protocol Authentication Keys | MEDIUM | Configure strong routing protocol authentication keys for all routing updates. | CiscoIOS15 | 2.36
Low OSPF Router Priorities | MEDIUM | Configure only high OSPF priorities. | router03, CiscoIOS15 | 2.37
Users Configured With Weak Password Encryption | MEDIUM | Configure all users to store passwords using an MD5 hash. | router03, CiscoIOS15 | 2.38
AUX Port Not Disabled | MEDIUM | Disable the AUX port. OR Configure the callback facility. | router03 | 2.39
No BGP Route Flap Prevention | MEDIUM | Configure BGP route dampening for all BGP routing processes. | router03, CiscoIOS15 | 2.40
No RIP Update Neighbors Were Configured | MEDIUM | Configure RIP routing update neighbors. | router03, CiscoIOS15 | 2.41
No HTTP Service Network Access Restrictions | MEDIUM | Restrict the HTTP service to only those hosts that require access. | router03 | 2.42
Syslog Logging Not Enabled | MEDIUM | Configure Syslog message logging. | router03 | 2.43
NTP Control Queries Were Permitted | MEDIUM | Restrict NTP server access to only time requests. | CiscoIOS15 | 2.44
No SNMP TFTP Server Access List Configured | LOW | Configure a SNMP TFTP server access list. | router03, CiscoIOS15 | 2.45
No OSPF LSA Thresholds | LOW | Configure OSPF LSA message thresholds for all OSPF routing processes. | router03, CiscoIOS15 | 2.46
NTP Authentication Was Disabled | LOW | Enable NTP authentication. | router03 | 2.47
The Finger Service Was Enabled | LOW | Disable the finger service. | router03 | 2.48
Weak SNMP Community Strings Were Configured | LOW | Configure strong SNMP community strings. | CiscoIOS15 | 2.49
IP Directed Broadcasts Were Enabled | LOW | Disable directed broadcasts on all interfaces. | router03 | 2.50
Service Password Encryption Disabled | LOW | Enable service password encryption. | router03 | 2.51
CDP Was Enabled | LOW | Disable CDP. | router03 | 2.52
SNMP Access Without Network Filtering | LOW | Configure SNMP network filtering to restrict network access. | router03 | 2.53
SNMP Access With No View | LOW | Configure a view to limit access to the SNMP MIB. | router03, CiscoIOS15 | 2.54
The BOOTP Service Was Not Disabled | LOW | Disable the BOOTP service. | router03 | 2.55
Switch Port Security Disabled | LOW | Enable port security on all switch ports. | router03 | 2.56
VTP Was In Server Mode | LOW | Change the VTP mode to transparent. | router03 | 2.57
IP Source Routing Was Enabled | LOW | Disable IP source routing. | router03 | 2.58
ICMP Address Mask Reply Messages Were Enabled | LOW | Disable the sending of ICMP address mask reply messages on all network interfaces. | router03 | 2.59
Proxy ARP Was Enabled | LOW | Disable proxy ARP on all interfaces. | router03 | 2.60
Weak Minimum Password Length Policy Setting | LOW | Configure a minimum password length policy setting of 8 characters. | router03, CiscoIOS15 | 2.61
No Warning In Pre-Logon Banner | LOW | Modify the pre-logon banner message to include a carefully worded legal warning. | router03, CiscoIOS15 | 2.62
ICMP Unreachable Messages Were Enabled | LOW | Disable the sending of ICMP unreachable messages. | router03, CiscoIOS15 | 2.63
Dictionary-Based SNMP Traps | INFO | Configure strong SNMP trap community strings. | router03 | 2.64
Weak SNMP Traps | INFO | Configure strong SNMP trap community strings. | CiscoIOS15 | 2.65
DNS Lookups Were Enabled | INFO | Disable DNS lookups. | router03 | 2.66
No Network Filtering Rules Were Configured | INFO | Configure network filtering to restrict access to network services. | router03, CiscoIOS15 | 2.67
No Post Logon Banner Message | INFO | Configure a post logon banner message detailing the acceptable use policy and change control procedures. | router03 | 2.68
ICMP Redirect Messages Were Enabled | INFO | Disable the sending of ICMP redirect messages. | router03, CiscoIOS15 | 2.69
PAD Service Enabled | INFO | Disable the PAD service. | router03 | 2.70
Unrestricted Outbound Administrative Access | INFO | Configure an ACL to restrict outbound administrative service access. | router03, CiscoIOS15 | 2.71
TCP Small Services Enabled | INFO | Disable the TCP small servers. | router03 | 2.72
Switch Port Trunking Allows All VLANs | INFO | Disable VLAN trunking. OR Configure trunking for only the required VLANs. | router03 | 2.73
MOP Enabled | INFO | Disable MOP on all interfaces. | router03 | 2.74
Gotothereportcontentsorthestartofthissection.
2.77 Mitigation Classification
This section aims to provide a guide to the perceived complexity of resolving a particular issue by implementing the recommendation. An outline of how each mitigation classification has been determined is described in Table 81.
Table 81: The mitigation classification
Classification | Description
QUICK | The issue is quick to resolve. Typically this would just involve changing a small number of settings and would have little-to-no effect on network services.
PLANNED | The issue resolution involves planning, testing and could cause some disruption to services. This issue could involve changes to routing protocols and changes to network filtering.
INVOLVED | The resolution of the issue will require significant resources to resolve and is likely to include disruption to network services, and possibly the modification of other network device configurations. The issue could involve upgrading a device's OS and possible modifications to the hardware.
Nipper Studio identified 38 security issues with mitigation recommendations that were classified as QUICK. Those issues were:
CRITICAL: Users With Dictionary-Based Passwords (two devices, see section 2.2)
HIGH: Default SNMP Community Strings Were Configured (one device, see section 2.3)
HIGH: UDP Small Services Enabled (one device, see section 2.20)
HIGH: Enable Password Configured (two devices, see section 2.21)
HIGH: SNMP Write Access Enabled (one device, see section 2.23)
HIGH: No HTTP Server Session Timeout (one device, see section 2.24)
HIGH: No Inbound TCP Connection Keep-Alives (one device, see section 2.25)
HIGH: Interfaces Were Configured With No Filtering (two devices, see section 2.26)
MEDIUM: SNMP System Shutdown Enabled (one device, see section 2.29)
MEDIUM: Clear Text HTTP Service Enabled (one device, see section 2.32)
MEDIUM: User Account Names Contained "admin" (one device, see section 2.33)
MEDIUM: Users Configured With Weak Password Encryption (two devices, see section 2.38)
MEDIUM: AUX Port Not Disabled (one device, see section 2.39)
MEDIUM: No BGP Route Flap Prevention (two devices, see section 2.40)
MEDIUM: No HTTP Service Network Access Restrictions (one device, see section 2.42)
LOW: No SNMP TFTP Server Access List Configured (two devices, see section 2.45)
LOW: The Finger Service Was Enabled (one device, see section 2.48)
LOW: Weak SNMP Community Strings Were Configured (one device, see section 2.49)
LOW: IP Directed Broadcasts Were Enabled (one device, see section 2.50)
LOW: Service Password Encryption Disabled (one device, see section 2.51)
LOW: CDP Was Enabled (one device, see section 2.52)
LOW: SNMP Access Without Network Filtering (one device, see section 2.53)
LOW: SNMP Access With No View (two devices, see section 2.54)
LOW: The BOOTP Service Was Not Disabled (one device, see section 2.55)
LOW: IP Source Routing Was Enabled (one device, see section 2.58)
LOW: ICMP Address Mask Reply Messages Were Enabled (one device, see section 2.59)
LOW: Proxy ARP Was Enabled (one device, see section 2.60)
LOW: Weak Minimum Password Length Policy Setting (two devices, see section 2.61)
LOW: No Warning In Pre-Logon Banner (two devices, see section 2.62)
LOW: ICMP Unreachable Messages Were Enabled (two devices, see section 2.63)
INFO: DNS Lookups Were Enabled (one device, see section 2.66)
INFO: No Post Logon Banner Message (one device, see section 2.68)
INFO: ICMP Redirect Messages Were Enabled (two devices, see section 2.69)
INFO: PAD Service Enabled (one device, see section 2.70)
INFO: Unrestricted Outbound Administrative Access (two devices, see section 2.71)
INFO: TCP Small Services Enabled (one device, see section 2.72)
INFO: Switch Port Trunking Allows All VLANs (one device, see section 2.73)
INFO: MOP Enabled (one device, see section 2.74)
Nipper Studio identified 19 security issues with mitigation recommendations that were classified as PLANNED. Those issues were:
HIGH: Not All EIGRP Updates Were Authenticated (one device, see section 2.14)
HIGH: Not All RIP Updates Were Authenticated (one device, see section 2.15)
HIGH: Low VRRP Router Priorities (one device, see section 2.16)
HIGH: No VTP Authentication Password Was Configured (one device, see section 2.17)
HIGH: Low GLBP Group Priorities (one device, see section 2.18)
HIGH: Low HSRP Router Priorities (one device, see section 2.19)
HIGH: Clear-Text SNMP In Use (two devices, see section 2.22)
MEDIUM: DTP Was Enabled (one device, see section 2.31)
MEDIUM: Low OSPF Router Priorities (two devices, see section 2.37)
MEDIUM: No RIP Update Neighbors Were Configured (two devices, see section 2.41)
MEDIUM: Syslog Logging Not Enabled (one device, see section 2.43)
MEDIUM: NTP Control Queries Were Permitted (one device, see section 2.44)
LOW: No OSPF LSA Thresholds (two devices, see section 2.46)
LOW: NTP Authentication Was Disabled (one device, see section 2.47)
LOW: Switch Port Security Disabled (one device, see section 2.56)
LOW: VTP Was In Server Mode (one device, see section 2.57)
INFO: Dictionary-Based SNMP Traps (one device, see section 2.64)
INFO: Weak SNMP Traps (one device, see section 2.65)
INFO: No Network Filtering Rules Were Configured (two devices, see section 2.67)
Nipper Studio identified 16 security issues with mitigation recommendations that were classified as INVOLVED. Those issues were:
HIGH: BGP Neighbors Configured With No Passwords (one device, see section 2.4)
HIGH: Not All GLBP Groups Were Authenticated (one device, see section 2.5)
HIGH: Clear-Text GLBP Group Authentication Was Configured (one device, see section 2.6)
HIGH: Not All HSRP Groups Were Authenticated (one device, see section 2.7)
HIGH: Clear-Text HSRP Group Authentication Was Configured (one device, see section 2.8)
HIGH: Not All OSPF Routing Updates Were Authenticated (one device, see section 2.9)
HIGH: RIP Version 1 Was Configured (two devices, see section 2.10)
HIGH: Clear-Text RIP Authentication Was Configured (one device, see section 2.11)
HIGH: Not All VRRP Groups Were Authenticated (one device, see section 2.12)
HIGH: Clear-Text VRRP Group Authentication Was Configured (one device, see section 2.13)
MEDIUM: Dictionary-Based Routing Protocol Authentication Keys (one device, see section 2.27)
MEDIUM: Dictionary-Based VRRP Group Authentication Keys (one device, see section 2.28)
MEDIUM: BGP Neighbors Configured With Dictionary-Based Passwords (one device, see section 2.30)
MEDIUM: Weak GLBP Group Authentication Keys (one device, see section 2.34)
MEDIUM: Weak HSRP Group Authentication Keys (one device, see section 2.35)
MEDIUM: Weak Routing Protocol Authentication Keys (one device, see section 2.36)
Nipper Studio can draw the following additional conclusion from the security audit based on the classification of the recommended issue mitigations. Most of the security issue recommendations are perceived to be quick to implement, enabling the majority of the issues to be quickly resolved without requiring a significant allocation of resources or system disruption. Of the 73 security issues identified, 38 (52%) recommendations were classified as having a quick mitigation, 19 (26%) recommendations were classified as having a planned mitigation and 16 (21%) recommendations were classified as having an involved mitigation.

3 Vulnerability Audit
3.1 Introduction
Nipper Studio performed a software vulnerability audit on 2 March 2017 of the two devices detailed in Table 82. The audit was performed by comparing the device software versions against a database of known vulnerabilities reported by both device manufacturers and third-party security specialists.
Table 82: Software vulnerability audit scope
Device | Type | Model | Version
router03 | Cisco Router | IOS | 12.3
CiscoIOS15 | Cisco Router | IOS | 15.0
The vulnerability database used in this audit was updated on 10 February 2017. Each vulnerability is detailed with a CVSSv2 score, advisory references and third-party references.

3.2 CVE-2006-4950
Overall Rating: CRITICAL
CVSSv2 Score: 10.0
CVSSv2 Base: AV:N/AC:L/Au:N/C:C/I:C/A:C (10.0)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (10.0)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 23/09/2006
3.2.1 Summary
Cisco IOS 12.2 through 12.4 before 20060920, as used by Cisco IAD2430, IAD2431, and IAD2432 Integrated Access Devices, the VG224 Analog Phone Gateway, and the MWR1900 and 1941 Mobile Wireless Edge Routers, is incorrectly identified as supporting DOCSIS, which allows remote attackers to gain read-write access via a hard-coded cable-docsis community string and read or modify arbitrary SNMP variables.
3.2.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.2.3 References
The following references contain further information about this vulnerability:
SECTRACK 1016899 Web link: http://securitytracker.com/id?1016899
CISCO 20060920 DOCSIS Read-Write Community String Enabled in Non-DOCSIS Platforms Web link: http://www.cisco.com/warp/public/707/cisco-sa-20060920-docsis.shtml
CERT-VN VU#123140 Web link: http://www.kb.cert.org/vuls/id/123140
BID 20125 Web link: http://www.securityfocus.com/bid/20125
VUPEN ADV-2006-3722 Web link: http://www.vupen.com/english/advisories/2006/3722
XF ios-docsis-default-snmp(29054) Web link: http://xforce.iss.net/xforce/xfdb/29054

3.3 CVE-2007-0480
Overall Rating: CRITICAL
CVSSv2 Score: 10.0
CVSSv2 Base: AV:N/AC:L/Au:N/C:C/I:C/A:C (10.0)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (10.0)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 24/01/2007
3.3.1 Summary
Cisco IOS 9.x, 10.x, 11.x, and 12.x and IOS XR 2.0.x, 3.0.x, and 3.2.x allows remote attackers to cause a denial of service or execute arbitrary code via a crafted IP option in the IP header in a (1) ICMP, (2) PIMv2, (3) PGM, or (4) URD packet.
3.3.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.3.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20070124 Crafted IP Option Vulnerability Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb157.shtml
3.3.4 References
The following references contain further information about this vulnerability:
SECTRACK 1017555 Web link: http://securitytracker.com/id?1017555
CERT-VN VU#341288 Web link: http://www.kb.cert.org/vuls/id/341288
BID 22211 Web link: http://www.securityfocus.com/bid/22211
CERT TA07-024A Web link: http://www.us-cert.gov/cas/techalerts/TA07-024A.html
VUPEN ADV-2007-0329 Web link: http://www.vupen.com/english/advisories/2007/0329
XF cisco-ip-option-code-execution(31725) Web link: http://xforce.iss.net/xforce/xfdb/31725

3.4 CVE-2010-0580
Overall Rating: CRITICAL
CVSSv2 Score: 10.0
CVSSv2 Base: AV:N/AC:L/Au:N/C:C/I:C/A:C (10.0)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (10.0)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 25/03/2010
3.4.1 Summary
Unspecified vulnerability in the SIP implementation in Cisco IOS 12.3 and 12.4 allows remote attackers to execute arbitrary code via a malformed SIP message, aka Bug ID CSCsz48680, the "SIP Message Processing Arbitrary Code Execution Vulnerability."
3.4.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.4.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information directly from the manufacturers about this vulnerability:
Web link: http://tools.cisco.com/security/center/viewAlert.x?alertId=20064
CISCO 20100324 Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20f32.shtml
3.4.4 Reference
The following reference contains further information about this vulnerability:
SECTRACK 1023744 Web link: http://securitytracker.com/id?1023744

3.5 CVE-2010-0581
Overall Rating: CRITICAL
CVSSv2 Score: 10.0
CVSSv2 Base: AV:N/AC:L/Au:N/C:C/I:C/A:C (10.0)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (10.0)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 25/03/2010
3.5.1 Summary
Unspecified vulnerability in the SIP implementation in Cisco IOS 12.3 and 12.4 allows remote attackers to execute arbitrary code via a malformed SIP message, aka Bug ID CSCsz89904, the "SIP Packet Parsing Arbitrary Code Execution Vulnerability."
3.5.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.5.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information directly from the manufacturers about this vulnerability:
Web link: http://tools.cisco.com/security/center/viewAlert.x?alertId=20065
CISCO 20100324 Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20f32.shtml
3.5.4 Reference
The following reference contains further information about this vulnerability:
SECTRACK 1023744 Web link: http://securitytracker.com/id?1023744

3.6 CVE-2011-0935
Overall Rating: CRITICAL
CVSSv2 Score: 10.0
CVSSv2 Base: AV:N/AC:L/Au:N/C:C/I:C/A:C (10.0)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (10.0)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 14/04/2011
3.6.1 Summary
The PKI functionality in Cisco IOS 15.0 and 15.1 does not prevent permanent caching of certain public keys, which allows remote attackers to bypass authentication and have unspecified other impact by leveraging an IKE peer relationship in which a key was previously valid but later revoked, aka Bug ID CSCth82164, a different vulnerability than CVE-2010-4685.
3.6.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.6.3 References
The following references contain further information about this vulnerability:
Web link: http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151-2TCAVS.html
Web link: http://www.cisco.com/en/US/docs/ios/15_1s/release/notes/15_1s_caveats_15_1_1s.html
BID 47407 Web link: http://www.securityfocus.com/bid/47407

3.7 CVE-2005-3481
Overall Rating: CRITICAL
CVSSv2 Score: 9.3
CVSSv2 Base: AV:N/AC:M/Au:N/C:C/I:C/A:C (9.3)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (9.3)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 02/11/2005
3.7.1 Summary
Cisco IOS 12.0 to 12.4 might allow remote attackers to execute arbitrary code via a heap-based buffer overflow in system timers. NOTE: this issue does not correspond to a specific vulnerability, rather a general weakness that only increases the feasibility of exploitation of any vulnerabilities that might exist. Such design-level weaknesses normally are not included in CVE, so perhaps this issue should be REJECTed.
3.7.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.7.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20051102 IOS Heap-based Overflow Vulnerability in System Timers Web link: http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml
3.7.4 References
The following references contain further information about this vulnerability:
SECTRACK 1015139 Web link: http://securitytracker.com/id?1015139
CERT-VN VU#562945 Web link: http://www.kb.cert.org/vuls/id/562945
BID 15275 Web link: http://www.securityfocus.com/bid/15275
VUPEN ADV-2005-2282 Web link: http://www.vupen.com/english/advisories/2005/2282

3.8 CVE-2006-3291
Overall Rating: CRITICAL
CVSSv2 Score: 9.3
CVSSv2 Base: AV:N/AC:M/Au:N/C:C/I:C/A:C (9.3)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (9.3)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 28/06/2006
3.8.1 Summary
The web interface on Cisco IOS 12.3(8)JA and 12.3(8)JA1, as used on the Cisco Wireless Access Point and Wireless Bridge, reconfigures itself when it is changed to use the "Local User List Only (Individual Passwords)" setting, which removes all security and password configurations and allows remote attackers to access the system.
3.8.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.8.3 References
The following references contain further information about this vulnerability:
SECTRACK 1016399 Web link: http://securitytracker.com/id?1016399
CISCO 20060628 Access Point Web-browser Interface Vulnerability Web link: http://www.cisco.com/warp/public/707/cisco-sa-20060628-ap.shtml
CERT-VN VU#544484 Web link: http://www.kb.cert.org/vuls/id/544484
BID 18704 Web link: http://www.securityfocus.com/bid/18704
VUPEN ADV-2006-2584 Web link: http://www.vupen.com/english/advisories/2006/2584
XF cisco-ap-browser-unauth-access(27437) Web link: http://xforce.iss.net/xforce/xfdb/27437

3.9 CVE-2007-2586
Overall Rating: CRITICAL
CVSSv2 Score: 9.3
CVSSv2 Base: AV:N/AC:M/Au:N/C:C/I:C/A:C (9.3)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (9.3)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 09/05/2007
3.9.1 Summary
The FTP Server in Cisco IOS 11.3 through 12.4 does not properly check user authorization, which allows remote attackers to execute arbitrary code, and have other impact including reading startup-config, as demonstrated by a crafted MKD command that involves access to a VTY device and overflows a buffer, aka bug ID CSCek55259.
3.9.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.9.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information directly from the manufacturers about this vulnerability:
CISCO 20070509 Multiple Vulnerabilities in the IOS FTP Server Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a00808399d0.shtml
VUPEN ADV-2007-1749 Web link: http://www.vupen.com/english/advisories/2007/1749
3.9.4 References
The following references contain further information about this vulnerability:
BUGTRAQ 20090120 Re: Remote Cisco IOS FTP exploit Web link: http://seclists.org/bugtraq/2009/Jan/0183.html
EXPLOIT-DB 6155 Web link: http://www.exploit-db.com/exploits/6155
MILW0RM 6155 Web link: http://www.milw0rm.com/exploits/6155
BUGTRAQ 20080729 Remote Cisco IOS FTP exploit Web link: http://www.securityfocus.com/archive/1/494868
BID 23885 Web link: http://www.securityfocus.com/bid/23885
SECTRACK 1018030 Web link: http://www.securitytracker.com/id?1018030
XF cisco-ios-ftp-unauthorized-access(34197) Web link: http://xforce.iss.net/xforce/xfdb/34197

3.10 CVE-2007-4286
Overall Rating: CRITICAL
CVSSv2 Score: 9.3
CVSSv2 Base: AV:N/AC:M/Au:N/C:C/I:C/A:C (9.3)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (9.3)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 09/08/2007
3.10.1 Summary
Buffer overflow in the Next Hop Resolution Protocol (NHRP) functionality in Cisco IOS 12.0 through 12.4 allows remote attackers to cause a denial of service (restart) and execute arbitrary code via a crafted NHRP packet.
3.10.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.10.3 References
The following references contain further information about this vulnerability:
CISCO 20070808 Cisco IOS Next Hop Resolution Protocol Vulnerability Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a008089963b.shtml
CERT-VN VU#201984 Web link: http://www.kb.cert.org/vuls/id/201984
BUGTRAQ 20070809 Cisco NHRP denial of service (cisco-sa-20070808-nhrp) Web link: http://www.securityfocus.com/archive/1/archive/1/475931/100/0/threaded
BID 25238 Web link: http://www.securityfocus.com/bid/25238
SECTRACK 1018535 Web link: http://www.securitytracker.com/id?1018535
VUPEN ADV-2007-2818 Web link: http://www.vupen.com/english/advisories/2007/2818
XF cisco-ios-nexthop-bo(35889) Web link: http://xforce.iss.net/xforce/xfdb/35889

3.11 CVE-2007-4292
Overall Rating: CRITICAL
CVSSv2 Score: 9.3
CVSSv2 Base: AV:N/AC:M/Au:N/C:C/I:C/A:C (9.3)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (9.3)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 09/08/2007
3.11.1 Summary
Multiple memory leaks in Cisco IOS 12.0 through 12.4 allow remote attackers to cause a denial of service (device crash) via a malformed SIP packet, aka (1) CSCsf11855, (2) CSCeb21064, (3) CSCse40276, (4) CSCse68355, (5) CSCsf30058, (6) CSCsb24007, and (7) CSCsc60249.
3.11.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.11.3 References
The following references contain further information about this vulnerability:
SECTRACK 1018533 Web link: http://securitytracker.com/id?1018533
CISCO 20070808 Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080899653.shtml
BID 25239 Web link: http://www.securityfocus.com/bid/25239
VUPEN ADV-2007-2816 Web link: http://www.vupen.com/english/advisories/2007/2816
XF cisco-ios-sip-dos(35890) Web link: http://xforce.iss.net/xforce/xfdb/35890

3.12 CVE-2007-5381
Overall Rating: CRITICAL
CVSSv2 Score: 9.3
CVSSv2 Base: AV:N/AC:M/Au:N/C:C/I:C/A:C (9.3)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (9.3)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 11/10/2007
3.12.1 Summary
Stack-based buffer overflow in the Line Printer Daemon (LPD) in Cisco IOS before 12.2(18)SXF11, 12.4(16a), and 12.4(2)T6 allow remote attackers to execute arbitrary code by setting a long hostname on the target system, then causing an error message to be printed, as demonstrated by a telnet session to the LPD from a source port other than 515.
3.12.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.12.3 References
The following references contain further information about this vulnerability:
CISCO 20071010 Cisco IOS Line Printer Daemon (LPD) Protocol Stack Overflow Web link: http://www.cisco.com/en/US/products/products_security_response09186a00808d72e3.html
MISC Web link: http://www.irmplc.com/index.php/155-Advisory-024
CERT-VN VU#230505 Web link: http://www.kb.cert.org/vuls/id/230505
BID 26001 Web link: http://www.securityfocus.com/bid/26001
SECTRACK 1018798 Web link: http://www.securitytracker.com/id?1018798
VUPEN ADV-2007-3457 Web link: http://www.vupen.com/english/advisories/2007/3457
XF cisco-ios-lpd-bo(37046) Web link: http://xforce.iss.net/xforce/xfdb/37046

3.13 CVE-2008-3807
Overall Rating: CRITICAL
CVSSv2 Score: 9.3
CVSSv2 Base: AV:N/AC:M/Au:N/C:C/I:C/A:C (9.3)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (9.3)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 26/09/2008
3.13.1 Summary
Cisco IOS 12.2 and 12.3 on Cisco uBR10012 series devices, when linecard redundancy is configured, enables a read/write SNMP service with "private" as the community, which allows remote attackers to obtain administrative access by guessing this community and sending SNMP requests.
3.13.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.13.3 References
The following references contain further information about this vulnerability:
CISCO 20080924 Cisco uBR10012 Series Devices SNMP Vulnerability Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a014b1.shtml
SECTRACK 1020941 Web link: http://www.securitytracker.com/id?1020941
VUPEN ADV-2008-2670 Web link: http://www.vupen.com/english/advisories/2008/2670

3.14 CVE-2011-4012
Overall Rating: CRITICAL
CVSSv2 Score: 9.3
CVSSv2 Base: AV:N/AC:M/Au:N/C:C/I:C/A:C (9.3)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (9.3)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 02/05/2012
3.14.1 Summary
Cisco IOS 12.0, 15.0, and 15.1, when a Policy Feature Card 3C (PFC3C) is used, does not create a fragment entry during processing of an ICMPv6 ACL, which has unspecified impact and remote attack vectors, aka Bug ID CSCtj90091.
3.14.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.14.3 References
The following references contain further information about this vulnerability:
Web link: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/caveats_SXJ.html
SECTRACK 1027005 Web link: http://www.securitytracker.com/id?1027005

3.15 CVE-2007-4285
Overall Rating: CRITICAL
CVSSv2 Score: 9.0
CVSSv2 Base: AV:N/AC:L/Au:N/C:P/I:P/A:C (9.0)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (9.0)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 09/08/2007
3.15.1 Summary
Unspecified vulnerability in Cisco IOS and Cisco IOS XR 12.x up to 12.3, including some versions before 12.3(15) and 12.3(14)T, allows remote attackers to obtain sensitive information (partial packet contents) or cause a denial of service (router or component crash) via crafted IPv6 packets with a Type 0 routing header.
3.15.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.15.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information directly from the manufacturers about this vulnerability:
CISCO 20070808 Cisco IOS Information Leakage Using IPv6 Routing Header Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080899647.shtml
VUPEN ADV-2007-2819 Web link: http://www.vupen.com/english/advisories/2007/2819
3.15.4 References
The following references contain further information about this vulnerability:
SECTRACK 1018542 Web link: http://securitytracker.com/id?1018542
XF cisco-ios-ipv6-header-dos(35906) Web link: http://xforce.iss.net/xforce/xfdb/35906

3.16 CVE-2009-0628
Overall Rating: CRITICAL
CVSSv2 Score: 9.0
CVSSv2 Base: AV:N/AC:L/Au:N/C:P/I:P/A:C (9.0)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (9.0)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 27/03/2009
3.16.1 Summary
Memory leak in the SSLVPN feature in Cisco IOS 12.3 through 12.4 allows remote attackers to cause a denial of service (memory consumption and device crash) by disconnecting an SSL session in an abnormal manner, leading to a Transmission Control Block (TCB) leak.
3.16.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.16.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information directly from the manufacturers about this vulnerability:
CISCO 20090325 Cisco IOS Software WebVPN and SSLVPN Vulnerabilities Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90424.shtml
Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90469.shtml
VUPEN ADV-2009-0851 Web link: http://www.vupen.com/english/advisories/2009/0851
3.16.4 References
The following references contain further information about this vulnerability:
SECTRACK 1021896 Web link: http://securitytracker.com/id?1021896
BID 34239 Web link: http://www.securityfocus.com/bid/34239
XF ios-sslvpn-tcbleak-dos(49427) Web link: http://xforce.iss.net/xforce/xfdb/49427

3.17 CVE-2015-0635
Overall Rating: CRITICAL
CVSSv2 Score: 9.0
CVSSv2 Base: AV:N/AC:L/Au:N/C:P/I:P/A:C (9.0)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (9.0)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 26/03/2015
3.17.1 Summary
The Autonomic Networking Infrastructure (ANI) implementation in Cisco IOS 12.2, 12.4, 15.0, 15.2, 15.3, and 15.4 and IOS XE 3.10.xS through 3.13.xS before 3.13.1S allows remote attackers to spoof Autonomic Networking Registration Authority (ANRA) responses, and consequently bypass intended device and node access restrictions or cause a denial of service (disrupted domain access), via crafted AN messages, aka Bug ID CSCup62191.
3.17.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.17.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20150325 Multiple Vulnerabilities in Cisco IOS Software and IOS XE Software Autonomic Networking Infrastructure Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-ani
3.17.4 Reference
The following reference contains further information about this vulnerability:
SECTRACK 1031982 Web link: http://www.securitytracker.com/id/1031982

3.18 CVE-2008-3805
Overall Rating: HIGH
CVSSv2 Score: 8.5
CVSSv2 Base: AV:N/AC:L/Au:N/C:N/I:P/A:C (8.5)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (8.5)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 26/09/2008
3.18.1 Summary
Cisco IOS 12.0 through 12.4 on Cisco 10000, uBR10012 and uBR7200 series devices handles external UDP packets that are sent to 127.0.0.0/8 addresses intended for IPC communication within the device, which allows remote attackers to cause a denial of service (device or linecard reload) via crafted UDP packets, a different vulnerability than CVE-2008-3806.
3.18.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.18.3 References
The following references contain further information about this vulnerability:
Web link: http://tools.cisco.com/security/center/viewAlert.x?alertId=16646
CISCO 20080924 Cisco 10000, uBR10012, uBR7200 Series Devices IPC Vulnerability Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a014ae.shtml
SECTRACK 1020935 Web link: http://www.securitytracker.com/id?1020935
VUPEN ADV-2008-2670 Web link: http://www.vupen.com/english/advisories/2008/2670

3.19 CVE-2008-3806
Overall Rating: HIGH
CVSSv2 Score: 8.5
CVSSv2 Base: AV:N/AC:L/Au:N/C:N/I:P/A:C (8.5)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (8.5)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 26/09/2008
3.19.1 Summary
Cisco IOS 12.0 through 12.4 on Cisco 10000, uBR10012 and uBR7200 series devices handles external UDP packets that are sent to 127.0.0.0/8 addresses intended for IPC communication within the device, which allows remote attackers to cause a denial of service (device or linecard reload) via crafted UDP packets, a different vulnerability than CVE-2008-3805.
3.19.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.19.3 References
The following references contain further information about this vulnerability:
Web link: http://tools.cisco.com/security/center/viewAlert.x?alertId=16646
CISCO 20080924 Cisco 10000, uBR10012, uBR7200 Series Devices IPC Vulnerability Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a014ae.shtml
XF ios-udp-ipc-dos-variant2(45592) Web link: http://xforce.iss.net/xforce/xfdb/45592

3.20 CVE-2012-0384
Overall Rating: HIGH
CVSSv2 Score: 8.5
CVSSv2 Base: AV:N/AC:M/Au:S/C:C/I:C/A:C (8.5)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (8.5)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 29/03/2012
3.20.1 Summary
Cisco IOS 12.2 through 12.4 and 15.0 through 15.2 and IOS XE 2.1.x through 2.6.x and 3.1.xS before 3.1.2S, 3.2.xS through 3.4.xS before 3.4.2S, 3.5.xS before 3.5.1S, and 3.1.xSG and 3.2.xSG before 3.2.2SG, when AAA authorization is enabled, allow remote authenticated users to bypass intended access restrictions and execute commands via a (1) HTTP or (2) HTTPS session, aka Bug ID CSCtr91106.
3.20.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03
Cisco Router - CiscoIOS15
3.20.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120328 Cisco IOS Software Command Authorization Bypass Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-pai
3.20.4 References
The following references contain further information about this vulnerability:
BID 52755 Web link: http://www.securityfocus.com/bid/52755
SECTRACK 1026860 Web link: http://www.securitytracker.com/id?1026860

3.21 CVE-2016-6380
Overall Rating: HIGH
CVSSv2 Score: 8.3
CVSSv2 Base: AV:N/AC:M/Au:N/C:P/I:P/A:C (8.3)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (8.3)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 05/10/2016
3.21.1 Summary
The DNS forwarder in Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 3.1 through 3.15 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (data corruption or device reload) via a crafted DNS response, aka Bug ID CSCup90532.
3.21.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03
Cisco Router - CiscoIOS15
3.21.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160928 Cisco IOS and IOS XE Software DNS Forwarder Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-dns
3.21.4 Reference
The following reference contains further information about this vulnerability:
BID 93201 Web link: http://www.securityfocus.com/bid/93201

3.22 CVE-2007-0479
Overall Rating: HIGH
CVSSv2 Score: 7.8
CVSSv2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 24/01/2007
3.22.1 Summary
Memory leak in the TCP listener in Cisco IOS 9.x, 10.x, 11.x, and 12.x allows remote attackers to cause a denial of service by sending crafted TCP traffic to an IPv4 address on the IOS device.
3.22.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.22.3 References
The following references contain further information about this vulnerability:
SECTRACK 1017551 Web link: http://securitytracker.com/id?1017551
CISCO 20070124 Crafted TCP Packet Can Cause Denial of Service Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb0e4.shtml
CERT-VN VU#217912 Web link: http://www.kb.cert.org/vuls/id/217912
BID 22208 Web link: http://www.securityfocus.com/bid/22208
CERT TA07-024A Web link: http://www.us-cert.gov/cas/techalerts/TA07-024A.html
VUPEN ADV-2007-0329 Web link: http://www.vupen.com/english/advisories/2007/0329
XF cisco-tcp-ipv4-dos(31716) Web link: http://xforce.iss.net/xforce/xfdb/31716

3.23 CVE-2007-0481
Overall Rating: HIGH
CVSSv2 Score: 7.8
CVSSv2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 24/01/2007
3.23.1 Summary
Cisco IOS allows remote attackers to cause a denial of service (crash) via a crafted IPv6 Type 0 Routing header.
3.23.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.23.3 References
The following references contain further information about this vulnerability:
SECTRACK 1017550 Web link: http://securitytracker.com/id?1017550
CISCO 20070124 IPv6 Routing Header Vulnerability Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb0fd.shtml
CERT-VN VU#274760 Web link: http://www.kb.cert.org/vuls/id/274760
BID 22210 Web link: http://www.securityfocus.com/bid/22210
CERT TA07-024A Web link: http://www.us-cert.gov/cas/techalerts/TA07-024A.html
VUPEN ADV-2007-0329 Web link: http://www.vupen.com/english/advisories/2007/0329
XF cisco-ios-ipv6-type0-dos(31715) Web link: http://xforce.iss.net/xforce/xfdb/31715

3.24 CVE-2007-0648
Overall Rating: HIGH
CVSSv2 Score: 7.8
CVSSv2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 31/01/2007
3.24.1 Summary
Cisco IOS after 12.3(14)T, 12.3(8)YC1, 12.3(8)YG, and 12.4, with voice support and without Session Initiated Protocol (SIP) configured, allows remote attackers to cause a denial of service (crash) by sending a crafted packet to port 5060/UDP.
3.24.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.24.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information directly from the manufacturers about this vulnerability:
Web link: http://www.cisco.com/warp/public/707/cisco-air-20070131-sip.shtml
CISCO 20070131 SIP Packet Reloads IOS Devices Not Configured for SIP Web link: http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml
3.24.4 References
The following references contain further information about this vulnerability:
SECTRACK 1017575 Web link: http://securitytracker.com/id?1017575
CERT-VN VU#438176 Web link: http://www.kb.cert.org/vuls/id/438176
BID 22330 Web link: http://www.securityfocus.com/bid/22330
VUPEN ADV-2007-0428 Web link: http://www.vupen.com/english/advisories/2007/0428
XF cisco-sip-packet-dos(31990) Web link: http://xforce.iss.net/xforce/xfdb/31990

Overall Rating: HIGH
CVSSv2 Score: 7.8
CVSSv2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSSv2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSSv2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 22/05/2007
Gotothereportcontentsorthestartofthissection.
3.25CVE-2007-2813
3.25.1Summary
CiscoIOS12.4andearlier,whenusingthecryptopackagesandSSLsupportisenabled,allowsremoteattackerstocauseadenialofserviceviaamalformed(1)ClientHello,(2)ChangeCipherSpec,or(3)FinishedmessageduringanSSLsession.
3.25.2AffectedDevice
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.25.3References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
CISCO20070522MultipleVulnerabilitiesinCiscoIOSWhileProcessingSSLPacketsWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080847c49.shtml;BID24097Weblink:http://www.securityfocus.com/bid/24097;SECTRACK1018094Weblink:http://www.securitytracker.com/id?1018094;VUPENADV-2007-1910Weblink:http://www.vupen.com/english/advisories/2007/1910;XFcisco-ios-clienthello-dos(34432)Weblink:http://xforce.iss.net/xforce/xfdb/34432;XFcisco-ios-changecipherspec-dos(34436)
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:27/03/2008
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:26/09/2008
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:26/09/2008
Weblink:http://xforce.iss.net/xforce/xfdb/34436;XFcisco-ios-finished-dos(34442)Weblink:http://xforce.iss.net/xforce/xfdb/34442.
Gotothereportcontentsorthestartofthissection.
3.26CVE-2008-1152
3.26.1Summary
Thedata-linkswitching(DLSw)componentinCiscoIOS12.0through12.4allowsremoteattackerstocauseadenialofservice(devicerestartormemoryconsumption)viacrafted(1)UDPport2067or(2)IPprotocol91packets.
3.26.2AffectedDevice
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.26.3References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
CISCO20080326MultipleDLSwDenialofServiceVulnerabilitiesinCiscoIOSWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080969866.shtml;BID28465Weblink:http://www.securityfocus.com/bid/28465;SECTRACK1019712Weblink:http://www.securitytracker.com/id?1019712;CERTTA08-087BWeblink:http://www.us-cert.gov/cas/techalerts/TA08-087B.html;VUPENADV-2008-1006Weblink:http://www.vupen.com/english/advisories/2008/1006/references;XFcisco-ios-dlsw-dos(41482)Weblink:http://xforce.iss.net/xforce/xfdb/41482.
Gotothereportcontentsorthestartofthissection.
3.27CVE-2008-2739
3.27.1Summary
TheSERVICE.DNSsignatureengineintheIntrusionPreventionSystem(IPS)inCiscoIOS12.3and12.4allowsremoteattackerstocauseadenialofservice(devicecrashorhang)vianetworktrafficthattriggersunspecifiedIPSsignatures,adifferentvulnerabilitythanCVE-2008-1447.
3.27.2AffectedDevice
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.27.3References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
CISCO20080924CiscoIOSIPSDenialofServiceVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01556.shtml;VUPENADV-2008-2670Weblink:http://www.vupen.com/english/advisories/2008/2670.
Gotothereportcontentsorthestartofthissection.
3.28CVE-2008-3799
3.28.1Summary
MemoryleakintheSessionInitiationProtocol(SIP)implementationinCiscoIOS12.2through12.4,whenVoIPisconfigured,allowsremoteattackerstocauseadenialofservice(memoryconsumptionandvoice-serviceoutage)viaunspecifiedvalidSIPmessages.
3.28.2AffectedDevice
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.28.3References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
CISCO20080924MultipleCiscoIOSSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01562.shtml;
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:26/09/2008
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:27/03/2009
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:27/03/2009
SECTRACK1020939Weblink:http://www.securitytracker.com/id?1020939;VUPENADV-2008-2670Weblink:http://www.vupen.com/english/advisories/2008/2670.
Gotothereportcontentsorthestartofthissection.
3.29CVE-2008-3808
3.29.1Summary
UnspecifiedvulnerabilityinCiscoIOS12.0through12.4allowsremoteattackerstocauseadenialofservice(devicereload)viaacraftedProtocolIndependentMulticast(PIM)packet.
3.29.2AffectedDevice
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.29.3References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
CISCO20080924MultipleMulticastVulnerabilitiesinCiscoIOSSoftwareWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01491.shtml;BID31356Weblink:http://www.securityfocus.com/bid/31356;SECTRACK1020936Weblink:http://www.securitytracker.com/id?1020936;VUPENADV-2008-2670Weblink:http://www.vupen.com/english/advisories/2008/2670.
Gotothereportcontentsorthestartofthissection.
3.30CVE-2009-0626
3.30.1Summary
TheSSLVPNfeatureinCiscoIOS12.3through12.4allowsremoteattackerstocauseadenialofservice(devicereloadorhang)viaacraftedHTTPSpacket.
3.30.2AffectedDevice
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.30.3VendorSecurityAdvisories
Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:
CISCO20090325CiscoIOSSoftwareWebVPNandSSLVPNVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90424.shtml;Weblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90469.shtml;VUPENADV-2009-0851Weblink:http://www.vupen.com/english/advisories/2009/0851.
3.30.4References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
SECTRACK1021896Weblink:http://securitytracker.com/id?1021896;BID34239Weblink:http://www.securityfocus.com/bid/34239;XFios-sslvpn-dos(49425)Weblink:http://xforce.iss.net/xforce/xfdb/49425.
Gotothereportcontentsorthestartofthissection.
3.31CVE-2009-0631
3.31.1Summary
UnspecifiedvulnerabilityinCiscoIOS12.0through12.4,whenconfiguredwith(1)IPServiceLevelAgreements(SLAs)Responder,(2)SessionInitiationProtocol(SIP),(3)H.323AnnexECallSignalingTransport,or(4)MediaGatewayControlProtocol(MGCP)allowsremoteattackerstocauseadenialofservice(blockedinputqueueontheinboundinterface)viaacraftedUDPpacket.
3.31.2AffectedDevice
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:27/03/2009
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:28/09/2009
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.31.3VendorSecurityAdvisories
Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:
CISCO20090325CiscoIOSSoftwareMultipleFeaturesCraftedUDPPacketVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90426.shtml;Weblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90469.shtml.
3.31.4References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
BID34245Weblink:http://www.securityfocus.com/bid/34245;SECTRACK1021904Weblink:http://www.securitytracker.com/id?1021904;XFios-udp-dos(49419)Weblink:http://xforce.iss.net/xforce/xfdb/49419.
Gotothereportcontentsorthestartofthissection.
3.32CVE-2009-0636
3.32.1Summary
UnspecifiedvulnerabilityinCiscoIOS12.0through12.4,whenSIPvoiceservicesareenabled,allowsremoteattackerstocauseadenialofservice(devicecrash)viaavalidSIPmessage.
3.32.2AffectedDevice
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.32.3VendorSecurityAdvisories
Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:
Weblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90469.shtml;CISCO20090325CiscoIOSSoftwareSessionInitiationProtocolDenialofServiceVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080a904c0.shtml;VUPENADV-2009-0851Weblink:http://www.vupen.com/english/advisories/2009/0851.
3.32.4References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
SECTRACK1021902Weblink:http://securitytracker.com/id?1021902;BID34243Weblink:http://www.securityfocus.com/bid/34243;XFios-sip-dos(49421)Weblink:http://xforce.iss.net/xforce/xfdb/49421.
Gotothereportcontentsorthestartofthissection.
3.33CVE-2009-2866
3.33.1Summary
UnspecifiedvulnerabilityinCiscoIOS12.2through12.4allowsremoteattackerstocauseadenialofservice(devicereload)viaacraftedH.323packet,akaBugIDCSCsz38104.
3.33.2AffectedDevice
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.33.3VendorSecurityAdvisories
Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:
Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=18885;CISCO20090923CiscoIOSSoftwareH.323DenialofServiceVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080af811a.shtml.
3.33.4References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:28/09/2009
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:28/09/2009
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
BID36494Weblink:http://www.securityfocus.com/bid/36494;SECTRACK1022930Weblink:http://www.securitytracker.com/id?1022930;VUPENADV-2009-2759Weblink:http://www.vupen.com/english/advisories/2009/2759;XFciscoios-h323-dos(53446)Weblink:http://xforce.iss.net/xforce/xfdb/53446.
Gotothereportcontentsorthestartofthissection.
3.34CVE-2009-2868
3.34.1Summary
UnspecifiedvulnerabilityinCiscoIOS12.2through12.4,whencertificate-basedauthenticationisenabledforIKE,allowsremoteattackerstocauseadenialofservice(Phase1SAexhaustion)viacraftedrequests,akaBugIDsCSCsy07555andCSCee72997.
3.34.2AffectedDevice
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.34.3VendorSecurityAdvisories
Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:
Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=18887;CISCO20090923CiscoIOSSoftwareInternetKeyExchangeResourceExhaustionVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8117.shtml.
3.34.4Reference
Thefollowingreferencecontainsfurtherinformationaboutthisvulnerability:
VUPENADV-2009-2759Weblink:http://www.vupen.com/english/advisories/2009/2759.
Gotothereportcontentsorthestartofthissection.
3.35CVE-2009-2870
3.35.1Summary
UnspecifiedvulnerabilityinCiscoIOS12.2through12.4,whentheCiscoUnifiedBorderElementfeatureisenabled,allowsremoteattackerstocauseadenialofservice(devicereload)viacraftedSIPmessages,akaBugIDCSCsx25880.
3.35.2AffectedDevice
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.35.3VendorSecurityAdvisories
Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:
Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=18891;CISCO20090923CiscoIOSSoftwareSessionInitiationProtocolDenialofServiceVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080af811b.shtml.
3.35.4References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
SECTRACK1022930Weblink:http://www.securitytracker.com/id?1022930;VUPENADV-2009-2759Weblink:http://www.vupen.com/english/advisories/2009/2759.
Gotothereportcontentsorthestartofthissection.
3.36CVE-2009-5038
3.36.1Summary
CiscoIOSbefore15.0(1)XAdoesnotproperlyhandleIRCtrafficduringaspecifictimeperiodafteraninitialreload,whichallowsremoteattackerstocauseadenialofservice(devicereload)viaanattemptedconnectiontoacertainIRCserver,relatedtoa"corruptedmagicvalue,"akaBugIDCSCso05336.
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:07/01/2011
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:07/01/2011
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:25/03/2010
3.36.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.36.3References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
Weblink:http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf;BID45764Weblink:http://www.securityfocus.com/bid/45764;XFciscoios-irctraffic-dos(64682)Weblink:http://xforce.iss.net/xforce/xfdb/64682.
Gotothereportcontentsorthestartofthissection.
3.37CVE-2009-5039
3.37.1Summary
Memoryleakinthegk_circuit_info_do_in_acffunctionintheH.323implementationinCiscoIOSbefore15.0(1)XAallowsremoteattackerstocauseadenialofservice(memoryconsumption)viaalargenumberofcallsoveralongduration,asdemonstratedbyInterZoneClearToken(IZCT)testtraffic,akaBugIDCSCsz72535.
3.37.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.37.3References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
Weblink:http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf;XFcisco-ios-gkcircuitinfodoinacf-dos(64731)Weblink:http://xforce.iss.net/xforce/xfdb/64731.
Gotothereportcontentsorthestartofthissection.
3.38CVE-2010-0576
3.38.1Summary
UnspecifiedvulnerabilityinCiscoIOS12.0through12.4,IOSXE2.1.xthrough2.3.xbefore2.3.2,andIOSXR3.2.xthrough3.4.3,whenMultiprotocolLabelSwitching(MPLS)andLabelDistributionProtocol(LDP)areenabled,allowsremoteattackerstocauseadenialofservice(devicereloadorprocessrestart)viaacraftedLDPpacket,akaBugIDsCSCsz45567andCSCsj25893.
3.38.2AffectedDevice
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.38.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20100324CiscoIOSSoftwareMultiprotocolLabelSwitchingPacketVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20ee2.shtml.
3.38.4References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
BID38938Weblink:http://www.securityfocus.com/bid/38938;SECTRACK1023740Weblink:http://www.securitytracker.com/id?1023740;VUPENADV-2010-0707Weblink:http://www.vupen.com/english/advisories/2010/0707;XFciscoios-ldp-dos(57143)Weblink:http://xforce.iss.net/xforce/xfdb/57143.
Gotothereportcontentsorthestartofthissection.
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:25/03/2010
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:25/03/2010
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:25/03/2010
3.39CVE-2010-0578
3.39.1Summary
TheIKEimplementationinCiscoIOS12.2through12.4onCisco7200and7301routerswithVAM2+allowsremoteattackerstocauseadenialofservice(devicereload)viaamalformedIKEpacket,akaBugIDCSCtb13491.
3.39.2AffectedDevice
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.39.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20100324CiscoIOSSoftwareIPsecVulnerabilityWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20ee5.shtml.
3.39.4References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
BID38932Weblink:http://www.securityfocus.com/bid/38932;SECTRACK1023741Weblink:http://www.securitytracker.com/id?1023741;VUPENADV-2010-0709Weblink:http://www.vupen.com/english/advisories/2010/0709;XFciscoios-vpn-dos(57148)Weblink:http://xforce.iss.net/xforce/xfdb/57148.
Gotothereportcontentsorthestartofthissection.
3.40CVE-2010-0579
3.40.1Summary
TheSIPimplementationinCiscoIOS12.3and12.4allowsremoteattackerstocauseadenialofservice(devicereload)viaamalformedSIPmessage,akaBugIDCSCtb93416,the"SIPMessageHandlingDenialofServiceVulnerability."
3.40.2AffectedDevice
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.40.3VendorSecurityAdvisories
Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:
Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=20063;CISCO20100324CiscoIOSSoftwareSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20f32.shtml.
3.40.4Reference
Thefollowingreferencecontainsfurtherinformationaboutthisvulnerability:
SECTRACK1023744Weblink:http://securitytracker.com/id?1023744.
Gotothereportcontentsorthestartofthissection.
3.41CVE-2010-0582
3.41.1Summary
CiscoIOS12.1through12.4,and15.0Mbefore15.0(1)M1,allowsremoteattackerstocauseadenialofservice(interfacequeuewedge)viamalformedH.323packets,akaBugIDCSCta19962.
3.41.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.41.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:25/03/2010
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:25/03/2010
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:23/09/2010
CISCO20100324CiscoIOSSoftwareH.323DenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20ee4.shtml.
3.41.4References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
SECTRACK1023742Weblink:http://www.securitytracker.com/id?1023742;VUPENADV-2010-0706Weblink:http://www.vupen.com/english/advisories/2010/0706.
Gotothereportcontentsorthestartofthissection.
3.42CVE-2010-0585
3.42.1Summary
CiscoIOS12.1through12.4,whenCiscoUnifiedCommunicationsManagerExpress(CME)orCiscoUnifiedSurvivableRemoteSiteTelephony(SRST)isenabled,allowsremoteattackerstocauseadenialofservice(devicereload)viaamalformedSkinnyClientControlProtocol(SCCP)message,akaBugIDCSCsz48614,the"SCCPPacketProcessingDenialofServiceVulnerability."
3.42.2AffectedDevice
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.42.3VendorSecurityAdvisories
Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:
Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=20069;CISCO20100324CiscoUnifiedCommunicationsManagerExpressDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20f33.shtml.
Gotothereportcontentsorthestartofthissection.
3.43CVE-2010-0586
3.43.1Summary
CiscoIOS12.1through12.4,whenCiscoUnifiedCommunicationsManagerExpress(CME)orCiscoUnifiedSurvivableRemoteSiteTelephony(SRST)isenabled,allowsremoteattackerstocauseadenialofservice(devicereload)viaamalformedSkinnyClientControlProtocol(SCCP)message,akaBugIDCSCsz49741,the"SCCPRequestHandlingDenialofServiceVulnerability."
3.43.2AffectedDevice
TheCiscoRouterrouter03wasaffectedbythissecurityvulnerability.
3.43.3VendorSecurityAdvisories
Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:
Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=20070;CISCO20100324CiscoUnifiedCommunicationsManagerExpressDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20f33.shtml.
Gotothereportcontentsorthestartofthissection.
3.44CVE-2010-2828
3.44.1Summary
UnspecifiedvulnerabilityintheH.323implementationinCiscoIOS12.1through12.4and15.0through15.1,andIOSXE2.5.xbefore2.5.2and2.6.xbefore2.6.1,allowsremoteattackerstocauseadenialofservice(devicereload)viacraftedH.323packets,akaBugIDCSCtc73759.
3.44.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.44.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20100922CiscoIOSSoftwareH.323DenialofServiceVulnerabilities
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:23/09/2010
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:23/09/2010
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:23/09/2010
OverallRating:HIGH
Weblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a300.shtml.
Gotothereportcontentsorthestartofthissection.
3.45CVE-2010-2829
3.45.1Summary
UnspecifiedvulnerabilityintheH.323implementationinCiscoIOS12.1through12.4and15.0through15.1,andIOSXE2.5.xbefore2.5.2and2.6.xbefore2.6.1,allowsremoteattackerstocauseadenialofservice(tracebackanddevicereload)viacraftedH.323packets,akaBugIDCSCtd33567.
3.45.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.45.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20100922CiscoIOSSoftwareH.323DenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a300.shtml.
Gotothereportcontentsorthestartofthissection.
3.46CVE-2010-2831
3.46.1Summary
UnspecifiedvulnerabilityintheNATforSIPimplementationinCiscoIOS12.1through12.4and15.0through15.1allowsremoteattackerstocauseadenialofservice(devicereload)viatransittrafficonUDPport5060,akaBugIDCSCtf17624.
3.46.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.46.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20100922CiscoIOSSoftwareNetworkAddressTranslationVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a311.shtml.
Gotothereportcontentsorthestartofthissection.
3.47CVE-2010-2832
3.47.1Summary
UnspecifiedvulnerabilityintheNATforH.323implementationinCiscoIOS12.1through12.4and15.0through15.1allowsremoteattackerstocauseadenialofservice(devicereload)viatransittraffic,akaBugIDCSCtf91428.
3.47.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.47.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20100922CiscoIOSSoftwareNetworkAddressTranslationVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a311.shtml.
Gotothereportcontentsorthestartofthissection.
3.48CVE-2010-2833
3.48.1Summary
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:23/09/2010
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:23/09/2010
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:23/09/2010
OverallRating:HIGH
UnspecifiedvulnerabilityintheNATforH.225.0implementationinCiscoIOS12.1through12.4and15.0through15.1allowsremoteattackerstocauseadenialofservice(devicereload)viatransittraffic,akaBugIDCSCtd86472.
3.48.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.48.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20100922CiscoIOSSoftwareNetworkAddressTranslationVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a311.shtml.
Gotothereportcontentsorthestartofthissection.
3.49CVE-2010-2834
3.49.1Summary
CiscoIOS12.2through12.4and15.0through15.1,CiscoIOSXE2.5.xand2.6.xbefore2.6.1,andCiscoUnifiedCommunicationsManager(akaCUCM,formerlyCallManager)6.xbefore6.1(5)SU1,7.xbefore7.1(5),and8.0before8.0(2)allowremoteattackerstocauseadenialofservice(devicereloadorvoice-servicesoutage)viacraftedSIPregistrationtrafficoverUDP,akaBugIDsCSCtf72678andCSCtf14987.
3.49.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.49.3VendorSecurityAdvisories
Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:
CISCO20100922CiscoIOSSoftwareSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a30f.shtml;CISCO20100922CiscoUnifiedCommunicationsManagerSessionInitiationProtocolDenialofServiceVulnerabilitiesWeblink:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a313.shtml.
Gotothereportcontentsorthestartofthissection.
3.50CVE-2010-2835
3.50.1Summary
CiscoIOS12.2through12.4and15.0through15.1,CiscoIOSXE2.5.xand2.6.xbefore2.6.1,andCiscoUnifiedCommunicationsManager(akaCUCM,formerlyCallManager)6.xbefore6.1(5),7.0before7.0(2a)su3,7.1subefore7.1(3b)su2,7.1before7.1(5),and8.0before8.0(1)allowremoteattackerstocauseadenialofservice(devicereloadorvoice-servicesoutage)viaaSIPREFERrequestwithaninvalidRefer-Toheader,akaBugIDsCSCta20040andCSCta31358.
3.50.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.50.3VendorSecurityAdvisories
Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:
CISCO 20100922 Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a30f.shtml
CISCO 20100922 Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerabilities Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a313.shtml

3.51 CVE-2010-2836
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 23/09/2010
3.51.1 Summary
Memory leak in the SSL VPN feature in Cisco IOS 12.4, 15.0, and 15.1, when HTTP port redirection is enabled, allows remote attackers to cause a denial of service (memory consumption) by improperly disconnecting SSL sessions, leading to connections that remain in the CLOSE-WAIT state, aka Bug ID CSCtg21685.
3.51.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.51.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20100922 Cisco IOS SSL VPN Vulnerability Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a312.shtml

3.52 CVE-2010-4671
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 07/01/2011
3.52.1 Summary
The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in Cisco IOS before 15.0(1)XA5 allows remote attackers to cause a denial of service (CPU consumption and device hang) by sending many Router Advertisement (RA) messages with different source addresses, as demonstrated by the flood_router6 program in the thc-ipv6 package, aka Bug ID CSCti33534.
3.52.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03
Cisco Router - CiscoIOS15
3.52.3 References
The following references contain further information about this vulnerability:
MISC Weblink: http://events.ccc.de/congress/2010/Fahrplan/events/3957.en.html
MISC Weblink: http://mirror.fem-net.de/CCC/27C3/mp3-audio-only/27c3-3957-en-ipv6_insecurities.mp3
MISC Weblink: http://mirror.fem-net.de/CCC/27C3/mp4-h264-HQ/27c3-3957-en-ipv6_insecurities.mp4
Weblink: http://www.ciscosystems.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf
BID 45760 Weblink: http://www.securityfocus.com/bid/45760
MISC Weblink: http://www.youtube.com/watch?v=00yjWB6gGy8
XF ciscoios-neighbor-discovery-dos(64589) Weblink: http://xforce.iss.net/xforce/xfdb/64589

3.53 CVE-2010-4683
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 07/01/2011
3.53.1 Summary
Memory leak in Cisco IOS before 15.0(1)XA5 might allow remote attackers to cause a denial of service (memory consumption) by sending a crafted SIP REGISTER message over UDP, aka Bug ID CSCtg41733.
3.53.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03
Cisco Router - CiscoIOS15
3.53.3 References
The following references contain further information about this vulnerability:
Weblink: http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf
BID 45786 Weblink: http://www.securityfocus.com/bid/45786
XF ciscoios-sip-register-dos(64588) Weblink: http://xforce.iss.net/xforce/xfdb/64588

3.54 CVE-2010-4686
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 07/01/2011
3.54.1 Summary
Call Manager Express (CME) on Cisco IOS before 15.0(1)XA1 does not properly handle SIP TRUNK traffic that contains rate bursts and a "peculiar" request size, which allows remote attackers to cause a denial of service (memory consumption) by sending this traffic over a long duration, aka Bug ID CSCtb47950.
3.54.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03
Cisco Router - CiscoIOS15
3.54.3 References
The following references contain further information about this vulnerability:
Weblink: http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf
BID 45769 Weblink: http://www.securityfocus.com/bid/45769
XF ciscoios-siptrunk-dos(64585) Weblink: http://xforce.iss.net/xforce/xfdb/64585

3.55 CVE-2011-0939
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/10/2011
3.55.1 Summary
Unspecified vulnerability in Cisco IOS 12.4, 15.0, and 15.1, and IOS XE 2.5.x through 3.2.x, allows remote attackers to cause a denial of service (device reload) via a crafted SIP message, aka Bug ID CSCth03022.
3.55.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.55.3 Vendor Security Advisories
The following security advisories contain more specific information direct from the manufacturers about this vulnerability:
Weblink: http://tools.cisco.com/security/center/viewAlert.x?alertId=24127
CISCO 20110928 Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d5a.shtml

3.56 CVE-2011-0944
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/10/2011
3.56.1 Summary
Cisco IOS 12.4, 15.0, and 15.1 allows remote attackers to cause a denial of service (device reload) via malformed IPv6 packets, aka Bug ID CSCtj41194.
3.56.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.56.3 Vendor Security Advisories
The following security advisories contain more specific information direct from the manufacturers about this vulnerability:
Weblink: http://tools.cisco.com/security/center/viewAlert.x?alertId=24131
CISCO 20110928 Cisco IOS Software IPv6 Denial of Service Vulnerability Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d59.shtml

3.57 CVE-2011-0945
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/10/2011
3.57.1 Summary
Memory leak in the Data-link switching (aka DLSw) feature in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xS before 3.1.3S and 3.2.xS before 3.2.1S, when implemented over Fast Sequence Transport (FST), allows remote attackers to cause a denial of service (memory consumption and device reload or hang) via a crafted IP protocol 91 packet, aka Bug ID CSCth69364.
3.57.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03
Cisco Router - CiscoIOS15
3.57.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20110928 Cisco IOS Software Data-Link Switching Vulnerability Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d4e.shtml
3.57.4 Reference
The following reference contains further information about this vulnerability:
Weblink: http://tools.cisco.com/security/center/viewAlert.x?alertId=24116

3.58 CVE-2011-0946
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/10/2011
3.58.1 Summary
The NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload or hang) via malformed NetMeeting Directory (aka Internet Locator Service or ILS) LDAP traffic, aka Bug ID CSCtd10712.
3.58.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03
Cisco Router - CiscoIOS15
3.58.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20110928 Cisco IOS Software Network Address Translation Vulnerabilities Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d4d.shtml
3.58.4 Reference
The following reference contains further information about this vulnerability:
Weblink: http://tools.cisco.com/security/center/viewAlert.x?alertId=24117

3.59 CVE-2011-2072
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/10/2011
3.59.1 Summary
Memory leak in Cisco IOS 12.4, 15.0, and 15.1, Cisco IOS XE 2.5.x through 3.2.x, and Cisco Unified Communications Manager (CUCM) 6.x and 7.x before 7.1(5b)su4, 8.x before 8.5(1)su2, and 8.6 before 8.6(1) allows remote attackers to cause a denial of service (memory consumption and device reload or process failure) via a malformed SIP message, aka Bug IDs CSCtl86047 and CSCto88686.
3.59.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.59.3 Vendor Security Advisories
The following security advisories contain more specific information direct from the manufacturers about this vulnerability:
CISCO 20110928 Cisco Unified Communications Manager Session Initiation Protocol Memory Leak Vulnerability Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d58.shtml
CISCO 20110928 Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d5a.shtml
3.59.4 References
The following references contain further information about this vulnerability:
CISCO 20110928 Cisco Unified Communications Manager Memory Leak Vulnerability Weblink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-cucm
Weblink: http://tools.cisco.com/security/center/viewAlert.x?alertId=24129
SECTRACK 1026110 Weblink: http://www.securitytracker.com/id?1026110

3.60 CVE-2011-3270
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/10/2011
3.60.1 Summary
Unspecified vulnerability in Cisco IOS 12.2SB before 12.2(33)SB10 and 15.0S before 15.0(1)S3a on Cisco 10000 series routers allows remote attackers to cause a denial of service (device reload) via a sequence of crafted ICMP packets, aka Bug ID CSCtk62453.
3.60.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.60.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20110928 Cisco 10000 Series Denial of Service Vulnerability Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d50.shtml
3.60.4 Reference
The following reference contains further information about this vulnerability:
Weblink: http://tools.cisco.com/security/center/viewAlert.x?alertId=24114

3.61 CVE-2011-3273
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/10/2011
3.61.1 Summary
Memory leak in Cisco IOS 15.0 through 15.1, when IPS or Zone-Based Firewall (aka ZBFW) is configured, allows remote attackers to cause a denial of service (memory consumption or device crash) via vectors that trigger many session creation flows, aka Bug ID CSCti79848.
3.61.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.61.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20110928 Cisco IOS Software IPS and Zone-Based Firewall Vulnerabilities Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d57.shtml
3.61.4 Reference
The following reference contains further information about this vulnerability:
Weblink: http://tools.cisco.com/security/center/viewAlert.x?alertId=24123

3.62 CVE-2011-3275
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/10/2011
3.62.1 Summary
Memory leak in Cisco IOS 12.4, 15.0, and 15.1, and IOS XE 2.5.x through 3.2.x, allows remote attackers to cause a denial of service (memory consumption) via a crafted SIP message, aka Bug ID CSCti48504.
3.62.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.62.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20110928 Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d5a.shtml
3.62.4 Reference
The following reference contains further information about this vulnerability:
Weblink: http://tools.cisco.com/security/center/viewAlert.x?alertId=24130

3.63 CVE-2011-3276
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/10/2011
3.63.1 Summary
Unspecified vulnerability in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload or hang) by sending crafted SIP packets to TCP port 5060, aka Bug ID CSCso02147.
3.63.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03
Cisco Router - CiscoIOS15
3.63.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20110928 Cisco IOS Software Network Address Translation Vulnerabilities Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d4d.shtml
3.63.4 Reference
The following reference contains further information about this vulnerability:
Weblink: http://tools.cisco.com/security/center/viewAlert.x?alertId=24118

3.64 CVE-2011-3277
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/10/2011
3.64.1 Summary
Unspecified vulnerability in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload) by sending crafted H.323 packets to TCP port 1720, aka Bug ID CSCth11006.
3.64.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03
Cisco Router - CiscoIOS15
3.64.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20110928 Cisco IOS Software Network Address Translation Vulnerabilities Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d4d.shtml
3.64.4 Reference
The following reference contains further information about this vulnerability:
Weblink: http://tools.cisco.com/security/center/viewAlert.x?alertId=24119

3.65 CVE-2011-3278
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/10/2011
3.65.1 Summary
Unspecified vulnerability in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload) by sending crafted SIP packets to UDP port 5060, aka Bug ID CSCti48483.
3.65.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03
Cisco Router - CiscoIOS15
3.65.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20110928 Cisco IOS Software Network Address Translation Vulnerabilities Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d4d.shtml
3.65.4 Reference
The following reference contains further information about this vulnerability:
Weblink: http://tools.cisco.com/security/center/viewAlert.x?alertId=24120

3.66 CVE-2011-3279
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/10/2011
3.66.1 Summary
The provider-edge MPLS NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload) via a malformed SIP packet to UDP port 5060, aka Bug ID CSCti98219.
3.66.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03
Cisco Router - CiscoIOS15
3.66.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20110928 Cisco IOS Software Network Address Translation Vulnerabilities Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d4d.shtml
3.66.4 Reference
The following reference contains further information about this vulnerability:
Weblink: http://tools.cisco.com/security/center/viewAlert.x?alertId=24121

3.67 CVE-2011-3280
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/10/2011
3.67.1 Summary
Memory leak in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (memory consumption or device reload) by sending crafted SIP packets to UDP port 5060, aka Bug ID CSCtj04672.
3.67.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03
Cisco Router - CiscoIOS15
3.67.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20110928 Cisco IOS Software Network Address Translation Vulnerabilities Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d4d.shtml
3.67.4 Reference
The following reference contains further information about this vulnerability:
Weblink: http://tools.cisco.com/security/center/viewAlert.x?alertId=24120

3.68 CVE-2011-3281
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/10/2011
3.68.1 Summary
Unspecified vulnerability in Cisco IOS 15.0 through 15.1, in certain HTTP Layer 7 Application Control and Inspection configurations, allows remote attackers to cause a denial of service (device reload or hang) via a crafted HTTP packet, aka Bug ID CSCto68554.
3.68.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.68.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20110928 Cisco IOS Software IPS and Zone-Based Firewall Vulnerabilities Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d57.shtml
3.68.4 Reference
The following reference contains further information about this vulnerability:
Weblink: http://tools.cisco.com/security/center/viewAlert.x?alertId=24124

3.69 CVE-2011-3282
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/10/2011
3.69.1 Summary
Unspecified vulnerability in Cisco IOS 12.2SRE before 12.2(33)SRE4, 15.0, and 15.1, and IOS XE 2.1.x through 3.3.x, when an MPLS domain is configured, allows remote attackers to cause a denial of service (device reload) via an ICMPv6 packet, related to an expired MPLS TTL, aka Bug ID CSCtj30155.
3.69.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.69.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20110928 Cisco IOS Software IPv6 over MPLS Vulnerabilities Weblink: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d52.shtml
3.69.4 Reference
The following reference contains further information about this vulnerability:
Weblink: http://tools.cisco.com/security/center/viewAlert.x?alertId=24126

3.70 CVE-2012-0381
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 29/03/2012
3.70.1 Summary
The IKEv1 implementation in Cisco IOS 12.2 through 12.4 and 15.0 through 15.2 and IOS XE 2.1.x through 2.6.x and 3.1.xS through 3.4.xS before 3.4.2S, 3.5.xS before 3.5.1S, and 3.2.xSG before 3.2.2SG allows remote attackers to cause a denial of service (device reload) by sending IKE UDP packets over (1) IPv4 or (2) IPv6, aka Bug ID CSCts38429.
3.70.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03
Cisco Router - CiscoIOS15
3.70.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120328 Cisco IOS Internet Key Exchange Vulnerability Weblink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-ike
3.70.4 References
The following references contain further information about this vulnerability:
BID 52757 Weblink: http://www.securityfocus.com/bid/52757
SECTRACK 1026863 Weblink: http://www.securitytracker.com/id?1026863
XF ciscoios-ike-packet-dos(74427) Weblink: http://xforce.iss.net/xforce/xfdb/74427

3.71 CVE-2012-0383
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 29/03/2012
3.71.1 Summary
Memory leak in the NAT feature in Cisco IOS 12.4, 15.0, and 15.1 allows remote attackers to cause a denial of service (memory consumption, and device hang or reload) via SIP packets that require translation, related to a "memory starvation vulnerability," aka Bug ID CSCti35326.
3.71.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.71.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120328 Cisco IOS Software Network Address Translation Vulnerability Weblink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-nat
3.71.4 References
The following references contain further information about this vulnerability:
BID 52758 Weblink: http://www.securityfocus.com/bid/52758
SECTRACK 1026864 Weblink: http://www.securitytracker.com/id?1026864
XF ciscoios-nat-feature-dos(74432) Weblink: http://xforce.iss.net/xforce/xfdb/74432

3.72 CVE-2012-0385
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 29/03/2012
3.72.1 Summary
The Smart Install feature in Cisco IOS 12.2, 15.0, 15.1, and 15.2 allows remote attackers to cause a denial of service (device reload) by sending a malformed Smart Install message over TCP, aka Bug ID CSCtt16051.
3.72.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.72.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120328 Cisco IOS Software Smart Install Denial of Service Vulnerability Weblink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-smartinstall
3.72.4 References
The following references contain further information about this vulnerability:
BID 52756 Weblink: http://www.securityfocus.com/bid/52756
SECTRACK 1026867 Weblink: http://www.securitytracker.com/id?1026867
XF ciscoios-smartinstall-dos(74430) Weblink: http://xforce.iss.net/xforce/xfdb/74430

3.73 CVE-2012-0386
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 29/03/2012
3.73.1 Summary
The SSHv2 implementation in Cisco IOS 12.2, 12.4, 15.0, 15.1, and 15.2 and IOS XE 2.3.x through 2.6.x and 3.1.xS through 3.4.xS before 3.4.2S allows remote attackers to cause a denial of service (device reload) via a crafted username in a reverse SSH login attempt, aka Bug ID CSCtr49064.
3.73.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.73.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120328 Cisco IOS Software Reverse SSH Denial of Service Vulnerability Weblink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-ssh
3.73.4 References
The following references contain further information about this vulnerability:
BID 52752 Weblink: http://www.securityfocus.com/bid/52752
XF ciscoios-sshv2-dos(74404) Weblink: http://xforce.iss.net/xforce/xfdb/74404

3.74 CVE-2012-0387
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 29/03/2012
3.74.1 Summary
Memory leak in the HTTP Inspection Engine feature in the Zone-Based Firewall in Cisco IOS 12.4, 15.0, 15.1, and 15.2 allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted transit HTTP traffic, aka Bug ID CSCtq36153.
3.74.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.74.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120328 Cisco IOS Software Zone-Based Firewall Vulnerabilities Weblink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-zbfw
3.74.4 Reference
The following reference contains further information about this vulnerability:
XF ciscoios-inspectionengine-dos(74435) Weblink: http://xforce.iss.net/xforce/xfdb/74435

3.75 CVE-2012-0388
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 29/03/2012
3.75.1 Summary
Memory leak in the H.323 inspection feature in the Zone-Based Firewall in Cisco IOS 12.4, 15.0, 15.1, and 15.2 allows remote attackers to cause a denial of service (memory consumption or device reload) via malformed transit H.323 traffic, aka Bug ID CSCtq45553.
3.75.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.75.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120328 Cisco IOS Software Zone-Based Firewall Vulnerabilities Weblink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-zbfw
3.75.4 Reference
The following reference contains further information about this vulnerability:
XF ciscoios-h323messages-dos(74436) Weblink: http://xforce.iss.net/xforce/xfdb/74436

3.76 CVE-2012-1310
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 29/03/2012
3.76.1 Summary
Memory leak in the Zone-Based Firewall in Cisco IOS 12.4, 15.0, 15.1, and 15.2 allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted IP packets, aka Bug ID CSCto89536.
3.76.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.76.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120328 Cisco IOS Software Zone-Based Firewall Vulnerabilities Weblink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-zbfw

3.77 CVE-2012-1311
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 29/03/2012
3.77.1 Summary
The RSVP feature in Cisco IOS 15.0 and 15.1 and IOS XE 3.2.xS through 3.4.xS before 3.4.2S, when a VRF interface is configured, allows remote attackers to cause a denial of service (interface queue wedge and service outage) via crafted RSVP packets, aka Bug ID CSCts80643.
3.77.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.77.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120328 Cisco IOS Software RSVP Denial of Service Vulnerability Weblink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-rsvp
3.77.4 Reference
The following reference contains further information about this vulnerability:
BID 52754 Weblink: http://www.securityfocus.com/bid/52754

3.78 CVE-2012-1315
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 29/03/2012
3.78.1 Summary
Memory leak in the SIP inspection feature in the Zone-Based Firewall in Cisco IOS 12.4, 15.0, 15.1, and 15.2 allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted transit SIP traffic, aka Bug ID CSCti46171.
3.78.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.78.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120328 Cisco IOS Software Zone-Based Firewall Vulnerabilities Weblink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-zbfw
3.78.4 Reference
The following reference contains further information about this vulnerability:
XF ciscoios-sip-inspection-dos(74437) Weblink: http://xforce.iss.net/xforce/xfdb/74437

3.79 CVE-2012-1350
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 06/08/2012
3.79.1 Summary
Cisco IOS 12.3 and 12.4 on Aironet access points allows remote attackers to cause a denial of service (radio-interface input-queue hang) via IAPP 0x3281 packets, aka Bug ID CSCtc12426.
3.79.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.79.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
Weblink: http://www.cisco.com/en/US/docs/wireless/access_point/ios/release/notes/12_3_8_JED1rn.html

3.80 CVE-2012-3949
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 26/09/2012
3.80.1 Summary
The SIP implementation in Cisco Unified Communications Manager (CUCM) 6.x and 7.x before 7.1(5b)su5, 8.x before 8.5(1)su4, and 8.6 before 8.6(2a)su1; Cisco IOS 12.2 through 12.4 and 15.0 through 15.2; and Cisco IOS XE 3.3.xSG before 3.3.1SG, 3.4.xS, and 3.5.xS allows remote attackers to cause a denial of service (service crash or device reload) via a crafted SIP message containing an SDP session description, aka Bug IDs CSCtw66721, CSCtj33003, and CSCtw84664.
3.80.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03
Cisco Router - CiscoIOS15
3.80.3 Vendor Security Advisories
The following security advisories contain more specific information direct from the manufacturers about this vulnerability:
CISCO 20120926 Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability Weblink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-cucm
CISCO 20120926 Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability Weblink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-sip
3.80.4 Reference
The following reference contains further information about this vulnerability:
BID 55697 Weblink: http://www.securityfocus.com/bid/55697

3.81 CVE-2012-4618
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 26/09/2012
3.81.1 Summary
The SIP ALG feature in the NAT implementation in Cisco IOS 12.2, 12.4, and 15.0 through 15.2 allows remote attackers to cause a denial of service (device reload) via transit IP packets, aka Bug ID CSCtn76183.
3.81.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.81.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120926 Cisco IOS Software Network Address Translation Vulnerabilities Weblink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-nat
3.81.4 References
The following references contain further information about this vulnerability:
BID 55693 Weblink: http://www.securityfocus.com/bid/55693
SECTRACK 1027579 Weblink: http://www.securitytracker.com/id?1027579

3.82 CVE-2012-4619
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 26/09/2012
3.82.1 Summary
The NAT implementation in Cisco IOS 12.2, 12.4, and 15.0 through 15.2 allows remote attackers to cause a denial of service (device reload) via transit IP packets, aka Bug ID CSCtr46123.
3.82.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.82.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120926 Cisco IOS Software Network Address Translation Vulnerabilities Weblink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-nat
3.82.4 References
The following references contain further information about this vulnerability:
BID 55705 Weblink: http://www.securityfocus.com/bid/55705
SECTRACK 1027579 Weblink: http://www.securitytracker.com/id?1027579

3.83 CVE-2012-4620
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 26/09/2012
3.83.1 Summary
Cisco IOS 12.2 and 15.0 through 15.2 on Cisco 10000 series routers, when a tunnel interface exists, allows remote attackers to cause a denial of service (interface queue wedge) via tunneled (1) GRE/IP, (2) IPIP, or (3) IPv6 in IPv4 packets, aka Bug ID CSCts66808.
3.83.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.83.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120926 Cisco IOS Software Tunneled Traffic Queue Wedge Vulnerability Weblink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-c10k-tunnels
3.83.4 References
The following references contain further information about this vulnerability:
BID 55696 Weblink: http://www.securityfocus.com/bid/55696
SECTRACK 1027578 Weblink: http://www.securitytracker.com/id?1027578
XF ciscoios-tunneled-dos(78883) Weblink: http://xforce.iss.net/xforce/xfdb/78883

3.84 CVE-2012-4621
Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 26/09/2012
3.84.1 Summary
The Device Sensor feature in Cisco IOS 15.0 through 15.2 allows remote attackers to cause a denial of service (device reload) via a DHCP packet, aka Bug ID CSCty96049.
3.84.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.84.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:

Overall Rating: HIGH
CVSS v2 Score: 7.8
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8)
CISCO20120926CiscoIOSSoftwareDHCPDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-dhcp.
3.84.4Reference
Thefollowingreferencecontainsfurtherinformationaboutthisvulnerability:
SECTRACK1027572Weblink:http://www.securitytracker.com/id?1027572.
Gotothereportcontentsorthestartofthissection.
3.85CVE-2012-4623
3.85.1Summary
TheDHCPv6serverinCiscoIOS12.2through12.4and15.0through15.2andIOSXE2.1.xthrough2.6.x,3.1.xSbefore3.1.4S,3.1.xSGand3.2.xSGbefore3.2.5SG,3.2.xS,3.2.xXO,3.3.xS,and3.3.xSGbefore3.3.1SGallowsremoteattackerstocauseadenialofservice(devicereload)viaamalformed
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:26/09/2012
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:28/03/2013
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:28/03/2013
OverallRating:HIGH
DHCPv6packet,akaBugIDCSCto57723.
3.85.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.85.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20120926CiscoIOSSoftwareDHCPVersion6ServerDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-dhcpv6.
3.85.4References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
BID55700Weblink:http://www.securityfocus.com/bid/55700;SECTRACK1027577Weblink:http://www.securitytracker.com/id?1027577;XFciscoios-ciscoiosxe-dhcpv6-dos(78885)Weblink:http://xforce.iss.net/xforce/xfdb/78885.
Gotothereportcontentsorthestartofthissection.
3.86CVE-2013-1142
3.86.1Summary
RaceconditionintheVRF-awareNATfeatureinCiscoIOS12.2through12.4and15.0through15.2allowsremoteattackerstocauseadenialofservice(memoryconsumption)viaIPv4packets,akaBugIDsCSCtg47129andCSCtz96745.
3.86.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.86.3References
Thefollowingreferencescontainfurtherinformationaboutthisvulnerability:
CISCO20130327CiscoIOSSoftwareNetworkAddressTranslationVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-nat;CISCO20130327CiscoIOSSoftwareVRF-AwareNATMemoryStarvationVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1142.
Gotothereportcontentsorthestartofthissection.
3.87CVE-2013-1145
3.87.1Summary
MemoryleakinCiscoIOS12.2,12.4,15.0,and15.1,whenZone-BasedPolicyFirewallSIPapplicationlayergatewayinspectionisenabled,allowsremoteattackerstocauseadenialofservice(memoryconsumptionordevicereload)viamalformedSIPmessages,akaBugIDCSCtl99174.
3.87.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.87.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20130327CiscoIOSSoftwareZone-BasedPolicyFirewallSessionInitiationProtocolInspectionDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-cce.
Gotothereportcontentsorthestartofthissection.
3.88CVE-2013-1146
3.88.1Summary
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:28/03/2013
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:28/03/2013
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:27/09/2013
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:27/09/2013
TheSmartInstallclientfunctionalityinCiscoIOS12.2and15.0through15.3onCatalystswitchesallowsremoteattackerstocauseadenialofservice(devicereload)viacraftedimagelistparametersinSmartInstallpackets,akaBugIDCSCub55790.
3.88.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.88.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20130327CiscoIOSSoftwareSmartInstallDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-smartinstall.
Gotothereportcontentsorthestartofthissection.
3.89CVE-2013-1147
3.89.1Summary
TheProtocolTranslation(PT)functionalityinCiscoIOS12.3through12.4and15.0through15.3,whenone-stepport-23translationoraTelnet-to-PADrulesetisconfigured,doesnotproperlyvalidateTCPconnectioninformation,whichallowsremoteattackerstocauseadenialofservice(devicereload)viaanattemptedconnectiontoaPTresource,akaBugIDCSCtz35999.
3.89.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.89.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20130327CiscoIOSSoftwareProtocolTranslationVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-pt.
Gotothereportcontentsorthestartofthissection.
3.90CVE-2013-5474
3.90.1Summary
RaceconditionintheIPv6virtualfragmentationreassembly(VFR)implementationinCiscoIOS12.2through12.4and15.0through15.3allowsremoteattackerstocauseadenialofservice(devicereloadorhang)viafragmentedIPv6packets,akaBugIDCSCud64812.
3.90.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.90.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20130925CiscoIOSSoftwareIPv6VirtualFragmentationReassemblyDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-ipv6vfr.
Gotothereportcontentsorthestartofthissection.
3.91CVE-2013-5475
3.91.1Summary
CiscoIOS12.2through12.4and15.0through15.3,andIOSXE2.1through3.9,allowsremoteattackerstocauseadenialofservice(devicereload)viacraftedDHCPpacketsthatareprocessedlocallybya(1)serveror(2)relayagent,akaBugIDCSCug31561.
3.91.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:27/09/2013
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:27/09/2013
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:27/09/2013
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
3.91.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20130925CiscoIOSSoftwareDHCPDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-dhcp.
Gotothereportcontentsorthestartofthissection.
3.92CVE-2013-5477
3.92.1Summary
TheT1/E1driver-queuefunctionalityinCiscoIOS12.2and15.0through15.3,whenanHDLC32driverisused,allowsremoteattackerstocauseadenialofservice(interfacequeuewedge)viaburstynetworktraffic,akaBugIDCSCub67465.
3.92.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.92.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20130925CiscoIOSSoftwareQueueWedgeDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-wedge.
Gotothereportcontentsorthestartofthissection.
3.93CVE-2013-5478
3.93.1Summary
CiscoIOS15.0through15.3andIOSXE3.2through3.8,whenaVRFinterfaceexists,allowsremoteattackerstocauseadenialofservice(interfacequeuewedge)viacraftedUDPRSVPpackets,akaBugIDCSCuf17023.
3.93.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.93.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20130925CiscoIOSSoftwareResourceReservationProtocolInterfaceQueueWedgeVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-rsvp.
Gotothereportcontentsorthestartofthissection.
3.94CVE-2013-5479
3.94.1Summary
TheDNS-over-TCPimplementationinCiscoIOS12.2and15.0through15.3,whenNATisused,allowsremoteattackerstocauseadenialofservice(devicereload)viaacraftedIPv4DNSTCPstream,akaBugIDCSCtn53730.
3.94.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.94.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20130925CiscoIOSSoftwareNetworkAddressTranslationVulnerabilitiesWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-nat.
Gotothereportcontentsorthestartofthissection.
3.95CVE-2013-5480
3.95.1Summary
TheDNS-over-TCPimplementationinCiscoIOS12.2and15.0through15.3,whenNATisused,allowsremoteattackerstocauseadenialofservice(devicereload)viaacraftedIPv4DNSTCPstream,akaBugIDCSCuf28733.
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:27/09/2013
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:27/03/2014
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:27/03/2014
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:11/08/2014
3.95.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.95.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20130925CiscoIOSSoftwareNetworkAddressTranslationVulnerabilitiesWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-nat.
Gotothereportcontentsorthestartofthissection.
3.96CVE-2014-2108
3.96.1Summary
CiscoIOS12.2and15.0through15.3andIOSXE3.2through3.7before3.7.5Sand3.8through3.10before3.10.1Sallowremoteattackerstocauseadenialofservice(devicereload)viaamalformedIKEv2packet,akaBugIDCSCui88426.
3.96.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.96.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20140326CiscoIOSSoftwareInternetKeyExchangeVersion2DenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ikev2.
Gotothereportcontentsorthestartofthissection.
3.97CVE-2014-2109
3.97.1Summary
TheTCPInputmoduleinCiscoIOS12.2through12.4and15.0through15.4,whenNATisused,allowsremoteattackerstocauseadenialofservice(memoryconsumptionordevicereload)viacraftedTCPpackets,akaBugIDsCSCuh33843andCSCuj41494.
3.97.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.97.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20140326CiscoIOSSoftwareNetworkAddressTranslationVulnerabilitiesWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-nat.
Gotothereportcontentsorthestartofthissection.
3.98CVE-2014-3327
3.98.1Summary
TheEnergyWisemoduleinCiscoIOS12.2,15.0,15.1,15.2,and15.4andIOSXE3.2.xXO,3.3.xSG,3.4.xSG,and3.5.xEbefore3.5.3Eallowsremoteattackerstocauseadenialofservice(devicereload)viaacraftedIPv4packet,akaBugIDCSCup52101.
3.98.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.98.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20140806CiscoIOSSoftwareandCiscoIOSXESoftwareEnergyWiseCraftedPacketDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140806-energywise.
Gotothereportcontentsorthestartofthissection.
3.99CVE-2014-3354
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:25/09/2014
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:25/09/2014
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:25/09/2014
3.99.1Summary
CiscoIOS12.0,12.2,12.4,15.0,15.1,15.2,and15.3andIOSXE2.xand3.xbefore3.7.4S;3.2.xSEand3.3.xSEbefore3.3.2SE;3.3.xSGand3.4.xSGbefore3.4.4SG;and3.8.xS,3.9.xS,and3.10.xSbefore3.10.1Sallowremoteattackerstocauseadenialofservice(devicereload)viamalformedRSVPpackets,akaBugIDCSCui11547.
3.99.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.99.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20140924CiscoIOSSoftwareRSVPVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-rsvp.
3.99.4Reference
Thefollowingreferencecontainsfurtherinformationaboutthisvulnerability:
Weblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-rsvp/cvrf/cisco-sa-20140924-rsvp_cvrf.xml.
Gotothereportcontentsorthestartofthissection.
3.100CVE-2014-3357
3.100.1Summary
CiscoIOS15.0,15.1,15.2,and15.4andIOSXE3.3.xSEbefore3.3.2SE,3.3.xXObefore3.3.1XO,3.5.xEbefore3.5.2E,and3.11.xSbefore3.11.1Sallowremoteattackerstocauseadenialofservice(devicereload)viamalformedmDNSpackets,akaBugIDCSCul90866.
3.100.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.100.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20140924MultipleVulnerabilitiesinCiscoIOSSoftwareMulticastDomainNameSystemWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-mdns.
3.100.4Reference
Thefollowingreferencecontainsfurtherinformationaboutthisvulnerability:
Weblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-mdns/cvrf/cisco-sa-20140924-mdns_cvrf.xml.
Gotothereportcontentsorthestartofthissection.
3.101CVE-2014-3358
3.101.1Summary
MemoryleakinCiscoIOS15.0,15.1,15.2,and15.4andIOSXE3.3.xSEbefore3.3.2SE,3.3.xXObefore3.3.1XO,3.5.xEbefore3.5.2E,and3.11.xSbefore3.11.1Sallowsremoteattackerstocauseadenialofservice(memoryconsumption,andinterfacequeuewedgeordevicereload)viamalformedmDNSpackets,akaBugIDCSCuj58950.
3.101.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.101.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20140924MultipleVulnerabilitiesinCiscoIOSSoftwareMulticastDomainNameSystemWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-mdns.
3.101.4Reference
Thefollowingreferencecontainsfurtherinformationaboutthisvulnerability:
Weblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-mdns/cvrf/cisco-sa-20140924-mdns_cvrf.xml.
Gotothereportcontentsorthestartofthissection.
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:26/03/2015
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:26/03/2015
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:26/03/2015
3.102CVE-2015-0636
3.102.1Summary
TheAutonomicNetworkingInfrastructure(ANI)implementationinCiscoIOS12.2,12.4,15.0,15.2,15.3,and15.4andIOSXE3.10.xSthrough3.13.xSbefore3.13.1Sallowsremoteattackerstocauseadenialofservice(disrupteddomainaccess)viaspoofedANmessagesthatresetafinitestatemachine,akaBugIDCSCup62293.
3.102.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.102.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20150325MultipleVulnerabilitiesinCiscoIOSSoftwareandIOSXESoftwareAutonomicNetworkingInfrastructureWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-ani.
3.102.4Reference
Thefollowingreferencecontainsfurtherinformationaboutthisvulnerability:
SECTRACK1031982Weblink:http://www.securitytracker.com/id/1031982.
Gotothereportcontentsorthestartofthissection.
3.103CVE-2015-0637
3.103.1Summary
TheAutonomicNetworkingInfrastructure(ANI)implementationinCiscoIOS12.2,12.4,15.0,15.2,15.3,and15.4andIOSXE3.10.xSthrough3.13.xSbefore3.13.1Sallowsremoteattackerstocauseadenialofservice(devicereload)viaspoofedANmessages,akaBugIDCSCup62315.
3.103.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.103.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20150325MultipleVulnerabilitiesinCiscoIOSSoftwareandIOSXESoftwareAutonomicNetworkingInfrastructureWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-ani.
3.103.4Reference
Thefollowingreferencecontainsfurtherinformationaboutthisvulnerability:
SECTRACK1031982Weblink:http://www.securitytracker.com/id/1031982.
Gotothereportcontentsorthestartofthissection.
3.104CVE-2015-0642
3.104.1Summary
CiscoIOS12.2,12.4,15.0,15.1,15.2,15.3,and15.4andIOSXE2.5.x,2.6.x,3.1.xSthrough3.12.xSbefore3.12.3S,3.2.xEthrough3.7.xEbefore3.7.1E,3.3.xSG,3.4.xSG,and3.13.xSbefore3.13.2Sallowremoteattackerstocauseadenialofservice(devicereload)bysendingmalformedIKEv2packetsover(1)IPv4or(2)IPv6,akaBugIDCSCum36951.
3.104.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.104.3VendorSecurityAdvisories
Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:
CISCO20150325CiscoIOSSoftwareandIOSXESoftwareInternetKeyExchangeVersion2DenialofServiceVulnerabilitiesWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-ikev2;Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=37816.
3.104.4Reference
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:26/03/2015
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:26/03/2015
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:26/03/2015
Thefollowingreferencecontainsfurtherinformationaboutthisvulnerability:
SECTRACK1031978Weblink:http://www.securitytracker.com/id/1031978.
Gotothereportcontentsorthestartofthissection.
3.105CVE-2015-0643
3.105.1Summary
CiscoIOS12.2,12.4,15.0,15.1,15.2,15.3,and15.4andIOSXE2.5.x,2.6.x,3.1.xSthrough3.12.xSbefore3.12.3S,3.2.xEthrough3.7.xEbefore3.7.1E,3.3.xSG,3.4.xSG,and3.13.xSbefore3.13.2Sallowremoteattackerstocauseadenialofservice(memoryconsumptionanddevicereload)bysendingmalformedIKEv2packetsover(1)IPv4or(2)IPv6,akaBugIDCSCuo75572.
3.105.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.105.3VendorSecurityAdvisories
Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:
CISCO20150325CiscoIOSSoftwareandIOSXESoftwareInternetKeyExchangeVersion2DenialofServiceVulnerabilitiesWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-ikev2;Weblink:http://tools.cisco.com/security/center/viewAlert.x?alertId=37815.
3.105.4Reference
Thefollowingreferencecontainsfurtherinformationaboutthisvulnerability:
SECTRACK1031978Weblink:http://www.securitytracker.com/id/1031978.
Gotothereportcontentsorthestartofthissection.
3.106CVE-2015-0646
3.106.1Summary
MemoryleakintheTCPinputmoduleinCiscoIOS12.2,12.4,15.0,15.2,15.3,and15.4andIOSXE3.3.xXO,3.5.xE,3.6.xE,3.8.xSthrough3.10.xSbefore3.10.5S,and3.11.xSand3.12.xSbefore3.12.3Sallowsremoteattackerstocauseadenialofservice(memoryconsumptionordevicereload)bysendingcraftedTCPpacketsover(1)IPv4or(2)IPv6,akaBugIDCSCum94811.
3.106.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.106.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20150325CiscoIOSSoftwareandIOSXESoftwareTCPPacketMemoryLeakVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-tcpleak.
3.106.4Reference
Thefollowingreferencecontainsfurtherinformationaboutthisvulnerability:
SECTRACK1031980Weblink:http://www.securitytracker.com/id/1031980.
Gotothereportcontentsorthestartofthissection.
3.107CVE-2015-0647
3.107.1Summary
CiscoIOS12.2,12.4,15.0,15.2,and15.3allowsremoteattackerstocauseadenialofservice(devicereload)viamalformedCommonIndustrialProtocol(CIP)UDPpackets,akaBugIDCSCum98371.
3.107.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.107.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:26/03/2015
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:26/03/2015
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:26/03/2015
OverallRating:HIGH
CISCO20150325MultipleVulnerabilitiesinCiscoIOSSoftwareCommonIndustrialProtocolWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-cip.
Gotothereportcontentsorthestartofthissection.
3.108CVE-2015-0648
3.108.1Summary
MemoryleakinCiscoIOS12.2,12.4,15.0,15.2,and15.3allowsremoteattackerstocauseadenialofservice(memoryconsumption)viacraftedCommonIndustrialProtocol(CIP)TCPpackets,akaBugIDCSCun49658.
3.108.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.108.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20150325MultipleVulnerabilitiesinCiscoIOSSoftwareCommonIndustrialProtocolWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-cip.
Gotothereportcontentsorthestartofthissection.
3.109CVE-2015-0649
3.109.1Summary
CiscoIOS12.2,12.4,15.0,15.2,and15.3allowsremoteattackerstocauseadenialofservice(devicereload)viamalformedCommonIndustrialProtocol(CIP)TCPpackets,akaBugIDCSCun63514.
3.109.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.109.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20150325MultipleVulnerabilitiesinCiscoIOSSoftwareCommonIndustrialProtocolWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-cip.
Gotothereportcontentsorthestartofthissection.
3.110CVE-2015-0650
3.110.1Summary
TheServiceDiscoveryGateway(akamDNSGateway)inCiscoIOS12.2,12.4,15.0,15.1,15.2,15.3,and15.4andIOSXE3.9.xSand3.10.xSbefore3.10.4S,3.11.xSbefore3.11.3S,3.12.xSbefore3.12.2S,and3.13.xSbefore3.13.1Sallowsremoteattackerstocauseadenialofservice(devicereload)bysendingmalformedmDNSUDPpacketsover(1)IPv4or(2)IPv6,akaBugIDCSCup70579.
3.110.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.110.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20150325CiscoIOSSoftwareandIOSXESoftwaremDNSGatewayDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-mdns.
3.110.4Reference
Thefollowingreferencecontainsfurtherinformationaboutthisvulnerability:
SECTRACK1031979Weblink:http://www.securitytracker.com/id/1031979.
Gotothereportcontentsorthestartofthissection.
3.111CVE-2015-6278
3.111.1Summary
TheIPv6snoopingfunctionalityinthefirst-hopsecuritysubsysteminCiscoIOS12.2,15.0,15.1,15.2,
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:27/09/2015
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:27/09/2015
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:25/03/2016
OverallRating:HIGH
CVSSv2Score:7.8
CVSSv2Base:AV:N/AC:L/Au:N/C:N/I:N/A:C(7.8)
CVSSv2Temporal:E:ND/RL:ND/RC:ND(7.8)
CVSSv2Environmental::CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published:25/03/2016
15.3,15.4,and15.5andIOSXE3.2SE,3.3SE,3.3XO,3.4SG,3.5E,and3.6Ebefore3.6.3E;3.7Ebefore3.7.2E;3.9Sand3.10Sbefore3.10.6S;3.11Sbefore3.11.4S;3.12Sand3.13Sbefore3.13.3S;and3.14Sbefore3.14.2SdoesnotproperlyimplementtheControlPlaneProtection(akaCPPr)feature,whichallowsremoteattackerstocauseadenialofservice(devicereload)viaafloodofNDpackets,akaBugIDCSCus19794.
3.111.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.111.3VendorSecurityAdvisories
Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:
CISCO20150923CiscoIOSandIOSXESoftwareIPv6FirstHopSecurityDenialofServiceVulnerabilitiesWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-fhs;Weblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-fhs/cvrf/cisco-sa-20150923-fhs_cvrf.xml.
Gotothereportcontentsorthestartofthissection.
3.112CVE-2015-6279
3.112.1Summary
TheIPv6snoopingfunctionalityinthefirst-hopsecuritysubsysteminCiscoIOS12.2,15.0,15.1,15.2,15.3,15.4,and15.5andIOSXE3.2SE,3.3SE,3.3XO,3.4SG,3.5E,and3.6Ebefore3.6.3E;3.7Ebefore3.7.2E;3.9Sand3.10Sbefore3.10.6S;3.11Sbefore3.11.4S;3.12Sand3.13Sbefore3.13.3S;and3.14Sbefore3.14.2Sallowsremoteattackerstocauseadenialofservice(devicereload)viaamalformedNDpacketwiththeCryptographicallyGeneratedAddress(CGA)option,akaBugIDCSCuo04400.
3.112.2AffectedDevice
TheCiscoRouterCiscoIOS15wasaffectedbythissecurityvulnerability.
3.112.3VendorSecurityAdvisories
Thefollowingisalistofsecurityadvisoriescontainmorespecificinformationdirectfromthemanufacturersaboutthisvulnerability:
CISCO20150923CiscoIOSandIOSXESoftwareIPv6FirstHopSecurityDenialofServiceVulnerabilitiesWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-fhs;Weblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-fhs/cvrf/cisco-sa-20150923-fhs_cvrf.xml.
Gotothereportcontentsorthestartofthissection.
3.113CVE-2016-1348
3.113.1Summary
CiscoIOS15.0through15.5andIOSXE3.3through3.16allowremoteattackerstocauseadenialofservice(devicereload)viaacraftedDHCPv6Relaymessage,akaBugIDCSCus55821.
3.113.2AffectedDevices
Thefollowing2auditeddeviceswereaffectedbythissecurityvulnerability:
CiscoRouter-router03;CiscoRouter-CiscoIOS15.
3.113.3VendorSecurityAdvisory
Thefollowingsecurityadvisoryprovidesmoreinformationaboutthisvulnerabilityfromthemanufacturer:
CISCO20160323CiscoIOSandIOSXESoftwareDHCPv6RelayDenialofServiceVulnerabilityWeblink:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-dhcpv6.
Gotothereportcontentsorthestartofthissection.
3.114 CVE-2016-1349
3.114.1 Summary
The Smart Install client implementation in Cisco IOS 12.2, 15.0, and 15.2 and IOS XE 3.2 through 3.7 allows remote attackers to cause a denial of service (device reload) via crafted image list parameters in a Smart Install packet, aka Bug ID CSCuv45410.
3.114.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
Overall Rating: HIGH; CVSS v2 Score: 7.8; CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 05/10/2016
Overall Rating: HIGH; CVSS v2 Score: 7.8; CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 05/10/2016
Overall Rating: HIGH; CVSS v2 Score: 7.8; CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 05/10/2016
3.114.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160323 Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-smi.
3.115 CVE-2016-6378
3.115.1 Summary
Cisco IOS XE 3.1 through 3.17 and 16.1 through 16.2 allows remote attackers to cause a denial of service (device reload) via crafted ICMP packets that require NAT, aka Bug ID CSCuw85853.
3.115.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - CiscoIOS15.
3.115.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160928 Cisco IOS XE Software NAT Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-esp-nat.
3.115.4 Reference
The following reference contains further information about this vulnerability:
BID 93200 Web link: http://www.securityfocus.com/bid/93200.
3.116 CVE-2016-6379
3.116.1 Summary
Cisco IOS 12.2 and IOS XE 3.14 through 3.16 and 16.1 allow remote attackers to cause a denial of service (device reload) via crafted IP Detail Record (IPDR) packets, aka Bug ID CSCuu35089.
3.116.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.116.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160928 Cisco IOS and IOS XE Software IP Detail Record Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-ipdr.
3.116.4 Reference
The following reference contains further information about this vulnerability:
BID 93205 Web link: http://www.securityfocus.com/bid/93205.
3.117 CVE-2016-6382
3.117.1 Summary
Cisco IOS 15.2 through 15.6 and IOS XE 3.6 through 3.17 and 16.1 allow remote attackers to cause a denial of service (device restart) via a malformed IPv6 Protocol Independent Multicast (PIM) register packet, aka Bug ID CSCuy16399.
3.117.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - CiscoIOS15.
Overall Rating: HIGH; CVSS v2 Score: 7.8; CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 05/10/2016
Overall Rating: HIGH; CVSS v2 Score: 7.8; CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 05/10/2016
Overall Rating: HIGH; CVSS v2 Score: 7.8
3.117.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160928 Cisco IOS and IOS XE Software Multicast Routing Denial of Service Vulnerabilities Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-msdp.
3.117.4 Reference
The following reference contains further information about this vulnerability:
BID 93211 Web link: http://www.securityfocus.com/bid/93211.
3.118 CVE-2016-6384
3.118.1 Summary
Cisco IOS 12.2 through 12.4 and 15.0 through 15.6 and IOS XE 3.1 through 3.17 and 16.2 allow remote attackers to cause a denial of service (device reload) via crafted fields in an H.323 message, aka Bug ID CSCux04257.
3.118.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - CiscoIOS15.
3.118.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160928 Cisco IOS and IOS XE Software H.323 Message Validation Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-h323.
3.118.4 Reference
The following reference contains further information about this vulnerability:
BID 93209 Web link: http://www.securityfocus.com/bid/93209.
3.119 CVE-2016-6385
3.119.1 Summary
Memory leak in the Smart Install client implementation in Cisco IOS 12.2 and 15.0 through 15.2 and IOS XE 3.2 through 3.8 allows remote attackers to cause a denial of service (memory consumption) via crafted image-list parameters, aka Bug ID CSCuy82367.
3.119.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.119.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160928 Cisco IOS and IOS XE Software Smart Install Memory Leak Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-smi.
3.119.4 Reference
The following reference contains further information about this vulnerability:
BID 93203 Web link: http://www.securityfocus.com/bid/93203.
3.120 CVE-2016-6386
3.120.1 Summary
Cisco IOS XE 3.1 through 3.17 and 16.1 on 64-bit platforms allows remote attackers to cause a denial of service (data-structure corruption and device reload) via fragmented IPv4 packets, aka Bug ID CSCux66005.
CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 05/10/2016
Overall Rating: HIGH; CVSS v2 Score: 7.8; CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 05/10/2016
Overall Rating: HIGH; CVSS v2 Score: 7.8; CVSS v2 Base: AV:N/AC:L/Au:N/C:N/I:N/A:C (7.8); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.8); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 05/10/2016
3.120.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - CiscoIOS15.
3.120.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160928 Cisco IOS XE Software IP Fragment Reassembly Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-frag.
3.120.4 Reference
The following reference contains further information about this vulnerability:
BID 93202 Web link: http://www.securityfocus.com/bid/93202.
3.121 CVE-2016-6391
3.121.1 Summary
Cisco IOS 12.2 and 15.0 through 15.3 allows remote attackers to cause a denial of service (traffic-processing outage) via a crafted series of Common Industrial Protocol (CIP) requests, aka Bug ID CSCur69036.
3.121.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.121.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160928 Cisco IOS Software Common Industrial Protocol Request Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-cip.
3.121.4 Reference
The following reference contains further information about this vulnerability:
BID 93197 Web link: http://www.securityfocus.com/bid/93197.
3.122 CVE-2016-6392
3.122.1 Summary
Cisco IOS 12.2 and 15.0 through 15.3 and IOS XE 3.1 through 3.9 allow remote attackers to cause a denial of service (device restart) via a crafted IPv4 Multicast Source Discovery Protocol (MSDP) Source-Active (SA) message, aka Bug ID CSCud36767.
3.122.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.122.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160928 Cisco IOS and IOS XE Software Multicast Routing Denial of Service Vulnerabilities Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-msdp.
3.122.4 Reference
The following reference contains further information about this vulnerability:
BID 93211 Web link: http://www.securityfocus.com/bid/93211.
Overall Rating: HIGH; CVSS v2 Score: 7.5; CVSS v2 Base: AV:N/AC:L/Au:N/C:P/I:P/A:P (7.5); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.5); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 02/05/2005
Overall Rating: HIGH; CVSS v2 Score: 7.5; CVSS v2 Base: AV:N/AC:L/Au:N/C:P/I:P/A:P (7.5); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.5); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 02/05/2005
Overall Rating: HIGH; CVSS v2 Score: 7.5; CVSS v2 Base: AV:N/AC:L/Au:N/C:P/I:P/A:P (7.5); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.5); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 05/07/2005
Overall Rating: HIGH; CVSS v2 Score: 7.5; CVSS v2 Base: AV:N/AC:L/Au:N/C:P/I:P/A:P (7.5); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.5); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 08/09/2005
3.123 CVE-2005-1057
3.123.1 Summary
Cisco IOS 12.2T, 12.3 and 12.3T, when using Easy VPN Server XAUTH version 6 authentication, allows remote attackers to bypass authentication via a "malformed packet."
3.123.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.123.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20050406 Vulnerabilities in the Internet Key Exchange Xauth Implementation Web link: http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml.
3.124 CVE-2005-1058
3.124.1 Summary
Cisco IOS 12.2T, 12.3 and 12.3T, when processing an ISAKMP profile that specifies XAUTH authentication after Phase 1 negotiation, may not process certain attributes in the ISAKMP profile that specifies XAUTH, which allows remote attackers to bypass XAUTH and move to Phase 2 negotiations.
3.124.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.124.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20050406 Vulnerabilities in the Internet Key Exchange Xauth Implementation Web link: http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml.
3.125 CVE-2005-2105
3.125.1 Summary
Cisco IOS 12.2T through 12.4 allows remote attackers to bypass Authentication, Authorization, and Accounting (AAA) RADIUS authentication, if the fallback method is set to none, via a long username.
3.125.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.125.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20050629 RADIUS Authentication Bypass Web link: http://www.cisco.com/warp/public/707/cisco-sa-20050629-aaa.shtml.
3.125.4 References
The following references contain further information about this vulnerability:
SECTRACK 1014330 Web link: http://www.securitytracker.com/alerts/2005/Jun/1014330.html; XF radius-authentication-bypass (21190) Web link: http://xforce.iss.net/xforce/xfdb/21190.
3.126 CVE-2005-2841
3.126.1 Summary
Buffer overflow in Firewall Authentication Proxy for FTP and/or Telnet Sessions for Cisco IOS 12.2ZH and 12.2ZL, 12.3 and 12.3T, and 12.4 and 12.4T allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted user authentication credentials.
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 02/05/2005
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 02/05/2005
3.126.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.126.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information direct from the manufacturers about this vulnerability:
CISCO 20050907 Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions Buffer Overflow Web link: http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml; CERT-VN VU#236045 Web link: http://www.kb.cert.org/vuls/id/236045.
3.126.4 Reference
The following reference contains further information about this vulnerability:
VUPEN ADV-2005-1669 Web link: http://www.vupen.com/english/advisories/2005/1669.
3.127 CVE-2005-1020
3.127.1 Summary
Secure Shell (SSH) 2 in Cisco IOS 12.0 through 12.3 allows remote attackers to cause a denial of service (device reload) (1) via a username that contains a domain name when using a TACACS+ server to authenticate, (2) when a new SSH session is in the login phase and a currently logged in user issues a send command, or (3) when IOS is logging messages and an SSH session is terminated while the server is sending data.
3.127.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.127.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information direct from the manufacturers about this vulnerability:
CISCO 20050406 Vulnerabilities in Cisco IOS Secure Shell Server Web link: http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml; SECTRACK 1013655 Web link: http://www.securitytracker.com/alerts/2005/Apr/1013655.html.
3.127.4 References
The following references contain further information about this vulnerability:
BID 13043 Web link: http://www.securityfocus.com/bid/13043; XF cisco-ios-sshv2-tacacs-authentication-dos (19987) Web link: http://xforce.iss.net/xforce/xfdb/19987; XF cisco-ios-authentication-send-dos (19989) Web link: http://xforce.iss.net/xforce/xfdb/19989; XF cisco-ios-ssh-message-log-dos (19990) Web link: http://xforce.iss.net/xforce/xfdb/19990.
3.128 CVE-2005-1021
3.128.1 Summary
Memory leak in Secure Shell (SSH) in Cisco IOS 12.0 through 12.3, when authenticating against a TACACS+ server, allows remote attackers to cause a denial of service (memory consumption) via an incorrect username or password.
3.128.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.128.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20050406 Vulnerabilities in Cisco IOS Secure Shell Server Web link: http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml.
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 20/01/2006
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 13/02/2007
3.128.4 References
The following references contain further information about this vulnerability:
BID 13042 Web link: http://www.securityfocus.com/bid/13042; SECTRACK 1013655 Web link: http://www.securitytracker.com/alerts/2005/Apr/1013655.html; XF cisco-ios-memory-leak-dos (19991) Web link: http://xforce.iss.net/xforce/xfdb/19991.
3.129 CVE-2006-0340
3.129.1 Summary
Unspecified vulnerability in Stack Group Bidding Protocol (SGBP) support in Cisco IOS 12.0 through 12.4 running on various Cisco products, when SGBP is enabled, allows remote attackers on the local network to cause a denial of service (device hang and network traffic loss) via a crafted UDP packet to port 9900.
3.129.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.129.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20060118 IOS Stack Group Bidding Protocol Crafted Packet DoS Web link: http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml.
3.129.4 References
The following references contain further information about this vulnerability:
SREASON 358 Web link: http://securityreason.com/securityalert/358; SECTRACK 1015501 Web link: http://securitytracker.com/id?1015501; BID 16303 Web link: http://www.securityfocus.com/bid/16303; VUPEN ADV-2006-0248 Web link: http://www.vupen.com/english/advisories/2006/0248; XF cisco-ios-sgbp-dos (24182) Web link: http://xforce.iss.net/xforce/xfdb/24182.
3.130 CVE-2007-0918
3.130.1 Summary
The ATOMIC.TCP signature engine in the Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XA, 12.3YA, 12.3T, and other trains allows remote attackers to cause a denial of service (IPS crash and traffic loss) via unspecified manipulations that are not properly handled by the regular expression feature, as demonstrated using the 3123.0 (Netbus Pro Traffic) signature.
3.130.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.130.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information direct from the manufacturers about this vulnerability:
CISCO 20070213 Multiple IOS IPS Vulnerabilities Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a00807e0a5b.shtml; VUPEN ADV-2007-0597 Web link: http://www.vupen.com/english/advisories/2007/0597.
3.130.4 References
The following references contain further information about this vulnerability:
MISC Web link: http://www.cisco.com/en/US/products/products_security_response09186a00807e0a5e.html; BID 22549 Web link: http://www.securityfocus.com/bid/22549; SECTRACK 1017631 Web link: http://www.securitytracker.com/id?1017631; XF cisco-ios-ips-dos (32474) Web link: http://xforce.iss.net/xforce/xfdb/32474.
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 09/08/2007
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 09/08/2007
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 23/10/2007
3.131 CVE-2007-4291
3.131.1 Summary
Cisco IOS 12.0 through 12.4 allows remote attackers to cause a denial of service via (1) a malformed MGCP packet, which causes a device hang, aka CSCsf08998; a malformed H.323 packet, which causes a device crash, as identified by (2) CSCsi60004 with Proxy Unregistration and (3) CSCsg70474; and a malformed Real-time Transport Protocol (RTP) packet, which causes a device crash, as identified by (4) CSCse68138, related to VOIP RTP Lib, and (5) CSCse05642, related to I/O memory corruption.
3.131.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.131.3 References
The following references contain further information about this vulnerability:
SECTRACK 1018533 Web link: http://securitytracker.com/id?1018533; CISCO 20070808 Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080899653.shtml; BID 25239 Web link: http://www.securityfocus.com/bid/25239; VUPEN ADV-2007-2816 Web link: http://www.vupen.com/english/advisories/2007/2816; XF cisco-ios-mgcp-dos (35903) Web link: http://xforce.iss.net/xforce/xfdb/35903; XF cisco-ios-h323-dos (35904) Web link: http://xforce.iss.net/xforce/xfdb/35904; XF cisco-ios-rtp-dos (35905) Web link: http://xforce.iss.net/xforce/xfdb/35905.
3.132 CVE-2007-4293
3.132.1 Summary
Cisco IOS 12.0 through 12.4 allows remote attackers to cause a denial of service (device crash) via (1) "abnormal" MGCP messages, aka CSCsd81407; and (2) a large facsimile packet, aka CSCej20505.
3.132.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.132.3 References
The following references contain further information about this vulnerability:
SECTRACK 1018533 Web link: http://securitytracker.com/id?1018533; CISCO 20070808 Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080899653.shtml; BID 25239 Web link: http://www.securityfocus.com/bid/25239; VUPEN ADV-2007-2816 Web link: http://www.vupen.com/english/advisories/2007/2816; XF cisco-ios-facsimile-dos (35907) Web link: http://xforce.iss.net/xforce/xfdb/35907.
3.133 CVE-2007-5651
3.133.1 Summary
Unspecified vulnerability in the Extensible Authentication Protocol (EAP) implementation in Cisco IOS 12.3 and 12.4 on Cisco Access Points and 1310 Wireless Bridges (Wireless EAP devices), IOS 12.1 and 12.2 on Cisco switches (Wired EAP devices), and CatOS 6.x through 8.x on Cisco switches allows remote attackers to cause a denial of service (device reload) via a crafted EAP Response Identity packet.
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 27/03/2008
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 26/09/2008
3.133.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.133.3 References
The following references contain further information about this vulnerability:
CISCO 20071019 Extensible Authentication Protocol Vulnerability Web link: http://www.cisco.com/en/US/products/products_security_response09186a00808de8bb.html; BID 26139 Web link: http://www.securityfocus.com/bid/26139; SECTRACK 1018842 Web link: http://www.securitytracker.com/id?1018842; VUPEN ADV-2007-3566 Web link: http://www.vupen.com/english/advisories/2007/3566; XF cisco-eap-dos (37300) Web link: http://xforce.iss.net/xforce/xfdb/37300.
3.134 CVE-2008-1153
3.134.1 Summary
Cisco IOS 12.1, 12.2, 12.3, and 12.4, with IPv4 UDP services and the IPv6 protocol enabled, allows remote attackers to cause a denial of service (device crash and possible blocked interface) via a crafted IPv6 packet to the device.
3.134.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.134.3 References
The following references contain further information about this vulnerability:
CISCO 20080326 Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers Web link: http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml; CERT-VN VU#936177 Web link: http://www.kb.cert.org/vuls/id/936177; BID 28461 Web link: http://www.securityfocus.com/bid/28461; SECTRACK 1019713 Web link: http://www.securitytracker.com/id?1019713; CERT TA08-087B Web link: http://www.us-cert.gov/cas/techalerts/TA08-087B.html; VUPEN ADV-2008-1006 Web link: http://www.vupen.com/english/advisories/2008/1006/references; XF cisco-ios-ipv6-dualstack-dos (41475) Web link: http://xforce.iss.net/xforce/xfdb/41475.
3.135 CVE-2008-3800
3.135.1 Summary
Unspecified vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS 12.2 through 12.4 and Unified Communications Manager 4.1 through 6.1, when VoIP is configured, allows remote attackers to cause a denial of service (device or process reload) via unspecified valid SIP messages, aka Cisco Bug ID CSCsu38644, a different vulnerability than CVE-2008-3801 and CVE-2008-3802.
3.135.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.135.3 References
The following references contain further information about this vulnerability:
CISCO 20080924 Multiple Cisco IOS Session Initiation Protocol Denial of Service Vulnerabilities Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01562.shtml; CISCO 20080924 Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerabilities Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a0156a.shtml; BID 31367 Web link: http://www.securityfocus.com/bid/31367; SECTRACK 1020939 Web link: http://www.securitytracker.com/id?1020939; SECTRACK 1020942 Web link: http://www.securitytracker.com/id?1020942; VUPEN ADV-2008-2670 Web link: http://www.vupen.com/english/advisories/2008/2670; VUPEN ADV-2008-2671 Web link: http://www.vupen.com/english/advisories/2008/2671.
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 26/09/2008
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 26/09/2008
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
3.136 CVE-2008-3801
3.136.1 Summary
Unspecified vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS 12.2 through 12.4 and Unified Communications Manager 4.1 through 6.1, when VoIP is configured, allows remote attackers to cause a denial of service (device or process reload) via unspecified valid SIP messages, aka Cisco Bug ID CSCsm46064, a different vulnerability than CVE-2008-3800 and CVE-2008-3802.
3.136.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.136.3 References
The following references contain further information about this vulnerability:
CISCO 20080924 Multiple Cisco IOS Session Initiation Protocol Denial of Service Vulnerabilities Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01562.shtml; CISCO 20080924 Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerabilities Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a0156a.shtml; BID 31367 Web link: http://www.securityfocus.com/bid/31367; SECTRACK 1020939 Web link: http://www.securitytracker.com/id?1020939; SECTRACK 1020942 Web link: http://www.securitytracker.com/id?1020942; VUPEN ADV-2008-2670 Web link: http://www.vupen.com/english/advisories/2008/2670; VUPEN ADV-2008-2671 Web link: http://www.vupen.com/english/advisories/2008/2671.
3.137 CVE-2008-3802
3.137.1 Summary
Unspecified vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS 12.2 through 12.4, when VoIP is configured, allows remote attackers to cause a denial of service (device reload) via unspecified valid SIP messages, aka Cisco bug ID CSCsk42759, a different vulnerability than CVE-2008-3800 and CVE-2008-3801.
3.137.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.137.3 References
The following references contain further information about this vulnerability:
CISCO 20080924 Multiple Cisco IOS Session Initiation Protocol Denial of Service Vulnerabilities Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01562.shtml; SECTRACK 1020939 Web link: http://www.securitytracker.com/id?1020939; VUPEN ADV-2008-2670 Web link: http://www.vupen.com/english/advisories/2008/2670.
3.138 CVE-2008-3809
3.138.1 Summary
Cisco IOS 12.0 through 12.4 on Gigabit Switch Router (GSR) devices (aka 12000 Series routers) allows remote attackers to cause a denial of service (device crash) via a malformed Protocol Independent Multicast (PIM) packet.
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 26/09/2008
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 20/10/2008
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 27/03/2009
3.138.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.138.3 References
The following references contain further information about this vulnerability:
Web link: http://tools.cisco.com/security/center/viewAlert.x?alertId=16638; CISCO 20080924 Multiple Multicast Vulnerabilities in Cisco IOS Software Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01491.shtml; BID 31356 Web link: http://www.securityfocus.com/bid/31356; SECTRACK 1020936 Web link: http://www.securitytracker.com/id?1020936; VUPEN ADV-2008-2670 Web link: http://www.vupen.com/english/advisories/2008/2670.
3.139 CVE-2008-4609
3.139.1 Summary
The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress.
3.139.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.139.3 References
The following references contain further information about this vulnerability:
MISC Web link: http://blog.robertlee.name/2008/10/conjecture-speculation.html; MLIST [dailydave] 20081002 TCP Resource Exhaustion DoS Attack Speculation Web link: http://lists.immunitysec.com/pipermail/dailydave/2008-October/005360.html; HP SSRT080138 Web link: http://marc.info/?l=bugtraq&m=125856010926699&w=2; MISC Web link: http://searchsecurity.techtarget.com.au/articles/27154-TCP-is-fundamentally-borked; CISCO 20090908 TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080af511d.shtml; CISCO 20081017 Cisco Response to Outpost24 TCP State Table Manipulation Denial of Service Vulnerabilities Web link: http://www.cisco.com/en/US/products/products_security_response09186a0080a15120.html; MISC Web link: http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf; MANDRIVA MDVSA-2013:150 Web link: http://www.mandriva.com/security/advisories?name=MDVSA-2013:150; MS MS09-048 Web link: http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx; Web link: http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html; MISC Web link: http://www.outpost24.com/news/news-2008-10-02.html; CERT TA09-251A Web link: http://www.us-cert.gov/cas/techalerts/TA09-251A.html; MISC Web link: https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html.
3.140 CVE-2009-0630
3.140.1 Summary
The (1) Cisco Unified Communications Manager Express; (2) SIP Gateway Signaling Support Over Transport Layer Security (TLS) Transport; (3) Secure Signaling and Media Encryption; (4) Blocks Extensible Exchange Protocol (BEEP); (5) Network Admission Control HTTP Authentication Proxy; (6) Per-user URL Redirect for EAPoUDP, Dot1x, and MAC Authentication Bypass; (7) Distributed Director with HTTP Redirects; and (8) TCP DNS features in Cisco IOS 12.0 through 12.4 do not properly handle IP sockets, which allows remote attackers to cause a denial of service (outage or resource consumption) via a series of crafted TCP packets.
3.140.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 27/03/2009
Overall Rating: HIGH; CVSS v2 Score: 7.1; CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1); CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1); CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published: 27/03/2009
3.140.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information direct from the manufacturers about this vulnerability:
Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90469.shtml; CISCO 20090325 Cisco IOS Software Multiple Features IP Sockets Vulnerability Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a904c6.shtml; VUPEN ADV-2009-0851 Web link: http://www.vupen.com/english/advisories/2009/0851; XF ios-ipsockets-dos (49418) Web link: http://xforce.iss.net/xforce/xfdb/49418.
3.140.4 References
The following references contain further information about this vulnerability:
SECTRACK 1021897 Web link: http://securitytracker.com/id?1021897; BID 34242 Web link: http://www.securityfocus.com/bid/34242.
3.141 CVE-2009-0633
3.141.1 Summary
Multiple unspecified vulnerabilities in the (1) Mobile IP NAT Traversal feature and (2) Mobile IPv6 subsystem in Cisco IOS 12.3 through 12.4 allow remote attackers to cause a denial of service (input queue wedge and interface outage) via MIPv6 packets, aka Bug ID CSCsm97220.
3.141.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.141.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information direct from the manufacturers about this vulnerability:
CISCO 20090325 Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a9042f.shtml; Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90469.shtml; VUPEN ADV-2009-0851 Web link: http://www.vupen.com/english/advisories/2009/0851.
3.141.4 References
The following references contain further information about this vulnerability:
SECTRACK 1021898 Web link: http://securitytracker.com/id?1021898; BID 34241 Web link: http://www.securityfocus.com/bid/34241; XF ios-mobile-dos (49424) Web link: http://xforce.iss.net/xforce/xfdb/49424.
Gotothereportcontentsorthestartofthissection.
3.142 CVE-2009-0634
3.142.1 Summary
Multiple unspecified vulnerabilities in the home agent (HA) implementation in the (1) Mobile IP NAT Traversal feature and (2) Mobile IPv6 subsystem in Cisco IOS 12.3 through 12.4 allow remote attackers to cause a denial of service (input queue wedge and interface outage) via an ICMP packet, aka Bug ID CSCso05337.
3.142.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.142.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information direct from the manufacturers about this vulnerability:
CISCO 20090325 Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a9042f.shtml
Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a90469.shtml
VUPEN ADV-2009-0851 Web link: http://www.vupen.com/english/advisories/2009/0851
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:C/I:N/A:N (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 28/09/2009
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 28/09/2009
3.142.4 References
The following references contain further information about this vulnerability:
SECTRACK 1021898 Web link: http://securitytracker.com/id?1021898
BID 34241 Web link: http://www.securityfocus.com/bid/34241
XF ios-mobile-dos(49424) Web link: http://xforce.iss.net/xforce/xfdb/49424
XF ios-mobile-ha-dos(49585) Web link: http://xforce.iss.net/xforce/xfdb/49585
3.143 CVE-2009-2863
3.143.1 Summary
Race condition in the Firewall Authentication Proxy feature in Cisco IOS 12.0 through 12.4 allows remote attackers to bypass authentication, or bypass the consent web page, via a crafted request, aka Bug ID CSCsy15227.
3.143.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.143.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information direct from the manufacturers about this vulnerability:
Web link: http://tools.cisco.com/security/center/viewAlert.x?alertId=18882
CISCO 20090923 Cisco IOS Software Authentication Proxy Vulnerability Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8132.shtml
3.143.4 References
The following references contain further information about this vulnerability:
BID 36491 Web link: http://www.securityfocus.com/bid/36491
SECTRACK 1022935 Web link: http://www.securitytracker.com/id?1022935
XF ciscoios-authenticationproxy-sec-bypass(53453) Web link: http://xforce.iss.net/xforce/xfdb/53453
3.144 CVE-2009-2873
3.144.1 Summary
Cisco IOS 12.0 through 12.4, when IP-based tunnels and the Cisco Express Forwarding feature are enabled, allows remote attackers to cause a denial of service (device reload) via malformed packets, aka Bug ID CSCsx70889.
3.144.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.144.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information direct from the manufacturers about this vulnerability:
Web link: http://tools.cisco.com/security/center/viewAlert.x?alertId=18895
Web link: http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080af8113.html
CISCO 20090923 Cisco IOS Software Tunnels Vulnerability Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8115.shtml
Web link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep09.html
3.144.4 References
The following references contain further information about this vulnerability:
SECTRACK 1022930 Web link: http://www.securitytracker.com/id?1022930
VUPEN ADV-2009-2759 Web link: http://www.vupen.com/english/advisories/2009/2759
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 25/03/2010
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 23/09/2010
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 07/01/2011
3.145 CVE-2010-0577
3.145.1 Summary
Cisco IOS 12.2 through 12.4, when certain PMTUD, SNAT, or window-size configurations are used, allows remote attackers to cause a denial of service (infinite loop, and device reload or hang) via a TCP segment with crafted options, aka Bug ID CSCsz75186.
3.145.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.145.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20100324 Cisco IOS Software Crafted TCP Packet Denial of Service Vulnerability Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20f34.shtml
3.145.4 References
The following references contain further information about this vulnerability:
BID 38930 Web link: http://www.securityfocus.com/bid/38930
SECTRACK 1023743 Web link: http://www.securitytracker.com/id?1023743
VUPEN ADV-2010-0703 Web link: http://www.vupen.com/english/advisories/2010/0703
XF ciscoios-tcpsegment-dos(57129) Web link: http://xforce.iss.net/xforce/xfdb/57129
3.146 CVE-2010-2830
3.146.1 Summary
The IGMPv3 implementation in Cisco IOS 12.2, 12.3, 12.4, and 15.0 and IOS XE 2.5.x before 2.5.2, when PIM is enabled, allows remote attackers to cause a denial of service (device reload) via a malformed IGMP packet, aka Bug ID CSCte14603.
3.146.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - Cisco IOS 15.
3.146.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20100922 Cisco IOS Software Internet Group Management Protocol Denial of Service Vulnerability Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4a310.shtml
3.147 CVE-2010-4684
3.147.1 Summary
Cisco IOS before 15.0(1)XA1, when certain TFTP debugging is enabled, allows remote attackers to cause a denial of service (device crash) via a TFTP copy over IPv6, aka Bug ID CSCtb28877.
3.147.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - Cisco IOS 15.
3.147.3 References
The following references contain further information about this vulnerability:
Web link: http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf
BID 45769 Web link: http://www.securityfocus.com/bid/45769
XF ciscoios-tftp-dos(64587) Web link: http://xforce.iss.net/xforce/xfdb/64587
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 29/03/2012
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 26/09/2012
3.148 CVE-2012-0382
3.148.1 Summary
The Multicast Source Discovery Protocol (MSDP) implementation in Cisco IOS 12.0, 12.2 through 12.4, and 15.0 through 15.2 and IOS XE 2.1.x through 2.6.x and 3.1.xS through 3.4.xS before 3.4.1S and 3.1.xSG and 3.2.xSG before 3.2.2SG allows remote attackers to cause a denial of service (device reload) via encapsulated IGMP data in an MSDP packet, aka Bug ID CSCtr28857.
3.148.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - Cisco IOS 15.
3.148.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120328 Cisco IOS Software Multicast Source Discovery Protocol Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120328-msdp
3.148.4 References
The following references contain further information about this vulnerability:
BID 52759 Web link: http://www.securityfocus.com/bid/52759
SECTRACK 1026868 Web link: http://www.securitytracker.com/id?1026868
XF ciscoios-msdp-dos(74431) Web link: http://xforce.iss.net/xforce/xfdb/74431
3.149 CVE-2012-3950
3.149.1 Summary
The Intrusion Prevention System (IPS) feature in Cisco IOS 12.3 through 12.4 and 15.0 through 15.2, in certain configurations of enabled categories and missing signatures, allows remote attackers to cause a denial of service (device reload) via DNS packets, aka Bug ID CSCtw55976.
3.149.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - Cisco IOS 15.
3.149.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120926 Cisco IOS Software Intrusion Prevention System Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-ios-ips
3.149.4 References
The following references contain further information about this vulnerability:
BID 55695 Web link: http://www.securityfocus.com/bid/55695
SECTRACK 1027580 Web link: http://www.securitytracker.com/id?1027580
XF ciscoios-ips-dos(78882) Web link: http://xforce.iss.net/xforce/xfdb/78882
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 26/09/2012
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 28/03/2013
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 11/04/2013
3.150 CVE-2012-4622
3.150.1 Summary
Cisco IOS XE 03.02.00.XO.15.0(2)XO on Catalyst 4500E series switches, when a Supervisor Engine 7L-E card is installed, allows remote attackers to cause a denial of service (card reload) via malformed packets that trigger uncorrected ECC error messages, aka Bug ID CSCty88456.
3.150.2 Affected Device
The Cisco Router Cisco IOS 15 was affected by this security vulnerability.
3.150.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20120926 Cisco Catalyst 4500E Series Switch with Cisco Catalyst Supervisor Engine 7L-E Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120926-ecc
3.150.4 References
The following references contain further information about this vulnerability:
BID 55701 Web link: http://www.securityfocus.com/bid/55701
SECTRACK 1027573 Web link: http://www.securitytracker.com/id?1027573
XF cisco-catalyst-dos(78886) Web link: http://xforce.iss.net/xforce/xfdb/78886
3.151 CVE-2013-1143
3.151.1 Summary
The RSVP protocol implementation in Cisco IOS 12.2 and 15.0 through 15.2 and IOS XE 3.1.xS through 3.4.xS before 3.4.5S and 3.5.xS through 3.7.xS before 3.7.2S, when MPLS-TE is enabled, allows remote attackers to cause a denial of service (incorrect memory access and device reload) via a traffic engineering PATH message in an RSVP packet, aka Bug ID CSCtg39957.
3.151.2 Affected Device
The Cisco Router Cisco IOS 15 was affected by this security vulnerability.
3.151.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20130327 Cisco IOS Software RSVP Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1143
3.151.4 Reference
The following reference contains further information about this vulnerability:
CISCO 20130327 Cisco IOS Software Resource Reservation Protocol Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-rsvp
3.152 CVE-2013-1167
3.152.1 Summary
Cisco IOS XE 3.2 through 3.4 before 3.4.2S, and 3.5, on 1000 series Aggregation Services Routers (ASR), when bridge domain interface (BDI) is enabled, allows remote attackers to cause a denial of service (card reload) via packets that are not properly handled during the processing of encapsulation, aka Bug ID CSCtt11558.
3.152.2 Affected Device
The Cisco Router Cisco IOS 15 was affected by this security vulnerability.
3.152.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20130410 Multiple Vulnerabilities in Cisco IOS XE Software for 1000 Series Aggregation Services Routers Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130410-asr1000
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 27/09/2013
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 27/09/2013
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 27/03/2014
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 27/03/2014
3.153 CVE-2013-5472
3.153.1 Summary
The NTP implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.1, and IOS XE 2.1 through 3.3, does not properly handle encapsulation of multicast NTP packets within MSDP SA messages, which allows remote attackers to cause a denial of service (device reload) by leveraging an MSDP peer relationship, aka Bug ID CSCuc81226.
3.153.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - Cisco IOS 15.
3.153.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20130925 Cisco IOS Software Multicast Network Time Protocol Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-ntp
3.154 CVE-2013-5481
3.154.1 Summary
The PPTP implementation in Cisco IOS 12.2 and 15.0 through 15.3, when NAT is used, allows remote attackers to cause a denial of service (device reload) via crafted TCP port-1723 packets, aka Bug ID CSCtq14817.
3.154.2 Affected Device
The Cisco Router Cisco IOS 15 was affected by this security vulnerability.
3.154.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20130925 Cisco IOS Software Network Address Translation Vulnerabilities Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-nat
3.155 CVE-2014-2107
3.155.1 Summary
Cisco IOS 12.2 and 15.0 through 15.3, when used with the Kailash FPGA before 2.6 on RSP720-3C-10GE and RSP720-3CXL-10GE devices, allows remote attackers to cause a denial of service (route switch processor outage) via crafted IP packets, aka Bug ID CSCug84789.
3.155.2 Affected Device
The Cisco Router Cisco IOS 15 was affected by this security vulnerability.
3.155.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20140326 Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet Uplinks Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-RSP72010GE
3.156 CVE-2014-2111
3.156.1 Summary
The Application Layer Gateway (ALG) module in Cisco IOS 12.2 through 12.4 and 15.0 through 15.4, when NAT is used, allows remote attackers to cause a denial of service (device reload) via crafted DNS packets, aka Bug ID CSCue00996.
3.156.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - Cisco IOS 15.
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 25/09/2014
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 26/03/2015
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 24/07/2015
3.156.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20140326 Cisco IOS Software Network Address Translation Vulnerabilities Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-nat
3.157 CVE-2014-3361
3.157.1 Summary
The ALG module in Cisco IOS 15.0 through 15.4 does not properly implement SIP over NAT, which allows remote attackers to cause a denial of service (device reload) via multipart SDP IPv4 traffic, aka Bug ID CSCun54071.
3.157.2 Affected Device
The Cisco Router Cisco IOS 15 was affected by this security vulnerability.
3.157.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20140924 Cisco IOS Software Network Address Translation Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-nat
3.157.4 Reference
The following reference contains further information about this vulnerability:
Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-nat/cvrf/cisco-sa-20140924-nat_cvrf.xml
3.158 CVE-2015-0638
3.158.1 Summary
Cisco IOS 12.2, 12.4, 15.0, 15.2, and 15.3, when a VRF interface is configured, allows remote attackers to cause a denial of service (interface queue wedge) via crafted ICMPv4 packets, aka Bug ID CSCsi02145.
3.158.2 Affected Device
The Cisco Router Cisco IOS 15 was affected by this security vulnerability.
3.158.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20150325 Cisco IOS Software Virtual Routing and Forwarding ICMP Queue Wedge Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-wedge
3.158.4 Reference
The following reference contains further information about this vulnerability:
SECTRACK 1031983 Web link: http://www.securitytracker.com/id/1031983
3.159 CVE-2015-0681
3.159.1 Summary
The TFTP server in Cisco IOS 12.2(44)SQ1, 12.2(33)XN1, 12.4(25e)JAM1, 12.4(25e)JAO5m, 12.4(23)JY, 15.0(2)ED1, 15.0(2)EY3, 15.1(3)SVF4a, and 15.2(2)JB1 and IOS XE 2.5.x, 2.6.x, 3.1.xS, 3.2.xS, 3.3.xS, 3.4.xS, and 3.5.xS before 3.6.0S; 3.1.xSG, 3.2.xSG, and 3.3.xSG before 3.4.0SG; 3.2.xSE before 3.3.0SE; 3.2.xXO before 3.3.0XO; 3.2.xSQ; 3.3.xSQ; and 3.4.xSQ allows remote attackers to cause a denial of service (device hang or reload) via multiple requests that trigger improper memory management, aka Bug ID CSCts66733.
3.159.2 Affected Device
The Cisco Router Cisco IOS 15 was affected by this security vulnerability.
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 25/03/2016
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 05/10/2016
Overall Rating: HIGH
CVSS v2 Score: 7.1
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:N/A:C (7.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (7.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 05/10/2016
3.159.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information direct from the manufacturers about this vulnerability:
CISCO 20150722 Cisco IOS Software TFTP Server Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150722-tftp
Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150722-tftp/cvrf/cisco-sa-20150722-tftp_cvrf.xml
3.160 CVE-2016-1344
3.160.1 Summary
The IKEv2 implementation in Cisco IOS 15.0 through 15.6 and IOS XE 3.3 through 3.17 allows remote attackers to cause a denial of service (device reload) via fragmented packets, aka Bug ID CSCux38417.
3.160.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - Cisco IOS 15.
3.160.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160323 Cisco IOS and IOS XE Software Internet Key Exchange Version 2 Fragmentation Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-ios-ikev2
3.161 CVE-2016-6381
3.161.1 Summary
Cisco IOS 12.4 and 15.0 through 15.6 and IOS XE 3.1 through 3.18 and 16.1 allow remote attackers to cause a denial of service (memory consumption or device reload) via fragmented IKEv1 packets, aka Bug ID CSCuy47382.
3.161.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - Cisco IOS 15.
3.161.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160928 Cisco IOS and IOS XE Software Internet Key Exchange Version 1 Fragmentation Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-ios-ikev1
3.161.4 Reference
The following reference contains further information about this vulnerability:
BID 93195 Web link: http://www.securityfocus.com/bid/93195
3.162 CVE-2016-6393
3.162.1 Summary
The AAA service in Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.1 through 3.18 and 16.2 allows remote attackers to cause a denial of service (device reload) via a failed SSH connection attempt that is mishandled during generation of an error-log message, aka Bug ID CSCuy87667.
3.162.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - Cisco IOS 15.
Overall Rating: MEDIUM
CVSS v2 Score: 6.8
CVSS v2 Base: AV:N/AC:M/Au:N/C:P/I:P/A:P (6.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (6.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 09/08/2007
Overall Rating: MEDIUM
CVSS v2 Score: 6.8
CVSS v2 Base: AV:N/AC:L/Au:S/C:N/I:N/A:C (6.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (6.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 28/09/2009
Overall Rating: MEDIUM
CVSS v2 Score: 6.8
3.162.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160928 Cisco IOS and IOS XE Software AAA Login Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-aaados
3.162.4 Reference
The following reference contains further information about this vulnerability:
BID 93196 Web link: http://www.securityfocus.com/bid/93196
3.163 CVE-2007-4295
3.163.1 Summary
Unspecified vulnerability in Cisco IOS 12.0 through 12.4 allows remote attackers to execute arbitrary code via a malformed SIP packet, aka CSCsi80749.
3.163.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.163.3 References
The following references contain further information about this vulnerability:
SECTRACK 1018533 Web link: http://securitytracker.com/id?1018533
CISCO 20070808 Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080899653.shtml
BID 25239 Web link: http://www.securityfocus.com/bid/25239
VUPEN ADV-2007-2816 Web link: http://www.vupen.com/english/advisories/2007/2816
3.164 CVE-2009-2872
3.164.1 Summary
Cisco IOS 12.0 through 12.4, when IP-based tunnels and the Cisco Express Forwarding feature are enabled, allows remote attackers to cause a denial of service (device reload) via a malformed packet that is not properly handled during switching from one tunnel to a second tunnel, aka Bug IDs CSCsh97579 and CSCsq31776.
3.164.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.164.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information direct from the manufacturers about this vulnerability:
Web link: http://tools.cisco.com/security/center/viewAlert.x?alertId=18893
Web link: http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080af8113.html
CISCO 20090923 Cisco IOS Software Tunnels Vulnerability Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8115.shtml
Web link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep09.html
3.164.4 References
The following references contain further information about this vulnerability:
SECTRACK 1022930 Web link: http://www.securitytracker.com/id?1022930
VUPEN ADV-2009-2759 Web link: http://www.vupen.com/english/advisories/2009/2759
3.165 CVE-2009-5040
3.165.1 Summary
CallManager Express (CME) on Cisco IOS before 15.0(1)XA allows remote authenticated users to cause a denial of service (device crash) by using an extension mobility (EM) phone to interact with the menu for SNR number changes, aka Bug ID CSCta63555.
CVSS v2 Base: AV:N/AC:L/Au:S/C:N/I:N/A:C (6.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (6.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 07/01/2011
Overall Rating: MEDIUM
CVSS v2 Score: 6.8
CVSS v2 Base: AV:N/AC:L/Au:S/C:N/I:N/A:C (6.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (6.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 17/11/2013
Overall Rating: MEDIUM
CVSS v2 Score: 6.8
CVSS v2 Base: AV:N/AC:L/Au:S/C:N/I:N/A:C (6.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (6.8)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 22/06/2016
Overall Rating: MEDIUM
CVSS v2 Score: 6.8
CVSS v2 Base: AV:N/AC:L/Au:S/C:N/I:N/A:C (6.8)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (6.8)
3.165.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - Cisco IOS 15.
3.165.3 References
The following references contain further information about this vulnerability:
Web link: http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf
BID 45765 Web link: http://www.securityfocus.com/bid/45765
XF ciscoios-callmanager-dos(64681) Web link: http://xforce.iss.net/xforce/xfdb/64681
3.166 CVE-2013-6686
3.166.1 Summary
The SSL VPN implementation in Cisco IOS 15.3(1)T2 and earlier allows remote authenticated users to cause a denial of service (interface queue wedge) via crafted DTLS packets in an SSL session, aka Bug IDs CSCuh97409 and CSCud90568.
3.166.2 Affected Device
The Cisco Router Cisco IOS 15 was affected by this security vulnerability.
3.166.3 Vendor Security Advisories
The following is a list of security advisories that contain more specific information direct from the manufacturers about this vulnerability:
CISCO 20131113 Cisco IOS Software SSL VPN Interface Queue Wedge Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6686
Web link: http://tools.cisco.com/security/center/viewAlert.x?alertId=31757
3.167 CVE-2016-1428
3.167.1 Summary
Double free vulnerability in Cisco IOS XE 3.15S, 3.16S, and 3.17S allows remote authenticated users to cause a denial of service (device restart) via a sequence of crafted SNMP read requests, aka Bug ID CSCux13174.
3.167.2 Affected Device
The Cisco Router Cisco IOS 15 was affected by this security vulnerability.
3.167.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160620 Cisco IOS XE Software SNMP Subsystem Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160620-iosxe
3.167.4 Reference
The following reference contains further information about this vulnerability:
SECTRACK 1036140 Web link: http://www.securitytracker.com/id/1036140
3.168 CVE-2016-1432
3.168.1 Summary
Cisco IOS XE 3.15S and 3.16S on cBR-8 Converged Broadband Router devices allows remote authenticated users to cause a denial of service (NULL pointer dereference and card restart) via a crafted SNMP request, aka Bug ID CSCuu68862.
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 17/06/2016
Overall Rating: MEDIUM
CVSS v2 Score: 6.4
CVSS v2 Base: AV:N/AC:L/Au:N/C:P/I:P/A:N (6.4)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (6.4)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 13/02/2007
Overall Rating: MEDIUM
CVSS v2 Score: 6.3
CVSS v2 Base: AV:N/AC:M/Au:S/C:N/I:N/A:C (6.3)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (6.3)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 09/05/2007
Overall Rating: MEDIUM
CVSS v2 Score: 6.3
CVSS v2 Base: AV:N/AC:M/Au:S/C:N/I:N/A:C (6.3)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (6.3)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
3.168.2 Affected Device
The Cisco Router Cisco IOS 15 was affected by this security vulnerability.
3.168.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160617 Cisco cBR-8 Series Converged Broadband Router SNMP Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160617-cbr
3.169 CVE-2007-0917
3.169.1 Summary
The Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XE to 12.3T allows remote attackers to bypass IPS signatures that use regular expressions via fragmented packets.
3.169.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.169.3 References
The following references contain further information about this vulnerability:
CISCO 20070213 Multiple IOS IPS Vulnerabilities Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a00807e0a5b.shtml
MISC Web link: http://www.cisco.com/en/US/products/products_security_response09186a00807e0a5e.html
BID 22549 Web link: http://www.securityfocus.com/bid/22549
SECTRACK 1017631 Web link: http://www.securitytracker.com/id?1017631
VUPEN ADV-2007-0597 Web link: http://www.vupen.com/english/advisories/2007/0597
XF cisco-ios-ips-security-bypass(32473) Web link: http://xforce.iss.net/xforce/xfdb/32473
3.170 CVE-2007-2587
3.170.1 Summary
The IOS FTP Server in Cisco IOS 11.3 through 12.4 allows remote authenticated users to cause a denial of service (IOS reload) via unspecified vectors involving transferring files (aka bug ID CSCse29244).
3.170.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.170.3 References
The following references contain further information about this vulnerability:
CISCO 20070509 Multiple Vulnerabilities in the IOS FTP Server Web link: http://www.cisco.com/en/US/products/products_security_advisory09186a00808399d0.shtml
BID 23885 Web link: http://www.securityfocus.com/bid/23885
SECTRACK 1018030 Web link: http://www.securitytracker.com/id?1018030
VUPEN ADV-2007-1749 Web link: http://www.vupen.com/english/advisories/2007/1749
XF cisco-ios-ftpserver-dos(34196) Web link: http://xforce.iss.net/xforce/xfdb/34196
3.171 CVE-2012-1338
3.171.1 Summary
Cisco IOS 15.0 and 15.1 on Catalyst 3560 and 3750 series switches allows remote authenticated users to cause a denial of service (device reload) by completing local web authentication quickly, aka Bug ID CSCts88664.
Published: 06/08/2012
Overall Rating: MEDIUM
CVSS v2 Score: 6.3
CVSS v2 Base: AV:N/AC:M/Au:S/C:N/I:N/A:C (6.3)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (6.3)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 16/09/2012
Overall Rating: MEDIUM
CVSS v2 Score: 6.1
CVSS v2 Base: AV:A/AC:L/Au:N/C:N/I:N/A:C (6.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (6.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 02/05/2005
Overall Rating: MEDIUM
3.171.2 Affected Device
The Cisco Router Cisco IOS 15 was affected by this security vulnerability.
3.171.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
Web link: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/release/notes/OL25302.html
3.171.4 Reference
The following reference contains further information about this vulnerability:
SECTRACK 1027349 Web link: http://www.securitytracker.com/id?1027349
3.172 CVE-2012-3895
3.172.1 Summary
Cisco IOS 15.0 through 15.3 allows remote authenticated users to cause a denial of service (device crash) via an MVPNv6 update, aka Bug ID CSCty89224.
3.172.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.172.3 References
The following references contain further information about this vulnerability:
Web link: http://www.cisco.com/en/US/docs/ios/15_2s/release/notes/15_2s_caveats_15_2_2s.html
XF ciscoios-mvpnv6-dos(78872): http://xforce.iss.net/xforce/xfdb/78872
3.173 CVE-2005-0197
3.173.1 Summary
Cisco IOS 12.1T, 12.2, 12.2T, 12.3 and 12.3T, with Multiprotocol Label Switching (MPLS) installed but disabled, allows remote attackers to cause a denial of service (device reload) via a crafted packet sent to the disabled interface.
3.173.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.173.3 Vendor Security Advisories
The following security advisories contain more specific information direct from the manufacturer about this vulnerability:
CISCO 20050126 Crafted Packet Causes Reload on Cisco Routers: http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml
CERT-VN VU#583638: http://www.kb.cert.org/vuls/id/583638
CERT TA05-026A: http://www.us-cert.gov/cas/techalerts/TA05-026A.html
XF cisco-ios-mpls-dos(19071): http://xforce.iss.net/xforce/xfdb/19071
3.173.4 References
The following references contain further information about this vulnerability:
SECTRACK 1013015: http://securitytracker.com/id?1013015
BID 12369: http://www.securityfocus.com/bid/12369
3.174 CVE-2011-3274
3.174.1 Summary
Unspecified vulnerability in Cisco IOS 12.2SRE before 12.2(33)SRE4, 15.0, and 15.1, and IOS XE 2.1.x through 3.3.x, when an MPLS domain is configured, allows remote attackers to cause a denial of service (device crash) via a crafted IPv6 packet, related to an expired MPLS TTL, aka Bug ID CSCto07919.
CVSS rating entries (carried in the page margin and displaced here by extraction; in order they are the entries for findings 3.174 to 3.176 and the first lines of 3.177):
3.174: CVSSv2 Score 6.1; CVSSv2 Base AV:A/AC:L/Au:N/C:N/I:N/A:C (6.1); CVSSv2 Temporal E:ND/RL:ND/RC:ND (6.1); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 03/10/2011 (the Overall Rating MEDIUM line of this entry is carried under 3.171).
3.175: Overall Rating MEDIUM; CVSSv2 Score 6.1; CVSSv2 Base AV:A/AC:L/Au:N/C:N/I:N/A:C (6.1); CVSSv2 Temporal E:ND/RL:ND/RC:ND (6.1); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 03/05/2012.
3.176: Overall Rating MEDIUM; CVSSv2 Score 6.1; CVSSv2 Base AV:A/AC:L/Au:N/C:N/I:N/A:C (6.1); CVSSv2 Temporal E:ND/RL:ND/RC:ND (6.1); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 03/07/2016.
3.177: Overall Rating MEDIUM; CVSSv2 Score 5.8; CVSSv2 Base AV:N/AC:M/Au:N/C:P/I:N/A:P (5.8); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.8) (the Environmental and Published lines of this entry are carried under 3.177).
3.174.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.174.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20110928 Cisco IOS Software IPv6 over MPLS Vulnerabilities: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d52.shtml
3.174.4 Reference
The following reference contains further information about this vulnerability:
Web link: http://tools.cisco.com/security/center/viewAlert.x?alertId=24125
3.175 CVE-2012-1327
3.175.1 Summary
dot11t/t_if_dot11_hal_ath.c in Cisco IOS 12.3, 12.4, 15.0, and 15.1 allows remote attackers to cause a denial of service (assertion failure and reboot) via 802.11 wireless traffic, as demonstrated by a video call from Apple iOS 5.0 on an iPhone 4S, aka Bug ID CSCtt94391.
3.175.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - CiscoIOS15.
3.175.3 Reference
The following reference contains further information about this vulnerability:
Web link: http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151-2TCAVS.html
3.176 CVE-2016-1425
3.176.1 Summary
Cisco IOS 15.0(2)SG5, 15.1(2)SG3, 15.2(1)E, 15.3(3)S, and 15.4(1.13)S allows remote attackers to cause a denial of service (device crash) via a crafted LLDP packet, aka Bug ID CSCun66735.
3.176.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.176.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160617 Cisco IOS Software Link Layer Discovery Protocol Processing Code Denial of Service Vulnerability: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160616-ios1
3.176.4 Reference
The following reference contains further information about this vulnerability:
BID 91545: http://www.securityfocus.com/bid/91545
3.177 CVE-2013-0149
3.177.1 Summary
The OSPF implementation in Cisco IOS 12.0 through 12.4 and 15.0 through 15.3, IOS-XE 2.x through 3.9.xS, ASA and PIX 7.x through 9.1, FWSM, NX-OS, and StarOS before 14.0.50488 does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a (1) unicast or (2) multicast packet, aka Bug IDs CSCug34485, CSCug34469, CSCug39762, CSCug63304, and CSCug39795.
CVSS rating entries (carried in the page margin and displaced here by extraction; in order they close the entry for 3.177, give the entries for 3.178 and 3.179, and open the entry for 3.180):
3.177: CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 05/08/2013 (the Overall Rating, score, base and temporal lines of this entry are carried under 3.174).
3.178: Overall Rating MEDIUM; CVSSv2 Score 5.4; CVSSv2 Base AV:N/AC:H/Au:N/C:N/I:N/A:C (5.4); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.4); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 18/08/2011.
3.179: Overall Rating MEDIUM; CVSSv2 Score 5.4; CVSSv2 Base AV:N/AC:H/Au:N/C:N/I:N/A:C (5.4); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.4); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 02/05/2012.
3.180: Overall Rating MEDIUM; CVSSv2 Score 5.4 (the remaining lines of this entry are carried under 3.180).
3.177.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.177.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20130801 OSPF LSA Manipulation Vulnerability in Multiple Cisco Products: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130801-lsaospf
3.177.4 Reference
The following reference contains further information about this vulnerability:
CERT-VN VU#229804: http://www.kb.cert.org/vuls/id/229804
3.178 CVE-2011-1625
3.178.1 Summary
Cisco IOS 12.2, 12.3, 12.4, 15.0, and 15.1, when the data-link switching (DLSw) feature is configured, allows remote attackers to cause a denial of service (device crash) by sending a sequence of malformed packets and leveraging a "narrow timing window," aka Bug ID CSCtf74999, a different vulnerability than CVE-2007-0199, CVE-2008-1152, and CVE-2009-0629.
3.178.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - CiscoIOS15.
3.178.3 Reference
The following reference contains further information about this vulnerability:
Web link: http://www.cisco.com/en/US/docs/cable/cmts/release/notes/12_2sc/uBR7200/122_33_SCF/caveats.html
3.179 CVE-2011-2586
3.179.1 Summary
The HTTP client in Cisco IOS 12.4 and 15.0 allows user-assisted remote attackers to cause a denial of service (device crash) via a malformed HTTP response to a request for service installation, aka Bug ID CSCts12249.
3.179.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.179.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
Web link: http://tools.cisco.com/security/center/viewAlert.x?alertId=24436
3.179.4 Reference
The following reference contains further information about this vulnerability:
SECTRACK 1027005: http://www.securitytracker.com/id?1027005
3.180 CVE-2011-4007
3.180.1 Summary
Cisco IOS 15.0 and 15.1 and IOS XE 3.x do not properly handle the "set mpls experimental imposition" command, which allows remote attackers to cause a denial of service (device crash) via network traffic that triggers (1) fragmentation or (2) reassembly, aka Bug ID CSCtr56576.
CVSS rating entries (carried in the page margin and displaced here by extraction; in order they close the entry for 3.180 and give the entries for 3.181 to 3.183):
3.180: CVSSv2 Base AV:N/AC:H/Au:N/C:N/I:N/A:C (5.4); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.4); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 02/05/2012 (the Overall Rating MEDIUM and CVSSv2 Score 5.4 lines of this entry are carried under 3.177).
3.181: Overall Rating MEDIUM; CVSSv2 Score 5.4; CVSSv2 Base AV:N/AC:H/Au:N/C:N/I:N/A:C (5.4); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.4); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 02/05/2012.
3.182: Overall Rating MEDIUM; CVSSv2 Score 5.4; CVSSv2 Base AV:N/AC:H/Au:N/C:N/I:N/A:C (5.4); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.4); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 03/05/2012.
3.183: Overall Rating MEDIUM; CVSSv2 Score 5.1; CVSSv2 Base AV:N/AC:H/Au:N/C:P/I:P/A:P (5.1); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.1); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 27/03/2008.
3.180.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.180.3 References
The following references contain further information about this vulnerability:
Web link: http://www.cisco.com/en/US/docs/ios/ios_xe/3/release/notes/asr1k_caveats_33s.html
SECTRACK 1027005: http://www.securitytracker.com/id?1027005
3.181 CVE-2011-4016
3.181.1 Summary
The PPP implementation in Cisco IOS 12.2 and 15.0 through 15.2, when Point-to-Point Termination and Aggregation (PTA) and L2TP are used, allows remote attackers to cause a denial of service (device crash) via crafted network traffic, aka Bug ID CSCtf71673.
3.181.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.181.3 References
The following references contain further information about this vulnerability:
Web link: http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151-2TCAVS.html
SECTRACK 1027005: http://www.securitytracker.com/id?1027005
3.182 CVE-2011-4019
3.182.1 Summary
Memory leak in Cisco IOS 12.4 and 15.0 through 15.2, and Cisco Unified Communications Manager (CUCM) 7.x, allows remote attackers to cause a denial of service (memory consumption) via a crafted response to a SIP SUBSCRIBE message, aka Bug IDs CSCto93837 and CSCtj61883.
3.182.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.182.3 References
The following references contain further information about this vulnerability:
Web link: http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TCAVS.html
Web link: http://www.cisco.com/web/software/282074295/90289/cucm-readme-715bsu5.pdf
3.183 CVE-2008-1156
3.183.1 Summary
Unspecified vulnerability in the Multicast Virtual Private Network (MVPN) implementation in Cisco IOS 12.0, 12.2, 12.3, and 12.4 allows remote attackers to create "extra multicast states on the core routers" via a crafted Multicast Distribution Tree (MDT) Data Join message.
3.183.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.183.3 References
The following references contain further information about this vulnerability:
CISCO 20080326 Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak: http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
BID 28464: http://www.securityfocus.com/bid/28464
SECTRACK 1019715: http://www.securitytracker.com/id?1019715
CERT TA08-087B: http://www.us-cert.gov/cas/techalerts/TA08-087B.html
VUPEN ADV-2008-1006: http://www.vupen.com/english/advisories/2008/1006/references
XF cisco-ios-mvpm-information-disclosure(41468): http://xforce.iss.net/xforce/xfdb/41468
CVSS rating entries (carried in the page margin and displaced here by extraction; in order they are the entries for findings 3.184 and 3.185):
3.184: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:N/I:N/A:P (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 27/07/2004.
3.185: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:N/I:N/A:P (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 31/12/2004.
3.184 CVE-2004-0714
3.184.1 Summary
Cisco Internetwork Operating System (IOS) 12.0S through 12.3T attempts to process SNMP solicited operations on improper ports (UDP 162 and a randomly chosen UDP port), which allows remote attackers to cause a denial of service (device reload and memory corruption).
3.184.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.184.3 Vendor Security Advisories
The following security advisories contain more specific information direct from the manufacturer about this vulnerability:
CISCO 20040420 Vulnerabilities in SNMP Message Processing: http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml
CERT-VN VU#162451: http://www.kb.cert.org/vuls/id/162451
BID 10186: http://www.securityfocus.com/bid/10186
CERT TA04-111B: http://www.us-cert.gov/cas/techalerts/TA04-111B.html
3.184.4 Reference
The following reference contains further information about this vulnerability:
XF cisco-ios-snmp-udp-dos(15921): http://xforce.iss.net/xforce/xfdb/15921
3.185 CVE-2004-1454
3.185.1 Summary
Cisco IOS 12.0S, 12.2, and 12.3, with Open Shortest Path First (OSPF) enabled, allows remote attackers to cause a denial of service (device reload) via a malformed OSPF packet.
3.185.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.185.3 Vendor Security Advisories
The following security advisories contain more specific information direct from the manufacturer about this vulnerability:
CIAC O-199: http://www.ciac.org/ciac/bulletins/o-199.shtml
CISCO 20040818 Cisco IOS Malformed OSPF Packet Causes Reload: http://www.cisco.com/warp/public/707/cisco-sa-20040818-ospf.shtml
CERT-VN VU#989406: http://www.kb.cert.org/vuls/id/989406
3.185.4 References
The following references contain further information about this vulnerability:
BID 10971: http://www.securityfocus.com/bid/10971
XF cisco-ios-ospf-dos(17033): http://xforce.iss.net/xforce/xfdb/17033
CVSS rating entries (carried in the page margin and displaced here by extraction; in order they are the entries for findings 3.186 to 3.188):
3.186: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:N/I:N/A:P (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 31/12/2004.
3.187: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:N/I:N/A:P (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 19/01/2005.
3.188: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:N/I:N/A:P (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 02/05/2005.
3.186 CVE-2004-1464
3.186.1 Summary
Cisco IOS 12.2(15) and earlier allows remote attackers to cause a denial of service (refused VTY (virtual terminal) connections) via a crafted TCP connection to the Telnet or reverse Telnet port.
3.186.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.186.3 Vendor Security Advisories
The following security advisories contain more specific information direct from the manufacturer about this vulnerability:
CISCO 20040827 Cisco Telnet Denial of Service Vulnerability: http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml
CERT-VN VU#384230: http://www.kb.cert.org/vuls/id/384230
3.186.4 References
The following references contain further information about this vulnerability:
SECTRACK 1011079: http://securitytracker.com/id?1011079
BID 11060: http://www.securityfocus.com/bid/11060
XF cisco-ios-telnet-dos(17131): http://xforce.iss.net/xforce/xfdb/17131
3.187 CVE-2005-0186
3.187.1 Summary
Cisco IOS 12.1YD, 12.2T, 12.3 and 12.3T, when configured for the IOS Telephony Service (ITS), CallManager Express (CME) or Survivable Remote Site Telephony (SRST), allows remote attackers to cause a denial of service (device reboot) via a malformed packet to the SCCP port.
3.187.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.187.3 Vendor Security Advisories
The following security advisories contain more specific information direct from the manufacturer about this vulnerability:
CISCO 20050119 Vulnerability in Cisco IOS Embedded Call Processing Solutions: http://www.cisco.com/warp/public/707/cisco-sa-20050119-itscme.shtml
XF cisco-ios-sccp-dos(18956): http://xforce.iss.net/xforce/xfdb/18956
3.187.4 Reference
The following reference contains further information about this vulnerability:
SECTRACK 1012945: http://securitytracker.com/id?1012945
3.188 CVE-2005-0195
3.188.1 Summary
Cisco IOS 12.0S through 12.3YH allows remote attackers to cause a denial of service (device restart) via a crafted IPv6 packet.
3.188.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.188.3 Vendor Security Advisories
The following security advisories contain more specific information direct from the manufacturer about this vulnerability:
CISCO 20050126 Multiple Crafted IPv6 Packets Cause Reload: http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml
CERT-VN VU#472582: http://www.kb.cert.org/vuls/id/472582
CERT TA05-026A: http://www.us-cert.gov/cas/techalerts/TA05-026A.html
XF cisco-ios-ipv6-dos(19072): http://xforce.iss.net/xforce/xfdb/19072
CVSS rating entries (carried in the page margin and displaced here by extraction; in order they are the entries for findings 3.189 and 3.190):
3.189: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:N/I:N/A:P (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 02/05/2005.
3.190: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:N/I:N/A:P (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 18/11/2005.
3.189 CVE-2005-0196
3.189.1 Summary
Cisco IOS 12.0 through 12.3YL, with BGP enabled and running the bgp log-neighbor-changes command, allows remote attackers to cause a denial of service (device reload) via a malformed BGP packet.
3.189.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.189.3 Vendor Security Advisories
The following security advisories contain more specific information direct from the manufacturer about this vulnerability:
CISCO 20050126 Cisco IOS Misformed BGP Packet Causes Reload: http://www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml
CERT-VN VU#689326: http://www.kb.cert.org/vuls/id/689326
CERT TA05-026A: http://www.us-cert.gov/cas/techalerts/TA05-026A.html
XF cisco-ios-bgp-packetdos(19074): http://xforce.iss.net/xforce/xfdb/19074
3.189.4 Reference
The following reference contains further information about this vulnerability:
SECTRACK 1013013: http://securitytracker.com/id?1013013
3.190 CVE-2005-3669
3.190.1 Summary
Multiple unspecified vulnerabilities in the Internet Key Exchange version 1 (IKEv1) implementation in multiple Cisco products allow remote attackers to cause a denial of service (device reset) via certain malformed IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. NOTE: due to the lack of details in the Cisco advisory, it is unclear which of CVE-2005-3666, CVE-2005-3667, and/or CVE-2005-3668 this issue applies to.
3.190.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.190.3 Vendor Security Advisories
The following security advisories contain more specific information direct from the manufacturer about this vulnerability:
CISCO 20051114 Multiple Vulnerabilities Found by PROTOS IPSec Test Suite: http://www.cisco.com/warp/public/707/cisco-sa-20051114-ipsec.shtml
CERT-VN VU#226364: http://www.kb.cert.org/vuls/id/226364
MISC: http://www.niscc.gov.uk/niscc/docs/br-20051114-01013.html?lang=en
3.190.4 References
The following references contain further information about this vulnerability:
MISC: http://jvn.jp/niscc/NISCC-273756/index.html
SECTRACK 1015198: http://securitytracker.com/id?1015198
SECTRACK 1015199: http://securitytracker.com/id?1015199
SECTRACK 1015200: http://securitytracker.com/id?1015200
SECTRACK 1015201: http://securitytracker.com/id?1015201
SECTRACK 1015202: http://securitytracker.com/id?1015202
MISC: http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/isakmp/
BID 15401: http://www.securityfocus.com/bid/15401
CVSS rating entries (carried in the page margin and displaced here by extraction; in order they are the entries for findings 3.191 and 3.192):
3.191: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:N/I:N/A:P (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 20/08/2007.
3.192: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:N/I:N/A:P (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 07/01/2011.
3.191 CVE-2007-4430
3.191.1 Summary
Unspecified vulnerability in Cisco IOS 12.0 through 12.4 allows context-dependent attackers to cause a denial of service (device restart and BGP routing table rebuild) via certain regular expressions in a "show ip bgp regexp" command. NOTE: unauthenticated remote attacks are possible in environments with anonymous telnet and Looking Glass access.
3.191.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.191.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
VUPEN ADV-2007-3136: http://www.vupen.com/english/advisories/2007/3136
3.191.4 References
The following references contain further information about this vulnerability:
MISC: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddf7bc9
CISCO 20070912 Cisco IOS Reload on Regular Expression Processing: http://www.cisco.com/en/US/products/products_security_response09186a00808bb91c.html
MISC: http://www.heise-security.co.uk/news/94526/
BID 25352: http://www.securityfocus.com/bid/25352
SECTRACK 1018685: http://www.securitytracker.com/id?1018685
MLIST [cisco-nsp] 20070817 Heads up: "sh ip bgp regexp" crashing router: https://puck.nether.net/pipermail/cisco-nsp/2007-August/043002.html
MLIST [cisco-nsp] 20070817 About the posting entitled "Heads up: "sh ip bgp regexp" crashing router": https://puck.nether.net/pipermail/cisco-nsp/2007-August/043010.html
3.192 CVE-2010-4687
3.192.1 Summary
STCAPP (aka the SCCP telephony control application) on Cisco IOS before 15.0(1)XA1 does not properly handle multiple calls to a shared line, which allows remote attackers to cause a denial of service (port hang) by simultaneously ending two calls that were controlled by CallManager Express (CME), aka Bug ID CSCtd42552.
3.192.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - CiscoIOS15.
3.192.3 References
The following references contain further information about this vulnerability:
Web link: http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf
BID 45769: http://www.securityfocus.com/bid/45769
XF ciscoios-stcapp-dos(64584): http://xforce.iss.net/xforce/xfdb/64584
CVSS rating entries (carried in the page margin and displaced here by extraction; in order they are the entries for findings 3.193 to 3.195):
3.193: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:P/I:N/A:N (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 21/10/2011.
3.194: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:N/I:P/A:N (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 08/06/2011.
3.195: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:N/I:P/A:N (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 02/05/2012.
3.193 CVE-2011-2059
3.193.1 Summary
The ipv6 component in Cisco IOS before 15.1(4)M1.3 allows remote attackers to conduct fingerprinting attacks and obtain potentially sensitive information about the presence of the IOS operating system via an ICMPv6 Echo Request packet containing a Hop-by-Hop (HBH) extension header (EH) with a 0x0c01050c value in the PadN option data, aka Bug ID CSCtq02219.
3.193.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - CiscoIOS15.
3.193.3 References
The following references contain further information about this vulnerability:
Web link: http://blogs.cisco.com/security/1999tcp-redux-the-ipv6-flavor
Web link: http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=36606&signatureSubId=0
3.194 CVE-2011-2395
3.194.1 Summary
The Neighbor Discovery (ND) protocol implementation in Cisco IOS on unspecified switches allows remote attackers to bypass the Router Advertisement Guarding functionality via a fragmented IPv6 packet in which the Router Advertisement (RA) message is contained in the second fragment, as demonstrated by (1) a packet in which the first fragment contains a long Destination Options extension header or (2) a packet in which the first fragment contains an ICMPv6 Echo Request message.
3.194.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.194.3 References
The following references contain further information about this vulnerability:
FULLDISC 20110523 Bypassing Cisco's ICMPv6 Router Advertisement Guard feature: http://seclists.org/fulldisclosure/2011/May/446
SREASON 8271: http://securityreason.com/securityalert/8271
XF ciscoios-nd-security-bypass(67940): http://xforce.iss.net/xforce/xfdb/67940
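Findings 3.193 and 3.194 both turn on how an IPv6 extension-header chain is inspected: 3.193 is a fingerprint probe that places non-zero data in a Hop-by-Hop PadN option, and 3.194 defeats RA Guard by pushing the Router Advertisement into the second fragment behind a long Destination Options header. The Python below is an added example written for this report (not Nipper Studio or Cisco code). It walks the header chain of a raw IPv6 packet and applies the filter rules later standardised for exactly these cases: RFC 7112 (a first fragment must carry the entire header chain), RFC 6980 (Neighbor Discovery messages are never fragmented) and the RFC 8200 requirement that PadN option data be zero. The sample packets, the addresses fe80::1 and ff02::1, and all function names are constructed for the example.

```python
"""Header-chain checks for the IPv6 Neighbor Discovery findings 3.193 and 3.194.

Added example for this report, not Nipper Studio code. The packets are built by
hand in constructed_samples(); nothing is read from the network.
"""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, ICMPV6 = 0, 43, 44, 60, 58
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
ND_TYPES = range(133, 138)          # RS, RA, NS, NA, Redirect
PAD1, PADN = 0, 1


def parse_options(data):
    """Decode the TLV option block of a Hop-by-Hop or Destination Options header."""
    opts, i = [], 0
    while i < len(data):
        if data[i] == PAD1:
            opts.append((PAD1, b''))
            i += 1
            continue
        if i + 1 >= len(data):
            break                          # truncated option, stop decoding
        length = data[i + 1]
        opts.append((data[i], bytes(data[i + 2:i + 2 + length])))
        i += 2 + length
    return opts


def walk_chain(pkt):
    """Follow the extension-header chain of one IPv6 packet.

    'upper' is the upper-layer protocol number, or None when the chain is not
    contained in this packet; 'frag_offset' is None when no Fragment header is
    present; 'hbh' holds the decoded Hop-by-Hop options."""
    info = {'upper': None, 'offset': None, 'frag_offset': None, 'hbh': []}
    nxt, off = pkt[6], 40
    while True:
        if nxt not in EXT_HEADERS:
            info['upper'], info['offset'] = nxt, off
            return info
        if off + 8 > len(pkt):
            return info                    # chain cut off by the end of the data
        if nxt == FRAGMENT:
            info['frag_offset'] = struct.unpack('!H', pkt[off + 2:off + 4])[0] >> 3
            nxt, off = pkt[off], off + 8
            if info['frag_offset']:
                return info                # non-first fragment: payload, not headers
            continue
        hdr_len = (pkt[off + 1] + 1) * 8
        if off + hdr_len > len(pkt):
            return info                    # header declared longer than the data present
        if nxt == HOP_BY_HOP:
            info['hbh'] = parse_options(pkt[off + 2:off + hdr_len])
        nxt, off = pkt[off], off + hdr_len


def assess(pkt):
    """Return the decisions an RA Guard style inspector should take for one packet."""
    findings = []
    info = walk_chain(pkt)
    fragmented = info['frag_offset'] is not None
    if info['upper'] is None and (not fragmented or info['frag_offset'] == 0):
        # RFC 7112: the first fragment must carry the whole header chain. A long
        # Destination Options header that pushes the RA into fragment two (3.194)
        # fails this test and is dropped without needing to see the RA itself.
        findings.append('drop: header chain not contained in first fragment (RFC 7112)')
    elif info['upper'] == ICMPV6 and info['offset'] < len(pkt):
        if pkt[info['offset']] in ND_TYPES and fragmented:
            # RFC 6980: Neighbor Discovery messages are never fragmented.
            findings.append('drop: fragmented Neighbor Discovery message (RFC 6980)')
    for opt_type, data in info['hbh']:
        # RFC 8200 requires PadN data to be zero bytes; the value from 3.193 is a probe.
        if opt_type == PADN and any(data):
            findings.append('alert: Hop-by-Hop PadN with non-zero data ' + data.hex())
    return findings


def ipv6(next_header, payload):
    """Fixed IPv6 header, constructed source fe80::1 and destination ff02::1."""
    src = bytes.fromhex('fe80' + '00' * 13 + '01')
    dst = bytes.fromhex('ff02' + '00' * 13 + '01')
    return struct.pack('!IHBB', 0x60000000, len(payload), next_header, 255) + src + dst + payload


def constructed_samples():
    def fragment(nxt, offset, more):
        return struct.pack('!BBHI', nxt, 0, (offset << 3) | more, 0x1234)
    ra = struct.pack('!BBHBBHII', 134, 0, 0, 64, 0, 1800, 0, 0)       # Router Advertisement
    echo = struct.pack('!BBHHH', 128, 0, 0, 1, 1)                      # Echo Request
    long_dstopts = bytes([ICMPV6, 32]) + bytes(262)                    # declares 264 bytes
    probe_hbh = bytes([ICMPV6, 0, PADN, 4, 0x0c, 0x01, 0x05, 0x0c])    # PadN data from 3.193
    return {
        'plain_ra': ipv6(ICMPV6, ra),
        # first fragment carries only 64 of the 264 Destination Options bytes; RA would follow
        'ra_guard_bypass_frag1': ipv6(FRAGMENT, fragment(DEST_OPTS, 0, 1) + long_dstopts[:64]),
        'fragmented_ra': ipv6(FRAGMENT, fragment(ICMPV6, 0, 0) + ra),
        'hbh_fingerprint_probe': ipv6(HOP_BY_HOP, probe_hbh + echo),
    }


def run():
    return {name: assess(pkt) for name, pkt in constructed_samples().items()}


if __name__ == '__main__':
    for name, findings in run().items():
        print(name, '->', findings or ['pass'])
```

A non-first fragment returns no finding on its own, because without the first fragment its payload type cannot be known; the RFC 7112 rule is what makes that acceptable, since any first fragment that hides the chain is already dropped.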
3.195 CVE-2012-0338
3.195.1 Summary
Cisco IOS 12.2 through 12.4 and 15.0 does not recognize the vrf-also keyword during enforcement of access-class commands, which allows remote attackers to establish SSH connections from arbitrary source IP addresses via a standard SSH client, aka Bug ID CSCsv86113.
3.195.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - CiscoIOS15.
3.195.3 References
The following references contain further information about this vulnerability:
Web link: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/caveats_SXH_rebuilds.html
SECTRACK 1027005: http://www.securitytracker.com/id?1027005
Web link: https://supportforums.cisco.com/thread/2030226
3.196 CVE-2012-0339
3.196.1 Summary
Cisco IOS 12.2 through 12.4 and 15.0 does not recognize the vrf-also keyword during enforcement of access-class commands, which allows remote attackers to establish TELNET connections from arbitrary source IP addresses via a standard TELNET client, aka Bug ID CSCsi77774.
CVSS rating entries (carried in the page margin and displaced here by extraction; in order they are the entries for findings 3.196 to 3.199):
3.196: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:N/I:P/A:N (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 02/05/2012.
3.197: Overall Rating MEDIUM; CVSSv2 Score 5.0; C​VSSv2 Base AV:N/AC:L/Au:N/C:N/I:N/A:P (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 06/08/2012.
3.198: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:N/I:N/A:P (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 04/04/2014.
3.199: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:N/I:P/A:N (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 20/04/2016.
3.196.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - CiscoIOS15.
3.196.3 References
The following references contain further information about this vulnerability:
Web link: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/caveats_SXF_rebuilds.html
SECTRACK 1027005: http://www.securitytracker.com/id?1027005
3.197 CVE-2012-1367
3.197.1 Summary
The MallocLite implementation in Cisco IOS 12.0, 12.2, 15.0, 15.1, and 15.2 allows remote attackers to cause a denial of service (Route Processor crash) via a BGP UPDATE message with a modified local-preference (aka LOCAL_PREF) attribute length, aka Bug ID CSCtq06538.
3.197.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.197.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
Web link: http://www.cisco.com/en/US/docs/ios/12_2sr/release/notes/122SRcavs1.html
3.198 CVE-2014-2143
3.198.1 Summary
The IKE implementation in Cisco IOS 15.4(1)T and earlier and IOS XE allows remote attackers to cause a denial of service (security-association drop) via crafted Main Mode packets, aka Bug ID CSCun31021.
3.198.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.198.3 Vendor Security Advisories
The following security advisories contain more specific information direct from the manufacturer about this vulnerability:
CISCO 20140403 Cisco IOS Software IKE Main Mode Vulnerability: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2143
Web link: http://tools.cisco.com/security/center/viewAlert.x?alertId=33639
3.199 CVE-2016-1384
3.199.1 Summary
The NTP implementation in Cisco IOS 15.1 and 15.5 and IOS XE 3.2 through 3.17 allows remote attackers to modify the system time via crafted packets, aka Bug ID CSCux46898.
3.199.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - CiscoIOS15.
3.199.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160419 Cisco IOS and Cisco IOS XE ntp Subsystem Unauthorized Access Vulnerability: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160419-ios
3.199.4 Reference
The following reference contains further information about this vulnerability:
BID 86685: http://www.securityfocus.com/bid/86685
CVSS rating entries (carried in the page margin and displaced here by extraction; in order they are the entries for findings 3.200 and 3.201 and the first lines of 3.202):
3.200: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:N/I:N/A:P (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 29/05/2016.
3.201: Overall Rating MEDIUM; CVSSv2 Score 5.0; CVSSv2 Base AV:N/AC:L/Au:N/C:P/I:N/A:N (5.0); CVSSv2 Temporal E:ND/RL:ND/RC:ND (5.0); CVSSv2 Environmental CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND; Published 18/09/2016.
3.202: Overall Rating MEDIUM; CVSSv2 Score 4.9 (the remaining lines of this entry are carried under 3.202).
3.200 CVE-2016-1409
3.200.1 Summary
The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in Cisco IOS XE 2.1 through 3.17S, IOS XR 2.0.0 through 5.3.2, and NX-OS allows remote attackers to cause a denial of service (packet-processing outage) via crafted ND messages, aka Bug ID CSCuz66542, as exploited in the wild in May 2016.
3.200.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - CiscoIOS15.
3.200.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160525 Cisco Products IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6
3.200.4 References
The following references contain further information about this vulnerability:
Web link: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160824-01-ipv6-en
BID 90872: http://www.securityfocus.com/bid/90872
3.201 CVE-2016-6415
3.201.1 Summary
The server IKEv1 implementation in Cisco IOS 12.2 through 12.4 and 15.0 through 15.6, IOS XE through 3.18S, IOS XR 4.3.x and 5.0.x through 5.2.x, and PIX before 7.0 allows remote attackers to obtain sensitive information from device memory via a Security Association (SA) negotiation request, aka Bug IDs CSCvb29204 and CSCvb36055 or BENIGNCERTAIN.
3.201.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - CiscoIOS15.
3.201.3 Vendor Security Advisories
The following security advisories contain more specific information direct from the manufacturer about this vulnerability:
CISCO 20160916 IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
BID 93003: http://www.securityfocus.com/bid/93003
3.202 CVE-2016-1459
3.202.1 Summary
Cisco IOS 12.4 and 15.0 through 15.5 and IOS XE 3.13 through 3.17 allow remote authenticated users to cause a denial of service (device reload) via crafted attributes in a BGP message, aka Bug ID CSCuz21061.
CVSS v2 rating for CVE-2016-1459 (section 3.202):
CVSS v2 Base: AV:N/AC:H/Au:S/C:N/I:N/A:C (4.9)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (4.9)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 17/07/2016
CVSS v2 rating for CVE-2006-0485 (section 3.203):
Overall Rating: MEDIUM
CVSS v2 Score: 4.6
CVSS v2 Base: AV:L/AC:L/Au:N/C:P/I:P/A:P (4.6)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (4.6)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 31/01/2006
CVSS v2 rating for CVE-2006-0486 (section 3.204):
Overall Rating: MEDIUM
CVSS v2 Score: 4.6
CVSS v2 Base: AV:L/AC:L/Au:N/C:P/I:P/A:P (4.6)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (4.6)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 31/01/2006
3.202.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.202.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20160715 Cisco IOS and IOS XE Software Border Gateway Protocol Message Processing Denial of Service Vulnerability Web link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160715-bgp.
3.202.4 Reference
The following reference contains further information about this vulnerability:
BID 91800 Web link: http://www.securityfocus.com/bid/91800.
3.203 CVE-2006-0485
3.203.1 Summary
The TCL shell in Cisco IOS 12.2(14)S before 12.2(14)S16, 12.2(18)S before 12.2(18)S11, and certain other releases before 25 January 2006 does not perform Authentication, Authorization, and Accounting (AAA) command authorization checks, which may allow local users to execute IOS EXEC commands that were prohibited via the AAA configuration, aka Bug ID CSCeh73049.
3.203.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.203.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20060125 Response to AAA Command Authorization by-pass Web link: http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml.
3.203.4 References
The following references contain further information about this vulnerability:
SECTRACK 1015543 Web link: http://securitytracker.com/id?1015543; BID 16383 Web link: http://www.securityfocus.com/bid/16383; VUPEN ADV-2006-0337 Web link: http://www.vupen.com/english/advisories/2006/0337; XF cisco-aaa-tcl-auth-bypass(24308) Web link: http://xforce.iss.net/xforce/xfdb/24308.
3.204 CVE-2006-0486
3.204.1 Summary
Certain Cisco IOS releases in 12.2S based trains with maintenance release number 25 and later, 12.3T based trains, and 12.4 based trains reuse a Tcl Shell process across login sessions of different local users on the same terminal if the first user does not use tclquit before exiting, which may cause subsequent local users to execute unintended commands or bypass AAA command authorization checks, aka Bug ID CSCef77770.
3.204.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.204.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20060125 Response to AAA Command Authorization by-pass Web link: http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml.
3.204.4 References
The following references contain further information about this vulnerability:
SECTRACK 1015543 Web link: http://securitytracker.com/id?1015543; XF cisco-aaa-tcl-auth-bypass(24308) Web link: http://xforce.iss.net/xforce/xfdb/24308.
CVSS v2 rating for CVE-2008-3821 (section 3.205):
Overall Rating: MEDIUM
CVSS v2 Score: 4.3
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:P/A:N (4.3)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (4.3)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 16/01/2009
CVSS v2 rating for CVE-2012-0362 (section 3.206):
Overall Rating: MEDIUM
CVSS v2 Score: 4.3
CVSS v2 Base: AV:N/AC:M/Au:N/C:N/I:P/A:N (4.3)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (4.3)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 02/05/2012
CVSS v2 rating for CVE-2010-4685 (section 3.207):
Overall Rating: MEDIUM
CVSS v2 Score: 4.0
3.205 CVE-2008-3821
3.205.1 Summary
Multiple cross-site scripting (XSS) vulnerabilities in the HTTP server in Cisco IOS 11.0 through 12.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the ping program or (2) unspecified other aspects of the URI.
3.205.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.205.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20090114 Cisco IOS Cross-Site Scripting Vulnerabilities Web link: http://www.cisco.com/en/US/products/products_security_response09186a0080a5c501.html.
3.205.4 References
The following references contain further information about this vulnerability:
JVN JVN#28344798 Web link: http://jvn.jp/en/jp/JVN28344798/index.html; SREASON 4916 Web link: http://securityreason.com/securityalert/4916; SECTRACK 1021598 Web link: http://securitytracker.com/id?1021598; MISC Web link: http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-19; BUGTRAQ 20090114 PR08-19: XSS on Cisco IOS HTTP Server Web link: http://www.securityfocus.com/archive/1/archive/1/500063/100/0/threaded; BID 33260 Web link: http://www.securityfocus.com/bid/33260; VUPEN ADV-2009-0138 Web link: http://www.vupen.com/english/advisories/2009/0138; XF cisco-ios-httpserver-ping-xss(47947) Web link: http://xforce.iss.net/xforce/xfdb/47947.
3.206 CVE-2012-0362
3.206.1 Summary
The extended ACL functionality in Cisco IOS 12.2(58)SE2 and 15.0(1)SE discards all lines that end with a log or time keyword, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by sending network traffic, aka Bug ID CSCts01106.
3.206.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.206.3 References
The following references contain further information about this vulnerability:
MLIST [cisco-nsp] 20120202 Ambiguous ACL "log" in 12.2(58)SE2? Web link: http://puck.nether.net/pipermail/cisco-nsp/2012-February/083517.html; SECTRACK 1027005 Web link: http://www.securitytracker.com/id?1027005.
3.207 CVE-2010-4685
3.207.1 Summary
Cisco IOS before 15.0(1)XA1 does not clear the public key cache upon a change to a certificate map, which allows remote authenticated users to bypass a certificate ban by connecting with a banned certificate that had previously been valid, aka Bug ID CSCta79031.
CVSS v2 rating for CVE-2010-4685 (section 3.207):
CVSS v2 Base: AV:N/AC:L/Au:S/C:P/I:N/A:N (4.0)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (4.0)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 07/01/2011
CVSS v2 rating for CVE-2011-3289 (section 3.208):
Overall Rating: MEDIUM
CVSS v2 Score: 3.6
CVSS v2 Base: AV:L/AC:L/Au:N/C:P/I:P/A:N (3.6)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (3.6)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 02/05/2012
CVSS v2 rating for CVE-2012-3923 (section 3.209):
Overall Rating: MEDIUM
CVSS v2 Score: 3.5
CVSS v2 Base: AV:N/AC:M/Au:S/C:N/I:N/A:P (3.5)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (3.5)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 16/09/2012
CVSS v2 rating for CVE-2005-3921 (section 3.210):
Overall Rating: LOW
CVSS v2 Score: 2.6
CVSS v2 Base: AV:N/AC:H/Au:N/C:N/I:P/A:N (2.6)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (2.6)
3.207.2 Affected Devices
The following 2 audited devices were affected by this security vulnerability:
Cisco Router - router03; Cisco Router - CiscoIOS15.
3.207.3 References
The following references contain further information about this vulnerability:
Web link: http://www.cisco.com/en/US/docs/ios/15_0/15_0x/15_01_XA/rn800xa.pdf; BID 45769 Web link: http://www.securityfocus.com/bid/45769; XF ciscoios-certificate-security-bypass(64586) Web link: http://xforce.iss.net/xforce/xfdb/64586.
3.208 CVE-2011-3289
3.208.1 Summary
Cisco IOS 12.4 and 15.0 through 15.2 allows physically proximate attackers to bypass the No Service Password-Recovery feature and read the start-up configuration via unspecified vectors, aka Bug ID CSCtr97640.
3.208.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.208.3 References
The following references contain further information about this vulnerability:
Web link: http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151-2TCAVS.html; SECTRACK 1027005 Web link: http://www.securitytracker.com/id?1027005.
3.209 CVE-2012-3923
3.209.1 Summary
The SSL VPN implementation in Cisco IOS 12.4, 15.0, 15.1, and 15.2, when DTLS is not enabled, does not properly handle certain outbound ACL configurations, which allows remote authenticated users to cause a denial of service (device crash) via a session involving a PPP over ATM (PPPoA) interface, aka Bug ID CSCte41827.
3.209.2 Affected Device
The Cisco Router CiscoIOS15 was affected by this security vulnerability.
3.209.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
Web link: http://www.cisco.com/en/US/docs/ios/15_2m_and_t/release/notes/152-1TCAVS.html.
3.209.4 Reference
The following reference contains further information about this vulnerability:
XF ciscoios-sslvpn-dtls-dos(78670) Web link: http://xforce.iss.net/xforce/xfdb/78670.
3.210 CVE-2005-3921
3.210.1 Summary
Cross-site scripting (XSS) vulnerability in Cisco IOS Web Server for IOS 12.0(2a) allows remote attackers to inject arbitrary web script or HTML by (1) packets containing HTML that an administrator views via an HTTP interface to the contents of memory buffers, as demonstrated by the URI /level/15/exec/-/buffers/assigned/dump; or (2) sending the router Cisco Discovery Protocol (CDP) packets with HTML payload that an administrator views via the CDP status pages. NOTE: these vectors were originally reported as being associated with the dump and packet options in /level/15/exec/-/show/buffers.
CVSS v2 rating for CVE-2005-3921 (section 3.210):
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 30/11/2005
CVSS v2 rating for CVE-2005-2451 (section 3.211):
Overall Rating: LOW
CVSS v2 Score: 2.1
CVSS v2 Base: AV:L/AC:L/Au:N/C:N/I:N/A:P (2.1)
CVSS v2 Temporal: E:ND/RL:ND/RC:ND (2.1)
CVSS v2 Environmental: CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Published: 03/08/2005
3.210.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.210.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
MISC Web link: http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/cisco/index.html.
3.210.4 References
The following references contain further information about this vulnerability:
SREASON 227 Web link: http://securityreason.com/securityalert/227; SECTRACK 1015275 Web link: http://securitytracker.com/id?1015275; CISCO 20051201 IOS HTTP Server Command Injection Vulnerability Web link: http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml; IDEFENSE 20060117 Cisco Systems IOS 11 Web Service CDP Status Page Code Injection Vulnerability Web link: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=372; BUGTRAQ 20051128 - Cisco IOS HTTP Server code injection/execution vulnerability - Web link: http://www.securityfocus.com/archive/1/archive/1/417916/100/0/threaded; BID 15602 Web link: http://www.securityfocus.com/bid/15602; BID 16291 Web link: http://www.securityfocus.com/bid/16291; VUPEN ADV-2005-2657 Web link: http://www.vupen.com/english/advisories/2005/2657.
3.211 CVE-2005-2451
3.211.1 Summary
Cisco IOS 12.0 through 12.4 and IOS XR before 3.2, with IPv6 enabled, allows remote attackers on a local network segment to cause a denial of service (device reload) and possibly execute arbitrary code via a crafted IPv6 packet.
3.211.2 Affected Device
The Cisco Router router03 was affected by this security vulnerability.
3.211.3 Vendor Security Advisory
The following security advisory provides more information about this vulnerability from the manufacturer:
CISCO 20050729 IPv6 Crafted Packet Vulnerability Web link: http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.
3.211.4 References
The following references contain further information about this vulnerability:
FULLDISC 20050729 Cisco IOS Shellcode Presentation Web link: http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0663.html; SECTRACK 1014598 Web link: http://securitytracker.com/id?1014598; CERT-VN VU#930892 Web link: http://www.kb.cert.org/vuls/id/930892; BID 14414 Web link: http://www.securityfocus.com/bid/14414; CERT TA05-210A Web link: http://www.us-cert.gov/cas/techalerts/TA05-210A.html; XF cisco-ios-ipv6-packet-command-execution(21591) Web link: http://xforce.iss.net/xforce/xfdb/21591.
3.212 Conclusions
Nipper Studio performed a software vulnerability audit of the two devices listed in Table 83 on 2 March 2017. During the audit Nipper Studio identified 210 vulnerabilities, the most significant of which was rated as CRITICAL.
Table 83: Software vulnerability audit conclusions
Device Type Findings Highest
router03 Cisco Router 133 CRITICAL
CiscoIOS15 Cisco Router 132 CRITICAL
Table 84 lists the vulnerabilities identified during the audit and the affected devices.
Table 84: Vulnerability audit summary findings
Vulnerability CVSSv2 Score Rating Affected Devices Section
CVE-2006-4950 10.0 CRITICAL router03 3.2
CVE-2007-0480 10.0 CRITICAL router03 3.3
CVE-2010-0580 10.0 CRITICAL router03 3.4
CVE-2010-0581 10.0 CRITICAL router03 3.5
CVE-2011-0935 10.0 CRITICAL CiscoIOS15 3.6
CVE-2005-3481 9.3 CRITICAL router03 3.7
CVE-2006-3291 9.3 CRITICAL router03 3.8
CVE-2007-2586 9.3 CRITICAL router03 3.9
CVE-2007-4286 9.3 CRITICAL router03 3.10
CVE-2007-4292 9.3 CRITICAL router03 3.11
CVE-2007-5381 9.3 CRITICAL router03 3.12
CVE-2008-3807 9.3 CRITICAL router03 3.13
CVE-2011-4012 9.3 CRITICAL CiscoIOS15 3.14
CVE-2007-4285 9.0 CRITICAL router03 3.15
CVE-2009-0628 9.0 CRITICAL router03 3.16
CVE-2015-0635 9.0 CRITICAL CiscoIOS15 3.17
CVE-2008-3805 8.5 HIGH router03 3.18
CVE-2008-3806 8.5 HIGH router03 3.19
CVE-2012-0384 8.5 HIGH router03, CiscoIOS15 3.20
CVE-2016-6380 8.3 HIGH router03, CiscoIOS15 3.21
CVE-2007-0479 7.8 HIGH router03 3.22
CVE-2007-0481 7.8 HIGH router03 3.23
CVE-2007-0648 7.8 HIGH router03 3.24
CVE-2007-2813 7.8 HIGH router03 3.25
CVE-2008-1152 7.8 HIGH router03 3.26
CVE-2008-2739 7.8 HIGH router03 3.27
CVE-2008-3799 7.8 HIGH router03 3.28
CVE-2008-3808 7.8 HIGH router03 3.29
CVE-2009-0626 7.8 HIGH router03 3.30
CVE-2009-0631 7.8 HIGH router03 3.31
CVE-2009-0636 7.8 HIGH router03 3.32
CVE-2009-2866 7.8 HIGH router03 3.33
CVE-2009-2868 7.8 HIGH router03 3.34
CVE-2009-2870 7.8 HIGH router03 3.35
CVE-2009-5038 7.8 HIGH router03, CiscoIOS15 3.36
CVE-2009-5039 7.8 HIGH router03, CiscoIOS15 3.37
CVE-2010-0576 7.8 HIGH router03 3.38
CVE-2010-0578 7.8 HIGH router03 3.39
CVE-2010-0579 7.8 HIGH router03 3.40
CVE-2010-0582 7.8 HIGH router03, CiscoIOS15 3.41
CVE-2010-0585 7.8 HIGH router03 3.42
CVE-2010-0586 7.8 HIGH router03 3.43
CVE-2010-2828 7.8 HIGH router03, CiscoIOS15 3.44
CVE-2010-2829 7.8 HIGH router03, CiscoIOS15 3.45
CVE-2010-2831 7.8 HIGH router03, CiscoIOS15 3.46
CVE-2010-2832 7.8 HIGH router03, CiscoIOS15 3.47
CVE-2010-2833 7.8 HIGH router03, CiscoIOS15 3.48
CVE-2010-2834 7.8 HIGH router03, CiscoIOS15 3.49
CVE-2010-2835 7.8 HIGH router03, CiscoIOS15 3.50
CVE-2010-2836 7.8 HIGH CiscoIOS15 3.51
CVE-2010-4671 7.8 HIGH router03, CiscoIOS15 3.52
CVE-2010-4683 7.8 HIGH router03, CiscoIOS15 3.53
CVE-2010-4686 7.8 HIGH router03, CiscoIOS15 3.54
CVE-2011-0939 7.8 HIGH CiscoIOS15 3.55
CVE-2011-0944 7.8 HIGH CiscoIOS15 3.56
CVE-2011-0945 7.8 HIGH router03, CiscoIOS15 3.57
CVE-2011-0946 7.8 HIGH router03, CiscoIOS15 3.58
CVE-2011-2072 7.8 HIGH CiscoIOS15 3.59
CVE-2011-3270 7.8 HIGH CiscoIOS15 3.60
CVE-2011-3273 7.8 HIGH CiscoIOS15 3.61
CVE-2011-3275 7.8 HIGH CiscoIOS15 3.62
CVE-2011-3276 7.8 HIGH router03, CiscoIOS15 3.63
CVE-2011-3277 7.8 HIGH router03, CiscoIOS15 3.64
CVE-2011-3278 7.8 HIGH router03, CiscoIOS15 3.65
CVE-2011-3279 7.8 HIGH router03, CiscoIOS15 3.66
CVE-2011-3280 7.8 HIGH router03, CiscoIOS15 3.67
CVE-2011-3281 7.8 HIGH CiscoIOS15 3.68
CVE-2011-3282 7.8 HIGH CiscoIOS15 3.69
CVE-2012-0381 7.8 HIGH router03, CiscoIOS15 3.70
CVE-2012-0383 7.8 HIGH CiscoIOS15 3.71
CVE-2012-0385 7.8 HIGH CiscoIOS15 3.72
CVE-2012-0386 7.8 HIGH CiscoIOS15 3.73
CVE-2012-0387 7.8 HIGH CiscoIOS15 3.74
CVE-2012-0388 7.8 HIGH CiscoIOS15 3.75
CVE-2012-1310 7.8 HIGH CiscoIOS15 3.76
CVE-2012-1311 7.8 HIGH CiscoIOS15 3.77
CVE-2012-1315 7.8 HIGH CiscoIOS15 3.78
CVE-2012-1350 7.8 HIGH router03 3.79
CVE-2012-3949 7.8 HIGH router03, CiscoIOS15 3.80
CVE-2012-4618 7.8 HIGH CiscoIOS15 3.81
CVE-2012-4619 7.8 HIGH CiscoIOS15 3.82
CVE-2012-4620 7.8 HIGH CiscoIOS15 3.83
CVE-2012-4621 7.8 HIGH CiscoIOS15 3.84
CVE-2012-4623 7.8 HIGH router03, CiscoIOS15 3.85
CVE-2013-1142 7.8 HIGH router03, CiscoIOS15 3.86
CVE-2013-1145 7.8 HIGH CiscoIOS15 3.87
CVE-2013-1146 7.8 HIGH CiscoIOS15 3.88
CVE-2013-1147 7.8 HIGH router03, CiscoIOS15 3.89
CVE-2013-5474 7.8 HIGH router03, CiscoIOS15 3.90
CVE-2013-5475 7.8 HIGH router03, CiscoIOS15 3.91
CVE-2013-5477 7.8 HIGH CiscoIOS15 3.92
CVE-2013-5478 7.8 HIGH CiscoIOS15 3.93
CVE-2013-5479 7.8 HIGH CiscoIOS15 3.94
CVE-2013-5480 7.8 HIGH CiscoIOS15 3.95
CVE-2014-2108 7.8 HIGH CiscoIOS15 3.96
CVE-2014-2109 7.8 HIGH router03, CiscoIOS15 3.97
CVE-2014-3327 7.8 HIGH CiscoIOS15 3.98
CVE-2014-3354 7.8 HIGH CiscoIOS15 3.99
CVE-2014-3357 7.8 HIGH CiscoIOS15 3.100
CVE-2014-3358 7.8 HIGH CiscoIOS15 3.101
CVE-2015-0636 7.8 HIGH CiscoIOS15 3.102
CVE-2015-0637 7.8 HIGH CiscoIOS15 3.103
CVE-2015-0642 7.8 HIGH CiscoIOS15 3.104
CVE-2015-0643 7.8 HIGH CiscoIOS15 3.105
CVE-2015-0646 7.8 HIGH CiscoIOS15 3.106
CVE-2015-0647 7.8 HIGH CiscoIOS15 3.107
CVE-2015-0648 7.8 HIGH CiscoIOS15 3.108
CVE-2015-0649 7.8 HIGH CiscoIOS15 3.109
CVE-2015-0650 7.8 HIGH CiscoIOS15 3.110
CVE-2015-6278 7.8 HIGH CiscoIOS15 3.111
CVE-2015-6279 7.8 HIGH CiscoIOS15 3.112
CVE-2016-1348 7.8 HIGH router03, CiscoIOS15 3.113
CVE-2016-1349 7.8 HIGH CiscoIOS15 3.114
CVE-2016-6378 7.8 HIGH router03, CiscoIOS15 3.115
CVE-2016-6379 7.8 HIGH CiscoIOS15 3.116
CVE-2016-6382 7.8 HIGH router03, CiscoIOS15 3.117
CVE-2016-6384 7.8 HIGH router03, CiscoIOS15 3.118
CVE-2016-6385 7.8 HIGH CiscoIOS15 3.119
CVE-2016-6386 7.8 HIGH router03, CiscoIOS15 3.120
CVE-2016-6391 7.8 HIGH CiscoIOS15 3.121
CVE-2016-6392 7.8 HIGH CiscoIOS15 3.122
CVE-2005-1057 7.5 HIGH router03 3.123
CVE-2005-1058 7.5 HIGH router03 3.124
CVE-2005-2105 7.5 HIGH router03 3.125
CVE-2005-2841 7.5 HIGH router03 3.126
CVE-2005-1020 7.1 HIGH router03 3.127
CVE-2005-1021 7.1 HIGH router03 3.128
CVE-2006-0340 7.1 HIGH router03 3.129
CVE-2007-0918 7.1 HIGH router03 3.130
CVE-2007-4291 7.1 HIGH router03 3.131
CVE-2007-4293 7.1 HIGH router03 3.132
CVE-2007-5651 7.1 HIGH router03 3.133
CVE-2008-1153 7.1 HIGH router03 3.134
CVE-2008-3800 7.1 HIGH router03 3.135
CVE-2008-3801 7.1 HIGH router03 3.136
CVE-2008-3802 7.1 HIGH router03 3.137
CVE-2008-3809 7.1 HIGH router03 3.138
CVE-2008-4609 7.1 HIGH router03 3.139
CVE-2009-0630 7.1 HIGH router03 3.140
CVE-2009-0633 7.1 HIGH router03 3.141
CVE-2009-0634 7.1 HIGH router03 3.142
CVE-2009-2863 7.1 HIGH router03 3.143
CVE-2009-2873 7.1 HIGH router03 3.144
CVE-2010-0577 7.1 HIGH router03 3.145
CVE-2010-2830 7.1 HIGH router03, CiscoIOS15 3.146
CVE-2010-4684 7.1 HIGH router03, CiscoIOS15 3.147
CVE-2012-0382 7.1 HIGH router03, CiscoIOS15 3.148
CVE-2012-3950 7.1 HIGH router03, CiscoIOS15 3.149
CVE-2012-4622 7.1 HIGH CiscoIOS15 3.150
CVE-2013-1143 7.1 HIGH CiscoIOS15 3.151
CVE-2013-1167 7.1 HIGH CiscoIOS15 3.152
CVE-2013-5472 7.1 HIGH router03, CiscoIOS15 3.153
CVE-2013-5481 7.1 HIGH CiscoIOS15 3.154
CVE-2014-2107 7.1 HIGH CiscoIOS15 3.155
CVE-2014-2111 7.1 HIGH router03, CiscoIOS15 3.156
CVE-2014-3361 7.1 HIGH CiscoIOS15 3.157
CVE-2015-0638 7.1 HIGH CiscoIOS15 3.158
CVE-2015-0681 7.1 HIGH CiscoIOS15 3.159
CVE-2016-1344 7.1 HIGH router03, CiscoIOS15 3.160
CVE-2016-6381 7.1 HIGH router03, CiscoIOS15 3.161
CVE-2016-6393 7.1 HIGH router03, CiscoIOS15 3.162
CVE-2007-4295 6.8 MEDIUM router03 3.163
CVE-2009-2872 6.8 MEDIUM router03 3.164
CVE-2009-5040 6.8 MEDIUM router03, CiscoIOS15 3.165
CVE-2013-6686 6.8 MEDIUM CiscoIOS15 3.166
CVE-2016-1428 6.8 MEDIUM CiscoIOS15 3.167
CVE-2016-1432 6.8 MEDIUM CiscoIOS15 3.168
CVE-2007-0917 6.4 MEDIUM router03 3.169
CVE-2007-2587 6.3 MEDIUM router03 3.170
CVE-2012-1338 6.3 MEDIUM CiscoIOS15 3.171
CVE-2012-3895 6.3 MEDIUM CiscoIOS15 3.172
CVE-2005-0197 6.1 MEDIUM router03 3.173
CVE-2011-3274 6.1 MEDIUM CiscoIOS15 3.174
CVE-2012-1327 6.1 MEDIUM router03, CiscoIOS15 3.175
CVE-2016-1425 6.1 MEDIUM CiscoIOS15 3.176
CVE-2013-0149 5.8 MEDIUM CiscoIOS15 3.177
CVE-2011-1625 5.4 MEDIUM router03, CiscoIOS15 3.178
CVE-2011-2586 5.4 MEDIUM CiscoIOS15 3.179
CVE-2011-4007 5.4 MEDIUM CiscoIOS15 3.180
CVE-2011-4016 5.4 MEDIUM CiscoIOS15 3.181
CVE-2011-4019 5.4 MEDIUM CiscoIOS15 3.182
CVE-2008-1156 5.1 MEDIUM router03 3.183
CVE-2004-0714 5.0 MEDIUM router03 3.184
CVE-2004-1454 5.0 MEDIUM router03 3.185
CVE-2004-1464 5.0 MEDIUM router03 3.186
CVE-2005-0186 5.0 MEDIUM router03 3.187
CVE-2005-0195 5.0 MEDIUM router03 3.188
CVE-2005-0196 5.0 MEDIUM router03 3.189
CVE-2005-3669 5.0 MEDIUM router03 3.190
CVE-2007-4430 5.0 MEDIUM router03 3.191
CVE-2010-4687 5.0 MEDIUM router03, CiscoIOS15 3.192
CVE-2011-2059 5.0 MEDIUM router03, CiscoIOS15 3.193
CVE-2011-2395 5.0 MEDIUM router03 3.194
CVE-2012-0338 5.0 MEDIUM router03, CiscoIOS15 3.195
CVE-2012-0339 5.0 MEDIUM router03, CiscoIOS15 3.196
CVE-2012-1367 5.0 MEDIUM CiscoIOS15 3.197
CVE-2014-2143 5.0 MEDIUM CiscoIOS15 3.198
CVE-2016-1384 5.0 MEDIUM router03, CiscoIOS15 3.199
CVE-2016-1409 5.0 MEDIUM router03, CiscoIOS15 3.200
CVE-2016-6415 5.0 MEDIUM router03, CiscoIOS15 3.201
CVE-2016-1459 4.9 MEDIUM CiscoIOS15 3.202
CVE-2006-0485 4.6 MEDIUM router03 3.203
CVE-2006-0486 4.6 MEDIUM router03 3.204
CVE-2008-3821 4.3 MEDIUM router03 3.205
CVE-2012-0362 4.3 MEDIUM CiscoIOS15 3.206
CVE-2010-4685 4.0 MEDIUM router03, CiscoIOS15 3.207
CVE-2011-3289 3.6 MEDIUM CiscoIOS15 3.208
CVE-2012-3923 3.5 MEDIUM CiscoIOS15 3.209
CVE-2005-3921 2.6 LOW router03 3.210
CVE-2005-2451 2.1 LOW router03 3.211
The vulnerability database used during this audit contains only publicly known vulnerabilities and not undisclosed issues known only to the manufacturers and third parties. Furthermore, it is common for software vulnerabilities to additionally require specific services, protocols, configuration setup or device models in order for them to be exposed.
3.213 Recommendations
Nipper Studio strongly recommends that the latest software updates should be applied to the affected devices. When applying the latest software updates, usually all the known vulnerabilities will be resolved at once. Since software updates typically include stability, performance and feature improvements in addition to security fixes, it is worth reviewing and deploying the latest updates on a regular basis, not just for security reasons. Furthermore, manufacturers will sometimes resolve software vulnerabilities and roll the fixes into their latest software updates without a full disclosure of the issues being resolved.
When deploying a software update Nipper Studio recommends that:
the manufacturer's software update release notes should be reviewed in order to familiarize yourself with what is required, the procedure and any other pertinent information; you should make a backup of your existing configuration prior to the update; if you have access to a duplicate or contingency device then it is worth testing the procedure on that device prior to deploying the update to the live device.
Performing a software update on a device is not always straightforward and typically requires a reboot and downtime. Although Nipper Studio recommends installing the latest software updates to resolve software vulnerabilities, an alternative mitigation measure may be available. Software vulnerabilities often require specific configuration setups in order to be present, and the device manufacturer may publish configuration changes that make it possible to mitigate the exposure.
More information, support and software updates:
for Cisco Router devices visit http://support.cisco.com.
4 CIS Benchmark
4.1 CIS Cisco IOS 15 Benchmark
This document, Security Configuration Benchmark for Cisco IOS, provides prescriptive guidance for establishing a secure configuration posture for Cisco Router running Cisco IOS version 15.0M. This guide was tested against Cisco IOS IP Advanced IP Services v15.0.1 as installed by c880data-universalk9-mz.150-1.M4.bin. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at [email protected].
4.1.1 Management Plane
Services, settings and data streams related to setting up and examining the static configuration of the firewall, and the authentication and authorization of firewall administrators. Examples of management plane services include: administrative device access (telnet, ssh, http, and https), SNMP, and security protocols like RADIUS and TACACS+.
4.1.1.1 Local Authentication, Authorization and Accounting (AAA) Rules
Rules in the Local authentication, authorization and accounting (AAA) configuration class enforce device access control, provide a mechanism for tracking configuration changes, and enforce security policy.
4.1.1.1.1 Enable 'aaa new-model'
Table 85: Device Results (1.1.1)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
This command enables the AAA access control system.
Rationale
Authentication, authorization and accounting (AAA) services provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
Remediation
Globally enable authentication, authorization and accounting (AAA) using the new-model command.
hostname(config)# aaa new-model
Impact:
Implementing Cisco AAA is significantly disruptive as former access methods are immediately disabled. Therefore, before implementing Cisco AAA, the organization should carefully review and plan their authentication criteria (logins & passwords, challenges & responses, and token technologies), authorization methods, and accounting requirements.
4.1.1.1.2 Enable 'aaa authentication login'
Table 86: Device Results (1.1.2)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Sets authentication, authorization and accounting (AAA) authentication at login.
Rationale
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA. Fallback mode should also be enabled to allow emergency access to the router or switch in the event that the AAA server was unreachable, by utilizing the LOCAL keyword after the AAA server-tag.
Remediation
Configure AAA authentication method(s) for login authentication.
hostname(config)# aaa authentication login {default | aaa_list_name} [passwd-expiry] method1 [method2]
Impact:
Implementing Cisco AAA is significantly disruptive as former access methods are immediately disabled. Therefore, before implementing Cisco AAA, the organization should carefully review and plan their authentication methods such as logins and passwords, challenges and responses, and which token technologies will be used.
4.1.1.1.3 Enable 'aaa authentication enable default'
Table 87: Device Results (1.1.3)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Authenticates users who access privileged EXEC mode when they use the enable command.
Rationale
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA.
Remediation
Configure AAA authentication method(s) for enable authentication.
hostname(config)# aaa authentication enable default {method1} enable
Impact:
Enabling Cisco AAA 'authentication enable' mode is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling 'aaa authentication enable default' mode, the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.
4.1.1.1.4 Set 'login authentication' for 'line con 0'
Table 88: Device Results (1.1.4)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Authenticates users who access the router or switch using the serial console port.
Rationale
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA.
Remediation
Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)# line console 0
hostname(config-line)# login authentication {default | aaa_list_name}
Impact:
Enabling Cisco AAA 'line login' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'line login', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.
4.1.1.1.5 Set 'login authentication' for 'line tty'
Table 89: Device Results (1.1.5)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Authenticates users who access the router or switch using the TTY port.
Rationale
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA.
Remediation
Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)# line tty {line-number} [ending-line-number]
hostname(config-line)# login authentication {default | aaa_list_name}
Impact:
Enabling Cisco AAA 'login authentication for line TTY' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'login authentication for line TTY', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.
4.1.1.1.6 Set 'login authentication' for 'line vty'
Table 90: Device Results (1.1.6)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Authenticates users who access the router or switch remotely through the VTY port.
Rationale
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA.
Remediation
Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)# line vty {line-number} [ending-line-number]
hostname(config-line)# login authentication {default | aaa_list_name}
Impact:
Enabling Cisco AAA 'login authentication for line VTY' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'login authentication for line VTY', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.
4.1.1.1.7 Set 'aaa accounting' to log all privileged use commands using 'commands 15'
Table 91: Device Results (1.1.7)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Runs accounting for all commands at the specified privilege level.
Rationale
Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices. AAA Accounting provides a management and audit trail for user and administrative sessions through RADIUS or TACACS+.
Remediation
Configure AAA accounting for commands.
hostname(config)# aaa accounting commands 15 {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
Impact:
Enabling 'aaa accounting' for privileged commands records and sends activity to the accounting servers and enables organizations to monitor and analyze privileged activity.
4.1.1.1.8 Set 'aaa accounting connection'
Table 92: Device Results (1.1.8)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Provides information about all outbound connections made from the network access server.
Rationale
Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices. AAA Accounting provides a management and audit trail for user and administrative sessions through RADIUS and TACACS+.
Remediation
Configure AAA accounting for connections.
hostname(config)# aaa accounting connection {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
Impact:
Implementing aaa accounting connection creates accounting records about connections from the network access server. Organizations should regularly monitor these connection records for exceptions, remediate issues, and report findings regularly.
4.1.1.1.9 Set 'aaa accounting exec'
Table 93: Device Results (1.1.9)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Runs accounting for the EXEC shell session.
Rationale
Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated, and accountability by tracking the services accessed. Additionally, centralizing access control simplifies and reduces the administrative cost of account provisioning and de-provisioning, especially when managing a large number of devices. AAA accounting provides a management and audit trail for user and administrative sessions through RADIUS and TACACS+.
Remediation
Configure AAA accounting for EXEC shell sessions.
hostname(config)# aaa accounting exec {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
Impact:
Enabling 'aaa accounting exec' creates accounting records for the EXEC terminal sessions on the network access server. These records include start and stop times, usernames, and date information. Organizations should regularly monitor these records for exceptions, remediate issues, and report findings.
4.1.1.1.10 Set 'aaa accounting network'
Table 94: Device Results (1.1.10)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Runs accounting for all network-related service requests.
Rationale
Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated, and accountability by tracking the services accessed. Additionally, centralizing access control simplifies and reduces the administrative cost of account provisioning and de-provisioning, especially when managing a large number of devices. AAA accounting provides a management and audit trail for user and administrative sessions through RADIUS and TACACS+.
Remediation
Configure AAA accounting for network-related service requests.
hostname(config)# aaa accounting network {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
Impact:
Implementing 'aaa accounting network' creates accounting records for a method list including ARA, PPP, SLIP, and NCP sessions. Organizations should regularly monitor these records for exceptions, remediate issues, and report findings.
4.1.1.1.11 Set 'aaa accounting system'
Table 95: Device Results (1.1.11)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Performs accounting for all system-level events not associated with users, such as reloads.
Rationale
Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated, and accountability by tracking the services accessed. Additionally, centralizing access control simplifies and reduces the administrative cost of account provisioning and de-provisioning, especially when managing a large number of devices. AAA accounting provides a management and audit trail for user and administrative sessions through RADIUS and TACACS+.
Remediation
Configure AAA accounting for system events.
hostname(config)# aaa accounting system {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
Impact:
Enabling 'aaa accounting system' creates accounting records for all system-level events. Organizations should regularly monitor these records for exceptions, remediate issues, and report findings.
4.1.1.2 Access Rules
Rules in the access class enforce controls for device administrative connections.
4.1.1.2.1 Set 'privilege 1' for local users
Table 96: Device Results (1.2.1)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Sets the privilege level for the user.
Rationale
The default device configuration does not require strong user authentication, potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with privilege level 1 permissions only allows the local user to access the device with EXEC-level permissions; the user will be unable to modify the device without using the enable password. In addition, require the use of an encrypted password as well (see 4.1.1.4.3, Set 'username secret' for all local users).
Remediation
Set the local user to privilege level 1.
hostname(config)# username <LOCAL_USERNAME> privilege 1
Impact:
Organizations should create policies requiring all local accounts to use 'privilege level 1' with encrypted passwords to reduce the risk of unauthorized access. Default configuration settings do not provide strong user authentication to the device.
4.1.1.2.2 Set 'transport input ssh' for 'line vty' connections
Table 97: Device Results (1.2.2)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Fail
Description
Selects the Secure Shell (SSH) protocol.
Rationale
Configuring VTY access control restricts remote access to only those authorized to manage the device and prevents unauthorized users from accessing the system.
Remediation
Apply SSH to transport input on all VTY management lines.
hostname(config)# line vty <line-number> <ending-line-number>
hostname(config-line)# transport input ssh
Impact:
To reduce the risk of unauthorized access, organizations should require all VTY management line protocols to be limited to SSH.
4.1.1.2.3 Set 'no exec' for 'line aux 0'
Table 98: Device Results (1.2.3)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
The 'no exec' command restricts a line to outgoing connections only.
Rationale
Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and a console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device; even when remote, backup administration is required via a console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used for dial-up administration via an external modem; instead, use other available methods.
Remediation
Disable the EXEC process on the auxiliary port.
hostname(config)# line aux 0
hostname(config-line)# no exec
Impact:
Organizations can reduce the risk of unauthorized access by disabling the 'aux' port with the 'no exec' command. Conversely, not restricting access through the 'aux' port increases the risk of remote unauthorized access.
4.1.1.2.4 Create 'access-list' for use with 'line vty'
Table 99: Device Results (1.2.4)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Rationale
VTY ACLs control what addresses may attempt to log in to the router. Configuring VTY lines to use an ACL restricts the sources from which a user can manage the device. You should limit the specific host(s) and/or network(s) authorized to connect to and configure the device, via an approved protocol, to those individuals or systems authorized to administer the device. For example, you could limit access to specific hosts, so that only network managers can configure the devices, and only from specific network management workstations. Make sure you configure all VTY lines to use the same ACL.
Remediation
Configure the VTY ACL that will be used to restrict management access to the device. The final explicit deny with 'log' records every rejected management attempt, which is the evidence a SOC needs to spot scanning of the management plane.
hostname(config)# access-list <vty_acl_number> permit tcp <vty_acl_block_with_mask> any
hostname(config)# access-list <vty_acl_number> permit tcp host <vty_acl_host> any
hostname(config)# access-list <vty_acl_number> deny ip any any log
Impact:
Organizations can reduce the risk of unauthorized access by implementing access-lists for all VTY lines. Conversely, using VTY lines without access-lists increases the risk of unauthorized access.
4.1.1.2.5 Set 'access-class' for 'line vty'
Table 100: Device Results (1.2.5)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
The 'access-class' setting restricts incoming and outgoing connections between a particular VTY (into a Cisco device) and the networking devices associated with addresses in an access list.
Rationale
Restricting the network devices, associated with the addresses on the access-list, further restricts remote access to those devices authorized to manage the device and reduces the risk of unauthorized access. Note that an ACL created under 4.1.1.2.4 has no effect on VTY access until it is bound to the lines with 'access-class'.
Remediation
Configure remote management access control restrictions for all VTY lines.
hostname(config)# line vty <line-number> <ending-line-number>
hostname(config-line)# access-class <vty_acl_number> in
Impact:
Applying 'access-class' to line VTY further restricts remote access to only those devices authorized to manage the device and reduces the risk of unauthorized access. Conversely, using VTY lines without 'access-class' restrictions increases the risk of unauthorized access.
4.1.1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'
Table 101: Device Results (1.2.6)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale
This prevents unauthorized users from misusing abandoned sessions, for example if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.
Remediation
Configure the device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)# line aux 0
hostname(config-line)# exec-timeout <timeout_in_minutes> <timeout_in_seconds>
Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length in minutes or seconds prevents unauthorized access to abandoned sessions.
4.1.1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes for 'line console 0'
Table 102: Device Results (1.2.7)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale
This prevents unauthorized users from misusing abandoned sessions, for example if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.
Remediation
Configure the device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)# line con 0
hostname(config-line)# exec-timeout <timeout_in_minutes> <timeout_in_seconds>
Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length reduces the risk of unauthorized access to abandoned sessions.
4.1.1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes for 'line tty'
Table 103: Device Results (1.2.8)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale
This prevents unauthorized users from misusing abandoned sessions, for example if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.
Remediation
Configure the device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)# line tty {line_number} [ending_line_number]
hostname(config-line)# exec-timeout <timeout_in_minutes> <timeout_in_seconds>
Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length reduces the risk of unauthorized access to abandoned sessions.
4.1.1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes for 'line vty'
Table 104: Device Results (1.2.9)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale
This prevents unauthorized users from misusing abandoned sessions, for example if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.
Remediation
Configure the device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)# line vty {line_number} [ending_line_number]
hostname(config-line)# exec-timeout <timeout_in_minutes> <timeout_in_seconds>
Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length in minutes or seconds prevents unauthorized access to abandoned sessions.
4.1.1.2.10 Set 'transport input none' for 'line aux 0'
Table 105: Device Results (1.2.10)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
'transport input none' prevents any protocol from being used for incoming connections on the line. It complements 'no exec' (4.1.1.2.3): 'no exec' only stops an EXEC process from starting on the line, while 'transport input none' refuses the inbound connection altogether. When you want to allow only an outgoing connection on a line, use the 'no exec' command.
Rationale
Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and a console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device; even when remote, backup administration is required via a console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used for dial-up administration via an external modem; instead, use other available methods.
Remediation
Disable inbound connections on the auxiliary port.
hostname(config)# line aux 0
hostname(config-line)# transport input none
Impact:
Organizations should prevent all unauthorized access to auxiliary ports by disabling all protocols using the 'transport input none' command.
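The AAA accounting checks (4.1.1.1.7 to 4.1.1.1.11) and the access rules (4.1.1.2.1 to 4.1.1.2.10) above are all decidable from a saved 'show running-config', which is what Nipper Studio does from the raw configuration report. The following Python checker is an added example, not Nipper Studio code or part of the audit report: it parses the global and 'line' sections of a constructed sample configuration for a hypothetical router (not one of the two audited devices) and reports each control as Pass or Fail, including the pitfall the report's 4.1.1.2.2 result illustrates, a VTY line that allows telnet alongside ssh.

```python
"""Offline checker for the AAA accounting (4.1.1.1.7-11) and access-rule (4.1.1.2)
controls above, run over a saved 'show running-config'.  This is an added example,
not Nipper Studio code; the device config below is constructed for illustration."""
import re

# Constructed sample config for a hypothetical router; deliberately mixes passes and fails.
SAMPLE_CONFIG = """\
hostname lab-router
aaa new-model
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret 5 $1$abcd$xyz
username ops privilege 1 secret 5 $1$abcd$xyz
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny   any log
line con 0
 exec-timeout 5 0
line aux 0
 exec-timeout 10 0
 no exec
 transport input none
line vty 0 4
 access-class 10 in
 exec-timeout 15 0
 transport input telnet ssh
"""

# The five accounting types the benchmark wants (commands 15, connection, exec, network, system).
REQUIRED_ACCOUNTING = ("commands 15", "connection", "exec", "network", "system")


def parse_line_blocks(config):
    """Map each 'line <name>' section (con 0, aux 0, vty 0 4, ...) to its indented commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # back at global configuration level
    return blocks


def exec_timeout_minutes(block):
    """Return the configured exec-timeout in minutes, or None if the line has none set."""
    for cmd in block:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            return int(m.group(1)) + int(m.group(2) or 0) / 60
    return None


def acl_defined(config, acl):
    """True if a numbered or named access-list with this identifier exists in the config."""
    return re.search(rf"^(ip )?access-list (standard |extended )?{re.escape(acl)}\b", config, re.M) is not None


def audit(config):
    """Return {check name: passed?} for every control, in report order."""
    findings = {}
    for acct in REQUIRED_ACCOUNTING:  # 4.1.1.1.7 to 4.1.1.1.11
        findings[f"aaa accounting {acct}"] = bool(re.search(rf"^aaa accounting {re.escape(acct)} ", config, re.M))
    # 4.1.1.2.1: local users above privilege 1 bypass the enable secret entirely.
    elevated = [u for u, p in re.findall(r"^username (\S+) privilege (\d+)", config, re.M) if int(p) > 1]
    findings["local users privilege 1"] = not elevated
    for name, block in parse_line_blocks(config).items():
        key = f"line {name}"
        timeout = exec_timeout_minutes(block)  # 4.1.1.2.6 to 4.1.1.2.9
        findings[f"{key} exec-timeout <= 10"] = timeout is not None and timeout <= 10
        if name.startswith("vty"):
            # 4.1.1.2.2: the only inbound transport on VTY must be ssh (telnet alongside it fails).
            findings[f"{key} transport input ssh"] = [c for c in block if c.startswith("transport input")] == ["transport input ssh"]
            # 4.1.1.2.4 / 4.1.1.2.5: an inbound access-class that references an ACL that actually exists.
            ac = next((re.match(r"access-class (\S+) in$", c) for c in block if c.startswith("access-class ")), None)
            findings[f"{key} access-class"] = ac is not None
            findings[f"{key} access-class ACL defined"] = ac is not None and acl_defined(config, ac.group(1))
        if name.startswith("aux"):  # 4.1.1.2.3 and 4.1.1.2.10
            findings[f"{key} no exec"] = "no exec" in block
            findings[f"{key} transport input none"] = "transport input none" in block
    return findings


if __name__ == "__main__":
    for check, ok in audit(SAMPLE_CONFIG).items():
        print(f"{'Pass' if ok else 'Fail':4}  {check}")
```

Feed it the text of 'show running-config' in place of the sample and the output lines up with the Device Results tables above. The 'transport input' check is deliberately strict: the control requires ssh to be the only inbound transport, so 'transport input telnet ssh' (or 'transport input all') is a Fail, not a partial pass.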
4.1.1.3 Banner Rules
Rules in the banner class communicate legal rights to users.
4.1.1.3.1 Set the 'banner-text' for 'banner exec'
Table 106: Device Results (1.3.1)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
This command specifies a message to be displayed when an EXEC process is created (a line is activated, or an incoming connection is made to a VTY). Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character.
When a user connects to a router, the message-of-the-day (MOTD) banner appears first, followed by the login banner and prompts. After the user logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
Rationale
"Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions.
First, banners may be used to generate consent to real-time monitoring under Title III; Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA; Third, in the case of government networks, banners may eliminate any Fourth Amendment "reasonable expectation of privacy" that government employees or other users might otherwise retain in their use of the government's network under O'Connor v. Ortega, 480 U.S. 709 (1987); Fourth, in the case of a non-government network, banners may establish a system administrator's "common authority" to consent to a law enforcement search pursuant to United States v. Matlock, 415 U.S. 164 (1974)." (US Department of Justice, APPENDIX A: Sample Network Banner Language).
Remediation
Configure the EXEC banner presented to a user after logging in to the device (it is shown when the EXEC process starts, not at the login prompt).
hostname(config)# banner exec c
Enter TEXT message. End with the character 'c'.
<banner-text>
c
Impact:
Organizations provide appropriate legal notice(s) and warning(s) to persons accessing their networks by using a 'banner-text' for the 'banner exec' command.
4.1.1.3.2 Set the 'banner-text' for 'banner login'
Table 107: Device Results (1.3.2)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
Follow the 'banner login' command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character.
When a user connects to the router, the message-of-the-day (MOTD) banner (if configured) appears first, followed by the login banner and prompts. After the user successfully logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
Rationale
"Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions.
First, banners may be used to generate consent to real-time monitoring under Title III; Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA; Third, in the case of government networks, banners may eliminate any Fourth Amendment "reasonable expectation of privacy" that government employees or other users might otherwise retain in their use of the government's network under O'Connor v. Ortega, 480 U.S. 709 (1987); Fourth, in the case of a non-government network, banners may establish a system administrator's "common authority" to consent to a law enforcement search pursuant to United States v. Matlock, 415 U.S. 164 (1974)." (US Department of Justice, APPENDIX A: Sample Network Banner Language).
Remediation
Configure the device so a login banner is presented to a user attempting to access the device.
hostname(config)# banner login c
Enter TEXT message. End with the character 'c'.
<banner-text>
c
Impact:
Organizations provide appropriate legal notice(s) and warning(s) to persons accessing their networks by using a 'banner-text' for the 'banner login' command.
4.1.1.3.3 Set the 'banner-text' for 'banner motd'
Table 108: Device Results (1.3.3)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
The MOTD banner is displayed to all connected terminals and is useful for sending messages that affect all users (such as impending system shutdowns). Use the 'no exec-banner' or 'no motd-banner' command to disable the MOTD banner on a line. The 'no exec-banner' command also disables the EXEC banner on the line.
When a user connects to the router, the MOTD banner appears before the login prompt. After the user logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
Rationale
"Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions.
First, banners may be used to generate consent to real-time monitoring under Title III; Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA; Third, in the case of government networks, banners may eliminate any Fourth Amendment "reasonable expectation of privacy" that government employees or other users might otherwise retain in their use of the government's network under O'Connor v. Ortega, 480 U.S. 709 (1987); Fourth, in the case of a non-government network, banners may establish a system administrator's "common authority" to consent to a law enforcement search pursuant to United States v. Matlock, 415 U.S. 164 (1974)." (US Department of Justice, APPENDIX A: Sample Network Banner Language).
Remediation
Configure the message-of-the-day (MOTD) banner presented when a user first connects to the device.
hostname(config)# banner motd c
Enter TEXT message. End with the character 'c'.
<banner-text>
c
Impact:
Organizations provide appropriate legal notice(s) and warning(s) to persons accessing their networks by using a 'banner-text' for the 'banner motd' command.
4.1.1.4 Password Rules
Rules in the password class enforce secure, local device authentication credentials.
4.1.1.4.1 Set 'password' for 'enable secret'
Table 109: Device Results (1.4.1)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Use the 'enable secret' command to provide an additional layer of security over the 'enable password'. The 'enable secret' command provides better security by storing the enable secret password using a non-reversible cryptographic function. The added layer of security this provides is useful in environments where the password crosses the network or is stored on a TFTP server.
Rationale
Requiring the 'enable secret' setting protects privileged EXEC mode. By default, a strong password is not required; a user can just press the Enter key at the Password prompt to start privileged mode. Configuring an enable secret causes the device to enforce the use of a password to access privileged mode. Enable secrets are stored as a one-way cryptographic hash (MD5). This is preferred to type 7 enable passwords, which use a weak, well-known, and easily reversible encoding. Where both are configured, the enable secret takes precedence, but the type 7 'enable password' should still be removed so that a reversible copy of a privileged credential is not left in the configuration.
Remediation
Configure a strong enable secret password.
hostname(config)# enable secret <ENABLE_SECRET_PASSWORD>
Impact:
Organizations should protect privileged EXEC mode through policies requiring the 'enable secret' setting, which enforces a one-way cryptographic hash (MD5).
4.1.1.4.2 Enable 'service password-encryption'
Table 110: Device Results (1.4.2)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
When password encryption is enabled, the encrypted form of the passwords is displayed when a 'more system:running-config' command is entered.
Rationale
This requires passwords to be encrypted in the configuration file to prevent unauthorized users from learning the passwords just by reading the configuration. When not enabled, many of the device's passwords will be rendered in plain text in the configuration file. This service ensures passwords are rendered as encrypted strings, preventing an attacker from trivially reading the configured value.
Remediation
Enable the password encryption service to protect sensitive access passwords in the device configuration.
hostname(config)# service password-encryption
Impact:
Organizations implementing 'service password-encryption' reduce the risk of unauthorized users learning clear-text passwords from Cisco IOS configuration files. However, the algorithm used (the 'type 7' encoding) is not designed to withstand serious analysis and is reversible by anyone who holds the configuration, so such passwords should be treated like clear text: this control only stops shoulder-surfing, not an attacker who obtains a backup of the configuration.
4.1.1.4.3 Set 'username secret' for all local users
Table 111: Device Results (1.4.3)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Fail
Description
Use the 'username secret' command to configure a username and an MD5-hashed user password. The MD5 hash is one-way and the original password cannot be recovered from it; thus, you cannot use 'username secret' with protocols that require the clear-text password, such as the Challenge Handshake Authentication Protocol (CHAP).
The 'username secret' command provides an additional layer of security over 'username password'. It provides better security by hashing the password with the non-reversible MD5 function and storing only the hash. This added protection is useful in environments in which the configuration crosses the network or is stored on a TFTP server.
Rationale
The default device configuration does not require strong user authentication, potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with a hashed password enforces login authentication and provides a fallback authentication mechanism for configuration in a named method list, in a situation where centralized authentication, authorization, and accounting services are unavailable.
Remediation
Create a local user with a hashed, complex (not easily guessed) password.
hostname(config)# username <LOCAL_USERNAME> secret <LOCAL_PASSWORD>
Impact:
Organizations implementing 'username secret' across their enterprise reduce the risk of unauthorized users gaining access to Cisco IOS devices by storing user passwords as MD5 hashes rather than as reversible 'password 7' strings. Note that both audited devices fail this check: any 'username ... password' entries remaining in their configurations are recoverable by anyone who can read the configuration.
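To make the three password rules above concrete, and to show why 4.1.1.4.2 says type 7 output must be treated as clear text, the following Python is an added example (not Nipper Studio code or part of this report). It checks a constructed sample configuration for 'enable secret', 'service password-encryption' and 'username secret', and then decodes every 'password 7' string it finds using the publicly documented type 7 algorithm: a two-digit offset into a fixed 40-byte key, followed by the password bytes XORed with that key. The device name, users and passwords in the sample are invented for illustration.

```python
"""Password-rule checks for 4.1.1.4 (enable secret, service password-encryption,
username secret) plus a decoder for the reversible 'type 7' encoding that
'service password-encryption' produces, to make the Impact note concrete.
Added example, not part of the audit report; the config below is constructed."""
import re

# The fixed XOR key behind IOS type 7 obfuscation has been public for decades.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed sample config: type 7 strings present, no enable secret, one user with 'password'.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 122A5614000E1845
username admin password 7 0822455D0A16
username backup secret 5 $1$QnC7$3tqG0v2M8xJYxU5eQy7Ib1
line vty 0 4
 password 7 0822455D0A16
"""


def decode_type7(encoded):
    """Undo type 7: first two digits are the key offset, the rest is hex of (byte XOR key)."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(data))


def audit_passwords(config):
    """Return per-control results plus every type 7 string in the config, decoded."""
    findings = {}
    # 4.1.1.4.1: privileged EXEC must be guarded by 'enable secret', not a type 7 'enable password'.
    findings["enable secret set"] = bool(re.search(r"^enable secret ", config, re.M))
    # 4.1.1.4.2: the service itself should be on, even though its output is only obfuscation.
    findings["service password-encryption"] = bool(re.search(r"^service password-encryption$", config, re.M))
    # 4.1.1.4.3: every local user must use 'secret' (MD5 hash) rather than 'password'.
    users = re.findall(r"^username (\S+) .*?\b(secret|password) ", config, re.M)
    findings["all local users use 'secret'"] = bool(users) and all(kind == "secret" for _, kind in users)
    # Demonstrate why type 7 must be treated as clear text: recover every one of them.
    findings["recoverable type 7 passwords"] = {
        m.group(1): decode_type7(m.group(2))
        for m in re.finditer(r"^\s*(.+?) 7 ([0-9A-Fa-f]+)$", config, re.M)
    }
    return findings


if __name__ == "__main__":
    for check, result in audit_passwords(SAMPLE_CONFIG).items():
        print(f"{check}: {result}")
```

Running it against the sample recovers "S3cret!" for the enable password and "cisco" for both the admin user and the VTY line password, from nothing but the configuration text. The 'secret 5' MD5 hash is not decodable this way, which is the whole point of 4.1.1.4.1 and 4.1.1.4.3; it can still be attacked offline by guessing, so the remediation's "complex (not easily guessed)" qualifier matters.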
4.1.1.5 SNMP Rules
Simple Network Management Protocol (SNMP) provides a standards-based interface to manage and monitor network devices. This section provides guidance on the secure configuration of SNMP parameters.
The recommendations in this section apply to organizations using SNMP. Organizations using SNMP should review and implement the recommendations in this section.
4.1.1.5.1 Set 'no snmp-server' to disable SNMP when unused
Table 112: Device Results (1.5.1)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
If not in use, disable Simple Network Management Protocol (SNMP) read and write access.
Rationale
SNMP read access allows remote monitoring and management of the device.
Remediation
Disable SNMP read and write access if it is not used to monitor and/or manage the device.
hostname(config)# no snmp-server
Impact:
Organizations not using SNMP should require all SNMP services to be disabled by running the 'no snmp-server' command.
4.1.1.5.2 Unset 'private' for 'snmp-server community'
Table 113: Device Results (1.5.2)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
An SNMP community string permits read-only access to all objects.
Rationale
The default community string "private" is well known. Using an easy-to-guess, well-known community string poses the threat that an attacker can effortlessly gain unauthorized access to the device.
Remediation
Disable the default SNMP community string "private".
hostname(config)# no snmp-server community private
Impact:
To reduce the risk of unauthorized access, organizations should disable default, easy-to-guess settings such as the 'private' setting for 'snmp-server community'.
4.1.1.5.3 Unset 'public' for 'snmp-server community'
Table 114: Device Results (1.5.3)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
An SNMP community string permits read-only access to all objects.
Rationale
The default community string "public" is well known. Using an easy-to-guess, well-known community string poses the threat that an attacker can effortlessly gain unauthorized access to the device.
Remediation
Disable the default SNMP community string "public".
hostname(config)# no snmp-server community public
Impact:
To reduce the risk of unauthorized access, organizations should disable default, easy-to-guess settings such as the 'public' setting for 'snmp-server community'.
4.1.1.5.4 Do not set 'RW' for any 'snmp-server community'
Table 115: Device Results (1.5.4)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Specifies read-write access. Authorized management stations can both retrieve and modify MIB objects.
Rationale
Enabling SNMP read-write enables remote management of the device. Unless absolutely necessary, do not allow Simple Network Management Protocol (SNMP) write access.
Remediation
Disable SNMP write access.
hostname(config)# no snmp-server community {write_community_string}
Impact:
To reduce the risk of unauthorized access, organizations should disable SNMP 'write' access for 'snmp-server community'.
4.1.1.5.5 Set the ACL for each 'snmp-server community'
Table 116: Device Results (1.5.5)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
This feature specifies a list of IP addresses that are allowed to use the community string to gain access to the SNMP agent.
Rationale
If ACLs are not applied, then anyone with a valid SNMP community string can potentially monitor and manage the router. An ACL should be defined and applied for all SNMP access to limit access to a small number of authorized management stations segmented in a trusted management zone. If possible, use SNMPv3, which uses authentication, authorization, and data privatization (encryption).
Remediation
Configure an authorized SNMP community string and restrict access to authorized management systems.
hostname(config)# snmp-server community <community_string> ro {snmp_access-list_number | snmp_access-list_name}
Impact:
To reduce the risk of unauthorized access, organizations should enable access control lists for all 'snmp-server' communities and restrict access to appropriate trusted management zones. If possible, implement SNMPv3 to apply authentication, authorization, and data privatization (encryption) for additional benefit to the organization.
4.1.1.5.6 Create an 'access-list' for use with SNMP
Table 117: Device Results (1.5.6)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
You can use access lists to control the transmission of packets on an interface, control Simple Network Management Protocol (SNMP) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Rationale
SNMP ACLs control what addresses are authorized to manage and monitor the device via SNMP. If ACLs are not applied, then anyone with a valid SNMP community string may monitor and manage the router. An ACL should be defined and applied for all SNMP community strings to limit access to a small number of authorized management stations segmented in a trusted management zone.
Remediation
Configure an SNMP ACL restricting access to the device to authorized management stations segmented in a trusted management zone. The ACL only takes effect once it is referenced from each 'snmp-server community' line (4.1.1.5.5).
hostname(config)# access-list <snmp_acl_number> permit <snmp_access-list>
hostname(config)# access-list <snmp_acl_number> deny any log
4.1.1.5.7 Set 'snmp-server host' when using SNMP
Table 118: Device Results (1.5.7)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
SNMP notifications can be sent as traps to authorized management systems.
Rationale
If SNMP is enabled for device management and device alerts are required, then ensure the device is configured to submit traps only to authorized management systems.
Remediation
Configure an authorized SNMP trap community string and restrict sending messages to authorized management systems.
hostname(config)# snmp-server host {ip_address} {trap_community_string} snmp
Impact:
Organizations using SNMP should restrict sending SNMP messages only to explicitly named systems to reduce unauthorized access.
4.1.1.5.8 Set 'snmp-server enable traps snmp'
Table 119: Device Results (1.5.8)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
SNMP notifications can be sent as traps to authorized management systems.
Rationale
SNMP has the ability to submit traps.
Remediation
Enable SNMP traps.
hostname(config)# snmp-server enable traps snmp authentication linkup linkdown coldstart
Impact:
Organizations using SNMP should restrict trap types to only explicitly named traps to reduce unintended traffic. Enabling SNMP traps without specifying a trap type will enable all SNMP trap types.
4.1.1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3
Table 120: Device Results (1.5.9)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
Specifies authentication of a packet with encryption when using SNMPv3.
Rationale
SNMPv3 provides much improved security over previous versions by offering options for authentication and encryption of messages. When configuring a user for SNMPv3 you have the option of using a range of encryption schemes, or no encryption at all, to protect messages in transit. AES128 is the minimum strength encryption method that should be deployed.
Remediation
For each SNMPv3 group created on your router, add privacy options by issuing the following command.
hostname(config)# snmp-server group {group_name} v3 priv
Impact:
Organizations using SNMP can significantly reduce the risk of unauthorized access by using the 'snmp-server group v3 priv' setting to encrypt messages in transit.
4.1.1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3
Table 121: Device Results (1.5.10)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
Specify the use of a minimum of the 128-bit AES algorithm for encryption when using SNMPv3.
Rationale
SNMPv3 provides much improved security over previous versions by offering options for authentication and encryption of messages. When configuring a user for SNMPv3 you have the option of using a range of encryption schemes, or no encryption at all, to protect messages in transit. AES128 is the minimum strength encryption method that should be deployed. This check is reported as Manual because IOS does not show SNMPv3 users in the running configuration; they must be verified on the device with 'show snmp user'.
Remediation
For each SNMPv3 user created on your router, add privacy options by issuing the following command.
hostname(config)# snmp-server user {user_name} {group_name} v3 encrypted auth sha {auth_password} priv aes 128 {priv_password} {acl_name_or_number}
Impact:
Organizations using SNMP can significantly reduce the risk of unauthorized access by using the 'snmp-server user' setting with appropriate authentication and privacy protocols to encrypt messages in transit.
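The community, ACL, trap and SNMPv3 group rules in 4.1.1.5 can be evaluated from the running configuration the same way; only the SNMPv3 user check (4.1.1.5.10) cannot, because IOS omits users from 'show running-config'. The following Python is an added example, not Nipper Studio code or part of this report: it runs the 4.1.1.5.2 to 4.1.1.5.9 checks over a constructed sample configuration (invented community strings, ACL number, group names and trap host) and returns the offending items for each rule rather than a bare Pass/Fail, which is what a remediation ticket needs.

```python
"""SNMP checks from 4.1.1.5 run over a saved IOS running-config: default or
read-write community strings, communities without an ACL, SNMPv3 groups that
are not 'priv', and trap host / trap type settings.  Added example, not audit
report code; the config is constructed.  SNMPv3 users are not checked here
because IOS does not show them in the running configuration ('show snmp user'
is needed), which is why the report marks 4.1.1.5.10 as Manual."""
import re

# Constructed sample config for a hypothetical router: one community is done right, two are not.
SAMPLE_CONFIG = """\
access-list 90 permit 10.1.1.0 0.0.0.255
access-list 90 deny   any log
snmp-server community public RO 90
snmp-server community private RW
snmp-server community n3tm0n RO
snmp-server group NETOPS v3 auth
snmp-server group SECOPS v3 priv
snmp-server host 10.1.1.5 traps-secret snmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
"""

# snmp-server community <string> [view <name>] [RO|RW] [<acl-number-or-name>]
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW|ro|rw))?(?: (\S+))?$", re.M)


def acl_defined(config, acl):
    """True if a numbered or named access-list with this identifier exists in the config."""
    return re.search(rf"^(ip )?access-list (standard |extended )?{re.escape(acl)}\b", config, re.M) is not None


def audit_snmp(config):
    """Return, per rule, the list of offending items (empty list means the rule passes)."""
    f = {}
    communities = COMMUNITY_RE.findall(config)  # (string, mode, acl); "" for absent parts
    # 4.1.1.5.2 / 4.1.1.5.3: well-known default strings must not exist at all.
    f["default community strings"] = sorted(s for s, _, _ in communities if s.lower() in ("public", "private"))
    # 4.1.1.5.4: no read-write communities (an RW string is full remote control of the device).
    f["rw communities"] = sorted(s for s, mode, _ in communities if mode.upper() == "RW")
    # 4.1.1.5.5 / 4.1.1.5.6: every community restricted by an ACL, and that ACL must really exist.
    f["communities without ACL"] = sorted(s for s, _, acl in communities if not (acl and acl_defined(config, acl)))
    # 4.1.1.5.9: every SNMPv3 group must require authentication and privacy.
    groups = re.findall(r"^snmp-server group (\S+) v3 (noauth|auth|priv)", config, re.M)
    f["v3 groups without priv"] = sorted(g for g, level in groups if level != "priv")
    # 4.1.1.5.7 / 4.1.1.5.8: an explicit trap host and explicitly named trap types.
    f["trap host configured"] = bool(re.search(r"^snmp-server host \S+", config, re.M))
    f["trap types explicit"] = bool(re.search(r"^snmp-server enable traps snmp \S+", config, re.M))
    return f


if __name__ == "__main__":
    for rule, result in audit_snmp(SAMPLE_CONFIG).items():
        print(f"{rule}: {result}")
```

On the sample, 'public' passes the ACL rule but fails 4.1.1.5.3, 'private' fails three rules at once (default string, RW, no ACL), and the NETOPS group is flagged because 'auth' without 'priv' sends authenticated but unencrypted SNMPv3 traffic. Removing the public and private lines and adding the ACL to n3tm0n clears every list.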
4.1.2 Control Plane
The control plane covers monitoring, route table updates, and generally the dynamic operation of the router: the services, settings, and data streams that support and document the operation, traffic handling, and dynamic status of the router. Examples of control plane services include logging (e.g. syslog), routing protocols, status protocols like CDP and HSRP, network topology protocols like STP, and traffic security control protocols like IKE. Network control protocols like ICMP, NTP, ARP, and IGMP directed to or sent by the router itself also fall into this area.
4.1.2.1 Global Service Rules
Rules in the global service class enforce server and service controls that protect against attacks or that otherwise expose the device to exploitation.
4.1.2.1.1 Setup SSH
Ensure the use of SSH for remote console sessions to Cisco routers.
4.1.2.1.1.1 Configure Prerequisites for the SSH Service
4.1.2.1.1.1.1 Set the 'hostname'
Table 122: Device Results (2.1.1.1.1)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
The hostname is used in prompts and default configuration file names.
Rationale
The hostname is a prerequisite for setting up SSH: together with the domain name it forms the name of the RSA key pair used by the SSH server.
Remediation
Configure an appropriate hostname for the router.
hostname(config)# hostname {router_name}
Impact:
Organizations should plan the enterprise network and identify an appropriate hostname for each router.
4.1.2.1.1.1.2Setthe'ipdomainname'
Table123:DeviceResults(2.1.1.1.2)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
DefineadefaultdomainnamethattheCiscoIOSsoftwareusestocompleteunqualifiedhostnames
Rationale
ThedomainnameisaprerequisiteforsettingupSSH.
Remediation
Configureanappropriatedomainnamefortherouter.
hostname(config)#ipdomainname{domain-name}
Impact:
Organizationsshouldplantheenterprisenetworkandidentifyanappropriatedomainnamefortherouter.
4.1.2.1.1.1.3Set'modulus'togreaterthanorequalto2048for'cryptokeygeneratersa'
Table124:DeviceResults(2.1.1.1.3)
Device Result
router03IOS12.3 Manual
CiscoIOS15IOS15.0 Manual
Description
UsethiscommandtogenerateRSAkeypairsforyourCiscodevice.
RSAkeysaregeneratedinpairs--onepublicRSAkeyandoneprivateRSAkey.
Rationale
AnRSAkeypairisaprerequisiteforsettingupSSHandshouldbeatleast2048bits.
NOTE:IOSdoesNOTdisplaythemodulusbitvalueintheAuditProcedure.
Remediation
GenerateanRSAkeypairfortherouter.
hostname(config)#cryptokeygeneratersageneral-keysmodulus2048
Impact:
OrganizationsshouldplanandimplemententerprisenetworkcryptographyandgenerateanappropriateRSAkeypairs,suchas'modulus',greaterthanorequalto2048.
4.1.2.1.1.1.4Set'seconds'for'ipsshtimeout'
Table125:DeviceResults(2.1.1.1.4)
Device Result
router03IOS12.3 Manual
CiscoIOS15IOS15.0 Manual
Description
ThetimeintervalthattherouterwaitsfortheSSHclienttorespondbeforedisconnectinganuncompletedloginattempt.
Rationale
Thisreducestheriskofanadministratorleavinganauthenticatedsessionloggedinforanextendedperiodoftime.
Remediation
ConfiguretheSSHtimeout
hostname(config)#ipsshtime-out[60]
Impact:
Organizationsshouldimplementasecuritypolicyrequiringminimumtimeoutsettingsforallnetworkadministratorsandenforcethepolicythroughthe'ipsshtimeout'command.
4.1.2.1.1.1.5Setmaximimumvaluefor'ipsshauthentication-retries'
Table126:DeviceResults(2.1.1.1.5)
Device Result
router03IOS12.3 Manual
CiscoIOS15IOS15.0 Manual
Description
ThenumberofretriesbeforetheSSHloginsessiondisconnects.
Rationale
ThislimitsthenumberoftimesanunauthorizedusercanattemptapasswordwithouthavingtoestablishanewSSHloginattempt.ThisreducesthepotentialforsuccessduringonlinebruteforceattacksbylimitingthenumberofloginattemptsperSSHconnection.
Remediation
ConfiguretheSSHtimeout:
hostname(config)#ipsshauthentication-retries[3]
Impact:
Organizationsshouldimplementasecuritypolicylimitingthenumberofauthenticationattemptsfornetworkadministratorsandenforcethepolicythroughthe'ipsshauthentication-retries'command.
4.1.2.1.1.2Setversion2for'ipsshversion'
Table127:DeviceResults(2.1.1.2)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
SpecifytheversionofSecureShell(SSH)toberunonarouter
Rationale
SSHVersion1hasbeensubjecttoanumberofseriousvulnerabilitiesandisnolongerconsideredtobeasecureprotocol,resultingintheadoptionofSSHVersion2asanInternetStandardin2006.
Ciscorouterssupportbothversions,butduetotheweaknessofSSHVersion1onlythelaterstandardshouldbeused.
Remediation
ConfiguretheroutertouseSSHversion2
hostname(config)#ipsshversion2
Impact:
Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicytoreviewtheircurrentprotocolstoensurethemostsecureprotocolversionsareinuse.
4.1.2.1.2Set'nocdprun'
Table128:DeviceResults(2.1.2)
Device Result
router03IOS12.3 Manual
CiscoIOS15IOS15.0 Manual
Description
DisableCiscoDiscoveryProtocol(CDP)serviceatdevicelevel.
Rationale
TheCiscoDiscoveryProtocolisaproprietaryprotocolthatCiscodevicesusetoidentifyeachotheronaLANsegment.Itisusefulonlyinnetworkmonitoringandtroubleshootingsituationsbutisconsideredasecurityriskbecauseoftheamountofinformationprovidedfromqueries.Inaddition,therehavebeenpublisheddenial-of-service(DoS)attacksthatuseCDP.CDPshouldbecompletelydisabledunlessnecessary.
Remediation
DisableCiscoDiscoveryProtocol(CDP)serviceglobally.
hostname(config)#nocdprun
Impact:
Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictingnetworkprotocolsandexplicitlyrequiredisablingallinsecureorunnecessaryprotocols.
4.1.2.1.3Set'noipbootpserver'
Table129:DeviceResults(2.1.3)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
DisabletheBootstrapProtocol(BOOTP)serviceonyourroutingdevice.
Rationale
BootPallowsaroutertoissueIPaddresses.Thisshouldbedisabledunlessthereisaspecificrequirement.
Remediation
Disablethebootpserver.
hostname(config)#noipbootpserver
Impact:
Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictingnetworkprotocolsandexplicitlyrequiredisablingallinsecureorunnecessaryprotocolssuchas'ipbootpserver'.
4.1.2.1.4Set'noservicedhcp'
Table130:DeviceResults(2.1.4)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
DisabletheDynamicHostConfigurationProtocol(DHCP)serverandrelayagentfeaturesonyourrouter.
Rationale
TheDHCPserversuppliesautomaticconfigurationparameters,suchasdynamicIPaddress,torequestingsystems.AdedicatedserverlocatedinasecuredmanagementzoneshouldbeusedtoprovideDHCPservicesinstead.Attackerscanpotentiallybeusedfordenial-of-service(DoS)attacks.
Remediation
DisabletheDHCPserver.
hostname(config)#noservicedhcp
Impact:
Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictingnetworkprotocolsandexplicitlyrequiredisablingallinsecureorunnecessaryprotocolssuchastheDynamicHostConfigurationProtocol(DHCP).
4.1.2.1.5Set'noipidentd'
Table131:DeviceResults(2.1.5)
Device Result
router03IOS12.3 Pass
CiscoIOS15IOS15.0 Pass
Description
Disabletheidentification(identd)server.
Rationale
Identificationprotocolenablesidentifyingauser'stransmissioncontrolprotocol(TCP)session.Thisinformationdisclosurecouldpotentiallyprovideanattackerwithinformationaboutusers.
Remediation
Disabletheidentserver.
hostname(config)#noipidentd
Impact:
Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictingnetworkprotocolsandexplicitlyrequiredisablingallinsecureorunnecessaryprotocolssuchastheidentificationprotocol(identd).
4.1.2.1.6Set'servicetcp-keepalives-in'
Table132:DeviceResults(2.1.6)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
Generatekeepalivepacketsonidleincomingnetworkconnections.
Rationale
Staleconnectionsuseresourcesandcouldpotentiallybehijackedtogainillegitimateaccess.TheTCPkeepalives-inservicegenerateskeepalivepacketsonidleincomingnetworkconnections(initiatedbyremotehost).Thisserviceallowsthedevicetodetectwhentheremotehostfailsanddropthesession.Ifenabled,keepalivesaresentonceperminuteonidleconnections.Theconnectionisclosedwithinfiveminutesifnokeepalivesarereceivedorimmediatelyifthehostreplieswitharesetpacket.
Remediation
EnableTCPkeepalives-inservice:
hostname(config)#servicetcp-keepalives-in
Impact:
Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictinghowlongtoallowterminatedsessionsandenforcethispolicythroughtheuseof'tcp-keepalives-in'command.
4.1.2.1.7Set'servicetcp-keepalives-out'
Table133:DeviceResults(2.1.7)
Device Result
router03IOS12.3 Pass
CiscoIOS15IOS15.0 Pass
Description
Generatekeepalivepacketsonidleoutgoingnetworkconnections.
Rationale
Staleconnectionsuseresourcesandcouldpotentiallybehijackedtogainillegitimateaccess.TheTCPkeepalives-inservicegenerateskeepalivepacketsonidleincomingnetworkconnections(initiatedbyremotehost).Thisserviceallowsthedevicetodetectwhentheremotehostfailsanddropthesession.Ifenabled,keepalivesaresentonceperminuteonidleconnections.Theclosesconnectionisclosedwithinfiveminutesifnokeepalivesarereceivedorimmediatelyifthehostreplieswitharesetpacket.
Remediation
EnableTCPkeepalives-outservice:
hostname(config)#servicetcp-keepalives-out
Impact:
Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictinghowlongtoallowterminatedsessionsandenforcethispolicythroughtheuseof'tcp-keepalives-out'command.
4.1.2.1.8Set'noservicepad'
Table134:DeviceResults(2.1.8)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
DisableX.25PacketAssembler/Disassembler(PAD)service.
Rationale
IfthePADserviceisnotnecessary,disabletheservicetopreventintrudersfromaccessingtheX.25PADcommandsetontherouter.
Remediation
DisablethePADservice.
hostname(config)#noservicepad
Impact:
Toreducetheriskofunauthorizedaccess,organizationsshouldimplementasecuritypolicyrestrictingunnecessaryservicessuchasthe'PAD'service.
4.1.2.2LoggingRules
Rulesintheloggingclassenforcecontrolsthatprovidearecordofsystemactivityandevents.
4.1.2.2.1Set'loggingon'
Table135:DeviceResults(2.2.1)
Device Result
router03IOS12.3 Pass
CiscoIOS15IOS15.0 Fail
Description
Enableloggingofsystemmessages.
Rationale
LoggingprovidesachronologicalrecordofactivitiesontheCiscodeviceandallowsmonitoringofbothoperationalandsecurityrelatedevents.
Remediation
Enablesystemlogging.
hostname(config)#loggingon
Impact:
EnablingtheCiscoIOS'loggingon'commandenforcesthemonitoringoftechnologyrisksfortheorganizations'networkdevices.
4.1.2.2.2Set'buffersize'for'loggingbuffered'
Table136:DeviceResults(2.2.2)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
Enablesystemmessageloggingtoalocalbuffer.
Rationale
Thedevicecancopyandstorelogmessagestoaninternalmemorybuffer.Thebuffereddataisavailableonlyfromarouterexecorenabledexecsession.Thisformofloggingisusefulfordebuggingandmonitoringwhenloggedintoarouter.
Remediation
Configurebufferedlogging(withminimumsize).Recommendedsizeis64000.
hostname(config)#loggingbuffered[log_buffer_size]
Impact:
Dataforensicsiseffectivemanagingtechnologyrisksandanorganizationcanenforcesuchpoliciesbyenablingthe'loggingbuffered'command.
4.1.2.2.3Set'loggingconsolecritical'
Device Result
Table137:DeviceResults(2.2.3)
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
Verifyloggingtodeviceconsoleisenabledandlimitedtoarationalseverityleveltoavoidimpactingsystemperformanceandmanagement.
Rationale
Thisconfigurationdeterminestheseverityofmessagesthatwillgenerateconsolemessages.Loggingtoconsoleshouldbelimitedonlytothosemessagesrequiredforimmediatetroubleshootingwhileloggedintothedevice.Thisformofloggingisnotpersistent;messagesprintedtotheconsolearenotstoredbytherouter.Consoleloggingishandyforoperatorswhentheyusetheconsole.
Remediation
Configureconsolelogginglevel.
hostname(config)#loggingconsolecritical
Impact:
Loggingcriticalmessagesattheconsoleisimportantforanorganizationmanagingtechnologyrisk.The'loggingconsole'commandshouldcaptureappropriateseveritymessagestobeeffective.
4.1.2.2.4SetIPaddressfor'logginghost'
Table138:DeviceResults(2.2.4)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
Logsystemmessagesanddebugoutputtoaremotehost.
Rationale
CiscorouterscansendtheirlogmessagestoaUnix-styleSyslogservice.Asyslogservicesimplyacceptsmessagesandstorestheminfilesorprintsthemaccordingtoasimpleconfigurationfile.Thisformofloggingisbestbecauseitcanprovideprotectedlong-termstorageforlogs(thedevicesinternalloggingbufferhaslimitedcapacitytostoreevents.)Inaddition,loggingtoanexternalsystemishighlyrecommendedorrequiredbymostsecuritystandards.Ifdesiredorrequiredbypolicy,lawand/orregulation,enableasecondsyslogserverforredundancy.
Remediation
DesignateoneormoresyslogserversbyIPaddress.
hostname(config)#logginghostsyslog_server
Impact:
Loggingisanimportantprocessforanorganizationmanagingtechnologyrisk.The'logginghost'commandsetstheIPaddressofthelogginghostandenforcestheloggingprocess.
4.1.2.2.5Set'loggingtrapinformational'
Table139:DeviceResults(2.2.5)
Device Result
router03IOS12.3 Manual
CiscoIOS15IOS15.0 Manual
Description
Limitmessagesloggedtothesyslogserversbasedonseveritylevelinformational.
Rationale
Thisdeterminestheseverityofmessagesthatwillgeneratesimplenetworkmanagementprotocol(SNMP)trapandorsyslogmessages.Thissettingshouldbesettoeither"debugging"(7)or"informational"(6),butnolower.
Remediation
ConfigureSNMPtrapandsysloglogginglevel.
hostname(config)#loggingtrapinformational
Impact:
Loggingisanimportantprocessforanorganizationmanagingtechnologyrisk.The'loggingtrap'commandsetstheseverityofmessagesandenforcestheloggingprocess.
4.1.2.2.6Set'servicetimestampsdebugdatetime'
Table140:DeviceResults(2.2.6)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
Configurethesystemtoapplyatimestamptodebuggingmessagesorsystemloggingmessages
Rationale
Includingtimestampsinlogmessagesallowscorrelatingeventsandtracingnetworkattacksacrossmultipledevices.Enablingservicetimestamptomarkthetimelogmessagesweregeneratedsimplifiesobtainingaholisticviewofeventsenablingfastertroubleshootingofissuesorattacks.
Remediation
Configuredebugmessagestoincludetimestamps.
hostname(config)#servicetimestampsdebugdatetime{msec}show-timezone
Impact:
Loggingisanimportantprocessforanorganizationmanagingtechnologyriskandestablishingatimelineofeventsiscritical.The'servicetimestamps'commandsetsthedateandtimeonentriessenttothelogginghostandenforcestheloggingprocess.
4.1.2.2.7Set'loggingsourceinterface'
Table141:DeviceResults(2.2.7)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
SpecifythesourceIPv4orIPv6addressofsystemloggingpackets
Rationale
ThisisrequiredsothattheroutersendslogmessagestotheloggingserverfromaconsistentIPaddress.
Remediation
Bindloggingtotheloopbackinterface.
hostname(config)#loggingsource-interfaceloopback{loopback_interface_number}
Impact:
Loggingisanimportantprocessforanorganizationmanagingtechnologyriskandestablishingaconsistentsourceofmessagesforthelogginghostiscritical.The'loggingsourceinterfaceloopback'commandsetsaconsistentIPaddresstosendmessagestothelogginghostandenforcestheloggingprocess.
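Each of the SSH prerequisite rules (4.1.2.1.1), global service rules (4.1.2.1) and logging rules (4.1.2.2) above boils down to a one-line test against the running configuration, which is what an auditing tool such as the one that produced this report automates. The script below is an added example written for this page, not Nipper Studio's code nor a Cisco tool: it runs a subset of those checks over two constructed configurations, one compliant and one carrying several of the failures recorded in the tables. The thresholds (60-second timeout, 3 retries, 64000-byte buffer, trap level informational or debugging) come from the remediation text; the sample configurations are invented. Two assumptions about IOS output are built in and commented: settings that are on by default ('logging on') or off by default ('ip identd') only appear in a running configuration as a deviation, and the RSA modulus rule is skipped because, as the report notes, the modulus is not shown in the configuration.

```python
"""Added example: a minimal configuration audit for a subset of the CIS Cisco IOS
control-plane rules (SSH prerequisites, global services, logging).
Not Nipper Studio code; the sample configurations below are constructed."""
import re

# Constructed running-config that satisfies every check below.
COMPLIANT_CONFIG = """\
hostname router03
ip domain name corp.example
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
no cdp run
no ip bootp server
no service dhcp
service tcp-keepalives-in
service tcp-keepalives-out
no service pad
logging buffered 64000
logging console critical
logging host 192.0.2.10
logging trap informational
service timestamps debug datetime msec show-timezone
logging source-interface Loopback0
"""

# Constructed running-config with several of the weaknesses the report flags.
WEAK_CONFIG = """\
hostname router03
ip ssh version 1
ip ssh time-out 120
no logging on
logging buffered 4096
logging trap debugging
"""


def find(lines, pattern):
    """Return the first re.Match of a start-anchored pattern against the config lines, else None."""
    rx = re.compile(pattern)
    for line in lines:
        m = rx.match(line)
        if m:
            return m
    return None


def present(pattern):
    """Check: a line matching the pattern must exist."""
    return lambda lines: find(lines, pattern) is not None


def absent(pattern):
    """Check: no line may match the pattern. Used for settings that only show up in the
    configuration when they deviate from the default (assumption about IOS output)."""
    return lambda lines: find(lines, pattern) is None


def int_value(pattern, ok):
    """Check: the pattern's single numeric group must exist and satisfy ok(value)."""
    def check(lines):
        m = find(lines, pattern)
        return m is not None and ok(int(m.group(1)))
    return check


# Rule id and name as in the report tables -> check function.
# Rule 2.1.1.1.3 (RSA modulus) is omitted: IOS does not show the modulus in the configuration.
CHECKS = {
    "2.1.1.1.1 hostname": present(r"hostname \S+"),
    "2.1.1.1.2 ip domain name": present(r"ip domain[ -]name \S+"),  # IOS 12 writes 'ip domain-name'
    "2.1.1.1.4 ip ssh time-out <= 60": int_value(r"ip ssh time-out (\d+)", lambda v: v <= 60),
    "2.1.1.1.5 ip ssh authentication-retries <= 3": int_value(r"ip ssh authentication-retries (\d+)", lambda v: v <= 3),
    "2.1.1.2 ip ssh version 2": present(r"ip ssh version 2$"),
    "2.1.2 no cdp run": present(r"no cdp run$"),
    "2.1.3 no ip bootp server": present(r"no ip bootp server$"),
    "2.1.4 no service dhcp": present(r"no service dhcp$"),
    "2.1.5 no ip identd": absent(r"ip identd$"),          # identd is off unless explicitly enabled
    "2.1.6 service tcp-keepalives-in": present(r"service tcp-keepalives-in$"),
    "2.1.7 service tcp-keepalives-out": present(r"service tcp-keepalives-out$"),
    "2.1.8 no service pad": present(r"no service pad$"),
    "2.2.1 logging on": absent(r"no logging on$"),        # logging is on unless explicitly disabled
    "2.2.2 logging buffered >= 64000": int_value(r"logging buffered (\d+)", lambda v: v >= 64000),
    "2.2.3 logging console critical": present(r"logging console critical$"),
    "2.2.4 logging host": present(r"logging(?: host)? \d+\.\d+\.\d+\.\d+"),
    "2.2.5 logging trap informational": present(r"logging trap (?:informational|debugging)$"),
    "2.2.6 service timestamps debug datetime": present(r"service timestamps debug datetime"),
    "2.2.7 logging source-interface": present(r"logging source-interface \S+"),
}


def audit(config, checks=CHECKS):
    """Run every check against a running-config text; returns {rule: passed}."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    return {rule: check(lines) for rule, check in checks.items()}


def failures(config, checks=CHECKS):
    """Sorted list of the rules the configuration fails."""
    return sorted(rule for rule, passed in audit(config, checks).items() if not passed)


if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, "fails:", failures(cfg) or "none")
```

The `absent` checks are the part worth copying: a naive audit that only looks for the positive command would wrongly fail 'logging on' on every router, and would wrongly pass 'no ip identd' on a router where identd had been switched on.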
4.1.2.3 NTP Rules
Network Time Protocol allows administrators to set the system time on all of their compatible systems from a single source, ensuring a consistent time stamp for logging and authentication protocols. NTP is an internet standard, defined in RFC 1305.
4.1.2.3.1 Require Encryption Keys for NTP
Encryption keys should be set for NTP servers.
4.1.2.3.1.1 Set 'ntp authenticate'
Table 142: Device Results (2.3.1.1)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Enable NTP authentication.
Rationale
Using authenticated NTP ensures the Cisco device only permits time updates from authorized NTP servers.
Remediation
Configure NTP authentication:
hostname(config)# ntp authenticate
Impact:
Organizations should establish three Network Time Protocol (NTP) hosts to set consistent time across the enterprise. Enabling the 'ntp authenticate' command enforces authentication between NTP hosts.
4.1.2.3.1.2 Set 'ntp authentication-key'
Table 143: Device Results (2.3.1.2)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Define an authentication key for Network Time Protocol (NTP).
Rationale
Using an authentication key provides a higher degree of security as only authenticated NTP servers will be able to update time for the Cisco device.
Remediation
Configure the NTP key ring and encryption key using the following command.
hostname(config)# ntp authentication-key {ntp_key_id} md5 {ntp_key}
Impact:
Organizations should establish three Network Time Protocol (NTP) hosts to set consistent time across the enterprise. Enabling the 'ntp authentication-key' command enforces encrypted authentication between NTP hosts.
4.1.2.3.1.3 Set the 'ntp trusted-key'
Table 144: Device Results (2.3.1.3)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Ensure you authenticate the identity of a system to which Network Time Protocol (NTP) will synchronize.
Rationale
This authentication function provides protection against accidentally synchronizing the system to another system that is not trusted, because the other system must know the correct authentication key.
Remediation
Configure the NTP trusted key using the following command.
hostname(config)# ntp trusted-key {ntp_key_id}
Impact:
Organizations should establish three Network Time Protocol (NTP) hosts to set consistent time across the enterprise. Enabling the 'ntp trusted-key' command enforces encrypted authentication between NTP hosts.
4.1.2.3.1.4 Set 'key' for each 'ntp server'
Table 145: Device Results (2.3.1.4)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Specifies the authentication key for NTP.
Rationale
This authentication feature provides protection against accidentally synchronizing the NTP system to another system that is not trusted, because the other system must know the correct authentication key.
Remediation
Configure each NTP server to use a key ring using the following command.
hostname(config)# ntp server {ntp-server_ip_address} key {ntp_key_id}
Impact:
Organizations should establish three Network Time Protocol (NTP) hosts to set consistent time across the enterprise. Enabling the 'ntp server key' command enforces encrypted authentication between NTP hosts.
4.1.2.3.2 Set 'ip address' for 'ntp server'
Table 146: Device Results (2.3.2)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
Use this command if you want to allow the system to synchronize the system software clock with the specified NTP server.
Rationale
To ensure that the time on your Cisco router is consistent with other devices in your network, at least two (and preferably at least three) NTP servers external to the router should be configured.
Ensure you also configure consistent time zone and daylight savings time settings for all devices. For simplicity, use the default of Coordinated Universal Time (UTC).
Remediation
Configure at least one external NTP server using the following command.
hostname(config)# ntp server {ip address}
Impact:
Organizations should establish three Network Time Protocol (NTP) hosts to set consistent time across the enterprise. Setting the 'ntp server ip address' enforces encrypted authentication between NTP hosts.
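The four NTP rules above (4.1.2.3.1.1 to 4.1.2.3.1.4) configure one mechanism: the symmetric-key authenticator of RFC 5905 section 7.3, a 4-byte key identifier followed by MD5 over the key concatenated with the 48-byte NTP header. The following Python model is an added example, not Cisco's implementation or code from this report; the keys, key identifiers and packet fields are constructed. It shows why every one of the four commands is needed: a packet is accepted only if it carries an authenticator ('ntp authenticate'), the key id is configured ('ntp authentication-key'), the id is on the trusted list ('ntp trusted-key'), and the digest matches, and 'ntp server ... key' is what makes the router send with that key in the first place.

```python
"""Added example: the symmetric-key MAC that 'ntp authentication-key ... md5',
'ntp trusted-key' and 'ntp server ... key' put on NTP packets (RFC 5905, 7.3):
MAC = 4-byte key id || MD5(key || 48-byte NTP header).
Not Cisco code; keys and packet fields are constructed placeholders."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16  # key id + MD5 digest


def sample_header():
    """A constructed NTPv4 server reply header (LI=0, VN=4, mode=4, stratum 2, poll 6,
    precision -20). The eleven 32-bit words are root delay, root dispersion,
    reference id and four 64-bit timestamps; the values are placeholders."""
    return struct.pack("!BBbb11I", 0x24, 2, 6, -20, *range(11))


def authenticate(key_id, key, header):
    """Sender side: append the key id and MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys, trusted_keys):
    """Receiver side. keys maps key id -> key bytes ('ntp authentication-key'),
    trusted_keys is the set of ids named by 'ntp trusted-key'.
    Returns (accepted, reason)."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "no authenticator"        # with 'ntp authenticate' these are ignored
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False, "unknown key id"
    if key_id not in trusted_keys:
        return False, "key id not trusted"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "bad digest"              # wrong key or modified header
    return True, "ok"


# Constructed key material: two configured keys, only key 1 trusted.
KEYS = {1: b"ntp-key-one", 2: b"ntp-key-two"}   # ntp authentication-key 1 md5 ..., 2 md5 ...
TRUSTED = {1}                                    # ntp trusted-key 1

if __name__ == "__main__":
    good = authenticate(1, KEYS[1], sample_header())
    print(verify(good, KEYS, TRUSTED))
    print(verify(sample_header(), KEYS, TRUSTED))
```

Note what the authenticator does and does not give: it proves the packet came from a holder of the key and was not modified, but the header itself travels in the clear, so the benefit is origin authentication and integrity of the time source rather than confidentiality. MD5 is used here because that is the algorithm the benchmark's remediation command specifies.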
4.1.2.4 Loopback Rules
When a router needs to initiate connections to remote hosts, for example for SYSLOG or NTP, it will use the nearest interface for the packet's source address. This can cause issues due to the possible variation in source, potentially causing packets to be denied by intervening firewalls or handled incorrectly by the receiving host. To prevent these problems the router should be configured with a Loopback interface and any services should be bound to this address.
4.1.2.4.1 Create a single 'interface loopback'
Table 147: Device Results (2.4.1)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
Configure a single loopback interface.
Rationale
A loopback interface is a software-only interface that emulates an interface that is always up. It is a virtual interface supported on all platforms.
Alternate loopback addresses create a potential for abuse, misconfiguration, and inconsistencies. Additional loopback interfaces must be documented and approved prior to use by local security personnel.
Remediation
Define and configure one loopback interface.
hostname(config)# interface loopback <number>
hostname(config-if)# ip address <loopback_ip_address> <loopback_subnet_mask>
Impact:
Organizations should plan and establish 'loopback interfaces' for the enterprise network. Loopback interfaces supply critical network information such as OSPF Router IDs and provide termination points for routing protocol sessions.
4.1.2.4.2 Set AAA 'source-interface'
Table 148: Device Results (2.4.2)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Force AAA to use the IP address of a specified interface for all outgoing AAA packets.
Rationale
This is required so that the AAA server (RADIUS or TACACS+) can easily identify routers and authenticate requests by their IP address.
Remediation
Bind AAA services to the loopback interface.
hostname(config)# ip {tacacs|radius} source-interface loopback {loopback_interface_number}
Impact:
Organizations should design and implement authentication, authorization, and accounting (AAA) services for effective monitoring of enterprise network devices. Binding AAA services to the source-interface loopback enables these services.
4.1.2.4.3 Set 'ntp source' to Loopback Interface
Table 149: Device Results (2.4.3)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Use a particular source address in Network Time Protocol (NTP) packets.
Rationale
Set the source address to be used when sending NTP traffic. This may be required if the NTP servers you peer with filter based on IP address.
Remediation
Bind the NTP service to the loopback interface.
hostname(config)# ntp source loopback {loopback_interface_number}
Impact:
Organizations should plan and implement network time protocol (NTP) services to establish official time for all enterprise network devices. Setting 'ntp source loopback' enforces the proper IP address for NTP services.
4.1.2.4.4 Set 'ip tftp source-interface' to the Loopback Interface
Table 150: Device Results (2.4.4)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Specify the IP address of an interface as the source address for TFTP connections.
Rationale
This is required so that the TFTP servers can easily identify routers and authenticate requests by their IP address.
Remediation
Bind the TFTP client to the loopback interface.
hostname(config)# ip tftp source-interface loopback {loopback_interface_number}
Impact:
Organizations should plan and implement trivial file transfer protocol (TFTP) services in the enterprise by setting 'tftp source-interface loopback', which enables the TFTP servers to identify routers and authenticate requests by IP address.
4.1.3 Data Plane
Services and settings related to the data passing through the router (as opposed to directed to it). The data plane is for everything not in the control or management planes. Settings on a router concerned with the data plane include interface access lists, firewall functionality (e.g. CBAC), NAT, and IPSec. Settings for traffic-affecting services like unicast RPF verification and CAR/QoS also fall into this area.
4.1.3.1 Routing Rules
Unneeded services should be disabled.
4.1.3.1.1 Set 'no ip source-route'
Table 151: Device Results (3.1.1)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Disable the handling of IP datagrams with source routing header options.
Rationale
Source routing is a feature of IP whereby individual packets can specify routes. This feature is used in several kinds of attacks. Cisco routers normally accept and process source routes. Unless a network depends on source routing, it should be disabled.
Remediation
Disable source routing.
hostname(config)# no ip source-route
Impact:
Organizations should plan and implement network policies to ensure unnecessary services are explicitly disabled. The 'ip source-route' feature has been used in several attacks and should be disabled.
4.1.3.1.2 Set 'no ip proxy-arp'
Table 152: Device Results (3.1.2)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Disable proxy ARP on all interfaces.
Rationale
Address Resolution Protocol (ARP) provides resolution between IP and MAC addresses (or other Network and Link Layer addresses on non-IP networks) within a Layer 2 network.
Proxy ARP is a service where a device connected to one network (in this case the Cisco router) answers ARP requests which are addressed to a host on another network, replying with its own MAC address and forwarding the traffic on to the intended host.
Sometimes used for extending broadcast domains across WAN links, in most cases Proxy ARP on enterprise networks is used to enable communication for hosts with misconfigured subnet masks, a situation which should no longer be a common problem. Proxy ARP effectively breaks the LAN security perimeter, extending a network across multiple Layer 2 segments. Using Proxy ARP can also allow other security controls such as PVLAN to be bypassed.
Remediation
Disable proxy ARP on all interfaces.
hostname(config)# interface {interface}
hostname(config-if)# no ip proxy-arp
Impact:
Organizations should plan and implement network policies to ensure unnecessary services are explicitly disabled. The 'ip proxy-arp' feature effectively breaks the LAN security perimeter and should be disabled.
4.1.3.1.3 Set 'no interface tunnel'
Table 153: Device Results (3.1.3)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
Verify no tunnel interfaces are defined.
Rationale
Tunnel interfaces should not exist in general. They can be used for malicious purposes. If they are necessary, the network admins should be well aware of them and their purpose.
Remediation
Remove any tunnel interfaces.
hostname(config)# no interface tunnel {instance}
Impact:
Organizations should plan and implement enterprise network security policies that disable insecure and unnecessary features that increase attack surfaces such as 'tunnel interfaces'.
4.1.3.1.4 Set 'ip verify unicast source reachable-via'
Table 154: Device Results (3.1.4)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet only if the source is reachable through the interface on which the packet was received (sometimes referred to as strict mode).
Rationale
Enabling uRPF helps mitigate IP spoofing by ensuring packet source IP addresses originate only from expected interfaces. Configure unicast reverse-path forwarding (uRPF) on all external or high risk interfaces.
Remediation
Configure uRPF.
hostname(config)# interface {interface_name}
hostname(config-if)# ip verify unicast source reachable-via rx
Impact:
Organizations should plan and implement enterprise security policies that protect the confidentiality, integrity, and availability of network devices. The 'unicast Reverse-Path Forwarding' (uRPF) feature dynamically uses the routing table to either accept or drop packets when arriving on an interface.
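The strict-mode check described in 4.1.3.1.4 is a reverse lookup: take the packet's source address, find its longest-prefix match in the FIB, and accept the packet only if that route points back out of the interface the packet arrived on. The Python model below is an added example, not Cisco's implementation; the FIB entries, interface names and addresses are constructed. It also models loose mode ('reachable-via any') and the fact that IOS uRPF ignores the default route unless the 'allow-default' keyword is given (stated here as the model's assumption about IOS behaviour), because that interaction decides whether the rule can be applied to an Internet-facing interface at all.

```python
"""Added example: a model of 'ip verify unicast source reachable-via rx' (strict
uRPF) and 'reachable-via any' (loose uRPF) over a constructed FIB. Not Cisco code."""
import ipaddress

# Constructed FIB: (prefix, outgoing interface). Not taken from the audited devices.
FIB = [
    ("10.1.0.0/16", "GigabitEthernet0/1"),   # internal LAN
    ("10.1.5.0/24", "GigabitEthernet0/2"),   # a more specific internal subnet
    ("0.0.0.0/0", "GigabitEthernet0/0"),     # default route toward the Internet
]


def lookup(fib, addr, allow_default=False):
    """Longest-prefix match for addr; returns the outgoing interface or None.
    Mirrors the IOS 'allow-default' option: the default route only counts when it is set."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None or (best[0].prefixlen == 0 and not allow_default):
        return None
    return best[1]


def urpf_strict(fib, src, ingress, allow_default=False):
    """'reachable-via rx': the best route back to the source must leave via the ingress interface."""
    return lookup(fib, src, allow_default) == ingress


def urpf_loose(fib, src, ingress, allow_default=False):
    """'reachable-via any': the source only has to be reachable via some interface."""
    return lookup(fib, src, allow_default) is not None


if __name__ == "__main__":
    # A packet claiming an internal source but arriving from the Internet side.
    print(urpf_strict(FIB, "10.1.7.9", "GigabitEthernet0/0"))   # False: dropped
    print(urpf_strict(FIB, "10.1.7.9", "GigabitEthernet0/1"))   # True: accepted
```

Two consequences follow directly from the model. With a default route and no 'allow-default', strict mode on the external interface drops every legitimate Internet source, so that interface needs 'allow-default' (or loose mode); and loose mode combined with 'allow-default' accepts any source at all, which is why the rationale scopes uRPF to specific "external or high risk interfaces" rather than treating it as a global switch.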
4.1.3.2 Border Router Filtering
A border-filtering device connects "internal" networks such as desktop networks, DMZ networks, etc., to "external" networks such as the Internet. If this group is chosen, then ingress and egress filter rules will be required.
4.1.3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks
Table 155: Device Results (3.2.1)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
This command places the router in access-list configuration mode, where you must define the denied or permitted access conditions by using the deny and permit commands.
Rationale
Configuring access controls can help prevent spoofing attacks. To reduce the effectiveness of IP spoofing, configure access control to deny any traffic from the external network that has a source address that should reside on the internal network. Include the local host address or any reserved private addresses (RFC 1918).
Ensure the permit rule(s) above the final deny rule only allow traffic according to your organization's least privilege policy.
Remediation
Configure an ACL for private source address restrictions from external networks.
hostname(config)# ip access-list extended {name | number}
hostname(config-nacl)# deny ip {internal_networks} any log
hostname(config-nacl)# deny ip 127.0.0.0 0.255.255.255 any log
hostname(config-nacl)# deny ip 10.0.0.0 0.255.255.255 any log
hostname(config-nacl)# deny ip 0.0.0.0 0.255.255.255 any log
hostname(config-nacl)# deny ip 172.16.0.0 0.15.255.255 any log
hostname(config-nacl)# deny ip 192.168.0.0 0.0.255.255 any log
hostname(config-nacl)# deny ip 192.0.2.0 0.0.0.255 any log
hostname(config-nacl)# deny ip 169.254.0.0 0.0.255.255 any log
hostname(config-nacl)# deny ip 224.0.0.0 31.255.255.255 any log
hostname(config-nacl)# deny ip host 255.255.255.255 any log
hostname(config-nacl)# permit {protocol} {source_ip} {source_mask} {destination} {destination_mask} log
hostname(config-nacl)# deny any any log
hostname(config)# interface <external_interface>
hostname(config-if)# ip access-group <access-list> in
Impact:
Organizations should plan and implement enterprise security policies that explicitly separate internal from external networks. Adding an 'ip access-list' explicitly permitting and denying internal and external networks enforces these policies.
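The ACL in the remediation above relies on two things that are easy to get wrong when reviewing it by eye: Cisco wildcard masks (a 0 bit must match, a 1 bit is "don't care", the inverse of a subnet mask) and first-match evaluation with an implicit deny at the end. The evaluator below is an added example for this page, not Cisco code; it parses the benchmark's entries as written, with 203.0.113.0/24 standing in for {internal_networks} and a single permitted TCP server as the constructed least-privilege permit rule, and evaluates constructed packets against them. Note one reading decision: an extended ACL entry needs a protocol keyword, so the benchmark's closing 'deny any any log' is treated as 'deny ip any any log'.

```python
"""Added example: evaluator for the ingress ACL in the remediation above, using
Cisco wildcard-mask matching and first-match semantics with the implicit deny.
Not Cisco code; the internal range, permitted server and test packets are constructed."""
import ipaddress
from dataclasses import dataclass


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits that are 0 in the wildcard must equal the base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) ^ to_int(base)) & care == 0


@dataclass
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    log: bool = False


def parse_ace(text):
    """Parse one 'permit|deny [proto] <src> <dst> [log]' line with any/host shorthand.
    A missing protocol keyword (the benchmark's 'deny any any log') is read as 'ip'."""
    toks = text.split()
    action, rest = toks[0], toks[1:]
    proto = "ip"
    if rest[0] not in ("any", "host") and not rest[0][0].isdigit():
        proto = rest.pop(0)
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest = rest[:-1]

    def take():
        tok = rest.pop(0)
        if tok == "any":
            return "0.0.0.0", "255.255.255.255"
        if tok == "host":
            return rest.pop(0), "0.0.0.0"
        return tok, rest.pop(0)

    src, src_wc = take()
    dst, dst_wc = take()
    return Ace(action, proto, src, src_wc, dst, dst_wc, log)


def evaluate(acl, proto, src, dst):
    """Return (action, entry number) of the first matching entry, or ('deny', None)
    for the implicit deny that ends every IOS access list."""
    for n, ace in enumerate(acl, 1):
        if ace.proto not in ("ip", proto):
            continue
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action, n
    return "deny", None


# The remediation ACL with constructed values: 203.0.113.0/24 stands in for
# {internal_networks} and 203.0.113.10 is the one host the permit rule exposes.
INGRESS_ACL = [parse_ace(line) for line in """
deny ip 203.0.113.0 0.0.0.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny ip host 255.255.255.255 any log
permit tcp any host 203.0.113.10 log
deny any any log
""".strip().splitlines()]

if __name__ == "__main__":
    for packet in [("tcp", "198.51.100.7", "203.0.113.10"),   # legitimate external client
                   ("tcp", "10.20.30.40", "203.0.113.10"),    # RFC 1918 source from outside
                   ("tcp", "203.0.113.55", "203.0.113.10")]:  # internal source from outside
        print(packet, "->", evaluate(INGRESS_ACL, *packet))
```

Running the evaluator over the full table also surfaces a detail of the benchmark's own list: '224.0.0.0 31.255.255.255' covers every address whose first three bits are 111, that is 224.0.0.0 through 255.255.255.255, so the broadcast address already matches entry 9 and the 'host 255.255.255.255' entry that follows can never fire. Harmless here, but the same shadowing in a permit rule would be a real finding.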
4.1.3.2.2Setinbound'ipaccess-group'ontheExternalInterface
Table156:DeviceResults(3.2.2)
Device Result
router03IOS12.3 Manual
CiscoIOS15IOS15.0 Manual
Description
Thiscommandplacestherouterinaccess-listconfigurationmode,whereyoumustdefinethedeniedorpermittedaccessconditionsbyusingthedenyandpermitcommands.
Rationale
Configuringaccesscontrolscanhelppreventspoofingattacks.ToreducetheeffectivenessofIPspoofing,configureaccesscontroltodenyanytrafficfromtheexternalnetworkthathasasourceaddressthatshouldresideontheinternalnetwork.Includelocalhostaddressoranyreservedprivateaddresses(RFC1918).
Ensurethepermitrule(s)abovethefinaldenyruleonlyallowtrafficaccordingtoyourorganization'sleastprivilegepolicy.
Remediation
Applytheaccess-groupfortheexternal(untrusted)interface
hostname(config)#interface{external_interface}
hostname(config-if)#ipaccess-group{name|number}in
Impact:
Organizationsshouldplanandimplemententerprisesecuritypoliciesexplicitlypermittinganddenyingaccessbaseduponaccesslists.Usingthe'ipaccess-group'commandenforcesthesepoliciesbyexplicitlyidentifyinggroupspermittedaccess.
4.1.3.3NeighborAuthentication
Enableroutingauthentication.
4.1.3.3.1RequireEIGRPAuthenticationifProtocolisUsed
Verifyenhancedinteriorgatewayroutingprotocol(EIGRP)authenticationisenabled,ifroutingprotocolisused,wherefeasible.
4.1.3.3.1.1Set'keychain'
Table157:DeviceResults(3.3.1.1)
Device Result
router03IOS12.3 Pass
CiscoIOS15IOS15.0 Pass
Description
Defineanauthenticationkeychaintoenableauthenticationforroutingprotocols.Akeychainmusthaveatleastonekeyandcanhaveupto2,147,483,647keys.
NOTE:OnlyDRPAgent,EIGRP,andRIPv2usekeychains.
Rationale
RoutingprotocolssuchasDRPAgent,EIGRP,andRIPv2usekeychainsforauthentication.
Remediation
Establishthekeychain.
hostname(config)#keychain{key-chain_name}
Impact:
Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'keychains'forroutingprotocolsenforcesthesepolicies.
4.1.3.3.1.2Set'key'
Table158:DeviceResults(3.3.1.2)
Device Result
router03IOS12.3 Pass
CiscoIOS15IOS15.0 Pass
Description
Configureanauthenticationkeyonakeychain.
Rationale
Thisispartoftheroutingauthenticationsetup
Remediation
Configurethekeynumber.
hostname(config-keychain)#key{key-number}
Impact:
Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'keynumbers'forkeychainsforroutingprotocolsenforcesthesepolicies.
4.1.3.3.1.3Set'key-string'
Table159:DeviceResults(3.3.1.3)
Device Result
router03IOS12.3 Pass
CiscoIOS15IOS15.0 Pass
Description
Configuretheauthenticationstringforakey.
Rationale
Thisispartoftheroutingauthenticationsetup
Remediation
Configurethekeystring.
hostname(config-keychain-key)#key-string<key-string>
Impact:
Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'keystrings'forkeychainsforroutingprotocolsenforcesthesepolicies.
4.1.3.3.1.4Set'address-familyipv4autonomous-system'
Table160:DeviceResults(3.3.1.4)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
ConfiguretheEIGRPaddressfamily.
Rationale
BGPisatruemulti-protocolroutingprotocolandthe'address-family'featureenablesrestrictionofexchangeswithspecificneighbors.
Remediation
ConfiguretheEIGRPaddressfamily.
hostname(config)#routereigrp<virtual-instance-name>
hostname(config-router)#address-familyipv4autonomous-system{eigrp_as-number}
Impact:
Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'address-family'forEIGRPenforcesthesepoliciesbyrestrictingtheexchangesbetweenpredefinednetworkdevices.
4.1.3.3.1.5Set'af-interfacedefault'
Table161:DeviceResults(3.3.1.5)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
DefinesuserdefaultstoapplytoEIGRPinterfacesthatbelongtoanaddress-family.
Rationale
PartoftheEIGRPaddress-familysetup
Remediation
ConfiguretheEIGRPaddressfamily.
hostname(config)#routereigrp<virtual-instance-name>
hostname(config-router)#address-familyipv4autonomous-system{eigrp_as-number}
hostname(config-router-af)#af-interfacedefault
Impact:
Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Using'af-interfacedefault'forEIGRPinterfacesenforcesthesepoliciesbyrestrictingtheexchangesbetweenpredefinednetworkdevices.
4.1.3.3.1.6Set'authenticationkey-chain'
Table162:DeviceResults(3.3.1.6)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
ConfiguretheEIGRPaddressfamilykeychain.
Rationale
ThisispartoftheEIGRPauthenticationconfiguration
Remediation
ConfiguretheEIGRPaddressfamilykeychain.
hostname(config)#routereigrp<virtual-instance-name>
hostname(config-router)#address-familyipv4autonomous-system{eigrp_as-number}
hostname(config-router-af)#af-interface{interface-name}
hostname(config-router-af-interface)#authenticationkey-chain{eigrp_key-chain_name}
Impact:
Organizationsshouldplanandimplemententerprisesecuritypoliciesthatrequirerigorousauthenticationmethodsforroutingprotocols.Usingtheaddress-family'keychain'forEIGRPenforcesthesepoliciesbyrestrictingtheexchangesbetweenpredefinednetworkdevices.
4.1.3.3.1.7 Set 'authentication mode md5'
Table 163: Device Results (3.3.1.7)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Configure authentication to prevent unapproved sources from introducing unauthorized or false service messages.
Rationale
This is part of the EIGRP authentication configuration.
Remediation
Configure the EIGRP address family authentication mode.
hostname(config)# router eigrp <virtual-instance-name>
hostname(config-router)# address-family ipv4 autonomous-system {eigrp_as-number}
hostname(config-router-af)# af-interface {interface-name}
hostname(config-router-af-interface)# authentication mode md5
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using the 'authentication mode' for EIGRP address-family or service-family packets enforces these policies by restricting the type of authentication between network devices.
4.1.3.3.1.8 Set 'ip authentication key-chain eigrp'
Table 164: Device Results (3.3.1.8)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Specify the type of authentication used in Enhanced Interior Gateway Routing Protocol (EIGRP) packets per interface.
Rationale
Configuring the EIGRP authentication key-chain number and name restricts packet exchanges between network devices.
Remediation
Configure the interface with the EIGRP key chain.
hostname(config)# interface {interface_name}
hostname(config-if)# ip authentication key-chain eigrp {eigrp_as-number} {eigrp_key-chain_name}
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the interface with 'ip authentication key chain' for EIGRP by name and number enforces these policies by restricting the exchanges between network devices.
4.1.3.3.1.9 Set 'ip authentication mode eigrp'
Table 165: Device Results (3.3.1.9)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Configure authentication to prevent unapproved sources from introducing unauthorized or false routing messages.
Rationale
This is part of the EIGRP authentication configuration.
Remediation
Configure the interface with the EIGRP authentication mode.
hostname(config)# interface {interface_name}
hostname(config-if)# ip authentication mode eigrp {eigrp_as-number} md5
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the interface with 'ip authentication mode' for EIGRP by number and mode enforces these policies by restricting the exchanges between network devices.
4.1.3.3.2 Require OSPF Authentication if Protocol is Used
Verify Open Shortest Path First (OSPF) authentication is enabled, where feasible.
4.1.3.3.2.1 Set 'authentication message-digest' for OSPF area
Table 166: Device Results (3.3.2.1)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Enable MD5 authentication for OSPF.
Rationale
This is part of the OSPF authentication setup.
Remediation
Configure the Message Digest option for OSPF.
hostname(config)# router ospf <ospf_process-id>
hostname(config-router)# area <ospf_area-id> authentication message-digest
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the area 'authentication message-digest' for OSPF enforces these policies by restricting exchanges between network devices.
4.1.3.3.2.2 Set 'ip ospf message-digest-key md5'
Table 167: Device Results (3.3.2.2)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Enable Open Shortest Path First (OSPF) Message Digest 5 (MD5) authentication.
Rationale
This is part of the OSPF authentication setup.
Remediation
Configure the appropriate interface(s) for Message Digest authentication.
hostname(config)# interface {interface_name}
hostname(config-if)# ip ospf message-digest-key {ospf_md5_key-id} md5 {ospf_md5_key}
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the proper interface(s) for 'ip ospf message-digest-key md5' enforces these policies by restricting exchanges between network devices.
4.1.3.3.3 Require RIPv2 Authentication if Protocol is Used
Routing Information Protocol is a distance vector protocol used for interior gateway routing on some networks.
RIP is a complex protocol, with many configuration options which may have effects which are not immediately obvious.
Verify Routing Information Protocol (RIP) version two authentication is enabled, if the routing protocol is used, where feasible.
4.1.3.3.3.1 Set 'key chain'
Table 168: Device Results (3.3.3.1)
Device Result
router03 IOS 12.3 Pass
CiscoIOS15 IOS 15.0 Pass
Description
Define an authentication key chain to enable authentication for RIPv2 routing protocols.
Rationale
This is part of the routing authentication process.
Remediation
Establish the key chain.
hostname(config)# key chain {rip_key-chain_name}
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the proper authentication 'key-chain (name)' for RIPv2 protocols enforces these policies by restricting acceptable authentication between network devices.
4.1.3.3.3.2 Set 'key'
Table 169: Device Results (3.3.3.2)
Device Result
router03 IOS 12.3 Pass
CiscoIOS15 IOS 15.0 Pass
Description
Configure an authentication key on a key chain.
Rationale
This is part of the routing authentication setup.
Remediation
Configure the key number.
hostname(config-keychain)# key {key-number}
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the proper authentication 'key' for RIPv2 protocols enforces these policies by restricting acceptable authentication between network devices.
4.1.3.3.3.3 Set 'key-string'
Table 170: Device Results (3.3.3.3)
Device Result
router03 IOS 12.3 Pass
CiscoIOS15 IOS 15.0 Pass
Description
Configure the authentication string for a key.
Rationale
This is part of the routing authentication setup.
Remediation
Configure the key string.
hostname(config-keychain-key)# key-string <key-string>
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using 'key-string' for key chains for routing protocols enforces these policies.
4.1.3.3.3.4 Set 'ip rip authentication key-chain'
Table 171: Device Results (3.3.3.4)
Device Result
router03 IOS 12.3 Pass
CiscoIOS15 IOS 15.0 Pass
Description
Enable authentication for Routing Information Protocol (RIP) Version 2 packets and specify the set of keys that can be used on an interface.
Rationale
This is part of the RIPv2 authentication setup.
Remediation
Configure the interface with the RIPv2 key chain.
hostname(config)# interface {interface_name}
hostname(config-if)# ip rip authentication key-chain {rip_key-chain_name}
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the interface with 'ip rip authentication key-chain' by name enforces these policies by restricting the exchanges between network devices.
4.1.3.3.3.5 Set 'ip rip authentication mode' to 'md5'
Table 172: Device Results (3.3.3.5)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Configure the interface with the RIPv2 key chain.
Rationale
This is part of the RIPv2 authentication setup.
Remediation
Configure the RIPv2 authentication mode on the necessary interface(s).
hostname(config)# interface <interface_name>
hostname(config-if)# ip rip authentication mode md5
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using 'ip rip authentication mode md5' enforces these policies by restricting the type of authentication between network devices.
4.1.3.3.4 Require BGP Authentication if Protocol is Used
Border Gateway Protocol (BGP) is a path vector protocol used for interior and exterior gateway routing on some networks.
BGP is a complex protocol, with many configuration options which may have effects which are not immediately obvious.
Verify Border Gateway Protocol (BGP) authentication is enabled, if the routing protocol is used, where feasible.
4.1.3.3.4.1 Set 'neighbor password'
Table 173: Device Results (3.3.4.1)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Enable message digest 5 (MD5) authentication on a TCP connection between two BGP peers.
Rationale
Enforcing routing authentication reduces the likelihood of route poisoning and of unauthorized routers joining BGP routing.
Remediation
Configure BGP neighbor authentication where feasible.
hostname(config)# router bgp <bgp_as-number>
hostname(config-router)# neighbor <bgp_neighbor-ip | peer-group-name> password <password>
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using the 'neighbor password' for BGP enforces these policies by restricting the type of authentication between network devices.
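The routing-protocol checks of sections 4.1.3.3.1 to 4.1.3.3.4 (EIGRP named-mode af-interface authentication, OSPF area message-digest and interface MD5 keys, RIPv2 key chains and mode md5, BGP neighbor passwords) can be reproduced offline against a saved running-config. The script below is an added example, not Nipper Studio output or Cisco code; the sample configuration embedded in it is constructed (with placeholder secrets and documentation-range addresses), and the check names and the Pass/Fail semantics are this script's own approximation of the report's tables. It deliberately contains a named-mode EIGRP address family that sets a key chain but never sets 'authentication mode md5', and a RIP interface that names a key chain but not the mode, which are the two most common partial-configuration failures for these checks.

```python
"""Routing-protocol authentication audit of a Cisco IOS running-config, for
the EIGRP, OSPF, RIPv2 and BGP checks of sections 4.1.3.3.1 to 4.1.3.3.4.
Added example (not Nipper Studio or Cisco code); SAMPLE_CONFIG is constructed."""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
key chain RIP-KEYS
 key 1
  key-string RIP-SECRET-PLACEHOLDER
interface GigabitEthernet0/0
 ip ospf message-digest-key 1 md5 OSPF-SECRET-PLACEHOLDER
 ip rip authentication key-chain RIP-KEYS
router eigrp CORP
 address-family ipv4 autonomous-system 100
  af-interface default
   authentication key-chain EIGRP-KEYS
  exit-af-interface
  network 192.0.2.0 0.0.0.255
router ospf 1
 area 0 authentication message-digest
 network 192.0.2.0 0.0.0.255 area 0
router rip
 network 192.0.2.0
router bgp 65000
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.2 password BGP-SECRET-PLACEHOLDER
"""


def parse_stanzas(config: str) -> Dict[str, List[str]]:
    """Top-level stanzas keyed by header; body lines keep their indentation."""
    stanzas: Dict[str, List[str]] = {}
    header = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and header is not None:
            stanzas[header].append(raw.rstrip())
        elif not raw.startswith(" "):
            header = raw.strip()
            stanzas[header] = []
    return stanzas


def nested_blocks(body: List[str], prefix: str) -> List[List[str]]:
    """Stripped lines nested under each body line that starts with prefix."""
    blocks: List[List[str]] = []
    current, depth = None, 0
    for line in body:
        indent = len(line) - len(line.lstrip())
        if line.strip().startswith(prefix):
            current, depth = [], indent
            blocks.append(current)
        elif current is not None and indent > depth:
            current.append(line.strip())
        else:
            current = None
    return blocks


def verdict(ok: bool) -> str:
    return "Pass" if ok else "Fail"


def audit_routing_auth(config: str) -> Dict[str, str]:
    """Pass/Fail per check, like the report's tables; unconfigured protocols are skipped."""
    st = parse_stanzas(config)
    res: Dict[str, str] = {}
    ifaces = [[ln.strip() for ln in b] for h, b in st.items() if h.startswith("interface ")]
    chains = {h.split()[2] for h in st if h.startswith("key chain ")}

    # 3.3.1.6 / 3.3.1.7: every named-mode af-interface needs a key chain AND mode md5.
    afs = [blk for h, b in st.items() if h.startswith("router eigrp ")
           for blk in nested_blocks(b, "af-interface")]
    if any(h.startswith("router eigrp ") for h in st):
        res["EIGRP af-interface authentication"] = verdict(bool(afs) and all(
            any(ln.startswith("authentication key-chain ") for ln in blk)
            and "authentication mode md5" in blk for blk in afs))

    # 3.3.2.1 / 3.3.2.2: each area in use needs message-digest; some interface needs an MD5 key.
    ospf = [ln.strip() for h, b in st.items() if h.startswith("router ospf ") for ln in b]
    if ospf:
        areas = {ln.split()[-1] for ln in ospf if re.match(r"network .* area \S+$", ln)}
        res["OSPF area message-digest"] = verdict(all(
            f"area {a} authentication message-digest" in ospf for a in areas))
        res["OSPF interface message-digest-key"] = verdict(any(
            re.match(r"ip ospf message-digest-key \d+ md5 ", ln) for b in ifaces for ln in b))

    # 3.3.3.1 - 3.3.3.5: RIP interfaces must name an existing key chain and use mode md5.
    if "router rip" in st:
        rip_ifs = [b for b in ifaces if any(ln.startswith("ip rip authentication") for ln in b)]
        res["RIP interface key-chain"] = verdict(bool(rip_ifs) and all(
            any(ln.startswith("ip rip authentication key-chain ") and ln.split()[-1] in chains
                for ln in b) for b in rip_ifs))
        res["RIP interface authentication mode md5"] = verdict(bool(rip_ifs) and all(
            "ip rip authentication mode md5" in b for b in rip_ifs))

    # 3.3.4.1: every BGP neighbor with a remote-as must also have a password.
    bgp = [ln.strip() for h, b in st.items() if h.startswith("router bgp ") for ln in b]
    if bgp:
        peers = {ln.split()[1] for ln in bgp if re.match(r"neighbor \S+ remote-as ", ln)}
        res["BGP neighbor password"] = verdict(all(
            any(ln.startswith(f"neighbor {p} password ") for ln in bgp) for p in peers))
    return res


if __name__ == "__main__":
    for check, result in audit_routing_auth(SAMPLE_CONFIG).items():
        print(f"{check:42} {result}")
```

Run against the constructed sample it reports the EIGRP and RIP mode checks as Fail and the OSPF and BGP checks as Pass. The nested-block walk matters for EIGRP named mode because the authentication commands sit two levels below 'router eigrp'; a flat search of the stanza would accept a key chain configured under one af-interface and a mode configured under another. Feed it the output of 'show running-config' saved to a file to audit a real device.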
4.2 CIS Cisco IOS 12 Benchmark
This document, Security Configuration Benchmark for Cisco IOS, provides prescriptive guidance for establishing a secure configuration posture for Cisco Routers running Cisco IOS version 12. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, [email protected].
4.2.1 Management Plane
Services, settings and data streams related to setting up and examining the static configuration of the firewall, and the authentication and authorization of firewall administrators. Examples of management plane services include: administrative device access (telnet, ssh, http, and https), SNMP, and security protocols like RADIUS and TACACS+.
4.2.1.1 Local Authentication, Authorization and Accounting (AAA) Rules
Rules in the Local authentication, authorization and accounting (AAA) configuration class enforce device access control, provide a mechanism for tracking configuration changes, and enforce security policy.
4.2.1.1.1 Enable 'aaa new-model'
Table 174: Device Results (1.1.1)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
This command enables the AAA access control system.
Rationale
Authentication, authorization and accounting (AAA) services provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices.
Remediation
Globally enable authentication, authorization and accounting (AAA) using the new-model command.
hostname(config)# aaa new-model
Impact:
Implementing Cisco AAA is significantly disruptive as former access methods are immediately disabled. Therefore, before implementing Cisco AAA, the organization should carefully review and plan their authentication criteria (logins & passwords, challenges & responses, and token technologies), authorization methods, and accounting requirements.
4.2.1.1.2 Enable 'aaa authentication login'
Table 175: Device Results (1.1.2)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Sets authentication, authorization and accounting (AAA) authentication at login.
Rationale
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA. Fallback mode should also be enabled to allow emergency access to the router or switch in the event that the AAA server was unreachable, by utilizing the LOCAL keyword after the AAA server-tag.
Remediation
Configure AAA authentication method(s) for login authentication.
hostname(config)# aaa authentication login {default | aaa_list_name} [passwd-expiry] method1 [method2]
Impact:
Implementing Cisco AAA is significantly disruptive as former access methods are immediately disabled. Therefore, before implementing Cisco AAA, the organization should carefully review and plan their authentication methods such as logins and passwords, challenges and responses, and which token technologies will be used.
4.2.1.1.3 Enable 'aaa authentication enable default'
Table 176: Device Results (1.1.3)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Authenticates users who access privileged EXEC mode when they use the enable command.
Rationale
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA.
Remediation
Configure AAA authentication method(s) for enable authentication.
hostname(config)# aaa authentication enable default {method1} enable
Impact:
Enabling Cisco AAA 'authentication enable' mode is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling 'aaa authentication enable default' mode, the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.
4.2.1.1.4 Set 'login authentication' for 'line con 0'
Table 177: Device Results (1.1.4)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Authenticates users who access the router or switch using the serial console port.
Rationale
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA.
Remediation
Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)# line console 0
hostname(config-line)# login authentication {default | aaa_list_name}
Impact:
Enabling Cisco AAA 'line login' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'line login', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.
4.2.1.1.5 Set 'login authentication' for 'line tty'
Table 178: Device Results (1.1.5)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Authenticates users who access the router or switch using the TTY port.
Rationale
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA.
Remediation
Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)# line tty {line-number} [ending-line-number]
hostname(config-line)# login authentication {default | aaa_list_name}
Impact:
Enabling Cisco AAA 'login authentication for line TTY' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'login authentication for line TTY', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.
4.2.1.1.6 Set 'login authentication' for 'line vty'
Table 179: Device Results (1.1.6)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Authenticates users who access the router or switch remotely through the VTY port.
Rationale
Using AAA authentication for interactive management access to the device provides consistent, centralized control of your network. The default under AAA (local or network) is to require users to log in using a valid user name and password. This rule applies for both local and network AAA.
Remediation
Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)# line vty {line-number} [ending-line-number]
hostname(config-line)# login authentication {default | aaa_list_name}
Impact:
Enabling Cisco AAA 'login authentication for line VTY' is significantly disruptive as former access methods are immediately disabled. Therefore, before enabling Cisco AAA 'login authentication for line VTY', the organization should plan and implement authentication logins and passwords, challenges and responses, and token technologies.
4.2.1.1.7 Set 'aaa accounting' to log all privileged use commands using 'commands 15'
Table 180: Device Results (1.1.7)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Runs accounting for all commands at the specified privilege level.
Rationale
Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices. AAA Accounting provides a management and audit trail for user and administrative sessions through RADIUS or TACACS+.
Remediation
Configure AAA accounting for commands.
hostname(config)# aaa accounting commands 15 {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
Impact:
Enabling 'aaa accounting' for privileged commands records and sends activity to the accounting servers and enables organizations to monitor and analyze privileged activity.
4.2.1.1.8 Set 'aaa accounting connection'
Table 181: Device Results (1.1.8)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Provides information about all outbound connections made from the network access server.
Rationale
Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices. AAA Accounting provides a management and audit trail for user and administrative sessions through RADIUS and TACACS+.
Remediation
Configure AAA accounting for connections.
hostname(config)# aaa accounting connection {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
Impact:
Implementing aaa accounting connection creates accounting records about connections from the network access server. Organizations should regularly monitor these connection records for exceptions, remediate issues, and report findings regularly.
4.2.1.1.9 Set 'aaa accounting exec'
Table 182: Device Results (1.1.9)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Runs accounting for the EXEC shell session.
Rationale
Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices. AAA Accounting provides a management and audit trail for user and administrative sessions through RADIUS and TACACS+.
Remediation
Configure AAA accounting for the EXEC shell session.
hostname(config)# aaa accounting exec {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
Impact:
Enabling aaa accounting exec creates accounting records for the EXEC terminal sessions on the network access server. These records include start and stop times, user names, and date information. Organizations should regularly monitor these records for exceptions, remediate issues, and report findings.
4.2.1.1.10 Set 'aaa accounting network'
Table 183: Device Results (1.1.10)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Runs accounting for all network-related service requests.
Rationale
Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices. AAA Accounting provides a management and audit trail for user and administrative sessions through RADIUS and TACACS+.
Remediation
Configure AAA accounting for network service requests.
hostname(config)# aaa accounting network {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
Impact:
Implementing aaa accounting network creates accounting records for a method list including ARA, PPP, SLIP, and NCP sessions. Organizations should regularly monitor these records for exceptions, remediate issues, and report findings.
4.2.1.1.11 Set 'aaa accounting system'
Table 184: Device Results (1.1.11)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Performs accounting for all system-level events not associated with users, such as reloads.
Rationale
Authentication, authorization and accounting (AAA) systems provide an authoritative source for managing and monitoring access for devices. Centralizing control improves consistency of access control, the services that may be accessed once authenticated and accountability by tracking services accessed. Additionally, centralizing access control simplifies and reduces administrative costs of account provisioning and de-provisioning, especially when managing a large number of devices. AAA Accounting provides a management and audit trail for user and administrative sessions through RADIUS and TACACS+.
Remediation
Configure AAA accounting for system events.
hostname(config)# aaa accounting system {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
Impact:
Enabling aaa accounting system creates accounting records for all system-level events. Organizations should regularly monitor these records for exceptions, remediate issues, and report findings regularly.
4.2.1.2 Access Rules
Rules in the access class enforce controls for device administrative connections.
4.2.1.2.1 Set 'privilege 1' for local users
Table 185: Device Results (1.2.1)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
Sets the privilege level for the user.
Rationale
Default device configuration does not require strong user authentication, potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with privilege level 1 permissions only allows the local user to access the device with EXEC-level permissions; the user will be unable to modify the device without using the enable password. In addition, require the use of an encrypted password as well (see Section 1.1.4.4 - Require Encrypted User Passwords).
Remediation
Set the local user to privilege level 1.
hostname(config)# username <LOCAL_USERNAME> privilege 1
Impact:
Organizations should create policies requiring all local accounts with 'privilege level 1' with encrypted passwords to reduce the risk of unauthorized access. Default configuration settings do not provide strong user authentication to the device.
4.2.1.2.2 Set 'transport input ssh' for 'line vty' connections
Table 186: Device Results (1.2.2)
Device Result
router03 IOS 12.3 Pass
CiscoIOS15 IOS 15.0 Fail
Description
Selects the Secure Shell (SSH) protocol.
Rationale
Configuring VTY access control restricts remote access to only those authorized to manage the device and prevents unauthorized users from accessing the system.
Remediation
Apply SSH to transport input on all VTY management lines.
hostname(config)# line vty <line-number> <ending-line-number>
hostname(config-line)# transport input ssh
Impact:
To reduce the risk of unauthorized access, organizations should require all VTY management line protocols to be limited to ssh.
4.2.1.2.3 Set 'no exec' for 'line aux 0'
Table 187: Device Results (1.2.3)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
The 'no exec' command restricts a line to outgoing connections only.
Rationale
Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device; even when remote, backup administration is required via console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used for dial-up administration via an external modem; instead, use other available methods.
Remediation
Disable the EXEC process on the auxiliary port.
hostname(config)# line aux 0
hostname(config-line)# no exec
Impact:
Organizations can reduce the risk of unauthorized access by disabling the 'aux' port with the 'no exec' command. Conversely, not restricting access through the 'aux' port increases the risk of remote unauthorized access.
4.2.1.2.4 Create 'access-list' for use with 'line vty'
Table 188: Device Results (1.2.4)
Device Result
router03 IOS 12.3 Pass
CiscoIOS15 IOS 15.0 Pass
Description
Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Rationale
VTY ACLs control what addresses may attempt to log in to the router. Configuring VTY lines to use an ACL restricts the sources from which a user can manage the device. You should limit the specific host(s) and/or network(s) authorized to connect to and configure the device, via an approved protocol, to those individuals or systems authorized to administer the device. For example, you could limit access to specific hosts, so that only network managers can configure the devices, and only by using specific network management workstations. Make sure you configure all VTY lines to use the same ACL.
Remediation
Configure the VTY ACL that will be used to restrict management access to the device. The final deny entry belongs to the same numbered access list as the permit entries and logs every rejected attempt.
hostname(config)# access-list <vty_acl_number> permit tcp <vty_acl_block_with_mask> any
hostname(config)# access-list <vty_acl_number> permit tcp host <vty_acl_host> any
hostname(config)# access-list <vty_acl_number> deny ip any any log
Impact:
Organizations can reduce the risk of unauthorized access by implementing access-lists for all VTY lines. Conversely, using VTY lines without access-lists increases the risk of unauthorized access.
4.2.1.2.5 Set 'access-class' for 'line vty'
Table 189: Device Results (1.2.5)
Device Result
router03 IOS 12.3 Pass
CiscoIOS15 IOS 15.0 Pass
Description
The 'access-class' setting restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the networking devices associated with addresses in an access list.
Rationale
Restricting the type of network devices, associated with the addresses on the access-list, further restricts remote access to those devices authorized to manage the device and reduces the risk of unauthorized access.
Remediation
Configure remote management access control restrictions for all VTY lines.
hostname(config)# line vty <line-number> <ending-line-number>
hostname(config-line)# access-class <vty_acl_number> in
Impact:
Applying 'access-class' to line VTY further restricts remote access to only those devices authorized to manage the device and reduces the risk of unauthorized access. Conversely, using VTY lines without 'access-class' restrictions increases the risk of unauthorized access.
4.2.1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'
Table 190: Device Results (1.2.6)
Device Result
router03 IOS 12.3 Pass
CiscoIOS15 IOS 15.0 Pass
Description
If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale
This prevents unauthorized users from misusing abandoned sessions. For example, if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.
Remediation
Configure the device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)# line aux 0
hostname(config-line)# exec-timeout <timeout_in_minutes> <timeout_in_seconds>
Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length of minutes or seconds prevents unauthorized access of abandoned sessions.
4.2.1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes for 'line console 0'
Table 191: Device Results (1.2.7)
Device Result
router03 IOS 12.3 Pass
CiscoIOS15 IOS 15.0 Pass
Description
If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale
This prevents unauthorized users from misusing abandoned sessions. For example, if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.
Remediation
Configure the device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)# line con 0
hostname(config-line)# exec-timeout <timeout_in_minutes> <timeout_in_seconds>
Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length reduces the risk of unauthorized access of abandoned sessions.
4.2.1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes for 'line tty'
Table 192: Device Results (1.2.8)
Device Result
router03 IOS 12.3 Pass
CiscoIOS15 IOS 15.0 Pass
Description
If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale
This prevents unauthorized users from misusing abandoned sessions. For example, if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.
Remediation
Configure the device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)# line tty {line_number} [ending_line_number]
hostname(config-line)# exec-timeout <timeout_in_minutes> <timeout_in_seconds>
Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length reduces the risks of unauthorized access of abandoned sessions.
4.2.1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes for 'line vty'
Table 193: Device Results (1.2.9)
Device Result
router03 IOS 12.3 Pass
CiscoIOS15 IOS 15.0 Pass
Description
If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale
This prevents unauthorized users from misusing abandoned sessions. For example, if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.
Remediation
Configure the device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)# line vty {line_number} [ending_line_number]
hostname(config-line)# exec-timeout <timeout_in_minutes> <timeout_in_seconds>
Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling 'exec-timeout' with an appropriate length of minutes or seconds prevents unauthorized access of abandoned sessions.
4.2.1.2.10 Set 'transport input none' for 'line aux 0'
Table 194: Device Results (1.2.10)
Device Result
router03 IOS 12.3 Pass
CiscoIOS15 IOS 15.0 Pass
Description
When you want to allow only an outgoing connection on a line, use the no exec command.
Rationale
Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device; even when remote, backup administration is required via console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used for dial-up administration via an external modem; instead, use other available methods.
Remediation
Disable the inbound connections on the auxiliary port.
hostname(config)# line aux 0
hostname(config-line)# transport input none
Impact:
Organizations should prevent all unauthorized access of auxiliary ports by disabling all protocols using the 'transport input none' command.
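The management-plane checks of sections 4.2.1.1 and 4.2.1.2 (AAA enabled with a local fallback in the login method list, SSH-only VTY transport, an access-class bound to an existing ACL on every VTY range, a disabled auxiliary port, and an idle timeout of at most 10 minutes on every line) can likewise be evaluated from a saved running-config. The script below is an added example, not Nipper Studio output or Cisco code; its sample configuration is constructed and the check names are this script's own. Two timeout edge cases are handled explicitly: 'exec-timeout 0 0' disables the timeout altogether and must fail the check even though both numbers are small, and a line with no exec-timeout at all inherits the IOS default of 10 minutes, which passes.

```python
"""Management-plane audit of a Cisco IOS running-config: the AAA and line
rules of sections 4.2.1.1 and 4.2.1.2. Added example (not Nipper Studio or
Cisco code); SAMPLE_CONFIG is constructed and check names are this script's own."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default start-stop group tacacs+
access-list 199 permit tcp 192.0.2.0 0.0.0.255 any
access-list 199 deny ip any any log
line con 0
 exec-timeout 5 0
 login authentication default
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class 199 in
 exec-timeout 0 0
 transport input ssh
line vty 5 15
 exec-timeout 10 30
 transport input telnet ssh
"""

# A 'line ...' header followed by its indented body lines.
LINE_STANZA = re.compile(r"^(line [^\n]+)\n((?: [^\n]*\n?)*)", re.M)
DEFAULT_EXEC_TIMEOUT = 600  # IOS default (10 minutes) when exec-timeout is absent


def line_stanzas(config: str) -> List[Tuple[str, List[str]]]:
    """(header, stripped body lines) for every line stanza in the config."""
    return [(m.group(1).strip(),
             [ln.strip() for ln in m.group(2).splitlines() if ln.strip()])
            for m in LINE_STANZA.finditer(config)]


def exec_timeout_seconds(body: List[str]) -> Optional[int]:
    """Effective idle timeout in seconds. None means 'never': that is what
    'exec-timeout 0 0' configures, and it must fail the 10-minute check."""
    for ln in body:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", ln)
        if m:
            secs = int(m.group(1)) * 60 + int(m.group(2) or 0)
            return None if secs == 0 else secs
    return DEFAULT_EXEC_TIMEOUT


def audit_management_plane(config: str) -> Dict[str, str]:
    """Pass/Fail per check, in the spirit of the report's Device Results tables."""
    res: Dict[str, str] = {}
    glob = [ln.strip() for ln in config.splitlines() if ln and not ln.startswith(" ")]
    acls = {ln.split()[1] for ln in glob if ln.startswith("access-list ")}
    stanzas = line_stanzas(config)
    vtys = [b for h, b in stanzas if h.startswith("line vty")]
    auxs = [b for h, b in stanzas if h.startswith("line aux")]

    # 1.1.1 / 1.1.2: AAA on, and the login method list ends with 'local' so the
    # console still works when every TACACS+/RADIUS server is unreachable.
    res["aaa new-model"] = "Pass" if "aaa new-model" in glob else "Fail"
    login = [ln for ln in glob if ln.startswith("aaa authentication login default ")]
    res["aaa authentication login (local fallback)"] = (
        "Pass" if login and login[0].split()[-1] == "local" else "Fail")

    # 1.2.2 / 1.2.4 / 1.2.5: every VTY range is SSH-only and bound to an ACL that exists.
    res["vty transport input ssh"] = "Pass" if vtys and all(
        "transport input ssh" in b for b in vtys) else "Fail"
    res["vty access-class"] = "Pass" if vtys and all(
        any(re.match(r"access-class (\S+) in$", ln) and ln.split()[1] in acls for ln in b)
        for b in vtys) else "Fail"

    # 1.2.3 / 1.2.10: the auxiliary port neither runs EXEC nor accepts input.
    res["aux no exec"] = "Pass" if all("no exec" in b for b in auxs) else "Fail"
    res["aux transport input none"] = "Pass" if all(
        "transport input none" in b for b in auxs) else "Fail"

    # 1.2.6 - 1.2.9: idle timeout of at most 10 minutes on every line type.
    for header, body in stanzas:
        secs = exec_timeout_seconds(body)
        res[f"exec-timeout <= 10 min ({header})"] = (
            "Pass" if secs is not None and secs <= 600 else "Fail")
    return res


if __name__ == "__main__":
    for check, result in audit_management_plane(SAMPLE_CONFIG).items():
        print(f"{check:45} {result}")
```

On the constructed sample the second VTY range ('line vty 5 15') fails three checks at once: it still accepts telnet, it has no access-class, and its 10 minute 30 second timeout exceeds the limit, while 'line vty 0 4' fails only because 'exec-timeout 0 0' never expires. That mirrors a frequent real-world pattern in which the first VTY range is hardened and the remaining lines are forgotten, which is why the report's remediation text repeats that the configuration must be set individually for all line types.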
4.2.1.3 Banner Rules
Rules in the banner class communicate legal rights to users.
4.2.1.3.1 Set the 'banner-text' for 'banner exec'
Table 195: Device Results (1.3.1)
Device Result
router03 IOS 12.3 Fail
CiscoIOS15 IOS 15.0 Pass
Description
This command specifies a message to be displayed when an EXEC process is created (a line is activated, or an incoming connection is made to a vty). Follow this command with one or more blank spaces and a delimiting character of your choice. Then enter one or more lines of text, terminating the message with the second occurrence of the delimiting character.
When a user connects to a router, the message-of-the-day (MOTD) banner appears first, followed by the login banner and prompts. After the user logs in to the router, the EXEC banner or incoming banner will be displayed, depending on the type of connection. For a reverse Telnet login, the incoming banner will be displayed. For all other connections, the router will display the EXEC banner.
Rationale
"Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions.
First, banners may be used to generate consent to real-time monitoring under Title III; Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA; Third, in the case of government networks, banners may eliminate any Fourth Amendment "reasonable expectation of privacy" that government employees or other users might otherwise retain in their use of the government's network under O'Connor v. Ortega, 480 U.S. 709 (1987); Fourth, in the case of a non-government network, banners may establish a system administrator's "common authority" to consent to a law enforcement search pursuant to United States v. Matlock, 415 U.S. 164 (1974)." (US Department of Justice APPENDIX A: Sample Network Banner Language).
Remediation
Configure the EXEC banner presented to a user when accessing the device's enable prompt.
hostname(config)# banner exec c
Enter TEXT message. End with the character 'c'.
<banner-text>
c
Impact:
Organizations provide appropriate legal notice(s) and warning(s) to persons accessing their networks by using a 'banner-text' for the banner exec command.
4.2.1.3.2Setthe'banner-text'for'bannerlogin'
Table196:DeviceResults(1.3.2)
Device Result
router03IOS12.3 Pass
CiscoIOS15IOS15.0 Pass
Description
Followthebannerlogincommandwithoneormoreblankspacesandadelimitingcharacterofyourchoice.Thenenteroneormorelinesoftext,terminatingthemessagewiththesecondoccurrenceofthedelimitingcharacter.
Whenauserconnectstotherouter,themessage-of-the-day(MOTD)banner(ifconfigured)appearsfirst,followedbytheloginbannerandprompts.Aftertheusersuccessfullylogsintotherouter,theEXECbannerorincomingbannerwillbedisplayed,dependingonthetypeofconnection.ForareverseTelnetlogin,theincomingbannerwillbedisplayed.Forallotherconnections,therouterwilldisplaytheEXECbanner.
Rationale
"Networkbannersareelectronicmessagesthatprovidenoticeoflegalrightstousersofcomputernetworks.Fromalegalstandpoint,bannershavefourprimaryfunctions.
First,bannersmaybeusedtogenerateconsenttoreal-timemonitoringunderTitleIII;Second,bannersmaybeusedtogenerateconsenttotheretrievalofstoredfilesandrecordspursuanttoECPA;Third,inthecaseofgovernmentnetworks,bannersmayeliminateanyFourthAmendment"reasonableexpectationofprivacy"thatgovernmentemployeesorotherusersmightotherwiseretainintheiruseofthegovernment'snetworkunderO'Connorv.Ortega,480U.S.709(1987);Fourth,inthecaseofanon-governmentnetwork,bannersmayestablishasystemadministrator's"commonauthority"toconsenttoalawenforcementsearchpursuanttoUnitedStatesv.Matlock,415U.S.164(1974)."(USDepartmentofJusticeAPPENDIXA:SampleNetworkBannerLanguage).
Remediation
Configurethedevicesoaloginbannerpresentedtoauserattemptingtoaccessthedevice.
hostname(config)#bannerloginc
EnterTEXTmessage.Endwiththecharacter'c'.
<banner-text>
c
Impact:
Organizationsprovideappropriatelegalnotice(s)andwarning(s)topersonsaccessingtheirnetworksbyusinga'banner-text'forthebannerlogincommand.
4.2.1.3.3Setthe'banner-text'for'bannermotd'
Table197:DeviceResults(1.3.3)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
ThisMOTDbannerisdisplayedtoallterminalsconnectedandisusefulforsendingmessagesthataffectallusers(suchasimpendingsystemshutdowns).Usethenoexec-bannerornomotd-bannercommandtodisabletheMOTDbanneronaline.Thenoexec-bannercommandalsodisablestheEXECbannerontheline.
Whenauserconnectstotherouter,theMOTDbannerappearsbeforetheloginprompt.Aftertheuserlogsintotherouter,theEXECbannerorincomingbannerwillbedisplayed,dependingonthetypeofconnection.ForareverseTelnetlogin,theincomingbannerwillbedisplayed.Forallotherconnections,therouterwilldisplaytheEXECbanner.
Rationale
"Networkbannersareelectronicmessagesthatprovidenoticeoflegalrightstousersofcomputernetworks.Fromalegalstandpoint,bannershavefourprimaryfunctions.
First,bannersmaybeusedtogenerateconsenttoreal-timemonitoringunderTitleIII;Second,bannersmaybeusedtogenerateconsenttotheretrievalofstoredfilesandrecordspursuanttoECPA;Third,inthecaseofgovernmentnetworks,bannersmayeliminateanyFourthAmendment"reasonableexpectationofprivacy"thatgovernmentemployeesor
otherusersmightotherwiseretainintheiruseofthegovernment'snetworkunderO'Connorv.Ortega,480U.S.709(1987);Fourth,inthecaseofanon-governmentnetwork,bannersmayestablishasystemadministrator's"commonauthority"toconsenttoalawenforcementsearchpursuanttoUnitedStatesv.Matlock,415U.S.164(1974)."(USDepartmentofJusticeAPPENDIXA:SampleNetworkBannerLanguage).
Remediation
Configurethemessageoftheday(MOTD)bannerpresentedwhenauserfirstconnectstothedevice.
hostname(config)#bannermotdc
EnterTEXTmessage.Endwiththecharacter'c'.
<banner-text>
c
Impact:
Organizationsprovideappropriatelegalnotice(s)andwarning(s)topersonsaccessingtheirnetworksbyusinga'banner-text'forthebannermotdcommand.
4.2.1.4 Password Rules
Rules in the password class enforce secure, local device authentication credentials.
4.2.1.4.1 Set 'password' for 'enable secret'
Table 198: Device Results (1.4.1)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Use the enable secret command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a nonreversible cryptographic function. The added layer of security that encryption provides is useful in environments where the password crosses the network or is stored on a TFTP server.
Rationale
Requiring the enable secret setting protects privileged EXEC mode. By default, a strong password is not required; a user can just press the Enter key at the Password prompt to start privileged mode. The enable password command causes the device to enforce use of a password to access privileged mode. Enable secrets use a one-way cryptographic hash (MD5). This is preferred to Level 7 enable passwords that use a weak, well-known, and easily reversible encryption algorithm.
Remediation
Configure a strong enable secret password.
hostname(config)#enable secret <ENABLE_SECRET_PASSWORD>
Impact:
Organizations should protect privileged EXEC mode through policies requiring the 'enable secret' setting, which enforces a one-way cryptographic hash (MD5).
4.2.1.4.2 Enable 'service password-encryption'
Table 199: Device Results (1.4.2)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered.
Rationale
This requires passwords to be encrypted in the configuration file to prevent unauthorized users from learning the passwords just by reading the configuration. When not enabled, many of the device's passwords will be rendered in plain text in the configuration file. This service ensures passwords are rendered as encrypted strings, preventing an attacker from easily determining the configured value.
Remediation
Enable the password encryption service to protect sensitive access passwords in the device configuration.
hostname(config)#service password-encryption
Impact:
Organizations implementing 'service password-encryption' reduce the risk of unauthorized users learning clear text passwords from Cisco IOS configuration files. However, the algorithm used is not designed to withstand serious analysis and should be treated like clear-text.
4.2.1.4.3 Set 'username secret' for all local users
Table 200: Device Results (1.4.3)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Fail
Description
Use the username secret command to configure a username and MD5-encrypted user password. MD5 encryption is a strong encryption method that is not retrievable; thus, you cannot use MD5 encryption with protocols that require clear-text passwords, such as Challenge Handshake Authentication Protocol (CHAP).
The username secret command provides an additional layer of security over the username password. It also provides better security by encrypting the password using nonreversible MD5 encryption and storing the encrypted text. The added layer of MD5 encryption is useful in environments in which the password crosses the network or is stored on a TFTP server.
Rationale
Default device configuration does not require strong user authentication, potentially enabling unfettered access to an attacker that is able to reach the device. Creating a local account with an encrypted password enforces login authentication and provides a fallback authentication mechanism for configuration in a named method list in a situation where centralized authentication, authorization, and accounting services are unavailable.
Remediation
Create a local user with an encrypted, complex (not easily guessed) password.
hostname(config)#username <LOCAL_USERNAME> secret <LOCAL_PASSWORD>
Impact:
Organizations implementing 'username secret' across their enterprise reduce the risk of unauthorized users gaining access to Cisco IOS devices by applying an MD5 hash and encrypting user passwords.
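The three password rules above can be checked offline against a saved running-config rather than by reading it by eye. The following Python script is an added example, not part of the Nipper Studio report or of Cisco's tooling; the two configuration excerpts it contains are constructed for illustration (the hash values are placeholders, not real digests) and are not taken from the audited routers. It distinguishes 'enable secret'/'username ... secret' (one-way hash) from 'enable password'/'username ... password' (type 0 plain text or type 7 obfuscation, which the Impact statement says to treat like clear-text), and reports a Pass/Fail verdict per rule in the same form as the Device Results tables.

```python
import re

# Constructed running-config excerpt for illustration (not the audited devices' config).
WEAK_CONFIG = """\
hostname router03
enable password 7 094F471A1A0A
username admin password 0 Admin123
username backup secret 5 $1$abcd$EXAMPLEHASHVALUE0000000000
line vty 0 4
 transport input ssh
"""

# The same excerpt after applying the three remediations from 1.4.1 to 1.4.3.
HARDENED_CONFIG = """\
hostname router03
service password-encryption
enable secret 5 $1$efgh$EXAMPLEHASHVALUE1111111111
username admin secret 5 $1$ijkl$EXAMPLEHASHVALUE2222222222
username backup secret 5 $1$abcd$EXAMPLEHASHVALUE0000000000
line vty 0 4
 transport input ssh
"""

# username <name> [privilege N] (password|secret) ...
USER_RE = re.compile(r"^username (\S+)(?: privilege \d+)? (password|secret)\b")


def check_password_rules(config):
    """Evaluate CIS 1.4.1 to 1.4.3 over a running-config text.

    Returns {rule: 'Pass' | 'Fail'}, mirroring the Device Results tables.
    """
    lines = [ln.strip() for ln in config.splitlines()]
    results = {}

    # 1.4.1: privileged EXEC must be protected by 'enable secret'; an
    # 'enable password' line on its own does not satisfy the rule.
    results["1.4.1 enable secret"] = (
        "Pass" if any(ln.startswith("enable secret ") for ln in lines) else "Fail")

    # 1.4.2: the global service line must be present.
    results["1.4.2 service password-encryption"] = (
        "Pass" if "service password-encryption" in lines else "Fail")

    # 1.4.3: every local account must use 'secret' (one-way hash), not 'password'.
    bad_users = [m.group(1) for m in map(USER_RE.match, lines)
                 if m and m.group(2) == "password"]
    results["1.4.3 username secret"] = "Pass" if not bad_users else "Fail"
    return results


def reversible_credentials(config):
    """List (config line, storage type) for credentials stored reversibly.

    Type 0 is plain text; type 7 is the 'service password-encryption'
    obfuscation the report says to treat like clear-text. Lines using
    'secret' (type 5 hash) are not reported.
    """
    found = []
    for ln in (x.strip() for x in config.splitlines()):
        m = re.match(r"^(?:enable password|username \S+(?: privilege \d+)? password) (.+)$", ln)
        if not m:
            continue
        rest = m.group(1).split()
        # A leading 0 or 7 is the storage type; no indicator means type 0.
        kind = rest[0] if rest[0] in ("0", "7") and len(rest) > 1 else "0"
        found.append((ln, kind))
    return found


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_password_rules(cfg))
        for line, kind in reversible_credentials(cfg):
            print(f"  type {kind}: {line}")
```

Run it against the output of 'show running-config' saved to a file; the weak excerpt fails all three rules and lists both reversible credentials, the hardened excerpt passes all three and lists none.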
4.2.1.5 SNMP Rules
Simple Network Management Protocol (SNMP) provides a standards-based interface to manage and monitor network devices. This section provides guidance on the secure configuration of SNMP parameters.
The recommendations in this section apply to organizations using SNMP. Organizations using SNMP should review and implement the recommendations in this section.
4.2.1.5.1 Set 'no snmp-server' to disable SNMP when unused
Table 201: Device Results (1.5.1)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
If not in use, disable simple network management protocol (SNMP) read and write access.
Rationale
SNMP read access allows remote monitoring and management of the device.
Remediation
Disable SNMP read and write access if it is not in use to monitor and/or manage the device.
hostname(config)#no snmp-server
Impact:
Organizations not using SNMP should require all SNMP services to be disabled by running the 'no snmp-server' command.
4.2.1.5.2 Unset 'private' for 'snmp-server community'
Table 202: Device Results (1.5.2)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
An SNMP community string permits read-only access to all objects.
Rationale
The default community string "private" is well known. Using an easy to guess, well known community string poses a threat that an attacker can effortlessly gain unauthorized access to the device.
Remediation
Disable the default SNMP community string "private".
hostname(config)#no snmp-server community {private}
Impact:
To reduce the risk of unauthorized access, organizations should disable default, easy to guess settings such as the 'private' setting for snmp-server community.
4.2.1.5.3 Unset 'public' for 'snmp-server community'
Table 203: Device Results (1.5.3)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
An SNMP community string permits read-only access to all objects.
Rationale
The default community string "public" is well known. Using an easy to guess, well known community string poses a threat that an attacker can effortlessly gain unauthorized access to the device.
Remediation
Disable the default SNMP community string "public".
hostname(config)#no snmp-server community {public}
Impact:
To reduce the risk of unauthorized access, organizations should disable default, easy to guess settings such as the 'public' setting for snmp-server community.
4.2.1.5.4 Do not set 'RW' for any 'snmp-server community'
Table 204: Device Results (1.5.4)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Specifies read-write access. Authorized management stations can both retrieve and modify MIB objects.
Rationale
Enabling SNMP read-write enables remote management of the device. Unless absolutely necessary, do not allow simple network management protocol (SNMP) write access.
Remediation
Disable SNMP write access.
hostname(config)#no snmp-server community {write_community_string}
Impact:
To reduce the risk of unauthorized access, organizations should disable the SNMP 'write' access for snmp-server community.
4.2.1.5.5 Set the ACL for each 'snmp-server community'
Table 205: Device Results (1.5.5)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
This feature specifies a list of IP addresses that are allowed to use the community string to gain access to the SNMP agent.
Rationale
If ACLs are not applied, then anyone with a valid SNMP community string can potentially monitor and manage the router. An ACL should be defined and applied for all SNMP access to limit access to a small number of authorized management stations segmented in a trusted management zone. If possible, use SNMPv3, which uses authentication, authorization, and data privatization (encryption).
Remediation
Configure an authorized SNMP community string and restrict access to authorized management systems.
hostname(config)#snmp-server community <community_string> ro {snmp_access-list_number | snmp_access-list_name}
Impact:
To reduce the risk of unauthorized access, organizations should enable access control lists for all snmp-server communities and restrict the access to appropriate trusted management zones. If possible, implement SNMPv3 to apply authentication, authorization, and data privatization (encryption) for additional benefits to the organization.
4.2.1.5.6 Create an 'access-list' for use with SNMP
Table 206: Device Results (1.5.6)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
You can use access lists to control the transmission of packets on an interface, control Simple Network Management Protocol (SNMP) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Rationale
SNMP ACLs control what addresses are authorized to manage and monitor the device via SNMP. If ACLs are not applied, then anyone with a valid SNMP community string may monitor and manage the router. An ACL should be defined and applied for all SNMP community strings to limit access to a small number of authorized management stations segmented in a trusted management zone.
Remediation
Configure an SNMP ACL restricting access to the device to authorized management stations segmented in a trusted management zone. Both entries belong to the same numbered list, so the explicit logged deny carries the same <snmp_acl_number> as the permit.
hostname(config)#access-list <snmp_acl_number> permit <snmp_access-list>
hostname(config)#access-list <snmp_acl_number> deny any log
4.2.1.5.7 Set 'snmp-server host' when using SNMP
Table 207: Device Results (1.5.7)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
SNMP notifications can be sent as traps to authorized management systems.
Rationale
If SNMP is enabled for device management and device alerts are required, then ensure the device is configured to submit traps only to authorized management systems.
Remediation
Configure an authorized SNMP trap community string and restrict sending messages to authorized management systems.
hostname(config)#snmp-server host {ip_address} {trap_community_string} snmp
Impact:
Organizations using SNMP should restrict sending SNMP messages only to explicitly named systems to reduce unauthorized access.
4.2.1.5.8 Set 'snmp-server enable traps snmp'
Table 208: Device Results (1.5.8)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
SNMP notifications can be sent as traps to authorized management systems.
Rationale
SNMP has the ability to submit traps.
Remediation
Enable SNMP traps.
hostname(config)#snmp-server enable traps snmp authentication linkup linkdown coldstart
Impact:
Organizations using SNMP should restrict trap types only to explicitly named traps to reduce unintended traffic. Enabling SNMP traps without specifying a trap type will enable all SNMP trap types.
4.2.1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3
Table 209: Device Results (1.5.9)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
Specifies authentication of a packet with encryption when using SNMPv3.
Rationale
SNMPv3 provides much improved security over previous versions by offering options for authentication and encryption of messages. When configuring a user for SNMPv3 you have the option of using a range of encryption schemes, or no encryption at all, to protect messages in transit. AES128 is the minimum strength encryption method that should be deployed.
Remediation
For each SNMPv3 group created on your router, add privacy options by issuing the following command.
hostname(config)#snmp-server group {group_name} v3 priv
Impact:
Organizations using SNMP can significantly reduce the risks of unauthorized access by using the 'snmp-server group v3 priv' setting to encrypt messages in transit.
4.2.1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3
Table 210: Device Results (1.5.10)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
Specify the use of a minimum of the 128-bit AES algorithm for encryption when using SNMPv3.
Rationale
SNMPv3 provides much improved security over previous versions by offering options for authentication and encryption of messages. When configuring a user for SNMPv3 you have the option of using a range of encryption schemes, or no encryption at all, to protect messages in transit. AES128 is the minimum strength encryption method that should be deployed.
Remediation
For each SNMPv3 user created on your router, add privacy options by issuing the following command.
hostname(config)#snmp-server user {user_name} {group_name} v3 encrypted auth sha {auth_password} priv aes 128 {priv_password} {acl_name_or_number}
Impact:
Organizations using SNMP can significantly reduce the risks of unauthorized access by using the 'snmp-server user' setting with appropriate authentication and privacy protocols to encrypt messages in transit.
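The SNMP rules 1.5.2 to 1.5.10 all reduce to questions about a handful of 'snmp-server' and 'access-list' lines, so they can be evaluated together from a saved running-config. The following Python script is an added example, not part of the Nipper Studio report or of any Cisco tool; its configuration excerpt is constructed (community strings, addresses and passphrases are placeholders, not values from the audited routers). It parses each community line into (string, RO/RW, ACL), cross-checks that every referenced ACL exists and ends with the logged deny from 1.5.6, and then inspects the SNMPv3 group and user lines for 'priv' and AES.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt (not the audited routers' configuration).
SAMPLE_SNMP_CONFIG = """\
snmp-server community public RO
snmp-server community n3tm0n RO 10
snmp-server community legacy RW
snmp-server group NETOPS v3 auth
snmp-server user nms NETOPS v3 auth sha AuthPass1 priv des PrivPass1
snmp-server host 192.0.2.20 trapstring snmp
snmp-server enable traps snmp authentication linkdown linkup coldstart
access-list 10 permit 192.0.2.10
access-list 10 deny any log
"""

# snmp-server community <string> [view <name>] [RO|RW] [ipv6 <acl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: ipv6 \S+)?(?: (\S+))?$")


def parse_communities(config):
    """Return [(community, 'RO'|'RW', acl or None)] for every community line."""
    out = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2) or "RO", m.group(3)))
    return out


def parse_acls(config):
    """Map ACL number or name -> ordered entries (numbered and named ACLs)."""
    acls = defaultdict(list)
    current = None
    for raw in config.splitlines():
        m = re.match(r"^access-list (\S+) (.+)$", raw)
        if m:
            acls[m.group(1)].append(m.group(2))
            continue
        m = re.match(r"^ip access-list (?:standard|extended) (\S+)$", raw)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        if current and raw.startswith(" "):
            acls[current].append(raw.strip())
        else:
            current = None
    return dict(acls)


def check_snmp_rules(config):
    """Evaluate CIS 1.5.2 to 1.5.10; returns {rule: 'Pass'|'Fail'|'Manual'}."""
    lines = [ln.strip() for ln in config.splitlines()]
    comms = parse_communities(config)
    acls = parse_acls(config)
    names = {c for c, _, _ in comms}
    r = {}
    r["1.5.2 no 'private' community"] = "Fail" if "private" in names else "Pass"
    r["1.5.3 no 'public' community"] = "Fail" if "public" in names else "Pass"
    r["1.5.4 no RW community"] = "Fail" if any(mode == "RW" for _, mode, _ in comms) else "Pass"
    r["1.5.5 ACL on every community"] = "Fail" if any(acl is None for _, _, acl in comms) else "Pass"
    # 1.5.6: each referenced ACL must exist and end with an explicit logged deny.
    acl_ok = all(
        acls.get(acl) and re.search(r"\bdeny any log$", acls[acl][-1])
        for _, _, acl in comms if acl is not None)
    r["1.5.6 SNMP ACL ends with 'deny any log'"] = "Pass" if acl_ok else "Fail"
    r["1.5.7 snmp-server host"] = (
        "Pass" if any(ln.startswith("snmp-server host ") for ln in lines) else "Fail")
    r["1.5.8 snmp-server enable traps snmp"] = (
        "Pass" if any(ln.startswith("snmp-server enable traps snmp") for ln in lines) else "Fail")
    # 1.5.9 / 1.5.10: v3 groups need 'priv'; v3 users need AES with a 128-bit or longer key.
    groups = re.findall(r"^snmp-server group \S+ v3 (noauth|auth|priv)\b", config, re.M)
    r["1.5.9 v3 groups use priv"] = ("Manual" if not groups else
                                     "Pass" if all(g == "priv" for g in groups) else "Fail")
    users = [ln for ln in lines if ln.startswith("snmp-server user ")]
    strong = [bool(re.search(r"\bpriv aes (128|192|256)\b", ln)) for ln in users]
    r["1.5.10 v3 users use aes 128+"] = ("Manual" if not users else
                                         "Pass" if all(strong) else "Fail")
    return r


if __name__ == "__main__":
    for rule, verdict in check_snmp_rules(SAMPLE_SNMP_CONFIG).items():
        print(f"{verdict:7} {rule}")
```

In the constructed excerpt the 'public' and 'legacy' communities have no ACL and 'legacy' is read-write, so 1.5.3, 1.5.4 and 1.5.5 fail; the one ACL that is referenced ends with 'deny any log', so 1.5.6 passes; the v3 group is 'auth' rather than 'priv' and the v3 user uses DES, so 1.5.9 and 1.5.10 fail.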
4.2.2 Control Plane
The control plane covers monitoring, route table updates, and generally the dynamic operation of the router: services, settings, and data streams that support and document the operation, traffic handling, and dynamic status of the router. Examples of control plane services include logging (e.g. Syslog), routing protocols, status protocols like CDP and HSRP, network topology protocols like STP, and traffic security control protocols like IKE. Network control protocols like ICMP, NTP, ARP, and IGMP directed to or sent by the router itself also fall into this area.
4.2.2.1 Global Service Rules
Rules in the global service class enforce server and service controls that protect against attacks or expose the device to exploitation.
4.2.2.1.1 Setup SSH
Ensure use of SSH remote console sessions to Cisco routers.
4.2.2.1.1.1 Configure Prerequisites for the SSH Service
4.2.2.1.1.1.1 Set the 'hostname'
Table 211: Device Results (2.1.1.1.1)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
The hostname is used in prompts and default configuration filenames.
Rationale
The domain name is a prerequisite for setting up SSH.
Remediation
Configure an appropriate host name for the router.
hostname(config)#hostname {router_name}
Impact:
Organizations should plan the enterprise network and identify an appropriate host name for each router.
4.2.2.1.1.1.2 Set the 'ip domain name'
Table 212: Device Results (2.1.1.1.2)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Define a default domain name that the Cisco IOS software uses to complete unqualified host names.
Rationale
The domain name is a prerequisite for setting up SSH.
Remediation
Configure an appropriate domain name for the router.
hostname(config)#ip domain name {domain-name}
Impact:
Organizations should plan the enterprise network and identify an appropriate domain name for the router.
4.2.2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'
Table 213: Device Results (2.1.1.1.3)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
Use this command to generate RSA key pairs for your Cisco device.
RSA keys are generated in pairs: one public RSA key and one private RSA key.
Rationale
An RSA key pair is a prerequisite for setting up SSH and should be at least 2048 bits.
NOTE: IOS does NOT display the modulus bit value in the Audit Procedure.
Remediation
Generate an RSA key pair for the router.
hostname(config)#crypto key generate rsa general-keys modulus 2048
Impact:
Organizations should plan and implement enterprise network cryptography and generate appropriate RSA key pairs with a 'modulus' greater than or equal to 2048.
4.2.2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'
Table 214: Device Results (2.1.1.1.4)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
The time interval that the router waits for the SSH client to respond before disconnecting an uncompleted login attempt.
Rationale
This reduces the risk of an administrator leaving an authenticated session logged in for an extended period of time.
Remediation
Configure the SSH timeout.
hostname(config)#ip ssh time-out [60]
Impact:
Organizations should implement a security policy requiring minimum timeout settings for all network administrators and enforce the policy through the 'ip ssh timeout' command.
4.2.2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries'
Table 215: Device Results (2.1.1.1.5)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
The number of retries before the SSH login session disconnects.
Rationale
This limits the number of times an unauthorized user can attempt a password without having to establish a new SSH login attempt. This reduces the potential for success during online brute force attacks by limiting the number of login attempts per SSH connection.
Remediation
Configure the SSH authentication retry limit:
hostname(config)#ip ssh authentication-retries [3]
Impact:
Organizations should implement a security policy limiting the number of authentication attempts for network administrators and enforce the policy through the 'ip ssh authentication-retries' command.
4.2.2.1.1.2 Set version 2 for 'ip ssh version'
Table 216: Device Results (2.1.1.2)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Specify the version of Secure Shell (SSH) to be run on a router.
Rationale
SSH Version 1 has been subject to a number of serious vulnerabilities and is no longer considered to be a secure protocol, resulting in the adoption of SSH Version 2 as an Internet Standard in 2006.
Cisco routers support both versions, but due to the weakness of SSH Version 1 only the later standard should be used.
Remediation
Configure the router to use SSH version 2.
hostname(config)#ip ssh version 2
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy to review their current protocols to ensure the most secure protocol versions are in use.
4.2.2.1.2 Set 'no cdp run'
Table 217: Device Results (2.1.2)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
Disable Cisco Discovery Protocol (CDP) service at device level.
Rationale
The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each other on a LAN segment. It is useful only in network monitoring and troubleshooting situations but is considered a security risk because of the amount of information provided from queries. In addition, there have been published denial-of-service (DoS) attacks that use CDP. CDP should be completely disabled unless necessary.
Remediation
Disable Cisco Discovery Protocol (CDP) service globally.
hostname(config)#no cdp run
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols.
4.2.2.1.3 Set 'no ip bootp server'
Table 218: Device Results (2.1.3)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Disable the Bootstrap Protocol (BOOTP) service on your routing device.
Rationale
BootP allows a router to issue IP addresses. This should be disabled unless there is a specific requirement.
Remediation
Disable the bootp server.
hostname(config)#no ip bootp server
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as 'ip bootp server'.
4.2.2.1.4 Set 'no service dhcp'
Table 219: Device Results (2.1.4)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Disable the Dynamic Host Configuration Protocol (DHCP) server and relay agent features on your router.
Rationale
The DHCP server supplies automatic configuration parameters, such as a dynamic IP address, to requesting systems. A dedicated server located in a secured management zone should be used to provide DHCP services instead. The router's DHCP service can potentially be used by attackers for denial-of-service (DoS) attacks.
Remediation
Disable the DHCP server.
hostname(config)#no service dhcp
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as the Dynamic Host Configuration Protocol (DHCP).
4.2.2.1.5 Set 'no ip identd'
Table 220: Device Results (2.1.5)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
Disable the identification (identd) server.
Rationale
The identification protocol enables identifying a user's transmission control protocol (TCP) session. This information disclosure could potentially provide an attacker with information about users.
Remediation
Disable the ident server.
hostname(config)#no ip identd
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting network protocols and explicitly require disabling all insecure or unnecessary protocols such as the identification protocol (identd).
4.2.2.1.6 Set 'service tcp-keepalives-in'
Table 221: Device Results (2.1.6)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Generate keepalive packets on idle incoming network connections.
Rationale
Stale connections use resources and could potentially be hijacked to gain illegitimate access. The TCP keepalives-in service generates keepalive packets on idle incoming network connections (initiated by the remote host). This service allows the device to detect when the remote host fails and drop the session. If enabled, keepalives are sent once per minute on idle connections. The connection is closed within five minutes if no keepalives are received, or immediately if the host replies with a reset packet.
Remediation
Enable the TCP keepalives-in service:
hostname(config)#service tcp-keepalives-in
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting how long to allow terminated sessions and enforce this policy through the use of the 'tcp-keepalives-in' command.
4.2.2.1.7 Set 'service tcp-keepalives-out'
Table 222: Device Results (2.1.7)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Pass
Description
Generate keepalive packets on idle outgoing network connections.
Rationale
Stale connections use resources and could potentially be hijacked to gain illegitimate access. The TCP keepalives-in service generates keepalive packets on idle incoming network connections (initiated by the remote host). This service allows the device to detect when the remote host fails and drop the session. If enabled, keepalives are sent once per minute on idle connections. The connection is closed within five minutes if no keepalives are received, or immediately if the host replies with a reset packet.
Remediation
Enable the TCP keepalives-out service:
hostname(config)#service tcp-keepalives-out
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting how long to allow terminated sessions and enforce this policy through the use of the 'tcp-keepalives-out' command.
4.2.2.1.8 Set 'no service pad'
Table 223: Device Results (2.1.8)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Disable the X.25 Packet Assembler/Disassembler (PAD) service.
Rationale
If the PAD service is not necessary, disable the service to prevent intruders from accessing the X.25 PAD command set on the router.
Remediation
Disable the PAD service.
hostname(config)#no service pad
Impact:
To reduce the risk of unauthorized access, organizations should implement a security policy restricting unnecessary services such as the 'PAD' service.
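The SSH prerequisite rules (2.1.1.x) and the global service rules (2.1.2 to 2.1.8) can be checked from a saved running-config and turned directly into the remediation lines listed in the sections above. The following Python script is an added example, not part of the Nipper Studio report or of any Cisco tool; its configuration excerpt is constructed (hostname and domain are placeholders). Two modelling choices are assumptions about IOS behaviour rather than statements from the report: services that are on by default are judged on the presence of their explicit 'no ...' line, and identd, which is off by default and whose off state IOS does not print, is judged on the absence of 'ip identd'. The RSA modulus cannot be read from the running-config (see the NOTE in 2.1.1.1.3), so that rule is reported as Manual, as the tables above do.

```python
import re

# Constructed running-config excerpt (not the audited routers' configuration).
SAMPLE_CONFIG = """\
hostname router03
ip domain name example.test
ip ssh time-out 120
ip ssh authentication-retries 5
ip ssh version 1
service tcp-keepalives-in
no service pad
"""

# Rules satisfied by one exact global line (CIS item -> line that must be present).
PRESENCE_RULES = {
    "2.1.1.2 ip ssh version 2": "ip ssh version 2",
    "2.1.2 no cdp run": "no cdp run",
    "2.1.3 no ip bootp server": "no ip bootp server",
    "2.1.4 no service dhcp": "no service dhcp",
    "2.1.6 service tcp-keepalives-in": "service tcp-keepalives-in",
    "2.1.7 service tcp-keepalives-out": "service tcp-keepalives-out",
    "2.1.8 no service pad": "no service pad",
}

# Remediation line for each rule that can fail (taken from the sections above;
# braces mark values the administrator supplies).
REMEDIATION = {
    **PRESENCE_RULES,
    "2.1.1.1.1 hostname": "hostname {router_name}",
    "2.1.1.1.2 ip domain name": "ip domain name {domain-name}",
    "2.1.1.1.4 ip ssh time-out <= 60": "ip ssh time-out 60",
    "2.1.1.1.5 ip ssh authentication-retries <= 3": "ip ssh authentication-retries 3",
    "2.1.5 no ip identd": "no ip identd",
}


def _int_setting(lines, prefix):
    """Integer argument of the first line 'prefix <n>', or None when absent."""
    for ln in lines:
        m = re.match(r"^" + re.escape(prefix) + r" (\d+)$", ln)
        if m:
            return int(m.group(1))
    return None


def check_ssh_and_services(config):
    """Evaluate CIS 2.1.x over a running-config; returns {rule: 'Pass'|'Fail'|'Manual'}."""
    lines = [ln.strip() for ln in config.splitlines()]
    r = {}
    host = next((ln.split(None, 1)[1] for ln in lines if ln.startswith("hostname ")), None)
    r["2.1.1.1.1 hostname"] = "Pass" if host and host != "Router" else "Fail"
    # Both the current 'ip domain name' and the older 'ip domain-name' spellings count.
    r["2.1.1.1.2 ip domain name"] = (
        "Pass" if any(re.match(r"^ip domain[ -]name \S+$", ln) for ln in lines) else "Fail")
    # The RSA modulus is not printed in the running-config, so it needs a manual check.
    r["2.1.1.1.3 rsa modulus >= 2048"] = "Manual"
    timeout = _int_setting(lines, "ip ssh time-out")
    r["2.1.1.1.4 ip ssh time-out <= 60"] = (
        "Pass" if timeout is not None and timeout <= 60 else "Fail")
    retries = _int_setting(lines, "ip ssh authentication-retries")
    r["2.1.1.1.5 ip ssh authentication-retries <= 3"] = (
        "Pass" if retries is not None and retries <= 3 else "Fail")
    for rule, needed in PRESENCE_RULES.items():
        r[rule] = "Pass" if needed in lines else "Fail"
    # identd is off unless explicitly enabled and IOS does not print its off state
    # (assumption about IOS defaults), so the check is on the absence of 'ip identd'.
    r["2.1.5 no ip identd"] = "Fail" if "ip identd" in lines else "Pass"
    return r


def remediation_commands(results):
    """Config-mode lines to apply for every failing rule, in rule order."""
    return [REMEDIATION[rule] for rule, verdict in results.items()
            if verdict == "Fail" and rule in REMEDIATION]


if __name__ == "__main__":
    verdicts = check_ssh_and_services(SAMPLE_CONFIG)
    for rule, verdict in verdicts.items():
        print(f"{verdict:7} {rule}")
    print("\n".join("hostname(config)#" + c for c in remediation_commands(verdicts)))
```

For the constructed excerpt the script reports the SSH timeout, retry limit and version as failing along with CDP, BOOTP, DHCP and outbound keepalives, and prints the seven config-mode lines that would close those findings; keepalives-in and PAD already pass.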
4.2.2.2 Logging Rules
Rules in the logging class enforce controls that provide a record of system activity and events.
4.2.2.2.1 Set 'logging on'
Table 224: Device Results (2.2.1)
Device               Result
router03 IOS 12.3    Pass
CiscoIOS15 IOS 15.0  Fail
Description
Enable logging of system messages.
Rationale
Logging provides a chronological record of activities on the Cisco device and allows monitoring of both operational and security related events.
Remediation
Enable system logging.
hostname(config)#logging on
Impact:
Enabling the Cisco IOS 'logging on' command enforces the monitoring of technology risks for the organization's network devices.
4.2.2.2.2 Set 'buffer size' for 'logging buffered'
Table 225: Device Results (2.2.2)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Enable system message logging to a local buffer.
Rationale
The device can copy and store log messages to an internal memory buffer. The buffered data is available only from a router exec or enabled exec session. This form of logging is useful for debugging and monitoring when logged into a router.
Remediation
Configure buffered logging (with minimum size). The recommended size is 64000.
hostname(config)#logging buffered [log_buffer_size]
Impact:
Data forensics is effective for managing technology risks and an organization can enforce such policies by enabling the 'logging buffered' command.
4.2.2.2.3 Set 'logging console critical'
Table 226: Device Results (2.2.3)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Verify logging to the device console is enabled and limited to a rational severity level to avoid impacting system performance and management.
Rationale
This configuration determines the severity of messages that will generate console messages. Logging to console should be limited only to those messages required for immediate troubleshooting while logged into the device. This form of logging is not persistent; messages printed to the console are not stored by the router. Console logging is handy for operators when they use the console.
Remediation
Configure the console logging level.
hostname(config)#logging console critical
Impact:
Logging critical messages at the console is important for an organization managing technology risk. The 'logging console' command should capture appropriate severity messages to be effective.
4.2.2.2.4 Set IP address for 'logging host'
Table 227: Device Results (2.2.4)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Log system messages and debug output to a remote host.
Rationale
Cisco routers can send their log messages to a Unix-style Syslog service. A syslog service simply accepts messages and stores them in files or prints them according to a simple configuration file. This form of logging is best because it can provide protected long-term storage for logs (the device's internal logging buffer has limited capacity to store events). In addition, logging to an external system is highly recommended or required by most security standards. If desired or required by policy, law and/or regulation, enable a second syslog server for redundancy.
Remediation
Designate one or more syslog servers by IP address.
hostname(config)#logging host syslog_server
Impact:
Logging is an important process for an organization managing technology risk. The 'logging host' command sets the IP address of the logging host and enforces the logging process.
4.2.2.2.5 Set 'logging trap informational'
Table 228: Device Results (2.2.5)
Device               Result
router03 IOS 12.3    Manual
CiscoIOS15 IOS 15.0  Manual
Description
Limit messages logged to the syslog servers based on severity level informational.
Rationale
This determines the severity of messages that will generate simple network management protocol (SNMP) trap and/or syslog messages. This setting should be set to either "debugging" (7) or "informational" (6), but no lower.
Remediation
Configure the SNMP trap and syslog logging level.
hostname(config)#logging trap informational
Impact:
Logging is an important process for an organization managing technology risk. The 'logging trap' command sets the severity of messages and enforces the logging process.
4.2.2.2.6 Set 'service timestamps debug datetime'
Table 229: Device Results (2.2.6)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Configure the system to apply a time stamp to debugging messages or system logging messages.
Rationale
Including timestamps in log messages allows correlating events and tracing network attacks across multiple devices. Enabling service timestamps to mark the time log messages were generated simplifies obtaining a holistic view of events, enabling faster troubleshooting of issues or attacks.
Remediation
Configure debug messages to include timestamps.
hostname(config)#service timestamps debug datetime {msec} show-timezone
Impact:
Logging is an important process for an organization managing technology risk, and establishing a timeline of events is critical. The 'service timestamps' command sets the date and time on entries sent to the logging host and enforces the logging process.
4.2.2.2.7 Set 'logging source interface'
Table 230: Device Results (2.2.7)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Specify the source IPv4 or IPv6 address of system logging packets.
Rationale
This is required so that the router sends log messages to the logging server from a consistent IP address.
Remediation
Bind logging to the loopback interface.
hostname(config)#logging source-interface loopback {loopback_interface_number}
Impact:
Logging is an important process for an organization managing technology risk, and establishing a consistent source of messages for the logging host is critical. The 'logging source interface loopback' command sets a consistent IP address to send messages to the logging host and enforces the logging process.
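Because several of the logging rules compare a severity keyword against a threshold (console no more verbose than critical, trap at least informational) and one compares a buffer size against the recommended 64000, a checker needs the IOS severity scale rather than a plain string match. The following Python script is an added example, not part of the Nipper Studio report or of any Cisco tool; its configuration excerpt is constructed (the syslog address is a documentation address, not one of the audited routers' hosts). It treats 'logging on' as present unless the explicit 'no logging on' line appears, and reports 2.2.5 as Manual when no 'logging trap' line is printed; both choices are assumptions about which defaults IOS omits from the running-config, which is also why the tables above show 2.2.5 as Manual.

```python
import re

# Constructed running-config excerpt (not the audited routers' configuration).
SAMPLE_CONFIG = """\
no logging on
logging buffered 4096
logging console debugging
logging host 192.0.2.50
logging trap warnings
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
"""

# IOS severity keywords and their numeric levels (0 is most severe).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3, "warnings": 4,
            "notifications": 5, "informational": 6, "debugging": 7}
MIN_BUFFER = 64000  # recommended size from 2.2.2


def _level(lines, prefix):
    """Severity of 'prefix <level>' as an int, or None when the line is absent.
    Accepts either the keyword or the bare number."""
    for ln in lines:
        m = re.match(r"^" + re.escape(prefix) + r" (\S+)$", ln)
        if m:
            tok = m.group(1)
            return int(tok) if tok.isdigit() else SEVERITY.get(tok)
    return None


def syslog_hosts(config):
    """Remote syslog destinations ('logging host <addr>' or the older 'logging <addr>')."""
    hosts = []
    for ln in (x.strip() for x in config.splitlines()):
        m = re.match(r"^logging (?:host )?(\d+\.\d+\.\d+\.\d+)\b", ln)
        if m:
            hosts.append(m.group(1))
    return hosts


def check_logging_rules(config):
    """Evaluate CIS 2.2.1 to 2.2.7; returns {rule: 'Pass'|'Fail'|'Manual'}."""
    lines = [ln.strip() for ln in config.splitlines()]
    r = {}
    # 2.2.1: 'logging on' is the default and is not printed; only an explicit
    # 'no logging on' is visible (assumption about IOS defaults).
    r["2.2.1 logging on"] = "Fail" if "no logging on" in lines else "Pass"
    size = None
    for ln in lines:
        m = re.match(r"^logging buffered (\d+)", ln)
        if m:
            size = int(m.group(1))
    r["2.2.2 logging buffered >= 64000"] = (
        "Pass" if size is not None and size >= MIN_BUFFER else "Fail")
    console = _level(lines, "logging console")
    r["2.2.3 logging console critical"] = (
        "Pass" if console is not None and console <= SEVERITY["critical"] else "Fail")
    r["2.2.4 logging host"] = "Pass" if syslog_hosts(config) else "Fail"
    trap = _level(lines, "logging trap")
    # The trap default (informational) is not printed, so absence needs 'show logging'.
    r["2.2.5 logging trap informational"] = (
        "Manual" if trap is None else
        "Pass" if trap >= SEVERITY["informational"] else "Fail")
    r["2.2.6 service timestamps debug datetime"] = (
        "Pass" if any(ln.startswith("service timestamps debug datetime") for ln in lines)
        else "Fail")
    r["2.2.7 logging source-interface"] = (
        "Pass" if any(ln.startswith("logging source-interface ") for ln in lines) else "Fail")
    return r


if __name__ == "__main__":
    for rule, verdict in check_logging_rules(SAMPLE_CONFIG).items():
        print(f"{verdict:7} {rule}")
    print("syslog hosts:", syslog_hosts(SAMPLE_CONFIG))
```

In the constructed excerpt logging is switched off, the buffer is far below 64000, the console is left at debugging and traps are capped at warnings, so those four rules fail; one syslog host and the debug timestamps are present, so 2.2.4 and 2.2.6 pass, and the missing source interface fails 2.2.7. A single syslog host is a Pass for 2.2.4, but the Rationale above recommends a second one for redundancy, which is why the host list is returned separately.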
4.2.2.3 NTP Rules
Network Time Protocol allows administrators to set the system time on all of their compatible systems from a single source, ensuring a consistent time stamp for logging and authentication protocols. NTP is an internet standard, defined in RFC 1305.
4.2.2.3.1 Require Encryption Keys for NTP
Encryption keys should be set for NTP servers.
4.2.2.3.1.1 Set 'ntp authenticate'
Table 231: Device Results (2.3.1.1)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Enable NTP authentication.
Rationale
Using authenticated NTP ensures the Cisco device only permits time updates from authorized NTP servers.
Remediation
Configure NTP authentication:
hostname(config)#ntp authenticate
Impact:
Organizations should establish three Network Time Protocol (NTP) hosts to set consistent time across the enterprise. Enabling the 'ntp authenticate' command enforces authentication between NTP hosts.
4.2.2.3.1.2 Set 'ntp authentication-key'
Table 232: Device Results (2.3.1.2)
Device               Result
router03 IOS 12.3    Fail
CiscoIOS15 IOS 15.0  Pass
Description
Define an authentication key for Network Time Protocol (NTP).
Rationale
Using an authentication key provides a higher degree of security as only authenticated NTP servers will be able to update time for the Cisco device.
Remediation
Configure the NTP key ring and encryption key using the following command:
hostname(config)#ntp authentication-key {ntp_key_id} md5 {ntp_key}
Impact:
Organizations should establish three Network Time Protocol (NTP) hosts to set consistent time across the enterprise. Enabling the 'ntp authentication-key' command enforces encrypted authentication between NTP hosts.
4.2.2.3.1.3Setthe'ntptrusted-key'
Table233:DeviceResults(2.3.1.3)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
EnsureyouauthenticatetheidentityofasystemtowhichNetworkTimeProtocol(NTP)willsynchronize
Rationale
Thisauthenticationfunctionprovidesprotectionagainstaccidentallysynchronizingthesystemtoanothersystemthatisnottrusted,becausetheothersystemmustknowthecorrectauthenticationkey.
Remediation
ConfiguretheNTPtrustedkeyusingthefollowingcommand
hostname(config)#ntptrusted-key{ntp_key_id}
Impact:
OrganizationsshouldestablishthreeNetworkTimeProtocol(NTP)hoststosetconsistenttimeacrosstheenterprise.Enablingthe'ntptrusted-key'commandenforcesencryptedauthenticationbetweenNTPhosts.
4.2.2.3.1.4Set'key'foreach'ntpserver'
Table234:DeviceResults(2.3.1.4)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
SpecifiestheauthenticationkeyforNTP.
Rationale
Thisauthenticationfeatureprovidesprotectionagainstaccidentallysynchronizingthentpsystemtoanothersystemthatisnottrusted,becausetheothersystemmustknowthecorrectauthenticationkey.
Remediation
ConfigureeachNTPServertouseakeyringusingthefollowingcommand.
hostname(config)#ntpserver{ntp-server_ip_address}{keyntp_key_id}
Impact:
OrganizationsshouldestablishthreeNetworkTimeProtocol(NTP)hoststosetconsistenttimeacrosstheenterprise.Enablingthe'ntpserverkey'commandenforcesencryptedauthenticationbetweenNTPhosts.
4.2.2.3.2Set'ipaddress'for'ntpserver'
Table235:DeviceResults(2.3.2)
Device Result
router03IOS12.3 Pass
CiscoIOS15IOS15.0 Pass
Description
UsethiscommandifyouwanttoallowthesystemtosynchronizethesystemsoftwareclockwiththespecifiedNTPserver.
Rationale
ToensurethatthetimeonyourCiscorouterisconsistentwithotherdevicesinyournetwork,atleasttwo(andpreferablyatleastthree)NTPServer/sexternaltotheroutershouldbeconfigured.
Ensureyoualsoconfigureconsistenttimezoneanddaylightsavingstimesettingforalldevices.Forsimplicity,thedefaultofCoordinatedUniversalTime(UTC).
Remediation
ConfigureatleastoneexternalNTPServerusingthefollowingcommands
hostname(config)#ntpserver{ipaddress}
Impact:
OrganizationsshouldestablishthreeNetworkTimeProtocol(NTP)hoststosetconsistenttimeacrosstheenterprise.Enablingthe'ntpserveripaddress'enforcesencryptedauthenticationbetweenNTPhosts.
4.2.2.4LoopbackRules
Whenarouterneedstoinitiateconnectionstoremotehosts,forexampleforSYSLOGorNTP,itwillusethenearestinterfaceforthepacketssourceaddress.Thiscancauseissuesduetothepossiblevariationinsource,potentiallycausingpacketstobedeniedbyinterveningfirewallsorhandledincorrectlybythereceivinghost.TopreventtheseproblemstheroutershouldbeconfiguredwithaLoopbackinterfaceandanyservicesshouldbeboundtothisaddress.
4.2.2.4.1Createasingle'interfaceloopback'
Device Result
Table236:DeviceResults(2.4.1)
router03IOS12.3 Manual
CiscoIOS15IOS15.0 Manual
Description
Configureasingleloopbackinterface.
Rationale
Software-onlyloopbackinterfacethatemulatesaninterfacethatisalwaysup.Itisavirtualinterfacesupportedonallplatforms.
Alternateloopbackaddressescreateapotentialforabuse,mis-configuration,andinconsistencies.Additionalloopbackinterfacesmustbedocumentedandapprovedpriortousebylocalsecuritypersonnel.
Remediation
Defineandconfigureoneloopbackinterface.
hostname(config)#interfaceloopback<number>
hostname(config-if)#ipaddress<loopback_ip_address><loopback_subnet_mask>
Impact:
Organizationsshouldplanandestablish'loopbackinterfaces'fortheenterprisenetwork.LoopbackinterfacesenablecriticalnetworkinformationsuchasOSPFRouterIDsandprovideterminationpointsforroutingprotocolsessions.
4.2.2.4.2SetAAA'source-interface'
Table237:DeviceResults(2.4.2)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
ForceAAAtousetheIPaddressofaspecifiedinterfaceforalloutgoingAAApackets
Rationale
ThisisrequiredsothattheAAAserver(RADIUSorTACACS+)caneasilyidentifyroutersandauthenticaterequestsbytheirIPaddress.
Remediation
BindAAAservicestotheloopbackinterface.
Hostname(config)#ip{tacacs|radius}source-interfaceloopback{loopback_interface_number)
Impact:
Organizationsshoulddesignandimplementauthentication,authorization,andaccounting(AAA)servicesforeffectivemonitoringofenterprisenetworkdevices.BindingAAAservicestothesource-interfaceloopbackenablestheseservices.
4.2.2.4.3Set'ntpsource'toLoopbackInterface
Table238:DeviceResults(2.4.3)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
UseaparticularsourceaddressinNetworkTimeProtocol(NTP)packets.
Rationale
SetthesourceaddresstobeusedwhensendingNTPtraffic.ThismayberequirediftheNTPserversyoupeerwithfilterbasedonIPaddress.
Remediation
BindtheNTPservicetotheloopbackinterface.
hostname(config)#ntpsourceloopback{loopback_interface_number}
Impact:
Organizationsshouldplanandimplementnetworktimeprotocol(NTP)servicestoestablishofficialtimeforallenterprisenetworkdevices.Setting'ntpsourceloopback'enforcestheproperIPaddressforNTPservices.
4.2.2.4.4Set'iptftpsource-interface'totheLoopbackInterface
Table239:DeviceResults(2.4.4)
Device Result
router03IOS12.3 Fail
CiscoIOS15IOS15.0 Pass
Description
SpecifytheIPaddressofaninterfaceasthesourceaddressforTFTPconnections.
Rationale
ThisisrequiredsothattheTFTPserverscaneasilyidentifyroutersandauthenticaterequestsbytheirIPaddress.
Remediation
BindtheTFTPclienttotheloopbackinterface.
hostname(config)#iptftpsource-interfaceloopback{loobpback_interface_number}
Impact:
Organizationsshouldplanandimplementtrivialfiletransferprotocol(TFTP)servicesintheenterprisebysetting'tftpsource-interfaceloopback',whichenablestheTFTPserverstoidentifyroutersandauthenticaterequestsbyIPaddress.
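The NTP rules (2.3.1.1 to 2.3.2) and the loopback binding rules (2.2.7, 2.4.1 to 2.4.4) above are all global-configuration checks, so they can be evaluated together over a running-config text, including the cross-check that every 'ntp server' key is both defined and trusted. The Python below is an added example of such a check and is not Nipper Studio's code; the two configurations are constructed to mirror the Fail and Pass patterns reported above, are not the audited devices' configurations, and use placeholder addresses and key strings.

```python
import re
from typing import Dict, List

# Constructed sample configurations (not the audited devices' real configurations).
# ROUTER03_LIKE reproduces the Fail pattern reported for router03 above;
# IOS15_LIKE reproduces the Pass pattern reported for CiscoIOS15.
ROUTER03_LIKE = """\
hostname router03
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
ntp server 192.0.2.10
ntp server 192.0.2.11
logging host 192.0.2.50
"""

IOS15_LIKE = """\
hostname CiscoIOS15
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
ntp authenticate
ntp authentication-key 1 md5 EXAMPLE-PLACEHOLDER-KEY
ntp trusted-key 1
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11 key 1
ntp source Loopback0
logging source-interface Loopback0
ip tftp source-interface Loopback0
ip tacacs source-interface Loopback0
"""


def audit_ntp_and_loopback(config: str) -> Dict[str, str]:
    """Return {rule: 'Pass'|'Fail'|'Manual'} for the NTP and loopback rules."""
    lines = [l.rstrip() for l in config.splitlines()]
    glob = [l for l in lines if l and not l.startswith(" ")]  # global-config lines only
    results: Dict[str, str] = {}

    # 2.4.1: exactly one loopback interface. More than one is reported as
    # Manual, as in the report above, because extra loopbacks need approval.
    loopbacks = [l.split()[1] for l in glob if re.match(r"interface loopback\d+", l, re.I)]
    results["2.4.1 single loopback"] = "Pass" if len(loopbacks) == 1 else "Manual"
    lb = loopbacks[0].lower() if loopbacks else None

    # 2.3.1.1 - 2.3.1.3: the three global NTP authentication commands.
    results["2.3.1.1 ntp authenticate"] = "Pass" if "ntp authenticate" in glob else "Fail"
    key_ids = {m.group(1) for l in glob
               if (m := re.match(r"ntp authentication-key (\d+) md5 ", l))}
    results["2.3.1.2 ntp authentication-key"] = "Pass" if key_ids else "Fail"
    trusted = {m.group(1) for l in glob if (m := re.match(r"ntp trusted-key (\d+)", l))}
    results["2.3.1.3 ntp trusted-key"] = "Pass" if trusted else "Fail"

    # 2.3.2 and 2.3.1.4: every 'ntp server' must carry a key, and that key must
    # be both defined and trusted, otherwise authentication cannot succeed.
    servers = [m for m in (re.match(r"ntp server (\S+)(?: key (\d+))?", l) for l in glob) if m]
    results["2.3.2 ntp server"] = "Pass" if servers else "Fail"
    keyed = all(m.group(2) and m.group(2) in key_ids and m.group(2) in trusted
                for m in servers)
    results["2.3.1.4 ntp server key"] = "Pass" if servers and keyed else "Fail"

    # 2.2.7, 2.4.2 - 2.4.4: each service bound to *the* loopback, not just any interface.
    for rule, pattern in {
        "2.2.7 logging source-interface": r"logging source-interface (\S+)",
        "2.4.2 AAA source-interface": r"ip (?:tacacs|radius) source-interface (\S+)",
        "2.4.3 ntp source": r"ntp source (\S+)",
        "2.4.4 ip tftp source-interface": r"ip tftp source-interface (\S+)",
    }.items():
        bound = [m.group(1).lower() for l in glob if (m := re.match(pattern, l))]
        results[rule] = "Pass" if lb and bound and all(b == lb for b in bound) else "Fail"
    return results


def failed_rules(config: str) -> List[str]:
    """Convenience view in the shape of the 'Failed Benchmark Checks' table."""
    return sorted(r for r, v in audit_ntp_and_loopback(config).items() if v == "Fail")


if __name__ == "__main__":
    for name, cfg in (("router03-like", ROUTER03_LIKE), ("IOS15-like", IOS15_LIKE)):
        print(name, failed_rules(cfg))
```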
4.2.3 Data Plane
Services and settings related to the data passing through the router (as opposed to traffic directed to it). The data plane is for everything not in the control or management planes. Settings on a router concerned with the data plane include interface access lists, firewall functionality (e.g. CBAC), NAT, and IPSec. Settings for traffic-affecting services like unicast RPF verification and CAR/QoS also fall into this area.
4.2.3.1 Routing Rules
Unneeded services should be disabled.
4.2.3.1.1 Set 'no ip source-route'
Table 240: Device Results (3.1.1)
Device  Result
router03 IOS 12.3  Fail
CiscoIOS15 IOS 15.0  Pass
Description
Disable the handling of IP datagrams with source routing header options.
Rationale
Source routing is a feature of IP whereby individual packets can specify routes. This feature is used in several kinds of attacks. Cisco routers normally accept and process source routes. Unless a network depends on source routing, it should be disabled.
Remediation
Disable source routing.
hostname(config)# no ip source-route
Impact:
Organizations should plan and implement network policies to ensure unnecessary services are explicitly disabled. The 'ip source-route' feature has been used in several attacks and should be disabled.
4.2.3.1.2 Set 'no ip proxy-arp'
Table 241: Device Results (3.1.2)
Device  Result
router03 IOS 12.3  Fail
CiscoIOS15 IOS 15.0  Pass
Description
Disable proxy ARP on all interfaces.
Rationale
Address Resolution Protocol (ARP) provides resolution between IP and MAC addresses (or other Network and Link Layer addresses on non-IP networks) within a Layer 2 network.
Proxy ARP is a service where a device connected to one network (in this case the Cisco router) answers ARP requests which are addressed to a host on another network, replying with its own MAC address and forwarding the traffic on to the intended host.
Sometimes used for extending broadcast domains across WAN links, in most cases Proxy ARP on enterprise networks is used to enable communication for hosts with mis-configured subnet masks, a situation which should no longer be a common problem. Proxy ARP effectively breaks the LAN security perimeter, extending a network across multiple Layer 2 segments. Using Proxy ARP can also allow other security controls such as PVLAN to be bypassed.
Remediation
Disable proxy ARP on all interfaces.
hostname(config)# interface {interface}
hostname(config-if)# no ip proxy-arp
Impact:
Organizations should plan and implement network policies to ensure unnecessary services are explicitly disabled. The 'ip proxy-arp' feature effectively breaks the LAN security perimeter and should be disabled.
4.2.3.1.3 Set 'no interface tunnel'
Table 242: Device Results (3.1.3)
Device  Result
router03 IOS 12.3  Manual
CiscoIOS15 IOS 15.0  Manual
Description
Verify no tunnel interfaces are defined.
Rationale
Tunnel interfaces should not exist in general. They can be used for malicious purposes. If they are necessary, the network admins should be well aware of them and their purpose.
Remediation
Remove any tunnel interfaces.
hostname(config)# no interface tunnel {instance}
Impact:
Organizations should plan and implement enterprise network security policies that disable insecure and unnecessary features that increase attack surfaces, such as 'tunnel interfaces'.
4.2.3.1.4 Set 'ip verify unicast source reachable-via'
Table 243: Device Results (3.1.4)
Device  Result
router03 IOS 12.3  Fail
CiscoIOS15 IOS 15.0  Pass
Description
Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet only if the source is reachable through the interface on which the packet was received (sometimes referred to as strict mode).
Rationale
Enabling uRPF helps mitigate IP spoofing by ensuring packet source IP addresses only originate from expected interfaces. Configure unicast reverse-path forwarding (uRPF) on all external or high-risk interfaces.
Remediation
Configure uRPF.
hostname(config)# interface {interface_name}
hostname(config-if)# ip verify unicast source reachable-via rx
Impact:
Organizations should plan and implement enterprise security policies that protect the confidentiality, integrity, and availability of network devices. The 'unicast Reverse-Path Forwarding' (uRPF) feature dynamically uses the routing table to either accept or drop packets when they arrive on an interface.
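As an added example (not Nipper Studio's code), the Python below evaluates the four routing rules above (3.1.1 to 3.1.4) against a constructed running-config, treating the IOS defaults the way the rules do: source routing and proxy ARP are on unless the 'no' form appears, and tunnel interfaces are reported for manual review. Which interfaces count as external for the uRPF check is an assumption passed in by the caller, since the configuration itself does not say.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configuration (not router03's real configuration); the
# pattern mirrors the Fail results reported for router03 in 3.1.1, 3.1.2 and 3.1.4.
SAMPLE_CONFIG = """\
hostname router03
interface GigabitEthernet0/0
 description uplink to ISP (constructed)
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 no ip proxy-arp
interface Tunnel5
 ip unnumbered GigabitEthernet0/1
"""

# The same configuration with the remediation from 3.1.1, 3.1.2 and 3.1.4 applied
# and the tunnel removed (3.1.3).
REMEDIATED_CONFIG = """\
hostname router03
no ip source-route
interface GigabitEthernet0/0
 description uplink to ISP (constructed)
 ip address 203.0.113.2 255.255.255.252
 no ip proxy-arp
 ip verify unicast source reachable-via rx
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 no ip proxy-arp
"""


def split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and {interface: [sub-commands]}."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" "):          # indented line belongs to the open block
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit_routing_rules(config: str, external: List[str]) -> Dict[str, str]:
    """Evaluate 3.1.1 - 3.1.4 for one device. `external` names the untrusted
    interfaces on which uRPF strict mode (3.1.4) is expected (an assumption)."""
    global_lines, interfaces = split_config(config)
    results: Dict[str, str] = {}

    # 3.1.1: IOS processes source-routed datagrams unless explicitly disabled,
    # so the rule passes only when the 'no' form is present in the config.
    results["3.1.1 no ip source-route"] = (
        "Pass" if "no ip source-route" in global_lines else "Fail")

    # 3.1.2: proxy ARP is on by default on every routed interface; each one
    # that carries an IP address must show 'no ip proxy-arp'.
    routed = {n: c for n, c in interfaces.items()
              if any(s.startswith("ip address") for s in c)}
    results["3.1.2 no ip proxy-arp"] = (
        "Pass" if all("no ip proxy-arp" in c for c in routed.values()) else "Fail")

    # 3.1.3: tunnel interfaces cannot be judged automatically; list them for review.
    tunnels = [n for n in interfaces if n.lower().startswith("tunnel")]
    results["3.1.3 no interface tunnel"] = (
        f"Manual ({', '.join(tunnels)})" if tunnels else "Pass")

    # 3.1.4: strict uRPF ('reachable-via rx') on each declared external interface.
    urpf = re.compile(r"ip verify unicast source reachable-via rx\b")
    ok = all(any(urpf.match(s) for s in interfaces.get(n, [])) for n in external)
    results["3.1.4 uRPF strict on external"] = "Pass" if external and ok else "Fail"
    return results


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", REMEDIATED_CONFIG)):
        print(label, audit_routing_rules(cfg, external=["GigabitEthernet0/0"]))
```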
4.2.3.2 Border Router Filtering
A border-filtering device connects "internal" networks such as desktop networks, DMZ networks, etc., to "external" networks such as the Internet. If this group is chosen, then ingress and egress filter rules will be required.
4.2.3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks
Table 244: Device Results (3.2.1)
Device  Result
router03 IOS 12.3  Manual
CiscoIOS15 IOS 15.0  Manual
Description
This command places the router in access-list configuration mode, where you must define the denied or permitted access conditions by using the deny and permit commands.
Rationale
Configuring access controls can help prevent spoofing attacks. To reduce the effectiveness of IP spoofing, configure access control to deny any traffic from the external network that has a source address that should reside on the internal network. Include the local host address and any reserved private addresses (RFC 1918).
Ensure the permit rule(s) above the final deny rule only allow traffic according to your organization's least privilege policy.
Remediation
Configure an ACL for private source address restrictions from external networks.
hostname(config)# ip access-list extended {name | number}
hostname(config-nacl)# deny ip {internal_networks} any log
hostname(config-nacl)# deny ip 127.0.0.0 0.255.255.255 any log
hostname(config-nacl)# deny ip 10.0.0.0 0.255.255.255 any log
hostname(config-nacl)# deny ip 0.0.0.0 0.255.255.255 any log
hostname(config-nacl)# deny ip 172.16.0.0 0.15.255.255 any log
hostname(config-nacl)# deny ip 192.168.0.0 0.0.255.255 any log
hostname(config-nacl)# deny ip 192.0.2.0 0.0.0.255 any log
hostname(config-nacl)# deny ip 169.254.0.0 0.0.255.255 any log
hostname(config-nacl)# deny ip 224.0.0.0 31.255.255.255 any log
hostname(config-nacl)# deny ip host 255.255.255.255 any log
hostname(config-nacl)# permit {protocol} {source_ip} {source_mask} {destination} {destination_mask} log
hostname(config-nacl)# deny ip any any log
hostname(config)# interface <external_interface>
hostname(config-if)# ip access-group <access-list> in
Impact:
Organizations should plan and implement enterprise security policies that explicitly separate internal from external networks. Adding an 'ip access-list' explicitly permitting and denying internal and external networks enforces these policies.
4.2.3.2.2 Set inbound 'ip access-group' on the External Interface
Table 245: Device Results (3.2.2)
Device  Result
router03 IOS 12.3  Manual
CiscoIOS15 IOS 15.0  Manual
Description
This command places the router in access-list configuration mode, where you must define the denied or permitted access conditions by using the deny and permit commands.
Rationale
Configuring access controls can help prevent spoofing attacks. To reduce the effectiveness of IP spoofing, configure access control to deny any traffic from the external network that has a source address that should reside on the internal network. Include the local host address and any reserved private addresses (RFC 1918).
Ensure the permit rule(s) above the final deny rule only allow traffic according to your organization's least privilege policy.
Remediation
Apply the access-group to the external (untrusted) interface:
hostname(config)# interface {external_interface}
hostname(config-if)# ip access-group {name | number} in
Impact:
Organizations should plan and implement enterprise security policies explicitly permitting and denying access based upon access lists. Using the 'ip access-group' command enforces these policies by explicitly identifying groups permitted access.
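The remediation in 3.2.1 and 3.2.2 above is an ordered list of logged denies, a least-privilege permit, a final logged deny, and an inbound access-group. The Python below is an added example (not Nipper Studio's or Cisco's code) that checks an ACL against that template, including the first-match ordering that a simple "is the line present" check would miss; the ACL name, interface names, the internal network and the web-server address are constructed placeholders, and the wildcard-to-prefix conversion is done by hand because the ipaddress module reads a 0.0.0.0 wildcard as a /0 netmask rather than a host.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Source ranges the 3.2.1 remediation denies, expressed as prefixes.
REQUIRED_DENIES = [ipaddress.ip_network(p) for p in (
    "127.0.0.0/8", "10.0.0.0/8", "0.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "192.0.2.0/24", "169.254.0.0/16", "224.0.0.0/3", "255.255.255.255/32")]

# Constructed configuration fragment that follows the 3.2.1/3.2.2 remediation.
GOOD_CONFIG = """\
ip access-list extended EXTERNAL-IN
 deny ip 198.51.100.0 0.0.0.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 0.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 224.0.0.0 31.255.255.255 any log
 deny ip host 255.255.255.255 any log
 permit tcp any host 198.51.100.10 eq 443 log
 deny ip any any log
interface GigabitEthernet0/0
 ip access-group EXTERNAL-IN in
"""

# Constructed weak variant: the 172.16.0.0/12 deny is missing and the 10.0.0.0/8
# deny has slipped below the permit, so spoofed sources in either range reach the server.
WEAK_CONFIG = (GOOD_CONFIG
               .replace(" deny ip 172.16.0.0 0.15.255.255 any log\n", "")
               .replace(" deny ip 10.0.0.0 0.255.255.255 any log\n", "")
               .replace(" deny ip any any log\n",
                        " deny ip 10.0.0.0 0.255.255.255 any log\n deny ip any any log\n"))


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS 'address wildcard' notation to a prefix (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_acl(config: str, name: str) -> List[Tuple[str, ipaddress.IPv4Network, bool]]:
    """Return (action, source_network, logged) for each entry of the named extended ACL."""
    entries, inside = [], False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
            continue
        if inside and not line.startswith(" "):
            inside = False               # any other top-level line ends the ACL
        if not inside:
            continue
        m = re.match(r"\s*(permit|deny)\s+\S+\s+(?:host (\S+)|(any)|(\S+) (\S+))", line)
        if not m:
            raise ValueError(f"unparsed ACL entry: {line.strip()}")
        action, host, anysrc, addr, wc = m.groups()
        src = (ipaddress.ip_network("0.0.0.0/0") if anysrc else
               ipaddress.ip_network(f"{host}/32") if host else wildcard_to_network(addr, wc))
        entries.append((action, src, line.rstrip().endswith(" log")))
    return entries


def audit_border_acl(config: str, name: str, external_if: str,
                     internal: List[str]) -> Dict[str, str]:
    """Evaluate the 3.2.1 and 3.2.2 rules for one ACL on one external interface."""
    entries = parse_acl(config, name)
    results: Dict[str, str] = {}
    # 3.2.1: ACLs are first-match, so for every required source range the first
    # entry that overlaps it must be a logged deny that fully covers it.
    for net in REQUIRED_DENIES + [ipaddress.ip_network(i) for i in internal]:
        first = next(((a, s, lg) for a, s, lg in entries if s.overlaps(net)), None)
        ok = (first is not None and first[0] == "deny"
              and net.subnet_of(first[1]) and first[2])
        results[f"3.2.1 deny {net}"] = "Pass" if ok else "Fail"
    last = entries[-1] if entries else None
    results["3.2.1 final deny any log"] = ("Pass" if last and last[0] == "deny"
                                           and last[1].prefixlen == 0 and last[2] else "Fail")
    # 3.2.2: the ACL must actually be applied inbound on the untrusted interface.
    applied = re.search(rf"^interface {re.escape(external_if)}\n(?: .*\n)*?"
                        rf" ip access-group {re.escape(name)} in\b", config, re.M)
    results["3.2.2 ip access-group in"] = "Pass" if applied else "Fail"
    return results
```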
4.2.3.3 Neighbor Authentication
Enable routing authentication.
4.2.3.3.1 Require EIGRP Authentication if Protocol is Used
Verify Enhanced Interior Gateway Routing Protocol (EIGRP) authentication is enabled, if the routing protocol is used, where feasible.
4.2.3.3.1.1 Set 'key chain'
Table 246: Device Results (3.3.1.1)
Device  Result
router03 IOS 12.3  Pass
CiscoIOS15 IOS 15.0  Pass
Description
Define an authentication key chain to enable authentication for routing protocols. A key chain must have at least one key and can have up to 2,147,483,647 keys.
NOTE: Only DRP Agent, EIGRP, and RIPv2 use key chains.
Rationale
Routing protocols such as DRP Agent, EIGRP, and RIPv2 use key chains for authentication.
Remediation
Establish the key chain.
hostname(config)# key chain {key-chain_name}
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using 'key chains' for routing protocols enforces these policies.
4.2.3.3.1.2 Set 'key'
Table 247: Device Results (3.3.1.2)
Device  Result
router03 IOS 12.3  Pass
CiscoIOS15 IOS 15.0  Pass
Description
Configure an authentication key on a key chain.
Rationale
This is part of the routing authentication setup.
Remediation
Configure the key number.
hostname(config-keychain)# key {key-number}
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using 'key numbers' for key chains for routing protocols enforces these policies.
4.2.3.3.1.3 Set 'key-string'
Table 248: Device Results (3.3.1.3)
Device  Result
router03 IOS 12.3  Pass
CiscoIOS15 IOS 15.0  Pass
Description
Configure the authentication string for a key.
Rationale
This is part of the routing authentication setup.
Remediation
Configure the key string.
hostname(config-keychain-key)# key-string <key-string>
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using 'key strings' for key chains for routing protocols enforces these policies.
4.2.3.3.1.4 Set 'address-family ipv4 autonomous-system'
Table 249: Device Results (3.3.1.4)
Device  Result
router03 IOS 12.3  Fail
CiscoIOS15 IOS 15.0  Pass
Description
Configure the EIGRP address family.
Rationale
BGP is a true multi-protocol routing protocol and the 'address-family' feature enables restriction of exchanges with specific neighbors.
Remediation
Configure the EIGRP address family.
hostname(config)# router eigrp <virtual-instance-name>
hostname(config-router)# address-family ipv4 autonomous-system {eigrp_as-number}
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using 'address-family' for EIGRP enforces these policies by restricting the exchanges between predefined network devices.
4.2.3.3.1.5 Set 'af-interface default'
Table 250: Device Results (3.3.1.5)
Device  Result
router03 IOS 12.3  Fail
CiscoIOS15 IOS 15.0  Pass
Description
Defines user defaults to apply to EIGRP interfaces that belong to an address-family.
Rationale
Part of the EIGRP address-family setup.
Remediation
Configure the EIGRP address family.
hostname(config)# router eigrp <virtual-instance-name>
hostname(config-router)# address-family ipv4 autonomous-system {eigrp_as-number}
hostname(config-router-af)# af-interface default
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using 'af-interface default' for EIGRP interfaces enforces these policies by restricting the exchanges between predefined network devices.
4.2.3.3.1.6 Set 'authentication key-chain'
Table 251: Device Results (3.3.1.6)
Device  Result
router03 IOS 12.3  Fail
CiscoIOS15 IOS 15.0  Pass
Description
Configure the EIGRP address family key chain.
Rationale
This is part of the EIGRP authentication configuration.
Remediation
Configure the EIGRP address family key chain.
hostname(config)# router eigrp <virtual-instance-name>
hostname(config-router)# address-family ipv4 autonomous-system {eigrp_as-number}
hostname(config-router-af)# af-interface {interface-name}
hostname(config-router-af-interface)# authentication key-chain {eigrp_key-chain_name}
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using the address-family 'key chain' for EIGRP enforces these policies by restricting the exchanges between predefined network devices.
4.2.3.3.1.7 Set 'authentication mode md5'
Table 252: Device Results (3.3.1.7)
Device  Result
router03 IOS 12.3  Fail
CiscoIOS15 IOS 15.0  Pass
Description
Configure authentication to prevent unapproved sources from introducing unauthorized or false service messages.
Rationale
This is part of the EIGRP authentication configuration.
Remediation
Configure the EIGRP address family authentication mode.
hostname(config)# router eigrp <virtual-instance-name>
hostname(config-router)# address-family ipv4 autonomous-system {eigrp_as-number}
hostname(config-router-af)# af-interface {interface-name}
hostname(config-router-af-interface)# authentication mode md5
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using the 'authentication mode' for EIGRP address-family or service-family packets enforces these policies by restricting the type of authentication between network devices.
4.2.3.3.1.8 Set 'ip authentication key-chain eigrp'
Table 253: Device Results (3.3.1.8)
Device  Result
router03 IOS 12.3  Fail
CiscoIOS15 IOS 15.0  Pass
Description
Specify the type of authentication used in Enhanced Interior Gateway Routing Protocol (EIGRP) packets per interface.
Rationale
Configure the EIGRP authentication key-chain number and name to restrict packet exchanges between network devices.
Remediation
Configure the interface with the EIGRP key chain.
hostname(config)# interface {interface_name}
hostname(config-if)# ip authentication key-chain eigrp {eigrp_as-number} {eigrp_key-chain_name}
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the interface with 'ip authentication key chain' for EIGRP by name and number enforces these policies by restricting the exchanges between network devices.
4.2.3.3.1.9 Set 'ip authentication mode eigrp'
Table 254: Device Results (3.3.1.9)
Device  Result
router03 IOS 12.3  Fail
CiscoIOS15 IOS 15.0  Pass
Description
Configure authentication to prevent unapproved sources from introducing unauthorized or false routing messages.
Rationale
This is part of the EIGRP authentication configuration.
Remediation
Configure the interface with the EIGRP authentication mode.
hostname(config)# interface {interface_name}
hostname(config-if)# ip authentication mode eigrp {eigrp_as-number} md5
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the interface with 'ip authentication mode' for EIGRP by number and mode enforces these policies by restricting the exchanges between network devices.
4.2.3.3.2 Require OSPF Authentication if Protocol is Used
Verify Open Shortest Path First (OSPF) authentication is enabled, where feasible.
4.2.3.3.2.1 Set 'authentication message-digest' for OSPF area
Table 255: Device Results (3.3.2.1)
Device  Result
router03 IOS 12.3  Fail
CiscoIOS15 IOS 15.0  Pass
Description
Enable MD5 authentication for OSPF.
Rationale
This is part of the OSPF authentication setup.
Remediation
Configure the Message Digest option for OSPF.
hostname(config)# router ospf <ospf_process-id>
hostname(config-router)# area <ospf_area-id> authentication message-digest
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the area 'authentication message-digest' for OSPF enforces these policies by restricting exchanges between network devices.
4.2.3.3.2.2 Set 'ip ospf message-digest-key md5'
Table 256: Device Results (3.3.2.2)
Device  Result
router03 IOS 12.3  Fail
CiscoIOS15 IOS 15.0  Pass
Description
Enable Open Shortest Path First (OSPF) Message Digest 5 (MD5) authentication.
Rationale
This is part of the OSPF authentication setup.
Remediation
Configure the appropriate interface(s) for Message Digest authentication:
hostname(config)# interface {interface_name}
hostname(config-if)# ip ospf message-digest-key {ospf_md5_key-id} md5 {ospf_md5_key}
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the proper interface(s) for 'ip ospf message-digest-key md5' enforces these policies by restricting exchanges between network devices.
4.2.3.3.3 Require RIPv2 Authentication if Protocol is Used
Routing Information Protocol is a distance vector protocol used for interior gateway routing on some networks.
RIP is a complex protocol, with many configuration options which may have effects which are not immediately obvious.
Verify Routing Information Protocol (RIP) version two authentication is enabled, if the routing protocol is used, where feasible.
4.2.3.3.3.1 Set 'key chain'
Table 257: Device Results (3.3.3.1)
Device  Result
router03 IOS 12.3  Pass
CiscoIOS15 IOS 15.0  Pass
Description
Define an authentication key chain to enable authentication for RIPv2 routing protocols.
Rationale
This is part of the routing authentication process.
Remediation
Establish the key chain.
hostname(config)# key chain {rip_key-chain_name}
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the proper authentication 'key-chain (name)' for RIPv2 protocols enforces these policies by restricting acceptable authentication between network devices.
4.2.3.3.3.2 Set 'key'
Table 258: Device Results (3.3.3.2)
Device  Result
router03 IOS 12.3  Pass
CiscoIOS15 IOS 15.0  Pass
Description
Configure an authentication key on a key chain.
Rationale
This is part of the routing authentication setup.
Remediation
Configure the key number.
hostname(config-keychain)# key {key-number}
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the proper authentication 'key' for RIPv2 protocols enforces these policies by restricting acceptable authentication between network devices.
4.2.3.3.3.3 Set 'key-string'
Table 259: Device Results (3.3.3.3)
Device  Result
router03 IOS 12.3  Pass
CiscoIOS15 IOS 15.0  Pass
Description
Configure the authentication string for a key.
Rationale
This is part of the routing authentication setup.
Remediation
Configure the key string.
hostname(config-keychain-key)# key-string <key-string>
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using 'key-string' for key chains for routing protocols enforces these policies.
4.2.3.3.3.4 Set 'ip rip authentication key-chain'
Table 260: Device Results (3.3.3.4)
Device  Result
router03 IOS 12.3  Pass
CiscoIOS15 IOS 15.0  Pass
Description
Enable authentication for Routing Information Protocol (RIP) Version 2 packets and specify the set of keys that can be used on an interface.
Rationale
This is part of the RIPv2 authentication setup.
Remediation
Configure the interface with the RIPv2 key chain.
hostname(config)# interface {interface_name}
hostname(config-if)# ip rip authentication key-chain {rip_key-chain_name}
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the interface with 'ip rip authentication key-chain' by name enforces these policies by restricting the exchanges between network devices.
4.2.3.3.3.5 Set 'ip rip authentication mode' to 'md5'
Table 261: Device Results (3.3.3.5)
Device  Result
router03 IOS 12.3  Fail
CiscoIOS15 IOS 15.0  Pass
Description
Configure the interface with the RIPv2 authentication mode.
Rationale
This is part of the RIPv2 authentication setup.
Remediation
Configure the RIPv2 authentication mode on the necessary interface(s):
hostname(config)# interface <interface_name>
hostname(config-if)# ip rip authentication mode md5
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using 'ip rip authentication mode md5' enforces these policies by restricting the type of authentication between network devices.
4.2.3.3.4 Require BGP Authentication if Protocol is Used
Border Gateway Protocol (BGP) is a path vector protocol used for interior and exterior gateway routing on some networks.
BGP is a complex protocol, with many configuration options which may have effects which are not immediately obvious.
Verify Border Gateway Protocol (BGP) authentication is enabled, if the routing protocol is used, where feasible.
4.2.3.3.4.1 Set 'neighbor password'
Table 262: Device Results (3.3.4.1)
Device  Result
router03 IOS 12.3  Fail
CiscoIOS15 IOS 15.0  Pass
Description
Enable Message Digest 5 (MD5) authentication on a TCP connection between two BGP peers.
Rationale
Enforcing routing authentication reduces the likelihood of route poisoning and of unauthorized routers joining BGP routing.
Remediation
Configure BGP neighbor authentication where feasible.
hostname(config)# router bgp <bgp_as-number>
hostname(config-router)# neighbor <bgp_neighbor-ip | peer-group-name> password <password>
Impact:
Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Using the 'neighbor password' for BGP enforces these policies by restricting the type of authentication between network devices.
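The key chain, EIGRP named-mode, OSPF area and BGP neighbor rules above (3.3.1.1 to 3.3.1.7, 3.3.2.1 and 3.3.4.1) all live in nested router-configuration stanzas, so one indentation-aware parser can evaluate them and also catch a cross-reference error a line-by-line check would not: an af-interface naming a key chain that does not exist. The Python below is an added example, not Nipper Studio's code; the configurations, the virtual-instance name, AS numbers, addresses and key strings are constructed placeholders, and the 'TYPO-KEYS' reference in the weak variant is deliberate.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample following the remediation above (not the audited devices'
# configurations); instance name, AS numbers and key strings are placeholders.
GOOD_CONFIG = """\
key chain EIGRP-KEYS
 key 1
  key-string PLACEHOLDER-KEY-STRING
router eigrp CORP
 address-family ipv4 autonomous-system 100
  af-interface default
   authentication mode md5
   authentication key-chain EIGRP-KEYS
  network 10.0.0.0
router ospf 1
 area 0 authentication message-digest
 network 10.0.0.0 0.255.255.255 area 0
router bgp 65000
 neighbor 203.0.113.1 remote-as 65001
 neighbor 203.0.113.1 password PLACEHOLDER-BGP-PASSWORD
"""

# Constructed weak variant: the key chain exists, but EIGRP references a chain
# name that does not, has no md5 mode, and OSPF and BGP run unauthenticated.
WEAK_CONFIG = """\
key chain EIGRP-KEYS
 key 1
  key-string PLACEHOLDER-KEY-STRING
router eigrp CORP
 address-family ipv4 autonomous-system 100
  af-interface default
   authentication key-chain TYPO-KEYS
  network 10.0.0.0
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
router bgp 65000
 neighbor 203.0.113.1 remote-as 65001
"""


@dataclass
class Node:
    text: str
    children: List["Node"] = field(default_factory=list)

    def find(self, prefix: str) -> List["Node"]:
        return [c for c in self.children if c.text.startswith(prefix)]


def parse_tree(config: str) -> Node:
    """Build a tree from IOS indentation: each nested mode indents one more space."""
    root = Node("")
    stack = [(-1, root)]
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= depth:       # close deeper (or equal) modes
            stack.pop()
        node = Node(raw.strip())
        stack[-1][1].children.append(node)
        stack.append((depth, node))
    return root


def audit_routing_auth(config: str) -> Dict[str, str]:
    """Evaluate 3.3.1.1-3.3.1.7, 3.3.2.1 and 3.3.4.1 against one running-config."""
    root = parse_tree(config)
    r: Dict[str, str] = {}
    # 3.3.1.1 - 3.3.1.3: every key chain must carry a key that has a key-string.
    chains = {kc.text.split()[-1]: any(k.find("key-string ") for k in kc.find("key "))
              for kc in root.find("key chain ")}
    r["3.3.1.1-3 key chain with key-string"] = "Pass" if chains and all(chains.values()) else "Fail"
    # 3.3.1.4 - 3.3.1.7: EIGRP named mode, each af-interface using md5 and an existing chain.
    for proc in root.find("router eigrp "):
        afs = proc.find("address-family ipv4 autonomous-system ")
        afis = [i for af in afs for i in af.find("af-interface ")]
        r["3.3.1.4 address-family"] = "Pass" if afs else "Fail"
        r["3.3.1.5 af-interface default"] = (
            "Pass" if any(i.text == "af-interface default" for i in afis) else "Fail")
        chain_ok = afis and all(any(c.text.split()[-1] in chains
                                    for c in i.find("authentication key-chain ")) for i in afis)
        mode_ok = afis and all(any(m.text == "authentication mode md5"
                                   for m in i.find("authentication mode ")) for i in afis)
        r["3.3.1.6 authentication key-chain"] = "Pass" if chain_ok else "Fail"
        r["3.3.1.7 authentication mode md5"] = "Pass" if mode_ok else "Fail"
    # 3.3.2.1: every OSPF area the process uses must enable message-digest.
    for proc in root.find("router ospf "):
        used = {n.text.split()[-1] for n in proc.find("network ") if " area " in n.text}
        digest = {a.text.split()[1] for a in proc.find("area ")
                  if a.text.endswith(" authentication message-digest")}
        r["3.3.2.1 area authentication message-digest"] = "Pass" if used and used <= digest else "Fail"
    # 3.3.4.1: every configured BGP neighbor must have a password.
    for proc in root.find("router bgp "):
        peers = {n.text.split()[1] for n in proc.find("neighbor ") if " remote-as " in n.text}
        secured = {n.text.split()[1] for n in proc.find("neighbor ") if " password " in n.text}
        r["3.3.4.1 neighbor password"] = "Pass" if peers and peers <= secured else "Fail"
    return r


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_routing_auth(cfg))
```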
4.3 Conclusions
Nipper Studio performed a CIS benchmark audit on 2 March 2017 against the devices detailed in Table 263.
Table 263: Benchmark Issues by Device
Device  Profile  Issues
router03 IOS 12.3  Level 2  52
CiscoIOS15 IOS 15.0  Level 2  3
This section collates the CIS rules which are currently not adhered to, providing a guide for planning their remediation. The rules are listed in Table 264.
Table 264: Failed Benchmark Checks
Rule  Device  Section
Set 'aaa accounting network'  router03 IOS 12.3  4.2.1.1.10
Set 'aaa accounting system'  router03 IOS 12.3  4.2.1.1.11
Enable 'aaa new-model'  router03 IOS 12.3  4.2.1.1.1
Enable 'aaa authentication login'  router03 IOS 12.3  4.2.1.1.2
Enable 'aaa authentication enable default'  router03 IOS 12.3  4.2.1.1.3
Set 'login authentication' for 'line con 0'  router03 IOS 12.3  4.2.1.1.4
Set 'login authentication' for 'line tty'  router03 IOS 12.3  4.2.1.1.5
Set 'login authentication' for 'line vty'  router03 IOS 12.3  4.2.1.1.6
Set 'aaa accounting' to log all privileged use commands using 'commands 15'  router03 IOS 12.3  4.2.1.1.7
Set 'aaa accounting connection'  router03 IOS 12.3  4.2.1.1.8
Set 'aaa accounting exec'  router03 IOS 12.3  4.2.1.1.9
Set 'privilege 1' for local users  router03 IOS 12.3  4.2.1.2.1
Set 'transport input ssh' for 'line vty' connections  CiscoIOS15 IOS 15.0  4.2.1.2.2
Set 'no exec' for 'line aux 0'  router03 IOS 12.3  4.2.1.2.3
Set the 'banner-text' for 'banner exec'  router03 IOS 12.3  4.2.1.3.1
Set the 'banner-text' for 'banner motd'  router03 IOS 12.3  4.2.1.3.3
Set 'password' for 'enable secret'  router03 IOS 12.3  4.2.1.4.1
Enable 'service password-encryption'  router03 IOS 12.3  4.2.1.4.2
Set 'username secret' for all local users  router03 IOS 12.3; CiscoIOS15 IOS 15.0  4.2.1.4.3
Do not set 'RW' for any 'snmp-server community'  router03 IOS 12.3  4.2.1.5.4
Set the ACL for each 'snmp-server community'  router03 IOS 12.3  4.2.1.5.5
Set 'snmp-server enable traps snmp'  router03 IOS 12.3  4.2.1.5.8
Set the 'ip domain name'  router03 IOS 12.3  4.2.2.1.1.1.2
Set version 2 for 'ip ssh version'  router03 IOS 12.3  4.2.2.1.1.2
Set 'no ip bootp server'  router03 IOS 12.3  4.2.2.1.3
Set 'no service dhcp'  router03 IOS 12.3  4.2.2.1.4
Set 'service tcp-keepalives-in'  router03 IOS 12.3  4.2.2.1.6
Set 'no service pad'  router03 IOS 12.3  4.2.2.1.8
Set 'logging on'  CiscoIOS15 IOS 15.0  4.2.2.2.1
Set 'buffer size' for 'logging buffered'  router03 IOS 12.3  4.2.2.2.2
Set 'logging console critical'  router03 IOS 12.3  4.2.2.2.3
Set IP address for 'logging host'  router03 IOS 12.3  4.2.2.2.4
Set 'service timestamps debug datetime'  router03 IOS 12.3  4.2.2.2.6
Set 'logging source interface'  router03 IOS 12.3  4.2.2.2.7
Set 'ntp authenticate'  router03 IOS 12.3  4.2.2.3.1.1
Set 'ntp authentication-key'  router03 IOS 12.3  4.2.2.3.1.2
Set the 'ntp trusted-key'  router03 IOS 12.3  4.2.2.3.1.3
Set 'key' for each 'ntp server'  router03 IOS 12.3  4.2.2.3.1.4
Set AAA 'source-interface'  router03 IOS 12.3  4.2.2.4.2
Set 'ntp source' to Loopback Interface  router03 IOS 12.3  4.2.2.4.3
Set 'ip tftp source-interface' to the Loopback Interface  router03 IOS 12.3  4.2.2.4.4
Set 'no ip source-route'  router03 IOS 12.3  4.2.3.1.1
Set 'no ip proxy-arp'  router03 IOS 12.3  4.2.3.1.2
Set 'ip verify unicast source reachable-via'  router03 IOS 12.3  4.2.3.1.4
Set 'address-family ipv4 autonomous-system'  router03 IOS 12.3  4.2.3.3.1.4
Set 'af-interface default'  router03 IOS 12.3  4.2.3.3.1.5
Set 'authentication key-chain'  router03 IOS 12.3  4.2.3.3.1.6
Set 'authentication mode md5'  router03 IOS 12.3  4.2.3.3.1.7
Set 'ip authentication key-chain eigrp'  router03 IOS 12.3  4.2.3.3.1.8
Set 'ip authentication mode eigrp'  router03 IOS 12.3  4.2.3.3.1.9
Set 'authentication message-digest' for OSPF area  router03 IOS 12.3  4.2.3.3.2.1
Set 'ip ospf message-digest-key md5'  router03 IOS 12.3  4.2.3.3.2.2
Set 'ip rip authentication mode' to 'md5'  router03 IOS 12.3  4.2.3.3.3.5
Set 'neighbor password'  router03 IOS 12.3  4.2.3.3.4.1
5DISASTIGCompliance5.1Introduction
NipperStudioperformedaDepartmentofDefence(DoD)STIGcomplianceauditon2March2017ofthedevicesandSTIGsdetailedinTable265.
Table265:STIGdeviceauditchecklists
Device STIG Profile Version
router03 InfrastructureL3SwitchSecureTechnicalImplementationGuide-Cisco I-MissionCriticalPublic 8R21(28/10/2016)
CiscoIOS15 InfrastructureRouterSecurityTechnicalImplementationGuideCisco I-MissionCriticalPublic 8R21(28/10/2016)
VulnerabilitySeverityCodeDefinition
Table266providesthevulnerabilityseveritycodesanditsdefinitions.
CAT DISA/DIACAPCategoryCodeGuidelines
Examples
I Anyvulnerability,theexploitationofwhichwill,directlyandimmediately
resultinlossofConfidentiality,Availability,orIntegrity.AnATOwillnotbe
grantedwhileCATIweaknessesarepresent.
Note: The exploitation of vulnerabilities must be evaluated at the level of the system or component being reviewed. A workstation, for example, is a standalone device for some purposes and part of a larger system for others. Risks to the device are first considered, then risks to the device in its environment, then risks presented by the device to the environment. All risk factors must be considered when developing mitigation strategies at the device and system level.
Includes BUT NOT LIMITED to the following examples of direct and immediate loss:
1. May result in loss of life, loss of facilities, or equipment, which would result in mission failure.
2. Allows unauthorized access to security or administrator level resources or privileges.
3. Allows unauthorized disclosure of, or access to, classified data or materials.
4. Allows unauthorized access to classified facilities.
5. Allows denial of service or denial of access, which will result in mission failure.
6. Prevents auditing or monitoring of cyber or physical environments.
7. Operation of a system/capability which has not been approved by the appropriate DAA.
8. Unsupported software where there is no documented acceptance of DAA risk.
II: Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity. CAT II findings that have been satisfactorily mitigated will not prevent an ATO from being granted.
Note: The exploitation of vulnerabilities must be evaluated at the level of the system or component being reviewed. A workstation, for example, is a standalone device for some purposes and part of a larger system for others. Risks to the device are first considered, then risks to the device in its environment, then risks presented by the device to the environment. All risk factors must be considered when developing mitigation strategies at the device and system level.
Includes BUT NOT LIMITED to the following examples that have a potential to result in loss:
1. Allows access to information that could lead to a CAT I vulnerability.
2. Could result in personal injury, damage to facilities, or equipment which would degrade the mission.
3. Allows unauthorized access to user or application level system resources.
4. Could result in the loss or compromise of sensitive information.
5. Allows unauthorized access to Government or Contractor owned or leased facilities.
6. May result in the disruption of system or network resources that degrades the ability to perform the mission.
7. Prevents a timely recovery from an attack or system outage.
8. Provides unauthorized disclosure of or access to unclassified sensitive, PII, or other data or materials.
III: Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity. Assigned findings that may impact IA posture but are not required to be mitigated or corrected in order for an ATO to be granted.
Note: The exploitation of vulnerabilities must be evaluated at the level of the system or component being reviewed. A workstation, for example, is a standalone device for some purposes and part of a larger system for others. Risks to the device are first considered, then risks to the device in its environment, then risks presented by the device to the environment. All risk factors must be considered when developing mitigation strategies at the device and system level.
Includes BUT NOT LIMITED to the following examples that provide information which could potentially result in degradation of system information assurance measures or loss of data:
1. Allows access to information that could lead to a CAT II vulnerability.
2. Has the potential to affect the accuracy or reliability of data pertaining to personnel, resources, operations, or other sensitive information.
3. Allows the running of any applications, services or protocols that do not support mission functions.
4. Degrades a defense in depth systems security architecture.
5. Degrades the timely recovery from an attack or system outage.
6. Indicates inadequate security administration.
7. System not documented in the site's C&A Package/SSP.
8. Lack of document retention by the Information Assurance Manager IAM (i.e., completed user agreement forms).
Table 266: Vulnerability Severity Code Definitions
Disclaimer
The following compliance audit is designed to add speed and convenience to a manual STIG assessment. To maintain validity we always recommend that you use the latest release of the DISA STIG. Any automated compliance reporting should be combined with careful analysis and additional manual checks may be required.
Go to the report contents or the start of this section.
5.2 router03 Infrastructure L3 Switch Secure Technical Implementation Guide - Cisco Summary
Table 267 provides a summary of the "Infrastructure L3 Switch Secure Technical Implementation Guide - Cisco" version 8 release 21 (28/10/2016) compliance audit as "I - Mission Critical Public" against the Cisco Router device router03. A more detailed analysis of each requirement and the findings follows this summary.
Table 267: router03 Infrastructure L3 Switch Secure Technical Implementation Guide - Cisco summary
Group | STIG | Title | Responsibility | IA Controls | Severity | State
V-3971 | NET-VLAN-004 | VLAN 1 is being used as a user VLAN. | Information Assurance Officer | | CAT II |
V-3972 | NET-VLAN-005 | VLAN 1 traffic traverses across unnecessary trunk | Information Assurance Officer | | CAT III |
V-3973 | NET-VLAN-002 | Disabled ports are not kept in an unused VLAN. | Information Assurance Officer | | CAT III |
V-3984 | NET-VLAN-009 | Access switchports are assigned to the native VLAN | Information Assurance Officer | | CAT II |
V-5622 | NET-VLAN-008 | A dedicated VLAN is required for all trunk ports. | Information Assurance Officer | | CAT II |
V-5623 | NET-VLAN-007 | Ensure trunking is disabled on all access ports. | Information Assurance Officer | | CAT II |
V-5624 | NET-NAC-012 | Re-authentication must occur every 60 minutes. | | | CAT II |
V-5626 | NET-NAC-009 | NET-NAC-009 | Information Assurance Officer | | CAT I |
V-5628 | NET-VLAN-006 | The VLAN 1 is being used for management traffic. | Information Assurance Officer | | CAT II |
V-17815 | NET0985 | IGP instances do not peer with appropriate domain | System Administrator | | CAT II |
V-17816 | NET0986 | Routes from the two IGP domains are redistributed | System Administrator | ECSC-1 | CAT II |
V-17824 | NET0994 | Management interface is assigned to a user VLAN. | System Administrator | | CAT II |
V-17825 | NET0995 | Management VLAN has invalid addresses | System Administrator | | CAT III |
V-17826 | NET0996 | Invalid ports with membership to the mgmt VLAN | System Administrator | | CAT II |
V-17827 | NET0997 | The management VLAN is not pruned from trunk links | System Administrator | | CAT III |
V-17832 | NET1003 | Mgmt VLAN does not have correct IP address | System Administrator | | CAT II |
V-17833 | NET1004 | No ingress ACL on management VLAN interface | | | CAT II |
V-18523 | NET-SRVFRM-004 | ACLs do not protect against compromised servers | Information Assurance Officer | | CAT II |
V-18544 | NET-VLAN-023 | Restricted VLAN not assigned to non-802.1x device. | Information Assurance Officer | DCSP-1 | CAT III |
V-18545 | NET-VLAN-024 | Upstream access not restricted for non-802.1x VLAN | Information Assurance Officer | | CAT II |
V-18566 | NET-NAC-031 | NET-NAC-031 | Information Assurance Officer | DCSP-1 | CAT II |
V-3000 | NET1020 | Interface ACL deny statements are not logged. | Information Assurance Officer | ECAT-1, ECAT-2, ECSC-1 | CAT III |
V-3008 | NET1800 | IPSec VPN is not configured as a tunnel type VPN. | Information Assurance Officer | | CAT II |
V-3012 | NET0230 | Network element is not password protected. | Information Assurance Officer | | CAT I |
V-3013 | NET0340 | Login banner is non-existent or not DOD-approved. | Information Assurance Officer | | CAT II |
V-3014 | NET1639 | Management connection does not timeout. | Information Assurance Officer | | CAT II |
V-3020 | NET0820 | DNS servers must be defined for client resolver. | Information Assurance Officer | | CAT III |
V-3021 | NET0890 | SNMP access is not restricted by IP address. | Information Assurance Officer | | CAT II |
V-3034 | NET0400 | Interior routing protocols are not authenticated. | Information Assurance Officer | | CAT II |
V-3043 | NET1675 | SNMP privileged and non-privileged access. | Information Assurance Officer | | CAT II |
V-3056 | NET0460 | Group accounts are defined. | Information Assurance Officer | | CAT I |
V-3057 | NET0465 | Accounts assigned least privileges necessary to perform duties. | Information Assurance Officer | ECSC-1 | CAT II |
V-3058 | NET0470 | Unauthorized accounts are configured to access device. | Information Assurance Officer | | CAT II |
V-3062 | NET0600 | Passwords are viewable when displaying the config. | Information Assurance Officer | ECSC-1 | CAT I |
V-3069 | NET1638 | Management connections must be secured by FIPS 140-2. | Information Assurance Officer | DCNR-1, ECSC-1 | CAT II |
V-3070 | NET1640 | Management connections must be logged. | Information Assurance Officer | | CAT III |
V-3072 | NET1030 | Running and startup configurations are not synchronized. | Information Assurance Officer | | CAT III |
V-3078 | NET0720 | TCP and UDP small server services are not disabled. | Information Assurance Officer | | CAT III |
V-3079 | NET0730 | The finger service is not disabled. | Information Assurance Officer | | CAT III |
V-3080 | NET0760 | Configuration auto-loading must be disabled. | Information Assurance Officer | | CAT II |
V-3081 | NET0770 | IP Source Routing is not disabled on all routers. | Information Assurance Officer | | CAT II |
V-3083 | NET0790 | IP directed broadcast is not disabled. | Information Assurance Officer | ECSC-1 | CAT III |
V-3085 | NET0740 | HTTP server is not disabled | Information Assurance Officer | | CAT II |
V-3086 | NET0750 | The Bootp service is not disabled. | Information Assurance Officer | | CAT III |
V-3143 | NET0240 | Devices exist with standard default passwords. | Information Assurance Officer | | CAT I |
V-3160 | NET0700 | Operating system is not at a current release level. | Information Assurance Officer | | CAT II |
V-3175 | NET1636 | Management connections must require passwords. | Information Assurance Officer | ECSC-1 | CAT I |
V-3196 | NET1660 | An insecure version of SNMP is being used. | Information Assurance Officer | | CAT I |
V-3210 | NET1665 | Using default SNMP community names. | Information Assurance Officer | | CAT I |
V-3966 | NET0440 | More than one local account is defined. | | | CAT II |
V-3967 | NET1624 | The console port does not timeout after 10 minutes. | Information Assurance Officer | | CAT II |
V-3969 | NET0894 | Network element must only allow SNMP read access. | Information Assurance Officer | ECSC-1 | CAT II |
V-4582 | NET1623 | Authentication required for console access. | Information Assurance Officer | IAIA-1, IAIA-2 | CAT I |
V-4584 | NET1021 | The network element must log all messages except debugging. | Information Assurance Officer | | CAT III |
V-5611 | NET1637 | Management connections are not restricted. | | | CAT II |
V-5612 | NET1645 | SSH session timeout is not 60 seconds or less. | Information Assurance Officer | | CAT II |
V-5613 | NET1646 | SSH login attempts value is greater than 3. | Information Assurance Officer | | CAT II |
V-5614 | NET0722 | The PAD service is enabled. | Information Assurance Officer | | CAT III |
V-5615 | NET0724 | TCP Keep-Alives must be enabled. | Information Assurance Officer | | CAT III |
V-5616 | NET0726 | Identification support is enabled. | Information Assurance Officer | | CAT III |
V-5618 | NET0781 | Gratuitous ARP must be disabled. | Information Assurance Officer | | CAT II |
V-5645 | NET0949 | Cisco Express Forwarding (CEF) not enabled on supported devices. | Information Assurance Officer | ECSC-1 | CAT II |
V-5646 | NET0965 | Devices not configured to filter and drop half-open connections. | Information Assurance Officer | ECSC-1 | CAT II |
V-7009 | NET0425 | An Infinite Lifetime key has not been implemented | Information Assurance Officer | ECSC-1 | CAT I |
V-7011 | NET1629 | The auxiliary port is not disabled. | Information Assurance Officer | | CAT III |
V-14667 | NET0422 | Key expiration exceeds 180 days. | Information Assurance Officer | | CAT III |
V-14669 | NET0744 | BSD r commands are not disabled. | Information Assurance Officer | | CAT II |
V-14671 | NET0813 | NTP messages are not authenticated. | | | CAT II |
V-14672 | NET0897 | Authentication traffic does not use loopback address or OOB Management interface. | Information Assurance Officer | | CAT III |
V-14673 | NET0898 | Syslog traffic is not using loopback address or OOB management interface. | Information Assurance Officer | | CAT III |
V-14674 | NET0899 | NTP traffic is not using loopback address or OOB Management interface. | Information Assurance Officer | | CAT III |
V-14675 | NET0900 | SNMP traffic does not use loopback address or OOB Management interface. | Information Assurance Officer | | CAT III |
V-14676 | NET0901 | Netflow traffic is not using loopback address. | Information Assurance Officer | | CAT III |
V-14677 | NET0902 | FTP/TFTP traffic does not use loopback address or OOB Management interface. | Information Assurance Officer | ECSC-1 | CAT III |
V-14681 | NET0903 | Loopback address is not used as the iBGP source IP. | Information Assurance Officer | | CAT III |
V-14693 | NET-IPV6-025 | IPv6 Site Local Unicast ADDR must not be defined | Information Assurance Officer | ECSC-1 | CAT II |
V-14705 | NET-IPV6-033 | IPv6 routers are not configured with CEF enabled | Information Assurance Officer | ECSC-1 | CAT II |
V-14707 | NET-IPV6-034 | IPv6 Egress Outbound Spoofing Filter | Information Assurance Officer | | CAT II |
V-14717 | NET1647 | The network element must not allow SSH Version 1. | Information Assurance Officer | | CAT II |
V-15288 | NET-TUNL-017 | ISATAP tunnels must terminate at interior router. | Information Assurance Officer | ECSC-1 | CAT II |
V-15432 | NET0433 | The device is not authenticated using a AAA server. | Information Assurance Officer | | CAT II |
V-15434 | NET0441 | Emergency administration account privilege level is not set. | Information Assurance Officer | | CAT I |
V-17754 | NET1807 | Management traffic is not restricted | Information Assurance Officer | | CAT II |
V-17814 | NET1808 | Remote VPN end-point not a mirror of local gateway | System Administrator | | CAT II |
V-17817 | NET0987 | Managed network has access to OOBM gateway router | System Administrator | | CAT II |
V-17818 | NET0988 | Traffic from the managed network will leak | System Administrator | | CAT II |
V-17819 | NET0989 | Management traffic leaks into the managed network | System Administrator | | CAT II |
V-17821 | NET0991 | The OOBM interface not configured correctly. | System Administrator | | CAT II |
V-17822 | NET0992 | The management interface does not have an ACL. | System Administrator | | CAT II |
V-17823 | NET0993 | The management interface is not IGP passive. | System Administrator | | CAT III |
V-17834 | NET1005 | No inbound ACL for mgmt network sub-interface | System Administrator | | CAT II |
V-17835 | NET1006 | IPSec traffic is not restricted | System Administrator | | CAT II |
V-17836 | NET1007 | Management traffic is not classified and marked | System Administrator | | CAT III |
V-17837 | NET1008 | Management traffic doesn't get preferred treatment | System Administrator | | CAT III |
V-18522 | NET-SRVFRM-003 | ACLs must restrict access to server VLANs. | Information Assurance Officer | ECSC-1 | CAT II |
V-18790 | NET-TUNL-012 | NET-TUNL-012 | Information Assurance Officer | ECSC-1 | CAT II |
V-19188 | NET0966 | Control plane protection is not enabled. | System Administrator | | CAT II |
V-19189 | NET-MCAST-010 | No Admin-local or Site-local boundary | System Administrator | | CAT III |
V-23747 | NET0812 | Two NTP servers are not used to synchronize time. | Information Assurance Officer | | CAT III |
V-28784 | NET0405 | Call home service is disabled. | Information Assurance Officer | | CAT II |
V-30577 | NET-MCAST-001 | PIM enabled on wrong interfaces | System Administrator | | CAT II |
V-30578 | NET-MCAST-002 | PIM neighbor filter is not configured | Information Assurance Officer | | CAT II |
V-30585 | NET-MCAST-020 | Invalid group used for source specific multicast | Information Assurance Officer | | CAT III |
V-30617 | NET-IPV6-059 | Maximum hop limit is less than 32 | Information Assurance Officer | | CAT III |
V-30660 | NET-IPV6-065 | The 6-to-4 router is not filtering protocol 41 | Information Assurance Officer | | CAT II |
V-30736 | NET-IPV6-066 | 6-to-4 router not filtering invalid source address | Information Assurance Officer | | CAT III |
V-30744 | NET-TUNL-034 | L2TPv3 sessions are not authenticated | Information Assurance Officer | | CAT II |
V-31285 | NET0408 | BGP must authenticate all peers. | | ECSC-1 | CAT II |
Go to the report contents or the start of this section.
5.3 CiscoIOS15 Infrastructure Router Security Technical Implementation Guide Cisco Summary
Table 268 provides a summary of the "Infrastructure Router Security Technical Implementation Guide Cisco" version 8 release 21 (28/10/2016) compliance audit as "I - Mission Critical Public" against the Cisco Router device CiscoIOS15. A more detailed analysis of each requirement and the findings follows this summary.
Table 268: CiscoIOS15 Infrastructure Router Security Technical Implementation Guide Cisco summary
Group | STIG | Title | Responsibility | IA Controls | Severity | State
V-3000 | NET1020 | Interface ACL deny statements are not logged. | Information Assurance Officer | ECAT-1, ECAT-2, ECSC-1 | CAT III |
V-3008 | NET1800 | IPSec VPN is not configured as a tunnel type VPN. | Information Assurance Officer | | CAT II |
V-3012 | NET0230 | Network element is not password protected. | Information Assurance Officer | | CAT I |
V-3013 | NET0340 | Login banner is non-existent or not DOD-approved. | Information Assurance Officer | | CAT II |
V-3014 | NET1639 | Management connection does not timeout. | Information Assurance Officer | | CAT II |
V-3020 | NET0820 | DNS servers must be defined for client resolver. | Information Assurance Officer | | CAT III |
V-3021 | NET0890 | SNMP access is not restricted by IP address. | Information Assurance Officer | | CAT II |
V-3034 | NET0400 | Interior routing protocols are not authenticated. | Information Assurance Officer | | CAT II |
V-3043 | NET1675 | SNMP privileged and non-privileged access. | Information Assurance Officer | | CAT II |
V-3056 | NET0460 | Group accounts are defined. | Information Assurance Officer | | CAT I |
V-3057 | NET0465 | Accounts assigned least privileges necessary to perform duties. | Information Assurance Officer | ECSC-1 | CAT II |
V-3058 | NET0470 | Unauthorized accounts are configured to access device. | Information Assurance Officer | | CAT II |
V-3062 | NET0600 | Passwords are viewable when displaying the config. | Information Assurance Officer | ECSC-1 | CAT I |
V-3069 | NET1638 | Management connections must be secured by FIPS 140-2. | Information Assurance Officer | DCNR-1, ECSC-1 | CAT II |
V-3070 | NET1640 | Management connections must be logged. | Information Assurance Officer | | CAT III |
V-3072 | NET1030 | Running and startup configurations are not synchronized. | Information Assurance Officer | | CAT III |
V-3078 | NET0720 | TCP and UDP small server services are not disabled. | Information Assurance Officer | | CAT III |
V-3079 | NET0730 | The finger service is not disabled. | Information Assurance Officer | | CAT III |
V-3080 | NET0760 | Configuration auto-loading must be disabled. | Information Assurance Officer | | CAT II |
V-3081 | NET0770 | IP Source Routing is not disabled on all routers. | Information Assurance Officer | | CAT II |
V-3083 | NET0790 | IP directed broadcast is not disabled. | Information Assurance Officer | ECSC-1 | CAT III |
V-3085 | NET0740 | HTTP server is not disabled | Information Assurance Officer | | CAT II |
V-3086 | NET0750 | The Bootp service is not disabled. | Information Assurance Officer | | CAT III |
V-3143 | NET0240 | Devices exist with standard default passwords. | Information Assurance Officer | | CAT I |
V-3160 | NET0700 | Operating system is not at a current release level. | Information Assurance Officer | | CAT II |
V-3175 | NET1636 | Management connections must require passwords. | Information Assurance Officer | ECSC-1 | CAT I |
V-3196 | NET1660 | An insecure version of SNMP is being used. | Information Assurance Officer | | CAT I |
V-3210 | NET1665 | Using default SNMP community names. | Information Assurance Officer | | CAT I |
V-3966 |
 NET0440 | More than one local account is defined. | | | CAT II |
V-3967 | NET1624 | The console port does not timeout after 10 minutes. | Information Assurance Officer | | CAT II |
V-3969 | NET0894 | Network element must only allow SNMP read access. | Information Assurance Officer | ECSC-1 | CAT II |
V-4582 | NET1623 | Authentication required for console access. | Information Assurance Officer | IAIA-1, IAIA-2 | CAT I |
V-4584 | NET1021 | The network element must log all messages except debugging. | Information Assurance Officer | | CAT III |
V-5611 | NET1637 | Management connections are not restricted. | | | CAT II |
V-5612 | NET1645 | SSH session timeout is not 60 seconds or less. | Information Assurance Officer | | CAT II |
V-5613 | NET1646 | SSH login attempts value is greater than 3. | Information Assurance Officer | | CAT II |
V-5614 | NET0722 | The PAD service is enabled. | Information Assurance Officer | | CAT III |
V-5615 | NET0724 | TCP Keep-Alives must be enabled. | Information Assurance Officer | | CAT III |
V-5616 | NET0726 | Identification support is enabled. | Information Assurance Officer | | CAT III |
V-5618 | NET0781 | Gratuitous ARP must be disabled. | Information Assurance Officer | | CAT II |
V-5645 | NET0949 | Cisco Express Forwarding (CEF) not enabled on supported devices. | Information Assurance Officer | ECSC-1 | CAT II |
V-5646 | NET0965 | Devices not configured to filter and drop half-open connections. | Information Assurance Officer | ECSC-1 | CAT II |
V-7009 | NET0425 | An Infinite Lifetime key has not been implemented | Information Assurance Officer | ECSC-1 | CAT I |
V-7011 | NET1629 | The auxiliary port is not disabled. | Information Assurance Officer | | CAT III |
V-14667 | NET0422 | Key expiration exceeds 180 days. | Information Assurance Officer | | CAT III |
V-14669 | NET0744 | BSD r commands are not disabled. | Information Assurance Officer | | CAT II |
V-14671 | NET0813 | NTP messages are not authenticated. | | | CAT II |
V-14672 | NET0897 | Authentication traffic does not use loopback address or OOB Management interface. | Information Assurance Officer | | CAT III |
V-14673 | NET0898 | Syslog traffic is not using loopback address or OOB management interface. | Information Assurance Officer | | CAT III |
V-14674 | NET0899 | NTP traffic is not using loopback address or OOB Management interface. | Information Assurance Officer | | CAT III |
V-14675 | NET0900 | SNMP traffic does not use loopback address or OOB Management interface. | Information Assurance Officer | | CAT III |
V-14676 | NET0901 | Netflow traffic is not using loopback address. | Information Assurance Officer | | CAT III |
V-14677 | NET0902 | FTP/TFTP traffic does not use loopback address or OOB Management interface. | Information Assurance Officer | ECSC-1 | CAT III |
V-14681 | NET0903 | Loopback address is not used as the iBGP source IP. | Information Assurance Officer | | CAT III |
V-14693 | NET-IPV6-025 | IPv6 Site Local Unicast ADDR must not be defined | Information Assurance Officer | ECSC-1 | CAT II |
V-14705 | NET-IPV6-033 | IPv6 routers are not configured with CEF enabled | Information Assurance Officer | ECSC-1 | CAT II |
V-14707 | NET-IPV6-034 | IPv6 Egress Outbound Spoofing Filter | Information Assurance Officer | | CAT II |
V-14717 | NET1647 | The network element must not allow SSH Version 1. | Information Assurance Officer | | CAT II |
V-15288 | NET-TUNL-017 | ISATAP tunnels must terminate at interior router. | Information Assurance Officer | ECSC-1 | CAT II |
V-15432 | NET0433 | The device is not authenticated using a AAA server. | Information Assurance Officer | | CAT II |
V-15434 | NET0441 | Emergency administration account privilege level is not set. | Information Assurance Officer | | CAT I |
V-17754 | NET1807 | Management traffic is not restricted | Information Assurance Officer | | CAT II |
V-17814 | NET1808 | Remote VPN end-point not a mirror of local gateway | System Administrator | | CAT II |
V-17815 | NET0985 | IGP instances do not peer with appropriate domain | System Administrator | ECSC-1 | CAT II |
V-17816 | NET0986 | Routes from the two IGP domains are redistributed | System Administrator | | CAT II |
V-17817 | NET0987 | Managed network has access to OOBM gateway router | System Administrator | | CAT II |
V-17818 | NET0988 | Traffic from the managed network will leak | System Administrator | | CAT II |
V-17819 | NET0989 | Management traffic leaks into the managed network | System Administrator | | CAT II |
V-17821 | NET0991 | The OOBM interface not configured correctly. | System Administrator | | CAT II |
V-17822 | NET0992 | The management interface does not have an ACL. | System Administrator | | CAT II |
V-17823 | NET0993 | The management interface is not IGP passive. | System Administrator | | CAT III |
V-17834 | NET1005 | No inbound ACL for mgmt network sub-interface | System Administrator | | CAT II |
V-17835 | NET1006 | IPSec traffic is not restricted | System Administrator | | CAT II |
V-17836 | NET1007 | Management traffic is not classified and marked | System Administrator | | CAT III |
V-17837 | NET1008 | Management traffic doesn't get preferred treatment | System Administrator | | CAT III |
V-18522 | NET-SRVFRM-003 | ACLs must restrict access to server VLANs. | Information Assurance Officer | ECSC-1 | CAT II |
V-18790 | NET-TUNL-012 | NET-TUNL-012 | Information Assurance Officer | ECSC-1 | CAT II |
V-19188 | NET0966 | Control plane protection is not enabled. | System Administrator | | CAT II |
V-19189 | NET-MCAST-010 | No Admin-local or Site-local boundary | System Administrator | | CAT III |
V-23747 | NET0812 | Two NTP servers are not used to synchronize time. | Information Assurance Officer | | CAT III |
V-28784 | NET0405 | Call home service is disabled. | Information Assurance Officer | | CAT II |
V-30577 | NET-MCAST-001 | PIM enabled on wrong interfaces | System Administrator | | CAT II |
V-30578 | NET-MCAST-002 | PIM neighbor filter is not configured | Information Assurance Officer | | CAT II |
V-30585 | NET-MCAST-020 | Invalid group used for source specific multicast | Information Assurance Officer | | CAT III |
V-30617 | NET-IPV6-059 | Maximum hop limit is less than 32 | Information Assurance Officer | | CAT III |
V-30660 | NET-IPV6-065 | The 6-to-4 router is not filtering protocol 41 | Information Assurance Officer | | CAT II |
V-30736 | NET-IPV6-066 | 6-to-4 router not filtering invalid source address | Information Assurance Officer | | CAT III |
V-30744 | NET-TUNL-034 | L2TPv3 sessions are not authenticated | Information Assurance Officer | | CAT II |
V-31285 | NET0408 | BGP must authenticate all peers. | | ECSC-1 | CAT II |
Go to the report contents or the start of this section.
5.4 V-3971 - VLAN 1 is being used as a user VLAN.
Severity: CAT II
Rule ID: SV-3971r2_rule
STIG ID: NET-VLAN-004
Controls:
Responsibility: Information Assurance Officer
5.4.1 Summary
VLAN 1 must not be used for user VLANs. Table 269 provides a summary result of the findings.
Table 269: VLAN 1 is being used as a user VLAN. - Summary result
Device | Type | Status
router03 | Cisco Router |
5.4.2 Description
In a VLAN-based network, switches use VLAN 1 as the default VLAN for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP) -- all untagged traffic. As a consequence, VLAN 1 may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.
5.4.3 Findings
router03
VLAN membership of non-trunking interfaces on router03 is detailed in Table 270.
Table 270: VLAN membership of non-trunking interfaces
Interface | Active | VLAN | Trunk | Trunk VLAN | Description
No Information
5.4.4 Check
Review the device configuration and verify that access ports have not been assigned membership to VLAN 1. If any access ports are found in VLAN 1, this is a finding.
5.4.5 Fix
Best practice for VLAN-based networks is to prune unnecessary ports from gaining access to VLAN 1 as well as the management VLAN, and to separate in-band management, device protocol, and data traffic.
Go to the report contents or the start of this section.
5.5 V-3972 - VLAN 1 traffic traverses across unnecessary trunk
Severity: CAT III
Rule ID: SV-3972r2_rule
STIG ID: NET-VLAN-005
Controls:
Responsibility: Information Assurance Officer
5.5.1 Summary
VLAN 1 must be pruned from all trunk and access ports that do not require it. Table 271 provides a summary result of the findings.
Table 271: VLAN 1 traffic traverses across unnecessary trunk - Summary result
Device | Type | Status
router03 | Cisco Router |
5.5.2 Description
VLAN 1 is a special VLAN that tags and handles most of the control plane traffic such as Spanning-Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP), all VLAN 1 tagged traffic. VLAN 1 is enabled on all trunks and ports by default. With larger campus networks, care needs to be taken about the diameter of the VLAN 1 STP domain; instability in one part of the network could affect VLAN 1, thereby influencing control-plane stability and therefore STP stability for all other VLANs.
5.5.3 Check
Review the device configuration to determine if VLAN 1 is pruned from all trunk and access switch ports. If VLAN 1 is not pruned from trunk or access switch ports where it is not required, this is a finding.
5.5.4 Fix
Best practice for VLAN-based networks is to prune unnecessary ports from gaining access to VLAN 1 and ensure that it does not traverse trunks not requiring VLAN 1 traffic.
Go to the report contents or the start of this section.
5.6 V-3973 - Disabled ports are not kept in an unused VLAN.
Severity: CAT III
Rule ID: SV-3973r2_rule
STIG ID: NET-VLAN-002
Controls:
Responsibility: Information Assurance Officer
5.6.1 Summary
Disabled switch ports must be placed in an unused VLAN (do not use VLAN 1). Table 272 provides a summary result of the findings.
Table 272: Disabled ports are not kept in an unused VLAN. - Summary result
Device | Type | Status
router03 | Cisco Router |
5.6.2 Description
It is possible that a disabled port that is assigned to a user or management VLAN becomes enabled by accident or by an attacker and as a result gains access to that VLAN as a member.
5.6.3 Check
Review the device configuration to determine if all disabled ports have been placed into an unused VLAN. The VLAN must not be VLAN 1. If disabled ports are not assigned to an unused VLAN or have been placed into VLAN 1, this is a finding.
5.6.4 Fix
Assign all disabled ports to an unused VLAN. Do not use VLAN 1.
Go to the report contents or the start of this section.
5.7 V-3984 - Access switchports are assigned to the native VLAN
Severity: CAT II
Rule ID: SV-3984r2_rule
STIG ID: NET-VLAN-009
Controls:
Responsibility: Information Assurance Officer
5.7.1 Summary
Access switchports must not be assigned to the native VLAN. Table 273 provides a summary result of the findings.
Table 273: Access switchports are assigned to the native VLAN - Summary result
Device | Type | Status
router03 | Cisco Router |
5.7.2 Description
Double encapsulation can be initiated by an attacker who has access to a switchport belonging to the native VLAN of the trunk port. Knowing the victim's MAC address and with the victim attached to a different switch belonging to the same trunk group, thereby requiring the trunk link and frame tagging, the malicious user can begin the attack by sending frames with two sets of tags. The outer tag that will have the attacker's VLAN ID (probably the well-known and omnipresent VLAN 1) is stripped off by the switch, and the inner tag that will have the victim's VLAN ID is used by the switch as the next hop and sent out the trunk port.
5.7.3 Check
Review the switch configurations and examine all access ports. Verify that they do not belong to the native VLAN. If any access switchports are assigned to the native VLAN, it is a finding.
5.7.4 Fix
To ensure the integrity of the trunk link and prevent unauthorized access, the native VLAN of the trunk port should be changed from the default VLAN 1 to its own unique VLAN. Access switchports must never be assigned to the native VLAN.
Go to the report contents or the start of this section.
5.8 V-5622 - A dedicated VLAN is required for all trunk ports.
Severity: CAT II
Rule ID: SV-5622r2_rule
STIG ID: NET-VLAN-008
Controls:
Responsibility: Information Assurance Officer
5.8.1 Summary
The native VLAN must be assigned to a VLAN ID other than the default VLAN for all 802.1q trunk links. Table 274 provides a summary result of the findings.
Table 274: A dedicated VLAN is required for all trunk ports. - Summary result
Device | Type | Status
router03 | Cisco Router |
5.8.2 Description
VLAN hopping can be initiated by an attacker who has access to a switchport belonging to the same VLAN as the native VLAN of the trunk link connecting to another switch to which the victim is connected. If the attacker knows the victim's MAC address, it can forge a frame with two 802.1q tags and a layer 2 header with the destination address of the victim. Since the frame will ingress the switch from a port belonging to its native VLAN, the trunk port connecting to the victim's switch will simply remove the outer tag because native VLAN traffic is to be untagged. The switch will forward the frame onto the trunk link unaware of the inner tag with a VLAN ID of which the victim's switch port is a member.
5.8.3 Check
Review the device configuration and examine all trunk links. Verify the native VLAN has been configured to a VLAN other than the default VLAN 1. If the native VLAN has been configured to VLAN 1, this is a finding.
5.8.4 Fix
To ensure the integrity of the trunk link and prevent unauthorized access, the native VLAN of the trunk port should be changed from the default VLAN 1 to its own unique VLAN. The native VLAN must be the same on both ends of the trunk link; otherwise traffic could accidentally leak between broadcast domains.
Go to the report contents or the start of this section.
5.9 V-5623 - Ensure trunking is disabled on all access ports.
Severity: CAT II
Rule ID: SV-5623r2_rule
STIG ID: NET-VLAN-007
Controls:
Responsibility: Information Assurance Officer
5.9.1 Summary
Port trunking must be disabled on all access ports (do not configure trunk on, desirable, non-negotiate, or auto -- only off). Table 275 provides a summary result of the findings.
Table 275: Ensure trunking is disabled on all access ports. - Summary result
Device | Type | Status
router03 | Cisco Router |
5.9.2 Description
Double encapsulation can be initiated by an attacker who has access to a switchport belonging to the native VLAN of the trunk port. Knowing the victim's MAC address and with the victim attached to a different switch belonging to the same trunk group, thereby requiring the trunk link and frame tagging, the malicious user can begin the attack by sending frames with two sets of tags. The outer tag that will have the attacker's VLAN ID (probably the well-known and omnipresent VLAN 1) is stripped off by the switch, and the inner tag that will have the victim's VLAN ID is used by the switch as the next hop and sent out the trunk port.
5.9.3 Check
Review the device configuration to determine if trunking has been disabled on access ports. If trunking is enabled on any access port, this is a finding.
5.9.4 Fix
Disable trunking on all access ports.
Go to the report contents or the start of this section.
5.10 V-5624 - Re-authentication must occur every 60 minutes.
Severity: CAT II
Rule ID: SV-5624r2_rule
STIG ID: NET-NAC-012
Controls:
Responsibility:
5.10.1 Summary
The ISSO/NSO will ensure that, if 802.1x Port Authentication is implemented, re-authentication occurs every 60 minutes. Table 276 provides a summary result of the findings.
Table 276: Re-authentication must occur every 60 minutes. - Summary result
Device | Type | Status
router03 | Cisco Router |
5.10.2 Description
Eliminating unauthorized access to the network from inside the enclave is vital to keeping a network secure. Internal access to the private network is enabled by simply connecting a workstation or laptop to a wall plate or access point located in the work area.
5.10.3 Findings
router03
Nipper Studio determined that Forced Authorisation Port Control was enabled on router03.
Table 277: IEEE 802.1x re-authentication
Interface | Active | IEEE 802.1X | Re-Auth | Description
GigabitEthernet1/1 | Yes | Always Authorized | Disabled | First interface on switch
GigabitEthernet1/2 | Yes | Always Authorized | Disabled | Second interface on switch
5.10.4 Check
Review the switch configuration for one of the following interface commands: dot1x reauthentication or authentication periodic. Once one of the interface commands, dot1x reauthentication or authentication periodic, is enabled, the default is 60 minutes. The interval can be made smaller. For example, if you would want re-authentication to occur every 30 minutes, you would configure the following interface command: dot1x timeout reauth-period 1800 or authentication timer reauthenticate 1800.
5.10.5 Fix
Ensure 802.1x reauthentication occurs every 60 minutes.
Go to the report contents or the start of this section.
5.11 V-5626 - NET-NAC-009
Severity: CAT I
Rule ID: SV-42190r2_rule
STIG ID: NET-NAC-009
Controls:
Responsibility: Information Assurance Officer
5.11.1 Summary
The switch must be configured to use 802.1x authentication on host facing access switch ports. Table 278 provides a summary result of the findings.
Table 278: NET-NAC-009 - Summary result
Device | Type | Status
router03 | Cisco Router |
5.11.2 Description
The IEEE 802.1x standard is a client-server based access control and authentication protocol that restricts unauthorized clients from connecting to a local area network through host facing switch ports. The authentication server authenticates each client connected to a switch port before making any services available to the client from the LAN. Unless the client is successfully authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port. Without the use of 802.1x, a malicious user could use the switch port to connect an unauthorized computer or other network device to inject or steal data from the network without detection.
5.11.3 Check
Verify if the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e. RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. If 802.1x authentication is not configured on these host-facing access switch ports, this is a CAT 1 finding. If MAC address filtering is implemented in lieu of 802.1x authentication, this finding will be downgraded to a CAT 3. Verify 802.1x authentication is enabled on the switch and host facing switch ports:
Step 1: Verify that an 802.1x authentication server has been configured similar to the following example:
Switch(config)# radius-server host x.x.x.x auth-port 1813 key !R4d1u$K3y!
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Step 2: Verify 802.1x authentication has been enabled globally on the network device similar to the following example:
Switch(config)# dot1x system-auth-control
Step 3: Verify that all host-facing access switch ports are configured to use 802.1x similar to the examples below:
Switch(config)# interface fastethernet 0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# dot1x port-control auto
OR
Switch(config)# interface fastethernet 0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# authentication port-control auto
If 802.1x is not being used, determine if MAC filtering is used on each host-facing access switch port as shown in the following example:
Switch(config)# interface fastethernet 0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 1000.2000.3000
NOTE: The section below is intended for classified networks. If it is determined that 802.1x is not implemented on a classified network, the Traditional review team must be notified to determine if the physical requirements are implemented. For a site to be downgraded to a CAT III open finding, the physical security requirements must be implemented in addition to static MAC or sticky secure MAC port security. If both physical and logical downgrades are not implemented, a CAT I open finding will be issued. If classified LAN drops are not authenticated by an 802.1x implementation, they must be located within spaces properly established as Secret vaults, Secret Secure Rooms (AKA: Collateral Classified Open Storage Areas), TS secure room, or SCIF. Otherwise, one of the following supplemental physical security controls must be implemented.
Severity:CATII
RuleID:SV-5628r2_rule
STIGID:NET-VLAN-006
Controls:
Responsibility:InformationAssuranceOfficer
Severity:CATII
RuleID:SV-19297r1_rule
STIGID:NET0985
Controls:
Responsibility:SystemAdministrator
1.WalljacksmustbesecuredwhenunattendedbypersonswithSecretorhigherclearancewithaproperlyconstructedlockbox(Hoffmanorsimilarcommercialproductorlocallyfabricated).Thelockboxmusthavenoexposedorremovablehinges.Thehasphardwaremustberivetedtotheboxorotherwiseinstalledsothatremovalwillrequirephysicalbreakingofthebox;therebyleavingevidenceofactualorattemptedentry.Thelockboxmustbesecuredwitha3-positionhighsecuritycombinationpadlock(IAWtheNSTISSI7003).TheS&G8077combinationpadlockistheonlyexistingpadlockmeetingthisstandard.
2.Iflockboxesarenotused,thealternativeistophysicallydisconnecttheSIPRNetlinkattheSIPRNetpointofpresence(PoP)afternormaldutyhours.ThePoPmustbelocatedwithinaproperSecretorhighersecureroom.
5.11.4 Fix
Configure 802.1x authentication on all host-facing access switch ports.
5.12 V-5628 - The VLAN 1 is being used for management traffic.
5.12.1 Summary
A dedicated management VLAN or VLANs must be configured to keep management traffic separate from user data and control plane traffic. Table 279 provides a summary result of the findings.
Table 279: The VLAN 1 is being used for management traffic. - Summary result
Device Type Status
router03 Cisco Router
5.12.2 Description
All ports, including the internal sc0 interface, are configured by default to be members of VLAN 1. In a VLAN-based network, switches use VLAN 1 as the default VLAN for in-band management and to communicate with other networking devices using Spanning-Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), and Port Aggregation Protocol (PAgP), all of which is untagged traffic. As a consequence, VLAN 1 may unwisely span the entire network if not appropriately pruned. If its scope is large enough, the risk of compromise can increase significantly.
5.12.3 Check
Review the device configurations to determine if a dedicated VLAN (or VLANs) has been implemented for the management network. VLAN 1 must not be used. If a dedicated VLAN or VLANs have not been established for the management network, this is a finding. If VLAN 1 is used for management, this is also a finding.
5.12.4 Fix
Best practice for VLAN-based networks is to create a dedicated management VLAN, prune unnecessary ports from gaining access to VLAN 1 as well as to the management VLAN, and to separate in-band management, device protocol, and data traffic.
5.13 V-17815 - IGP instances do not peer with appropriate domain
5.13.1 Summary
IGP instances configured on the OOBM gateway router do not peer only with their appropriate routing domain. Table 280 provides a summary result of the findings.
Table 280: IGP instances do not peer with appropriate domain - Summary result
Device Type Status
router03 Cisco Router
5.13.2 Description
If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. Since the managed network and the management network are separate routing domains, separate IGP routing instances must be configured on the router: one for the managed network and one for the OOBM network.
5.13.3 Check
Verify that the OOBM interface is an adjacency only in the IGP routing domain for the management network. The following is an example where EIGRP is run on the management network 10.0.0.0 and OSPF in the managed network 172.20.0.0. The network 10.1.20.0/24 is the OOBM backbone and 10.1.1.0 is the local management LAN connecting to the OOBM interfaces of the managed network (i.e., the private and service network) elements.

interface Serial0/0
 description to_OOBM_Backbone
 ip address 10.1.20.3 255.255.255.0
interface Fastethernet0/0
 description Enclave_Management_LAN
 ip address 10.1.1.1 255.255.255.0
interface Fastethernet0/1
 description to_our_PrivateNet
 ip address 172.20.4.2 255.255.255.0
interface Fastethernet0/2
 description to_our_ServiceNet
 ip address 172.20.5.2 255.255.255.0
!
router ospf 1
 network 172.20.0.0
!
router eigrp 12
 network 10.0.0.0
 passive-interface Fastethernet0/1

Note: the passive-interface command is configured to avoid building an EIGRP adjacency with a managed router while, at the same time, enabling EIGRP to advertise the enclave's management subnet to the EIGRP neighbors of the management network backbone.

If the non-dedicated OOBM gateway and the NOC gateway are not connected by an OOB backbone, that is, connectivity is provided over an IP backbone (i.e. NIPRNet), and an IGP is used to advertise routes within the management network, the IGP traffic must be encapsulated via GRE so that it can traverse the IPsec tunnel. The configuration below is an example of GRE over IPsec. The IPsec policy is applied to the GRE traffic that will encapsulate the IGP packets (notice that the EIGRP network statement includes the GRE tunnel; hence, EIGRP will form adjacencies with neighbors on the other side of this tunnel).

Premise Router Configuration
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ourkey address 166.4.24.3
!
crypto ipsec transform-set VPN-trans esp-3des esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 166.4.24.3
 set transform-set VPN-trans
 match address 102
!
interface Ethernet1
 ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
 ip address 141.22.4.3 255.255.255.252
!
interface Tunnel0
 ip address 10.10.255.1 255.255.255.252
 ip mtu 1400
 tunnel source Serial0/0
 tunnel destination 166.4.24.3
 crypto map vpnmap
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 141.22.4.1
!
access-list 102 permit gre host 141.22.4.3 host 166.4.24.3

OOBM VPN Gateway Configuration
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ourkey address 141.22.4.3
!
crypto ipsec transform-set VPN-trans esp-3des esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 141.22.4.3
 set transform-set VPN-trans
 match address 102
!
interface Ethernet1
 ip address 10.1.2.1 255.255.255.0
!
interface Serial1/0
 ip address 166.4.24.3 255.255.255.252
!
interface Tunnel0
 ip address 10.10.255.2 255.255.255.252
 ip mtu 1400
 tunnel source Serial0/0
 tunnel destination 141.22.4.3
 crypto map vpnmap
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 166.4.24.1
!
access-list 102 permit gre host 166.4.24.3 host 141.22.4.3

Severity: CAT II
Rule ID: SV-19069r1_rule
STIG ID: NET0986
Controls: ECSC-1
Responsibility: System Administrator
5.13.4 Fix
Ensure that the multiple IGP instances configured on the OOBM gateway router peer only with their appropriate routing domain. Verify that all interfaces are configured for the appropriate IGP instance.
5.14 V-17816 - Routes from the two IGP domains are redistributed
5.14.1 Summary
The routes from the two IGP domains are redistributed to each other. Table 281 provides a summary result of the findings.
Table 281: Routes from the two IGP domains are redistributed - Summary result
Device Type Status
router03 Cisco Router
5.14.2 Description
If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. Since the managed network and the management network are separate routing domains, separate IGP routing instances must be configured on the router: one for the managed network and one for the OOBM network. In addition, the routes from the two domains must not be redistributed to each other.
5.14.3 Findings
router03
Nipper Studio detected no issues with redistributed routing on router03.
5.14.4 Check
Verify that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network and vice versa. As an alternative, static routes can be used to forward management traffic to the OOBM interface; however, this method may not scale well. If static routes are used to forward management traffic to the OOB backbone network, verify that the OOBM interface is not an IGP adjacency and that the correct destination prefix has been configured to forward the management traffic to the correct next-hop and interface for the static route. In the following configuration examples, 10.1.1.0/24 is the management network and 10.1.20.4 is the interface address of the OOB backbone router that the OOB gateway router connects to. The network 10.1.20.0/24 is the OOBM backbone.

Severity: CAT II
Rule ID: SV-19337r1_rule
STIG ID: NET0994
Controls:
Responsibility: System Administrator
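The two checks in 5.13 and 5.14 can be run mechanically over a saved configuration. The Python below is an added example (not Nipper Studio or DISA code) that works on a constructed configuration shaped like the 5.13 example: it resolves which IGP instances each interface forms adjacencies in (honouring passive-interface and both classful and wildcard network statements), flags any interface peering in more than one IGP, flags OOBM interfaces that peer outside the management IGP, and flags redistribution between IGP instances. The management IGP name and the OOBM interface names are assumptions set at the top.

```python
"""Apply the 5.13 and 5.14 checks to an OOBM gateway configuration: every interface
should form an adjacency in one IGP instance only, the OOBM interfaces only in the
management IGP, and neither IGP may redistribute the other.  Added example; not
Nipper Studio or DISA code."""
import ipaddress

# Constructed sample shaped like the report's example.  Unlike the report, the
# OSPF network statement carries the wildcard and area that IOS requires, and a
# redistribute statement is planted so that the 5.14 check has something to flag.
SAMPLE_CONFIG = """\
interface Serial0/0
 description to_OOBM_Backbone
 ip address 10.1.20.3 255.255.255.0
!
interface FastEthernet0/0
 description Enclave_Management_LAN
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 description to_our_PrivateNet
 ip address 172.20.4.2 255.255.255.0
!
interface FastEthernet0/2
 description to_our_ServiceNet
 ip address 172.20.5.2 255.255.255.0
!
router ospf 1
 network 172.20.0.0 0.0.255.255 area 0
 redistribute eigrp 12 subnets
!
router eigrp 12
 network 10.0.0.0
 passive-interface FastEthernet0/1
"""

MGMT_IGP = "eigrp 12"                               # assumption: the management IGP
OOBM_INTERFACES = {"Serial0/0", "FastEthernet0/0"}  # assumption: OOBM backbone + mgmt LAN
IGP_KEYWORDS = ("eigrp", "ospf", "rip", "isis")


def parse_blocks(config):
    """Return {block header: [indented lines]} for interface and router blocks."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(("interface ", "router ")):
            current = line.strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def classful_mask(net):
    """Mask IOS applies to 'network A.B.C.D' when no wildcard is given."""
    first = int(net.split(".")[0])
    return "255.0.0.0" if first < 128 else "255.255.0.0" if first < 192 else "255.255.255.0"


def matches_network(addr, statement):
    """True if an interface address falls inside an IGP 'network' statement.
    Wildcards are inverted to a mask; non-contiguous wildcards are not handled."""
    parts = statement.split()
    if len(parts) > 2 and parts[2] != "area":
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(parts[2]))))
    else:
        mask = classful_mask(parts[1])
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(f"{parts[1]}/{mask}", strict=False)


def audit_igp(config, mgmt_igp=MGMT_IGP, oobm_interfaces=OOBM_INTERFACES):
    """Return a list of finding strings tagged with the STIG vulnerability id."""
    blocks = parse_blocks(config)
    addrs = {h.split(None, 1)[1]: l.split()[2]
             for h, lines in blocks.items() if h.startswith("interface ")
             for l in lines if l.startswith("ip address ")}
    adjacencies = {intf: [] for intf in addrs}
    findings = []
    for header, lines in blocks.items():
        if not header.startswith("router "):
            continue
        igp = header[len("router "):]
        passive = {l.split()[1] for l in lines if l.startswith("passive-interface ")}
        nets = [l for l in lines if l.startswith("network ")]
        for intf, addr in addrs.items():
            # passive-interface keeps the prefix advertised but forms no adjacency
            if intf not in passive and any(matches_network(addr, n) for n in nets):
                adjacencies[intf].append(igp)
        for l in lines:
            if l.startswith("redistribute ") and l.split()[1] in IGP_KEYWORDS:
                findings.append(f"{igp} redistributes {l.split(None, 1)[1]} (V-17816)")
    for intf, igps in adjacencies.items():
        if len(igps) > 1:
            findings.append(f"{intf} forms adjacencies in {igps} (V-17815)")
        if intf in oobm_interfaces and igps and igps != [mgmt_igp]:
            findings.append(f"OOBM interface {intf} peers in {igps}, not only {mgmt_igp} (V-17815)")
    return findings


if __name__ == "__main__":
    for finding in audit_igp(SAMPLE_CONFIG):
        print(finding)
```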
5.14.5 Fix
Ensure that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network and vice versa.
5.15 V-17824 - Management interface is assigned to a user VLAN.
5.15.1 Summary
The management interface is an access switch port and has not been assigned to a separate management VLAN. Table 282 provides a summary result of the findings.
Table 282: Management interface is assigned to a user VLAN. - Summary result
Device Type Status
router03 Cisco Router
5.15.2 Description
The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.
5.15.3 Check
Review the managed switch configuration and verify that the access port connected to the OOBM access switch has been assigned to the management VLAN. By default, the management VLAN is VLAN 1; however, the management VLAN must be configured to a different VLAN. As shown in the following configuration example, FastEthernet0/1 is the port connected to the OOBM access switch and VLAN 101 is the management VLAN.

interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 2
 switchport mode access

This can also be verified by entering a Privileged EXEC show vlan command on the switch CLI, as illustrated in the following example output of a Cisco 2950:

2950# show vlan
VLAN Name        Status    Ports
---- ----------- --------- --------------------------------------------------
2    Production  active    Fa0/2, Fa0/3, Fa0/4, Fa0/5, ... Fa0/21, Fa0/22, Fa0/23, Fa0/24
10   Management  active    Fa0/1

5.15.4 Fix
If the management interface is an access switch port, assign it to a separate management VLAN while the remainder of the access switch ports can be assigned to user VLANs belonging to the managed network. This provides some level of separation between the management network and the managed network.
5.16 V-17825 - Management VLAN has invalid addresses
5.16.1 Summary
An address has not been configured for the management VLAN from space belonging to the OOBM network assigned to that site. Table 283 provides a summary result of the findings.
Table 283: Management VLAN has invalid addresses - Summary result
Device Type Status
router03 Cisco Router

Severity: CAT III
Rule ID: SV-19338r1_rule
STIG ID: NET0995
Controls:
Responsibility: System Administrator

Severity: CAT II
Rule ID: SV-19339r1_rule
STIG ID: NET0996
Controls:
Responsibility: System Administrator
5.16.2 Description
The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device.
5.16.3 Check
Review the managed switch configuration and verify that an address has been configured for the management VLAN from space belonging to the OOBM network that has been assigned to that site.

interface VLAN10
 ip address 10.1.1.10 255.255.255.0
 description Management VLAN

Note: The IP address of the switch can be accessed only by nodes connected to ports that belong to the management VLAN. A default gateway address, as shown below, must be configured using the address of the OOBM gateway router interface connecting to the OOBM access switch. This will ensure that all management traffic is forwarded toward the NOC using the switch port attached to the OOBM access switch.

ip default-gateway 10.1.1.1

5.16.4 Fix
Assign an IP address to the management VLAN from the address space belonging to the OOBM network.
5.17 V-17826 - Invalid ports with membership to the mgmt VLAN
5.17.1 Summary
The access switch port connecting to the OOBM access switch is not the only port with membership to the management VLAN. Table 284 provides a summary result of the findings.
Table 284: Invalid ports with membership to the mgmt VLAN - Summary result
Device Type Status
router03 Cisco Router
5.17.2 Description
The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device.
5.17.3 Check
The management VLAN must be pruned from any VLAN trunk links belonging to the managed network's infrastructure. By default, all the VLANs that exist on a switch are active on a trunk link. Since the switch is being managed via an OOBM connection, management traffic should not traverse any trunk links. The following Catalyst IOS configuration is an example of a trunk link with the management VLAN (i.e. 10) pruned from a trunk.

interface fastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
 switchport trunk native vlan 3
 switchport trunk allowed vlan 2-9

This can also be verified with the show interface trunk command as shown below:

Switch-A# show interface trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa0/1     desirable    802.1q         trunking      3

Port      Vlans allowed on trunk
Fa0/1     2-9

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/1     2-5

Note: VTP pruning allows the switch to not forward user traffic for VLANs that are not active on a remote switch. This feature dynamically prunes unneeded traffic across trunk links. VTP pruning needs to be enabled on the server for the VTP domains, after which all VTP clients in the VTP domain will automatically enable VTP pruning. To enable VTP pruning on a Cisco IOS switch, you use the vtp pruning VLAN configuration or global configuration command. Since the management VLAN will be active on all managed switches, VTP will never prune this VLAN. Hence, it will have to be manually removed as shown above.

Severity: CAT III
Rule ID: SV-19340r1_rule
STIG ID: NET0997
Controls:
Responsibility: System Administrator
5.17.4 Fix
Ensure that the access switch port connecting to the OOBM access switch is the only port with membership to the management VLAN.
5.18 V-17827 - The management VLAN is not pruned from trunk links
5.18.1 Summary
The management VLAN is not pruned from any VLAN trunk links belonging to the managed network's infrastructure. Table 285 provides a summary result of the findings.
Table 285: The management VLAN is not pruned from trunk links - Summary result
Device Type Status
router03 Cisco Router
5.18.2 Description
The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network. ISL and 802.1q trunking enable multiple VLANs to traverse the same physical links between layer 2 switches or between a layer 2 switch and a router. If the management VLAN is not pruned from any VLAN trunk links belonging to the managed network's infrastructure, management traffic has the potential to leak into the production network.
5.18.3 Check
The management VLAN must be pruned from any VLAN trunk links belonging to the managed network's infrastructure. By default, all the VLANs that exist on a switch are active on a trunk link. Since the switch is being managed via an OOBM connection, management traffic should not traverse any trunk links. The following Catalyst IOS configuration is an example of a trunk link with the management VLAN (i.e. 10) pruned from a trunk.

interface fastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
 switchport trunk native vlan 3
 switchport trunk allowed vlan 2-9

This can also be verified with the show interface trunk command as shown below:

Switch-A# show interface trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa0/1     desirable    802.1q         trunking      3

Port      Vlans allowed on trunk
Fa0/1     2-9

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/1     2-5

Note: VTP pruning allows the switch to not forward user traffic for VLANs that are not active on a remote switch. This feature dynamically prunes unneeded traffic across trunk links. VTP pruning needs to be enabled on the server for the VTP domains, after which all VTP clients in the VTP domain will automatically enable VTP pruning. To enable VTP pruning on a Cisco IOS switch, you use the vtp pruning VLAN configuration or global configuration command. Since the management VLAN will be active on all managed switches, VTP will never prune this VLAN. Hence, it will have to be manually removed as shown above.

Severity: CAT II
Rule ID: SV-19702r1_rule
STIG ID: NET1003
Controls:
Responsibility: System Administrator

Severity: CAT II
Rule ID: SV-19703r2_rule
STIG ID: NET1004
Controls:
Responsibility:
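The 5.17 and 5.18 checks above both reduce to two questions about a switch configuration: does any trunk still carry the management VLAN, and is more than one access port a member of it? The Python below is an added example (not Nipper Studio or DISA code) that answers both for a constructed Catalyst configuration. It expands the `switchport trunk allowed vlan` list, including the add/remove/except/all/none forms, treats the native VLAN and dynamic-mode ports conservatively as the check text implies, and assumes VLAN 10 is the management VLAN as in the report's example.

```python
"""Check that the management VLAN is pruned from every trunk (5.18) and that only
one access port is a member of it (5.17).  Added example; not Nipper Studio or
DISA code."""
import re

MGMT_VLAN = 10  # assumption: the management VLAN used in the report's examples

# Constructed sample: one compliant trunk, one trunk that re-adds VLAN 10, one
# dynamic-mode trunk with no allowed-vlan restriction, the OOBM uplink on VLAN 10
# and a user port that was wrongly placed in VLAN 10.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 3
 switchport trunk allowed vlan 2-9
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2-9
 switchport trunk allowed vlan add 10,20-22
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
"""

ALL_VLANS = frozenset(range(1, 4095))


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '2-9,20,30-35' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def allowed_vlans(lines):
    """Apply the 'switchport trunk allowed vlan ...' statements in order.
    A running-config shows the collapsed list, but change scripts use the
    add/remove/except forms, so all of them are handled."""
    allowed = set(ALL_VLANS)  # default: every VLAN is active on a trunk
    for line in lines:
        m = re.fullmatch(r"switchport trunk allowed vlan (?:(add|remove|except) )?(\S+)", line)
        if not m:
            continue
        keyword, spec = m.groups()
        if spec == "all":
            allowed = set(ALL_VLANS)
        elif spec == "none":
            allowed = set()
        elif keyword == "add":
            allowed |= expand_vlan_list(spec)
        elif keyword == "remove":
            allowed -= expand_vlan_list(spec)
        elif keyword == "except":
            allowed = set(ALL_VLANS) - expand_vlan_list(spec)
        else:
            allowed = expand_vlan_list(spec)
    return allowed


def parse_interfaces(config):
    """Return {interface name: [indented config lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit_mgmt_vlan(config, mgmt_vlan=MGMT_VLAN):
    """Return (trunks still carrying the mgmt VLAN, access ports in the mgmt VLAN)."""
    leaking_trunks, members = [], []
    for name, lines in parse_interfaces(config).items():
        # dynamic auto/desirable ports may negotiate into trunking, so treat them as trunks
        is_trunk = any(l.startswith(("switchport mode trunk", "switchport mode dynamic"))
                       for l in lines)
        if is_trunk:
            # the native VLAN rides the trunk untagged, so it leaks the VLAN too
            native = next((int(l.split()[-1]) for l in lines
                           if l.startswith("switchport trunk native vlan ")), 1)
            if mgmt_vlan in allowed_vlans(lines) or native == mgmt_vlan:
                leaking_trunks.append(name)
        elif f"switchport access vlan {mgmt_vlan}" in lines:
            members.append(name)
    return leaking_trunks, members


if __name__ == "__main__":
    trunks, members = audit_mgmt_vlan(SAMPLE_CONFIG)
    print("trunks carrying VLAN", MGMT_VLAN, "(V-17827):", trunks)
    print("access ports in VLAN", MGMT_VLAN, "(V-17826, expect exactly one):", members)
```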
5.18.4 Fix
Prune the management VLAN from any VLAN trunk links belonging to the managed network's infrastructure.
5.19 V-17832 - Mgmt VLAN does not have correct IP address
5.19.1 Summary
The management VLAN is not configured with an IP address from the management network address block. Table 286 provides a summary result of the findings.
Table 286: Mgmt VLAN does not have correct IP address - Summary result
Device Type Status
router03 Cisco Router
5.19.2 Description
If the management systems reside within the same layer 2 switching domain as the managed network elements, then separate VLANs will be deployed to provide separation at that level. In this case, the management network still has its own subnet while at the same time it is defined as a unique VLAN.
5.19.3 Check
Review the switch configuration and verify that the management VLAN has been assigned an IP address from the management network address block. Following is an example for a Cisco Catalyst switch:

interface VLAN10
 description Management VLAN
 ip address 10.1.1.10 255.255.255.0

Note: The IP address of the switch can be accessed only by nodes connected to ports that belong to the management VLAN.
5.19.4 Fix
Configure the management VLAN with an IP address from the management network address block.
5.20 V-17833 - No ingress ACL on management VLAN interface
5.20.1 Summary
The ISSO will ensure that only authorized management traffic is forwarded by the multi-layer switch from the production or managed VLANs to the management VLAN. Table 287 provides a summary result of the findings.
Table 287: No ingress ACL on management VLAN interface - Summary result
Device Type Status
router03 Cisco Router

Severity: CAT II
Rule ID: SV-20062r1_rule
STIG ID: NET-SRVFRM-004
Controls:
Responsibility: Information Assurance Officer

Severity: CAT III
Rule ID: SV-20088r2_rule
STIG ID: NET-VLAN-023
Controls: DCSP-1
Responsibility: Information Assurance Officer

5.20.2 Description
If the management systems reside within the same Layer 2 switching domain as the managed network elements, then separate VLANs will be deployed to provide separation at that level. In this case, the management network still has its own subnet while at the same time it is defined as a unique VLAN. Inter-VLAN routing, or the routing of traffic between nodes residing in different subnets, requires a router or multi-layer switch (MLS). Access control lists must be used to enforce the boundaries between the management network and the network being managed. When using an MLS, an alternate method to prevent inter-VLAN routing is to configure the management Virtual Routing and Forwarding (VRF) instance to not import route targets from other VRFs, which would ensure there is no reachability between the networks.
5.20.3 Check
Review the configuration to determine if an inbound ACL has been configured for the management VLAN interface to block non-management traffic. If an inbound ACL has not been configured, this is a finding.
5.20.4 Fix
If an MLS is used to provide inter-VLAN routing, configure an inbound ACL for the management network VLAN interface.
5.21 V-18523 - ACLs do not protect against compromised servers
5.21.1 Summary
The IAO will ensure the Server Farm infrastructure is secured by ACLs on VLAN interfaces that restrict data originating from one server farm segment destined to another server farm segment. Table 288 provides a summary result of the findings.
Table 288: ACLs do not protect against compromised servers - Summary result
Device Type Status
router03 Cisco Router
5.21.2 Description
ACLs on VLAN interfaces do not protect against compromised servers. The Server Farm VLANs need to protect the servers located on one subnet from servers located on another subnet. Protecting a client's data from other clients is necessary and can be accomplished using VLAN provisioning, layer 3 filtering and content filtering at the Server Farm entry point. Restricting protocol, source and destination traffic via filters is an option; however, additional security practices such as content filtering are required. The Server Farm private VLANs need to protect the servers located on one subnet from servers located on another subnet.
5.21.3 Check
Review the firewall protecting the server farm. VLAN configurations should have a filter that secures the servers located on the VLAN segment. Identify the source IP addresses that have access to the servers and verify the privilege intended with the SA. The filter should be in a deny-by-default posture. If the filter is not defined on the firewall and the architecture contains a layer 3 switch between the firewall and the server, then review the VLAN definition on the L3 switch.
5.21.4 Fix
Review the filter and ensure access from other server segments is denied unless necessary for application operation. The intent of the policy should be to protect servers from a server that has been compromised by an intruder.
5.22 V-18544 - Restricted VLAN not assigned to non-802.1x device.
5.22.1 Summary
Printers must be assigned to a VLAN that is not shared by unlike devices. Table 289 provides a summary result of the findings.
Table 289: Restricted VLAN not assigned to non-802.1x device. - Summary result
Device Type Status
router03 Cisco Router

Severity: CAT II
Rule ID: SV-20089r1_rule
STIG ID: NET-VLAN-024
Controls:
Responsibility: Information Assurance Officer

Severity: CAT II
Rule ID: SV-49133r1_rule
STIG ID: NET-NAC-031
Controls: DCSP-1
Responsibility: Information Assurance Officer

5.22.2 Description
Aspects of hardening the network wall plate may include traffic filtering or restrictions on connectivity to enforce a device-, community of interest-, or user-specific security policy. For example, if a printer were plugged into a switch port, it would be prudent to ensure that only printer traffic is allowed on that switch port. If the printer is unplugged and a substitute device other than a printer is plugged into that switch port, the substitute device should not be able to communicate arbitrarily with other devices because only printer traffic is allowed on that switch port.
5.22.3 Check
Review the device configuration to determine if a VLAN has been established for printers.
5.22.4 Fix
Create a VLAN on the device for print type devices and assign printers to the VLAN ID.
5.23 V-18545 - Upstream access not restricted for non-802.1x VLAN
5.23.1 Summary
The SA will ensure a packet filter is implemented to filter the enclave traffic to and from printer VLANs to allow only print traffic. Table 290 provides a summary result of the findings.
Table 290: Upstream access not restricted for non-802.1x VLAN - Summary result
Device Type Status
router03 Cisco Router
5.23.2 Description
A firewall rule set can filter network traffic within the printer VLAN to only expected printer protocols. The SA managing the local enclave should identify the printer port traffic within the enclave. Ports commonly used by printers are typically TCP ports 515, 631, 1782 and TCP ports 9100, 9101, 9102, but others are used throughout the industry. The SA can review RFC 1700 Port Assignments and review printer vendor documents for the filter rule-set.
5.23.3 Check
An ACL or firewall rule set can filter network traffic within the printer VLAN to only expected printer protocols. The SA managing the local enclave should identify the printer port traffic within the enclave. Ports commonly used by printers are typically TCP ports 515, 631, 1782 and TCP ports 9100, 9101, 9102, but others are used throughout the industry. The SA can review RFC 1700 Port Assignments and review printer vendor documents for the filter rule-set. Verify the filter applied to the printer VLAN subnet.
5.23.4 Fix
Define the filter on the VLAN ACL or build a firewall rule set to accomplish the requirement.
5.24 V-18566 - NET-NAC-031
5.24.1 Summary
The switch must only allow a maximum of one registered MAC address per access port. Table 291 provides a summary result of the findings.
Table 291: NET-NAC-031 - Summary result
Device Type Status
router03 Cisco Router
5.24.2 Description
Limiting the number of registered MAC addresses on a switch access port can help prevent a CAM table overflow attack. This type of attack lets an attacker exploit the hardware and memory limitations of a switch. If there are enough entries stored in a CAM table before the expiration of other entries, no new entries can be accepted into the CAM table. An attacker will be able to flood the switch with mostly invalid MAC addresses until the CAM table's resources have been depleted. When there are no more resources, the switch has no choice but to flood all ports within the VLAN with all incoming traffic. This happens because the switch cannot find the switch port number for a corresponding MAC address within the CAM table, causing the switch to behave as a hub and allowing traffic to be monitored.

Severity: CAT III
Rule ID: SV-15474r3_rule
STIG ID: NET1020
Controls: ECAT-1, ECAT-2, ECSC-1
Responsibility: Information Assurance Officer
5.24.3 Check
Review the switch configuration to verify each access port is configured for a single registered MAC address. Configuring port-security on the Cisco switch access port interface will automatically set the maximum number of registered MAC addresses to one. The value will not show up in the configuration of the switch itself. To validate that the access port has a maximum value of one for allowable MAC addresses, you must run the following command:

Switch# show port-security interface

Show Command Example:
Switch# show port-security interface fa0/1
Port Security: Enabled
Port Status: Secure-down
Violation Mode: Shutdown
Aging Time: 0 mins
Aging Type: Absolute
SecureStatic Address Aging: Disabled
Maximum MAC Addresses: 1

Some technologies are exempt from requiring a single MAC address per access port; however, restrictions still apply. VoIP or VTC endpoints may provide a PC port so a PC can be connected. Each of the devices will need to be statically assigned to each access port. Another green initiative where a single LAN drop is shared among several devices is called "hot-desking", which is related to conservation of office space and teleworking. Hot-desking is where several people are assigned to work at the same desk at different times, each user with their own PC. In this case, a different MAC address needs to be permitted for each PC that is connecting to the LAN drop in the workspace. Additionally, this workspace could contain a single phone (and possibly a desktop VTC endpoint) used by all assignees, and the PC port on it might be the connection for their laptop. In this case, it is best not to use sticky port security, but to use a static mapping of authorized devices or implement 802.1x. If this is not a teleworking remote location, this exemption does not apply.
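The 802.1x check in 5.11 and the single-MAC check in 5.24 look at the same access-port configuration from two angles, so one review script can apply both. The Python below is an added example (not Nipper Studio or DISA code) run over a constructed running-config: it confirms the three global 802.1x commands from 5.11 Step 1 and Step 2, then grades each `switchport mode access` port as CAT I (no 802.1x and no port-security), CAT III (MAC filtering in lieu of 802.1x), or a NET-NAC-031 finding when port-security admits more than one address. The hot-desking and VoIP exemptions from 5.24 still need a human decision, so they are only flagged.

```python
"""Grade host-facing access ports against the 802.1x check (5.11) and the one-MAC-
per-port check (5.24).  Added example; not Nipper Studio or DISA code."""
import re

# Constructed sample running-config covering each case the two checks distinguish.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 1000.2000.3000
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
!
interface FastEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

# The exact global commands the 5.11 check expects; a named method list would
# need this tuple adapted.
GLOBAL_DOT1X = ("aaa new-model",
                "aaa authentication dot1x default group radius",
                "dot1x system-auth-control")


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for every interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or another global command ends the block
    return blocks


def global_dot1x_ready(config):
    """True when AAA, the dot1x RADIUS method list and the global enable are all present."""
    lines = {l.strip() for l in config.splitlines()}
    return all(cmd in lines for cmd in GLOBAL_DOT1X)


def audit_access_ports(config):
    """Return {interface: (verdict, reason)} for every access port.
    Verdicts: 'OK', 'CAT I', 'CAT III' (from 5.11) or 'NET-NAC-031' (from 5.24)."""
    results = {}
    dot1x_global = global_dot1x_ready(config)
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope for these checks
        has_dot1x = any(re.fullmatch(r"(dot1x|authentication) port-control auto", l)
                        for l in lines)
        has_portsec = "switchport port-security" in lines
        # Port-security defaults to one MAC and the default is not shown in the
        # config (5.24), so only an explicit larger maximum is a problem.
        max_macs = 1
        for l in lines:
            m = re.fullmatch(r"switchport port-security maximum (\d+)", l)
            if m:
                max_macs = int(m.group(1))
        if has_portsec and max_macs > 1:
            results[name] = ("NET-NAC-031",
                             f"{max_macs} MAC addresses allowed; verify a 5.24 exemption applies")
        elif has_dot1x and dot1x_global:
            results[name] = ("OK", "802.1x port-control auto with global 802.1x enabled")
        elif has_dot1x:
            results[name] = ("CAT I", "port-control auto set but 802.1x not enabled globally")
        elif has_portsec:
            results[name] = ("CAT III", "MAC filtering (port-security) in lieu of 802.1x")
        else:
            results[name] = ("CAT I", "neither 802.1x nor port-security configured")
    return results


if __name__ == "__main__":
    for intf, (verdict, reason) in audit_access_ports(SAMPLE_CONFIG).items():
        print(f"{intf:20} {verdict:12} {reason}")
```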
5.24.4 Fix
Configure the switch to limit the maximum number of registered MAC addresses on each access switch port to one.
5.25 V-3000 - Interface ACL deny statements are not logged.
5.25.1 Summary
The network device must log all access control list (ACL) deny statements. Table 292 provides a summary result of the findings.
Table 292: Interface ACL deny statements are not logged. - Summary result
Device Type Status
router03 Cisco Router
CiscoIOS15 Cisco Router
5.25.2 Description
Auditing and logging are key components of any security architecture. It is essential for security personnel to know what is being done, attempted to be done, and by whom in order to compile an accurate risk assessment. Auditing the actions on network devices provides a means to recreate an attack, or identify a configuration mistake on the device.
5.25.3 Findings
router03
Nipper Studio identified one active rule list on router03 that contained deny rules.
Table 293: 4040 deny rules.
Rule Action Source Log
5 Any Yes
CiscoIOS15
Nipper Studio determined that no active filter rule lists containing deny rules were configured on CiscoIOS15.

Severity: CAT II
Rule ID: SV-3008r1_rule
STIG ID: NET1800
Controls:
Responsibility: Information Assurance Officer
5.25.4 Check
Review the network device interface ACLs to verify all deny statements are logged. Cisco IOS example:

interface FastEthernet0/0
 description external interface peering with ISP or non-DoD network
 ip address 199.36.92.1 255.255.255.252
 ip access-group 100 in
…
access-list 100 deny icmp any any fragments log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 permit icmp any host 199.36.92.1 echo-reply
access-list 100 permit icmp any host 199.36.90.10 echo-reply
access-list 100 deny icmp any any log
access-list 100 deny ip any any log
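The Cisco IOS example above ends with an explicit `deny ip any any log` because the implicit deny at the end of every IOS ACL is never logged; a review of this check therefore has to look for unlogged deny entries and for lists that rely on the implicit deny. The Python below is an added example (not Nipper Studio or DISA code) that does both over a constructed configuration, reading numbered `access-list` entries and named `ip access-list` blocks, and limiting itself to ACLs actually applied to an interface with `ip access-group`, since the check is about interface ACLs.

```python
"""Find interface ACL deny entries that are not logged (5.25 check) and ACLs that
end without an explicit logged deny.  Added example; not Nipper Studio or DISA code."""
import re

# Constructed sample: ACL 100 follows the report's example except that one deny
# lacks 'log'; named ACL MGMT-IN ends on a permit, so it relies on the implicit
# (unlogged) deny; ACL 150 is not applied anywhere and is therefore ignored.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description external interface peering with ISP or non-DoD network
 ip address 199.36.92.1 255.255.255.252
 ip access-group 100 in
!
interface Vlan10
 ip address 10.1.1.10 255.255.255.0
 ip access-group MGMT-IN in
!
access-list 100 deny icmp any any fragments log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 permit icmp any host 199.36.92.1 echo-reply
access-list 100 deny ip any any log
access-list 150 deny ip any any
!
ip access-list extended MGMT-IN
 10 permit tcp 10.1.0.0 0.0.255.255 any eq 22
 20 deny ip 192.168.0.0 0.0.255.255 any log-input
 30 permit udp 10.1.0.0 0.0.255.255 any eq 161
"""

LOGGED = re.compile(r"\blog(-input)?$")   # 'log' or 'log-input' as the last keyword


def parse_acls(config):
    """Return {acl name or number: [entry strings]} in configured order."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (.*)", line)
        if m:  # numbered ACL: one global line per entry
            acls.setdefault(m.group(1), []).append(m.group(2))
            current = None
            continue
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        if m:  # named ACL: entries follow, indented
            current = m.group(1)
            acls.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            entry = re.sub(r"^\d+ ", "", line.strip())  # drop sequence numbers
            if entry.startswith(("permit", "deny")):
                acls[current].append(entry)
        else:
            current = None
    return acls


def applied_acls(config):
    """Return {acl: [(interface, direction), ...]} for every 'ip access-group'."""
    applied, intf = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            intf = line.split(None, 1)[1]
        m = re.fullmatch(r"\s+ip access-group (\S+) (in|out)", line)
        if m and intf:
            applied.setdefault(m.group(1), []).append((intf, m.group(2)))
    return applied


def audit_deny_logging(config):
    """Return [(acl, problem)] for every interface ACL that violates the check."""
    findings = []
    acls = parse_acls(config)
    for acl in applied_acls(config):
        entries = acls.get(acl, [])
        for entry in entries:
            if entry.startswith("deny") and not LOGGED.search(entry):
                findings.append((acl, f"unlogged deny: {entry}"))
        # The implicit deny that closes every IOS ACL is never logged, which is
        # why the report's example finishes with 'deny ip any any log'.
        if not entries or not (entries[-1].startswith("deny") and LOGGED.search(entries[-1])):
            findings.append((acl, "no explicit logged deny at end of list"))
    return findings


if __name__ == "__main__":
    for acl, problem in audit_deny_logging(SAMPLE_CONFIG):
        print(f"ACL {acl}: {problem}")
```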
5.25.5 Fix
Configure interface ACLs to log all deny statements.
5.26 V-3008 - IPSec VPN is not configured as a tunnel type VPN.
5.26.1 Summary
The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an IP backbone network. Table 294 provides a summary result of the findings.
Table 294: IPSec VPN is not configured as a tunnel type VPN. - Summary result
Device Type Status
router03 Cisco Router
CiscoIOS15 Cisco Router
5.26.2 Description
Using dedicated paths, the OOBM backbone connects the OOBM gateway routers located at the premises of the managed networks and at the NOC. Dedicated links can be deployed using provisioned circuits (ATM, Frame Relay, SONET, T-carrier, and others), VPN technologies such as subscribing to MPLS Layer 2 and Layer 3 VPN services, or by implementing a secured path with a gateway-to-gateway IPsec tunnel. The tunnel mode ensures that the management traffic will be logically separated from any other traffic traversing the same path.
5.26.3 Findings
router03
Nipper Studio determined that there was no IP Security protocol (IPsec) Virtual Private Network (VPN) configured on router03.
5.26.4 Check
Have the SA display the configuration settings that enable this feature. Review the network topology diagram, and review VPN concentrators. Determine if tunnel mode is being used by reviewing the configuration. Examples:

In Cisco IOS:
Router(config)# crypto ipsec transform-set transform-set-name transform1
Router(cfg-crypto-tran)# mode tunnel

OR in Junos:
[edit security ipsec security-association sa-name]
mode tunnel

5.26.5 Fix
Establish the VPN as a tunneled VPN. Terminate the tunneled VPN outside of the firewall. Ensure all host-to-host VPNs are established between trusted known hosts.

Severity: CAT I
Rule ID: SV-3012r4_rule
STIG ID: NET0230
Controls:
Responsibility: Information Assurance Officer
5.27 V-3012 - Network element is not password protected.
5.27.1 Summary
Network devices must be password protected. Table 295 provides a summary result of the findings.
Table 295: Network element is not password protected. - Summary result
Device Type Status
router03 Cisco Router
CiscoIOS15 Cisco Router
5.27.2 Description
Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user, or guest so the appropriate authorization can be assigned to the user requesting access to the network or a network device. Authorization requires an individual account identifier that has been approved, assigned, and configured on an authentication server. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or, in the case of multi-factor authentication, some combination thereof. Lack of authentication enables anyone to gain access to the network or possibly a network device, providing opportunity for intruders to compromise resources within the network infrastructure.
5.27.3 Findings
router03
Table 296 details the administrative interface lines configured on router03.
Table 296: Administrative lines
Line       Access  Login          Level  Password  Authorization  Accounting  Filter In
Console    Yes     Line Password  1      password  Off            Off
Auxiliary  Yes     Line Password  1      password  Off            Off
VTY 0-4    Yes     Line Password  1      password  Off            Off         10
Table 297 details local users configured on router03.
Table 297: Local users
User       Password  Privilege  Filter
temp       password  15
testuser   password  15
localuser  password  15
CiscoIOS15
Table 298 details the administrative interface lines configured on CiscoIOS15.
Table 298: Administrative lines
Line             Access  Login               Level  Password  Authorization  Accounting  Filter In
Console          Yes     AAA Authentication  1                Off            Off
Auxiliary        No      N/A                 1                Off            Off
Interface 0/0/0  Yes     AAA Authentication  1                Off            Off
VTY 0-4          Yes     AAA Authentication  1      password  Off            Off         1
VTY 5-807        Yes     AAA Authentication  1                Off            Off         1
Table 299 details local users configured on CiscoIOS15.
Table 299: Local users
User   Password     Privilege  Filter
admin  (ENCRYPTED)  1
Test   (ENCRYPTED)  1

Severity: CAT II
Rule ID: SV-3013r4_rule
STIG ID: NET0340
Controls:
Responsibility: Information Assurance Officer
5.27.4Check
Reviewthenetworkdevicesconfigurationtodetermineifadministrativeaccesstothedevicerequiressomeformofauthentication--ataminimumapasswordisrequired.Ifpasswordsaren'tusedtoadministrativeaccesstothedevice,thisisafinding.
5.27.5Fix
Configurethenetworkdevicessoitwillrequireapasswordtogainadministrativeaccesstothedevice.
5.28 V-3013 - Login banner is non-existent or not DOD-approved.
Severity: CAT II
Rule ID: SV-15453r2_rule
STIG ID: NET1639
Controls:
Responsibility: Information Assurance Officer
5.28.1 Summary
Network devices must display the DoD-approved logon banner warning. Table 300 provides a summary result of the findings.
Table 300: Login banner is non-existent or not DOD-approved. - Summary result
Device      Type          Status
router03    Cisco Router
CiscoIOS15  Cisco Router
5.28.2 Description
All network devices must present a DoD-approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the device is subject to monitoring to detect unauthorized usage. Failure to display the required logon warning banner prior to logon attempts will limit DoD's ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. In addition, DISA's ability to monitor the device's usage is limited unless a proper warning banner is displayed. DoD CIO has issued new, mandatory policy standardizing the wording of "notice and consent" banners and matching user agreements for all Secret and below DoD information systems, including stand-alone systems, by releasing DoD CIO Memo, "Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement", dated 9 May 2008. The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components for all DoD assets via USCYBERCOM CTO 08-008A.
5.28.3 Findings
router03
Nipper Studio determined that the configured pre-authentication logon banner message was:
Login Banner
This is a test banner.
CiscoIOS15
Nipper Studio determined that the configured pre-authentication logon banner message was:
Login Banner
This is the login banner
5.28.4 Check
Review the device configuration or request that the administrator log on to the device and observe the terminal. Verify either Option A or Option B (for systems with character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at logon. The required banner verbiage follows and must be displayed verbatim:
Option A
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Option B
If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows:
"I've read & consent to terms in IS user agreem't."
If the device configuration does not have a logon banner as stated above, this is a finding.
5.28.5 Fix
Configure all management interfaces to the network device to display the DoD-mandated warning banner verbiage at logon regardless of the means of connection or communication. The required banner verbiage that must be displayed verbatim is as follows:
Option A
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Option B
If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows:
"I've read & consent to terms in IS user agreem't."
5.29 V-3014 - Management connection does not timeout.
Severity: CAT III
Rule ID: SV-15330r2_rule
STIG ID: NET0820
Controls:
Responsibility: Information Assurance Officer
5.29.1 Summary
The network element must timeout management connections for administrative access after 10 minutes or less of inactivity. Table 301 provides a summary result of the findings.
Table 301: Management connection does not timeout. - Summary result
Device      Type          Status
router03    Cisco Router
CiscoIOS15  Cisco Router
5.29.2 Description
Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.
5.29.3 Findings
router03
Table 302 details the administrative interface line connection timeout(s) configured on router03.
Table 302: Administrative line connection timeout on router03
Line     Exec Timeout  Absolute Timeout  Session Timeout  Login Timeout  Filter In  Filter Out
VTY 0-4  10 minutes    None              None             30 seconds     10
CiscoIOS15
Table 303 details the administrative interface line connection timeout(s) configured on CiscoIOS15.
Table 303: Administrative line connection timeout on CiscoIOS15
Line       Exec Timeout  Absolute Timeout  Session Timeout  Login Timeout  Filter In  Filter Out
VTY 0-4    9 minutes     None              None             30 seconds     1
VTY 5-807  9 minutes     None              None             30 seconds     1
5.29.4 Check
Review the management connection for administrative access and verify the network element is configured to time-out the connection after 10 minutes or less of inactivity. The default for the VTY line is 10 minutes and may not appear in the display of the configuration. The VTY line should contain the following command:
exec-timeout 10
5.29.5 Fix
Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes.
5.30 V-3020 - DNS servers must be defined for client resolver.
Severity: CAT II
Rule ID: SV-15332r2_rule
STIG ID: NET0890
Controls:
Responsibility: Information Assurance Officer
5.30.1 Summary
The network element must have DNS servers defined if it is configured as a client resolver. Table 304 provides a summary result of the findings.
Table 304: DNS servers must be defined for client resolver. - Summary result
Device      Type          Status
router03    Cisco Router
CiscoIOS15  Cisco Router
5.30.2 Description
The susceptibility of IP addresses to spoofing translates to DNS host name and IP address mapping vulnerabilities. For example, suppose a source host wishes to establish a connection with a destination host and queries a DNS server for the IP address of the destination host name. If the response to this query is the IP address of a host operated by an attacker, the source host will establish a connection with the attacker's host, rather than the intended target. The user on the source host might then provide logon, authentication, and other sensitive data.
5.30.3 Findings
router03
Nipper Studio determined that the DNS lookup feature on router03 was enabled. Additionally, Nipper Studio determined that no DNS servers were configured on router03.
CiscoIOS15
Nipper Studio determined that the DNS lookup feature on CiscoIOS15 was disabled. Additionally, Nipper Studio determined that no DNS servers were configured on CiscoIOS15.
5.30.4 Check
Review the device configuration to ensure that DNS servers have been defined if it has been configured as a client resolver (name lookup). The configuration should look similar to one of the following examples:
ip domain-lookup
ip name-server 192.168.1.253
or
no ip domain-lookup
The first configuration example has DNS lookup enabled and hence has defined its DNS server. The second example has DNS lookup disabled. Note: ip domain-lookup is enabled by default. Hence it may not be shown, depending on the IOS release. If it is enabled, it will be shown near the beginning of the configuration.
5.30.5 Fix
Configure the device to include DNS servers or disable domain lookup.
5.31 V-3021 - SNMP access is not restricted by IP address.
Severity: CAT II
Rule ID: SV-15290r2_rule
STIG ID: NET0400
Controls:
Responsibility: Information Assurance Officer
5.31.1 Summary
The network element must only allow SNMP access from addresses belonging to the management network. Table 305 provides a summary result of the findings.
Table 305: SNMP access is not restricted by IP address. - Summary result
Device      Type          Status
router03    Cisco Router
CiscoIOS15  Cisco Router
5.31.2 Description
Detailed information about the network is sent across the network via SNMP. If this information is discovered by attackers it could be used to trace the network, show the network's topology, and possibly gain access to network devices.
5.31.3 Findings
router03
The community strings detailed in Table 306 were configured on router03.
Table 306: SNMP community configuration
Community  Access      Version  View  ACL
public     Read Only   1              20
private    Read/Write  1
CiscoIOS15
The community strings detailed in Table 307 were configured on CiscoIOS15.
Table 307: SNMP community configuration
Community     Access     Version  View  ACL
Testcom       Read Only  1              18
cisCommunity  Read Only  1              3
trapString    Read Only  1              3
5.31.4 Check
Review the device configuration and verify that it is configured to only allow SNMP access from addresses belonging to the management network. The following examples for SNMPv1, 2, and 3 depict the use of an ACL to restrict SNMP access to the device.
SNMPv1/v2c Configuration Example
The example ACL NMS_LIST is used to define what network management stations can access the device for write and read only (poll).
ip access-list standard NMS_LIST
 permit 10.1.1.24
 permit 10.1.1.22
 permit 10.1.1.23
!
snmp-server community ourCommStrRO RW NMS_LIST
snmp-server community write_pw RW NMS_LIST
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.1.1.1 trap_comm_string
Note: If you enter the snmp-server host command with no keywords, the default is version 1 and to send all enabled traps to the host. No informs will be sent to this host. If no traps or informs keyword is present, traps are sent.
SNMPv3 Configuration Example
The example ACLs NMS_LIST and ADMIN_LIST are used to define what network management stations and administrator (users) desktops can access the device.
ip access-list standard ADMIN_LIST
 permit 10.1.1.35
 permit 10.1.1.36
ip access-list standard NMS_LIST
 permit 10.1.1.24
 permit 10.1.1.22
 permit 10.1.1.23
!
snmp-server group NOC v3 priv read VIEW_ALL write VIEW_LIMIT access NMS_LIST
snmp-server group TRAP_GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server group ADMIN_GROUP v3 priv read VIEW_ALL write VIEW_ALL access ADMIN_LIST
snmp-server view VIEW_ALL internet included
snmp-server view VIEW_LIMIT internet included
snmp-server view VIEW_LIMIT internet.6.3.15 excluded
snmp-server view VIEW_LIMIT internet.6.3.16 excluded
snmp-server view VIEW_LIMIT internet.6.3.18 excluded
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.1.1.24 version 3 priv TRAP_NMS1
Note: For the configured group TRAP_GROUP, the notify view is auto-generated by the snmp-server host command, which binds the user (TRAP_NMS1) and the group it belongs to (TRAP_GROUP) to the list of notifications (traps or informs) which are sent to the host. Hence, the configuration snmp-server group TRAP_GROUP v3 results in the following:
snmp-server group TRAP_GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
Note: Not required but for illustration purposes, the VIEW_LIMIT excludes MIB objects which could potentially reveal information about configured SNMP credentials. These objects are snmpUsmMIB, snmpVacmMIB, and snmpCommunityMIB, which are configured as 1.3.6.1.6.3.15, 1.3.6.1.6.3.16, and 1.3.6.1.6.3.18 respectively.
Note that SNMPv3 users are not shown in a running configuration. You can view them with the show snmp user command. So for example, if the following users were configured as such:
snmp-server user HP_OV NOC v3 auth sha HPOVpswd priv aes 256 HPOVsecretkey
snmp-server user Admin1 ADMIN_GROUP v3 auth sha Admin1PW priv aes 256 Admin1key
snmp-server user Admin2 ADMIN_GROUP v3 auth md5 Admin2pass priv 3des Admin2key
snmp-server user TRAP_NMS1 TRAP_GROUP v3 auth sha trap_nms1_pw priv aes trap_nms1_key
The show snmp user command would depict the configured users as follows:
R1# show snmp user
User name: HP_OV
Engine ID: AB12CD34EF56
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: NOC

User name: Admin1
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: ADMIN_GROUP

User name: Admin2
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: ADMIN_GROUP

User name: TRAP_NMS1
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: TRAP_GROUP
R1#
5.31.5 Fix
Configure the network devices to only allow SNMP access from addresses belonging to the management network.
5.32 V-3034 - Interior routing protocols are not authenticated.
Severity: CAT II
Rule ID: SV-3043r4_rule
STIG ID: NET1675
Controls:
Responsibility: Information Assurance Officer
5.32.1 Summary
The network element must authenticate all IGP peers. Table 308 provides a summary result of the findings.
Table 308: Interior routing protocols are not authenticated. - Summary result
Device      Type          Status
router03    Cisco Router
CiscoIOS15  Cisco Router
5.32.2 Description
A rogue router could send a fictitious routing update to convince a site's premise router to send traffic to an incorrect or even a rogue destination. This diverted traffic could be analyzed to learn confidential information of the site's network, or merely used to disrupt the network's ability to effectively communicate with other networks.
5.32.3 Findings
router03
OSPF area authentication configured on router03 is detailed in Table 309.
Table 309: OSPF area authentication
Area         Authentication
0.0.0.0      None
30.10.20.40  None
The RIP interface authentication configured on router03 is detailed in Table 310.
Table 310: RIP interface authentication
Interface           Passive  Authentication
GigabitEthernet1/1  No       Clear Text
GigabitEthernet1/2  No       None
The EIGRP interface authentication configured on router03 is detailed in Table 311.
Table 311: EIGRP interface authentication
Interface           AS  Passive  Authentication
GigabitEthernet1/2  3   No       None
CiscoIOS15
OSPF area authentication configured on CiscoIOS15 is detailed in Table 312.
Table 312: OSPF area authentication
Area  Authentication
0     MD5
The RIP interface authentication configured on CiscoIOS15 is detailed in Table 313.
Table 313: RIP interface authentication
Interface        Passive  Authentication
FastEthernet0/0  No       MD5
The EIGRP interface authentication configured on CiscoIOS15 is detailed in Table 314.
Table 314: EIGRP interface authentication
Interface        AS  Passive  Authentication
FastEthernet0/0  1   No       MD5
5.32.4 Check
Review the device configuration to determine if authentication is configured for all IGP peers. If authentication is not configured for all IGP peers, this is a finding.
5.32.5 Fix
Configure authentication for all IGP peers.
5.33 V-3043 - SNMP privileged and non-privileged access.
Severity: CAT I
Rule ID: SV-3056r7_rule
STIG ID: NET0460
Controls:
Responsibility: Information Assurance Officer
5.33.1 Summary
The network device must use different SNMP community names or groups for various levels of read and write access. Table 315 provides a summary result of the findings.
Table 315: SNMP privileged and non-privileged access. - Summary result
Device      Type          Status
router03    Cisco Router
CiscoIOS15  Cisco Router
5.33.2 Description
Numerous vulnerabilities exist with SNMP; therefore, without unique SNMP community names, the risk of compromise is dramatically increased. This is especially true with vendors' default community names, which are widely known by hackers and other networking experts. If a hacker gains access to these devices and can easily guess the name, this could result in denial of service, interception of sensitive information, or other destructive actions.
5.33.3 Findings
router03
Table 316 details the SNMP community strings configured on router03.
Table 316: SNMP community configuration
Community  Access      Version  View  ACL
public     Read Only   1              20
private    Read/Write  1
CiscoIOS15
Table 317 details the SNMP community strings configured on CiscoIOS15.
Table 317: SNMP community configuration
Community     Access     Version  View  ACL
Testcom       Read Only  1              18
cisCommunity  Read Only  1              3
trapString    Read Only  1              3
5.33.4 Check
Review the SNMP configuration of all managed nodes to ensure different community names (V1/2) or groups/users (V3) are configured for read-only and read-write access. If unique community strings or accounts are not used for SNMP peers, this is a finding.
5.33.5 Fix
Configure the SNMP community strings on the network device and change them from the default values. SNMP community strings and user passwords must be unique and not match any other network device passwords. Different community strings (V1/2) or groups (V3) must be configured for various levels of read and write access.
5.34 V-3056 - Group accounts are defined.
Severity: CAT II
Rule ID: SV-15471r3_rule
STIG ID: NET0465
Controls: ECSC-1
Responsibility: Information Assurance Officer
5.34.1 Summary
Group accounts must not be configured for use on the network device. Table 318 provides a summary result of the findings.
Table 318: Group accounts are defined. - Summary result
Device      Type          Status
router03    Cisco Router
CiscoIOS15  Cisco Router
5.34.2 Description
Group accounts configured for use on a network device do not allow for accountability or repudiation of individuals using the shared account. If group accounts are not changed when someone leaves the group, that person could possibly gain control of the network device. Having group accounts does not allow for proper auditing of who is accessing or changing the network.
5.34.3 Findings
router03
Nipper Studio identified the local user accounts listed in Table 319 on router03.
Table 319: Users
User       Password  Privilege  Filter
temp       password  15
testuser   password  15
localuser  password  15
CiscoIOS15
Nipper Studio identified the local user accounts listed in Table 320 on CiscoIOS15.
Table 320: Users
User   Password     Privilege  Filter
admin  (ENCRYPTED)  1
Test   (ENCRYPTED)  1
5.34.4 Check
Review the network device configuration and validate there are no group accounts configured for access. If a group account is configured on the device, this is a finding.
5.34.5 Fix
Configure individual user accounts for each authorized person, then remove any group accounts.
5.35 V-3057 - Accounts assigned least privileges necessary to perform duties.
Severity: CAT II
Rule ID: SV-3058r5_rule
STIG ID: NET0470
Controls:
Responsibility: Information Assurance Officer
5.35.1 Summary
Authorized accounts must be assigned the least privilege level necessary to perform assigned duties. Table 321 provides a summary result of the findings.
Table 321: Accounts assigned least privileges necessary to perform duties. - Summary result
Device      Type          Status
router03    Cisco Router
CiscoIOS15  Cisco Router
5.35.2 Description
By not restricting authorized accounts to their proper privilege level, access to restricted functions may be allowed before authorized personnel are trained or experienced enough to use those functions. Network disruptions or outages may occur due to mistakes made by inexperienced persons using accounts with greater privileges than necessary.
5.35.3 Findings
router03
The 3 users listed in Table 322 were configured on router03.
Table 322: Users
User       Password  Privilege  Filter
temp       password  15
testuser   password  15
localuser  password  15
Table 323: User privileges
Mode  Level    Access
exec  chicken  privilege exec level chicken
CiscoIOS15
The 2 users listed in Table 324 were configured on CiscoIOS15.
Table 324: Users
User   Password     Privilege  Filter
admin  (ENCRYPTED)  1
Test   (ENCRYPTED)  1
5.35.4 Check
Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the greatest privilege level unless deemed necessary for assigned duties. If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding. Below is an example of assigning a privilege level to a local user account and changing the default privilege level of the configure terminal command.
username junior-engineer1 privilege 7 password xxxxxx
privilege exec level 7 configure terminal
The above example only covers local accounts. You will also need to check the accounts and their associated privilege levels configured in the authentication server. You can also use TACACS+ for even more granularity at the command level, as shown in the following example:
user = junior-engineer1 {
  password = clear "xxxxx"
  service = shell {
    set priv-lvl = 7
  }
}
5.35.5 Fix
Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.
5.36 V-3058 - Unauthorized accounts are configured to access device.
Severity: CAT I
Rule ID: SV-41449r2_rule
STIG ID: NET0600
Controls: ECSC-1
Responsibility: Information Assurance Officer
5.36.1 Summary
Unauthorized accounts must not be configured for access to the network device. Table 325 provides a summary result of the findings.
Table 325: Unauthorized accounts are configured to access device. - Summary result
Device      Type          Status
router03    Cisco Router
CiscoIOS15  Cisco Router
5.36.2 Description
A malicious user attempting to gain access to the network device may compromise an account that may be unauthorized for use. The unauthorized account may be a temporary or inactive account that is no longer needed to access the device. Denial of Service, interception of sensitive information, or other destructive actions could potentially take place if an unauthorized account is configured to access the network device.
5.36.3 Findings
router03
Nipper Studio identified the local user accounts listed in Table 326 on router03.
Table 326: Users
User       Password  Privilege  Filter
temp       password  15
testuser   password  15
localuser  password  15
CiscoIOS15
Nipper Studio identified the local user accounts listed in Table 327 on CiscoIOS15.
Table 327: Users
User   Password     Privilege  Filter
admin  (ENCRYPTED)  1
Test   (ENCRYPTED)  1
5.36.4 Check
Review the organization's responsibilities list and reconcile the list of authorized accounts with those accounts defined for access to the network device. If an unauthorized account is configured for access to the device, this is a finding.
5.36.5 Fix
Remove any account configured for access to the network device that is not defined in the organization's responsibilities list.
5.37 V-3062 - Passwords are viewable when displaying the config.
Severity: CAT II
Rule ID: SV-15451r3_rule
STIG ID: NET1638
Controls: DCNR-1, ECSC-1
Responsibility: Information Assurance Officer
5.37.1 Summary
The network element must be configured to ensure passwords are not viewable when displaying configuration information. Table 328 provides a summary result of the findings.
Table 328: Passwords are viewable when displaying the config. - Summary result
Device      Type          Status
router03    Cisco Router
CiscoIOS15  Cisco Router
5.37.2 Description
Many attacks on information systems and network elements are launched from within the network. Hence, it is imperative that all passwords are encrypted so they cannot be intercepted by viewing the console or printout of the configuration.
5.37.3 Findings
router03
Nipper Studio determined that the configuration password encryption option was disabled on router03.
Nipper Studio identified the four users detailed in Table 329 configured on router03.
Table 329: Users
User               Password  Privilege  Filter
enable (password)  cisco     15
temp               password  15
testuser           password  15
localuser          password  15
CiscoIOS15
Nipper Studio determined that the configuration password encryption option was enabled on CiscoIOS15.
Nipper Studio identified the four users detailed in Table 330 configured on CiscoIOS15.
Table 330: Users
User               Password     Privilege  Filter
enable (secret)    (ENCRYPTED)  15
enable (password)  password     15
admin              (ENCRYPTED)  1
Test               (ENCRYPTED)  1
5.37.4 Check
Review all Cisco IOS routers and switches to determine if the global command "service password-encryption" is present in the configurations. Also, review all accounts created on the device to ensure they have been set up using the "username name secret password" command. The following commands will be found in the device configurations:
Device# show run
!
service password-encryption
!
username name secret 5 $1$geU5$vc/uDRS5dWiOrpQJTimBw/
enable secret 5 $1%mer9396y30d$FDA/292/
5.37.5 Fix
Configure the network element to ensure passwords are not viewable when displaying configuration information.
Device(config)# service password-encryption
Device(config)# username name secret S3cr3T!
Device(config)# enable secret $MyS3cr3TPW$
Device(config)# end
5.38 V-3069 - Management connections must be secured by FIPS 140-2.
Severity: CAT III
Rule ID: SV-15455r2_rule
STIG ID: NET1640
Controls:
Responsibility: Information Assurance Officer
5.38.1 Summary
Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules. Table 331 provides a summary result of the findings.
Table 331: Management connections must be secured by FIPS 140-2. - Summary result
Device      Type          Status
router03    Cisco Router
CiscoIOS15  Cisco Router
5.38.2 Description
Administration and management connections performed across a network are inherently dangerous because anyone with a packet sniffer and access to the right LAN segment can acquire the network device account and password information. With this intercepted information they could gain access to the router and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.
5.38.3 Findings
router03
Nipper Studio determined that the following five potentially insecure management services detailed in Table 332 were configured on router03.
Table 332: Management Services
Service  State
Telnet   Disabled
SSHv1    Disabled
RSH      Disabled
HTTP     Enabled
HTTPS    Disabled
CiscoIOS15
Nipper Studio determined that the following four potentially insecure management services detailed in Table 333 were configured on CiscoIOS15.
Table 333: Management Services
Service  State
Telnet   Disabled
RSH      Disabled
HTTP     Disabled
HTTPS    Disabled
5.38.4 Check
Review the network device configuration to verify only secure protocols using FIPS 140-2 validated cryptographic modules are used for any administrative access. Some of the secure protocols used for administrative and management access are listed below. This list is not all inclusive and represents a sample selection of secure protocols.
- SSHv2
- SCP
- HTTPS
- SSL
- TLS
This is an example that enables SSHv2/SCP/HTTPS on an IOS device:
!
ip domain-name example.com
!
crypto key generate rsa modulus 2048
!
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source-interface GigabitEthernet0/1
ip ssh version 2
!
line vty 0 15
 transport input ssh
!
ip scp server enable
!
ip http secure-server
If management connections are established using protocols without FIPS 140-2 validated cryptographic modules, this is a finding.
5.38.5 Fix
Configure the network device to use secure protocols with FIPS 140-2 validated cryptographic modules.
5.39 V-3070 - Management connections must be logged.
Severity: CAT III
Rule ID: SV-3072r3_rule
STIG ID: NET1030
Controls:
Responsibility: Information Assurance Officer
5.39.1 Summary
The network element must log all attempts to establish a management connection for administrative access. Table 334 provides a summary result of the findings.
Table 334: Management connections must be logged. - Summary result
Device      Type          Status
router03    Cisco Router
CiscoIOS15  Cisco Router
5.39.2 Description
Audit logs are necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders could continue attacks against the network indefinitely. With this information, the network administrator can devise ways to block the attack and possibly identify and prosecute the attacker.
5.39.3 Findings
router03
Table 335: Active Administration Services
Service  ACL
HTTP
The administrative VTY line on router03 was configured as detailed in Table 336.
Table 336: VTY Lines
Line     Access  Login          Level  Password  Authorization  Accounting  Filter In  SSH  Telnet
VTY 0-4  Yes     Line Password  1      password  Off            Off         10         Yes  No
CiscoIOS15
The two administrative VTY lines on CiscoIOS15 were configured as detailed in Table 337.
Table 337: VTY Lines
Line       Access  Login               Level  Password  Authorization  Accounting  Filter In  SSH  Telnet
VTY 0-4    Yes     AAA Authentication  1      password  Off            Off         1          Yes  No
VTY 5-807  Yes     AAA Authentication  1                Off            Off         1          Yes  No
Nipper Studio identified a rule in filter rule list 1 without logging, as detailed in Table 338.
Table 338: VTY Line 0-4 ACL 1
Rule  Action  Source  Log
1             Any     No
Nipper Studio identified a rule in filter rule list 1 without logging, as detailed in Table 339.
Table 339: VTY Line 5-807 ACL 1
Rule  Action  Source  Log
1             Any     No
5.39.4 Check
Review each Cisco router configuration to ensure that all connection attempts to the VTY ports are logged as shown in the following example:
access-list 3 permit 192.168.1.10 log
access-list 3 permit 192.168.1.11 log
access-list 3 deny any log
…
line vty 0 4
 access-class 3 in
5.39.5 Fix
Configure the device to log all access attempts to the device to establish a management connection for administrative access.
5.40V-3072-Runningandstartupconfigurationsarenotsynchronized.
5.40.1Summary
Therunningconfigurationmustbesynchronizedwiththestartupconfigurationafterchangeshavebeenmadeandimplemented.Table340providesasummaryresultofthefindings.
Table340:Runningandstartupconfigurationsarenotsynchronized.-Summaryresult
Device Type Status
router03 CiscoRouter
CiscoIOS15 CiscoRouter
5.40.2Description
Iftherunningandstartuprouterconfigurationsarenotsynchronizedproperlyandaroutermalfunctions,itwillnotrestartwithalloftherecentchangesincorporated.Iftherecentchangesweresecurityrelated,thentherouterswouldbevulnerabletoattack.
5.40.3Check
Review the running and boot configurations to determine if they are synchronized.
IOS Procedure: With online editing, the "show running-config" command will only show the current running configuration settings, which are different from the IOS defaults. The "show startup-config" command will show the NVRAM startup configuration. Compare the two configurations to ensure they are synchronized.
JUNOS Procedure: This will never be a finding. The active configuration is stored on flash as juniper.conf. A candidate configuration allows configuration changes while in configuration mode without initiating operational changes. The router implements the candidate configuration when it is committed, thereby making it the new active configuration, at which time it will be stored on flash as juniper.conf and the old juniper.conf will become juniper.conf.1.
If the running configuration and boot configuration are not the same, this is a finding.
5.40.4 Fix
Add procedures to the standard operating procedure to keep the running configuration synchronized with the startup configuration.
STIG reference for 5.41 (V-3078): Severity: CAT III; Rule ID: SV-3078r3_rule; STIG ID: NET0720; Controls: (none listed); Responsibility: Information Assurance Officer
5.41 V-3078 - TCP and UDP small server services are not disabled.
5.41.1 Summary
Network devices must have TCP and UDP small servers disabled. Table 341 provides a summary result of the findings.
Table 341: TCP and UDP small server services are not disabled. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.41.2 Description
Cisco IOS provides the "small services" that include echo, chargen, and discard. These services, especially their User Datagram Protocol (UDP) versions, are infrequently used for legitimate purposes. However, they have been used to launch denial of service attacks that would otherwise be prevented by packet filtering. For example, an attacker might send a DNS packet, falsifying the source address to be a DNS server that would otherwise be unreachable, and falsifying the source port to be the DNS service port (port 53). If such a packet were sent to the Cisco's UDP echo port, the result would be the Cisco sending a DNS packet to the server in question. No outgoing access list checks would be applied to this packet, since it would be considered locally generated by the router itself. The small services are disabled by default in Cisco IOS 12.0 and later software. In earlier software, they may be disabled using the commands no service tcp-small-servers and no service udp-small-servers.
5.41.3 Findings
router03
Table 342 details the small services on router03.
Table 342: Small services
Service | Status
TCP Small Servers | Enabled
UDP Small Servers | Enabled
CiscoIOS15
Table 343 details the small services on CiscoIOS15.
Table 343: Small services
Service | Status
TCP Small Servers | Disabled
UDP Small Servers | Disabled
5.41.4 Check
Review all Cisco device configurations to verify that service udp-small-servers and service tcp-small-servers are not found. If TCP and UDP small servers are not disabled, this is a finding. Note: The TCP and UDP small servers are enabled by default on Cisco IOS Software Version 11.2 and earlier. They are disabled by default on Cisco IOS Software Versions 11.3 and later. Because the running configuration does not display default settings, the absence of any small-servers line is only conclusive on releases where the default is disabled; on earlier releases the explicit no service lines must be present.
5.41.5 Fix
Change the device configuration to include the following IOS commands: no service tcp-small-servers and no service udp-small-servers for each device running an IOS version prior to 12.0. This is the default for IOS versions 12.0 and later (i.e., these commands will not appear in the running configuration).
STIG reference for 5.42 (V-3079): Severity: CAT III
5.42 V-3079 - The finger service is not disabled.
Rule ID: SV-15305r2_rule
STIG ID: NET0730
Controls: (none listed)
Responsibility: Information Assurance Officer
5.42.1 Summary
The network element must have the Finger service disabled. Table 344 provides a summary result of the findings.
Table 344: The finger service is not disabled. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.42.2 Description
The finger service supports the UNIX finger protocol, which is used for querying a host about the users that are logged on. This service is not necessary for generic users. If an attacker were to find out who is using the network, they may use social engineering practices to try to elicit classified DoD information.
5.42.3 Findings
The Finger service status is detailed in Table 345.
Table 345: STIG NET0730 Finger service status
Device | Finger Service
router03 | Enabled
CiscoIOS15 | Disabled
5.42.4 Check
Review the device configuration. Beginning with IOS 12.1(5), finger is disabled by default. For IOS versions 12.0 through 12.1(4), verify that the no ip finger command is present. For any version prior to 12.0, verify that the no service finger command is present.
5.42.5 Fix
Configure the device to disable the Finger service.
STIG reference for 5.43 (V-3080): Severity: CAT II; Rule ID: SV-3080r3_rule; STIG ID: NET0760; Controls: (none listed); Responsibility: Information Assurance Officer
5.43 V-3080 - Configuration auto-loading must be disabled.
5.43.1 Summary
The configuration auto-loading feature must be disabled. Table 346 provides a summary result of the findings.
Table 346: Configuration auto-loading must be disabled. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.43.2 Description
Devices can find their startup configuration either in their own NVRAM or access it over the network via TFTP or Remote Copy (rcp). Loading the configuration from the network is a security risk, since the transfer could be intercepted by an attacker who could corrupt the configuration, resulting in a denial of service.
5.43.3 Check
Review the device configuration to determine if the configuration auto-loading feature is disabled. If the configuration auto-loading feature is enabled, this is a finding.
5.43.4 Fix
Disable the configuration auto-loading feature.
5.44 V-3081 - IP Source Routing is not disabled on all routers.
Severity: CAT II
Rule ID: SV-15316r2_rule
STIG ID: NET0770
Controls: (none listed)
Responsibility: Information Assurance Officer
5.44.1 Summary
The router must have IP source routing disabled. Table 347 provides a summary result of the findings.
Table 347: IP Source Routing is not disabled on all routers. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.44.2 Description
Source routing is a feature of IP whereby individual packets can specify routes. This feature is used in several different network attacks to bypass perimeter and internal defense mechanisms.
5.44.3 Check
Review the configuration to determine if source routing is enabled. The IOS command no ip source-route must be included in the configuration.
5.44.4 Fix
Configure the router to disable IP source routing.
STIG reference for 5.45 (V-3083): Severity: CAT III; Rule ID: SV-3083r3_rule; STIG ID: NET0790; Controls: ECSC-1; Responsibility: Information Assurance Officer
5.45 V-3083 - IP directed broadcast is not disabled.
5.45.1 Summary
IP directed broadcast must be disabled on all layer 3 interfaces. Table 348 provides a summary result of the findings.
Table 348: IP directed broadcast is not disabled. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.45.2 Description
An IP directed broadcast is a datagram sent to the broadcast address of a subnet that is not directly attached to the sending machine. The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a link-layer broadcast. Because of the nature of the IP addressing architecture, only the last router in the chain, which is connected directly to the target subnet, can conclusively identify a directed broadcast. IP directed broadcasts are used in the extremely common and popular smurf, or Denial of Service (DoS), attacks. In a smurf attack, the attacker sends ICMP echo requests from a falsified source address to a directed broadcast address, causing all the hosts on the target subnet to send replies to the falsified source. By sending a continuous stream of such requests, the attacker can create a much larger stream of replies, which can completely inundate the host whose address is being falsified. This service should be disabled on all interfaces when not needed, to prevent smurf and DoS attacks.
Directed broadcast can be enabled on internal-facing interfaces to support services such as Wake-on-LAN. Scenarios may also include support for legacy applications where the content server and the clients do not support multicast. The content servers send streaming data using UDP broadcast. Used in conjunction with the ip multicast helper-map feature, broadcast data can be sent across a multicast topology. The broadcast streams are converted to multicast at the first-hop routers before entering the multicast transit area and back to broadcast at the last-hop routers after leaving it. The last-hop router must convert the multicast to broadcast; hence, this interface must be configured to forward a broadcast packet (i.e., a directed broadcast address is converted to the all-nodes broadcast address).
5.45.3 Check
IP directed broadcast is disabled by default in IOS version 12.0 and higher, so the command "no ip directed-broadcast" will not be displayed in the running configuration; verify that the running configuration does not contain the command "ip directed-broadcast" on any interface. For versions prior to 12.0, ensure the command "no ip directed-broadcast" is displayed under each layer 3 interface in the running configuration. If IP directed broadcasts are enabled on layer 3 interfaces, this is a finding.
5.45.4 Fix
Disable IP directed broadcasts on all layer 3 interfaces.
STIG reference for 5.46 (V-3085): Severity: CAT II; Rule ID: SV-41467r1_rule; STIG ID: NET0740; Controls: (none listed); Responsibility: Information Assurance Officer
STIG reference for 5.47 (V-3086): Severity: CAT III; Rule ID: SV-3086r3_rule; STIG ID: NET0750; Controls: (none listed); Responsibility: Information Assurance Officer
5.46 V-3085 - HTTP server is not disabled.
5.46.1 Summary
The network element must have the HTTP service for administrative access disabled. Table 349 provides a summary result of the findings.
Table 349: HTTP server is not disabled. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.46.2 Description
Any additional services that the router is enabled for increase the risk of an attack, since the router will listen for these services. In addition, these services provide an unsecured method for an attacker to gain access to the router. Most recent software versions support remote configuration and monitoring using the World Wide Web's HTTP protocol. In general, HTTP access is equivalent to interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a clear-text password across the network, and, unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords. This makes HTTP a relatively risky choice for use across the public Internet.
5.46.3 Findings
The HTTP service status is detailed in Table 350.
Table 350: STIG NET0740 HTTP service status
Device | HTTP Service
router03 | Enabled
CiscoIOS15 | Disabled
5.46.4 Check
Verify that the command "ip http server" is not defined in the configuration. As of 12.4, the HTTP server is still disabled by default. However, since many defaults are not shown by IOS, you may not see the command "no ip http server" in the configuration, depending on the release. This rule concerns the clear-text HTTP server (ip http server); the HTTPS server (ip http secure-server) is a separate command and should be assessed on its own.
5.46.5 Fix
Configure the device to disable the use of HTTP (port 80) for administrative access.
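The checks in 5.41, 5.42, 5.44, 5.45 and 5.46 share one subtlety: a running configuration hides default settings, so whether the absence of a "no ..." line is compliant depends on the IOS release. The following Python script is an added example (not code from the Nipper Studio report or the STIG) that applies the release rules stated in those checks to a running-config. The configurations embedded in it are constructed samples; the first reproduces the router03 findings above.

```python
"""Version-aware check of the IOS services whose default depends on the release.

Added example: not code from the Nipper Studio report or the STIG.  It applies
the release rules the report's check text states for small servers (NET0720),
finger (NET0730), HTTP server (NET0740), source routing (NET0770) and directed
broadcast (NET0790).  Configurations below are constructed samples.
"""
import re


def parse_version(text):
    """'12.1(4)' -> (12, 1, 4); '12.3' -> (12, 3, 0); '15.0' -> (15, 0, 0)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\((\d+)\))?", text)
    if not m:
        raise ValueError("unrecognised IOS version: %r" % text)
    major, minor, maint = m.groups()
    return (int(major), int(minor), int(maint or 0))


def _interfaces(lines):
    """Yield (interface name, [indented sub-commands]) from running-config lines."""
    name, body = None, []
    for line in lines + ["!"]:                  # sentinel flushes the last block
        if line.startswith(" ") and name is not None:
            body.append(line.strip())
            continue
        if name is not None:
            yield name, body
            name, body = None, []
        if line.startswith("interface "):
            name = line.split(None, 1)[1]


def check_services(version, config):
    """Return [(STIG ID, message)] findings for a running-config on this IOS version."""
    v = parse_version(version)
    lines = [l.rstrip() for l in config.strip("\n").splitlines()]
    present = lambda cmd: any(l.strip() == cmd for l in lines)
    findings = []

    # NET0720: an explicit 'service ...-small-servers' is always a finding; before
    # 12.0 the report's fix requires the explicit 'no service ...' lines.
    for proto in ("tcp", "udp"):
        if present("service %s-small-servers" % proto):
            findings.append(("NET0720", "%s small servers explicitly enabled" % proto.upper()))
        elif v < (12, 0, 0) and not present("no service %s-small-servers" % proto):
            findings.append(("NET0720", "pre-12.0 release without 'no service %s-small-servers'" % proto))

    # NET0730: the finger default changed twice (12.0 and 12.1(5)).
    if v >= (12, 1, 5):
        finger_on = present("ip finger") or present("service finger")
    elif v >= (12, 0, 0):
        finger_on = not present("no ip finger")
    else:
        finger_on = not present("no service finger")
    if finger_on:
        findings.append(("NET0730", "finger service enabled"))

    # NET0740: the HTTP server is off by default, so only the explicit form matters.
    if present("ip http server"):
        findings.append(("NET0740", "HTTP server enabled"))

    # NET0770: source routing is on by default, so the 'no' form must be present.
    if not present("no ip source-route"):
        findings.append(("NET0770", "IP source routing not disabled"))

    # NET0790: directed broadcast is per layer-3 interface; default off from 12.0.
    for name, body in _interfaces(lines):
        is_l3 = any(cmd.startswith("ip address") for cmd in body)
        if "ip directed-broadcast" in body:
            findings.append(("NET0790", "%s: ip directed-broadcast enabled" % name))
        elif v < (12, 0, 0) and is_l3 and "no ip directed-broadcast" not in body:
            findings.append(("NET0790", "%s: pre-12.0 release without 'no ip directed-broadcast'" % name))
    return findings


# Constructed sample that reproduces the router03 findings in this report.
ROUTER03_LIKE = """
hostname router03
service tcp-small-servers
service udp-small-servers
ip finger
ip http server
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
"""

# Constructed hardened sample for a 15.0 release.
HARDENED = """
hostname hardened
no ip source-route
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

if __name__ == "__main__":
    for host, release, cfg in (("router03", "12.3", ROUTER03_LIKE), ("hardened", "15.0", HARDENED)):
        for stig_id, msg in check_services(release, cfg) or [("-", "compliant")]:
            print("%-10s %-8s %s" % (host, stig_id, msg))
```

Feed it the device's "show version" release string and the running configuration; on 12.0 and later the absence of small-servers and directed-broadcast lines is accepted, while on 12.1(4) and earlier the script insists on the explicit "no ..." commands exactly as the checks above require.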
5.47 V-3086 - The Bootp service is not disabled.
5.47.1 Summary
BOOTP services must be disabled. Table 351 provides a summary result of the findings.
Table 351: The Bootp service is not disabled. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.47.2 Description
BOOTP is a User Datagram Protocol (UDP) based service that can be used by Cisco routers to access copies of Cisco IOS Software on another Cisco router running the BOOTP service. In this scenario, one Cisco router acts as a Cisco IOS Software server that can download the software to other Cisco routers acting as BOOTP clients. In reality, this service is rarely used and can allow an attacker to download a copy of a router's Cisco IOS Software.
5.47.3 Check
Review the device configuration to determine if BOOTP services are enabled. If BOOTP is enabled, this is a finding.
5.47.4 Fix
Configure the device to disable all BOOTP services.
STIG reference for 5.48 (V-3143): Severity: CAT I; Rule ID: SV-3143r4_rule; STIG ID: NET0240; Controls: (none listed); Responsibility: Information Assurance Officer
STIG reference for 5.49 (V-3160): Severity: CAT II; Rule ID: SV-15302r2_rule; STIG ID: NET0700; Controls: (none listed); Responsibility: Information Assurance Officer
5.48 V-3143 - Devices exist with standard default passwords.
5.48.1 Summary
Network devices must not have any default manufacturer passwords. Table 352 provides a summary result of the findings.
Table 352: Devices exist with standard default passwords. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.48.2 Description
Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password, thus gaining access to the device and causing a network outage or denial of service. Many default vendor passwords are well known; hence, not removing them prior to deploying the network devices into production provides an opportunity for a malicious user to gain unauthorized access to the device.
5.48.3 Findings
router03
Nipper Studio determined that there were no default passwords on router03.
CiscoIOS15
Nipper Studio determined that there were no default passwords on CiscoIOS15.
5.48.4 Check
Review the network device's configuration to determine if the vendor default password is active. If any vendor default passwords are used on the device, this is a finding.
5.48.5 Fix
Remove any vendor default passwords from the network device's configuration.
5.49 V-3160 - Operating system is not at a current release level.
5.49.1 Summary
The network element must be running a current and supported operating system with all IAVMs addressed. Table 353 provides a summary result of the findings.
Table 353: Operating system is not at a current release level. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.49.2 Description
Network devices that are not running the latest tested and approved versions of software are vulnerable to network attacks. Running the most current, approved version of system and device software helps the site maintain a stable base of security fixes and patches, as well as enhancements to IP security. Viruses, denial of service attacks, system weaknesses, backdoors and other potentially harmful situations could render a system vulnerable, allowing unauthorized access to DoD assets.
5.49.3 Findings
Nipper Studio determined the device OS information detailed in Table 354.
Table 354: Device information
Device | Make | Model | Version
router03 | Cisco | Router | router03
CiscoIOS15 | Cisco | Router | CiscoIOS15
* Please note that the information provided in the STIG check below may not be entirely accurate, i.e., newer versions of IOS may be available.
5.49.4 Check
Have the administrator enter the show version command to determine the installed IOS version. As of June 2010, the latest major release is 12.4 for routers and 12.2 for switches (both access and multi-layer). The release being used must have all IAVMs resolved and must not be in a Cisco deferred status or have been made obsolete. Ask the administrator to log in to the Cisco Software Center to download software. Select the specific router or switch model. Select the IOS Software link and then verify that the release being used is listed under the release family (you will need to expand the list) and not in the deferred list. If the release is not listed in either the release family or the deferred list, then the release is obsolete. Verify that all IAVMs have been addressed.
Note: Cisco software in a deferred state will still be at the Cisco Software Center and available for download under the deferred group, whereas software made obsolete is no longer available for download. Deferred status occurs when a software maintenance release is made obsolete and removed from orderability and service outside of Cisco's normal release schedule, or Cisco cancels a scheduled maintenance release from reaching the First-Customer-Ship (FCS) milestone. Deferrals are most often related to software quality issues. A deferral can be performed for an entire maintenance release, or just for certain sets of platforms or features within a release. A deferral prior to the FCS milestone may be performed by Cisco to protect customers from receiving software with known catastrophic defects. A deferral after FCS will expedite obsolescence for the release to limit the exposure of customers.
5.49.5 Fix
Update the operating system to a supported version that addresses all related IAVMs.
STIG reference for 5.50 (V-3175): Severity: CAT I; Rule ID: SV-15448r3_rule; STIG ID: NET1636; Controls: ECSC-1; Responsibility: Information Assurance Officer
5.50 V-3175 - Management connections must require passwords.
5.50.1 Summary
The network devices must require authentication prior to establishing a management connection for administrative access. Table 355 provides a summary result of the findings.
Table 355: Management connections must require passwords. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.50.2 Description
Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes, enabling them to disrupt network operations and cause a network outage.
5.50.3 Findings
router03
Nipper Studio determined that the Lines configured on router03 required authentication for administrative access. Table 356 details the configured Lines.
Table 356: Administrative Lines configured on router03.
Line | Access | Login | Level | Password | Authorization | Accounting | Filter In
Console | Yes | Line Password | 1 | password | Off | Off |
Auxiliary | Yes | Line Password | 1 | password | Off | Off |
VTY 0-4 | Yes | Line Password | 1 | password | Off | Off | 10
Nipper Studio determined that the Users configured on router03 required authentication for administrative access. Table 357 details the configured Users.
Table 357: Local users configured on router03.
User | Password | Privilege | Filter
enable (password) | cisco | 15 |
temp | password | 15 |
testuser | password | 15 |
localuser | password | 15 |
Console Line | password | 1 |
Auxiliary | password | 1 |
VTY 0-4 Line | password | 1 |
Note that router03 relies on line passwords and a clear-text enable password, whereas CiscoIOS15 (below) uses AAA authentication and an encrypted enable secret.
CiscoIOS15
Nipper Studio determined that the Lines configured on CiscoIOS15 required authentication for administrative access. Table 358 details the configured Lines.
Table 358: Administrative Lines configured on CiscoIOS15.
Line | Access | Login | Level | Password | Authorization | Accounting | Filter In
Console | Yes | AAA Authentication | 1 | | Off | Off |
Auxiliary | No | N/A | 1 | | Off | Off |
Interface 0/0/0 | Yes | AAA Authentication | 1 | | Off | Off |
VTY 0-4 | Yes | AAA Authentication | 1 | password | Off | Off | 1
VTY 5-807 | Yes | AAA Authentication | 1 | | Off | Off | 1
Nipper Studio determined that the Users configured on CiscoIOS15 required authentication for administrative access. Table 359 details the configured Users.
Table 359: Local users configured on CiscoIOS15.
User | Password | Privilege | Filter
enable (secret) | (ENCRYPTED) | 15 |
enable (password) | password | 15 |
admin | (ENCRYPTED) | 1 |
Test | (ENCRYPTED) | 1 |
VTY 0-4 Line | password | 1 |
5.50.4 Check
Review the network device configuration to verify all management connections for administrative access require authentication. The vty ports should look similar to the example below, which references an authentication list configured as AUTH_LIST.
line vty 0 4
 login authentication AUTH_LIST
 exec-timeout 10 0
 transport input ssh
5.50.5 Fix
Configure authentication for all management connections.
STIG reference for 5.51 (V-3196): Severity: CAT I; Rule ID: SV-3196r4_rule; STIG ID: NET1660; Controls: (none listed); Responsibility: Information Assurance Officer
5.51 V-3196 - An insecure version of SNMP is being used.
5.51.1 Summary
The network device must use the SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device. Table 360 provides a summary result of the findings.
Table 360: An insecure version of SNMP is being used. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.51.2 Description
SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain access to network management information used to launch an attack against the network.
5.51.3 Findings
router03
Nipper Studio determined that SNMP version 1/2 was enabled on router03.
CiscoIOS15
Nipper Studio determined that SNMP version 1/2 was enabled on CiscoIOS15.
5.51.4 Check
Review the device configuration to verify it is configured to use SNMPv3 with both SHA authentication and privacy using AES encryption.
Downgrades: If the site is using Version 1 or Version 2 with all of the appropriate patches and has developed a migration plan to implement the Version 3 Security Model, this finding can be downgraded to a Category II. If the targeted asset is running SNMPv3 and does not support SHA or AES, but the device is configured to use MD5 authentication and DES or 3DES encryption, then the finding can be downgraded to a Category III. If the site is using Version 1 or Version 2 and has installed all of the appropriate patches or upgrades to mitigate any known security vulnerabilities, this finding can be downgraded to a Category II. In addition, if the device does not support SNMPv3, this finding can be downgraded to a Category III provided all of the appropriate patches to mitigate any known security vulnerabilities have been applied and a migration plan has been developed that includes the device upgrade to support Version 3 and the implementation of the Version 3 Security Model.
If the device is configured to use anything other than SNMPv3 with at least SHA-1 and AES, this is a finding. Downgrades can be determined based on the criteria above.
5.51.5 Fix
If SNMP is enabled, configure the network device to use the SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption).
STIG reference for 5.52 (V-3210): Severity: CAT I; Rule ID: SV-3210r4_rule; STIG ID: NET1665; Controls: (none listed); Responsibility: Information Assurance Officer
5.52 V-3210 - Using default SNMP community names.
5.52.1 Summary
The network device must not use the default or well-known SNMP community strings public and private. Table 361 provides a summary result of the findings.
Table 361: Using default SNMP community names. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.52.2 Description
Network devices may be distributed by the vendor pre-configured with an SNMP agent using the well-known SNMP community strings public for read-only and private for read and write authorization. An attacker can obtain information about a network device using the read community string "public". In addition, an attacker can change a system configuration using the write community string "private".
5.52.3 Check
Review the network device's configuration and verify whether either of the SNMP community strings "public" or "private" is being used. If default or well-known community strings are used for SNMP, this is a finding.
5.52.4 Fix
Configure unique SNMP community strings, replacing the default community strings.
STIG reference for 5.53 (V-3966): Severity: CAT II; Rule ID: SV-15469r6_rule; STIG ID: NET0440; Controls: (none listed); Responsibility: (none listed)
STIG reference for 5.54 (V-3967): Severity: CAT II
5.53 V-3966 - More than one local account is defined.
5.53.1 Summary
In the event the authentication server is unavailable, the network device must have a single local account of last resort defined. Table 362 provides a summary result of the findings.
Table 362: More than one local account is defined. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.53.2 Description
Authentication for administrative access to the device is required at all times. A single account of last resort can be created on the device's local database for use in an emergency, such as when the authentication server is down or connectivity between the device and the authentication server is not operable. The console or local account of last resort logon credentials must be stored in a sealed envelope and kept in a safe.
5.53.3 Findings
router03
Nipper Studio identified three administrative local user accounts configured on router03. These are detailed in Table 363.
Table 363: Users
User | Password | Privilege | Filter
temp | password | 15 |
testuser | password | 15 |
localuser | password | 15 |
CiscoIOS15
Nipper Studio identified two administrative local user accounts configured on CiscoIOS15. These are detailed in Table 364.
Table 364: Users
User | Password | Privilege | Filter
admin | (ENCRYPTED) | 1 |
Test | (ENCRYPTED) | 1 |
5.53.4 Check
Review the network device configuration to determine if an authentication server is defined for gaining administrative access. If so, there must be only one local account of last resort configured locally for an emergency. Verify that the username and password for the local account of last resort are contained within a sealed envelope kept in a safe. If an authentication server is used and more than one local account exists, this is a finding.
5.53.5 Fix
Configure the device to only allow one local account of last resort for emergency access and store the credentials in a secure manner.
5.54 V-3967 - The console port does not time out after 10 minutes.
Rule ID: SV-15444r2_rule
STIG ID: NET1624
Controls: (none listed)
Responsibility: Information Assurance Officer
5.54.1 Summary
The network element must time out access to the console port after 10 minutes or less of inactivity. Table 365 provides a summary result of the findings.
Table 365: The console port does not time out after 10 minutes. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.54.2 Description
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.
5.54.3 Check
Review the configuration and verify that a session using the console port will time out after 10 minutes or less of inactivity, as shown in the following example:
line con 0
 exec-timeout 10 0
5.54.4 Fix
Configure the timeout for idle console connections to 10 minutes or less.
STIG reference for 5.55 (V-3969): Severity: CAT II; Rule ID: SV-30086r3_rule; STIG ID: NET0894; Controls: ECSC-1; Responsibility: Information Assurance Officer
5.55 V-3969 - Network element must only allow SNMP read access.
5.55.1 Summary
The network device must only allow SNMP read-only access. Table 366 provides a summary result of the findings.
Table 366: Network element must only allow SNMP read access. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.55.2 Description
Enabling write access to the device via SNMP provides a mechanism that can be exploited by an attacker to set configuration variables that can disrupt network operations.
5.55.3 Check
Review the network device configuration and verify SNMP community strings are read-only when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3. If write access is used for SNMP versions 1, 2c, or 3 in noAuthNoPriv mode and there is no documented approval by the IAO, this is a finding.
SNMPv1/v2c configuration example:
Device# show run
!
ip access-list standard NMS_LIST
 permit 10.1.1.22
 permit 10.1.1.24
!
snmp-server community c0macc3ss RO NMS_LIST
snmp-server community R34dWr1t3 RW NMS_LIST
snmp-server location Somewhere USA
snmp-server contact snmp.admin@snmp.mil
snmp-server enable traps snmp
snmp-server host 10.1.1.22 traps SNMPv1
snmp-server host 10.1.1.24 traps SNMPv2c
SNMPv3 configuration example: The example ACLs NMS_LIST and ADMIN_LIST are used to define which network management stations and administrator (user) desktops can access the device. Examine all group statements to determine what groups are allowed write access. Have the administrator enter a "show snmp user" command and examine all users for these groups to verify that they must be authenticated.
Device# show run
!
ip access-list standard ADMIN_LIST
 permit 10.1.1.35
 permit 10.1.1.36
ip access-list standard NMS_LIST
 permit 10.1.1.24
 permit 10.1.1.22
 permit 10.1.1.23
!
snmp-server group NOC v3 priv read VIEW_ALL write VIEW_LIMIT access NMS_LIST
snmp-server group TRAP_GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server group ADMIN_GROUP v3 priv read VIEW_ALL write VIEW_ALL access ADMIN_LIST
snmp-server view VIEW_ALL internet included
snmp-server view VIEW_LIMIT internet included
snmp-server view VIEW_LIMIT internet.6.3.15 excluded
snmp-server view VIEW_LIMIT internet.6.3.16 excluded
snmp-server view VIEW_LIMIT internet.6.3.18 excluded
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.1.1.24 version 3 priv TRAP_NMS1
Note: For the configured group TRAP_GROUP, the notify view is auto-generated by the snmp-server host command, which binds the user (TRAP_NMS1) and the group it belongs to (TRAP_GROUP) to the list of notifications (traps or informs) which are sent to the host. Hence, the configuration snmp-server group TRAP_GROUP v3 priv results in the following: snmp-server group TRAP_GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
Note: Also, for illustration purposes only, VIEW_LIMIT excludes MIB objects which could potentially reveal information about configured SNMP credentials. These objects are snmpUsmMIB, snmpVacmMIB, and snmpCommunityMIB, which are configured as 1.3.6.1.6.3.15, 1.3.6.1.6.3.16, and 1.3.6.1.6.3.18 respectively.
SNMPv3 users are not shown in a running configuration. You can view them with the "show snmp user" command. So, for example, if the following users were configured:
snmp-server user HP_OV NOC v3 auth sha HPOVpswd priv aes 256 HPOVsecretkey
snmp-server user Admin1 ADMIN_GROUP v3 auth sha Admin1PW priv aes 256 Admin1key
snmp-server user Admin2 ADMIN_GROUP v3 auth md5 Admin2pass priv 3des Admin2key
snmp-server user TRAP_NMS1 TRAP_GROUP v3 auth sha trap_nms1_pw priv aes trap_nms1_key
the show snmp user command would depict the configured users as follows:
Device# show snmp user
User name: HP_OV
Engine ID: AB12CD34EF56
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: NOC

User name: Admin1
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: ADMIN_GROUP

User name: Admin2
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: ADMIN_GROUP

User name: TRAP_NMS1
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: TRAP_GROUP
5.55.4 Fix
Configure the network device to allow for read-only SNMP access when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3.
STIG reference for 5.56 (V-4582): Severity: CAT I; Rule ID: SV-19270r3_rule; STIG ID: NET1623; Controls: IAIA-1, IAIA-2; Responsibility: Information Assurance Officer
STIG reference for 5.57 (V-4584): Severity: CAT III; Rule ID: SV-15476r2_rule; STIG ID: NET1021; Controls: (none listed); Responsibility: Information Assurance Officer
5.56 V-4582 - Authentication required for console access.
5.56.1 Summary
The network device must require authentication for console access. Table 367 provides a summary result of the findings.
Table 367: Authentication required for console access. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.56.2 Description
Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes, enabling them to disrupt network operations and cause a network outage.
5.56.3 Findings
router03
Nipper Studio determined that console and aux access is password protected on router03.
CiscoIOS15
Nipper Studio determined that console and aux access is password protected on CiscoIOS15.
5.56.4 Check
Review the network device's configuration and verify authentication is required for console access. If the device is accessed via the aux port, then verify that this port also requires authentication. If it is not used, then it must be disabled. The console port and the disabled aux port should look similar to the configuration example below, which references an authentication list configured as AUTH_LIST.
line con 0
 login authentication AUTH_LIST
 exec-timeout 10 0
line aux 0
 no exec
5.56.5 Fix
Configure authentication for console access on the network device.
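The three SNMP findings above (5.51 version, 5.52 community strings, 5.55 write access) can be evaluated together from a running configuration plus "show snmp user" output, since v3 user credentials are not shown in the configuration. The Python script below is an added example (not code from the Nipper Studio report or the STIG) that does so; the group names and the "show snmp user" layout follow the example in 5.55.3, while the configuration text and user records embedded in it are constructed.

```python
"""SNMP audit for the checks in 5.51 (NET1660), 5.52 (NET1665) and 5.55 (NET0894).

Added example; not code from the Nipper Studio report or the STIG.  It flags the
well-known strings public/private, any v1/v2c community or non-v3 group,
read-write access over v1/v2c or via a v3 group without authentication, v3 groups
below auth+priv, and v3 users not on SHA + AES.  Sample input is constructed.
"""
import re


def _after(parts, key):
    """Token following 'key' in a command, or None."""
    return parts[parts.index(key) + 1] if key in parts else None


def parse_snmp_config(config):
    """Return ([(community, 'RO'|'RW', acl)], {group: {version, level, write, access}})."""
    communities, groups = [], {}
    for raw in config.splitlines():
        parts = raw.strip().split()
        if parts[:2] == ["snmp-server", "community"] and len(parts) >= 3:
            rest = parts[3:]
            if "view" in rest:                              # drop 'view NAME'
                i = rest.index("view")
                del rest[i:i + 2]
            mode = "RW" if "RW" in rest else "RO"           # IOS default is read-only
            acl = next((t for t in rest if t not in ("RO", "RW")), None)
            communities.append((parts[2], mode, acl))
        elif parts[:2] == ["snmp-server", "group"] and len(parts) >= 4:
            version = parts[3]
            level = parts[4] if version == "v3" and len(parts) > 4 else None
            groups[parts[2]] = {"version": version, "level": level,
                                "write": _after(parts, "write"), "access": _after(parts, "access")}
    return communities, groups


def parse_show_snmp_user(output):
    """Return {user: {'auth': ..., 'priv': ..., 'group': ...}} from 'show snmp user' text."""
    keys = {"Authentication Protocol": "auth", "Privacy Protocol": "priv", "Group-name": "group"}
    users, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"User name:\s*(\S+)", line)
        if m:
            current = users.setdefault(m.group(1), {})
            continue
        m = re.match(r"(Authentication Protocol|Privacy Protocol|Group-name):\s*(\S+)", line)
        if m and current is not None:
            current[keys[m.group(1)]] = m.group(2)
    return users


def audit_snmp(config, show_snmp_user=""):
    """Return [(STIG ID, message)] findings."""
    findings = []
    communities, groups = parse_snmp_config(config)
    for string, mode, acl in communities:
        if string.lower() in ("public", "private"):
            findings.append(("NET1665", "well-known community string %r" % string))
        findings.append(("NET1660", "v1/v2c community %r in use%s" % (string, "" if acl else ", no ACL")))
        if mode == "RW":
            findings.append(("NET0894", "read-write community %r over v1/v2c" % string))
    for name, g in groups.items():
        if g["version"] != "v3":
            findings.append(("NET1660", "group %s uses %s" % (name, g["version"])))
        elif g["level"] != "priv":
            findings.append(("NET1660", "v3 group %s is %s, not auth+priv" % (name, g["level"])))
            if g["level"] == "noauth" and g["write"]:
                findings.append(("NET0894", "noAuthNoPriv group %s has write view %s" % (name, g["write"])))
    for name, u in parse_show_snmp_user(show_snmp_user).items():
        if u.get("auth") != "SHA" or not u.get("priv", "").startswith("AES"):
            findings.append(("NET1660", "user %s: %s/%s (SHA + AES required; MD5/DES/3DES is at best a CAT III downgrade)"
                             % (name, u.get("auth"), u.get("priv"))))
    return findings


# Constructed v1/v2c sample: the strings from the report's example plus 'public'.
V2C_CONFIG = """
ip access-list standard NMS_LIST
 permit 10.1.1.22
snmp-server community public RO
snmp-server community c0macc3ss RO NMS_LIST
snmp-server community R34dWr1t3 RW NMS_LIST
"""
# Constructed v3 sample reusing the report's group names plus a noauth group.
V3_CONFIG = """
snmp-server group NOC v3 priv read VIEW_ALL write VIEW_LIMIT access NMS_LIST
snmp-server group ADMIN_GROUP v3 priv read VIEW_ALL write VIEW_ALL access ADMIN_LIST
snmp-server group LEGACY v3 noauth read VIEW_ALL write VIEW_ALL
"""
SHOW_SNMP_USER = """
User name: Admin1
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: ADMIN_GROUP

User name: Admin2
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: ADMIN_GROUP
"""

if __name__ == "__main__":
    for label, cfg, users in (("v1/v2c", V2C_CONFIG, ""), ("v3", V3_CONFIG, SHOW_SNMP_USER)):
        for stig_id, msg in audit_snmp(cfg, users):
            print("%-7s %-8s %s" % (label, stig_id, msg))
```

Run it against the device's configuration and the pasted "show snmp user" output; a v2c read-write community and a v3 group in noauth mode with a write view are both reported under NET0894, and the MD5/3DES user illustrates the Category III downgrade case described in 5.51.4.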
5.57 V-4584 - The network element must log all messages except debugging.
5.57.1 Summary
The network element must log all messages except debugging and send all log data to a syslog server. Table 368 provides a summary result of the findings.
Table 368: The network element must log all messages except debugging. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.57.2 Description
Logging is a critical part of router security. Maintaining an audit trail of system activity logs (syslog) can help identify configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of the network. Syslog levels 0-6 are the levels required to collect the necessary information to help in the recovery process.
5.57.3 Check
Cisco IOS routers and switches use level 6 (informational) when logging packets that are dropped via an access control list (e.g., %SEC-6-IPACCESSLOGNP: list 1 denied 0 1.1.1.2 -> 1.1.1.1, 1 packet). Hence, it is imperative that log messages at level 6 are captured for further analysis and incident reporting. However, these messages do not need to go to the console, but must go to the syslog server. To avoid being locked out of the console in the event of intensive log message generation, such as when a large number of packets are being dropped, you can implement any of the following:
1. Limit the amount of logging based on same-packet matching via the access-list log-update threshold command. The configured threshold specifies how often syslog messages are generated and sent after the initial packet match, on a per-flow basis.
2. Rate-limit messages at specific severity levels destined to be logged at the console via the logging rate-limit command.
3. Have only messages at levels 0-5 (or 0-4) go to the console and messages at levels 0-6 go to the syslog server. The buffer could be set to notification level or altered to a different level when required (i.e., debugging).
The following would be an example configuration:
!
logging buffered 4096 informational
logging console notifications
…
!
logging trap debugging
logging host 1.1.1.1
!
The default state for logging is on and the default for the syslog server is informational (i.e., logging trap informational). Hence, the commands logging on and logging trap informational will not be shown via the show run command. Have the operator issue a show logging command to verify logging is on and to confirm the level for the syslog server (i.e., trap).
R1# show logging
Syslog logging: enabled (12 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
…
Console logging: level notifications, 56 messages logged, xml disabled, filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
Buffer logging: level informational, 6 messages logged, xml disabled, filtering disabled
…
Trap logging: level informational, 73 message lines logged
    Logging to 1.1.1.1 (udp port 514, audit disabled, authentication disabled, encryption disabled, link up), 37 message lines logged, 0 message lines rate-limited, 0 message lines dropped-by-MD, xml disabled, sequence number disabled, filtering disabled
The table below lists the severity levels and message types for all log data.
Severity Level | Message Type
0 | Emergencies
1 | Alerts
2 | Critical
3 | Errors
4 | Warning
5 | Notifications
6 | Informational
7 | Debugging
5.57.4 Fix
Configure the network device to log all messages except debugging and send all log data to a syslog server.
STIG reference for 5.58 (V-5611): Severity: CAT II; Rule ID: SV-15449r3_rule; STIG ID: NET1637; Controls: (none listed); Responsibility: (none listed)
STIG reference for 5.59 (V-5612): Severity: CAT II; Rule ID: SV-15457r2_rule; STIG ID: NET1645; Controls: (none listed); Responsibility: Information Assurance Officer
5.58 V-5611 - Management connections are not restricted.
5.58.1 Summary
The network element must only allow management connections for administrative access from hosts residing in the management network. Table 369 provides a summary result of the findings.
Table 369: Management connections are not restricted. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.58.2 Description
Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment could acquire the device account and password information. With this intercepted information they could gain access to the infrastructure and cause denial of service attacks, intercept sensitive information, or perform other destructive actions.
5.58.3 Check
Review the configuration and verify that management access to the device is allowed only from the management network address space. The configuration should look similar to the following:
access-list 3 permit 192.168.1.10 log
access-list 3 permit 192.168.1.11 log
access-list 3 deny any log
…
line vty 0 4
 access-class 3 in
If management access can be gained from outside of the authorized management network, this is a finding.
5.58.4 Fix
Configure an ACL or filter to restrict management access to the device to the management network only.
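The logging check in 5.57 turns on details that the running configuration hides: the default trap level, the default console level, and the fact that ACL denies arrive at severity 6. The Python script below is an added example (not code from the Nipper Studio report or the STIG) that computes the effective logging state from a configuration with those IOS defaults applied, parses the severity out of an IOS message, and reports where a given message would be delivered. The first configuration is the one quoted in 5.57.3; the weaker one and the message addresses are constructed.

```python
"""Effective IOS logging levels and where a given message is delivered.

Added example; not code from the Nipper Studio report or the STIG.  Defaults
modelled (the ones the report's 5.57 check relies on): logging is on unless
'no logging on' is present, 'logging trap' defaults to informational (6),
'logging console' and 'logging monitor' default to debugging (7), and the
buffer is off until 'logging buffered' is configured.  Severity is read from
the %FACILITY-SEVERITY-MNEMONIC prefix of an IOS message.
"""
import re

LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
          "notifications", "informational", "debugging"]   # IOS keywords; index = level
DESTINATIONS = ("console", "monitor", "buffered", "trap")
MSG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):")


def _level(token):
    return int(token) if token.isdigit() else LEVELS.index(token)


def effective_logging(config):
    """Return the effective logging state after applying IOS defaults."""
    state = {"enabled": True, "hosts": [], "console": 7, "monitor": 7, "buffered": None, "trap": 6}
    for raw in config.splitlines():
        parts = raw.strip().split()
        if parts[:3] == ["no", "logging", "on"]:
            state["enabled"] = False
        elif parts[:2] == ["no", "logging"] and len(parts) > 2 and parts[2] in DESTINATIONS:
            state[parts[2]] = None                      # e.g. 'no logging console'
        elif parts[:2] == ["logging", "host"] and len(parts) > 2:
            state["hosts"].append(parts[2])
        elif len(parts) == 2 and parts[0] == "logging" and re.match(r"\d+\.\d+\.\d+\.\d+$", parts[1]):
            state["hosts"].append(parts[1])             # older 'logging A.B.C.D' syntax
        elif parts[:1] == ["logging"] and len(parts) > 1 and parts[1] in DESTINATIONS:
            level = 7                                   # keyword alone means debugging
            for tok in parts[2:]:                       # skips a buffer size such as 4096
                if tok in LEVELS or (tok.isdigit() and int(tok) <= 7):
                    level = _level(tok)
            state[parts[1]] = level
    return state


def message_severity(line):
    """Severity 0-7 of an IOS syslog line, or None without a %FAC-SEV-MNEMONIC prefix."""
    m = MSG_RE.search(line)
    return int(m.group(2)) if m else None


def destinations(state, line):
    """Names of the destinations that would receive this message."""
    sev = message_severity(line)
    if sev is None or not state["enabled"]:
        return []
    out = [d for d in ("console", "monitor", "buffered") if state[d] is not None and sev <= state[d]]
    if state["hosts"] and state["trap"] is not None and sev <= state["trap"]:
        out += ["syslog:" + h for h in state["hosts"]]
    return out


def check_net1021(state):
    """Findings against 5.57: levels 0-6 must reach a syslog server."""
    findings = []
    if not state["enabled"]:
        findings.append("logging is disabled")
    if not state["hosts"]:
        findings.append("no syslog host configured")
    if state["trap"] is None or state["trap"] < 6:
        findings.append("trap level %s drops informational (6) messages such as ACL denies" % state["trap"])
    return findings


# The example configuration quoted in the report's check text.
REPORT_EXAMPLE = """
logging buffered 4096 informational
logging console notifications
logging trap debugging
logging host 1.1.1.1
"""
# Constructed weaker configuration: syslog host present but trap level too low.
WEAK = """
logging trap notifications
logging host 1.1.1.1
"""
# An ACL deny message of the form the report cites (constructed addresses).
ACL_DENY = "%SEC-6-IPACCESSLOGNP: list 1 denied 0 1.1.1.2 -> 1.1.1.1, 1 packet"

if __name__ == "__main__":
    for label, cfg in (("report example", REPORT_EXAMPLE), ("weak", WEAK)):
        st = effective_logging(cfg)
        print(label, "->", destinations(st, ACL_DENY), check_net1021(st) or "compliant")
```

With the report's example the ACL deny reaches the buffer and the syslog host but not the console, which is exactly the split recommended in item 3 of the check; with "logging trap notifications" the same message never leaves the device, and the checker reports it.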
5.59 V-5612 - SSH session timeout is not 60 seconds or less.
5.59.1 Summary
The network element must be configured to time out after 60 seconds or less for incomplete or broken SSH sessions. Table 370 provides a summary result of the findings.
Table 370: SSH session timeout is not 60 seconds or less. - Summary result
Device | Type | Status
router03 | Cisco Router |
CiscoIOS15 | Cisco Router |
5.59.2 Description
An attacker may attempt to connect to the device using SSH by guessing the authentication method, encryption algorithm, and keys. Limiting the amount of time allowed for authenticating and negotiating the SSH session reduces the window of opportunity for the malicious user attempting to make a connection to the network element.
5.59.3 Findings
router03
Nipper Studio determined that Secure Shell (SSH) was not enabled on router03.
CiscoIOS15
Nipper Studio determined that SSH was enabled on CiscoIOS15 with a negotiation timeout of 2 minutes.
5.59.4 Check
Review the configuration and verify the timeout is set for 60 seconds or less. The SSH service terminates the connection if protocol negotiation (which includes user authentication) is not complete within this timeout period. Note that 120 seconds is the IOS default, so a device with no ip ssh time-out command configured is a finding.
ip ssh time-out 60
5.59.5 Fix
Configure the network device so it will require a secure shell timeout of 60 seconds or less.
STIG reference for 5.60 (V-5613): Severity: CAT II; Rule ID: SV-15458r2_rule; STIG ID: NET1646; Controls: (none listed); Responsibility: Information Assurance Officer
5.60 V-5613 - SSH login attempts value is greater than 3.
5.60.1 Summary
The network element must be configured for a maximum number of unsuccessful SSH login attempts set at 3 before resetting the interface. Table 371 provides a summary result of the findings.
Table 371: SSH login attempts value is greater than 3. - Summary result
Device       Type           Status
router03     Cisco Router
CiscoIOS15   Cisco Router
5.60.2 Description
An attacker may attempt to connect to the device using SSH by guessing the authentication method and authentication key or shared secret. Setting the authentication retry to 3 or less strengthens against a brute force attack.
5.60.3 Findings
router03
Nipper Studio determined that SSH was not enabled on router03.
CiscoIOS15
Nipper Studio determined that SSH was enabled on CiscoIOS15 with an authentication retry limit of three.
5.60.4 Check
Review the configuration and verify the number of unsuccessful SSH login attempts is set at 3.
    ip ssh authentication-retries 3
5.60.5 Fix
Configure the network device to require a maximum number of unsuccessful SSH logon attempts at 3.
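The three management-plane checks above (5.58 to 5.60) can be evaluated mechanically against a running configuration. The following Python is an added example, not code from the Nipper Studio report or from the STIG; the sample configuration is constructed, the management subnet 192.168.1.0/24 is an assumption taken from the ACL example above, and the IOS defaults it applies for absent commands (time-out 120 s, 3 retries) are Cisco's documented defaults.

```python
"""Management-access checks on a Cisco IOS running config (V-5611, V-5612, V-5613).

Added example; not part of the Nipper Studio report or the STIG text. The sample
config and the management subnet are constructed. It verifies that every vty line
has an inbound access-class whose ACL permits only management-network addresses,
that ip ssh time-out is 60 s or less, and that ip ssh authentication-retries is
3 or less, applying the IOS default when a command is absent from the config.
"""
import ipaddress
import re

# Constructed sample: vty 0 4 is restricted, vty 5 15 is not, SSH time-out left at default.
SAMPLE_CONFIG = """\
access-list 3 permit 192.168.1.10 log
access-list 3 permit 192.168.1.11 log
access-list 3 deny any log
ip ssh authentication-retries 3
line vty 0 4
 access-class 3 in
 transport input ssh
line vty 5 15
 transport input ssh
"""

MGMT_NETWORK = ipaddress.ip_network("192.168.1.0/24")  # assumed management subnet


def wildcard_to_network(addr, wildcard="0.0.0.0"):
    """Turn an IOS 'address wildcard' pair into an ip_network; 0.0.0.0 means a single host."""
    host_bits = int(ipaddress.IPv4Address(wildcard)).bit_length()  # assumes a contiguous wildcard
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)


def parse_standard_acls(config):
    """Return {acl_number: [(action, network or 'any'), ...]} from standard ACL lines."""
    acls = {}
    pattern = re.compile(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?")
    for line in config.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue
        num, action, src, extra = m.groups()
        if src == "any":
            net = "any"
        elif src == "host":
            net = wildcard_to_network(extra)
        else:
            # the optional token is a wildcard mask only when it looks like an address ('log' is not)
            wildcard = extra if extra and extra[0].isdigit() else "0.0.0.0"
            net = wildcard_to_network(src, wildcard)
        acls.setdefault(num, []).append((action, net))
    return acls


def parse_line_blocks(config):
    """Return {'line vty 0 4': [child commands], ...} for each 'line ...' section."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the line block
    return blocks


def check_management_access(config, mgmt_network=MGMT_NETWORK):
    """Return a list of finding strings; an empty list means all three checks pass."""
    findings = []
    acls = parse_standard_acls(config)
    for header, children in parse_line_blocks(config).items():
        if not header.startswith("line vty"):
            continue
        classes = [c.split() for c in children if c.startswith("access-class ")]
        inbound = [t[1] for t in classes if "in" in t[2:]]
        if not inbound:
            findings.append(f"{header}: no inbound access-class, management access is unrestricted (V-5611)")
            continue
        for action, net in acls.get(inbound[0], []):
            if action == "permit" and (net == "any" or not net.subnet_of(mgmt_network)):
                findings.append(f"{header}: ACL {inbound[0]} permits {net}, outside {mgmt_network} (V-5611)")
    # IOS defaults when the command is absent: time-out 120 s, authentication-retries 3
    m = re.search(r"^ip ssh time-out (\d+)", config, re.M)
    timeout = int(m.group(1)) if m else 120
    if timeout > 60:
        findings.append(f"ip ssh time-out is {timeout} s, must be 60 s or less (V-5612)")
    m = re.search(r"^ip ssh authentication-retries (\d+)", config, re.M)
    retries = int(m.group(1)) if m else 3
    if retries > 3:
        findings.append(f"ip ssh authentication-retries is {retries}, must be 3 or less (V-5613)")
    return findings


if __name__ == "__main__":
    for finding in check_management_access(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports the unrestricted vty 5 15 range and the default 120 s SSH time-out; a config that sets neither command at all is judged by the IOS defaults rather than passed silently.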
5.61 V-5614 - The PAD service is enabled.
5.61.1 Summary
Severity: CAT III
Rule ID: SV-5614r3_rule
STIG ID: NET0722
Controls:
Responsibility: Information Assurance Officer
Network devices must have the PAD service disabled. Table 372 provides a summary result of the findings.
Table 372: The PAD service is enabled. - Summary result
Device       Type           Status
router03     Cisco Router
CiscoIOS15   Cisco Router
5.61.2 Description
Packet Assembler Disassembler (PAD) is an X.25 component seldom used. It collects the data transmissions from the terminals and gathers them into an X.25 data stream and vice versa. PAD acts like a multiplexer for the terminals. If enabled, it can render the device open to attacks. Some voice vendors use PAD on internal routers.
5.61.3 Findings
The PAD service status is detailed in Table 373.
Table 373: STIG NET0722 PAD service status
Device       PAD Service
router03     Enabled
CiscoIOS15   Disabled
5.61.4 Check
Review the device configuration to determine if the PAD service is enabled. If the PAD service is enabled, this is a finding.
5.61.5 Fix
Configure the device to disable the PAD service.
5.62 V-5615 - TCP Keep-Alives must be enabled.
5.62.1 Summary
Severity: CAT III
Rule ID: SV-5615r3_rule
STIG ID: NET0724
Controls:
Responsibility: Information Assurance Officer
Network devices must have TCP Keep-Alives enabled for TCP sessions. Table 374 provides a summary result of the findings.
Table 374: TCP Keep-Alives must be enabled. - Summary result
Device       Type           Status
router03     Cisco Router
CiscoIOS15   Cisco Router
5.62.2 Description
Idle TCP sessions can be susceptible to unauthorized access and hijacking attacks. By default, routers do not continually test whether a previously connected TCP endpoint is still reachable. If one end of a TCP connection idles out or terminates abnormally, the opposite end of the connection may still believe the session is available. These "orphaned" sessions use up valuable router resources and can also be hijacked by an attacker. To mitigate this risk, routers must be configured to send periodic keepalive messages to check that the remote end of a session is still connected. If the remote device fails to respond to the keepalive message, the sending router will clear the connection and free resources allocated to the session.
5.62.3 Findings
The inbound TCP keepalive status is detailed in Table 375.
Table 375: STIG NET0724 Inbound TCP Keep Alives
Device       Inbound TCP Keep Alives
router03     Disabled
CiscoIOS15   Enabled
5.62.4 Check
Review the device configuration to verify the "service tcp-keepalives-in" command is configured. If TCP Keep-Alives are not enabled, this is a finding.
5.62.5 Fix
Configure the device to enable TCP Keep-Alives.
5.63 V-5616 - Identification support is enabled.
5.63.1 Summary
Severity: CAT III
Rule ID: SV-5616r3_rule
STIG ID: NET0726
Controls:
Responsibility: Information Assurance Officer
Network devices must have identification support disabled. Table 376 provides a summary result of the findings.
Table 376: Identification support is enabled. - Summary result
Device       Type           Status
router03     Cisco Router
CiscoIOS15   Cisco Router
5.63.2 Description
Identification support allows one to query a TCP port for identification. This feature enables an unsecured protocol to report the identity of a client initiating a TCP connection and a host responding to the connection. Identification support can connect to a TCP port on a host, issue a simple text string to request information, and receive a simple text-string reply. This is another mechanism to learn the router vendor, model number, and software version being run.
5.63.3 Findings
The Identd status is detailed in Table 377.
Table 377: STIG NET0726 Identd status
Device       Identd
router03     Disabled
CiscoIOS15   Disabled
5.63.4 Check
Review the device configuration to verify that identification support is not enabled via the "ip identd" global command. It is disabled by default. If identification support is enabled, this is a finding.
5.63.5 Fix
Configure the device to disable identification support.
5.64 V-5618 - Gratuitous ARP must be disabled.
5.64.1 Summary
Severity: CAT II
Rule ID: SV-5618r3_rule
STIG ID: NET0781
Controls:
Responsibility: Information Assurance Officer
Gratuitous ARP must be disabled. Table 378 provides a summary result of the findings.
Table 378: Gratuitous ARP must be disabled. - Summary result
Device       Type           Status
router03     Cisco Router
CiscoIOS15   Cisco Router
5.64.2 Description
A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly, causing network malfunction.
5.64.3 Findings
The gratuitous ARP status is detailed in Table 379.
Table 379: STIG NET0781 gratuitous ARP status
Device       Gratuitous ARP
router03     Disabled
CiscoIOS15   Disabled
5.64.4 Check
Review the configuration to determine if gratuitous ARP is disabled. If gratuitous ARP is enabled, this is a finding.
5.64.5 Fix
Disable gratuitous ARP on the device.
5.65 V-5645 - Cisco Express Forwarding (CEF) not enabled on supported devices.
5.65.1 Summary
Severity: CAT II
Rule ID: SV-5645r4_rule
STIG ID: NET0949
Controls: ECSC-1
Responsibility: Information Assurance Officer
Cisco Express Forwarding (CEF) must be enabled on all supported Cisco Layer 3 IP devices. Table 380 provides a summary result of the findings.
Table 380: Cisco Express Forwarding (CEF) not enabled on supported devices. - Summary result
Device       Type           Status
router03     Cisco Router
CiscoIOS15   Cisco Router
5.65.2 Description
The Cisco Express Forwarding (CEF) switching mode replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build cache entries when traffic starts arriving for new destinations, CEF behaves more predictably when presented with large volumes of traffic addressed to many destinations, such as a SYN flood attack. Because many SYN flood attacks use randomized source addresses to which the hosts under attack will reply, there can be a substantial amount of traffic for a large number of destinations that the router will have to handle. Consequently, routers configured for CEF will perform better under SYN floods directed at hosts inside the network than routers using the traditional cache.
5.65.3 Check
Determine if the Cisco Layer 3 device supports the use of CEF switching mode. If the current IOS version available for the device does not support CEF in any capacity, this requirement will be NA. Most Cisco Layer 3 devices will support CEF in either Distributed or Central Mode.
1. If the device supports Distributed CEF Mode (dCEF), verify that it has been globally enabled.
2. If the device only supports Central CEF Mode (CEF), verify the function has been globally enabled.
Many of the devices have CEF enabled by default and many of the configurations will not show whether CEF functionality is enabled. To verify CEF is running on a Cisco Layer 3 device with IOS, run the following command:
    router# show ip cef
    %CEF not running
If CEF is shown to be not running, this is a finding.
5.65.4 Fix
1. If the Cisco Layer 3 IP device is not enabled by default, enable Distributed CEF Mode globally.
    Router(config)# ip cef distributed
2. If Distributed CEF Mode is not supported, enable Centralized CEF Mode globally.
    Router(config)# ip cef
3. If CEF is not supported in any capacity on the device, this finding is NA.
5.66 V-5646 - Devices not configured to filter and drop half-open connections.
5.66.1 Summary
Severity: CAT II
Rule ID: SV-15435r4_rule
STIG ID: NET0965
Controls: ECSC-1
Responsibility: Information Assurance Officer
The network device must drop half-open TCP connections through filtering thresholds or timeout periods. Table 381 provides a summary result of the findings.
Table 381: Devices not configured to filter and drop half-open connections. - Summary result
Device       Type           Status
router03     Cisco Router
CiscoIOS15   Cisco Router
5.66.2 Description
A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance of that acknowledgement is sent by the originator. An attacker's goal in this scenario is to cause a denial of service to the network or device by initiating a high volume of TCP packets, then never sending an acknowledgement, leaving connections in a half-opened state. Without the device having a connection or time threshold for these half-opened sessions, the device risks being a victim of a denial of service attack. Setting a TCP timeout threshold will instruct the device to shut down any incomplete connections. Services such as SSH, BGP, SNMP, LDP, etc. are some services that may be prone to these types of denial of service attacks. If the router does not have any BGP connections with BGP neighbors across WAN links, values could be set to even tighter constraints.
5.66.3 Findings
router03
Nipper Studio determined that TCP SYN wait time was not supported on router03.
CiscoIOS15
Nipper Studio determined that TCP SYN wait time was not supported on CiscoIOS15.
5.66.4 Check
Review the device configuration to validate threshold filters or timeout periods are set for dropping excessive half-open TCP connections. For timeout periods, the time should be set to 10 seconds or less. If the device cannot be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering. IOS configuration example:
    ip tcp synwait-time 10
5.66.5 Fix
Configure the device to drop half-open TCP connections through threshold filtering or timeout periods.
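Several of the checks in 5.61 to 5.66 turn on what IOS does when the command is absent: identification support is off by default, CEF can be on without appearing in the configuration, and the PAD service is on unless it is turned off, so an absent line cannot simply be read as "disabled". The following Python is an added example, not code from the Nipper Studio report or from the STIG; it keeps the default state beside each rule and judges an absent line by that default. The sample configuration and the show ip cef output are constructed, and the default states are Cisco's documented IOS defaults, stated here as assumptions to confirm for the platform in hand.

```python
"""Default-aware service checks for a Cisco IOS config (V-5614, V-5615, V-5616, V-5618, V-5645, V-5646).

Added example; not part of the Nipper Studio report or the STIG text. Several of
these settings leave no line in the running config when they sit at their IOS
default, so each rule records the default state and the exact lines that change
it, and an absent line is judged by that default rather than read as 'disabled'.
The defaults are those documented by Cisco for IOS and are worth confirming for
the platform in hand; the sample config and 'show ip cef' output are constructed.
"""
import re

# item, compliant state, state when no line is present, and the lines that set it on or off
RULES = [
    {"item": "V-5614 PAD service", "want": "disabled", "default": "enabled",
     "on": "service pad", "off": "no service pad"},
    {"item": "V-5615 inbound TCP keepalives", "want": "enabled", "default": "disabled",
     "on": "service tcp-keepalives-in", "off": "no service tcp-keepalives-in"},
    {"item": "V-5616 identification support", "want": "disabled", "default": "disabled",
     "on": "ip identd", "off": "no ip identd"},
    {"item": "V-5618 gratuitous ARP", "want": "disabled", "default": "enabled",
     "on": "ip gratuitous-arps", "off": "no ip gratuitous-arps"},
]

# Constructed sample: keepalives and gratuitous ARP handled, PAD left at its default, SYN wait set.
SAMPLE_CONFIG = """\
hostname router03
service tcp-keepalives-in
no ip gratuitous-arps
ip tcp synwait-time 10
"""


def service_state(config, rule):
    """Return (state, explicit): the effective state and whether a config line set it."""
    lines = {line.strip() for line in config.splitlines()}
    if rule["off"] in lines:
        return "disabled", True
    if rule["on"] in lines:
        return "enabled", True
    return rule["default"], False


def synwait_seconds(config):
    """Effective 'ip tcp synwait-time'; IOS uses 30 s when the line is absent."""
    m = re.search(r"^ip tcp synwait-time (\d+)", config, re.M)
    return int(m.group(1)) if m else 30


def cef_running(show_ip_cef_output):
    """CEF cannot be read reliably from the config; the STIG's failing signature is '%CEF not running'."""
    return "%CEF not running" not in show_ip_cef_output


def audit_services(config, show_ip_cef_output=None):
    """Return a list of finding strings for the config (and the CEF output, when supplied)."""
    findings = []
    for rule in RULES:
        state, explicit = service_state(config, rule)
        if state != rule["want"]:
            how = "set explicitly" if explicit else "the IOS default with no config line"
            findings.append(f"{rule['item']} is {state} ({how}); must be {rule['want']}")
    secs = synwait_seconds(config)
    if secs > 10:
        findings.append(f"V-5646 ip tcp synwait-time is {secs} s; must be 10 s or less")
    if show_ip_cef_output is not None and not cef_running(show_ip_cef_output):
        findings.append("V-5645 CEF is not running on a device that supports it")
    return findings


if __name__ == "__main__":
    for finding in audit_services(SAMPLE_CONFIG, "%CEF not running"):
        print(finding)
```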
5.67 V-7009 - An Infinite Lifetime key has not been implemented
5.67.1 Summary
Severity: CAT I
Rule ID: SV-7363r2_rule
STIG ID: NET0425
Controls: ECSC-1
Responsibility: Information Assurance Officer
The lifetime of the MD5 key expiration must be set to never expire. The lifetime of the MD5 key will be configured as infinite for route authentication, if supported by the current approved router software version. Table 382 provides a summary result of the findings.
Table 382: An Infinite Lifetime key has not been implemented - Summary result
Device       Type           Status
router03     Cisco Router
CiscoIOS15   Cisco Router
5.67.2 Description
Only Enhanced Interior Gateway Routing Protocol (EIGRP) and Routing Information Protocol (RIP) Version 2 use key chains. When configuring authentication for routing protocols that provide key chains, configure two rotating keys with overlapping expiration dates, both with a 180-day lifetime. A third key must also be defined with an infinite lifetime. Both of these steps ensure that there will always be a key that can be placed into service by all peers. If a time period occurs during which no key is activated, authentication cannot occur; hence, route updates will not occur. The lifetime key should be changed 7 days after successful key rotation and synchronization has occurred with all peers.
5.67.3 Check
Review the running configuration to determine if key authentication has been defined with an infinite lifetime. If the key has been configured for a lifetime other than infinite, this is a finding.
RIP 2 example:
    interface ethernet0
     ip rip authentication key-chain trees
     ip rip authentication mode md5
    router rip
     network 172.19.0.0
     version 2
    key chain trees
     key 1
      key-string willow
      accept-lifetime 22:45:00 Feb 10 2005 22:45:00 Aug 10 2005
      send-lifetime 23:00:00 Feb 10 2005 22:45:00 Aug 10 2005
     key 2
      key-string birch
      accept-lifetime 22:45:00 Aug 9 2005 22:45:00 Feb 10 2006
      send-lifetime 23:00:00 Aug 9 2005 22:45:00 Feb 10 2006
     key 9999
      key-string maple
      accept-lifetime 22:45:00 Feb 9 2005 infinite
      send-lifetime 23:00:00 Feb 9 2005 infinite
EIGRP example:
    interface ethernet0
     ip authentication mode eigrp 1 md5
     ip authentication key-chain eigrp 1 trees
    router eigrp 1
     network 172.19.0.0
    key chain trees
     key 1
      key-string willow
      accept-lifetime 22:45:00 Feb 10 2005 22:45:00 Aug 10 2005
      send-lifetime 23:00:00 Feb 10 2005 22:45:00 Aug 10 2005
     key 2
      key-string birch
      accept-lifetime 22:45:00 Dec 10 2005 22:45:00 Feb 10 2006
      send-lifetime 23:00:00 Dec 10 2005 22:45:00 Jan 10 2006
     key 9999
      key-string maple
      accept-lifetime 22:45:00 Feb 9 2005 infinite
      send-lifetime 23:00:00 Feb 9 2005 infinite
Notes:
Only Enhanced Interior Gateway Routing Protocol (EIGRP) and Routing Information Protocol (RIP) Version 2 use key chains.
When using MD5 authentication keys, it is imperative the site is in compliance with the NTP policies. The router has to know the time!
The infinite key must be given a high number to ensure there is plenty of room to put keys in before it. All subsequent keys will be decremented by one (9998, 9997, ...).
5.67.4 Fix
This check is in place to ensure keys do not expire, creating a DOS due to adjacencies being dropped and routes being aged out. The recommendation is to use two rotating six-month keys with a third key set as infinite lifetime. The lifetime key should be changed 7 days after the rotating keys have expired and been redefined.
5.68 V-7011 - The auxiliary port is not disabled.
5.68.1 Summary
Severity: CAT III
Rule ID: SV-15446r2_rule
STIG ID: NET1629
Controls:
Responsibility: Information Assurance Officer
The network element's auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication. Table 383 provides a summary result of the findings.
Table 383: The auxiliary port is not disabled. - Summary result
Device       Type           Status
router03     Cisco Router
CiscoIOS15   Cisco Router
5.68.2 Description
The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. Additional war dial attacks on the device could degrade the device and the production network. Secured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place. The modem will provide full encryption capability (Triple DES) or stronger. The technician who manages these devices will be authenticated using a key fob and granted access to the appropriate maintenance port, thus the technician will gain access to the managed device (router, switch, etc.). The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords that will change values at second intervals. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.
5.68.3 Check
Review the configuration and verify that the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected to it. The following configuration disables the Cisco IOS auxiliary port:
    line aux 0
     no exec
Note: The command "transport input none" must be configured under the line aux 0. However, this is the default and will not be shown in the running configuration.
5.68.4 Fix
Disable the auxiliary port. If used for out-of-band administrative access, the port must be connected to a secured modem providing encryption and authentication.
5.69 V-14667 - Key expiration exceeds 180 days.
5.69.1 Summary
Severity: CAT III
Rule ID: SV-15301r3_rule
STIG ID: NET0422
Controls:
Responsibility: Information Assurance Officer
Network devices must be configured with rotating keys used for authenticating IGP peers that have a duration exceeding 180 days. Table 384 provides a summary result of the findings.
Table 384: Key expiration exceeds 180 days. - Summary result
Device       Type           Status
router03     Cisco Router
CiscoIOS15   Cisco Router
5.69.2 Description
If the keys used for routing protocol authentication are guessed, the malicious user could create havoc within the network by advertising incorrect routes and redirecting traffic. Changing the keys frequently reduces the risk of them eventually being guessed. When configuring authentication for routing protocols that provide key chains, configure two rotating keys with overlapping expiration dates, both with 180-day expirations.
5.69.3 Check
Review device configuration for key expirations of 180 days or less. If rotating keys are not configured to expire at 180 days or less, this is a finding.
5.69.4 Fix
Configure the device so rotating keys expire at 180 days or less.
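The key-chain requirements of 5.67 and 5.69 (an infinite-lifetime key, rotating keys of 180 days or less, and no period in which no key is accepted) can be checked directly from the key chain configuration. The following Python is an added example, not code from the Nipper Studio report or from the STIG; its sample input is the RIP column of the STIG example in 5.67, re-typed here as constructed input.

```python
"""Key-chain lifetime audit for IOS routing-protocol authentication (V-7009, V-14667).

Added example, not part of the Nipper Studio report or the STIG text. Checks that
one key has infinite accept and send lifetimes, that every rotating key lasts 180
days or less, and that the accept lifetimes leave no period with no valid key.
The sample is the RIP column of the STIG's own example, re-typed as constructed input.
"""
from datetime import datetime, timedelta
import re

SAMPLE_CONFIG = """\
key chain trees
 key 1
  key-string willow
  accept-lifetime 22:45:00 Feb 10 2005 22:45:00 Aug 10 2005
  send-lifetime 23:00:00 Feb 10 2005 22:45:00 Aug 10 2005
 key 2
  key-string birch
  accept-lifetime 22:45:00 Aug 9 2005 22:45:00 Feb 10 2006
  send-lifetime 23:00:00 Aug 9 2005 22:45:00 Feb 10 2006
 key 9999
  key-string maple
  accept-lifetime 22:45:00 Feb 9 2005 infinite
  send-lifetime 23:00:00 Feb 9 2005 infinite
"""

MAX_LIFETIME = timedelta(days=180)
LIFETIME_RE = re.compile(r"(accept|send)-lifetime (\d\d:\d\d:\d\d) (\S+) (\S+) (\d{4}) (.+)")


def parse_stamp(hms, a, b, year):
    """IOS accepts 'hh:mm:ss month day year' as well as 'hh:mm:ss day month year'."""
    month, day = (a, b) if a[0].isalpha() else (b, a)
    return datetime.strptime(f"{hms} {month} {day} {year}", "%H:%M:%S %b %d %Y")


def parse_lifetime(line):
    """Return (kind, start, end) for a lifetime line; end is None for 'infinite'."""
    m = LIFETIME_RE.match(line)
    if not m:
        return None
    kind, hms, a, b, year, rest = m.groups()
    start = parse_stamp(hms, a, b, year)
    tokens = rest.split()
    if tokens[0] == "infinite":
        end = None
    elif tokens[0] == "duration":  # 'duration <seconds>' form
        end = start + timedelta(seconds=int(tokens[1]))
    else:
        end = parse_stamp(*tokens[:4])
    return kind, start, end


def parse_key_chains(config):
    """Return {chain: {key_id: {'accept': (start, end), 'send': (start, end)}}}."""
    chains, chain, key = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("key chain "):
            chain, key = line.split()[2], None
            chains[chain] = {}
        elif chain and re.fullmatch(r"key \d+", line):
            key = int(line.split()[1])
            chains[chain][key] = {}
        elif chain and key is not None and "-lifetime " in line:
            parsed = parse_lifetime(line)
            if parsed:
                chains[chain][key][parsed[0]] = (parsed[1], parsed[2])
        elif not raw.startswith(" "):
            chain = key = None  # a different top-level section begins
    return chains


def audit_key_chain(keys):
    """Evaluate one chain's {key_id: lifetimes}; returns a list of finding strings."""
    findings = []
    if not any(life.get("accept", (0, 0))[1] is None and life.get("send", (0, 0))[1] is None
               for life in keys.values()):
        findings.append("no key with infinite accept and send lifetimes (V-7009)")
    for key_id, life in sorted(keys.items()):
        for kind in ("accept", "send"):
            start, end = life.get(kind, (None, None))
            if end is not None and end - start > MAX_LIFETIME:
                days = (end - start) / timedelta(days=1)
                findings.append(f"key {key_id} {kind}-lifetime lasts {days:.1f} days, exceeds 180 (V-14667)")
    # sweep the accept windows in start order: a window starting after everything so far has
    # expired is a period in which no key is accepted, so authenticated route updates stop
    windows = sorted((s, datetime.max if e is None else e)
                     for s, e in (life["accept"] for life in keys.values() if "accept" in life))
    for i in range(1, len(windows)):
        covered_until = max(e for _, e in windows[:i])
        if windows[i][0] > covered_until:
            findings.append(f"accept gap: no key valid from {covered_until} to {windows[i][0]} (V-7009)")
    return findings


def audit_config(config):
    """Audit every key chain in a config; returns {chain: findings}."""
    return {chain: audit_key_chain(keys) for chain, keys in parse_key_chains(config).items()}
```

Run on the STIG's own example, the infinite key 9999 satisfies V-7009, but keys 1 and 2 span 181 and 185 days and are reported under V-14667: "two six-month keys" has to be read as 180 days or less, not as calendar half-years.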
5.70 V-14669 - BSD r commands are not disabled.
5.70.1 Summary
Severity: CAT II
Rule ID: SV-15314r2_rule
STIG ID: NET0744
Controls:
Responsibility: Information Assurance Officer
The administrator must ensure BSD r command services are disabled. Table 385 provides a summary result of the findings.
Table 385: BSD r commands are not disabled. - Summary result
Device       Type           Status
router03     Cisco Router
CiscoIOS15   Cisco Router
5.70.2 Description
Berkeley Software Distribution (BSD) "r" commands allow users to execute commands on remote systems using a variety of protocols. The BSD "r" commands (e.g., rsh, rlogin, rcp, rdump, rrestore, and rdist) are designed to provide convenient remote access without passwords to services such as remote command execution (rsh), remote login (rlogin), and remote file copy (rcp and rdist). The difficulty with these commands is that they use address-based authentication. An attacker who convinces a server that he is coming from a "trusted" machine can essentially get complete and unrestricted access to a system. The attacker can convince the server by impersonating a trusted machine and using its IP address, by confusing DNS so that DNS thinks that the attacker's IP address maps to a trusted machine's name, or by any of a number of other methods.
5.70.3 Check
Verify that the following BSD r global commands are not defined in the configuration:
    ip rcmd rcp-enable
    ip rcmd rsh-enable
These commands have been disabled by default in IOS since version 12.0.
5.70.4 Fix
Configure the device to disable BSD r command services.
5.71 V-14671 - NTP messages are not authenticated.
5.71.1 Summary
Severity: CAT II
Rule ID: SV-16089r3_rule
STIG ID: NET0813
Controls:
Responsibility:
The network element must authenticate all NTP messages received from NTP servers and peers. Table 386 provides a summary result of the findings.
Table 386: NTP messages are not authenticated. - Summary result
Device       Type           Status
router03     Cisco Router
CiscoIOS15   Cisco Router
5.71.2 Description
Since NTP is used to ensure accurate log file timestamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP infrastructure, a hacker could inject time that would be accepted by NTP clients by spoofing the IP address of a valid NTP server. To mitigate this risk, the time messages must be authenticated by the client before accepting them as a time source. Two NTP-enabled devices can communicate in either client-server mode or peer-to-peer mode (aka "symmetric mode"). The peering mode is configured manually on the device and indicated in the outgoing NTP packets. The fundamental difference is the synchronization behavior: an NTP server can synchronize to a peer with better stratum, whereas it will never synchronize to its client regardless of the client's stratum. From a protocol perspective, NTP clients are no different from the NTP servers. The NTP client can synchronize to multiple NTP servers, select the best server and synchronize with it, or synchronize to the averaged value returned by the servers. A hierarchical model can be used to improve scalability. With this implementation, an NTP client can also become an NTP server providing time to downstream clients at a higher stratum level, with lower accuracy than its upstream server. To increase availability, NTP peering can be used between NTP servers. In the event the device loses connectivity to its upstream NTP server, it will be able to choose time from one of its peers. The NTP authentication model is the opposite of the typical client-server authentication model. NTP authentication enables an NTP client or peer to authenticate time received from their servers and peers. It is not used to authenticate NTP clients because NTP servers do not care about the authenticity of their clients, as they never accept any time from them.
5.71.3 Check
Review the network element configuration and verify that it is authenticating NTP messages received from the NTP server or peer using either PKI or a FIPS-approved message authentication code algorithm. FIPS-approved algorithms for authentication are the cipher-based message authentication code (CMAC) and the keyed-hash message authentication code (HMAC). AES and 3DES are NIST-approved CMAC algorithms. The following are NIST-approved HMAC algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. If the network element is not configured to authenticate received NTP messages using PKI or a FIPS-approved message authentication code algorithm, this is a finding.
5.71.4 Fix
Configure the device to authenticate all received NTP messages using either PKI (supported in NTPv4) or a FIPS-approved message authentication code algorithm.
5.72 V-14672 - Authentication traffic does not use loopback address or OOB Management interface.
5.72.1 Summary
Severity: CAT III
Rule ID: SV-16091r2_rule
STIG ID: NET0897
Controls:
Responsibility: Information Assurance Officer
The router must use its loopback or OOB management interface address as the source address when originating TACACS+ or RADIUS traffic. Table 387 provides a summary result of the findings.
Table 387: Authentication traffic does not use loopback address or OOB Management interface. - Summary result
Device       Type           Status
router03     Cisco Router
CiscoIOS15   Cisco Router
5.72.2 Description
Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses. TACACS+ and RADIUS messages sent to management servers should use the loopback address as the source address.
5.72.3 Findings
router03
Nipper Studio determined that both Terminal Access Controller Access Control System (TACACS) and Remote Authentication Dial-In User Service (RADIUS) are not configured on router03.
CiscoIOS15
Nipper Studio determined that both TACACS and RADIUS are not configured on CiscoIOS15.
5.72.4 Check
Review the configuration and verify the loopback interface address is used as the source address when originating TACACS+ or RADIUS traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. Verify that a loopback address has been configured as shown in the following example:
    interface loopback0
     ip address 10.10.2.1 255.255.255.255
    …
    ip tacacs source-interface Loopback0
    ip radius source-interface Loopback0
Note: IOS allows multiple loopback interfaces to be defined.
5.72.5 Fix
Configure the device to use its loopback or OOB management interface address as the source address when originating authentication services traffic.
5.73V-14673-SyslogtrafficisnotusingloopbackaddressorOOBmanagementinterface.
5.73.1Summary
Severity:CATIII
RuleID:SV-15340r2_rule
STIGID:NET0898
Controls:
Responsibility:InformationAssuranceOfficer
Severity:CATIII
RuleID:SV-15343r2_rule
STIGID:NET0899
Controls:
Responsibility:InformationAssuranceOfficer
TheroutermustuseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingsyslogtraffic.Table388providesasummaryresultofthefindings.
Table388:SyslogtrafficisnotusingloopbackaddressorOOBmanagementinterface.-Summaryresult
Device Type Status
router03 CiscoRouter
CiscoIOS15 CiscoRouter
5.73.2Description
Usingaloopbackaddressasthesourceaddressoffersamultitudeofusesforsecurity,access,management,andscalabilityofrouters.Itiseasiertoconstructappropriateingressfiltersforroutermanagementplanetrafficdestinedtothenetworkmanagementsubnetsincethesourceaddresseswillbefromtherangeusedforloopbackinterfacesinsteadofalargerrangeofaddressesusedforphysicalinterfaces.Loginformationrecordedbyauthenticationandsyslogserverswillrecordtherouter’sloopbackaddressinsteadofthenumerousphysicalinterfaceaddresses.Syslogmessagessenttomanagementserversshouldusetheloopbackaddressasthesourceaddress.
5.73.3Findings
router03
NipperStudiodeterminedthatSyslogwasnotconfiguredonrouter03.
CiscoIOS15
NipperStudiodetectedthefollowingglobalSysloginterfaceonCiscoIOS15.
Table389:SyslogInterface
GlobalSyslogInterface
Loopback1
5.73.4Check
Reviewtheconfigurationandverifytheloopbackinterfaceaddressisusedasthesourceaddresswhenoriginatingsyslogtraffic.IfthedeviceismanagedfromanOOBmanagementnetwork,theOOBinterfacemustbeusedinstead.Theconfigurationshouldlooksimilarasshowninthefollowingexample:interfaceloopback0ipaddress10.10.2.1255.255.255.255…loggingonlogginghost192.168.1.100loggingsource-interfaceLoopback0Note:IOSallowsmultipleloopbackinterfacestobedefined.
5.73.5Fix
ConfigurethedevicetouseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingsyslogtraffic.
Gotothereportcontentsorthestartofthissection.
5.74V-14674-NTPtrafficisnotusingloopbackaddressorOOBManagementinterface.
5.74.1Summary
TheroutermustuseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingNTPtraffic.Table390providesasummaryresultofthefindings.
Table390:NTPtrafficisnotusingloopbackaddressorOOBManagementinterface.-Summaryresult
Device Type Status
router03 CiscoRouter
CiscoIOS15 CiscoRouter
5.74.2Description
Severity:CATIII
RuleID:SV-15346r2_rule
STIGID:NET0900
Controls:
Responsibility:InformationAssuranceOfficer
Usingaloopbackaddressasthesourceaddressoffersamultitudeofusesforsecurity,access,management,andscalabilityofrouters.Itiseasiertoconstructappropriateingressfiltersforroutermanagementplanetrafficdestinedtothenetworkmanagementsubnetsincethesourceaddresseswillbefromtherangeusedforloopbackinterfacesinsteadofalargerrangeofaddressesusedforphysicalinterfaces.Loginformationrecordedbyauthenticationandsyslogserverswillrecordtherouter’sloopbackaddressinsteadofthenumerousphysicalinterfaceaddresses.NTPmessagessenttomanagementserversshouldusetheloopbackaddressasthesourceaddress.
5.74.3Findings
router03
NipperStudiodeterminedthatrouter03doesnotusealoopbackaddresswhenoriginatingNTPtraffic.
CiscoIOS15
NipperStudiodeterminedthatCiscoIOS15usesaloopbackaddresswhenoriginatingNTPtraffic.TheconfiguredinterfaceisdetailedinTable391.
Table391:NTPSourceInterface
NTPSourceInterface
Loopback0
5.74.4Check
ReviewtheconfigurationandverifytheloopbackinterfaceaddressisusedasthesourceaddresswhenoriginatingNTPtraffic.IfthedeviceismanagedfromanOOBmanagementnetwork,theOOBinterfacemustbeusedinstead.Theconfigurationshouldlooksimilarasshowninthefollowingexample:interfaceloopback0ipaddress10.10.2.1255.255.255.255…ntpserver129.237.32.2ntpserver142.181.31.6ntpsourceLoopback0Note:IOSallowsmultipleloopbackinterfacestobedefined.
5.74.5Fix
ConfigurethedevicetouseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingNTPtraffic.
Gotothereportcontentsorthestartofthissection.
5.75V-14675-SNMPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.
5.75.1Summary
TheroutermustuseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingSNMPtraffic.Table392providesasummaryresultofthefindings.
Table392:SNMPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.-Summaryresult
Device Type Status
router03 CiscoRouter
CiscoIOS15 CiscoRouter
5.75.2Description
Usingaloopbackaddressasthesourceaddressoffersamultitudeofusesforsecurity,access,management,andscalabilityofrouters.Itiseasiertoconstructappropriateingressfiltersforroutermanagementplanetrafficdestinedtothenetworkmanagementsubnetsincethesourceaddresseswillbefromtherangeusedforloopbackinterfacesinsteadofalargerrangeofaddressesusedforphysicalinterfaces.Loginformationrecordedbyauthenticationandsyslogserverswillrecordtherouter’sloopbackaddressinsteadofthenumerousphysicalinterfaceaddresses.SNMPmessagessenttomanagementserversshouldusetheloopbackaddressasthesourceaddress.
5.75.3Findings
router03
NipperStudiodeterminedthatnoSNMPtrapswereconfiguredonrouter03.
CiscoIOS15
NipperStudiodeterminedthatCiscoIOS15doesnotusealoopbackaddresswhenoriginatingSNMPtraffic.
Severity:CATIII
RuleID:SV-15349r2_rule
STIGID:NET0901
Controls:
Responsibility:InformationAssuranceOfficer
Severity:CATIII
RuleID:SV-15352r3_rule
STIGID:NET0902
Controls:ECSC-1
Responsibility:InformationAssuranceOfficer
5.75.4Check
ReviewtheconfigurationandverifytheloopbackinterfaceaddressisusedasthesourceaddresswhenoriginatingSNMPtraffic.IfthedeviceismanagedfromanOOBmanagementnetwork,theOOBinterfacemustbeusedinstead.Theconfigurationshouldlooksimilarasshowninthefollowingexample:interfaceloopback0ipaddress10.10.2.1255.255.255.255……snmp-servertrap-sourceLoopback0Note:IOSallowsmultipleloopbackinterfacestobedefined.
5.75.5Fix
ConfigurethedevicetouseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingSNMPtraffic.
Gotothereportcontentsorthestartofthissection.
5.76V-14676-Netflowtrafficisnotusingloopbackaddress.
5.76.1Summary
TheroutermustuseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingNetFlowtraffic.Table393providesasummaryresultofthefindings.
Table393:Netflowtrafficisnotusingloopbackaddress.-Summaryresult
Device Type Status
router03 CiscoRouter
CiscoIOS15 CiscoRouter
5.76.2Description
Usingaloopbackaddressasthesourceaddressoffersamultitudeofusesforsecurity,access,management,andscalabilityofrouters.Itiseasiertoconstructappropriateingressfiltersforroutermanagementplanetrafficdestinedtothenetworkmanagementsubnetsincethesourceaddresseswillbefromtherangeusedforloopbackinterfacesinsteadofalargerrangeofaddressesusedforphysicalinterfaces.Loginformationrecordedbyauthenticationandsyslogserverswillrecordtherouter’sloopbackaddressinsteadofthenumerousphysicalinterfaceaddresses.Netflowmessagessenttomanagementserversshouldusetheloopbackaddressasthesourceaddress.
5.76.3Check
ReviewtheconfigurationandverifytheloopbackinterfaceaddressisusedasthesourceaddresswhenoriginatingNetFlowtraffic.IfthedeviceismanagedfromanOOBmanagementnetwork,theOOBinterfacemustbeusedinstead.Theconfigurationshouldlooksimilarasshowninthefollowingexample:interfaceloopback0ipaddress10.10.2.1255.255.255.255……ipflow-sampling-modepacket-interval100ipflow-exportdestination192.168.3.339991ipflow-exportsourceLoopback0Note:IOSallowsmultipleloopbackinterfacestobedefined.
5.76.4Fix
ConfiguretheroutertouseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingNetFlowtraffic.
Gotothereportcontentsorthestartofthissection.
5.77V-14677-FTP/TFTPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.
5.77.1Summary
ThenetworkdevicemustuseitsloopbackorOOBmanagementinterfaceaddressasthesourceaddresswhenoriginatingTFTPorFTPtraffic.Table394providesasummaryresultofthefindings.
Device Type Status
Severity:CATIII
RuleID:SV-15359r2_rule
Table394:FTP/TFTPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.-Summaryresult
router03 CiscoRouter
CiscoIOS15 CiscoRouter
5.77.2Description
Usingaloopbackaddressasthesourceaddressoffersamultitudeofusesforsecurity,access,management,andscalabilityofnetworkdevices.Itiseasiertoconstructappropriateingressfiltersformanagementplanetrafficdestinedtothenetworkmanagementsubnetsincethesourceaddresseswillbefromtherangeusedforloopbackinterfacesinsteadofalargerrangeofaddressesusedforphysicalinterfaces.Loginformationrecordedbyauthenticationandsyslogserverswillrecordtherouter’sloopbackaddressinsteadofthenumerousphysicalinterfaceaddresses.TFTPandFTPmessagessenttomanagementserversshouldusetheloopbackaddressasthesourceaddress.
5.77.3Findings
CiscoIOS15
Table395:FTP/TFTPServices
Service SourceInterface
TFTP Loopback0
5.77.4Check
ReviewtheconfigurationandverifyaloopbackinterfaceaddressisusedasthesourceaddresswhenoriginatingTFTPorFTPtraffic.Router#showrunBuildingconfiguration...!!interfaceLoopback0descriptionLoopbackinterfaceipaddressx.x.x.x255.255.255.255noipdirected-broadcast!...iptelnetsource-interfaceLoopback0iptftpsource-interfaceLoopback0ipftpsource-interfaceLoopback0IfthedeviceismanagedfromanOOBmanagementnetwork,theOOBinterfacemustbeusedinstead.Router#showrunBuildingconfiguration...!...iptftpsource-interfacefe0/0ipftpsource-interfacefe0/0
5.77.5Fix
ConfigurethenetworkdevicetousealoopbackinterfaceaddressasthesourceaddresswhenoriginatingTFTPorFTPtraffic.Example:Router(config)#interfaceloopback0Router(config-if)#ipaddressx.x.x.x255.255.255.255Router(config)#ipftpsource-interfaceloopback0Router(config)#iptftpsource-interfaceloopback0IfanOOBmanagementinterfaceisbeingused,configuretheinterfaceforTFTPorFTPtrafficorigination.Example:Router(config)#ipftpsource-interfacefe0/0Router(config)#iptftpsource-interfacefe0/0
5.78 V-14681 - Loopback address is not used as the iBGP source IP.
5.78.1 Summary
The router must use its loopback interface address as the source address for all iBGP peering sessions. Table 396 provides a summary result of the findings.
STIG ID: NET0903
Controls:
Responsibility: Information Assurance Officer
Severity: CAT II
Rule ID: SV-15397r2_rule
STIG ID: NET-IPV6-025
Controls: ECSC-1
Responsibility: Information Assurance Officer
Table 396: Loopback address is not used as the iBGP source IP. - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
5.78.2 Description
Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability. It is easier to construct appropriate filters for control plane traffic. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses.
5.78.3 Check
Verify that the peering sessions with iBGP neighbors use the loopback address as the source address, as shown in the example below:
  interface loopback0
   ip address 10.10.2.1 255.255.255.255
  ...
  router bgp 100
   neighbor 200.200.200.2 remote-as 200
   neighbor 188.20.120.2 remote-as 144
   neighbor 10.10.2.2 remote-as 100
   neighbor 10.10.2.2 update-source Loopback0
   neighbor 10.10.2.3 remote-as 100
   neighbor 10.10.2.3 update-source Loopback0
5.78.4 Fix
Configure the network device's loopback address as the source address for iBGP peering.
5.79 V-14693 - IPv6 Site Local Unicast ADDR must not be defined
5.79.1 Summary
The network device must be configured to ensure IPv6 Site Local Unicast addresses are not defined in the enclave (FEC0::/10). Note that this consists of all addresses that begin with FEC, FED, FEE and FEF. Table 397 provides a summary result of the findings.
Table 397: IPv6 Site Local Unicast ADDR must not be defined - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
5.79.2 Description
As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity and potential misrouting, as documented in section 2 of RFC 3879. RFC 3879 formally deprecates the IPv6 site-local unicast prefix defined in RFC 3513, i.e., 1111111011 binary or FEC0::/10.
5.79.3 Findings
router03
Nipper Studio determined that IPv6 was not configured on router03.
CiscoIOS15
Nipper Studio determined that IPv6 was not configured on CiscoIOS15.
5.79.4 Check
Review the device configuration to ensure FEC0::/10 IP addresses are not defined. If FEC0::/10 IP addresses are defined, this is a finding.
Severity: CAT II
Rule ID: SV-15425r1_rule
STIG ID: NET-IPV6-033
Controls: ECSC-1
Responsibility: Information Assurance Officer
Severity: CAT II
Rule ID: SV-15429r1_rule
STIG ID: NET-IPV6-034
Controls:
Responsibility: Information Assurance Officer
5.79.5 Fix
Configure the device using authorized IP addresses.
5.80 V-14705 - IPv6 routers are not configured with CEF enabled
5.80.1 Summary
The administrator will enable CEF to improve router stability during a SYN flood attack in an IPv6 enclave. Table 398 provides a summary result of the findings.
Table 398: IPv6 routers are not configured with CEF enabled - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
5.80.2 Description
The Cisco Express Forwarding (CEF) switching mode replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build cache entries when traffic starts arriving for new destinations, CEF behaves more predictably when presented with large volumes of traffic addressed to many destinations, such as a SYN flood attack. Because many SYN flood attacks use randomized source addresses, to which the hosts under attack will reply, there can be a substantial amount of traffic for a large number of destinations that the router will have to handle. Consequently, routers configured for CEF will perform better under SYN floods directed at hosts inside the network than routers using the traditional cache. Note: Juniper's FPC (Flexible PIC Concentrator) architecture with the integrated Packet Forwarding Engine provides similar functionality and capabilities and is far superior to the traditional routing cache that is vulnerable to the DoS attack described above. The forwarding plane on all Juniper M and T Series platforms is built around the FPC architecture, which is totally integrated with the Packet Forwarding Engine and is not configurable; hence, on those platforms this will always be not a finding.
5.80.3 Check
IOS Procedure: Review all Cisco routers to ensure that CEF has been enabled. The configuration should look similar to the following:
  ipv6 cef
5.80.4 Fix
The IAO will ensure that the ipv6 cef command has been configured on Cisco routers. On IOS, IPv6 CEF can only be enabled once IPv4 CEF (ip cef) is enabled globally; verify the result with show ipv6 cef.
5.81 V-14707 - IPv6 Egress Outbound Spoofing Filter
5.81.1 Summary
The network element must be configured to prevent accepting any outbound IP packet that contains an illegitimate address in the source address field, via an egress ACL or by enabling Unicast Reverse Path Forwarding, in an IPv6 enclave. Table 399 provides a summary result of the findings.
Table 399: IPv6 Egress Outbound Spoofing Filter - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
5.81.2 Description
Unicast Reverse Path Forwarding (uRPF) provides a mechanism for IP address spoof protection. When uRPF is enabled on an interface, the router examines all packets received as input on that interface to make sure that the source address and source interface appear in the routing table and match the interface on which the packet was received. If the packet was received from one of the best reverse path routes, the packet is forwarded as normal. If there is no reverse path route on the same interface from which the packet was received, it might mean that the source address was modified. If Unicast RPF does not find a reverse path for the packet, the packet is dropped. If internal nodes automatically configure an address based on a prefix from a bogus Router Advertisement, a dangerous situation may exist. An internal host may contact an internal server which responds with a packet that could be routed outside of the network via default routing (because the routers do not recognize the destination address as an internal address). To prevent this, filtering should be applied to network interfaces between internal host LANs and internal server LANs to ensure that source addresses have valid prefixes.
Severity: CAT II
Rule ID: SV-15460r2_rule
STIG ID: NET1647
Controls:
Responsibility: Information Assurance Officer
Severity: CAT II
Rule ID: SV-16068r2_rule
STIG ID: NET-TUNL-017
Controls: ECSC-1
Responsibility: Information Assurance Officer
5.81.3 Check
Unicast Strict mode: Review the router configuration to ensure uRPF has been configured on all internal interfaces. On IOS, IPv6 strict-mode uRPF is applied per interface with ipv6 verify unicast source reachable-via rx; it depends on CEF being enabled (see 5.80). Strict mode drops legitimate traffic on interfaces with asymmetric routing, in which case loose mode (reachable-via any) or an explicit egress ACL is the alternative.
5.81.4 Fix
The network element must be configured to ensure that an ACL is configured to restrict the router from accepting any outbound IP packet that contains an external IP address in the source field.
5.82 V-14717 - The network element must not allow SSH Version 1.
5.82.1 Summary
The network element must not use SSH Version 1 for administrative access. Table 400 provides a summary result of the findings.
Table 400: The network element must not allow SSH Version 1. - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
5.82.2 Description
SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to, e.g., man-in-the-middle attacks, it is now generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-1.
5.82.3 Findings
router03
Nipper Studio determined that SSH was not enabled on router03.
CiscoIOS15
Nipper Studio determined that the SSH service was enabled on CiscoIOS15 with support for only protocol version 2.
5.82.4 Check
If SSH is used for administrative access, then Version 2 must be configured as shown in the following example:
  ip ssh version 2
5.82.5 Fix
Configure the network device to use SSH version 2. Note that when no ip ssh version line is present, IOS accepts both protocol versions (show ip ssh reports version 1.99), so the version must be pinned explicitly rather than left at the default.
5.83 V-15288 - ISATAP tunnels must terminate at interior router.
5.83.1 Summary
ISATAP tunnels must terminate at an interior router. Table 401 provides a summary result of the findings.
Table 401: ISATAP tunnels must terminate at interior router. - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
Severity: CAT II
Rule ID: SV-16259r4_rule
STIG ID: NET0433
Controls:
Responsibility: Information Assurance Officer
5.83.2 Description
ISATAP is an automatic tunnel mechanism that does not provide authentication such as IPSec. As a result of this limitation, ISATAP is thought of as a tool that is used inside the enclave among trusted hosts, which would limit it to internal attacks. ISATAP is a service versus a product, and is readily available to most users. If a user knows the ISATAP router IP address, they can essentially get onto the IPv6 intranet. To control the vulnerability of this tunnel mechanism, it is critical to control the use of protocol 41 and use IPv4 filters to control which IPv4 nodes can send protocol 41 packets to an ISATAP router interface. Although the ISATAP tunneling mechanism is similar to other automatic tunneling mechanisms, such as IPv6 6to4 tunneling, ISATAP is designed for transporting IPv6 packets between sites within an enclave, not between enclaves.
5.83.3 Check
Verify ISATAP tunnels are terminated on the infrastructure routers or L3 switches within the enclave. Example configuration of an ISATAP tunnel endpoint:
  interface tunnel 1
   no ip address
   no ip redirects
   tunnel source ethernet 1
   tunnel mode ipv6ip isatap
   ipv6 address 2001:0DB8::/64 eui-64
   no ipv6 nd suppress-ra
5.83.4 Fix
Terminate ISATAP tunnels at the infrastructure router to prohibit tunneled traffic from exiting the enclave perimeter prior to inspection by the IDS, IPS, or firewall.
5.84 V-15432 - The device is not authenticated using a AAA server.
5.84.1 Summary
Network devices must use two or more authentication servers for the purpose of granting administrative access. Table 402 provides a summary result of the findings.
Table 402: The device is not authenticated using a AAA server. - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
5.84.2 Description
The use of Authentication, Authorization, and Accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the routers in conjunction with an authentication server such as TACACS+ or RADIUS, the administrators can easily add or remove user accounts, add or remove command authorizations, and maintain a log of user activity. The use of an authentication server provides the capability to assign router administrators to tiered groups that contain their privilege level, which is used for authorization of specific commands. For example, user mode would be authorized for all authenticated administrators, while configuration or edit mode should only be granted to those administrators that are permitted to implement router configuration changes.
5.84.3 Findings
router03
Nipper Studio identified zero authentication servers configured on router03.
CiscoIOS15
Nipper Studio identified one authentication server configured on CiscoIOS15. This is detailed below.
Table 403: TACACS+ authentication servers
Server Group    Address     Port    Key
                18.1.1.1    49
5.84.4 Check
Verify an authentication server is required to access the device and that there are two or more authentication servers defined. If the device is not configured for two separate authentication servers, this is a finding.
Severity: CAT I
Rule ID: SV-16261r5_rule
STIG ID: NET0441
Controls:
Responsibility: Information Assurance Officer
Severity: CAT II
Rule ID: SV-18945r2_rule
STIG ID: NET1807
Controls:
Responsibility: Information Assurance Officer
5.84.5 Fix
Configure the device to use two separate authentication servers.
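The two administrative-access checks above (5.82, SSH protocol version, and 5.84, number of authentication servers) can be run against an exported running-config offline. The following is an added example written for this edit, not Nipper Studio code or output; the two configurations it inspects are constructed, the first modelled on the CiscoIOS15 finding (one TACACS+ server at 18.1.1.1) with the ip ssh version line omitted, the second a corrected variant with two servers, one in legacy tacacs-server host syntax and one in the newer tacacs server NAME block syntax. Server names and keys are placeholders.

```python
"""Administrative-access checks: SSH protocol version (5.82) and the
number of authentication servers behind AAA (5.84). Added example, not
Nipper Studio code; both configurations below are constructed."""
import re

# Constructed: 'ip ssh version' missing and a single legacy TACACS+ server.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 18.1.1.1
tacacs-server key EXAMPLE-KEY
ip ssh time-out 60
line vty 0 4
 transport input ssh
"""

# Constructed: SSH pinned to version 2 and two servers, one in legacy
# syntax and one in the 'tacacs server NAME' block syntax.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 18.1.1.1
tacacs server NOC-TACACS-2
 address ipv4 18.1.1.2
 key EXAMPLE-KEY
ip ssh version 2
line vty 0 4
 transport input ssh
"""


def ssh_version_status(config):
    """Effective SSH protocol version. IOS accepts both SSH-1 and SSH-2
    unless 'ip ssh version 2' is configured ('show ip ssh' then reports
    version 1.99), so a missing line is a finding, not a pass."""
    m = re.search(r"^ip ssh version (\d)", config, re.M)
    return m.group(1) if m else "1.99"


def authentication_servers(config):
    """Collect AAA server addresses from both configuration styles:
    legacy 'tacacs-server host X' / 'radius-server host X' and the
    'tacacs server NAME' / 'radius server NAME' blocks with 'address ipv4 X'."""
    servers = set(re.findall(r"^(?:tacacs|radius)-server host (\S+)", config, re.M))
    block_re = r"^(?:tacacs|radius) server \S+\n((?:[ \t]+.*\n?)*)"
    for block in re.finditer(block_re, config, re.M):
        servers.update(re.findall(r"address ipv4 (\S+)", block.group(1)))
    return sorted(servers)


def aaa_uses_server_group(config):
    """Servers only matter if the login method list consults them: require
    'aaa new-model' and a login list that names a server group."""
    return (re.search(r"^aaa new-model", config, re.M) is not None and
            re.search(r"^aaa authentication login \S+ .*group \S+", config, re.M) is not None)


def audit(config):
    servers = authentication_servers(config)
    return {
        "ssh_version_ok": ssh_version_status(config) == "2",
        "servers": servers,
        "two_or_more_servers": len(servers) >= 2,
        "aaa_login_uses_servers": aaa_uses_server_group(config),
    }


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

The first configuration fails both checks even though `transport input ssh` is set: the version is left at the default (1.99, both versions accepted) and only one server is defined. Counting servers across both syntaxes matters on IOS 15, where the legacy `tacacs-server host` form is deprecated but still present in many configurations.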
5.85 V-15434 - Emergency administration account privilege level is not set.
5.85.1 Summary
The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online. Table 404 provides a summary result of the findings.
Table 404: Emergency administration account privilege level is not set. - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
5.85.2 Description
The emergency administration account is to be configured as a local account on the network devices. It is to be used only when the authentication server is offline or not reachable via the network. The emergency account must be set to an appropriate authorization level to perform necessary administrative functions during this time.
5.85.3 Check
Review the emergency administration account configured on the network devices and verify that it has been assigned to a privilege level that will enable the administrator to perform necessary administrative functions when the authentication server is not online. If the emergency administration account is configured for more access than needed to troubleshoot issues, this is a finding.
5.85.4 Fix
Assign a privilege level to the emergency administration account to allow the administrator to perform necessary administrative functions when the authentication server is not online.
5.86 V-17754 - Management traffic is not restricted
5.86.1 Summary
IPSec tunnels used to transit management traffic must be restricted to only the authorized management packets based on destination and source IP address. Table 405 provides a summary result of the findings.
Table 405: Management traffic is not restricted - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
5.86.2 Description
The Out-of-Band Management (OOBM) network is an IP network used exclusively for the transport of OAM&P data from the network being managed to the OSS components located at the NOC. Its design provides connectivity to each managed network device, enabling network management traffic to flow between the managed NEs and the NOC. This allows the use of paths separate from those used by the network being managed. Traffic from the managed network to the management network and vice-versa must be secured via IPSec encapsulation.
5.86.3 Check
Review the device configuration to determine if IPSec tunnels used in transiting management traffic are filtered to only accept authorized traffic based on source and destination IP addresses of the management network. If filters are not restricting only authorized management traffic into the IPSec tunnel, this is a finding.
Severity: CAT II
Rule ID: SV-19063r1_rule
STIG ID: NET1808
Controls:
Responsibility: System Administrator
Severity: CAT II
Rule ID: SV-19068r1_rule
STIG ID: NET0985
Controls: ECSC-1
Responsibility: System Administrator
5.86.4 Fix
Configure filters based on source and destination IP address to restrict only authorized management traffic into IPSec tunnels used for transiting management data.
5.87 V-17814 - Remote VPN end-point not a mirror of local gateway
5.87.1 Summary
Gateway configuration at the remote VPN end-point is not a mirror of the local gateway. Table 406 provides a summary result of the findings.
Table 406: Remote VPN end-point not a mirror of local gateway - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
5.87.2 Description
The IPSec tunnel endpoints may be configured on the OOBM gateway routers connecting the managed network and the NOC. They may also be configured on a firewall or VPN concentrator located behind the gateway router. In either case, the crypto access-list used to identify the traffic to be protected must be a mirror (both IP source and destination address) of the crypto access list configured at the remote VPN peer.
5.87.3 Check
Verify the configuration at the remote VPN end-point is a mirror configuration of that reviewed for the local end-point.
5.87.4 Fix
Configure the crypto access-list used to identify the traffic to be protected so that it is a mirror (both IP source and destination address) of the crypto access list configured at the remote VPN peer.
5.88 V-17815 - IGP instances do not peer with appropriate domain
5.88.1 Summary
IGP instances configured on the OOBM gateway router do not peer only with their appropriate routing domain. Table 407 provides a summary result of the findings.
Table 407: IGP instances do not peer with appropriate domain - Summary result
Device        Type           Status
CiscoIOS15    Cisco Router
5.88.2 Description
If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. Since the managed network and the management network are separate routing domains, separate IGP routing instances must be configured on the router: one for the managed network and one for the OOBM network.
5.88.3 Check
Verify that the OOBM interface is an adjacency only in the IGP routing domain for the management network.
5.88.4 Fix
Ensure that the multiple IGP instances configured on the OOBM gateway router peer only with their appropriate routing domain. Verify that all interfaces are configured for the appropriate IGP instance.
Severity: CAT II
Rule ID: SV-19299r1_rule
STIG ID: NET0986
Controls:
Responsibility: System Administrator
5.89 V-17816 - Routes from the two IGP domains are redistributed
5.89.1 Summary
The routes from the two IGP domains are redistributed to each other. Table 408 provides a summary result of the findings.
Table 408: Routes from the two IGP domains are redistributed - Summary result
Device        Type           Status
CiscoIOS15    Cisco Router
5.89.2 Description
If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. Since the managed network and the management network are separate routing domains, separate IGP routing instances must be configured on the router: one for the managed network and one for the OOBM network. In addition, the routes from the two domains must not be redistributed to each other.
5.89.3 Findings
CiscoIOS15
Nipper Studio detected no issues with redistributed routing on CiscoIOS15.
5.89.4 Check
Verify that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network, and vice versa.
Route advertisements between two routing domains such as OSPF and EIGRP can only be shared via redistribution. Verify that there are no redistribute commands configured under the IGP domain for the management network that would enable distributing routes from the IGP domain of the managed network, or vice-versa. The following would be an example of redistributing routes from EIGRP into OSPF.
  router ospf 1
   network 172.20.0.0
   redistribute eigrp 12
IOS supports multiple instances of OSPF and EIGRP that are configured using a different process ID. Each EIGRP or OSPF process will run only on the interfaces of the networks specified. Each EIGRP process maintains a separate topology database; likewise, each OSPF process maintains a separate link-state database. Route advertisements between two processes can only be shared via redistribution. Verify that there are no redistribution commands that would distribute routes from the IGP routing domain for the management network into the IGP routing domain of the managed network, or vice-versa. The following would be an example of redistributing routes from one EIGRP process into another.
  !
  router eigrp 15
   network 172.20.0.0
  !
  router eigrp 10
   network 10.0.0.0
   redistribute eigrp 15
As an alternative, static routes can be used to forward management traffic to the OOBM interface; however, this method may not scale well. If static routes are used to forward management traffic to the OOB backbone network, verify that the OOBM interface is not an IGP adjacency and that the correct destination prefix has been configured to forward the management traffic to the correct next-hop and interface for the static route. In the following configuration example, 10.1.1.0/24 is the management network and 10.1.20.4 is the interface address of the OOB backbone router that the OOB gateway router connects to. The network 10.1.20.0/24 is the OOBM backbone. (IOS takes the exit interface before the next-hop address in a fully specified static route.)
  interface Serial0/0
   description to_OOBM_Backbone
   ip address 10.1.20.3 255.255.255.0
  interface Fastethernet0/0
   description to_our_PrivateNet
   ip address 172.20.4.2 255.255.255.0
  interface Fastethernet0/1
   description to_our_ServiceNet
   ip address 172.20.5.2 255.255.255.0
  !
  router ospf 1
   network 172.20.0.0
  !
  ip route 10.1.1.0 255.255.255.0 Serial0/0 10.1.20.4
Severity: CAT II
Rule ID: SV-19301r1_rule
STIG ID: NET0987
Controls:
Responsibility: System Administrator
5.89.5 Fix
Ensure that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network, and vice versa.
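Both routing-process checks in this part of the report, the iBGP update-source requirement of 5.78 and the no-cross-domain-redistribution requirement of 5.89, can be evaluated from a running-config export. The following is an added example written for this edit, not Nipper Studio code or output. It assumes the OOBM management address space is 10.1.1.0/24 (as in the report's examples) and classifies each OSPF/EIGRP process as belonging to the management domain when all of its network statements fall inside that prefix; the sample configuration is constructed and contains one non-compliant iBGP neighbor and a pair of redistribute statements that cross the domain boundary.

```python
"""Routing-process checks: iBGP update-source (5.78) and IGP route
redistribution across the management/managed boundary (5.89).
Added example, not Nipper Studio code; the configuration below is
constructed, not taken from the audited devices."""
import ipaddress
import re

# Constructed sample: one eBGP peer, one compliant and one non-compliant
# iBGP peer; OSPF 1 is the managed-network IGP, EIGRP 12 the OOBM IGP,
# and each redistributes the other (two findings).
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.10.2.1 255.255.255.255
router ospf 1
 network 172.20.0.0 0.0.255.255 area 1
 redistribute eigrp 12 subnets
router eigrp 12
 network 10.1.1.0 0.0.0.255
 redistribute ospf 1 metric 10000 100 255 1 1500
router bgp 100
 neighbor 200.200.200.2 remote-as 200
 neighbor 10.10.2.2 remote-as 100
 neighbor 10.10.2.2 update-source Loopback0
 neighbor 10.10.2.3 remote-as 100
"""

# Assumed OOBM management address space (10.1.1.0/24 as in this report).
MGMT_PREFIX = ipaddress.ip_network("10.1.1.0/24")


def parse_sections(config):
    """Group a running-config into {top-level line: [indented child lines]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def check_ibgp_update_source(sections):
    """5.78: an iBGP neighbor (remote-as equal to the local AS) must carry
    'update-source Loopback<n>'. eBGP peers are ignored. Returns offenders."""
    findings = []
    for header, lines in sections.items():
        m = re.fullmatch(r"router bgp (\d+)", header)
        if not m:
            continue
        neighbors = {}  # address -> {"remote-as": ..., "update-source": ...}
        for line in lines:
            parts = line.split()
            if len(parts) >= 4 and parts[0] == "neighbor":
                neighbors.setdefault(parts[1], {})[parts[2]] = parts[3]
        for addr, attrs in neighbors.items():
            if attrs.get("remote-as") != m.group(1):
                continue
            if not attrs.get("update-source", "").lower().startswith("loopback"):
                findings.append(addr)
    return findings


def network_statement_prefix(parts):
    """'network A.B.C.D [wildcard] ...' -> ip_network. IOS wildcard masks are
    inverted masks, which ipaddress accepts as hostmasks; a bare address
    (classic EIGRP syntax) is classful."""
    addr = parts[1]
    if len(parts) > 2 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", parts[2]):
        return ipaddress.ip_network(f"{addr}/{parts[2]}", strict=False)
    first = int(addr.split(".")[0])
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def check_cross_domain_redistribution(sections, mgmt_prefix=MGMT_PREFIX):
    """5.89: label each OSPF/EIGRP process 'management' when every network
    statement lies inside the OOBM prefix, otherwise 'managed', then flag
    'redistribute <proto> <id>' lines that pull routes across domains."""
    domain, redistributes = {}, {}
    for header, lines in sections.items():
        m = re.fullmatch(r"router (ospf|eigrp) (\d+)", header)
        if not m:
            continue
        proc = f"{m.group(1)} {m.group(2)}"
        nets = [network_statement_prefix(ln.split()) for ln in lines
                if ln.startswith("network ")]
        in_mgmt = bool(nets) and all(n.subnet_of(mgmt_prefix) for n in nets)
        domain[proc] = "management" if in_mgmt else "managed"
        redistributes[proc] = [" ".join(ln.split()[1:3]) for ln in lines
                               if ln.startswith("redistribute ")
                               and ln.split()[1] in ("ospf", "eigrp")]
    return [(proc, target) for proc, targets in redistributes.items()
            for target in targets
            if target in domain and domain[target] != domain[proc]]


if __name__ == "__main__":
    cfg = parse_sections(SAMPLE_CONFIG)
    print("iBGP neighbors without loopback update-source:", check_ibgp_update_source(cfg))
    print("cross-domain redistribution:", check_cross_domain_redistribution(cfg))
```

Classifying a process by its network statements is a heuristic: a management IGP that also carries a non-management prefix would be labelled "managed" and the redistribution would not be flagged, so the domain labels should be reviewed against the interface descriptions before the result is trusted.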
5.90 V-17817 - Managed network has access to OOBM gateway router
5.90.1 Summary
Traffic from the managed network is able to access the OOBM gateway router. Table 409 provides a summary result of the findings.
Table 409: Managed network has access to OOBM gateway router - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
5.90.2 Description
If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. It is imperative that hosts from the managed network are not able to access the OOBM gateway router.
5.90.3 Check
Review the ACL or filters for the router's receive path and verify that only traffic sourced from the management network is allowed to access the router. This would include both management and control plane traffic.
Step 1: Verify that the global ip receive acl statement has been configured as shown in the following example:
  ip receive acl 199
Note: The IOS IP Receive ACL feature provides filtering capability for traffic that is destined for the router. The IP Receive ACL filtering occurs after any input ACL bound to the ingress interface. On distributed platforms (i.e., 12000 series), the IP receive ACL filters traffic on the distributed line cards before packets are received by the route processor, thereby preventing a flood from degrading the performance of the route processor.
Step 2: Determine the address block of the management network at the NOC. In the example configuration below, 10.2.2.0/24 is the management network at the NOC.
Step 3: Verify that the ACL referenced by the ip receive acl statement restricts all management plane traffic to the validated network management address block at the NOC. Management traffic can include telnet, SSH, SNMP, TACACS, RADIUS, TFTP, FTP, and ICMP. Control plane traffic from OOBM backbone neighbors should also be allowed to access the router. The ACL configuration should look similar to the following:
  access-list 199 deny ip any any fragments
  access-list 199 permit ospf 10.1.20.0 0.0.0.255 any
  access-list 199 permit tcp 10.2.2.0 0.0.0.255 any eq ssh
  access-list 199 permit udp host 10.2.2.24 any eq snmp
  access-list 199 permit udp host 10.2.2.25 any eq snmp
  access-list 199 permit udp host 10.2.2.26 any eq ntp
  access-list 199 permit udp host 10.2.2.27 any eq ntp
  access-list 199 permit tcp host 10.2.2.30 eq tacacs any gt 1023 established
  access-list 199 permit tcp host 10.2.2.77 eq ftp any gt 1023 established
  access-list 199 permit tcp host 10.2.2.77 gt 1024 any eq ftp-data
  access-list 199 permit icmp 10.2.2.0 0.0.0.255 any
  access-list 199 deny ip any any log
In the example above, the OSPF neighbors would be adjacencies with the OOBM backbone network 10.1.20.0/24. If the platform does not support the receive path filter, then verify that all non-OOBM interfaces have an ingress ACL to restrict access to that interface address or any of the router's loopback addresses to only traffic sourced from the management network. An exception would be to allow packets destined to these interfaces that are used for troubleshooting, such as ping and traceroute.
Severity: CAT II
Rule ID: SV-19303r1_rule
STIG ID: NET0988
Controls:
Responsibility: System Administrator
Severity: CAT II
Rule ID: SV-19305r1_rule
STIG ID: NET0989
Controls:
Responsibility: System Administrator
5.90.4 Fix
Ensure that traffic from the managed network is not able to access the OOBM gateway router, using either receive path or interface ingress ACLs.
5.91 V-17818 - Traffic from the managed network will leak
5.91.1 Summary
Traffic from the managed network will leak into the management network via the gateway router interface connected to the OOBM backbone. Table 410 provides a summary result of the findings.
Table 410: Traffic from the managed network will leak - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
5.91.2 Description
If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries, such as using interface ACLs or filters at the boundaries between the two networks.
5.91.3 Check
Examine the egress filter on the OOBM interface of the gateway router to verify that only traffic sourced from the management address space is allowed to transit the OOBM backbone. In the example configuration below, 10.1.1.0/24 is the management network address space at the enclave or managed network and 10.2.2.0/24 is the management network address space at the NOC.
IOS
  interface Serial0/0
   description to_OOBM_Backbone
   ip address 10.1.20.3 255.255.255.0
   ip access-group 101 out
  interface Fastethernet0/0
   description Enclave_Management_LAN
   ip address 10.1.1.1 255.255.255.0
  interface Fastethernet0/1
   description to_our_ServiceNet
   ip address 172.20.5.2 255.255.255.0
  !
  access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
  access-list 101 deny ip any any log
5.91.4 Fix
Configure the OOBM gateway router interface ACLs to ensure traffic from the managed network does not leak into the management network.
5.92 V-17819 - Management traffic leaks into the managed network
5.92.1 Summary
Management network traffic is leaking into the managed network. Table 411 provides a summary result of the findings.
Table 411: Management traffic leaks into the managed network - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
Severity: CAT II
Rule ID: SV-20205r2_rule
STIG ID: NET0991
Controls:
Responsibility: System Administrator
5.92.2 Description
If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. To provide separation, access control lists or filters must be configured to block any traffic from the management network destined for the managed network's production address spaces.
5.92.3 Check
Examine the ingress filter on the OOBM interface of the gateway router to verify that traffic is only destined to the local management address space. In the example configuration below, 10.1.1.0/24 is the local management network address space at the enclave or managed network and 10.2.2.0/24 is the management network address space at the NOC.
IOS
  interface Serial0/0
   description to_OOBM_Backbone
   ip address 10.1.20.3 255.255.255.0
   ip access-group 100 in
   ip access-group 101 out
  interface Fastethernet0/0
   description Enclave_Management_LAN
   ip address 10.1.1.2 255.255.255.0
  interface Fastethernet0/1
   description to_our_ServiceNet
   ip address 172.20.5.2 255.255.255.0
  interface Fastethernet0/2
   description to_our_PrivateNet
   ip address 172.20.4.2 255.255.255.0
  !
  access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 100 deny ip any any log
5.92.4 Fix
Configure access control lists or filters to block any traffic from the management network destined for the managed network's production address spaces.
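The three ACL checks for the OOBM gateway router (5.90, receive-path ACL; 5.91, egress filter on the OOBM interface; 5.92, ingress filter on the OOBM interface) all reduce to the same question: does every permit entry keep its source, and where required its destination, inside the management address blocks? The following is an added example written for this edit, not Nipper Studio code or output. It parses IOS extended numbered ACLs (wildcard masks, host, any, port operators) with the standard library and applies the three checks to a constructed ACL text modelled on the configurations above; one extra entry in ACL 199, permitting telnet from 172.20.4.0/24, is deliberately non-compliant. The address blocks are the ones used in the report's examples and are assumptions for any other network.

```python
"""Extended numbered ACL checks for the OOBM gateway router: receive-path
ACL (5.90), OOBM egress filter (5.91) and OOBM ingress filter (5.92).
Added example, not Nipper Studio code; the ACL text is a constructed
sample modelled on the configurations in this report, with one
deliberately non-compliant entry in ACL 199."""
import ipaddress
import re

NOC_MGMT = ipaddress.ip_network("10.2.2.0/24")      # management address space at the NOC
LOCAL_MGMT = ipaddress.ip_network("10.1.1.0/24")    # management LAN at the enclave
OOBM_BACKBONE = ipaddress.ip_network("10.1.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # tokens each operator consumes

SAMPLE_ACLS = """\
access-list 199 deny ip any any fragments
access-list 199 permit ospf 10.1.20.0 0.0.0.255 any
access-list 199 permit tcp 10.2.2.0 0.0.0.255 any eq ssh
access-list 199 permit udp host 10.2.2.24 any eq snmp
access-list 199 permit tcp host 10.2.2.30 eq tacacs any gt 1023 established
access-list 199 permit tcp 172.20.4.0 0.0.0.255 any eq telnet
access-list 199 deny ip any any log
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 101 deny ip any any log
access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 deny ip any any log
"""


def _take_address(tokens, i):
    """Consume an address spec at tokens[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D wildcard'. Returns (network, index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcards are inverted masks; ipaddress parses them as hostmasks.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _skip_ports(tokens, i):
    """Step over an optional source-port operator (eq/gt/lt/neq/range)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return i + PORT_OPS[tokens[i]]
    return i


def parse_acls(text):
    """Return {acl_number: [(action, protocol, src_net, dst_net), ...]}."""
    acls = {}
    for line in text.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny) (\S+) (.*)", line.strip())
        if not m:
            continue
        number, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _take_address(tokens, 0)
        i = _skip_ports(tokens, i)
        dst, i = _take_address(tokens, i)
        acls.setdefault(number, []).append((action, proto, src, dst))
    return acls


def _within(net, allowed):
    return any(net.subnet_of(a) for a in allowed)


def offending_permits(entries, allowed_sources, allowed_destinations=(ANY,)):
    """Permit entries whose source or destination lies outside the allowed
    prefixes. 'any' (0.0.0.0/0) only passes where ANY itself is allowed."""
    return [e for e in entries if e[0] == "permit"
            and not (_within(e[2], allowed_sources) and _within(e[3], allowed_destinations))]


def ends_with_explicit_deny(entries):
    """The last entry should be 'deny ip any any' so that drops are logged."""
    action, proto, src, dst = entries[-1]
    return action == "deny" and proto == "ip" and src == ANY and dst == ANY


def audit(text):
    acls = parse_acls(text)
    return {
        # 5.90: receive ACL, sources limited to the NOC block plus OSPF from the OOBM backbone
        "receive_acl_199": offending_permits(acls["199"], [NOC_MGMT, OOBM_BACKBONE]),
        # 5.91: egress on the OOBM interface, local management -> NOC management only
        "egress_acl_101": offending_permits(acls["101"], [LOCAL_MGMT], [NOC_MGMT]),
        # 5.92: ingress on the OOBM interface, NOC management -> local management only
        "ingress_acl_100": offending_permits(acls["100"], [NOC_MGMT], [LOCAL_MGMT]),
        "explicit_deny": {n: ends_with_explicit_deny(e) for n, e in acls.items()},
    }


if __name__ == "__main__":
    for name, result in audit(SAMPLE_ACLS).items():
        print(name, result)
```

The parser deliberately ignores destination ports and the `established` keyword, because none of the three checks depend on them; a port-level review (for example, confirming that only SSH rather than telnet reaches the router) is a separate step. Named ACLs (`ip access-list extended ...`) are not handled here.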
5.93 V-17821 - The OOBM interface not configured correctly.
5.93.1 Summary
The network element's OOBM interface must be configured with an OOBM network address. Table 412 provides a summary result of the findings.
Table 412: The OOBM interface not configured correctly. - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
5.93.2 Description
The OOBM access switch will connect to the management interface of the managed network elements. The management interface of the managed network element will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the OOBM interface does not have an IP address from the management (OOBM) network address space, it will not have reachability from the NOC using scalable and normal control plane and forwarding mechanisms.
5.93.3 Check
After determining which interface is connected to the OOBM access switch, review the managed device configuration and verify that the interface has been assigned an address from the local management address block. In this example, that is 10.1.1.0/24.
Cisco router
  interface Fastethernet0/0
   description Enclave_Management_LAN
   ip address 10.1.1.22 255.255.255.0
Cisco Catalyst MLS Switch
  interface VLAN101
   description Management_VLAN
   ip address 10.1.1.22 255.255.255.0
  ......
  interface FastEthernet1/6
   switchport access vlan 101
   switchport mode access
or
  interface FastEthernet1/6
   no switchport
   ip address 10.1.1.22 255.255.255.0
Caveat: If the interface is configured as a routed interface as shown in the above configuration, the requirements specified in NOC180 must be implemented.
Severity: CAT II
Rule ID: SV-20208r1_rule
STIG ID: NET0992
Controls:
Responsibility: System Administrator
5.93.4 Fix
Configure the OOB management interface with an IP address from the address space belonging to the OOBM network.
5.94 V-17822 - The management interface does not have an ACL.
5.94.1 Summary
The management interface is not configured with both an ingress and egress ACL. Table 413 provides a summary result of the findings.
Table 413: The management interface does not have an ACL. - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
5.94.2 Description
The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures that congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so that management traffic does not leak into the managed network and that production traffic does not leak into the management network.
5.94.3 Check
Step 1: Verify that the management interface has an inbound and outbound ACL configured as shown in the following example:
  interface FastEthernet1/1
   description Enclave_Management_LAN
   ip address 10.1.1.22 255.255.255.0
   ip access-group 100 in
   ip access-group 101 out
Step 2: Verify that the ingress ACL blocks all transit traffic, that is, any traffic not destined to the router itself. In addition, traffic accessing the managed elements should be originated at the NOC. In the example the management network at the NOC is 10.2.2.0/24.
  access-list 100 permit ip 10.2.2.0 0.0.0.255 host 10.1.1.22
  access-list 100 deny ip any any log
Note that the destination used by any host within the management network to access the managed elements must be via the management interface. The loopback should not be a valid address, since these prefixes would not be advertised into the management network IGP domain. This could only be possible if the managed network element had an IGP adjacency into the management network, which should not be the case.
Step 3: Verify that the egress ACL blocks any traffic not originated by the managed element.
  access-list 101 deny ip any any log
Cisco router-generated packets are not inspected by outgoing access-lists. Hence, the above configuration would simply drop any packets not generated by the router itself and allow all local traffic. To filter local traffic, IOS provides a feature called local policy routing, which enables the administrator to apply a route-map to any local router-generated traffic. To prohibit outgoing traffic from the local router to any destination other than the NOC, a configuration such as the following could be used:
  ! Do not drop traffic destined to 10.2.2.0/24. Hence, do not include it in
  ! the local policy route map, but include all other destinations.
  !
  ip access-list extended BLOCK_INVALID_DEST
   deny ip any 10.2.2.0 0.0.0.255
   permit ip any any
  !
  route-map LOCAL_POLICY 10
   match ip address BLOCK_INVALID_DEST
   set interface Null0
  !
  ip local policy route-map LOCAL_POLICY
Alternative Solution: The IOS Management Plane Protection Feature
Cisco introduced the Management Plane Protection (MPP) feature with IOS 12.4(6)T, which allows any physical in-band interface to be dedicated for OOB management. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Management traffic is permitted to enter a device only through these management interfaces. All of the other in-band interfaces not enabled for MPP will automatically drop all ingress packets associated with any of the supported MPP protocols (FTP, HTTP, HTTPS, SCP, SSH, SNMP, Telnet, and TFTP). Hence, after MPP is enabled, no interfaces except management interfaces will accept network management traffic destined to the device. This feature also provides the capability to restrict which management protocols are allowed. This feature does not change the behavior of the console, auxiliary, and management Ethernet interfaces. The following configuration example depicts FastEthernet1/1 as the designated management interface that will only allow ssh and snmp traffic.
  control-plane host
   management-interface FastEthernet1/1 allow ssh snmp
  !
  interface FastEthernet1/1
   description Enclave_Management_LAN
   ip address 10.1.1.22 255.255.255.0
Severity: CAT III
Rule ID: SV-19334r2_rule
STIG ID: NET0993
Controls:
Responsibility: System Administrator
5.94.4 Fix
If the management interface is a routed interface, it must be configured with both an ingress and egress ACL. The ingress ACL should block any transit traffic, while the egress ACL should block any traffic that was not originated by the managed network device.
5.95 V-17823 - The management interface is not IGP passive.
5.95.1 Summary
The network element's management interface is not configured as passive for the IGP instance deployed in the managed network. Table 414 provides a summary result of the findings.
Table 414: The management interface is not IGP passive. - Summary result
Device        Type           Status
router03      Cisco Router
CiscoIOS15    Cisco Router
5.95.2 Description
The OOBM access switch will connect to the management interface of the managed network elements. The management interface can be a true OOBM interface or a standard interface functioning as the management interface. In either case, the management interface of the managed network element will be directly connected to the OOBM network. An OOBM interface does not forward transit traffic, thereby providing complete separation of production and management traffic. Since all management traffic is immediately forwarded into the management network, it is not exposed to possible tampering. The separation also ensures congestion or failures in the managed network do not affect the management of the device. If the device does not have an OOBM port, the interface functioning as the management interface must be configured so management traffic, both data plane and control plane, does not leak into the managed network and production traffic does not leak into the management network.
Severity: CAT II
Rule ID: SV-19308r1_rule
STIG ID: NET1005
Controls:
Responsibility: System Administrator
5.95.3 Check

If the managed network element is a layer 3 device, review the configuration to verify the management interface is configured as passive for the IGP instance for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration. The following configuration would be an example where OSPF is enabled on all interfaces except the management interface:

interface Fastethernet0/0
 description Enclave_Management_LAN
 ip address 10.1.1.22 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
interface Fastethernet0/1
 description to_our_PrivateNet
 ip address 172.20.4.2 255.255.255.0
interface Fastethernet0/2
 description to_our_ServiceNet
 ip address 172.20.5.2 255.255.255.0
interface Fastethernet1/1
 description to_our_DMZ
 ip address 172.20.3.1 255.255.255.0
!
router ospf 1
 network 172.20.0.0 255.255.255.0 area 1

Note: The MPP feature has no effect on control plane traffic. Hence, the routing protocol must still be configured so that it is not enabled on the management interface.
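The check above is mechanical enough to script. The following Python is an added example, not code from the Nipper Studio report or from the STIG: it reads a constructed IOS configuration, resolves the management interface's address, expands each OSPF network statement (second token treated as an IOS wildcard mask, as the network command takes it) and reports whether the interface is covered by the IGP and, if so, whether passive-interface (including the passive-interface default / no passive-interface pair) makes it passive anyway. The interface names, addresses and network statements are sample values.

```python
import ipaddress
import re

# Constructed sample config, modelled on the STIG example above (not the
# audited devices' config). The management interface Fastethernet0/0 is
# deliberately covered by an OSPF network statement so the check has
# something to flag.
SAMPLE_CONFIG = """\
interface Fastethernet0/0
 description Enclave_Management_LAN
 ip address 10.1.1.22 255.255.255.0
interface Fastethernet0/1
 description to_our_PrivateNet
 ip address 172.20.4.2 255.255.255.0
interface Fastethernet0/2
 description to_our_ServiceNet
 ip address 172.20.5.2 255.255.255.0
!
router ospf 1
 network 172.20.0.0 0.0.255.255 area 1
 network 10.1.1.0 0.0.0.255 area 0
"""


def wildcard_to_network(addr, wildcard):
    """IOS wildcard (inverse) mask -> IPv4Network. ipaddress reads a dotted
    hostmask directly, except that the all-zero mask is taken as /0 rather
    than the IOS meaning (exact host), so that case is special-cased."""
    if wildcard == "0.0.0.0":
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def interface_addresses(config):
    """Map interface name -> primary IPv4 address string."""
    addrs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+ip address (\S+) (\S+)", line)
        if m and current:
            addrs[current] = m.group(1)
        elif not line.startswith(" "):
            current = None
    return addrs


def ospf_settings(config):
    """Network statements and passive-interface state from the router ospf block."""
    networks, passive, active, passive_default, inside = [], set(), set(), False, False
    for line in config.splitlines():
        if line.startswith("router ospf"):
            inside = True
            continue
        if not line.startswith(" "):
            inside = False
        if not inside:
            continue
        m = re.match(r"^\s+network (\S+) (\S+) area", line)
        if m:
            networks.append(wildcard_to_network(m.group(1), m.group(2)))
        m = re.match(r"^\s+(no )?passive-interface (\S+)", line)
        if m:
            if m.group(2) == "default":
                passive_default = not m.group(1)
            elif m.group(1):
                active.add(m.group(2))      # 'no passive-interface X' re-enables X
            else:
                passive.add(m.group(2))
    return networks, passive, active, passive_default


def check_mgmt_interface(config, mgmt_iface):
    """in_igp: a network statement covers the interface address;
    passive: the interface is passive; compliant: not in the IGP, or passive."""
    ip = ipaddress.ip_address(interface_addresses(config)[mgmt_iface])
    networks, passive, active, passive_default = ospf_settings(config)
    in_igp = any(ip in net for net in networks)
    is_passive = mgmt_iface in passive or (passive_default and mgmt_iface not in active)
    return {"in_igp": in_igp, "passive": is_passive, "compliant": (not in_igp) or is_passive}


if __name__ == "__main__":
    print(check_mgmt_interface(SAMPLE_CONFIG, "Fastethernet0/0"))
```

Either remedy described in the Fix (dropping the network statement, or adding passive-interface for the management interface) turns the verdict to compliant; the check distinguishes the two so an auditor can see which one was applied.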
5.95.4 Fix

Configure the management interface as passive for the IGP instance configured for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration.
5.96 V-17834 - No inbound ACL for mgmt network sub-interface

5.96.1 Summary

An inbound ACL is not configured for the management network sub-interface of the trunk link to block non-management traffic. Table 415 provides a summary result of the findings.

Table 415: No inbound ACL for mgmt network sub-interface - Summary result

Device       Type          Status
router03     Cisco Router
CiscoIOS15   Cisco Router

5.96.2 Description

If the management systems reside within the same layer 2 switching domain as the managed network elements, then separate VLANs will be deployed to provide separation at that level. In this case, the management network still has its own subnet while at the same time it is defined as a unique VLAN. Inter-VLAN routing, or the routing of traffic between nodes residing in different subnets, requires a router or multi-layer switch (MLS). Access control lists must be used to enforce the boundaries between the management network and the network being managed. All physical and virtual (i.e. MLS SVI) routed interfaces must be configured with ACLs to prevent the leaking of unauthorized traffic from one network to the other.
5.96.3 Check

Review the router configuration and verify that an inbound ACL has been configured for the management network sub-interface as illustrated in the following example configuration:

IOS

interface GigabitEthernet3
 no ip redirects
 no ip directed-broadcast
interface GigabitEthernet3.10
 encapsulation dot1q 10
 description Management VLAN
 ip address 10.1.1.1 255.255.255.0
 ip access-group 108 in
!
access-list 108 permit …

Severity: CAT II
Rule ID: SV-19310r1_rule
STIG ID: NET1006
Controls:
Responsibility: System Administrator
5.96.4 Fix

If a router is used to provide inter-VLAN routing, configure an inbound ACL for the management network sub-interface of the trunk link to block non-management traffic.
5.97 V-17835 - IPSec traffic is not restricted

5.97.1 Summary

Traffic entering the tunnels is not restricted to only the authorized management packets based on destination address. Table 416 provides a summary result of the findings.

Table 416: IPSec traffic is not restricted - Summary result

Device       Type          Status
router03     Cisco Router
CiscoIOS15   Cisco Router

5.97.2 Description

Similar to the OOBM model, when the production network is managed in-band, the management network could also be housed at a NOC that is located locally or remotely at a single or multiple interconnected sites. NOC interconnectivity, as well as connectivity between the NOC and the managed networks' premise routers, would be enabled using either provisioned circuits or VPN technologies such as IPSec tunnels or MPLS VPN services.
5.97.3 Check

Verify that all traffic from the managed network to the management network and vice-versa is secured via IPSec encapsulation. In the configuration examples, 10.2.2.0/24 is the management network at the NOC and 192.168.1.0/24 is address space used at the network being managed (i.e., the enclave). For a Cisco router, the access-list referenced by the crypto map must have the source and destination addresses belonging to the management network address space at the enclave and NOC respectively.

hostname Premrouter
!
interface Serial1/0
 ip address 19.16.1.1 255.255.255.0
 description NIPRNet_Link
 crypto map myvpn
interface Fastethernet0/0
 description Enclave_Management_LAN
 ip address 192.168.1.1 255.255.255.0
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key ******* address 19.16.2.1
!
crypto ipsec transform-set toNOC esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 19.16.2.1
 set transform-set toNOC
 match address 101
!
access-list 101 permit ip any 10.2.2.0 0.0.0.255
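The crypto ACL is the only thing that decides what enters the tunnel, so it is worth auditing on its own. The Python below is an added example (not the report's or the STIG's code): it finds every access-list named by a match address line of a crypto map, walks the permit entries, and flags any whose source is not inside the enclave management space or whose destination is not inside the NOC management space, as the check text requires. The two address spaces are the ones the check names; the crypto map, ACL number and entries are constructed sample values, and the sample deliberately contains one compliant entry and two that should be flagged.

```python
import ipaddress
import re

ENCLAVE_MGMT = ipaddress.ip_network("192.168.1.0/24")   # enclave side, per the check text
NOC_MGMT = ipaddress.ip_network("10.2.2.0/24")          # NOC side, per the check text

# Constructed sample (not the audited devices' config).
SAMPLE_CONFIG = """\
crypto map myvpn 10 ipsec-isakmp
 set peer 19.16.2.1
 set transform-set toNOC
 match address 101
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 101 permit ip any 10.2.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip any any
"""


def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask -> IPv4Network (all-zero wildcard means a single host)."""
    if wildcard == "0.0.0.0":
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def parse_address(tokens):
    """Consume one ACL address spec (any | host A | A wildcard); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def strip_ports(tokens):
    """Skip a source-port qualifier (eq/gt/lt/neq P, or range A B) if present."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        return tokens[2:]
    if tokens and tokens[0] == "range":
        return tokens[3:]
    return tokens


def crypto_map_acls(config):
    """Return {acl name/number: crypto map name} for every 'match address'."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto map (\S+) \d+ ipsec-isakmp", line)
        if m:
            current = m.group(1)
        m = re.match(r"^\s+match address (\S+)", line)
        if m and current:
            acls[m.group(1)] = current
    return acls


def audit_crypto_acls(config, enclave_net, noc_net):
    """List (crypto map, ACL line, reason) for permit entries wider than the
    two management address spaces; an empty list means every entry is scoped."""
    findings = []
    for acl, cmap in crypto_map_acls(config).items():
        for line in config.splitlines():
            m = re.match(rf"^access-list {re.escape(acl)} permit \S+ (.*)$", line)
            if not m:
                continue
            src, rest = parse_address(m.group(1).split())
            dst, _ = parse_address(strip_ports(rest))
            if not src.subnet_of(enclave_net):
                findings.append((cmap, line, f"source {src} not within {enclave_net}"))
            if not dst.subnet_of(noc_net):
                findings.append((cmap, line, f"destination {dst} not within {noc_net}"))
    return findings


if __name__ == "__main__":
    for finding in audit_crypto_acls(SAMPLE_CONFIG, ENCLAVE_MGMT, NOC_MGMT):
        print(*finding, sep=" | ")
```

Only permit entries are examined, because only permitted traffic is selected for the tunnel; a deny entry simply keeps traffic out of it.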
Severity: CAT III
Rule ID: SV-19313r1_rule
STIG ID: NET1007
Controls:
Responsibility: System Administrator

5.97.4 Fix

Where IPSec technology is deployed to connect the managed network to the NOC, it is imperative that the traffic entering the tunnels is restricted to only the authorized management packets based on destination address.
5.98 V-17836 - Management traffic is not classified and marked

5.98.1 Summary

Management traffic is not classified and marked at the nearest upstream MLS or router when management traffic must traverse several nodes to reach the management network. Table 417 provides a summary result of the findings.

Table 417: Management traffic is not classified and marked - Summary result

Device       Type          Status
router03     Cisco Router
CiscoIOS15   Cisco Router

5.98.2 Description

When network congestion occurs, all traffic has an equal chance of being dropped. Prioritization of network management traffic must be implemented to ensure that even during periods of severe network congestion, the network can be managed and monitored. Quality of Service (QoS) provisioning categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment through congestion avoidance techniques. Implementing QoS within the network makes network performance more predictable and bandwidth utilization more effective. Most important, since the same bandwidth is being used to manage the network, it provides some assurance that there will be bandwidth available to troubleshoot outages and restore availability when needed. When management traffic must traverse several nodes to reach the management network, management traffic should be classified and marked at the nearest upstream MLS or router. In addition, all core routers within the managed network must be configured to provide preferred treatment based on the QoS markings. This will ensure that management traffic receives preferred treatment (per-hop behavior) at each forwarding device along the path to the management network.
5.98.3 Check

class-map match-all MANAGEMENT-TRAFFIC
 match access-group name CLASSIFY-MANAGEMENT-TRAFFIC
!
policy-map DIST-LAYER-POLICY
 class MANAGEMENT-TRAFFIC
  set ip dscp 48
!
interface FastEthernet0/0
 description link to LAN1
 ip address 192.168.1.1 255.255.255.0
 service-policy input DIST-LAYER-POLICY
interface FastEthernet0/1
 description link to LAN2
 ip address 192.168.2.1 255.255.255.0
 service-policy input DIST-LAYER-POLICY
interface FastEthernet0/2
 description link to core
 ip address 192.168.13.1 255.255.255.0
!
ip access-list extended CLASSIFY-MANAGEMENT-TRAFFIC
 permit ip any 10.2.2.0 0.0.0.255

Note: Traffic is marked using the set command in a policy map. For DSCP rewrite, if a packet encounters both input and output classification policy, the output policy has precedence. If there is no output policy, then the input policy has precedence.
5.98.4 Fix

When management traffic must traverse several nodes to reach the management network, classify and mark management traffic at the nearest upstream MLS or router.
5.99 V-17837 - Management traffic doesn't get preferred treatment

Severity: CAT III
Rule ID: SV-19315r1_rule
STIG ID: NET1008
Controls:
Responsibility: System Administrator

5.99.1 Summary

The core router within the managed network has not been configured to provide preferred treatment for management traffic that must traverse several nodes to reach the management network. Table 418 provides a summary result of the findings.

Table 418: Management traffic doesn't get preferred treatment - Summary result

Device       Type          Status
router03     Cisco Router
CiscoIOS15   Cisco Router

5.99.2 Description

When network congestion occurs, all traffic has an equal chance of being dropped. Prioritization of network management traffic must be implemented to ensure that even during periods of severe network congestion, the network can be managed and monitored. Quality of Service (QoS) provisioning categorizes network traffic, prioritizes it according to its relative importance, and provides priority treatment through congestion avoidance techniques. Implementing QoS within the network makes network performance more predictable and bandwidth utilization more effective. Most important, since the same bandwidth is being used to manage the network, it provides some assurance that there will be bandwidth available to troubleshoot outages and restore availability when needed. When management traffic must traverse several nodes to reach the management network, management traffic should be classified and marked at the nearest upstream MLS or router. In addition, all core routers within the managed network must be configured to provide preferred treatment based on the QoS markings. This will ensure that management traffic receives preferred treatment (per-hop behavior) at each forwarding device along the path to the management network.
5.99.3 Check

When management traffic must traverse several nodes to reach the management network, ensure that all core routers within the managed network have been configured to provide preferred treatment for management traffic. This will ensure that management traffic receives guaranteed bandwidth at each forwarding device along the path to the management network.

Step 1: Verify that a service policy is bound to all core or internal router interfaces as shown in the configuration below:

interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 service-policy output QoS-Policy
interface FastEthernet0/2
 ip address 192.168.1.1 255.255.255.0
 service-policy output QoS-Policy

Step 2: Verify that the class-maps place management traffic in the appropriate forwarding class as shown in the example below:

class-map match-all best-effort
 match ip dscp 0
class-map match-any data-AF13-AF23
 match ip dscp 14
 match ip dscp 22
class-map match-any video-AF33-AF43
 match ip dscp 30
 match ip dscp 38
class-map match-all voice-EF
 match ip dscp 46
class-map match-all network-control
 match ip dscp 48
Step 3: Verify that the classes are receiving the required service.

policy-map QoS-Policy
 class best-effort
  bandwidth percent 10
  random-detect dscp-based
 class data-AF13-AF23
  bandwidth percent 30
  random-detect dscp-based
 class video-AF33
  bandwidth percent 15
  random-detect dscp-based
 class video-AF43
  bandwidth percent 20
  random-detect dscp-based
 class voice-EF
  priority percent 20
 class network-control
  bandwidth percent 5
  random-detect dscp-based

Note 1: The dscp-based argument enables WRED to use the DSCP value of a packet when it calculates the drop probability for the packet; whereas if the prec-based argument is specified, WRED will use the IP Precedence value to calculate drop probability. If neither is specified, the default is prec-based.

Note 2: LLQ is enabled with the priority command using either a kbps value or a bandwidth percentage using the percent keyword followed by a percentage value.

Note 3: Traffic that does not meet the match criteria specified in the forwarding classes is treated as belonging to the default forwarding class. If a default class is not configured, the default class has no QoS functionality. These packets are then placed into a FIFO queue and forwarded at a rate determined by the available underlying bandwidth. This FIFO queue is managed by tail drop, a means of avoiding congestion that treats all traffic equally and does not differentiate between classes of service. When the output queue is full and tail drop is in effect, packets are dropped until the congestion is eliminated and the queue is no longer full. The following example configures a default class called policy1.

policy-map policy1
 class class-default
  fair-queue 10
  queue-limit 20

The default class shown above has these characteristics: 10 queues for traffic that does not meet the match criteria of other classes whose policy is defined by policy1, and a maximum of 20 packets per queue before tail drop is enacted to handle additional queued packets.

Severity: CAT II
Rule ID: SV-20061r2_rule
STIG ID: NET-SRVFRM-003
Controls: ECSC-1
Responsibility: Information Assurance Officer
5.99.4 Fix

When management traffic must traverse several nodes to reach the management network, ensure that all core routers within the managed network have been configured to provide preferred treatment for management traffic.
5.100 V-18522 - ACLs must restrict access to server VLANs.

5.100.1 Summary

Server VLAN interfaces must be protected by restrictive ACLs using a deny-by-default security posture. Table 419 provides a summary result of the findings.

Table 419: ACLs must restrict access to server VLANs. - Summary result

Device       Type          Status
router03     Cisco Router
CiscoIOS15   Cisco Router

5.100.2 Description

Protecting data sitting in a server VLAN is necessary and can be accomplished using access control lists on VLANs provisioned for servers. Without proper access control of traffic entering or leaving the server VLAN, potential threats such as a denial of service, data corruption, or theft could occur, resulting in the inability to complete mission requirements by authorized users.

5.100.3 Check

Review the device configuration to validate an ACL with a deny-by-default security posture has been implemented on the server VLAN interface.

5.100.4 Fix

Configure an ACL to protect the server VLAN interface. The ACL must be in a deny-by-default security posture.
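Sections 5.94 (ingress and egress ACLs on a routed management interface), 5.96 (inbound ACL on the management sub-interface) and 5.100 (deny-by-default ACL on the server VLAN) all reduce to the same question: is an ACL bound in the required direction, and does the bound ACL actually end in a deny? The Python below is an added example, not code from the report or the STIG. It parses interface blocks of a constructed IOS configuration, looks up the ACL bound in each required direction, and grades it as deny-by-default, open (a trailing permit ip any any defeats the implicit deny), missing (the access-group names an ACL that is never defined; IOS passes all traffic in that case), or no ACL bound. The interface names, ACL numbers and entries are sample values; which interfaces need which directions is passed in by the caller.

```python
import re

# Constructed sample (not the audited devices' config): the management
# sub-interface is compliant, the server SVI binds an ACL ending in a
# catch-all permit, the routed management interface references an egress
# ACL that is never defined, and a second server SVI has no ACL at all.
SAMPLE_CONFIG = """\
interface GigabitEthernet3.10
 encapsulation dot1q 10
 description Management VLAN
 ip address 10.1.1.1 255.255.255.0
 ip access-group 108 in
interface Vlan200
 description Server VLAN
 ip address 10.20.0.1 255.255.255.0
 ip access-group SERVER-IN in
interface Vlan300
 description Server VLAN 2
 ip address 10.30.0.1 255.255.255.0
interface FastEthernet0/0
 description Enclave_Management_LAN
 ip address 10.1.1.22 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
!
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq 22
access-list 100 deny ip any any
access-list 108 permit ip 10.1.1.0 0.0.0.255 any
access-list 108 deny ip any any log
ip access-list extended SERVER-IN
 permit tcp any 10.20.0.0 0.0.0.255 eq 443
 permit ip any any
"""

# Which interfaces must carry an ACL, and in which directions (sample policy).
REQUIRED = {
    "GigabitEthernet3.10": ("in",),          # 5.96: mgmt sub-interface, inbound
    "Vlan200": ("in",),                      # 5.100: server VLAN
    "Vlan300": ("in",),                      # 5.100: server VLAN
    "FastEthernet0/0": ("in", "out"),        # 5.94: routed mgmt interface, both
}


def interface_blocks(config):
    """Split a config into {interface name: [sub-command lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def acl_entries(config, name):
    """Entries of a numbered or named ACL, or None if the ACL is not defined."""
    numbered = [l.split(None, 2)[2] for l in config.splitlines()
                if re.match(rf"^access-list {re.escape(name)} ", l)]
    if numbered:
        return numbered
    named, inside = [], False
    for line in config.splitlines():
        if re.match(rf"^ip access-list (standard|extended) {re.escape(name)}$", line):
            inside = True
            continue
        if inside and line.startswith(" "):
            named.append(line.strip())
        else:
            inside = False
    return named or None


def acl_posture(entries):
    """'missing', 'open' (ends with a catch-all permit) or 'deny-by-default'."""
    if entries is None:
        return "missing"        # IOS permits everything when a bound ACL is undefined
    rules = [e for e in entries if not e.startswith("remark")]
    if rules and re.match(r"^permit ip any any", rules[-1]):
        return "open"
    return "deny-by-default"


def audit_interface_acls(config, required):
    """Return [(interface, direction, verdict)] for every required binding."""
    blocks = interface_blocks(config)
    results = []
    for iface, directions in required.items():
        bound = {}
        for sub in blocks.get(iface, []):
            m = re.match(r"^ip access-group (\S+) (in|out)$", sub)
            if m:
                bound[m.group(2)] = m.group(1)
        for direction in directions:
            if direction not in bound:
                results.append((iface, direction, "no ACL bound"))
            else:
                results.append((iface, direction, acl_posture(acl_entries(config, bound[direction]))))
    return results


if __name__ == "__main__":
    for row in audit_interface_acls(SAMPLE_CONFIG, REQUIRED):
        print(*row, sep="  ")
```

The "missing" verdict is the one worth watching for in a real audit: a typo in an access-group number leaves an interface that looks protected in the configuration but is not.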
5.101 V-18790 - NET-TUNL-012

5.101.1 Summary

Default routes must not be directed to the tunnel entry point. Table 420 provides a summary result of the findings.

Table 420: NET-TUNL-012 - Summary result

Device       Type          Status
router03     Cisco Router
CiscoIOS15   Cisco Router

Severity: CAT II
Rule ID: SV-20504r2_rule
STIG ID: NET-TUNL-012
Controls: ECSC-1
Responsibility: Information Assurance Officer

Severity: CAT II
Rule ID: SV-21167r2_rule
STIG ID: NET0966
Controls:
Responsibility: System Administrator
5.101.2 Description

Routing in the network containing the tunnel entry point must be configured to direct the intended traffic into the tunnel. Depending on the router products used, this may be done by creating routes to a tunnel by name, by address, or by interface. If multiple tunnels or IPv6 interfaces are defined, you must be selective with static routes, policy based routing, or even let the interior gateway protocol (IGP) make the decision, since an IPv4 or IPv6 address has been configured on the tunnel. The key is that the administrator should carefully plan and configure, or let the IGP determine, what goes into each tunnel.

5.101.3 Check

Identify the tunnel endpoints, then review all routing devices to ensure the tunnel entry point is not used as a default route. Traffic destined to the tunnel should be directed to the tunnel endpoint by static routes, policy based routing, or by the mechanics of the interior routing protocol, but not by default route statements.

5.101.4 Fix

The SA must carefully plan and configure, or let the IGP determine, what goes into each tunnel.
5.102 V-19188 - Control plane protection is not enabled.

5.102.1 Summary

The router must have control plane protection enabled. Table 421 provides a summary result of the findings.

Table 421: Control plane protection is not enabled. - Summary result

Device       Type          Status
router03     Cisco Router
CiscoIOS15   Cisco Router

5.102.2 Description

The Route Processor (RP) is critical to all network operations as it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Hence, any disruption to the RP or the control and management planes can result in mission critical network outages. In addition to control plane and management plane traffic that is in the router's receive path, the RP must also handle other traffic that must be punted to the RP, that is, the traffic must be fast or process switched. This is the result of packets that must be fragmented, require an ICMP response (TTL expiration, unreachable, etc.), have IP options, etc. A DoS attack targeting the RP can be perpetrated either inadvertently or maliciously, involving high rates of punted traffic resulting in excessive RP CPU and memory utilization. To maintain network stability, the router must be able to securely handle specific control plane and management plane traffic that is destined to it, as well as other punted traffic. Using the ingress filter on forwarding interfaces is a method that has been used in the past to filter both forwarding path and receiving path traffic. However, this method does not scale well as the number of interfaces grows and the size of the ingress filters grows. Control plane policing can be used to increase security of routers and multilayer switches by protecting the RP from unnecessary or malicious traffic. Filtering and rate limiting the traffic flow of control plane packets can be implemented to protect routers against reconnaissance and DoS attacks, allowing the control plane to maintain packet forwarding and protocol states despite an attack or heavy load on the router or multilayer switch.
5.102.3 Check

Control Plane Policing (CoPP)

If supported by the router, CoPP should be used to increase security on Cisco routers by protecting the RP from unnecessary and malicious traffic. CoPP allows network operators to classify traffic based on importance, which then enables the router to filter and rate limit the traffic according to the defined policy for each class.

Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration:

class-map match-all CoPP_CRITICAL
 match access-group name CoPP_CRITICAL
class-map match-any CoPP_IMPORTANT
 match access-group name CoPP_IMPORTANT
 match protocol arp
class-map match-all CoPP_NORMAL
 match access-group name CoPP_NORMAL
class-map match-any CoPP_UNDESIRABLE
 match access-group name CoPP_UNDESIRABLE
class-map match-all CoPP_DEFAULT
 match access-group name CoPP_DEFAULT

Step 2: Review the ACLs referenced by the match access-group commands to determine if the traffic is being classified appropriately. The following is an example configuration:

ip access-list extended CoPP_CRITICAL
 remark our control plane adjacencies are critical
 permit ospf host [OSPF neighbor A] any
 permit ospf host [OSPF neighbor B] any
 permit pim host [PIM neighbor A] any
 permit pim host [PIM neighbor B] any
 permit pim host [RP addr] any
 permit igmp any 224.0.0.0 15.255.255.255
 permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
 permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
 deny ip any any
ip access-list extended CoPP_IMPORTANT
 permit tcp host [TACACS server] eq tacacs any
 permit tcp [management subnet] 0.0.0.255 any eq 22
 permit udp host [SNMP manager] any eq snmp
 permit udp host [NTP server] eq ntp any
 deny ip any any
ip access-list extended CoPP_NORMAL
 remark we will want to rate limit ICMP traffic
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip any any
ip access-list extended CoPP_UNDESIRABLE
 remark other management plane traffic that should not be received
 permit udp any any eq ntp
 permit udp any any eq snmptrap
 permit tcp any any eq 22
 permit tcp any any eq 23
 remark other control plane traffic not configured on router
 permit eigrp any any
 permit udp any any eq rip
 deny ip any any
ip access-list extended CoPP_DEFAULT
 permit ip any any
Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command.

Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. The following is an example configuration:

policy-map CONTROL_PLANE_POLICY
 class CoPP_CRITICAL
  police 512000 8000 conform-action transmit exceed-action transmit
 class CoPP_IMPORTANT
  police 256000 4000 conform-action transmit exceed-action drop
 class CoPP_NORMAL
  police 128000 2000 conform-action transmit exceed-action drop
 class CoPP_UNDESIRABLE
  police 8000 1000 conform-action drop exceed-action drop
 class cp-default-in
  police 64000 1000 conform-action transmit exceed-action drop

Severity: CAT III
Rule ID: SV-21169r1_rule
STIG ID: NET-MCAST-010
Controls:
Responsibility: System Administrator

Step 4: Verify that the CoPP policy is enabled. The following is an example configuration:

control-plane
 service-policy input CONTROL_PLANE_POLICY
Note: Starting with IOS release 12.4(4)T, Control Plane Protection (CPPr) can be used to filter as well as police control plane traffic destined to the RP. CPPr is very similar to CoPP and has the ability to filter and police traffic using finer granularity by dividing the aggregate control plane into three separate categories: (1) host, (2) transit, and (3) CEF-exception. Hence, a separate policy-map could be configured for each traffic category.

If CoPP is not supported, then the alternative would be the implementation of a receive path filter.

Step 1: A receive path ACL or an inbound ACL on each interface must be configured to restrict traffic destined to the router. The IOS IP Receive ACL feature provides filtering capability explicitly for traffic that is destined for the router. Verify that the global ip receive acl statement has been configured as shown in the following example:

ip receive acl 199

Note: If the platform does not support the ip receive path acl feature, an inbound ACL on each interface must be configured.

Step 2: Verify that the ACL referenced by the ip receive acl statement restricts all control plane and management plane traffic. The ACL configuration should look similar to the following:

access-list 199 deny ip any any fragments
access-list 199 remark allow specific management plane traffic
access-list 199 permit tcp [management subnet] 0.0.0.255 any eq 22
access-list 199 permit udp host [SNMP manager] any eq snmp
access-list 199 permit tcp host [TACACS server] eq tacacs any
access-list 199 permit udp host [NTP server] eq ntp any
access-list 199 permit icmp [management subnet] 0.0.0.255 any
access-list 199 remark allow specific control plane traffic
access-list 199 permit ospf host [OSPF neighbor A] any
access-list 199 permit ospf host [OSPF neighbor B] any
access-list 199 permit pim host [PIM neighbor A] any
access-list 199 permit pim host [PIM neighbor B] any
access-list 199 permit pim host [RP addr] any
access-list 199 permit igmp any 224.0.0.0 15.255.255.255
access-list 199 permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
access-list 199 permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
access-list 199 remark all other traffic destined to the device is dropped
access-list 199 deny ip any any

Note: If the Management Plane Protection (MPP) feature is enabled for an OOBM interface, there would be no purpose in filtering this traffic on the receive path. With MPP enabled, no interfaces except the management interface will accept network management traffic destined to the device. This feature also provides the capability to restrict which management protocols are allowed. See NET0992 for additional configuration information.
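The QoS checks in 5.98 and 5.99 and the CoPP check above all hinge on the same two structures: policy-map class bodies and the service-policy lines that bind a policy to an interface or to the control plane. The Python below is an added example that serves all three sections (it is not code from the report or the STIG). One parser extracts both structures from a constructed configuration; three small checks then ask the questions the STIG asks: does the management class set DSCP 48 and is that policy applied inbound (5.98), does the network-control class get reserved bandwidth or LLQ and is that policy applied outbound (5.99), and is a policy bound to the control plane with every class in it policed (5.102). Policy, class and interface names follow the examples on this page; the sample configuration is constructed and trimmed to what the checks need.

```python
import re

# Constructed sample (not the audited devices' config) combining a
# distribution-layer marking policy, a core queuing policy and a CoPP policy.
SAMPLE_CONFIG = """\
class-map match-all MANAGEMENT-TRAFFIC
 match access-group name CLASSIFY-MANAGEMENT-TRAFFIC
class-map match-all network-control
 match ip dscp 48
class-map match-all CoPP_UNDESIRABLE
 match access-group name CoPP_UNDESIRABLE
!
policy-map DIST-LAYER-POLICY
 class MANAGEMENT-TRAFFIC
  set ip dscp 48
policy-map QoS-Policy
 class network-control
  bandwidth percent 5
  random-detect dscp-based
 class class-default
  fair-queue
policy-map CONTROL_PLANE_POLICY
 class CoPP_UNDESIRABLE
  police 8000 1000 conform-action drop exceed-action drop
 class class-default
  police 64000 1000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 service-policy input DIST-LAYER-POLICY
interface FastEthernet0/2
 ip address 192.168.13.1 255.255.255.0
 service-policy output QoS-Policy
!
control-plane
 service-policy input CONTROL_PLANE_POLICY
"""


def policy_map_classes(config, name):
    """Return {class name: [action lines]} for policy-map <name>."""
    classes, current, inside = {}, None, False
    for line in config.splitlines():
        if line == f"policy-map {name}":
            inside = True
            continue
        if inside and not line.startswith(" "):
            inside = False
        if not inside:
            continue
        m = re.match(r"^ class (\S+)$", line)
        if m:
            current = m.group(1)
            classes[current] = []
        elif current and line.startswith("  "):
            classes[current].append(line.strip())
    return classes


def service_policies(config):
    """Return {(scope, direction): policy}; scope is an interface name or 'control-plane'."""
    bindings, scope = {}, None
    for line in config.splitlines():
        m = re.match(r"^(interface \S+|control-plane)$", line)
        if m:
            scope = m.group(1).replace("interface ", "")
            continue
        m = re.match(r"^\s+service-policy (input|output) (\S+)", line)
        if m and scope:
            bindings[(scope, m.group(1))] = m.group(2)
        elif not line.startswith(" "):
            scope = None
    return bindings


def check_marking(config, policy, mgmt_class, dscp=48):
    """5.98: the management class sets the expected DSCP and the policy is applied inbound."""
    actions = policy_map_classes(config, policy).get(mgmt_class, [])
    marks = f"set ip dscp {dscp}" in actions or f"set dscp {dscp}" in actions
    applied = any(p == policy and d == "input" for (_, d), p in service_policies(config).items())
    return marks and applied


def check_core_treatment(config, policy, control_class):
    """5.99: the control class has reserved bandwidth (or LLQ) and the policy is applied outbound."""
    actions = policy_map_classes(config, policy).get(control_class, [])
    reserved = any(a.startswith(("bandwidth", "priority")) for a in actions)
    applied = any(p == policy and d == "output" for (_, d), p in service_policies(config).items())
    return reserved and applied


def check_copp(config):
    """5.102: (bound, {class: (rate_bps, conform, exceed) or None}); a None entry is a
    class in the control-plane policy with no police statement, i.e. unrestricted."""
    policy = service_policies(config).get(("control-plane", "input"))
    if not policy:
        return False, {}
    rates = {}
    for cls, actions in policy_map_classes(config, policy).items():
        police = [a for a in actions if a.startswith("police ")]
        m = police and re.match(r"police (\d+) \d+ conform-action (\S+) exceed-action (\S+)", police[0])
        rates[cls] = (int(m.group(1)), m.group(2), m.group(3)) if m else None
    return True, rates


if __name__ == "__main__":
    print(check_marking(SAMPLE_CONFIG, "DIST-LAYER-POLICY", "MANAGEMENT-TRAFFIC"))
    print(check_core_treatment(SAMPLE_CONFIG, "QoS-Policy", "network-control"))
    print(check_copp(SAMPLE_CONFIG))
```

The CoPP check reports the policed rate per class rather than a bare pass/fail so the reviewer can judge Step 3 (whether each class is policed appropriately) against the site's own thresholds.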
5.102.4 Fix

Implement control plane protection by classifying traffic types based on importance levels and configuring filters to restrict and rate limit the traffic punted to the route processor according to each class.
5.103 V-19189 - No Admin-local or Site-local boundary

5.103.1 Summary

The administrator must ensure that multicast routers are configured to establish boundaries for Admin-local or Site-local scope multicast traffic. Table 422 provides a summary result of the findings.

Table 422: No Admin-local or Site-local boundary - Summary result

Device       Type          Status
router03     Cisco Router
CiscoIOS15   Cisco Router

5.103.2 Description

A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap, while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective", that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands. As stated in the DoD IPv6 IA Guidance for MO3, "One should be able to identify all interfaces of a zone by drawing a closed loop on their network diagram, engulfing some routers and passing through some routers to include only some of their interfaces." Administrative scoped multicast addresses are locally assigned and are to be used exclusively by the enterprise network or enclave. Hence, administrative scoped multicast traffic must not cross the perimeter of the enclave in either direction. Admin-local scope could be used to contain multicast traffic to a portion of an enclave or within a site. This can make it more difficult for a malicious user to access sensitive traffic if the traffic is restricted to links that the user does not have access to. Admin-local scope is encouraged for any multicast traffic within a network that is intended for network management as well as control plane traffic that must reach beyond link-local destinations.
5.103.3 Check

An administratively scoped IP multicast region is defined to be a topological region in which there are one or more boundary routers with common boundary definitions. Such a router is said to be a boundary for multicast scoped addresses in the range defined in its configuration. In order to support administratively scoped multicast, a multicast boundary router will drop multicast traffic matching an interface's boundary definition in either direction. The IPv4 administrative scoped multicast address space is 239/8, which is divided into two scope levels: the Local Scope and the Organization Local Scope. The Local Scope range is 239.255.0.0/16 and can expand into the reserved ranges 239.254.0.0/16 and 239.253.0.0/16 if 239.255.0.0/16 is exhausted. The IPv4 Organization Local Scope, 239.192.0.0/14, is the space from which an organization should allocate sub-ranges when defining scopes for private use. This scope can be expanded to 239.128.0.0/10, 239.64.0.0/10, and 239.0.0.0/10 if necessary. The scope of IPv6 multicast packets is determined by the scope value, where 4 (ffx4::/16) is Admin-local, 5 (ffx5::/16) is Site-local, and 8 (ffx8::/16) is Organization-local.

Review the multicast topology to determine any documented Admin-local (scope=4) or Site-local (scope=5) multicast boundaries for IPv6 traffic or any Local-scope (address block 239.255.0.0/16) boundary for IPv4 traffic. Verify that appropriate boundaries are configured on the applicable multicast-enabled interfaces.

IPv4: The following example will establish a multicast boundary on the interface to ensure that Local-scope traffic is not allowed into or out of the administratively scoped IPv4 multicast region:

ip multicast-routing
!
interface FastEthernet0/1
 description Boundary for multicast region A
 ip address 198.18.0.1 255.255.255.0
 ip pim sparse-mode
 ip multicast boundary MCAST_ADMIN_SCOPED_BOUNDARY
!
ip access-list standard MCAST_ADMIN_SCOPED_BOUNDARY
 deny 239.255.0.0 0.255.255.255
 permit 224.0.0.0 15.255.255.255
!

Note: The filter used by the multicast boundary command will affect multicast traffic outside of the administratively scoped IPv4 multicast space. If Organization Local Scope traffic must cross this site boundary, include the necessary permit statement for this address range (239.192.0.0 255.252.0.0). To allow global multicast traffic to pass by this boundary, ensure that the filter will permit the global address space (224.0.1.0 - 238.255.255.255) if the enclave has deployed inter-domain multicast routing.

IPv6: The following example will establish a multicast boundary on the interface to ensure that Site-local scope traffic is not allowed into or out of the administratively scoped IPv6 multicast region:

ipv6 multicast-routing
!
interface FastEthernet0/1
 description link to Site A
 ipv6 address 2001:1:0:146::/64 eui-64
 ipv6 multicast boundary scope 5

Note: Filtering the scope value of 5 will ensure that any multicast traffic received by the interface in either direction with a scope equal to or less than 5 (Site-local) will be dropped. Hence, all Site-local and Admin-local traffic will be dropped while allowing Organization-local (scope=8) and global multicast traffic (scope=14) to be forwarded for an inter-site as well as inter-domain multicast routing deployment.
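The two notes above (the IPv4 filter also catches Organization Local Scope groups, and the IPv6 scope boundary drops everything at or below the configured scope) are easy to get wrong by eye, so a small evaluator helps. The Python below is an added example, not code from the report or the STIG: it parses a standard ACL in the form of the IPv4 example (wildcard masks converted with the ipaddress module), evaluates a group address against it with first-match semantics and the implicit deny, and extracts the scope nibble of an IPv6 group to apply the scope-N rule the IPv6 note describes. The ACL text is constructed to match the example; the group addresses used in the checks are sample values.

```python
import ipaddress
import re

# Constructed boundary ACL, in the form of the IPv4 example above.
BOUNDARY_ACL = """\
ip access-list standard MCAST_ADMIN_SCOPED_BOUNDARY
 deny 239.255.0.0 0.255.255.255
 permit 224.0.0.0 15.255.255.255
"""

# Same ACL with the Organization Local Scope permit the note calls for, placed
# ahead of the deny so that first-match evaluation reaches it.
BOUNDARY_ACL_WITH_ORG_LOCAL = BOUNDARY_ACL.replace(
    " deny 239.255.0.0", " permit 239.192.0.0 0.3.255.255\n deny 239.255.0.0")


def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask -> IPv4Network (all-zero wildcard means a single host)."""
    if wildcard == "0.0.0.0":
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def parse_standard_acl(text, name):
    """Return [(action, IPv4Network)] in order for the named standard ACL."""
    entries, inside = [], False
    for line in text.splitlines():
        if line == f"ip access-list standard {name}":
            inside = True
            continue
        if inside and line.startswith(" "):
            m = re.match(r"^\s+(permit|deny) (\S+)(?: (\S+))?$", line)
            if not m:
                continue
            addr, wild = m.group(2), m.group(3) or "0.0.0.0"
            net = ipaddress.ip_network("0.0.0.0/0") if addr == "any" else wildcard_to_network(addr, wild)
            entries.append((m.group(1), net))
        else:
            inside = False
    return entries


def boundary_verdict(entries, group):
    """First matching entry decides; a boundary ACL, like any ACL, ends in an implicit deny."""
    g = ipaddress.ip_address(group)
    for action, net in entries:
        if g in net:
            return action
    return "deny"


def ipv6_scope(group):
    """Scope nibble of an IPv6 multicast address (ff0S::/16 -> S)."""
    a = ipaddress.IPv6Address(group)
    if not a.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    return (int(a) >> 112) & 0xF


def ipv6_boundary_verdict(boundary_scope, group):
    """'ipv6 multicast boundary scope N' drops traffic with scope <= N."""
    return "deny" if ipv6_scope(group) <= boundary_scope else "permit"


if __name__ == "__main__":
    entries = parse_standard_acl(BOUNDARY_ACL, "MCAST_ADMIN_SCOPED_BOUNDARY")
    for group in ("239.255.1.1", "239.192.1.1", "233.1.1.1"):
        print(group, boundary_verdict(entries, group))
    for group in ("ff04::1", "ff05::101", "ff08::1", "ff0e::1"):
        print(group, ipv6_boundary_verdict(5, group))
```

Running it shows why the note matters: the wildcard 0.255.255.255 makes the deny cover all of 239/8, so 239.192.1.1 is dropped by the example ACL and passes only once the Organization Local Scope permit is added.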
Severity: CAT III
Rule ID: SV-41497r1_rule
STIG ID: NET0812
Controls:
Responsibility: Information Assurance Officer

5.103.4 Fix

The Local Scope range is 239.255.0.0/16 and can expand into the reserved ranges 239.254.0.0/16 and 239.253.0.0/16 if 239.255.0.0/16 is exhausted. The scope of IPv6 multicast packets is determined by the scope value, where 4 is Admin-local and 5 is Site-local. Configure the necessary boundary to ensure packets addressed to these administratively scoped multicast addresses do not cross the applicable administrative boundaries.
5.104 V-23747 - Two NTP servers are not used to synchronize time.

5.104.1 Summary

The network element must use two or more NTP servers to synchronize time. Table 423 provides a summary result of the findings.

Table 423: Two NTP servers are not used to synchronize time. - Summary result

Device       Type          Status
router03     Cisco Router
CiscoIOS15   Cisco Router

5.104.2 Description

Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If you cannot successfully compare logs between each of your routers, switches, and firewalls, it will be very difficult to determine the exact events that resulted in a network breach incident. NTP provides an efficient and scalable method for network elements to synchronize to an accurate time source.

5.104.3 Check

Review the router or switch configuration and verify that two NTP servers have been defined to synchronize time, similar to the following example:

ntp update-calendar
ntp server 129.237.32.6
ntp server 129.237.32.7

Some platforms have a battery-powered hardware clock, referred to in the command-line interface (CLI) as the "calendar," in addition to the software based system clock. The hardware clock runs continuously, even if the router is powered off or rebooted. If the software clock is synchronized to an outside time source via NTP, it is a good practice to periodically update the hardware clock with the time learned from NTP. Otherwise, the hardware clock will tend to gradually lose or gain time (drift) and the software clock and hardware clock may become out of synchronization with each other. The ntp update-calendar command will enable the hardware clock to be periodically updated with the time specified by the NTP source. The hardware clock will be updated only if NTP has synchronized to an authoritative time server. To force a single update of the hardware clock from the software clock, use the clock update-calendar command in user EXEC mode.

Note: Lower end router models (i.e., 2500 series) and access switches (i.e. 2950, 2970, etc.) do not have hardware clocks, so this command is not available on those platforms.

Any NTP-enabled device that receives and accepts time from a stratum-n server can become a stratum-n+1 server. However, an NTP-enabled device will not accept time updates from an NTP server at a higher stratum, thereby enforcing a tree-level hierarchy of client-server relationships and preventing time synchronization loops. To increase availability, NTP peering can be used between NTP servers. Hence the following example configuration could be used to provide the necessary redundancy:

ntp update-calendar
ntp server 129.237.32.6
ntp peer 129.237.32.7

An alternative to querying an NTP server for time is to receive NTP updates via a server that is broadcasting or multicasting the time update messages. The following interface command would be configured to receive an NTP broadcast message:

ntp broadcast client

The above command must be configured on two interfaces, or there must be two NTP servers on the same LAN segment broadcasting NTP messages. The following interface command would be configured to receive an NTP multicast message:

ntp multicast client 239.x.x.x

For multicast, two different administratively scoped multicast groups can be used, one for each NTP server. In addition, the router or MLS must also have ip pim dense-mode configured on the interface as well as global ip multicast-routing.
5.104.4 Fix

Configure the device to use two separate NTP servers.

Severity: CAT II
Rule ID: SV-38003r2_rule
STIG ID: NET0405
Controls:
Responsibility: Information Assurance Officer

Severity: CAT II
Rule ID: SV-40312r1_rule
STIG ID: NET-MCAST-001
Controls:
Responsibility: System Administrator
5.105 V-28784 - Call home service is disabled.

5.105.1 Summary

A service or feature that calls home to the vendor must be disabled. Table 424 provides a summary result of the findings.

Table 424: Call home service is disabled. - Summary result

Device       Type          Status
router03     Cisco Router
CiscoIOS15   Cisco Router

5.105.2 Description

Call home services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. The risk is that transmission of sensitive data to unauthorized persons could result in data loss or downtime due to an attack.
5.105.3 Findings

Table 425 details the call home service status.

Table 425: STIG NET0405 - Call Home Service Status

Device       Call Home Service
router03     Disabled
CiscoIOS15   Disabled

5.105.4 Check

Verify the call home service or feature is disabled on the device. On a Cisco product, you will not see the call-home service in the running config unless it is enabled.

5.105.5 Fix

Configure the network device to disable the call home service or feature. The command below will disable the call-home service on a Cisco device. Example:

hostname(config)# no service call-home
5.106 V-30577 - PIM enabled on wrong interfaces

5.106.1 Summary

The administrator must ensure that Protocol Independent Multicast (PIM) is disabled on all interfaces that are not required to support multicast routing. Table 426 provides a summary result of the findings.

Table 426: PIM enabled on wrong interfaces - Summary result

Device       Type          Status
router03     Cisco Router
CiscoIOS15   Cisco Router

5.106.2 Description

A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap, while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective", that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands. As stated in the DoD IPv6 IA Guidance for MO3, "One should be able to identify all interfaces of a zone by drawing a closed loop on their network diagram, engulfing some routers and passing through some routers to include only some of their interfaces." Hence, it is imperative that the network has documented its multicast topology and thereby knows which interfaces are enabled for multicast. Once this is done, the zones can be scoped as required.

Severity: CAT II
Rule ID: SV-40315r1_rule
STIG ID: NET-MCAST-002
Controls:
Responsibility: Information Assurance Officer
5.106.3Check
IfIPv4orIPv6multicastroutingisenabled,ensurethatallinterfacesenabledforPIMisdocumentedinthenetwork’smulticasttopologydiagram.Reviewtherouterormulti-layerswitchconfigurationtodetermineifmulticastroutingisenabledandwhatinterfacesareenabledforPIM.Step1:Determineifmulticastroutingisenabled.Bydefault,multicastisdisabledglobally.ThefollowingglobalconfigurationcommandswillenableIPv4andIPv6multicastrouting:ipmulticast-routingipv6multicast-routingStep2:PIMisenabledonaninterfacewitheitherofthefollowingcommands:ippimsparse-mode,ippimdense-mode,ippimsparse-dense-mode.ReviewallinterfaceconfigurationsandverifythatonlytherequiredinterfacesareenabledforPIMasdocumentedinthenetworktopologydiagram.WithIPv4,PIMisdisabledbydefaultonallinterfaces.FollowingisanexampleofaninterfacewithPIMenabled.interfaceFastEthernet0/0ipaddress192.168.1.1255.255.255.0ippimsparse-modeYoucanalsoverifywhatIPv4interfacesareenabledforPIMwiththeshowippiminterfacecommand.WithIPv6,PIMisenabledbydefaultonallIPv6-enabledinterfacesifIPv6multicastroutingisenabledontherouterviatheglobalipv6multicast-routingcommand.AninterfacecanbedisabledforPIMusingthenoipv6piminterfacecommand.interfaceFastEthernet0/1ipv6address2001:1:0:146::/64eui-64noipv6pimYoucanalsoverifywhatipv6interfacesareenabledforPIMwiththeshowipv6piminterfacecommand.
5.106.4Fix
IfIPv4orIPv6multicastroutingisenabled,ensurethatallinterfacesenabledforPIMisdocumentedinthenetwork’smulticasttopologydiagram.EnablePIMonlyontheapplicableinterfacesaccordingtothemulticasttopologydiagram.
Gotothereportcontentsorthestartofthissection.
5.107 V-30578 - PIM neighbor filter is not configured
5.107.1 Summary
The administrator must ensure that a PIM neighbor filter is bound to all interfaces that have PIM enabled. Table 427 provides a summary result of the findings.

Table 427: PIM neighbor filter is not configured - Summary result
Device       Type          Status
router03     Cisco Router  Manual inspection
CiscoIOS15   Cisco Router  Manual inspection

5.107.2 Description
Protocol Independent Multicast (PIM) is a routing protocol used to build multicast distribution trees for forwarding multicast traffic across the network infrastructure. PIM traffic must be limited to only known PIM neighbors by configuring and binding a PIM neighbor filter to those interfaces that have PIM enabled.

5.107.3 Check
Review the router or multi-layer switch to determine if either IPv4 or IPv6 multicast routing is enabled. If either is enabled, verify that all interfaces enabled for PIM have a neighbor filter that only accepts PIM control plane traffic from the documented routers according to the multicast topology diagram.

IPv4
Step 1: Verify that an ACL is configured that specifies the allowable PIM neighbors, similar to the following example:

    ip access-list standard PIM_NEIGHBORS
     permit 192.0.2.1
     permit 192.0.2.3
     deny any log

Step 2: Verify that a pim neighbor-filter command referencing the PIM neighbor ACL is configured on all PIM-enabled interfaces, similar to the following example:

    interface FastEthernet0/3
     ip address 192.0.2.2 255.255.255.0
     ip pim sparse-mode
     ip pim neighbor-filter PIM_NEIGHBORS

IPv6
Step 1: Verify that an ACL is configured that specifies the allowable PIM neighbors, similar to the following example:

    ipv6 access-list PIM_NEIGHBORS
     permit host FE80::1 any
     permit host FE80::3 any
     deny any any log

Note: IPv6 PIM adjacencies are created using the routers' unicast link-local addresses.

Step 2: Verify that the pim neighbor-filter global command is configured:

    ipv6 pim neighbor-filter list PIM_NEIGHBORS

5.107.4 Fix
If IPv4 or IPv6 multicast routing is enabled, ensure that all interfaces enabled for PIM have a neighbor filter that only accepts PIM control plane traffic from the documented routers according to the multicast topology diagram.

STIG details for 5.108 (V-30585): Severity CAT III; Rule ID SV-40326r1_rule; STIG ID NET-MCAST-020; Responsibility: Information Assurance Officer.
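The two PIM checks above (5.106, PIM only on documented interfaces; 5.107, a neighbor filter on every PIM-enabled interface) can be run mechanically against a saved running-config. The following Python script is an added example, not code from the Nipper Studio report or from the STIG. It applies the IOS defaults described in the checks: IPv4 PIM is on only where an ip pim mode command is present, IPv6 PIM is on for every IPv6-enabled interface once ipv6 multicast-routing is configured unless no ipv6 pim is set, the IPv4 filter is per interface and the IPv6 filter is the global ipv6 pim neighbor-filter list. The running-config and the set of interfaces assumed to be in the multicast topology diagram are constructed for illustration.

```python
"""Added example: audit PIM interface scope (V-30577) and PIM neighbor
filters (V-30578) in a Cisco IOS running-config. The configuration and the
documented interface list below are constructed for illustration only."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    ipv4_pim: bool = False           # an 'ip pim ...-mode' command is present
    ipv4_filter: str | None = None   # ACL named by 'ip pim neighbor-filter'
    ipv6_enabled: bool = False       # 'ipv6 address' or 'ipv6 enable'
    ipv6_pim_disabled: bool = False  # 'no ipv6 pim'


def parse_interfaces(config: str) -> list[Interface]:
    """Collect the PIM-relevant sub-commands of every interface stanza."""
    interfaces: list[Interface] = []
    current: Interface | None = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = Interface(m.group(1))
            interfaces.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or a global command ends the stanza
            continue
        cmd = line.strip()
        if re.fullmatch(r"ip pim (sparse|dense|sparse-dense)-mode", cmd):
            current.ipv4_pim = True
        elif cmd.startswith("ip pim neighbor-filter "):
            current.ipv4_filter = cmd.split()[-1]
        elif cmd.startswith("ipv6 address ") or cmd == "ipv6 enable":
            current.ipv6_enabled = True
        elif cmd == "no ipv6 pim":
            current.ipv6_pim_disabled = True
    return interfaces


def audit_pim(config: str, documented: set[str]) -> dict[str, list[str]]:
    """Return findings keyed by STIG vulnerability ID."""
    findings: dict[str, list[str]] = {"V-30577": [], "V-30578": []}
    lines = config.splitlines()
    ipv4_mcast = "ip multicast-routing" in lines
    ipv6_mcast = "ipv6 multicast-routing" in lines
    if not (ipv4_mcast or ipv6_mcast):
        return findings  # multicast routing off: both checks are not applicable
    ipv6_filter = re.search(r"^ipv6 pim neighbor-filter list \S+$", config, re.M)
    for intf in parse_interfaces(config):
        pim4 = ipv4_mcast and intf.ipv4_pim
        # IPv6 PIM is on by default on every IPv6-enabled interface once
        # 'ipv6 multicast-routing' is configured, unless 'no ipv6 pim' is set.
        pim6 = ipv6_mcast and intf.ipv6_enabled and not intf.ipv6_pim_disabled
        if (pim4 or pim6) and intf.name not in documented:
            findings["V-30577"].append(
                f"{intf.name}: PIM enabled but not in the multicast topology diagram")
        if pim4 and intf.ipv4_filter is None:
            findings["V-30578"].append(
                f"{intf.name}: IPv4 PIM without 'ip pim neighbor-filter'")
        if pim6 and ipv6_filter is None:
            findings["V-30578"].append(
                f"{intf.name}: IPv6 PIM without global 'ipv6 pim neighbor-filter list'")
    return findings


# Constructed running-config (not one of the audited devices).
SAMPLE_CONFIG = """\
ip multicast-routing
ipv6 multicast-routing
!
ip access-list standard PIM_NEIGHBORS
 permit 192.0.2.1
 permit 192.0.2.3
 deny   any log
!
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 ip pim sparse-mode
 ip pim neighbor-filter PIM_NEIGHBORS
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip pim sparse-dense-mode
!
interface FastEthernet0/2
 ipv6 address 2001:db8:0:146::/64 eui-64
!
interface FastEthernet0/3
 ipv6 address 2001:db8:0:147::/64 eui-64
 no ipv6 pim
!
ipv6 pim neighbor-filter list PIM6_NEIGHBORS
"""
# Interfaces the (assumed) multicast topology diagram shows as PIM-enabled.
DOCUMENTED_PIM_INTERFACES = {"FastEthernet0/0", "FastEthernet0/2"}

if __name__ == "__main__":
    for vuln_id, items in audit_pim(SAMPLE_CONFIG, DOCUMENTED_PIM_INTERFACES).items():
        print(vuln_id, items or "no findings")
```

On the constructed config only FastEthernet0/1 is reported: it runs IPv4 PIM without appearing in the documented set and without a neighbor filter, while FastEthernet0/3 is silent because no ipv6 pim removes it from IPv6 PIM.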
5.108 V-30585 - Invalid group used for source specific multicast
5.108.1 Summary
The administrator must ensure that multicast groups used for source specific multicast (SSM) routing are from the specific multicast address space reserved for this purpose. Table 428 provides a summary result of the findings.

Table 428: Invalid group used for source specific multicast - Summary result
Device       Type          Status
router03     Cisco Router  Manual inspection
CiscoIOS15   Cisco Router  Manual inspection

5.108.2 Description
Packet origin is a concern because unauthorized sources could potentially send multicast data to a group, using any source address that is permitted. The unauthorized data could impact the integrity of the nodes receiving the data or could create a DoS condition. A receiver that subscribes to an SSM channel only receives data from the requested source. Since a channel is specific to a source, only that source can transmit on that channel. Hence, the SSM model provides more packet origin protection than ASM. To ensure that the subscriber is joining an authorized or known multicast group and source address pair, it is imperative, as a first-step measure, that the group is from the reserved multicast address space.

5.108.3 Check
IANA has reserved the address range 232.0.0.0 through 232.255.255.255 for SSM applications and protocols. However, Cisco IOS allows SSM configuration for an arbitrary subset of the IP multicast address range 224.0.0.0 through 239.255.255.255.

If IPv4 or IPv6 multicast routing is enabled, determine if IGMP version 3 or MLD version 2 is enabled for IPv4 and IPv6 respectively. If enabled, then PIM-SSM is also enabled. Hence, you must verify that only the IANA reserved SSM range of addresses is used for this implementation. The SSM address range is 232.0.0.0/8 and FF3x::/32 for IPv4 and IPv6 respectively.

Step 1: Determine if multicast routing is enabled. By default, multicast is disabled globally. The following global configuration commands enable IPv4 and IPv6 multicast routing:

    ip multicast-routing
    ipv6 multicast-routing

If multicast routing is not enabled, this vulnerability is not applicable.

Step 2:
IPv4: Check the interfaces connected to multicast subscribers to determine if IGMPv3 is enabled. This is required for subscribers to join a specific source. The IPv4 interface configuration would look as follows:

    ip igmp version 3

or

    ip igmp v3lite

If IGMPv3 is not enabled for IPv4 multicast, this vulnerability is not applicable.

IPv6: MLD is automatically enabled on an interface when IPv6 PIM is enabled on that interface. With IPv6, PIM is enabled by default on all IPv6-enabled interfaces if IPv6 multicast routing is enabled on the router via the global ipv6 multicast-routing command. An interface can be disabled for PIM using the no ipv6 pim interface command. MLD can also be disabled on IPv6 PIM-enabled interfaces with the no ipv6 mld router interface command. Following is an example of two IPv6-enabled interfaces:

    interface FastEthernet0/1
     ipv6 address 2001:1:0:146::/64 eui-64
    interface FastEthernet0/2
     ipv6 enable

MLDv2 is the default with current releases of IOS. In some releases of IOS, the ipv6 mld version command is not available. You can verify the MLD version of interfaces via the show ipv6 mld interface command. If MLDv2 is not enabled for IPv6 multicast, this vulnerability is not applicable.

Step 3: Verify that the appropriate multicast groups are used for SSM.

IPv4: The following configuration allows all of the multicast groups in 232/8 reserved for SSM:

    ip pim ssm default

or the following configuration allows only the multicast groups in 232.4.0.0/24:

    access-list 4 permit 232.4.0.0 0.0.0.255
    ip pim ssm range 4

Note: If a range is configured as in the example shown above, ensure that the range is within the IANA reserved range for SSM groups.

IPv6: The following configuration allows all of the multicast groups in FF3x::/32 reserved for SSM, where x is any valid scope value:

    ipv6 pim ssm default

or the following configuration allows only the multicast groups in the ff3e::1:0:0/96 range:

    ipv6 access-list SSM_RANGE
     permit any ff3e::1:0:0/96
    ipv6 pim ssm range SSM_RANGE

5.108.4 Fix
If IGMP version 3 or MLD version 2 is enabled for IPv4 and IPv6 multicast respectively, then PIM-SSM is also enabled. Hence, you must configure the router so that only the IANA reserved SSM range of addresses can be used for this implementation. The SSM address range is 232.0.0.0/8 and FF3x::/32 for IPv4 and IPv6 respectively.

STIG details for 5.109 (V-30617): Severity CAT III; Rule ID SV-40389r1_rule; STIG ID NET-IPV6-059; Responsibility: Information Assurance Officer.
STIG details for 5.110 (V-30660): Severity CAT II; Rule ID SV-40454r1_rule; STIG ID NET-IPV6-065; Responsibility: Information Assurance Officer.
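Step 3 of the check above is the part worth automating, because IOS accepts any group range in an SSM ACL and a wildcard mask is easy to misread. The following Python script is an added example, not code from the Nipper Studio report or from the STIG: it applies the applicability tests of Steps 1 and 2 (multicast routing on; IGMPv3 on some interface for IPv4; MLDv2 taken as the IOS default for IPv6), reads the ACLs named by ip pim ssm range and ipv6 pim ssm range, converts each IPv4 entry's wildcard mask into a prefix, and verifies that every permitted group lies within 232.0.0.0/8 or within ff30::/12, which is FF3x::/32 for every scope nibble x. The running-config is constructed for illustration.

```python
"""Added example: verify that PIM-SSM group ranges stay inside the IANA SSM
address space (V-30585). The running-config below is constructed."""
from __future__ import annotations

import ipaddress
import re

IPV4_SSM = ipaddress.ip_network("232.0.0.0/8")
IPV6_SSM = ipaddress.ip_network("ff30::/12")  # FF3x::/32 for every scope x


def ipv4_acl_networks(config: str, acl_id: str) -> list[ipaddress.IPv4Network]:
    """Prefixes permitted by a numbered/standard IPv4 ACL.

    Cisco writes 'permit A.B.C.D W.W.W.W' with a wildcard (host) mask. The
    ipaddress module reads a mask whose first octet is zero as a host mask,
    so 'A.B.C.D/W.W.W.W' is parsed directly; a non-contiguous wildcard
    raises ValueError. An all-zero wildcard would be read as a net mask,
    so host entries are written explicitly as /32."""
    nets = []
    pattern = (rf"^access-list {re.escape(acl_id)} permit (?:host )?(\S+)"
               r"(?: (\d+\.\d+\.\d+\.\d+))?(?: log)?$")
    for m in re.finditer(pattern, config, re.M):
        addr, wildcard = m.group(1), m.group(2)
        if wildcard in (None, "0.0.0.0"):
            nets.append(ipaddress.ip_network(f"{addr}/32"))
        else:
            nets.append(ipaddress.ip_network(f"{addr}/{wildcard}"))
    return nets


def ipv6_acl_networks(config: str, name: str) -> list[ipaddress.IPv6Network]:
    """Destination (group) prefixes permitted by a named IPv6 ACL stanza."""
    nets, inside = [], False
    for line in config.splitlines():
        if line == f"ipv6 access-list {name}":
            inside = True
            continue
        if not line.startswith(" "):
            inside = False  # '!' or a global command ends the stanza
            continue
        m = re.match(r"\s*permit (?:ipv6 )?\S+ (\S+)", line)  # permit [ipv6] SRC DST
        if inside and m:
            dst = m.group(1)
            nets.append(ipaddress.ip_network("::/0" if dst == "any" else dst, strict=False))
    return nets


def audit_ssm_ranges(config: str) -> list[str]:
    """Return one finding per SSM ACL entry that falls outside the IANA range."""
    lines = config.splitlines()
    findings: list[str] = []
    igmpv3 = re.search(r"^\s+ip igmp (?:version 3|v3lite)$", config, re.M)
    if "ip multicast-routing" in lines and igmpv3:
        m = re.search(r"^ip pim ssm range (\S+)$", config, re.M)
        if m:  # 'ip pim ssm default' already restricts groups to 232/8
            try:
                for net in ipv4_acl_networks(config, m.group(1)):
                    if not net.subnet_of(IPV4_SSM):
                        findings.append(f"IPv4 SSM ACL {m.group(1)}: {net} is outside {IPV4_SSM}")
            except ValueError as exc:
                findings.append(f"IPv4 SSM ACL {m.group(1)}: unparsable entry ({exc})")
    if "ipv6 multicast-routing" in lines:  # MLDv2 is the IOS default
        m = re.search(r"^ipv6 pim ssm range (\S+)$", config, re.M)
        if m:
            for net in ipv6_acl_networks(config, m.group(1)):
                if not net.subnet_of(IPV6_SSM):
                    findings.append(f"IPv6 SSM ACL {m.group(1)}: {net} is outside {IPV6_SSM}")
    return findings


# Constructed running-config (not one of the audited devices).
SAMPLE_CONFIG = """\
ip multicast-routing
ipv6 multicast-routing
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip igmp version 3
 ip pim sparse-mode
!
access-list 4 permit 232.4.0.0 0.0.0.255
access-list 4 permit 239.1.0.0 0.0.255.255
ip pim ssm range 4
!
ipv6 access-list SSM_RANGE
 permit any ff3e::1:0:0/96
 permit any ff0e::/16
!
ipv6 pim ssm range SSM_RANGE
"""

if __name__ == "__main__":
    for finding in audit_ssm_ranges(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

The second entry of each ACL in the constructed config is deliberately wrong: 239.1.0.0/16 is administratively scoped ASM space and ff0e::/16 is ordinary global-scope multicast, so neither may be used as an SSM group range.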
5.109 V-30617 - Maximum hop limit is less than 32
5.109.1 Summary
The administrator must ensure that the maximum hop limit is at least 32. Table 429 provides a summary result of the findings.

Table 429: Maximum hop limit is less than 32 - Summary result
Device       Type          Status
router03     Cisco Router  Pass
CiscoIOS15   Cisco Router  Pass

5.109.2 Description
The Neighbor Discovery protocol allows a hop limit value to be advertised by routers in a Router Advertisement message, to be used by hosts instead of the standardized default value. If a very small value were configured and advertised to hosts on the LAN segment, communications would fail because the hop limit reaches zero before the packets sent by a host reach their destination.

5.109.3 Findings
router03
Nipper Studio determined that the maximum hop limit on router03 was set to 64.
CiscoIOS15
Nipper Studio determined that the maximum hop limit on CiscoIOS15 was set to 64.

5.109.4 Check
The maximum number of hops used in router advertisements and in all IPv6 packets originated by the router can be set using the ipv6 hop-limit command in global configuration mode. Review the router or multi-layer switch configuration to determine if the maximum hop limit has been configured. If it has been configured, then it must be set to at least 32. The following global command sets the maximum hop limit to 128:

    ipv6 hop-limit 128

Note: The IOS default is 64. Hence, if the hop limit is not configured, the router is in compliance with the requirement.

5.109.5 Fix
Configure the maximum hop limit to at least 32.
5.110 V-30660 - The 6-to-4 router is not filtering protocol 41
5.110.1 Summary
The administrator must ensure the 6-to-4 router is configured to drop any IPv4 packets with protocol 41 received from the internal network. Table 430 provides a summary result of the findings.

Table 430: The 6-to-4 router is not filtering protocol 41 - Summary result
Device       Type          Status
router03     Cisco Router  Pass
CiscoIOS15   Cisco Router  Pass

5.110.2 Description
The 6to4-specific filters accomplish the role of endpoint verification and provide assurance that the tunnels are being used properly. This primary guidance assumes that only the designated 6to4 router is allowed to form tunnel packets. If they are being formed inside an enclave and passed to the 6to4 router, they are suspicious and must be dropped. In accordance with DoD IPv6 IA Guidance for MO3 (S5-C7-8), such packets must be dropped and logged as a security event.

5.110.3 Findings
router03
Nipper Studio determined that IPv6 was not configured on router03.
CiscoIOS15
Nipper Studio determined that IPv6 was not configured on CiscoIOS15.

5.110.4 Check
If the router is functioning as a 6to4 router, verify that there is an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets.

Step 1: Determine if the router is functioning as a 6to4 router. You should find a tunnel configuration similar to the following example:

    interface Tunnel0
     no ip address
     no ip redirects
     ipv6 address 2000:C0A8:6301::1/64
     tunnel source FastEthernet0/1
     tunnel mode ipv6ip 6to4
    !
    …
    ipv6 route 2002::/16 Tunnel0

Step 2: Verify that there is an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets. You should find a configuration similar to the following example:

    interface FastEthernet0/1
     description internal link
     ip address 192.168.1.1 255.255.255.0
     ipv6 address 6TO4PREFIX::1:0:0:0:1/64
     ip access-group IPV4_EGRESS_FILTER in
    !
    ip access-list extended IPV4_EGRESS_FILTER
     remark only this 6to4 router can tunnel IPv6 traffic
     deny 41 any any log
     …

Note: Normally you would configure the internal interface of a 6to4 router as dual stack. However, IPv6-only is possible, and if the interface is configured that way an IPv4 ACL is irrelevant, since the interface will not accept any IPv4 packets.

5.110.5 Fix
If the router is functioning as a 6to4 router, configure an egress filter (inbound on the internal-facing interface) to drop any outbound IPv4 packets that are tunneling IPv6 packets.

STIG details for 5.111 (V-30736): Severity CAT III; Rule ID SV-40539r1_rule; STIG ID NET-IPV6-066; Responsibility: Information Assurance Officer.
5.111 V-30736 - 6-to-4 router not filtering invalid source address
5.111.1 Summary
The administrator must ensure the 6-to-4 router is configured to drop any outbound IPv6 packets from the internal network with a source address that is not within the 6to4 prefix 2002:V4ADDR::/48, where V4ADDR is the designated IPv4 6to4 address for the enclave. Table 431 provides a summary result of the findings.

Table 431: 6-to-4 router not filtering invalid source address - Summary result
Device       Type          Status
router03     Cisco Router  Pass
CiscoIOS15   Cisco Router  Pass

5.111.2 Description
An automatic 6to4 tunnel allows isolated IPv6 domains to be connected over an IPv4 network and allows connections to remote IPv6 networks. The key difference between this deployment and manually configured tunnels is that the routers are not configured in pairs and thus do not require manual configuration, because they treat the IPv4 infrastructure as a virtual non-broadcast link, using an IPv4 address embedded in the IPv6 address to find the remote end of the tunnel. In other words, the tunnel destination is determined by the IPv4 address of the external interface of the 6to4 router, concatenated to the 2002::/16 prefix in the format 2002:V4ADDR::/48. Hence, the embedded V4ADDR of the 6to4 prefix must belong to the same IPv4 prefix as configured on the external-facing interface of the 6to4 router.

5.111.3 Findings
router03
Nipper Studio determined that IPv6 was not configured on router03.
CiscoIOS15
Nipper Studio determined that IPv6 was not configured on CiscoIOS15.

5.111.4 Check
If the router is functioning as a 6to4 router, verify that an egress filter (inbound on the internal-facing interface) has been configured to drop any outbound IPv6 packets from the internal network with a source address that is not within the 6to4 prefix 2002:V4ADDR::/48, where V4ADDR is the designated IPv4 6to4 address for the enclave. The example below uses 2002:c612:1::/48, where c612:1 maps to 198.18.0.1, which is the embedded V4ADDR. The subnet in this example is 2002:c612:1:1::/64. The IPv6 ACL filters the source address of the IPv6 packets before they are forwarded to the 6to4 tunnel. Note that the tunnel source is the external-facing interface whose address is embedded in the prefix (the same interface named in the general-prefix command).

    ipv6 general-prefix 6TO4_PREFIX 6to4 FastEthernet0/1
    !
    interface Tunnel0
     ipv6 address 2000:c0a8:6301::1/64
     tunnel source FastEthernet0/1
     tunnel mode ipv6ip 6to4
    !
    interface FastEthernet0/0
     ip address 10.1.12.1 255.255.255.0
     ipv6 address 6TO4_PREFIX::1:0:0:0:1/64
     ipv6 traffic-filter IPV6_EGRESS_FILTER in
    !
    interface FastEthernet0/1
     description DISN CORE facing
     ip address 198.18.0.1 255.255.255.0
    !
    ipv6 route 2002::/16 Tunnel0
    !
    ipv6 access-list IPV6_EGRESS_FILTER
     permit ipv6 2002:C612:1::/48 any
     deny ipv6 any any log

Note: Normally you would configure the internal interface as dual stack, although IPv6-only is possible.

5.111.5 Fix
If the router is functioning as a 6to4 router, configure an egress filter (inbound on the internal-facing interface) to drop any outbound IPv6 packets from the internal network with a source address that is not within the 6to4 prefix 2002:V4ADDR::/48, where V4ADDR is the designated IPv4 6to4 address for the enclave.

STIG details for 5.112 (V-30744): Severity CAT II; Rule ID SV-40556r1_rule; STIG ID NET-TUNL-034; Responsibility: Information Assurance Officer.
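The two 6to4 checks above (5.110, the protocol-41 filter; 5.111, the source-prefix filter) share one derived value, the enclave's 2002:V4ADDR::/48 prefix, so they are best verified together. The following Python script is an added example, not code from the Nipper Studio report or from the STIG: it locates the 6to4 tunnel in a running-config, takes the IPv4 address of the tunnel source interface, computes the 6to4 prefix from it, and then inspects the two filters bound inbound on the internal-facing interface (the IPv4 ACL must deny protocol 41; the IPv6 traffic-filter must permit only sources inside the derived /48 and end in a deny). The running-config is constructed and reuses the documentation addresses from the examples above; the name of the internal-facing interface is an assumption supplied by the caller, since the config alone does not mark which side is internal.

```python
"""Added example: verify the two 6to4 egress filters (V-30660, V-30736) in a
Cisco IOS running-config. The configuration below is constructed; the
internal-facing interface name is supplied by the caller."""
from __future__ import annotations

import ipaddress
import re


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:V4ADDR::/48 with the 32-bit IPv4 address embedded as two hextets."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.ip_network(f"2002:{v4 >> 16:x}:{v4 & 0xFFFF:x}::/48")


def stanzas(config: str, kind: str) -> dict[str, list[str]]:
    """Map '<kind> NAME' headers to their indented sub-command lines."""
    result: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(rf"^{kind} (.+)$", line)
        if m:
            current = result.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or an unrelated global command ends the stanza
    return result


def audit_6to4(config: str, internal_if: str) -> dict:
    """Check the protocol-41 and source-prefix egress filters of a 6to4 router."""
    ifaces = stanzas(config, "interface")
    v4_acls = stanzas(config, "ip access-list extended")
    v6_acls = stanzas(config, "ipv6 access-list")
    result: dict = {"applicable": False, "prefix": None, "V-30660": [], "V-30736": []}

    tunnel = next((b for b in ifaces.values() if "tunnel mode ipv6ip 6to4" in b), None)
    if tunnel is None:
        return result  # not a 6to4 router: both checks are not applicable
    result["applicable"] = True

    # The enclave prefix embeds the IPv4 address of the tunnel source interface.
    source_if = next(l.split()[2] for l in tunnel if l.startswith("tunnel source "))
    addr_line = next(l for l in ifaces[source_if] if l.startswith("ip address "))
    prefix = six_to_four_prefix(addr_line.split()[2])
    result["prefix"] = str(prefix)

    internal = ifaces.get(internal_if, [])

    def bound_acl(bind_cmd: str) -> str | None:
        """Name of the ACL bound inbound on the internal interface, if any."""
        for l in internal:
            m = re.match(rf"{bind_cmd} (\S+) in$", l)
            if m:
                return m.group(1)
        return None

    # V-30660: the inbound IPv4 ACL must drop IPv6-in-IPv4 (protocol 41).
    v4_name = bound_acl("ip access-group")
    if v4_name is None:
        result["V-30660"].append(f"{internal_if}: no inbound IPv4 access-group")
    elif not any(re.match(r"deny 41 any any( log)?$", e) for e in v4_acls.get(v4_name, [])):
        result["V-30660"].append(f"ACL {v4_name}: no 'deny 41 any any' entry")

    # V-30736: the inbound IPv6 filter must permit only sources inside the /48.
    v6_name = bound_acl("ipv6 traffic-filter")
    if v6_name is None:
        result["V-30736"].append(f"{internal_if}: no inbound IPv6 traffic-filter")
    else:
        entries = v6_acls.get(v6_name, [])
        for e in entries:
            m = re.match(r"permit ipv6 (\S+) any$", e)
            if m:
                src = ipaddress.ip_network("::/0" if m.group(1) == "any" else m.group(1),
                                           strict=False)
                if not src.subnet_of(prefix):
                    result["V-30736"].append(
                        f"ACL {v6_name}: permits source {src}, outside {prefix}")
        if not any(re.match(r"deny ipv6 any any( log)?$", e) for e in entries):
            result["V-30736"].append(f"ACL {v6_name}: no final 'deny ipv6 any any log'")
    return result


# Constructed running-config (documentation addresses, not an audited device).
SAMPLE_CONFIG = """\
ipv6 general-prefix 6TO4_PREFIX 6to4 FastEthernet0/1
!
interface Tunnel0
 no ip address
 ipv6 address 2002:c612:1::1/64
 tunnel source FastEthernet0/1
 tunnel mode ipv6ip 6to4
!
interface FastEthernet0/0
 description internal link
 ip address 10.1.12.1 255.255.255.0
 ipv6 address 6TO4_PREFIX::1:0:0:0:1/64
 ip access-group IPV4_EGRESS_FILTER in
 ipv6 traffic-filter IPV6_EGRESS_FILTER in
!
interface FastEthernet0/1
 description DISN CORE facing
 ip address 198.18.0.1 255.255.255.0
!
ipv6 route 2002::/16 Tunnel0
!
ip access-list extended IPV4_EGRESS_FILTER
 remark only this 6to4 router can tunnel IPv6 traffic
 deny 41 any any log
 permit ip any any
!
ipv6 access-list IPV6_EGRESS_FILTER
 permit ipv6 2002:C612:1::/48 any
 permit ipv6 2002:C612:2::/48 any
 deny ipv6 any any log
"""

if __name__ == "__main__":
    print(audit_6to4(SAMPLE_CONFIG, internal_if="FastEthernet0/0"))
```

The constructed IPv6 filter contains a second permit for 2002:c612:2::/48, a 6to4 prefix that embeds a different IPv4 address (198.18.0.2); the script reports it because any source outside the enclave's own /48 would be tunnelled with a spoofed 6to4 origin.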
5.112 V-30744 - L2TPv3 sessions are not authenticated
5.112.1 Summary
The administrator must ensure that all L2TPv3 sessions are authenticated prior to transporting traffic. Table 432 provides a summary result of the findings.

Table 432: L2TPv3 sessions are not authenticated - Summary result
Device       Type          Status
router03     Cisco Router  Pass
CiscoIOS15   Cisco Router  Pass

5.112.2 Description
L2TPv3 sessions can be used to transport layer-2 protocols across an IP backbone. These protocols were intended for link-local scope only and are therefore less defended and not as well known. As stated in DoD IPv6 IA Guidance for MO3 (S4-C7-1), the L2TP tunnels can also carry IP packets that are very difficult to filter because of the additional encapsulation. Hence, it is imperative that L2TP sessions are authenticated prior to transporting traffic.

5.112.3 Findings
router03
Nipper Studio determined that no Layer 2 Tunneling Protocol version 3 (L2TPv3) pseudowire has been configured on router03.
CiscoIOS15
Nipper Studio determined that no L2TPv3 pseudowire has been configured on CiscoIOS15.

5.112.4 Check
Review the router or multi-layer switch configuration and determine if L2TPv3 has been configured to provide transport across an IP network. If it has been configured, verify that the L2TPv3 session requires authentication.

Step 1: Determine if an L2TPv3 pseudowire is configured on an interface, which will look similar to the following configuration:

    pseudowire-class L2TPV3
     encapsulation l2tpv3
     ip local interface Loopback0
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
    !
    interface FastEthernet0/0
     xconnect 5.5.5.5 1 encapsulation l2tpv3 pw-class L2TPV3

If you do not see a configuration similar to the one above, then this vulnerability is not applicable. Otherwise, proceed to step 2.

Step 2: Verify that the l2tp-class global command has been configured with authentication, as shown in the following example:

    l2tp-class L2TP_CLASS
     authentication
     password 7 011E1F145A1815182E5E4A

Note: If a password is not configured in the l2tp-class command, the password associated with the remote peer router is taken from the value entered with the global username hostname password value.

Note: Layer 2 Forwarding or L2F (RFC 2341), which is the "version 1", and L2TPv2 (RFC 2661) are used for remote access services based on the Virtual Private Dial-up Network (VPDN) model, not for tunneling IP packets across a backbone as with L2TPv3. With the VPDN model, a user obtains a layer-2 connection to a RAS using dialup PSTN or ISDN service and then establishes a PPP session over that connection. The L2 termination and PPP session endpoints reside on the RAS. L2TP extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices that are interconnected by a backbone network. A remote access client has an L2 connection to an L2TP Access Concentrator (LAC) that tunnels PPP frames across the IP backbone to the L2TP Network Server (LNS) residing in the private network.

5.112.5 Fix
Configure L2TPv3 to use authentication for any peering sessions.

STIG details for 5.113 (V-31285): Severity CAT II; Rule ID SV-41555r2_rule; STIG ID NET0408; Controls: ECSC-1.
5.113 V-31285 - BGP must authenticate all peers.
5.113.1 Summary
The network element must authenticate all BGP peers within the same or between autonomous systems (AS). Table 433 provides a summary result of the findings.

Table 433: BGP must authenticate all peers. - Summary result
Device       Type          Status
router03     Cisco Router  Fail
CiscoIOS15   Cisco Router  Pass

5.113.2 Description
As specified in RFC 793, TCP utilizes sequence checking to ensure proper ordering of received packets. RFC 793 also specifies that RST (reset) control flags should be processed immediately, without waiting for out-of-sequence packets to arrive. RFC 793 also requires that sequence numbers are checked against the window size before accepting data or control flags as valid. A router receiving an RST segment will close the TCP session with the BGP peer that is being spoofed, thereby purging all routes learned from that BGP neighbor. An RST segment is valid as long as the sequence number is within the window. The TCP reset attack is made possible by the requirements that reset flags be processed immediately and that a TCP endpoint accept out-of-order packets that are within the range of a window size. This reduces the number of sequence number guesses the attacker must make by a factor equivalent to the active window size: each sequence number guess made by the attacker can simply be incremented by the receiving connection's window size. The BGP peering session can protect itself against such an attack by authenticating each TCP segment. The TCP header options carry an MD5 signature in every packet, and it is checked prior to the acceptance and processing of any TCP packet, including those with the RST flag set.

One way to create havoc in a network is to advertise bogus routes to a network. A rogue router could send a fictitious routing update to convince a BGP router to send traffic to an incorrect or rogue destination. This diverted traffic could be analyzed to learn confidential information about the site's network, or merely used to disrupt the network's ability to effectively communicate with other networks. An autonomous system can advertise incorrect information by sending BGP update messages to routers in a neighboring AS. A malicious AS can advertise a prefix originated from another AS and claim that it is the originator (prefix hijacking). Neighboring autonomous systems receiving this announcement will believe that the malicious AS is the prefix owner and route packets to it.

5.113.3 Check
Review the router configuration to determine if authentication is being used for all peers. A password should be defined for each BGP neighbor regardless of the autonomous system the peer belongs to, as shown in the following example:

    router bgp 100
     neighbor external-peers peer-group
     neighbor 171.69.232.90 remote-as 200
     neighbor 171.69.232.90 peer-group external-peers
     neighbor 171.69.232.100 remote-as 300
     neighbor 171.69.232.100 peer-group external-peers
     neighbor 171.69.232.90 password xxxxxxxxxx
     neighbor 171.69.232.100 password xxxxxxxxxx
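The one subtlety in this check that a line-by-line read of the example misses is inheritance: on IOS a neighbor that is a member of a peer-group takes the group's password, so a neighbor with no password line of its own is still authenticated if its group has one. The following Python script is an added example, not code from the Nipper Studio report or from the STIG: it parses the router bgp stanza of a running-config, separates peer-group declarations from real neighbors, and lists every neighbor that has neither its own password nor one inherited from its peer-group. The running-config is constructed with documentation addresses.

```python
"""Added example: find BGP neighbors without TCP MD5 authentication (V-31285)
in a Cisco IOS running-config, honouring peer-group inheritance. The
configuration below is constructed with documentation addresses."""
from __future__ import annotations

import re


def bgp_neighbors_without_password(config: str) -> list[str] | None:
    """Return unauthenticated neighbor addresses, or None if BGP is not configured."""
    m = re.search(r"^router bgp \d+\n((?: .*\n?)*)", config, re.M)
    if m is None:
        return None  # no BGP process: the check is not applicable
    peer_groups: set[str] = set()   # names declared with 'neighbor NAME peer-group'
    member_of: dict[str, str] = {}  # neighbor address -> peer-group name
    has_password: set[str] = set()  # neighbors or groups with a 'password' line
    targets: list[str] = []         # every 'neighbor X ...' target, in config order
    for raw in m.group(1).splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "neighbor":
            continue
        target, keyword = parts[1], parts[2]
        if target not in targets:
            targets.append(target)
        if keyword == "peer-group":
            if len(parts) == 3:
                peer_groups.add(target)       # 'neighbor NAME peer-group' (declaration)
            else:
                member_of[target] = parts[3]  # 'neighbor ADDR peer-group NAME' (membership)
        elif keyword == "password":
            # 'password 7 ...' is Cisco type-7 obfuscation, not encryption: the
            # secret is still recoverable by anyone who can read the config.
            has_password.add(target)
    unauthenticated = []
    for t in targets:
        if t in peer_groups:
            continue  # a peer-group is a template, not a peer
        if t in has_password or member_of.get(t) in has_password:
            continue  # own password, or inherited from the group
        unauthenticated.append(t)
    return unauthenticated


# Constructed running-config (not one of the audited devices).
SAMPLE_CONFIG = """\
router bgp 100
 neighbor external-peers peer-group
 neighbor external-peers password 7 0822455D0A16
 neighbor 192.0.2.90 remote-as 200
 neighbor 192.0.2.90 peer-group external-peers
 neighbor 192.0.2.100 remote-as 300
 neighbor 192.0.2.100 peer-group external-peers
 neighbor 10.0.0.2 remote-as 100
 neighbor 10.0.0.2 password iBGP-shared-secret
 neighbor 10.0.0.3 remote-as 100
!
"""

if __name__ == "__main__":
    print(bgp_neighbors_without_password(SAMPLE_CONFIG))
```

In the constructed config the two eBGP neighbors inherit the external-peers password, 10.0.0.2 has its own, and only the iBGP neighbor 10.0.0.3 is reported, which is the case the STIG's "within the same or between autonomous systems" wording is aimed at.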
5.113.4 Fix
Configure the device to authenticate all BGP peers.
5.114Conclusions
NipperStudioperformedaDoDSTIGcomplianceauditon2March2017ofthedeviceandSTIGsdetailedinTable434.ThehighestratedSTIGcompliancefailurewasaCATI.
Table434:DISASTIGdevicecompliancesummary
Name STIG Version IPass IFail IMan IIPass IIFail IIMan IIIPass IIIFail IIIMan
router03 InfrastructureL3SwitchSecureTechnicalImplementationGuide-
Cisco
8Release21
(28/10/2016)
4 3 4 17 12 34 7 11 16
CiscoIOS15 InfrastructureRouterSecurityTechnicalImplementationGuideCisco 8Release21
(28/10/2016)
5 2 3 20 4 24 16 3 10
STIGCATIchecksareforthosevulnerabilitieswhichifexploitationwill,directlyandimmediatelyresultinlossofconfidentiality,availability,orintegrity.AnATOwillnotbegrantedwhileCATIweaknessesarepresentforadevice.TherewereelevenchecksthathadbeenclassedasCATI.
NipperStudioidentifiedfiveCATIcompliancechecksthatFAILED.Thesecompliancefailureswere:
V-3062-Passwordsareviewablewhendisplayingtheconfig.(failedonrouter03,CiscoIOS15);V-3196-AninsecureversionofSNMPisbeingused.(failedonrouter03,CiscoIOS15);V-3210-UsingdefaultSNMPcommunitynames.(failedonrouter03).
NipperStudioidentifiednineCATIcompliancechecksthatPASSED.Thesecompliancepasseswere:
V-3012-Networkelementisnotpasswordprotected.(passedonrouter03,CiscoIOS15);V-3143-Devicesexistwithstandarddefaultpasswords.(passedonrouter03,CiscoIOS15);V-3175-Managementconnectionsmustrequirepasswords.(passedonrouter03,CiscoIOS15);V-3210-UsingdefaultSNMPcommunitynames.(passedonCiscoIOS15);V-4582-Authenticationrequiredforconsoleaccess.(passedonrouter03,CiscoIOS15).
NipperStudioidentifiedsevenCATIcompliancechecksthatrequireMANUALinspectionsbeforetheycanbecatagorizedaseitherapassorafail.Thesecompliancecheckswere:
V-5626-NET-NAC-009(inspectiononrouter03);V-3056-Groupaccountsaredefined.(inspectiononrouter03,CiscoIOS15);V-7009-AnInfiniteLifetimekeyhasnotbeenimplemented(inspectiononrouter03,CiscoIOS15);
V-15434-Emergencyadministrationaccountprivilegelevelisnotset.(inspectiononrouter03,CiscoIOS15).
STIGCATIIchecksareforthosevulnerabilitieswhereexploitationhasapotentialtoresultinlossofconfidentiality,availability,orintegrity.CATIIfindingsthathavebeensatisfactorilymitigatedwillnotpreventanATOfrombeinggrantedforadevice.Therewere65checksthathadbeenclassedasCATII.
NipperStudioidentified16CATIIcompliancechecksthatFAILED.Thesecompliancefailureswere:
V-5624-Re-authenticationmustoccurevery60minutes.(failedonrouter03);V-3013-Loginbannerisnon-existentornotDOD-approved.(failedonrouter03,CiscoIOS15);V-3021-SNMPaccessisnotrestrictedbyIPaddress.(failedonrouter03);V-3034-Interiorroutingprotocolsarenotauthenticated.(failedonrouter03);V-3069-ManagementconnectionsmustbesecuredbyFIPS140-2.(failedonrouter03);V-3081-IPSourceRoutingisnotdisabledonallrouters.(failedonrouter03);V-3085-HTTPserverisnotdisabled(failedonrouter03);V-3966-Morethanonelocalaccountisdefined.(failedonrouter03,CiscoIOS15);V-3969-NetworkelementmustonlyallowSNMPreadaccess.(failedonrouter03);V-5612-SSHsessiontimeoutisnot60secondsorless.(failedonCiscoIOS15);V-14671-NTPmessagesarenotauthenticated.(failedonrouter03);V-15432-ThedeviceisnotauthenticatedusingaAAAserver.(failedonrouter03,CiscoIOS15);V-31285-BGPmustauthenticateallpeers.(failedonrouter03).
NipperStudioidentified38CATIIcompliancechecksthatPASSED.Thesecompliancepasseswere:
V-3971-VLAN1isbeingusedasauserVLAN.(passedonrouter03);V-17816-RoutesfromthetwoIGPdomainsareredistributed(passedonrouter03);V-3008-IPSecVPNisnotconfiguredasatunneltypeVPN.(passedonrouter03);V-3014-Managementconnectiondoesnottimeout.(passedonrouter03,CiscoIOS15);V-3034-Interiorroutingprotocolsarenotauthenticated.(passedonCiscoIOS15);V-3043-SNMPprivilegedandnon-privilegedaccess.(passedonrouter03,CiscoIOS15);V-3069-ManagementconnectionsmustbesecuredbyFIPS140-2.(passedonCiscoIOS15);V-3080-Configurationauto-loadingmustbedisabled.(passedonrouter03,CiscoIOS15);V-3081-IPSourceRoutingisnotdisabledonallrouters.(passedonCiscoIOS15);V-3085-HTTPserverisnotdisabled(passedonCiscoIOS15);V-3967-Theconsoleportdoesnottimeoutafter10minutes.(passedonrouter03,CiscoIOS15);V-3969-NetworkelementmustonlyallowSNMPreadaccess.(passedonCiscoIOS15);V-5612-SSHsessiontimeoutisnot60secondsorless.(passedonrouter03);V-5613-SSHloginattemptsvalueisgreaterthan3.(passedonrouter03,CiscoIOS15);V-5618-GratuitousARPmustbedisabled.(passedonrouter03,CiscoIOS15);V-5645-CiscoExpressForwarding(CEF)notenabledonsupporteddevices.(passedonrouter03,CiscoIOS15);V-14669-BSDrcommandsarenotdisabled.(passedonrouter03,CiscoIOS15);V-14671-NTPmessagesarenotauthenticated.(passedonCiscoIOS15);V-14693-IPv6SiteLocalUnicastADDRmustnotbedefined(passedonrouter03,CiscoIOS15);V-14717-ThenetworkelementmustnotallowSSHVersion1.(passedonrouter03,CiscoIOS15);V-17816-RoutesfromthetwoIGPdomainsareredistributed(passedonCiscoIOS15);V-28784-Callhomeserviceisdisabled.(passedonrouter03,CiscoIOS15);V-30660-The6-to-4routerisnotfilteringprotocol41(passedonrouter03,CiscoIOS15);V-30744-L2TPv3sessionsarenotauthenticated(passedonrouter03,CiscoIOS15);V-31285-BGPmustauthenticateallpeers.(passedonCiscoIOS15).
NipperStudioidentified59CATIIcompliancechecksthatrequireMANUALinspectionsbeforetheycanbecatagorizedaseitherapassorafail.Thesecompliancecheckswere:
V-3984-AccessswitchportsareassignedtothenativeVLAN(inspectiononrouter03);V-5622-AdedicatedVLANisrequiredforalltrunkports.(inspectiononrouter03);V-5623-Ensuretrunkingisdisabledonallaccessports.(inspectiononrouter03);V-5628-TheVLAN1isbeingusedformanagementtraffic.(inspectiononrouter03);V-17815-IGPinstancesdonotpeerwithappropriatedomain(inspectiononrouter03);V-17824-ManagementinterfaceisassignedtoauserVLAN.(inspectiononrouter03);V-17826-InvalidportswithmembershiptothemgmtVLAN(inspectiononrouter03);V-17832-MgmtVLANdoesnothavecorrectIPaddress(inspectiononrouter03);V-17833-NoingressACLonmanagementVLANinterface(inspectiononrouter03);V-18523-ACLsdonotprotectagainstcompromisedservers(inspectiononrouter03);V-18545-Upstreamaccessnotrestrictedfornon-802.1xVLAN(inspectiononrouter03);V-18566-NET-NAC-031(inspectiononrouter03);V-3008-IPSecVPNisnotconfiguredasatunneltypeVPN.(inspectiononCiscoIOS15);V-3021-SNMPaccessisnotrestrictedbyIPaddress.(inspectiononCiscoIOS15);V-3057-Accountsassignedleastprivilegesnecessarytoperformduties.(inspectiononrouter03,CiscoIOS15);V-3058-Unauthorizedaccountsareconfiguredtoaccessdevice.(inspectiononrouter03,CiscoIOS15);V-3160-Operatingsystemisnotatacurrentreleaselevel.(inspectiononrouter03,CiscoIOS15);V-5611-Managementconnectionsarenotrestricted.(inspectiononrouter03,CiscoIOS15);V-5646-Devicesnotconfiguredtofilteranddrophalf-openconnections.(inspectiononrouter03,CiscoIOS15);V-14705-IPv6routersarenotconfiguredwithCEFenabled(inspectiononrouter03,CiscoIOS15);V-14707-IPv6EgressOutboundSpoofingFilter(inspectiononrouter03,CiscoIOS15);V-15288-ISATAPtunnelsmustterminateatinteriorrouter.(inspectiononrouter03,CiscoIOS15);V-17754-Managementtrafficisnotrestricted(inspectiononrouter03,CiscoIOS15);V-17814-RemoteVPNend-pointnotamirroroflocalgateway(inspectiononrouter03,CiscoIOS15);V-17815-IGPinstancesdonotpeerwithappropriatedomain(inspectiononCiscoIOS15);
V-17817-ManagednetworkhasaccesstoOOBMgatewayrouter(inspectiononrouter03,CiscoIOS15);V-17818-Trafficfromthemanagednetworkwillleak(inspectiononrouter03,CiscoIOS15);V-17819-Managementtrafficleaksintothemanagednetwork(inspectiononrouter03,CiscoIOS15);V-17821-TheOOBMinterfacenotconfiguredcorrectly.(inspectiononrouter03,CiscoIOS15);V-17822-ThemanagementinterfacedoesnothaveanACL.(inspectiononrouter03,CiscoIOS15);V-17834-NoinboundACLformgmtnetworksub-interface(inspectiononrouter03,CiscoIOS15);V-17835-IPSectrafficisnotrestricted(inspectiononrouter03,CiscoIOS15);V-18522-ACLsmustrestrictaccesstoserverVLANs.(inspectiononrouter03,CiscoIOS15);V-18790-NET-TUNL-012(inspectiononrouter03,CiscoIOS15);V-19188-Controlplaneprotectionisnotenabled.(inspectiononrouter03,CiscoIOS15);V-30577-PIMenabledonwronginterfaces(inspectiononrouter03,CiscoIOS15);V-30578-PIMneighborfilterisnotconfigured(inspectiononrouter03,CiscoIOS15).
STIGCATIIIchecksareforthosevulnerabilitieswhichdegradesmeasurestoprotectagainstlossofconfidentiality,availability,orintegrity.ThesefindingsthatmayimpacttheIAposturebutarenotrequiredtobemitigatedorcorrectedinorderforanATOtobegrantedforadevice.Therewere34checksthathadbeenclassedasCATIII.
NipperStudioidentifiedfourteenCATIIIcompliancechecksthatFAILED.Thesecompliancefailureswere:
V-3020-DNSserversmustbedefinedforclientresolver.(failedonrouter03);V-3070-Managementconnectionsmustbelogged.(failedonrouter03,CiscoIOS15);V-3078-TCPandUDPsmallserverservicesarenotdisabled.(failedonrouter03);V-3079-Thefingerserviceisnotdisabled.(failedonrouter03);V-3083-IPdirectedbroadcastisnotdisabled.(failedonrouter03);V-3086-TheBootpserviceisnotdisabled.(failedonrouter03);V-4584-Thenetworkelementmustlogallmessagesexceptdebugging.(failedonrouter03);V-5614-ThePADserviceisenabled.(failedonrouter03);V-5615-TCPKeep-Alivesmustbeenabled.(failedonrouter03);V-14674-NTPtrafficisnotusingloopbackaddressorOOBManagementinterface.(failedonrouter03);V-14675-SNMPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.(failedonCiscoIOS15);V-23747-TwoNTPserversarenotusedtosynchronizetime.(failedonrouter03,CiscoIOS15).
NipperStudioidentified23CATIIIcompliancechecksthatPASSED.Thesecompliancepasseswere:
V-3000-InterfaceACLdenystatementsarenotlogged.(passedonrouter03,CiscoIOS15);V-3020-DNSserversmustbedefinedforclientresolver.(passedonCiscoIOS15);V-3078-TCPandUDPsmallserverservicesarenotdisabled.(passedonCiscoIOS15);V-3079-Thefingerserviceisnotdisabled.(passedonCiscoIOS15);V-3083-IPdirectedbroadcastisnotdisabled.(passedonCiscoIOS15);V-3086-TheBootpserviceisnotdisabled.(passedonCiscoIOS15);V-4584-Thenetworkelementmustlogallmessagesexceptdebugging.(passedonCiscoIOS15);V-5614-ThePADserviceisenabled.(passedonCiscoIOS15);V-5615-TCPKeep-Alivesmustbeenabled.(passedonCiscoIOS15);V-5616-Identificationsupportisenabled.(passedonrouter03,CiscoIOS15);V-14672-AuthenticationtrafficdoesnotuseloopbackaddressorOOBManagementinterface.(passedonrouter03,CiscoIOS15);V-14673-SyslogtrafficisnotusingloopbackaddressorOOBmanagementinterface.(passedonrouter03,CiscoIOS15);V-14674-NTPtrafficisnotusingloopbackaddressorOOBManagementinterface.(passedonCiscoIOS15);V-14675-SNMPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.(passedonrouter03);V-14677-FTP/TFTPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.(passedonCiscoIOS15);V-30617-Maximumhoplimitislessthan32(passedonrouter03,CiscoIOS15);V-30736-6-to-4routernotfilteringinvalidsourceaddress(passedonrouter03,CiscoIOS15).
NipperStudioidentified26CATIIIcompliancechecksthatrequireMANUALinspectionsbeforetheycanbecatagorizedaseitherapassorafail.Thesecompliancecheckswere:
V-3972-VLAN1traffictraversesacrossunnecessarytrunk(inspectiononrouter03);V-3973-DisabledportsarenotkeptinanunusedVLAN.(inspectiononrouter03);V-17825-ManagementVLANhasinvalidaddresses(inspectiononrouter03);V-17827-ThemanagementVLANisnotprunedfromtrunklinks(inspectiononrouter03);V-18544-RestrictedVLANnotassignedtonon-802.1xdevice.(inspectiononrouter03);V-3072-Runningandstartupconfigurationsarenotsynchronized.(inspectiononrouter03,CiscoIOS15);V-7011-Theauxiliaryportisnotdisabled.(inspectiononrouter03,CiscoIOS15);V-14667-Keyexpirationexceeds180days.(inspectiononrouter03,CiscoIOS15);V-14676-Netflowtrafficisnotusingloopbackaddress.(inspectiononrouter03,CiscoIOS15);V-14677-FTP/TFTPtrafficdoesnotuseloopbackaddressorOOBManagementinterface.(inspectiononrouter03);V-14681-LoopbackaddressisnotusedastheiBGPsourceIP.(inspectiononrouter03,CiscoIOS15);V-17823-ThemanagementinterfaceisnotIGPpassive.(inspectiononrouter03,CiscoIOS15);V-17836-Managementtrafficisnotclassifiedandmarked(inspectiononrouter03,CiscoIOS15);V-17837-Managementtrafficdoesn'tgetpreferredtreatment(inspectiononrouter03,CiscoIOS15);V-19189-NoAdmin-localorSite-localboundary(inspectiononrouter03,CiscoIOS15);V-30585-Invalidgroupusedforsourcespecificmulticast(inspectiononrouter03,CiscoIOS15).
5.115 Recommendations
Nipper Studio recommends that the findings of this audit are reviewed. Furthermore, Nipper Studio recommends that mitigation should be implemented to resolve any compliance failures. Table 435 lists the recommended actions for the compliance findings detailed in this report.
Table 435 (columns: STIG, Title, Severity, State, Recommendation, Affected Devices)

V-5626 - NET-NAC-009 - CAT I - Affected devices: router03
Verify if the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e. RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. If 802.1x authentication is not configured on these host-facing access switch ports, this is a CAT 1 finding. If MAC address filtering is implemented in lieu of 802.1x authentication, this finding will be downgraded to a CAT 3.
Verify 802.1x authentication is enabled on the switch and host facing switch ports:
Step 1: Verify that an 802.1x authentication server has been configured similar to the following example:
Switch(config)# radius-server host x.x.x.x auth-port 1813 key !R4d1u$K3y!
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Step 2: Verify 802.1x authentication has been enabled globally on the network device similar to the following example:
Switch(config)# dot1x system-auth-control
Step 3: Verify that all host-facing access switch ports are configured to use 802.1x similar to the examples below:
Switch(config)# interface fastethernet 0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# dot1x port-control auto
OR
Switch(config)# interface fastethernet 0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# authentication port-control auto
If 802.1x is not being used, determine if MAC filtering is used on each host-facing access switch port as shown in the following example:
Switch(config)# interface fastethernet 0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 1000.2000.3000
NOTE: The section below is intended for classified networks. If it's determined that 802.1x is not implemented on a classified network, the Traditional review team must be notified to determine if the physical requirements are implemented. For a site to be downgraded to a CAT III open finding, the physical security requirements must be implemented in addition to static MAC or sticky secure MAC port security. If both physical and logical downgrades are not implemented, a CAT I open finding will be issued.
If classified LAN drops are not authenticated by an 802.1x implementation, they must be located within spaces properly established as Secret vaults, Secret Secure Rooms (AKA: Collateral Classified Open Storage Areas), TS secure room, or SCIF. Otherwise, one of the following supplemental physical security controls must be implemented.
1. Wall jacks must be secured when unattended by persons with Secret or higher clearance with a properly constructed lock box (Hoffman or similar commercial product or locally fabricated). The lock box must have no exposed or removable hinges. The hasp hardware must be riveted to the box or otherwise installed so that removal will require physical breaking of the box; thereby leaving evidence of actual or attempted entry. The lock box must be secured with a 3-position high security combination padlock (IAW the NSTISSI 7003). The S&G 8077 combination padlock is the only existing padlock meeting this standard.
2. If lock boxes are not used, the alternative is to physically disconnect the SIPRNet link at the SIPRNet point of presence (PoP) after normal duty hours. The PoP must be located within a proper Secret or higher secure room.

V-3056 - Group accounts are defined. - CAT I - Affected devices: router03, CiscoIOS15
Review the network device configuration and validate there are no group accounts configured for access.
If a group account is configured on the device, this is a finding.

V-3062 - Passwords are viewable when displaying the config. - CAT I - Affected devices: router03, CiscoIOS15
Configure the network element to ensure passwords are not viewable when displaying configuration information.
Device(config)# service password-encryption
Device(config)# username name secret S3cr3T!
Device(config)# enable secret $MyS3cr3TPW$
Device(config)# end

V-3196 - An insecure version of SNMP is being used. - CAT I - Affected devices: router03, CiscoIOS15
If SNMP is enabled, configure the network device to use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography (i.e., SHA authentication and AES encryption).

V-3210 - Using default SNMP community names. - CAT I - Affected devices: router03
Configure unique SNMP community strings replacing the default community strings.

V-7009 - An Infinite Lifetime key has not been implemented - CAT I - Affected devices: router03, CiscoIOS15
Review the running configuration to determine if key authentication has been defined with an infinite lifetime.
If the key has been configured for a lifetime other than infinite, this is a finding.
RIP2 Example
interface ethernet 0
 ip rip authentication key-chain trees
 ip rip authentication mode md5
router rip
 network 172.19.0.0
 version 2
key chain trees
 key 1
  key-string willow
  accept-lifetime 22:45:00 Feb 10 2005 22:45:00 Aug 10 2005
  send-lifetime 23:00:00 Feb 10 2005 22:45:00 Aug 10 2005
 key 2
  key-string birch
  accept-lifetime 22:45:00 Aug 9 2005 22:45:00 Feb 10 2006
  send-lifetime 23:00:00 Aug 9 2005 22:45:00 Feb 10 2006
 key 9999
  key-string maple
  accept-lifetime 22:45:00 Feb 9 2005 infinite
  send-lifetime 23:00:00 Feb 9 2005 infinite
EIGRP Example
interface ethernet 0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 trees
router eigrp 1
 network 172.19.0.0
key chain trees
 key 1
  key-string willow
  accept-lifetime 22:45:00 Feb 10 2005 22:45:00 Aug 10 2005
  send-lifetime 23:00:00 Feb 10 2005 22:45:00 Aug 10 2005
 key 2
  key-string birch
  accept-lifetime 22:45:00 Dec 10 2005 22:45:00 Feb 10 2006
  send-lifetime 23:00:00 Dec 10 2005 22:45:00 Jan 10 2006
 key 9999
  key-string maple
  accept-lifetime 22:45:00 Feb 9 2005 infinite
  send-lifetime 23:00:00 Feb 9 2005 infinite
Note: Only Enhanced Interior Gateway Routing Protocol (EIGRP) and Routing Information Protocol (RIP) Version 2 use key chains.
Note: When using MD5 authentication keys, it is imperative the site is in compliance with the NTP policies. The router has to know the time!
Note: Must make this a high number to ensure you have plenty of room to put keys in before it. All subsequent keys will be decremented by one (9998, 9997...).
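As an added illustration (not part of the Nipper Studio report or of the STIG text), the following Python script parses IOS key chain blocks like the ones above and reports a chain with no infinite-lifetime key (V-7009) together with any key whose lifetime exceeds 180 days (V-14667, listed among the manual checks earlier). The second chain and its key name are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not from the audited devices): the EIGRP key chain from the
# V-7009 example above, plus a second chain that has no infinite-lifetime key.
SAMPLE_CONFIG = """\
key chain trees
 key 1
  key-string willow
  accept-lifetime 22:45:00 Feb 10 2005 22:45:00 Aug 10 2005
  send-lifetime 23:00:00 Feb 10 2005 22:45:00 Aug 10 2005
 key 2
  key-string birch
  accept-lifetime 22:45:00 Dec 10 2005 22:45:00 Feb 10 2006
  send-lifetime 23:00:00 Dec 10 2005 22:45:00 Jan 10 2006
 key 9999
  key-string maple
  accept-lifetime 22:45:00 Feb 9 2005 infinite
  send-lifetime 23:00:00 Feb 9 2005 infinite
key chain shortlived
 key 1
  key-string oak
  send-lifetime 00:00:00 Jan 1 2017 00:00:00 Sep 1 2017
"""

STAMP = r"\d\d:\d\d:\d\d \w{3} \d{1,2} \d{4}"
LIFETIME_RE = re.compile(
    rf"^(accept|send)-lifetime ({STAMP}) (infinite|duration \d+|{STAMP})$")
MAX_KEY_DAYS = 180  # V-14667: key expiration must not exceed 180 days


def parse_stamp(text):
    return datetime.strptime(text, "%H:%M:%S %b %d %Y")


def parse_key_chains(config):
    """Map chain -> key id -> {'accept'/'send': (start, end)}; end None = infinite."""
    chains, chain, key = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):        # top-level command: leave any open chain
            chain = key = None
        if line.startswith("key chain "):
            chain = line.split()[2]
            chains[chain] = {}
        elif line.startswith("key ") and chain is not None:
            key = int(line.split()[1])
            chains[chain][key] = {}
        elif key is not None and (m := LIFETIME_RE.match(line)):
            start, tail = parse_stamp(m.group(2)), m.group(3)
            if tail == "infinite":
                end = None
            elif tail.startswith("duration"):
                end = start + timedelta(seconds=int(tail.split()[1]))
            else:
                end = parse_stamp(tail)
            chains[chain][key][m.group(1)] = (start, end)
    return chains


def audit_key_chains(config, max_days=MAX_KEY_DAYS):
    """Return finding strings for V-7009 (no infinite key) and V-14667 (>180 days)."""
    findings = []
    for chain, keys in parse_key_chains(config).items():
        has_infinite = False
        for key_id, lifetimes in keys.items():
            # IOS treats a key with no lifetime statements as always valid.
            if not lifetimes or all(end is None for _, end in lifetimes.values()):
                has_infinite = True
            for kind, (start, end) in lifetimes.items():
                if end is None:
                    continue
                days = (end - start).total_seconds() / 86400
                if days > max_days:
                    findings.append(f"V-14667: chain {chain} key {key_id} {kind}-lifetime "
                                    f"spans {days:.1f} days (limit {max_days})")
        if not has_infinite:
            findings.append(f"V-7009: chain {chain} has no key with an infinite lifetime")
    return findings


if __name__ == "__main__":
    for finding in audit_key_chains(SAMPLE_CONFIG):
        print(finding)
```

Against the sample the chain "trees" passes V-7009 but key 1 is flagged under V-14667 (181 days), while "shortlived" fails both checks.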
V-15434 - Emergency administration account privilege level is not set. - CAT I - Affected devices: router03, CiscoIOS15
Review the emergency administration account configured on the network devices and verify that it has been assigned to a privilege level that will enable the administrator to perform necessary administrative functions when the authentication server is not online.
If the emergency administration account is configured for more access than needed to troubleshoot issues, this is a finding.

V-3984 - Access switch ports are assigned to the native VLAN - CAT II - Affected devices: router03
Review the switch configurations and examine all access ports. Verify that they do not belong to the native VLAN.
If any access switch ports are assigned to the native VLAN, it is a finding.

V-5622 - A dedicated VLAN is required for all trunk ports. - CAT II - Affected devices: router03
Review the device configuration and examine all trunk links. Verify the native VLAN has been configured to a VLAN other than the default VLAN 1.
If the native VLAN has been configured to VLAN 1, this is a finding.

V-5623 - Ensure trunking is disabled on all access ports. - CAT II - Affected devices: router03
Review the device configuration to determine if trunking has been disabled on access ports.
If trunking is enabled on any access port, this is a finding.

V-5624 - Re-authentication must occur every 60 minutes. - CAT II - Affected devices: router03
Ensure 802.1x reauthentication occurs every 60 minutes.

V-5628 - The VLAN 1 is being used for management traffic. - CAT II - Affected devices: router03
Review the device configurations to determine if a dedicated VLAN(s) have been implemented for the management network. VLAN 1 must not be used.
If a dedicated VLAN or VLANs have not been established for the management network, this is a finding.
If VLAN 1 is used for management, this is also a finding.

V-17815 - IGP instances do not peer with appropriate domain - CAT II - Affected devices: router03
Verify that the OOBM interface is an adjacency only in the IGP routing domain for the management network. The following would be an example where EIGRP is run on the management network 10.0.0.0 and OSPF in the managed network 172.20.0.0. The network 10.1.20.0/24 is the OOBM backbone and 10.1.1.0 is the local management LAN connecting to the OOBM interfaces of the managed network (i.e., the private and service network) elements.
interface Serial0/0
 description to_OOBM_Backbone
 ip address 10.1.20.3 255.255.255.0
interface Fastethernet0/0
 description Enclave_Management_LAN
 ip address 10.1.1.1 255.255.255.0
interface Fastethernet0/1
 description to_our_PrivateNet
 ip address 172.20.4.2 255.255.255.0
interface Fastethernet0/2
 description to_our_ServiceNet
 ip address 172.20.5.2 255.255.255.0
!
router ospf 1
 network 172.20.0.0
!
router eigrp 12
 network 10.0.0.0
 passive-interface Fastethernet0/1
Note: the passive-interface command is configured to avoid building an EIGRP adjacency with a managed router, while at the same time, enabling EIGRP to advertise the enclave's management subnet to the EIGRP neighbors of the management network backbone.
If the non-dedicated OOBM gateway and the NOC gateway are not connected by an OOB backbone, that is, connectivity is provided over an IP backbone (i.e. NIPRNet), and an IGP is used to advertise routes within the management network, the IGP traffic must be encapsulated via GRE so that it can traverse the IPsec tunnel. The configuration below is an example of GRE over IPSec. The IPSec policy is applied to the GRE traffic that will encapsulate IGP packets (notice the EIGRP network statement includes the GRE tunnel; hence, EIGRP will form adjacencies with neighbors on the other side of this tunnel).
Premise Router Configuration
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ourkey address 166.4.24.3
!
crypto ipsec transform-set VPN-trans esp-3des esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 166.4.24.3
 set transform-set VPN-trans
 match address 102
!
interface Ethernet1
 ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
 ip address 141.22.4.3 255.255.255.252
!
interface Tunnel0
 ip address 10.10.255.1 255.255.255.252
 ip mtu 1400
 tunnel source Serial0/0
 tunnel destination 166.4.24.3
 crypto map vpnmap
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 141.22.4.1
!
access-list 102 permit gre host 141.22.4.3 host 166.4.24.3
OOBM VPN Gateway Configuration
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ourkey address 141.22.4.3
!
crypto ipsec transform-set VPN-trans esp-3des esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 141.22.4.3
 set transform-set VPN-trans
 match address 102
!
interface Ethernet1
 ip address 10.1.2.1 255.255.255.0
!
interface Serial1/0
 ip address 166.4.24.3 255.255.255.252
!
interface Tunnel0
 ip address 10.10.255.2 255.255.255.252
 ip mtu 1400
 tunnel source Serial0/0
 tunnel destination 141.22.4.3
 crypto map vpnmap
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 166.4.24.1
!
access-list 102 permit gre host 166.4.24.3 host 141.22.4.3
V-17824 - Management interface is assigned to a user VLAN. - CAT II - Affected devices: router03
Review the managed switch configuration and verify that the access port connected to the OOBM access switch has been assigned to the management VLAN. By default, the management VLAN is VLAN 1; however, the management VLAN must be configured to a different VLAN. As shown in the following configuration example, FastEthernet 0/1 is the port connected to the OOBM access switch and VLAN 101 is the management VLAN.
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 2
 switchport mode access
This can also be verified by entering a Privileged EXEC show vlan command on the switch CLI as illustrated in the following example output of a Cisco 2950:
2950# show vlan
VLAN Name        Status   Ports
---- ----------- -------- --------------------------------
2    Production  active   Fa0/2, Fa0/3, Fa0/4, Fa0/5,
...
                          Fa0/21, Fa0/22, Fa0/23, Fa0/24
10   Management  active   Fa0/1

V-17826 - Invalid ports with membership to the mgmt VLAN - CAT II - Affected devices: router03
The management VLAN must be pruned from any VLAN trunk links belonging to the managed network's infrastructure. By default all the VLANs that exist on a switch are active on a trunk link. Since the switch is being managed via OOBM connection, management traffic should not traverse any trunk links. The following Catalyst IOS configuration is an example of a trunk link with the management VLAN (i.e. 10) pruned from a trunk.
interface fastEthernet 0/1
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
 switchport trunk native vlan 3
 switchport trunk allowed vlan 2-9
This can also be verified with the show interface trunk command as shown below:
Switch-A# show interface trunk
Port   Mode       Encapsulation  Status    Native vlan
Fa0/1  desirable  802.1q         trunking  3
Port   Vlans allowed on trunk
Fa0/1  2-9
Port   Vlans in spanning tree forwarding state and not pruned
Fa0/1  2-5
Note: VTP pruning allows the switch to not forward user traffic for VLANs that are not active on a remote switch. This feature dynamically prunes unneeded traffic across trunk links. VTP pruning needs to be enabled on the server for the VTP domains, after which all VTP clients in the VTP domain will automatically enable VTP pruning. To enable VTP pruning on a Cisco IOS switch, you use the vtp pruning VLAN configuration or global configuration command. Since the management VLAN will be active on all managed switches, VTP will never prune this VLAN. Hence, it will have to be manually removed as shown above.

V-17832 - Mgmt VLAN does not have correct IP address - CAT II - Affected devices: router03
Review the switch configuration and verify that the management VLAN has been assigned an IP address from the management network address block. Following is an example for a Cisco Catalyst switch:
interface VLAN10
 description Management VLAN
 ip address 10.1.1.10 255.255.255.0
Note: The IP address of the switch can be accessed only by nodes connected to ports that belong to the management VLAN.

V-17833 - No ingress ACL on management VLAN interface - CAT II - Affected devices: router03
Review the configuration to determine if an inbound ACL has been configured for the management VLAN interface to block non-management traffic.
If an inbound ACL has not been configured, this is a finding.

V-18523 - ACLs do not protect against compromised servers - CAT II - Affected devices: router03
Review the firewall protecting the server farm. VLAN configurations should have a filter that secures the servers located on the VLAN segment. Identify the source IP addresses that have access to the servers and verify the privilege intended with the SA. The filter should be in a deny by default posture.
If the filter is not defined on the firewall and the architecture contains a layer 3 switch between the firewall and the server, then review the VLAN definition on the L3 switch.

V-18545 - Upstream access not restricted for non-802.1x VLAN - CAT II - Affected devices: router03
An ACL or firewall rule set can filter network traffic within the printer VLAN to only expected printer protocols. The SA managing the local enclave should identify the printer port traffic within the enclave. Ports commonly used by printers are typically TCP port 515, 631, 1782 and TCP ports 9100, 9101, 9102 but others are used throughout the industry. The SA can review RFC 1700 Port Assignments and review printer vendor documents for the filter rule-set. Verify the filter applied to the printer VLAN subnet.

V-18566 - NET-NAC-031 - CAT II - Affected devices: router03
Review the switch configuration to verify each access port is configured for a single registered MAC address.
Configuring port-security on the Cisco switch access port interface will automatically set the maximum number of registered MAC addresses to one. The value will not show up in the configuration of the switch itself. To validate the access port has a maximum value of one for allowable MAC addresses, you must run the following command:
Switch# show port-security interface
Show Command Example:
Switch# show port-security interface fa0/1
Port Security: Enabled
Port Status: Secure-down
Violation Mode: Shutdown
Aging Time: 0 mins
Aging Type: Absolute
SecureStatic Address Aging: Disabled
Maximum MAC Addresses: 1
Some technologies are exempt from requiring a single MAC address per access port; however, restrictions still apply. VoIP or VTC endpoints may provide a PC port so a PC can be connected. Each of the devices will need to be statically assigned to each access port.
Another green initiative where a single LAN drop is shared among several devices is called "hot-desking", which is related to conservation of office space and teleworking. Hot-desking is where several people are assigned to work at the same desk at different times, each user with their own PC. In this case, a different MAC address needs to be permitted for each PC that is connecting to the LAN drop in the workspace. Additionally, this workspace could contain a single phone (and possibly desktop VTC endpoint) used by all assignees and the PC port on it might be the connection for their laptop. In this case, it is best not to use sticky port security, but to use a static mapping of authorized devices or implement 802.1x. If this is not a teleworking remote location, this exemption does not apply.
V-3008 - IPSec VPN is not configured as a tunnel type VPN. - CAT II - Affected devices: CiscoIOS15
Have the SA display the configuration settings that enable this feature.
Review the network topology diagram, and review VPN concentrators. Determine if tunnel mode is being used by reviewing the configuration. Examples:
In CISCO
Router(config)# crypto ipsec transform-set transform-set-name transform1
Router(cfg-crypto-tran)# mode tunnel
OR in Junos
[edit security ipsec security-association sa-name] mode tunnel

V-3013 - Login banner is non-existent or not DOD-approved. - CAT II - Affected devices: router03, CiscoIOS15
Configure all management interfaces to the network device to display the DoD-mandated warning banner verbiage at logon regardless of the means of connection or communication. The required banner verbiage that must be displayed verbatim is as follows:
Option A
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Option B
If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: "I've read & consent to terms in IS user agreem't."

V-3021 - SNMP access is not restricted by IP address. - CAT II - Affected devices: router03
Configure the network devices to only allow SNMP access from only addresses belonging to the management network.

V-3021 - SNMP access is not restricted by IP address. - CAT II - Affected devices: CiscoIOS15
Review device configuration and verify that it is configured to only allow SNMP access from only addresses belonging to the management network. The following examples for SNMPv1, 2, and 3 depict the use of an ACL to restrict SNMP access to the device.
SNMPv1/v2c Configuration Example
The example ACL NMS_LIST is used to define what network management stations can access the device for write and read only (poll).
ip access-list standard NMS_LIST
 permit 10.1.1.24
 permit 10.1.1.22
 permit 10.1.1.23
!
snmp-server community ourCommStrRO RW NMS_LIST
snmp-server community write_pw RW NMS_LIST
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.1.1.1 trap_comm_string
Note: If you enter the snmp-server host command with no keywords, the default is version 1 and to send all enabled traps to the host. No informs will be sent to this host. If no traps or informs keyword is present, traps are sent.
SNMPv3 Configuration Example
The example ACLs NMS_LIST and ADMIN_LIST are used to define what network management stations and administrator (users) desktops can access the device.
ip access-list standard ADMIN_LIST
 permit 10.1.1.35
 permit 10.1.1.36
ip access-list standard NMS_LIST
 permit 10.1.1.24
 permit 10.1.1.22
 permit 10.1.1.23
!
snmp-server group NOC v3 priv read VIEW_ALL write VIEW_LIMIT access NMS_LIST
snmp-server group TRAP_GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server group ADMIN_GROUP v3 priv read VIEW_ALL write VIEW_ALL access ADMIN_LIST
snmp-server view VIEW_ALL internet included
snmp-server view VIEW_LIMIT internet included
snmp-server view VIEW_LIMIT internet.6.3.15 excluded
snmp-server view VIEW_LIMIT internet.6.3.16 excluded
snmp-server view VIEW_LIMIT internet.6.3.18 excluded
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.1.1.24 version 3 priv TRAP_NMS1
Note: For the configured group TRAP_GROUP, the notify view is auto-generated by the snmp-server host command, which binds the user (TRAP_NMS1) and the group it belongs to (TRAP_GROUP) to the list of notifications (traps or informs) which are sent to the host. Hence, the configuration snmp-server group TRAP_GROUP v3 results in the following:
snmp-server group TRAP_GROUP v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
Note: Not required but for illustration purposes, the VIEW_LIMIT excludes MIB objects which could potentially reveal information about configured SNMP credentials. These objects are snmpUsmMIB, snmpVacmMIB, and snmpCommunityMIB, which are configured as 1.3.6.1.6.3.15, 1.3.6.1.6.3.16, and 1.3.6.1.6.3.18 respectively.
Note that SNMPv3 users are not shown in a running configuration. You can view them with the show snmp user command. So for example, if the following users were configured as such:
snmp-server user HP_OV NOC v3 auth sha HPOVpswd priv aes 256 HPOVsecretkey
snmp-server user Admin1 ADMIN_GROUP v3 auth sha Admin1PW priv aes 256 Admin1key
snmp-server user Admin2 ADMIN_GROUP v3 auth md5 Admin2pass priv 3des Admin2key
snmp-server user TRAP_NMS1 TRAP_GROUP v3 auth sha trap_nms1_pw priv aes trap_nms1_key
The show snmp user command would depict the configured users as follows:
R1# show snmp user
User name: HP_OV
Engine ID: AB12CD34EF56
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: NOC
User name: Admin1
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: ADMIN_GROUP
User name: Admin2
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: ADMIN_GROUP
User name: TRAP_NMS1
Engine ID: 800000090300C20013080000
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: AES256
Group-name: TRAP_GROUP
R1#
V-3034 - Interior routing protocols are not authenticated. - CAT II - Affected devices: router03
Configure authentication for all IGP peers.

V-3057 - Accounts assigned least privileges necessary to perform duties. - CAT II - Affected devices: router03, CiscoIOS15
Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the greatest privilege level unless deemed necessary for assigned duties.
If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding.
Below is an example of assigning a privilege level to a local user account and changing the default privilege level of the configure terminal command.
username junior-engineer1 privilege 7 password xxxxxx
privilege exec level 7 configure terminal
The above example only covers local accounts. You will also need to check the accounts and their associated privilege levels configured in the authentication server. You can also use TACACS+ for even more granularity at the command level as shown in the following example:
user = junior-engineer1 {
 password = clear "xxxxx"
 service = shell {
  set priv-lvl = 7
 }
}

V-3058 - Unauthorized accounts are configured to access device. - CAT II - Affected devices: router03, CiscoIOS15
Review the organization's responsibilities list and reconcile the list of authorized accounts with those accounts defined for access to the network device.
If an unauthorized account is configured for access to the device, this is a finding.

V-3069 - Management connections must be secured by FIPS 140-2. - CAT II - Affected devices: router03
Configure the network device to use secure protocols with FIPS 140-2 validated cryptographic modules.

V-3081 - IP Source Routing is not disabled on all routers. - CAT II - Affected devices: router03
Configure the router to disable IP source routing.

V-3085 - HTTP server is not disabled - CAT II - Affected devices: router03
Configure the device to disable using HTTP (port 80) for administrative access.

V-3160 - Operating system is not at a current release level. - CAT II - Affected devices: router03, CiscoIOS15
Have the administrator enter the show version command to determine the installed IOS version. As of June 2010, the latest major release is 12.4 for routers and 12.2 for switches (both access and multi-layer). The release being used must have all IAVMs resolved and must not be in a Cisco deferred status or have been made obsolete.
Ask the administrator to log in to the Cisco Software Center to download software. Select the specific router or switch model. Select the IOS Software link and then verify that the release being used is listed under the release family (will need to expand the list) and not in the deferred list. If the release is not listed in either the release family or deferred, then the release is obsolete.
Verify that all IAVMs have been addressed.
Note: Cisco software in a deferred state will still be at the Cisco Software Center and available for download under the deferred group, whereas software made obsolete is no longer available for download. Deferred status occurs when a software maintenance release is made obsolete and removed from orderability and service outside of Cisco's normal release schedule, or Cisco cancels a scheduled maintenance release from reaching the First-Customer-Ship (FCS) milestone. Deferrals are most often related to software quality issues. A deferral can be performed for an entire maintenance release, or just for certain sets of platforms or features within a release. A deferral prior to the FCS milestone may be performed by Cisco to protect customers from receiving software with known catastrophic defects. A deferral after FCS will expedite obsolescence for the release to limit the exposure of customers.

V-3966 - More than one local account is defined. - CAT II - Affected devices: router03, CiscoIOS15
Configure the device to only allow one local account of last resort for emergency access and store the credentials in a secure manner.

V-3969 - Network element must only allow SNMP read access. - CAT II - Affected devices: router03
Configure the network device to allow for read-only SNMP access when using SNMPv1, v2c, or basic v3 (no authentication or privacy). Write access may be used if authentication is configured when using SNMPv3.

V-5611 - Management connections are not restricted. - CAT II - Affected devices: router03, CiscoIOS15
Review the configuration and verify that management access to the device is allowed only from the management network address space. The configuration should look similar to the following:
access-list 3 permit 192.168.1.10 log
access-list 3 permit 192.168.1.11 log
access-list 3 deny any log
...
line vty 0 4
 access-class 3 in
If management access can be gained from outside of the authorized management network, this is a finding.
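The following Python checker is an added example, not Nipper Studio's own code, that applies several of the Table 435 checks to a running configuration: reversible passwords (V-3062), default or unrestricted SNMP communities (V-3210, V-3021), SNMPv1/v2c write access (V-3969), the HTTP server (V-3085), the TCP synwait timer (V-5646, further down this table) and vty lines without an inbound access-class (V-5611). The sample configuration is constructed; its hostname, credentials and community names are not taken from the audited devices.

```python
import re

# Constructed sample running-config (not from the audited devices) that fails
# several of the checks in Table 435 on purpose.
SAMPLE_RUNNING_CONFIG = """\
hostname router03
!
username admin privilege 15 password 7 0822455D0A16
username oncall secret 5 $1$abcd$examplehashvalue
enable password cisco123
!
ip http server
ip tcp synwait-time 30
!
access-list 3 permit 192.168.1.10 log
access-list 3 permit 192.168.1.11 log
access-list 3 deny any log
!
snmp-server community public RO
snmp-server community n3tm0n RW 3
!
line vty 0 4
 transport input ssh
line vty 5 15
 access-class 3 in
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}  # V-3210: vendor default strings
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$")
PASSWORD_RE = re.compile(r"^username \S+ (privilege \d+ )?password ")


def split_config(config):
    """Return (top-level command lines, {'line ...' header: [sub-commands]})."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):
            top.append(raw.rstrip())
            current = raw.rstrip() if raw.startswith("line ") else None
            if current:
                sections[current] = []
        elif current:
            sections[current].append(raw.strip())
    return top, sections


def audit_management_plane(config):
    """Return one finding string per failed check, prefixed with the STIG ID."""
    top, sections = split_config(config)
    findings, synwait = [], None
    for cmd in top:
        if PASSWORD_RE.match(cmd) or cmd.startswith("enable password "):
            # type 0 / type 7 passwords are recoverable from the config (V-3062)
            findings.append(f"V-3062: reversible password in '{' '.join(cmd.split()[:2])}'")
        if cmd == "ip http server":
            findings.append("V-3085: HTTP server enabled for administrative access")
        if cmd.startswith("ip tcp synwait-time "):
            synwait = int(cmd.split()[-1])
        m = COMMUNITY_RE.match(cmd)
        if m:
            name, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"V-3210: default SNMP community '{name}' in use")
            if acl is None:
                findings.append(f"V-3021: community '{name}' not restricted by an access list")
            if mode == "RW":
                findings.append(f"V-3969: write access granted to SNMPv1/v2c community '{name}'")
    # V-5646: the IOS default synwait-time is 30 s; the STIG wants 10 s or less
    if synwait is None or synwait > 10:
        findings.append(f"V-5646: ip tcp synwait-time is {synwait or 30} s (must be 10 or less)")
    for header, sub in sections.items():
        if header.startswith("line vty") and not any(
                re.match(r"^access-class \S+ in$", s) for s in sub):
            findings.append(f"V-5611: '{header}' has no inbound access-class")
    return findings


if __name__ == "__main__":
    for finding in audit_management_plane(SAMPLE_RUNNING_CONFIG):
        print(finding)
```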
V-5612 - SSH session timeout is not 60 seconds or less. - CAT II - Affected devices: CiscoIOS15
Configure the network devices so it will require a secure shell timeout of 60 seconds or less.

V-5646 - Devices not configured to filter and drop half-open connections. - CAT II - Affected devices: router03, CiscoIOS15
Review the device configuration to validate threshold filters or timeout periods are set for dropping excessive half-open TCP connections.
For timeout periods, the time should be set to 10 seconds or less. If the device cannot be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering.
IOS Configuration Example:
ip tcp synwait-time 10

V-14671 - NTP messages are not authenticated. - CAT II - Affected devices: router03
Configure the device to authenticate all received NTP messages using either PKI (supported in NTP v4) or a FIPS-approved message authentication code algorithm.

V-14705 - IPv6 routers are not configured with CEF enabled - CAT II - Affected devices: router03, CiscoIOS15
IOS Procedure: Review all Cisco routers to ensure that CEF has been enabled. The configuration should look similar to the following:
ipv6 cef

V-14707 - IPv6 Egress Outbound Spoofing Filter - CAT II - Affected devices: router03, CiscoIOS15
Unicast Strict mode: Review the router configuration to ensure uRPF has been configured on all internal interfaces.

V-15288 - ISATAP tunnels must terminate at interior router. - CAT II - Affected devices: router03, CiscoIOS15
Verify ISATAP tunnels are terminated on the infrastructure routers or L3 switches within the enclave.
Example configuration of an ISATAP tunnel endpoint:
interface tunnel 1
 no ip address
 no ip redirects
 tunnel source ethernet 1
 tunnel mode ipv6ip isatap
 ipv6 address 2001:0DB8::/64 eui-64
 no ipv6 nd suppress-ra

V-15432 - The device is not authenticated using a AAA server. - CAT II - Affected devices: router03, CiscoIOS15
Configure the device to use two separate authentication servers.

V-17754 - Management traffic is not restricted - CAT II - Affected devices: router03, CiscoIOS15
Review the device configuration to determine if IPSec tunnels used in transiting management traffic are filtered to only accept authorized traffic based on source and destination IP addresses of the management network.
If filters are not restricting only authorized management traffic into the IPSec tunnel, this is a finding.

V-17814 - Remote VPN end-point not a mirror of local gateway - CAT II - Affected devices: router03, CiscoIOS15
Verify the configuration at the remote VPN end-point is a mirror configuration as that reviewed for the local end-point.

V-17815 - IGP instances do not peer with appropriate domain - CAT II - Affected devices: CiscoIOS15
Verify that the OOBM interface is an adjacency only in the IGP routing domain for the management network.

V-17817 - Managed network has access to OOBM gateway router - CAT II - Affected devices: router03, CiscoIOS15
Review the ACL or filters for the router's receive path and verify that only traffic sourced from the management network is allowed to access the router. This would include both management and control plane traffic.
Step 1: Verify that the global ip receive acl statement has been configured as shown in the following example:
ip receive acl 199
Note: The IOS IP Receive ACL feature provides filtering capability for traffic that is destined for the router. The IP Receive ACL filtering occurs after any input ACL bound to the ingress interface. On distributed platforms (i.e., 12000 series), the IP receive ACL filters traffic on the distributed line cards before packets are received by the route processor; thereby preventing the flood from degrading the performance of the route processor.
Step 2: Determine the address block of the management network at the NOC. In the example configuration below, the 10.2.2.0/24 is the management network at the NOC.
Step 3: Verify that the ACL referenced by the ip receive acl statement restricts all management plane traffic to the validated network management address block at the NOC. Management traffic can include telnet, SSH, SNMP, TACACS, RADIUS, TFTP, FTP, and ICMP. Control plane traffic from OOBM backbone neighbors should also be allowed to access the router. The ACL configuration should look similar to the following:
access-list 199 deny ip any any fragments
access-list 199 permit ospf 10.1.20.0 0.0.0.255 any
access-list 199 permit tcp 10.2.2.0 0.0.0.255 any eq ssh
access-list 199 permit udp host 10.2.2.24 any eq snmp
access-list 199 permit udp host 10.2.2.25 any eq snmp
access-list 199 permit udp host 10.2.2.26 any eq ntp
access-list 199 permit udp host 10.2.2.27 any eq ntp
access-list 199 permit tcp host 10.2.2.30 eq tacacs any gt 1023 established
access-list 199 permit tcp host 10.2.2.77 eq ftp any gt 1023 established
access-list 199 permit tcp host 10.2.2.77 gt 1024 any eq ftp-data
access-list 199 permit icmp 10.2.2.0 0.0.0.255 any
access-list 199 deny ip any any log
In the example above, the OSPF neighbors would be adjacencies with the OOBM backbone network 10.1.20.0/24.
If the platform does not support the receive path filter, then verify that all non-OOBM interfaces have an ingress ACL to restrict access to that interface address or any of the router's loopback addresses to only traffic sourced from the management network. Exception would be to allow packets destined to these interfaces used for troubleshooting such as ping and traceroute.
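To see what the receive-path ACL above actually admits, here is an added Python model (not from the report and not IOS code) that parses numbered extended ACEs and evaluates constructed packets against them in first-match order, ending in the implicit deny. The port-name table and the sample packets are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed input: the receive-path ACL from the V-17817 example, entered verbatim.
RECEIVE_ACL = """\
access-list 199 deny ip any any fragments
access-list 199 permit ospf 10.1.20.0 0.0.0.255 any
access-list 199 permit tcp 10.2.2.0 0.0.0.255 any eq ssh
access-list 199 permit udp host 10.2.2.24 any eq snmp
access-list 199 permit udp host 10.2.2.25 any eq snmp
access-list 199 permit udp host 10.2.2.26 any eq ntp
access-list 199 permit udp host 10.2.2.27 any eq ntp
access-list 199 permit tcp host 10.2.2.30 eq tacacs any gt 1023 established
access-list 199 permit tcp host 10.2.2.77 eq ftp any gt 1023 established
access-list 199 permit tcp host 10.2.2.77 gt 1024 any eq ftp-data
access-list 199 permit icmp 10.2.2.0 0.0.0.255 any
access-list 199 deny ip any any log
"""

# Well-known port names used in the ACL (assumed table; IOS resolves these itself)
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "tacacs": 49, "ntp": 123, "snmp": 161}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", "ospf", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP ACK or RST bit set
    fragment: bool = False     # non-initial IP fragment (no L4 header)


def _addr(tokens, pos):
    """Parse 'any' | 'host A' | 'A WILDCARD' -> (network or None for any, next pos)."""
    if tokens[pos] == "any":
        return None, pos + 1
    if tokens[pos] == "host":
        return ipaddress.ip_network(tokens[pos + 1]), pos + 2
    # Convert the wildcard to a netmask so 0.0.0.0 cannot be misread as /0.
    wildcard = int(ipaddress.IPv4Address(tokens[pos + 1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[pos]}/{netmask}", strict=False), pos + 2


def _port(tokens, pos):
    """Parse an optional 'eq|gt|lt PORT' -> ((op, port) or None, next pos)."""
    if pos < len(tokens) and tokens[pos] in ("eq", "gt", "lt"):
        value = tokens[pos + 1]
        return (tokens[pos], PORT_NAMES.get(value) or int(value)), pos + 2
    return None, pos


def parse_acl(text):
    """Parse numbered extended ACEs into dicts, preserving configured order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        ace = {"action": t[2], "proto": t[3]}
        ace["src"], pos = _addr(t, 4)
        ace["sport"], pos = _port(t, pos)
        ace["dst"], pos = _addr(t, pos)
        ace["dport"], pos = _port(t, pos)
        ace["flags"] = set(t[pos:])          # established, fragments, log
        aces.append(ace)
    return aces


def _port_ok(cond, port):
    if cond is None:
        return True
    op, value = cond
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    for net, addr in ((ace["src"], pkt.src), (ace["dst"], pkt.dst)):
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    if "fragments" in ace["flags"]:
        return pkt.fragment           # 'fragments' ACEs match only non-initial fragments
    if pkt.fragment:
        return True                   # no L4 header: only the L3 fields are tested
    if "established" in ace["flags"] and not pkt.established:
        return False
    return _port_ok(ace["sport"], pkt.sport) and _port_ok(ace["dport"], pkt.dport)


def evaluate(aces, pkt):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for ace in aces:
        if matches(ace, pkt):
            return ace["action"]
    return "deny"
```

Evaluating a TACACS+ reply from 10.2.2.30 shows why the example carries `established`: the same packet without the ACK bit falls through to the final deny.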
V-
17818
Trafficfrom
themanaged
networkwill
leak
CATII ExaminetheegressfilterontheOOBMinterfaceofthegatewayroutertoverifythatonlytrafficsourcedfromthe
managementaddressspaceisallowedtotransittheOOBMbackbone.Intheexampleconfigurationsbelow,the10.1.1.0/24is
themanagementnetworkaddressspaceattheenclaveormanagednetworkand10.2.2.0/24isthemanagementnetwork
addressspaceattheNOC.
IOS
interfaceSerial0/0
descriptionto_OOBM_Backbone
ipaddress10.1.20.3255.255.255.0
ipaccess-group101out
interfaceFastethernet0/0
descriptionEnclave_Management_LAN
ipaddress10.1.1.1255.255.255.0
interfaceFastethernet0/1
descriptionto_our_ServiceNet
ipaddress172.20.5.2255.255.255.0
!
access-list101permitip10.1.1.00.0.0.25510.2.2.00.0.0.255
access-list101denyipanyanylog
router03
CiscoIOS15
V-
17819
Management
trafficleaks
intothe
managed
network
CATII ExaminetheingressfilterontheOOBMinterfaceofthegatewayroutertoverifythattrafficisonlydestinedtothelocal
managementaddressspace.Intheexampleconfigurationsbelow,the10.1.1.0/24isthelocalmanagementnetworkaddress
spaceattheenclaveormanagednetworkand10.2.2.0/24isthemanagementnetworkaddressspaceattheNOC.
IOS
interfaceSerial0/0
descriptionto_OOBM_Backbone
ipaddress10.1.20.3255.255.255.0
ipaccess-group100in
ipaccess-group101out
interfaceFastethernet0/0
descriptionEnclave_Management_LAN
ipaddress10.1.1.2255.255.255.0
interfaceFastethernet0/1
descriptionto_our_ServiceNet
router03
CiscoIOS15
ipaddress172.20.5.2255.255.255.0
interfaceFastethernet0/2
descriptionto_our_PrivateNet
ipaddress172.20.4.2255.255.255.0
!
access-list100permitip10.2.2.00.0.0.25510.1.1.00.0.0.255
access-list100denyipanyanylog
V-17821 | The OOBM interface is not configured correctly. | CAT II | router03, CiscoIOS15
After determining which interface is connected to the OOBM access switch, review the managed device configuration and verify that the interface has been assigned an address from the local management address block. In this example, that is 10.1.1.0/24.
Cisco router:
    interface FastEthernet0/0
     description Enclave_Management_LAN
     ip address 10.1.1.22 255.255.255.0
Cisco Catalyst MLS switch:
    interface VLAN101
     description Management_VLAN
     ip address 10.1.1.22 255.255.255.0
    …
    …
    interface FastEthernet1/6
     switchport access vlan 101
     switchport mode access
or
    interface FastEthernet1/6
     no switchport
     ip address 10.1.1.22 255.255.255.0
Caveat: If the interface is configured as a routed interface as shown in the above configuration, the requirements specified in NOC180 must be implemented.
V-17822 | The management interface does not have an ACL. | CAT II | router03, CiscoIOS15
Step 1: Verify that the managed interface has an inbound and outbound ACL configured as shown in the following example:
    interface FastEthernet1/1
     description Enclave_Management_LAN
     ip address 10.1.1.22 255.255.255.0
     ip access-group 100 in
     ip access-group 101 out
Step 2: Verify that the ingress ACL blocks all transit traffic, that is, any traffic not destined to the router itself. In addition, traffic accessing the managed elements should be originated at the NOC. In the example, the management network at the NOC is 10.2.2.0/24.
    access-list 100 permit ip 10.2.2.0 0.0.0.255 host 10.1.1.22
    access-list 100 deny ip any any log
Note that the destination used by any host within the management network to access the managed elements must be via the management interface. The loopback should not be a valid address, since these prefixes would not be advertised into the management network IGP domain. This could only be possible if the managed network elements had an IGP adjacency with the managed network, which should not be the case.
Step 3: Verify that the egress ACL blocks any traffic not originated by the managed element:
    access-list 101 deny ip any any log
Cisco router-generated packets are not inspected by outgoing access-lists. Hence, the above configuration would simply drop any packets not generated by the router itself and allow all local traffic. To filter local traffic, IOS provides a feature called local policy routing, which enables the administrator to apply a route-map to any local router-generated traffic. To prohibit outgoing traffic from the local router to any destination other than the NOC, a configuration such as the following could be used:
    ! Do not drop traffic destined to 10.2.2.0/24. Hence, do not include it in
    ! the local policy route map, but include all other destinations.
    !
    ip access-list extended BLOCK_INVALID_DEST
     deny ip any 10.2.2.0 0.0.0.255
     permit ip any any
    !
    route-map LOCAL_POLICY 10
     match ip address BLOCK_INVALID_DEST
     set interface Null0
    !
    ip local policy route-map LOCAL_POLICY
Alternative solution: the IOS Management Plane Protection feature
Cisco introduced the Management Plane Protection (MPP) feature with IOS 12.4(6)T, which allows any physical in-band interface to be dedicated for OOB management. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Management traffic is permitted to enter a device only through these management interfaces. All of the other in-band interfaces not enabled for MPP will automatically drop all ingress packets associated with any of the supported MPP protocols (FTP, HTTP, HTTPS, SCP, SSH, SNMP, Telnet, and TFTP). Hence, after MPP is enabled, no interfaces except management interfaces will accept network management traffic destined to the device. This feature also provides the capability to restrict which management protocols are allowed. This feature does not change the behavior of the console, auxiliary, and management Ethernet interfaces. The following configuration example depicts FastEthernet1/1 as the designated management interface that will only allow SSH and SNMP traffic.
    control-plane host
     management-interface FastEthernet1/1 allow ssh snmp
    !
    interface FastEthernet1/1
     description Enclave_Management_LAN
     ip address 10.1.1.22 255.255.255.0
V-17834 | No inbound ACL for mgmt network sub-interface | CAT II | router03, CiscoIOS15
Review the router configuration and verify that an inbound ACL has been configured for the management network sub-interface as illustrated in the following example configuration:
IOS:
    interface GigabitEthernet3
     no ip redirects
     no ip directed-broadcast
    interface GigabitEthernet3.10
     encapsulation dot1q 10
     description Management VLAN
     ip address 10.1.1.1 255.255.255.0
     ip access-group 108 in
    !
    access-list 108 permit …
V-17835 | IPSec traffic is not restricted | CAT II | router03, CiscoIOS15
Verify that all traffic from the managed network to the management network and vice versa is secured via IPSec encapsulation. In the configuration examples, 10.2.2.0/24 is the management network at the NOC and 192.168.1.0/24 is the address space used at the network being managed (i.e., the enclave). For a Cisco router, the access-list referenced by the crypto map must have the source and destination addresses belonging to the management network address space at the enclave and NOC respectively.
    hostname Premrouter
    !
    interface Serial1/0
     ip address 19.16.1.1 255.255.255.0
     description NIPRNet_Link
     crypto map myvpn
    interface FastEthernet0/0
     description Enclave_Management_LAN
     ip address 192.168.1.1 255.255.255.0
    !
    crypto isakmp policy 1
     authentication pre-share
     lifetime 84600
    crypto isakmp key ******* address 19.16.2.1
    !
    crypto ipsec transform-set toNOC esp-des esp-md5-hmac
    !
    crypto map myvpn 10 ipsec-isakmp
     set peer 19.16.2.1
     set transform-set toNOC
     match address 101
    !
    ! Source restricted to the enclave management space, as the text above requires
    access-list 101 permit ip 192.168.1.0 0.0.0.255 10.2.2.0 0.0.0.255
V-18522 | ACLs must restrict access to server VLANs. | CAT II | router03, CiscoIOS15
Review the device configuration to validate that an ACL with a deny-by-default security posture has been implemented on the server VLAN interface.
V-18790 | NET-TUNL-012 | CAT II | router03, CiscoIOS15
Identify the tunnel endpoints, then review all routing devices to ensure the tunnel entry point is not used as a default route. Traffic destined to the tunnel should be directed to the tunnel endpoint by static routes, policy-based routing, or by the mechanics of the interior routing protocol, but not by default route statements.
V-19188 | Control plane protection is not enabled. | CAT II | router03, CiscoIOS15
Control Plane Policing (CoPP)
If supported by the router, CoPP should be used to increase security on Cisco routers by protecting the RP from unnecessary and malicious traffic. CoPP allows network operators to classify traffic based on importance, which then enables the router to filter and rate-limit the traffic according to the defined policy for each class.
Step 1: Verify that traffic types have been classified based on importance levels. The following is an example configuration:
    class-map match-all CoPP_CRITICAL
     match access-group name CoPP_CRITICAL
    class-map match-any CoPP_IMPORTANT
     match access-group name CoPP_IMPORTANT
     match protocol arp
    class-map match-all CoPP_NORMAL
     match access-group name CoPP_NORMAL
    class-map match-any CoPP_UNDESIRABLE
     match access-group name CoPP_UNDESIRABLE
    class-map match-all CoPP_DEFAULT
     match access-group name CoPP_DEFAULT
Step 2: Review the ACLs referenced by the match access-group commands to determine if the traffic is being classified appropriately. The following is an example configuration:
    ip access-list extended CoPP_CRITICAL
     remark our control plane adjacencies are critical
     permit ospf host [OSPF neighbor A] any
     permit ospf host [OSPF neighbor B] any
     permit pim host [PIM neighbor A] any
     permit pim host [PIM neighbor B] any
     permit pim host [RP addr] any
     permit igmp any 224.0.0.0 15.255.255.255
     permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
     permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
     deny ip any any
    ip access-list extended CoPP_IMPORTANT
     permit tcp host [TACACS server] eq tacacs any
     permit tcp [management subnet] 0.0.0.255 any eq 22
     permit udp host [SNMP manager] any eq snmp
     permit udp host [NTP server] eq ntp any
     deny ip any any
    ip access-list extended CoPP_NORMAL
     remark we will want to rate limit ICMP traffic
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any time-exceeded
     permit icmp any any unreachable
     deny ip any any
    ip access-list extended CoPP_UNDESIRABLE
     remark other management plane traffic that should not be received
     permit udp any any eq ntp
     permit udp any any eq snmptrap
     permit tcp any any eq 22
     permit tcp any any eq 23
     remark other control plane traffic not configured on router
     permit eigrp any any
     permit udp any any eq rip
     deny ip any any
    ip access-list extended CoPP_DEFAULT
     permit ip any any
Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command.
Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. The following is an example configuration:
    policy-map CONTROL_PLANE_POLICY
     class CoPP_CRITICAL
      police 512000 8000 conform-action transmit exceed-action transmit
     class CoPP_IMPORTANT
      police 256000 4000 conform-action transmit exceed-action drop
     class CoPP_NORMAL
      police 128000 2000 conform-action transmit exceed-action drop
     class CoPP_UNDESIRABLE
      police 8000 1000 conform-action drop exceed-action drop
     class CoPP_DEFAULT
      police 64000 1000 conform-action transmit exceed-action drop
Step 4: Verify that the CoPP policy is enabled. The following is an example configuration:
    control-plane
     service-policy input CONTROL_PLANE_POLICY
Note: Starting with IOS release 12.4(4)T, Control Plane Protection (CPPr) can be used to filter as well as police control plane traffic destined to the RP. CPPr is very similar to CoPP and has the ability to filter and police traffic using finer granularity by dividing the aggregate control plane into three separate categories: (1) host, (2) transit, and (3) CEF-exception. Hence, a separate policy-map could be configured for each traffic category.
If CoPP is not supported, then the alternative would be the implementation of a receive path filter.
Step 1: A receive path ACL or an inbound ACL on each interface must be configured to restrict traffic destined to the router. The IOS IP Receive ACL feature provides filtering capability explicitly for traffic that is destined for the router. Verify that the global ip receive acl statement has been configured as shown in the following example:
    ip receive acl 199
Note: If the platform does not support the ip receive path acl feature, an inbound ACL on each interface must be configured.
Step 2: Verify that the ACL referenced by the ip receive acl statement restricts all control plane and management plane traffic. The ACL configuration should look similar to the following:
    access-list 199 deny ip any any fragments
    access-list 199 remark allow specific management plane traffic
    access-list 199 permit tcp [management subnet] 0.0.0.255 any eq 22
    access-list 199 permit udp host [SNMP manager] any eq snmp
    access-list 199 permit tcp host [TACACS server] eq tacacs any
    access-list 199 permit udp host [NTP server] eq ntp any
    access-list 199 permit icmp [management subnet] 0.0.0.255 any
    access-list 199 remark allow specific control plane traffic
    access-list 199 permit ospf host [OSPF neighbor A] any
    access-list 199 permit ospf host [OSPF neighbor B] any
    access-list 199 permit pim host [PIM neighbor A] any
    access-list 199 permit pim host [PIM neighbor B] any
    access-list 199 permit pim host [RP addr] any
    access-list 199 permit igmp any 224.0.0.0 15.255.255.255
    access-list 199 permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
    access-list 199 permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
    access-list 199 remark all other traffic destined to the device is dropped
    access-list 199 deny ip any any
Note: If the Management Plane Protection (MPP) feature is enabled for an OOBM interface, there would be no purpose in filtering this traffic on the receive path. With MPP enabled, no interfaces except the management interface will accept network management traffic destined to the device. This feature also provides the capability to restrict which management protocols are allowed. See NET0992 for additional configuration information.
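Steps 1 to 4 of the CoPP check above can be run mechanically over a configuration. The script below is an added example, not Nipper Studio code; its sample configuration is constructed from the STIG example and the class names are parameters, so other naming conventions can be checked the same way.

```python
"""Added example (not Nipper Studio code): check a CoPP configuration against Steps 1-4
of V-19188: every policed class has a class-map, the undesirable class is dropped, the
critical class is never dropped, and the policy is bound to the control plane.
The sample configuration is constructed from the STIG example above."""
import re

SAMPLE_COPP = """\
class-map match-all CoPP_CRITICAL
 match access-group name CoPP_CRITICAL
class-map match-any CoPP_IMPORTANT
 match access-group name CoPP_IMPORTANT
 match protocol arp
class-map match-all CoPP_NORMAL
 match access-group name CoPP_NORMAL
class-map match-any CoPP_UNDESIRABLE
 match access-group name CoPP_UNDESIRABLE
!
policy-map CONTROL_PLANE_POLICY
 class CoPP_CRITICAL
  police 512000 8000 conform-action transmit exceed-action transmit
 class CoPP_IMPORTANT
  police 256000 4000 conform-action transmit exceed-action drop
 class CoPP_NORMAL
  police 128000 2000 conform-action transmit exceed-action drop
 class CoPP_UNDESIRABLE
  police 8000 1000 conform-action drop exceed-action drop
 class class-default
  police 64000 1000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CONTROL_PLANE_POLICY
"""

POLICE_RE = re.compile(r"police (\d+) (\d+) conform-action (\w+) exceed-action (\w+)$")

def parse_copp(config):
    """Return (class_maps, policy_maps, bound): class_maps maps name -> match lines,
    policy_maps maps name -> {class: police dict or None}, bound is the policy-map
    applied with 'service-policy input' under 'control-plane' (None if absent)."""
    class_maps, policy_maps, bound = {}, {}, None
    section = cur_cm = cur_pm = cur_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("class-map "):
            section, cur_cm = "cm", line.split()[-1]
            class_maps[cur_cm] = []
        elif line.startswith("policy-map "):
            section, cur_pm = "pm", line.split()[1]
            policy_maps[cur_pm] = {}
        elif line == "control-plane":
            section = "cp"
        elif line == "!":
            section = None
        elif section == "cm" and line.startswith("match "):
            class_maps[cur_cm].append(line)
        elif section == "pm" and line.startswith("class "):
            cur_class = line.split()[1]
            policy_maps[cur_pm][cur_class] = None
        elif section == "pm" and (m := POLICE_RE.match(line)):
            policy_maps[cur_pm][cur_class] = {"cir": int(m.group(1)), "bc": int(m.group(2)),
                                              "conform": m.group(3), "exceed": m.group(4)}
        elif section == "cp" and line.startswith("service-policy input "):
            bound = line.split()[-1]
    return class_maps, policy_maps, bound

def audit_copp(config, critical="CoPP_CRITICAL", undesirable="CoPP_UNDESIRABLE"):
    """Return a list of findings keyed to the STIG steps; an empty list passes."""
    class_maps, policy_maps, bound = parse_copp(config)
    if bound is None:
        return ["Step 4: no 'service-policy input' under control-plane, CoPP is not enabled"]
    if bound not in policy_maps:
        return [f"Step 4: control-plane references undefined policy-map {bound}"]
    classes, findings = policy_maps[bound], []
    for cls, police in classes.items():
        if cls != "class-default" and cls not in class_maps:
            findings.append(f"Step 1: class {cls} in {bound} has no class-map")
        elif cls != "class-default" and not class_maps[cls]:
            findings.append(f"Step 1: class-map {cls} has no match statement")
        if police is None:
            findings.append(f"Step 3: class {cls} is not policed")
    for name in (critical, undesirable):
        if name not in classes:
            findings.append(f"Step 3: {name} is not a class of {bound}")
    und = classes.get(undesirable)
    if und and (und["conform"] != "drop" or und["exceed"] != "drop"):
        findings.append(f"Step 3: {undesirable} must drop conforming and exceeding traffic")
    crit = classes.get(critical)
    if crit and crit["exceed"] != "transmit":
        findings.append(f"Step 3: {critical} exceed-action drops control plane adjacencies")
    return findings

if __name__ == "__main__":
    for finding in audit_copp(SAMPLE_COPP) or ["compliant"]:
        print(finding)
```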
V-30577 | PIM enabled on wrong interfaces | CAT II | router03, CiscoIOS15
If IPv4 or IPv6 multicast routing is enabled, ensure that all interfaces enabled for PIM are documented in the network's multicast topology diagram. Review the router or multi-layer switch configuration to determine if multicast routing is enabled and which interfaces are enabled for PIM.
Step 1: Determine if multicast routing is enabled. By default, multicast is disabled globally. The following global configuration commands will enable IPv4 and IPv6 multicast routing:
    ip multicast-routing
    ipv6 multicast-routing
Step 2: PIM is enabled on an interface with either of the following commands: ip pim sparse-mode, ip pim dense-mode, ip pim sparse-dense-mode. Review all interface configurations and verify that only the required interfaces are enabled for PIM as documented in the network topology diagram.
With IPv4, PIM is disabled by default on all interfaces. Following is an example of an interface with PIM enabled.
    interface FastEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     ip pim sparse-mode
You can also verify which IPv4 interfaces are enabled for PIM with the show ip pim interface command.
With IPv6, PIM is enabled by default on all IPv6-enabled interfaces if IPv6 multicast routing is enabled on the router via the global ipv6 multicast-routing command. An interface can be disabled for PIM using the no ipv6 pim interface command.
    interface FastEthernet0/1
     ipv6 address 2001:1:0:146::/64 eui-64
     no ipv6 pim
You can also verify which IPv6 interfaces are enabled for PIM with the show ipv6 pim interface command.
V-30578 | PIM neighbor filter is not configured | CAT II | router03, CiscoIOS15
Review the router or multi-layer switch to determine if either IPv4 or IPv6 multicast routing is enabled. If either is enabled, verify that all interfaces enabled for PIM have a neighbor filter to only accept PIM control plane traffic from the documented routers according to the multicast topology diagram.
IPv4
Step 1: Verify that an ACL is configured that will specify the allowable PIM neighbors, similar to the following example:
    ip access-list standard PIM_NEIGHBORS
     permit 192.0.2.1
     permit 192.0.2.3
     deny any log
Step 2: Verify that a pim neighbor-filter command referencing the PIM neighbor ACL is configured on all PIM-enabled interfaces, similar to the following example:
    interface FastEthernet0/3
     ip address 192.0.2.2 255.255.255.0
     ip pim sparse-mode
     ip pim neighbor-filter PIM_NEIGHBORS
IPv6
Step 1: Verify that an ACL is configured that will specify the allowable PIM neighbors, similar to the following example:
    ipv6 access-list PIM_NEIGHBORS
     permit host FE80::1 any
     permit host FE80::3 any
     deny any any log
Note: IPv6 PIM adjacencies are created using the router unicast link-local addresses.
Step 2: Verify that a pim neighbor-filter global command is configured:
    ipv6 pim neighbor-filter list PIM_NEIGHBORS
V-31285 | BGP must authenticate all peers. | CAT II | router03
Configure the device to authenticate all BGP peers.
V-3972 | VLAN 1 traffic traverses across unnecessary trunk | CAT III | router03
Review the device configuration to determine if VLAN 1 is pruned from all trunk and access switch ports.
If VLAN 1 is not pruned from trunk or access switch ports where it's not required, this is a finding.
V-3973 | Disabled ports are not kept in an unused VLAN. | CAT III | router03
Review the device configuration to determine if all disabled ports have been placed into an unused VLAN. The VLAN must not be VLAN 1.
If disabled ports are not assigned to an unused VLAN or have been placed into VLAN 1, this is a finding.
V-17825 | Management VLAN has invalid addresses | CAT III | router03
Review the managed switch configuration and verify that an address has been configured for the management VLAN from space belonging to the OOBM network that has been assigned to that site.
    interface VLAN10
     ip address 10.1.1.10 255.255.255.0
     description Management VLAN
Note: The IP address of the switch can be accessed only by nodes connected to ports that belong to the management VLAN.
A default gateway address as shown below must be configured using the address of the OOBM gateway router interface connecting to the OOBM access switch. This will ensure that all management traffic is forwarded toward the NOC using the switch port attached to the OOBM access switch.
    ip default-gateway 10.1.1.1
V-17827 | The management VLAN is not pruned from trunk links | CAT III | router03
The management VLAN must be pruned from any VLAN trunk links belonging to the managed network's infrastructure. By default, all the VLANs that exist on a switch are active on a trunk link. Since the switch is being managed via an OOBM connection, management traffic should not traverse any trunk links. The following Catalyst IOS configuration is an example of a trunk link with the management VLAN (i.e. 10) pruned from the trunk.
    interface FastEthernet0/1
     switchport trunk encapsulation dot1q
     switchport mode dynamic desirable
     switchport trunk native vlan 3
     switchport trunk allowed vlan 2-9
This can also be verified with the show interface trunk command as shown below:
    Switch-A# show interface trunk
    Port      Mode         Encapsulation  Status    Native vlan
    Fa0/1     desirable    802.1q         trunking  3
    Port      Vlans allowed on trunk
    Fa0/1     2-9
    Port      Vlans in spanning tree forwarding state and not pruned
    Fa0/1     2-5
Note: VTP pruning allows the switch to not forward user traffic for VLANs that are not active on a remote switch. This feature dynamically prunes unneeded traffic across trunk links. VTP pruning needs to be enabled on the server for the VTP domain, after which all VTP clients in the VTP domain will automatically enable VTP pruning. To enable VTP pruning on a Cisco IOS switch, you use the vtp pruning VLAN configuration or global configuration command. Since the management VLAN will be active on all managed switches, VTP will never prune this VLAN. Hence, it will have to be manually removed as shown above.
V-18544 | Restricted VLAN not assigned to non-802.1x device. | CAT III | router03
Review the device configuration to determine if a VLAN has been established for printers.
V-3020 | DNS servers must be defined for client resolver. | CAT III | router03
Configure the device to include DNS servers or disable domain lookup.
V-3070 | Management connections must be logged. | CAT III | router03, CiscoIOS15
Configure the device to log all access attempts to the device to establish a management connection for administrative access.
V-3072 | Running and startup configurations are not synchronized. | CAT III | router03, CiscoIOS15
Review the running and boot configurations to determine if they are synchronized.
IOS Procedure: With online editing, the "show running-config" command will only show the current running configuration settings, which are different from the IOS defaults. The "show startup-config" command will show the NVRAM startup configuration. Compare the two configurations to ensure they are synchronized.
JUNOS Procedure: This will never be a finding. The active configuration is stored on flash as juniper.conf. A candidate configuration allows configuration changes while in configuration mode without initiating operational changes. The router implements the candidate configuration when it is committed, thereby making it the new active configuration, at which time it will be stored on flash as juniper.conf and the old juniper.conf will become juniper.conf.1.
If the running configuration and boot configurations are not the same, this is a finding.
V-3078 | TCP and UDP small server services are not disabled. | CAT III | router03
Change the device configuration to include the following IOS commands: no service tcp-small-servers and no service udp-small-servers for each device running an IOS version prior to 12.0. This is the default for IOS versions 12.0 and later (i.e., these commands will not appear in the running configuration).
V-3079 | The finger service is not disabled. | CAT III | router03
Configure the device to disable the Finger service.
V-3083 | IP directed broadcast is not disabled. | CAT III | router03
Disable IP directed broadcasts on all layer 3 interfaces.
V-3086 | The Bootp service is not disabled. | CAT III | router03
Configure the device to disable all BOOTP services.
V-4584 | The network element must log all messages except debugging. | CAT III | router03
Configure the network device to log all messages except debugging and send all log data to a syslog server.
V-5614 | The PAD service is enabled. | CAT III | router03
Configure the device to disable the PAD service.
V-5615 | TCP Keep-Alives must be enabled. | CAT III | router03
Configure the device to enable TCP Keep-Alives.
V-7011 | The auxiliary port is not disabled. | CAT III | router03, CiscoIOS15
Review the configuration and verify that the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected to it. The following configuration disables the Cisco IOS auxiliary port:
    line aux 0
     no exec
Note: The command transport input none must be configured under the line aux 0. However, this is the default and will not be shown in the running configuration.
V-14667 | Key expiration exceeds 180 days. | CAT III | router03, CiscoIOS15
Review the device configuration for key expirations of 180 days or less.
If rotating keys are not configured to expire at 180 days or less, this is a finding.
V-14674 | NTP traffic is not using loopback address or OOB Management interface. | CAT III | router03
Configure the device to use its loopback or OOB management interface address as the source address when originating NTP traffic.
V-14675 | SNMP traffic does not use loopback address or OOB Management interface. | CAT III | CiscoIOS15
Configure the device to use its loopback or OOB management interface address as the source address when originating SNMP traffic.
V-14676 | Netflow traffic is not using loopback address. | CAT III | router03, CiscoIOS15
Review the configuration and verify the loopback interface address is used as the source address when originating NetFlow traffic. If the device is managed from an OOB management network, the OOB interface must be used instead. The configuration should look similar to the following example:
    interface loopback0
     ip address 10.10.2.1 255.255.255.255
    …
    …
    ip flow-sampling-mode packet-interval 100
    ip flow-export destination 192.168.3.33 9991
    ip flow-export source Loopback0
Note: IOS allows multiple loopback interfaces to be defined.
V-14677 | FTP/TFTP traffic does not use loopback address or OOB Management interface. | CAT III | router03
Review the configuration and verify a loopback interface address is used as the source address when originating TFTP or FTP traffic.
    Router# show run
    Building configuration...
    !
    !
    interface Loopback0
     description Loopback interface
     ip address x.x.x.x 255.255.255.255
     no ip directed-broadcast
    !
    ...
    ip telnet source-interface Loopback0
    ip tftp source-interface Loopback0
    ip ftp source-interface Loopback0
If the device is managed from an OOB management network, the OOB interface must be used instead.
    Router# show run
    Building configuration...
    !
    ...
    ip tftp source-interface fe0/0
    ip ftp source-interface fe0/0
V-14681 | Loopback address is not used as the iBGP source IP. | CAT III | router03, CiscoIOS15
Verify that the peering sessions with iBGP neighbors use the loopback address as the source address, as shown in the example below:
    interface loopback0
     ip address 10.10.2.1 255.255.255.255
    …
    router bgp 100
     neighbor 200.200.200.2 remote-as 200
     neighbor 188.20.120.2 remote-as 144
     neighbor 10.10.2.2 remote-as 100
     neighbor 10.10.2.2 update-source Loopback0
     neighbor 10.10.2.3 remote-as 100
     neighbor 10.10.2.3 update-source Loopback0
V-17823 | The management interface is not IGP passive. | CAT III | router03, CiscoIOS15
If the managed network element is a layer 3 device, review the configuration to verify the management interface is configured as passive for the IGP instance for the managed network. Depending on the platform and routing protocol, this may simply require that the interface or its IP address is not included in the IGP configuration. The following configuration would be an example where OSPF is enabled on all interfaces except the management interface:
    interface FastEthernet0/0
     description Enclave_Management_LAN
     ip address 10.1.1.22 255.255.255.0
     ip access-group 100 in
     ip access-group 101 out
    interface FastEthernet0/1
     description to_our_PrivateNet
     ip address 172.20.4.2 255.255.255.0
    interface FastEthernet0/2
     description to_our_ServiceNet
     ip address 172.20.5.2 255.255.255.0
    interface FastEthernet1/1
     description to_our_DMZ
     ip address 172.20.3.1 255.255.255.0
    !
    router ospf 1
     ! wildcard mask covering the 172.20.x.x interfaces but not 10.1.1.22
     network 172.20.0.0 0.0.255.255 area 1
Note: The MPP feature has no effect on control plane traffic. Hence, the routing protocol must still be configured so that it is not enabled on the management interface.
V-17836 | Management traffic is not classified and marked | CAT III | router03, CiscoIOS15
    class-map match-all MANAGEMENT-TRAFFIC
     match access-group name CLASSIFY-MANAGEMENT-TRAFFIC
    !
    policy-map DIST-LAYER-POLICY
     class MANAGEMENT-TRAFFIC
      set ip dscp 48
    !
    interface FastEthernet0/0
     description link to LAN1
     ip address 192.168.1.1 255.255.255.0
     service-policy input DIST-LAYER-POLICY
    interface FastEthernet0/1
     description link to LAN2
     ip address 192.168.2.1 255.255.255.0
     service-policy input DIST-LAYER-POLICY
    interface FastEthernet0/2
     description link to core
     ip address 192.168.13.1 255.255.255.0
    !
    ip access-list extended CLASSIFY-MANAGEMENT-TRAFFIC
     permit ip any 10.2.2.0 0.0.0.255
Note: Traffic is marked using the set command in a policy map. For DSCP rewrite, if a packet encounters both an input and an output classification policy, the output policy has precedence. If there is no output policy, then the input policy has precedence.
V-17837 | Management traffic doesn't get preferred treatment | CAT III | router03, CiscoIOS15
When management traffic must traverse several nodes to reach the management network, ensure that all core routers within the managed network have been configured to provide preferred treatment for management traffic. This will ensure that management traffic receives guaranteed bandwidth at each forwarding device along the path to the management network.
Step 1: Verify that a service policy is bound to all core or internal router interfaces as shown in the configuration below:
    interface FastEthernet0/1
     ip address 192.168.2.1 255.255.255.0
     service-policy output QoS-Policy
    interface FastEthernet0/2
     ip address 192.168.1.1 255.255.255.0
     service-policy output QoS-Policy
Step 2: Verify that the class-maps place management traffic in the appropriate forwarding class as shown in the example below:
    class-map match-all best-effort
     match ip dscp 0
    class-map match-any data-AF13-AF23
     match ip dscp 14
     match ip dscp 22
    class-map match-any video-AF33-AF43
     match ip dscp 30
     match ip dscp 38
    class-map match-all voice-EF
     match ip dscp 46
    class-map match-all network-control
     match ip dscp 48
Step 3: Verify that the classes are receiving the required service.
    policy-map QoS-Policy
     class best-effort
      bandwidth percent 10
      random-detect dscp-based
     class data-AF13-AF23
      bandwidth percent 30
      random-detect dscp-based
     class video-AF33
      bandwidth percent 15
      random-detect dscp-based
     class video-AF43
      bandwidth percent 20
      random-detect dscp-based
     class voice-EF
      priority percent 20
     class network-control
      bandwidth percent 5
      random-detect dscp-based
Note 1: The dscp-based argument enables WRED to use the DSCP value of a packet when it calculates the drop probability for the packet; whereas if the prec-based argument is specified, WRED will use the IP Precedence value to calculate drop probability. If neither is specified, the default is prec-based.
Note 2: LLQ is enabled with the priority command using either a kbps value or a bandwidth percentage using the percent keyword followed by a percentage value.
Note 3: Traffic that does not meet the match criteria specified in the forwarding classes is treated as belonging to the default forwarding class. If a default class is not configured, the default class has no QoS functionality. These packets are then placed into a FIFO queue and forwarded at a rate determined by the available underlying bandwidth. This FIFO queue is managed by tail drop, a means of avoiding congestion that treats all traffic equally and does not differentiate between classes of service. When the output queue is full and tail drop is in effect, packets are dropped until the congestion is eliminated and the queue is no longer full. The following example configures a default class in a policy called policy1.
    policy-map policy1
     class class-default
      fair-queue 10
      queue-limit 20
The default class shown above has these characteristics: 10 queues for traffic that does not meet the match criteria of other classes whose policy is defined by policy1, and a maximum of 20 packets per queue before tail drop is enacted to handle additional queued packets.
V-19189 | No Admin-local or Site-local boundary | CAT III | router03, CiscoIOS15
An administratively scoped IP multicast region is defined to be a topological region in which there are one or more boundary routers with common boundary definitions. Such a router is said to be a boundary for multicast scoped addresses in the range defined in its configuration. In order to support administratively scoped multicast, a multicast boundary router will drop multicast traffic matching an interface's boundary definition in either direction.
The IPv4 administratively scoped multicast address space is 239/8, which is divided into two scope levels: the Local Scope and the Organization Local Scope. The Local Scope range is 239.255.0.0/16 and can expand into the reserved ranges 239.254.0.0/16 and 239.253.0.0/16 if 239.255.0.0/16 is exhausted. The IPv4 Organization Local Scope is 239.192.0.0/14, which is the space from which an organization should allocate sub-ranges when defining scopes for private use. This scope can be expanded to 239.128.0.0/10, 239.64.0.0/10, and 239.0.0.0/10 if necessary. The scope of IPv6 multicast packets is determined by the scope value, where 4 (ffx4::/16) is Admin-local, 5 (ffx5::/16) is Site-local, and 8 (ffx8::/16) is Organization-local.
Review the multicast topology to determine any documented Admin-local (scope=4) or Site-local (scope=5) multicast boundaries for IPv6 traffic or any Local-scope (address block 239.255.0.0/16) boundary for IPv4 traffic. Verify that appropriate boundaries are configured on the applicable multicast-enabled interfaces.
IPv4:
The following example will establish a multicast boundary on the interface to ensure that Local-scope traffic is not allowed into or out of the administratively scoped IPv4 multicast region:
    ip multicast-routing
    !
    interface FastEthernet0/1
     description Boundary for multicast region A
     ip address 198.18.0.1 255.255.255.0
     ip pim sparse-mode
     ip multicast boundary MCAST_ADMIN_SCOPED_BOUNDARY
    !
    ip access-list standard MCAST_ADMIN_SCOPED_BOUNDARY
     deny 239.255.0.0 0.255.255.255
     permit 224.0.0.0 15.255.255.255
    !
Note: The filter used by the multicast boundary command will affect multicast traffic outside of the administratively scoped IPv4 multicast space. If Organization Local Scope traffic must cross this site boundary, include the necessary permit statement for this address range (239.192.0.0 255.252.0.0). To allow global multicast traffic to pass by this boundary, ensure that the filter will permit the global address space (224.0.1.0 to 238.255.255.255) if the enclave has deployed inter-domain multicast routing.
IPv6:
The following example will establish a multicast boundary on the interface to ensure that Site-local scope traffic is not allowed into or out of the administratively scoped IPv6 multicast region:
    ipv6 multicast-routing
    !
    interface FastEthernet0/1
     description link to Site A
     ipv6 address 2001:1:0:146::/64 eui-64
     ipv6 multicast boundary scope 5
Note: Filtering the scope value of 5 will ensure that any multicast traffic received by the interface in either direction with a scope equal to or less than 5 (Site-local) will be dropped. Hence, all Site-local and Admin-local traffic will be dropped while allowing Organization-local (scope=8) and global multicast traffic (scope=14) to be forwarded for an inter-site as well as inter-domain multicast routing deployment.
V-23747 | Two NTP servers are not used to synchronize time. | CAT III | router03, CiscoIOS15
Configure the device to use two separate NTP servers.
V-30585 | Invalid group used for source specific multicast | CAT III | router03, CiscoIOS15
IANA has reserved the address range 232.0.0.0 through 232.255.255.255 for SSM applications and protocols. However, Cisco IOS allows SSM configuration for an arbitrary subset of the IP multicast address range 224.0.0.0 through 239.255.255.255.
If IPv4 or IPv6 multicast routing is enabled, determine if IGMP version 3 or MLD version 2 is enabled for IPv4 and IPv6 respectively. If enabled, then PIM-SSM is also enabled. Hence, you must verify that only the IANA reserved SSM range of addresses is used for this implementation. The SSM address range is 232.0.0.0/8 and FF3x::/32 for IPv4 and IPv6 respectively.
Step 1: Determine if multicast routing is enabled. By default, multicast is disabled globally. The following global configuration commands will enable IPv4 and IPv6 multicast routing:
    ip multicast-routing
    ipv6 multicast-routing
If multicast routing is not enabled, this vulnerability is not applicable.
Step 2:
IPv4
Check interfaces connected to multicast subscribers to determine if IGMPv3 is enabled. This is required for subscribers to join a specific source. The IPv4 interface configuration would look as follows:
    ip igmp version 3
or
    ip igmp v3lite
If IGMPv3 is not enabled for IPv4 multicast, this vulnerability is not applicable.
IPv6
MLD is automatically enabled on an interface when IPv6 PIM is enabled on an interface. With IPv6, PIM is enabled by default on all IPv6-enabled interfaces if IPv6 multicast routing is enabled on the router via the global ipv6 multicast-routing command. An interface can be disabled for PIM using the no ipv6 pim interface command. MLD can also be disabled on IPv6 PIM-enabled interfaces with the no ipv6 mld router interface command.
Following is an example of two IPv6-enabled interfaces.
    interface FastEthernet0/1
     ipv6 address 2001:1:0:146::/64 eui-64
    interface FastEthernet0/2
     ipv6 enable
MLDv2 is the default with current releases of IOS. In some releases of IOS, the ipv6 mld version command is not available. You can verify the version of MLD on interfaces via the show ipv6 mld interface command. If MLDv2 is not enabled for IPv6 multicast, this vulnerability is not applicable.
Step 3:
Verify that the appropriate multicast groups are used for SSM.
IPv4
The following configuration will allow all of the multicast groups in 232/8 reserved for SSM:
    ip pim ssm default
or
The following configuration will only allow the multicast groups 232.4.0.0/24:
    access-list 4 permit 232.4.0.0 0.0.0.255
    ip pim ssm range 4
Note: If a range is configured as in the example shown above, ensure that the range is within the IANA reserved range for SSM groups.
IPv6
The following configuration will allow all of the multicast groups FF3x::/32 reserved for SSM, where x is any valid scope value:
    ipv6 pim ssm default
or
The following configuration will only allow multicast groups within the ff3e::1:0:0/96 range:
    ipv6 access-list SSM_RANGE permit any ff3e::1:0:0/96
    ipv6 pim ssm range SSM_RANGE
Table 435: DISA STIG recommendations
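Step 3 of the SSM check above (the configured range must sit inside 232.0.0.0/8 or FF3x::/32) is the kind of comparison that is easy to get wrong by eye, since a wildcard-mask ACL entry has to be expanded first. The script below is an added example, not Nipper Studio code; it handles the command forms shown above, and its sample configuration is constructed.

```python
"""Added example (not Nipper Studio code): verify that PIM-SSM group ranges in an IOS
configuration (V-30585, Step 3) stay inside the IANA SSM ranges 232.0.0.0/8 and
FF3x::/32. Handles 'ip pim ssm default|range', numbered standard ACLs and the one-line
'ipv6 access-list' form shown above; the sample configuration is constructed."""
import ipaddress
import re

SSM_V4 = ipaddress.ip_network("232.0.0.0/8")
SSM_V6 = ipaddress.ip_network("ff30::/12")  # covers every FF3x::/32 block, x = 0..f
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")

SAMPLE_SSM = """\
ip multicast-routing
ipv6 multicast-routing
!
access-list 4 permit 232.4.0.0 0.0.0.255
ip pim ssm range 4
!
ipv6 access-list SSM_RANGE permit any ff3e::1:0:0/96
ipv6 pim ssm range SSM_RANGE
"""

def standard_acl_networks(config, number):
    """Networks permitted by numbered standard ACL `number` ('permit any|A [WILDCARD]')."""
    nets = []
    for m in re.finditer(rf"^access-list {number} permit (\S+)(?: (\S+))?$", config, re.M):
        if m.group(1) == "any":
            nets.append(ANY_V4)
            continue
        addr = int(ipaddress.IPv4Address(m.group(1)))
        wc = int(ipaddress.IPv4Address(m.group(2) or "0.0.0.0"))
        # A wildcard matches addr&~wc .. addr|wc; for a non-contiguous mask this range is
        # a superset of the real match, which is the conservative choice for an audit.
        first = ipaddress.IPv4Address(addr & ~wc & 0xFFFFFFFF)
        last = ipaddress.IPv4Address(addr | wc)
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets

def ipv6_acl_destinations(config, name):
    """Destination prefixes from one-line 'ipv6 access-list NAME permit SRC DST' entries."""
    return [ipaddress.ip_network(m.group(1), strict=False)
            for m in re.finditer(rf"^ipv6 access-list {name} permit \S+ (\S+)$", config, re.M)]

def audit_ssm_ranges(config):
    """Return findings for SSM groups outside the IANA ranges; an empty list is compliant."""
    findings = []
    m = re.search(r"^ip pim ssm range (\d+)$", config, re.M)
    if m:  # 'ip pim ssm default' is exactly 232/8 and needs no check
        nets = standard_acl_networks(config, m.group(1))
        if not nets:
            findings.append(f"IPv4 SSM range references ACL {m.group(1)}, which permits nothing")
        for net in nets:
            if not net.subnet_of(SSM_V4):
                findings.append(f"IPv4 SSM range {net} is outside {SSM_V4}")
    m = re.search(r"^ipv6 pim ssm range (\S+)$", config, re.M)
    if m:
        nets = ipv6_acl_destinations(config, m.group(1))
        if not nets:
            findings.append(f"IPv6 SSM range references ACL {m.group(1)}, which permits nothing")
        for net in nets:
            if not net.subnet_of(SSM_V6):
                findings.append(f"IPv6 SSM range {net} is outside FF3x::/32")
    return findings

if __name__ == "__main__":
    for finding in audit_ssm_ranges(SAMPLE_SSM) or ["compliant"]:
        print(finding)
```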
6 SANS Policy Compliance
6.1 router03 SANS Policy Compliance Audit
6.1.1 Router Policy
The SANS router policy describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of Nipper Studio. Nipper Studio performed a SANS router policy compliance audit (dated April 18th 2007) of the device router03. The result of the audit is shown in Table 436.
Table 436: router03 SANS router policy compliance
Ref  Description  Status
3.1  No local user accounts are configured on the device. Devices must use TACACS+ for all user authentication.
3.2  The enable password on the device must be kept in a secure encrypted form. The device must have the enable password set to the current production device password from the device's support organization.
3.3a  IP directed broadcasts disabled
3.3b  Incoming packets at the device sourced with invalid addresses such as RFC 1918 addresses
3.3c  TCP small services disabled
3.3d  UDP small services disabled
3.3e  All source routing disabled
3.3f  All web services running on router disabled
3.4  Use corporate standardized SNMP community strings
3.5  Access rules are to be added as business needs arise
3.6  The router must be included in the corporate enterprise management system with a designated point of contact
3.7  Each device must have the following statement posted in clear view: "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."
3.8  Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH is the preferred management protocol.
6.1.2 Audit Logging Policy
Nipper Studio performed an audit of router03 against the controls detailed in the SANS Information Systems Audit Logging Policy (2007). This section details the compliance of the device against that policy.
A - Underlying Requirements
All systems that handle confidential information, accept network connections, or make access control (authentication and authorization) decisions shall record and retain audit-logging information sufficient to record the elements detailed in Table 437.
Table 437: router03 audit logging underlying requirements
Ref  Description  Status
A.1  What activity was performed?
A.2  Who or what performed the activity, including where or on what system the activity was performed from (subject)?
A.3  What the activity was performed on (object)?
A.4  When was the activity performed?
A.5  What tool(s) was the activity performed with?
A.6  What was the status (such as success vs. failure), outcome, or result of the activity?
B - Activities to be Logged
Logs shall be created whenever any of the activities detailed in Table 438 are requested to be performed by the system.
Table 438: router03 audit logging activities
Ref  Description  Status
B.1  Create, read, update, or delete confidential information, including confidential authentication information such as passwords
B.2  Create, update, or delete information not covered in B.1
B.3  Initiate a network connection
B.4  Accept a network connection
B.5  User authentication and authorization for activities covered in B.1 or B.2 such as user login and logout
B.6  Grant, modify, or revoke access rights, including adding a new user or group, changing user privilege levels, changing file permissions, changing database object permissions, changing firewall rules, and user password changes
B.7  System, network, or services configuration changes, including installation of software patches and updates, or other installed software changes
B.8  Application process startup, shutdown, or restart
B.9  Application process abort, failure, or abnormal end, especially due to resource exhaustion or reaching a resource limit or threshold (such as for CPU, memory, network connections, network bandwidth, disk space, or other resources), the failure of network services such as DHCP or DNS, or hardware fault
B.10  Detection of suspicious/malicious activity such as from an IDS/IPS, anti-virus system, or anti-spyware system
C - Elements of the Log
Logs shall identify or contain at least the elements listed in Table 439 either directly or indirectly.
Table 439: router03 audit logging elements
Ref  Description  Status
C.1  Type of action - examples include authorize, create, read, update, delete, and accept network connection
C.2  Subsystem performing the action - examples include process or transaction name, process or transaction identifier
C.3  Identifiers (as many as available) for the subject requesting the action - examples include user name, computer name, IP address, and MAC address. Note that such identifiers should be standardized in order to facilitate log correlation
C.4  Identifiers (as many as available) for the object the action was performed on - examples include file names accessed, unique identifiers of records accessed in a database, query parameters used to determine records accessed in a database, computer name, IP address, and MAC address. Note that such identifiers should be standardized in order to facilitate log correlation
C.5  Before and after values when action involves updating a data element, if feasible
C.6  Date and time the action was performed, including relevant time-zone information if not in Coordinated Universal Time
C.7  Whether the action was allowed or denied by access-control mechanisms
C.8  Description and/or reason-codes of why the action was denied by the access-control mechanism, if applicable
D - Formatting and Storage
The system shall support the formatting and storage of audit logs in such a way as to ensure the integrity of the logs and to support enterprise-level analysis and reporting. The status of this requirement is shown in Table 440.
Table 440: router03 audit logging storage
Ref  Description  Status
D  Supports enterprise level reporting and maintains log integrity
6.1.3 Audit Coverage
Nipper Studio audited router03 against the following two SANS policies:
Router policy (April 18th 2007); Information systems audit logging policy (2007).
Nipper Studio can conclude the following statistics from the audit (percentages have been rounded): two checks passed (5%), eight checks failed (21%), 28 checks require a manual assessment (74%).
6.2 CiscoIOS15 SANS Policy Compliance Audit
6.2.1 Router Policy
The SANS router policy describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of Nipper Studio. Nipper Studio performed a SANS router policy compliance audit (dated April 18th 2007) of the device CiscoIOS15. The result of the audit is shown in Table 441.
Table 441: CiscoIOS15 SANS router policy compliance
Ref  Description  Status
3.1  No local user accounts are configured on the device. Devices must use TACACS+ for all user authentication.
3.2  The enable password on the device must be kept in a secure encrypted form. The device must have the enable password set to the current production device password from the device's support organization.
3.3a  IP directed broadcasts disabled
3.3b  Incoming packets at the device sourced with invalid addresses such as RFC 1918 addresses
3.3c  TCP small services disabled
3.3d  UDP small services disabled
3.3e  All source routing disabled
3.3f  All web services running on router disabled
3.4  Use corporate standardized SNMP community strings
3.5  Access rules are to be added as business needs arise
3.6  The router must be included in the corporate enterprise management system with a designated point of contact
3.7  Each device must have the following statement posted in clear view: "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."
3.8  Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH is the preferred management protocol.
6.2.2 Audit Logging Policy
Nipper Studio performed an audit of CiscoIOS15 against the controls detailed in the SANS Information Systems Audit Logging Policy (2007). This section details the compliance of the device against that policy.
A - Underlying Requirements
All systems that handle confidential information, accept network connections, or make access control (authentication and authorization) decisions shall record and retain audit-logging information sufficient to record the elements detailed in Table 442.
Table 442: CiscoIOS15 audit logging underlying requirements
Ref  Description  Status
A.1  What activity was performed?
A.2  Who or what performed the activity, including where or on what system the activity was performed from (subject)?
A.3  What the activity was performed on (object)?
A.4  When was the activity performed?
A.5  What tool(s) was the activity performed with?
A.6  What was the status (such as success vs. failure), outcome, or result of the activity?
B - Activities to be Logged
Logs shall be created whenever any of the activities detailed in Table 443 are requested to be performed by the system.
Table 443: CiscoIOS15 audit logging activities
Ref  Description  Status
B.1  Create, read, update, or delete confidential information, including confidential authentication information such as passwords
B.2  Create, update, or delete information not covered in B.1
B.3  Initiate a network connection
B.4  Accept a network connection
B.5  User authentication and authorization for activities covered in B.1 or B.2 such as user login and logout
B.6  Grant, modify, or revoke access rights, including adding a new user or group, changing user privilege levels, changing file permissions, changing database object permissions, changing firewall rules, and user password changes
B.7  System, network, or services configuration changes, including installation of software patches and updates, or other installed software changes
B.8  Application process startup, shutdown, or restart
B.9  Application process abort, failure, or abnormal end, especially due to resource exhaustion or reaching a resource limit or threshold (such as for CPU, memory, network connections, network bandwidth, disk space, or other resources), the failure of network services such as DHCP or DNS, or hardware fault
B.10  Detection of suspicious/malicious activity such as from an IDS/IPS, anti-virus system, or anti-spyware system
C - Elements of the Log
Logs shall identify or contain at least the elements listed in Table 444 either directly or indirectly.
Table 444: CiscoIOS15 audit logging elements
Ref  Description  Status
C.1  Type of action - examples include authorize, create, read, update, delete, and accept network connection
C.2  Subsystem performing the action - examples include process or transaction name, process or transaction identifier
C.3  Identifiers (as many as available) for the subject requesting the action - examples include user name, computer name, IP address, and MAC address. Note that such identifiers should be standardized in order to facilitate log correlation
C.4  Identifiers (as many as available) for the object the action was performed on - examples include file names accessed, unique identifiers of records accessed in a database, query parameters used to determine records accessed in a database, computer name, IP address, and MAC address. Note that such identifiers should be standardized in order to facilitate log correlation
C.5  Before and after values when action involves updating a data element, if feasible
C.6  Date and time the action was performed, including relevant time-zone information if not in Coordinated Universal Time
C.7  Whether the action was allowed or denied by access-control mechanisms
C.8  Description and/or reason-codes of why the action was denied by the access-control mechanism, if applicable
D - Formatting and Storage
The system shall support the formatting and storage of audit logs in such a way as to ensure the integrity of the logs and to support enterprise-level analysis and reporting. The status of this requirement is shown in Table 445.
Table 445: CiscoIOS15 audit logging storage
Ref  Description  Status
D  Supports enterprise level reporting and maintains log integrity
6.2.3 VPN Policy
The SANS VPN policy (2006) describes a required minimal set of security controls for securing VPN access. Nipper Studio performed a SANS VPN policy compliance audit (2006) of the device CiscoIOS15. The result of the audit is shown in Table 446.
Table 446: CiscoIOS15 SANS VPN policy compliance
Ref  Description  Status
3.1  It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Nipper Studio internal networks
3.2  VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase
3.3  When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel: all other traffic will be dropped
3.4  Dual (split) tunneling is NOT permitted; only one network connection is allowed
3.5  VPN gateways will be set up and managed by Nipper Studio network operational groups
3.6  All computers connected to Nipper Studio internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers
3.7  VPN users will be automatically disconnected from Nipper Studio's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open
3.8  The VPN concentrator is limited to an absolute connection time of 24 hours
3.9  Users of computers that are not Nipper Studio-owned equipment must configure the equipment to comply with Nipper Studio's VPN and Network policies
3.10  Only InfoSec-approved VPN clients may be used
3.11  By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Nipper Studio's network, and as such are subject to the same rules and regulations that apply to Nipper Studio-owned equipment, i.e., their machines must be configured to comply with InfoSec's Security Policies
6.2.4 Audit Coverage
Nipper Studio audited CiscoIOS15 against the following three SANS policies:
Router policy (April 18th 2007); Information systems audit logging policy (2007); VPN policy (2006).
Nipper Studio can conclude the following statistics from the audit (percentages have been rounded): seven checks passed (14%), four checks failed (8%), 38 checks require a manual assessment (78%).
7 PCI Audit
7.1 Introduction
Nipper Studio performed a PCI compliance audit on 2 March 2017. The audit was performed by collecting information relevant to the requirements and security assessment procedures of the PCI Data Security Standard (DSS) from the selected devices. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. In order to adhere to 'all' the requirements of the PCI DSS standard completely, you will require other tools and security procedures to be implemented.
7.2 Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Description
Firewalls are devices that control computer traffic allowed between an entity's networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity's internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity's trusted network.
A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.
All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.
Other system components may provide firewall functionality, as long as they meet the minimum requirements for firewalls as defined in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1.
PCI DSS Requirements  Testing Procedures  Guidance  Result
Requirement 1.1.6: Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
Testing procedures:
1.1.6.a Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification and approval for each.
1.1.6.b Identify insecure services, protocols, and ports allowed; and verify that security features are documented for each service.
1.1.6.c Examine firewall and router configurations to verify that the documented security features are implemented for each insecure service, protocol, and port.
Guidance: Compromises often happen due to unused or insecure service and ports, since these often have known vulnerabilities and many organizations don't patch vulnerabilities for the services, protocols, and ports they don't use (even though the vulnerabilities are still present). By clearly defining and documenting the services, protocols, and ports that are necessary for business, organizations can ensure that all other services, protocols, and ports are disabled or removed. Approvals should be granted by personnel independent of the personnel managing the configuration. If insecure services, protocols, or ports are necessary for business, the risk posed by use of these protocols should be clearly understood and accepted by the organization, the use of the protocol should be justified, and the security features that allow these protocols to be used securely should be documented and implemented. If these insecure services, protocols, or ports are not necessary for business, they should be disabled or removed. For guidance on services, protocols, or ports considered to be insecure, refer to industry standards and guidance (e.g., NIST, ENISA, OWASP, etc.).
Result: Data Collected
Requirement 1.2.1: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
Testing procedures:
1.2.1.a Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment.
1.2.1.b Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment.
1.2.1.c Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit "deny all" or an implicit deny after allow statement.
Guidance: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
Result: Data Collected
7.2.1 Secure and Insecure Services
Nipper Studio identified eleven unique services along with their transport protocols and port numbers. These should be analysed to ensure justification and approval is available for each, in order to meet testing procedure 1.1.6.a.
Table 448: PCI DSS Unique Services
Service Name  Protocol  Port  Enabled  Devices
BOOTP Service  UDP  67  Enabled  router03, CiscoIOS15
SNMP Service  UDP  161  Enabled  router03, CiscoIOS15
TCP Small Servers  TCP  Multiple  Enabled  router03, CiscoIOS15
UDP Small Servers  UDP  Multiple  Enabled  router03, CiscoIOS15
Finger Service  TCP  79  Enabled  router03, CiscoIOS15
Web Administration Service (HTTP)  TCP  80  Enabled  router03, CiscoIOS15
NTP Service  UDP  123  Disabled  router03, CiscoIOS15
SSH Service  TCP  22  Disabled  router03, CiscoIOS15
RSH Service  TCP  514  Disabled  router03, CiscoIOS15
Telnet Service  TCP  23  Disabled  router03, CiscoIOS15
Web Administration Service (HTTPS)  TCP  443  Disabled  router03, CiscoIOS15
7.2.2 Explicit Deny Rules in Configurations
Nipper Studio found two devices with filter lists to restrict network traffic. Explicit deny-alls or implicit denies after allow statements must be found on all filter lists in order to comply with testing procedure 1.2.1.c.
Explicit Deny Rule - router03
On router03, six filter lists were identified. They were found to be missing an explicit deny all, or an implicit deny after an allow statement.
Table 449: PCI DSS Requirements 1.2.1 - router03
Access List  Rule Number  Explicit Deny
named-acl-1  N/A
named-acl-2  N/A
cp-critical-in  36
110  N/A
120  N/A
40  N/A
Explicit Deny Rule - CiscoIOS15
On CiscoIOS15, nine filter lists were identified. They were found to be missing an explicit deny all, or an implicit deny after an allow statement.
Table 450: PCI DSS Requirements 1.2.1 - CiscoIOS15
Access List  Rule Number  Explicit Deny
named-acl-1  N/A
named-acl-2  N/A
cp-critical-in  36
110  N/A
120  N/A
40  N/A
1  N/A
3  N/A
18  N/A
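As an added example (not from the report or from Nipper Studio), a check for the testing procedure 1.2.1.c condition tabulated above: it parses IOS numbered and named ACLs out of a constructed configuration fragment and reports, per list, the rule number of a trailing explicit deny-all, or None where the list relies on the implicit deny alone. The ACL names and rules are constructed and are not the audited devices' configuration.

```python
import re
from typing import Dict, List, Optional

# Constructed IOS fragment (not the audited devices' configuration): a named
# extended ACL that ends with an explicit deny, one that does not, a numbered
# extended ACL with a trailing deny-all, and a numbered standard ACL without one.
SAMPLE_CONFIG = """\
ip access-list extended cp-critical-in
 remark control-plane policing
 permit tcp any any eq 179
 permit icmp any any
 deny ip any any log
ip access-list extended named-acl-1
 permit udp any any eq 123
 permit tcp any host 10.0.0.5 eq 22
access-list 110 permit tcp any any eq 443
access-list 110 deny ip any any
access-list 40 permit 10.1.1.0 0.0.0.255
"""

# An explicit deny-all is 'deny any' (standard ACL) or 'deny ip any any'
# (extended ACL), optionally followed by log / log-input.
DENY_ALL = re.compile(r"^deny\s+(?:ip\s+)?any(?:\s+any)?(?:\s+log(?:-input)?)?$")


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Return {acl_name: [rule_text, ...]} for numbered and named ACLs alike.
    Remarks are dropped and leading sequence numbers are stripped."""
    acls: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"access-list (\S+) (.+)$", line)
        if m:                              # numbered ACL: one rule per line
            acls.setdefault(m[1], []).append(m[2])
            current = None
            continue
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", line)
        if m:                              # named ACL header; indented rules follow
            current = m[1]
            acls.setdefault(current, [])
            continue
        if current is not None and line.startswith(" "):
            rule = re.sub(r"^\s*(?:\d+\s+)?", "", line)
            if not rule.startswith("remark"):
                acls[current].append(rule)
        else:
            current = None                 # any other line ends the named ACL
    return acls


def explicit_deny_position(rules: List[str]) -> Optional[int]:
    """1-based number of the last rule if it is an explicit deny-all, else None.
    Only the final rule is considered: a deny-all anywhere earlier would make
    every later rule unreachable, which is a different finding."""
    if rules and DENY_ALL.match(rules[-1]):
        return len(rules)
    return None


def audit_explicit_deny(config: str) -> Dict[str, Optional[int]]:
    """{acl_name: rule_number} per ACL; None where the explicit deny is missing."""
    return {name: explicit_deny_position(rules)
            for name, rules in parse_acls(config).items()}


if __name__ == "__main__":
    for name, pos in audit_explicit_deny(SAMPLE_CONFIG).items():
        print(f"{name:16} explicit deny: {pos if pos is not None else 'N/A'}")
```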
7.3 Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Description
Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.
PCI DSS Requirements  Testing Procedures  Guidance  Result
Requirement 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.
Testing procedures:
2.1.a Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.)
2.1.b For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled.
2.1.c Interview personnel and examine supporting documentation to verify that:
All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network.
Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network.
Guidance: Malicious individuals (external and internal to an organization) often use vendor default settings, account names, and passwords to compromise operating system software, applications, and the systems on which they are installed. Because these default settings are often published and are well known in hacker communities, changing these settings will leave systems less vulnerable to attack. Even if a default account is not intended to be used, changing the default password to a strong unique password and then disabling the account will prevent a malicious individual from re-enabling the account and gaining access with the default password.
Result: Data Collected
Requirement 2.3: Encrypt all non-console administrative access using strong cryptography. Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Testing procedures:
2.3 Select a sample of system components and verify that non-console administrative access is encrypted by performing the following:
2.3.a Observe an administrator log on to each system and examine system configurations to verify that a strong encryption method is invoked before the administrator's password is requested.
2.3.b Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access. (Result: Data Collected)
2.3.c Observe an administrator log on to each system to verify that administrator access to any web-based management interfaces is encrypted with strong cryptography. (Result: Data Collected)
2.3.d Examine vendor documentation and interview personnel to verify that strong cryptography for the technology in use is implemented according to industry best practices and/or vendor recommendations.
2.3.e If SSL/early TLS is used, perform testing procedures in Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS.
Guidance: If non-console (including remote) administration does not use secure authentication and encrypted communications, sensitive administrative or operational level information (like administrator's IDs and passwords) can be revealed to an eavesdropper. A malicious individual could use this information to access the network, become administrator, and steal data. Clear-text protocols (such as HTTP, telnet, etc.) do not encrypt traffic or logon details, making it easy for an eavesdropper to intercept this information. To be considered "strong cryptography," industry recognized protocols with appropriate key strengths and key management should be in place as applicable for the type of technology in use. (Refer to "strong cryptography" in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms, and industry standards and best practices such as NIST SP 800-52 and SP 800-57, OWASP, etc.)
7.3.1 Default authentication removed from devices
Nipper Studio found the following accounts, passwords, keys and community strings present on the devices. In order to meet testing procedure 2.1.a, it should be ensured that all default accounts and passwords have been changed. In order to meet testing procedure 2.1.b, it is required that all unnecessary default accounts have been removed or disabled.
Lines (router03)
Table 452: Lines (router03)
Type  Password
Console  password
Auxiliary  password
VTY 0-4  password
Local Users (router03)
Table 453: Local Users (router03)
User  Password
enable (password)  cisco
temp  password
testuser  password
localuser  password
Console Line  password
Auxiliary  password
VTY 0-4 Line  password
SNMP Communities (router03)
Table 454: SNMP Communities (router03)
Community  Access  Version
public  Read Only  1
private  Read/Write  1
Routing Keys (router03)
Table 455: Routing Keys (router03)
Chain  Routing Key
testchain  password
routing-chain  cisco
GLBP Keys (router03)
Table 456: GLBP Keys (router03)
ID  GLBP Key
1  Passw0rd
HSRP Keys (router03)
Table 457: HSRP Keys (router03)
ID  HSRP Key
1  Passw0rd
VRRP Keys (router03)
Table 458: VRRP Keys (router03)
ID  VRRP Key
1  password
BGP Neighbors (router03)
Neighbor Address  Password
router01  (NO PASSWORD)
Lines (CiscoIOS15)
Table 460: Lines (CiscoIOS15)
Type  Password
Console  (NO PASSWORD)
Auxiliary  (NO PASSWORD)
Interface 0/0/0  (NO PASSWORD)
VTY 0-4  password
VTY 5-807  (NO PASSWORD)
Local Users (CiscoIOS15)
Table 461: Local Users (CiscoIOS15)
User  Password
enable (secret)  (ENCRYPTED)
enable (password)  password
admin  (ENCRYPTED)
Test  (ENCRYPTED)
VTY 0-4 Line  password
Tacacs+ Servers (CiscoIOS15)
Table 462: Tacacs+ Servers (CiscoIOS15)
Server  Key
18.1.1.1:49  (NO PASSWORD)
SNMP Communities (CiscoIOS15)
Table 463: SNMP Communities (CiscoIOS15)
Community  Access  Version
Testcom  Read Only  1
cisCommunity  Read Only  1
trapString  Read Only  1
Routing Keys (CiscoIOS15)
Table 464: Routing Keys (CiscoIOS15)
Chain  Routing Key
keychain  key
BGP Neighbors (CiscoIOS15)
Neighbor Address  Password
1.1.1.1  password
1.2.3.4  password
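As an added example (not from the report or from Nipper Studio), a configuration review that flags the classes of finding listed in the tables above: default SNMP community strings, an enable password that is not an enable secret, terminal lines whose password is absent or stored recoverably, and a TACACS+ server defined without a shared key. The configuration fragment is constructed, the hash and the 192.0.2.10 address are placeholders, and the finding wording is this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed IOS fragment (not the audited devices' configuration) showing the
# classes of finding tabulated above. The hash and 192.0.2.10 are placeholders.
SAMPLE_CONFIG = """\
enable password cisco
username admin secret 5 $1$PLACEHOLDER$notarealhash
snmp-server community public RO
snmp-server community private RW
snmp-server community Testcom RO
tacacs-server host 192.0.2.10
line con 0
 password password
 login
line aux 0
line vty 0 4
 password 7 094F471A1A0A
 login local
line vty 5 15
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}
# No type, type 0 (clear text) and type 7 (trivially reversible obfuscation) all
# leave the password recoverable from the configuration; types 5/8/9 are hashes.
REVERSIBLE_TYPES = {None, "0", "7"}


def audit_defaults(config: str) -> List[str]:
    """Return one finding string per default or recoverable credential, sorted."""
    findings: List[str] = []
    current_line: Optional[str] = None          # the 'line ...' block being read
    line_has_password: Dict[str, bool] = {}
    for raw in config.splitlines():
        text = raw.strip()
        indented = raw.startswith(" ")
        if indented and current_line is not None:
            m = re.match(r"password(?: (\d))? \S+$", text)
            if m:
                line_has_password[current_line] = True
                if m[1] in REVERSIBLE_TYPES:
                    findings.append(f"line {current_line}: password is recoverable "
                                    f"(type {m[1] or 'clear'})")
            continue
        current_line = None                     # a top-level line ends any block
        m = re.match(r"enable (password|secret)(?: (\d))? \S+$", text)
        if m:
            if m[1] == "password" and m[2] in REVERSIBLE_TYPES:
                findings.append("enable password is recoverable; use 'enable secret' instead")
            continue
        m = re.match(r"snmp-server community (\S+) (RO|RW)", text)
        if m:
            if m[1].lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community '{m[1]}' ({m[2]})")
            continue
        m = re.match(r"tacacs-server host (\S+)(.*)$", text)
        if m:
            if not re.search(r"\bkey\b", m[2]):
                findings.append(f"tacacs-server {m[1]}: no shared key configured")
            continue
        m = re.match(r"line (.+)$", text)
        if m:
            current_line = m[1]
            line_has_password[current_line] = False
    for name, has_pw in line_has_password.items():
        if not has_pw:
            findings.append(f"line {name}: no password configured")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_defaults(SAMPLE_CONFIG):
        print(finding)
```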
7.3.2 Devices cryptography strength
Nipper Studio found two devices where non-console insecure remote-login services were available. Insecure instances should be disabled in order to meet testing procedure 2.3.b.
Table 466: Devices using insecure protocols
Device  Insecure SSH  Insecure SNMP  FTP Enabled  Telnet Enabled
router03  False¹  True²  False  False
CiscoIOS15  False¹  True²  False  False
¹ SSHv1 is known to be insecure.
² SNMPv1 and SNMPv2 are known to be insecure.
Nipper Studio found one device where administrator access to a web-based management interface was not encrypted with strong cryptography. Access should be encrypted in order to meet testing procedure 2.3.c.
Table 467: Devices that use clear text HTTP protocols
Device  Status
router03  Uses insecure HTTP protocols¹
¹ HTTP protocols are enabled but not HTTPS protocols.
7.4 Requirement 6: Develop and maintain secure systems and applications
Description
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.
Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.
PCI DSS Requirements  Testing Procedures  Guidance  Result
Requirement 6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
Testing procedures:
6.2.a Examine policies and procedures related to security-patch installation to verify processes are defined for:
Installation of applicable critical vendor-supplied security patches within one month of release.
Installation of all applicable vendor-supplied security patches within an appropriate time frame (for example, within three months).
6.2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify the following:
That applicable critical vendor-supplied security patches are installed within one month of release.
All applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months).
Guidance: There is a constant stream of attacks using widely published exploits, often called "zero day" (an attack that exploits a previously unknown vulnerability), against otherwise secured systems. If the most recent patches are not implemented on critical systems as soon as possible, a malicious individual can use these exploits to attack or disable a system, or gain access to sensitive data. Prioritizing patches for critical infrastructure ensures that high-priority systems and devices are protected from vulnerabilities as soon as possible after a patch is released. Consider prioritizing patch installations such that security patches for critical or at-risk systems are installed within 30 days, and other lower-risk patches are installed within 2-3 months. This requirement applies to applicable patches for all installed software, including payment applications (both those that are PA-DSS validated and those that are not).
Result: Data Collected
7.4.1 Device operating systems
Nipper Studio has identified the operating systems and versions running on the devices below. It's important to ensure that the devices have the correct security patches applied. In order to meet testing procedure 6.2.b, it should be checked that all critical vendor-supplied security patches have been installed within one month of release, and that procedures are in place to install all other applicable vendor-supplied security patches.
Table 469: Device Operating System Versions
Device Name  Device Model  OS Version
router03  Router  IOS 12.3
CiscoIOS15  Router  IOS 15.0
7.5 Requirement 10: Track and monitor all access to network resources and cardholder data
Description
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.
PCI DSS Requirements  Testing Procedures  Guidance  Result
Requirement 10.4.1: Critical systems have the correct and consistent time.
Testing procedures:
10.4.1.a Examine the process for acquiring, distributing and storing the correct time within the organization to verify that:
Only the designated central time server(s) receives time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.
Where there is more than one designated time server, the time servers peer with one another to keep accurate time.
Systems receive time information only from designated central time server(s).
(Result: Data Collected)
10.4.1.b Observe the time-related system-parameter settings for a sample of system components to verify:
Only the designated central time server(s) receives time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.
Where there is more than one designated time server, the designated central time server(s) peer with one another to keep accurate time.
Systems receive time only from designated central time server(s).
Requirement 10.4.2: Time data is protected.
Testing procedures:
10.4.2.a Examine system configurations and time-synchronization settings to verify that access to time data is restricted to only personnel with a business need to access time data.
(Result: Data Collected)
10.4.2.b Examine system configurations, time synchronization settings and logs, and processes to verify that any changes to time settings on critical systems are logged, monitored, and reviewed.
7.5.1 System times are correct
Nipper Studio detected two NTP servers present on the devices. The integrity of these should be analysed in order to meet the testing procedure of 10.4.1.a.
Table 471: router03 NTP Server List
Address  Description  Interface  Version  Authorization Key
1.1.1.1      3  (NO PASSWORD)
Table 472: CiscoIOS15 NTP Server List
Address  Description  Interface  Version  Authorization Key
11.11.11.11      3  (ENCRYPTED)
7.5.2 Time synchronization settings are restricted
Nipper Studio found one NTP client present on the devices. The integrity of the following should be analysed in order to meet the testing procedure of 10.4.2.b.
Table 473: CiscoIOS15 NTP Servers And Peers with Known Restrictions
Address Interface Key
11.11.11.11 (ENCRYPTED)
8 Filtering Complexity Report
8.1 Introduction
This section looks at the complexity of the network filtering configuration, highlighting areas that could be simplified. The devices listed in Table 474 were included in this audit.
Table 474: Filtering complexity device list
Device Name OS
Cisco Router router03 IOS 12.3
Cisco Router CiscoIOS15 IOS 15.0
8.2 Unassigned Filter Rule Lists Were Configured
8.2.1 Overview
Nipper Studio reviewed the network filtering and identified a number of filter rule lists that had not been assigned to a specific role. Whilst some network devices have a single filter rule list that defines all access, others use multiple filter rule lists that are assigned to specific tasks such as VPN access, administrative service access or general network filtering. Unassigned filter rule lists are those that have been configured but have not been assigned to a particular role and therefore are not used.
8.2.2 router03 Cisco Router
Nipper Studio identified five unassigned filter rule lists on router03. Those unassigned filter rule lists were:
Extended Internet Protocol version 4 (IPv4) ACL named-acl-1; Extended IPv4 ACL named-acl-2; Extended IPv4 ACL cp-critical-in; Extended IPv4 ACL 110; Extended IPv4 ACL 120.
8.2.3 CiscoIOS15 Cisco Router
Nipper Studio identified six unassigned filter rule lists on CiscoIOS15. Those unassigned filter rule lists were:
Extended IPv4 ACL named-acl-1; Extended IPv4 ACL named-acl-2; Extended IPv4 ACL cp-critical-in; Extended IPv4 ACL 110; Extended IPv4 ACL 120; Standard IPv4 ACL 40.
8.3 Filter Rules Contradict Other Rules
8.3.1 Overview
When reviewing the network filtering rules Nipper Studio identified filter rules that contradicted other filter rules. The first rule that matches the network traffic is the one that is used for filtering the network traffic, so any subsequent rules that are configured to permit or deny the same traffic will be redundant.
An example of contradicting rules would be where a rule permits access to HTTPS and SSH and is later followed in the same rule list by a rule that denies access to SSH for the same source and destination addresses.
8.3.2 router03 Cisco Router
Nipper Studio identified six contradicting rules configured on router03. Those contradicting filter rules are detailed below.
Table 475: Extended IPv4 ACL named-acl-1 rules contradicting rule 1
Rule Action Protocol Source Src Port Destination Dst Port Log
1 Any 172.168.2.3 Any Any Any No
The following rule is contradictory.
3 Any Any Any Any Any No
Table 476: Extended IPv4 ACL named-acl-1 rules contradicting rule 2
Rule Action Protocol Source Src Port Destination Dst Port Log
2 Any 10.8.10.11 Any Any Any No
The following rule is contradictory.
3 Any Any Any Any Any No
Table 477: Extended IPv4 ACL 120 rules contradicting rule 1
Rule Action Protocol Source Src Port Destination Dst Port Log
1 Any 50.60.0.0/16 Any Any Any No
The following rule is contradictory.
8 TCP Any Any 192.168.30.56 9876 No
Table 478: Extended IPv4 ACL 120 rules contradicting rule 2
Rule Action Protocol Source Src Port Destination Dst Port Log
2 TCP Any 21 Any Any Yes
The following rule is contradictory.
8 TCP Any Any 192.168.30.56 9876 No
Table 479: Extended IPv4 ACL 120 rules contradicting rule 6
Rule Action Protocol Source Src Port Destination Dst Port Log
6 TCP Any Any 192.168.30.56 9876 No
The following rule is contradictory.
8 TCP Any Any 192.168.30.56 9876 No
Table 480: Extended IPv4 ACL 120 rules contradicting rule 7
Rule Action Protocol Source Src Port Destination Dst Port Log
7 TCP Any Any Any 9876 No
The following rule is contradictory.
8 TCP Any Any 192.168.30.56 9876 No
8.3.3 CiscoIOS15 Cisco Router
Nipper Studio identified six contradicting rules configured on CiscoIOS15. Those contradicting filter rules are detailed below.
Table 481: Extended IPv4 ACL named-acl-1 rules contradicting rule 1
Rule Action Protocol Source Src Port Destination Dst Port Log
1 Any 172.168.2.3 Any Any Any No
The following rule is contradictory.
3 Any Any Any Any Any No
Table 482: Extended IPv4 ACL named-acl-1 rules contradicting rule 2
Rule Action Protocol Source Src Port Destination Dst Port Log
2 Any 10.8.10.11 Any Any Any No
The following rule is contradictory.
3 Any Any Any Any Any No
Table 483: Extended IPv4 ACL 120 rules contradicting rule 1
Rule Action Protocol Source Src Port Destination Dst Port Log
1 Any 50.60.0.0/16 Any Any Any No
The following rule is contradictory.
8 TCP Any Any 192.168.30.56 9876 No
Table 484: Extended IPv4 ACL 120 rules contradicting rule 2
Rule Action Protocol Source Src Port Destination Dst Port Log
2 TCP Any 21 Any Any Yes
The following rule is contradictory.
8 TCP Any Any 192.168.30.56 9876 No
Table 485: Extended IPv4 ACL 120 rules contradicting rule 6
Rule Action Protocol Source Src Port Destination Dst Port Log
6 TCP Any Any 192.168.30.56 9876 No
The following rule is contradictory.
8 TCP Any Any 192.168.30.56 9876 No
Table 486: Extended IPv4 ACL 120 rules contradicting rule 7
Rule Action Protocol Source Src Port Destination Dst Port Log
7 TCP Any Any Any 9876 No
The following rule is contradictory.
8 TCP Any Any 192.168.30.56 9876 No
8.4 Filter Rules Overlap Other Rules
8.4.1 Overview
When reviewing the network filtering rules Nipper Studio identified filter rules that overlap with other filter rules. The first rule that matches the network traffic is the one that is used for filtering the network traffic, so any subsequent rules that are configured to permit or deny the same traffic will be redundant.
An example of rules that overlap would be where a rule permits access to HTTPS and SSH and is later followed in the same rule list by a rule that permits access to SSH for the same source and destination addresses.
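The first-match reasoning behind 8.3.1 and 8.4.1 can be checked mechanically. The Python below is an added example, not Nipper Studio code or output: it walks an ACL in order and flags a later rule as a contradiction (different action) or an overlap (same action) of an earlier one whenever both could match the same packet, and marks the pair as fully shadowed when the later rule can never match anything new. The rule list, its actions and its addresses are constructed for the example (the report's tables leave the Action column blank).

```python
"""Added example: first-match shadow analysis for an IPv4 extended ACL."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import FrozenSet, List, Optional

ANY = None  # wildcard for any field (protocol, address or port)
Net = Optional[IPv4Network]
Ports = Optional[FrozenSet[int]]


@dataclass(frozen=True)
class Rule:
    number: int
    action: str              # "permit" or "deny"
    protocol: Optional[str]  # "tcp", "udp", "icmp" or ANY
    src: Net
    sport: Ports
    dst: Net
    dport: Ports


def net(cidr: Optional[str]) -> Net:
    """Parse 'a.b.c.d/n' or a bare host address; None means any address."""
    return ANY if cidr is None else ip_network(cidr, strict=False)


def ports(*values: int) -> Ports:
    """Build a port set; no arguments means any port."""
    return frozenset(values) if values else ANY


def _net_covers(a: Net, b: Net) -> bool:
    return a is ANY or (b is not ANY and b.subnet_of(a))

def _net_intersects(a: Net, b: Net) -> bool:
    return a is ANY or b is ANY or a.overlaps(b)

def _ports_cover(a: Ports, b: Ports) -> bool:
    return a is ANY or (b is not ANY and b <= a)

def _ports_intersect(a: Ports, b: Ports) -> bool:
    return a is ANY or b is ANY or bool(a & b)

def _proto_covers(a: Optional[str], b: Optional[str]) -> bool:
    return a is ANY or a == b

def _proto_intersects(a: Optional[str], b: Optional[str]) -> bool:
    return a is ANY or b is ANY or a == b


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by b is also matched by a."""
    return (_proto_covers(a.protocol, b.protocol)
            and _net_covers(a.src, b.src) and _ports_cover(a.sport, b.sport)
            and _net_covers(a.dst, b.dst) and _ports_cover(a.dport, b.dport))


def intersects(a: Rule, b: Rule) -> bool:
    """True when at least one packet is matched by both a and b."""
    return (_proto_intersects(a.protocol, b.protocol)
            and _net_intersects(a.src, b.src) and _ports_intersect(a.sport, b.sport)
            and _net_intersects(a.dst, b.dst) and _ports_intersect(a.dport, b.dport))


@dataclass(frozen=True)
class Finding:
    earlier: int
    later: int
    kind: str       # "contradiction" (actions differ) or "overlap" (same action)
    shadowed: bool  # True when the later rule can never match: dead configuration


def analyse(rules: List[Rule]) -> List[Finding]:
    """Walk the list in order; the first matching rule wins, as on Cisco IOS."""
    findings: List[Finding] = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            if not intersects(earlier, later):
                continue
            kind = "overlap" if earlier.action == later.action else "contradiction"
            findings.append(Finding(earlier.number, later.number, kind,
                                    covers(earlier, later)))
    return findings


# Constructed sample ACL (actions and addresses are assumed, not from the report).
# Rules 1-3 follow the HTTPS/SSH example of 8.3.1 and 8.4.1; rules 4-5 follow the
# shape of ACL 120 rules 1 and 2 in Table 491 (any from 50.60.0.0/16, TCP sport 21).
SAMPLE_ACL = [
    Rule(1, "permit", "tcp", net(None), ports(), net("10.0.0.0/24"), ports(443, 22)),
    Rule(2, "deny", "tcp", net(None), ports(), net("10.0.0.0/24"), ports(22)),
    Rule(3, "permit", "tcp", net(None), ports(), net("10.0.0.0/24"), ports(443)),
    Rule(4, "permit", ANY, net("50.60.0.0/16"), ports(), net(None), ports()),
    Rule(5, "permit", "tcp", net(None), ports(21), net(None), ports()),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_ACL):
        tail = " (fully shadowed, never matches)" if f.shadowed else ""
        print(f"rule {f.later}: {f.kind} with rule {f.earlier}{tail}")
```

Only the fully shadowed pairs are safe to delete outright; a partial overlap such as rules 4 and 5 still matches traffic the earlier rule does not, so it needs a review of intent rather than removal.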
8.4.2 router03 Cisco Router
Nipper Studio identified 16 overlapping rules configured on router03. Those overlapping filter rules are detailed below.
Table 487: Extended IPv4 ACL cp-critical-in rules overlapping rule 1
Rule Action Protocol Source Src Port Destination Dst Port Frag Connection State Log
1 TCP 212.241.243.217 Any 212.241.243.218 179 No Any No
The following rule overlaps.
2 TCP 212.241.243.217 179 212.241.243.218 Any No Any No
Table 488: Extended IPv4 ACL cp-critical-in rules overlapping rule 3
Rule Action Protocol Source Src Port Destination Dst Port Frag Connection State Log
3 TCP 192.168.224.154 Any 192.168.224.153 179 No Any No
The following rule overlaps.
4 TCP 192.168.224.154 179 192.168.224.153 Any No Any No
Table 489: Extended IPv4 ACL cp-critical-in rules overlapping rule 5
Rule Action Protocol Source Src Port Destination Dst Port Frag Connection State Log
5 TCP 192.168.224.150 Any 192.168.224.149 179 No Any No
The following rule overlaps.
6 TCP 192.168.224.150 179 192.168.224.149 Any No Any No
Table 490: Extended IPv4 ACL cp-critical-in rules overlapping rule 7
Rule Action Protocol Source Src Port Destination Dst Port Frag Connection State Log
7 TCP 192.168.224.162 Any 192.168.224.161 179 No Any No
The following rule overlaps.
8 TCP 192.168.224.162 179 192.168.224.161 Any No Any No
Table 491: Extended IPv4 ACL 120 rules overlapping rule 1
Rule Action Protocol Source Src Port Destination Dst Port Log
1 Any 50.60.0.0/16 Any Any Any No
The following 4 rules overlap.
2 TCP Any 21 Any Any Yes
3 TCP Any Any 192.168.30.40 161 No
6 TCP Any Any 192.168.30.56 9876 No
7 TCP Any Any Any 9876 No
Table 492: Extended IPv4 ACL 120 rules overlapping rule 2
Rule Action Protocol Source Src Port Destination Dst Port Log
2 TCP Any 21 Any Any Yes
The following 5 rules overlap.
3 TCP Any Any 192.168.30.40 161 No
4 TCP 192.168.20.10 Any 192.168.30.40 161 No
5 TCP 192.168.20.12 Any 192.168.30.40 161 No
6 TCP Any Any 192.168.30.56 9876 No
7 TCP Any Any Any 9876 No
Table 493: Extended IPv4 ACL 120 rules overlapping rule 3
Rule Action Protocol Source Src Port Destination Dst Port Log
3 TCP Any Any 192.168.30.40 161 No
The following 2 rules overlap.
4 TCP 192.168.20.10 Any 192.168.30.40 161 No
5 TCP 192.168.20.12 Any 192.168.30.40 161 No
Table 494: Extended IPv4 ACL 120 rules overlapping rule 6
Rule Action Protocol Source Src Port Destination Dst Port Log
6 TCP Any Any 192.168.30.56 9876 No
The following rule overlaps.
7 TCP Any Any Any 9876 No
8.4.3 CiscoIOS15 Cisco Router
Nipper Studio identified 16 overlapping rules configured on CiscoIOS15. Those overlapping filter rules are detailed below.
Table 495: Extended IPv4 ACL cp-critical-in rules overlapping rule 1
Rule Action Protocol Source Src Port Destination Dst Port Frag Connection State Log
1 TCP 212.241.243.217 Any 212.241.243.218 179 No Any No
The following rule overlaps.
2 TCP 212.241.243.217 179 212.241.243.218 Any No Any No
Table 496: Extended IPv4 ACL cp-critical-in rules overlapping rule 3
Rule Action Protocol Source Src Port Destination Dst Port Frag Connection State Log
3 TCP 192.168.224.154 Any 192.168.224.153 179 No Any No
The following rule overlaps.
4 TCP 192.168.224.154 179 192.168.224.153 Any No Any No
Table 497: Extended IPv4 ACL cp-critical-in rules overlapping rule 5
Rule Action Protocol Source Src Port Destination Dst Port Frag Connection State Log
5 TCP 192.168.224.150 Any 192.168.224.149 179 No Any No
The following rule overlaps.
6 TCP 192.168.224.150 179 192.168.224.149 Any No Any No
Table 498: Extended IPv4 ACL cp-critical-in rules overlapping rule 7
Rule Action Protocol Source Src Port Destination Dst Port Frag Connection State Log
7 TCP 192.168.224.162 Any 192.168.224.161 179 No Any No
The following rule overlaps.
8 TCP 192.168.224.162 179 192.168.224.161 Any No Any No
Table 499: Extended IPv4 ACL 120 rules overlapping rule 1
Rule Action Protocol Source Src Port Destination Dst Port Log
1 Any 50.60.0.0/16 Any Any Any No
The following 4 rules overlap.
2 TCP Any 21 Any Any Yes
3 TCP Any Any 192.168.30.40 161 No
6 TCP Any Any 192.168.30.56 9876 No
7 TCP Any Any Any 9876 No
Table 500: Extended IPv4 ACL 120 rules overlapping rule 2
Rule Action Protocol Source Src Port Destination Dst Port Log
2 TCP Any 21 Any Any Yes
The following 5 rules overlap.
3 TCP Any Any 192.168.30.40 161 No
4 TCP 192.168.20.10 Any 192.168.30.40 161 No
5 TCP 192.168.20.12 Any 192.168.30.40 161 No
6 TCP Any Any 192.168.30.56 9876 No
7 TCP Any Any Any 9876 No
Table 501: Extended IPv4 ACL 120 rules overlapping rule 3
Rule Action Protocol Source Src Port Destination Dst Port Log
3 TCP Any Any 192.168.30.40 161 No
The following 2 rules overlap.
4 TCP 192.168.20.10 Any 192.168.30.40 161 No
5 TCP 192.168.20.12 Any 192.168.30.40 161 No
Table 502: Extended IPv4 ACL 120 rules overlapping rule 6
Rule Action Protocol Source Src Port Destination Dst Port Log
6 TCP Any Any 192.168.30.56 9876 No
The following rule overlaps.
7 TCP Any Any Any 9876 No
9 Configuration Report
9.1 Introduction
This section details the configuration settings of your devices in an easy to read and understand format. The various device configuration settings are grouped into sections of related options.
9.2 Cisco Router router03 Configuration Report
9.2.1 Basic Information
Table 503: Basic information
Description Setting
Name router03
Device Cisco Router
IOS 12.3
Configuration Revision sometime Fri June 10 2006 by anyone
9.2.2 Network Services
Table 504 outlines the network services configured on the device and their status. The service settings are described in greater detail in the following sections.
Table 504: Network services
Service Status Protocol Port
BOOTP Service Enabled UDP 67
Finger Service Enabled TCP 79
RSH Service Disabled TCP 514
TCP Small Servers Enabled TCP Multiple
UDP Small Servers Enabled UDP Multiple
SSH Service Disabled TCP 22
Telnet Service Disabled TCP 23
Web Administration Service (HTTP) Enabled TCP 80
Web Administration Service (HTTPS) Disabled TCP 443
SNMP Service Enabled UDP 161
IdentD Service Disabled TCP 113
NTP Service Disabled UDP 123
9.2.3 General Configuration Information
This section details the device's general configuration settings.
Table 505: General configuration information
Description Setting
Configuration Loading From Network Disabled
Service Password Encryption Disabled
9.2.4 Authentication
Cisco Router devices support multiple authentication sources, enabling the device to authenticate users against a local database of users stored on the device or against a remote user authentication service. This section details the authentication configuration settings for router03.
9.2.4.1 User Policy Settings
This section details the user policy configuration settings.
Table 506: User policy settings
Description Setting
Account Lockout Duration Forever
Minimum Password Length 2 Characters
9.2.4.2 Local Users
This section details the users configured on router03. The users can be assigned to different privilege levels which are configurable and determine the level of access granted. A level 15 user is the highest level and is typically reserved for management of the device. The enable user password is typically used for performing administration on Cisco Router devices. However, if an enable user password has not been configured, a line password will be used instead.
Table 507: Users
User Password Privilege Filter
enable (password) cisco 15
temp password 15
testuser password 15
localuser password 15
Console Line password 1
Auxiliary password 1
VTY 0-4 Line password 1
9.2.4.3 User Privileges
Table 508 details the custom user privileges defined on the device.
Table 508: User privileges
Mode Level Access
exec chicken privilege exec level chicken
9.2.5 Administration
This section describes the administration services and configuration settings that are supported by Cisco Router devices. Each subsection covers the configuration of a specific administration service or services.
9.2.5.1 General Administration Settings
This section describes some general Cisco Router device administration settings.
Table 509: General administration settings
Description Setting
AUX Port Enabled
TCP SYN Wait Time 30 seconds
Call Home Service Disabled
9.2.5.2 Telnet Service Settings
The Telnet service enables remote administrative access to a Command Line Interface (CLI) on router03. The Telnet protocol implemented by the service is simple and provides no encryption of the network communications between the client and the server. This section details the Telnet service settings.
Table 510: Telnet service settings
Description Setting
Telnet Service Disabled
Service TCP Port 23
9.2.5.3 BSD R Service Settings
The RSH service enables remote administrative access to a CLI on router03. The RSH protocol implemented by the service is simple and provides no encryption of the network communications between the client and the server. This section details the RSH service settings.
Table 511: BSD R service settings
Description Setting
RSH Service Disabled
Service TCP Port 514
RCP Disabled
9.2.5.4 SSH Service Settings
The SSH service enables a remote administrator to access a CLI on router03. The SSH protocol provides complete encryption of the network packets between the connecting client and the server. There are two main versions of the SSH protocol.
Cisco Router devices support both SSH protocol versions 1 and 2. Support for SSH was introduced in IOS version 12.0(5) and support for SSH protocol version 2 was added from IOS version 12.3(2). IOS devices that support both versions of the SSH protocol default to allowing connections from clients using either version.
This section details the SSH service settings.
Table 512: SSH service settings
Description Setting
SSH Service Disabled
Service TCP Port 22
SSH Protocol Versions 1 and 2
Authentication Timeout 2 minutes
9.2.5.5 Web-Based Administration Service Settings
The Web-based administration service enables a remote administrator to manage the device using a web browser. Cisco Router devices provide administrative access using both the HTTP and HTTPS protocols. Although the HTTPS protocol provides encryption of the connection between the administrator and the device, the HTTP protocol provides no encryption.
This section details the configuration of the web-based administration.
Table 513: Web-based administration service settings
Description Setting
Web Administration Service (HTTP) Enabled
HTTP TCP Port 80
Web Administration Service (HTTPS) Disabled
HTTPS TCP Port 443
Secure Web Administration Service Redirect Disabled
Connection Timeout 3 minutes
Table 514 lists the configured HTTPS web-based administration service encryption ciphers.
Table 514: HTTPS web-based administration service encryption ciphers
Encryption Message Authentication Key Length SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2
3DES SHA1 168 bits No Yes No No No
RC4 SHA1 128 bits No Yes No No No
RC4 MD5 128 bits No Yes No No No
DES SHA1 56 bits No Yes No No No
9.2.5.6 Small Servers Settings
Small servers are typically provided for legacy or diagnostics purposes. The servers include "echo", which responds with a copy of what is sent to it, "discard", which ignores anything that is sent to it, and "chargen", which returns characters. This section details their configuration.
Table 515: Small servers settings
Description Setting
TCP Small Servers Enabled
UDP Small Servers Enabled
9.2.5.7 BOOTP Service Settings
The BOOTP service allows remote hosts to load their operating system over the network. This section details the BOOTP service's configuration.
Table 516: BOOTP service settings
Description Setting
BOOTP Service Enabled
UDP Port 67
9.2.5.8 Finger Service Settings
The Finger service enables network users to query Cisco Router devices for information on users. This section details the Finger service's configuration.
Table 517: Finger service settings
Description Setting
Finger Service Enabled
TCP Port 79
9.2.5.9 Administrative Interface Line Settings
The administrative interface line settings are used on router03 devices to configure administrative access using a number of different services. The previous sections have covered the specific administration services and their authentication configurations. This section details all the administrative interface lines configured on router03, the timeouts and other options.
Table 518: Administrative interface line configuration
Line Exec Timeout Absolute Timeout Session Timeout Login Timeout Filter In Filter Out
Console 10 minutes None 25 minutes 30 seconds
Auxiliary 10 minutes None 25 minutes 30 seconds
VTY 0-4 10 minutes None None 30 seconds 10
9.2.6 Logon Banner Messages
The importance of banner messages can often be overlooked. Banner messages are useful for providing a deterrent against unauthorized access or reminding a user about procedural details for making modifications to a device's configuration. If a warning message has been configured and an attacker has gained unauthorized access, the banner message could act as evidence of an attacker's intent. This section details the banner messages configured on router03.
9.2.6.1 Login Banner
The Login banner message is presented to users before they log on to Cisco Router devices and after the MOTD message is shown on Telnet connections. The Login banner message configured on router03 follows:
This is a test banner.
Table 519: Banner Status
Status
Enabled
9.2.7 SNMP Settings
SNMP is used to assist network administrators in monitoring and managing a wide variety of network devices. There are three main versions of SNMP in use. Versions 1 and 2 of SNMP are both secured with a community string and authenticate and transmit network packets without any form of encryption. SNMP version 3 provides several levels of authentication and encryption. The most basic level provides a similar protection to that of the earlier protocol versions. However, SNMP version 3 can be configured to provide encrypted authentication (auth) and secured further with support for encrypted data communications (priv).
This section describes the router03 SNMP configuration settings.
Table 520: SNMP settings
Description Setting
SNMP Service Enabled
UDP Port 161
Location Somewhere
TFTP Server Filter List
Manager Disabled
Manager Session Timeout 10 minutes
SNMP System Shutdown Enabled
Trap Source Interface
Maximum Trap Queue Length 10
Trap Timeout 30 seconds
Maximum Packet Size 1500 Bytes
9.2.7.1 SNMP Community
SNMP community strings are used to authenticate access between a NMS and the Cisco Router SNMP agent. A connecting NMS, using SNMP protocol versions 1 or 2c, must provide the SNMP agent with a valid community string when making a MIB read or write request.
Table 521: SNMP community configuration
Community Access Version View ACL
public Read Only 1 20
private Read/Write 1
9.2.7.2 SNMP Traps And Informs
The Cisco Router SNMP agent can be configured to send trap notifications to a NMS or SNMP manager host. Once a trap is sent, the Cisco Router SNMP agent assumes that the receiving host received the notification; no confirmation is expected. Inform notifications are similar to traps, but the receiving host is expected to confirm receipt of the notification. If a confirmation is not received the Cisco Router SNMP agent can retry.
Table 522: SNMP trap and inform hosts
Host Type Version Security Community Notifications Port
192.168.20.30 Trap 1 Community private snmp 162
192.168.20.40 Trap 1 Community private snmp 162
9.2.8 Message Logging
Cisco Router devices are capable of logging system events and messages. Those logs can then be recalled at a later time, assisting administrators in the diagnosis of system faults or alerting system administrators of an attack. This section details the device's logging configuration.
9.2.8.1 General Logging Settings
This section details the configuration settings that affect the logging facilities.
Table 523: General logging settings
Description Setting
Device Logging Services Enabled
Logging Message Rate Limit None
Message History Severity Level Warnings (4)
Maximum Number of History Messages 1
Include Sequence Numbers in Logs Disabled
Include Time Stamps in Logs Enabled
9.2.8.2 Syslog Logging
Syslog messages can be sent by Cisco Router devices to a Syslog server. Syslog servers provide the following advantages:
a central repository for logs from a range of network devices; a potentially longer retention period for logs than a device may be capable of storing; a troubleshooting resource for when a device may no longer be responsive; an external log source, in case the security of a device has been compromised; support for an industry standard logging system.
This section details the Syslog configuration settings.
Table 524: Syslog logging configuration
Description Setting
Syslog Logging Disabled
Severity Level Informational (6)
Syslog Source Interface
9.2.8.3 Internal Buffer Logging Settings
Cisco Router devices can log messages to an internal buffer. By its nature, the buffer is size limited and therefore newer messages will overwrite older ones when the buffer's size has been reached. This section details the internal buffer logging configuration settings.
Table 525: Internal buffer logging configuration
Description Setting
Buffer Logging Disabled
Logging Severity Level Debugging (7)
Buffer Size System Default
9.2.8.4 Console Logging
Cisco Router devices are capable of sending system logging to the console. This section details those configuration settings.
Table 526: Console logging configuration
Description Setting
Console Logging Enabled
Logging Severity Level Debugging (7)
9.2.8.5 Terminal Line Logging
Cisco Router devices are capable of sending system logging to the terminal lines. This section details those configuration settings.
Table 527: Terminal line logging configuration
Description Setting
Terminal Line Logging Enabled
Logging Severity Level Debugging (7)
9.2.9 Name Resolution Settings
Cisco Router devices can be configured to resolve name to address mappings. This section details those settings.
9.2.9.1 DNS Client
The DNS service stores information about mappings between a device's IP address and a name, which is easier for humans to recognize and remember. Cisco Router devices can be configured to query a DNS in order to resolve names to addresses. This section details those configuration settings.
Table 528: DNS client configuration
Description Setting
DNS Type Standard
Domain nipper.org
DNS Lookups Enabled
9.2.10 Network Protocols
This section details the configuration of the network protocols supported by Cisco Router devices. Each section details specific settings such as any network protocol address configuration settings.
9.2.10.1 General Settings
This section details the general protocol and address configuration settings.
Table 529: General interface related settings
Description Setting
Gratuitous ARP Disabled
IdentD Service Disabled
PAD Service Enabled
9.2.10.2 IPv4
This section details the configuration of the IPv4 protocol and addresses. IPv4 is described in RFC 791.
Table 530: General IPv4 protocol settings
Description Setting
Inbound TCP Keep-Alives Disabled
Outbound TCP Keep-Alives Enabled
Table 531: IPv4 addresses
Interface Active Address Proxy-ARP Directed ACL In ACL Out
GigabitEthernet1/1 Yes 10.0.0.1 Off On
GigabitEthernet1/2 Yes 10.0.0.2 On On
Table 532: IPv4 ICMP Options
Interface Active Unreachables Redirects Mask Reply Information
GigabitEthernet1/1 Yes On On On Off
GigabitEthernet1/2 Yes On On On Off
9.2.10.3 DEC
Cisco Router devices can be configured with support for Digital Equipment Corporation (DEC) protocols. This section details those protocol specific configuration settings.
Table 533: DEC interface protocols
Interface Active MOP ACL In ACL Out
GigabitEthernet1/1 Yes On
GigabitEthernet1/2 Yes On
9.2.10.4 LLDP Settings
This section describes the configuration of the Link Layer Discovery Protocol (LLDP) on router03. LLDP is an industry standard protocol designed to advertise the device's capabilities to other network devices. The information sent can include the system's name, management address, VLAN, capabilities and port details. LLDP provides a similar function to proprietary protocols such as CDP and is described in greater detail in the Institute of Electrical and Electronics Engineers (IEEE) standards document 802.1AB.
Table 534: LLDP settings
Description Setting
LLDP Send Disabled
LLDP Receive Disabled
LLDP Refresh Interval 30 seconds
On Cisco Router devices, LLDP can be enabled and disabled on individual network interfaces. Table 535 details those settings.
Table 535: LLDP on network interfaces
Interface Active LLDP Send LLDP Receive
GigabitEthernet1/1 Yes On On
GigabitEthernet1/2 Yes On On
9.2.10.5 CDP Settings
This section describes the configuration of CDP on router03. CDP was developed by Cisco for use with network management tools and, if enabled, the network packets sent will contain information about the sending device. CDP network packets will typically include details such as the device model information, operating system information and other device configuration details.
Table 536: CDP settings
Description Setting
CDP Enabled
CDP Version 2
On Cisco Router devices, CDP can be enabled and disabled on individual network interfaces. Table 537 details those settings.
Table 537: CDP on network interfaces
Interface Active CDP
GigabitEthernet1/1 Yes On
GigabitEthernet1/2 Yes On
9.2.10.6 DTP Settings
DTP is a proprietary protocol developed by Cisco for the purpose of negotiating VLAN trunking between switches. DTP is enabled and disabled on individual network ports; this section describes the configuration of DTP on router03.
Table 538: DTP on network interfaces
Interface Active VLAN Trunk Trunk VLAN DTP
GigabitEthernet1/1 Yes 1 Yes All On
GigabitEthernet1/2 Yes 1 Yes All On
9.2.10.7 VTP Settings
VTP is a layer 2 protocol developed by Cisco to assist with the management of VLANs over multiple devices. The protocol enables the VLANs to be added, renamed or deleted on a single switch and for those changes to be propagated to other switches in the same VTP domain.
Table 539: VTP settings
Description Setting
VTP Version 1
VTP Domain
VTP Password VTP
VTP Mode Server
VTP Pruning Disabled
9.2.10.8 IEEE 802.1X Port Access Control Settings
This section describes the configuration of the IEEE 802.1X port access control settings on router03. IEEE 802.1X provides for the authentication of network clients to help prevent unauthorized network devices from gaining access to network resources.
Table 540: IEEE 802.1X on network interfaces
Interface Active IEEE 802.1X Re-Auth
GigabitEthernet1/1 Yes Always Authorized Disabled
GigabitEthernet1/2 Yes Always Authorized Disabled
9.2.10.9 Port Security Settings
This section describes the configuration of the port security settings on router03. Port security provides a mechanism whereby access to a network interface can be limited to specific MAC addresses that can either be defined or discovered. If access outside of the permitted MAC addresses is detected then access to the port can be disabled.
Table 541: Port security settings
Interface Active Security Max MAC Aging Age Type Sticky MAC
GigabitEthernet1/1 Yes Off N/A N/A N/A N/A
GigabitEthernet1/2 Yes Off N/A N/A N/A N/A
9.2.11 Network Interfaces
This section details the configuration of both physical and virtual network interfaces.
9.2.11.1 GigabitEthernet Interfaces
This section describes the configuration of the device's GigabitEthernet interfaces.
Table 542: GigabitEthernet interfaces
Interface Active VLAN Trunk Trunk VLAN
GigabitEthernet1/1 Yes 1 Yes All
GigabitEthernet1/2 Yes 1 Yes All
9.2.12 Routing Configuration
Cisco Router devices' routing tables can be configured with static routes or updated dynamically. Routing protocols are used by network routing devices to dynamically update the routing tables that devices use to forward network traffic to their destination. Routing protocols can be split into two different categories: Interior Gateway Protocols (IGPs) and Exterior Gateway Protocols (EGPs). IGPs are usually used in situations where the routing devices are all controlled by a single entity, such as within a company. EGPs are usually used in situations where routing devices are managed by a number of entities, such as the Internet. Typically routing devices will support a number of standard routing protocols.
This section describes the routing configuration settings.
Table 543: General Routing Settings
Description Setting
Classless Routing Ignored
IP Source Routing Enabled
9.2.12.1 RIP Configuration
RIP is an IGP and calculates routes using a distance vector. RIP is only suitable for small networks: routing updates are sent every 30 seconds and contain the entire routing table. Furthermore, RIP has a maximum distance of 15 hops. If RIP routes have not been updated within three minutes the route is marked as unusable. Routes not updated within four minutes are removed.
Table 544: RIP configuration
Description Setting
RIP Routing Enabled
RIP Send Version 1
RIP Receive Version 1 and 2
Timeout 0
Update Interval 0
Route Summary Enabled
Inbound Distribution List
Outbound Distribution List
The following networks are included in the RIP routing updates:
10.0.0.0.
Table 545 details the configuration of RIP on individual network interfaces.
Table 545: RIP network interface configuration
Interface Active Passive Send Receive Auth Key ID
GigabitEthernet1/1 Yes No V1 V1 and V2 Clear Text routing-chain
GigabitEthernet1/2 Yes No V2 V1 and V2 None N/A
9.2.12.2 OSPF Configuration
The OSPF routing protocol is an IGP. OSPF network packets are sent when the network configuration changes, such as when a route goes down, and the packets only contain the change. Since the information sent in the OSPF network packets is limited to any network changes, the protocol is well suited to complex network configurations.
Table 546: Process 6 OSPF configuration
Description Setting
OSPF Routing Enabled
Router ID
Maximum LSA Unlimited
RFC 1583 Compatibility Enabled
Inbound Distribution List
Outbound Distribution List
Table 547: Process 6 OSPF area 0.0.0.0
Address Authentication
10.0.0.1/24 None
Table 548: Process 6 OSPF area 30.10.20.40
Address Authentication
192.168.0.1/24 None
Table 549 details the configuration of OSPF on individual network interfaces.
Table 549: OSPF network interface configuration
Interface Active Passive Area Priority Type Auth Mode Key ID Route Cost Hello Interval Dead Interval Retransmit Interval Transmit Delay
GigabitEthernet1/1 Yes No 1 Point to MultiPoint None N/A Default 10 seconds 40 seconds 5 seconds 1 second
GigabitEthernet1/2 Yes No 1 Point to MultiPoint None N/A Default 10 seconds 40 seconds 5 seconds 1 second
9.2.12.3 BGP Configuration
BGP is an EGP and a core Internet routing protocol. BGP routers maintain a list of reachable networks which are shared between defined BGP peers using TCP connections. This section details the BGP routing configuration.
Table 550: AS 1 BGP configuration
Description Setting
BGP AS Number 1
Router ID 192.168.56.5
BGP Route Dampening Disabled
Inbound Distribution List
Outbound Distribution List
The following networks are included in the BGP routing updates:
192.168.22.1 255.255.255.255.
This section details the BGP Autonomous Systems (AS) neighbors for which routing updates will be shared. All authentication makes use of MD5 hashing for security and integrity.
Table 551: AS 1 BGP neighbors
Address Remote AS Password Version Weight Peer Group Map In Map Out
router01 12345 4 0
9.2.12.4 EIGRP Configuration
EIGRP is an IGP and is a distance-vector based protocol like RIP, but incorporates some features from link-state protocols such as OSPF. EIGRP was developed by Cisco as an enhanced version of the Interior Gateway Routing Protocol (IGRP). Unlike RIP, EIGRP transmits changes to network routes to its neighbors and is suitable for larger networks.
Table 552: EIGRP AS 14 configuration
Description  Setting
Router ID
Auto Summary  Disabled
Inbound Distribution List
Outbound Distribution List  40
Routing updates can be redistributed by EIGRP from an alternative routing protocol, or configuration. The following route sources are configured to be redistributed by EIGRP:
connected; static.
Table 553: EIGRP AS 14 networks
Address
10.0.0.0
172.10.1.0
Table 554: EIGRP AS 3 configuration
Description  Setting
Router ID  127.0.0.1
Auto Summary  Disabled
Inbound Distribution List
Outbound Distribution List
Table 555: EIGRP AS 3 networks
Address
192.168.56.0
Table 556 details the configuration of EIGRP on individual network interfaces.
Table 556: EIGRP network interface configuration
Interface  Active  AS  Passive  Interval  Hold  Bandwidth  Auth  Key ID
GigabitEthernet1/2  Yes  3  No  5 seconds  14 seconds  50%  None  N/A
9.2.12.5 HSRP Configuration
HSRP is a Cisco proprietary protocol used to provide router redundancy against a single point of failure. HSRP uses a virtual router address which is used to process routing and is then routed by the physical routers in the HSRP router group.
HSRP routers will send multicast advertisements with their priority and the HSRP router with the highest priority will act as the virtual gateway. If the router fails for whatever reason, the router with the next highest priority will take over. The HSRP router group will respond to the same MAC address, providing transparency for network devices. The default MAC address is 00:00:0C:07:AC:xy, where xy is the HSRP router group (the default group is 0).
HSRP is not a routing protocol.
Table 557: HSRP network interface configuration
Interface  Active  Name  Number  Version  Address  MAC  Priority  Auth  Key Chain/ID  SSO
GigabitEthernet1/1  Yes  0  2  192.168.5.10  00:00:0C:07:AC:00  100  Clear Text  1  Yes
GigabitEthernet1/2  Yes  20  1  192.168.5.20  00:00:0C:07:AC:20  100  None  N/A  Yes
HSRP supports authentication using a key. Table 558 details the configured HSRP authentication keys.
Table 558: HSRP authentication keys
Key ID  Authentication Key
1  Passw0rd
9.2.12.6 VRRP Configuration
VRRP is an industry standard protocol used to provide router redundancy against a single point of failure. VRRP uses a virtual router address which is used to process routing and is then routed by the physical routers in the VRRP router group.
The VRRP master router will send advertisements to other routers in the same VRRP group. If the master VRRP router fails, the other routers in the VRRP group hold an election to determine which router will become the new master. A priority number is used in the master router election, with the highest priority number taking precedence.
VRRP is not a routing protocol.
Table 559: VRRP configuration
Description  Setting
VRRP Routing  v2
Table 560: VRRP network interface configuration
Interface  Active  VRRP  Address  Description  Priority  Auth  Key Chain/ID
GigabitEthernet1/1  Yes  2  192.168.4.2  100  Clear Text  1
GigabitEthernet1/2  Yes  3  192.168.3.2  100  None  N/A
VRRP supports authentication using a key (or shared secret). Table 561 details the configured VRRP authentication keys.
Table 561: VRRP authentication keys
Key ID  Authentication Key
1  password
9.2.12.7 GLBP Configuration
GLBP is a Cisco proprietary protocol used to provide router load balancing and redundancy against a single point of failure. GLBP uses a virtual router address which is used to process routing and is then routed by the physical routers in the GLBP router group.
The GLBP group priority is used to determine which router becomes the AVG and which will become the AVFs. The router with the highest priority will become the AVG; the priority is also used to determine the next AVG if the first one fails. The AVG responds to ARP requests for the virtual router and responds with a virtual MAC address for the AVFs.
The GLBP weighting is used to determine the routing capacity of each router.
GLBP is not a routing protocol.
Table 562: GLBP network interface configuration
Interface  Active  Group  Name  Address  Priority  Weighting  Auth  Key Chain/ID
GigabitEthernet1/1  Yes  44  192.168.8.42  100  100  Clear Text  1
GigabitEthernet1/2  Yes  40  192.168.7.42  100  100  None  N/A
GLBP supports authentication using a key (or shared secret). Table 563 details the configured GLBP authentication keys.
Table 563: GLBP authentication keys
Key ID  Authentication Key
1  Passw0rd
9.2.12.8 Routing Authentication Key Configuration
Authentication keys, also referred to as shared secrets, can be configured to provide a method of authenticating routing updates in order to provide a level of assurance that routing updates are from trusted sources. This section details the configured routing authentication keys.
Table 564: Routing authentication keys
Key Chain  Key ID  Key
testchain  1  password
routing-chain  1  cisco
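The authentication settings in Tables 557 to 564 (clear-text or absent authentication on the first-hop redundancy groups, short dictionary keys in the key chains) can be checked mechanically. The following Python is an added example, not code from the Nipper Studio report; the rows are transcribed from those tables, while the minimum key length and the weak-key list are assumptions of this example.

```python
"""Added example: review of the HSRP/VRRP/GLBP and routing-key authentication
settings shown in Tables 557 to 564 (not code from the Nipper Studio report).
The rows below are transcribed from those tables; MIN_KEY_LENGTH and
COMMON_WEAK_KEYS are assumptions of this example, not report settings."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_KEY_LENGTH = 12                                                    # assumed local policy
COMMON_WEAK_KEYS = {"password", "passw0rd", "cisco", "secret", "key"}  # assumed list


@dataclass(frozen=True)
class AuthSetting:
    protocol: str         # HSRP, VRRP, GLBP or "Key chain" for Table 564 entries
    scope: str            # interface or key-chain entry the setting applies to
    auth_mode: str        # "None", "Clear Text" or "MD5" as printed in the tables
    key: Optional[str]    # configured key, None when no key is set


def review(setting: AuthSetting) -> List[str]:
    """Return the findings for one setting (an empty list means no finding).

    Without authentication any host on the segment can claim the virtual gateway
    or inject routes; a clear-text key is readable by anyone who can capture the
    hello packets; a short or dictionary key makes MD5 authentication guessable.
    """
    findings = []
    where = f"{setting.protocol} on {setting.scope}"
    mode = setting.auth_mode.strip().lower()
    if mode == "none":
        return [f"{where}: no authentication configured"]
    if mode in ("clear text", "cleartext", "text"):
        findings.append(f"{where}: clear-text authentication, key visible on the wire")
    if not setting.key:
        findings.append(f"{where}: authentication enabled but no key configured")
        return findings
    if len(setting.key) < MIN_KEY_LENGTH:
        findings.append(f"{where}: key shorter than {MIN_KEY_LENGTH} characters")
    if setting.key.lower() in COMMON_WEAK_KEYS:
        findings.append(f"{where}: key is a common dictionary value")
    return findings


# Transcribed from Tables 557/558, 560/561, 562/563 and 564: the key of each
# interface is looked up by its Key ID in the matching authentication-keys table.
SETTINGS = [
    AuthSetting("HSRP", "GigabitEthernet1/1", "Clear Text", "Passw0rd"),
    AuthSetting("HSRP", "GigabitEthernet1/2", "None", None),
    AuthSetting("VRRP", "GigabitEthernet1/1", "Clear Text", "password"),
    AuthSetting("VRRP", "GigabitEthernet1/2", "None", None),
    AuthSetting("GLBP", "GigabitEthernet1/1", "Clear Text", "Passw0rd"),
    AuthSetting("GLBP", "GigabitEthernet1/2", "None", None),
    AuthSetting("Key chain", "testchain key 1", "MD5", "password"),
    AuthSetting("Key chain", "routing-chain key 1", "MD5", "cisco"),
]


def review_all(settings: List[AuthSetting] = SETTINGS) -> Dict[str, List[str]]:
    """Findings per setting; settings without findings are left out."""
    result = {}
    for s in settings:
        f = review(s)
        if f:
            result[f"{s.protocol} {s.scope}"] = f
    return result


if __name__ == "__main__":
    for findings in review_all().values():
        print("\n".join(findings))
```

Every one of the eight transcribed settings produces at least one finding; an MD5-authenticated interface with a long random key would produce none.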
9.2.13 Network Filtering
Cisco Router devices can be configured to filter network traffic in order to restrict access to devices and services. Those network filtering settings are detailed in this section.
9.2.13.1 Extended IPv4 ACL
Extended ACLs permit or deny network traffic based on IPv4 source and destination addresses and network ports. Extended ACLs are used for checks on traffic passing through the device.
Table 565: Extended IPv4 ACL named-acl-1
Rule  Action  Protocol  Source  Src Port  Destination  Dst Port  Log
1 Any 172.168.2.3 Any Any Any No
2 Any 10.8.10.11 Any Any Any No
3 Any Any Any Any Any No
Table 566: Extended IPv4 ACL named-acl-2
Rule  Action  Protocol  Source  Src Port  Destination  Dst Port  Log
1 Any 192.168.76.4 Any Any Any No
2 Any 172.18.19.1 Any Any Any No
Table 567: Extended IPv4 ACL cp-critical-in
Rule  Action  Protocol  Source  Src Port  Destination  Dst Port  Frag  Connection State  Log
Control plane critical traffic - inbound
BGP
1 TCP 212.241.243.217 Any 212.241.243.218 179 No Any No
2 TCP 212.241.243.217 179 212.241.243.218 Any No Any No
3 TCP 192.168.224.154 Any 192.168.224.153 179 No Any No
4 TCP 192.168.224.154 179 192.168.224.153 Any No Any No
5 TCP 192.168.224.150 Any 192.168.224.149 179 No Any No
6 TCP 192.168.224.150 179 192.168.224.149 Any No Any No
7 TCP 192.168.224.162 Any 192.168.224.161 179 No Any No
8 TCP 192.168.224.162 179 192.168.224.161 Any No Any No
9 TCP 192.168.123.123 Any 192.192.192.192 21 No Any No
DHCP
10 UDP 0.0.0.0 Any 255.255.255.255 67 No Any No
11 UDP 10.1.23.1 67 Any 67 No Any No
CSM Probes HTTP
12 TCP 192.168.224.10 Any 192.168.224.51 80 No Any No
13 TCP 192.168.224.10 Any 192.168.224.52 80 No Any No
14 TCP 192.168.224.51 80 192.168.224.10 Any No Any No
15 TCP 192.168.224.52 80 192.168.224.10 Any No ESTABLISHED No
16 TCP 192.168.224.11 Any 192.168.224.51 80 No Any No
17 TCP 192.168.224.11 Any 192.168.224.52 80 No Any No
18 TCP 192.168.224.51 80 192.168.224.11 Any Yes Any No
19 TCP 192.168.224.52 80 192.168.224.11 Any No Any No
CSM Probes HTTPS
20 TCP 192.168.224.10 Any 192.168.224.51 443 No Any No
21 TCP 192.168.224.10 Any 192.168.224.52 443 No Any Yes
22 TCP 192.168.224.51 443 192.168.224.10 Any No Any No
23 TCP 192.168.224.52 443 192.168.224.10 Any No Any No
24 TCP 192.168.224.11 Any 192.168.224.51 443 No Any Yes
25 TCP 192.168.224.11 Any 192.168.224.52 443 No Any No
26 TCP 192.168.224.51 443 192.168.224.11 Any No Any No
27 TCP 192.168.224.52 443 192.168.224.11 Any No Any No
CSM Probes ICMP
28 ICMP 192.168.224.10 192.168.224.51 No Any No
29 ICMP 192.168.224.10 192.168.224.52 No Any No
30 ICMP 192.168.224.51 192.168.224.10 No Any No
31 ICMP 192.168.224.52 192.168.224.10 No Any No
32 ICMP 192.168.224.11 192.168.224.51 No Any No
33 ICMP 192.168.224.11 192.168.224.52 No Any No
34 ICMP 192.168.224.51 192.168.224.11 No Any No
35 ICMP 192.168.224.52 192.168.224.11 No Any No
36 Any Any Any Any Any No Any No
Table 568: Extended IPv4 ACL 110
Rule  Action  Protocol  Source  Src Port  Destination  Dst Port  Log
1 TCP Any Any Any Any No
Table 569: Extended IPv4 ACL 120
Rule  Action  Protocol  Source  Src Port  Destination  Dst Port  Log
1 Any 50.60.0.0/16 Any Any Any No
2 TCP Any 21 Any Any Yes
3 TCP Any Any 192.168.30.40 161 No
4 TCP 192.168.20.10 Any 192.168.30.40 161 No
5 TCP 192.168.20.12 Any 192.168.30.40 161 No
6 TCP Any Any 192.168.30.56 9876 No
7 TCP Any Any Any 9876 No
8 TCP Any Any 192.168.30.56 9876 No
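As an added example (not code from the Nipper Studio report), the following Python evaluates an extended IPv4 ACL in the Rule/Action/Protocol/Source/Src Port/Destination/Dst Port layout of Tables 565 to 569 with Cisco's first-match semantics and implicit deny, and flags entries that an earlier entry makes unreachable or that permit any traffic. The Action values were not captured in the transcript above, so the permit/deny choices in the sample lists are assumptions of this example.

```python
"""Added example (not code from the Nipper Studio report): first-match
evaluation and reachability review of an extended IPv4 ACL in the
Rule/Action/Protocol/Source/SrcPort/Destination/DstPort layout of Tables 565
to 569. The sample lists mirror Tables 565 and 569; their permit/deny actions
were not captured in the transcript and are assumptions of this example."""
import ipaddress
from typing import List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def _net(text: str) -> ipaddress.IPv4Network:
    """'Any' -> 0.0.0.0/0, '50.60.0.0/16' -> that prefix, a bare address -> /32."""
    return ANY_NET if text.lower() == "any" else ipaddress.ip_network(text, strict=False)


def _port(text: str) -> Optional[int]:
    """'Any' -> None (wildcard), otherwise the numeric port."""
    return None if text.lower() == "any" else int(text)


class Rule:
    def __init__(self, number: int, action: str, proto: str, src: str,
                 sport: str, dst: str, dport: str):
        self.number, self.action = number, action.lower()
        self.proto = proto.lower()                    # "any", "tcp", "udp", "icmp"
        self.src, self.dst = _net(src), _net(dst)
        self.sport, self.dport = _port(sport), _port(dport)

    def matches(self, proto: str, src: str, sport: Optional[int],
                dst: str, dport: Optional[int]) -> bool:
        return (self.proto in ("any", proto.lower())
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.sport in (None, sport)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True when every packet matched by `other` would match self first."""
        return (self.proto in ("any", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.sport in (None, other.sport)
                and self.dport in (None, other.dport))

    def is_permit_all(self) -> bool:
        return (self.action == "permit" and self.proto == "any"
                and self.src == ANY_NET and self.dst == ANY_NET
                and self.sport is None and self.dport is None)


def evaluate(acl: List[Rule], proto: str, src: str, sport: Optional[int],
             dst: str, dport: Optional[int]) -> Tuple[str, Optional[int]]:
    """Cisco processes an ACL top-down: the first matching entry decides, and an
    implicit 'deny any' at the end catches everything else (returned as rule None)."""
    for rule in acl:
        if rule.matches(proto, src, sport, dst, dport):
            return rule.action, rule.number
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[Tuple[int, int]]:
    """(earlier, later) pairs where the later entry can never be the first match."""
    found = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if earlier.covers(later):
                found.append((earlier.number, later.number))
                break
    return found


def permit_all_rules(acl: List[Rule]) -> List[int]:
    """Entries that permit any protocol from any source to any destination."""
    return [r.number for r in acl if r.is_permit_all()]


# Mirrors Table 569 (ACL 120); permit/deny actions assumed.
ACL_120 = [
    Rule(1, "deny",   "Any", "50.60.0.0/16",  "Any", "Any",           "Any"),
    Rule(2, "deny",   "TCP", "Any",           "21",  "Any",           "Any"),
    Rule(3, "deny",   "TCP", "Any",           "Any", "192.168.30.40", "161"),
    Rule(4, "permit", "TCP", "192.168.20.10", "Any", "192.168.30.40", "161"),
    Rule(5, "permit", "TCP", "192.168.20.12", "Any", "192.168.30.40", "161"),
    Rule(6, "permit", "TCP", "Any",           "Any", "192.168.30.56", "9876"),
    Rule(7, "permit", "TCP", "Any",           "Any", "Any",           "9876"),
    Rule(8, "permit", "TCP", "Any",           "Any", "192.168.30.56", "9876"),
]

# Mirrors Table 565 (named-acl-1); actions assumed. Entry 3 is an any/any entry.
NAMED_ACL_1 = [
    Rule(1, "permit", "Any", "172.168.2.3", "Any", "Any", "Any"),
    Rule(2, "permit", "Any", "10.8.10.11",  "Any", "Any", "Any"),
    Rule(3, "permit", "Any", "Any",         "Any", "Any", "Any"),
]

if __name__ == "__main__":
    # The host of entry 4 is denied by entry 3 before entry 4 is ever reached.
    print(evaluate(ACL_120, "tcp", "192.168.20.10", 40000, "192.168.30.40", 161))
    print("shadowed:", shadowed_rules(ACL_120))
    print("permit-all:", permit_all_rules(NAMED_ACL_1))
```

Shadowing is independent of the assumed actions: an entry whose traffic is fully covered by an earlier entry is unreachable whatever either entry does, which is why entries 4, 5 and 8 of ACL 120 can be flagged from the table alone.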
9.2.13.2 Standard IPv4 ACL
Standard ACLs only define the IPv4 source address and process the network packets solely based on that. Standard ACLs are typically used to restrict access to device services or protocols.
Table 570: Standard IPv4 ACL 40
Rule  Action  Source  Log
1 192.168.2.1 No
2 172.10.1.35 No
3 10.0.0.1 No
4 192.168.0.1 No
5 Any Yes
9.2.14 IPS Settings
Cisco Router devices can be configured to detect network traffic patterns that are typically associated with malicious activity or are simply undesirable. IPS settings are those that enable the device to prevent the potentially malicious network activity by blocking the network traffic when detected. This section details those configuration settings.
Table 571: General IPS settings
Description  Setting
Cisco Express Forwarding  Enabled
Table 572: IPS settings
IPS Feature  Setting
Unicast RPF Verification  Enabled on GigabitEthernet1/1
Enabled on GigabitEthernet1/2
9.2.15 Time And Date
It can be critically important that the time and date set on all network devices match. Many authentication services depend on the time between devices being synchronized; if a clock is outside a threshold then that device may no longer be able to perform authentication. Furthermore, diagnosing issues with the use of message logs becomes much more cumbersome if the time and dates between devices do not match. Cisco Router devices can be configured to obtain time updates from a network time source. This section details the time and date configuration settings.
9.2.15.1 Time Zones
Table 573: General Time Settings
Description  Setting
Time Zone  GMT 0
Summer Time Daylight Saving  Enabled
9.2.15.2 NTP Client Configuration
Cisco Router devices can be configured to synchronize their time from an NTP time source (Request For Comments (RFC) 1305, http://www.faqs.org/rfcs/rfc1305.html). This section details those NTP client configuration settings.
Table 574: NTP client settings
Description  Setting
NTP Client  Enabled
Accept Broadcast Updates  Disabled
Accept Multicast Updates  Disabled
NTP Authentication  Disabled
Source Interface
Table 575 details the NTP time sources used to provide the time updates to the device.
Table 575: NTP client time sources
Address  Auth Key  Version
1.1.1.1  3
NTP client settings on Cisco Router devices can be configured on individual interfaces. These are listed in Table 576.
Table 576: Interface NTP client settings
Interface  Active  NTP  NTP Broadcasts  NTP Multicasts
GigabitEthernet1/1  Yes  Enabled  Disabled  Disabled
GigabitEthernet1/2  Yes  Enabled  Disabled  Disabled
9.2.15.3 NTP Server Configuration
Cisco Router devices can be configured to provide an NTP time source for other network devices. This section details the NTP server configuration.
Table 577: NTP server configuration
Description  Setting
NTP Service  Disabled
Multicast NTP Server  Disabled
Broadcast NTP Server  Disabled
NTP Master  Disabled
NTP server settings on Cisco Router devices can be configured on individual interfaces. These are listed in Table 578.
Table 578: Interface NTP server settings
Interface  Active  NTP  Broadcast Server  Broadcast Version  Multicast Address  Multicast Key  Multicast Version
GigabitEthernet1/1  Yes  Enabled  Disabled  3  3
GigabitEthernet1/2  Yes  Enabled  Disabled  3  3
9.3 Cisco Router CiscoIOS15 Configuration Report
9.3.1 Basic Information
Table 579: Basic information
Description  Setting
Name  CiscoIOS15
Device  Cisco Router
IOS  15.0
Configuration Revision  12:42:43 UTC Wed Aug 24 2016 by admin
9.3.2 Network Services
Table 580 outlines the network services configured on the device and their status. The service settings are described in greater detail in the following sections.
Table 580: Network services
Service  Status  Protocol  Port
Telnet Service  Disabled  TCP  23
RSH Service  Disabled  TCP  514
SSH Service  Enabled  TCP  22
Web Administration Service (HTTP)  Disabled  TCP  80
Web Administration Service (HTTPS)  Disabled  TCP  443
TCP Small Servers  Disabled  TCP  Multiple
UDP Small Servers  Disabled  UDP  Multiple
BOOTP Service  Disabled  UDP  67
Finger Service  Disabled  TCP  79
SNMP Service  Enabled  UDP  161
IdentD Service  Disabled  TCP  113
NTP Service  Enabled  UDP  123
9.3.3 General Configuration Information
This section details the device's general configuration settings.
Table 581: General configuration information
Description  Setting
Configuration Loading From Network  Disabled
Service Password Encryption  Enabled
Table 582 lists the configured aliases.
Table 582: Alias List
System  Alias  Command
atm-vc-config vbr vbr-nrt
exec h help
exec lo logout
exec p ping
exec r resume
exec s show
exec u undebug
exec un undebug
exec w where
9.3.4 Authentication
Cisco Router devices support multiple authentication sources, enabling the device to authenticate users against a local database of users stored on the device or against a remote user authentication service. This section details the authentication configuration settings for CiscoIOS15.
9.3.4.1 User Policy Settings
This section details the user policy configuration settings.
Table 583: User policy settings
Description  Setting
Account Lockout Duration  Forever
Minimum Password Length  6 Characters
9.3.4.2 Local Users
This section details the users configured on CiscoIOS15. The users can be assigned to different privilege levels, which are configurable and determine the level of access granted. A level 15 user is the highest level and is typically reserved for management of the device. The enable user password is typically used for performing administration on Cisco Router devices. However, if an enable user password has not been configured, a line password will be used instead.
Table 584: Users
User  Password  Privilege  Filter
enable (secret)  (ENCRYPTED)  15
enable (password)  password  15
admin  (ENCRYPTED)  1
Test  (ENCRYPTED)  1
VTY 0-4 Line  password  1
9.3.4.3 TACACS+ Authentication
Cisco Router devices support authentication using Terminal Access Controller Access Control System Plus (TACACS+) authentication servers. This section details the configuration.
Table 585: TACACS+ settings
Description  Setting
TACACS+ Authentication  Enabled
TACACS+ Source Interface  Loopback0
Table 586 details the configured TACACS+ Authentication servers.
Table 586: TACACS+ Authentication servers
Server Group  Address  Port  Key
18.1.1.1  49
9.3.5 Administration
This section describes the administration services and configuration settings that are supported by Cisco Router devices. Each subsection covers the configuration of a specific administration service or services.
9.3.5.1 General Administration Settings
This section describes some general Cisco Router device administration settings.
Table 587: General administration settings
Description  Setting
AUX Port  Disabled
TCP SYN Wait Time  30 seconds
Call Home Service  Disabled
9.3.5.2 Telnet Service Settings
The Telnet service enables remote administrative access to a CLI on CiscoIOS15. The Telnet protocol implemented by the service is simple and provides no encryption of the network communications between the client and the server. This section details the Telnet service settings.
Table 588: Telnet service settings
Description  Setting
Telnet Service  Disabled
Service TCP Port  23
9.3.5.3 BSD r Service Settings
The RSH service enables remote administrative access to a CLI on CiscoIOS15. The RSH protocol implemented by the service is simple and provides no encryption of the network communications between the client and the server. This section details the RSH service settings.
Table 589: BSD r service settings
Description  Setting
RSH Service  Disabled
Service TCP Port  514
RCP  Disabled
9.3.5.4 SSH Service Settings
The SSH service enables a remote administrator to access a CLI on CiscoIOS15. The SSH protocol provides complete encryption of the network packets between the connecting client and the server. There are two main versions of the SSH protocol.
Cisco Router devices support both SSH protocol versions 1 and 2. Support for SSH was introduced in IOS version 12.0(5) and support for SSH protocol version 2 was added from IOS version 12.3(2). IOS devices that support both versions of the SSH protocol default to allowing connections from clients using either version.
This section details the SSH service settings.
Table 590: SSH service settings
Description  Setting
SSH Service  Enabled
Service TCP Port  22
SSH Protocol Version  2
Authentication Timeout  2 minutes
Access to the SSH service on CiscoIOS15 devices is configured using administrative interface lines. Table 591 details the SSH administrative interface line configuration.
Table 591: SSH service lines
Line  Access  Login  Level  Password  Authorization  Accounting  Filter In
VTY 0-4  Yes  AAA Authentication  1  password  Off  Off  1
VTY 5-807  Yes  AAA Authentication  1  Off  Off  1
9.3.5.5 Web-Based Administration Service Settings
The Web-based administration service enables a remote administrator to manage the device using a web browser. Cisco Router devices provide administrative access using both the HTTP and HTTPS protocols. Although the HTTPS protocol provides encryption of the connection between the administrator and the device, the HTTP protocol provides no encryption.
This section details the configuration of the web-based administration.
Table 592: Web-based administration service settings
Description  Setting
Web Administration Service (HTTP)  Disabled
HTTP TCP Port  80
Web Administration Service (HTTPS)  Disabled
HTTPS TCP Port  443
Secure Web Administration Service Redirect  Disabled
Connection Timeout  3 minutes
Table 593 lists the configured HTTPS web-based administration service encryption ciphers.
Table 593: HTTPS web-based administration service encryption ciphers
Encryption  Message Authentication  Key Length  SSLv2  SSLv3  TLSv1  TLSv1.1  TLSv1.2
3DES  SHA1  168 bits  No  Yes  No  No  No
RC4  SHA1  128 bits  No  Yes  No  No  No
RC4  MD5  128 bits  No  Yes  No  No  No
DES  SHA1  56 bits  No  Yes  No  No  No
9.3.5.6 Small Servers Settings
Small servers are typically provided for legacy or diagnostics purposes. The servers include "echo", which responds with a copy of what is sent to it, "discard", which ignores anything that is sent to it, and "chargen", which returns characters. This section details their configuration.
Table 594: Small servers settings
Description  Setting
TCP Small Servers  Disabled
UDP Small Servers  Disabled
9.3.5.7 BOOTP Service Settings
The BOOTP service allows remote hosts to load their operating system over the network. This section details the BOOTP service's configuration.
Table 595: BOOTP service settings
Description  Setting
BOOTP Service  Disabled
UDP Port  67
9.3.5.8 Finger Service Settings
The Finger service enables network users to query Cisco Router devices for information on users. This section details the Finger service's configuration.
Table 596: Finger service settings
Description  Setting
Finger Service  Disabled
TCP Port  79
9.3.5.9 Administrative Interface Line Settings
The administrative interface line settings are used on CiscoIOS15 devices to configure administrative access using a number of different services. The previous sections have covered the specific administration services and their authentication configurations. This section details all the administrative interface lines configured on CiscoIOS15, the timeouts and other options.
Table 597: Administrative interface line configuration
Line  Exec Timeout  Absolute Timeout  Session Timeout  Login Timeout  Filter In  Filter Out
Console  9 minutes  None  None  30 seconds
Auxiliary  9 minutes  None  None  30 seconds
Interface 0/0/0  9 minutes  None  None  30 seconds
VTY 0-4  9 minutes  None  None  30 seconds  1
VTY 5-807  9 minutes  None  None  30 seconds  1
9.3.6 Logon Banner Message
The importance of banner messages can often be overlooked. Banner messages are useful for providing a deterrent against unauthorized access or reminding a user about procedural details for making modifications to a device's configuration. If a warning message has been configured and an attacker has gained unauthorized access, the banner message could act as evidence of an attacker's intent. This section details the banner messages configured on CiscoIOS15.
9.3.6.1 Exec Banner
The Exec banner message is presented to users after they log on to Cisco Router devices. The Exec banner message configured on CiscoIOS15 follows:
This is the exec banner
Table 598: Banner Status
Status
Enabled
9.3.6.2 Login Banner
The Login banner message is presented to users before they log on to Cisco Router devices and after the MOTD message is shown on Telnet connections. The Login banner message configured on CiscoIOS15 follows:
This is the login banner
Table 599: Banner Status
Status
Enabled
9.3.6.3 MOTD Banner
The MOTD banner message is presented to users before they log on for Telnet connections and following logon for SSH connections. The configured MOTD banner message follows:
This is the motd banner
Table 600: Banner Status
Status
Enabled
9.3.7 SNMP Settings
SNMP is used to assist network administrators in monitoring and managing a wide variety of network devices. There are three main versions of SNMP in use. Versions 1 and 2 of SNMP are both secured with a community string and authenticate and transmit network packets without any form of encryption. SNMP version 3 provides several levels of authentication and encryption. The most basic level provides a similar protection to that of the earlier protocol versions. However, SNMP version 3 can be configured to provide encrypted authentication (auth) and secured further with support for encrypted data communications (priv).
This section describes the CiscoIOS15 SNMP configuration settings.
Table 601: SNMP settings
Description  Setting
SNMP Service  Enabled
UDP Port  161
Chassis  FCZ130693M0
TFTP Server Filter List
Manager  Disabled
Manager Session Timeout  10 minutes
SNMP System Shutdown  Disabled
Trap Source Interface
Maximum Trap Queue Length  10
Trap Timeout  30 seconds
Maximum Packet Size  1500 Bytes
9.3.7.1 SNMP Community
SNMP community strings are used to authenticate access between a NMS and the Cisco Router SNMP agent. A connecting NMS, using SNMP protocol versions 1 or 2c, must provide the SNMP agent with a valid community string when making a MIB read or write request.
Table 602: SNMP community configuration
Community  Access  Version  View  ACL
Testcom  Read Only  1  18
cisCommunity  Read Only  1  3
trapString  Read Only  1  3
9.3.7.2 SNMP Traps And Informs
The Cisco Router SNMP agent can be configured to send trap notifications to a NMS or SNMP manager host. Once a trap is sent, the Cisco Router SNMP agent assumes that the receiving host received the notification; no confirmation is expected. Inform notifications are similar to traps, but the receiving host is expected to confirm receipt of the notification. If a confirmation is not received the Cisco Router SNMP agent can retry.
Table 603: SNMP trap and inform hosts
Host  Type  Version  Security  Community  Notifications  Port
1.2.3.4  Trap  1  Community  trapString  162 snmp  0
Table 604: SNMP notifications
Notification  Options  Action
link  no snmp-server trap link ietf  Exclude
authentication  snmp-server trap authentication vrf  Include
authentication  snmp-server trap authentication acl-failure  Include
authentication  snmp-server trap authentication unknown-content  Include
snmp  server enable traps snmp authentication linkdown linkup coldstart  Include
nhrp nhsup Exclude
nhrp nhsdown Exclude
nhrp nhcup Exclude
nhrp nhcdown Exclude
nhrp nhpup Exclude
nhrp nhpdown Exclude
nhrp quota-exceeded Exclude
9.3.7.3 SNMP Groups
SNMPv3 access to Cisco Router can be configured using Users and Groups. This section details those configuration settings.
Table 605: SNMP groups
Group  Version  Security  Read View  Write View  Notify View  ACL
snmpCISGroup  3  Auth+Priv  v1default
9.3.7.4 SNMP Views
SNMP views are used to restrict the areas of the MIB a NMS can access.
Table 606: *ilmi SNMP view configuration
MIB  Action
system  Include
atmForumUni  Include
Table 607: v1default SNMP view configuration
MIB  Action
iso  Include
internet.6.3.15  Exclude
internet.6.3.16  Exclude
internet.6.3.18  Exclude
ciscoMgmt.394  Exclude
ciscoMgmt.395  Exclude
ciscoMgmt.399  Exclude
ciscoMgmt.400  Exclude
Table 608: *tv.00000001.00000000.00000000.00000000.000000000F SNMP view configuration
MIB  Action
ieee802dot11  Include
internet  Include
9.3.8 Message Logging
Cisco Router devices are capable of logging system events and messages. Those logs can then be recalled at a later time, assisting administrators in the diagnosis of system faults or alerting system administrators of an attack. This section details the device's logging configuration.
9.3.8.1 General Logging Settings
This section details the configuration settings that affect the logging facilities.
Table 609: General logging settings
Description  Setting
Device Logging Services  Enabled
Logging Message Rate Limit  None
Message History Severity Level  Warnings (4)
Maximum Number of History Messages  0
Include Sequence Numbers in Logs  Disabled
Include Time Stamps in Logs  Enabled
9.3.8.2 Syslog Logging
Syslog messages can be sent by Cisco Router devices to a Syslog server. Syslog servers provide the following advantages:
a central repository for logs from a range of network devices; a potentially longer retention period for logs than a device may be capable of storing; a troubleshooting resource for when a device may no longer be responsive; an external log source, in case the security of a device has been compromised; support for an industry standard logging system.
This section details the Syslog configuration settings.
Table 610: Syslog logging configuration
Description  Setting
Syslog Logging  Enabled
Severity Level  Informational (6)
Syslog Source Interface  Loopback1
Table 611: Syslog hosts
Host  Protocol  Port
buginf  UDP  514
10.10.10.10  UDP  514
9.3.8.3 Internal Buffer Logging Settings
Cisco Router devices can log messages to an internal buffer. By its nature, the buffer is size limited and therefore newer messages will overwrite older ones when the buffer's size has been reached. This section details the internal buffer logging configuration settings.
Table 612: Internal buffer logging configuration
Description  Setting
Buffer Logging  Enabled
Logging Severity Level  Debugging (7)
Buffer Size  4096
9.3.8.4 Console Logging
Cisco Router devices are capable of sending system logging to the console. This section details those configuration settings.
Table 613: Console logging configuration
Description  Setting
Console Logging  Enabled
Logging Severity Level  Critical (2)
9.3.8.5 Terminal Line Logging
Cisco Router devices are capable of sending system logging to the terminal lines. This section details those configuration settings.
Table 614: Terminal line logging configuration
Description  Setting
Terminal Line Logging  Enabled
Logging Severity Level  Debugging (7)
9.3.9 Name Resolution Settings
Cisco Router devices can be configured to resolve name to address mappings. This section details those settings.
9.3.9.1 DNS Client
The DNS service stores information about mappings between a device's IP address and a name, which is easier for humans to recognize and remember. Cisco Router devices can be configured to query a DNS in order to resolve names to addresses. This section details those configuration settings.
Table 615: DNS client configuration
Description  Setting
DNS Type  Standard
Domain  test.test
DNS Lookups  Disabled
9.3.10 Network Protocols
This section details the configuration of the network protocols supported by Cisco Router devices. Each section details specific settings such as any network protocol address configuration settings.
9.3.10.1 General Settings
This section details the general protocol and address configuration settings.
Table 616: General interface related settings
Description  Setting
Gratuitous ARP  Disabled
IdentD Service  Disabled
PAD Service  Disabled
9.3.10.2 IPv4
This section details the configuration of the IPv4 protocol and addresses. IPv4 is described in RFC 791.
Table 617: General IPv4 protocol settings
Description  Setting
Inbound TCP Keep-Alives  Enabled
Outbound TCP Keep-Alives  Enabled
Table 618: IPv4 addresses
Interface  Active  Address  Proxy-ARP  Directed  ACL In  ACL Out
Loopback0  Yes  Off  Off
Loopback1  Yes  Off  Off
FastEthernet0/0  Yes  192.168.0.17/24  Off  Off
FastEthernet0/1  No  Off  Off
ATM0/1/0  No  Off  Off
Async0/0/0  Yes  Off  Off
Table 619: IPv4 ICMP Options
Interface  Active  Unreachables  Redirects  Mask Reply  Information
Loopback0  Yes  Off  On  Off  Off
Loopback1  Yes  Off  On  Off  Off
FastEthernet0/0  Yes  On  On  Off  Off
FastEthernet0/1  No  On  On  Off  Off
ATM0/1/0  No  Off  On  Off  Off
Async0/0/0  Yes  Off  On  Off  Off
9.3.10.3 DEC
Cisco Router devices can be configured with support for DEC protocols. This section details those protocol specific configuration settings.
Table 620: DEC interface protocols
Interface  Active  MOP  ACL In  ACL Out
FastEthernet0/0  Yes  Off
FastEthernet0/1  No  On
9.3.10.4 LLDP Settings
This section describes the configuration of LLDP on CiscoIOS15. LLDP is an industry standard protocol designed to advertise the device's capabilities to other network devices. The information sent can include the system's name, management address, VLAN, capabilities and port details. LLDP provides a similar function to proprietary protocols such as CDP and is described in greater detail in the IEEE standards document 802.1AB.
Table 621: LLDP settings
Description  Setting
LLDP Send  Disabled
LLDP Receive  Disabled
LLDP Refresh Interval  30 seconds
On Cisco Router devices, LLDP can be enabled and disabled on individual network interfaces. Table 622 details those settings.
Table 622: LLDP on network interfaces
Interface  Active  LLDP Send  LLDP Receive
FastEthernet0/0  Yes  On  On
FastEthernet0/1  No  On  On
9.3.10.5 CDP Settings
This section describes the configuration of CDP on CiscoIOS15. CDP was developed by Cisco for use with network management tools and, if enabled, the network packets sent will contain information about the sending device. CDP network packets will typically include details such as the device model information, operating system information and other device configuration details.
Table 623: CDP settings
Description  Setting
CDP  Disabled
CDP Version  2
On Cisco Router devices, CDP can be enabled and disabled on individual network interfaces. Table 624 details those settings.
Table 624: CDP on network interfaces
Interface  Active  CDP
FastEthernet0/0  Yes  On
FastEthernet0/1  No  On
9.3.10.6 VTP Settings
VTP is a layer 2 protocol developed by Cisco to assist with the management of VLANs over multiple devices. The protocol enables the VLANs to be added, renamed or deleted on a single switch and for those changes to be propagated to other switches in the same VTP domain.
Table 625: VTP settings
Description  Setting
VTP Version  1
VTP Domain
VTP Password  VTP
VTP Mode  Transparent
VTP Pruning  Disabled
9.3.11 Network Interfaces
This section details the configuration of both physical and virtual network interfaces.
9.3.11.1 Loopback Interfaces
Loopback interfaces are virtual interfaces that are handled by software. This section describes the configuration of the loopback interfaces.
Table 626: Loopback interfaces
Interface  Active
Loopback0  Yes
Loopback1  Yes
9.3.11.2 Fast Ethernet Interfaces
This section describes the configuration of the device's Fast Ethernet interfaces.
Table 627: Fast Ethernet interfaces
Interface  Active  VLAN
FastEthernet0/0  Yes  1
FastEthernet0/1  No  1
9.3.11.3 ATM Interfaces
This section describes the configuration of the device's Asynchronous Transfer Mode (ATM) interfaces.
Table 628: ATM interfaces
Interface  Active
ATM0/1/0  No
9.3.11.4 Other Interfaces
This section describes the configuration of the other interfaces configured on CiscoIOS15.
Table 629: Other interfaces
Interface  Active
Async0/0/0  Yes
9.3.12 Routing Configuration
Cisco Router devices' routing tables can be configured with static routes or updated dynamically. Routing protocols are used by network routing devices to dynamically update the routing tables that devices use to forward network traffic to their destination. Routing protocols can be split into two different categories: IGPs and EGPs. IGPs are usually used in situations where the routing devices are all controlled by a single entity, such as within a company. EGPs are usually used in situations where routing devices are managed by a number of entities, such as the Internet. Typically routing devices will support a number of standard routing protocols.
This section describes the routing configuration settings.
Table 630: General Routing Settings
Description  Setting
Classless Routing  Ignored
IP Source Routing  Disabled
9.3.12.1 Static Routes
Cisco Router devices can be configured with static network routes. This section details the static network routes.
Table 631: Static network routes
Interface  Address  Gateway  Metric
0.0.0.0/0  10.200.4.254
9.3.12.2 RIP Configuration
RIP is an IGP and calculates routes using a distance vector. RIP is only suitable for small networks; routing updates are sent every 30 seconds and contain the entire routing table. Furthermore, RIP has a maximum distance of 15 hops. If RIP routes have not been updated within three minutes the route is marked as unusable. Routes not updated within four minutes are removed.
Table 632: RIP configuration
Description  Setting
RIP Routing  Enabled
RIP Send Version  1
RIP Receive Version  1 and 2
Timeout  0
Update Interval  0
Route Summary  Enabled
Inbound Distribution List
Outbound Distribution List
The following networks are included in the RIP routing updates:
3.0.0.0.
Table 633 details the configuration of RIP on individual network interfaces.
Table 633: RIP network interface configuration
Interface  Active  Passive  Send  Receive  Auth  Key ID
FastEthernet0/0  Yes  No  V1  V1 and V2  MD5  keychain
FastEthernet0/1  No  No  V1  V1 and V2  None  N/A
ATM0/1/0  No  No  V1  V1 and V2  None  N/A
9.3.12.3 OSPF Configuration
The OSPF routing protocol is an IGP. OSPF network packets are sent when the network configuration changes, such as when a route goes down, and the packets only contain the change. Since the information sent in the OSPF network packets is limited to any network changes, the protocol is well suited to complex network configurations.
Table 634: Process 1 OSPF configuration
Description  Setting
OSPF Routing  Enabled
Router ID
Maximum LSA  Unlimited
RFC 1583 Compatibility  Enabled
Inbound Distribution List
Outbound Distribution List
Table 635 details the configuration of OSPF on individual network interfaces.
Table 635: OSPF network interface configuration
Interface  Active  Passive  Area  Priority  Type  Auth Mode  Key ID  Route Cost  Hello Interval  Dead Interval  Retransmit Interval  Transmit Delay
FastEthernet0/0  Yes  No  1  Broadcast  MD5  6  Default  10 seconds  40 seconds  5 seconds  1 second
9.3.12.4 BGP Configuration
BGP is an EGP and a core Internet routing protocol. BGP routers maintain a list of reachable networks which are shared between defined BGP peers using TCP connections. This section details the BGP routing configuration.
Table 636: AS 1 BGP configuration
Description  Setting
BGP AS Number  1
Router ID
BGP Route Dampening  Disabled
Inbound Distribution List
Outbound Distribution List
This section details the BGP AS neighbors with which routing updates will be shared. All authentication makes use of MD5 authentication for security and integrity.
Table 637: AS 1 BGP neighbors
Address  Remote AS  Password  Version  Weight  Peer Group  Map In  Map Out
1.1.1.1  3  password  4  0
1.2.3.4  1  password  4  0
9.3.12.5 EIGRP Configuration
EIGRP is an IGP and is a distance-vector based protocol like RIP, but incorporates some features from link-state protocols such as OSPF. EIGRP was developed by Cisco as an enhanced version of IGRP. Unlike RIP, EIGRP transmits changes to network routes to its neighbors and is suitable for larger networks.
Table 638: EIGRP AS name configuration
Description  Setting
Router ID
Auto Summary  Disabled
Inbound Distribution List
Outbound Distribution List
Table 639 details the configuration of EIGRP on individual network interfaces.
Table 639: EIGRP network interface configuration
Interface  Active  AS  Passive  Interval  Hold  Bandwidth  Auth  Key ID
FastEthernet0/0  Yes  1  No  5 seconds  15 seconds  50%  MD5  keychain
9.3.12.6 Routing Authentication Key Configuration
Authentication keys, also referred to as shared secrets, can be configured to provide a method of authenticating routing updates in order to provide a level of assurance that routing updates are from trusted sources. This section details the configured routing authentication keys.
Table 640: Routing authentication keys
Key Chain | Key ID | Key
keychain | 1 | key
9.3.13 Network Filtering
Cisco Router devices can be configured to filter network traffic in order to restrict access to devices and services. Those network filtering settings are detailed in this section.
9.3.13.1 Extended IPv4 ACL
Extended ACLs permit or deny network traffic based on IPv4 source and destination addresses and network ports. Extended ACLs are used for checks on traffic passing through the device.
Table 641: Extended IPv4 ACL named-acl-1
Rule | Action | Protocol | Source | Src Port | Destination | Dst Port | Log
1 | Deny | Any | 172.168.2.3 | Any | Any | Any | No
2 | Deny | Any | 10.8.10.11 | Any | Any | Any | No
3 | Permit | Any | Any | Any | Any | Any | No
Table 642: Extended IPv4 ACL named-acl-2
Rule | Action | Protocol | Source | Src Port | Destination | Dst Port | Log
1 | Permit | Any | 192.168.76.4 | Any | Any | Any | No
2 | Permit | Any | 172.18.19.1 | Any | Any | Any | No
Table 643: Extended IPv4 ACL cp-critical-in
Rule | Action | Protocol | Source | Src Port | Destination | Dst Port | Frag | Connection State | Log
Remark: Control plane critical traffic - inbound
Remark: BGP
1 | Permit | TCP | 212.241.243.217 | Any | 212.241.243.218 | 179 | No | Any | No
2 | Permit | TCP | 212.241.243.217 | 179 | 212.241.243.218 | Any | No | Any | No
3 | Permit | TCP | 192.168.224.154 | Any | 192.168.224.153 | 179 | No | Any | No
4 | Permit | TCP | 192.168.224.154 | 179 | 192.168.224.153 | Any | No | Any | No
5 | Permit | TCP | 192.168.224.150 | Any | 192.168.224.149 | 179 | No | Any | No
6 | Permit | TCP | 192.168.224.150 | 179 | 192.168.224.149 | Any | No | Any | No
7 | Permit | TCP | 192.168.224.162 | Any | 192.168.224.161 | 179 | No | Any | No
8 | Permit | TCP | 192.168.224.162 | 179 | 192.168.224.161 | Any | No | Any | No
9 | Permit | TCP | 192.168.123.123 | Any | 192.192.192.192 | 21 | No | Any | No
Remark: DHCP
10 | Permit | UDP | 0.0.0.0 | Any | 255.255.255.255 | 67 | No | Any | No
11 | Permit | UDP | 10.1.23.1 | 67 | Any | 67 | No | Any | No
Remark: CSM Probes HTTP
12 | Permit | TCP | 192.168.224.10 | Any | 192.168.224.51 | 80 | No | Any | No
13 | Permit | TCP | 192.168.224.10 | Any | 192.168.224.52 | 80 | No | Any | No
14 | Permit | TCP | 192.168.224.51 | 80 | 192.168.224.10 | Any | No | Any | No
15 | Permit | TCP | 192.168.224.52 | 80 | 192.168.224.10 | Any | No | ESTABLISHED | No
16 | Permit | TCP | 192.168.224.11 | Any | 192.168.224.51 | 80 | No | Any | No
17 | Permit | TCP | 192.168.224.11 | Any | 192.168.224.52 | 80 | No | Any | No
18 | Permit | TCP | 192.168.224.51 | 80 | 192.168.224.11 | Any | Yes | Any | No
19 | Permit | TCP | 192.168.224.52 | 80 | 192.168.224.11 | Any | No | Any | No
Remark: CSM Probes HTTPS
20 | Permit | TCP | 192.168.224.10 | Any | 192.168.224.51 | 443 | No | Any | No
21 | Permit | TCP | 192.168.224.10 | Any | 192.168.224.52 | 443 | No | Any | Yes
22 | Permit | TCP | 192.168.224.51 | 443 | 192.168.224.10 | Any | No | Any | No
23 | Permit | TCP | 192.168.224.52 | 443 | 192.168.224.10 | Any | No | Any | No
24 | Permit | TCP | 192.168.224.11 | Any | 192.168.224.51 | 443 | No | Any | Yes
25 | Permit | TCP | 192.168.224.11 | Any | 192.168.224.52 | 443 | No | Any | No
26 | Permit | TCP | 192.168.224.51 | 443 | 192.168.224.11 | Any | No | Any | No
27 | Permit | TCP | 192.168.224.52 | 443 | 192.168.224.11 | Any | No | Any | No
Remark: CSM Probes ICMP
28 | Permit | ICMP | 192.168.224.10 | | 192.168.224.51 | | No | Any | No
29 | Permit | ICMP | 192.168.224.10 | | 192.168.224.52 | | No | Any | No
30 | Permit | ICMP | 192.168.224.51 | | 192.168.224.10 | | No | Any | No
31 | Permit | ICMP | 192.168.224.52 | | 192.168.224.10 | | No | Any | No
32 | Permit | ICMP | 192.168.224.11 | | 192.168.224.51 | | No | Any | No
33 | Permit | ICMP | 192.168.224.11 | | 192.168.224.52 | | No | Any | No
34 | Permit | ICMP | 192.168.224.51 | | 192.168.224.11 | | No | Any | No
35 | Permit | ICMP | 192.168.224.52 | | 192.168.224.11 | | No | Any | No
36 | Deny | Any | Any | Any | Any | Any | No | Any | No
Table 644: Extended IPv4 ACL 110
Rule | Action | Protocol | Source | Src Port | Destination | Dst Port | Log
1 | Permit | TCP | Any | Any | Any | Any | No
Table 645: Extended IPv4 ACL 120
Rule | Action | Protocol | Source | Src Port | Destination | Dst Port | Log
1 | Permit | Any | 50.60.0.0/16 | Any | Any | Any | No
2 | Permit | TCP | Any | 21 | Any | Any | Yes
3 | Permit | TCP | Any | Any | 192.168.30.40 | 161 | No
4 | Permit | TCP | 192.168.20.10 | Any | 192.168.30.40 | 161 | No
5 | Permit | TCP | 192.168.20.12 | Any | 192.168.30.40 | 161 | No
6 | Permit | TCP | Any | Any | 192.168.30.56 | 9876 | No
7 | Permit | TCP | Any | Any | Any | 9876 | No
8 | Deny | TCP | Any | Any | 192.168.30.56 | 9876 | No
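The extended ACL tables above are derived from the `ip access-list extended` entries reproduced in the raw configuration in Part 10. As an added example (not Nipper Studio's code), the following Python parses entries in that form into the Rule/Action/Protocol/Source/Src Port/Destination/Dst Port/Frag/Connection State/Log columns and evaluates a packet against them first-match, ending in the implicit deny. The port-name map and the sample ACL text are constructed from entries on this page; the packet model is an assumption and carries no TCP flags or fragment offset.

```python
"""Added example: parse Cisco IOS extended ACL entries into the columns used by
the audit tables and evaluate a packet with first-match semantics."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords that appear in the raw configuration (constructed map).
PORT_NAMES = {"bgp": 179, "ftp": 21, "bootps": 67, "www": 80, "snmp": 161}


@dataclass
class AclRule:
    rule: int
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp", "udp" or "icmp"
    source: ipaddress.IPv4Network
    src_port: Optional[int]          # None is shown as "Any" in the tables
    destination: ipaddress.IPv4Network
    dst_port: Optional[int]
    fragments: bool                  # "Frag" column
    established: bool                # "Connection State" column
    log: bool


def _parse_address(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' from tokens."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if word == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # An IOS wildcard mask is the inverse of a subnet mask: 0.0.255.255 -> /16.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{word}/{netmask}", strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq <port>' operator; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return int(name) if name.isdigit() else PORT_NAMES[name]
    return None


def parse_extended_acl(text):
    """Return the numbered entries of one 'ip access-list extended' block."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        # The header line and remarks appear in the tables but are not rules.
        if not tokens or tokens[0] in ("ip", "remark"):
            continue
        action, protocol, rest = tokens[0], tokens[1], tokens[2:]
        source = _parse_address(rest)
        src_port = _parse_port(rest)
        destination = _parse_address(rest)
        dst_port = _parse_port(rest)
        if protocol == "icmp" and rest and rest[0] in ("echo", "echo-reply"):
            rest.pop(0)                  # ICMP type keyword, blank in the tables
        flags = set(rest)
        rules.append(AclRule(len(rules) + 1, action, protocol, source, src_port,
                             destination, dst_port, "fragments" in flags,
                             "established" in flags, "log" in flags))
    return rules


def evaluate(rules, protocol, src, src_port, dst, dst_port):
    """First matching rule decides; no match is the implicit 'deny ip any any'.
    The established/fragments qualifiers are recorded but not evaluated, because
    this simplified packet model (an assumption) has no TCP flags or fragment offset."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r.protocol not in ("ip", protocol):
            continue
        if s not in r.source or d not in r.destination:
            continue
        if r.src_port is not None and r.src_port != src_port:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action, r.rule
    return "deny", None


# Constructed sample: a subset of the cp-critical-in entries from the raw configuration.
SAMPLE_ACL = """
ip access-list extended cp-critical-in
 remark Control plane critical traffic - inbound
 remark BGP
 permit tcp host 212.241.243.217 host 212.241.243.218 eq bgp
 permit tcp host 212.241.243.217 eq bgp host 212.241.243.218
 remark DHCP
 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
 remark CSM Probes HTTPS
 permit tcp host 192.168.224.10 host 192.168.224.52 eq 443 log
 permit icmp host 192.168.224.10 host 192.168.224.51 echo
 deny ip any any
"""

if __name__ == "__main__":
    rules = parse_extended_acl(SAMPLE_ACL)
    for r in rules:
        print(r.rule, r.action, r.protocol, r.source, r.src_port or "Any",
              r.destination, r.dst_port or "Any", r.fragments, r.established, r.log)
    # A BGP session opened by .217 matches rule 1; the reverse direction from .218
    # has no permit entry in this subset and falls through to the explicit final deny.
    print(evaluate(rules, "tcp", "212.241.243.217", 50000, "212.241.243.218", 179))
    print(evaluate(rules, "tcp", "212.241.243.218", 179, "212.241.243.217", 50000))
```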
9.3.13.2 Standard IPv4 ACL
Standard ACLs only define the IPv4 source address and process the network packets solely based on that. Standard ACLs are typically used to restrict access to device services or protocols.
Table 646: Standard IPv4 ACL 40
Rule | Action | Source | Log
1 | Permit | 192.168.2.1 | No
2 | Permit | 172.10.1.35 | No
3 | Permit | 10.0.0.1 | No
4 | Permit | 192.168.0.1 | No
5 | Deny | Any | Yes
Table 647: Standard IPv4 ACL 1
Rule | Action | Source | Log
1 | Permit | Any | No
Table 648: Standard IPv4 ACL 3
Rule | Action | Source | Log
1 | Permit | Any | No
Table 649: Standard IPv4 ACL 18
Rule | Action | Source | Log
1 | Permit | Any | No
9.3.14 IPS Settings
Cisco Router devices can be configured to detect network traffic patterns that are typically associated with malicious activity or are simply undesirable. IPS settings are those that enable the device to prevent the potentially malicious network activity by blocking the network traffic when detected. This section details those configuration settings.
Table 650: General IPS settings
Description | Setting
Cisco Express Forwarding | Enabled
Cisco Express Forwarding IPv6 | Disabled
Table 651: IPS settings
IPS Feature | Setting
Unicast RPF Verification | Enabled on Loopback1
 | Enabled on FastEthernet0/0
 | Enabled on FastEthernet0/1
 | Enabled on ATM0/1/0
 | Enabled on Async0/0/0
9.3.15 Remote Access Settings
This section describes the configuration of the remote access services. Each subsection covers a specific remote access service.
9.3.15.1 General Settings
This section details the general remote access configuration settings.
Table 652: General remote access settings
Description | Setting
VPN Enabled | No
9.3.16 Time And Date
It can be critically important that the time and date set on all network devices match. Many authentication services depend on the time between devices being synchronized; if a clock is outside a threshold then that device may no longer be able to perform authentication. Furthermore, diagnosing issues with the use of message logs becomes much more cumbersome if the time and dates between devices do not match. Cisco Router devices can be configured to obtain time updates from a network time source. This section details the time and date configuration settings.
9.3.16.1 Time Zones
Table 653: General Time Settings
Description | Setting
Time Zone | UTC
Summer Time Daylight Saving | Disabled
9.3.16.2 NTP Client Configuration
Cisco Router devices can be configured to synchronize their time from an NTP time source (RFC 1305, http://www.faqs.org/rfcs/rfc1305.html). This section details those NTP client configuration settings.
Table 654: NTP client settings
Description | Setting
NTP Client | Enabled
Accept Broadcast Updates | Disabled
Accept Multicast Updates | Disabled
NTP Authentication | Enabled
Source Interface | Loopback0
Table 655 details the NTP time sources used to provide the time updates to the device.
Table 655: NTP client time sources
Address | Auth Key | Version
11.11.11.11 | 5 | 3
NTP client settings on Cisco Router devices can be configured on individual interfaces. These are listed in Table 656.
Table 656: Interface NTP client settings
Interface | Active | NTP | NTP Broadcasts | NTP Multicasts
Loopback0 | Yes | Disabled | Disabled | Disabled
Loopback1 | Yes | Disabled | Disabled | Disabled
FastEthernet0/0 | Yes | Enabled | Disabled | Disabled
FastEthernet0/1 | No | Enabled | Disabled | Disabled
ATM0/1/0 | No | Enabled | Disabled | Disabled
Async0/0/0 | Yes | Enabled | Disabled | Disabled
9.3.16.3 NTP Server Configuration
Cisco Router devices can be configured to provide an NTP time source for other network devices. This section details the NTP server configuration.
Table 657: NTP server configuration
Description | Setting
NTP Service | Enabled
Multicast NTP Server | Disabled
Broadcast NTP Server | Disabled
NTP Master | Disabled
NTP server settings on Cisco Router devices can be configured on individual interfaces. These are listed in Table 658.
Table 658: Interface NTP server settings
Interface | Active | NTP | Broadcast Server | Broadcast Version | Multicast Address | Multicast Key | Multicast Version
Loopback0 | Yes | Disabled | Disabled | 3 | | | 3
Loopback1 | Yes | Disabled | Disabled | 3 | | | 3
FastEthernet0/0 | Yes | Enabled | Disabled | 3 | | | 3
FastEthernet0/1 | No | Enabled | Disabled | 3 | | | 3
ATM0/1/0 | No | Enabled | Disabled | 3 | | | 3
Async0/0/0 | Yes | Enabled | Disabled | 3 | | | 3
9.3.16.4 Time Synchronization Authentication Keys
This section details the time synchronization authentication key configuration.
Table 659: Time synchronization authentication keys
ID | Key String | Trusted
5 | (ENCRYPTED) | Yes
10 Raw Configuration
10.1 Introduction
This section details the raw configuration of a device without performing any interpretation of the content. Therefore, understanding the information shown in this section will require some technical knowledge.
10.2 Cisco Router router03 Raw Configuration
router03# sh run
Building configuration...

Current configuration : a number of bytes
!
! Last configuration change at some time Fri June 10 2006 by anyone
! NVRAM config last updated at some time Sat August 2 2006 by anyone
!
! Pass with --edge to produce all router errors.

version 12.3
service tcp-keepalives-out
!
hostname router03
!
clock timezone GMT 0
clock summer-time GMT recurring
ip domain-name nipper.org
privilege exec level chicken
enable password cisco
key chain testchain
 key 1
  key-string 7 044B0A151C36435C0D
username temp privilege 15 password 7 095C4F1A0A1218000F
username testuser privilege 15 password 7 095C4F1A0A1218000F
username localuser privilege 15 password 7 095C4F1A0A1218000F
boot network
service finger
service tcp-small-servers
service udp-small-servers
security passwords min-length 2
snmp-server community public RO 20
snmp-server community private RW
snmp-server location Somewhere
snmp-server host 192.168.20.30 private snmp
snmp-server host 192.168.20.40 private snmp
snmp-server system-shutdown
!
banner login ^C
This is a test banner.
^C
!
key chain routing-chain
 key 1
  key-string cisco
!
ntp server 1.1.1.1
!
interface GigabitEthernet1/1
 description First interface on switch
 speed 100
 duplex full
 ip address 10.0.0.1
 ip directed-broadcast
 ip ospf network point-to-multipoint
 switchport mode trunk
 ip mask-reply
 no ip proxy-arp
 vrrp 2 ip 192.168.4.2
 vrrp 2 authentication text password
 ip rip authentication key-chain routing-chain
 ip rip authentication mode text
 standby ip 192.168.5.10
 standby version 2
 standby authentication text Passw0rd
 glbp 44 ip 192.168.8.42
 glbp 44 authentication text Passw0rd
!
interface GigabitEthernet1/2
 description Second interface on switch
 speed 100
 duplex full
 ip address 10.0.0.2
 ip directed-broadcast
 ip ospf network point-to-multipoint
 ip hold-time eigrp 3 14
 switchport mode trunk
 ip mask-reply
 vrrp 3 ip 192.168.3.2
 ip rip send version 2
 standby 20 ip 192.168.5.20
 glbp 40 ip 192.168.7.42
!
ip access-list extended named-acl-1
 deny ip host 172.168.2.3 any
 deny ip host 10.8.10.11 any
 permit ip any any
ip access-list extended named-acl-2
 permit ip host 192.168.76.4 any
 permit ip host 172.18.19.1 any
!
ip access-list extended cp-critical-in
 remark Control plane critical traffic - inbound
 remark BGP
 permit tcp host 212.241.243.217 host 212.241.243.218 eq bgp
 permit tcp host 212.241.243.217 eq bgp host 212.241.243.218
 permit tcp host 192.168.224.154 host 192.168.224.153 eq bgp
 permit tcp host 192.168.224.154 eq bgp host 192.168.224.153
 permit tcp host 192.168.224.150 host 192.168.224.149 eq bgp
 permit tcp host 192.168.224.150 eq bgp host 192.168.224.149
 permit tcp host 192.168.224.162 host 192.168.224.161 eq bgp
 permit tcp host 192.168.224.162 eq bgp host 192.168.224.161
 permit tcp host 192.168.123.123 host 192.192.192.192 eq ftp
 remark DHCP
 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
 permit udp host 10.1.23.1 eq bootps any eq bootps
 remark CSM Probes HTTP
 permit tcp host 192.168.224.10 host 192.168.224.51 eq www
 permit tcp host 192.168.224.10 host 192.168.224.52 eq www
 permit tcp host 192.168.224.51 eq www host 192.168.224.10
 permit tcp host 192.168.224.52 eq www host 192.168.224.10 established
 permit tcp host 192.168.224.11 host 192.168.224.51 eq www
 permit tcp host 192.168.224.11 host 192.168.224.52 eq www
 permit tcp host 192.168.224.51 eq www host 192.168.224.11 fragments
 permit tcp host 192.168.224.52 eq www host 192.168.224.11
 remark CSM Probes HTTPS
 permit tcp host 192.168.224.10 host 192.168.224.51 eq 443
 permit tcp host 192.168.224.10 host 192.168.224.52 eq 443 log
 permit tcp host 192.168.224.51 eq 443 host 192.168.224.10
 permit tcp host 192.168.224.52 eq 443 host 192.168.224.10
 permit tcp host 192.168.224.11 host 192.168.224.51 eq 443 log
 permit tcp host 192.168.224.11 host 192.168.224.52 eq 443
 permit tcp host 192.168.224.51 eq 443 host 192.168.224.11
 permit tcp host 192.168.224.52 eq 443 host 192.168.224.11
 remark CSM Probes ICMP
 permit icmp host 192.168.224.10 host 192.168.224.51 echo
 permit icmp host 192.168.224.10 host 192.168.224.52 echo
 permit icmp host 192.168.224.51 host 192.168.224.10 echo-reply
 permit icmp host 192.168.224.52 host 192.168.224.10 echo-reply
 permit icmp host 192.168.224.11 host 192.168.224.51 echo
 permit icmp host 192.168.224.11 host 192.168.224.52 echo
 permit icmp host 192.168.224.51 host 192.168.224.11 echo-reply
 permit icmp host 192.168.224.52 host 192.168.224.11 echo-reply
 deny ip any any
access-list 110 permit tcp any any
access-list 120 permit ip 50.60.0.0 0.0.255.255 any
access-list 120 permit tcp any eq ftp any log-input
access-list 120 permit tcp any host 192.168.30.40 eq snmp
access-list 120 permit tcp host 192.168.20.10 host 192.168.30.40 eq snmp
access-list 120 permit tcp host 192.168.20.12 host 192.168.30.40 eq snmp
access-list 120 permit tcp any host 192.168.30.56 eq 9876
access-list 120 permit tcp any any eq 9876
access-list 120 deny tcp any host 192.168.30.56 eq 9876
access-list 40 permit 192.168.2.1
access-list 40 permit 172.10.1.35
access-list 40 permit 10.0.0.1
access-list 40 permit 192.168.0.1
access-list 40 deny any log
!
router eigrp 14
 redistribute connected
 redistribute static
 network 10.0.0.0
 network 172.10.1.0
 distribute-list 40 out
 no auto-summary
 no eigrp log-neighbor-warnings
!
router bgp 1
 no synchronization
 bgp router-id 192.168.56.5
 bgp log-neighbor-changes
 network 192.168.22.1 mask 255.255.255.255
 neighbor router01 peer-group
 neighbor router01 remote-as 12345
 neighbor router01 description Site to Site Connection
 neighbor router01 version 4
 no auto-summary
!
router ospf 6
 network 10.0.0.1 0.0.0.255 area 0.0.0.0
 network 192.168.0.1 0.0.0.255 area 30.10.20.40
 area 0.0.0.0 range 10.0.0.1 255.255.255.0
 area 30.10.20.40 range 192.168.0.1 255.255.255.0
!
router eigrp 3
 eigrp router-id 127.0.0.1
 network 192.168.56.0
!
router rip
 network 10.0.0.0
!
!
line con 0
 session-timeout 25
 password 7 095C4F1A0A1218000F
 login
line aux 0
 session-timeout 25
 login
 password 7 095C4F1A0A1218000F
line vty 0 4
 access-class 10 in vrf-also
 password 7 095C4F1A0A1218000F
 logging synchronous
 transport input ssh
!
end

router03#
Table 660: Cisco Router router03 Configuration Hashes
Type | Hash
MD5 | 2e14cef9f0af91f86d448a8f21338d37
SHA-1 | 3d9f619619bf459626c1e8aef13786a77a2d8bcc
SHA-256 | 3f61de3497272ed71a9626d360279381b912f205a58fe5e1d030ad0e3876a343
10.3 Cisco Router CiscoIOS15 Raw Configuration
Current configuration with default configurations exposed : 11447 bytes
!
! Last configuration change at 12:42:43 UTC Wed Aug 24 2016 by admin
!
version 15.0
parser cache
parser config partition
no service log backtrace
no service config
no service exec-callback
no service nagle
service slave-log
no service slave-coredump
no service pad to-xot
no service pad from-xot
no service pad cmns
no service pad
no service telnet-zeroidle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec
service password-encryption
no service exec-wait
no service linenumber
no service internal
no service scripting
no service compress-config
service prompt config
no service old-slip-prompts
no service pt-vty-logging
no service disable-ip-fast-frag
no service sequence-numbers
no service dhcp
!
hostname CiscoIOS15
!
boot-start-marker
boot-end-marker
!
no logging discriminator
logging exception 4096
no logging count
no logging message-counter log
no logging message-counter debug
logging message-counter syslog
no logging snmp-authfail
no logging userinfo
logging buginf
logging queue-limit 100
logging queue-limit esm 0
logging queue-limit trap 100
logging buffered 4096
logging reload message-limit 1000 notifications
no logging persistent
logging rate-limit console 10 except errors
logging console guaranteed
logging console critical
logging monitor debugging
logging cns-events informational
logging on
enable secret 5 $1$8je9$O10MwM4HVnnM6rGeHFHel0
enable password 7 095C4F1A0A1218000F
!
ipc holdq threshold upper 0
ipc holdq threshold lower 0
ipc header-cache permanent 1000 100
ipc buffers min-free 1
ipc buffers max-free 8
ipc buffers permanent 2
aaa new-model
!
!
aaa authentication login default enable
aaa authentication enable default enable
aaa accounting exec default
 action-type none
!
aaa accounting commands 15 default
 action-type none
!
aaa accounting network default
 action-type none
!
aaa accounting connection default
 action-type none
!
aaa accounting system default
 action-type none
!
!
!
!
!
!
aaa session-id common
!
!
!
cef table consistency-check IPv4 auto-repair delay 10 holddown 300
cef table consistency-check IPv6 auto-repair delay 10 holddown 300
cef table rate-monitor-period 5
errdisable detect cause all
errdisable recovery interval 300
dot11 syslog
dot11 activity-timeout unknown default 60
dot11 activity-timeout client default 60
dot11 activity-timeout repeater default 60
dot11 activity-timeout workgroup-bridge default 60
dot11 activity-timeout bridge default 60
dot11 aaa csid default
prompt config hostname-length 20
no ip source-route
ip icmp redirect subnet
ip spd queue threshold minimum 73 maximum 74
!
!
!
!
ip cef
ip cef load-sharing algorithm universal 34ED9DC6
no ip bootp server
no ip domain lookup
ip domain name test.test
ip ips memory threshold 26
ip igmp snooping vlan 1
ip igmp snooping vlan 1 mrouter learn pim-dvmrp
ip igmp snooping
no ipv6 cef
ipv6 cef load-sharing algorithm universal 34ED9DC6
ipv6 dhcp ping packets 0
!
multilink bundle-name authenticated
!
cwmp agent
 no enable download
 no enable
 request outstanding 5
 parameter change notify interval 60
 session retry limit 11
 management server username 00000C-CISCO1841V05-FCZ130693M0
 no management server password
 no management server url
 no provision code
 no connection request username
 no connection request password
 no wan ip address
!
!
key chain keychain
 key 1
  key-string 7 020D0142
!
!
!
!
no snap notification exclude service acl
no snap notification exclude service eem
no snap notification exclude service snapt
license udi pid CISCO1841 sn FCZ130693M0
archive
 log config
  no record rc
  no logging enable
  logging size 100
  no notify syslog contenttype plaintext
  no notify syslog contenttype xml
  no hidekeys
 path flash:rollbackconfig
 maximum 2
 no rollback filter adaptive
 rollback retry timeout 0
 no write-memory
 time-period 0
file prompt alert
emm clear 1b5b324a1b5b303b30480d
vtp file flash:vlan.dat
vtp mode transparent
vtp version 1
modem call-record terse max-userid 30
username admin secret 5 $1$spr6$R9GYbviV7MFKSwoAsb0MD0
username Test secret 5 $1$cM/.$55zreXKAkf234gowEWj6j0
!
redundancy
no maintenance-mode
scripting tcl low-memory 63198267
scripting tcl trustpoint untrusted terminate
no scripting tcl secure-mode
!
!
ip tftp source-interface Loopback0
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh break-string ~break
ip ssh version 2
ip ssh dh min size 1024
!
no crypto isakmp diagnose error
!
!
!
!
!
!
interface Loopback0
 no ip address
 ip redirects
 no ip proxy-arp
 ip load-sharing per-destination
 ip cef accounting non-recursive internal
 snmp trap link-status
!
!
interface Loopback1
 no ip address
 ip redirects
 no ip proxy-arp
 ip verify unicast source reachable-via rx
 ip load-sharing per-destination
 ip cef accounting non-recursive internal
 snmp trap link-status
!
!
interface FastEthernet0/0
 ip address 192.168.0.17 255.255.255.0
 ip redirects
 no ip proxy-arp
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 keychain
 ip load-sharing per-destination
 ip cef accounting non-recursive internal
 ip rip authentication mode md5
 ip rip authentication key-chain keychain
 ip ospf message-digest-key 1 md5 7 04500E1F
 speed auto
 half-duplex
 snmp trap link-status
 no mop enabled
!
!
interface FastEthernet0/1
 no ip address
 ip redirects
 no ip proxy-arp
 ip load-sharing per-destination
 ip cef accounting non-recursive internal
 shutdown
 duplex auto
 speed auto
 snmp trap link-status
!
!
interface ATM0/1/0
 no ip address
 ip redirects
 no ip proxy-arp
 ip load-sharing per-destination
 ip cef accounting non-recursive internal
 shutdown
 atm restart timer 300
 no atm ilmi-keepalive
 dsl operating-mode auto
 no dsl enable-training-log
 dsl open-delay 5
 clock rate aal5 8000000
 clock rate aal2 8000000
 snmp trap link-status
!
!
interface Async0/0/0
 no ip address
 ip redirects
 no ip proxy-arp
 ip load-sharing per-destination
 ip cef accounting non-recursive internal
 encapsulation slip
 snmp trap link-status
!
!
ip access-list extended named-acl-1
 deny ip host 172.168.2.3 any
 deny ip host 10.8.10.11 any
 permit ip any any
ip access-list extended named-acl-2
 permit ip host 192.168.76.4 any
 permit ip host 172.18.19.1 any
!
ip access-list extended cp-critical-in
 remark Control plane critical traffic - inbound
 remark BGP
 permit tcp host 212.241.243.217 host 212.241.243.218 eq bgp
 permit tcp host 212.241.243.217 eq bgp host 212.241.243.218
 permit tcp host 192.168.224.154 host 192.168.224.153 eq bgp
 permit tcp host 192.168.224.154 eq bgp host 192.168.224.153
 permit tcp host 192.168.224.150 host 192.168.224.149 eq bgp
 permit tcp host 192.168.224.150 eq bgp host 192.168.224.149
 permit tcp host 192.168.224.162 host 192.168.224.161 eq bgp
 permit tcp host 192.168.224.162 eq bgp host 192.168.224.161
 permit tcp host 192.168.123.123 host 192.192.192.192 eq ftp
 remark DHCP
 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
 permit udp host 10.1.23.1 eq bootps any eq bootps
 remark CSM Probes HTTP
 permit tcp host 192.168.224.10 host 192.168.224.51 eq www
 permit tcp host 192.168.224.10 host 192.168.224.52 eq www
 permit tcp host 192.168.224.51 eq www host 192.168.224.10
 permit tcp host 192.168.224.52 eq www host 192.168.224.10 established
 permit tcp host 192.168.224.11 host 192.168.224.51 eq www
 permit tcp host 192.168.224.11 host 192.168.224.52 eq www
 permit tcp host 192.168.224.51 eq www host 192.168.224.11 fragments
 permit tcp host 192.168.224.52 eq www host 192.168.224.11
 remark CSM Probes HTTPS
 permit tcp host 192.168.224.10 host 192.168.224.51 eq 443
 permit tcp host 192.168.224.10 host 192.168.224.52 eq 443 log
 permit tcp host 192.168.224.51 eq 443 host 192.168.224.10
 permit tcp host 192.168.224.52 eq 443 host 192.168.224.10
 permit tcp host 192.168.224.11 host 192.168.224.51 eq 443 log
 permit tcp host 192.168.224.11 host 192.168.224.52 eq 443
 permit tcp host 192.168.224.51 eq 443 host 192.168.224.11
 permit tcp host 192.168.224.52 eq 443 host 192.168.224.11
 remark CSM Probes ICMP
 permit icmp host 192.168.224.10 host 192.168.224.51 echo
 permit icmp host 192.168.224.10 host 192.168.224.52 echo
 permit icmp host 192.168.224.51 host 192.168.224.10 echo-reply
 permit icmp host 192.168.224.52 host 192.168.224.10 echo-reply
 permit icmp host 192.168.224.11 host 192.168.224.51 echo
 permit icmp host 192.168.224.11 host 192.168.224.52 echo
 permit icmp host 192.168.224.51 host 192.168.224.11 echo-reply
 permit icmp host 192.168.224.52 host 192.168.224.11 echo-reply
 deny ip any any
access-list 110 permit tcp any any
access-list 120 permit ip 50.60.0.0 0.0.255.255 any
access-list 120 permit tcp any eq ftp any log-input
access-list 120 permit tcp any host 192.168.30.40 eq snmp
access-list 120 permit tcp host 192.168.20.10 host 192.168.30.40 eq snmp
access-list 120 permit tcp host 192.168.20.12 host 192.168.30.40 eq snmp
access-list 120 permit tcp any host 192.168.30.56 eq 9876
access-list 120 permit tcp any any eq 9876
access-list 120 deny tcp any host 192.168.30.56 eq 9876
access-list 40 permit 192.168.2.1
access-list 40 permit 172.10.1.35
access-list 40 permit 10.0.0.1
access-list 40 permit 192.168.0.1
access-list 40 deny any log
!
router eigrp name
 !
 address-family ipv4 unicast autonomous-system 1
  !
  af-interface default
   authentication mode md5
   authentication key-chain keychain
  exit-af-interface
  !
  topology base
  exit-af-topology
 exit-address-family
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
!
router rip
 network 3.0.0.0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 3
 neighbor 1.1.1.1 password 7 13151601181B0B382F
 neighbor 1.2.3.4 remote-as 1
 neighbor 1.2.3.4 password 7 03145A1815182E5E4A
 no auto-summary
!
ip default-gateway 10.200.4.254
ip forward-protocol nd
no ip http server
ip http port 80
ip http authentication enable
no ip http secure-server
ip http secure-port 443
ip http secure-active-session-modules all
ip http max-connections 5
ip http timeout-policy idle 180 life 180 requests 1
ip http active-session-modules all
ip http digest algorithm md5
ip http client cache memory pool 100
ip http client cache memory file 2
ip http client cache ager interval 5
ip http client connection timeout 10
ip http client connection retry 1
ip http client connection pipeline-length 5
ip http client connection idle timeout 30
ip http client response timeout 30
ip http path
!
!
ip rtcp report interval 5000
ip rtcp sub-rtcp message-type 209
ip tacacs source-interface Loopback0
!
no ip sla logging traps
logging history size 1
logging history warnings
logging trap informational
logging delimiter tcp
no logging origin-id
logging facility local7
logging source-interface Loopback1
logging 10.10.10.10
access-list 1 permit any
access-list 3 permit any
access-list 18 permit any
mac-address-table aging-time 300
no cdp run

!
!
!
!
snmp-server engineID local 8000000903000024977E9F46
snmp-server group snmpCISGroup v3 priv match exact read v1default
snmp-server view *ilmi system included
snmp-server view *ilmi atmForumUni included
snmp-server view v1default iso included
snmp-server view v1default internet.6.3.15 excluded
snmp-server view v1default internet.6.3.16 excluded
snmp-server view v1default internet.6.3.18 excluded
snmp-server view v1default ciscoMgmt.394 excluded
snmp-server view v1default ciscoMgmt.395 excluded
snmp-server view v1default ciscoMgmt.399 excluded
snmp-server view v1default ciscoMgmt.400 excluded
snmp-server view *tv.00000001.00000000.00000000.00000000.000000000F ieee802dot11 included
snmp-server view *tv.00000001.00000000.00000000.00000000.000000000F internet included
snmp-server community Testcom v1default RO 18
snmp-server community cisCommunity v1default RO 3
snmp-server community trapString v1default RO 3
snmp-server priority normal
no snmp-server trap link ietf
snmp-server trap authentication vrf
snmp-server trap authentication acl-failure
snmp-server trap authentication unknown-content
snmp-server packetsize 1500
snmp-server queue-limit notification-host 10
snmp-server chassis-id FCZ130693M0
snmp-server enable traps snmp authentication linkdown linkup coldstart
no snmp-server enable traps nhrp nhs up
no snmp-server enable traps nhrp nhs down
no snmp-server enable traps nhrp nhc up
no snmp-server enable traps nhrp nhc down
no snmp-server enable traps nhrp nhp up
no snmp-server enable traps nhrp nhp down
no snmp-server enable traps nhrp quota-exceeded
snmp-server host 1.2.3.4 traps version 1 trapString udp-port 162 snmp
snmp-server inform retries 3 timeout 15 pending 25
snmp mib event sample minimum 60
snmp mib event sample instance maximum 0
snmp mib expression delta minimum 1
snmp mib expression delta wildcard maximum 0
snmp mib nhrp
snmp mib notification-log global size 500
snmp mib notification-log global ageout 15
snmp mib community-map ILMI engineid 8000000903000024977E9F46
snmp mib community-map Testcom engineid 8000000903000024977E9F46
snmp mib community-map cisCommunity engineid 8000000903000024977E9F46
snmp mib community-map trapString engineid 8000000903000024977E9F46
!
tacacs-server host 18.1.1.1
!
control-plane
!
!
alias atm-vc-config vbr vbr-nrt
alias exec h help
alias exec lo logout
alias exec p ping
alias exec r resume
alias exec s show
alias exec u undebug
alias exec un undebug
alias exec w where
banner exec ^C
This is the exec banner^C
banner login ^C
This is the login banner^C
banner motd ^C
This is the motd banner^C
default-value exec-character-bits 7
default-value special-character-bits 7
default-value data-character-bits 8
!
line con 0
 exec-timeout 9 0
 login authentication cisTest
line aux 0
 exec-timeout 9 0
 login authentication cisTest
 no exec
line 0/0/0
 exec-timeout 9 0
 login authentication cisTest
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 access-class 1 in
 exec-timeout 9 0
 password 7 021605481811003348
 login authentication cisTest
 transport input ssh
line vty 5 807
 access-class 1 in
 exec-timeout 9 0
 login authentication cisTest
 transport input ssh
!
scheduler allocate 20000 1000
ntp authentication-key 5 md5 140713181F13253920 7
ntp authenticate
ntp trusted-key 5
ntp source Loopback0
ntp server 11.11.11.11 key 5
cns id hostname
cns id hostname event
cns id hostname image
cns image retry 60
netconf max-sessions 4
netconf lock-time 10
netconf max-message 0
event manager scheduler script thread class default number 1
event manager scheduler applet thread class default number 32
event manager history size events 10
event manager history size traps 10
end
Table 661: Cisco Router CiscoIOS15 Configuration Hashes
Type | Hash
MD5 | 391387404dfd26d441f3da414addc7f5
SHA-1 | ad6fce43eea8726cadb77bb16843fcad276cfd49
SHA-256 | c2d4f4da2c8ef96a760bfcb79c1474234d8212fd44b44101de035e4c5580770b
11 Appendix
11.1 Logging Severity Levels
Logging message severity levels provide a way of tagging log messages with an indication of how significant the message is. Table 662 lists the various standard logging severity levels that can be configured.
Table 662: Logging message severity levels
Level | Name | Description
0 | Emergencies | The system is unusable.
1 | Alerts | Immediate action is required
2 | Critical | Critical conditions
3 | Errors | Error conditions
4 | Warnings | Warning conditions
5 | Notifications | Significant conditions
6 | Informational | Informational messages
7 | Debugging | Debugging messages
11.2 OSPF LSA Message Types
OSPF is a routing protocol which is designed to dynamically adjust to network topology changes, updating its own routing tables and notifying other network devices of the changes. OSPF routers exchange information using LSA messages. This section details the different OSPF LSA message types.
Table 663: OSPF LSA message types
Type | Brief | Description
1 | Router LSA | These messages are sent only within the defined area and list the routers, the networks and their metrics.
2 | Network LSA | The designated router sends these messages containing a list of routers on a segment. These messages are sent only within the defined area.
3 | Summary LSA | An ABR sends routing summary LSA messages for its attached areas to other area routers. These messages enable scalability, with other OSPF area routers being sent summary information about other areas.
4 | ASBR Summary LSA | This message type contains additional route summary information for ASBR.
5 | External LSA | These messages contain routing information extracted from alternative routing processes. These messages are sent to all areas, except stubs.
6 | Group Message LSA | This message type relates to MOSPF and is not in general use.
7 | NSSA Routers | Routers in NSSA will not receive updates from ABR as external LSA are not permitted. Instead this type of message is used to summarize external routes to ABR.
8 | IPv6 LSA | These messages contain information on IPv6 addressing and internetworking BGP.
9 | Link Local Opaque LSA | These messages contain prefixes for stub and transit networks.
10 | Area Local Opaque LSA | These messages contain information that should be sent to other routers even if the routers are unable to understand the information.
11 | Opaque LSA | These messages contain information that should be sent to other routers, except stub areas.
11.3 Common Time Zones
When synchronising time from a central source, time zones can be configured in order to offset the time information for a specific locality. This section details the most common time zones.
Table 664: Common time zones
Region | Acronym | Time Zone | UTC Offset
Australia | CST | Central Standard Time | +9.5 hours
Australia | EST | Eastern Standard/Summer Time | +10 hours
Australia | WST | Western Standard Time | +8 hours
Europe | BST | British Summer Time | +1 hour
Europe | CEST | Central Europe Summer Time | +2 hours
Europe | CET | Central Europe Time | +1 hour
Europe | EEST | Eastern Europe Summer Time | +3 hours
Europe | EST | Eastern Europe Time | +2 hours
Europe | GMT | Greenwich Mean Time |
Europe | IST | Irish Summer Time | +1 hour
Europe | MSK | Moscow Time | +3 hours
Europe | WEST | Western Europe Summer Time | +1 hour
Europe | WET | Western Europe Time | +1 hour
USA and Canada | ADT | Atlantic Daylight Time | -3 hours
USA and Canada | AKDT | Alaska Standard Daylight Saving Time | -8 hours
USA and Canada | AKST | Alaska Standard Time | -9 hours
USA and Canada | AST | Atlantic Standard Time | -4 hours
USA and Canada | CDT | Central Daylight Saving Time | -5 hours
USA and Canada | CST | Central Standard Time | -6 hours
USA and Canada | EDT | Eastern Daylight Time | -4 hours
USA and Canada | EST | Eastern Standard Time | -5 hours
USA and Canada | HST | Hawaiian Standard Time | -10 hours
USA and Canada | MDT | Mountain Daylight Time | -6 hours
USA and Canada | MST | Mountain Standard Time | -7 hours
USA and Canada | PDT | Pacific Daylight Time | -7 hours
USA and Canada | PST | Pacific Standard Time | -3 hours
11.4 IP Protocols
This section lists the IP protocol numbers referenced within this report. Where two names appear against one number they are alternative names for the same protocol (typically the IANA name and the keyword accepted by Cisco IOS access lists). An access list entry that permits `ip` matches every protocol number in this table; a filter intended to allow only particular protocols should name them explicitly (for example `tcp`, `udp`, `icmp`, `esp`, `ahp`, `gre` or `ospf`).
Table 665: IP protocols
Name | Description | ID | RFC
- | Reserved | 255 | -
- | Use for experimentation and testing | 253-254 | RFC 3692
- | Unassigned | 140-252 | -
HIP | Host Identity Protocol | 139 | RFC 5201
MANET | MANET protocols | 138 | -
MPLS-in-IP | Encapsulating MPLS in IP | 137 | RFC 4023
UDPLite | Lightweight UDP | 136 | RFC 3828
Mobility Header | Mobility Support in IPv6 | 135 | RFC 3775
RSVP-E2E-IGNORE | RSVP for IPv4 and IPv6 | 134 | RFC 3175
FC | Fibre Channel | 133 | -
SCTP | Stream Control Transmission Protocol | 132 | -
PIPE | Private IP Encapsulation within IP | 131 | -
SPS | Secure Packet Shield | 130 | -
IPLT | IPLT | 129 | -
SSCOPMCE | SSCOPMCE | 128 | -
CRUDP | Combat Radio User Datagram | 127 | -
CRTP | Combat Radio Transport Protocol | 126 | -
FIRE | FIRE | 125 | -
ISIS over IPv4 | Intermediate System to Intermediate System over IPv4 | 124 | -
PTP | Performance Transparency Protocol | 123 | -
SM | SM | 122 | -
SMP | Simple Message Protocol | 121 | -
UTI | UTI | 120 | -
SRP | SpectraLink Radio Protocol | 119 | -
STP | Schedule Transfer Protocol | 118 | -
IATP | Interactive Agent Transfer Protocol | 117 | -
DDX | D-II Data Exchange | 116 | -
L2TP | Layer Two Tunneling Protocol | 115 | -
- | Any 0-hop protocol | 114 | -
PGM | PGM Reliable Transport Protocol | 113 | -
VRRP | Virtual Router Redundancy Protocol | 112 | RFC 3768
IPX-in-IP | IPX in IP | 111 | -
Compaq-Peer | Compaq Peer Protocol | 110 | -
SNP | Sitara Networks Protocol | 109 | -
PCP, IPComp | IP Payload Compression Protocol | 108 | RFC 3173
A/N | Active Networks | 107 | -
QNX | QNX | 106 | -
SCPS | SCPS | 105 | -
ARIS | ARIS | 104 | -
PIM | Protocol Independent Multicast | 103 | -
PNNI | PNNI over IP | 102 | -
IFMP | Ipsilon Flow Management Protocol | 101 | -
GMTP | GMTP | 100 | -
- | Any private encryption scheme | 99 | -
ENCAP | Encapsulation Header | 98 | RFC 1241
ETHERIP | Ethernet-within-IP Encapsulation | 97 | RFC 3378
SCC-SP | Semaphore Communications Security Protocol | 96 | -
MICP | Mobile Internetworking Control Protocol | 95 | -
IPIP, NOS | IP-within-IP Encapsulation Protocol (KA9Q NOS) | 94 | -
AX.25 | AX.25 Frames | 93 | -
MTP | Multicast Transport Protocol | 92 | -
LARP | Locus Address Resolution Protocol | 91 | -
Sprite-RPC | Sprite RPC Protocol | 90 | -
OSPF | Open Shortest Path First | 89 | RFC 1583
EIGRP | Enhanced IGRP | 88 | -
TCF | TCF | 87 | -
DGP | Dissimilar Gateway Protocol | 86 | -
NSFNET-IGP | NSFNET-IGP | 85 | -
TTP | TTP | 84 | -
VINES | VINES | 83 | -
SECURE-VMTP | Secure VMTP | 82 | -
VMTP | Versatile Message Transaction Protocol | 81 | RFC 1045
ISO-IP | ISO Internet Protocol | 80 | -
WB-EXPAK | WIDEBAND EXPAK | 79 | -
WB-MON | WIDEBAND Monitoring | 78 | -
SUN-ND | SUN ND Protocol (temporary) | 77 | -
BR-SAT-MON | Backroom SATNET Monitoring | 76 | -
PVP | Packet Video Protocol | 75 | -
WSN | Wang Span Network | 74 | -
CPHB | Computer Protocol Heart Beat | 73 | -
CPNX | Computer Protocol Network Executive | 72 | -
IPCV | Internet Packet Core Utility | 71 | -
VISA | VISA Protocol | 70 | -
SAT-MON | SATNET Monitoring | 69 | -
- | Any distributed file system | 68 | -
IPPC | Internet Pluribus Packet Core | 67 | -
RVD | MIT Remote Virtual Disk Protocol | 66 | -
KRYPTOLAN | Kryptolan | 65 | -
SAT-EXPAK | SATNET and Backroom EXPAK | 64 | -
- | Any local network | 63 | -
CFTP | CFTP | 62 | -
- | Any host internal protocol | 61 | -
IPv6-Opts, Opts6 | Destination Options for IPv6 | 60 | RFC 1883
IPv6-NoNxt, NoNxt6 | No Next Header for IPv6 | 59 | RFC 1883
IPv6-ICMP, ICMP6 | ICMP for IPv6 | 58 | RFC 1883
SKIP | SKIP | 57 | -
TLSP | Transport Layer Security Protocol | 56 | -
MOBILE | IP Mobility | 55 | -
NARP | NBMA Address Resolution Protocol | 54 | RFC 1735
SWIPE | IP with Encryption | 53 | -
I-NLSP | Integrated Net Layer Security Protocol | 52 | -
AH, AHP | Authentication Header | 51 | RFC 2402
ESP | Encapsulating Security Payload | 50 | RFC 2406
BNA | BNA | 49 | -
DSR | Dynamic Source Routing Protocol | 48 | RFC 4728
GRE | Generic Routing Encapsulation | 47 | -
RSVP | Reservation Protocol | 46 | -
IDRP | Inter-Domain Routing Protocol | 45 | -
IPv6-Frag | Fragment Header for IPv6 | 44 | -
IPv6-Route | Routing Header for IPv6 | 43 | -
SDRP | Source Demand Routing Protocol | 42 | -
IPv6 | IPv6 in IPv4 (encapsulation) | 41 | -
IL | IL Transport Protocol | 40 | -
TP++ | TP++ Transport Protocol | 39 | -
IDPR-CMTP | IDPR Control Message Transport Protocol | 38 | -
DDP | Datagram Delivery Protocol | 37 | -
XTP | XTP | 36 | -
IDPR | Inter-Domain Policy Routing Protocol | 35 | -
3PC | Third Party Connect Protocol | 34 | -
DCCP | Datagram Congestion Control Protocol | 33 | RFC 4340
MERIT-INP | MERIT Internodal Protocol | 32 | -
MFE-NSP | MFE Network Services Protocol | 31 | -
NETBLT | Bulk Data Transfer Protocol | 30 | RFC 969
ISO-TP4 | ISO Transport Protocol Class 4 | 29 | RFC 905
IRTP | Internet Reliable Transaction Protocol | 28 | RFC 938
RDP | Reliable Data Protocol | 27 | RFC 908
LEAF-2 | Leaf-2 | 26 | -
LEAF-1 | Leaf-1 | 25 | -
TRUNK-2 | Trunk-2 | 24 | -
TRUNK-1 | Trunk-1 | 23 | -
XNS-IDP | XEROX NS IDP | 22 | -
PRM | Packet Radio Measurement | 21 | -
HMP | Host Monitoring Protocol | 20 | RFC 869
DCN-MEAS | DCN Measurement Subsystems | 19 | -
MUX | Multiplexing | 18 | -
UDP | User Datagram Protocol | 17 | RFC 768
CHAOS | Chaos | 16 | -
XNET | Cross Net Debugger | 15 | -
EMCON | EMCON | 14 | -
ARGUS | ARGUS | 13 | -
PUP | PARC Universal Packet | 12 | -
NVP-II, NVP | Network Voice Protocol | 11 | RFC 741
BBN-RCC-MON | BBN RCC Monitoring | 10 | -
IGP, IGRP | Interior Gateway Protocol (any private IGP; used by Cisco for IGRP) | 9 | -
EGP | Exterior Gateway Protocol | 8 | RFC 888
CBT | CBT | 7 | -
TCP | Transmission Control Protocol | 6 | RFC 793
ST | Stream | 5 | RFC 1819
IPINIP, IPIP | IP in IP (encapsulation) | 4 | RFC 2003
GGP | Gateway-to-Gateway | 3 | RFC 823
IGMP | Internet Group Management | 2 | RFC 1112
ICMP | Internet Control Message | 1 | RFC 792
HOPOPT | IPv6 Hop-by-Hop Option | 0 | RFC 1883
11.5 ICMP Types
This section lists the ICMP types referenced within this report. A code of -1 means the entry refers to the ICMP type as a whole, irrespective of code, as an access list entry that names only the type does. Filters that drop ICMP wholesale also drop type 3 code 4 (Fragmentation Needed), which breaks path MTU discovery; it is better to block the specific types that are not wanted, such as Redirect (type 5) and the obsolete Source Quench (type 4), than all of ICMP.
Table 666: ICMP types
Description | Type | Code | RFC
Need Authorization | 40 | 5 | RFC 2521
Need Authentication | 40 | 4 | RFC 2521
Decryption Failed | 40 | 3 | RFC 2521
Decompression Failed | 40 | 2 | RFC 2521
Authentication Failed | 40 | 1 | RFC 2521
Bad SPI | 40 | 0 | RFC 2521
Photuris | 40 | -1 | RFC 2521
SKIP | 39 | -1 | -
Domain Name Reply | 38 | -1 | RFC 1788
Domain Name Request | 37 | -1 | RFC 1788
Mobile Registration Reply | 36 | -1 | -
Mobile Registration Request | 35 | -1 | -
IPv6 I-Am-Here | 34 | -1 | -
IPv6 Where-Are-You | 33 | -1 | -
Mobile Host Redirect | 32 | -1 | -
Datagram Conversion Error | 31 | -1 | RFC 1475
Traceroute | 30 | -1 | RFC 1393
Address Mask Reply | 18 | -1 | RFC 950
Address Mask Request | 17 | -1 | RFC 950
Information Reply | 16 | -1 | RFC 792
Information Request | 15 | -1 | RFC 792
Timestamp Reply | 14 | -1 | RFC 792
Timestamp Request | 13 | -1 | RFC 792
Bad Length | 12 | 2 | RFC 1108
Missing a Required Option | 12 | 1 | RFC 1108
Pointer Indicates the Error | 12 | 0 | RFC 792
Parameter Problem | 12 | -1 | RFC 792
Fragment Reassembly Time Exceeded | 11 | 1 | RFC 792
Time to Live Exceeded in Transit | 11 | 0 | RFC 792
Time Exceeded | 11 | -1 | RFC 792
Router Solicitation | 10 | -1 | RFC 1256
Does Not Route Common Traffic | 9 | 16 | RFC 2002
Router Advertisement | 9 | 0 | RFC 1256
Echo (Echo Request) | 8 | -1 | RFC 792
Alternate Host Address (deprecated) | 6 | -1 | -
Redirect Datagram for the Type of Service and Host | 5 | 3 | RFC 792
Redirect Datagram for the Type of Service and Network | 5 | 2 | RFC 792
Redirect Datagram for the Host | 5 | 1 | RFC 792
Redirect Datagram for the Network (or subnet) | 5 | 0 | RFC 792
Redirect | 5 | -1 | RFC 792
Source Quench (deprecated) | 4 | -1 | RFC 792
Precedence Cutoff in Effect | 3 | 15 | RFC 1812
Host Precedence Violation | 3 | 14 | RFC 1812
Communication Administratively Prohibited | 3 | 13 | RFC 1812
Destination Host Unreachable for Type of Service | 3 | 12 | RFC 1122
Destination Network Unreachable for Type of Service | 3 | 11 | RFC 1122
Communication with Destination Host is Administratively Prohibited | 3 | 10 | RFC 1122
Communication with Destination Network is Administratively Prohibited | 3 | 9 | RFC 1122
Source Host Isolated | 3 | 8 | RFC 1122
Destination Host Unknown | 3 | 7 | RFC 1122
Destination Network Unknown | 3 | 6 | RFC 1122
Source Route Failed | 3 | 5 | RFC 792
Fragmentation Needed and DF Set | 3 | 4 | RFC 792
Port Unreachable | 3 | 3 | RFC 792
Protocol Unreachable | 3 | 2 | RFC 792
Host Unreachable | 3 | 1 | RFC 792
Net Unreachable | 3 | 0 | RFC 792
Destination Unreachable | 3 | -1 | RFC 792
Echo Reply | 0 | -1 | RFC 792
11.6 Abbreviations
Abbreviation | Description
VTY | Virtual Teletype
VTP | VLAN Trunking Protocol
VRRP | Virtual Router Redundancy Protocol
VPN | Virtual Private Network
VLAN | Virtual Local Area Network
UTC | Coordinated Universal Time
URL | Uniform Resource Locator
UDP | User Datagram Protocol
TFTP | Trivial File Transfer Protocol
TCP | Transmission Control Protocol
TACACS+ | Terminal Access Controller Access Control System Plus
TACACS | Terminal Access Controller Access Control System
STIG | Security Technical Implementation Guide
SSP | System Security Plan
SSL | Secure Sockets Layer
SSH | Secure Shell
SNMP | Simple Network Management Protocol
SHA1 | Secure Hash Algorithm 1
SFTP | SSH File Transfer Protocol
SANS | SysAdmin, Audit, Network, Security
RPF | Reverse Path Forwarding
RIP | Routing Information Protocol
RFC | Request For Comments
RC4 | Rivest Cipher 4
RADIUS | Remote Authentication Dial-In User Service
PII | Personally Identifiable Information
PCI | Payment Card Industry
PAD | Packet Assembler/Disassembler
OSPF | Open Shortest Path First
OS | Operating System
NTP | Network Time Protocol
NMS | Network Management System
MOTD | Message Of The Day
MOP | Maintenance Operations Protocol
MITM | Man-In-The-Middle
MIB | Management Information Base
MD5 | Message Digest 5
MAC | Media Access Control
LSDB | Link State Database
LSA | Link State Advertisement
LLDP | Link Layer Discovery Protocol
LAN | Local Area Network
L2TPv3 | Layer 2 Tunneling Protocol version 3
IPv6 | Internet Protocol version 6
IPv4 | Internet Protocol version 4
IPsec | IP Security protocol
IPS | Intrusion Prevention System
IP | Internet Protocol
IOS | Internetwork Operating System
IGRP | Interior Gateway Routing Protocol
IGP | Interior Gateway Protocol
IEEE | Institute of Electrical and Electronics Engineers
IDS | Intrusion Detection System
ID | Identifier
ICMP | Internet Control Message Protocol
IAM | Information Assurance Manager
IA | Information Assurance
HTTPS | Hypertext Transfer Protocol over SSL/TLS
HTTP | Hypertext Transfer Protocol
HSRP | Hot Standby Router Protocol
GLBP | Gateway Load Balancing Protocol
FTP | File Transfer Protocol
EIGRP | Enhanced Interior Gateway Routing Protocol
EGP | Exterior Gateway Protocol
DSS | Data Security Standard
DoS | Denial of Service
DoD | Department of Defense
DNS | Domain Name System
DISA | Defense Information Systems Agency
DIACAP | DoD Information Assurance Certification and Accreditation Process
DHCP | Dynamic Host Configuration Protocol
DES | Data Encryption Standard
DEC | Digital Equipment Corporation
DAA | Designated Approving Authority
CPU | Central Processing Unit
CLI | Command Line Interface
CIDR | Classless Inter-Domain Routing
CDP | Cisco Discovery Protocol
BOOTP | Bootstrap Protocol
BGP | Border Gateway Protocol
AVG | Active Virtual Gateway
AVF | Active Virtual Forwarder
AUX | Auxiliary
ATO | Authority to Operate
ATM | Asynchronous Transfer Mode
AS | Autonomous System
ARP | Address Resolution Protocol