
Expert Reference Series of White Papers

1-800-COURSES www.globalknowledge.com

How Vulnerable Are Your Cisco IOS Routers?


Copyright 2009 Global Knowledge Training LLC. All rights reserved.

Carol Kavalla, Global Knowledge Instructor, BS, CCSI, CCDP

Introduction

Security of the network is a top priority for companies. Of course, this would include securing Cisco routers. It may be surprising to some that Cisco routers run many services that could create vulnerabilities. Some of these services are enabled by default.

This white paper lists a number of the services that should be disabled and why. Additionally, some best practices for securing your Cisco routers are defined.

This is not intended to be an exhaustive listing of all services enabled on Cisco routers that could create vulnerabilities, nor of all best practices for configuring Cisco routers. There are several Cisco security courses that cover this information in depth. Rather, this paper is meant to be a vehicle for discussion regarding the security of Cisco routers.

Services that Are Enabled by Default

The services below are enabled by default (in some cases depending on the version of IOS installed on the router) and should be disabled if not in use.

BOOTP Server

This allows a router to act as a BOOTP server for other routers, thereby allowing them to load their operating system over the network from the router acting as the BOOTP server.

A hacker could use the BOOTP service to download a copy of the router's IOS software. The tools for this type of attack are available on the Internet.

If not required, the BOOTP service should be disabled. The following global command can be used to disable BOOTP: no ip bootp server.

Cisco Discovery Protocol (CDP)

Cisco Discovery Protocol is used to obtain information about directly connected Cisco neighbors. The information gleaned from CDP includes IP addresses, hardware model information, and operating system version. This feature could allow a hacker to gain information about the configuration of the device and of the network infrastructure. If not needed, it should be disabled globally or on an interface-by-interface basis.

CDP can be disabled globally with the no cdp run command and on the interface with the no cdp enable command.

CDP needs to be enabled when using Cisco IP phones. If it has been disabled globally on the switch, it can be enabled on the interface using the cdp enable command.

There are several known attacks on the Cisco IP Phone CDP feature, so it is a decision for each network administrator to determine the risk versus the obvious benefits of CDP to support Cisco IP Telephony solutions.

HTTP Configuration and Monitoring

The default setting for this service is device-dependent. The HTTP service allows the router to be monitored or configured from a web browser. HTTP is a clear-text protocol and is vulnerable to various packet-capture methods.

A hacker could monitor network traffic and capture authentication usernames and passwords. This issue is made more serious when the enable password is used for authentication, because this knowledge would give the attacker full administrative access to the device. Once usernames and passwords have been captured, it is simply a matter of using the credentials to log into the router.

If not required, the HTTP service should be disabled. If web access to the device is required, consider using HTTPS or Secure Shell (SSH). The encrypted HTTPS and SSH services may require an IOS or hardware upgrade.

The HTTP service can be disabled with the following IOS global command: no ip http server.

Domain Name System (DNS)

By default, Cisco routers broadcast name requests to 255.255.255.255. A hacker who is able to capture network traffic could monitor DNS queries from the Cisco router.

Domain lookups can be disabled with the following global command: no ip domain-lookup.

Packet Assembler / Disassembler (PAD)

The Packet Assembler / Disassembler service enables X.25 connections between network systems. The PAD service is enabled by default on most Cisco IOS devices, but it is only required if support for X.25 links is necessary. Running unused services increases the chances of a hacker finding a security hole for compromising a device.

The PAD service can be disabled with the following global configuration command: no service pad.


Internet Control Message Protocol (ICMP) Redirects

ICMP redirects cause the router to send ICMP redirect messages whenever the router is forced to resend a packet through the same interface on which it was received. By sending ICMP redirects, a hacker can redirect packets to an untrusted device.

To stop ICMP redirects, use the following interface command: no ip redirects. This needs to be done on all interfaces.

IP Source Routing

IP source routing is a feature whereby a network packet can specify how it should be routed through the network. IP source routing can allow a hacker to specify a route for a network packet to follow, possibly to bypass a firewall or an Intrusion Detection System (IDS). A hacker could also use source routing to capture network traffic by routing it through a system controlled by the attacker.

A hacker would have to control either a routing device or an end point device in order to modify a packet's route through the network. However, tools are available on the Internet that would allow a hacker to specify source routes. Tools are also available to modify network routing using vulnerabilities in some routing protocols.

This can be disabled using the global command: no ip source-route.

Finger Service

The finger service allows a hacker to find out who is logged into the router and allows them to find out valid login names. The information they could access includes the processes running on the system, the line number, connection name, idle time, and terminal location. This information is provided through the Cisco IOS software show users EXEC command. Unauthorized persons can use this information for reconnaissance attacks.

This service can easily be disabled using the global command: no service finger or no ip finger (depending on the version of code). This command keeps your router from replying to finger requests. In addition to this command, an inbound access list that blocks port 79 should be applied.

Proxy ARP

This feature configures the router to act as a proxy for Layer 2 address resolution when hosts have no default gateway configured. When a host sends an ARP request, the router responds to it with its own MAC address as the one to use for the remote system. When DHCP is being used, there is no need to have Proxy ARP enabled. Attackers may be able to spoof packets and gather information about your router and your network.

Proxy ARP can be disabled on the interface with the following command: no ip proxy-arp.


IP Directed Broadcast

This is enabled by default prior to Cisco IOS Software Release 12.0 and disabled by default in Release 12.0 or later. IP directed broadcasts are used in the smurf denial of service (DoS) attack and other related attacks.

Services that Are Disabled by Default

Configuration Auto-loading

Auto-loading of configuration files from a network server should remain disabled when not in use by the router.

FTP Server

The FTP server enables you to use your router as an FTP server for FTP client requests. Because it allows access to certain files in the router Flash memory, this service should remain disabled when it is not required.

TFTP Server

The TFTP server enables you to use your router as a TFTP server for TFTP clients. It allows access to certain files in your Flash memory. This service should remain disabled if not required.

Network Time Protocol (NTP)

When enabled, the router acts as a time server for other network devices. If configured insecurely, NTP can be used to corrupt the router clock and, potentially, the clock of other devices that learn time from the router. Correct time is essential for setting proper time stamps for IPsec encryption services, log data, and diagnostic and security alerts. If this service is used, restrict which devices have access to NTP.

ICMP Mask Reply

When enabled, this service tells the router to respond to ICMP mask requests by sending ICMP mask reply messages containing the interface IP address mask. This information can be used to map the network, and this service should be explicitly disabled on interfaces to untrusted networks.

TCP Keepalives

TCP keepalives help terminate TCP connections where a remote host has rebooted or otherwise stopped processing TCP traffic. Such a connection could become orphaned, and a hacker could attempt a DoS attack against a Cisco router by exhausting the number of possible connections. TCP keepalives should be enabled globally to confirm that a remote connection is valid and, if not, terminate any orphaned connections.

This can be configured from global configuration mode: service tcp-keepalives-in.

Additional Security Issues

In addition to the services listed above, the following security issues should be considered when configuring a Cisco router.


Router Interfaces

Unused router interfaces should be disabled to limit unauthorized access to the router and to the network.

Connection Timeout

Connection timeouts can be configured for console ports, auxiliary ports, and VTY lines. If an administrator does not correctly terminate the connection, it will automatically close after the timeout expires. However, if a timeout is not configured, or is configured to be a long timeout, an unauthorized user may be able to gain access using the administrator's previously logged-in connection. The attacker would have to gain physical access to the device to use the console port. A default timeout of 10 minutes is configured on the router console port.

Software Version

It is extremely important that software be regularly maintained with patches and upgrades in order to help mitigate the risk of a hacker exploiting a known software vulnerability.

Auxiliary Port

The auxiliary port's primary purpose is to provide remote administration capability. It can allow a remote administrator to use a modem to dial into the Cisco device. If not in use, the auxiliary port exec should be disabled. This can be done with the no exec command on the aux port.

If the auxiliary port is required for remote administration, the callback feature can be configured to dial a specific preconfigured telephone number for additional security.

Minimum Password Length

Cisco introduced an option with IOS version 12.3(1) that forces user, enable, secret, and line passwords to meet a minimum length. This setting was introduced to help prevent the use of short passwords. With a small minimum password length configured, it is possible for a short password to be used. If a hacker were able to gain a password through a dictionary attack or by a brute-force method, the attacker could gain a level of access to the router. This is made more serious by the fact that a number of dictionary-based password guessing and password brute-force tools are available on the Internet.

A requirement for a minimum password length can be configured with the following command: security passwords min-length.

Service Password Encryption

Cisco service passwords are stored by default in their clear-text form rather than being encrypted.


If a malicious user were to see a Cisco configuration that contained clear-text passwords, they could use the passwords to access the device. The Cisco password encryption service should be enabled. It can be started with the following Cisco global command: service password-encryption.

Even though these passwords can be easily decrypted with tools available on the Internet, they are still more secure than clear-text passwords. In addition, the encryption prevents an unauthorized person from looking over an administrator's shoulder and reading the passwords in clear text.
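As an added example that is not part of this white paper, the Python script below audits a saved running-config for the global and interface commands recommended in the sections above and reports every one that is absent, skipping interfaces that are already shut down. The configuration text is a constructed sample (not from a real device), and the check names and the audit function are the script's own assumptions rather than any Cisco tool.

```python
# Global-configuration commands the paper recommends, keyed by the service they
# address; "|" separates acceptable spellings (finger's differs by IOS version).
GLOBAL_CHECKS = {
    "BOOTP server": "no ip bootp server", "CDP": "no cdp run",
    "HTTP server": "no ip http server", "DNS lookups": "no ip domain-lookup",
    "PAD (X.25)": "no service pad", "IP source routing": "no ip source-route",
    "finger": "no service finger|no ip finger",
    "inbound TCP keepalives": "service tcp-keepalives-in",
    "minimum password length": "security passwords min-length",
    "password encryption": "service password-encryption",
}
# Interface-mode commands, expected on every interface that is not shut down.
INTERFACE_CHECKS = {"ICMP redirects": "no ip redirects", "Proxy ARP": "no ip proxy-arp"}

def _present(lines, cmds):
    # Whole-command match, with or without trailing arguments (e.g. min-length 10).
    return any(l == c or l.startswith(c + " ") for l in lines for c in cmds.split("|"))

def audit(config):
    """Return (scope, finding) pairs for each hardening command the config lacks."""
    scopes, current = {"global": []}, "global"
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif not line.startswith(" "):  # IOS ends an interface stanza at an unindented line
            current = "global"
        scopes.setdefault(current, []).append(line.strip())
    findings = [("global", f"{what}: missing '{cmds.replace('|', ' or ')}'")
                for what, cmds in GLOBAL_CHECKS.items() if not _present(scopes["global"], cmds)]
    for name, body in scopes.items():
        if name == "global" or "shutdown" in body:
            continue  # an unused interface that is already shut down needs no checks
        findings += [(name, f"{what}: missing '{cmd}'")
                     for what, cmd in INTERFACE_CHECKS.items() if not _present(body, cmd)]
    return findings
# Constructed sample running-config (not from the paper) with some gaps left in.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
service password-encryption
security passwords min-length 10
no ip bootp server
no ip http server
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
interface FastEthernet0/1
 no ip proxy-arp
interface Serial0/0
 shutdown
"""
```

Running audit(SAMPLE_CONFIG) on the sample reports five missing global commands (CDP, DNS lookups, PAD, source routing, finger) and the missing no ip redirects on FastEthernet0/1; commands that are absent because a feature is enabled by default (for example the IP directed broadcast default before Release 12.0) must still be verified against the IOS version in use.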

Summary

All of the potential vulnerabilities listed in this paper can be real threats to Cisco routers. An awareness of these threats will be instrumental in securing your Cisco routers.

Again, this was not intended to be an exhaustive listing of all services enabled on Cisco routers that could create vulnerabilities, nor of all best practices for configuring Cisco routers. The intent of this paper has been for it to be a vehicle for discussion regarding the security of those routers.

Learn More

Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:

CCNA Boot Camp v2.0
ISCW Implementing Secure Converged Wide Area Networks
IINS Implementing Cisco IOS Unified Communications
CCDA Boot Camp

For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative.

Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.

About the Author

Carol Kavalla's background includes teaching at Rockland Community College in New York, managing networks and being a consultant for the NYS small business development center. For the last eight and a half years Carol has taught for Global Knowledge and is certified to teach nine Cisco courses: ICND1, ICND2, CCDA, BSCI, BCMSN, TCN, ICMI, BGP and ARCH. She also has a consulting firm in Charleston, South Carolina where she works with small companies (100-200 nodes) installing and configuring routers and switches, and troubleshooting network problems.
