List of the checks
Older versions of IOS may contain vulnerabilities. Some services and options also depend on the firmware version (a feature may be enabled by default before version X and disabled later).
Some of these services can be used by attackers.
The tool checks whether each service is disabled and generates a warning if it is not.
List of potentially dangerous services:
- Packet assembler/disassembler (PAD)
The service that allows Cisco IOS software devices and other X.25 network equipment to establish PAD sessions -> can be used to gain unauthorized or inappropriate access.
- Config service
The service that enables autoloading of configuration files from a remote host -> can be used to load fake configuration.
- TCP and UDP small servers
The daemons that were designed for diagnostic purposes and enable echo, chargen, daytime, and discard services -> can be used to gather information, or to directly attack the Cisco IOS software device.
- Finger service
The protocol that can be used to obtain information about users logged into a remote host or network device.
- Smart install (vstack)
Plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches -> can be used to steal the whole device configuration.
- Identd
The protocol that allows a system to query the identity of a user initiating a TCP connection or a host responding to a TCP connection -> allows a user to obtain identity information by simply connecting to a TCP port on a system and issuing a simple text string requesting the information.
- Source-route
The option that allows a sender of an IP packet to control the route that the datagram will take toward its ultimate destination, and generally the route that any reply will take. Some older IP implementations don't process source-routed packets properly -> it may be possible to crash machines running these implementations by sending them datagrams with source routing options.
- BOOTP server
The bootstrap protocol that allows a diskless workstation to configure itself at boot time by dynamically obtaining an IP address, the IP address of the BOOTP server, and a configuration file -> can be used to gather device information.
- HTTP server
The Web Server and Client feature that provides a consistent interface for users and applications -> provides an insecure connection.
- Maintenance Operation Protocol (MOP) (L3 switches)
The protocol for remote communications between hosts and servers that has been proven vulnerable to various attacks -> it should be disabled on all access and externally facing interfaces unless they provide connectivity to DECnet networks.
Cisco devices have 16 privilege levels, from 0 to 15. Level 1 is the ordinary user level and level 15 carries the highest (administrator) rights.
- User with privilege level 1:
(config)# username user privilege 1 password cisco
The number of users with privilege level 15 must be kept to a minimum, so the tool counts the administrator accounts on the system and raises a warning if there are 3 or more.
- Configuration with warning result:
(config)# username user1 privilege 15 password cisco1
(config)# username user2 privilege 15 password cisco2
(config)# username user3 privilege 15 password cisco3
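As an added example (not the tool's own code), the two checks above can be expressed against a running-config like this: a service counts as not disabled when its `no ...` line is absent from the config, and level-15 accounts are counted from `username ... privilege 15` lines. The sample config and the table of disabling commands are my own assumptions; the page names the services but not the exact `no` commands.

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config excerpt (not from any real device;
# the secret strings are placeholders, not real hashes).
SAMPLE_CONFIG = """\
version 15.2
no service pad
no service tcp-small-servers
service password-encryption
hostname sw-edge-1
username admin1 privilege 15 secret 5 $1$salt$placeholder1
username admin2 privilege 15 secret 5 $1$salt$placeholder2
username admin3 privilege 15 secret 9 $9$salt$placeholder3
username helpdesk privilege 1 secret 5 $1$salt$placeholder4
no ip finger
no ip bootp server
ip http server
no vstack
"""

# Service name -> the IOS line that disables it.  The page lists the
# services; the disable commands are the standard IOS ones and are my
# assumption here (MOP is per-interface and is left out of this table).
DISABLE_LINES: Dict[str, str] = {
    "PAD": "no service pad",
    "Config service": "no service config",
    "TCP small servers": "no service tcp-small-servers",
    "UDP small servers": "no service udp-small-servers",
    "Finger": "no ip finger",
    "Smart Install (vstack)": "no vstack",
    "Identd": "no ip identd",
    "Source-route": "no ip source-route",
    "BOOTP server": "no ip bootp server",
    "HTTP server": "no ip http server",
}

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")


def services_not_disabled(cfg: str) -> List[str]:
    """Return the services whose disabling line is absent from the config.

    IOS does not print default settings, so a service that is on by
    default (e.g. PAD) is visible only through the absence of its 'no'
    line; a service explicitly switched on ('ip http server') is caught
    the same way, because its 'no ip http server' line is absent too.
    """
    present = {line.strip() for line in cfg.splitlines()}
    return [name for name, line in DISABLE_LINES.items() if line not in present]


def privileged_users(cfg: str) -> List[str]:
    """Return the usernames configured with privilege level 15."""
    users = []
    for line in cfg.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m and int(m.group(2)) == 15:
            users.append(m.group(1))
    return users


def admin_count_warning(cfg: str, threshold: int = 3) -> Optional[str]:
    """Warn once the number of level-15 accounts reaches the threshold."""
    admins = privileged_users(cfg)
    if len(admins) >= threshold:
        return f"WARNING: {len(admins)} privilege-15 accounts: {', '.join(admins)}"
    return None


if __name__ == "__main__":
    for svc in services_not_disabled(SAMPLE_CONFIG):
        print(f"WARNING: {svc} is not disabled")
    msg = admin_count_warning(SAMPLE_CONFIG)
    if msg:
        print(msg)
```

On the sample config the services check reports the config service, UDP small servers, identd, source routing and the HTTP server, and the three admin accounts trigger the warning.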
AAA (Authentication, Authorization and Accounting) is the authentication and event-logging system built into Cisco IOS that provides users secure remote access to Cisco devices.
This tool checks whether AAA is enabled and makes some configuration checks related to the authentication method.
- Check that AAA is enabled:
(config)# aaa new-model
- If the enable method is defined, the tool checks the privileged mode password:
(config)# aaa authentication login {default | list-name} enable
- If the local method is defined, the tool checks the users' passwords:
(config)# aaa authentication login {default | list-name} local
- If the none method is defined, the tool reports it as a red warning (if it is in 1st place in the method list) or as a yellow one (if it is just somewhere in the list):
(config)# aaa authentication login {default | list-name} local none
- First, a TACACS+ or RADIUS server group must be defined with the following command, with the server address defined after it:
(config)# aaa group server tacacs+/radius access-group
- User authentication is then verified first against TACACS+/RADIUS and then in the local user database (if the method list also contains the enable, local or none methods, they are checked with the same logic as in the local checks above):
(config)# aaa authentication login {default | list-name} group access-group local enable
- If neither the local nor the none method is defined, the tool checks AAA logging by searching for the accounting option:
(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [method1 [method2...]]
- If the default list is not defined, the tool checks every line for use of a custom list from the AAA configuration, and notifies about it if none is used:
(config-line)# login authentication access-group
If the administrator relies on a TACACS+/RADIUS server, he may set less secure logins and passwords in the local user database. However, an attacker may DoS the TACACS+ server, after which he will be able to run a brute-force attack against the logins from the local database.
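The AAA method-list checks listed above, written out as an added Python example (this is not the tool's code). It parses `aaa authentication login` lists, flags `none` as red when it is the first method and yellow otherwise, verifies that every `group NAME` points at a defined TACACS+/RADIUS server group, requires `aaa accounting` when a list contains neither `local` nor `none`, and, when no default list exists, requires every `line` stanza to select a defined list. The sample config and the RED/YELLOW labels are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ TAC-SERVERS
 server name tac1
aaa authentication login ADMIN group TAC-SERVERS local
aaa authentication login BACKUP none local
aaa authentication login CONSOLE enable
aaa accounting exec default start-stop group TAC-SERVERS
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication ADMIN
line vty 5 15
 login authentication BACKUP
line vty 16 31
 transport input ssh
"""

LOGIN_RE = re.compile(r"^aaa authentication login (\S+)\s+(.+)$")
GROUP_RE = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)$")
# A 'line ...' stanza together with its indented body.
STANZA_RE = re.compile(r"^(line .+)\n((?:[ \t].*\n)*)", re.M)


def login_lists(cfg: str) -> Dict[str, List[str]]:
    """Map each 'aaa authentication login' list name to its methods, in order."""
    lists: Dict[str, List[str]] = {}
    for line in cfg.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists


def server_groups(cfg: str) -> Set[str]:
    """Names of the TACACS+/RADIUS server groups defined in the config."""
    groups: Set[str] = set()
    for line in cfg.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            groups.add(m.group(1))
    return groups


def audit_aaa(cfg: str) -> List[str]:
    """Apply the page's AAA checks; RED/YELLOW mirror the tool's two severities."""
    lines = {l.strip() for l in cfg.splitlines()}
    if "aaa new-model" not in lines:
        return ["RED: AAA is not enabled (aaa new-model missing)"]
    findings: List[str] = []
    lists = login_lists(cfg)
    groups = server_groups(cfg)
    has_accounting = any(l.startswith("aaa accounting ") for l in lines)
    has_enable_secret = any(l.startswith("enable secret ") for l in lines)
    for name, methods in lists.items():
        if methods[0] == "none":
            findings.append(f"RED: list {name} uses 'none' as the first method")
        elif "none" in methods:
            findings.append(f"YELLOW: list {name} contains the 'none' method")
        if "enable" in methods and not has_enable_secret:
            findings.append(f"YELLOW: list {name} uses the enable method but no 'enable secret' is set")
        # Every 'group NAME' must refer to a defined TACACS+/RADIUS server group.
        for i, m in enumerate(methods[:-1]):
            if m == "group" and methods[i + 1] not in groups:
                findings.append(f"RED: list {name} references undefined server group {methods[i + 1]}")
        if "local" not in methods and "none" not in methods and not has_accounting:
            findings.append(f"YELLOW: list {name} is server-only but no aaa accounting is configured")
    if "default" not in lists:
        # Without a default list, every line must name a custom list explicitly.
        for m in STANZA_RE.finditer(cfg):
            stanza, body = m.group(1), m.group(2)
            sel = re.search(r"^\s*login authentication (\S+)$", body, re.M)
            if sel is None:
                findings.append(f"YELLOW: {stanza} does not select an AAA login list")
            elif sel.group(1) not in lists:
                findings.append(f"RED: {stanza} references undefined list {sel.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the BACKUP list is red because `none` comes first, the CONSOLE list is yellow because it uses `enable` without an `enable secret`, and `line vty 16 31` is yellow because no default list exists and it selects none.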
The tool checks what type of encryption is used for password storage on the device. There are four hashed types (MD5, SHA-256, PBKDF2-SHA-256 and scrypt); one type is the Vigenère cipher and one type is the password in clear text. It is recommended to use strong hashing for password storage because configuration files can be stolen from a TFTP server or obtained in another malicious way.
The tool makes the following password checks:
- Encrypting stored passwords (service password-encryption):
(config)# service password-encryption
- Privileged mode password:
(config)# enable password MyEnablePassword
or
(config)# enable secret SecretPassword
- Users' passwords:
(config)# username user password pass
- Password for console, telnet and other connections:
(config-line)# password MyPassword
(config-line)# login
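As an added example (not the tool's code), the following Python classifies every stored credential in a running-config by its IOS type number (the digit after `password`/`secret`: 0 clear text, 7 Vigenère, 5 MD5, 4 SHA-256, 8 PBKDF2-SHA-256, 9 scrypt; no digit means clear text) and flags the reversible ones, a missing `service password-encryption`, and an `enable password` used without an `enable secret`. The sample config is constructed and its hash strings are placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE_CONFIG = """\
no service password-encryption
enable password MyEnablePassword
enable secret 5 $1$salt$placeholdermd5
username ops password 7 0123456789ABCDEF
username dev privilege 15 secret 9 $9$salt$placeholderscrypt
username legacy password 0 plaintext
line vty 0 4
 password MyPassword
 login
"""

# IOS password type number -> what the stored string actually is.
PASSWORD_TYPES = {
    0: "clear text",
    7: "Vigenere (reversible)",
    5: "MD5",
    4: "SHA-256",
    8: "PBKDF2-SHA-256",
    9: "scrypt",
}
REVERSIBLE = {0, 7}  # the two storage types the page says not to rely on

ENABLE_RE = re.compile(r"^enable (password|secret)(?: (\d))? (\S+)$")
USER_RE = re.compile(r"^username (\S+) .*?(password|secret)(?: (\d))? (\S+)$")
# A 'line ...' stanza together with its indented body.
STANZA_RE = re.compile(r"^(line .+)\n((?:[ \t].*\n)*)", re.M)


def credentials(cfg: str) -> List[Tuple[str, int]]:
    """Return (owner, type-number) for each stored credential; no digit means type 0."""
    creds: List[Tuple[str, int]] = []
    for line in cfg.splitlines():
        s = line.strip()
        m = ENABLE_RE.match(s)
        if m:
            creds.append((f"enable {m.group(1)}", int(m.group(2) or 0)))
            continue
        m = USER_RE.match(s)
        if m:
            creds.append((f"username {m.group(1)}", int(m.group(3) or 0)))
    for m in STANZA_RE.finditer(cfg):
        pw = re.search(r"^\s*password(?: (\d))? \S+$", m.group(2), re.M)
        if pw:
            creds.append((m.group(1), int(pw.group(1) or 0)))
    return creds


def audit_passwords(cfg: str) -> List[str]:
    """Flag reversible storage and a missing 'enable secret', as the page describes."""
    findings: List[str] = []
    lines = {l.strip() for l in cfg.splitlines()}
    if "service password-encryption" not in lines:
        findings.append("WARNING: service password-encryption is off; 'password' entries stay in clear text")
    creds = credentials(cfg)
    has_secret = any(owner == "enable secret" for owner, _ in creds)
    for owner, t in creds:
        if t in REVERSIBLE:
            findings.append(f"WARNING: {owner} stored as {PASSWORD_TYPES[t]}")
        if owner == "enable password" and not has_secret:
            findings.append("WARNING: privileged mode relies on 'enable password'; use 'enable secret'")
    return findings


if __name__ == "__main__":
    for owner, t in credentials(SAMPLE_CONFIG):
        print(f"{owner}: type {t} ({PASSWORD_TYPES.get(t, 'unknown')})")
    for finding in audit_passwords(SAMPLE_CONFIG):
        print(finding)
```

The classifier only reads the type digit; it never attempts to reverse a type-7 string, which is all an audit needs to decide that the credential must be re-entered as a `secret`.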
Secure Shell (SSH) is a protocol that provides a secure remote access connection to network devices. Communication between the client and server is encrypted in both SSH version 1 and SSH version 2.
The tool makes the following checks related to SSH:
- Protocol version
By default SSH runs in compatibility mode, that is, both SSH version 1 and SSH version 2 connections are honored. Version 2 is considered secure.
(config)# ip ssh version 2
- Authentication retries
Sets the number of authentication attempts after which the interface is reset. If the number is > 5, the tool will notify about it.
(config)# ip ssh authentication-retries 2
- Time-out
Sets the time interval (in seconds) that the device waits for the SSH client to respond (300 seconds by default). If the interval is > 300, the tool will warn about it; if it is < 300 but > 100, the tool will just notify about it.
(config)# ip ssh time-out 180
- Maxstartups
Sets the maximum number of concurrent SSH sessions allowed. If the number of sessions is > 5, the tool will notify about it.
(config)# ip ssh maxstartups 2
- Inbound and outbound protocols on lines
Defines which protocols may be used to connect to a specific line of the router. If a protocol is defined and it is neither SSH nor none, the tool will notify about it.
(config-line)# transport {input | output} {ssh | none}
- Inactive session timeout on lines
Configures the inactive session timeout on the console port or the virtual terminals (in minutes and seconds). If the timeout is > 30 minutes or 0 (timeout disabled), the tool will warn about it; if it is < 30 but > 15, the tool will just notify about it.
(config-line)# exec-timeout 5 0
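The SSH and line checks above with their exact thresholds, as an added Python example (not the tool's code). The global checks read `ip ssh ...` values; the line checks parse each `line` stanza for `transport input/output` and `exec-timeout` (minutes plus seconds, converted to minutes). The sample config and the WARN/NOTE labels are assumptions.

```python
import re
from typing import List, Optional

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
ip ssh version 2
ip ssh authentication-retries 6
ip ssh time-out 120
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 20 0
 transport input ssh
line vty 5 15
 exec-timeout 45 30
 transport input telnet ssh
"""

# A 'line ...' stanza together with its indented body.
STANZA_RE = re.compile(r"^(line .+)\n((?:[ \t].*\n)*)", re.M)


def ssh_value(cfg: str, key: str) -> Optional[int]:
    """Integer argument of 'ip ssh <key> N', or None when not configured."""
    m = re.search(rf"^ip ssh {key} (\d+)$", cfg, re.M)
    return int(m.group(1)) if m else None


def audit_ssh_global(cfg: str) -> List[str]:
    """Version, retries, time-out and maxstartups checks with the page's thresholds."""
    findings: List[str] = []
    if re.search(r"^ip ssh version 2$", cfg, re.M) is None:
        findings.append("WARN: SSH not pinned to version 2 (compatibility mode)")
    retries = ssh_value(cfg, "authentication-retries")
    if retries is not None and retries > 5:
        findings.append(f"NOTE: authentication-retries is {retries} (> 5)")
    timeout = ssh_value(cfg, "time-out")
    if timeout is None:
        timeout = 300  # IOS default, as stated on the page
    if timeout > 300:
        findings.append(f"WARN: ssh time-out is {timeout} (> 300)")
    elif 100 < timeout < 300:
        findings.append(f"NOTE: ssh time-out is {timeout} (> 100)")
    maxstartups = ssh_value(cfg, "maxstartups")
    if maxstartups is not None and maxstartups > 5:
        findings.append(f"NOTE: maxstartups is {maxstartups} (> 5)")
    return findings


def audit_lines(cfg: str) -> List[str]:
    """Per-line transport and exec-timeout checks."""
    findings: List[str] = []
    for m in STANZA_RE.finditer(cfg):
        name, body = m.group(1), m.group(2)
        for t in re.finditer(r"^\s*transport (input|output) (.+)$", body, re.M):
            # Anything other than ssh/none (telnet, all, ...) is reported.
            extra = set(t.group(2).split()) - {"ssh", "none"}
            if extra:
                findings.append(f"NOTE: {name} transport {t.group(1)} allows {', '.join(sorted(extra))}")
        et = re.search(r"^\s*exec-timeout (\d+)(?: (\d+))?$", body, re.M)
        if et:
            minutes = int(et.group(1)) + int(et.group(2) or 0) / 60
            if minutes == 0:
                findings.append(f"WARN: {name} exec-timeout disabled")
            elif minutes > 30:
                findings.append(f"WARN: {name} exec-timeout is {minutes:g} min (> 30)")
            elif minutes > 15:
                findings.append(f"NOTE: {name} exec-timeout is {minutes:g} min (> 15)")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_global(SAMPLE_CONFIG) + audit_lines(SAMPLE_CONFIG):
        print(finding)
```

Note that an absent `ip ssh time-out` is treated as the 300-second default, which the page's rules leave silent (neither above 300 nor strictly between 100 and 300).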
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. It prevents the use of DHCP servers on untrusted interfaces and helps prevent MITM attacks and DHCP starvation. Also, when DHCP snooping is enabled, the switch records IP-to-MAC bindings.
The tool makes the following checks related to DHCP snooping:
- Global status
Globally enable DHCP snooping.
(config)# ip dhcp snooping
- Included VLANs
Enable DHCP snooping for VLAN 13.
(config)# ip dhcp snooping vlan 13
- Limit rate on interface
Cisco recommends an untrusted rate limit of not more than 100 packets per second (pps). If it is more, the tool will notify about it.
(config-if)# ip dhcp snooping limit rate 10
- Comparison of vlanmap and interface type
If an interface is not trusted according to the vlanmap but is marked as trusted, the tool will warn about it.
(config-if)# ip dhcp snooping trust
A Man-in-the-Middle attack is achieved when an attacker poisons the ARP cache of two devices with the MAC address of their own Ethernet NIC (Network Interface Card).
The ARP inspection feature binds MAC-IP pairs to an interface, using the DHCP snooping IP-MAC binding table.
- Global status
Enable ARP inspection for VLAN 13.
(config)# ip arp inspection vlan 13
- Comparison of vlanmap and interface type
If an interface is not trusted according to the vlanmap but is marked as trusted, the tool will warn about it.
(config-if)# ip arp inspection trust
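The DHCP snooping and ARP inspection checks above, as one added Python example (not the tool's code) covering both sections. It expands IOS VLAN lists such as `10,20-22`, confirms snooping is enabled globally and on at least one VLAN, reports VLANs that have snooping but no ARP inspection, reports untrusted-port rate limits above 100 pps, and warns about `trust` on interfaces the operator did not expect to be trusted. The page does not describe the vlanmap format, so an explicit set of expected trusted interface names stands in for it here (assumption); the sample config is constructed.

```python
import re
from typing import List, Set

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10,20-22
ip dhcp snooping
ip arp inspection vlan 10,20
interface GigabitEthernet1/0/1
 description uplink to core
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
interface GigabitEthernet1/0/2
 switchport access vlan 10
 ip dhcp snooping limit rate 150
interface GigabitEthernet1/0/3
 switchport access vlan 21
 ip dhcp snooping limit rate 15
 ip dhcp snooping trust
"""

# An 'interface ...' stanza together with its indented body.
IFACE_RE = re.compile(r"^interface (\S+)\n((?:[ \t].*\n)*)", re.M)


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def vlans_for(cfg: str, feature: str) -> Set[int]:
    """VLANs on which 'ip dhcp snooping' or 'ip arp inspection' is enabled."""
    vlans: Set[int] = set()
    for m in re.finditer(rf"^{feature} vlan (\S+)$", cfg, re.M):
        vlans |= parse_vlan_list(m.group(1))
    return vlans


def audit_snooping(cfg: str, expected_trusted: Set[str], max_rate: int = 100) -> List[str]:
    """The page's DHCP snooping / ARP inspection checks.

    expected_trusted holds the interface names that legitimately face a
    DHCP server or upstream switch; it stands in for the page's vlanmap
    (assumption: the page does not describe that file's format).
    """
    findings: List[str] = []
    if re.search(r"^ip dhcp snooping$", cfg, re.M) is None:
        findings.append("WARN: DHCP snooping is not enabled globally")
    snoop = vlans_for(cfg, "ip dhcp snooping")
    dai = vlans_for(cfg, "ip arp inspection")
    if not snoop:
        findings.append("WARN: DHCP snooping is enabled for no VLAN")
    for v in sorted(snoop - dai):
        findings.append(f"NOTE: VLAN {v} has DHCP snooping but no ARP inspection")
    for m in IFACE_RE.finditer(cfg):
        name, body = m.group(1), m.group(2)
        rate = re.search(r"^\s*ip dhcp snooping limit rate (\d+)$", body, re.M)
        if rate and int(rate.group(1)) > max_rate:
            findings.append(f"NOTE: {name} snooping rate limit {rate.group(1)} pps (> {max_rate})")
        for feature in ("ip dhcp snooping", "ip arp inspection"):
            if re.search(rf"^\s*{feature} trust$", body, re.M) and name not in expected_trusted:
                findings.append(f"WARN: {name} is '{feature} trust' but is not an expected trusted port")
    return findings


if __name__ == "__main__":
    for finding in audit_snooping(SAMPLE_CONFIG, {"GigabitEthernet1/0/1"}):
        print(finding)
```

With only the uplink declared as trusted, the sample yields notes for VLANs 21 and 22 (snooping without ARP inspection), a note for the 150 pps limit on Gi1/0/2, and a warning for the unexpected `ip dhcp snooping trust` on the access port Gi1/0/3.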
IP source guard binds MAC-IP pairs to an interface, using the DHCP snooping IP-MAC binding table.
- Interface status
Enable source guard on the interface:
(config-if)# ip verify source port-security
or, without a DHCP snooping table, with a static binding:
(config)# ip source binding <mac.add.ress> vlan <id> <IP.add.re.ss> interface <name>
Proxy ARP is a technique that helps machines on a subnet reach remote subnets without configuring routing or a default gateway.
- Interface status
If proxy ARP is enabled, a machine can claim to be another in order to intercept packets.
(config-if)# no ip proxy-arp
All packets from interfaces with no VLAN, and 802.1 (standard Ethernet) packets arriving at an 802.1Q trunk, are automatically assigned to the native VLAN. Native VLAN traffic sent through a trunk is also sent as 802.1 packets (no 802.1Q headers). By default the native VLAN number is 1, but a custom native VLAN is possible.
- Native VLAN number
SOON: If the native VLAN number was changed, the tool will notify about it.
(config-if)# switchport trunk native vlan 7
Access - receives 802.1 packets and sends them to this interface's VLAN. Trunk - receives 802.1Q packets and sends them to the corresponding VLAN; if an 802.1 packet is received, sends it to the native VLAN.
- Static VLAN type
Define the VLAN type strictly instead of dynamic mode.
(config-if)# switchport access vlan 11
(config-if)# switchport mode trunk
- Insecure configuration example:
SOON: It is also possible to set an interface to switch automatically between trunk and access (dynamic) modes, but that is a very bad security choice.
(config-if)# switchport mode dynamic {desirable | auto}
VLAN hopping is a type of attack in which an attacker can communicate with hosts in another VLAN.
- Protection
SOON: To protect from VLAN hopping attacks we recommend not using the native VLAN. If you REALLY need it, tag the native VLAN on the trunk.
(config)# vlan dot1q tag native
- Use ARP inspection and source guard with DHCP snooping.
- Split the network into VLANs.
- Use only static interface types (trunk/access).
- Do not use the native VLAN.
VTP distributes VLAN settings to all switches in the domain. By default, VTP is enabled.
- Global status (mode)
By default, VTP is enabled in server mode. As a best practice, deploying VTP in transparent mode is recommended for better VLAN control, security and manageability.
(config)# vtp mode transparent
A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements.
You can also disable VTP entirely with the following command:
(config)# vtp mode off
Off mode behaves in the same manner as a VTP transparent switch, except that the switch does not forward VTP advertisements on trunks.
DTP is used to negotiate forming a trunk between two Cisco devices. By default, DTP is enabled.
- Interface status
A general best practice is to turn off DTP if it is not really needed. The following command prevents the port from generating DTP frames.
(config-if)# switchport nonegotiate
CDP and LLDP are device discovery protocols. They allow network management applications to automatically discover and learn about other devices connected to the network. An attacker can use these technologies to collect information about the network, so we recommend disabling discovery protocols.
- Global status
By default, CDP is enabled, but LLDP is disabled.
(config)# no {cdp | lldp} run
- Interface status
CDP may also be disabled on a single interface.
(config-if)# no cdp enable
STP is a protocol that prevents logical loops in switched networks with redundant links. By default, STP is enabled.
The PortFast command has two effects: ports that come up are put directly into the STP forwarding state instead of going through the listening and learning stages, AND the switch never generates a TCN when a port configured for PortFast goes up or down.
(This feature should not be necessary for server ports. It should definitely be avoided on ports that lead to hubs or other bridges. A port that directly transitions to the forwarding state on a redundant link can cause temporary bridging loops.)
- Global status
By default, PortFast is disabled globally.
(config)# spanning-tree portfast default
- Status on access interface
PortFast should be enabled, so if it is not, the tool will warn about it.
(config-if)# spanning-tree portfast
- Status on trunk interface
Due to potential loops between 2 switches, PortFast should be disabled, and if it is not, the tool will warn about it.
(config-if)# spanning-tree portfast disable
Since STP does not implement any authentication or encryption to protect the exchange of BPDUs, it is vulnerable to unauthorized participation and attacks, as highlighted earlier. The BPDU Guard feature restricts participation in spanning tree. BPDU Guard can be configured per port or globally.
- Global status
In this case BPDU Guard is only effective on ports in the operational PortFast state. By default, BPDU Guard is disabled globally.
(config)# spanning-tree portfast bpduguard default
- Status on access interface
BPDU Guard should be enabled, so if it is not, the tool will warn about it.
(config-if)# spanning-tree bpduguard enable
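The PortFast and BPDU Guard checks from the two sections above, as one added Python example (not the tool's code). It works out the effective state per interface: an explicit `spanning-tree portfast` / `portfast disable` wins, otherwise the global `spanning-tree portfast default` applies to non-trunk ports; BPDU Guard is explicit via `bpduguard enable/disable`, otherwise the global default applies only where PortFast is effectively on (as the page notes). Access ports then need both, trunks must not have PortFast. The sample config and the WARN labels are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample switch configuration (not from a real device).
SAMPLE_CONFIG = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/1
 switchport mode trunk
 spanning-tree portfast
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast disable
interface GigabitEthernet1/0/4
 switchport mode access
"""

# An 'interface ...' stanza together with its indented body.
IFACE_RE = re.compile(r"^interface (\S+)\n((?:[ \t].*\n)*)", re.M)


def _has(body: str, cmd: str) -> bool:
    """True when the exact command appears as a line of the stanza body."""
    return re.search(rf"^\s*{re.escape(cmd)}$", body, re.M) is not None


def interface_state(cfg: str) -> Dict[str, Tuple[Optional[str], bool, bool]]:
    """Per interface: (switchport mode, effective PortFast, effective BPDU Guard).

    Assumption on the global defaults: 'portfast default' applies to every
    port that is not a trunk, and 'portfast bpduguard default' acts only on
    ports that end up in PortFast, which is what the page states.
    """
    pf_default = re.search(r"^spanning-tree portfast default$", cfg, re.M) is not None
    bg_default = re.search(r"^spanning-tree portfast bpduguard default$", cfg, re.M) is not None
    state: Dict[str, Tuple[Optional[str], bool, bool]] = {}
    for m in IFACE_RE.finditer(cfg):
        name, body = m.group(1), m.group(2)
        mode_m = re.search(r"^\s*switchport mode (access|trunk)$", body, re.M)
        mode = mode_m.group(1) if mode_m else None
        if _has(body, "spanning-tree portfast disable"):
            portfast = False
        elif _has(body, "spanning-tree portfast"):
            portfast = True
        else:
            portfast = pf_default and mode != "trunk"
        if _has(body, "spanning-tree bpduguard disable"):
            bpduguard = False
        elif _has(body, "spanning-tree bpduguard enable"):
            bpduguard = True
        else:
            bpduguard = bg_default and portfast
        state[name] = (mode, portfast, bpduguard)
    return state


def audit_stp(cfg: str) -> List[str]:
    """Access ports need PortFast and BPDU Guard; trunks must not run PortFast."""
    findings: List[str] = []
    for name, (mode, portfast, bpduguard) in interface_state(cfg).items():
        if mode == "trunk" and portfast:
            findings.append(f"WARN: {name} is a trunk with PortFast enabled")
        if mode == "access" and not portfast:
            findings.append(f"WARN: {name} is an access port without PortFast")
        if mode == "access" and not bpduguard:
            findings.append(f"WARN: {name} is an access port without BPDU Guard")
    return findings


if __name__ == "__main__":
    for finding in audit_stp(SAMPLE_CONFIG):
        print(finding)
```

In the sample, Gi1/0/4 passes with no per-port commands at all because both global defaults cover it, while Gi1/0/3 fails both checks because `portfast disable` also switches off the global BPDU Guard for that port.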
Loop guard checks whether a root port or an alternate root port receives BPDUs. If the port stops receiving BPDUs, loop guard puts the port into an inconsistent state until it starts receiving BPDUs again.
- Global status
By default, loop guard is disabled.
(config)# spanning-tree loopguard default
This feature protects against attacks in which an attacker mounts a DoS attack against infrastructure devices by using MAC flooding to cause MAC address table exhaustion, as well as other Layer 2 Content Addressable Memory (CAM) overflow attacks.
The tool makes the following checks related to port security:
- Interface status
Enable port security on the interface.
(config-if)# switchport port-security
- Maximum number of MAC addresses for port security
The maximum number can be specified with the tool key --max_number_mac. By default, the value is 10.
(config-if)# switchport port-security maximum 4
- Violation type
Cisco configuration has 3 violation types: protect, restrict and shutdown. By default, the violation type is shutdown. The protect type is considered less secure.
(config-if)# switchport port-security violation restrict
- Aging time
This allows a learned MAC address to be removed after a configured amount of time (in minutes). By default, aging is disabled. If the aging time is more than 20 minutes, the tool will notify about it.
(config-if)# switchport port-security aging time 2
A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. The traffic storm control feature prevents LAN ports from being disrupted by a broadcast, multicast or unicast traffic storm on physical interfaces.
- Interface status
Traffic storm control is enabled by the following level commands; if they are not specified, the tool will notify about it.
- Level
Specifies the threshold level for broadcast, multicast or unicast traffic; the threshold can be specified with the tool key --storm_level. By default, the value is 80.
(config-if)# storm-control {broadcast | multicast | unicast} level 50.00
- Action
Specifies the action to take when a storm occurs on a port.
(config-if)# storm-control action {shutdown | trap}
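The port-security and storm-control checks from the two sections above, as one added Python example (not the tool's code). For every `switchport mode access` interface it checks that port security is enabled, that the maximum MAC count does not exceed `--max_number_mac` (default 10), that the violation mode is not `protect`, that the aging time is at most 20 minutes, and that a percentage `storm-control ... level` is present and not above `--storm_level` (default 80). The keyword arguments stand in for the tool's keys; the sample config and the WARN/NOTE labels are assumptions.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 4
 switchport port-security violation restrict
 switchport port-security aging time 30
 storm-control broadcast level 50.00
 storm-control action shutdown
interface GigabitEthernet1/0/6
 switchport mode access
 switchport port-security
 switchport port-security maximum 20
 switchport port-security violation protect
 storm-control multicast level 90.00
interface GigabitEthernet1/0/7
 switchport mode access
"""

# An 'interface ...' stanza together with its indented body.
IFACE_RE = re.compile(r"^interface (\S+)\n((?:[ \t].*\n)*)", re.M)


def access_interfaces(cfg: str) -> Iterator[Tuple[str, str]]:
    """Yield (name, body) for every 'switchport mode access' interface."""
    for m in IFACE_RE.finditer(cfg):
        if re.search(r"^\s*switchport mode access$", m.group(2), re.M):
            yield m.group(1), m.group(2)


def audit_port_security(cfg: str, max_number_mac: int = 10, storm_level: float = 80.0) -> List[str]:
    """Port-security and storm-control checks for access ports.

    max_number_mac and storm_level stand in for the tool's --max_number_mac
    and --storm_level keys.  Only percentage levels are parsed; 'level pps'
    and 'level bps' forms are treated as absent (assumption).
    """
    findings: List[str] = []
    for name, body in access_interfaces(cfg):
        if re.search(r"^\s*switchport port-security$", body, re.M) is None:
            findings.append(f"WARN: {name} port-security not enabled")
        else:
            mx = re.search(r"^\s*switchport port-security maximum (\d+)$", body, re.M)
            if mx and int(mx.group(1)) > max_number_mac:
                findings.append(f"NOTE: {name} port-security maximum {mx.group(1)} (> {max_number_mac})")
            vm = re.search(r"^\s*switchport port-security violation (\S+)$", body, re.M)
            if vm and vm.group(1) == "protect":
                findings.append(f"NOTE: {name} violation mode 'protect' is the least secure")
            ag = re.search(r"^\s*switchport port-security aging time (\d+)$", body, re.M)
            if ag and int(ag.group(1)) > 20:
                findings.append(f"NOTE: {name} port-security aging time {ag.group(1)} min (> 20)")
        levels = re.findall(
            r"^\s*storm-control (broadcast|multicast|unicast) level (\d+(?:\.\d+)?)$", body, re.M
        )
        if not levels:
            findings.append(f"NOTE: {name} has no storm-control level")
        for kind, lvl in levels:
            if float(lvl) > storm_level:
                findings.append(f"NOTE: {name} storm-control {kind} level {lvl} (> {storm_level:g})")
    return findings


if __name__ == "__main__":
    for finding in audit_port_security(SAMPLE_CONFIG):
        print(finding)
```

Interfaces without `switchport mode access` are skipped on purpose: trunks and routed ports are outside the scope of these two checks.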
An interface without any settings.
- Status
In most situations, enabled interfaces without settings may be the cause of potential attacks. So, please, just disable them.
(config-if)# shutdown
- RA guard
Router Advertisement (RA) guard. Router Advertisements play the role of DHCP for IPv6.
Simple case (drop all RAs on an interface):
(config-if)# ipv6 nd raguard
Complex case:
!
ipv6 nd raguard policy ONLY-DHCPv6-RAs
! role 'router' allows the RAs through but triggers deep inspection
device-role router
! The RAs that we let through have to have Managed flag set.
managed-config-flag on
! The Other configuration flag also needs to be set.
other-config-flag on
! Only allow the RAs that advertise the prefixes from our own address space
match ra prefix-list IPv6-SPACE
!
! . . .
!
interface Ethernet0/0
description connection to R1 from Sw3
switchport
switchport access vlan 100
switchport mode access
! Attach the policy to the port connecting to the router
ipv6 nd raguard attach-policy ONLY-DHCPv6-RAs
spanning-tree portfast
!
! . . .
!
ipv6 prefix-list IPv6-SPACE permit 2001:db8:cafe::/48 ge 64 le 64
- Fragmentation
Packet fragmentation allows bypassing RA guard.
Below is a configuration that helps to avoid this attack:
!
interface GigabitEthernet1/0/1
ipv6 traffic-filter nofrags in
!
ipv6 access-list nofrags
deny ipv6 any FE80::/64 undetermined-transport
permit ipv6 any any
!
- IPv6 snooping
Neighbor Discovery (the IPv6 analog of ARP) inspection + RA guard + IPv6 address gleaning
(config)# ipv6 snooping policy ROUTER
(config-ipv6-snooping)# device-role router
(config)# ipv6 snooping policy HOST
On an interface facing a router:
(config-if)# ipv6 snooping attach-policy ROUTER
On an interface facing hosts:
(config-if)# ipv6 snooping attach-policy HOST
- IPv6 source guard
The IPv6 analog of ARP inspection.
(config)# ipv6 source-guard policy SG
(config-if)# ipv6 source-guard attach-policy SG
- Check realization:
TODO
| Feature | Default | Global | Interface |
|---|---|---|---|
| VTP | + | + | |
| DTP | + | + | |
| STORM | + | | |
| STP | + | + | |
| CDP | + | + | + |
| LLDP | + | | |
| DHCP SNOOP | + | + | |
| DAI | + | + | |