Translate

Sunday, 15 September 2013

Layer 5 Attacks (Session Layer Attacks)

Here we will see the different Session Layer Attacks. The session layer sets up, manages and terminates exchanges and conversations.
Session Layer features:

  • Session Checkpoint
  • Session Adjournment
  • Session Termination
  • Half- and Full-Duplex Operations

Session Hijacking
The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token. The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.
The session token could be compromised in different ways; the most common are:

Man in the Middle Attack

  • Attacker intercepts all communications between two hosts. 
  • With communications between a client and server now flowing through the attacker, he or she is free to modify their content. 
  • Protocols that rely on the exchange of public keys to protect communications are often the target of these types of attacks

Blind Hijacking

  • An attacker injects data such as malicious commands into intercepted communications between two hosts commands like "net.exe localgroup administrators /add EvilAttacker". 
  • This is called Blind Hijacking because the attacker can only inject data into the communications stream, but cannot see the response to that data (such as "The command completed successfully.") 
  • Essentially, the blind hijack attacker is shooting data in the dark, but this method is still very effective

Man-in-the-Browser attack
The Man-in-the-Browser attack is the same approach as Man-in-the-middle attack, but in this case a Trojan Horse is used to intercept and manipulate calls between the main application’s executable (ex: the browser) and its security mechanisms or libraries on-the-fly.
Points of effect:

  • Browser Helper Objects – dynamically-loaded libraries loaded by Internet Explorer upon startup
  • Extensions – the equivalent to Browser Helper Objects for Firefox Browser
  • API-Hooking – this is the technique used by Man-in-the-Browser to perform its Man-in-the-Middle between the executable application (EXE) and its libraries (DLL).
  • Javascript – By using a malicious Ajax worm

Session Sniffing

  • First the attacker uses a sniffer to capture a valid token session called “Session ID”, then he uses the valid token session to gain unauthorized access to the Web Server. 
  • Sniff the victim for the valid session
  • Use the Session ID sniffed from the victim to authenticate with the web server
  • Activate the victim session in your own system 

SSH Downgrade Attack
  • SSH is the most famous example of a downgrade attack where the attacker forces the client and the server to use the insecure SSH1 protocol.
  • The client sends a request to establish a SSH link to the server and asks it for the version it supports The server answers either with:
  • ssh-2.xx The server supports only SSH2
    ssh-1.99 The server supports SSH1 and SSH2
    ssh-1.51 The server supports only SSH1
  •  This attack occurs at the server that supports both SSH1 and SSH2

Thursday, 29 August 2013

Layer 3 (Network Layer) Attack and Mitigation

With the likes of protocols like IP(Internet Protocol) lets us take a look into what Layer 3 Network Layer attacks and their mitigation procedures looks like:

  • IP Spoofing
  • Routing (RIP) Attacks
  • ICMP Attacks
  • PING Flood (ICMP Flood)
  • Ping of Death Attack
  • Teardrop Attack
  • Packet Sniffing

IP Spoofing:
IP Spoofing is changing the source ip address while sending to the destination with some trusted IP. A way to mislead the receiver on the origin of the information sent. Method can be used in Spamming and to perpetrate Denial of Service.
Tools:

  • Engage Packet Builder v2.20 - Scriptable packet builder for Windows
  • HPing v2.0.0 - Command-line oriented TCP/IP packet assembler/analyzer
  • Nemesis v1.4 beta3 - Command-line portable IP stack
  • LSRscan v1.0 - Loose Source Route Scanning Tool
  • Scapy v2.0.0.10 - Interactive packet manipulation tool

Mitigations:

  • Implement Input access-lists; they should filter at the ingress interfaces. 
  • Unicast Reverse Path Forwarding (uRPF) is a common technique used to mitigate source address spoofing by discarding the IP Packets that lack a verifiable IP source address in the IP Routing Table.
  • IP Source Guard is a Layer 2 security feature that prevents IP spoofing attacks by restricting IP traffic on untrusted Layer 2 ports to clients with an assigned IP address.

Routing (RIP) Attack:
Routing Information Protocol (RIP) is used to distribute routing information within networks, such as shortest-paths, and advertising routes out from the local network. The original version of RIP has no built in authentication, and the information provided in a RIP packet is often used without verifying it. An attacker could forge a RIP packet, claiming his host "X" has the fastest path out of the network. All packets sent out from that network would then be routed through X, where they could be modified or examined. An attacker could also use RIP to effectively impersonate any host, by causing all traffic sent to that host to be sent to the attacker's machine instead.
Tools:

  • RPAK (Routing Protocol Attack Kit)- contains tools for RIP, RIP2, IGRP and OSPF.  

Mitigations:

  • The version 2 of RIP was enhanced with a simple password authentication algorithm, which makes RIP attack harder to happen.
  • IPSec VPN provides a way to keep routing information encrypted among the routers implemented the IPsec VPN.

ICMP Attack:
ICMP is used by the IP layer to send one-way informational messages to a host. There is no authentication in ICMP, which leads to attacks using ICMP that can result in a denial of service, or allowing the attacker to intercept packets. An attacker sends forged ICMP echo packets to vulnerable networks' broadcast addresses. All the systems on those networks send ICMP echo replies to the victim, consuming the target system's available bandwidth and creating a denial of service (DoS) to legitimate traffic.
Tools:

  • icmp-reset - Blindly resetting arbitrary TCP connections (icmp-reset.tar.gz)
  • icmp-quench - Blindly reducing the throughput of an arbitrary TCP connections (icmp-quench.tar.gz)
  • icmp-mtu - Blindly reducing the performance of an arbitrary TCP connections (icmp-mtu.tar.gz)

Mitigations:

  • Most ICMP attacks can be effectively reduced by deploying Firewalls at critical locations of a network to filter un-wanted traffic and from any destinations.
  • In addition, to keep a reasonable balance between services and security, you should configure your ICMP parameters in your network devices as follows:
            - Allow ping ICMP Echo-Request outbound and Echo-Reply messages inbound.

            - Allow traceroute TTL-Exceeded and Port-Unreachable messages inbound.
            - Allow path MTU ICMP Fragmentation-DF-Set messages inbound.
            - Blocking other types of ICMP traffic.

PING Flood (ICMP Flood):
PING is one of the most common uses of ICMP which sends an ICMP "Echo Request" to a host, and waits for that host to send back an ICMP "Echo Reply" message. Attacker simply sends a huge number of "ICMP Echo Requests" typically overloading its victim that it expends all its resources responding until it can no longer process valid network traffic.
Tools:

  • Trinoo
  • Tribe Flood Network (TFN)
  • Stacheldraht

Mitigations:

  • The most obvious way to mitigate an ICMP/PING Flood is to block ICMP altogether at perimeter of your network via firewall filters.
  • By limiting the rate at which a single source can send ICMP Packets. This threshold is per second.


Ping of Death Attack:
The principle of ping of death simply involves creating an IP datagram whose total size exceeds the maximum authorized size (65,536 bytes). When such a packet is sent to a system with a vulnerable TCP/IP stack, it will cause the system to crash.
Tools:

  • CPU DEATH PING 2.0

Mitigations:

  • All the recent and latest OS are not vulnerable to this attack.


Teardrop Attack:
The principle of the Teardrop attack involves inserting false offset information into fragmented packets. As a result, during reassembly, there are empty or overlapping fragments that can cause the system to be unstable.
Tools:

  • Nessus API: Packet forgery

Mitigations:

  • A simple reboot is the preferred remedy after this happen.
  • Recent systems are no longer vulnerable to this attack.


Packet Sniffing:
Because most network applications distribute network packets in clear text, a packet sniffing tool can exploit information passed in clear text providing the hacker with sensitive information such as user account names and passwords.
Tools:

  • Wireshark
  • TCPdump

Mitigations:

  • Authentication - Using strong authentication, such as one-time passwords.
  • Cryptography - The most effective method for countering packet sniffers does renders them irrelevant.
  • Switched Infrastructure - Deploy a switched infrastructure to counter the use of packet sniffers in your environment.
  • Anti-sniffer tools - Use these tools to employ software and hardware designed to detect the use of sniffers on a network.

Tuesday, 27 August 2013

Firewall Audit Checklist


No.
Security Elements
Review the rule-sets to ensure that they follow the order as follows:
    • anti-spoofing filters (blocked private addresses, internal addresses appearing from the outside)
    • User permit rules (e.g. allow HTTP to public webserver)
    • Management permit rules (e.g. SNMP traps to network management server)
    • Noise drops (e.g. discard OSPF and HSRP chatter)
    • Deny and Alert (alert systems administrator about traffic that is suspicious)
    • Deny and log (log remaining traffic for analysis)
Firewalls operate on a first match basis, thus the above structure is important to ensure that suspicious traffic is kept out instead of inadvertently allowing them in by not following the proper order.
Application based firewall
Ensure that the administrators monitor any attempts to violate the security policy using the audit logs generated by the application level firewall. Alternatively some application level firewalls provide the functionality to log to intrusion detection systems. In such a circumstance ensure that the correct host, which is hosting the IDS, is defined in the application level firewall.
Ensure that there is a process to update the application level firewall’s vulnerabilities checked to the most current vulnerabilities.
Ensure that there is a process to update the software with the latest attack signatures.
In the event of the signatures being downloaded from the vendors’ site, ensure that it is a trusted site.
In the event of the signature being e-mailed to the systems administrator, ensure that digital signatures are used to verify the vendor and that the information transmitted has not been modified en-route.
The following commands should be blocked for SMTP at the application level firewall:
    • EXPN (expand)
    • VRFY (verify)
    • DEBUG
    • WIZARD
The following command should be blocked for FTP:
  • PUT
Review the denied URL’s and ensure that they are appropriate for e.g. any URL’s to hacker sites should be blocked. In some instances organisations may want to block access to x-rated sites or other harmful sites. As such they would subscribe to sites, which maintain listings of such harmful sites. Ensure that the URL’s to deny are updated as released by the sites that warn of harmful sites.
Ensure that only authorized users are authenticated by the application level firewall.
Stateful inspection
Review the state tables to ensure that appropriate rules are set up in terms of source and destination IP’s, source and destination ports and timeouts.
Ensure that the timeouts are appropriate so as not to give the hacker too much time to launch a successful attack.
For URL’s
    • If a URL filtering server is used, ensure that it is appropriately defined in the firewall software. If the filtering server is external to the organisation ensure that it is a trusted source.
    • If the URL is from a file, ensure that there is adequate protection for this file to ensure no unauthorized modifications.
Ensure that specific traffic containing scripts; ActiveX and java are striped prior to being allowed into the internal network.
If filtering on MAC addresses is allowed, review the filters to ensure that it is restricted to the appropriate MAC’s as defined in the security policy.
Logging
Ensure that logging is enabled and that the logs are reviewed to identify any potential patterns that could indicate an attack.
Patches and updates
Ensure that the latest patches and updates relating to your firewall product is tested and installed.
If patches and updates are automatically downloaded from the vendors’ websites, ensure that the update is received from a trusted site.
In the event that patches and updates are e-mailed to the systems administrator ensure that digital signatures are used to verify the vendor and ensure that the information has not been modified en-route.
Location – DMZ
Ensure that there are two firewalls – one to connect the web server to the internet and the other to connect the web server to the internal network.
In the event of two firewalls ensure that it is of different types and that dual NIC’s are used. This would increase security since a hacker would need to have knowledge of the strengths, weaknesses and bugs of both firewalls.
The rule-sets for both firewalls would vary based on their location e.g. between web server and the internet and between web server and the internal network.
Vulnerability assessments/ Testing
Ascertain if there is a procedure to test for open ports using nmap and whether unnecessary ports are closed.
Ensure that there is a procedure to test the rule-sets when established or changed so as not to create a denial of service on the organisation or allow any weaknesses to continue undetected.
Compliance with security policy
Ensure that the rule-set complies with the organisation security policy.
Ensure that the following spoofed, private (RFC 1918) and illegal addresses are blocked:
Standard unroutables
    • 255.255.255.255
    • 127.0.0.0
Private (RFC 1918) addresses
  • 10.0.0.0 – 10.255.255.255
  • 172.16.0.0 – 172.31.255.255
  • 192.168.0.0 - 192.168.255.255
Reserved addresses
  • 240.0.0.0
Illegal addresses
  • 0.0.0.0
UDP echo
ICMP broadcast (RFC 2644)
Ensure that traffic from the above addresses is not transmitted by the interface.
Ensure that loose source routing and strict source routing (lsrsr & ssrr) are blocked and logged by the firewall.
Port restrictions
The following ports should blocked:
Service
Port Type
Port Number
DNS Zone Transfers except from external secondary DNS servers
TCP

53

TFTP Daemon
UDP
69
Link
TCP
87
SUN RPC
TCP & UDP
111
BSD UNIX
TCP
512 – 514
LPD
TCP
515
UUCPD
TCP
540
Open Windows
TCP & UDP
2000
NFS
TCP & UDP
2049
X Windows
TCP & UDP
6000 – 6255
Small services
TCP & UDP
20 and below
FTP
TCP
21
SSH
TCP
22
Telnet
TCP
23
SMTP (except external mail relays)
TCP
25
NTP
TCP & UDP
37
Finger
TCP
79
HTTP (except to external web servers)
TCP
80
POP
TCP
109 &110
NNTP
TCP
119
NTP
TCP
123
NetBIOS in Windows NT
TCP &UDP
135
NetBIOS in Windows NT
UDP
137 & 138
NetBIOS
TCP
139
IMAP
TCP
143
SNMP
TCP
161 &162
SNMP
UDP
161 &162
BGP
TCP
179
LDAP
TCP &UDP
389
SSL (except to external web servers)
TCP
443
NetBIOS in Win2k
TCP &UDP
445
Syslog
UDP
514
SOCKS
TCP
1080
Cisco AUX port
TCP
2001
Cisco AUX port (stream)
TCP
4001
Lockd (Linux DoS Vulnerability)
TCP &UDP
4045
Cisco AUX port (binary)
TCP
6001
Common high order HTTP ports
TCP
8000, 8080, 8888

Remote access
If remote access is to be used, ensure that the SSH protocol (port 22) is used instead of Telnet.
File Transfers
If FTP is a requirement, ensure that the server, which supports FTP, is placed in a different subnet than the internal protected network.
Mail Traffic
Ascertain which protocol is used for mail and ensure that there is a rule to block incoming mail traffic except to internal mail.
ICMP (ICMP 8, 11, 3)
Ensure that there is a rule blocking ICMP echo requests and replies.
Ensure that there is a rule blocking outgoing time exceeded and unreachable messages.
IP Readdressing/IP Masquerading
Ensure that the firewall rules have the readdressing option enabled such that internal IP addresses are not displayed to the external untrusted networks.
Zone Transfers
If the firewall is stateful, ensure packet filtering for UDP/TCP 53. IP packets for UDP 53 from the Internet are limited to authorized replies from the internal network. If the packet were not replying to a request from the internal DNS server, the firewall would deny it. The firewall is also denying IP packets for TCP 53 on the internal DNS server, besides those from authorized external secondary DNS servers, to prevent unauthorized zone transfers.
Egress Filtering
Ensure that there is a rule specifying that only traffic originating from IP’s within the internal network be allowed. Traffic with IP’s other than from the Internal network are to be dropped.
Ensure that any traffic originating from IP’s other than from the internal network are logged.
Critical servers
Ensure that there is a deny rule for traffic destined to critical internal addresses from external sources. This rule is based on the organisational requirements, since some organisations may allow traffic via a web application to be routed via a DMZ.
Personal firewalls
Ensure that laptop users are given appropriate training regarding the threats, types of elements blocked by the firewall and guidelines for operation of the personal firewall. This element is essential, since often times personal firewalls rely on user prompt to respond to attacks e.g. whether to accept/deny a request from a specific address.
Review the security settings of the personal firewall to ensure that it restricts access to specific ports, protects against known attacks, and that there is adequate logging and user alerts in the event of an intrusion.
Ensure that there is a procedure to update the software for any new attacks that become known.
Alternatively most tools provide the option of transferring automatic updates via the internet. In such instances ensure that updates are received from trusted sites.
Distributed firewalls
Ensure that the security policy is consistently distributed to all hosts especially when there are changes to the policy.
Ensure that there are adequate controls to ensure the integrity of the policy during transfer, e.g. IPSec to encrypt the policy when in transfer.
Ensure that there are adequate controls to authenticate the appropriate host. Again IPSec can be used for authentication with cryptographic certificates.
Stealth Firewalls
Ensure that default users and passwords are reset.
Ensure that the firewall is appropriately configured to know which hosts are on which interface.
Review the firewall access control lists to ensure that the appropriate traffic is routed to the appropriate segments.
A stealth firewall does not have a presence on the network it is protecting and it makes it more difficult for the hacker to determine which firewall product is being used and their versions and to ascertain the topology of the network.
Ensure that ACK bit monitoring is established to ensure that a remote system cannot initiate a TCP connection, but can only respond to packets sent to it.
Continued availability of Firewalls
Ensure that there is a hot standby for the primary firewall.


Monday, 26 August 2013

Router Security Audit Checklist - ISO27001

Questions
Findings
ISO 27001 Control
Standard/Best Practice
Yes
No
Router Policy
Is a router security policy in place?


A.5.1.1
A.11.4.1

Disable Unneeded Services
Are unused interfaces disabled?


A.11.4.4
Unused interfaces on the router should be disabled.
Router(config-if)# shutdown
Is DNS lookups for the router turned off?


A.11.5.4
A.12.6.1
This client service is enabled by default and is not required on most routers.
The following command is used to turn DNS lookup off.
Router(config)#no ip domain-lookup
Is TCP small servers and UDP small servers service disabled on the router? {applicable before Cisco IOS 11.3}


A.12.6.1
These services are rarely used and hence can be disabled. This is disabled by default after Cisco IOS 11.3
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Is Cisco Discovery Protocol disabled on the router?


A.11.4.4
A.12.6.1.
CDP which is used to obtain information such as the ip address, platform type of the neighboring Cisco devices should be disabled on the router if not used by any application.
Router(config)# no cdp run OR
Router(config-if)# no cdp enable
Is the finger service disabled on the router? {applicable before Cisco IOS 11.3}


A.11.4.4
A.11.5.4
A.12.6.1
Unauthorized persons can use the information obtained through this command for reconnaissance attacks. This service should be disabled.
Router(config)#no service finger
Is Bootp server disabled on the routers?


A.11.4.4
A.11.5.4
A.12.6.1
The Bootp server service which is enabled by default allows other routers to boot from this router.
This feature should be disabled on the router as it is rarely used on today’s networks.
The following command is used to disable the service.
Router(config)#no ip bootp server
Is directed broadcast disabled on all interfaces?
{applicable before Cisco IOS 11.3}


A.12.6.1
Directed broadcasts permit a host on one LAN segment to initiate a physical broadcast on a different LAN segment. This feature should be disabled on the router as it could be used in denial-of-service attacks. The following command is used to disable the service.
Router(config-if)#no ip directed-broadcast
Is source routing disabled on the router?


A.12.6.1
Source routing is a feature that allows individual packets to specify routes. This is used in various attacks.
This feature should be disabled on the router.
The following command is used to disable the service.
Router(config)#no ip source-route
Is Proxy ARP disabled on the router?


A.12.6.1
Proxy ARP helps in extending a LAN at layer 2 across multiple segments thereby breaking the LAN security perimeter.
This feature should be disabled on the router.
The following command is used to disable the service on individual interfaces.
Router(config-if)#no ip proxy-arp
Is ICMP redirects disabled on the router?


A.12.6.1
The three ICMP messages that are commonly used by attackers for network mapping and diagnosis are: Host unreachable, ‘Redirect’ and ‘Mask Reply’. Automatic generation of these messages should be disabled on all interfaces, especially those connected to untrusted networks.
The following command is used to disable the service.
Router(config-if)#no ip redirects
Router(config-if)#no ip unreachables
Router(config-if)#no ip-mask reply
Password Encryption
Do passwords appear in encrypted form when viewed at the configuration file?


A.11.5.3
Passwords should appear encrypted when viewed through the configuration file.
The following command is used to implement the same.
Router(config)#service password-encryption
Authentication Settings
Is enable secret used for the router enable mode?


A.11.5.3
The enable secret command should be enabled to implement MD5 hashed password on enable mode.
Router(config)#enable secret password
Does the enable secret password match any other username password; enable password, or the enable secret password of another router in the network?


A.11.5.3
The enable secret password should be unique across each router. If the routers are too many, instead of keeping a single enable secret password for all, the password could be different for routers in different zones.
Is a Message of the Day (MOTD) banner defined?



A.11.5.1
Login banners should be used as a preventive measure against unauthorized access to the routers.
Use the following command to enable a MOTD banner:
Router# config t
Router(config)# banner motd ^
Is the following defined on the console port:
1. Exec-timeout
2. Password



A.11.5.1
A.11.3.1
These parameters should be defined on the console port to reduce the chance of an unauthorized access on the console port.
The following commands can be used to implement the same:
Cisco(config)#line con 0
Cisco(config-line)#exec-timeout 5 0
Cisco(config-line)#password password
Cisco(config-line)#login
Is the aux port disabled?


A.11.4.4
The aux port should be disabled if there is no business need for the same.
Use the following command to disable the aux port:
Router(config)#line aux 0
Router(config-line)#no exec
Is the following defined on the vty lines:
1. Exec-timeout (Yes/No)
2. Password


A.11.5.1
A.11.3.1
These parameter should be defined on the vty port to reduce the chance of an unauthorized access.
Use the following to enable these parameters on the vty lines:
Router(config)#line vty 0 4
Router(config-line)#exec timeout 5 0
Router(config-line)#password password
Router(config-line)#login
Router(config-line)#transport input protocol
Is the vty lines restricted to certain IP Addresses only?


A.11.4.3
If the vty lines use telnet as the transport protocol, it is advisable to restrict access to certain IP Addresses only since telnet transmits data in clear text.
Use the following command to restrict vty access to certain ip addresses:
Router(config)#access-list 50 permit 192.168.1.x (x represents the IP address of the administrator’s machine)
Router(config)#access-list 50 deny any log
Router(config)#line vty 0 4
Router(config-line)#access-class 50 in
According to policy, how often do router passwords (telnet, username, enable) have to be changed?

A.11.5.3
Router passwords need to be changed periodically, typically once every 4-6 months depending on the functionality of the router.
Do the router passwords meet with the required complexity as defined by the policy?


A.11.3.1
All password defined on the router should meet the following criteria:
· Minimum 8 characters in length
· Should be alphanumeric along with special characters (@#$%)
· Should not include organization’s name in it
Is SSH used for the vty lines?


A.12.3.1
SSH is a preferred protocol over Telnet for vty access since it encrypts the data while in transit on the network.
Do any applications use telnet to perform management activities such as backing up configuration?


A.10.6.1
The Telnet protocol transfers data in clear text thereby allowing an intruder to sniff valuable data such as passwords.
As a remedy the following can be done:
· Using secure protocols such as SSH wherever possible
· Restricting access from certain workstations only
· Maintaining strong passwords
Administrator Authentication
Is authentication on the router done through:
· Locally configured usernames and passwords
· TACACS+/RADUIS server

     
     
Is there a documented procedure for creation of users?


A.10.1.1
A.11.2.1
A documented procedure for creation of administrators on the router should exist.
The procedure should address:
· Approval from the department head
· Recording the authorization level given to the new administrator and the duration
Does each router administrator have a unique account for himself/herself?


A.11.2.1
Each router administrator should have a unique account for him/her to maintain accountability.
The following commands can be executed to create unique local usernames on the router:
Router(config)#username username password password
Router(config)#line vty 0 4
Router(config-line)#login local
Is login and logout tracking/command logging for the router administrators through the TACACS+ system enabled?


A.10.10.1
A.10.10.4
A detailed log of every command typed on the router as well as when an administrator logged in or out can be recorded for audit purposes.
Router(config)#aaa accounting exec default start-stop group tacacs+
Router(config)aaa accounting commands 15 default start-stop group tacacs+
Are all user accounts assigned the lowest privilege level that allows them to perform their duties? (Principle of Least Privilege)


A.11.2.2
All user accounts should be assigned the lowest privilege level that allows them to perform their duties.

If multiple administrators exist on the router, each administrator should be given an individual username and password and assigned the lowest privilege levels.
Management Access
Is the http/https Server used for router management?


A.10.6.1
This service allows the router to be monitored or have its configuration modified from the web browser.
If not used, this service should be disabled.
Router(config)#no ip http server
If this service is required, restrict access to the http/https service using access control lists.
Router(config)#ip http access-class 22
Router(config)#access-list 22 permit host mgmt ip
Router(config)#access-list 22 deny any log
Which version of SNMP is used to manage the router?


A.10.6.1
Ideally SNMP version 3 should be used on the router since it introduces authentication in the form of a username and password and offers encryption as well.
Since the SNMP process is enabled by default, it should be disabled if not used.
Router(config)# no snmp-server
Is the SNMP process restricted to certain range of IP Addresses only?


A.10.6.1
A.11.4.3
If SNMP v1 or v2c is used, ACL’s should be configured to limit the addresses that can send SNMP commands to the device. SNMP v1 or v2c uses the community string as the only form of authentication and is sent in clear text across the network.
Router(config)#access-list 67 permit host snmp-server
Router(config)#access-list 67 deny any log
Is the default community strings such as ‘public’ and ‘private’ changed?


A.11.2.3
Default community strings such as ‘public’ and ‘private’ should be changed immediately before bring the router on the network.
How often is the SNMP community string changed?


A.11.3.1
If SNMP v1 or v2c is being used, the SNMP community strings should be treated like root passwords by changing them often and introducing complexity in them.
Is any access list defined restricting the syslog host to receive log messages from the routers only and only administrators’ systems to connect to the log host?


A.11.4.6
     
Is the NTP server service used to synchronize the clocks of all the routers?


A.10.10.6
The NTP service which is disabled by default helps to synchronize clocks between networking devices thereby maintaining a consistent time which is essential for diagnostic and security alerts and log data. However if configured insecurely, it could used to corrupt the time clock of the network devices. To prevent this, restrict which devices have access to NTP.
The service should also be disabled if not used.
Ingress/Egress Filtering
Is RFC 1918 filtering implemented?


A.11.4.7
RFC 1918 addresses are meant to be used for internal networks only and have no reason to be seen on the Internet.
The following access-lists should be implemented on the Internet router:
Router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
Router(config)#access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
Router(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
Router(config)#access-list 101 permit ip any any
Is uRPF enabled on the Cisco router?


A.11.4.7
Unicast Reverse Path Forwarding is an alternative to RFC 2827 filtering.
It can enabled using the following commands:
Router(config-if)#ip verify unicast reverse-path
Route Protocol Security
Is routing protocol message authentication enabled?


A.11.4.7
Message authentication helps prevent the spoofing or modification of a valid routing protocol message.
Configuration Maintenance
How often is the router configurations backed up?



A.10.5.1
Router configurations should be backed up periodically depending on importance and frequency of changes made to the configuration.
Is the backup moved to an off-site/DR site?


A.10.5.1
Backup copies should be maintained off-site for quick recovery during a disaster.
On the system where the configuration files are stored, is the local operating system’s security mechanisms used for restricting access to the files (i.e., the machine should be password enabled and prevent unauthorized individuals from accessing the machine.)?


A.10.5.1
If a file server is used to store configuration files, the files should be restricted to authorized personnel only.
Is the TFTP protocol used to transfer configuration or image files to and from the router?
If yes,
· Is the TFTP process restricted to certain addresses only?
· Is the TFTP service disabled when not in use?


A.10.6.1
The TFTP protocol which is disabled by default transfers files in clear text and hence is unsafe to use.
The TFTP process should be restricted to certain addresses only (management workstations) to reduce the risk. The service should also be disabled when not in use because it allows access to certain files in the router flash.
Is there a documented procedure for backup of router configurations?


A.10.5.1

Router Change Management
Are all router changes and updates documented in a manner suitable for review according to a change management procedure?


A.10.1.2
     
Router Redundancy
Is there a router redundancy in cold standby or hot standby?


A.14.1.3
     
Are disaster recovery procedures for the router/network documented and are they tested?


A.14.1.3
A.14.1.5
     
Log monitoring and Incident Handling
Are all attempts to any port, protocol, or service that is denied logged?


A.13.1.1
     
Is the CPU utilization/memory of the router monitored?


A.10.10.2
     
Is logging to a syslog server enabled on the router?


A.10.10.1
A.13.1.1
Syslog messages allows for easy troubleshooting of the network.
Use the following commands to enable syslog
Router(config)#logging syslog-ip-address
Router(config)#service timestamps log datetime localtime msec show-timezone
Are procedures for audit log review generated by the router documented and followed?


A.10.1.1
     
How often is the router logs (covering administrator access /access control) reviewed?


A.10.10.1
A.10.10.2
A.10.10.5
     
Are reports and analyses carried out based on the log messages?


A.13.2.2
     
What is the course of action to be followed if any malicious incident is noticed?


A.13.2.1
     
Security Updates
Is the network engineer aware of the latest vulnerabilities that could affect the router?


A.6.1.7
A.12.6.1
The network engineer should receive periodic updates on the vulnerabilities and patches affecting the router.