Monday, February 26, 2007

Don'ts for Cisco router p1

Just compiled a list of services I check when I audit a Cisco router. Of course, there are lots more, but for now I will just provide the basics. Enjoy, and email me if there are any questions.

no cdp enable (Disable CDP. It is susceptible to spoofing and DoS. Need a proof of concept? Email me)

no ip unreachables (Disables ICMP unreachable messages)

no ip source-route (Disables source routing)

no service finger (Disables the finger daemon on the router. Finger has always been a problem source: it lets attackers know who is logged in and gives away the user's real username)

no service udp-small-servers (Disables the small UDP services on your router (echo, chargen and some others))

no service tcp-small-servers (Same as udp-small-servers, but for the small TCP services)

no snmp-server (Disable SNMP if it is not in use. SNMP gives up a lot of juicy info when it gets enumerated)

no ip http server (Disables the built-in HTTP web server on the Cisco device)

no service config (Disables loading of remote config files)

no ip bootp server (Disables the bootp server)

no tftp-server (Only enable this if you absolutely need the service; otherwise disable it)

no ip directed-broadcast (Directed broadcasts make smurf attacks possible)

no ip proxy-arp (Disables proxy ARP, which would otherwise extend a LAN across multiple segments)
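To turn the list above into a repeatable check, here is an added example (not from the original post) that audits the text of a `show running-config` against these items. It is a hypothetical script written for this page: the config it reads is a constructed sample, not a real device, and it is conservative by assumption, so a global hardening line that is simply absent is reported for review because IOS defaults differ between versions. Interface-level items (unreachables, directed-broadcast, proxy-arp, cdp enable) are checked in every interface stanza, and a global `no cdp run` (the form the comments below refer to) is accepted in place of per-interface `no cdp enable`. SNMP and TFTP are flagged when configured at all, since the post says to keep them off unless needed.

```python
"""Audit Cisco IOS running-config text against the hardening items in this post."""

# Global (config mode) hardening lines from the post. A missing line is reported;
# whether the service is actually on depends on the IOS version (assumption), so
# read a finding as "confirm and harden", not as a proven exposure.
GLOBAL_CHECKS = [
    "no service finger",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "no ip http server",
    "no service config",
    "no ip bootp server",
    "no ip source-route",
]

# Interface-level hardening lines from the post, checked per interface stanza.
INTERFACE_CHECKS = [
    "no ip unreachables",
    "no ip directed-broadcast",
    "no ip proxy-arp",
    "no cdp enable",
]

# Constructed sample of "show running-config" output; not from a real device.
SAMPLE_CONFIG = """\
! constructed sample config for the audit example
version 12.4
service tcp-small-servers
no service udp-small-servers
no service finger
no ip source-route
ip http server
snmp-server community public RO
tftp-server flash:example-image.bin
!
interface FastEthernet0/0
 description outside
 ip address 192.0.2.1 255.255.255.0
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0/1
 description inside
 ip address 10.0.0.1 255.255.255.0
!
line vty 0 4
 login
!
"""


def parse_config(text):
    """Split config text into global lines and a dict of interface -> stanza lines.

    IOS indents stanza lines with a space and separates sections with '!'."""
    global_lines = []
    interfaces = {}
    current = None  # name of the interface stanza being read, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" "):
            if current is not None:  # indented lines of other stanzas are ignored
                interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return {hardening item: [places where it is missing]} for the given config."""
    global_lines, interfaces = parse_config(text)
    findings = {}
    for check in GLOBAL_CHECKS:
        if check not in global_lines:
            findings.setdefault(check, []).append("global")
    # The post says: SNMP and TFTP off unless needed. Flag any configured instance.
    if any(line.startswith("snmp-server ") for line in global_lines):
        findings.setdefault("no snmp-server", []).append("global")
    if any(line.startswith("tftp-server ") for line in global_lines):
        findings.setdefault("no tftp-server", []).append("global")
    cdp_off_globally = "no cdp run" in global_lines
    for name, lines in interfaces.items():
        for check in INTERFACE_CHECKS:
            if check == "no cdp enable" and cdp_off_globally:
                continue  # global 'no cdp run' covers every interface
            if check not in lines:
                findings.setdefault(check, []).append(name)
    return findings


def report(findings):
    """Render findings as one line per item, e.g. 'no ip proxy-arp: FastEthernet0/1'."""
    return [f"{check}: {', '.join(where)}" for check, where in sorted(findings.items())]


if __name__ == "__main__":
    for line in report(audit(SAMPLE_CONFIG)):
        print(line)
```

On the sample, the outside interface passes every interface-level check while the inside interface fails all four, and the global section is flagged for the TCP small servers, the HTTP server, the configured SNMP community and TFTP server, and the two items it never mentions. Pointing the script at real `show running-config` output replaces `SAMPLE_CONFIG`; nothing else changes.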

6 comments:

Anonymous said...

Hi, I understand the vulnerabilities for no cdp run. But if the router is not facing the internet, would you consider it high risk too? We do maintain cdp run, so that we can do a discover and see if there are any rogue systems plugged in, as in unknown/unauthorised systems. Are there workarounds without the use of cdp?

I would like your comment on syslog levels too. Syslog 4 or 5? 5 consumes a lot of space, but it may have info that is useful for audit trail and forensics. The standard is level 6 I believe, but it is unnecessary.

Anonymous said...

Well, cdp v1 is considered high risk to me if I were to set up a router. CDP is known to be open to DoS attack and I had tested it before. As for a workaround, try CDP v2. Personally, I had not tested it, but you can give it a try.

For syslog, I personally use 6 or 7. But if you would prefer to use 4 or 5, and if you think it consumes a lot of space, make sure there is constant monitoring of space and archiving is performed.

Hackathology

Anonymous said...

I forgot to add something for cdp. I know it is not facing the internet, but if I compromise your external router, I can find out who your neighbors are by issuing show cdp neighbors. Refer to my previous post for the images; I managed to hack the routers and firewall, and what if I issue those commands?

Hackathology

Anonymous said...

Agree that if it is compromised.

But cdp neighbours is a command needed by my network guys. Is there another way they can discover without using cdp? The issues with cdp have long been documented, and company policy does call for it to be turned off. But the impact of turning it off affects their work.

I have to measure up the risk versus the functionality of it to decide if it should be approved or not.

As for syslogging, it is not about monitoring. These are monitored for sure; however, the decision not to log at a certain level means if there is a need to do forensics or a security audit due to an incident, the information may not be complete due to lack of details in the log.

Anonymous said...

Unfortunately, I don't know any other commands other than cdp. You can try show ip route, but you need to figure it out manually.

Hackathology
