
Expert Reference Series of White Papers

How Vulnerable Are Your Cisco IOS Routers?



Carol Kavalla, Global Knowledge Instructor, BS, CCSI, CCDP

Introduction
Security of the network is a top priority for companies. Of course, this would include securing Cisco routers. It may be surprising to some that Cisco routers run many services that could create vulnerabilities. Some of these services are enabled by default. This white paper lists a number of the services that should be disabled and why. Additionally, some best practices for securing your Cisco routers are defined. This is not intended to be an exhaustive listing of all services enabled on Cisco routers that could create vulnerabilities, nor of all best practices for configuring Cisco routers. There are several Cisco security courses that cover this information in depth. Rather, this paper is meant to be a vehicle for discussion regarding the security of Cisco routers.

Services that Are Enabled by Default
The services below are enabled by default (in some cases depending on the version of IOS installed on the router) and should be disabled if not in use.

BOOTP server
This allows a router to act as a BOOTP server for other routers, thereby allowing them to load their operating system over the network from the router acting as the BOOTP server. A hacker could use the BOOTP service to download a copy of the router's IOS software. The tools for this type of attack are available on the Internet. If not required, the BOOTP service should be disabled. The following global command can be used to disable BOOTP: no ip bootp server.

Cisco Discovery Protocol (CDP)
Cisco Discovery Protocol is used to obtain information about directly connected Cisco neighbors. The information gleaned from CDP includes IP addresses, hardware model information, and operating system version. This feature could allow a hacker to gain information about the configuration of the device and of the network infrastructure. If not needed, it should be disabled globally or on an interface-by-interface basis. CDP can be disabled globally with the no cdp run command and on the interface with the no cdp enable command. CDP needs to be enabled when using Cisco IP phones. If it has been disabled globally on the switch, it can be enabled on the interface using the cdp enable command. There are several known attacks on the Cisco IP Phone CDP feature, so each network administrator must weigh that risk against the obvious benefits of CDP in supporting Cisco IP Telephony solutions.

Copyright 2009 Global Knowledge Training LLC. All rights reserved.

HTTP Configuration and Monitoring
The default setting for this service is device-dependent. HTTP service allows the router to be monitored or configured from a web browser. HTTP is a clear-text protocol and is vulnerable to various packet-capture methods. A hacker could monitor network traffic and capture authentication usernames and passwords. This issue is made more serious when the enable password is used for authentication because this knowledge would give the attacker full administrative access to the device. Once usernames and passwords have been captured, it is simply a matter of using the credentials to log into the router. If not required, the HTTP service should be disabled. If web access to the device is required, consider using HTTPS or Secure Shell (SSH). The encrypted HTTPS and SSH services may require an IOS or hardware upgrade. The HTTP service can be disabled with the following IOS global command: no ip http server.

Domain Name System (DNS)
By default, Cisco routers broadcast name requests to 255.255.255.255. A hacker who is able to capture network traffic could monitor DNS queries from the Cisco router. Domain lookups can be disabled with the following global command: no ip domain-lookup.

Packet Assembler / Disassembler (PAD)
The Packet Assembler / Disassembler service enables X.25 connections between network systems. The PAD service is enabled by default on most Cisco IOS devices, but it is only required if support for X.25 links is necessary. Running unused services increases the chances of a hacker finding a security hole or compromising a device. The PAD service can be disabled with the following global configuration: no service pad.


Internet Control Message Protocol (ICMP) Redirects
When ICMP redirects are enabled, the router sends an ICMP redirect message whenever it is forced to resend a packet through the same interface on which it was received. By sending ICMP redirects, a hacker can redirect packets to an untrusted device. To stop ICMP redirects, use the following interface command: no ip redirects. This needs to be done on all interfaces.

IP Source Routing
IP source routing is a feature whereby a network packet can specify how it should be routed through the network. IP source routing can allow a hacker to specify a route for a network packet to follow, possibly to bypass a firewall or an Intrusion Detection System (IDS). A hacker could also use source routing to capture network traffic by routing it through a system controlled by the attacker. A hacker would have to control either a routing device or an end-point device in order to modify a packet's route through the network. However, tools are available on the Internet that would allow a hacker to specify source routes. Tools are also available to modify network routing using vulnerabilities in some routing protocols. This feature can be disabled using the global command: no ip source-route.

Finger Service
The finger service lets anyone who can reach the router learn who is logged into it, and thereby discover valid login names. The information it exposes includes the processes running on the system, the line number, connection name, idle time, and terminal location; it is the same information provided by the Cisco IOS software show users EXEC command. Unauthorized persons can use this information for reconnaissance attacks. The service can easily be disabled using the global command no service finger or no ip finger (depending on the version of code), which keeps the router from replying to finger requests. In addition to this command, an inbound access list that blocks port 79 should be applied.

Proxy ARP
This feature configures the router to act as a proxy for Layer 2 address resolution when hosts have no default gateway configured. When a host sends an ARP request for a remote system, the router responds with its own MAC address as the one to use. When DHCP is being used, there is no need to have Proxy ARP enabled. Attackers may be able to spoof packets and gather information about your router and your network. Proxy ARP can be disabled on the interface with the following command: no ip proxy-arp.


IP Directed Broadcast
This is enabled by default prior to Cisco IOS software Release 12.0 and disabled by default in release 12.0 or later. IP-directed broadcasts are used in the smurf denial of service (DoS) attack and other related attacks.

Services that Are Disabled by Default

Configuration Auto-loading and FTP Server
The FTP server enables you to use your router as an FTP server for FTP client requests. Because it allows access to certain files in the router's Flash memory, this service should remain disabled when it is not required. Auto-loading of configuration files from a network server should likewise remain disabled when not in use by the router.

TFTP Server
The TFTP server enables you to use your router as a TFTP server for TFTP clients. It allows access to certain files in your Flash memory. This service should remain disabled if not required.

Network Time Protocol (NTP)
When enabled, the router acts as a time server for other network devices. If configured insecurely, NTP can be used to corrupt the router clock and, potentially, the clocks of other devices that learn time from the router. Correct time is essential for proper time stamps on IPsec encryption services, log data, and diagnostic and security alerts. If this service is used, restrict which devices have access to NTP.

ICMP Mask Reply
When enabled, this service tells the router to respond to ICMP mask requests by sending ICMP mask reply messages containing the interface IP address mask. This information can be used to map the network, and this service should be explicitly disabled on interfaces to untrusted networks.

TCP keepalives
TCP keepalives help terminate TCP connections whose remote host has rebooted or otherwise stopped processing TCP traffic. Such connections become orphaned, and a hacker could attempt a DoS attack against a Cisco router by exhausting the number of possible connections. TCP keepalives should be enabled globally to confirm that a remote connection is still valid and, if not, terminate the orphaned connection. This is configured from global configuration mode with service tcp-keepalives-in.

Additional Security Issues
In addition to the services listed above, the following security issues should be considered when configuring a Cisco router.


Router Interfaces
Unused router interfaces should be disabled to limit unauthorized access to the router and to the network.

Connection Timeout
Connection timeouts can be configured for console ports, auxiliary ports, and VTY lines. If an administrator does not correctly terminate a session, it will automatically close after the timeout expires. However, if no timeout is configured, or a long timeout is configured, an unauthorized user may be able to gain access using the administrator's still-open session. The attacker would have to gain physical access to the device to use the console port. A default timeout of 10 minutes is configured on the router console port.

Software Version
It is extremely important that software be regularly maintained with patches and upgrades in order to help mitigate the risk of a hacker exploiting a known software vulnerability.

Auxiliary Port
The auxiliary port's primary purpose is to provide remote administration capability: it can allow a remote administrator to use a modem to dial into the Cisco device. If not in use, the auxiliary port EXEC should be disabled with the no exec command under the aux line. If the auxiliary port is required for remote administration, the callback feature can be configured to dial a specific preconfigured telephone number for additional security.

Minimum Password Length
Cisco introduced an option with IOS version 12.3(1) that forces user, enable, secret, and line passwords to meet a minimum length. This setting was introduced to help prevent the use of short passwords. With a small minimum password length configured, it is possible for a short password to be used. If a hacker were able to obtain a password through a dictionary attack or by a brute-force method, the attacker could gain a level of access to the router. This is made more serious by the fact that a number of dictionary-based password-guessing and password brute-force tools are available on the Internet. A minimum password length can be enforced with the following command: security passwords min-length <length>.

Service Password Encryption
Cisco service passwords are stored by default in their clear-text form rather than being encrypted. If a malicious user were to see a Cisco configuration that contained clear-text passwords, they could use those passwords to access the device. The Cisco password encryption service should therefore be enabled; it is started with the following global command: service password-encryption. Even though these passwords can be easily decrypted with tools available on the Internet, they are still more secure than clear-text passwords. In addition, the encryption prevents an unauthorized person from looking over an administrator's shoulder and reading the passwords in clear text.
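The checks in the two service sections and in the connection-timeout, auxiliary-port and password items above can be run mechanically against a saved configuration. The Python script below is an added example for this paper; it is not Global Knowledge's or Cisco's code. It assumes the text was captured with show running-config, so a service only counts as disabled when its disabling command appears explicitly (IOS omits default settings from the running-config, which makes the audit deliberately conservative). The interface commands no ip mask-reply and no ip directed-broadcast and the ntp access-group check are real IOS syntax that the paper does not quote; the 10-character minimum-length threshold is the example's own assumption, since the paper gives no number. The sample configuration is constructed for the demonstration.

```python
"""Audit a captured Cisco IOS 'show running-config' against the hardening items in this paper.
Added example, not Global Knowledge's or Cisco's code; a service only counts as disabled when
its disabling command is explicit, because IOS hides default settings in the running-config."""

# Constructed sample running-config for the demonstration (not captured from a real device).
SAMPLE_CONFIG = """\
service tcp-keepalives-in
no service pad
service password-encryption
security passwords min-length 6
ip finger
no ip bootp server
no ip domain-lookup
ip http server
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
interface FastEthernet0/1
 shutdown
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no ip mask-reply
 no ip directed-broadcast
ntp master 3
line con 0
 exec-timeout 5 0
line aux 0
 exec-timeout 0 0
line vty 0 4
"""

# Global services from the paper: name, commands that show it on, commands that turn it off
# (an empty "off" tuple means the service is off by default and must simply be absent).
GLOBAL_SERVICES = [
    ("BOOTP server", ("ip bootp server",), ("no ip bootp server",)),
    ("CDP", ("cdp run",), ("no cdp run",)),
    ("HTTP server", ("ip http server",), ("no ip http server",)),
    ("DNS lookups", ("ip domain-lookup", "ip domain lookup"), ("no ip domain-lookup", "no ip domain lookup")),
    ("PAD", ("service pad",), ("no service pad",)),
    ("IP source routing", ("ip source-route",), ("no ip source-route",)),
    ("finger", ("service finger", "ip finger"), ("no service finger", "no ip finger")),
    ("FTP server", ("ftp-server enable",), ()),
    ("TFTP server", ("tftp-server",), ()),
]
# Per-interface protections; 'no ip mask-reply' and 'no ip directed-broadcast' are real IOS
# syntax but are not quoted in the paper.
INTERFACE_COMMANDS = ("no ip redirects", "no ip proxy-arp", "no ip mask-reply", "no ip directed-broadcast")
MUST_BE_PRESENT = ("service tcp-keepalives-in", "service password-encryption")
MIN_PASSWORD_LENGTH = 10  # assumed audit threshold; the paper does not give a number

def parse_config(text):
    """Split the config into unindented global commands and indented interface/line sections."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current, sections[line] = line, []
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    glob, sections = parse_config(text)
    # A command matches when it is the whole line or the line's leading keywords.
    has = lambda cmds: any(g == c or g.startswith(c + " ") for g in glob for c in cmds)
    findings = []
    for name, on_cmds, off_cmds in GLOBAL_SERVICES:
        if has(on_cmds):
            findings.append(f"global: {name} is explicitly enabled")
        elif off_cmds and not has(off_cmds):
            findings.append(f"global: {name} not explicitly disabled ({off_cmds[0]})")
    findings.extend(f"global: '{cmd}' missing" for cmd in MUST_BE_PRESENT if not has((cmd,)))
    mins = [int(g.split()[-1]) for g in glob if g.startswith("security passwords min-length ")]
    if not mins or mins[0] < MIN_PASSWORD_LENGTH:
        findings.append(f"global: minimum password length {mins[0] if mins else 'not set'} "
                        f"(audit threshold {MIN_PASSWORD_LENGTH})")
    if has(("ntp master", "ntp server")) and not has(("ntp access-group",)):
        findings.append("global: NTP in use without an 'ntp access-group' restriction")
    for header, body in sections.items():
        if header.startswith("interface "):
            if "shutdown" in body:  # unused interfaces are expected to be shut down
                continue
            findings.extend(f"{header}: missing '{cmd}'" for cmd in INTERFACE_COMMANDS if cmd not in body)
        else:  # line con / aux / vty
            timeouts = [b for b in body if b.startswith("exec-timeout")]
            if not timeouts:
                findings.append(f"{header}: exec-timeout not explicitly set (IOS default applies)")
            elif timeouts[0].split()[1:] in (["0"], ["0", "0"]):
                findings.append(f"{header}: exec-timeout 0 disables the idle timeout")
            if header.startswith("line aux") and "no exec" not in body:
                findings.append(f"{header}: EXEC still enabled; add 'no exec' if the port is unused")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run against the constructed sample, the audit reports the HTTP and finger services as explicitly enabled, CDP and source routing as not explicitly disabled, the short minimum password length, the unrestricted NTP server, the three missing protections on FastEthernet0/0 (the shut-down FastEthernet0/1 is skipped and Serial0/0 passes), the disabled idle timeout and live EXEC on the aux line, and the VTY lines relying on the IOS default timeout. Because defaults are invisible in the running-config, a "not explicitly disabled" finding is a prompt to confirm the state on the device for that IOS version, not proof that the service is running.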

Summary
All of the potential vulnerabilities listed in this paper can be real threats to Cisco routers. An awareness of these threats will be instrumental in securing your Cisco routers. Again, this was not intended to be an exhaustive listing of all services enabled on Cisco routers that could create vulnerabilities, nor of all best practices for configuring Cisco routers. The intent of this paper has been for it to be a vehicle for discussion regarding the security of those routers.

Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:
CCNA Boot Camp v2.0
ISCW Implementing Secure Converged Wide Area Networks
IINS Implementing Cisco IOS Unified Communications
CCDA Boot Camp
For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.

About the Author
Carol Kavalla's background includes teaching at Rockland Community College in New York, managing networks, and consulting for the NYS Small Business Development Center. For the last eight and a half years Carol has taught for Global Knowledge and is certified to teach nine Cisco courses: ICND1, ICND2, CCDA, BSCI, BCMSN, TCN, ICMI, BGP and ARCH. She also has a consulting firm in Charleston, South Carolina, where she works with small companies (100-200 nodes) installing and configuring routers and switches and troubleshooting network problems.
