
Auditing CISCO Routers

31st Annual Computer Security Conference and Exhibition


Copyright 2004, Technology Pathways, LLC

Purpose of this Presentation

Introduce administrators to:
- Key Cisco IOS security features
- AAA (Authentication, Authorization and Accounting)
- Secure audit log features
- Preserving volatile information
- Collecting forensic evidence from Cisco routers

Christopher L. T. Brown, CISSP, CCNA, CCDA

Founder and CTO of Technology Pathways, LLC.
Provides security-focused software and services:
- ProDiscover family of computer forensics and IR software
- Corporate computer forensics and incident response support
- Digital discovery in support of litigation
- Risk analysis and vulnerability assessment

Agenda

- Router Architecture (review)
- Planning & Configuration
- Key Security Features
- Cisco AAA (Authentication, Authorization and Accounting)
- Logging
- Collecting Volatile Information / Router Forensics
- Resources

Router Architecture (review)


Router architecture (1)

Hardware (model dependent):
- Motherboard, CPU, memory, bus, I/O interfaces
- Can become complex in higher-end models: passive backplanes (multi-CPU), ASICs, etc.

Router architecture (2)

The key point for audit and forensics is the memory configuration:
- Flash (non-volatile): contains the (compressed) IOS image and other files
- DRAM/SRAM (volatile): contains the running IOS; also holds the routing table(s), statistics, local logs and other state that is lost on power-off or reload
- NVRAM (non-volatile): contains the startup configuration (boot config)
- Boot ROM: contains code for POST, IOS loading, etc.

Planning & Configuration


Plan to Audit

Two thoughts:
- In order to audit a log you must first have a log.
- In order to trust the log you must secure the log.

Plan to Audit (2)

- Most information available from a router for audit/forensics is volatile.
- To enable audit/forensics: plan, configure, and log externally.

Planning & Configuration

- Keep IOS current (general deployment images)
- Regularly check Cisco security advisories
- Harden your routers
- Manage access
- Set and maintain time (NTP)

Key Security Features


Features

- AAA (Authentication, Authorization and Accounting)
- Security protocols
- Traffic filtering and firewalling
- IPSEC and encryption

AAA

- Authentication: identify users
- Authorization: access control (what an authenticated user may do)
- Accounting: collection and logging of what was done

AAA (2)

- Authentication can also happen locally, outside AAA (line and enable passwords, local usernames).
- RADIUS, Kerberos and TACACS+ are the protocols AAA uses to reach external authentication servers.
- As you may suspect, AAA provides much finer control over authentication, authorization and accounting than local passwords do.

Security Protocols

RADIUS, Kerberos and TACACS+ allow integration with external directories and authentication methods:
- Active Directory
- LDAP
- Multi-factor (SecurID tokens, etc.)

Traffic Filtering & Firewalling

- Understanding access lists is the cornerstone of IOS security.
- Stateful packet inspection (the IOS Firewall feature set) is available in many IOS images.

IPSEC & Encryption

- Normally an IOS option (requires a crypto-capable IOS image)
- CET (Cisco Encryption Technology): provides encryption of data and/or payload; can work with CAs

Hardening & Security

Complete hardening and security is beyond the scope of this presentation. The three best references:
- Hardening Cisco Routers, Thomas Akin, O'Reilly
- Essential IOS Features Every ISP Should Consider, v2.9, Cisco: http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip
- National Security Agency, Router Security Configuration Guide: http://nsa2.www.conxion.com/cisco

Logging


Logging

As in any system, logging is always a balance between:
- Information overload (more than anyone will review)
- Resource overload (CPU, memory and bandwidth spent producing and shipping logs)

Six Ways to Log

1. Console logging: screen only
2. Buffered logging: RAM (FIFO, lost on reload)
3. Terminal logging: sent to vty sessions (terminal monitor)
4. Syslog: central log server
5. SNMP traps: to an SNMP console
6. AAA accounting: network connections and command/EXEC access

Time

- In forensics, correlating timelines across devices is of the utmost importance.
- Manage router time settings (synchronise the clock with NTP).
- Set detailed time stamps with:

  Router(config)# service timestamps log datetime msec localtime show-timezone

localtime prints the configured local zone; show-timezone makes that zone explicit in every entry, which is what keeps entries from routers in different zones comparable. Keeping router clocks in UTC avoids the ambiguity altogether.

Logging levels

Eight severity levels, 0 (emergencies) through 7 (debugging). Setting a level on a destination logs that severity and everything more severe, so 7 means everything. The level may be given by number or by name:

  Router(config)# logging console 7
  Router(config)# logging console debugging

Leave console logging at debug only while troubleshooting: the console is a slow serial line, and a flood of debug output there can stall the router.

Syslog

- Centralized logs
- Key to enterprise management
- If you are locked out of the router, this may be the only audit trail

Router Security Audit Logs

- Introduced in IOS 12.2(18)S
- Tracks changes via syslog messages and a hash for: running version, hardware configuration, file system, startup config and running config

Router Security Audit Logs (2)

Summary steps:
1. enable
2. configure terminal
3. audit filesize <size>
4. audit interval <seconds>
5. exit
6. show audit

Netflow Data

Can provide detailed information for:
- Network traffic accounting
- Usage-based network billing
- Network planning
- Denial of Service (DDoS) monitoring

Very resource intensive on both ends (the exporting router and the collector).
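Added example, not from the original deck: a decoder for the NetFlow version 5 export format that IOS routers of this era send to a collector (24-byte header, then 48-byte records, network byte order), followed by the simplest DDoS check the slide alludes to: a destination receiving SYN-only, one-packet flows from many distinct sources. The datagrams are constructed in-line with `build_v5()`, which exists only to make sample input; the 50-source threshold, the addresses and the 30-records-per-datagram packing are assumptions for the example.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format: 24-byte header, then `count` 48-byte records, big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_v5(datagram):
    """Decode one export datagram; ValueError on a wrong version or a truncated packet."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: fewer records than the header claims")
    flows = []
    for n in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + n * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "pkts": r[5], "octets": r[6], "sport": r[9], "dport": r[10],
                      "tcp_flags": r[12], "proto": r[13]})
    header = {"count": count, "unix_secs": secs, "flow_sequence": seq,
              "sampling_interval": sampling & 0x3FFF}  # low 14 bits; top 2 bits are the mode
    return header, flows


def syn_flood_targets(flows, min_sources=50):
    """(dst, dport) -> number of distinct sources sending SYN-only, tiny TCP flows to it."""
    sources = defaultdict(set)
    for f in flows:
        syn_only = f["tcp_flags"] & TCP_SYN and not f["tcp_flags"] & TCP_ACK
        if f["proto"] == 6 and syn_only and f["pkts"] <= 2:
            sources[(f["dst"], f["dport"])].add(f["src"])
    return {k: len(v) for k, v in sources.items() if len(v) >= min_sources}


def build_v5(flows, seq):
    """Encode flows as a v5 datagram (used here only to construct sample input)."""
    recs = b"".join(V5_RECORD.pack(
        socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0\0\0\0", 1, 2,
        f["pkts"], f["octets"], 1000, 1000, f["sport"], f["dport"],
        0, f["tcp_flags"], f["proto"], 0, 0, 0, 24, 24, 0) for f in flows)
    return V5_HEADER.pack(5, len(flows), 123456, 1078135200, 0, seq, 0, 0, 0) + recs


def sample_datagrams():
    """Constructed export: 60 spoofed SYNs to 192.0.2.10:80 plus three ordinary flows."""
    syns = [{"src": f"203.0.113.{i}", "dst": "192.0.2.10", "pkts": 1, "octets": 40,
             "sport": 1024 + i, "dport": 80, "tcp_flags": TCP_SYN, "proto": 6}
            for i in range(1, 61)]
    normal = [{"src": "192.0.2.10", "dst": "198.51.100.5", "pkts": 120, "octets": 98000,
               "sport": 80, "dport": 40021, "tcp_flags": 0x1b, "proto": 6},
              {"src": "198.51.100.5", "dst": "192.0.2.10", "pkts": 80, "octets": 6000,
               "sport": 40021, "dport": 80, "tcp_flags": 0x1b, "proto": 6},
              {"src": "192.0.2.53", "dst": "192.0.2.10", "pkts": 1, "octets": 90,
               "sport": 53, "dport": 33000, "tcp_flags": 0, "proto": 17}]
    # a v5 exporter packs at most 30 records into one datagram
    return [build_v5(syns[:30], 1), build_v5(syns[30:], 2), build_v5(normal, 3)]


def analyse(datagrams):
    """Decode every datagram and return (all flows, suspected SYN-flood targets)."""
    flows = []
    for d in datagrams:
        _, recs = parse_v5(d)
        flows.extend(recs)
    return flows, syn_flood_targets(flows)


if __name__ == "__main__":
    flows, targets = analyse(sample_datagrams())
    print(f"{len(flows)} flows decoded; suspected SYN-flood targets: {targets}")
```

A real collector would read the datagrams from the UDP port configured with ip flow-export; the parser is the same. Note that with sampled NetFlow the source count is a lower bound, so the threshold should be scaled by the sampling interval the header reports.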

Netflow Charting

- F.L.A.V.I.O. is a GPL'ed data grapher for NetFlow data: http://sourceforge.net/projects/flavio/
  - Takes flows from Cisco and Juniper routers among others, or from Unix servers running ntop with the NetFlow export plugin
  - Uses a MySQL backend and is written entirely in Perl (much like MRTG)
- Flow Tools: http://www.net.ohiostate.edu/software/ ; Review and TCP-Shatter
- NARUS: http://www.narus.com/

Logging checklist

- Actively monitor logs
- Configure logging timestamps
- Enable RAM buffered logging
- Enable logging sequence numbers
- Use a syslog server for centralization
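The checklist asks for timestamps, sequence numbers and a central syslog server; the following Python script, added for this page and not part of the original deck, shows what an auditor gets from those settings once the lines reach the collector. It parses IOS syslog lines, reports gaps in the sequence numbers (messages lost in transit or dropped from the buffer), a counter reset (a reload), timestamps the router itself marks as unauthoritative (IOS prefixes a `*` when the clock was never set and a `.` when NTP synchronisation was lost), configuration changes and failed logins. The log lines are constructed for the example and use documentation address ranges.

```python
import re
from dataclasses import dataclass

# One IOS syslog line as received by a collector, assuming the router has
# "service sequence-numbers" and "service timestamps log datetime msec
# show-timezone" configured:  <PRI>SEQ: [*|.]TIMESTAMP: %FACILITY-SEV-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"
    r"(?P<seq>\d+): "
    r"(?P<clockflag>[*.]?)"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3} [A-Z]+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)

# Constructed sample: two admin events, a gap, then a reload with an unsynchronised clock.
SAMPLE_LOG = """\
<189>41: Mar  1 10:02:11.004 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
<189>42: Mar  1 10:02:30.117 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10] [localport: 22]
<188>45: Mar  1 10:05:02.900 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed]
<189>1: *Mar  1 00:00:07.555 UTC: %SYS-5-RESTART: System restarted --
<189>2: *Mar  1 00:00:09.010 UTC: %SYS-5-CONFIG_I: Configured from memory by console
"""


@dataclass(frozen=True)
class Finding:
    seq: int
    kind: str
    detail: str


def parse_line(line):
    """Return the fields of one IOS syslog line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["seq"] = int(fields["seq"])
    fields["sev"] = int(fields["sev"])
    return fields


def audit_syslog(text):
    """Walk the log in arrival order and return the findings an auditor should review."""
    findings = []
    prev_seq = None
    for raw in text.splitlines():
        e = parse_line(raw)
        if e is None:
            findings.append(Finding(-1, "unparsed", raw[:80]))
            continue
        seq = e["seq"]
        if prev_seq is not None:
            if seq < prev_seq:
                findings.append(Finding(seq, "sequence-reset",
                    f"counter restarted after {prev_seq}: router reloaded or logging reconfigured"))
            elif seq > prev_seq + 1:
                findings.append(Finding(seq, "sequence-gap",
                    f"{seq - prev_seq - 1} message(s) missing ({prev_seq + 1}-{seq - 1})"))
        prev_seq = seq
        if e["clockflag"] == "*":
            findings.append(Finding(seq, "clock-unauthoritative",
                "clock never set; timestamp cannot be correlated with other devices"))
        elif e["clockflag"] == ".":
            findings.append(Finding(seq, "clock-lost-sync",
                "NTP synchronisation lost; treat timestamp with care"))
        if e["mnem"] == "CONFIG_I":
            findings.append(Finding(seq, "config-change", e["text"]))
        if e["fac"] == "SEC_LOGIN" and e["mnem"] == "LOGIN_FAILED":
            findings.append(Finding(seq, "auth-failure", e["text"]))
    return findings


if __name__ == "__main__":
    for f in audit_syslog(SAMPLE_LOG):
        print(f"seq {f.seq:>6}  {f.kind:<22} {f.detail}")
```

The sequence-number check is the reason the checklist asks for them: without them a dropped syslog datagram (UDP) leaves no trace at all, and after a reload the counter starting again at 1 is itself evidence worth noting.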

Collecting Volatile Information/Router Forensics


Volatile Information

- Capturing volatile router information is essential in incident response.
- Some may choose to add capturing volatile router information to the regular audit process.

Router Show Commands

Run these in order, capturing the whole session (terminal logging or a script of the console) so the output itself becomes evidence. Use read-only show commands only: no reload and no write memory, so volatile state and any unsaved running configuration are preserved. Disable paging first with "terminal length 0" so nothing is lost to --More-- prompts.

# show clock detail
# show ntp status
# show ntp associations
# show version
# show running-config
# show startup-config
# show reload

Router Show Commands (2)

# show ip route
# show ip arp
# show users
# show logging
# show interfaces
# show ip interface

Router Show Commands (3)

# show access-lists
# show tcp brief all
# show ip sockets
# show ip nat translations verbose
# show ip cache flow
# show ip cef

Router Show Commands (4)

# show snmp users
# show snmp groups
# show clock detail (repeated deliberately, so the collection is bracketed by the router's own clock)

The captured running-config contains password hashes, reversible type 7 passwords and SNMP community strings: handle the bundle as sensitive evidence.
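The collection order above as a script. This is an added example written for this page, not CREED or any Cisco code. `collect()` takes a `send(command) -> output` callable so that the same logic runs over a real console session (for instance pyserial on the console port, or an expect-style wrapper) or, as here, over a constructed stand-in with canned output; it disables paging, runs the read-only show commands in order, records the collection time and a SHA-256 of every output, and seals the bundle with a manifest hash so later alteration is detectable. `config_drift()` then lists unsaved differences between running-config and startup-config, one of the first things an investigator wants to know. All canned outputs, hostnames and addresses are made up for the example.

```python
import difflib
import hashlib
import json
from datetime import datetime, timezone

# Read-only commands in the order given on the slides. The collection starts and
# ends with "show clock detail" so the bundle carries the router's own clock at
# both ends; nothing here writes memory or reloads.
SHOW_COMMANDS = [
    "show clock detail", "show ntp status", "show ntp associations", "show version",
    "show running-config", "show startup-config", "show reload",
    "show ip route", "show ip arp", "show users", "show logging",
    "show interfaces", "show ip interface", "show access-lists",
    "show tcp brief all", "show ip sockets", "show ip nat translations verbose",
    "show ip cache flow", "show ip cef", "show snmp users", "show snmp groups",
    "show clock detail",
]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def collect(send, commands=SHOW_COMMANDS, now=None):
    """Run each command through send(cmd) -> str and return a hashed evidence manifest."""
    now = now or (lambda: datetime.now(timezone.utc).isoformat())
    send("terminal length 0")          # disable --More-- paging so output is complete
    items = []
    for cmd in commands:
        started = now()
        output = send(cmd)
        items.append({"command": cmd, "collected_at_utc": started,
                      "sha256": sha256_hex(output), "output": output})
    return {"items": items, "manifest_sha256": sha256_hex(json.dumps(items, sort_keys=True))}


def verify(manifest):
    """Recompute every hash; False if any output or the manifest itself was altered."""
    items = manifest["items"]
    if any(sha256_hex(i["output"]) != i["sha256"] for i in items):
        return False
    return sha256_hex(json.dumps(items, sort_keys=True)) == manifest["manifest_sha256"]


def config_drift(manifest):
    """Lines present only in the running config (unsaved changes) or only in startup."""
    by_cmd = {i["command"]: i["output"] for i in manifest["items"]}
    startup = by_cmd["show startup-config"].splitlines()
    running = by_cmd["show running-config"].splitlines()
    diff = difflib.unified_diff(startup, running, "startup-config", "running-config",
                                n=0, lineterm="")
    return [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


# Constructed stand-in for a console session; every output below is made up.
CANNED = {
    "show version": "Cisco IOS, C2600 Software, Version 12.3(6)\nuptime is 3 days, 2 hours\n",
    "show running-config": "hostname edge-rtr-1\nlogging 192.0.2.50\nip http server\n"
                           "line vty 0 4\n transport input telnet ssh\n",
    "show startup-config": "hostname edge-rtr-1\nlogging 192.0.2.50\n"
                           "line vty 0 4\n transport input ssh\n",
    "show users": "    Line   User   Host(s)   Idle       Location\n"
                  "*  0 con 0        idle      00:00:00\n"
                  " 130 vty 0 admin  idle      00:04:12   192.0.2.10\n",
}


class FakeConsole:
    """Records what was sent and answers from CANNED; the clock advances between calls."""
    def __init__(self):
        self.sent = []

    def __call__(self, cmd):
        self.sent.append(cmd)
        if cmd == "show clock detail":
            return ("10:07:41.220 UTC Mon Mar 1 2004\nTime source is NTP\n"
                    if self.sent.count(cmd) == 1 else
                    "10:09:03.551 UTC Mon Mar 1 2004\nTime source is NTP\n")
        return CANNED.get(cmd, f"(constructed: no canned output for '{cmd}')\n")


if __name__ == "__main__":
    console = FakeConsole()
    manifest = collect(console)
    print(f"{len(manifest['items'])} items, manifest {manifest['manifest_sha256'][:16]}...,"
          f" verified={verify(manifest)}")
    for line in config_drift(manifest):
        print("drift:", line)
```

Write the manifest to removable media and record its hash in the case notes; `verify()` is what you run when the bundle is handed over or produced later.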

Automated Audits and Forensics


Two Tools

Router Audit Tool (RAT)
- Perl, multi-platform (Windows & UNIX)
- Audit focused

CREED (Cisco Router Evidence Extraction Disk)
- Bootable Linux floppy
- Incident response & forensics focused

Router Audit Tool (1)

- Primarily a means of automating audits
- A Perl script that consolidates four other Perl programs:
  - snarf: downloads the router config files
  - ncat: reads the rule config files and evaluates them against the downloaded configs
  - ncat_report: creates the HTML reports
  - ncat_config: localizes the rules to your site

Router Audit Tool (2)

When run, provides an HTML report including:
- Rule-by-rule scoring against the baseline
- Links to rule documentation (for every rule checked, pass or fail)
- Summary
- Fix script to correct any issues found (use with caution: review every command before applying it, since a fix such as enabling AAA or restricting vty access can lock you out if pushed blindly)

Router Audit Tool (3)
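An added illustration of what RAT does in its ncat step, written for this page and not RAT's own code or rule set: a handful of rules of the kind found in the CIS benchmark and the NSA guide (log timestamps, sequence numbers, buffered and remote logging, password encryption, AAA, NTP, no HTTP server, SSH-only vty lines) are checked against a running-config, scored, and turned into a fix script. The rule set, the sample config and the 192.0.2.50 syslog/NTP server address are assumptions for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str            # regex tested against each config line in scope
    required: bool          # True: some line must match; False: no line may match
    fix: str                # IOS command(s), one per line, that correct a failure
    scope: str = "global"   # "global", or a regex matched against section headers ("line vty 0 4")


# Illustrative rules in the spirit of the CIS benchmark and NSA guide; not RAT's shipped rules.
RULES = [
    Rule("log-timestamps", r"^service timestamps log datetime msec", True,
         "service timestamps log datetime msec localtime show-timezone"),
    Rule("log-sequence-numbers", r"^service sequence-numbers$", True, "service sequence-numbers"),
    Rule("password-encryption", r"^service password-encryption$", True, "service password-encryption"),
    Rule("log-buffered", r"^logging buffered", True, "logging buffered 16384 informational"),
    Rule("log-syslog-host", r"^logging (host )?\d+\.\d+\.\d+\.\d+", True, "logging 192.0.2.50"),
    # lock-out risk: define aaa authentication methods and a local user before enabling this
    Rule("aaa-enabled", r"^aaa new-model$", True, "aaa new-model"),
    Rule("ntp-configured", r"^ntp server ", True, "ntp server 192.0.2.50"),
    Rule("no-http-server", r"^ip http server$", False, "no ip http server"),
    Rule("vty-ssh-only", r"^transport input ssh$", True, "transport input ssh", scope=r"^line vty"),
]

# Constructed running-config with several weak settings.
SAMPLE_CONFIG = """\
!
version 12.3
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname edge-rtr-1
!
logging buffered 16384 informational
enable secret 5 $1$salt$0123456789abcdefghijklm
!
ip http server
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line con 0
 login
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet ssh
!
end
"""


def parse_config(text):
    """Split an IOS config into its global lines and the indented body of each section."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.rstrip()
            global_lines.append(current)
            sections.setdefault(current, [])
    return global_lines, sections


def evaluate(rule, global_lines, sections):
    """True if the config satisfies the rule in every scope the rule covers."""
    if rule.scope == "global":
        bodies = [global_lines]
    else:
        bodies = [body for hdr, body in sections.items() if re.match(rule.scope, hdr)]
        if not bodies:                  # no such section: a required line cannot be present
            return not rule.required
    return all(any(re.match(rule.pattern, l) for l in body) == rule.required for body in bodies)


def audit(text):
    """Score the config rule by rule and build the fix script for the failures."""
    global_lines, sections = parse_config(text)
    results = {r.name: evaluate(r, global_lines, sections) for r in RULES}
    fixes = []
    for r in RULES:
        if results[r.name]:
            continue
        if r.scope == "global":
            fixes.extend(r.fix.splitlines())
        else:                           # apply the fix inside every section the rule covers
            for hdr in sections:
                if re.match(r.scope, hdr):
                    fixes.append(hdr)
                    fixes.extend(" " + f for f in r.fix.splitlines())
    score = round(100 * sum(results.values()) / len(RULES))
    return results, score, fixes


if __name__ == "__main__":
    results, score, fixes = audit(SAMPLE_CONFIG)
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    print(f"score: {score}%\n--- fix script (review before applying) ---")
    print("\n".join(fixes))
```

The fix script is meant to be read, not pasted: the example deliberately emits "aaa new-model" for the sample config, and applying that alone to a router with no AAA method lists is exactly the lock-out the slide warns about.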

Router Audit Tool (4)

RAT and the Cisco router benchmark documents are available at:
http://www.cisecurity.org

Further reading: Router Audit Tool: Securing Cisco Routers Made Easy
www.sans.org/rr/papers/38/238.pdf

Demo RAT


CREED - Cisco Router Evidence Extraction Disk (1)

- Bootable Linux floppy
- Created by Thomas Akin for use by AF personnel in the field to extract router configuration data and volatile memory
- Forensics focused, not an enterprise audit tool

CREED - Cisco Router Evidence Extraction Disk (2)

- Easy to use
- Connects via the console port
- Available from: http://www.crossrealm.com/creed/

DEMO

Summary


References

- Cisco: Internet Security Advisories: http://www.cisco.com/warp/public/707/advisory.html
- "Essential IOS": Features Every ISP Should Consider: http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip
- Cisco Flow Logs and Intrusion Detection at the Ohio State University: http://www.usenix.org/publications/login/1999-9/osu.html
- Improving Security on Cisco Routers: http://www.cisco.com/warp/public/707/21.html
- Router Audit Tool: Securing Cisco Routers Made Easy: www.sans.org/rr/papers/38/238.pdf
- CREED: http://www.crossrealm.com/creed/

References (2)

- National Security Agency, Router Security Configuration Guide: http://nsa2.www.conxion.com/cisco
- Cisco Product Security Incident Response Team (PSIRT): http://www.cisco.com/warp/public/707/sec_incident_response.shtml
- Information Systems Audit and Control Association: http://www.isaca.org/
- Information Systems Security Association: http://www.issa.org
- Hardening Cisco Routers, Thomas Akin, O'Reilly, ISBN 0-596-00166-5

Thank You!

Updated information is available in the Technology Pathways resource center at www.TechPathways.com
Email me if you have any questions or comments at clbrown@TechPathways.com