Auditing CISCO Routers

Transcription

1 Auditing CISCO Routers 31st Annual Computer Security Conference and Exhibition

2 Purpose of this Presentation Introduce administrators to: Key Cisco IOS security features AAA (Authentication, Authorization and Accounting) Secure audit log features Preserving volatile information Collecting forensic evidence from Cisco routers

3 Christopher L. T. Brown, CISSP, CCNA, CCDA Founder and CTO of Technology Pathways, LLC. Provide Security Focused Software & Services ProDiscover family of Computer Forensics and IR software Corporate computer forensics & incident response support Digital Discovery in support of Litigation Risk analysis and vulnerability assessment

4 Agenda Router Architecture (review) Planning & Configuration Key Security Features Cisco AAA (Authentication, Authorization and Accounting) Logging

5 Agenda (2) Collecting Volatile Information/Router Forensics Resources

6 Router Architecture (review)

7 Router architecture (1) Hardware (model dependant) Mother board, CPU, memory, bus, I/O interfaces Can become complex in higher end models Passive backplanes (multi-cpu), ASICs, etc

8 Router architecture (2) Key point is memory configuration Flash (non volatile) Contains the (compressed) IOS image and other files DRAM/SRAM (volatile) Contains the running IOS Can also store the routing table(s), statistics, local logs, etc. NVRAM (non volatile) Contains the startup configuration boot config BootROM Contains code for POST, IOS loading, etc.

9 Planning & Configuration

10 Two thoughts: Plan to Audit In order to audit a log you must first have a log In order to trust the log you must secure the log

11 Plan to Audit (2) Most information available from a router for audit/forensics is volatile To enable audit/forensics: Plan, configure, log externally

12 Planning & Configuration Keep IOS current (general deployment images) Regularly check Cisco security advisories Harden your routers Manage access Set & maintain time

13 Key Security Features

14 Features AAA (Authentication, Authorization and Accounting) Security Protocols Traffic Filtering and Firewalling IPSEC & Encryption

15 Authentication Identify users Authorization Access control Accounting Collection & logging AAA

16 AAA (2) Authentication can happen locally outside AAA RADIUS, Kerberos, TACACS+ all use AAA As you may suspect AAA provides much more control over authentication

17 Security Protocols RADIUS, Kerberos, and TACACS+ allow integration with various external directories and methods Active Directory LDAP Multi-factor (SecureID etc..)

18 Traffic Filtering & Firewalling Understanding Access-List is considered the cornerstone of IOS security Statefull packet inspection firewalling IOS images are available in many cases

19 IPSEC & Encryption Normally an IOS option CET (Cisco Encryption Technology) Provides encryption for data and/or payload Can work with CA s

20 Hardening & Security Complete Hardening and security is beyond the scope of this presentation. The three best refs: Hardening Cisco Routers - Thomas Akin - O Reilly Essential IOS Features Every ISP Should Consider v 2.9 CISCO - tialspdf.zip National Security Agency, Router Security Configuration Guide

21 Logging

22 Logging As in any system always a balance: Information overload Resource overload

23 Six Ways to Log 1. Console logging screen only 2. Buffered logging RAM (fifo) 3. Terminal logging send to vty 4. Syslog central log server 5. SNMP traps to snmp console 6. AAA accounting net connections and access

24 Time In forensics timeline entanglement is of the utmost importance Manage router time settings Set detailed time stamps with: Router(config)# Service timestamps log datetime msec localtime show-timezone

25 Logging levels Seven levels: (0) Emergencies (7) Debug Router(config) # logging console 7 or Router(config) # logging console debug

26 Syslog Centralized logs Key to enterprise management If you are locked out of the router this may be the only audit trail

27 Router Security Audit Logs Introduced in 12.2(18)S Allows to track changes via syslog and hash for: Running version, hardware config, file system, startup config and running config

28 Router Security Audit Logs (2) Summary Steps: 1. Enable 2. Config term 3. Audit filesize size 4. Audit interval seconds 5. Exit 6. Show audit

29 Netflow Data Can provide detailed information for: Network traffic accounting Usage-based network billing Network planning Denial Services (DDOS) monitoring capabilities Very resource intensive on both ends

30 Netflow Charting F.L.A.V.I.O. is a GPL'ed data grapher for netflow data - Cisco and Juniper routers among others, or unix servers running ntop with netflow export plugin) It uses a MySQL backend and has been entirely developed in Perl (Much like MRTG) Flow Tools - Review and TCP-Shatter NARUS -

31 Logging checklist Actively monitor logs Configure logging timestamps Enable RAM buffered logging Enable logging sequence numbers Use a syslog for centralization

32 Collecting Volatile Information/Router Forensics

33 Volatile Information Capturing volatile router information is essential in incident response Some may choose to add capturing volatile router information to the regular audit process

34 Router Show Commands # show clock detail # show ntp # show version # show running-config # show startup-config # show reload

35 Router Show Commands (2) # show ip route # show ip arp # show users # show logging # show interfaces # show ip interfaces

36 Router Show Commands (3) # show access-lists # show tcp brief all # show ip sockets # show ip nat translations verbose # show ip cache flow # show ip cef

37 Router Show Commands (4) # show snmp users # show snmp groups # show clock detail

38 Automated Audits and Forensics

39 Router Audit Tool Two Tools PERL Multi-platform (Windows & UNIX) Audit Focused CREED (CISCO Rtr Evidence Extraction Disk) bootable Linux floppy Incident Response & Forensics Focused

40 Router Audit Tool (1) Primarily Means for Automating Audits Perl Script consolidates 4 other Perl programs snarf (download rtr config files) ncat (reads rule config files and outputs) ncat_report (creates html reports) ncat_config (localizes rules)

41 Router Audit Tool (2) When run provides with HTML report including Rule-by-rule scoring against baseline Links for rule documentation (all checked pass or fail) Summary Fix script to correct any issues found (use with caution

42 Router Audit Tool (3)

43 Router Audit Tool (4) RAT and CISCO Rtr Benchmark documents are available at: Further Reading Router Audit Tool: Securing Cisco Routers Made Easy

44 Demo RAT

45 CREED - Cisco Router Evidence Extraction Disk (1) Bootable Linux Floppy Created by Thomas Akin for use by AF personnel in the filed to extract router config data and volatile memory Forensics focused, not an enterprise audit tool

46 CREED - Cisco Router Evidence Extraction Disk (2) Easy to use Connects via console port Available from: DEMO

47 Summary

48 References Cisco: Internet Security Advisories "Essential IOS" - Features Every ISP Should Consider spdf.zip Cisco Flow Logs and Intrusion Detection at the Ohio State University Improving Security on Cisco Routers Router Audit Tool: Securing Cisco Routers Made Easy CREED

49 References (2) National Security Agency, Router Security Configuration Guide Cisco Product Security Incident Response (PSIRT) Information Systems Audit and Control Association Information Systems Security Association Hardening Cisco Routers - Thomas Akin - O Reilly ISBN

50 Thank You! Updated information is available in the Technology Pathways resource center at me if you have any questions or comments at