Russian Cyber Attack Warning and Impact on AccessEnforcer UTM Firewall

Similar documents
Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Firewall Identification: Banner Grabbing

Objectives. Classes of threats to networks. Network Security. Common types of network attack. Mitigation techniques to protect against threats

Securing CS-MARS C H A P T E R

Simple and Powerful Security for PCI DSS

Fundamentals of Network Security v1.1 Scope and Sequence

Network Infrastructure Filtering at the border. stole slides from Fakrul Alam

PrecisionAccess Trusted Access Control

Cisco Security Solutions for Systems Engineers (SSSE) Practice Test. Version

Chapter 2. Switch Concepts and Configuration. Part II

How to configure the AT-AR450S Firewall using the Graphical User Interface (GUI)

Remote Desktop Security for the SMB

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

Global Information Assurance Certification Paper

IC32E - Pre-Instructional Survey

Security in Bomgar Remote Support

CISCO EXAM QUESTIONS & ANSWERS

Security in the Privileged Remote Access Appliance

Cisco Small Business RV320/RV325 Gigabit Dual WAN VPN Router

ASA/PIX Security Appliance

Firewalls, Tunnels, and Network Intrusion Detection

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Grandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide

Recommendations for Device Provisioning Security

CTS2134 Introduction to Networking. Module 08: Network Security

Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only.

Network security session 9-2 Router Security. Network II

Indicate whether the statement is true or false.

A. The portal will function as an identity provider and issue an authentication assertion

CISCO EXAM QUESTIONS & ANSWERS

Chapter 11: Networks

Network Infrastructure Security

AccessEnforcer Version 4.0 Features List

Security Considerations for Cloud Readiness

Welcome! APNIC Security Tutorial. Securing edge network devices. Overview

Design your network to aid forensics investigation

SITUATIONAL INFORMATION REPORT FEDERAL BUREAU OF INVESTIGATION Cyber Alert

Securing Access to Network Devices

AutoSecure. Finding Feature Information. Last Updated: January 18, 2012

Inspection of Router-Generated Traffic

Network Infrastructure Filtering at the border. PacNOG19 28th November - 2nd December 2016 Nadi, Fiji

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Electronic Access Controls June 27, Kevin B. Perry Director, Critical Infrastructure Protection

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Cisco 5921 Embedded Services Router

Context Based Access Control (CBAC): Introduction and Configuration

Administration of Symantec Cyber Security Services (July 2015) Sample Exam

Configuring OpenVPN on pfsense

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Training UNIFIED SECURITY. Signature based packet analysis

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Teacher s Reference Manual

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

How to open ports in the DSL router firmware version 2.xx and above

while the LAN interface is in the DMZ. You can control access to the WAN port using either ACLs on the upstream router, or the built-in netfilter

Information Governance, the Next Evolution of Privacy and Security

VerifiedDumps. Get the Valid and Verified Exam Questions & Answers Dump for 100% Pass

Chapter 11: It s a Network. Introduction to Networking

Endpoint Protection : Last line of defense?

Security Principles for Stratos. Part no. 667/UE/31701/004

CCNA Course Access Control Lists

MyPBX Security Configuration Guide

Routers use access lists to control incoming or outgoing traffic. You should know the following characteristics of an access list.

Ethernet / TCP-IP - Training Suite Application level protocols

Configuring Web Cache Services By Using WCCP

Virtual Private Networks (VPNs)

Sample excerpt. HP ProCurve Threat Management Services zl Module NPI Technical Training. NPI Technical Training Version: 1.

Quick Start Guide. Remote Console Manager

JPCERT/CC Internet Threat Monitoring Report [July 1, September 30, 2016]

Quick Start Guide. Remote Console Manager Quick Start Guide

Lab Student Lab Orientation

Network Security and Cryptography. 2 September Marking Scheme

CSC 474/574 Information Systems Security

EV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE

Understanding Cisco Cybersecurity Fundamentals

Chapter 4. Network Security. Part I

ch02 True/False Indicate whether the statement is true or false.

Network Security Platform 8.1

Securing Wireless Networks by By Joe Klemencic Mon. Apr

1.1 Configuring HQ Router as Remote Access Group VPN Server

Implementing Firewall Technologies

Implementation Guide - VPN Network with Static Routing

Security, Internet Access, and Communication Ports

Extended ACL Configuration Mode Commands

firewall { all-ping enable broadcast-ping disable ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Configuring Management Access

TCP/IP Filtering. Main TCP/IP Filtering Dialog Box. Route Filters Button. Packet Filters Button CHAPTER

Audit report and analyse overview. Audit report user guide v1.1

General Important Protocols for Examination of IA Examination 2018

Question No: 2 Which identifier is used to describe the application or process that submitted a log message?

Computer Network Vulnerabilities

Cisco WAAS Software Command Summary

I N D E X. Numerics. 3DES (triple Data Encryption Standard), 199

Firewall Policy. Edit Firewall Policy/ACL CHAPTER7. Configure a Firewall Before Using the Firewall Policy Feature

ForeScout Extended Module for Carbon Black

Chapter 8. User Authentication

Network Defenses 21 JANUARY KAMI VANIEA 1

Transcription:

Russian Cyber Attack Warning and Impact on AccessEnforcer UTM Firewall

1 U.S. and U.K. authorities last week alerted the public to an on-going effort to exploit network infrastructure devices including routers, switches, and firewalls by Russian state-sponsored actors. The warning came as a technical alert (TA18-106A), the result of a joint effort by the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the U.K. National Cyber Security Centre (NCSC). Attackers have successfully exploited large numbers of enterpriseclass and small home and office (SOHO) routers and switches, according to the alert. Information on the attacks has been gathered since 2015. Systems affected: Cisco Smart Install (SMI) Enabled Devices Simple Network Management Protocol (SNMP) Enabled Network Devices Generic Routing Encapsulation (GRE) Enabled Devices Targets are primarily: Government organizations Private sector organizations Critical infrastructure providers Internet service providers (ISPs) The attackers typically establish a man-in-the-middle position once a device is compromised. This can grant broad power over the network, allowing them to extract or modify device configurations, create Generic Routing Encapsulation (GRE) tunnels, or redirect network traffic. Attackers can also modify or deny a victim s network traffic in this scenario, however no reports of this have surfaced. AccessEnforcer UTM Firewall Impact Cisco Smart Install (SMI) The most significant attacks described in the alert apply exclusively to Cisco devices running Cisco Internetwork Operating System (IOS). They do not affect AccessEnforcer. This includes attacks leveraging Cisco Smart Install (SMI). SMI is an unauthenticated management protocol that allows administrators to download or overwrite files on any Cisco router or switch that supports the feature. AccessEnforcer does not support this protocol.

2 Simple Network Management Protocol (SNMP) SNMP is an application-layer protocol used to monitor and manage devices on the network. SNMP versions 1 and 2 are not encrypted and pass information in plain text. Version 3 is encrypted. The technical alert describes attacks using SNMP versions 1 and 2 to gather reconnaissance data, steal passwords, and alter device configurations. AccessEnforcer offers an SNMP agent (version 2) that is disabled by default. Once enabled, it makes available AccessEnforcer system data to SNMP monitoring tools. The agent listens for requests on IP addresses defined by the administrator and responds with system data. The SNMP agent in AccessEnforcer is read-only. It cannot initiate management actions or configuration changes. The available system data is limited and does not include user information. Device information that may be useful to an attacker s reconnaissance efforts can be gathered from an AccessEnforcer via SNMP but only if all of the following conditions are met: An administrator has enabled the SNMP agent An attacker can reach the associated network and port on which the agent is listening The attacker knows the SNMP community string This is why SNMP agents should never be enabled on a public WAN or other untrusted network. Also, SNMP community strings should follow best practices for password complexity (see additional information under Recommendations ). Generic Routing Encapsulation (GRE) GRE tunneling encapsulates one or more network protocols to create a point-to-point link between two end points. Attackers can use GRE tunnels to route traffic from a victim s system to a system they control. AccessEnforcer does not support GRE tunnels. They cannot be established to or from the device. However, other devices on the network can create GRE tunnels to remote systems (assuming both endpoints support the protocol). Additional Information Below are excerpts from the technical alert describing other methods of cyber attack and comments on the impact to AccessEnforcer.

3 1. Login banners and other data collected from enabled services can reveal the make and model of the device and information about the organization for future engagement. AccessEnforcer has two relevant services: GUI login the HTTPS login screen identifies the device as a Calyptix AccessEnforcer by default. No further specifics are provided. This page can be modified to remove any mention of AccessEnforcer, leaving only the text boxes for username and password. Remote management can also be limited to specific IP addresses, blocking access to this page by unauthorized hosts (see more under Recommendations below). SSH login this command-line login prompt reveals only that the device is an up-to-date OpenBSD/OpenSSH host with no further information. 2. Commercial and government security organizations have identified specially crafted SNMP and SMI packets that trigger the scanned device to send its configuration file This vulnerability is specific to Cisco devices and does not affect AccessEnforcer. 3. In some cases, the actors use brute-force attacks to obtain Telnet and SSH login credentials Every AccessEnforcer is given a unique password of random characters at the time of manufacture. New passwords must contain at least seven characters and cannot contain only letters. All login attempts are entered in syslog with the corresponding source address. 4. Protocols targeted in this scanning include: Telnet (TCP port 23 or a wide range others such as 80, 8080, etc.) Hypertext Transport Protocol (HTTP port 80) Simple Network Management Protocol (SNMP ports 161/162) Cisco Smart Install (SMI port 4786). These ports are closed on AccessEnforcer by default. If opened, connections can be limited to IP addresses or CIDRs specified by the administrator.

4 Recommendations for AccessEnforcer AccessEnforcer has many features to prevent attacks of this type. The Calyptix development team will also incorporate further mitigations in coming releases of AccessEnforcer firmware to block similar threats. We highly recommend the following configuration settings for AccessEnforcer to protect your network. Do not enable the SNMP agent unless necessary. If enabled, do not configure the agent to listen for requests on a public WAN or other untrusted network. Do not use simple or default phrases for any SNMP community string/name. Treat them as passwords and follow best practices for complexity. Restrict remote management to specific, trusted hosts. If using a default-allow policy for outbound filtering, create rules to block the following outbound ports: TCP & UDP 135 (MS RPC) TCP & UDP 137-139 (NetBIOS/IP)* TCP 445 (SMB/IP)* UDP 69 (TFTP) UDP 514 (Syslog) UDP 161-162 (SNMP) TCP 6660-6669 (Internet Relay Chat (IRC)) TCP 4786 (SMI) Investigate or block inbound connections to the following WAN-side ports: TCP 23 (Telnet) UDP 69 (TFTP) UDP 161-162 (SNMP) TCP 4786 (SMI) Also, be sure to patch or replace all aging network hardware, including modems, routers, switches, and firewalls. *AccessEnforcer blocks outbound traffic on ports TCP 139 and TCP 445 by default. However, they can be opened with port forwarding and outbound filtering rules.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback