1. About This Report
1.1. Organisation
1.2. Conventions
2. Security Audit
2.1. Introduction
2.2. Simple Network Management Protocol
2.3. Telnet
2.4. Access Control Lists
2.5. Access Control Lists Disabled
2.6. Conclusions
3. Device Configuration
3.1. Introduction
3.2. General
3.3. Services
3.4. Simple Network Management Protocol
3.5. Access Control List
4. Appendix
4.1. Abbreviations
4.2. Common Ports
4.3. Logging Severity Levels
4.4. Time Zones
4.5. Nipper Details
1. About This Report
1.1. Organisation
This Cisco Content Services Switch (CSS) cssdev01 report was produced by Nipper on Saturday 22 March 2008. The report contains the following sections:
- a security audit report section that details any identified security-related issues. Each security issue includes a description of the issue, its impact, how easy it would be to exploit and a recommendation. The recommendations include, where appropriate, the command(s) to resolve the issue;
- a configuration report section that details the configuration settings;
- an abbreviations appendix section that expands any abbreviations used within the report;
- a common ports appendix section that details the TCP and UDP port numbers for the common services outlined within the report;
- an appendix section detailing the logging severity levels used by the logging facility;
- a time zones appendix section that details a number of the most commonly used time zones;
- an appendix section detailing the software used to produce this report.
1.2. Conventions
This report makes use of the text conventions outlined in Table 1.
Table 1: Report text conventions
| Convention | Description |
|---|---|
| command | This text style represents the Cisco CSS command text that has to be entered literally. |
| string | This text style represents the Cisco CSS command text that you have to enter. |
| [ ] | Used to enclose a Cisco CSS command option. |
| { } | Used to enclose a Cisco CSS command requirement. |
| \| | Divides command option or requirement choices. |
2. Security Audit
2.1. Introduction
Nipper performed a security audit of the Cisco CSS cssdev01 on Saturday 22 March 2008. This section details the findings of the security audit together with the impact and recommendations.
2.2. Simple Network Management Protocol
Observation: Simple Network Management Protocol (SNMP) is widely used to assist network administrators in monitoring and managing a variety of network devices. There are three main versions of SNMP in use. Versions 1 and 2 of SNMP are secured only with a community string; both authenticate and transmit network packets with no encryption. SNMP version 3 provides three authentication methods. SNMP version 3 No-Auth access requires only a username to authenticate and provides no encryption. SNMP version 3 Auth access requires a username and the auth keyword; authentication is encrypted, but SNMP network packets are transmitted with no encryption. SNMP version 3 Auth and Priv access requires a username together with the auth and priv keywords, and provides complete encryption of both authentication and SNMP network packets.
Cisco CSS devices support only SNMP protocol versions 1 and 2c. Nipper determined that SNMP was configured on cssdev01. Furthermore, Nipper determined that cssdev01 was configured to send SNMP traps to other hosts.
Impact: Due to the unencrypted nature of SNMP protocol versions 1 and 2c, an attacker who was able to monitor network traffic could capture device configuration settings, including authentication details.
Ease: Network packet monitoring and capture tools are widely available on the Internet and SNMP tools are included as standard with some operating systems.
Recommendation: On Cisco CSS devices, SNMP version 3 with auth and priv authentication cannot be configured. Therefore, Nipper recommends that, if not required, SNMP be disabled. Additionally, Nipper recommends that, if not required, the sending of SNMP traps to other hosts be disabled. SNMP access to cssdev01 can be disabled with the following command:
restrict snmp
2.3. Telnet
Observation: Telnet is widely used to provide remote command-based access to a variety of devices and is commonly used on network devices for remote administration. However, Telnet is a clear-text protocol and is vulnerable to various packet capture techniques.
Nipper determined that Telnet was enabled on cssdev01.
Impact: An attacker who was able to monitor network traffic could capture sensitive information or authentication credentials.
Ease: Network packet and password sniffing tools are widely available on the Internet and some of the tools are specifically designed to capture clear-text protocol authentication credentials. However, in a switched environment an attacker may not be able to capture network traffic destined for other devices without employing an attack such as Address Resolution Protocol (ARP) spoofing.
Recommendation: Nipper recommends that, if possible, Telnet be disabled. If Telnet is required, Nipper recommends that filtering be implemented to restrict access. Telnet can be disabled with the following command:
restrict telnet
2.4. Access Control Lists
Observation: Access Control Lists (ACLs) are sequential lists of allow, deny and bypass clauses that determine whether network traffic is permitted or dropped. All ACLs have a hidden deny all clause as the final clause, clause 255. ACLs are used to restrict access to services and network devices, preventing access to services and devices that should not be accessible.
Nipper identified 16 insecure ACL clauses; these are listed in Table 2.
Table 2: Insecure ACL Clauses
| ACL | Clause | Description |
|---|---|---|
| 3 | 1 | Allows access from any source to any address. Allows access from any address to any destination. Allows access from any address to any destination service. |
| 3 | N/A | ACL does not end with a deny all and log. |
| 2 | 1 | Bypasses the remaining clauses. Does not log denied access. |
| 2 | 10 | Allows access from a network source to any address. Allows access from 192.168.21.0 / 255.255.255.0 to any destination. Allows access from 192.168.21.0 / 255.255.255.0 to any destination service. |
| 2 | N/A | ACL does not end with a deny all and log. |
| 1 | 2 | Bypasses the remaining clauses. Does not log denied access. |
| 1 | 1 | Allows access from any source to any address. Allows access from any address to any destination. Allows access from any address to any destination service. |
| 1 | N/A | ACL does not end with a deny all and log. |
Impact: If ACL clauses are not sufficiently restrictive, an attacker may be able to access services or network devices that should not be accessible. Furthermore, an attacker who had compromised a device could install some backdoor software which could listen on a network port that was not filtered.
Ease: N/A
Recommendation: Nipper recommends that the ACLs be reviewed and, where possible, modified to ensure that:
- clauses do not allow access from any source;
- clauses do not allow access from entire source networks;
- clauses do not allow access to any destination;
- clauses do not allow access to entire destination networks;
- clauses do not allow access to any destination port;
- clauses log denied access;
- ACLs are not bypassed;
- ACLs end with a deny all and log clause.
However, in certain circumstances, such as a public web server, a more relaxed configuration may be required to allow any host to access specific hosts and services.
2.5. Access Control Lists Disabled
Observation: ACLs are used to restrict access to services and network devices, preventing access to services and devices that should not be accessible. However, unless ACLs are enabled, all network traffic is allowed.
Nipper determined that, although ACLs have been configured, ACLs are disabled on cssdev01.
Impact: With ACLs disabled, an attacker could gain access to hosts and services that they should not be able to access.
Ease: N/A
Recommendation: Nipper recommends that ACLs be enabled. Once enabled, all traffic is denied by default, so an ACL permitting management traffic to the device should be configured before ACLs are enabled. ACLs can be enabled with the following Cisco CSS command:
acl enable
2.6. Conclusions
Nipper performed a security audit of the Cisco CSS device cssdev01 on Saturday 22 March 2008 and identified four security-related issues. Nipper determined that:
- clear-text remote administration was enabled using SNMP;
- clear-text remote administration was enabled using Telnet;
- insecure ACLs were configured;
- ACLs are disabled.
3. Device Configuration
3.1. Introduction
This section details the configuration settings of the Cisco CSS device cssdev01.
3.2. General
Table 3: General device settings
| Description | Setting |
|---|---|
| Hostname | cssdev01 |
| CSS Version | 7.50(203) |
3.3. Services
Table 4: Device services
| Service | Status |
|---|---|
| FTP Server | Enabled |
| SNMP Server | Enabled |
| SSH Server | Enabled |
| Telnet Server | Enabled |
| Web Management Server | Disabled |
3.4. Simple Network Management Protocol
SNMP is widely used to assist network administrators in monitoring and managing a variety of network devices. There are three main versions of SNMP in use. Versions 1 and 2 of SNMP are secured only with a community string; both authenticate and transmit network packets with no encryption. SNMP version 3 provides three authentication methods. SNMP version 3 No-Auth access requires only a username to authenticate and provides no encryption. SNMP version 3 Auth access requires a username and the auth keyword; authentication is encrypted, but SNMP network packets are transmitted with no encryption. SNMP version 3 Auth and Priv access requires a username together with the auth and priv keywords, and provides complete encryption of both authentication and SNMP network packets. However, Cisco CSS currently only supports SNMP versions 1 and 2.
Table 5: General SNMP service configuration
| Description | Setting |
|---|---|
| Hostname | "CSSDEV01" |
| Contact | |
| Location | "Does it matter" |
| SNMP Device Reload | Disabled |
Table 6: SNMP community strings
| Community | Access Type |
|---|---|
| public | Read Only |
Table 7: SNMP hosts
| SNMP Host | SNMP Version | Community String |
|---|---|---|
| 192.168.0.1 | SNMP v2c | private |
| 192.168.0.2 | SNMP v2c | private |
3.5. Access Control List
Cisco CSS device ACLs are sequential lists of permit, deny or bypass clauses that are applied to a VLAN circuit. An ACL is processed sequentially, and the first clause that matches the incoming traffic applies. If the entire ACL has been processed without a clause matching, the traffic is denied by a hidden deny all rule. However, ACLs have to be enabled on the Cisco CSS; otherwise all traffic is permitted regardless of the ACL. Once enabled, traffic on any VLAN circuit without an ACL applied is denied by the hidden deny all rule.
ACLs are disabled on cssdev01.
Table 8: ACL 3 (applied to circuit-(VLAN101))
| Clause | Filter | Protocol | Source | Source Service | Destination | Destination Service | Log |
|---|---|---|---|---|---|---|---|
| 1 | Permit | any | Any | Any | Any | Any | No |
Table 9: ACL 2 (applied to circuit-(VLAN102))
| Clause | Filter | Protocol | Source | Source Service | Destination | Destination Service | Log |
|---|---|---|---|---|---|---|---|
| 1 | Bypass | any | 192.168.20.0 / 255.255.255.0 | Any | 192.168.40.0 / 255.255.255.0 | Any | No |
| 10 | Permit | any | 192.168.21.0 / 255.255.255.0 | Any | Any | Any | No |
Table 10: ACL 1 (applied to circuit-(VLAN1))
| Clause | Filter | Protocol | Source | Source Service | Destination | Destination Service | Log |
|---|---|---|---|---|---|---|---|
| 2 | Bypass | any | 192.168.31.0 / 255.255.255.0 | Any | 192.168.32.0 / 255.255.255.0 | Any | No |
| 1 | Permit | icmp | Any | Any | Any | Any | No |
4. Appendix
4.1. Abbreviations
| ACL | Access Control List |
| ARP | Address Resolution Protocol |
| CSS | Content Services Switch |
| FTP | File Transfer Protocol |
| SNMP | Simple Network Management Protocol |
| SSH | Secure Shell |
4.2. Common Ports
Table 11: Common ports
| Service | Port |
|---|---|
| FTP | 21 |
| SSH | 22 |
| SNMP | 161 |
4.3. Logging Severity Levels
Table 12: Logging message severity levels
| Level | Level Name | Description |
|---|---|---|
| 0 | Emergencies | System is unstable |
| 1 | Alerts | Immediate action is required |
| 2 | Critical | Critical conditions |
| 3 | Errors | Error conditions |
| 4 | Warnings | Warning conditions |
| 5 | Notifications | Significant conditions |
| 6 | Informational | Informational messages |
| 7 | Debugging | Debugging messages |
4.4. Time Zones
Table 13: Common time zone acronyms
| Region | Acronym | Time Zone | UTC Offset |
|---|---|---|---|
| Australia | CST | Central Standard Time | +9.5 hours |
| Australia | EST | Eastern Standard/Summer Time | +10 hours |
| Australia | WST | Western Standard Time | +8 hours |
| Europe | BST | British Summer Time | +1 hour |
| Europe | CEST | Central Europe Summer Time | +2 hours |
| Europe | CET | Central Europe Time | +1 hour |
| Europe | EEST | Eastern Europe Summer Time | +3 hours |
| Europe | EST | Eastern Europe Time | +2 hours |
| Europe | GMT | Greenwich Mean Time | |
| Europe | IST | Irish Summer Time | +1 hour |
| Europe | MSK | Moscow Time | +3 hours |
| Europe | WEST | Western Europe Summer Time | +1 hour |
| Europe | WET | Western Europe Time | +1 hour |
| USA and Canada | ADT | Atlantic Daylight Time | -3 hours |
| USA and Canada | AKDT | Alaska Standard Daylight Saving Time | -8 hours |
| USA and Canada | AKST | Alaska Standard Time | -9 hours |
| USA and Canada | AST | Atlantic Standard Time | -4 hours |
| USA and Canada | CDT | Central Daylight Saving Time | -5 hours |
| USA and Canada | CST | Central Standard Time | -6 hours |
| USA and Canada | EDT | Eastern Daylight Time | -4 hours |
| USA and Canada | EST | Eastern Standard Time | -5 hours |
| USA and Canada | HST | Hawaiian Standard Time | -10 hours |
| USA and Canada | MDT | Mountain Daylight Time | -6 hours |
| USA and Canada | MST | Mountain Standard Time | -7 hours |
| USA and Canada | PDT | Pacific Daylight Time | -7 hours |
| USA and Canada | PST | Pacific Standard Time | -3 hours |
4.5. Nipper Details
This report was generated using Nipper version 0.11.5. Nipper is an Open Source tool designed to assist security professionals and network system administrators in securely configuring network infrastructure devices. The latest version of Nipper can be found at the following URL:
http://nipper.sourceforge.net.