1. About This Report
1.1. Organisation
1.2. Conventions
2. Security Audit
2.1. Introduction
2.2. Software Version
2.3. Dictionary-based Passwords / Keys
2.4. Weak Passwords / Keys
2.5. Configuration Auto-Loading
2.6. Directed Broadcasts
2.7. Border Gateway Protocol Route Flapping
2.8. OSPF Authentication
2.9. EIGRP Authentication
2.10. RIP Authentication
2.11. VRRP Authentication
2.12. Inbound TCP Connection Keep Alives
2.13. Connection Timeout
2.14. Auxiliary Port
2.15. IP Source Routing
2.16. Finger
2.17. HyperText Transport Protocol Service
2.18. Simple Network Management Protocol
2.19. Telnet
2.20. ICMP Redirects
2.21. Access Control Lists
2.22. Unicast Reverse Packet Forwarding Verification
2.23. Logging
2.24. Proxy ARP
2.25. SSH Protocol Version
2.26. Cisco Discovery Protocol
2.27. Classless Routing
2.28. Minimum Password Length
2.29. BOOTP
2.30. TCP and UDP Small Servers
2.31. IP Unreachables
2.32. ICMP Mask Reply
2.33. Enable Secret
2.34. Service Password Encryption
2.35. Login Banner
2.36. Domain Lookups
2.37. Packet Assembler / Disassembler
2.38. Maintenance Operations Protocol
2.39. Conclusions
3. Device Configuration
3.1. Introduction
3.2. General
3.3. Services
3.4. Domain Name Settings
3.5. Time Zone Settings
3.6. User Accounts and Privileges
3.7. Simple Network Management Protocol
3.8. Routing
3.9. Lines
3.10. Interfaces
3.11. Access Control List
4. Appendix
4.1. Abbreviations
4.2. Common Ports
4.3. Logging Severity Levels
4.4. Time Zones
4.5. Nipper Details
1. About This Report
1.1. Organisation
This Cisco Router router03 report was produced by Nipper on Saturday 22 March 2008. The report contains the following sections:
- a security audit report section that details any identified security-related issues. Each security issue includes a description of the issue, its impact, how easy it would be to exploit and a recommendation. The recommendations include, where appropriate, the command(s) to resolve the issue;
- a configuration report section that details the configuration settings;
- an abbreviations appendix section that expands any abbreviations used within the report;
- a common ports appendix section that details the TCP and UDP port numbers for the common services outlined within the report;
- an appendix section detailing the logging severity levels used by the logging facility;
- a time zones appendix section that details a number of the most commonly used time zones;
- an appendix section detailing the software used to produce this report.
1.2. Conventions
This report makes use of the text conventions outlined in Table 1.
Table 1: Report text conventions
| Convention | Description |
| --- | --- |
| command | This text style represents the Cisco Router command text that has to be entered literally. |
| string | This text style represents the Cisco Router command text that you have to enter. |
| [ ] | Used to enclose a Cisco Router command option. |
| { } | Used to enclose a Cisco Router command requirement. |
| \| | Divides command option or requirement choices. |
2. Security Audit
2.1. Introduction
Nipper performed a security audit of the Cisco Router router03 on Saturday 22 March 2008. This section details the findings of the security audit together with the impact and recommendations.
2.2. Software Version
Observation: It is critically important that software be regularly maintained with patches and upgrades in order to help mitigate the risk of an attacker exploiting a known software vulnerability. Furthermore, additional security features and other functionality are normally added or extended with each software revision.
Nipper determined that the Cisco Router router03 was running out-of-date software, Internet Operating System (IOS) version 12.3. Some of the known vulnerabilities for this software version are listed in Table 2.
Table 2: Potential software vulnerabilities
| Description | CVE Reference | Bugtraq ID |
| --- | --- | --- |
| Telnet remote denial of service | CVE-2004-1464 | 11060 |
| IPv4 TCP listener denial of service | CVE-2007-0479 | 22208 |
It is worth noting that Nipper used the version number detailed in the device configuration to identify the potential vulnerabilities, and patches may have already been applied. Additionally, a specific device configuration may be required in order for the device to become vulnerable.
Impact: The vulnerabilities listed in Table 2 could allow an attacker to perform a Denial of Service (DoS) attack.
Ease: Exploit code is widely available on the Internet for known Cisco Router vulnerabilities.
Recommendation: Nipper strongly recommends that the software be updated and patched to the latest software version. Furthermore, Nipper recommends that the current patch policy be reviewed.
2.3. Dictionary-based Passwords / Keys
Observation: Attackers will often have dictionaries of words that contain names, places, default passwords and other common passwords. If a password or key is likely to be contained within an attacker's dictionary, they could gain access to the system.
The passwords and keys of the device router03 were tested against a small dictionary and nine passwords / keys were identified. These are listed in Table 3.
Table 3: Dictionary-based passwords / keys
| Type | Service | Username | Password |
| --- | --- | --- | --- |
| Password | Enable | Level 15 | cisco |
| Password | Users | testuser | password |
| Password | Users | temp | password |
| Community | SNMP | read-only | public |
| Community | SNMP | read/write | private |
| Community | SNMP | Host: 192.168.20.30 | private |
| Community | SNMP | Host: 192.168.20.40 | private |
| Password | Line | Console line 0 | password |
| Password | Line | VTY lines 0 - 4 | password |
Impact: An attacker who was able to identify a password or key would be able to gain a level of access to the device, based on what service the password / key was used for.
Ease: Tools are available on the Internet that can perform dictionary-based password guessing against a number of network services.
Recommendation: Nipper strongly recommends that the passwords identified be immediately changed to something that is more difficult to guess. Nipper recommends that passwords be made up of at least eight characters in length and contain either uppercase or lowercase characters and numbers.
2.4. Weak Passwords / Keys
Observation: Strong passwords tend to contain a number of different types of character, such as uppercase and lowercase letters, numbers and punctuation characters. Weaker passwords tend not to contain a mixture of character types. Additionally, weaker passwords tend to be short in length.
Nipper identified nine passwords / keys that did not meet the minimum password complexity requirements. These are listed in Table 4.
Table 4: Weak passwords / keys
| Type | Service | Username | Password |
| --- | --- | --- | --- |
| Password | Enable | Level 15 | cisco |
| Password | Users | testuser | password |
| Password | Users | temp | password |
| Community | SNMP | read-only | public |
| Community | SNMP | read/write | private |
| Community | SNMP | Host: 192.168.20.30 | private |
| Community | SNMP | Host: 192.168.20.40 | private |
| Password | Line | Console line 0 | password |
| Password | Line | VTY lines 0 - 4 | password |
Impact: If an attacker were able to gain a password or key, either through dictionary-based guessing techniques or by a brute-force method, the attacker could gain a level of access to router03.
Ease: A number of dictionary-based password guessing and password brute-force tools are available on the Internet.
Recommendation: Nipper strongly recommends that the weak passwords be immediately changed to ones that are stronger. Nipper recommends that passwords be made up of at least eight characters in length and contain either uppercase or lowercase characters and numbers.
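The dictionary and complexity checks behind Tables 3 and 4, as an added Python example (not Nipper's code) run against a constructed configuration excerpt that reproduces the nine entries. The word list is made up, and the report's complexity rule is read here as requiring eight or more characters with uppercase, lowercase and numeric characters all present.

```python
import re

# Constructed configuration excerpt reproducing the nine entries of Tables 3 and 4.
SAMPLE_CONFIG = """\
hostname router03
enable password cisco
username testuser password 0 password
username temp password 0 password
snmp-server community public RO
snmp-server community private RW
snmp-server host 192.168.20.30 private
snmp-server host 192.168.20.40 private
line con 0
 password password
line vty 0 4
 password password
"""

# Small constructed word list standing in for the "small dictionary" the report used.
WORDLIST = {"cisco", "password", "public", "private", "admin", "secret", "router"}

# Where clear-text secrets appear in an IOS configuration. Type 5 hashes and type 7
# obfuscated values ("enable secret 5 ...", "password 7 ...") are deliberately not matched.
GLOBAL_PATTERNS = [
    ("Enable", re.compile(r"^enable password(?: 0)? (?P<secret>\S+)$")),
    ("Users", re.compile(r"^username (?P<owner>\S+) password(?: 0)? (?P<secret>\S+)$")),
    ("SNMP", re.compile(r"^snmp-server community (?P<secret>\S+)(?: (?P<owner>RO|RW))?")),
    ("SNMP", re.compile(r"^snmp-server host (?P<owner>\S+)(?: (?:traps|informs))?"
                        r"(?: version \S+)? (?P<secret>\S+)")),
]
LINE_PASSWORD = re.compile(r"^password(?: 0)? (?P<secret>\S+)$")
SNMP_OWNER = {"RO": "read-only", "RW": "read/write"}


def extract_secrets(config):
    """Return (service, owner, secret) tuples for every clear-text secret in the config."""
    found, current_line = [], None
    for raw in config.splitlines():
        text = raw.strip()
        if not raw.startswith(" "):
            current_line = None          # an unindented line closes any `line` stanza
        if text.startswith("line "):
            current_line = text[5:]      # e.g. "con 0", "vty 0 4"
            continue
        if current_line is not None:
            m = LINE_PASSWORD.match(text)
            if m:
                found.append(("Line", current_line, m.group("secret")))
            continue
        for service, pattern in GLOBAL_PATTERNS:
            m = pattern.match(text)
            if not m:
                continue
            owner = m.groupdict().get("owner")
            if service == "Enable":
                owner = "Level 15"
            elif service == "SNMP":      # community (RO default) or trap/inform host
                owner = SNMP_OWNER.get(owner or "RO") or "Host: " + owner
            found.append((service, owner, m.group("secret")))
            break
    return found


def is_complex(secret):
    """Eight or more characters with uppercase, lowercase and numeric characters present."""
    return (len(secret) >= 8 and any(c.isupper() for c in secret)
            and any(c.islower() for c in secret) and any(c.isdigit() for c in secret))


def audit_secrets(config, wordlist=WORDLIST):
    """Return (dictionary_hits, weak) lists mirroring Tables 3 and 4."""
    secrets = extract_secrets(config)
    dictionary_hits = [s for s in secrets if s[2].lower() in wordlist]
    weak = [s for s in secrets if not is_complex(s[2])]
    return dictionary_hits, weak


if __name__ == "__main__":
    hits, weak = audit_secrets(SAMPLE_CONFIG)
    print(f"{len(hits)} dictionary-based, {len(weak)} weak:")
    for service, owner, secret in weak:
        print(f"  {service:9} {owner:22} {secret}")
```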
2.5. Configuration Auto-Loading
Observation: Cisco devices are capable of loading their configuration from other network devices, rather than using a local configuration file.
Although the configuration auto-loading feature is typically disabled by default on Cisco devices, Nipper determined that router03 had configuration auto-loading enabled.
Impact: The Cisco device configuration files are transmitted unencrypted over the network. An attacker who is able to monitor the network would be able to capture a copy of the device configuration. The attacker would also be able to capture any clear-text passwords or password hashes contained within the configuration file.
Ease: Tools are widely available on the Internet that would allow an attacker to capture network traffic and reconstruct network streams.
Recommendation: Nipper recommends that, if not required, configuration auto-loading be disabled. The following Cisco IOS commands can be used to disable configuration auto-loading:
no boot network
no service config
2.6. Directed Broadcasts
Observation: Internet Control Message Protocol (ICMP) echo requests can be addressed to an entire network or subnet as well as to individual hosts. Disabling directed broadcasts on each individual network interface will help prevent network-wide ping requests. Directed broadcasts are usually enabled by default on Cisco devices running IOS version 11.3 and earlier.
Nipper determined that the device router03 had support for directed broadcasts enabled on the network interfaces listed in Table 5.
Table 5: Interfaces with directed broadcasts enabled
| Interface | Description |
| --- | --- |
| GigabitEthernet1/1 | First interface on switch |
| GigabitEthernet1/2 | Second interface on switch |
Impact: A DoS attack exists that makes use of network echo requests, known as a smurf attack. An attacker would send an ICMP echo request with the victim host's IP address spoofed as the source. The hosts on the network would then reply to the echo request, flooding the victim host.
Ease: Tools are available on the Internet that can perform the smurf attack outlined above.
Recommendation: Nipper recommends that directed broadcasts be disabled on all network interfaces. Directed broadcasts can be disabled on each individual network interface using the following command:
no ip directed-broadcast
2.7. Border Gateway Protocol Route Flapping
Observation: Border Gateway Protocol (BGP) route flapping is a condition where routing tables are constantly being updated due to a link transitioning between up and down status. These transitions cause routing tables to be continuously updated across the infrastructure. Configuring route dampening can help mitigate against constant route flapping.
Nipper determined that BGP route dampening was not configured on router03.
Impact: Excessive route updates, caused by a link status constantly changing between up to down, can impact network routing performance. Network routing could slow with network packets being dropped, possibly causing a DoS condition.
Ease: It is possible for an attacker to send BGP packets to a router to update the routing table and cause a route flapping condition. However, the attacker may need additional information in order to perform the attack, such as a BGP password.
Recommendation: Nipper recommends that BGP route dampening be configured. Additionally, there are a number of BGP dampening options that can be configured. The following Cisco IOS router command will enable BGP route dampening:
bgp dampening
2.8. OSPF Authentication
Observation: Open Shortest Path First (OSPF) is an Interior Gateway Protocol (IGP) used by routers to update routing tables. OSPF packets can be configured to use one of three levels of security: no authentication, clear-text authentication and MD5 authentication. The clear-text authentication method is almost as insecure as no authentication, as the key is included in the packet. With the MD5 authentication method, the packets are signed to prevent route tampering.
Nipper determined that OSPF with no authentication was configured on the areas listed in Table 6.
Table 6: OSPF areas with insecure authentication configuration
| Process ID | Area ID | Authentication |
| --- | --- | --- |
| 6 | 0.0.0.0 | No Authentication |
| 6 | 30.10.20.40 | No Authentication |
Impact: An attacker who is able to update the routing tables could capture network traffic, perform a network-wide DoS or a man-in-the-middle attack.
Ease: Once an attacker has established the type of authentication in use, they could use the information to pose as a router and insert routes into the routing tables by sending specially crafted OSPF packets. OSPF packets can be captured using a variety of techniques, and tools are available on the Internet that can be used to exploit insecure OSPF configurations.
Recommendation: Nipper recommends that, if possible, all OSPF areas be configured to use MD5-based authentication. Message digest authentication needs to be configured for each OSPF area and a key be specified on each OSPF network interface. The Cisco IOS command to enable MD5 authentication for an area is:
area {area id} authentication message-digest
The command to configure the MD5 authentication key on an interface is:
ip ospf message-digest-key {key id} md5 {key}
2.9. EIGRP Authentication
Observation: Cisco developed Enhanced Interior Gateway Routing Protocol (EIGRP) as an enhanced version of Interior Gateway Routing Protocol (IGRP), an IGP used by routers to dynamically update routing tables. Each interface where EIGRP is used can be configured with MD5-based authentication.
Nipper determined that two EIGRP interfaces were configured with no authentication; these are listed in Table 7.
Table 7: Interfaces with no EIGRP authentication
| Interface | Description |
| --- | --- |
| GigabitEthernet1/1 | First interface on switch |
| GigabitEthernet1/2 | Second interface on switch |
Impact: An attacker who is able to update the routing tables could capture network traffic, perform a network-wide DoS or a man-in-the-middle attack.
Ease: Once an attacker has established the type of authentication in use, they could use the information to pose as a router and insert routes into the routing tables by sending specially crafted EIGRP packets. EIGRP packets can be captured using a variety of techniques and tools are available on the Internet that can be used to exploit insecure EIGRP configurations.
Recommendation: Nipper recommends that all EIGRP interfaces be configured with EIGRP MD5-based authentication. Furthermore, Nipper recommends that all interfaces where EIGRP is not required be configured as passive. EIGRP MD5 authentication can be configured on each interface with the following commands:
ip authentication mode eigrp {autonomous number} md5
ip authentication key-chain eigrp {autonomous number} {key chain}
Passive interfaces can be configured with the following EIGRP router command:
passive-interface {interface type} {interface number}
2.10. RIP Authentication
Observation: Routing Information Protocol (RIP) is a routing protocol that allows network devices to dynamically adapt to changes in the network infrastructure, enabling network devices to forward traffic using the shortest route to their destination. There are two versions of RIP configurable on Cisco Router devices. RIP version 2 provides a mechanism for authenticating routing updates, whereas RIP version 1 provides no such mechanism. RIP version 2 supports clear-text authentication and MD5 authentication.
Nipper determined that RIP had been configured without encrypted authentication for sent and received updates on two network interfaces; these are listed in Table 8.
Table 8: Insecure RIP interface configurations
| Interface | Description |
| --- | --- |
| GigabitEthernet1/1 | No RIP version 2 key chain or MD5 authentication was configured. |
| GigabitEthernet1/2 | No RIP version 2 key chain or MD5 authentication was configured. |
Impact: If RIP updates are sent and received without encrypted authentication an attacker may be able to inject their own route into the routing table. An attacker could modify routes in order to enable the capture of network traffic or to perform a network DoS.
Ease: An attacker would have to determine what authentication, if any, was configured. Once an attacker has identified an insecure RIP configuration they could attempt to pose as a router and inject routes. Tools are available on the Internet that can transmit RIP updates.
Recommendation: Nipper recommends RIP be configured with encrypted authentication for all interfaces where RIP packets will be sent and received. Furthermore, Nipper recommends that all interfaces where RIP will not be used be configured as passive. RIP version 2 can be configured with the following router command:
version 2
RIP authentication can be configured on each interface using the following commands:
ip rip authentication key-chain {Key Chain}
ip rip authentication mode md5
RIP can be disabled on individual interfaces using the following router command:
passive-interface {interface type} {interface number}
2.11. VRRP Authentication
Observation: Cisco Router devices support Virtual Router Redundancy Protocol (VRRP), which is used for router load balancing and redundancy. One VRRP group router will be a master router and VRRP advertisements are sent from it to group members. The advertisements contain the priority and state of the master. If the master router becomes unavailable, an election is held to determine a new VRRP master router. VRRP messages can be unauthenticated or authenticated. VRRP authentication uses either a clear-text password or an MD5 password.
Nipper determined that VRRP was configured on router03 without MD5 authentication on all VRRP interfaces.
Impact: An attacker could transmit VRRP group messages in an attempt to become the VRRP master. If an attacker were able to become the VRRP group master, they could modify the network traffic route in order to capture traffic or to perform a network DoS.
Ease: The attacker would have to monitor VRRP traffic in order to determine the VRRP group, priority and the authentication method in use. The attacker would then have to transmit VRRP group messages with a higher priority than the VRRP master in order to become the VRRP master.
Recommendation: Nipper recommends that MD5 authentication be configured on all VRRP interfaces. MD5 VRRP key string authentication can be configured on each VRRP interface with the following command:
vrrp {group} authentication md5 {[key-string password] | [key-chain key chain]}
2.12. Inbound TCP Connection Keep Alives
Observation: Connections to a Cisco Router device could become orphaned if a connection becomes disrupted. An attacker could attempt a DoS attack against a Cisco Router by exhausting the number of possible connections. Transmission Control Protocol (TCP) keep alive messages can be configured to confirm that a remote connection is valid and then terminate any orphaned connections.
Nipper determined that TCP keep alive messages are not sent for connections from remote hosts.
Impact: An attacker could attempt a DoS by exhausting the number of possible connections.
Ease: Tools are available on the Internet that can open large numbers of TCP connections without correctly terminating them.
Recommendation: Nipper recommends that TCP keep alive messages be sent to detect and drop orphaned connections from remote systems. TCP keep alive messages can be enabled for connections from remote systems using the following command:
service tcp-keepalives-in
2.13. Connection Timeout
Observation: Connection timeouts can be configured for a number of the device services. If a timeout were configured on an administrative service, an administrator that did not correctly terminate the connection would have it automatically closed after the timeout expires. However, if a timeout is not configured, or is configured to be a long timeout, an unauthorised user may be able to gain access using the administrator's previously logged-in connection.
Nipper identified three connection settings that were not configured to time out within ten minutes; these are listed in Table 9.
Table 9: Connections with inadequate timeout periods
| Connection | Timeout |
| --- | --- |
| Console line 0 | Session Timeout: 25 minutes |
| Auxiliary line 0 | Session Timeout: 25 minutes |
| VTY lines 0 to 4 | No Timeout |
Impact: An attacker who was able to gain access to a connection that had not expired, would be able to continue using that connection. A connection could be a console port on the device that was not correctly terminated or a remote administrative connection.
Ease: The attacker would have to gain physical access to the device to use the console port, or gain remote access to an administration machine that is attached to the port. To gain access to remote connections, an attacker would have to be able to intercept network traffic between the client and router03. The attacker would then have to take over the connection, which could be very difficult with some services. Tools are available on the Internet that would facilitate the monitoring of network connections.
Recommendation: Nipper recommends that a timeout period of ten minutes be configured for connections to the device router03.
2.14. Auxiliary Port
Observation: The auxiliary port's primary purpose is to provide a remote administration capability. It can allow a remote administrator to use a modem to dial into the Cisco device.
Nipper determined that the auxiliary port on the Cisco device router03 allowed exec connections and did not appear to have the callback feature configured.
Impact: An attacker may discover the modem number for the device during a war-dial. If an attacker were able to connect to the device remotely, then they may be able to brute-force the login to gain access to the device.
Ease: The attacker would have to first identify the telephone number of the device, probably through a war-dial. A modem attached to a telephone line would have to be attached directly to the Cisco device's auxiliary port. Then the attacker would be able to attach to the device in order to perform a brute-force of the login.
Recommendation: Nipper recommends that, if not required, the auxiliary port exec be disabled. Exec can be disabled on the aux port with the following command:
no exec
If the auxiliary port is required for remote administration, the callback feature can be configured to dial a specific preconfigured telephone number.
2.15. IP Source Routing
Observation: IP source routing is a feature whereby a network packet can specify how it should be routed through the network. Cisco routers normally accept and process source routes specified by a packet, unless the feature has been disabled.
Nipper determined that IP source routing was not disabled.
Impact: IP source routing can allow an attacker to specify a route for a network packet to follow, possibly to bypass a firewall device or an Intrusion Detection System (IDS). An attacker could also use source routing to capture network traffic by routing it through a system controlled by the attacker.
Ease: An attacker would have to control either a routing device or an end point device in order to modify a packet's route through the network. However, tools are available on the Internet that would allow an attacker to specify source routes. Tools are also available to modify network routing using vulnerabilities in some routing protocols.
Recommendation: Nipper recommends that, if not required, IP source routing be disabled. IP source routing can be disabled by issuing the following IOS command:
no ip source-route
2.16. Finger
Observation: The finger service was traditionally installed by default on UNIX-based operating systems, though more recently it is disabled by default. The finger service is started by default on Cisco devices and was not explicitly disabled on router03.
Impact: A malicious user could use the finger service to gain information about users logged in to the device.
Ease: Tools for querying the finger service are widely available on the Internet and some operating systems include the tools by default.
Recommendation: Nipper recommends that, if not required, the finger service be disabled. Users who do not have authenticated access to the device do not normally need to know who is logged in to the device. Users who have authenticated access to the device are able to log in and show the current users using the following Cisco IOS command:
show users
The following Cisco IOS commands can be used to disable the finger service:
no ip finger
no service finger
2.17. HyperText Transport Protocol Service
Observation: Recent Cisco IOS-based devices support web-based administration using HTTP. Cisco web-based administration facilities can sometimes be basic, but they do provide a simple method of administering remote devices. However, HTTP is a clear-text protocol and is vulnerable to various packet-capture techniques.
Even though the HTTP service had not been configured, it can be enabled by default on some Cisco devices.
Impact: An attacker who was able to monitor network traffic could capture authentication credentials.
Ease: Network packet and password sniffing tools are widely available on the Internet. Once authentication credentials have been captured, it is trivial to use them to log in.
Recommendation: Nipper recommends that, if not required, the HTTP service be disabled. If a remote method of access to the device is required, consider using HTTPS or Secure Shell (SSH). The encrypted HTTPS and SSH services may require a firmware or hardware upgrade. The HTTP service can be disabled with the following IOS command:
no ip http server
If it is not possible to upgrade the device to use the encrypted HTTPS or SSH services, additional security can be configured. An access list can be configured to restrict access to the device. An access list can be specified with the following command:
ip http access-class {access list number}
The authentication method can be changed using the following command (where the authentication method is either local, enable, tacacs or aaa):
ip http authentication [authentication method]
2.18. Simple Network Management Protocol
Observation: Simple Network Management Protocol (SNMP) is widely used to assist network administrators in monitoring and managing a variety of network devices. There are three main versions of SNMP in use. Versions 1 and 2 of SNMP are secured with a community string; both authenticate and transmit network packets with no encryption. SNMP version 3 provides three authentication methods. SNMP version 3 No-Auth access requires a username to authenticate and provides no encryption. SNMP version 3 Auth access requires a username and the auth keyword; authentication is encrypted but SNMP network packets are transmitted with no encryption. SNMP version 3 Auth and Priv access requires a username and the auth and priv keywords, and provides complete encryption of authentication and SNMP network packets.
Nipper determined that SNMP protocol version 1 was configured on router03.
Impact: Due to the unencrypted nature of SNMP protocol versions 1 and 2c, an attacker who was able to monitor network traffic could capture device configuration settings, including authentication details.
Ease: Network packet monitoring and capture tools are widely available on the Internet and SNMP tools are included as standard with some operating systems.
Recommendation: Nipper recommends that, if possible, SNMP version 1 be disabled. Furthermore, Nipper recommends that, if SNMP is required, protocol version 3 be configured with Auth and Priv authentication. SNMP protocol version 1 can be disabled with the following command for each community string:
no snmp-server community {Community String} {[RO] | [RW]}
SNMP version 3 Auth and Priv access can be configured with the following commands:
snmp-server group {Group Name} v3 priv
snmp-server user {Username} {Group Name} v3 auth md5 {Auth Keyword} priv {[3des] | [aes 128] | [aes 192]} {Priv Keyword}
2.19. Telnet
Observation: Telnet is widely used to provide remote command-based access to a variety of devices and is commonly used on network devices for remote administration. However, Telnet is a clear-text protocol and is vulnerable to various packet capture techniques.
Nipper determined that Telnet was enabled on router03.
Impact: An attacker who was able to monitor network traffic could capture sensitive information or authentication credentials.
Ease: Network packet and password sniffing tools are widely available on the Internet and some of the tools are specifically designed to capture clear-text protocol authentication credentials. However, in a switched environment an attacker may not be able to capture network traffic destined for other devices without employing an attack such as Address Resolution Protocol (ARP) spoofing.
Recommendation: Nipper recommends that, if possible, Telnet be disabled. If remote administrative access to the device is required, Nipper recommends that SSH be configured. The Telnet service can be disabled on individual lines with the following command:
transport input none
The following Cisco IOS command can be used to disable Telnet on individual lines, but enable SSH:
transport input ssh
2.20. ICMP Redirects
Observation: ICMP redirect messages allow systems to change the route that network traffic takes. On networks with functional network routing, disabling ICMP redirects will have little to no effect. ICMP redirects are usually enabled by default on Cisco devices.
Nipper determined that the device router03 had support for ICMP redirects enabled on the network interfaces listed in Table 10.
Table 10: Interfaces with ICMP redirects enabled
| Interface | Description |
| --- | --- |
| GigabitEthernet1/1 | First interface on switch |
| GigabitEthernet1/2 | Second interface on switch |
Impact: An attacker could use ICMP redirect messages to route network traffic through their own router, possibly allowing them to monitor network traffic.
Ease: Tools are widely available that can send ICMP redirect messages.
Recommendation: Nipper recommends that, if not required, ICMP redirects be disabled on all network interfaces. ICMP redirects can be disabled on each individual network interface using the following command:
no ip redirects
2.21. Access Control Lists
Observation: Access Control Lists (ACLs) are sequential lists of allow and deny Access Control Entries (ACEs) that specify whether network traffic should be allowed or dropped. ACLs are used to restrict access to services and network devices, preventing access to services and devices that should not be accessible.
Nipper identified 24 security-related issues with the configured ACLs; these are listed in Table 11.
Table 11: Insecure Access Control Entries
| ACL | Line | Description |
| --- | --- | --- |
| named-acl-1 | 1 | Does not log denied access. |
| named-acl-1 | 2 | Does not log denied access. |
| named-acl-1 | 3 | Allows access from any source to any address. Allows access from any address to any destination. Allows access from any address to any destination service. |
| named-acl-1 | N/A | ACL does not end with a deny all and log. |
| named-acl-2 | 1 | Allows access from 192.168.76.4 to any destination. Allows access from 192.168.76.4 to any destination service. |
| named-acl-2 | 2 | Allows access from 172.18.19.1 to any destination. Allows access from 172.18.19.1 to any destination service. |
| named-acl-2 | N/A | ACL does not end with a deny all and log. |
| 110 | 1 | Allows access from any source to / . Allows access from any address to a network destination. Allows access from any address to any destination service. |
| 110 | N/A | ACL does not end with a deny all and log. |
| 120 | 1 | Allows access from a network source to any address. Allows access from 50.60.0.0 / 0.0.255.255 to any destination. Allows access from 50.60.0.0 / 0.0.255.255 to any destination service. |
| 120 | 2 | Allows access from any source to any address. Allows access from any address to any destination. Allows access from any address to any destination service. |
| 120 | 3 | Allows access from any source to 192.168.30.40. |
| 120 | 4 | Allows access from any source to 192.168.30.56. |
| 120 | N/A | ACL does not end with a deny all and log. |
Impact: If ACEs are not sufficiently restrictive, an attacker may be able to access services or network devices that should not be accessible. Furthermore, an attacker who had compromised a device could install a backdoor which could listen on a network port that was not filtered.
Ease: N/A
Recommendation: Nipper recommends that the ACLs be reviewed and, where possible, modified to ensure that:
- ACEs do not allow access from any source;
- ACEs do not allow access from entire source networks;
- ACEs do not allow access to any destination;
- ACEs do not allow access to entire destination networks;
- ACEs do not allow access to any destination port;
- ACEs log denied access;
- ACLs end with a deny all and log.
However, in certain circumstances, such as a public web server, a more relaxed configuration may be required to allow any host to access specific hosts and services.
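The criteria above can be applied mechanically. As an added example that is not part of the Nipper report or its software, the following Python script encodes each criterion as a check, runs it over the ACEs transcribed from Tables 38 to 42, and reproduces the 24 findings of Table 11; the `ACE` class and the function names are my own.

```python
"""Re-derive the Table 11 findings from the ACL tables of this report."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ACE:
    line: int
    action: str                 # "permit" or "deny"
    source: str                 # "Any", a host address, or "network / wildcard"
    destination: Optional[str]  # None for a standard ACL (no destination column)
    dst_service: Optional[str]  # None for a standard ACL (no service column)
    log: bool


def is_any(field: Optional[str]) -> bool:
    return field is not None and field.lower() == "any"


def is_network(field: Optional[str]) -> bool:
    # Nipper renders a network match as "address / wildcard"; the bare "/"
    # shown for ACL 110 in Table 40 is an empty network and still counts.
    return field is not None and "/" in field


def audit_ace(ace: ACE) -> list[str]:
    """Apply the per-ACE recommendation criteria; returns Table 11 style text."""
    findings: list[str] = []
    if ace.action == "deny":
        if not ace.log:
            findings.append("Does not log denied access.")
        return findings
    # A permit with no destination column (standard ACL) permits any address.
    src_text = "any address" if is_any(ace.source) else ace.source
    dst_text = ace.destination
    if ace.destination is None or is_any(ace.destination):
        dst_text = "any address"
    if is_any(ace.source):
        findings.append(f"Allows access from any source to {dst_text}.")
    elif is_network(ace.source):
        findings.append(f"Allows access from a network source to {dst_text}.")
    if is_any(ace.destination):
        findings.append(f"Allows access from {src_text} to any destination.")
    elif is_network(ace.destination):
        findings.append(f"Allows access from {src_text} to a network destination.")
    if is_any(ace.dst_service):
        findings.append(f"Allows access from {src_text} to any destination service.")
    return findings


def ends_with_deny_all_and_log(aces: list[ACE]) -> bool:
    last = aces[-1]
    return (last.action == "deny" and last.log and is_any(last.source)
            and (last.destination is None or is_any(last.destination)))


def audit_acl(name: str, aces: list[ACE]) -> list[tuple[str, str, str]]:
    """Return (ACL, Line, Description) rows for one ACL, as in Table 11."""
    rows = [(name, str(ace.line), text) for ace in aces for text in audit_ace(ace)]
    if not ends_with_deny_all_and_log(aces):
        rows.append((name, "N/A", "ACL does not end with a deny all and log."))
    return rows


# ACEs transcribed from Tables 38 to 42 (line, filter, source, destination,
# destination service, log). Protocol and source service are not used by the
# criteria above, so they are omitted.
ACLS: dict[str, list[ACE]] = {
    "named-acl-1": [
        ACE(1, "deny", "172.168.2.3", "Any", "Any", False),
        ACE(2, "deny", "10.8.10.11", "Any", "Any", False),
        ACE(3, "permit", "Any", "Any", "Any", False),
    ],
    "named-acl-2": [
        ACE(1, "permit", "192.168.76.4", "Any", "Any", False),
        ACE(2, "permit", "172.18.19.1", "Any", "Any", False),
    ],
    "110": [ACE(1, "permit", "Any", "/", "Any", False)],
    "120": [
        ACE(1, "permit", "50.60.0.0 / 0.0.255.255", "Any", "Any", False),
        ACE(2, "permit", "Any", "Any", "Any", True),
        ACE(3, "permit", "Any", "192.168.30.40", "snmp", False),
        ACE(4, "permit", "Any", "192.168.30.56", "9876", False),
    ],
    "40": [  # standard ACL: source only
        ACE(1, "permit", "192.168.2.1", None, None, False),
        ACE(2, "permit", "172.10.1.35", None, None, False),
        ACE(3, "permit", "10.0.0.1", None, None, False),
        ACE(4, "permit", "192.168.0.1", None, None, False),
        ACE(5, "deny", "Any", None, None, True),
    ],
}


def audit_all(acls: dict[str, list[ACE]] = ACLS) -> list[tuple[str, str, str]]:
    return [row for name, aces in acls.items() for row in audit_acl(name, aces)]


if __name__ == "__main__":
    report = audit_all()
    for acl, line, text in report:
        print(f"{acl:<12} {line:<4} {text}")
    print(f"{len(report)} security-related issues")
```

Standard ACL 40 produces no rows because it ends with a logged deny of any source, which is why it is absent from Table 11.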
Observation: Any configured network packet filtering will have an impact on a device's performance, and the more filtering configured, the greater the impact. Typically, additional filtering is configured to perform sanity checks on network traffic, ensuring that traffic routed through the network originates from a valid IP address and, in particular, that traffic entering a network does not originate from an internal IP address range. Cisco provides uRPF verification to perform these sanity checks without the performance impact of ACL-based filtering. uRPF verification must be enabled on each interface on which sanity checks should be performed and will automatically adjust to topology changes. uRPF verification makes use of Cisco Express Forwarding (CEF), which must be enabled.
Nipper determined that CEF was not enabled.
Impact: A network packet with a spoofed source address could be routed by the device, bypassing any configured ACLs.
Ease: N/A
Recommendation: Nipper recommends that, where possible, uRPF verification be enabled on all network interfaces. uRPF verification can be enabled on each network interface with the following command:
ip verify unicast reverse-path
CEF can be enabled with the following command on routers without Versatile Interface Processors (VIPs):
ip cef
On routers with VIPs the following command will enable CEF:
ip cef distributed
It is worth noting that not all devices support uRPF verification and it is best implemented only on edge routers. Furthermore, uRPF verification should not be used if any of the router's interfaces participate in asymmetric routes. If it is not possible to implement uRPF verification, then Nipper recommends that ACLs be configured on edge routers to perform sanity checks on network traffic.
Observation: Logging is an essential component of a secure network configuration. Logging not only assists network administrators to identify issues when troubleshooting, but enables network administrators to react to intrusion attempts or Denial-of-Service attacks. It is therefore critical that logs be monitored, allowing administrators to take immediate action when an attack has been identified. Furthermore, system logs are a key component of a forensic investigation into past intrusions or service disruptions.
Nipper determined that logging had not been configured on router03.
Impact: An attacker could attempt to map and bypass any configured ACL or to gain access to the Cisco Router without network administrators being alerted to the attempts. Furthermore, after an unauthorised intrusion into the network had been detected, it would be more difficult for an investigation to identify the source of the attack or the entry point without access to logs.
Ease: N/A
Recommendation: Nipper recommends that Syslog and Buffered logging be configured on router03. Logging can be enabled with the following command:
logging on
To configure Syslog logging, four things need to be set: a source interface from which the Syslog messages are sent, one or more Syslog hosts to send messages to, the Syslog logging message severity level and the Syslog facility. The following commands can be used to configure Syslog logging:
logging source-interface {Interface}
logging host {Syslog IP address or hostname}
logging trap {Logging message severity level}
logging facility {Syslog facility}
Buffered logging can be configured with the following command:
logging buffered {Buffer Size} {Logging message severity level}
Observation: ARP is a protocol that network hosts use to translate network addresses into media addresses. Under normal circumstances, ARP packets are confined to the sender's network segment. However, a Cisco router with Proxy ARP enabled on network interfaces can act as a proxy for ARP, responding to queries and acting as an intermediary.
Nipper identified two interfaces that had Proxy ARP enabled. These are listed in Table 12.
Table 12: Interfaces with Proxy ARP enabled
| Interface | Description |
|---|---|
| GigabitEthernet1/1 | First interface on switch |
| GigabitEthernet1/2 | Second interface on switch |
Impact: A router that acts as a proxy for ARP requests will extend layer two access across multiple network segments, breaking perimeter security.
Ease: A Cisco device with Proxy ARP enabled will proxy ARP requests for all hosts on those interfaces.
Recommendation: Nipper recommends that, if not required, Proxy ARP be disabled on all interfaces. Proxy ARP can be disabled on each interface with the following Cisco IOS command:
no ip proxy-arp
Observation: The SSH service is commonly used for encrypted command-based remote device management. There are multiple SSH protocol versions and SSH servers will often support multiple versions to maintain backwards compatibility. Although flaws have been identified in implementations of version 2 of the SSH protocol, fundamental flaws exist in SSH protocol version 1.
Nipper determined that version 1 of the SSH protocol was supported on router03.
Impact: An attacker who was able to intercept SSH protocol version 1 traffic would be able to perform a man-in-the-middle style attack. The attacker could then capture network traffic and possibly authentication credentials.
Ease: Although vulnerabilities are widely known, exploiting the vulnerabilities in the SSH protocol can be difficult.
Recommendation: Nipper recommends that the SSH service be configured to support only version 2 of the SSH protocol. Version 2 of the SSH protocol can be configured with the following command:
ip ssh version 2
Observation: Cisco Discovery Protocol (CDP) is a proprietary protocol that is primarily used by Cisco, but has been used by others. CDP allows some network management applications and CDP aware devices to identify each other on a Local Area Network (LAN) segment. Cisco devices, including switches, bridges and routers are configured to broadcast CDP packets by default. The devices can be configured to disable the CDP service or disable CDP on individual network interfaces.
Nipper determined that the CDP service had not been disabled and that CDP had not been disabled on all of the active network interfaces.
Impact: CDP packets contain information about the sender, such as hardware model information, operating system version and IP address details. This information would allow an attacker to gain information about the configuration of the network infrastructure.
Ease: CDP packets are broadcast to an entire network segment. An attacker could use one of the many publicly available tools to capture network traffic and view the leaked information.
Recommendation: Nipper recommends that, if not required, the CDP service be disabled on the Cisco device router03. If CDP is required, Nipper recommends that CDP be disabled on all interfaces except those that are explicitly required.
The CDP service can be disabled by issuing the following Cisco IOS command:
no cdp run
CDP can be disabled on individual interfaces using the following command:
no cdp enable
In some configurations with IP phones, deployed using either Auto Discovery or Dynamic Host Configuration Protocol (DHCP), the CDP service may need to be enabled. In this situation CDP should be disabled on all network interfaces for which it is not required.
Observation: Classless routing is enabled by default on Cisco routers. If a router has classless routing enabled and it receives a network packet for which there is no configured route, the router will forward the packet to the best destination. With classless routing disabled, the router would discard any network traffic for which no route is defined.
Nipper determined that classless routing was enabled on router03.
Impact: Network traffic that should not be routed by the router may be routed when classless routing is enabled.
Ease: N/A
Recommendation: Nipper recommends that, if possible, classless routing be disabled. Classless routing can be disabled with the following command:
no ip classless
Observation: Cisco introduced an option from IOS version 12.3(1) which forces user, enable, secret and line passwords to meet a minimum length. This setting was introduced to help prevent the use of short passwords such as "cisco".
Nipper determined that a minimum password length of six characters was configured.
Impact: With a small minimum password length configured, it would be possible for a short password to be used. If an attacker were able to gain a password through dictionary-based guessing techniques or by a brute-force method, the attacker could gain a level of access to router03.
Ease: A number of dictionary-based password guessing and password brute-force tools are available on the Internet.
Recommendation: Nipper recommends that a minimum password length of at least eight characters be configured. The minimum password length can be configured with the following command:
security passwords min-length {length}
Observation: BOOTstrap Protocol (BOOTP) is a datagram protocol that allows compatible hosts to load their operating system over the network from a BOOTP server. Cisco routers are capable of acting as BOOTP servers for other Cisco devices and the service is enabled by default. However, BOOTP is rarely used and may represent a security risk.
Nipper determined that BOOTP was not disabled. However, it is worth noting that not all Cisco devices support BOOTP.
Impact: An attacker could use the BOOTP service to download a copy of the router's IOS software.
Ease: Tools are available on the Internet to access BOOTP servers.
Recommendation: Nipper recommends that, if not required, the BOOTP service be disabled. The following command can be used to disable BOOTP:
no ip bootp server
Observation: Cisco devices provide a set of simple servers which are collectively known as TCP small servers and User Datagram Protocol (UDP) small servers. The services provide little functionality and include chargen, echo and daytime. Cisco IOS version 11.2 and older enable these services by default; newer IOS versions explicitly require them to be started.
Nipper determined that both the TCP and UDP small servers were not disabled.
Impact: Each running service increases the chances of an attacker being able to identify the device and successfully compromise it. It is good security practice to disable all unused services.
Ease: Tools are widely available to query these services and some operating systems install these tools by default.
Recommendation: Nipper recommends that, if not required, TCP and UDP small servers be explicitly disabled. TCP and UDP small services are rarely used and are disabled by default in newer versions of Cisco IOS.
TCP small servers can be disabled with the following IOS command:
no service tcp-small-servers
UDP small servers can be disabled with the following IOS command:
no service udp-small-servers
Observation: ICMP IP unreachable messages can be generated by a Cisco device when a host attempts to connect to a non-existent host or network, or to use an unsupported protocol. ICMP IP unreachable messages let the connecting host know that the host, network or protocol is not supported or cannot be contacted, so the host does not have to wait for a connection time-out. ICMP IP unreachable messages are normally enabled by default on Cisco devices and must be explicitly disabled.
Nipper determined that the Cisco device router03 had ICMP IP unreachable messages enabled on the interfaces listed in Table 13.
Table 13: Interfaces with IP unreachables enabled
| Interface | Description |
|---|---|
| GigabitEthernet1/1 | First interface on switch |
| GigabitEthernet1/2 | Second interface on switch |
Impact: An attacker who was performing network scans to determine what services were available would be able to scan a device more quickly.
Ease: Tools are available on the Internet that can perform a wide variety of scan types.
Recommendation: Nipper recommends that, if not required, IP unreachables be disabled on all network interfaces. However, whilst disabling IP unreachables will not stop scans, it does make it more difficult for an attacker. The IP unreachables option is disabled or enabled individually for each network interface. It can be disabled with the following command:
no ip unreachables
Observation: ICMP mask reply messages inform network hosts of the TCP/IP network mask for a network segment. This protocol can now be regarded as legacy as it has been superseded by protocols such as DHCP, or hosts will already be configured with this information.
Nipper determined that the Cisco device router03 had the ICMP mask reply option enabled on the interfaces listed in Table 14.
Table 14: Interfaces with ICMP mask reply enabled
| Interface | Description |
|---|---|
| GigabitEthernet1/1 | First interface on switch |
| GigabitEthernet1/2 | Second interface on switch |
Impact: An attacker could use the ICMP mask reply feature to gain additional information about the network configuration.
Ease: Tools are available on the Internet that can perform ICMP mask requests.
Recommendation: Nipper recommends that, if not required, ICMP mask reply be disabled on all network interfaces. ICMP mask reply can be disabled on each individual network interface using the following command:
no ip mask-reply
Observation: Cisco IOS-based device enable passwords can be stored using an iterated MD5 hash, which is far stronger than the easily reversible Cisco type-7 encryption.
Nipper identified one enable password that was not stored using the MD5 hash.
Impact: An attacker could use an enable password from a Cisco device to access the device and possibly modify its configuration.
Ease: An attacker who had access to the Cisco configuration file would easily be able to retrieve passwords that are stored in clear-text or using the Cisco type-7 encryption. However, an attacker who had access to a Cisco configuration file could brute-force any stronger MD5 passwords.
Recommendation: Nipper recommends that all enable passwords be stored using the MD5 hash. Enable passwords can be stored using the MD5 hash with the following Cisco IOS command:
enable secret
Observation: Cisco service passwords are stored by default in their clear-text form rather than being encrypted. However, it is possible to have these passwords stored using the reversible Cisco type-7 encryption.
Nipper determined that the Cisco device router03 was not running the password encryption service that helps provide a basic level of encryption to passwords that otherwise would be stored in clear-text.
Impact: If a malicious user were to see a Cisco configuration that contained clear-text passwords, they could use the passwords to access the device. However, an attacker who had access to a Cisco configuration file would also be able to reverse any Cisco type-7 passwords with little effort.
Ease: Even though it is trivial to reverse Cisco type-7 passwords, they do provide a greater level of security than clear-text passwords. Tools are widely available on the Internet that reverse Cisco type-7 passwords.
Recommendation: Nipper recommends that the Cisco password encryption service be enabled. The Cisco password encryption service can be started with the following Cisco IOS command:
service password-encryption
Observation: A banner message can be shown to users who connect to one of the remote management services, such as Telnet. Typically banner messages will include information on the law with regard to unauthorised access to the device, warning users who do not have the authority to access the device about the consequences.
Nipper determined that no login banner was configured.
Impact: Attackers who have gained access to a device could avoid legal action if no banner is configured to warn against unauthorised access.
Ease: N/A
Recommendation: Nipper recommends that a banner be configured that warns against unauthorised access. Banners are configured on Cisco devices using a delimiter character. A delimiter character is specified in the banner command and is used again to mark the end of the banner. The Cisco command to add a login banner, that is presented to users prior to authentication, is:
banner login {delimiter} The banner text {delimiter}
Observation: Cisco IOS-based devices support name lookups using the Domain Name System (DNS). However, if a DNS server has not been configured, then the DNS request is broadcast.
Nipper determined that name lookups had not been disabled and no DNS servers had been configured.
Impact: An attacker who was able to capture network traffic could monitor DNS queries from the Cisco Router. Furthermore, Cisco devices can connect to Telnet servers by supplying only the hostname or IP address of the server. A mistyped Cisco command could be interpreted as an attempt to connect to a Telnet server and broadcast on the network.
Ease: It would be trivial for an attacker to capture network traffic broadcast from a Cisco Router. Furthermore, network traffic capture tools are widely available on the Internet.
Recommendation: Nipper recommends that domain lookups be disabled. Domain lookups can be disabled with the following command:
no ip domain-lookup
If domain lookups are required, Nipper recommends that DNS be configured. DNS can be configured with the following command:
ip name-server {IP address}
Observation: The Packet Assembler / Disassembler (PAD) service enables X.25 connections between network systems. The PAD service is enabled by default on most Cisco IOS devices but it is only required if support for X.25 links is necessary.
Nipper determined that the PAD service had not been disabled.
Impact: Running unused services increases the chances of an attacker finding a security hole or fingerprinting a device.
Ease: N/A
Recommendation: Nipper recommends that, if not required, the PAD service be disabled. Use the following command to disable the PAD service:
no service pad
Observation: Maintenance Operations Protocol (MOP) is used with the DECnet protocol suite. MOP is enabled by default on Ethernet interfaces in some versions of IOS.
Nipper determined that MOP had not been disabled on all Ethernet interfaces.
Impact: Running unused services increases the chances of an attacker finding a security hole or fingerprinting a device.
Ease: N/A
Recommendation: Nipper recommends that, if not required, MOP be disabled on all Ethernet interfaces. MOP can be disabled on each interface with the following command:
no mop enabled
Nipper performed a security audit of the Cisco Router device router03 on Saturday 22 March 2008 and identified 37 security-related issues. Nipper determined that:
- the software version was out of date;
- dictionary-based passwords / keys were in use;
- weak passwords / keys were identified;
- configuration auto-loading was configured;
- directed broadcasts were enabled;
- BGP route dampening was not configured;
- the OSPF configuration did not include MD5 authentication for all OSPF areas;
- the EIGRP configuration did not include MD5 authentication for all EIGRP interfaces;
- the RIP configuration did not include MD5 authentication for all RIP interfaces;
- the VRRP configuration did not include MD5 authentication for all VRRP interfaces;
- TCP keep alive messages were not configured for inbound connections;
- not all connections were configured with secure connection timeout periods;
- the AUX port was configured to allow EXEC connections without the callback functionality;
- IP source routing was enabled;
- the finger service was enabled;
- clear-text remote web-based administration was enabled using HTTP;
- clear-text remote administration was enabled using SNMP;
- clear-text remote administration was enabled using Telnet;
- ICMP redirects were not disabled for all network interfaces;
- insecure ACL were configured;
- uRPF verification was not enabled on all interfaces;
- insufficient logging was configured;
- ARP request proxying was not disabled on all network interfaces;
- SSH protocol version 1 was configured;
- CDP was not disabled;
- classless routing was enabled;
- an inadequate minimum password length was configured;
- BootP was enabled;
- not all small servers had been disabled;
- IP unreachables had not been disabled on all interfaces;
- ICMP mask reply had not been disabled on all interfaces;
- the enable password was not stored using the MD5 hash;
- the service passwords were stored in clear-text;
- no login banner had been configured;
- domain lookups were enabled;
- the PAD service was enabled;
- MOP had not been disabled on all interfaces.
This section details the configuration settings of the Cisco Router device router03.
Table 15: General device settings
| Description | Setting |
|---|---|
| Hostname | router03 |
| IOS Version | 12.3 |
| Service Password Encryption | Disabled |
| Minimum Password Length | 6 characters |
| IP Source Routing | Enabled |
| BOOTP | Enabled |
| Service Config | Disabled |
| TCP Keep Alives (In) | Disabled |
| TCP Keep Alives (Out) | Enabled |
| Cisco Express Forwarding | Disabled |
| Gratuitous ARPs | Disabled |
| Classless Routing | Enabled |
Table 16: Device services
| Service | Status |
|---|---|
| Telnet | Enabled |
| SSH | Enabled |
| HTTP | Unconfigured |
| Finger | Enabled |
| TCP Small Services | Enabled |
| UDP Small Services | Enabled |
| SNMP | Enabled |
| CDP | Enabled |
| PAD | Enabled |
Table 17: Domain name settings
| Description | Setting |
|---|---|
| Domain Name | nipper.org |
| Domain Lookup | Enabled |
Table 18: Time zone settings
| Description | Setting |
|---|---|
| Time Zone | GMT |
| UTC Offset | None |
| Summer Time Zone | GMT |
| Authoritative Time Source | No |
Table 19: Enable Passwords
| Level | Password | Encryption |
|---|---|---|
| 15 | cisco | None |
Table 20: User Accounts
| Username | Privilege | Password | Encryption |
|---|---|---|---|
| testuser | 15 | password | Type-7 |
| temp | 15 | password | Type-7 |
SNMP is widely used to assist network administrators in monitoring and managing a variety of network devices. There are three main versions of SNMP in use. Versions 1 and 2 of SNMP are secured with a community string; both authenticate and transmit network packets with no encryption. SNMP version 3 provides three authentication methods. SNMP version 3 No-Auth access requires a username to authenticate and provides no encryption. SNMP version 3 Auth access requires a username and the auth keyword; authentication is encrypted, but SNMP network packets are transmitted with no encryption. SNMP version 3 Auth and Priv access requires a username and the auth and priv keywords, and provides complete encryption of both authentication and SNMP network packets.
Table 21: General SNMP service configuration
| Description | Setting |
|---|---|
| Service enabled | Yes |
| Location | Somewhere |
| Trap Timeout | 30 seconds |
| TFTP Server List | Disabled |
Table 22: SNMP community strings
| Community | Access | View | Access-List | Enabled |
|---|---|---|---|---|
| public | Read-Only | | 20 | Yes |
| private | Read/Write | | 20 | Yes |
Table 23: SNMP hosts
| SNMP Host | SNMP Version | Community String |
|---|---|---|
| 192.168.20.30 | 1 | private |
| 192.168.20.40 | 1 | private |
A network device's routing tables can be configured with static routes or updated dynamically. Routing protocols are used by network routing devices to dynamically update the routing tables that devices use to forward network traffic to their destination. Routing protocols can be split into two different categories: IGPs and Exterior Gateway Protocols (EGPs). IGPs are usually used in situations where the routing devices are all controlled by a single entity, such as within a company. EGPs are usually used in situations where routing devices are managed by a number of entities, such as the Internet. Typically routing devices support a number of standard routing protocols.
VRRP is used to provide router load balancing and redundancy against a single point of failure. A VRRP master router will send advertisements to other routers in the same VRRP group. If the master VRRP router fails, the other routers in the VRRP group hold an election to determine which router will become the new master.
Table 24: VRRP configuration
| Interface | VRRP Group | VRRP | Description | IP Address | Secondary IP | Priority | Authentication | Password | Active |
|---|---|---|---|---|---|---|---|---|---|
| GigabitEthernet1/1 | 2 | Active | | 192.168.4.2 | | 100 | None | | Yes |
| GigabitEthernet1/2 | 3 | Active | | 192.168.3.2 | | 100 | None | | Yes |
RIP is an IGP and calculates routes using a distance vector. RIP is only suitable for small networks: routing updates are sent every 30 seconds and contain the entire routing table, and RIP has a maximum distance of 15 hops. If RIP routes have not been updated within three minutes the route is marked as unusable. Routes not updated within four minutes are removed.
Table 25: RIP configuration
| Description | Setting |
|---|---|
| RIP Version | 2 |
| Route Auto Summarisation | Enabled |
| Default Route Generation | Disabled |
| Default Metric | Automatic |
| Input Queue Depth | 50 |
| RIP Update Delay | 0 milliseconds |
| Validate Update Source | Disabled |
Table 26: RIP network interface configuration
| Interface | Description | IP Address | Authentication | Key Chain | Send Version | Receive Version | v2 Broadcast | Triggered |
|---|---|---|---|---|---|---|---|---|
| GigabitEthernet1/1 | First interface on switch | 10.0.0.1 | None | | 2 | 2 | Off | Off |
| GigabitEthernet1/2 | Second interface on switch | 10.0.0.2 | None | | 2 | 2 | Off | Off |
Table 27: RIP networks
| RIP Network |
|---|
| 10.0.0.0 |
EIGRP is an IGP and is a distance vector based protocol like RIP, but incorporates some features from link state protocols such as OSPF. EIGRP was developed by Cisco as an enhanced version of IGRP. Unlike RIP, EIGRP transmits changes to network routes to its neighbors and is suitable for larger networks.
Table 28: EIGRP autonomous number 3 configuration
| Description | Setting |
|---|---|
| Router ID | Automatic |
| Maximum Hops | 100 |
| EIGRP Stub Router | Disabled |
| Auto Summary | Disabled |
| Internal Administrative Distance | 90 |
| External Administrative Distance | 170 |
| Log Neighbor Changes | Enabled |
| Log Neighbor Warnings | Enabled |
| Network IP Address | 192.168.56.0 |
Table 29: EIGRP autonomous number 3 interface configuration
| Interface | Description | IP Address | Active | Passive | MD5 Auth | Key Chain | Bandwidth |
|---|---|---|---|---|---|---|---|
| GigabitEthernet1/1 | First interface on switch | 10.0.0.1 | Yes | No | No | | 50% |
| GigabitEthernet1/2 | Second interface on switch | 10.0.0.2 | Yes | No | No | | 50% |
BGP is an EGP. BGP route updates are sent from defined BGP peers using TCP connections.
Table 30: BGP autonomous number 1 configuration
| Description | Setting |
|---|---|
| Autonomous Number | 1 |
| Log Neighbor Changes | Yes |
| Route Flap Dampening | Off |
Table 31: BGP autonomous number 1 neighbors
| Neighbor | Description | Password | Password Encryption | Autonomous Number | TTL Hops |
|---|---|---|---|---|---|
| router01 | Site to Site Connection | | | 12345 | Off |
Table 32: BGP autonomous number 1 interface configuration
| Interface | Description | IP Address | Active | Passive |
|---|---|---|---|---|
| GigabitEthernet1/1 | First interface on switch | 10.0.0.1 | Yes | No |
| GigabitEthernet1/2 | Second interface on switch | 10.0.0.2 | Yes | No |
The OSPF protocol is an IGP. OSPF packets are sent when the network configuration changes, such as when a route goes down, and the packets only contain the change. Since the information sent in OSPF packets is limited to network changes, the protocol is well suited to complex network configurations.
For OSPF to work on a network interface it must be included within an OSPF network area.
Table 33: OSPF process ID 6 network areas
| Network | Network Mask | Area ID |
|---|---|---|
| 10.0.0.1 | 0.0.0.255 | 0.0.0.0 |
| 192.168.0.1 | 0.0.0.255 | 30.10.20.40 |
Table 34: OSPF process ID 6 area configuration
| Area ID | Default Cost | Authentication |
|---|---|---|
| 0.0.0.0 | 1 | None |
| 30.10.20.40 | 1 | None |
Table 35: OSPF process ID 6 interface configuration
| Interface | Description | IP Address | Authentication | Authentication Key | Key Encryption | Flood Reduction | OSPF Mode |
|---|---|---|---|---|---|---|---|
| GigabitEthernet1/1 | First interface on switch | 10.0.0.1 | None | | None | N/A | Point to Multipoint |
| GigabitEthernet1/2 | Second interface on switch | 10.0.0.2 | None | | None | N/A | Point to Multipoint |
The Cisco line configuration settings are used to configure administrative access to the device. The console line type is used for accessing the Cisco device directly through a cable attached to the device's console port. The auxiliary lines are used for remote access to the device, typically through attached modems. The Virtual Teletype (VTY) lines are used for access to the device through a remote access service such as SSH or Telnet.
Table 36: Line configuration
| Line Type | Start Line | End Line | Logins | Exec | Authorization | Accounting | Telnet | SSH | Timeout | Exec Timeout | Session Timeout | Absolute Timeout | Password | Password Encryption |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Console | 0 | | Allowed | On | Off | Off | On | On | 0s | 0s | 1500s | 0s | password | Type-7 |
| Auxiliary | 0 | | Allowed | On | Off | Off | Off | Off | 0s | 0s | 1500s | 0s | | |
| VTY | 0 | 4 | Allowed | On | Off | Off | On | On | 0s | 0s | 0s | 0s | password | Type-7 |
Table 37: Interfaces
| Interface | Active | IP Address | Proxy ARP | IP Unreachable | IP Redirect | IP Mask Reply | IP Direct Broadcast | NTP | CDP | uRPF | MOP |
|---|---|---|---|---|---|---|---|---|---|---|---|
| GigabitEthernet1/1 | Yes | 10.0.0.1 | On | On | On | On | On | On | On | Off | On |
| GigabitEthernet1/2 | Yes | 10.0.0.2 | On | On | On | On | On | On | On | Off | On |
A Cisco ACL is a sequential list of permit or deny ACEs that a Cisco device will apply to network traffic. The Cisco device will check network traffic against the ACL and the first matching ACE will determine whether the packet is accepted or rejected. If no ACE in the ACL matches, the packet is denied. When a packet is rejected after access list processing, an ICMP host unreachable message is sent, unless this has been disabled.
There are two different types of ACLs on IOS-based Cisco devices, standard and extended. Standard ACLs have an access list number between 1 and 99; extended ACLs are numbered 100 or above. Standard ACLs only define the source address and process the packet solely based on that. Extended ACLs contain additional checks, such as destination address and network port numbers.
Table 38: Extended ACL named-acl-1
| Line | Filter | Protocol | Source | Source Service | Destination | Destination Service | Log | Options |
|---|---|---|---|---|---|---|---|---|
| 1 | Deny | ip | 172.168.2.3 | Any | Any | Any | No | |
| 2 | Deny | ip | 10.8.10.11 | Any | Any | Any | No | |
| 3 | Permit | ip | Any | Any | Any | Any | No | |
Table 39: Extended ACL named-acl-2
| Line | Filter | Protocol | Source | Source Service | Destination | Destination Service | Log | Options |
|---|---|---|---|---|---|---|---|---|
| 1 | Permit | ip | 192.168.76.4 | Any | Any | Any | No | |
| 2 | Permit | ip | 172.18.19.1 | Any | Any | Any | No | |
Table 40: Extended ACL 110
| Line | Filter | Protocol | Source | Source Service | Destination | Destination Service | Log | Options |
|---|---|---|---|---|---|---|---|---|
| 1 | Permit | tcp | Any | Any | / | Any | No | |
Table 41: Extended ACL 120
| Line | Filter | Protocol | Source | Source Service | Destination | Destination Service | Log | Options |
|---|---|---|---|---|---|---|---|---|
| 1 | Permit | ip | 50.60.0.0 / 0.0.255.255 | Any | Any | Any | No | |
| 2 | Permit | tcp | Any | ftp | Any | Any | Yes | |
| 3 | Permit | tcp | Any | Any | 192.168.30.40 | snmp | No | |
| 4 | Permit | tcp | Any | Any | 192.168.30.56 | 9876 | No | |
Table 42: Standard ACL 40
| Line | Filter | Source | Log |
| --- | --- | --- | --- |
| 1 | Permit | 192.168.2.1 | No |
| 2 | Permit | 172.10.1.35 | No |
| 3 | Permit | 10.0.0.1 | No |
| 4 | Permit | 192.168.0.1 | No |
| 5 | Deny | Any | Yes |
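The first-match and implicit-deny rules described above can be checked against the listed entries with a small evaluator. This is an added example, not part of the Nipper report or the Nipper tool: the ACE lists are transcribed from Table 41 (extended ACL 120) and Table 42 (standard ACL 40), the `ftp` and `snmp` port numbers are taken from Table 43, and a standard ACL is modelled as an entry whose destination and ports are Any.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    """One access control entry. A port of None means 'Any'."""
    action: str              # "permit" or "deny"
    proto: str = "ip"        # "ip" matches every IP protocol
    src: str = "any"         # "any", a host address, or "network / wildcard"
    src_port: int = None
    dst: str = "any"
    dst_port: int = None
    log: bool = False        # the Log column; does not affect the decision

def addr_match(spec, addr):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    if "/" in spec:          # e.g. "50.60.0.0 / 0.0.255.255"
        net, wild = (int(ipaddress.IPv4Address(p.strip())) for p in spec.split("/"))
        return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)
    return addr == spec      # single host entry

def evaluate(acl, pkt):
    """First matching ACE decides; no match hits the implicit deny (line 0)."""
    for line, ace in enumerate(acl, 1):
        if ((ace.proto == "ip" or ace.proto == pkt["proto"])
                and addr_match(ace.src, pkt["src"])
                and ace.src_port in (None, pkt["sport"])
                and addr_match(ace.dst, pkt["dst"])
                and ace.dst_port in (None, pkt["dport"])):
            return ace.action, line
    return "deny", 0

# Transcribed from Table 41 (extended ACL 120); ftp=21 and snmp=161 per Table 43.
ACL_120 = [
    Ace("permit", "ip", "50.60.0.0 / 0.0.255.255"),
    Ace("permit", "tcp", src_port=21, log=True),
    Ace("permit", "tcp", dst="192.168.30.40", dst_port=161),
    Ace("permit", "tcp", dst="192.168.30.56", dst_port=9876),
]
# Transcribed from Table 42 (standard ACL 40): only the source address is tested.
ACL_40 = [Ace("permit", src=h) for h in
          ("192.168.2.1", "172.10.1.35", "10.0.0.1", "192.168.0.1")] + [Ace("deny", log=True)]

def packet(proto, src, sport, dst, dport):
    """Constructed test packet (addresses and ports are made up for the example)."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

if __name__ == "__main__":
    print(evaluate(ACL_120, packet("udp", "50.60.7.8", 5000, "192.168.1.1", 53)))     # ('permit', 1)
    print(evaluate(ACL_120, packet("tcp", "10.1.1.1", 40000, "192.168.30.40", 22)))  # ('deny', 0)
    print(evaluate(ACL_40, packet("ip", "10.0.0.2", 0, "10.0.0.1", 0)))              # ('deny', 5)
```

Note that a UDP packet to 192.168.30.56 port 9876 falls through to the implicit deny because line 4 is a tcp entry, and that the explicit `deny any` on line 5 of ACL 40 is the only denial that is logged.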
| ACE | Access Control Entry |
| ACL | Access Control List |
| ARP | Address Resolution Protocol |
| BGP | Border Gateway Protocol |
| BID | Bugtraq ID |
| BOOTP | BOOTstrap Protocol |
| CDP | Cisco Discovery Protocol |
| CEF | Cisco Express Forwarding |
| CVE | Common Vulnerabilities and Exposures |
| DHCP | Dynamic Host Configuration Protocol |
| DNS | Domain Name System |
| DoS | Denial of Service |
| EGP | Exterior Gateway Protocol |
| EIGRP | Enhanced Interior Gateway Routing Protocol |
| FTP | File Transfer Protocol |
| HTTP | HyperText Transfer Protocol |
| HTTPS | HyperText Transfer Protocol over SSL |
| ICMP | Internet Control Message Protocol |
| IDS | Intruder Detection System |
| IGP | Interior Gateway Protocol |
| IGRP | Interior Gateway Routing Protocol |
| IOS | Internet Operating System |
| IP | Internet Protocol |
| LAN | Local Area Network |
| MD5 | Message Digest 5 |
| MOP | Maintenance Operations Protocol |
| NTP | Network Time Protocol |
| OSPF | Open Shortest Path First |
| PAD | Packet Assembler / Disassembler |
| RIP | Routing Information Protocol |
| SNMP | Simple Network Management Protocol |
| SSH | Secure Shell |
| SSL | Secure Sockets Layer |
| TCP | Transmission Control Protocol |
| TFTP | Trivial File Transfer Protocol |
| TTL | Time To Live |
| UDP | User Datagram Protocol |
| UTC | Coordinated Universal Time |
| VIP | Versatile Interface Processor |
| VRRP | Virtual Router Redundancy Protocol |
| VTY | Virtual Teletype |
Table 43: Common ports
| Service | Port |
| --- | --- |
| FTP | 21 |
| SSH | 22 |
| DHCP | 67 |
| TFTP | 69 |
| HTTP | 80 |
| NTP | 123 |
| SNMP | 161 |
| BGP | 179 |
| HTTPS | 443 |
| RIP | 520 |
Table 44: Logging message severity levels
| Level | Level Name | Description |
| --- | --- | --- |
| 0 | Emergencies | System is unstable |
| 1 | Alerts | Immediate action is required |
| 2 | Critical | Critical conditions |
| 3 | Errors | Error conditions |
| 4 | Warnings | Warning conditions |
| 5 | Notifications | Significant conditions |
| 6 | Informational | Informational messages |
| 7 | Debugging | Debugging messages |
Table 45: Common time zone acronyms
| Region | Acronym | Time Zone | UTC Offset |
| --- | --- | --- | --- |
| Australia | CST | Central Standard Time | +9.5 hours |
| Australia | EST | Eastern Standard/Summer Time | +10 hours |
| Australia | WST | Western Standard Time | +8 hours |
| Europe | BST | British Summer Time | +1 hour |
| Europe | CEST | Central Europe Summer Time | +2 hours |
| Europe | CET | Central Europe Time | +1 hour |
| Europe | EEST | Eastern Europe Summer Time | +3 hours |
| Europe | EST | Eastern Europe Time | +2 hours |
| Europe | GMT | Greenwich Mean Time | |
| Europe | IST | Irish Summer Time | +1 hour |
| Europe | MSK | Moscow Time | +3 hours |
| Europe | WEST | Western Europe Summer Time | +1 hour |
| Europe | WET | Western Europe Time | +1 hour |
| USA and Canada | ADT | Atlantic Daylight Time | -3 hours |
| USA and Canada | AKDT | Alaska Standard Daylight Saving Time | -8 hours |
| USA and Canada | AKST | Alaska Standard Time | -9 hours |
| USA and Canada | AST | Atlantic Standard Time | -4 hours |
| USA and Canada | CDT | Central Daylight Saving Time | -5 hours |
| USA and Canada | CST | Central Standard Time | -6 hours |
| USA and Canada | EDT | Eastern Daylight Time | -4 hours |
| USA and Canada | EST | Eastern Standard Time | -5 hours |
| USA and Canada | HST | Hawaiian Standard Time | -10 hours |
| USA and Canada | MDT | Mountain Daylight Time | -6 hours |
| USA and Canada | MST | Mountain Standard Time | -7 hours |
| USA and Canada | PDT | Pacific Daylight Time | -7 hours |
| USA and Canada | PST | Pacific Standard Time | -3 hours |
This report was generated using Nipper version 0.11.5. Nipper is an Open Source tool designed to assist security professionals and network system administrators in securely configuring network infrastructure devices. The latest version of Nipper can be found at the following URL: http://nipper.sourceforge.net.