CERT Finds Routers Increasingly Being Cracked 294
alteran writes "CERT has released a paper (PDF) analyzing changes in DOS attack methods. The new twist-- crackers are increasing getting into routers rather then servers and home PCs. The volume of noise a router could generate absolutely dwarfs what a computer could do. And unlike compromised servers, compromised routers could actually screw up the infrastructure of the Internet, not just blast people with packets. Worst of all, router administators appear to be even sloppier than their server counterparts in securing their machines."
Routers can be secured... (Score:5, Informative)
Tripwire makes Tripwire for Routers - Tripwire [tripwire.com] has been in the business of ensuring integrity for your systems for some time. Thet even make the Open-Source version of Tripwire for Servers, Web Pages (Apache) and have a Linux-capable Tripwire Manager (management system for reports) available as well. Definitely worthy of investigation.
P.S. - I don't work for Tripwire, but I do like their products. 8-)
It boils down to this (Score:4, Informative)
Most companies and people that run them don't understand what it takes to properly setup and maintain a network.
I think this will/is changing though. The company I work for now takes the network seriously after they narrowly avoided a catastrophic data loss about a month ago. Now that backup solution I was bitching that we needed, has been purchased.
Re:cisco updates (Score:3, Informative)
router security (Score:4, Informative)
Re:Cisco IOS (Score:3, Informative)
password
config t
line vty 0 1
password 7 (insert password here}
^Z
wr mem
Oh yeah, real hard. 5 lines of commands is super difficult.
Quality of Company Hires (Score:4, Informative)
Re:Posts from idiots.. (Score:2, Informative)
br.
tsk tsk. the original poster was simply using common, ordinary terms instead of the more specific terms that you apparently require. perhaps he should have stated, "the volume of noise a specialized computer [read 'router'] could generate absolutely dwarfs what a general-purpose computer [read 'computer'] could do."
theo
--
Life is short; think quickly.
Article on SecurityFocus (Score:4, Informative)
The volume of noise a router could generate absolutely dwarfs what a computer could do.
Of course, a router is a computer.
I guess this isn't surprising, since they've been targetting DSL and cable Windows boxes as platforms from which to launch DDoS attacks -- moving up to the routers is, I suppose, the next logical step.
SecurityFocus.com [securityfocus.com] has an article [securityfocus.com] by Kevin Poulsen which addresses the issue. He talked to Kevin Houle of CERT. Here's an excerpt:
Cisco router security could be a lot worse. (Score:3, Informative)
Aside from the problem of default and backdoor passwords, there are huge numbers of devices deployed with SNMP enabled and configured with RO/RW community strings as public/private.
Any day now some crew will start distributing 'rootkit' firmware versions of IOS with zombie functionality in the binary.
When there is a critical security hole in IOS, Cisco has been very good about releasing IOS revisions with the fix even to customers without any Cisco service contract.
The NSA and CERT agree - (Score:4, Informative)
CERT has been saying this for a while now [sans.org]
Most CCNA's know just enough to get RIP running - and security in cisco manuals doesnt go much beyond passwords and locking your telco closet. They do publish more extensive book son the subject - for a price of course.
Im all for this - hopefully itll force companies to pay more for qualified network engineers. As it stands right now theyre paid 35k their first year out - thats pathetic for the amount of training required to put together large secure networks.
Re:Need more facts! (Score:3, Informative)
Out of the last 6 companies where I have worked at in the past few years, 2 of them logged connects/logins/attempts. And I know of countless more that have no idea how to enable logging, nor what a syslog is.
So it's not necessary to have a hole in order to get enabled on a router, it just takes patience and a good brute force cracker with telnet capabilities.
HOWTO crack routers - Funny+Serious (Score:2, Informative)
2: Take your list of open telnet ports, and corresponding IP's, and telnet into them.
3: Using the PDF files of the router docs, log in using the default passwords and wreak havoc. Remove routes, telnet into other boxes on their internal network.
It's really sad how many of these are setup and forgot about, leaving Joe Business Owner wide open. People don't think twice about changing passwords, disabling WAN access, etc etc
Don't even get me started on HP JetDirects !
ACL's on vty lines (Score:2, Informative)
line vty 0 4
access-class 1 in
ummm.....not too dificult and unless the version of IOS running is vulnerable, this will restrict access to the vty lines ala tcp wrappers.
Re:Routing Nightmare (Score:3, Informative)
Restrict access to the cisco vty to a list of known hosts. You can use ssh to get from anywhere to one of the permitted hosts, from there you can telnet to the router. If you have the rackspace available, drop an old 486 running *bsd/linux physically right next to each of your routers.
Add an acl to restrict access to the virtual terminals as follows:
access-list 2 remark vty access list
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.200.0 0.0.0.255
....etc....
access-list 2 deny any
line vty 0 4
access-class 2 in
As with any cisco ACL, be careful that you dont "cut off the branch you are sitting on". If you dont understand what the above ACL does, try it out on a test router before you install it on a router 5 timezones away.
Re:Cisco IOS (Score:1, Informative)
line vty 0 4
access-class 99 in
password 7 xxxxx
login
access-list 99 permit 1.2.3.4 0.0.0.0
(that 0.0.0.0 is a wildcard mask, not a netmask for any non-cisco types that read this).
And of course an enable secret is a useful thing.
Hell if you want to make it even more secure and easier to change the password in bulk for multiple routers, set then up to authenticate to a radius or tacacs+ server and have no local accounts configured (you can still get to it on the aux or com serial ports if the link to the auth server dies).
How to secure your cisco router (Score:5, Informative)
Juniper, Unisphere, whatever, has similar precautions that you can take.
http://www.cisco.com/warp/public/707/
Common sense should apply. If you are an idiot, then there is no helping you, and please read no further. Just take your router offline so that you do not harm my network when the time comes for you...
Secure the console;
Turn HTTP servicing OFF!!!
If you use the internal web server to configure your router, you are probably not qualified to work on the thing period. There have been a string of exploits to the http server function, and if someone get's your browser history, you are screwed. Use telnet. Same thing for any cisco CBOS based router (DSL, cable, ISDN).
"no ip http server"
If you have a 12000 or some of the higher end routers, you can ssh to it. Lesser routers, such as anything less than a 7500 can only use telnet. This sucks, but it is what cisco offers. (if you have a PIX firewall, ssh is available from version 5+ or something similar). You can always use IPsec if you have the IOS for it.
Require local authentication to the console, add a 15 minute idle timeout, and other good stuff;
"line con 0"
"exec-timeout 15 0"
"logging synchronous"
"login local"
"transport input none"
Same thing for telnet sessions;
"line vty 0 4"
"exec-timeout 15 0"
"logging synchronous"
"login local"
"transport preferred none"
"transport input telnet"
Access list telnet access to special subnets! This is VERY VERY important;
Add "access-class 5 in" where you have the following access list on the router;
"access-list 5 remark VTY.ACCESS.CONTROL"
"access-list 5 remark 10.3.4.1/32"
"access-list 5 permit 10.3.4.1"
"access-list 5 remark 10.22.33.136/29"
"access-list 5 deny 10.22.33.128 0.0.0.7"
"access-list 5 permit 10.22.33.128 0.0.0.15"
Do not forget the aux port;
"line aux 0"
"login local"
"transport output none"
Authentication;
Use enable secret, NOT enable password!;
enable secret blah-blah-blah-md5-encrypted
Make at least one local user;
username bob password goldfish
Use TACACS+ if you can, and if you have multiple routers. Otherwise, just use a local login. Cisco lets you download TACACS+ if you know where to look;
http://www.cisco.com/warp/public/480/tacplus.sh
Encrypt your passwords too;
service password-encryption
Log stuff, and know when stuff happens;
Turn on logging;
"service timestamps debug datetime msec localtime show-timezone"
"service timestamps log datetime msec localtime show-timezone"
"logging buffered 32000 debugging"
Hate log messages on the console?
"no logging console"
Use "term mon" when telnetting to get live logging messages. Use "term no mon" to turn it off.
Synch to an NTP server so you know when stuff happens;
"ntp server 1.2.3.4 prefer"
Get NTP servers here;
http://www.eecis.udel.edu/~mills/ntp/servers.ht
Interfaces;
EVERY DAMN interface should have the following, unless you know better;
"no ip redirects"
"no ip directed-broadcast"
"no ip proxy-arp"
"no cdp enable"
Route RFC1918 traffic to null0. RFC1918 specifies that this traffic should not be routed. I do not know what NANOG's position on it is;
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
Turn CDP off, if you can. There is little reason to use it;
Turn it off, on ALL interfaces;
"no cdp run"
Turn it off on an individual interface;
"no cdp enable"
Damn, now wasn't that easy? No? Of course not! People who do networking get paid some serious cash, because it is serious business. Put a fool on the console and your business is going to take it in the ass! Way too many businesses let fools take care of their networking, or better yet have nobody do it at all.
One-time passwords (Score:2, Informative)
Where I work we use one-time passwords. We have special cards that you punch in a personal code and it gives you a one-time use password that expires after use or after 30 seconds. The routers authenticate using TACACS to a server that is synchronized with the cards. Makes it nearly impossible to break into them remotely.
Another thing router admins need to be aware of is the way they set up SNMP. SNMP can be used to modify just about ANY part of a router. All the attacked needs to know is the read/write string (basically a static passsword). And because SNMP uses UDP, it has the potential of being spoofed if access lists are used to determine which machines may send SNMP commands. The only way to guard against this is edged filters everywhere and keeping the location of the password server and SNMP allowed hosts in a secure segment/area.
IOS rules;config checking tool (Score:2, Informative)
configs against the NSA rule set. If you're
interested in testing, drop me a note at
gmj AT users dot sourceforge dot net
Also, for reference, here are three good sources
of security configs for IOS:
# "NSA Router Security Configuration Guidelins", NSA, September, 2001
# http://nsa2.www.conxion.com/cisco/download.htm
#
# "Improving Security on Cisco Routers", Cisco, October 17, 2001
# http://www.cisco.com/warp/public/707/21.html
#
# "Secure IOS Template Version 2.3", Rob Thomas, October, 2001
# http://www.cymru.com/~robt/Docs/Articles/secure-i
You'd be suprised... (Score:2, Informative)
Securing Cisco Routers (Score:2, Informative)
From Cisco:
http://www.cisco.com/warp/public/707/21.html
From the NSA:
http://nsa2.www.conxion.com/cisco/index.html
Its not a solution, but its a start
-- Kevin