nipper

Nipper is a tool for auditing network devices. You feed Nipper a device configuration and get back a report on what is good or bad about that particular device and why. Since the tool is good and people wanted to use it, but there are many devices, a need arose for some system to view the results conveniently. So I quickly knocked together a PHP frontend and put a job in crontab that audits all the device configs in turn over the course of each week.

For Windows the guys have also built some kind of frontend, but I have not had a chance to look at it.

It can be downloaded here, and how to install it is described here; cmake is needed to build it.

Since an archive cannot be attached here, I will have to post everything inline.

Put audit.php into crontab so that it runs every day: 0 7 * * * php /var/www/html/nipper/audit.php

audit.php

<?php
error_reporting(E_ALL);
/*
CMD Option          Device Type
=================================================
--auto              Auto-Detect Device (Default)
--3com-firewall     3Com SuperStack 3 Firewall
--accelar           Bay Networks Accelar
--cp-firewall       CheckPoint Firewall Module
--cp-management     CheckPoint Management Module
--ios-router        Cisco IOS-based Router
--ios-catalyst      Cisco IOS-based Catalyst Switch
--pix               Cisco PIX-based Firewall
--asa               Cisco ASA-based Firewall
--fwsm              Cisco FWSM-based Router
--catos             Cisco CatOS-based Catalyst
--nmp               Cisco NMP-based Catalyst
--css               Cisco Content Services Switch
--procurve          HP ProCurve Switches
--screenos          Juniper NetScreen Firewall
--nokiaip           Nokia IP Firewall
--passport          Nortel Passport Device
--nortel-switch     Nortel Ethernet Routing Switch 8300
--sonicos           SonicWall SonicOS Firewall

The audit runs every day; each day $step devices are audited, entries $fel to $lel of
the list, so over a week every device in the list is audited once (at most 5 x 7 = 35 entries).
To add a new device to the audit the format is
"config file on disk,device type from the list above,device name shown in the web UI";
add it to $dev_arr following the pattern below.
Example:
"/tftpboot/catalyst1-confg,ios-catalyst,catalyst1"
*/
$step = 5;
$today = (int) date('N');          // ISO day of week: 1 = Monday ... 7 = Sunday
$fel = ($today - 1) * $step;
$lel = $today * $step;
$dev_arr = array(
    "/tftp/asa-config,asa,asa1",
);

function audits($config_file, $device_type, $device_name)
{
    if ($config_file == "") {
        exit();
    }
    // Note: date('jnY') is not zero-padded, so 1 December and 11 February both
    // give 1122009. Kept as-is because index.php builds the report links with
    // exactly this format; change both places together if you switch to 'dmY'.
    $datums  = date('jnY');
    $diena   = (int) date('j');
    $menesis = (int) date('n');
    $gads    = (int) date('Y');
    $output_dir = "/var/www/html/nipper/files/";
    $DBHost = "localhost";
    $DBName = "nipper";
    $DBUser = "nipper";
    $DBPass = "nipper";
    $db_table = "nipper_events";

    // The device type becomes a nipper command-line switch: allow only the
    // characters used in the list above before it reaches the shell.
    if (!preg_match('/^[a-z0-9-]+$/', $device_type)) {
        die("unknown device type: $device_type\n");
    }
    $output_file = $output_dir . $device_name . '_' . $datums . '.html';
    exec('nipper --' . $device_type
        . ' --input=' . escapeshellarg($config_file)
        . ' --output=' . escapeshellarg($output_file));
    exec('chown -R apache: ' . escapeshellarg($output_dir));

    $db = new mysqli($DBHost, $DBUser, $DBPass, $DBName);
    if ($db->connect_error) {
        die($db->connect_error . "\n");
    }
    $stmt = $db->prepare("INSERT INTO $db_table (nipper_day, nipper_month, nipper_year, nipper_title)"
        . " VALUES (?, ?, ?, ?)");
    $stmt->bind_param('iiis', $diena, $menesis, $gads, $device_name);
    $stmt->execute();
    $stmt->close();
    $db->close();
}

for ($y = $fel; $y < $lel; $y++) {
    if (!isset($dev_arr[$y]) || $dev_arr[$y] == "") {
        exit();
    }
    list($config_file, $device_type, $device_name) = explode(",", $dev_arr[$y]);
    audits($config_file, $device_type, $device_name);
}
?>

cal.css

body {font-family: Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 11px; background-image:url("fd.gif"); background-repeat: no-repeat;}
#nipper {position:absolute; bottom:0; right:0; background-image:url("nipper.gif"); width:300px; height:268px;}
td {font-family: Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 11px;}
th {font-family: Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 11px;}
tr.topdays {background-color: #eaffff; font-family: Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 11px; color : #000000;}
.toprightnumber {font-family: Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 10px; font-weight: bold;}
.eventinbox {font-family: Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 10px;}
.currentdate {font-family: Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 17px; font-weight: bold;}
a:link,a:active,a:visited {color : #000000; text-decoration: none;}
a:hover {text-decoration: underline; color : #000000;}
td.beforedayboxes {background-color: #ffffff; color: #000000;}
td.dayboxes {background-color: #ffffff; color: #000000;}
td.afterdayboxes {background-color: #ffffff; color: #000000;}
td.highlighteddayboxes {background-color: #EFEFEF; color: #000000;}
.event {font-family: Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 12px; font-weight: bold;}
.eventdetail {font-family: Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 11px;}
.eventwhen {font-family: Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 15px; font-weight: bold;}
.addevent {font-family: Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 12px; font-weight: bold;}
.addeventextrainfo {font-family: Verdana, Geneva, Arial, helvetica, sans-serif; font-size: 10px;}

config.php

<?php
$version = "0.1";
$installed = 1;
$use_auth = 1;
// MYSQL DB INFO (change the password before deploying; audit.php carries its own copy)
$DBHost = "localhost";
$DBName = "nipper";
$DBUser = "nipper";
$DBPass = "nipper";
$TBL_PR = "nipper_";
$db_table = $TBL_PR . "events";   // matches nipper.sql; index.php derives the same name from $TBL_PR
?>

index.php

<?php
require_once("config.php");
$db = new mysqli($DBHost, $DBUser, $DBPass, $DBName);
if ($db->connect_error) {
    die($db->connect_error);
}
$db_table = $TBL_PR . "events";

// The URL convention of the original calendar is kept: ?month= is the real
// month + 1 (2 = January ... 13 = December). Both parameters are cast to int
// and range-checked so that nothing from the query string reaches SQL or HTML
// unchecked (the original echoed $_GET['year'] and $_GET['month'] verbatim
// into the option values, a reflected XSS).
$month_param = isset($_GET['month']) ? (int) $_GET['month'] : (int) date("n") + 1;
$year_param  = isset($_GET['year'])  ? (int) $_GET['year']  : (int) date("Y");
if ($month_param < 2 || $month_param > 13) {
    $month_param = (int) date("n") + 1;
}
if ($year_param < 2000 || $year_param > 2100) {
    $year_param = (int) date("Y");
}
$month = $month_param - 1;   // real month number, 1..12
$year  = $year_param;

$events = array();       // day of month -> list of event ids
$event_info = array();   // event id -> array(title, day, month, year)
$stmt = $db->prepare("SELECT nipper_id, nipper_day, nipper_month, nipper_year, nipper_title"
    . " FROM $db_table WHERE nipper_month = ? AND nipper_year = ?");
$stmt->bind_param('ii', $month, $year);
$stmt->execute();
$stmt->bind_result($event_id, $ev_day, $ev_month, $ev_year, $ev_title);
while ($stmt->fetch()) {
    $events[$ev_day][] = $event_id;
    $event_info[$event_id] = array($ev_title, $ev_day, $ev_month, $ev_year);
}
$stmt->close();
$db->close();

$todays_date  = (int) date("j");
$todays_month = (int) date("n");
$todays_year  = (int) date("Y");
$days_in_month = (int) date("t", mktime(0, 0, 0, $month, 1, $year));
// ISO weekday (1 = Monday ... 7 = Sunday). The original used date("w"), whose 0
// for Sunday gave -1 leading blank cells and misaligned months starting on a Sunday.
$first_day_of_month = (int) date("N", mktime(0, 0, 0, $month, 1, $year));
$count_boxes = 0;
$days_so_far = 0;
if ($month_param == 13) {
    $next_month = 2;
    $next_year = $year + 1;
} else {
    $next_month = $month_param + 1;
    $next_year = $year;
}
if ($month_param == 2) {
    $prev_month = 13;
    $prev_year = $year - 1;
} else {
    $prev_month = $month_param - 1;
    $prev_year = $year;
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Network Device Configuration Audit</title>
<link rel="shortcut icon" href="/favicon.ico" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="cal.css" rel="stylesheet" type="text/css">
<script type="text/javascript">
// Navigate to the URL held in the selected option (replaces the eval()-based
// Dreamweaver MM_jumpMenu helper of the original).
function jumpMenu(selObj) {
    window.location = selObj.options[selObj.selectedIndex].value;
}
</script>
</head>
<body>
<div align="center"><span class="currentdate"><?php echo date("F Y", mktime(0, 0, 0, $month, 1, $year)); ?></span><br>
<br>
</div>
<div align="center"><br>
<table width="700" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><div align="right"><a href="index.php?month=<?php echo $prev_month; ?>&amp;year=<?php echo $prev_year; ?>">&lt;&lt;</a></div></td>
<td width="200"><div align="center">
<select name="month" id="month" onchange="jumpMenu(this)">
<?php
for ($i = 1; $i <= 12; $i++) {
    $link = $i + 1;
    $selected = ($month_param == $link) ? " selected" : "";
    echo "<option value=\"index.php?month=$link&amp;year=$year\"$selected>"
        . date("F", mktime(0, 0, 0, $i, 1, $year)) . "</option>\n";
}
?>
</select>
<select name="year" id="year" onchange="jumpMenu(this)">
<?php
for ($i = 2000; $i <= $todays_year + 1; $i++) {
    $selected = ($i == $year) ? " selected" : "";
    echo "<option value=\"index.php?month=$month_param&amp;year=$i\"$selected>$i</option>\n";
}
?>
</select>
</div></td>
<td><div align="left"><a href="index.php?month=<?php echo $next_month; ?>&amp;year=<?php echo $next_year; ?>">&gt;&gt;</a></div></td>
</tr>
</table>
<br>
</div>
<table width="700" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#000000">
<tr>
<td><table width="100%" border="0" cellpadding="0" cellspacing="1">
<tr class="topdays">
<td><div align="center">Monday</div></td>
<td><div align="center">Tuesday</div></td>
<td><div align="center">Wednesday</div></td>
<td><div align="center">Thursday</div></td>
<td><div align="center">Friday</div></td>
<td><div align="center">Saturday</div></td>
<td><div align="center">Sunday</div></td>
</tr>
<tr valign="top" bgcolor="#FFFFFF">
<?php
for ($i = 1; $i <= $first_day_of_month - 1; $i++) {
    $days_so_far++;
    $count_boxes++;
    echo "<td width=\"100\" height=\"100\" class=\"beforedayboxes\"></td>\n";
}
for ($i = 1; $i <= $days_in_month; $i++) {
    $days_so_far++;
    $count_boxes++;
    // highlight today when showing the current month, otherwise the 1st
    if ($month == $todays_month && $year == $todays_year) {
        $highlight = ($i == $todays_date);
    } else {
        $highlight = ($i == 1);
    }
    $class = $highlight ? "highlighteddayboxes" : "dayboxes";
    echo "<td width=\"100\" height=\"100\" class=\"$class\">\n";
    echo "<div align=\"right\"><span class=\"toprightnumber\">\n$i&nbsp;</span></div>\n";
    if (isset($events[$i])) {
        echo "<div align=\"left\"><span class=\"eventinbox\">\n";
        foreach ($events[$i] as $id) {
            list($title, $ev_d, $ev_m, $ev_y) = $event_info[$id];
            // the same file name audit.php wrote: <device>_<j><n><Y>.html
            $file = "files/" . rawurlencode($title . "_" . $ev_d . $ev_m . $ev_y . ".html");
            echo "&nbsp;<a href=\"" . htmlspecialchars($file) . "\" target=\"_blank\">"
                . htmlspecialchars($title) . "</a>\n<br>\n";
        }
        echo "</span></div>\n";
    }
    echo "</td>\n";
    if (($count_boxes == 7) && ($days_so_far != (($first_day_of_month - 1) + $days_in_month))) {
        $count_boxes = 0;
        echo "</tr><tr valign=\"top\">\n";
    }
}
$extra_boxes = 7 - $count_boxes;
for ($i = 1; $i <= $extra_boxes; $i++) {
    echo "<td width=\"100\" height=\"100\" class=\"afterdayboxes\"></td>\n";
}
?>
</tr>
</table></td>
</tr>
</table>
<div id="nipper"></div>
</body>
</html>

nipper.sql

DROP TABLE IF EXISTS `nipper_events`;
CREATE TABLE `nipper_events` (
  `nipper_id` int(5) unsigned NOT NULL auto_increment,
  `nipper_day` int(2) NOT NULL default '0',
  `nipper_month` int(2) NOT NULL default '0',
  `nipper_year` int(4) NOT NULL default '0',
  `nipper_title` varchar(200) NOT NULL default '',
  PRIMARY KEY (`nipper_id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;


UPD:

An example audit report for a simply configured Cisco PIX. I produced this report in text format, but the one generated in HTML format is easier to read.

Contents
========

1. About Your Report
1.1. Organisation
1.2. Conventions
2. Security Audit
2.1. Introduction
2.2. A User Was Configured With A Dictionary-Based Password
2.3. Interfaces Were Configured With No Filtering
2.4. No Console Connection Timeout
2.5. No ACL Were Configured
2.6. No Pre-Logon Banner Message
2.7. No Post Logon Banner Message
2.8. Potentially Unused Network Interfaces
2.9. Conclusions
2.10. Recommendations
3. Device Configuration
3.1. Introduction
3.2. General Device Settings
3.3. Network Services
3.4. Administration Settings
3.5. Authentication Settings
3.6. SNMP Settings
3.7. Network Interface Settings
4. Appendix
4.1. Abbreviations
4.2. Common Network Ports
4.3. IP Protocols
4.4. ICMP Types
4.5. Nipper Details

Index Of Tables
===============

Table 1. Report text conventions
Table 2. Impact ratings
Table 3. Ease ratings
Table 4. Fix ratings
Table 5. User with a dictionary-based password
Table 6. Physical network interfaces were not configured to filter network traffic
Table 7. Physical network interfaces were active and potentially unused
Table 8. Recommendations
Table 9. General device settings
Table 10. Network services
Table 11. General administration settings
Table 12. Telnet service settings
Table 13. SSH service settings
Table 14. HTTPS service settings
Table 15. HTTPS service encryption ciphers
Table 16. Authentication Methods
Table 17. Configured users
Table 18. SNMP settings
Table 19. SNMP community configuration
Table 20. Physical network interfaces
Table 21. Abbreviations
Table 22. Common network ports
Table 23. IP protocols
Table 24. ICMP types

1. About Your Report
====================

1.1. Organisation
~~~~~~~~~~~~~~~~~

This Cisco PIX Security Appliance report was produced by BIBO on Wednesday 22nd April 2009. The report is comprised of the following sections:
* a security audit report section that details any identified security-related issues. Each security issue includes a finding, its impact, how easy it would be for an attacker to exploit and a recommendation. The recommendations include, where appropriate, the command(s) to mitigate the issue;
* a configuration report section that details the Cisco PIX Security Appliance configuration settings;
* an abbreviations appendix section that expands any abbreviations used within the report;
* a common ports appendix section that details the TCP and UDP port numbers for the common services outlined within the report;
* an appendix section detailing the severity levels used by the logging facility;
* a time zones appendix section that details a number of the most commonly used time zones;
* an appendix section detailing the software used to produce this report.

1.2. Conventions
~~~~~~~~~~~~~~~~

This report makes use of the text conventions outlined in Table 1.
——————————–
Convention, Description
——————————–
“command”, This text style represents the Cisco PIX Security Appliance command text that has to be entered literally.
“string”, This text style represents the Cisco PIX Security Appliance command text that you have to enter.
“[ ]”, Used to enclose a Cisco PIX Security Appliance command option.
“{ }”, Used to enclose a Cisco PIX Security Appliance command requirement.
“|”, Divides command option or requirement choices.
——————————–
Table 1: Report text conventions

2. Security Audit
=================

2.1. Introduction
~~~~~~~~~~~~~~~~~

Each security issue identified by BIBO is described with a finding, the impact of the issue, how easy it would be for an attacker to exploit the issue and a recommendation. Each security issue is rated based on a number of factors, each of these are described in the following sections.

Issue Finding:
The issue finding describes what configuration setting BIBO identified that potentially poses a security threat. In addition to the finding details, any relevant background information is also described.

Issue Impact:
The impact section describes what an attacker could gain from exploiting the security issue. The impact of an issue is often defined by other configuration settings that could heighten the issue or partially mitigate it. For example, a weak password could be partially mitigated if the access gained from using it is restricted in some way. The impact is rated depending on the significance of the security threat. Table 2 outlines the possible impact ratings and their significance.
———————–
Rating, Description
———————–
Critical, These issues can pose a very significant security threat. The issues that have a critical impact are typically those that would allow an attacker to gain full administrative access to the device. For a firewall device, allowing all traffic to pass through the device unfiltered would receive this rating as filtering traffic to protect other devices is the primary purpose of a firewall.
High, These issues pose a significant threat to security, but have some limitations on the extent to which they can be abused. User level access to a device and a DoS vulnerability in a critical service would fall into this category. A firewall device that allowed significant unfiltered access, such as allowing entire subnets through or not filtering in all directions, would fall into this category. A router that allows significant modification of its routing configuration would also fall into this category.
Medium, These issues have significant limitations on the direct impact they can cause. Typically these issues would include significant information leakage issues, denial of service issues or those that provide significantly limited access. A SNMP service that is secured with default or a dictionary based community string would typically fall into this rating, as would a firewall that allows unfiltered access to a range of services on a device.
Low, These issues represent a low level security threat. A typical issue would involve information leakage that could be useful to an attacker, such as a list of users or version details. A non-firewall device that was configured with weak network filtering would fall into this category.
Info, These issues represent a very low level of security threat. These issues include minor information leakage, unnecessary services or legacy protocols that provide no real threat to security.
———————–
Table 2: Impact ratings

Issue Ease:
The ease section of each issue describes the knowledge, skill and physical access that would be required of an attacker in order to exploit it. The ease will describe if open source or commercially available tools are required for an attacker to exploit an issue. Additionally, the ease will note where an extended period of time is required to exploit the issue, such as cracking weak encryption ciphers. Each issue is rated upon how easily it can be exploited, the ratings for which are described in Table 3.
———————
Rating, Description
———————
Trivial, The issue requires little-to-no knowledge on behalf of an attacker and can be exploited using standard operating system tools. A firewall device which had a network filtering configuration that enables traffic to pass through would fall into this category.
Easy, The issue requires some knowledge for an attacker to exploit, which could be performed using standard operating system tools or tools downloaded from the Internet. An administrative service without or with a default password would fall into this category, as would a simple software vulnerability exploit.
Moderate, The issue requires specific knowledge on behalf of an attacker. The issue could be exploited using a combination of operating system tools or publicly available tools downloaded from the Internet.
Challenge, A security issue that falls into this category would require significant effort and knowledge on behalf of the attacker. The attacker may require specific physical access to resources or to the network infrastructure in order to successfully exploit it. Furthermore, a combination of attacks may be required.
N/A, The issue is not directly exploitable. An issue such as enabling legacy protocols or unnecessary services would fall into this rating category.
———————
Table 3: Ease ratings

Issue Recommendation:
Each issue includes a recommendation section which describes what steps Nipper recommends should be taken in order to mitigate the issue. The recommendation will sometimes include various options, if several mitigating choices are available, and any relevant system commands.

Directly following the recommendation, the issue dependencies and other relevant issues are referenced. The dependency issues are those that when mitigated will eliminate the described issue. For example, if the Simple Network Management Protocol (SNMP) is disabled it no longer matters if a view has not been configured. The relevant issues are ones that can affect the impact or the ease that the issue can be exploited.

The recommendation includes a rating that indicates how easy an issue is to resolve, these are described in Table 4.
——————–
Rating, Description
——————–
Involved, The resolution of the issue will require significant resources to resolve and is likely to include disruption to network services, and possibly the modification of other network device configurations. The issue could involve upgrading the Cisco PIX Security Appliance OS and possibly modifications to the hardware.
Planned, The issue resolution involves planning, testing and could cause some disruption to services. This issue could involve changes to routing protocols and changes to network filtering.
Quick, The issue is quick to resolve. Typically this would just involve changing a small number of settings and would have little-to-no effect on network services.
——————–
Table 4: Fix ratings

Issue Overall Rating:
The previous sections describe each section that is reported for an individual issue and the rating that is associated with it, they do not describe how the overall rating is calculated. The overall security issue rating is calculated based on a combination of the impact and the ease of exploiting an issue, the recommendation rating is not included as it does not represent the significance of a security issue. The overall rating uses the same ratings as the impact, but modified by how easy it is to exploit.

It is worth noting that BIBO is unable to provide an accurate threat assessment due to a lack of information. For example, in the case where highly sensitive information is processed, a Denial of Service (DoS) vulnerability poses less of a threat than the integrity of the data or an attacker gaining access to it. Similarly, for a situation where uptime is critical, a DoS vulnerability could be more important than the leakage of sensitive information. The ratings provided by BIBO are intended to be a guide.

2.2. A User Was Configured With A Dictionary-Based Password
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FINDING: Authentication credentials are configured on Cisco PIX Security Appliance devices in order to help prevent unauthorised access and to restrict the access to specific authorised users.

A dictionary of passwords was used to check the strength of the passwords for the local users on asa. BIBO determined that one user was configured with a dictionary-based password. This is shown in Table 5.
———————————————-
User, Password, Privilege Level
———————————————-
password, cisco, -
———————————————-
Table 5: User with a dictionary-based password

IMPACT: With access to asa the attacker could enumerate information about the device and the networks configuration. The attacker may also be able to use the device to attack other network devices, possibly bypassing any access restrictions. Furthermore, with administrative access, the attacker could reconfigure asa in order to gain access to other devices, monitor network connections or perform a DoS attack.

Ease: Attackers will often have access to a collection of password dictionaries and some can be downloaded from the Internet. These dictionaries are lists of well known passwords, names, places, sport teams and so on. Experienced attackers may have an extensive collection of password dictionaries that contain passwords that they have extracted whilst attacking various systems. These password dictionaries can then be used to check authentication credentials of other systems. Tools are available on the Internet that can use a password dictionary to guess the authentication credentials. Once a password has been identified, the tools to connect to authentication services are provided with most OS.

Recommendation: BIBO recommends that a strong password should be configured for all Cisco PIX Security Appliance users. BIBO recommends that passwords:
* are at least eight characters in length;
* must include uppercase characters;
* must include lowercase characters;
* must include numbers;
* must include non-alphanumeric characters;
* must not contain the username/service name;
* must not contain the devices host name;
* must not contain device details (i.e. make, model);
* must not be dictionary based with character substitution (i.e. an “i” swapped for a “1”);
* must not contain character sequences (i.e. “qwerty”);
* must not be dictionary based with common characters appended (i.e. “1”).

The following commands can be used on Cisco PIX Security Appliance devices to configure the initial password, enable password and a user account with a password:
“password password”
“enable password password”
“username name password password”

2.3. Interfaces Were Configured With No Filtering
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FINDING: Cisco PIX Security Appliance devices can be configured with Access Control List (ACL) to filter network traffic in order to prevent unauthorised access to hosts and services.

BIBO determined that eight interfaces were configured without inbound network filtering. These are listed below.

———————————————————————————-
Interface, Active, Name, Security, Address, Standby, ACL
———————————————————————————-
Ethernet0/0, Yes, -, 0, -, -, -
Ethernet0/1, Yes, -, 0, -, -, -
Ethernet0/2, Yes, -, 0, -, -, -
Ethernet0/3, Yes, -, 0, -, -, -
Ethernet0/4, Yes, -, 0, -, -, -
Ethernet0/5, Yes, -, 0, -, -, -
Ethernet0/6, Yes, -, 0, -, -, -
Ethernet0/7, Yes, -, 0, -, -, -
———————————————————————————-
Table 6: Physical network interfaces were not configured to filter network traffic

IMPACT: With no ACL configured on all the active interfaces an attacker would not be prevented by asa from accessing hosts or services.

Ease: With no ACL a user or attacker would not be restricted by asa when accessing network services.

Recommendation: BIBO recommends that all active interfaces should be configured with ACL to filter inbound network traffic.

An ACL can be configured on an interface with the following command:
“access-group acl in interface interface-name”

2.4. No Console Connection Timeout
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FINDING: The console connection timeout setting is used by Cisco PIX Security Appliance devices to determine if a console connection is no longer being used and can be closed. The console connection could become unused if an administrator has not correctly terminated the connection and still remains logged into the console or they have left their computer without terminating the console connection.

BIBO determined that no console connection timeout was configured on asa.

IMPACT: An attacker with physical access to asa would be able to connect to the console port and continue using a session that was not properly terminated. Due to the nature of the device, the access the attacker would gain is likely to be that of an administrative level user.

Ease: An attacker would require physical access to the device in order to connect to the console port. Although this may seem like a significant barrier, a malicious user or attacker who has legitimate access to the room where asa is located would be able to access the console port. A locked server rack would provide little barrier to a motivated attacker.

Recommendation: BIBO recommends that a timeout period of 10 minutes should be configured for the console connection.

The console timeout can be configured with the following command:
“console timeout timeout-minutes”

2.5. No ACL Were Configured
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FINDING: Cisco PIX Security Appliance devices can be configured with ACL to restrict access to network devices and services. BIBO determined that no ACL were configured on asa.

IMPACT: With no ACL configured an attacker or malicious user would not be able to access network services through the device as all network traffic would be blocked by asa.

Ease: With no ACL a user or attacker would not be able to access any network services through asa.

Recommendation: If asa is not required, BIBO recommends that asa is decommissioned. If asa is required, BIBO recommends that ACL are configured.

BIBO recommends that ACLs are configured to ensure that:
* Access Control Entry (ACE) do not allow access from any source;
* ACE do not allow access from a source network address;
* ACE do not allow access to any destination;
* ACE do not allow access to a destination network address;
* ACE do not allow access to any destination service;
* ACE do not allow access to a range of destination services;
* ACE do not allow clear text protocol services;
* ACE do not overlap or duplicate other ACE;
* ACE do not contradict other ACE;
* no unused ACE exist;
* no unused ACL exist.

2.6. No Pre-Logon Banner Message
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FINDING: A pre-logon banner message can be configured on Cisco PIX Security Appliance devices. Logon banners are useful for passing on information to users and, with a carefully worded legal warning, as a deterrent to a potential attacker.

BIBO determined that no pre-logon banner was configured on asa.

IMPACT: A pre-logon banner message is important in warning any potential attacker against unauthorised access to the Cisco PIX Security Appliance. With a carefully worded pre-logon banner, which warns against unauthorised access, if any legal action is taken it would be easier to prove intent on behalf of the attacker.

Ease: Without a pre-login banner, an attacker would not be presented with a legal warning against unauthorised access prior to a logon attempt.

Recommendation: BIBO recommends that a carefully worded legal banner should be configured that warns against unauthorised access to asa.

The Message Of The Day (MOTD) banner message is displayed before logon for connections to asa. The MOTD banner message can be configured with the following command:
“banner motd message-text”

2.7. No Post Logon Banner Message
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FINDING: On Cisco PIX Security Appliance devices it is possible to configure a banner message that is presented to users after they have authenticated. The post logon banner is useful for detailing the acceptable use policy and what change control procedures should be followed prior to making any changes to the devices configuration.

BIBO determined that no post logon banner message had been configured on asa.

IMPACT: An acceptable use message detailing any change control procedures could help to prevent ad-hoc changes being made to the Cisco PIX Security Appliance configuration.

Ease: No banner message is sent by asa after a user logon occurs.

Recommendation: BIBO recommends that a post logon banner message is configured that details the acceptable use and change control procedure.

The Exec banner message is displayed once a successful logon has occurred, before the enable prompt. The Exec banner message can be configured with the following command:
“banner exec message-text”

2.8. Potentially Unused Network Interfaces
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FINDING: On Cisco PIX Security Appliance devices it is possible to enable and disable individual network interfaces. It is good security practice to disable unused interfaces to help prevent unauthorised access to the network.

BIBO determined that eight interfaces were active and potentially unused. These are listed below.

————————————————————————-
Interface, Active, Name, Security, Address, Standby, ACL
————————————————————————-
Ethernet0/0, Yes, -, 0, -, -, -
Ethernet0/1, Yes, -, 0, -, -, -
Ethernet0/2, Yes, -, 0, -, -, -
Ethernet0/3, Yes, -, 0, -, -, -
Ethernet0/4, Yes, -, 0, -, -, -
Ethernet0/5, Yes, -, 0, -, -, -
Ethernet0/6, Yes, -, 0, -, -, -
Ethernet0/7, Yes, -, 0, -, -, -
————————————————————————-
Table 7: Physical network interfaces were active and potentially unused

IMPACT: If unused interfaces are not disabled, an attacker may be able to gain access without risking detection by unplugging an existing connection.

Ease: The attacker would require physical access to the Cisco PIX Security Appliance device in order to connect to an unused network connection.

Recommendation: BIBO recommends that the list of potentially unused active network connections should be reviewed and any unused interfaces disabled.

Interfaces can be disabled on a Cisco PIX Security Appliance device using the following command:
“interface interface-name shutdown”

2.9. Conclusions
~~~~~~~~~~~~~~~~

BIBO performed a security audit of the Cisco PIX Security Appliance asa on Wednesday 22nd April 2009 and identified seven security-related issues. The most significant issue identified was rated as High.

One High rated security issue was identified. BIBO determined that:
* a dictionary-based authentication credential password was configured (see section 2.2).

One Medium rated security issue was identified. BIBO determined that:
* interfaces were configured without inbound network filtering (see section 2.3).

BIBO identified three Low rated security issues. BIBO determined that:
* no console connection timeout was configured (see section 2.4);
* no ACL were configured (see section 2.5);
* no pre-logon banner message was configured (see section 2.6).

BIBO identified two Info rated security issues. BIBO determined that:
* no post logon banner message is configured (see section 2.7);
* potentially unused interfaces were active (see section 2.8).

2.10. Recommendations
~~~~~~~~~~~~~~~~~~~~~

This section is designed to assist in the mitigation of the security issues identified by collating the security issue recommendations into a single location. The recommendations are listed in Table 8 together with the issue ratings.
———————————————————-
Issue, Overall, Impact, Ease, Fix, Recommendation, Section
———————————————————-
A User Was Configured With A Dictionary-Based Password, High, Critical, Easy, Quick, Configure strong authentication credential passwords for all users, 2.2
Interfaces Were Configured With No Filtering, Medium, Medium, N/A, Quick, Configure inbound network filtering on all interfaces, 2.3
No Console Connection Timeout, Low, Critical, Challenge, Quick, Configure a console connection timeout of 10 minutes, 2.4
No ACL Were Configured, Low, Low, Trivial, Planned, Configure ACL to restrict access or decommission asa, 2.5
No Pre-Logon Banner Message, Low, Low, N/A, Quick, Configure a pre-logon banner message with a carefully worded legal warning, 2.6
No Post Logon Banner Message, Info, Info, N/A, Quick, Configure a post logon banner message which details the acceptable use and change control policies, 2.7
Potentially Unused Network Interfaces, Info, Info, Challenge, Quick, Disable all unused interfaces, 2.8
———————————————————-
Table 8: Recommendations

3. Device Configuration
=======================

3.1. Introduction
~~~~~~~~~~~~~~~~~

This section details the configuration settings of the Cisco PIX Security Appliance device asa.

3.2. General Device Settings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

——————————–
Description, Setting
——————————–
Hostname, asa
PIX Version, 6.3(2)
——————————–
Table 9: General device settings

3.3. Network Services
~~~~~~~~~~~~~~~~~~~~~

Table 10 outlines the network services supported by Cisco PIX Security Appliance devices and their status on asa. The service settings are described in greater detail in the following sections.
————————–
Service, Status
————————–
Telnet Service, Disabled
SSH Service, Disabled
HTTPS Service, Disabled
SNMP Service, Enabled
————————–
Table 10: Network services

3.4. Administration Settings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This section describes the services that are supported by Cisco PIX Security Appliance for administration. Each subsection covers a particular service and its configuration settings.

General Administration Settings:
This section describes some general Cisco PIX Security Appliance device settings.
—————————————–
Description, Setting
—————————————–
Console Port, Enabled
Console Connection Timeout, No Timeout
—————————————–
Table 11: General administration settings

Telnet Service Settings:
The Telnet service enables remote administrative access to a Command Line Interface (CLI) on asa. The Telnet protocol implemented by the service is simple and provides no encryption of the network communications between the client and the server. This section details the Telnet service settings.
———————————
Description, Setting
———————————
Telnet Service, Disabled
Service TCP Port, 23
Connection Timeout, 5 minutes
———————————
Table 12: Telnet service settings

SSH Service Settings:
The SSH service enables a remote administrator to access a CLI on asa. The Secure Shell (SSH) protocol provides complete encryption of the network packets between the connecting client and the server. There are two main versions of the SSH protocol.

Cisco PIX Security Appliance devices support SSH protocol version 1 from around PIX version 6. Support for SSH protocol version 2 was added with PIX version 7.0.

This section details the SSH service settings.
———————————————–
Description, Setting
———————————————–
SSH Service, Disabled
Service TCP Port, 22
SSH Protocol Version(s), 1 and 2
Connection Timeout, 5 minutes
———————————————–
Table 13: SSH service settings

HTTPS Service Settings:
Cisco PIX Security Appliance devices can provide web-based administrative access. The HTTPS service provides full encryption of communications between the client and server. This section details the web service settings:
————————————————-
Description, Setting
————————————————-
HTTPS Service, Disabled
HTTPS Service TCP Port, 443
————————————————-
Table 14: HTTPS service settings

Table 15 lists the configured HTTPS service encryption ciphers.
—————————————————————————————————————–
Encryption, Authentication, Key Length, SSL v2, SSL v3, TLS v1
—————————————————————————————————————–
3DES, SHA1, 168 bits, Yes, Yes, Yes
3DES, SHA1, 56 bits, Yes, Yes, Yes
RC4, MD5, 40 bits, Yes, Yes, Yes
RC4, MD5, 56 bits, Yes, Yes, Yes
RC4, MD5, 64 bits, Yes, Yes, Yes
RC4, MD5, 128 bits, Yes, Yes, Yes
AES, SHA1, 128 bits, Yes, Yes, Yes
AES, SHA1, 192 bits, Yes, Yes, Yes
AES, SHA1, 256 bits, Yes, Yes, Yes
—————————————————————————————————————–
Table 15: HTTPS service encryption ciphers

It is worth noting that the ciphers were determined using the defaults that Cisco PIX Security Appliance devices are typically configured with. However, these can differ between different models.

3.5. Authentication Settings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This section describes the various Cisco PIX Security Appliance device authentication settings.

General:
This section details the general authentication configuration settings on asa.

——————————–
Name, Type, For
——————————–
LOCAL, Local Users Database, ssh
——————————–
Table 16: Authentication Methods

Users:
This section details the users configured on asa.
——————————————-
User, Password, Encryption, Privilege Level
——————————————-
enable, 8Ry2YjIyt7RRXU24, MD5, 15
password, cisco, None, –
——————————————-
Table 17: Configured users

3.6. SNMP Settings
~~~~~~~~~~~~~~~~~~

SNMP is used to assist network administrators in monitoring and managing a wide variety of network devices. There are three main versions of SNMP in use. Versions 1 and 2 of SNMP are both secured with a community string and authenticate and transmit network packets without any form of encryption. SNMP version 3 provides several levels of authentication and encryption. The most basic level provides a similar protection to that of the earlier protocol versions. However, SNMP version 3 can be configured to provide encrypted authentication (auth) and secured further with support for encrypted data communications (priv).

Cisco PIX Security Appliance devices do not support SNMP version 3. This section describes the asa SNMP configuration settings.
—————————————-
Description, Setting
—————————————-
SNMP Service, Enabled
SNMP Service UDP Port, 161
—————————————-
Table 18: SNMP settings

SNMP Community:
SNMP community strings are used to authenticate access between a Network Management System (NMS) and the Cisco PIX Security Appliance SNMP agent. A connecting NMS, using SNMP protocol versions 1 or 2c, must provide the SNMP agent with a valid community string when making a Management Information Base (MIB) read or write request.
——————————————————-
Community, Access, Version
——————————————————-
public, Read Only, 1
——————————————————-
Table 19: SNMP community configuration

3.7. Network Interface Settings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This section details the Cisco PIX Security Appliance device's network interface configuration settings.

Physical Network Interfaces:
This section describes the configuration of the Cisco PIX Security Appliance device's physical network interfaces.
————————————————————————-
Interface, Active, Name, Security, Address, Standby, ACL
————————————————————————-
ethernet0, No, outside, 0, 209.165.200.226 / 255.255.255.224, -, –
ethernet1, No, inside, 100, 10.1.1.1 / 255.255.255.0, -, –
Ethernet0/0, Yes, -, 0, -, -, –
Ethernet0/1, Yes, -, 0, -, -, –
Ethernet0/2, Yes, -, 0, -, -, –
Ethernet0/3, Yes, -, 0, -, -, –
Ethernet0/4, Yes, -, 0, -, -, –
Ethernet0/5, Yes, -, 0, -, -, –
Ethernet0/6, Yes, -, 0, -, -, –
Ethernet0/7, Yes, -, 0, -, -, –
————————————————————————-
Table 20: Physical network interfaces
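The post's frontend has to turn reports like this one into something that can be compared across many devices. The following is an added example written for this post, not Nipper's own code and not the post's audit.php: it parses the comma-separated tables that Nipper prints in its text report (the dash lines, a header row, data rows, then "Table N: caption"), counts the issues in Table 8 by their Overall rating, and reproduces the test behind finding 2.8 on Table 20 (an interface that is active but has neither a name nor an address is "potentially unused"). The report excerpt inside the script is a constructed sample with the tables shortened; the function names are the example's own.

```php
<?php
// Added example for this post (not Nipper's own code and not audit.php):
// parse the tables of a Nipper text report and run two frontend checks.

/**
 * Parse every table in a Nipper text report, keyed by its caption.
 *
 * A table is: separator, header row, separator, data rows, separator,
 * "Table N: caption". Separator lines are runs of ASCII '-'; en-dash and
 * em-dash are accepted too, because WordPress rewrites the hyphens when a
 * report is pasted into a post. Cells are unquoted CSV, so a cell that
 * itself contains a comma would split the row; short rows are padded and
 * long rows truncated to the header width rather than dropped.
 *
 * @return array<string, array<int, array<string, string>>> caption => rows
 */
function nipper_parse_tables(string $report): array
{
    $lines = preg_split('/\r?\n/', $report);
    $n = count($lines);
    $isSep = static function (string $line): bool {
        return preg_match('/^[\-\x{2013}\x{2014}]{3,}$/u', trim($line)) === 1;
    };
    $tables = [];

    for ($i = 0; $i + 2 < $n; $i++) {
        // A table starts with a separator, a header and another separator.
        if (!$isSep($lines[$i]) || !$isSep($lines[$i + 2])) {
            continue;
        }
        $header = array_map('trim', explode(',', $lines[$i + 1]));
        $width = count($header);
        $rows = [];
        $j = $i + 3;
        while ($j < $n && !$isSep($lines[$j])) {
            $cells = array_map('trim', explode(',', $lines[$j]));
            $cells = array_slice(array_pad($cells, $width, ''), 0, $width);
            $rows[] = array_combine($header, $cells);
            $j++;
        }
        // The caption follows the closing separator; a table without one is
        // stored under a numbered placeholder key.
        $caption = 'table-' . (count($tables) + 1);
        if ($j + 1 < $n && preg_match('/^Table\s+\d+:\s*(.+)$/', trim($lines[$j + 1]), $m)) {
            $caption = $m[1];
        }
        $tables[$caption] = $rows;
        $i = $j; // resume scanning after the closing separator
    }
    return $tables;
}

/** Count the issues in "Table 8: Recommendations" by their Overall rating. */
function nipper_rating_summary(array $tables): array
{
    $counts = ['High' => 0, 'Medium' => 0, 'Low' => 0, 'Info' => 0];
    foreach ($tables['Recommendations'] ?? [] as $row) {
        $rating = $row['Overall'] ?? '';
        if (array_key_exists($rating, $counts)) {
            $counts[$rating]++;
        }
    }
    return $counts;
}

/** Finding 2.8 as a check: active interface with no name and no address. */
function nipper_unused_interfaces(array $tables): array
{
    $unused = [];
    foreach ($tables['Physical network interfaces'] ?? [] as $row) {
        if (($row['Active'] ?? '') === 'Yes'
            && ($row['Name'] ?? '-') === '-'
            && ($row['Address'] ?? '-') === '-') {
            $unused[] = $row['Interface'];
        }
    }
    return $unused;
}

// Constructed sample: a shortened excerpt in the layout of the report above.
$sample = <<<'REPORT'
----------------------------------------------------------
Issue, Overall, Impact, Ease, Fix, Recommendation, Section
----------------------------------------------------------
A User Was Configured With A Dictionary-Based Password, High, Critical, Easy, Quick, Configure strong authentication credential passwords for all users, 2.2
Interfaces Were Configured With No Filtering, Medium, Medium, N/A, Quick, Configure inbound network filtering on all interfaces, 2.3
No Console Connection Timeout, Low, Critical, Challenge, Quick, Configure a console connection timeout of 10 minutes, 2.4
Potentially Unused Network Interfaces, Info, Info, Challenge, Quick, Disable all unused interfaces, 2.8
----------------------------------------------------------
Table 8: Recommendations

-------------------------------------------------------------------------
Interface, Active, Name, Security, Address, Standby, ACL
-------------------------------------------------------------------------
ethernet0, No, outside, 0, 209.165.200.226 / 255.255.255.224, -, -
ethernet1, No, inside, 100, 10.1.1.1 / 255.255.255.0, -, -
Ethernet0/0, Yes, -, 0, -, -, -
Ethernet0/1, Yes, -, 0, -, -, -
-------------------------------------------------------------------------
Table 20: Physical network interfaces
REPORT;

$tables = nipper_parse_tables($sample);
printf("Ratings: %s\n", json_encode(nipper_rating_summary($tables)));
foreach (nipper_unused_interfaces($tables) as $ifname) {
    printf("potentially unused: %s\n", $ifname);
}
```

Keyed by caption, the same parser covers every table in the report, so the frontend can also pull the SNMP community (Table 19) or the plaintext user password (Table 17) into a per-device summary without scraping the prose. Running the parser over the full report pasted above gives the same totals as section 2.9: one High, one Medium, three Low and two Info issues.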

4. Appendix
===========

4.1. Abbreviations
~~~~~~~~~~~~~~~~~~

————————-
Abbreviation, Description
————————-
3DES, Triple Data Encryption Standard
ACL, Access Control List
AES, Advanced Encryption Standard
ASA, Adaptive Security Appliance
CLI, Command Line Interface
DES, Data Encryption Standard
DoS, Denial of Service
HTTP, HyperText Transfer Protocol
HTTPS, HyperText Transfer Protocol over SSL
MD5, Message Digest 5
MIB, Management Information Base
MOTD, Message Of The Day
NMS, Network Management System
RC4, Rivest Cipher 4
SHA1, Secure Hash Standard 1
SNMP, Simple Network Management Protocol
SSH, Secure Shell
SSL, Secure Sockets Layer
TCP, Transmission Control Protocol
UDP, User Datagram Protocol
————————-
Table 21: Abbreviations

4.2. Common Network Ports
~~~~~~~~~~~~~~~~~~~~~~~~~

——————————
Port, Network Service
——————————
22, SSH
23, Telnet
80, HTTP
101, Hostname
161, SNMP
443, HTTPS
——————————
Table 22: Common network ports

4.3. IP Protocols
~~~~~~~~~~~~~~~~~

————————————————-
Protocol, Name, Description, RFC
————————————————-
1, ICMP, Internet Control Message, RFC792
6, TCP, Transmission Control Protocol, RFC793
17, UDP, User Datagram Protocol, RFC768
————————————————-
Table 23: IP protocols

4.4. ICMP Types
~~~~~~~~~~~~~~~

————————————-
Type, Code, Description, RFC
————————————-
0, -, Echo Reply, RFC792
8, -, Echo, RFC792
————————————-
Table 24: ICMP types

4.5. Nipper Details
~~~~~~~~~~~~~~~~~~~

This report was generated using Nipper version 0.12.6.

Nipper is an Open Source tool designed to assist security professionals and network system administrators in securely configuring network infrastructure devices. More information on Nipper and how you can contribute to the project is on the project's web site http://nipper.titania.co.uk.

Screenshot of the web frontend and of the HTML report:

[Screenshots: nipper_web1, nipper_web2]

~ by BIBO on 2009.04.21.

2 Responses to “nipper”

  1. Looks interesting already, but could we maybe get to see a screenshot of that thing in action?

  2. I added one report and a couple of screenshots at the end of the post.
