March 31st, 2005, 10:11 PM
Auditing Routers: The Checklist - Looking for Feedback
I am reviewing our checklist to audit routers, the concentration being on Cisco routers. I have the checklist below and was wondering if I am missing anything. Please let me know if we can add/change/delete anything. If you were going to audit your organization's router(s), how would you approach it?
NOTE: My apologies for the formatting; I had to quickly change the formatting to fit the information here. This checklist is an amalgam of many authors/auditors in our organization.
0. Background Information Sources
A. External Resources:
(1) Cisco System field notices -> http://cisco.com/public/support/tac/fn_index.html
(2) Cisco System security advisories -> http://cisco.com/en/US/products/prod...s_listing.html
(3) Cisco IOS documentation -> http://www.cisco.com/en/US/products/...mentation.html
(4) Center for Internet Security Benchmark for Cisco IOS ->
(5) Nortel Networks -> http://www.nortelnetworks.com/index.html
(6) US-CERT Vulnerability Notes Database -> http://www.kb.cert.org/vuls
(7) IETF Network Ingress Filtering -> http://www.ietf.org/rfc/rfc2827.txt
(8) IETF Address Allocation for Private Internets -> http://www.ietf.org/rfc/rfc1918.txt
1. Routing Rules
A. Is IP directed broadcast disabled on each router interface ('no ip directed-broadcast')?
B. Is source routing disabled on each router interface ('no ip source-route')?
C. Are IP unreachables disabled on each router interface ('no ip unreachables')?
D. Are inbound anti-spoof filters applied on external router interfaces?
E. Are inbound ACLs defined to block RFC 1918-reserved and internal IP addresses on external router interfaces?
F. Are outbound anti-spoof filters applied on external router interfaces?
G. Is outbound traffic that does not have a valid internal source IP address blocked on external router interfaces?
H. Are defined ACLs appropriate and as restrictive as possible (e.g. permitting specific IP addresses instead of IP address ranges, etc)?
I. Are ACL entries ordered in terms of traffic volumes for efficient use of CPU cycles?
2. Availability Management
A. Is the router proactively monitored and the network group notified in the event of unavailability?
B. Do software and hardware maintenance contracts exist? If so, are the problem response and resolution time appropriate?
C. Does redundant equipment exist (e.g. hot, warm, cold standby)?
D. Are there availability requirements? If so, are the requirements met?
3. Capacity management
A. Is there regular monitoring of router utilization and performance?
B. Is router capacity forecasting and planning performed?
4. Security Management - Access control
A. Are routers password protected (e.g. TACACS authentication, etc)?
B. Do router passwords comply with corporate policies for password management?
C. Are router passwords changed on a regular basis?
D. Is the list of authorized users with logical access restricted?
E. Do formal procedures exist for granting and removing users with logical access?
F. Is the list of authorized users reviewed on a regular basis? Inactive accounts should be disabled and deleted in a timely manner.
G. Are logical access attempts logged and regularly reviewed?
H. Are passwords encrypted in the router configuration (e.g. using 'enable secret', 'service password-encryption', etc)?
I. Is logical access to the router restricted by hosts and/or networks using ACLs?
J. Is physical access to routers restricted (e.g. secured in data center) and recorded?
K. Are unnecessary network services disabled on the router (e.g. FINGER, CDP, BOOTP, HTTP, udp-small-servers, tcp-small-servers, etc)?
L. If SNMP service is required, are default SNMP communities (e.g. public, private, etc) denied access?
(1) Is SNMP access restricted to authorized communities? Is SNMP access restricted to certain IP addresses?
(2) Are SNMP community names changed on a regular basis?
M. Are sessions disconnected after a fixed idle time?
N. Are login warning banners in place to warn both authorized and unauthorized users of intentional misuse?
O. Are dial-in connections used for remote access? If so, are appropriate access controls in place (e.g. user authentication, logging of access attempts, etc)?
Encrypted access options: Direct console session, SSH
Unencrypted access options: TELNET, SNMP, TFTP
To show status of SSH:
Router> show ip ssh
TCP and UDP small servers are enabled by default on Cisco IOS Software Version 11.2 and earlier.
The TCP small servers are:
Echo: Echoes back whatever you type by using the telnet x.x.x.x echo command.
Chargen: Generates a stream of ASCII data. The command to use is telnet x.x.x.x chargen.
Discard: Throws away whatever you type. The command to use is telnet x.x.x.x discard
Daytime: Returns system date and time, if correct. It is correct if you are running Network Time Protocol (NTP) or have set the date and time manually from the exec level. The command to use is telnet x.x.x.x daytime.
The UDP small servers are:
Echo: Echoes the payload of the datagram you send.
Discard: Silently pitches the datagram you send.
Chargen: Pitches the datagram you send and responds with a 72-character string of ASCII characters terminated with a CR+LF.
To disable TCP and UDP small servers (global configuration mode):
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
To show status of CDP service:
Router> show cdp
To disable CDP globally:
Router(config)# no cdp run
To disable BOOTP service:
Router(config)# no ip bootp server
To disable FINGER service:
Router(config)# no service finger
To show status of HTTP service:
Router# show ip http server status
To disable HTTP service:
Router(config)# no ip http server
To show status of SNMP service:
Router# show snmp
5. Security Management - Audit / Logging
A. Are audit (e.g. syslog) functions enabled?
B. Are logs of appropriate level (e.g. informational) recorded?
C. Are Deny ACLs logged (Parameter 'log' or 'log-input' should be configured at the end of the ACLs to be logged)?
D. Are log entries recorded on a secured management workstation and reviewed by the network group on a regular basis?
E. Are system logs archived on a regular basis?
To show status of system logging:
Router# show logging
To show the router ACLs:
Router> show access-lists [access-list-number | access-list-name]
6. Change Management
A. Are appropriate change management procedures established?
B. Are change records maintained?
C. Are the changes authorized prior to deployment?
D. Are contingency plans in place prior to implementing changes?
E. Who is authorized to make changes to the router?
F. Are the change management procedures supported by segregation of duties principles?
7. Release Management
A. Are routers running vendor supported software versions?
B. Are routers running software appropriate for the hardware and features required?
C. Are routers maintained with current fixes/patches?
D. Are applied patches/fixes documented?
E. Are patches/fixes applied in a timely manner?
F. Does the network group follow established change management procedures for applying patches/fixes?
G. Are patches/fixes tested and approved before deployment?
To show Cisco IOS software version:
Router> show version
8. Configuration Management
A. Are backup copies of the router configurations maintained?
B. Are the backup router configurations stored in a secured location?
C. Are router configurations documented?
D. When are router configuration backups performed (e.g. regular basis, post change)?
E. Have the router configurations ever been restored (production or test)?
F. Does the network group follow established change management procedures for applying configuration?
G. Are configurations tested and approved before deployment?
9. Problem Management
A. Are problems tracked and resolved on a timely basis?
B. Do adequate problem investigation and diagnosis procedures exist?
C. Are the members of the network group fully qualified and trained in router management and configuration?
D. Are there escalation paths (e.g. vendor, corporate, etc) for problem resolution?
A. Test services that are supposed to be permitted.
B. Test services that are supposed to be denied.
C. Test from both the internal network and the external Internet (via ISP connection).
Well that's this checklist on routers (Cisco focused). I look forward to your feedback. I am hoping we have all the technical/administrative areas covered. Also, please note that this is one part of our whole audit of internet services. We also have a separate checklist for wireless networks now as well.
Thank you in advance for your help!
Note: I realized yesterday that I said "Feeback" instead of "Feedback" I could only fix it in the subject line. Sorry about that.
April 1st, 2005, 02:07 AM
Hey KuiXing-2005, great topic, I'm actually writing a tutorial for hardening routers that I will be submitting in the Tut section soon.
You have covered most of the bases. I love an eye for detail.
However, if I could just add some thoughts:
0. Background Information Sources
NSA's Router Security Configuration Guide
Cisco SAFE Blueprint
1. Routing Rules
Why not assess whether there is MD5 encryption or access-control for routing updates for peers?
Internal traceroute and some management protocols such as Cisco Works and Tivoli require IP unreachables to be enabled. In this case you may want to allow ICMP unreachables, but to avoid backscatter, you could use "ip icmp rate-limit unreachable" instead.
Do you utilize a sinkhole or null routes for egress traffic that violates RFC1918 or is bogon?
2. Availability Management
I would add authentication or spoof protection on VRRP or HSRP updates.
Here is a list of other options you may want to consider:
- Disable AUX port
- Set timeout on AUX port to 0 0
- Disable transport protocols on AUX and CON ports
- Source all routed protocols (syslog, snmp, AAA) from router loopback address
- Is syslog sent to a central syslog server
- Is NTP running in client mode (good) instead of broadcast (bad)?
Very small list compared to what you have already put together
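Added example, not code from either post: a small Python auditor that runs the technical items of KuiXing-2005's checklist (keyed by their item letters) and aciscorouter's additions (keys prefixed "R") against a saved 'show running-config'. Both configurations below are constructed for illustration; the hash, addresses and community string are placeholders. Two assumptions are mine: the AUX port check looks for 'no exec' plus 'transport input none', and the loopback-sourcing check covers only 'logging source-interface' and 'snmp-server trap-source'. Because IOS omits defaults from the running config, each check tests what the text can prove: an explicit 'no ...' where the default is the unsafe state (CDP, source routing, BOOTP) and the absence of the enabling line where the default is safe (small servers on 11.3 and later, directed broadcast on 12.0 and later).

```python
# Added example: offline audit of an IOS running-config against the thread's checklist.
import re

# Constructed "weak" config (not from a real device): nearly every item fails.
WEAK_CONFIG = """\
service tcp-small-servers
no service password-encryption
enable password cisco123
logging 10.1.1.20
snmp-server community public RO
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip directed-broadcast
 standby 1 ip 10.1.1.254
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
ip http server
ntp server 10.1.1.10
banner motd ^C Authorized use only ^C
line aux 0
 transport input all
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
"""

# Constructed "hardened" config: the same router with every item addressed.
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$placeholder$hash
no ip source-route
no ip bootp server
no cdp run
no ip http server
logging source-interface Loopback0
logging 10.1.1.20
snmp-server community Rd0nly-2005 RO 10
snmp-server trap-source Loopback0
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 7 0822455D0A16
 standby 1 ip 10.1.1.254
 standby 1 authentication md5 key-string 7 0822455D0A16
router ospf 1
 area 0 authentication message-digest
ntp server 10.1.1.10
banner login ^C Authorized use only ^C
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

def parse(text):
    """Return (top-level lines, {section header: [indented child lines]})."""
    top, sections = [], {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and top:          # indented: belongs to last header
            sections[top[-1]].append(raw.strip())
        else:
            top.append(raw.rstrip())
            sections[top[-1]] = []
    return top, sections

def audit(text):
    """Map each checklist item to True (pass) or False (finding)."""
    top, sections = parse(text)
    has = lambda p: any(l.startswith(p) for l in top)                # global lines only
    ifaces = [c for h, c in sections.items() if h.startswith("interface ")]
    in_iface = lambda p: any(l.startswith(p) for c in ifaces for l in c)
    vty = [c for h, c in sections.items() if h.startswith("line vty")]
    aux = [c for h, c in sections.items() if h.startswith("line aux")]
    hsrp = [c for c in ifaces if any(re.match(r"standby \d+ ip ", l) for l in c)]
    return {
        "1A no ip directed-broadcast": not in_iface("ip directed-broadcast"),
        "1B no ip source-route": has("no ip source-route"),
        "4H enable secret, service password-encryption": has("enable secret")
            and not has("enable password") and not has("no service password-encryption"),
        "4I vty access-class": bool(vty) and all(any(l.startswith("access-class") for l in c) for c in vty),
        "4I vty ssh only": bool(vty) and all("transport input ssh" in c for c in vty),
        "4K no small servers": not has("service tcp-small-servers") and not has("service udp-small-servers"),
        "4K no cdp run": has("no cdp run"),
        "4K no ip bootp server": has("no ip bootp server"),
        "4K no ip http server": not has("ip http server"),
        "4L no default SNMP community": not any(re.match(r"snmp-server community (public|private)\b", l) for l in top),
        "4M no exec-timeout 0 0": not any("exec-timeout 0 0" in c for c in sections.values()),
        "4N login banner": has("banner motd") or has("banner login"),
        "5A syslog host": any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", l) for l in top),
        "R routing update auth": not has("router ospf") or in_iface("ip ospf message-digest-key"),
        "R HSRP auth": all(any(re.match(r"standby \d+ authentication", l) for l in c) for c in hsrp),
        "R aux port disabled": bool(aux) and all("no exec" in c and "transport input none" in c for c in aux),
        "R ntp client mode": has("ntp server") and not has("ntp broadcast") and not in_iface("ntp broadcast"),
        "R loopback-sourced syslog/snmp": has("logging source-interface Loopback")
            and has("snmp-server trap-source Loopback"),
    }

def findings(text):
    """Sorted names of the failed checks, ready for the audit workpaper."""
    return sorted(k for k, ok in audit(text).items() if not ok)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "findings:", findings(cfg) or "none")
```

Paste a real 'show running-config' into the string (or read it from a file) and the findings list is the set of checklist items to write up. Anything that passes only because the enabling line is absent should still be confirmed on the box with the show commands from the first post (show cdp, show ip http server status, show snmp), since that is the only way to prove the default on that IOS release.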
April 4th, 2005, 04:44 PM
Great feedback aciscorouter! I will take back to the other author to incorporate.