Management Protocols Vulnerabilities
Remote management of Cisco devices is possible through a variety of protocols, each of which requires additional attention from a security perspective. Apart from the risk of unauthorized administrative access, many of these protocols are exposed to reconnaissance and denial-of-service (DoS) attacks. Knowing what goes on in your network is an important aspect of network security, and there are several methods available to manage and monitor network devices: IDS/IPS systems can monitor network traffic for suspicious activity, network monitors such as a sniffer on a computer with a NIC in promiscuous mode can capture raw network traffic, and an administrator can use the same scanning tools that are popular amongst attackers to see what the network actually exposes. Following are some of the most common management protocols and their primary vulnerabilities. The actions to mitigate the risks or prevent the attacks that abuse these vulnerabilities will be covered in more detail in future TechNotes.
Telnet is still the most commonly used protocol to manage network devices. Telnet is a terminal emulation protocol that allows access to a CLI on a remote system. Telnet is considered insecure mainly because it sends all information, including user names and passwords, in clear text, so anyone who can sniff the path between the administrator and the device obtains the credentials. Therefore, Telnet should be disabled and replaced with SSH (Secure SHell). SSH provides the same CLI access as Telnet but encrypts the whole session, and it authenticates the router to the client by means of the router's RSA host key (the client caches this key and warns when it changes, which is the main defence against a man-in-the-middle). SSH is available only if the IOS image is a crypto (k9) image, and SSH version 2 should be used where the image supports it, since version 1 has known protocol weaknesses. Access lists should be configured on the VTY lines (access-class) to restrict access to the IP addresses of administrators and network management stations, so that even a leaked password cannot be used from an arbitrary host.
The Trivial File Transfer Protocol (TFTP) is a connectionless Application layer protocol, running over UDP, that is used for transferring IOS images and configuration files between a router and a TFTP server. TFTP has no authentication of its own, so anyone who can reach the server can request any file whose name they can guess. Like Telnet, TFTP sends information over the network in clear text, which means an attacker can use a sniffer to capture configuration files or image files while a legitimate user transfers them. Note that the service password-encryption command does not make a captured configuration safe: it only obscures passwords with the reversible type 7 encoding, which freely available tools decode in seconds, and only the enable secret and username ... secret hashes withstand offline attack. Even then, the remaining information in a configuration file (addresses, access lists, SNMP community strings, routing protocol keys) can be very valuable to an attacker. The best solution is to use TFTP over IPsec-protected connections only. TFTP uses UDP port 69, which should be blocked on border routers wherever possible. On devices that support it, the Secure Copy Protocol (SCP) should be used instead, since it transfers files over an authenticated and encrypted SSH session. Just as with Telnet, access lists should be configured to restrict TFTP access to the addresses of the TFTP server and the management stations.
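The following IOS configuration, added here as an example and not part of the original TechNote, puts the Telnet and TFTP recommendations above into practice: it replaces Telnet with SSH version 2 on the VTY lines, restricts those lines to the management subnet, and enables the SCP server so that images and configurations no longer have to travel over TFTP. The hostname, domain name, addresses, user name, password and image file name are assumed values; adjust them for your network.

```cisco
! Added example (not from the original TechNote): replace Telnet with SSH
! and TFTP with SCP on a Cisco IOS router. Hostname, domain, addresses,
! user name, password and file name are assumed values.
hostname R1
ip domain-name example.net
!
! Local administrator account. "secret" stores a hash, unlike "password",
! which stores clear text or the reversible type 7 encoding.
username admin privilege 15 secret ChangeMe-Str0ng!
!
! AAA against the local database; SCP requires it so that SSH users are
! authorized for privilege-15 file access.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! The RSA host key is what authenticates the router to SSH clients.
! Generating it requires a crypto (k9) image, and hostname and domain
! must already be set because the key name is derived from them.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management subnet may reach the VTY lines; other attempts are logged.
ip access-list standard MGMT-HOSTS
 permit 10.10.1.0 0.0.0.255
 deny   any log
!
! Extend the range if your platform has more than five VTY lines.
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login authentication default
 exec-timeout 10 0
!
! SCP server: file transfers now ride the authenticated, encrypted SSH session.
ip scp server enable
!
! Fetch an image over SCP instead of TFTP (privileged EXEC, not config mode):
!   copy scp://admin@10.10.1.5/c2900-universalk9-mz.SPA.bin flash:
```

Once the VTY lines carry transport input ssh, verify from a management host that a connection to TCP port 23 is refused and that an SSH login from outside the MGMT-HOSTS range is rejected, and do this while your existing session (or a console connection) is still open in case the access list locks you out.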
Many of the newer Cisco systems support remote management through a web-based GUI, which allows administrators to use a web browser to access network devices over any connection that permits HTTP. Although the IOS HTTP server supports client authentication, it does not encrypt traffic, so the credentials and the configuration data displayed in the browser travel in clear text exactly as they do with Telnet. To prevent interception of confidential information such as passwords, the plain HTTP server should be disabled and HTTPS (HTTP over SSL/TLS) should be configured on the device instead. SSL/TLS provides confidentiality through symmetric encryption of the session, integrity through MD5- or SHA-1-based message authentication codes, and authentication of the device through its certificate and digital signatures. If the web interface is not needed at all, disable both servers; an unused management interface is only attack surface.
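As an added example (not from the original TechNote), the following IOS configuration disables the clear-text HTTP server and leaves only HTTPS reachable from the management subnet. The access list number and subnet are assumed values.

```cisco
! Added example (not from the original TechNote). ACL number and subnet are
! assumed values.
!
! Turn off the clear-text server; leave only HTTPS (TCP 443).
no ip http server
ip http secure-server
! Web sessions authenticate against the same local accounts as SSH.
ip http authentication local
! Only the management subnet may open a browser session to the device;
! everything else is dropped and logged.
access-list 10 permit 10.10.1.0 0.0.0.255
access-list 10 deny   any log
ip http access-class 10
```

Check with show ip http server status that the plain server reports Disabled and the secure server Enabled. The first time the secure server is enabled, IOS generates a self-signed certificate, so browsers will warn; pinning that certificate on the management stations, or enrolling the device with an internal CA, is what stops an attacker from substituting their own certificate unnoticed.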
The Simple Network Management Protocol (SNMP) is an Application layer protocol that is used to monitor, and gather information about, network systems and devices. An SNMP agent runs on each managed device and answers queries from, and sends statistics, events, and other information to, a central network management station. On the management station, the information is stored in a database that can be used to produce graphs, reports, baselines and other useful overviews of the network. Because the information SNMP provides (interface addresses, routing tables, ARP caches, software versions and, with write access, the entire configuration) is just as valuable to an attacker, SNMP traffic to and from untrusted networks should be blocked at border routers or firewalls. SNMP uses UDP port 161 for requests to the agent and UDP port 162 for traps and informs sent to the management station. Besides passive monitoring, SNMP can also be used to configure network devices by using SNMP write (SET) operations, which on IOS can even replace the running configuration. Not all devices enable this feature by default, but if yours does and you do not need it, make sure that no read-write community string or write view is configured.
SNMP versions 1 and 2c use community strings as passwords to control access, and the strings are sent in clear text in every packet. The default community string for read operations is "public", and for read-write operations it is "private". These 'passwords' are well known and should be changed to something confidential, and an access list should limit which hosts may query the agent at all. Even then, an attacker who can sniff a single SNMP packet, or run publicly available tools to brute-force the community string, gains access to the SNMP information. SNMP version 3 adds per-user authentication with MD5 or SHA-1 keyed hashes, as well as message encryption, and should be used if available, with the SNMPv1/v2c community strings removed entirely.
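The following IOS configuration is an added example, not part of the original TechNote. It removes the default community strings, restricts SNMP to a single management station, and defines an SNMPv3 group and user that require both authentication and encryption (the priv security level). Names, addresses and passphrases are assumed values.

```cisco
! Added example (not from the original TechNote): SNMPv3 with authentication
! and privacy only. Names, addresses and passphrases are assumed values.
!
! Remove the well-known defaults (and any other v1/v2c community).
no snmp-server community public
no snmp-server community private
!
! Only the network management station may talk SNMP to this device.
access-list 20 permit host 10.10.1.5
access-list 20 deny   any log
!
! Read-only view of the whole MIB tree. No write view is defined on the
! group, so SET requests are refused even from an authenticated user.
snmp-server view MGMT-VIEW iso included
snmp-server group MGMT-RO v3 priv read MGMT-VIEW access 20
!
! v3 user: SHA-1 keyed-hash authentication and AES-128 encryption. Because
! the group is "priv", packets lacking either are dropped.
snmp-server user nms-poller MGMT-RO v3 auth sha Auth-Passphrase-1 priv aes 128 Priv-Passphrase-1
!
! Traps and informs to the NMS use the same security level and user.
snmp-server host 10.10.1.5 version 3 priv nms-poller
snmp-server enable traps snmp authentication linkdown linkup coldstart
```

Note that snmp-server user lines do not appear in show running-config (the credentials are kept outside the configuration); use show snmp user to confirm the account exists. Add a write view to the group only if the management station really needs to modify the device, since that turns a leaked passphrase into full control of the configuration.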
Syslog is a logging service running on a server, to which network devices can send events such as IDS/IPS alarms, PIX firewall events, and CBAC audit trails. The main problem with syslog is that logging information is sent to the syslog server in plain text, so an attacker can easily capture the packets and read their contents. Because syslog packets carry no authentication or integrity check, and are normally sent over UDP (port 514), an attacker can also alter messages in transit or inject forged messages from a spoofed source address to hide an intrusion or flood the log. To reduce the risks involved in using syslog, access lists should be configured on the server (or on the firewall in front of it) to accept syslog only from the known network devices, and events should be sent over secure channels only, for example through IPsec-encrypted tunnels.
The Network Time Protocol (NTP) is an Application layer protocol used to provide accurate time synchronization in LANs and WANs by synchronizing the clock of a computer to a reference time source, such as an NTP server or a radio or satellite (GPS) receiver. NTP is capable of synchronizing distributed clocks to within milliseconds. Keeping the time on network devices synchronized and accurate is important for several reasons. Events, notifications, and alarms with incorrect timestamps cannot be correlated across devices and undermine the integrity of log files and audit trails. Security protocols such as IPsec, Kerberos, and digital signatures use timestamps or validity periods to prevent information from being reused in a replay attack; if there is a mismatch between the times on two devices, processes such as authentication, including setting up IPsec tunnels, will fail. Consequently, an attacker who can forge NTP packets can alter the time on devices and create a denial of service for every service that depends on accurate time. NTP version 3 and higher support MD5 authentication of the time source and should be used if available, together with an access list that limits which hosts the device accepts time from and serves time to. NTP uses UDP port 123.
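The following IOS configuration is an added example, not part of the original TechNote, and covers the syslog and NTP sections together: it authenticates the NTP source with an MD5 key, limits which hosts the device exchanges NTP with, and then sends timestamped log messages to a syslog collector from a fixed source interface so that the collector's access list can match on one address per device. Addresses, the key and the loopback interface are assumed values; the IPsec tunnel that should protect the syslog traffic on the wire is not shown.

```cisco
! Added example (not from the original TechNote). Addresses, key and
! interface names are assumed values.
!
! --- NTP: trust only an authenticated source -----------------------------
ntp authenticate
ntp authentication-key 1 md5 NtpSharedSecret1
ntp trusted-key 1
! Synchronize only to this server, and only when its packets carry key 1.
ntp server 10.10.1.7 key 1 prefer
! Once an NTP access group exists, packets from any source that matches no
! group are dropped, so forged NTP from elsewhere cannot move the clock.
access-list 30 permit host 10.10.1.7
ntp access-group peer 30
!
! --- Syslog: timestamped events to the collector -------------------------
! Stamp every message with the synchronized clock, to the millisecond.
clock timezone UTC 0
service timestamps log datetime msec show-timezone
service timestamps debug datetime msec show-timezone
! Keep a local buffer as well, in case the collector is unreachable.
logging buffered 64000 informational
logging trap informational
! Always source syslog from the loopback so the collector can filter on a
! single, stable address for this device.
logging source-interface Loopback0
logging host 10.10.1.6
```

Confirm with show ntp status that the clock reports synchronized before trusting the timestamps, and with show ntp associations that the server is marked as authenticated. On the collector, the matching control is a host firewall rule that accepts UDP 514 only from the loopback addresses of your devices; anything else arriving on that port should be treated as an injection attempt and logged.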
The Cisco Discovery Protocol (CDP) is a media- and network-protocol-independent Layer 2 protocol that is used to discover information about neighboring Cisco devices. Because CDP operates at the Data Link layer, it does not need a network layer protocol such as IP or IPX to transfer information. It advertises, unencrypted and unauthenticated, information such as the type of device, the IOS software version, the platform, and the network layer addresses of the sending device. A malicious individual on the same segment can use this information for a reconnaissance attack (the exact software version is all that is needed to look up applicable vulnerabilities), or send large amounts of forged CDP traffic to exhaust the neighbor table and create a denial of service. The best remedy against these vulnerabilities is to disable CDP globally on the device (no cdp run), or to enable it only on the interfaces that require it, for example those connected to IP phones or to other managed switches. CDP should never be enabled on interfaces facing public or untrusted networks, and the same applies to LLDP, which advertises similar information.