Feb 27

Network security is becoming more important every day. The main reasons include the rapid spread of e-commerce, the growing variety of banks' interactive applications, and the rising importance of the e-government concept. The security of a network depends directly on each device on that network being configured securely.

It is therefore important, for the overall security of the system, that the configurations of active network devices be strict and their security raised to the highest level. For example, when the HTTP service on a network device is enabled unnecessarily and access to it is not restricted, a person attacking the device through the HTTP service may reach the device's configuration file or attempt to disrupt the device's operation. The goals of hardening can be summarized as follows:

· Controlling access to device management and preventing unauthorized access to the device
· Inspecting the traffic passing through the device and blocking unnecessary traffic
· Reducing the success rate of attacks against the device or the network to the lowest level

The main points to consider when hardening include keeping the operating system up to date, password protection, setting authorization levels, restricting remote access, restricting local access, logging access and traffic, taking measures against IP spoofing, taking measures against denial-of-service attacks, disabling unused services, and restricting access to the services that are in use.

To avoid problems during hardening, it is recommended to record the settings in place beforehand and keep a copy of the configuration file. If hardening breaks some function and the problem cannot be solved in a few steps, the old settings may need to be reapplied.

Hardening can be approached in different ways. The device's configuration file can be reviewed by hand and hardened where needed, or the configuration file can be tested with a ready-made tool and the necessary settings adjusted according to the tool's report.

Many tools are available for hardening work. Some are free and some are commercial. The rest of this article describes reviewing configuration files and performing a security analysis with Nipper, a free tool. As an example, it also gives the report and recommendations that Nipper produced for the configuration file of a Cisco switch running IOS.

Nipper is a free configuration file review and security analysis tool. With Nipper, the configuration files of certain network devices can be reviewed from a security standpoint.

The devices and operating systems supported by Nipper are:

· Switches running Cisco IOS
· Routers running Cisco IOS
· Switches running Cisco CatOS
· Cisco PIX firewall
· Cisco ASA firewall
· Cisco FWSM firewall
· Cisco CSS-based content services switches
· Juniper NetScreen ScreenOS-based firewall

During the security review, Nipper can test passwords and connection timeout periods. These options can be changed from the nipper command line. The options are:

· Timeout test
· Minimum password length test
· Test for uppercase letters in the password
· Test for lowercase letters in the password
· Test for numbers in the password
· Test for special characters in the password
· Dictionary attack test against passwords

In its security analysis, Nipper examines certain important parts of the configuration file. Some of the parts it examines and audits are listed below.

On IOS-based operating systems:

· Software versions
· Default passwords
· Weak passwords
· OSPF authentication
· EIGRP authentication
· RIP authentication
· VRRP authentication
· Connection timeouts
· AUX port
· Source routing
· Finger service
· HTTP service
· SNMP version 1 / 2
· Telnet
· Access lists
· Switch port security
· Logging
· Proxy ARP
· SSH protocol version
· CDP
· Minimum password length
· BOOTP
· IP unreachables
· Enable password
· Secret / clear-text password
· Banner

PIX/ASA/FWSM:

· Connection timeouts
· Access control lists
· SSH protocol version

Juniper NetScreen:

· Policies
· Connection timeout
· Administrative HTTP redirect
· Management IP address

Reviewing a Sample Configuration File with Nipper

This section gives the configuration file of a Cisco switch reviewed with Nipper, and the security report for that configuration file. Sample Cisco IOS configuration file:

version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Cisco-2950
enable secret 5 $1$xv3v$3syk.LQ9ZwjE4/F5A3Lb37
enable password 7 095C4F4D5D1247000F
username admin password 7 095C4F4D5D1247000F
ip subnet-zero
no ip domain-lookup
cluster enable INTERNET 1
cluster member 2 mac-address 0007.85d7.d456
cluster member 3 mac-address 0007.50ef.f345
cluster member 4 mac-address 0007.8503.3266
cluster member 5 mac-address 0009.7c90.d341 vlan 1
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
interface Loopback0
 no ip address
 no ip route-cache
interface Port-channel1
interface Port-channel2
interface FastEthernet0/1
 description TEST1
 switchport access vlan 11
interface FastEthernet0/2
 description TEST2
 switchport access vlan 6
 switchport mode access
interface FastEthernet0/3
 description TEST3
 switchport access vlan 11
 switchport mode access
 switchport port-security
 shutdown
interface FastEthernet0/4
 description TEST4
 switchport access vlan 11
 switchport mode access
 switchport port-security
 switchport port-security maximum 4
 switchport port-security violation restrict
 shutdown
 spanning-tree portfast
interface FastEthernet0/5
 description TEST5
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0016.6764.451b
 spanning-tree portfast
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
interface Vlan6
 ip address 10.1.1.5 255.255.255.0
 ip access-group 15 in
 no ip route-cache
ip default-gateway 10.1.1.1
no ip http server
ip access-list extended CMP-NAT-ACL
 dynamic Cluster-HSRP deny ip any any
 dynamic Cluster-NAT permit ip any any
logging 10.3.1.8
access-list 15 permit 10.1.1.1
access-list 15 permit 10.1.1.34
access-list 15 deny any
snmp-server community commtest1 RO 15
snmp-server community commtest2 RO
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps entity
snmp-server enable traps rtr
snmp-server enable traps c2900
snmp-server enable traps vtp
snmp-server enable traps MAC-Notification
snmp-server enable traps hsrp
snmp-server enable traps cluster
snmp-server enable traps vlan-membership
line con 0
 exec-timeout 0 0
 password 7 095C4F4D5D1247000F
 login local
line vty 0 4
 password 7 095C4F4D5D1247000F
 login local
line vty 5 15
 access-class 15 in
 password 7 095C4F4D5D1247000F
 login local
end

When the configuration file was reviewed by Nipper, the following security report was produced.

Cisco Switch Device Cisco-2950 Security Report

Nipper performed a security audit of the Cisco Switch Cisco-2950 on Thursday March 2008. This report details the security-related issues identified during the security audit, the impact of each issue and any recommendations.

· Software Version
· Weak Passwords / Keys
· Inbound TCP Connection Keep Alives
· Connection Timeout
· Simple Network Management Protocol
· ICMP Redirects
· Access Control Lists
· Switch Port Trunking
· Switch Port Security
· Proxy ARP
· Cisco Discovery Protocol
· BOOTP
· IP Unreachables
· Enable Secret
· Login Banner
· Maintenance Operations Protocol

Software Version

Observation: It is critically important that software be regularly maintained with patches and upgrades in order to help mitigate the risk of an attacker exploiting a known software vulnerability. Furthermore, additional security features and other functionality are normally added or extended with each software revision.

Nipper determined that the Cisco Switch Cisco-2950 was running the out of date software Internet Operating System (IOS) version 12.1. Some of the known vulnerabilities for this software version are listed in Table 1. 


| Description | CVE Reference | Bugtraq ID |
|---|---|---|
| ?/ http request denial of service | CVE-2000-0984 | 1838 |
| http configuration arbitrary administrative access | CVE-2001-0537 | 2936 |
| SSH denial of service | CVE-2002-1024 | 5114 |
| 2GB http GET buffer overflow | CVE-2003-0647 | 8373 |
| http malformed request denial of service | - | 10014 |
| Telnet remote denial of service | CVE-2004-1464 | 11060 |
| Ipv4 TCP listener denial of service | CVE-2007-0479 | 22208 |

Table 1: Potential software vulnerabilities

It is worth noting that Nipper used the version number detailed in the device configuration to identify the potential vulnerabilities, and patches may have already been applied. Additionally, a specific device configuration may be required in order for the device to become vulnerable.

Impact: The vulnerabilities listed in Table 1 could allow an attacker to gain remote administrative access or perform a Denial of Service (DoS) attack.

Ease: Exploit code is widely available on the Internet for known Cisco Switch vulnerabilities.

Recommendation: Nipper strongly recommends that the software be updated and patched to the latest software version. Furthermore, Nipper recommends that the current patch policy be reviewed.

Weak Passwords / Keys

Observation: Strong passwords tend to contain a number of different types of character, such as uppercase and lowercase letters, numbers and punctuation characters. Weaker passwords tend not to contain a mixture of character types. Additionally, weaker passwords tend to be short in length.

Nipper identified two passwords/keys that did not meet the minimum password complexity requirements. These are listed in Table 2.


| Type | Service | Username | Password |
|---|---|---|---|
| Community | SNMP | (read-only) | commtest1 |
| Community | SNMP | (read-only) | commtest2 |

Table 2: Weak passwords / keys

Impact: If an attacker were able to gain a password or key, either through dictionary-based guessing techniques or by a brute-force method, the attacker could gain a level of access to Cisco-2950.

Ease: A number of dictionary-based password guessing and password brute-force tools are available on the Internet.

Recommendation: Nipper strongly recommends that the weak passwords be immediately changed to ones that are stronger. Nipper recommends that passwords be made up of at least eight characters in length and contain either uppercase or lowercase characters and numbers.

Inbound TCP Connection Keep Alives

Observation: Connections to a Cisco Switch device could become orphaned if a connection becomes disrupted. An attacker could attempt a DoS attack against a Cisco Switch by exhausting the number of possible connections. Transmission Control Protocol (TCP) keep alive messages can be configured to confirm that a remote connection is valid and then terminate any orphaned connections.

Nipper determined that TCP keep alive messages are not sent for connections from remote hosts.

Impact: An attacker could attempt a DoS by exhausting the number of possible connections.

Ease: Tools are available on the Internet that can open large numbers of TCP connections without correctly terminating them.

Recommendation: Nipper recommends that TCP keep alive messages be sent to detect and drop orphaned connections from remote systems. TCP keep alive messages can be enabled for connections from remote systems using the following command:

service tcp-keepalives-in 

Connection Timeout

Observation: Connection timeouts can be configured for a number of the device services. If a timeout were configured on an administrative service, an administrator that did not correctly terminate the connection would have it automatically closed after the timeout expires. However, if a timeout is not configured, or is configured to be a long timeout, an unauthorised user may be able to gain access using the administrator’s previously logged-in connection.

Nipper identified three connection settings that were not configured to timeout within ten minutes, these are listed in Table 3.


| Connection | Timeout |
|---|---|
| Console line 0 | No Timeout |
| VTY lines 0 to 4 | No Timeout |
| VTY lines 5 to 15 | No Timeout |

Table 3: Connections with inadequate timeout periods

Impact: An attacker who was able to gain access to a connection that had not expired, would be able to continue using that connection. A connection could be a console port on the device that was not correctly terminated or a remote administrative connection.

Ease: The attacker would have to gain physical access to the device to use the console port, or gain remote access to an administration machine that is attached to the port. To gain access to remote connections, an attacker would have to be able to intercept network traffic between the client and Cisco-2950. The attacker would then have to take over the connection, which could be very difficult with some services. Tools are available on the Internet that would facilitate the monitoring of network connections.

Recommendation: Nipper recommends that a timeout period of ten minutes be configured for connections to the device Cisco-2950.

Simple Network Management Protocol

Observation: Simple Network Management Protocol (SNMP) is widely used to assist network administrators in monitoring and managing a variety of network devices. There are three main versions of SNMP in use. Versions 1 and 2 of SNMP are secured with a community string, both authenticate and transmit network packets with no encryption. SNMP version 3 provides three authentication methods. SNMP version 3 No-Auth access requires a username to authenticate and provides no encryption. SNMP version 3 Auth access requires a username and the auth keyword, authentication is encrypted but SNMP network packets are transmitted with no encryption. SNMP version 3 Auth and Priv access requires a username, auth and priv keywords. SNMP version 3 Auth and Priv access provides complete encryption of authentication and SNMP network packets.

Nipper determined that SNMP protocol version 1 was configured on Cisco-2950.

Impact: An attacker who was able to monitor network traffic could capture device configuration settings, possibly including authentication details.

Ease: Network packet monitoring and capture tools are widely available on the Internet.

Recommendation: Nipper recommends that, if possible, SNMP version 1 be disabled. Furthermore, Nipper recommends that, if SNMP is required, protocol version 3 be configured with Auth and Priv authentication. SNMP protocol version 1 can be disabled with the following command for each community string:

no snmp-server community <Community String> <RO | RW>

SNMP version 3 Auth and Priv access can be configured with the following commands:

snmp-server group <Group Name> v3 priv

snmp-server user <Username> <Group Name> v3 auth md5 <Auth Keyword> priv <3des | aes 128 | aes 192> <Priv Keyword>

ICMP Redirects

Observation: Internet Control Message Protocol (ICMP) redirect messages allow systems to change the route that network traffic takes. ICMP redirects are usually enabled by default on Cisco devices.

Nipper determined that the device Cisco-2950 had support for ICMP redirects enabled on the network interface Vlan6.

Impact: An attacker could use ICMP redirect messages to route network traffic through their own router, possibly allowing them to monitor network traffic.

Ease: Tools are widely available that can send ICMP redirect messages.

Recommendation: Nipper recommends that, if not required, ICMP redirects be disabled on all network interfaces. ICMP redirects can be disabled on each individual network interface using the following command:
 

no ip redirects

Access Control Lists

Observation: Access Control List (ACL) are sequential lists of allow and deny Access Control Entries (ACE) that specify whether network traffic should be allowed or dropped. ACLs are used to restrict access to services and network devices, preventing access to services and devices that should not be accessible.

Nipper identified one insecure ACE. The ACL 15 does not end with a deny all and log.

Impact: If ACEs are not sufficiently restrictive, an attacker may be able to gain access to network devices that should not be accessible. Furthermore, an attacker who had compromised a device could install a backdoor which could listen on a network port that was not filtered.

Ease: N/A

Recommendation: Nipper recommends that all ACLs be configured to only allow access to hosts and services from those hosts that require access. However, in certain circumstances, such as a public web server, a more relaxed configuration may be required to allow any host to access specific hosts and services. Additionally, Nipper recommends that all blocked network traffic be logged.

Switch Port Trunking

Observation: Cisco Switch devices are able to transfer Virtual Local Area Network (VLAN) packets to different network devices, extending a VLAN across different physical devices. In order to extend a VLAN to a different physical device, a trunk has to be created between the devices. Cisco Switch devices default to allowing a trunk to be negotiated on a particular switch port if the connected device will also allow the trunk and supports a common trunking protocol.

Nipper determined that two switch ports allowed a trunk to be negotiated, these are listed in Table 4.


| Interface | Description |
|---|---|
| GigabitEthernet0/1 | - |

Table 4: Switch ports that allow trunking

Impact: An attacker who was able to create a trunk would gain direct access to all the VLANs extended over the trunk. This would allow an attacker to bypass any network filtering between the VLANs.

Ease: The attacker would require knowledge of network trunking. However, tools are available on the Internet that can exploit trunking vulnerabilities.

Recommendation: Nipper recommends that, where possible, all switch ports be configured to provide no trunking. If trunking is required on a specific switch port, Nipper recommends that the switch port be configured to trunk only the required VLANs. Switch ports can be configured to provide no trunking on each interface with the following commands:

switchport mode access

switchport nonegotiate

Switch Port Security

Observation: Switch port security enables a Cisco Switch to help prevent unauthorised access to the network by limiting the Media Access Control (MAC) addresses allowed on specific ports. MAC addresses can either be specified for a particular switch port or can be learned by the Cisco Switch. When port security is configured a variety of actions can be taken when a violation occurs, such as automatically disabling the port.

Nipper identified 6 switch ports that had no port security configured, these are listed in Table 5.


| Interface | Description |
|---|---|
| Port-channel1 | - |
| Port-channel2 | - |
| FastEthernet0/1 | TEST1 |
| FastEthernet0/2 | TEST2 |
| GigabitEthernet0/1 | - |
| GigabitEthernet0/2 | - |

Table 5: Switch ports with no port security

Impact: A switch port with no configured port security could allow an attacker to attach an unauthorised device and scan other network attached devices. Depending on the security of the network attached devices, this issue could allow an attacker to perform information gathering, or potentially, gain access to vulnerable devices.

Ease: An attacker would have to gain access to a switch port with no security configured. If the switch port is not directly patched to a wall socket, the attacker would have to gain physical access to the Cisco Switch.

Recommendation: Nipper recommends that, where possible, port security be enabled on all switch ports. Furthermore, Nipper recommends that all switch ports that are not used be shutdown. Switch port security with MAC address learning and port shutdown on a violation can be configured on each interface with the following commands:

switchport port-security

switchport port-security violation shutdown

switchport port-security mac-address sticky

Unused interfaces can be disabled with the following interface command:

shutdown 

Cisco Discovery Protocol

Observation: Cisco Discovery Protocol (CDP) is a proprietary protocol that is primarily used by Cisco, but has been used by others. CDP allows some network management applications and CDP aware devices to identify each other on a Local Area Network (LAN) segment. Cisco devices, including switches, bridges and routers are configured to broadcast CDP packets by default. The devices can be configured to disable the CDP service or disable CDP on individual network interfaces.

Nipper determined that the CDP service had not been disabled, and additionally, had not been disabled on all the active network interfaces.

Impact: CDP packets contain information about the sender, such as hardware model information, operating system version and IP address details. This information would allow an attacker to gain information about the configuration of the network infrastructure.

Ease: CDP packets are broadcast to an entire network segment. An attacker could use one of the many publicly available tools to capture network traffic and view the leaked information.

Recommendation: Nipper recommends that, if not required, the CDP service be disabled on the Cisco device Cisco-2950. If CDP is required, Nipper recommends that CDP be disabled on all interfaces except those that are explicitly required.

The CDP service can be disabled by issuing the following Cisco IOS command:

no cdp run

CDP can be disabled on individual interfaces using the following command:

no cdp enable

In some configurations with IP phones, deployed using either Auto Discovery or Dynamic Host Configuration Protocol (DHCP), the CDP service may need to be enabled. In this situation CDP should be disabled on all network interfaces for which it is not required.

BOOTP

Observation: BOOTstrap Protocol (BOOTP) is a datagram protocol that allows compatible hosts to load their operating system over the network from a BOOTP server. Cisco routers are capable of acting as BOOTP servers for other Cisco devices and the service is enabled by default. However, BOOTP is rarely used and may represent a security risk.

Nipper determined that BOOTP was not disabled. However, it is worth noting that not all Cisco devices support BOOTP.

Impact: An attacker could use the BOOTP service to download a copy of the router’s IOS software.

Ease: Tools are available on the Internet to access BOOTP servers.

Recommendation: Nipper recommends that, if not required, the BOOTP service be disabled. The following command can be used to disable BOOTP:

no ip bootp server

IP Unreachables

Observation: ICMP IP unreachable messages can be generated by a Cisco device when a host attempts to connect to a non-existent host, network, or use an unsupported protocol. ICMP IP unreachable messages will let the connecting host know that the host, network or protocol is not supported or cannot be contacted. Therefore, the host does not have to wait for a connection time-out. ICMP IP unreachable messages are normally enabled by default on Cisco devices and must be explicitly disabled.

Nipper determined that the Cisco device Cisco-2950 had ICMP IP unreachable messages enabled on the interface Vlan6.

Impact: An attacker who was performing network scans to determine what services were available would be able to scan a device more quickly.

Ease: Tools are available on the Internet that can perform a wide variety of scan types.

Recommendation: Nipper recommends that, if not required, IP unreachables be disabled on all network interfaces. However, whilst disabling IP unreachables will not stop scans, it does make it more difficult for an attacker. The IP unreachables option is disabled or enabled individually for each network interface. It can be disabled with the following command:

no ip unreachables

Enable Secret

Observation: Cisco IOS-based device enable passwords can be stored using an iterated MD5 hash, which is far stronger than the easily reversible Cisco type-7 encryption.

Nipper identified one enable password that was not stored using the MD5 hash.

Impact: An attacker could use an enable password from a Cisco device to access the device and possibly modify its configuration.

Ease: An attacker who had access to the Cisco configuration file would easily be able to retrieve passwords that are stored in clear-text or using the Cisco type-7 encryption. However, an attacker who had access to a Cisco configuration file could brute-force any stronger MD5 passwords.

Recommendation: Nipper recommends that all enable passwords be stored using the MD5 hash. Enable passwords can be stored using the MD5 hash with the following Cisco IOS command:

enable secret

Login Banner

Observation: A banner message can be shown to users who connect to one of the remote management services, such as Telnet. Typically banner messages will include information on the law with regard to unauthorised access to the device, warning users who do not have the authority to access the device about the consequences.

Nipper determined that no login banner was configured.

Impact: Attackers who have gained access to a device could avoid legal action if no banner is configured to warn against unauthorised access.

Ease: N/A

Recommendation: Nipper recommends that a banner be configured that warns against unauthorised access. Banners are configured on Cisco devices using a delimiter character. A delimiter character is specified in the banner command and is used again to mark the end of the banner. The Cisco command to add a login banner, that is presented to users prior to authentication, is:

banner login <delimiter>The banner text<delimiter>
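A subset of the checks in the report above, written out as an added example (it is not Nipper's code and not part of the original article). The sample is a constructed, trimmed and re-indented excerpt of the article's configuration; the `audit` and `parse_blocks` functions and the check names are hypothetical, and a line with no explicit `exec-timeout` is flagged the way Table 3 treats it:

```python
import re

# Constructed sample: a trimmed, re-indented excerpt of the article's configuration.
SAMPLE_CONFIG = """\
hostname Cisco-2950
enable password 7 095C4F4D5D1247000F
interface FastEthernet0/1
 switchport access vlan 11
interface FastEthernet0/3
 switchport mode access
 switchport port-security
interface Vlan6
 ip address 10.1.1.5 255.255.255.0
 ip access-group 15 in
access-list 15 permit 10.1.1.1
access-list 15 permit 10.1.1.34
access-list 15 deny any
snmp-server community commtest1 RO 15
snmp-server community commtest2 RO
line con 0
 exec-timeout 0 0
 login local
line vty 0 4
 login local
"""

BLOCK_HEADERS = ("interface ", "line ")
SWITCH_PORTS = ("FastEthernet", "GigabitEthernet", "Port-channel")
MAX_TIMEOUT_MIN = 10  # limit recommended in the report

def parse_blocks(text):
    """Split a config into global commands and {block header: [sub-commands]}."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(line)  # indented: belongs to the open block
            continue
        global_cmds.append(line)
        current = line if line.startswith(BLOCK_HEADERS) else None
        if current is not None:
            blocks[current] = []
    return global_cmds, blocks

def audit(text):
    """Return (check, subject) findings for a subset of the report's checks."""
    global_cmds, blocks = parse_blocks(text)
    findings = []
    if "service tcp-keepalives-in" not in global_cmds:
        findings.append(("tcp-keepalives-in", "global"))
    if any(c.startswith("enable password") for c in global_cmds):
        findings.append(("enable-password-not-md5", "global"))
    if not any(c.startswith("banner ") for c in global_cmds):
        findings.append(("no-login-banner", "global"))
    last_ace = {}
    for c in global_cmds:
        m = re.match(r"snmp-server community (\S+)", c)
        if m:
            findings.append(("snmp-community-string", m.group(1)))
        m = re.match(r"access-list (\d+) (.+)", c)
        if m:
            last_ace[m.group(1)] = m.group(2)  # ends up holding the final entry
    for number, ace in last_ace.items():
        if not re.fullmatch(r"deny\s+any\s+log", ace):
            findings.append(("acl-no-deny-log", number))
    for header, subs in blocks.items():
        kind, name = header.split(" ", 1)
        if kind == "line":
            # A line with no explicit exec-timeout is flagged too, as in Table 3.
            t = next((s.split()[1:] for s in subs if s.startswith("exec-timeout")), None)
            minutes = int(t[0]) + (int(t[1]) if len(t) > 1 else 0) / 60 if t else 0
            if minutes == 0 or minutes > MAX_TIMEOUT_MIN:
                findings.append(("timeout", name))
            continue
        if name.startswith(SWITCH_PORTS) and "switchport port-security" not in subs:
            findings.append(("no-port-security", name))
        if any(s.startswith("ip address") for s in subs):
            for cmd in ("no ip redirects", "no ip unreachables"):
                if cmd not in subs:
                    findings.append((cmd.replace("no ip ", "icmp-"), name))
    return findings
```
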

Conclusion

As the report shows, Nipper performs a detailed security analysis of the configuration file. It gives information about vulnerabilities identified in the device software, tests passwords, and makes recommendations about services. It then reflects the findings of this analysis, and the recommendations for them, in the final report. Reviewing the configuration files of devices supported by Nipper and hardening them according to the recommendations given will contribute to system security.

Author: Ceyhun Çamlı