ASA Security Contexts
Just a mental note...
Tuesday, October 11, 2011
Monday, October 10, 2011
Cisco Auto Secure
I recently found a new command that helps with securing Cisco routers. The command is "auto secure", executed from privileged EXEC (enable) mode. When run, it asks a few questions and then applies a set of commands based on Cisco's security best practices for routers. Below is an example from a router in my test lab.
2610-4#sh run
Building configuration...
Current configuration : 750 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2610-4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Serial1/0
ip address 10.1.0.1 255.255.255.0
encapsulation ppp
clock rate 128000
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
ip address 10.0.1.2 255.255.255.0
!
router ospf 1
router-id 10.0.1.2
log-adjacency-changes
network 10.0.1.0 0.0.0.255 area 0
network 10.1.0.0 0.0.0.255 area 2
!
ip http server
ip classless
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
2610-4#auto
2610-4#auto se
2610-4#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
If this device is being managed by a network management station,
AutoSecure configuration may block network management traffic.
Continue with AutoSecure? [no]: yes
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]:
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
#
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
#
Enable secret is either not configured or
is the same as the enable password
Enter the new enable secret:
Confirm the enable secret :
Enable password is not configured or its length
is less than minimum no. of characters configured
Enter the new enable password:
Confirm the enable password:
Configuration of local user database
Enter the username: james
Enter the password:
Confirm the password:
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Securing Forwarding plane services...
Enabling CEF (This might impact the memory requirements for your platform)
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
banner #
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
#
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$U3Md$NLdPY5lpIOUf8Ht9L5omi/
enable password 7 00141215170A5955
username james password 7 082B4D5900405D40
aaa new-model
aaa authentication login local_auth local
line console 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
int Ethernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int Serial1/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int Serial1/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int Serial1/2
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int Serial1/3
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
ip cef
!
end
Apply this configuration to running-config? [yes]: yes
Applying the config generated to running-config
2610-4#
2610-4#sh run
Building configuration...
Current configuration : 2122 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 2610-4
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 $1$U3Md$NLdPY5lpIOUf8Ht9L5omi/
enable password 7 00141215170A5955
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
no ip bootp server
!
username james password 7 082B4D5900405D40
!
!
!
!
interface Ethernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
half-duplex
!
interface Serial1/0
ip address 10.1.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
clock rate 128000
!
interface Serial1/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Serial1/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Serial1/3
ip address 10.0.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
router ospf 1
router-id 10.0.1.2
log-adjacency-changes
network 10.0.1.0 0.0.0.255 area 0
network 10.1.0.0 0.0.0.255 area 2
!
no ip http server
ip classless
!
!
logging trap debugging
logging facility local2
no cdp run
banner motd ^C
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
login authentication local_auth
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
!
!
Thursday, February 17, 2011
IOS Local Password Security Features
I've been studying some of the security features built into IOS. These mostly have to do with physical security and local password security.
For instance, a feature that I've used for several years is the "service password-encryption" command. This command takes the plain-text passwords on the AUX, CON and TTY lines and in the "enable password" command and encrypts them with Cisco's own type 7 scheme (the "7" shown in front of the stored value). It's not perfect, but it will do in a pinch. One thing you will want to do immediately after executing "service password-encryption" is a "show run": the stored passwords won't change from plain-text to encrypted form until that happens.
Router(config)#service ?
....
password-encryption Encrypt system passwords
....
If you are unable to protect your Cisco equipment physically, the best option is to disable the password recovery function. Be sure to have some other way to recover passwords, however, because you will not be able to do password recovery from ROMMON.
This command isn't listed in the "?" help output, but it exists in IOS 12.3(14)T or newer.
Check out the documentation: no service password-recovery
Router(config)#no service ?
alignment Control alignment correction and logging
compress-config Compress the nvram configuration file
config TFTP load config files
dhcp Enable DHCP server and relay agent
disable-ip-fast-frag Disable IP particle-based fast fragmentation
exec-callback Enable exec callback
exec-wait Delay EXEC startup on noisy lines
finger Allow responses to finger requests
hide-telnet-addresses Hide destination addresses in telnet command
linenumber enable line number banner for each exec
nagle Enable Nagle's congestion control algorithm
old-slip-prompts Allow old scripts to operate with slip/ppp
pad Enable PAD commands
password-encryption Encrypt system passwords
prompt Enable mode specific prompt
pt-vty-logging Log significant VTY-Async events
sequence-numbers Stamp logger messages with a sequence number
slave-log Enable log capability of slave IPs
tcp-keepalives-in Generate keepalives on idle incoming network connections
tcp-keepalives-out Generate keepalives on idle outgoing network connections
Router(config)#no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.
Are you sure you want to continue? [yes/no]:
Other options include storing the passwords as MD5 hashes using the "secret" keyword: for instance, "enable secret" and "username james secret t0ps3cr37pwd". Unfortunately, the "secret" keyword isn't available on the AUX, TTY, or CON lines.
You can also set a minimum password length and a limit on authentication failures.
Router(config)#security ?
authentication Authentication security CLIs
passwords Password security CLIs
Router(config)#security auth
Router(config)#security authentication ?
failure Authentication failure logging
Router(config)#security authentication fa
Router(config)#security authentication failure ?
rate Authentication failure threshold rate
Router(config)#security authentication failure ra
Router(config)#security authentication failure rate ?
<2-1024> Authentication failure threshold rate
Router(config)#security authentication failure rate 5 ?
log log a message if the Authentication failures over the last one minute equalled this number
Router(config)#security authentication failure rate 5 l
Router(config)#security authentication failure rate 5 log ?
Router(config)#security pas
Router(config)#security passwords ?
min-length Minimum length of passwords
Router(config)#security passwords min
Router(config)#security passwords min-length ?
<0-16> Minimum length of all user/enable passwords
Router(config)#security passwords min-length 16 ?
Router(config)#enable ?
last-resort Define enable action if no TACACS servers respond
password Assign the privileged level password
secret Assign the privileged level secret
use-tacacs Use TACACS to check enable passwords
Router(config)#enable sec
Router(config)#enable secret ?
0 Specifies an UNENCRYPTED password will follow
5 Specifies an ENCRYPTED secret will follow
LINE The UNENCRYPTED (cleartext) 'enable' secret
level Set exec level password
Router(config)#enable secret
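The checks from this post and from the Cisco Auto Secure post above can be run against a saved "show run" dump. The Python script below is an added example, not Cisco's code and not part of this blog: it parses a running-config, flags the AutoSecure global and per-interface items that are missing, reports services AutoSecure would have disabled, and audits local credentials for the weaknesses discussed here (no "enable secret", plaintext line passwords, type 7 passwords left by "service password-encryption", and a missing "security passwords min-length" or "security authentication failure rate"). The two sample configs are constructed, abridged from the before/after "sh run" outputs in that post, with a plaintext vty password added so that check has something to find. The required and forbidden lists only contain commands that actually appear in "show run" on that 12.3 image (defaults such as "no service finger" are not displayed, so the script looks for their enabled form instead), and the telnet finding is my own addition beyond AutoSecure's list.

```python
"""Audit a Cisco IOS 'show run' dump for the hardening AutoSecure applies and the
local-password points above. Added example, not Cisco's or this blog's code."""
import re

# Globals AutoSecure left visible in 'show run'. IOS defaults such as 'no service
# finger' are not displayed, so their enabled form is listed as forbidden instead.
REQUIRED_GLOBAL = ["service password-encryption", "service tcp-keepalives-in",
                   "service tcp-keepalives-out", "no service pad", "no cdp run",
                   "no ip http server", "no ip source-route", "no ip bootp server",
                   "no ip gratuitous-arps", "aaa new-model"]
FORBIDDEN_GLOBAL = ["service finger", "ip finger", "service udp-small-servers",
                    "service tcp-small-servers", "ip http server"]
REQUIRED_PER_INTERFACE = ["no ip redirects", "no ip unreachables", "no ip proxy-arp"]
MIN_PASSWORD_LENGTH = 6  # the value AutoSecure configured in the session above
# 'password cisco', 'password 0 cisco', 'enable password 7 ...', 'username j password 7 ...'
CRED_RE = re.compile(r"^(?:username \S+ |enable )?password(?: (\d+))? \S+$")  # g1 = type
# Constructed samples abridged from the two 'sh run' outputs in the AutoSecure
# post; a plaintext vty password was added to BEFORE so that check has a hit.
BEFORE = """\
interface Serial1/3
ip http server
line vty 0 4
 password cisco
end
"""
AFTER = """\
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
security authentication failure rate 10 log
security passwords min-length 6
enable secret 5 $1$U3Md$NLdPY5lpIOUf8Ht9L5omi/
enable password 7 00141215170A5955
aaa new-model
no ip source-route
no ip gratuitous-arps
no ip bootp server
username james password 7 082B4D5900405D40
interface Serial1/3
 no ip redirects
 no ip unreachables
 no ip proxy-arp
no ip http server
no cdp run
line vty 0 4
 transport input telnet
end
"""

def parse_config(text):
    """Global lines plus sections keyed by header ('interface Serial1/3', 'line vty 0 4')."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line in ("!", "end"):  # '!' and 'end' close a section
            current = None
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())  # IOS indents sub-commands
        elif line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, sections

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, sections = parse_config(text)
    findings = [f"MISSING: {c}" for c in REQUIRED_GLOBAL if c not in global_lines]
    findings += [f"PRESENT: {c}" for c in FORBIDDEN_GLOBAL if c in global_lines]
    for name, body in sections.items():
        if name.startswith("interface "):
            findings += [f"MISSING: {c} on {name}" for c in REQUIRED_PER_INTERFACE if c not in body]
    # Password policy from the post: MD5 enable secret, min-length, failure-rate logging.
    if not any(l.startswith("enable secret ") for l in global_lines):
        findings.append("MISSING: enable secret")
    lengths = [int(l.split()[-1]) for l in global_lines
               if l.startswith("security passwords min-length ")]
    if not lengths or lengths[0] < MIN_PASSWORD_LENGTH:
        findings.append(f"WEAK: security passwords min-length below {MIN_PASSWORD_LENGTH}")
    if not any(l.startswith("security authentication failure rate ") for l in global_lines):
        findings.append("MISSING: security authentication failure rate")
    # No type digit or type 0 is plaintext; type 7 is the reversible form that
    # 'service password-encryption' produces, so 'secret' (type 5) is preferred.
    for where, lines in [("global config", global_lines)] + list(sections.items()):
        for l in lines:
            m = CRED_RE.match(l)
            if m and m.group(1) in (None, "0", "7"):
                kind = "reversible type 7" if m.group(1) == "7" else "plaintext"
                findings.append(f"WEAK: {kind} password in {where}: {l.rsplit(' ', 1)[0]} ***")
        # Check added beyond the AutoSecure list: telnet carries logins in the clear.
        if where.startswith("line vty") and "transport input telnet" in lines:
            findings.append(f"INFO: {where} accepts telnet (cleartext management)")
    return findings

if __name__ == "__main__":
    print(*audit(BEFORE), "---", *audit(AFTER), sep="\n")
```

Run it as a script to see both reports: the "before" config produces 18 findings, while the "after" config produces only the two type 7 credentials that AutoSecure itself wrote ("enable password 7" and "username james password 7") plus the telnet note. That is the practical reminder from this post: AutoSecure turns on "service password-encryption", but a "secret" is still the stronger choice wherever IOS lets you use one.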
Wednesday, December 15, 2010
Good bye Internet
Goodbye Internet, we hardly knew ye?
Very good article and validates what I've been thinking for a while.
Backdoor in the OpenBSD IPSEC Stack?
Allegations regarding OpenBSD IPSEC
If this is true, then wow! It will have major implications for IPSEC implementations around the world, as many vendors use the OpenBSD IPSEC stack. It's hard to believe that in ten years the back door hasn't been found, though. How many eyes have been on the code? How many people have modified the code or implemented bug fixes? I'm a little doubtful, but I can't help but be curious whether it's true or not.
Wednesday, December 8, 2010
Tuesday, December 7, 2010
The United States vs Personal Freedoms and Liberties
I generally do not get overly involved in politics, because I've resigned myself to the fact that it's a completely flawed system and I'm going to find something that I don't agree with anyways. But I've been noticing a very disturbing trend as of late.
It mostly pertains to the fact that the US Government cannot seem to protect confidential data, which is evident from the mass amount of data being tossed around the Internet by WikiLeaks. I am actually in favor of WikiLeaks. I'm thoroughly convinced that the US Government, among other world governments, are upset with WikiLeaks because they are airing out their dirty laundry. Why would the US Government be that upset unless they are afraid of unethical and perhaps illegal dealings being exposed? Apparently, the US Government is all for whistle-blowing, unless somebody is blowing the whistle on the US Government. Here's a tip for the US Government: if you're afraid of what people will think WHEN the information gets made public, then don't do it. The digital age is making it harder and harder for anybody to keep secrets. I personally think that it's a good thing and will keep people honest, unless the US Government wants to pull a China and start censoring everything that US citizens can view on the Internet.
The US Government has also seen fit to start hijacking domain names on the Internet for offenders that it sees as breaking some sort of law, such as copyright.
What do the US Government actively attacking whistle-blowing against the US, domain hijacking, and even full-body scanners at US airports have in common? It's all about how the US Government is stealing the freedoms and liberties of US citizens little by little, so that nobody notices until it's too late. I'm very disturbed by this trend. I'll be posting articles and information from time to time about this subject from now on, because I feel that it's important enough to track closely, and I'll probably start becoming more active in protecting the freedoms and liberties that the government sees fit to take away.
Lieberman Introduces Anti-WikiLeaks Legislation Essentially this proposed legislation will make it illegal to "name names". It's in direct conflict with whistle-blowing laws and a violation of my freedom of speech. Here's a big FUCK YOU Mr. Lieberman. You were one of the politicians that I had some sort of respect for. So much for that.
The Wikileaks sex files: How two one-night stands sparked a worldwide hunt for Julian Assange Very good article, but long article short - Assange is a celebrity and a playboy of sorts. He had consensual unprotected sex with two women within days of each other, in Sweden. The women found out about each other and went to the police. Apparently, in Sweden, it can be construed as rape if you have unprotected sex with a person. Who knew? Would this international manhunt have occurred if Assange hadn't been airing out the dirty laundry of international government authorities? My guess is most likely not.