September 29, 2001
Palante
Network Switch and Router (mis-)Configuration

* While you were busy making your network bigger/faster/better, you were also making it more exposed to attack.

5 most direct risks:

* not setting passwords
* default community strings
  * don't use 'public' and 'private' community strings. Be granular.
  * secure SNMP has been vapor so far
  * use keyed (authenticated) SNMP on Cisco (SNMP v2)
    * snmp-server party (instead of community)
  * ssh into Foundry devices (mgmt. II blade or better)
  * Cisco requires IOS 12 with IPSEC image
* telnet
  * sniffing can be done, even through a switch
  * ARP hijacking, spanning ports, etc.
* source routes
  * source routing - Bad bad bad. 'no ip source-route'
* dynamic routing
  * keys authenticate dynamic route updates
  * use different keys with each neighbor
  * 'key-chain locked' (Cisco), '..key-string', '..accept-lifetime', '..send-lifetime'
  * 'ip authentication-key' (Foundry)
  * filter dynamic routes
  * reverse network check - 'ip verify unicast reverse-path'
    * doesn't work in asymmetric environments

5 Leverage threats

* unauthorized HW addresses
  * possible to change HW address, but this at least raises the bar
  * static table entries are a bit different
  * switches learn what port a device is on
  * until it learns, traffic is flooded
  * if the switch 'unlearns', it will flood (which may be SNMP)
* VLAN misconfig
  * don't let VLANs share a common port
* LLC packets (logical link control)
  * Cisco Discovery Protocol (CDP) gives out info about the network
  * also identifies the most important devices on the network
  * 'no cdp enable'
* Spanning Tree Protocol - designed to prevent layer 2 loops
  * turns off ports until there's only 1 link to each device
  * 'set spantree root' / 'set spantree disable #' (Cisco)
  * 'span .. Priority' / 'no spanning-tree' (Foundry)
  * turn off to end users, outsiders and those w/o multiple ports
* ICMP redirects
  * like source routing
  * 'deny icmp any any redirect' (Cisco)
  * 'no ip icmp redirects' (Foundry)
* protect config files
  * don't leave them around for people to read or change
  * including tftp servers
  * remember only enable password is md5 hashed

5 external threats

* VPN misconfigurations
  * Virtual Private Network via insecure path
  * 'tunnel encapsulation' is not VPN because it has no crypto to prevent disclosure or packet injection
  * crypto isakmp policy & keys
  * 'crypto ipsec transform-set'
  * 'crypto map'
  * MPLS - think 'virtual circuit' not 'vpn'
* subnet broadcast
  * used in smurfs (DoS by ICMP flooding)
  * if you don't need broadcasts across subnets, disable it.
  * 'no ip directed-broadcast' (Foundry/Cisco)
* filtering
  * duh. filter RFC1918 space (also RFC1700 - loopback).
  * 10/8, 172.16-31.0.0 (172.16/12), 192.168/16
  * your network's address space should not be coming in from outside
  * filter connections to router/switch (only trusted hosts can log in)
  * filter SNMP likewise
  * snmp-server access-list # (Cisco)
  * telnet-client / web-client / snmp-client (Foundry)
* unauthorized connections not monitored
  * log review - collect syslogs and SNMP traps (snmp trap target)
* layer 3 packet flooding
  * limit packet rates
  * ip icmp burst-normal & burst-max (Foundry)
  * ip icmp lockup (Foundry)
  * rate-limit (Cisco)

links
-----
(Cisco)
http://www.cisco.com/warp/public/707/21.html
http://www.cisco.com/warp/public/707
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/ ...
(Foundry)
http://www.foundrynet.com

Conclusion: Just because everything is working doesn't mean everything is OK.
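Most of the items above (enable password, default community strings, 'no ip source-route', 'no cdp enable', ICMP redirects, directed broadcast, RFC1918 ingress filtering, syslog/trap collection) can be checked against a saved running-config before anyone else does. The script below is an added example, not a Cisco or Foundry tool and not part of the original notes: a hypothetical `audit()` helper that walks an IOS-style config and reports which of the listed settings are missing. The sample config it runs on is constructed for illustration. Because IOS does not print default-on features (`ip source-route`, `cdp enable`, `ip redirects`), the audit treats the absence of the explicit `no ...` line as the weak state; the wildcard-to-prefix conversion is done by hand because IOS wildcards (0.0.0.0 = one host, 255.255.255.255 = any) read backwards from a netmask.

```python
"""Audit an IOS-style saved config for the weak settings listed in these notes.

Added example with hypothetical helpers; not a vendor tool. Absence of an
explicit 'no ...' line is treated as the (weak) default state.
"""
import re
from ipaddress import ip_address, ip_network

DEFAULT_COMMUNITIES = {"public", "private"}

# Source blocks that should never arrive from outside: RFC1918 plus loopback.
BOGON_BLOCKS = [ip_network(b) for b in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample config (no real device); deliberately carries weak settings.
SAMPLE_CONFIG = """\
version 12.0
hostname edge-rtr
enable password 7 0822455D0A16
!
snmp-server community public RO
snmp-server community private RW
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 no cdp enable
!
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
!
logging 10.1.1.50
end
"""


def parse_interfaces(lines):
    """Map each 'interface X' stanza to its indented body lines."""
    interfaces, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network (contiguous wildcards only)."""
    bits = int(ip_address(wildcard))
    if bits & (bits + 1):          # wildcard must look like 0...01...1
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)


def denied_networks(lines):
    """Collect source networks from 'access-list N deny ip <addr> <wildcard> any'."""
    pat = re.compile(r"^access-list \d+ deny ip (\S+) (\S+) any")
    return [wildcard_to_network(*m.groups()) for m in map(pat.match, lines) if m]


def audit(config_text):
    """Return a list of human-readable findings for one config."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    findings = []

    # 1. Only 'enable secret' is MD5-hashed; 'enable password' is cleartext or reversible type 7.
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("no 'enable secret' configured (enable password is reversible)")

    # 2. Default community strings.
    for l in lines:
        m = re.match(r"^snmp-server community (\S+)", l)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community '{m.group(1)}' in use")

    # 3. Source routing stays on unless explicitly disabled.
    if "no ip source-route" not in lines:
        findings.append("'no ip source-route' missing (source routing enabled)")

    # 4. Per-interface CDP, ICMP redirect and directed-broadcast exposure.
    cdp_global_off = "no cdp run" in lines
    for name, body in parse_interfaces(lines).items():
        if not cdp_global_off and "no cdp enable" not in body:
            findings.append(f"{name}: CDP enabled")
        if "no ip redirects" not in body:
            findings.append(f"{name}: ICMP redirects enabled")
        if "no ip directed-broadcast" not in body:
            findings.append(f"{name}: directed broadcast not explicitly disabled")

    # 5. Ingress filtering of private and loopback source addresses.
    denies = denied_networks(lines)
    for block in BOGON_BLOCKS:
        if not any(block.subnet_of(d) for d in denies):
            findings.append(f"no ACL entry denying source {block}")

    # 6. Remote log collection (syslog host or SNMP trap target).
    if not any(re.match(r"^(logging (host )?\d+\.\d+\.\d+\.\d+|snmp-server host )", l)
               for l in lines):
        findings.append("no syslog host or SNMP trap target configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a config pulled with `show running-config` (the same file you are told above not to leave lying around on tftp servers); a clean config yields an empty list. The ACL check only recognises `deny ip <addr> <wildcard> any` entries, so a filter written with the `host` keyword or applied from a named ACL would need the pattern extended.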