Auditing routers and firewall configs

There are several free tools available on net for router and firewall config auditing. I focus on tools which are able to work on the config file pulled from the router/firewall and placed in the local directory of the PC. See the short list below:

 

• NIPPER – can be downloaded from https://www.titania.co.uk after free registration. It can be used to audit configuration files of Cisco, Juniper and Checkpoint, SonicWall, and many others. It produces nice reports.
• CCSAT (Cisco Configuration Security Auditing Tool) see http://freshmeat.net/projects/ccsat/ The tool is based upon industry best practices, including Cisco, NSA, and SANS security guides and recommendations
• RATS - Rough Auditing Tool for Security - is an open source tool developed and maintained by Secure Software security engineers acquired by Fortify, see http://www.fortify.com/security-resources/rats.jsp

It is easy and practical to put configuration files in local directory and run ad hoc 'grep' command. I did it once with simple grep 'any\|telnet\|timeout\|floodguard\|server\|logging\|auth\|audit\|pdm'  * > output . And if network admin is reluctant to send config files for auditing he can run such command by himself. And send you just 'output' file for further analysis. Or provide you 'nipper' report or 'ccsat' output. Good luck !

What is Auto-MDIX ?

Always surprised …, to be honest I’ve never heard about Auto-MDIX. I thought that this is important to remember which cable to use: straight-through or crossover. So automatic medium-dependent interface crossover (Auto-MDIX) is a feature that allows the switch interface to detect the required cable connection type (straight-through or crossover) and automatically configure the connection appropriately. With Auto-MDIX enabled, you can use either a straight-through or crossover type cable to connect to the other device, and the interface automatically corrects for any incorrect cabling. It works on 2940, 2970 and 3750 Series Switches.

How to write up Network Security , part II ?

This is continuation of part I

• Consultant/guest access to network - How they separate guest/consultant subnet from the rest of the network ? Well, VLAN is not a good answer. One of the best is probably use of VRF Lite (creating virtual routers, virtual routing tables for guest traffic) for traffic and host segmentation. It's very important from PCI standpoint

IOS IPS

In order to setup IPS on IOS follow instructions here. My tftp server is at the address 192.10.1.200 and dynamips router has interface 192.10.1.6. The first step is to transfer signature files from tftp server to router.

How to write up Network Security ?

Most network security audit programs are written by people with risk or audit background and very little technical and operational experience. So there are a many risks and controls listed there which seem to make sense at first glance, but in fact always one of the below rules apply to them:

• Every network will comply with controls
• Controls cannot to be tested for effectiveness

Dynamic Virtual Tunnel Interface Easy VPN Server and Client

See below two scenarios:
1) SW1 ezVPN client connected to router R1 ezVPN server
2) SW1 ezVPN client connected to firewall ASA ezVPN server

VRF-aware IPSEC Virtual Interface Tunnels

R3 (f0/0 and f0/1) is connected to SW1 (f1/3 and f1/13) on two Fast Ethernet interfaces (R3 f0/0-SW1 f/13 and R3 f0/1 to SW1 f1/13). IPSEC Tunnel 100 and 200 are originating from both pairs of Fast Ethernet interfaces. Network 1.1.1.0 and 3.3.3.0 are routed over Tunnel 100 and 2.2.2.0 and 4.4.4.0 over Tunnel 200. See configurations below:

IPsec using IOS CA Server

Connecting R1 f0/0 to SW1 f1/1 (vlan 10). See configs:
R1
interface Loopback0
ip address 10.10.10.10 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
!
router rip
version 2
network 1.0.0.0
network 10.0.0.0
ntp master 2 ß-R1 is master NTP

Fun with Dynamips – router broken by VRF-lite and PIX

See nice and simple VRF-lite exercise splitting SW1 router into R1 and R2 routers and connecting them by PIX firewall. I was able to ping from R2 (connected to inside interface of PIX) to R1 which is connected to outside interface of PIX firewall.

Internetwork Expert CCIE Security Lab on Dynamips

I was able to perform most of INE CCIE Security Lab 1 tasks (Security Lab Workbook Volume II v5.0 Beta) on Dynamips, see my configuration sec-iewb.net file below:

PIX Active/Active Failover in Dynamips/Pemu

PIX active/active failover configuration involves using groups and assigning firewall contexts to groups. On the both firewalls only one group is active at the time. See below the .net file used to run both firewalls in Dynamips/Pemu

PIX/ASA contexts – virtual firewalls emulation on PC

The below example is based on Internetwork Expert CCIE workbook . It shows how to emulate firewall virtualization using Dynamips and QEMU on windows PC. Dynamips is a Cisco router emulator which emulates 1700, 2600, 3600, 3700, and 7200 hardware platforms, and runs standard IOS images. QEMU is processor emulator (using a portable dynamic translator), emulates a full system (usually a PC). Routers R1 of CustomerA and Router R2 of CustomerB each connect to one PIX firewall through interfaces InsideA and InsideB and are allocated to two virtual contexts. Customers have their own virtual interfaces in DMZ and OUTSIDE