Sunday, September 18, 2005

SecurityFocus SNMP Article

Thanks to Simon Howard for pointing me toward a new article by Mati Aharoni and William M. Hidalgo titled Cisco SNMP configuration attack with a GRE tunnel. The article shows the dangers of not denying packets from the Internet using spoofed internal addresses. The article builds on Mark Wolfgang's Exploiting Cisco Routers: Part 1, where an intruder uses an SNMP SET command to retrieve a router configuration file via TFTP. As Simon wrote in his email to me: "Applying an inbound ACL on the Ethernet0/0 interface denying any traffic from the network would resolve this issue [in the article]."

On a related note, I am looking forward to the second edition of Essential SNMP, pictured at left.


Anonymous said...

A few things to always consider when securing a router:

1) Always include an inbound ACL on an internet facing interface. In almost every case, the first rules should be to block RFC1918 addresses as well as any other addresses that you know will be spoofed. Next block inbound protocols (SNMP, telnet, TFTP, FTP, SSH, etc) to the router interfaces themselves, and only permit trusted hosts to those interfaces using those protocols (such as your other routers) if absolutely necessary. Any other rules can be made to permit specific services from specific hosts.

2) As for SNMP, there is almost never a good reason to not have the snmp-service protected with an ACL to permit only net-mgmt hosts to talk with the router/switch/firewall etc.

3) If you need SNMP data across the internet, consider using IPSec tunnels to transfer that data (i.e. IPSec tunnel between routers and use a non-internet-reachable loopback interface for SNMP services). This obviously requires more work but is the best way to protect the router if you are really concerned with SNMP spoofing for RW access.

3) Some really good router security documents with good explanations:

I realize the Security Focus article was most likely written towards those that have no concept whatsoever of router's and security, however the scenario they write about is fairly simple to avoid.

Anonymous said...

I was aware of the 1st 2 NSA sites, but not of the cymru site - thanks for the notice.

I was curious to know if anyone has used Cisco's Auto Secure feature:

I had read about this before but didn't seriously consider it till I read about it in "Inside Network Perimeter Security" 2nd ed. In particular, I was interested to know if anyone had implemented the IANA ACLs that Auto Secure uses. I would love to know how the ACLs taxed their router (assuming proper memory).


Anonymous said...
This comment has been removed by a blog administrator.