Assessment of Network Device Configuration

SANS (SysAdmin, Audit, Network, Security) Router and Switch Security Policy: https://www.sans.org/security-resources/policies/network-security#router-and-switch-security-policy

  1. Direct logins to routers are not allowed. All router and switch access must use TACACS+ for user authentication.

  2. Enable passwords must be stored securely. Routers and switches should use the current, encrypted enable password provided by the device’s support organization.

  3. The following services or features should be turned off:
     a. IP directed broadcasts
     b. Incoming packets with invalid source addresses like RFC1918 addresses
     c. TCP small services
     d. UDP small services
     e. All source routing and switching
     f. All web services running on the router

  4. Standard company SNMP community strings should be used. Default strings, including “public” and “private,” must be deleted. SNMP configuration should use the most secure version of the protocol that both the device and management systems allow.

  5. Access control lists for traffic passing through the device should be implemented according to business requirements.

  6. The router should be managed by the corporate enterprise management system and have a designated point of contact.

  7. All login prompts, both remote and local, on each router must display the following message:

“UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device. Use of this system shall constitute consent to monitoring.”

  8. Telnet should never be used to manage a router across any network unless the communication path is fully secured with a tunnel. SSH version 2 is the preferred management protocol.

HP Comware Router

Findings from the configuration review, each followed by the related Comware command where one was noted (key-id, key and address are placeholders):

  • No Exec Administrative Line Timeout Configured
      idle-timeout 10
  • User Account Names Contained “admin”
      local-user
  • No Hypertext Transfer Protocol over SSL (HTTPS) Service Network Access Restrictions
  • Network Time Protocol (NTP) Control Queries Were Permitted
  • No Time Synchronization Configured
      ntp-service authentication enable
      ntp-service authentication-keyid key-id authentication-mode md5 key
      ntp-service unicast-server address authentication-keyid key-id
  • Weak Password Age Policy Setting
      password-control aging 10
  • No Network Filtering Rules Were Configured
  • No Post Logon Banner Message
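The checks behind several of the Comware findings above (and the SANS banner requirement, item 7) can be run offline against a saved configuration. The following is an added example written for this page, not code from the page, from HP, or from any audit tool: it splits a Comware config into its `#`-delimited sections and raises the listed findings with their remediation commands. Both configurations are constructed for the example; the 90-day password-age threshold, the `header shell` check for the post-logon banner, and the choice to flag a missing or disabled `idle-timeout` line rather than rely on the platform default are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed HP Comware-style excerpts for this example (not from any real device).
# WEAK_CONFIG reproduces the findings listed above; HARDENED_CONFIG applies the noted commands.
WEAK_CONFIG = """
 password-control aging 180
#
local-user admin
#
 ntp-service unicast-server 10.0.0.5
#
user-interface vty 0 4
 idle-timeout 0 0
"""

HARDENED_CONFIG = """
 password-control aging 90
#
 header shell "Authorized users only. All activity is logged."
#
local-user netops
#
 ntp-service authentication enable
 ntp-service authentication-keyid 1 authentication-mode md5 cipher $c$3$EXAMPLEONLY
 ntp-service unicast-server 10.0.0.5 authentication-keyid 1
#
user-interface vty 0 4
 idle-timeout 10 0
"""

@dataclass
class Finding:
    title: str        # finding title as the audit tool phrases it
    detail: str       # offending line or context
    remediation: str  # command from the list above

def sections(config_text):
    """Split a Comware config into its '#'-delimited sections (lists of stripped lines)."""
    secs, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                secs.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        secs.append(current)
    return secs

def audit_comware(config_text, max_password_age_days=90):
    """Run the listed checks against one saved configuration and return the Findings."""
    secs = sections(config_text)
    flat = [line for sec in secs for line in sec]
    findings = []

    # VTY lines: flag when idle-timeout is not set explicitly or is disabled ("idle-timeout 0 0").
    # Checking the explicit line rather than relying on the platform default is an assumption.
    for sec in secs:
        if sec[0].startswith("user-interface vty"):
            seconds = None
            for line in sec:
                m = re.match(r"idle-timeout (\d+)(?: (\d+))?$", line)
                if m:
                    seconds = int(m.group(1)) * 60 + int(m.group(2) or 0)
            if not seconds:
                findings.append(Finding("No Exec Administrative Line Timeout Configured",
                                        sec[0], "idle-timeout 10"))

    # Local accounts whose name contains "admin".
    for line in flat:
        m = re.match(r"local-user (\S+)", line)
        if m and "admin" in m.group(1).lower():
            findings.append(Finding('User Account Names Contained "admin"', line,
                                    "local-user <non-default-name>"))

    # Time synchronisation: a server must exist, and every server must use an authentication key.
    servers = [l for l in flat if l.startswith("ntp-service unicast-server")]
    if not servers:
        findings.append(Finding("No Time Synchronization Configured", "(none)",
                                "ntp-service unicast-server <address> authentication-keyid <key-id>"))
    elif ("ntp-service authentication enable" not in flat
          or not all("authentication-keyid" in s for s in servers)):
        findings.append(Finding("NTP Authentication Not Configured", "; ".join(servers),
                                "ntp-service authentication enable"))

    # Password aging: absent, or longer than the threshold (90 days is an assumed value).
    aging = None
    for line in flat:
        m = re.match(r"password-control aging (\d+)", line)
        if m:
            aging = int(m.group(1))
    if aging is None or aging > max_password_age_days:
        findings.append(Finding("Weak Password Age Policy Setting",
                                "(none)" if aging is None else f"password-control aging {aging}",
                                "password-control aging 10"))

    # The post-logon banner is 'header shell' on Comware.
    if not any(l.startswith("header shell") for l in flat):
        findings.append(Finding("No Post Logon Banner Message", "(none)", "header shell <text>"))
    return findings

if __name__ == "__main__":
    for f in audit_comware(WEAK_CONFIG):
        print(f"{f.title}: {f.detail} -> {f.remediation}")
    print("findings after hardening:", len(audit_comware(HARDENED_CONFIG)))
```

Running the script prints five findings for the weak configuration and none for the hardened one; the same function can be pointed at `open("switch.cfg").read()` for a real saved config. The NTP check deliberately requires both `ntp-service authentication enable` and a key on every server line, since enabling authentication without binding a key to each server leaves the server unauthenticated.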

Juniper NetScreen Firewall

Findings, each followed by the related ScreenOS command where one was noted (<zone> and <ip-address> are placeholders):

  • Filter Rules Allow Packets From Any Source To Any Destination And Any Port
  • Rules Allow Access To Administrative Services
  • Rules Allow Access To Clear-Text Protocol Services
      set service “HTTP”
  • VPN Configured With Aggressive Mode Enabled
  • Clear Text Telnet Service Enabled
      set telnet client enable
  • No Hypertext Transfer Protocol over SSL (HTTPS) Server Session Timeout
      set service https timeout 10
  • Filter Rules Allow Packets From A Network Source To Any Destination And Any Port
  • Virtual Private Network (VPN) Configured With Weak Encryption
      sec-level compatible
      sec-level standard
  • Rules Allow Access To Potentially Unnecessary Services
  • Rules Allow Access To Potentially Sensitive Services
  • Filter Rules Allow Packets From A Network Source To A Network Destination And Any Port
  • Filter Rules Allow Packets To Any Destination And Any Port
  • User Account Names Contained “admin”
      set admin name “admin”
  • AUX Port Not Disabled
      set interface serial0/0 disable
  • Weak Secure Sockets Layer (SSL) Ciphers Supported
      set ssl encrypt 3des sha-1
  • Internet Protocol (IP) Packet Fragmentation Attack Blocking Was Disabled
      set zone <zone> screen block-frag
  • Filter Rules Allow Packets To A Network Destination And Any Port
  • Filter Rules Allow Packets From Any Source To A Network Destination
  • Block Hypertext Transfer Protocol (HTTP) Containing Active Content Was Disabled
      set zone <zone> screen component-block
  • Weak Administrative Service Network Access Restrictions
      set admin manager-ip <ip-address>
  • Filter Rules That Allow Any Protocol Were Configured
  • Filter Rules Allow Packets From A Network Source To Any Port
  • Block HTTP Containing ActiveX Controls Was Disabled
      set zone <zone> screen component-block activex
  • Block HTTP Containing Java Was Disabled
      set zone <zone> screen component-block jar
  • Filter Rules Allow Packets From A Network Source To A Network Destination
  • Filter Rules Allow Packets From Any Source
  • Filter Rule Allows Packets To Any Port
  • Filter Rules Allow Packets To Any Destination
  • Weak VPN Authentication Hashing Algorithm Configured
  • Log Packets With IP Record Route Was Disabled
  • Filter Rules Allow Packets To A Network Destination
  • Filter Rule List Does Not End With Drop All And Log
  • Filter Rules Allow Packets From A Network Source
  • Log IP Security Option Packets Was Disabled
  • Log IP Stream Identifier (ID) Option Packets Was Disabled
  • Log IP Time Stamp Option Packets Was Disabled

Block HTTP Content containing potentially unsafe file types

To list which component types a saved configuration already blocks, extract the text after each component-block keyword (pass the saved config file as input):

    grep -oP '(?<=component-block).*' <config-file> | sort --unique
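The NetScreen findings above and the grep one-liner both come down to parsing `set` lines from a saved ScreenOS configuration. The following is an added example written for this page, not code from the page, from Juniper, or from any audit tool: it parses policy rules in file order, collects the per-zone `component-block` settings (the Python equivalent of the grep), and raises a subset of the listed findings. The sample configuration is constructed; the lists of clear-text services, weak SSL algorithms and component-block keywords, and the assumption that file order equals policy evaluation order, are the example's own.

```python
import re

# Constructed ScreenOS-style excerpt for this example; not from any real firewall.
SAMPLE_SCREENOS = """
set admin name "admin"
set telnet client enable
set ssl encrypt 3des sha-1
set zone "Untrust" screen block-frag
set zone "Untrust" screen component-block activex
set zone "Untrust" screen component-block jar
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 from "Untrust" to "Trust" "Any" "MIP(10.1.1.5)" "HTTP" permit log
set policy id 3 from "Untrust" to "Trust" "Any" "Any" "ANY" deny
"""

POLICY_RE = re.compile(r'set policy id (\d+) from "([^"]+)" to "([^"]+)" "([^"]+)" "([^"]+)" "([^"]+)" (permit|deny|reject)\b(.*)$')
CLEARTEXT_SERVICES = {"HTTP", "TELNET", "FTP", "TFTP"}   # assumption: services treated as clear text
COMPONENT_TYPES = {"activex", "jar", "zip", "exe"}      # component-block keywords (assumption)
WEAK_SSL = {"des", "rc4", "rc4-40", "3des", "md5"}      # assumption: algorithms treated as weak

def config_lines(text):
    return [l.strip() for l in text.splitlines() if l.strip()]

def parse_policies(lines):
    """Policies in file order, which this example assumes is the evaluation order."""
    policies = []
    for line in lines:
        m = POLICY_RE.match(line)
        if m:
            pid, _src_zone, _dst_zone, src, dst, svc, action, rest = m.groups()
            policies.append({"id": int(pid), "src": src, "dst": dst, "service": svc,
                             "action": action, "log": "log" in rest.split()})
    return policies

def blocked_components(text):
    """Per-zone set of component-block keywords: what the grep one-liner lists."""
    blocked = {}
    for line in config_lines(text):
        m = re.match(r'set zone "?([^" ]+)"? screen component-block (\S+)', line)
        if m:
            blocked.setdefault(m.group(1), set()).add(m.group(2))
    return blocked

def audit_screenos(text):
    """Return (finding title, detail) pairs for the checks implemented here."""
    lines = config_lines(text)
    findings = []

    policies = parse_policies(lines)
    for p in policies:
        if p["action"] == "permit":
            if (p["src"], p["dst"], p["service"]) == ("Any", "Any", "ANY"):
                findings.append(("Filter Rules Allow Packets From Any Source To Any Destination And Any Port", f"policy {p['id']}"))
            if p["service"] in CLEARTEXT_SERVICES:
                findings.append(("Rules Allow Access To Clear-Text Protocol Services", f"policy {p['id']} ({p['service']})"))
    # The final rule should be an explicit any/any/ANY deny that logs what it drops.
    last = policies[-1] if policies else None
    if not (last and last["action"] == "deny" and last["log"]
            and (last["src"], last["dst"], last["service"]) == ("Any", "Any", "ANY")):
        findings.append(("Filter Rule List Does Not End With Drop All And Log", f"policy {last['id']}" if last else "(no policies)"))

    # Every zone with screen settings should block the full set of component types.
    zones = {m.group(1) for l in lines for m in [re.match(r'set zone "?([^" ]+)"? screen ', l)] if m}
    blocked = blocked_components(text)
    for zone in sorted(zones):
        missing = COMPONENT_TYPES - blocked.get(zone, set())
        if missing:
            findings.append(("Block HTTP Content containing potentially unsafe file types", f"zone {zone} missing {sorted(missing)}"))

    for line in lines:
        m = re.match(r'set admin name "?([^"]+)"?', line)
        if m and "admin" in m.group(1).lower():
            findings.append(('User Account Names Contained "admin"', line))
        m = re.match(r"set ssl encrypt (\S+) (\S+)", line)
        if m and set(m.groups()) & WEAK_SSL:
            findings.append(("Weak Secure Sockets Layer (SSL) Ciphers Supported", line))
    if "set telnet client enable" in lines:
        findings.append(("Clear Text Telnet Service Enabled", "set telnet client enable"))
    if not any(l.startswith("set admin manager-ip") for l in lines):
        findings.append(("Weak Administrative Service Network Access Restrictions", "no set admin manager-ip restriction"))
    return findings

if __name__ == "__main__":
    for title, detail in audit_screenos(SAMPLE_SCREENOS):
        print(f"{title}: {detail}")
```

On the sample the script reports eight findings, including the missing drop-all-and-log rule at the end of the policy list: policy 3 is a deny but does not log, so dropped traffic would leave no trace for detection.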

Automating Configuration Audit

  • Nessus: offline config audit
  • Nipper (drawback: only for Cisco routers):

      nipper --input=switch.cfg --output=switch

Licensed under CC BY-NC-SA 4.0
Last updated on May 08, 2024 07:20 +0100