Acknowledgements
HRD Division
Department of Electronics and Information Technology
Ministry of Communications and Information Technology
Government of India
ROUTER AUDITING
TABLE OF CONTENTS:
SL.NO. POLICIES
1. LATEST STABLE SOFTWARE VERSION SHALL BE SELECTED.
2. HOSTNAME SHALL NOT REVEAL MAKE / MODEL OF THE DEVICE.
3. EACH USER SHALL BE ALLOCATED A SEPARATE LOGIN ACCOUNT.
4. SEPARATE LOGIN ACCOUNT SHALL BE USED FOR OPERATING AT DIFFERENT PRIVILEGE LEVELS AND NETWORK SECURITY DEVICES SHOULD HAVE AT LEAST TWO ADMINISTRATORS.
5. PASSWORD SHALL BE MANAGED AS PER THE PASSWORD MANAGEMENT GUIDELINES AND ALSO PASSWORD SHALL BE STORED IN ENCRYPTED FORM.
6. NETWORK TIME PROTOCOL (NTP) SHALL BE CONFIGURED ON THE DEVICES. (REFER: TIME SYNCHRONIZATION GUIDELINES)
7. FOR CHECKING THE TIME SETTINGS IN ROUTER.
8. BANNER WARNING MESSAGE SHOULD BE DISPLAYED BEFORE LOGIN AS A CAUTION.
9. PROTOCOLS / SERVICES USING ENCRYPTED CHANNEL (SUCH AS SSH, SSL, IPSEC, RDP) SHALL BE USED FOR REMOTE ADMINISTRATION.
10. FOR CHECKING THAT UNUSED NETWORK INTERFACES ARE DISABLED.
11. AUTHENTICATION SHOULD BE USED FOR DYNAMIC ROUTING PROTOCOLS.
12. INGRESS AND EGRESS FILTERING SHALL BE CONFIGURED.
13. UNUSED ADDRESS SPACE SHOULD BE ROUTED TO NULL INTERFACE.
14. ANTI-SPOOFING SHOULD BE CONFIGURED ON ALL INTERFACES.
15. BACK UP OF THE DEVICE.
16. LOG MAINTENANCE.
17. FOR CHECKING CONSOLE AND OTHER DIRECT ACCESS PORT CONNECTIONS OF THE ROUTER.
18. FOR CHECKING WHAT ARE THE VARIOUS NETWORKS ALLOWED IN ROUTER.
19. FOR CHECKING THE ROUTER NETWORK TRAFFIC FLOW AND LOOPBACK INTERFACE.
20. FOR CHECKING THE ROUTER TIMEOUT OPTION.
21. FOR CHECKING FOR ANY VIRTUAL TERMINAL LINES, I.E. VTYS, ENABLED ON THE DEVICE.
22. FOR CHECKING THE ROUTER REMOTE ADMINISTRATION ACCESS PROCESS.
23. FOR CHECKING THE ACL WRITTEN FOR ACCESS TO VTY OR THE REMOTE ADMINISTRATION MECHANISM OF THE ROUTER.
24. FOR CHECKING ANY PRIVILEGED EXEC MODE IN ROUTER SETTINGS.
25. FOR CHECKING WHETHER THE ROUTER IS CONFIGURED WITH LOCAL OR AAA AUTHENTICATION.
26. FOR CHECKING THE STATIC AND DYNAMIC ROUTING.
27. FOR CHECKING RADIUS & TACACS+ METHODS IN ROUTER.
1. Latest stable software version shall be selected.
CDAC-R09R06-C01-R-2#show version
2. Hostname shall not reveal make / model of the device.
CDAC-R09R06-C01-R-2#show run | i hostname
3. Each user shall be allocated a separate login account.
CDAC-R09R06-C01-R-2#show user all
CDAC-R09R06-C01-R-2#show users
Note: Users authenticated through the TACACS+ server do not appear in the local configuration; their accounts can be reviewed only on the TACACS+ server. show users lists only the sessions currently logged in, not every account.
4. Separate login account shall be used for operating at different privilege
level and Network Security Devices should have at least two
administrators.
CDAC-R09R06-C01-R-2#show run | b user
Note: Accounts and privilege levels of users/administrators authenticated through the TACACS+ server are defined on that server and must be reviewed there; show run | b user shows only locally defined users and their groups.
5. Password shall be managed as per the Password Management Guidelines
and also Password shall be stored in encrypted form.
CDAC-R09R06-C01-R-2#show run | i password
Note: For users authenticated through the TACACS+ server, the Password Management Guidelines are enforced on that server. show run | i password shows only credentials stored locally on the router (enable password, local user accounts, shared keys). These shall appear as one-way secret hashes (type 5, 8 or 9), never in clear text and never as type 7 strings: type 7 is a reversible obfuscation, not encryption, and does not satisfy this policy.
6. Network Time Protocol (NTP) shall be configured on the devices. (refer: Time Synchronization Guidelines in the Cyber Security Policies for NICNET Information Infrastructure)
CDAC-R09R06-C01-R-2#show ntp status
CDAC-R09R06-C01-R-2#show ntp associations
7. For checking the time settings in router.
CDAC-R09R06-C01-R-2#show clock
8. A warning banner message should be displayed before login as a caution.
A sample banner message follows:
--------------------- W A R N I N G ----------------------
Unauthorized access is prohibited. Disconnect IMMEDIATELY if you are not an authorized user!!!
All activities are being monitored. Any unauthorized access may subject the user to disciplinary / legal action.
CDAC-R09R06-C01-R-2#show run | b banner
9. Protocols / Services using encrypted channel (such as, SSH, SSL, IPSec, RDP)
shall be used for Remote administration.
CDAC-R09R06-C01-R-2#show run | i line
10. For checking that unused network interfaces are disabled. Every interface without a description or an address should show as administratively down (admin-down).
CDAC-R09R06-C01-R-2#show interfaces description | include Gi
11. Authentication should be used for dynamic routing protocols.
SUMMARY STEPS
1. configure
2. router ospf process-name
3. router-id {router-id}
4. authentication [message-digest [keychain keychain] | null]
5. message-digest-key key-id md5 {key | clear key | encrypted key}
6. area area-id
7. interface type instance
8. Repeat Step 7 for each interface that must communicate, using the same authentication.
9. exit
10. area area-id
11. authentication [message-digest [keychain keychain] | null]
12. interface type instance
13. Repeat Step 12 for each interface that must communicate, using the same authentication.
14. interface type instance
15. authentication [message-digest [keychain keychain] | null]
16. end or commit
DETAILED STEPS:
Command Purpose
Step 1 configure Example: RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 router ospf process-name Example: RP/0/RSP0/CPU0:router(config)# router ospf 1
Enables OSPF routing for the specified routing process and places the router in router configuration mode.
Note The process-name argument is any alphanumeric string no longer than 40 characters.
Step 3
router-id {router-id} Example: RP/0/RSP0/CPU0:router(config-ospf)# router-id 192.168.4.3
Configures a router ID for the OSPF process.
Step 4
authentication [message-digest[keychain keychain] | null] Example: RP/0/RSP0/CPU0:router(config-ospf)# authentication message-digest
Enables MD5 authentication for the OSPF process. This authentication type applies to the entire router process unless overridden by a lower hierarchical level such as the area or interface.
Step 5
message-digest-key key-id md5 {key |clear key | encrypted key} Example: RP/0/RSP0/CPU0:router(config-ospf)# message-digest-key 4 md5 yourkey
Specifies the MD5 authentication key for the OSPF process. The neighbor routers must have the same key identifier.
Step 6 area area-id Example: RP/0/RSP0/CPU0:router(config-ospf)# area 0
Enters area configuration mode and configures a backbone area for the OSPF process.
Step 7
interface type instance Example: RP/0/RSP0/CPU0:router(config-ospf-ar)# interface GigabitEthernet 0/1/0/3
Enters interface configuration mode and associates one or more interfaces to the backbone area. All interfaces inherit the authentication parameter values specified for the OSPF process (Step 4, Step 5, and Step 6).
Step 8 Repeat Step 7 for each interface that must communicate, using the same authentication.
—
Step 9 exit Example: RP/0/RSP0/CPU0:router(config-ospf-ar)# exit
Enters area OSPF configuration mode.
Step 10
area area-id Example: RP/0/RSP0/CPU0:router(config-ospf)# area 1
Enters area configuration mode and configures a nonbackbone area 1 for the OSPF process. The area-id argument can be entered in dotted-decimal or IPv4 address notation, such as area 1000 or area 0.0.3.232. However, you must choose one form or the other for an area. We recommend using the IPv4 address notation.
Step 11
authentication [message-digest[keychain keychain] | null] Example: RP/0/RSP0/CPU0:router(config-ospf-ar)# authentication
Enables Type 1 (plain text) authentication, which provides no security against an attacker who can see the packets. The example specifies plain text authentication (by not specifying a keyword). Use the authentication-key command in interface configuration mode to specify the plain text password. For the audit, only message-digest (MD5) or keychain authentication should be accepted as compliant.
Step 12
interface type instance Example: RP/0/RSP0/CPU0:router(config-ospf-ar)# interface GigabitEthernet 0/1/0/0
Enters interface configuration mode and associates one or more interfaces to the nonbackbone area 1 specified in Step 10. All interfaces configured inherit the authentication parameter values configured for area 1.
Step 13 Repeat Step 12 for each interface that must communicate using the same authentication.
—
Step 14
interface type instance Example: RP/0/RSP0/CPU0:router(config-ospf-ar)# interface GigabitEthernet 0/3/0/0
Enters interface configuration mode and associates one or more interfaces to a different authentication type.
Step 15
authentication [message-digest[keychain keychain] | null] Example: RP/0/RSP0/CPU0:router(config-ospf-ar-if)# authentication null
Specifies no authentication on GigabitEthernet interface 0/3/0/0, overriding the plain text authentication specified for area 1. By default, all of the interfaces configured in the same area inherit the same authentication parameter values of the area.
Step 16
end or commit Example: RP/0/RSP0/CPU0:router(config-ospf-ar-if)# end or RP/0/RSP0/CPU0:router(config-ospf-ar-if)# commit
Saves configuration changes. When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes. Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
CDAC-R09R06-C01-R-2#show run | b router ospf
12. Ingress and Egress filtering shall be configured.
Note: The ethernet egress-filter steps below configure Layer 2 egress filtering on subinterfaces (frames whose VLAN tags do not match the subinterface encapsulation are dropped). IP-level ingress/egress filtering of source addresses is done with IPv4 access lists applied to the interface with ipv4 access-group NAME ingress and ipv4 access-group NAME egress; both should be checked.
SUMMARY STEPS
1. configure
2. ethernet egress-filter strict
3. interface {GigabitEthernet | TenGigE | FastEthernet | Bundle-Ether} instance.subinterface
4. ethernet egress-filter {strict | disabled}
5. exit
DETAILED STEPS:
Command or Action Purpose
Step 1 configure RP/0/RSP0/CPU0:PE44_ASR-9010# config Thu Jun 4 07:50:02.660 PST RP/0/RSP0/CPU0:PE44_ASR-9010(config)#
Enters global configuration mode.
Step 2 ethernet egress-filter strict RP/0/RSP0/CPU0:PE44_ASR-9010(config)# ethernet egress-filter strict
Enables strict egress filtering on all subinterfaces on the device by default.
Step 3 interface {GigabitEthernet | TenGigE | FastEthernet | Bundle-Ether} instance.subinterface RP/0/RSP0/CPU0:PE44_ASR-9010(config)# interface GigabitEthernet 0/1/0/1.1 RP/0/RSP0/CPU0:PE44_ASR-9010(config-subif)#
Creates an L2 subinterface.
Step 4 ethernet egress-filter {strict | disabled} RP/0/RSP0/CPU0:PE44_ASR-9010(config-subif)# ethernet egress-filter strict
Allows egress filtering to be explicitly enabled or disabled on any L2 subinterface. It can also be used to override global settings.
Step 5 exit RP/0/RSP0/CPU0:PE44_ASR-9010(config-subif)# exit RP/0/RSP0/CPU0:PE44_ASR-9010(config)# exit
Exit from the configuration mode.
CDAC-R09R06-C01-R-2#show access-lists BLOCK-UDP pfilter location all
CDAC-R09R06-C01-R-2#show run | include ingress
CDAC-R09R06-C01-R-2#show run | include egress
13. Unused address space should be routed to null interface.
FOR EXAMPLE:
R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# ip route 192.168.0.0 255.255.0.0 Null0
R2(config)# end
Because forwarding uses the longest matching prefix, the Null0 route for the whole aggregate only swallows traffic to addresses that have no more specific route; the deployed subnets inside 192.168.0.0/16 keep their own routes and are unaffected.
CDAC-R09R06-C01-R-2#show run | i Null
14. Anti-spoofing should be configured on all interfaces
• To configure Unicast RPF loose mode, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip cef
4. interface type slot / port-adapter / port
5. ip verify unicast source reachable-via any
DETAILED STEPS:
Command or Action Purpose
Step 1 enable Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal Example: Router# configure terminal
Enters global configuration mode.
Step 3 ip cef Example: Router (config)# ip cef
Enables CEF on the route processor card.
Step 4 interface type slot / port-adapter / port Example: Router (config)# interface serial5/0/0
Configures an interface type and enters interface configuration mode.
Step 5 ip verify unicast source reachable-via any Example: Router (config-if)# ip verify unicast source reachable-via any
Enables Unicast RPF using loose mode.
Note: The anti-spoofing feature is not configured on the audited device, so no screenshot is attached. On IOS XR the equivalent interface command is ipv4 verify unicast source reachable-via {any | rx}. Loose mode (any) only drops packets whose source has no route at all, so it does not stop spoofing of routable addresses; strict mode (rx) also requires the return path to the source to be via the receiving interface and should be preferred on interfaces where routing is symmetric.
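The script below is an added example, not part of the checklist or of any vendor documentation. It takes the address plan as input and derives the configuration items 12, 13 and 14 ask for: Null0 routes for the unused parts of the allocation, an ingress ACL on the uplink that drops packets claiming an internal or bogon source, an egress ACL that lets only internal sources leave, and a first-match evaluator that proves the ACL behaves as intended before it is pushed. ALLOCATION, USED and the uplink name are constructed assumptions; IOS-style syntax is emitted to match the page's own null-route example, and the evaluator assumes contiguous wildcard masks.

```python
"""Address-plan driven filtering (added example, not part of the checklist).

Derives Null0 routes for unused space (item 13) and BCP 38 style
source-address ACLs for the uplink (items 12 and 14) from the address plan,
then evaluates the ACLs against sample packets to prove they work.
ALLOCATION, USED and UPLINK are constructed for the example.
"""
import ipaddress
from ipaddress import IPv4Address, IPv4Network

ALLOCATION = "192.168.0.0/16"
USED = ["192.168.1.0/24", "192.168.10.0/23", "192.168.200.0/22"]
UPLINK = "GigabitEthernet0/1"

# Sources that must never arrive from the Internet: RFC 1918 plus a few
# well-known bogons. In production take the list from a maintained feed.
BOGONS = [IPv4Network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def unused_prefixes(allocation, used):
    """Subtract the deployed subnets from the allocation (item 13)."""
    remaining = [IPv4Network(allocation)]
    for u in (IPv4Network(p) for p in used):
        nxt = []
        for r in remaining:
            if u.subnet_of(r):
                nxt.extend(r.address_exclude(u))   # carve u out of r
            elif not r.subnet_of(u):
                nxt.append(r)                      # disjoint: keep r
            # r inside u: r is fully used, drop it
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def null_routes(allocation, used):
    """One explicit blackhole route per unused prefix."""
    return [f"ip route {n.network_address} {n.netmask} Null0"
            for n in unused_prefixes(allocation, used)]


def _ace(action, net):
    # Classic ACL entries take a wildcard (host) mask, not a prefix length.
    return f" {action} ip {net.network_address} {net.hostmask} any"


def antispoof_config(internal, uplink):
    """Items 12 and 14: inbound drop of internal/bogon sources, outbound
    permit of internal sources only, both bound to the uplink."""
    inside = [IPv4Network(p) for p in internal]
    cfg = ["ip access-list extended ANTISPOOF-IN"]
    cfg += [_ace("deny", n)
            for n in sorted(ipaddress.collapse_addresses(inside + BOGONS))]
    cfg += [" permit ip any any", "ip access-list extended ANTISPOOF-OUT"]
    cfg += [_ace("permit", n) for n in inside]
    cfg += [" deny ip any any log", f"interface {uplink}",
            " ip access-group ANTISPOOF-IN in", " ip access-group ANTISPOOF-OUT out"]
    return cfg


def acl_decision(cfg, acl_name, src):
    """First-match evaluation of one named ACL against a source address.
    Understands 'permit|deny ip <net> <wildcard> any' and '... ip any any';
    an unmatched packet hits the implicit deny."""
    addr = IPv4Address(src)
    inside = False
    for line in cfg:
        if not line.startswith(" "):       # a new top-level stanza
            inside = (line.startswith("ip access-list extended ")
                      and line.split()[-1] == acl_name)
            continue
        if not inside:
            continue
        action, _, net, mask = line.split()[:4]
        if net == "any":
            return action
        wild = int(IPv4Address(mask))      # wildcard: 1 bits are "don't care"
        if addr in IPv4Network((net, 32 - wild.bit_length())):
            return action
    return "deny"


if __name__ == "__main__":
    print("\n".join(null_routes(ALLOCATION, USED)))
    cfg = antispoof_config(USED, UPLINK)
    print("\n".join(cfg))
    for ip in ("192.168.1.5", "10.0.0.1", "203.0.113.7"):
        print(f"{ip:>14} arriving on {UPLINK}: {acl_decision(cfg, 'ANTISPOOF-IN', ip)}")
```

The explicit per-prefix Null0 routes are the alternative to the page's single aggregate route when the unused ranges must be visible individually in the routing table; either form relies on the deployed subnets having more specific routes. The evaluator is deliberately simple (source-only, contiguous wildcards) because that is all an anti-spoofing ACL needs; extend it before reusing it for service ACLs.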
15. Back up of the device: a backup of the current operating system image and the running configuration shall be taken prior to any upgrade. Where SNMP is used for management or monitoring, check the following:
• Enable SNMP only if required; SNMPv3 (with authentication and privacy) should be used.
CDAC-R09R06-C01-R-2#show snmp host
• Default community strings (for example, "public" or "private") shall not be used.
• Community strings shall be treated on a par with administrator account passwords.
• Community strings should be set for read-only mode.
• SNMP access should be permitted only from specific IP addresses of trusted networks.
• The same or similar community strings should not be used across devices.
CDAC-R09R06-C01-R-2#show run | i snmp
16. Log Maintenance
• Logs should be sent to a centralized log server.
CDAC-R09R06-C01-R-2#show log
• Logs should be archived in read-only format.
CDAC-R09R06-C01-R-2#show log location
CDAC-R09R06-C01-R-2#show run | i log
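Most of the checks in items 2, 6, 8, 9, 10, 11, 15 and 16 above are greps over show run output, so they can be run offline against a configuration backup. The auditor below is an added example, not part of the checklist; WEAK_CONFIG and HARDENED_CONFIG are constructed (IOS XR-style syntax to mirror the prompts on this page), and the hostname keyword list and interface-name filter are assumptions to be tuned per estate.

```python
"""Offline audit of a saved running-config (added example, not part of the
checklist). Automates the 'show run | i ...' checks for items 2, 6, 8, 9,
10, 11, 15 and 16. WEAK_CONFIG and HARDENED_CONFIG are constructed samples.
"""
import re

# Tokens in a hostname that give away make or model (item 2); tune per estate.
VENDOR_RE = re.compile(r"cisco|juniper|huawei|asr|isr|catalyst|nexus|mx\d|srx", re.I)
# Virtual interfaces never count as unused physical ports (item 10).
SKIP_IF_RE = re.compile(r"^(Loopback|Null|Mgmt|tunnel)", re.I)


def parse_blocks(config):
    """Split a config into (top-level header, [indented child lines]) pairs;
    nested children are kept flat under their top-level header."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def audit(config):
    """Return sorted (checklist item, message) findings; [] means compliant."""
    blocks = parse_blocks(config)
    heads = [h for h, _ in blocks]
    findings = []

    host = next((h.split(None, 1)[1] for h in heads if h.startswith("hostname ")), "")
    if VENDOR_RE.search(host):
        findings.append((2, f"hostname '{host}' reveals make/model"))
    if not any(h.startswith(("ntp server", "ntp peer")) for h in heads):
        findings.append((6, "no NTP source configured"))
    if not any(h.startswith(("banner login", "banner motd")) for h in heads):
        findings.append((8, "no pre-login warning banner"))
    if not any(re.match(r"logging \d+\.\d+\.\d+\.\d+", h) for h in heads):
        findings.append((16, "no remote syslog host"))

    for head, body in blocks:
        if head.startswith("line ") and any(
                b.startswith("transport input") and "telnet" in b for b in body):
            findings.append((9, f"'{head}' allows telnet; use 'transport input ssh'"))
        if head.startswith("interface "):
            name = head.split()[1]
            configured = any(b.startswith(("ipv4 address", "ipv6 address", "description"))
                             for b in body)
            if not SKIP_IF_RE.match(name) and "shutdown" not in body and not configured:
                findings.append((10, f"{name} is up but unused; shut it down"))
        if head.startswith("router ospf") and not any(
                b.startswith(("authentication message-digest", "authentication keychain"))
                for b in body):
            findings.append((11, f"'{head}' has no MD5/keychain authentication"))
        if head.startswith("snmp-server community"):
            name, *rest = head.split()[2:]
            if name.lower() in ("public", "private") or "RW" in rest:
                findings.append((15, f"SNMP community '{name}' is default or read-write"))
    return sorted(findings)


WEAK_CONFIG = """\
hostname Cisco-ASR9K-Edge
banner login ^C Unauthorized access is prohibited. All activity is monitored. ^C
ntp server 10.10.10.5
interface GigabitEthernet0/0/0/0
 description Uplink-to-ISP
 ipv4 address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/0/0/1
!
router ospf 1
 area 0
  interface GigabitEthernet0/0/0/0
  !
 !
!
snmp-server community public RO
snmp-server community N3tAudit-Rw RW
logging 10.10.10.20 vrf default
line default
 transport input telnet ssh
!
"""

# The same device with each finding remediated.
HARDENED_CONFIG = (WEAK_CONFIG
    .replace("hostname Cisco-ASR9K-Edge", "hostname R09R06-C01-R-2")
    .replace("interface GigabitEthernet0/0/0/1\n!", "interface GigabitEthernet0/0/0/1\n shutdown\n!")
    .replace("router ospf 1\n", "router ospf 1\n authentication message-digest\n")
    .replace("snmp-server community public RO\nsnmp-server community N3tAudit-Rw RW",
             "snmp-server community N3tAudit-R0 RO")
    .replace("transport input telnet ssh", "transport input ssh"))

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for item, msg in audit(cfg):
            print(f"  item {item:>2}: {msg}")
```

The parser keeps nested OSPF lines flat under the router ospf header, so authentication configured at process, area or interface level all count; an "authentication null" override on an interface is not detected and still needs the manual show run | b router ospf check from item 11.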
17. For checking console and other direct access port connections of the
router.
CDAC-R09R06-C01-R-2#show run | b line
18. For checking what are the various networks allowed in router.
CDAC-R09R06-C01-R-2#show access-lists BLOCK-UDP usage pfilter location all
19. For checking the router network traffic flow and loopback interface.
CDAC-R09R06-C01-R-2#show monitor-session counters
20. For checking the router timeout option.
CDAC-R09R06-C01-R-2#show run | i timeout
21. For checking for any virtual terminal lines, i.e. VTYs, enabled on the device.
CDAC-R09R06-C01-R-2#show run | b vty
22. For checking the router remote administration access process.
CDAC-R09R06-C01-R-2#show run | i line
23. For checking the ACL written for access to VTY or the remote administration mechanism of the router.
CDAC-R09R06-C01-R-2#show access-lists MANAGEMENT
24. For checking any privileged exec mode in router settings.
CDAC-R09R06-C01-R-2#show run | i exec
25. For checking whether the router is configured with local or AAA (TACACS+/RADIUS) authentication.
CDAC-R09R06-C01-R-2#show tacacs
Note: AAA is managed as per the Cyber Security Policies for NICNET Information Infrastructure. Accounts and privilege levels of users authenticated through the TACACS+ server are held on that server and must be reviewed there. The above command shows the configured TACACS+ servers and their status.
26. For checking the static and dynamic routing.
• For checking the routing and routed protocols
CDAC-R09R06-C01-R-2#show protocols bgp
CDAC-R09R06-C01-R-2#show protocols ospf
CDAC-R09R06-C01-R-2#show route static
For checking bgp summary.
CDAC-R09R06-C01-R-2#show bgp summary
• For checking the ospf neighbor.
CDAC-R09R06-C01-R-2#show ospf neighbor
• For checking OSPF route.
CDAC-R09R06-C01-R-2#show route ospf
• For checking RIP.
• For checking EIGRP.
Note: The organization is not using RIP or EIGRP routing.
27. For checking radius & tacacs+ methods in router.
CDAC-R09R06-C01-R-2#show tacacs
CDAC-R09R06-C01-R-2#show run | i tacacs
CONTRIBUTED BY:
1. Mr Ch A.S Murty
2. Mr Tyeb Naushad
3. Mr Devi Satish
4. Mr Shrinath Rusia
5. Ms Vertika Singh
6. Mr Vinay Kumar
C-DAC, Hyderabad