Securing IGS Cisco Routers v 1.01


This paper describes how to gather information about an IGS Cisco router, both remotely and locally, and then how to use that information to secure it. Some experience with configuring Cisco routers is recommended before you read on; which model you own does not matter. More importantly, you must own, and know how to use, a Unix-like operating system. Once we have collected the information that is useful to us, we try to lock the router down as well as possible. Please note that this paper is for educational purposes only, and I am not responsible in any way for your actions if you get caught.

Because you probably do not own an IGS but a newer model running a more recent IOS release, programs like nmap may give you different output, and while securing the router you may need commands other than the ones I use. Grab your manual, if you have one, and look up the equivalent command.

Getting the information remote:

I assume you have already configured your Cisco router and your Unix box properly. Since I know there are still people who do not know where to download the tools we are going to use, I have placed some useful links at the bottom of this paper.

I always start with an nmap scan; first we need to know which daemons are running on the remote host. Because I own a couple of IGS Cisco routers myself, I use the router with IP address 169.254.0.10 for this paper. A daemon can listen on several kinds of sockets (TCP and UDP, but also IPX/SPX), and scanning them all could take a long time. If you are not on the same segment as the router, scanning anything other than TCP and UDP is pointless: non-IP protocols such as IPX/SPX are not routed across the Internet, and raw 802.3 frames (standard LLC, SNAP LLC and raw) never leave the local segment.

So we scan only the listening TCP and UDP sockets, with the following command at the Unix shell: “nmap -sT -sU -p 1-65535 169.254.0.10”. Keep in mind that a UDP port can only be reported closed when the host answers with an ICMP port-unreachable message; a port that stays silent (or whose unreachable messages are rate-limited) shows up as open even when nothing listens there, so verify UDP results with a second tool or on the router itself. For a complete overview of all options type “man nmap”.

Port       State       Service

7/tcp      open        echo
7/udp      open        echo
9/tcp      open        discard
9/udp      open        discard
23/tcp     open        telnet
49/udp     open        tacacs
67/udp     open        bootps
79/tcp     open        finger
161/udp    open        snmp
1993/tcp   open        snmp-tcp-port

Above is the output of nmap; now I describe each daemon.

Just as many FTP daemons use 20/TCP and 21/TCP by default and many Gopher daemons listen only on 70/TCP, every daemon has its standard port. Of course a daemon can be configured to listen on a different port, so it is possible that the daemon ‘behind’ 79/TCP on the IGS Cisco router is not a finger daemon at all; nmap only prints the name that belongs to the port number in its services table. There are two ways to find out what really listens on a socket: one, search your IGS Cisco router manual; two, establish a telnet session to the daemon. I try a telnet session to every daemon; most of the time the ‘banner’ tells you enough.
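As an added example (not code from the original paper), the following Python script does the ‘telnet to every daemon’ step automatically: it parses the nmap table above, connects to each open TCP port, sends the same probe line, and names the daemon from its reply instead of from the port number. The router address, the probe text and the reply patterns come from the sessions on this page; everything else is an assumption of the example. UDP ports are deliberately skipped, since a TCP connect says nothing about them.

```python
"""Identify what really listens behind an open port from its response, rather
than trusting the service name nmap prints from its port table.

Added example; not from the original paper. NMAP_OUTPUT is the scan table
shown on the page, the reply patterns come from the telnet sessions on the
page, and 169.254.0.10 is only contacted from __main__.
"""
import re
import socket

# Constructed input: the nmap table from the page.
NMAP_OUTPUT = """\
Port       State       Service
7/tcp      open        echo
7/udp      open        echo
9/tcp      open        discard
9/udp      open        discard
23/tcp     open        telnet
49/udp     open        tacacs
67/udp     open        bootps
79/tcp     open        finger
161/udp    open        snmp
1993/tcp   open        snmp-tcp-port
"""

PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

PROBE = b"hu\r\n"  # the same line that was typed into the echo daemon on the page


def parse_nmap(text):
    """Return [(port, proto, state, service)] for each port line of an nmap report."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return found


def fingerprint(sent, received):
    """Name the daemon from what it sent back after it received `sent`.

    The patterns are what the page's telnet sessions show. Anything else is
    'unknown', which means: open the manual, do not trust the port number.
    """
    if received == sent:
        return "echo"        # RFC 862: returns exactly what it got
    if received == b"":
        return "discard"     # RFC 863: swallows input and says nothing
    if b"User Access Verification" in received or received.startswith(b"\xff"):
        return "telnet"      # IOS login banner, or telnet option negotiation (IAC = 0xff)
    if b"Line" in received and b"User" in received and b"Location" in received:
        return "finger"      # the session table the finger daemon prints
    return "unknown"


def probe(host, port, payload=PROBE, timeout=3.0):
    """Connect to host:port, send `payload` and collect the reply until the
    peer closes or the timeout fires. Real network I/O; used only from __main__."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass  # a silent daemon (discard) simply never answers
    return data


def classify_scan(text, prober):
    """For every open TCP port in the nmap report, pair nmap's service name
    with the name guessed from the daemon's actual response.

    `prober(port, payload) -> bytes` is injected so the logic can run without
    a router (the demo passes a wrapper around probe()). UDP ports are skipped:
    a TCP connect tells nothing about them, and nmap's 'open' for UDP only
    means that no ICMP port-unreachable came back.
    """
    result = {}
    for port, proto, state, service in parse_nmap(text):
        if proto != "tcp" or state != "open":
            continue
        result[port] = (service, fingerprint(PROBE, prober(port, PROBE)))
    return result


if __name__ == "__main__":
    router = "169.254.0.10"  # the paper's router; change to your own
    results = classify_scan(NMAP_OUTPUT, lambda p, payload: probe(router, p, payload))
    for port, (named, seen) in results.items():
        flag = "" if named == seen else "  <-- does not match, check the manual"
        print(f"{port}/tcp nmap says {named:14s} response looks like {seen}{flag}")
```

A port whose reply does not fit any pattern comes back as ‘unknown’ (1993/tcp, for instance, answers with SNMP's binary encoding rather than a text banner), which is the cue to look the port up in the manual rather than to trust nmap's name.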

Echo (7/TCP&UDP)

SorNOT:~ # telnet 169.254.0.10 7
Trying 169.254.0.10...
Connected to 169.254.0.10.
Escape character is '^]'.
hu
hu
:)
:)
echo
echo

This daemon (RFC 862) echoes everything you type straight back at you. That is of no use to us, and like the other ‘small servers’ it is a known vector for denial-of-service tricks such as bouncing UDP packets between two echo ports. So it is recommended to kill the daemon, unless you want a digital chat friend for when you are bored... :-P


Discard (9/TCP&UDP)

This daemon (RFC 863) is kind of funny: it silently throws away whatever you send it. It is not very useful either, so kill it too...


Telnet (23/TCP)

lappie:~/IGS # telnet 169.254.0.10 23
Trying 169.254.0.10...
Connected to 169.254.0.10.
Escape character is '^]'.
User Access Verification
Password:
CiscoRouter>

This is a well-known daemon; I suppose you are familiar with it. Keep in mind that the whole session, the password included, crosses the network in the clear, so anyone on the path can sniff it.


Tacacs (49/UDP)

TACACS (Terminal Access Controller Access Control System) is an authentication protocol: a router normally acts as a client that asks a TACACS server whether the user logging in on one of its lines may be let in. It is mostly used by Internet Service Providers to authenticate their dial-up customers. It has a function I will never use myself.


Bootps (67/UDP)

With BOOTP the router hands out boot information to other hosts; Cisco's AutoInstall uses it to configure a blank router over the network. Because your router is already configured and does not have to bootstrap others, there is no need to keep the daemon alive.


Finger (79/TCP)

lappie:~/IGS # telnet 169.254.0.10 79
Trying 169.254.0.10...
Connected to 169.254.0.10.
Escape character is '^]'.

   Line       User       Host(s)               Idle     Location
*  2 vty 0               idle                     0     169.254.0.3

Connection closed by foreign host.

Here we get some pretty valuable information, without any authentication: who has a session open on the IGS-CR and from where (in this case a vty session from 169.254.0.3). That is exactly what an attacker wants to know before trying the telnet daemon. The same data can be requested with the finger command from a Unix shell, so remember that if you kill the daemon you can no longer query it that way; on the router itself “show users” still gives it to you.


SNMP (161/UDP)

This (Simple Network Management Protocol) daemon comes in handy in some situations, but I see no reason to let it ‘live’ here: anyone who knows or guesses the community string can read the configuration, and with a read-write community can change it.


SNMP-tcp-port (1993/tcp)

This is the TCP version of the SNMP daemon on 161/udp; if you stop SNMP, check that the daemon behind 1993/tcp has stopped too.


Getting the information local:

We can also request information about the IGS-CR locally; you do not need ‘enable’ privileges for this. The command “show processes” gives output like the listing below.

CiscoRouter#show processes

  CPU utilization for one minute: 15%; for five minutes: 15%

  PID Q T      PC Runtime (ms)    Invoked   uSecs   Stacks  TTY Process

    1 M E 1019D28        49052       5275    9298  876/1000   0 Net Background
    2 L E 102D2EC            0          4       0  880/1000   0 Logger
   27 M *     F14          548         55    9963  678/1200   2 Virtual Exec
   28 L E 10581C8           28         20    1400  824/1000   0 UDP Echo
    5 M E 10581C8            0         52       0  898/1000   0 BOOTP Server
    6 H E 1010ABA       485848      74667    6506  536/900    0 IP Input
    7 M E 1062DA6           68      21114       3  804/1000   0 TCP Timer
    8 L E 1063FA4          164        161    1018  766/1000   0 TCP Protocols
    9 L E 101E646         1568       2321     675  854/1000   0 ARP Input
   10 L E 1010ABA            0          1       0  938/1000   0 Probe Input
   29 L E 10581C8           24         20    1200  824/1000   0 UDP Echo
   12 M E 1035092            0          2       0  968/1000   0 Timers
   13 H E 1010ABA        19472      54616     356  412/500    0 Net Input
   14 M T 100E474          336     104907       3  790/1000   0 TTY Background
   15 L E 10E2722            0          1       0  896/1000   0 IP SNMP
   30 L E 10581C8            0         20       0  946/1000   0 UDP Discard
   31 L E 10581C8            0         20       0  946/1000   0 UDP Discard

The command “show stacks” shows the stack usage of each process (the daemons run as IOS processes) and of the interrupt levels.

CiscoRouter#show stacks

Minimum process stacks:
Free/Size  Name
734/1000  Init
970/1000  Pakmon Init
962/1000  MOP Protocols
934/1000  UDP Discard
678/1200  Virtual Exec
786/1000  TCP Discard
782/1000  TCP Echo
820/1000  UDP Echo

Interrupt level stacks:
Level    Called Free/Size  Name
  3         417  964/1000  Serial interface state change interrupt
  4      580538  886/1000  Network interfaces
  5          46  968/1000  Console Uart


Securing IGS-CR

We need the combination of the remotely and locally gathered information to stop the unnecessary daemons. There are several ways to do this:

Way one, the simplest: run the ‘setup’ program. Its dialog asks, for example, whether SNMP network management should be configured, and a simple ‘yes’ or ‘no’ decides whether that daemon is loaded.

Way two: I know few people will try this, because first it is not easy to find, and second you really have to know what you are doing. The idea is to read out the memory, find the block that belongs to a daemon and overwrite it so the daemon dies. Be aware that IOS offers no documented command for writing to arbitrary memory, so on a stock router this reduces to finding the configuration command that disables the service (see the manual for your release).

Way three: as far as I know the IGS series has no internal (network) firewall feature; the newer ones probably do. I will not discuss how to set up that firewall, because simply said I do not know how to do it right now. What I do want to mention is that it lets you filter which hosts may reach which daemons, with rules like ‘169.254.0.11 may connect to the telnet daemon but 169.254.0.20 may not’. Even without a firewall feature set, plain IOS access lists applied to the vty lines with “access-class” give you exactly this rule for the telnet daemon. You get the idea, don't you?

To secure the IGS-CR completely we use the first two ways: first way one, and if not all unnecessary daemons are stopped after that, way two as well. You may want to kill different daemons than I do; most likely those are daemons that cannot be stopped from the ‘setup’ menu, and those have to be stopped with way two, which requires a lot of searching on your part.

Way one is rather simple: just type “setup” and walk through the menu. To verify afterwards that you have stopped some unnecessary daemons, run “show processes” before and after you walk through setup, compare the two outputs and see for yourself what has changed.
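As an added example (not from the original paper), the Python script below does that comparison for you: it parses two “show processes” listings and reports which processes disappeared or appeared, counting duplicates such as the two ‘UDP Echo’ entries separately. The ‘before’ listing is a subset of the table on this page; the ‘after’ listing is constructed to show the result of stopping the SNMP, BOOTP, echo and discard processes.

```python
"""Compare two 'show processes' listings, taken before and after a change, and
report which IOS processes (the daemons) disappeared or appeared.

Added example; not from the original paper. BEFORE is a subset of the listing
shown on the page; AFTER is constructed to show what it would look like once
the BOOTP, SNMP, UDP echo and UDP discard processes have been stopped.
"""
import re
from collections import Counter

BEFORE = """\
CPU utilization for one minute: 15%; for five minutes: 15%

  PID Q T      PC Runtime (ms)    Invoked   uSecs   Stacks  TTY Process
    1 M E 1019D28        49052       5275    9298  876/1000   0 Net Background
    2 L E 102D2EC            0          4       0  880/1000   0 Logger
   27 M *     F14          548         55    9963  678/1200   2 Virtual Exec
   28 L E 10581C8           28         20    1400  824/1000   0 UDP Echo
    5 M E 10581C8            0         52       0  898/1000   0 BOOTP Server
    6 H E 1010ABA       485848      74667    6506  536/900    0 IP Input
   15 L E 10E2722            0          1       0  896/1000   0 IP SNMP
   29 L E 10581C8           24         20    1200  824/1000   0 UDP Echo
   30 L E 10581C8            0         20       0  946/1000   0 UDP Discard
"""

# Constructed: the same router after the unwanted daemons were stopped.
AFTER = """\
CPU utilization for one minute: 12%; for five minutes: 14%

  PID Q T      PC Runtime (ms)    Invoked   uSecs   Stacks  TTY Process
    1 M E 1019D28        49210       5301    9283  876/1000   0 Net Background
    2 L E 102D2EC            0          4       0  880/1000   0 Logger
   27 M *     F14          612         61    9998  678/1200   2 Virtual Exec
    6 H E 1010ABA       486011      74702    6507  536/900    0 IP Input
"""

# One process row: PID, queue priority, state, PC, runtime, invoked, usecs,
# free/size stack, TTY, then the process name (which may contain spaces).
PROC_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<q>[CHML])\s+(?P<t>\S)\s+(?P<pc>[0-9A-Fa-f]+)\s+"
    r"(?P<runtime>\d+)\s+(?P<invoked>\d+)\s+(?P<usecs>\d+)\s+"
    r"(?P<free>\d+)/(?P<size>\d+)\s+(?P<tty>\d+)\s+(?P<name>\S.*?)\s*$"
)


def parse_processes(text):
    """Return one dict per process row; the header and CPU lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PROC_LINE.match(line)
        if not m:
            continue
        row = m.groupdict()
        for key in ("pid", "runtime", "invoked", "usecs", "free", "size", "tty"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def diff_processes(before, after):
    """Return (stopped, started) process names. Counters are used so that a
    process present twice (the two 'UDP Echo' entries) is counted twice."""
    b = Counter(r["name"] for r in parse_processes(before))
    a = Counter(r["name"] for r in parse_processes(after))
    return sorted((b - a).elements()), sorted((a - b).elements())


def still_running(text, unwanted):
    """Names from `unwanted` that are still present in a listing: what the
    setup dialog did not manage to stop and needs a different approach."""
    present = {r["name"] for r in parse_processes(text)}
    return [name for name in unwanted if name in present]


if __name__ == "__main__":
    stopped, started = diff_processes(BEFORE, AFTER)
    print("stopped:", stopped)
    print("started:", started)
    print("still running:", still_running(AFTER, ["IP SNMP", "BOOTP Server", "UDP Echo"]))
```

Paste the real listings into BEFORE and AFTER (or read them from two files); whatever still_running() reports for your list of unwanted daemons is what way one did not handle.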

I know that you cannot stop all unnecessary daemons with the setup program, so I will try to show you how to stop them ‘the second way’...

I am going to try to stop the daemon listed below...

   “15 L E 10E2722            0          1       0  896/1000   0 IP SNMP”

With the command “show memory” you get a dump of the allocated memory blocks, each with the process that owns it (the ‘What’ column). That is what we would need if we wanted to overwrite a specific location. Note, however, that “write memory” copies the running configuration to NVRAM (the same as “copy running-config startup-config”) and “erase” wipes NVRAM or flash; neither writes arbitrary data to a memory range, and I know of no IOS command that does.

Address   Bytes  Prev.   Next    Ref  PrevF  NextF  Alloc PC  What

58850       112  587E0   588C0     1  *      *      1057FA8   IP SNMP

  PID Q T      PC Runtime (ms)    Invoked   uSecs   Stacks  TTY Process
   15 L E 10E2722            0          1       0  896/1000   0 IP SNMP

One could also try to kill the process by its PID; because this depends on which router and IOS release you have, I am not going to explain it further. Find the appropriate command in your Cisco router manual, if your release has one at all.

After you have killed some daemons, check that they really are stopped (rerun the nmap scan and “show processes”). Rewriting memory is a tricky operation, and your Cisco router may stop functioning. To reset all data in NVRAM (where the configuration is stored), type in enable mode “erase startup-config” (“write erase” on older releases) and then “reload”. Remember that you lose your whole configuration by doing so; after the reload the router boots the IOS image from flash with an empty configuration and drops into the setup dialog. Consult your Cisco router manual for the specifics.
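The cleaner way to stop these daemons is with the router's own configuration commands rather than with memory patching. The fragment below is an added example, not from the original paper: the commands are the standard IOS ones for the services found by the scan (some exist only from IOS 11.x on, so check which form your release accepts with the manual), and 169.254.0.11 is assumed to be the one management host that may still telnet in.

```cisco
! Added example: stop the unnecessary daemons with configuration commands
! instead of rewriting memory. Typed from enable mode.
configure terminal
!
! echo (7) and discard (9), TCP and UDP: the "small servers"
no service tcp-small-servers
no service udp-small-servers
!
! finger (79): older releases take 'no service finger', newer ones 'no ip finger'
no service finger
!
! bootps (67): the router is already configured and does not bootstrap others
no ip bootp server
!
! snmp (161/udp and 1993/tcp): removes the agent together with its community strings
no snmp-server
!
! telnet (23) stays, but only the management host (assumed: 169.254.0.11) may
! reach the vty lines; every other source hits the implicit deny at the end of the list.
! 'login' needs a line password, which the login prompt on the page shows is already set.
access-list 10 permit 169.254.0.11 0.0.0.0
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login
!
end
!
! verify ("write terminal" on older releases), then save to NVRAM
show running-config
write memory
```

Afterwards rerun the nmap scan from the Unix box: 7, 9, 67, 79, 161 and 1993 should no longer show up, and a telnet attempt from any address other than 169.254.0.11 should be refused. “write memory” here is the normal save command, the same as “copy running-config startup-config”; it does not patch memory.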


OK, that is it for now; I have to spend my remaining hours learning more about Cisco Systems products.

Some links:

http://freshmeat.net/projects/nmap/
http://www.cisco.com/
http://www.netterm.com/


If you have any questions or other comment related to this paper you can drop a mail at mailpop3@crosswinds.net






Copyright (C) 2001, Data Wizard, The Netherlands.