Auditors face some challenges when reviewing router and firewall configurations. I'm going to discuss a few of them in this article. My assumption is that there is a device hardening standard in place, which points out the key elements of configuration. I am also assuming configuration review is only small, and not the most important part of audit program (design assessment, change control, access control, etc... have to be done as well).
The first challenge is that auditors don’t have access to devices so they cannot pull the configuration file by themselves. They have to ask network administrators to deliver configuration files to them. So, how auditors know that configuration was collected from the devices in scope of the audit and not from Cisco simulator (GNS3/Dynamips) or from some vanilla firewall or router? Unfortunately, the only solution is to watch over our administrator’s shoulder. The other bad news could be change control. If there is no good change control mechanism in place (i.e. starting form change logging to Cisco ACS) , the configuration file could be changing too often, and auditing it doesn’t make any sense. So, I assume the change control was audited before configuration audit was started. The good news here is that auditors can ask for configuration more than once during audit period or they do audit more than once a year. I would recommend to grep 'Cryptochecksum'
(unfortunately works only on ASA/PIX, not IOS) and retain results. Cyptochecksum conists of four groups of hexadecimal numbers that act as a digital summary of the contents of the configuration. By comparing the numbers auditors can see if the configuration has changed and was written to firewall NVRAM.
The following is a sample output from the show checksum command before and after writing to NVRAM:
Rack1ASA1# sh checksum
Cryptochecksum: be697684 e7dc0660 f0495b17 994feacd <-----------Cryptochecksum
Rack1ASA1# conf t
Rack1ASA1(config)# int e2
Rack1ASA1(config-if)# no sh <----------------------------------Change in firewall configuration
Rack1ASA1(config)# sh checksum
Cryptochecksum: be697684 e7dc0660 f0495b17 994feacd <-----------Cryptochecksum has not changed
Rack1ASA1(config)# wr me
Cryptochecksum: c5df47a1 f4d17718 71a13542 cc6cde7e <-----------Cryptochecksum has changed
2012 bytes copied in 1.210 secs (2012 bytes/sec)
As an auditor I would ask for grep 'Cryptochecksum' (or 'sh cryptochecksum') at the beginning of the audit and at the end. Keep the Cryptochecksum for the next audit.
The second challenge I want to discuss here is that the configuration files tend to be hundreds of pages long, and full of confidential information such as passwords, and addresses. The solution here is to ask network administrators to provide output of a script or single command after removing confidential information. This way, the auditor doesn't need to read through a long printout, and can focus only on important information.
The questions auditors ask most of the time can be satisfied with a single command based on simple 'grep' search, see example below for Cisco PIX firewall:
grep 'any\|telnet\|timeout\|floodguard\|server\|logging\auth\|audit\|pdm' * > output
It will save all configuration lines with keywords 'any', 'telnet,' 'timeout', 'floodguard', 'server', 'logging', 'auth', 'audit' and 'pdm' in the 'output' file. The network administrator now has the opportunity to remove confidential information from this file before sending it back to auditor.
has a nice article about 'Random configuration analysis', with more examples of 'grep' commands. For example to find well-known SNMP communities:
grep -ire "^snmp-server community public "
The ‘grep’ command is part of all flavors of UNIX operating systems. It is also part of many free packages on Windows (i.e. Wingrep) or could be replaces by system ‘findstr’ command. The good source of what to look for with grep/findstr command are Cisco AutoSecure examples
Network administrators can run the grep command against configuration files pulled from routers and firewalls and stored in local directory of their workstation (UNIX or Windows), or use 'grep' statement build into Cisco IOS or ASA. For example, suppose the auditor wants to check the configuration for all “telnet” statements. The network administrator can run “show running-config | grep telnet”
and look through each entry (or without ‘grep’, just using ‘include’ – “sh run | i telnet"), filter out addresses and send output to auditor.
All of these requires auditor to be Router/Firewall Subject Matter Expert. If it is not the case there are several automated tools available for router and firewall configuration auditing which can automatically produce report and save time auditors spend for review of 'grep' output. See the short list below for free tools.
• NIPPER – can be downloaded from Titania
after free registration. It can be used to audit configuration files of Cisco, Juniper and Checkpoint, SonicWall, and many others. Nipper produces long and pretty reports.
• CCSAT (Cisco Configuration Security Auditing Tool) see here
The tool is based upon industry best practices, including Cisco, NSA, and SANS security guides and recommendations
• RATS - Rough Auditing Tool for Security - is an open source tool developed and maintained by Secure Software security engineers acquired by Fortify, see here
RAT 2.2 has ability to score Cisco Router IOS and PIX firewalls. It includes benchmark documents for both Cisco IOS and Cisco ASA, FWSM, and PIX security settings.
The Cisco Works Network Compliance Manager (NCM) is a possible solution for Cisco based network (commercial, not free). NCM tracks compliance with a broad variety of regulatory, IT, corporate governance, and technology best practices. It has a sophisticated search capability.
The last challnege I’m going to point out here is that configuration file doesn’t show all settings. There are different versions of software and they can have different defaults. For example, auditor might want to expect to find ‘no service pad’ in the configuration file. The newer version of software can have it disabled by default. In these case additional input from administrator is required (to run ‘show’ command)
Auditing router and firewall configurations by searching for important keywords in the configuration files or using automated tools gives administrators the option to prevent distribution of classified information and verify compliance with device hardening standards.