Brian Wilson (the famous Slimjim100 Blogger) attended BlackHat 2008 DC and heard the news of Cisco routers getting hijacked due to poor ACL's and SNMP traffic being sent over public networks in plain-text.
Slimjim100 (i.e. Brian Wilson) Blogs:
 It is important to keep your router locked down and protected. |
If your router got accessed and changed by an unauthorized person the first thing they might do is to lock you out.
I have heard of reports where this is happened to a large multi-site company and they where blackmailed for money to get access back to there routers.
With networks expanding over many miles, cities, and countries it's important to keep you network safe.
In the case of this reported company, the cost of sending people out to password recover the routers was a lot more than the blackmailer's offer so the company paid them and then locked down the devices after they regained access.
This could of been avoided and the skills needed to lock down a router is not CCIE level stuff!
Just using ACL's and a understanding of how the network is designed can prevent this kind of attack.
Other issues with unauthorized access is even if you can regain access it's best to reload the IOS and review you config's.
I say this since I have learned from Felix's presentation at BlackHat that some attackers load non-Cisco patches to the IOS.
If an unauthorized IOS patch was made to your devices it is very difficult to identify the malicious code.
With infected IOS code your routers you risk them becoming members of bot-nets, reset unexpectedly, or relay/hide unwanted traffic or tunnels.
My recommendation is to only trust IOS code you get directly from Cisco.
In the end of the day it does pay to keep your Cisco contracts up to date so when you need that clean IOS fix your CCO login can save the day.
--------------------
David Davis - Cisco CCIE and the Expert Cisco Columnist for TechRepublic, suggests that you review his top five best practices to secure your routers, your network, and your company from malicious attacks:
Fundamentals: Five ways to secure your Cisco routers and switches
Whitepaper covering Cisco IOS forensic developments, released at BlackHat Briefings Washington DC 2008:
Developments in Cisco IOS Forensics
Cisco IOS is still the prevalent router operating system in today’s networks.
Its architecture and consequently the procedures to debug and analyze it are not suited well for detecting and thoroughly inspecting crash causes, especially intentional attacks.
Cisco Systems recently started to distribute the successor, IOS-XR, which features process separation and the QNX commercial microkernel.
However, the extremely large population of IOS devices and the significantly higher hardware requirements of the new IOSXR limit the impact it has on the currently deployed routing platforms.
Generally, networking engineers are reluctant to move from one image version to another, despite the frequent updates by Cisco Systems.
Most production networks stay with two or three minor versions behind the most recent releases, since only older versions provide the reliability they need to operate stable networks.
All the discussed factors lead to a large part of the network infrastructure being vulnerable to attacks and malicious modification, without the appropriate tools to detect and analyze it.
Developments in Cisco IOS Forensics
Have YOU too ever heard of a company being locked out of their Cisco routers by malicious intruders seeking blackmail money?
Brad Reese cofounded BradReese.Com Cisco Refurbished, which enables affordable Cisco networks globally by assuring customer satisfaction with guaranteed one year warranties on both Cisco Repair as well as Refurbished Cisco.
Don't be shy, contact Brad Reese online or call him Toll Free:
866-864-0506
International callers may wish to call Brad by dialing:
850-364-4115
The Leader in Network Knowledge
Wow Need to lock it down
I never thought of this kind of attack! This is the kind of story that makes you want to review all your configs and make sure you keep on your syslogs!
regards,
Router Guy
Simple RO strings and basic
Simple RO strings and basic ACL's can go a long way in preventing this type of thing. Also using SNMPv3, and SSH aka encryption when available and viable are standard best practices.
Auditing is the key!
As I read this all I could think of was WTF where they thinking not protecting there routers or any IT equipment. I would like to know what kind of company had this happen to it. I just hope it was not a bank or hospital as there can be so many other issues there. How did the report get out and is there a hard copy?
Cheers,
WhiteHat
Cisco is the Microsoft
Cisco is the Microsoft Windows of networking.
Access-lists and RO SNMP is useless when dealing with vulnerabilities and spoofed IP's.