Brian Wilson (the famous Slimjim100 Blogger) attended BlackHat 2008 DC and heard the news of Cisco routers getting hijacked due to poor ACL's and SNMP traffic being sent over public networks in plain-text.
Slimjim100 (i.e. Brian Wilson) Blogs:
|It is important to keep your router locked down and protected.
If your router got accessed and changed by an unauthorized person the first thing they might do is to lock you out.
I have heard of reports where this is happened to a large multi-site company and they where blackmailed for money to get access back to there routers.
With networks expanding over many miles, cities, and countries it's important to keep you network safe.
In the case of this reported company, the cost of sending people out to password recover the routers was a lot more than the blackmailer's offer so the company paid them and then locked down the devices after they regained access.
This could of been avoided and the skills needed to lock down a router is not CCIE level stuff!
Just using ACL's and a understanding of how the network is designed can prevent this kind of attack.
Other issues with unauthorized access is even if you can regain access it's best to reload the IOS and review you config's.
I say this since I have learned from Felix's presentation at BlackHat that some attackers load non-Cisco patches to the IOS.
If an unauthorized IOS patch was made to your devices it is very difficult to identify the malicious code.
With infected IOS code your routers you risk them becoming members of bot-nets, reset unexpectedly, or relay/hide unwanted traffic or tunnels.
My recommendation is to only trust IOS code you get directly from Cisco.
In the end of the day it does pay to keep your Cisco contracts up to date so when you need that clean IOS fix your CCO login can save the day.
David Davis - Cisco CCIE and the Expert Cisco Columnist for TechRepublic, suggests that you review his top five best practices to secure your routers, your network, and your company from malicious attacks:
Whitepaper covering Cisco IOS forensic developments, released at BlackHat Briefings Washington DC 2008:
Cisco IOS is still the prevalent router operating system in today’s networks.
Its architecture and consequently the procedures to debug and analyze it are not suited well for detecting and thoroughly inspecting crash causes, especially intentional attacks.
Cisco Systems recently started to distribute the successor, IOS-XR, which features process separation and the QNX commercial microkernel.
However, the extremely large population of IOS devices and the significantly higher hardware requirements of the new IOSXR limit the impact it has on the currently deployed routing platforms.
Generally, networking engineers are reluctant to move from one image version to another, despite the frequent updates by Cisco Systems.
Most production networks stay with two or three minor versions behind the most recent releases, since only older versions provide the reliability they need to operate stable networks.
All the discussed factors lead to a large part of the network infrastructure being vulnerable to attacks and malicious modification, without the appropriate tools to detect and analyze it.
Have YOU too ever heard of a company being locked out of their Cisco routers by malicious intruders seeking blackmail money?
|Warning: Suspect Cisco WS-SUP720-3BXL, WS-SUP720-3B, WS-X6724-SFP and WS-X6748-GE-TX cards being offered for sale|
|Mansion of Cisco CEO gets Palo Alto City Council approval|
|Nortel enterprise director: Cisco insults users' intelligence|
|Nortel enterprise director praises new Cisco ASR 1000 router|
|Cisco Ferrari or Nortel lawn mower, which one will customers choose to ride?|
Brad Reese cofounded BradReese.Com Cisco Refurbished, which enables affordable Cisco networks globally by assuring customer satisfaction with guaranteed one year warranties on both Cisco Repair as well as Refurbished Cisco.
Don't be shy, contact Brad Reese online or call him at 717-707-0704.