Unauthorized Management Access Attack

Management sessions to devices give you the ability to view and collect information about a device and its operations. If this information is disclosed to a malicious user, the device can become the target of an attack, be compromised, and be used in order to perform additional attacks. Anyone with privileged access to a device has the capability for full administrative control of that device. Securing management sessions is imperative to prevent information disclosure and unauthorized access.

Because information can be disclosed during an interactive management session, this traffic must be encrypted so that a malicious user cannot gain access to the data being transmitted. Encrypting the traffic allows a secure remote access connection to the device. If the traffic for a management session is sent over the network in cleartext, an attacker can obtain sensitive information about the device and the network.

The management plane is used in order to access, configure, and manage a device, as well as monitor its operations and the network on which it is deployed. The management plane is the plane that receives and sends traffic for operations of these functions. You must secure both the management plane and control plane of a device, as operations of the control plane directly affect operations of the management plane.

Mitigation

Infrastructure ACLs, Configuration Management, Exec Timeout, Encrypted Management, Configuration Change Notification, Logging, TCP keepalives, AAA, SNMPv3, NTP

Infrastructure ACLs

Devised to prevent unauthorized direct communication to network devices, infrastructure access control lists (iACLs) are one of the most critical security controls that can be implemented in networks. An iACL is constructed and applied to specify connections from hosts or networks that need to be allowed to network devices. Common examples of these types of connections are eBGP, SSH, and SNMP.

After the required connections have been permitted, all other traffic to the infrastructure is explicitly denied. All transit traffic that crosses the network and is not destined to infrastructure devices is then explicitly permitted.
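The following is an added example of an iACL built along the lines just described; it is not taken from Cisco's documentation. The infrastructure address block (203.0.113.0/24), the management network (192.0.2.0/24), the eBGP neighbour (198.51.100.2) and the interface name are assumptions chosen for illustration.

```cisco
! Constructed example: 203.0.113.0/24 holds this network's infrastructure
! addresses (loopbacks and link addresses); 192.0.2.0/24 is the management
! network; 198.51.100.2 is the eBGP neighbour. All values are assumptions.
ip access-list extended ACL-INFRASTRUCTURE-IN
 remark --- Required connections to infrastructure addresses ---
 remark eBGP, from the known neighbour only (both directions of the TCP session)
 permit tcp host 198.51.100.2 host 203.0.113.1 eq bgp
 permit tcp host 198.51.100.2 eq bgp host 203.0.113.1
 remark SSH (TCP/22), from the management network only
 permit tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 22
 remark SNMP polling, from the management network only
 permit udp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255 eq snmp
 remark --- Everything else aimed at infrastructure is explicitly denied ---
 deny ip any 203.0.113.0 0.0.0.255
 remark --- Transit traffic not destined to infrastructure is permitted ---
 permit ip any any
!
! Apply inbound on the interface that faces the untrusted network
interface GigabitEthernet0/0
 description Uplink to peer network
 ip access-group ACL-INFRASTRUCTURE-IN in
```

The hit counters shown by show ip access-lists ACL-INFRASTRUCTURE-IN tell you what the deny line is absorbing. Every protocol the infrastructure legitimately receives through that interface (other routing protocols, NTP, the ICMP messages needed for path MTU discovery) has to be permitted above the deny line, or it is dropped along with the unwanted traffic; this example lists only the three connection types named in the text.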

Configuration Management

Cisco IOS software includes several features that can enable a form of configuration management on a Cisco IOS device. Such features include functionality to archive configurations, to roll back the configuration to a previous version, and to create a detailed configuration change log. Beginning in Cisco IOS Software Release 12.3(7)T, the Configuration Replace and Configuration Rollback features allow for archiving of the Cisco IOS device configuration on the device.

Exec Timeout and TCP Keepalives

The exec-timeout command must be used in order to log out sessions on vty or tty lines that are left idle. The service tcp-keepalives-in command must also be used in order to enable TCP keepalives on incoming connections to the device. This ensures that the device on the remote end of the connection is still accessible and that half-open or orphaned connections are removed from the local IOS device.

Encrypted Management

An administrator is able to establish an encrypted and secure remote access management connection to a device by using the SSH or HTTPS (Secure Hypertext Transfer Protocol) features. Cisco IOS software supports SSH version 1.0 (SSHv1), SSH version 2.0 (SSHv2), and HTTPS that uses Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for authentication and data encryption. Note that SSHv1 and SSHv2 are not compatible.
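An added example that combines the session controls from the two preceding sections (idle timeout, TCP keepalives, SSHv2-only and HTTPS-only management) into one configuration; it is written for this page and is not Cisco's own sample. The hostname, domain name, key size and timeout values are assumptions.

```cisco
! Constructed example; hostname, domain and key size are assumptions.
hostname edge-router
ip domain-name example.com
! An RSA key pair must exist before the SSH server will start
crypto key generate rsa modulus 2048
! Accept SSHv2 only; SSHv1 and SSHv2 are not compatible, so pin the version
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Management web interface: HTTPS only, no cleartext HTTP
no ip http server
ip http secure-server
!
! Probe the remote end so half-open and orphaned sessions are torn down
service tcp-keepalives-in
service tcp-keepalives-out
!
line vty 0 4
 ! Log out an idle session after 10 minutes 0 seconds
 exec-timeout 10 0
 ! Refuse Telnet and other cleartext transports on the vty lines
 transport input ssh
line con 0
 exec-timeout 10 0
```

show ip ssh confirms the version and timeout in force, and show users lists the sessions currently open on the vty lines, which is where orphaned sessions would otherwise accumulate.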

Configuration Change Notification

The Configuration Change Notification and Logging feature makes it possible to log the configuration changes made to a Cisco IOS device. The log is maintained on the Cisco IOS device and contains the user information of the individual who made the change, the configuration command entered, and the time that the change was made.
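An added example of the archive and change-logging configuration described in the Configuration Management section above and in this section; it is an illustration written for this page, not Cisco's own sample. The archive path, snapshot count and log size are assumptions.

```cisco
! Constructed example; the archive path and sizes are assumptions.
! The target directory must exist first: mkdir flash:archive
archive
 ! Snapshots of the running configuration are written as
 ! flash:archive/backup-1, backup-2, ... up to the maximum, then rotated
 path flash:archive/backup
 maximum 14
 ! Take a snapshot every 1440 minutes (24 hours) and on every write memory
 time-period 1440
 write-memory
 ! Configuration Change Notification and Logging
 log config
  logging enable
  ! Keep the last 500 change entries on the device
  logging size 500
  ! Do not record passwords or keys in the change log
  hidekeys
  ! Also emit each change (user, command, time) as a syslog message
  notify syslog
```

show archive lists the snapshots that exist, and show archive log config all prints the change log with the user, the command entered and the time of the change. To roll back, configure replace flash:archive/backup-3 list replaces the running configuration with that snapshot and lists the commands it applied to get there.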

Logging

Event logging gives you visibility into the operation of a Cisco IOS device and the network into which it is deployed. Cisco IOS software provides several flexible logging options that can help achieve the network management and visibility goals of an organization.

You are advised to send logging information to a remote syslog server. By doing so, it becomes possible to correlate and audit network and security events across network devices more effectively.
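An added example of sending timestamped logs to a remote syslog server while keeping a local buffer as a fallback; it is written for this page and is not Cisco's own sample. The collector address (192.0.2.50), the source interface and the buffer size are assumptions.

```cisco
! Constructed example; 192.0.2.50 as collector and Loopback0 are assumptions.
! Timestamp every message with millisecond precision so events can be
! correlated across devices
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
service sequence-numbers
! Local buffer used when the collector is unreachable
logging buffered 65536 informational
! Console logging burns CPU and slows the console session during bursts
no logging console
logging monitor informational
! A stable source address lets the collector attribute messages to this device
logging source-interface Loopback0
logging host 192.0.2.50
logging trap informational
```

show logging displays the buffered messages and, for the remote host, how many messages have been sent. By default the messages leave the device as cleartext UDP syslog, so the collector belongs on the management network that the iACL already restricts.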

AAA

The Authentication, Authorization, and Accounting (AAA) framework is critical to securing interactive access to network devices. The AAA framework provides a highly configurable environment that can be tailored depending on the needs of the network.
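An added example of an AAA configuration that authenticates, authorizes and accounts for interactive access against a TACACS+ server with a local fallback; it is an illustration for this page, not Cisco's own sample. The server address, names and the placeholder secrets are assumptions.

```cisco
! Constructed example; server address and names are assumptions.
! Secrets are placeholders and must be replaced before use.
aaa new-model
tacacs server TACACS-PRIMARY
 address ipv4 192.0.2.30
 key REPLACE_ME_TACACS_SECRET
aaa group server tacacs+ TACACS-SERVERS
 server name TACACS-PRIMARY
! Authentication: ask TACACS+, fall back to the local user only if no
! server answers (not if the server rejects the login)
aaa authentication login default group TACACS-SERVERS local
! Authorization: the exec shell and privileged (level 15) commands
aaa authorization exec default group TACACS-SERVERS local
aaa authorization commands 15 default group TACACS-SERVERS local
! Accounting: record session start/stop and every privileged command
aaa accounting exec default start-stop group TACACS-SERVERS
aaa accounting commands 15 default start-stop group TACACS-SERVERS
! Local fallback account, stored as a hashed secret, not a cleartext password
username admin privilege 15 secret REPLACE_ME_LOCAL_PASSWORD
```

The local keyword on the method lists is consulted only when the TACACS+ group is unreachable, so a lost server does not lock administrators out; test tacacs+ style checks aside, show tacacs reports whether the server is responding.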

SNMPv3

SNMPv3 provides secure access to devices by authenticating and optionally encrypting packets over the network. Where supported, SNMPv3 can be used in order to add another layer of security when deploying SNMP.
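An added example of an SNMPv3 read-only configuration using both authentication and privacy (the authPriv level), written for this page rather than taken from Cisco's documentation. The manager address, the group, view and user names and the placeholder passphrases are assumptions.

```cisco
! Constructed example; manager address and names are assumptions.
! Passphrases are placeholders and must be replaced before use.
! Only this manager may talk to the SNMP agent at all
ip access-list standard SNMP-MANAGERS
 permit 192.0.2.60
! Read-only view over the whole MIB tree
snmp-server view SNMP-VIEW-RO iso included
! v3 group that requires authentication and encryption (priv) and may only read
snmp-server group SNMP-GROUP-RO v3 priv read SNMP-VIEW-RO access SNMP-MANAGERS
! v3 user: SHA for authentication, AES-128 for privacy
snmp-server user snmp-monitor SNMP-GROUP-RO v3 auth sha REPLACE_ME_AUTH_PASS priv aes 128 REPLACE_ME_PRIV_PASS access SNMP-MANAGERS
! Remove any leftover v1/v2c community strings
no snmp-server community public
```

show snmp user lists the configured v3 users with their authentication and privacy protocols, and show snmp group confirms the security level the group enforces; a group created with auth or noauth instead of priv would pass polled data in cleartext.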

NTP

Accurate and reliable time is required for syslog purposes, such as during forensic investigations of potential attacks, as well as for successful VPN connectivity when depending on certificates for Phase 1 authentication.
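An added example of authenticated NTP so that the time used in syslog entries comes only from trusted servers; it is an illustration for this page, not Cisco's own sample. The server addresses, source interface, key number and placeholder key are assumptions.

```cisco
! Constructed example; server addresses and key are assumptions.
! The key is a placeholder and must be replaced before use.
ntp authentication-key 1 md5 REPLACE_ME_NTP_KEY
ntp authenticate
ntp trusted-key 1
! Stable source address so the servers and their ACLs see one identity
ntp source Loopback0
! Only answers carrying trusted key 1 are accepted
ntp server 192.0.2.40 key 1 prefer
ntp server 192.0.2.41 key 1
! Restrict which peers this device will synchronize with
ip access-list standard NTP-SERVERS
 permit 192.0.2.40
 permit 192.0.2.41
ntp access-group peer NTP-SERVERS
! Log in UTC so entries from different devices line up without offset arithmetic
clock timezone UTC 0
```

show ntp status reports whether the clock is synchronized and the stratum of the source; show ntp associations lists each server and whether its packets passed authentication. Until synchronization is achieved, syslog timestamps and certificate validity checks for VPN Phase 1 are based on the device's unsynchronized clock.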