Cisco Applied Mitigation Bulletin

Identifying and Mitigating Exploitation of the DLSw Vulnerability

Advisory ID: cisco-amb-20070110-dlsw

http://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20070110-dlsw

Revision 1.0

For Public Release 2007 January 10 16:00  UTC (GMT)


Contents

Cisco Response
Device-Specific Mitigation and Identification
Additional Information
Revision History
Cisco Security Procedures
Related Information

Cisco Response

Vulnerability Characteristics

A vulnerability exists in the Data-Link Switching (DLSw) feature of Cisco IOS software: an invalid value in a DLSw capabilities exchange message can crash the affected device, and repeated exploitation can result in a sustained Denial of Service (DoS) condition. Devices running vulnerable IOS software can be exploited remotely by an unauthenticated attacker. The attack vector is the Transmission Control Protocol (TCP) on port TCP/2065 or TCP/2067, and exploitation requires the ability to establish a DLSw connection to the affected device; restricting which sources can reach those ports, or which sources the device will peer with, therefore removes the precondition for the attack. This vulnerability is not covered by a CVE ID.

This document contains information to assist Cisco customers in identifying and mitigating attempts to exploit the DLSw Vulnerability. The vulnerability described in this document affects devices running Cisco IOS software and having DLSw enabled.

Vulnerable, non-affected and fixed software information is available in the PSIRT Security Advisory at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070110-dlsw.

Mitigation Technique Overview

Cisco devices provide several countermeasures for the DLSw vulnerability. The most effective means of exploit prevention are to filter TCP packets sent to addresses configured on the affected device on ports TCP/2065 and TCP/2067 using Infrastructure Protection Access Control Lists (iACLs), Transit Access Control Lists (tACLs), or the Control Plane Policing (CoPP) feature, and to disable DLSw promiscuous peering and configure explicit DLSw peers with the dlsw remote-peer configuration command for all DLSw connections. The two measures are complementary: explicit peering limits which source addresses the device will accept a DLSw peer connection from, while ACL or CoPP filtering keeps packets from untrusted sources from reaching the DLSw code at all.
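The overview above recommends disabling promiscuous peering and configuring explicit peers but does not show the configuration. The following is an added example, not configuration taken from this bulletin or from Cisco; it reuses the hypothetical addresses from the ACL examples in this document (192.168.1.1 as the affected device, 192.168.2.2 through 192.168.5.5 as the trusted peers) and shows the weak setting beside the corrected one.

```cisco
!-- Weak configuration (hypothetical): the promiscuous keyword makes the
!-- router accept a DLSw TCP connection (TCP/2065 and TCP/2067) from any
!-- host, which is exactly the precondition the vulnerability requires.

dlsw local-peer peer-id 192.168.1.1 promiscuous
!

!-- Hardened configuration: remove the promiscuous keyword and list every
!-- authorized peer explicitly. Connection attempts from addresses that
!-- are not configured as remote peers are refused before any capabilities
!-- exchange takes place. Addresses are the same hypothetical ones used in
!-- the ACL examples in this bulletin.

dlsw local-peer peer-id 192.168.1.1
dlsw remote-peer 0 tcp 192.168.2.2
dlsw remote-peer 0 tcp 192.168.3.3
dlsw remote-peer 0 tcp 192.168.4.4
dlsw remote-peer 0 tcp 192.168.5.5
!

!-- Verification (privileged EXEC, not configuration mode): only the four
!-- configured peers should be listed.

show dlsw peers
```

The explicit-peer check is by source address only, so it complements rather than replaces the iACL, tACL and CoPP filtering shown later in this document, which also keeps unsolicited packets on TCP/2065 and TCP/2067 off the device. Expect existing DLSw peer sessions to be re-established when the dlsw local-peer command is changed, so apply the change in a maintenance window.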

Risk Management

Organizations are advised to follow their standard risk evaluation and mitigation processes to determine the potential impact of this vulnerability. Triage refers to sorting projects and prioritizing the efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams: Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.

Device-Specific Mitigation and Identification

Specific information on mitigation and identification is available for these devices:

Cisco IOS Routers

Caution: The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network architecture, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Mitigation

Infrastructure Protection Access Control Lists (iACL)

The following access control list (ACL) policy denies TCP packets sent to the IP addresses configured on an affected device on ports TCP/2065 and TCP/2067 unless they come from known trusted DLSw peers. All other packets sent to the affected device are permitted only from known trusted source networks (i.e., management networks, security operations center, network operations center). The added access control entries (ACEs) should be implemented as part of an Infrastructure Protection Access Control List (iACL) policy, which minimizes the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic to the infrastructure equipment while permitting all other transit traffic in accordance with existing security policies and configurations.

Additional information about iACLs is available at Protecting Your Core: Infrastructure Protection Access Control Lists.


!-- Permit TCP packets on ports TCP/2065 and TCP/2067 sent to addresses
!-- configured on interfaces of the affected device (management, loopback,
!-- access links and network/user segments) from known trusted DLSw peers.


ip access-list extended infrastructure-acl-policy
  permit tcp host 192.168.2.2 host 192.168.1.1 eq 2065
  permit tcp host 192.168.2.2 host 192.168.1.1 eq 2067
  permit tcp host 192.168.3.3 host 192.168.1.1 eq 2065
  permit tcp host 192.168.3.3 host 192.168.1.1 eq 2067
  permit tcp host 192.168.4.4 host 192.168.1.1 eq 2065
  permit tcp host 192.168.4.4 host 192.168.1.1 eq 2067
  permit tcp host 192.168.5.5 host 192.168.1.1 eq 2065
  permit tcp host 192.168.5.5 host 192.168.1.1 eq 2067


!-- Deny all other TCP traffic sent to addresses configured on interfaces
!-- of the affected device for ports TCP/2065 and TCP/2067.


  deny tcp any any eq 2065
  deny tcp any any eq 2067


!-- Permit/Deny all other Layer3 and Layer4 traffic in accordance
!-- with existing security policies and configurations.

!

!-- Apply iACL to interface(s) in the inbound direction.


interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group infrastructure-acl-policy in
!

Identification

Infrastructure Protection Access Control Lists (iACL)

With an iACL, once the access list is applied, the show access-lists or show ip access-lists commands can be used to identify the number of TCP packets being filtered. Filtered packets should be investigated to determine if they are attempts to exploit this vulnerability or to verify if they are legitimate packets.

Example output for show access-lists infrastructure-acl-policy:

ios-router#
ios-router#show access-lists infrastructure-acl-policy
Extended IP access list infrastructure-acl-policy
    10 permit tcp host 192.168.2.2 host 192.168.1.1 eq 2065 (13 matches)
    20 permit tcp host 192.168.2.2 host 192.168.1.1 eq 2067
    30 permit tcp host 192.168.3.3 host 192.168.1.1 eq 2065 (7 matches)
    40 permit tcp host 192.168.3.3 host 192.168.1.1 eq 2067
    50 permit tcp host 192.168.4.4 host 192.168.1.1 eq 2065
    60 permit tcp host 192.168.4.4 host 192.168.1.1 eq 2067 (5 matches)
    70 permit tcp host 192.168.5.5 host 192.168.1.1 eq 2065 (29 matches)
    80 permit tcp host 192.168.5.5 host 192.168.1.1 eq 2067
    90 deny tcp any any eq 2065 (130 matches)
    100 deny tcp any any eq 2067 (2 matches)
    --             ACL Policy Truncated             --
    --  Permit or Deny all other Layer3 and Layer4  --
    -- traffic in accordance with existing security --
    -- policies and configurations.                 --
ios-router#

In the above example, access list infrastructure-acl-policy permitted 13 packets on ACE sequence 10 (TCP/2065), 7 packets on ACE sequence 30 (TCP/2065), 5 packets on ACE sequence 60 (TCP/2067) and 29 packets on ACE sequence 70 (TCP/2065), and denied a total of 132 packets on TCP/2065 and TCP/2067 (130 on ACE sequence 90 and 2 on ACE sequence 100). The access list is applied in the inbound direction on interface GigabitEthernet0/0; because the trusted peers are matched by the permit entries first, every denied packet came from a source other than the four configured peers.

Cisco IOS Switches

Caution: The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Mitigation

Infrastructure Protection Access Control Lists (iACL)

The following access control list (ACL) policy denies TCP packets sent to the addresses configured on an affected device on ports TCP/2065 and TCP/2067 unless they come from known trusted DLSw peers. All other packets sent to the affected device are permitted only from known trusted source networks (i.e., management networks, security operations center, network operations center). The added access control entries (ACEs) should be implemented as part of an Infrastructure Protection Access Control List (iACL) policy, which minimizes the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic to the infrastructure equipment while permitting all other transit traffic in accordance with existing security policies and configurations.

Additional information about iACLs is available at Protecting Your Core: Infrastructure Protection Access Control Lists.


!-- Permit TCP packets on ports TCP/2065 and TCP/2067 sent to addresses
!-- configured on interfaces of the affected device (management, loopback,
!-- access links and network/user segments) from known trusted DLSw peers.


ip access-list extended infrastructure-acl-policy
  permit tcp host 192.168.2.2 host 192.168.1.1 eq 2065
  permit tcp host 192.168.2.2 host 192.168.1.1 eq 2067
  permit tcp host 192.168.3.3 host 192.168.1.1 eq 2065
  permit tcp host 192.168.3.3 host 192.168.1.1 eq 2067
  permit tcp host 192.168.4.4 host 192.168.1.1 eq 2065
  permit tcp host 192.168.4.4 host 192.168.1.1 eq 2067
  permit tcp host 192.168.5.5 host 192.168.1.1 eq 2065
  permit tcp host 192.168.5.5 host 192.168.1.1 eq 2067


!-- Deny all other TCP traffic sent to addresses configured on interfaces
!-- of the affected device for ports TCP/2065 and TCP/2067.


  deny tcp any any eq 2065
  deny tcp any any eq 2067


!-- Permit/Deny all other Layer3 and Layer4 traffic in accordance
!-- with existing security policies and configurations.

!

!-- Apply iACL to interface(s) in the inbound direction.


interface Vlan100
 ip address 192.168.1.1 255.255.255.0
 ip access-group infrastructure-acl-policy in
!

Identification

Infrastructure Protection Access Control Lists (iACL)

With an iACL, once the access list is applied, the show access-lists or show ip access-lists commands can be used to identify the number of TCP packets being filtered. Filtered packets should be investigated to determine if they are attempts to exploit this vulnerability or to verify if they are legitimate packets.

Example output for show access-lists infrastructure-acl-policy:

ios-switch#
ios-switch#show access-lists infrastructure-acl-policy
Extended IP access list infrastructure-acl-policy
    10 permit tcp host 192.168.2.2 host 192.168.1.1 eq 2065 (6 matches)
    20 permit tcp host 192.168.2.2 host 192.168.1.1 eq 2067
    30 permit tcp host 192.168.3.3 host 192.168.1.1 eq 2065 (11 matches)
    40 permit tcp host 192.168.3.3 host 192.168.1.1 eq 2067
    50 permit tcp host 192.168.4.4 host 192.168.1.1 eq 2065 (14 matches)
    60 permit tcp host 192.168.4.4 host 192.168.1.1 eq 2067 (7 matches)
    70 permit tcp host 192.168.5.5 host 192.168.1.1 eq 2065
    80 permit tcp host 192.168.5.5 host 192.168.1.1 eq 2067 (1 match)
    90 deny tcp any any eq 2065 (63 matches)
    100 deny tcp any any eq 2067 (1 match)
    --             ACL Policy Truncated             --
    --  Permit or Deny all other Layer3 and Layer4  --
    -- traffic in accordance with existing security --
    -- policies and configurations.                 --
ios-switch#

In the above example, access list infrastructure-acl-policy permitted 6 packets on ACE sequence 10 (TCP/2065), 11 packets on ACE sequence 30 (TCP/2065), 14 packets on ACE sequence 50 (TCP/2065), 7 packets on ACE sequence 60 (TCP/2067) and 1 packet on ACE sequence 80 (TCP/2067), and denied a total of 64 packets on TCP/2065 and TCP/2067 (63 on ACE sequence 90 and 1 on ACE sequence 100). The access list is applied in the inbound direction on interface Vlan100.

Note: The hit counts displayed above are only for packets processed (and dropped) in software. On hardware-based IOS switches, an additional command can be used to determine whether packets are also being dropped in hardware; the software and hardware counts together give the full picture.

Starting with IOS version 12.2(14)SX (for Supervisor 720) and version 12.2(17d)SXB (for Supervisor 2), the command show tcam interface vlan <vlan-id> acl <in/out> ip can be used to provide ACE hit counts for packets that have been processed in hardware.

ios-switch#show tcam interface vlan 100 acl in ip

* Global Defaults shared

Entries from Bank 0
Entries from Bank 1

    permit       tcp host 192.168.2.2 host 192.168.1.1 eq 2065
    permit       tcp host 192.168.2.2 host 192.168.1.1 eq 2067
    permit       tcp host 192.168.3.3 host 192.168.1.1 eq 2065 (8 matches)
    permit       tcp host 192.168.3.3 host 192.168.1.1 eq 2067
    permit       tcp host 192.168.4.4 host 192.168.1.1 eq 2065
    permit       tcp host 192.168.4.4 host 192.168.1.1 eq 2067
    permit       tcp host 192.168.5.5 host 192.168.1.1 eq 2065 (35 matches)
    permit       tcp host 192.168.5.5 host 192.168.1.1 eq 2067
    deny         tcp any any eq 2065 (4 matches)
    deny         tcp any any eq 2067 (1 match)

ios-switch#

In the above example, the hardware-forwarded traffic matching access list infrastructure-acl-policy on interface Vlan 100 comprised 43 permitted packets to host 192.168.1.1 (8 on the 192.168.3.3 entry and 35 on the 192.168.5.5 entry) and 5 dropped packets on TCP/2065 and TCP/2067 (4 and 1 respectively). The show tcam interface vlan <vlan-id> acl <in/out> ip detail command can optionally be used to display more detailed information.

Cisco IOS Security Features

Caution: The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Mitigation

Control Plane Policing (CoPP)

Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the Control Plane Policing (CoPP) feature. CoPP can be configured on a device to protect the management and control planes, minimizing the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic sent to the infrastructure device in accordance with existing security policies and configurations. The following example can be adapted to your network. It assumes that DLSw packets (TCP/2065 and TCP/2067) sent to the device are to be accepted only from known trusted DLSw peers:


!-- Exempt TCP packets on ports TCP/2065 and TCP/2067 from known trusted
!-- DLSw peers, sent to addresses configured on interfaces of the affected
!-- device (management, loopback, access links and network/user segments).
!-- In an ACL referenced by a CoPP class-map, "deny" means "do not match",
!-- so this traffic is not policed by the CoPP feature.


ip access-list extended infrastructure-acl-policy
  deny tcp host 192.168.2.2 host 192.168.1.1 eq 2065
  deny tcp host 192.168.2.2 host 192.168.1.1 eq 2067
  deny tcp host 192.168.3.3 host 192.168.1.1 eq 2065
  deny tcp host 192.168.3.3 host 192.168.1.1 eq 2067
  deny tcp host 192.168.4.4 host 192.168.1.1 eq 2065
  deny tcp host 192.168.4.4 host 192.168.1.1 eq 2067
  deny tcp host 192.168.5.5 host 192.168.1.1 eq 2065
  deny tcp host 192.168.5.5 host 192.168.1.1 eq 2067


!-- Permit all other TCP traffic sent to addresses configured on interfaces
!-- of the affected device for ports TCP/2065 and TCP/2067 so that it will
!-- be policed by the CoPP feature.


  permit tcp any any eq 2065
  permit tcp any any eq 2067


!-- Permit/Deny all other Layer3 and Layer4 traffic in accordance
!-- with existing security policies and configurations for traffic
!-- that is authorized to be sent to infrastructure devices.

!

!-- Create a Class-Map that will be configured under a Policy-Map for traffic to be
!-- policed by the CoPP feature.


class-map match-all control-plane-class
  match access-group name infrastructure-acl-policy


!-- Create a Policy-Map that will be applied to the Control-Plane of the device for
!-- traffic to be policed by the CoPP feature.


policy-map drop-unauthorized-infra-traffic
  class control-plane-class
    drop


!-- Apply the Policy-Map to the Control-Plane of the device for traffic sent to
!-- the management and control planes to be policed.


control-plane
  service-policy input drop-unauthorized-infra-traffic
!

Please note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS software releases, the policy-map syntax is different:

policy-map drop-unauthorized-infra-traffic
  class control-plane-class
    police cir 32000 bc 1500 be 1500 conform-action drop exceed-action drop violate-action drop

Note: In the above CoPP examples, the access control list entries (ACEs) which match the potential exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action are not affected by the policy-map drop function. The 12.0S, 12.2S, and 12.2SX Cisco IOS software releases use the "police" keyword to drop packets that exceed a configured threshold.

Identification

Cisco IOS Router

With Control Plane Policing (CoPP), once the policy-map is applied to the control-plane, the show policy-map control-plane and show access-lists commands can be used to identify the number of packets that have been sent to the management and control planes and dropped by the CoPP policy. Packets dropped by CoPP should be investigated to determine if they are attempts to exploit this vulnerability or to verify if they are legitimate packets.

Example output for show policy-map control-plane and show access-list infrastructure-acl-policy:

ios-router#show policy-map control-plane
 Control Plane 

  Service-policy input: drop-unauthorized-infra-traffic

    Class-map: control-plane-class (match-all)
      165 packets, 9984 bytes
      5 minute offered rate 2000 bps, drop rate 2000 bps
      Match: access-group name infrastructure-acl-policy
      drop

    Class-map: class-default (match-any)
      1063 packets, 69960 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
ios-router#
ios-router#show access-list infrastructure-acl-policy
Extended IP access list infrastructure-acl-policy
    10 deny tcp host 192.168.2.2 host 192.168.1.1 eq 2065
    20 deny tcp host 192.168.2.2 host 192.168.1.1 eq 2067
    30 deny tcp host 192.168.3.3 host 192.168.1.1 eq 2065
    40 deny tcp host 192.168.3.3 host 192.168.1.1 eq 2067
    50 deny tcp host 192.168.4.4 host 192.168.1.1 eq 2065
    60 deny tcp host 192.168.4.4 host 192.168.1.1 eq 2067
    70 deny tcp host 192.168.5.5 host 192.168.1.1 eq 2065
    80 deny tcp host 192.168.5.5 host 192.168.1.1 eq 2067
    90 permit tcp any any eq 2065 (111 matches)
    100 permit tcp any any eq 2067 (54 matches)
    --             ACL Policy Truncated             --
    --  Permit or Deny all other Layer3 and Layer4  --
    -- traffic in accordance with existing security --
    -- policies and configurations.                 --
ios-router#

In the above example, the CoPP policy dropped a total of 165 packets that were matched by access control list (ACL) infrastructure-acl-policy (111 on TCP/2065 and 54 on TCP/2067). Because the trusted peers are excluded from the class by the deny entries, every packet counted here came from a source that is not a configured DLSw peer.

Cisco IOS Switch

With Control Plane Policing (CoPP), once the policy-map is applied to the control-plane, the show policy-map control-plane and show access-lists commands can be used to identify the number of packets that have been sent to the management and control planes and dropped by the CoPP policy. Packets dropped by CoPP should be investigated to determine if they are attempts to exploit this vulnerability or to verify if they are legitimate packets.

Example output for show policy-map control-plane and show access-list infrastructure-acl-policy:

ios-switch#show policy-map control-plane
 Control Plane Interface 

  Service-policy input: drop-unauthorized-infra-traffic

  Hardware Counters: 

    class-map: control-plane-class (match-all)
      Match: access-group name infrastructure-acl-policy
      police :
        32000 bps 1000 limit 1000 extended limit

  Software Counters: 

    Class-map: control-plane-class (match-all)
      157 packets, 10604 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name infrastructure-acl-policy
      police:
          cir 32000 bps, bc 1500 bytes, be 1500 bytes
        conformed 56 packets, 4182 bytes; action: drop
        exceeded 0 packets, 0 bytes; action: drop
        violated 0 packets, 0 bytes; action: drop
        conformed 0 bps, exceed 0 bps, violate 0 bps
          
    Class-map: class-default (match-any)
      117 packets, 11088 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 
ios-switch#
ios-switch#show access-list infrastructure-acl-policy
Extended IP access list infrastructure-acl-policy
    10 deny tcp host 192.168.2.2 host 192.168.1.1 eq 2065
    20 deny tcp host 192.168.2.2 host 192.168.1.1 eq 2067
    30 deny tcp host 192.168.3.3 host 192.168.1.1 eq 2065
    40 deny tcp host 192.168.3.3 host 192.168.1.1 eq 2067
    50 deny tcp host 192.168.4.4 host 192.168.1.1 eq 2065
    60 deny tcp host 192.168.4.4 host 192.168.1.1 eq 2067
    70 deny tcp host 192.168.5.5 host 192.168.1.1 eq 2065
    80 deny tcp host 192.168.5.5 host 192.168.1.1 eq 2067
    90 permit tcp any any eq 2065 (43 matches)
    100 permit tcp any any eq 2067 (13 matches)
    --             ACL Policy Truncated             --
    --  Permit or Deny all other Layer3 and Layer4  --
    -- traffic in accordance with existing security --
    -- policies and configurations.                 --
ios-switch#

In the above example, the CoPP policy dropped a total of 56 packets that were matched by access control list (ACL) infrastructure-acl-policy (43 on TCP/2065 and 13 on TCP/2067). The software counters report these as conformed packets with action drop; since the conform, exceed and violate actions are all drop, the three counters should be added together to obtain the total number of packets discarded by the policy.

NetFlow

NetFlow can be configured on Cisco IOS routers and switches to determine whether attempts to exploit this vulnerability are in progress. Flows destined to the DLSw-enabled device on TCP/2065 or TCP/2067 from addresses that are not configured DLSw peers should be investigated to determine whether they are exploitation attempts or legitimate packets.
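The bulletin states that NetFlow can be configured for identification but does not show how to enable it. The following is an added example, not configuration taken from this bulletin; the interface names match the bulletin's router example, and the collector address 192.168.100.50 and port 2055 are hypothetical.

```cisco
!-- Enable NetFlow accounting on every interface that can carry traffic
!-- toward the DLSw-enabled device. ip flow ingress is the interface-level
!-- command on releases that support it; older releases use
!-- ip route-cache flow instead.

interface GigabitEthernet0/0
 ip flow ingress
!
interface GigabitEthernet0/1
 ip flow ingress
!

!-- Optional: export flow records to a collector (address and port are
!-- hypothetical) so that DLSw flows can be searched centrally after they
!-- have aged out of the device's own cache.

ip flow-export version 5
ip flow-export destination 192.168.100.50 2055
!

!-- Verification (privileged EXEC): show ip cache flow lists active flows;
!-- DLSw flows show DstP 0811 (TCP/2065) or 0813 (TCP/2067).

show ip cache flow | include SrcIf|0811|0813
```

Once flow accounting is enabled, the show ip cache flow output in the following section can be filtered on destination ports 0811 and 0813 (hexadecimal for 2065 and 2067) and compared against the list of configured DLSw peers. Exporting to a collector matters for this use case because inactive flows leave the device cache after a short timeout (15 seconds in the example output below), so an exploit attempt that consisted of a single short connection may no longer be visible on the device by the time it is investigated.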

Identification

ios-router#show ip cache flow
IP packet size distribution (587929 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .530 .089 .001 .030 .040 .005 .027 .000 .000 .026 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .028 .000 .217 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  3 active, 65533 inactive, 48473 added
  585328 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 402056 bytes
  0 active, 16384 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet         127      0.0      1406    40      0.7      20.6      13.5
TCP-FTP             18      0.0         7    60      0.0       4.8       8.5
TCP-WWW            400      0.0         7   606      0.0       0.8       3.9
TCP-BGP              1      0.0         1    40      0.0       0.0      15.0
TCP-other        16357      0.0        21   547      1.5       0.9       2.0
UDP-DNS             32      0.0         4    71      0.0       2.9      15.4
UDP-NTP          15796      0.0         1    76      0.0       0.0      15.4
UDP-other        15249      0.0         2   163      0.1       0.6      15.4
ICMP               490      0.0         2    59      0.0      13.5      15.4
Total:           48470      0.2        12   359      2.4       0.7      10.8

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/8         192.168.8.8     Local         192.168.1.1     06 900D 0811    85
Gi0/1         192.168.208.63  Gi0/0         192.168.208.20  06 2A76 0050   111
Gi0/9         192.168.9.9     Local         192.168.1.1     06 900D 0813     2
Gi0/1         192.168.1.21    Gi0/0         192.168.255.21  06 1A9C 0015    21
Gi0/7         192.168.7.7     Local         192.168.1.1     06 900D 0811    73
Gi0/1         10.10.11.22     Gi0/0         192.168.1.11    06 0016 1280     5
Gi0/6         192.168.6.6     Local         192.168.1.1     06 900D 0813    39
Gi0/0         192.168.255.10  Gi0/1         192.168.1.79    11 0035 A8FC    22
Gi0/6         192.168.6.6     Local         192.168.1.1     06 900D 0811   150
Gi0/0         10.10.10.22     Gi0/1         192.168.1.10    06 0016 9A32    57
Gi0/0         192.168.255.10  Gi0/1         192.168.1.44    11 0035 A8EB    68
ios-router#

In the above example, there are several flows on TCP/2065 (Hex value 0811) and TCP/2067 (Hex value 0813) from non-trusted IP addresses destined to the affected DLSw enabled device (192.168.1.1). This may indicate an attempt to exploit this vulnerability and should be compared to baseline utilization for traffic sent to the DLSw enabled device on ports TCP/2065 and TCP/2067.

To only view DLSw flows (TCP/2065 - Hex 0811 or TCP/2067 - Hex 0813), the command show ip cache flow | include SrcIf|0811|0813 may be used as shown here:

ios-router#show ip cache flow | include SrcIf|0811|0813
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/8         192.168.8.8     Local         192.168.1.1     06 900D 0811    85
Gi0/9         192.168.9.9     Local         192.168.1.1     06 900D 0813     2
Gi0/7         192.168.7.7     Local         192.168.1.1     06 900D 0811    73
Gi0/6         192.168.6.6     Local         192.168.1.1     06 900D 0813    39
Gi0/6         192.168.6.6     Local         192.168.1.1     06 900D 0811   150
ios-router#

Cisco ASA, PIX, and FWSM Firewalls

Caution: The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Mitigation

ASA and PIX 7.x - Transit Access Control Lists (tACL)

The following access control list (ACL) policy permits packets sent to the affected device on TCP/2065 and TCP/2067 only from known trusted DLSw peers, and all other traffic only from known trusted source networks (i.e., management networks, security operations center, network operations center). The added access control entries (ACEs) should be implemented as part of a Transit Access Control List (tACL) policy, which filters transit and edge traffic at network ingress points in accordance with existing security policies and configurations.

Additional information about tACLs is available at Transit Access Control Lists: Filtering at Your Edge.


!-- Permit traffic to affected device on TCP/2065 and TCP/2067 for DLSw peering
!-- from known trusted host(s).

access-list transit-policy remark -- Permit TCP/2065 and TCP/2067 from trusted hosts for DLSw peering --
access-list transit-policy permit tcp host 192.168.2.2 host 192.168.1.1 eq 2065
access-list transit-policy permit tcp host 192.168.2.2 host 192.168.1.1 eq 2067
access-list transit-policy permit tcp host 192.168.3.3 host 192.168.1.1 eq 2065
access-list transit-policy permit tcp host 192.168.3.3 host 192.168.1.1 eq 2067
access-list transit-policy permit tcp host 192.168.4.4 host 192.168.1.1 eq 2065
access-list transit-policy permit tcp host 192.168.4.4 host 192.168.1.1 eq 2067
access-list transit-policy permit tcp host 192.168.5.5 host 192.168.1.1 eq 2065
access-list transit-policy permit tcp host 192.168.5.5 host 192.168.1.1 eq 2067
access-list transit-policy deny tcp any any eq 2065
access-list transit-policy deny tcp any any eq 2067


!-- Permit/Deny all other Layer3 and Layer4 traffic in accordance
!-- with existing security policies and configurations.

!

!-- Apply tACL to outside interface in the inbound direction.


access-group transit-policy in interface outside
!

FWSM - Transit Access Control Lists (tACL)

The following access control list (ACL) policy permits packets sent to the affected device on TCP/2065 and TCP/2067 only from known trusted DLSw peers, and all other traffic only from known trusted source networks (i.e., management networks, security operations center, network operations center). The added access control entries (ACEs) should be implemented as part of a Transit Access Control List (tACL) policy, which filters transit and edge traffic at network ingress points in accordance with existing security policies and configurations.

Additional information about tACLs is available at Transit Access Control Lists: Filtering at Your Edge.


!-- Permit traffic to affected device on TCP/2065 and TCP/2067 for DLSw peering
!-- from known trusted host(s).


access-list transit-policy remark -- Permit TCP/2065 and TCP/2067 from trusted hosts for DLSw peering --
access-list transit-policy permit tcp host 192.168.2.2 host 192.168.1.1 eq 2065
access-list transit-policy permit tcp host 192.168.2.2 host 192.168.1.1 eq 2067
access-list transit-policy permit tcp host 192.168.3.3 host 192.168.1.1 eq 2065
access-list transit-policy permit tcp host 192.168.3.3 host 192.168.1.1 eq 2067
access-list transit-policy permit tcp host 192.168.4.4 host 192.168.1.1 eq 2065
access-list transit-policy permit tcp host 192.168.4.4 host 192.168.1.1 eq 2067
access-list transit-policy permit tcp host 192.168.5.5 host 192.168.1.1 eq 2065
access-list transit-policy permit tcp host 192.168.5.5 host 192.168.1.1 eq 2067
access-list transit-policy deny tcp any any eq 2065
access-list transit-policy deny tcp any any eq 2067


!-- Permit/Deny all other Layer3 and Layer4 traffic in accordance
!-- with existing security policies and configurations.

!

!-- Apply tACL to outside interface in the inbound direction.


access-group transit-policy in interface outside
!

Identification

ASA and PIX 7.x - Transit Access Control Lists (tACL)

cisco-asa#show access-list transit-policy
access-list transit-policy line 7 remark -- Permit TCP/2065 and TCP/2067 from trusted hosts for DLSw peering --
access-list transit-policy line 8 extended permit tcp host 192.168.2.2 host 192.168.1.1 eq 2065 (hitcnt=8)
access-list transit-policy line 9 extended permit tcp host 192.168.2.2 host 192.168.1.1 eq 2067 (hitcnt=0)
access-list transit-policy line 10 extended permit tcp host 192.168.3.3 host 192.168.1.1 eq 2065 (hitcnt=71)
access-list transit-policy line 11 extended permit tcp host 192.168.3.3 host 192.168.1.1 eq 2067 (hitcnt=0)
access-list transit-policy line 12 extended permit tcp host 192.168.4.4 host 192.168.1.1 eq 2065 (hitcnt=0)
access-list transit-policy line 13 extended permit tcp host 192.168.4.4 host 192.168.1.1 eq 2067 (hitcnt=0)
access-list transit-policy line 14 extended permit tcp host 192.168.5.5 host 192.168.1.1 eq 2065 (hitcnt=39)
access-list transit-policy line 15 extended permit tcp host 192.168.5.5 host 192.168.1.1 eq 2067 (hitcnt=0)
access-list transit-policy line 16 extended deny tcp any any eq 2065 (hitcnt=78)
access-list transit-policy line 17 extended deny tcp any any eq 2067 (hitcnt=19)
--             ACL Policy Truncated             --
--  Permit or Deny all other Layer3 and Layer4  --
-- traffic in accordance with existing security --
-- policies and configurations.                 --
cisco-asa#

In the above example, a total of 97 TCP packets sent to ports TCP/2065 and TCP/2067 (78 and 19 respectively) were received from a host or network that is not a trusted DLSw peer and were denied. In addition, the following syslog message is logged for attempts that are denied by access list transit-policy:

Jan 08 2007 10:39:38: %ASA-4-106023: Deny tcp src outside:192.168.66.6/39174
  dst inside:192.168.1.1/2065 by access-group "transit-policy"

Additional information about SYSLOG messages is available at Cisco Security Appliance System Log Messages - 106023.

FWSM - Transit Access Control Lists (tACL)

cisco-fwsm#show access-list transit-policy
access-list transit-policy line 7 remark -- Permit TCP/2065 and TCP/2067 from trusted hosts for DLSw peering --
access-list transit-policy line 8 extended permit tcp host 192.168.2.2 host 192.168.1.1 eq 2065 (hitcnt=0)
access-list transit-policy line 9 extended permit tcp host 192.168.2.2 host 192.168.1.1 eq 2067 (hitcnt=1)
access-list transit-policy line 10 extended permit tcp host 192.168.3.3 host 192.168.1.1 eq 2065 (hitcnt=39)
access-list transit-policy line 11 extended permit tcp host 192.168.3.3 host 192.168.1.1 eq 2067 (hitcnt=8)
access-list transit-policy line 12 extended permit tcp host 192.168.4.4 host 192.168.1.1 eq 2065 (hitcnt=53)
access-list transit-policy line 13 extended permit tcp host 192.168.4.4 host 192.168.1.1 eq 2067 (hitcnt=19)
access-list transit-policy line 14 extended permit tcp host 192.168.5.5 host 192.168.1.1 eq 2065 (hitcnt=72)
access-list transit-policy line 15 extended permit tcp host 192.168.5.5 host 192.168.1.1 eq 2067 (hitcnt=0)
access-list transit-policy line 16 extended deny tcp any any eq 2065 (hitcnt=107)
access-list transit-policy line 17 extended deny tcp any any eq 2067 (hitcnt=32)
--             ACL Policy Truncated             --
--  Permit or Deny all other Layer3 and Layer4  --
-- traffic in accordance with existing security --
-- policies and configurations.                 --
cisco-fwsm#

In the above example, a total of 139 TCP packets sent to ports TCP/2065 and TCP/2067 (107 and 32 respectively) were received from a host or network that is not a trusted DLSw peer and were denied. In addition, the following syslog message is logged for attempts that are denied by access list transit-policy:

Jan 08 2007 09:45:12: %FWSM-4-106023: Deny tcp src outside:192.168.66.6/39108
  dst inside:192.168.1.1/2065 by access-group "transit-policy"

Additional information about SYSLOG messages is available at Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Logging Configuration and System Log Message 106023.

Additional Information

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Revision History

Revision 1.0

2007-January-10

Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

Related Information

