Securing Device Management Protocols
Management sessions to network devices provide the ability to view and collect information about a device and its operations. If this information is disclosed to a malicious user, the device can become the target of an attack, be compromised, and be used to perform additional attacks. Anyone with privileged access to a device has full administrative control of that device. It is imperative to secure management sessions in order to prevent information disclosure and unauthorized access.
For each of the targeted protocols, Cisco advocates that customers follow best practices in the securing and hardening of their network devices. Specific best practice recommendations for each of the targeted protocols listed in the joint technical alert are provided here.
Telnet & HTTP
Because information can be disclosed in an interactive management session, this traffic must be encrypted so that a malicious user cannot gain access to the data that is transmitted. Traffic encryption allows a secure remote access connection to the device. If the traffic for a management session is sent over the network in clear text (for example, using Telnet on TCP port 23 or HTTP on TCP port 80), an attacker can obtain sensitive information about the device and the network.
Recommendations: Use Encrypted Protocols for Interactive Management
Utilize Secure Shell (SSH) using SSHv2 as described in the Secure Interactive Management Sessions section of the Cisco Guide to Harden Cisco IOS Devices.
Utilize a secure HTTP server as described in the Encrypt Management Sessions section of the Cisco Guide to Harden Cisco IOS Devices.
Simple Network Management Protocol (SNMP)
It is critical that SNMP (on UDP ports 161 and 162) be properly secured in order to protect the confidentiality, integrity, and availability of both the network data and the network devices through which this data transits. SNMP provides information on the health of network devices. This information should be protected from malicious users who want to leverage this data in order to perform attacks against the network.
Recommendation: Secure SNMP
Secure SNMP as described in the Fortify Simple Network Management Protocol section of the Cisco Guide to Harden Cisco IOS Devices.
Cisco Smart Install (SMI port 4786)
Cisco Smart Install is a legacy feature that provides zero-touch deployment for new switches, typically access layer switches, and incorporates no authentication by design. Newer technology, such as the Cisco Network Plug and Play feature, is highly recommended for more secure setup of new switches. If not properly disabled or secured following setup, Smart Install could allow for the exfiltration and modification of configuration files, among other things, even without the presence of a vulnerability.
Recommendations: Disable/Minimize Exposure of Smart Install
Our recommendation for customers not actually using Smart Install is to disable the feature using the no vstack command once setup is complete. Customers who do use the feature—and need to leave it enabled—can use access control lists (ACLs) to block incoming traffic on TCP port 4786; in that case the ACL is the appropriate security control. Additionally, patches for known security vulnerabilities should be applied as part of standard network security management. More information on the use of Smart Install and how to determine and limit the exposure of this feature can be found in the Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature security advisory.
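The Telnet/HTTP, SNMP, and Smart Install recommendations above can be checked against a device's running configuration. The following audit script is an added example, not Cisco's code or part of this advisory; the two IOS configuration fragments it inspects are constructed for illustration, and the check for Smart Install assumes a switch on which the feature is enabled by default, so that only an explicit no vstack line shows it is off.

```python
import re

# Constructed sample running-config (not captured from a real device) showing
# each management-plane weakness the advisory lists.
WEAK_CONFIG = """\
ip http server
no ip http secure-server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
"""

# The same device after applying the advisory's recommendations.
HARDENED_CONFIG = """\
no ip http server
ip http secure-server
snmp-server group NETMGMT v3 priv
no vstack
line vty 0 4
 transport input ssh
"""

def audit_ios_config(config: str) -> list:
    """Return one finding per issue: Telnet/HTTP, SNMP v1/v2c, Smart Install."""
    lines = [line.rstrip() for line in config.splitlines()]
    findings = []
    # Telnet: any vty 'transport input' list that admits telnet or all protocols.
    for line in lines:
        m = re.match(r"\s*transport input (.+)", line)
        if m and set(m.group(1).split()) & {"telnet", "all"}:
            findings.append("vty permits Telnet (TCP 23); use 'transport input ssh'")
            break
    # HTTP: plain server enabled, or the HTTPS server explicitly turned off.
    if "ip http server" in lines:
        findings.append("clear-text HTTP server enabled (TCP 80); use 'no ip http server'")
    if "no ip http secure-server" in lines:
        findings.append("HTTPS server disabled; enable 'ip http secure-server' if web management is needed")
    # SNMP: a community string means v1/v2c; access defaults to RO when omitted.
    for line in lines:
        m = re.match(r"snmp-server community \S+(?: view \S+)?(?: (RO|RW))?", line)
        if m:
            findings.append(f"SNMP v1/v2c community with {m.group(1) or 'RO'} access; migrate to SNMPv3 priv")
    # Smart Install is on by default on supporting switches (assumption); only 'no vstack' proves it is off.
    if "no vstack" not in lines:
        findings.append("Smart Install not disabled ('no vstack' absent); disable it or filter TCP 4786")
    return findings
```

Running audit_ios_config over WEAK_CONFIG yields six findings (Telnet, HTTP, HTTPS off, two SNMP communities, Smart Install), while HARDENED_CONFIG yields none.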
Warning (Login) Banners
From a security (rather than legal) point of view, a login banner should not contain any specific information about the router name, model, software, or ownership. Malicious users can abuse this information.
Recommendation: Minimize Device Information in Login Banner
Follow the guidelines on warning banners as described in the Warning Banners section of the Cisco Guide to Harden Cisco IOS Devices.
Customers who suspect their devices may have been exploited by the attacks described in US-CERT Alert TA18-106A should contact their support team (Advanced Services, TAC, etc.) and provide additional details as requested by Cisco.
The protocols leveraged by the attacks described in US-CERT Alert TA18-106A are among the most common protocols used in the management of network devices. Unfortunately, many of these protocols, if not secured according to best practices, provide attackers with information about the devices that can be leveraged for nefarious purposes. It is highly recommended that customers follow the best practices contained in this document to mitigate the effects of the attacks referenced in US-CERT Alert TA18-106A.
Cisco Best Practices
Related Cisco Security Advisories