Acknowledgements… · CDAC-R09R06-C01-R-2#show clock 8. Banner Message Warning message should be...

Posted on 12-Oct-2020

Acknowledgements

HRD Division

Department of Electronics and Information Technology

Ministry of Communications and Information Technology

Government of India


ROUTER AUDITING


TABLE OF CONTENTS:

SL.NO. POLICIES

1. LATEST STABLE SOFTWARE VERSION SHALL BE SELECTED.

2. HOSTNAME SHALL NOT REVEAL MAKE / MODEL OF THE DEVICE.

3. EACH USER SHALL BE ALLOCATED A SEPARATE LOGIN ACCOUNT.

4. SEPARATE LOGIN ACCOUNT SHALL BE USED FOR OPERATING AT DIFFERENT PRIVILEGE LEVELS AND NETWORK SECURITY DEVICES SHOULD HAVE AT LEAST TWO ADMINISTRATORS.

5. PASSWORD SHALL BE MANAGED AS PER THE PASSWORD MANAGEMENT GUIDELINES AND ALSO PASSWORD SHALL BE STORED IN ENCRYPTED FORM.

6. NETWORK TIME PROTOCOL (NTP) SHALL BE CONFIGURED ON THE DEVICES. (REFER: TIME SYNCHRONIZATION GUIDELINES)

7. FOR CHECKING THE TIME SETTINGS IN ROUTER.

8. BANNER MESSAGE WARNING MESSAGE SHOULD BE DISPLAYED BEFORE LOGIN AS A CAUTION

9. PROTOCOLS / SERVICES USING ENCRYPTED CHANNEL (SUCH AS, SSH, SSL, IPSEC, RDP) SHALL BE USED FOR REMOTE ADMINISTRATION.

10. FOR CHECKING UNUSED NETWORK INTERFACES SHALL BE DISABLED.

11. AUTHENTICATION SHOULD BE USED FOR DYNAMIC ROUTING PROTOCOLS.

12. INGRESS AND EGRESS FILTERING SHALL BE CONFIGURED.

13. UNUSED ADDRESS SPACE SHOULD BE ROUTED TO NULL INTERFACE.

14. ANTI-SPOOFING SHOULD BE CONFIGURED ON ALL INTERFACES

15. BACK UP OF THE DEVICE.

16. LOG MAINTENANCE

17. FOR CHECKING CONSOLE AND OTHER DIRECT ACCESS PORT CONNECTIONS OF THE ROUTER.

18. FOR CHECKING WHAT ARE THE VARIOUS NETWORKS ALLOWED IN ROUTER.

19. FOR CHECKING THE ROUTER NETWORK TRAFFIC FLOW AND LOOPBACK INTERFACE.

20. FOR CHECKING THE ROUTER TIMEOUT OPTION.

21. FOR CHECKING FOR ANY VIRTUAL TERMINAL UNIT I.E. VTY’S ENABLED ON DEVICE.

22. FOR CHECKING THE ROUTER REMOTE ADMINISTRATION ACCESS PROCESS.

23. FOR CHECKING ACL WRITTEN WITH RESPECT TO ACCESS TO VTY OR REMOTE ADMINISTRATION MECHANISM FOR ROUTER


24. FOR CHECKING ANY PRIVILEGED EXEC MODE IN ROUTER SETTINGS

25. FOR CHECKING WHETHER THE ROUTER IS CONFIGURED WITH LOCAL OR AAA AUTHENTICATION.

26. FOR CHECKING THE STATIC AND DYNAMIC ROUTING

27. FOR CHECKING RADIUS & TACACS+ METHODS IN ROUTER


1. Latest stable software version shall be selected.

Compare the version reported by the command below with the vendor's current recommended release and its published security advisories; a release that is merely running is not evidence that it is current.

CDAC-R09R06-C01-R-2#show version

2. Hostname shall not reveal make / model of the device.

CDAC-R09R06-C01-R-2#show run | i hostname

3. Each user shall be allocated a separate login account.

CDAC-R09R06-C01-R-2#show user all

CDAC-R09R06-C01-R-2#show users

Note: Authentication is centralised on the TACACS+ server, so the commands above show only the active sessions and the local fallback accounts on the router. The complete list of authenticated users can be viewed only by logging in to the TACACS+ server, where the auditor should also confirm that no shared or group accounts exist.

4. Separate login accounts shall be used for operating at different privilege levels, and network security devices should have at least two administrators.

CDAC-R09R06-C01-R-2#show run | b user

Note: As in item 3, the authenticated users and administrators, together with their privilege levels, are held on the TACACS+ server and can be reviewed only by logging in there. The router configuration shows only the local accounts and the groups assigned to them.

5. Passwords shall be managed as per the Password Management Guidelines, and passwords shall be stored in encrypted form.

CDAC-R09R06-C01-R-2#show run | i password

Note: For accounts held on the TACACS+ server, password management (and the privilege levels assigned) is verified on that server. For any local accounts, the output above must contain no clear-text entries. A Cisco "password 7" string is reversible obfuscation, not encryption, so only one-way hashed "secret" entries satisfy this policy.

6. Network Time Protocol (NTP) shall be configured on the devices (refer to the Time Synchronization Guidelines in the Cyber Security Policies for NICNET Information Infrastructure).

CDAC-R09R06-C01-R-2#show ntp status

CDAC-R09R06-C01-R-2#show ntp associations

The status output should report the clock as synchronised, and the associations should list only the organisation's approved time sources.

7. For checking the time settings in router.

CDAC-R09R06-C01-R-2#show clock

8. Banner message: a warning message should be displayed before login as a caution.

A sample banner message follows:

--------------------- W A R N I N G ----------------------
Unauthorized access is prohibited. Disconnect IMMEDIATELY if you are not an authorized user!!!
All activities are being monitored. Any unauthorized access may subject the user to disciplinary / legal action.

CDAC-R09R06-C01-R-2#show run | b banner

9. Protocols / services using an encrypted channel (such as SSH, SSL, IPSec, RDP) shall be used for remote administration.

CDAC-R09R06-C01-R-2#show run | i line

Check that the transport permitted on the VTY lines is SSH only; any line that still accepts Telnet is a finding.
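Items 2, 5, 6, 8 and 9 can all be verified offline against a saved copy of the running configuration, which is useful when many routers are audited. The script below is an added example written for this edition of the checklist; it is not part of the C-DAC document and not a Cisco tool. The configuration text is constructed in Cisco IOS XR style (the hostname, user names, hashes and addresses are invented), and the list of vendor/model tokens is an assumption to be extended from the site's own inventory.

```python
import re

# Constructed `show running-config` excerpt in Cisco IOS XR style. It is NOT
# from the audited router and deliberately mixes compliant and non-compliant
# settings so that each check below has something to report.
SAMPLE_CONFIG = """\
hostname CISCO-ASR9010-CORE
banner login $
 W A R N I N G: Unauthorized access is prohibited.
$
username audit
 group read-only-tr
 secret 5 $1$abcd$Vd3lY0sT1k2eXqzC9f9S1.
!
username netops
 group root-lr
 password 7 094F471A1A0A
!
username backup-admin
 group root-lr
 password 0 Welcome123
!
ntp
 server 10.10.0.5
!
line default
 exec-timeout 10 0
 transport input ssh telnet
!
"""

# Substrings that leak make or model (policy 2). Assumed list: extend it
# from the organisation's own hardware inventory.
MODEL_TOKENS = ("cisco", "asr", "isr", "nexus", "catalyst", "juniper", "mx", "srx", "huawei")


def audit_management_plane(config: str) -> list[str]:
    """Apply policies 2, 5, 6, 8 and 9 to a running-config; return findings.

    An empty list means every check in this function passed.
    """
    findings: list[str] = []

    # Policy 2: the hostname must not reveal vendor or model.
    m = re.search(r"^hostname (\S+)", config, re.M)
    if m is None:
        findings.append("no hostname configured")
    else:
        host = m.group(1).lower()
        leaked = [t for t in MODEL_TOKENS if re.search(rf"(?<![a-z]){t}(?![a-z])", host)]
        if leaked:
            findings.append(f"hostname {m.group(1)} reveals vendor/model tokens {leaked}")

    # Policy 5: credentials must be stored as one-way hashes. `password 0` (or a
    # bare `password`) is clear text and `password 7` is Cisco's reversible
    # Type 7 obfuscation; only `secret` lines hold a hash.
    for um in re.finditer(r"^username (\S+)\n((?: .*\n)*)", config, re.M):
        user, body = um.group(1), um.group(2)
        if re.search(r"^ secret \d+ ", body, re.M):
            continue
        if re.search(r"^ password 7 ", body, re.M):
            findings.append(f"user {user}: type 7 password is reversible, use 'secret'")
        elif re.search(r"^ password ", body, re.M):
            findings.append(f"user {user}: clear-text password")
        else:
            findings.append(f"user {user}: no credential configured")

    # Policy 6: at least one server or peer under the `ntp` stanza.
    if not re.search(r"^ntp\n(?: .*\n)* (?:server|peer) ", config, re.M):
        findings.append("no NTP server configured")

    # Policy 8: a login banner must exist.
    if not re.search(r"^banner login(?: |$)", config, re.M):
        findings.append("no login banner configured")

    # Policy 9: remote administration over SSH only, on every line template.
    for lm in re.finditer(r"^line (.+)\n((?: .*\n)*)", config, re.M):
        t = re.search(r"^ transport input (.+)$", lm.group(2), re.M)
        if t is None:
            findings.append(f"line {lm.group(1)}: no 'transport input' restriction")
        elif t.group(1).split() != ["ssh"]:
            findings.append(f"line {lm.group(1)}: transport input allows '{t.group(1)}', expected ssh only")
    return findings


if __name__ == "__main__":
    for finding in audit_management_plane(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed sample it reports the leaking hostname, the two local accounts without a hashed secret and the line that still accepts Telnet; the account with a `secret` entry, the banner and the NTP server pass. Feed it the real `show running-config` capture in place of `SAMPLE_CONFIG` to audit a device.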

10. Unused network interfaces shall be disabled.

CDAC-R09R06-C01-R-2#show interfaces description | include Gi

Every interface that is not in use should appear as administratively down (shut down); an enabled interface with no description and no connected service is a finding.

11. Authentication should be used for dynamic routing protocols.

The OSPF authentication procedure below is reproduced from the vendor (Cisco IOS XR) configuration guide.

SUMMARY STEPS

1. configure
2. router ospf process-name
3. router-id {router-id}
4. authentication [message-digest [keychain keychain] | null]
5. message-digest-key key-id md5 {key | clear key | encrypted key}
6. area area-id
7. interface type instance
8. Repeat Step 7 for each interface that must communicate, using the same authentication.
9. exit
10. area area-id
11. authentication [message-digest [keychain keychain] | null]
12. interface type instance
13. Repeat Step 12 for each interface that must communicate, using the same authentication.
14. interface type instance
15. authentication [message-digest [keychain keychain] | null]
16. end or commit

DETAILED STEPS:

Command Purpose

Step 1 configure Example: RP/0/RSP0/CPU0:router# configure

Enters global configuration mode.

Step 2 router ospf process-name Example: RP/0/RSP0/CPU0:router(config)# router ospf 1

Enables OSPF routing for the specified routing process and places the router in router configuration mode.


Note The process-name argument is any alphanumeric string no longer than 40 characters.

Step 3

router-id {router-id} Example: RP/0/RSP0/CPU0:router(config-ospf)# router-id 192.168.4.3

Configures a router ID for the OSPF process.

Step 4

authentication [message-digest[keychain keychain] | null] Example: RP/0/RSP0/CPU0:router(config-ospf)# authentication message-digest

Enables MD5 authentication for the OSPF process. This authentication type applies to the entire router process unless overridden by a lower hierarchical level such as the area or interface.

Step 5

message-digest-key key-id md5 {key |clear key | encrypted key} Example: RP/0/RSP0/CPU0:router(config-ospf)# message-digest-key 4 md5 yourkey

Specifies the MD5 authentication key for the OSPF process. The neighbor routers must have the same key identifier.

Step 6 area area-id Example: RP/0/RSP0/CPU0:router(config-ospf)# area 0

Enters area configuration mode and configures a backbone area for the OSPF process.

Step 7

interface type instance Example: RP/0/RSP0/CPU0:router(config-ospf-ar)# interface GigabitEthernet 0/1/0/3

Enters interface configuration mode and associates one or more interfaces to the backbone area. All interfaces inherit the authentication parameter values specified for the OSPF process (Step 4, Step 5, and Step 6).

Step 8 Repeat Step 7 for each interface that must communicate, using the same authentication.

Step 9 exit Example: RP/0/RSP0/CPU0:router(config-ospf-ar)# exit

Enters area OSPF configuration mode.

Step 10

area area-id Example: RP/0/RSP0/CPU0:router(config-ospf)# area 1

Enters area configuration mode and configures a nonbackbone area 1 for the OSPF process. The area-id argument can be entered in dotted-decimal or IPv4 address notation, such as area 1000 or


area 0.0.3.232. However, you must choose one form or the other for an area. We recommend using the IPv4 address notation.

Step 11

authentication [message-digest[keychain keychain] | null] Example: RP/0/RSP0/CPU0:router(config-ospf-ar)# authentication

Enables Type 1 (plain text) authentication that provides no security. The example specifies plain text authentication (by not specifying a keyword). Use the authentication-keycommand in interface configuration mode to specify the plain text password.

Step 12

interface type instance Example: RP/0/RSP0/CPU0:router(config-ospf-ar)# interface GigabitEthernet 0/1/0/0

Enters interface configuration mode and associates one or more interfaces to the nonbackbone area 1 specified in Step 10. All interfaces configured inherit the authentication parameter values configured for area 1.

Step 13 Repeat Step 12 for each interface that must communicate using the same authentication.

Step 14

interface type instance Example: RP/0/RSP0/CPU0:router(config-ospf-ar)# interface GigabitEthernet 0/3/0/0

Enters interface configuration mode and associates one or more interfaces to a different authentication type.

Step 15

authentication [message-digest[keychain keychain] | null] Example: RP/0/RSP0/CPU0:router(config-ospf-ar-if)# authentication null

Specifies no authentication on GigabitEthernet interface 0/3/0/0, overriding the plain text authentication specified for area 1. By default, all of the interfaces configured in the same area inherit the same authentication parameter values of the area.

Step 16

end or commit Example: RP/0/RSP0/CPU0:router(config-ospf-ar-if)# end or RP/0/RSP0/CPU0:router(config-ospf-ar-if)# commit

Saves configuration changes. When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes. Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

CDAC-R09R06-C01-R-2#show run | b router ospf

Note: the vendor procedure above illustrates syntax, not a compliant target. Step 11 configures clear-text (Type 1) authentication and Step 15 switches authentication off for one interface; both violate this policy. When reviewing the output, resolve the effective mode for every OSPF interface (the process-level setting, overridden by the area, overridden by the interface) and treat a bare "authentication" without "message-digest", "authentication null", or no authentication statement at any level as a finding. MD5 is the minimum acceptable; prefer keychain-based authentication so that keys can be rotated. The same review applies to BGP and any other dynamic routing protocol in use.
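Because OSPF authentication in IOS XR is inherited through three levels (process, area, interface, as Steps 4, 11 and 15 show), reading the effective mode off a long `router ospf` stanza by eye is error-prone. The function below resolves it mechanically. It is an added example for this edition, not part of the C-DAC checklist or a Cisco tool; the `router ospf` stanza is constructed to mirror the shape of the procedure above (router ID, interface names and key material are invented), and it assumes the running-config layout of one leading space per nesting level with statements listed before sub-blocks.

```python
import re

# Constructed `router ospf` stanza in Cisco IOS XR running-config layout; not
# from the audited router. It reproduces the shape of the vendor procedure:
# MD5 at process level, clear-text at area 1, one interface overriding with a
# keychain and one switching authentication off.
SAMPLE_CONFIG = """\
hostname EXAMPLE-R1
router ospf 1
 router-id 192.168.4.3
 authentication message-digest
 message-digest-key 4 md5 encrypted 0A1B2C3D
 area 0
  interface GigabitEthernet0/1/0/3
  !
  interface GigabitEthernet0/1/0/4
   authentication message-digest keychain OSPF-KC
  !
 !
 area 1
  authentication
  authentication-key encrypted 0F1E2D3C
  interface GigabitEthernet0/1/0/0
  !
  interface GigabitEthernet0/3/0/0
   authentication null
  !
 !
!
"""

# Matches `authentication ...` mode statements but not `authentication-key`.
AUTH_STMT = re.compile(r"^authentication(?: |$)")


def classify(stmt: str) -> str:
    """Map one `authentication ...` statement to a mode label."""
    words = stmt.split()
    if len(words) == 1:
        return "plaintext"          # bare `authentication` = Type 1 clear text
    if words[1] == "null":
        return "null"               # explicitly disables authentication
    if words[1] == "message-digest":
        if "keychain" in words:
            return "keychain:" + words[words.index("keychain") + 1]
        return "md5"
    return "unknown:" + stmt


def effective_ospf_auth(config: str) -> dict[str, str]:
    """Return {interface: effective authentication mode} for the OSPF process.

    Process-level settings apply everywhere unless an area overrides them, and
    an interface statement overrides both. "none" means nothing was set at any
    level. Indentation depth (1, 2, 3 spaces) identifies the scope.
    """
    result: dict[str, str] = {}
    m = re.search(r"^router ospf \S+\n((?: .*\n)*)", config, re.M)
    if m is None:
        return result
    proc_auth, area_auth, iface = "none", None, None
    for raw in m.group(1).splitlines():
        depth = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if line == "!":
            continue
        if depth == 1:                          # process scope (incl. `area X`)
            area_auth, iface = None, None
            if AUTH_STMT.match(line):
                proc_auth = classify(line)
        elif depth == 2:                        # area scope
            iface = None
            if line.startswith("interface "):
                iface = line.split()[1]
                result[iface] = area_auth if area_auth is not None else proc_auth
            elif AUTH_STMT.match(line):
                area_auth = classify(line)
        elif depth == 3 and iface is not None:  # interface scope
            if AUTH_STMT.match(line):
                result[iface] = classify(line)
    return result


WEAK = {
    "none": "no authentication at any level",
    "plaintext": "clear-text (Type 1) authentication",
    "null": "authentication explicitly disabled",
}


def ospf_auth_findings(config: str) -> list[str]:
    """Interfaces whose effective OSPF authentication violates policy 11."""
    return [f"{iface}: {WEAK[mode]}"
            for iface, mode in effective_ospf_auth(config).items() if mode in WEAK]


if __name__ == "__main__":
    for iface, mode in effective_ospf_auth(SAMPLE_CONFIG).items():
        print(f"{iface:28} {mode}")
    print("findings:", ospf_auth_findings(SAMPLE_CONFIG))
```

On the constructed stanza the two area 0 interfaces resolve to MD5 and to the keychain override, while the area 1 interfaces resolve to clear text and to null and are reported as findings. Interfaces shown as "md5" pass the minimum bar; those using a keychain are the preferred state.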

12. Ingress and egress filtering shall be configured.

Note: the vendor procedure reproduced below enables Ethernet egress filtering, which controls which tagged frames a Layer 2 subinterface will transmit. It is not IP traffic filtering. The audit evidence for this policy is the access lists bound to interfaces in the ingress and egress directions, which the show commands at the end of this item surface.

SUMMARY STEPS

1. configure
2. ethernet egress-filter strict
3. interface {GigabitEthernet | TenGigE | FastEthernet | Bundle-Ether} instance.subinterface
4. ethernet egress-filter {strict | disabled}
5. exit

DETAILED STEPS:

Command or Action Purpose

Step 1 configure RP/0/RSP0/CPU0:PE44_ASR-9010# config Thu Jun 4 07:50:02.660 PST RP/0/RSP0/CPU0:PE44_ASR-9010(config)#

Enters global configuration mode.


Step 2 ethernet egress-filter strict RP/0/RSP0/CPU0:PE44_ASR-9010(config)# ethernet egress-filter strict

Enables strict egress filtering on all subinterfaces on the device by default.

Step 3 interface {GigabitEthernet | TenGigE | FastEthernet | Bundle-Ether} instance.subinterface RP/0/RSP0/CPU0:PE44_ASR-9010(config)# interface GigabitEthernet 0/1/0/1.1 RP/0/RSP0/CPU0:PE44_ASR-9010(config-subif)#

Creates an L2 subinterface.

Step 4 ethernet egress-filter {strict | disabled} RP/0/RSP0/CPU0:PE44_ASR-9010(config-subif)# ethernet egress-filter strict

Allows egress filtering to be explicitly enabled or disabled on any L2 subinterface. It can also be used to override global settings.

Step 5 exit RP/0/RSP0/CPU0:PE44_ASR-9010(config-subif)# exit RP/0/RSP0/CPU0:PE44_ASR-9010(config)# exit

Exit from the configuration mode.

CDAC-R09R06-C01-R-2#show access-lists BLOCK-UDP pfilter location all

CDAC-R09R06-C01-R-2#show run | include ingress

CDAC-R09R06-C01-R-2#show run | include egress

13. Unused address space should be routed to the null interface.

FOR EXAMPLE (Cisco IOS syntax):

R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# ip route 192.168.0.0 255.255.0.0 Null0
R2(config)# end

On IOS XR the equivalent is a static route under "router static" with Null0 as the next hop; the check below finds either form.

CDAC-R09R06-C01-R-2#show run | i Null


14. Anti-spoofing should be configured on all interfaces.

To configure Unicast RPF loose mode, perform the following steps (Cisco IOS syntax; on IOS XR the interface command is "ipv4 verify unicast source reachable-via {any | rx}"). Loose mode (reachable-via any) only requires that a route to the source address exists and is the appropriate choice on multihomed or asymmetric links; strict mode (reachable-via rx) additionally requires the best route back to the source to leave through the receiving interface and should be used on single-homed interfaces.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip cef
4. interface type slot / port-adapter / port
5. ip verify unicast source reachable-via any

DETAILED STEPS:

Command or Action Purpose

Step 1 enable Example: Router> enable

Enables privileged EXEC mode.

• Enter your password if prompted.

Step 2 configure terminal Example: Router# configure terminal

Enters global configuration mode.

Step 3 ip cef Example: Router (config)# ip cef

Enables CEF on the route processor card.

Step 4 interface type slot / port-adapter / port Example: Router (config)# interface serial5/0/0

Configures an interface type and enters interface configuration mode.

Step 5 ip verify unicast source reachable-via any Example: Router (config-if)# ip verify unicast source reachable-via any

Enables Unicast RPF using loose mode.

Note: anti-spoofing (Unicast RPF) was not configured on the audited device, so no screenshot is attached. This is an open finding against this policy.
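Items 10, 12, 13 and 14 all come down to per-interface checks on the running configuration, so they are worth verifying together rather than by scrolling through the show output. The script below is an added example for this edition; it is not part of the C-DAC checklist or a Cisco tool. The configuration is constructed in Cisco IOS XR syntax (interface names, addresses and ACL names are invented) and the set of exempt interface types (Loopback, Null) is an assumption.

```python
import re

# Constructed `show running-config` excerpt (Cisco IOS XR style), not taken
# from the audited device. One uplink is fully filtered, the LAN port lacks
# egress filtering, a second uplink has neither ACLs nor uRPF, one spare
# port is shut down and one spare was left enabled.
SAMPLE_CONFIG = """\
interface Loopback0
 ipv4 address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/0/0/0
 description Uplink to ISP-A
 ipv4 address 203.0.113.2 255.255.255.252
 ipv4 verify unicast source reachable-via any
 ipv4 access-group EDGE-IN ingress
 ipv4 access-group EDGE-OUT egress
!
interface GigabitEthernet0/0/0/1
 description Campus LAN
 ipv4 address 192.168.10.1 255.255.255.0
 ipv4 verify unicast source reachable-via rx
 ipv4 access-group LAN-IN ingress
!
interface GigabitEthernet0/0/0/2
 description Uplink to ISP-B
 ipv4 address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/0/0/3
 shutdown
!
interface GigabitEthernet0/0/0/4
!
router static
 address-family ipv4 unicast
  192.168.0.0/16 Null0
  0.0.0.0/0 203.0.113.1
 !
!
"""

# Interface types that carry no transit traffic and are exempt from the
# ACL and uRPF checks (assumed list).
EXEMPT_PREFIXES = ("Loopback", "Null")


def audit_interfaces(config: str) -> list[str]:
    """Apply policies 10, 12 and 14 to every interface stanza; return findings."""
    findings: list[str] = []
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        name, body = m.group(1), m.group(2)
        has_addr = re.search(r"^ ipv4 address ", body, re.M) is not None
        is_shut = re.search(r"^ shutdown$", body, re.M) is not None
        # Policy 10: an interface with no addressing and no `shutdown` is an
        # unused port that is still up and accepting frames.
        if not has_addr:
            if not is_shut:
                findings.append(f"{name}: unused interface is not shut down (policy 10)")
            continue
        if name.startswith(EXEMPT_PREFIXES):
            continue
        # Policy 12: an ACL must be bound in both directions.
        for direction in ("ingress", "egress"):
            if not re.search(rf"^ ipv4 access-group \S+ {direction}$", body, re.M):
                findings.append(f"{name}: no {direction} ACL (policy 12)")
        # Policy 14: uRPF in strict (rx) or loose (any) mode. Loose mode is the
        # safe choice on multihomed uplinks where return paths may be
        # asymmetric; strict mode fits single-homed LAN and customer ports.
        if not re.search(r"^ ipv4 verify unicast source reachable-via (?:rx|any)\b", body, re.M):
            findings.append(f"{name}: uRPF not enabled (policy 14)")
    return findings


def null_routes(config: str) -> list[str]:
    """Prefixes statically pointed at Null0 (policy 13).

    Scans the whole configuration for Null0 next hops, which is the same
    information `show run | i Null` surfaces interactively.
    """
    return re.findall(r"^\s+(\S+/\d+) Null0\b", config, re.M)


if __name__ == "__main__":
    for finding in audit_interfaces(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("null-routed prefixes:", null_routes(SAMPLE_CONFIG))
```

On the constructed sample the first uplink and the shut-down spare pass, the LAN port is reported for the missing egress ACL, the second uplink for missing ACLs and uRPF, and the enabled spare under policy 10; the 192.168.0.0/16 null route is listed as evidence for policy 13. Whether that prefix is in fact unused is a question for the address plan, which the configuration alone cannot answer.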

15. Back up of the device.

A backup of the current operating system image and of the running configuration shall be taken prior to any upgrade. Where SNMP is enabled on the device (for monitoring or for retrieving configuration), check the following:

• Enable SNMP only if required, and check that SNMPv3 with authentication and privacy is used.

CDAC-R09R06-C01-R-2#show snmp host

• Default community strings (for example, "public") shall not be used.
• Community string secrecy shall be treated on a par with administrator account passwords.
• Community strings should be set for read-only mode.
• SNMP access should be permitted only from specific IP addresses of trusted networks.
• The same or similar community strings should not be used across devices.

CDAC-R09R06-C01-R-2#show run | i snmp

16. Log Maintenance

• Logs should be sent to a centralized log server.

CDAC-R09R06-C01-R-2#show log

• Logs should be archived in read-only format.

CDAC-R09R06-C01-R-2#show log location

CDAC-R09R06-C01-R-2#show run | i log


17. For checking console and other direct access port connections of the

router.

CDAC-R09R06-C01-R-2#show run | b line

18. For checking what are the various networks allowed in router.

CDAC-R09R06-C01-R-2#show access-lists BLOCK-UDP usage pfilter location all

19. For checking the router network traffic flow and loopback interface.

CDAC-R09R06-C01-R-2#show monitor-session counters

20. For checking the router timeout option.

CDAC-R09R06-C01-R-2#show run | i timeout

21. For checking for any virtual terminal unit i.e. VTY’s enabled on device.

CDAC-R09R06-C01-R-2#show run | b vty

22. For checking the router remote administration access process.

CDAC-R09R06-C01-R-2#show run | i line


23. For checking the ACL written with respect to access to the VTYs or other remote administration mechanism of the router.

CDAC-R09R06-C01-R-2#show access-lists MANAGEMENT
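Items 15 and 23 are related: a VTY access-class or an SNMP community is only as restrictive as the ACL it names, so the audit has to follow the reference and read the ACL's entries, and must also notice when a referenced ACL was never defined. The script below does that. It is an added example for this edition, not part of the C-DAC checklist or a Cisco tool. The configuration is constructed in Cisco IOS XR style (ACL names, community strings and addresses are invented, and the ACL entries use prefix-length and "host" sources), and the trusted management network is an assumption to be replaced with the organisation's own.

```python
import ipaddress
import re

# Constructed sample (Cisco IOS XR style); not output from the audited
# device. MANAGEMENT is the VTY ACL, SNMP-MGMT guards one community, one
# line template points at an ACL that was never defined, and two of the
# three communities are misconfigured.
SAMPLE_CONFIG = """\
ipv4 access-list MANAGEMENT
 10 permit tcp 10.20.30.0/24 any eq 22
 20 permit tcp host 10.20.31.7 any eq 22
 30 deny ipv4 any any log
!
ipv4 access-list SNMP-MGMT
 10 permit udp any any eq 161
!
snmp-server community public RO
snmp-server community s3cr3t-mon RO IPv4 SNMP-MGMT
snmp-server community n3t0ps-rw RW
line default
 access-class ingress MANAGEMENT
 transport input ssh
!
line template LEGACY
 access-class ingress VTY-OLD
!
"""

# Networks from which administration is permitted (assumed for the example).
TRUSTED_MGMT = [ipaddress.ip_network("10.20.30.0/24")]

# seq, action, protocol, source ("host A.B.C.D", "A.B.C.D/len" or "any"), rest
ACE_RE = re.compile(r"^(\d+) (permit|deny) (\S+) (host \S+|\S+/\d+|any)(?: (.*))?$")


def parse_acls(config: str) -> dict[str, list[tuple[str, ...]]]:
    """Return {acl_name: [(seq, action, protocol, source), ...]} for IPv4 ACLs."""
    acls: dict[str, list[tuple[str, ...]]] = {}
    for m in re.finditer(r"^ipv4 access-list (\S+)\n((?: .*\n)*)", config, re.M):
        entries = []
        for line in m.group(2).splitlines():
            ace = ACE_RE.match(line.strip())
            if ace:
                entries.append(ace.groups()[:4])
        acls[m.group(1)] = entries
    return acls


def check_acl_sources(name: str, entries, trusted) -> list[str]:
    """Flag permit entries whose source is wider than the trusted networks."""
    findings = []
    for seq, action, _proto, src in entries:
        if action != "permit":
            continue
        if src == "any":
            findings.append(f"acl {name} seq {seq}: permits any source")
            continue
        addr = src.split()[1] if src.startswith("host ") else src
        net = ipaddress.ip_network(addr, strict=False)
        if not any(net.subnet_of(t) for t in trusted):
            findings.append(f"acl {name} seq {seq}: source {net} outside trusted management networks")
    return findings


def audit_management_acls(config: str, trusted=TRUSTED_MGMT) -> list[str]:
    """Resolve every VTY and SNMP ACL reference and review the ACL contents."""
    acls = parse_acls(config)
    findings: list[str] = []

    # Policy 23: each line template must name an ACL that actually exists.
    for lm in re.finditer(r"^line (.+)\n((?: .*\n)*)", config, re.M):
        ref = re.search(r"^ access-class ingress (\S+)", lm.group(2), re.M)
        if ref is None:
            findings.append(f"line {lm.group(1)}: no ingress access-class")
        elif ref.group(1) not in acls:
            findings.append(f"line {lm.group(1)}: access-class {ref.group(1)} is not defined")

    # Policy 15: no default community, read-only, bound to a defined ACL.
    for sm in re.finditer(r"^snmp-server community (\S+)(.*)$", config, re.M):
        community, opts = sm.group(1), sm.group(2).split()
        if community.lower() in ("public", "private"):
            findings.append(f"snmp community {community}: default string")
        if "RW" in opts:
            findings.append(f"snmp community {community}: read-write")
        if "IPv4" not in opts:
            findings.append(f"snmp community {community}: no IPv4 access-list")
        elif opts[opts.index("IPv4") + 1] not in acls:
            findings.append(f"snmp community {community}: access-list not defined")

    # Policy 23 (content): permits must come from the trusted networks only.
    for name, entries in acls.items():
        findings.extend(check_acl_sources(name, entries, trusted))
    return findings


if __name__ == "__main__":
    for finding in audit_management_acls(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On the constructed sample, `line default` resolves cleanly to MANAGEMENT, but the LEGACY template references an undefined ACL, the "public" community is both a default string and unbound, the RW community is writable and unbound, one MANAGEMENT entry permits a host outside the trusted subnet, and SNMP-MGMT permits any source, which defeats the purpose of binding it.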

24. For checking any privileged exec mode in router settings.

CDAC-R09R06-C01-R-2#show run | i exec

25. For checking whether the router is configured with local or AAA authentication.

CDAC-R09R06-C01-R-2#show tacacs

Note: AAA is managed as per the Cyber Security Policies for NICNET Information Infrastructure. Authenticated users and their privilege levels are held on the TACACS+ server and can be reviewed only by logging in there. The command above shows the router's view of the configured TACACS+ server (address, port and connection state).

26. For checking the static and dynamic routing.

• For checking the routing and routed protocols

CDAC-R09R06-C01-R-2#show protocols bgp

CDAC-R09R06-C01-R-2#show protocols ospf

CDAC-R09R06-C01-R-2#show route static

For checking bgp summary.

CDAC-R09R06-C01-R-2#show bgp summary


• For checking the ospf neighbor.

CDAC-R09R06-C01-R-2#show ospf neighbor

• For checking OSPF route.

CDAC-R09R06-C01-R-2#show route ospf

• For checking RIP.

• For checking EIGRP.

Note: The organisation is not using RIP or EIGRP routing.

27. For checking radius & tacacs+ methods in router.

CDAC-R09R06-C01-R-2#show tacacs

CDAC-R09R06-C01-R-2#show run | i tacacs

CONTRIBUTED BY:

1. Mr Ch A.S Murty

2. Mr Tyeb Naushad

3. Mr Devi Satish

4. Mr Shrinath Rusia

5. Ms Vertika Singh

6. Mr Vinay Kumar

C-DAC, Hyderabad
