ZOHO Corp.
Cisco PIX Security Appliance Security Report
Tuesday 29th May 2012

Security Audit Summary


Overall Issue Ratings

Critical  High  Medium  Low  Info
1         0     3       4    1

ZOHO Corp. performed a security audit of the Cisco PIX Security Appliance device on Tuesday 29th May 2012 and identified nine security-related issues. The most significant issue identified was rated as critical. ZOHO Corp. recommends that any issue rated higher than a medium should be reviewed as soon as possible.

ZOHO Corp. performed an analysis of the authentication credentials during the security audit. Strong authentication credentials are important to help prevent an attacker from gaining unauthorized access by guessing the password or by a dictionary-based or brute-force attack. Authentication passwords and keys should contain a number of different character types and punctuation, meet a minimum length, and not be based on dictionary words, set to the system default or left blank. ZOHO Corp. identified weaknesses with the authentication credentials and recommends that the current password policy should be reviewed and that all passwords should be configured to meet the policy.

The following statistics can be drawn from the results of this assessment: one issue (11%) was rated as critical, three issues (33%) were rated as medium, four issues (44%) were rated as low and one issue (11%) was rated as informational.

Contents


1. About Your Report
    1.1. Report Content
    1.2. Report Conventions
2. Security Audit
    2.1. Introduction
    2.2. Users Were Configured With No Password
    2.3. No HTTPS Management Host Access Restrictions
    2.4. No Logging Configured
    2.5. No Time Synchronization Configured
    2.6. No Console Connection Timeout
    2.7. Unicast RPF Verification Disabled
    2.8. No ACL Were Configured
    2.9. No Pre-Logon Banner Message
    2.10. No Post Logon Banner Message
    2.11. Conclusions
    2.12. Recommendations
3. Security Best Practices
    3.1. Introduction
    3.2. Software
    3.3. Services
    3.4. Interfaces
    3.5. Filtering
    3.6. Authentication
    3.7. Logging
    3.8. Encryption
4. Device Configuration
    4.1. Introduction
    4.2. General Device Settings
    4.3. Network Services
    4.4. Administration Settings
    4.5. Authentication Settings
    4.6. SNMP Settings
    4.7. Logging Settings
    4.8. Time And Date Settings
    4.9. IDS/IPS Configuration
    4.10. Network Interface Settings

Index Of Tables


Table 1. Report text conventions
Table 2. Impact ratings
Table 3. Ease ratings
Table 4. Fix ratings
Table 5. Users with no password
Table 6. Recommendations
Table 8. General device settings
Table 9. Network services
Table 10. General administration settings
Table 11. Telnet service settings
Table 12. SSH service settings
Table 13. HTTPS service settings
Table 14. HTTPS service encryption ciphers
Table 15. Configured users
Table 16. SNMP settings
Table 17. General logging configuration
Table 18. Internal buffer logging configuration
Table 19. Syslog logging configuration
Table 20. Console logging configuration
Table 21. Terminal line logging configuration
Table 22. General Time Settings
Table 23. NTP client settings
Table 24. Interface ethernet1 IDS/IPS configuration
Table 25. Physical network interfaces

1. About Your Report


1.1. Report Content


This Cisco PIX Security Appliance report was produced by ZOHO Corp. on Tuesday 29th May 2012. The report is comprised of the following sections:

  • a security audit report section that details any identified security-related issues. Each security issue includes a finding, its impact, how easy it would be for an attacker to exploit it, and a recommendation. The recommendations include, where appropriate, the command(s) to mitigate the issue;
  • a security best practice section that describes, in general terms, how to securely configure Cisco PIX Security Appliance devices;
  • a configuration report section that details the Cisco PIX Security Appliance configuration settings.

1.2. Report Conventions


This report makes use of the text conventions outlined in Table 1.

Table 1: Report text conventions
Convention Description
command This text style represents the Cisco PIX Security Appliance command text that has to be entered literally.
string This text style represents Cisco PIX Security Appliance command text for which you should substitute a suitable value (e.g. an IP address or authentication key).
[ ] Used to enclose a Cisco PIX Security Appliance command option.
{ } Used to enclose a Cisco PIX Security Appliance command requirement.
| Divides command options.

2. Security Audit


2.1. Introduction


Each security issue identified by ZOHO Corp. is described with a finding, the impact of the issue, how easy it would be for an attacker to exploit the issue and a recommendation. Each security issue is rated based on a number of factors, each of which is described in the following sections.

2.1.1. Issue Finding

The issue finding describes what configuration setting ZOHO Corp. identified that potentially poses a security threat. In addition to the finding details, any relevant background information is also described.

2.1.2. Issue Impact

The impact section describes what an attacker could gain from exploiting the security issue. The impact of an issue is often defined by other configuration settings that could heighten the issue or partially mitigate it. For example, a weak password could be partially mitigated if the access gained from using it is restricted in some way. The impact is rated depending on the significance of the security threat. Table 2 outlines the possible impact ratings and their significance.

Table 2: Impact ratings
Rating    Description
Critical  These issues can pose a very significant security threat. The issues that have a critical impact are typically those that would allow an attacker to gain full administrative access to the device. For a firewall device, allowing all traffic to pass through the device unfiltered would receive this rating as filtering traffic to protect other devices is the primary purpose of a firewall.
High      These issues pose a significant threat to security, but have some limitations on the extent to which they can be abused. User level access to a device and a DoS vulnerability in a critical service would fall into this category. A firewall device that allowed significant unfiltered access, such as allowing entire subnets through or not filtering in all directions, would fall into this category. A router that allows significant modification of its routing configuration would also fall into this category.
Medium    These issues have significant limitations on the direct impact they can cause. Typically these issues would include significant information leakage issues, less significant DoS issues or those that provide significantly limited access. An SNMP service that is secured with a default or a dictionary-based community string would typically fall into this rating, as would a firewall that allows unfiltered access to a range of services on a device.
Low       These issues represent a low level security threat. A typical issue would involve information leakage that could be useful to an attacker, such as a list of users or version details. A non-firewall device that was configured with weak network filtering would fall into this category.
Info      These issues represent a very low level of security threat. These issues include minor information leakage, unnecessary services or legacy protocols that provide no real threat to security.

2.1.3. Issue Ease

The ease section of each issue describes the knowledge, skill and physical access that would be required of an attacker in order to exploit it. The ease will describe if open source or commercially available tools are required for an attacker to exploit an issue. Additionally, the ease will note where an extended period of time is required to exploit the issue, such as cracking weak encryption ciphers. Each issue is rated upon how easily it can be exploited, the ratings for which are described in Table 3.

Table 3: Ease ratings
Rating     Description
Trivial    The issue requires little-to-no knowledge on behalf of an attacker and can be exploited using standard operating system tools. A firewall device which had a network filtering configuration that enables traffic to pass through would fall into this category.
Easy       The issue requires some knowledge for an attacker to exploit, which could be performed using standard operating system tools or tools downloaded from the Internet. An administrative service with no password or with a default password would fall into this category, as would a simple software vulnerability exploit.
Moderate   The issue requires specific knowledge on behalf of an attacker. The issue could be exploited using a combination of operating system tools or publicly available tools downloaded from the Internet.
Challenge  A security issue that falls into this category would require significant effort and knowledge on behalf of the attacker. The attacker may require specific physical access to resources or to the network infrastructure in order to successfully exploit it. Furthermore, a combination of attacks may be required.
N/A        The issue is not directly exploitable. An issue such as enabling legacy protocols or unnecessary services would fall into this rating category.

2.1.4. Issue Recommendation

Each issue includes a recommendation section which describes what steps ZOHO Corp. recommends should be taken in order to mitigate the issue. The recommendation will sometimes include various options, if several mitigating choices are available, and any relevant system commands.

Directly following the recommendation, the issue dependencies and other relevant issues are referenced. The dependency issues are those that, when mitigated, will eliminate the described issue. For example, if the Simple Network Management Protocol (SNMP) is disabled it no longer matters if a view has not been configured. The relevant issues are ones that can affect the impact or the ease with which the issue can be exploited.

The recommendation includes a rating that indicates how easy an issue is to resolve; these ratings are described in Table 4.

Table 4: Fix ratings
Rating    Description
Involved  The resolution of the issue will require significant resources to resolve and is likely to include disruption to network services, and possibly the modification of other network device configurations. The issue could involve upgrading the Cisco PIX Security Appliance OS and possibly modifications to the hardware.
Planned   The issue resolution involves planning, testing and could cause some disruption to services. This issue could involve changes to routing protocols and changes to network filtering.
Quick     The issue is quick to resolve. Typically this would just involve changing a small number of settings and would have little-to-no effect on network services.

2.1.5. Issue Overall Rating

The previous sections describe each section that is reported for an individual issue and the rating associated with it, but they do not describe how the overall rating is calculated. The overall security issue rating is calculated from a combination of the impact and the ease of exploiting an issue; the recommendation rating is not included because it does not represent the significance of a security issue. The overall rating uses the same scale as the impact, modified by how easy the issue is to exploit.

It is worth noting that ZOHO Corp. is unable to provide an accurate threat assessment due to a lack of contextual information. For example, in the case where highly sensitive information is processed, a Denial of Service (DoS) vulnerability poses less of a threat than the integrity of the data or an attacker gaining access to it. Similarly, for a situation where uptime is critical, a DoS vulnerability could be more important than the leakage of sensitive information. The ratings provided by ZOHO Corp. are intended to be a guide.

2.2. Users Were Configured With No Password


Overall: Critical
Impact: Critical
Ease: Easy
Fix: Quick
2.2.1. Finding

Authentication credentials are configured on Cisco PIX Security Appliance devices in order to help prevent unauthorized access to the device, restricting access to specific authorized users. Authenticated administrative users could reconfigure the device or could use the device to access other devices on the network.

ZOHO Corp. determined that two of the authentication credentials were configured with no password. These are listed in Table 5.

Table 5: Users with no password
User      Privilege Level
password  -
enable    15

2.2.2. Impact

With no password configured, an attacker or malicious user could gain access to by authenticating without providing a password. The attacker could enumerate information about the device and network configuration. The attacker may also be able to use the device to attack other network devices. Furthermore, with administrative access, the attacker could reconfigure allowing them to:

  • perform a network DoS;
  • monitor potentially sensitive network traffic and capture authentication credentials;
  • perform a man in the middle attack in order to gain access to further devices.

2.2.3. Ease

The attacker would simply need to connect to an authentication service on and would not need to provide a password. Tools to connect to authentication services are provided with most Operating Systems (OSs) as standard. Furthermore, a number of network security testing tools can check authentication services in order to identify any empty, default or weak authentication passwords.

2.2.4. Recommendation

ZOHO Corp. recommends that strong authentication passwords should be immediately configured for all Cisco PIX Security Appliance users. ZOHO Corp. recommends that passwords:

  • are at least eight characters in length;
  • must include uppercase characters;
  • must include lowercase characters;
  • must include numbers;
  • must include non-alphanumeric characters;
  • must not contain the username/service name;
  • must not contain the device's host name;
  • must not contain device details (e.g. make, model);
  • must not be dictionary-based with character substitution (e.g. an "i" swapped for a "1");
  • must not contain character sequences (e.g. "qwerty");
  • must not be dictionary-based with common characters appended (e.g. "1").

The following commands can be used on Cisco PIX Security Appliance devices to configure the initial password, enable password and a user account with a password:

password password
enable password password
username name password password
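The password rules recommended above, written out as a checker that reports every rule a candidate breaks. This is an added example, not part of the report or of ZOHO Corp.'s tooling; the word list, sequence list and substitution table are constructed stand-ins for a full dictionary, and `admin` and `pixfw` are assumed user and host names.

```python
import string

# Constructed mini word list standing in for a full dictionary file; a real check
# would load a proper cracking wordlist instead.
DICTIONARY = {"password", "secret", "admin", "firewall", "welcome", "letmein",
              "cisco", "summer"}

# Keyboard and alphabet runs that count as "character sequences" (constructed list).
SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "abcdef", "123456", "987654")

# Common character substitutions undone before the dictionary comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

# Characters commonly appended to a dictionary word ("Summer1!").
APPENDED = string.digits + string.punctuation


def check_password(password, username="", hostname="", device_details=("cisco", "pix")):
    """Return the list of policy rules the password violates (empty means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no non-alphanumeric characters")

    lowered = password.lower()
    for label, token in (("username", username), ("host name", hostname)):
        if token and token.lower() in lowered:
            problems.append("contains the %s" % label)
    for token in device_details:
        if token.lower() in lowered:
            problems.append("contains device detail '%s'" % token)

    # Dictionary checks: first strip appended characters, then undo substitutions
    # on both forms; only one dictionary message is reported per password.
    base = lowered.rstrip(APPENDED)
    if lowered in DICTIONARY or base in DICTIONARY:
        problems.append("dictionary word, possibly with common characters appended")
    elif lowered.translate(LEET) in DICTIONARY or base.translate(LEET) in DICTIONARY:
        problems.append("dictionary word with character substitution")

    # Keyboard or alphabet runs in either direction.
    for seq in SEQUENCES:
        if seq in lowered or seq[::-1] in lowered:
            problems.append("contains character sequence '%s'" % seq)
            break
    return problems


if __name__ == "__main__":
    for candidate in ("cisco", "P@ssw0rd1!", "Qwerty12!x", "Tr0ub4dor&3Xq"):
        result = check_password(candidate, username="admin", hostname="pixfw")
        print(candidate, "->", result or "OK")
```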

2.3. No HTTPS Management Host Access Restrictions


Overall: Medium
Impact: Medium
Ease: Trivial
Fix: Quick
2.3.1. Finding

The HTTPS service is used for the remote web-based administration of . To help prevent unauthorized access from a malicious user or an attacker to the HTTPS service, management host addresses can be specified. Once the management host addresses have been configured, Cisco PIX Security Appliance devices will prevent access from an unauthorized host address.

ZOHO Corp. determined that no administrative host addresses were configured for the HTTPS service.

2.3.2. Impact

Without management host address restrictions, an attacker or malicious user with authentication credentials would be able to connect to the HTTPS service and log on. Furthermore, if a vulnerability were to be identified in the service, the attacker would not be prevented from connecting to the service.

Due to the unencrypted nature of the service, an attacker monitoring the connection would gain access to any authentication credentials and data transferred between the client and the device.

2.3.3. Ease

For an attacker to gain access to the HTTPS service, they would simply have to connect to it using their web browser. A variety of web browsers can be downloaded from the Internet and are installed by default on most OSs.

2.3.4. Recommendation

ZOHO Corp. recommends that specific addresses for those hosts that require administrative access should be configured.

2.4. No Logging Configured


Overall: Medium
Impact: Medium
Ease: N/A
Fix: Planned
2.4.1. Finding

Logging is an essential component of a secure network configuration. Logging not only assists network administrators to identify issues when troubleshooting, but enables network administrators to react to intrusion attempts or Denial-of-Service attacks. It is therefore important that system messages are logged and that the logs are monitored, enabling system administrators to take immediate action when an attack has been identified or a potential problem raised. Furthermore, system logs are a key component of a forensic investigation into past intrusions or service disruptions.

ZOHO Corp. determined that logging was not enabled on .

2.4.2. Impact

With no logging of system messages, a network administrator may not be alerted to an intrusion attempt by an attacker and, furthermore, the logs would not be available for a forensic investigation. Additionally, without logging, notifications of possible issues with a device that would have been useful for diagnostic purposes would not be recorded.

2.4.3. Ease

No system messages will be recorded.

2.4.4. Recommendation

ZOHO Corp. recommends that both Syslog and internal buffer logging should be configured on .

Logging can be enabled on Cisco PIX Security Appliance devices with the following command:

logging enable

Syslog hosts can be configured on Cisco PIX Security Appliance devices with the following command:

logging host interface ip-address

Buffered logging can be enabled on Cisco PIX Security Appliance devices with the following command:

logging buffered [level]

2.5. No Time Synchronization Configured


Overall: Medium
Impact: Medium
Ease: N/A
Fix: Planned
2.5.1. Finding

Time synchronization for network devices is inherently important, not just for the various services that make use of time, but for the accurate logging of events. Cisco PIX Security Appliance devices can be configured to synchronize their time against a network time source.

ZOHO Corp. determined that time synchronization against a network time source was not configured.

2.5.2. Impact

Without any configured time synchronization, it could be more difficult to correlate events in the logs. This would make a forensic investigation more complex, hindering any troubleshooting and possibly causing issues with time sensitive systems.

2.5.3. Ease

The system time will not be synchronized.

2.5.4. Recommendation

ZOHO Corp. recommends that the system time should be synchronized against a network time source.

Cisco PIX Security Appliance devices can be configured to obtain time updates from a Network Time Protocol (NTP) service using authentication with the following commands:

ntp authenticate
ntp trusted-key key-id
ntp authentication-key key-id md5 key-string
ntp server ip-address key key-id

2.6. No Console Connection Timeout


Overall: Low
Impact: Critical
Ease: Challenge
Fix: Quick
2.6.1. Finding

The console connection timeout setting is used by Cisco PIX Security Appliance devices to determine if a console connection is no longer being used and can be closed. The console connection could become unused if an administrator has not correctly terminated the connection and still remains logged into the console or they have left their computer without terminating the console connection.

ZOHO Corp. determined that no console connection timeout was configured on .

2.6.2. Impact

An attacker with physical access to would be able to connect to the console port and continue using a connection that was not properly terminated. Due to the nature of the device, the access the attacker would gain is likely to be that of an administrative level user.

2.6.3. Ease

An attacker would require physical access to the device in order to connect to the console port. Although this may seem like a significant barrier, a malicious user or attacker who has legitimate access to the room where is located would be able to access the console port. A locked server rack would provide little barrier to a motivated attacker.

2.6.4. Recommendation

ZOHO Corp. recommends that a timeout period of 10 minutes should be configured for the console connection.

The console timeout can be configured with the following command:

console timeout timeout-minutes

2.7. Unicast RPF Verification Disabled


Overall: Low
Impact: Medium
Ease: Easy
Fix: Quick
2.7.1. Finding

Any configured network packet filtering will have an impact on a device's performance and the more filtering configured, the greater the impact. Traditionally, to help prevent IP spoofing attacks, additional filtering was configured to perform sanity checks on network traffic to ensure that traffic being routed through the network originates from a valid IP address. These checks were typically configured to ensure the traffic from an IP address on an internal interface is not allowed in from the outside interface. Cisco PIX Security Appliance devices provide unicast Reverse Path Forwarding (RPF) verification to perform network traffic sanity checks without the performance impact of additional network filtering. Furthermore, unicast RPF verification is dynamic and will automatically adjust to topology changes.

ZOHO Corp. determined that unicast RPF verification was disabled on Interface ethernet1.

2.7.2. Impact

If unicast RPF verification is not enabled and no anti-spoofing network filtering is configured, a network packet with a spoofed source address could be routed by the device.

2.7.3. Ease

For an attacker to perform an IP spoofing attack, they would have to be aware of the address ranges used on the device's other interfaces. This could be made more difficult if anti-spoofing network filtering has been configured. However, manual configuration of anti-spoofing filtering could miss address ranges and may become out of date with changes to the network topology. To make things easier for an attacker, tools can be downloaded from the Internet that can perform an IP spoofing attack.

2.7.4. Recommendation

ZOHO Corp. recommends that unicast RPF verification should be enabled to help prevent IP spoofing attacks.

Unicast RPF can be enabled on individual interfaces with the following command:

ip verify reverse-path interface interface

2.8. No ACL Were Configured


Overall: Low
Impact: Low
Ease: Trivial
Fix: Planned
2.8.1. Finding

Cisco PIX Security Appliance devices can be configured with Access Control List (ACL) Access Control Entries (ACEs) in order to restrict network access to specific network hosts. Access can then be restricted to those hosts that are authorized to access specific network services. ZOHO Corp. determined that no ACL ACEs were configured on .

2.8.2. Impact

With no ACL ACEs configured, an attacker or malicious user would not be able to access network services through the device as all network traffic would be blocked by the device.

2.8.3. Ease

With no ACL ACEs, a user or attacker would not be able to access any network services through the device.

2.8.4. Recommendation

The primary purpose of Cisco PIX Security Appliance devices is to restrict access to only authorized hosts and services. If is not required, ZOHO Corp. recommends that should be decommissioned. Otherwise, ZOHO Corp. recommends that ACL are configured in order to restrict network access to only those hosts that specifically require access.

2.9. No Pre-Logon Banner Message


Overall: Low
Impact: Low
Ease: N/A
Fix: Quick
2.9.1. Finding

A pre-logon banner message can be configured on Cisco PIX Security Appliance devices. Logon banners are useful for passing on information to users and, with a carefully worded legal warning, as a deterrent to a potential attacker.

ZOHO Corp. determined that no pre-logon banner was configured on .

2.9.2. Impact

A pre-logon banner message is important in warning any potential attacker against unauthorized access to the Cisco PIX Security Appliance. With a carefully worded pre-logon banner that warns against unauthorized access, it would be easier to prove intent on behalf of the attacker if any legal action is taken.

2.9.3. Ease

Without a pre-logon banner, an attacker would not be presented with a legal warning against unauthorized access prior to a logon attempt.

2.9.4. Recommendation

ZOHO Corp. recommends that a carefully worded legal banner should be configured that warns against unauthorized access to .

The Message Of The Day (MOTD) banner message is displayed before logon for connections to . The MOTD banner message can be configured with the following command:

banner motd message-text

2.10. No Post Logon Banner Message


Overall: Info
Impact: Info
Ease: N/A
Fix: Quick
2.10.1. Finding

On Cisco PIX Security Appliance devices it is possible to configure a banner message that is presented to users after they have authenticated. The post logon banner is useful for detailing the acceptable use policy and what change control procedures should be followed prior to making any changes to the device's configuration.

ZOHO Corp. determined that no post logon banner message had been configured on .

2.10.2. Impact

An acceptable use message detailing any change control procedures could help to prevent ad-hoc changes being made to the Cisco PIX Security Appliance configuration.

2.10.3. Ease

No banner message is sent by after a user logon occurs.

2.10.4. Recommendation

ZOHO Corp. recommends that a post logon banner message is configured that details the acceptable use and change control procedure.

The Exec banner message is displayed once a successful logon has occurred, before the enable prompt. The Exec banner message can be configured with the following command:

banner exec message-text

2.11. Conclusions


ZOHO Corp. performed a security audit of the Cisco PIX Security Appliance on Tuesday 29th May 2012 and identified nine security-related issues. The most significant issue identified was rated as Critical.

One Critical rated security issue was identified. ZOHO Corp. determined that:

  • authentication credentials were configured with no password (see section 2.2).

ZOHO Corp. identified three Medium rated security issues. ZOHO Corp. determined that:

  • no HTTPS service management host addresses were configured (see section 2.3);
  • the logging of system messages was not configured (see section 2.4);
  • time synchronization was not configured (see section 2.5).

ZOHO Corp. identified four Low rated security issues. ZOHO Corp. determined that:

  • no console connection timeout was configured (see section 2.6);
  • unicast RPF was disabled (see section 2.7);
  • no ACL were configured (see section 2.8);
  • no pre-logon banner message was configured (see section 2.9).

One Info rated security issue was identified. ZOHO Corp. determined that:

  • no post logon banner message is configured (see section 2.10).

2.12. Recommendations


This section is designed to assist in the mitigation of the security issues identified by collating the security issue recommendations into a single location. The recommendations are listed in Table 6 together with the issue ratings.

Table 6: Recommendations
Issue | Overall | Impact | Ease | Fix | Recommendation | Section
Users Were Configured With No Password | Critical | Critical | Easy | Quick | Configure strong authentication credential passwords for all user accounts | 2.2
No HTTPS Management Host Access Restrictions | Medium | Medium | Trivial | Quick | Configure management host addresses for only those hosts that require HTTPS access | 2.3
No Logging Configured | Medium | Medium | N/A | Planned | Configure Syslog and internal buffer logging | 2.4
No Time Synchronization Configured | Medium | Medium | N/A | Planned | Configure time synchronization | 2.5
No Console Connection Timeout | Low | Critical | Challenge | Quick | Configure a console connection timeout of 10 minutes | 2.6
Unicast RPF Verification Disabled | Low | Medium | Easy | Quick | Enable unicast RPF | 2.7
No ACL Were Configured | Low | Low | Trivial | Planned | Configure ACL to restrict access, or decommission | 2.8
No Pre-Logon Banner Message | Low | Low | N/A | Quick | Configure a pre-logon banner message with a carefully worded legal warning | 2.9
No Post Logon Banner Message | Info | Info | N/A | Quick | Configure a post logon banner message which details the acceptable use and change control policies | 2.10
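The checks collated in Table 6, expressed as a small configuration audit over a constructed PIX configuration excerpt, and the same excerpt after the recommended commands are applied. This is an added example, not ZOHO Corp.'s audit tool or code from this report; it assumes the PIX 7.x-style `passwd`, `enable password`, `username ... nopassword`, `console timeout`, `nameif` and `http <address> <mask> <interface>` syntax, and every hash, key and address in the sample is a constructed placeholder.

```python
import re

# Constructed configuration excerpt mirroring the state described in this report: one
# named interface, no passwords, no logging, no NTP, console timeout 0 (never), no
# unicast RPF, no access-lists, no banners and HTTPS enabled without management hosts.
WEAK_CONFIG = """\
hostname pixfw
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.118.42 255.255.255.0
console timeout 0
http server enable
"""

# The same device after the recommendations in Table 6 are applied. EXAMPLEHASH and
# the host addresses are constructed placeholders, not values from this report.
FIXED_CONFIG = WEAK_CONFIG.replace("console timeout 0", "console timeout 10") + """\
passwd EXAMPLEHASH encrypted
enable password EXAMPLEHASH encrypted
username admin password EXAMPLEHASH encrypted privilege 15
logging enable
logging host inside 192.168.118.10
ntp server 192.168.118.5
ip verify reverse-path interface inside
access-list inside_in extended permit tcp 192.168.118.0 255.255.255.0 any eq 443
http 192.168.118.10 255.255.255.255 inside
banner motd Unauthorized access is prohibited.
banner exec Follow change control before modifying this device.
"""


def has(config, pattern):
    """True if any line of the configuration matches the line-anchored regex."""
    return re.search(pattern, config, re.MULTILINE) is not None


def named_interfaces(config):
    """Interface names assigned with 'nameif'; unicast RPF is applied per name."""
    return re.findall(r"^\s*nameif\s+(\S+)", config, re.MULTILINE)


def audit(config):
    """Return (issue title, overall rating) pairs in the order of this report's sections."""
    findings = []

    # 2.2: the login (passwd) and enable passwords must be set and no user may be
    # created with the 'nopassword' keyword.
    if (not has(config, r"^passwd\s+\S+") or not has(config, r"^enable password\s+\S+")
            or has(config, r"^username\s+\S+\s+nopassword\b")):
        findings.append(("Users Were Configured With No Password", "Critical"))

    # 2.3: with the HTTPS server enabled, 'http <address> <mask> <interface>' entries
    # are what restrict which hosts may reach it.
    if (has(config, r"^http server enable") and
            not has(config, r"^http\s+\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+\s+\S+")):
        findings.append(("No HTTPS Management Host Access Restrictions", "Medium"))

    # 2.4: 'logging enable' ('logging on' on older releases) must be present.
    if not has(config, r"^logging (enable|on)\b"):
        findings.append(("No Logging Configured", "Medium"))

    # 2.5: at least one NTP server.
    if not has(config, r"^ntp server\s+\S+"):
        findings.append(("No Time Synchronization Configured", "Medium"))

    # 2.6: 'console timeout 0' is the default and means the console never times out.
    match = re.search(r"^console timeout\s+(\d+)", config, re.MULTILINE)
    if match is None or int(match.group(1)) == 0:
        findings.append(("No Console Connection Timeout", "Low"))

    # 2.7: unicast RPF verification is configured per named interface.
    for name in named_interfaces(config):
        if not has(config, r"^ip verify reverse-path interface %s\b" % re.escape(name)):
            findings.append(("Unicast RPF Verification Disabled (%s)" % name, "Low"))

    # 2.8: no access-list entries at all.
    if not has(config, r"^access-list\s+"):
        findings.append(("No ACL Were Configured", "Low"))

    # 2.9 and 2.10: pre-logon (motd) and post-logon (exec) banners.
    if not has(config, r"^banner motd\s+"):
        findings.append(("No Pre-Logon Banner Message", "Low"))
    if not has(config, r"^banner exec\s+"):
        findings.append(("No Post Logon Banner Message", "Info"))
    return findings


def summarize(findings):
    """Count findings per overall rating, as in the 'Overall Issue Ratings' table."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Info": 0}
    for _, rating in findings:
        counts[rating] += 1
    return counts
```

Run against WEAK_CONFIG the audit reproduces the nine findings and the 1/0/3/4/1 rating breakdown of this report; against FIXED_CONFIG it reports nothing.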

3. Security Best Practices


3.1. Introduction


This section describes the security best practices that are relevant to Cisco PIX Security Appliance devices. Security will often be contrary to both usability and performance. However, in many cases the reverse can also be true, with a great number of security best practices benefiting the device's performance. Security best practice can be summarized as follows:

  • run the latest software versions;
  • disable anything that is not used;
  • restrict access to only those that require the access;
  • configure strong authentication credentials;
  • configure logon banners to warn against unauthorized access;
  • log important system events;
  • use strong encryption where possible.

Best practice means that even simple security protection settings should be configured. Security in depth is a term frequently used in the security industry; it means providing security in layers. Even security options that are trivial for a skilled attacker to circumvent may persuade them to look for an easier target if they come across security barriers at every stage.

3.2. Software


3.2.1. Overview

Maintaining an up-to-date software version is an important part of any device's security and stability. New software vulnerabilities and bugs are continually being identified and PIX is no exception. Furthermore, industry standard protocols are regularly being revised and updated to take into account new technologies and potential weaknesses.

If an attacker is able to determine the PIX version used by a Cisco PIX Security Appliance device, they could look it up on one of the many vulnerability databases available on the Internet and download exploit code targeted for that software version. If an attacker is unable to determine the PIX version, they may run exploit code blindly in an attempt to gain access. It is therefore critical to ensure that all the latest patches and updates have been applied.

Software patches and updates will often include new features, usability improvements and performance tweaks in addition to vulnerability and bug fixes. Therefore, applying updates will often provide much more than vulnerability fixes. However, prior to updates being applied it is worth paying particular attention to the system requirements as hardware updates may also be required.

3.2.2. Recommendation

ZOHO Corp. recommends that a software patching policy should be devised that includes the following key components:

  • Cisco technical bulletins and security notices should be regularly reviewed for new software revisions, patches and configuration changes;
  • new software updates should be tested shortly after release to ensure that their implementation will not cause extensive disruption when applied to devices in a production environment;
  • PIX security updates and patches should be deployed to production devices within a short period of time.

3.3. Services


3.3.1. Overview

Cisco PIX Security Appliance devices can be configured with a wide variety of services. Those services would typically provide a range of connectivity, administrative or monitoring facilities, and some are enabled by default.

Attackers will typically use services to enumerate information and fingerprint devices prior to performing an attack. The information gathered from the services may then be used to determine the software version, enabling an attacker to identify any potential vulnerabilities. Essentially, the greater the number of services running on a device, the greater the number of attack vectors, potential vulnerabilities exposed and information leaked.

In addition to the security risk of running services on a device, each running service consumes system resources and has an impact on the device's performance.

3.3.2. Recommendation

ZOHO Corp. recommends that all the running services should be reviewed and that those services which are not required should be disabled.

3.4. Interfaces


3.4.1. Overview

A malicious user, or an attacker who has physical access to a network patch point, may attempt to attach their own device to the network in order to attack the other network devices or to capture sensitive information. A more dedicated attacker would typically prefer to use their own network device that is already loaded with their hacking tools of choice. Furthermore, a malicious user may be prevented from installing hacking tools onto their network host by a security lock-down policy or malicious tool detection software.

A list of the active interfaces on follows.

Table 7: Physical network interfaces
Interface Name Address Standby ACL
ethernet0ethernet1inside / 192.168.118.42--

3.4.2. Recommendation

ZOHO Corp. recommends that the configuration of all the interfaces should be reviewed and, where possible, the following should be configured:

  • disable all unused network interfaces, preventing access from unused network patch points;
  • configure network filtering for all interfaces to help prevent unauthorized access to network hosts and services in all directions.

3.5. Filtering


3.5.1. Overview

Network filtering can be configured on Cisco PIX Security Appliance devices to restrict access to network services and hosts. Network filtering should be configured to prevent unauthorized access. Therefore, filtering should be configured to permit access from only those hosts that require access and all other access should be denied.

Filtering should be configured to restrict both inbound and outbound traffic. An attacker who is exploiting a vulnerability in a network service may attempt to:

  • upload their own tools or rootkit to the device;
  • exploit a vulnerability that requires the service to make an outbound connection;
  • create a connection from the vulnerable device to ease future access;
  • use the vulnerable device to attack other network devices;
  • use the vulnerable device to monitor network traffic.

3.5.2. Recommendation

ZOHO Corp. recommends that ACLs are configured to ensure that:

  • ACEs do not overlap or duplicate other ACEs;
  • ACEs do not contradict other ACEs;
  • no unused ACEs exist.

3.6. Authentication


3.6.1. Overview

An attacker may attempt to gain access to a device using the default authentication credentials, a dictionary-based password guessing attack or by brute-forcing the credentials. An attacker may have to resort to attacks against the authentication credentials if all other avenues of attack have been secured. Therefore it is essential that strong authentication credentials should be configured.

Furthermore, if a device is compromised or authentication traffic captured, an attacker could use the authentication credentials in an attempt to gain access to other network devices. Therefore it is important that, where practical, authentication credentials should not be shared between different network devices.

Deterrents can play an important part in the security of a system, therefore banner messages can play a key role in warning a potential attacker against unauthorized access to the device. Additionally, if a warning is given prior to access, it would be easier to legally prove intent on behalf of the attacker if required in a court of law.

3.6.2. Recommendation

ZOHO Corp. recommends that strong authentication passwords should be immediately configured for all authentication. A strong authentication password does not have to be hard to remember to be complex. For example, the first letter from each word of a song, an address or a quote can appear complex, but easy to remember. A password can be made more complex by inserting or replacing characters with numbers, punctuation marks and altering the character case. ZOHO Corp. recommends that passwords:

  • are at least eight characters in length;
  • must include uppercase characters;
  • must include lowercase characters;
  • must include numbers;
  • must include non-alphanumeric characters;
  • must not contain the username/service name;
  • must not contain the device's host name;
  • must not contain device details (e.g. make, model);
  • must not be dictionary-based with character substitution (e.g. an "i" swapped for a "1");
  • must not contain character sequences (e.g. "qwerty");
  • must not be dictionary-based with common characters appended (e.g. "1").
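The rules above can be applied mechanically when reviewing credentials. The following checker is an added example written for this report section, not the audit tool's own code; its word list, keyboard rows, substitution table and the sample credentials (username "enable", host name "pixfw", device words "cisco" and "pix") are constructed assumptions.

```python
import string

# Added example for section 3.6.2 (constructed, not the audit tool's code):
# the word list, keyboard rows and substitution table below are assumptions.
DICTIONARY = {"password", "cisco", "secret", "admin", "letmein", "welcome", "firewall"}
KEYBOARD_SEQUENCES = ("qwerty", "asdf", "zxcv")
# Substitutions undone before the dictionary comparison (an "i" swapped for a "1").
SUBSTITUTIONS = str.maketrans({"1": "i", "!": "i", "3": "e", "4": "a", "@": "a", "0": "o", "$": "s", "5": "s", "7": "t"})

def has_sequence(low):
    """True for keyboard rows such as "qwerty" or ascending runs such as "abc" or "123"."""
    if any(seq in low for seq in KEYBOARD_SEQUENCES):
        return True
    return any(ord(low[i + 1]) - ord(low[i]) == 1 and ord(low[i + 2]) - ord(low[i + 1]) == 1
               for i in range(len(low) - 2))

def check_password(password, username="", hostname="", device_words=()):
    """Return the names of the section 3.6.2 rules the password breaks ([] means compliant)."""
    low = password.lower()
    failures = []
    if len(password) < 8:
        failures.append("shorter than eight characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase")
    if not any(c.islower() for c in password):
        failures.append("no lowercase")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(not c.isalnum() for c in password):
        failures.append("no non-alphanumeric")
    if username and username.lower() in low:
        failures.append("contains username")
    if hostname and hostname.lower() in low:
        failures.append("contains host name")
    if any(word.lower() in low for word in device_words):
        failures.append("contains device details")
    if has_sequence(low):
        failures.append("character sequence")
    # Dictionary checks: plain word, word with digits/punctuation appended, word with substitutions.
    stripped = low.rstrip(string.digits + string.punctuation)
    if low in DICTIONARY:
        failures.append("dictionary word")
    elif stripped in DICTIONARY:
        failures.append("dictionary word with characters appended")
    elif stripped.translate(SUBSTITUTIONS) in DICTIONARY:
        failures.append("dictionary word with character substitution")
    return failures

if __name__ == "__main__":
    # Constructed credentials; the username, host name and device words are assumptions.
    for candidate in ("", "cisco123", "P@ssw0rd1", "Tfl0eW,ia-s!"):
        result = check_password(candidate, "enable", "pixfw", ("cisco", "pix"))
        print(repr(candidate), "->", result or "compliant")
```

An empty password, as found for both users in Table 15, fails the length and all four character-class rules at once.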

ZOHO Corp. recommends that a logon banner should be configured with a statement that strongly warns against unauthorized access. Additionally, the logon banner should not provide an attacker with information that they may be able to use either against the device or as part of a social engineering attack.

3.7. Logging


3.7.1. Overview

System message logs can provide a wealth of information for an administrator when troubleshooting a problem. The message logs can also record an attacker's activities, both where access was granted and where it was denied. The system logs would then be of particular interest during a forensic investigation following an incident. The system logs could also be used by log analysis software, which could alert an administrator about potential issues before they become more significant.

A Syslog server makes monitoring and managing message logs easier, especially where a number of different devices are sending messages to the same server. As an added benefit, storage of system message logs on a remote Syslog server provides an extra level of protection against an attacker attempting to cover their tracks by altering logs. An attacker who was trying to modify the logs would have to access both the device sending the log messages (for its internal logs) and the remote Syslog server.

It is easier to correlate the events logged by different systems together if the time is accurately synchronized between the various systems. Time synchronization can also be critically important for authentication and authorization services that may depend upon the system clock.

3.7.2. Recommendation

ZOHO Corp. recommends that events should be sent to specific logging hosts and logged locally. These recommendations will provide:

  • a centralized logging facility to ease network management and the monitoring of devices;
  • an external event log to help prevent an attacker who has compromised a device, from altering the event logs;
  • local logging of events to aid troubleshooting.

ZOHO Corp. recommends that the system time is synchronized against a network time source to ensure that the system messages are logged with accurate event times.

3.8. Encryption


3.8.1. Overview

Any network traffic traveling between hosts could potentially be monitored and captured by an attacker or malicious user. If network traffic is not encrypted, it would be trivially easy for the information contained in the traffic to be extracted. It is also possible that with weak encryption, or encryption protocols that contain vulnerabilities, an attacker may be able to extract the information contained in the network packets. However, defeating even weak encryption is a time-consuming process, and a far longer one than would be required if no encryption existed at all.

For remote device administration, it is especially important that it should be carried out over an encrypted connection. If an attacker was able to monitor the remote administrative connection, they could capture the authentication credentials and use them to gain access to the device.

3.8.2. Recommendation

ZOHO Corp. recommends that all clear-text protocol services should be replaced with cryptographically secure alternatives. Furthermore, where stronger encryption is available, it should be used in preference to the weaker encryption.

4. Device Configuration


4.1. Introduction


This section details the configuration settings of the Cisco PIX Security Appliance device.

4.2. General Device Settings


Table 8: General device settings
Description     Setting
PIX Version     6.3(4)
Flood Guard     Enabled

4.3. Network Services


Table 9 outlines the network services supported by Cisco PIX Security Appliance devices and their status on . The service settings are described in greater detail in the following sections.

Table 9: Network services
Service          Status
Telnet Service   Disabled
SSH Service      Disabled
HTTPS Service    Disabled
SNMP Service     Disabled

4.4. Administration Settings


This section describes the services that are supported by Cisco PIX Security Appliance devices for administration. Each subsection covers a particular service and its configuration settings.

4.4.1. General Administration Settings

This section describes some general Cisco PIX Security Appliance device settings.

Table 10: General administration settings
Description                   Setting
Console Port                  Enabled
Console Connection Timeout    No Timeout

4.4.2. Telnet Service Settings

The Telnet service enables remote administrative access to a Command Line Interface (CLI) on . The Telnet protocol implemented by the service is simple and provides no encryption of the network communications between the client and the server. This section details the Telnet service settings.

Table 11: Telnet service settings
Description           Setting
Telnet Service        Disabled
Service TCP Port      23
Connection Timeout    5 minutes

4.4.3. SSH Service Settings

The SSH service enables a remote administrator to access a CLI on . The Secure Shell (SSH) protocol provides complete encryption of the network packets between the connecting client and the server. There are two main versions of the SSH protocol.

Cisco PIX Security Appliance devices support SSH protocol version 1 from around PIX version 6. Support for SSH protocol version 2 was added with PIX version 7.0.

This section details the SSH service settings.

Table 12: SSH service settings
Description                 Setting
SSH Service                 Disabled
Service TCP Port            22
SSH Protocol Version(s)     1 and 2
Connection Timeout          5 minutes

4.4.4. HTTPS Service Settings

Cisco PIX Security Appliance devices can provide web-based administrative access. The HTTPS service provides full encryption of communications between the client and server. This section details the web service settings:

Table 13: HTTPS service settings
Description               Setting
HTTPS Service             Disabled
HTTPS Service TCP Port    443

Table 14 lists the configured HTTPS service encryption ciphers.

Table 14: HTTPS service encryption ciphers
Encryption  Authentication  Key Length  SSL v2  SSL v3  TLS v1
3DES        SHA1            168 bits    Yes     Yes     Yes
3DES        SHA1            56 bits     Yes     Yes     Yes
RC4         MD5             40 bits     Yes     Yes     Yes
RC4         MD5             56 bits     Yes     Yes     Yes
RC4         MD5             64 bits     Yes     Yes     Yes
RC4         MD5             128 bits    Yes     Yes     Yes
AES         SHA1            128 bits    Yes     Yes     Yes
AES         SHA1            192 bits    Yes     Yes     Yes
AES         SHA1            256 bits    Yes     Yes     Yes

It is worth noting that the ciphers were determined using the defaults that Cisco PIX Security Appliance devices are typically configured with. However, these can differ between different models.

4.5. Authentication Settings


This section describes the various Cisco PIX Security Appliance device authentication settings.

4.5.1. Users

This section details the users configured on .

Table 15: Configured users
User       Password  Encryption  Privilege Level
password   -         None        -
enable     -         None        15

4.6. SNMP Settings


SNMP is used to assist network administrators in monitoring and managing a wide variety of network devices. There are three main versions of SNMP in use. Versions 1 and 2 of SNMP are both secured with a community string and authenticate and transmit network packets without any form of encryption. SNMP version 3 provides several levels of authentication and encryption. The most basic level provides a similar protection to that of the earlier protocol versions. However, SNMP version 3 can be configured to provide encrypted authentication (auth) and secured further with support for encrypted data communications (priv).

Cisco PIX Security Appliance devices do not support version 3 of SNMP. This section describes the SNMP configuration settings.

Table 16: SNMP settings
Description              Setting
SNMP Service             Disabled
SNMP Service UDP Port    161

4.7. Logging Settings


Cisco PIX Security Appliance devices are capable of recording system events and messages. Those logs can then be recalled at a later time, assisting administrators in the diagnosis of system faults or in tracking possible unauthorized access attempts. This section details the device's logging configuration.

4.7.1. General Logging Settings

This section details the configuration settings that affect the logging facilities.

Table 17: General logging configuration
Description                Setting
Device Logging Services    Disabled

4.7.2. Internal Buffer Logging Settings

Cisco PIX Security Appliance devices can log messages to an internal buffer. By its nature, the buffer is limited in size and therefore newer messages will overwrite older ones once the buffer is full. This section details the internal buffer logging configuration settings.

Table 18: Internal buffer logging configuration
Description               Setting
Buffer Logging            Disabled
Logging Severity Level    Emergencies (0)
Buffer Size               4096

4.7.3. Syslog Logging Settings

Syslog messages can be sent by Cisco PIX Security Appliance devices to a Syslog server. Syslog servers provide the following advantages:

  • a central repository for logs from a range of network devices;
  • a potentially longer retention period for logs than a device may be capable of storing;
  • a troubleshooting resource for when a device may no longer be responsive;
  • an external log source, in case the security of a device has been compromised;
  • support for an industry standard logging system.

This section details the Syslog configuration settings.

Table 19: Syslog logging configuration
Description       Setting
Syslog Logging    Disabled
Severity Level    Emergencies (0)

4.7.4. Console Logging Settings

Cisco PIX Security Appliance devices are capable of sending system logging to the console. This section details those configuration settings.

Table 20: Console logging configuration
Description               Setting
Console Logging           Disabled
Logging Severity Level    Emergencies (0)

4.7.5. Terminal Line Logging Settings

Cisco PIX Security Appliance devices are capable of sending system logging to the terminals. This section details those configuration settings.

Table 21: Terminal line logging configuration
Description               Setting
Terminal Line Logging     Disabled
Logging Severity Level    Emergencies (0)

4.8. Time And Date Settings


Cisco PIX Security Appliance devices can be configured to obtain time updates from a network service. It is important that all network devices maintain a synchronized time to ensure that all logs and time-based controls are accurate. This section details the time and date configuration settings.

Table 22: General Time Settings
Description    Setting
Time Zone      UTC

4.8.1. NTP Client Configuration

Cisco PIX Security Appliance devices can be configured to synchronize their time from an NTP service. This section details the NTP client configuration settings.

Table 23: NTP client settings
Description           Setting
NTP Client            Disabled
NTP Authentication    Disabled

4.9. IDS/IPS Configuration


Cisco PIX Security Appliance devices support Intrusion Detection System (IDS)/Intrusion Protection System (IPS) functionality. This section details those configuration settings.

4.9.1. Interface ethernet1 Configuration

Table 24: Interface ethernet1 IDS/IPS configuration
Description                 Setting
Unicast RPF Verification    Disabled

4.10. Network Interface Settings


This section details the Cisco PIX Security Appliance device's network interface configuration settings.

4.10.1. Physical Network Interfaces

This section describes the configuration of the Cisco PIX Security Appliance device's physical network interfaces.

Table 25: Physical network interfaces
Interface Active Name Security Address Standby ACL
ethernet0Yesethernet10inside / 192.168.118.42--
