Some Quick Cisco IOS questions

nitrobass24

I have been asked by the internal audit dept to review our firewall ACLs before our SOC 2/3 testing begins this year.

I have pulled the configs for a couple of devices and I have a few questions.

1. If using a TACACS+ terminal server, do you still need to have SSH, Telnet, HTTPS enabled on the actual device?
2. All of our PIX devices are using SSHv1... do these support v2?
 
1. Yes, and TACACS isn't a terminal server.

2. Probably yes, but severe lack of details on hardware and OS versions.
 
1) Yes, best practice is to disable telnet and any web interface on your device, but that aside:
the terminal server is probably a jump box which provides a single IP allowed to manage the device; this should be easy to see from the ACLs.

2) Yes, but as mentioned before, hardware and software version dependent.
 
1. Yes, and TACACS isn't a terminal server.

2. Probably yes, but severe lack of details on hardware and OS versions.

1. OK hmm, so then how does TACACS+ work then? From the ACLs it looks like they use the same IP for all devices? I read Wikipedia... but I am a newb to this... I just happen to be the most IT savvy person who doesn't work for the IT Dept. Lucky me :)

2. The IOS software is out of date. I was only asking because the network engineer said that it's not supported, period. They will be updating to the latest versions, so I was just checking. I don't know all of the actual device models.
 
TACACS is essentially an authentication/authorization server. It does more, but it's mainly used to store a DB of credentials for network devices to authenticate against. It can tie into LDAP/AD and other third party stuff as well.
 
I have been asked by the internal audit dept to review our firewall ACLs before our SOC 2/3 testing begins this year.

I have pulled the configs for a couple of devices and I have a few questions.

1. If using a TACACS+ terminal server, do you still need to have SSH, Telnet, HTTPS enabled on the actual device?
2. All of our PIX devices are using SSHv1... do these support v2?
Psst, you shouldn't have Telnet enabled.
 
Also, do you recommend any audit tools for parsing IOS/PIX/ASA configs?

I came across a tool called nipper but it seems to cost a lot of money now.
 
Hire someone capable of handling the audit of the firewall configuration & updating of the device.
 
Hire someone capable of handling the audit of the firewall configuration & updating of the device.

If you read the OP you would know we already did.....this is a readiness assessment. ;)
 
Gotta love Cisco. They release vulnerability patches twice a year. Hope you don't find one now, as there's only a patch available again in September.
 
1. Yes, only if you want to keep remote manageability of the devices. TACACS+ is an AAA (Authentication, Authorization, and Accounting) protocol and provides for very granular policy-based authentication. My recommendation would be to disable Telnet and HTTP access to the devices. Keep primary access using SSH (and HTTPS if you desire web based configuration), but set ACLs for access to the management plane via these protocols. Cisco's ACS is wonderful once you get it configured and running. It will definitely satisfy your audit department as it will keep accurate accounting information (such as which user logged in, which device they were authenticated to, and what commands they sent to the TACACS+ server for authorization). The RADIUS protocol would also work in this case, as it has almost the same capabilities. The main difference between the two is that TACACS+ will encrypt and encapsulate the entire packet sent to the AAA server, whereas RADIUS will encrypt only the payload. If latency issues are of concern then TACACS+ would be a wonderful choice. If you are going to use Cisco's ACS server then you can set the ACS service to authenticate users with the internal Windows database. If not, then it will keep a separate database of users to authenticate to. Just make sure you set your devices to authenticate to a local database if the TACACS+ server fails, otherwise you will be locked out and have to password recover the device!

2. SSH v2 support is dependent on the hardware and software version of the PIX firewall.


Also in reference to your question about audit tools for PIX configurations: The SANS institute has a nice document on hardening PIX/ASA devices.

Hope that helps!
 
One more question.

I keep seeing ACLs that are not tied to an Interface/access-group on the router/ASA. Does this effectively make them dormant/disabled?

Thanks for all the help. I have learned so much.
 
If they're not applied to anything (this doesn't just mean interfaces, they could be used for other things too), then yes, they're not in use.
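The checks discussed in this thread (Telnet and cleartext HTTP off, SSHv2 on, a TACACS+ method list with a local fallback so a dead AAA server does not lock you out, and ACLs that are defined but never applied being dormant) can be run mechanically against a saved config, which is what a readiness review like the OP's needs. The script below is an added example and not from the thread, from Cisco, or from any audit tool: the two configs are constructed samples (the "weak" one seeded with those issues and a "hardened" copy with the fixes applied), and `audit_config` and its regexes are my own. The IOS keywords it matches are standard IOS syntax, but the list of places an ACL can be applied is deliberately partial, as the reply above notes that ACLs are consumed by more than interfaces.

```python
import re

# Constructed sample IOS config (not from the thread) seeded with the weaknesses
# discussed above: no local AAA fallback, HTTP and Telnet management enabled,
# SSH pinned to v1, and an ACL (60) that is defined but never applied.
WEAK_CONFIG = """\
hostname edge-rtr1
aaa new-model
aaa authentication login default group tacacs+
ip http server
ip ssh version 1
ip access-list standard MGMT-HOSTS
 permit 10.0.0.5
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 deny ip any any
access-list 50 permit 10.0.0.0 0.0.0.255
access-list 60 permit 192.168.1.0 0.0.0.255
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
snmp-server community s3cr3t RO 50
line vty 0 4
 access-class MGMT-HOSTS in
 transport input telnet ssh
end
"""

# The same constructed device with the corrections applied.
HARDENED_CONFIG = """\
hostname edge-rtr1
aaa new-model
aaa authentication login default group tacacs+ local
no ip http server
ip http secure-server
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 10.0.0.5
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 deny ip any any
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
end
"""

# Where an ACL is defined (numbered "access-list N ..." or named "ip access-list ...") ...
ACL_DEFINED = re.compile(r"^(?:ip )?access-list (?:(?:standard|extended) )?(\S+)")
# ... and where one is applied: IOS interface, PIX/ASA interface, vty line, SNMP.
# Other consumers exist (route-maps, NAT, crypto maps); extend as your configs need.
ACL_APPLIED = re.compile(
    r"^\s*(?:ip access-group|access-group|access-class|snmp-server community \S+ R[OW]) (\S+)"
)
AAA_LOGIN = re.compile(r"^aaa authentication login (\S+) (.+)$")
TRANSPORT = re.compile(r"^\s*transport input (.+)$")


def audit_config(text):
    """Return defined/applied/unused ACL names plus a list of readable findings."""
    defined, applied, findings = set(), set(), []
    ssh_v2 = False
    for line in text.splitlines():
        if m := ACL_DEFINED.match(line):
            defined.add(m.group(1))
            continue
        if m := ACL_APPLIED.match(line):
            applied.add(m.group(1))
        if m := AAA_LOGIN.match(line):
            methods = m.group(2).split()
            if ("tacacs+" in methods or "radius" in methods) and "local" not in methods:
                findings.append(f"AAA list '{m.group(1)}' has no 'local' fallback: "
                                "lockout if the AAA server is unreachable")
        if m := TRANSPORT.match(line):
            if "telnet" in m.group(1).split() or "all" in m.group(1).split():
                findings.append(f"line accepts Telnet ('transport input {m.group(1)}')")
        if line.strip() == "ip http server":
            findings.append("cleartext HTTP management enabled ('ip http server')")
        if line.strip() == "ip ssh version 2":
            ssh_v2 = True
    if not ssh_v2:
        findings.append("'ip ssh version 2' not set: SSHv1 may still be negotiated")
    unused = sorted(defined - applied)
    findings += [f"ACL '{n}' is defined but never applied (dormant)" for n in unused]
    return {"defined": sorted(defined), "applied": sorted(applied),
            "unused": unused, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit_config(cfg)
        print(f"== {label}: {len(report['findings'])} finding(s)")
        for finding in report["findings"]:
            print("  -", finding)
```

Point it at a `show running-config` capture instead of the embedded samples to review a real device; ACL 50 in the weak sample is kept on purpose to show that an ACL referenced only by an SNMP community is still in use, which a check that looks only at interfaces would wrongly report as dormant.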
 
So remember those Pix Firewalls and Routers that were using SSH v1.

The reason we were running IOS 6.3(5).105 is because someone told the IT Guys that V7 and V8 were transition code to ASA and were not stable for production.

Any truth to that?
 
No.

The 7.x builds were quite good on the PIXs. I don't think I ever used 8.x on a PIX because there was a performance hit associated with it and you needed extra memory depending on how many connections they had running through them. No point upgrading them since we were transitioning to ASAs by then (many years ago now).

I think I had 30-40 PIXs running 7.x in production at one site. 6.3(5) was awful (gotta love those conduit commands and NAT control even when you didn't want it) and is tremendously old now. If I was forced to use a PIX I'd run whatever the last version of the 7.x series was.
 