
Chapter 5: Auditing Switches, Routers, and Firewalls
MIS 450 Auditing and Security Controls
Ted Wallerstedt
Community Faculty

Networking Hardware
Switches: Layer 2 (Data Link). Connect devices within a local network; a switch sends a frame only to the port with the matching destination MAC address.
Routers: Layer 3 (Network). Route traffic between networks using IP addresses; use dynamic routing tables built by protocols such as OSPF (Open Shortest Path First).

Network Addresses
MAC address (media access control): assigned to each NIC (network interface card); unique to the hardware.
IP address (internet protocol): historically static and unique to a computer; now usually assigned dynamically within a LAN.

Network Models
ISO's OSI model: International Standards Organization, Open Systems Interconnection
TCP/IP model: Transmission Control Protocol / Internet Protocol

OSI Model
7 Application: end user
6 Presentation: formatting, encryption
5 Session: application to application
4 Transport: packet assembly/disassembly, error control (TCP)
3 Network: routing, IP addresses
2 Data Link: broadcast domain, switches, MAC addresses
1 Physical: wiring, modulation, flow control

Firewalls
Protect information in security zones.
Packet filtering: layer 3 routers working from a list of IP addresses.
Stateful packet inspection: layers 3 and 4; session state from layers 4 and 5 is protected from other traffic.
Application proxies: layer 7 (the proxy hides the source of the communication).
Application-level gateways: layer 7; dynamically refuse or allow access to the application.

General Network Equipment Audit
Applies to all hardware at all layers.
The configuration file contains all the information you need about the hardware.
Config files are not secure out of the box.
1. Review controls around developing and maintaining configurations
  Change management
  Test immediately for degraded performance

  How:
  Monitor security mailing lists (seclists.org)
  Routinely apply the latest patches
  Strictly follow existing configuration guidelines (http://www.juniper.net/techpubs/software/junos/junos94/swconfig-routing/bgp-configurationguidelines.html)
  Regularly scan for vulnerabilities and run penetration tests
  Regularly compare actual configurations with the guidelines
  Issue regular status reports on network security to upper management

2. Ensure controls for vulnerabilities are in place for current software
  Software updates, configuration changes
  Check the National Vulnerability Database: http://nvd.nist.gov

3. Unnecessary services are disabled
  Unnecessary services are susceptible to attack
  Make sure exceptions have a legitimate business need
  Figure 5-3: Cisco device services that should be disabled

4. Follow good SNMP management practices
  Simple Network Management Protocol gives full administrative access to network devices
  Check whether SNMP is supported
  Version 3 authenticates packets and encrypts passwords
  Version 2 uses clear text and is not authenticated
  Follow standard password policies
  Users should be restricted

5. Procedures for user accounts
  Only create accounts when necessary
  Remove or disable obsolete accounts
  Strong login procedures
  Never share accounts

6. Password controls
  Strong, encrypted passwords with required changes
  Passwords should be unique for privileged modes of operation
  Type 5 encryption: strong, MD5 hash
  Type 7: weak, reversible algorithm
  Plain-text passwords should never be the same as any encrypted password
  Don't share passwords across different devices

7. Use secure management protocols when possible
  SSH
  Encrypted (Kerberized) Telnet
  IPSec
  SNMPv3

8. Current backups exist for config files

9. Logging is enabled and sent to a centralized system
  Logs should be sent to a secure host to prevent tampering

10. Evaluate use of Network Time Protocol
  Synchronizes the timestamps on logged events
  Standardize clocks to a single time zone

11. Banner stating the company's policy for use and monitoring
  A posted "Keep Out" sign

12. Access controls are applied to the console port
  Password protected

13. All network equipment is stored in a secure location
  Even the cables can be tampered with

14. Use a standard naming convention for all devices

15. Standard documented processes exist for building network devices

Switches (Layer 2)
Avoid using VLAN 1: Cisco routers by default have all ports assigned to VLAN 1, so an intruder on any port can easily reach everything.
Trunk autonegotiation
Spanning-Tree Protocol attack mitigation is ON

VLANs
Virtual LANs break up broadcast domains and divide the network into multiple security levels.
Disable unused ports and put them in an unused VLAN.
VLAN Trunking Protocol (VTP) distributes VLAN configuration over trunks; an attacker who reaches it could change or destroy all VLANs.
Thresholds to limit broadcast or multicast traffic: storm control.

Router Controls (Layer 3)
Disable inactive interfaces on the router
Save core dumps?
Routing updates must be authenticated
Disable IP source routing and IP directed broadcasts
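As an added example (not part of the slides), a small Python check that reads a Cisco IOS-style running-config and reports findings against checklist items 4, 6 and 9 to 12 above plus the switch and router controls; the config text is constructed, and the command syntax it assumes is the common IOS form.

```python
"""Added example (not from the deck): audit a Cisco IOS-style running-config against
the checklist above. The config text is constructed for illustration only."""
import re

SAMPLE_CONFIG = """\
enable secret 5 $1$CONSTRUCTED$notarealhash
username admin password 7 0822455D0A16
snmp-server community public RO
ip source-route
interface GigabitEthernet0/1
 switchport access vlan 1
 ip directed-broadcast
interface GigabitEthernet0/2
 switchport access vlan 1
 shutdown
line con 0
 login
"""

# Items 9, 10, 11: settings that must appear somewhere in the config.
REQUIRED = {"logging host": "no central logging host (item 9)",
            "ntp server": "no NTP server (item 10)",
            "banner motd": "no use/monitoring banner (item 11)"}

def audit_config(config: str) -> list:
    """Return finding strings; an empty list means every check passed."""
    lines, findings = config.splitlines(), []
    for l in lines:
        if re.search(r"\b(password|secret) 7 ", l):   # item 6: type 7 is reversible
            findings.append(f"type 7 (reversible) password: {l.strip()}")
        if l.startswith("snmp-server community"):     # item 4: v1/v2c, clear text
            findings.append(f"SNMPv1/v2c community configured: {l.strip()}")
    findings += [msg for prefix, msg in REQUIRED.items()
                 if not any(l.startswith(prefix) for l in lines)]
    if "ip source-route" in lines:                    # router control
        findings.append("ip source-route enabled")
    # Stanzas: a non-indented header line followed by its indented children.
    for header, body in re.findall(r"^(\S[^\n]*)\n((?: [^\n]*\n)*)", config, re.M):
        kids = {k.strip() for k in body.splitlines()}
        if header.startswith("interface ") and "shutdown" not in kids:
            if "switchport access vlan 1" in kids:    # switch control: avoid VLAN 1
                findings.append(f"{header}: active access port on VLAN 1")
            if "ip directed-broadcast" in kids:       # router control
                findings.append(f"{header}: ip directed-broadcast enabled")
        if header.startswith("line con") and not any(k.startswith("password") for k in kids):
            findings.append(f"{header}: console port has no password (item 12)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE_CONFIG)))
```

A shut-down port left on VLAN 1 is not reported, matching the deck's advice to disable unused ports; the config must end with a newline for the stanza parser.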

Firewall Controls
All packets are denied by default
Filter inappropriate internal and external IP addresses
