Let's say we have a router connected to an insecure network (the Internet 😉) and we'd like to be able to use ICMP and traceroute for troubleshooting, but we don't want to create static ACLs. I personally think it feels a bit unsafe to permit everything the router needs for ping and traceroute and leave it open all the time. Another option is to manually create the holes every time we need them, or even remove the ACLs from the interface during that time, but I don't really like either of those options. Additionally, we don't want the devices behind that router to be able to use ping and traceroute towards the Internet.
Based on those points, CBAC could be a viable solution: the router dynamically opens the ports only when they are needed and closes them again afterwards.
The sample network is simple:
R1 acts as a client in our internal network and R2 is the perimeter router, which is going to filter all traffic towards the Internet except locally generated ICMP and traceroute packets. To keep it simple, R2 will not permit anything other than traceroute and ICMP, but it shouldn't be a problem to change the configuration to allow other applications (HTTP or other stuff). Just keep in mind that for every session the router has to allocate 600 bytes, and the more ACL entries the router has to work through, the more CPU is needed, so keep it as simple as possible 🙂
Lock-and-Key security, also known as dynamic access lists, is a feature which dynamically allows IP traffic that would normally be blocked. Lock-and-Key is configured with a dynamic extended ACL. It lets users create temporary openings in existing ACLs to get access to a resource they normally wouldn't be able to reach. Lock-and-Key reconfigures the ACL when it is triggered by a successful Telnet login onto the blocking router, allowing the user to access those resources.
When should we use Lock-and-Key?
The following list describes two possible scenarios where Lock-and-Key could be used:
- If a specified remote user (or a group of users) needs access to a host or subnet which is normally not reachable.
- If one or more hosts on a local network need access to resources in a remote network which are blocked by a firewall.
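The following configuration is an added example of the Lock-and-Key setup described above; it is not taken from the original post. It shows the second scenario from the list: a remote user on the Internet side of R2 unlocks access to the internal subnet behind it. The interface name, the addresses 203.0.113.2 and 192.168.1.0/24, the username, the ACL number and both timeouts are assumptions.

```cisco
! Added example, not from the original post. Interface, addresses,
! username, ACL number and timeouts are assumptions.
!
! Local user who is allowed to "unlock" the ACL. The autocommand runs
! access-enable right after a successful login and then closes the
! session again; "host" restricts the opening to the source address the
! user logged in from, "timeout 10" is the idle timeout in minutes.
username remoteadmin secret PLACEHOLDER-PASSWORD
username remoteadmin autocommand access-enable host timeout 10
!
! Extended ACL applied inbound on the external interface:
!  1. permit Telnet to the router itself so the user can authenticate
!  2. the dynamic entry is inactive until access-enable creates it;
!     "timeout 60" is the absolute lifetime of the opening in minutes,
!     independent of the idle timeout set by access-enable
!  3. everything else hits the implicit deny at the end of the ACL
access-list 101 permit tcp any host 203.0.113.2 eq telnet
access-list 101 dynamic UNLOCK timeout 60 permit ip any 192.168.1.0 0.0.0.255
!
interface FastEthernet0/1
 description External interface (Internet)
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
!
line vty 0 4
 login local
 transport input telnet
```

After the user has logged in once, `show ip access-lists 101` lists the temporary entry that access-enable inserted in front of the dynamic template, and it disappears when either timeout expires. Because the trigger is a login that crosses the untrusted network, it is worth restricting who may reach the VTY lines at all (for example with an `access-class` on the lines) rather than relying on the ACL's Telnet permit alone.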
Maybe you have already read about the Cisco IOS rootkit which was developed by Sebastian Muniz of CORE Security. EUSecWest did an interview with him about his proof-of-concept rootkit.
Cisco also responded with a Security Response about the IOS rootkit, which mainly says that no new vulnerability has been found and recommends following best practices to harden network devices. A Cisco guide on how to harden their network devices can be found here. To be able to install the rootkit the attacker needs privileged access to the device, so hardening the devices should be sufficient to prevent the installation of an IOS rootkit.
Nicolas Fischbach from Colt Telecom wrote a review on the Cisco mailing list [c-nsp], which can be found here. The whole issue can be summarized with a part of his post:
“So what’s the impact today? Topo’s proof of concept doesn’t bypass ACLs (rACLs, VTY ACLs), AAA, etc [yet], requires enable rights, a new image and a reload (or enable only if you do gdb-on-the-fly patching). In summary it’s “noisy” and unless you bought the router on an auction site and/or download IOS from “alternative” sources you should notice (or probably deserve to get owned 🙂”
How CBAC works
Context Based Access-Lists (CBAC) create temporary openings in the ACLs on a firewall interface. Those openings are created when defined traffic from the internal network passes through the router. The openings allow the return traffic to enter the network, which would normally be blocked by the existing ACLs on the router. Packets are only accepted when they belong to the same session that created the temporary opening. The ACLs and the ip inspect command have to be configured depending on which interface CBAC is applied to. Basically there are two types of interfaces, external and internal. External interfaces are the ones that point to the unsecured external network (such as the Internet), while internal interfaces connect to the protected internal network.
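As an added example (not the original post's configuration), here is how R2 from the sample network at the top of the page could be set up so that only ICMP and traceroute originated by R2 itself get their return traffic through, while everything from R1 is dropped. The interface names, the addresses and the inspection and ACL names are assumptions; the `router-traffic` keyword on `ip inspect name` is what limits inspection to sessions the router generates rather than forwards, and it needs an IOS release that supports it (it was introduced in the 12.3(14)T train).

```cisco
! Added example for R2, not from the original post. Interface names,
! addresses and the inspection/ACL names are assumptions.
!
! Inspection rule: track only sessions that R2 itself originates.
! icmp covers ping; udp covers the UDP probes an IOS traceroute sends.
ip inspect name LOCAL-ONLY icmp router-traffic
ip inspect name LOCAL-ONLY udp router-traffic
!
! Inbound ACL on the external interface: block everything by default.
! CBAC inserts temporary entries ahead of this ACL for return packets
! that belong to an inspected session, and removes them when the
! session ends or idles out.
ip access-list extended FROM-INTERNET
 deny ip any any log
!
! Inbound ACL on the internal interface: R1 (and anything else behind
! R2) gets nothing, matching the "filter every traffic" requirement.
! Locally generated traffic is not subject to this ACL.
ip access-list extended FROM-LAN
 deny ip any any log
!
interface FastEthernet0/1
 description External interface (Internet)
 ip address 203.0.113.2 255.255.255.252
 ip access-group FROM-INTERNET in
 ip inspect LOCAL-ONLY out
!
interface FastEthernet0/0
 description Internal interface (towards R1)
 ip address 192.168.1.1 255.255.255.0
 ip access-group FROM-LAN in
```

To check that it behaves as intended, run a ping and a traceroute from R2 and watch `show ip inspect sessions` while they are in flight: one session per probe should appear and vanish again after the idle timeout, and the `deny ... log` entries should only count hits from R1 or from unsolicited Internet traffic. For traceroute in particular, the ICMP time-exceeded replies come from intermediate hops rather than from the probe's destination, so verify on your IOS release that those replies are accepted as part of the inspected UDP session before relying on this for troubleshooting.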