Nessus Cisco Compliance Checks

Tenable has authored a Nessus plugin (ID 46689) named “Cisco IOS Compliance Checks” that implements the APIs used to audit systems running Cisco IOS. This plugin is pre-compiled with the Nessus “.nbin” format. This provides ProfessionalFeed users a method of using Tenable provided .audit files, or their own audit policies, to audit Cisco devices to ensure compliance with corporate policy. This functionality provides a wide range of audit capability including ACL policy detection, service status, device access control and more.

New Keywords

Many of the .audit keywords are the same as for other devices such as Windows and Unix systems. The Cisco compliance checks add two new keywords specific to Cisco IOS based devices:

  • feature_set - Similar to the “system” keyword in the Unix Compliance Checks, this keyword checks the Feature Set (e.g. AdvancedEnterprise, AdvancedIP, Advanced Security, K9, etc) version of the Cisco IOS and either runs the resulting check or skips the check because of a failed regex. This is useful for cases where a check is only applicable to systems with a particular Feature Set (e.g. SSH in K8 and K9 bundles).
  • ios_version - Similar to the “system” keyword in the Unix Compliance Checks, this keyword checks the version of the Cisco IOS and either runs the resulting check or skips the check because of a failed regex. This is useful for cases where a check is only applicable to systems with a particular IOS version.

Examples from Cisco Configuration Audit

A sample audit, provided on the Tenable Support Portal (under “Downloads” -> “Compliance and Audit Files” -> “Cisco Audit Policies”), is based on Cisco best practices available from the Center for Internet Security (CIS) and provides router and switch administrators the ability to test security policy compliance settings in their network infrastructure. Possible security policy compliance configuration tests include requiring encrypted passwords, banning the use of common SNMP community strings, forcing the use of Secure Shell (SSH) to access the IOS console and ensuring the device does not allow unauthorized services. Some of the checks provided in the sample .audit file are described below.

1. Verify that access lists are applied to line interfaces.

An ingress access list can be applied to a line interface by using the access-class definition. The ingress access list can be a standard access list that provides the source addresses allowed to access the line interfaces. It’s important to restrict access to devices to limit exposure to attacks as Cisco does not do a very good job of preventing brute force password attacks.

Note: This check will verify that there is an access list reference, but will not verify that the access list is present or configured properly.

#---------------------------------------------#
<item>
 type:CONFIG_CHECK
 description:"1.1.2.6 Require SSH Access Control"
 info:" Verify that management access to the device is restricted on all VTY lines."
 context:"line .*"
 item:"access-class [0-9]+ in"
</item>
#---------------------------------------------#

2. Verify that SNMP read-only and read/write communities have access control lists.

SNMP v1 (community string based SNMP) has very weak protections as the community passwords are stored, displayed and transmitted in cleartext. This raises the risk that unauthorized individuals may be able to read and write network configurations on the devices. By adding an access list, the administrator can define authorized sources for SNMP access and reduce the threat of unauthorized access.

#---------------------------------------------#
<item>
 type:CONFIG_CHECK
 description: "1.1.5.5 Forbid SNMP without ACL"
 info: "Verify all simple network management protocol (SNMP) access is restricted using an access control list (ACL.)"
 regex: "snmp-server community .*"
 item: "snmp-server community .* (ro|rw) [0-9]+"
 required:NO
</item>
#---------------------------------------------#

3. Verify that SNMP community strings are random

Weak SNMP community strings are the bane of security and network administrators as they can be easily guessed. This check will make sure that passwords are sufficiently randomized to hinder password-guessing programs.

#---------------------------------------------#
<item>
 type:RANDOMNESS_CHECK
 description:"1.1.5.7 Require Authorized Read SNMP Community Strings and Access Control"
 info:"Verify an authorized community string and access control is configured to restrict read access to the device."
 regex:"snmp-server community ([^ ]*) .*"
 required:NO
</item>
#---------------------------------------------#

4. Disable unnecessary services

While this check only verifies that the HTTP (admin) server is turned off, additional audit commands can be placed in the .audit file to make sure other services are disabled, such as tcp_small_services, udp_small_services, finger service and more.

#---------------------------------------------#
<item>
 type:CONFIG_CHECK
 description:"1.2.2.5 Forbid IP HTTP Server"
 info:"Disable HTTP server."
 item:"no ip http server"
</item>
#---------------------------------------------#

Nessus Updates for Cisco Checks

There are three sections of Nessus that received updates with Cisco Compliance checks:

1. Under Policies -> Credentials -> SSH settings, a new method for escalation privileges has been added called "Cisco 'enable’.” This is used to specify the "enable" or superuser password for the target device. Note that only SSH authentication is supported, therefore the Cisco devices must have the K8 or K9 feature sets installed.

Credentials

2. A new plugin called "Cisco IOS Compliance Checks" (Plugin ID 46689) is contained within the "Policy Compliance" plugin family.

Plugins

3. A new plugin preference "Cisco IOS Compliance Checks" has been added that allows users to upload a properly formatted Cisco audit file.

Preferences

Sample Output

The following screen capture shows an example of the output of a Cisco Compliance Audit scan:

Results

In this example, the audit failed because access control has not been restricted to a limited set of IPs on all VTY lines.

Conclusion

The addition of Cisco IOS configuration auditing enables organizations to use Nessus to audit their network from end to end for policy compliance, configuration and security issues. While tools such as Cisco RAT provide rudimentary auditing capability, Nessus provides a more flexible mechanism to audit Cisco devices and correlate the results with other devices. Nessus also provides enhanced reporting capabilities. Nessus audits the security and policy compliance configurations of Windows, Unix, database and now Cisco router and switch platforms, providing a comprehensive enterprise auditing tool.