
Tenable Blog

Nessus Cisco Compliance Checks

Tenable has authored a Nessus plugin (ID 46689) named “Cisco IOS Compliance Checks” that implements the APIs used to audit systems running Cisco IOS. The plugin is pre-compiled in the Nessus “.nbin” format. It gives ProfessionalFeed users a way to audit Cisco devices for compliance with corporate policy, using either Tenable-provided .audit files or their own audit policies. The functionality covers a wide range of audit capability, including ACL policy detection, service status, device access control and more.

New Keywords

Many of the .audit keywords are the same as for other devices such as Windows and Unix systems. The Cisco compliance checks add two new keywords specific to Cisco IOS-based devices:

  • feature_set - Similar to the “system” keyword in the Unix Compliance Checks, this keyword matches a regex against the Feature Set (e.g. AdvancedEnterprise, AdvancedIP, Advanced Security, K9, etc.) of the Cisco IOS image; the check runs if the regex matches and is skipped if it does not. This is useful when a check applies only to systems with a particular Feature Set (e.g. SSH in K8 and K9 bundles).
  • ios_version - Similar to the “system” keyword in the Unix Compliance Checks, this keyword matches a regex against the version of the Cisco IOS image; the check runs if the regex matches and is skipped if it does not. This is useful when a check applies only to systems with a particular IOS version.

Examples from Cisco Configuration Audit

A sample audit, provided on the Tenable Support Portal (under “Downloads” -> “Compliance and Audit Files” -> “Cisco Audit Policies”), is based on Cisco best practices available from the Center for Internet Security (CIS) and provides router and switch administrators the ability to test security policy compliance settings in their network infrastructure. Possible security policy compliance configuration tests include requiring encrypted passwords, banning the use of common SNMP community strings, forcing the use of Secure Shell (SSH) to access the IOS console and ensuring the device does not allow unauthorized services. Some of the checks provided in the sample .audit file are described below.

1. Verify that access lists are applied to line interfaces.

An ingress access list can be applied to a line interface by using the access-class definition. The ingress access list can be a standard access list that lists the source addresses allowed to access the line interfaces. It’s important to restrict access to devices to limit exposure to attacks, as Cisco does not do a very good job of preventing brute-force password attacks.

Note: This check will verify that there is an access list reference, but will not verify that the access list is present or configured properly.

#---------------------------------------------#
<item>
 type:CONFIG_CHECK
 description:"1.1.2.6 Require SSH Access Control"
 info:" Verify that management access to the device is restricted on all VTY lines."
 context:"line .*"
 item:"access-class [0-9]+ in"
</item>
#---------------------------------------------#

2. Verify that SNMP read-only and read/write communities have access control lists.

SNMP v1 (community-string-based SNMP) has very weak protections, as the community strings are stored, displayed and transmitted in cleartext. This raises the risk that unauthorized individuals may be able to read and write network configurations on the devices. By adding an access list, the administrator can define authorized sources for SNMP access and reduce the threat of unauthorized access.

#---------------------------------------------#
<item>
 type:CONFIG_CHECK
 description: "1.1.5.5 Forbid SNMP without ACL"
 info: "Verify all simple network management protocol (SNMP) access is restricted using an access control list (ACL.)"
 regex: "snmp-server community .*"
 item: "snmp-server community .* (ro|rw) [0-9]+"
 required:NO
</item>
#---------------------------------------------#

3. Verify that SNMP community strings are random.

Weak SNMP community strings are the bane of security and network administrators as they can be easily guessed. This check will make sure that passwords are sufficiently randomized to hinder password-guessing programs.

#---------------------------------------------#
<item>
 type:RANDOMNESS_CHECK
 description:"1.1.5.7 Require Authorized Read SNMP Community Strings and Access Control"
 info:"Verify an authorized community string and access control is configured to restrict read access to the device."
 regex:"snmp-server community ([^ ]*) .*"
 required:NO
</item>
#---------------------------------------------#

4. Disable unnecessary services.

While this check only verifies that the HTTP (admin) server is turned off, additional audit commands can be placed in the .audit file to make sure other services are disabled, such as tcp_small_services, udp_small_services, finger service and more.

#---------------------------------------------#
<item>
 type:CONFIG_CHECK
 description:"1.2.2.5 Forbid IP HTTP Server"
 info:"Disable HTTP server."
 item:"no ip http server"
</item>
#---------------------------------------------#
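To make the semantics of the three CONFIG_CHECK items above concrete, here is an added Python evaluator that applies them to a constructed running-config. This is illustration code written for this page, not Nessus or Tenable code: the handling of context, regex and required:NO is my reading of the items, not a documented Nessus algorithm, and the case-insensitive match on RO/RW is likewise an assumption.

```python
import re
# Constructed sample of a Cisco IOS running-config (not captured from a real device).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community s3cr3t-rw RW 10
no ip http server
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input ssh
"""

def stanzas(config, context_re):
    """Yield (header, indented body lines) for each top-level line matching context_re."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if re.fullmatch(context_re, line):
            body = []
            for sub in lines[i + 1:]:
                if not sub.startswith(" "):
                    break
                body.append(sub.strip())
            yield line, body

def config_check(config, item, context=None, regex=None, required=True):
    """Evaluate one CONFIG_CHECK (my reading of the .audit items); returns (passed, offenders).
    context: each matching stanza must contain a line matching `item`.  regex: each top-level
    line matching `regex` must also match `item` (required=False passes when nothing matches).
    Neither: `item` must appear anywhere. RO/RW case-insensitive, as IOS prints them upper-case."""
    f = re.IGNORECASE
    if context:
        bad = [h for h, body in stanzas(config, context) if not any(re.search(item, l, f) for l in body)]
        return not bad, bad
    if regex:
        cands = [l for l in config.splitlines() if re.fullmatch(regex, l, f)]
        bad = [l for l in cands if not re.search(item, l, f)]
        return (not bad) if cands else (not required), bad
    found = any(re.search(item, l, f) for l in config.splitlines())
    return found, [] if found else [item]

def run_sample_checks(config=SAMPLE_CONFIG):
    """Run the three CONFIG_CHECK items shown above, keyed by their CIS item number."""
    return {
        "1.1.2.6": config_check(config, "access-class [0-9]+ in", context="line .*"),
        "1.1.5.5": config_check(config, "snmp-server community .* (ro|rw) [0-9]+",
                                regex="snmp-server community .*", required=False),
        "1.2.2.5": config_check(config, "no ip http server"),
    }
```

On the sample config, the SSH access-control and SNMP ACL checks fail (one VTY range lacks an access-class and the "public" community has no ACL) while the HTTP server check passes, mirroring the kind of failure shown in the sample output further down.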

Nessus Updates for Cisco Checks

Three sections of Nessus received updates for the Cisco Compliance checks:

1. Under Policies -> Credentials -> SSH settings, a new privilege escalation method called “Cisco 'enable'” has been added. It is used to specify the "enable" or superuser password for the target device. Note that only SSH authentication is supported, therefore the Cisco devices must have the K8 or K9 feature sets installed.

[Screenshot: Credentials]

2. A new plugin called "Cisco IOS Compliance Checks" (Plugin ID 46689) is contained within the "Policy Compliance" plugin family.

[Screenshot: Plugins]

3. A new plugin preference "Cisco IOS Compliance Checks" has been added that allows users to upload a properly formatted Cisco audit file.

[Screenshot: Preferences]

Sample Output

The following screen capture shows an example of the output of a Cisco Compliance Audit scan:

[Screenshot: Results]

In this example, the audit failed because access control has not been restricted to a limited set of IPs on all VTY lines.

Conclusion

The addition of Cisco IOS configuration auditing enables organizations to use Nessus to audit their network from end to end for policy compliance, configuration and security issues. While tools such as Cisco RAT provide rudimentary auditing capability, Nessus provides a more flexible mechanism to audit Cisco devices and correlate the results with other devices. Nessus also provides enhanced reporting capabilities. Nessus audits the security and policy compliance configurations of Windows, Unix, database and now Cisco router and switch platforms, providing a comprehensive enterprise auditing tool.
