Safe Posting of Configurations
How can I post device configurations safely in a public forum?
Posted: 26 Feb 03 (Edited 23 Oct 03)
I'll be discussing how to protect your network security when posting device configurations in a public place. It's something that we all do from time to time and a great tool to get help from others.
However, raw device configurations from routers and firewalls are gold to any would-be malicious hacker. This information is routinely described as "the keys to the kingdom" in security circles. With the real information an attacker can narrow their hunt from millions and millions of devices down to fewer than a hundred devices, or even a single device, worldwide.
There are several aspects you must protect. With proper care and five or ten minutes you can protect yourself completely.
Your first step is to copy and paste your entire config into notepad or WordPad - anywhere you can do a search and replace.
1) Your Public Address Space
The most important things to protect are your public IP addresses.
* EDIT 02/27/03 EDIT *
It has been brought to my attention that public IP addresses are available to anyone. This, in itself, is true but does not account for the following.
Why should you broadcast to the whole world:
"My domain name is xyz.com, my web server is on this address, my FTP server is on another, my mail server is right here (and BTW it's an Exchange Server with OWA and also runs SMTP and IMAP), I allow PC Anywhere to this other address, I have a PIX-to-PIX VPN running and it connects using these protocols, I have three MSSQL servers at these addresses that also have SMTP forwarding"?
The list goes on. Fact of the matter is, without real IP addresses, this information gives no advantage whatsoever to a would-be attacker.
That design and configuration is your secret. That's what makes your network unique. In fact, the clever use and distribution of address space, devices and services is part of a secure design.
You may think you have got them over a barrel with a statement like:
"access-list 101 deny icmp any any"
That stops people from getting responses to pings directed at your addresses. It makes the malicious hacker's job a little more tricky since they need to use different, more time consuming methods to identify your network devices.
Malicious hackers spend hours, days, or months just scanning a range of addresses to find out what services are running on what addresses. By posting your raw configuration in a public forum you eliminate the need for them to scan a single address. They can go directly into the Operating System and Service Identification process. Then they try known exploits and that's it - end of story. Why make it easy for them?
This doesn't even address little things like SSH or VPN configs. With known exploits against these they can simply attack your PIX directly and bypass ALL SECURITY MEASURES you may have in place. The fact you have SSH configured is not a security risk - unless you tell them what IP address it's on. Same goes for things like AAA, RADIUS and TACACS servers.
* END EDIT 02/27/2003 EDIT END *
A Public Address is any IP address that is NOT 10.XXX.XXX.XXX, 192.168.XXX.XXX, or 172.16.XXX.XXX through 172.31.XXX.XXX.
Anyone worth their oats will be able to help you without real addresses. It's perfectly acceptable to change your addresses to something fictitious but, for my time, I'd just as soon replace it with text. Generally people replace the first three octets with text.
For example, if my public address was 209.205.124.11, I would search for 209.205.124 and replace it with MY.PUBLIC.NET. It's very simple and quick to perform this on your entire configuration.
1a) Remote or Client Public Address Space
If your device accesses other public address space, as in VPN or static routes, change those addresses as well. Most likely you can just delete the lines entirely. If you are discussing this as a problem, protect it. Don't forget, this address may be your client's machine and you are obliged to maintain that confidentiality.
2) Password Protection
Next you need to protect your passwords. In some devices your password is displayed in clear text or as a long series of seemingly random characters. Believe it or not, that string is easily reverse engineered into your clear text password.
There are not very many of these in any config. Nine times out of ten you can simply delete the lines from your config before posting them publicly. There is no one in a public forum that needs this info. Otherwise it's a short task to manually replace the entire strings with a series of asterisks.
This same rule applies to any AAA username/passwords that are set in the config. I find it easiest simply to delete the lines entirely.
3) Private Address Space
It's a judgment call whether or not you rename all your private addresses. My config always has so many different networks in it, it's nearly impossible to rename them all and still make sense of it. I usually just rename the address space in use in my building. Other private networks I leave as is.
So, for example, my inside network is 10.20.30.0 and my DMZ network is 10.20.50.0. I search and replace 10.20.30 with MY.PRIV.NET and 10.20.50 with MY.DMZ.NET.
I figure it only adds another 20 seconds or so to my task so why not?
4) Host Names, Device Names, Domain Names etc.
Next, search and replace the hostname with something nondescript. The less information you give a would-be attacker the better.
Check for text information that would potentially compromise you or your client. Information such as domain names i.e. 'domain tek-tips.com' should be masked as well as any other named devices listed. Especially protect named devices that may reflect your company name or web domain. For example - if my config referred to a device name that very closely resembled my company's name, change it. Just change the statement to read something like domain mydomain.com.
5) Time Zone and Geographic Location Information
Then there is time zone info. Once again, on a global forum, you can tell a malicious person that you are in the Central Time Zone. That's quite a nice assist for the attacker:
Without the time zone lines: could be any device anywhere in the world.
With the time zone lines: it's definitely a device located in the GMT-6 hour zone.
Just delete the lines entirely unless you are dealing specifically with time related issues. Even then, it's easy enough to get what you need without giving real information.
6) Trim and Remove Non Essential Information
If you're experienced enough to know exactly which part of your configuration you are having trouble with, just post up that portion. Too much information can often confuse the issue. If I am having trouble with a simple route statement, there's no reason to post up dozens of lines of access-lists or static NAT statements.
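Steps 1 through 5 above are all search-and-replace work, so they can be scripted rather than done by hand in Notepad. The script below is an added example written for this FAQ, not code from the original post or from Cisco: it applies those steps to a constructed PIX-style config (the hostnames, addresses, password hashes and AAA key in SAMPLE_CONFIG are all made up). It masks every public address by its first three octets (the first public prefix seen, or the one you pass in, becomes MY.PUBLIC.NET and any other public prefix such as a VPN peer becomes REMOTE.NETn, per step 1a), deletes password, username and clock lines outright, relabels only the private networks you name (step 3), blanks the hostname and domain name (step 4) and masks the key on aaa-server lines. Netmasks such as 255.255.255.0 are left alone because they carry no address information. The labels MY.PRIV.NET and MY.DMZ.NET follow the FAQ; REMOTE.NETn and mydevice are my own choices.

```python
import ipaddress
import re
from typing import Dict, Optional

# The three RFC 1918 blocks the FAQ lists as private address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "aaa-server NAME (iface) host ADDRESS KEY ..." - group 2 is the shared secret.
AAA_KEY_RE = re.compile(r"^(aaa-server\s+\S+\s+\(\S+\)\s+host\s+\S+\s+)(\S+)")
# Lines the FAQ says to delete entirely: passwords, AAA usernames, time zone info.
DROP_PREFIXES = ("enable password", "passwd ", "username ", "clock timezone", "clock summer-time")

# Constructed sample configuration (not a real device; hashes, key and names are invented).
SAMPLE_CONFIG = """\
hostname acme-pix
domain-name acme-widgets.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
username jsmith password F1x3d9sLc3K4vPqR encrypted privilege 15
clock timezone CST -6
clock summer-time CDT recurring
ip address outside 209.205.124.2 255.255.255.0
ip address inside 10.20.30.1 255.255.255.0
ip address dmz 10.20.50.1 255.255.255.0
static (dmz,outside) 209.205.124.10 10.20.50.10 netmask 255.255.255.255
access-list 101 permit tcp any host 209.205.124.10 eq www
route outside 0.0.0.0 0.0.0.0 209.205.124.1 1
crypto map vpnmap 10 set peer 198.51.100.7
aaa-server RADIUS (inside) host 10.20.30.50 s3cretkey timeout 5
"""


def is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


def is_netmask(ip: ipaddress.IPv4Address) -> bool:
    """True for contiguous masks (255.255.255.0, 255.255.255.255, 0.0.0.0): no address info to hide."""
    inverted = int(ip) ^ 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def sanitize_config(text: str, private_labels: Dict[str, str],
                    my_public_prefix: Optional[str] = None) -> str:
    """Return the config with the FAQ's steps 1-5 applied.

    private_labels maps a three-octet private prefix (e.g. "10.20.30") to the label that
    replaces it (e.g. "MY.PRIV.NET"); private prefixes not listed are left as they are.
    my_public_prefix names your own public /24; if None, the first public prefix seen is assumed to be yours.
    """
    public_labels: Dict[str, str] = {my_public_prefix: "MY.PUBLIC.NET"} if my_public_prefix else {}

    def relabel(match: "re.Match") -> str:
        raw = match.group(1)
        try:
            ip = ipaddress.IPv4Address(raw)
        except ValueError:          # e.g. an octet above 255: not an address, leave it
            return raw
        if is_netmask(ip):
            return raw
        prefix, last = raw.rsplit(".", 1)
        if is_rfc1918(ip):
            label = private_labels.get(prefix)
            return f"{label}.{last}" if label else raw
        if prefix not in public_labels:   # first public prefix is ours, later ones are remote peers
            public_labels[prefix] = "MY.PUBLIC.NET" if not public_labels else f"REMOTE.NET{len(public_labels)}"
        return f"{public_labels[prefix]}.{last}"

    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(DROP_PREFIXES):
            continue                                   # step 2 and step 5: delete the line
        if stripped.startswith("hostname "):
            out.append("hostname mydevice")            # step 4
            continue
        if stripped.startswith("domain-name "):
            out.append("domain-name mydomain.com")     # step 4
            continue
        line = AAA_KEY_RE.sub(lambda m: m.group(1) + "********", line)   # mask AAA shared secret
        out.append(IPV4_RE.sub(relabel, line))         # steps 1, 1a and 3
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(sanitize_config(SAMPLE_CONFIG, {"10.20.30": "MY.PRIV.NET", "10.20.50": "MY.DMZ.NET"}))
```

Run it on a config saved to a file and read the output before posting: the script only knows about the patterns above, so a domain name buried in a banner or a company name in an object-group still needs the manual check described in step 4.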
In conclusion, it's well worth your time to protect yourself. Ask yourself:
Would I rather spend ten minutes editing my config or would I prefer spending weeks and weeks repairing my hacked network?
I haven't even gone into the dark areas of liabilities your company, and you personally, could incur if clients' data were compromised due to a careless post on the Internet.
These guidelines are valid any time you are posting any information about your network in a public place.
Feel free to share this with anyone, but I would appreciate the credit for writing it.