Navigation
Install the app
How to install the app on iOS
Follow along with the video below to see how to install our site as a web app on your home screen.
Note: This feature may not be available in some browsers.
More options
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
How can I post device configurations safely in a public forum?
Safe Posting of Configurations
How can I post device configurations safely in a public forum?
by
haknwak
Posted
(Edited
)
I'll be discussing how to protect your network security when posting device configurations in a public place. It's something that we all do from time to time and a great tool to get help from others.
However raw device configurations such as routers and firewalls are golden to any would be malicious hacker. This information is routinely described as The Keys to the Kingdom in security circles. With the real information an attacker can focus their hunt from any of millions and millions of devices down to any of less than a hundred devices, or even a single device, worldwide.
There are several aspects you must protect. With proper care and five or ten minutes you can protect yourself completely..
Your first step is to copy and paste your entire config into notepad or WordPad - anywhere you can do a search and replace.
1) Your Public Address Space
The most important things to protect are your public IP addresses.
* EDIT 02/27/03 EDIT *
It has been brought to my attention that public IP addresses are available to anyone. This, unto itslef is true but does not account for the following.
Why should you broadcast to the whole world -
My domain name is xyz.com, my webserver is on this address, my FTP server is on another, my mail server is right here, (and BTW it's an Exchange Server with OWA and also runs SMTP, IMAP), I allow PC Anywhere to this other address, I have a PIX-to-PIX VPN running and it connects using these protocols, I have three MSSQL servers at these addresses that also have SMTP forwarding?
The list goes on. Fact of the matter is, without real IP addresses, this infomration gives no advantage whatsoever to a would-be attacker
That design and configuration is your secret. That's what makes your network unique. In fact, the clever use and distribution of address space/devices and services and services is part of a secure design.
You may think you have got them over a barrel by a statement:
"access-list 101 deny icmp any any"
That stops people from getting responses to pings directed at your addresses. It makes the malicious hacker's job a little more tricky since they need to use different, more time consuming methods to identify your network devices.
Malicious hackers spend hours, days, or months just scanning a range of addresses to find out what services are running on what addresses. By posting your raw configuration in a public forum you eliminate the need for them to scan a single address. They can go directly into the Operating System and Service Identification process. Then they try known exploits and that's it - end of story. Why make it easy for them?
This doesn't even address little things like SSH or VPN configs. With known exploits to these they can simply attack your PIX with them and bypass ALL SECURITY MEASURES you may have in place. The fact you have SSH configured is not a security risk - unless you tell thm what IP address it's on. Same goes for things like AAA, RADIUS and TACACS servers.
* END EDIT 02/27/2003 EDIT END *
A Public Address is any IP address that is NOT 10.XXX.XXX.XXX, 192.168.XXX.XXX, or 172.16.XXX.XXX through 172.31.XXX.XXX.
Anyone worth their oats will be able to help you without real addresses. It's perfectly acceptable to change your addresses to something fictitious but, for my time, I'd just as soon replace it with text. Generally people replace the first three octets with text.
For Example, if my public address was 209.205.124.64, I would search for 209.205.124 and replace it with MY.PUBLIC.NET. It's very simple and quick to perform this on your entire configuration.
1a) Remote or Client Public Address Space
If your device accesses other public address space, as in VPN or static routes, change those addresses as well. Most likely you can just delete the lines entirely. If you are discussing this as a problem, protect it. Don't forget, this address may be your client's machine and you are obliged to maintain that confidentiality.
2) Password Protection
Next you need to protect your passwords. In some devices your password is displayed in clear text or as a long series of seemingly random characters. Believe it or not, that string is easily reverse engineered into your clear text password.
There are not very many of these in any config. Nine times out of ten you can simply delete the lines from your config before posting them publicly. There is no-one in a public forum that needs this info. Otherwise it's a short task to manually replace the entire strings with a series of asterisks.
This same rule applies to any AAA username/passwords that are set in the config. I find it easiest simply to delete the lines entirely.
3) Private Address Space
It's a judgment call whether or not you rename all your private addresses. My config always has so many different networks in it, it's nearly impossible to rename them all and still make sense of it. I usually just rename the address space in use in my building. Other private networks I leave as is.
So, for example, my inside network is 10.20.30.0 and my DMZ network is 10.20.50.0. I search and replace 10.20.30 with MY.PRIV.NET and 10.20.50 with MY.DMZ.NET.
I figure it only adds another 20 seconds or so to my task so why not?
4) Host Names, Device Names, Domain Names etc.
Next, search and replace the hostname with something nondescript. The less information you give a would-be attacker the better.
Check for text information that would potentially compromise you or your client. Information such as domain names i.e. 'domain tek-tips.com' should be masked as well as any other named devices listed. Especially protect named devices that may reflect your company name or web domain. For example - if my config referred to a device name that very closely resembled my company's name, change it. Just change the statement to read something like domain mydomain.com.
5) Time Zone and Geographic Location Information
Then there is time zone info. Once again - on a global forum, you can tell a malicious person that you are in the Central Time Zone - that's quite a nice assist for the attacker -
going from
Could be any device anywhere in the world
to
It's definitely a device located in the GMT-6 hour zone
Just delete the lines entirely unless you are dealing specifically with time related issues. Even then, it's easy enough to get what you need without giving real information.
6) Trim and Remove Non Essential Information
If you're experienced enough to know exactly which part of your configuration you are having trouble with, just post up that portion. Too much information can often confuse the issue. If I am having trouble with a simple route statement, there's no reason to post up dozens of lines access-lists or static NAT statements.
In conclusion, it's well worth your time to protect yourself. Ask yourself:
Would I rather spend ten minutes editing my config or would I prefer spending weeks and weeks repairing my hacked network?
Conclusion
I haven't even gone into the dark areas of liabilities your company, and you personally, could incur if client's data were compromised due to a careless post on the Internet.
These guidelines are valid any time you are posting any information about your network in a public place.
Feel free to share this with anyone, but I would appreciate the credit for writing it.
TYVM
However raw device configurations such as routers and firewalls are golden to any would be malicious hacker. This information is routinely described as The Keys to the Kingdom in security circles. With the real information an attacker can focus their hunt from any of millions and millions of devices down to any of less than a hundred devices, or even a single device, worldwide.
There are several aspects you must protect. With proper care and five or ten minutes you can protect yourself completely..
Your first step is to copy and paste your entire config into notepad or WordPad - anywhere you can do a search and replace.
1) Your Public Address Space
The most important things to protect are your public IP addresses.
* EDIT 02/27/03 EDIT *
It has been brought to my attention that public IP addresses are available to anyone. This, unto itslef is true but does not account for the following.
Why should you broadcast to the whole world -
My domain name is xyz.com, my webserver is on this address, my FTP server is on another, my mail server is right here, (and BTW it's an Exchange Server with OWA and also runs SMTP, IMAP), I allow PC Anywhere to this other address, I have a PIX-to-PIX VPN running and it connects using these protocols, I have three MSSQL servers at these addresses that also have SMTP forwarding?
The list goes on. Fact of the matter is, without real IP addresses, this infomration gives no advantage whatsoever to a would-be attacker
That design and configuration is your secret. That's what makes your network unique. In fact, the clever use and distribution of address space/devices and services and services is part of a secure design.
You may think you have got them over a barrel by a statement:
"access-list 101 deny icmp any any"
That stops people from getting responses to pings directed at your addresses. It makes the malicious hacker's job a little more tricky since they need to use different, more time consuming methods to identify your network devices.
Malicious hackers spend hours, days, or months just scanning a range of addresses to find out what services are running on what addresses. By posting your raw configuration in a public forum you eliminate the need for them to scan a single address. They can go directly into the Operating System and Service Identification process. Then they try known exploits and that's it - end of story. Why make it easy for them?
This doesn't even address little things like SSH or VPN configs. With known exploits to these they can simply attack your PIX with them and bypass ALL SECURITY MEASURES you may have in place. The fact you have SSH configured is not a security risk - unless you tell thm what IP address it's on. Same goes for things like AAA, RADIUS and TACACS servers.
* END EDIT 02/27/2003 EDIT END *
A Public Address is any IP address that is NOT 10.XXX.XXX.XXX, 192.168.XXX.XXX, or 172.16.XXX.XXX through 172.31.XXX.XXX.
Anyone worth their oats will be able to help you without real addresses. It's perfectly acceptable to change your addresses to something fictitious but, for my time, I'd just as soon replace it with text. Generally people replace the first three octets with text.
For Example, if my public address was 209.205.124.64, I would search for 209.205.124 and replace it with MY.PUBLIC.NET. It's very simple and quick to perform this on your entire configuration.
1a) Remote or Client Public Address Space
If your device accesses other public address space, as in VPN or static routes, change those addresses as well. Most likely you can just delete the lines entirely. If you are discussing this as a problem, protect it. Don't forget, this address may be your client's machine and you are obliged to maintain that confidentiality.
2) Password Protection
Next you need to protect your passwords. In some devices your password is displayed in clear text or as a long series of seemingly random characters. Believe it or not, that string is easily reverse engineered into your clear text password.
There are not very many of these in any config. Nine times out of ten you can simply delete the lines from your config before posting them publicly. There is no-one in a public forum that needs this info. Otherwise it's a short task to manually replace the entire strings with a series of asterisks.
This same rule applies to any AAA username/passwords that are set in the config. I find it easiest simply to delete the lines entirely.
3) Private Address Space
It's a judgment call whether or not you rename all your private addresses. My config always has so many different networks in it, it's nearly impossible to rename them all and still make sense of it. I usually just rename the address space in use in my building. Other private networks I leave as is.
So, for example, my inside network is 10.20.30.0 and my DMZ network is 10.20.50.0. I search and replace 10.20.30 with MY.PRIV.NET and 10.20.50 with MY.DMZ.NET.
I figure it only adds another 20 seconds or so to my task so why not?
4) Host Names, Device Names, Domain Names etc.
Next, search and replace the hostname with something nondescript. The less information you give a would-be attacker the better.
Check for text information that would potentially compromise you or your client. Information such as domain names i.e. 'domain tek-tips.com' should be masked as well as any other named devices listed. Especially protect named devices that may reflect your company name or web domain. For example - if my config referred to a device name that very closely resembled my company's name, change it. Just change the statement to read something like domain mydomain.com.
5) Time Zone and Geographic Location Information
Then there is time zone info. Once again - on a global forum, you can tell a malicious person that you are in the Central Time Zone - that's quite a nice assist for the attacker -
going from
Could be any device anywhere in the world
to
It's definitely a device located in the GMT-6 hour zone
Just delete the lines entirely unless you are dealing specifically with time related issues. Even then, it's easy enough to get what you need without giving real information.
6) Trim and Remove Non Essential Information
If you're experienced enough to know exactly which part of your configuration you are having trouble with, just post up that portion. Too much information can often confuse the issue. If I am having trouble with a simple route statement, there's no reason to post up dozens of lines access-lists or static NAT statements.
In conclusion, it's well worth your time to protect yourself. Ask yourself:
Would I rather spend ten minutes editing my config or would I prefer spending weeks and weeks repairing my hacked network?
Conclusion
I haven't even gone into the dark areas of liabilities your company, and you personally, could incur if client's data were compromised due to a careless post on the Internet.
These guidelines are valid any time you are posting any information about your network in a public place.
Feel free to share this with anyone, but I would appreciate the credit for writing it.
TYVM
Please Note: 1 is Bad, 10 is Good :-)
Part and Inventory Search
-
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.