Reducing MTTR vulnerabilities with accurate remediation guidance for firewalls, switches and routers

Vulnerability Assessments for Secure Networks

Carrying out a vulnerability assessment is one of the first steps in establishing a more secure network. Only once exploitable vulnerabilities have been identified can the risks be prioritized and then remediated. To identify vulnerabilities in routers, switches and firewalls, it is necessary to complete a configuration assessment that considers the impact of any misconfiguration to the network, not just the device.

Prioritization of remediation actions requires an understanding of how critical the risk is to the network, what the likelihood is that it can be exploited and how long repair or remediation efforts might take. That is why in Nipper’s security audit, every vulnerability or misconfiguration identified is rated on the impact to the network, the ease of exploitation, and the fix rating, which highlights the effort and resources required to remediate the issue.

A misconfiguration that could severely impact network security if exploited, and that has a quick fix, is categorized by Nipper as critical and should be prioritized for remediation over issues that have more involved fixes and low impact. Nipper’s rating system allows this prioritization to take place quickly and effectively, ensuring that those responsible for the network have the information they need to plan remediation efforts. Every moment a critical vulnerability remains on a device increases the risk that the confidentiality, integrity and availability of systems, applications and data will be compromised. Limited resources can make it hard to rectify all identified vulnerabilities in a timely fashion, which is why prioritization is such an essential part of this process. For each issue that Nipper detects, an overall rating is therefore given, as shown in the image, which highlights the impact, how easy the issue is to exploit, how quickly it can be remediated, the type of issue and an ID. This allows effective prioritization of remediation efforts and can reduce the MTTR for the most critical vulnerabilities.

Remediation Advice

Another key issue is understanding what is needed to remediate vulnerabilities that have been detected, which is why, in Nipper’s security audit, recommendations for how to remediate the issue are provided. For some devices, this includes exact fixes with command line instructions that could be used to resolve the issue. Once remediation work is complete, you can use Nipper to check that the vulnerability no longer exists by running a benchmark report.

Practical examples of remediation advice for firewalls, switches, and routers

The following examples are all drawn from Nipper’s Security Audit and show the recommendations and remediation advice that Nipper can provide. The audit was run on the devices listed in the table below.

Device                                      Name                   OS
Cisco Router                                CiscoIOS15             IOS 15.0
Cisco Adaptive Security Appliance Firewall  Office-Cisco-ASA       ASA 9.1(1)
Cisco Catalyst Switch                       Office-Cisco-Catalyst  IOS 12.1
Cisco Nexus                                 TitaniaNexus5010       NX-OS 4.1(3)N2(1)

Table 1: Audit device scope

Issue: Users With Dictionary-Based Passwords

Recommendation

Nipper strongly recommends that all user accounts should have a strong password. Nipper recommends that:

  • passwords should be at least eight characters in length;
  • characters in the password should not be repeated more than three times;
  • passwords should include both upper case and lower case characters;
  • passwords should include numbers;
  • passwords should include punctuation characters;
  • passwords should not include the username;
  • passwords should not include a device's name, make or model;
  • passwords should not be based on dictionary words.

Notes for Cisco Router devices:
The following commands can be used on Cisco Router devices to set the enable password, to create a local user with a password and to delete a local user:

enable secret password
username user secret password
no username user

Issue: No VTP Authentication Password Was Configured

Recommendation

Nipper recommends that, if not required, VTP should be disabled or placed in transparent mode. However, if VTP is required Nipper recommends that a strong VTP authentication password should be configured on all VTP devices.

Nipper recommends that:

  • passwords should be at least eight characters in length;
  • characters in the password should not be repeated more than three times;
  • passwords should include both upper case and lower case characters;
  • passwords should include numbers;
  • passwords should include punctuation characters;
  • passwords should not include the username;
  • passwords should not include a device's name, make or model;
  • passwords should not be based on dictionary words.
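The password rules listed in this recommendation and in the earlier "Users With Dictionary-Based Passwords" recommendation, implemented as a checker. This is an added example, not Nipper's own code; the word list is a constructed stand-in for a real dictionary, and "not repeated more than three times" is read as no single character occurring four or more times.

```python
import re
import string

# Constructed word list standing in for a real dictionary (assumption: a real
# check would load a full word list from disk).
DICTIONARY = {"password", "welcome", "secret", "cisco", "router", "switch"}

def password_findings(password, username="", device_words=()):
    """Return the rules from the recommendation list that `password` violates.

    device_words holds the device's name, make and model, e.g.
    ("Office-Cisco-Catalyst", "Cisco", "Catalyst"). An empty list means the
    password satisfies every rule this function checks.
    """
    findings = []
    lower = password.lower()
    if len(password) < 8:
        findings.append("shorter than eight characters")
    # Assumption: "not repeated more than three times" means no single
    # character may occur four or more times anywhere in the password.
    if any(password.count(ch) > 3 for ch in set(password)):
        findings.append("a character is repeated more than three times")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        findings.append("missing upper or lower case characters")
    if not any(c.isdigit() for c in password):
        findings.append("missing numbers")
    if not any(c in string.punctuation for c in password):
        findings.append("missing punctuation characters")
    if username and username.lower() in lower:
        findings.append("contains the username")
    if any(w.lower() in lower for w in device_words if w):
        findings.append("contains the device name, make or model")
    # Dictionary check: strip digits and punctuation, then look for a word
    # in what remains (catches "Password1!" as well as "password").
    core = re.sub(r"[^a-z]", "", lower)
    if core in DICTIONARY or any(w in core for w in DICTIONARY):
        findings.append("based on a dictionary word")
    return findings

def is_acceptable(password, username="", device_words=()):
    """True when no rule in the recommendation list is violated."""
    return not password_findings(password, username, device_words)
```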

Notes for Cisco Catalyst Switch devices:
VTP can be set to transparent mode on Cisco Catalyst Switch devices using one of the following commands:

vtp transparent
vtp mode transparent


A VTP password can be configured on a Cisco Catalyst Switch device using the following command:

vtp password password-string


On some Cisco Catalyst Switch devices the VTP password is not included in the configuration file, so Nipper cannot validate that it has been set correctly on those devices.

Issue: Clear Text Telnet Service Enabled

Recommendation

Nipper recommends that the Telnet service should be disabled. If remote administrative access is required then Nipper recommends that a cryptographically secure alternative, such as SSH, should be used instead. If Telnet has to be used then Nipper recommends that network filtering should be employed to restrict access to the service from only those specific devices that need the access.

Notes for Cisco Adaptive Security Appliance Firewall devices:
Telnet access to Cisco Adaptive Security Appliance Firewall devices can be disabled by removing access from all the configured management hosts. This can be done with the following command:

no telnet {hostname | ip-address interface}
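The checks described in the VTP notes above and in this Telnet note, applied to two constructed configuration excerpts. This is an added example, not Nipper's code: it assumes the ASA `telnet ip-address mask interface` line format, treats a missing `vtp mode` line as the IOS default of server mode, and reports the caveat that an absent VTP password line may simply not be shown in the file.

```python
import re

# Constructed Catalyst excerpt (not one of the audited devices): VTP is in
# server mode and no "vtp password" line is present.
CATALYST_CONFIG = """\
hostname Office-Cisco-Catalyst
vtp domain OFFICE
vtp mode server
"""

# Constructed ASA excerpt: two management hosts still have Telnet access.
ASA_CONFIG = """\
hostname Office-Cisco-ASA
telnet 10.0.0.5 255.255.255.255 inside
telnet 10.0.0.6 255.255.255.255 inside
ssh 10.0.0.5 255.255.255.255 inside
"""

def audit_vtp(config):
    """Return (finding, remediation commands), or None when VTP is in
    transparent/off mode or a "vtp password" line is present."""
    mode, has_password = None, False   # no "vtp mode" line: IOS default is server
    for line in config.splitlines():
        m = re.match(r"\s*vtp mode (\S+)", line)
        if m:
            mode = m.group(1)
        elif re.match(r"\s*vtp password \S+", line):
            has_password = True
    if mode in ("transparent", "off") or has_password:
        return None
    # Caveat from the page: some Catalyst devices keep the VTP password out of
    # the configuration file, so "absent" may mean "not shown", not "not set".
    return ("No VTP authentication password found in configuration "
            "(verify on the device; it may not be stored in the file)",
            ["vtp mode transparent", "vtp password <strong-password-string>"])

def asa_telnet_fixes(config):
    """Return the "no telnet ..." commands that remove every Telnet host."""
    fixes = []
    for line in config.splitlines():
        m = re.match(r"\s*telnet (\S+) (\S+) (\S+)\s*$", line)
        if m:
            fixes.append("no telnet " + " ".join(m.groups()))
    return fixes
```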


How Nipper helps

By prioritizing risks and providing clear remediation advice, Nipper supports the proper allocation of time and resources to fixing the configuration vulnerabilities that leave your network most exposed to attack. To see what recommendations Nipper would make for your network devices, register for a trial today.