9/12/2023 0 Comments Asa grep examplesThe network administrator can run “show running-config | grep telnet” and look through each entry (or without ‘grep’, just using ‘include’ – “sh run | i telnet"), filter out addresses and send output to auditor.Īll of these requires auditor to be Router/Firewall Subject Matter Expert. For example, suppose the auditor wants to check the configuration for all “telnet” statements. Network administrators can run the grep command against configuration files pulled from routers and firewalls and stored in local directory of their workstation (UNIX or Windows), or use 'grep' statement build into Cisco IOS or ASA. The good source of what to look for with grep/findstr command are Cisco AutoSecure examples. Wingrep) or could be replaces by system ‘findstr’ command. It is also part of many free packages on Windows (i.e. The ‘grep’ command is part of all flavors of UNIX operating systems. Grep -ire "^snmp-server community public " For example to find well-known SNMP communities: PacketLife has a nice article about 'Random configuration analysis', with more examples of 'grep' commands. The network administrator now has the opportunity to remove confidential information from this file before sending it back to auditor. It will save all configuration lines with keywords 'any', 'telnet,' 'timeout', 'floodguard', 'server', 'logging', 'auth', 'audit' and 'pdm' in the 'output' file. Rack1ASA1# sh checksum Cryptochecksum: be697684 e7dc0660 f0495b17 994feacd output The following is a sample output from the show checksum command before and after writing to NVRAM: By comparing the numbers auditors can see if the configuration has changed and was written to firewall NVRAM. Cyptochecksum conists of four groups of hexadecimal numbers that act as a digital summary of the contents of the configuration. I would recommend to grep 'Cryptochecksum' (unfortunately works only on ASA/PIX, not IOS) and retain results. The good news here is that auditors can ask for configuration more than once during audit period or they do audit more than once a year. So, I assume the change control was audited before configuration audit was started. starting form change logging to Cisco ACS), the configuration file could be changing too often, and auditing it doesn’t make any sense. If there is no good change control mechanism in place (i.e. The other bad news could be change control. So, how auditors know that configuration was collected from the devices in scope of the audit and not from Cisco simulator (GNS3/Dynamips) or from some vanilla firewall or router? Unfortunately, the only solution is to watch over our administrator’s shoulder. They have to ask network administrators to deliver configuration files to them. The first challenge is that auditors don’t have access to devices so they cannot pull the configuration file by themselves. I am also assuming configuration review is only small, and not the most important part of audit program (design assessment, change control, access control, etc. My assumption is that there is a device hardening standard in place, which points out the key elements of configuration. I'm going to discuss a few of them in this article. Auditors face some challenges when reviewing router and firewall configurations.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |