I have a love/hate

dfaught · ‎01-27-2015

An internal security scan showed that TCP port 514 is open on the Cisco Prime LMS 4.2.4 server. The security team is concerned that this port is commonly used for rsh, which is not encrypted and may use plain text logins or poorly authenticated logins. The port being open is documented in the "Installing and Migrating ..." manual for LMS 4.2 where it says that this TCP port 514 is used for Remote Copy Protocol in the direction from the server to device. The well-known port associated with a service is usually on the target host, not on the host that initiates the connection, so this is a little confusing. I see that there is no rsh service in /etc/inetd.conf, but there is an rsh service in /etc/xinetd.conf. This LMS is not configured to use RCP for anything, as far as I can tell.

Can I close TCP port 514 on this server without disasterous results, and how do I do that?

Or, how do I satisfy the security team that having this port open is not a security concern?

Thanks for any help.

Dave

Marvin Rhoads · ‎01-27-2015

I have a love/hate relationship with security audits like that. Happy to know the profile of a server but then hating to have to justify everything their "report" "concludes" (95% of which is usually just dressed up too output from Nessus or whatever).

Problem is with appliance servers running a packaged application like LMS, mucking with the OS settings (rc files etc.) can break things in unexpected ways. I'm more in favor of putting it on a segmented network and applying access-control lists or firewall rules inbound vs. trying to take apart the system and put it back together using only the parts you think are necessary (a bit of hyperbole there but it's to make a point).

Call it defense in depth and declare victory and then move on with using the tool to actually manage the network instead of defending its configuration to the Stasi.

LMS 4.2 Why is TCP port 514 used and how to close it?