
Remove ICMP Timestamp Request on Cisco 837

whiteford (Level 1)

We have a few Cisco 837s working as L2Ls. I have scanned them for vulnerabilities, received this message, and need help to remove it:

ICMP Timestamp Request:

THREAT:

ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. Its principal purpose is to provide a protocol layer able to inform gateways of the inter-connectivity and accessibility of other gateways or hosts. "ping" is a well-known program for determining if a host is up or down. It uses ICMP echo packets. ICMP timestamp packets are used to synchronize clocks between hosts.

IMPACT:

Unauthorized users can obtain information about your network by sending ICMP timestamp packets. For example, the internal system clock should not be disclosed, since some internal daemons use this value to calculate ID or sequence numbers (e.g., on SunOS servers).

SOLUTION:

You can filter ICMP messages of type "Timestamp" and "Timestamp Reply" at the firewall level. Some system administrators choose to filter most types of ICMP messages for various reasons. For example, they may want to protect their internal hosts from ICMP-based Denial Of Service attacks, such as the Ping of Death or Smurf attacks.

However, you should never filter ALL ICMP messages, as some of them ("Don't Fragment", "Destination Unreachable", "Source Quench", etc) are necessary for proper behavior of Operating System TCP/IP stacks.

It may be wiser to contact your network consultants for advice, since this issue impacts your overall network reliability and security.


Hi, just a couple of questions regarding this.

If I delete the access list won't I lose connection as I'm remotely connected? Or will this only happen if I do a wr mem?

If commands are only added in the order I put them, couldn't I just delete the permit ICMP any any, add the 2 deny ICMP rules, then re-add the permit ICMP any any?

Andy

If you are telnetted to the router and then make changes to the access list assigned to that interface, then yes, there is a good chance that you may lose your connection. This would be a good reason to use the approach that I suggested: create a new version of the access list with a new name, put the statements in the order that you need them, and then change the access-group on the interface. If you do this it should not impact your telnet session.

HTH

Rick


To make sure I am doing this right, what is the name of my current access-list? I have just uploaded this config from another router to this one. And once I've created a new list, what areas should I change to make this access list the one to use, so I can delete the other one?

Also if I do all this and don't do a "wr mem" and someone restarts the router will it go back to the earlier settings? Just a backup plan.

Andy

I suggest that you use this. It should work.

Yes you are correct that if you paste this into the config and you do not do a write mem (or a copy run start) and if the router restarts it will go back to the old settings for the ACL.

!
! IOS evaluates an access list top down and stops at the first match, with an
! implicit "deny ip any any" at the end, so the two timestamp denies must sit
! above "permit icmp any any" or they are never reached.
ip access-list extended inbound_acl
 permit udp any any eq isakmp
 permit esp any any
 deny icmp any any timestamp-request
 deny icmp any any timestamp-reply
 permit icmp any any
 permit udp any any eq ntp
 permit tcp x.x.x.64 0.0.0.31 any eq telnet
 permit tcp x.x.x.64 0.0.0.31 any eq 22
 permit tcp x.x.x.64 0.0.0.31 any eq ftp-data
 permit tcp x.x.x.64 0.0.0.31 any eq ftp
 permit tcp x.x.x.64 0.0.0.31 any eq www
 permit tcp x.x.x.64 0.0.0.31 any eq 443
 permit ip 192.168.90.0 0.0.0.255 172.19.3.0 0.0.0.255
!
interface Dialer1
 ip access-group inbound_acl in
!

Give this a try and let us know how it works.

HTH

Rick


Then just delete the old config?

Also is it easy to update the firmware remotely?

...Also, if I add "ip access-group inbound_acl in", will this remove my old one straight away, or can you have 2 access groups running? I was thinking of adding the new access list first, then as the last part I will change the access group to inbound_acl.

If it goes wrong and I lose connection I'll get someone to restart the router.

Andy

If you do add "ip access-group inbound_acl in" it will immediately remove the old access-group and begin using the new access-group. You may have only a single IP access-group per direction per interface.

One advantage of this approach is that it immediately begins using the new access-group but leaves the old access-list in place so that you can go back to it if there is a problem with the new access-list.

Another thing to consider is scheduling a reload before you make the config change to change the access-group. There is an option of the reload command to schedule a reload of the router. So you could use:

reload in 30

to schedule a reload in 30 minutes (or pick whatever time interval you want). So you would schedule a reload, then you make the config change. If there is a problem with the config change and you lose connectivity to the router, you wait for the reload. Since your config change was not saved to NVRAM, the reload reverts to the original config and you have access again (without needing to call someone at the remote site). If the config change was good and there are no problems, then you use the command:

reload cancel

sometime before the scheduled reload and then you save your config change.

I would suggest that when you make this kind of config change that you leave the original access-list in the config for some period of time (just in case you need to revert back). And then after some period of time you remove the old access-list from the config.

Whether it is easy to update the firmware remotely depends a bit on your environment. (Just to clarify, I assume that when you refer to updating firmware you are referring to updating the image code that the router is running and not to updating the bootrom or something.) Depending on the platform, most routers store their image in flash. If your flash has enough capacity to store 2 images then it is fairly easy to copy a new image to flash, resulting in 2 images in flash. You then put commands into the config file to boot from the new image and to use the old image if there is a problem in booting the new image. This is fairly straightforward and easy. If there is room in flash for only a single image then you need to erase the old image before copying the new image. This can be done remotely but does have a somewhat higher degree of risk.

HTH

Rick

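The steps from the replies above, put together as one console session on the 837. This is an added example written by the editor, not configuration posted in the thread; it assumes the list currently applied to Dialer1 is called <old-acl> (the thread never names it; read it from "show ip interface Dialer1"), reuses the addresses and the 30-minute window from the replies, and uses lines beginning with "!" as annotations rather than commands.

```ios
! Added example (editor's): safe remote swap of the inbound ACL on Dialer1.
! Assumptions: <old-acl> is the name of the list applied today (find it with
! "show ip interface Dialer1"); x.x.x.64 0.0.0.31 is the management range
! from the reply above; 30 minutes is simply a comfortable window.

! 1. Arm the safety net BEFORE touching the config. Nothing is saved yet, so a
!    reload brings back startup-config with the old list and restores access.
reload in 30

! 2. Create the replacement under a new name. It filters nothing until step 3,
!    so the order in which lines are typed cannot cut the telnet session.
!    ACLs are first-match, top down, with an implicit "deny ip any any" at the
!    end; the two timestamp denies therefore sit above "permit icmp any any".
configure terminal
ip access-list extended inbound_acl
 permit udp any any eq isakmp
 permit esp any any
 deny icmp any any timestamp-request
 deny icmp any any timestamp-reply
 permit icmp any any
 permit udp any any eq ntp
 permit tcp x.x.x.64 0.0.0.31 any eq telnet
 permit tcp x.x.x.64 0.0.0.31 any eq 22
 permit tcp x.x.x.64 0.0.0.31 any eq ftp-data
 permit tcp x.x.x.64 0.0.0.31 any eq ftp
 permit tcp x.x.x.64 0.0.0.31 any eq www
 permit tcp x.x.x.64 0.0.0.31 any eq 443
 permit ip 192.168.90.0 0.0.0.255 172.19.3.0 0.0.0.255
exit

! 3. One command moves the interface to the new list. An interface holds a
!    single inbound ACL, so the old one is released but stays in the config
!    for rollback.
interface Dialer1
 ip access-group inbound_acl in
end

! 4. Still connected? Confirm the binding, then re-run the scanner and watch
!    the match counters on the two deny lines climb while "permit icmp any any"
!    still counts ordinary echo requests.
show ip interface Dialer1 | include access list
show access-lists inbound_acl

! 5. Only now disarm the timer and commit.
reload cancel
copy running-config startup-config

! 6. Days later, once nothing has needed the old list, remove it and save again.
configure terminal
no ip access-list extended <old-acl>
end
copy running-config startup-config
```

The counters from show access-lists are the practical check: after the change, the scanner's timestamp probes should land on the two deny lines and nothing else should have moved. If the router were running a numbered list instead of a named one, "no access-list N ..." removes the whole list rather than one line, so the new-name-then-swap approach is the one to use there as well.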

Thanks Rick.

Some really good tips for someone new like me.

I created the new access list, added it to the dialer, and stayed connected. I then ran a vulnerability test and that vulnerability has gone! I have removed the old access list but have tried to wr mem. Wish I'd waited for your post.

I have one last vulnerability on another Cisco 837 but will create a new post.

I have a tftp server, that's it; I really don't know where to start on updating it. I think I mean the image, or IOS. I find newer 837s are much better for SNMP stuff than older ones; hope you can help.

The outbound access list is bound to Ethernet 0; what is its job?

Forgot to say, this is the show version:

Cisco Internetwork Operating System Software
IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.3(2)XA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 08-Aug-03 05:58 by ealyon
Image text-base: 0x800131E8, data-base: 0x80B8F3D8

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: C837 Software (C837-K9O3Y6-M), Version 12.3(2)XA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

fl1tw1ck uptime is 1 week, 3 days, 18 hours, 33 minutes
System returned to ROM by power-on
System restarted at 12:49:07 UTC Thu Jul 19 2007
System image file is "flash:c837-k9o3y6-mz.123-2.XA.bin"

CISCO C837 (MPC857DSL) processor (revision 0x500) with 44237K/4915K bytes of memory.
Processor board ID AMB08160J61 (2211829433), with hardware revision 0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

Andy

The access list used on the Ethernet interface is used in conjunction with these ip inspect commands which are part of your configuration:

ip inspect name outbound tcp

ip inspect name outbound udp

ip inspect name outbound ftp

ip inspect name outbound http

ip inspect name outbound icmp

The IP inspect looks at traffic originating from end stations on the Ethernet interface and creates dynamic entries in the ACL on the outside interface to create entries allowing response traffic. This is part of providing an enhanced security implementation on your router.

HTH

Rick

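A sketch of how the inspection rule set above pairs with the inbound list on Dialer1, plus the commands to check that it is doing its job. This is an added example by the editor, not configuration from the thread: the thread shows only the five "ip inspect name outbound ..." lines, so attaching the rule set inbound on Ethernet0 is an assumption, and inbound_acl is the list from the earlier reply.

```ios
! Added example (editor's): CBAC inspection paired with the outside ACL.
! Assumption: the rule set is applied inbound on Ethernet0. The thread does
! not show this line, only the five "ip inspect name" entries below.
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp
!
interface Ethernet0
 ip inspect outbound in
!
! inbound_acl lists only the unsolicited traffic the outside may start (ISAKMP
! and ESP, management from x.x.x.64/27, ICMP minus timestamps). Replies to
! sessions that began on the LAN get through because inspection opens a
! temporary entry per session and closes it when the session ends, so the
! static list needs no "permit tcp any any established" line and no broad
! "permit tcp any any gt 1023" hole.
interface Dialer1
 ip access-group inbound_acl in
!
! Checks from exec mode:
!   show ip inspect config       rule set and timeouts
!   show ip inspect interfaces   interface and direction it is applied to
!   show ip inspect sessions     live sessions; an HTTP fetch started on the
!                                LAN should be listed here while it is open
```

If "show ip inspect sessions" stays empty while LAN hosts are browsing, the rule set is not on the interface the traffic enters, and the static ACL is then the only thing letting replies in.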

Thanks Rick, you said:

Whether it is easy to update the firmware remotely depends a bit on your environment. (Just to clarify, I assume that when you refer to updating firmware you are referring to updating the image code that the router is running and not to updating the bootrom or something.) Depending on the platform, most routers store their image in flash. If your flash has enough capacity to store 2 images then it is fairly easy to copy a new image to flash, resulting in 2 images in flash. You then put commands into the config file to boot from the new image and to use the old image if there is a problem in booting the new image. This is fairly straightforward and easy. If there is room in flash for only a single image then you need to erase the old image before copying the new image. This can be done remotely but does have a somewhat higher degree of risk.

This is my "show version" (the same output as in my previous post); it seems the newer routers we buy are much better on SNMP for monitoring. I just want to update the old one like this.

Andy

Cisco routers certainly support remote update/upgrade of the software image. To know whether it is easy or not we need some additional information: how much flash do you have, how much flash is currently used, how much flash is available, how much flash is needed for the new image (how big is the image)? If you post the output of show flash on this 837 we will get answers to the first several questions, and if you have the desired new image on a tftp server (or on another existing router) you can find what size the new image is.

HTH

Rick


I have yet to find or download the new version; my account for some reason doesn't have access (speak to my account manager):

System flash directory:
File  Length   Name/status
  1   6171780  c837-k9o3y6-mz.123-2.XA.bin
[6171844 bytes used, 6148924 available, 12320768 total]
12288K bytes of processor board System flash (Read/Write)

Andy

Based on this information I believe that we can guess that the remote upgrade will be possible, but with some risk. The flash appears to be 12 MB in size. Of that space, 6171844 bytes are used for the existing image file and 6148924 are available. Since the available space is slightly less than the existing image, and since the new image is likely to be larger than the existing image, it is a safe guess that there is not enough room in flash for both images. So to do the upgrade you will need to erase the existing image in flash and then copy the new image into flash. The router will still run with the image erased from flash, but if the router reloads for any reason before you get the new image into flash then you would have a broken router.

As I see it you have several options:

- accept the risk and do the remote upgrade.

- go to where the router is located and do the upgrade as a local upgrade.

- if you have a spare 837, you could put the new image on the spare 837, use that router to replace the 837 in the remote location, and bring that 837 back to where you are to do a code upgrade on it.

Which of these choices is best depends on you and your organization and your acceptance of a degree of risk.

HTH

Rick

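Rick's two cases as console commands, for when the image has been obtained. This is an added example by the editor, not commands from the thread; <tftp-server>, <new-image> and <md5> are placeholders for the TFTP host, the image file name and the MD5 published alongside the download (none of which is known here), and the configuration register of 0x2102 from the show version above is what makes the boot system lines take effect.

```ios
! Added example (editor's): replacing the IOS image over the network, following
! the two cases in the reply above. Placeholders: <tftp-server>, <new-image>,
! <md5>. Rule for both cases: do not reload, and do not leave a "reload in"
! armed, until the new image is in flash and verifies.

! 0. Current state. From the thread: one 6171780-byte image, 6148924 bytes free.
show flash:
show version | include image file
show running-config | include boot system

! Case A: flash can hold both images. Copy, verify, then boot the new one with
! the old one as fallback; a bad new image falls through instead of stranding
! the box.
copy tftp://<tftp-server>/<new-image> flash:<new-image>
verify /md5 flash:<new-image> <md5>
show flash:
configure terminal
 no boot system
 boot system flash:<new-image>
 boot system flash:c837-k9o3y6-mz.123-2.XA.bin
end
copy running-config startup-config
reload

! Case B: room for one image only, which is this 837 (free space is smaller
! than the current image, and the new one will be larger). The running -mz
! image executes from RAM, so the router keeps working after the erase, but a
! power cut or reload between the erase and a verified copy leaves it with
! nothing to boot. Do it in one sitting, with someone near the router.
erase flash:
copy tftp://<tftp-server>/<new-image> flash:<new-image>
verify /md5 flash:<new-image> <md5>
show flash:
! If step 0 showed a "boot system" line naming the old file, remove it now
! (configure terminal / no boot system / end). With 0x2102 and no boot system
! lines the router boots the first image in flash, which is now the only one.
copy running-config startup-config
reload
```

The verify step is not optional: a TFTP transfer that finished short is the classic way to end up in ROMMON after the reload, and with a single-image flash the only way out is then a console-side recovery at the remote site.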

Thanks Rick,

If I do a local upgrade, what commands will I need to use?
