INTRO: I used a little bit of humor in the title because many of my peers will read it, groan, and ask, "Why in the world would you put yourself and your network through this hell?" Well, I have to tell you, after dropping a Splunk server on my network and letting it collect all of my logs, I was pretty happy.
First, STIG stands for Security Technical Implementation Guide; the STIGs are published by DISA. For those few followers of mine who have never heard of DISA, it stands for Defense Information Systems Agency, and it is, roughly speaking, the ISP for the DoD.
Okay, there are almost 500 STIGs on https://public.cyber.mil/stigs/downloads/, and I am sure the list can be daunting. For my original network I decided to use only a few vendor-specific STIGs and not many of the management STIGs. My focus is purely securing my network, and the STIGs are the best guidance for that I have seen.
NOTE: There is no such thing as a truly secure network. Remember the lesson about the bear: "When being chased by a bear, you just have to be faster than the person behind you to be safe." It's the same with networks. You want to make your network a hard target. A hacker or script kiddie wants the easy target and will hopefully move on from a more secure network.
So, let's look at the STIGs I used to secure my home network. For my router I used the Perimeter Router Security Technical Implementation Guide Cisco :: Version 8. For my switch, which is an older model, I used the Cisco IOS Switch draft STIG.
When I implemented these STIGs, I broke the findings out by Category I, II, or III. CAT I findings are the most critical; CAT II findings are less severe but should be worked once all CAT Is are remediated; CAT III findings have the least impact.
PART 1 (CAT Is): Now let's break down what I actually applied, because I didn't apply every guideline; some had too much impact on the network.
V-3012, 3056, 3062, 3143: The first four CAT I vulnerabilities really have to do with password-protecting the device. Okay, if you're still using cisco/cisco to log into your router and you use it actively as the gateway on your network, shame on you. Change the default username and password on your devices. And one more step is to make sure the passwords are stored hashed rather than reversibly encoded:
For example, and in this order:
service password-encryption
!
username {username} secret {password}
! IOS stores that line in the running config as a salted type 5 hash, e.g.:
! username name secret 5 $1$geU5$vc/uDRS5dWiOrpQJTimBw/
enable secret {password}
If you just use the "username {username} password {password}" command, Cisco IOS stores a type 7 password (once service password-encryption is on; before that it is stored in the clear). Type 7 is not a hash at all but a weak, reversible encoding that free tools decode instantly. Using "username {username} secret {password}" instead stores a type 5 hash, which is salted MD5-crypt and far harder to crack. Newer IOS releases also offer type 8 (PBKDF2-SHA-256) and type 9 (scrypt), which are stronger still; avoid the broken type 4. Is this important on your home network? Wait until the end and judge for yourself.
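To make the type 7 point concrete, here is an added Python example (mine, not from the post or from Cisco) that decodes and re-encodes type 7 strings using Cisco's long-public XOR key, and audits a constructed IOS config snippet for weak credential storage. The sample config, the user names and the "094F471A1A0A" value are constructed for illustration; the verdict table reflects the type numbers discussed above.

```python
import re

# Cisco's fixed type 7 pad: a Vigenere-style key that has been public for decades.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Recover the plaintext of a 'password 7' value.

    Format: two decimal digits giving the starting offset into the key, then one
    hex byte per character, each XORed with successive key bytes.
    """
    offset = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    return "".join(
        chr(byte ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)])
        for i, byte in enumerate(body)
    )


def encode_type7(plain: str, offset: int = 9) -> str:
    """Produce a type 7 string the way IOS does; shown only to prove it is reversible."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses offsets 0..15")
    body = "".join(
        f"{ord(ch) ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]:02X}"
        for i, ch in enumerate(plain)
    )
    return f"{offset:02d}{body}"


# How each IOS credential storage type should be judged during an audit.
_VERDICT = {
    "0": "FAIL: plaintext",
    "7": "FAIL: type 7, reversible encoding",
    "4": "FAIL: type 4, unsalted SHA-256 (deprecated)",
    "5": "OK: type 5, salted MD5-crypt",
    "8": "OK: type 8, PBKDF2-SHA-256",
    "9": "OK: type 9, scrypt",
}

# Matches 'username X [privilege N] password|secret [type] value' and 'enable password|secret ...'.
_CRED_RE = re.compile(
    r"^(?P<where>username (?P<user>\S+)(?: privilege \d+)?|enable) (?P<kind>password|secret)"
    r"(?: (?P<type>\d))? (?P<value>\S+)$"
)


def audit_credentials(config: str) -> list[dict]:
    """Scan IOS config text for credential lines and classify how each is stored."""
    findings = []
    for line in config.splitlines():
        m = _CRED_RE.match(line.strip())
        if not m:
            continue
        ptype = m.group("type") or "0"  # no type digit means the value is plaintext
        finding = {"line": line.strip(), "type": ptype, "verdict": _VERDICT.get(ptype, "UNKNOWN")}
        if ptype == "7":
            finding["recovered"] = decode_type7(m.group("value"))  # show the auditor the damage
        findings.append(finding)
    return findings


# Constructed sample config; the type 5 hash is the one quoted in the post above.
SAMPLE_CONFIG = """\
! constructed sample, not a real device config
service password-encryption
username admin privilege 15 password 7 094F471A1A0A
username ops secret 5 $1$geU5$vc/uDRS5dWiOrpQJTimBw/
enable password cisco
"""

if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_CONFIG):
        print(f)
```

Run it against a `show running-config` dump and every `password 7` line comes back with its plaintext attached, which is usually all the argument you need to get `secret` used everywhere.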
V-3164: I implemented Unicast Reverse Path Forwarding (uRPF) strict mode on my LAN interfaces. With a lot of talkers on the network that are hard to control, like an Alexa, an Apple TV, or even a refrigerator, I thought it important to drop any packet whose source address doesn't belong on the interface it arrived on, i.e. spoofed sources. It did create a bit of overhead, but only about 1% or 2% of my full data rate.
Example, placed on the interface facing your LAN:
ip verify unicast source reachable-via rx 102
access-list 102 deny ip any any log
The rx keyword is strict mode: the best route back to the packet's source must point out the interface the packet arrived on. The ACL number is the uRPF exception list, consulted only for packets that fail the check; a deny (as here) drops and logs them, while a permit in that ACL would forward them anyway.
uRPF needs CEF, which is on by default on IOS 15 and recent 12.x images. If your router won't accept the command, check ip cef first; if it is still refused, it may be time to upgrade from the IOS 12 you're running.
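To show what the strict check above actually decides, here is an added Python model of uRPF (my own example, not from the post or from Cisco) run against a constructed three-route FIB for a home router. The interface names, prefixes and addresses are assumptions for illustration; the logic follows IOS behaviour: strict mode requires the best route back to the source to exit the ingress interface, loose mode accepts any route, and the default route only satisfies either when allow-default is set.

```python
import ipaddress

# Constructed FIB: (prefix, outgoing interface). Gi0/0 faces the ISP, Gi0/1 is the
# main LAN, Gi0/2 an IoT VLAN. Not taken from the author's router.
FIB = [
    ("0.0.0.0/0", "GigabitEthernet0/0"),
    ("192.168.1.0/24", "GigabitEthernet0/1"),
    ("192.168.2.0/24", "GigabitEthernet0/2"),
]


def best_route(src: str):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifc in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best


def urpf(src: str, ingress: str, mode: str = "strict", allow_default: bool = False) -> bool:
    """True when a packet from src arriving on ingress passes the uRPF check.

    strict (reachable-via rx): the best route back to src must point out ingress.
    loose  (reachable-via any): any route to src is enough.
    As on IOS, the default route only counts when allow_default is set.
    """
    route = best_route(src)
    if route is None:
        return False
    net, ifc = route
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return ifc == ingress


def exception_acl(passed: bool) -> str:
    """Model 'reachable-via rx 102' with 'access-list 102 deny ip any any log':
    only RPF failures reach the ACL, and its deny means drop and log."""
    return "forward" if passed else "drop+log"


def evaluate(src: str, ingress: str) -> str:
    """Full strict-mode decision for one packet on one interface."""
    return exception_acl(urpf(src, ingress, mode="strict"))


if __name__ == "__main__":
    # 5.6.7.8 stands in for an arbitrary Internet address.
    for src, ifc in [("192.168.1.10", "GigabitEthernet0/1"),
                     ("192.168.2.5", "GigabitEthernet0/1"),
                     ("5.6.7.8", "GigabitEthernet0/1")]:
        print(f"{src:14} on {ifc}: {evaluate(src, ifc)}")
```

The second case is the one strict mode buys you over loose mode on a LAN: an IoT-VLAN address injected on the main LAN has a valid route, so loose mode forwards it, but the route points out the wrong interface, so strict mode drops and logs it.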
V-3175, 4582: This one is a bit interesting and can be hard to understand. I did some work on my router trying to see whether I could adjust the authentication method list that is created when the aaa authentication command is run. If you name the list default, the router or switch applies it to every line automatically and, with the local method, uses the usernames and passwords you configured on the device. If you use any other name, the list is not applied to anything until you bind it to the line with login authentication {name}; until then, the name is the only thing you changed.
Example:
aaa new-model
!
aaa authentication login default group tacacs+ local
!
line vty 0 4
exec-timeout 10 0
transport input ssh
Remember that once aaa new-model is on, the plain "login" command disappears from your line vty configuration and the AAA method list takes its place. Also, because tacacs+ is listed first, if no server answers the device waits out the server timeout and its retries before falling back to the local credentials; on my router that added about 30 seconds to every login. You can shorten the server timeout settings. To be honest, I didn't run this command, because my plan to stand up a centralized authentication server is a bit in the future.
V-3196, 3210: I didn't implement SNMP on my network. I don't have a large enough network to need an agent polling it. But if I did, it would definitely be SNMPv3. Yes, there are a few more commands to run to set it up. Also, when you configure it you have to do both the group and the user commands or it won't work.
Example:
snmp-server group GroupName v3 auth access 90
snmp-server group GroupName v3 priv access 95
!
snmp-server user UserName GroupName v3 auth sha {password a} priv aes 128 {password b}
If you only do the first set of commands, setting up the group, you have created a container that can hold users but has none in it; in a sense you built a house and nobody lives there. You need to run the last command (all on one line) to finish the SNMPv3 configuration. The "access 90" and "access 95" keywords point at standard ACLs that must already exist and should permit only your management station. Note that IOS deliberately does not show SNMPv3 users in the running config, so "show snmp user" is the only way to check; if it returns nothing, you don't have a user configured and nothing can authenticate to SNMPv3.
ACLs
The next few vulnerabilities really dig into controlling what is allowed into your network from the perimeter/WAN-facing interface. To keep it simple on my network, I built a network object group called "Bad Addresses" and a port object group called "Bad Ports". The goal was to keep the number of ACL entries low.
V-14689: This has to do with blocking the loopback network (127.0.0.0/8) as a source address on anything entering your network from the WAN.
V-14690: This deals with blocking link-local addresses, better known as APIPA addresses (169.254.0.0/16), the same way.
V-14691: This deals with bogon and martian addresses, per RFC 5735 and RFC 6598. These are ranges IANA has reserved for special purposes rather than assigning them to a regional internet registry, so a packet arriving from the Internet with one of them as its source is almost certainly spoofed. The list includes Class D (multicast, 224.0.0.0/4) and Class E (240.0.0.0/4) space among others. When I implemented the full list, it really did a number on my network, because I was also using my router as the DHCP server. A DHCP client discovers the server with a source of 0.0.0.0 and a destination of 255.255.255.255, which fall in 0.0.0.0/8 and 240.0.0.0/4 respectively, so with those ranges filtered none of my clients could pull an address from the router. To keep the full list on the WAN interface while still allowing DHCP on the LAN, I had to create a second group called "Bad Addresses LAN" that leaves those two ranges out.
V-14692: These are your typical RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). I did block these, but only inbound from the WAN, since they are the addresses my LAN actually uses.
V-15294: Teredo is a tunneling mechanism that lets a computer encapsulate IPv6 in UDP so it can traverse IPv4-only networks, which most home networks are. If you don't block UDP port 3544, a device can push IPv6 traffic through your network without any of your IPv4 ACLs inspecting it.
V-25037: This really says that IOS 12.4 and lower has too many vulnerabilities to be on the network. In this STIG DISA uses PAT as the justification, but really there are a lot of services enabled by default on 12.4 and older that have been disabled by default on newer IOS releases.
Next post will be on the CAT II’s I remediated on my network.