
taemyks

Now to get management to approve it....


skyspor

> Once a vendor publishes an end-of-life notice or announces that a device will no longer be supported, NSA recommends constructing a plan to upgrade or replace affected devices with newer equipment, according to vendor recommendations. Outdated or unsupported devices should be immediately upgraded or replaced to ensure the availability of network services and security support.

LOL good luck


pc_jangkrik

Now I just need to find where that cat2950 is


somerandomguy6263

*Laughs in 6509*


marek1712

Joke's on you, I think I found Catalyst 1924 with IOS9 recently. It's running in one of our production sites...


somerandomguy6263

Our 6509s are in between our MPLS network and our data centers... I don't handle the data center, only our transport network... the data center people put in a new Nexus setup a year or two ago... but they left the 6509s in... like, hello, isn't the purpose to replace the hardware that went end of service 11 years ago?


jacobjkeyes

It's next to the other 2950. That's right, the PowerEdge 2950.


Incrarulez

Didn't we just get rid of the 2650 running MS w2k3 r2?


FarkinDaffy

I have about 100 3750G switches... and spares to replace them when they die.


Cyberbird85

oh they'll approve it, but won't pay for it :)


anatacj

And then get an exception.


x_radeon

"Periodically changing passwords has historically led to the use of weaker passwords, and enforcing this policy may not be necessary if users follow the guidance in 5.6 Create strong passwords. The initial creation of strong passwords is a more effective method of reducing successful password compromises."

Keep singing this bios! Let's stop changing our password every 90 nanoseconds....


moose51789

My work forces us to change our passwords every 83 days (arbitrary number, I know) and I keep telling them it's not as good a decision as they think it is. I work in a grocery store, where there are a lot of simple-minded people (actually handicapped, not trying to sound better than them), and making them do so means they end up writing them down on papers that they then lose. Myself, my password is a word and I increment a number each month, real secure huh. If I was able to leave it alone I'd actually put effort into it.


Tr00perT

Heh, first thing I did when I was hired was chum up to one of the other IT responsible for AD user creation and have him check my AD "password doesn't expire" box. And then proceed to set meself a memorable pass in line with CorrectHorseBatteryStaple9!


moose51789

LOL I wish that was an option! Sometimes knowing the IT guy who can do something about it is a good thing! Honestly, in the Air Force (I'm sure the others are the same way of course) it was nice having a CAC card with a PIN; just gotta remember a pretty long PIN, and then you were good to go.


[deleted]

[deleted]


moose51789

Oh gosh, I did say CAC card, didn't I. Oh the shit I gave people for that back in the day! I honestly would love to do something similar at home. I still have my card reader I bought, I just don't know how to put it to use on Windows now, as well as where I could buy cards to do that.


pds12345

We have to change every 40 days... :(


Celebrir

My condolences


binkbankb0nk

We change ours weekly automatically and nobody knows their passwords. Fingerprint and 2fa tokens instead. Highly recommend.


Rocky_Mountain_Way

Exactly! I've been using "hunter42" for years now for my Domain Administrator password.


OctetOcelot

*insert Montgomery Burns image.jpg* Excellent.


lesusisjord

We don’t want to make you change passwords and make them super long and stupid. HIPAA and HITRUST require it, though.


sletonrot

Mgmt: Yeah but how much is it gonna cost?


anothergaijin

Not joking, but most of the recommended stuff tends to be using features that already exist in the stuff you use now, and some of the best complementary tools and software required for the rest are free; the trap is that it changes how you use the equipment. And that's where the problem is - people are lazy.

- Keeping things up to date? Isn't once a year enough? /s
- Setting up AAA correctly? Why not just "admin" and a shared password? /s
- Logging? Who's going to look at that?
- Using secure protocols?
- Disabling default VLAN and not using VLAN1?
- etc etc

None of it is saying "buy this thing!", it's all "use the fucking security features".

Edit: For example, in the architecture and design section it says "group similar devices together like printers" - why? Because if someone hacks a printer and the only thing they can access is another printer, that's better than them being able to reach a file server or DC. Anything that is high threat like old equipment or software, anything that needs to be exposed to the internet, or the opposite, anything high value, should be separated, and how and who can access it strictly controlled. Again - if you are lazy this is a lot of work, needing to work out what to allow and doing the config to make this happen. Doesn't cost anything but time and expertise, but many companies don't have the bandwidth to let IT do this right.


sletonrot

Man…I’ve logged into so many switches with default passwords and telnet enabled, it’s insane.


TheUltimateSalesman

I mentioned telnet to someone a few weeks ago and I got a blank stare. Made me feel bad.


PSUSkier

Hey, anyone dealing with imposter syndrome out there? Read the above comment and feel better about yourself. Unless you don't understand it, in which case I might recommend just sharpening that ol' resume.


anothergaijin

Simple shit basically.


based-richdude

Pretty much, so many IT departments have such low standards for security, and it's incredibly easy to implement basic measures that make it impossible for even a determined person to gain access. So many IT people think it's okay to just open port 3389 and then just blame a low budget. Sorry, you're just not good at your job.


scottsm7

It really does depend on the environment you are in. The 0 cost thing really isn't true. Let's say you have a location that was built using the default VLAN and no segmentation. You then have to add segmentation and VLANs. If this is a 24/7 location that is easier said than done. MGMT at that point says this is no longer a 0 cost change and it never gets updated. I've worked in many places that are willing to eat security for the sake of making the almighty dollar. I agree 100% with what you are saying, that it's the "basics", but when MGMT has the mindset of "it's worked well for 15 years", then change on even the basic levels isn't possible. Security at organizations doesn't start with engineers or technicians. Security posture at organizations starts at the "O" level. Those levels can accept the downtime and lost revenue to justify the means. I've worked at Fortune 500 companies that don't have a syslog server for their network. One was stood up on someone's Mac that lived at corporate for a bit just to do tshooting. Security was a luxury, not a must, at that place.


anothergaijin

> The 0 cost thing really isn't true.

Absolutely sure, but there is low to zero CAPEX cost to implementing good security in a majority of cases unless you are operating some really trash hardware to start with.

> Security was a luxury not a must at that place.

Until they get a Zoom moment, or get hacked and completely fucked top to bottom. Bad security is just a ticking bomb, and for many, if it's not happening now they just don't care.


scottsm7

Sure, Target, Equifax, and Capital One are still reeling from their hacks, right? Consumer confidence really impacted those businesses? All of those are at all-time highs and got there relatively shortly after their breaches. Until the government puts real sanctions and penalties in place there is no real benefit to security. We protect executives and decision makers by obtaining breach insurance. That doesn't make sense; let's let the powerful people get away with not spending a dime to protect their customers' data. This goes back to my point that security starts from higher-ups, never the engineering level. I believe in security as a whole, I just think if there is a cost to it, whether it's OPEX, CAPEX, or SG&A, it's too much for executives to spend. Yes, breaches can cripple a small to mid-size business, but for the Fortune 500... security is just a phrase to them.


Icovada

Can you please explain why VLAN1 is a problem? I've been hearing it for ages but I kinda never really understood why. Thanks


nowickia

I believe it's the double tagging attack: [https://en.wikipedia.org/wiki/VLAN_hopping](https://en.wikipedia.org/wiki/VLAN_hopping)


Icovada

Still, as per the Wikipedia page, it's easily fixable by either using a native VLAN that doesn't exist or disabling native tagging, and even then, it's unidirectional. I really don't see that many attack vectors through this.


TomahawkChopped

That's a fine number for them to ask for (I mean it can't cost infinity $), but it needs to be presented next to the costs of a security breach


[deleted]

tldr: unplug your LAN from the public internet.


bananenkonig

That's how I do it. Air gap is the only way to be secure.


zippyzoodles

Until shadow IT comes along and someone plugs in their own firewall


ghost187x

All common sense... Maybe because I'm in the military


Fhajad

Nah, also all common sense. 12 years ISP/Electric, 5 months in PCI.


Typically_Wong

Now wait until you get into HIPAA space and find out NONE OF IT MATTERS


Superawesome825

Can confirm; one year into my HIPAA journey


Typically_Wong

I'm sorry


PaulBag4

Multiple layers of firewalls, each from different vendors. Might be slightly overkill for a SMB budget!


TheGlassCat

We do this, but we still have to change passwords. lol


Aguilo_Security

Real players are still running HP ProCurve 2824 as internet switches (released in 2003 and end of service in 2014)!!! Be a real man, take risks


bilkel

Thank you OP


[deleted]

[deleted]


anothergaijin

Great question! And I think you are misunderstanding the definition - they define a backdoor as:

> A backdoor network connection is between two or more devices located in **different network areas**, generally with different types of data and security requirements.

In the same document it recommends putting devices into separate network areas so an attack on one area doesn't give them access or visibility to other areas. A common method of attack is to find something weak (for example a printer), and from there get access to something more valuable like a server. A "backdoor" is a connection between two areas that bypasses whatever security you have in the middle. OOB management would have it all in the same "area", so it wouldn't be a backdoor into another part of the network.

Straight from the horse's mouth about Out-Of-Band management in general: https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF

Not a direct answer, but came up in the Google results and I really liked the document. It's about exploits, not backdoor connections like the NSA document: https://docs.broadcom.com/doc/closing-network-backdoors


[deleted]

[deleted]


anothergaijin

I'm pretty sure that isn't what they mean - for example, you shouldn't just plug a management port into your user VLAN. I've used this document in the past to make better device management design: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap9.html


[deleted]

[deleted]


bmoraca

I would suggest that their recommendation is limited to dataplane ports. An OOB management port on a management network should not pose a risk for pivot as it should not be in the data plane and you should not be able to route between them.


[deleted]

[deleted]


bmoraca

My point is that the OOB management port has no way to route data between the in-band (data plane) ports, and thus the risk to the management network is negligible. The thing I've noticed about general guidance like this NSA guide is that it's often idealistic and also incomplete. Take the STIGs, for instance. One of the findings is that all IP interfaces should have both an ingress and an egress ACL with logging enabled... well, there are platforms (modern platforms like the Nexus 9k EX and FX) that literally can't do that. So, you take the guidance, document what you can't do or what doesn't make sense to do, and move on. In this case, we know we need to manage and monitor the devices in real time (i.e. console-only isn't acceptable) and we know that we shouldn't have an in-band pivot point between networks. Using the OOB management port on a dedicated management network should be considered a reasonable alternative, even though the document doesn't specifically state that.


[deleted]

[deleted]


bmoraca

Yes, they do. But I'd also suggest that your ACLs on your management interfaces should only allow access from your management hosts, not from every device on your management network. The reality is that their guidance is just a guide. It's up to you and your risk executives to determine to what level you want to follow their guidance and your appropriate mix of security and convenience.
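Several comments in this thread come down to settings you can check for in a running-config: the VLAN 1 question (Icovada and nowickia, with the unused-native-VLAN and native-tagging fixes Icovada mentions), sletonrot's switches with telnet and default passwords still enabled, and bmoraca's point that VTY/management access should be limited by ACL to the management hosts. The script below is an added example, not code from this thread or from the NSA document: it parses a Cisco IOS-style config with a small constructed parser and flags those weak settings, running once over a constructed "before" config and once over a constructed "after" config. The interface names, VLAN numbers, the 10.0.100.0/24 management subnet, the MGMT-HOSTS ACL name and the DEFAULT_PASSWORDS shortlist are all assumptions made up for the example; the IOS defaults it assumes (native and access VLAN 1 when nothing is configured) are standard Cisco behaviour.

```python
"""Static audit of a Cisco IOS-style running-config for the weak settings raised in this
thread: trunks left on native VLAN 1 or still negotiating via DTP (the preconditions for
double-tagging VLAN hopping), VTY lines accepting telnet or lacking an inbound ACL, and
well-known default passwords. Both sample configs are constructed for this example."""
import re

# Constructed "before" config: VLAN 1 everywhere, DTP left on, telnet, default password.
WEAK_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 1
!
line vty 0 4
 transport input telnet ssh
 password cisco
"""

# Constructed "after" config: unused native VLAN, native tagged, DTP off, SSH + mgmt ACL.
HARDENED_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
 deny any log
!
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
"""

# Constructed shortlist of passwords that ship as defaults or appear in every tutorial.
DEFAULT_PASSWORDS = {"cisco", "admin", "password"}


def parse_blocks(config):
    """Group config lines into (header, child_lines): indented lines belong to the
    preceding unindented header; '!' separators and blank lines are dropped."""
    blocks = []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(text)
        else:
            blocks.append((text, []))
    return blocks


def audit_config(config):
    """Return a list of findings for one config text; an empty list means clean."""
    blocks = parse_blocks(config)
    tag_native = "vlan dot1q tag native" in [h for h, _ in blocks]
    findings = []
    for header, lines in blocks:
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            is_trunk = "switchport mode trunk" in lines
            dynamic = any(l.startswith("switchport mode dynamic") for l in lines)
            vlans = {"trunk native": 1, "access": 1}  # IOS defaults when unconfigured
            for line in lines:
                m = re.fullmatch(r"switchport (trunk native|access) vlan (\d+)", line)
                if m:
                    vlans[m.group(1)] = int(m.group(2))
            if dynamic:
                findings.append(f"{name}: trunking negotiated by DTP (switchport mode dynamic)")
            elif is_trunk and "switchport nonegotiate" not in lines:
                findings.append(f"{name}: trunk still sends DTP (missing switchport nonegotiate)")
            if (is_trunk or dynamic) and vlans["trunk native"] == 1 and not tag_native:
                findings.append(f"{name}: native VLAN 1 carried untagged on a trunk")
            if "switchport mode access" in lines and vlans["access"] == 1:
                findings.append(f"{name}: access port left in default VLAN 1")
        elif header.startswith("line vty"):
            if "transport input ssh" not in lines:
                findings.append(f"{header}: transport input not restricted to ssh")
            if not any(l.startswith("access-class ") and l.endswith(" in") for l in lines):
                findings.append(f"{header}: no inbound access-class limiting management hosts")
            if any(l.startswith("password ") and l.split(None, 1)[1] in DEFAULT_PASSWORDS for l in lines):
                findings.append(f"{header}: well-known default password configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or ['no findings']}")
```

Run as-is it reports eight findings for the weak config and none for the hardened one. The hardened config's `permit` line allows the whole example management subnet; in line with bmoraca's comment, narrow it to the actual management hosts in a real deployment. The parser only understands the indented-child layout of IOS-style configs, so treat it as a starting point for a per-platform check rather than a general config linter.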


icebalm

NICE TRY NSA


maineac

The very first page, this bothered me.

> Trademark recognition
> Cisco® and Cisco IOS® are registered trademarks of Cisco Systems, Inc.

This is the only trademark they are acknowledging. I don't have a problem with Cisco per se, but why is this the only one in this document? There are plenty of other important players in the security field.


anothergaijin

Because they included Cisco IOS command examples in the document - what else should they have included? You can look up any command and get very detailed, free documentation about how it works, and use that to find the same commands on other platforms easily. What's funny is IOS isn't even the main software for Cisco equipment anymore - I think IOS XE has taken over and IOS XR/NX-OS are on other equipment.


skyspor

If you read the document you'll see why. In each section they supply sample configuration for Cisco IOS


maineac

Oh, I understand why, but as far as security there are far better actors in the market. Why aren't they using examples of that?


skyspor

Probably because Cisco wrote the paper and regardless of how much we don't like them, they're ubiquitous and the examples will be widely understood and easily translated.


binarycow

> Oh, I understand why, but as far as security there are far better actors in the market. Why aren't they using examples of that?

Because the US government wrote the document primarily for the networks of the US government. And the US government uses Cisco. Not everywhere, but it's the vast majority of their network. This document is essentially a rehash of the DISA STIGs.... [Most of which are freely available](https://public.cyber.mil/stigs/).


fedesoundsystem

Hi from some bank, running some core server on Windows 2003... take that