Joined: 30 May 2002
|Posted: Thu Oct 23, 2003 6:32 pm Post subject: How can I post device configurations safely in public
I'll be discussing how to protect your network security when posting
device configurations in a public place. It's something that we all do from
time to time and a great tool to get help from others.
However raw device configurations such as routers and firewalls are
golden to any would be malicious hacker. This information is routinely
described as The Keys to the Kingdom in security circles. With the
real information an attacker can focus their hunt from any of millions and
millions of devices down to any of less than a hundred devices, or even a
single device, worldwide.
There are several aspects you must protect. With proper care and five or
ten minutes you can protect yourself completely..
Your first step is to copy and paste your entire config into notepad or
WordPad - anywhere you can do a search and replace.
1) Your Public Address Space
The most important things to protect are your public IP addresses.
* EDIT 02/27/03 EDIT *
It has been brought to my attention that public IP addresses are
available to anyone. This, unto itself is true but does not account for the
Why should you broadcast to the whole world -
My domain name is xyz.com, my webserver is on this address, my FTP
server is on another, my mail server is right here, (and BTW it's an
Exchange Server with OWA and also runs SMTP, IMAP), I allow PC
Anywhere to this other address, I have a PIX-to-PIX VPN running and it
connects using these protocols, I have three MSSQL servers at these
addresses that also have SMTP forwarding?
The list goes on. Fact of the matter is, without real IP addresses, this
information gives no advantage whatsoever to a would-be attacker
That design and configuration is your secret. That's what makes your
network unique. In fact, the clever use and distribution of address
space/devices and services and services is part of a secure design.
You may think you have got them over a barrel by a statement:
"access-list 101 deny icmp any any"
That stops people from getting responses to pings directed at your
addresses. It makes the malicious hacker's job a little trickier since
they need to use different, more time consuming methods to identify your
Malicious hackers spend hours, days, or months just scanning a range of
addresses to find out what services are running on what addresses. By
posting your raw configuration in a public forum you eliminate the need
for them to scan a single address. They can go directly into the Operating
System and Service Identification process. Then they try known exploits
and that's it - end of story. Why make it easy for them?
This doesn't even address little things like SSH or VPN configs. With
known exploits to these they can simply attack your PIX with them and
bypass ALL SECURITY MEASURES you may have in place. The fact you
have SSH configured is not a security risk - unless you tell them what IP
address it's on. Same goes for things like AAA, RADIUS and TACACS
* END EDIT 02/27/2003 EDIT END *
A Public Address is any IP address that is NOT
10.XXX.XXX.XXX, 192.168.XXX.XXX, or 172.16.XXX.XXX through
Anyone worth their oats will be able to help you without real addresses.
It's perfectly acceptable to change your addresses to something fictitious
but, for my time, I'd just as soon replace it with text. Generally people
replace the first three octets with text.
For Example, if my public address was 126.96.36.199, I would search
for 209.205.124 and replace it with MY.PUBLIC.NET. It's very simple and
quick to perform this on your entire configuration.
1a) Remote or Client Public Address Space
If your device accesses other public address space, as in VPN or static
routes, change those addresses as well. Most likely you can just delete
the lines entirely. If you are discussing this as a problem, protect it. Don't
forget, this address may be your client's machine and you are obliged to
maintain that confidentiality.
2) Password Protection
Next you need to protect your passwords. In some devices your password
is displayed in clear text or as a long series of seemingly random
characters. Believe it or not, that string is easily reverse engineered into
your clear text password.
There are not very many of these in any config. Nine times out of ten you
can simply delete the lines from your config before posting them publicly.
There is no one in a public forum that needs this info. Otherwise it's a
short task to manually replace the entire strings with a series of asterisks.
This same rule applies to any AAA username/passwords that are set in
the config. I find it easiest simply to delete the lines entirely.
3) Private Address Space
It's a judgment call whether or not you rename all your private
addresses. My config always has so many different networks in it, it's
nearly impossible to rename them all and still make sense of it. I usually
just rename the address space in use in my building. Other private
networks I leave as is.
So, for example, my inside network is 10.20.30.0 and my DMZ network is
10.20.50.0. I search and replace 10.20.30 with MY.PRIV.NET and 10.20.50
I figure it only adds another 20 seconds or so to my task so why not?
4) Host Names, Device Names, Domain Names etc.
Next, search and replace the hostname with something nondescript. The
less information you give a would-be attacker the better.
Check for text information that would potentially compromise you or your
client. Information such as domain names i.e. 'domain tek-tips.com'
should be masked as well as any other named devices listed. Especially
protect named devices that may reflect your company name or web
domain. For example - if my config referred to a device name that very
closely resembled my company's name, change it. Just change the
statement to read something like domain mydomain.com.
5) Time Zone and Geographic Location Information
Then there is time zone info. Once again - on a global forum, you can tell
a malicious person that you are in the Central Time Zone - that's quite a
nice assist for the attacker -
Could be any device anywhere in the world
It's definitely a device located in the GMT-6 hour zone
Just delete the lines entirely unless you are dealing specifically with time
related issues. Even then, it's easy enough to get what you need without
giving real information.
6) Trim and Remove Non Essential Information
If you're experienced enough to know exactly which part of your
configuration you are having trouble with, just post up that portion. Too
much information can often confuse the issue. If I am having trouble with
a simple route statement, there's no reason to post up dozens of lines
access-lists or static NAT statements.
In conclusion, it's well worth your time to protect yourself. Ask yourself:
Would I rather spend ten minutes editing my config or would I prefer
spending weeks and weeks repairing my hacked network?
I haven't even gone into the dark areas of liabilities your company, and
you personally, could incur if client's data were compromised due to a
careless post on the Internet.
These guidelines are valid any time you are posting any information about
your network in a public place.
Feel free to share this with anyone, but I would appreciate the credit for writing it.