What is the difference in a routers running configuration and startup configuration?

The Console Port

Any time you have to reset a router's password, or you face an instance where the router can no longer be connected to the network and thus is inaccessible through Telnet, you can use the console port. The console port is used frequently in situations when someone has misconfigured a router from home, or reboots it only to find that he has shut himself out and now needs to physically connect to the router and set things right.

Two other noteworthy facts about the console port are that it is used for router password resetting and as a default output destination for router status and debugging messages. I brought up password resetting in the beginning of this section. The console port is the only port on a Cisco router on which you can successfully bypass the stored configuration and subsequently reset the password. To this point, it is very important to have extra physical protection when it comes to access around your routers.

I have worked with penetration testers who have waltzed into a server room or network operations center posing as janitors. While on-scene, they have taken screenshots, cabled into the console port, and left their “calling card,” among performing other activities, to prove they were there. Once they had physical access, the game of defense was over for the staff. Please don't let that happen to you.

The other key function of the console port is that logging, debugging, and status messages are displayed through the console port by default. This is by design, as someone who is physically connected to the router at the console port needs to be aware of all the goings-on inside the router's head. You can change this by modifying the logging settings and issuing a monitor command while connected to the appropriate terminal interface.

This brings up an important point about recordkeeping and auditing. If you don't set up a system to deliver the alerting, debugging, and administrative log data to a logging system configured to receive system messages such as these, there is a chance that you will miss an event that occurred and will have no information regarding when it happened and who caused it. Such a system is called a syslog server. If you don't know whether a syslog server is being used in this way, maybe you should make that change.

If you really want to set up your router to send messages to a syslog server, use the following commands:

Router#configure terminal

Router(config)#logging facility local5

Router(config)#logging trap notifications

Router(config)#logging 192.168.1.1

Router(config)#logging rate-limit 25

Router(config)# service sequence-numbers

Router(config)#service timestamps log datetime msec localtime show-timezone

Router(config)#CTRL-Z

Router#copy running-config startup-config

The first command informs the IOS to use logging and to set it for logging syslog message type 6 or higher (see Cisco for the significance of syslog message type numbers: http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/4.2/user/guide/logging.html). Then the logging trap command selects the severity of messages you want logged. The syslog server IP address is designated next; so that we don't saturate the syslog server with messages, we are limiting the maximum rate at which syslog messages will be sent to the syslog server. In keeping with the spirit of this book, we are instituting sequence numbers so that the messages are logged sequentially. This makes it easier to detect whether the logs on the syslog server have been tampered with. We add a designation to have the time logged in milliseconds for improved correlation with events, and we include the time zone information (this part of the log details is very important when performing forensic activities on a system that may span different states or time zones).

I also encourage you to ensure that an access control list (ACL) is placed before the syslog server to make it harder for hackers to flood your syslog server with bogus event messages. You can also send your syslog messages to up to 16 different syslog servers so that different organizations or geographically separated teams will have the benefit of the log reports.

Throughout the rest of this chapter, I will describe features that will make logging effective, such as setting the network time from trusted sources as well as ACLs. I will also demonstrate turning off unneeded services, while enforcing username authentication to others.

If you are working as a network administrator or are involved in network security at your office, don't get the false idea that you can set and forget once you have configured logging. You job is not finished. All that data going to a syslog server still needs to be analyzed to determine whether incidents are occurring. If you are working in an incident response role and performing data collection, syslog servers can be faced with an incredible amount of information to parse through. It will blow your mind how much logging is done, and there is a temptation to become intimidated and walk away from it. The inescapable truth is that someone needs to look through the logged data and analyze it. No script, machine, or program can do that for you, as you have the most advanced analysis engine available: the one between your ears.

The good news is that I can repeat and further emphasize the point made by the lead author in the book's Preface to consider using Microsoft's Log Parser to analyze logged data. When you start using it and become familiar with using SQL queries to find the information you need, I am sure you will get hooked on it. Learning the SQL queries is easier than it sounds. Log Parser is available for download at www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx.

In addition, if you already used Log Parser and are interested in using a GUI front end along with SQL queries for IIS/W3C and Event logs, consider checking out Log Parser Lizard from www.lizardlabs.net. I've used this front end extensively to quickly pull out Web server data hits and quickly sort gigabytes of log data to track down unauthorized traffic and artifacts, and then save my queries in tabs or easily export the data to Microsoft Excel.

Don't be surprised if you encounter IT people who think the console port is the only place where the good action happens on a Cisco router. Network technicians and administrators are entitled to their beliefs. I would venture to say that you may become a member of their group if you happen to bring along your own Cisco console cable or have made one yourself that is compatible with Cisco routers, switches, Private Internet Exchange/Adaptive Security Appliance (PIX/ASA) firewalls, and other network devices.

Earlier in this section, I mentioned using an old Apple 8-bit computer to connect to my routers and switches. It's true; I do that. I will usually use my Linux or PC systems for the same purpose only when I have to write documentation or host a training session. The point is that as long as the serial communications protocol can communicate using RS-232, you are in business. Just remember these key asynchronous settings for your own equipment to work properly: 8 bits of data, no parity bit, and 1-bit stop, with no handshaking. If it helps, try to commit 8N1 to memory.

If you're really enthusiastic about making your own console cable, read the related How-to article, “Cabling Guide for Console and AUX Ports,” on Cisco's public Web site at www.cisco.com/en/US/products/hw/routers/ps332/products_tech_note09186a0080094ce6.shtml. It provides plenty of information on the correct pin-out and hardware pieces you need to make and recognize a proper console cable.

For our purposes in this chapter, we will use HyperTerminal to create a Connections setting profile for both a serial connection through the console port and Telnet through virtual terminals (VTY). First we'll address the console port.

Figure 6.1 shows the initial stages of opening HyperTerminal and selecting a meaningful connection name.

Figure 6.2 depicts the flow control, parity, and other settings. If you make a mistake with a setting, select File | Properties and then choose the Configure button to reset the setting as appropriate.

Once the asynchronous settings have been made, a terminal window will open and it may take only one or two key presses to direct data from the router's console port. In Figure 6.3, you can see that once a username and password were entered, the router immediately provided a privilege-enable mode prompt (Router#). This demonstrates how a username login looks after a certain amount of configuration is done to the router. It's really important to change any default usernames and passwords on your equipment. The default settings are the first things hackers try to exploit. Later in this chapter, I will show you the commands to establish usernames and change passwords, as well as logging in using the SSH secure protocol. Remember, this is not set or configured when the router comes out of the box, so you have to do it as a best security practice.

Thanks go out to Dale Liu for mentioning this “Easter egg.” HyperTerminal will allow you to set Cisco-console cable serial settings with the click of a button. When you are presented with the properties for COM1 (or whatever your serial port on your PC is set to), click the Restore Defaults button on the lower half of the window. Like magic, the settings I described earlier will be applied. Click OK and you are finished.

In this section, I discussed the basic settings to enable a console port connection to a router. Most of the configuration functionality, status message reporting, and debugging comes through the console port. Without it, you are unable to bypass startup scripts and change passwords. If you need to do this, the console port is your one ticket for success.

From this point on in the chapter, the code in the figures depicts the login of a level 15 user (who will have enable privileges). Take a close look at the prompt and you will see a # sign following the hostname of the router (i.e., Router#). Anytime you see a procedure in this chapter that moves directly from login to global configuration mode, understand that a custom configuration setting is allowed in only that particular setting, and it may not match your own experience on routers you encounter in the field.

The Auxiliary Port

The auxiliary (AUX) port has some special uses when it comes to Cisco routers, and most of them are for remote administration. When you connect using the AUX port, you normally don't get all the system status and debugging messages unless you make some changes and set the monitor setting to the AUX port. You can also use the AUX port as your remote login facility if you connected a modem to it and put it on a phone line where you can dial in. If you do this, however, practice due diligence and protect the AUX port and modem dial up, as every feature that is added to a network offers a computer attacker another method to get into the network and cause server trouble, and modem ports are no exception.

When you connect a modem to a router's AUX port you take on some rather large security responsibilities and you have some work to do to mitigate possible points of attack. To keep your router from being pillaged you can start by setting appropriate passwords on the AUX port before the temptation sets in to connect your modem. Ensure that the dial-up number to the modem is available only to people on the staff who can be trusted, and who need to know such information. Also, make sure the number is unpublished. When you follow these steps, you will be able to enjoy some of the benefits of remote administration while reducing the chances of a compromise.

You can use the AUX port as a second console port, but you will notice some differences once you log in to it the first few times. One of the key differences is that the status, logging, and debugging messages are not displayed on the AUX port unless you make some changes. You also don't see the system boot-up messages until the IOS is fully reloaded.

Figure 6.4 shows a configuration of the AUX port with the monitor command and the logging level set to monitor so that the commands will not be overrun by status messages.

You can see that a login was conducted, as well as a check on which port the login was performed. In this case, we confirmed that we were logged in to the AUX port, after which the AUX port configuration was modified and we exited from global configuration mode. As soon as that was finished, status messages of all kinds appeared.

If you really want to get your debugging and status messages to appear from the AUX port serial connection, here is how you perform the configuration:

Router#configure terminal

Router(config)#line aux 0

Router(config-line)#monitor

Router(config)#logging synchronous

Router(config-line)#CTRL-Z

Router# copy running-config startup-config

If you are cabled into the AUX port, you should see status messages pop up onto the terminal window.

Remember that we talked about protecting the AUX port from intrusion attempts at the beginning of this section? The next code snippet will address how to lock down and render the AUX port inoperable. This is an easy item to inspect for security compliance, courtesy of our friends at the National Security Association (NSA) and their contributions toward furthering router security awareness; the NSA's router/switch configuration hardening guide has done wonders toward that end. Here are the commands entered into the command-line interface (CLI):

Router#configure terminal

Router(config)#line aux 0

Router(config-line)# login local

Router(config-line)#no exec

Router(config-line)#exec-timeout 0 1

Router(config-line)#tranport input none

Router(config-line)#CTRL-Z

Router# copy running-config startup-config

Here we have applied an overabundance of countermeasures. We set the idle timeout to one second and zero minutes; we removed the exec banner; and we disabled the input transport.

Clock

The show clock command is important as it allows you to establish a synchronized timeline for your other information. Regional differences and drift in switch clocks may cause an incorrect timestamp, so you need to be sure that the time on the switch corresponds with time in the real world. Figure 11.7 shows the output of the show clock command.

Version

The show version command gives basic information regarding the switch. Important information to note is uptime, which will indicate whether the switch has been restarted; and the hardware and IOS versions, so any known problems/vulnerabilities can be evaluated. Figure 11.8 shows sample show version output from a Cisco 2924 switch.

Running Config

The running configuration is a volatile piece of information. Any changes to the switch will be indicated in the running configuration. Cisco switches store this configuration file in memory, not in NVRAM, so when the lights go out, this also goes away. To show the running config, use the show running-config command. Figure 11.9 shows the output of this command.

Startup Config

The startup configuration is used when the switch starts up. After starting the IOS, the switch uses the startup configuration to configure the switch. Typically, the running configuration and startup configuration are the same because Cisco professionals use the following command from privileged exec mode to synchronize the two: copy running-configuration startup-configuration. Differences between the two may indicate that tampering has occurred in the system.

To show the startup config, use the following command:

Switch#show startup-config

The output of the show startup-config command is identical in format to that of the show running-config command.

MAC Table

Switches learn Media Access Control (MAC) addresses, which are the 48-bit addresses that are hardcoded into networking cards and devices. This learning process allows switches to make routing decisions for packets based on Layer 2 addresses and effectively cut down on traffic on the network. The MAC addresses are dynamically built using a learning method which examines the source MAC address portion of a packet and associates that address with the port number on which it originated. This information is stored in the switch's memory, in what is called the MAC address table. This table, shown in Figure 11.10, contains the MAC addresses, ports on which they were found, and whether they were learned or statically entered. To show the MAC address table, use the show mac command.

Banners

A banner is the screen you are greeted with before you log in to a switch. Banners are necessary to help reinforce the point that intrusion into another computer system by unauthorized persons is illegal. Every state has its own laws concerning cyberintrusion. You would be wise to consult with your company's legal team on the best wording that would allow intruders to be warned and prosecuted. You can use the banner motd command to create a “Message of the Day” which will be shown to everyone who attempts to log on to the switch.

To set a “Message of the Day” banner, use the following command (note that the $ character is used to indicate the beginning and end of the banner):

Switch(config)#banner motd $

Enter TEXT message. End with the character ‘$’.

********************************************************************************

Warning - this device is private property.

Unauthorized use prohibited under state and federal law.

All access to this device is subject to monitoring, logging, tracking and investigation.

Inappropriate use may be punished to the fullest extent allowed under the law.

********************************************************************************

$

Logging

As good as the information is on the switch, it cannot capture all of the data that would be helpful to you. Most organizations also include logging to a separate syslog server, as shown in Figure 11.11, where very granular bits of information can be stored. An example is to set up a system such as Microsoft's Log Parser (www.microsoft.com) or Kiwi's Syslog (www.kiwisyslog.com) to serve as the repository for logging information.

To enable logging to a syslog server at IP 10.1.1.2 on the switch, use the following command:

Switch#config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#logging 10.1.1.2

You can configure switches for up to 16 syslog servers so that different Cisco technicians can receive different logs from the switch. For example, one person could be getting messages related to network performance and another could be receiving security alerts.