During the Black Hat USA 2009, Felix “FX” Lindner has presented his researches concerning the exploitation of memory corruption software vulnerabilitiesin Cisco IOS. “The goal is to map out the problem space in order to allow for the anticipation of developments in the future, as current research suggests that exploitation of such vulnerabilities in the wild is not currently the case. By understanding the challenges that an attacker faces, defensive strategies can be better planned, a required evolution with the current state of Cisco IOS router networks.” says Felix ‘FX’ Lindner in his “Cisco IOS Router Exploitation” abstract.

Cisco Network Foundation Protection (NFP) is an umbrella strategy encompassing Cisco IOS Security features that provides the tools, technologies, and services that enable organizations to secure their network foundations. NFP helps to establish a methodical approach to protecting router planes, forming the foundation for continuous service delivery. The router is typically segmented into three planes of operation, each with a clearly identified objective: the data plane allows the ability to forward data packets the control plane allows the ability to route data correctly the management plane allows the ability to manage network elements. The vast majority of packets handled by [...]

In this article I would explain some tips for securing Cisco administrative access. When creating passwords, keep these rules in mind: Make passwords lengthy Passwords should combine letters, numbers, and symbols. Passwords should not use dictionary words Change passwords as often as possible Strong passwords are the primary defense against unauthorized access to your router. The best way to manage passwords is to maintain them on an AAA server, but not all people can have/manage a AAA server. Cisco provides a number of enhanced features that allow you to increase the security of your passwords. For the basic configuration read [...]

The spanning-tree protocol is used to cut loops that redundant links create in bridge networks. These packets are not attested by the system, so an attacker could spoof the BPDU and compromise the network stability! See below to understand BPDU attack: In this example the Ciscozine1 switch is elected Root Bridge due to the lower MAC-address (suppose that all the switches have the same priority).

Due to the number of CLI commands needed to manually disable services in an attempt to make the router more secure, Cisco introduced the AutoSecure feature from the Major Release 12.3 and subsequent 12.3 T. AutoSecure is a good command for customers without special Security Operations Applications because it allows them to quickly secure their network without thorough knowledge of all the Cisco IOS features. The command is available for the Cisco 800, 1700, 2600, 3600, 3700, 7200, and 7500 Series Routers. There are 2 mode: Interactive mode: prompts the user with options to enable and disable services and other [...]