Nipper Studio
Audit Report 2 March 2017
Summary
Nipper Studio performed an audit on 2 March 2017 of the network device detailed in the scope. The audit consisted of the following components:
a best practice security audit (Part 2);
a software vulnerability audit report (Part 3);
a configuration report (Part 4).
Scope
The scope of this audit was limited to the device detailed in Table 1.
Table 1: Audit device scope
Device | Name | OS
3COM 5500 Series Switch | 5500-EI | SS4
Security Audit Summary
Nipper Studio performed a security audit of the one device detailed in the scope and identified 21 security-related issues. Although significant issues were identified that Nipper Studio recommends should be reviewed as soon as is practical, most of the security issues were rated as low or informational. Each of the issues identified is described in greater detail in the main body of this report.
Nipper Studio identified a number of clear-text protocol related issues. It is important that all clear-text protocol services should be replaced with cryptographically secure alternatives in order to help prevent unauthorized eavesdropping of potentially sensitive data. Furthermore, the clear-text services are often used for administration purposes, and a malicious user, or attacker, who is able to monitor the communications may also gain access to authentication credentials that could then lead them to gain administrative access to the system.
Nipper Studio can draw the following statistics from the results of this security assessment (percentages have been rounded): 1 issue (5%) was rated as critical, 1 issue (5%) was rated as high, 7 issues (33%) were rated as medium, 6 issues (29%) were rated as low and 6 issues (29%) were rated as informational.
Vulnerability Audit Summary
Nipper Studio performed a vulnerability audit of the zero devices detailed in the scope.
Table 2: Summary of findings from the Vulnerability Audit for each device
Device | Name | Critical | High | Medium | Low
3COM 5500 Series Switch | 5500-EI | 0 | 0 | 0 | 0
Contents
1 Your Report
1.1 Introduction
1.2 Evaluation Use Only
1.3 Report Conventions
1.4 Network Filtering Actions
1.5 Object Filter Types
2 Security Audit
2.1 Introduction
2.2 Users With Dictionary-Based Passwords
2.3 No Hypertext Transfer Protocol (HTTP) Server Session Timeout
2.4 Clear Text HTTP Service Enabled
2.5 User Account Names Contained "admin"
2.6 AUX Port Not Disabled
2.7 No HTTP Service Network Access Restrictions
2.8 Syslog Logging Not Enabled
2.9 Network Time Protocol (NTP) Control Queries Were Permitted
2.10 No Time Synchronization Configured
2.11 Weak User Account Lockout Policy Setting
2.12 Proxy Address Resolution Protocol (ARP) Was Enabled
2.13 Weak Password History Policy Setting
2.14 Weak Password Age Policy Setting
2.15 No Warning In Pre-Logon Banner
2.16 Interfaces Were Configured With No Filtering
2.17 Information Leakage In Banner Message
2.18 No Post Logon Banner Message
2.19 Weak Password Expiry Warning Policy Setting
2.20 Filter Rule Allows Packets From A Network Source
2.21 Filter Rule Allows Packets From Any Source
2.22 Filter Drop Rules Were Configured Without Logging
2.23 Conclusions
2.24 Recommendations
2.25 Mitigation Classification
3 Vulnerability Audit
3.1 Introduction
3.2 Conclusions
3.3 Recommendations
4 Configuration Report
4.1 Introduction
4.2 3COM 5500 Series Switch 5500-EI Configuration Report
4.2.1 Basic Information
4.2.2 Network Services
4.2.3 Authentication
4.2.4 Administration
4.2.5 Logon Banner Messages
4.2.6 Simple Network Management Protocol (SNMP) Settings
4.2.7 Message Logging
4.2.8 Name Resolution Settings
4.2.9 Network Protocols
4.2.10 Network Interfaces
4.2.11 Network Filtering
4.2.12 Time And Date
5 Appendix
5.1 Logging Severity Levels
5.2 Common Time Zones
5.3 Internet Protocol (IP) Protocols
5.4 Internet Control Message Protocol (ICMP) Types
5.5 Abbreviations
5.6 Nipper Studio Version
1 Your Report
1.1 Introduction
This report was produced by Nipper Studio on 2 March 2017. This report consists of the following sections:
a security audit section which details any identified security-related issues. Each security issue identified includes details of what was found together with the impact of the issue, how easy it would be for an attacker to exploit and a recommendation. The recommendations may include alternatives and, where relevant, the commands to resolve the issue;
a software vulnerability audit section that provides a comparison of the device software versions against a database of known vulnerabilities. In addition to a brief description, each potential vulnerability includes a CVSSv2 score and references to more specific information provided by the device manufacturers and third parties;
a configuration report which details the configuration settings of all the audited devices in an easy to read format. The configuration settings are divided into report sub-sections which group related settings together and provide additional information about their purpose.
1.2 Evaluation Use Only
The version of Nipper Studio used to generate this report was licensed for evaluation purposes only. For more information on licensing options you can contact Titania or one of our partners to discuss your requirements.
1.3 Report Conventions
This report makes use of the text conventions detailed in Table 3.
Table 3: Report text conventions
Convention | Description
command | This text style represents a device command that should be entered literally.
user data | This style of text represents a part of a device command that you should substitute with a relevant value. For example, a command that sets a device's IP address would use this text style in a position where the address should be entered.
[ ] | These are used to enclose a part of a command that should be treated as optional.
{ } | These are used to enclose a part of a command that is required.
| (vertical bar) | This is used to divide options which could be enclosed in either required or optional braces.
1.4 Network Filtering Actions
This report includes a number of network filter rules. Table 4 describes the filter rule actions used within the report.
Table 4: Network filter rule actions
Action | Description
Allow | Allow the network traffic, enabling it to pass through to its destination.
Drop | Drop the network traffic, preventing it from reaching its destination and not informing the sender that it has been dropped.
1.5 Object Filter Types
This report details the type of network objects used within the filter rules. Table 5 describes the object types used within the report.
Table 5: Network filter object types
Object Type | Description
(icon) | Specific IPv4 or IPv6 network address.
(icon) | Describes a range of IPv4 or IPv6 addresses.
2 Security Audit
2.1 Introduction
Nipper Studio performed a security audit on 2 March 2017 of the device detailed in Table 6.
Table 6: Security audit device list
Device | Name | OS
3COM 5500 Series Switch | 5500-EI | SS4
2.1.1 Security Issue Overview
Each security issue identified by Nipper Studio is described with a finding, the impact of the issue, how easy it would be for an attacker to exploit the issue and a recommendation.
Issue Finding
The issue finding describes what Nipper Studio identified during the security audit. Typically, the finding will include background information on the relevant configuration settings before describing what was found.
Issue Impact
The issue impact describes what an attacker could achieve from exploiting the security audit finding. However, it is worth noting that the impact of an issue can often be influenced by other configuration settings, which could heighten or partially mitigate the issue. For example, a weak password could be partially mitigated if the access gained from using it is restricted in some way.
Issue Ease
The issue ease describes the knowledge, skill, level of access and timescales that would be required by an attacker in order to exploit an issue. The issue ease will describe, where relevant, if any Open Source or commercially available tools could be used to exploit an issue.
Issue Recommendation
Each issue includes a recommendation section which describes the steps that Nipper Studio recommends should be taken in order to mitigate the issue. The recommendation includes, where relevant, the commands that can be used to resolve the issue.
2.1.2 Rating System Overview
Each issue identified in the security audit is rated against both the impact of the issue and how easy it would be for an attacker to exploit. The fix rating provides a guide to the effort required to resolve the issue. The overall rating for the issue is calculated based on the issue's impact and ease ratings.
Impact Rating
An issue's impact rating is determined using the criteria outlined in Table 7.
Table 7: The impact rating
Rating | Description
CRITICAL | These issues can pose a very significant security threat. The issues that have a critical impact are typically those that would allow an attacker to gain full administrative access to the device. For a firewall device, allowing all traffic to pass through the device unfiltered would receive this rating as filtering traffic to protect other devices is the primary purpose of a firewall.
HIGH | These issues pose a significant threat to security, but have some limitations on the extent to which they can be abused. User level access to a device and a DoS vulnerability in a critical service would fall into this category. A firewall device that allowed significant unfiltered access, such as allowing entire subnets through or not filtering in all directions, would fall into this category. A router that allows significant modification of its routing configuration would also fall into this category.
MEDIUM | These issues have significant limitations on the direct impact they can cause. Typically, these issues would include significant information leakage issues, less significant DoS issues or those that provide significantly limited access. An SNMP service that is secured with a default or a dictionary-based community string would typically fall into this rating, as would a firewall that allows unfiltered access to a range of services on a device.
LOW | These issues represent a low level security threat. A typical issue would involve information leakage that could be useful to an attacker, such as a list of users or version details. A non-firewall device that was configured with weak network filtering would fall into this category.
INFO | These issues represent a very low level of security threat. These issues include minor information leakage, unnecessary services or legacy protocols that present no real threat to security.
Ease Rating
An issue's ease rating is determined using the criteria outlined in Table 8.
Table 8: The ease rating
Rating | Description
TRIVIAL | The issue requires little-to-no knowledge on behalf of an attacker and can be exploited using standard operating system tools. A firewall device which had a network filtering configuration that enables traffic to pass through would fall into this category.
EASY | The issue requires some knowledge for an attacker to exploit, which could be performed using standard operating system tools or tools downloaded from the Internet. An administrative service without or with a default password would fall into this category, as would a simple software vulnerability exploit.
MODERATE | The issue requires specific knowledge on behalf of an attacker. The issue could be exploited using a combination of operating system tools or publicly available tools downloaded from the Internet.
CHALLENGE | A security issue that falls into this category would require significant effort and knowledge on behalf of the attacker. The attacker may require specific physical access to resources or to the network infrastructure in order to successfully exploit the vulnerability. Furthermore, a combination of attacks may be required.
N/A | The issue is not directly exploitable. An issue such as enabling legacy protocols or unnecessary services would fall into this rating category.
Fix Rating
An issue's fix rating is determined using the criteria outlined in Table 9.
Table 9: The fix rating
Rating | Description
INVOLVED | The resolution of the issue will require significant resources to resolve and is likely to include disruption to network services, and possibly the modification of other network device configurations. The issue could involve upgrading a device's OS and possible modifications to the hardware.
PLANNED | The issue resolution involves planning, testing and could cause some disruption to services. This issue could involve changes to routing protocols and changes to network filtering.
QUICK | The issue is quick to resolve. Typically this would just involve changing a small number of settings and would have little-to-no effect on network services.
Notes
It is worth noting that Nipper Studio is unable to provide an accurate threat assessment due to a lack of contextual information. For example, in the case where highly sensitive information is processed, a Denial of Service (DoS) vulnerability poses less of a threat than the integrity of the data or an attacker gaining access to it. Similarly, for a situation where up-time is critical, a DoS vulnerability could be more important than the leakage of sensitive information. Therefore the ratings provided by Nipper Studio are only intended to be a guide to an issue's significance.
2.2 Users With Dictionary-Based Passwords
Overall: CRITICAL | Impact: Critical | Ease: Easy | Fix: Quick
2.2.1 Finding
Access to restricted network user and administration services is typically secured using username and password authentication credentials. The strength of the authentication credentials is even more important if the service allows for devices to be reconfigured or it allows access to potentially sensitive information.
Nipper Studio identified one dictionary-based password on 5500-EI. This is shown in Table 10 and includes administrative access to the device.
Table 10: User on 5500-EI with a dictionary-based password
User | Password | Privilege
super (level 3) | password | 3
2.2.2 Impact
A malicious user, or remote attacker, who is able to connect to an administrative service will be able to perform a dictionary-based attack in order to identify valid authentication credentials and logon to the device. The attacker will then be able to perform administrative and user level tasks. This could include re-configuring the device, extracting potentially sensitive information and disabling the device. Once an attacker has obtained the configuration from the device they may be able to identify authentication credentials that could then be used to gain access to other network devices.
2.2.3 Ease
Dictionary-based password guessing attacks have been widely documented on the Internet and published media, enabling an attacker with very little knowledge or experience to perform the attack. There are a number of different dictionary-based password guessing tools and password dictionaries available on the Internet. Additionally, an experienced attacker is likely to have a collection of personal password dictionaries which they have built up over time. However, there are a number of factors that may discourage an attacker from performing a dictionary-based attack.
1. Account lockout facilities can quickly prevent access to the account.
2. Device protection mechanisms may slow or disconnect connections where multiple authentication attempts are made in a short period of time.
3. Brute-forcing can be very time consuming, especially if the password is long or made up of various character types.
4. Network administrators may be alerted to locked out accounts or authentication attempts.
2.2.4 Recommendation
Nipper Studio strongly recommends that all user accounts should have a strong password.
Nipper Studio recommends that:
passwords should be at least eight characters in length;
characters in the password should not be repeated more than three times;
passwords should include both uppercase and lowercase characters;
passwords should include numbers;
passwords should include punctuation characters;
passwords should not include the username;
passwords should not include a device's name, make or model;
passwords should not be based on dictionary words.
2.3 No HTTP Server Session Timeout
Overall: HIGH | Impact: High | Ease: Easy | Fix: Quick
2.3.1 Finding
The HTTP server session timeout setting is used to determine if a web session is no longer being used, enabling a device to determine when a connection can be automatically disconnected. An HTTP server session could become unused if an administrator has not properly terminated a connection and remains authenticated, such as when a user does not click on a logout button. The session could also become unused if the user leaves their computer unattended without terminating the session.
Nipper Studio determined that no HTTP server session timeout was configured on 5500-EI.
2.3.2 Impact
If an attacker was able to access a system using an authenticated session that is no longer being used, the attacker would be able to perform information gathering, configuration and other malicious activities under the context of the previously authenticated user. The level of access could potentially be at an administrative level.
2.3.3 Ease
To exploit this issue an attacker would first have to identify a working HTTP server session, possibly prior to it becoming unused by the user, and then be able to control that web session. This may be as simple as using the user's computer whilst they are away; otherwise the attacker may have to exploit a weakness in the protocol or perform a man-in-the-middle attack. The man-in-the-middle attack could be performed using a proxy server, but a user could become suspicious if the session is using Hypertext Transfer Protocol over SSL (HTTPS) and the web browser provides the user with a certificate warning.
2.3.4 Recommendation
Nipper Studio recommends that an HTTP server session timeout period of 10 minutes should be configured.
2.4 Clear Text HTTP Service Enabled
Overall: MEDIUM | Impact: High | Ease: Moderate | Fix: Quick
2.4.1 Finding
HTTP (RFC 2616) provides web-based services, such as information services, network device administration and other potentially sensitive services. HTTP provides no encryption of the connection between the client and server, including any authentication and data transfer.
Nipper Studio determined that the clear text HTTP server was enabled on 5500-EI.
2.4.2 Impact
Due to the lack of encryption provided by the HTTP service, an attacker who is able to monitor a session would be able to view all of the authentication credentials and data passed in the session. The attacker could then attempt to gain access to the device using the authentication credentials extracted from the session and potentially gain access under the context of that user. Since HTTP is commonly used for network device administration, this could gain the attacker an administrative level of access.
2.4.3 Ease
To exploit the fact that the HTTP service does not provide any encryption, the attacker would need to be able to monitor the session between an HTTP server and web browser. In some situations the attacker may not need to perform any further action other than launching a network monitoring tool. However, in a switched network the attacker may need to perform additional actions such as an ARP attack, and in a routed environment the attacker may have to compromise the network routing.
Tools that are capable of both monitoring and displaying network traffic in an easy to read form can be downloaded from the Internet. There are also tools that automatically detect where authentication credentials or files are being transferred and display or save the data. Tools are also available that enable an attacker to easily perform a variety of network attacks in order to be able to monitor and intercept sessions between two network devices.
2.4.4 Recommendation
Nipper Studio recommends that the HTTP service should be disabled. If remote administrative access is required then Nipper Studio recommends that a cryptographically secure alternative, such as HTTPS, should be used instead.
Notes for 3COM 5500 Series Switch devices:
The HTTP web administration service can be disabled using the following command:
ip http shutdown
2.5 User Account Names Contained "admin"
Overall: MEDIUM | Impact: Critical | Ease: Challenging | Fix: Quick
2.5.1 Finding
When user account names contain "admin", a clear indication is given to an attacker or malicious user that the account most likely has higher privilege levels than a standard user. This allows an attacker to focus their resources in a more direct way, such as targeted phishing attacks or other social engineering techniques.
Nipper Studio identified one user account containing "admin" in the username on 5500-EI. This is shown in Table 11.
Table 11: User on 5500-EI with 'admin' in username
User | Password | Privilege
admin | | 0
2.5.2 Impact
A malicious user would be able to create targeted phishing and social engineering attacks at a specific user they believe to have admin or elevated privileges. Once access is gained, they would have that user's access to a system, which could include re-configuring the device, extracting potentially sensitive information and disabling the device. Once an attacker has obtained the configuration from the device they may be able to identify authentication credentials that could then be used to gain access to other network devices.
2.5.3 Ease
Exploiting this vulnerability would require an attacker to have gained access to sensitive information detailing user accounts and associated IDs before being able to identify appropriate targets for phishing or social engineering attacks.
2.5.4 Recommendation
Nipper Studio strongly recommends that all admin or elevated privilege accounts should not contain information that identifies them as being such.
2.6 AUX Port Not Disabled
Overall: MEDIUM | Impact: High | Ease: Challenging | Fix: Quick
2.6.1 Finding
The Auxiliary (AUX) port's primary purpose is to provide a remote administration capability. With a modem connected to the AUX port, a remote administrator could dial into the device in order to perform remote administration. As an extra layer of security, some devices can be configured with a callback facility. The callback facility, if configured, drops any incoming calls and dials the network administrator back.
Nipper Studio determined that the AUX port had not been disabled on 5500-EI.
The AUX port line settings that were configured on 5500-EI are listed in Table 12.
Table 12: AUX line settings on 5500-EI
Line | Exec
Auxiliary | 10 minutes
2.6.2 Impact
If an attacker is able to dial in and connect to the device remotely using the AUX port, the attacker could perform a brute-force attack against the authentication mechanism in order to gain remote administrative access. If a malicious user was able to gain physical access to a device where the AUX port had not been disabled, they could attach a modem in order to perform an attack from a remote location. If a callback facility has not been configured, then the device would not drop incoming calls and attempt to dial the network administrator's phone number.
2.6.3 Ease
In order to successfully exploit this issue, the attacker would require a modem to be attached to the AUX port. If a modem is already attached, an attacker could discover the modem's telephone number during a war-dial. However, even though a number of war-dial tools are available on the Internet, a war-dial is more likely to be discovered due to the number of telephones which would be called in an office.
2.6.4 Recommendation
Nipper Studio recommends that, if not required, the AUX port should be disabled. If the AUX port is required and the device supports callback then Nipper Studio suggests that the callback facility should be configured as an additional level of protection.
2.7 No HTTP Service Network Access Restrictions
Overall: MEDIUM | Impact: Medium | Ease: Trivial | Fix: Quick
2.7.1 Finding
HTTP (RFC 2616) provides web-based services, such as information services, network device administration and other potentially sensitive services. HTTP provides no encryption of the connection between the client and server, including any authentication and data transfer. HTTPS, which is HTTP over Secure Sockets Layer (SSL)/TLS, is used to provide a cryptographically secure web-based connection.
Network access to the HTTP service can be restricted by specifying those hosts that are allowed to access the service and thereby denying access to all other network host addresses.
Nipper Studio determined that the HTTP service on 5500-EI was not configured to restrict access to only those specific network host addresses that are required.
2.7.2 Impact
Without management host address restrictions an attacker, or malicious user, with authentication credentials would be able to connect to the HTTPS service, logon and access the functionality and information provided for that user. If an attacker does not have authentication credentials they could attempt a brute-force attack in order to identify valid credentials. Additionally, if there is a vulnerability with the service then allowing anyone to connect to the service could enable an attacker to exploit the vulnerability.
2.7.3 Ease
With no HTTP network host access restrictions an attacker would not be prevented from connecting to the service. Furthermore, web browsers and other web-based client tools are included as standard with most operating systems. Alternative web service tools are available on the Internet, together with vulnerability exploit code, enumeration and brute-force tools.
2.7.4 Recommendation
Nipper Studio recommends that access to the HTTP service should be restricted to only those network hosts that require access.
Notes for 3COM 5500 Series Switch devices:
HTTP and HTTPS access lists can be assigned using the following 3COM 5500 Series Switch device commands:
ip http acl acl-list
ip https acl acl-list
2.8 Syslog Logging Not Enabled
Overall: MEDIUM | Impact: Medium | Ease: N/A | Fix: Planned
2.8.1 Finding
Logging is an important component of a secure network configuration. When appropriately configured, the messages logged provide a wealth of information to a network administrator when diagnosing a problem, identifying an attack or when used to provide an activity audit trail. When a well configured logging system is combined with a good monitoring and alert system it will enable network administrators to promptly respond to networking issues, DoS attacks, administrative system logons and a host of other important information.
Syslog logging provides an industry standard system (detailed in RFC 5424) for logging messages, enabling the collection, storage and administration of logs from a variety of devices to a single location. The sending of logs to other systems not only provides extra storage space for logs, which could be size restricted on the originating network device, but it also provides an extra level of protection for the logs in a scenario where an attacker has compromised the security of the message source.
Nipper Studio determined that the logging of system messages to a Syslog logging server was not configured on 5500-EI.
2.8.2 Impact
If logging of system messages is not configured, a network administrator may not be made aware of significant events happening on the device. These events could include security issues such as intrusion attempts, network scans, authentication failures or diagnostic and management information such as potential hardware issues. Without logging system messages, the information would not be available to either a forensic investigation or for diagnostic purposes.
2.8.3 Ease
System messages will not be sent to a Syslog logging server.
2.8.4 Recommendation
Nipper Studio recommends that Syslog logging should be configured to enable system messages to be logged to a central logging server.
Notes for 3COM 5500 Series Switch devices:
Syslog logging hosts can be configured on 3COM 5500 Series Switch devices with the following command:
info-center loghost ip-address
2.9 NTP Control Queries Were Permitted
Overall: MEDIUM | Impact: Medium | Ease: N/A | Fix: Planned
2.9.1 Finding
Time synchronization for network devices is inherently important, not just for the various services that make use of time, but also for the accurate logging of events. Therefore network devices can be configured to synchronize their time against a network time source in order to ensure that the time is synchronized.
NTP (described in RFC 5905) is a complex time synchronization protocol with a number of different features and options. In addition to time, a number of control queries can be made to an NTP server; these include requesting a list of the server's NTP peers and a number of different variables.
Nipper Studio determined that NTP control queries were permitted on 5500-EI.
2.9.2 Impact
An attacker may send control queries to an NTP service in order to gather information about the device. In addition to time information, an attacker may learn internal IP addresses of NTP peers or basic operating system information.
2.9.3 Ease
NTP query tools are installed by default with some operating systems and NTP tools can be downloaded from the Internet.
2.9.4 Recommendation
Nipper Studio recommends that, if a time server must be configured on the device, access should be restricted to only time requests.
2.10 No Time Synchronization Configured
Overall: MEDIUM | Impact: Medium | Ease: N/A | Fix: Planned
2.10.1 Finding
Time synchronization for network devices is inherently important, not just for the various services that make use of time, but also for the accurate logging of events. Therefore network devices can be configured to synchronize their time against a network time source in order to ensure that the time is synchronized.
Nipper Studio determined that time synchronization against a network time service was not configured on 5500-EI.
2.10.2 Impact
Although not a direct threat to security, a device with no time synchronization configured would make it more difficult to correlate events in the logs. This would make a forensic investigation more complex, hindering any troubleshooting. The lack of time synchronization could also cause problems with some systems that depend on accurate time, such as some authentication services.
2.10.3 Ease
The system time will not be synchronized. Furthermore, over a period of time the initial configuration could gradually drift away from being anywhere near accurate.
2.10.4 Recommendation
Nipper Studio recommends that all networked devices should synchronize their clocks with a network time source.
Notes for 3COM 5500 Series Switch devices:
Time synchronization can be configured against an authenticated NTP time source on 3COM 5500 Series Switch devices with the following commands:
ntp-service authentication enable
ntp-service authentication-keyid key-id authentication-mode md5 key
ntp-service unicast-server address authentication-keyid key-id
2.11 Weak User Account Lockout Policy Setting
Overall: LOW | Impact: Medium | Ease: Easy | Fix: Quick
2.11.1 Finding
When configured, the user account lockout policy setting will prevent a user account from authenticating if the user has failed to logon the number of times defined by the threshold.
Nipper Studio determined that the user account lockout policy setting was configured to Unlimited logon attempts.
2.11.2 Impact
A malicious user, or attacker, may attempt to determine a password for a specific user account by repeatedly attempting to logon using a different password each time. If no user account lockout policy setting has been configured then an attacker could brute-force a password by going through each character combination until a valid password is found. However, if a user account lockout policy setting has been defined, the attacker will be limited to a far smaller number of guesses before the account becomes unusable.
2.11.3 Ease
Brute-force and dictionary-based password guessing attacks have been widely documented on the Internet and published media, enabling an attacker with very little knowledge or experience to perform the attack. However, it is also worth noting that there are a number of factors that may discourage an attacker from performing a password guessing attack.
If a user account lockout policy setting has been configured the user account could quickly become disabled;
Device protection mechanisms may slow or disconnect connections where multiple authentication attempts are made in a short period of time;
Brute-forcing can be very time consuming, especially if the password is long or made up of various character types;
Network administrators may be alerted to locked out accounts or authentication attempts.
2.11.4 Recommendation
Nipper Studio recommends that a user account lockout threshold of 3 should be configured in order to help prevent unauthorized access to user accounts.
Notes for 3COM 5500 Series Switch devices:
The number of times you can attempt to logon before a user account is locked can be configured using the following 3COM 5500 Series Switch device command:
password-control login-attempt number-of-attempts
2.12 Proxy ARP Was Enabled
Overall: LOW | Impact: Low | Ease: Easy | Fix: Quick
2.12.1 Finding
ARP is a protocol that network hosts use to translate network IP addresses into Media Access Control (MAC) addresses. Under normal circumstances, ARP packets are confined to the sender's network segment. However, some network devices can be configured to act as a proxy for ARP requests, retransmitting an ARP request on other network segments and sending any response back to the originator of the request.
Nipper Studio determined that the Proxy ARP feature was enabled on one network interface on 5500-EI. This is detailed in Table 13.
Table 13: Network interface on 5500-EI with Proxy ARP enabled
Interface | Address | Proxy-ARP | Description
1 | 192.168.0.19/24 | On | test interface
2.12.2 Impact
A router that acts as a proxy for ARP requests will extend layer two access across multiple network segments, potentially breaking perimeter security.
2.12.3 Ease
A network device with proxy ARP enabled will proxy ARP requests for all hosts on those interfaces. A number of ARP tools can be downloaded from the Internet for use in exploiting this issue.
2.12.4 Recommendation
Nipper Studio recommends that, if not required, the Proxy ARP feature should be disabled on all interfaces.
Notes for 3COM 5500 Series Switch devices:
Proxy ARP can be disabled on interfaces using the following interface command:
undo local-proxy-arp enable
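As an added example (not Nipper Studio's code or output), the Python script below checks a Comware-style 3COM 5500 configuration for the settings behind findings 2.4, 2.7, 2.8, 2.10, 2.11 and 2.12 above, using the command syntax quoted in those sections' notes, and lists the report's fix command for each hit. The sample configuration is constructed; the regular expressions and the interface-stanza parser are assumptions about the configuration format, not part of the report.

```python
"""Check a Comware-style 3COM 5500 configuration for the weak settings behind
report findings 2.4, 2.7, 2.8, 2.10, 2.11 and 2.12 (added example, not Nipper
Studio code). The threshold and command syntax come from the report; the
sample configuration and the config-format assumptions are constructed here."""
import re
from dataclasses import dataclass

# Lockout threshold recommended in section 2.11.
MAX_LOGIN_ATTEMPTS = 3

# Constructed sample configuration (not the audited device's real config); it
# reproduces the weak state described in the findings named above.
SAMPLE_CONFIG = """\
 sysname 5500-EI
 password-control login-attempt 10
#
interface Vlan-interface1
 description test interface
 ip address 192.168.0.19 255.255.255.0
 local-proxy-arp enable
#
interface Vlan-interface2
 ip address 10.0.0.1 255.255.255.0
#
return
"""

# Fix commands quoted in the report's "Notes for 3COM 5500 Series Switch
# devices"; <...> marks a value the administrator substitutes.
REMEDIATION = {
    "2.4": "ip http shutdown",
    "2.7": "ip http acl <acl-list>",
    "2.8": "info-center loghost <ip-address>",
    "2.10": "ntp-service unicast-server <address> authentication-keyid <key-id>",
    "2.11": f"password-control login-attempt {MAX_LOGIN_ATTEMPTS}",
    "2.12": "undo local-proxy-arp enable",
}


@dataclass(frozen=True)
class Finding:
    section: str  # report section that describes the issue
    detail: str


def _has(config: str, pattern: str) -> bool:
    """True if any configuration line matches the line-anchored regex."""
    return re.search(pattern, config, re.MULTILINE) is not None


def _interface_blocks(config: str) -> dict[str, list[str]]:
    """Map each 'interface X' stanza to the commands under it (assumed format:
    a stanza is closed by a line holding only '#')."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "#":
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit_config(config: str) -> list[Finding]:
    findings: list[Finding] = []
    # 2.4: the web service stays enabled unless "ip http shutdown" is present.
    if not _has(config, r"^\s*ip http shutdown\s*$"):
        findings.append(Finding("2.4", "clear-text HTTP service enabled"))
        # 2.7 only applies while the service runs; an ACL limits who may connect.
        if not _has(config, r"^\s*ip http acl \S+"):
            findings.append(Finding("2.7", "HTTP service not restricted by an ACL"))
    # 2.8: without a remote syslog host, logs never leave the device.
    if not _has(config, r"^\s*info-center loghost \S+"):
        findings.append(Finding("2.8", "no Syslog logging host configured"))
    # 2.10: without an NTP server the clock is never synchronized.
    if not _has(config, r"^\s*ntp-service unicast-server \S+"):
        findings.append(Finding("2.10", "no NTP time source configured"))
    # 2.11: an absent or over-generous lockout threshold permits password guessing.
    m = re.search(r"^\s*password-control login-attempt (\d+)", config, re.MULTILINE)
    if m is None:
        findings.append(Finding("2.11", "no lockout threshold set"))
    elif int(m.group(1)) > MAX_LOGIN_ATTEMPTS:
        findings.append(Finding("2.11", f"lockout threshold {m.group(1)} exceeds "
                                        f"recommended {MAX_LOGIN_ATTEMPTS}"))
    # 2.12: proxy ARP is reported per interface on which it is enabled.
    for name, lines in _interface_blocks(config).items():
        if "local-proxy-arp enable" in lines:
            findings.append(Finding("2.12", f"proxy ARP enabled on {name}"))
    return findings


def remediation_for(findings: list[Finding]) -> list[str]:
    """Return the report's fix command for each finding, in order, de-duplicated."""
    commands: list[str] = []
    for f in findings:
        cmd = REMEDIATION[f.section]
        if cmd not in commands:
            commands.append(cmd)
    return commands


if __name__ == "__main__":
    hits = audit_config(SAMPLE_CONFIG)
    for f in hits:
        print(f"{f.section:>5}  {f.detail}")
    print("\nRemediation:")
    for cmd in remediation_for(hits):
        print("  " + cmd)
```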
2.13 Weak Password History Policy Setting
Overall: LOW | Impact: Low | Ease: Easy | Fix: Quick
2.13.1 Finding
The password history facility maintains a limited list of passwords for each user in order to determine if a user is selecting a previously used password when they change it. The password history policy setting is used to prevent a user from choosing the same password within the defined number of previous passwords.
Nipper Studio determined that the password history policy setting was configured to 4 passwords on 5500-EI.
2.13.2 Impact
Strong authentication credentials are a key component of a system's security. It is therefore important that a user chooses a strong password and that it is changed on a regular basis. If a user is able to repeatedly select the same password each time they are asked to change their password, it would make the password age facility redundant.
The younger a password's age, the better it is for security, for a number of reasons. For example, if given enough time it may be possible for an attacker who had captured some encrypted network traffic to decrypt and identify the user authentication credentials. Over time any password is likely to be used and be present in a greater number of locations, such as on other devices, system backups and temporary files. It is also possible that over a period of time a password may become known to co-workers or passers-by from casual or intentional shoulder surfing.
2.13.3 Ease
A malicious user, or attacker, who has gained access to a password would have a far greater chance of the password continuing to work in the future if the device does not maintain a password history.
2.13.4 Recommendation
Nipper Studio recommends that a user password history of 10 should be configured in order to help prevent users from repeatedly selecting the same password.
Notes for 3COM 5500 Series Switch devices:
A password history can be configured using the following commands:
password-control history number-of-passwords
password-control history enable
2.14 Weak Password Age Policy Setting
Overall: LOW | Impact: Low | Ease: Easy | Fix: Quick
2.14.1 Finding
Overall:LOW
Impact:Low
Ease:N/A
Fix:Quick
Thepasswordagepolicysettingisusedtodeterminehowmuchtimecanpassbeforeauserwillbeforcedtochangetheirpassword.
NipperStudiodeterminedthatthepasswordagepolicysettingwasconfiguredto90dayson5500-EI.
2.14.2Impact
Strongauthenticationcredentialsareakeycomponentofasystemssecurity.Itisthereforeimportantthatauserchoosesastrongpasswordandthatitischangedonaregularbasis.
Theyoungerapasswordsagethebetteritisforsecuritybecauseofanumberofreasons.Forexample,ifgivenenoughtimeitmaybepossibleforanattackerwhohadcapturedsomeencryptednetworktraffictodecryptandidentifytheuserauthenticationcredentials.Overtimeanypasswordislikelytobeusedandbepresentinagreaternumberoflocations,suchasonotherdevices,systembackupsandtemporaryfiles.Itisalsopossiblethatoveraperiodoftimeapasswordmaybecomeknowntoco-workersorpassersbyfromcasualorintentionalshouldersurfing.
2.14.3Ease
Amalicioususer,orattacker,whohasgainedaccesstoapasswordwouldhaveafargreaterchanceofthepasswordcontinuingtoworkinthefutureifthedevicedoesnotenforceamaximumpasswordage.
2.14.4Recommendation
NipperStudiorecommendsthatauserpasswordagepolicysettingof60daysshouldbeconfigured.
Notesfor3COM5500SeriesSwitchdevices:
Amaximumpasswordagecanbeconfiguredon3COM5500SeriesSwitchdevicesusingthefollowingcommands:
password-controlagingdays
password-controlagingenable
Gotothereportcontentsorthestartofthissection.
2.15NoWarningInPre-LogonBanner
2.15.1Finding
Logonbannermessagesareanimportant,butoftenoverlooked,partofasecureconfiguration.Logonbannermessagescanprovideconnectinguserswithimportantinformationandwarnagainstunauthorizedaccess.
NipperStudiodeterminedthatCopyrightpre-logonbannermessageon5500-EIdidnotincludeawarningagainstunauthorizedaccess.Theconfiguredbannerwas:
Overall:LOW
Impact:Low
Ease:N/A
Fix:Quick
*****************************************************************************
***
*Copyright(c)2004-20093COMCorp.anditslicensors.Allrightsreserved.
*
*Withouttheowner'spriorwrittenconsent,
*
*nodecompilingorreverse-engineeringshallbeallowed.
*
*****************************************************************************
***
2.15.2Impact
Acarefullywordedwarningmessagecoulddeteracasualattackerormalicioususer,butnotadeterminedattacker.However,itwouldbemoredifficulttoproveanyintentwithoutamessagewarningagainstunauthorizedaccessifanylegalactionweretobetakenagainstanattacker.
2.15.3Ease
Anattackerwouldnotbepresentedwithacarefullywordedlegalwarningpriortoattemptingtologon.
2.15.4Recommendation
NipperStudiorecommendsthatallpre-logonbannermessagesshouldbeconfiguredtowarnagainstunauthorizedaccess.
Notesfor3COM5500SeriesSwitchdevices:
TheCopyrightbannermessageshowsthedevicemanufacturerscopyrightinformationtoalluserspriortologon.TheCopyrightbannermessagecannotbeedited.HowevertheCopyrightbannermessagecanbedisabledusingthefollowingcommand:
undocopyright-infoenable
Gotothereportcontentsorthestartofthissection.
2.16InterfacesWereConfiguredWithNoFiltering
2.16.1Finding
Networkfilteringrulelistscanbeassignedtoindividualnetworkinterfacestoprovidefilteringofnetworktraffic.
NipperStudiodeterminedthatthreenetworkinterfaceson5500-EIhadnonetworkfilteringrulesassigned.Thesearedetailedbelow.
Interface Active Description
1/0/26 Yes
Overall:INFORMATIONAL
Impact:Informational
Ease:Trivial
Fix:Quick
Table14:Networkinterfaceswithnofilteringon5500-EI
1/0/27 Yes
1/0/28 Yes
2.16.2Impact
Thenetworktrafficfromanattackerattachedtooneofthenetworkinterfacesdetailedabovewouldnotbesubjectedtofiltering,potentiallyprovidingunrestrictedaccesstonetworkservices.
2.16.3Ease
Thenetworktrafficwouldnotbesubjectedtofiltering.
2.16.4Recommendation
NipperStudiorecommendsthatallnetworkinterfacesshouldbeconfiguredfilteringtohelppreventunauthorizedaccesstonetworkservicesandhosts.
Gotothereportcontentsorthestartofthissection.
2.17InformationLeakageInBannerMessage
2.17.1Finding
Logonbannermessagesareanimportant,butoftenoverlooked,partofasecureconfiguration.Logonbannermessagesshouldprovideconnectinguserswithimportantinformationandwarnagainstunauthorizedaccess.
NipperStudiodeterminedthatCopyrightbannermessageon5500-EIcontainedthedevice'smanufacturer.Theconfiguredbannerwas:
*****************************************************************************
***
*Copyright(c)2004-20093COMCorp.anditslicensors.Allrightsreserved.
*
*Withouttheowner'spriorwrittenconsent,
*
*nodecompilingorreverse-engineeringshallbeallowed.
*
*****************************************************************************
***
2.17.2Impact
Informationleakedinabannermessagecouldprovideamalicioususer,orattacker,detailsthattheycoulduseaspartofanattack.Forexample,revealinginformationaboutthetypeofdevice,itsmanufacturerorsoftwareversioncouldgiveanattackerenoughinformationtoidentifypotentialsoftwarevulnerabilitiesusinganInternetvulnerabilitydatabase.Theattackercouldthen
Overall:INFORMATIONAL
Impact:Informational
Ease:N/A
Fix:Quick
downloadexploitcodefortheidentifiedvulnerabilitiesandperformamoretargetedattackagainstthedevice.
2.17.3Ease
Theattackerwouldbesentthebannermessagewithinformationleakagebeforetheyhadauthenticated.
2.17.4Recommendation
NipperStudiorecommendsthatbannermessagesshouldnotcontaininformationthatanattackercouldfinduseful.
Notesfor3COM5500SeriesSwitchdevices:
TheCopyrightbannermessageshowsthedevicemanufacturerscopyrightinformationtoalluserspriortologon.TheCopyrightbannermessagecannotbeedited.HowevertheCopyrightbannermessagecanbedisabledusingthefollowingcommand:
undocopyright-infoenable
Gotothereportcontentsorthestartofthissection.
2.18NoPostLogonBannerMessage
2.18.1Finding
Postlogonbannermessagesareonesthatareshowntousersaftertheyhaveauthenticatedandpriortobeinggivenaccesstothedevice.Itisonethatisshowntouserswhentheyconnecttoadeviceandpriortotheuserlogon.
NipperStudiodeterminedthat5500-EIwasconfiguredwithnopostlogonbannermessage.
2.18.2Impact
Thepostlogonbannerisusefulfordetailingtheacceptableusepolicyandthechangecontrolprocedureswhichshouldbefollowedpriortomakinganychangestoadevice'sconfiguration.Anacceptableusemessagedetailingthechangecontrolproceduresandwaningagainstabuseofthepolicycouldhelptopreventad-hocchangesbeingmadetoadevice'sconfiguration.
Additionally,ifadevicedoesnothavethefacilitiestoconfigureapre-logonbannermessagethenthepostlogonbannermessagecouldbetheonlyplacewherealegalwarningagainstunauthorizedaccesscouldbegiven.
2.18.3Ease
Withnopostlogonbannerconfigured,auserwouldnotbegivenareminderoftheacceptableuseandchangecontrolprocedurepolicydetails.
2.18.4Recommendation
Overall:INFORMATIONAL
Impact:Informational
Ease:Trivial
Fix:Quick
NipperStudiorecommendsthatapostlogonbannermessageisconfiguredthatdetailsboththeacceptableusepolicyandchangecontrolprocedures.Additionally,ifthedevicedoesnotsupportapre-logonbannermessagethenNipperStudiorecommendsthatthepostlogonbannermessageshouldalsoincludeacarefullywordedlegalwarningagainstunauthorizedaccess.
Notesfor3COM5500SeriesSwitchdevices:
TheShellbannermessageisshowntonon-modemusersaftertheylogonandtheIncomingbannermessageisshowntomodemusersaftertheylogon.TheShellandIncomingbannermessagescanbeconfiguredusingthefollowingcommands:
headershelldelimiter
headerincomingdelimiter
Gotothereportcontentsorthestartofthissection.
2.19WeakPasswordExpiryWarningPolicySetting
2.19.1Finding
Thepasswordexpirypolicysettingisusedtodeterminehowlonguntilapasswordisabouttoexpireausershouldbewarned.Thewarningwillthenenabletheusertochangetheirpasswordbeforeitisolderthanthemaximumpasswordageandexpires.
NipperStudiodeterminedthatthepasswordexpirywarningpolicysettingwasconfiguredtonotnotifytheuseron5500-EI.
2.19.2Impact
Strongauthenticationcredentialsareakeycomponentofasystemssecurity.Itisthereforeimportantthatauserchoosesastrongpasswordandthatitischangedonaregularbasis.Ifthepasswordexpirywarningisdisabledthenuserswillnotbewarnedpriortotheirpasswordexpiring.Ifthepasswordexpirywarningissettoatooshortperiodoftime,theusermaynotbenotifiedthattheirpasswordisabouttoexpireiftheyhavenotauthenticatedneartheexpirydate.
2.19.3Ease
Theusermaynotbenotifiedthattheirpasswordisabouttoexpire.
2.19.4Recommendation
NipperStudiosuggeststhatauserpasswordexpirywarningpolicysettingof14daysshouldbeconfigured.
Notesfor3COM5500SeriesSwitchdevices:
Apasswordexpirywarningcanbeconfiguredusingthefollowingcommand:
password-controlalert-before-expiredays
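The three password-control findings above (history in section 2.13, maximum age in section 2.14, expiry warning in section 2.19) can be checked offline against a saved configuration instead of by reading Table 24 by hand. The following Python is an added example, not Nipper Studio's own code: it parses the numeric `password-control` lines out of a constructed configuration fragment (assumed to resemble `display current-configuration` output on the audited switch, with the values from Table 24: aging 90, history 4, no expiry warning), compares them with the values this report recommends, and emits the remediation commands the device notes give. The layout of the sample text is an assumption; the thresholds and commands are the report's.

```python
"""Check Comware-style password-control settings against this report's recommendations.

Added example, not part of the Nipper Studio report. SAMPLE_CONFIG is constructed
to mirror Table 24 of the report; the line layout is assumed.
"""
import re

# Constructed sample configuration fragment (assumed layout, not a device capture).
SAMPLE_CONFIG = """\
 password-control enable
 password-control aging 90
 password-control history 4
 password-control length 10
 password-control complexity same-character check
"""

# Recommended values taken from sections 2.14 (aging), 2.13 (history) and 2.19 (alert).
# "max" means the configured value must not exceed the limit, "min" that it must reach it.
RECOMMENDED = {
    "aging": ("max", 60),                # days
    "history": ("min", 10),              # remembered passwords
    "alert-before-expire": ("min", 14),  # days before expiry
}

# Device commands quoted in the report's "Notes for 3COM 5500 Series Switch devices".
REMEDIATION_COMMANDS = {
    "history": ["password-control history 10", "password-control history enable"],
    "aging": ["password-control aging 60", "password-control aging enable"],
    "alert-before-expire": ["password-control alert-before-expire 14"],
}


def parse_password_control(config: str) -> dict:
    """Return {setting: int} for every 'password-control <name> <number>' line."""
    settings = {}
    pattern = re.compile(r"^\s*password-control\s+([a-z-]+)\s+(\d+)\s*$", re.M)
    for match in pattern.finditer(config):
        settings[match.group(1)] = int(match.group(2))
    return settings


def evaluate(settings: dict) -> list:
    """Return one finding string per non-compliant or missing setting (empty = compliant)."""
    findings = []
    for name, (kind, limit) in RECOMMENDED.items():
        value = settings.get(name)
        bound = "at most" if kind == "max" else "at least"
        if value is None:
            findings.append(f"{name}: not configured (recommend {bound} {limit})")
        elif kind == "max" and value > limit:
            findings.append(f"{name}: {value} exceeds recommended maximum {limit}")
        elif kind == "min" and value < limit:
            findings.append(f"{name}: {value} below recommended minimum {limit}")
    return findings


def remediation(settings: dict) -> list:
    """Commands that bring every failing setting to the report's recommended value."""
    failing = {f.split(":", 1)[0] for f in evaluate(settings)}
    commands = []
    # Fixed order so the output is stable: history, aging, then the expiry warning.
    for name in ("history", "aging", "alert-before-expire"):
        if name in failing:
            commands.extend(REMEDIATION_COMMANDS[name])
    return commands


if __name__ == "__main__":
    parsed = parse_password_control(SAMPLE_CONFIG)
    for finding in evaluate(parsed):
        print("FINDING:", finding)
    print("Remediation:")
    for command in remediation(parsed):
        print(" ", command)
```

Run it against a real `display current-configuration` capture by replacing SAMPLE_CONFIG; a setting that is absent from the capture is reported as "not configured" rather than silently passing, which is the case Table 24 shows for the expiry warning.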
Go to the report contents or the start of this section.

2.20 Filter Rule Allows Packets From A Network Source
Overall: INFORMATIONAL
Impact: Informational
Ease: N/A
Fix: Planned
2.20.1 Finding
Network filtering rules can be configured on a wide range of network devices to restrict access, helping to prevent unauthorized access to network hosts and services. The filtering rules are processed sequentially when they are applied to network packets, with the first rule that matches the network packet being applied.
Nipper Studio identified one network filter rule on 5500-EI that allows packets from a network source.
Table 15: Basic ACL 2222 rule allowing packets from a network source on 5500-EI
Rule | Action | Source
20 | Allow | 0.0.0.20 0.0.0.255
2.20.2 Impact
If network filtering rules are not configured to restrict access to network services from only those hosts that require the access then unauthorized access may be gained to those services covered in this issue's finding. For a network edge device, this could lead to a remote attacker gaining access to a network service. For an internal device this could lead to a malicious user gaining unauthorized access to a service.
2.20.3 Ease
The network filtering would not prevent a malicious user or an attacker from accessing the network services covered by the rules detailed in this issue's finding.
2.20.4 Recommendation
Nipper Studio recommends that, where possible, all network filtering rules should be configured to restrict access to network services from only those hosts that require the access. However, it is worth noting that it may not be possible to achieve this in all circumstances, such as with a public web server where business requirements imply that any network address should be permitted to access the service.
Nipper Studio recommends that:
- filter rules should only allow access to specific destination addresses;
- filter rules should only allow access to specific destination network ports;
- filter rules should only allow access from specific source addresses;
- filter rules should specify a specific network protocol;
- ICMP filter rules should specify a specific message type;
- filter rules should always drop network packets and not reject them;
- filter rules should perform a specific action and not rely on a default action.
Notes for 3COM 5500 Series Switch devices:
You can modify Access Control List (ACL) rules on 3COM 5500 Series Switch devices by removing the rule and then adding the updated rule. You can do this using the following ACL commands:
undo rule rule-number
rule number {permit | deny} rule-options
ACL rules can be deleted using the following ACL command:
undo rule rule-number
Go to the report contents or the start of this section.

2.21 Filter Rule Allows Packets From Any Source
Overall: INFORMATIONAL
Impact: Informational
Ease: N/A
Fix: Planned
2.21.1 Finding
Network filtering rules can be configured on a wide range of network devices to restrict access, helping to prevent unauthorized access to network hosts and services. The filtering rules are processed sequentially when they are applied to network packets, with the first rule that matches the network packet being applied.
Nipper Studio identified one network filter rule on 5500-EI that allows packets from any source.
Table 16: Basic ACL 2222 rule allowing packets from any source on 5500-EI
Rule | Action | Source
30 | Allow | Any
2.21.2 Impact
If network filtering rules are not configured to restrict access to network services from only those hosts that require the access then unauthorized access may be gained to those services covered in this issue's finding. For a network edge device, this could lead to a remote attacker gaining access to a network service. For an internal device this could lead to a malicious user gaining unauthorized access to a service.
2.21.3 Ease
The network filtering would not prevent a malicious user or an attacker from accessing the network services covered by the rules detailed in this issue's finding.
2.21.4 Recommendation
Nipper Studio recommends that, where possible, all network filtering rules should be configured to restrict access to network services from only those hosts that require the access. However, it is worth noting that it may not be possible to achieve this in all circumstances, such as with a public web server where business requirements imply that any network address should be permitted to access the service.
Nipper Studio recommends that:
- filter rules should only allow access to specific destination addresses;
- filter rules should only allow access to specific destination network ports;
- filter rules should only allow access from specific source addresses;
- filter rules should specify a specific network protocol;
- ICMP filter rules should specify a specific message type;
- filter rules should always drop network packets and not reject them;
- filter rules should perform a specific action and not rely on a default action.
Notes for 3COM 5500 Series Switch devices:
You can modify ACL rules on 3COM 5500 Series Switch devices by removing the rule and then adding the updated rule. You can do this using the following ACL commands:
undo rule rule-number
rule number {permit | deny} rule-options
ACL rules can be deleted using the following ACL command:
undo rule rule-number
Go to the report contents or the start of this section.

2.22 Filter Drop Rules Were Configured Without Logging
Overall: INFORMATIONAL
Impact: Informational
Ease: N/A
Fix: Quick
2.22.1 Finding
Network filter rules can be configured to log an access attempt when network traffic matches a specific filter rule. The network filter rule logging facility helps network administrators to diagnose issues, determine a rule's usage and provide an audit trail for network traffic accessing specific hosts and services.
Nipper Studio identified one filter rule on 5500-EI that does not log dropped network traffic. The filter rule is shown below in Table 17.
Table 17: Basic ACL 2222 rule not logging dropped network traffic on 5500-EI
Rule | Action | Source
31 | Drop | 1.2.3.4
2.22.2 Impact
It is common for an attacker to perform network reconnaissance in order to identify potential target hosts and services. An attacker's reconnaissance phase can vary greatly in intensity and covertness, but any network scans that match network filter rules that are not configured to log will not record the activity.
Logging access attempts to network hosts and services that are filtered using drop rules provides useful information about an attacker's activities, and could be useful as evidence in any legal action taken. With no logging of drop filter rules the information would not be recorded for use by network administrators, auditors or a network forensic team. Furthermore, log monitoring software, if configured, would not alert network administrators of a potential attack in progress.
2.22.3 Ease
An attacker's attempts to access network services which are protected by the drop filter rules detailed in the finding would not be logged.
2.22.4 Recommendation
Nipper Studio recommends that all network filter rules that drop network traffic should be configured to log the access attempt.
Nipper Studio recommends that:
- filter rules should only allow access to specific destination addresses;
- filter rules should only allow access to specific destination network ports;
- filter rules should only allow access from specific source addresses;
- filter rules should specify a specific network protocol;
- ICMP filter rules should specify a specific message type;
- filter rules should always drop network packets and not reject them;
- filter rules should perform a specific action and not rely on a default action.
Notes for 3COM 5500 Series Switch devices:
You can modify ACL rules on 3COM 5500 Series Switch devices by removing the rule and then adding the updated rule. You can do this using the following ACL commands:
undo rule rule-number
rule number {permit | deny} rule-options
Go to the report contents or the start of this section.
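Sections 2.20 to 2.22 all concern the same three rules of basic ACL 2222, and the Finding text states that rules are processed sequentially with the first match winning. The following Python is an added example, not Nipper Studio's or 3COM's code: it parses a constructed ACL fragment that reproduces Tables 15 to 17 (rule 20 permitting a wildcard-masked network, rule 30 permitting any source, rule 31 dropping 1.2.3.4 without logging), reproduces the three checks, simulates first-match evaluation, and also reports a shadowed rule, because under first-match processing in ascending rule order the deny for 1.2.3.4 in rule 31 can never be reached once rule 30 has permitted any source. A corrected ACL is included to show the checks coming back clean. Assumptions: the `rule N {permit | deny} source <addr> <wildcard>` syntax with `0` as the host wildcard, a `logging` keyword on rules, and ascending rule-number evaluation; the exact syntax and match order on the audited switch should be confirmed against its documentation before relying on the shadowing result.

```python
"""Audit a Comware-style basic ACL for the checks in sections 2.20 to 2.22.

Added example, not part of the Nipper Studio report. The ACL text is constructed
to match Tables 15 to 17; rule syntax, the 'logging' keyword and ascending
rule-number first-match evaluation are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed: basic ACL 2222 as the report's tables describe it.
SAMPLE_ACL = """\
acl number 2222
 rule 20 permit source 0.0.0.20 0.0.0.255
 rule 30 permit source any
 rule 31 deny source 1.2.3.4 0
"""

# Constructed: the same ACL after applying the section 2.20-2.22 recommendations
# (host-specific permit, logged deny placed before any permit).
SAMPLE_ACL_FIXED = """\
acl number 2222
 rule 10 deny source 1.2.3.4 0 logging
 rule 20 permit source 0.0.0.20 0
"""


@dataclass
class Rule:
    number: int
    action: str      # "permit" or "deny"
    source: str      # dotted-quad address or "any"
    wildcard: str    # wildcard mask: set bits are "don't care"; "" when source is any
    logging: bool

    def matches(self, src_ip: str) -> bool:
        """True if src_ip falls inside this rule's source specification."""
        if self.source == "any":
            return True
        src = int(ipaddress.IPv4Address(src_ip))
        base = int(ipaddress.IPv4Address(self.source))
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(self.wildcard))
        return (src & care) == (base & care)


RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+source\s+(?:(any)|(\S+)\s+(\S+))(?P<opts>.*)$",
    re.M,
)


def parse_acl(text: str) -> List[Rule]:
    """Parse rule lines and return them sorted by rule number (assumed match order)."""
    rules = []
    for m in RULE_RE.finditer(text):
        if m.group(3):
            source, wildcard = "any", ""
        else:
            source = m.group(4)
            wildcard = "0.0.0.0" if m.group(5) == "0" else m.group(5)  # '0' = host
        rules.append(Rule(int(m.group(1)), m.group(2), source, wildcard,
                          "logging" in m.group("opts")))
    return sorted(rules, key=lambda r: r.number)


def audit(rules: List[Rule]) -> List[str]:
    """Reproduce the report's three checks plus a first-match shadowing check."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "permit" and rule.source == "any":
            findings.append(f"rule {rule.number}: permits packets from any source (section 2.21)")
        elif rule.action == "permit" and rule.wildcard != "0.0.0.0":
            findings.append(f"rule {rule.number}: permits packets from a network source (section 2.20)")
        if rule.action == "deny" and not rule.logging:
            findings.append(f"rule {rule.number}: drop rule does not log matches (section 2.22)")
        # An earlier rule matching any source makes every later rule unreachable.
        shadow = next((e for e in rules[:i] if e.source == "any"), None)
        if shadow is not None:
            findings.append(f"rule {rule.number}: unreachable, rule {shadow.number} matches any source first")
    return findings


def first_match(rules: List[Rule], src_ip: str) -> Optional[Rule]:
    """Return the first rule (in rule-number order) that matches src_ip, or None."""
    for rule in rules:
        if rule.matches(src_ip):
            return rule
    return None


if __name__ == "__main__":
    for label, text in (("as audited", SAMPLE_ACL), ("corrected", SAMPLE_ACL_FIXED)):
        rules = parse_acl(text)
        print(f"ACL {label}:")
        for finding in audit(rules) or ["no findings"]:
            print("  ", finding)
        hit = first_match(rules, "1.2.3.4")
        print(f"   packet from 1.2.3.4 hits rule {hit.number} ({hit.action})")
```

The shadowing check is the one worth carrying to the device: if the switch does evaluate ACL 2222 in rule-number order, the logged-or-not question for rule 31 is moot because traffic from 1.2.3.4 is permitted by rule 30 before rule 31 is consulted.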
2.23 Conclusions
Nipper Studio performed a security audit on 2 March 2017 of the device detailed in Table 18. Nipper Studio identified 21 security-related issues. The most significant issue was rated as CRITICAL.
Table 18: Security audit device conclusions
Device | Name | Issues | Highest Rating
3COM 5500 Series Switch | 5500-EI | 21 | CRITICAL
One CRITICAL rated security issue was identified. Nipper Studio determined that:
- dictionary-based user authentication credentials were configured (one device, see section 2.2).
One HIGH rated security issue was identified. Nipper Studio determined that:
- no HTTP server session timeout was configured (one device, see section 2.3).
Nipper Studio identified seven MEDIUM rated security issues. Nipper Studio determined that:
- the HTTP server was enabled (one device, see section 2.4);
- user account names contained "admin" (one device, see section 2.5);
- the AUX port was not disabled (one device, see section 2.6);
- no HTTP network host access addresses were configured (one device, see section 2.7);
- the logging of system messages to a Syslog logging server was not configured (one device, see section 2.8);
- NTP control queries were permitted (one device, see section 2.9);
- time synchronization was not configured (one device, see section 2.10).
Nipper Studio identified six LOW rated security issues. Nipper Studio determined that:
- a weak user account lockout policy setting was configured (one device, see section 2.11);
- proxy ARP was enabled (one device, see section 2.12);
- a weak password history policy setting was configured (one device, see section 2.13);
- a weak password age policy setting was configured (one device, see section 2.14);
- there was no unauthorized access warning in the pre-logon banner message (one device, see section 2.15);
- network interfaces were configured without filtering (one device, see section 2.16).
Nipper Studio identified six INFO rated security issues. Nipper Studio determined that:
- there was information leakage in the logon banner message (one device, see section 2.17);
- no post logon banner message was configured (one device, see section 2.18);
- a password expiry warning policy setting was not configured to the recommended value (one device, see section 2.19);
- network filtering rules were configured that allow packets from a network source (one device, see section 2.20);
- network filtering rules were configured that allow packets from any source (one device, see section 2.21);
- network filter rules were configured that do not log dropped network traffic (one device, see section 2.22).
Nipper Studio can draw the following statistics from the results of this security assessment (percentages have been rounded): 1 issue (5%) was rated as critical, 1 issue (5%) was rated as high, 7 issues (33%) were rated as medium, 6 issues (29%) were rated as low and 6 issues (29%) were rated as informational.
Go to the report contents or the start of this section.
2.24 Recommendations
This section collates the security audit issue recommendations into a single location in order to provide a guide to planning and mitigating the identified issues. The recommendations are listed in Table 19 together with the issue rating and a list of affected devices.
Table 19: Security audit recommendations list
Issue | Rating | Recommendation | Affected Devices | Section
Users With Dictionary-Based Passwords | CRITICAL | Configure strong passwords for all user authentication credentials. | 5500-EI | 2.2
No HTTP Server Session Timeout | HIGH | Configure a HTTP server session timeout of at most 10 minutes. | 5500-EI | 2.3
Clear Text HTTP Service Enabled | MEDIUM | Disable the HTTP server. | 5500-EI | 2.4
User Account Names Contained "admin" | MEDIUM | Ensure administrative or elevated privilege accounts do not contain information identifying them as such. | 5500-EI | 2.5
AUX Port Not Disabled | MEDIUM | Disable the AUX port, or configure the callback facility. | 5500-EI | 2.6
No HTTP Service Network Access Restrictions | MEDIUM | Restrict the HTTP service to only those hosts that require access. | 5500-EI | 2.7
Syslog Logging Not Enabled | MEDIUM | Configure Syslog message logging. | 5500-EI | 2.8
NTP Control Queries Were Permitted | MEDIUM | Restrict NTP server access to only time requests. | 5500-EI | 2.9
No Time Synchronization Configured | MEDIUM | Configure time synchronization. | 5500-EI | 2.10
Weak User Account Lockout Policy Setting | LOW | Configure a user account lockout policy to disable access after 3 failed logon attempts. | 5500-EI | 2.11
Proxy ARP Was Enabled | LOW | Disable proxy ARP on all interfaces. | 5500-EI | 2.12
Weak Password History Policy Setting | LOW | Configure a password history policy setting of 10. | 5500-EI | 2.13
Weak Password Age Policy Setting | LOW | Configure a password age policy setting of 60 days. | 5500-EI | 2.14
No Warning In Pre-Logon Banner | LOW | Modify the pre-logon banner message to include a carefully worded legal warning. | 5500-EI | 2.15
Interfaces Were Configured With No Filtering | LOW | Assign network filtering rules to all network interfaces. | 5500-EI | 2.16
Information Leakage In Banner Message | INFO | Remove information leakage from all banner messages. | 5500-EI | 2.17
No Post Logon Banner Message | INFO | Configure a post logon banner message detailing the acceptable use policy and change control procedures. | 5500-EI | 2.18
Weak Password Expiry Warning Policy Setting | INFO | Configure a password expiry warning policy setting of 14 days. | 5500-EI | 2.19
Filter Rule Allows Packets From A Network Source | INFO | Configure the network filtering rules to restrict access to network services from only those hosts that require the access. | 5500-EI | 2.20
Filter Rule Allows Packets From Any Source | INFO | Configure the network filtering rules to restrict access to network services from only those hosts that require the access. | 5500-EI | 2.21
Filter Drop Rules Were Configured Without Logging | INFO | Modify the filter rules to log all dropped network traffic. | 5500-EI | 2.22
Go to the report contents or the start of this section.
2.25 Mitigation Classification
This section aims to provide a guide to the perceived complexity of resolving a particular issue by implementing the recommendation. An outline of how each mitigation classification has been determined is described in Table 20.
Table 20: The mitigation classification
Classification | Description
QUICK | The issue is quick to resolve. Typically this would just involve changing a small number of settings and would have little-to-no effect on network services.
PLANNED | The issue resolution involves planning, testing and could cause some disruption to services. This issue could involve changes to routing protocols and changes to network filtering.
INVOLVED | The resolution of the issue will require significant resources and is likely to include disruption to network services, and possibly the modification of other network device configurations. The issue could involve upgrading a device's OS and possible modifications to the hardware.
Nipper Studio identified 16 security issues with mitigation recommendations that were classified as QUICK. Those issues were:
- CRITICAL: Users With Dictionary-Based Passwords (one device, see section 2.2);
- HIGH: No HTTP Server Session Timeout (one device, see section 2.3);
- MEDIUM: Clear Text HTTP Service Enabled (one device, see section 2.4);
- MEDIUM: User Account Names Contained "admin" (one device, see section 2.5);
- MEDIUM: AUX Port Not Disabled (one device, see section 2.6);
- MEDIUM: No HTTP Service Network Access Restrictions (one device, see section 2.7);
- LOW: Weak User Account Lockout Policy Setting (one device, see section 2.11);
- LOW: Proxy ARP Was Enabled (one device, see section 2.12);
- LOW: Weak Password History Policy Setting (one device, see section 2.13);
- LOW: Weak Password Age Policy Setting (one device, see section 2.14);
- LOW: No Warning In Pre-Logon Banner (one device, see section 2.15);
- LOW: Interfaces Were Configured With No Filtering (one device, see section 2.16);
- INFO: Information Leakage In Banner Message (one device, see section 2.17);
- INFO: No Post Logon Banner Message (one device, see section 2.18);
- INFO: Weak Password Expiry Warning Policy Setting (one device, see section 2.19);
- INFO: Filter Drop Rules Were Configured Without Logging (one device, see section 2.22).
Nipper Studio identified five security issues with mitigation recommendations that were classified as PLANNED. Those issues were:
- MEDIUM: Syslog Logging Not Enabled (one device, see section 2.8);
- MEDIUM: NTP Control Queries Were Permitted (one device, see section 2.9);
- MEDIUM: No Time Synchronization Configured (one device, see section 2.10);
- INFO: Filter Rule Allows Packets From A Network Source (one device, see section 2.20);
- INFO: Filter Rule Allows Packets From Any Source (one device, see section 2.21).
Nipper Studio can draw the following additional conclusion from the security audit based on the classification of the recommended issue mitigations. Most of the security issue recommendations are perceived to be quick to implement, enabling the majority of the issues to be quickly resolved without requiring a significant allocation of resources or system disruption. Of the 21 security issues identified, 16 (76%) recommendations were classified as having a quick mitigation and five (24%) recommendations were classified as having a planned mitigation.
Go to the report contents or the start of this section.
3 Vulnerability Audit
3.1 Introduction
The following device was excluded from the audit as no version information was available:
- 3COM 5500 Series Switch 5500-EI.
The vulnerability database used in this audit was updated on 10 February 2017. Each vulnerability is detailed with a CVSSv2 score, advisory references and third-party references.
Go to the report contents or the start of this section.
3.2 Conclusions
Nipper Studio performed a software vulnerability audit of the zero devices listed in Table 21 on 2 March 2017. No vulnerabilities were identified during the audit; this may be because the vulnerability database in use contained no information for some of the audited devices.
Table 21: Software vulnerability audit conclusions
Device | Type | Findings | Highest
No Information
Although Nipper Studio did not determine if any vulnerabilities existed on the system, this could be due to the OS version not being identified correctly, or due to a deficiency in the NIST NVD. Also, the vulnerability database used during this audit contains only publicly known vulnerabilities and not undisclosed issues known only to the manufacturers and third parties. Furthermore, it is common for software vulnerabilities to additionally require specific services, protocols, configuration setup or device models in order for them to be exposed.
Go to the report contents or the start of this section.
3.3 Recommendations
Although no vulnerabilities were identified during the audit, Nipper Studio still recommends that the latest software updates from the manufacturer should be installed, since not all vulnerabilities are publicly disclosed. Since software updates typically include stability, performance and feature improvements in addition to security fixes, it is worth reviewing and deploying the latest updates on a regular basis, not just for security reasons. Furthermore, manufacturers will sometimes resolve software vulnerabilities and roll the fixes into their latest software updates without a full disclosure of the issues being resolved.
When deploying a software update Nipper Studio recommends that:
- the manufacturer's software update release notes should be reviewed in order to familiarise yourself with what is required, the procedure and any other pertinent information;
- you should make a backup of your existing configuration prior to the update;
- if you have access to a duplicate or contingency device then it is worth testing the procedure on that device prior to deploying the update to the live device.
Performing a software update on a device is not always straightforward and typically requires a reboot and downtime. Although Nipper Studio recommends installing the latest software updates to resolve software vulnerabilities, an alternative mitigation measure may be available. Software vulnerabilities often require specific configuration setups in order to be present, and the device manufacturer may publish configuration changes that make it possible to mitigate the exposure.
More information, support and software updates:
Go to the report contents or the start of this section.
4 Configuration Report
4.1 Introduction
This section details the configuration settings of your device in an easy to read and understand format. The various device configuration settings are grouped into sections of related options.
Go to the report contents or the start of this section.
4.2 3COM 5500 Series Switch 5500-EI Configuration Report
4.2.1 Basic Information
Table 22: Basic information
Description | Setting
Name | 5500-EI
Device | 3COM 5500 Series Switch
4.2.2 Network Services
Table 23 outlines the network services configured on the device and their status. The service settings are described in greater detail in the following sections.
Table 23: Network services
Service | Status | Protocol | Port
Telnet Service | Disabled | TCP | 23
SSH Service | Disabled | TCP | 22
Web Administration Service (HTTP) | Enabled | TCP | 80
FTP Service | Disabled | TCP | 21
SNMP Service | Disabled | UDP | 161
NTP Service | Disabled | UDP | 123
4.2.3 Authentication
This section details the authentication configuration settings for 5500-EI.
4.2.3.1 User Policy Settings
This section details the user policy configuration settings.
Table 24: User policy settings
Description | Setting
Lock Account Failed Logon Attempt Limit | None
Account Lockout Duration | Forever
Minimum Password Length | 10 Characters
Maximum Password Age Limit (Days) | 90 Days
Password Age Expiry Warning (Days) | None
Password History | 4 Passwords
Password Complexity Checking | Enabled
4.2.3.2 Local Users
This section details the users configured on 5500-EI.
Table 25: Users
User | Password | Privilege
super (level 3) | password | 3
admin | | 0
andy | | 0
4.2.4 Administration
This section describes the administration services and configuration settings that are supported by 3COM 5500 Series Switch devices. Each subsection covers the configuration of a specific administration service or services.
4.2.4.1 General Administration Settings
This section describes some general 3COM 5500 Series Switch device administration settings.
Table 26: General administration settings
Description | Setting
Console Port | Enabled
AUX Port | Enabled
4.2.4.2 Telnet Service Settings
The Telnet service enables remote administrative access to a Command Line Interface (CLI) on 5500-EI. The Telnet protocol implemented by the service is simple and provides no encryption of the network communications between the client and the server. This section details the Telnet service settings.
Table 27: Telnet service settings
Description | Setting
Telnet Service | Disabled
Service TCP Port | 23
4.2.4.3 SSH Service Settings
The Secure Shell (SSH) service enables a remote administrator to access a CLI on 5500-EI. The SSH protocol provides complete encryption of the network packets between the connecting client and the server. There are two main versions of the SSH protocol; version 1 has known cryptographic weaknesses, so only version 2 should be permitted if the service is enabled.
This section details the SSH service settings.
Table 28: SSH service settings
Description | Setting
SSH Service | Disabled
Service TCP Port | 22
SSH Protocol Versions | 1 and 2
SFTP | Disabled
4.2.4.4 Web-Based Administration Service Settings
The Web-based administration service enables a remote administrator to manage the device using a web browser. 3COM 5500 Series Switch devices provide administrative access using only the HTTP protocol. The use of the HTTP protocol means that the connection between the administrator and the device will not be encrypted.
This section details the configuration of the web-based administration.
Table 29: Web-based administration service settings
Description | Setting
Web Administration Service (HTTP) | Enabled
HTTP TCP Port | 80
4.2.4.5 FTP Service Settings
The File Transfer Protocol (FTP) service enables remote administrators to transfer files to and from 5500-EI. The authentication and transfer of files between the FTP service and client are unencrypted. This section details the FTP service settings.
Table 30: FTP service settings
Description | Setting
FTP Service | Disabled
TCP Port | 21
Connection Timeout | 30 minutes
4.2.4.6 Administrative Interface Line Settings
The administrative interface line settings are used on 5500-EI devices to configure administrative access using a number of different services. The previous sections have covered the specific administration services and their authentication configurations. This section details all the administrative interface lines configured on 5500-EI, the timeouts and other options.
Table 31: Administrative interface line configuration
Line | Exec Timeout
Auxiliary | 10 minutes
VTY 0-4 | 10 minutes
4.2.5 Logon Banner Messages
The importance of banner messages can often be overlooked. Banner messages are useful for providing a deterrent against unauthorized access or reminding a user about procedural details for making modifications to a device's configuration. If a warning message has been configured and an attacker has gained unauthorized access, the banner message could act as evidence of an attacker's intent. This section details the banner messages configured on 5500-EI.
4.2.5.1 Copyright Banner
The Copyright banner message shows the device manufacturer's copyright information to all users prior to logon. A typical Copyright banner message is as follows:
******************************************************************************
* Copyright (c) 2004-2009 3COM Corp. and its licensors. All rights reserved. *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
Table 32: Banner status
Status | Enabled
4.2.6SNMPSettings
SNMPisusedtoassistnetworkadministratorsinmonitoringandmanagingawidevarietyofnetworkdevices.TherearethreemainversionsofSNMPinuse.Versions1and2ofSNMParebothsecuredwithacommunitystringandauthenticateandtransmitnetworkpacketswithoutanyformofencryption.SNMPversion3providesseverallevelsofauthenticationandencryption.Themostbasiclevelprovidesasimilarprotectiontothatoftheearlierprotocolversions.However,SNMPversion3canbeconfiguredtoprovideencryptedauthentication(auth)andsecuredfurtherwithsupportforencrypteddatacommunications(priv).
Thissectiondescribesthe5500-EISNMPconfigurationsettings.
Table33:SNMPsettings
Description Setting
SNMPService Disabled
UDPPort 161
Contact 3COMCorporation
Location Marlborough,MA
4.2.7 Message Logging
3COM 5500 Series Switch devices are capable of logging system events and messages. Those logs can then be recalled at a later time, assisting administrators in the diagnosis of system faults or alerting system administrators of an attack. This section details the device's logging configuration.
4.2.7.1 Syslog Logging
Syslog messages can be sent by 3COM 5500 Series Switch devices to a Syslog server. Syslog servers provide the following advantages:
a central repository for logs from a range of network devices;
a potentially longer retention period for logs than a device may be capable of storing;
a troubleshooting resource for when a device may no longer be responsive;
an external log source, in case the security of a device has been compromised;
support for an industry standard logging system.
This section details the Syslog configuration settings.
Table 34: Syslog logging configuration
Description      Setting
Syslog Logging   Disabled
4.2.7.2 Internal Buffer Logging Settings
3COM 5500 Series Switch devices can log messages to an internal buffer. By its nature, the buffer is size limited and therefore newer messages will overwrite older ones when the buffer's size has been reached. This section details the internal buffer logging configuration settings.
Table 35: Internal buffer logging configuration
Description      Setting
Buffer Logging   Enabled
Buffer Size      512
4.2.7.3 Console Logging
3COM 5500 Series Switch devices are capable of sending system logging to the console. This section details those configuration settings.
Table 36: Console logging configuration
Description       Setting
Console Logging   Enabled
4.2.7.4 Terminal Line Logging
3COM 5500 Series Switch devices are capable of sending system logging to the terminal lines. This section details those configuration settings.
Table 37: Terminal line logging configuration
Description             Setting
Terminal Line Logging   Enabled
4.2.8 Name Resolution Settings
3COM 5500 Series Switch devices can be configured to resolve name to address mappings. This section details those settings.
4.2.8.1 DNS Client
The Domain Name System (DNS) service stores information about mappings between a device's IP address and a name, which is easier for humans to recognize and remember. 3COM 5500 Series Switch devices can be configured to query a DNS in order to resolve names to addresses. This section details those configuration settings.
Table 38: DNS client configuration
Description   Setting
DNS Type      Standard
Domain        titania.co.uk
DNS Lookups   Disabled
Table 39: DNS servers
Description   Server IP Address
Primary       8.8.8.8
4.2.8.2 Hostname mappings
3COM 5500 Series Switch devices can be configured with hostname to IP address mappings for use with the device. This section details those hostname to IP address mappings.
Table 40: Hostname IP address mappings
Hostname   IP Address
testhost   10.10.10.10
4.2.9 Network Protocols
This section details the configuration of the network protocols supported by 3COM 5500 Series Switch devices. Each section details specific settings such as any network protocol address configuration settings.
4.2.9.1 IPv4
This section details the configuration of the Internet Protocol version 4 (IPv4) protocol and addresses. IPv4 is described in RFC 791.
Table 41: IPv4 addresses
Interface   Address           Proxy-ARP
1           192.168.0.19/24   On
4.2.10 Network Interfaces
This section details the configuration of both physical and virtual network interfaces.
4.2.10.1 VLAN Interfaces
This section describes the configuration of the device's Virtual Local Area Network (VLAN) interfaces.
Table 42: VLAN interfaces
Interface
1
4.2.10.2 Auxiliary Interfaces
This section describes the configuration of the device's auxiliary interfaces.
Table 43: Auxiliary interfaces
Interface
1/0/0
4.2.10.3 Ethernet Interfaces
This section describes the configuration of the device's Ethernet interfaces.
Table 44: Ethernet interfaces
Interface   Active   VLAN   Trunk
1/0/1       Yes      -      No
1/0/2       Yes      -      No
1/0/3       Yes      -      No
1/0/4       Yes      -      No
1/0/5       Yes      -      No
1/0/6       Yes      -      No
1/0/7       Yes      -      No
1/0/8       Yes      -      No
1/0/9       Yes      -      No
1/0/10      Yes      -      No
1/0/11      Yes      -      No
1/0/12      Yes      -      No
1/0/13      Yes      -      No
1/0/14      Yes      -      No
1/0/15      Yes      -      No
1/0/16      Yes      -      No
1/0/17      Yes      -      No
1/0/18      Yes      -      No
1/0/19      Yes      -      No
1/0/20      Yes      -      No
1/0/21      Yes      -      No
1/0/22      Yes      -      No
1/0/23      Yes      -      No
1/0/24      Yes      -      No
4.2.10.4 Gigabit Ethernet Interfaces
This section describes the configuration of the device's Gigabit Ethernet interfaces.
Table 45: Gigabit Ethernet interfaces
Interface   Active   VLAN   Trunk
1/0/25      Yes      -      No
1/0/26      Yes      -      No
1/0/27      Yes      -      No
1/0/28      Yes      -      No
4.2.10.5 Null Interfaces
This section describes the configuration of the device's null interfaces.
Table 46: Null interfaces
Interface
0
4.2.11 Network Filtering
3COM 5500 Series Switch devices can be configured to filter network traffic in order to restrict access to devices and services. Those network filtering settings are detailed in this section.
4.2.11.1 Basic ACL
Basic ACLs filter network packets based on the source IP address. Basic ACLs are numbered between 2000 and 2999.
Table 47: 2222 (a test basic acl)
Rule   Action   Source
10     -        10.10.10.10
20     -        0.0.0.2 0.0.0.255
30     -        Any
31     -        1.2.3.4
4.2.11.2 Advanced ACL
Advanced ACLs filter network packets primarily based on the protocol, source IP address, source port, destination IP address and destination service. Advanced ACLs are numbered between 3000 and 3999.
Table 48: 3333 (a test advanced acl)
Rule   Action   Protocol   Source        Src Port   Destination     Dst Port
0      -        Any        10.10.10.10   Any        20.20.20.0/24   Any
1      -        TCP        2.3.0.0/16    <56        1.2.3.4         >4
2      -        OSPF       Any           -          Any             -
3      -        ICMP       Any           -          Any             -
4.2.11.3 Layer 2 ACL
Layer 2 ACLs filter network packets primarily based on the source and destination network interface hardware addresses. Layer 2 ACLs are numbered between 4000 and 4999.
Table 49: 4444
Rule   Action   Protocol   Source                                Destination
0      -        802.3      00:14:00:14:00:14 00:55:00:55:00:55   Any
4.2.12 Time And Date
It can be critically important that the time and date set on all network devices match. Many authentication services depend on the time between devices being synchronized; if a clock is outside a threshold then that device may no longer be able to perform authentication. Furthermore, diagnosing issues with the use of message logs becomes much more cumbersome if the time and dates between devices do not match. 3COM 5500 Series Switch devices can be configured to obtain time updates from a network time source. This section details the time and date configuration settings.
4.2.12.1 Time Zones
Table 50: General Time Settings
Description                   Setting
Time Zone                     UTC
Summer Time Daylight Saving   Disabled
4.2.12.2 NTP Client Configuration
3COM 5500 Series Switch devices can be configured to synchronize their time from a NTP time source (Request For Change (RFC) 1305, http://www.faqs.org/rfcs/rfc1305.html). This section details those NTP client configuration settings.
Table 51: NTP client settings
Description                 Setting
NTP Client                  Disabled
Accept Broadcast Updates    Disabled
Accept Multicast Updates    Disabled
NTP Authentication          Disabled
4.2.12.3 NTP Server Configuration
3COM 5500 Series Switch devices can be configured to provide an NTP time source for other network devices. This section details the NTP server configuration.
Table 52: NTP server configuration
Description            Setting
NTP Service            Disabled
Multicast NTP Server   Disabled
Broadcast NTP Server   Disabled
4.2.12.4 NTP Access Restrictions
Access restrictions can be applied to NTP time synchronization on 3COM 5500 Series Switch devices. This section details those settings.
Table 53: NTP access restrictions
Control Commands   NTP Client   NTP Server   Filter
Enabled            Disabled     Enabled      2222
5 Appendix
5.1 Logging Severity Levels
Logging message severity levels provide a way of tagging log messages with an indication of how significant the message is. Table 54 lists the various standard logging severity levels that can be configured.
Table 54: Logging message severity levels
Level   Name            Description
0       Emergencies     The system is unusable
1       Alerts          Immediate action is required
2       Critical        Critical conditions
3       Errors          Error conditions
4       Warnings        Warning conditions
5       Notifications   Significant conditions
6       Informational   Informational messages
7       Debugging       Debugging messages
5.2 Common Time Zones
When synchronising time from a central source, time zones can be configured in order to offset the time information for a specific locality. This section details the most common time zones.
Table 55: Common time zones
Region           Acronym   Time Zone                              UTC Offset
Australia        CST       Central Standard Time                  +9.5 hours
Australia        EST       Eastern Standard/Summer Time           +10 hours
Australia        WST       Western Standard Time                  +8 hours
Europe           BST       British Summer Time                    +1 hour
Europe           CEST      Central Europe Summer Time             +2 hours
Europe           CET       Central Europe Time                    +1 hour
Europe           EEST      Eastern Europe Summer Time             +3 hours
Europe           EST       Eastern Europe Time                    +2 hours
Europe           GMT       Greenwich Mean Time
Europe           IST       Irish Summer Time                      +1 hour
Europe           MSK       Moscow Time                            +3 hours
Europe           WEST      Western Europe Summer Time             +1 hour
Europe           WET       Western Europe Time                    +1 hour
USA and Canada   ADT       Atlantic Daylight Time                 -3 hours
USA and Canada   AKDT      Alaska Standard Daylight Saving Time   -8 hours
USA and Canada   AKST      Alaska Standard Time                   -9 hours
USA and Canada   AST       Atlantic Standard Time                 -4 hours
USA and Canada   CDT       Central Daylight Saving Time           -5 hours
USA and Canada   CST       Central Standard Time                  -6 hours
USA and Canada   EDT       Eastern Daylight Time                  -4 hours
USA and Canada   EST       Eastern Standard Time                  -5 hours
USA and Canada   HST       Hawaiian Standard Time                 -10 hours
USA and Canada   MDT       Mountain Daylight Time                 -6 hours
USA and Canada   MST       Mountain Standard Time                 -7 hours
USA and Canada   PDT       Pacific Daylight Time                  -7 hours
USA and Canada   PST       Pacific Standard Time                  -3 hours
5.3 IP Protocols
This section lists the IP protocols referenced within this report.
Table 56: IP Protocols
Name              Description                                           ID        RFC
NVP               Network Voice Protocol                                11        RFC 741
-                 Reserved                                              255
-                 Use for Experimentation and Testing                   253-254   RFC 3692
-                 Unassigned                                            140-252
HIP               Host Identity Protocol                                139       RFC 5201
MANET             MANET Protocols                                       138
MPLS-in-IP        Encapsulating MPLS in IP                              137       RFC 4023
UDPLite           Lightweight UDP                                       136       RFC 3828
Mobility Header   Mobility Support in IPv6                              135       RFC 3775
RSVP-E2E-IGNORE   RSVP for IPv4 and IPv6                                134       RFC 3175
FC                Fibre Channel                                         133
SCTP              Stream Control Transmission Protocol                  132
PIPE              Private IP Encapsulation within IP                    131
SPS               Secure Packet Shield                                  130
IPLT              IPLT                                                  129
SSCOPMCE          SSCOPMCE                                              128
CRUDP             Combat Radio User Datagram                            127
CRTP              Combat Radio Transport Protocol                       126
FIRE              FIRE                                                  125
ISIS over IPv4    Intermediate System to Intermediate System over IPv4  124
PTP               Performance Transparency Protocol                     123
SM                SM                                                    122
SMP               Simple Message Protocol                               121
UTI               UTI                                                   120
SRP               SpectraLink Radio Protocol                            119
STP               Schedule Transfer Protocol                            118
IATP              Interactive Agent Transfer Protocol                   117
DDX               D-II Data Exchange                                    116
L2TP              Layer Two Tunneling Protocol                          115
-                 Any 0-Hop Protocol                                    114
PGM               PGM Reliable Transport Protocol                       113
VRRP              Virtual Router Redundancy Protocol                    112       RFC 3768
IPX-in-IP         IPX in IP                                             111
Compaq-Peer       Compaq Peer Protocol                                  110
SNP               Sitara Networks Protocol                              109
PCP               IP Payload Compression Protocol                       108       RFC 3173
IPComp            IP Payload Compression Protocol                       108       RFC 3173
A/N               Active Networks                                       107
QNX               QNX                                                   106
SCPS              SCPS                                                  105
ARIS              ARIS                                                  104
PIM               Protocol Independent Multicast                        103
PNNI              PNNI over IP                                          102
IFMP              Ipsilon Flow Management Protocol                      101
GMTP              GMTP                                                  100
-                 Any Private Encryption Scheme                         99
ENCAP             Encapsulation Header                                  98        RFC 1241
ETHERIP           Ethernet-within-IP Encapsulation                      97        RFC 3378
SCC-SP            Semaphore Communications Security Protocol            96
MICP              Mobile Internetworking Control Protocol               95
NOS               KA9Q NOS                                              94
IPIP              IP-within-IP Encapsulation Protocol                   94
AX.25             AX.25 Frames                                          93
MTP               Multicast Transport Protocol                          92
LARP              Locus Address Resolution Protocol                     91
Sprite-RPC        Sprite RPC Protocol                                   90
OSPF              Open Shortest Path First                              89        RFC 1583
EIGRP             Enhanced IGRP                                         88
TCF               TCF                                                   87
DGP               Dissimilar Gateway Protocol                           86
NSFNET-IGP        NSFNET-IGP                                            85
TTP               TTP                                                   84
VINES             VINES                                                 83
SECURE-VMTP       Secure VMTP                                           82
VMTP              Versatile Message Transaction Protocol                81        RFC 1045
ISO-IP            ISO Internet Protocol                                 80
WB-EXPAK          WIDEBAND EXPAK                                        79
WB-MON            WIDEBAND Monitoring                                   78
SUN-ND            SUN ND PROTOCOL-Temporary                             77
BR-SAT-MON        Backroom SATNET Monitoring                            76
PVP               Packet Video Protocol                                 75
WSN               Wang Span Network                                     74
CPHB              Computer Protocol Heart Beat                          73
CPNX              Computer Protocol Network Executive                   72
IPCV              Internet Packet Core Utility                          71
VISA              VISA Protocol                                         70
SAT-MON           SATNET Monitoring                                     69
-                 Any Distributed File System                           68
IPPC              Internet Pluribus Packet Core                         67
RVD               MIT Remote Virtual Disk Protocol                      66
KRYPTOLAN         Kryptolan                                             65
SAT-EXPAK         SATNET and Backroom EXPAK                             64
-                 Any Local Network                                     63
CFTP              CFTP                                                  62
-                 Any Host Internal Protocol                            61
Opts6             Destination Options for IPv6                          60        RFC 1883
IPv6-Opts         Destination Options for IPv6                          60        RFC 1883
NoNxt6            No Next Header for IPv6                               59        RFC 1883
IPv6-NoNxt        No Next Header for IPv6                               59        RFC 1883
ICMP6             ICMP for IPv6                                         58        RFC 1883
IPv6-ICMP         ICMP for IPv6                                         58        RFC 1883
SKIP              SKIP                                                  57
TLSP              Transport Layer Security Protocol                     56
MOBILE            IP Mobility                                           55
NARP              NBMA Address Resolution Protocol                      54        RFC 1735
SWIPE             IP with Encryption                                    53
I-NLSP            Integrated Net Layer Security Protocol                52
AHP               Authentication Header                                 51        RFC 2402
AH                Authentication Header                                 51        RFC 2402
ESP               Encapsulating Security Payload                        50        RFC 2406
BNA               BNA                                                   49
DSR               Dynamic Source Routing Protocol                       48        RFC 4728
GRE               General Routing Encapsulation                         47
RSVP              Reservation Protocol                                  46
IDRP              Inter-Domain Routing Protocol                         45
IPv6-Frag         Fragment Header for IPv6                              44
IPv6-Route        Routing Header for IPv6                               43
SDRP              Source Demand Routing Protocol                        42
IPv6              IPv6 in IPv4 (encapsulation)                          41
IL                IL Transport Protocol                                 40
TP++              TP++ Transport Protocol                               39
IDPR-CMTP         IDPR Control Message Transport Protocol               38
DDP               Datagram Delivery Protocol                            37
XTP               XTP                                                   36
IDPR              Inter-Domain Policy Routing Protocol                  35
3PC               Third Party Connect Protocol                          34
DCCP              Datagram Congestion Control Protocol                  33        RFC 4340
MERIT-INP         MERIT Internodal Protocol                             32
MFE-NSP           MFE Network Services Protocol                         31
NETBLT            Bulk Data Transfer Protocol                           30        RFC 969
ISO-TP4           ISO Transport Protocol Class 4                        29        RFC 905
IRTP              Internet Reliable Transaction Protocol                28        RFC 938
RDP               Reliable Data Protocol                                27        RFC 908
LEAF-2            Leaf-2                                                26
LEAF-1            Leaf-1                                                25
TRUNK-2           Trunk-2                                               24
TRUNK-1           Trunk-1                                               23
XNS-IDP           XEROX NS IDP                                          22
PRM               Packet Radio Measurement                              21
HMP               Host Monitoring Protocol                              20        RFC 869
DCN-MEAS          DCN Measurement Subsystems                            19
MUX               Multiplexing                                          18
UDP               User Datagram Protocol                                17        RFC 768
CHAOS             Chaos                                                 16
XNET              Cross Net Debugger                                    15
EMCON             EMCON                                                 14
ARGUS             ARGUS                                                 13
PUP               PARC Universal Packet                                 12
NVP-II            Network Voice Protocol                                11        RFC 741
BBN-RCC-MON       BBN RCC Monitoring                                    10
IGP               Interior Gateway Protocol                             9
IGRP              Interior Gateway Protocol                             9
EGP               Exterior Gateway Protocol                             8         RFC 888
CBT               CBT                                                   7
TCP               Transmission Control Protocol                         6         RFC 793
ST                Stream                                                5         RFC 1819
IPINIP            IP in IP (encapsulation)                              4         RFC 2003
IPIP              IP in IP (encapsulation)                              4         RFC 2003
GGP               Gateway-to-Gateway                                    3         RFC 823
IGMP              Internet Group Management                             2         RFC 1112
ICMP              Internet Control Message                              1         RFC 792
HOPOPT            IPv6 Hop-by-Hop Option                                0         RFC 1883
5.4 ICMP Types
This section lists the ICMP types referenced within this report.
Table 57: ICMP Types
Description                                                          Type   Code   RFC
Need Authorization                                                   40     5      RFC 2521
Need Authentication                                                  40     4      RFC 2521
Decryption Failed                                                    40     3      RFC 2521
Decompression Failed                                                 40     2      RFC 2521
Authentication Failed                                                40     1      RFC 2521
Bad SPI                                                              40     0      RFC 2521
Photuris                                                             40     -1     RFC 2521
SKIP                                                                 39     -1
Domain Name Reply                                                    38     -1     RFC 1788
Domain Name Request                                                  37     -1     RFC 1788
Mobile Registration Reply                                            36     -1
Mobile Registration Request                                          35     -1
IPv6 I-Am-Here                                                       34     -1
IPv6 Where-Are-You                                                   33     -1
Mobile Host Redirect                                                 32     -1
Datagram Conversion Error                                            31     -1     RFC 1475
Traceroute                                                           30     -1     RFC 1393
Address Mask Reply                                                   18     -1     RFC 950
Address Mask Request                                                 17     -1     RFC 950
Information Reply                                                    16     -1     RFC 792
Information Request                                                  15     -1     RFC 792
Timestamp Reply                                                      14     -1     RFC 792
Timestamp Request                                                    13     -1     RFC 792
Bad Length                                                           12     2      RFC 1108
Missing a Required Option                                            12     1      RFC 1108
Pointer Indicates the Error                                          12     0      RFC 792
Parameter Problem                                                    12     -1     RFC 792
Fragment Reassembly Time Exceeded                                    11     1      RFC 792
Time to Live Exceeded in Transit                                     11     0      RFC 792
Time Exceeded                                                        11     -1     RFC 792
Router Solicitation                                                  10     -1     RFC 1256
Does Not Route Common Traffic                                        9      16     RFC 2002
Router Advertisement                                                 9      0      RFC 1256
Echo Request                                                         8      -1     RFC 792
Echo                                                                 8      -1     RFC 792
Alternate Host Address                                               6      -1     RFC 792
Redirect Datagram for the Type of Service and Host                   5      3      RFC 792
Redirect Datagram for the Type of Service and Network                5      2      RFC 792
Redirect Datagram for the Host                                       5      1      RFC 792
Redirect Datagram for the Network (or subnet)                        5      0      RFC 792
Redirect                                                             5      -1     RFC 792
Source Quench                                                        4      -1     RFC 792
Precedence Cutoff in Effect                                          3      15     RFC 1812
Host Precedence Violation                                            3      14     RFC 1812
Communication Administratively Prohibited                            3      13     RFC 1812
Destination Host Unreachable for Type of Service                     3      12     RFC 1122
Destination Network Unreachable for Type of Service                  3      11     RFC 1122
Communication with Destination Host is Administratively Prohibited   3      10     RFC 1122
Communication with Destination Network is Administratively Prohibited 3     9      RFC 1122
Source Host Isolated                                                 3      8      RFC 1122
Destination Host Unknown                                             3      7      RFC 1122
Destination Network Unknown                                          3      6      RFC 1122
Source Route Failed                                                  3      5      RFC 792
Fragmentation Needed                                                 3      4      RFC 792
Port Unreachable                                                     3      3      RFC 792
Protocol Unreachable                                                 3      2      RFC 792
Host Unreachable                                                     3      1      RFC 792
Net Unreachable                                                      3      0      RFC 792
Destination Unreachable                                              3      -1     RFC 792
Echo Reply                                                           0      -1     RFC 792
5.5 Abbreviations
Table 58: Abbreviations
Abbreviation   Description
VTY            Virtual Teletype
VLAN           Virtual Local Area Network
UDP            User Datagram Protocol
TCP            Transmission Control Protocol
SSL            Secure Sockets Layer
SSH            Secure Shell
SNMP           Simple Network Management Protocol
SFTP           Secure File Transfer Protocol
RFC            Request For Change
OS             Operating System
NTP            Network Time Protocol
MAC            Media Access Control
IPv4           Internet Protocol version 4
IP             Internet Protocol
ICMP           Internet Control Message Protocol
HTTPS          Hypertext Transfer Protocol over SSL
HTTP           Hypertext Transfer Protocol
FTP            File Transfer Protocol
DoS            Denial of Service
DNS            Domain Name System
CLI            Command Line Interface
AUX            Auxiliary
ARP            Address Resolution Protocol
ACL            Access Control List