ZOHO Corp. performed a security audit of the Cisco PIX Security Appliance device on Tuesday 29th May 2012 and identified nine security-related issues. The most significant issue identified was rated as critical. ZOHO Corp. recommends that any issue rated higher than a medium should be reviewed as soon as possible.
ZOHO Corp. performed an analysis of the authentication credentials during the security audit. Strong authentication credentials help prevent an attacker from gaining unauthorized access by guessing the password or by a dictionary-based or brute-force attack. Authentication passwords and keys should contain several character types including punctuation, meet a minimum length, and not be based on dictionary words, set to the system default or left blank. ZOHO Corp. identified weaknesses with the authentication credentials and recommends that the current password policy should be reviewed and that all passwords should be configured to meet the policy.
The following statistics can be drawn from the results of this assessment. 11% (1) issue was rated as critical. 33% (3) issues were rated as medium. 44% (4) issues were rated as low. 11% (1) issue was rated as informational.
This Cisco PIX Security Appliance report was produced by ZOHO Corp. on Tuesday 29th May 2012. The report comprises the following sections:
This report makes use of the text conventions outlined in Table 1.
| Convention | Description |
|---|---|
| command | This text style represents the Cisco PIX Security Appliance command text that has to be entered literally. |
| string | This text style represents Cisco PIX Security Appliance command text for which you should substitute a suitable value (e.g. an IP address or authentication key). |
| [ ] | Used to enclose a Cisco PIX Security Appliance command option. |
| { } | Used to enclose a Cisco PIX Security Appliance command requirement. |
| \| | Divides command options. |
Each security issue identified by ZOHO Corp. is described with a finding, the impact of the issue, how easy it would be for an attacker to exploit the issue and a recommendation. Each security issue is rated based on a number of factors, each of which is described in the following sections.
The issue finding describes what configuration setting ZOHO Corp. identified that potentially poses a security threat. In addition to the finding details, any relevant background information is also described.
The impact section describes what an attacker could gain from exploiting the security issue. The impact of an issue is often defined by other configuration settings that could heighten the issue or partially mitigate it. For example, a weak password could be partially mitigated if the access gained from using it is restricted in some way. The impact is rated depending on the significance of the security threat. Table 2 outlines the possible impact ratings and their significance.
| Rating | Description |
|---|---|
| Critical | These issues can pose a very significant security threat. The issues that have a critical impact are typically those that would allow an attacker to gain full administrative access to the device. For a firewall device, allowing all traffic to pass through the device unfiltered would receive this rating as filtering traffic to protect other devices is the primary purpose of a firewall. |
| High | These issues pose a significant threat to security, but have some limitations on the extent to which they can be abused. User level access to a device and a DoS vulnerability in a critical service would fall into this category. A firewall device that allowed significant unfiltered access, such as allowing entire subnets through or not filtering in all directions, would fall into this category. A router that allows significant modification of its routing configuration would also fall into this category. |
| Medium | These issues have significant limitations on the direct impact they can cause. Typically these issues would include significant information leakage issues, less significant DoS issues or those that provide significantly limited access. A SNMP service that is secured with a default or a dictionary-based community string would typically fall into this rating, as would a firewall that allows unfiltered access to a range of services on a device. |
| Low | These issues represent a low level security threat. A typical issue would involve information leakage that could be useful to an attacker, such as a list of users or version details. A non-firewall device that was configured with weak network filtering would fall into this category. |
| Info | These issues represent a very low level of security threat. These issues include minor information leakage, unnecessary services or legacy protocols that provide no real threat to security. |
The ease section of each issue describes the knowledge, skill and physical access that would be required of an attacker in order to exploit it. The ease will describe if open source or commercially available tools are required for an attacker to exploit an issue. Additionally, the ease will note where an extended period of time is required to exploit the issue, such as cracking weak encryption ciphers. Each issue is rated upon how easily it can be exploited, the ratings for which are described in Table 3.
| Rating | Description |
|---|---|
| Trivial | The issue requires little-to-no knowledge on behalf of an attacker and can be exploited using standard operating system tools. A firewall device whose network filtering configuration allows traffic to pass through unfiltered would fall into this category. |
| Easy | The issue requires some knowledge for an attacker to exploit, which could be performed using standard operating system tools or tools downloaded from the Internet. An administrative service with no password or with a default password would fall into this category, as would a simple software vulnerability exploit. |
| Moderate | The issue requires specific knowledge on behalf of an attacker. The issue could be exploited using a combination of operating system tools or publicly available tools downloaded from the Internet. |
| Challenge | A security issue that falls into this category would require significant effort and knowledge on behalf of the attacker. The attacker may require specific physical access to resources or to the network infrastructure in order to successfully exploit it. Furthermore, a combination of attacks may be required. |
| N/A | The issue is not directly exploitable. An issue such as enabling legacy protocols or unnecessary services would fall into this rating category. |
Each issue includes a recommendation section which describes what steps ZOHO Corp. recommends should be taken in order to mitigate the issue. The recommendation will sometimes include various options, if several mitigating choices are available, and any relevant system commands.
Directly following the recommendation, the issue dependencies and other relevant issues are referenced. The dependency issues are those that when mitigated will eliminate the described issue. For example, if the Simple Network Management Protocol (SNMP) is disabled it no longer matters if a view has not been configured. The relevant issues are ones that can affect the impact or the ease that the issue can be exploited.
The recommendation includes a rating that indicates how easy an issue is to resolve, these are described in Table 4.
| Rating | Description |
|---|---|
| Involved | The resolution of the issue will require significant resources to resolve and is likely to include disruption to network services, and possibly the modification of other network device configurations. The issue could involve upgrading the Cisco PIX Security Appliance OS and possibly modifications to the hardware. |
| Planned | The issue resolution involves planning, testing and could cause some disruption to services. This issue could involve changes to routing protocols and changes to network filtering. |
| Quick | The issue is quick to resolve. Typically this would just involve changing a small number of settings and would have little-to-no effect on network services. |
The previous sections describe each part that is reported for an individual issue and the rating associated with it; they do not describe how the overall rating is calculated. The overall security issue rating is calculated from a combination of the impact and the ease of exploiting an issue. The recommendation rating is not included, as it does not represent the significance of a security issue. The overall rating uses the same scale as the impact, modified by how easy the issue is to exploit.
It is worth noting that ZOHO Corp. is unable to provide an accurate threat assessment due to a lack of contextual information. For example, in the case where highly sensitive information is processed, a Denial of Service (DoS) vulnerability poses less of a threat than the integrity of the data or an attacker gaining access to it. Similarly, for a situation where uptime is critical, a DoS vulnerability could be more important than the leakage of sensitive information. The ratings provided by ZOHO Corp. are intended to be a guide.
Authentication credentials are configured on Cisco PIX Security Appliance devices in order to help prevent unauthorized access to the device, restricting access to specific authorized users. Authenticated administrative users could reconfigure the device or could use the device to access other devices on the network.
ZOHO Corp. determined that two of the authentication credentials were configured with no password. These are listed in Table 5.
| User | Privilege Level |
|---|---|
| password | - |
| enable | 15 |
With no password configured, an attacker or malicious user could gain access to the device by authenticating without providing a password. The attacker could enumerate information about the device and network configuration. The attacker may also be able to use the device to attack other network devices. Furthermore, with administrative access, the attacker could reconfigure the device, allowing them to:
The attacker would simply need to connect to an authentication service on the device and would not need to provide a password. Tools to connect to authentication services are provided with most Operating Systems (OS) as standard. Furthermore, a number of network security testing tools can check authentication services in order to identify any empty, default or weak authentication passwords.
ZOHO Corp. recommends that strong authentication passwords should be immediately configured for all Cisco PIX Security Appliance users. ZOHO Corp. recommends that passwords:
The following commands can be used on Cisco PIX Security Appliance devices to configure the login password, the enable password and a user account with a password:
password password
enable password password
username name password password
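The following script is an added example, not part of the original report or of any ZOHO Corp. tool. It shows how the credential lines of a PIX configuration can be checked against the password policy described above: it flags a missing enable or login password, the two widely documented default PIX hashes (the empty enable password and the login password cisco), and cleartext passwords that are short, use too few character classes or are based on a dictionary word. The sample configuration, the user names and the short dictionary are constructed for the example.

```python
"""Audit the credential lines of a PIX configuration for empty, default or weak passwords.

Added example; not part of the original report or any ZOHO Corp. tool.
"""
import re

# Two widely documented PIX default hashes: the empty enable password and the
# default login password 'cisco'. Any other 'encrypted' value is left alone,
# because the hash cannot be reversed here.
KNOWN_DEFAULT_HASHES = {
    "8Ry2YjIyt7RRXU24": "empty enable password",
    "2KFQnbNIdI.2KYOU": "default login password 'cisco'",
}

# Hypothetical mini dictionary; a real audit would load a proper word list.
DICTIONARY = {"cisco", "password", "admin", "firewall", "pix", "secret"}

# Constructed sample configuration; the user names and passwords are invented.
SAMPLE_CONFIG = """\
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
username ops password cisco123
username audit password x7Lk2/Qw9pRsT encrypted
"""


def password_strength_issues(password, min_length=8, min_classes=3):
    """Return the policy violations for a cleartext password (empty list if acceptable)."""
    issues = []
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < min_classes:
        issues.append(f"fewer than {min_classes} character classes")
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in DICTIONARY or letters_only in DICTIONARY:
        issues.append("based on a dictionary word")
    return issues


def _check_credential(name, value, encrypted):
    """Check one credential; hashed values are only compared to the known defaults."""
    if encrypted:
        if value in KNOWN_DEFAULT_HASHES:
            return [(name, "known default hash: " + KNOWN_DEFAULT_HASHES[value])]
        return []
    issues = password_strength_issues(value)
    return [(name, "weak cleartext password: " + "; ".join(issues))] if issues else []


def audit_credentials(config_text):
    """Return a list of (credential, problem) tuples for the given PIX configuration text."""
    findings = []
    seen_enable = seen_login = False
    for line in config_text.splitlines():
        t = line.split()
        if len(t) >= 3 and t[0] == "enable" and t[1] == "password":
            seen_enable = True
            findings += _check_credential("enable", t[2], "encrypted" in t[3:])
        elif len(t) >= 2 and t[0] in ("passwd", "password"):
            seen_login = True
            findings += _check_credential("passwd", t[1], "encrypted" in t[2:])
        elif len(t) >= 4 and t[0] == "username" and "password" in t:
            i = t.index("password")
            if i + 1 < len(t):
                findings += _check_credential(f"username {t[1]}", t[i + 1], "encrypted" in t[i + 2:])
    # A line such as 'enable password' with no value never matches above, so the
    # absence of a value is reported the same way as a missing command.
    if not seen_enable:
        findings.append(("enable", "no enable password configured"))
    if not seen_login:
        findings.append(("passwd", "no login password configured"))
    return findings


if __name__ == "__main__":
    for credential, problem in audit_credentials(SAMPLE_CONFIG):
        print(f"{credential}: {problem}")
```

Run against the sample configuration, the script reports the default enable and login hashes and the weak cleartext password for the ops account, and passes the audit account whose hash is not a known default.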
The HTTPS service is used for the remote web-based administration of the device. To help prevent unauthorized access to the HTTPS service from a malicious user or an attacker, management host addresses can be specified. Once the management host addresses have been configured, Cisco PIX Security Appliance devices will refuse access from any unauthorized host address.
ZOHO Corp. determined that no administrative host addresses were configured for the HTTPS service. The HTTPS service itself was disabled at the time of the audit (see the services summary later in this report), so the exposure arises only if the service is enabled without host restrictions being configured first.
Without management host address restrictions, an attacker or malicious user who has obtained authentication credentials would be able to connect to the HTTPS service from any network location and log on. Furthermore, if a vulnerability were to be identified in the service, the attacker would not be prevented from connecting to it.
The HTTPS service does encrypt the connection, so an attacker monitoring the network would not simply read the credentials and data as they would with an unencrypted service; host restrictions limit where a connection can originate, not what an authenticated attacker can do once connected.
For an attacker to gain access to the HTTPS service, they would simply have to connect to it using their web browser. A variety of web browsers can be downloaded from the Internet and are installed by default on most OS.
ZOHO Corp. recommends that specific addresses should be configured for only those hosts that require administrative access, and that the restriction be in place before the HTTPS service is enabled.
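The following script is an added example, not part of the original report or any ZOHO Corp. tool. It parses the http server enable and http address mask interface lines of a PIX configuration and reports an enabled service with no host entries, entries that permit any address, and entries outside an approved management network. On PIX the http command is a permit list: a host reaches the HTTPS service only when the service is enabled and the host matches an entry. The approved management network, both configurations and the addresses in them are constructed for the example.

```python
"""Check PIX HTTPS management host restrictions against an approved management network.

Added example; not part of the original report or any ZOHO Corp. tool.
"""
import ipaddress

# Assumed approved management network; the report does not state one.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed weak configuration: any address on the outside interface may
# connect, and one inside host outside the approved network is permitted.
WEAK_CONFIG = """\
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.5.0 255.255.255.0 inside
http 192.168.118.7 255.255.255.255 inside
"""

# Constructed corrected configuration: only the approved management network,
# and only on the inside interface.
HARDENED_CONFIG = """\
http server enable
http 10.10.5.0 255.255.255.0 inside
"""


def parse_http_settings(config_text):
    """Return (server_enabled, [(network, interface), ...]) from PIX configuration text."""
    enabled = False
    hosts = []
    for line in config_text.splitlines():
        t = line.split()
        if t[:3] == ["http", "server", "enable"]:
            enabled = True
        elif len(t) == 4 and t[0] == "http":
            # 'http <address> <mask> <interface>'; ipaddress accepts the dotted mask form.
            network = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
            hosts.append((network, t[3]))
    return enabled, hosts


def audit_https_hosts(config_text, management_networks):
    """Return a list of findings; an empty list means the restrictions look sound."""
    enabled, hosts = parse_http_settings(config_text)
    findings = []
    if enabled and not hosts:
        findings.append("HTTPS service enabled with no management hosts configured")
    for network, interface in hosts:
        if network.prefixlen == 0:
            findings.append(f"{interface}: any host may connect ({network})")
        elif not any(network.subnet_of(m) for m in management_networks):
            findings.append(f"{interface}: {network} is outside the approved management networks")
    return findings


if __name__ == "__main__":
    for config in (WEAK_CONFIG, HARDENED_CONFIG):
        print(audit_https_hosts(config, MANAGEMENT_NETWORKS) or ["no findings"])
```

The weak configuration produces two findings (the 0.0.0.0 entry on outside and the stray inside host); the hardened configuration produces none. A service that is enabled with no http entries is reported separately, since that state is usually a sign that restrictions were never planned rather than a deliberate lock-out.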
Logging is an essential component of a secure network configuration. Logging not only assists network administrators to identify issues when troubleshooting, but enables network administrators to react to intrusion attempts or Denial-of-Service attacks. It is therefore important that system messages are logged and that the logs are monitored, enabling system administrators to take immediate action when an attack has been identified or a potential problem raised. Furthermore, system logs are a key component of a forensic investigation into past intrusions or service disruptions.
ZOHO Corp. determined that logging was not enabled on the device.
With no logging of system messages, a network administrator may not be alerted to an intrusion attempt by an attacker and, furthermore, the logs would not be available for a forensic investigation. Additionally, without logging, notifications of possible issues with the device that would have been useful for diagnostic purposes would not be recorded.
No system messages will be recorded.
ZOHO Corp. recommends that both Syslog and internal buffer logging should be configured on the device.
Logging can be enabled on Cisco PIX Security Appliance devices with the following command. On PIX 6.x, including the 6.3(4) release running on this device, the command is logging on; the equivalent on PIX 7.0 and later is logging enable.
logging on
Syslog hosts, and the severity level of the messages sent to them, can be configured on Cisco PIX Security Appliance devices with the following commands:
logging host interface ip-address
logging trap level
Buffered logging can be enabled on Cisco PIX Security Appliance devices with the following command:
logging buffered [level]
Time synchronization for network devices is inherently important, not just for the various services that make use of time, but for the accurate logging of events. Cisco PIX Security Appliance devices can be configured to synchronize their time against a network time source.
ZOHO Corp. determined that time synchronization against a network time source was not configured.
Without any configured time synchronization, it could be more difficult to correlate events in the logs. This would make a forensic investigation more complex, hindering any troubleshooting and possibly causing issues with time sensitive systems.
The system time will not be synchronized.
ZOHO Corp. recommends that the system time should be synchronized against a network time source.
Cisco PIX Security Appliance devices can be configured to obtain time updates from a Network Time Protocol (NTP) service using authentication with the following commands:
ntp authenticate
ntp trusted-key key-id
ntp authentication-key key-id md5 key-string
ntp server ip-address key key-id
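The following script is an added example, not part of the original report, and illustrates what the md5 key configured by the commands above actually protects. It implements the NTPv3/v4 symmetric key scheme (RFC 1305, RFC 5905): the 48-byte NTP header is followed by a 4-byte key identifier and MD5(key || header), and the client accepts a reply only if the key identifier is one of its trusted keys and the digest verifies. The key string, the server values and the timestamps are invented; the assumption is that the PIX ntp authentication-key ... md5 command selects this standard scheme, which is what its syntax indicates.

```python
"""Symmetric-key NTP authentication as selected by 'ntp authentication-key <id> md5 <key>'.

Added example; not part of the original report. Key string and packet values are invented.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
NTP_UNIX_OFFSET = 2208988800  # seconds between the 1900 NTP epoch and the Unix epoch

# Key id 1 with an invented key string, corresponding to:
#   ntp authentication-key 1 md5 <key-string>
#   ntp trusted-key 1
TRUSTED_KEYS = {1: b"v9Qp2!xLr7Ks#Wm4"}


def build_server_reply(tx_unix_seconds):
    """Construct an unauthenticated NTP mode 4 (server) header with fixed sample values."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4  # leap 0, version 3, mode 4 (server)
    header = struct.pack("!BBbb", li_vn_mode, 2, 6, -20)  # stratum 2, poll 6, precision 2^-20
    header += struct.pack("!II", 0, 0)  # root delay, root dispersion
    header += b"GPS\x00"  # reference identifier
    ntp_seconds = tx_unix_seconds + NTP_UNIX_OFFSET
    for _ in range(4):  # reference, originate, receive and transmit timestamps (all set equal here)
        header += struct.pack("!II", ntp_seconds, 0)
    assert len(header) == NTP_HEADER_LEN
    return header


def authenticate(header, key_id, key):
    """Append the key id and MD5(key || header), as an authenticating server does."""
    digest = hashlib.md5(key + header[:NTP_HEADER_LEN]).digest()
    return header[:NTP_HEADER_LEN] + struct.pack("!I", key_id) + digest


def verify(packet, trusted_keys):
    """Client-side check: accept only packets carrying a valid MAC under a trusted key."""
    if len(packet) != NTP_HEADER_LEN + 4 + 16:
        return False  # unauthenticated or malformed packet
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False  # key id is not in the trusted-key list
    expected = hashlib.md5(key + packet[:NTP_HEADER_LEN]).digest()
    return hmac.compare_digest(expected, packet[NTP_HEADER_LEN + 4:])


def spoofed_copy(packet, new_tx_unix_seconds):
    """Alter the transmit timestamp (bytes 40..47) without knowledge of the key."""
    new_ts = struct.pack("!II", new_tx_unix_seconds + NTP_UNIX_OFFSET, 0)
    return packet[:40] + new_ts + packet[48:]


if __name__ == "__main__":
    genuine = authenticate(build_server_reply(1338249600), 1, TRUSTED_KEYS[1])
    print("genuine reply accepted:", verify(genuine, TRUSTED_KEYS))
    print("tampered reply accepted:", verify(spoofed_copy(genuine, 1338249600 + 3600), TRUSTED_KEYS))
```

The scheme is a keyed hash rather than an HMAC, so the key string should be long and random; a short or guessable key string gives an attacker who can see authenticated replies an offline target. Without ntp authenticate, the unauthenticated reply in the last check would be accepted and a spoofed source could shift the device clock, undermining the log correlation the finding is concerned with.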
The console connection timeout setting is used by Cisco PIX Security Appliance devices to determine if a console connection is no longer being used and can be closed. The console connection could become unused if an administrator has not correctly terminated the connection and still remains logged into the console or they have left their computer without terminating the console connection.
ZOHO Corp. determined that no console connection timeout was configured on the device.
An attacker with physical access to the device would be able to connect to the console port and continue using a session that was not properly terminated. Given the nature of the device, the access the attacker would gain is likely to be that of an administrative level user.
An attacker would require physical access to the device in order to connect to the console port. Although this may seem like a significant barrier, a malicious user or attacker who has legitimate access to the room where the device is located would be able to reach the console port, and a locked server rack provides little barrier to a motivated attacker.
ZOHO Corp. recommends that a timeout period of 10 minutes should be configured for the console connection.
The console timeout can be configured with the following command:
console timeout timeout-minutes
Any configured network packet filtering will have an impact on a device's performance and the more filtering configured, the greater the impact. Traditionally, to help prevent IP spoofing attacks, additional filtering was configured to perform sanity checks on network traffic to ensure that traffic being routed through the network originates from a valid IP address. These checks were typically configured to ensure the traffic from an IP address on an internal interface is not allowed in from the outside interface. Cisco PIX Security Appliance devices provide unicast Reverse Path Forwarding (RPF) verification to perform network traffic sanity checks without the performance impact of additional network filtering. Furthermore, unicast RPF verification is dynamic and will automatically adjust to topology changes.
ZOHO Corp. determined that unicast RPF verification was disabled on Interface ethernet1.
If unicast RPF verification is not enabled and no anti-spoofing network filtering is configured, a network packet with a spoofed source address could be routed by the device.
For an attacker to perform an IP spoofing attack, they would have to be aware of the address ranges used on the device's other interfaces. This could be made more difficult if anti-spoofing network filtering has been configured. However, manual anti-spoofing configuration can miss address ranges and may become out of date as the network topology changes. To make things easier for an attacker, tools that can perform an IP spoofing attack can be downloaded from the Internet.
ZOHO Corp. recommends that unicast RPF verification should be enabled to help prevent IP spoofing attacks.
Unicast RPF can be enabled on individual interfaces with the following command:
ip verify reverse-path interface interface
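The following script is an added example, not part of the original report, and models the decision that ip verify reverse-path interface enables: a packet is dropped when the best route back to its source address does not leave through the interface on which the packet arrived (strict unicast RPF). The routing table, the interface names and the traffic sample are constructed; the third packet claims an inside address but arrives from outside, which is the spoofing case the finding describes.

```python
"""Strict unicast RPF decision for packets arriving on a PIX interface.

Added example; not part of the original report. Routes and packets are constructed.
"""
import ipaddress

# Constructed routing table for a two-interface firewall: (prefix, interface).
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("192.168.118.0/24", "inside"),
    ("10.20.0.0/16", "inside"),
]

# Constructed traffic sample: (source address, ingress interface).
PACKETS = [
    ("192.168.118.50", "inside"),
    ("198.51.100.9", "outside"),
    ("192.168.118.50", "outside"),  # spoofed: inside address arriving from outside
    ("198.51.100.9", "inside"),     # spoofed: external address arriving from inside
]


def reverse_path_interface(routes, source):
    """Longest-prefix-match lookup of the source address; returns the interface or None."""
    addr = ipaddress.ip_address(source)
    best = None
    for prefix, interface in routes:
        network = ipaddress.ip_network(prefix)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, interface)
    return best[1] if best else None


def urpf_permits(routes, source, ingress):
    """Strict uRPF verdict: True only if the route back to the source leaves via the ingress interface."""
    return reverse_path_interface(routes, source) == ingress


def filter_packets(routes, packets, verified_interfaces):
    """Apply uRPF only where it is enabled; return (source, ingress, verdict) rows."""
    results = []
    for source, ingress in packets:
        if ingress in verified_interfaces and not urpf_permits(routes, source, ingress):
            results.append((source, ingress, "drop (reverse path failed)"))
        else:
            results.append((source, ingress, "pass"))
    return results


if __name__ == "__main__":
    for row in filter_packets(ROUTES, PACKETS, {"inside", "outside"}):
        print(row)
```

With verification enabled on only one interface, spoofed packets arriving on the other still pass, which is why the recommendation applies per interface and the finding names the interface on which it is disabled.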
Cisco PIX Security Appliance devices can be configured with Access Control List (ACL) Access Control Entries (ACEs) in order to restrict network access to specific network hosts. Access can then be restricted to those hosts that are authorized to access specific network services. ZOHO Corp. determined that no ACL ACEs were configured on the device.
With no ACL ACEs configured, an attacker or malicious user would not be able to access network services through the device, as all network traffic would be blocked by the device.
With no ACL ACEs, a user or attacker would not be able to access any network services through the device.
The primary purpose of Cisco PIX Security Appliance devices is to restrict access to only authorized hosts and services. If the device is not required, ZOHO Corp. recommends that it should be decommissioned. Otherwise, ZOHO Corp. recommends that ACLs are configured to restrict network access to only those hosts and services that specifically require it.
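The following script is an added example, not part of the original report. It parses a small constructed PIX ACL in the common access-list name {permit|deny} protocol source destination [eq port] form, with any, host and address-mask operands, binds it to an interface with access-group, and evaluates packets with first-match semantics and the implicit deny that follows the last entry. Traffic on an interface with no ACL bound is treated as denied here, matching the report's description; on the platform itself that case is governed by interface security levels. Addresses, interface names and the ACL are invented.

```python
"""First-match evaluation of PIX extended ACLs with the implicit deny at the end.

Added example; not part of the original report. The ACL and addresses are constructed.
"""
import ipaddress

SAMPLE_CONFIG = """\
access-list outside_in permit tcp any host 192.168.118.42 eq 443
access-list outside_in permit tcp 203.0.113.0 255.255.255.0 host 192.168.118.42 eq 22
access-list outside_in deny ip any any
access-group outside_in in interface outside
"""


def _parse_operand(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(config_text):
    """Return ({acl_name: [(action, proto, src, dst, port)]}, {(interface, direction): acl_name})."""
    acls, bindings = {}, {}
    for line in config_text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and len(t) >= 6:
            name, action, proto = t[1], t[2], t[3]
            src, i = _parse_operand(t, 4)
            dst, i = _parse_operand(t, i)
            port = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif t[:1] == ["access-group"] and len(t) >= 5:
            # access-group <name> in interface <if_name>
            bindings[(t[4], t[2])] = t[1]
    return acls, bindings


def evaluate(acls, bindings, interface, proto, src, dst, dport=None):
    """Return (verdict, reason) for a packet entering 'interface'; first matching entry wins."""
    name = bindings.get((interface, "in"))
    if name is None:
        return "deny", "no ACL bound to interface"
    src_addr, dst_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (action, acl_proto, src_net, dst_net, port) in enumerate(acls[name]):
        proto_ok = acl_proto == "ip" or acl_proto == proto
        port_ok = port is None or port == dport
        if proto_ok and src_addr in src_net and dst_addr in dst_net and port_ok:
            return action, f"{name} entry {index + 1}"
    return "deny", f"{name} implicit deny"


if __name__ == "__main__":
    acls, bindings = parse_config(SAMPLE_CONFIG)
    print(evaluate(acls, bindings, "outside", "tcp", "198.51.100.9", "192.168.118.42", 443))
    print(evaluate(acls, bindings, "outside", "tcp", "198.51.100.9", "192.168.118.42", 22))
```

The explicit deny ip any any entry is redundant with the implicit deny but is commonly added so that denied packets are counted and logged against a visible entry; removing it changes the reason reported, not the verdict.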
A pre-logon banner message can be configured on Cisco PIX Security Appliance devices. Logon banners are useful for passing on information to users and, with a carefully worded legal warning, as a deterrent to a potential attacker.
ZOHO Corp. determined that no pre-logon banner was configured on the device.
A pre-logon banner message is important in warning any potential attacker against unauthorized access to the Cisco PIX Security Appliance. With a carefully worded pre-logon banner, which warns against unauthorized access, if any legal action is taken it would be easier to prove intent on behalf of the attacker.
Without a pre-login banner, an attacker would not be presented with a legal warning against unauthorized access prior to a logon attempt.
ZOHO Corp. recommends that a carefully worded legal banner should be configured that warns against unauthorized access to the device.
The Message Of The Day (MOTD) banner message is displayed before logon for connections to the device. The MOTD banner message can be configured with the following command:
banner motd message-text
On Cisco PIX Security Appliance devices it is possible to configure a banner message that is presented to users after they have authenticated. The post logon banner is useful for detailing the acceptable use policy and the change control procedures that should be followed prior to making any changes to the device's configuration.
ZOHO Corp. determined that no post logon banner message had been configured on the device.
An acceptable use message detailing any change control procedures could help to prevent ad-hoc changes being made to the Cisco PIX Security Appliance configuration.
No banner message is sent by the device after a user logon occurs.
ZOHO Corp. recommends that a post logon banner message is configured that details the acceptable use and change control procedure.
The Exec banner message is displayed once a successful logon has occurred, before the enable prompt. The Exec banner message can be configured with the following command:
banner exec message-text
ZOHO Corp. performed a security audit of the Cisco PIX Security Appliance on Tuesday 29th May 2012 and identified nine security-related issues. The most significant issue identified was rated as Critical.
One Critical rated security issue was identified. ZOHO Corp. determined that:
ZOHO Corp. identified three Medium rated security issues. ZOHO Corp. determined that:
ZOHO Corp. identified four Low rated security issues. ZOHO Corp. determined that:
One Info rated security issue was identified. ZOHO Corp. determined that:
This section is designed to assist in the mitigation of the security issues identified by collating the security issue recommendations into a single location. The recommendations are listed in Table 6 together with the issue ratings.
| Issue | Overall | Impact | Ease | Fix | Recommendation | Section |
|---|---|---|---|---|---|---|
| Users Were Configured With No Password | Critical | Critical | Easy | Quick | Configure strong authentication credential passwords for all user accounts | 2.2 |
| No HTTPS Management Host Access Restrictions | Medium | Medium | Trivial | Quick | Configure management host addresses for only those hosts that require HTTPS access. | 2.3 |
| No Logging Configured | Medium | Medium | N/A | Planned | Configure Syslog and internal buffer logging | 2.4 |
| No Time Synchronization Configured | Medium | Medium | N/A | Planned | Configure time synchronization | 2.5 |
| No Console Connection Timeout | Low | Critical | Challenge | Quick | Configure a console connection timeout of 10 minutes | 2.6 |
| Unicast RPF Verification Disabled | Low | Medium | Easy | Quick | Enable unicast RPF | 2.7 |
| No ACL Were Configured | Low | Low | Trivial | Planned | Configure ACL to restrict access or decommission | 2.8 |
| No Pre-Logon Banner Message | Low | Low | N/A | Quick | Configure a pre-logon banner message with a carefully worded legal warning | 2.9 |
| No Post Logon Banner Message | Info | Info | N/A | Quick | Configure a post logon banner message which details the acceptable use and change control policies | 2.10 |
This section describes the security best practices that are relevant to Cisco PIX Security Appliance devices. Security will often be contrary to both usability and performance. However, in many cases the reverse can also be true, with a great number of security best practices benefiting the device's performance. Security best practice can be summarized as follows:
Best practice means that even simple security protection settings should be configured. Security in depth is a term frequently used in the security industry, it means providing security in layers. Even security options that are trivial for a skilled attacker to circumvent may persuade them to look for an easier target if they come across security barriers at every stage.
Maintaining an up to date software version is an important part of any device's security and stability. New software vulnerabilities and bugs are continually being identified, and the PIX OS is no exception. Furthermore, industry standard protocols are regularly being revised and updated to take into account new technologies and potential weaknesses.
If an attacker is able to determine the PIX version used by a Cisco PIX Security Appliance device, they could look it up on one of the many vulnerability databases available on the Internet and download exploit code targeted for that software version. If an attacker is unable to determine the PIX version, they may run exploit code blindly in an attempt to gain access. It is therefore critical to ensure that all the latest patches and updates have been applied.
Software patches and updates will often include new features, usability improvements and performance tweaks in addition to vulnerability and bug fixes. Therefore, applying updates will often provide much more than vulnerability fixes. However, prior to updates being applied it is worth paying particular attention to the system requirements as hardware updates may also be required.
ZOHO Corp. recommends that a software patching policy should be devised that includes the following key components:
Cisco PIX Security Appliance devices can be configured with a wide variety of services. Those services would typically provide a range of connectivity, administrative or monitoring facilities, and some are enabled by default.
Attackers will typically use services to enumerate information and fingerprint devices prior to performing an attack. The information gathered from the services may then be used to determine the software version, enabling an attacker to identify any potential vulnerabilities. Essentially, the greater the number of services running on a device, the greater the number of attack vectors, potential vulnerabilities exposed and information leaked.
In addition to the security risk of running services on a device, each running service will consume system resources and will have an impact on the device's performance.
ZOHO Corp. recommends that all the running services should be reviewed and that those services which are not required should be disabled.
A malicious user, or an attacker who has physical access to a network patch point, may attempt to attach their own device to the network in order to attack the other network devices or to capture sensitive information. A more dedicated attacker would typically prefer to use their own network device that is already loaded with their hacking tools of choice. Furthermore, a malicious user may be prevented from installing hacking tools on their network host by a security lock down policy or malicious tool detection software.
A list of the active interfaces on the device follows.
| Interface | Name | Address | Standby | ACL |
|---|---|---|---|---|
| ethernet0 | ethernet1 | inside / 192.168.118.42 | - | - |
ZOHO Corp. recommends that the configuration of all the interfaces should be reviewed and, where possible, the following should be configured:
Network filtering can be configured on Cisco PIX Security Appliance devices to restrict access to network services and hosts. Network filtering should be configured to prevent unauthorized access. Therefore, filtering should be configured to permit access from only those hosts that require access and all other access should be denied.
Filtering should be configured to restrict both inbound and outbound traffic. An attacker who is exploiting a vulnerability in a network service may attempt to:
ZOHO Corp. recommends that ACLs are configured to ensure that:
An attacker may attempt to gain access to a device using the default authentication credentials, a dictionary-based password guessing attack or by brute-forcing the credentials. An attacker may have to resort to attacks against the authentication credentials if all other avenues of attack have been secured. Therefore it is essential that strong authentication credentials should be configured.
Furthermore, if a device is compromised or authentication traffic captured, an attacker could use the authentication credentials in an attempt to gain access to other network devices. Therefore it is important that, where practical, authentication credentials should not be shared between different network devices.
Deterrents can play an important part in the security of a system, therefore banner messages can play a key role in warning a potential attacker against unauthorized access to the device. Additionally, if a warning is given prior to access, it would be easier to legally prove intent on behalf of the attacker if required in a court of law.
ZOHO Corp. recommends that strong authentication passwords should be immediately configured for all authentication. A strong authentication password does not have to be hard to remember to be complex. For example, the first letter from each word of a song, an address or a quote can appear complex, but easy to remember. A password can be made more complex by inserting or replacing characters with numbers, punctuation marks and altering the character case. ZOHO Corp. recommends that passwords:
ZOHO Corp. recommends that a logon banner should be configured with a statement that strongly warns against unauthorized access. Additionally, the logon banner should not provide an attacker with information that they may be able to use either against the device or as part of a social engineering attack.
System message logs can provide a wealth of information for an administrator when troubleshooting a problem. The message logs can also record an attackers activities, both with access granted and denied. The system logs would then be of particular interest during a forensic investigation following an incident. The system logs could also be used by log analysis software which could alert an administrator about potential issues before they become more significant.
A Syslog server makes monitoring and managing message logs easier, especially where a number of different devices are sending messages to the same server. As an added benefit, storage of system message logs on a remote Syslog server provides an extra level of protection against an attacker attempting to cover their tracks by altering logs. An attacker who was trying to modify the logs would have to access both the device sending the log messages (for its internal logs) and the remote Syslog server.
It is easier to correlate the events logged by different systems together if the time is accurately synchronized between the various systems. Time synchronization can also be critically important for authentication and authorization services that may depend upon the system clock.
ZOHO Corp. recommends that events should be sent to specific logging hosts and logged locally. These recommendations will provide:
ZOHO Corp. recommends that the system time is synchronized against a network time source to ensure that the system messages are logged with accurate event times.
Any network traffic travelling between hosts could potentially be monitored and captured by an attacker or malicious user. If the traffic is not encrypted, extracting the information it carries is trivial. With weak encryption, or encryption protocols that contain vulnerabilities, an attacker may still be able to extract the information, but defeating even weak encryption is a time consuming process, far longer than would be required if no encryption existed at all.
For remote device administration, it is especially important that it should be carried out over an encrypted connection. If an attacker was able to monitor the remote administrative connection, they could capture the authentication credentials and use them to gain access to the device.
ZOHO Corp. recommends that all clear-text protocol services should be replaced with cryptographically secure alternatives. Furthermore, where stronger encryption is available, it should be used in preference to the weaker encryption.
This section details the configuration settings of the Cisco PIX Security Appliance device.
| Description | Setting |
|---|---|
| PIX Version | 6.3(4) |
| Flood Guard | Enabled |
Table 9 outlines the network services supported by Cisco PIX Security Appliance devices and their status on . The service settings are described in greater detail in the following sections.
| Service | Status |
|---|---|
| Telnet Service | Disabled |
| SSH Service | Disabled |
| HTTPS Service | Disabled |
| SNMP Service | Disabled |
This section describes the services that are supported by Cisco PIX Security Appliance devices for administration. Each subsection covers a particular service and its configuration settings.
This section describes some general Cisco PIX Security Appliance device settings.
| Description | Setting |
|---|---|
| Console Port | Enabled |
| Console Connection Timeout | No Timeout |
The Telnet service enables remote administrative access to a Command Line Interface (CLI) on . The Telnet protocol implemented by the service is simple and provides no encryption of the network communications between the client and the server. This section details the Telnet service settings.
| Description | Setting |
|---|---|
| Telnet Service | Disabled |
| Service TCP Port | 23 |
| Connection Timeout | 5 minutes |
The SSH service enables a remote administrator to access a CLI on . The Secure Shell (SSH) protocol provides complete encryption of the network packets between the connecting client and the server. There are two main versions of the SSH protocol.
Cisco PIX Security Appliance devices support SSH protocol version 1 from around PIX version 6. Support for SSH protocol version 2 was added with PIX version 7.0.
This section details the SSH service settings.
| Description | Setting |
|---|---|
| SSH Service | Disabled |
| Service TCP Port | 22 |
| SSH Protocol Version(s) | 1 and 2 |
| Connection Timeout | 5 minutes |
Cisco PIX Security Appliance devices can provide web-based administrative access. The HTTPS service provides full encryption of communications between the client and server. This section details the web service settings:
| Description | Setting |
|---|---|
| HTTPS Service | Disabled |
| HTTPS Service TCP Port | 443 |
Table 14 lists the configured HTTPS service encryption ciphers.
| Encryption | Authentication | Key Length | SSL v2 | SSL v3 | TLS v1 |
|---|---|---|---|---|---|
| 3DES | SHA1 | 168 bits | Yes | Yes | Yes |
| 3DES | SHA1 | 56 bits | Yes | Yes | Yes |
| RC4 | MD5 | 40 bits | Yes | Yes | Yes |
| RC4 | MD5 | 56 bits | Yes | Yes | Yes |
| RC4 | MD5 | 64 bits | Yes | Yes | Yes |
| RC4 | MD5 | 128 bits | Yes | Yes | Yes |
| AES | SHA1 | 128 bits | Yes | Yes | Yes |
| AES | SHA1 | 192 bits | Yes | Yes | Yes |
| AES | SHA1 | 256 bits | Yes | Yes | Yes |
It is worth noting that the ciphers were determined using the defaults that Cisco PIX Security Appliance devices are typically configured with. However, these can differ between different models.
This section describes the various Cisco PIX Security Appliance device authentication settings.
This section details the users configured on .
| User | Password | Encryption | Privilege Level |
|---|---|---|---|
| password | - | None | - |
| enable | - | None | 15 |
SNMP is used to assist network administrators in monitoring and managing a wide variety of network devices. There are three main versions of SNMP in use. Versions 1 and 2 of SNMP are both secured with a community string and authenticate and transmit network packets without any form of encryption. SNMP version 3 provides several levels of authentication and encryption. The most basic level provides a similar protection to that of the earlier protocol versions. However, SNMP version 3 can be configured to provide encrypted authentication (auth) and secured further with support for encrypted data communications (priv).
Cisco PIX Security Appliance devices do not support version 3 of SNMP. This section describes the SNMP configuration settings.
| Description | Setting |
|---|---|
| SNMP Service | Disabled |
| SNMP Service UDP Port | 161 |
Cisco PIX Security Appliance devices are capable of recording system events and messages. Those logs can then be recalled at a later time, assisting administrators in the diagnosis of system faults or tracking possible unauthorized access attempts. This section details the device's logging configuration.
This section details the configuration settings that affect the logging facilities.
| Description | Setting |
|---|---|
| Device Logging Services | Disabled |
Cisco PIX Security Appliance devices can log messages to an internal buffer. By its nature, the buffer is size limited and therefore newer messages will overwrite older ones once the buffer's size has been reached. This section details the internal buffer logging configuration settings.
| Description | Setting |
|---|---|
| Buffer Logging | Disabled |
| Logging Severity Level | Emergencies (0) |
| Buffer Size | 4096 |
Syslog messages can be sent by Cisco PIX Security Appliance devices to a Syslog server. Syslog servers provide the following advantages:
This section details the Syslog configuration settings.
| Description | Setting |
|---|---|
| Syslog Logging | Disabled |
| Severity Level | Emergencies (0) |
Cisco PIX Security Appliance devices are capable of sending system logging to the console. This section details those configuration settings.
| Description | Setting |
|---|---|
| Console Logging | Disabled |
| Logging Severity Level | Emergencies (0) |
Cisco PIX Security Appliance devices are capable of sending system logging to the terminals. This section details those configuration settings.
| Description | Setting |
|---|---|
| Terminal Line Logging | Disabled |
| Logging Severity Level | Emergencies (0) |
Cisco PIX Security Appliance devices can be configured to obtain time updates from a network service. It is important that all network devices maintain a synchronized time to ensure that all logs and time-based controls are accurate. This section details the time and date configuration settings.
| Description | Setting |
|---|---|
| Time Zone | UTC |
Cisco PIX Security Appliance devices can be configured to synchronize their time from an NTP service. This section details the NTP client configuration settings.
| Description | Setting |
|---|---|
| NTP Client | Disabled |
| NTP Authentication | Disabled |
Cisco PIX Security Appliance devices support Intrusion Detection System (IDS)/Intrusion Protection System (IPS) functionality. This section details those configuration settings.
| Description | Setting |
|---|---|
| Unicast RPF Verification | Disabled |
This section details the Cisco PIX Security Appliance device's network interface configuration settings.
This section describes the configuration of the Cisco PIX Security Appliance device's physical network interfaces.
| Interface | Active | Name | Security | Address | Standby | ACL |
|---|---|---|---|---|---|---|
| ethernet0 | Yes | ethernet1 | 0 | inside / 192.168.118.42 | - | - |