[Info-vax] OT: Cisco routers and intrusion detection
Mark Berryman
mark at theberrymans.com
Mon Nov 29 13:54:06 EST 2010
My apologies for replying to a month-old topic but I do not frequent
this forum anymore and I came across the following while doing an
unrelated search. I am hoping to correct some of the misinformation given.
On 10/25/10 6:03 PM, VAXman- @SendSpamHere.ORG wrote:
> In article <4cc61298$0$9497$c3e8da3$f017e9df at news.astraweb.com>, JF Mezei <jfmezei.spamnot at vaxination.ca> writes:
>> VAXman- @SendSpamHere.ORG wrote:
>>
>>> Would a modified ACL take effect upon TFTPing the config file commands
>>> to running-config?
>>
>> When you copy a file to running-config, it is overlaid. It doesn't
>> necessarily replace it.
It does exactly what would happen if you simply typed in the commands.
Adding data by copying a config file is always a merge. If a conflict
exists, an error is generated for that line and the merge continues.
>> But it is different than entering commands. For instance if you wish to
>> update an access list, you can't replace a line, you have to delete it
>> first and then enter the replacement.
>>
>> router1(config-ext-nacl)#5 deny ip host 67.83.127.219 any
>> % Duplicate sequence number
>>
>> ( you have to enter "no 5" first to delete the line).
It is not different than entering commands. If you are entering
commands and line 5 exists, you also have to delete it first with the
"no 5" before you can replace it. Same when using a config file.
>>
>> It is not clear if a line which exists on the old ACL but not in the one
>> you are loading would remain or be zapped.
It is completely clear. Existing lines are not removed unless you
explicitly remove them, either by explicitly deleting them - as is
required for an ACL, or by overwriting them.
>>> Does it affect or interrupt any IP traffic through
>>> the router?
>>
>> Yes, because you are redefining all interfaces when you reload the whole
>> config.
No, it does not. If you should make the extremely poor choice of
loading an entire config file in order to simply change an ACL, you will
not impact traffic through an interface if you are loading the same
config that is already on that interface. If, however, you made a major
change to that interface, such as changing its IP address, then there
would be a very brief hiccup.
>>> I brought this up some time ago here on comp.os.vms because I asked of
>>> a Cisco engineer if there was any way to add to an ACL via SNMP and he
>>> said, "No."
Then he was incorrect.
>> So I guess one would need to write some script to send telnet or serial
>> port data to the router to fake an interactive session.
And you would guess wrong, JF.
>
> Which is what I'd figured and that isn't acceptable.
Here is a simple example. A router has the following access list on it:
#sho access-list test
Extended IP access list test
10 permit ip host 10.1.1.1 any
20 permit ip host 10.2.2.2 any
30 permit ip host 10.3.3.3 any
40 deny ip any any
#
On my server, I have the following file:
$ type test.acl
ip access-list extended test
no 20
20 permit ip host 10.4.4.4 any
end
I then copy that file using tftp to the router:
#copy tftp runn
Address or name of remote host [10.7.0.1]?
Source filename [test.acl]?
Destination filename [running-config]?
Accessing tftp://10.7.0.1/test.acl...
Loading test.acl from 10.7.0.1 (via FastEthernet0/0): !
[OK - 72 bytes]
72 bytes copied in 0.028 secs (2571 bytes/sec)
US-MVB2#show access-list test
Extended IP access list test
10 permit ip host 10.1.1.1 any
20 permit ip host 10.4.4.4 any
30 permit ip host 10.3.3.3 any
#
As you can see, the line I wanted to replace has been replaced without
any kind of telnet, kermit, or send/expect script.
The only remaining question, I believe, is how to do this entirely from
the server end. That process is as follows:
1. Create the update to the ACL on the server. If, for example, you had
an ACL that permitted certain hosts to connect to you via SSH and all
you wanted to do was add a new one, the file would look something like
this (although you would probably use your server address instead of "any"):
ip access-list extended test
permit tcp host 10.5.5.5 any eq 22
end
With no line number on the entry, it is simply appended to the end.
Since all ACLs have an implicit "deny ip any any" at the end, you do not
need to explicitly put one there yourself and you can simply add new
permits as you need them. Here is the result on the router:
#sho access-list test
Extended IP access list test
10 permit ip host 10.1.1.1 any
20 permit ip host 10.2.2.2 any
30 permit ip host 10.3.3.3 any
40 permit tcp host 10.5.5.5 any eq 22
#
If you wanted to completely replace an ACL, or make sure that the ACL
name you were creating did not already exist, the file would look like this:
no ip access-list extended test
ip access-list extended test
permit ip host 10.1.1.1 any
permit ip host 10.2.2.2 any
permit ip host 10.3.3.3 any
end
How to edit an existing line has already been shown.
Once the file has been created, you send an SNMP command to the router
and tell it to load the file. You use the ccCopy tree to do this. Here
is a perl snippet of code doing this:
use strict;
use warnings;
use Net::SNMP qw(:asn1);   # exports the INTEGER32, IPADDRESS and OCTET_STRING type constants

# Column OIDs of ccCopyEntry (1.3.6.1.4.1.9.9.96.1.1.1.1) in CISCO-CONFIG-COPY-MIB
my %mibs = (
    ccCopyProtocol       => '1.3.6.1.4.1.9.9.96.1.1.1.1.2',
    ccCopySourceFileType => '1.3.6.1.4.1.9.9.96.1.1.1.1.3',
    ccCopyDestFileType   => '1.3.6.1.4.1.9.9.96.1.1.1.1.4',
    ccCopyServerAddress  => '1.3.6.1.4.1.9.9.96.1.1.1.1.5',
    ccCopyFileName       => '1.3.6.1.4.1.9.9.96.1.1.1.1.6',
    ccCopyState          => '1.3.6.1.4.1.9.9.96.1.1.1.1.10',
    ccCopyEntryRowStatus => '1.3.6.1.4.1.9.9.96.1.1.1.1.14',
);
my ($router, $community) = @ARGV;  # router name and its read-write community
my $row  = int(rand(1000)) + 1;    # any unused row index identifies this copy request
my $host = '10.7.0.1';             # TFTP server (the one used in the example above)
my $fn   = 'test.acl';             # file on the TFTP server
my ($session, $error) = Net::SNMP->session(-hostname => $router, -community => $community);
die "SNMP session error: $error\n" unless defined $session;
my @vars;
push( @vars, ($mibs{'ccCopyProtocol'}.".$row", INTEGER32, 1) );
    #1=TFTP, 2=FTP, 3=RCP, 4=scp, 5=sftp
push( @vars, ($mibs{'ccCopySourceFileType'}.".$row", INTEGER32, 1) );
    #1=Network, 2=iosFile, 3=startupConfig, 4=runningConfig,
    #5=Console  (source is the file on the TFTP server)
push( @vars, ($mibs{'ccCopyDestFileType'}.".$row", INTEGER32, 4) );
    #(same values as source file type; destination is running-config)
push( @vars, ($mibs{'ccCopyServerAddress'}.".$row", IPADDRESS, $host) );
    #IP4 address of TFTP server
push( @vars, ($mibs{'ccCopyFileName'}.".$row", OCTET_STRING, $fn) );
    #file name on TFTP server to copy to/from
push( @vars, ($mibs{'ccCopyEntryRowStatus'}.".$row", INTEGER32, 4) );
    #1=active, 2=notInService, 3=notReady, 4=createAndGo,
    #5=createAndWait, 6=destroy
#
# issue the SNMP request
#
my $result = $session->set_request(
    -varbindlist => \@vars
);
die "SNMP set failed: " . $session->error() . "\n" unless defined $result;
Then you simply poll the variable ccCopyState for completion and success
status.
TFTP, FTP, and RCP can be configured to work without putting usernames
and passwords in the script. SCP and SFTP require that a username and
password variable be set in the SNMP commands because the router
provides no mechanism for using PKI for these transfers. However, in my
case, the router and server are either on the same LAN (where there
isn't any way for anyone to see the traffic) or the connection between
the router and the server uses an encrypted tunnel so I again don't care
that the copy protocol is not encrypted.
Hopefully, this answers the questions.
Mark Berryman
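The merge behaviour described in the post (a file copied to running-config is processed line by line exactly as if typed; "no N" is the only way an ACL line disappears; a duplicate sequence number is rejected and the merge continues; an un-numbered entry is appended) can be modelled without a router. The simulator below is an added example, not part of Mark's post or of any Cisco tool; the +10 auto-increment for un-numbered entries and the wording of the invalid-input error are assumptions.

```python
import re

SEQ_STEP = 10  # IOS default increment for un-numbered entries (assumed)

def merge_config(acls, fragment):
    """Merge a config fragment into acls ({name: {seq: rule}}) line by line, as IOS
    merges a file copied to running-config; returns the error lines IOS prints."""
    errors = []
    current = None                               # ACL open in config-ext-nacl mode
    for raw in fragment.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "end":                        # leave configuration mode
            current = None
            continue
        m = re.fullmatch(r"(no )?ip access-list extended (\S+)", line)
        if m:
            name = m.group(2)
            if m.group(1):                       # 'no ip access-list' drops the whole list
                acls.pop(name, None)
                current = None
            else:                                # creates the list or re-opens an existing one
                acls.setdefault(name, {})
                current = name
            continue
        if current is None:
            errors.append(f"% Invalid input detected: {line}")   # assumed wording
            continue
        acl = acls[current]
        m = re.fullmatch(r"no (\d+)", line)
        if m:                                    # explicit delete is the only way a line goes away
            acl.pop(int(m.group(1)), None)
            continue
        m = re.fullmatch(r"(\d+) (.+)", line)
        if m:
            seq = int(m.group(1))
            if seq in acl:                       # IOS rejects the line and keeps merging
                errors.append("% Duplicate sequence number")
            else:
                acl[seq] = m.group(2)
            continue
        # un-numbered entry: appended after the highest existing sequence number
        acl[max(acl) + SEQ_STEP if acl else SEQ_STEP] = line
    return errors

def show_access_list(acls, name):
    """Rows as 'show access-list <name>' prints them, in sequence order."""
    return [f"{seq} {rule}" for seq, rule in sorted(acls[name].items())]
```

Feeding it the three fragments from the post (replace line 20, append a permit, drop and recreate the list) reproduces the "show access-list test" output shown above.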