
Cisco Router and Switch Forensics. Investigating and Analyzing Malicious Network Activity PDF

580 Pages·2009·26.86 MB·English

Disclaimer: All equipment photos are provided courtesy of Cisco Systems, Inc. and are intended for informational purposes only. Their use does not in any way constitute endorsement, partnering or any other type of involvement on the part of Cisco Systems, Inc.

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

Cisco Router and Switch Forensics: Investigating and Analyzing Malicious Network Activity
Copyright © 2009 by Elsevier, Inc. All rights reserved.
Printed in the United States of America.

Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN 13: 978-1-59749-418-2

Publisher: Laura Colantoni
Acquisitions Editor: Angelina Ward
Developmental Editor: Matthew Cater
Lead Author and Technical Editor: Dale Liu
Project Manager: Phil Bugeau
Page Layout and Art: SPI
Copy Editor: Audrey Doyle
Indexer: SPI
Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Corporate Sales; email [email protected].

Library of Congress Cataloging-in-Publication Data
Application Submitted

Lead Author and Technical Editor

Dale Liu (MCSE Security, CISSP, MCT, IAM/IEM, CCNA) has been working in the computer and networking field for over 20 years. Dale’s experience ranges from programming to networking to information security and project management. He currently teaches networking, routing and security classes, while working in the field performing security audits and infrastructure design for medium to large companies. Dale was the lead author and technical editor for Next Generation SSH2 Implementation: Securing Data in Motion (Syngress Publishing, ISBN: 978-1-59749-283-6), technical editor for The IT Regulatory and Standards Compliance Handbook: How to Survive an Information Systems Audit and Assessments (Syngress Publishing, ISBN: 978-1-59749-266-9), and contributing author to Securing Windows Server 2008: Prevent Attacks from Outside and Inside your Organization (Syngress Publishing, ISBN: 978-1-59749-280-5). He currently resides in Houston, TX with two cats.
He enjoys cooking and beer brewing with his girlfriend and live-in editor Amy.

Contributing Authors

James Burton (CISSP, CISA, CISM, GSNA) has worked in the Information Technology Security sector since 1995, and specializes in IT security, focusing on IT audit and compliance and secure system configurations. He is currently a Senior Systems Security Engineer with Intelligent Software Solutions, Inc., in Colorado Springs, CO. He has also held the positions of Senior Consultant at Secure Banking Services and BearingPoint, Senior INFOSEC Engineer at SRS Technologies, Systems Security Engineer at Northrop Grumman, and Adjunct Professor at Colorado Technical University. James was a contributing author to Cisco® Security Professional’s Guide to Secure Intrusion Detection Systems (Syngress Publishing, ISBN: 978-1-932266-69-6) and PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance (Syngress Publishing, ISBN: 978-1-59749-165-5). In his spare time he provides training and education in the IT security field in the areas of general information security theory and concepts, Information Assurance, and preparation for the Certified Information Systems Security Professional (CISSP) exam with IP3, Inc., and also works as an independent trainer. James is a member of many professional security organizations including the International Information Systems Security Certification Consortium ((ISC)2), Information Systems Audit and Control Association (ISACA) and Information System Security Association (ISSA).

Tony Fowlie (CISSP, MCITP, MCSE, MCT, MCSA) is a senior systems and security administrator for the Texas Association of School Boards. He currently drives strategic and technical initiatives investigating new technologies and products, in addition to ensuring the continued security of the organization’s digital assets. His specialties include network security audits and documenting, systems architecture design, Active Directory design, virtualization planning and implementation, and Microsoft System Center implementation and operation. Tony has experienced a range of information technology infrastructures, having previously managed IT for a nationally distributed software development company, provided consulting for compliance efforts, and managed a regional Internet Service Provider.

Paul A. Henry (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE, Security and Forensic Analyst – Licensed PI No. C 2800597) is one of the world’s foremost global information security and computer forensic experts, with more than 20 years’ experience managing security initiatives for Global 2000 enterprises and government organizations worldwide. Mr. Henry is currently the Lead Forensic Investigator and President of Forensics & Recovery LLC and is keeping a finger on the pulse of network security as the Security and Forensic Analyst at Lumension Security. Throughout his career Mr. Henry has played a key strategic role in launching new network security initiatives to meet our ever-changing threat landscape. Mr. Henry also advises and consults on some of the world’s most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia, the Reserve Bank of Australia, the Department of Defense’s Satellite Data Project, and both Government as well as Telecommunications projects throughout Southeast Asia. Mr. Henry is frequently cited by major and trade print publications as an expert in computer forensics as well as both technical security topics and general security trends, and serves as an expert commentator for network broadcast outlets such as FOX, NBC, CNN and CNBC. In addition, Mr. Henry regularly authors thought leadership articles on technical security issues, and his expertise and insight help shape the editorial direction of key security publications such as the Information Security Management Handbook, where he is a consistent contributor. Mr. Henry serves as a featured and keynote speaker at seminars and conferences worldwide, delivering presentations on diverse topics including anti-forensics, network access control, cyber crime, DDoS attack risk mitigation, firewall architectures, security architectures and managed security services.

Jan Kanclirz Jr. (CCIE #12136-Security, CCSP, CCNP, CCIP, CCNA, CCDA, INFOSEC Professional, Cisco WLAN Support/Design Specialist, Data Center Application Services Support/Design Specialist) is currently a Senior Network Information Security Architect at MSN Communications. Jan specializes in multivendor designs and post-sale implementations for several technologies such as VPNs, IPS/IDS, LAN/WAN, firewalls, content networking, wireless and VoIP. Beyond network designs and engineering, Jan’s background includes extensive experience with open source applications and Linux. Jan has contributed to several Syngress book titles on topics such as Wireless, VoIP, Security, Operating Systems and other technologies. When Jan isn’t working or writing books he enjoys working on his security portal www.makesecure.com and exploring the outdoors in Colorado.

Dave Kleiman (CAS, CCE, CIFI, CEECS, CISM, CISSP, ISSAP, ISSMP, MCSE, MVP) has worked in the Information Technology Security sector since 1990. Currently, he runs an independent Computer Forensic company, DaveKleiman.com, which specializes in litigation support, computer forensic examinations, incident response, and intrusion analysis. He developed a Windows Operating System lockdown tool, S-Lok. He is frequently a speaker at many national security conferences and is a regular contributor to security-related Web sites and Internet forums. Dave is a member of many professional security organizations, including the Miami Electronic Crimes Task Force (MECTF), International Association of Computer Investigative Specialists® (IACIS), International Information Systems Forensics Association (IISFA), the International Society of Forensic Computer Examiners® (ISFCE), Information Systems Audit and Control Association® (ISACA), and the High Tech Crime Consortium (HTCC). He is also on the Certification Committee for National Center for Forensic Science (NCFS) Digital Forensics Certification Board (DFCB), a program of the U.S. Department of Justice’s Office National Institute of Justice and the Sector Chief for Information Technology at the FBI’s InfraGard®. Dave was a contributing author for Microsoft Log Parser Toolkit (Syngress Publishing, ISBN: 978-1-932266-52-8), Security Log Management: Identifying Patterns in the Chaos (Syngress Publishing, ISBN: 978-1-59749-042-9) and How to Cheat at Windows System Administration: Using Command Line Scripts (Syngress Publishing, ISBN: 978-1-59749-105-1). Dave was Technical Editor for Perfect Passwords: Selection, Protection, Authentication (Syngress Publishing, ISBN: 978-1-59749-041-2), Winternals® Defragmentation, Recovery, and Administration Field Guide (Syngress Publishing, ISBN: 978-1-59749-079-5), Windows Forensic Analysis DVD Toolkit (Syngress Publishing, ISBN: 978-1-59749-156-3), CD and DVD Forensics (Syngress Publishing, ISBN: 978-1-59749-128-0), Perl Scripting for Windows Security: Live Response, Forensic Analysis, and Monitoring (Syngress Publishing, ISBN: 978-1-59749-173-0) and The Official CHFI™ Exam 312-49 Study Guide: for Computer Hacking Forensics Investigators (Syngress Publishing, ISBN: 978-1-59749-197-6). He was Technical Reviewer for Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures (Syngress Publishing, ISBN: 978-1-59749-129-7).

Thomas Millar (CCNA) has been in the information technology field since 1996, where he has worked in field IT service positions. During his work at several commercial and education organizations in the Northern California Bay Area, Thomas established himself as a Linux and anti-virus (malware) subject matter expert in the workplace. Some of the highlights of Thomas’s activities were the setting up of hardened Linux Kiosk systems for the students and parents of Santa Clara University (SCU) to securely access finance data and records, tracking down malware flagged by the campus web proxy filter, devising a system to distribute remediation patches in the wake of the MS Blaster worm in 2003, and applying open source software to locate unauthorized network devices that were placed on the campus network. As of May 2008, Thomas has worked as a computer forensics and incident response consultant in the Western U.S. Thomas is also a serving Army Reserve Warrant Officer in the U.S. Army Reserve. He has served in the U.S. Army for the past 19 years with postings in the U.S., Germany, and the Middle East. Since 2005 Thomas has worked with several Incident Response and Vulnerability Assessment teams for both the Army Reserve Information Operations Command and U.S. Army Regional Computer Emergency Response Teams (CONUS and SWA). Some of his assignments included joint task force operations with the National Security Agency, the Regional Computer Emergency Response Team-Continental United States, and the Joint Intelligence Center-Pacific.

Kevin O’Shea is currently employed as a Homeland Security and Intelligence Specialist in the Justiceworks program at the University of New Hampshire and is the owner of Link Consulting Group, LLC. Mr. O’Shea supports the implementation of tools, technology, and training to assist law enforcement in the investigation of crimes with a cyber component. Mr. O’Shea has developed computer-crime-related curriculum for Microsoft, the MA Attorney General’s Office and the New Hampshire Police Standards and Training Council.

James “Jim” Steele (CISSP, MCSE: Security, Security+) has a career rich with experience in the security, computer forensics, network development, and management fields. For over 15 years he has played integral roles regarding project management, systems administration, network administration, and enterprise security management in public safety and mission-critical systems. As a Senior Technical Consultant assigned to the NYPD E-911 Center, he designed and managed implementation of multiple systems for enterprise security; he also performed supporting operations on-site during September 11, 2001, and the blackout of 2003. Jim has also participated in foreign projects such as the development of the London Metropolitan Police C3i Project, for which he was a member of the Design and Proposal Team. Jim’s career as a Technical Consultant also includes time with the University of Pennsylvania and the FDNY. His time working in the diverse network security field and expert knowledge of operating systems and network products and technologies have prepared him for his current position as Manager of Digital Forensics with a large wireless carrier. His responsibilities include performing workstation, server, PDA, cell phone, and network forensics as well as acting as a liaison to multiple law enforcement agencies, including the United States Secret Service and the FBI. On a daily basis he investigates cases of fraud, employee integrity, and compromised systems. Jim is a member of HTCC, NYECTF, InfraGard and the HTCIA.

Scott Sweitzer (CCNA, CCAI, MCSE, MCSA, MCITP, MCTS, MCP+I, MCT, A+, Network+, Server+, INet+, HTI+, DHTI+) is a technical trainer with ComputerTraining.com. He currently works with career-changing students providing Microsoft training in Indianapolis, Indiana. His specialties include Cisco routers and LAN switches, Microsoft Windows NT4-2008, Virtualization, and Update services. He also works with home technology integration projects. In addition, Scott is the owner of consulting companies MicrosoftITPros.com and TrainingMicrosoft.net, where he works with the small and medium business market. Scott’s background also includes positions as Department Chair of Technology Programs at Indiana Business College and systems engineer at the Systems House. Scott and his wife Robin and two daughters Delaney and Emilee currently reside in a suburb of Indianapolis.

Craig Wright has authored numerous IT security-related articles and books as well as designed the architecture for the world’s first online casino (Lasseter’s Online) in the Northern Territory. He designed and managed the implementation of many of the systems that protect the Australian Stock Exchange as well as the security policies and procedural practices within Mahindra and Mahindra, India’s largest vehicle manufacturer. The Mahindra group employs over 50,000 people and has numerous business interests from car to tractor manufacture to IT outsourcing. Craig is one of the few people with a GSE certification and is the first in the Compliance stream. He has 27 GIAC certifications including the GSE-Malware and is working on his 8th GIAC Gold paper. He publishes papers on forensics on a regular basis.

Introduction
An Overview of Cisco Router and Switch Forensics

Solutions in this chapter:
■ Defining a Secure Network
■ Equipment Used for the Examples in This Book
■ Setting Up a Secure Network
■ The Incident
■ How to Respond

■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions

About This Book

Before we can delve into the world of conducting router and switch forensics on Cisco devices, we need to discuss what makes a network secure.
Thirty years ago we were using mainframe computers and “security” meant nothing more than the fact that a physical wall separated the people who worked with the data from the machines storing that data. As PCs and local area networks (LANs) have gained acceptance over the years, securing data and resources has become more difficult. Routers and switches are the devices that join PCs on a LAN and that join LANs over the Internet. Since Cisco is one of the market leaders in supplying these devices, its products have become the targets of miscreants who are attempting to break into companies’ secure networks.

By reading this book, you will learn how to recognize an incident (breach), how to gather evidence of the incident, how to get the appropriate local, state, or federal agencies involved, and how to present your case. In this introduction, we will discuss secure network design and Cisco’s role in router and switch forensics. We will also discuss the equipment we’ll be using for the examples in the book, as well as introduce the incident that we will investigate. In later chapters, we will discuss what it takes to set up routers and switches.

Defining a Secure Network

Network security is becoming increasingly important as more people send private data over the public Internet. As you define network infrastructure, you need to consider security, logging, and forensic data-gathering methodologies up front. In this section, we will discuss options for defining a secure network.

Network Architectures

Network architectures exist in many forms; however, the most common topology in use today is the star topology, of which there are two types: the flat topology LAN, shown in Figure 1, and the zoned trust topology, shown in Figure 2. The key difference between the two types of network architectures is the use of additional firewalls inside the LAN to secure sensitive resources from attacks initiated inside the LAN.
