Re: Router Investigations

From: forensics@applied-knowledge.net
Date: Wed Sep 04 2002 - 21:08:33 PDT


    Thad--
    
    I may be unsure of what exactly you are after but here are some ideas I
    have had different levels of success with over the years.
    
    1.  Revision control.  All router and switch configs should be maintained
    under revision control in some canonical location.  One particularly nice
    example is to keep every config file under RCS (it's more aptly suited to
    system/network admin work than something more "robust" like CVS, IMHO),
    have the admins only make changes to the files under revision control and
    use tftp (or whatever suits you) on the router/switch to grab the
    appropriate copy.  This is also nice as a way back into the device via the
    "service config" statement if you lock yourself out while screwing with
    ACLs :) 
    
    2.  Logging.  All Cisco routers and switches (to the best of my knowledge)
    can log remotely via syslog.  Take advantage of this.  Syslog may have
    its downsides (UDP transport for log data...sigh...so sad these days)
    but it is most certainly better than nothing if your organization
    (technology and policy) allow for it.  By maintaining a central log
    server(s) you are more easily able to correlate data in the event of an
    investigation or forensics efforts.
    
    3.  Out-of-band management.  Modems and console servers can be life-savers
    at times when doing network administration but they require the same
    amount of security awareness and handling as anything else.  Enough said.
    
    Chris
    
    On Wed, 4 Sep 2002, Thad Horak wrote:
    
    > I've been tasked to add to our existing incident
    > handling process a methodology to investigate our
    > Cisco routers and switches. I've found a few documents
    > when searching on google, but it seems that most
    > people just want to teach this through a course. Can
    > anyone suggest any documents that they have written or
    > found helpful? Many thanks.
    > 
    > Thad
    > 
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    
    
    
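A script that puts items 1 and 2 from Chris's reply to work during an investigation, as an added example (not code from this thread): it diffs the running config pulled from a device against the copy kept under revision control, ignoring comment lines and lines IOS rewrites on its own, and then walks central syslog output pairing %SYS-5-CONFIG_I config-change messages with earlier failed logins from the same source address on the same device. Every config, hostname, address and log line below is constructed; the syslog line layout assumes the device has `service timestamps log datetime` and `service sequence-numbers` turned on.

```python
"""Cisco investigation helpers (added example; all data below is constructed)."""
import re
from difflib import unified_diff

# Canonical rtr1 config as checked into RCS (constructed).
CANONICAL_CONFIG = """\
!
version 12.1
service timestamps log datetime localtime
service config
hostname rtr1
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 22
access-list 101 deny ip any any log
!
logging 10.1.1.50
logging trap informational
!
line vty 0 4
 access-class 10 in
 login
!
end
"""

# 'show running-config' pulled from the device during the investigation (constructed).
RUNNING_CONFIG = """\
!
! Last configuration change at 21:03:15 PDT Wed Sep 4 2002 by admin
version 12.1
service timestamps log datetime localtime
service config
hostname rtr1
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 22
access-list 101 permit tcp any any eq 23
access-list 101 deny ip any any log
!
logging trap informational
ntp clock-period 17179869
!
line vty 0 4
 login
!
end
"""

VOLATILE = ("ntp clock-period",)   # rewritten by IOS itself, not by an admin

def normalize(config):
    """Drop comments, blanks and volatile lines. Leading whitespace is kept
    because it carries the interface/line context of each command."""
    out = []
    for line in config.splitlines():
        line = line.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if line.lstrip().startswith(VOLATILE):
            continue
        out.append(line)
    return out

def config_drift(canonical, running):
    """Return (added, removed): lines only in the running config and lines
    only in the revision-controlled copy."""
    added, removed = [], []
    for line in unified_diff(normalize(canonical), normalize(running), lineterm="", n=0):
        if line.startswith(("---", "+++", "@@")):
            continue
        (added if line[0] == "+" else removed).append(line[1:])
    return added, removed

# Central syslog server lines (constructed). Layout: relay timestamp, host,
# sequence number, device timestamp, then %FACILITY-SEVERITY-MNEMONIC: text.
SAMPLE_LOG = [
    "Sep  4 20:58:02 rtr1 41: Sep  4 20:58:02 PDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed] at 20:58:02 PDT Wed Sep 4 2002",
    "Sep  4 20:58:40 rtr1 42: Sep  4 20:58:40 PDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.77] [localport: 23] at 20:58:40 PDT Wed Sep 4 2002",
    "Sep  4 21:03:15 rtr1 43: Sep  4 21:03:15 PDT: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.77)",
    "Sep  4 21:10:00 sw1 17: Sep  4 21:10:00 PDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up",
    "Sep  4 21:12:30 sw1 18: Sep  4 21:12:30 PDT: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:\d+: )?"            # counter from 'service sequence-numbers', if enabled
    r"(?:[^%]*?: )?"         # device-side timestamp from 'service timestamps log'
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$"
)
# Source address: "[Source: a.b.c.d]" in login messages, "(a.b.c.d)" in CONFIG_I.
SOURCE_RE = re.compile(r"\[Source: ([\d.]+)\]|\(([\d.]+)\)")

def parse_syslog(line):
    """Split one syslog line into its fields, or return None if it is not an IOS message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    s = SOURCE_RE.search(ev["msg"])
    ev["src"] = (s.group(1) or s.group(2)) if s else None
    return ev

def suspicious_config_changes(lines):
    """Return (host, src, ts) for each config change whose source address had
    already failed a login on that same device: a correlation only a central
    log server can make, since a single device's buffer is easily overwritten."""
    failed = set()      # (host, src) pairs with at least one LOGIN_FAILED so far
    hits = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None or ev["src"] is None:
            continue
        key = (ev["host"], ev["src"])
        if ev["mnem"] == "LOGIN_FAILED":
            failed.add(key)
        elif ev["mnem"] == "CONFIG_I" and key in failed:
            hits.append((ev["host"], ev["src"], ev["ts"]))
    return hits

if __name__ == "__main__":
    added, removed = config_drift(CANONICAL_CONFIG, RUNNING_CONFIG)
    print("only in running config:", added)
    print("only in RCS copy:", removed)
    for host, src, ts in suspicious_config_changes(SAMPLE_LOG):
        print(f"{ts} {host}: config changed from {src}, which earlier failed a login")
```

On the constructed data the drift check reports a new telnet-permitting ACL entry and the removal of both the syslog destination and the vty access-class, and the log pass flags the rtr1 config change as coming from the address that failed a login five minutes before it. In practice the running config comes from `show running-config` over the out-of-band console (item 3) rather than from the possibly tampered in-band path, and the canonical copy comes from `co -p` against the RCS file.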



    This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 06:59:11 PDT