I'd like to take a moment to get out some 'interim' documentation about cisco
router/commserver/protocol translator products that may be of interest to
folks who allow in-bound TCP connections to high port numbers through their
fire-walls.
What I'm about to describe is default behavior. The documented mechanisms
for access controls on all cisco products may be used to change this default
behavior, but users who are unaware of all of the features of this product
line should take a moment to check their configurations.
In addition to being able to telnet into a box on TCP port 23, there are a
number of other TCP ports that cisco router/commserver/protocol-translator
products will accept connections on. Firewall designers should be aware of
these ports when configuring packet filters.
(a) This product line may accept TCP connections to the following ports
(or port ranges), depending upon the configuration.

        7              Echo
        9              Discard
       23              Telnet
       79              Finger
     1993              SNMP over TCP (must be explicitly configured)
     2001...2xxx       AUX port, TTY ports and VTY access
     3001...3xxx       rotary ports (must be explicitly configured)
     4001...4xxx       stream mirror of 2000 range
     5001...5xxx       stream mirror of 3000 range (must be configured)
     6001...6xxx       binary mirror of 2000 range
     7001...7xxx       binary mirror of 3000 range (must be configured)
     8001...8xxx       xremote (commservers only)
     9001...9xxx       reverse xremote (commservers only)
    10001...10xxx      reverse xremote rotary (commservers only, must be
                       configured)
A quick explanation of what all of this means is in order:
On cisco communications servers, one may directly connect to a given 'tty'
line by connecting into the box on port 2000 + line number. This allows
remote access to serial devices (modems, printers, ...) via the net. cisco
routers may be considered one-port terminal servers, and one can connect to
the auxiliary port as if it were 'tty 1'.
NOTE: Until recently, the vty range followed the tty range, so on a
typical router, connecting to port 2002 would connect you to line vty 1.
However, the standard vty access control lists DO permit you to restrict
access to the box through these ports with the identical mechanism used
for restricting telnet access via port 23.
In addition to directly connecting to a single port, a rotary mechanism exists
where one can connect to a rotary port which will provide access to the first
available port in a given rotary group. Rotaries must be explicitly
configured before we will accept connections on those ports and all devices
that are rotary clients are subject to access controls.
A typical router running all but the most recent software and no changes to
the configuration will accept TCP connections on:
7, 9, 23, 1993, 2001 (the aux port), 2002-2006 (the vtys),
4001, 4002-4006, 6001, and 6002-6006.
We will accept connections to 9001-9006, but will ignore data,
since Xremote support is only present in commserver products.
Operators may disable connections to these boxes by configuring access lists
on the appropriate tty, aux, and vty lines. As an example, the following
configuration fragment denies all in-bound telnet access to the aux port, and
allows telnets to the router (which covers both port 23 and the high numbered
ports) only from 192.32.6.7:

    ! standard access list 52: the only host allowed to reach the vtys
    access-list 52 permit 192.32.6.7
    ! aux port: accept no in-bound connections at all (2001/4001/6001)
    line aux 0
     transport input none
    ! vtys: apply the access list to in-bound connections (port 23 and
    ! the high numbered vty ports)
    line vty 0 4
     access-class 52 in
We strongly encourage customers using fire-walls that allow in-bound TCP
connections to high numbered ports to apply appropriate in-bound access lists
to their cisco products.
(b) There was no way to disable connections to the echo and discard ports.
While not a security hole, we feel that some customers may wish to disable
these services altogether, so we added the command:
    '[no] service tcp-small-servers'
to enable/disable them. By default, they are enabled.
(c) When using the IP alias command, we would accept TCP connections
to any destination port of the aliased address and treat them as valid
connections to the aliased service.
By default, there are no aliases configured in the router, and this command
is primarily used only by protocol translators and some communications
servers. IP aliases are a manually configured feature which must be
explicitly enabled by the operator.
We have changed our product so that connections to 'aliased' services must
always be to the telnet port (port 23).
(d) In summary, here's what we've changed in current releases:

    CSCdi20050: router allows direct connect to vty at high-numbered ports
        Direct access to VTY devices through the 2000/4000/6000
        port ranges has been disabled. The workaround for
        customers currently relying on that feature is to set
        up one-to-one mapping of vty ports to rotary ports.
        TTY and AUX port access has *not* been changed.

    CSCdi20077: connections to the echo/discard ports may now be disabled
        We have added a knob '[no] service tcp-small-servers'
        to disable connections to the echo and discard ports if
        desired.

    CSCdi20075: boxes with "ip alias" allow connections to any destination port
        Connections to IP alias devices are now only accepted
        for destination port 23.
These changes are available in the following releases:
    9.1(11.5) and newer
    9.21(3.2) and newer
    All release versions of 10.0
A typical router running newer software and no changes to the configuration
will accept TCP connections on ports 7, 9, 23, 79, 1993, 2001, 4001, and 6001.

    7 and 9         may be disabled with 'no service tcp-small-servers'

and (as always):

    23              may be controlled with an ACL on the vtys or
                    transport input none
    79              may be disabled with 'no service finger'
    1993            may be controlled with SNMP access lists
    2001/4001/6001  may be controlled with an ACL on the aux port
                    or transport input none
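The two "typical router" port lists above (old software and software with the CSCdi20050 change) follow directly from the 2000/4000/6000 line-port scheme. The following is an added example, not cisco code: a small model of that scheme that a firewall designer can use to compute the ports a box with a given line layout should be listening on, and to flag anything else that shows up in a scan of it. It assumes the advisory's line numbering (serial lines including aux first, then the vtys); the scan result in it is constructed.

```python
# Added example (not cisco's code): model of which TCP ports a cisco
# router/commserver accepts, from the port ranges in this advisory.
# Line numbering follows the advisory: tty/aux lines first, then vtys.

def line_ports(line_no, kind):
    """Direct, stream-mirror and binary-mirror ports for one line."""
    return {2000 + line_no: f"{kind} {line_no} direct",
            4000 + line_no: f"{kind} {line_no} stream mirror",
            6000 + line_no: f"{kind} {line_no} binary mirror"}

def expected_ports(ttys=1, vtys=5, rotaries=(), fixed=False,
                   tcp_small_servers=True, finger=True):
    """Return {port: what it is / how to control it} for an unmodified config.
    ttys counts serial lines (a router's aux port is tty 1).
    fixed=True models releases with CSCdi20050 (no direct vty access)."""
    ports = {23: "telnet: vty access-class or transport input none",
             1993: "SNMP over TCP: SNMP access lists"}
    if tcp_small_servers:
        ports[7] = "echo: no service tcp-small-servers"
        ports[9] = "discard: no service tcp-small-servers"
    if finger:
        ports[79] = "finger: no service finger"
    for n in range(1, ttys + 1):              # tty/aux: ACL on the line
        ports.update(line_ports(n, "tty"))
    if not fixed:                             # old software: vtys as well
        for n in range(ttys + 1, ttys + vtys + 1):
            ports.update(line_ports(n, "vty"))
        for n in range(1, ttys + vtys + 1):   # accepted, data ignored
            ports[9000 + n] = "reverse xremote (router ignores data)"
    for r in rotaries:                        # only if explicitly configured
        ports[3000 + r] = f"rotary {r} direct"
        ports[5000 + r] = f"rotary {r} stream mirror"
        ports[7000 + r] = f"rotary {r} binary mirror"
    return ports

def unexpected_ports(scan_result, expected):
    """Open ports seen in a scan that the model does not account for."""
    return sorted(set(scan_result) - set(expected))

if __name__ == "__main__":
    old = expected_ports(fixed=False)
    # constructed scan result for a router still on old software
    scan = [7, 9, 23, 1993, 2001, 2002, 4001, 6003, 9001, 25]
    for port in sorted(old):
        print(f"{port:6d}  {old[port]}")
    print("unexpected:", unexpected_ports(scan, old))
```

Anything reported as unexpected is not explained by the line layout and deserves a look at the configuration (rotaries, ip alias, or something that is not the router at all).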
We'd like to stress that even with the older software, all of the standard
mechanisms for denying access to the box work, and the password and other
authentication systems are fully functional. However, customers interested
in upgrading should contact their normal support channels. Images are
also available by anonymous FTP through our CIO service (telnet to
"cio.cisco.com" for more information).