Cisco IOS , IPv6 and ip http [secure-server]

Started by Dieselboy, May 23, 2016, 09:30:00 PM


Dieselboy

Most of you will probably be aware of this and I thought it was worth making a post for anyone looking to go down this route. Because as you know, we all should be dual-stack by now anyway :)

If you enable / configure IPv6 be aware that the "ip http" command will only allow you to secure HTTP management access to your device with an IPv4 ACL.

If you have ANY IPv6 address configured on your device, and IP HTTP xxx configured then your device http management will be accessible.

The only way to overcome this, is with no ip http server. You cannot block access to the http management with an ACL on the management. Technically you could configure interface ACLs instead but you probably don't want to do this for many reasons.

Why is it like this? No idea.

Line VTY - you can have both IPv4 and IPv6 ACLs separately.

line vty 0 4
access-class VTY-ACCESS in
exec-timeout 15 0
ipv6 access-class IPv6-VTY-ACCESS in
transport input telnet ssh


I may log a feature request with Cisco. It's not like IPv6 just came out.
:awesome:
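
As an added example (not from the original post and not Cisco's own tooling), here is a small auditor that reads a saved running-config and reports the exact condition described above: HTTP or HTTPS management enabled, at most an IPv4 access-class applied, and at least one interface carrying an IPv6 address (or `ipv6 enable`, which assigns a link-local address). The sample config, its ACL number and interface names are constructed for the demonstration.

```python
"""Audit a Cisco IOS running-config for HTTP(S) management that is reachable
over IPv6 with no ACL, as described in the post above.

The configuration below is a constructed sample, not a real device.
"""
import re

SAMPLE_CONFIG = """\
hostname edge-rtr
!
access-list 10 permit 10.0.0.0 0.0.0.255
!
ipv6 access-list IPv6-VTY-ACCESS
 permit ipv6 2001:db8:10::/64 any
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:1::1/64
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
!
ip http server
ip http secure-server
ip http access-class 10
!
line vty 0 4
 access-class VTY-ACCESS in
 exec-timeout 15 0
 ipv6 access-class IPv6-VTY-ACCESS in
 transport input telnet ssh
"""


def interfaces_with_ipv6(config: str) -> list:
    """Return the names of interfaces that will answer on an IPv6 address.

    'ipv6 address' configures a global/unique-local address; 'ipv6 enable'
    alone still brings up a link-local address, so both count.
    """
    found = []
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith("!"):
            current = None  # section separator ends the interface block
        elif current is not None:
            stripped = line.strip()
            if stripped.startswith("ipv6 address") or stripped == "ipv6 enable":
                if current not in found:
                    found.append(current)
    return found


def http_management_state(config: str) -> dict:
    """Summarise the global 'ip http' settings.

    Exact matching means 'no ip http server' does not count as enabled.
    """
    state = {"http": False, "https": False, "ipv4_acl": None}
    for line in config.splitlines():
        if line == "ip http server":
            state["http"] = True
        elif line == "ip http secure-server":
            state["https"] = True
        else:
            m = re.match(r"ip http access-class (\S+)$", line)
            if m:
                state["ipv4_acl"] = m.group(1)
    return state


def audit(config: str) -> list:
    """Return a list of human-readable findings (empty when nothing is exposed)."""
    findings = []
    state = http_management_state(config)
    services = [s for s in ("http", "https") if state[s]]
    if not services:
        return findings  # nothing listening, nothing to filter
    if state["ipv4_acl"] is None:
        findings.append(
            "HTTP management enabled with no 'ip http access-class' (IPv4 unfiltered)"
        )
    v6_ifaces = interfaces_with_ipv6(config)
    if v6_ifaces:
        findings.append(
            f"HTTP management ({', '.join(services)}) reachable over IPv6 on "
            f"{', '.join(v6_ifaces)}; the ip http access-class only filters IPv4. "
            "Mitigate with 'no ip http server' / 'no ip http secure-server' "
            "or an interface-level IPv6 ACL."
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no HTTP management exposure found"]:
        print(finding)
```

Feed it `show running-config` output captured from a device; a device with `no ip http server` and `no ip http secure-server` produces no findings, which is the state the thread ends up recommending.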

deanwebb

I think that was actually a security advisory, a few weeks ago. The solution was to turn off HTTP and to leave it off, given that there were so many other exploits linked to HTTP.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Quote from: deanwebb on May 24, 2016, 06:51:06 AM
I think that was actually a security advisory, a few weeks years ago. The solution was to turn off HTTP and to leave it off, given that there were so many other exploits linked to HTTP.

fixed that for you
:professorcat:

My Moral Fibers have been cut.

deanwebb

Well played, Ristau. Well played.

To be sure, there was a repeat of that advisory a few weeks ago. I believe we have footage of an engineer that had it all turned on:

:frustration:

And one that had it all turned off:

:greatoffer:

Dieselboy

Turning off HTTP is not conducive. Sometimes HTTP is required. A fix is not to turn off HTTP, because then HTTP is not available to anyone.

A security advisory a few years ago means it was fixed a few years ago, right?  :zomgwtfbbq:

A fix would be to allow an IPv6 ACL to be assigned to ipv6 http access-class. Alternatively a "no ipv6 http server" could be a workaround.

wintermute000

What conceivable reason would you want HTTP active on a Cisco router or switch? There's no REST-API exposed, the web UI is beyond abysmal to the point of being useless, I can't think of any other use for it?

Dieselboy

Hey, the post wasn't about why you would need to use HTTP on an IOS device.

On a switch sometimes it's handy to have if you're looking for an issue - you can get a quick look at a lot of port counters and it's very easy to see if one interface stands out.

Configuration Pro is the reason I might use it on a router. I agree it's not great (sometimes it's pretty crap because it relies on Effing Java) but having that flexibility gives you access to some useful tools. It has come in handy for
- checking configs
- checking interfaces / errors
- webvpn config / some other RA VPN configs
- VOIP stuff
- ZBFW configs

Another benefit with the config pro being used is that in those rare instances where you know what you need to do but don't know the specific command, eg within webvpn, you can load up config pro and tick the check box and click apply. This will then show you the command it is about to execute. You then copy the command and cancel it, then go and do it at the CLI. I used to do this ALL the time when studying for my CCNP.
ZBFW - you can do quite powerful stuff at the config pro gui that you cannot do at the cli. Like re-ordering access rules. To do this at the CLI you would need to manually delete (no class-map xxxx) and then paste it back in, in the correct order. The firewall part of config pro also gives you a nice graphical representation of the config whereas the CLI is just text which can be confusing because of the way the policy map / class map / ACL / etc tree structure is done. You might need to go up and down the config many times to reverse engineer the firewall rules.


Regardless of anyone's personal preference, the fact remains that you can HTTP to a router using both IPv4 and IPv6 but you're unable to set an IPv6 ACL on the management config of the HTTP server, which is an issue which should have been fixed already. It just seems dumb to me.

deanwebb

Welcome to Cisco "security", and I use that term loosely.

:tmyk:

I agree that GUI stuff is indispensable when doing security jobs. Cisco has GOT to get its act together, though, about patching the huge holes in its products as far as ancient vulnerabilities go.

icecream-guy

Quote from: deanwebb on May 25, 2016, 11:55:07 AM
Welcome to Cisco "security", and I use that term loosely.

I agree that GUI stuff is indispensable when doing security jobs. Cisco has GOT to get its act together, though, about patching the huge holes in its products as far as ancient vulnerabilities go.

that and their reliance on Java, they really got to let that one go and move on to HTML5
:professorcat:

Dieselboy

Quote from: deanwebb on May 25, 2016, 11:55:07 AM

I agree that GUI stuff is indispensable when doing security jobs. Cisco has GOT to get its act together, though, about patching the huge holes in its products as far as ancient vulnerabilities go.

Not only that but I have a TAC case open for almost a year. My issue is that I use SSL VPN on an IOS router which terminates VPN phones. CISCO have implemented a "feature" in the IOS SSL VPN component (from IOS 15.something) which now expects the VPN client to negotiate for DTLS (SSL VPN on UDP port 443). Obviously a VPN phone (Cisco VPN phone of course) NEEEDS DTLS for transport for the voice packets. Otherwise effectively you would be sending voice over TCP which is crap.
BUT Cisco have no phone firmware available which can do the DTLS negotiation. So if I need to upgrade my router for security reasons (I really do) I cannot because it breaks the phones.
As I said, 12 months and there are still no plans by Cisco to at least implement a phone firmware which can do the negotiation. So I'm a bit "up sh*t creek" in that aspect.

Don't even get me started on Java.

deanwebb
