Nipper


Cisco Router Security Report

of the

BLAHPIX2 Cisco Router


Contents

1. About This Report
    1.1. Organisation
    1.2. Conventions
2. Security Audit
    2.1. Introduction
    2.2. Dictionary-based Password / Key
    2.3. Weak Password / Key
    2.4. Directed Broadcasts
    2.5. Inbound TCP Connection Keep Alives
    2.6. IP Source Routing
    2.7. HyperText Transport Protocol Service
    2.8. Simple Network Management Protocol
    2.9. Access Control Lists
    2.10. Logging
    2.11. Cisco Discovery Protocol
    2.12. Classless Routing
    2.13. BOOTP
    2.14. TCP and UDP Small Servers
    2.15. Enable Secret
    2.16. Service Password Encryption
    2.17. Login Banner
    2.18. Domain Lookups
    2.19. Packet Assembler / Disassembler
    2.20. Conclusions
3. Device Configuration
    3.1. Introduction
    3.2. General
    3.3. Services
    3.4. Domain Name Settings
    3.5. Time Zone Settings
    3.6. User Accounts and Privilages
    3.7. Simple Network Management Protocol
    3.8. Interfaces
    3.9. Access Control List
4. Appendix
    4.1. Abbreviations
    4.2. Common Ports
    4.3. Logging Severity Levels
    4.4. Time Zones
    4.5. Nipper Details


1. About This Report

1.1. Organisation

This Cisco Router BLAHPIX2 report was produced by Nipper on Friday 20th June 2008. The report contains the following sections:
 

1.2. Conventions

This report makes use of the text conventions outlined in Table 1.
 
Table 1: Report text conventions
Convention Description
command
This text style represents the Cisco Router command text that has to be entered literally.
string
This text style represents the Cisco Router command text that the you have to enter.
[ ]
Used to enclose a Cisco Router command option.
{ }
Used to enclose a Cisco Router command requirement.
|
Divides command option or requirement choices.
 

2. Security Audit

2.1. Introduction

Nipper performed a security audit of the Cisco Router BLAHPIX2 on Friday 20th June 2008. This section details the findings of the security audit together with the impact and recommendations.
 

2.2. Dictionary-based Password / Key

Observation: Attackers will often have dictionaries of words that contain names, places, default passwords and other common passwords. If a password or key is likely to be contained within an attacker's dictionary, they could gain access to the system.
 
The passwords and keys of the device BLAHPIX2 were tested against a small dictionary and one password / key was identified. The read-only Simple Network Management Protocol (SNMP) community string was public.
 
Impact: An attacker who was able to identify a password or key would be able to gain a level of access to the device, based on what service the password / key was used for.
 
Ease: Tools are available on the Internet that can perform dictionary-based password guessing against a number of network services.
 
Recommendation: Nipper strongly recommends that the password identified be immediately changed to something that is more difficult to guess. Nipper recommends that passwords be made up of at least eight characters in length and contain either uppercase or lowercase characters and numbers.
 

2.3. Weak Password / Key

Observation: Strong passwords tend to contain a number of different types of character, such as uppercase and lowercase letters, numbers and punctuation characters. Weaker passwords tend not to contain a mixture of character types. Additionally, weaker passwords tend to be short in length.
 
Nipper identified one password / key that did not meet the minimum password complexity requirements. The read-only SNMP community string was public.
 
Impact: If an attacker were able to gain a password or key, either through dictionary-based guessing techniques or by a brute-force method, the attacker could gain a level of access to BLAHPIX2.
 
Ease: A number of dictionary-based password guessing and password brute-force tools are available on the Internet.
 
Recommendation: Nipper strongly recommends that the weak password be immediately changed to one that is stronger. Nipper recommends that passwords be made up of at least eight characters in length and contain either uppercase or lowercase characters and numbers.
 

2.4. Directed Broadcasts

Observation: Internet Control Message Protocol (ICMP) echo requests can be addressed to an entire network or subnet as well as to individual hosts. Disabling directed broadcasts on each individual network interface will help prevent network ping requests. Directed broadcasts are usually enabled by default on Cisco devices running Internet Operating System (IOS) version 11.3 and earlier.
 
Nipper determined that the device BLAHPIX2 had support for directed broadcasts enabled on the network interface ethernet010baset.
 
Impact: A Denial of Service (DoS) attack exists that makes use of network echo requests, known as a smurf attack. An attacker would send an ICMP echo request with the victim hosts IP address spoofed as the source. The hosts on the network would then reply to the echo request, flooding the victim host.
 
Ease: Tools are available on the Internet that can perform the smurf attack outlined above.
 
Recommendation: Nipper recommends that directed broadcasts be disabled on all network interfaces. Directed broadcasts can be disabled on each individual network interface using the following command:
 
no ip directed broadcast

 

2.5. Inbound TCP Connection Keep Alives

Observation: Connections to a Cisco Router device could become orphaned if a connection becomes disrupted. An attacker could attempt a DoS attack against a Cisco Router by exhausting the number of possible connections. Transmission Control Protocol (TCP) keep alive messages can be configured to confirm that a remote connection is valid and then terminate any orphaned connections.
 
Nipper determined that TCP keep alive messages are not sent for connections from remote hosts.
 
Impact: An attacker could attempt a DoS by exhausting the number of possible connections.
 
Ease: Tools are available on the Internet that can open large numbers of TCP connections without correctly terminating them.
 
Recommendation: Nipper recommends that TCP keep alive messages be sent to detect and drop orphaned connections from remote systems. TCP keep alive messages can be enabled for connections from remote systems using the following command:
 
service tcp-keepalives-in

 

2.6. IP Source Routing

Observation: IP source routing is a feature whereby a network packet can specify how it should be routed through the network. Cisco routers normally accept and process source routes specified by a packet, unless the feature has been disabled.
 
Nipper determined that IP source routing was not disabled.
 
Impact: IP source routing can allow an attacker to specify a route for a network packet to follow, possibly to bypass a Firewall device or an Intruder Detection System (IDS). An attacker could also use source routing to capture network traffic by routing it through a system controlled by the attacker.
 
Ease: An attacker would have to control either a routing device or an end point device in order to modify a packets route through the network. However, tools are available on the Internet that would allow an attacker to specify source routes. Tools are also available to modify network routing using vulnerabilities in some routing protocols.
 
Recommendation: Nipper recommends that, if not required, IP source routing be disabled. IP source routing can be disabled by issuing the following IOS command:
 
no ip source routing

 

2.7. HyperText Transport Protocol Service

Observation: Recent Cisco IOS-based devices support web-based administration using the HTTP protocol. Cisco web-based administration facilities can sometimes be basic but they do provide a simple method of administering remote devices. However, HTTP is a clear-text protocol and is vulnerable to various packet-capture techniques.
 
Even though the HTTP service had not been configured, it can be enabled by default on some Cisco devices.
 
Impact: An attacker who was able to monitor network traffic could capture authentication credentials.
 
Ease: Network packet and password sniffing tools are widely available on the Internet. Once authentication credentials have been captured it is trivial to use the credentials to log in using the captured credentials.
 
Recommendation: Nipper recommends that, if not required, the HTTP service be disabled. If a remote method of access to the device is required, consider using HTTPS or Secure Shell (SSH). The encrypted HTTPS and SSH services may require a firmware or hardware upgrade. The HTTP service can be disabled with the following IOS command:
 
no ip http server
 
If it is not possible to upgrade the device to use the encrypted HTTPS or SSH services, additional security can be configured. An access list can be configured to restrict access to the device. An access list can be specified with the following command:
 
ip http access-class {access list number}

 
The authentication method can be changed using the following command (where the authentication method is either local, enable, tacacs or aaa):
 
ip http authentication [authentication method]

 

2.8. Simple Network Management Protocol

Observation: SNMP is used to assist network administrators in monitoring and managing a wide variety of network devices. There are three main versions of SNMP in use. Versions 1 and 2 of SNMP are both secured with a community string and authenticate and transmit network packets without any form of encryption. SNMP version 3 provides several levels of authentication and encryption. The most basic level provides a similar protection to that of the earlier protocol versions. However, SNMP version 3 can be configured to provide encrypted authentication (auth) and secured further with support for encrypted data communications (priv).
 
Nipper determined that SNMP protocol version 1 was configured on BLAHPIX2.
 
Impact: Due to the unencrypted nature of SNMP protocol versions 1 and 2c, an attacker who was able to monitor network traffic could capture device configuration settings, including authentication details.
 
Ease: Network packet monitoring and capture tools are widely available on the Internet and SNMP tools are included as standard with some operating systems.
 
Recommendation: Nipper recommends that, if possible, SNMP version 1 be disabled. Furthermore, Nipper recommends that, if SNMP is required, protocol version 3 be configured with Auth and Priv authentication. SNMP protocol version 1 can be disabled with the following command for each community string:
 
no snmp-server community {Community String} {[RO] | [RW]}
 
SNMP version 3 Auth and Priv access can be configured with the following commands:
 
snmp-server group {Group Name} v3 priv
 
snmp-server user {Username} {Group Name} v3 auth md5 {Auth Keyword} priv {[3des] | [aes 128] | [aes 192]} {Priv Keyword}

 

2.9. Access Control Lists

Observation: Access Control List (ACL) are sequential lists of allow and deny Access Control Entries (ACE) that specify whether network traffic should be allowed or dropped. ACLs are used to restrict access to services and network devices, preventing access to services and devices that should not be accessible.
 
Nipper identified 22 security-related issues with the configured ACL, these are listed in Table 2.
 
Table 2: Insecure Access Control Entries
ACL Line Description
1001Allows access from 130.25.65.63 to any destination.
1002Allows access from 130.25.65.70 to any destination.
1003Allows access from 130.25.65.63 to any destination.
Allows access from 130.25.65.63 to any destination service.
1004Allows access from 130.25.65.70 to any destination.
Allows access from 130.25.65.70 to any destination service.
100N/AACL does not end with a deny all and log.
1011Does not log denied access.
1012Does not log denied access.
1013Does not log denied access.
1014Does not log denied access.
1015Does not log denied access.
1016Does not log denied access.
1017Does not log denied access.
1018Does not log denied access.
1019Does not log denied access.
10110Does not log denied access.
10111Does not log denied access.
10112Allows access from any source to any address.
Allows access from any address to any destination.
Allows access from any address to any destination service.
101N/AACL does not end with a deny all and log.
 
Impact: If ACEs are not sufficiently restrictive, an attacker may be able to access services or network devices that should not be accessible. Furthermore, an attacker who had compromised a device could install a backdoor which could listen on a network port that was not filtered.
 
Ease: N/A
 
Recommendation: Nipper recommends that the ACLs be reviewed and, where possible, modified to ensure that: However, in certain circumstances, such as a public web server, a more relaxed configuration may be required to allow any host to access specific hosts and services.
 

2.10. Logging

Observation: Logging is an essential component of a secure network configuration. Logging not only assists network administrators to identify issues when troubleshooting, but enables network administrators to react to intrusion attempts or Denial-of-Service attacks. It is therefore critical that logs be monitored, allowing administrators to take immediate action when an attack has been identified. Furthermore, system logs are a key component of a forensic investigation into past intrusions or service disruptions.
 
Nipper determined that logging had not been configured on BLAHPIX2.
 
Impact: An attacker could attempt to map and bypass any configured ACL or to gain access to the Cisco Router without network administrators being alerted to the attempts. Furthermore, after an unauthorised intrusion into the network had been detected, it would be more difficult for an investigation to identify the source of the attack or the entry point without access to logs.
 
Ease: N/A
 
Recommendation: Nipper recommends that Syslog and Buffered logging be configured on BLAHPIX2. Logging can be enabled with the following command:
 
logging on

 
To configure Syslog logging, four things need to be set; a source interface for the Syslog messages to be sent from, one or more Syslog hosts to send messages to, the Syslog logging message severity level and the Syslog facility. The following commands can be used to configure Syslog logging:
 
logging source-interface {Interface}
 
logging host {Syslog IP address or hostname}
 
logging trap {Logging message severity level}
 
logging facility {Syslog facility}

 
It is worth noting that older IOS versions do not exclude the host parameter when specifying a host to send Syslog messages to. For older IOS versions you would use the following command:
 
logging {Syslog IP address or hostname}

 
Buffered logging can be configured with the following command:
 
logging buffered {Buffer Size} {Logging message severity level}

 

2.11. Cisco Discovery Protocol

Observation: Cisco Discovery Protocol (CDP) is a proprietary protocol that is primarily used by Cisco, but has been used by others. CDP allows some network management applications and CDP aware devices to identify each other on a Local Area Network (LAN) segment. Cisco devices, including switches, bridges and routers are configured to broadcast CDP packets by default. The devices can be configured to disable the CDP service or disable CDP on individual network interfaces.
 
Nipper determined that even though CDP had been disabled on all active interfaces, the CDP service had not been disabled.
 
Impact: CDP packets contain information about the sender, such as hardware model information, operating system version and IP address details. This information would allow an attacker to gain information about the configuration of the network infrastructure.
 
Ease: CDP packets are broadcast to an entire network segment. An attacker could use one of the many publicly available tools to capture network traffic and view the leaked information.
 
Recommendation: Nipper recommends that, if not required, the CDP service be disabled on the Cisco device BLAHPIX2. If CDP is required, Nipper recommends that CDP be disabled on all interfaces except those that are explicitly required.
 
The CDP service can be disabled by issuing the following Cisco IOS command:
 
no cdp run
 
CDP can be disabled on individual interfaces using the following command:
 
no cdp enable
 
In some configurations with IP phones, deployed using either Auto Discovery or Dynamic Host Configuration Protocol (DHCP), the CDP service may need to be enabled. In this situation CDP should be disabled on all network interfaces for which it is not required.
 

2.12. Classless Routing

Observation: Classless routing is enabled by default on Cisco routers. If a router has classless routing enabled and it receives a network packet for which there is no configured route, the router will forward the packet to the best destination. With classless routing disabled, the router would discard any network traffic for which no route is defined.
 
Nipper determined that classless routing was enabled on BLAHPIX2.
 
Impact: Network traffic that should not be routed by the router may be routed when classless routing is enabled.
 
Ease: N/A
 
Recommendation: Nipper recommends that, if possible, classless routing be disabled. Classless routing can be disabled with the following command:
 
no ip classless

 

2.13. BOOTP

Observation: BOOTstrap Protocol (BOOTP) is a datagram protocol that allows compatible hosts to load their operating system over the network from a BOOTP server. Cisco routers are capable of acting as BOOTP servers for other Cisco devices and the service is enabled by default. However, BOOTP is rarely used and may represent a security risk.
 
Nipper determined that BOOTP was not disabled. However, it is worth noting that not all Cisco devices support BOOTP.
 
Impact: An attacker could use the BOOTP service to download a copy of the router's IOS software.
 
Ease: Tools are available on the Internet to access BOOTP servers.
 
Recommendation: Nipper recommends that, if not required, the BOOTP service be disabled. The following command can be used to disable BOOTP:
 
no ip bootp server

 

2.14. TCP and UDP Small Servers

Observation: Cisco devices provide a set of simple servers which are collectively known as TCP small servers and User Datagram Protocol (UDP) small servers. The services provide little functionality and include chargen, echo and daytime. Cisco IOS version 11.2 and older enable these services by default; newer IOS versions explicitly require them to be started.
 
Nipper determined that the version of IOS, on the Cisco device BLAHPIX2, enables these servers by default and they have not been explicitly disabled.
 
Impact: Each running service increases the chances of an attacker being able to identify the device and successfully compromise it. It is good security practice to disable all unused services.
 
Ease: Tools are widely available to query these services and some operating systems install these tools by default.
 
Recommendation: Nipper recommends that, if not required, TCP and UDP small servers be explicitly disabled. TCP and UDP small services are rarely used and are disabled by default in newer versions of Cisco IOS.
 
TCP small servers can be disabled with the following IOS command:
 
no service tcp-small-servers

 
UDP small servers can be disabled with the following IOS command:
 
no service udp-small-servers

 

2.15. Enable Secret

Observation: Cisco IOS-based device enable passwords can be stored using an iterated MD5 hash, which is far stronger than the easily reversible Cisco type-7 encryption.
 
Nipper identified one enable password that was not stored using the MD5 hash.
 
Impact: An attacker could use an enable password from a Cisco device to access the device and possibly modify its configuration.
 
Ease: An attacker who had access to the Cisco configuration file would easily be able to retrieve passwords that are stored in clear-text or using the Cisco type-7 encryption. However, an attacker who had access to a Cisco configuration file could brute-force any stronger MD5 passwords.
 
Recommendation: Nipper recommends that all enable passwords be stored using the MD5 hash. Enable passwords can be stored using the MD5 hash with the following Cisco IOS command:
 
enable secret

 

2.16. Service Password Encryption

Observation: Cisco service passwords are stored by default in their clear-text form rather than being encrypted. However, it is possible to have these passwords stored using the reversible Cisco type-7 encryption.
 
Nipper determined that the Cisco device BLAHPIX2 was not running the password encryption service that helps provide a basic level of encryption to passwords that otherwise would be stored in clear-text.
 
Impact: If a malicious user were to see a Cisco configuration that contained clear-text passwords, they could use the passwords to access the device. However, an attacker who had access to a Cisco configuration file would easily be able to reverse the passwords.
 
Ease: Even though it is trivial to reverse Cisco type-7 passwords, they do provide a greater level of security than clear-text passwords. Tools are widely available on the Internet that reverse Cisco type-7 passwords.
 
Recommendation: Nipper recommends that the Cisco password encryption service be enabled. The Cisco password encryption service can be started with the following Cisco IOS command:
 
service password-encryption

 

2.17. Login Banner

Observation: A banner message can be shown to users who connect to one of the remote management services, such as Telnet. Typically banner messages will include information on the law with regard to unauthorised access to the device, warning users who do not have the authority to access the device about the consequences.
 
Nipper determined that no login banner was configured.
 
Impact: Attackers who have gained access to a device could avoid legal action if no banner is configured to warn against unauthorised access.
 
Ease: N/A
 
Recommendation: Nipper recommends that a banner be configured that warns against unauthorised access. Banners are configured on Cisco devices using a delimiter character. A delimiter character is specified in the banner command and is used again to mark the end of the banner. The Cisco command to add a login banner, that is presented to users prior to authentication, is:
 
banner login {delimiter} The banner text {delimiter}

 

2.18. Domain Lookups

Observation: Cisco IOS-based devices support name lookups using the Domain Name System (DNS). However, if a DNS server has not been configured, then the DNS request is broadcast.
 
Nipper determined that name lookups had not been disabled and no DNS servers had been configured.
 
Impact: An attacker who was able to capture network traffic could monitor DNS queries from the Cisco Router. Furthermore, Cisco devices can connect to Telnet servers by supplying only the hostname or IP address of the server. A mistyped Cisco command could be interpreted as an attempt to connect to a Telnet server and broadcast on the network.
 
Ease: It would be trivial for an attacker to capture network traffic broadcast from a Cisco Router. Furthermore, network traffic capture tools are widely available on the Internet.
 
Recommendation: Nipper recommends that domain lookups be disabled. Domain lookups can be disabled with the following command:
 
no ip domain-lookup
 
If domain lookups are required, Nipper recommends that DNS be configured. DNS can be configured with the following command:
 
ip name-server {IP address}

 

2.19. Packet Assembler / Disassembler

Observation: The Packet Assembler / Disassembler (PAD) service enables X.25 connections between network systems. The PAD service is enabled by default on most Cisco IOS devices but it is only required if support for X.25 links is necessary.
 
Nipper determined that the PAD service had not been disabled.
 
Impact: Running unused services increases the chances of an attacker finding a security hole or fingerprinting a device.
 
Ease: N/A
 
Recommendation: Nipper recommends that, if not required, the PAD service be disabled. Use the following command to disable the PAD service:
 
no service pad

 

2.20. Conclusions

Nipper performed a security audit of the Cisco Router device BLAHPIX2 on Friday 20th June 2008 and identified 18 security-related issues. Nipper determined that:
 

3. Device Configuration

3.1. Introduction

This section details the configuration settings of the Cisco Router device BLAHPIX2.
 

3.2. General

Table 3: General device settings
Description Setting
HostnameBLAHPIX2
Service Password EncryptionDisabled
IP Source RoutingEnabled
BOOTPEnabled
Service ConfigDisabled
TCP Keep Alives (In)Disabled
TCP Keep Alives (Out)Disabled
Cisco Express ForwardingDisabled
Classless RoutingEnabled
 

3.3. Services

Table 4: Device services
Service Status
TelnetDisabled
HTTPUnconfigured
FingerDisabled
TCP Small ServicesEnabled
UDP Small ServicesEnabled
SNMPEnabled
CDPEnabled
PADEnabled
 

3.4. Domain Name Settings

Table 5: Domain name settings
Description Setting
Domain LookupEnabled
 

3.5. Time Zone Settings

Table 6: Time zone settings
Description Setting
Time ZoneUTC
UTC OffsetNone
Summer Time ZoneDisabled
Authorative Time SourceNo
 

3.6. User Accounts and Privilages

Table 7: Enable Passwords
Level Password Encryption
15<unknown> Unknown
 

3.7. Simple Network Management Protocol

SNMP is used to assist network administrators in monitoring and managing a wide variety of network devices. There are three main versions of SNMP in use. Versions 1 and 2 of SNMP are both secured with a community string and authenticate and transmit network packets without any form of encryption. SNMP version 3 provides several levels of authentication and encryption. The most basic level provides a similar protection to that of the earlier protocol versions. However, SNMP version 3 can be configured to provide encrypted authentication (auth) and secured further with support for encrypted data communications (priv).
 
Table 8: General SNMP service configuration
Description Setting
Service enabledYes
Contactct
Locationon
Trap Timeout30 seconds
TFTP Server ListDisabled
 
Table 9: SNMP community strings
Community Access View Access-List Enabled
public Read-OnlyYes
 
Table 10: SNMP traps
SNMP Trap
 

3.8. Interfaces

Table 11: Interfaces
Interface Active IP Address Proxy ARP IP Unreachable IP Redirect IP Mask Reply IP Direct Broadcast NTP CDP uRPF MOP
ethernet010basetYesNoneN/AN/AN/AN/AN/AN/AN/AOffN/A
 

3.9. Access Control List

A Cisco ACL is a sequential list of apply or deny ACEs that a Cisco device will apply to network traffic. The Cisco device will check network traffic against the ACL and the first ACE match will determine whether the packet is accepted or rejected. If the Cisco device does not have an ACE that applies then the packet is denied. When a packet is rejected after access list processing, an ICMP host unreachable message is sent, unless it had been disabled.
 
There are two different types of ACLs on IOS-based Cisco devices, standard and extended. Standard ACLs have an access list number between 1 and 99, extended ACLs are numbered 100 or above. Standard ACLs only define the source address and process the packet solely based on that. Extended ACLs contain additional checks, such as destination address and network port numbers.
 
Table 12: Extended ACL 100
Line Filter Protocol Source Source Service Destination Destination Service Log Options
1Permittcp130.25.65.63AnyAnytelnetNo
2Permittcp130.25.65.70AnyAnytelnetNo
3Permiticmp130.25.65.63AnyAnyAnyNo
4Permiticmp130.25.65.70AnyAnyAnyNo
 
Table 13: Extended ACL 101
Line Filter Protocol Source Source Service Destination Destination Service Log Options
1DenyudpAnyAnyAny1434No
2DenyudpAnyAnyAnynetbios-nsNo
3DenyudpAnyAnyAnynetbios-dgmNo
4DenytcpAnyAnyAnynetbios-ssnNo
5DenyudpAnyAnyAny139No
6DenytcpAnyAnyAny445No
7DenytcpAnyAny / AnyNo
8DenyudpAnyAnyAnytftpNo
9DenytcpAnyAnyAny135No
10DenyudpAnyAnyAny135No
11DenyicmpAnyAnyAnyAnyNo
12PermitipAnyAnyAnyAnyNo
 

4. Appendix

4.1. Abbreviations

ACEAccess Control Entry
ACLAccess Control List
ARPAddress Resolution Protocol
BOOTPBOOTstrap Protocol
CDPCisco Discovery Protocol
CEFCisco Express Forwarding
DHCPDynamic Host Configuration Protocol
DNSDomain Name System
DoSDenial of Service
HTTPHyperText Transfer Protocol
HTTPSHyperText Transfer Protocol over SSL
ICMPInternet Control Message Protocol
IDSIntruder Detection System
IOSInternet Operating System
IPInternet Protocol
LANLocal Area Network
MD5Message Digest 5
MOPMaintenance Operations Protocol
NetBIOS-DGMNetBIOS Datagram Service
NetBIOS-NSNetBIOS Name Service
NetBIOS-SSNNetBIOS Session Service
NTPNetwork Time Protocol
PADPacket Assembler / Disassembler
SNMPSimple Network Management Protocol
SSHSecure Shell
SSLSecure Sockets Layer
TCPTransmission Control Protocol
TFTPTrivial File Transfer Protocol
UDPUser Datagram Protocol
UTCCoordinated Universal Time
 

4.2. Common Ports

Table 14: Common ports
Service Port
SSH22
Telnet23
DHCP67
TFTP69
HTTP80
NTP123
NetBIOS-NS137
NetBIOS-DGM138
NetBIOS-SSN139
SNMP161
HTTPS443
 

4.3. Logging Severity Levels

Table 15: Logging message severity levels
Level Level Name Description
0EmergenciesSystem is unstable
1AlertsImmediate action is required
2CriticalCritical conditions
3ErrorsError conditions
4WarningsWarning conditions
5NotificationsSignificant conditions
6InformationalInformational messages
7DebuggingDebugging messages
 

4.4. Time Zones

Table 16: Common time zone acronyms
Region Acronym Time Zone UTC Offset
AustraliaCSTCentral Standard Time+9.5 hours
AustraliaESTEastern Standard/Summer Time+10 hours
AustraliaWSTWestern Standard Time+8 hours
EuropeBSTBritish Summer Time+1 hour
EuropeCESTCentral Europe Summer Time+2 hours
EuropeCETCentral Europe Time+1 hour
EuropeEESTEastern Europe Summer Time+3 hours
EuropeESTEastern Europe Time+2 hours
EuropeGMTGreenwich Mean Time
EuropeISTIrish Summer Time+1 hour
EuropeMSKMoscow Time+3 hours
EuropeWESTWestern Europe Summer Time+1 hour
EuropeWETWestern Europe Time+1 hour
USA and CanadaADTAtlantic Daylight Time-3 hours
USA and CanadaAKDTAlaska Standard Daylight Saving Time-8 hours
USA and CanadaAKSTAlaska Standard Time-9 hours
USA and CanadaASTAtlantic Standard Time-4 hours
USA and CanadaCDTCentral Daylight Saving Time-5 hours
USA and CanadaCSTCentral Standard Time-6 hours
USA and CanadaEDTEastern Daylight Time-4 hours
USA and CanadaESTEastern Standard Time-5 hours
USA and CanadaHSTHawaiian Standard Time-10 hours
USA and CanadaMDTMountain Daylight Time-6 hours
USA and CanadaMSTMountain Standard Time-7 hours
USA and CanadaPDTPacific Daylight Time-7 hours
USA and CanadaPSTPacific Standard Time-3 hours
 

4.5. Nipper Details

This report was generated using Nipper version 0.11.8. Nipper is an Open Source tool designed to assist security professionals and network system administrators securely configure network infrastructure devices. The latest version of Nipper can be found at the following URL:
 
http://nipper.titania.co.uk.