Chapter 2. IOS Version Security

The first item to discuss when talking about router security is the router’s operating system (OS). The OS on Cisco routers is called Internetworking Operating System, or IOS. Most routers will be running an IOS version between 11.x and 12.x. By the time this book is published, Cisco may have released 13.x. Every OS has vulnerabilities, and IOS is no exception. These vulnerabilities generally allow an attacker to disable a router (a denial of service attack), collect information from a router (information leakage), or reconfigure a router (an actual compromise).

The Need for a Current IOS

A key aspect of every good security plan involves operating system security. Every operating system connected to the Internet is subject to attack. Hackers look for OS vulnerabilities to exploit. Cisco IOS has come under increasing scrutiny over the past few years. Bugtraq, a full disclosure vulnerability forum, reports 14 Cisco vulnerabilities between 1992 and 1999, 23 in 2000, and 42 in 2001. Once posted on Bugtraq, these vulnerabilities are seen by thousands of hackers a day and are used in numerous attacks. With such an increase in vulnerabilities, secure routers must have a current and stable version of IOS. The next section on IOS versions provides information on how to identify secure IOS releases.

Determining the IOS Version

You must know what IOS version your routers are currently running before determining whether you should use the latest release. To determine the IOS version, log into your router and type show version. The output will be similar to:

Cisco Internetwork Operating System Software IOS(tm)
GS Software (RSP-P-MZ), Version 12.0(16), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by Cisco Systems, Inc.
Compiled Wed 06-Jan-99 08:15 by preetha

Two pieces of this output matter. The first is Version 12.0(16), showing the IOS release version. This is followed by text indicating the release type. For the sake of security and stability, this text should normally read RELEASE SOFTWARE. If it reads anything else, such as EARLY DEPLOYMENT RELEASE SOFTWARE or MAINTENANCE INTERIM SOFTWARE, the router is not running one of the most stable and secure releases.

IOS Versions and Vulnerabilities

Once you know what IOS version your routers are running, you need to understand the IOS release process. Without this understanding, identifying and choosing the most secure release can be very difficult.

IOS Versions

Cisco has a very defined and often confusing procedure for releasing IOS versions. There are two major types of IOS releases:

Early Deployment

Early Deployment (ED) releases are used to add features to Cisco’s IOS. These releases contain feature and platform support that has not yet been tested extensively in production systems. It is relatively easy for Cisco to add additional features or platform support to ED releases, but these additions have had very little testing in production environments.

Major Release

The goal of Major Releases is stability and quality. Major Releases provide images for all Cisco hardware, and once a release becomes a Major Release, no additional features or platforms are added. The only changes to these releases are in the form of bug fixes.

Both Early Deployment and Major Releases are broken down into subcategories. Early Deployment releases are broken down into four types:

Consolidated Technology Early Deployment (CTED)

Cisco uses the CTED to add enhancements, new features, and new hardware platforms to the IOS. These releases are extremely feature rich, but at the cost of stability and reliability.

Specific Technology Early Deployment (STED)

STED releases are similar to CTED releases, but are targeted toward a specific technology and are always released on specific platforms.

Specific Market Early Deployment (SMED)

These releases target specific market segments such as ISPs or financial institutions. Unlike STED releases, which are organized according to technology, SMED releases are organized around a specific market segment. These releases are built only for the specific platforms needed by the target market.

X Releases

X Releases are short-lived, one-time releases. These releases exist to allow Cisco to add new features and platforms to a CTED release in an extremely short period of time in order to get these enhancements to market quickly. After successful testing, X Releases are ported back into the CTED releases immediately.

Major Releases can be broken down into two subcategories:

Limited Deployment

Limited Deployment (LD) releases are the first official Major Releases of IOS code. They have passed through the Early Deployment phase and include many of the new features and product support developed under the ED releases. Once a release is in the LD phase, no additional features, platforms, or enhancements can be made to the release—only bug fixes. Limited Deployment releases, however, have not yet been extensively tested in actual production networks.

General Deployment

After 9 to 14 months of testing in Limited Deployment, IOS versions enter General Deployment (GD). Once an IOS version reaches this phase, there are strict controls over any modifications to the code. The goal for GD releases is to remain as stable as possible. Not all releases reach General Deployment (for example, 11.1 and 11.3).

One more type of release needs to be mentioned: a Deferred Release (DF). These releases are designated by DF and occur when Cisco cancels and makes obsolete a release somewhere in the cycle. Releases are usually deferred because of significant quality issues and should be avoided.

From a security standpoint, organizations should normally be running GD releases. These releases are the most stable and have the most testing behind them. Other releases should be run only if an organization requires the additional functionality provided by another release and if a risk analysis indicates that they can handle the instability and insecurity often associated with the other releases.

Please note that, not knowing any better, many organizations run ED and LD releases and often have no problems. Cisco’s release process is done very well, and even these releases are generally stable and secure. However, the field of security requires one to be a little paranoid and, unless there are significant reasons to run other releases, the best practice is to stick with GD releases.

Finally, while running a General Deployment release should keep you safe from currently known problems and vulnerabilities, don’t let the GD release lull you into a false sense of confidence. Vulnerabilities are still discovered in GD releases, so it is extremely important to monitor the status of your releases to make sure new bugs have not been uncovered.

IOS Naming Scheme

In addition to the release system, choosing the right IOS release requires an understanding of Cisco’s naming conventions. The first is the Major Release number. Examples of Major Release numbers are 12.1, 12.0, 11.3, 11.2, and 11.1. Bug fixes to Major Releases are included in maintenance revisions released every eight weeks. The number inside the parentheses indicates maintenance revisions. For example, 12.0(3) indicates Major Release 12.0 and maintenance revision 3.

Limited or General Deployment releases consist of only Major Release and maintenance revision numbers. While the first few maintenance releases are going to be LD releases, there is no way to determine from the IOS number whether a release is in Limited or General Deployment. To find out, go to http://www.cisco.com and choose Products → Cisco IOS Software → Key Release Dates and Milestones, where the GD release dates are listed.

Identifying Early Deployment releases is easier. Letters or groups of letters are always assigned to ED releases:

CTED

The feature-rich Consolidated Technology releases can be identified by a T appended after the release number—12.0T, 12.1(3)T, or 11.3(15)T.

STED

The Specific Technology releases can be identified by two letters (excluding X) appended after the release number—11.1CA, 11.3(12)MA, or 12.0(3)NB. The first letter is used to specify the technology (see Table 2-1) and the second is used for differentiation.

SMED

The Specific Market releases can be identified by a single letter after the release number (except for a T, which indicates a CTED release). Examples of SMED releases are 12.1E or 12.0(14)S.

X Releases

These one-time releases can be identified by two letters—an X followed by a letter for differentiation.

The following letters help identify ED releases. These definitions apply when the letters are in the first position after the IOS release name.

Table 2-1. First letter of ED releases

Letter   Meaning
A        Access server/dial technology
D        xDSL technology
E        Enterprise feature set
H        SDH/SONET technology
N        Voice, multimedia, conference
S        Service provider
T        Consolidated Technology (CTED)
W        ATM/LAN switching/layer 3 switching
X        One-time release based on a CTED release

An X or Y in the second position indicates a short-lived Early Deployment release based on a Specific Technology (STED) release. For example, 11.3NX is based on 11.3NA and 12.0(3)WX is based on 12.0(3)WA.

Finally, in the case of a major bug, Cisco may fix and rebuild an IOS release. To differentiate these rebuilds from the original release, Cisco appends a number or letter to the end of the release number. If the release ends in a letter, Cisco appends a number. If the release ends in a number, Cisco appends a letter. If 12.0(3)T was rebuilt, the number would be 12.0(3)T1. A rebuild of 11.3(13) would yield 11.3(13a) and a rebuild of 12.1(2)NA would result in 12.1(2)NA1.
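The naming rules above, applied to the show version output from earlier in the chapter, as an added Python example (not code from the book): it pulls the version and release text out of the command output, classifies the version as a Major Release, CTED, STED, SMED or X Release, records any rebuild suffix, and flags whether the router meets the chapter's baseline of RELEASE SOFTWARE on a Major Release. The sample output is constructed from the chapter's excerpt, and the function names are this example's own.

```python
import re
FIRST_LETTER = {  # Table 2-1 (from the chapter): meaning of the first ED letter
    "A": "Access server/dial technology", "D": "xDSL technology", "E": "Enterprise feature set",
    "H": "SDH/SONET technology", "N": "Voice, multimedia, conference", "S": "Service provider",
    "T": "Consolidated Technology (CTED)", "W": "ATM/LAN switching/layer 3 switching",
    "X": "One-time release based on a CTED release"}
# major.minor, optional "(maintenance[rebuild letter])", optional ED letters, optional rebuild number
VERSION_RE = re.compile(r"^(\d+\.\d+)(?:\((\d+)([a-z])?\))?([A-Z]{1,2})?(\d+)?$")
SHOW_VERSION_RE = re.compile(r"Version\s+([^,\s]+),\s*([A-Z][A-Z ]*SOFTWARE)")

def classify_ios_version(version: str) -> dict:
    """Apply the chapter's naming scheme to a bare version string such as 12.1(2)NA1."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version: {version!r}")
    major, maint, rebuild_letter, letters, rebuild_num = m.groups()
    letters = letters or ""
    # A rebuild appends a letter to a number-ending release and a number to a letter-ending one.
    if (rebuild_letter and letters) or (rebuild_num and not letters):
        raise ValueError(f"rebuild suffix does not fit the naming scheme: {version!r}")
    if not letters:
        kind = "Major Release (LD or GD; GD status is not encoded in the number)"
    elif letters == "T":
        kind = "CTED"
    elif len(letters) == 1:
        kind = "SMED"
    elif letters[0] == "X":
        kind = "X Release"
    elif letters[1] in "XY":
        kind = "short-lived ED based on a STED release"
    else:
        kind = "STED"
    return {"major": major, "maintenance": int(maint) if maint else None, "letters": letters,
            "rebuild": rebuild_letter or rebuild_num, "type": kind,
            "technology": FIRST_LETTER.get(letters[0]) if letters else None}

def check_show_version(output: str) -> dict:
    # Extract the version and release text from 'show version' output and classify them.
    m = SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Version ..., ... SOFTWARE' line found in output")
    info = classify_ios_version(m.group(1))
    info["release_text"] = m.group(2)
    # Chapter baseline: RELEASE SOFTWARE on a Major Release; anything else calls for a risk review.
    info["baseline_ok"] = info["release_text"] == "RELEASE SOFTWARE" and not info["letters"]
    return info

# Constructed sample modelled on the chapter's show version excerpt, not captured from a real router.
SAMPLE_OUTPUT = """Cisco Internetwork Operating System Software IOS(tm)
GS Software (RSP-P-MZ), Version 12.0(16), RELEASE SOFTWARE (fc1)"""
```

A baseline_ok result of True still says nothing about GD status, which has to be confirmed against Cisco's release milestones page as the chapter describes.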

Vulnerabilities

To determine which versions of IOS have vulnerabilities, go to http://www.cisco.com/go/psirt to find the latest security information. Unfortunately, Cisco provides no summary of vulnerable IOS versions, and determining your vulnerability requires going through most Security Advisories individually. With the numerous IOS versions available, choosing a General Deployment makes checking for security vulnerabilities easier.

IOS Security Checklist

This checklist summarizes the important security information presented in this chapter. A complete security checklist is provided in Appendix A.

  • Make sure that all routers are running a current IOS.

  • Make sure that the IOS version is in General Deployment (unless all risks with the non-GD IOS version have been addressed).

  • Check the IOS version against existing Cisco Security Advisories.

  • Regularly check Cisco Security Advisories for IOS vulnerabilities.
