ADTRAN AOS Version R10.1.0 Command Reference Manual page 410

Adtran operating system (aos)

Command Reference Guide
If two people are logged in simultaneously (for example, one via Telnet and one via the console) and both
try to run the audit security tool, the user who begins the audit first takes precedence. The second user
sees an error message stating that an audit is in progress.
The following table lists the configuration items that are audited for security risks.
Violation Type: Startup-Config
Severity: High
Description: Indicates that the startup configuration file does not match the running configuration file. This is determined by comparing the MD5 checksum of both files for a match.

Violation Type: Passwords/Keys
Severity: High
Description: Identifies nonsecure passwords. If a password has MD5 encryption enabled, the tool tests for common password sequences, such as qwerty, 1234, abc, xyz, etc. If MD5 is disabled, an alert is issued if the password:
- Is less than 7 characters.
- Does not contain alphabetic and numeric characters.
- Matches common sequences, such as qwerty, 1234, abc, xyz, etc.
- Matches the default passwords.
- Matches another password in the system.
- Service password encryption is not enabled.

Violation Type: Firewall
Severity: High
Description: Indicates the firewall is disabled.

Violation Type: Policy-Class
Severity: High
Description: Identifies any of the following access control policy (ACP) vulnerabilities:
- Stateful inspection is disabled.
- An undefined access control list (ACL) exists in the ACP.
- An interface with a private IP address (10.x.x.x, 172.16.x.x, 192.168.x.x) has an ACP assigned that does not have NAT configured.
- An interface is enabled without an ACP assigned.

Violation Type: SNMP
Severity: High
Description: Indicates the SNMP agent is enabled and configured to allow SNMPv1 or SNMPv2. Both of these versions are considered nonsecure. SNMPv3 group and SNMPv3 user are preferred.

Violation Type: Network Protocols
Severity: High
Description: Identifies whether any of the following network protocols, which are considered a security risk, are enabled: HTTP, HTTPS SSLv2, FTP, TFTP, and Telnet. SSH is suggested as a replacement for Telnet and HTTPS SSLv3 instead of HTTPS SSLv2.

Violation Type: WIFI
Severity: High
Description: Identifies any of the following wireless vulnerabilities:
- Security mode is set to anything but WPA2 (including none).
- Service set identifier (SSID) broadcast is enabled.
- A weak key.

Violation Type: Session Timeout
Severity: High
Description: Identifies when the console, HTTP, SSH, or Telnet session timeout is set to a value greater than 15 minutes. Long session timeouts can compromise the system. The recommended setting is 15 minutes or less.

60000CRG0-35E
Copyright © 2012 ADTRAN, Inc.
Enable Mode Command Set
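
The Passwords/Keys rules for the MD5-disabled case can be reproduced offline to pre-check credentials before they go into a configuration. The following Python sketch is an added example, not ADTRAN code or the audit tool's implementation. It assumes that "matches" a common sequence means a case-insensitive substring test, that the alphabetic/numeric rule requires both letters and digits, and that the default-password list is supplied by the caller (the page does not list the defaults).

```python
from collections import Counter

# Sequences named on the page; the tool's full list is not published there.
COMMON_SEQUENCES = ("qwerty", "1234", "abc", "xyz")
MIN_LENGTH = 7  # the page flags passwords shorter than 7 characters


def audit_passwords(passwords, defaults=(), encryption_enabled=True):
    """Return {label: [violations]} for cleartext passwords, per the rules above."""
    counts = Counter(passwords.values())
    default_set = {d.lower() for d in defaults}  # caller-supplied assumption
    findings = {}
    for name, pw in passwords.items():
        issues = []
        lowered = pw.lower()
        if len(pw) < MIN_LENGTH:
            issues.append("shorter than 7 characters")
        # Assumption: the rule means the password needs both letters and digits.
        if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
            issues.append("lacks alphabetic and numeric mix")
        # Assumption: "matches" is a case-insensitive substring test.
        hits = [s for s in COMMON_SEQUENCES if s in lowered]
        if hits:
            issues.append("common sequence: " + ",".join(hits))
        if lowered in default_set:
            issues.append("default password")
        if counts[pw] > 1:
            issues.append("reused by another account")
        if issues:
            findings[name] = issues
    if not encryption_enabled:
        findings["(global)"] = ["service password encryption is not enabled"]
    return findings


# Constructed sample data, not taken from any real device.
SAMPLE = {
    "enable": "password",
    "admin": "Qwerty77",
    "ops": "r7Kd2mVx9",
    "backup": "tr0ub4dor",
    "noc": "tr0ub4dor",
}

if __name__ == "__main__":
    report = audit_passwords(SAMPLE, defaults=("password",), encryption_enabled=False)
    for label, issues in report.items():
        print(label, "->", "; ".join(issues))
```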