Security – Is enabling https on a Cisco router a considerable security risk

ciscohttpsrouterSecurity

I would like to use Cisco's Network Assistant to manage my Cisco routers (I know there are other solutions for this, but for now I've decided to use CNA). It requires the HTTP or HTTPS service to be running on routers being managed. Where I work I have already been told I probably won't be allowed to implement this because enabling HTTP/HTTPS on the routers is a security risk.

But is it really a security hole as long as I enable HTTPS and change the default port number? I want to be able to say with confidence that doing it this way is completely secure. Of course nothing is "completely" secure and a port scanner could find any open ports, but the HTTP service running in the IOS isn't that hackable is it?

Lastly, should I have asked this question in the security forum?

Best Answer

As an Information Assurance (IA) principle, the less unnecessary services running on a device, the lower the attack surface. To mitigate issues, proper configuration and patching levels are key. Changing ports is one of many elements you can do to lower the potential security risk.

Cisco has an excellent guide for proper implementation of the HTTP/HTTPS service here (Selective Enabling of Applications Using an HTTP or HTTPS)

Related Solutions

Security Risk? Microsoft-HTTPAPI/2.0

If the response's Server header returns "Microsoft-HttpApi/2.0", it means that the HTTP.sys is being called instead of IIS. Exploits and port scans use this as a means of fingerprinting an IIS server (even one that is otherwise hiding the Server header).

You can test this by throwing an error using CURL:

curl -v http://www.yourdomain.com/ -H "Range: bytes=00-18446744073709551615"

You will see something like this if your server is sending the header:

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339

You can add a registry value so HTTP.sys doesn't include the header.

Open Regedit
Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
If DisableServerHeader doesn't exist, create it (DWORD 32bit) and give it a value of 2. If it does exist, and the value isn't 2, set it to 2.
Reboot the server OR restart the HTTP service by calling "net stop http" then "net start http"

Reference: WS/WCF: Remove Server Header

After you add the registry key, the response looks like this:

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339

Posting here so people who need this can find it. (Thanks, Oram!)

Security risk of enabling MSDTC

I don't know of any security issues with enabling MS DTC. If you require distributed transactions, then you'll need MS DTC, no way around it even if there were.

Best Answer

Related Solutions

Security Risk? Microsoft-HTTPAPI/2.0

Security risk of enabling MSDTC

Related Topic