InfoSecter Support Notes for IOS

Supported versions

InfoSecter has been tested on configurations from versions 12.3 and 12.4.

The InfoSecter analysis support concentrates on firewall and IPSec features. In particular, InfoSecter reports may include the following classes of actions.

The IOS command set is vast. InfoSecter parses firewall feature set commands and core IOS commands. The Analyzer will parse and use both CBAC commands and newer zone-based firewall commands in building its model of the firewall's operation. It does not parse the entire IOS command set; the analysis proceeds using the information from the commands that were parsed.

Gathering device configurations

Secure copy (copy over the SSH protocol) can be used to pull configurations from the IOS device to a client machine. To enable such access, the IOS device must be configured to allow SSH access and then to enable scp access. The Cisco documentation on SSH and scp covers this in detail.

To enable SSH access to the device, you must use the crypto key generate rsa command to create a named key pair for use with the SSH server on the device. To enable secure copy access from a client to the IOS device, use the ip scp server enable command.

Once the device is configured to allow scp access, you can use your favorite secure copy program (e.g. scp from OpenSSH or pscp from PuTTY). For example, using OpenSSH's scp, the following command will pull the running config from an IOS device with the address 192.168.1.1 and store it locally in the file backup.cfg.

    scp admin@192.168.1.1:running-config backup.cfg

This example assumes there is a user named admin either defined on the IOS device or defined in a AAA server that the IOS device uses for authentication and authorization.
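
A pulled file such as backup.cfg can be checked against these notes before it is handed to the analyzer. The shell functions below are an added example, not part of InfoSecter or of the original notes. The function names, the sample config, and the heuristics (a final end line as a completeness test, ip inspect name and zone security lines to tell CBAC from zone-based) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check on a config pulled with scp (e.g. backup.cfg).
# Function names and the sample config below are constructed for illustration.

# Print the release from the config's "version" line, e.g. "12.4".
ios_version() {
    tr -d '\r' < "$1" | awk '$1 == "version" { print $2; exit }'
}

# Classify the firewall commands present: cbac, zone-based, both or none.
ios_fw_style() {
    cbac=no; zbf=no
    if tr -d '\r' < "$1" | grep -Eq '^ip inspect name '; then cbac=yes; fi
    if tr -d '\r' < "$1" | grep -Eq '^zone(-pair)? security '; then zbf=yes; fi
    case "$cbac$zbf" in
        yesyes) echo both ;;
        yesno)  echo cbac ;;
        noyes)  echo zone-based ;;
        *)      echo none ;;
    esac
}

# Succeed only if the last non-blank line is "end"; a cut-off transfer fails.
ios_complete() {
    [ "$(tr -d '\r' < "$1" | awk 'NF { l = $0 } END { print l }')" = "end" ]
}

# Gate for the analyzer: a tested release (12.3 or 12.4) and a complete file.
check_config() {
    ver=$(ios_version "$1")
    case "$ver" in
        12.3|12.4) ;;
        *) echo "$1: untested or missing IOS version '$ver'" >&2; return 1 ;;
    esac
    ios_complete "$1" || { echo "$1: no final 'end', file truncated?" >&2; return 1; }
    echo "$1: IOS $ver, firewall style $(ios_fw_style "$1")"
}

# Constructed sample standing in for backup.cfg.
sample=$(mktemp)
printf '%s\n' 'version 12.4' 'hostname r1' 'ip inspect name FW tcp' \
    'interface FastEthernet0/0' ' ip inspect FW out' 'end' > "$sample"
check_config "$sample"
rm -f "$sample"
```

A result of both means the config mixes CBAC and zone-based commands, which is worth knowing before reading the resulting report.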