
Automated Security Configuration Checklist for a Cisco IPsec VPN Router using SCAP

The document describes developing an automated security configuration checklist for a Cisco IPsec VPN router using the Security Content Automation Protocol (SCAP) version 1.2. It discusses related work on security automation and SCAP. It then outlines the methodology used to develop the checklist, including requirements analysis, design, implementation, and testing phases. The goal is to enable organizations to rapidly determine compliance of their VPN routers to a security baseline.

The 10th International Conference for Internet Technology and Secured Transactions (ICITST-2015)

Automated Security Configuration Checklist for a Cisco IPsec VPN Router using SCAP 1.2
Gabriel Biedima Peterside, Pavol Zavarsky, Sergey Butakov
Information Systems Security Management
Concordia University of Edmonton, Edmonton, Alberta, Canada
[email protected], {pavol.zavarsky,sergey.butakov}@concordia.ab.ca

Abstract—For large enterprises running many different operating systems, applications, and multi-vendor devices, the task of reviewing the security state of a broad range of devices and business areas in order to either comply with security requirements from regulations or detect risks such as misconfigured devices, out-of-date software, etc., is time-consuming, error-prone, and expensive. Although humans are important in the security assessment process, they are unable to keep up with the task, and may introduce inconsistencies which could further make organizations vulnerable to security breaches. Security automation provides a solution to these challenges. In this paper, a common security automation protocol, Security Content Automation Protocol (SCAP) version 1.2, was leveraged to develop an automated secure configuration checklist which can be used by security professionals to rapidly and consistently audit network edge devices such as a Cisco IPsec VPN router to ensure secure configuration per the baseline.

Keywords— SCAP; Security Automation; IPsec VPN

I. INTRODUCTION

Managing security of information systems, especially for large enterprises with many different systems from multiple vendors, different applications, and different flavors of operating systems with different mechanisms for secure configuration management and patching, is challenging for organizations and security professionals. The emergence of virtualization technology, for example, further increases the problem as security professionals must now ensure security of virtual machines, guest operating systems running on them, and guest applications, in addition to the physical device.

The process of reviewing security posture in such large enterprises is time-consuming, error-prone, taxing, and often results in inconsistencies, and consequently new risks, since humans have to manually carry out such tasks. Coupled with the fact that attackers may exploit unpatched vulnerabilities anytime, time is also of the essence in ensuring a good security posture.

These challenges may be solved by automating the process of verifying the security state of information systems based on defined security policies or baseline – a process known as Security Automation. Security Automation is the use of standardized specifications and protocols to perform common security functions such as patch management, inventory management, vulnerability assessment, compliance checking, etc. [1]. It is a set of technologies and processes designed to automatically handle routine tasks, detect and remediate vulnerabilities, expedite response to known threats, deliver essential information when needed, and allow information security professionals to focus on hard problems [2]. One common security automation protocol used by U.S. federal agencies, and also supported by major players such as Microsoft, Cisco Systems, etc., is the Security Content Automation Protocol (SCAP). The SCAP, developed by NIST, is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and to humans [3].

This work was motivated by the fact that the checklists/Security Technical Implementation Guides (STIGs) for network edge devices currently available to the public via the NIST National Checklist Program, the NSA’s Security Configuration Guides repository, the Center for Internet Security, and the Defense Information Systems Agency (DISA) are not automated, which makes it burdensome for large organizations to quickly determine their security posture in order to identify risks such as devices configured insecurely. Also, under the Federal Information Security Management Act (FISMA) of 2002, Title III of the E-Government Act (Public Law 107-347), Federal organizations must report annually to the Congress and to the Office of Management and Budget (OMB) on the adequacy and effectiveness of their information security policies, procedures, and practices [4].

The SCAP 1.2 specifications, Extensible Configuration Checklist Description Format (XCCDF) and the Open Vulnerability and Assessment Language (OVAL) were used in the automated checklist developed for use in verifying the configuration on a Cisco router configured for IPsec VPN, per baseline (i.e. configuration compliance checking). This enabled rapid security assessment using SCAP-Validated products, and demonstration of compliance as and when required.

The automated checklist was developed following an approach similar to that used in traditional software development, in which development goes through the phases listed below.

- Requirements analysis
- Design
- Implementation
- Testing

978-1-908320-52/0/$31.00 ©2015 IEEE 355


The result of this automated checklist development enables organizations to determine whether their network edge routers configured for IPsec VPN meet the security baseline, quickly demonstrate compliance to regulations, and bring non-compliant devices into compliance using recommendations provided with the assessment result.

The main contribution of this paper is a SCAP 1.2 automated checklist used for checking the compliance of a Cisco IPsec VPN router with the baseline. In addition, test and validation results are discussed briefly.

The remaining sections of the paper are organized as follows. In Section II, we look at related research work, in Section III, the methodology used is discussed, while the architecture of the SCAP Content developed is discussed in Section IV. In Section V, test results are discussed.

II. RELATED WORK

Existing work related to automated security audit focused on security automation approaches [5], automation possibilities in information security management [6] [7], how SCAP enables organizations to verify the secure state of their systems [4], and recently, an automated secure configuration benchmark for a Cisco router using SCAP.

In [5], two initiatives are provided for solving the challenges faced by large organizations and security professionals, with more emphasis on the SCAP version 1.1 standards such as OVAL, OCIL and XCCDF, and how they can be used to bridge the gap between the demands of security and complexity of the IT infrastructure. Although useful code snippets using the OVAL specification are provided, they are tailored towards operating systems such as Windows and are based on an older version of SCAP, version 1.1.

On the other hand, [6] shows that although security automation eases the burden of security assessment, automating every aspect of it is not possible since it involves technology, people, and processes. For instance, awareness and training cannot be automated because it involves humans; however, automation should be leveraged as much as possible in order to reduce the time necessary to detect security flaws, etc. In [4], recommendations on how organizations can adopt SCAP are provided through various use cases and specifications.

III. METHODOLOGY

The methodology used in this paper was accomplished through the phases as follows.

A. Requirements Analysis

In this stage, a baseline based on security configuration guides from the National Security Agency (NSA), National Institute of Standards and Technology (NIST), and Cisco Systems (Next Generation Encryption) was defined in line with the typical security requirements of an organization. The baseline formed the basis of the rules defined in the automated checklist using XCCDF. The tools used were also identified in this phase.

B. Design

Based on the security requirements in Section III, subsection A above, and the SCAP 1.2 Content Requirements and Recommendations defined in the Technical Specification for SCAP Version 1.2, pseudocode was developed to be used in the implementation phase. Also, a test plan was created to guide testing.

C. Implementation

The checklist was developed per the design, using XCCDF and OVAL. Also, an initial test and validation using a SCAP-Validated product such as jOVAL, and the SCAP Content Validation Tool from NIST was carried out. SCAP-Validated products (SCAP content consumers) are a list of products that have been validated by NIST as conforming to the SCAP and its component standards. On the other hand, the SCAP Content Validation Tool is designed to validate the correctness of a SCAP data stream for a particular use case according to what is defined in SP 800-126 [8].

D. Testing

The automated checklist was tested using the test plan developed in the design phase, a SCAP-Validated Product (jOVAL), and a Cisco IPsec VPN router, to ensure the requirements have been met. Test results were also discussed briefly.

IV. PROPOSED SCAP CONTENT ARCHITECTURE

To automate compliance checking, a baseline (usually based on the organization’s security requirements) which devices will be verified against was defined. This baseline was then translated using the ‘Checklist’ language (XCCDF) to a checklist (rules) in XML and thus, could be processed by SCAP-Validated products. Since the checklist cannot interact directly with the low-level settings of the device, the ‘check’ language, OVAL, must be invoked.

[Figure 1: layered diagram; layers in the order shown: SCAP-Validated Tool; XCCDF (encapsulated security policy/guidance); OVAL (assessment instructions); System Settings (registry key, hash, etc.)]

Figure 1. XCCDF interaction with the system [9]

Fig. 1 shows at a high level how the checklist in XCCDF interacts with the system (router). Each layer builds on the layer below it.

A. Security Baseline

A baseline is a minimum level of security that a system, network, or device must adhere to [10].

The security parameters that make up the baseline are shown below.

IPsec Protocol “Global” Configuration Parameters:

- ESP Tunnel Mode – This is the default mode and provides encryption and integrity protection,
complicates attempts to perform traffic analysis, and is compatible with NAT [11].

TABLE I. ISAKMP SA SECURITY PARAMETERS (IKE PHASE 1) [12]

| Parameter | Value | Rationale |
|---|---|---|
| Authentication | PSK | Provides acceptable security [13] |
| Encryption | 3DES | Provides marginal but acceptable security level [13] and is FIPS-approved [11] |
| HMAC | SHA-1 | Provides marginal but acceptable security [13] |
| Diffie-Hellman | Group 2 | Recommended by the NSA, NIST and Cisco Systems [11] [13] [14] |
| Lifetimes | 86,400 seconds | Recommended by [11] and [14] |

TABLE II. IPSEC SA SECURITY PARAMETERS (IKE PHASE 2) [12]

| Parameter | Value | Rationale |
|---|---|---|
| Encryption | AES | Provides adequate security [13] |
| HMAC | SHA-1 | Provides adequate security |
| Lifetimes | 1,800 seconds | Lifetime of 30 mins (1800s) improves the security of legacy algorithm, and is recommended by [13] [11] |

B. SCAP Data Stream Design

SCAP 1.2 introduced the concept of a data stream, which is a combination of SCAP specifications/components such as OVAL, XCCDF, CPE, OCIL, etc., used together for particular functions (i.e. use cases), such as security configuration checking, vulnerability assessment, inventory management, etc. [8]. Multiple data streams along with their components constitute a SCAP source data stream collection [8], shown in Fig. 2 below. Thus, the checklist we developed for the ‘Configuration’ use case in this research works with SCAP specifications/components such as OVAL and CPE, which are reflected in the design shown in Fig. 3.

I. SCAP Data Stream Collection

[Figure 2: a data stream collection containing data streams (data stream 1, data stream 2) and components (xccdf1, xccdf2, oval1, oval2, cpe dict1, cpe dict2)]

Figure 2. SCAP data stream collection [8]

In Fig. 2, ‘data stream 1’ and ‘data stream 2’ can reference any component within the same data stream collection. Fig. 3 below shows, at a high level, the data stream design used. The data stream references a checklist component (XCCDF) which has a set of rules based on the baseline, a checking system (OVAL) invoked by the checklist to carry out the test. It also references a CPE dictionary component (cpe dict) which contains information about the Cisco router, and a ‘cpe-oval’ component that provides information to the SCAP tool on how to check if the router being assessed meets the defined specification.

[Figure 3: a data stream collection containing one data stream and the components xccdf, oval, cpe oval, cpe dict]

Figure 3. SCAP data stream design

At the heart of the configuration compliance checking is the OVAL check system [8] which uses Cisco IOS schema tests [15] to verify the configuration of the target device (i.e. a Cisco IPsec VPN router). The OVAL tests, ‘line_test’ and ‘version55_test’ were used in the checklist developed. The ‘line_test’ checks the properties of specific output lines from a ‘show’ command, such as ‘show running-config’. The required object element references a ‘line_object’ and the optional ‘state’ element specifies the data to check [15]. On the other hand, the ‘version55_test’ was used to check the version of the internetwork operating system (IOS) running on the router. The required object element references a ‘version_object’ and the optional ‘state’ element specifies the data to check. An illustration of how they were used is shown in the snippet provided in Fig. 4 below.

In Fig. 4, the ‘<tests>’ element on lines 1 and 6 provides a container for one or more OVAL tests. Line 3 is a reference to an OVAL object that specifies which system data to collect, while line 4 is a reference to the expected state of the collected system data.

    1 <tests>
    2   <line_test id="oval:cue:tst:1">
    3     <object object_ref="oval:cue:obj:1"/>
    4     <state state_ref="oval:cue:ste:1"/>
    5   </line_test>
    6 </tests>

Figure 4. OVAL test structure code snippet [16]

II. Test Evaluation

The accuracy of the result obtained from the device configuration compliance checking is largely based on the test evaluation of the checking system. The result of the OVAL test evaluation is determined by combining the results of the following three test evaluation parameters [17]:

- Existence Check Evaluation – The process of determining whether or not the number of OVAL
Items, that match the specified OVAL object, satisfies the requirements specified by the ‘check_existence’ property.

- Check Evaluation – The process of determining whether or not the number of collected OVAL Items, specified by the ‘check’ property, match the specified OVAL states.

- State Operator Evaluation – The process of combining the individual results, from the comparison of an OVAL Item to the specified OVAL States, according to the ‘state_operator’ property.

     1 <criteria operator="AND">
     2   <criterion test_ref="oval:cue:tst:1"/>
     3   <criterion test_ref="oval:cue:tst:2"/>
     4 </criteria>
     5 <tests>
     6   <line_test id="oval:cue:tst:1" check="at least one"
                    check_existence="at_least_one_exists">
     7     <object object_ref="oval:cue:obj:1"/>
     8     <state state_ref="oval:cue:ste:1"/>
     9   </line_test>
    10   <line_test id="oval:cue:tst:2" check="at least one"
                    check_existence="at_least_one_exists">
    11     <object object_ref="oval:cue:obj:2"/>
    12     <state state_ref="oval:cue:ste:2"/>
    13   </line_test>
    14 </tests>

Figure 5. OVAL test evaluation code snippet

In Fig. 5 above, the individual results of both tests in the ‘<tests>’ container (i.e. lines 6 – 9 and lines 10 – 13), obtained by doing a ‘check’ and ‘check existence’ evaluation, are evaluated by the logical ‘AND’ operator in line 1 to obtain the final test result which shows whether or not the device meets the baseline. The code snippet in Fig. 6 ties key data stream components together.

    <data-stream-collection>
      <data-stream id="dsm" use-case="CONFIGURATION">
        <checklists>
          <component-ref id="ref.xml" xlink:href="#checklist.xml">
            <cat:catalog>
              <cat:uri name="oval.xml" uri="#ovalcompid"/>
            </cat:catalog>
          </component-ref>
        </checklists>
      </data-stream>
      <component>
        <!-- XCCDF checklist per baseline invokes the OVAL checking system -->
      </component>
      <!-- other SCAP specifications defined in '<component>' containers -->
    </data-stream-collection>

Figure 6. Data stream snippet showing key components

In Fig. 6, the checklist component, ‘checklist.xml’ uses an XML catalog element to reference ‘oval.xml’, with its SCAP content accessible through the external URI ‘ovalcompid’.

The automated checklist is available upon request.

III. Test Plan and Tools Used

The tools used in this research are listed in Table III below.

TABLE III. TOOLS USED

| Tool | Vendor | Version |
|---|---|---|
| SCAP-Tool (jOVAL) | Joval | 5.11.1-1 |
| Cisco 2811 router | Cisco Systems | 12.4, Advanced Security IOS |
| SCAP Content Validation Tool | NIST | 1.2 |
| Source Code Editor | Notepad++ | 6.8.1 |
| Laptop running Windows 7 and 8.1 OS | Dell | 6.3.9600 Build 9600 |

The test plan, as shown in Table IV, allowed for testing the checklist using various test cases to identify and fix any errors, as well as validate our claims.

The last three columns of the test plan in Table IV are blank intentionally, to be populated after each test. The Expected Outcome column is used to record the result expected for a particular test case per design, while the Actual Outcome column is for describing the real result obtained. Remarks, if any, are made in the last column.

TABLE IV. TEST PLAN

| Test ID | Test | Expected Outcome | Actual Outcome | Remarks |
|---|---|---|---|---|
| 1 | Data stream (checklist) validates with the SCAP Content Validation Tool | | | |
| 2 | jOVAL can communicate with IPsec VPN Router | | | |
| 3 | Data stream validates upon import to jOVAL | | | |
| 4 | IKE Phase 1 – Encryption Configuration | | | |
| 5 | IKE Phase 1 – Hash Configuration | | | |
| 6 | IKE Phase 1 – Authentication Configuration | | | |
| 7 | IKE Phase 1 – DH Group Configuration | | | |
| 8 | IKE Phase 1 – Lifetime Configuration | | | |
| 9 | IKE Phase 2 – Transform Set Configuration | | | |
| 10 | IKE Phase 2 – IPsec Mode Configuration | | | |
| 11 | IKE Phase 2 – IPsec Lifetime Configuration | | | |
| 12 | Tests will pass per baseline | | | |
| 13 | Configuration assessment of unsupported devices fail | | | |
| 14 | Remediation guidance provided to bring devices to compliance | | | |
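
Test cases 4 to 11 of the test plan, evaluated the way the Test Evaluation subsection describes (existence check, check, state operator, then a final AND over all tests), as an added Python example that is not the authors' checklist or jOVAL code. The two running-config excerpts are constructed, the regular expressions and the choice of which tests to negate are assumptions, and it assumes IOS leaves default values (hash sha, lifetime 86400, tunnel mode) out of the running configuration.

```python
import re

# Constructed `show running-config` excerpts (sample data, not from the paper).
COMPLIANT = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set VPNSET esp-aes esp-sha-hmac
"""

NONCOMPLIANT = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 lifetime 3600
!
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
 mode transport
"""

POLICY = r"^crypto isakmp policy \d+ / "
TSET = r"^crypto ipsec transform-set \S+ "

# (Table IV test ID, negate the result?, arguments for run_test).
# Patterns and negation choices are assumptions made for this example.
BASELINE = [
    (4, False, dict(obj=POLICY + r"encr(yption)? 3des$")),
    # No hash line means the default applies; any hash line present must be sha.
    (5, False, dict(obj=POLICY + r"hash ", states=[r"hash sha$"],
                    check="all", check_existence="any_exist")),
    (6, False, dict(obj=POLICY + r"authentication pre-share$")),
    (7, False, dict(obj=POLICY + r"group 2$")),
    # Negated: look for a lifetime other than 86400; finding one is a failure.
    (8, True, dict(obj=POLICY + r"lifetime (?!86400$)\d+$")),
    (9, False, dict(obj=TSET + r"esp-aes( \d+)? esp-sha-hmac$")),
    # Negated: transport mode must not be set on any transform set.
    (10, True, dict(obj=TSET + r".* / mode transport$")),
    (11, False, dict(obj=r"^crypto ipsec security-association lifetime seconds 1800$")),
]

def collect_items(config):
    """Flatten the config into items; an indented sub-command becomes 'parent / child'."""
    items, parent = [], ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            items.append(f"{parent} / {raw.strip()}")
        else:
            parent = raw.strip()
            items.append(parent)
    return items

def run_test(items, obj, states=(), state_operator="AND",
             check="at least one", check_existence="at_least_one_exists"):
    """Simplified boolean model of one OVAL test (real results also include error/unknown)."""
    matched = [i for i in items if re.search(obj, i)]
    # Existence check: does the number of collected items satisfy check_existence?
    existence_ok = {"at_least_one_exists": len(matched) >= 1,
                    "none_exist": len(matched) == 0,
                    "any_exist": True}[check_existence]
    if not existence_ok:
        return False
    if not states or not matched:
        return True
    # State operator: combine the per-state comparisons for each item.
    combine = all if state_operator == "AND" else any
    hits = [combine(re.search(s, i) is not None for s in states) for i in matched]
    # Check: how many of the collected items must satisfy the state(s).
    return {"at least one": any(hits), "all": all(hits),
            "none satisfy": not any(hits)}[check]

def assess(config):
    """Return {test ID: 'PASS' or 'FAIL'} plus 'overall' (criteria operator AND)."""
    items = collect_items(config)
    results = {}
    for test_id, negate, kwargs in BASELINE:
        results[test_id] = "PASS" if run_test(items, **kwargs) != negate else "FAIL"
    results["overall"] = "PASS" if set(results.values()) == {"PASS"} else "FAIL"
    return results

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT)):
        print(name, assess(cfg))
```

With several ISAKMP policies on one router, an ‘at least one’ check passes as soon as any single policy matches, so a stricter checklist would evaluate each policy block separately.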

C. SCAP Data Stream Implementation

In developing the checklist, the following steps were outlined (in no particular order) as pseudocode before actual development using the SCAP specifications.

- Define data stream use case as ‘Configuration’
- Identify OVAL schema tests for Cisco IOS
- Examine secure configuration guides for IPsec from NIST, Cisco, the NSA, etc.
- Translate security baseline to XCCDF
- Translate checks/compliance tests to be run on the target device to OVAL
- Invoke OVAL component (test) from XCCDF
- Identify CPE name for the target device and develop CPE test
- Create CPE dictionary and CPE OVAL components
- Create data stream for the SCAP components
- Develop test plan
- Validate SCAP data stream for correctness using the SCAP-Validation tool from NIST and the SCAP-Validated product, jOVAL during import.
- Test checklist against target device(s) and note results

V. TEST RESULTS AND DISCUSSION

The test plan developed in the design phase of the research was used for the purpose of testing against a Cisco 2811 IPsec VPN router and is based on the defined baseline. In the testing, typical scenarios in the production environment were simulated. In addition, tests were also carried out by an external party not involved in the research in order to ensure the consistency and accuracy of test results. The testing followed three general phases:

- Phase 1 – SCAP content validation
- Phase 2 – jOVAL connectivity to router
- Phase 3 – IPsec router assessment per baseline

The tests showed how leveraging security automation for secure configuration checking ensures consistency of security parameters configured, thereby reducing errors due to manual configuration by humans.

Most importantly, misconfigurations were picked up by the checklist upon assessment of the router and reported as a ‘FAIL’. For instance, in the IKE Phase 2 - IPsec Lifetime Configuration test, if the lifetime configured was anything other than 1800 seconds, the test failed since it did not meet the baseline. Also, for IKE Phase 1 – DH Group Configuration, the test failed when the default DH Group (group 1) was configured, because it did not meet the baseline as defined in the XCCDF rule. Overall, the tests passed as long as the router configuration for that security parameter met the baseline.

The logical ‘OR’ and ‘AND’ operators provided much flexibility in the evaluation of test results in that tests could be evaluated individually or as a group, for a more accurate result. The ‘negate’ keyword was also very useful in test evaluations for the IKE Phase 1 DH Group Configuration and Lifetime Configuration as some test results had to be ‘negated’ in order for them to pass per the baseline.

Although no false positives were identified in the course of the testing, it is not impossible for false positives to be obtained in future/over time, for instance due to router software bugs, deprecated OVAL tests, etc.

The automated checklist developed in this research is available upon request by contacting the first author.

VI. CONCLUSION AND FUTURE WORK

An automated checklist was developed for verifying the configuration of a Cisco IPsec VPN router against the baseline. The test results were discussed in Section V and meet the defined baseline. Due to limited access to real hardware, extensive testing was not possible; thus, it was not possible to compare results across multiple IPsec VPN routers.

Security automation using SCAP 1.2 data stream is a “must-have” item for large enterprises looking to quickly verify the security state of their information systems; however, the learning curve is steep.

The checklist developed currently verifies devices and provides recommendations on how to bring them into compliance, if they are non-compliant to the baseline. In addition to assessing the router for misconfigurations, the Open Checklist Interactive Language (OCIL) component of SCAP can be leveraged for automated remediation. For instance, the OCIL can be integrated into the automated checklist to capture human input in the form of authorization from the change advisory board, before proceeding with remediating non-compliant devices using OVAL.

Finally, the checklist can be used to scan routers running IOS version 12.x but not version 15.x, which is the latest, because we had no access to routers running that software version. Also, it does not check the device to ensure it’s a Cisco IPsec VPN router, before checking its configuration for compliance. Thus, this could result in a false positive if a non-IPsec VPN router is scanned.

ACKNOWLEDGMENT

We thank God for His grace in making this research possible. We also thank our family and friends for their encouragement and support including, Mr. Chamberlain Peterside, PhD, and the RSSDA for their support.

REFERENCES

[1] G. Witte, Security automation essentials: streamlined enterprise security management & monitoring with SCAP, New York: McGraw-Hill, 2012.
[2] S. Hanna and D. Waltermire, "Security Automation Webinar: Protecting Your Enterprise with Security Automation," 15 May 2013. [Online]. Available: https://www.trustedcomputinggroup.org/files/resource_files/A9AA1AE4-1A4B-B294-D0D4F40E60A181C2/Security%20Automation%20Webinar_2013%2005%2015.pdf. [Accessed 12 October 2015].
[3] National Institute of Standards and Technology, "NIST Solicits Comments on the Security Content Automation Protocol (SCAP)," August 2015. [Online]. Available: http://csrc.nist.gov/publications/drafts/800-126/sp800-126r3_call-for-comments.html. [Accessed 2 September 2015].
[4] S. Radack, "Security Content Automation Protocol (SCAP): Helping organizations maintain and verify the security of their information systems," September 2010. [Online]. Available: http://csrc.nist.gov/publications/nistbul/september2010-bulletin.pdf. [Accessed 26 October 2015].
[5] G. Koschorreck, "Automated audit of compliance and security controls," in 2011 Sixth International Conference on IT Security Incident Management and IT Forensics, Bensheim, 2011.4
[6] R. Montesino and S. Fenz, "Automation possibilities in information security management," in 2011 European Intelligence and Security Informatics Conference, Athens, 2011.
[7] P. Dwivedi and S. C. Diana, "Analysis of automation studies in the field of information security management," International Journal of Engineering Research and Development, vol. 6, no. 12, pp. 60-63, 2013.
[8] NIST, "SCAP Specifications," National Institute of Standards and Technology, 8 April 2015. [Online]. Available: http://scap.nist.gov/revision/1.2/. [Accessed 30 September 2015].
[9] The MITRE Corporation, "XCCDF Introduction Handout," [Online]. Available: https://msm.mitre.org/docs/xccdf-intro-handout.pdf. [Accessed 26 November 2015].
[10] M. Gregg, CISSP Exam Cram 2 (3rd Edition), Pearson Education Inc., 2013, p. 5.
[11] S. Frankel, K. Kent, R. Lewkowski, A. D. Orebaugh, R. W. Ritchey and S. R. Sharma, "Guide to IPsec VPNs - NIST SP 800-77," December 2005. [Online]. Available: http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf. [Accessed 18 September 2015].
[12] Cisco Systems, "IPsec WAN Design Overview," [Online]. Available: https://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008074f22f.pdf. [Accessed 24 September 2015].
[13] Cisco Systems, "Next Generation Encryption," October 2015. [Online]. Available: http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html. [Accessed 26 November 2015].
[14] V. Antonie, R. Bongiorni, A. Borza, P. Bosmajian, D. Duesterhaus, M. Dransfield, B. Eppinger et. al., "Router Security Configuration Guide," 15 December 2005. [Online]. Available: https://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf. [Accessed 22 October 2015].
[15] The MITRE Corporation, "Version 5.10.1 - Test Listing," 2015. [Online]. Available: http://oval.mitre.org/language/version5.10.1/test_listing.html#IOS. [Accessed 26 November 2015].
[16] The MITRE Corporation, "OVAL Definition Tutorial," The MITRE Corporation, 18 January 2011. [Online]. Available: https://oval.mitre.org/language/about/definition.html. [Accessed 01 October 2015].
[17] J. Baker, M. Hansbury and D. Haynes, "The OVAL Language Specification Version 5.10.1," 20 January 2012. [Online]. Available: http://oval.mitre.org/language/version5.10.1/OVAL_Language_Specification_01-20-2012.pdf. [Accessed 25 November 2015].
[18] W. Jackson, "Security Automation: Are humans still relevant?," 24 July 2014. [Online]. Available: http://gcn.com/blogs/cybereye/2014/07/humans-vs-automation.aspx. [Accessed 06 October 2015].
