begood

How to secure a Cisco router


A more accurate title for this article would have been how to increase security on a Cisco border router, but that's too long.

This article assumes some familiarity with Cisco routers. If you're not familiar with Cisco IOS command line interaction, consult reference [2] below, or Cisco documentation.

Thoroughly securing a Cisco router (or any router) is a topic that can require its own book(s) (see the references at the end of this article). I will cover the basics here though: the low-hanging fruit.

Before you begin, keep a copy of your present, working router configuration in pristine condition. Save the edited configuration to a new file. The same goes for IOS code. Make sure you have a full copy of the version you're running before you upgrade.

1. Upgrade IOS. Upgrade to the latest stable code version available for your router. Like other operating systems, Cisco IOS is upgraded for various reasons including to fix security flaws. How to do that is beyond the scope of this article but you can find more info here:

Software Upgrade Procedure - Cisco Systems

2. Generate an rsa crypto-key. If your router code supports cryptography, enter the following commands to create a crypto-key for later use with SSH (if your router does not support cryptography, you will receive an error when you try to enter the commands):

hostname [enter a hostname for your router]
ip domain-name [enter your domain name, i.e. mydomain.com]
crypto key generate rsa

If it works, the router will process the command for a moment and then ask you how many bits the modulus should be. If permitted by your local laws regarding cryptography, enter 1024. If not, enter the largest number you are entitled to use.

3. Disable unneeded services. There are many services that are enabled by default on Cisco routers. Each can provide information an attacker can use. There is a free utility called Yersinia that can be used to obtain Cisco Discovery Protocol (CDP) information over the Internet for example.

Global commands:

no service tcp-small-servers
no service udp-small-servers
no service dhcp
no ip bootp server
no service finger
no ip http server [you may not want to enter this command if you use Adaptive Security Device Manager (ASDM) to manage your router over HTTP]
no ip http secure-server [you may not want to enter this command if you use ASDM to manage your router over HTTPS]
no snmp-server
no cdp run
no service config
no ip gratuitous-arps
no ip source-route
ip options drop

Interface commands (enter these on each interface in use):

no ip directed-broadcast
no ip unreachables
no ip redirects
no ip mask-reply
no ip proxy-arp

In addition to the above, the shutdown command should be applied to interfaces that are not in use.

4. Enable 'good' services. Some beneficial services are not enabled by default. We'll turn them on:

service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime

5. Secure local and remote access.

Console line configuration:

line con 0
 exec-timeout 5 0
 login

Auxiliary line configuration (should be disabled unless needed for remote access):

line aux 0
 no exec
 exec-timeout 0 10
 transport input none

VTY lines (virtual lines for remote access over the network):

line vty 0 4
 exec-timeout 5 0
 login
 transport input telnet ssh

(If you can configure SSH for remote access, it is recommended that you remove the word telnet from the above command and only use SSH for remote access.)

6. Set and secure passwords.

service password-encryption
enable secret 0 [enter your password here]

Console line:

line con 0
 password [enter your password here]

Auxiliary line:

line aux 0
 password [enter your password here]

7. Enable and configure logging. Ideally, logs should be sent to a hardened syslog server so they cannot be tampered with and so they are more permanent. Local logs are deleted whenever the router is rebooted. We will configure local logging here though.

logging on
logging buffered 16000
logging console critical
logging trap informational
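The audit tools mentioned later in the article (RAT, AutoSecure, BRST) essentially compare a saved configuration against a checklist like the one in steps 3 to 7. The following Python script is an added example of that idea and is not part of the original article or of any of those tools: it splits the text of a show running-config into global lines and indented interface/line sections, then reports which of the article's hardening commands are missing. The sample configuration embedded in it is constructed, and the script assumes the hardening lines appear verbatim in the config (as they do once they have been entered), so it does not know about IOS defaults that the running-config omits.

```python
"""Audit a Cisco IOS running-config text against the hardening commands
from steps 3 to 7 of the article.

Added example. The check lists below are the article's own commands, not an
official Cisco or CIS benchmark, and SAMPLE_CONFIG is constructed."""

# Global commands the article says should be present verbatim.
REQUIRED_GLOBAL = [
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no ip bootp server",
    "no service finger",
    "no cdp run",
    "no ip source-route",
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "service password-encryption",
]

# Global lines whose presence means a risky service is still enabled.
FORBIDDEN_GLOBAL_PREFIXES = [
    "ip http server",
    "ip http secure-server",
    "snmp-server community",
]

# Per-interface commands the article applies to every interface in use.
REQUIRED_INTERFACE = [
    "no ip redirects",
    "no ip unreachables",
    "no ip proxy-arp",
]


def parse_config(text):
    """Split a running-config into global lines and indented sections.

    Returns (global_lines, sections); sections maps a header such as
    'interface FastEthernet0/0' or 'line vty 0 4' to its stripped
    sub-command lines. IOS indents sub-commands by one space and uses
    '!' lines as separators.
    """
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw[0] in " \t":
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.rstrip()
        global_lines.append(line)
        if line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
    return global_lines, sections


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, sections = parse_config(text)
    findings = []
    present = set(global_lines)
    for cmd in REQUIRED_GLOBAL:
        if cmd not in present:
            findings.append(f"global: missing '{cmd}'")
    for prefix in FORBIDDEN_GLOBAL_PREFIXES:
        for line in global_lines:
            if line.startswith(prefix):
                findings.append(f"global: '{line}' still enabled")
    if not any(l.startswith("logging buffered") for l in global_lines):
        findings.append("global: no 'logging buffered' configured")
    for header, body in sections.items():
        if header.startswith("interface "):
            if "shutdown" in body:
                continue  # unused interfaces are expected to be shut down
            for cmd in REQUIRED_INTERFACE:
                if cmd not in body:
                    findings.append(f"{header}: missing '{cmd}'")
        elif header.startswith("line vty"):
            if "login" not in body and not any(l.startswith("login ") for l in body):
                findings.append(f"{header}: no login configured")
            transports = [l for l in body if l.startswith("transport input")]
            if any("telnet" in t.split() or t.endswith(" all") for t in transports):
                findings.append(f"{header}: telnet transport allowed")
            if not any(l.startswith("exec-timeout") for l in body):
                findings.append(f"{header}: no exec-timeout")
        elif header.startswith("line aux"):
            if "no exec" not in body:
                findings.append(f"{header}: exec still allowed on aux port")
    return findings


# Constructed sample config: one global and one interface item left undone,
# and telnet still permitted on the VTY lines.
SAMPLE_CONFIG = """\
! constructed sample, not a real device
hostname border-rtr
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
no cdp run
ip http server
logging buffered 16000
!
interface FastEthernet0/0
 description outside
 ip address 192.0.2.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet0/1
 description inside
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
!
interface FastEthernet1/0
 shutdown
!
line aux 0
 no exec
 transport input none
line vty 0 4
 exec-timeout 5 0
 login
 transport input telnet ssh
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it with a real show running-config saved to a file in place of SAMPLE_CONFIG. The checks are deliberately literal string matches, which is why the script treats an interface as compliant only when each command is spelled exactly as the article gives it.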

8. Other measures. Additional measures you can take include:

8.a. Drop bogon and Martian traffic. Bogon addresses are addresses that have not been issued by the IANA, so they should not appear on the Internet. Martians are reserved addresses, and they also should not appear on the Internet. If either does appear, it is either coming from a mis-configured router or device, or it is an attack attempt of some kind (they are fake or 'spoofed' addresses). There are several ways to handle these. Team Cymru's site has more information about bogon and Martian addresses. [3]

8.a.1. Null Routing - You could null route them (create a static mapping sending all bogon and Martian addresses not in use on the router to the null interface). This is my favorite method. It drops the traffic with minimal processing.

8.a.2. Use Access Control Lists (ACLs) - Set up an ACL to drop and log each violation. Although this method provides more information, it also uses up more processing power. Since one reason you may receive spoofed packets is in conjunction with a Denial of Service (DoS) attack of some kind, it seems prudent to minimize the burden on the processor, hence the suggested method above.

8.a.3. Verify unicast reverse-path - To use this method, configure Cisco Express Forwarding globally using the ip cef command, then run the command ip verify unicast reverse-path on each interface that faces the Internet. Although easy to configure, and easy on the processor, I'm not sure how well it works with a single static default route as is the case for most small organizations. I'd like to hear the thoughts of some of you Cisco pros out there about whether it works on a small network (i.e. one not running Border Gateway Protocol (BGP)).
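Methods 8.a.1 and 8.a.2 both start from the same prefix list, and both have a detail that is easy to get wrong: a static route takes a dotted netmask, while an ACL entry takes a wildcard (inverse) mask, and any bogon that overlaps address space the router actually uses must be left out or the LAN gets black-holed. The following Python script is an added example, not part of the article or of Team Cymru's template, that generates the IOS statements for both methods from a short constructed subset of reserved prefixes (fetch the maintained list from Team Cymru for real use) and skips prefixes that overlap assumed local networks.

```python
"""Generate IOS statements for dropping bogon/Martian source prefixes:
static routes to Null0 (8.a.1) and an extended ACL with logging (8.a.2).

Added example. BOGONS is a constructed subset for illustration, not the
current bogon list, and the local prefixes passed in are assumed values."""
import ipaddress

# Constructed subset of reserved/Martian space, for illustration only.
BOGONS = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "172.16.0.0/12",
    "192.0.2.0/24",
    "192.168.0.0/16",
    "224.0.0.0/3",
]


def usable_prefixes(bogons, local_prefixes):
    """Return the bogons as ip_network objects, minus any that overlap
    address space the router itself uses (e.g. an inside LAN in 10/8)."""
    local = [ipaddress.ip_network(p) for p in local_prefixes]
    kept = []
    for b in bogons:
        net = ipaddress.ip_network(b)
        if any(net.overlaps(l) for l in local):
            continue  # null-routing this would cut off our own network
        kept.append(net)
    return kept


def null_routes(bogons, local_prefixes):
    """8.a.1: static routes to Null0. IOS static routes use a netmask."""
    return [f"ip route {n.network_address} {n.netmask} Null0"
            for n in usable_prefixes(bogons, local_prefixes)]


def ingress_acl(bogons, local_prefixes, name="BOGON-IN"):
    """8.a.2: named extended ACL that drops and logs spoofed sources.

    ACL entries use a wildcard mask (the inverse of the netmask); copying
    the netmask form from the static routes is a common mistake.
    """
    lines = [f"ip access-list extended {name}"]
    for n in usable_prefixes(bogons, local_prefixes):
        lines.append(f" deny ip {n.network_address} {n.hostmask} any log")
    lines.append(" permit ip any any")  # keep the rest of the traffic flowing
    return lines


if __name__ == "__main__":
    # Assumed local prefixes: the inside LAN of a small office.
    local = ["10.0.0.0/24"]
    print("! 8.a.1 null routes")
    print("\n".join(null_routes(BOGONS, local)))
    print("! 8.a.2 ingress ACL (apply with 'ip access-group BOGON-IN in')")
    print("\n".join(ingress_acl(BOGONS, local)))
```

The ACL is applied inbound on the Internet-facing interface with ip access-group BOGON-IN in; the null routes need no interface binding, which is why they cost the router so little. Note that the generated ACL ends with permit ip any any only so the example is self-contained; on a real border router it would be merged into the existing ingress filter from 8.c.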

8.b. Configure Authentication, Authorization and Accounting (AAA) - Configure the American Automotive Association... Just seeing if you're still awake!

Configure AAA, even if it is only used locally. It allows for more granularity of access and logging of activities. You can, for example, have a log entry created for each command a user enters. Very handy for finding configuration mistakes or typos, or for correcting the nastiness of an intruder.

aaa new-model
aaa authentication login default local
aaa authorization commands 15 default local

8.c. Access Control Lists - Control the flow of traffic through the router with ACLs. For example, traffic from the inside interface of the router should not come in to the router from the Internet. Filter for that using an ACL. ACL configuration has to be done for your specific network. See references [3] and [4] below for more.

9. Why this article? Quite often, at the end of a 'teaser' article like this, the author tries to sell you something. I'm not selling you anything! I want to make the Internet a safer place, and I want to make that easy for you.

There are several free utilities that can help you secure your router including:

Router Audit Tool (RAT):

Router Audit Tool (RAT) .: CIS Knowledge Base

Cisco AutoSecure:

AutoSecure

and my project,

BRST - Border Router Security Tool, SourceForge

https://sourceforge.net/projects/borderroutersec/

Of the three listed above, only the BRST is open source. RAT is available for free, but is proprietary. Cisco AutoSecure is 'free' but is not available for all router models and IOS versions and is proprietary.

Compare, contrast, play, provide feedback on all three. Use great caution on production routers though!

Thanks for your time!

[1] NSA/SNAC Router Security Configuration Guide, Executive Summary

http://www.nsa.gov/ia/_files/routers/cisco_exec_sum.pdf

[2] NSA/SNAC Router Security Configuration Guide 1.1c

http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf

[3] Secure IOS Template v6.2 01 Feb 2010, Team Cymru

Secure IOS Template v6.2 01 FEB 2010 deitrich noc@cymru.com

[4] Cisco IOS Security Configuration Guide, Release 12.4

Cisco IOS Security Configuration Guide, Release 12.4 [support] - Cisco Systems

[5] Hardening Cisco Routers, By Thomas Akin, O'Reilly, 2002

[6] BRST - Border Router Security Tool, SourceForge Project

https://sourceforge.net/projects/borderroutersec/

[7] BRST - Border Router Security Tool Questionnaire, SourceForge

BRST - Border Router Security Tool Questionnaire

source : https://www.infosecisland.com/blogview/3309-How-to-secure-a-Cisco-router.html
