Routine Security Measures
Now that we have examined how to protect enable mode, it's time to look at securing the rest of the router. If the router is directly connected to the Internet, there are many, many security items we need to review. If the router is connected to a neighbor's network that is not fully trusted, there are still quite a few security items to consider. In this section, we'll review features that should be disabled or enabled for security reasons.
15.2.1. Features to Disable
A gateway router is the most vulnerable to attacks, especially if it sits outside your firewall. Table 15-1 lists a number of services that should be disabled to heighten security. The Level column shows whether the command is part of the global configuration or needs to be applied to specific interfaces.
| Command | Level | Resulting action |
|---|---|---|
| no cdp enable | Interface | Disables CDP at the interface level. You don't want untrusted networks to learn any extra information about your router. CDP is very helpful, so disable it only on interfaces that are connected to untrusted networks. |
| no ip proxy-arp | Interface | Keeps the router from answering ARP requests on behalf of other hosts (proxy ARP). |
| no ip directed-broadcast | Interface | Disables translation of directed broadcasts into physical broadcasts. |
| no ip unreachables | Interface | Disables ICMP unreachable messages on an interface. |
| no ip redirects | Interface | Disables redirect messages. A redirect message is sent to another device when a datagram goes out over the same interface through which it was received. The redirect tells the sending host that it should have been able to reach the destination without going through the router. Redirects have played a role in a number of attacks, so it's safest to disable them. |
| no ip source-route | Global | Causes the router to discard any packet carrying source-route information. Presumably, we don't want hosts telling our router how to route the traffic. |
| no service finger | Global | Disables the finger daemon on the router. Finger has always been a source of problems; it lets attackers know who is logged in and provides the user's real username. Now all they need is a password! |
| no service udp-small-servers; no service tcp-small-servers | Global | Disables all small UDP and TCP services on your router (echo, chargen, and some others). These are services that outsiders shouldn't see anyway. |
15.2.2. Features to Enable
As we said before, a gateway router, one that connects to the Internet or to another untrusted network, needs more security than an internal router. In the previous section, we looked at features to disable in order to increase security.
Table 15-2 lists the features you might want to enable on your router.
| Command | Level | Resulting action |
|---|---|---|
| exec-timeout | Line | Terminates idle VTY sessions. The default is 10 minutes. |
| ip http authentication; ip http access-class | Global | If you are using HTTP configuration on the router, you should protect it with authentication and an access list that restricts which machines can reach the HTTP server. Or, even easier, you can shut down HTTP configuration altogether with the no ip http command. |
| ip verify unicast reverse-path | Interface | Verifies that the return path to a packet's source address is through the interface on which the packet arrived. This attempts to stop IP address spoofing. However, be careful; it can cause problems in networks with asymmetric paths. (Requires CEF; see Chapter 17 for more details.) |
| ip route 0.0.0.0 0.0.0.0 null 0 255 | Global | A static route that quickly discards packets with invalid destinations. |
| scheduler-interval; scheduler allocate | Global | Reserves CPU time for important router processes during packet floods. |
| service password-encryption | Global | Obscures the passwords shown in the configuration; this is only weak protection. |
| service tcp-keepalives-in | Global | Attempts to terminate orphaned or inactive sessions to the router. |
| snmp-server community | Global | For years, people have been using "public" and "private" as their SNMPv1 passwords. Set both the read and write community strings to something unique. Or, better yet, use SNMPv3. |
| spanning-tree portfast | Switch interfaces | If you know a switch port is always going to be connected to an end-user device, you can configure this command, which keeps the port from going through spanning tree. Although this isn't technically a security command, it does provide a degree of switch security by keeping users from starting an STP cycle. |
| transport input | Line | Controls which protocols can be used to connect to VTY or TTY ports. (Use SSH, as described later in this chapter.) |
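One way to turn Tables 15-1 and 15-2 into a check you can run over a saved running-config, as an added example that is not from the book. The sample config, the untrusted-interface list and the function names are assumptions; because the script looks only for explicit lines, a feature that is already at its secure default and therefore not printed in the config will be reported as missing.

```python
# Added example, not from the book: audit a running-config against Tables 15-1/15-2.
SAMPLE_CONFIG = """\
service password-encryption
no service finger
no service udp-small-servers
no ip source-route
interface Ethernet0/0
 ip address 192.168.0.100 255.255.255.0
 no ip redirects
interface Loopback0
line vty 0 4
 transport input telnet ssh
"""  # constructed sample; addresses match the AutoSecure transcript later in the chapter
GLOBAL_REQUIRED = ["no service finger", "no service udp-small-servers",
                   "no service tcp-small-servers", "no ip source-route",
                   "service password-encryption", "service tcp-keepalives-in"]
UNTRUSTED_IF_REQUIRED = ["no cdp enable", "no ip proxy-arp", "no ip directed-broadcast",
                         "no ip unreachables", "no ip redirects", "ip verify unicast reverse-path"]

def parse_config(text):
    # Top-level commands go to `top`; indented sub-commands go to their interface/line block.
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        current = raw.strip() if raw.startswith(("interface ", "line ")) else None
        if current is not None:
            blocks[current] = []
        else:
            top.append(raw.strip())
    return top, blocks

def audit(text, untrusted_interfaces):
    # Returns missing checklist items keyed by "global", each untrusted interface, and each vty line.
    top, blocks = parse_config(text)
    missing = {"global": [c for c in GLOBAL_REQUIRED if c not in top]}
    for name, cmds in blocks.items():
        if name in ["interface " + i for i in untrusted_interfaces]:
            missing[name] = [c for c in UNTRUSTED_IF_REQUIRED if c not in cmds]
        elif name.startswith("line vty"):
            gaps = [] if any(c.startswith("exec-timeout") for c in cmds) else ["exec-timeout"]
            inputs = [c.split()[2:] for c in cmds if c.startswith("transport input")]
            if not inputs or any(t != ["ssh"] for t in inputs):  # telnet still allowed
                gaps.append("transport input ssh")
            missing[name] = gaps
    return missing
```

Trusted interfaces (Loopback0 in the sample) are left out of the report on purpose, since the table says to disable CDP only on untrusted ones.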
15.2.2.1. Deny local IP addresses coming from outside
If we get a packet from outside our network that bears a local (private) IP address (see RFC 1918), we know that, at best, it's invalid and, at worst, it's forged. Either way, we should drop such packets. A simple access list will throw these away:
```
! See warning about this list in the next paragraph
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 permit ip any any
!
interface serial 1
 ip access-group 110 in
```
This access list is just an example of denying the local IP addresses. As a security example, however, it is extremely deficient because it allows all other traffic into our network. For a real example of a decent access list on your edge router, see "Building a Gateway Router" in Chapter 7.
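The list above evaluated in software against a few constructed source addresses, as an added example that is not from the book. It applies the wildcard masks the way IOS does (a 1 bit means "don't care") and shows both the /12 reach of 0.15.255.255 and why the final permit lets everything else through; the function names and the 203.0.113.7 test address are assumptions.

```python
import ipaddress

# Added example, not from the book: the RFC 1918 ingress list from the text.
ACL_TEXT = """\
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 permit ip any any
"""

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC WILD any' lines; destinations are ignored here."""
    aces = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 5 or p[0] != "access-list" or p[2] not in ("permit", "deny"):
            continue
        aces.append((p[2], "0.0.0.0", "255.255.255.255") if p[4] == "any" else (p[2], p[4], p[5]))
    return aces

def evaluate(aces, src_addr):
    """First matching entry wins; IOS appends an implicit deny to every list."""
    for action, net, wild in aces:
        if wildcard_match(src_addr, net, wild):
            return action
    return "deny"

def wildcard_to_prefix(wildcard):
    """Contiguous wildcard -> CIDR prefix length, e.g. 0.15.255.255 -> 12 (172.16.0.0/12)."""
    return 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()

ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for src in ("172.20.1.5", "172.32.0.1", "10.200.3.4", "203.0.113.7"):
        print(src, "->", evaluate(ACL, src))
```

Dropping the last entry (ACL[:3]) shows the implicit deny: with no permit, even a legitimate external source is discarded.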
15.2.2.2. Use a warning banner
To properly secure a machine, you need to supply a warning banner. The banner doesn't actually do anything to protect the router, but it does warn people who are connecting to the router that unauthorized access is taken seriously. That way, they can't use the excuse that they didn't know. It's a good idea to ask for legal help in crafting an appropriate message.
The following commands create a warning banner:
```
! Apply a warning banner.
! Seek legal advice to craft a banner to properly protect your network
banner login ^C
#### WARNING ####
Authorized Access ONLY!
All connections are logged and monitored.
Any unauthorized use will be prosecuted to the fullest extent of the law.
If you do not agree to these conditions, disconnect now.
^C
```
15.2.3. AutoSecure: Letting the Router Do the Work
With the release of IOS 12.3, Cisco provides a command that essentially locks down your router in one step. When you run the auto secure command, the router asks a series of questions and then modifies the configuration as it sees fit, applying as many security enhancements as it can.
```
Router#auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router but it will not make router absolutely secure
from all security attacks ***

All the configuration done as part of AutoSecure will be
shown here. For more details of why and how this configuration
is useful, and any possible side effects, please refer to Cisco
documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: yes
Enter the number of interfaces facing internet [1]: 1

Interface      IP-Address       OK? Method Status   Protocol
Ethernet0/0    192.168.0.100    YES NVRAM  up       up
Loopback0      192.168.1.1      YES NVRAM  up       up
Enter the interface name that is facing internet: ethernet0/0

Securing Management plane services..

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Enter the new enable password:
Confirm the enable password:

Configuring aaa local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport

Securing device against Login Attacks
...
```
This sample is only a small portion of the command's output. To review the output later, use the command show auto secure config, which displays all the configuration changes that AutoSecure made on the router. For a production router, I don't recommend running this command. But if you have a new router, you might want to use AutoSecure as a starting point for your new configuration. That way, you know you'll be starting out with the most secure router configuration possible.
To see the entire list of what AutoSecure will configure on your router, see Cisco's AutoSecure web page at http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_feature_guide09186a008017d101.html#wp1027184.