Using AutoSecure

Problem

You want to secure your router without having to read the whole book.

Solution

To automatically secure the router, use the following command:

Router2#auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]:

Discussion

Beginning with IOS Version 12.3(1), Cisco introduced the autosecure feature to quickly harden router configurations in an automated fashion. Essentially, autosecure disables common router features that might pose a security risk while enabling other IOS features that help harden the router. Once you enter the auto secure command, the router leads you through a series of questions so it can determine how best to secure the router for your environment.

The autosecure feature is excellent for users who have limited knowledge of the Cisco security features or for environments that don't have a well-defined security policy. Be sure to review carefully which services are enabled or disabled so that you fully understand the consequences. Once you've run the autosecure script, you can view the changes it made to the configuration by issuing the show auto secure config command:

Router2#show auto secure config
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no snmp-server community public
no snmp-server community private
banner ^C Test ^C
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 00071A1507545B54
aaa new-model
aaa authentication login local_auth local
line con 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 6
 login authentication local_auth
 transport input telnet
login block-for 5 attempts 5 within 6
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 6
 transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
interface Serial0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
ip cef
Router2#

In this example, you can see that autosecure disabled services such as CDP, finger, SNMP, and the HTTP server. In some environments, disabling CDP can break certain network management platforms, as can disabling inbound SNMP, so be careful when using this feature to ensure that you don't inadvertently affect your network.
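As an added example (not code from the cookbook or from Cisco), the following Python script audits a saved running-config against the global and per-interface lines that appear in the show auto secure config output above, so you can tell whether a router that was supposedly hardened still matches that baseline. The baseline lists and the sample configuration are constructed from this recipe's output, not taken from a real device.

```python
import re

# Global commands from the recipe's 'show auto secure config' output (not exhaustive).
GLOBAL_BASELINE = [
    "no service finger", "no service pad", "no service udp-small-servers",
    "no service tcp-small-servers", "service password-encryption", "no cdp run",
    "no ip bootp server", "no ip http server", "no ip source-route",
    "no ip gratuitous-arps", "security passwords min-length 6",
    "security authentication failure rate 10 log", "aaa new-model",
    "login block-for 5 attempts 5 within 6",
]
# Per-interface commands AutoSecure applied to every interface in that output.
INTERFACE_BASELINE = ["no ip redirects", "no ip proxy-arp", "no ip unreachables",
                      "no ip directed-broadcast", "no ip mask-reply"]

def split_interfaces(config):
    """Map each 'interface X' block to its indented sub-commands, stripped."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or the next global command closes the block
    return blocks

def audit(config):
    """Return sorted findings; an empty list means every baseline line is present."""
    top = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    findings = [f"global: missing '{c}'" for c in GLOBAL_BASELINE if c not in top]
    # AutoSecure removes the well-known 'public' and 'private' communities.
    findings += [f"global: default SNMP community present: '{l}'" for l in top
                 if re.match(r"snmp-server community (public|private)\b", l)]
    for name, lines in split_interfaces(config).items():
        findings += [f"{name}: missing '{c}'" for c in INTERFACE_BASELINE if c not in lines]
    return sorted(findings)

# Constructed sample (not a real device): the baseline minus CDP and HTTP hardening,
# a leftover default SNMP community, and a Serial0/0 block that is only half done.
SAMPLE_CONFIG = "\n".join(
    [c for c in GLOBAL_BASELINE if c not in ("no cdp run", "no ip http server")]
    + ["snmp-server community public RO", "interface FastEthernet0/0"]
    + [" " + c for c in INTERFACE_BASELINE]
    + ["!", "interface Serial0/0", " no ip redirects", " no ip proxy-arp", "!"]
)
```

Running audit(SAMPLE_CONFIG) reports the two missing global lines, the leftover community string, and the three lines Serial0/0 lacks, while a config containing the full baseline returns an empty list.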

Although autosecure is not a magic bullet for hardening Cisco routers, it does a good job of securing the router compared to the default configuration settings. If faced with a choice between having no security features enabled and using the autosecure feature, we recommend using autosecure.

In addition to the default behavior, you can also use a number of keywords to modify the autosecure script. See Table 27-1 for more information.

Table 27-1. Autosecure optional keywords

Keyword         Description
management      Only secure the management plane (e.g., SNMP, logging).
forwarding      Only secure the forwarding plane (e.g., CEF, CBAC, TCP Intercept).
no-interactive  Don't prompt for interactive configurations.
full            Prompt for all interactive configurations (default).
ntp             Configure the NTP service in the autosecure script.
login           Configure the login feature in the autosecure script.
ssh             Enable SSH in the autosecure script.
firewall        Enable the Firewall feature in the autosecure script.
tcp-intercept   Enable TCP Intercept in the autosecure script.
