Locking Down the Router

This section begins by identifying router services that are susceptible to attack and by explaining how security can be compromised by various router management services. You will learn two approaches for hardening a Cisco IOS router against attacks:

■ Using Cisco SDM's One-Step Lockdown feature

■ Using the auto secure CLI command

Identifying Potentially Vulnerable Router Interfaces and Services

One of the most obvious steps to secure a router is to administratively shut down any unused router interfaces using the shutdown command in interface configuration mode. Another approach to securing a router involves turning off unneeded services.

Fortunately, hardening a router against attack does not require a thorough understanding of how an attacker can compromise router security through specific services. However, you should be acquainted with the services that are potentially running on your router, which might or might not be needed. If a service is not needed, typically it should be disabled to prevent it from inadvertently becoming a security hole. Table 5-2 provides an overview of several services and features available on many Cisco IOS routers.

Table 5-2 Cisco IOS Features

| IOS Feature | Description |
|---|---|
| Bootstrap protocol (BOOTP) server | Allows a router to serve as a BOOTP server for other routers |
| Cisco Discovery Protocol (CDP) | A Layer 2 protocol that permits adjacent Cisco devices to learn information about one another (for example, protocol and platform information) |
| Configuration autoloading | Supports a router loading its configuration information from a network server |
| FTP server | Causes a router to act as an FTP server for file transfer |
| TFTP server | Permits a router to act as a TFTP server, which does not require authentication |
| Network Time Protocol (NTP) | Allows a router to act as a time source for other network devices |
| Packet Assembler/Disassembler (PAD) | Permits access to X.25 commands |
| TCP/UDP minor services | Allows various daemons to be used for diagnostics |
| Maintenance Operation Protocol (MOP) | Used as a maintenance protocol in a Digital Equipment Corporation (DEC) environment |
| Simple Network Management Protocol (SNMP) | Allows a router to communicate with an SNMP-speaking network management station |
| HTTP/HTTPS configuration and monitoring | Supports the monitoring and configuration of a router via a web interface (for example, the Cisco SDM interface) |
| Domain Name Service (DNS) | Allows a router to send DNS queries for name-to-IP address resolution |
| Internet Control Message Protocol (ICMP) redirects | Tells a router to send an ICMP redirect message in case the router resends a packet out the same interface the packet was received on |
| IP source routing | Permits the sender of a packet to dictate the route that the packet will take to its destination |
| Finger service | Displays users currently logged into a router |
| ICMP unreachable notifications | Notifies the sender of a packet if the packet was destined for an invalid destination |
| ICMP mask | Causes a router to send an ICMP mask reply message, which contains an interface's IP address mask, in response to an ICMP mask request |
| IP identification service | Identifies the initiator of a TCP connection to the other party in the connection |
| TCP keepalives | Helps a router close inactive TCP connections |
| Gratuitous ARP | Allows a router to accept replies to Address Resolution Protocol (ARP) requests that the router did not request |
| Proxy ARP | Supports a router functioning as a Layer 2 bridge by responding to ARP requests on behalf of another network device (for example, a network server) |
| IP-directed broadcast | Allows a router to propagate a broadcast message originating in one subnet and destined for another subnet |

NOTE SNMP version 1 and SNMP version 2c use community strings for authentication. These community strings, which are often set to a default of "public" (which provides read access) and "private" (which provides read-write access), are sent in clear text, and SNMPv1 and SNMPv2c can easily be spoofed. Therefore, Cisco recommends that SNMP be disabled. However, if SNMP is needed, Cisco recommends using SNMP version 3, which is more secure. Specifically, SNMP version 3 offers authentication, encryption, and access control features.

NOTE Although Cisco SDM supports either HTTP or HTTPS, Cisco recommends using HTTPS, because HTTPS encrypts the data exchanged between a router and the Cisco SDM workstation. For additional security, access to a router's HTTPS service can be limited by an access control list (ACL), which can restrict the subnet(s) allowed to access a router via HTTPS.

NOTE By default, when a Cisco IOS router sends a DNS name query, the router sends the query to a broadcast address of 255.255.255.255. Attackers could leverage this default behavior by pretending to be a DNS server and responding to the router's name queries with incorrect information.

Locking Down a Cisco IOS Router

Next, consider how you can follow the Cisco best-practice recommendations for disabling services and further securing a router. Instead of individually enabling or disabling selected services, you can use one of two automated approaches that Cisco offers, as summarized in Table 5-3.

Table 5-3 Methods for Locking Down a Cisco Router

| Method | Configuration |
|---|---|
| AutoSecure | The AutoSecure IOS feature is invoked by issuing the auto secure command from the CLI. |
| Cisco SDM One-Step Lockdown | The Cisco SDM One-Step Lockdown method for securing a router uses a wizard in the Cisco SDM graphical interface. |

AutoSecure

The AutoSecure feature can be enabled from privileged EXEC mode by issuing the auto secure command, as shown in Example 5-1.

Example 5-1 Enabling AutoSecure

R1# auto secure
--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed explanation of how the configuration changes enhance security and any possible side effects, please refer to Cisco.com for Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]:

Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    192.168.0.29    YES NVRAM  up                    up
FastEthernet0/1    172.16.2.1      YES NVRAM  up                    up
Serial1/0          172.16.1.1      YES NVRAM  up                    up
Serial1/1          unassigned      YES NVRAM  administratively down down
Serial1/2          unassigned      YES NVRAM  administratively down down
Serial1/3          unassigned      YES NVRAM  administratively down down

Enter the interface name that is facing the internet: FastEthernet0/1

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements.

Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this device.
All activities performed on this device are logged.
Any violations of access policy will result in disciplinary action.

Enter the security banner {Put the banner between k and k, where k is any character}:
%
WARNING: This router is the property of Cisco Press.
Any unauthorized access is monitored. Violators will be prosecuted.

Enter the new enable password:
Confirm the enable password:

Configuring AAA local authentication
Configuring Console, Aux and VTY lines for local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected: 30
Maximum Login failures with the device: 3
Maximum time period for crossing the failed login attempts: 10

Configure SSH server? [yes]:
Enter the domain-name: ciscopress.com

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected to internet

Configure CBAC Firewall feature? [yes/no]: yes

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C
WARNING: This router is the property of Cisco Press.
Any unauthorized access is monitored. Violators will be prosecuted.
^C
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 095F4B0A0B0003022B1F17
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
login block-for 30 attempts 3 within 10
ip domain-name ciscopress.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface Serial1/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial1/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial1/2
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial1/3
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
ip cef
access-list 100 permit udp any any eq bootpc
interface FastEthernet0/1
ip verify unicast source reachable-via rx allow-default 100
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface FastEthernet0/1
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in

Apply this configuration to running-config? [yes]:

Applying the config generated to running-config
The name for the keys will be: R1.ciscopress.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

NOTE In Example 5-1, the administrator is prompted for a variety of input. However, adding the no-interact option to the end of the auto secure command eliminates this interactivity and simply applies default configurations without any further prompts.
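After AutoSecure (or One-Step Lockdown) has run, a practitioner wants to confirm that the lockdown actually landed in the running configuration. The following script is an added example, not code from the book or from Cisco: it parses a running-config and reports which of the global and per-interface hardening lines AutoSecure generated in Example 5-1 are absent, and flags any SNMPv1/v2c community string. The sample configuration is constructed for the example.

```python
import re
# Global lines AutoSecure generated in Example 5-1 (management plane).
GLOBAL_HARDENING = [
    "no service finger", "no service pad", "no service udp-small-servers",
    "no service tcp-small-servers", "service password-encryption", "no cdp run",
    "service tcp-keepalives-in", "service tcp-keepalives-out", "no ip bootp server",
    "no ip http server", "no ip source-route", "no ip gratuitous-arps", "no ip identd"]
# Lines AutoSecure applied under every interface in Example 5-1.
INTERFACE_HARDENING = ["no ip redirects", "no ip proxy-arp", "no ip unreachables",
                       "no ip directed-broadcast", "no ip mask-reply"]

def parse_config(text):
    # Split running-config text into global commands and per-interface command sets.
    global_lines, interfaces, current = set(), {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = set()
        elif line.startswith(" ") and current:  # indented: inside that interface
            interfaces[current].add(line.strip())
        else:                                   # global command or '!' separator
            current = None
            global_lines.add(line.strip())
    return global_lines, interfaces

def audit(text):
    # Sorted findings: hardening lines absent, plus any SNMPv1/v2c community string.
    global_lines, interfaces = parse_config(text)
    findings = [f"global: missing '{c}'" for c in GLOBAL_HARDENING if c not in global_lines]
    for name, lines in interfaces.items():
        findings += [f"{name}: missing '{c}'" for c in INTERFACE_HARDENING if c not in lines]
    for line in global_lines:
        m = re.match(r"snmp-server community (\S+)", line)
        if m:  # community strings travel in clear text (see the SNMP note above)
            findings.append(f"global: SNMPv1/v2c community '{m.group(1)}' configured")
    return sorted(findings)

# Constructed sample running-config (not from the book): partly hardened on purpose.
SAMPLE_CONFIG = """\
service password-encryption
no service pad
no ip source-route
ip http server
snmp-server community public RO
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
"""
```

IOS does not display settings that match their platform defaults, so an absent line is a prompt to verify the service state with show commands rather than proof that the service is enabled.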

Cisco SDM One-Step Lockdown

Most of the actions performed by the AutoSecure feature can be configured graphically using Cisco SDM's One-Step Lockdown feature. The following steps describe how to configure One-Step Lockdown:

Step 1 Click the Configure button in the Cisco SDM interface, as shown in Figure 5-1.

Figure 5-1 Entering the Cisco SDM Configure Screen (callout: Configure Menu Button)

Step 2 Click the Security Audit button in the Tasks pane, as shown in Figure 5-2.

Figure 5-2 Selecting the Security Audit Task (callout: Security Audit Button)

Step 3 Click the One-step lockdown button, as shown in Figure 5-3.

Figure 5-3 Initiating a Security Audit (callout: One-Step Lockdown Button)

Step 4 Click the Yes button on the SDM Warning screen, as shown in Figure 5-4. The warning explains how to undo some of the settings about to be applied by the One-Step Lockdown feature.

Figure 5-4 SDM Warning Window (callout: Lockdown Confirmation)

Step 5 After the One-Step Lockdown feature generates a set of recommended security settings, click the Deliver button, as shown in Figure 5-5, to apply the recommended configuration to the router.

Figure 5-5 Delivering a Recommended Configuration to the Router (callout: Prompt to Send Configuration to Router)

Step 6 Click the OK button after the recommended commands are delivered to the router, as shown in Figure 5-6.

Figure 5-6 Completing the One-Step Lockdown Process (callout: Acknowledgement of Configuration Delivery)

Be aware that Cisco SDM's One-Step Lockdown feature does not perform all the same actions as the Cisco AutoSecure feature. Following are a few distinctions to keep in mind:

■ One-Step Lockdown does not support the disabling of NTP.

■ One-Step Lockdown does not support the configuration of AAA.

■ One-Step Lockdown does not support the setting of Selective Packet Discard (SPD) values.

■ One-Step Lockdown does not support the enabling of TCP intercepts.

■ One-Step Lockdown does not configure antispoofing ACLs.

■ Although One-Step Lockdown does support the disabling of SNMP, it does not support the configuration of SNMP version 3.

■ Although One-Step Lockdown supports the configuration of Secure Shell (SSH) access, it does not support the enabling of Service Control Point or the disabling of other access services and file transfer services (for example, FTP).
