
Locking Down the Router

Cisco routers are initially deployed with services that are enabled by default. This section discusses the Cisco configuration settings that you should consider changing on your routers, especially on your perimeter routers, to improve security. The list of configuration settings discussed is not exhaustive, and it cannot be substituted for understanding on your part; it is meant to be a reminder of some of the things that are sometimes forgotten. Many of the services that you can enable on Cisco routers require careful security configuration. However, this section describes services that are enabled by default, or that are almost always enabled by users, and that might need to be disabled.

Consideration of these services is particularly important because some of the default settings in Cisco IOS Software are there for historical reasons; they made sense when they were chosen but would probably be different if new defaults were chosen today. Other defaults make sense for most systems but can create security exposures if they are used in devices that form part of a network perimeter defense. Still other defaults are actually required by standards but are not always desirable from a security point of view.

Vulnerable Router Services and Interfaces

Cisco routers support many network services that may not be required in certain enterprise networks. The services that are listed here have been chosen for their vulnerability to malicious exploitation. These are the router services most likely to be used in network attacks. For ease of learning, the services are grouped as follows:

  • Disable unnecessary services and interfaces

    • Router interfaces: You should limit unauthorized access to the router and the network by disabling unused open router interfaces.

    • Bootstrap Protocol (BOOTP) server: This service is enabled by default. This service allows a router to act as a BOOTP server for other routers. This service is rarely required and should be disabled.

    • Cisco Discovery Protocol: This service is enabled by default. Cisco Discovery Protocol is used primarily to obtain protocol addresses of neighboring Cisco devices and to discover the platforms of those devices. Cisco Discovery Protocol is media and protocol independent and runs on most equipment manufactured by Cisco, including routers, access servers, switches, and IP phones. This service should be disabled globally or on a per-interface basis if it is not required.

    • Configuration autoloading: This service is disabled by default. Autoloading of configuration files from a network server should remain disabled when not in use by the router.

    • FTP server: This service is disabled by default. The FTP server enables you to use your router as an FTP server for FTP client requests. Because it allows access to certain files in the router flash memory, this service should be disabled when it is not required.

    • TFTP server: This service is disabled by default. The TFTP server enables you to use your router as a TFTP server for TFTP clients. This service should be disabled when it is not in use, because it allows access to certain files in the router flash memory.

    • Network Time Protocol (NTP) service: This service is disabled by default. When NTP is enabled, the router acts as a time server for other network devices. If NTP is configured insecurely, an attacker can use it to corrupt the router clock and potentially the clock of other devices that learn time from the router. Correct time is essential for setting proper time stamps for IPsec encryption services, log data, and diagnostic and security alerts. If this service is used, restrict which devices have access to NTP. Disable this service when it is not required.

    • Packet Assembler/Disassembler (PAD) service: This service is enabled by default. The PAD service allows access to X.25 PAD commands when forwarding X.25 packets. This service should be explicitly disabled when not in use.

    • TCP and UDP minor services: These services are enabled in Cisco IOS Software before Release 11.3 and disabled in Cisco IOS Software Release 11.3 and later. The minor services are provided by small servers (daemons) running in the router. They are potentially useful for diagnostics but are rarely used. Disable these services explicitly.

    • Maintenance Operation Protocol (MOP) service: This service is enabled on most Ethernet interfaces. MOP is a Digital Equipment Corp. (DEC) maintenance protocol that should be explicitly disabled when it is not in use.

  • Disable and restrict commonly configured management services

    • SNMP: This service is enabled by default. The SNMP service allows the router to respond to remote SNMP queries and configuration requests. If required, restrict which SNMP systems have access to the router SNMP agent and use SNMPv3 whenever possible, because this version offers secure communication not available in earlier versions of SNMP. Disable this service when it is not required.

    • HTTP or HTTPS configuration and monitoring: The default setting for this service is Cisco device dependent. This service allows the router to be monitored or have its configuration modified from a web browser via an application such as the Cisco SDM. You should disable this service if it is not required. If this service is required, restrict access to the router HTTP or HTTPS service using ACLs.

    • DNS: This client service is enabled by default. By default, Cisco routers broadcast name requests to 255.255.255.255. Restrict this service by disabling it when it is not required. If the DNS lookup service is required, ensure that you set the DNS server address explicitly.

  • Ensure path integrity

    • Internet Control Message Protocol (ICMP) redirects: This service is enabled by default. ICMP redirects cause the router to send ICMP redirect messages whenever the router is forced to resend a packet through the same interface on which it was received. Attackers can use this information to redirect packets to an untrusted device. This service should be disabled when it is not required.

    • IP source routing: This service is enabled by default. The IP protocol supports source routing options that allow the sender of an IP datagram to control the route that a datagram will take toward its ultimate destination and, generally, the route that any reply will take. An attacker can exploit these options to bypass the intended routing path and security of the network. Also, some older IP implementations do not process source-routed packets properly, and it may be possible to crash machines running these implementations by sending datagrams with source routing options. Disable this service when it is not required.

  • Disable probes and scans

    • Finger service: This service is enabled by default. The finger protocol (port 79) allows users throughout the network to obtain a list of the users currently using a particular device. The information that is displayed includes the processes running on the system, the line number, connection name, idle time, and terminal location. This information is provided through the Cisco IOS Software show users EXEC command. This command will also display the usernames of those that authenticate via AAA. Unauthorized persons can use this information for reconnaissance attacks. Disable this service when it is not required.

    • ICMP unreachable notifications: This service is enabled by default. This service notifies senders of invalid destination IP networks or specific IP addresses. This information can be used to map networks and should be explicitly disabled on interfaces to untrusted networks.

    • ICMP mask reply: This service is disabled by default. When this service is enabled, it tells the router to respond to ICMP mask requests by sending ICMP mask reply messages containing the interface IP address mask. This information can be used to map the network, and this service should be explicitly disabled on interfaces to untrusted networks.

  • Ensure terminal access security

    • IP identification service: This service is enabled by default. The identification protocol (specified in RFC 1413, Identification Protocol) reports the identity of a TCP connection initiator to the receiving host. An attacker can use this data to gather information about your network, and this service should be explicitly disabled.

    • TCP keepalives: This service is disabled by default. TCP keepalives help "clean up" TCP connections where a remote host has rebooted or otherwise stopped processing TCP traffic. Keepalives should be enabled globally to manage TCP connections and prevent certain DoS attacks.

  • Disable gratuitous and proxy Address Resolution Protocol (ARP)

    • Gratuitous ARP (GARP): This service is enabled by default. GARP is the main mechanism that is used in ARP poisoning attacks. You should disable gratuitous ARPs on each router interface unless this service is needed.

    • Proxy ARP: This service is enabled by default. This feature configures the router to act as a proxy for Layer 2 address resolution. You should disable this service unless the router is being used as a LAN bridge.

  • Disable IP-directed broadcast

This service is enabled in Cisco IOS Software before Release 12.0 and is disabled in Cisco IOS Software Release 12.0 and later. IP-directed broadcasts are used in the common and popular Smurf DoS attacks and other related attacks. You should disable this service when it is not required.

Management Service Vulnerabilities

SNMP is a network protocol that provides a facility for managing the network devices through an NMS. SNMP is widely used for router monitoring and is frequently used for making changes to a router configuration. However, SNMPv1, which is the most commonly used version of SNMP, is often a security risk for the following reasons:

  • SNMPv1 and SNMPv2 use authentication strings called community strings, which are stored and sent across the network in plaintext. Most SNMP implementations send these strings repeatedly as part of periodic polling.

  • SNMPv1 is easily spoofed.

Because SNMP can retrieve a copy of the network routing table, and other sensitive network information, it is recommended that you disable SNMPv1 and SNMPv2 if your network does not require it, or use SNMPv3, which has much stronger security mechanisms.
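To make "sent across the network in plaintext" concrete, the following Python decoder (an added example, not code from the chapter or from Cisco) parses the BER header of an SNMP message exactly as a passive monitoring sensor on the management network would. For SNMPv1 and SNMPv2c it returns the community string and the requested OIDs straight from the packet bytes; for SNMPv3 the community field does not exist, so there is nothing to recover. Both packets are constructed inline; the v3 one is a truncated header (version and msgGlobalData only) that is sufficient for the version check and nothing more.

```python
"""Decode the SNMPv1/v2c message header that a passive sensor sees on UDP/161.
Added example, not Cisco code. It shows why the text calls the community string
plaintext: it is an unencrypted OCTET STRING immediately after the version field."""


def _read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn BER OID content octets into dotted notation."""
    first = raw[0]
    arcs = [first // 40, first % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_snmp(packet):
    """Return (version, community, pdu_tag, oids) for the message in packet.

    version 0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3. For v3 the second element is
    msgGlobalData rather than a community, so the remaining fields are None."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    _, ver, pos = _read_tlv(body, 0)
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:
        return version, None, None, None
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    # PDU: request-id, error-status, error-index, then the VarBindList SEQUENCE
    p = 0
    for _ in range(3):
        _, _, p = _read_tlv(pdu, p)
    _, varbinds, _ = _read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = _read_tlv(varbinds, q)
        _, oid, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid))
    return version, community.decode("ascii", "replace"), pdu_tag, oids


def plaintext_community_exposed(packet):
    """True when the message carries a community string on the wire (v1 or v2c)."""
    return parse_snmp(packet)[0] in (0, 1)


# Constructed v1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
V1_GET = bytes.fromhex(
    "3026 020100 040670 75626c6963 a019 020101 020100 020100"
    "300e 300c 0608 2b06010201010100 0500"
)
# Constructed, truncated v3 header: version plus msgGlobalData only. Security
# parameters and the scoped PDU are omitted because the decoder never reads them.
V3_HDR = bytes.fromhex("3012 020103 300d 020101 0202ffff 040104 020103")

if __name__ == "__main__":
    for name, pkt in (("v1", V1_GET), ("v3", V3_HDR)):
        print(name, parse_snmp(pkt), "community exposed:", plaintext_community_exposed(pkt))
```

Run against a capture of management-network traffic, `plaintext_community_exposed` is a simple way to confirm that no v1/v2c polling remains after a migration to SNMPv3; the community string it returns is exactly what anyone on the path between the NMS and the router also receives.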

Most Cisco IOS Software releases support remote configuration and monitoring using HTTP. The authentication protocol that HTTP uses sends a plaintext password across the network. With HTTPS, the session data is encrypted. Cisco SDM uses either HTTP or HTTPS. Access to the HTTP and HTTPS service should be limited by configuring an access class that allows access only to directly connected nodes.

By default, the Cisco router DNS lookup service sends name queries to the 255.255.255.255 broadcast address. Using this broadcast address should be avoided because it can allow an attacker to emulate one of your DNS servers and respond to router queries with erroneous data. The DNS lookup service is enabled by default. If your routers must use this service, ensure that you explicitly set the IP address of your DNS servers in the router configuration.

By default, Telnet sends authentication and commands in plaintext. SSH allows a management connection that is secure and encrypted. Whenever possible you should use SSH rather than Telnet to manage your Cisco routers.

Performing a Security Audit

Security Audit is a feature that examines your existing router configurations and then updates your router to make your router and network more secure. Security Audit is based on the Cisco IOS AutoSecure feature; Security Audit performs checks on, and assists in, the configuration of almost all of the Cisco AutoSecure functions.

Note

For a complete list of the functions that Security Audit checks for, and for a list of the Cisco AutoSecure features that Security Audit does not support, see the Cisco Router and Security Device Manager 2.4 User's Guide.

Security Audit operates in one of two modes, as shown in Figure 2-43:

  • Security Audit: A wizard that enables you to choose which potential security-related configuration changes to implement on your router

  • One-Step Lockdown: Automatically makes all recommended security-related configuration changes

Performing a Security Audit with the Security Audit Wizard

The Security Audit Wizard tests your router configuration to determine whether any potential security problems exist in the configuration, and then presents you with a screen that lets you determine which of those security problems you want to fix. Once you determine which security problems to fix, the Security Audit Wizard makes the necessary changes to the router configuration to fix those problems.

Follow these steps, shown in Figure 2-44, to perform a security audit:

Step 1: From Cisco SDM choose Configure > Security Audit.

Step 2: Click Perform Security Audit. The Welcome page of the Security Audit Wizard appears.

Step 3: Click Next. The Security Audit Interface Configuration page appears.

Step 4: The Security Audit Wizard needs to know which of your router interfaces connect to your inside network and which connect outside of your network. For each interface that is listed, check either the Inside or Outside check box to indicate where the interface connects.

Step 5: Click Next. The Security Audit Wizard tests your router configuration to determine which possible security problems may exist. A window that shows the progress of this action appears, listing all of the configuration options that are being tested, and whether the current router configuration passes those tests, as shown in Figure 2-45.

Step 6: When the security audit is finished, you have the option to save the report. To save this report to a file, click Save Report.

Step 7: Click Close to continue fixing the identified security problems or to undo the configured security configurations in the router. The Security Audit Report Card screen appears, as shown in Figure 2-46, showing a list of possible security problems.

Step 8: Check the Fix It check boxes next to any problems that you want Cisco SDM to fix. For a description of the problem and a list of the Cisco IOS commands that will be added to your configuration, click the problem description link to display a help page about that problem. To fix all the presented problems, click the Fix All button.

Step 9: Click Next.

Step 10: Depending on which options you chose to fix, the Security Audit Wizard may display one or more screens that require you to enter information to fix certain problems. Enter the information as required, and then click Next for each of those screens.

Step 11: The Summary page of the wizard shows a list of all the configuration changes that Security Audit will make. Click Finish to deliver those changes to your router.

Figure 2-44: Performing a Security Audit

Figure 2-45: Progress Window of the Security Audit Wizard

Figure 2-46: Security Audit Report Card

Configuring One-Step Cisco Router Lockdown

The One-Step Lockdown feature tests your router configuration for any potential security problems and automatically makes the necessary configuration changes to correct any problems that were found.

Follow these steps, shown in Figure 2-47, to perform a one-step lockdown:

Step 1: From Cisco SDM choose Configure > Security Audit.

Step 2: Click One-Step Lockdown.

Step 3: The SDM window appears asking whether you are sure you want to lock down the router. Click Yes to continue or click No to quit the process.

Step 4: The One-Step Lockdown window appears, showing the status of the lockdown process. When the One-Step Lockdown is finished, click Deliver to deliver the configuration to the router.

Step 5: The Commands Delivery Status window shows the status of delivering the commands to the router. After the configuration is delivered to the router, click OK to finish.

Figure 2-47: Performing a One-Step Lockdown

The One-Step Lockdown feature checks for and, if necessary, corrects the following items:

  • Disable finger service

  • Disable PAD service

  • Disable TCP small servers service

  • Disable UDP small servers service

  • Disable IP BOOTP server service

  • Disable IP identification service

  • Disable Cisco Discovery Protocol

  • Disable IP source route

  • Enable password encryption service

  • Enable TCP keepalives for inbound Telnet sessions

  • Enable TCP keepalives for outbound Telnet sessions

  • Enable sequence numbers and time stamps on debugs

  • Enable IP Cisco Express Forwarding

  • Disable IP GARPs

  • Set minimum password length to less than six characters

  • Set authentication failure rate to less than three retries

  • Set TCP synwait time

  • Set banner

  • Enable logging

  • Set enable secret password

  • Disable SNMP

  • Set scheduler interval

  • Set scheduler allocate

  • Set users

  • Enable Telnet settings

  • Enable NetFlow switching

  • Disable IP redirects

  • Disable IP proxy ARP

  • Disable IP directed broadcast

  • Disable MOP service

  • Disable IP unreachables

  • Disable IP mask reply

  • Disable IP unreachables on null interface

  • Enable Unicast Reverse Path Forwarding (RPF) on outside interfaces

  • Enable firewall on all of the outside interfaces

  • Set access class on HTTP server service

  • Set access class on vty lines

  • Enable SSH for access to the router

  • Enable AAA

Note

One-Step Lockdown can cause a service disruption. Verify changes in a test environment before deploying in your production environment.
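The service list at the start of this section and the One-Step Lockdown checklist above name the same hardening items. The following Python script, added here as an example and not part of Cisco SDM or AutoSecure, audits a saved running-config offline for those items so that the proposed changes can be reviewed before anything is delivered to the router. It relies on one property of IOS that matters for any such check: default-enabled services (CDP, IP source routing, ICMP redirects, and so on) are not printed in the running-config, so an item can only be proven disabled by the presence of its `no ...` form. The sample configuration is constructed, and the table of command forms is an assumption to confirm against your own IOS release; DNS and HTTP are treated as compliant when either disabled or restricted as the text advises.

```python
"""Offline audit of a Cisco IOS running-config against the hardening checklist.
Added example, not Cisco code: IOS omits default-enabled services from the
config, so an item counts as enabled unless its "no ..." form is present."""
from collections import namedtuple

# item: checklist name; satisfied_by: a line starting with any of these passes;
# fix: command to add; ethernet_only: apply only to Ethernet interfaces (MOP).
Check = namedtuple("Check", "item satisfied_by fix ethernet_only", defaults=(False,))

GLOBAL_CHECKS = (
    Check("PAD service", ("no service pad",), "no service pad"),
    Check("TCP small servers", ("no service tcp-small-servers",), "no service tcp-small-servers"),
    Check("UDP small servers", ("no service udp-small-servers",), "no service udp-small-servers"),
    Check("BOOTP server", ("no ip bootp server",), "no ip bootp server"),
    Check("Finger service", ("no ip finger", "no service finger"), "no ip finger"),
    Check("IP identification service", ("no ip identd",), "no ip identd"),
    Check("Cisco Discovery Protocol", ("no cdp run",), "no cdp run"),
    Check("IP source routing", ("no ip source-route",), "no ip source-route"),
    Check("Gratuitous ARP", ("no ip gratuitous-arps",), "no ip gratuitous-arps"),
    Check("Password encryption", ("service password-encryption",), "service password-encryption"),
    Check("TCP keepalives (inbound)", ("service tcp-keepalives-in",), "service tcp-keepalives-in"),
    Check("TCP keepalives (outbound)", ("service tcp-keepalives-out",), "service tcp-keepalives-out"),
    # DNS and HTTP pass when disabled, or when restricted as the text advises.
    Check("DNS lookup without explicit server",
          ("no ip domain lookup", "no ip domain-lookup", "ip name-server"), "no ip domain lookup"),
    Check("HTTP server unrestricted", ("no ip http server", "ip http access-class"), "no ip http server"),
)
INTERFACE_CHECKS = (
    Check("ICMP redirects", ("no ip redirects",), "no ip redirects"),
    Check("Proxy ARP", ("no ip proxy-arp",), "no ip proxy-arp"),
    Check("ICMP unreachables", ("no ip unreachables",), "no ip unreachables"),
    Check("IP directed broadcast", ("no ip directed-broadcast",), "no ip directed-broadcast"),
    Check("MOP service", ("no mop enabled",), "no mop enabled", ethernet_only=True),
)

# Constructed sample running-config: partially hardened so both outcomes appear.
SAMPLE_CONFIG = """\
no service pad
no service tcp-small-servers
no service udp-small-servers
service password-encryption
hostname EdgeRouter
no ip bootp server
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no mop enabled
!
interface Serial0/0/0
 ip address 198.51.100.2 255.255.255.252
 no ip redirects
!
snmp-server community public RO
end
"""


def parse_config(text):
    """Split a running-config into global lines and per-interface stanza lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None  # "!" terminates a stanza
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def _passes(lines, check):
    return any(line.startswith(s) for line in lines for s in check.satisfied_by)


def audit(text):
    """Return (location, item, fix) for every checklist item the config fails."""
    global_lines, interfaces = parse_config(text)
    findings = [("global", c.item, c.fix) for c in GLOBAL_CHECKS if not _passes(global_lines, c)]
    for name, lines in interfaces.items():
        for c in INTERFACE_CHECKS:
            if c.ethernet_only and "ethernet" not in name.lower():
                continue
            if not _passes(lines, c):
                findings.append((name, c.item, c.fix))
    # A v1/v2c community string is a finding by its presence, not by a missing "no" form.
    if any(line.startswith("snmp-server community") for line in global_lines):
        findings.append(("global", "SNMPv1/v2c community string configured", "no snmp-server"))
    return findings


if __name__ == "__main__":
    for location, item, fix in audit(SAMPLE_CONFIG):
        print(f"{location:16} {item:40} fix: {fix}")
```

On the sample, the fully hardened FastEthernet0/0 produces no findings, while Serial0/0/0 is flagged for proxy ARP, ICMP unreachables and directed broadcast, and the global section for the services that have no `no` line at all. Running the script against `show running-config` output before and after a lockdown gives a diff-able record of what actually changed, which is the verification the note above asks for.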

Cisco AutoSecure

Cisco AutoSecure is a Cisco IOS feature that lets you more easily configure security features on your router, so that your network is better protected. You can configure Cisco AutoSecure from the privileged EXEC mode using the auto secure command in one of two modes:

  • Interactive mode: This mode prompts the user with options to enable and disable services and other security features. This is the default mode.

  • Noninteractive mode: This mode automatically executes the Cisco auto secure command with the recommended Cisco default settings. This mode is enabled with the no-interact command option.

Example 2-33 shows an abstracted example of the first three steps of an interactive Cisco AutoSecure configuration.

Example 2-33: Example of the Cisco AutoSecure Feature

Router# auto secure
Is this router connected to internet? [no]:y
Enter the number of interfaces facing internet [1]:1
Enter the interface name that is facing internet:Serial0/0/0
Securing Management plane services..

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Cisco SDM does not implement all the features of Cisco AutoSecure. As of Cisco SDM Version 2.4, the following Cisco AutoSecure features are not part of the Cisco SDM One-Step Lockdown feature:

  • Disabling NTP: Based on input, Cisco AutoSecure will disable NTP if it is not necessary. Otherwise, NTP will be configured with MD5 authentication. Cisco SDM does not support disabling NTP.

  • Configuring AAA: If the AAA service is not configured, Cisco AutoSecure configures local AAA and prompts for the configuration of a local username and password database on the router. Cisco SDM does not support AAA configuration.

  • Setting Selective Packet Discard (SPD) values: Cisco SDM does not set SPD values.

  • Enabling TCP intercepts: Cisco SDM does not enable TCP intercepts.

  • Configuring antispoofing ACLs on outside interfaces: Cisco AutoSecure creates three named access lists to block spoofed source addresses. Cisco SDM does not configure these ACLs.

The following Cisco AutoSecure features are implemented differently in Cisco SDM:

  • Disable SNMP: Cisco SDM will disable SNMP; however, unlike Cisco AutoSecure, Cisco SDM does not provide an option for configuring SNMPv3.

    Note

    The SNMPv3 option is not available on all routers.

  • Enable SSH for access to the router: Cisco SDM will enable and configure SSH on Cisco IOS images that have the IPsec feature set; however, unlike Cisco AutoSecure, Cisco SDM will not enable Secure Copy Protocol (SCP) or disable other access and file transfer services, such as FTP.


Chapter Summary

The following topics were discussed in this chapter:

  • Routers can be used to secure the perimeters of your networks.

  • Cisco SDM can be launched from router memory or from a Windows PC if it has been installed.

  • AAA services provide a higher degree of scalability than line-level and privileged EXEC authentication.

  • Cisco Secure ACS is a highly scalable, high-performance access control server that supports RADIUS and TACACS+.

  • Because OOB management architectures provide higher levels of security and performance than in-band architectures, the decision to use an in-band solution must be carefully considered.

  • Many services and interfaces are enabled by default on newly commissioned routers. These services and interfaces are vulnerable to attack and should be secured.

References

For additional information, refer to these resources:

  • Cisco Systems, Inc. Integrated Services Routers, http://www.cisco.com/go/isr

  • Cisco Systems, Inc. Cisco Router and Security Device Manager Introduction, http://www.cisco.com/go/sdm

  • Cisco Systems, Inc. Cisco Router and Security Device Manager Quick Start Guide, http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_quick_start09186a0080511c89.html

  • Cisco Systems, Inc. SDM Express 2.4 User's Guide, http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/24/express/software/user/guide/esugd.html

  • Cisco Systems, Inc. Tools & Resources: Software Download Cisco Security Device Manager, http://www.cisco.com/pcgi-bin/tablebuild.pl/sdm

  • Cisco Systems, Inc. Cisco Router and Security Device Manager 2.4 User's Guide, http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_user_guide_list.html

  • Cisco Systems, Inc. Installing Cisco Secure ACS for Windows, http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/installation/guide/windows/install.html

  • Cisco Systems, Inc. Cisco Secure Access Control Server for Windows: Release Notes, http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_notes_list.html

  • Carroll, B., Cisco Access Control Security: AAA Administration Services (Cisco Press, 2004)

  • Cisco Systems, Inc. Cisco Secure Access Control Server Express: Introduction, http://www.cisco.com/en/US/products/ps8543/index.html

  • NTP RFC, http://www.faqs.org/rfcs/rfc1305.html

  • SNMP RFC, http://www.ietf.org/rfc/rfc2571.txt

  • Wikipedia. Secure Shell, http://en.wikipedia.org/wiki/Secure_Shell

  • Halleen, G. and Kellogg, G., Security Monitoring with Cisco Security MARS (Cisco Press, 2007)

1 comment

Joanna Zadrożna said... @ February 24, 2021 at 8:53 PM

Very nicely written. I am impressed, and best regards.