DE LA COMPETENCIA Y DE LAS HABILIDADES

This section begins by identifying router services that are susceptible to attack and by explaining how security can be compromised by various router management services. You will learn two approaches for hardening a Cisco IOS router against attacks:

■ Using Cisco SDM’s One-Step Lockdown feature ■ Using the auto secure CLI command

Identifying Potentially Vulnerable Router Interfaces and Services One of the most obvious steps to secure a router is to administratively shut down any unused router interfaces using the shutdown command in interface configuration mode. Another approach to securing a router involves turning off unneeded services.

Fortunately, hardening a router against attack does not require a thorough understanding of how an attacker can compromise router security through specific services. However, you should be acquainted with the services that are potentially running on your router, which might or might not be needed. If a service is not needed, typically it should be disabled to prevent it from inadvertently becoming a security hole. Table 5-2 provides an overview of several services and features available on many Cisco IOS routers.

Table 5-2 Cisco IOS Features

IOS Feature Description

Bootstrap protocol (BOOTP) server

Allows a router to serve as a BOOTP server for other routers

Cisco Discovery Protocol (CDP)

A Layer 2 protocol that permits adjacent Cisco devices to learn information about one another (for example, protocol and platform information)

Configuration autoloading Supports a router loading its configuration information from a network server

FTP server Causes a router to act as an FTP server for file transfer TFTP server Permits a router to act as a TFTP server, which does not

require authentication Network Time Protocol

(NTP)

Allows a router to act as a time source for other network devices

Locking Down the Router 159

IOS Feature Description

Packet Assembler/ Disassembler (PAD)

Permits access to X.25 commands

TCP/UDP minor services Allows various daemons to be used for diagnostics Maintenance Operation

Protocol (MOP)

Used as a maintenance protocol in a Digital Equipment Corporation (DEC) environment

Simple Network Management Protocol (SNMP)

Allows a router to communicate with an SNMP-speaking network management station

HTTP/HTTPS configuration and monitoring

Supports the monitoring and configuration of a router via a web interface (for example, the Cisco SDM interface)

Domain Name Service (DNS)

Allows a router to send DNS queries for name-to-IP address resolution

Internet Control Message Protocol (ICMP) redirects

Tells a router to send an ICMP redirect message in case the router resends a packet out the same interface the packet was received on

IP source routing Permits the sender of a packet to dictate the route that the packet will take to its destination

Finger service Displays users currently logged into a router ICMP unreachable

notifications

Notifies the sender of a packet if the packet was destined for an invalid destination

ICMP mask Causes a router to send an ICMP mask reply message, which contains an interface’s IP address mask, in response to an ICMP mask request

IP identification service Identifies the initiator of a TCP connection to the other party in the connection

TCP keepalives Helps a router close inactive TCP connections

Gratuitous ARP Allows a router to accept replies to Address Resolution Protocol (ARP) requests that the router did not request Proxy ARP Supports a router functioning as a Layer 2 bridge by

responding to ARP requests on behalf of another network device (for example, a network server)

IP-directed broadcast Allows a router to propagate a broadcast message originating in one subnet and destined for another subnet

Locking Down a Cisco IOS Router

Next, consider how you can follow the Cisco best-practice recommendations for disabling services and further securing a router. Instead of individually enabling or disabling selected services, you can use one of two automated approaches that Cisco offers, as summarized in Table 5-3.

NOTE SNMP version 1 and SNMP version 2c use community strings for

authentication. These community strings, which are often set to a default of “public” (which provides read access) and “private” (which provides read-write access) are sent in clear text, and SNMPv1 and SNMPv2c can easily be spoofed. Therefore, Cisco recommends that SNMP be disabled. However, if SNMP is needed, Cisco recommends using SNMP version 3, which is more secure. Specifically, SNMP version 3 offers authentication, encryption, and access control features.

NOTE Although Cisco SDM supports either HTTP or HTTPS, Cisco recommends using HTTPS, because HTTPS encrypts the data exchanged between a router and the Cisco SDM workstation. For additional security, access to a router’s HTTPS service can be limited by an access control list (ACL), which can restrict the subnet(s) allowed to access a router via HTTPS.

NOTE By default, when a Cisco IOS router sends a DNS name query, the router sends the query to a broadcast address of 255.255.255.255. Attackers could leverage this default behavior by pretending to be a DNS server and responding to the router’s name queries with incorrect information.

Table 5-3 Methods for Locking Down a Cisco Router

Methods Configuration

AutoSecure The AutoSecure IOS feature is invoked by issuing the auto secure command from the CLI.

Cisco SDM One-Step Lockdown

The Cisco SDM One-Step Lockdown method for securing a router uses a wizard in the Cisco SDM graphical interface.

Locking Down the Router 161

AutoSecure

The AutoSecure feature can be enabled from privileged EXEC mode by issuing the auto secure command, as shown in Example 5-1.

Example 5-1 Enabling AutoSecure R1# aauaauuuttottooo ssesseeeccuccuruurerreee

--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks ***

AutoSecure will modify the configuration of your device. All configuration changes will be shown. For a detailed explanation of how the configuration changes enhance security and any possible side effects, please refer to Cisco.com for Autosecure documentation.

At any prompt you may enter '?' for help. Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: yyyyeeeessss

Enter the number of interfaces facing the internet [1]:

Interface IP-Address OK? Method Status Protocol FastEthernet0/0 192.168.0.29 YES NVRAM up up

FastEthernet0/1 172.16.2.1 YES NVRAM up up

Serial1/0 172.16.1.1 YES NVRAM up up

Serial1/1 unassigned YES NVRAM administratively down down

Serial1/2 unassigned YES NVRAM administratively down down

Serial1/3 unassigned YES NVRAM administratively down down

Enter the interface name that is facing the internet: FFFFaasaasssttEttEEEtthtthhheereerrrnnnneeteet0tt0/00///1111

Securing Management plane services...

Disabling service finger Disabling service pad

Disabling udp & tcp small servers Enabling service password encryption Enabling service tcp-keepalives-in

Enabling service tcp-keepalives-out Disabling the cdp protocol

Disabling the bootp server Disabling the http server Disabling the finger service Disabling source routing Disabling gratuitous arp

Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements.

Authorized Access only

This system is the property of So-&-So-Enterprise. UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on this device

are logged. Any violations of access policy will result in disciplinary action.

Enter the security banner {Put the banner between k and k, where k is any character}:

%%% % WWW WAARAARRRNNNINIIINNGNNG:GG: :: TTTThhhhiiiiss ss rrorrooouutuuttteeeerr rr iisiisss tttthhhhee ee pprpprrrooooppppeeeerrtrrtttyy yy oofoofff CCiCCiiisscsscccoo oo PPrPPrerreeessssssss.... AAA Annnnyyyy uunuunannaaauutuuthtthhhoooorrrriiziizzzeedeeddd aaaaccccccecceseesssssss iiiiss ss mmmmoonooninniiittttoooorrerreeedd.dd... VVVViiiiooloolallataattotoroorsrrss s wwwwiiliilllll ll bbbbeeee pprpprrroosoosesseeeccccuuuuttetteeedd.dd... %%% %

Enter the new enable password: Confirm the enable password:

Configuring AAA local authentication Configuring Console, Aux and VTY lines for local authentication, exec-timeout, and transport Securing device against Login Attacks

Configure the following parameters

Blocking Period when Login Attack detected: 33033000

Maximum Login failures with the device: 3333

Maximum time period for crossing the failed login attempts: 11110000

Configure SSH server? [yes]:

Enter the domain-name: ccicciiisscsscoccooopprpprerreseesssssss..c..cccoomoommm

Configuring interface specific AutoSecure services Disabling the following ip services on all interfaces:

Locking Down the Router 163 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply

Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform) Enabling unicast rpf on all interfaces connected

to internet

Configure CBAC Firewall feature? [yes/no]: yyeyyeeessss

This is the configuration generated:

no service finger no service pad no service udp-small-servers no service tcp-small-servers service password-encryption service tcp-keepalives-in service tcp-keepalives-out no cdp run no ip bootp server no ip http server no ip finger no ip source-route no ip gratuitous-arps no ip identd banner motd ^C

WARNING: This router is the property of Cisco Press.

Any unauthorized access is monitored. Violators will be prosecuted. ^C

security passwords min-length 6

security authentication failure rate 10 log enable password 7 095F4B0A0B0003022B1F17 aaa new-model

authentication login local_auth local line con 0

login authentication local_auth exec-timeout 5 0

transport output telnet line aux 0

login authentication local_auth exec-timeout 10 0

Example 5-1 Enabling AutoSecure (Continued)

transport output telnet line vty 0 4

login authentication local_auth transport input telnet

login block-for 30 attempts 3 within 10 ip domain-name ciscopress.com

crypto key generate rsa general-keys modulus 1024 ip ssh time-out 60

ip ssh authentication-retries 2 line vty 0 4

transport input ssh telnet

service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone logging facility local2

logging trap debugging service sequence-numbers logging console critical logging buffered interface FastEthernet0/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabled interface FastEthernet0/1 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabled interface Serial1/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply interface Serial1/1 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply interface Serial1/2 no ip redirects no ip proxy-arp

Locking Down the Router 165 no ip unreachables no ip directed-broadcast no ip mask-reply interface Serial1/3 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply ip cef

access-list 100 permit udp any any eq bootpc interface FastEthernet0/1

ip verify unicast source reachable-via rx allow-default 100 ip inspect audit-trail

ip inspect dns-timeout 7 ip inspect tcp idle-time 14400 ip inspect udp idle-time 1800

ip inspect name autosec_inspect cuseeme timeout 3600 ip inspect name autosec_inspect ftp timeout 3600 ip inspect name autosec_inspect http timeout 3600 ip inspect name autosec_inspect rcmd timeout 3600 ip inspect name autosec_inspect realaudio timeout 3600 ip inspect name autosec_inspect smtp timeout 3600 ip inspect name autosec_inspect tftp timeout 30 ip inspect name autosec_inspect udp timeout 15 ip inspect name autosec_inspect tcp timeout 3600 ip access-list extended autosec_firewall_acl permit udp any any eq bootpc

deny ip any any

interface FastEthernet0/1 ip inspect autosec_inspect out

ip access-group autosec_firewall_acl in !

end

Apply this configuration to running-config? [yes]:

Applying the config generated to running-config The name for the keys will be: R1.ciscopress.com

% The key modulus size is 1024 bits

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1#

Cisco SDM One-Step Lockdown

Most of the actions performed by the AutoSecure feature can be configured graphically using Cisco SDM’s One-Step Lockdown feature. The following steps describe how to configure One-Step Lockdown:

Step 1 Click the Configure button in the Cisco SDM interface, as shown in Figure 5-1.

Figure 5-1 Entering the Cisco SDM Configure Screen

Step 2 Click the Security Audit button in the Tasks pane, as shown in Figure 5-2. NOTE In Example 5-1, the administrator is prompted for a variety of input. However, adding the no-interact option to the end of the auto secure command eliminates this interactivity and simply applies default configurations without any further prompts.