Cisco Router Hardening

The document discusses basic router configuration and hardening, including setting passwords, logging, access control lists, and disabling unsafe defaults. It also covers network hardening topics such as broadcast forwarding, denial of service protection, routing protocols, and operational considerations. The document was presented by Craig Biggerstaff from Omitron, an IT security consulting firm.

Craig Biggerstaff

Omitron, Inc.
AGENDA

• Basic Configuration
  • Cannot teach router configuration here
  • Assume some familiarity with Cisco IOS
  • Many aspects are not covered
• Router Hardening
• Network Hardening

BASIC CONFIGURATION

• Architecture
• Console Password
• Time Services
• Logging
• Access Control Lists
ARCHITECTURE

• Routers 101
  • A router is a computer dedicated to forwarding packets between networks
    • Makes routing decisions
    • Applies traffic filters
    • Relays packet data
    • Exchanges link state information with other routers
  • OSI Layer 3 device
    • Some are switch/routers that combine layers 2 & 3 (we can ignore the differences for this talk)
  • Has a CPU, RAM, non-volatile storage (NVRAM)
  • Runs an operating system (Cisco IOS)
# IOS commands are shown here in monospace font

CONSOLE PASSWORD

• Set console password
  • Use newer “enable secret” command, not older “enable password”
  • “enable secret” uses MD5 hash
  • Older passwords are cryptographically worse
  • Cisco recommends using AAA instead
# no enable password
# enable secret DoubleSuperSecretPassword
# service password-encryption
# line console 0
# password SomePassword
  • (not recommended – see above)
# transport output none
# line aux 0
# no exec
# transport input none

TIME SERVICES

• Point to a reliable, authenticated time source
  • Network Time Protocol (NTP)
# clock timezone UTC 0
  • Don’t use local time – it makes log correlation difficult if routers are in multiple timezones
# no clock summer-time
# ntp update-calendar
# ntp authenticate
# ntp authentication-key 10 md5 ntpkey
# ntp trusted-key 10
# ntp server 172.16.3.2 key 10
# interface Serial 0/0
# ntp disable
# interface Ethernet 0/0
# ntp broadcast

LOGGING

• Set up log history buffer
  • Circular buffer – oldest entries overwritten
  • Large size uses RAM needed by other processes
# logging buffered 8192 debugging
• Time and date stamp log entries
# service timestamps debug datetime
# service timestamps log datetime
• Prevent IP-to-name translation in logs
# no ip domain lookup
• Enable remote syslog
  • Uses Unix “local7” syslog facility
# logging 172.16.1.2
# logging trap notifications

ACCESS CONTROL LISTS

• Ordered list of matching criteria for making packet forwarding decisions
  • Used for filtering traffic across interfaces
  • Used for filtering access to router services
  • Referenced in other IOS commands by ACL number
• Examples:
# access-list 101 deny ip any 172.16.1.0 0.0.0.255 log
# access-list 102 deny ip any 1.0.0.0 0.255.255.255 log
# access-list 102 deny icmp any any log
# interface Serial 0/0
# ip access-group 101 out
# ip access-group 102 in
# exit
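As an added illustration (not from the deck), a small Python model of how IOS evaluates an extended ACL: wildcard-mask matching, first-match ordering, and the implicit deny at the end. It loads the slide's ACL 102 and also shows what a 0.255.255.255 wildcard on a 172.16.1.0 base actually matches compared with 0.0.0.255.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit must equal the base, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def _take_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from a token list."""
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def parse_ace(line):
    """Parse one extended access-list entry (ip/tcp/udp/icmp; port options are ignored)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    src, rest = _take_addr(tok[4:])
    dst, rest = _take_addr(rest)
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "log": "log" in rest}

def evaluate(acl, proto, src, dst):
    """First matching entry wins; with no match the implicit 'deny any' applies."""
    for ace in acl:
        if (ace["proto"] in ("ip", proto)
                and wildcard_match(src, *ace["src"])
                and wildcard_match(dst, *ace["dst"])):
            return ace["action"], ace["log"]
    return "deny", False

# ACL 102 as given on the slide, applied inbound on Serial 0/0.
ACL_102 = [parse_ace(l) for l in (
    "access-list 102 deny ip any 1.0.0.0 0.255.255.255 log",
    "access-list 102 deny icmp any any log",
)]
```

Because ACL 102 on the slide contains only deny entries, the implicit deny makes it drop every inbound packet on Serial 0/0; a deployed ACL needs the permit entries that would follow these lines.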
ROUTER HARDENING

• Remote Terminal Access
• AAA
• Secure Shell & Secure Copy
• SNMP
• Disabling Unsafe Defaults

REMOTE TERMINAL ACCESS

• Restrict access to login prompt
  • To nodes that need it
  • To secure protocols
• Example:
# access-list 80 permit 172.16.0.0 0.0.255.255 log
# access-list 80 deny any log
# line vty 0 4
# login
# password SomePassword
# transport input ssh
# transport output none
# exec-timeout 5 0
# access-class 80 in
# exit
# service tcp-keepalives-in
# service tcp-keepalives-out

AUTHENTICATION, AUTHORIZATION & ACCOUNTING (AAA)

• Restrict login access by tying authentication to an external source
  • RADIUS
  • TACACS+
• Example:
# aaa new-model
# aaa authentication login RemoteAuth radius tacacs+ enable
# tacacs-server host 172.16.1.11
# tacacs-server key TestTKey
# radius-server host 172.16.1.12
# radius-server key TestRKey
# line vty 0 4
# login authentication RemoteAuth

SECURE SHELL & SECURE COPY

• In newer versions of Cisco IOS
  • Replaces telnet authentication
  • Replaces tftp transfer of configuration files
• Example:
# hostname myrouter
# ip domain-name mycompany.com
# crypto key generate rsa
# ip ssh time-out 60
# ip ssh authentication-retries 3
# ip scp server enable

SNMP

• A necessary evil
  • Hard to manage routers without it
• Use access lists to restrict who can see data
• Use views to restrict what they can see
• Choose non-obvious community strings, and use different strings and ACLs for read & write access
• Example:
# access-list 80 permit 172.16.0.0 0.0.255.255
# access-list 90 permit 172.16.1.2
# snmp-server community ReadString view ViewName RO 80
# snmp-server community WriteString RW 90
# snmp-server view ViewName 1.3.6.2.4 excluded
# snmp-server enable traps
# snmp-server host 172.16.1.2 version 2c TrapString

UNSAFE DEFAULTS

• Turn off unneeded router services
# no service tcp-small-servers
# no service udp-small-servers
# no service finger
# no service pad
# no service config
# no ip identd
# no ip bootp server
# no ip http server
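An added example, not part of the deck: a Python checker that applies several of the recommendations from the Console Password, Logging, Remote Terminal Access and Unsafe Defaults slides to a saved running-config (“enable secret” and “service password-encryption” present, a remote syslog host set, “enable password”, the HTTP server and the small servers absent, and vty lines restricted to SSH with an access-class). The sample configuration is constructed here; the IOS syntax it checks is the form shown on the slides above.

```python
import re
# Constructed sample running-config with several weak settings the deck warns about.
SAMPLE_CONFIG = """\
service tcp-small-servers
enable password cisco
ip http server
line vty 0 4
 transport input telnet ssh
"""
# Top-level lines the deck requires (regex -> what their absence means).
REQUIRED = {
    r"^enable secret ": "no 'enable secret' (MD5 hash) configured",
    r"^service password-encryption$": "line passwords stored in clear text",
    r"^logging \d+\.\d+\.\d+\.\d+$": "no remote syslog host configured",
}
# Top-level lines the deck says to remove (old-style enable, unsafe defaults).
FORBIDDEN = {
    r"^enable password ": "'enable password' in use; replace with 'enable secret'",
    r"^ip http server$": "HTTP server enabled",
    r"^service (tcp|udp)-small-servers$": "TCP/UDP small servers enabled",
}

def sections(config_text):
    """Group indented lines under their parent command, the way IOS nests them."""
    secs, current = {}, None
    for raw in filter(str.strip, config_text.splitlines()):
        if raw.startswith(" ") and current is not None:
            secs[current].append(raw.strip())
        else:
            current = raw.strip()
            secs.setdefault(current, [])
    return secs

def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    secs = sections(config_text)  # keys are the top-level (global) lines
    findings = [f"missing: {m}" for p, m in REQUIRED.items()
                if not any(re.match(p, l) for l in secs)]
    findings += [f"present: {m}" for p, m in FORBIDDEN.items()
                 if any(re.match(p, l) for l in secs)]
    for name, body in secs.items():
        if name.startswith("line vty"):
            tr = [l for l in body if l.startswith("transport input")]
            if not tr or any(w in l.split() for l in tr for w in ("telnet", "all")):
                findings.append(f"{name}: telnet allowed; use 'transport input ssh'")
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{name}: no access-class restricting source addresses")
    return findings
```

A line that is absent from the saved config means the platform default is in effect, so an unchanged default such as the small servers on older IOS will not appear as “present” here; checking the running device with “show running-config all”, where available, closes that gap.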
NETWORK HARDENING

• Broadcast Forwarding
• Denial-of-Service Hardening
• Routing Protocols
• Going Operational

BROADCAST FORWARDING

• Certain UDP broadcasts are forwarded by default – turn them off
# no ip forward-protocol udp 69
# no ip forward-protocol udp 53
# no ip forward-protocol udp 37
# no ip forward-protocol udp 137
# no ip forward-protocol udp 138
# no ip forward-protocol udp 67
# no ip forward-protocol udp 68
# no ip forward-protocol udp 49
# no ip forward-protocol udp 42
# no ip helper-address
  • (“ip helper-address” is configured per interface; remove it on each interface that does not need it)
• If UDP broadcasts are needed, enable only the specific port and recipient

DENIAL OF SERVICE HARDENING

• Turn off opportunities for crafted spoof attacks & probes
# no ip source-route
# interface Serial 0/0
# no ip proxy-arp
# no ip directed-broadcast
# no ip unreachables
# no ip mask-reply
# no ip redirects
• Optimize router for heavy loading
# service nagle
# ip tcp synwait-time 10
# scheduler interval 500

DENIAL OF SERVICE HARDENING (CONTINUED)

• Create ACL to use in rate-limiting received packets by type
• Example (against SYN-flood)
# access-list 120 deny tcp any any established
# access-list 120 permit tcp any any
# interface Serial 0/0
# rate-limit input access-group 120 64000 8000 8000 conform-action transmit exceed-action drop
• Also can rate-limit UDP (against “Fraggle”)
• Also can rate-limit ICMP (against “Smurf”)

ROUTING

• Securing individual routing protocols is beyond the scope of this talk

GOING OPERATIONAL

• Make sure your configuration survives!
# copy running-config startup-config
  • or
# write memory
# reload
• Record your IOS version and configuration (and protect it)
  • Enable secret can be recovered from MD5 hash – program “Too Many Secrets” cracks them by brute force
# show version
# show config
# copy running-config scp://user@host

REFERENCES

• Securing Cisco Routers: Step-by-Step (SANS)
• Routing TCP/IP, Volume II (Cisco)
• NSA Router Security Configuration Guide

OMITRON SECURITY SOLUTIONS GROUP

• We offer effective IT security consulting
  • Customized solutions
  • Help you achieve your business goals
• Services
  • Risk Assessments
  • Network Vulnerability / Penetration Testing
  • Architecture, Design, & Integration
    • Firewalls, VPN, IDS, Remote Access, Wireless, COMSEC
  • Policy Development
  • Compliance Audits
  • Business Continuity / Disaster Recovery Planning
  • Security Awareness & Training

CONTACT INFORMATION

• Headquarters
7051 Muirkirk Meadows Drive, Suite A
Beltsville, MD 20705
301-474-1700
Attn: George Sauble
http://www.omitron.com

• Security Solutions Group
16850 Saturn Lane, Suite 100
Houston, TX 77058
281-853-3103
Attn: Ernie Maravilla
mailto:it.security@omitron.com

• Craig Biggerstaff
281-483-2027
mailto:craig.biggerstaff@omitron.com
