Solved

Securing our Router

Posted on 2004-04-02
Last Modified: 2009-10-17
Hi gang!

We're working on securing a router and frankly we haven't the slightest business doing this, but
when you're small you do what you have to :)

Ok, we're working with our Cisco 1720 and we're using defaults on most things.
Below you'll find our config currently:

<begin snip>
Current configuration:
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname hostname-gw
!
logging buffered 4096 debugging
enable password somepassword
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
ip domain-name customer.com
ip name-server 'nameserver'
ip name-server 'nameserver'
!
isdn switch-type basic-ni
!
!
!
interface Serial0
 description The World
 bandwidth 1544
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address ourIP ourSub
 frame-relay interface-dlci 100
!
interface BRI0
 bandwidth 256
 ip unnumbered FastEthernet0
 encapsulation ppp
 shutdown
 dialer rotary-group 1
 isdn switch-type basic-ni
 isdn spid1 somenumber
 isdn spid2 somenumber
!
interface FastEthernet0
 description To Office FastEthernet
 ip address otherIP otherSUB secondary
 ip address ourIP ourSUB
 speed auto
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 300
 dialer string 1234567890
 dialer string somenumber
 dialer hold-queue 10
 dialer load-threshold 179 either
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname somehostname
 ppp chap password 7 somepassword
 ppp multilink
!
ip nat translation tcp-timeout 600
ip classless
ip route 0.0.0.0 0.0.0.0 someIP
ip http server
!
dialer-list 1 protocol ip permit
!
line con 0
 password somepassword
 login
 transport preferred none
 transport input none
 stopbits 1
line aux 0
 password somepassword
 login
 modem InOut
 transport preferred none
!
line con 0
 password somepassword
 login
 transport preferred none
 transport input none
 stopbits 1
line aux 0
 password somepassword
 login
 modem InOut
 transport preferred none
 transport input all
 stopbits 1
 flowcontrol hardware
line vty 0 4
 password somepassword
 login
 transport preferred none
!
no scheduler allocate
end

</end snip>

As you see, we've got info for a dialer, which isn't used.
And never will be. If we will get better service without its
config we're fine with removing it.

Also, everything is pretty much default except for the IP's and whatnot
and passwords. We don't have any specific blocks for say DoS attacks
and whatnot.
We'd like to be able to say our router is pretty secure so we can
rest at night.

Any help would be appreciated,

UG
Question by: uglygrouch

13 Comments
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 10742658
One of the easiest things to do is control who has access to your router via telnet... so you would do the following

Access-list 10 permit 192.168.1.0 0.0.0.255

Then in the line vty 0 4

access-class 10 in

that is assuming that your local network you manage the box from will be 192.168.1.0/24 and you can add any additional information to that...
 
LVL 12

Accepted Solution

by: Scotty_cisco (earned 168 total points)
ID: 10742697
Then I would add an access-list such as the following

access-list 105 permit tcp any any established
access-list 105 deny   53 any any
access-list 105 deny   55 any any
access-list 105 deny   77 any any
access-list 105 deny   pim any any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any host-unreachable
access-list 105 permit icmp any any time-exceeded
access-list 105 deny   udp any range snmp snmptrap any log
access-list 105 permit ip any any

Then in the serial interface put in

ip access-group 105 in

That should give you a very good start


LVL 12

Expert Comment

by:Scotty_cisco
ID: 10742712
Sorry, your serial sub-interface is a better place to put

IP access-group 105 in

and BTW you could get rid of the dialer interface and other unneeded configuration items... They are certainly not hurting anything; it would just clean up the configuration.

Thanks
Scott
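To see what the access list above actually does to traffic arriving on the serial sub-interface, here is a small interpreter that runs constructed packets through it with IOS semantics (first matching entry wins, implicit deny at the end). This is an added example, not code from the answer; it handles only the subset of extended-ACL syntax that ACL 105 uses (any / host / address plus wildcard, eq and range port operators, named ICMP types, 'established', 'log'), it treats a packet's 'ack' flag as standing in for the 'established' test, and the addresses and packets are made up. Two things the run makes visible: the closing 'permit ip any any' means anything not named earlier, a fresh telnet SYN to the router or a ping included, is passed, so the list filters a handful of protocols rather than enforcing a default-deny policy; and because IOS binds a port operator to the address that precedes it, 'deny udp any range snmp snmptrap any log' matches UDP with a source port of 161-162, not probes sent to port 161.

```python
"""Run sample packets through the inbound ACL above: first matching entry wins, implicit deny last.

Added example (not code from the answer).  It interprets only the subset of IOS
extended-ACL syntax ACL 105 uses: any / host / address+wildcard, eq / range port
operators, named ICMP types, 'established' and 'log'.  Packets and addresses are constructed.
"""
import ipaddress

ACL_105 = """\
access-list 105 permit tcp any any established
access-list 105 deny   53 any any
access-list 105 deny   55 any any
access-list 105 deny   77 any any
access-list 105 deny   pim any any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any host-unreachable
access-list 105 permit icmp any any time-exceeded
access-list 105 deny   udp any range snmp snmptrap any log
access-list 105 permit ip any any
"""

PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "pim": 103}  # None: matches any protocol
PORTS = {"snmp": 161, "snmptrap": 162, "telnet": 23, "ssh": 22, "www": 80}


def _proto(tok):
    return PROTO[tok] if tok in PROTO else int(tok)


def _port(tok):
    return PORTS[tok] if tok in PORTS else int(tok)


def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    # ipaddress accepts an IOS wildcard (host mask) in place of a prefix length
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def _ports(tok):
    """Consume an optional 'eq P' | 'range A B' bound to the address just parsed."""
    if tok and tok[0] == "eq":
        return (_port(tok[1]), _port(tok[1])), tok[2:]
    if tok and tok[0] == "range":
        return (_port(tok[1]), _port(tok[2])), tok[3:]
    return None, tok


def parse_ace(line):
    # access-list <n> <action> <proto> <src> [ports] <dst> [ports] [icmp-type] [established] [log]
    tok = line.split()
    ace = {"action": tok[2], "proto": _proto(tok[3])}
    rest = tok[4:]
    ace["src"], rest = _addr(rest)
    ace["sports"], rest = _ports(rest)
    ace["dst"], rest = _addr(rest)
    ace["dports"], rest = _ports(rest)
    ace["established"], ace["log"] = "established" in rest, "log" in rest
    ace["icmp_type"] = next((o for o in rest if o not in ("established", "log")), None)
    return ace


def _in_range(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def ace_matches(ace, pkt):
    # pkt["ack"] stands in for IOS's 'established' test (ACK or RST bit set)
    return ((ace["proto"] is None or ace["proto"] == _proto(pkt["proto"]))
            and ipaddress.ip_address(pkt["src"]) in ace["src"]
            and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
            and _in_range(ace["sports"], pkt.get("sport"))
            and _in_range(ace["dports"], pkt.get("dport"))
            and (not ace["established"] or pkt.get("ack", False))
            and (ace["icmp_type"] is None or ace["icmp_type"] == pkt.get("icmp_type")))


def evaluate(acl_text, pkt):
    """Return (action, matching entry with whitespace normalised, logged) for one packet."""
    for line in acl_text.splitlines():
        if not line.strip():
            continue
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], " ".join(line.split()), ace["log"]
    return "deny", "(implicit deny at end of list)", False


# Constructed packets arriving inbound on Serial0.1; 203.0.113.0/24 stands for the Internet,
# 192.0.2.0/24 for the office and 192.0.2.1 for the router's own address.
SAMPLE_PACKETS = {
    "reply to an outbound web request": dict(proto="tcp", src="203.0.113.10", dst="192.0.2.5", sport=80, dport=51234, ack=True),
    "new telnet SYN to the router": dict(proto="tcp", src="203.0.113.10", dst="192.0.2.1", sport=40000, dport=23),
    "SNMP probe at the router (dst port 161)": dict(proto="udp", src="203.0.113.10", dst="192.0.2.1", sport=1025, dport=161),
    "UDP from source port 161": dict(proto="udp", src="203.0.113.10", dst="192.0.2.1", sport=161, dport=1025),
    "PIM packet": dict(proto="pim", src="203.0.113.10", dst="192.0.2.1"),
    "ICMP echo request": dict(proto="icmp", src="203.0.113.10", dst="192.0.2.1", icmp_type="echo"),
    "ICMP echo-reply": dict(proto="icmp", src="203.0.113.10", dst="192.0.2.5", icmp_type="echo-reply"),
}


def run_samples(acl_text=ACL_105):
    return {name: evaluate(acl_text, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, entry, logged) in run_samples().items():
        print(f"{action:6} {'log ' if logged else '    '}{name:42} <- {entry}")
```

Run as a script it prints the verdict and the matching entry for each sample packet; evaluate() can be fed any other list in the same syntax to check a proposed change before it goes on the interface.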
 
LVL 5

Expert Comment

by:visioneer
ID: 10744418
Also, run the following command to encrypt the enable password within the configuration:

service password-encryption
 
LVL 79

Assisted Solution

by: lrmoore (earned 166 total points)
ID: 10744627
Here's a really good reference guide as a starting point.
Follow the Cisco Routers guide, Executive Summary is easiest to follow..
http://nsa1.www.conxion.com/cisco/download.htm

Another good ref:
http://www.sans.org/rr/papers/index.php?id=794
 
LVL 6

Assisted Solution

by: Greenclock (earned 166 total points)
ID: 10749751
I have run the config you provided through one of the Cisco tools that does some basic checks on configs. Below are the results, which should provide a good starting point.

GC  :-o

SHOW RUNNING-CONFIG SECURITY NOTIFICATIONS (if any)

This process will suggest enhancements to an IP network's first line of defense,
the router. Please note the following:
 1. This is NOT a substitute for an overall network security policy. Responsible
    network security management requires careful research, planning, as well as
    continued vigilance. It is important to develop, document, and maintain standards
    for appropriate network access and utilization.
 2. While a guide to your first steps in securing the TCP/IP operations within
    a Cisco router running IOS, this process is NO substitute for expertise in IP
    network security and exploit reduction. It is crucial for network support personnel
    to cultivate and maintain a base of knowledge in these areas.
 3. DO NOT deploy any proposed configuration changes without thorough testing
    in a non-critical environment. You will want to research any commands with which
    you are not very familiar. Cisco's web-site has many outstanding resources,
    documents, templates, and links for further information, to assist you in this
    effort. Also, the Cisco Technical Assistance Center (TAC) is always available.
   
Product Security Incident Response Team (PSIRT) advisories.

PASSWORD MANAGEMENT:
  WARNING: This router's passwords are not as secure as they can be.
  TRY THIS: To improve password security, you may wish to introduce the following
  configuration command(s):
  * 'service password-encryption'
    INFO: This service directs IOS to encrypt passwords, CHAP secrets and similar
    data. The encryption method is NOT strong and can be reversed by any competent
    amateur cryptographer in a few hours.
  * 'enable secret'
    INFO: This command enables strong MD5 password hashing for the enable password.
    While there is no known method to reverse this algorithm, the password itself
    is still vulnerable to dictionary attacks.
  * 'aaa new-model'
    'aaa authentication login'
    INFO: These commands establish a more sophisticated authentication model for
    logins and privileged sessions. In conjunction with a security server (TACACS+
    or RADIUS), login passwords may be secured and tracked much more thoroughly
    than before. Even without a security server, these commands improve the information
    available from the system logs by associating each login and privileged session
    with a specific username/password combination.
    NOTE: Create AT LEAST ONE local user account on the router before adding these
    commands to the configuration.
  * 'username ... password ...'
    INFO: This command creates user accounts local to the router. While these
    local accounts are no more secure than the standard vty 'password', they improve
    the quality of information stored in log files by associating each login with
    a specific user. These accounts can also serve as backup authentication if
    primary authentication from a security server (TACACS+ or RADIUS) becomes unavailable.
  NOTE: It is always important to secure all copies of the router configuration
  file from unauthorized individuals.
 
SECURING INTERACTIVE SESSIONS:
  WARNING: Interactive sessions initiated to and from this router are not as secure
  as they can be.
  TRY THIS: Consider introducing the following configuration command(s):
  * 'service tcp-keepalives-in'
    INFO: This command enables TCP keepalives on incoming connections to the router,
    thus preventing 'orphaned' sessions created by sudden disconnects such as a
    modem failure or a remote system crash.
  * 'service tcp-keepalives-out'
    INFO: This command enables TCP keepalives on outgoing connections from the
    router. While not unbreakable, this feature makes more difficult the practice
    of using a false host to assume an active session initiated from the router.
  * 'banner login'
    INFO: In some jurisdictions, civil and/or criminal prosecution of unauthorized
    users is much easier when you provide a banner warning them that their access
    is unauthorized. Legal notification requirements are complex and these should
    be discussed with your own legal counsel. Once the appropriate login warning
    has been developed for your router, you may incorporate it into your unit for
    display before all interactive logins with the 'banner login' configuration
    command.
 
PORT/LINE SECURITY:
  WARNING: This router's ports/lines are not as secure as they can be.
  TRY THIS: Consider introducing the following configuration command(s):
  * 'line con 0'
    . 'transport input none'
      INFO: This command guards against anyone initiating a reverse-telnet session
      to the router's console port.
    . 'exec-timeout'
      INFO: This command will end an interactive session if it remains inactive
      for a specified number of minutes.
  * 'line aux 0'
    . 'transport input none'
      INFO: This command guards against anyone initiating a reverse-telnet session
      to the router's aux port.
    . 'exec-timeout'
      INFO: This command will end an interactive session if it remains inactive
      for a specified number of minutes.
  * 'line vty 0 4'
    . 'transport input ssh'
      INFO: This command restricts the session protocols that can be used to only
      SSH, in order to initiate a session to the router. Using SSH is preferable
      to TELNET since sessions are encrypted.  SSH has been supported since IOS
      12.0.5.S.
      REFERENCE: Configuring SSH on Cisco IOS routers
    . 'exec-timeout'
      INFO: This command will end an interactive session if it remains inactive
      for a specified number of minutes.
    . 'access-class ... in'
      INFO: This command, in conjunction with an access-list, restricts interactive
      sessions to a specific list of source hosts. This parameter can be added
      to all vty ports or just the last. The latter case will allow access to the
      router from anywhere on the network but holds the last port in reserve for
      a trusted host should the others 'fill-up' for any reason.
 
HTTP MANAGEMENT SERVICE:
  WARNING: The HTTP management service is enabled on this router. It is generally
  recommended that this service be disabled, especially across the public Internet.
  TRY THIS: Use the 'no ip http server' configuration command to disable this service.
 
ROUTE/PATH INTEGRITY:
  WARNING: This router will accept packets with the IP source-routing option.
  These packets have the ability to control not only their own route toward destination
  but any replies as well. Some older IP implementations are vulnerable to these
  packets and their associated systems may crash while trying to process.
  TRY THIS: You can direct the router to drop any packet with the source-routing
  option using the 'no ip source-route' configuration command.
 
  WARNING: This router does not show any filter against ICMP redirects.
  INFO: An ICMP redirect is a message to a host to use a specific router as its
  path to a particular destination. In a properly functioning network, these messages
  will be sent within a local segment only. If this rule is violated, however,
  ICMP redirects can become the basis of attack.
  TRY THIS: Consider the introduction of or addition to an access-list applied
  to externally facing interfaces to prevent these messages from crossing network
  segments. Use the 'access-list 100 deny icmp any any redirect' configuration
  command.
  REFERENCE: See Extended Access List Examples for more information.
 
  WARNING: This router does not show protection against commonly 'spoofed' IP addresses.
  INFO: Spoofing is the practice of falsifying the source-address of an IP packet
  so as to disguise its origin and/or intent.
  TRY THIS: Consider the introduction of OR addition to an IP access-list applied
  to incoming packets on all active interfaces. The LAN interface should block
  all IP source-addresses not specifically permitted to exist on that network segment.
  The WAN interface should block any traffic attempting to represent itself as
  from the WAN interface itself, the internal LAN segment, a private network (impossible
  from the Internet), a loopback address (not permitted on the Internet), or from
  multicast/experimental address-space (invalid under most circumstances).
  INFO: Private network addresses are within these ranges:
         10.0.0.0 - 10.255.255.255
       172.16.0.0 - 172.31.255.255
      192.168.0.0 - 192.168.255.255
  INFO: Loopback and multicast addresses exist within these ranges:
        127.0.0.0 - 127.255.255.255
        224.0.0.0 - 255.255.255.255
  NOTE: Research the anti-spoofing requirements of your own network before applying
  this protection.
 
SERVICE-EXPLOIT REDUCTION:
  WARNING: One or more services are running that can be exploited.
  TRY THIS: To reduce possible service-based exploits that may be attempted against
  this router, consider disabling these services using the following configuration
  command(s):
  * 'no service udp-small-servers'
  * 'no service tcp-small-servers'
  * 'no service finger'
  * 'no ip bootp server'
  * 'no ip domain-lookup'
  These services are rarely used for legitimate purposes and can be co-opted to
  launch a denial-of-service as well as other types of attacks.
 
  WARNING: NTP (Network Time Protocol) has not been secured.
  INFO: While not particularly dangerous, it can be used to subvert certain security
  protocols (those that use a time-base) and foul the time-stamps on the router's
  log messages.
  TRY THIS: To disable NTP on a per interface basis, use the 'ntp disable' interface
  configuration command. To use NTP more securely, consider the following configuration
  command(s):
  * 'ntp server'
  * 'ntp authenticate'
 
  WARNING: CDP (Cisco Discovery Protocol) is currently running on this router.
  INFO: While CDP can be used to provide some network management functions, the
  information it offers to each directly connected segment can be used to design
  attacks against your network.
  TRY THIS: You can disable CDP using the 'no cdp run' configuration command.
  To continue running CDP, consider adding the 'no cdp enable' interface command
  to any/every EXTERNAL interface.
 
  WARNING: Proxy ARP may be enabled on the following interfaces:
      FastEthernet0
  INFO: The Cisco IOS software uses proxy ARP (as defined in RFC 1027) to help
  hosts with no knowledge of routing determine the media addresses of hosts on other
  networks or subnets.  Proxy ARP can lead to increased ARP traffic on a segment,
  increased ARP table size in hosts, and can prove vulnerable to 'spoofing' attacks,
  where a machine can claim to be another in order to intercept packets.
  TRY THIS: Check whether Proxy ARP is enabled using the 'show ip interface'
  command. You can disable proxy ARP using the 'no ip proxy-arp' configuration
  command.
 
TRAFFIC-FLOOD MANAGEMENT:
  INFO: Many denial-of-service (DOS) attacks are based on sending a flood of useless
  packets to vulnerable units.
 
  WARNING: This router may not respond well in the face of a flood-based attack.
  TRY THIS: To improve this router's response, consider introducing the following
  configuration command(s):
  * 'scheduler allocate'
    INFO: This command guarantees that the router's CPU will respond to interactive
    sessions regardless of heavy traffic loads.
    Serial0
    * 'no ip unreachables'
    * 'no ip redirects'
    Serial0.1 point-to-point
    * 'no ip unreachables'
    * 'no ip redirects'
    FastEthernet0
    * 'no ip unreachables'
    * 'no ip redirects'
    Dialer1
    * 'no ip unreachables'
    * 'no ip redirects'
    INFO: These commands will disable the replies utilized by the more common
    DoS-attacks at the interface-level. While these do not specifically protect
    this router/network from attack, they do much to prevent it being used as an
    unwitting 'reflector' of attacks directed towards others.
  * 'ip verify unicast reverse-path'
    INFO: This interface command examines each packet received as input on that
    interface. If the source IP address does not have a route in the CEF tables
    that points back to the same interface on which the packet arrived, the router
    drops the packet. The feature should be applied to internet facing interfaces
    and CEF (Cisco Express Forwarding) should be enabled on the router.
    REFERENCE: Configuring Unicast Reverse Path Forwarding
 
  INFO: If this router is a 2600 series or higher (this includes Catalyst 5000
  series units configured with an RSM), you may wish to investigate the TCP Intercept
  feature introduced in IOS Version 11.2. This is a powerful feature designed to
  protect selected hosts from SYN-flood attacks common to the Internet. There is
  some cost, however, with regard to the router's performance.
  REFERENCE: For more information, see Cisco IOS TCP Intercept and TCP Intercept.
 
  INFO: You may consider enabling the 'committed access rate' (CAR) feature to limit
  the bandwidth consumed by certain traffic types such as ICMP, TCP 'SYN', UDP
  and multicast packets. These should be applied to internet facing interfaces
  using the 'rate-limit' interface configuration command and an appropriate access-list.
  This can be helpful in limiting the effect of denial of service attacks. CAR
  is a functionality that works with Cisco Express Forwarding, found in 11.1CC
  and releases from 12.0.
  REFERENCE: For more information, see Configuring Committed Access Rate
 
LOGGING:
  WARNING: This router is not taking full advantage of its logging capabilities.
  INFO: The router is capable of logging accesses and other significant events
  using a variety of methods. These logs, when detailed over a significant interval,
  are invaluable in identifying/responding to attacks and other abuses.
  TRY THIS: To take advantage of these logging activities consider introducing
  the following configuration command(s):
  * 'logging (IP address of syslog server)'
  * 'logging trap'
    INFO: These commands set up communication between the router's logging process
    and a syslog server. A syslog server is an inexpensive and widely available
    application/agent that stores log entries from network devices. This facility
    allows you permanent storage for logging information, which is especially valuable
    when physical access to the router is impractical. A syslog server also affords
    greater detail within the logs themselves (less reliance on the router's logging
    buffer). The level of 'urgency' (detail) of the syslog server-stored logs is
    set via the 'logging trap' command. There is minimal performance impact to
    the router, regardless of the level of logging detail. Like any component of
    a network-management system, the syslog server application should be run only
    from a secured, trusted host.
  * 'no logging console'
    INFO: This command disables all logging to the console terminal. Excessive
    debugs to the console port of a router can cause it to hang. This is because
    the router automatically prioritizes console output ahead of other router functions.
    Hence, if the router is processing a large debug output to the console port,
    it may hang. Hence, if the debug output is excessive, use the vty (telnet)
    ports or the log buffers to obtain your debugs.
    REFERENCE: Important Information on Debug Commands
  * 'aaa accounting'
    INFO: The best, most detailed logging is done in conjunction with a TACACS+
    or RADIUS server. While this option would require some setup, configuration,
    and ongoing support, the benefits to your overall network security are considerable
    and extend well beyond logging functions.
    REFERENCE: For more information on IOS Version-Specific AAA Overview and Configuration
    Guides, see: Configuring Accounting (IOS 12.1)
  * 'exception dump'
    INFO: When a router crashes, a copy of the core memory is kept. Before the
    memory is erased on reboot, the router can be set up to copy the core dump
    out to a UNIX server. These dumps can be extremely useful in identifying the
    cause of a crash. An account (ftp, tftp, or rcp) and sufficient disk space
    (equal to the amount of memory on the router per dump) needs to be set up and
    allocated. One example, using FTP to export the dump:
      !
      ip ftp source-interface Loopback0
      ip ftp username [enter username here]
      ip ftp password [enter password here]
      !
      exception protocol ftp
      exception dump [enter IP address of FTP Server here]
      !
    REFERENCE: For more information on configuring core dumps, see:
      Configuring Core Dumps
  * 'ip accounting access-violations'
    INFO: This command enables IP accounting on an interface with the ability
    to identify IP traffic that fails IP access lists. The following interfaces
    could benefit from this:
          Serial0
          Serial0.1 point-to-point
          BRI0
          FastEthernet0
          Dialer1
    Once enabled, violations may be viewed with the 'show ip accounting access-violations'
    command.
 
REFERENCE: For additional information see:
  Practical Reading:
    Improving Security on Cisco Routers
    Characterizing and Tracing Packet Floods Using Cisco Routers
  IOS Version-Specific Security Overviews/Configuration Guides:
    Security Overview (IOS 12.1)
  Cisco Security Solutions:
    Security Solutions

 
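The report above is a list of pattern checks over the running-config, so the same kind of check is easy to script and re-run after every change. The following is an added example, not Cisco's Output Interpreter and not code from this thread: its regexes encode the report's recommendations plus the vty access-class and 'service password-encryption' advice from the earlier comments. Both configurations are constructed abbreviations: the weak one mirrors the question's config, the hardened one is a hypothetical corrected form with placeholder addresses, enable-secret hash and banner text. Per-interface checks run only on interfaces that carry an IP address and are not shut down; uRPF and the anti-spoofing lists are left out because nothing in the config text says which interface faces the Internet.

```python
"""Static audit of a Cisco IOS running-config for the weaknesses the report above lists.

Added example, not Cisco's Output Interpreter: the patterns encode the report's
recommendations.  Both configs are constructed; addresses, the enable-secret hash
and the banner are placeholders.
"""
import re

WEAK_CONFIG = """\
no service password-encryption
service udp-small-servers
service tcp-small-servers
logging buffered 4096 debugging
enable password somepassword
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
ip http server
line aux 0
 password somepassword
 login
 transport input all
line vty 0 4
 password somepassword
 login
no scheduler allocate
"""

HARDENED_CONFIG = """\
service password-encryption
service tcp-keepalives-in
no service udp-small-servers
no service tcp-small-servers
enable secret 5 $1$abcd$placeholderhash
no ip source-route
no cdp run
logging 192.168.1.50
banner login ^C Authorized use only ^C
access-list 10 permit 192.168.1.0 0.0.0.255
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
no ip http server
line aux 0
 exec-timeout 5 0
 transport input none
line vty 0 4
 exec-timeout 10 0
 access-class 10 in
 transport input ssh
scheduler allocate 4000 1000
"""

GLOBAL_REQUIRED = [  # (pattern some global line must match, finding when none does)
    (r"^service password-encryption$", "passwords stored in clear text"),
    (r"^enable secret ", "no 'enable secret' (MD5-hashed enable password)"),
    (r"^no ip source-route$", "source-routed packets accepted"),
    (r"^no cdp run$", "CDP running"),
    (r"^logging (host )?\d+\.\d+\.\d+\.\d+", "no syslog server configured"),
    (r"^banner login ", "no login banner"),
    (r"^service tcp-keepalives-in$", "no TCP keepalives on inbound sessions"),
]
GLOBAL_FORBIDDEN = [  # (pattern no global line may match, finding per line that does)
    (r"^service (tcp|udp)-small-servers$", "TCP/UDP small servers enabled"),
    (r"^ip http server$", "HTTP management server enabled"),
    (r"^no scheduler allocate$", "scheduler allocate disabled (CPU starved under a flood)"),
]
INTERFACE_REQUIRED = ["no ip redirects", "no ip unreachables", "no ip proxy-arp"]


def parse_sections(text):
    """Return (global_lines, {section header: [indented sub-lines]}) for interface/line blocks."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif re.match(r"^(interface|line) ", raw):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, sections


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, sections = parse_sections(text)
    findings = []
    for pattern, msg in GLOBAL_REQUIRED:
        if not any(re.match(pattern, l) for l in global_lines):
            findings.append(f"global: {msg}")
    for pattern, msg in GLOBAL_FORBIDDEN:
        findings += [f"global: {msg} ('{l}')" for l in global_lines if re.match(pattern, l)]
    for header, body in sections.items():
        if header.startswith("interface"):
            if "shutdown" in body or not any(l.startswith("ip address ") for l in body):
                continue  # down or unnumbered interfaces get no per-interface checks
            findings += [f"{header}: missing '{cmd}'" for cmd in INTERFACE_REQUIRED if cmd not in body]
            continue
        if not any(l.startswith("exec-timeout ") for l in body):
            findings.append(f"{header}: no exec-timeout")
        if header.startswith("line vty"):
            if not any(l.startswith("access-class ") for l in body):
                findings.append(f"{header}: no access-class on management sessions")
            if "transport input ssh" not in body:
                findings.append(f"{header}: telnet permitted (set 'transport input ssh')")
        if header.startswith("line aux") and "transport input none" not in body:
            findings.append(f"{header}: reverse telnet into aux allowed (set 'transport input none')")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Paste the output of 'show running-config' into audit() to get the list; the weak sample produces nineteen findings and the hardened one none. The checks are deliberately literal (exact command text, anchored regexes), so a command spelt differently or abbreviated in the config will show up as missing and should be confirmed by hand.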
 
LVL 5

Expert Comment

by:visioneer
ID: 10749802
Greenclock, which tool did you use, please?
 
LVL 6

Expert Comment

by:Greenclock
ID: 10751642
Output Interpreter - You need to have a Registered CCO account with cisco to be able to access it. Sorry...

GC  
 
LVL 5

Expert Comment

by:visioneer
ID: 10752928
I have one, that's why I asked.  Thanks.  :-)
 
LVL 6

Expert Comment

by:Greenclock
ID: 10753177
Shouldn't be any probs then. Just cut'n'paste the config in and it will display the results. Even able to email it to someone else if need be.

Very good for a quick diagnosis.  A must for anyone supporting Cisco Kit.

GC
 
LVL 79

Expert Comment

by:lrmoore
ID: 10807664
Any updates for us? Are you still working on this? Do you need more information?
