© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod5_L4 1 Implementing Secure Converged Wide Area Networks (ISCW)

Dec 21, 2015

Transcript
Page 1

Implementing Secure Converged Wide Area Networks (ISCW)

Page 2

Lesson 4 – Module 5 – ‘Cisco Device Hardening’

Disabling Unused Cisco Router Network Services and Interfaces

Page 3

Module Introduction

The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions onto the public network, they need to take precautions to ensure that attackers do not compromise their data and that the data is not accessed by the wrong people.

Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.

Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

Page 4

Vulnerable Router Services and Interfaces

Medium-size and large networks typically use a firewall appliance behind the perimeter router, which adds security features and performs user authentication and more advanced packet filtering.

Firewall installations also facilitate the creation of demilitarized zones (DMZs), where the firewall 'places' hosts that are commonly accessed from the Internet.

Cisco IOS software offers an alternative to a firewall appliance by incorporating many firewall features in the perimeter router. Although this option does not provide the same performance and security features that a Cisco PIX Security Appliance offers, a router with an integrated firewall feature set can solve most small-to-medium business perimeter security requirements.

Cisco IOS routers run many services that create potential vulnerabilities. To secure an enterprise network, all unneeded router services and interfaces must be disabled.

Page 5

Vulnerable Router Services and Interfaces

Cisco IOS routers can be used as:

Edge devices

Firewalls

Internal routers

Routers have default services that create potential vulnerabilities (for example, BOOTP, CDP, FTP, TFTP, NTP, finger, SNMP, TCP/UDP minor services, IP source routing, and proxy ARP).

Vulnerabilities can be exploited regardless of where the routers are placed.

Page 6

Vulnerable Router Services

Disable unnecessary services and interfaces (BOOTP, CDP, FTP, TFTP, NTP, PAD, and TCP/UDP minor services)

Disable commonly configured management services (SNMP, HTTP, and DNS)

Ensure path integrity (ICMP redirects and IP source routing)

Disable probes and scans (finger, ICMP unreachables, and ICMP mask replies)

Ensure terminal access security (ident and TCP keepalives)

Disable gratuitous and proxy ARP

Disable IP directed broadcast

Page 7

Unnecessary Services and Interfaces

Router service: default state; best practice.

BOOTP server: enabled by default. Disable.

Cisco Discovery Protocol (CDP): enabled by default. Disable if not required.

Configuration auto-loading: disabled by default. Disable if not required.

FTP server: disabled by default. Disable if not required; otherwise encrypt the traffic within an IPsec tunnel.

TFTP server: disabled by default. Disable if not required; otherwise encrypt the traffic within an IPsec tunnel.

Network Time Protocol (NTP) service: disabled by default. Disable if not required; otherwise configure NTPv3 and control access between permitted devices using ACLs.

Packet assembler/disassembler (PAD) service: enabled by default. Disable if not required.

TCP and UDP minor services: enabled by default before Cisco IOS 11.3, disabled by default in 11.3 and later. Disable if not required.

Maintenance Operation Protocol (MOP) service: enabled by default (on Ethernet interfaces). Disable explicitly if not required.

Page 8

Commonly Configured Management Services

Management service: enabled by default; best practice.

Simple Network Management Protocol (SNMP): enabled by default. Disable the service; otherwise configure SNMPv3.

HTTP configuration and monitoring: device dependent. Disable if not required; otherwise restrict access using ACLs.

Domain Name System (DNS) client service: enabled by default. Disable if not required; otherwise explicitly configure the DNS server address.

Page 9

Path Integrity Mechanisms

Path integrity mechanism: enabled by default; best practice.

ICMP redirects: enabled by default. Disable the service.

IP source routing: enabled by default. Disable if not required.

Page 10

Probe and Scan Features

Probe and scan feature: enabled by default; best practice.

Finger service: enabled by default. Disable if not required.

ICMP unreachable notifications: enabled by default. Disable explicitly on untrusted interfaces.

ICMP mask reply: disabled by default. Disable explicitly on untrusted interfaces.

Page 11

Terminal Access Security

Terminal access feature: enabled by default; best practice.

IP identification (ident) service: enabled by default. Disable.

TCP keepalives: disabled by default. Enable.

Page 12

ARP Service

ARP service: enabled by default; best practice.

Gratuitous ARP: enabled by default. Disable if not required.

Proxy ARP: enabled by default. Disable if not required.
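The tables on pages 7 to 12 are easy to turn into an audit of a router's `show running-config`. The script below is an added example, not Cisco code or part of the course. The default states are the ones the tables give; the service names, the sample configuration and the regular expressions are this example's own. The one point it has to handle correctly is that IOS omits any setting that equals the platform default from `show running-config`, so a service with no line at all is in its default state (enabled for CDP, finger, ident, ICMP redirects and so on), not disabled. Where in doubt, compare with `show running-config all` on the device.

```python
"""Audit a Cisco IOS running-config against this lesson's service tables.
Added example, not Cisco code; SAMPLE_CONFIG is constructed. Default states
follow the lesson's tables. Key subtlety: `show running-config` omits settings
equal to the platform default, so an absent line means "default", not "off";
confirm with `show running-config all` on the real device."""
import re
from collections import namedtuple

# name, default state (lesson tables), regex that enables it, regex that disables it (or None)
Service = namedtuple("Service", "name default_enabled on_re off_re")

GLOBAL_SERVICES = [
    Service("BOOTP server", True, r"^ip bootp server$", r"^no ip bootp server$"),
    Service("CDP", True, r"^cdp run$", r"^no cdp run$"),
    Service("Finger", True, r"^(ip finger|service finger)$", r"^no (ip finger|service finger)$"),
    Service("PAD", True, r"^service pad$", r"^no service pad$"),
    Service("TCP/UDP small servers", False, r"^service (tcp|udp)-small-servers", r"^no service (tcp|udp)-small-servers"),
    Service("IP source routing", True, r"^ip source-route$", r"^no ip source-route$"),
    Service("Gratuitous ARP", True, r"^ip gratuitous-arps$", r"^no ip gratuitous-arps$"),
    Service("Ident", True, r"^ip identd$", r"^no ip identd$"),
    Service("HTTP server", False, r"^ip http server$", r"^no ip http server$"),
    Service("SNMP v1/v2c community", False, r"^snmp-server community ", None),
]
# The "Enable" rows of the tables: these lines must be present.
REQUIRED_GLOBAL = {
    "TCP keepalives (inbound)": r"^service tcp-keepalives-in$",
    "TCP keepalives (outbound)": r"^service tcp-keepalives-out$",
    "Password encryption": r"^service password-encryption$",
}
INTERFACE_SERVICES = [
    Service("ICMP redirects", True, r"^ip redirects$", r"^no ip redirects$"),
    Service("Proxy ARP", True, r"^ip proxy-arp$", r"^no ip proxy-arp$"),
    Service("ICMP unreachables", True, r"^ip unreachables$", r"^no ip unreachables$"),
    Service("IP directed broadcast", False, r"^ip directed-broadcast", r"^no ip directed-broadcast$"),
    Service("ICMP mask reply", False, r"^ip mask-reply$", r"^no ip mask-reply$"),
    Service("MOP", True, r"^mop enabled$", r"^no mop enabled$"),  # Ethernet interfaces only
]
ETHERNET_RE = re.compile(r"^(Fast|Gigabit|TenGigabit)?Ethernet", re.IGNORECASE)

def parse_config(text):
    """Split a running-config into global lines and {interface: [sub-commands]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                       # "!" closes an interface block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def service_state(lines, svc):
    """Return (enabled, reason); reason is "explicit" or "default"."""
    if any(re.match(svc.on_re, l) for l in lines):
        return True, "explicit"
    if svc.off_re and any(re.match(svc.off_re, l) for l in lines):
        return False, "explicit"
    return svc.default_enabled, "default"

def audit(text):
    """Return (scope, service, reason) tuples for everything still enabled or missing."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for svc in GLOBAL_SERVICES:
        enabled, reason = service_state(global_lines, svc)
        if enabled:
            findings.append(("global", svc.name, reason))
    for name, pattern in REQUIRED_GLOBAL.items():
        if not any(re.match(pattern, l) for l in global_lines):
            findings.append(("global", name, "missing"))
    for ifname, lines in interfaces.items():
        for svc in INTERFACE_SERVICES:
            if svc.name == "MOP" and not ETHERNET_RE.match(ifname):
                continue                         # MOP only exists on Ethernet
            enabled, reason = service_state(lines, svc)
            if enabled:
                findings.append((ifname, svc.name, reason))
    return findings

# Constructed sample: a router that has been only partly hardened.
SAMPLE_CONFIG = """\
service password-encryption
no service pad
no ip bootp server
ip http server
snmp-server community public RO
!
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 ip directed-broadcast
!
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

On the sample, the audit reports HTTP and the SNMP community as explicit findings, CDP, finger, source routing, gratuitous ARP and ident as "default" findings (no line either way, so the table's default applies), both TCP keepalive lines as missing, and on the interfaces the redirects, proxy ARP, unreachables, MOP and the explicitly enabled directed broadcast. The "default" reason is the one to watch: a config that looks clean because it says nothing is not the same as one that says `no cdp run`.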

Page 13

Router Hardening Considerations

Attackers can exploit unused router services and interfaces.

Administrators do not need to know how to exploit the services, but they should know how to disable them.

It is tedious to disable the services individually.

An automated method is needed to speed up the hardening process.

Page 14

Locking Down Routers with AutoSecure

The AutoSecure feature was introduced in Cisco IOS Release 12.3.

AutoSecure is a single privileged EXEC command that eliminates many potential security exposures quickly and easily, which makes securing Cisco routers more efficient.

AutoSecure allows two modes of operation:

1. Interactive mode: Prompts to choose the way you want to configure router services and other security-related features

2. Noninteractive mode: Configures security-related features on your router based on a set of Cisco defaults

Page 15

AutoSecure Functions

AutoSecure can selectively lock down:

Management plane services and functions: finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask replies), directed broadcast, MOP, banner. Also provides password security and SSH access.

Forwarding plane services and functions: CEF, traffic filtering with ACLs.

Firewall services and functions: Cisco IOS Firewall inspection for common protocols.

Login functions: password security.

NTP protocol.

SSH access.

TCP Intercept services.

Page 16

AutoSecure Failure Rollback Feature

If AutoSecure fails to complete its operation, the running configuration may be corrupt.

In Cisco IOS Release 12.3(8)T and later releases:

A snapshot of the pre-AutoSecure configuration is stored in flash as pre_autosec.cfg.

Rollback reverts the router to that pre-AutoSecure configuration.

Command: configure replace flash:pre_autosec.cfg

If the router runs software earlier than Cisco IOS Release 12.3(8)T, save the running configuration before running AutoSecure.

Page 17

AutoSecure Process Overview

router# auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]

Cisco AutoSecure Interactive Steps:

Step 1 — Identify outside interfaces.

Step 2 — Secure the management plane.

Step 3 — Create security banner.

Step 4 — Configure passwords, AAA, and SSH.

Step 5 — Secure the interface settings.

Step 6 — Secure the forwarding plane.

Page 18

Auto Secure Parameters

Parameter Description

management (Optional) Only the management plane will be secured.

forwarding (Optional) Only the forwarding plane will be secured.

no-interact (Optional) The user will not be prompted for any interactive configurations. No interactive dialogue parameters will be configured, including usernames or passwords.

full (Optional) The user will be prompted for all interactive questions. This is the default setting.

ntp (Optional) Specifies the configuration of the Network Time Protocol (NTP) feature in the AutoSecure command-line interface (CLI).

login (Optional) Specifies the configuration of the Login feature in the AutoSecure CLI.

ssh (Optional) Specifies the configuration of the SSH feature in the AutoSecure CLI.

firewall (Optional) Specifies the configuration of the Firewall feature in the AutoSecure CLI.

tcp-intercept (Optional) Specifies the configuration of the TCP-Intercept feature in the AutoSecure CLI.

Page 19

Step 1: Identify Outside Interfaces

Router# auto secure
--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of the router but it will not make router absolutely secure from all security attacks ***

All the configuration done as part of AutoSecure will be shown here. For more details of why and how this configuration is useful, and any possible side effects, please refer to Cisco documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: y
Enter the number of interfaces facing internet [1]: 1

Interface     IP-Address    OK? Method Status Protocol
Ethernet0/0   10.0.2.2      YES NVRAM  up     up
Ethernet0/1   172.30.2.2    YES NVRAM  up     up

Enter the interface name that is facing internet: Ethernet0/1

Page 20

Step 2: Secure Management Plane Services

Securing Management plane services..

Disabling service finger

Disabling service pad

Disabling udp & tcp small servers

Enabling service password encryption

Enabling service tcp-keepalives-in

Enabling service tcp-keepalives-out

Disabling the cdp protocol

Disabling the bootp server

Disabling the http server

Disabling the finger service

Disabling source routing

Disabling gratuitous arp

Page 21

Step 3: Create Security Banner

Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements.

Authorised Access only

This system is the property of Woolloomooloo Pty Ltd. UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.

You must have explicit permission to access this

device. All activities performed on this device

are logged and violations of this policy result

in disciplinary action.

Enter the security banner {Put the banner between

k and k, where k is any character}:

%This system is the property of Cisco Systems, Inc.

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.%

Page 22

Step 4: Passwords and AAA

Enable secret is either not configured or is same as enable password

Enter the new enable secret: Curium96

Configuration of local user database

Enter the username: student1

Enter the password: student1

Configuring aaa local authentication

Configuring console, Aux and vty lines for

local authentication, exec-timeout, transport

Securing device against Login Attacks

Configure the following parameters

Blocking Period when Login Attack detected: 300

Maximum Login failures with the device: 3

Maximum time period for crossing the failed login attempts: 60

Page 23

Step 5: SSH and Interface-Specific Services

Configure SSH server? [yes]: y

Enter the hostname: R2

Enter the domain-name: cisco.com

Configuring interface specific AutoSecure services

Disabling the following ip services on all interfaces:

no ip redirects

no ip proxy-arp

no ip unreachables

no ip directed-broadcast

no ip mask-reply

Disabling mop on Ethernet interfaces

Page 24

Step 6: Forwarding Plane Verification and Deployment

Securing Forwarding plane services..

Enabling CEF (This might impact the memory requirements for your platform)

Enabling unicast rpf on all interfaces connected to internet

Configure CBAC Firewall feature? [yes/no]: yes

This is the configuration generated:

no service finger

no service pad

no service udp-small-servers

no service tcp-small-servers

service password-encryption..

Apply this configuration to running-config? [yes]: y

Page 25

Auto Secure Configuration Example (1 of 6)

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd

banner #This system is the property of Cisco Systems, Inc.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.#

security passwords min-length 6

security authentication failure rate 10 log

Disable global services.

Create banner.

Set minimum password length.

Set the login failure rate.

Page 26

Auto Secure Configuration Example (2 of 6)

enable secret 5 $1$6NpI$ClSvtL5Zs63fPpsQT5Dyq/
enable password 7 09674F04100916

aaa new-model
aaa authentication login local_auth local

line con 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet

login block-for 5 attempts 3 within 4

Enable local AAA.

Enable secret password.

Configure local authentication on console, auxiliary and VTY lines for telnet.

Block too many login attempts.
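The `login block-for 5 attempts 3 within 4` line in the generated configuration (and the blocking period, maximum failures and watch period prompted for in Step 4) turn on the IOS login-attack quiet mode. The Python model below is an added example, not Cisco code, written to show the trade-off a practitioner should weigh before accepting these values: any host that can reach the VTY lines can trigger quiet mode with a few bad passwords and lock out legitimate administrators for the blocking period, which is why a quiet-mode ACL for the management subnet (`login quiet-mode access-class`) is normally added alongside. The sliding window, the addresses and the timings are assumptions of the model, not IOS internals.

```python
"""Model of the IOS login-attack quiet mode set up by
`login block-for <block_for> attempts <attempts> within <within>`.
Added example, not Cisco code; timings and addresses are constructed. Modelled
semantics: once `attempts` failed logins land inside a `within`-second window
the router enters quiet mode for `block_for` seconds and drops every new login
except from hosts permitted by the optional quiet-mode ACL. The sliding window
is this model's simplification of the IOS watch period."""
from collections import deque


class LoginGuard:
    def __init__(self, block_for, attempts, within, quiet_mode_allow=()):
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.allow = set(quiet_mode_allow)   # hosts in the `login quiet-mode access-class` ACL
        self.failures = deque()              # timestamps of recent failed logins
        self.quiet_until = None

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, now, src, password_ok):
        """Outcome of a login at time `now` from `src`:
        "accepted", "rejected" (bad password) or "blocked" (quiet mode)."""
        if self.in_quiet_mode(now) and src not in self.allow:
            return "blocked"
        if password_ok:
            return "accepted"
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()          # forget failures outside the watch window
        self.failures.append(now)
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
        return "rejected"


if __name__ == "__main__":
    # The generated config above: login block-for 5 attempts 3 within 4
    guard = LoginGuard(block_for=5, attempts=3, within=4, quiet_mode_allow={"10.0.2.10"})
    events = [(0, "203.0.113.9", False), (1, "203.0.113.9", False), (2, "203.0.113.9", False),
              (3, "10.0.2.2", True), (3, "10.0.2.10", True), (8, "10.0.2.2", True)]
    for t, src, ok in events:
        print(f"t={t}s {src:12} ok={ok!s:5} -> {guard.attempt(t, src, ok)}")
```

Three failures from 203.0.113.9 inside four seconds put the router into quiet mode until t=7; the administrator at 10.0.2.2 is then blocked even with the right password, while 10.0.2.10, covered by the quiet-mode ACL, still gets in. Failures spread over more than the watch window (for example at t=0, 3, 6) never trip it.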

Page 27

Auto Secure Configuration Example (3 of 6)

hostname LosAngeles
ip domain-name cisco.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered

Configure hostname, domain name and SSH. Note that the VTY lines are left with transport input ssh telnet, so telnet is still accepted; change this to transport input ssh to allow SSH only.

Configure logging parameters.

Page 28

Auto Secure Configuration Example (4 of 6)

interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled

Disable FE interface 0/0 services.

Disable serial port services.

Disable FE interface 0/1 services.

Page 29

Auto Secure Configuration Example (5 of 6)

ip cef

interface Serial0/0
 ip access-group autosec_complete_bogon in
exit
access-list 100 permit udp any any eq bootpc
interface Serial0/0
 ip verify unicast source reachable-via rx allow-default 100

ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
!
end

Enable CEF.

Apply the anti-bogon ACL and strict unicast RPF (with the bootpc exception in ACL 100) to the outside interface, Serial0/0.

Turn on the CBAC firewall with common settings.

Page 30

Auto Secure Configuration Example (6 of 6)

ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any

interface Serial0/0
 ip inspect autosec_inspect out
 ip access-group autosec_firewall_acl in

Apply CBAC inspect list to outside interface.

Apply ACL to outside interface.
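The forwarding-plane part of the generated configuration (pages 29 and 30) enables strict unicast RPF on the outside interface with `ip verify unicast source reachable-via rx allow-default 100`, where ACL 100 permits only UDP to port bootpc. The Python model below is an added example, not Cisco code, showing what that line decides for a few packets: it mirrors the documented behaviour (the source address must be reachable back out the receiving interface; `allow-default` lets the default route satisfy the check; a packet that fails is still forwarded if the referenced ACL permits it). The FIB, the interface names and the packets are constructed for the example.

```python
"""Model of the strict uRPF check AutoSecure applies to the Internet-facing
interface: `ip verify unicast source reachable-via rx allow-default 100`.
Added example, not Cisco code; the FIB and packets are constructed. Modelled
semantics: look the source address up in the FIB (longest prefix match); pass
if the best route points back out the receiving interface. With allow-default
a match on the default route counts; without it the default route is ignored.
A packet that fails is still forwarded if ACL 100 permits it."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport in_iface")
BOOTPC = 68   # `eq bootpc`


class Fib:
    def __init__(self, routes):
        # routes: {"10.0.2.0/24": "FastEthernet0/0", "0.0.0.0/0": "Serial0/0"}
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes.items()),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        """Longest-prefix match: (network, out_iface) or None."""
        a = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if a in net:
                return net, iface
        return None


def acl_100_permits(pkt):
    """access-list 100 permit udp any any eq bootpc (implicit deny for the rest)."""
    return pkt.proto == "udp" and pkt.dport == BOOTPC


def urpf_strict(fib, pkt, allow_default=True, exception_acl=acl_100_permits):
    """Return ("forward" | "drop", reason) for a packet received on pkt.in_iface."""
    match = fib.lookup(pkt.src)
    if match is None:
        reason = "no route to source"
    else:
        net, out_iface = match
        if net.prefixlen == 0 and not allow_default:
            reason = "only the default route matches and allow-default is off"
        elif out_iface != pkt.in_iface:
            reason = f"best path to source is via {out_iface}, not {pkt.in_iface}"
        else:
            return "forward", "uRPF check passed"
    if exception_acl(pkt):
        return "forward", f"uRPF failed ({reason}) but the exception ACL permits it"
    return "drop", f"uRPF failed: {reason}"


# Constructed FIB for the example router: two inside LANs and a default route to the ISP.
FIB = Fib({"10.0.2.0/24": "FastEthernet0/0",
           "172.30.2.0/24": "FastEthernet0/1",
           "0.0.0.0/0": "Serial0/0"})

CASES = [
    Packet("198.51.100.7", "172.30.2.2", "tcp", 443, "Serial0/0"),    # ordinary Internet client
    Packet("10.0.2.99", "172.30.2.2", "tcp", 22, "Serial0/0"),        # spoofed inside address
    Packet("10.0.2.99", "255.255.255.255", "udp", 68, "Serial0/0"),   # spoofed, but to the bootpc port
    Packet("10.0.2.5", "10.0.2.2", "tcp", 22, "FastEthernet0/0"),     # inside host on inside interface
]

if __name__ == "__main__":
    for pkt in CASES:
        print(pkt.src, "on", pkt.in_iface, "->", *urpf_strict(FIB, pkt))
```

Two things the run makes visible. First, on an edge router whose only route back to the Internet is the default, `allow-default` is what keeps strict uRPF from dropping every legitimate inbound packet; the same packet is dropped with it off. Second, the bootpc exception exists so the router's own DHCP client on the outside link keeps working, but it is keyed on the destination port alone, so a spoofed datagram to UDP/68 passes the check; that hole is the price of the exception and is worth removing when the outside address is static.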

Page 31

Locking Down Routers with Cisco SDM

SDM simplifies router and security configuration through smart wizards that help to quickly and easily deploy, configure, and monitor a Cisco router without requiring knowledge of the CLI

SDM simplifies firewall and IOS software configuration without requiring expertise about security or IOS software

SDM contains a Security Audit wizard that performs a comprehensive router security audit

SDM uses security configurations recommended by Cisco Technical Assistance Center (TAC) and the International Computer Security Association (ICSA) as the basis for comparisons and default settings

The Security Audit wizard assesses the vulnerability of the existing router and provides quick compliance to best-practice security policies

SDM can implement almost all of the configurations that AutoSecure offers with the One-Step Lockdown feature

Page 32

Security Device Manager (SDM)

SDM automated hardening features:

• Security Audit

• One-Step Lockdown

Page 33

SDM Security Audit Overview

Security Audit compares router configuration against recommended settings

Examples of the audit include:

Shut down unneeded servers

Disable unneeded services

Apply the firewall to the outside interfaces

Disable or harden SNMP

Shut down unused interfaces

Check password strength

Enforce the use of ACLs

Page 34

SDM Security Audit: Main Window (screenshot with numbered steps 1 to 3; not reproduced in the transcript)

Page 35

SDM Security Audit Wizard

Page 36

SDM Security Audit Interface Configuration

Page 37

SDM Security Audit

Page 38

SDM Security Audit: Fix the Security Problems

Page 39

SDM Security Audit: Summary

Page 40

SDM One-Step Lockdown: Main Window (screenshot with numbered steps 1 to 3; not reproduced in the transcript)

Page 41

SDM One-Step Lockdown Wizard

Page 42