Securing the Router
Chris Cunningham

Dec 14, 2015
Page 1: Securing the Router Chris Cunningham. Chris Cunningham chris.Cunningham@nhcomputerlearning.com CCSI #33650 CCNA & CCNP Routing and Switching / CCNA Security.

Securing the Router
Chris Cunningham

Page 2:

Chris Cunningham chris.Cunningham@nhcomputerlearning.com

CCSI #33650

CCNA & CCNP Routing and Switching / CCNA Security

MCITP (Server Enter. Admin & Vista),

MCTS (Server 08 & Vista)

A+, Network+, Security+

Page 3:

Before Implementing Security Changes

• Consult Change Management Documents and Processes

• Lab it up to be sure it will do what you think it will do

• Consult Security Documentation to verify it fits in with the Security Policy of the organization

• Above all else, when finished: document the change!

Page 4:

Planes of Security

Page 5:

Management Plane: how technicians connect to the device (SSH, HTTPS, AAA, SNMP, syslog)

Control Plane: how the router decides to forward traffic (routing protocols, FHRP, the CPU that runs them)

Data Plane: the data being forwarded (transit traffic, filtered with ACLs and uRPF, observed with NetFlow)

Page 6:

Management Plane

Page 7:

Encrypted Communications

• SSH Version 2 (never Telnet)

• HTTPs for GUI Configuration

Page 8:

Secure Login

• Use RADIUS or TACACS+

Router(config)# aaa new-model

Router(config)# radius server RADIUS-1

Router(config-radius-server)# address ipv4 10.0.0.1 auth-port 1812 acct-port 1813

Router(config-radius-server)# key apple

Router(config)# aaa authentication login default group radius local

Router(config)# username admin secret 0 apple

Note: `radius server` takes a name (RADIUS-1 here is a placeholder), and the shared `key` is a separate command under the server definition, not part of the `address` line. The trailing `local` keyword keeps the local `username ... secret` account as a fallback only when no RADIUS server answers, which is why that local account must exist and must use `secret` (hashed) rather than `password`.

• Login Lockouts (local accounts)

Router(config)# aaa local authentication attempts max-fail 3

Router# clear aaa local user lockout [username | all]

• Disable Password Recovery (prevents the BREAK sequence from dropping the router into ROMMON during boot, so someone with console access cannot bypass the startup-config)

Router(config)# no service password-recovery

Caveat: with recovery disabled, losing the credentials means resetting the device to factory defaults (the startup-config is erased), so keep an offline copy of the configuration before enabling this.

• Access Class (an ACL on the vty lines restricting which source addresses may open a management session)

• Exec-timeout (close idle sessions so an unattended terminal cannot be reused)
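The management-plane items above, combined into one IOS configuration as an added example (this is not from the original slides). The hostname R1, the domain example.test, the management subnet 10.0.0.0/24 and ACL number 10 are assumed placeholders; `login authentication default` relies on the `aaa new-model` setup from the previous slide (without AAA, use `login local` instead).

```cisco
! --- SSH version 2 only ---
! An RSA key pair needs a hostname and domain name to exist first
hostname R1
ip domain-name example.test
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! --- HTTPS for the GUI, plain HTTP off, and only from the management ACL ---
no ip http server
ip http secure-server
ip http access-class 10
!
! --- Access class: only the management subnet may reach the vty lines ---
access-list 10 remark management stations (placeholder subnet)
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any log
!
! --- vty and console: SSH only, access class, idle timeout of 10 minutes ---
line vty 0 4
 transport input ssh
 access-class 10 in
 exec-timeout 10 0
 login authentication default
line con 0
 exec-timeout 10 0
 login authentication default
```

Verify with `show ip ssh` (must report version 2.0, not 1.99, which means SSHv1 is still accepted) and `show line vty 0`. Platforms with more than five vty lines need `line vty 0 15`, otherwise the extra lines keep the defaults and become the easy way in.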

Page 9:

Network Monitoring

• Use SNMP Version 3 with an ACL to limit which SNMP servers can connect

Router(config)# ip access-list extended snmp-server

Router(config-ext-nacl)# permit ip host 10.1.0.100 any

Router(config)# snmp-server group group1 v3 auth access snmp-server

Router(config)# snmp-server engineID remote 10.1.0.100 udp-port 120 1a2833c0129a

Router(config)# snmp-server user user1 group1 v3 auth md5 password123

Note: a single host in an extended ACL needs the `host` keyword (or a 0.0.0.0 wildcard). The `engineID remote` line is only required when defining users on a remote engine (for example for informs); local polling does not need it. `auth md5` gives authentication without encryption (authNoPriv); prefer `auth sha ... priv aes 128` (authPriv) where the image supports it.

Or (SNMP v1/v2c, where the community string travels in cleartext and acts as the only password; use it only if v3 is unavailable, and never leave RW open):

Router(config)# snmp-server community server1 RO snmp-server

Router(config)# snmp-server community server2 RW snmp-server

• Use Syslog with a separate network (VLAN) for communication

• Disable console logging to reduce the CPU load on the device
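An added example (not from the slides) of the monitoring setup above done the stronger way: an SNMPv3 authPriv group and user (SHA authentication, AES-128 privacy) locked to one management station, v3 traps, and syslog sent to a collector on the management network with console logging off. The addresses 10.1.0.100 and 10.1.0.101, the group name NETMON, the user name monitor, the passphrases and the use of Loopback0 as the source interface are assumed placeholders.

```cisco
! Only the management station may talk SNMP to the router
ip access-list standard SNMP-MGMT
 permit host 10.1.0.100
 deny any log
!
! SNMPv3 group that requires authentication AND encryption (authPriv)
snmp-server group NETMON v3 priv access SNMP-MGMT
! User with SHA authentication and AES-128 privacy (avoid md5 / des)
snmp-server user monitor NETMON v3 auth sha Auth-P4ssw0rd priv aes 128 Priv-P4ssw0rd
!
! Remove any leftover v1/v2c community strings (if they were ever configured)
no snmp-server community public
no snmp-server community private
!
! Traps also go out as v3 authPriv, to the same station
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host 10.1.0.100 version 3 priv monitor
!
! Syslog to a collector on the management network, sourced from a stable
! interface so the collector sees one consistent sender address
logging host 10.1.0.101
logging source-interface Loopback0
logging trap informational
logging buffered 64000 informational
no logging console
service timestamps log datetime msec localtime show-timezone
```

Check the result with `show snmp user` (the user must show auth SHA / priv AES128; the passphrases are not displayed), `show snmp group` and `show logging`. SNMPv3 privacy needs a crypto (k9) IOS image; on a non-crypto image `priv` is simply not available.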

Page 10:

Secure Configurations

• Use the Archive feature to allow rapid recovery when the device is misconfigured

• Use Secure Boot-Image to secure the IOS so it can’t be deleted

Router(config)# secure boot-image

• Use Secure Boot-Config to secure the startup-config from being removed

Router(config)# secure boot-config

Verify

Router# show secure bootset
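The archive and Resilient Configuration features above, shown together as an added example (not the slide deck's own text). The archive path flash:R1-config, the 24-hour period, the copy count and the rescue file name are assumed values.

```cisco
! Configuration archive: a new copy in flash on every "write memory" and every
! 24 hours (1440 minutes), keeping the last 10 copies (R1-config-1 ... R1-config-10)
archive
 path flash:R1-config
 write-memory
 time-period 1440
 maximum 10
 ! Log every configuration command with the user who typed it; useful in forensics
 log config
  logging enable
  hidekeys
  notify syslog
!
! Resilient Configuration: keep a hidden copy of the running IOS image and of the
! running-config in persistent storage so "delete" / "erase" cannot remove them
secure boot-image
secure boot-config
!
! --- Verification and recovery (exec mode) ---
! R1# show archive
! R1# show secure bootset
! Roll the running config back to an archived copy without a reload:
! R1# configure replace flash:R1-config-3 list
! Pull the secured config out into a file if the startup-config was wiped:
! R1# secure boot-config restore flash:rescue.cfg
```

Two caveats a practitioner wants here: the secured config is a snapshot, so `secure boot-config` has to be re-entered after configuration changes to refresh it, and both `secure boot-*` features can only be turned off from the console, which is exactly the point.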

Page 11:

Control Plane

Page 12:

Secure Routing Protocols

• Use MD5 Password Hashes

Router(config)# enable secret apple

Router(config)# username chris secret 0 apple

Note: these two commands protect local credentials (the `secret` keyword stores an MD5 "type 5" hash instead of the reversible "type 7" encoding that `password` produces; newer IOS releases add stronger type 8/9 hashes via `enable algorithm-type`). Authentication of the routing protocols themselves is configured separately, with a key chain and an MD5 (or, where supported, SHA) authentication mode on the protocol, as in the HSRP example on this slide.

• Passive interfaces (stop sending routing hellos on ports where no neighbour is expected, so nobody on a user segment can form an adjacency)

• Also secure FHRP (HSRP, VRRP, GLBP) with authentication

Router(config)# key chain secure

Router(config-keychain)# key 1

Router(config-keychain-key)# key-string apple

Router(config-keychain-key)# exit

Router(config-keychain)# exit

Router(config)# interface fa 0/0

Router(config-if)# standby 1 authentication md5 key-chain secure
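An added example (not from the slides) that carries the key-chain idea through the three control-plane items on this slide: neighbour authentication for OSPF or EIGRP (both shown, configure only the one you run), passive interfaces by default, and the HSRP authentication above completed into a working standby group. The key chain name ROUTING-AUTH, router ID, addresses and interface roles (GigabitEthernet0/0 towards the LAN, GigabitEthernet0/1 as the transit link) are assumptions.

```cisco
! One key chain, shared by EIGRP and HSRP; classic OSPF MD5 takes its key per interface
key chain ROUTING-AUTH
 key 1
  key-string apple
!
! --- OSPF: MD5 on every interface in area 0, hellos only on the transit link ---
router ospf 1
 router-id 10.255.0.1
 area 0 authentication message-digest
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.255.255.255 area 0
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 apple
!
! --- EIGRP (alternative to OSPF): MD5 via the key chain, same passive pattern ---
router eigrp 100
 network 10.0.0.0
 passive-interface default
 no passive-interface GigabitEthernet0/1
interface GigabitEthernet0/1
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 ROUTING-AUTH
!
! --- HSRP on the LAN side, authenticated with the same key chain ---
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-chain ROUTING-AUTH
```

Verify with `show ip ospf interface GigabitEthernet0/1` (look for "Message digest authentication enabled"), `show ip eigrp neighbors` and `show standby brief`; a neighbour with the wrong key simply never appears. Note that "MD5" here is keyed-hash neighbour authentication, not password storage: the key string itself sits in the configuration (IOS shows it type-7 obfuscated at best), so treat the config file as a secret.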

Page 13:

Preserve CPU Resources

• Access Control List logging: the `log` keyword forces every matching packet to be punted to the CPU to generate the syslog message, so use it only on specific deny lines, rate-limit it (`ip access-list logging interval`, `logging rate-limit`), and never put it on a high-volume permit

Page 14:

Control Plane Policing (CoPP)

• Allows you more control over what protocols and data are allowed to enter the router and thus the Control Plane

Page 15:

Data Plane

Page 16:

IP Traffic

• Fragmentation

Router(config)# ip access-list extended Secure

Router(config-ext-nacl)# deny tcp any any fragments

Router(config-ext-nacl)# deny udp any any fragments

Router(config-ext-nacl)# deny icmp any any fragments

Router(config-ext-nacl)# deny ip any any fragments

• IP Options

Router(config-ext-nacl)# deny ip any any option any-options

• TTL too short to make it through the network

Router(config-ext-nacl)# deny ip any any ttl lt 6

* All of this traffic has to be process-switched by the CPU instead of taking the CEF fast path, so dropping it at the edge protects the router as much as the hosts behind it. Two caveats: the `fragments` keyword matches non-initial fragments, and blindly dropping them breaks legitimate traffic (large UDP replies, IPsec), so apply such lines to traffic aimed at the infrastructure itself or test carefully; and an ACL containing only deny statements ends in the implicit deny-all, so it needs explicit permits before it is applied to an interface.

Page 17:

Prevent Spoofed Packets

• Unicast Reverse Path Forwarding (Unicast RPF)

Router(config-if)#ip verify unicast source reachable-via rx
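An added example (not from the slides) that turns the data-plane fragments on the two previous slides into something deployable: an infrastructure ACL with the fragment, option and TTL denies, anti-spoofing denies for the inside prefix, and explicit permits, applied inbound on the Internet-facing interface, plus uRPF in the mode that fits each side of the router. The addresses (203.0.113.0/30 uplink, 10.0.0.0/8 inside, 192.0.2.0/24 as a null-routed example prefix) and interface names are constructed placeholders.

```cisco
! uRPF relies on CEF
ip cef
!
! --- Infrastructure ACL for the Internet-facing interface ---
ip access-list extended SECURE-IN
 remark -- anti-spoof: our own and loopback space must never arrive from outside
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark -- packets the router would have to process-switch
 deny   tcp any any fragments
 deny   udp any any fragments
 deny   icmp any any fragments
 deny   ip any any fragments
 deny   ip any any option any-options
 deny   ip any any ttl lt 6
 remark -- nothing from outside may address the router itself
 remark -- (permit required peer / VPN traffic above this line first)
 deny   ip any host 203.0.113.1
 remark -- transit traffic to the inside is allowed; a firewall behind the
 remark -- router, or inspection on it, does the stateful part
 permit ip any any
!
! --- Uplink: default route only, so strict uRPF would drop every Internet source.
!     Loose mode with allow-default passes normal traffic and still drops any
!     source whose prefix is routed to Null0 (e.g. bogons or a remotely blackholed
!     attacker prefix) ---
interface GigabitEthernet0/0
 description Internet uplink
 ip address 203.0.113.1 255.255.255.252
 ip access-group SECURE-IN in
 ip verify unicast source reachable-via any allow-default
ip route 192.0.2.0 255.255.255.0 Null0
!
! --- Inside: the path is symmetric, so strict mode is safe and catches hosts
!     sending with a source address that does not belong on this interface ---
interface GigabitEthernet0/1
 description LAN
 ip address 10.1.1.1 255.255.255.0
 ip verify unicast source reachable-via rx
```

Check the ACL with `show ip access-lists SECURE-IN` (hit counters on the deny lines tell you what is actually arriving) and uRPF with `show ip interface GigabitEthernet0/1 | include verify` and `show ip traffic | include RPF`, which counts the drops. Strict mode (`rx`) must not be used where return traffic can take a different interface (asymmetric routing, dual uplinks), or legitimate packets get dropped.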

Page 18:

Monitor with NetFlow
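NetFlow export as an added example (not from the slides): flow accounting on both interfaces, NetFlow version 9 records sent to a collector on the management network, with short timeouts so the collector sees long-lived flows while they are still running. The collector 10.1.0.102 on UDP 2055, the source interface Loopback0 and the interface names are assumed placeholders.

```cisco
! NetFlow accounting runs on the CEF path
ip cef
!
! Export v9 records to the collector, sourced from a stable address
ip flow-export version 9
ip flow-export destination 10.1.0.102 2055
ip flow-export source Loopback0
!
! Expire active flows every minute and idle flows after 15 seconds so a scan
! or a flood shows up at the collector quickly instead of after 30 minutes
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
!
! Account for everything entering each interface (ingress on all interfaces
! covers both directions of every transit flow)
interface GigabitEthernet0/0
 ip flow ingress
interface GigabitEthernet0/1
 ip flow ingress
```

`show ip cache flow` on the router is useful even without a collector: a burst of many flows from one source to many destinations or ports is a scan, and many sources to one destination port is a flood, visible in the flow table before any other system notices. `show ip flow export` confirms the records are actually leaving. Newer IOS offers Flexible NetFlow (`flow record` / `flow exporter` / `flow monitor`), which lets you choose the fields exported; the traditional commands above are the ones still found on most routers of this era.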

Page 19:

Wrap-Up

Page 20:

Secure All Planes of a Device

• Management Plane

• Control Plane

• Data Plane

• Document, Document, Document

Page 21:

Questions??