© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod5_L4 1
Implementing Secure Converged Wide Area Networks (ISCW)
Lesson 4 – Module 5 – ‘Cisco Device Hardening’
Disabling Unused Cisco Router Network Services and Interfaces
Module Introduction
The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people.
Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.
Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
Vulnerable Router Services and Interfaces
Medium-size and large networks typically use a firewall appliance behind the perimeter router, which adds security features and performs user authentication and more advanced packet filtering.
Firewall installations also facilitate the creation of Demilitarized Zones (DMZs), where the firewall ‘places’ hosts that are commonly accessed from the Internet.
Cisco IOS software offers an alternative to a firewall appliance by incorporating many firewall features in the perimeter router. Although this option does not provide the same performance and security features that a Cisco PIX Security Appliance offers, a router with an integrated firewall feature set can solve most small-to-medium business perimeter security requirements.
Cisco IOS routers run many services that create potential vulnerabilities. To secure an enterprise network, all unneeded router services and interfaces must be disabled.
Vulnerable Router Services and Interfaces
Cisco IOS routers can be used as:
Edge devices
Firewalls
Internal routers
Routers have default services that create potential vulnerabilities (for example, BOOTP, CDP, FTP, TFTP, NTP, Finger, SNMP, TCP/UDP minor services, IP source routing, and proxy ARP).
Vulnerabilities can be exploited regardless of where the routers are placed.
Vulnerable Router Services
Disable unnecessary services and interfaces (BOOTP, CDP, FTP, TFTP, NTP, PAD, and TCP/UDP minor services)
Disable commonly configured management services (SNMP, HTTP, and DNS)
Ensure path integrity (ICMP redirects and IP source routing)
Disable probes and scans (finger, ICMP unreachables, and ICMP mask replies)
Ensure terminal access security (ident and TCP keepalives)
Disable gratuitous and proxy ARP
Disable IP directed broadcast
Unnecessary Services and Interfaces
Router Service | Default | Best Practice
BOOTP server | Enabled | Disable
Cisco Discovery Protocol (CDP) | Enabled | Disable if not required
Configuration auto-loading | Disabled | Disable if not required
FTP server | Disabled | Disable if not required. Otherwise encrypt traffic within an IPsec tunnel.
TFTP server | Disabled | Disable if not required. Otherwise encrypt traffic within an IPsec tunnel.
Network Time Protocol (NTP) service | Disabled | Disable if not required. Otherwise configure NTPv3 and control access between permitted devices using ACLs.
Packet assembler and disassembler (PAD) service | Enabled | Disable if not required
TCP and UDP minor services | Enabled (pre-11.3), Disabled (11.3+) | Disable if not required
Maintenance Operation Protocol (MOP) service | Enabled | Disable explicitly if not required
Commonly Configured Management Services
Management Service | Enabled by Default | Best Practice
Simple Network Management Protocol (SNMP) | Enabled | Disable the service. Otherwise configure SNMPv3.
HTTP configuration and monitoring | Device dependent | Disable if not required. Otherwise restrict access using ACLs.
Domain Name System (DNS) Client Service | Enabled | Disable if not required. Otherwise explicitly configure the DNS server address.
Path Integrity Mechanisms
Path Integrity Mechanism | Enabled by Default | Best Practice
ICMP redirects | Enabled | Disable the service
IP source routing | Enabled | Disable if not required.
Probe and Scan Features
Probe and Scan Feature | Enabled by Default | Best Practice
Finger service | Enabled | Disable if not required.
ICMP unreachable notifications | Enabled | Disable explicitly on untrusted interfaces.
ICMP mask reply | Disabled | Disable explicitly on untrusted interfaces.
Terminal Access Security
Terminal Access Security | Enabled by Default | Best Practice
IP identification service | Enabled | Disable
TCP Keepalives | Disabled | Enable
ARP Service
ARP Service | Enabled by Default | Best Practice
Gratuitous ARP | Enabled | Disable if not required.
Proxy ARP | Enabled | Disable if not required.
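The tables above say what a hardened router should and should not be running, but an administrator also needs a repeatable way to check a device against them. The following Python script is an added example (it is not Cisco code and is not part of the original lesson): it parses the text of show running-config and reports every deviation from the tables, covering the global services, the per-interface settings and the NTP rule. The configuration it audits is a constructed sample, and the script assumes the usual IOS behaviour that the running-config shows only non-default settings, so a service that is enabled by default counts as hardened only when its explicit no form is present, while a service that is disabled by default is a finding only when the enabling command appears.

```python
"""Audit 'show running-config' text against the hardening tables above. Added
example, not Cisco code. Assumption: IOS prints only non-default settings, so a
default-on service is hardened only when its explicit 'no ...' line is present."""
import re

# Default-on global services: the 'no' form must be present in the config.
GLOBAL_REQUIRED = {
    "BOOTP server not disabled": r"no ip bootp server$",
    "CDP not disabled": r"no cdp run$",
    "Finger service not disabled": r"no ip finger$",
    "PAD service not disabled": r"no service pad$",
    "IP source routing not disabled": r"no ip source-route$",
    "Gratuitous ARP not disabled": r"no ip gratuitous-arps$",
    "ident service not disabled": r"no ip identd$",
    "TCP keepalives (in) not enabled": r"service tcp-keepalives-in$",
    "TCP keepalives (out) not enabled": r"service tcp-keepalives-out$",
    "Password encryption not enabled": r"service password-encryption$",
}
# Default-off global services: a finding only if the enabling command appears.
GLOBAL_FORBIDDEN = {
    "TCP small servers enabled": r"service tcp-small-servers$",
    "UDP small servers enabled": r"service udp-small-servers$",
    "HTTP server enabled": r"ip http server$",
    "SNMP v1/v2c community configured": r"snmp-server community ",
}
IFACE_REQUIRED = {
    "ICMP redirects not disabled": r"no ip redirects$",
    "Proxy ARP not disabled": r"no ip proxy-arp$",
    "ICMP unreachables not disabled": r"no ip unreachables$",
}
IFACE_FORBIDDEN = {
    "IP directed broadcast enabled": r"ip directed-broadcast",
    "ICMP mask reply enabled": r"ip mask-reply$",
}

def parse_config(text):
    """Split config text into (global lines, {interface name: [its lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' closes a configuration section
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def _present(lines, pattern):
    return any(re.match(pattern, ln) for ln in lines)

def audit(text):
    """Return sorted findings; an empty list means the config matches the tables."""
    glob, ifaces = parse_config(text)
    findings = [m for m, p in GLOBAL_REQUIRED.items() if not _present(glob, p)]
    findings += [m for m, p in GLOBAL_FORBIDDEN.items() if _present(glob, p)]
    # NTP is allowed only with authentication (NTPv3) and an access-group ACL.
    ntp_ok = _present(glob, r"ntp authenticate$") and _present(glob, r"ntp access-group ")
    if _present(glob, r"ntp (server|peer|master)") and not ntp_ok:
        findings.append("NTP configured without authentication and access-group")
    for name, lines in ifaces.items():
        findings += [f"{name}: {m}" for m, p in IFACE_REQUIRED.items() if not _present(lines, p)]
        findings += [f"{name}: {m}" for m, p in IFACE_FORBIDDEN.items() if _present(lines, p)]
        if "Ethernet" in name and not _present(lines, r"no mop enabled$"):
            findings.append(f"{name}: MOP not disabled")  # MOP is default-on on Ethernet only
    return sorted(findings)

# Constructed sample of a partially hardened router (not a real device).
SAMPLE_CONFIG = """\
service password-encryption
service tcp-keepalives-in
no service pad
no cdp run
no ip bootp server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
ip http server
snmp-server community public RO
ntp server 10.0.0.5
!
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no mop enabled
!
interface Serial0/0
 no ip redirects
 ip mask-reply
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Run against the constructed sample, the script reports seven findings: the HTTP server and an SNMP v1/v2c community string, an NTP server with no authentication, the missing outbound TCP keepalives, and three interface-level problems on Serial0/0. FastEthernet0/0 produces no findings because every default-on service has its explicit no line. The regex table is deliberately data-driven so that an organisation can extend it with its own checks (for example the DNS client, or an HTTP server that is allowed only behind an ACL) without touching the parser.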
Router Hardening Considerations
Attackers can exploit unused router services and interfaces.
Administrators do not need to know how to exploit the services, but they should know how to disable them.
It is tedious to disable the services individually.
An automated method is needed to speed up the hardening process.
Locking Down Routers with AutoSecure
The AutoSecure feature is available in Cisco IOS Release 12.3 and later.
AutoSecure is a single privileged EXEC program that allows elimination of many potential security threats quickly and easily. AutoSecure helps to make you more efficient at securing Cisco routers.
AutoSecure allows two modes of operation:
1. Interactive mode: Prompts to choose the way you want to configure router services and other security-related features
2. Noninteractive mode: Configures security-related features on your router based on a set of Cisco defaults
AutoSecure Functions
AutoSecure can selectively lock down:
Management plane services and functions:
Finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask-replies), directed broadcast, MOP, banner
Also provides password security and SSH access
Forwarding plane services and functions:
CEF, traffic filtering with ACLs
Firewall services and functions:
Cisco IOS Firewall inspection for common protocols
Login functions:
Password security
NTP protocol
SSH access
TCP Intercept services
AutoSecure Failure Rollback Feature
If AutoSecure fails to complete its operation, the running configuration may be corrupt:
In Cisco IOS Release 12.3(8)T and later releases:
Pre-AutoSecure configuration snapshot is stored in the flash under filename pre_autosec.cfg
Rollback reverts the router to the router’s pre-autosecure configuration
Command: configure replace flash:pre_autosec.cfg
If the router is using software prior to Cisco IOS Release 12.3(8)T, the running configuration should be saved before running AutoSecure.
AutoSecure Process Overview
router# auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]
Cisco AutoSecure Interactive Steps:
Step 1 — Identify outside interfaces.
Step 2 — Secure the management plane.
Step 3 — Create security banner.
Step 4 — Configure passwords, AAA, and SSH.
Step 5 — Secure the interface settings.
Step 6 — Secure the forwarding plane.
Auto Secure Parameters
Parameter Description
management (Optional) Only the management plane will be secured.
forwarding (Optional) Only the forwarding plane will be secured.
no-interact (Optional) The user will not be prompted for any interactive configurations. No interactive dialogue parameters will be configured, including usernames or passwords.
full (Optional) The user will be prompted for all interactive questions. This is the default setting.
ntp (Optional) Specifies the configuration of the Network Time Protocol (NTP) feature in the AutoSecure command-line interface (CLI).
login (Optional) Specifies the configuration of the Login feature in the AutoSecure CLI.
ssh (Optional) Specifies the configuration of the SSH feature in the AutoSecure CLI.
firewall (Optional) Specifies the configuration of the Firewall feature in the AutoSecure CLI.
tcp-intercept (Optional) Specifies the configuration of the TCP-Intercept feature in the AutoSecure CLI.
Step 1: Identify Outside Interfaces
Router#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router but it will not make router absolutely secure from all security attacks ***
All the configuration done as part of AutoSecure will be shown here. For more details of why and how this configuration is useful, and any possible side effects, please refer to Cisco documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: y
Enter the number of interfaces facing internet [1]: 1
Interface     IP-Address    OK? Method Status  Protocol
Ethernet0/0   10.0.2.2      YES NVRAM  up      up
Ethernet0/1   172.30.2.2    YES NVRAM  up      up
Enter the interface name that is facing internet: Ethernet0/1
Step 2: Secure Management Plane Services
Securing Management plane services..
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Step 3: Create Security Banner
Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements.
Authorised Access only
This system is the property of Woolloomooloo Pty Ltd. UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged and violations of this policy result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
%This system is the property of Cisco Systems, Inc.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.%
Step 4: Passwords and AAA
Enable secret is either not configured or is same as enable password
Enter the new enable secret: Curium96
Configuration of local user database
Enter the username: student1
Enter the password: student1
Configuring aaa local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 300
Maximum Login failures with the device: 3
Maximum time period for crossing the failed login attempts: 60
Step 5: SSH and Interface-Specific Services
Configure SSH server? [yes]: y
Enter the hostname: R2
Enter the domain-name: cisco.com
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Step 6: Forwarding Plane Verification and Deployment
Securing Forwarding plane services..
Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected to internet
Configure CBAC Firewall feature? [yes/no]: yes
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption..
Apply this configuration to running-config? [yes]: y
Auto Secure Configuration Example (1 of 6)
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner #This system is the property of Cisco Systems, Inc.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.#
security passwords min-length 6
security authentication failure rate 10 log
Set minimum password length.
Create banner.
Disable global services.
Set the login failure rate.
Auto Secure Configuration Example (2 of 6)
enable secret 5 $1$6NpI$ClSvtL5Zs63fPpsQT5Dyq/
enable password 7 09674F04100916
aaa new-model
aaa authentication login local_auth local
line con 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
login block-for 5 attempts 3 within 4
Enable local AAA.
Enable secret password.
Configure local authentication on console, auxiliary and VTY lines for telnet.
Block too many login attempts.
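The line login block-for 5 attempts 3 within 4 is easy to misread, so the following Python model is added here as an illustration (it is not Cisco code and is not part of the original lesson). It replays a constructed sequence of login events through the rule: three failures inside a four-second window put the router into quiet mode, during which logins are refused for five seconds except from sources matched by the quiet-mode access-class ACL. The sliding-window interpretation of "within", and the set of sources standing in for that ACL, are assumptions of the model; the event list is constructed, not captured from a device.

```python
"""Model of 'login block-for <block> attempts <n> within <w>' from the
configuration above. Added example, not Cisco code. Assumptions: the rule is
treated as a sliding window (n failures inside any w-second span), and the
sources in quiet_mode_allow stand in for the quiet-mode access-class ACL."""
from collections import deque
from typing import Deque, Iterable, List, Optional, Set, Tuple

# (seconds since start, source address, authentication succeeded?)
Event = Tuple[float, str, bool]


class LoginGuard:
    def __init__(self, block_for: int, attempts: int, within: int,
                 quiet_mode_allow: Optional[Set[str]] = None):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.quiet_mode_allow = quiet_mode_allow or set()
        self.failures: Deque[float] = deque()   # timestamps of recent failures
        self.quiet_until: Optional[float] = None

    def in_quiet_mode(self, now: float) -> bool:
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, now: float, source: str, success: bool) -> str:
        """Process one login attempt and return its outcome."""
        if self.in_quiet_mode(now) and source not in self.quiet_mode_allow:
            return "blocked"            # quiet mode: the login is refused outright
        if success:
            self.failures.clear()
            return "accepted"
        self.failures.append(now)
        # Forget failures that have aged out of the watch window.
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            return "quiet-mode-entered"
        return "failed"


def simulate(events: Iterable[Event], block_for: int = 5, attempts: int = 3,
             within: int = 4, quiet_mode_allow: Optional[Set[str]] = None) -> List[str]:
    """Replay the events through one guard and return each attempt's outcome."""
    guard = LoginGuard(block_for, attempts, within, quiet_mode_allow)
    return [guard.attempt(t, src, ok) for t, src, ok in events]


# Constructed event stream (not captured from a real device).
EVENTS: List[Event] = [
    (0.0, "10.0.0.9", False),
    (1.0, "10.0.0.9", False),
    (2.5, "10.0.0.9", False),   # third failure within 4 s: quiet mode until t=7.5
    (3.0, "10.0.0.7", True),    # management host on the quiet-mode ACL: still admitted
    (4.0, "10.0.0.8", True),    # valid credentials, but refused during quiet mode
    (8.0, "10.0.0.8", True),    # quiet period over: accepted
    (20.0, "10.0.0.9", False),
    (30.0, "10.0.0.9", False),  # slow failures never reach 3 within 4 s
]

if __name__ == "__main__":
    outcomes = simulate(EVENTS, quiet_mode_allow={"10.0.0.7"})
    for (t, src, _), outcome in zip(EVENTS, outcomes):
        print(f"t={t:5.1f}  {src:10s}  {outcome}")
```

Two things the replay makes visible: quiet mode also refuses valid credentials, so an administrator who is not covered by the quiet-mode ACL is locked out alongside the attacker, and failures spaced wider than the window never trigger it, which is why the window and the blocking period (300 seconds and 60 seconds in the interactive dialogue above, 5 and 4 in this generated configuration) must be chosen to fit the organisation's tolerance for both risks.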
Auto Secure Configuration Example (3 of 6)
hostname LosAngeles
ip domain-name cisco.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
Configure hostname and domain name.
Configure logging parameters.
Auto Secure Configuration Example (4 of 6)
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
Disable FE interface 0/0 services.
Disable serial port services.
Disable FE interface 0/1 services.
Auto Secure Configuration Example (5 of 6)
ip cef
interface Serial0/0
 ip access-group autosec_complete_bogon in
exit
access-list 100 permit udp any any eq bootpc
interface Serial0/0
 ip verify unicast source reachable-via rx allow-default 100
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
!
end
Enable CEF.
Apply ACL to inside interface.
Turn on the CBAC firewall with common settings.
Auto Secure Configuration Example (6 of 6)
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
interface Serial0/0
 ip inspect autosec_inspect out
 ip access-group autosec_firewall_acl in
Apply CBAC inspect list to outside interface.
Apply ACL to outside interface.
Locking Down Routers with Cisco SDM
SDM simplifies router and security configuration through smart wizards that help to quickly and easily deploy, configure, and monitor a Cisco router without requiring knowledge of the CLI
SDM simplifies firewall and IOS software configuration without requiring expertise about security or IOS software
SDM contains a Security Audit wizard that performs a comprehensive router security audit
SDM uses security configurations recommended by Cisco Technical Assistance Center (TAC) and the International Computer Security Association (ICSA) as the basis for comparisons and default settings
The Security Audit wizard assesses the vulnerability of the existing router and provides quick compliance to best-practice security policies
SDM can implement almost all of the configurations that AutoSecure offers with the One-Step Lockdown feature
Security Device Manager (SDM)
SDM automated hardening features:
• Security Audit
• One-Step Lockdown
SDM Security Audit Overview
Security Audit compares router configuration against recommended settings
Examples of the audit include:
Shut down unneeded servers
Disable unneeded services
Apply the firewall to the outside interfaces
Disable or harden SNMP
Shut down unused interfaces
Check password strength
Enforce the use of ACLs
SDM Security Audit: Main Window
SDM Security Audit Wizard
SDM Security Audit Interface Configuration
SDM Security Audit
SDM Security Audit: Fix the Security Problems
SDM Security Audit: Summary
SDM One-Step Lockdown: Main Window
SDM One-Step Lockdown Wizard