© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Vulnerable Router Services and Interfaces
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Vulnerable Router Services and Interfaces Cisco IOS routers can be used as: –Edge devices –Firewalls –Internal routers Default services that create potential vulnerabilities (e.g., BOOTP, CDP, FTP, TFTP, NTP, Finger, SNMP, TCP/UDP minor services, IP source routing, and proxy ARP). Vulnerabilities can be exploited independently of the router placement.
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Vulnerable Router Services Disable unnecessary services and interfaces (BOOTP, CDP, FTP, TFTP, NTP, PAD, and TCP/UDP minor services) Disable commonly configured management services (SNMP, HTTP, and DNS) Ensure path integrity (ICMP redirects and IP source routing) Disable probes and scans (finger, ICMP unreachables, and ICMP mask replies) Ensure terminal access security (ident and TCP keepalives) Disable gratuitous and proxy ARP Disable IP directed broadcast
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Router Hardening Considerations Attackers can exploit unused router services and interfaces. Administrators do not need to know how to exploit the services, but they should know how to disable them. It is tedious to disable the services individually. An automated method is needed to speed up the hardening process.
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Locking Down Routers with AutoSecure
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v What is AutoSecure? AutoSecure helps secure Cisco IOS networks by performing these router functions: Disables insecure global services Enables security-based global services Disables insecure interface services Enables appropriate security logging Secures router administrative access Secures the router management plane Secures the router forwarding plane
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v AutoSecure Operation Modes AutoSecure can be deployed using one of the following two modes of operation: Interactive mode: Prompts the user with options to enable and disable services and other security-related features Noninteractive mode: Automatically executes the auto secure command using recommended default settings
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v AutoSecure Functions AutoSecure can selectively lock down: Management plane services and functions: –Finger, PAD, UDP & TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask-replies), directed broadcast, MOP, banner –Also provides password security and SSH access Forwarding plane services and functions: –CEF, traffic filtering with ACLs Firewall services and functions: –Cisco IOS Firewall inspection for common protocols Login functions: –Password security NTP protocol SSH access TCP Intercept services
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v AutoSecure Failure Scenarios If AutoSecure fails to complete its operation, your running configuration may be corrupt: In 12.3(8)T and later releases –Pre-autosecure configuration snapshot is stored in the flash under filename pre_autosec.cfg –Roll-back reverts the router to its pre-autosecure configuration –Command: configure replace flash:pre_autosec.cfg Prior to 12.3(8)T, you should save the running configuration before running AutoSecure
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v AutoSecure Process Overview
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v AutoSecure Process Overview auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept] router# Launches AutoSecure Main steps with the interactive full option: –Identify outside interfaces. –Secure the management plane. –Create security banner. –Configure passwords, AAA, and SSH. –Secure the interface settings. –Secure the forwarding plane.
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Start and Interface Selection Router#auto secure --- AutoSecure Configuration --- *** AutoSecure configuration enhances the security of the router but it will not make router absolutely secure from all security attacks *** All the configuration done as part of AutoSecure will be shown here. For more details of why and how this configuration is useful, and any possible side effects, please refer to Cisco documentation of AutoSecure. At any prompt you may enter '?' for help. Use ctrl-c to abort this session at any prompt. Gathering information about the router for AutoSecure Is this router connected to internet? [no]: y Enter the number of interfaces facing internet [1]: 1 Interface IP-Address OK? Method Status Protocol Ethernet0/ YES NVRAM up up Ethernet0/ YES NVRAM up up Enter the interface name that is facing internet: Ethernet0/1
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Securing Management Plane Services Securing Management plane services.. Disabling service finger Disabling service pad Disabling udp & tcp small servers Enabling service password encryption Enabling service tcp-keepalives-in Enabling service tcp-keepalives-out Disabling the cdp protocol Disabling the bootp server Disabling the http server Disabling the finger service Disabling source routing Disabling gratuitous arp
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Creating Security Banner Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements. Authorised Access only This system is the property of So-&-So-Enterprise. UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on this device are logged and violations of of this policy result in disciplinary action. Enter the security banner {Put the banner between k and k, where k is any character}: %This system is the property of Cisco Systems, Inc. UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.%
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Passwords and AAA Enable secret is either not configured or is same as enable password Enter the new enable secret: Curium96 Configuration of local user database Enter the username: student1 Enter the password: student1 Configuring aaa local authentication Configuring console, Aux and vty lines for local authentication, exec-timeout, transport Securing device against Login Attacks Configure the following parameters Blocking Period when Login Attack detected: 300 Maximum Login failures with the device: 3 Maximum time period for crossing the failed login attempts: 60
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v SSH and Interface-Specific Services Configure SSH server? [yes]: y Enter the hostname: R2 Enter the domain-name: cisco.com Configuring interface specific AutoSecure services Disabling the following ip services on all interfaces: no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply Disabling mop on Ethernet interfaces
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Forwarding Plane, Verificaton and Deployment Securing Forwarding plane services.. Enabling CEF (This might impact the memory requirements for your platform) Enabling unicast rpf on all interfaces connected to internet Configure CBAC Firewall feature? [yes/no]: yes This is the configuration generated: no service finger no service pad no service udp-small-servers no service tcp-small-servers service password-encryption. Apply this configuration to running-config? [yes]: y
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Locking Down Routers with the SDM
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Security Device Manager SDM automated hardening features: Security Audit One-Step Lockdown
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v SDM Security Audit Overview The security audit compares router configuration against recommended settings. Examples of the audit include: –Shut down unneeded servers. –Disable unneeded services. –Apply the firewall to the outside interfaces. –Disable or harden SNMP. –Shut down unused interfaces. –Check password strength. –Enforce the use of ACLs.
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v SDM Security Audit: Main Window
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v SDM Security Audit Wizard
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v SDM Security Audit Interface Configuration
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v SDM Security Audit
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v SDM Security Audit: Fix the Security Problems
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v SDM Security Audit: Summary
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v SDM One-Step Lockdown: Main Window
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v SDM One-Step Lockdown Wizard
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Summary Unused router services and interfaces should be disabled. AutoSecure is a very efficient tool for securing Cisco routers. AutoSecure runs in an interactive and noninteractive mode. AutoSecure can selectively lock down the management or the forwarding plane, or other router functions such as login, firewall, SSH, NTP, and TCP Intercept. AutoSecure provides rollback functionality. Cisco SDM includes a Security Audit wizard that allows you to analyze the router configuration and selectively fix the security issues. Cisco SDM provides a One-Step Lockdown feature that tests the router configuration for any potential security problems and automatically makes the necessary corrections.
© 2006 Cisco Systems, Inc. All rights reserved.ISCW v