© 2006 Cisco Systems, Inc. All rights reserved. ISCW v

Cisco Device Hardening
Securing Cisco Router Installations and Administrative Access
Configuring Router Passwords
Configuring Router Passwords

A console is a terminal connected to a router console port. The terminal can be a dumb terminal or a PC with terminal emulation software.
Password Creation Rules

–Passwords can be 1 to 25 characters in length.
–Passwords can include:
  –Alphanumeric characters
  –Uppercase and lowercase characters
  –Symbols and spaces
–Passwords cannot have a number as the first character.
–Leading spaces in a password are ignored, but any spaces after the first character are part of the password.
–Change passwords.
Initial Configuration Dialog

  Would you like to enter the initial configuration dialog? [yes/no] y
  Configuring global parameters:
    Enter host name [Router]: Boston
  The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration.
    Enter enable secret: CantGuessMe
  The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images.
    Enter enable password: WontGuessMe
  The virtual terminal password is used to protect access to the router over a network interface.
    Enter virtual terminal password: CantGuessMeVTY
Configure the Line-Level Password

router(config)#
  line console 0
  line aux 0
  line vty 0 4
Enters line configuration mode (console, auxiliary, or vty)

router(config-line)#
  login
Enables password checking at login

router(config-line)#
  password password
Sets the line-level password

  Boston(config)#line con 0
  Boston(config-line)#login
  Boston(config-line)#password ConUser1
Password Minimum Length Enforcement

router(config)#
  security passwords min-length length
Sets the minimum length of all Cisco IOS passwords

  Boston(config)#security passwords min-length 10
Encrypting Passwords Using the service password-encryption Command

router(config)#
  service password-encryption
Encrypts all passwords in the router configuration file

  Boston(config)#service password-encryption
  Boston(config)#exit
  Boston#show running-config
  enable password A061E
  !
  line con 0
   password F57A109A
  !
  line vty 0 4
   password 7 034A18F366A0
  !
  line aux 0
   password 7 7A4F A
Enhanced Username Password Security

router(config)#
  username name secret {[0] password | 5 encrypted-secret}
–Uses MD5 hashing for strong password protection
–Better than the type 7 encryption produced by the service password-encryption command

  Boston(config)#username rtradmin secret 0 Curium96
  Boston(config)#username rtradmin secret 5 $1$feb0$a104Qd9UZ./Ak007

router(config)#
  username name password {[0] password | 7 hidden-password}
Traditional user configuration with plaintext password
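The password slides above (creation rules, min-length, service password-encryption, and secret versus password) describe properties an auditor can check mechanically in a saved running-config. The following script is an added example, not Cisco's own code: it scans a constructed config fragment (the hashes and type 7 strings are taken from the slides, the usernames and host are invented) and reports plaintext (type 0) passwords, reversible type 7 passwords, an enable password configured without an enable secret, a missing service password-encryption line, and plaintext values that break the stated creation rules or a min-length of 10. The MIN_LENGTH constant and the severity labels are the example's own choices.

```python
"""Audit a Cisco IOS running-config for the password weaknesses covered on
these slides. Added example, not Cisco code."""
import re

# Constructed sample config for the example (not a real device's output).
SAMPLE_CONFIG = """\
hostname Boston
enable password WontGuessMe
username rtradmin password 0 Curium96
username auditor secret 5 $1$feb0$a104Qd9UZ./Ak007
username ops password 7 034A18F366A0
!
line con 0
 password ConUser1
 login
line vty 0 4
 password 7 034A18F366A0
 login
!
"""

MIN_LENGTH = 10  # mirrors 'security passwords min-length 10' on the slide

# Matches 'password ...', 'secret ...', 'enable password ...' and
# 'username <name> password|secret ...'; group 1 is the optional prefix.
PASSWORD_RE = re.compile(r"^\s*(enable\s+|username\s+\S+\s+)?(password|secret)\s+(.+)$")


def classify(tokens):
    """Return (type, value) for the arguments of a password/secret command.
    IOS writes an explicit type digit ('0' plaintext, '5' MD5, '7' Vigenere);
    with no type digit the stored value is plaintext."""
    if len(tokens) >= 2 and tokens[0] in ("0", "5", "7"):
        return tokens[0], " ".join(tokens[1:])
    return "0", " ".join(tokens)


def check_plain_rules(value, min_length=MIN_LENGTH):
    """Apply the slide's creation rules to a plaintext value and return a
    list of violations (empty when the value is acceptable)."""
    problems = []
    stripped = value.lstrip()  # IOS ignores leading spaces
    if not 1 <= len(stripped) <= 25:
        problems.append("length must be 1-25 characters")
    if stripped and stripped[0].isdigit():
        problems.append("first character cannot be a digit")
    if len(stripped) < min_length:
        problems.append(f"shorter than min-length {min_length}")
    return problems


def audit_config(text, min_length=MIN_LENGTH):
    """Scan config text; return a list of (severity, location, message)."""
    findings = []
    lines = text.splitlines()
    if not any(ln.strip() == "service password-encryption" for ln in lines):
        findings.append(("medium", "(global)", "service password-encryption is not configured"))
    has_enable_secret = any(ln.startswith("enable secret") for ln in lines)
    if any(ln.startswith("enable password") for ln in lines) and not has_enable_secret:
        findings.append(("high", "enable password", "enable password set without an enable secret"))
    context = "global"
    for ln in lines:
        if ln.startswith("line "):          # remember which line block we are in
            context = ln.strip()
            continue
        m = PASSWORD_RE.match(ln)
        if not m:
            continue
        prefix, keyword, rest = m.groups()
        where = (prefix or context).strip()
        ptype, value = classify(rest.split())
        if ptype == "0":
            findings.append(("high", where, f"plaintext (type 0) {keyword}"))
            for problem in check_plain_rules(value, min_length):
                findings.append(("medium", where, problem))
        elif ptype == "7":
            findings.append(("medium", where, "type 7 password is reversible; prefer secret (type 5)"))
    return findings


if __name__ == "__main__":
    for severity, where, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity:6}] {where}: {message}")
```

Run it against a config exported with show running-config; the type 5 username line produces no finding, while every line that still carries a type 0 or type 7 value is listed with the line block it belongs to.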
Securing ROMMON with the no service password-recovery Command

router(config)#
  no service password-recovery
–By default, Cisco routers are factory configured with service password-recovery set.
–The no service password-recovery command prevents console users from accessing ROMMON, and therefore from running the password recovery procedure.

  Boston(config)#no service password-recovery
  WARNING:
  Executing this command will disable password recovery mechanism.
  Do not execute this command without another plan for password recovery.
  Are you sure you want to continue? [yes/no]: yes
  Boston(config)#
Setting a Login Failure Rate
Authentication Failure Rate with Login

router(config)#
  security authentication failure rate threshold-rate log
–Configures the number of allowable unsuccessful login attempts
–By default, the router allows 10 login failures before initiating a 15-second delay
–Generates a syslog message when the rate is exceeded

  Boston(config)#security authentication failure rate 10 log
Setting a Login Failure Blocking Period

router(config)#
  login block-for seconds attempts tries within seconds
–Blocks access for a quiet period after a configurable number of failed login attempts within a specified period
–Must be entered before any other login command
–Mitigates DoS and break-in attacks

  Boston(config)#login block-for 100 attempts 2 within 100
Excluding Addresses from Login Blocking

router(config)#
  login quiet-mode access-class {acl-name | acl-number}
–Specifies an ACL that is applied to the router when it switches to quiet mode. If not configured, all login requests are denied during quiet mode.
–Excludes IP addresses from the failure counting of the login block-for command.

  Boston(config)#login quiet-mode access-class myacl
Setting a Login Delay

router(config)#
  login delay seconds
–Configures a delay between successive login attempts.
–Helps mitigate dictionary attacks.
–If not set, a default delay of one second is enforced after the login block-for command is configured.

  Boston(config)#login delay 30
Verifying Login

router#
  show login [failures]
Displays login parameters and failures

  Boston(config)#show login
     A default login delay of 1 seconds is applied.
     No Quiet-Mode access list has been configured.
     All successful login is logged and generate SNMP traps.
     All failed login is logged and generate SNMP traps.

     Router enabled to watch for login Attacks.
     If more than 15 login failures occur in 100 seconds or less, logins will be disabled for 100 seconds.

     Router presently in Watch-Mode, will remain in Watch-Mode for 95 seconds.
     Present login failure count 5.
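The four slides above (login block-for, the quiet-mode ACL, login delay, and show login) describe one state machine: counted failures inside a sliding window, a quiet period during which only ACL-permitted sources may log in, and a minimum spacing between attempts. The class below is an added example, not Cisco code, that models those documented rules so the transitions can be exercised offline; the outcome strings, the status() field names, and the sample addresses are the example's own, and it deliberately treats a too-quick attempt as simply not processed rather than modelling how IOS holds the session.

```python
"""Model of IOS 'login block-for', 'login quiet-mode access-class' and
'login delay' behaviour as described on these slides. Added example, not
Cisco code. Times are seconds (int or float)."""
from collections import deque


class LoginGuard:
    def __init__(self, block_for, attempts, within, quiet_acl=(), delay=1):
        self.block_for = block_for        # login block-for <seconds>
        self.attempts = attempts          # attempts <tries>
        self.within = within              # within <seconds>
        self.quiet_acl = set(quiet_acl)   # sources the quiet-mode ACL permits
        self.delay = delay                # login delay <seconds>; default 1
        self.failures = deque()           # timestamps of counted failures
        self.quiet_until = None           # end of the current quiet period
        self.last_attempt = None
        self.log = []                     # constructed syslog-style trail

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, src, now, password_ok):
        """Process one login attempt from 'src' at time 'now'. Returns
        accepted, failed, failed-quiet-on, denied-quiet or delayed."""
        # Quiet mode: everyone is refused unless the quiet-mode ACL permits them.
        if self.in_quiet_mode(now) and src not in self.quiet_acl:
            self.log.append(f"{now}: login from {src} denied, quiet mode until {self.quiet_until}")
            return "denied-quiet"
        # login delay: attempts closer together than 'delay' are not processed.
        if self.last_attempt is not None and now - self.last_attempt < self.delay:
            return "delayed"
        self.last_attempt = now
        if password_ok:
            self.log.append(f"{now}: login from {src} succeeded")
            return "accepted"
        if src in self.quiet_acl:         # ACL-permitted sources are not counted
            return "failed"
        self.failures.append(now)
        # Drop failures that fell out of the 'within' window.
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.log.append(f"{now}: {self.attempts} failures within {self.within}s, "
                            f"quiet mode for {self.block_for}s")
            return "failed-quiet-on"
        return "failed"

    def status(self, now):
        """Summary in the spirit of 'show login' (field names are the example's)."""
        return {
            "quiet_mode": self.in_quiet_mode(now),
            "quiet_seconds_left": max(0, (self.quiet_until or now) - now),
            "failure_count": len(self.failures),
        }


if __name__ == "__main__":
    # Same parameters as the slide: login block-for 100 attempts 2 within 100,
    # with one management host (constructed address) permitted by the ACL.
    guard = LoginGuard(block_for=100, attempts=2, within=100, quiet_acl={"10.1.1.5"})
    for src, t, ok in [("192.0.2.10", 0, False), ("192.0.2.10", 5, False),
                       ("192.0.2.10", 10, True), ("10.1.1.5", 12, True),
                       ("192.0.2.10", 106, True)]:
        print(t, src, guard.attempt(src, t, ok))
    print(guard.status(50))
```

The sequence in the main block shows why the quiet-mode ACL matters: after two failures the router would refuse even a correct password from any address for 100 seconds, but the ACL-permitted management host still gets in.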
Setting Timeouts
Setting Timeouts for Router Lines

router(config-line)#
  exec-timeout minutes [seconds]
–Default is 10 minutes
–Terminates an unattended connection
–Provides an extra safety factor when an administrator walks away from an active console session

Terminates an unattended console or auxiliary connection after 3 minutes and 30 seconds:
  Boston(config)#line console 0
  Boston(config-line)#exec-timeout 3 30
  Boston(config)#line aux 0
  Boston(config-line)#exec-timeout 3 30
Setting Multiple Privilege Levels
Setting Multiple Privilege Levels

router(config)#
  privilege mode {level level command | reset command}
–Level 0 is predefined for user-level access privileges.
–Levels 1 to 14 may be customized for user-level privileges.
–Level 15 is predefined for enable mode (enable command).

  Boston(config)#privilege exec level 2 ping
  Boston(config)#enable secret level 2 Patriot
Configuring Banner Messages
Configuring Banner Messages

router(config)#
  banner {exec | incoming | login | motd | slip-ppp} d message d
–Specifies what is proper use of the system
–Specifies that the system is being monitored
–Specifies that privacy should not be expected when using this system

  Boston(config)#banner motd % WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. %
Configuring Role-Based CLI
Role-Based CLI Overview

–The traditional approach of limiting CLI access based on privilege levels and enable passwords provided too little control:
  –No access control to specific interfaces
  –Commands placed on a higher privilege level could not be reused for lower-privileged users
–CLI views provide more granular control.
–A CLI view lists the commands and interfaces that are accessible from it.
–Access to a view is protected with a secret.
–Views can be grouped into superviews to create large sets of accessible commands and interfaces.
Role-Based CLI Details

–Root view is the highest administrative view.
–Creating and modifying a view or superview is possible only from root view.
–The difference between root view and privilege 15 is that only a root view user can create or modify views and superviews.
–CLI views require aaa new-model:
  –Necessary even with local view authentication
  –View authentication can be offloaded to an AAA server using the new attribute "cli-view-name"
–A maximum of 15 CLI views can exist in addition to the root view.
Getting Started with Role-Based CLI

router#
  enable [privilege-level] [view [view-name]]
–Enters a privilege level or a CLI view.
–Use the enable command with the view parameter to enter the root view.
–Root view requires privilege 15 authentication.
–The aaa new-model command must be enabled.

  Boston(config)#aaa new-model
  Boston(config)#exit
  Boston#enable view
  Password:
  Boston#
  %PARSER-6-VIEW_SWITCH: successfully set to view 'root'
Configuring CLI Views

router(config)#
  parser view view-name
Creates a view and enters view configuration mode

router(config-view)#
  password 5 encrypted-password
Sets a password to protect access to the view

router(config-view)#
  commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
Adds commands or interfaces to a view

  Boston(config)#parser view monitor_view
  Boston(config-view)#password 5 hErMeNe%GiLdE!
  Boston(config-view)#commands exec include show version
Configuring Superviews

router(config)#
  parser view view-name
Creates a (super)view and enters its configuration mode

router(config-view)#
  password 5 encrypted-password
Sets a password to protect access to the superview

router(config-view)#
  view view-name
Adds a CLI view to a superview

  Boston(config)#parser view monitor_audit
  Boston(config-view)#password 5 AnA6TaSiA$
  Boston(config-view)#view monitor_view
  Boston(config-view)#view audit_view
Role-Based CLI Monitoring

router#
  show parser view [all]
–Displays the current view name
–The option all:
  –Displays all CLI views configured on the router
  –Is by default available only to root users
  –Can be added to other CLI views

router#
  debug parser view
Displays debug messages for all views
Role-Based CLI Configuration Example

  Boston(config)#aaa new-model
  Boston(config)#exit
  Boston#enable view
  %PARSER-6-VIEW_SWITCH: successfully set to view root.
  Boston#configure terminal
  Boston(config)#parser view first
  %PARSER-6-VIEW_CREATED:view first successfully created.
  Boston(config-view)#secret 5 firstpass
  Boston(config-view)#command exec include show version
  Boston(config-view)#command exec include configure terminal
  Boston(config-view)#command exec include all show ip
  Boston(config-view)#exit
Role-Based CLI Verification

  Boston>enable view first
  Password:
  %PARSER-6-VIEW_SWITCH:successfully set to view 'first'.
  Boston#?
  Exec commands:
    configure  Enter configuration mode
    enable     Turn on privileged commands
    exit       Exit from the EXEC
    show       Show running system information
  Boston#show ?
    ip       IP information
    parser   Display parser information
    version  System hardware and software status
Role-Based CLI Verification (Cont.)

  Boston#show ip ?
    access-lists         List IP access lists
    accounting           The active IP accounting database
    aliases              IP alias table
    arp                  IP ARP table
    as-path-access-list  List AS path access lists
    bgp                  BGP information
    cache                IP fast-switching route cache
    casa                 Display casa information
    cef                  Cisco Express Forwarding
    community-list       List community-list
    dfp                  DFP information
    dhcp                 Show items in the DHCP database
    drp
    --More--
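The role-based CLI slides above state a small set of rules: views and superviews are created or modified only from the root view, at most 15 views exist besides root, commands include/include-exclusive/exclude adds or withdraws commands (with all covering every command under a prefix), and a superview grants whatever its member views grant. The class below is an added example, not Cisco code, that models those rules so the verification shown on the slides (view first seeing show version, configure terminal and everything under show ip, and nothing else) can be reproduced offline. It assumes include-exclusive means the command is granted to this view and withdrawn from every other view, treats exclusivity as an exact-command match, and ignores interfaces and view secrets entirely; method names, the audit_view contents and the exception class are the example's own.

```python
"""Model of Cisco IOS role-based CLI views as described on these slides.
Added example, not Cisco code."""

MAX_VIEWS = 15  # views allowed in addition to the root view


class RootViewRequired(PermissionError):
    """Raised when a view other than root tries to create or modify views."""


class ViewStore:
    def __init__(self):
        self.views = {}        # view name -> set of (mode, command)
        self.wildcards = {}    # view name -> set of (mode, prefix) from 'all'
        self.superviews = {}   # superview name -> list of member view names
        self.exclusive = {}    # (mode, command) -> view that owns it exclusively

    def _require_root(self, current_view):
        if current_view != "root":
            raise RootViewRequired("views can be created or modified only from the root view")

    def parser_view(self, current_view, name, superview=False):
        """'parser view <name> [superview]' issued while in current_view."""
        self._require_root(current_view)
        if name in self.views or name in self.superviews:
            return                                      # re-entering an existing view
        if len(self.views) + len(self.superviews) >= MAX_VIEWS:
            raise ValueError(f"at most {MAX_VIEWS} views may exist in addition to root")
        if superview:
            self.superviews[name] = []
        else:
            self.views[name] = set()
            self.wildcards[name] = set()

    def commands(self, current_view, view, mode, action, command, all_=False):
        """'commands <mode> {include|include-exclusive|exclude} [all] <command>'."""
        self._require_root(current_view)
        key = (mode, command)
        if action == "exclude":
            self.views[view].discard(key)
            self.wildcards[view].discard(key)
            return
        if action not in ("include", "include-exclusive"):
            raise ValueError(f"unknown action {action!r}")
        if action == "include-exclusive":
            # Assumed meaning: grant here, withdraw from every other view.
            self.exclusive[key] = view
            for other in self.views:
                if other != view:
                    self.views[other].discard(key)
                    self.wildcards[other].discard(key)
        (self.wildcards if all_ else self.views)[view].add(key)

    def add_to_superview(self, current_view, superview, member):
        """'view <member>' entered under 'parser view <superview> superview'."""
        self._require_root(current_view)
        self.superviews[superview].append(member)

    def permitted(self, view, mode, command):
        """Would a user in 'view' be allowed to run 'command' in 'mode'?"""
        if view == "root":
            return True
        if view in self.superviews:
            return any(self.permitted(m, mode, command) for m in self.superviews[view])
        owner = self.exclusive.get((mode, command))
        if owner is not None and owner != view:
            return False                                # exclusive to another view
        if (mode, command) in self.views[view]:
            return True
        return any(m == mode and (command == prefix or command.startswith(prefix + " "))
                   for m, prefix in self.wildcards[view])


if __name__ == "__main__":
    # Reproduce the slide's view 'first' and check what it can see.
    store = ViewStore()
    store.parser_view("root", "first")
    store.commands("root", "first", "exec", "include", "show version")
    store.commands("root", "first", "exec", "include", "configure terminal")
    store.commands("root", "first", "exec", "include", "show ip", all_=True)
    for cmd in ("show version", "show ip route", "show running-config"):
        print(f"{cmd!r:24} permitted in 'first': {store.permitted('first', 'exec', cmd)}")
```

The main block mirrors the verification slides: show version and anything under show ip are permitted, show running-config is not. The same store can then be extended with a superview that unions several views, which is how monitor_audit on the superview slide inherits from monitor_view and audit_view.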
Secure Configuration Files
Secure Configuration Files Introduction

–Traditional risk: the configuration and the image are erased after a router compromise:
  –Availability threat (downtime)
–Need to secure the primary bootset (configuration file and the running image)
–Also known as the Cisco IOS Resilient Configuration feature
–Speeds up the recovery process
–Files must be stored locally
–The feature can be disabled through a console session
Securing Configuration Files

router(config)#
  secure boot-image
Enables Cisco IOS image resilience

router(config)#
  secure boot-config
Stores a secure copy of the primary bootset in persistent storage

router#
  show secure bootset
Displays the status of configuration resilience and the primary bootset filename

  Boston(config)#secure boot-image
  Boston(config)#secure boot-config
Cisco IOS Resilient Configuration Feature Verification

  Boston#show secure bootset
  IOS resilience router id JMX0704L5GH

  IOS image resilience version 12.3 activated at 08:16:51 UTC Sun Jun
  Secure archive slot0:c3745-js2-mz type is image (elf) []
    file size is bytes, run size is bytes
    Runnable image, entry point 0x , run from ram

  IOS configuration resilience version 12.3 activated at 08:17:02 UTC Sun Jun
  Secure archive slot0:.runcfg ar type is config
  configuration archive size 1059 bytes
Secure Configuration Files Recovery

rommon 1 >
  dir [filesystem:]
Lists the contents of the device holding the secure bootset

rommon 1 >
  boot [partition-number:][filename]
Boots the router using the secure bootset image

router(config)#
  secure boot-config [restore filename]
Restores the secure configuration to a filename

  rommon 1 >dir slot0:
  rommon 2 >boot slot0:c3745-js2-mz....
  Router(config)#secure boot-config restore slot0:rescue
  Router#copy slot0:rescue running-config
Summary

–Strong passwords and protection of all access methods are essential for router security.
–Enable secrets should be used in addition to, or instead of, enable passwords for increased password protection.
–The password-encryption service encrypts all system passwords with a Vigenère cipher to protect against shoulder surfing.
–Enhanced username password security provides strong MD5 password hashing.
–A login failure rate and a blocking period after login failures mitigate password attacks.
Summary (Cont.)

–Banner messages should warn against unauthorized access.
–Privilege levels facilitate management by multiple administrators.
–Role-based CLI provides more manageability than privilege levels.
–The Cisco IOS Resilient Configuration feature enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).