If you are fairly new to Cisco Routers, getting them up and running can be a sizable challenge. The problem is that getting the basic functionality out of a Cisco Router is only the beginning; you now need to secure it.

Sure, you can find yourself some confusing manuals at various tech sites, but what does it all mean? Can’t tell your proxy arp from your elbow? Hopefully this article will help.


First of all, we will have to assume that you are at least semi-comfortable with the Cisco command-line interface, or “CLI”.

To start with, Ray has already covered securing the management plane in an earlier article which can be found here: http://cisconews.co.uk/2008/01/12/securing-your-cisco-router/

Physical Security

The first thing to touch upon is a topic which affects all networking devices but is often overlooked. Physical security is one of the most important aspects of network security. All the access-lists and configuration in the world aren’t going to help you when somebody is running down the street with your router under their arm.

Most of the physical side of things is common sense. Keep the router/device in a locked cabinet or room. It is also a good idea to keep a log of all access in and out of this room.

Make sure the room is well ventilated and/or climate-controlled. You should also make sure that the room is not close to anything that may cause interference with the device.

Finally, ensuring the device has a reliable power supply is paramount. A UPS Device is usually a good idea in this scenario.

Software Version

Anyone who has worked with computers before will know that they require constant updates to keep them away from harm. Thankfully, these updates are far less frequent when it comes to Cisco Routers. That being said, there are still vulnerabilities that appear every so often, so it is advisable to keep on top of them.

The best places to go are the links right above this article for various Cisco Feeds. If you want to go straight to the source, check out PSIRT here: http://www.cisco.com/go/psirt/

Configuration Hardening

Once again a line can be drawn between servers/PCs and routers. All of these devices offer features far in excess of what we may actually need, and more functionality usually adds up to more chance of exploitation. Every extra unwanted service you leave running is potentially another way to disrupt service or steal data, so don’t forget to disable them. Here’s how!

Disable CDP – Cisco Discovery Protocol: CDP is a protocol that advertises information about a Cisco device (such as its platform and software version) to its directly connected neighbours. Remember that CDP can actually be of use in your network and is actively used by some services, so you need to be sure you do not need it before disabling it. The “show cdp neighbors” command can be very useful in a Cisco-heavy network, and a lot of Cisco Voice over IP implementations rely on CDP, so do be careful. Luckily, we can disable CDP globally or on a per-interface basis.

To disable CDP globally:

Router(config)#no cdp run

To disable CDP on a per interface basis:

Router(config-if)#no cdp enable 

Disable “Service Config” – Remote config loading: This one is fairly straightforward. Cisco routers have the ability to load their configuration from a TFTP server of your choosing at boot time. Most people have no use for this feature as part of day-to-day administration, and it can therefore be disabled. To disable remote config loading:

Router(config)#no service config 

Disable TCP and UDP Small Services: TCP and UDP small servers are diagnostic tools for Cisco routers left over from UNIX. Again, they see very little use these days and it is generally a good idea to disable them; you can always turn them back on when you need them. Please note that TCP and UDP small servers are disabled by default in IOS 11.3 and newer, so the chances are that you will not need to disable them if you have followed this guide so far and updated your IOS. The TCP small servers are:

Echo – When you type your text is mirrored or echoed back to you.

Chargen – Simply generates a stream of ASCII data.

Discard – Discards whatever you type.

Daytime – Responds with the date and time.

The UDP small servers are:

Echo – Echoes the content of any packets you send to the router.

Discard – Silently discards the packets you send.

Chargen – Discards the packets you send and responds with a 72-character string of ASCII characters.

As you can see, many of these will not be of much use to you, but your environment may dictate that they are needed in a minority of cases. To disable them enter the following commands:

Router(config)#no service tcp-small-servers

Router(config)#no service udp-small-servers

Disable BOOTP Server: BOOTP is a protocol used for assigning addresses to devices ACROSS different subnets/networks. It was originally designed for use by diskless machines so that they could start up, get an IP address and perform their tasks; you can check RFC 951 if you want more detail. Chances are you will quickly realise that you don’t use it, which will allow you to disable it as below:

Router(config)#no ip bootp server 

Disable Source Routing: Source routing is one of those things that sounds bad, looks bad and in 99% of cases *IS* bad. It is simple to describe: it allows the sender of traffic to dictate the route the packet takes. Do you want outsiders dictating how to route traffic through your network? Never mind that, do you want insiders dictating how to route traffic through your network? Thought not. The good news is that nobody uses it these days, so it should be disabled on your router. Here’s how:

Router(config)#no ip source-route

Please bear in mind that any traffic with the source-routing option set will be dropped. There shouldn’t be any legitimate reason to use it though.

Disable Web Server: Here is one of the few cases where you will need to give some thought to the implications of your security spring-clean. The built-in web server on Cisco routers is what provides your SDM GUI access to the device. If you do not use the GUI, you can disable the service. If you do use the GUI, you can lock down access to it. Here’s how:

Perform the following if you do not use the GUI/SDM:

Router(config)#no ip http server

Perform the following if you use the GUI/SDM:

Firstly, create an access list that will dictate which machines and networks get access to the GUI: 

access-list 1 remark ***HTTP_SERVER_ACL***

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 1 deny any log

Then tie the access list in with the following statement:

ip http access-class 1

It’s as simple as that. Now the only people that can log onto the administrative GUI for the router are on the 192.168.1.0/24 network. Further to this, you are now logging any denied attempts.  
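As an added example (not code from the original article), here is a small Python script that evaluates a standard IOS access list the way the router does, first match wins and an implicit deny at the end, so you can check which sources would reach the HTTP server before applying ip http access-class 1. The ACL text is the one above; the function names are my own.

```python
import ipaddress

# Constructed sample: the article's ACL exactly as it appears in the config.
ACL_TEXT = """\
access-list 1 remark ***HTTP_SERVER_ACL***
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny   any log
"""

def parse_standard_acl(text, number):
    """Return [(action, network, wildcard, log)] with addresses as ints for one ACL."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)]:
            continue
        if tok[2] not in ("permit", "deny"):
            continue                      # "remark" lines carry no match logic
        log = tok[-1] == "log"
        src = tok[3:-1] if log else tok[3:]
        if src[0] == "any":               # any == 0.0.0.0 255.255.255.255
            net, wild = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":            # host A.B.C.D == A.B.C.D 0.0.0.0
            net, wild = src[1], "0.0.0.0"
        else:                             # bare address means wildcard 0.0.0.0
            net, wild = src[0], (src[1] if len(src) > 1 else "0.0.0.0")
        entries.append((tok[2], int(ipaddress.IPv4Address(net)),
                        int(ipaddress.IPv4Address(wild)), log))
    return entries

def evaluate(entries, source_ip):
    """Walk the ACL top-down like IOS: first match wins, and an address that
    matches nothing hits the implicit 'deny any' at the end (never logged)."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for action, net, wild, log in entries:
        care = ~wild & 0xFFFFFFFF         # wildcard 0 bits must match, 1 bits are ignored
        if (ip & care) == (net & care):
            return action, log
    return "deny", False

def http_access_report(acl_text, number, sources):
    """Map each candidate source address to its (verdict, logged) pair."""
    entries = parse_standard_acl(acl_text, number)
    return {s: evaluate(entries, s) for s in sources}
```

Running http_access_report(ACL_TEXT, 1, [...]) over the management hosts you expect to use the GUI is a quick way to confirm the list permits them and nothing else before you tie it to the web server.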

Disable SNMP: SNMP can be extremely useful to any network admin. It is used to transmit information related to the device such as bandwidth statistics, errors and log events. If you are certain that you will not use it, you can disable it by doing the following:

Router(config)#no snmp-server 

Interface Configuration: Configuring Interfaces correctly is a key part of securing your router. First of all, you should disable any unused interfaces by doing the following:

Router(config-if)#shutdown

You should then proceed to disable unwanted behaviour on the remaining interfaces:

Router(config-if)#no ip proxy-arp

Router(config-if)#no ip mask-reply

Router(config-if)#no ip directed-broadcast

Proxy ARP is used a lot these days, so be careful which interfaces you disable it on. I would err on the side of caution here and leave it enabled if you are unsure. Proxy ARP is when the router answers an ARP request on behalf of another device and then forwards the traffic on to it. This can be quite common in environments where NAT is used.
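As an added example (not from the article or from Cisco), here is a Python audit that reads a saved running-config and reports which of the hardening lines from this guide are missing. It assumes the config was saved the way IOS prints it, with default settings omitted, so it looks for the explicit lines the guide adds; the sample config and the function names are constructed for the example.

```python
# Constructed sample of a saved "show running-config" (defaults omitted).
SAMPLE_CONFIG = """\
no service tcp-small-servers
no service udp-small-servers
no ip source-route
ip http server
ip http access-class 1
no cdp run
!
interface FastEthernet0/0
 no ip proxy-arp
 no ip mask-reply
 no ip directed-broadcast
!
interface Serial0/0
 ip address 10.0.0.1 255.255.255.252
!
"""

GLOBAL_CHECKS = ["no cdp run", "no service config", "no service tcp-small-servers",
                 "no service udp-small-servers", "no ip bootp server",
                 "no ip source-route", "no snmp-server"]
IF_CHECKS = ["no ip mask-reply", "no ip directed-broadcast"]  # proxy ARP handled below

def split_config(text):
    glob, ifaces, current = [], {}, None   # interface sub-commands are indented
    for line in (l for l in text.splitlines() if l.strip() not in ("", "!")):
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:                               # unindented line: back in global config mode
            current = None
            glob.append(line.strip())
    return glob, ifaces

def audit(text):
    """Sorted findings; an empty list means every recommended line is present."""
    glob, ifaces = split_config(text)
    found = [f"global: missing '{c}'" for c in GLOBAL_CHECKS if c not in glob]
    http_restricted = any(l.startswith("ip http access-class") for l in glob)
    if "no ip http server" not in glob and not http_restricted:
        found.append("global: HTTP server neither disabled nor restricted")
    for name, lines in ifaces.items():
        if "shutdown" in lines:
            continue                        # unused interface already shut down
        found += [f"{name}: missing '{c}'" for c in IF_CHECKS if c not in lines]
        if "no ip proxy-arp" not in lines:
            found.append(f"{name}: proxy ARP still enabled (review per guide)")
    return sorted(found)
```

The proxy ARP line is reported for review rather than as a failure, because the guide says to leave it enabled on interfaces where you are not sure it is unused.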

To go into any more depth than this is beyond the scope of the article. If you are unsure if this will affect you, leave a comment and we will get back to you ASAP. 

Well, that’s enough for one guide. There is certainly more that can be done when locking a router down, such as configuring CBAC, implementing access lists and turning on the IOS IPS feature set but they will have to be covered in another guide.

Thanks for reading. 
