How to secure a Cisco router

Tuesday, March 16, 2010

Ted LeRoy

E4b33dbe234685965beb3e9f2a0ad456

A more accurate title for this article would have been how to increase security on a Cisco border router, but that's too long. 

This article assumes some familiarity with Cisco routers.  If you're not familiar with Cisco IOS command line interaction, consult reference [2] below, or Cisco documentation.

Thoroughly securing a Cisco router (or any router) is a topic that can require its own book(s) (see the references at the end of this article).  I will cover the basics here though.  The low hanging fruit.

Before you begin, keep a copy of your present, working router configuration in pristine condition.  Save the edited configuration to a new file.  The same goes for IOS code.  Make sure you have a full copy of the version you're running before you upgrade.

1.  Upgrade IOS.  Upgrade to the latest stable code version available for your router.  Like other operating systems, Cisco IOS is upgraded for various reasons including to fix security flaws.  How to do that is beyond the scope of this article but you can find more info here:

http://www.cisco.com/en/US/products/hw/routers/ps259/products_tech_note09186a00801fc986.shtml

2.  Generate an rsa crypto-key.   If your router code supports cryptography, enter the following commands to create a crypto-key for later use with SSH (if your router does not support cryptography, you will receive an error when you try to enter the commands):

hostname [enter a hostname for your router]

ip domain-name [enter your domain name i.e. mydomain.com]

crypto key generate rsa

If it works, the router will process the command for a moment then ask you how many bits the modulus should be.  If permitted by you local laws regarding cryptograpy, enter 1024.  If not, enter the largest number you are entitled to use.

3.  Disable unneeded services. There are many services that are enabled by default on Cisco routers.  Each can provide information an attacker can use.  There is a free utility called Yersinia that can be used to obtain Cisco Discovery Protocol (CDP) information over the Internet for example.

Global commands:

no service tcp-small-servers

no service udp-small-servers

no service dhcp

no ip bootp server

no service finger

no ip http server [you may not want to enter this command if you use Adaptive Security Device Manager (ASDM) to manager your router over HTTP]

no ip http secure-server [you may not want to enter this command if you use ASDM to manager your router over HTTPS]

no snmp-server

no cdp run

no service config

no ip gratuitous-arps

no ip source-route

ip options drop

Interface commands (enter these on each interface in use):

no ip directed-broadcast

no ip unreachables

no ip redirects

no ip mask-reply

no ip proxy-arp

In addition to the above, the shutdown command should be applied to interfaces that are not in use.

4.  Enable 'good' services.  Some beneficial services are not enabled by default.  We'll turn them on:

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec show-timezone localtime

service timestamps log datetime msec show-timezone localtime

5.  Secure local and remote access.

Console line configuration:

line con 0

exec-timeout 5 0

login

Auxiliary line configuration (should be disabled unless needed for remote access):

line aux 0

no exec

exec-timeout 0 10

transport input none

VTY lines (virtual lines for remote access over the network):

line vty 0 4

exec-timeout 5 0

login

transport input telnet ssh

(If you can configure SSH for remote access, it is recommended that you remove the word telnet from the above command and only use SSH for remote access.)

6.  Set and secure passwords.

service password-encryption

enable secret 0 [enter your password here]

Console line

line con 0

password [enter your password here]

Auxiliary Line

line aux 0

password [enter your password here]

7.  Enable and configure logging.  Ideally, logs should be sent to a hardened syslog server so they cannot be tampered with and so they are more permanent.  Local logs are deleted whenever the router is rebooted.  We will configure local logging here though.

logging enable

logging buffered 16000

logging console critical

logging trap informational

8.  Other measures.  Additional measures you can take include:

8.a.  Drop bogon and Martian traffic.  Handling of bogon and Martian addresses.  Bogon addresses are addresses that have not been issued by the IANA, so they should not appear on the Internet.  Martians are reserved addresses and they also should not appear on the Internet.  If either does appear, it is either coming from a mis-configured router or device, or it is an attack attempt of some kind (they are fake or 'spoofed' addresses).  There are several ways to handle these. Team Cymru's site has more information about bogon and Martian addresses.  [3]

8.a.1.  Null Routing - You could null route them (create a static mapping sending all bogon and Martian addresses not in use on the router to the null interface).  This is my favorite method.  It drops the traffic with minimal processing.

8.a.2.  Use an Access Control Lists (ACLs) - Set up an ACL to drop and log each violation.  Although this method provides more information, it also uses up more processing power.  Since one reason you may receive spoofed packets is in conjunction with a Denial of Service (DoS) attack of some kind, it seems prudent to minimize the burden on the processor, hence the suggested method above.

8.a.3.   Verify unicast reverse-path - To use this method, configure Cisco express forwarding globally using the ip cef command, then run the command ip verify unicast reverse-path on each interface that faces the Internet.  Although easy to configure, and easy on the processor, I'm not sure how well it works with a single static default route as is the case for most small organizations.  I'd like to hear the thoughts of some of you Cisco pro's out there about whether it works on a small network (i.e. one not running Border Gateway Protocol (BGP).

8.b.  Configure Authentication, Authorization and Accounging (AAA) -  Configure the American Automotive Association... Just seeing if you're still awake!

Configure AAA, even if only used locally.  It allows for more granularity of access and logging of activities.  You can, for example, have a log entry created for each command a user enters.  Very handy for finding configuration mistakes or typo's or correcting the nastiness of an intruder.

aaa new-model

aaa authentication login default local

aaa authorization commands 15 default local

8.c.  Access Control Lists - Control the flow of traffic through the router with ACLs.  For example, traffic from the inside interface of the router should not come in to the router from the Internet.  Filter for that using an ACL.  ACL configuration has to be done for your specific network.  See references [3] and [4] below for more.

9.  Why this article?  Quite often, at the end of a 'teaser' article like this, the author tries to sell you something.  I'm not selling you anything!  I want to make the Internet a safer place, and I want to make that easy for you.

There are several free utilities that can help you secure your router including:

Router Administration Tool (RAT):

http://members.cisecurity.org/kb/category.php?id=21

Cisco AutoSecure:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123_1/ftatosec.htm

and my project,

BRST - Border Router Security Tool, SourceForge

https://sourceforge.net/projects/borderroutersec/

Of the three listed above, only the BRST is open source.  RAT is available for free, but is proprietary.  Cisco AutoSecure is 'free' but is not available for all router models and IOS versions and is proprietary.  

Compare, contrast, play, provide feedback on all three.  Use great caution on production routers though!

Thanks for your time!

[1] NSA/SNAC Router Security Configuration Guide, Executive Summary

http://www.nsa.gov/ia/_files/routers/cisco_exec_sum.pdf

[2] NSA/SNAC Router Security Configuration Guide 1.1c

http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf

[3] Secure IOS Template v6.2 01 Feb 2010, Team Cymru

http://www.cymru.com/Documents/secure-ios-template.html

[4] Cisco IOS Security Configuration Guide, Release 12.4

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html

[5] Hardening Cisco Routers, By Thomas Akin, O'Reilly, 2002

[6] BRST - Border Router Security Tool, SourceForge Project

https://sourceforge.net/projects/borderroutersec/

[7] BRST - Border Router Security Tool Questionnaire, SourceForge

http://borderroutersec.sourceforge.net/

Possibly Related Articles:
35232
Firewalls IDS/IDP Network Access Control Network->General
Cisco Best Practices
Post Rating I Like this!
Default-avatar
Richard Meduri Ted,

Thanks for posting this. It is a very good summary of a solid IOS config and should go a long way toward helping secure our routers better.
1272226393
Default-avatar
john jones Whenever I hear cisco I think of phone systems. Do they have voip systems like http://www.freedomiq.com? Or do they mainly stick with selling routers? I have never used a cisco router. We have always used linux.
1303302102
E4b33dbe234685965beb3e9f2a0ad456
Ted LeRoy Hi John,
Cisco has VOIP related products, but they're quite expensive. I recommend researching less expensive products like Asterisk. Cisco is known much more for its routing/switching/firewall products.
Ted
1303306308
Default-avatar
john jones Thanks Ted. I will look into Asterisk.
1303309724
E4b33dbe234685965beb3e9f2a0ad456
Ted LeRoy Hi Hanna,

Glad the article helped you!

Hi mivplsusan,
What parts do you take issue with regarding use with a single static default route on a small network?
That's the target audience for this article and for the Border Router Security Tool.
1306784921
E4b33dbe234685965beb3e9f2a0ad456
Ted LeRoy You're most welcome Jadranka. I'm glad you found the post useful. Please bear in mind that it was just an attempt to summarize the recommendations in the referenced articles, and that an automated tool is available at http://www.borderroutersec.org.
1309267131
E4b33dbe234685965beb3e9f2a0ad456
Ted LeRoy Hi Jamie and Irwan,

Thanks for the comments and I'm glad the article was helpful. It's really just a brief overview of what's available in the references I cited. It does go a long way toward securing your Cisco router(s) though.
Ted
1311087845
Default-avatar
Todd Vohs Ted, would you contact me about this? It is great information. I have one question as I cannot access my router now but my network is a little different.
1311289053
E4b33dbe234685965beb3e9f2a0ad456
Ted LeRoy Hi Todd,

I recommend you look up password recovery option for your 2621.

Ted
1311303808
Default-avatar
Peter Smith I know that the configuration of a Cisco IOS device contains many sensitive details. Usernames, passwords, and the contents of access control lists are examples of this type of information. The repository that you use in order to archive Cisco IOS device configurations needs to be secured.Insecure access to this information can undermine the security of the entire network. You should use a term paper to prevent it!
1311416324
E4b33dbe234685965beb3e9f2a0ad456
Ted LeRoy Hi Peter,
Any router or switch configuration file should be treated as highly sensitive information and stored appropriately. I recommend an OpenBSD or FreeBSD syslog server and repository. Lock it down.
Ted
1311859425
E4b33dbe234685965beb3e9f2a0ad456
Ted LeRoy I'm glad it was helpful to you Natsu (Kue?).

Ted
1312902324
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked