The most basic and most important aspect of protecting a router from unauthorized access is physical security. Anyone with physical access to the router can gain control over it, whether through an unprotected port or by more disruptive methods (performing a password recovery). Therefore, it is vitally important to prevent unauthorized personnel from gaining physical access to the router.
Orgnization’s restricts physical access to all its network devices. All routers and switches are located either in a locked data center or a locked wiring closet. Access to these restricted areas is limited to authorized Bank personnel.
Every Cisco device has a console port that can be used for performing initial configuration. The console port requires a directly-attached connection, so it is typically inconvenient as a management interface once a switch or router is put into production. Once a switch or router is on the production network, management is typically performed through other means, such as a telnet or ssh session.
Even though the console port is not generally used for day-to-day management of a network device, it must be protected from casual access.
An organization uses local password authentication for console access to its routers. The console port is also configured to automatically log out an exec session after it has been idle for five minutes.
The following commands are used to configure the console port for local password authentication:
Router(config)# line con 0
Router(config-line)# exec-timeout 5 0
Router(config-line)# password [console password]
Similar to the console port, the aux port can be used to gain local access to the router. Typically the aux port is used to provide out-of-band access to the router, such as a modem. If the aux port is not needed, it should be have exec access disabled. The following commands will disallow login exec sessions through the aux port.
Router(config)# line aux 0
Router(config-line)# transport input none
Router(config-line)# exec-timeout 0 1
Router(config-line)# no exec
A Cisco device has several virtual terminals (VTYs) that are used for remote administration of the device. Once a device is on a production network, the VTY ports are the primary interface through which configuration tasks are performed.
Organization’s uses local password authentication to restrict VTY access to its routers.
VTY ports can also be protected with an access class. An access class is an access list that defines the source addresses eligible to initiate telnet or ssh sessions to the router.
access-list 20 permit 10.7.1.0 0.0.0.255
access-list 20 permit 10.7.7.0 0.0.0.255
access-list 20 permit 10.7.97.0 0.0.0.255
access-list 20 permit 10.7.146.0 0.0.0.255
access-list 20 deny any
Router(config)# line vty 0 4
Router(config-line)# exec-timeout 5 0
Router(config-line)# password [vty password]
Router(config-line)# transport input ssh
Secure Shell (SSH) protocol is intended as a replacement for telnet due to telnet’s vulnerability to spoofing, man-in-the-middle attacks, and sessions hijacking. SSH is not as vulnerable to these attacks due to its use of encryption keys. Key sizes with a modulus of 360 to 2048 are available for use with SSH, but a modulus of 1048 or greater is recommended. The following steps are used to configure SSH on a router.
Configure the hostname:
Router(config)# hostname ORGANIZATIONRTR1
Configure the DNS domain:
ORGANIZATIONRTR1(config)# ip domain-name organization.com
Generate the SSH key to be used:
ORGANIZATIONRTR1(config)# crypto key generate rsa usage 1024
Enable the SSH transport for the vty:
ORGANIZATIONRTR1(config)# aaa new-mode
ORGANIZATIONRTR1(config)# ip ssh time-out 15
ORGANIZATIONRTR1(config)# ip ssh authentication-retries 3
ORGANIZATIONRTR1(config)# line vty 0 4
ORGANIZATIONRTR1(config-line)# transport input SSH
AAA stands for Authentication, Authorization, and Accounting. As its name suggests, AAA is a framework that allows better control over who is allowed to administer a switch and what commands those administrators are allowed to perform. The accounting function keeps a record of all users logging into a switch and what configuration changes are made.
The biggest advantage of AAA is that it creates a level of accountability for network changes that is unavailable with shared passwords.
The following commands are used to configure AAA:
Router(config)# username localadmin secret
Router(config)# username cview privilege 15 secret
Router(config)# aaa new-model
Router(config)# tacacs-server host 10.7.7.245
Router(config)# tacacs-server directed-request
Router(config)# tacacs-server key
Router(config)# ip tacacs source-interface vlan 7
Router(config)# aaa group server tacacs+ ORGANIZATION-ACS
Router(config)# aaa session-id common
Router(config)# aaa authentication login default group ORGANIZATION-ACS local
Router(config)# aaa accounting send stop-record authentication failure
Router(config)# aaa accounting exec default start-stop group ORGANIZATION-ACS
Router(config)# aaa accounting commands 15 default start-stop group ORGANIZATION-ACS
At this point log off the router and log back in using your AAA ID and Password
The following commands are used to complete the AAA configuration:
Router(config)# aaa authorization config-commands
Router(config)# aaa authorization exec default group ORGANIZATION-ACS local
Router(config)# aaa authorization commands 15 default group ORGANIZATION-ACS local
The configuration of a Cisco router may include several user/password pairs in the config itself. Cisco routers can obscure the passwords through the password encryption service. The password encryption service is easily reversible, but it does provide some protection against passwords being leaked to the casual observer looking at a configuration.
An organization uses the password encryption service on its switches and routers. Use the following commands to enable password encryption:
Router(config)# service password-encryption
The enable password is similar to the root password on a UNIX machine. It allows the user to run any command in IOS, and therefore should be protected appropriately. When the enable password is stored locally on the router, it can be kept one of two ways: as an enable password, or as an enable secret. The enable password is stored in the config just like the passwords obscured by the password encryption service mentioned above. That is, it is easily reversible with utilities freely available on the Internet. By contrast, the enable secret uses a much stronger encryption method to hide the super user password. Unlike an enable password, an enable secret cannot be broken with the password cracking utilities on the Internet. One must use brute force methods to crack a password encrypted with enable secret.
If both an enable password and an enable secret are present in the router config, the enable secret will be used for gaining access to super user mode.
Many organizations uses enable secret on its network equipment. The command to use an enable secret is:
Router(config)# enable secret [superuser_password]
Disabling Unnecessary Services
The services running on a router can be displayed by running the following command which shows all the processes running on a router:
Router# show proc
The Cisco Discovery Protocol (CDP) is a proprietary Layer 2 protocol used to provide host-specific information about other Cisco devices adjacent to a router. CDP can be a useful tool for network troubleshooting, but it can also be used by an attacker to gain intelligence about a network’s topology. CDP is generally okay to run on an internal network (protected from the Internet by a firewall), but there is no reason to run CDP on a router that is exposed to the Internet. CDP is enabled by default, but it can be disabled with the following commands:
To disable CDP on a specific interface,
Router(config-if)# no cdp enable
To globally disable CDP on the entire router,
Router(config)# no cdp run
The original specification for TCP/IP calls for some simple services that should be available on any host running a TCP/IP protocol stack. These services are never needed on a Cisco router, and so they should be disabled. The TCP small services are as follows:
Echo – echoes back whatever the user types.
Chargen – generates a stream of ASCII data.
Discard – throws away whatever the user types.
Daytime – returns the sytem date and time.
Beginning with IOS 11.3, TCP Small Services are disabled by default, but the service can be explicitly disabled with the following command:
Router(config)# no service tcp-small-servers
The original specification for TCP/IP calls for some simple services that should be available on any host running a TCP/IP protocol stack. These services are never needed on a Cisco router, and so they should be disabled. The UDP small services are as follows:
Echo – echoes the payload of the datagram the user sends.
Discard- discard the payload of the datagram the user sends.
Chargen – discards the payload of the datagram the user sends and responds with a 72-character string of ASCII characters.
Beginning with IOS 11.3, UDP Small Services are disabled by default, but the service can be explicitly disabled with the following command:
Router(config)# no service udp-small-servers
The IP finger service is used to tell who else is logged into a network host. Since access to the router should be restricted to authorized users, there is no need for the finger service to be running. This service is enabled by default, but it can be disabled with the following command:
Router(config)# no ip finger
The http server included in Cisco IOS has historically been vulnerable to security vulnerabilities. Unless the http server is being used to configure the router (as opposed to telnet, ssh, or console sessions), it should be disabled. The Cisco http server can be disabled with the following command:
Router(config)# no ip http server
A Cisco router can be configured as a tftp server, allowing other routers to boot from an image stored in flash memory. This service is seldom required, so it should be disabled.
Router(config)# no ip bootp server
A Cisco router may be configured to attempt to load its startup configuration via tftp instead of from local memory. This is dangerous, because the tftp session could potentially be intercepted, leaving an attacker with a copy of the router’s configuration. This service should be disabled.
Router(config)# no service config
IP packets can specify their next hop behavior. This is primarily used for token ring networks, but it can also be used by an attacker to bypass certain security devices on the network. Source routing is unneeded on the organization network, so it should be disabled. Source routing can be disabled with the following command:
Router(config)# no ip source-route
Interfaces that are not currently in use should be shut down. Interfaces can be specifically enabled when they are needed.
Router(config)# interface e0/0
As the name suggests, the multicast route cache contains multicast route cache entries. An organization does not currently use multicast in its network, so the mroute cache can be disabled. Multicast route caching is disabled a per interface basis with the following commands:
Router(config)# interface e0/0
Router(config-if)# no ip mroute-cache
Ethernet networks use the Address Resolution Protocol (ARP) to resolve the MAC address associated with a particular IP address. In normal operations, a host uses ARP to resolve the MAC address of its default gateway, and the appropriate host responds with an ARP reply.
When a host does not “know” its correct default gateway (either the gateway address is missing, or the host is configured with the wrong subnet mask), it will be unable to communicate with hosts outside its local network.
Cisco routers are capable of acting as an ARP proxy for addresses that do not reside on the local network by responding to ARP requests for hosts on a remote network. This service is intended primarily as a convenience, but it has the side effect of extending the L2 segment beyond the router, which is undesirable.
Proxy ARP is enabled by default on all interfaces; it should be explicitly disabled. Proxy ARP can be disabled on a per-interface basis with the following commands:
Router(config)# interface e0/0
Router(config-if)# no ip proxy-arp
When the ip helper-address command is used on an interface, the router forwards UDP broadcasts to the listed server or servers. An example of this is when you want to forward DHCP client requests to a DHCP server. Enabling this option, by default, also forwards six other ports as well. The following commands, are used to disable the unused ports. Following the commands is an explanation of the ports.
Router(config)# no ip forward-protocol udp 67
Router(config)# no ip forward-protocol udp 69
Router(config)# no ip forward-protocol udp 53
Router(config)# no ip forward-protocol udp 37
Router(config)# no ip forward-protocol udp 137
Router(config)# no ip forward-protocol udp 138
Router(config)# no ip forward-protocol udp 68
Router(config)# no ip forward-protocol udp 49
This feature is enabled on the interface of the router and uses the IP CEF adjacency tables to determine whether packets arriving on the interface have a legitimate source address. If a packet with a bogus source address (i.e., not in the CEF tables) arrives on the interface, it is dropped. This feature helps prevent IP spoofing by dropping spoofed packets. The following commands are used to enable IP unicast reverse-path forward:
Router(config)# ip cef
Router(config)# interface e0/0
Router(config-if#) ip verify unicast reverse-path
A directed broadcast is a broadcast that is sent to a remote network, rather than the local segment. Directed broadcasts were historically used as a vehicle to launch denial-of-service (DoS) attacks. Directed broadcasts are disabled by default in recent IOS versions (11.3 and newer), but it can also be explicitly disabled with the following command:
Router(config)# interface e0/0
Router(config-if)# no ip directed-broadcast
The Internet Control Message Protocol (ICMP) complements an IP network by providing useful information about the paths, routes, and network conditions. Of course, this information also happens to be useful to attackers, so its use should be restricted in order to maximize security.
Three ICMP messages are especially useful to an attacker hoping to gain information about a network’s topology:
- ICMP Unreachable – tells a host that a destination address cannot be found. Useful to determine the boundaries of a network.
- ICMP Redirect – if a host has incorrect information about the default gateway, a redirect will inform the host of the correct gateway address
- ICMP Mask-Reply – Informs the host of the correct subnet mask for the network. Valuable to an attacker trying to gather information.
Thes ICMP messages can be disabled on a per-interface basis with the following commands:
Router(config)# interface e0/0
Router(config-if)# no ip redirect
Router(config-if)# no ip unreachable
Router(config-if)# no ip mask-reply
Access lists are an essential tool for controlling traffic flows in a network.
Can prevent many routing attacks. Each router is authenticated through an authentication key that they all share. Each sending router uses the shared key to sign each route table update message. The receiving router verifies that the shared secret key is correct before accepting the route table update message. OSPF uses plaintext and MD5 neighbor authentication. Plaintext authentication does not provide much security as the shared key is sent in plain text in the header of the OSPF packet.
Router(config)# router ospf 1
Router(config-router)# network 192.168.0.0 0.0.255.255 area 0
Router(config-router)# area 0 authentication message digest
Router(config)# interface e0/0
Router(config-if)# ip ospf message-digest-key 1 md5 sh@redkey
Can prevent many routing attacks. Each router is authenticated through an authentication key that they all share. Each sending router uses the shared key to sign each route table update message. The receiving router verifies that the shared secret key is correct before accepting the route table update message. BGP authentication is configured between the organizations router and the ISP router.
Router(config)# router bgp [ORGANIZATION AS Number]
Router(config-router)# neighbor 192.168.0.0 0 remote-as [ISP AS Number]
Router(config-router)# neighbor 192.168.0.0 password sh@redkey
Used to prevent SYN-flood attacks from casuing a Denial-of-Service (DoS) on the router. TCP intercept helps prevent these type of attacks by intercepting TCP SYN packets from clients to servers that match an ACL. The TCP intercept software establishes a connection with the client and also a connection with the server and once both of these connections are validated it joins the connections together. If all connections do not want to be monitored then watch mode can be implemented and only connections that fail establish in a configurable interval are terminated.
When a router or switch becomes unreachable through normal means as a result of network outage issues, it is necessary to have some other method of administering the device remotely. This is typically accomplished by attaching a modem to the AUX port of a router. In larger environments, a separate router (reachable through out-of-band means) with asynchronous serial ports can be configured to provide console access to many network devices.
The login banner is a warning to explicitly prohibit unauthorized access to the router. The login banner is configured with the following commands:
Router(config)# banner motd ^C
Warning! Authorized Users Only on this Network
This Equipment is for the use of authorized personnel for approved
business purposes only. Violators can be subject to disciplinary action
and/or criminal prosecution. Access to this device may be monitored.
The hostname gives the router a unique identity on the network. The hostname is crucial for management purposes, since all Cisco routers start out with the same default hostname, “Router.”
Assign a hostname with the following commands:
Router(config)# hostname ORGANIZATION
A Cisco router gives the administrator the ability to create a virtual interface, known as a loopback. A loopback interface can be assigned a network address just like any other interface; the loopback interface can be used a variety of ways, but one of the most common uses is to create a single address for all management purposes. The loopback interface can be created and configured with the following commands:
Router(config)# interface Loopback0
Router(config-if)# ip address 10.7.254.30 255.255.255.255
Router(config-if)# no ip redirects
Router(config-if)# no ip unreachables
The Domain Name System (DNS) is a mechanism that allows one to refer to a network host by name, rather than by IP address. For convenience, a router can be added to DNS just like any other host. This makes administration somewhat easier, since the administrator can refer to a router by its hostname instead of by IP address
The network time protocol is used to synchronize the system clocks of networked devices. Synchronous time across an entire network is a very important aspect of a well-run network. Kerberos and certificate authentication, intrustion detection systems, and performing an accurate forsensic analysis all rely on synchronous time across an entire network.
Router(config)# ntp source Loopback0
Router(config)# ntp server 10.7.254.30
Router(config)# ntp server 10.7.254.31
Cisco routers can be configured to apply timestamps to debug and log messages. Timestamps are essential to correllate debug or syslog events between different devices across the network. The timestamp service uses the router’s system clock, which should be set via NTP (see above). Configuring timestamps on debug and syslog messages is done with the following commands:
Router(config)# service timestamps debug datetime msec localtime show-timezone
Router(config)# service timestamps log datetime msec localtime show-timezone
The Simple Network Management Protocol (SNMP) is very useful configuration and monitoring protocol on the inside of the network, but presents a vulnerability if SNMP strings are allowed in from outside of the network. It is recommended to block SNMP with access lists at the perimeter of the network. The following commands block SNMP. Refer to the ACL Configuration Standards for the more information.
Typically SNMP messages are sent from Network Management Systems and possibly a few other devices on the network. It is recommended that access lists be added to all routers to only accept SNMP messages from these devices.
Public and private the default SNMP community strings and their use is not recommended. It is recommended to use complex SNMP read-write community strings. A combination of uppercase letters, lowercase letters, base 10 digits, and non-alphabetic characters is recommended for use in SNMP read-write community strings.
Cisco routers can provide a wealth of information to the network administrator through system log (syslog) messages. The content of syslog messages can vary widely, from routine update messages to ultra-detailed debugging messages. The content of these messages are categorized by severity level. The lower the number the more critical the message. Below are the IOS severity levels:
Syslog messages can be sent to a number of different outputs, including the system console, a local buffer for logging messages, and a syslog server.
Logging to the console is enabled by default, but doing so is not recommended for a production environment. Each character sent to the system console generates a CPU interrupt; when logging lots of information to the console, this can result in severely degraded performance, or even a system crash. An organization may disable logging to the console port for its network devices. Console logging is disabled with the following command:
Router(config)# no logging console
The syslog messages generated by a router can also be stored locally in a buffer dedicated to that purpose. The local buffer is handy for viewing recent syslog messages without having to pore through thousands of messages on a dedicated syslog server.
By default, the local logging buffer is set at 4K in size. Since the local buffer is overwritten when it fills up, it is usually beneficial to increase the size of the buffer. The following command sets the local syslog buffer to 16K, and sends all messages of debug (level 7) or lower:
Router(config)# logging buffer 16384 debugging
Syslog messages can also be sent to a syslog server. It is generally not necessary to send extremely detailed logging messages over the network, since doing so will fill up the syslog server with unnecessary information. Instead, configure the router to send traps at informational (level 7) or lower. Use the following commands to send syslog messages to a syslog server:
Router(config)# logging host [syslog_server_ip]
Router(config)# logging trap notifications