13-1 Suggested Ways to Secure a Router

This section presents some ideas and suggestions that you can use to improve security on the router itself. Although a router is usually configured to provide network connectivity and services to other parts of a network, it too is subject to some types of security exploits.

User Authentication on the Router

  • Passwords (local authentication) - Use the (global) username username password password command to define a locally authenticated user and password. By defining individual usernames, you can control user access at a finer granularity. You also can configure the router to generate an audit trail if needed.

    NOTE

    You should use the (global) service password-encryption command so that passwords contained in the router configuration are encoded before they are displayed. This can be useful when you need to view or share a configuration with other people. However, the "encryption" algorithm is a simple one based on a Vigenere Cipher, and it should not be a substitute for proper security. Make sure you store and protect your configuration files as if they have cleartext passwords displayed.


  • The enable password - Always use the (global) enable secret command to define the privileged-level (enable) password. This command stores the password as an MD5 hash, a one-way function that is considered irreversible, so the original password cannot be recovered from the configuration.

  • AAA authentication - For the most flexible and scalable management of user access, you should use AAA. See Section 13-2 for further information.

Control Access to the Router Lines

Interactive access is available on all router "lines," such as the Console, Aux, async, and VTY lines. The VTY lines provide a means to Telnet to the router (port 23 and other, higher port numbers), whereas the other lines require a physical connection. Other means of access also exist, including rlogin, SSH, LAT, MOP, X.29, V.120, and other protocols.

Be sure to configure some form of authentication on all router lines. If a line is not needed for user access, disable interactive logins with the (line) login and (line) no password commands. Users can use reverse-Telnet to connect to a physical line (Aux and async lines) remotely. If this is not desired, use the (line) transport input none command to disable remote access.

VTY lines should be configured for the necessary access protocols only. Use the (line) transport input telnet command to enable reverse Telnet, or transport input telnet ssh to enable only Telnet and SSH access. You should also define standard IP access lists to permit only known host IP addresses to Telnet into the router. Do this with the (line) ip access-class acc-list-number command on each line.

Be aware that a router supports a limited number of VTY lines so that multiple Telnet sessions can exist. If all of these VTY lines are in use (either with successful authentications or just left at the login prompt), no other users can Telnet to the router. This might mean that you are unable to use Telnet to access a router remotely when you really need to! To prevent this from happening, set a session timeout on the VTY lines: (line) exec-timeout minutes seconds. You should also consider reserving the highest-numbered VTY line exclusively for management purposes. Do this by using an access list that permits only specific management station IP addresses, along with the (line) ip access-class command for the last VTY line.

Refer to Section 1-1 for further configuration information.

Use Warning Banners to Inform Users

You should configure warning banners to inform users of the legal requirements and consequences of unauthorized access to your router and your network. Use the (global) banner login command to define a banner message that is displayed before the username and password prompts.

To properly inform would-be users, and to be able to prosecute malicious visitors to your router, you should place additional information in the banner. Identify your company, and state that all access and actions are monitored and recorded. Also state that unauthorized actions are prohibited and might be prosecuted. You should consult your local legal counsel for help in deciding what information to place in your banner. For an example, see the "Security" section of the FBI's Web site at http://www.fbi.gov/privacy.htm.

NOTE

If you use a login banner, don't display any specific information about your router or your network. Examples of this include the router name, model, manufacturer, software, or who owns or maintains the router. Unauthorized users (crackers) can use unintentional hints as leverage to find a way to compromise your network.


Router Management

  • SNMP - If SNMP is used, you should try to use SNMP v2 if possible. Version 2 has support for MD5 authentication, which is much more secure than the cleartext version 1 community string. If Version 1 must be used, configure unique read-only and read-write community strings that can't be easily guessed (unlike the default "public" and "private" community strings). Also, use standard IP access lists to limit the router's SNMP access to specific management stations. See Section 1-6 for further configuration details about SNMP.

  • HTTP - You should carefully consider using the HTTP management interface on a router. HTTP uses cleartext passwords unless it is used in conjunction with a more secure authentication method such as AAA. Also, configure a standard access list to limit HTTP management traffic to specific management stations. See Section 1-1 for more information.

Implement Logging on the Router

A router can generate logging information for a variety of activities. Logging creates an audit trail for things such as AAA, router command usage, SNMP traps, system activity, access list violations, intrusion detection alerts, and debugging information. Logging should be disabled on the router console due to the relatively slow speed of the async line. Instead, configure logging to the router's buffer in memory (logging buffered) and also to one or more syslog servers. Logging is much more efficient with these methods, and a running record can be maintained in the syslog files on the servers. See Section 1-6 for more information about logging.

Control Spoofed Information

  • Address spoofing - A malicious user can send packets to your network with "spoofed" IP addresses. These addresses either don't exist or are unreachable, so the targets of an attack can't successfully reply to or open connections that were originated by the source. Obviously, you want your router to filter out any packets with spoofed source addresses so that no internal hosts have to deal with attack traffic.

    • Use access lists to deny spoofed addresses:

       (global) access-list acc-list-number deny ip internal-network mask any

      Spoofed IP addresses are used on inbound packets from the outside, using source addresses from the inside of your network. If allowed in, the packets can reach an internal target, but replies will never find the original source.

      In addition, inbound packets can have source addresses corresponding to the RFC 1918 routes or other illegal values: 10.0.0.0 (private class A network), 127.0.0.0 (reserved for loopback), 169.254.0.0 (used by Microsoft for failed DHCP), 172.16.0.0 to 172.31.0.0 (private class B networks), 192.168.0.0 (private class C networks), and 224.0.0.0 (multicast; never used as a source address). For these, additional commands should be added to the access list:

       (global) access-list acc-list-number deny ip 10.0.0.0 0.255.255.255 any
       (global) access-list acc-list-number deny ip 127.0.0.0 0.255.255.255 any
       (global) access-list acc-list-number deny ip 169.254.0.0 0.0.255.255 any
       (global) access-list acc-list-number deny ip 172.16.0.0 0.15.255.255 any
       (global) access-list acc-list-number deny ip 192.168.0.0 0.0.255.255 any
       (global) access-list acc-list-number deny ip 224.0.0.0 31.255.255.255 any

    • Use Reverse Path Forwarding (RPF) - RPF can also be used to identify and drop spoofed traffic. RPF is used on the inbound interface of a router that borders a public network. When a packet is received, the router performs a reverse route lookup on the source address in the CEF database (FIB). If a known route back to the source exists, and that route points to the same interface on which the packet was received (or to any other redundant path back to the source), the packet is routed. If no reverse route is found, the packet is dropped. RPF must be used with global CEF switching enabled on the router:

       (global) ip cef
       (interface) ip verify unicast reverse-path
  • Routing update spoofing - Routing updates can also be spoofed and advertised into your local routing domain. You should use the various routing protocol authentication mechanisms to validate that advertisements are coming from trusted routing peers.
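
As an added illustration that is not code from the book, the following Python evaluates the anti-spoofing access list above with IOS wildcard-mask semantics and the implicit deny, and performs the strict RPF reverse lookup described for the border interface. The internal network 192.0.2.0/24, the trailing permit entry, the FIB contents and the interface names are constructed assumptions.

```python
import ipaddress
# Constructed ACL built from this section's entries; the internal network is
# assumed to be 192.0.2.0/24, and a final permit lets legitimate traffic through.
ANTI_SPOOF_ACL = """
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 permit ip any any
""".strip().splitlines()

def parse_addr(tokens):
    """Return ((network, wildcard), remaining tokens) for 'any' or 'A W'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (net, wild), tokens[2:]

def wildcard_match(addr, spec):
    # IOS wildcard semantics: a 1 bit means "don't care", so only the 0 bits of
    # the wildcard are compared (0.15.255.255 therefore spans 172.16-172.31).
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == net & care

def acl_action(acl_lines, src, dst):
    """First match wins; a packet matching no entry hits the implicit deny."""
    for line in acl_lines:
        tokens = line.split()  # access-list N action proto SRC [W] DST [W]
        s_spec, rest = parse_addr(tokens[4:])
        d_spec, _ = parse_addr(rest)
        if wildcard_match(src, s_spec) and wildcard_match(dst, d_spec):
            return tokens[2]
    return "deny"

# Constructed FIB for the strict RPF check: prefix -> interface it is reached via.
FIB = {"192.0.2.0/24": "Ethernet0", "203.0.113.0/24": "Serial0"}

def rpf_accepts(src, in_iface):
    """Reverse lookup: accept only if the best route to the source points back
    out the arrival interface; drop when no reverse route exists."""
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(src) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == in_iface
```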

Control Unnecessary Router Services

  • Cisco Discovery Protocol (CDP) - CDP should be disabled at the edges of your network so that information about your routers doesn't get propagated to untrusted recipients. CDP is forwarded only to directly connected neighbors on router interfaces. Disable CDP on an interface with the (interface) no cdp enable command.

  • Network Time Protocol (NTP) - If NTP is used in your network, you should configure specific addresses for the trusted time sources. NTP authentication should also be used. If NTP is not needed, you can disable it with the (global) no ntp enable command.

  • UDP and TCP services - By default, the UDP and TCP "small services" (echo, chargen, discard, and daytime services) are disabled on IOS 12.0 and greater. These services are almost never needed, and they can be abused if they are enabled. When they are disabled, the router sends ICMP port unreachable messages if the UDP services are attempted and resets the TCP connections if the TCP services are attempted. If these services are enabled, you can disable them:

     (global) no service tcp-small-servers
     (global) no service udp-small-servers
  • Finger - You should disable the finger service, which provides information about users who are connected to the router. Use the (global) no service finger command.

  • ICMP packets - You should be selective about the type of ICMP packets you allow into your network. Some ICMP messages can be exploited and used for attacks. As a rule of thumb, you should filter ICMP at a border router using a standard IP access list like the following:

     (global) access-list acc-list-number permit icmp any any echo-reply
     (global) access-list acc-list-number permit icmp any internal-network mask time-exceeded
     (global) access-list acc-list-number permit icmp any internal-network mask packet-too-big
     (global) access-list acc-list-number permit icmp any internal-network mask traceroute
     (global) access-list acc-list-number permit icmp any internal-network mask unreachable

    You should allow these ICMP messages into your network: Ping replies (echo-reply), TTL exceeded (time-exceeded), Path MTU discovery (packet-too-big), traceroute, and unreachable. All other types are implicitly denied at the end of the access list.

  • Directed broadcasts - You should disable directed broadcasts, which send packets to a subnet's broadcast address. Obviously, if the directed broadcast were forwarded by the router, every host on the subnet would receive it and try to respond to the source address. Disable directed broadcasts on every interface of every router in your network:

     (interface) no ip directed-broadcast

    In IOS 12.0 and greater, directed broadcasts are disabled on every interface by default.

  • IP source routing - IP packets can contain an explicit source route field that lists the exact path a packet should take through the network. In most cases, this is not needed, can be exploited, and should be disabled:

     (global) no ip source-route
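
To tie the recommendations in this section together, here is an added Python audit (not code from the book) that checks a saved running-config text for several of the settings above: the required global commands, small services and finger that should be off, a syslog destination, and exec-timeout, access-class and transport input on each VTY line block. The sample configuration is constructed; because IOS does not display every default setting in its configuration, a reported "missing" command can also mean the default is in effect and should be verified on the device.

```python
import re
# Constructed running-config excerpt (not from the book) used as audit input.
SAMPLE_CONFIG = """
service tcp-small-servers
enable password cisco123
banner login ^C Authorized access only. Activity is monitored and recorded. ^C
logging buffered 16384
line vty 0 4
 exec-timeout 10 0
 login local
 transport input telnet ssh
"""

# Global commands this section recommends, matched as prefixes of config lines.
REQUIRED_GLOBAL = {
    "service password-encryption": "passwords appear in cleartext in the configuration",
    "enable secret": "no MD5-hashed enable secret (enable password is reversible)",
    "banner login": "no login banner",
    "logging buffered": "no in-memory log buffer",
    "no ip source-route": "IP source routing not disabled",
}
# Services this section says to turn off; their presence means they are enabled.
FORBIDDEN_GLOBAL = ["service tcp-small-servers", "service udp-small-servers", "service finger"]
REQUIRED_LINE = ["exec-timeout", "access-class", "transport input"]  # per VTY line block

def audit_config(text):
    lines = text.strip().splitlines()
    globals_ = [l for l in lines if not l.startswith(" ")]
    findings = []
    for cmd, why in REQUIRED_GLOBAL.items():
        if not any(g == cmd or g.startswith(cmd + " ") for g in globals_):
            findings.append(f"missing '{cmd}': {why}")
    for cmd in FORBIDDEN_GLOBAL:
        if cmd in globals_:
            findings.append(f"'{cmd}' is enabled and should be disabled")
    if not any(re.match(r"logging (host )?\d", g) for g in globals_):
        findings.append("no syslog server configured")
    # Indented lines belong to the preceding 'line ...' block; audit each vty block.
    block, body = None, []
    for l in lines + ["end"]:
        if l.startswith(" "):
            body.append(l.strip())
            continue
        if block and block.startswith("line vty"):
            for cmd in REQUIRED_LINE:
                if not any(b.startswith(cmd) for b in body):
                    findings.append(f"{block}: missing '{cmd}'")
        block, body = (l if l.startswith("line ") else None), []
    return findings
```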


Cisco Field Manual: Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185
