Networking devices include, among others, routers, switches, firewalls, and NIDS. Hardening these four types of devices is the subject of this section. As you learned earlier, the default security of these devices can be quite a bit different, which changes the amount of work required to harden a particular device.
An important characteristic of all these devices is the availability of a console port. The console port has privileged access to these devices because it generally implies physical access to the device (though this could be a modem). The console port defaults to having initial authentication that is weak or nonexistent and is able to send a break signal to the device upon boot. This is used to reset most of these types of devices or to recover from a lost password.
Because of the capabilities of a console port, it is important to control physical access to networking devices whenever possible. Chapter 6 outlines physical security considerations.
This section on network devices assumes the devices are not running on general-purpose operating systems. If they are, be sure to run the host operating system (OS) hardening steps as well as the network device hardening steps.
From a configuration perspective, the methods for hardening a router or switch are very similar. Detailed examples of Cisco IOS configuration are provided, and Cisco CatOS switch configuration is covered in summary.
Router hardening has garnered quite a bit of attention of late because attacks have targeted routed infrastructure more and more. This section outlines steps to take when hardening a router; configuration examples are for Cisco IOS devices. For more information about router hardening, the following resources are useful:
Improving Security on Cisco Routers: http://www.cisco.com/warp/public/707/21.html
Building Bastion Routers Using Cisco IOS: http://www.phrack.com/phrack/55/P55-10
NSA Router Security Configuration Guide (290 pages!): http://www.nsa.gov/snac/cisco/
Basic Hardening Settings
The following hardening steps are useful on almost every router you deploy in a network. These steps include disabling unneeded services and ensuring that passwords are encrypted whenever possible.
Disable Unneeded Services
Turn off Domain Name System (DNS) lookups for the router with the following command. Although not strictly security related, this is the first command to type on a fresh router before doing any other configuration (assuming, of course, you don't need domain resolution for a feature you plan to use). Otherwise, be careful to avoid input errors. Typing the command enadle instead of enable will result in a long timeout while the router tries to find host "enadle" and communicate with it.
Router(config)#no ip domain-lookup
Disable small services such as echo, chargen, and discard, as well as the finger service. After Cisco IOS Release 11.3, these services are disabled by default, but it never hurts to have these commands as part of the script you use to harden a device. These small services should almost always be turned off because they have no legitimate use:
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Router(config)#no service finger
Disable bootp server with the following command if you aren't using it on your network (most don't):
Router(config)#no ip bootp server
Disable source routing and directed broadcast. These should be off by default on reasonably current routers, but make sure with the following commands:
Router(config-if)#no ip directed-broadcast
Router(config)#no ip source-route
You can disable Proxy ARP in most situations, assuming your devices are routing aware:
Router(config-if)#no ip proxy-arp
ICMP redirects should be sent only to end systems that have multiple outbound routes from which to choose. In situations in which IP redirects are unnecessary, disable them with the following command:
Router(config-if)#no ip redirects
The service password-encryption command enables a simple Vigenère cipher, which encrypts most passwords on a router that would otherwise be shown as cleartext in the configuration. This cipher, as implemented on Cisco routers, is very weak and can easily be broken. It is enabled primarily to prevent a casual observer from noting your passwords. For example, you might not want a coworker observing your work to learn the password for your router after you type wr t.
This section outlines authentication-related settings, including the use of enable secret, login banners, line access, usernames stored locally or through AAA servers, and device access by SSH.
Enable strong MD5 hashed passwords for router Enable mode. The following command should be used instead of the basic enable password, which is protected only by service password-encryption. It is much more secure, though it has the same susceptibility to dictionary attacks as any hashed password. Choosing strong passwords mitigates dictionary attacks.
Router(config)#enable secret password
Enable a warning banner to be presented to users when they connect to the device. This sort of banner can aid in prosecution in some jurisdictions and should generally at least include a statement saying that unauthorized access is prohibited. Be sure not to disclose any information that would be useful to an attacker, such as platform type, software version, owner, location, and so on.
Router(config)#banner motd ^
Enter TEXT message. End with the character '^'.
Enter your warning banner message here.
^
On a standard Cisco router, there are three primary ways to log on: the console port, the aux port, and the vty (virtual terminal) lines.
Fresh out of the box, only the console and aux ports can be used to access the device. Generally, only the console port is needed and not the aux port. To set up the console port, enter the following commands:
Router(config)#line con 0
Router(config-line)#exec-timeout 5 0
Router(config-line)#password password
Router(config-line)#login
These commands enable login with a local password and time out the connection after 5 minutes and 0 seconds of inactivity.
To disable the aux port, type the following commands:
Router(config)#line aux 0
Router(config-line)#no exec
Turning off exec prevents logon to the device. Any additional commands such as transport input none or exec-timeout 0 1 aren't going to make you more secure, but feel free to type them if you want. Controlling vty access is separate and requires the following commands:
Router(config)#line vty 0 3
Router(config-line)#exec-timeout 5 0
Router(config-line)#password password
Router(config-line)#login
Router(config-line)#transport input protocol
Typically, a router has 5 vty lines. The preceding four commands set up access in a very similar fashion to the console port. Replace protocol with your method of access, preferably SSH.
The following eight lines reserve the last vty port for a specific IP address. This is useful if someone is attempting to deny service to the login process on the router (which can be done without the password). You can use the access class settings referenced here for lines 0 to 3 as well. If you do, open the access control list (ACL) to allow a wider range of IP addresses to access (for instance, your entire management subnet).
Router(config)#line vty 4
Router(config-line)#exec-timeout 5 0
Router(config-line)#password password
Router(config-line)#login
Router(config-line)#transport input protocol
Router(config-line)#access-class 99 in
Router(config)#access-list 99 permit host adminIP
Router(config)#access-list 99 deny any log
Setting Up Usernames
If you don't have access to TACACS+ or RADIUS, local usernames can be configured on a system as follows:
Router(config)#username username password password
Router(config)#line vty 0 4
Router(config-line)#login local
The preceding commands set up a local username and password and then configure the vty lines to use a local database.
To configure TACACS+ access to a system, you must first enable the AAA system with the aaa new-model command (it appears near the top of Example 5-1).
You then must define the TACACS+ host and password:
Router(config)#tacacs-server host ipaddr
Router(config)#tacacs-server key password
After setting up the host, you must define the authentication methods. The following uses TACACS+ as the default authentication but also defines an authentication method no-tacacs, which can be used for the console port. Using AAA for the console port is not recommended because if the network is down, you won't be able to log on to the box.
Router(config)#aaa authentication login default group tacacs+
Router(config)#aaa authentication login no-tacacs line
The line parameters can then be modified based on which method you want to use to authenticate:
Router(config)#line vty 0 4
Router(config-line)#login authentication default
Router(config)#line con 0
Router(config-line)#login authentication no-tacacs
So far, these AAA commands have dealt only with authentication. Say, for example, you wanted to have a detailed log of every command typed on a router as well as when an administrator logged in or out. The following commands enable TACACS+ accounting for these events:
! Enable login and logout tracking for router administrators
Router(config)#aaa accounting exec default start-stop group tacacs+
! Enable command logging for exec level 1 commands (basic telnet)
Router(config)#aaa accounting commands 1 default start-stop group tacacs+
! Enable command logging for exec level 15 commands (enable mode)
Router(config)#aaa accounting commands 15 default start-stop group tacacs+
AAA can be very complicated. You have lots of options at your disposal. For more information about configuring AAA on Cisco devices, see the following site: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/index.htm.
Secure Shell (SSH)
Use SSH instead of Telnet whenever possible. To configure it, you must first define a hostname and a domain name and then generate keys:
Router(config)#hostname hostname
Router(config)#ip domain-name yourdomain.com
Router(config)#crypto key generate rsa
From here, you can refer to the transport input command in the "Line Access" section earlier in this chapter. To set up the vty lines to accept only SSH, enter the following command:
Router(config)#line vty 0 4
Router(config-line)#transport input ssh
There are a few other options with respect to SSH configuration. See the following URL if you'd like more information: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfssh.htm.
This section outlines basic settings for hardening management access including security settings for the HTTP server, Simple Network Management Protocol (SNMP), CDP, syslog, Network Time Protocol (NTP), and various ACL logging options.
If not in use, disable the HTTP server for router management with the following command:
Router(config)#no ip http server
The embedded web server in routers has had vulnerabilities in the past, so unless you have a specific need for the HTTP functionality (such as a specific management application), it is best to disable it. If you need access to the HTTP server, restrict it with the ip http access-class command as shown:
Router(config)#ip http access-class 10
Router(config)#access-list 10 permit host http-mgmnt-ip
Router(config)#access-list 10 deny any log
You should also require HTTP authentication with the following command:
Router(config)#ip http authentication ?
  enable  Use enable passwords
  local   Use local username and passwords
  tacacs  Use tacacs to authorize user
TACACS+ is preferred; otherwise, a local username and password can be used. Try to avoid using the enable password.
SNMP is widely used as a network management protocol. Unfortunately, it is UDP based (port 161) and, until version 3, had no real security options. Earlier versions of SNMP use a community string for authentication and it is sent in the clear with the rest of the SNMP datagram. Even though version 3 offers more security, most network management applications use SNMP version 1 or version 2c. If you don't plan to manage a device with SNMP, it is simple to disable:
If you must use SNMP v1 or v2c, consider using read-only as opposed to read-write. Much of the damage an attacker can cause with SNMP goes away if you remove the ability to write changes. In either case, the community string should be set and managed like the root password on any system (change it regularly and so on). Look to Chapter 16, "Secure Network Management and Network Security Management," for more information on management channel security. At the bare minimum, an ACL should be defined that allows only your SNMP devices to query the management agents on the network device, as follows:
Router(config)#snmp-server community password ro 98
Router(config)#snmp-server community password rw 98
Router(config)#access-list 98 permit host snmp-server-ip
Router(config)#access-list 98 deny any log
If you are using SNMP v3 or would like more information on the rest of the SNMP configuration, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_c/fcfprt3/fcf014.htm.
CDP is a proprietary Cisco protocol that provides a mechanism for Cisco devices to exchange information. It is described in more detail (including situations when you might or might not need to use it on an interface) in Chapter 6. The following two commands show how to globally disable CDP or, alternately, to disable it only on a specific interface:
Router(config)#no cdp run
Router(config-if)#no cdp enable
Using syslog on a router is one of the easiest ways to troubleshoot your network. Syslog servers are free (besides the hardware), and the messages generated by syslog are usually easy to understand. If you are using any kind of ACLs on a router, you need syslog; even if you are not, it is a very good idea. Enabling syslog is easy. Just enter one or more logging hosts and make sure timestamps are enabled:
Router(config)#service timestamps log datetime localtime msec show-timezone
Router(config)#logging syslog-ip-addr
Sometimes viewing messages locally on the router can be useful. Besides viewing messages as they are generated on the console, you can optionally have them buffered to router memory. You don't need a large buffer here since these are simple text messages; even 512 KB will save lots of messages. Be sure you don't use up a significant portion of your device memory, or you might affect packet forwarding. (That is, if you have 8 MB of memory on your router, don't set the buffer size to 6 MB.) Enter the following command to enable this functionality:
Router(config)#logging buffered buffersize
You can use the logging trap command to set the level of logging information you will receive; there is no hard-and-fast rule for where to set this except to say that the highest level of logging is almost always too much information and the lowest level doesn't provide enough information. Try a few different levels on your own device to determine the amount of information that makes sense in your environment. Syslog has a number of additional options. For more information, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_c/fcfprt3/fcf013.htm#1001168.
Without proper timestamps, router syslog messages are nearly useless in troubleshooting. Your networking devices can be synchronized to the same clock with NTP. Configuring NTP on a router is a simple matter of locally configuring the time zone and then pointing the router to the NTP server. In the following example, NTP authentication is enabled, and an ACL restricting NTP access to the configured NTP server is applied:
Router(config)#clock timezone PST -8
Router(config)#clock summer-time PDT recurring
Router(config)#ntp authenticate
Router(config)#ntp authentication-key 1 md5 password
Router(config)#ntp trusted-key 1
Router(config)#ntp access-group peer 96
Router(config)#ntp server ntp-svr-ip key 1
Router(config)#access-list 96 permit host ntp-svr-ip
Router(config)#access-list 96 deny any log
Although there are several free NTP services on the Internet, it is not advisable to use them for security reasons. If your time source is corrupted, your log data is useless. Consider, instead, setting up a local time source that connects to a reliable, known atomic clock to maintain accurate time. NTP can be disabled on interfaces that do not expect to receive valid NTP information with the ntp disable interface command (interface FastEthernet0/1 in Example 5-1 shows it applied).
More information on NTP is available at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_c/fcfprt3/fcf012.htm#1001170.
By default, the last line in an ACL is an implicit deny all. Matches to this list are not logged, however. If you want to enable logging, a manual entry should be added to the ACL denying all traffic and informing the ACL to log the violation. It is possible to log permits as well, but this tends just to fill up a syslog server. To drop all traffic and log violations in a standard IP ACL, use the following command:
Router(config)#access-list 1 deny any log
For an extended IP ACL, use this command:
Router(config)#access-list 101 deny ip any any log
In addition to the basic log keyword, log-input is usually available for extended ACLs. log-input adds the source interface and Media Access Control (MAC) address to the usual IP address and port number message associated with the ACL entry.
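As an added example, not from the book, the following Python script parses syslog lines of the kind these log and log-input entries produce and totals denied packets per ACL and source, so a syslog server full of ACL messages can be reduced to something readable. The sample lines are constructed in the shape of IOS %SEC-6-IPACCESSLOG* messages, not output captured from the lab router.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape of IOS %SEC-6-IPACCESSLOG* messages
# (not captured from the book's lab router). The last line comes from an ACL entry
# using log-input, which adds the ingress interface and source MAC in parentheses.
SAMPLE_LOG = """\
Mar  1 10:02:11.120 PST: %SEC-6-IPACCESSLOGS: list 99 denied 172.19.93.201 1 packet
Mar  1 10:02:13.004 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.19.93.201(40112) -> 172.19.93.135(23), 1 packet
Mar  1 10:02:14.771 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.19.93.201(40113) -> 172.19.93.135(22), 1 packet
Mar  1 10:03:40.310 PST: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 172.19.93.131(51000) -> 172.19.93.135(22), 1 packet
Mar  1 10:04:02.555 PST: %SEC-6-IPACCESSLOGP: list 101 denied udp 172.19.93.77(5353) (FastEthernet0/0 0001.0203.0405) -> 172.19.93.135(161), 3 packets
"""

# One pattern covers the standard (LOGS), port-bearing (LOGP) and ICMP (LOGDP)
# variants; the interface/MAC group only matches when the entry used log-input.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[A-Z]+): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?:(?P<proto>[a-z]+) )?(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))?"
    r"(?: -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?)?"
    r"(?: \(\d+/\d+\))?,? (?P<count>\d+) packets?")


def parse_acl_log(text):
    """Yield one dict per ACL log message; other syslog lines are skipped."""
    for line in text.splitlines():
        m = ACL_LOG.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            yield rec


def summarize_denies(text, threshold=2):
    """Sum denied packets per (ACL, source) and flag sources at or above threshold.
    Returns (totals, flagged); a flagged row carries interface/MAC when log-input gave it."""
    totals, where_seen = Counter(), {}
    for rec in parse_acl_log(text):
        if rec["action"] != "denied":
            continue  # permits can be logged too, but they mostly add noise
        key = (rec["acl"], rec["src"])
        totals[key] += rec["count"]
        if rec["iface"]:
            where_seen[key] = f"{rec['iface']} {rec['mac']}"
    flagged = [(acl, src, n, where_seen.get((acl, src), "no log-input data"))
               for (acl, src), n in totals.items() if n >= threshold]
    return dict(totals), flagged


if __name__ == "__main__":
    for acl, src, n, where in summarize_denies(SAMPLE_LOG)[1]:
        print(f"list {acl}: {src} denied {n} packet(s) via {where}")
```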
Other Hardening Options
In addition to the configuration discussed in this section, Chapter 6 contains a fair amount of information on router and switch hardening, including:
After hardening a router, it is a good idea to scan it with your favorite port scanner. This ensures that you aren't running any services you thought you turned off. For instance, when testing in my lab for this book, I realized I accidentally left the HTTP server running!
Example 5-1 is a dump of the router configuration used in testing the configurations in this section. Remember that commands that are defaults will not show up in the configuration.
Example 5-1. Hardened Router Example
version 12.2
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname broken
!
logging buffered 512000 debugging
enable secret 5 $1$ec0k$PW/.SXz8klYAqNBaFJ6.Q0
!
clock timezone PST -8
clock summer-time PDT recurring
aaa new-model
!
aaa authentication login default group tacacs+
aaa authentication login no-tacacs line
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
ip subnet-zero
no ip source-route
!
no ip domain lookup
ip domain name halo05.com
!
no ip bootp server
!
interface FastEthernet0/0
 ip address 172.19.93.135 255.255.255.240
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 ip address 172.19.93.241 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ntp disable
!
ip classless
no ip http server
!
logging 172.19.93.140
access-list 96 permit 172.19.93.131
access-list 96 deny any log
access-list 99 permit 172.19.93.131
access-list 99 deny any log
no cdp run
!
tacacs-server host 172.19.93.130 single-connection
tacacs-server directed-request
tacacs-server key 4n7xe0n!x#
!
banner motd ^C
Unauthorized Use Prohibited
^C
!
line con 0
 exec-timeout 5 0
 password 7 094D410B1622233358
 login authentication no-tacacs
line aux 0
 no exec
line vty 0 3
 exec-timeout 5 0
 password 7 070E2E4D412D2E2444
 transport input ssh
line vty 4
 access-class 99 in
 exec-timeout 5 0
 password 7 0822455E0A16
 transport input ssh
!
ntp authentication-key 1 md5 13151601181B0B382F 7
ntp authenticate
ntp trusted-key 1
ntp access-group peer 96
ntp server 172.19.93.131 key 1
!
end
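An added example, not from the book or from Cisco: a small Python audit that parses a running-config dump laid out like Example 5-1 and reports which of the settings covered in this section are missing, which is a quick complement to the port scan suggested above. The config excerpt embedded in it is constructed and deliberately incomplete so that the audit has something to report.

```python
import re

# Constructed running-config excerpt modelled on Example 5-1 (not the book's full
# dump); a few hardening commands are deliberately absent so the audit has findings.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$ec0k$PW/.SXz8klYAqNBaFJ6.Q0
no ip source-route
no ip bootp server
!
interface FastEthernet0/0
 ip address 172.19.93.135 255.255.255.240
 no ip redirects
access-list 96 permit 172.19.93.131
access-list 96 deny any log
access-list 99 permit 172.19.93.131
line aux 0
 no exec
line vty 0 3
 exec-timeout 5 0
 transport input telnet ssh
line vty 4
 access-class 99 in
 exec-timeout 5 0
 transport input ssh
"""

# Global commands this section says nearly every router should carry
GLOBAL_REQUIRED = ("service password-encryption", "no ip source-route",
                   "no ip bootp server", "no ip http server", "no cdp run")


def parse_config(text):
    """Split a config into (global commands, {stanza header: [sub-commands]}).
    IOS indents interface/line stanza members by one space; '!' ends a stanza."""
    global_cmds, stanzas, current = [], {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line or line == "!":
            current = None
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line
            stanzas[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, stanzas


def audit(text):
    """Return the hardening settings from this section that the config lacks."""
    global_cmds, stanzas = parse_config(text)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED
                if c not in global_cmds]
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append("global: enable secret not configured")
    acls = {}  # ACL number -> entries; each list should end with a logged deny
    for c in global_cmds:
        m = re.match(r"access-list (\d+)\s+(.*)", c)
        if m:
            acls.setdefault(m.group(1), []).append(" ".join(m.group(2).split()))
    findings += [f"access-list {n}: does not end with 'deny any log'"
                 for n, entries in acls.items() if entries[-1] != "deny any log"]
    for hdr, body in stanzas.items():
        if hdr.startswith("interface "):
            findings += [f"{hdr}: missing '{c}'" for c in
                         ("no ip redirects", "no ip proxy-arp") if c not in body]
        elif hdr.startswith("line aux") and "no exec" not in body:
            findings.append(f"{hdr}: exec still enabled")
        elif hdr.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{hdr}: transport input is not SSH-only")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```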
Cisco IOS 12.3 added a new feature called AutoSecure to simplify the process of locking down a Cisco router. For more information, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123_1/ftatosec.htm.
The types of hardening tasks you do for a switch are very similar to those for a router. Most of the options from the router-hardening steps are presented in Example 5-2 in summary for a Cisco CatOS device (a Cat 6K in this example). A large amount of L2 security precautions can be considered switch-hardening tasks. (They are discussed in Chapter 6.)
Example 5-2. Hardened Switch Config Minus L2 Security Precautions
! Turn on NTP
set timezone PST -8
set summertime PDT
set summertime recurring
set ntp authentication enable
set ntp key 1 trusted md5 password
set ntp server ntp-svr-ip key 1
set ntp client enable
! Turn off un-needed services
set cdp disable
set ip http server disable
! Turn on logging and snmp
set logging server syslog-ip-addr
set logging timestamp enable
set logging server enable
! You can control the types of messages logged with the "set logging server
! severity" command
! Enable SNMP read only. To disable completely "set snmp disable"
set snmp community read-only password
set ip permit enable snmp
set ip permit snmp-ip-addr snmp
! Turn on AAA
set tacacs server tacacs-ip-addr primary
set tacacs key password
set authentication login tacacs enable telnet
set authentication login local disable telnet
set accounting exec enable start-stop tacacs+
set accounting commands enable all start-stop tacacs+
! Set passwords and access restrictions
set banner motd ^
Insert your warning banner here
^
! Console password is set by 'set password'
! Enter old password followed by new password
!
! Enable password is set by 'set enable'
! Enter old password followed by new password
!
set logout 5
set ip permit enable telnet
set ip permit telnet-ip-addr 255.255.255.255 telnet
!
!Setup SSH
!set crypto key rsa 1024
!set ip permit enable ssh
!set ip permit ssh-client-ips netmask ssh
Firewalls usually have a default posture that is more secure than a router or switch. They also generally have less functionality. This section describes common tasks used in appliance firewall hardening using the Cisco PIX as an example. Several functions, such as NTP and SNMP configuration, are virtually identical to Cisco IOS configuration and are not included here; refer to your firewall documentation for more details.
To restrict Telnet access to the Cisco PIX, type the following command:
pixfirewall(config)# telnet ip-addr mask interface
For example, you might enter the following:
pixfirewall(config)# telnet 192.0.2.55 255.255.255.255 inside
The password must also be set:
pixfirewall(config)# passwd password
To authenticate users by TACACS+, enter the following commands:
pixfirewall(config)# aaa-server telnet-group protocol tacacs+
pixfirewall(config)# aaa-server telnet-group (inside) host tacacs-ip-addr password
The telnet-group is an arbitrary name assigned by the administrator.
After the protocol type and server IP are defined in the previous two commands, you must map the Telnet process to use the defined group, as follows:
pixfirewall(config)# aaa authentication telnet console telnet-group
To set the enable password, enter the following command:
pixfirewall(config)# enable password password
Setting up SSH on a PIX is very similar to setting up SSH on a router, as shown in Example 5-3.
Example 5-3. Configuring SSH on a PIX Firewall
!Define the hostname and domain name just like on a router
hostname nsa-pix
domain-name yourdomain.com
!Generate key
ca generate rsa key 1024
!Save the key (this may take a moment)
ca save all
!enable SSH connections on the inside interface
ssh 192.0.2.0 255.255.255.0 inside
!AAA can be set up in the same way as Telnet AAA on a router
!just define a new group and enter the same commands:
aaa-server ssh-group protocol tacacs+
aaa-server ssh-group (inside) host tacacs-ip-addr password
aaa authentication ssh console ssh-group
!If you are planning to have both telnet and ssh enabled then you could use the
!Same TACACS+ config by specifying the same aaa-server group for both aaa
!authentication commands.
Setting up logging on a PIX is fairly simple. You start by turning logging on and defining the server IP by using the following commands:
pixfirewall(config)# logging on
pixfirewall(config)# logging host inside syslog-ip-addr
You then should define the logging level. Setting the logging level to the debugging level will give you more alarms than you probably want. Set it to "error" to start with (level 3 of 7) and then change it as needed. The facility should also be defined. This almost always should be 20 to communicate with most syslog servers. Logging facility is a syslog-specific setting with origins in the original UNIX syslog implementation.
pixfirewall(config)# logging trap error
To view a list of PIX log messages, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/.