Routine Security Measures

Now that we examined how we can protect enable mode, it's time to look at securing the rest of the router. If the router is directly connected to the Internet, there are many, many security items we need to review. If the router is connected to a neighbor's networkbut not fully trustedthere are still quite a few security items to consider. In this section, we'll review features that should be disabled or enabled for security reasons.

15.2.1. Features to Disable

A gateway router is the most vulnerable to attacks, especially if it sits outside your firewall. Table 15-1 lists a number of services that should be disabled to heighten security. The Level column shows whether the command is part of the global configuration or needs to be applied to specific interfaces.

Table 15-1. Features to disable on the router for heightened security

Command	Level	Resulting action
no cdp enable	Interface	Disables CDP at the interface level. You don't want untrusted networks to learn any extra information about your router. CDP is very helpful, so disable it only on interfaces that are connected to untrusted networks.
no ip proxy-arp	Interface	Ignores incoming ARP requests for hosts within the network.
no ip directed-broadcast	Interface	Disables translations of directed broadcasts to physical broadcasts.
no ip unreachables	Interface	Disables ICMP unreachable messages on an interface.
no ip redirects	Interface	Disables redirect messages. A redirect message is generated to another device when a datagram is sent out over the same interface through which it was received. The redirect message tells the sending host that it should have been able to get to the destination without going through the router. Redirects have played a role in a number of attacks, so it's safest to disable them.
no ip source-route	Global	Causes the router to discard any packet with source-route information. Presumably, we don't want hosts telling our router how to route the traffic.
no service finger	Global	Disables the finger daemon on the router. Finger has always been a problem source; it lets attackers know who is logged in and provides the user's real username. Now all they need is a password!
no service udp-small-servers no service tcp-small-servers	Global	Disables all small UDP and TCP services on your router (echo, chargen, and some others). These are services that outsiders shouldn't see anyway.

 

15.2.2. Features to Enable

As we said before, a gateway routerone that connects to the Internet or one that connects to another untrusted networkneeds more security than an internal router. In the previous section, we looked at features to disable in order to increase security.

Table 15-2 lists the features you might want to enable on your router.

Table 15-2. Features to enable on the router for heightened security

Command	Level	Resulting action
exec-timeout	Line	Kills idle VTY sessions. Default is 10 minutes.
ip http authentication ip http access-class	Global	If you are using the http configuration on the router, you should protect it with authentication and an access list that restricts which machines can access the HTTP server. Or even easier, you can just shut down the http configuration altogether with the no ip http command.
ip verify unicast reverse-path	Interface	Verifies that a packet's return path is the same as the interface it arrived on. This attempts to stop IP address spoofing. However, be careful; this might cause problems in networks with asymmetric paths. (Requires CEF; see Chapter 17 for more details.)
ip route 0.0.0.0 0.0.0.0 null 0 255	Global	A static route that quickly throws away packets with invalid destinations.
scheduler-interval scheduler allocate	Global	Allows time for important router processes during time of floods.
service password-encryption	Global	Provides some password protection.
service tcp-keepalives-in	Global	Attempts to kill orphaned or inactive sessions to the router.
snmp-server community	Global	For years, people have been using "public" and "private" as their SNMPv1 passwords. Set both the read and write password to something unique. Or better yet, use SNMPv3.
spanning-port portfast	Switch Interfaces	If you know a switch port is always going to be connected to an end-user device, you can configure this command, which keeps the port from going through spanning tree. Although this isn't technically a security command, it does provide a degree of switch security by keeping users from starting an STP cycle.
transport input	Line	Controls which protocols can be used to connect to VTY or TTY ports. (Use SSH, as described later in this chapter.)

 

15.2.2.1. Deny local IP addresses coming from outside

If we get a packet from outside our network that bears a local IP address (see RFC 1918), we know that, at best, it's invalid and, at worst, it's forged. Either way we should drop such packets. A simple access list will throw these away:

 ! See warning about this list in the next paragraph
 access-list 110 deny ip 172.16.0.0 0.15.255.255 any
 access-list 110 deny ip 192.168.0.0 0.0.255.255 any
 access-list 110 deny ip 10.0.0.0 0.255.255.255 any
 access-list 110 permit ip any any
 !
 interface serial 1
 Ip access-group 100 in

This access list is just an example of denying the local IP addresses. As a security example, however, this access list is extremely deficient because it allows all traffic into our network. For a real example of providing a decent access list on your edge router, see "Building a Gateway Router" in Chapter 7.

15.2.2.2. Use a warning banner

To properly secure a machine, you need to supply a warning banner. The banner doesn't actually do anything to protect the router, but it does warn people who are connecting to the router that unauthorized access is taken seriously. That way, they can't use the excuse that they didn't know. It's a good idea to ask for legal help in crafting an appropriate message.

The following commands create a warning banner:

 ! Apply a warning banner.
 ! Seek legal advice to craft a banner to properly protect your network
 banner login ^C
 #### WARNING ####
 Authorized Access ONLY!
 All connections are logged and monitored. Any unauthorized
 use will be prosecuted to the fullest extent of the law. If
 you do not agree to these conditions, disconnect now.
 ^C

 

15.2.3. AutoSecure: Letting the Router Do the Work

With the release of IOS 12.3, Cisco has provided a command that essentially locks down your router with a simple command. When you run the auto secure command, the router asks a series of questions and then modifies the configuration as it sees fit, applying as many security enhancements as it can.

 Router#auto secure
 --- AutoSecure Configuration ---

 *** AutoSecure configuration enhances the security of
 the router but it will not make router absolutely secure
 from all security attacks ***

 All the configuration done as part of AutoSecure will be
 shown here. For more details of why and how this configuration
 is useful, and any possible side effects, please refer to Cisco
 documentation of AutoSecure.
 At any prompt you may enter '?' for help.
 Use ctrl-c to abort this session at any prompt.

 Gathering information about the router for AutoSecure

 Is this router connected to internet? [no]: yes
 Enter the number of interfaces facing internet [1]: 1
 Interface IP-Address OK? Method Status
 Protocol
 Ethernet0/0 192.168.0.100 YES NVRAM up
 up
 Loopback0 192.168.1.1 YES NVRAM up
 up
 Enter the interface name that is facing internet: ethernet0/0

 Securing Management plane services..
 Disabling service finger
 Disabling service pad
 Disabling udp & tcp small servers
 Enabling service password encryption
 Enabling service tcp-keepalives-in
 Enabling service tcp-keepalives-out
 Disabling the cdp protocol
 Disabling the bootp server
 Disabling the http server
 Disabling the finger service
 Disabling source routing
 Disabling gratuitous arp
 Enter the new enable password:
 Confirm the enable password:
 Configuring aaa local authentication
 Configuring console, Aux and vty lines for
 local authentication, exec-timeout, transport
 Securing device against Login Attacks
 ...

This sample is only a small portion of the command's output. To review the output later, use the command show auto secure config, which displays all the configuration changes that AutoSecure made on the router. For a production router, I don't recommend running this command. But if you have a new router, you might want to use AutoSecure as a starting place for your new configuration. In this way, you know you'll be starting out with the most secure router configuration possible.

To see the entire list of what AutoSecure will configure on your router, see Cisco's AutoSecure web page at http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/ products_feature_guide09186a008017d101.html#wp1027184.