Using AutoSecure

Problem

You want to secure your router without having to read the whole book.

Solution

To automatically secure the router, use the following command:

Router2#auto secure
 --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]:
 

 

Discussion

Beginning with IOS Version 12.3(1), Cisco introduced the autosecure feature to quickly harden router configuration files in an automated fashion. Essentially, autosecure disables common router features that might pose a security while enabling other IOS features that will assist to harden the router. Once you enter the autosecure command, the router will lead you through a series of questions so it can best determine how to secure the router for your environment.

The autosecure feature is excellent for users that have limited knowledge of all the Cisco security features or for environments that don't have a well-defined security policy. Be sure to review carefully which services are enabled or disabled to fully understand the consequences. Once you've executed the autosecure script, you can view what changes were made to the configuration by issuing the show auto secure config command:

Router2#show auto secure config 
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no snmp-server community public
no snmp-server community private
banner ^C Test ^C
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 00071A1507545B54
aaa new-model
aaa authentication login local_auth local
line con 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 6
 login authentication local_auth
 transport input telnet
login block-for 5 attempts 5 within 6

crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 6
 transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
interface Serial0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
ip cef
Router2#

In this example, you can see that autosecure disabled such services as CDP, finger, SNMP, HTTP server, etc. In some environments, disabling CDP can break certain network management platforms, as can disabling inbound SNMP, so be careful when using this feature to ensure that you don't inadvertently affect your network.

Although autosecure is not the magic bullet of hardening Cisco routers, it certainly does a good job of securing the router compared to using the default configuration settings. If faced with a decision of having no security features enabled or using the autosecure feature, then we recommend using the autosecure feature.

In addition to the default behavior, you can also use a number of keywords to modify the autosecure script. See Table 27-1 for more information.

Table 27-1. Autosecure optional keywords

Keyword Description
management Only secure the management plane (e.g., SNMP, logging, etc.).
forwarding Only secure the forwarding plane (e.g., CEF, CBAC, TCP intercept, etc.).
no-interactive Don't prompt for interactive configurations.
Full User will be prompted for all interactive configurations (default).
Ntp Specifies to configure NTP service in the autosecure script.
Login Specifies to configure the login feature in the autosecure script.
Ssh Specifies to enable SSH in the autosecure script.
Firewall Specifies to enable the Firewall feature in the autosecure script.
tcp-intercept Specifies to enable TCP Intercept in the autosecure script.


Router Configuration and File Management

Router Management

User Access and Privilege Levels

TACACS+

IP Routing

RIP

EIGRP

OSPF

BGP

Frame Relay

Handling Queuing and Congestion

Tunnels and VPNs

Dial Backup

NTP and Time

DLSw

Router Interfaces and Media

Simple Network Management Protocol

Logging

Access-Lists

DHCP

NAT

First Hop Redundancy Protocols

IP Multicast

IP Mobility

IPv6

MPLS

Security

Appendix 1. External Software Packages

Appendix 2. IP Precedence, TOS, and DSCP Classifications

Index



Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net