Appendix B: Lab Router Interactive Cisco Auto Secure Configuration Example

Note that the available auto secure options may differ slightly from those shown here depending on the IOS version you use, since Cisco engineers add new security features over time.

c2600#auto secure ?
  forwarding    Secure Forwarding Plane
  management    Secure Management Plane
  no-interact   Non-interactive session of AutoSecure
  <cr>

c2600#auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router but it will not make router absolutely secure
from all security attacks ***

All the configuration done as part of AutoSecure will be
shown here. For more details of why and how this configuration
is useful, and any possible side effects, please refer to Cisco
documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

If this device is being managed by a network management station,
AutoSecure configuration may block network management traffic.

Continue with AutoSecure? [no]: yes

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: yes
Enter the number of interfaces facing internet [1]:

Interface      IP-Address       OK?    Method    Status    Protocol
Ethernet0/0    192.168.66.202   YES    NVRAM     up        up
Serial0/0      192.168.30.202   YES    NVRAM     up        up
Ethernet0/1    192.168.40.202   YES    NVRAM     up        up
Serial0/1      unassigned       YES    NVRAM  administratively down down
Loopback0      192.168.254.254  YES    NVRAM     up        up
Enter the interface name that is facing internet: Ethernet0/1

Securing Management plane services..

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Is SNMP used to manage the router? [yes/no]: yes
Deleting the commonly used community public for security
Deleting the commonly used community private for security
SNMPv1 & SNMPv2c are unsecure, try to use SNMPv3

Configure NTP Authentication? [yes]: yes
Enter the trust-key number [1]:
Enter the authentication key: secretkey
Enter the ACL for all NTP services [1]:

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
  This system is the property of So-&-So-Enterprise.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged and violations of this policy result
  in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:
kUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged and violations of this policy result
  in disciplinary action.k

Enable password is not configured or its length
is less than minimum no. of characters configured
Enter the new enable password:<no prompt of the entered password shown>
Confirm the enable password:<no prompt of the entered password shown>
Configuring aaa local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport
Configure SSH server? [yes]: yes

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
  no ip redirects
  no ip proxy-arp
  no ip unreachables
  no ip directed-broadcast
  no ip mask-reply

Securing Forwarding plane services..

Enabling CEF (it might have more memory requirements on some low end platforms)
Configuring the named acls for Ingress filtering

autosec_iana_reserved_block: This block may be subject to
change by iana and for updated list visit
www.iana.org/assignments/ipv4-address-space.
1/8, 2/8, 5/8, 7/8, 23/8, 27/8, 31/8, 36/8, 37/8, 39/8,
41/8, 42/8, 49/8, 50/8, 58/8, 59/8, 60/8, 70/8, 71/8,
72/8, 73/8, 74/8, 75/8, 76/8, 77/8, 78/8, 79/8, 83/8,
84/8, 85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8,
94/8, 95/8, 96/8, 97/8, 98/8, 99/8, 100/8, 101/8, 102/8,
103/8, 104/8, 105/8, 106/8, 107/8, 108/8, 109/8, 110/8,
111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8,
119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8,
197/8, 201/8

autosec_private_block:
10/8, 172.16/12, 192.168/16

autosec_complete_block: This is union of above two and
the addresses of source multicast, class E addresses
and addresses that are prohibited for use as source.
source multicast (224/4), class E(240/4), 0/8, 169.254/16,
192.0.2/24, 127/8.

Configuring Ingress filtering replaces the existing
acl on external interfaces, if any, with ingress
filtering acl.

Configure Ingress filtering on edge interfaces? [yes]: yes
[1] Apply autosec_iana_reserved_block acl on all edge interfaces
[2] Apply autosec_private_block acl on all edge interfaces
[3] Apply autosec_complete_bogon acl on all edge interfaces
Enter your selection [3]: 3
Enabling unicast rpf on all interfaces connected to internet

Configure CBAC Firewall feature? [yes/no]: yes

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no snmp-server community public
no snmp-server community private
ntp trusted-key 1
ntp authentication-key 1 md5 secretkey
ntp authenticate
ntp server 192.168.XXX.XXX key 1 prefer
ntp access-group peer 1
banner kUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged and violations of this policy result
  in disciplinary action.k
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
aaa new-model
aaa authentication login local_auth local
line console 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
int Ethernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int Serial0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int Ethernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int Serial0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
ip cef
ip access-list extended autosec_iana_reserved_block
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 2.0.0.0 0.255.255.255 any
 deny ip 5.0.0.0 0.255.255.255 any
 deny ip 7.0.0.0 0.255.255.255 any
 deny ip 23.0.0.0 0.255.255.255 any
 deny ip 27.0.0.0 0.255.255.255 any
 deny ip 31.0.0.0 0.255.255.255 any
 deny ip 36.0.0.0 0.255.255.255 any
 deny ip 37.0.0.0 0.255.255.255 any
 deny ip 39.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 42.0.0.0 0.255.255.255 any
 deny ip 49.0.0.0 0.255.255.255 any
 deny ip 50.0.0.0 0.255.255.255 any
 deny ip 58.0.0.0 0.255.255.255 any
 deny ip 59.0.0.0 0.255.255.255 any
 deny ip 60.0.0.0 0.255.255.255 any
 deny ip 70.0.0.0 0.255.255.255 any
 deny ip 71.0.0.0 0.255.255.255 any
 deny ip 72.0.0.0 0.255.255.255 any
 deny ip 73.0.0.0 0.255.255.255 any
 deny ip 74.0.0.0 0.255.255.255 any
 deny ip 75.0.0.0 0.255.255.255 any
 deny ip 76.0.0.0 0.255.255.255 any
 deny ip 77.0.0.0 0.255.255.255 any
 deny ip 78.0.0.0 0.255.255.255 any
 deny ip 79.0.0.0 0.255.255.255 any
 deny ip 83.0.0.0 0.255.255.255 any
 deny ip 84.0.0.0 0.255.255.255 any
 deny ip 85.0.0.0 0.255.255.255 any
 deny ip 86.0.0.0 0.255.255.255 any
 deny ip 87.0.0.0 0.255.255.255 any
 deny ip 88.0.0.0 0.255.255.255 any
 deny ip 89.0.0.0 0.255.255.255 any
 deny ip 90.0.0.0 0.255.255.255 any
 deny ip 91.0.0.0 0.255.255.255 any
 deny ip 92.0.0.0 0.255.255.255 any
 deny ip 93.0.0.0 0.255.255.255 any
 deny ip 94.0.0.0 0.255.255.255 any
 deny ip 95.0.0.0 0.255.255.255 any
 deny ip 96.0.0.0 0.255.255.255 any
 deny ip 97.0.0.0 0.255.255.255 any
 deny ip 98.0.0.0 0.255.255.255 any
 deny ip 99.0.0.0 0.255.255.255 any
 deny ip 100.0.0.0 0.255.255.255 any
 deny ip 101.0.0.0 0.255.255.255 any
 deny ip 102.0.0.0 0.255.255.255 any
 deny ip 103.0.0.0 0.255.255.255 any
 deny ip 104.0.0.0 0.255.255.255 any
 deny ip 105.0.0.0 0.255.255.255 any
 deny ip 106.0.0.0 0.255.255.255 any
 deny ip 107.0.0.0 0.255.255.255 any
 deny ip 108.0.0.0 0.255.255.255 any
 deny ip 109.0.0.0 0.255.255.255 any
 deny ip 110.0.0.0 0.255.255.255 any
 deny ip 111.0.0.0 0.255.255.255 any
 deny ip 112.0.0.0 0.255.255.255 any
 deny ip 113.0.0.0 0.255.255.255 any
 deny ip 114.0.0.0 0.255.255.255 any
 deny ip 115.0.0.0 0.255.255.255 any
 deny ip 116.0.0.0 0.255.255.255 any
 deny ip 117.0.0.0 0.255.255.255 any
 deny ip 118.0.0.0 0.255.255.255 any
 deny ip 119.0.0.0 0.255.255.255 any
 deny ip 120.0.0.0 0.255.255.255 any
 deny ip 121.0.0.0 0.255.255.255 any
 deny ip 122.0.0.0 0.255.255.255 any
 deny ip 123.0.0.0 0.255.255.255 any
 deny ip 124.0.0.0 0.255.255.255 any
 deny ip 125.0.0.0 0.255.255.255 any
 deny ip 126.0.0.0 0.255.255.255 any
 deny ip 197.0.0.0 0.255.255.255 any
 deny ip 201.0.0.0 0.255.255.255 any
 permit ip any any
 remark This acl might not be up to date. Visit
 www.iana.org/assignments/ipv4-address-space for update list
exit
ip access-list extended autosec_private_block
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
exit
ip access-list extended autosec_complete_bogon
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 2.0.0.0 0.255.255.255 any
 deny ip 5.0.0.0 0.255.255.255 any
 deny ip 7.0.0.0 0.255.255.255 any
 deny ip 23.0.0.0 0.255.255.255 any
 deny ip 27.0.0.0 0.255.255.255 any
 deny ip 31.0.0.0 0.255.255.255 any
 deny ip 36.0.0.0 0.255.255.255 any
 deny ip 37.0.0.0 0.255.255.255 any
 deny ip 39.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 42.0.0.0 0.255.255.255 any
 deny ip 49.0.0.0 0.255.255.255 any
 deny ip 50.0.0.0 0.255.255.255 any
 deny ip 58.0.0.0 0.255.255.255 any
 deny ip 59.0.0.0 0.255.255.255 any
 deny ip 60.0.0.0 0.255.255.255 any
 deny ip 70.0.0.0 0.255.255.255 any
 deny ip 71.0.0.0 0.255.255.255 any
 deny ip 72.0.0.0 0.255.255.255 any
 deny ip 73.0.0.0 0.255.255.255 any
 deny ip 74.0.0.0 0.255.255.255 any
 deny ip 75.0.0.0 0.255.255.255 any
 deny ip 76.0.0.0 0.255.255.255 any
 deny ip 77.0.0.0 0.255.255.255 any
 deny ip 78.0.0.0 0.255.255.255 any
 deny ip 79.0.0.0 0.255.255.255 any
 deny ip 83.0.0.0 0.255.255.255 any
 deny ip 84.0.0.0 0.255.255.255 any
 deny ip 85.0.0.0 0.255.255.255 any
 deny ip 86.0.0.0 0.255.255.255 any
 deny ip 87.0.0.0 0.255.255.255 any
 deny ip 88.0.0.0 0.255.255.255 any
 deny ip 89.0.0.0 0.255.255.255 any
 deny ip 90.0.0.0 0.255.255.255 any
 deny ip 91.0.0.0 0.255.255.255 any
 deny ip 92.0.0.0 0.255.255.255 any
 deny ip 93.0.0.0 0.255.255.255 any
 deny ip 94.0.0.0 0.255.255.255 any
 deny ip 95.0.0.0 0.255.255.255 any
 deny ip 96.0.0.0 0.255.255.255 any
 deny ip 97.0.0.0 0.255.255.255 any
 deny ip 98.0.0.0 0.255.255.255 any
 deny ip 99.0.0.0 0.255.255.255 any
 deny ip 100.0.0.0 0.255.255.255 any
 deny ip 101.0.0.0 0.255.255.255 any
 deny ip 102.0.0.0 0.255.255.255 any
 deny ip 103.0.0.0 0.255.255.255 any
 deny ip 104.0.0.0 0.255.255.255 any
 deny ip 105.0.0.0 0.255.255.255 any
 deny ip 106.0.0.0 0.255.255.255 any
 deny ip 107.0.0.0 0.255.255.255 any
 deny ip 108.0.0.0 0.255.255.255 any
 deny ip 109.0.0.0 0.255.255.255 any
 deny ip 110.0.0.0 0.255.255.255 any
 deny ip 111.0.0.0 0.255.255.255 any
 deny ip 112.0.0.0 0.255.255.255 any
 deny ip 113.0.0.0 0.255.255.255 any
 deny ip 114.0.0.0 0.255.255.255 any
 deny ip 115.0.0.0 0.255.255.255 any
 deny ip 116.0.0.0 0.255.255.255 any
 deny ip 117.0.0.0 0.255.255.255 any
 deny ip 118.0.0.0 0.255.255.255 any
 deny ip 119.0.0.0 0.255.255.255 any
 deny ip 120.0.0.0 0.255.255.255 any
 deny ip 121.0.0.0 0.255.255.255 any
 deny ip 122.0.0.0 0.255.255.255 any
 deny ip 123.0.0.0 0.255.255.255 any
 deny ip 124.0.0.0 0.255.255.255 any
 deny ip 125.0.0.0 0.255.255.255 any
 deny ip 126.0.0.0 0.255.255.255 any
 deny ip 197.0.0.0 0.255.255.255 any
 deny ip 201.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
 remark This acl might not be up to date. Visit
 www.iana.org/assignments/ipv4-address-space for update list
exit
interface Ethernet0/1
 ip access-group autosec_complete_bogon in
exit
ip access-list extended 100
 permit udp any any eq bootpc
interface Ethernet0/1
 ip verify unicast source reachable-via rx allow-default 100
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
interface Ethernet0/1
 ip inspect autosec_inspect out
!
end

Apply this configuration to running-config? [yes]:yes
Applying the config generated to running-config
The name for the keys will be:c2600.testing.arhont.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys ...[OK]

c2600#
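The configuration AutoSecure generated above still accepts Telnet on the vty lines ("transport input ssh telnet"), stores the enable password with reversible type 7 encryption, leaves the vty lines without an exec-timeout and creates a 1024-bit RSA host key. The following audit script is an added example written for this appendix (not from the book, Cisco or IOS); it parses IOS-style config text and reports those residual weaknesses, using a constructed excerpt of the generated configuration as input.

```python
import re

# Constructed excerpt of the configuration AutoSecure generated above.
SAMPLE_CONFIG = """\
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
aaa new-model
line console 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input ssh telnet
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
"""

def parse_sections(config):
    """Split IOS config text into top-level lines and per-section bodies.
    Indented lines belong to the preceding unindented header (e.g. 'line vty 0 4');
    a header that appears twice is merged into one section."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
            top.append(current)
    return top, sections

def audit(config):
    """Return a list of findings; an empty list means no residual weakness found."""
    top, sections = parse_sections(config)
    findings = []
    # 'enable password' is stored as type 0 or type 7, both recoverable.
    if any(re.match(r"enable password\s", ln) for ln in top) and not any(
            ln.startswith("enable secret") for ln in top):
        findings.append("enable password is recoverable (type 0/7); use 'enable secret'")
    for hdr, body in sections.items():
        if not hdr.startswith("line vty"):
            continue
        for ln in body:
            if ln.startswith("transport input") and "telnet" in ln.split():
                findings.append(f"{hdr}: Telnet still accepted ('{ln}'); use 'transport input ssh'")
        if not any(ln.startswith("exec-timeout") for ln in body):
            findings.append(f"{hdr}: no exec-timeout configured")
    # The generated script also states the size of the SSH host key it creates.
    for ln in top:
        m = re.match(r"crypto key generate rsa .*modulus (\d+)", ln)
        if m and int(m.group(1)) < 2048:
            findings.append(f"RSA host key modulus {m.group(1)} is below 2048 bits")
    return findings
```

The script does not review the bogon ACLs; the autosec_iana_reserved_block list above reflects IANA allocations at the time of the session, and every /8 it names has since been allocated, so that list must be checked against the current IANA registry before it is applied.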


Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions
ISBN: 0072259175
Year: 2005
Pages: 117
