A more accurate title for this article would have been "How to increase security on a Cisco border router", but that's too long.
This article assumes some familiarity with Cisco routers. If you're not familiar with Cisco IOS command line interaction, consult reference [2] below, or Cisco documentation.
Thoroughly securing a Cisco router (or any router) is a topic that can require its own book(s) (see the references at the end of this article). I will cover the basics here, though: the low-hanging fruit.
Before you begin, keep a copy of your present, working router configuration in pristine condition. Save the edited configuration to a new file. The same goes for IOS code. Make sure you have a full copy of the version you're running before you upgrade.
1. Upgrade IOS. Upgrade to the latest stable code version available for your router. Like other operating systems, Cisco IOS is upgraded for various reasons including to fix security flaws. How to do that is beyond the scope of this article but you can find more info here:
http://www.cisco.com/en/US/products/hw/routers/ps259/products_tech_note09186a00801fc986.shtml
2. Generate an rsa crypto-key. If your router code supports cryptography, enter the following commands to create a crypto-key for later use with SSH (if your router does not support cryptography, you will receive an error when you try to enter the commands):
hostname [enter a hostname for your router]
ip domain-name [enter your domain name i.e. mydomain.com]
crypto key generate rsa
If it works, the router will process the command for a moment, then ask you how many bits the modulus should be. If permitted by your local laws regarding cryptography, enter 1024. If not, enter the largest number you are entitled to use.
3. Disable unneeded services. Many services are enabled by default on Cisco routers, and each can provide information an attacker can use. For example, there is a free utility called Yersinia that can be used to obtain Cisco Discovery Protocol (CDP) information over the Internet.
Global commands:
no service tcp-small-servers
no service udp-small-servers
no service dhcp
no ip bootp server
no service finger
no ip http server [you may not want to enter this command if you use Adaptive Security Device Manager (ASDM) to manage your router over HTTP]
no ip http secure-server [you may not want to enter this command if you use ASDM to manage your router over HTTPS]
no snmp-server
no cdp run
no service config
no ip gratuitous-arps
no ip source-route
ip options drop
Interface commands (enter these on each interface in use):
no ip directed-broadcast
no ip unreachables
no ip redirects
no ip mask-reply
no ip proxy-arp
In addition to the above, the shutdown command should be applied to interfaces that are not in use.
4. Enable 'good' services. Some beneficial services are not enabled by default. We'll turn them on:
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
5. Secure local and remote access.
Console line configuration:
line con 0
exec-timeout 5 0
login
Auxiliary line configuration (should be disabled unless needed for remote access):
line aux 0
no exec
exec-timeout 0 10
transport input none
VTY lines (virtual lines for remote access over the network):
line vty 0 4
exec-timeout 5 0
login
transport input telnet ssh
(If you can configure SSH for remote access, it is recommended that you remove the word telnet from the above command and only use SSH for remote access.)
6. Set and secure passwords.
service password-encryption
enable secret 0 [enter your password here]
Console line:
line con 0
password [enter your password here]
Auxiliary line:
line aux 0
password [enter your password here]
7. Enable and configure logging. Ideally, logs should be sent to a hardened syslog server so they cannot be tampered with and so they are more permanent. Local logs are deleted whenever the router is rebooted. We will configure local logging here though.
logging on [on IOS the command is logging on; logging enable is the ASA form of the same command]
logging buffered 16000
logging console critical
logging trap informational
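Steps 3 through 7 above amount to a checklist, and a checklist is easiest to keep honest with a script. The following Python program is an added example, not part of the original article or of BRST: it parses saved "show running-config" output into global commands, interface blocks and line blocks, then reports every recommended command that is absent, plus two password weak points from step 6 (no enable secret, or an enable password, which is stored reversibly). The sample config, the hostname border-rtr, the addresses and the type 7 string in it are all constructed for the example. On platforms where a service is already off by default its "no ..." line may not appear in running-config, so treat a "missing" finding as a line to confirm on the router rather than a verdict.

```python
"""Audit saved Cisco IOS running-config text against the hardening checklist above."""
from typing import Dict, List, Tuple

# Constructed sample 'show running-config' output (not from a real device).
# It deliberately omits several recommended lines so the audit has something to report.
SAMPLE_CONFIG = """\
version 12.4
service tcp-keepalives-in
service timestamps log datetime msec show-timezone localtime
no service password-encryption
hostname border-rtr
ip domain-name example.com
ip cef
no ip bootp server
ip http server
no cdp run
enable secret 5 $1$PLACEHOLDER$notarealhash
!
interface FastEthernet0/0
 description outside
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 description spare
 shutdown
!
line con 0
 exec-timeout 5 0
 login
line aux 0
 no exec
 transport input none
line vty 0 4
 exec-timeout 5 0
 password 7 06070A2B45
 login
 transport input telnet ssh
!
end
"""

# Global commands from steps 3, 4, 6 and 7 that should appear verbatim.
GLOBAL_EXPECTED = [
    "no service tcp-small-servers", "no service udp-small-servers",
    "no ip bootp server", "no service finger", "no ip http server",
    "no ip http secure-server", "no cdp run", "no ip source-route",
    "service tcp-keepalives-in", "service tcp-keepalives-out",
    "service timestamps log datetime msec show-timezone localtime",
    "service password-encryption", "logging buffered 16000",
]
# Per-interface commands from step 3, checked on interfaces that are not shut down.
INTERFACE_EXPECTED = [
    "no ip directed-broadcast", "no ip unreachables", "no ip redirects",
    "no ip mask-reply", "no ip proxy-arp",
]
# Per-line commands from step 5, keyed by line type.
LINE_EXPECTED = {
    "con": ["exec-timeout 5 0", "login"],
    "aux": ["no exec", "transport input none"],
    "vty": ["exec-timeout 5 0", "login"],
}


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split running-config text into global commands and indented sub-blocks keyed by
    their header ('interface FastEthernet0/0', 'line vty 0 4'). A bare '!' ends a block."""
    global_lines: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):           # IOS indents sub-mode commands by one space
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, blocks


def audit(text: str) -> List[str]:
    """Return one finding per recommended command that is absent or weak setting found."""
    findings: List[str] = []
    global_lines, blocks = parse_config(text)
    present = set(global_lines)
    for want in GLOBAL_EXPECTED:
        if want not in present:
            findings.append(f"global: missing '{want}'")
    if not any(cmd.startswith("enable secret ") for cmd in present):
        findings.append("global: no 'enable secret' configured")
    if any(cmd.startswith("enable password ") for cmd in present):
        findings.append("global: 'enable password' present; replace with 'enable secret'")
    for header, sub in blocks.items():
        if header.startswith("interface "):
            if "shutdown" in sub:
                continue                  # unused interface, already shut down (step 3)
            for want in INTERFACE_EXPECTED:
                if want not in sub:
                    findings.append(f"{header}: missing '{want}'")
        else:
            kind = header.split()[1]      # con / aux / vty
            for want in LINE_EXPECTED.get(kind, []):
                if want not in sub:
                    findings.append(f"{header}: missing '{want}'")
            if kind == "vty":
                # No 'transport input' line at all means the IOS default, which allows telnet.
                transport = [s for s in sub if s.startswith("transport input ")]
                if not transport or any("telnet" in s or "all" in s for s in transport):
                    findings.append(f"{header}: telnet still allowed; use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a file captured from your own router (python3 audit.py < running-config.txt after swapping SAMPLE_CONFIG for sys.stdin.read()) and work through the findings top to bottom; the sample config above produces thirteen of them, including the telnet-still-allowed warning for the VTY lines and the three interface commands missing from the outside interface.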
8. Other measures. Additional measures you can take include:
8.a. Drop bogon and Martian traffic. Bogon addresses are addresses that have not been issued by the IANA, so they should not appear on the Internet. Martians are reserved addresses, and they also should not appear on the Internet. If either does appear, it is either coming from a mis-configured router or device, or it is an attack attempt of some kind (they are fake or 'spoofed' addresses). There are several ways to handle these. Team Cymru's site has more information about bogon and Martian addresses. [3]
8.a.1. Null routing - You could null route them (create a static route sending each bogon and Martian prefix not in use on the router to the null interface). This is my favorite method. It drops the traffic with minimal processing.
8.a.2. Use Access Control Lists (ACLs) - Set up an ACL to drop and log each violation. Although this method provides more information, it also uses more processing power. Since one reason you may receive spoofed packets is in conjunction with a Denial of Service (DoS) attack of some kind, it seems prudent to minimize the burden on the processor, hence the method suggested above.
8.a.3. Verify unicast reverse path - To use this method, configure Cisco Express Forwarding globally using the ip cef command, then run the command ip verify unicast reverse-path on each interface that faces the Internet. Although easy to configure, and easy on the processor, I'm not sure how well it works with a single static default route, as is the case for most small organizations. I'd like to hear the thoughts of some of you Cisco pros out there about whether it works on a small network (i.e. one not running Border Gateway Protocol (BGP)).
8.b. Configure Authentication, Authorization and Accounting (AAA) - Configure the American Automotive Association... Just seeing if you're still awake!
Configure AAA, even if only used locally. It allows for more granularity of access and logging of activities. You can, for example, have a log entry created for each command a user enters. Very handy for finding configuration mistakes or typos, or for undoing the nastiness of an intruder.
aaa new-model
aaa authentication login default local
aaa authorization commands 15 default local
8.c. Access Control Lists - Control the flow of traffic through the router with ACLs. For example, traffic from the inside interface of the router should not come in to the router from the Internet. Filter for that using an ACL. ACL configuration has to be done for your specific network. See references [3] and [4] below for more.
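The null routes of 8.a.1, the deny-and-log ACL of 8.a.2 and the anti-spoofing ACL of 8.c all come down to the same question: may a packet with this source address arrive on the outside interface? The Python below is an added example, not code from the article, from BRST or from Team Cymru; it generates the IOS lines for both approaches from one prefix list and includes a classifier you can use to reason about individual addresses. The Martian list is a constructed, abbreviated sample (a real deployment uses the current full bogon list from reference [3]), and the organization's own block 198.51.100.0/24 and LAN 10.0.0.0/24 are constructed stand-ins, which is why the RFC 5737 documentation prefixes are left out of the Martian list here. The null-route generator implements the "not in use on the router" condition from 8.a.1: a prefix that overlaps address space the router actually uses is skipped rather than sent to Null0.

```python
"""Ingress filtering helpers for the border router: bogon/Martian null routes (8.a.1),
a deny-and-log ACL (8.a.2 and 8.c), and a source-address classifier to test them."""
import ipaddress
from typing import List

# Constructed, abbreviated list of reserved ('Martian') IPv4 prefixes. A real deployment
# pulls the current full bogon list (reference [3]) instead. The RFC 5737 documentation
# prefixes are left out on purpose: one of them stands in for "our" block below.
MARTIANS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
]

# Constructed: the organization's own public block (documentation space standing in for
# a real assignment) and the RFC 1918 LAN behind the router. Neither may arrive from outside.
OUR_PREFIXES = ["198.51.100.0/24", "10.0.0.0/24"]


def null_routes(bogons: List[str], in_use: List[str]) -> List[str]:
    """IOS static routes sending each bogon prefix to Null0 (8.a.1). Prefixes that overlap
    address space the router actually uses are skipped; otherwise the null route would
    swallow the LAN (here 10.0.0.0/24 keeps 10.0.0.0/8 from being null-routed)."""
    used = [ipaddress.ip_network(p) for p in in_use]
    routes = []
    for prefix in bogons:
        net = ipaddress.ip_network(prefix)
        if any(net.overlaps(u) for u in used):
            continue
        routes.append(f"ip route {net.network_address} {net.netmask} Null0")
    return routes


def ingress_acl(name: str, our_prefixes: List[str], bogons: List[str]) -> List[str]:
    """Extended named ACL for the outside interface (apply with 'ip access-group NAME in'):
    deny and log packets sourced from our own space (8.c) or bogon space (8.a.2), then
    permit the rest. The 'log' keyword is what makes this costlier than a null route."""
    lines = [f"ip access-list extended {name}"]
    for prefix in our_prefixes + bogons:
        net = ipaddress.ip_network(prefix)
        # IOS ACLs take a wildcard mask, which is the inverse of the netmask.
        lines.append(f" deny ip {net.network_address} {net.hostmask} any log")
    lines.append(" permit ip any any")
    return lines


def classify_source(src: str, our_prefixes: List[str], bogons: List[str]) -> str:
    """What the outside-interface filter should do with a packet from this source."""
    addr = ipaddress.ip_address(src)
    if any(addr in ipaddress.ip_network(p) for p in our_prefixes):
        return "spoofed-inside"
    if any(addr in ipaddress.ip_network(p) for p in bogons):
        return "bogon"
    return "routable"


if __name__ == "__main__":
    print("\n".join(null_routes(MARTIANS, OUR_PREFIXES)))
    print("\n".join(ingress_acl("OUTSIDE-IN", OUR_PREFIXES, MARTIANS)))
    for src in ("10.0.0.5", "198.51.100.7", "172.20.1.1", "203.0.113.9"):
        print(src, classify_source(src, OUR_PREFIXES, MARTIANS))
```

One caveat worth keeping in mind when choosing between the two outputs: a static route to Null0 discards packets destined to the prefix. Packets sourced from the prefix are only discarded by it when ip verify unicast reverse-path (8.a.3) is also enabled on the outside interface, because a source whose best route points to Null0 fails the reverse-path check. The ACL, by contrast, matches on the source address directly, which is why it does not need the "not in use" exclusion: a packet from your own LAN range should never enter from the Internet regardless.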
9. Why this article? Quite often, at the end of a 'teaser' article like this, the author tries to sell you something. I'm not selling you anything! I want to make the Internet a safer place, and I want to make that easy for you.
There are several free utilities that can help you secure your router including:
Router Administration Tool (RAT):
http://members.cisecurity.org/kb/category.php?id=21
Cisco AutoSecure:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123_1/ftatosec.htm
and my project,
BRST - Border Router Security Tool, SourceForge
https://sourceforge.net/projects/borderroutersec/
Of the three listed above, only the BRST is open source. RAT is available for free, but is proprietary. Cisco AutoSecure is 'free' but is not available for all router models and IOS versions and is proprietary.
Compare, contrast, play, provide feedback on all three. Use great caution on production routers though!
Thanks for your time!
[1] NSA/SNAC Router Security Configuration Guide, Executive Summary
http://www.nsa.gov/ia/_files/routers/cisco_exec_sum.pdf
[2] NSA/SNAC Router Security Configuration Guide 1.1c
http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
[3] Secure IOS Template v6.2 01 Feb 2010, Team Cymru
http://www.cymru.com/Documents/secure-ios-template.html
[4] Cisco IOS Security Configuration Guide, Release 12.4
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html
[5] Hardening Cisco Routers, By Thomas Akin, O'Reilly, 2002
[6] BRST - Border Router Security Tool, SourceForge Project
https://sourceforge.net/projects/borderroutersec/
[7] BRST - Border Router Security Tool Questionnaire, SourceForge
http://borderroutersec.sourceforge.net/