How to secure a Cisco Router?
Before you begin, keep a copy of your present, working router configuration in pristine condition. Save the edited configuration to a new file. The same goes for IOS code. Make sure you have a full copy of the version you're running before you upgrade.
1. Upgrade IOS. Upgrade to the latest stable code version available for your router. Like other operating systems, Cisco IOS is upgraded for various reasons including to fix security flaws.
2. Generate an rsa crypto-key. If your router code supports cryptography, enter the following commands to create a crypto-key for later use with SSH (if your router does not support cryptography, you will receive an error when you try to enter the commands):
hostname [enter a hostname for your router]
ip domain-name [enter your domain name i.e. mydomain.com]
crypto key generate rsa
If it works, the router will process the command for a moment then ask you how many bits the modulus should be. If permitted by you local laws regarding cryptograpy, enter 1024. If not, enter the largest number you are entitled to use.
3. Disable unneeded services. There are many services that are enabled by default on Cisco routers. Each can provide information an attacker can use. There is a free utility called Yersinia that can be used to obtain Cisco Discovery Protocol (CDP) information over the Internet for example.
Global commands:
no service tcp-small-servers
no service udp-small-servers
no service dhcp
no ip bootp server
no service finger
no ip http server [you may not want to enter this command if you use Adaptive Security Device Manager (ASDM) to manager your router over HTTP]
no ip http secure-server [you may not want to enter this command if you use ASDM to manager your router over HTTPS]
no snmp-server
no cdp run
no service config
no ip gratuitous-arps
no ip source-route
ip options drop
Interface commands (enter these on each interface in use):
no ip directed-broadcast
no ip unreachables
no ip redirects
no ip mask-reply
no ip proxy-arp
In addition to the above, the shutdown command should be applied to interfaces that are not in use.
4. Enable 'good' services. Some beneficial services are not enabled by default. We'll turn them on:
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
5. Secure local and remote access.
Console line configuration:
line con 0
exec-timeout 5 0
login
Auxiliary line configuration (should be disabled unless needed for remote access):
line aux 0
no exec
exec-timeout 0 10
transport input none
VTY lines (virtual lines for remote access over the network):
line vty 0 4
exec-timeout 5 0
login
transport input telnet ssh
(If you can configure SSH for remote access, it is recommended that you remove the word telnet from the above command and only use SSH for remote access.)
6. Set and secure passwords.
service password-encryption
enable secret 0 [enter your password here]
Console line
line con 0
password [enter your password here]
Auxiliary Line
line aux 0
password [enter your password here]
7. Enable and configure logging. Ideally, logs should be sent to a hardened syslog server so they cannot be tampered with and so they are more permanent. Local logs are deleted whenever the router is rebooted. We will configure local logging here though.
logging enable
logging buffered 16000
logging console critical
logging trap informational
No comments:
Post a Comment