Router Access
Shut down unneeded servers on the router.
Servers that are not running cannot break. Also, more memory and processor slots are available. Start by running the show proc command on the router, then turn off clearly unneeded facilities and services. Some servers that should almost always be turned off and the corresponding commands to disable them are listed below.
Small services (echo, discard, chargen, etc.)
no service tcp-small-servers
no service udp-small-servers
BOOTP - no ip bootp server
Finger – no service finger
HTTP – no ip http server
SNMP – no snmp-server
Shut down unneeded services on the routers.
These services allow certain packets to pass through the router, or send special packets, or are used for remote router configuration. Some services that should almost always be turned off and the corresponding commands to disable them are listed below.
CDP – no cdp run
Remote config. - no service config
Source routing – no ip source-route
Classless routeing – no ip classless
The interfaces on the router can be made more secure by using certain commands in the Configure Interface mode. These commands should be applied to every interface.
Unused interfaces - shutdown
No Smurf attacks – no ip directed-broadcast
Ad-hoc routing -no ip proxy-arp
The console line, the auxiliary line and the virtual terminal lines on the router can be made more secure in the Configure Line mode. The console line and the virtual terminal lines should be secured as shown below. The Aux line should be disabled, as shown below, if it is not being used
Console Line
line con 0
exec-timeout 5 0
login
transport input telnet
Auxiliary Line
line aux 0
no exec exec-timeout 0 10
transport input none
VTY lines
line vty 0 4
exec-timeout 5 0
login
transport input telnet
Enable secret – enable secret 0 yoursecretpassword
Console Line
line con 0
password yourconsolepassword
Auxiliary Line
line aux 0
password yourauxpassword
VTY Lines
line vty 0 4
password yourtelnetpassword
Basic protection – servicepassword-encryption
Logging & Debugging
1. Turn on the router’s logging capability, and use it to log errors and blocked packets to an internal (trusted) syslog host. Make sure that the router blocks syslog traffic from untrusted networks. See example commands below.
Central(config)#logging on
Central(config)#logging 14.2.9.1
Central(config)#logging buffered
Central(config)#logging console critical
Central(config)#logging trap debugging
Central(config)#logging facility local1
2. Configure the router to include time information in the logging. Point to two different NTP servers to ensure availability of good time information. This will allow an administrator to trace network attacks more accurately. See example commands below.
Service timestamps log datetime localtime show-timezone
clock timezone IST
ntp source Ethernet0/1
ntpserver 192.5.41.40
ntpserver 192.5.41.41
3. If you are using SNMP, then select and configure hard-to-guess SNMP community strings. The example commands below show how to remove the default community strings and set a better read-only community string.
East(config)#no snmp community public
East(config)#no snmp community private
East(config)#snmp community hardtoguesscommunityname
Access Lists
1. Always start an access-list definition with the privileged command no access-list nnn to clear out any previous versions of access list nnn.
East(config)#no access-list 51
East(config)#access-list 51 permit host 14.2.9.6
East(config)#access-list 51 deny any log
2. Log access list port messages properly. For reasons of efficiency, Cisco IOS doesn't look at an entire packet header unless it has to. To ensure that logs contain correct port number information, use the special port range arguments shown below.
no access-list 106
access-list 106 deny udp any range 1 65535 any range 1 65535 log
access-list 106 deny tcp any range 1 65535 any range 1 65535 log
access-list 106 deny ip any any log
The last line is necessary to ensure that rejected packets of protocols other than TCP and UDP are properly logged.
3. Allow only internal addresses to enter the router from the internal interfaces, enforce this using access-lists. Block illegal addresses at the outgoing interfaces. Besides preventing an attacker from using the router to attack other sites, it helps identify poorly configured internal hosts and networks. This approach may not be feasible for very complicated networks.
4. Block packets coming from the outside (untrusted network) that are obviously fake or are commonly used for attacks. This protection should be part of the overall design for traffic filtering at the router interface attached to the external, untrusted network.
5. Block packets that claim to have a source address of any internal (trusted) networks. This impedes some TCP sequence number guessing attacks and related attacks. Incorporate this protection into the access lists applied to interfaces connected to any untrusted networks.
6. Block incoming loopback packets (network 127.0.0.0). These packets cannot be real. Block reserved IP addresses (network 10.0.0.0, 172.16.0.0-172.31.0.0, 192.168.0.0).
7. If the network does not need IP multicast, then block multicast packets.
8. Block broadcast packets. (Note that this may block DHCP and BOOTP services, but these services should not be used
on external interfaces.)
9. A number of remote attacks use ICMP redirects, block them. (A superior but more difficult approach is to permit only necessary ICMP packet types.)
10. Block incoming packets that claim to have the same destination and source address (i.e. a ‘Land’ attack on the router itself). Incorporate this protection into the access list used to restrict incoming traffic into each interface,
11. Configure an access list for the virtual terminal lines to control telnet access
Security Checklist
This security checklist is designed to help you review your router security configuration, and remind you of any security area you might have missed.
# Router security policy written, approved, distributed.
# Router IOS version checked and up to date.
# Router configuration kept off-line, backed up, access to it limited.
# Router configuration is well-documented, commented.
# Router users and passwords configured and maintained.
# Enable password difficult to guess, knowledge of it strictly limited. (if not, change the password immediately)
# Access restrictions imposed on Console, Aux, VTYs.
# Unneeded network services disabled.
# Necessary network services configured correction (e.g. DNS)
# Unused interfaces and VTYs shut down or disabled.
# Risky interface services disabled.
# Port and protocol needs of the network identified and checked.
# Access lists limit traffic to identified ports and protocols.
# Access lists block reserved and inappropriate addresses.
# Static routes configured where necessary.
# Routing protocols configured to use integrity mechanisms.
# Logging enabled and log recipient hosts identified and configured.
# Router’s time of day set accurately, maintained with NTP.
# Logging set to include time information.
# Logs checked, reviewed, archived in accordance with local policy.
# SNMP disabled or enabled with hard-to-guess community strings.
