Basic Cisco Router Security
This document describes some basic security tips for Cisco routers.
The tips are based on my experiences regarding routers during the
time I was employed by Philips
Communication and Processing Services, Origin IT and Atos Origin.
These are basic tips to harden your network devices, not the
ultimate set of things to do. Keeping in mind how an IP network
works and keeping your skills up to date through general networking
and security mailing lists is a must.
Network layout
For this document we have the following layout of the network:
The following assumptions regarding network design are made:
- There is a difference between the IP space for the network and the
IP space for the user LANs. This makes it possible to distinguish traffic
from user LANs from traffic within the network.
- Despite the fact that there is a firewall in the picture, this
document only describes security on the routers. It's there only to
complete the picture.
- The IP space of the network management LAN is dedicated to
network management systems. No other systems are there.
- User LANs are not allowed to access the network infrastructure.
If people on a user LAN want to access the network, they have
to hop via the network management LAN.
User LANs   | IP subnet                         | Comment
------------+-----------------------------------+-------------------------
On router-A | 130.140.254.0/24                  | Network Management LAN
On router-B | 130.140.2.0/24                    | Firewall LAN
On router-C | 130.140.1.0/24 and 130.140.5.0/24 | Via a router of the user
On router-D | -                                 | Link to public internet
- The network management LAN has a rich set of features. This includes,
but will not be limited to, a TACACS+ server, an NTP server,
a syslog server and an SNMP server.
- The routers use an external authentication mechanism, such as TACACS+.
- Each router has a loopback interface.
Device name | Loopback IP address
------------+--------------------
router-A    | 10.254.254.1
router-B    | 10.254.254.2
router-C    | 10.254.254.4
router-D    | 10.254.254.5
Initial router configuration
There are a couple of things which are assumed to have happened:
- The routers have hostnames
router(config)#hostname router-A
- The routers have loopback interfaces.
The loopback interface will be used as source-address for all
the outgoing IP traffic and as interface to connect to the
router. As long as one of the physical interfaces is up, the
loopback interface will be reachable.
router-A(config)#interface loopback0
router-A(config-if)#ip address <Loopback IP address> 255.255.255.255
- All the routers should have their clocks right. Without this,
it is not possible to do fast and proper debugging and analyzing.
router-A(config)#clock timezone UTC 0
router-A(config)#service timestamps log datetime show-timezone
router-A(config)#service timestamps debug datetime show-timezone
Access security
This part describes security to access the router via normal telnet.
Authentication is done via TACACS+. The router should use it for
both login and enable authentication. If no connection can be
made with the authentication server, it should fall back on the
enable password.
router-A(config)#aaa new-model
router-A(config)#aaa authentication login default tacacs+ enable
router-A(config)#aaa authentication enable default tacacs+ enable
router-A(config)#tacacs-server host <ip address of TACACS+ server>
router-A(config)#ip tacacs source-interface loopback0
Now an enable password should be defined. Cisco routers have three
types of password-encryptions:
- Type 0: no encryption. All your passwords are plain text.
- Type 7: password is encrypted, but can be decrypted.
- Type 5: password is an MD5 hash, it cannot be decrypted.
router-A(config)#service password-encryption
router-A(config)#enable secret <password>
Only TCP connections coming from the network management LAN are
allowed to access the routers.
router-A(config)#no access-list 1
router-A(config)#access-list 1 permit <subnet address of network management LAN> <wildcard mask>
Now it's finally time to enable logins. No passwords are specified on
the lines, because authentication is configured with the aaa
statements. A 30-minute time-out shall be standard on all console and
virtual terminal lines.
router-A(config)#line console 0
router-A(config-line)#exec-timeout 30 0
router-A(config-line)#line aux 0
router-A(config-line)#no exec
router-A(config-line)#transport input all
router-A(config-line)#line vty 0 4
router-A(config-line)#access-class 1 in
router-A(config-line)#exec-timeout 30 0
In the past, it was possible to access the router via the chargen
or echo ports. These services are not needed and should be disabled:
router-A(config)#no service udp-small-servers
router-A(config)#no service tcp-small-servers
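To check that a router actually carries the access-security settings described above, here is an added example in Python (not part of the original document) that audits a saved running-config. The embedded SAMPLE_CONFIG is constructed for the example; the TACACS+ server address and the enable secret hash in it are placeholders.

```python
"""Audit a saved Cisco IOS running-config against the access-security items above.

Added example, not part of the original document. SAMPLE_CONFIG is a
constructed running-config; the TACACS+ address and the enable secret
hash in it are placeholders.
"""
import re

# Constructed sample: it applies most of the recommendations, but the aux
# line still has an exec and the vty lines lack an access-class.
SAMPLE_CONFIG = """\
hostname router-A
service timestamps log datetime show-timezone
service password-encryption
no service udp-small-servers
no service tcp-small-servers
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
enable secret 5 $1$PLACEHOLDER$notarealhash
tacacs-server host 130.140.254.10
ip tacacs source-interface loopback0
access-list 1 permit 130.140.254.0 0.0.0.255
line con 0
 exec-timeout 30 0
line aux 0
 transport input all
line vty 0 4
 exec-timeout 30 0
"""

# Global commands that must be present verbatim, with the finding to report
# when one is missing.
REQUIRED_GLOBALS = [
    ("aaa new-model", "aaa new-model not enabled"),
    ("aaa authentication login default tacacs+ enable",
     "login authentication is not TACACS+ with enable fallback"),
    ("aaa authentication enable default tacacs+ enable",
     "enable authentication is not TACACS+ with enable fallback"),
    ("service password-encryption", "service password-encryption not set"),
    ("no service udp-small-servers", "udp-small-servers not disabled"),
    ("no service tcp-small-servers", "tcp-small-servers not disabled"),
]
MAX_TIMEOUT_MINUTES = 30


def split_config(config):
    """Return (global commands, {line name: [sub-commands]})."""
    globals_, lines, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            lines[current] = []
        elif raw.startswith(" ") and current is not None:
            lines[current].append(raw.strip())
        else:
            current = None
            if raw.strip():
                globals_.append(raw.strip())
    return globals_, lines


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    globals_, lines = split_config(config)
    findings = [msg for cmd, msg in REQUIRED_GLOBALS if cmd not in globals_]
    # Only a type 5 'enable secret' is acceptable; 'enable password' is type 0 or 7.
    if not any(g.startswith("enable secret ") for g in globals_):
        findings.append("no enable secret configured")
    if any(g.startswith("enable password ") for g in globals_):
        findings.append("enable password (type 0/7) present; use enable secret")
    for name, cmds in lines.items():
        if name.startswith("aux"):
            if "no exec" not in cmds:
                findings.append(f"line {name}: exec not disabled")
            continue
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", timeout or "")
        if m is None:
            # IOS applies a 10-minute default when no exec-timeout is configured.
            findings.append(f"line {name}: exec-timeout not set explicitly")
        else:
            minutes, seconds = int(m.group(1)), int(m.group(2) or 0)
            if minutes == 0 and seconds == 0:
                findings.append(f"line {name}: exec-timeout 0 0 never expires")
            elif minutes * 60 + seconds > MAX_TIMEOUT_MINUTES * 60:
                findings.append(f"line {name}: exec-timeout longer than 30 minutes")
        if name.startswith("vty") and not any(
            c.startswith("access-class ") and c.endswith(" in") for c in cmds
        ):
            findings.append(f"line {name}: no inbound access-class on vty")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("MISSING:", finding)
```

Run it against the output of "show running-config" saved to a file. On IOS versions where the small servers are already off by default the two "no service ... small-servers" lines do not appear in the running-config, so drop those two entries from REQUIRED_GLOBALS there; the other checks match what the router prints back.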
SNMP security
SNMP is used to retrieve data from remote machines. This should
only be allowed for machines on the network management LAN. If you
want to allow non-network-management hosts to have SNMP access to
a router, put them in a different access-list and give them a unique
community-string.
router-A(config)#no access-list 3
router-A(config)#access-list 3 permit <subnet address of network management LAN> <wildcard mask>
router-A(config)#no access-list 4
router-A(config)#access-list 4 deny any
Let the router send its SNMP information to the SNMP server, which
is on the network management LAN. If there is an unauthorized
attempt to access the router via SNMP, let it send a warning to
the SNMP server. Limit the machines which can perform SNMP queries
to the machines on the network management LAN. Also disable the
possibility to do a system shutdown via SNMP.
router-A(config)#snmp-server community <community-string> RW 3
router-A(config)#snmp-server community <community-string> RO 4
router-A(config)#snmp-server host <ip address of SNMP server> <community-string>
router-A(config)#snmp-server trap-source loopback0
router-A(config)#snmp-server enable traps snmp authentication
router-A(config)#no snmp-server system-shutdown
router-A(config)#snmp-server tftp-server-list 3
Routing Process security
The routing process is the most important part of your network: if it is
screwed up, your network doesn't function. It also gives a lot of
information away if people have access to the routing tables.
If a routing neighbour gets lost, it should be logged in the syslog:
router-A(config)#router eigrp 12
router-A(config-router)#eigrp log-neighbor-changes
All interfaces which are not connected to another router managed
by you should be turned off for routing.
router-A(config)#router eigrp 12
router-A(config-router)#passive-interface loopback0
router-A(config-router)#passive-interface ethernet0
Also, don't accept any routing information from routers not belonging to you.
If you want to route to other routers on the user LANs, managed by
you or not, use static routes which point to that router and let
a default route on that router point back to your router.
router-C(config)#ip route 130.140.5.0 255.255.255.0 130.140.1.2
router-C(config)#router eigrp 12
router-C(config-router)#redistribute static
user-router(config)#ip route 0.0.0.0 0.0.0.0 130.140.1.1
Logging security
The logging done by the routers can be sent to a central host. If
you enable this, make sure the syslog daemon on that host accepts
syslog messages from remote machines.
router-A(config)#logging buffered
router-A(config)#logging console debugging
router-A(config)#logging trap informational
router-A(config)#logging source-interface loopback0
router-A(config)#logging <ip address of syslog server>
NTP security
Knowledge of the correct time is very important for debugging, general
logging and the analysis of problems. Therefore all routers should
synchronize their time with a single source and accept no time
information from any other source. It is also possible to configure
routers to act as NTP servers for other routers or for hosts on the
user LAN.
router-A(config)#no access-list 5
router-A(config)#access-list 5 permit <ip address of NTP server>
router-A(config)#no access-list 6
router-A(config)#access-list 6 deny any
router-A(config)#ntp access-group peer 5
router-A(config)#ntp access-group serve 6
router-A(config)#ntp source loopback 0
router-A(config)#ntp server <ip address of NTP server>
User LAN Interface security
The user LAN interfaces are the place where the traffic to and from
the users goes, and thus the place which will receive bogus and
illegal packets first. There are a couple of things to take care of:
- Do not advertise yourself towards the user LAN as a router:
router-A(config)#interface ethernet0
router-A(config-if)#no cdp enable
- Do not forward IP packets with source-routing header options enabled:
router-A(config)#no ip source-route
- Do not answer to ARP requests for hosts which are not on the user LAN:
router-A(config)#interface ethernet0
router-A(config-if)#no ip proxy-arp
- Only allow packets which are expected to come from the user
LAN and are meant for other user LANs. That means, don't forward
packets to network devices:
router-A(config)#ip access-list extended outgoing_e0
router-A(config-ext-nacl)#deny ip any <ip space of network> <wildcard mask>
router-A(config-ext-nacl)#permit ip <subnet address of user LAN> <wildcard mask> any
router-A(config-ext-nacl)#deny ip any any
router-A(config)#interface ethernet0
router-A(config-if)#ip access-group outgoing_e0 in
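The access lists above (the vty and SNMP access lists as well as the outgoing_e0 list on the user LAN interface) all take wildcard masks, not subnet masks. Here is an added example in Python (not part of the original document) that models the IOS wildcard matching, converts subnet masks into wildcards and runs constructed packets through an outgoing_e0-style list for router-C. The user LAN subnets 130.140.1.0/24 and 130.140.5.0/24 and the loopback 10.254.254.4 come from the tables earlier in the document; that the network's own IP space is 10.0.0.0/8 is an assumption made for the example.

```python
"""Model IOS wildcard-mask matching and evaluate an outgoing_e0-style ACL.

Added example, not part of the original document. The user LAN subnets
on router-C and its loopback address come from the tables above; the
network's own IP space being 10.0.0.0/8 is an assumption for the example.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS 'any': every bit is don't-care


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard(subnet_mask):
    """Invert a dotted subnet mask into the wildcard mask access lists expect."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ to_int(subnet_mask)))


def matches(addr, base, wild):
    """IOS semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ to_int(wild)
    return (to_int(addr) ^ to_int(base)) & care == 0


def evaluate(acl, src, dst):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, (sb, sw), (db, dw) in acl:
        if matches(src, sb, sw) and matches(dst, db, dw):
            return action
    return "deny"


def _render(entry):
    return "any" if entry == ANY else f"{entry[0]} {entry[1]}"


def to_ios(name, acl):
    """Render the ACL as the 'ip access-list extended' lines IOS would show."""
    out = [f"ip access-list extended {name}"]
    for action, src, dst in acl:
        out.append(f" {action} ip {_render(src)} {_render(dst)}")
    return "\n".join(out)


NETWORK_SPACE = ("10.0.0.0", wildcard("255.0.0.0"))  # assumed infrastructure space
USER_LAN_1 = ("130.140.1.0", wildcard("255.255.255.0"))
USER_LAN_5 = ("130.140.5.0", wildcard("255.255.255.0"))

# router-C needs a permit entry per user subnet behind ethernet0; with only
# the 130.140.1.0/24 entry, traffic from 130.140.5.0/24 (reached via the
# user's router) would fall through to the final deny.
OUTGOING_E0 = [
    ("deny", ANY, NETWORK_SPACE),
    ("permit", USER_LAN_1, ANY),
    ("permit", USER_LAN_5, ANY),
    ("deny", ANY, ANY),
]

if __name__ == "__main__":
    print(to_ios("outgoing_e0", OUTGOING_E0))
    for src, dst in [("130.140.1.25", "130.140.2.10"),   # user LAN -> firewall LAN
                     ("130.140.5.7", "130.140.2.10"),    # second user subnet
                     ("130.140.1.25", "10.254.254.4"),   # user LAN -> router-C loopback
                     ("192.0.2.9", "130.140.2.10")]:     # source not on the user LAN
        print(f"{src} -> {dst}: {evaluate(OUTGOING_E0, src, dst)}")
```

The last assertion in the test below shows why the mask matters: a subnet mask typed where IOS expects a wildcard (255.255.255.0 instead of 0.0.0.255) makes the entry care only about the last octet, so it silently stops matching the LAN it was meant to cover.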