Router Hardening

Nancy Grover, CISSP
ISC2/ISSA Security Conference
November 2004

Introduction

• Types of Routers

• Unnecessary Services

• Password Management

• Interactive Access

• IP Routing

• Warning Banners

• SNMP Security

• Logging Requirements

• General Requirements

• Router Threat Management

Types of Routers

• Boundary or edge routers

• Interior routers

• Backbone routers

• Aggregate routers or hub routers

• Interior routers provide connectivity within a routing domain.

• Backbone routers provide connectivity between routing domains.

• Aggregate routers and hub routers are used to combine a large number of connections into a smaller number of high-bandwidth connections.

• A boundary or edge router is a router that sits between networks belonging to different security domains.

• These routers require a higher level of security.

Unnecessary Services

• TCP and UDP small servers need to be disabled on the router. These services can be disabled with the commands:

no service tcp-small-servers
no service udp-small-servers

• Note: Small services are disabled by default in Cisco IOS 12.0 and later software.

• Boundary/edge routers should have Cisco Discovery Protocol (CDP) disabled. CDP can be disabled with the global configuration command:

no cdp run

• CDP can be disabled on a particular interface with:

no cdp enable

• HTTP access should be disabled on the router, especially on a boundary/edge router.

• Finger should be disabled on the router. The finger service can be disabled with the command:

no service finger

• The RSH and RCP services must be restricted by IP address. If the services are not needed, they must be disabled. These services can be disabled with the commands:

no ip rcmd rcp-enable
no ip rcmd rsh-enable

• Note: These services are disabled by default in Cisco IOS 12.0 and later.

Password Management

• The service password-encryption command should be enabled to provide minimum protection for configured passwords. As a global default, use the command:

service password-encryption

• Note: This command directs the IOS software to encrypt passwords, CHAP secrets, and similar data saved in its configuration file. The encoding it applies (type 7) is reversible, so it only protects against casual viewing of the configuration; the enable secret, which is stored as a one-way hash, is the stronger of the two.

• The enable secret command is used to set the password granting privileged administrative access to the IOS system.

• All system installation, maintenance, and default passwords supplied by vendors must be changed.

• Passwords should follow the password complexity guidelines outlined in your company’s security policies.

Interactive Access

• Console and auxiliary tty access should be controlled with both a user ID and a password stored in a local file on the router.

• Note: All tty access should use either a TACACS+ or a RADIUS server for authentication.

• Reverse telnet sessions to console and auxiliary tty lines should be disabled. Disable reverse telnet sessions on tty lines by using the command:

transport input none

• vty access to the router should be controlled by both a user ID and a password when logging into the router.

• Note: All vty access should use either a TACACS+ or a RADIUS server for authentication.

• vty lines should be configured to accept connections only from the protocols actually needed. Use the transport input command to restrict the protocols accepted by the vty lines.

• Access to at least one vty line should be restricted to an IP address or IP range to protect against Denial of Service attacks. The ip access-class command can be used to restrict the IP addresses.

• Timeouts should be configured on all vty lines, based on your company’s timeout policy. Use the exec-timeout command to configure timeouts on vty lines.

IP Routing

• Routers should have IP source routing disabled. Disable IP source routing as a global default with the no ip source-route command.

• All directed broadcasts should be disabled on all router interfaces. Use the no ip directed-broadcast command to prevent directed broadcasts that could “explode” into link-layer broadcasts.

• Note: Directed broadcasts are disabled by default in Cisco IOS 12.0 and later.

• Boundary/edge routers, in particular, should filter ICMP redirects. Use access lists to block ICMP redirects.

• Note: All boundary routers should block ICMP redirects to prevent Denial of Service attacks.

• If the router is Internet facing or a boundary/edge router, apply anti-spoofing access lists on all inbound Internet/external facing interfaces.

• Note: Anti-spoofing access lists should block inbound packets with the following source addresses:

  • Publicly owned internal address space

  • All RFC 1918 private addresses

  • IP addresses of a router interface

  • 127.0.0.0 (loopback)

Warning Banner

• Is the company’s warning banner displayed to anyone logging into the router?

• Note: Use the banner login command to configure the warning banner.

SNMP Security

• SNMP community strings should adhere to your company’s password complexity guidelines.

• The read-only community string should be different from the read/write community string.

• Note: If possible, periodic polling should be done with the read-only community string.

• The read/write community string should be reserved for write operations ONLY, while the read-only community strings should be reserved for read access.

• Access lists should be employed to restrict SNMP to the IP addresses of management stations only.

Logging Requirements

• System logging should be enabled and the information saved to both a local buffer and a syslog server.

• If using the TACACS+ and/or RADIUS protocols, AAA logging should be enabled and saved to the RADIUS or TACACS+ server.

• If the router is using a real-time clock or is running NTP, all log entries should be time-stamped. To show time-stamps, use the command:

service timestamps log datetime localtime show-timezone

• All logging information should be retained for a minimum of 90 days, or for the time specified in your company’s policy.

• System logs must be protected from unauthorized access, and frequently reviewed for unusual or suspicious events.
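As an added example (not part of the presentation), the Python script below audits an IOS running-config text against the checklist from the Unnecessary Services, Password Management, Interactive Access, IP Routing, SNMP Security and Logging Requirements sections above: required global commands, services that must be off, SNMP community strings with no access list bound, and vty lines missing transport input, access-class or exec-timeout. The sample configuration, the command prefixes and the finding messages are my own assumptions; IOS 12.0+ defaults that never appear in a running-config are flagged only when explicitly re-enabled.

```python
# Constructed sample running-config (not from a real device), deliberately left partly unhardened.
SAMPLE_CONFIG = """\
service password-encryption
service timestamps log datetime localtime show-timezone
enable secret 5 $1$EXAMPLE$notarealhash
no ip source-route
no cdp run
no service finger
ip http server
banner login ^CAuthorized use only. Activity is logged.^C
snmp-server community public RO
logging host 192.0.2.10
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""

# Global commands the deck calls for, matched as prefixes. IOS 12.0+ defaults (small servers,
# rcmd) never appear in a running-config, so they are flagged only if explicitly re-enabled.
REQUIRED = ["service password-encryption", "service timestamps log datetime", "enable secret",
            "no ip source-route", "no cdp run", "no service finger", "banner login", "logging host"]
FORBIDDEN = ["ip http server", "service tcp-small-servers", "service udp-small-servers",
             "ip rcmd rsh-enable", "ip rcmd rcp-enable"]
VTY_NEEDS = ["transport input", "access-class", "exec-timeout"]  # per-vty-line commands

def parse_config(config):
    """Split a config into top-level commands and {line header: [indented sub-commands]}."""
    top, stanzas, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        elif raw.strip():
            top.append(raw)
            current = stanzas.setdefault(raw, []) if raw.startswith("line ") else None
    return top, stanzas

def audit_config(config):
    """Return a list of findings; an empty list means the config passes every check."""
    top, stanzas = parse_config(config)
    findings = [f"missing: {c}" for c in REQUIRED if not any(t.startswith(c) for t in top)]
    findings += [f"enabled: {c}" for c in FORBIDDEN if any(t.startswith(c) for t in top)]
    # "snmp-server community <string> RO|RW" with nothing after it has no access list bound.
    findings += [f"snmp community without access list: {t}" for t in top
                 if t.startswith("snmp-server community") and len(t.split()) == 4]
    for header, body in stanzas.items():
        if header.startswith("line vty"):
            findings += [f"{header}: missing {n}" for n in VTY_NEEDS
                         if not any(b.startswith(n) for b in body)]
    return findings
```

Running audit_config(SAMPLE_CONFIG) reports the enabled HTTP server, the community string with no access list, and the vty lines lacking access-class; a fully hardened config returns an empty list.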

General Requirements

• Establish a procedure to load appropriate IOS security patches, keeping the IOS level current.

• Physical access to the router and its components must be strictly controlled.

• Back-up and contingency processes for each router need to be documented and in place.

• There should be a method to receive and distribute vendor and other security advisories to the appropriate people in your company.

Router Threat Management

• Threat Warning – Inform technology SMEs of a newly identified threat.

• Threat Plan – Provide specific remediation information to SMEs.

• Alert – Send urgent threat information and remediation plans to all System Administrators.

• Critical T-0: Immediate risk. Patching must begin immediately.

• Critical T-7: Testing and installation of patches is expected on all impacted systems within 7 days.

• Important T-30: Patches are expected to be tested and installed within 30 days.

• Informational: General awareness threat issue.

• Other methods to protect routers from outside attacks.

The End

Questions?
