Lock down Router

schroed
Level 1

Hi all;

I have two routers at different locations that are basically "open" as they sit in front of firewalls and pass all data.

My firewalls are doing all the protection as they are setup as a VPN between the two sites.

Both are 2600 series with one version at:

Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)

-the other-

Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)

I've got my non-cisco brand firewalls very locked down and feel comfortable, however I would like to update/improve the security on my routers as another line of defense.

Any ideas would be appreciated. TIA

Steve

4 Replies

jamey
Level 4

Ensure unused services are disabled (most of these are turned off in newer versions of IOS by default):

Disable small services (echo, discard, chargen, etc.):

no service tcp-small-servers

no service udp-small-servers

cdp - no cdp run

remote config-no service config

source routing - no ip source-route

BOOTP - no ip bootp server

Finger - no service finger

HTTP - no ip http server

Disable IP domain lookup-no ip domain-lookup

disable SNMP if you don't really need it- no snmp-server

(If you do need SNMP use an access-list to deny everything but your management station access and use Read Only):

access-list 1 permit host <management-station-ip>

snmp-server community hard_to_guess_string ro 1

Administratively shut down unused interfaces

On used interfaces:

Disable directed broadcasts - no ip directed-broadcast - this helps prevent "smurf" type attacks

Disable proxy arp - no ip proxy-arp

disable IP unreachables, redirects and mask replies:

no ip unreachables

no ip redirects

no ip mask-reply

Stuff to enable:

If you have a crypto version of IOS, enable SSH and use access-class on VTY lines to restrict access. If you don't have a crypto version of IOS, be sure to use an access-class on the vty lines:

access-list 1 permit host <management-station-ip>

line vty 0 4

access-class 1 in

Ensure you have a banner motd that states "Unauthorized access to this system is prohibited..."

Use a local login username/password instead of just having a telnet password (since you only have two routers you can get by with using a local database):

username xxxx password xxxx

line vty 0 4

login local

Ensure you have strong passwords for your enable secret, usernames/passwords and telnet/ssh.

Enable service password-encryption, and timestamps that use date and time instead of uptime:

service timestamps debug datetime

service timestamps log datetime localtime

service password-encryption

Ensure you have the correct date and time set on the box.

Some people like to put an inbound ACL on the incoming interface of their router that denies obvious fake source IPs and source IPs that exist in their internal network (anti-spoofing):

e.g. a named ACL (say your internal IP block is x.x.x.0/24):

ip access-list extended inbound

deny ip x.x.x.0 0.0.0.255 any log

deny ip 169.254.0.0 0.0.255.255 any log

deny ip 127.0.0.0 0.255.255.255 any log

deny ip 10.0.0.0 0.255.255.255 any log

deny ip 172.16.0.0 0.15.255.255 any log

deny ip 192.168.0.0 0.0.255.255 any log

permit ip any any

(newer versions of IOS show line numbers so you can quickly insert and remove entries without having to re-enter the whole ACL)

Normal ACL method:

access-list 199 deny ip x.x.x.0 0.0.0.255 any log

access-list 199 deny ip 169.254.0.0 0.0.255.255 any log

access-list 199 deny ip 127.0.0.0 0.255.255.255 any log

access-list 199 deny ip 10.0.0.0 0.255.255.255 any log

access-list 199 deny ip 172.16.0.0 0.15.255.255 any log

access-list 199 deny ip 192.168.0.0 0.0.255.255 any log

access-list 199 permit ip any any

Then apply it to your inbound interface:

ip access-group inbound in

If you have this ACL in place and there is a breach on your network you can quickly add a line into the ACL to block the offending host/attacker more quickly than you can probably change your firewall. A lot of people use this inbound ACL as a first line of defense when something new is released into the wild. It also can stop attacks, etc before they reach your firewall. A common example would be to use this ACL to block the ports used by some kind of virus out there until you can patch up all your hosts with the latest DAT files.

If you use routing protocols, use MD5 authentication if available (OSPF, EIGRP, etc have MD5)

My $.02
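The anti-spoofing ACL described in the reply above, as an added example that is not from the thread or from Cisco: it renders the named ACL from a list of CIDR blocks (converting each to the inverted wildcard mask IOS expects) and then evaluates sample source addresses with IOS first-match semantics, including the implicit deny at the end. The internal block 192.0.2.0/24 is a constructed placeholder for the poster's x.x.x.0/24.

```python
import ipaddress

# Constructed placeholder for the thread's internal block x.x.x.0/24 (TEST-NET-1, RFC 5737).
INTERNAL_BLOCK = "192.0.2.0/24"

# Sources the thread's ACL denies: our own block arriving from outside, plus bogon ranges.
SPOOF_SOURCES = [
    INTERNAL_BLOCK,
    "169.254.0.0/16",  # link-local
    "127.0.0.0/8",     # loopback
    "10.0.0.0/8",      # RFC 1918
    "172.16.0.0/12",   # RFC 1918
    "192.168.0.0/16",  # RFC 1918
]


def wildcard(net: ipaddress.IPv4Network) -> str:
    """IOS ACLs take an inverted wildcard mask (0.0.0.255), not a subnet mask."""
    return str(net.hostmask)


def build_acl(name: str = "inbound", sources=SPOOF_SOURCES) -> list:
    """Render the named extended ACL from the thread: logged denies, then permit any."""
    lines = [f"ip access-list extended {name}"]
    for cidr in sources:
        net = ipaddress.ip_network(cidr)
        lines.append(f" deny ip {net.network_address} {wildcard(net)} any log")
    lines.append(" permit ip any any")
    return lines


def evaluate(acl_lines: list, src_ip: str) -> tuple:
    """First-match evaluation of one source address against the rendered ACL.

    Returns (action, matching_line); no match means the implicit deny at the end.
    """
    ip = ipaddress.ip_address(src_ip)
    for line in acl_lines[1:]:  # skip the 'ip access-list extended' header
        parts = line.split()
        action, src = parts[0], parts[2]
        if src == "any":
            return action, line
        # Python's ipaddress accepts the IOS wildcard form: 'network/hostmask'.
        if ip in ipaddress.ip_network(f"{src}/{parts[3]}"):
            return action, line
    return "deny", "(implicit deny)"


if __name__ == "__main__":
    acl = build_acl()
    print("\n".join(acl))
    for probe in ("10.1.2.3", "192.0.2.7", "203.0.113.9"):
        print(probe, "->", evaluate(acl, probe)[0])
```

Dropping the trailing permit (as happens when an entry is mistyped or the ACL is pasted incompletely) makes every address fall through to the implicit deny, which is why the evaluator reports that case explicitly.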

lexitrans
Level 1

Not to oversimplify, but a good tool to use (to get started) is Cisco's Output Interpreter. It will give you some good places to start. Behind that, the suggestions above are good ones.

I like Jamey's reply, but would emphasize that his suggestion should be considered the minimum acceptable.

On routers which are the first hop inside a firewall, I like to go a step further and put in access-lists which duplicate as much as possible the IP filtering already on the firewall. That way, when a wily hacker does get through the firewall, you may be able to detect and stop him before he also works his way through your router.

It's more work, but could save you when a hacker does get through (and they will :-( ). The goal is defense in depth, aka redundant security. Of course, if no one is monitoring the firewall and router, you'll have no idea that either was penetrated, and you're wasting your time. Unfortunately, real security is not something you can install and forget. Like high availability, it requires constant attention.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com

P.S. There is a lot more detail on the rationale behind Jamey's suggestions in Chapter 8 of my book.

jamey
Level 4

A follow up. I just read about this new 12.3 command called Auto Secure:

http://www.cisco.com/warp/public/732/releases/release123/major/highlights/

Pretty cool stuff.

-HTH
