Security Hardening Checklist for Cisco Routers/Switches in 10 Steps

Similar documents
Network security session 9-2 Router Security. Network II

TACACS Device Access Control with Cisco Active Network Abstraction

Note that you can also use the password command but the secret command gives you a better encryption algorithm.

Lab 7 Configuring Basic Router Settings with IOS CLI

Configuring the Management Interface and Security

Packet Tracer - Configure Cisco Routers for Syslog, NTP, and SSH Operations (Instructor Version)

PROTECTING NETWORK INFRASTRUCTURE - ROUTERS, SWITCHES, ETC.

co Configuring PIX to Router Dynamic to Static IPSec with

AutoSecure. Finding Feature Information. Last Updated: January 18, 2012

Cisco Router Security: Principles and Practise. The foundation of network security is router security.

Lab Configuring and Verifying Extended ACLs Topology

PT Activity: Configure AAA Authentication on Cisco Routers

Lab Using the CLI to Gather Network Device Information Topology

Configuring Local Authentication

Configuring Secure Shell (SSH)

Cisco IOS Firewall Authentication Proxy

IPsec Anti-Replay Window Expanding and Disabling

CCNA Security PT Practice SBA

IPsec Anti-Replay Window: Expanding and Disabling

Teacher s Reference Manual

Configuring Security with Passwords, Privileges, and Logins

Internetwork Expert s CCNA Security Bootcamp. Securing Cisco Routers. Router Security Challenges

Loading Internet Protocol Security (IPSec) (CDR-882/780/790/990 Cellular Router)

Making the most of your Network Management System

Chapter 4. Network Security. Part II

Configuring Authentication Proxy

Configuring Authentication Proxy

Lab Configure Basic AP Security through IOS CLI

Configuring Lock-and-Key Security (Dynamic Access Lists)

Configuring Secure Shell

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL

Cisco CCNA ACL Part II

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Configuring Switch-Based Authentication

Using the Management Interfaces

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Configuring Management Access

Configuring Authentication Proxy

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

CCNP TSHOOT. Quick Reference Sheet Exam

User Security Configuration Guide, Cisco IOS Release 15MT

Auditing CISCO Routers

Welcome! APNIC Security Tutorial. Securing edge network devices. Overview

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

CCNA Security 1.0 Student Packet Tracer Manual

Examples of Cisco APE Scenarios

Module 11 Advanced Router Configuration

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Configuring Secure Shell (SSH)

This document is intended to give guidance on how to read log entries from a Cisco PIX / ASA. The specific model in this case was a PIX 501.

Lab - Examining Telnet and SSH in Wireshark

Basic Router Configuration

Lab Configuring Dynamic and Static NAT (Solution)

Console Port, Telnet, and SSH Handling

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example

CCNA Semester 2 labs. Labs for chapters 2 10

Seattle Cisco Users Group

Configuring Security for the ML-Series Card

Lab Configuring Dynamic and Static NAT (Instructor Version Optional Lab)

Lab Configuring IPv4 Static and Default Routes (Solution)

Configuring Secure Shell (SSH)

Deployment of Cisco IP Mobility Solution on Enterprise Class Teleworker Network

How to configure MB5000 Serial Port Bridge mode

IOS Router : Easy VPN (EzVPN) in Network Extension Mode (NEM) with Split tunnelling Configuration Example

Implementing Cisco Network Security (IINS) 3.0

Configuring TACACS+ Finding Feature Information. Prerequisites for TACACS+

Setting Up Physical Inventory

Fundamentals of Network Security v1.1 Scope and Sequence

Lab Securing Network Devices

Troubleshooting Network analysis Software communication tests and development Education. Protocols used for communication (10 seconds capture)

Identity Firewall. About the Identity Firewall

Cisco Exam Implementing Cisco Network Security Version: 12.0 [ Total Questions: 186 ]

AAA and the Local Database

RR> RR> RR>en RR# RR# RR# RR# *Oct 2 04:57:03.684: %AMDP2_FE-6-EXCESSCOLL: Ethernet0/2 TDR=0, TRC=0 RR#

Radius, LDAP, Radius, Kerberos used in Authenticating Users

CISCO SWITCH BEST PRACTICES GUIDE

ITdumpsFree. Get free valid exam dumps and pass your exam test with confidence

Configuring Secure Shell (SSH)

Configuring Secure Shell (SSH)

CCNA Access List Questions

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

Configuring Secure Shell on Routers and Switches Running Cisco IOS

Network Infrastructure Filtering at the border. PacNOG19 28th November - 2nd December 2016 Nadi, Fiji

Configuring Authorization

This document is a tutorial related to the Router Emulator which is available at:

Configuring Secure Shell (SSH)

IT Exam Training online / Bootcamp

ROUTE Curriculum Labs powered by

Configure Site Network Settings

CCNA Security Instructor Packet Tracer Manual

Platform Settings for Classic Devices

Module 11 Advanced Router Configuration

Implementing Cisco IP Routing

Top-Down Network Design

Policy Based Routing with the Multiple Tracking Options Feature Configuration Example

Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only.

Table of Contents. Cisco IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example

Network Monitoring and Management Cisco Configuration

Network Admission Control

Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example

Transcription:

Security Hardening Checklist for Cisco Routers/Switches in 10 Steps Network infrastructure devices (routers, switches, load balancers, firewalls etc) are among the assets of an enterprise that play an important role in security and thus need to be protected and configured accordingly. Many enterprises focus on protecting their s, applications, databases etc but they forget about security of network devices which are sometimes installed with out-of-the-box configurations. A compromised router for example can be devastating to the whole security of the enterprise since it can be used to gain access to data, reconfigured to route traffic to other destinations, used to launch attacks to other networks, used to gain access to other internal resources etc. Therefore, hardening the network devices themselves is essential for enhancing the whole security of the enterprise. Cisco separates a network device in 3 functional elements called Planes. These are the following: Management Plane: This is about the management of a network device. The management plane is used to access, configure, manage and monitor a network device. The security of the management plane is discussed in this article. Control Plane: Control plane consists of the protocols and processes that communicate between network devices in order to move data from source to destination. This includes routing protocols such as the BGP, OSPF, signaling protocols etc. Data Plane: The data plane is responsible for moving data from source to destination. This is where most data packets are flowing within the network device (usually hardware accelerated as well).

From the three Planes above, the Management Plane first and the Control Plane second are the most important to secure. In this article we will focus on Management Plane security and discuss the 10 most important steps to harden a Cisco IOS network device. The security checklist below is not exhaustive but it includes the most important commands and configurations that will lock down a Cisco IOS network device and enhance its security and that of the whole network as well. The checklist below applies to both Cisco Routers and Switches as well. 1) Create an Enable Secret Password In order to grant privileged administrative access to the IOS device, you should create a strong Enable Secret Password. I suggest to use a password with at least 10 characters long consisting of alphanumeric and special symbols. Make sure to use the enable secret command which creates a password with strong encryption. Router(config)# enable secret strongpassword 2) Encrypt Passwords on the device All the passwords configured on the Cisco device (except the enable secret ) are shown as clear text in the configuration file. In order to encrypt the clear text passwords and obscure them from showing in the configuration file, use the global command service password-encryption. Router(config)# service password-encryption The command above uses a fairly weak Vigenre cipher which can be decrypted with software tools. It is used mainly to prevent casual obs from reading

passwords, such as when they look at the screen over the shoulder of an administrator. 3) Use an external AAA for User Authentication Instead of using local user accounts on each device for administrator access, it s much more secure, flexible and scalable to use an external AAA (TACACS+ or RADIUS) to handle the Authentication, Authorization and Accounting of users access to the devices. With a centralized AAA you can easily change/enable/disable account passwords, enforce strong password policies, monitor account usage and user access etc. Here we will see how to configure both TACACS+ and RADIUS AAA s with enable secret password as fallback if the AAA is not available.

TACACS+ Router(config)# enable secret K6dn!#scfw35 Create first an enable secret password Router(config)# aaa new-model Enable the AAA service Router(config)# aaa authentication login default group tacacs+ enable Use TACACS for authentication with enable password as fallback Router(config)# tacacs- host 192.168.1.10 assign the internal AAA Router(config)# tacacs- key secret-key secret key configured on AAA Router(config)# line vty 0 4 Router(config-line)# login authentication default Apply AAA authentication to VTY lines (Telnet, SSH etc) Router(config-line)# exit Router(config)# line con 0 Apply AAA authentication to console port Router(config-line)# login authentication default RADIUS Router(config)# enable secret K6dn!#scfw35 Create first an enable secret password Router(config)# aaa new-model Enable the AAA service Router(config)# aaa authentication login default group radius enable Use RADIUS for authentication with enable password as fallback Router(config)# radius- host 192.168.1.10 assign the internal AAA Router(config)# radius- key secret-key secret key configured on AAA Router(config)# line vty 0 4 Router(config-line)# login authentication default Apply AAA authentication to VTY lines (Telnet, SSH etc) Router(config-line)# exit Router(config)# line con 0 Apply AAA authentication to console port Router(config-line)# login authentication default

4) Create separate local accounts for User Authentication If you can t install and use an external AAA as discussed in the previous section, at a bare minimum create separate local accounts for anyone that you will give access to your devices. If you have for example 3 network administrators and you have to use local device accounts for them, then create a personalized user account for each administrator. This accomplishes accountability for each different administrator about the actions performed on the device. Moreover, from IOS version 12.2(8)T and later you can configure Enhanced Password Security for local accounts created on the device. This means that local accounts will be encrypted with MD5 hash. Let s configure 3 different local administrator accounts with Enhanced Password Security. Router(config)# username john-admin secret Lms!a2eZSf*% Router(config)# username david-admin secret d4n3$6&%sf Router(config)# username mary-admin secret 54sxSFT*&(zsd

5) Configure Maximum Failed Authentication Attempts To avoid brute force password attacks to the devices, you can configure maximum number of failed login attempts so that a user will be locked out after this threshold. This works for local user accounts on the devices. Router(config)# username john-admin secret Lms!a2eZSf*% Router(config)# aaa new-model Router(config)# aaa local authentication attempts max-fail 5 max 5 failed login attempts Router(config)# aaa authentication login default local 6) Control Management Access to the devices to specific IPs only This is probably one of the most important security configurations on Cisco network devices. You should restrict what IP addresses can Telnet or SSH to your devices. This should be limited to a few management systems that administrators will be using to manage the network. Assume that the administrators subnet is 192.168.1.0/28 Router(config)# access-list 10 permit 192.168.1.0 0.0.0.15 Router(config)# line vty 0 4 Router(config)# access-class 10 in Apply IP restrictions to all VTY lines (for Telnet or SSH)

7) Enable Logging Logging is very useful for monitoring, incident response and auditing. You can enable logging to an internal buffer of the device or to an external Log. The latter is much more flexible and helpful since you can store much more log data and perform analysis on logs much easier than local logging. There are 8 different logging levels (from 0 to 7) each one giving progressively more log data details. You should avoid logging level 7 (debug) since it will overload the device. Here we will discuss both buffered logging (internal to the device) and Logging to an external Server. You can have both if you want as shown below. Router(config)# logging trap 6 Enable logging level 6 for logs sent to external Router(config)# logging buffered 5 Enable logging level 5 for logs stored locally in buffer Router(config)# service timestamps log datetime msec show-timezone Include timestamps in logs with millisecond precision Router(config)# logging host 192.168.1.2 Send logs to external log Router(config)# logging source-interface ethernet 1/0 Use Eth1/0 to send log messages

8) Enable Network Time Protocol (NTP) This step is essential for the previous section about logging. You must have accurate and uniform clock settings on all network devices in order for log data to be stamped with the correct time and timezone. This will help tremendously in incident handling and proper log monitoring and correlation. You can either configure an internal or external NTP (there are several public NTP s that you can use as well). Router(config)# ntp 1.1.1.1 Router(config)# ntp 2.2.2.2 9) Use Secure Management Protocols if possible Telnet is the default management protocol for Command Line access to Cisco devices. However, all management traffic is clear-text. For security reasons, prefer SSH for management instead of Telnet. Let s see how to configure SSH access to a Cisco device. Router(config)# hostname London London(config)# ip domain-name mydomain.com London(config)# ip ssh version 2 London(config)# crypto key generate rsa modulus 2048 London(config)# ip ssh time-out 60 London(config)# ip ssh authentication-retries 3 London(config)# line vty 0 4 London(config-line)# transport input ssh SSH requires to have a hostname and domain-name configured and also to generate SSH keys. Also, on VTY lines allow SSH protocol only.

10) Restrict and Secure SNMP Access The Simple Network Management Protocol (SNMP) can be very useful to collect information from network devices but can also pose a security risk if not configured properly. SNMP protocol uses a "Community String" which acts as password for restricting access (Read Only or Read/Write) to the SNMP data on the device. In addition to configuring a strong Community String, IP filtering must also be applied to allow SNMP access only from few management workstations. Let's configure two Community strings (one "READ ONLY" and another one "READ/WRITE") and also apply IP address control with ACLs. Router(config)# access-list 11 permit 192.168.1.0 0.0.0.15 Router(config)# access-list 12 permit 192.168.1.1 Router(config)# snmp- community Cbd43@#w5SDF RO 11 Create Read Only (RO) community string and use ACL 11 to allow SNMP access Router(config)# snmp- community Xcv4#56&454sdS RW 12 Create Read Write (RW) community string and use ACL 12 to allow SNMP access The above commands allow the administrators subnet 192.168.1.0/28 to have Read Only SNMP access to devices and also allows host 192.168.1.1 to have full Read/Write SNMP access to devices. About the Author Harris Andrea is a Cisco Certified Professional with more than 18 years of experience working with Cisco network technologies. He is the author of two Cisco Books ( Cisco ASA Firewall Fundamentals and Cisco VPN Configuration Guide ) which have been embraced by thousands of Cisco professionals all over the world. You can find more Cisco configuration guides and tutorials on his blog here http://www.networkstraining.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback