Friday, January 3, 2014

Securing a cisco IOS router with auto secure

In this post we will look at how you can secure a cisco IOS router via a 1 2 3 step process using auto secure.

That's right, cisco has create a command that allows for even the novice engineer,  to help secure a router. Execution of the command with a ? mark shows you these available options




We will walk thru a quick tour of a simple basic no-options autosecure session.

First off the command makes the best guess, and uses  best common practices for securing your IOS router. You should always review the changes and understand what's being configured imho.

It's not available for any IOS-XR or ASA devices. The cli auto secure command,  is available for most newer routers running the latest serioous of IOS code . And for most  IOS-based L3 switches.

Okay when you 1st execute the command you will get a cisco warning;


The command is systematic in it's process of securing of the access,snmp,ntp,interfaces etc.....

Here's a full complete setup of a a very basic auto secure session.



SOCASR1#auto secure 
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of

the router but it will not make router absolutely secure
from all security attacks ***

All the configuration done as part of AutoSecure will be

shown here. For more details of why and how this configuration
is useful, and any possible side effects, please refer to Cisco
documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

If this device is being managed by a network management station,

AutoSecure configuration may block network management traffic.
Continue with AutoSecure? [no]: yes

Gathering information about the router for AutoSecure


Is this router connected to internet? [no]: 


Securing Management plane services..


Disabling service finger

Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server

Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Is SNMP used to manage the router? [yes/no]: yes

SNMPv1 & SNMPv2c are unsecure, try to use SNMPv3
Configure NTP Authentication? [yes]: no

Here is a sample Security Banner to be shown

at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only

  This system is the property of So-&-So-Enterprise.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged. Any violations of access policy will result
  in disciplinary action.

Enter the security banner {Put the banner between

k and k, where k is any character}:
+
this is my router +
Enter the new enable password: 
Confirm the enable password: 
Configuring AAA local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected: 10


Maximum Login failures with the device: 5


Maximum time period for crossing the failed login attempts: 10


Configure SSH server? [yes]: 


Configuring interface specific AutoSecure services

Disabling the following ip services on all interfaces:

 no ip redirects

 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services..


Enabling unicast rpf on all interfaces connected

to internet

Configure CBAC Firewall feature? [yes/no]: no

Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed


Enable tcp intercept feature? [yes/no]: no


This is the configuration generated:


no service finger

no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C
this is my router ^C
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 123E000317180D24282A3029
aaa new-model
aaa authentication login local_auth local
line console 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
login block-for 10 attempts 5 within 10
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
int GigabitEthernet0/0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
int GigabitEthernet0/0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
int GigabitEthernet0/0/2
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
int GigabitEthernet0/0/3
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
ip access-list extended 100
 permit udp any any eq bootpc
!         
end


Apply this configuration to running-config? [yes]:    




So at it's conclusion,  you now have the oppurtunity to apply the config to your cisco device. If you choose to answer with a  "no", than no  changes will  take place.

Also cisco took the luxury to enforce acceptable password lengths & validation;



So you don't have to worry about  your password being input wrongly.

Conclusion;

Auto secure provides a quick no brainer approach for deploying the basic security for a router that internet facing or non-internet facing. It strices to use  cbac or tcp interception security features. It's available on most cisco devices.



Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   ^  ^  )=
          o
       /     \




No comments:

Post a Comment